【文章标题】: MyVM_#1_KeygenMe_by_BUBlic虚拟机粗略分析记录
【文章作者】: layper
【作者邮箱】: layper@yahoo.com.cn
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
分析虚拟机确实非常痛苦的事,虽然MyVM_#1_KeygenMe_by_BUBlic虚拟机比较简单,分析它我还是费了九牛二虎之力.
注:
水平有限,而且是第一次分析虚拟机,错漏难免.
由于没有分析出算法,不涉及算法部分.
一call 401000:
这个call是crack主体部分,分析如下:
.text:00401000 sub_401000 proc near ; CODE XREF: DialogFunc:loc_4011B5p
.text:00401000
.text:00401000 var_C = dword ptr -0Ch
.text:00401000 var_8 = dword ptr -8
.text:00401000 var_1 = byte ptr -1
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 0Ch
.text:00401006 push ebx
.text:00401007 push esi
.text:00401008 push edi
.text:00401009 mov edi, ds:GetDlgItemTextA
.text:0040100F mov ebx, 0FFh
.text:00401014 push ebx ; cchMax
.text:00401015 mov esi, offset NameString ; esi为注册名
.text:0040101A push esi ; lpString
.text:0040101B push 3EBh ; nIDDlgItem
.text:00401020 push hDlg ; hDlg
.text:00401026 call edi ; GetDlgItemTextA
.text:00401026
.text:00401028 push ebx ; cchMax
.text:00401029 mov ebx, offset SerialString ; ebx为注册码
.text:0040102E push ebx ; lpString
.text:0040102F push 3E9h ; nIDDlgItem
.text:00401034 push hDlg ; hDlg
.text:0040103A call edi ; GetDlgItemTextA
.text:0040103A
.text:0040103C push esi ; Str
.text:0040103D call _strlen
.text:0040103D
.text:00401042 mov edi, eax
.text:00401044 push ebx ; Str
.text:00401045 mov [ebp+var_C], edi ; 用户名长度
.text:00401048 call _strlen
.text:00401048
.text:0040104D add edi, 0FFFFFFFDh
.text:00401050 cmp edi, 33h ; 比较名称长度是否大于33h
.text:00401053 pop ecx
.text:00401054 pop ecx
.text:00401055 mov [ebp+var_8], eax ; eax为注册码长度
.text:00401058 ja NameError
.text:00401058
.text:0040105E mov ecx, eax
.text:00401060 and ecx, 80000001h ; 与运算
.text:00401066 jns short loc_40106D ; sf=0则跳转
.text:00401066
.text:00401068 dec ecx ; 减1
.text:00401069 or ecx, 0FFFFFFFEh ; 或运算
.text:0040106C inc ecx ; 加一
.text:0040106C
.text:0040106D
.text:0040106D loc_40106D: ; CODE XREF: sub_401000+66j
.text:0040106D jnz Wrongserial ; ZF不等于0则出错
.text:0040106D
.text:00401073 cmp eax, 10h ; 注册码运算后的长度是否小于10h,小于则出错
.text:00401076 jl Wrongserial
.text:00401076
.text:0040107C xor edi, edi ; 清除
.text:0040107E test eax, eax
.text:00401080 mov ebx, offset dword_40FE88
.text:00401085 jz short loc_4010AC ; eax为0则跳
.text:00401085
.text:00401087
.text:00401087 loc_401087: ; CODE XREF: sub_401000+AAj
.text:00401087 mov eax, edi ; 第一次先清0
.text:00401089 cdq ; 把EDX的所有位都设成EAX最高位的值
.text:00401089 ; 当EAX <80000000, EDX 00000000;
.text:00401089 ; 当EAX >= 80000000, EDX 则为FFFFFFFF).
