VMP分析二:堆栈运算
加密源代码如下:
/*
 * Test program whose VMProtect-virtualized section is traced below.
 *
 * The six general-purpose registers are seeded with distinctive constants
 * before the protected region so that their values can be recognised in the
 * handler trace (they reappear there as e.g. "reg=08 aaaaaaaa").  The
 * protected region itself is a trivial add of two stack locals; in the trace
 * it shows up as the two constants 0x1000 and 0x2000 being written to the
 * frame, followed by a store of their sum 0x3000.
 *
 * Parameters: MSVC TCHAR-style entry point; argc and argv are not used.
 * Returns:    0.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    printf("start test vmp");   /* progress marker; literal has no trailing newline */
    int a,b,c;
    /* Seed the registers with recognisable values before entering the VM. */
    __asm mov eax,0xAAAAAAAA;
    __asm mov ebx,0xBBBBBBBB;
    __asm mov ecx,0xcccccccc;
    __asm mov edx,0xdddddddd;
    __asm mov esi,0x99999999;
    __asm mov edi,0x88888888;
    VMProtectBegin(NULL);       /* start of the region handed to the VMProtect VM */
    a = 0x1000;
    b = 0x2000;
    c = a + b;                  /* the only real work inside the virtualized region */
    VMProtectEnd();             /* end of the virtualized region */
    return 0;
}
func3_mov_dw[edi]_dw[ebp] | reg=24 0 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff d4aa13e func40_add_dw[ebp]_[ebp+4] | reg=ff d4aa13e 202 func3_mov_dw[edi]_dw[ebp] | reg=28 202 func3_mov_dw[edi]_dw[ebp] | reg=10 d4aa13e func3_mov_dw[edi]_dw[ebp] | reg=2c dddddddd func3_mov_dw[edi]_dw[ebp] | reg=18 cccccccc func3_mov_dw[edi]_dw[ebp] | reg=30 18feb8 func3_mov_dw[edi]_dw[ebp] | reg=28 88888888 func3_mov_dw[edi]_dw[ebp] | reg=14 18ff34 func3_mov_dw[edi]_dw[ebp] | reg=04 bbbbbbbb func3_mov_dw[edi]_dw[ebp] | reg=08 aaaaaaaa func3_mov_dw[edi]_dw[ebp] | reg=00 202 func3_mov_dw[edi]_dw[ebp] | reg=1c 99999999 func3_mov_dw[edi]_dw[ebp] | reg=34 ca661051 func3_mov_dw[edi]_dw[ebp] | reg=20 b9a7ee09 func6_push_dw[ebp]_dw[edi] | reg=00 202 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff 5b209bf3 func27_push_dw[ebp]_w[esi] | reg=ff fffffeff func6_push_dw[ebp]_dw[edi] | reg=00 202 func6_push_dw[ebp]_dw[edi] | reg=00 202 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdfd 282 func3_mov_dw[edi]_dw[ebp] | reg=38 282 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 0 246 func3_mov_dw[edi]_dw[ebp] | reg=38 246 func3_mov_dw[edi]_dw[ebp] | reg=3c 0 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff 5b209882 func12_push_dw[ebp]_ebp | reg=ff 18fecc func29_push_w[ebp]_b[esi] | reg=ff 4 func31_ push_dw[ebp]_b[esi] | reg=ff ffffffbf func6_push_dw[ebp]_dw[edi] | reg=38 246 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 0 246 func3_mov_dw[edi]_dw[ebp] | reg=3c 246 func5_shr_dw[ebp]_b[ebp+4] | reg=ff 0 246 func3_mov_dw[edi]_dw[ebp] | reg=20 246 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fecc 206 func3_mov_dw[edi]_dw[ebp] | reg=20 206 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 5b209882 func3_mov_dw[edi]_dw[ebp] | reg=00 5b209882 func3_mov_dw[edi]_dw[ebp] | reg=3c 5b209882 func3_mov_dw[edi]_dw[ebp] | reg=3c 5b209bf3 func6_push_dw[ebp]_dw[edi] | reg=00 5b209882 func3_mov_dw[edi]_dw[ebp] | reg=34 5b209882 func6_push_dw[ebp]_dw[edi] | reg=34 5b209882 
