下面是菜鸟脱Execryptor2.0.26主程序的脱壳笔记,大牛就不要看了,如果看了请勿嘲笑。呵呵。。只是大体介绍下自己理解的一个简单的VM(也不知道是不是。。)的框架。。。这里的框架是
call VM
VMdata // 8字节VM需要的数据 --> 被VM掉的数据
.... // 继续原来的代码
这个简单VM的过程:
1. 保存寄存器环境 (保存到固定的全局地址 [53774C]..[537E04], 见下文)
2. 解密一个DWORD 数据... 这里解密结果的最后一个字节作为操作指令的索引(opcode)用..
3. 解密获取相关的数据
4. 获取操作索引值.. (switch ..case用).. 执行对应的操作
5. 恢复寄存器环境
6. 退出VM。。继续原来的代码..
==> 其实这个壳的这个版本(其他的还未研究到) 还是处理那些 代码乱序。。 代码变形。。 最烦。。 等清到光光后。。最后剩下的有用的就几行代码。。VM的框架和原理也就很容易看出来了(只是这个版本的这个壳)。。。
//***************************************************************************************************************
//
//
// VM 虚拟机 ---> call 00517ECB --> 接在CALL后的是虚拟机解码需要的数据
//
// 参考文献: ExeCryptor v2.2.6虚拟机不完全分析
//
//*****************************************************************************************************************
// 这个CALL开始进入虚拟机 ---> 下面代码都是经过处理的。。去掉乱序和变形代码...
00529E63 E8 63E0FEFF call 00517ECB ; 进入虚拟机?
00529E68 68 1EAEC82E push 2EC8AE1E ; 接CALL后的是加密后的数据,虚拟机用到
00529E6D 05 002FE9E2 add eax, E2E92F00
00529E72 6E outs dx, byte ptr es:[edi]
00529E73 FC cld
00529E74 FFC3 inc ebx
======================================================================================
// 下面是虚拟机代码...
//
// 下面的前几行代码保存寄存器当前环境
//
// edi --> [53774C]
// esi --> [537750]
// eax --> [537DE0]
// ecx --> [537DF4]
// edx --> [537DF8]
// ebx --> [537DFC]
// esp --> [537E00]
// ebp --> [537E04]
00517ECB 9C pushfd ;
00517ECC 893D 4C775300 mov dword ptr [53774C], edi ; 保存edi
0053EE5D pop edi ; 进入虚拟机前的EFLAGS
0053EE5E 8935 50775300 mov dword ptr [537750], esi
00541BE9 pop esi ; call VM的返回地址--> 这里作为传递给VM解码的数据地址
00541BEA 8905 E07D5300 mov dword ptr [537DE0], eax ; 保存 eax
00541BF0 890D F47D5300 mov dword ptr [537DF4], ecx ; 保存 ecx
00541BF6 51 push ecx ;
00541BF7 mov ecx, 537DF8 ;
004F4640 8911 mov dword ptr [ecx], edx ; 保存 edx
00517A59 59 pop ecx
00517A5A 51 push ecx
0054EA7B mov ecx, 537DFC
0052EEC4 8919 mov dword ptr [ecx], ebx ; 保存 ebx
0052EEC6 59 pop ecx
0052EEC7 89E0 mov eax, esp
005270D1 53 push ebx
005270D2 mov ebx, 537E00
00532272 8903 mov dword ptr [ebx], eax ; 保存 esp
00532274 5B pop ebx
00532275 892D 047E5300 mov dword ptr [537E04], ebp
============================================================================================
00541764 push 0051135A ; Morph instruction
// esi = 00529E68 -- 是接在 00529E63 CALL后面的数据... 所以下面的代码在解密数据...
