Themida 2.0.6.5 RISC VM: analysis of a single handler
The TMD RISC VM has six segments in total.
1. The table pointed to by the first opcode of a two-opcode handler selection, e.g.:
003A0000  00 00 3B 00 0C 00 3B 00 18 00 3B 00 24 00 3B 00
003A0010  30 00 3B 00 3C 00 3B 00 48 00 3B 00 54 00 3B 00
003A0020  60 00 3B 00 6C 00 3B 00 78 00 3B 00 84 00 3B 00
003A0030  90 00 3B 00 9C 00 3B 00 A8 00 3B 00 B4 00 3B 00
003A0040  C0 00 3B 00 CC 00 3B 00 D8 00 3B 00 E4 00 3B 00
003A0050  F0 00 3B 00 FC 00 3B 00 08 01 3B 00 14 01 3B 00
003A0060  20 01 3B 00 2C 01 3B 00 38 01 3B 00 44 01 3B 00
003A0070  50 01 3B 00 5C 01 3B 00 68 01 3B 00 74 01 3B 00
003A0080  80 01 3B 00 8C 01 3B 00 98 01 3B 00 A4 01 3B 00
003A0090  B0 01 3B 00 BC 01 3B 00 C8 01 3B 00 D4 01 3B 00
003A00A0  E0 01 3B 00 EC 01 3B 00 F8 01 3B 00 04 02 3B 00
003A00B0  10 02 3B 00 1C 02 3B 00 28 02 3B 00 34 02 3B 00
003A00C0  40 02 3B 00 4C 02 3B 00 58 02 3B 00 64 02 3B 00
003A00D0  70 02 3B 00 7C 02 3B 00 88 02 3B 00 94 02 3B 00
003A00E0  A0 02 3B 00 AC 02 3B 00 B8 02 3B 00 C4 02 3B 00
003A00F0  D0 02 3B 00 DC 02 3B 00 E8 02 3B 00 F4 02 3B 00
2. The table pointed to by the second opcode of a two-opcode handler selection, e.g.:
003B0000  00 00 00 00 A4 17 4B 01 5D 5F 58 01 A0 41 48 01
003B0010  1F BD 48 01 DE 61 4F 01 B7 38 4B 01 69 5E 48 01
003B0020  5C 27 47 01 F9 82 52 01 2B EB 50 01 00 00 00 00
003B0030  03 B8 55 01 A7 D8 51 01 55 7C 4C 01 00 00 00 00
003B0040  00 00 00 00 2F 32 51 01 B2 1F 49 01 73 C2 46 01
003B0050  C5 1E 4F 01 C8 9D 4D 01 00 00 00 00 CD 09 50 01
003B0060  64 B9 4C 01 07 38 49 01 C1 77 53 01 55 25 4D 01
003B0070  BB CD 49 01 88 FA 54 01 FF 5E 51 01 42 EF 52 01
003B0080  07 3B 4C 01 1C 5C 51 01 B2 AF 53 01 9E 82 58 01
003B0090  F8 18 47 01 0D BA 4E 01 70 C9 4C 01 00 00 00 00
003B00A0  B4 7D 4F 01 9E 6A 51 01 9D 2A 55 01 00 00 00 00
003B00B0  4A 67 4A 01 00 00 00 00 BE 8D 56 01 04 55 46 01
003B00C0  B7 9E 4A 01 C0 A1 50 01 B5 A9 56 01 00 00 45 01
003B00D0  27 69 53 01 B1 61 56 01 8E 81 51 01 7C 11 54 01
003B00E0  5A 16 58 01 3C 31 4B 01 41 E7 56 01 2B EF 54 01
003B00F0  00 00 00 00 9C D2 49 01 B2 75 52 01 43 36 57 01
So a two-opcode handler selection works as follows:
If opcode1 is 10 and opcode2 is 4, then 003A0000 + 10 = 003A0010; the table entry there is 003B0030; 003B0030 + 4 = 003B0034; the table entry there is 0151D8A7, so the address of the selected handler is 0151D8A7.
3. The table pointed to by the opcode of a single-opcode handler selection, e.g.:
003C0000  00 00 45 01 30 D6 51 01 E4 90 48 01 B8 71 47 01
003C0010  64 B9 4C 01 83 42 57 01 9D 2A 55 01 73 C2 46 01
003C0020  91 8B 45 01 B7 9E 4A 01 C8 9D 4D 01 5A 9D 57 01
003C0030  0D 4B 56 01 B4 CC 57 01 BB 8E 4F 01 07 3B 4C 01
003C0040  B7 C8 4D 01 1F 64 4A 01 CF 33 4B 01 B2 1F 49 01
003C0050  5A 16 58 01 8C E6 47 01 9E 2A 47 01 DA EA 54 01
003C0060  E2 E9 4B 01 18 82 47 01 D3 80 48 01 5D 5F 58 01
003C0070  B6 55 47 01 55 25 4D 01 A2 C8 4D 01 B8 C9 45 01
003C0080  B5 92 56 01 CD 09 50 01 74 29 53 01 BA FF 4B 01
003C0090  2F 32 51 01 C0 CE 4F 01 B9 BF 58 01 2F C6 58 01
003C00A0  F7 BE 50 01 3C 31 4B 01 CA 9C 4A 01 B8 06 46 01
003C00B0  2B EF 54 01 70 C9 4C 01 44 42 46 01 DF 13 59 01
003C00C0  85 1D 51 01 69 5E 48 01 DC 95 55 01 A0 3C 59 01
003C00D0  F0 28 4B 01 88 FA 54 01 BE 8D 56 01 8E 81 51 01
003C00E0  08 3B 45 01 EE 86 52 01 C5 B3 4A 01 D7 15 4F 01
003C00F0  C1 5F 51 01 C5 1E 4F 01 4A EC 59 01 00 00 00 00
This table needs only one opcode to select the handler: if the opcode is 10, then 003C0000 + 10 = 003C0010, and the table entry there is 014CB964, which is the handler address.
4. The VMContext segment. This segment holds the data the VM needs while executing, such as the eight registers eax~edi and other data.
5. The VM stack.
6. The VM code segment.
A few concepts:
handler: the VM instruction that is actually executed, e.g. VM_mov, VM_or, etc.
pcode_data: where the operands and other data needed to execute a given handler are stored.
dispatcher: the TMD VM has no dispatcher; each handler computes the address of the next handler and of the next pcode_data itself and jumps there directly.
Below we analyze only the code of one handler in the Themida2065.exe main program. Before analyzing it you need to be able to see through the instruction reordering, code mutation and so on, and you need a general understanding of the VM's structure.
We take one pcode. In my case the section into which TMLicense.dat is loaded is at 0x3670000; set a hardware access breakpoint at 0x3670000 and run. At first it does not stop inside the VM; keep pressing F9 until it stops inside the VM.
The stack then looks like this:
00391FF0 6479DB2D
00391FF4 03670000
00391FF8 00000000
00391FFC 00000000
Since we are now stopped in the middle of some handler, let it run to the very start of the next handler: in the run trace's "command is one of" box add jmp esi, then press CTRL+F11 and it stops. Because handlers are long, we record the run trace here and press CTRL+F11 once more, which records every instruction this handler executes. Now the analysis begins.
First, the memory locations that may be used:
edi points to the VM_Context segment
esi points to the pcode_data address
VM_Context.5DC-----pCode_data_addr
VM_Context.490-----Key1: key for decoding the operands in pCode_data
VM_Context.544-----Key2: key for decoding the address of the next pCode_data
Except for the first instruction on VM entry, whose opcode is a 1-byte index, all other opcodes are 2-byte indexes
VM_Context.434-----Key3: key for decoding the 2-byte opcode of the next instruction
VM_Context.37C-----Key4: key for decoding the opcode byte of the next instruction
VM_Context.550-----address of OpCode_2byte_table1, i.e. the 3A0000 table above
VM_Context.62C-----OpCode2(offset)
VM_Context.47C-----OpCode1(offset)
Handler of the next instruction: -> xxx
-> yyy
The rest will be explained where it is used
----------------------------------------------Start of the walkthrough-----------------------------------------
Address Thread Command ; Registers and comments
//initialize esi to pCode_data_addr
0157163E Main push dword ptr //the address edi+0x5DC holds pCode_data_addr ; ESP=00391FF4
01571644 Main jmp 0151EF85
0151EF85 Main mov esi, dword ptr //esi now holds pCode_data_addr ; ESI=00BE2A50
There is some code mutation here; what it actually does is add esp, 4
//push ebx
0151EF88 Main push 0x4621 ; ESP=00391FF0
0151EF8D Main mov dword ptr , ebx
0151EF90 Main jmp 014D21A5
//ebx is the esp value from before the push dword ptr
014D21A5 Main mov ebx, esp ; EBX=00391FF0
014D21A7 Main add ebx, 0x4 ; EBX=00391FF4
014D21AD Main add ebx, 0x4 ; EBX=00391FF8
014D21B3 Main push ebx ; ESP=00391FEC
//mov ebx,
014D21B4 Main push dword ptr ; ESP=00391FE8
014D21B8 Main pop ebx ; EBX=411D51F8, ESP=00391FEC
//pop the esp value from before the push dword ptr onto the top of the stack
014D21B9 Main pop dword ptr ; ESP=00391FF0
//rebalance the stack
014D21BC Main pop esp ; ESP=00391FF8
014D21BD Main push eax ; ESP=00391FF4
014D21BE Main jmp 01472EB1
//this is really mov ebx, 3
//mov ebx, 0x48155F8C
01472EB1 Main push 0x48155F8C ; ESP=00391FF0
01472EB6 Main pop ebx ; EBX=48155F8C, ESP=00391FF4
01472EB7 Main or ebx, 0x19E94E2D ; EBX=59FD5FAD
01472EBD Main jmp 014D87AE
014D87AE Main inc ebx ; EBX=59FD5FAE
014D87AF Main push eax ; ESP=00391FF0
014D87B0 Main mov eax, 0x59FD5FAD ; EAX=59FD5FAD
014D87B5 Main xor ebx, eax ; FL=P, EBX=00000003
014D87B7 Main pop eax ; EAX=00000008, ESP=00391FF4
//---------------------------------fetch pcode_data and operate on it----------------------------
014D87B8 Main mov eax, ebx ; EAX=00000003
014D87BA Main add eax, 0x57AC23B5 ; EAX=57AC23B8
014D87BF Main add eax, esi ; FL=0, EAX=586A4E08
014D87C1 Main sub eax, 0x57AC23B5 ; FL=P, EAX=00BE2A53
014D87C6 Main mov bl, byte ptr //bl = , i.e. pcode_data
014D87C8 Main pop eax ; EAX=00000008, ESP=00391FF8
014D87C9 Main push edx ; ESP=00391FF4
014D87CA Main jmp 01571649
//edx = esi
01571649 Main mov edx, 0x0 ; EDX=00000000
0157164E Main add edx, esi ; EDX=00BE2A50
01571650 Main push ebx ; ESP=00391FF0
01571651 Main jmp 01497E68
01497E68 Main mov ebx, 0x0 ; EBX=00000000
01497E6D Main add ebx, edx ; EBX=00BE2A50
01497E6F Main push edx ; ESP=00391FEC
01497E70 Main mov edx, 0x0 ; EDX=00000000
01497E75 Main sub edx, 0x1EC233F0 ; FL=CS, EDX=E13DCC10
01497E7B Main add edx, ebx ; FL=PS, EDX=E1FBF660
01497E7D Main add edx, 0x1EC233F0 ; FL=CP, EDX=00BE2A50
01497E83 Main mov al, byte ptr //al = , i.e. pcode_data ; EAX=00000012
01497E85 Main pop edx ; ESP=00391FF0
01497E86 Main mov ebx, dword ptr ; EBX=00000003
01497E89 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01497E8C Main pop edx ; EDX=4C4C133B, ESP=00391FF8
01497E8D Main push esi ; ESP=00391FF4
01497E8E Main jmp 01519F1D
01519F1D Main mov esi, esp ; ESI=00391FF4
01519F1F Main add esi, 0x4 ; ESI=00391FF8
01519F25 Main sub esi, 0x2 ; FL=P, ESI=00391FF6
01519F2B Main jmp 0146EF7E
0146EF7E Main xchg dword ptr , esi ; ESI=00BE2A50
0146EF81 Main pop esp ; ESP=00391FF6
0146EF82 Main mov word ptr , cx
//mov dh, 0x80
0146EF86 Main mov dh, 0x51 ; EDX=4C4C513B
0146EF88 Main shr dh, 0x2 ; EDX=4C4C143B
0146EF8B Main jpo 0154981E
0146EF91 Main inc dh ; FL=0, EDX=4C4C153B
0146EF93 Main xor dh, 0x91 ; FL=PS, EDX=4C4C843B
0146EF96 Main jpo 01568C1F
0146EF9C Main add dh, 0x57 ; EDX=4C4CDB3B
0146EF9F Main jge 0147CAF8
0146EFA5 Main sub dh, 0x5B ; FL=S, EDX=4C4C803B
0146EFA8 Main mov ch, dh ; ECX=00008005
0146EFAA Main sub dh, bl ; FL=PAO, EDX=4C4C7D3B
0146EFAC Main and al, ch //and , 80, i.e. take the top bit of pcode_data ; FL=PZ, EAX=00000000
0146EFAE Main mov cx, word ptr ; ECX=00000005
0146EFB2 Main add esp, 0x2 ; FL=0, ESP=00391FF8
0146EFB5 Main or al, al ; FL=PZ
0146EFB7 Main je 01571697 //jumps if the top bit at offset 0 is 0, does not jump if it is 1; the not-taken path was not executed here, so let's look at that code
//this is the not-taken code; it clears key1. In fact, when the top bit of the first byte of pcode_data is 1, key1, key2, key3 and key4 are all cleared
//key2, key3 and key4 are cleared at the places where those three keys are used
0146EFBD C787 90040000 E>mov dword ptr , 0x3C8728EB //VMContext_490 is key1 = 3C8728EB
0146EFC7 E9 E8610E00 jmp 015551B4
015551B4 F79F 90040000 neg dword ptr //key1 = C378D715
015551BA^ 0F83 3FB4FDFF jnb 015305FF
015551C0 52 push edx
015551C1^ E9 44AEFCFF jmp 0152000A
0152000A 55 push ebp
0152000B BD 90040000 mov ebp, 0x490
01520010 89EA mov edx, ebp
01520012 5D pop ebp
01520013 01FA add edx, edi //edx = edi + 0x490
01520015 53 push ebx
01520016 BB 00000000 mov ebx, 0x0
0152001B 01D3 add ebx, edx //ebx = edx = key1
0152001D 52 push edx
0152001E BA 00000000 mov edx, 0x0
01520023 01DA add edx, ebx
01520025 8132 964B0013 xor dword ptr , 0x13004B96 //key1 = D0789C83
0152002B 5A pop edx
0152002C 5B pop ebx
0152002D 5A pop edx
0152002E F79F 90040000 neg dword ptr //key1 = 2F87637D
01520034 0F8E E78B0300 jle 01558C21
0152003A 81B7 90040000 7>xor dword ptr , 0x2F87637D //key1 = 0
01520044 B9 C354F87D mov ecx, 0x7DF854C3
01520049^ E9 AC1AF9FF jmp 014B1AFA
014B1AFA 81C1 C31D5B58 add ecx, 0x585B1DC3
014B1B00 81E1 09149044 and ecx, 0x44901409
014B1B06 81E1 A1660C14 and ecx, 0x140C66A1
014B1B0C E9 45FB0B00 jmp 01571656
01571656 C1E1 02 shl ecx, 0x2
01571659 81E9 52F3EAA3 sub ecx, 0xA3EAF352
0157165F 50 push eax
01571660 B8 10040000 mov eax, 0x410
01571665 01F8 add eax, edi
01571667 8908 mov dword ptr , ecx
01571669 58 pop eax
0157166A 01E1 add ecx, esp
0157166C BD D40D8172 mov ebp, 0x72810DD4
01571671 C1ED 02 shr ebp, 0x2
01571674 C1E5 07 shl ebp, 0x7
01571677 81ED 3D01C87B sub ebp, 0x7BC8013D
0157167D 81ED 657B64CD sub ebp, 0xCD647B65
01571683 01E9 add ecx, ebp
01571685 81F5 0E02E703 xor ebp, 0x3E7020E
0157168B 31D5 xor ebp, edx
0157168D 8187 10040000 5>add dword ptr , 0x93EAF35>
01571697 Main push 0x4EE0 ; ESP=00391FF4
0157169C Main jmp 015349A0
015349A0 Main mov dword ptr , ecx
015349A3 Main mov ch, 0x3 ; ECX=00000305
015349A5 Main and bl, ch //take the low 2 bits of bl, i.e. the low 2 bits of pcode_data; these 2 bits select how key1 is transformed ; FL=P
015349A7 Main jmp 014ACDDB
014ACDDB Main push dword ptr ; ESP=00391FF0
014ACDDE Main pop ecx ; ECX=00000005, ESP=00391FF4
014ACDDF Main push edi ; ESP=00391FF0
014ACDE0 Main mov edi, esp ; EDI=00391FF0
014ACDE2 Main add edi, 0x4 ; FL=0, EDI=00391FF4
014ACDE8 Main add edi, 0x4 ; EDI=00391FF8
014ACDEB Main xchg dword ptr , edi ; EDI=003D0000
014ACDEE Main pop esp ; ESP=00391FF8
014ACDEF Main push ebx ; ESP=00391FF4
014ACDF0 Main jmp 01461F62
//mov eax, 0
01461F62 Main mov eax, 0x128E518D ; EAX=128E518D
01461F67 Main and eax, 0x333752B7 //value of eax ; EAX=12065085
01461F6C Main mov ebp, 0x4F7F4548 ; EBP=4F7F4548
01461F71 Main jmp 015716A1
015716A1 Main add ebp, 0xEDF0D07 //value of ebp ; EBP=5E5E524F
015716A7 Main add eax, ebp //value of eax ; FL=PA, EAX=7064A2D4
015716A9 Main xor ebp, 0x291222DA ; FL=P, EBP=774C7095
015716AF Main sub eax, 0x7064A2D4 //value of eax ; FL=PZ, EAX=00000000
015716B4 Main mov ebx, eax ; EBX=00000000
015716B6 Main sub eax, esi ; FL=CS, EAX=FF41D5B0
015716B8 Main sub eax, 0x7A326E20 ; FL=PS, EAX=850F6790
015716BD Main add ebx, esi //ebx = pcode_data ; FL=P, EBX=00BE2A50
015716BF Main push ecx ; ESP=00391FF0
015716C0 Main mov ecx, 0x0 ; ECX=00000000
015716C5 Main add ecx, ebx //ecx = pcode_data ; ECX=00BE2A50
015716C7 Main mov al, byte ptr ; EAX=850F6712
015716C9 Main mov ecx, dword ptr ; ECX=00000005
015716CC Main add esp, 0x4 ; FL=0, ESP=00391FF4
015716CF Main pop ebx ; EBX=00000003, ESP=00391FF8
//bl is the low 2 bits of pcode_data; the 4 keys work roughly like a stream cipher: each is transformed after every use, and the low 2 bits of pcode_data select the transformation; here it is 3
015716D0 Main or bl, bl ; FL=P
015716D2 Main jnz 015716DE
015716DE Main cmp bl, 0x1 ; FL=0
015716E1 Main jnz 0145A2E5
0145A2E5 Main cmp bl, 0x2
0145A2E8 Main jnz 015716F1
015716F1 Main sub byte ptr , al //key1 - pcode_data, stored back into key1 ; FL=S
015716F7 Main jmp 0155D986
0155D986 Main mov eax, 0x191F333C ; EAX=191F333C
0155D98B Main jmp 0148123C
0148123C Main shr eax, 0x7 ; FL=P, EAX=00323E66
0148123F Main je 01560BBC
01481245 Main sub eax, 0x6BED066D ; FL=CPAS, EAX=944537F9
0148124A Main jmp 014E8E19
014E8E19 Main jge 0155E4E6
014E8E1F Main sub eax, 0x823EFA25 ; FL=P, EAX=12063DD4
014E8E24 Main mov ebp, eax ; EBP=12063DD4
014E8E26 Main sub eax, esp ; FL=A, EAX=11CD1DDC
014E8E28 Main not ebp ; EBP=EDF9C22B
014E8E2A Main add ebp, 0x2266A3D3 ; FL=C, EBP=106065FE
014E8E30 Main mov eax, ebp ; EAX=106065FE
014E8E32 Main add ebp, eax ; FL=PA, EBP=20C0CBFC
014E8E34 Main add eax, -0x1 ; FL=CA, EAX=106065FD
014E8E37 Main not eax ; EAX=EF9F9A02
014E8E39 Main mov ebx, 0x3FA877A8 ; EBX=3FA877A8
014E8E3E Main shl ebx, 0x8 ; FL=CPAS, EBX=A877A800
014E8E41 Main inc ebx ; FL=CS, EBX=A877A801
014E8E42 Main add ebx, 0x6EA2F395 ; FL=CP, EBX=171A9B96
014E8E48 Main add eax, ebx ; FL=C, EAX=06BA3598
014E8E4A Main add ebx, ebx ; FL=0, EBX=2E35372C
014E8E4C Main xor ebx, 0x3A9B38F7 ; FL=P, EBX=14AE0FDB
014E8E52 Main mov ebx, eax ; EBX=06BA3598
014E8E54 Main push 0x413A ; ESP=00391FF4
014E8E59 Main jmp 014ACEA9
014ACEA9 Main mov dword ptr , edx
014ACEAC Main mov edx, 0x3 ; EDX=00000003
014ACEB1 Main sub edx, 0x38804317 ; FL=CAS, EDX=C77FBCEC
014ACEB7 Main jmp 0148E7C4
0148E7C4 Main sub edx, 0x17537633 ; FL=S, EDX=B02C46B9
0148E7CA Main add edx, esi ; FL=PS, EDX=B0EA7109
0148E7CC Main add edx, 0x17537633 ; EDX=C83DE73C
0148E7D2 Main add edx, 0x38804317 //edx = pcode_data address ; FL=CPA, EDX=00BE2A53
0148E7D8 Main push dword ptr ; ESP=00391FF0
0148E7DA Main add dword ptr , 0x212B4E82 ; FL=S
0148E7E1 Main pop eax ; EAX=E273D885, ESP=00391FF4
0148E7E2 Main sub eax, 0x212B4E82 //eax = pcode_data ; FL=PS, EAX=C1488A03
0148E7E7 Main pop edx ; EDX=4C4C7D3B, ESP=00391FF8
0148E7E8 Main push edx ; ESP=00391FF4
0148E7E9 Main jmp 015716FC
015716FC Main mov ebx, 0x37575E15 ; EBX=37575E15
01571701 Main shr ebx, 0x8 ; FL=0, EBX=0037575E
01571704 Main and ebx, 0x13170AC3 ; FL=P, EBX=00170242
0157170A Main jmp 0149086B
0149086B Main push eax ; ESP=00391FF0
0149086C Main mov eax, 0x43612E84 ; EAX=43612E84
01490871 Main xor ebx, eax ; EBX=43762CC6
01490873 Main mov eax, dword ptr ; EAX=C1488A03
01490876 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01490879 Main neg ebx ; FL=CPAS, EBX=BC89D33A
0149087B Main xor ebx, 0x3AC842EB ; FL=PS, EBX=864191D1
01490881 Main xor ebx, 0x864191CD ; FL=0, EBX=0000001C
01490887 Main mov edx, ebx //edx = 1C ; EDX=0000001C
01490889 Main sub ebx, ebp ; FL=CS, EBX=DF3F3420
0149088B Main sub ebx, esi ; FL=S, EBX=DE8109D0
0149088D Main and eax, edx //eax & 1C = 0: takes bits b4-b2 of pcode_data (b7-b0); these 3 bits decide whether the 8 registers VM_eax~VM_edi need to be rotated ; FL=PZ, EAX=00000000
//"rotation" means rolling the values of these registers around, purely to confuse debugging. Here it is 0, meaning this handler does no rotation.
0149088F Main mov edx, dword ptr ; EDX=4C4C7D3B
01490892 Main add esp, 0x4 ; FL=0, ESP=00391FF8
01490898 Main shr eax, 0x2 ; FL=PZ
0149089B Main jmp 01484B33
01484B33 Main shl eax, 0x3
01484B36 Main jmp 0156912A
0156912A Main or eax, eax
0156912C Main jmp 014B2F31
014B2F31 Main je 0146630A //checks whether these 3 bits are 0; here they are 0 so it jumps. If nonzero it does not jump and rotates the 8 registers eax-edi in VMContext according to the value of the 3 bits; that code is too complex to paste here
0146630A Main push esi ; ESP=00391FF4
0146630B Main jmp 0157181E
0157181E Main mov esi, esp ; ESI=00391FF4
01571820 Main add esi, 0x4 ; FL=0, ESI=00391FF8
01571826 Main push eax ; ESP=00391FF0
01571827 Main jmp 0150E258
0150E258 Main mov eax, 0x4 ; EAX=00000004
0150E25D Main sub esi, eax ; ESI=00391FF4
0150E25F Main pop eax ; EAX=00000000, ESP=00391FF4
0150E260 Main xchg dword ptr , esi ; ESI=00BE2A50
0150E263 Main pop esp
0150E264 Main mov dword ptr , esi
0150E267 Main mov eax, dword ptr ; EAX=00BE2A50
0150E26A Main add esp, 0x4 ; ESP=00391FF8
0150E26D Main push eax ; ESP=00391FF4
0150E26E Main jmp 01485D10
//---------------------------------fetch pcode_data~pcode_data and operate on it----------------------------
//this fetches the value at pcode_data~pcode_data; from the analysis below we know this number is an operand, call it the old operand for now.
01485D10 Main mov eax, 0x9 ; EAX=00000009
01485D15 Main sub eax, 0x4D1D77A8 ; FL=CS, EAX=B2E28861
01485D1A Main mov edx, 0x28D36CB3 ; EDX=28D36CB3
01485D1F Main jmp 0149DFCA
0149DFCA Main xor edx, 0x48740002 ; FL=P, EDX=60A76CB1
0149DFD0 Main add eax, edx ; FL=CP, EAX=1389F512
0149DFD2 Main xor edx, 0x38095DF0 ; FL=P, EDX=58AE3141
0149DFD8 Main add eax, esi ; FL=0, EAX=14481F62
0149DFDA Main push esi ; ESP=00391FF0
0149DFDB Main mov esi, 0x60A76CB1 ; ESI=60A76CB1
0149DFE0 Main sub eax, esi ; FL=CPS, EAX=B3A0B2B1
0149DFE2 Main pop esi ; ESP=00391FF4, ESI=00BE2A50
0149DFE3 Main add eax, 0x4D1D77A8 ; FL=CP, EAX=00BE2A59
0149DFE8 Main mov ecx, dword ptr //ecx = pcode_data~pcode_data ; ECX=00221200
0149DFEA Main pop eax ; EAX=00BE2A50, ESP=00391FF8
0149DFEB Main push ecx ; ESP=00391FF4
0149DFEC Main jmp 0145621B
0145621B Main mov ecx, 0x490 ; ECX=00000490
01456220 Main add ecx, edi //ecx = address of key1 ; FL=P, ECX=003D0490
01456222 Main push edx ; ESP=00391FF0
01456223 Main jmp 014CF1CB
014CF1CB Main mov ebp, 0x61A08A8 ; EBP=061A08A8
014CF1D0 Main shr ebp, 0x5 ; FL=0, EBP=0030D045
014CF1D3 Main not ebp ; EBP=FFCF2FBA
014CF1D5 Main dec ebp ; FL=S, EBP=FFCF2FB9
014CF1D6 Main je 0155DE54
014CF1DC Main sub ebp, 0xFFCF2FB9 ; FL=PZ, EBP=00000000
014CF1E2 Main push ebp ; ESP=00391FEC
014CF1E3 Main pop edx ; EDX=00000000, ESP=00391FF0
014CF1E4 Main push ecx ; ESP=00391FEC
014CF1E5 Main mov ecx, 0x74906796 ; ECX=74906796
014CF1EA Main xor ebp, ecx ; FL=P, EBP=74906796
014CF1EC Main pop ecx ; ECX=003D0490, ESP=00391FF0
014CF1ED Main add ebp, 0x489C3565 ; FL=SO, EBP=BD2C9CFB
014CF1F3 Main add edx, ecx //after going round in a circle, edx is still the address of key1 ; FL=P, EDX=003D0490
014CF1F5 Main mov al, byte ptr //al = key1 ; EAX=00BE2AE0
014CF1F7 Main pop edx ; EDX=58AE3141, ESP=00391FF4
014CF1F8 Main pop ecx ; ECX=00221200, ESP=00391FF8
014CF1F9 Main push ebp ; ESP=00391FF4
014CF1FA Main jmp 0150DD01
//this computes a loop count that ends up in edx; the count is used to decode the old operand, and since the old operand is always 4 bytes, edx = 4
0150DD01 Main mov ebp, 0x28920E14 ; EBP=28920E14
0150DD06 Main mov ebx, ebp ; EBX=28920E14
0150DD08 Main pop ebp ; ESP=00391FF8, EBP=BD2C9CFB
0150DD09 Main jmp 01462A1A
01462A1A Main xor ebx, 0x36B179A4 ; FL=0, EBX=1E2377B0
01462A20 Main mov ebp, 0x7B0B69B2 ; EBP=7B0B69B2
01462A25 Main add ebp, 0x66D11EA2 ; FL=SO, EBP=E1DC8854
01462A2B Main add ebx, ebp ; FL=C, EBX=00000004
01462A2D Main push ebx ; ESP=00391FF4
01462A2E Main pop edx ; EDX=00000004, ESP=00391FF8
01462A2F Main mov ebp, 0x10BB5A20 ; EBP=10BB5A20
01462A34 Main jmp 014EE092
014EE092 Main or ebp, 0x39226A7A ; FL=0, EBP=39BB7A7A
014EE098 Main jle 0159F9F1
014EE09E Main shr ebp, 0x4 ; FL=C, EBP=039BB7A7
014EE0A1 Main jmp 014874D7
014874D7 Main jpo 014FEA98
014FEA98 Main shr ebp, 0x4 ; FL=0, EBP=0039BB7A
014FEA9B Main xor ebp, 0x39BBFA ; EBP=00000080
014FEAA1 Main mov ebx, ebp ; EBX=00000080
014FEAA3 Main push eax ; ESP=00391FF4
014FEAA4 Main push ecx ; ESP=00391FF0
014FEAA5 Main mov ecx, 0x21D15DB0 ; ECX=21D15DB0
014FEAAA Main push edx ; ESP=00391FEC
014FEAAB Main mov edx, 0x58F47652 ; EDX=58F47652
014FEAB0 Main mov eax, edx ; EAX=58F47652
014FEAB2 Main pop edx ; EDX=00000004, ESP=00391FF0
014FEAB3 Main sub eax, ecx ; EAX=372318A2
014FEAB5 Main pop ecx ; ECX=00221200, ESP=00391FF4
014FEAB6 Main sub eax, 0x10D032C2 ; EAX=2652E5E0
014FEABB Main sub eax, 0xF3E0866E ; FL=CPA, EAX=32725F72
014FEAC0 Main add ebp, eax ; FL=0, EBP=32725FF2
014FEAC2 Main mov eax, dword ptr ; EAX=00BE2AE0
014FEAC5 Main add esp, 0x4 ; ESP=00391FF8
014FEACB Main xor ebp, esp ; FL=P, EBP=324B400A
014FEACD Main jmp 0145B225
//decoding of the old operand starts here
0145B225 Main or edx, edx //checks whether edx is 0; if not, decode. edx's initial value is the 4 mentioned above ; FL=0
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 //generic decode instruction, usually of the form ror r32, 4 ; ECX=00022120
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl //bl is 80; compares key1 with 80 ; FL=P
014CD839 Main jbe 014D2C58 //depending on the comparison result, the rotated data is combined with key1; different comparison results use different operations.
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl //cl - 93 ; FL=CPASO, ECX=0002218D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00021F8D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0002218D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl //cl - 93 - 39 ; FL=O, ECX=00022154
01472F0B Main pop edx ; EDX=00000004, ESP=00391FF8
01472F0C Main add cl, al //cl - 93 - 39 + al ; FL=C, ECX=00022134
01472F0E Main add cl, 0x39 //cl - 93 + al ; FL=0, ECX=0002216D
01472F11 Main add cl, 0x93 //cl + al ; FL=CPAZ, ECX=00022100
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CS, EDX=DFCEA002
015173A0 Main add edx, ebx //dec edx ; FL=CAS, EDX=DFCEA001
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CP, EDX=00000003
0145B20F Main mov ebx, dword ptr ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr , ecx ; ECX=00022100
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx //checks whether edx is 0; if not, keep decoding ; FL=P
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; ECX=00002210
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPA, ECX=0000227D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00001F7D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0000227D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; ECX=00002244
01472F0B Main pop edx ; EDX=00000003, ESP=00391FF8
01472F0C Main add cl, al ; FL=CP, ECX=00002224
01472F0E Main add cl, 0x39 ; FL=0, ECX=0000225D
01472F11 Main add cl, 0x93 ; FL=PAS, ECX=000022F0
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CS, EDX=DFCEA001
015173A0 Main add edx, ebx ; FL=CPAS, EDX=DFCEA000
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=C, EDX=00000002
0145B20F Main mov ebx, dword ptr ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr , ecx ; ECX=000022F0
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; ECX=0000022F
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl ; FL=P
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPSO, ECX=0000029C
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00001F9C
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0000029C, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; FL=PO, ECX=00000263
01472F0B Main pop edx ; EDX=00000002, ESP=00391FF8
01472F0C Main add cl, al ; FL=C, ECX=00000243
01472F0E Main add cl, 0x39 ; FL=0, ECX=0000027C
01472F11 Main add cl, 0x93 ; FL=CP, ECX=0000020F
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CPS, EDX=DFCEA000
015173A0 Main add edx, ebx ; EDX=DFCE9FFF
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CA, EDX=00000001
0145B20F Main mov ebx, dword ptr ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr , ecx ; ECX=0000020F
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; FL=C, ECX=F0000020
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl ; FL=P
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPASO, ECX=F000008D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=F0001F8D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=F000008D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; FL=O, ECX=F0000054
01472F0B Main pop edx ; EDX=00000001, ESP=00391FF8
01472F0C Main add cl, al ; FL=C, ECX=F0000034
01472F0E Main add cl, 0x39 ; FL=0, ECX=F000006D
01472F11 Main add cl, 0x93 ; FL=CPAZ, ECX=F0000000
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CPAS, EDX=DFCE9FFF
015173A0 Main add edx, ebx ; FL=CAS, EDX=DFCE9FFE
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CPAZ, EDX=00000000
0145B20F Main mov ebx, dword ptr ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr , ecx ; ECX=F0000000
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx ; FL=PZ
0145B227 Main jnz 0157182C
Decoding of the old operand ends here. Let's write it as pseudocode; roughly:
for (int i = 0; i < 4; i++)
{
    OldArgument = ror32(OldArgument, 4);                  /* the ror ecx, 4 */
    if (key1 > 0x80)                                      /* cmp al, bl / jbe with bl = 0x80 */
    {
        /* the -0x93, -0x39, +al, +0x39, +0x93 chain collapses to add cl, al: low byte only */
        OldArgument = (OldArgument & 0xFFFFFF00) | (uint8_t)(OldArgument + key1);
    }
    else
    {
        /* other handling (not traced here) */
    }
}
0145B22D Main push ecx //push the decoded old operand, it will be needed shortly ; ESP=00391FF4
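The loop above as runnable C, an added example rather than the author's code. It replays the four rounds on the values from this trace (ecx = 00221200, key1 low byte al = E0) and reproduces the intermediate results 00022100, 000022F0, 0000020F and the final F0000000; the jbe path for key1 <= 0x80 is not traced on this page, so the function deliberately leaves the value unchanged there (an assumption, marked in the code).

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotate right, the handler's "ror ecx, 4". */
uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* One decode round as traced: rotate, then "cmp al, bl / jbe" with bl = 0x80.
 * When key1 > 0x80 the handler runs cl -= 0x93; cl -= 0x39; cl += al;
 * cl += 0x39; cl += 0x93 on the low byte only (no carry into ch), which is
 * just cl += key1 with junk subtracted and re-added around it. */
uint32_t decode_round(uint32_t v, uint8_t key1)
{
    v = ror32(v, 4);
    if (key1 > 0x80) {
        uint8_t cl = (uint8_t)v;
        cl = (uint8_t)(cl - 0x93);
        cl = (uint8_t)(cl - 0x39);
        cl = (uint8_t)(cl + key1);   /* add cl, al */
        cl = (uint8_t)(cl + 0x39);
        cl = (uint8_t)(cl + 0x93);
        v = (v & 0xFFFFFF00u) | cl;
    }
    /* else: the jbe path (key1 <= 0x80) is not in this trace. Assumption: leave
     * the value untouched here; the real handler does something else. */
    return v;
}

/* Run the loop for 'rounds' iterations; in the trace edx counts 4 -> 0. */
uint32_t decode_after_rounds(uint32_t enc, uint8_t key1, int rounds)
{
    uint32_t v = enc;
    for (int i = 0; i < rounds; i++)
        v = decode_round(v, key1);
    return v;
}

/* The old operand is always 4 bytes, hence 4 rounds. */
uint32_t decode_old_operand(uint32_t enc, uint8_t key1)
{
    return decode_after_rounds(enc, key1, 4);
}

int main(void)
{
    /* values taken from the trace above: ecx = 00221200, al (key1 low byte) = E0 */
    uint32_t enc = 0x00221200u;
    uint8_t key1 = 0xE0;
    for (int i = 1; i <= 4; i++)
        printf("round %d: %08X\n", i, decode_after_rounds(enc, key1, i));
    printf("old operand: %08X\n", decode_old_operand(enc, key1));
    return 0;
}
```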
0145B22E Main pushfd ; ESP=00391FF0
0145B22F Main jmp 0153B57B
0153B57B Main add ecx, 0x74EB33D5 ; FL=C, ECX=64EB33D5
0153B581 Main jmp 015368A8
015368A8 Main sub ecx, 0x38C000EF ; FL=A, ECX=2C2B32E6
015368AE Main add ecx, edx ; FL=0
015368B0 Main push esi ; ESP=00391FEC
015368B1 Main jmp 01558DF9
01558DF9 Main push 0x7FC458E6 ; ESP=00391FE8
01558DFE Main pop ebp ; ESP=00391FEC, EBP=7FC458E6
01558DFF Main sub ebp, 0x19920765 ; FL=P, EBP=66325181
01558E05 Main jbe 0159F9F9
01558E0B Main shl ebp, 0x2 ; FL=CS, EBP=98C94604
01558E0E Main jnz 014B7CD3
014B7CD3 Main or ebp, 0x6D1070DC ; FL=S, EBP=FDD976DC
014B7CD9 Main jbe 014EDA56
014B7CDF Main sub ebp, 0xC51975ED ; FL=A, EBP=38C000EF
014B7CE5 Main mov esi, ebp ; ESI=38C000EF
014B7CE7 Main add ebp, edi ; FL=0, EBP=38FD00EF
014B7CE9 Main xor ebp, 0x62E836CA ; EBP=5A153625
014B7CEF Main add ebp, 0x3AE9787C ; FL=ASO, EBP=94FEAEA1
014B7CF5 Main add ecx, esi ; FL=A, ECX=64EB33D5
014B7CF7 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B7CF8 Main mov eax, 0x7C415628 ; EAX=7C415628
014B7CFD Main shl eax, 0x7 ; FL=PA, EAX=20AB1400
014B7D00 Main and eax, 0x128B417B ; FL=P, EAX=008B0000
014B7D05 Main and eax, 0x34BB64C6
014B7D0A Main inc eax ; FL=0, EAX=008B0001
014B7D0B Main sub eax, 0x8B9FCC2C ; FL=CA, EAX=74EB33D5
014B7D10 Main sub ecx, eax ; FL=CPS, ECX=F0000000
014B7D12 Main sub eax, ecx ; FL=CSO, EAX=84EB33D5
014B7D14 Main add eax, edi ; FL=S, EAX=852833D5
014B7D16 Main popfd ; FL=PZ, ESP=00391FF4
014B7D17 Main jmp 01567F5F
//---------------------------------fetch pcode_data and operate on it----------------------------
//this fetches pcode_data
01567F5F Main push dword ptr ; ESP=00391FF0
01567F62 Main jmp 014DBDF7
014DBDF7 Main add dword ptr , 0x4C95063B ; FL=A
014DBDFE Main mov eax, dword ptr ; EAX=6EA70646
014DBE01 Main add esp, 0x4 ; FL=0, ESP=00391FF4
014DBE04 Main jmp 0156A749
0156A749 Main mov edx, 0x4D23602E ; EDX=4D23602E
0156A74E Main inc edx ; EDX=4D23602F
0156A74F Main sub edx, 0xDA73156 ; EDX=3F7C2ED9
0156A755 Main or edx, 0x2FC00ED9 ; EDX=3FFC2ED9
0156A75B Main add edx, 0xC98D762 ; EDX=4C95063B
0156A761 Main add eax, 0x2B5F5882 ; FL=SO, EAX=9A065EC8
0156A766 Main sub eax, 0x4B873E36 ; FL=O, EAX=4E7F2092
0156A76B Main sub eax, edx ; FL=A, EAX=01EA1A57
0156A76D Main add eax, 0x4B873E36 ; FL=P, EAX=4D71588D
0156A772 Main sub eax, 0x2B5F5882 //al =pcode_data = 0B ; FL=0, EAX=2212000B
0156A777 Main mov ebx, 0x77C648BA ; EBX=77C648BA
0156A77C Main jmp 014D050A
014D050A Main mov edx, ebx ; EDX=77C648BA
014D050C Main push edx ; ESP=00391FF0
014D050D Main not dword ptr
014D0510 Main jmp 014E5CA2
014E5CA2 Main mov edx, dword ptr ; EDX=8839B745
014E5CA5 Main add esp, 0x4 ; ESP=00391FF4
014E5CA8 Main mov ecx, 0x614E297A ; ECX=614E297A
014E5CAD Main not ecx ; ECX=9EB1D685
014E5CAF Main shr ecx, 0x8 ; FL=C, ECX=009EB1D6
014E5CB2 Main add ecx, 0x126E558D ; FL=PA, ECX=130D0763
014E5CB8 Main neg ecx ; FL=CAS, ECX=ECF2F89D
014E5CBA Main neg ecx ; FL=CPA, ECX=130D0763
014E5CBC Main add ecx, 0x752CAEE3 ; FL=SO, ECX=8839B646
014E5CC2 Main sub edx, ecx //edx = 000000FF ; FL=PA, EDX=000000FF
014E5CC4 Main sub ecx, ecx ; FL=PZ, ECX=00000000
014E5CC6 Main sub ecx, ecx
014E5CC8 Main and eax, edx //keep only al, i.e. pcode_data ; FL=0, EAX=0000000B
014E5CCA Main add edx, esp ; FL=PA, EDX=003920F3
014E5CCC Main push 0x6802 ; ESP=00391FF0
014E5CD1 Main jmp 01571834
01571834 Main mov dword ptr , edi
01571837 Main push esp ; ESP=00391FEC
01571838 Main pop edi ; ESP=00391FF0, EDI=00391FF0
01571839 Main jmp 0146C912
0146C912 Main add edi, 0x4 ; FL=0, EDI=00391FF4
0146C918 Main sub edi, 0x4 ; FL=P, EDI=00391FF0
0146C91E Main xchg dword ptr , edi ; EDI=003D0000
0146C921 Main pop esp
0146C922 Main mov dword ptr , edx
0146C925 Main mov edx, 0x0 ; EDX=00000000
0146C92A Main add edx, esi ; EDX=00BE2A50
0146C92C Main mov ebx, dword ptr //ebx = pcode_data ; EBX=03E01112
0146C92E Main pop edx ; EDX=003920F3, ESP=00391FF4
0146C92F Main push 0x5D2E ; ESP=00391FF0
0146C934 Main jmp 0149BD04
0149BD04 Main mov dword ptr , ebp
0149BD07 Main mov ebp, 0x80 ; EBP=00000080
0149BD0C Main and ebx, ebp //again takes the top bit of pcode_data; here it is 0, meaning key4 is not cleared ; FL=PZ, EBX=00000000
0149BD0E Main jmp 0157183E
0157183E Main push dword ptr ; ESP=00391FEC
01571841 Main mov ebp, dword ptr ; EBP=94FEAEA1
01571844 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01571847 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0157184D Main or ebx, ebx ; FL=PZ
0157184F Main je 014E36DF //if this does not jump, key4 is cleared
014E36DF Main mov edx, eax ; EDX=0000000B
014E36E1 Main jmp 0155A078
0155A078 Main mov ebp, edx ; EBP=0000000B
0155A07A Main mov ebx, ebp //make a copy of pcode_data in ebx ; EBX=0000000B
0155A07C Main push eax ; ESP=00391FF0
0155A07D Main jmp 014AC932
014AC932 Main mov eax, ebx
014AC934 Main mov ecx, eax ; ECX=0000000B
014AC936 Main pop eax ; ESP=00391FF4
014AC937 Main mov ebx, ecx
014AC939 Main push ebx ; ESP=00391FF0
014AC93A Main jmp 014FB24F
//this obtains the address of the 4th key, which ends up in ebx
014FB24F Main mov ebx, 0x37C ; EBX=0000037C
014FB254 Main add ebx, 0x3BE81E78 ; FL=A, EBX=3BE821F4
014FB25A Main push ebp ; ESP=00391FEC
014FB25B Main jmp 01528CE1
01528CE1 Main mov ebp, 0x78C33BB4 ; EBP=78C33BB4
01528CE6 Main sub ebx, ebp ; FL=CS, EBX=C324E640
01528CE8 Main pop ebp ; ESP=00391FF0, EBP=0000000B
01528CE9 Main add ebx, edi ; FL=S, EBX=C361E640
01528CEB Main add ebx, 0x78C33BB4 ; FL=C, EBX=3C2521F4
01528CF1 Main sub ebx, 0x3BE81E78 ; FL=A, EBX=003D037C
//here key4 is used to decode pcode_data
01528CF7 Main xor eax, dword ptr //pcode_data ^ key4 ; FL=P, EAX=000000FC
01528CF9 Main mov ebx, dword ptr ; EBX=0000000B
01528CFC Main add esp, 0x4 ; FL=0, ESP=00391FF4
01528CFF Main sub esp, 0x4 ; FL=P, ESP=00391FF0
01528D05 Main jmp 014BD0E5
014BD0E5 Main mov dword ptr , edx
014BD0E8 Main push 0x60F96A9E ; ESP=00391FEC
014BD0ED Main pop ecx ; ECX=60F96A9E, ESP=00391FF0
014BD0EE Main jmp 01510172
01510172 Main add ecx, 0x43D5088F ; FL=PASO, ECX=A4CE732D
01510178 Main or ecx, 0x6116193D ; FL=S, ECX=E5DE7B3D
0151017E Main jpo 0147A231
0147A231 Main inc ecx ; ECX=E5DE7B3E
0147A232 Main xor ecx, 0xE5DE7B20 ; FL=P, ECX=0000001E
0147A238 Main mov ebp, ecx ; EBP=0000001E
0147A23A Main xor ecx, 0x177C2857 ; FL=0, ECX=177C2849
0147A240 Main xor ecx, 0x2E716D2B ; ECX=390D4562
0147A246 Main add ecx, esp ; ECX=39466552
0147A248 Main push ebp ; ESP=00391FEC
0147A249 Main xor dword ptr , 0x1D7735D0
0147A250 Main pop edx ; EDX=1D7735CE, ESP=00391FF0
0147A251 Main xor edx, 0x1D7735D0 ; FL=P, EDX=0000001E
0147A257 Main xor eax, edx //pcode_data ^ key4 ^ 1E (random constant) ; EAX=000000E2
0147A259 Main pop edx ; EDX=0000000B, ESP=00391FF4
0147A25A Main mov edx, 0x3D402ADF ; EDX=3D402ADF
0147A25F Main jmp 01488EB7
01488EB7 Main push ebx ; ESP=00391FF0
01488EB8 Main mov ebp, 0x64270829 ; EBP=64270829
01488EBD Main xor ebp, 0x5DCF2978 ; FL=0, EBP=39E82151
01488EC3 Main jmp 01464DB8
01464DB8 Main jnz 015618C9
015618C9 Main neg ebp ; FL=CPAS, EBP=C617DEAF
015618CB Main jg 0155AF0D
015618D1 Main shl ebp, 0x7 ; FL=CA, EBP=0BEF5780
015618D4 Main jpe 0155E36A
015618DA Main dec ebp ; EBP=0BEF577F
015618DB Main jnz 01502678
01502678 Main shl ebp, 0x4 ; FL=PAS, EBP=BEF577F0
0150267B Main xor ebp, 0xE79F30DD ; FL=P, EBP=596A472D
01502681 Main mov ebx, ebp ; EBX=596A472D
01502683 Main xor edx, ebx ; FL=0, EDX=642A6DF2
01502685 Main pop ebx ; EBX=0000000B, ESP=00391FF4
01502686 Main xchg edx, ecx ; ECX=642A6DF2, EDX=39466552
01502688 Main dec ecx ; ECX=642A6DF1
01502689 Main xchg edx, ecx ; ECX=39466552, EDX=642A6DF1
0150268B Main sub edx, 0xC444047 ; FL=PA, EDX=57E62DAA
01502691 Main sub edx, 0x5CB93797 ; FL=CS, EDX=FB2CF613
01502697 Main push ebp ; ESP=00391FF0
01502698 Main mov ebp, 0xFB2CF6C9 ; EBP=FB2CF6C9
0150269D Main xor edx, ebp ; FL=0, EDX=000000DA
0150269F Main pop ebp ; ESP=00391FF4, EBP=596A472D
015026A0 Main sub eax, edx //(pcode_data ^ key4 ^ 1E (random constant)) - DA (random constant) ; FL=A, EAX=00000008
015026A2 Main mov ebp, 0x483464A7 ; EBP=483464A7
015026A7 Main jmp 014A60C5
014A60C5 Main xchg eax, ebp ; EAX=483464A7, EBP=00000008
014A60C6 Main push edi ; ESP=00391FF0
014A60C7 Main mov edi, 0x1 ; EDI=00000001
014A60CC Main jmp 01497C0E
01497C0E Main add eax, 0x2AE63E84 ; FL=P, EAX=731AA32B
01497C13 Main add eax, edi ; FL=0, EAX=731AA32C
01497C15 Main sub eax, 0x2AE63E84 ; EAX=483464A8
01497C1A Main pop edi ; ESP=00391FF4, EDI=003D0000
01497C1B Main xchg eax, ebp ; EAX=00000008, EBP=483464A8
01497C1C Main dec ebp ; EBP=483464A7
01497C1D Main xor ebp, 0x48346458 ; FL=P, EBP=000000FF
01497C23 Main and ebx, ebp ; FL=0
01497C25 Main sub ebp, eax ; EBP=000000F7
01497C27 Main xor ebp, ebp ; FL=PZ, EBP=00000000
01497C29 Main push edx ; ESP=00391FF0
01497C2A Main jmp 014E62FD
014E62FD Main mov edx, 0x37C //fetch the address of key4 here ; EDX=0000037C
014E6302 Main add edx, edi ; FL=0, EDX=003D037C
014E6304 Main push ecx ; ESP=00391FEC
014E6305 Main jmp 01481869
01481869 Main mov ecx, 0x0 ; ECX=00000000
0148186E Main add ecx, edx ; ECX=003D037C
01481870 Main push eax //the computed value is saved on the stack ; ESP=00391FE8
01481871 Main mov eax, 0x0 ; EAX=00000000
01481876 Main add eax, ecx ; EAX=003D037C
01481878 Main push ecx ; ESP=00391FE4
01481879 Main mov ecx, 0x0 ; ECX=00000000
0148187E Main add ecx, eax ; ECX=003D037C
01481880 Main xor dword ptr , ebx //ebx is the copy of pcode_data ; FL=P
So this decode step is roughly:
A = (BYTE)pCode_data + 8 ^ key4
B = A ^ 1E
C = B - DA    C is the decoded value
key4 = key4 ^ (BYTE)pCode_data + 8
01481882 Main pop ecx ; ESP=00391FE8
01481883 Main pop eax //eax = the value decoded from pcode_data; this value is actually opcode1, the first byte used to look up the next HANDLER ; EAX=00000008, ESP=00391FEC
01481884 Main pop ecx ; ECX=39466552, ESP=00391FF0
01481885 Main mov edx, dword ptr ; EDX=000000DA
01481888 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0148188E Main push 0x657B4405 ; ESP=00391FF0
01481893 Main jmp 0149C39C
0149C39C Main pop ecx ; ECX=657B4405, ESP=00391FF4
0149C39D Main push edi ; ESP=00391FF0
0149C39E Main mov edi, 0x15D454A4 ; EDI=15D454A4
0149C3A3 Main jmp 01478A89
01478A89 Main xor ecx, edi ; ECX=70AF10A1
01478A8B Main pop edi ; ESP=00391FF4, EDI=003D0000
01478A8C Main push 0x2E43 ; ESP=00391FF0
01478A91 Main mov dword ptr , ecx
01478A94 Main pop edx ; EDX=70AF10A1, ESP=00391FF4
01478A95 Main xor edx, 0x70AF105E ; FL=P, EDX=000000FF
01478A9B Main and eax, edx ; FL=0
01478A9D Main xor edx, edi ; FL=P, EDX=003D00FF
01478A9F Main mov edx, eax ; EDX=00000008
01478AA1 Main jmp 014FFBF3
014FFBF3 Main push edx ; ESP=00391FF0
014FFBF4 Main push 0x7BDE ; ESP=00391FEC
014FFBF9 Main mov dword ptr , eax
014FFBFC Main jmp 01501FBF
01501FBF Main mov eax, 0x609948EE ; EAX=609948EE
01501FC4 Main add dword ptr , 0x133C6C77 ; FL=0
01501FCC Main sub dword ptr , eax ; FL=CS
01501FD0 Main sub dword ptr , 0x133C6C77 ; FL=AS
01501FD8 Main pop eax ; EAX=00000008, ESP=00391FF0
01501FD9 Main pop dword ptr ; ESP=00391FF4
01501FDF Main add dword ptr , 0x609948EE //this value is stored in VMContext.47C ; FL=CA
//fetch pcode_data
01501FE9 Main push dword ptr ; ESP=00391FF0
01501FEB Main jmp 014A1569
014A1569 Main mov eax, dword ptr ; EAX=03E01112
014A156C Main push esi ; ESP=00391FEC
014A156D Main mov esi, esp ; ESI=00391FEC
014A156F Main jmp 01554D48
01554D48 Main add esi, 0x4 ; FL=PA, ESI=00391FF0
01554D4E Main mov ecx, 0xC862B03 ; ECX=0C862B03
01554D53 Main sub ecx, 0x3E4E06A9 ; FL=CPAS, ECX=CE38245A
01554D59 Main and ecx, 0x19937837 ; FL=P, ECX=08102012
01554D5F Main and ecx, 0x71903D18 ; FL=0, ECX=00102010
01554D65 Main xor ecx, 0x102014 ; ECX=00000004
01554D6B Main add esi, ecx ; ESI=00391FF4
01554D6D Main sub ecx, 0x736C6E59 ; FL=CAS, ECX=8C9391AB
01554D73 Main xor esi, dword ptr ; FL=0, ESI=008735A4
01554D76 Main xor dword ptr , esi
01554D79 Main xor esi, dword ptr ; FL=P, ESI=00BE2A50
01554D7C Main pop esp ; ESP=00391FF4
01554D7D Main sub esp, 0x4 ; ESP=00391FF0
01554D80 Main jmp 0150E10C
0150E10C Main mov dword ptr , edi
0150E10F Main push 0x80 ; ESP=00391FEC
0150E114 Main mov edi, dword ptr ; EDI=00000080
0150E117 Main jmp 01481EC1
01481EC1 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01481EC7 Main and eax, edi ; FL=PZ, EAX=00000000
01481EC9 Main mov edi, dword ptr ; EDI=003D0000
01481ECC Main add esp, 0x4 ; FL=0, ESP=00391FF4
01481ED2 Main or eax, eax ; FL=PZ
01481ED4 Main je 01571873 //again compares the top bit of pcode_data
//---------------------------------fetch pcode_data and operate on it----------------------------
//fetch pcode_data
01571873 Main push dword ptr ; ESP=00391FF0
01571876 Main jmp 0153CE0D
0153CE0D Main push ecx ; ESP=00391FEC
0153CE0E Main mov ecx, 0x67A93007 ; ECX=67A93007
0153CE13 Main add dword ptr , ecx ; FL=PS
0153CE17 Main jmp 01545F61
01545F61 Main pop ecx ; ECX=8C9391AB, ESP=00391FF0
01545F62 Main pop ecx ; ECX=F1AD1018, ESP=00391FF4
01545F63 Main mov ebx, 0x6B1D0675 ; EBX=6B1D0675
01545F68 Main inc ebx ; FL=0, EBX=6B1D0676
01545F69 Main inc ebx ; FL=P, EBX=6B1D0677
01545F6A Main jg 01559A70
01559A70 Main or ebx, 0x2D31358 ; FL=0, EBX=6BDF177F
01559A76 Main neg ebx ; FL=CPAS, EBX=9420E881
01559A78 Main jbe 0157187B
0157187B Main and ebx, 0x4DEA61E7 ; FL=P, EBX=04206081
01571881 Main jg 0147571D
0147571D Main add ebx, 0x6947E82E ; EBX=6D6848AF
01475723 Main xor ebx, 0x10BB01EE ; EBX=7DD34941
01475729 Main shr ebx, 1 ; FL=CP, EBX=3EE9A4A0
0147572B Main sub ebx, -0x1 ; FL=CA, EBX=3EE9A4A1
0147572E Main xor ebx, 0x594094A6 ; FL=0, EBX=67A93007
01475734 Main sub ecx, ebx //ecx = pcode_data ; FL=PS, ECX=8A03E011
01475736 Main xor ebx, ebp ; FL=0
01475738 Main push ebp ; ESP=00391FF0
01475739 Main jmp 015081A8
015081A8 Main mov ebp, 0x348A31C8 ; EBP=348A31C8
015081AD Main push esi ; ESP=00391FEC
015081AE Main mov esi, 0x6481383C ; ESI=6481383C
015081B3 Main jmp 014B6CD5
014B6CD5 Main xor ebp, esi ; EBP=500B09F4
014B6CD7 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B6CD8 Main or ebp, 0x6C9338A2 ; FL=P, EBP=7C9B39F6
014B6CDE Main jl 01497773
014B6CE4 Main push edx ; ESP=00391FEC
014B6CE5 Main mov edx, 0x634E2DEC ; EDX=634E2DEC
014B6CEA Main mov ebx, edx ; EBX=634E2DEC
014B6CEC Main pop edx ; EDX=00000008, ESP=00391FF0
014B6CED Main and ebx, 0x680680B ; FL=0, EBX=02002808
014B6CF3 Main dec ebx ; EBX=02002807
014B6CF4 Main dec ebx ; FL=P, EBX=02002806
014B6CF5 Main and ebx, 0x58516E62 ; FL=0, EBX=00002802
014B6CFB Main add ebx, 0xF0280B ; EBX=00F0500D
014B6D01 Main sub ebx, 0x84551704 ; FL=CP, EBX=7C9B3909
014B6D07 Main xor ebp, ebx ; FL=P, EBP=000000FF
014B6D09 Main and ecx, ebp //AND with 000000FF, taking one byte of pcode_data ; ECX=00000011
014B6D0B Main pop ebp ; ESP=00391FF4, EBP=00000000
014B6D0C Main mov ebp, ecx ; EBP=00000011
014B6D0E Main jmp 01480A1D
01480A1D Main mov edx, ebp //as above, keep a copy in edx ; EDX=00000011
01480A1F Main push edx ; ESP=00391FF0
01480A20 Main push eax ; ESP=00391FEC
01480A21 Main jmp 0151FFEC
0151FFEC Main mov eax, 0x40421CAC ; EAX=40421CAC
0151FFF1 Main add dword ptr , eax
0151FFF5 Main mov eax, dword ptr ; EAX=00000000
0151FFF8 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
0151FFFE Main pop eax ; EAX=40421CBD, ESP=00391FF4
0151FFFF Main sub eax, 0x40421CAC //copy into eax ; FL=P, EAX=00000011
01520004 Main push edx ; ESP=00391FF0
01520005 Main jmp 014DCA02
014DCA02 Main mov edx, 0x544 //544 is the offset ; EDX=00000544
014DCA07 Main push esi ; ESP=00391FEC
014DCA08 Main mov esi, 0x559A78E6 ; ESI=559A78E6
014DCA0D Main jmp 01533E5F
01533E5F Main sub edx, esi ; FL=CAS, EDX=AA658C5E
01533E61 Main mov esi, dword ptr ; ESI=00BE2A50
01533E64 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01533E6A Main add edx, edi ; FL=S, EDX=AAA28C5E
01533E6C Main push ecx ; ESP=00391FEC
01533E6D Main mov ecx, 0x559A78E6 ; ECX=559A78E6
01533E72 Main add edx, ecx //edx = VMContext.544, which is key2 ; FL=CPA, EDX=003D0544
01533E74 Main pop ecx ; ECX=00000011, ESP=00391FF0
01533E75 Main xor cl, byte ptr //same as the decode above: first pcode_data ^ key2 ; FL=0, ECX=0000001A
01533E77 Main pop edx ; EDX=00000011, ESP=00391FF4
01533E78 Main mov dl, 0x91 ; EDX=00000091
01533E7A Main jmp 014700FF
014700FF Main neg dl ; FL=CPA, EDX=0000006F
01470101 Main jbe 01470B12
01470B12 Main add dl, 0x51 ; FL=PASO, EDX=000000C0
01470B15 Main jmp 014B2924
014B2924 Main mov bh, 0x14 ; EBX=7C9B1409
014B2926 Main or bh, 0xE1 ; FL=PS, EBX=7C9BF509
014B2929 Main neg bh ; FL=CA, EBX=7C9B0B09
014B292B Main add bh, 0x14 ; FL=0, EBX=7C9B1F09
014B292E Main add dl, bh ; FL=S, EDX=000000DF
014B2930 Main sub bh, 0x8D ; FL=CSO, EBX=7C9B9209
014B2933 Main add bh, 0x15 ; FL=S, EBX=7C9BA709
014B2936 Main or dl, 0xF2 ; FL=PS, EDX=000000FF
014B2939 Main mov bh, 0x23 ; EBX=7C9B2309
014B293B Main xor bh, 0x56 ; FL=0, EBX=7C9B7509
014B293E Main xor dl, bh ; FL=S, EDX=0000008A
014B2940 Main xor bh, cl ; FL=P, EBX=7C9B6F09
014B2942 Main push ecx ; ESP=00391FF0
014B2943 Main mov ch, 0xBD ; ECX=0000BD1A
014B2945 Main neg ch ; FL=CA, ECX=0000431A
014B2947 Main sub ch, 0xF5 ; FL=CPA, ECX=00004E1A
014B294A Main xor bh, ch ; FL=P, EBX=7C9B2109
014B294C Main pop ecx ; ECX=0000001A, ESP=00391FF4
014B294D Main xor cl, dl //pcode_data ^ key2 ^ 8A ; FL=PS, ECX=00000090
014B294F Main sub dl, 0x4E ; FL=PAO, EDX=0000003C
014B2952 Main push 0x325 ; ESP=00391FF2
014B2956 Main jmp 014F7A27
014F7A27 Main mov word ptr , bx
014F7A2B Main mov dl, 0x4F ; EDX=0000004F
014F7A2D Main mov bl, 0x42 ; EBX=7C9B2142
014F7A2F Main jmp 01571892
01571892 Main xor bl, dl ; FL=0, EBX=7C9B210D
01571894 Main sub dl, 0xDC ; FL=C, EDX=00000073
01571897 Main xor dl, 0xEB ; FL=S, EDX=00000098
Merging the constants first: C7 - B2 - 0D + B2 - C7 nets out to 0D, so the result is pcode_data ^ key2 ^ 8A - 0D
0157189A Main add cl, 0xC7 ; FL=CO, ECX=00000057
0157189D Main sub cl, 0xB2 ; FL=CPSO, ECX=000000A5
015718A0 Main sub cl, bl ; FL=AS, ECX=00000098
015718A2 Main add cl, 0xB2 ; FL=CO, ECX=0000004A
015718A5 Main sub cl, 0xC7 ; FL=CSO, ECX=00000083
015718A8 Main pop bx ; EBX=7C9B2109, ESP=00391FF4
015718AA Main push ecx //push the decoded value ; ESP=00391FF0
015718AB Main jmp 014EC534
014EC534 Main push 0x544 ; ESP=00391FEC
014EC539 Main mov ecx, dword ptr ; ECX=00000544
014EC53C Main add esp, 0x4 ; FL=PA, ESP=00391FF0
014EC53F Main jmp 014C7EF3
014C7EF3 Main add ecx, edi ; FL=P, ECX=003D0544
014C7EF5 Main push edx ; ESP=00391FEC
014C7EF6 Main mov edx, 0x0 ; EDX=00000000
014C7EFB Main add edx, ecx ; EDX=003D0544
014C7EFD Main xor dword ptr , eax //key2 = key2 ^ pcode_data ; FL=0
This decode step is roughly:
A = (BYTE)pCode_data + 1 ^ key2
B = A ^ 8A
C = B - 0D    C is the decoded value
key2 = key2 ^ (BYTE)pCode_data + 1
014C7EFF Main pop edx ; EDX=00000098, ESP=00391FF0
014C7F00 Main mov ecx, dword ptr //ecx = the decoded value of pcode_data ; ECX=00000083
014C7F03 Main add esp, 0x4 ; ESP=00391FF4
014C7F06 Main test ecx, 0x80
014C7F0C Main je 0155CB02 //jumps if the top bit of ecx is not 1; here it does not jump. The meaning of this flag bit:
//if 0, the next pcode_data lies after the current pcode_data, and the offset computed at the end is added
//if 1, the next pcode_data lies before the current pcode_data, and the offset computed at the end is subtracted
014C7F12 Main push esi ; ESP=00391FF0
014C7F13 Main jmp 01525056
01525056 Main push ecx ; ESP=00391FEC
01525057 Main mov edx, -0x81 ; EDX=FFFFFF7F
0152505C Main mov ecx, edx ; ECX=FFFFFF7F
0152505E Main jmp 014B931C
014B931C Main mov esi, ecx ; ESI=FFFFFF7F
014B931E Main pop ecx ; ECX=00000083, ESP=00391FF0
014B931F Main and ecx, esi //cl & 7F, i.e. strip the top bit ; FL=P, ECX=00000003
014B9321 Main push dword ptr ; ESP=00391FEC
014B9324 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B9325 Main add esp, 0x4 ; FL=0, ESP=00391FF4
014B9328 Main imul ecx, ecx, 0xF //this is the final pcode_data offset: address of the next pcode_data = address of this pcode_data + (or -) the ecx computed here ; ECX=0000002D
014B932B Main jmp 014732D6
014732D6 Main sub dword ptr , ecx //current pcode_data address - offset, now points at the next pcode_data ; FL=A
014732DC Main jmp 0152BD8B
0152BD8B Main jmp 014D1FBB
014D1FBB Main pushfd ; ESP=00391FF0
014D1FBC Main jmp 0148B6F2
0148B6F2 Main sub esp, 0x4 ; ESP=00391FEC
0148B6F8 Main jmp 015385A0
015385A0 Main mov dword ptr , eax
015385A3 Main push 0x3E5C243E ; ESP=00391FE8
015385A8 Main pop ebx ; EBX=3E5C243E, ESP=00391FEC
015385A9 Main jmp 0156480B
0156480B Main inc ebx ; FL=P, EBX=3E5C243F
0156480C Main jle 0155CBCF
01564812 Main shr ebx, 0x5 ; FL=CP, EBX=01F2E121
01564815 Main jnz 01503EE9
01503EE9 Main or ebx, 0x17D6437F ; FL=0, EBX=17F6E37F
01503EEF Main ja 015718B0
015718B0 Main mov ebp, 0x534E7778 ; EBP=534E7778
015718B5 Main sub ebp, 0x6B455AF8 ; FL=CS, EBP=E8091C80
015718BB Main add ebx, ebp ; FL=PS, EBX=FFFFFFFF
015718BD Main mov eax, ebx ; EAX=FFFFFFFF
015718BF Main xor ebx, 0xAF75C3A ; EBX=F508A3C5
015718C5 Main sub ebx, 0x794B7CA5 ; FL=O, EBX=7BBD2720
015718CB Main xor ebx, ebp ; FL=PS, EBX=93B43BA0
015718CD Main add ecx, eax ; FL=CA, ECX=0000002C
015718CF Main pop eax ; EAX=00000011, ESP=00391FF0
015718D0 Main popfd ; FL=A, ESP=00391FF4
015718D1 Main jmp 014AE750
//---------------------------------fetch pcode_data and operate on it----------------------------
//fetch pcode_data here
014AE750 Main push dword ptr ; ESP=00391FF0
014AE753 Main jmp 01466496
01466496 Main push dword ptr ; ESP=00391FEC
01466499 Main mov eax, dword ptr //eax = pcode_data ; EAX=000B81C1
0146649C Main push ecx ; ESP=00391FE8
0146649D Main jmp 0147C674
0147C674 Main mov ecx, esp ; ECX=00391FE8
0147C676 Main add ecx, 0x4 ; FL=0, ECX=00391FEC
0147C67C Main add ecx, 0x4 ; FL=PA, ECX=00391FF0
0147C682 Main xchg dword ptr , ecx ; ECX=0000002C
0147C685 Main pop esp ; ESP=00391FF0
0147C686 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0147C68C Main mov ecx, 0x576C6244 ; ECX=576C6244
0147C691 Main jmp 0150D9A4
0150D9A4 Main add ecx, 0x23C90025 ; FL=P, ECX=7B356269
0150D9AA Main ja 01480AE3
01480AE3 Main and ecx, 0x7E023A4D ; FL=0, ECX=7A002249
01480AE9 Main jmp 01478839
01478839 Main je 01507096
0147883F Main xor ecx, 0x55E24870 ; FL=P, ECX=2FE26A39
01478845 Main xor ecx, 0x626B33A1 ; FL=0, ECX=4D895998
0147884B Main shl ecx, 0x8 ; FL=CPS, ECX=89599800
0147884E Main mov edx, 0x558824B6 ; EDX=558824B6
01478853 Main push eax ; ESP=00391FF0
01478854 Main mov eax, 0x52DC50AB ; EAX=52DC50AB
01478859 Main and edx, eax ; FL=0, EDX=508800A2
0147885B Main pop eax ; EAX=000B81C1, ESP=00391FF4
0147885C Main or edx, 0x2D621ECE ; FL=P, EDX=7DEA1EEE
01478862 Main neg edx ; FL=CPAS, EDX=8215E112
01478864 Main shl edx, 0x6 ; FL=AS, EDX=85784480
01478867 Main push eax ; ESP=00391FF0
01478868 Main mov eax, 0xD531610 ; EAX=0D531610
0147886D Main sub edx, eax ; FL=O, EDX=78252E70
0147886F Main pop eax ; EAX=000B81C1, ESP=00391FF4
01478870 Main sub edx, 0x43190215 ; FL=A, EDX=350C2C5B
01478876 Main sub ecx, edx ; FL=PAO, ECX=544D6BA5
01478878 Main sub edx, 0x367E7C8B ; FL=CS, EDX=FE8DAFD0
0147887E Main xor edx, 0x341B7A94 ; FL=PS, EDX=CA96D544
01478884 Main and ecx, 0x5C436DDF ; FL=0, ECX=54416985
0147888A Main xor ecx, 0x5441697A ; FL=P, ECX=000000FF
01478890 Main and eax, ecx //eax & FF; again takes a BYTE of pcode_data, not a DWORD ; FL=0, EAX=000000C1
01478892 Main add ecx, 0x28F04712 ; FL=PA, ECX=28F04811
01478898 Main xor ecx, ebp ; FL=S, ECX=C0F95491
0147889A Main jmp 01492527
01492527 Main push 0x277B ; ESP=00391FF0
0149252C Main jmp 0156A082
0156A082 Main mov dword ptr , ecx
0156A085 Main push 0x0 ; ESP=00391FEC
0156A08A Main pop ecx ; ECX=00000000, ESP=00391FF0
0156A08B Main jmp 01474D3A
01474D3A Main add ecx, esi //ecx = address of pcode_data ; FL=P, ECX=00BE2A50
01474D3C Main push dword ptr ; ESP=00391FEC
01474D3E Main add dword ptr , 0x48361D44
01474D45 Main pop ebx ; EBX=4C162E56, ESP=00391FF0
01474D46 Main sub ebx, 0x48361D44 //bl = pcode_data ; EBX=03E01112
01474D4C Main mov ecx, dword ptr ; ECX=C0F95491
01474D4F Main add esp, 0x4 ; FL=0, ESP=00391FF4
01474D55 Main mov ecx, 0x404B68E8 ; ECX=404B68E8
01474D5A Main jmp 0149D4BB
0149D4BB Main push 0x0 ; ESP=00391FF0
0149D4C0 Main sub dword ptr , ecx ; FL=CPAS
0149D4C3 Main mov ecx, dword ptr ; ECX=BFB49718
0149D4C6 Main jmp 01532D14
01532D14 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01532D17 Main add ecx, 0x404B6968 ; FL=CA, ECX=00000080
01532D1D Main and ebx, ecx //bl = pcode_data & 80 ; FL=PZ, EBX=00000000
01532D1F Main xor ecx, edi ; FL=0, ECX=003D0080
01532D21 Main mov edx, 0x1FA3457B ; EDX=1FA3457B
01532D26 Main xor edx, 0x5FDF5EA6 ; FL=P, EDX=407C1BDD
01532D2C Main push ebx ; ESP=00391FF0
01532D2D Main mov ebx, 0x246565CA ; EBX=246565CA
01532D32 Main xor edx, ebx ; EDX=64197E17
01532D34 Main pop ebx ; EBX=00000000, ESP=00391FF4
01532D35 Main add edx, 0xB27BD839 ; FL=CPA, EDX=16955650
01532D3B Main xor ecx, edx ; FL=0, ECX=16A856D0
01532D3D Main xor edx, ebx ; FL=P
01532D3F Main or ebx, ebx //again tests the top bit of pcode_data; if it is 1, key3 is cleared ; FL=PZ
01532D41 Main je 01520D20
01520D20 Main push eax ; ESP=00391FF0
01520D21 Main jmp 014D7BE7
014D7BE7 Main mov eax, esp ; EAX=00391FF0
014D7BE9 Main add eax, 0x4 ; FL=0, EAX=00391FF4
014D7BEE Main sub eax, 0x4 ; FL=P, EAX=00391FF0
014D7BF1 Main jmp 01540610
01540610 Main xchg dword ptr , eax ; EAX=000000C1
01540613 Main pop esp
01540614 Main mov dword ptr , eax
01540617 Main push dword ptr ; ESP=00391FEC
0154061A Main pop ebx //bl = pcode_data ; EBX=000000C1, ESP=00391FF0
0154061B Main add esp, 0x4 ; FL=0, ESP=00391FF4
01540621 Main push ebx ; ESP=00391FF0
01540622 Main jmp 0148CE2C
0148CE2C Main mov ebp, 0x434 ; EBP=00000434
0148CE31 Main mov ebx, ebp ; EBX=00000434
0148CE33 Main add ebx, edi //ebx = address of key3 ; EBX=003D0434
0148CE35 Main jmp 014AFA5C
014AFA5C Main push ecx ; ESP=00391FEC
014AFA5D Main mov ecx, 0x0 ; ECX=00000000
014AFA62 Main sub ecx, 0x6438662E ; FL=CPAS, ECX=9BC799D2
014AFA68 Main add ecx, ebx ; FL=PS, ECX=9C049E06
014AFA6A Main push edi ; ESP=00391FE8
014AFA6B Main mov edi, 0x6438662E ; EDI=6438662E
014AFA70 Main add ecx, edi //ecx = address of key3 ; FL=CA, ECX=003D0434
014AFA72 Main pop edi ; ESP=00391FEC, EDI=003D0000
014AFA73 Main xor eax, dword ptr //pcode_data ^ key3 ; FL=P, EAX=000000D8
014AFA75 Main pop ecx ; ECX=16A856D0, ESP=00391FF0
014AFA76 Main pop ebx ; EBX=000000C1, ESP=00391FF4
014AFA77 Main mov ecx, 0x3FDB1679 ; ECX=3FDB1679
014AFA7C Main jmp 014C1C72
014C1C72 Main shr ecx, 0x4 ; FL=C, ECX=03FDB167
014C1C75 Main xor ecx, 0x106878EE ; FL=0, ECX=1395C989
014C1C7B Main je 014BC52F
014C1C81 Main jmp 015718D6
015718D6 Main sub ecx, 0x1 ; FL=P, ECX=1395C988
015718D9 Main push ecx ; ESP=00391FF0
015718DA Main not dword ptr
015718DD Main pop ecx ; ECX=EC6A3677, ESP=00391FF4
015718DE Main sub ecx, 0xDA7307C0 ; ECX=11F72EB7
015718E4 Main inc ecx ; ECX=11F72EB8
015718E5 Main push eax ; ESP=00391FF0
015718E6 Main mov eax, 0x11F72E55 ; EAX=11F72E55
015718EB Main sub ecx, eax ; ECX=00000063
015718ED Main pop eax ; EAX=000000D8, ESP=00391FF4
015718EE Main xor eax, ecx //pcode_data ^ key3 ^ 63 ; EAX=000000BB
015718F0 Main push ecx ; ESP=00391FF0
015718F1 Main jmp 01461815
01461815 Main mov ecx, esp ; ECX=00391FF0
01461817 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0146181D Main sub ecx, 0x4 ; FL=P, ECX=00391FF0
01461820 Main jmp 01509520
01509520 Main xchg dword ptr , ecx ; ECX=00000063
01509523 Main mov esp, dword ptr
01509526 Main mov dword ptr , edx
01509529 Main mov edx, 0xB9 ; EDX=000000B9
0150952E Main add eax, 0x6DDA4D04 ; FL=0, EAX=6DDA4DBF
01509533 Main sub eax, edx //pcode_data ^ key3 ^ 63 - B9; the value decoded here is opcode2, the 2nd byte used to resolve the next handler address ; FL=P, EAX=6DDA4D06
01509535 Main sub eax, 0x6DDA4D04 ; FL=0, EAX=00000002
0150953A Main pop edx ; EDX=16955650, ESP=00391FF4
0150953B Main mov ecx, 0x33E50975 ; ECX=33E50975
01509540 Main jmp 014F692E
014F692E Main not ecx ; ECX=CC1AF68A
014F6930 Main shl ecx, 1 ; FL=CPS, ECX=9835ED14
014F6932 Main push ebx ; ESP=00391FF0
014F6933 Main jmp 014A96F7
014A96F7 Main mov ebx, 0x71505DB1 ; EBX=71505DB1
014A96FC Main or ecx, ebx ; FL=S, ECX=F975FDB5
014A96FE Main pop ebx ; EBX=000000C1, ESP=00391FF4
014A96FF Main mov edx, 0x39B004B3 ; EDX=39B004B3
014A9704 Main mov ebp, edx ; EBP=39B004B3
014A9706 Main shr ebp, 0x7 ; FL=P, EBP=00736009
014A9709 Main dec ebp ; FL=0, EBP=00736008
014A970A Main shr ebp, 0x4 ; FL=CP, EBP=00073600
014A970D Main push ebx ; ESP=00391FF0
014A970E Main mov ebx, 0xF48BEA04 ; EBX=F48BEA04
014A9713 Main sub ebp, ebx ; FL=CPA, EBP=0B7B4BFC
014A9715 Main pop ebx ; EBX=000000C1, ESP=00391FF4
014A9716 Main sub ecx, ebp ; FL=AS, ECX=EDFAB1B9
014A9718 Main xor ebp, ebp ; FL=PZ, EBP=00000000
014A971A Main add ecx, 0x12054F46 ; FL=CP, ECX=000000FF
014A9720 Main and ebx, ecx ; FL=0
014A9722 Main push ecx ; ESP=00391FF0
014A9723 Main jmp 01475C12
01475C12 Main push 0x17734891 ; ESP=00391FEC
01475C17 Main pop edx ; EDX=17734891, ESP=00391FF0
01475C18 Main shl edx, 0x5 ; FL=S, EDX=EE691220
01475C1B Main jmp 0156025A
0156025A Main xor edx, 0x4CA27827 ; EDX=A2CB6A07
01560260 Main sub edx, 0xA2CB65D3 ; FL=0, EDX=00000434
01560266 Main mov ecx, edx ; ECX=00000434
01560268 Main sub edx, 0x52CE3CC4 ; FL=CS, EDX=AD31C770
0156026E Main add edx, esi ; FL=PS, EDX=ADEFF1C0
01560270 Main sub ecx, 0x4E380BBB ; FL=CAS, ECX=B1C7F879
01560276 Main add ecx, edi ; FL=S, ECX=B204F879
01560278 Main push ecx ; ESP=00391FEC
01560279 Main push 0x1DEE2941 ; ESP=00391FE8
0156027E Main pop ecx ; ECX=1DEE2941, ESP=00391FEC
0156027F Main inc ecx ; FL=P, ECX=1DEE2942
01560280 Main jo 0153C21E
01560286 Main add ecx, 0x2C741736 ; ECX=4A624078
0156028C Main mov ebp, ecx ; EBP=4A624078
0156028E Main pop ecx ; ECX=B204F879, ESP=00391FF0
0156028F Main sub ebp, 0x2B9E1033 ; FL=0, EBP=1EC43045
01560295 Main neg ebp ; FL=CPAS, EBP=E13BCFBB
01560297 Main not ebp ; EBP=1EC43044
01560299 Main add ebp, 0x2F73DB77 ; FL=P, EBP=4E380BBB
0156029F Main add ecx, ebp ; FL=CA, ECX=003D0434
015602A1 Main xor dword ptr , ebx //key3 = key3 ^ pcode_data ; FL=P
015602A3 Main pop ecx ; ECX=000000FF, ESP=00391FF4
015602A4 Main push 0x7175 ; ESP=00391FF0
015602A9 Main jmp 0155EE48
0155EE48 Main mov dword ptr , ebp
0155EE4B Main mov ebp, 0xFF ; EBP=000000FF
0155EE50 Main and eax, ebp //opcode2 ; FL=0
0155EE52 Main jmp 0147F9EC
0147F9EC Main mov ebp, dword ptr ; EBP=4E380BBB
0147F9EF Main push ebx ; ESP=00391FEC
0147F9F0 Main push esp ; ESP=00391FE8
0147F9F1 Main pop ebx ; EBX=00391FEC, ESP=00391FEC
0147F9F2 Main add ebx, 0x4 ; FL=PA, EBX=00391FF0
0147F9F8 Main add ebx, 0x4 ; FL=0, EBX=00391FF4
0147F9FB Main xchg dword ptr , ebx ; EBX=000000C1
0147F9FE Main pop esp ; ESP=00391FF4
0147F9FF Main push ebx ; ESP=00391FF0
0147FA00 Main jmp 014ABB08
014ABB08 Main mov ebx, 0x62C ; EBX=0000062C
014ABB0D Main add ebx, 0x1B6F1239 ; FL=PA, EBX=1B6F1865
014ABB13 Main add ebx, edi ; FL=P, EBX=1BAC1865
014ABB15 Main jmp 0149E952
0149E952 Main sub ebx, 0x1B6F1239 //ebx = VMContext.62C; this address holds opcode2, which is used to compute the next handler address ; FL=A, EBX=003D062C
0149E958 Main sub esp, 0x4 ; ESP=00391FEC
0149E95E Main mov dword ptr , eax
0149E961 Main pop dword ptr //together with the previous instruction this amounts to a mov from eax into the dword at ebx: eax is the opcode2 value, ebx is VMContext.62C ; ESP=00391FF0
This decode step is:
A = (BYTE)pCode_data + 6 ^ key3
B = A ^ 63
C = B - B9    C is the decoded value
key3 = key3 ^ (BYTE)pCode_data + 6
0149E963 Main mov ebx, dword ptr ; EBX=000000C1
0149E966 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0149E96C Main sub esp, 0x4 ; FL=P, ESP=00391FF0
0149E972 Main jmp 0152C0B5
0152C0B5 Main mov dword ptr , esi
0152C0B8 Main push 0x8A4 ; ESP=00391FEC
0152C0BD Main mov dword ptr , ebp
0152C0C0 Main jmp 0153BF0C
0153BF0C Main push 0x44165698 ; ESP=00391FE8
0153BF11 Main pop ebp ; ESP=00391FEC, EBP=44165698
0153BF12 Main and ebp, 0x5A0B2649 ; FL=0, EBP=40020608
0153BF18 Main xor ebp, 0x5C50505 ; EBP=45C7030D
0153BF1E Main mov esi, ebp ; ESI=45C7030D
0153BF20 Main pop ebp ; ESP=00391FF0, EBP=4E380BBB
0153BF21 Main and esi, 0x2F221151 ; ESI=05020101
0153BF27 Main jl 0159FA11
0153BF2D Main dec esi ; FL=P, ESI=05020100
0153BF2E Main jns 014A7D2D
014A7D2D Main add esi, 0x30923F57 ; FL=0, ESI=35944057
014A7D33 Main jnz 0154A196
0154A196 Main xor esi, 0x35944053 ; ESI=00000004
0154A19C Main mov dword ptr , esi //VMContext.3AC is a flag; the meaning of its bits, taken from one of SM's tables:
b7    ?
b6    FS: whether the fs segment is used when addressing memory
b5    EFlag: whether VM_Context.Eflag is operated on (e.g. emulating popf)
b4    ?: operate on VM_Context.esp?
b3    Stack: the operand comes from the VM stack (pushed by a previously executed handler)
b2~b1 OperandSize: 0 -> 8-bit, 1 -> 16-bit, 2 -> 32-bit
b0    ByRef: whether the data is interpreted as an address (rather than an immediate value)
Here the flag is preset to 4, meaning this is a 32-bit instruction.
0154A1A2 Main pop esi ; ESP=00391FF4, ESI=00BE2A50
0154A1A3 Main push eax ; ESP=00391FF0
0154A1A4 Main jmp 0153C703
0153C703 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
0153C709 Main mov dword ptr , edx
//---------------------------------fetch pcode_data and operate on it----------------------------
//compute the constant 7
0153C70C Main push 0x7CF174E8 ; ESP=00391FE8
0153C711 Main jmp 015718F6
015718F6 Main pop edx ; EDX=7CF174E8, ESP=00391FEC
015718F7 Main add edx, 0x76BB5C01 ; FL=SO, EDX=F3ACD0E9
015718FD Main sub edx, 0xF3ACD0E2 ; FL=0, EDX=00000007
01571903 Main push edx ; ESP=00391FE8
01571904 Main pop eax ; EAX=00000007, ESP=00391FEC
01571905 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
01571906 Main add eax, esi //address of pcode_data ; EAX=00BE2A57
01571908 Main push ecx ; ESP=00391FEC
01571909 Main mov ecx, 0x0 ; ECX=00000000
0157190E Main add ecx, eax ; ECX=00BE2A57
01571910 Main mov bl, byte ptr //bl = pcode_data ; EBX=00000081
01571912 Main pop ecx ; ECX=000000FF, ESP=00391FF0
01571913 Main pop eax ; EAX=00000002, ESP=00391FF4
01571914 Main push edx ; ESP=00391FF0
01571915 Main jmp 014FCE78
014FCE78 Main mov edx, 0x490 ; EDX=00000490
014FCE7D Main add edx, edi //edx = VMContext.490 = key1 ; FL=P, EDX=003D0490
014FCE7F Main xor bl, byte ptr //bl = pcode_data ^ key1 ; FL=0, EBX=00000061
014FCE81 Main jmp 0146FF64
0146FF64 Main push dword ptr ; ESP=00391FEC
0146FF67 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
0146FF68 Main push ecx ; ESP=00391FEC
0146FF69 Main mov ecx, esp ; ECX=00391FEC
0146FF6B Main add ecx, 0x4 ; FL=PA, ECX=00391FF0
0146FF71 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0146FF74 Main xchg dword ptr , ecx ; ECX=000000FF
0146FF77 Main mov esp, dword ptr ; ESP=00391FF4
0146FF7A Main push ecx ; ESP=00391FF0
0146FF7B Main jmp 014C680A
014C680A Main push ebx ; ESP=00391FEC
014C680B Main push edx ; ESP=00391FE8
014C680C Main mov dh, 0x5D ; EDX=ADEF5DC0
014C680E Main jmp 0153BA15
0153BA15 Main mov bh, 0x81 ; EBX=00008161
0153BA17 Main add bh, dh ; FL=PS, EBX=0000DE61
0153BA19 Main pop edx ; EDX=ADEFF1C0, ESP=00391FEC
0153BA1A Main inc bh ; FL=S, EBX=0000DF61
0153BA1C Main dec bh ; FL=PS, EBX=0000DE61
0153BA1E Main not bh ; EBX=00002161
0153BA20 Main sub bh, 0x3D ; FL=CPAS, EBX=0000E461
0153BA23 Main add bh, 0x5C ; FL=CA, EBX=00004061
0153BA26 Main mov cl, bh ; ECX=00000040
0153BA28 Main pop ebx ; EBX=00000061, ESP=00391FF0
0153BA29 Main inc cl ; FL=CP, ECX=00000041
0153BA2B Main shr cl, 0x8 ; FL=PZ, ECX=00000000
0153BA2E Main push edx ; ESP=00391FEC
0153BA2F Main push eax ; ESP=00391FE8
0153BA30 Main mov ah, 0x6D ; EAX=00006D02
0153BA32 Main and ah, 0x7E ; FL=P, EAX=00006C02
0153BA35 Main jl 01545D01
0153BA3B Main xor ah, 0x1B ; EAX=00007702
0153BA3E Main mov dh, ah ; EDX=ADEF77C0
0153BA40 Main pop eax ; EAX=00000002, ESP=00391FEC
0153BA41 Main inc dh ; EDX=ADEF78C0
0153BA43 Main sub dh, 0xBA ; FL=CPASO, EDX=ADEFBEC0
0153BA46 Main sub cl, dh ; FL=CPA, ECX=00000042
0153BA48 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
0153BA49 Main add bl, cl //bl = pcode_data ^ key1 + 42 ; FL=PSO, EBX=000000A3
0153BA4B Main jmp 0157191A
0157191A Main pop ecx ; ECX=000000FF, ESP=00391FF4
0157191B Main jmp 01534031
01534031 Main push edx ; ESP=00391FF0
01534032 Main jmp 014CE1D0
014CE1D0 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
014CE1D6 Main mov dword ptr , eax
014CE1D9 Main mov eax, 0x7E83699E ; EAX=7E83699E
014CE1DE Main jmp 0148BE5C
0148BE5C Main dec eax ; FL=0, EAX=7E83699D
0148BE5D Main jpo 01513BFE
01513BFE Main neg eax ; FL=CPAS, EAX=817C9663
01513C00 Main je 014AD8F0
01513C06 Main add eax, 0x413A29B4 ; FL=PS, EAX=C2B6C017
01513C0B Main xor eax, 0xC2B6C487 ; FL=P, EAX=00000490
01513C10 Main mov edx, eax ; EDX=00000490
01513C12 Main pop eax ; EAX=00000002, ESP=00391FF0
01513C13 Main add edx, 0x27C828C0 ; EDX=27C82D50
01513C19 Main sub edx, 0x2EA97FF1 ; FL=CPAS, EDX=F91EAD5F
01513C1F Main add edx, edi ; FL=PS, EDX=F95BAD5F
01513C21 Main add edx, 0x2EA97FF1 ; FL=CPA, EDX=28052D50
01513C27 Main sub edx, 0x27C828C0 ; FL=P, EDX=003D0490
01513C2D Main add bl, byte ptr //bl = pcode_data ^ key1 + 42 + key1; we will call this value pcode_detail1 for now ; FL=CS, EBX=00000083
//its job is to transform the old operand we decoded above according to some rule (selected by pcode_detail)
//the transformed new operand is the final operand. Here this value is 83
01513C2F Main pop edx ; EDX=ADEFF1C0, ESP=00391FF4
01513C30 Main sub esp, 0x4 ; FL=P, ESP=00391FF0
01513C33 Main jmp 01523423
01523423 Main mov dword ptr , edx
01523426 Main mov dh, bl //copy into dh ; EDX=ADEF83C0
01523428 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
0152342E Main jmp 0148C79A
0148C79A Main mov dword ptr , eax
0148C79D Main push ebx ; ESP=00391FE8
0148C79E Main mov bh, dh ; EBX=00008383
0148C7A0 Main mov ah, bh ; EAX=00008302
0148C7A2 Main pop ebx ; EBX=00000083, ESP=00391FEC
0148C7A3 Main mov cl, ah //copy into cl ; ECX=00000083
0148C7A5 Main pop eax ; EAX=00000002, ESP=00391FF0
0148C7A6 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF4
0148C7A7 Main and cl, 0x80 //take the top bit of pcode_detail1 ; FL=S, ECX=00000080
0148C7AA Main pushfd ; ESP=00391FF0
0148C7AB Main jmp 014EA53B
014EA53B Main push eax ; ESP=00391FEC
014EA53C Main jmp 014C2845
014C2845 Main mov al, 0xEC ; EAX=000000EC
014C2847 Main add al, 0xBB ; FL=CAS, EAX=000000A7
014C2849 Main add al, 0x6F ; FL=CA, EAX=00000016
014C284B Main jmp 01482CE9
01482CE9 Main sub al, 0xC0 ; FL=CP, EAX=00000056
01482CEB Main push ecx ; ESP=00391FE8
01482CEC Main push eax ; ESP=00391FE4
01482CED Main mov al, 0x5C ; EAX=0000005C
01482CEF Main push eax ; ESP=00391FE0
01482CF0 Main mov ah, 0xE7 ; EAX=0000E75C
01482CF2 Main sub ah, 0x15 ; FL=PS, EAX=0000D25C
01482CF5 Main jo 01471D39
01482CFB Main shr ah, 0x5 ; FL=CP, EAX=0000065C
01482CFE Main jns 0153A533
0153A533 Main dec ah ; EAX=0000055C
0153A535 Main js 01507551
0153A53B Main and ah, 0xE2 ; FL=PZ, EAX=0000005C
0153A53E Main jpo 014A3C76
0153A544 Main sub ah, 0x60 ; FL=CPS, EAX=0000A05C
0153A547 Main add ah, 0xB0 ; FL=CPO, EAX=0000505C
0153A54A Main mov cl, ah ; ECX=00000050
0153A54C Main pop eax ; EAX=0000005C, ESP=00391FE4
0153A54D Main sub cl, al ; FL=CAS, ECX=000000F4
0153A54F Main pop eax ; EAX=00000056, ESP=00391FE8
0153A550 Main or cl, 0x97 ; FL=S, ECX=000000F7
0153A553 Main neg cl ; FL=CPA, ECX=00000009
0153A555 Main inc cl ; FL=CP, ECX=0000000A
0153A557 Main push edx ; ESP=00391FE4
0153A558 Main mov dh, 0x6D ; EDX=ADEF6DC0
0153A55A Main jmp 01459FFB
01459FFB Main shl dh, 0x7 ; FL=S, EDX=ADEF80C0
01459FFE Main jmp 014F6BE3
014F6BE3 Main sub dh, 0xCC ; FL=CPAS, EDX=ADEFB4C0
014F6BE6 Main jmp 01546FE1
01546FE1 Main add dh, 0x7F ; FL=CPA, EDX=ADEF33C0
01546FE4 Main sub cl, dh ; FL=CPS, ECX=000000D7
01546FE6 Main pop edx ; EDX=ADEFF1C0, ESP=00391FE8
01546FE7 Main sub al, cl ; FL=CA, EAX=0000007F
01546FE9 Main pop ecx ; ECX=00000080, ESP=00391FEC
01546FEA Main and bl, al ; FL=P, EBX=00000003
01546FEC Main pop eax ; EAX=00000002, ESP=00391FF0
01546FED Main popfd ; FL=S, ESP=00391FF4
01546FEE Main jmp 01561DE4
01561DE4 Main push esi ; ESP=00391FF0
01561DE5 Main jmp 014F6DB3
014F6DB3 Main push esp ; ESP=00391FEC
014F6DB4 Main mov esi, dword ptr ; ESI=00391FF0
014F6DB7 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
014F6DBA Main jmp 01455FB8
01455FB8 Main add esi, 0x4 ; FL=0, ESI=00391FF4
01455FBE Main sub esi, 0x4 ; FL=P, ESI=00391FF0
01455FC1 Main xor esi, dword ptr ; ESI=008735A0
01455FC4 Main xor dword ptr , esi
01455FC7 Main xor esi, dword ptr ; ESI=00BE2A50
01455FCA Main pop esp
01455FCB Main mov dword ptr , ebx
//---------------------------------Fetch pcode_data and operate on it----------------------------
//pcode_data is fetched here
01455FCE Main mov bl, byte ptr ; EBX=000000B9
01455FD1 Main xor bl, byte ptr //bl = pcode_data ^ key1 ; EBX=00000059
01455FD7 Main add bl, 0xC7 //bl = (pcode_data ^ key1) + C7 ; FL=CA, EBX=00000020
01455FDA Main add bl, byte ptr //bl = (pcode_data ^ key1) + C7 + key1; this byte is pcode_detail2, which only sets a few flags and is normally not needed ; FL=CPZ, EBX=00000000
01455FE0 Main test bl, 0x80 ; FL=PZ
01455FE3 Main je 01456002 //taken
01456002 Main cmp bl, 0x30 ; FL=CS
01456005 Main jnz 0154B28A //taken
0154B28A Main cmp bl, 0x50
0154B28D Main jnz 0154B29D //taken
0154B29D Main pop ebx //bl = low 7 bits of pcode_detail1 ; EBX=00000003, ESP=00391FF4
//From here on is the big switch over those 7 bits: each branch transforms the old operand differently, but all with the same goal, producing the new operand that is finally needed. Our value here is 3.
0154B29E Main or bl, bl ; FL=P
0154B2A0 Main jnz 014FDD99
014FDD99 Main cmp bl, 0x1 ; FL=0
014FDD9C Main jnz 014AC661
014AC661 Main cmp bl, 0x2
014AC664 Main je 014AC673
014AC66A Main cmp bl, 0x3 ; FL=PZ
014AC66D Main jnz 0146BBA2
//Here begins the transformation for branch 3; let's look at it in detail
014AC673 Main or dword ptr , 0x1 //set the lowest bit of VMContext.3AC, i.e. the flag word: b0 = ByRef, whether the data is interpreted as an address (rather than an immediate) ; FL=P
014AC67A Main and dword ptr , -0xD //-D = F3, clear b2 and b3 ; FL=0
014AC681 Main or dword ptr , 0x4 //set b2 ; FL=P
014AC688 Main or cl, cl //remember this value? cl is the top bit of pcode_detail1 ; FL=S
014AC68A Main je 01486C0B //the bit is 1 here, so the jump is not taken
The meaning of that bit is as follows (quoted from SM's document):
When this bit is 1 it has a special meaning: OldArgument then denotes an address expressed as an offset.
1. If F0000080h <= OldArgument <= F000008Ah, the result of subtracting F0000080h (0-A) is an offset from VM_Context.segCS, i.e. OldArgument denotes the address of one of the segment registers inside VM_Context.
2. If F0000000h <= OldArgument <= F0000070h, the result of subtracting F0000000h (0-70) is an offset into the closed ring of general registers inside VM_Context. The next few lines of code adjust it by the current rotation byte so that it points at the right address.
3. If OldArgument falls in neither range, 80000000h is subtracted from it; the result is an offset into the pcode data of the VM-protected code, i.e. it points at some pcode data.
014AC690 Main mov ebx, dword ptr //ebx = the old operand pushed onto the stack long ago; here it is F0000000, so case 2 applies: an offset into the closed ring of general registers inside VM_Context ; EBX=F0000000
00000000 Context_reg struc ; (sizeof=0x6C)
00000000 VM_EAX dd ? //F0000000 - F0000000 = 0, so this is eax
00000004 ?1 dd ?
00000008 VM_EBX dd ?
0000000C ?2 dd ?
00000010 VM_ECX dd ?
00000014 ?3 dd ?
00000018 VM_EDX dd ?
0000001C ?4 dd ?
00000020 VM_ESI dd ?
00000024 ?5 dd ?
00000028 VM_EDI dd ?
0000002C ?6 dd ?
00000030 VM_EBP dd ?
00000034 ?7 dd ?
00000038 VM_ESP dd ?
//Let's look at exactly how the value is fetched
014AC693 Main cmp ebx, 0xF0000080 ; FL=CS
014AC699 Main jb 014E72C8
014E72C8 Main cmp ebx, 0xF0000000 ; FL=PZ
014E72CE Main jb 01486BFA
014E72D4 Main cmp ebx, 0xF0000070 ; FL=CPS
014E72DA Main ja 01486BFA
014E72E0 Main mov ecx, dword ptr //VM_Context.400: the rotation offset, in bytes, of VM_Context.eax and the other registers ; ECX=F0000040
014E72E6 Main sub ecx, 0xF0000000 //ecx = 40, i.e. the ring has rotated by 40 bytes ; FL=0, ECX=00000040
014E72EC Main sub ebx, 0xF0000000 //ebx - F0000000 = offset of the register to fetch; the offset corresponds to Context_reg above ; FL=PZ, EBX=00000000
014E72F2 Main add ebx, dword ptr //VM_Context.380: HEAD address of the register ring; ebx is now the address the register would have with no rotation ; FL=P, EBX=003D0074
014E72F8 Main add ebx, ecx //ebx = address of the register after rotation ; EBX=003D00B4
014E72FA Main mov ecx, 0x70 //length of the ring, 0x70 ; ECX=00000070
014E72FF Main add ecx, dword ptr //ecx = end address of the ring ; ECX=003D00E4
014E7305 Main cmp ebx, ecx //check whether the computed address runs past the top of the ring; if it does, 70 has to be subtracted; here it does not ; FL=CS
014E7307 Main jb 01486C08
01486C08 Main mov dword ptr , ebx //this ebx is the address of VMContext_eax
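As an added example (not code from faint88's post), the three-way classification quoted from SM's document and the ring arithmetic of the lines above, written as a small script that can be checked against the trace values. ring_head stands for VM_Context.380 and rotate_field for the raw VM_Context.400 value (F0000000h + rotation bytes), as in the trace; the wrap rule follows the cmp ebx, ecx / jb pair, so an address equal to HEAD+0x70 wraps. Treating a rotation of 0x70 or more as an error is my own guard, not something the post states.

```python
"""Classify a VM operand (OldArgument) and resolve register-ring slots.

Added example, not code from the post. It mirrors the three cases quoted from
SM's document and the address arithmetic of the trace above.
"""

SEG_BASE = 0xF0000080    # F0000080h..F000008Ah: segment-register slots from VM_Context.segCS
SEG_LAST = 0xF000008A
GPR_BASE = 0xF0000000    # F0000000h..F0000070h: offset into the general-register ring
GPR_LAST = 0xF0000070
PCODE_BASE = 0x80000000  # anything else: offset into the pcode data
RING_SIZE = 0x70         # "mov ecx, 0x70" in the trace

# Slot names from the Context_reg struct in the post (the odd 4-byte slots are unnamed there).
RING_SLOTS = {0x00: "VM_EAX", 0x08: "VM_EBX", 0x10: "VM_ECX", 0x18: "VM_EDX",
              0x20: "VM_ESI", 0x28: "VM_EDI", 0x30: "VM_EBP", 0x38: "VM_ESP"}


def classify(old_arg):
    """Return (kind, offset) according to the three cases in SM's document."""
    old_arg &= 0xFFFFFFFF
    if SEG_BASE <= old_arg <= SEG_LAST:
        return "segment", old_arg - SEG_BASE
    if GPR_BASE <= old_arg <= GPR_LAST:
        return "register", old_arg - GPR_BASE
    return "pcode", (old_arg - PCODE_BASE) & 0xFFFFFFFF


def resolve_register_slot(old_arg, ring_head, rotate_field):
    """Address of the ring slot that OldArgument names, after rotation.

    ring_head    -- VM_Context.380, HEAD address of the register ring
    rotate_field -- VM_Context.400, stored as F0000000h + rotation bytes
    """
    kind, offset = classify(old_arg)
    if kind != "register":
        raise ValueError("%#010x is a %s reference, not a ring slot" % (old_arg, kind))
    rotation = (rotate_field - GPR_BASE) & 0xFFFFFFFF   # sub ecx, 0xF0000000
    if rotation >= RING_SIZE:
        # Assumption (my guard, not from the post): one subtraction of 0x70 must suffice.
        raise ValueError("rotation %#x exceeds the ring size" % rotation)
    addr = ring_head + offset + rotation                # add ebx, [VM_Context.380] ; add ebx, ecx
    if addr >= ring_head + RING_SIZE:                   # cmp ebx, ecx ; jb no_wrap
        addr -= RING_SIZE                               # wrapped past the top of the ring
    return addr


def slot_name(old_arg):
    """Which VM register an in-ring OldArgument denotes, independent of the rotation."""
    kind, offset = classify(old_arg)
    if kind != "register":
        return None
    return RING_SLOTS.get(offset, "slot+%#x" % offset)


if __name__ == "__main__":
    # Values from the trace: OldArgument F0000000, ring HEAD 003D0074, VM_Context.400 = F0000040
    addr = resolve_register_slot(0xF0000000, 0x003D0074, 0xF0000040)
    print("%s -> %08X" % (slot_name(0xF0000000), addr))   # VM_EAX -> 003D00B4
```

With the trace's values the script lands on 003D00B4, the same address the handler wrote to VMContext.4D0; an OldArgument of F0000038 (VM_ESP) with the same rotation runs past HEAD+0x70 and wraps back to 003D007C.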
01486C0B Main lea ebx, dword ptr ; EBX=003D04D0
01486C11 Main push ebx ; ESP=00391FF0
01486C12 Main jmp 014CA3F2
014CA3F2 Main pushfd ; ESP=00391FEC
014CA3F3 Main mov ebx, 0xDB97B75 ; EBX=0DB97B75
014CA3F8 Main popfd ; ESP=00391FF0
014CA3F9 Main push dword ptr ; ESP=00391FEC
014CA3FD Main jmp 015552ED
015552ED Main mov ebp, dword ptr ; EBP=003D00B4
015552F0 Main push edx ; ESP=00391FE8
015552F1 Main mov edx, esp ; EDX=00391FE8
015552F3 Main jmp 0147B42B
0147B42B Main add edx, 0x4 ; FL=0, EDX=00391FEC
0147B431 Main add edx, 0x4 ; FL=PA, EDX=00391FF0
0147B434 Main push edx ; ESP=00391FE4
0147B435 Main push dword ptr ; ESP=00391FE0
0147B439 Main pop edx ; EDX=ADEFF1C0, ESP=00391FE4
0147B43A Main pop dword ptr ; ESP=00391FE8
0147B43D Main mov esp, dword ptr ; ESP=00391FF0
0147B440 Main push dword ptr ; ESP=00391FEC
0147B443 Main jmp 015719CE
015719CE Main push dword ptr ; ESP=00391FE8
015719D1 Main pop ecx //ecx = VMContext.4D0 ; ECX=003D04D0, ESP=00391FEC
015719D2 Main push edi ; ESP=00391FE8
015719D3 Main jmp 0155B4EC
0155B4EC Main mov edi, esp ; EDI=00391FE8
0155B4EE Main add edi, 0x4 ; FL=0, EDI=00391FEC
0155B4F4 Main add edi, 0x4 ; FL=PA, EDI=00391FF0
0155B4FA Main xchg dword ptr , edi ; EDI=003D0000
0155B4FD Main pop esp ; ESP=00391FF0
0155B4FE Main push ebp ; ESP=00391FEC
0155B4FF Main jmp 015679C7
015679C7 Main push ebx ; ESP=00391FE8
015679C8 Main mov ebx, 0x62AC1FAD ; EBX=62AC1FAD
015679CD Main xor dword ptr , ebx ; FL=0
015679D1 Main jmp 014797D4
014797D4 Main pop ebx ; EBX=0DB97B75, ESP=00391FEC
014797D5 Main pop dword ptr //this single instruction is what the whole handler does: it stores the decoded new operand into VMContext.4D0 ; ESP=00391FF0
//VMContext.4D0 is what SM's document calls VMContext.Register: an address or a datum that is about to be read or written is put here first and then operated on
//This handler is what SM calls Vm_Load; the operation is
mov VM_Context.register, NewArgument
014797D7 Main push eax ; ESP=00391FEC
014797D8 Main mov eax, 0x0 ; EAX=00000000
014797DD Main add eax, ecx ; EAX=003D04D0
014797DF Main xor dword ptr , 0x62AC1FAD //VMContext.4D0 holds the address of VMContext_eax ; FL=P
014797E5 Main push dword ptr ; ESP=00391FE8
014797E8 Main pop eax ; EAX=00000002, ESP=00391FEC
014797E9 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
014797EC Main push eax ; ESP=00391FEC
014797ED Main jmp 01487ADE
01487ADE Main mov eax, esp ; EAX=00391FEC
01487AE0 Main add eax, 0x4 ; EAX=00391FF0
01487AE5 Main sub eax, 0x4 ; FL=A, EAX=00391FEC
01487AEA Main jmp 0146CFE8
0146CFE8 Main xchg dword ptr , eax ; EAX=00000002
0146CFEB Main pop esp
0146CFEC Main mov dword ptr , ebp
0146CFEF Main push esp ; ESP=00391FE8
0146CFF0 Main pop ebp ; ESP=00391FEC, EBP=00391FEC
0146CFF1 Main add ebp, 0x4 ; FL=PA, EBP=00391FF0
0146CFF7 Main add ebp, 0x8 ; FL=0, EBP=00391FF8
0146CFFA Main push ebp ; ESP=00391FE8
0146CFFB Main push dword ptr ; ESP=00391FE4
0146CFFF Main pop ebp ; ESP=00391FE8, EBP=003D00B4
0146D000 Main pop dword ptr ; ESP=00391FEC
0146D003 Main pop esp ; ESP=00391FF8
//From here on the address of the next handler is computed
0146D004 Main push dword ptr //opcode1 ; ESP=00391FF4
0146D00A Main jmp 0154EF58
0154EF58 Main mov ebp, dword ptr //ebp = opcode1 ; EBP=00000008
0154EF5B Main push eax ; ESP=00391FF0
0154EF5C Main mov eax, esp ; EAX=00391FF0
0154EF5E Main jmp 01460D65
01460D65 Main add eax, 0x4 ; EAX=00391FF4
01460D6A Main push edi ; ESP=00391FEC
01460D6B Main mov edi, 0x4 ; EDI=00000004
01460D70 Main sub eax, 0x25180B4C ; FL=CAS, EAX=DB2114A8
01460D75 Main add eax, edi ; FL=PS, EAX=DB2114AC
01460D77 Main add eax, 0x25180B4C ; FL=CA, EAX=00391FF8
01460D7C Main pop edi ; ESP=00391FF0, EDI=003D0000
01460D7D Main xchg dword ptr , eax ; EAX=00000002
01460D80 Main pop esp ; ESP=00391FF8
01460D81 Main shl ebp, 0x2 //ebp = opcode1 << 2 ; FL=A, EBP=00000020
01460D84 Main jmp 015282A2
015282A2 Main push dword ptr //opcode2 ; ESP=00391FF4
015282A8 Main jmp 01525D4D
01525D4D Main push dword ptr ; ESP=00391FF0
01525D50 Main pop ebx //ebx = opcode2 ; EBX=00000002, ESP=00391FF4
01525D51 Main push 0x5B0 ; ESP=00391FF0
01525D56 Main jmp 0154BC97
0154BC97 Main mov dword ptr , esi
0154BC9A Main mov esi, esp ; ESI=00391FF0
0154BC9C Main add esi, 0x4 ; FL=0, ESI=00391FF4
0154BCA2 Main add esi, 0x4 ; ESI=00391FF8
0154BCA5 Main xchg dword ptr , esi ; ESI=00BE2A50
0154BCA8 Main pop esp ; ESP=00391FF8
0154BCA9 Main shl ebx, 0x2 //ebx = opcode2 << 2 ; EBX=00000008
0154BCAC Main jmp 015719D8
015719D8 Main sub esp, 0x4 ; ESP=00391FF4
015719DB Main jmp 01507937
01507937 Main mov dword ptr , edx
0150793A Main mov edx, 0x550 ; EDX=00000550
0150793F Main add edx, edi //VMContext.550 holds the address of the opcode1 table of the two-opcode dispatch ; FL=P, EDX=003D0550
The table is:
003A0000 00 00 3B 00 0C 00 3B 00 18 00 3B 00 24 00 3B 00
003A0010 30 00 3B 00 3C 00 3B 00 48 00 3B 00 54 00 3B 00
003A0020 60 00 3B 00 6C 00 3B 00 78 00 3B 00 84 00 3B 00
003A0030 90 00 3B 00 9C 00 3B 00 A8 00 3B 00 B4 00 3B 00
003A0040 C0 00 3B 00 CC 00 3B 00 D8 00 3B 00 E4 00 3B 00
003A0050 F0 00 3B 00 FC 00 3B 00 08 01 3B 00 14 01 3B 00
003A0060 20 01 3B 00 2C 01 3B 00 38 01 3B 00 44 01 3B 00
003A0070 50 01 3B 00 5C 01 3B 00 68 01 3B 00 74 01 3B 00
003A0080 80 01 3B 00 8C 01 3B 00 98 01 3B 00 A4 01 3B 00
003A0090 B0 01 3B 00 BC 01 3B 00 C8 01 3B 00 D4 01 3B 00
003A00A0 E0 01 3B 00 EC 01 3B 00 F8 01 3B 00 04 02 3B 00
003A00B0 10 02 3B 00 1C 02 3B 00 28 02 3B 00 34 02 3B 00
003A00C0 40 02 3B 00 4C 02 3B 00 58 02 3B 00 64 02 3B 00
003A00D0 70 02 3B 00 7C 02 3B 00 88 02 3B 00 94 02 3B 00
003A00E0 A0 02 3B 00 AC 02 3B 00 B8 02 3B 00 C4 02 3B 00
003A00F0 D0 02 3B 00 DC 02 3B 00 E8 02 3B 00 F4 02 3B 00
01507941 Main jmp 0153C14D
0153C14D Main push dword ptr ; ESP=00391FF0
0153C14F Main pop esi //esi is the address of the table above ; ESP=00391FF4, ESI=003A0000
0153C150 Main mov edx, dword ptr ; EDX=ADEFF1C0
0153C153 Main push ebx ; ESP=00391FF0
0153C154 Main mov ebx, esp ; EBX=00391FF0
0153C156 Main add ebx, 0x4 ; FL=0, EBX=00391FF4
0153C15C Main add ebx, 0x4 ; EBX=00391FF8
0153C162 Main xchg dword ptr , ebx ; EBX=00000008
0153C165 Main pop esp ; ESP=00391FF8
0153C166 Main add esi, 0x1E0770ED ; FL=P, ESI=1E4170ED
0153C16C Main jmp 014F36AA
014F36AA Main add esi, 0x2C9E597F ; FL=PA, ESI=4ADFCA6C
014F36B0 Main add esi, ebp //esi = esi + ebp (opcode1 << 2) ; FL=0, ESI=4ADFCA8C
014F36B2 Main sub esi, 0x2C9E597F ; FL=A, ESI=1E41710D
014F36B8 Main jmp 014A403C
014A403C Main push 0x49A5 ; ESP=00391FF4
014A4041 Main mov dword ptr , ecx
014A4044 Main mov ecx, 0x1E0770ED ; ECX=1E0770ED
014A4049 Main sub esi, ecx ; FL=0, ESI=003A0020
014A404B Main mov ecx, dword ptr ; ECX=003D04D0
014A404E Main add esp, 0x4 ; ESP=00391FF8
014A4051 Main push eax ; ESP=00391FF4
014A4052 Main jmp 014B0D88
014B0D88 Main mov eax, 0x0 ; EAX=00000000
014B0D8D Main add eax, esi ; EAX=003A0020
014B0D8F Main push 0xB12 ; ESP=00391FF0
014B0D94 Main jmp 01513A69
01513A69 Main mov dword ptr , ecx
01513A6C Main mov ecx, 0x0 ; ECX=00000000
01513A71 Main add ecx, eax ; ECX=003A0020
01513A73 Main mov esi, dword ptr ; ESI=003B0060
//the lookup gives 003B0060; that address lies in the other table:
003B0000 00 00 00 00 A4 17 4B 01 5D 5F 58 01 A0 41 48 01
003B0010 1F BD 48 01 DE 61 4F 01 B7 38 4B 01 69 5E 48 01
003B0020 5C 27 47 01 F9 82 52 01 2B EB 50 01 00 00 00 00
003B0030 03 B8 55 01 A7 D8 51 01 55 7C 4C 01 00 00 00 00
003B0040 00 00 00 00 2F 32 51 01 B2 1F 49 01 73 C2 46 01
003B0050 C5 1E 4F 01 C8 9D 4D 01 00 00 00 00 CD 09 50 01
003B0060 64 B9 4C 01 07 38 49 01 C1 77 53 01 55 25 4D 01
01513A75 Main mov ecx, dword ptr ; ECX=003D04D0
01513A78 Main add esp, 0x4 ; ESP=00391FF4
01513A7E Main mov eax, dword ptr ; EAX=00000002
01513A81 Main add esp, 0x4 ; ESP=00391FF8
01513A84 Main push ebp ; ESP=00391FF4
01513A85 Main jmp 015719E0
015719E0 Main mov ecx, 0x7A2639B3 ; ECX=7A2639B3
015719E5 Main sub ecx, 0x25DAE967 ; FL=A, ECX=544B504C
015719EB Main push ecx ; ESP=00391FF0
015719EC Main jmp 014FEF27
014FEF27 Main xor dword ptr , 0x446A44D5 ; FL=P
014FEF2E Main pop ebp ; ESP=00391FF4, EBP=10211499
014FEF2F Main xor ebp, 0x446A44D5 ; FL=0, EBP=544B504C
014FEF35 Main add ecx, ebx ; FL=A, ECX=544B5054
014FEF37 Main add esi, ebp ; FL=P, ESI=548650AC
014FEF39 Main pop ebp ; ESP=00391FF8, EBP=00000020
014FEF3A Main sub esi, 0x6ED91105 ; FL=CS, ESI=E5AD3FA7
014FEF40 Main add esi, ebx //esi = esi + ebx (opcode2 << 2) ; FL=PS, ESI=E5AD3FAF
014FEF42 Main add esi, 0x6ED91105 ; FL=CPA, ESI=548650B4
014FEF48 Main sub esi, 0x544B504C //the value obtained here is 003B0068; looking it up gives 015377C1, which is the address of the next handler ; FL=A, ESI=003B0068
014FEF4E Main push dword ptr ; ESP=00391FF4
014FEF50 Main jmp 0149276F
0149276F Main mov esi, dword ptr //esi = address of the next handler ; ESI=015377C1
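As an added example (not code from faint88's post), the two-level lookup the trace just performed, handler = [[table1 + (opcode1 << 2)] + (opcode2 << 2)], as a script that runs directly over the dumps shown in the post. It assumes TABLE1_BASE = 003A0000, the value the trace reads from VMContext.550, and embeds the rows of the two dumps (only the first four rows of the opcode1 table, since the trace needs no more). Two things are my inferences, not the post's: the 0xC stride between opcode1 entries visible in the first dump means each opcode1 owns three opcode2 slots, and an all-zero entry is treated as an unused slot.

```python
"""Resolve Themida's two-opcode handler dispatch from dumped tables.

Added example (not code from the post): reimplements
    sub_table = [table1 + (opcode1 << 2)]
    handler   = [sub_table + (opcode2 << 2)]
over the hex dumps the post shows.
"""
import re
import struct

TABLE1_BASE = 0x003A0000  # address read from VMContext.550 in the trace

# Dumps copied from the post. The parser also accepts the fused form the forum
# rendered ("003A000000 00 3B ..."), where the address runs into the first byte.
TABLE1_DUMP = """
003A0000 00 00 3B 00 0C 00 3B 00 18 00 3B 00 24 00 3B 00
003A0010 30 00 3B 00 3C 00 3B 00 48 00 3B 00 54 00 3B 00
003A0020 60 00 3B 00 6C 00 3B 00 78 00 3B 00 84 00 3B 00
003A0030 90 00 3B 00 9C 00 3B 00 A8 00 3B 00 B4 00 3B 00
"""
TABLE2_DUMP = """
003B0000 00 00 00 00 A4 17 4B 01 5D 5F 58 01 A0 41 48 01
003B0010 1F BD 48 01 DE 61 4F 01 B7 38 4B 01 69 5E 48 01
003B0020 5C 27 47 01 F9 82 52 01 2B EB 50 01 00 00 00 00
003B0030 03 B8 55 01 A7 D8 51 01 55 7C 4C 01 00 00 00 00
003B0040 00 00 00 00 2F 32 51 01 B2 1F 49 01 73 C2 46 01
003B0050 C5 1E 4F 01 C8 9D 4D 01 00 00 00 00 CD 09 50 01
003B0060 64 B9 4C 01 07 38 49 01 C1 77 53 01 55 25 4D 01
"""

_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_dump(text):
    """Parse '<addr> <bytes...>' lines into a sparse {address: byte} memory map."""
    mem = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unparseable dump line: %r" % line)
        base = int(m.group(1), 16)
        for i, b in enumerate(bytes.fromhex(re.sub(r"\s", "", m.group(2)))):
            mem[base + i] = b
    return mem


def read_u32(mem, addr):
    """Little-endian dword read; fails loudly if the dump does not cover addr."""
    try:
        raw = bytes(mem[addr + i] for i in range(4))
    except KeyError:
        raise KeyError("address %08X is not covered by the dump" % addr)
    return struct.unpack("<I", raw)[0]


def resolve_handler(mem, opcode1, opcode2, table1=TABLE1_BASE):
    """Return (sub_table, handler) exactly as the trace computes them."""
    sub_table = read_u32(mem, table1 + (opcode1 << 2))   # shl ebp, 2 ; add esi, ebp
    handler = read_u32(mem, sub_table + (opcode2 << 2))  # shl ebx, 2 ; add esi, ebx
    if handler == 0:
        # Assumption: an all-zero entry (several appear in the dump) is an unused slot.
        raise LookupError("no handler for opcode1=%#x opcode2=%#x" % (opcode1, opcode2))
    return sub_table, handler


def handler_map(mem, max_opcode1=4, max_opcode2=3, table1=TABLE1_BASE):
    """Enumerate every (opcode1, opcode2) -> handler pair the dump can resolve.

    max_opcode2 defaults to 3 because the opcode1 entries are 0xC bytes apart,
    i.e. three dword slots per opcode1 (inferred from the dump, not from the post).
    """
    found = {}
    for op1 in range(max_opcode1):
        for op2 in range(max_opcode2):
            try:
                found[(op1, op2)] = resolve_handler(mem, op1, op2, table1)[1]
            except (KeyError, LookupError):
                continue
    return found


MEM = parse_dump(TABLE1_DUMP)
MEM.update(parse_dump(TABLE2_DUMP))

if __name__ == "__main__":
    # The trace's own case: opcode1 = 8, opcode2 = 2 -> 003B0060 -> 015377C1
    print("%08X %08X" % resolve_handler(MEM, 8, 2))
    for (op1, op2), h in sorted(handler_map(MEM).items()):
        print("opcode1=%d opcode2=%d handler=%08X" % (op1, op2, h))
```

Run against the dumps, opcode1 = 8 / opcode2 = 2 resolves to 015377C1 as in the trace, and the pair the opening of the post works through by hand (byte offsets 10 and 4, i.e. opcode1 = 4 / opcode2 = 1) resolves to 0151D8A7. Extending the embedded dumps to the full tables turns handler_map into the complete handler inventory for this VM instance.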
01492772 Main push edi ; ESP=00391FF0
01492773 Main mov edi, esp ; EDI=00391FF0
01492775 Main jmp 014F2534
014F2534 Main push ecx ; ESP=00391FEC
014F2535 Main mov ecx, 0x4 ; ECX=00000004
014F253A Main add edi, ecx ; FL=0, EDI=00391FF4
014F253C Main pop ecx ; ECX=544B5054, ESP=00391FF0
014F253D Main push ebx ; ESP=00391FEC
014F253E Main mov ebx, 0x4 ; EBX=00000004
014F2543 Main add edi, ebx ; EDI=00391FF8
014F2545 Main pop ebx ; EBX=00000008, ESP=00391FF0
014F2546 Main xchg dword ptr , edi ; EDI=003D0000
014F2549 Main pop esp ; ESP=00391FF8
014F254A Main jmp esi //then jmp esi chains into the next handler
Run trace closed
--------------------------------------------------End------------------------------------------------------
This handler is now fully analysed. Let's summarise what each byte of this pcode_data means:
0: top bit 1 = clear key1, key2, key3 and key4; 0 = do not clear them
1: byte used to decode the address of the next pcode_data
2:
3:
   x7
   x6
   x5
   rotate the VM registers (0 = do not rotate)
   x4~x2
   how key1 is updated
   x1~x0
4:
5:
6: used to decode opcode2 for the next handler
7: pcode_detail1, used to transform the old operand into the new operand
   This BYTE is stored in two parts:
   x7 //when this bit is 1 it has a special meaning: OldArgument then denotes an address expressed as an offset
   1. If F0000080h <= OldArgument <= F000008Ah, the result of subtracting F0000080h (0-A) is an offset from VM_Context.segCS, i.e. OldArgument denotes the address of one of the segment registers inside VM_Context.
   2. If F0000000h <= OldArgument <= F0000070h, the result of subtracting F0000000h (0-70) is an offset into the closed ring of general registers inside VM_Context. The next few lines of code adjust it by the current rotation byte so that it points at the right address.
   3. If OldArgument falls in neither range, 80000000h is subtracted from it; the result is an offset into the pcode data of the VM-protected code, i.e. it points at some pcode data.
   -------------
   x6 ~ x0 //switch-case on the value to find the matching transformation
8: used to decode opcode1 for the next handler
9~C: used to decode the old operand
D: pcode_detail2; compares a few values and sets a few flags, not used here
E:
The entries left blank are parts this handler does not use.
The rough flow of this handler is as follows:
First transform key1, which is used to decode the operand; then check whether VM_Reg needs to rotate, and rotate it if so; decode the old operand; transform the old operand into the new operand according to pcode_detail1; because this handler is VM_load, assign the transformed new operand to VM_register; decode opcode1 and opcode2 and compute the address of the next handler; decode the address of the next pcode_data; then jmp esi to the next handler.

Thanks to faint88 for coming to 52pojie to post an analysis article too! :)
Something to digest slowly; respect to the OP. Reserving a spot to study...
Welcome to 52.
A long post right away; saving it first, will read it slowly.
Thanks!! :) Bookmarked
Learning
Respect, and learning :P
Respect to faint88 the master... :lol
Really strong