func12_push_dw[ebp]_ebp | reg=ff 18fed0 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 5b209882 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff a4df677d 286 func3_mov_dw[edi]_dw[ebp] | reg=0c 286 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff a4973dea func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 5b208000 206 func3_mov_dw[edi]_dw[ebp] | reg=20 206 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff 5b68c215 func6_push_dw[ebp]_dw[edi] | reg=34 5b209882 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff a4972568 282 func3_mov_dw[edi]_dw[ebp] | reg=00 282 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 485a97 202 func3_mov_dw[edi]_dw[ebp] | reg=00 202 func3_mov_dw[edi]_dw[ebp] | reg=0c 485a97 func6_push_dw[ebp]_dw[edi] | reg=18 cccccccc func6_push_dw[ebp]_dw[edi] | reg=34 5b209882 func6_push_dw[ebp]_dw[edi] | reg=04 bbbbbbbb func6_push_dw[ebp]_dw[edi] | reg=28 88888888 func6_push_dw[ebp]_dw[edi] | reg=1c 99999999 func6_push_dw[ebp]_dw[edi] | reg=10 d4aa13e func6_push_dw[ebp]_dw[edi] | reg=18 cccccccc func6_push_dw[ebp]_dw[edi] | reg=2c dddddddd func6_push_dw[ebp]_dw[edi] | reg=08 aaaaaaaa func6_push_dw[ebp]_dw[edi] | reg=38 246 func6_push_dw[ebp]_dw[edi] | reg=14 18ff34 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff f2b55ec2 func6_push_dw[ebp]_dw[edi] | reg=10 d4aa13e func40_add_dw[ebp]_[ebp+4] | reg=ff 0 257 func3_mov_dw[edi]_dw[ebp] | reg=30 257 func6_push_dw[ebp]_dw[edi] | reg=24 0 func6_push_dw[ebp]_dw[edi] | reg=0c 485a97 func24_ jmp_dw[ebp] | reg=ff func3_mov_dw[edi]_dw[ebp] | reg=28 0 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff d4aa13e func40_add_dw[ebp]_[ebp+4] | reg=ff d4aa13e 202 func3_mov_dw[edi]_dw[ebp] | reg=3c 202 func3_mov_dw[edi]_dw[ebp] | reg=30 d4aa13e func3_mov_dw[edi]_dw[ebp] | reg=18 18ff34 func3_mov_dw[edi]_dw[ebp] | reg=38 246 func3_mov_dw[edi]_dw[ebp] | reg=08 aaaaaaaa func3_mov_dw[edi]_dw[ebp] | reg=04 dddddddd func3_mov_dw[edi]_dw[ebp] | reg=10 cccccccc func3_mov_dw[edi]_dw[ebp] | reg=00 d4aa13e 
func6_push_dw[ebp]_dw[edi] | reg=00 d4aa13e func6_push_dw[ebp]_dw[edi] | reg=00 d4aa13e func8_nor_dw[ebp]_dw[ebp+4] | reg=ff f2b55ec1 282 func3_mov_dw[edi]_dw[ebp] | reg=2c 282 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff a4973dea func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 9488014 206 func3_mov_dw[edi]_dw[ebp] | reg=0c 206 func6_push_dw[ebp]_dw[edi] | reg=00 d4aa13e func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff 5b68c215 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff a0951cc0 286 func3_mov_dw[edi]_dw[ebp] | reg=0c 286 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 5622632b 206 func3_mov_dw[edi]_dw[ebp] | reg=24 206 func3_mov_dw[edi]_dw[ebp] | reg=2c 5622632b func3_mov_dw[edi]_dw[ebp] | reg=1c 99999999 func3_mov_dw[edi]_dw[ebp] | reg=0c 88888888 func3_mov_dw[edi]_dw[ebp] | reg=3c bbbbbbbb func3_mov_dw[edi]_dw[ebp] | reg=34 