首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 加壳脱壳
    3. 发新帖
[原创]VMProtect分析(三)
发表于: 2021-7-16 18:26 24888

[原创]VMProtect分析(三)

Anakin Stone 活跃值
2
2021-7-16 18:26
24888


参考上节的跟踪记录vm_tls.txt,可以看到第117行和第290行的VmCALL将代码分成3块,标记为Chunk1 - Chunk3,我们先看下VmCALL的实现,再分别分析这3块代码。


shrd rsi,rbx,cl

mov esi,dword ptr ss:[rbp]

Esi = 栈顶DWORD

clc

stc

add rbp,8

jmp   vmp_userdebugger.7FF69E7403F7

bsf ax,di

sar r12d,cl

inc r12d

shl ch,5

lea r12,qword ptr ds:[7FF69E74065C]

R12 固定取7FF69E74065C

rcl al,7

not bh

mov rax,100000000

rcr rbx,10

add rsi,rax

Rsi += 100000000

xchg al,bh

bsr bx,dx

shld bx,sp,cl

rcr ebx,cl

mov rbx,rsi

Rbx = Rsi

movsx cx,cl

add rsi,qword ptr ss:[rbp]

Rsi += 栈顶QWORD, 注意此处未调整RBP栈指针

可以看到,VmCALL取栈中DWORD作为基数计算RBX和RSI,我们第一篇分析过,RSI指向字节码缓冲区,RBX为解密Seed,也就是说每个Chunk都有自己的RSI和RBX。


在继续分析Chunk之前,可先参考下节Nor Gate说明,其对用到的运算的Nor变换做了详细说明,下面的分析不在赘述。

 

[AnakinVmPOP V_98                 ;V_98 = $HandlerBase

[AnakinVmPUSH FFFFFFFF9F5A5C32

[AnakinVmADD

[AnakinVmPOP V_40

[AnakinVmPOP V_B8

[AnakinVmPOP V_28

[AnakinVmPOP V_18

[AnakinVmPOP V_00

[AnakinVmPOP V_78

[AnakinVmPOP V_A0

[AnakinVmPOP V_90

[AnakinVmPOP V_40

[AnakinVmPOP V_20

[AnakinVmPOP V_68

[AnakinVmPOP V_50

[AnakinVmPOP V_58

[AnakinVmPOP V_30

[AnakinVmPOP V_B0

[AnakinVmPOP V_38

[AnakinVmPOP V_48

[AnakinVmPOP V_70

[AnakinVmPOP V_88

[AnakinVmPOP V_10

[AnakinVmPOP V_A8

[AnakinVmPUSH 0000000064765E24    ;压栈分支1标识

[AnakinVmPUSHB8 00

[AnakinVmPUSH 000000014018B3E7

[AnakinVmPUSH V_98

[AnakinVmADD

[AnakinVmPOP V_08

[AnakinVmREADB                    ;b = BYTE:[000000014018B3E7 + $HandlerBase]

[AnakinVmSBP

[AnakinVmREADB

[AnakinVmNOTANDB                  ;b = ~b

[AnakinVmPOP V_60         

[AnakinVmADDB                     ;b = 00 + b

[AnakinVmPOP V_10                 ;V_10 = eflags

[AnakinVmSBP

[AnakinVmREADB

[AnakinVmNOTANDB                  ;b = ~b

[AnakinVmPOP V_80                 ;V_80 = eflags

[AnakinVmPOPW8 V_60               ;V_60 = b  

[AnakinVmPUSH V_10

[AnakinVmPUSH V_10

[AnakinVmNOTAND                   ;d1 = NOTAND(V_10, V_10)            => d1 = ~V_10

[AnakinVmPOP V_60

[AnakinVmPUSH FFFFFFFFFFFFF7EA

[AnakinVmNOTAND                   ;d1 = NOTAND(d1, FFFFF7EA)          => d1 = Nor(~V_10, ~00000815) = V_10 & 00000815

[AnakinVmPOP V_08

[AnakinVmPUSH V_80                

[AnakinVmPUSH V_80

[AnakinVmNOTAND                   ;d2 = NOTAND(V_80, V_80)            => d2 = ~V_80

