[Original] Manual restoration of the VM in problem 1, with source code of the restoration tool

2010-11-1 12:23
8275

There are three blocks of VM code in total:
1:
1 : MOV VM_VAR1 , VM_EFL
2 : MOV dword  VM_Stack[0] ,VM_EBX
3 : MOV dword  VM_Stack[1] , 0x0FFFFFFFC
4 : ADD VM_Stack[0] , VM_Stack[0]
5 : MOV dword VM_EBX , VM_Stack[0]
6 : MOV dword  VM_Stack[1] ,VM_ECX
7 : MOV dword  [VM_Stack[0]] , VM_Stack[1]
8 : MOV dword  VM_Stack[0] ,VM_EBP
9 : MOV dword  VM_Stack[1] ,VM_EBP
10 : XOR dword  VM_Stack[0] , [VM_Stack[1]]
11 : MOV VM_EFL, VM_VAR1
12 : MOV dword VM_EBP , VM_Stack[0]
13 : MOV dword  VM_Stack[0] , 0x040ECE0
14 : MOV dword VM_ESI , VM_Stack[0]
15 : MOV dword  VM_Stack[0] ,VM_EBP
16 : MOV dword VM_EDI , VM_Stack[0]
17 : MOV dword  VM_Stack[0] , 0x08
18 : MOV dword VM_ECX , VM_Stack[0]
19 : MOV dword  VM_Stack[0] ,VM_EDI
20 : MOV dword  VM_Stack[1] , 0x01
21 : TEST byte  VM_Stack[0] , [VM_Stack[1]]
22 : MOVZFSF VM_VAR2 , VM_VAR1
23 : TEST VM_Stack[9]<>0 , JMP 10
24 : MOV dword  VM_Stack[0] ,VM_EDI
25 : MOV dword  VM_Stack[1] , 0x01
26 : SHR dword  VM_Stack[0] , [VM_Stack[1]]
27 : MOV dword VM_EDI , VM_Stack[0]
28 : MOV dword  VM_Stack[0] ,VM_EDI
29 : MOV dword  VM_Stack[1] , 0x0EDB08320
30 : XOR dword  VM_Stack[0] , [VM_Stack[1]]
31 : MOV dword VM_EDI , VM_Stack[0]
32 : MOVZFSF VM_VAR2 , VM_VAR1
33 : TEST VM_Stack[9]<>0 , JMP 4
34 : MOV dword  VM_Stack[0] ,VM_EDI
35 : MOV dword  VM_Stack[1] , 0x01
36 : SHR dword  VM_Stack[0] , [VM_Stack[1]]
37 : MOV dword VM_EDI , VM_Stack[0]
38 : MOV dword  VM_Stack[0] ,VM_ECX
39 : MOV dword  VM_Stack[1] , 0x01
40 : SUB dword  VM_Stack[0] , [VM_Stack[1]]
41 : MOV dword VM_ECX , VM_Stack[0]
42 : MOVZFSF VM_VAR2 , VM_VAR1
43 : TEST VM_Stack[9]<>0 , JMP 268435431
44 : MOV dword  VM_Stack[1] ,VM_EDI
45 : MOV dword  VM_Stack[0] ,VM_ESI
46 : MOV dword  [VM_Stack[0]] , VM_Stack[1]
47 : MOV dword  VM_Stack[0] ,VM_ESI
48 : MOV dword  VM_Stack[1] , 0x04
49 : ADD dword  VM_Stack[0] , [VM_Stack[1]]
50 : MOV dword VM_ESI , VM_Stack[0]
51 : MOV dword  VM_Stack[0] ,VM_EBP
52 : MOV dword  VM_Stack[1] , 0x01
53 : ADD dword  VM_Stack[0] , [VM_Stack[1]]
54 : MOV dword VM_EBP , VM_Stack[0]
55 : MOV dword  VM_Stack[0] ,VM_ESI
56 : MOV dword  VM_Stack[1] , 0x040F0E0
57 : SUB dword  VM_Stack[0] , [VM_Stack[1]]
58 : MOVZFSF VM_VAR2 , VM_VAR1
59 : TEST VM_Stack[9]<>0 , JMP 268435411
60 : MOV dword  VM_Stack[0] ,VM_EBX
61 : MOV dword  VM_Stack[1] , [VM_Stack[0]]
62 : MOV dword VM_ECX , VM_Stack[1]
63 : MOV dword  VM_Stack[0] ,VM_EBX
64 : MOV dword  VM_Stack[1] , 0x04
65 : ADD VM_Stack[0] , VM_Stack[0]
66 : MOV dword VM_EBX , VM_Stack[0]
67 : MOV dword  VM_Stack[0] ,VM_EBX
68 : MOV dword  VM_Stack[7] , [VM_Stack[0]]
69 : MOV dword  VM_Stack[0] ,VM_EBX
70 : MOV dword  VM_Stack[1] , 0x04
71 : ADD VM_Stack[0] , VM_Stack[0]
72 : MOV dword VM_EBX , VM_Stack[0]
73 : MOV VM_EFL, VM_VAR1
74 : VM_RtlLeaveCriticalSection

2:
1 : MOV VM_VAR1 , VM_EFL
2 : MOV dword  VM_Stack[0] ,VM_EBX
3 : MOV dword  VM_Stack[1] , 0x0FFFFFFFC
4 : ADD VM_Stack[0] , VM_Stack[0]
5 : MOV dword VM_EBX , VM_Stack[0]
6 : MOV dword  VM_Stack[1] ,VM_ECX
7 : MOV dword  [VM_Stack[0]] , VM_Stack[1]
8 : MOV dword  VM_Stack[0] ,VM_EBX
9 : MOV dword  VM_Stack[1] , 0x0C
10 : ADD VM_Stack[0] , VM_Stack[0]
11 : MOV dword  VM_Stack[0] , [VM_Stack[0]]
12 : MOV dword VM_ECX , VM_Stack[0]
13 : MOV dword  VM_Stack[0] ,VM_EDI
14 : MOV dword  VM_Stack[1] , 0x0FFFFFFFF
15 : OR dword  VM_Stack[0] , [VM_Stack[1]]
16 : MOV dword VM_EDI , VM_Stack[0]
17 : MOV dword  VM_Stack[0] ,VM_ECX
18 : MOV dword  VM_Stack[1] ,VM_ECX
19 : TEST dword  VM_Stack[0] , [VM_Stack[1]]
20 : MOVZFSF VM_VAR2 , VM_VAR1
21 : TEST VM_Stack[9]<>0 , JMP 63
22 : MOV dword  VM_Stack[0] ,VM_EBX
23 : MOV dword  VM_Stack[1] , 0x08
24 : ADD VM_Stack[0] , VM_Stack[0]
25 : MOV dword  VM_Stack[0] , [VM_Stack[0]]
26 : MOV dword VM_ESI , VM_Stack[0]
27 : MOV dword  VM_Stack[0] ,VM_EBX
28 : MOV dword  VM_Stack[1] , 0x0FFFFFFFC
29 : ADD VM_Stack[0] , VM_Stack[0]
30 : MOV dword VM_EBX , VM_Stack[0]
31 : MOV dword  VM_Stack[1] ,VM_ESP
32 : MOV dword  [VM_Stack[0]] , VM_Stack[1]
33 : MOV dword  VM_Stack[0] ,VM_EDI
34 : MOV dword VM_EBP , VM_Stack[0]
35 : MOV dword  VM_Stack[0] ,VM_ESP
36 : MOV dword  VM_Stack[1] ,VM_ESP
37 : XOR dword  VM_Stack[0] , [VM_Stack[1]]
38 : MOV VM_EFL, VM_VAR1
39 : MOV dword VM_ESP , VM_Stack[0]
40 : MOV dword  VM_Stack[0] ,VM_ESI
41 : MOV byte  VM_Stack[0] , [VM_Stack[0]]
42 : MOV byte VM_ESP , VM_Stack[0]
43 : MOV dword  VM_Stack[0] ,VM_EBP
44 : MOV dword  VM_Stack[1] , 0x0FF
45 : AND dword  VM_Stack[0] , [VM_Stack[1]]
46 : MOV dword VM_EBP , VM_Stack[0]
47 : MOV dword  VM_Stack[0] ,VM_EBP
48 : MOV dword  VM_Stack[1] ,VM_ESP
49 : XOR dword  VM_Stack[0] , [VM_Stack[1]]
50 : MOV VM_EFL, VM_VAR1
51 : MOV dword VM_EBP , VM_Stack[0]
52 : MOV dword  VM_Stack[0] ,VM_EDI
53 : MOV dword  VM_Stack[1] , 0x08
54 : SHR dword  VM_Stack[0] , [VM_Stack[1]]
55 : MOV dword VM_EDI , VM_Stack[0]
56 : MOV dword  VM_Stack[0] ,VM_EBP
57 : MOV dword  VM_Stack[1] , 0x04
58 : MUL VM_Stack[0] , VM_Stack[0]
59 : MOV dword  VM_Stack[1] , 0x040ECE0
60 : ADD VM_Stack[0] , VM_Stack[0]
61 : MOV dword  VM_Stack[0] , [VM_Stack[0]]
62 : MOV dword VM_EBP , VM_Stack[0]
63 : MOV dword  VM_Stack[0] ,VM_EDI
64 : MOV dword  VM_Stack[1] ,VM_EBP
65 : OR dword  VM_Stack[0] , [VM_Stack[1]]
66 : MOV VM_EFL, VM_VAR1
67 : MOV dword VM_EDI , VM_Stack[0]
68 : MOV dword  VM_Stack[0] ,VM_ESI
69 : MOV dword  VM_Stack[1] , 0x01
70 : ADD dword  VM_Stack[0] , [VM_Stack[1]]
71 : MOV dword VM_ESI , VM_Stack[0]
72 : MOV dword  VM_Stack[0] ,VM_ECX
73 : MOV dword  VM_Stack[1] , 0x01
74 : SUB dword  VM_Stack[0] , [VM_Stack[1]]
75 : MOV dword VM_ECX , VM_Stack[0]
76 : MOVZFSF VM_VAR2 , VM_VAR1
77 : TEST VM_Stack[9]<>0 , JMP 268435411
78 : MOV dword  VM_Stack[0] ,VM_EBX
79 : MOV dword  VM_Stack[1] , [VM_Stack[0]]
80 : MOV dword VM_ESP , VM_Stack[1]
81 : MOV dword  VM_Stack[0] ,VM_EBX
82 : MOV dword  VM_Stack[1] , 0x04
83 : ADD VM_Stack[0] , VM_Stack[0]
84 : MOV dword VM_EBX , VM_Stack[0]
85 : MOV dword  VM_Stack[0] ,VM_EDI
86 : NOT dword  VM_Stack[0] , [VM_Stack[1]]
87 : MOV dword VM_EDI , VM_Stack[0]
88 : MOV dword  VM_Stack[0] ,VM_EBX
89 : MOV dword  VM_Stack[1] , [VM_Stack[0]]
90 : MOV dword VM_ECX , VM_Stack[1]
91 : MOV dword  VM_Stack[0] ,VM_EBX
92 : MOV dword  VM_Stack[1] , 0x04
93 : ADD VM_Stack[0] , VM_Stack[0]
94 : MOV dword VM_EBX , VM_Stack[0]
95 : MOV dword  VM_Stack[0] ,VM_EBX
96 : MOV dword  VM_Stack[7] , [VM_Stack[0]]
97 : MOV dword  VM_Stack[0] ,VM_EBX
98 : MOV dword  VM_Stack[1] , 0x04
99 : ADD VM_Stack[0] , VM_Stack[0]
100 : MOV dword VM_EBX , VM_Stack[0]
101 : MOV VM_EFL, VM_VAR1
102 : VM_RtlLeaveCriticalSection

3:
1 : MOV VM_VAR1 , VM_EFL
2 : MOV dword  VM_Stack[0] ,VM_EBX
3 : MOV dword  VM_Stack[1] , 0x08
4 : ADD dword  VM_Stack[0] , [VM_Stack[1]]
5 : MOV dword VM_EBX , VM_Stack[0]
6 : MOV dword  VM_Stack[0] ,VM_ECX
7 : MOV dword  VM_Stack[1] , 0x0C
8 : ADD VM_Stack[0] , VM_Stack[0]
9 : MOV dword  VM_Stack[1] , [VM_Stack[0]]
10 : MOV dword  VM_Stack[0] ,VM_EDI
11 : SUB dword  VM_Stack[0] , [VM_Stack[1]]
12 : MOVZFSF VM_VAR2 , VM_VAR1
13 : TEST VM_Stack[9]<>0 , JMP 5
14 : MOV dword  VM_Stack[0] ,VM_EDX
15 : MOV dword  VM_Stack[1] , 0x02C
16 : SUB VM_Stack[0] , VM_Stack[0]
17 : MOV dword  VM_Stack[1] , 0x01
18 : MOV dword  [VM_Stack[0]] , VM_Stack[1]
19 : MOV dword  VM_Stack[0] ,VM_EBX
20 : MOV dword  VM_Stack[1] , [VM_Stack[0]]
21 : MOV dword VM_ECX , VM_Stack[1]
22 : MOV dword  VM_Stack[0] ,VM_EBX
23 : MOV dword  VM_Stack[1] , 0x04
24 : ADD VM_Stack[0] , VM_Stack[0]
25 : MOV dword VM_EBX , VM_Stack[0]
26 : MOV VM_EFL, VM_VAR1

Work out where the error is yourselves.
The analysis source code (Delphi) is attached.

Latest replies (7)

#2 ccfer 2010-11-1 12:25
How much is human flesh per jin?
#3 GuluYZ 2010-11-1 12:26
4 kuai (块)~~!
#4 moonife 2010-11-1 12:31
Can't buy it.
I just ignored it, watched how VMContext changed, and could see it that way too.
Then I took a guess, and sure enough the XOR operation had deliberately been written as an OR.
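The OR-for-XOR observation above is consistent with reading the three listings in the original post as a table-driven CRC-32: block 1 fills a 256-entry table between 0x40ECE0 and 0x40F0E0 using the polynomial 0xEDB88320, block 2 starts EDI at 0xFFFFFFFF, runs the per-byte loop (instruction 65 combines EDI with the table entry using OR) and finishes with NOT, and block 3 compares the result with a stored value and writes 1 on a match. The Python below is an added example written for this thread; it is neither the poster's Delphi tool nor the crackme's own code, and the CRC-32 interpretation, the function names and the sample input are my assumptions. It rebuilds the table exactly as block 1 does, runs the block 2 loop with the combine step selectable as OR (as listed) or XOR (as CRC-32 requires), and checks the XOR variant against zlib.

```python
import zlib

# Constants taken from the VM listings in the original post (assumed to be a CRC-32)
POLY = 0xEDB88320        # block 1, instruction 29
TABLE_BASE = 0x40ECE0    # block 1, instruction 13; block 2, instruction 59
TABLE_END = 0x40F0E0     # block 1, instruction 56: 0x400 bytes = 256 dwords
MASK32 = 0xFFFFFFFF


def build_table():
    """Block 1: for EBP = 0..255, EDI = EBP is shifted right 8 times (ECX = 8),
    XORing in POLY whenever the low bit was set, then stored at TABLE_BASE + 4*EBP."""
    table = []
    for index in range((TABLE_END - TABLE_BASE) // 4):
        edi = index
        for _ in range(8):
            if edi & 1:                      # TEST byte EDI, 1
                edi = (edi >> 1) ^ POLY      # SHR 1, then XOR 0xEDB88320
            else:
                edi >>= 1                    # SHR 1 only
        table.append(edi)
    return table


def vm_crc(data, table, combine_with_or=False):
    """Block 2: EDI = 0xFFFFFFFF; per byte, EBP = table[(EDI & 0xFF) ^ byte],
    EDI >>= 8, then EDI is combined with EBP.  The listing uses OR at
    instruction 65; a correct CRC-32 uses XOR.  Returns NOT EDI (instruction 86)."""
    edi = MASK32
    for byte in data:
        ebp = (edi & 0xFF) ^ byte            # AND 0xFF, XOR with the input byte
        edi >>= 8                            # SHR 8
        ebp = table[ebp]                     # [0x40ECE0 + EBP*4]
        edi = (edi | ebp) if combine_with_or else (edi ^ ebp)
    return (~edi) & MASK32


def vm_check(data, expected, combine_with_or=False):
    """Block 3: SUB EDI, [ECX+0xC]; on a match write 1 to [EDX-0x2C].
    Returns that flag (1 on match, 0 otherwise)."""
    value = vm_crc(data, build_table(), combine_with_or)
    return 1 if value == expected else 0


def reference_crc(data):
    """Standard CRC-32 from zlib, for comparison."""
    return zlib.crc32(data) & MASK32


if __name__ == "__main__":
    sample = b"kanxue"                       # constructed sample input
    tbl = build_table()
    print("XOR step (correct CRC-32): 0x%08X" % vm_crc(sample, tbl))
    print("OR  step (as in listing) : 0x%08X" % vm_crc(sample, tbl, True))
    print("zlib.crc32               : 0x%08X" % reference_crc(sample))
```

The OR variant can only ever set bits in EDI, so it drifts toward 0xFFFFFFFF and the final NOT pushes the result toward zero; that is why watching VMContext makes the wrong operator stand out even before the listing is fully read.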
#5 codegame 2010-11-1 12:49
VM00_Instruction: RtlLeaveCriticalSection
VM01_Instruction: mov VM_Stack[8] , VM_EFL
VM02_Instruction: mov VM_EFL , VM_Stack[8]
VM03_Instruction: mov VM_Ptr VM_Register[VM_OP1] , VM_Stack[VM_OP2]
VM04_Instruction: mov VM_Ptr VM_Stack[VM_OP1] , VM_Register[VM_OP2]
VM05_Instruction: mov VM_Ptr VM_Stack[VM_OP1] , VM_Stack[VM_OP2]
VM06_Instruction: mov VM_Ptr VM_Stack[VM_OP1] , VM_OP2
VM07_Instruction: mov VM_Ptr [VM_Stack[VM_OP1]] , VM_Stack[VM_OP2]
VM08_Instruction: mov VM_Ptr VM_Stack[VM_OP1] , [VM_Stack[VM_OP2]]
VM09_Instruction: add VM_Stack[0] ,VM_Stack[1]
VM10_Instruction: sub VM_Stack[0] ,VM_Stack[1]
VM11_Instruction: mul VM_Stack[0] ,VM_Stack[1]
VM12_Instruction: div VM_Stack[0] ,VM_Stack[1]
VM13_Instruction: mov VM_Stack[9], ZFSF(VM_Stack[8])
VM14_Instruction: test VM_Stack[9] <>0 ; VM_EIP = VM_EIP + (VM_OP1 shl 4)
VM15_Instruction: add VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM16_Instruction: sub VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM17_Instruction: mul VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM18_Instruction: div VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM19_Instruction: test VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM20_Instruction: and VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM21_Instruction: xor VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM22_Instruction: or  VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM23_Instruction: not VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM24_Instruction: shr VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM25_Instruction: sar VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM2627_Instruction: shl VM_Ptr VM_Stack[0] ,VM_Stack[1] ; mov VM_Stack[8],EFL
VM2829_Instruction: nop
#6 lelfei 2010-11-1 12:57
Shouldn't that be 4 blocks (块) of VM code?
#7 ccfer 2010-11-1 13:16
Floor 3 was answering my question on floor 2.
#8 codegame 2010-11-1 14:25
Nice one, I only just got it.