004F0633 8B06 mov eax, dword ptr [esi]
004F0636 mov edx, eax ; Morph instruction
004F0637 C1C8 10 ror eax, 10
00527E16 66:C1C2 03 rol dx, 3
0051FB9D add edx, 4889224D ; Morph instruction
0051FB9E 81F2 A49F1C1F xor edx, 1F1C9FA4
005531C4 66:33C2 xor ax, dx - -------------------------------------------------------------------------------------------
- 005531C8 mov edx, eax ; Morph instruction
- 005531C9 C1C8 10 ror eax, 10
- 005531CC 66:C1C2 03 rol dx, 3
- 00529811 81C2 754DA536 add edx, 36A54D75
- 0051E97A xor edx, 1D2B587A ; Morph instruction
- 0051E97B 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00553AE4 mov edx, eax ; Morph instruction
- 00553AE5 C1C8 10 ror eax, 10
- 00553AE8 66:C1C2 03 rol dx, 3
- 005306C4 add edx, 1410774C ; Morph instruction
- 0052A22C xor edx, 299D9F3E ; Morph instruction
- 004F25ED 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 004F25F1 mov edx, eax ; Morph instruction
- 004F25F2 C1C8 10 ror eax, 10
- 004F25F5 66:C1C2 03 rol dx, 3
- 0053ABE0 add edx, 5CB9E32A ; Morph instruction
- 005299DC xor edx, A181E438 ; Morph instruction
- 005299DD 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005299E1 mov edx, edi ; Morph instruction
- 0052F3DE 53 push ebx
- 0052F3DF mov ebx, 1 ; ebx = 1
- 0052F3F1 84F3 test bl, dh
- 0052F3F3 5B pop ebx
- 0053FFA6 0F95C1 setne cl
- 0053FFA9 D3C8 ror eax, cl
- 00518139 and edx, 000008C1 ; Morph instruction
- 004F2479 or edx, FFFFF73E ; Morph instruction
- 004F247A 23C2 and eax, edx
- -------------------------------------------------------------------------------------------
- 004F247D mov edx, eax ; Morph instruction
- 004F247E C1C8 10 ror eax, 10
- 004F2481 66:C1C2 03 rol dx, 3
- 00511730 add edx, 51E9F8E2 ; Morph instruction
- 00511731 81F2 5AAE07E4 xor edx, E407AE5A
- 00511737 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0051AEF5 mov edx, eax ; Morph instruction
- 0051AEF6 C1C8 10 ror eax, 10
- 0051AEF9 66:C1C2 03 rol dx, 3
- 005225E9 add edx, 219A547D ; Morph instruction
- 005458A8 xor edx, 01921774 ; Morph instruction
- 004ED3A7 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 004ED3AB mov edx, eax ; Morph instruction
- 004ED3AC C1C8 10 ror eax, 10
- 004ED3AF 66:C1C2 03 rol dx, 3
- 005354C4 add edx, F4B28C92 ; Morph instruction
- 00516E52 xor edx, DBE32FB2 ; Morph instruction
- 00516E53 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0055093C mov edx, eax ; Morph instruction
- 0055093D C1C8 10 ror eax, 10
- 00550940 66:C1C2 03 rol dx, 3
- 00512DBD add edx, E7E88668 ; Morph instruction
- 00546855 xor edx, 25EC81D8 ; Morph instruction
- 00546856 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005313E4 mov edx, eax ; Morph instruction
- 005313E5 C1C8 10 ror eax, 10
- 005313E8 66:C1C2 03 rol dx, 3
- 00532511 add edx, 120EEB2D ; Morph instruction
- 00518D50 xor edx, 590B433B ; Morph instruction
- 00518D51 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00530561 mov edx, eax ; Morph instruction
- 00530562 C1C8 10 ror eax, 10
- 0052B63D 66:C1C2 03 rol dx, 3
- 0052ECA7 add edx, 1EBB3670 ; Morph instruction
- 0053AE1C xor edx, AE63A431 ; Morph instruction
- 005218D7 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005218DB mov edx, eax ; Morph instruction
- 005218DC C1C8 10 ror eax, 10
- 005218DF 66:C1C2 03 rol dx, 3
