IDA Pro - 如何得到比较清楚的逆向伪代码

原文地址:Question about disassembler

简介

这篇文章介绍了如何在不使用插件的IDA Hex-Rays如何得到比较清晰的伪代码。IDA Hex-Rays功能很强大,只要你提供了足够多的信息,它就能产生十分简单明了的代码。

下面我们以下面这个二进制文件为例:

为了方便我直接把exe文件后缀改成jpg,下载下来把文件后缀改回exe就行了

二进制文件下载地址:

步骤

打开IDA Pro加载这个exe文件,先按shitf + F5,添加vc32_14, vc32rtf, vc32ucrt这三个符号签名文件。

这个exe文件的main函数不太好找,我们先定位到exe文件的入口,按F5得到以下结果

signed int __usercall start@<eax>(int a1@<ebp>, int a2@<esi>)
{
  char v2; // bl
  int v4; // ST14_4
  _DWORD *v5; // eax
  _DWORD *v6; // esi
  _DWORD *v7; // eax
  _DWORD *v8; // esi
  const char **v9; // edi
  int *v10; // esi
  const char **v11; // eax

  sub_4018B4();
  if ( !(unsigned __int8)__scrt_initialize_crt(1)
    || (v2 = 0, *(_BYTE *)(a1 - 25) = 0, *(_DWORD *)(a1 - 4) = 0, *(_BYTE *)(a1 - 36) = sub_401631(), dword_41CC40 == 1) )
  {
    __scrt_fastfail(7);
    goto LABEL_20;
  }
  if ( dword_41CC40 )
  {
    v2 = 1;
    *(_BYTE *)(a1 - 25) = 1;
  }
  else
  {
    dword_41CC40 = 1;
    if ( _initterm_e(&unk_415140, &unk_415158) )
    {
      *(_DWORD *)(a1 - 4) = -2;
      return 255;
    }
    _initterm(&unk_415134, &unk_41513C);
    dword_41CC40 = 2;
  }
  __scrt_release_startup_lock(*(_DWORD *)(a1 - 36));
  v5 = (_DWORD *)sub_40196C(v4);
  v6 = v5;
  if ( *v5 )
  {
    if ( (unsigned __int8)__scrt_is_nonwritable_in_current_image(v5) )
      ((void (__thiscall *)(_DWORD, _DWORD, signed int, _DWORD))*v6)(*v6, 0, 2, 0);
  }
  v7 = (_DWORD *)sub_401972();
  v8 = v7;
  if ( *v7 )
  {
    if ( (unsigned __int8)__scrt_is_nonwritable_in_current_image(v7) )
      _register_thread_local_exe_atexit_callback(*v8);
  }
  v9 = *(const char ***)sub_406ACE();
  v10 = (int *)sub_406AC8();
  v11 = (const char **)unknown_libname_31();
  a2 = main(*v10, v9, v11);
  if ( !(unsigned __int8)sub_401A94() )
LABEL_20:
    exit(a2);
  if ( !v2 )
    _cexit();
  __scrt_uninitialize_crt(1, 0);
  *(_DWORD *)(a1 - 4) = -2;
  return a2;
}

注意下面的代码

  a2 = main(*v10, v9, v11);
  if ( !(unsigned __int8)sub_401A94() )
LABEL_20:
    exit(a2);

exit函数的参数应该就是主函数的返回值。

定位到到main函数

.text:00401390                 mov     esi, eax
.text:00401392                 call    sub_406312
.text:00401392
.text:00401397                 push    eax             ; envp
.text:00401398                 push    edi             ; argv
.text:00401399                 push    dword ptr [esi] ; argc
.text:0040139B                 call    main

按F5,我们会得到以下代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE v3; // esi
  CHAR v4; // al
  int v5; // ecx
  unsigned int v6; // esi
  char v7; // bl
  __int128 v9; // [esp+4h] [ebp-22Ch]
  int v10; // [esp+14h] [ebp-21Ch]
  int v11; // [esp+18h] [ebp-218h]
  __int16 v12; // [esp+1Ch] [ebp-214h]
  char v13; // [esp+1Eh] [ebp-212h]
  int v14; // [esp+20h] [ebp-210h]
  char v15; // [esp+24h] [ebp-20Ch]
  CHAR Buffer[256]; // [esp+124h] [ebp-10Ch]
  int v17; // [esp+224h] [ebp-Ch]
  char v18; // [esp+228h] [ebp-8h]