.text:0040108A sub eax, edx ; eax-0或者eax-(-1)
.text:0040108C sar eax, 1 ; 左移一位
.text:0040108E add eax, ebx ; 第一次:40FE88+eax
.text:00401090 push eax
.text:00401091 lea eax, SerialString[edi] ; 注册码的[edi]位
.text:00401097 push offset s_2x ; "%2X"
.text:0040109C push eax ; char *
.text:0040109D call _sscanf ; 执行从字符串中的格式化
.text:0040109D
.text:004010A2 add esp, 0Ch ; esp退后10位
.text:004010A5 inc edi
.text:004010A6 inc edi ; edi加2
.text:004010A7 cmp edi, [ebp+var_8] ; 与注册码长度比较
.text:004010AA jnz short loc_401087 ; 不等循环
.text:004010AA
.text:004010AC
.text:004010AC loc_4010AC: ; CODE XREF: sub_401000+85j
.text:004010AC push 480h ; Size
.text:004010B1 call operator new(uint) ; 分配480h内存
.text:004010B1
.text:004010B6 xor edi, edi
.text:004010B8 cmp eax, edi ; 分配返回地址
.text:004010BA pop ecx
.text:004010BB jz short loc_4010D2 ; 为0则跳走
.text:004010BB
.text:004010BD mov edx, offset unk_40E000
.text:004010C2 push edx ; int
.text:004010C3 push 0BC1h ; Size
.text:004010C8 push edx ; int
.text:004010C9 mov ecx, eax ; 分配返回地址
.text:004010CB call sub_401BDC ; arg_0与arg_8初始值为40E000
.text:004010CB ; 使用这个函数后
.text:004010CB ; esi,edi,ecx与进入是一样
.text:004010CB ; esi为注册名,edi=0
.text:004010CB ; eax为第一次分配返回地址
.text:004010CB ; [第一次分配返回地址+?]填充了大量函数偏移
.text:004010CB ; [第一次分配返回地址+48h]为1000h大小,
.text:004010CB ; [第一次分配返回地址+4Ch]取[40E000+20h]值
.text:004010CB
.text:004010D0 jmp short loc_4010D4
.text:004010D0
.text:004010D2 ; ---------------------------------------------------------------------------
.text:004010D2
.text:004010D2 loc_4010D2: ; CODE XREF: sub_401000+BBj
.text:004010D2 xor eax, eax
.text:004010D2
.text:004010D4
.text:004010D4 loc_4010D4: ; CODE XREF: sub_401000+D0j
.text:004010D4 lea ecx, [ebp+var_1] ; ecx指向var_1
.text:004010D7 push ecx
.text:004010D8 push ebx
.text:004010D9 push [ebp+var_C] ; 用户名长度
.text:004010DC mov [ebp+var_1], 1
.text:004010E0 push esi ; 注册名
.text:004010E1 push edi ; 0
.text:004010E2 push eax ; eax为第一次分配返回地址
.text:004010E3 call sub_40156A
.text:004010E3
.text:004010E8 add esp, 18h
.text:004010EB cmp [ebp+var_1], 0
.text:004010EF push edi
.text:004010F0 jnz short GootOK
.text:004010F0
.text:004010F2 push offset s_BadBoy ; "Bad boy"
.text:004010F7 push offset s_KeepOnTrying ; "Keep on trying!"
.text:004010FC jmp short UseMessageBoxA
.text:004010FC
.text:004010FE ; ---------------------------------------------------------------------------
.text:004010FE
.text:004010FE GootOK: ; CODE XREF: sub_401000+F0j
.text:004010FE push offset s_GoodBoy ; "Good boy"
.text:00401103 push offset s_YouDidIt ; "You did it!"
.text:00401108 jmp short UseMessageBoxA
.text:00401108
.text:0040110A ; ---------------------------------------------------------------------------
.text:0040110A
.text:0040110A Wrongserial: ; CODE XREF: sub_401000:loc_40106Dj
.text:0040110A ; sub_401000+76j
.text:0040110A push 10h
.text:0040110C push offset Caption ; "ERROR"
.text:00401111 push offset s_WrongSerial ; "Wrong serial!"
.text:00401116 jmp short UseMessageBoxA
.text:00401116
.text:00401118 ; ---------------------------------------------------------------------------
.text:00401118
.text:00401118 NameError: ; CODE XREF: sub_401000+58j
.text:00401118 push 10h ; uType
.text:0040111A push offset Caption ; "ERROR"
.text:0040111F push offset Text ; "Use some other name!"
.text:0040111F
.text:00401124
.text:00401124 UseMessageBoxA: ; CODE XREF: sub_401000+FCj
.text:00401124 ; sub_401000+108j
.text:00401124 ; sub_401000+116j
.text:00401124 push hDlg ; hWnd
.text:0040112A call ds:MessageBoxA
.text:0040112A
.text:00401130 pop edi
.text:00401131 pop esi
.text:00401132 pop ebx
.text:00401133 leave
.text:00401134 retn
.text:00401134
.text:00401134 sub_401000 endp
.text:00401134
二、VM初始化
这个VM是"非标准"的虚拟机,初始化时它所做的主要是把VM指令指针保存在一个分配好的内存地址中,为以下调用作准备.