- 005177FE add edx, 124CD82C ; Morph instruction
- 005177FF 81F2 E7C3F64D xor edx, 4DF6C3E7
- 00517805 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00517809 mov edx, eax ; Morph instruction
- 0051780A C1C8 10 ror eax, 10
- 0053D6CB 66:C1C2 03 rol dx, 3
- 0053D6CF 81C2 DF243CB3 add edx, B33C24DF
- 0053D6D5 81F2 2B9A1177 xor edx, 77119A2B
- 0053D6DB 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0053FCD8 8BD0 mov edx, eax
- 0053FCDA C1C8 10 ror eax, 10
- 0053FCDD 66:C1C2 03 rol dx, 3
- 0051E444 add edx, 05B11F3F ; Morph instruction
- 0052B820 xor edx, 4F692D35 ; Morph instruction
- 0052B821 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0052DDAE mov edx, eax ; Morph instruction
- 0052DDAF C1C8 10 ror eax, 10
- 0052DDB2 66:C1C2 03 rol dx, 3
- 004EF6E7 81C2 957C6C36 add edx, 366C7C95
- 004EF6ED 81F2 74802F82 xor edx, 822F8074
- 004EF6F3 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 004EF6F7 mov edx, eax ; Morph instruction
- 004EF6F8 C1C8 10 ror eax, 10
- 00527C47 66:C1C2 03 rol dx, 3
- 00527C4B 81C2 EA29CCB8 add edx, B8CC29EA
- 0053624E xor edx, 8C7AB3B6 ; Morph instruction
- 0053624F 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00536253 mov edx, eax ; Morph instruction
- 00536254 C1C8 10 ror eax, 10
- 004F867B 66:C1C2 03 rol dx, 3
- 0054D15C add edx, B6A422AE ; Morph instruction
- 005193FA xor edx, BAEB5274 ; Morph instruction
- 005193FB 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00527A95 8BD0 mov edx, eax
- 00527A97 C1C8 10 ror eax, 10
- 00527A9A 66:C1C2 03 rol dx, 3
- 004F098E add edx, 4B3B50EE ; Morph instruction
- 004F098F 81F2 32EBE83B xor edx, 3BE8EB32
- 004F0995 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0051F2D1 8BD0 mov edx, eax
- 0051F2D3 C1C8 10 ror eax, 10
- 0051F2D6 66:C1C2 03 rol dx, 3
- 00514315 add edx, F0BABDAC ; Morph instruction
- 0052E612 xor edx, 8311B436 ; Morph instruction
- 0052E613 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0052E616 8BD0 mov edx, eax
- 0052E618 C1C8 10 ror eax, 10
- 0052E61B 66:C1C2 03 rol dx, 3
- 00537262 add edx, C58A8C26 ; Morph instruction
- 0053F4B2 xor edx, 656F399F ; Morph instruction
- 0053F4B3 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00539200 mov edx, eax ; Morph instruction
- 00541613 C1C8 10 ror eax, 10
- 00541616 66:C1C2 03 rol dx, 3
- 0054161A 81C2 2D09A1D0 add edx, D0A1092D
- 005133F0 xor edx, 06320EA3 ; Morph instruction
- 005133F1 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005133F5 mov edx, eax ; Morph instruction
- 00550AE3 C1C8 10 ror eax, 10
- 00550AE6 66:C1C2 03 rol dx, 3
- 00550AEA 81C2 047BB65A add edx, 5AB67B04
- 00529418 xor edx, 5165898E ; Morph instruction
- 00529419 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0052941D mov edx, eax ; Morph instruction
- 0052941E C1C8 10 ror eax, 10
- 00529421 66:C1C2 03 rol dx, 3
- 00511599 add edx, 8CFFBC82 ; Morph instruction
- 0051159A 81F2 3FE6623A xor edx, 3A62E63F
- 005115A0 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005115A4 mov edx, eax ; Morph instruction
- 005115A5 C1C8 10 ror eax, 10
- 005115A8 66:C1C2 03 rol dx, 3
- 004ED000 81C2 4612534A add edx, 4A531246
- 004ED006 81F2 DB336C52 xor edx, 526C33DB
- 004ED00C 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 004ED010 mov edx, eax ; Morph instruction
