原文:https://www.pediy.com/kssd/pediy11/123971.html
『深圳腾讯2010安全技术竞赛』第二阶段第一题是一道虚拟机相关的题目。由于自己之前只接触过一些概念相关的知识,最多看过VMP虚拟化单句代码的效果,再复杂就搞不来了,所以想借此机会加深下对虚拟机的理解。在此把自己的分析过程整理出来,望高手指教。
废话结束,下面进入正题。
刚看了题目要求之后,并不知道程序中有虚拟机。挂上OD断到程序映射文件完毕,开始分析。
004010FE . 837D D0 00 cmp dword ptr [ebp-30], 0 00401102 . 0F84 B3000000 je 004011BB 00401108 . 8B4D E4 mov ecx, dword ptr [ebp-1C] 0040110B . 8139 54455354 cmp dword ptr [ecx], 54534554 00401111 . 0F85 A4000000 jnz 004011BB
00401F44 |. B8 10134000 mov eax, 00401310 00401F49 |. 870424 xchg dword ptr [esp], eax 00401F4C \. C3 retn
00401310 60 pushad 00401311 9C pushfd 00401312 8B5424 24 mov edx, dword ptr [esp+24] 00401316 8BC2 mov eax, edx 00401318 05 94000000 add eax, 94 0040131D 8038 01 cmp byte ptr [eax], 1 00401320 74 21 je short 00401343 00401322 8B5424 24 mov edx, dword ptr [esp+24] 00401326 8BC2 mov eax, edx 00401328 05 A4000000 add eax, 0A4 0040132D 50 push eax 0040132E 83E8 0C sub eax, 0C 00401331 8B00 mov eax, dword ptr [eax] 00401333 FFD0 call eax 00401335 8B5424 24 mov edx, dword ptr [esp+24] 00401339 8BC2 mov eax, edx 0040133B 05 94000000 add eax, 94 00401340 C600 01 mov byte ptr [eax], 1 00401343 8B5424 24 mov edx, dword ptr [esp+24] 00401347 8BC2 mov eax, edx 00401349 05 A4000000 add eax, 0A4 0040134E 50 push eax 0040134F 83E8 08 sub eax, 8 00401352 8B00 mov eax, dword ptr [eax] 00401354 FFD0 call eax 00401356 8BF4 mov esi, esp 00401358 B9 09000000 mov ecx, 9 0040135D 8B7C24 24 mov edi, dword ptr [esp+24] 00401361 F3:A5 rep movs dword ptr es:[edi], dword p> 00401363 9D popfd 00401364 61 popad 00401365 58 pop eax 00401366 8BC8 mov ecx, eax 00401368 05 C4000000 add eax, 0C4 0040136D 8B00 mov eax, dword ptr [eax] 0040136F 8BE0 mov esp, eax 00401371 51 push ecx 00401372 E8 E9FEFFFF call 00401260
004012E0 |> 8B46 68 /mov eax, dword ptr [esi+68] 004012E3 |. |0FB608 |movzx ecx, byte ptr [eax] 004012E6 |. |8B148D D0D840>|mov edx, dword ptr [ecx*4+40D8D0] 004012ED |. |56 |push esi 004012EE |. |FFD2 |call edx 004012F0 |. |8346 68 10 |add dword ptr [esi+68], 10 004012F4 |. |397E 68 |cmp dword ptr [esi+68], edi 004012F7 |.^\72 E7 \jb short 004012E0
0040D8D0 80 13 40 00 C0 13 40 00 D0 13 40 00 E0 13 40 00 @.?@.?@.?@. 0040D8E0 30 14 40 00 80 14 40 00 D0 14 40 00 20 15 40 00 0@.@.?@. @. 0040D8F0 80 15 40 00 E0 15 40 00 F0 15 40 00 00 16 40 00 @.?@.?@..@. 0040D900 40 16 40 00 90 16 40 00 20 17 40 00 80 17 40 00 @@.?@. @.@. 0040D910 F0 17 40 00 60 18 40 00 20 19 40 00 E0 19 40 00 ?@.`@. @.?@. 0040D920 40 1A 40 00 F0 1A 40 00 A0 1B 40 00 50 1C 40 00 @@.?@.?@.P@. 0040D930 F0 1C 40 00 A0 1D 40 00 50 1E 40 00 50 1E 40 00 ?@.?@.P@.P@. 0040D940 00 1F 40 00 00 1F 40 00 .@..@.
0040CDD0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040CDE0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 .............. 0040CDF0 06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00 ......?.... 0040CE00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040CE10 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 .............. 0040CE20 04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 ............. 0040CE30 07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 .............. 0040CE40 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ..............