.text:00401BDC ; arg_0与arg_8初始值为40E000
.text:00401BDC ; 使用这个函数后
.text:00401BDC ; esi,edi,ecx与进入是一样
.text:00401BDC ; esi为注册名,edi=0
.text:00401BDC ; eax为第一次分配返回地址
.text:00401BDC ; [第一次分配返回地址+?]填充了大量函数偏移
.text:00401BDC ; [第一次分配返回地址+48h]为1000h大小,
.text:00401BDC ; [第一次分配返回地址+4Ch]取[40E000+20h]值
.text:00401BDC
.text:00401BDC ; int __stdcall sub_401BDC(int,size_t Size,int)
.text:00401BDC sub_401BDC proc near ; CODE XREF: sub_401000+CBp
.text:00401BDC
.text:00401BDC arg_0 = dword ptr 4
.text:00401BDC Size = dword ptr 8
.text:00401BDC arg_8 = dword ptr 0Ch
.text:00401BDC
.text:00401BDC push esi
.text:00401BDD push edi
.text:00401BDE push 24h ; Size
.text:00401BE0 mov esi, ecx ; 分配返回地址
.text:00401BE2 call operator new(uint)
.text:00401BE2
.text:00401BE7 mov edi, 1000h
.text:00401BEC push edi ; Size
.text:00401BED mov [esi+7Ch], eax
.text:00401BF0 call operator new(uint)
.text:00401BF0
.text:00401BF5 mov [esi+40h], edi
.text:00401BF8 mov edi, [esp+10h+Size]
.text:00401BFC push edi ; Size
.text:00401BFD mov [esi+3Ch], eax
.text:00401C00 call operator new(uint)
.text:00401C00
.text:00401C05 push edi
.text:00401C06 push [esp+18h+arg_0] ; 40E000+18h
.text:00401C0A mov [esi+44h], eax
.text:00401C0D push eax
.text:00401C0E call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
.text:00401C0E
.text:00401C13 mov eax, [esp+20h+arg_8] ; 取[40E000+20h]
.text:00401C17 add esp, 18h
.text:00401C1A mov [esi+48h], edi ; edi为1000h大小,
.text:00401C1A ; esi为第一次分配返回地址
.text:00401C1D mov [esi+4Ch], eax ; 取[40E000+20h]
.text:00401C20 pop edi
.text:00401C21 mov dword ptr [esi+80h], offset VMEip3
.text:00401C2B mov dword ptr [esi+84h], offset VMAdd
.text:00401C35 mov dword ptr [esi+88h], offset VMMOV
.text:00401C3F mov dword ptr [esi+8Ch], offset VMMov_1
.text:00401C49 mov dword ptr [esi+90h], offset VMMov1 ;
.text:00401C49 ; [ebp+var_4]指向[[esi+20h]]
.text:00401C49 ; [esi+20h]加4
.text:00401C53 mov dword ptr [esi+94h], offset VMAND_DOWRD
.text:00401C5D mov dword ptr [esi+98h], offset VMMOV
.text:00401C67 mov dword ptr [esi+9Ch], offset VMImul
.text:00401C71 mov dword ptr [esi+0A0h], offset VMDiv
.text:00401C7B mov dword ptr [esi+0A4h], offset VMMOV_BYTE
.text:00401C85 mov dword ptr [esi+0A8h], offset VMSub
.text:00401C8F mov dword ptr [esi+0ACh], offset VMFlag
.text:00401C99 mov dword ptr [esi+0B0h], offset VMNextEip1
.text:00401CA3 mov dword ptr [esi+0B4h], offset VMEipAddress
.text:00401CAD mov dword ptr [esi+0B8h], offset VMEipAddress1
.text:00401CB7 mov dword ptr [esi+0BCh], offset VMEipAddress_1
.text:00401CC1 mov dword ptr [esi+0C0h], offset VMEipAddress_0
.text:00401CCB mov dword ptr [esi+0C4h], offset VMNextEip
.text:00401CD5 mov dword ptr [esi+0C8h], offset VMNextEip2
.text:00401CDF mov dword ptr [esi+0CCh], offset VMShl
.text:00401CE9 mov dword ptr [esi+0D0h], offset VMShr
.text:00401CF3 mov dword ptr [esi+0D4h], offset VMAnd
.text:00401CFD mov dword ptr [esi+0D8h], offset VMOr
.text:00401D07 mov dword ptr [esi+0DCh], offset VMXor
.text:00401D11 mov dword ptr [esi+0E0h], offset VMNot
.text:00401D1B mov dword ptr [esi+0E4h], offset VMEipAddress_0
.text:00401D25 mov dword ptr [esi+0E8h], offset VMEipAddress_2
.text:00401D2F mov dword ptr [esi+0ECh], offset VMEipAddress_2
.text:00401D39 mov dword ptr [esi+0F0h], offset VMMOV
.text:00401D43 mov dword ptr [esi+0F4h], offset VMFlag1
.text:00401D4D mov eax, esi ; eax为第一次分配返回地址
.text:00401D4F pop esi
.text:00401D50 retn 0Ch
.text:00401D50
.text:00401D50 sub_401BDC endp
可以看出,esi作为指针地址寄存器,指向一个结构或者说是一个表,所以在下面我们就要注意[esi+xx]的代码.