- 004ED011 C1C8 10 ror eax, 10
- 0053638E 66:C1C2 03 rol dx, 3
- 00534B46 add edx, F2709C42 ; Morph instruction
- 0054B76F xor edx, C562285A ; Morph instruction
- 0054B770 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005497AA mov edx, eax ; Morph instruction
- 004EDAC1 C1C8 10 ror eax, 10
- 004EDAC4 66:C1C2 03 rol dx, 3
- 0051903A add edx, F512087B ; Morph instruction
- 00515E66 xor edx, 3DB4864D ; Morph instruction
- 00515E67 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0052A8BD mov edx, eax ; Morph instruction
- 0052A8BE C1C8 10 ror eax, 10
- 004EE60C 66:C1C2 03 rol dx, 3
- 005217F0 add edx, 5118442F ; Morph instruction
- 0052011A xor edx, 3A3F8FCE ; Morph instruction
- 0052011B 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0052011E 8BD0 mov edx, eax
- 00520120 C1C8 10 ror eax, 10
- 00548A58 66:C1C2 03 rol dx, 3
- 00533E68 add edx, 9625A089 ; Morph instruction
- 0051D4A6 xor edx, 30FCCA86 ; Morph instruction
- 0051D4A7 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00552F9C mov edx, eax ; Morph instruction
- 00552F9D C1C8 10 ror eax, 10
- 00552FA0 66:C1C2 03 rol dx, 3
- 00528AA0 add edx, 982AE9F7 ; Morph instruction
- 0053242B 81F2 07C81BDC xor edx, DC1BC807
- 00532431 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00532434 8BD0 mov edx, eax
- 00532436 C1C8 10 ror eax, 10
- 00532439 66:C1C2 03 rol dx, 3
- 00529AE2 add edx, 9D1CB852 ; Morph instruction
- 00529AE3 81F2 5B71DE9B xor edx, 9BDE715B
- 005152A4 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 005152A8 mov edx, eax ; Morph instruction
- 005152A9 C1C8 10 ror eax, 10
- 005152AC 66:C1C2 03 rol dx, 3
- 0051A12C 81C2 966B6B75 add edx, 756B6B96
- 0051A132 81F2 1C3A3A47 xor edx, 473A3A1C
- 0051A138 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 0051A13C mov edx, eax ; Morph instruction
- 0051A13D C1C8 10 ror eax, 10
- 0051A140 66:C1C2 03 rol dx, 3
- 0051A144 81C2 89981061 add edx, 61109889
- 00547524 xor edx, C0D1C3F1 ; Morph instruction
- 00547525 66:33C2 xor ax, dx
- -------------------------------------------------------------------------------------------
- 00547529 mov edx, eax ; Morph instruction
- 0052C522 C1C8 10 ror eax, 10
- 0052C525 66:C1C2 03 rol dx, 3
- 0052C529 81C2 439E0CA8 add edx, A80C9E43
- 0052C52F 81F2 A9FDF85F xor edx, 5FF8FDA9
- 0052C535 66:33C2 xor ax, dx
===============================================================================================
// 解密完成。。到达下面的代码.... --> 计算结果 eax = 1AA2EC84
//
//
// [51B108] ---> 存储解密算法计算出来的数值 eax = 1AA2EC84
//
// [51B114] ---> 解密出来的一个地址 (作为操作数?)
//
//
// esi --> 指向的结构数据定义
//
struct stData
{
DWORD val1; // first dword right after `call VM` (esi after the `pop esi`). The ror/rol/add/xor chain above decrypts it to 1AA2EC84, stored at [51B108]. Its low byte (0x84) is the VM opcode compared against in the dispatch chain after `retn` to 0051135A; bits 8..19 (0x2EC) feed the operand.
DWORD val2; // second dword after the call (2F00052E). Its low 20 bits (0x52E) shifted left by 12 are OR-ed with the 0x2EC above to form the operand 0052E2EC stored at [51B114]. NOTE(review): the original note called this the "return address"; in the trace below the return address is simply esi+8 (the two `add esi, 4`), while val1/val2 only produce the operand.
