VMP分析一:寄存器赋值分析
mov eax,0x12345678 ; 被虚拟化的原始指令(立即数应为 0x12345678: 日志中压入的常量和 VM 退出后的 EAX 都是 12345678)
进入VM前寄存器和堆栈的值
EAX AAAAAAAA
ECX CCCCCCCC
EDX DDDDDDDD
EBX BBBBBBBB
ESP 0018FEE8
EBP EEEEEEEE
ESI 99999999
EDI 88888888
EIP 00427079 TestVmp_.00427079
C 0 ES 002B 32位 0(FFFFFFFF)
P 1 CS 0023 32位 0(FFFFFFFF)
A 0 SS 002B 32位 0(FFFFFFFF)
Z 0 DS 002B 32位 0(FFFFFFFF)
S 0 FS 0053 32位 7EFDD000(FFF)
T 0 GS 002B 32位 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 掩码 1 1 1 1 1 1
0018FEE8 00000000
0018FEEC 00000000
0018FEF0 7EFDE000
0018FEF4 F3B5AB2F
0018FEF8 00000000
0018FEFC 00000000
0018FF00 7EFDE000
0018FF04 00425276 TestVmp_.00425276
0018FF08 9938AD55
0018FF0C 0018FF1C
0018FF10 0018FF70
0018FF14 0042546A TestVmp_.0042546A
0018FF18 F3EA9E37
0018FF1C FFFFFFFE
0018FF20 0018FF2C
------------------------------------------------------------------------------------------------------
Log data, 条目 10
地址=0048417C
消息=0x48417c-->func13_call_dw[ebp]
Log data, 条目 8
地址=004834EE
消息=0x4834ee-->func25_retn_dw[esp]
Log data, 条目 4
地址=004851DF
消息=0x4851df-->func24_ jmp_dw[ebp]
-----------------------------------------------------
dispatch地址 (push dword ptr [esp+0x38] / retn 0x3C: 用 ret 实现到下一 handler 的间接跳转, 注释里的 TestVmp_.00483535 是此刻取到的目标)
00484256 FF7424 38 push dword ptr ss:[esp+0x38] ; TestVmp_.00483535
0048425A C2 3C00 retn 0x3C
----------------------------------------------------------------------------------------------------
func3_mov_dw[edi]_dw[ebp] | reg=3c 0 ;VM入口的 push 0 func11_push_dw[ebp]_dw[esi] | reg=ff 7647153b func40_add_dw[ebp]_[ebp+4] | reg=ff 7647153b 202 func3_mov_dw[edi]_dw[ebp] | reg=04 202 func3_mov_dw[edi]_dw[ebp] | reg=34 7647153b ;类似校验值(7647153b 在各块之间传递, 后面与 89b8eac5 相加恰好为 0) func3_mov_dw[edi]_dw[ebp] | reg=30 99999999 func3_mov_dw[edi]_dw[ebp] | reg=18 dddddddd func3_mov_dw[edi]_dw[ebp] | reg=14 bbbbbbbb func3_mov_dw[edi]_dw[ebp] | reg=04 bbbbbbbb func3_mov_dw[edi]_dw[ebp] | reg=24 eeeeeeee func3_mov_dw[edi]_dw[ebp] | reg=08 206 func3_mov_dw[edi]_dw[ebp] | reg=0c 88888888 func3_mov_dw[edi]_dw[ebp] | reg=20 cccccccc func3_mov_dw[edi]_dw[ebp] | reg=38 aaaaaaaa ;保存寄存器 func3_mov_dw[edi]_dw[ebp] | reg=1c 5ceb61a0 func3_mov_dw[edi]_dw[ebp] | reg=1c 5659631f ;两个常量先后写入同一个 VM 寄存器 1c, 第一个 5ceb61a0 立刻被覆盖(死存储, 疑似垃圾指令) func6_push_dw[ebp]_dw[edi] | reg=08 206 func11_push_dw[ebp]_dw[esi] | reg=ff aac8e133 func11_push_dw[ebp]_dw[esi] | reg=ff aac8de94 func27_push_dw[ebp]_w[esi] | reg=ff fffffeff func6_push_dw[ebp]_dw[edi] | reg=08 206 func6_push_dw[ebp]_dw[edi] | reg=08 206 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdf9 286 ; nor(206,206) == ~206 == fffffdf9 (handler 是 NOR: ~(a|b), 两操作数相同时就是 NOT) func3_mov_dw[edi]_dw[ebp] | reg=1c 286 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 0 246 ; nor( nor(206,206) , nor(100,100) ) == and (206 , 100) == 0 (fffffeff 即 ~100; 注意 nand(nand(a,a),nand(b,b)) 等于 or 而不是 and, 所以这里必须按 NOR 理解) func3_mov_dw[edi]_dw[ebp] | reg=2c 246 func3_mov_dw[edi]_dw[ebp] | reg=00 0 ; 保存结果到VM寄存器 func12_push_dw[ebp]_ebp | reg=ff 18fed8 func29_push_w[ebp]_b[esi] | reg=ff 4 func6_push_dw[ebp]_dw[edi] | reg=2c 246 ; 取出 and (206 , 100) 的标志 func6_push_dw[ebp]_dw[edi] | reg=2c 246 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdb9 282 ;nor(246,246) == ~246 func3_mov_dw[edi]_dw[ebp] | reg=00 282 func31_ push_dw[ebp]_b[esi] | reg=ff ffffffbf func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 40 202 ; nor( nor(246,246), nor(40,40) ) == and (246 , 40) == 40, 即单独取出 ZF(bit 6) func3_mov_dw[edi]_dw[ebp] | reg=00 202 func5_shr_dw[ebp]_b[ebp+4] | reg=ff 4 202 ;将 and (246 , 40) 的结果右移 4 位: ZF=1 得 4, ZF=0 得 0 func3_mov_dw[edi]_dw[ebp] | reg=00 202 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fedc 202 func3_mov_dw[edi]_dw[ebp] | reg=00 202 ;右移的结果与 18fed8 相加得到 18fedc: 按 ZF 在栈上两个加密目标(18fed8=aac8de94, 18fedc=aac8e133)中二选一, 这是条件分支的典型实现 
func7_push_dw[ebp]_dw[ss:mm] | reg=ff aac8e133 ;取出 18fedc 中的值(被选中的加密跳转目标 aac8e133) func3_mov_dw[edi]_dw[ebp] | reg=28 aac8e133 func3_mov_dw[edi]_dw[ebp] | reg=1c aac8de94 func3_mov_dw[edi]_dw[ebp] | reg=10 aac8e133 func6_push_dw[ebp]_dw[edi] | reg=28 aac8e133 func12_push_dw[ebp]_ebp | reg=ff 18fedc func7_push_dw[ebp]_dw[ss:mm] | reg=ff aac8e133 func3_mov_dw[edi]_dw[ebp] | reg=10 aac8e133 func12_push_dw[ebp]_ebp | reg=ff 18fedc func7_push_dw[ebp]_dw[ss:mm] | reg=ff aac8e133 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 55371ecc 206 ;nor(aac8e133,aac8e133) == ~aac8e133 == 55371ecc, EFL=206 func3_mov_dw[edi]_dw[ebp] | reg=1c 206 func11_push_dw[ebp]_dw[esi] | reg=ff 557f7e2b func8_nor_dw[ebp]_dw[ebp+4] | reg=ff aa808110 282 func3_mov_dw[edi]_dw[ebp] | reg=28 282 func11_push_dw[ebp]_dw[esi] | reg=ff aa8081d4 func6_push_dw[ebp]_dw[edi] | reg=10 aac8e133 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 55371e08 202 func3_mov_dw[edi]_dw[ebp] | reg=28 202 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 4860e7 206 func3_mov_dw[edi]_dw[ebp] | reg=28 206 func3_mov_dw[edi]_dw[ebp] | reg=00 4860e7 ;4 次 nor 算出的是 ~(557f7e2b ^ aac8e133) == xor(aa8081d4, aac8e133) == 4860e7 (aa8081d4 即 ~557f7e2b); 注意 xor(557f7e2b,aac8e133) 本身是 ffb79f18, 不是 4860e7 func6_push_dw[ebp]_dw[edi] | reg=34 7647153b