[原创] VMEntry 分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创] VMEntry 分析

发表于: 2023-3-5 17:24 10548

[原创] VMEntry 分析

还我六千雪币

2023-3-5 17:24

10548

哪里不对的话大佬们指点一下

;jmp_registr   = ebp

;pcode_registr = edi

;crypt_registr = ebx

;stack_registr = esi
 
;保存原始寄存器的值：

0040900A | 50                       | push eax                                

0040900B | 9C                       | pushfd                                  

0040900C | 56                       | push esi                                

0040900D | 55                       | push ebp                                

0040900E | 51                       | push ecx                                

0040900F | 52                       | push edx                                

00409010 | 57                       | push edi                                

00409011 | 53                       | push ebx                                
 
;获取一个tmp寄存器复制为0  tmp_register

00409012 | BA 00000000              | mov edx,0                              
 
;push了一个0，可能是为了栈？

00409017 | 52                       | push edx                                
 
;pcode_registr = pcode

00409018 | 8B7C24 28                | mov edi,dword ptr ss:[esp+28]           
 
;解密pcode

0040901C | C1CF 0D                  | ror edi,D                               

0040901F | 81F7 AD1C9418            | xor edi,18941CAD                       

00409025 | 81EF 7860FE23            | sub edi,23FE6078                       

0040902B | 0FCF                     | bswap edi                               
 
;pcode_registr+=tmp_register

0040902D | 03FA                     | add edi,edx                             
 
;把esp赋值给 stack_registr

0040902F | 8BF4                     | mov esi,esp                             |

; C0 = 128 + context_registr_count * size 

; C0 = 0x80 + 16 * 4   (x32固定 C0)

00409031 | 81EC C0000000            | sub esp,C0                              |
 
; crypt_registr  pcode中获取到 解密key

00409037 | 8BDF                     | mov ebx,edi                             | edi:"LdrpInitializeProcess"

; 初始化tmp_register   tmp_register  = 0

00409039 | BA 00000000              | mov edx,0                               |

; crypt_registr  - tmp_register  ( -0 好像并没有什么用)

0040903E | 2BDA                     | sub ebx,edx                             |
 
; jmp_registr = opcode_entry

00409040 | 8D2D 40904000            | lea ebp,dword ptr ds:[409040]           |
 
; 获取command opcode

00409046 | 81EF 04000000            | sub edi,4                               | edi:"LdrpInitializeProcess"

0040904C | 8B0F                     | mov ecx,dword ptr ds:[edi]              
 
; command opcode 解密

0040904E | 33CB                     | xor ecx,ebx                             |

00409050 | 41                       | inc ecx                                 |

00409051 | F7D1                     | not ecx                                 |

00409053 | 81E9 8E154B63            | sub ecx,634B158E                        |

00409059 | C1C1 0C                  | rol ecx,C                               |

0040905C | 41                       | inc ecx                                 |
 
; 更新 crypt_registr （下一个handler要用这个数据）

0040905D | 33D9                     | xor ebx,ecx                             |
 
; jmp_registr += tmp_registr

0040905F | 03E9                     | add ebp,ecx                             |
; jmp jmp_registr

00409061 | FFE5                     | jmp ebp                                 |