};
stData VMData;
1AA 2EC 84 -> val1 解密出来的数据
2F000 52E -> val2
==> 52E 2EC (按位组合)
================================================================================================
0052C538 51 push ecx
0052C539 mov ecx, 51B108 ; ecx = 51B108
004EED0B 8901 mov dword ptr [ecx], eax ; eax = 1AA2EC84 --> 上面解密算法计算出来的数据
004EED0D 59 pop ecx
004EED0E 0F89 16D70200 jns 0051C42A
0051C42A 83C6 04 add esi, 4 ; esi --> CALL VM后的数据地址..(那个返回地址)
0051C42D 53 push ebx
005395A9 mov ebx, E0000000 ; ebx = E0000000
0052FCEB 85C3 test ebx, eax ; eax = 1AA2EC84 --> 解密出来的数值
0052FCED 5B pop ebx
0052FCEE 0F84 FF270000 je 005324F3 ; 一个分支跳转
005324F3 A9 C0000000 test eax, 0C0
005324F8 0F84 46520000 je 00537744 ; 一个分支跳转
0054C6A4 0F85 6D7EFDFF jnz 00524517 ; 一个分支跳转
00524517 8B16 mov edx, dword ptr [esi] ; VMData.val2
===========================================================================================
//
// 下面是计算出 此处VM解析完毕后的 返回地址
00524519 C1E8 08 shr eax, 8 ; eax = 1AA2EC84 ==> eax = 001AA2EC
0052451C 25 FF0F0000 and eax, 0FFF ; eax = 001AA2EC ==> eax = 2EC
0053E502 and edx, 000FFFFF ; edx = 2F00052E ==> 52E
0053E503 C1E2 0C shl edx, 0C ; edx = 52E ==> 52E000
0053E506 09D0 or eax, edx ; eax = 52E2EC ==> 这个是此次 VM 指令 操作数?
0053E508 53 push ebx
0051995F mov ebx, 51B114 ;
00546C35 8903 mov dword ptr [ebx], eax ; eax = 52E2EC
00546C37 5B pop ebx
0053BF4D 83C6 04 add esi, 4 ; ===> VM执行完返回地址 (被虚拟掉的代码接下去的代码)
0053BF50 mov eax, 51B108 ; eax = 51B108 [eax] = 1AA2EC84
0052708D 8B00 mov eax, dword ptr [eax]
=======================================================================================
//
// 下面根据 1AA2EC84 (前面解密出来的数据) 的最后一个字节判断 此处VM是做什么的 --> 对应的x86汇编指令
0052708F A9 80000000 test eax, 80 ; 1AA2EC84 --> 最后一个字节是否等于 0x80
00527094 0F84 AA060100 je 00537744
0051DB5C 0F85 B63A0300 jnz 00551618
00551618 8D05 18165500 lea eax, dword ptr [551618] ; eax = 551618
00537736 8D15 18165500 lea edx, dword ptr [551618]
0053773C 29C2 sub edx, eax
0053773E 0115 14B15100 add dword ptr [51B114], edx ; [51B114] --> 存储 计算出来的一个地址
00537744 C3 retn ; 返回到 0051135A
0051135A 8B05 08B15100 mov eax, dword ptr [51B108] ; 解密算法计算出来的数值 eax = 1AA2EC84
00511360 89C3 mov ebx, eax
00511362 25 FF000000 and eax, 0FF ; 最后一个字节 eax = 0x84 (VM的opcode..指示对应什么汇编操作)
00511367 C1EB 08 shr ebx, 8 ; ebx = 1AA2EC84 ==> ebx = 1AA2EC
0054D3EA 56 push esi
0054D3EB mov esi, 0 ; VMOpcode == 0 ? (专业术语,不懂....)
004EF056 3BC6 cmp eax, esi
0055156F 5E pop esi
00551570 0F85 8FCCFEFF jnz 0053E205
0053E205 57 push edi
0053E206 mov edi, 1 ; VMOpcode == 1 ?
004F8D95 3BC7 cmp eax, edi
004F8D97 5F pop edi
004F8D98 0F85 88AA0100 jnz 00513826
00513826 56 push esi
00513800 mov esi, 2 ; VMOpcode == 2 ?
0054CE22 3BC6 cmp eax, esi
0054CE24 5E pop esi
0054CE25 0F85 9379FFFF jnz 005447BE
005447BE 83F8 03 cmp eax, 3 ; VMOpcode == 3 ?
005447C1 0F85 9BF4FDFF jnz 00523C62
0054451D 53 push ebx
0054451E mov ebx, 4 ; VMOpcode == 4 ?
005511AA 3BC3 cmp eax, ebx
005511AC 5B pop ebx
005511AD 0F85 6DADFDFF jnz 0052BF20
0052BF20 53 push ebx
0052BF21 mov ebx, 5 ; VMOpcode == 5 ?
00516917 3BC3 cmp eax, ebx
004EE4DC 5B pop ebx
004EE4DD 0F85 82300300 jnz 00521565
00521565 53 push ebx
00521566 mov ebx, 6 ; VMOpcode == 6 ?
