首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 软件逆向
    3. 发新帖
[原创] VMEntry 分析
2023-3-5 17:24 9650

[原创] VMEntry 分析

还我六千雪币 活跃值
2023-3-5 17:24
9650

哪里不对的话 大佬们指点一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
;jmp_registr   = ebp
;pcode_registr = edi
;crypt_registr = ebx
;stack_registr = esi
 
;保存原始寄存器的值:
0040900A | 50                       | push eax                               
0040900B | 9C                       | pushfd                                 
0040900C | 56                       | push esi                               
0040900D | 55                       | push ebp                               
0040900E | 51                       | push ecx                               
0040900F | 52                       | push edx                               
00409010 | 57                       | push edi                               
00409011 | 53                       | push ebx                               
 
;获取一个tmp寄存器复制为0  tmp_register
00409012 | BA 00000000              | mov edx,0                              
 
;push了一个0,可能是为了栈?
00409017 | 52                       | push edx                               
 
;pcode_registr = pcode
00409018 | 8B7C24 28                | mov edi,dword ptr ss:[esp+28]          
 
;解密pcode
0040901C | C1CF 0D                  | ror edi,D                              
0040901F | 81F7 AD1C9418            | xor edi,18941CAD                       
00409025 | 81EF 7860FE23            | sub edi,23FE6078                       
0040902B | 0FCF                     | bswap edi                              
 
;pcode_registr+=tmp_register
0040902D | 03FA                     | add edi,edx                            
 
;把esp赋值给 stack_registr
0040902F | 8BF4                     | mov esi,esp                             |
; C0 = 128 + context_registr_count * size
; C0 = 0x80 + 16 * 4   (x32固定 C0)
00409031 | 81EC C0000000            | sub esp,C0                              |
 
; crypt_registr  pcode中获取到 解密key
00409037 | 8BDF                     | mov ebx,edi                             | edi:"LdrpInitializeProcess"
; 初始化tmp_register   tmp_register  = 0
00409039 | BA 00000000              | mov edx,0                               |
; crypt_registr  - tmp_register  ( -0 好像并没有什么用)
0040903E | 2BDA                     | sub ebx,edx                             |
 
; jmp_registr = opcode_entry
00409040 | 8D2D 40904000            | lea ebp,dword ptr ds:[409040]           |
 
; 获取command opcode
00409046 | 81EF 04000000            | sub edi,4                               | edi:"LdrpInitializeProcess"
0040904C | 8B0F                     | mov ecx,dword ptr ds:[edi]             
 
; command opcode 解密
0040904E | 33CB                     | xor ecx,ebx                             |
00409050 | 41                       | inc ecx                                 |
00409051 | F7D1                     | not ecx                                 |
00409053 | 81E9 8E154B63            | sub ecx,634B158E                        |
00409059 | C1C1 0C                  | rol ecx,C                               |
0040905C | 41                       | inc ecx                                 |
 
; 更新 crypt_registr (下一个handler要用这个数据)
0040905D | 33D9                     | xor ebx,ecx                             |
 
; jmp_registr += tmp_registr
0040905F | 03E9                     | add ebp,ecx                             |
; jmp jmp_registr
00409061 | FFE5                     | jmp ebp                                 |

[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

最后于 2023-3-5 17:25 被还我六千雪币编辑 ,原因: 1
收藏
点赞7
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回