首页
社区
课程
招聘
使vmp生成较干净的解释器
发表于: 2022-5-30 08:34 17314

使vmp生成较干净的解释器

2022-5-30 08:34
17314

很长时间没上论坛了 把帖子翻了翻 看到这篇文章 挺感兴趣的
想着也很久没有调试软件了 于是花了大概大半天时间 把vmp3的加壳过程调了调

加壳入口 读取配置 要做什么样的保护 倒是vm了

但由于作者在生成解释器过程中存在大量的for循环以及stl相关
可能考虑性能 这部分并没有vm
需要抛异常 导致有一系列比较重要的字符串方便定位(Runtime error at xxxx)

下断这里 可以看到加壳后整个pe的拷贝过程

不过此时
已经是要写入pe文件的数据了(上层为Runtime error at WriteToFile)

核心是如抛Runtime error at CompileToNative的几个函数
里面大概包含的整个解释器和字节码处理过程 会生成多组引擎(如加解密立即数、混淆等)

想生成干净的解释器
有点简单的处理方式

将这个函数头直接ret掉

生成的解释器代码就会比较干净
大概这样

此时就神似vmp1.x了
除去vmcase
仅包含一些取vm_opcode/立即数的加解密
(其实几套解释器在vmp2.x都并未vm)

rva对应的版本号为vmp v3.4.0[waterlord4@gmail.com]那个

已经发帖的时候 都不知道怎么发了
找了好久 发现按钮在右上角...

 
0000000000269140  0F 00 00 00 00 00 00 00 C8 04 08 00 00 00 00 00  ........È.......
0000000000269140  0F 00 00 00 00 00 00 00 C8 04 08 00 00 00 00 00  ........È.......
 
rva:260E7F
 
000000013F5A0E7F   | 41:8D56 01              | lea edx,qword ptr ds:[r14+1]                                |
000000013F5A0E83   | E8 D8A3DE00             | call vmprotect.14038B260                                    |
000000013F5A0E88   | 48:8973 20              | mov qword ptr ds:[rbx+20],rsi                               |
000000013F5A0E8C   | 48:8B4B 28              | mov rcx,qword ptr ds:[rbx+28]                               |
000000013F5A0E90   | 4C:8BC7                 | mov r8,rdi                                                  |
000000013F5A0E93   | 48:03CE                 | add rcx,rsi                                                 |
000000013F5A0E96   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0E99   | E8 82ECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0E9E   | 48:017B 28              | add qword ptr ds:[rbx+28],rdi                               |
000000013F5A0EA2   | 48:8BC7                 | mov rax,rdi                                                 |
000000013F5A0EA5   | E9 EA000000             | jmp vmprotect.13F5A0F94                                     |
000000013F5A0EAA   | 48:85F6                 | test rsi,rsi                                                |
000000013F5A0EAD   | 74 24                   | je vmprotect.13F5A0ED3                                      |
000000013F5A0EAF   | E8 2CFCFFFF             | call vmprotect.13F5A0AE0                                    | copy
000000013F5A0EB4   | 48:0343 28              | add rax,qword ptr ds:[rbx+28]                               | add length
000000013F5A0EB8   | 4C:8BC6                 | mov r8,rsi                                                  |
000000013F5A0EBB   | 48:8BC8                 | mov rcx,rax                                                 |
000000013F5A0EBE   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0EC1   | E8 5AECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0EC6   | 48:0173 28              | add qword ptr ds:[rbx+28],rsi                               |
000000013F5A0ECA   | 48:2BFE                 | sub rdi,rsi                                                 |
000000013F5A0ECD   | 48:03EE                 | add rbp,rsi                                                 |
000000013F5A0ED0   | 4C:8BF6                 | mov r14,rsi                                                 |
000000013F5A0ED3   | B2 01                   | mov dl,1                                                    |
000000013F5A0ED5   | 48:8BCB                 | mov rcx,rbx                                                 |
000000013F5A0ED8   | E8 53FCFFFF             | call vmprotect.13F5A0B30                                    | copy
000000013F5A0EDD   | 48:8B4B 08              | mov rcx,qword ptr ds:[rbx+8]                                |
000000013F5A0EE1   | 48:3B7B 18              | cmp rdi,qword ptr ds:[rbx+18]                               | add length
000000013F5A0EE5   | 0F83 90000000           | jae vmprotect.13F5A0F7B                                     |
rva:260E7F
 