[AnakinVmPOP V_60

[AnakinVmPUSH 0000000000000815

[AnakinVmNOTAND                   ;d2 = NOTAND(d2, 00000815)          => d2 = Nor(~V_80, ~FFFFF7EA) = V_80 & FFFFF7EA

[AnakinVmPOP V_08

[AnakinVmADD

[AnakinVmPOP V_08

[AnakinVmPOP V_70                 ;V_70 = d1 + d2                     => V_70 = EFLAGS(BYTE:[000000014018B3E7 + $HandlerBase] - 0)

[AnakinVmPUSH 0000000064766651    ;压栈分支2标识

[AnakinVmSBP                      ;压栈栈顶指针,用于后文选择分支

[AnakinVmPUSHB8 03

[AnakinVmPUSHD 000000BF

[AnakinVmPUSH V_70

[AnakinVmNOTAND                   ;q = CDQ(NOTAND(V_70, 000000BF))    => ZF == 0 ? 0b1000000 : 0 

[AnakinVmPOP V_68

[AnakinVmSHR                      ;q = SHR(q, 3)                      => ZF == 0 ? 8 : 0 

[AnakinVmPOP V_08

[AnakinVmADD                      ;q += SavedRBP (上文压栈的栈顶指针,选择分支)

[AnakinVmPOP V_08

[AnakinVmREADQ

[AnakinVmPOP V_A8                 ;V_A8 = QWORD:[q](取分支标识)

[AnakinVmPOP V_68

[AnakinVmPOP V_08

[AnakinVmPUSH V_A8

[AnakinVmPOPD V_A8                ;V_A8 = CQD(V_A8)

[AnakinVmPUSHD V_A8               

[AnakinVmSBP

[AnakinVmREADD

[AnakinVmNOTANDD                  ;d1 = NOTAND(V_A8, V_A8)

[AnakinVmPOP V_08

[AnakinVmPUSHD DB91AA8C

[AnakinVmNOTANDD                  ;d1 = NOTAND(d1, DB91AA8C)          => d1 = Nor(~V_A8, ~246E5573)

[AnakinVmPOP V_68

[AnakinVmPUSHD 246E5573

[AnakinVmPUSHD V_A8

[AnakinVmNOTANDD                  ;d2 = NOTAND(V_A8, 246E5573)        => d2 = Nor(V_A8, 246E5573)

[AnakinVmPOP V_60

[AnakinVmNOTANDD

[AnakinVmPOP V_60

[AnakinVmPOP V_08                 ;V_08 = NOTAND(d2, d1)              => V_08 = Nor(d1, d2) = V_A8 ^ 246E5573 (分支标识解密)

[AnakinVmPUSH V_18

[AnakinVmPUSH V_98

[AnakinVmPUSH V_60

[AnakinVmPUSH V_00

[AnakinVmPUSH V_88

[AnakinVmPUSH V_50

[AnakinVmPUSH V_30

[AnakinVmPUSH V_B0

[AnakinVmPUSH V_20

[AnakinVmPUSH V_28

[AnakinVmPUSH V_38

[AnakinVmPUSH V_78

[AnakinVmPUSH V_A0

[AnakinVmPUSH V_90

[AnakinVmPUSH V_58

[AnakinVmPUSH V_48

[AnakinVmPUSH V_40

[AnakinVmPUSH V_18

[AnakinVmPUSH V_70

[AnakinVmPUSH V_B8

[AnakinVmPUSH 0000000060A5A3CE

[AnakinVmADD

[AnakinVmPOP V_60

[AnakinVmPUSH V_98

[AnakinVmPUSH V_08                ;压栈解码后的分支标识                           

[AnakinVmCALL                      ;调用选择分支


等价逻辑:

If (*(BYTE*)(000000014018B3E7 + $HandlerBase) != 0)