  v3 = GetModuleHandleA(0);
  memset(Buffer, 0, 0xFFu);
  memset(&v15, 0, 0xFFu);
  if ( !LoadStringA(v3, 0x539u, Buffer, 255) )
    return -1;
  v4 = Buffer[0];
  if ( Buffer[0] )
  {
    v5 = 0;
    do
    {
      *((_BYTE *)&v14 + ++v5 + 3) = v4 ^ 0x30;
      v4 = Buffer[v5];
    }
    while ( v4 );
  }
  memset(Buffer, 0, 0xFFu);
  if ( !LoadStringA(v3, 0x29Au, Buffer, 255) )
    return -1;
  v17 = 0;
  v18 = 0;
  v14 = 5;
  if ( RegGetValueA(-2147483647, &v15, Buffer, 0xFFFF, 0, &v17, &v14) )
    return -1;
  v6 = 0;
  v9 = xmmword_4194E0;
  v10 = 55858812;
  v7 = 114;
  v11 = 1157851502;
  v12 = 20051;
  v13 = 0;
  do
  {
    sub_401010((const char *)&unk_4194D0, v7 ^ *((_BYTE *)&v17 + v6 % (v14 - 1)));
    v7 = *((_BYTE *)&v9 + v6++ + 1);
  }
  while ( v7 );
  return 0;
}

看起来确实很乱,但我们可以帮助反汇编器给出一个稍好一点的代码

首先我们有两个memsets

  memset(Buffer, 0, 0xFFu);
  memset(&v15, 0, 0xFFu);

Buffer和v15的原型应该是char name[0xFF]。点击Buffer然后按y键,把Buffer的类型改成char name[0xFF],对v15做同样的事即可。

此外我们可以给这些变量一个有意义一点的名字,例如buffer_1和buffer_2。点击变量,按n键即可修改变量的名字。

通过查看unk_4194D0我们会发现它是%c,那么sub_401010这个函数应该就是printf函数了,重命名sub_401010printf,把printf的函数原型改成int printf(const char *format, ...)

LoadStringARegGetValueA里的数字通过按H键转换成十六进制,这样子看起来方便些,然后把其他的一些变量名也改成有意义的字符。

这样子我们就得到下面的代码了:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  __int128 xored_flag; // [esp+4h] [ebp-22Ch]
  int part_of_xored_flag; // [esp+14h] [ebp-21Ch]
  int part_of_xored_flag_1; // [esp+18h] [ebp-218h]
  __int16 part_of_xored_flag_2; // [esp+1Ch] [ebp-214h]
  char part_of_xored_flag_3; // [esp+1Eh] [ebp-212h]
  int some_buff; // [esp+20h] [ebp-210h]
  char buff_2[255]; // [esp+24h] [ebp-20Ch]
  char buff_1[255]; // [esp+124h] [ebp-10Ch]
  int xor_key_buff; // [esp+224h] [ebp-Ch]
  char v18; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      *((_BYTE *)&some_buff + ++i + 3) = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  xor_key_buff = 0;
  v18 = 0;
  some_buff = 5;
  if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, &xor_key_buff, &some_buff) )
    return -1;
  cou = 0;
  xored_flag = xmmword_4194E0;
  part_of_xored_flag = 0x354567C;
  xor_byte = 0x72;
  part_of_xored_flag_1 = 0x4503696E;
  part_of_xored_flag_2 = 0x4E53;
  part_of_xored_flag_3 = 0;
  do
  {
    printf("%c", xor_byte ^ *((char *)&xor_key_buff + cou % (some_buff - 1)));
    xor_byte = *((_BYTE *)&xored_flag + cou++ + 1);
  }
  while ( xor_byte );
  return 0;
}