000000013F5A0E7F   | 41:8D56 01              | lea edx,qword ptr ds:[r14+1]                                |
000000013F5A0E83   | E8 D8A3DE00             | call vmprotect.14038B260                                    |
000000013F5A0E88   | 48:8973 20              | mov qword ptr ds:[rbx+20],rsi                               |
000000013F5A0E8C   | 48:8B4B 28              | mov rcx,qword ptr ds:[rbx+28]                               |
000000013F5A0E90   | 4C:8BC7                 | mov r8,rdi                                                  |
000000013F5A0E93   | 48:03CE                 | add rcx,rsi                                                 |
000000013F5A0E96   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0E99   | E8 82ECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0E9E   | 48:017B 28              | add qword ptr ds:[rbx+28],rdi                               |
000000013F5A0EA2   | 48:8BC7                 | mov rax,rdi                                                 |
000000013F5A0EA5   | E9 EA000000             | jmp vmprotect.13F5A0F94                                     |
000000013F5A0EAA   | 48:85F6                 | test rsi,rsi                                                |
000000013F5A0EAD   | 74 24                   | je vmprotect.13F5A0ED3                                      |
000000013F5A0EAF   | E8 2CFCFFFF             | call vmprotect.13F5A0AE0                                    | copy
000000013F5A0EB4   | 48:0343 28              | add rax,qword ptr ds:[rbx+28]                               | add length
000000013F5A0EB8   | 4C:8BC6                 | mov r8,rsi                                                  |
000000013F5A0EBB   | 48:8BC8                 | mov rcx,rax                                                 |
000000013F5A0EBE   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0EC1   | E8 5AECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0EC6   | 48:0173 28              | add qword ptr ds:[rbx+28],rsi                               |
000000013F5A0ECA   | 48:2BFE                 | sub rdi,rsi                                                 |
000000013F5A0ECD   | 48:03EE                 | add rbp,rsi                                                 |
000000013F5A0ED0   | 4C:8BF6                 | mov r14,rsi                                                 |
000000013F5A0ED3   | B2 01                   | mov dl,1                                                    |
000000013F5A0ED5   | 48:8BCB                 | mov rcx,rbx                                                 |
000000013F5A0ED8   | E8 53FCFFFF             | call vmprotect.13F5A0B30                                    | copy
000000013F5A0EDD   | 48:8B4B 08              | mov rcx,qword ptr ds:[rbx+8]                                |
000000013F5A0EE1   | 48:3B7B 18              | cmp rdi,qword ptr ds:[rbx+18]                               | add length
000000013F5A0EE5   | 0F83 90000000           | jae vmprotect.13F5A0F7B                                     |
 
 
rva:1BCC00
 
000000013F4FCC00   | 40:55                   | push rbp                                                    |
000000013F4FCC02   | 56                      | push rsi                                                    |
000000013F4FCC03   | 57                      | push rdi                                                    |
000000013F4FCC04   | 41:54                   | push r12                                                    |
000000013F4FCC06   | 41:55                   | push r13                                                    |
000000013F4FCC08   | 41:56                   | push r14                                                    |
000000013F4FCC0A   | 41:57                   | push r15                                                    |
000000013F4FCC0C   | 48:8DAC24 E0E3FFFF      | lea rbp,qword ptr ss:[rsp-1C20]                             |
000000013F4FCC14   | B8 201D0000             | mov eax,1D20                                                |
000000013F4FCC19   | E8 D2ECE800             | call vmprotect.14038B8F0                                    |
000000013F4FCC1E   | 48:2BE0                 | sub rsp,rax                                                 |
000000013F4FCC21   | 48:C785 D0030000 FEFFFF | mov qword ptr ss:[rbp+3D0],FFFFFFFFFFFFFFFE                 |
000000013F4FCC2C   | 48:899C24 701D0000      | mov qword ptr ss:[rsp+1D70],rbx                             |
000000013F4FCC34   | 48:8B05 D5A2B401        | mov rax,qword ptr ds:[141046F10]                            |
000000013F4FCC3B   | 48:33C4                 | xor rax,rsp                                                 |
rva:1BCC00
 
000000013F4FCC00   | 40:55                   | push rbp                                                    |
000000013F4FCC02   | 56                      | push rsi                                                    |
000000013F4FCC03   | 57                      | push rdi                                                    |
000000013F4FCC04   | 41:54                   | push r12                                                    |
000000013F4FCC06   | 41:55                   | push r13                                                    |
000000013F4FCC08   | 41:56                   | push r14                                                    |
000000013F4FCC0A   | 41:57                   | push r15                                                    |
000000013F4FCC0C   | 48:8DAC24 E0E3FFFF      | lea rbp,qword ptr ss:[rsp-1C20]                             |
000000013F4FCC14   | B8 201D0000             | mov eax,1D20                                                |
000000013F4FCC19   | E8 D2ECE800             | call vmprotect.14038B8F0                                    |
000000013F4FCC1E   | 48:2BE0                 | sub rsp,rax                                                 |

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 11
支持
分享
打赏 + 10.00雪花
打赏次数 1 雪花 + 10.00
 
赞赏  pxhb   +10.00 2022/05/30 感谢分享,比那些炫技的好多了,亲测有用
最新回复 (10)
雪    币: 3274
活跃值: (2823)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
 感谢分享,之前找了好久,找不到怎么生成没有vm的。
2022-5-30 09:00
0
雪    币: 210
活跃值: (1697)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
牛逼
2022-5-30 10:55
0
雪    币: 576
活跃值: (2035)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
mark,到壳学习曲线突陡
2022-5-30 12:59
0
雪    币: 6542
活跃值: (4511)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
5
如果能像那个帖子一样去除vm代码就更完美了
2022-5-31 08:46
0
雪    币: 650
活跃值: (4197)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
6
感谢分享 学习了
2022-6-13 12:01
0
雪    币: 897
活跃值: (5916)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
是否會為所有版本提供補丁,直到最新版本?
2022-6-19 19:00
0
雪    币: 6314
活跃值: (952)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
8
感谢分享
2022-9-6 18:29
0
雪    币: 1802
活跃值: (4000)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
感谢分享
2022-9-16 09:08
0
雪    币: 3176
活跃值: (1786)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
mark
2023-8-27 12:07
0
雪    币: 3004
活跃值: (30866)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
感谢分享
2023-8-27 18:49
1
游客
登录 | 注册 方可回帖
返回
//