三VM执行循环
.text:0040156A sub_40156A proc near ; CODE XREF: sub_401000+E3p
.text:0040156A
.text:0040156A arg_0 = dword ptr 4
.text:0040156A arg_4 = byte ptr 8
.text:0040156A arg_8 = byte ptr 0Ch
.text:0040156A
.text:0040156A push ebx
.text:0040156B push esi
.text:0040156C mov esi, [esp+8+arg_0]
.text:00401570 push edi
.text:00401571 xor ebx, ebx
.text:00401573 lea edi, [esp+0Ch+arg_4] ; 指向var_1
.text:00401577 mov [esi+79h], bl
.text:0040157A sub edi, 8
.text:0040157D mov eax, [edi]
.text:0040157F push 30h ; Size
.text:00401581 mov [esi+70h], eax
.text:00401584 lea eax, [esi+4]
.text:00401587 push ebx ; Val
.text:00401588 push eax ; Dst
.text:00401589 call _memset ; 对内存块的每个字节初始化,
.text:00401589
.text:0040158E push 5 ; Size
.text:00401590 lea eax, [esi+34h]
.text:00401593 push ebx ; Val
.text:00401594 push eax ; Dst
.text:00401595 call _memset ; 用来对一段内存空间全部设置为某个字符,
.text:00401595 ; 一般用在对定义的字符串进行初始化为
.text:00401595 ; ‘ ’或‘\0’
.text:00401595
.text:0040159A push 24h ; Size
.text:0040159C push ebx ; Val
.text:0040159D push dword ptr [esi+7Ch] ; Dst
.text:004015A0 call _memset ; 用来对一段内存空间全部设置为某个字符,
.text:004015A0 ; 一般用在对定义的字符串进行初始化为
.text:004015A0 ; ‘ ’或‘\0’
.text:004015A0
.text:004015A5 push 1000h ; Size
.text:004015AA push ebx ; Val
.text:004015AB push dword ptr [esi+3Ch] ; Dst
.text:004015AE call _memset ; 用来对一段内存空间全部设置为某个字符,
.text:004015AE ; 一般用在对定义的字符串进行初始化为
.text:004015AE ; ‘ ’或‘\0’
.text:004015AE
.text:004015B3 mov eax, [esi+3Ch]
.text:004015B6 push 4
.text:004015B8 add eax, 800h
.text:004015BD push edi
.text:004015BE push eax
.text:004015BF mov [esi+20h], eax
.text:004015C2 call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
.text:004015C2
.text:004015C7 push 800h
.text:004015CC lea eax, [esp+4Ch+arg_8]
.text:004015D0 push eax
.text:004015D1 mov eax, [esi+20h]
.text:004015D4 add eax, 4
.text:004015D7 push eax
.text:004015D8 call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
.text:004015D8
.text:004015DD add esp, 48h
.text:004015E0 mov [esi+74h], ebx
.text:004015E3 jmp short loc_4015FE
.text:004015E3
.text:004015E5 ; ---------------------------------------------------------------------------
.text:004015E5
.text:004015E5 VMLoop: ; CODE XREF: sub_40156A+97j
.text:004015E5 inc dword ptr [esi+74h]
.text:004015E8 mov ecx, esi
.text:004015EA call sub_4013DF ; 解码key
.text:004015EA
.text:004015EF mov eax, [esi+7Ch]
.text:004015F2 movzx eax, byte ptr [eax]
.text:004015F5 mov ecx, esi
.text:004015F7 call dword ptr [esi+eax*4+80h] ; 执行VM指令
.text:004015F7
.text:004015FE
.text:004015FE loc_4015FE: ; CODE XREF: sub_40156A+79j
.text:004015FE cmp [esi+79h], bl
.text:00401601 jz short VMLoop
.text:00401601
.text:00401603 pop edi
.text:00401604 pop esi
.text:00401605 pop ebx
.text:00401606 retn
.text:00401606
.text:00401606 sub_40156A endp
VMLoop处循环就是执行VM的地方,其中sub_4013DF把数据段的一大段数据进行解码运算,运算后按dword保存在另一个内存空间,
而call dword ptr [esi+eax*4+80h]就是执行VM指令的call.
四VM指令分析
刚开始分析觉得非常奇怪,为什么它初始化是为什么没有很明显的context环境,仅仅是把指令地址保存,而如VM寄存器和标志
位都未曾说明,深入分析后才知道它把这些融入VM指令中.
先分析两个重要call,因为很多VM指令都调用它们.
(1)sub_401271
.text:00401271 ; 相当于指令机器码判断
.text:00401271 ; arg_0计算后值放入arg_4
.text:00401271 ; mov [arg_4],[arg_0]
.text:00401271 ; Attributes: bp-based frame
.text:00401271
.text:00401271 ; int __stdcall sub_401271(int,int)
.text:00401271 sub_401271 proc near ; CODE XREF: VMAdd+1Dp
.text:00401271 ; VMAdd+2Cp VMSub+1Dp
.text:00401271 ; VMSub+2Cp VMMOV+17p
.text:00401271 ; VMMov_1+16p ...