看起来清爽了一点,但还是有点乱。

下面我们看看能对```some_buff做些什么,双击some_buff`我们会跳转到栈视图。

-0000022C xored_flag      db ?
-0000022B                 db ? ; undefined
-0000022A                 db ? ; undefined
-00000229                 db ? ; undefined
-00000228                 db ? ; undefined
-00000227                 db ? ; undefined
-00000226                 db ? ; undefined
-00000225                 db ? ; undefined
-00000224                 db ? ; undefined
-00000223                 db ? ; undefined
-00000222                 db ? ; undefined
-00000221                 db ? ; undefined
-00000220                 db ? ; undefined
-0000021F                 db ? ; undefined
-0000021E                 db ? ; undefined
-0000021D                 db ? ; undefined
-0000021C                 db ? ; undefined
-0000021B                 db ? ; undefined
-0000021A                 db ? ; undefined
-00000219                 db ? ; undefined
-00000218                 db ? ; undefined
-00000217                 db ? ; undefined
-00000216                 db ? ; undefined
-00000215                 db ? ; undefined
-00000214                 db ? ; undefined
-00000213                 db ? ; undefined
-00000212                 db ? ; undefined
-00000211                 db ? ; undefined
-00000210 some_buff       dd ?            ; <<<<< our variable
-0000020C buff_2          db 255 dup(?)
-0000010D                 db ? ; undefined
-0000010C buff_1          db 255 dup(?)
-0000000D                 db ? ; undefined
-0000000C xor_key_buff    db ?
-0000000B                 db ? ; undefined
-0000000A                 db ? ; undefined
-00000009                 db ? ; undefined

some_buff是dword或者四个字节,那他应该是一个字符buff,把它的类型改成char a[4]

然后把xor_key_buff的类型设置为char a[4]xored_flag设置为char a[28]buff_1 and buff_2设置为char a[256]

我们就有下面的栈视图了

-0000022C xored_flag      db 28 dup(?)
-00000210 some_buff       db 4 dup(?)
-0000020C buff_2          db 256 dup(?)
-0000010C buff_1          db 256 dup(?)
-0000000C xor_key_buff    db 4 dup(?)

再点下F5刷新伪代码视图,我们会得到以下主函数伪代码:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  char xored_flag[28]; // [esp+4h] [ebp-22Ch]
  char some_buff[4]; // [esp+20h] [ebp-210h]
  char buff_2[256]; // [esp+24h] [ebp-20Ch]
  char buff_1[256]; // [esp+124h] [ebp-10Ch]
  char xor_key_buff[4]; // [esp+224h] [ebp-Ch]
  char v14; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      some_buff[++i + 3] = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  *(_DWORD *)xor_key_buff = 0;
  v14 = 0;
  *(_DWORD *)some_buff = 5;
  if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )
    return -1;
  cou = 0;
  *(_OWORD *)xored_flag = xmmword_4194E0;
  *(_DWORD *)&xored_flag[16] = 0x354567C;
  xor_byte = 0x72;
  *(_DWORD *)&xored_flag[20] = 0x4503696E;
  *(_WORD *)&xored_flag[24] = 0x4E53;
  xored_flag[26] = 0;
  do
  {
    printf("%c", xor_byte ^ xor_key_buff[cou % (*(_DWORD *)some_buff - 1)]);
    xor_byte = xored_flag[cou++ + 1];
  }
  while ( xor_byte );
  return 0;
}

现在点击RegGetValueA里的0x80000001

if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )

按M选择枚举值HKEY_CURRENT_USER

最后的代码就是这个样子了

int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  char xored_flag[28]; // [esp+4h] [ebp-22Ch]
  char some_buff[4]; // [esp+20h] [ebp-210h]
  char buff_2[256]; // [esp+24h] [ebp-20Ch]
  char buff_1[256]; // [esp+124h] [ebp-10Ch]
  char xor_key_buff[4]; // [esp+224h] [ebp-Ch]
  char v14; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      some_buff[++i + 3] = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  *xor_key_buff = 0;
  v14 = 0;
  *some_buff = 5;
  if ( RegGetValueA(HKEY_CURRENT_USER, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )
    return -1;
  cou = 0;
  *xored_flag = g_xored_flag;
  *&xored_flag[16] = 0x354567C;
  xor_byte = 0x72;
  *&xored_flag[20] = 0x4503696E;
  *&xored_flag[24] = 0x4E53;
  xored_flag[26] = 0;
  do
  {
    printf("%c", xor_byte ^ xor_key_buff[cou % (*some_buff - 1)]);
    xor_byte = xored_flag[cou++ + 1];
  }
  while ( xor_byte );
  return 0;
}
posted @ 2018-12-28 10:33  Antiver  阅读(11013)  评论(0编辑  收藏  举报