Making VMProtect generate a cleaner interpreter
2022-5-30 08:34 16682


I have not been on the forum for a long time. Flipping through the posts, I saw this article and found it quite interesting.
I also have not debugged software for a long time, so I spent roughly half a day stepping through VMProtect 3's packing process.

 

The packer entry, which reads the configuration to decide what kind of protection to apply, is itself virtualized (VM'd).

0000000000269140  0F 00 00 00 00 00 00 00 C8 04 08 00 00 00 00 00  ........È.......

But because the author's interpreter-generation code contains a lot of for loops and STL-related code,
this part was not virtualized, presumably for performance.
It has to throw exceptions, which leaves a series of fairly useful strings for locating it (Runtime error at xxxx).

 

Set a breakpoint here and you can watch the whole packed PE being copied.

rva:260E7F
 
000000013F5A0E7F   | 41:8D56 01              | lea edx,qword ptr ds:[r14+1]                                |
000000013F5A0E83   | E8 D8A3DE00             | call vmprotect.14038B260                                    |
000000013F5A0E88   | 48:8973 20              | mov qword ptr ds:[rbx+20],rsi                               |
000000013F5A0E8C   | 48:8B4B 28              | mov rcx,qword ptr ds:[rbx+28]                               |
000000013F5A0E90   | 4C:8BC7                 | mov r8,rdi                                                  |
000000013F5A0E93   | 48:03CE                 | add rcx,rsi                                                 |
000000013F5A0E96   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0E99   | E8 82ECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0E9E   | 48:017B 28              | add qword ptr ds:[rbx+28],rdi                               |
000000013F5A0EA2   | 48:8BC7                 | mov rax,rdi                                                 |
000000013F5A0EA5   | E9 EA000000             | jmp vmprotect.13F5A0F94                                     |
000000013F5A0EAA   | 48:85F6                 | test rsi,rsi                                                |
000000013F5A0EAD   | 74 24                   | je vmprotect.13F5A0ED3                                      |
000000013F5A0EAF   | E8 2CFCFFFF             | call vmprotect.13F5A0AE0                                    | copy
000000013F5A0EB4   | 48:0343 28              | add rax,qword ptr ds:[rbx+28]                               | add length
000000013F5A0EB8   | 4C:8BC6                 | mov r8,rsi                                                  |
000000013F5A0EBB   | 48:8BC8                 | mov rcx,rax                                                 |
000000013F5A0EBE   | 48:8BD5                 | mov rdx,rbp                                                 |
000000013F5A0EC1   | E8 5AECDE00             | call vmprotect.14038FB20                                    |
000000013F5A0EC6   | 48:0173 28              | add qword ptr ds:[rbx+28],rsi                               |
000000013F5A0ECA   | 48:2BFE                 | sub rdi,rsi                                                 |
000000013F5A0ECD   | 48:03EE                 | add rbp,rsi                                                 |
000000013F5A0ED0   | 4C:8BF6                 | mov r14,rsi                                                 |
000000013F5A0ED3   | B2 01                   | mov dl,1                                                    |
000000013F5A0ED5   | 48:8BCB                 | mov rcx,rbx                                                 |
000000013F5A0ED8   | E8 53FCFFFF             | call vmprotect.13F5A0B30                                    | copy
000000013F5A0EDD   | 48:8B4B 08              | mov rcx,qword ptr ds:[rbx+8]                                |
000000013F5A0EE1   | 48:3B7B 18              | cmp rdi,qword ptr ds:[rbx+18]                               | add length
000000013F5A0EE5   | 0F83 90000000           | jae vmprotect.13F5A0F7B                                     |

At this point, however,
it is already the data about to be written to the PE file (the caller is the Runtime error at WriteToFile function).

 

The core is the handful of functions that throw Runtime error at CompileToNative.
They contain roughly the entire interpreter and bytecode processing flow, and generate multiple sets of engines (immediate encryption/decryption, obfuscation, and so on).

 

To generate a clean interpreter
there is a fairly simple approach:

rva:1BCC00
 
000000013F4FCC00   | 40:55                   | push rbp                                                    |
000000013F4FCC02   | 56                      | push rsi                                                    |
000000013F4FCC03   | 57                      | push rdi                                                    |
000000013F4FCC04   | 41:54                   | push r12                                                    |
000000013F4FCC06   | 41:55                   | push r13                                                    |
000000013F4FCC08   | 41:56                   | push r14                                                    |
000000013F4FCC0A   | 41:57                   | push r15                                                    |
000000013F4FCC0C   | 48:8DAC24 E0E3FFFF      | lea rbp,qword ptr ss:[rsp-1C20]                             |
000000013F4FCC14   | B8 201D0000             | mov eax,1D20                                                |
000000013F4FCC19   | E8 D2ECE800             | call vmprotect.14038B8F0                                    |
000000013F4FCC1E   | 48:2BE0                 | sub rsp,rax                                                 |
000000013F4FCC21   | 48:C785 D0030000 FEFFFF | mov qword ptr ss:[rbp+3D0],FFFFFFFFFFFFFFFE                 |
000000013F4FCC2C   | 48:899C24 701D0000      | mov qword ptr ss:[rsp+1D70],rbx                             |
000000013F4FCC34   | 48:8B05 D5A2B401        | mov rax,qword ptr ds:[141046F10]                            |
000000013F4FCC3B   | 48:33C4                 | xor rax,rsp                                                 |

Patch the head of this function so that it returns immediately (ret).

 

The generated interpreter code is then fairly clean,
roughly like this:

000000013F97347D | 68 7C4A1D2E              | push 2E1D4A7C                          |
000000013F973482 | E8 D0400800              | call project2.vmp.13F9F7557            |
 
000000013F9F7557 | 52                       | push rdx                               | rdx:EntryPoint
000000013F9F7558 | 56                       | push rsi                               |
000000013F9F7559 | 41:57                    | push r15                               |
000000013F9F755B | 50                       | push rax                               |
000000013F9F755C | 55                       | push rbp                               |
000000013F9F755D | 41:51                    | push r9                                | r9:EntryPoint
000000013F9F755F | 51                       | push rcx                               |
000000013F9F7560 | 41:52                    | push r10                               |
000000013F9F7562 | 41:56                    | push r14                               |
000000013F9F7564 | 41:53                    | push r11                               |
000000013F9F7566 | 9C                       | pushfq                                 |
000000013F9F7567 | 41:55                    | push r13                               |
000000013F9F7569 | 57                       | push rdi                               |
000000013F9F756A | 41:54                    | push r12                               |
000000013F9F756C | 53                       | push rbx                               |
000000013F9F756D | 41:50                    | push r8                                |
000000013F9F756F | 48:BE 000074FFFFFFFFFF   | mov rsi,FFFFFFFFFF740000               |
000000013F9F7579 | 56                       | push rsi                               |
000000013F9F757A | 4C:8B8424 90000000       | mov r8,qword ptr ss:[rsp+90]           |
000000013F9F7582 | 41:0FC8                  | bswap r8d                              |
000000013F9F7585 | 41:81C0 73798F43         | add r8d,438F7973                       |
000000013F9F758C | 41:C1C8 03               | ror r8d,3                              |
000000013F9F7590 | 41:F7D0                  | not r8d                                |
000000013F9F7593 | 41:C1C0 02               | rol r8d,2                              |
000000013F9F7597 | 41:F7D0                  | not r8d                                |
000000013F9F759A | 41:FFC0                  | inc r8d                                |
000000013F9F759D | 41:D1C0                  | rol r8d,1                              |
000000013F9F75A0 | 41:F7D0                  | not r8d                                |
000000013F9F75A3 | 4C:03C6                  | add r8,rsi                             |
000000013F9F75A6 | 49:BA 0000000001000000   | mov r10,100000000                      |
000000013F9F75B0 | 4D:03C2                  | add r8,r10                             |
000000013F9F75B3 | 48:8BFC                  | mov rdi,rsp                            |
000000013F9F75B6 | 48:81EC 80010000         | sub rsp,180                            |
000000013F9F75BD | 48:81E4 F0FFFFFF         | and rsp,FFFFFFFFFFFFFFF0               |
000000013F9F75C4 | 4D:8BC8                  | mov r9,r8                              | r9:EntryPoint
000000013F9F75C7 | 48:BD 000074FFFFFFFFFF   | mov rbp,FFFFFFFFFF740000               |
000000013F9F75D1 | 4C:2BCD                  | sub r9,rbp                             | r9:EntryPoint
000000013F9F75D4 | 48:8D1D F9FFFFFF         | lea rbx,qword ptr ds:[13F9F75D4]       |
000000013F9F75DB | 41:8B28                  | mov ebp,dword ptr ds:[r8]              |
000000013F9F75DE | 49:81C0 04000000         | add r8,4                               |
000000013F9F75E5 | 41:33E9                  | xor ebp,r9d                            |
000000013F9F75E8 | FFC5                     | inc ebp                                |
000000013F9F75EA | 81F5 2B71DF7E            | xor ebp,7EDF712B                       |
000000013F9F75F0 | C1C5 03                  | rol ebp,3                              |
000000013F9F75F3 | FFCD                     | dec ebp                                |
000000013F9F75F5 | F7D5                     | not ebp                                |
000000013F9F75F7 | 81F5 A2505178            | xor ebp,785150A2                       |
000000013F9F75FD | 41:51                    | push r9                                | r9:EntryPoint

At this point it looks very much like VMProtect 1.x:
apart from the VM handlers (vmcase),
it only contains some encryption/decryption of the fetched vm_opcode and immediates.
(In fact, in VMProtect 2.x these interpreters were never virtualized either.)

 

The RVAs above correspond to the version VMProtect v3.4.0 [waterlord4@gmail.com].

 

When it came to posting, I did not even know how to post.
Searched for a long time and found the button is in the upper right...
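As an added example (not code from the original post or from VMProtect itself), the C below reimplements the arithmetic visible in the cleaned-up entry stub above: the bswap/add/ror/not/rol/not/inc/rol/not chain that turns the pushed constant 2E1D4A7C into the bytecode address, and the xor/inc/xor/rol/dec/not/xor chain applied to the first fetched dword. It assumes, from the listing, that the value loaded into rsi/rbp (FFFFFFFFFF740000) is the relocation delta (loaded base minus preferred base); the function names and the zero "raw" dword are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotates with x86 rol/ror semantics (n in 1..31). */
static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static uint32_t ror32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t bswap32(uint32_t x) {          /* bswap r8d */
    return (x >> 24) | ((x >> 8) & 0xFF00u) | ((x << 8) & 0xFF0000u) | (x << 24);
}

/* Resolve the bytecode start from the constant pushed before the call (push 2E1D4A7C).
 * reloc_delta is what the stub loads into rsi/rbp (assumed: loaded base minus preferred base). */
uint64_t decode_entry(uint32_t pushed, uint64_t reloc_delta) {
    uint32_t v = bswap32(pushed);
    v += 0x438F7973u;                  /* add r8d,438F7973 */
    v = ror32(v, 3);                   /* ror r8d,3        */
    v = ~v;                            /* not r8d          */
    v = rol32(v, 2);                   /* rol r8d,2        */
    v = ~v;                            /* not r8d          */
    v += 1;                            /* inc r8d          */
    v = rol32(v, 1);                   /* rol r8d,1        */
    v = ~v;                            /* not r8d          */
    /* 32-bit ops zero the upper half of r8; two 64-bit adds follow. */
    uint64_t r8 = (uint64_t)v + reloc_delta;   /* add r8,rsi */
    return r8 + 0x100000000ull;                /* add r8,r10 */
}

/* Rolling key: r9 = r8 - rbp, i.e. the unrelocated VA; only r9d is used. */
uint32_t entry_key(uint64_t bytecode_va, uint64_t reloc_delta) {
    return (uint32_t)(bytecode_va - reloc_delta);
}

/* Decode one fetched dword exactly as the stub decodes its first operand. */
uint32_t decode_first_dword(uint32_t raw, uint32_t key) {
    uint32_t v = raw ^ key;            /* xor ebp,r9d      */
    v += 1;                            /* inc ebp          */
    v ^= 0x7EDF712Bu;                  /* xor ebp,7EDF712B */
    v = rol32(v, 3);                   /* rol ebp,3        */
    v -= 1;                            /* dec ebp          */
    v = ~v;                            /* not ebp          */
    return v ^ 0x785150A2u;            /* xor ebp,785150A2 */
}

int main(void) {
    uint64_t delta = 0xFFFFFFFFFF740000ull;   /* mov rsi,FFFFFFFFFF740000 */
    uint64_t va = decode_entry(0x2E1D4A7Cu, delta);
    uint32_t first = decode_first_dword(0u, entry_key(va, delta)); /* 0: constructed dword */
    printf("bytecode VA %#llx, first dword %#x\n", (unsigned long long)va, first);
    return 0;
}
```

With the listing's constants the pushed value resolves to 0x13F9A695C, which lies inside the image whose stub sits at 0x13F9F7557, consistent with the delta interpretation.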



Reward from pxhb +10.00 2022/05/30: Thanks for sharing, much better than those show-off posts; tested and it works.
Latest replies (10)
感冒的猪baby 2022-5-30 09:00
Thanks for sharing. I searched for a long time before and could not find how to generate one without VM.
wx_0xC05StackOver 2022-5-30 10:55
Awesome.
kakasasa 2022-5-30 12:59
Marking this. The learning curve gets suddenly steep once you reach packers.
pxhb 2022-5-31 08:46
It would be perfect if the VM code could also be removed like in that post.
Lnju 2022-6-13 12:01
Thanks for sharing, learned something.
Alfik 2022-6-19 19:00
Will patches be provided for all versions, up to the latest one?
二娃 2022-9-6 18:29
Thanks for sharing.
小希希 2022-9-16 09:08
Thanks for sharing.
MsScotch 2023-8-27 12:07
Marking this.
秋狝 2023-8-27 18:49
Thanks for sharing.