{

//未执行

VmCALL 40180B57

}

Else

{

//即Chunk2

VmCALL 40183322

}


[AnakinVmPOP V_90                     ;V_90 = $HandlerBase

[AnakinVmPUSH FFFFFFFF9F5A5C32

[AnakinVmADD

[AnakinVmPOP V_20

[AnakinVmPOP V_00

[AnakinVmPOP V_70

[AnakinVmPOP V_80

[AnakinVmPOP V_60

[AnakinVmPOP V_98

[AnakinVmPOP V_38

[AnakinVmPOP V_48

[AnakinVmPOP V_28

[AnakinVmPOP V_18

[AnakinVmPOP V_30

[AnakinVmPOP V_10

[AnakinVmPOP V_88

[AnakinVmPOP V_08

[AnakinVmPOP V_A8

[AnakinVmPOP V_40

[AnakinVmPOP V_20

[AnakinVmPOP V_68

[AnakinVmPOPD V_78                    ;V_78 = eflags

[AnakinVmPUSHD V_78

[AnakinVmPUSHD V_78

[AnakinVmNOTANDD

[AnakinVmPOP V_B0

[AnakinVmPUSHD DB91AA8C

[AnakinVmNOTANDD

[AnakinVmPOP V_B8

[AnakinVmPUSHD 246E5573

[AnakinVmPUSHD V_78

[AnakinVmNOTANDD

[AnakinVmPOP V_50

[AnakinVmNOTANDD

[AnakinVmPOP V_B0

[AnakinVmPOP V_A0                     ;V_A0 = V_78 ^ 246E5573

[AnakinVmPOP V_58

[AnakinVmPOP V_B8

[AnakinVmPUSH V_70

[AnakinVmPUSH V_88

[AnakinVmPUSH V_08

[AnakinVmPUSH V_48

[AnakinVmPUSH V_98

[AnakinVmPUSH V_80

[AnakinVmPUSH V_A8

[AnakinVmPUSH 000000000CABFA9E        ;PUSH Branch1

[AnakinVmPUSH 000000014018B3E7

[AnakinVmPUSH V_90

[AnakinVmADD

[AnakinVmPOP V_50                     ;PUSH (V_90 + 000000014018B3E7)

[AnakinVmPUSH 0000000140000000

[AnakinVmPUSH V_90

[AnakinVmADD

[AnakinVmPOP V_58

[AnakinVmPOP V_50                     ;V_50 = V_90 + 0000000140000000         => V_50 = PIMAGE_DOS_HEADER

[AnakinVmPUSH V_50

[AnakinVmPUSHD 0000003C

[AnakinVmADD

[AnakinVmPOP V_58                     ;PUSH (V_50 + 0000003C)

[AnakinVmREADD

[AnakinVmPOPD V_88                    ;V_88 = DWORD:[BP]                      => V_88 = PIMAGE_DOS_HEADER->e_lfanew

[AnakinVmPUSH 0000000000000000

[AnakinVmPOPD V_8C

[AnakinVmPUSH V_88

[AnakinVmPUSH V_50

[AnakinVmADD

[AnakinVmPOP V_A8                     ;PUSH (V_50 + V_88)                     => PUSH PIMAGE_NT_HEADERS64

[AnakinVmSBP

[AnakinVmREADQ        

[AnakinVmPOP V_B0   

[AnakinVmPUSHD 00000028               

[AnakinVmADD

[AnakinVmPOP V_A8                     ;PUSH (PIMAGE_NT_HEADERS64 + 00000028)  => PUSH PIMAGE_NT_HEADERS64->AddressOfEntryPoint

[AnakinVmREADD

[AnakinVmPOPD V_B0                    ;V_B0 = AddressOfEntryPoint

[AnakinVmPUSH 0000000000000000

[AnakinVmPOPD V_B4                    ;V_B4 = 0

[AnakinVmPUSH V_50

[AnakinVmPUSH V_B0

[AnakinVmADD

[AnakinVmPOP V_A8

[AnakinVmPOP V_A8                     ;V_A8 = V_B0 + V_50

[AnakinVmPUSHB8 cc

[AnakinVmPUSH V_A8

[AnakinVmREADB                        ;b = BYTE:[V_A8], 判断程序入口点地址第一个字节是不是‘0xCC’