.text:00401271
.text:00401271 arg_0 = dword ptr 8 ; 内存地址
.text:00401271 arg_4 = dword ptr 0Ch ; 堆栈地址
.text:00401271
.text:00401271 push ebp
.text:00401272 mov ebp, esp
.text:00401274 mov eax, [ebp+arg_0]
.text:00401277 movzx edx, byte ptr [eax] ; 逐位取字节
.text:0040127A sub edx, 0 ; 是否为0
.text:0040127D jz short oneis0denextcode
.text:0040127D
.text:0040127F dec edx ; 是否为1
.text:00401280 jz short oneis1denextcode
.text:00401280
.text:00401282 dec edx ; 是否为2
.text:00401283 jnz locreturn0
.text:00401283
.text:00401289 movzx ecx, byte ptr [eax+1]
.text:0040128D sub ecx, edx ; 下一位-上一位+2是否为0
.text:0040128F jz short movaleaxadd4value
.text:0040128F
.text:00401291 dec ecx ; 下一位-上一位+1是否为0
.text:00401292 jz short movaleaxadd4value
.text:00401292
.text:00401294 dec ecx ; 下一位-上一位是否为0
.text:00401295 jz short movaxeaxadd4value
.text:00401295
.text:00401297 dec ecx ; 下一位-上一位-1是否为0
.text:00401298 jnz locreturn0
.text:00401298
.text:0040129E mov eax, [eax+4] ; 第五位
.text:004012A1 jmp short movarg4eax
.text:004012A1
.text:004012A3 ; ---------------------------------------------------------------------------
.text:004012A3
.text:004012A3 movaxeaxadd4value: ; CODE XREF: sub_401271+24j
.text:004012A3 mov ax, [eax+4] ; 取之后第四位
.text:004012A7 jmp short movarg4ax
.text:004012A7
.text:004012A9 ; ---------------------------------------------------------------------------
.text:004012A9
.text:004012A9 movaleaxadd4value: ; CODE XREF: sub_401271+1Ej
.text:004012A9 ; sub_401271+21j
.text:004012A9 mov al, [eax+4] ; 取之后第四位
.text:004012AC jmp short movarg4al
.text:004012AC
.text:004012AE ; ---------------------------------------------------------------------------
.text:004012AE
.text:004012AE oneis1denextcode: ; CODE XREF: sub_401271+Fj
.text:004012AE movzx ecx, byte ptr [eax+1]
.text:004012B2 sub ecx, 0
.text:004012B5 jz short oneis1twois0or1denextcode
.text:004012B5
.text:004012B7 dec ecx
.text:004012B8 jz short oneis1twois0or1denextcode
.text:004012B8
.text:004012BA dec ecx
.text:004012BB jz short oneis1twois2denextcode
.text:004012BB
.text:004012BD dec ecx
.text:004012BE jnz short locreturn0
.text:004012BE
.text:004012C0 mov eax, [eax+4] ; 取下四位
.text:004012C3 mov eax, [eax] ; 取下四位的值
.text:004012C5 jmp short movarg4eax
.text:004012C5
.text:004012C7 ; ---------------------------------------------------------------------------
.text:004012C7
.text:004012C7 oneis1twois2denextcode: ; CODE XREF: sub_401271+4Aj
.text:004012C7 mov eax, [eax+4]
.text:004012CA mov ax, [eax] ; 取之后第四位作为指针,继续取值
.text:004012CD jmp short movarg4ax
.text:004012CD
.text:004012CF ; ---------------------------------------------------------------------------
.text:004012CF
.text:004012CF oneis1twois0or1denextcode: ; CODE XREF: sub_401271+44j
.text:004012CF ; sub_401271+47j
.text:004012CF mov eax, [eax+4]
.text:004012D2 mov al, [eax]
.text:004012D4 jmp short movarg4al
.text:004012D4
.text:004012D6 ; ---------------------------------------------------------------------------
.text:004012D6
.text:004012D6 oneis0denextcode: ; CODE XREF: sub_401271+Cj
.text:004012D6 movzx edx, byte ptr [eax+1] ; 是0取下一位
.text:004012DA sub edx, 0 ; 是否为0
.text:004012DD jz short oneis0twois0denextcode
.text:004012DD
.text:004012DF dec edx
.text:004012E0 jz short oneis0twois1denextcode
.text:004012E0
.text:004012E2 dec edx
.text:004012E3 jz short oneis0twois2denextcode
.text:004012E3
.text:004012E5 dec edx
.text:004012E6 jnz short locreturn0
.text:004012E6
.text:004012E8 mov eax, [eax+4]
.text:004012EB mov eax, [ecx+eax*4+4]
.text:004012EB
.text:004012EF
.text:004012EF movarg4eax: ; CODE XREF: sub_401271+30j
.text:004012EF ; sub_401271+54j
.text:004012EF mov ecx, [ebp+arg_4]
.text:004012F2 mov [ecx], eax
.text:004012F4 jmp short locreturn0
.text:004012F4
.text:004012F6 ; ---------------------------------------------------------------------------
.text:004012F6
.text:004012F6 oneis0twois2denextcode: ; CODE XREF: sub_401271+72j
.text:004012F6 mov eax, [eax+4]
.text:004012F9 mov ax, [ecx+eax*4+4]
.text:004012F9
.text:004012FE
.text:004012FE movarg4ax: ; CODE XREF: sub_401271+36j
.text:004012FE ; sub_401271+5Cj
.text:004012FE mov ecx, [ebp+arg_4]
.text:00401301 mov [ecx], ax
.text:00401304 jmp short locreturn0
.text:00401304
.text:00401306 ; ---------------------------------------------------------------------------
.text:00401306
.text:00401306 oneis0twois1denextcode: ; CODE XREF: sub_401271+6Fj
.text:00401306 mov eax, [eax+4]
.text:00401309 mov eax, [ecx+eax*4+4]
.text:0040130D shr eax, 8
.text:00401310 jmp short movarg4al
.text:00401310
.text:00401312 ; ---------------------------------------------------------------------------
.text:00401312
.text:00401312 oneis0twois0denextcode: ; CODE XREF: sub_401271+6Cj
.text:00401312 mov eax, [eax+4]
.text:00401315 mov al, [ecx+eax*4+4]
.text:00401315
.text:00401319
.text:00401319 movarg4al: ; CODE XREF: sub_401271+3Bj
.text:00401319 ; sub_401271+63j
.text:00401319 ; sub_401271+9Fj
.text:00401319 mov ecx, [ebp+arg_4]
.text:0040131C mov [ecx], al
.text:0040131C
.text:0040131E
.text:0040131E locreturn0: ; CODE XREF: sub_401271+12j
.text:0040131E ; sub_401271+27j
.text:0040131E ; sub_401271+4Dj
.text:0040131E ; sub_401271+75j
.text:0040131E ; sub_401271+83j
.text:0040131E ; sub_401271+93j
.text:0040131E pop ebp
.text:0040131F retn 8
.text:0040131F
.text:0040131F sub_401271 endp
函数sub_4013DF解码数据段unk_40E000,key后这里再一次判断或者说是解码,这个函数有两个参数,一个指向堆栈地址,一个指向内存地址,
运算结果保存在堆栈中.