0052A71D 3BC3 cmp eax, ebx
0052A71F 5B pop ebx
0052A720 0F85 2BCBFCFF jnz 004F7251
004F7251 83F8 07 cmp eax, 7 ; VMOpcode == 7 ?
004F7254 0F85 76EE0200 jnz 005260D0
005260D0 3D C0000000 cmp eax, 0C0 ; VMOpcode == C0 ?
005260D5 0F85 73550100 jnz 0053B64E
0053B64E 3D 82000000 cmp eax, 82 ; VMOpcode == 82 ?
0053B653 0F85 0D99FBFF jnz 004F4F66
004F4F66 56 push esi
005347BF mov esi, 44 ; VMOpcode == 44 ?
004F32A0 3BC6 cmp eax, esi
004F32A2 5E pop esi
004F32A3 0F84 7EE20500 je 00551527
0055151C 3D 84000000 cmp eax, 84 ; VMOpcode == 84 --> 此次VM对应的操作...
00551521 0F85 36F6FEFF jnz 00540B5D
===============================================================================================
//
// 此处VM对应的汇编指令 --> VMOpcode = 0x84 ---> 这里可以看出是汇编指令 <<< push 0052E2EC >>>
00551527 57 push edi
00551528 mov edi, 51B114 ; edi = 51B114
00535E36 8B3F mov edi, dword ptr [edi] ; [edi] = 0052E2EC --> 计算出来的地址 ( VM掉的代码 )
00535E38 873C24 xchg dword ptr [esp], edi ; 入栈地址
00535E3B 832D 007E5300 04 sub dword ptr [537E00], 4 ; [537E00]存储进入VM前的ESP值.. --> 这里减去4.. 入栈操作 esp - 4
00535E42 mov eax, 537E00 ; eax = 537E00
00551BB3 8B00 mov eax, dword ptr [eax] ; 入栈后的ESP值...
00551BB5 89C4 mov esp, eax ; 恢复esp
// 以下恢复 VMContext --> 进入虚拟前的寄存器环境.. --> eax ecx edx ebx ebp esi edi
00551BB7 mov eax, 537DE0 ; eax = 537DE0
00535077 8B00 mov eax, dword ptr [eax]
0051658D mov ecx, 537DF4 ; ecx = 537DF4
00514490 8B09 mov ecx, dword ptr [ecx]
00514493 mov edx, 537DF8 ; edx = 537DF8
004F0B9A 8B12 mov edx, dword ptr [edx]
004F0B9D mov ebx, 537DFC ; ebx = 537DFC
00549ABC 8B1B mov ebx, dword ptr [ebx]
0051FFFF mov ebp, 537E04 ; ebp = 537E04
00532CA0 8B6D 00 mov ebp, dword ptr [ebp]
// call VM 下的 8个字节是数据是给VM解析代码用的... 前面自己定义的结构 stData
00532CA6 push esi ; 代码中被VM掉的数据 接下来的数据 --> call VM下来的数据--> +8个字节...
00532CA9 8B35 50775300 mov esi, dword ptr [537750]
00514357 push edi ; 恢复 esi
0051435A mov edi, 53774C ;
0052F0C5 8B3F mov edi, dword ptr [edi] ; 恢复 edi
00540B5C C3 retn ; 返回到 call VM下来的数据--> +8个字节...
==========================================================================
//
// 退出 VM解析代码.... 返回继续原来的代码....
//
00529E70 - E9 E26EFCFF jmp 004F0D57
00529E75 C3 retn
00529E76 E8 6E170000 call 0052B5E9
=============================================================================
//
// 所以 nop掉对应的虚拟机代码 ---> push 0052E2EC
//
//
//
00529E63 E8 63E0FEFF call 00517ECB ; 进入虚拟机?
00529E68 90 nop ; 接CALL后的是加密后的数据,虚拟机用到 (这里NOP掉。比较好看)
00529E69 90 nop
00529E6A 90 nop
00529E6B 90 nop
00529E6C 90 nop
00529E6D 90 nop
00529E6E 90 nop
00529E6F 90 nop
00529E70 - E9 E26EFCFF jmp 004F0D57 ; 虚拟机处理完毕返回继续..
00529E75 C3 retn |