func6_push_dw[ebp]_dw[edi] | reg=0c 88888888 func6_push_dw[ebp]_dw[edi] | reg=24 eeeeeeee func6_push_dw[ebp]_dw[edi] | reg=20 cccccccc func6_push_dw[ebp]_dw[edi] | reg=04 bbbbbbbb func6_push_dw[ebp]_dw[edi] | reg=18 dddddddd func6_push_dw[ebp]_dw[edi] | reg=30 99999999 func6_push_dw[ebp]_dw[edi] | reg=38 aaaaaaaa func6_push_dw[ebp]_dw[edi] | reg=2c 246 func6_push_dw[ebp]_dw[edi] | reg=0c 88888888 ; 将寄存器压入栈 func6_push_dw[ebp]_dw[edi] | reg=1c 206 func6_push_dw[ebp]_dw[edi] | reg=34 7647153b ;校验值: 7647153b + 89b8eac5 == 0 (mod 2^32), 下面 add 的结果为 0, EFL=257(CF/ZF 置位) func11_push_dw[ebp]_dw[esi] | reg=ff 89b8eac5 func40_add_dw[ebp]_[ebp+4] | reg=ff 0 257 func3_mov_dw[edi]_dw[ebp] | reg=08 257 ;值保存在堆栈中 func6_push_dw[ebp]_dw[edi] | reg=3c 0 ;VM入口的 push 0 func6_push_dw[ebp]_dw[edi] | reg=00 4860e7 func24_jmp_dw[ebp] | reg=ff ;跳转, 目标就是上面解出的 4860e7 ---------------------------------------------------------------------------------------------------------------------------------------------- 
func3_mov_dw[edi]_dw[ebp] | reg=2c 0 ;push 0 func11_push_dw[ebp]_dw[esi] | reg=ff 7647153b func40_add_dw[ebp]_[ebp+4] | reg=ff 7647153b 202 func3_mov_dw[edi]_dw[ebp] | reg=00 202 func3_mov_dw[edi]_dw[ebp] | reg=38 7647153b ;校验 func3_mov_dw[edi]_dw[ebp] | reg=3c 206 ; 上一块 nor(aac8e133,aac8e133) 产生的 EFL(206) 存入 func6_push_dw[ebp]_dw[edi] | reg=3c 206 func12_push_dw[ebp]_ebp | reg=ff 18feb4 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 206 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdf9 286 ;nor(206,206) == ~206 func3_mov_dw[edi]_dw[ebp] | reg=34 286 func11_push_dw[ebp]_dw[esi] | reg=ff 557f7e2b func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 4 202 func3_mov_dw[edi]_dw[ebp] | reg=14 202 func11_push_dw[ebp]_dw[esi] | reg=ff aa8081d4 func6_push_dw[ebp]_dw[edi] | reg=3c 206 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 557f7c29 202 func3_mov_dw[edi]_dw[ebp] | reg=24 202 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff aa8083d2 286 func3_mov_dw[edi]_dw[ebp] | reg=28 286 func3_mov_dw[edi]_dw[ebp] | reg=10 aa8083d2 func3_mov_dw[edi]_dw[ebp] | reg=1c 88888888 func3_mov_dw[edi]_dw[ebp] | reg=24 246 func3_mov_dw[edi]_dw[ebp] | reg=04 aaaaaaaa func3_mov_dw[edi]_dw[ebp] | reg=0c 99999999 func3_mov_dw[edi]_dw[ebp] | reg=14 dddddddd func3_mov_dw[edi]_dw[ebp] | reg=00 bbbbbbbb func3_mov_dw[edi]_dw[ebp] | reg=34 cccccccc func3_mov_dw[edi]_dw[ebp] | reg=28 eeeeeeee func3_mov_dw[edi]_dw[ebp] | reg=08 88888888 ;保存寄存器 func3_mov_dw[edi]_dw[ebp] | reg=30 7647153b func3_mov_dw[edi]_dw[ebp] | reg=08 206 func6_push_dw[ebp]_dw[edi] | reg=08 206 func12_push_dw[ebp]_ebp | reg=ff 18fee0 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 206 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdf9 286 func3_mov_dw[edi]_dw[ebp] | reg=24 286 func27_push_dw[ebp]_w[esi] | reg=ff 8ff func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 200 206 func3_mov_dw[edi]_dw[ebp] | reg=24 206 ;nor(~206, 8ff) == and(206, ~8ff) == 200: 屏蔽掉 bit0-7(CF/PF/AF/ZF/SF)和 bit11(OF), 只保留 IF; 原注释写的 and(206,286) 不对, 那会得到 206 func15_pop_dw[eflag]_dw[ebp] | reg=ff ;把 200 写回 EFLAGS(TF 和算术标志全部为 0); 是否属于反调试(清 TF)手法从这段日志看不出来, 能确定的只是写入值为 200 func31_ push_dw[ebp]_b[esi] | reg=ff 4 func12_push_dw[ebp]_ebp | reg=ff 18fee0 func31_ push_dw[ebp]_b[esi] | reg=ff 4 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fee4 
206 func3_mov_dw[edi]_dw[ebp] | reg=30 206 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fee8 206 func3_mov_dw[edi]_dw[ebp] | reg=18 206 func36_mov_dwEbp_dw[ebp] | reg=ff ;平衡堆栈: ebp 取 [ebp] = 18fee8, 即进入 VM 前的 ESP func11_push_dw[ebp]_dw[esi] | reg=ff 12345678 func3_mov_dw[edi]_dw[ebp] | reg=20 12345678 ;将常量 12345678 压入堆栈(即 mov eax, 0x12345678 的立即数) func11_push_dw[ebp]_dw[esi] | reg=ff 42708c ;出口跳转地址 42708c, 与退出 VM 后的 EIP 一致 func6_push_dw[ebp]_dw[edi] | reg=20 12345678 ;真实寄存器赋值: 退出时依次压回各寄存器, 12345678 进入 EAX, 其余寄存器保持入口时的值 func6_push_dw[ebp]_dw[edi] | reg=34 cccccccc func6_push_dw[ebp]_dw[edi] | reg=1c 88888888 func6_push_dw[ebp]_dw[edi] | reg=08 206 func6_push_dw[ebp]_dw[edi] | reg=28 eeeeeeee func6_push_dw[ebp]_dw[edi] | reg=00 bbbbbbbb func6_push_dw[ebp]_dw[edi] | reg=10 aa8083d2 func6_push_dw[ebp]_dw[edi] | reg=14 dddddddd func6_push_dw[ebp]_dw[edi] | reg=0c 99999999 func6_push_dw[ebp]_dw[edi] | reg=10 aa8083d2 func6_push_dw[ebp]_dw[edi] | reg=38 7647153b VM_RETN
----------------------------------------------------------------------------------------------------
VM后寄存器和堆栈值 (与进入前比较: 仅 EAX 变为 12345678、EIP 变为 0042708C; ESP、其余通用寄存器、EFL 和栈内容均未改变)
EAX 12345678
ECX CCCCCCCC
EDX DDDDDDDD
EBX BBBBBBBB
ESP 0018FEE8
EBP EEEEEEEE
ESI 99999999
EDI 88888888
EIP 0042708C TestVmp_.0042708C
C 0 ES 002B 32位 0(FFFFFFFF)
P 1 CS 0023 32位 0(FFFFFFFF)
A 0 SS 002B 32位 0(FFFFFFFF)
Z 0 DS 002B 32位 0(FFFFFFFF)
S 0 FS 0053 32位 7EFDD000(FFF)
T 0 GS 002B 32位 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 掩码 1 1 1 1 1 1
0018FEE8 00000000
0018FEEC 00000000
0018FEF0 7EFDE000
0018FEF4 F3B5AB2F
0018FEF8 00000000
0018FEFC 00000000
0018FF00 7EFDE000
0018FF04 00425276 TestVmp_.00425276
0018FF08 9938AD55
0018FF0C 0018FF1C
0018FF10 0018FF70
0018FF14 0042546A TestVmp_.0042546A
0018FF18 F3EA9E37
0018FF1C FFFFFFFE
0018FF20 0018FF2C