[AnakinVmSBP                          ;判断逻辑参考Chunk1Nor Gate

[AnakinVmREADB

[AnakinVmNOTANDB

[AnakinVmPOP V_58                     

[AnakinVmADDB

[AnakinVmPOP V_58

[AnakinVmSBP

[AnakinVmREADB

[AnakinVmNOTANDB

[AnakinVmPOP V_B8

[AnakinVmPOPW8 V_70

[AnakinVmPUSH V_58

[AnakinVmSBP

[AnakinVmREADQ

[AnakinVmNOTAND

[AnakinVmPOP V_88

[AnakinVmPUSH FFFFFFFFFFFFF7EA

[AnakinVmNOTAND

[AnakinVmPOP V_B0

[AnakinVmPUSH V_B8

[AnakinVmPUSH V_B8

[AnakinVmNOTAND

[AnakinVmPOP V_70

[AnakinVmPUSH 0000000000000815

[AnakinVmNOTAND

[AnakinVmPOP V_88

[AnakinVmADD

[AnakinVmPOP V_88

[AnakinVmPOP V_70

[AnakinVmPOP V_88

[AnakinVmPUSH 000000000CABFDC1        ;PUSH Branch2

[AnakinVmSBP

[AnakinVmPUSHB8 03

[AnakinVmPUSHD 000000BF

[AnakinVmPUSH V_70

[AnakinVmNOTAND

[AnakinVmPOP V_A0

[AnakinVmSHR

[AnakinVmPOP V_B0

[AnakinVmADD

[AnakinVmPOP V_B0

[AnakinVmREADQ

[AnakinVmPOP V_58

[AnakinVmPOP V_B0

[AnakinVmPOP V_08

[AnakinVmPUSH V_58

[AnakinVmPOPD V_58

[AnakinVmPUSHD V_58

[AnakinVmSBP

[AnakinVmREADD

[AnakinVmNOTANDD

[AnakinVmPOP V_A0

[AnakinVmPUSHD B34CBE36

[AnakinVmNOTANDD

[AnakinVmPOP V_78

[AnakinVmPUSHD 4CB341C9       

[AnakinVmPUSHD V_58

[AnakinVmNOTANDD

[AnakinVmPOP V_B0

[AnakinVmNOTANDD

[AnakinVmPOP V_B0

[AnakinVmPOP V_08                     ;V_08 = $Branch ^ 4CB341C9

[AnakinVmPUSH V_50

[AnakinVmPUSH V_08

[AnakinVmPUSH V_80

[AnakinVmPUSH V_B0

[AnakinVmPUSH V_40

[AnakinVmPUSH V_88

[AnakinVmPUSH V_38

[AnakinVmPUSH V_98

[AnakinVmPUSH V_18

[AnakinVmPUSH V_68

[AnakinVmPUSH V_28

[AnakinVmPUSH V_30

[AnakinVmPUSH V_48

[AnakinVmPUSH V_60

[AnakinVmPUSH V_10

[AnakinVmPUSH V_A8

[AnakinVmPUSH V_20

[AnakinVmPUSH V_50

[AnakinVmPUSH V_70

[AnakinVmPUSH V_00

[AnakinVmPUSH 0000000060A5A3CE

[AnakinVmADD

[AnakinVmPOP V_B0

[AnakinVmPUSH V_90

[AnakinVmPUSH V_08                     ;压栈选择的分支


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 6
支持
分享
最新回复 (4)
wx_随风_744
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
2
厉害啊
2021-7-20 08:40
0
xiaohang
雪    币: 2149
活跃值: (3211)
能力值: (RANK:260 )
在线值:
发帖
回帖
粉丝
私信
3
怎么都没人回复了,是看懵圈了吗?
2021-7-21 10:41
1
wx_变。
雪    币: 553
活跃值: (241)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
看懵圈了
2021-7-21 19:19
0
朽_木
雪    币: 316
活跃值: (67)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
厉害
2021-7-23 11:57
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//