很长时间没上论坛了 把帖子翻了翻 看到这篇文章 挺感兴趣的
想着也很久没有调试软件了 于是花了大概大半天时间 把vmp3的加壳过程调了调
加壳入口 读取配置 要做什么样的保护 倒是vm了
但由于作者在生成解释器过程中存在大量的for循环以及stl相关
可能考虑性能 这部分并没有vm
需要抛异常 导致有一系列比较重要的字符串方便定位(Runtime error at xxxx)
下断这里 可以看到加壳后整个pe的拷贝过程
不过此时
已经是要写入pe文件的数据了(上层为Runtime error at WriteToFile)
核心是如抛Runtime error at CompileToNative的几个函数
里面大概包含的整个解释器和字节码处理过程 会生成多组引擎(如加解密立即数、混淆等)
想生成干净的解释器
有点简单的处理方式
将这个函数头直接ret掉
生成的解释器代码就会比较干净
大概这样
此时就神似vmp1.x了
除去vmcase
仅包含一些取vm_opcode/立即数的加解密
(其实几套解释器在vmp2.x都并未vm)
rva对应的版本号为vmp v3.4.0[waterlord4@gmail.com]那个
已经发帖的时候 都不知道怎么发了
找了好久 发现按钮在右上角...
0000000000269140 0F 00 00 00 00 00 00 00 C8 04 08 00 00 00 00 00 ........È.......
0000000000269140 0F 00 00 00 00 00 00 00 C8 04 08 00 00 00 00 00 ........È.......
rva:260E7F
000000013F5A0E7F | 41:8D56 01 | lea edx,qword ptr ds:[r14+1] |
000000013F5A0E83 | E8 D8A3DE00 | call vmprotect.14038B260 |
000000013F5A0E88 | 48:8973 20 | mov qword ptr ds:[rbx+20],rsi |
000000013F5A0E8C | 48:8B4B 28 | mov rcx,qword ptr ds:[rbx+28] |
000000013F5A0E90 | 4C:8BC7 | mov r8,rdi |
000000013F5A0E93 | 48:03CE | add rcx,rsi |
000000013F5A0E96 | 48:8BD5 | mov rdx,rbp |
000000013F5A0E99 | E8 82ECDE00 | call vmprotect.14038FB20 |
000000013F5A0E9E | 48:017B 28 | add qword ptr ds:[rbx+28],rdi |
000000013F5A0EA2 | 48:8BC7 | mov rax,rdi |
000000013F5A0EA5 | E9 EA000000 | jmp vmprotect.13F5A0F94 |
000000013F5A0EAA | 48:85F6 | test rsi,rsi |
000000013F5A0EAD | 74 24 | je vmprotect.13F5A0ED3 |
000000013F5A0EAF | E8 2CFCFFFF | call vmprotect.13F5A0AE0 | copy
000000013F5A0EB4 | 48:0343 28 | add rax,qword ptr ds:[rbx+28] | add length
000000013F5A0EB8 | 4C:8BC6 | mov r8,rsi |
000000013F5A0EBB | 48:8BC8 | mov rcx,rax |
000000013F5A0EBE | 48:8BD5 | mov rdx,rbp |
000000013F5A0EC1 | E8 5AECDE00 | call vmprotect.14038FB20 |
000000013F5A0EC6 | 48:0173 28 | add qword ptr ds:[rbx+28],rsi |
000000013F5A0ECA | 48:2BFE | sub rdi,rsi |
000000013F5A0ECD | 48:03EE | add rbp,rsi |
000000013F5A0ED0 | 4C:8BF6 | mov r14,rsi |
000000013F5A0ED3 | B2 01 | mov dl,1 |
000000013F5A0ED5 | 48:8BCB | mov rcx,rbx |
000000013F5A0ED8 | E8 53FCFFFF | call vmprotect.13F5A0B30 | copy
000000013F5A0EDD | 48:8B4B 08 | mov rcx,qword ptr ds:[rbx+8] |
000000013F5A0EE1 | 48:3B7B 18 | cmp rdi,qword ptr ds:[rbx+18] | add length
000000013F5A0EE5 | 0F83 90000000 | jae vmprotect.13F5A0F7B |
rva:260E7F
000000013F5A0E7F | 41:8D56 01 | lea edx,qword ptr ds:[r14+1] |
000000013F5A0E83 | E8 D8A3DE00 | call vmprotect.14038B260 |
000000013F5A0E88 | 48:8973 20 | mov qword ptr ds:[rbx+20],rsi |
000000013F5A0E8C | 48:8B4B 28 | mov rcx,qword ptr ds:[rbx+28] |
000000013F5A0E90 | 4C:8BC7 | mov r8,rdi |