004013C0 /. 55 push ebp ; Verify.004120D0 004013C1 |. 8BEC mov ebp, esp 004013C3 |. 8B45 08 mov eax, dword ptr [ebp+8] 004013C6 |. 8B08 mov ecx, dword ptr [eax] 004013C8 |. 8948 60 mov dword ptr [eax+60], ecx 004013CB |. 5D pop ebp 004013CC \. C2 0400 retn 4
0号函数 负责还原外部环境,也就是退出虚拟机,每个虚拟机指令块的最后一句都是一串0 1号函数 取出标志寄存器,相当于pushfd 2号函数 存入标志寄存器,相当于popfd 3号函数 将一个数据按字节 字或者双字存入通用寄存器,相当于 mov指令,第一个操作数为要从入寄存器的编号 4号函数 将一个数据按字节 字或者双字从寄存器取出到其他地址,相当于mov指令,第二个操作数为要取出寄存器的编号 5号函数 将一个数据按字节 字或者双字从esi+0x40地址取到esi+0x40的另外一个地址,两个操作数分别是相对于esi+0x40的偏移。 在esi保存的环境中,除了保存的寄存器和eip之外,其他的数据我没有确定是什么,比如那里是esp ebp什么的,所以描述起来 可能不准确,希望包涵。 6号函数 将一个数据按字节 字或者双字放入esi+0x40,第一个操作数是偏移,第二个操作数是要放入的数据,相当于mov 立即数。 7号函数 相当于按字节 字或者双字 将第二个操作数中的数据放入第一个操作数中的地址,这里的操作数都是相对于esi+0x40的偏移。 8号函数 也是一个mov指令,但是相当于基址加偏移寻址。 9号函数 加法操作,相当于add,无操作数,操作数在esi+0x40和sei+0x44中 10号函数 减法操作,相当于sub,操作数同9号函数 11号函数 乘法操作,相当于mul,操作数同9号函数 12号函数 除法操作,相当于div,操作数同9号函数 13号函数 ...........................
四字节标志 + 四字节文件头长度 + 四字节数据长度 + 四字节校验值 + 数据 TEST 16 数据长度 校验值 数据
00401598 |. 8B50 08 mov edx, dword ptr [eax+8] ; Case 2 of switch 0040158D 0040159B |. 8B5491 40 mov edx, dword ptr [ecx+edx*4+40] 0040159F |. 8B40 04 mov eax, dword ptr [eax+4] 004015A2 |. 8A12 mov dl, byte ptr [edx]
0040D470 04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 .............. 下面跳转到这里 取出41FFFFFF放入eax 0040D480 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 .............. 放入edx 0040D490 04 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 .............. 0040D4A0 04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00 ............. 0040D4B0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D4C0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D4D0 03 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 .............. 0040D4E0 04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 .............. 0040D4F0 08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 .............. 取一字节数据 0040D500 03 00 02 00 05 00 00 00 00 00 00 00 00 00 00 00 ............. 将上面取到的一字节放入ebx 0040D510 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 .............. 取出ecx 0040D520 06 00 00 00 01 00 00 00 FF 00 00 00 00 00 00 00 ............. 写入FF到缓冲区 0040D530 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D540 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 .............. edx=0xFF 0040D550 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 .............. 0040D560 04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00 ............. 0040D570 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 取到的第一个字节和FF异或 得到0xAB 0040D580 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 载入标志寄存器 0040D590 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 .............. 将0xAB放入edx 0040D5A0 04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 .............. 0040D5B0 06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00 ............. 0040D5C0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D5D0 03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 .............. 0xFFFFFF放入eax 0040D5E0 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 .............. 取出edx放到缓冲区 0040D5F0 06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 ............. 0040D600 0B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0xAB乘以4 0040D610 06 00 00 00 01 00 00 00 E0 EC 40 00 00 00 00 00 ......囔@..... 0040D620 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 乘积加上 0040ECE0 0040D630 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 查表得 4102CA60 表的地址为 0040EF8C 这个表就是上面0040ECE0加上乘积的值 0040D640 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 .............. 将 4102CA60 写入edx 0040D650 04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 .............. 0040D660 04 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00 ............. 0040D670 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 将 4102CA60和00FFFFFF或运算 0040D680 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D690 03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 .............. 将或运算结果41FFFFFF放入eax 0040D6A0 04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 .............. 取到字符串指针 0040D6B0 06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ............. 0040D6C0 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 将字符串指针加1 0040D6D0 03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 .............. 将字符串指针放入ecx 0040D6E0 04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 .............. 0040D6F0 06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ............. 0040D700 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D710 03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 .............. 0040D720 0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ............... 0040D730 0E 00 00 00 D3 FF FF FF 00 00 00 00 00 00 00 00 ...?........ 跳转到0040D470 取完字符之后就不会跳转 0040D740 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 .............. 取完字符之后运行到这里