5b209882 func3_mov_dw[edi]_dw[ebp] | reg=14 cccccccc func3_mov_dw[edi]_dw[ebp] | reg=20 202 func6_push_dw[ebp]_dw[edi] | reg=20 202 func12_push_dw[ebp]_ebp | reg=ff 18fed4 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 202 func8_nor_dw[ebp]_dw[ebp+4] | reg=ff fffffdfd 282 func3_mov_dw[edi]_dw[ebp] | reg=14 282 func27_push_dw[ebp]_w[esi] | reg=ff 8ff func8_nor_dw[ebp]_dw[ebp+4] | reg=ff 200 206 func3_mov_dw[edi]_dw[ebp] | reg=14 206 func15_pop_dw[eflag]_dw[ebp] | reg=ff func31_ push_dw[ebp]_b[esi] | reg=ff 4 func31_ push_dw[ebp]_b[esi] | reg=ff 8 func12_push_dw[ebp]_ebp | reg=ff 18fed0 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fed8 206 func3_mov_dw[edi]_dw[ebp] | reg=38 206 func40_add_dw[ebp]_[ebp+4] | reg=ff 18fedc 202 func3_mov_dw[edi]_dw[ebp] | reg=38 202 func36_mov_dwEbp_dw[ebp] | reg=ff ;以上是VMP固有代码,第一段检测TF标志,后面的基本是无用handler func31_ push_dw[ebp]_b[esi] | reg=ff fffffff8 func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 ;取出EBP func31_ push_dw[ebp]_b[esi] | reg=ff fffffffc func27_push_dw[ebp]_w[esi] | reg=ff 2000 ;取出一个常量 func31_ push_dw[ebp]_b[esi] | reg=ff fffffff8 ; func27_push_dw[ebp]_w[esi] | reg=ff 1000 func31_ push_dw[ebp]_b[esi] | 
reg=ff fffffffc func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 ;取出EBP func40_add_dw[ebp]_[ebp+4] | reg=ff 18ff30 217 ; [ebp - c] func3_mov_dw[edi]_dw[ebp] | reg=34 217 func41_mov_dw[ss:mm]_dw[ebp+4] | reg=ff 1000 eax=18ff30 ; mov [ebp - c] = 0x1000 func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 func40_add_dw[ebp]_[ebp+4] | reg=ff 18ff2c 203 ; ebp - 8 func3_mov_dw[edi]_dw[ebp] | reg=24 203 func41_mov_dw[ss:mm]_dw[ebp+4] | reg=ff 2000 eax=18ff2c ;mov [ebp - 8] = 0x2000 func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 func40_add_dw[ebp]_[ebp+4] | reg=ff 18ff30 217 ; ebp - c func3_mov_dw[edi]_dw[ebp] | reg=34 217 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 1000 ; push [ebp - c] func3_mov_dw[edi]_dw[ebp] | reg=24 1000 ;保存到REG24 func40_add_dw[ebp]_[ebp+4] | reg=ff 18ff2c 203 func3_mov_dw[edi]_dw[ebp] | reg=34 203 func7_push_dw[ebp]_dw[ss:mm] | reg=ff 2000 func6_push_dw[ebp]_dw[edi] | reg=24 1000 func40_add_dw[ebp]_[ebp+4] | reg=ff 3000 206 func3_mov_dw[edi]_dw[ebp] | reg=08 206 func3_mov_dw[edi]_dw[ebp] | reg=14 3000 func11_push_dw[ebp]_dw[esi] | reg=ff func18_nor_w[ebp]_w[ebp+2] | reg=ff 427099 func6_push_dw[ebp]_dw[edi] | reg=1c 99999999 func6_push_dw[ebp]_dw[edi] | reg=08 206 func6_push_dw[ebp]_dw[edi] | reg=14 3000 func6_push_dw[ebp]_dw[edi] | reg=3c bbbbbbbb func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 func6_push_dw[ebp]_dw[edi] | reg=0c 88888888 func6_push_dw[ebp]_dw[edi] | reg=2c 5622632b func6_push_dw[ebp]_dw[edi] | reg=14 3000 func6_push_dw[ebp]_dw[edi] | reg=18 18ff34 func31_ push_dw[ebp]_b[esi] | reg=ff fffffff4 func40_add_dw[ebp]_[ebp+4] | reg=ff 18ff28 207 func3_mov_dw[edi]_dw[ebp] | reg=38 207 func41_mov_dw[ss:mm]_dw[ebp+4] | reg=ff 3000 eax=18ff28 ; MOV [EBP - 4] = 0x3000 func6_push_dw[ebp]_dw[edi] | reg=10 cccccccc func6_push_dw[ebp]_dw[edi] | reg=04 dddddddd func6_push_dw[ebp]_dw[edi] | reg=3c bbbbbbbb func6_push_dw[ebp]_dw[edi] | reg=0c 88888888