Reply #23
Very sorry, the good news in post #1 was false. After going through about 20 handler functions I found that the offsets of the data fields still vary.
In v1.1.1.0 the number of pcode instructions is roughly a few times that of the protected code, and should not exceed 10 times.
That is, if the assembly protected by the VM is 10 lines (from the OEP to the call 401644 is 10 lines), the pcode should not exceed 100 lines.
v1.5.0.0 has changed. If you break at 401644, trace into at the dump point, and after it breaks use UltraEdit to count the jmp esi occurrences in the run trace, there are 767. I roughly modified my original program so that it does not yet interpret the pcode and only follows the pcode execution path; it has not finished processing and is already close to a thousand entries.
Take a rough look at the listing below; lines that show no pcode are ones not done yet. For clarity I have split the lines up a bit.
0001 00BB3EDD:01501392 nop
0002 00BB3EEB:0148771E mov register,addr_of_context.ebp
0003 00BB3EF9:0150C5DD push dword ptr [register]
0004 00BB3F07:0148771E mov register,context.esp
0005 00BB3F15:014C7A77 sub register,00000004
0006 00BB3F23:014A1AEA rep movsb [register],[esp] (04 bytes)
0007 00BB3F31:0150C5DD push register
0008 00BB3F3F:014A1AEA rep movsb context.esp,[esp] (04 bytes) ; push ebp
0009 00BB3F4D:01450073 mov register,0DD6C7B9
0010 00BB3F5B:0148771E mov register,addr_of_context.edi
0011 00BB3F69:0150C5DD push dword ptr [register]
0012 00BB3F77:0148771E mov register,addr_of_context.edx
0013 00BB3F85:0150C5DD push dword ptr [register]
0014 00BB3F93:014D5EF3 test [esp+4],[esp] ; test edi,edx
0015 00BB3FA1:01450073 mov register,01FDCEA1
0016 00BB3FAF:0148771E mov register,addr_of_context.eax
0017 00BB3FBD:0150C5DD push dword ptr [register]
0018 00BB3FCB:0148771E mov register,context.esp
0019 00BB3FD9:014C7A77 sub register,00000004
0020 00BB3FE7:014A1AEA rep movsb [register],[esp] (04 bytes)
0021 00BB3FF5:0150C5DD push register
0022 00BB4003:014A1AEA rep movsb context.esp,[esp] (04 bytes) ; push eax
0023 00BB4011:01450073 mov register,0E111969
0024 00BB401F:0148771E mov register,addr_of_context.edx
0025 00BB402D:0150C5DD push dword ptr [register]
0026 00BB403B:0150C5DD push FFFFFFBA
0027 00BB4049:014D5EF3 test [esp+4],[esp] (byte operation) ; test dl,BA
0028 00BB4057:01450073 mov register,05C35893
0029 00BB4065:0148771E mov register,addr_of_context.ebp
0030 00BB4073:0150C5DD push dword ptr [register]
0031 00BB4081:0150C5DD push 00000005
0032 00BB408F:01446674 shr [esp+4],[esp] (dword operation)
0033 00BB409D:014A1AEA rep movsb [register],[esp] (04 bytes) ; shr ebp,5
0034 00BB40AB:01450073 mov register,0A9C82A3
0035 00BB40B9:0148771E mov register,addr_of_context.eax
0036 00BB40C7:0150C5DD push dword ptr [register]
0037 00BB40D5:0148771E mov register,addr_of_context.edi
0038 00BB40E3:0150C5DD push dword ptr [register]
0039 00BB40F1:014FF38F ; not implemented
0040 00BB40FF:0148771E mov register,addr_of_context.eax
0041 00BB410D:014A1AEA rep movsb [register],[esp] (04 bytes)
0042 00BB411B:01450073 mov register,03CDA03D
0043 00BB4129:0148771E mov register,addr_of_context.ecx
0044 00BB4137:0150C5DD push dword ptr [register]
0045 00BB4145:0148771E mov register,addr_of_context.eax
0046 00BB4153:014A1AEA rep movsb [register],[esp] (01 bytes) ; mov eax,ecx
0047 00BB4161:0148771E mov register,context.esp
0048 00BB416F:0150C5DD push dword ptr [register]
0049 00BB417D:0148771E mov register,addr_of_context.eax
0050 00BB418B:014A1AEA rep movsb [register],[esp] (04 bytes) ; mov eax,[esp]
0051 00BB4199:0148771E mov register,context.esp
0052 00BB41A7:0152C47F ; not implemented, presumably add esp,4
0053 00BB41B5:0150C5DD push register
0054 00BB41C3:014A1AEA rep movsb context.esp,[esp] (04 bytes)
0055 00BB41D1:01450073 mov register,0BA18350
0056 00BB41DF:0148771E mov register,addr_of_context.ebp
0057 00BB41ED:0150C5DD push dword ptr [register]
0058 00BB41FB:0150C5DD push 00000005
0059 00BB4209:014F7A55 ; not implemented
0060 00BB4217:014A1AEA rep movsb [register],[esp] (04 bytes)
0061 00BB4225:01461D1F
0062 00BB4233:0148771E mov register,context.esp
0063 00BB4241:0150C5DD push dword ptr [register]
0064 00BB424F:0148771E mov register,addr_of_context.ebp
0065 00BB425D:014A1AEA rep movsb [register],[esp] (04 bytes)
0066 00BB426B:0148771E mov register,context.esp ; you can see mov ebp,esp ends up here
The conclusion is that the code converted to run as pcode was obfuscated beforehand. Repairing it by hand in this way is no longer feasible.
One real assembly instruction corresponds to roughly 10 lines of pcode, and executing each pcode line typically runs more than 2000 assembly instructions. Truly a bit crazy, heh.
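As an added example (not code from the poster or from the protector being analysed), the script below parses a trace listing in the same `NNNN pcode_addr:handler_addr text ; comment` layout as the one above and pulls out what an analyst wants to read off such a listing: how often each handler address is hit, which handlers are still undecoded, and the fixed distance between consecutive pcode entries (0x0E bytes in the listing). The sample lines are constructed from the layout above; the regular expression, function names and dataclass are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same layout as the post's listing (not the full trace).
SAMPLE_TRACE = """\
0001 00BB3EDD:01501392 nop
0002 00BB3EEB:0148771E mov register,addr_of_context.ebp
0003 00BB3EF9:0150C5DD push dword ptr [register]
0039 00BB40F1:014FF38F ; not implemented
0052 00BB41A7:0152C47F ; not implemented, presumably add esp,4
0061 00BB4225:01461D1F
0066 00BB426B:0148771E mov register,context.esp ; mov ebp,esp ends up here
"""

# seq  pcode address : handler address  [decoded text [; annotation]]
LINE_RE = re.compile(r'^(\d{4})\s+([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8})\s*(.*)$')


@dataclass
class PcodeEntry:
    seq: int          # running number of the pcode entry in the trace
    pcode_addr: int   # address of the pcode entry inside the VM's bytecode stream
    handler: int      # address of the native handler that interpreted it
    text: str         # decoded meaning, '' when the handler is not decoded yet
    comment: str      # annotation after ';', '' when there is none


def parse_trace(trace: str) -> list[PcodeEntry]:
    """Parse every non-empty line of the listing into a PcodeEntry."""
    entries = []
    for raw in trace.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised trace line: {raw!r}")
        seq, paddr, handler, rest = m.groups()
        text, _, comment = rest.partition(';')
        entries.append(PcodeEntry(int(seq), int(paddr, 16), int(handler, 16),
                                  text.strip(), comment.strip()))
    return entries


def handler_histogram(entries: list[PcodeEntry]) -> Counter:
    """How many times each handler address was executed."""
    return Counter(e.handler for e in entries)


def undecoded_handlers(entries: list[PcodeEntry]) -> list[int]:
    """Handler addresses that still have no decoded text (work left to do)."""
    return sorted({e.handler for e in entries if not e.text})


def pcode_stride(entries: list[PcodeEntry]) -> set[int]:
    """Distances between pcode addresses of consecutive entries.

    A single value means the bytecode stream uses fixed-size entries.
    """
    return {b.pcode_addr - a.pcode_addr
            for a, b in zip(entries, entries[1:]) if b.seq == a.seq + 1}


if __name__ == "__main__":
    entries = parse_trace(SAMPLE_TRACE)
    print(f"{len(entries)} entries, {len(handler_histogram(entries))} distinct handlers")
    for handler, hits in handler_histogram(entries).most_common():
        print(f"  handler {handler:08X}: {hits} hit(s)")
    print("undecoded handlers:", [f"{h:08X}" for h in undecoded_handlers(entries)])
    print("pcode entry stride:", [hex(s) for s in pcode_stride(entries)])
```

Feeding the full run trace to `parse_trace` gives the handler histogram that tells you which few handlers (the `mov register`, `push`, `rep movsb` primitives) make up most of the pcode volume, and `undecoded_handlers` is the to-do list for the remaining ones.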