(2)sub_401322
这个函数也这个函数有两个参数,一个指向堆栈地址,一个指向内存地址,运算结果保存在内存地址中.在VM指令中相当于把运
算结果保存到指定内存地址.
.text:00401322 ; 相当于VM存储器、寄存器等
.text:00401322 ; Attributes: bp-based frame
.text:00401322
.text:00401322 ; int __stdcall sub_401322(int,int)
.text:00401322 sub_401322 proc near ; CODE XREF: VMAdd+3Ep
.text:00401322 ; VMSub+3Ep VMMOV+26p
.text:00401322 ; VMMov1+22p VMImul+46p
.text:00401322 ; VMShl+3Ep ...
.text:00401322
.text:00401322 arg_0 = dword ptr 8 ; 内存地址
.text:00401322 arg_4 = dword ptr 0Ch ; 堆栈地址
.text:00401322
.text:00401322 push ebp
.text:00401323 mov ebp, esp
.text:00401325 mov eax, [ebp+arg_0]
.text:00401328 movzx edx, byte ptr [eax]
.text:0040132B sub edx, 0
.text:0040132E jz short oneis0denextcode
.text:0040132E
.text:00401330 dec edx
.text:00401331 jnz return1
.text:00401331
.text:00401337 movzx ecx, byte ptr [eax+1]
.text:0040133B sub ecx, edx
.text:0040133D jz short onedaimadec1dengyutwodaimaoradd1
.text:0040133D
.text:0040133F dec ecx
.text:00401340 jz short onedaimadec1dengyutwodaimaoradd1
.text:00401340
.text:00401342 dec ecx
.text:00401343 jz short onedaimadec1dengyutwodaimaadd2
.text:00401343
.text:00401345 dec ecx
.text:00401346 jnz return1
.text:00401346
.text:0040134C mov ecx, [ebp+arg_4]
.text:0040134F mov eax, [eax+4]
.text:00401352 mov ecx, [ecx]
.text:00401354 jmp mov_eax_ecx
.text:00401354
.text:00401359 ; ---------------------------------------------------------------------------
.text:00401359
.text:00401359 onedaimadec1dengyutwodaimaadd2: ; CODE XREF: sub_401322+21j
.text:00401359 mov ecx, [ebp+arg_4]
.text:0040135C mov eax, [eax+4]
.text:0040135F mov cx, [ecx]
.text:00401362 mov [eax], cx ; 局部变量指针值存入[eax+4]
.text:00401365 jmp short return1
.text:00401365
.text:00401367 ; ---------------------------------------------------------------------------
.text:00401367
.text:00401367 onedaimadec1dengyutwodaimaoradd1: ; CODE XREF: sub_401322+1Bj
.text:00401367 ; sub_401322+1Ej
.text:00401367 mov ecx, [ebp+arg_4] ; 堆栈局部变量
.text:0040136A mov eax, [eax+4]
.text:0040136D mov cl, [ecx] ; 局部变量指针值
.text:0040136F mov [eax], cl ; 局部变量指针值存入[eax+4]
.text:00401371 jmp short return1
.text:00401371
.text:00401373 ; ---------------------------------------------------------------------------
.text:00401373
.text:00401373 oneis0denextcode: ; CODE XREF: sub_401322+Cj
.text:00401373 movzx edx, byte ptr [eax+1]
.text:00401377 sub edx, 0
.text:0040137A jz short oneis0twois0denextcode
.text:0040137A
.text:0040137C dec edx
.text:0040137D jz short oneis0twois1denextcode
.text:0040137D
.text:0040137F dec edx
.text:00401380 jz short oneis0twois2denextcode
.text:00401380
.text:00401382 dec edx
.text:00401383 jnz short return1
.text:00401383
.text:00401385 mov edx, [ebp+arg_4]
.text:00401388 mov eax, [eax+4]
.text:0040138B mov edx, [edx]
.text:0040138D mov [ecx+eax*4+4], edx ; 局部变量指针值存入[ecx+eax*4+4]
.text:00401391 jmp short return1
.text:00401391
.text:00401393 ; ---------------------------------------------------------------------------
.text:00401393
.text:00401393 oneis0twois2denextcode: ; CODE XREF: sub_401322+5Ej
.text:00401393 mov eax, [eax+4]
.text:00401396 mov edx, [ebp+arg_4]
.text:00401399 movsx edx, word ptr [edx] ; 局部变量指针值
.text:0040139C lea eax, [ecx+eax*4+4]
.text:004013A0 mov ecx, [eax]
.text:004013A2 and ecx, 0FFFF0000h ; ecx=[ecx+eax*4+4] and 0FFFF0000h
.text:004013A8 jmp short orecxedx
.text:004013A8
.text:004013AA ; ---------------------------------------------------------------------------
.text:004013AA
.text:004013AA oneis0twois1denextcode: ; CODE XREF: sub_401322+5Bj