000000013F5A0E93 | 48:03CE | add rcx,rsi |
000000013F5A0E96 | 48:8BD5 | mov rdx,rbp |
000000013F5A0E99 | E8 82ECDE00 | call vmprotect.14038FB20 |
000000013F5A0E9E | 48:017B 28 | add qword ptr ds:[rbx+28],rdi |
000000013F5A0EA2 | 48:8BC7 | mov rax,rdi |
000000013F5A0EA5 | E9 EA000000 | jmp vmprotect.13F5A0F94 |
000000013F5A0EAA | 48:85F6 | test rsi,rsi |
000000013F5A0EAD | 74 24 | je vmprotect.13F5A0ED3 |
000000013F5A0EAF | E8 2CFCFFFF | call vmprotect.13F5A0AE0 | copy
000000013F5A0EB4 | 48:0343 28 | add rax,qword ptr ds:[rbx+28] | add length
000000013F5A0EB8 | 4C:8BC6 | mov r8,rsi |
000000013F5A0EBB | 48:8BC8 | mov rcx,rax |
000000013F5A0EBE | 48:8BD5 | mov rdx,rbp |
000000013F5A0EC1 | E8 5AECDE00 | call vmprotect.14038FB20 |
000000013F5A0EC6 | 48:0173 28 | add qword ptr ds:[rbx+28],rsi |
000000013F5A0ECA | 48:2BFE | sub rdi,rsi |
000000013F5A0ECD | 48:03EE | add rbp,rsi |
000000013F5A0ED0 | 4C:8BF6 | mov r14,rsi |
000000013F5A0ED3 | B2 01 | mov dl,1 |
000000013F5A0ED5 | 48:8BCB | mov rcx,rbx |
000000013F5A0ED8 | E8 53FCFFFF | call vmprotect.13F5A0B30 | copy
000000013F5A0EDD | 48:8B4B 08 | mov rcx,qword ptr ds:[rbx+8] |
000000013F5A0EE1 | 48:3B7B 18 | cmp rdi,qword ptr ds:[rbx+18] | add length
000000013F5A0EE5 | 0F83 90000000 | jae vmprotect.13F5A0F7B |
rva:1BCC00
000000013F4FCC00 | 40:55 | push rbp |
000000013F4FCC02 | 56 | push rsi |
000000013F4FCC03 | 57 | push rdi |
000000013F4FCC04 | 41:54 | push r12 |
000000013F4FCC06 | 41:55 | push r13 |
000000013F4FCC08 | 41:56 | push r14 |
000000013F4FCC0A | 41:57 | push r15 |
000000013F4FCC0C | 48:8DAC24 E0E3FFFF | lea rbp,qword ptr ss:[rsp-1C20] |
000000013F4FCC14 | B8 201D0000 | mov eax,1D20 |
000000013F4FCC19 | E8 D2ECE800 | call vmprotect.14038B8F0 |
000000013F4FCC1E | 48:2BE0 | sub rsp,rax |
000000013F4FCC21 | 48:C785 D0030000 FEFFFF | mov qword ptr ss:[rbp+3D0],FFFFFFFFFFFFFFFE |
000000013F4FCC2C | 48:899C24 701D0000 | mov qword ptr ss:[rsp+1D70],rbx |
000000013F4FCC34 | 48:8B05 D5A2B401 | mov rax,qword ptr ds:[141046F10] |
000000013F4FCC3B | 48:33C4 | xor rax,rsp |
rva:1BCC00
000000013F4FCC00 | 40:55 | push rbp |
000000013F4FCC02 | 56 | push rsi |
000000013F4FCC03 | 57 | push rdi |
000000013F4FCC04 | 41:54 | push r12 |
000000013F4FCC06 | 41:55 | push r13 |
000000013F4FCC08 | 41:56 | push r14 |
000000013F4FCC0A | 41:57 | push r15 |
000000013F4FCC0C | 48:8DAC24 E0E3FFFF | lea rbp,qword ptr ss:[rsp-1C20] |
000000013F4FCC14 | B8 201D0000 | mov eax,1D20 |
000000013F4FCC19 | E8 D2ECE800 | call vmprotect.14038B8F0 |
000000013F4FCC1E | 48:2BE0 | sub rsp,rax |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
感谢分享,之前找了好久,找不到怎么生成没有vm的。