.text:004013AA mov eax, [eax+4]
.text:004013AD mov edx, [ebp+arg_4]
.text:004013B0 lea eax, [ecx+eax*4+4]
.text:004013B4 xor ecx, ecx
.text:004013B6 mov ch, [edx]
.text:004013B8 mov edx, [eax]
.text:004013BA and edx, 0FFFF00FFh
.text:004013C0 jmp short orecxedx
.text:004013C0
.text:004013C2 ; ---------------------------------------------------------------------------
.text:004013C2
.text:004013C2 oneis0twois0denextcode: ; CODE XREF: sub_401322+58j
.text:004013C2 mov eax, [eax+4]
.text:004013C5 mov edx, [ebp+arg_4]
.text:004013C8 movzx edx, byte ptr [edx]
.text:004013CB lea eax, [ecx+eax*4+4]
.text:004013CF mov ecx, [eax]
.text:004013D1 and ecx, 0FFFFFF00h
.text:004013D1
.text:004013D7
.text:004013D7 orecxedx: ; CODE XREF: sub_401322+86j
.text:004013D7 ; sub_401322+9Ej
.text:004013D7 or ecx, edx ; 局部指针值 or ([ecx+eax*4+4] and 0FFFF0000h)存入ecx=[ecx+eax*4+4] and 0FFFF0000h
.text:004013D7
.text:004013D9
.text:004013D9 mov_eax_ecx: ; CODE XREF: sub_401322+32j
.text:004013D9 mov [eax], ecx ; oneis0时,
.text:004013D9 ; 局部指针值 or ([ecx+eax*4+4] and 0FFFF0000h)
.text:004013D9 ; 存入[ecx+eax*4+4] and 0FFFF0000h.
.text:004013D9 ; one不是0时,
.text:004013D9 ; 局部变量指针值存入[eax+4].
.text:004013D9
.text:004013DB
.text:004013DB return1: ; CODE XREF: sub_401322+Fj
.text:004013DB ; sub_401322+24j
.text:004013DB ; sub_401322+43j
.text:004013DB ; sub_401322+4Fj
.text:004013DB ; sub_401322+61j
.text:004013DB ; sub_401322+6Fj
.text:004013DB pop ebp
.text:004013DC retn 8
.text:004013DC
.text:004013DC sub_401322 endp
分析了以上这两个函数后,VM指令就好识别多了.
(3)寻找下一条key地址的代码特征(unk_40E000为开始)
mov eax, [esi+7Ch]
mov eax, [eax+4] ;本条key长度
add [esi+4Ch], eax ;下一key的地址
(4)经过上面三步分析,识别VM指令就简单多了,一般来说,每个VM指令调用sub_401271和sub_401322中间部分就是识别VM指令
的关键了.
这里仅列举两个VM指令,具体看MyVM #1 KeygenMe by BUBlic.idb文件
标志位指令VMFlag:
.text:004017E3 VMFlag proc near ; DATA XREF: sub_401BDC+B3o
.text:004017E3
.text:004017E3 var_8 = dword ptr -8
.text:004017E3 var_4 = dword ptr -4
.text:004017E3
.text:004017E3 push ebp
.text:004017E4 mov ebp, esp
.text:004017E6 push ecx
.text:004017E7 push ecx
.text:004017E8 push ebx
.text:004017E9 push esi
.text:004017EA push edi
.text:004017EB mov esi, ecx
.text:004017ED mov edi, [esi+7Ch]
.text:004017F0 lea eax, [ebp+var_8]
.text:004017F3 push eax ; int
.text:004017F4 lea eax, [edi+0Ch]
.text:004017F7 xor ebx, ebx
.text:004017F9 push eax ; int
.text:004017FA mov [ebp+var_8], ebx
.text:004017FD mov [ebp+var_4], ebx ; var_4,var_8为0
.text:00401800 call sub_401271 ; 相当于指令机器码判断
.text:00401800 ; arg_0计算后值放入arg_4
.text:00401800 ; mov [arg_4],[arg_0]
.text:00401800
.text:00401805 lea eax, [ebp+var_4]
.text:00401808 push eax ; int
.text:00401809 lea eax, [edi+14h]
.text:0040180C push eax ; int
.text:0040180D mov ecx, esi
.text:0040180F call sub_401271 ; 相当于指令机器码判断
.text:0040180F ; arg_0计算后值放入arg_4
.text:0040180F ; mov [arg_4],[arg_0]
.text:0040180F
.text:00401814 mov ecx, [ebp+var_8]
.text:00401817 cmp ecx, [ebp+var_4] ; 判断取值是否为0
.text:0040181A jnb short loc_401821
.text:0040181A
.text:0040181C mov [esi+3Ah], bl
.text:0040181F jmp short loc_401829
.text:0040181F
.text:00401821 ; ---------------------------------------------------------------------------
.text:00401821
.text:00401821 loc_401821: ; CODE XREF: VMFlag+37j
.text:00401821 setnbe al
.text:00401824 inc al
.text:00401826 mov [esi+3Ah], al
.text:00401826
.text:00401829
.text:00401829 loc_401829: ; CODE XREF: VMFlag+3Cj
.text:00401829 movzx eax, byte ptr [edi+0Dh]
.text:0040182D sub eax, ebx
.text:0040182F jz short loc_40183C
.text:0040182F
.text:00401831 dec eax
.text:00401832 jz short loc_40183C
.text:00401832
.text:00401834 dec eax
.text:00401835 jnz short loc_401842
.text:00401835
.text:00401837 movsx eax, cx
.text:0040183A jmp short loc_40183F
.text:0040183A
.text:0040183C ; ---------------------------------------------------------------------------
.text:0040183C
.text:0040183C loc_40183C: ; CODE XREF: VMFlag+4Cj
.text:0040183C ; VMFlag+4Fj
.text:0040183C movzx eax, cl
.text:0040183C
.text:0040183F
.text:0040183F loc_40183F: ; CODE XREF: VMFlag+57j
.text:0040183F mov [ebp+var_8], eax
.text:0040183F
.text:00401842
.text:00401842 loc_401842: ; CODE XREF: VMFlag+52j
.text:00401842 mov ecx, esi
.text:00401844 call sub_401225
.text:00401844
.text:00401849 sub eax, ebx
.text:0040184B jz short loc_401859
.text:0040184B
.text:0040184D dec eax
.text:0040184E jz short loc_401859
.text:0040184E
.text:00401850 dec eax
.text:00401851 jnz short loc_401860
.text:00401851
.text:00401853 movsx eax, word ptr [ebp+var_4]
.text:00401857 jmp short loc_40185D
.text:00401857
.text:00401859 ; ---------------------------------------------------------------------------
.text:00401859
.text:00401859 loc_401859: ; CODE XREF: VMFlag+68j
.text:00401859 ; VMFlag+6Bj
.text:00401859 movzx eax, byte ptr [ebp+var_4]
.text:00401859
.text:0040185D
.text:0040185D loc_40185D: ; CODE XREF: VMFlag+74j
.text:0040185D mov [ebp+var_4], eax
.text:0040185D
.text:00401860
.text:00401860 loc_401860: ; CODE XREF: VMFlag+6Ej
.text:00401860 mov eax, [ebp+var_8]
.text:00401863 cmp eax, [ebp+var_4]
.text:00401866 jge short loc_40186D
.text:00401866
.text:00401868 mov [esi+3Bh], bl
.text:0040186B jmp short loc_401875
.text:0040186B
.text:0040186D ; ---------------------------------------------------------------------------
.text:0040186D
.text:0040186D loc_40186D: ; CODE XREF: VMFlag+83j
.text:0040186D setnle al
.text:00401870 inc al
.text:00401872 mov [esi+3Bh], al
.text:00401872
.text:00401875
.text:00401875 loc_401875: ; CODE XREF: VMFlag+88j
.text:00401875 mov eax, [edi+4]
.text:00401878 add [esi+4Ch], eax
.text:0040187B pop edi
.text:0040187C pop esi
.text:0040187D pop ebx
.text:0040187E leave
.text:0040187F retn
.text:0040187F
.text:0040187F VMFlag endp
条件跳转指令VMEipAddress:
.text:004018A4 VMEipAddress proc near ; DATA XREF: sub_401BDC+C7o
.text:004018A4
.text:004018A4 var_4 = dword ptr -4
.text:004018A4
.text:004018A4 push ebp
.text:004018A5 mov ebp, esp
.text:004018A7 push ecx
.text:004018A8 and [ebp+var_4], 0
.text:004018AC push esi
.text:004018AD push edi
.text:004018AE mov esi, ecx
.text:004018B0 mov edi, [esi+7Ch]
.text:004018B3 lea eax, [ebp+var_4]
.text:004018B6 push eax ; int
.text:004018B7 lea eax, [edi+0Ch]
.text:004018BA push eax ; int
.text:004018BB call sub_401271 ; 相当于指令机器码判断
.text:004018BB ; arg_0计算后值放入arg_4
.text:004018BB ; mov [arg_4],[arg_0]
.text:004018BB
.text:004018C0 cmp byte ptr [esi+3Bh], 1 ;比较标志位
.text:004018C4 mov eax, [ebp+var_4]
.text:004018C7 jz short loc_4018CC
.text:004018C7
.text:004018C9 mov eax, [edi+4]
.text:004018C9
.text:004018CC
.text:004018CC loc_4018CC: ; CODE XREF: VMEipAddress+23j
.text:004018CC add [esi+4Ch], eax ;跳转到的地址
.text:004018CF pop edi
.text:004018D0 pop esi
.text:004018D1 leave
.text:004018D2 retn
.text:004018D2
.text:004018D2 VMEipAddress endp
收工.:)
--------------------------------------------------------------------------------
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2007年11月08日 13:46:03
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课