
VMProtect 2.04 Packed Programs: From Beginner to Expert

Source: compiled by this site. Posted: 2010/11/2 18:59:10

Author: anonymous. Tags: VMProtect, packing


This article is a record of what I learned while studying a program packed with VMProtect 2.04. During debugging, especially early on, I consulted a great deal of material on the web, and I thank its authors here collectively. The two most famous kinds of computer book titles are surely "XXXX from Beginner to Expert" and "Learn XXXX in 21 Days"; after careful thought I decided the former was the more appealing. On using OD's UDD file: create a folder Unpack on drive D:, put the packed Notepad into it, and put the UDD file into OD's UDD folder. When OD opens the packed Notepad, the UDD file takes effect automatically.
Notice: this article may be freely redistributed for non-commercial purposes.
Software: Windows 98 Notepad, protected with a licensed copy of VMProtect 2.04.
Protection options: everything ticked except Compilation -> Debug mode and Watermark; Virtual machines -> count left at the default of 1; compilation type: Ultra (mutation + virtualization).
Debugger: OllyDbg 2.0, downloaded from the official site.
Packed program download: NOTEPAD.rar
UDD file: NOTEPAD-udd.rar (this is the UDD file with the pseudo-instructions already labelled; it will be updated later)
Structure of this article:
Preface
Article overview
1. Basics
1.1. Introduction to the VMProtect virtual machine
1.2. The VM stacks
1.3. Pseudo-instruction summary
2. Combined usage
2.1. Common pseudo-instruction combinations
2.2. NAND (the NAND gate)
2.3. EFLAGS flag checks + jumps
3. Full trace of NOTEPAD
3.1. TLS
3.2. Obtaining functions from the VMP shell
3.3. Virtual execution environment and debugger detection
3.4. Block-wise hash checks and API retrieval
3.5. The key decryption loops
4. Laboratory (tentative)
Epilogue

1. Basics
1.1. Introduction to the VMProtect virtual machine
Virtual-machine protection means that a protector such as VMP converts the original program's x86 instructions into its own pseudo-instructions. At run time the VM that VMP embeds in the protected program starts, reads the pseudo-instructions and interprets them.
VMP is a stack machine: all of its operations pass data through a stack. In VMP every pseudo-instruction is a handler. The VM has a central Dispatch component that reads the program's bytecode and uses the DispatchTable to locate the handler to execute. In the vast majority of cases, when a handler finishes, control returns to Dispatch, which then transfers to the next handler.
[Figure: VM structure: the Dispatch component at the top, with the handlers side by side below it.]
In the framework above, the core component is Dispatch; the components lined up beneath it are the handlers.
After VMP protection, a single simple x86 instruction is broken into several VMP pseudo-instructions that implement the original instruction's effect in VMP's own ordering; with junk instructions and other obfuscation added on top, nothing of the original instruction remains visible. VMP's own built-in mechanisms are likewise no longer implemented as x86 instructions but as checks written in its own pseudo-instructions.
While the VMP VM is running, the registers have these basic roles: EBP and EDI are the VM stack pointers (not the normal stack); ESI is the pseudo-instruction pointer (the equivalent of the normal EIP); EAX is the main working register for VM data decryption; EBX is the auxiliary working register for VM data decryption; ECX is the normal loop counter; ESP is the normal stack pointer; and EDX is used to read data from the pseudo-instruction table.
EDI and EBP point to the two ends of the VM stack: EBP points to the lower limit and grows upward, EDI points to the upper limit and grows downward through [EDI+EAX] addressing. The memory block ESI points to contains the sequence of pseudo-instructions to execute; the difference from a normal instruction stream is that when the VM needs an immediate, it reads that from ESI as well. The ESI block is therefore a carefully constructed data block, and only the VM itself, while executing, knows whether the next item is a pseudo-instruction or an immediate. In VM arithmetic, often only AL takes part in the computation of EAX, and the value is then stored or loaded as AX or EAX. EBX takes part in most of the encrypted-data computations on EAX, helping to produce the correct value, and after each EAX computation the next round's EBX value is derived in turn, so once EBX is wrong, the next piece of data is necessarily decrypted wrongly. While the VM runs, essentially all operations happen inside the VM stacks, so in the vast majority of cases operations on ESP are junk instructions or junk code. At the few points where the virtual world meets the real one (for example, calling a system function), the system knows nothing about the VM stack, so data (such as the call's arguments) has to be moved to the top of the normal ESP stack. EDX is rarely used, taking part in computations only in some decryption loops; its main use is in the DISPATCH component, where it fetches the DispatchTable entry selected from ESI so that the VM can execute the next pseudo-instruction.

1.2. The VM stacks
The VMP VM is a stack-based virtual machine, so understanding how the VM's stack space is divided up and manipulated is the basis for understanding how the whole VM runs.
A program packed with VMProtect 2.04 starts executing from TLS, so first open OD's Options menu and change the Startup and exit settings so that OD breaks in the TLS callback. After the packed program starts, VMP initialises the VM and enters the DISPATCH component. We will use the stack as it is after initialisation as our example.
The VM stack uses 61 DWORDs in total, with one stack pointer at each end: EBP at the bottom of the display and EDI at the top. Below is the stack after VM initialisation has assigned EDI and EBP.
EDI=0013F8BC
EBP=0013F9B0
CPU Stack
Locked Value ASCII Comments
0013F8BC 009539E8 9. ; EDI points here
0013F8C0 00950000 ...
0013F8C4 00150000 ...
0013F8C8 00000080 ...
0013F8CC 019314D6
0013F8D0 0013F8A8 .
0013F8D4 7C92E920 |
0013F8D8 00000000 ....
0013F8DC 00000000 ....
0013F8E0 00000000 ....
0013F8E4 FFFFFFFF
0013F8E8 7C98FEFF |
0013F8EC 7C00ADE7 .|
0013F8F0 00000000 ....
0013F8F4 00150000 ...
0013F8F8 0013F6F0 .
0013F8FC 0013F940 @.
0013F900 0013F944 D.
0013F904 7C92E920 |
0013F908 7C9301E0 |
0013F90C FFFFFFFF
0013F910 7C9301DB |
0013F914 7C9314D6 |
0013F918 7C931514 |
0013F91C 7C99E120 |
0013F920 7C9314EA |
0013F924 5ADF1158 XZ
0013F928 00000001 ...
0013F92C 00000000 ....
0013F930 7FFDA000 .
0013F934 7FFDF000 .
0013F938 00158070 p.
0013F93C 0013F890 .
0013F940 00000000 ....
0013F944 0043D759 YC.
0013F948 0000E9ED ..
0013F94C 409B0002 .@
0013F950 00000020 ...
0013F954 0013F9CC .
0013F958 0013F96C l.
0013F95C 0043E9ED C.
0013F960 000359F4 Y.
0013F964 00000020 ...
0013F968 004253CD SB.
0013F96C 409B0000 ..@
0013F970 00000020 ...
0013F974 0013F9CC .
0013F978 0013F98C .
0013F97C 00000000 .... ; EBP points here
0013F980 00000000 .... ; registers saved by the VM during initialisation
0013F984 00000246 F..
0013F988 000359F4 Y.
0013F98C 00000020 ...
0013F990 00000000 ....
0013F994 0013F9CC .
0013F998 004253CD SB.
0013F99C 000359F4 Y.
0013F9A0 00400000 ..@.
0013F9A4 0013F9C0 .
0013F9A8 C456C619 V ; VMP's two encryption values
0013F9AC 2EF6420A .B.
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; stack top on entry from TLS
We will discuss the two encryption values and the initialisation process later; here we concentrate on how the VM stack is divided up.
I call the stack that EDI points to EDISTACK and the stack that EBP points to EBPSTACK. In the VM, EBPSTACK is the working area where all kinds of data operations are carried out; EDISTACK is the storage area, holding both long-lived data and temporary copies of EBPSTACK operands.
Let us look at one data-movement pseudo-instruction:
Name:
VM_MOVdw_EDISTACKdw_EBPSTACKdw
Code:
0043DC19 |. F6D8 NEG AL ; *
0043DC26 |. C0C8 07 ROR AL,7 ; *
0043DC34 |. 2C 20 SUB AL,20 ; *
0043DC41 |. 24 3C AND AL,3C ; *

0043E080 |$ 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; *
0043E086 |. 83C5 04 ADD EBP,4 ; *

0043D3D7 /> /891438 MOV DWORD PTR DS:[EDI+EAX],EDX ; *
Function:
Moves one dword from the top of EBPSTACK into EDISTACK, using EAX as the offset.

Data movement into EDISTACK stores and fetches values with [EDI+EAX]; by computing different EAX values, different positions in EDISTACK are reached. When EAX is computed, only AL is actually computed. Consider AL's minimum and maximum: with AL=00, [EDI+EAX]=[0013F8BC+00000000]=0013F8BC; with AL=FF, [EDI+EAX]=[0013F8BC+000000FF]=0013F9BB. Those are the limits of what [EDI+EAX] could address. But the VM's AL computation ends with an AND AL,0x3C, and 0x3C = 00111100b. Because of that instruction, whatever AL holds (from 00000000b to 11111111b), after the AND only the four bits 1111b can vary, which is 16 values, so EDISTACK can hold at most 16 dwords. And because the two lowest bits of 00111100b are 00, any value ANDed with it has its low two bits cleared, giving a 4-aligned value, which shows that the VM always reads at 4-aligned addresses such as 0013F8BC, 0013F8C0, 0013F8C4, 0013F8C8. The VM may read a byte, word or dword there, but it will never read from 0013F8BE.
EDISTACK grows downward and EBPSTACK grows upward; EDISTACK's range is bounded by the 0x3C mask, while EBPSTACK is the working area with no hard limit on its range. To keep the two areas from colliding, after each move of data onto EBPSTACK the VM performs a boundary check like the following:
0043CE5A |. 8D47 50 LEA EAX,[EDI+50] ; *
0043EE5D |. 39C5 CMP EBP,EAX ; *
0043F08C |.^\0F87 29F6FFFF JA 0043E6BB ; *
The comparison normally comes out "above"; while tracing this VM I never once saw the "below" case. If it were below, that is, if the top of EBPSTACK had reached [EDI+50], the VM would reallocate the stack space. The 0x50 offset leaves a buffer of 5 dwords beyond the 0x3C offset. Let us modify EBP by hand and see how the VM handles the two stack areas being about to collide:
CPU Disasm
Address Hex dump Command Comments
0043F092 |. 52 PUSH EDX ;
0043D6C1 |. 8D5424 08 LEA EDX,[ARG.2] ; *EDX receives the old EDI pointer, 0013F8BC
0043DF38 |. 8D4F 40 LEA ECX,[EDI+40] ; *offset 0x40 is the position just past the dword at offset 0x3C
0043DF46 |. 29D1 SUB ECX,EDX ; *the subtraction gives the amount of stored data
0043DF4B |. 8D45 80 LEA EAX,[EBP-80] ; *add 0x80 of space
0043DF5C |. 24 FC AND AL,FC ; *align to 4
0043DF68 |. 29C8 SUB EAX,ECX ; *then grow the stack by the size of the old data as well
0043DF6E |. 89C4 MOV ESP,EAX ; *
0043DF7E |. 56 PUSH ESI ; |Arg1 = NOTEPAD.425748, *
0043DF87 |. 89D6 MOV ESI,EDX ; |*
0043DB3A /$ 8D7C01 C0 LEA EDI,[EAX+ECX-40] ; *
0043EC1E . 89C7 MOV EDI,EAX ; *
0043EEED |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ ; *move the data stored in the old EDISTACK
0043EEF7 |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10] ; *
0043EEFF |. 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10] ; *
So whenever the VM finds that the two stack areas are about to collide, it allocates a new stack for EBP and moves the data stored in the old EDISTACK into the new space.
Here are a few small tricks for following the VM stack in OD:
While tracing VM data movement in OD, double-click the address 0013F8BC; OD will then use 0013F8BC as the base and show each address above and below it as an offset from that base, as in:
CPU Stack
Locked Value ASCII Comments
$-C 759D0000 ..u
$-8 00000001 ...
$-4 0013F8FC .
$ ==> 009539E8 9. ; this is 0013F8BC after double-clicking
$+4 00950000 ...
$+8 00150000 ...
$+C 00000080 ...
$+10 019314D6
While tracing the VM, set a breakpoint on the instruction following AND AL,0x3C in the data-movement pseudo-instructions. Then every time data is moved you will stop at that breakpoint and can see where the data comes from and where it goes, which is extremely useful. In the more complex computations you will need to note down on paper when the data in particular EDISTACK slots was stored. For instance, checking a flag such as ZF and jumping on it is an important VM operation, yet the EFLAGS values all look alike (00000286, 00000246 and so on); if you cannot tell exactly which position [EDI+EAX] is storing to or reading from, you will not be able to understand what the VM is doing. This is very important, so keep it in mind! When necessary, use OD's dump window as well to show the VM stack.

Make OD's stack window as tall as possible so that it shows as much data as it can; on a high-resolution screen it is best if the whole VM stack is visible. By default the stack window scrolls automatically as ESP changes, which does not suit our need to keep watching the VM stack; in the stack window, right-click and tick Lock address so that OD keeps the window fixed.
This concludes the introduction to the stack areas. Understanding the stacks is the foundation of this article.

1.3. Pseudo-instruction summary
An important piece of manual labour at the start of debugging VMP is to identify all the pseudo-instructions and give each a name according to what it does. After that you can set a breakpoint at the final jump of the DISPATCH component:
0043E11F |. C2 5000 RETN 50
and, watching the VM stack, follow everything the VM does.
First, let us look at the DISPATCH component that every pseudo-instruction passes through:
0043E6BF |. 8A46 FF MOV AL,BYTE PTR DS:[ESI-1] ; *
0043E6C4 |. 30D8 XOR AL,BL ; *
0043E6CE |. F6D0 NOT AL ; *
0043E6D6 |. FEC8 DEC AL ; *
0043E6DA |. C0C8 07 ROR AL,7 ; *
0043E6E1 |. 83EE 01 SUB ESI,1 ; *
0043E6ED |. 30C3 XOR BL,AL ; *
0043D02F |. 0FB6C0 MOVZX EAX,AL ; *

0043F124 |. 8B1485 DBE143 MOV EDX,DWORD PTR DS:[EAX*4+43E1DB] ; *
0043E100 |> /81C2 6B197FB6 ADD EDX,B67F196B ; *

0043E10A |. 895424 3C MOV DWORD PTR SS:[ESP+3C],EDX ; *
0043E11B |. FF7424 4C PUSH DWORD PTR SS:[ESP+4C] ; *
0043E11F |. C2 5000 RETN 50
It first decrypts, from the byte at ESI, the offset of the next pseudo-instruction in the DispatchTable, reads the pseudo-instruction's address with [EAX*4+43E1DB], decrypts it with a single ADD, pushes the real handler address onto the top of the ESP stack, and finally jumps to the handler with RETN 50.
MOV EDX,DWORD PTR DS:[EAX*4+43E1DB] tells us that the DispatchTable starts at 0043E1DB, and that its last dword starts at the offset given by AL's maximum value FF: [FF*4+43E1DB]=0043E5D7. A dump of the notepad's bytes from 0043E1DB to 0043E5D7 shows the encrypted table.
Although the DispatchTable holds a lot of data, many different offsets point to the same value, which is a form of protection. Think about it the other way round: if each dword in the DispatchTable pointed to a different pseudo-instruction, every EAX offset would select exactly one pseudo-instruction, and going one step further, every ESI value would stand for exactly one pseudo-instruction. Then anyone who reversed this algorithm could tell which pseudo-instruction each ESI value corresponds to and read the VMP execution straight off the ESI values, which would amount to semi-automatic recognition of VMP. Someone experienced with VMP can understand what the VM is doing just by watching the pseudo-instructions it executes and keeping an eye on EBPSTACK. As it stands, with several ESI values mapping to the same pseudo-instruction and with the dynamic EBX decoding on top, it is a great deal harder.
We find some free space in OD and write a small loop that decrypts the whole DispatchTable:
The original code:
0043F11F \38F5 CMP CH,DH
0043F121 66:FFC2 INC DX
0043F124 8B1485 DBE14300 MOV EDX,DWORD PTR DS:[EAX*4+43E1DB] ; *
0043F12B F9 STC
0043F12C 84F4 TEST AH,DH
0043F12E 60 PUSHAD
0043F12F ^ E9 CC5EFCFF JMP 0043E100
Change the last instruction to:
0043F12F ^\E9 CC5EFCFF JMP 00405000
and add the loop at 00405000:
CPU Disasm
Address Hex dump Command Comments
00405000 60 PUSHAD
00405001 BE DBE14300 MOV ESI,0043E1DB ; DispatchTable address
00405006 BF 00514000 MOV EDI,00405100 ; destination for the decrypted table
0040500B B9 00010000 MOV ECX,100
00405010 31DB XOR EBX,EBX
00405012 8B0433 MOV EAX,DWORD PTR DS:[ESI+EBX]
00405015 05 6B197FB6 ADD EAX,B67F196B ; the decryption is a single ADD
0040501A 89043B MOV DWORD PTR DS:[EDI+EBX],EAX
0040501D 83C3 04 ADD EBX,4
00405020 49 DEC ECX
00405021 ^ 75 EF JNE SHORT 00405012
00405023 61 POPAD
00405024 E9 8E900200 JMP 0043E100
When the loop finishes, the whole DispatchTable has been restored at 00405100.
Intel's little-endian byte order makes that dump awkward to read. In OD's main (CPU) window go to the .data section at 00405000 and look at how 00405100 is shown:
004050F2 0000 ADD BYTE PTR DS:[EAX],AL
004050F4 0000 ADD BYTE PTR DS:[EAX],AL
004050F6 0000 ADD BYTE PTR DS:[EAX],AL
004050F8 0000 ADD BYTE PTR DS:[EAX],AL
004050FA 0000 ADD BYTE PTR DS:[EAX],AL
004050FC 0000 ADD BYTE PTR DS:[EAX],AL
004050FE 0000 ADD BYTE PTR DS:[EAX],AL
00405100 ^ 74 D3 JE SHORT 004050D5
00405102 43 INC EBX
00405103 003B ADD BYTE PTR DS:[EBX],BH
00405105 D4 43 AAM 43
00405110 BE EA430070 MOV ESI,700043EA
OD is showing our data as code. Right-click -> Analysis -> Analyse code (Ctrl+A), confirm in the dialog that pops up, and the display becomes:
004050FB 00 DB 00
004050FC 00 DB 00
004050FD 00 DB 00
004050FE 00 DB 00
004050FF 00 DB 00
00405100 . 74D34300 DD 0043D374
00405104 . 3BD44300 DD 0043D43B
00405108 . 89D04300 DD 0043D089
0040510C . 51DE4300 DD 0043DE51
00405110 . BEEA4300 DD 0043EABE
00405114 . 70D74300 DD 0043D770
00405118 . E0EA4300 DD 0043EAE0
0040511C . 3FE84300 DD 0043E83F
00405120 . 77EF4300 DD 0043EF77
00405124 . 2ED74300 DD 0043D72E
00405128 . E6E74300 DD 0043E7E6
0040512C . D2D74300 DD 0043D7D2
OD now correctly shows it as data, and already in big-endian order, the way we are used to reading it.
We also need to remove the duplicate entries in the DispatchTable, so we continue below the assembly code at 00405000:
CPU Disasm
Address Hex dump Command Comments
00405000 60 PUSHAD
00405001 BE DBE14300 MOV ESI,0043E1DB ; DispatchTable address
00405006 BF 00514000 MOV EDI,00405100 ; destination for the decrypted table
0040500B B9 00010000 MOV ECX,100
00405010 31DB XOR EBX,EBX
00405012 8B0433 MOV EAX,DWORD PTR DS:[ESI+EBX]
00405015 05 6B197FB6 ADD EAX,B67F196B ; the decryption is a single ADD
0040501A 89043B MOV DWORD PTR DS:[EDI+EBX],EAX
0040501D 83C3 04 ADD EBX,4
00405020 49 DEC ECX
00405021 ^ 75 EF JNE SHORT 00405012
00405023 61 POPAD
00405024 EB 03 JMP SHORT 00405029
00405026 90 NOP
00405027 90 NOP
00405028 90 NOP
00405029 60 PUSHAD
0040502A BE 00514000 MOV ESI,00405100 ; decrypted DispatchTable
0040502F BF 005A4000 MOV EDI,00405A00 ; new DispatchTable
00405034 B9 00010000 MOV ECX,100
00405039 BA 00000000 MOV EDX,0
0040503E 8D1C8D 00000000 LEA EBX,[ECX*4]
00405045 8B06 MOV EAX,DWORD PTR DS:[ESI]
00405047 83F8 00 CMP EAX,0
0040504A 74 1A JE SHORT 00405066
0040504C 8907 MOV DWORD PTR DS:[EDI],EAX
0040504E 83C7 04 ADD EDI,4
00405051 83C2 04 ADD EDX,4
00405054 39DA CMP EDX,EBX
00405056 74 0E JE SHORT 00405066
00405058 3B0432 CMP EAX,DWORD PTR DS:[ESI+EDX]
0040505B ^ 75 F4 JNE SHORT 00405051
0040505D C70432 00000000 MOV DWORD PTR DS:[ESI+EDX],0
00405064 ^ EB EB JMP SHORT 00405051
00405066 83C6 04 ADD ESI,4
00405069 49 DEC ECX
0040506A ^ 75 CD JNE SHORT 00405039
0040506C 61 POPAD
0040506D E9 8E900200 JMP 0043E100
The first part is the decryption code from before. The second part compares each entry at 00405100 with the ones after it, overwrites every duplicate with 00000000, and stores each non-zero entry into 00405A00.
After this code runs, 00405A00 holds all of the VM's pseudo-instructions; displayed as data in OD they are:
CPU Disasm
Address Hex dump Command Comments
00405A00 . \74D34300 DD 0043D374
00405A04 . 3BD44300 DD 0043D43B
00405A08 . 89D04300 DD 0043D089
00405A0C . 51DE4300 DD 0043DE51
00405A10 . BEEA4300 DD 0043EABE
00405A14 . 70D74300 DD 0043D770
00405A18 . E0EA4300 DD 0043EAE0
00405A1C . 3FE84300 DD 0043E83F
00405A20 . 77EF4300 DD 0043EF77
00405A24 . 2ED74300 DD 0043D72E
00405A28 . E6E74300 DD 0043E7E6
00405A2C . D2D74300 DD 0043D7D2
00405A30 . 91D84300 DD 0043D891
00405A34 . 56DC4300 DD 0043DC56
00405A38 . EDE94300 DD 0043E9ED
00405A3C . A5D34300 DD 0043D3A5
00405A40 . 89CE4300 DD 0043CE89
00405A44 . 13DE4300 DD 0043DE13
00405A48 . 99E14300 DD 0043E199
00405A4C . 24D54300 DD 0043D524
00405A50 . 54DD4300 DD 0043DD54
00405A54 . 98D14300 DD 0043D198
00405A58 . 00DB4300 DD 0043DB00
00405A5C . 2ED84300 DD 0043D82E
00405A60 . 81CF4300 DD 0043CF81
00405A64 . BDD84300 DD 0043D8BD
00405A68 . 1FED4300 DD 0043ED1F
00405A6C . F6EC4300 DD 0043ECF6
00405A70 . 70E74300 DD 0043E770
00405A74 . 53D24300 DD 0043D253
00405A78 . C9CD4300 DD 0043CDC9
00405A7C . 1CD24300 DD 0043D21C
00405A80 . CCD64300 DD 0043D6CC
00405A84 . C8D84300 DD 0043D8C8
00405A88 . CAE94300 DD 0043E9CA
00405A8C . 57D14300 DD 0043D157
00405A90 . 78D94300 DD 0043D978
00405A94 . F5D24300 DD 0043D2F5
00405A98 . 11EB4300 DD 0043EB11
00405A9C . A5E94300 DD 0043E9A5
00405AA0 . 92EB4300 DD 0043EB92
00405AA4 . E7D64300 DD 0043D6E7
00405AA8 . ACDB4300 DD 0043DBAC
00405AAC . 90E74300 DD 0043E790
00405AB0 . BEDF4300 DD 0043DFBE
00405AB4 . EEEF4300 DD 0043EFEE
00405AB8 . 6BE04300 DD 0043E06B
00405ABC . CDE84300 DD 0043E8CD
00405AC0 . 7DEC4300 DD 0043EC7D
00405AC4 . 69DA4300 DD 0043DA69
00405AC8 . 11DB4300 DD 0043DB11
00405ACC . 3CE14300 DD 0043E13C
00405AD0 . 0ADC4300 DD 0043DC0A
00405AD4 . 24CF4300 DD 0043CF24
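As an added example (my own Python, not code from the article or from VMProtect), the following reproduces the three steps just described: the one-ADD decryption of the DispatchTable, the removal of duplicate handlers in first-seen order, and the DISPATCH decode of an opcode index with the rolling BL key. The table bytes are the first five encrypted entries of the page's dump plus one entry that occurs twice in the real table; the bytecode stream and the starting BL value are constructed for illustration.

```python
# Added example: model of the VMProtect 2.04 DISPATCH component described above.
# Not the article's or VMProtect's code; the sample table bytes are copied from
# the page's dump at 0043E1DB, the bytecode stream is constructed.

DECRYPT_KEY = 0xB67F196B   # ADD EDX,B67F196B in the dispatcher

# Constructed sample: first five encrypted entries of the DispatchTable,
# followed (twice) by the entry that decrypts to 0043CE89.
SAMPLE_TABLE = bytes.fromhex(
    "09BAC449" "D0BAC449" "1EB7C449" "E6C4C449" "53D1C449" "1EB5C449" "1EB5C449"
)


def decrypt_dispatch_table(raw: bytes, key: int = DECRYPT_KEY) -> list:
    """Turn raw little-endian table bytes into handler addresses (the OD loop)."""
    out = []
    for i in range(0, len(raw) - len(raw) % 4, 4):
        enc = int.from_bytes(raw[i:i + 4], "little")
        out.append((enc + key) & 0xFFFFFFFF)
    return out


def unique_handlers(table: list) -> list:
    """Mirror the author's second loop: keep each handler once, in first-seen order."""
    seen = set()
    result = []
    for addr in table:
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


def ror8(value: int, count: int) -> int:
    """8-bit rotate right, as ROR AL,count."""
    return ((value >> count) | (value << (8 - count))) & 0xFF


def decode_opcode(byte: int, bl: int) -> tuple:
    """One pass of the DISPATCH decode for the bytecode byte at [ESI-1]:
    XOR AL,BL / NOT AL / DEC AL / ROR AL,7 / XOR BL,AL.
    Returns (table index, updated BL)."""
    al = byte ^ bl
    al = ~al & 0xFF
    al = (al - 1) & 0xFF
    al = ror8(al, 7)
    return al, bl ^ al


def run_dispatch(bytecode: bytes, bl: int, table: list) -> list:
    """Consume the stream the way ESI is consumed (backwards, one byte per
    dispatch) and resolve every index through the decrypted table."""
    handlers = []
    esi = len(bytecode)
    while esi > 0:
        idx, bl = decode_opcode(bytecode[esi - 1], bl)
        esi -= 1                       # SUB ESI,1
        handlers.append(table[idx])    # [EAX*4 + table base]
    return handlers


def demo() -> list:
    """Constructed 3-byte stream with BL=0: yields indices 2, 5, 1."""
    table = unique_handlers(decrypt_dispatch_table(SAMPLE_TABLE))
    return run_dispatch(bytes([0x79, 0x7E, 0xFD]), 0, table)


if __name__ == "__main__":
    print([hex(h) for h in demo()])
```

Because BL is folded into every step, the same byte 0xFD decodes to index 2 with BL=0 but to index 4 with BL=1, which is the "dynamic EBX decoding" the text refers to.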
This VM has 52 pseudo-instructions in total. In this section I will list all 52 of them; everyone who analyses VMP has their own naming scheme for the pseudo-instructions.
Data moved onto EBPSTACK uses the PUSH mnemonic and data moved into EDISTACK uses the MOV mnemonic. In the VM, operations are on bytes and dwords, whereas storage is in words and dwords; where byte and word handling are mixed together, the data can simply be regarded as a word operation.
Taking VM_PUSHw_MEMORYb as an example, my naming rules are as follows:
Every pseudo-instruction name starts with VM_, followed by an intuitive mnemonic such as PUSH; EBPSTACK is the destination of the move; MEMORY is the source; w stands for word, b for byte and dw for dword. So this name means: a move instruction that takes one byte from a memory block and moves it onto EBPSTACK, storing it as a word.
VMP's pseudo-instructions contain large amounts of junk instructions and junk code; the pseudo-instructions listed in this article have had that useless code removed.
0043DC0A name:
VM_MOVdw_EDISTACKdw_EBPSTACKdw
Code:
0043DC19 |. F6D8 NEG AL ; *
0043DC26 |. C0C8 07 ROR AL,7 ; *
0043DC34 |. 2C 20 SUB AL,20 ; *
0043DC41 |. 24 3C AND AL,3C ; *
0043E080 |$ 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; *
0043E086 |. 83C5 04 ADD EBP,4 ; *
0043D3D7 /> /891438 MOV DWORD PTR DS:[EDI+EAX],EDX ; *
Function:
Stores the dword at the top of EBPSTACK into EDISTACK

0043E7E6 name:
VM_MOVw_EDISTACKw_EBPSTACKw
Code:
0043E7EC 0FB646 FF MOVZX EAX,BYTE PTR DS:[ESI-1] ; *
0043E7F6 28D8 SUB AL,BL ; *
0043E7FE C0C8 05 ROR AL,5 ; *
0043E80C F6D8 NEG AL ; *
0043E816 34 0E XOR AL,0E ; *
0043E822 28C3 SUB BL,AL ; *
0043E82E 66:8B55 00 MOV DX,WORD PTR SS:[EBP] ; *
0043E835 83C5 02 ADD EBP,2 ; *
0043F03F 4E DEC ESI ; *
0043F045 66:891438 MOV WORD PTR DS:[EDI+EAX],DX ; *
Function:
Stores the word at the top of EBPSTACK into EDISTACK

0043D374 name:
VM_MOVb_EDISTACKb_EBPSTACKw
Code:
0043D377 |. 8A46 FF MOV AL,BYTE PTR DS:[ESI-1] ; *
0043F148 /> \30D8 XOR AL,BL ; *
0043D460 |. FEC0 INC AL ; |*
0043D469 |. C0C8 07 ROR AL,7 ; |*
0043D473 |. FEC0 INC AL ; |*
0043D215 |. 30C3 XOR BL,AL ; *
0043EA9C |. 4E DEC ESI ; *
0043EAA0 |. 66:8B55 00 MOV DX,WORD PTR SS:[EBP] ; *
0043EAAC |. 83C5 02 ADD EBP,2 ; *
0043DBDA /> /881438 MOV BYTE PTR DS:[EDI+EAX],DL ; *
Function:
Stores the word at the top of EBPSTACK into EDISTACK as a byte

0043D21C name:
VM_PUSHw_IMMEDIATEw
Code:
0043D21F 66:8B46 FE MOV AX,WORD PTR DS:[ESI-2] ; *
0043D22D 86E0 XCHG AL,AH ; *
0043E01A 66:29D8 SUB AX,BX ; *
0043E022 66:05 71F2 ADD AX,0F271 ; *
0043E036 66:F7D8 NEG AX ; *
0043E03D 66:35 A61C XOR AX,1CA6 ; *
0043E054 66:29C3 SUB BX,AX ; *
0043E976 8D76 FE LEA ESI,[ESI-2] ; *
0043D094 /66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Takes a word immediate from the ESI data and pushes it onto EBPSTACK

0043E83F name:
VM_PUSHdw_IMMEDIATEdw
Code:
0043E845 . 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4] ; *
0043E84D . 0FC8 BSWAP EAX ; *
0043E852 . 01D8 ADD EAX,EBX ; *
0043E857 . C1C8 04 ROR EAX,4 ; *
0043D952 . 8D76 FC LEA ESI,[ESI-4] ; *
0043D956 . 2D E131FF38 SUB EAX,38FF31E1 ; *
0043D967 . C1C0 0A ROL EAX,0A ; |*
0043D96C . 01C3 ADD EBX,EAX ; |*
0043D970 . 83ED 04 SUB EBP,4 ; |*
0043D710 |$ 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Takes a dword immediate from the ESI data and pushes it onto EBPSTACK

0043DB11 name:
VM_PUSHdw_IMMEDIATEw
Code:
0043DB1E 66:8B46 FE MOV AX,WORD PTR DS:[ESI-2] ; *
0043D171 /86E0 XCHG AL,AH ; *
0043E948 66:29D8 SUB AX,BX ; *
0043E951 66:05 71F2 ADD AX,0F271 ; *
0043E95C 66:F7D8 NEG AX ; *
0043E969 8D76 FE LEA ESI,[ESI-2] ; *
0043D62C 66:35 A61C XOR AX,1CA6 ; *
0043D640 \66:29C3 SUB BX,AX ; *
0043D648 98 CWDE ; *
0043D190 83ED 04 SUB EBP,4 ; *
0043D933 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Takes a word immediate from the ESI data and pushes it onto EBPSTACK as a dword

0043D978 name:
VM_PUSHw_IMMEDIATEb
Code:
0043D979 . 0FB646 FF MOVZX EAX,BYTE PTR DS:[ESI-1] ; *
0043D97E . 30D8 XOR AL,BL ; *
0043D1ED . FEC8 DEC AL ; *
0043D1F0 . F6D8 NEG AL ; *
0043D1F7 . F6D0 NOT AL ; *
0043D1FD . 30C3 XOR BL,AL ; *
0043CEE8 > /83ED 02 SUB EBP,2 ; *
0043DD79 |. 66:8945 00 MOV WORD PTR SS:[EBP],AX ; |*
0043DD62 /$ 4E DEC ESI ; *
Function:
Takes a byte immediate from the ESI data and pushes it onto EBPSTACK as a word

0043D3A5 name:
VM_PUSHdw_IMMEDIATEb
Code:
0043D3A7 0FB646 FF MOVZX EAX,BYTE PTR DS:[ESI-1] ; *
0043D3AC 30D8 XOR AL,BL ; *
0043D848 FEC8 DEC AL ; *
0043D855 F6D8 NEG AL ; *
0043D866 F6D0 NOT AL ; *
0043D86D 30C3 XOR BL,AL ; *
0043ED8C 66:98 CBW ; *
0043CF7B 98 CWDE ; *
0043EC00 8D76 FF LEA ESI,[ESI-1] ; *
0043DB94 83ED 04 SUB EBP,4 ; *
0043DB9F 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Takes a byte immediate from the ESI data and pushes it onto EBPSTACK as a dword

0043CF24 name:
VM_ADDdw_EBPSTACK
Code:
0043CF2F |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043EED3 |. 0145 04 ADD DWORD PTR SS:[EBP+4],EAX ; *
0043CE4F |. 9C PUSHFD ; *
0043CE50 |. 8F4424 3C POP DWORD PTR SS:[ESP+3C] ; *
0043D1BF /> \FF7424 3C PUSH DWORD PTR SS:[ESP+3C] ; *
0043D1C3 |. 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Adds the two dwords at the top of EBPSTACK; the result is stored at [EBP+4] and the EFLAGS value at the top of the stack.
Example:
0013F97C 8021D2F0 !
0013F980 00000000 ....
VM_ADDdw_EBPSTACK
0013F97C 00000286 ..
0013F980 8021D2F0 !

0043D43B name:
VM_PUSHdw_MEMORYdw
Code:
0043D43F 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D10A 8B00 MOV EAX,DWORD PTR DS:[EAX] ; *
0043D447 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Treats the value at the top of EBPSTACK as a memory address, reads one dword from it and pushes that onto EBPSTACK

0043E9CA name:
VM_PUSHw_MEMORYw
Code:
0043E9D0 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043E9D9 83C5 02 ADD EBP,2 ; *
0043DEBB 66:36:8B00 MOV AX,WORD PTR SS:[EAX] ; *
0043DDC4 66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Treats the value at the top of EBPSTACK as a memory address, reads one word from it and pushes that onto EBPSTACK

0043D8BD name:
VM_PUSHw_MEMORYb
Code:
0043D57B |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
0043D589 |. 83C5 02 ADD EBP,2 ; *
0043D591 |. 8A02 MOV AL,BYTE PTR DS:[EDX] ; *
0043E70B |. 66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Treats the value at the top of EBPSTACK as a memory address, reads one byte from it and pushes that onto EBPSTACK as a word

0043DC56 name:
VM_PUSHw_EDISTACKw
Code:
0043DC5C 8A46 FF MOV AL,BYTE PTR DS:[ESI-1] ; *
0043DC66 28D8 SUB AL,BL ; *
0043DC6D C0C8 05 ROR AL,5 ; *
0043EADA 4E DEC ESI ; *
0043EE2E \F6D8 NEG AL ; *
0043EE34 34 0E XOR AL,0E ; *
0043E740 28C3 SUB BL,AL ; *
0043E746 66:8B0438 MOV AX,WORD PTR DS:[EDI+EAX] ; *
0043D9E4 83ED 02 SUB EBP,2 ; *
0043EE44 66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Reads one word from EDISTACK and pushes it onto EBPSTACK

0043CF81 name:
VM_PUSHw_EDISTACKb
Code:
0043CF84 8A46 FF MOV AL,BYTE PTR DS:[ESI-1] ; *
0043CF8E 30D8 XOR AL,BL ; *
0043EE0A \FEC0 INC AL ; *
0043EE11 C0C8 07 ROR AL,7 ; *
0043EE1E FEC0 INC AL ; *
0043D59C 30C3 XOR BL,AL ; *
0043D2CE 4E DEC ESI ; *
0043D2D7 8A0438 MOV AL,BYTE PTR DS:[EDI+EAX] ; *
0043D2E6 83ED 02 SUB EBP,2 ; *
0043D075 66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Reads one byte from EDISTACK and pushes it onto EBPSTACK as a word

0043D72E name:
VM_PUSHdw_EBP
Code:
0043D72F /. 89E8 MOV EAX,EBP ; *
0043E613 /$ 83ED 04 SUB EBP,4 ; *
0043E61C |. 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Copies the EBP pointer onto the top of EBPSTACK
Example:
EBP 0013F9AC
0013F9AC 00000000 ....
VM_PUSHdw_EBP
0013F9A8 0013F9AC .
0013F9AC 00000000 ....

0043EABE name:
VM_COPYdw_EBPSTACK
Code:
0043EACC 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043DE1B 36:8B00 MOV EAX,DWORD PTR SS:[EAX] ; *
0043DE25 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Treats the value at the top of EBPSTACK as a stack address, reads one dword from it and pushes that onto EBPSTACK
Example:
0013F998 F99E
0013F99C 02460013 .F
0013F9A0 0000 ...
VM_COPYdw_EBPSTACK
0013F998 0246
0013F99C 02460000 ..F
0013F9A0 0000 ...

0043E790 named:
VM_COPYw_EBPSTACK
Code:
0043E79C |. 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; *
0043E7A7 |. 83C5 02 ADD EBP,2 ; *
0043E7AE |. 36:8A02 MOV AL,BYTE PTR SS:[EDX] ; *
0043D01B |. 66:8945 00 MOV WORD PTR SS:[EBP],AX ; *
Function:
Takes the value on top of EBPSTACK as a stack address, reads one byte from it and pushes it onto EBPSTACK as a word.
Example:
0013F9A8 0013F9AC .
0013F9AC 0000 ....
VM_COPYw_EBPSTACK
0013F9A8 0000
0013F9AC 0000 ....

0043D198 named:
VM_NANDdw
Code:
0043D1A3 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D1AD 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043DEAE F7D0 NOT EAX ; *
0043DDE1 /F7D2 NOT EDX ; *
0043CDC2 21D0 AND EAX,EDX ; *
0043E0F8 8945 04 MOV DWORD PTR SS:[EBP+4],EAX ; *
0043D0FB /9C PUSHFD ; *
0043D0FC 8F4424 2C POP DWORD PTR SS:[ESP+2C] ; *
0043EC46 FF7424 34 PUSH DWORD PTR SS:[ESP+34] ; *
0043EC4A 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
dword version of the NAND gate: reads the two dwords on top of EBPSTACK as operands, stores the result in the second operand's slot and the EFLAGS value on top of the stack.
Example:
0013F9A8 00000286 ..
0013F9AC 00000286 ..
VM_NANDdw
0013F9A8 00000282 ..
0013F9AC FFFFFD79 y

0043EB92 named:
VM_NANDw
Code:
0043EB94 |. 66:8B45 00 MOV AX,WORD PTR SS:[EBP] ; *
0043EBA5 |. 66:8B55 02 MOV DX,WORD PTR SS:[EBP+2] ; *
0043EBB3 |. F6D0 NOT AL ; *
0043EBBB |. F6D2 NOT DL ; *
0043EBC1 |. 83ED 02 SUB EBP,2 ; *
0043EBC5 |. 20D0 AND AL,DL ; *
0043EBCD |. 66:8945 04 MOV WORD PTR SS:[EBP+4],AX ; *
0043EBD5 |. 9C PUSHFD ; *
0043D26F |$ FF7424 28 PUSH DWORD PTR SS:[ESP+28] ; *
0043D273 |. 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
word version of the NAND gate: reads the two words on top of EBPSTACK as operands, stores the result in the second operand's slot and the EFLAGS value on top of the stack.
Example:
EBP 0013F9AA
0013F9A8 0000
0013F9AC 0000 ....
VM_NANDw
0013F9A8 00000286 ..
0013F9AC 00FF ...

0043EB11 named:
VM_ADDw_EBPSTACK
Code:
0043EB14 |. 8A45 00 MOV AL,BYTE PTR SS:[EBP] ; *
0043EB1C |. 83ED 02 SUB EBP,2 ; *
0043EB21 |. 0045 04 ADD BYTE PTR SS:[EBP+4],AL ; *
0043EB26 |. 9C PUSHFD ; *
0043EB27 |. 8F4424 20 POP DWORD PTR SS:[ESP+20] ; *
0043E8F9 |> /FF7424 40 PUSH DWORD PTR SS:[ESP+40] ; *
0043E8FD |. |8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Adds the low bytes of the two words on top of EBPSTACK; the result is stored in the second operand's slot and EFLAGS on top of the stack.
Example:
0013F9AC 000000FF ...
VM_ADDw_EBPSTACK
0013F9A8 0286
0013F9AC 00FF0000 ...

0043DFBE named:
VM_PUSHdw_EDISTACKdw
Code:
0043DFC1 F6D8 NEG AL ; *
0043DFCD C0C8 07 ROR AL,7 ; *
0043DFDA 2C 20 SUB AL,20 ; *
0043DFDD 24 3C AND AL,3C ; *
0043CE6C 8B1438 MOV EDX,DWORD PTR DS:[EDI+EAX] ; *
0043CE71 83ED 04 SUB EBP,4 ; *
0043CE79 8955 00 MOV DWORD PTR SS:[EBP],EDX ; *
Function:
Pushes one dword from EDISTACK onto EBPSTACK.

0043D7D2 named:
VM_SHRdw_EBPSTACK
Code:
0043D7DA 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D7E6 8A4D 04 MOV CL,BYTE PTR SS:[EBP+4] ; *
0043D4F8 83ED 02 SUB EBP,2 ; *
0043D504 D3E8 SHR EAX,CL ; *
0043F17D \8945 04 MOV DWORD PTR SS:[EBP+4],EAX ; *
0043EA2E 9C PUSHFD ; *
0043EA30 FF7424 20 PUSH DWORD PTR SS:[ESP+20] ; *
0043EA34 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Takes the dword on top of EBPSTACK as the operand and the byte at [EBP+4] as the shift count, and shifts logically right. The result dword is stored over the second operand and the high bytes of the first; EFLAGS is stored on top of the stack.
Example:
0013F99C 0040
0013F9A0 00040000 ...
VM_SHRdw_EBPSTACK
0013F99C 00000202 ..
0013F9A0 00000004 ...

0043E9A5 named:
VM_SHLdw_EBPSTACK
Code:
0043E9A9 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043E9B5 8A4D 04 MOV CL,BYTE PTR SS:[EBP+4] ; *
0043E0B2 >83ED 02 SUB EBP,2 ; *
0043E0BC D3E0 SHL EAX,CL ; *
0043CDEA 8945 04 MOV DWORD PTR SS:[EBP+4],EAX ; *
0043DD1A \9C PUSHFD
0043DD1B 8F4424 28 POP DWORD PTR SS:[ESP+28]
0043DD24 FF7424 2C PUSH DWORD PTR SS:[ESP+2C] ; *
0043DD28 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Takes the dword on top of EBPSTACK as the operand and the byte at [EBP+4] as the shift count, and shifts logically left. The result dword is stored over the second operand and the high bytes of the first; EFLAGS is stored on top of the stack.

0043DE51 named:
VM_SHRDdw_EBPSTACK
Code:
0043DE5D 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043DE69 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043DE6E 8A4D 08 MOV CL,BYTE PTR SS:[EBP+8] ; *
0043DE73 83C5 02 ADD EBP,2 ; *
0043DE7A 0FADD0 SHRD EAX,EDX,CL ; *
0043D38F 8945 04 MOV DWORD PTR SS:[EBP+4],EAX ; *
0043D66C 9C PUSHFD ; *
0043D66D 8F4424 34 POP DWORD PTR SS:[ESP+34] ; *
0043D67F FF7424 40 PUSH DWORD PTR SS:[ESP+40] ; *
0043D683 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Double-precision right shift on EBPSTACK; after it executes, the result and EFLAGS are stored on EBPSTACK.

0043D524 named:
VM_SHLDdw_EBPSTACK
Code:
0043D529 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D537 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043D545 8A4D 08 MOV CL,BYTE PTR SS:[EBP+8] ; *
0043D550 83C5 02 ADD EBP,2 ; *
0043D558 0FA5D0 SHLD EAX,EDX,CL ; *
0043D637 8945 04 MOV DWORD PTR SS:[EBP+4],EAX ; *
0043CED3 9C PUSHFD
0043D8F4 \FF7424 34 PUSH DWORD PTR SS:[ESP+34] ; *
0043D8F8 8F45 00 POP DWORD PTR SS:[EBP] ; *
Function:
Double-precision left shift on EBPSTACK; after it executes, the result and EFLAGS are stored on EBPSTACK.

0043D089 named:
VM_JMP
Code:
0043D722 8B75 00 MOV ESI,DWORD PTR SS:[EBP] ; *
0043EF1F \83C5 04 ADD EBP,4 ; *
0043E6A9 89F3 MOV EBX,ESI ; *
0043E6B8 0375 00 ADD ESI,DWORD PTR SS:[EBP] ; *
Function:
Moves the address on top of EBPSTACK into ESI and re-initialises EBX and ESI.

0043EF77 named:
VM_EBPSTACK_CALL
Code:
0043EF7B 0FB646 FF MOVZX EAX,BYTE PTR DS:[ESI-1] ; *
0043EF82 30D8 XOR AL,BL ; *
0043EF8D FEC8 DEC AL ; *
0043EF99 F6D8 NEG AL ; *
0043EFAF 8D76 FF LEA ESI,[ESI-1] ; *
0043EFB3 F6D0 NOT AL ; *
0043EFC4 30C3 XOR BL,AL ; *
0043EFCD 0FB6C8 MOVZX ECX,AL ; *
0043EFDC 894D FC MOV DWORD PTR SS:[EBP-4],ECX ; *

0043ECEA 31C0 XOR EAX,EAX ; *
0043E0C6 87448D 00 XCHG DWORD PTR SS:[ECX*4+EBP],EAX ; * parameter
0043E0CD 894424 24 MOV DWORD PTR SS:[ESP+24],EAX ; *
0043EE89 83E9 01 SUB ECX,1 ; *
0043EE9C ^\0F85 3FFEFFFF JNE 0043ECE1 ; *
0043CF5B 29C0 SUB EAX,EAX ; *
0043CF6A C74424 04 B7EE4 MOV DWORD PTR SS:[ESP+4],0043EEB7 ; *
0043CF60 8745 00 XCHG DWORD PTR SS:[EBP],EAX ; *
0043DDF9 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; *
0043DDFD FF7424 04 PUSH DWORD PTR SS:[ESP+4] ; *
0043DE0C FF7424 34 PUSH DWORD PTR SS:[ESP+34] ; *
0043DE10 C2 3800 RETN 38 ; VM_APICALL
Function:
A pseudo-instruction specific to the VM, used for system API calls and for calls to the program's own procedures. The number of parameters is taken from the ESI data, the parameters are fetched in a loop through EAX and pushed onto the ordinary stack that ESP points to. It makes heavy use of [ESP+X] addressing, interleaved with junk push operations, so it is hard to read statically. The return address is the constant 0043EEB7 that gets pushed. This pseudo-instruction covers a lot of ground and has many branches; system API calls and program procedure calls take different paths, which are described in detail in later sections. What I list here is a system API call with a single parameter.

0043D891 named:
VM_MOVdw_MEMORYdw_EBPSTACKdw
Code:
0043D897 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D8A1 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043D8A6 83C5 08 ADD EBP,8 ; *
0043D8AA 8910 MOV DWORD PTR DS:[EAX],EDX ; *
Function:
Takes the value on top of EBPSTACK as an address and stores the second dword from the top at that address.

0043EFEE named:
VM_MOVdw_MEMORYdw_EBPSTACKdw
Code:
0043EFF3 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043F005 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043F010 83C5 08 ADD EBP,8 ; *
0043D335 36:8910 MOV DWORD PTR SS:[EAX],EDX ; *
Function:
Takes the value on top of EBPSTACK as an address and stores the second dword from the top at that address. Identical to the previous pseudo-instruction.

0043D157 named:
VM_MOVdw_MEMORYdw_EBPSTACKdw
Code:
0043D159 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D169 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043CDF7 83C5 08 ADD EBP,8 ; *
0043CE09 26:8910 MOV DWORD PTR ES:[EAX],EDX ; *
Function:
Takes the value on top of EBPSTACK as an address and stores the second dword from the top at that address. Identical to the previous two pseudo-instructions.

0043E9ED named:
VM_MOVw_MEMORYw_EBPSTACKw
Code:
0043E9F7 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043E9FD 66:8B55 04 MOV DX,WORD PTR SS:[EBP+4] ; *
0043EA02 83C5 06 ADD EBP,6 ; *
0043EA0D 66:8910 MOV WORD PTR DS:[EAX],DX ; *
Function:
Takes the value on top of EBPSTACK as an address and stores the second word from the top at that address.

0043D6CC named:
VM_MOVb_MEMORYb_EBPSTACKb
Code:
0043D6D3 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D6DB 8A55 04 MOV DL,BYTE PTR SS:[EBP+4] ; *
0043EC6C 83C5 06 ADD EBP,6 ; *
0043D495 36:8810 MOV BYTE PTR SS:[EAX],DL ; *
Function:
Takes the value on top of EBPSTACK as an address and stores the second byte from the top at that address.

0043CE89 named:
VM_HASH
Code:
0043CE98 8B55 00 MOV EDX,DWORD PTR SS:[EBP] ; *
0043CEA0 83C5 04 ADD EBP,4 ; *
0043CEA6 31C0 XOR EAX,EAX ; *
0043DCC0 89C1 MOV ECX,EAX ; *
0043E6FA C1E0 07 SHL EAX,7 ; *
0043E701 C1E9 19 SHR ECX,19 ; *
0043D2BD /09C8 OR EAX,ECX ; *
0043D7EF \3202 XOR AL,BYTE PTR DS:[EDX] ; *
0043D7F2 42 INC EDX ; *
0043DD12 FF4D 00 DEC DWORD PTR SS:[EBP] ; *
0043F023 ^\0F85 7FDEFFFF JNE 0043CEA8 ; *
0043D9FA 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Computes the hash of a block of data; the first dword on top of EBPSTACK is the data address and the second dword is the data size.
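As an added example (not code from the article or from VMProtect), the VM_HASH loop above re-implemented in Python: EAX starts at 0 and, for every byte, the handler rotates EAX left by 7 (the SHL 7 / SHR 19h / OR trio) and XORs the byte into AL. The candidate API names and the lookup helper are constructed for illustration; an analyst who has recovered the hash function can precompute such a table to recognise which imports a hash-based resolver is looking up instead of stepping through every lookup.

```python
MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left; SHL EAX,7 / SHR ECX,19h / OR EAX,ECX is ROL EAX,7."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def vm_hash(data: bytes) -> int:
    """Hash as the VM_HASH handler computes it: EAX = ROL(EAX, 7) XOR byte, for each byte.

    The handler is a do-while loop driven by DEC DWORD PTR [EBP] / JNE, so a size of 0
    would spin 2^32 times; iterating over the bytes sidesteps that edge case.
    """
    eax = 0
    for b in data:
        eax = rol32(eax, 7)
        eax ^= b                       # XOR AL,BYTE PTR [EDX]: only the low byte changes
    return eax


def build_hash_table(names):
    """Map vm_hash(name) -> name for a list of candidate byte strings (constructed helper)."""
    return {vm_hash(n): n for n in names}


def match_hash(h: int, names):
    """Return the candidate whose VM_HASH value equals h, or None (constructed helper)."""
    return build_hash_table(names).get(h)


if __name__ == "__main__":
    # Constructed sample input: export names a resolver might look up by hash.
    candidates = [b"LoadLibraryA", b"GetProcAddress", b"IsDebuggerPresent"]
    for name in candidates:
        print(f"{vm_hash(name):08X}  {name.decode()}")
    print(match_hash(vm_hash(b"GetProcAddress"), candidates))
```

Because only AL is XORed, the upper three bytes of the state depend solely on the rotation; two inputs that differ only in their final byte therefore differ only in the low byte of the hash, which is worth knowing when trying to match recovered hash constants against export lists.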

0043DE13 named:
VM_MOVdw_EBPreg_EBPSTACK
Code:
0043F134 \8B6D 00 MOV EBP,DWORD PTR SS:[EBP] ; *
Function:
Loads the EBP register with the value on top of EBPSTACK.

0043DD54 named:
VM_FS:[EBPSTACK]
Code:
0043DD5A 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043F10E 64:8B00 MOV EAX,DWORD PTR FS:[EAX] ; *
0043F112 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
Function:
Reads FS:[X], where X is the value on top of EBPSTACK.

0043D8C8 named:
VM_SEH
Code:
0043D8CF 8B45 00 MOV EAX,DWORD PTR SS:[EBP] ; *
0043D8DE 8B55 04 MOV EDX,DWORD PTR SS:[EBP+4] ; *
0043D8E7 83C5 08 ADD EBP,8 ; *
0043D243 64:8910 MOV DWORD PTR FS:[EAX],EDX ; *
Function:
Writes Y to FS:[X], where X is the value on top of EBPSTACK and Y is the second value from the top. In practice it is always used to write FS:[0] and set up SEH.

0043DA69 named:
VM_EXIT
Code:
0043DA6F 89EC MOV ESP,EBP ; *
0043DA73 58 POP EAX ; *
0043DA7E 59 POP ECX ; *
0043DA87 9D POPFD ; *
0043DA8D 5D POP EBP ; *
0043CDB1 /59 POP ECX ; *
0043CDB8 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8] ; *
0043F068 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14] ; *
0043F06D 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38] ; *
0043DC99 8B7C24 44 MOV EDI,DWORD PTR SS:[ESP+44] ; *
0043DCA7 5E POP ESI ; *
0043DCB6 FF7424 04 PUSH DWORD PTR SS:[ESP+4] ; *
0043DCBA C2 0800 RETN 8 ; *
Function:
Loads the registers from the values in EBPSTACK; the last value in EBPSTACK is the jump address.

0043EC7D named:
VM_MOVdw_EFLreg_EBPSTACK
Code:
0043EC80 FF75 00 PUSH DWORD PTR SS:[EBP] ; *
0043EC83 8F4424 08 POP DWORD PTR SS:[ESP+8] ; *
0043EC8E FF7424 28 PUSH DWORD PTR SS:[ESP+28] ; *
0043EC92 9D POPFD ; *
Function:
Loads the EFLAGS register with the value on top of EBPSTACK.

While single-stepping (F7) through the packed Notepad, not every pseudo-instruction was used; the following were never executed:
00405A14 . 70D74300 DD 0043D770
00405A18 . E0EA4300 DD 0043EAE0
00405A48 . 99E14300 DD 0043E199
00405A58 . 00DB4300 DD 0043DB00
00405A5C . 2ED84300 DD 0043D82E
00405A68 . 1FED4300 DD 0043ED1F
00405A6C . F6EC4300 DD 0043ECF6
00405A70 . 70E74300 DD 0043E770
00405A74 . 53D24300 DD 0043D253
00405A78 . C9CD4300 DD 0043CDC9
00405A94 . F5D24300 DD 0043D2F5
00405AA4 . E7D64300 DD 0043D6E7
00405AA8 . ACDB4300 DD 0043DBAC
00405AB8 . 6BE04300 DD 0043E06B
00405ABC . CDE84300 DD 0043E8CD
00405ACC . 3CE14300 DD 0043E13C
Since I never actually stepped through these pseudo-instructions, static analysis leaves me worried that the code of a few of them may have been extracted incorrectly. They are listed in summary form:
0043D770: logical right shift of a byte on EBPSTACK
0043EAE0: VM_JMP jump instruction; reloads ESI with the value on top of EBPSTACK
0043E199: duplicates the word on top of EBPSTACK
0043DB00: takes the value on top of EBPSTACK as an address, reads one word from it and pushes it onto EBPSTACK
0043D82E: VM_DIV division instruction
0043ED1F: CPUID instruction; the result is pushed onto EBPSTACK
0043ECF6: moves one byte from EBPSTACK to the memory address on top of the stack
0043E770: loads the low word of the EBP register with the value on top of the stack
0043D253: pushes the SS segment register onto EBPSTACK
0043CDC9: another form of the word NAND, except that this one performs the computation inside the EBPSTACK memory
0043D2F5: logical left shift of a byte on EBPSTACK
0043D6E7: logical left shift of a word on EBPSTACK
0043DBAC: logical right shift of a word on EBPSTACK
0043E06B: word addition on EBPSTACK
0043E8CD: pushes EAX and EDX onto EBPSTACK
0043E13C: moves one word from EBPSTACK to the memory address on top of the stack

That concludes the list of all pseudo-instructions; it really was manual labour!
2. Combined Application
2.1. Common Pseudo-instruction Combinations
There are some recurring combination patterns in the execution of VMP pseudo-instructions, and knowing them makes tracing VMP much more comfortable. These combinations do not depend on operand size, so the b/w/dw suffixes are dropped from the pseudo-instructions below. In the examples I use dword operands, which are the most intuitive.
2.1.1.
VM_PUSH_EBP ; copies the EBP pointer to the top of EBPSTACK
VM_COPY_EBPSTACK ; takes the value on top of EBPSTACK as a stack address, reads a value from it and pushes it onto EBPSTACK
These two instructions form an extremely tight pair in VMP; they almost always appear together and are used to copy a value held in EBPSTACK onto EBPSTACK, and in many cases what they copy is simply the value that was already on top of the stack. They are the mandatory prelude when NAND is used to compute NOT(A), and they appear wherever one operand has to become two.
Example:
EBP 0013F9AC
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSH_EBP
EBP 0013F9A8
0013F9A8 0013F9AC .
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPY_EBPSTACK
EBP 0013F9A8
0013F9A8 00000000 ....
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
2.1.2.
VM_NAND | VM_ADD_EBPSTACK | VM_SHLD_EBPSTACK | VM_SHR_EBPSTACK etc.
VM_MOV_EDISTACK_EBPSTACK ; moves one value from the top of EBPSTACK to EDISTACK, using EAX as the offset
All VMP arithmetic pseudo-instructions follow one pattern: after the operation the EFLAGS value sits on top of EBPSTACK and the result just below it at [EBP+4]. The operation is followed by a VM_MOV_EDISTACK_EBPSTACK that moves the resulting flags to EDISTACK; much of the time this is a junk operation whose only purpose is to remove the top of the stack so that the result can be worked on.
If the VM goes on to check the flags, however, this instruction becomes extremely important. For example, in the int3 (CC) breakpoint check on system functions, the first byte XX of the system function is fetched, CC is subtracted from it, and a ZF check plus jump follows. There it is the other way round: the arithmetic result is useless, and we must put a breakpoint where the move instruction computes its EAX offset and watch where the EFLAGS value goes and where it comes from.
2.1.3.
When a jump is performed there are a large number of worthless data moves before and after VM_JMP. Suppose we have just performed a conditional test and the VM has just determined and decrypted the address to jump to:
EBP 0013F9A8
0013F9A8 00000202 .. ; EFLAGS from the last decryption operation
0013F9AC 0043651A eC. ; jump address
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
EBP 0013F9B0
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
EBP 0013F980
0013F980 8021D2F0 !
0013F984 0013F9C0 .
0013F988 00000246 F..
0013F98C 00000020 ...
0013F990 000359F4 Y.
0013F994 0013F9CC .
0013F998 00400000 ..@. ; OFFSET NOTEPAD
0013F99C 00000000 ....
0013F9A0 004253CD SB. ; RETURN from NOTEPAD.004255DB to NOTEPAD.004253CD
0013F9A4 000359F4 Y.
0013F9A8 00400000 ..@. ; all the data that has to be carried along is carried inside EBPSTACK; at this point it is not finished yet.
0013F9AC 0043651A eC. ; other values still have to be put in, and 8021D2F0 is to be hidden
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEdw
0013F97C 7FDE2D10 -
0013F980 8021D2F0 !
0013F984 0013F9C0
VM_ADDdw_EBPSTACK
0013F97C 00000247 G..
0013F980 00000000 ....
0013F984 0013F9C0
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F980 00000000 ....
0013F984 0013F9C0
VM_PUSHdw_EDISTACKdw
VM_PUSHdw_EDISTACKdw
0013F978 0043651A eC.
0013F97C 00000000 ....
0013F980 00000000 ....
0013F984 0013F9C0 .
0013F988 00000246 F..
0013F98C 00000020 ...
0013F990 000359F4 Y.
0013F994 0013F9CC .
0013F998 00400000 ..@. ; OFFSET NOTEPAD
0013F99C 00000000 ....
0013F9A0 004253CD SB. ; RETURN from NOTEPAD.004255DB to NOTEPAD.004253CD
0013F9A4 000359F4 Y.
0013F9A8 00400000 ..@. ; OFFSET NOTEPAD.B
0013F9AC 0043651A eC.
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A

VM_JMP ; carrying 14 values, the VM finally jumps; apart from the top value 0043651A, which goes into ESI, the other 13 values have to be saved again

VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F980 00000000 ....
0013F984 0013F9C0 .
VM_PUSHdw_IMMEDIATEdw
0013F97C 8021D2F0 !
0013F980 00000000 ....
0013F984 0013F9C0 .
VM_ADDdw_EBPSTACK
0013F97C 00000286 ..
0013F980 8021D2F0 !
0013F984 0013F9C0 . ; restored again
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw ; pause here for a small computation: the original EDX = 000359F4 XOR 4DFD2FC2
0013F990 000359F4 Y.
0013F994 0013F9CC .
0013F998 00400000 ..@. ; OFFSET NOTEPAD.B
0013F99C 00000000 ....
0013F9A0 004253CD SB. ; RETURN from NOTEPAD.004255DB to NOTEPAD.004253CD
0013F9A4 000359F4 Y.
0013F9A8 00400000 ..@. ; OFFSET NOTEPAD.B
0013F9AC 0043651A eC.
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EBP
0013F98C 0013F990 .
0013F990 000359F4 Y.
0013F994 0013F9CC .
VM_COPYdw_EBPSTACK
0013F98C 000359F4 Y.
0013F990 000359F4 Y.
0013F994 0013F9CC .
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F990 000359F4 Y.
0013F994 0013F9CC .
VM_PUSHdw_EBP
0013F98C 0013F990 .
0013F990 000359F4 Y.
0013F994 0013F9CC .
VM_COPYdw_EBPSTACK
0013F98C 000359F4 Y.
0013F990 000359F4 Y.
0013F994 0013F9CC .
VM_NANDdw
0013F98C 00000282 ..
0013F990 FFFCA60B
0013F994 0013F9CC .
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F990 FFFCA60B
0013F994 0013F9CC .
VM_PUSHdw_IMMEDIATEdw
0013F98C B202D03D =
0013F990 FFFCA60B
0013F994 0013F9CC .
VM_NANDdw
0013F98C 00000206 ..
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_PUSHdw_IMMEDIATEdw
0013F98C 4DFD2FC2 /M
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_PUSHdw_EDISTACKdw
0013F988 000359F4 Y.
0013F98C 4DFD2FC2 /M
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_NANDdw
0013F988 00000286 ..
0013F98C B2008009 ..
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F98C B2008009 ..
0013F990 000109C0 ..
0013F994 0013F9CC .
VM_NANDdw
0013F98C 00000206 ..
0013F990 4DFE7636 6vM
0013F994 0013F9CC .
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
VM_MOVdw_EDISTACKdw_EBPSTACKdw
EBP 0013F9B0
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
Every VM_JMP carries 14 values along with it, and in the middle the VM also does a little hidden value shuffling. From now on, whenever you see a VM_JMP, just watch the EBP pointer, let it run through and stop only when it is done. The operations in between can be ignored completely; I pasted the code only for completeness, and when actually tracing you need not care about them. The whole process is: move the data that has to be carried into EBPSTACK --> VM_JMP --> save the data back into EDISTACK. For the 000359F4 XOR 4DFD2FC2 computation in the middle, see the next section, 2.2 NAND.

Since the other combinations all relate to NAND or to flag checking plus jumps, they are covered in the next two sections. Once the three combinations in this section are familiar, part of the VM's activity can already be ignored.

2.2. NAND (NAND Gate)
Now come the two main sections of this article: NAND and EFLAGS flag checking + jump. Once these two are understood, the VM can be ignored and every pseudo-instruction looks like an ordinary instruction. Tracing VMP becomes like tracing a normal program: if you want to see the API resolution, look at the API resolution; if you want to see the program's anti-debugging methods, look at those. Everything returns to normal and you can see through the intimidating disguise that is the VM.
2.2.1. The Origin of NAND
NAND and NOR derive from De Morgan's Laws and are used in logic, digital circuits and so on; this section concentrates on the relationship between NAND and AND, OR, XOR and NOT.
De Morgan's laws are laws of logic. De Morgan's laws (or De Morgan's theorems) are a set of rules in formal logic describing how negation relates dual pairs of logical operators. The relationship that follows from them is called "De Morgan duality".
Augustus De Morgan first observed that the following relations hold in propositional logic:
not (P and Q) = (not P) or (not Q)
not (P or Q) = (not P) and (not Q)
De Morgan's discovery influenced George Boole's work on algebraic solutions to logic problems, which cemented De Morgan's standing as the discoverer of these rules, even though Aristotle had noticed something similar and the rules were known to ancient Greek and medieval logicians (from Bocheński, A History of Formal Logic). (From Wikipedia, keyword: De Morgan's laws)
Now let us look at its expression in mathematical logic:
[Figure 1.jpg: De Morgan's laws in mathematical notation]
(From MathWorld, keyword: de Morgan's Laws)
Because they are not expressed in the computing terms we are used to, the two explanations above are rather abstract; see 2.2.2.
2.2.2. NAND and Logical Operations
The packed Notepad uses NAND, so the rest of this section focuses on NAND. For NOR the theory is the same; it just is not implemented with NAND.
NAND(A,B):
NOT(A)
NOT(B)
AND(A,B)
This is how NAND operates. The value of NAND is that NOT, AND, OR and XOR can all be implemented with it.
NOT(A):
NAND(A,A)
AND(A,B):
NAND(NAND(A,A),NAND(B,B))
OR(A,B):
NAND(NAND(A,B),NAND(A,B))
XOR(A,B):
NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))
2.2.3. Execution by VMP Pseudo-instructions
NOT(4DBE4AD8):
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EBP
0013F9A8 0013F9AC .
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYdw_EBPSTACK
0013F9A8 4DBE4AD8 JM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9A8 00000286 ..
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(A,A)
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
NOT(4DBE4AD8)=B241B527

AND(4DBE4AD8,4DFD2FC2):
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EBP
0013F9A8 0013F9AC .
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYdw_EBPSTACK
0013F9A8 4DBE4AD8 JM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9A8 00000286 ..
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(A,A),NAND(B,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEdw
0013F9A8 B202D03D =
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(A,A),NAND(B,B))**B202D03D=NAND(B,B)**
VM_NANDdw
0013F9A8 00000206 ..
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(A,A),NAND(B,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
For operand B, VMP passes its complement B202D03D directly to the VM, which hides the NAND(B,B) step. AND(4DBE4AD8,4DFD2FC2)=4DBC0AC0

OR (00000293,00000100):
0013F780 00000293 ..
0013F784 00000100 ...
VM_NANDdw ;NAND(NAND(A,B),NAND(A,B))
0013F784 FFFFFC6C l
VM_PUSHdw_EBP
VM_COPYdw_EBPSTACK ; copies the result, which amounts to NAND(NAND(A,B),NAND(A,B))
0013F780 FFFFFC6C l
0013F784 FFFFFC6C l
VM_NANDdw ;NAND(NAND(A,B),NAND(A,B))
0013F784 00000393 ..
OR (00000293,00000100)=00000393

XOR(4DBE4AD8,4DFD2FC2):
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EBP
0013F9A8 0013F9AC .
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYdw_EBPSTACK
0013F9A8 4DBE4AD8 JM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9A8 00000286 ..
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEdw
0013F9A8 B202D03D =
0013F9AC B241B527 'A
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))**B202D03D=NAND(B,B)**
VM_NANDdw
0013F9A8 00000206 ..
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EDISTACKdw
0013F9A8 4DBE4AD8 JM
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEdw
0013F9A4 4DFD2FC2 /M
0013F9A8 4DBE4AD8 JM
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9A4 00000282 ..
0013F9A8 B2009025 %.
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A8 B2009025 %.
0013F9AC 4DBC0AC0 .M
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9A8 00000202 ..
0013F9AC 0043651A eC.
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ;NAND(NAND(NAND(A,A),NAND(B,B)),NAND(A,B))
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 0043651A eC.
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
The XOR above is the decryption the VM performs once the jump address has been determined: the encrypted address is operand A, 4DBE4AD8, and the XOR yields the ESI jump address 0043651A.

In VMP, subtraction is implemented in a roundabout way:
A-B:
NOT(A)
A=A+B
NOT(A)
and the NOT operations are in turn done with NAND:
A-B:
NAND(A,A)
A=A+B
NAND(A,A)
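As an added example that is not part of the original article, here is a small Python model of EBPSTACK with the four handlers the traces in 2.1.1 and 2.2.3 lean on (VM_PUSHdw_EBP, VM_COPYdw_EBPSTACK, VM_NANDdw and VM_MOVdw_EDISTACKdw_EBPSTACKdw), used to run the NOT, AND, OR and XOR recipes of 2.2.2 and the NOT/ADD/NOT subtraction above against the values in the traces. The starting EBP values and operands are taken from the traces; the class and function names are mine. One caveat on terminology: the operation the article calls NAND is NOT(A) AND NOT(B), which standard Boolean algebra calls NOR; the code follows the article's definition, and the four identities hold for it exactly as written.

```python
MASK32 = 0xFFFFFFFF


def and_flags(result):
    """EFLAGS after a 32-bit AND: OF/CF cleared, SF/ZF/PF from the result, AF left 0.
    Bit 1 (reserved, always 1) and IF (bit 9) stay set: the 0x2xx of every trace value."""
    flags = 0x202
    if result == 0:
        flags |= 0x40                       # ZF
    if result & 0x80000000:
        flags |= 0x80                       # SF
    if bin(result & 0xFF).count("1") % 2 == 0:
        flags |= 0x04                       # PF: parity of the low byte
    return flags


class EbpStack:
    """EBPSTACK: EBP points at the top and grows downward; EDISTACK is a list fed by MOV_EDISTACK."""

    def __init__(self, ebp):
        self.ebp, self.mem, self.edistack = ebp, {}, []     # mem: sparse dword memory

    def push(self, value):                  # VM_PUSHdw_IMMEDIATEdw / VM_PUSHdw_EDISTACKdw
        self.ebp -= 4
        self.mem[self.ebp] = value & MASK32

    def vm_push_ebp(self):                  # VM_PUSHdw_EBP: push the EBP pointer itself
        self.push(self.ebp)

    def vm_copy_ebpstack(self):             # VM_COPYdw_EBPSTACK: [EBP] = [[EBP]]
        self.mem[self.ebp] = self.mem[self.mem[self.ebp]]

    def vm_nand(self):                      # VM_NANDdw: NOT, NOT, AND; result -> [EBP+4], EFLAGS -> [EBP]
        a, b = self.mem[self.ebp], self.mem[self.ebp + 4]
        result = (~a & ~b) & MASK32
        self.mem[self.ebp + 4] = result
        self.mem[self.ebp] = and_flags(result)

    def vm_mov_edistack(self):              # VM_MOVdw_EDISTACKdw_EBPSTACKdw: pop the top into EDISTACK
        self.edistack.append(self.mem.pop(self.ebp))
        self.ebp += 4

    def nand_top_with_itself(self):         # PUSH_EBP, COPY_EBPSTACK, NAND, MOV_EDISTACK: top = NOT(top)
        self.vm_push_ebp()
        self.vm_copy_ebpstack()
        self.vm_nand()
        self.vm_mov_edistack()

    def nand_top_with(self, value):         # PUSH_IMMEDIATE, NAND, MOV_EDISTACK
        self.push(value)
        self.vm_nand()
        self.vm_mov_edistack()


def vm_not(a):                              # NOT(A) = NAND(A,A); returns (result, EFLAGS of the last NAND)
    s = EbpStack(0x0013F9B0)
    s.push(a)
    s.nand_top_with_itself()
    return s.mem[s.ebp], s.edistack[-1]


def vm_and(a, b):                           # AND(A,B) = NAND(NAND(A,A), NAND(B,B)); NAND(B,B) arrives as the immediate NOT(B)
    s = EbpStack(0x0013F9B0)
    s.push(a)
    s.nand_top_with_itself()
    s.nand_top_with(~b & MASK32)
    return s.mem[s.ebp], s.edistack[-1]


def vm_or(a, b):                            # OR(A,B) = NAND(NAND(A,B), NAND(A,B))
    s = EbpStack(0x0013F788)
    s.push(b)
    s.push(a)
    s.vm_nand()
    s.vm_mov_edistack()
    s.nand_top_with_itself()
    return s.mem[s.ebp], s.edistack[-1]


def vm_xor(a, b):                           # XOR(A,B) = NAND(NAND(NAND(A,A), NAND(B,B)), NAND(A,B))
    s = EbpStack(0x0013F9B0)
    s.push(a)
    s.nand_top_with_itself()
    s.nand_top_with(~b & MASK32)            # top is now A AND B
    s.push(a)                               # the trace refetches A from EDISTACK
    s.push(b)
    s.vm_nand()                             # NAND(A,B) lands just above A AND B
    s.vm_mov_edistack()
    s.vm_nand()
    s.vm_mov_edistack()
    return s.mem[s.ebp], s.edistack[-1]


def vm_sub(a, b):                           # A - B = NAND(X,X) with X = NAND(A,A) + B, i.e. NOT(NOT(A) + B)
    nand = lambda x, y: (~x & ~y) & MASK32
    x = (nand(a, a) + b) & MASK32
    return nand(x, x)
```

Each recipe returns the value left on top of EBPSTACK together with the EFLAGS value the last NAND deposited, so the pair can be compared directly with the stack dumps in 2.2.3 (for NOT(4DBE4AD8), B241B527 with flags 00000286). The subtraction identity works because NOT(NOT(A) + B) equals -(-A - 1 + B) - 1 = A - B in two's-complement arithmetic, which is why VMP never needs a SUB handler.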

2.3. EFLAGS Flag Check + Jump
After this section you will be able to read VMP pseudo-instructions without obstacles.
2.3.1. Testing Whether Two Numbers Are Equal
Example data:
Compare the immediate 0000 with the word at memory address 00427D51 and test whether the result is 0.
The whole process is divided into the following stages:
Stage one: perform the subtraction
A-B:
NAND(A,A) ; the flags here are useless
A=A+B ; yields flags A
NAND(A,A) ; yields flags B
Stage two: merge the two flag values
A=AND(A,00000815)
B=AND(B,FFFFF7EA)
A=A+B
Stage three: test ZF + jump
build the jump-address structure
test the ZF bit
obtain the encrypted jump address
decrypt the jump address
call VM_JMP
Before starting this part, set a breakpoint on the instruction following AND AL,3C in every VM_MOV_EDISTACK_EBPSTACK handler: we need to record where each flag value goes! 000000286-->14 (meaning the EFL value is stored at offset 14, i.e. [EDI+EAX])
Stage one:
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHw_IMMEDIATEb
0013F9AC 0000
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; immediate IMM0000
VM_PUSHdw_IMMEDIATEdw
0013F9A8 7D51
0013F9AC 00000042 B...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHw_MEMORYb
0013F9AC 00000000
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; memory value MEM0000. Clearly the two values are equal
VM_PUSHdw_EBP
0013F9A8 0013F9AC .
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYw_EBPSTACK
0013F9A8 0000
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; copy of the memory value MEM0000
VM_NANDw
0013F9A8 00000286 ..
0013F9AC 000000FF ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NOT(MEM0000)=MEM00FF
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 000000FF ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; 000000286-->14 (the EFL value is stored at offset 14, [EDI+EAX])
VM_ADDb_EBPSTACK
0013F9A8 0286
0013F9AC 00FF0000 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; 00FF=IMM0000+MEM00FF
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 00FF
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags A 000000286-->04
VM_PUSHdw_EBP
0013F9A8 F9AE
0013F9AC 00FF0013 ..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYw_EBPSTACK
0013F9AC 00FF00FF ..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDw
0013F9A8 0246
0013F9AC 00000000 ....
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NOT(00FF)
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 0000
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags B 00000246-->3C
VM_MOVw_EDISTACKb_EBPSTACKw
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
End of stage one.
Both operands are 0000, so clearly this test will find the two numbers equal, and ZF will be set after the subtraction.
The arithmetic results are all useless; what matters are the flags. Let us continue with the ZF check + jump.
Stage two:
VM_PUSHdw_EDISTACKdw
0013F9AC 00000286 ..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags A 000000286<--04
VM_PUSHdw_EDISTACKdw
0013F9A8 00000286 ..
0013F9AC 00000286 ..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags A once more
VM_NANDdw
0013F9A8 00000282 ..
0013F9AC FFFFFD79 y
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(A,A)=NOT(A)=FFFFFD79
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC FFFFFD79 y
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEw
0013F9A8 FFFFF7EA
0013F9AC FFFFFD79 y
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(X,X)=NOT(00000815)=FFFFF7EA; the complement is passed, hiding NOT(00000815)
VM_NANDdw
0013F9A8 00000202 ..
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(NAND(A,A),NAND(X,X)) = flags A 00000286 AND 00000815
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_EDISTACKdw
0013F9A8 00000246 F..
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags B 00000246<--3C
VM_PUSHdw_EDISTACKdw
0013F9A4 00000246 F..
0013F9A8 00000246 F..
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; flags B once more
VM_NANDdw
0013F9A4 00000282 ..
0013F9A8 FFFFFDB9
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(B,B)=NOT(B)=FFFFFDB9
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A8 FFFFFDB9
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEw
0013F9A4 00000815 ..
0013F9A8 FFFFFDB9
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(Y,Y)=NOT(FFFFF7EA)=00000815; the complement is passed, hiding NOT(FFFFF7EA)
VM_NANDdw
0013F9A4 00000206 ..
0013F9A8 00000242 B..
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(NAND(B,B),NAND(Y,Y)) = flags B 00000246 AND FFFFF7EA
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A8 00000242 B..
0013F9AC 00000004 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_ADDdw_EBPSTACK
0013F9A8 00000202 ..
0013F9AC 00000246 F..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; the two ANDed flag values are added
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 00000246 F..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; 00000246-->00, the result is stored temporarily
End of stage two
VMP has now merged the two flag values into one; the analysis of the merge follows after the trace. Continue with stage three, the ZF check + jump. Watch closely how the stack data is built: a stack VM's conditional jump has its own peculiarities, and it cleverly exploits the position of ZF within EFLAGS.
Stage three:
VM_PUSHdw_IMMEDIATEdw
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; jump address 1
VM_PUSHdw_IMMEDIATEdw
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; jump address 2
VM_PUSHdw_EBP
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; jump-address pointer
VM_PUSHw_IMMEDIATEb
0013F9A0 0004
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; passes 4; note the stack layout, the next few operations are independent
VM_PUSHdw_EDISTACKdw
0013F99C 0246
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; stage-two result 00000246<--00
VM_PUSHdw_EBP
0013F998 F99E
0013F99C 02460013 .F
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_COPYdw_EBPSTACK
0013F998 0246
0013F99C 02460000 ..F
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; copy of the flags
VM_NANDdw
0013F998 0282
0013F99C FDB90000 ..
0013F9A0 0004FFFF .
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(A,A)=NOT(A)=NOT(00000246)=FFFFFDB9
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F99C FDB9
0013F9A0 0004FFFF .
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEb
0013F998 FFBF
0013F99C FDB9FFFF
0013F9A0 0004FFFF .
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(B,B)=NOT(00000040)=FFFFFFBF; the complement is passed, hiding NOT(00000040)
VM_NANDdw
0013F998 0202
0013F99C 00400000 ..@. ; OFFSET NOTEPAD.B
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; NAND(NAND(A,A),NAND(B,B)) = flags 00000246 AND 00000040
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F99C 0040
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; the AND result is 00000040, so ZF is 1 and the two numbers are equal; had they been unequal the result would be 00000000
VM_SHRdw_EBPSTACKb
0013F99C 00000202 ..
0013F9A0 00000004 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; shifting right by 4 turns 00000040 into exactly 00000004; if unequal, the shifted value is 00000000
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A0 00000004 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_ADDdw_EBPSTACK
0013F9A0 00000206 ..
0013F9A4 0013F9AC .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; 00000004+0013F9A8=0013F9AC; if unequal, 00000000+0013F9A8=0013F9A8
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A4 0013F9AC .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; the jump-address pointer now points at the jump address chosen by the test
VM_COPYdw_EBPSTACK
0013F9A4 4DBE4AD8 JM
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; the jump address the pointer points at is copied out
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; the final jump address is stored temporarily in EDISTACK, 4DBE4AD8-->18
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; clean-up, freeing EBPSTACK
VM_MOVdw_EDISTACKdw_EBPSTACKdw
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; clean-up, freeing EBPSTACK
VM_PUSHdw_EDISTACKdw
0013F9AC 4DBE4AD8 JM
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A ; pushes the chosen jump address 4DBE4AD8<--18
End of stage three
Next the VM uses one XOR to decrypt 4DBE4AD8 (see the XOR example in 2.2.3), followed by the VM_JMP call combination (see the example in 2.1.3), and the whole process is complete.
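As an added example that is not part of the original article, the following Python models the three stages of the trace above on byte-wide operands: stage one as the NOT/ADD/NOT rewrite of the subtraction with x86 flag semantics for AND and ADD, stage two as the 00000815 / FFFFF7EA mask-and-add merge, and stage three as the (EFLAGS AND 40) SHR 4 pointer adjustment that picks one of the two jump addresses. The jump structure at 0013F9A8, the two encrypted addresses and the XOR operand 4DFD2FC2 are the values from the trace and from 2.2.3; the function names are mine. The model also runs an unequal pair of operands, which the article does not trace, to show the other slot being selected.

```python
MASK32 = 0xFFFFFFFF
CF, PF, AF, ZF, SF, IF, OF = 0x001, 0x004, 0x010, 0x040, 0x080, 0x200, 0x800
BASE = 0x002 | IF          # bit 1 always reads 1 and IF is set in user mode: the 0x2xx of every trace value


def _szp(result: int) -> int:
    """SF, ZF and PF of an 8-bit result."""
    flags = 0
    if result == 0:
        flags |= ZF
    if result & 0x80:
        flags |= SF
    if bin(result & 0xFF).count("1") % 2 == 0:
        flags |= PF
    return flags


def nand8(a: int, b: int):
    """VM_NANDw on byte operands: NOT AL, NOT DL, AND AL,DL. AND clears OF/CF; AF is undefined (0 here)."""
    result = (~a & ~b) & 0xFF
    return result, BASE | _szp(result)


def add8(a: int, b: int):
    """VM_ADDw_EBPSTACK's ADD BYTE PTR [EBP+4],AL with the full ADD flag set."""
    total = a + b
    result = total & 0xFF
    flags = BASE | _szp(result)
    if total > 0xFF:
        flags |= CF
    if (a & 0xF) + (b & 0xF) > 0xF:
        flags |= AF
    if (a ^ result) & (b ^ result) & 0x80:
        flags |= OF
    return result, flags


def stage1_subtract(imm: int, mem: int):
    """The subtraction rewritten as NOT, ADD, NOT. Returns (result, flags_A, flags_B)."""
    x, _ = nand8(mem, mem)          # NOT(MEM); these flags are discarded
    x, flags_a = add8(x, imm)       # NOT(MEM) + IMM  -> flags A
    x, flags_b = nand8(x, x)        # NOT(...)        -> flags B; the result is zero exactly when IMM == MEM
    return x, flags_a, flags_b


def stage2_merge(flags_a: int, flags_b: int) -> int:
    """OF/AF/PF/CF come from flags A, everything else from flags B; the masks are disjoint, so ADD merges them."""
    return ((flags_a & 0x00000815) + (flags_b & 0xFFFFF7EA)) & MASK32


def stage3_select(eflags: int, table_ptr: int, table: dict) -> int:
    """(EFLAGS AND 40) SHR 4 is 4 when ZF is set and 0 otherwise; added to the pointer it picks the slot."""
    return table[table_ptr + ((eflags & ZF) >> 4)]


def compare_and_branch(imm: int, mem: int, table_ptr: int, table: dict) -> int:
    """The whole check: returns the still-encrypted jump address the VM goes on to decrypt."""
    _, flags_a, flags_b = stage1_subtract(imm, mem)
    return stage3_select(stage2_merge(flags_a, flags_b), table_ptr, table)


def decrypt_target(encrypted: int, key: int) -> int:
    """The XOR from 2.2.3 applied to the selected address."""
    return encrypted ^ key


# Jump structure exactly as in the trace: the pointer holds jump address 2, pointer+4 holds jump address 1.
JUMP_TABLE = {0x0013F9A8: 0x4DBE49D5, 0x0013F9AC: 0x4DBE4AD8}
JUMP_PTR = 0x0013F9A8
XOR_KEY = 0x4DFD2FC2       # the immediate XORed with the selected address in 2.2.3

if __name__ == "__main__":
    for imm, mem in ((0x00, 0x00), (0x00, 0x01)):
        enc = compare_and_branch(imm, mem, JUMP_PTR, JUMP_TABLE)
        print(f"IMM {imm:02X} vs MEM {mem:02X}: selected {enc:08X}, XOR with key -> {decrypt_target(enc, XOR_KEY):08X}")
```

Running it with the trace's operands reproduces flags A = 00000286, flags B = 00000246, the merged value 00000246 and the selection of 4DBE4AD8, which decrypts to 0043651A. Whether the not-equal slot is decrypted with the same XOR operand is not shown in the article, so the model only decrypts the path the trace actually took; the unequal run demonstrates that the ZF bit alone steers the pointer.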
Both operands are 0000: one comes from memory, the other from the compiled data at ESI, and this code runs right after the VM starts, so both are fixed quantities. Yet the VM still checks them, which suggests the two values are not fixed in general: the VM needs to know at run time whether the value is 0, so it may be an internal VMP signal, and the VM needs to know from the very start which branch to take. Later we will test what path the VM follows when the comparison of this signal is non-zero.
Now let us go through the operations above in detail, starting from the stage-two flag merge.
Stage one: perform the subtraction
IMM0000-MEM0000:
NAND(IMM0000,IMM0000) ; the flags here are useless
00FF=IMM00FF+MEM0000 ; yields flags A 000000286
NAND(00FF,00FF) ; yields flags B 000000246
Stage two: merge the two flag values
00000004=AND(00000286,00000815)
00000242=AND(00000246,FFFFF7EA)
00000246=00000004+00000242
Each flag value is ANDed separately and the two are then added: the AND keeps the wanted flag bits and the addition merges them.
On the EFLAGS bits, Intel's documentation shows:
[Figure 3.jpg: EFLAGS register layout]
For a detailed description of each flag, consult section 3.4.3 "EFLAGS Register" in Volume 1 of the Intel 64 and IA-32 Architectures Software Developer's Manual.
On the ADD instruction, Intel's documentation shows:
ADD - Add
Operation

DEST ← DEST + SRC;

Flags Affected

The OF, SF, ZF, AF, CF, and PF flags are set according to the result.

00000286 AND 00000815 in binary:
0000 0000 0000 0000 0000 0010 1000 0110
AND 0000 0000 0000 0000 0000 1000 0001 0101
We can now see that the bits the VM keeps are OF, AF, PF and CF. Why are SF and ZF not kept here? Because this is not yet the final result of A-B, SF and ZF can only be known once the last operation completes. In flags A the PF bit is 1, so PF is preserved.
The first AND mask 00000815 and the second, FFFFF7EA, are related: 00000815+FFFFF7EA=FFFFFFFF, so between them the two ANDs keep every flag bit and nothing is lost. They are split in two because the subtraction has been rewritten as a different sequence of operations, so each stage can only contribute the flags it computes correctly.
The final NAND(A,A):
NOT A ; first operand
NOT A ; second operand
AND A,A ; the final flags B 00000246 come from here
On the AND logical operation, Intel's documentation shows:
AND¡ªLogical AND
Operation

DEST ← DEST AND SRC;

Flags Affected

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the
result. The state of the AF flag is undefined.

00000246 AND FFFFF7EA in binary:
0000 0000 0000 0000 0000 0010 0100 0110
AND 1111 1111 1111 1111 1111 0111 1110 1010
The VM keeps every flag bit other than the OF, AF, PF and CF already taken via 00000815 above. In flags B four bits are 1: IF, ZF, PF and bit 1, an Intel reserved bit that defaults to 1; so IF, ZF and PF are preserved.
Adding the two flag values gives the merged flags 00000246, exactly what a SUB of the two operands would have produced.
Now stage three:
Build the jump structure:
0013F9A0 0004
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
The two jump addresses 4DBE49D5 and 4DBE4AD8 are pushed onto the stack. 0013F9A8 becomes the jump-address pointer and points at the first target; if the pointer 0013F9A8 is advanced by 4 it points at the second. Finally there is a 0004: it is not the operand that adds 4 to the pointer, but it takes part in the clever computation that tests ZF.
Next the VM performs an AND via NAND with operands flags 00000246 and 00000040 (unsurprisingly the VM hides one NAND(B,B) in the process by passing the complement of 00000040, FFFFFFBF, directly).
0013F998 FFBF
0013F99C FDB9FFFF
0013F9A0 FFFF .
0013F9A0 0004 ; shown split for clarity
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
VM_NANDdw
0013F99C 0040 ; the result is 00000040
0013F9A0 00040000 ...
0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM
The NAND operation is:
NOT(A)
NOT(B)
AND(A,B)
So inside this pseudo-instruction the computation is 00000246 AND 00000040.
00000246 AND 00000040 in binary:
0000 0000 0000 0000 0000 0010 0100 0110
AND 0000 0000 0000 0000 0000 0000 0100 0000
This tests ZF alone: if ZF is 1 the result is 00000040, otherwise 00000000. Because ZF happens to sit in the 4 position of its hex digit, the result can be added to the jump-address pointer from before: 0013F9A8+0 is unchanged and points at the first address, +4 points at the second. So the AND result and the pointer 0013F9A8 go through one addition, and when ZF is 1, 0013F9A8+4 points at 4DBE4AD8 and the conditional jump is decided. But below the ZF digit there is one more hex digit of 0, the trailing 0 of 00000040; added directly to 0013F9A8 that would be +40, so a 4-bit right shift is done first, turning 00000040 into 00000004, and only then is the addition correct.

ZF = 1, after AND 00000040:             ZF = 0, after AND 00000040:
        00000040                                00000000
SHR(4)  00000004                        SHR(4)  00000000
ADD     0013F9A8                        ADD     0013F9A8
result  0013F9AC                        result  0013F9A8
0013F9A4 0013F9AC .                     0013F9A4 0013F9A8 .
0013F9A8 4DBE49D5 IM                    0013F9A8 4DBE49D5 IM
0013F9AC 4DBE4AD8 JM                    0013F9AC 4DBE4AD8 JM
A different ZF thus yields a different jump address; after the chosen address is decrypted, VM_JMP loads it into the VM's instruction pointer ESI, and the process is complete.
To test ZF it would be enough to compare the final flags B directly, with no masking and merging, so why does VMProtect extract every flag along the way? I think it can be seen like this: in VMProtect the flag masking and merging is a module of its own, and whichever flag is to be tested, that module runs first and the flag test follows. For a pure ZF test this adds many unnecessary operations, but it is general: once the module has run, VMProtect can attach a test of any flag afterwards.
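As an added example that is not part of the original article, the three stages above replayed in Python: the NAND/ADD/NAND subtraction, the 00000815/FFFFF7EA flag merge, and the ZF-driven jump-pointer selection, using the trace's values. It goes beyond the 0000-0000 case by checking the merged flags against a native SUB for every 8-bit operand pair; the 8-bit operand width and the 0x202 starting EFLAGS are assumptions.

```python
# Added example (not from the original article): reconstruct the three-stage
# flag computation of VMProtect's virtualised SUB and the ZF-driven jump
# selection. Operands are modelled as 8-bit; masks, addresses and jump
# targets are the article's. IF and reserved bit 1 start set (0x202, assumed).

CF, PF, AF, ZF, SF, IF, OF = 1 << 0, 1 << 2, 1 << 4, 1 << 6, 1 << 7, 1 << 9, 1 << 11
BASE_EFLAGS = 0x202     # reserved bit 1 and IF are set throughout the trace

ADD_KEEP = 0x00000815   # OF AF PF CF taken from the ADD stage (flags A)
AND_KEEP = 0xFFFFF7EA   # everything else taken from the final NAND (flags B)
ZF_SHIFT = 4            # 0x40 >> 4 == 4, the size of one jump-table slot


def _parity_even(value):
    return bin(value & 0xFF).count("1") % 2 == 0


def _result_flags(r):
    """SF, ZF and PF derived from an 8-bit result."""
    f = 0
    if r == 0:
        f |= ZF
    if r & 0x80:
        f |= SF
    if _parity_even(r):
        f |= PF
    return f


def add8(a, b):
    """8-bit ADD: returns (result, EFLAGS) with OF SF ZF AF CF PF set per Intel."""
    total = a + b
    r = total & 0xFF
    f = BASE_EFLAGS | _result_flags(r)
    if total > 0xFF:
        f |= CF
    if (a & 0xF) + (b & 0xF) > 0xF:
        f |= AF
    if (a ^ r) & (b ^ r) & 0x80:
        f |= OF
    return r, f


def and8(a, b):
    """8-bit AND: OF and CF cleared, SF ZF PF from the result (AF left clear)."""
    r = a & b
    return r, BASE_EFLAGS | _result_flags(r)


def nand8(a, b):
    """The VM's NAND handler as the article describes it: AND(NOT a, NOT b)."""
    return and8(~a & 0xFF, ~b & 0xFF)


def vm_sub8(imm, mem):
    """Stages one and two: imm - mem via NAND/ADD/NAND, then merge the flags."""
    not_imm, _ = nand8(imm, imm)             # flags of this NAND are unused
    summed, flags_a = add8(not_imm, mem)     # ~imm + mem          -> flags A
    result, flags_b = nand8(summed, summed)  # ~(~imm + mem) = imm - mem -> flags B
    merged = (flags_a & ADD_KEEP) + (flags_b & AND_KEEP)
    return result, flags_a, flags_b, merged


def real_sub8(a, b):
    """Reference: the flags a native 8-bit SUB would produce."""
    r = (a - b) & 0xFF
    f = BASE_EFLAGS | _result_flags(r)
    if a < b:
        f |= CF
    if (a & 0xF) < (b & 0xF):
        f |= AF
    if (a ^ b) & (a ^ r) & 0x80:
        f |= OF
    return f


def select_jump(flags, jump_table, pointer):
    """Stage three: (flags AND 0x40) >> 4 is added to the jump-address pointer."""
    pointer += (flags & ZF) >> ZF_SHIFT
    return jump_table[pointer]


if __name__ == "__main__":
    result, a, b, merged = vm_sub8(0x00, 0x00)
    print(f"result={result:02X} A={a:08X} B={b:08X} merged={merged:08X}")
    table = {0x0013F9A8: 0x4DBE49D5, 0x0013F9AC: 0x4DBE4AD8}  # from the trace
    print(f"jump -> {select_jump(merged, table, 0x0013F9A8):08X}")
```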



3. Tracing NOTEPAD end to end
In this chapter we walk through NOTEPAD.EXE from start to finish. In the code shown here all of the shell's junk instructions are skipped, and some of the VM's pseudo-instructions are skipped as well.
3.1. TLS
3.1.1. Reaching the Dispatch section
A VMProtect 2.04 packed program starts running from TLS, so first open OD's options menu and change the Startup and exit setting so that OD breaks in the TLS callback. After loading NOTEPAD.EXE the program stops here:
004253CD $ 68 9AA597B7 PUSH B797A59A ; TLS callback function
Current register values:
EAX 004253CD NOTEPAD.004253CD
ECX 00000020
EDX 000359F4
EBX 00000000
ESP 0013F9B0
EBP 0013F9CC
ESI 0013F9C0
EDI 00400000 NOTEPAD.
Before entering the VM, VMProtect saves the current register values, allocates the VM stack, loads the pseudo-instruction pointer register ESI, and so on; when initialization is done it enters the Dispatch section and the VM starts running. Single-stepping with F7:
0043BD02 . C74424 40 0A4 MOV DWORD PTR SS:[ESP+40],2EF6420A ; |*
00429088 |> \C74424 44 19C MOV DWORD PTR SS:[ARG.17],C456C619 ; *
; push the VM's two constants.
0043DCD2 |. 893424 MOV DWORD PTR SS:[ESP],ESI ; *
0043CF0D . 57 PUSH EDI ; *
0043CF17 . 891424 MOV DWORD PTR SS:[ESP],EDX ; *
0043CF1D . 50 PUSH EAX ; *
0043E17A |. 896C24 04 MOV DWORD PTR SS:[ARG.1],EBP ; *
0043D741 |> /871C24 XCHG DWORD PTR SS:[ESP],EBX ; *
0043D746 |. 894C24 20 MOV DWORD PTR SS:[ESP+20],ECX ; *
; all 7 registers saved
0043D750 |. 875424 40 XCHG DWORD PTR SS:[ESP+40],EDX ; |Arg17, *
0043E62E /$ 9C PUSHFD ; *
0043E62F |. 8F4424 40 POP DWORD PTR SS:[ESP+40] ; *
0043E636 |. FF35 89D24300 PUSH DWORD PTR DS:[43D289] ; *
0043E63C |. 8F4424 3C POP DWORD PTR SS:[ESP+3C] ; *
0043E646 |. C74424 38 000 MOV DWORD PTR SS:[ESP+38],0 ; *
; one more register is saved: since ESP is dynamic, this slot stands in for the ESP register; then EFLAGS; the memory value at [43D289]; constant 0; 13 values in all
0013F97C 00000000 .... ;constant 0 20
0013F980 00000000 .... ;[43D289] 24 (8121D2F0 is added)
0013F984 00000246 F.. ;EFLAGS 0C
0013F988 000359F4 Y. ;EDX (slot standing in for the ESP register) 00
0013F98C 00000020 ... ;ECX 08
0013F990 00000000 .... ;EBX 1C
0013F994 0013F9CC . ;EBP 28
0013F998 004253CD SB. ;EAX 10
0013F99C 000359F4 Y. ;EDX 2C
0013F9A0 00400000 ..@. ;EDI 30
0013F9A4 0013F9C0 . ;ESI 38
0013F9A8 C456C619 V ;constant B 3C
0013F9AC 2EF6420A .B. ;constant A 18
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
0043E65B |. 8B7424 68 MOV ESI,DWORD PTR SS:[ESP+68] ; *
; this reads constant A=2EF6420A; what follows decrypts 2EF6420A:
0043E665 |. 0FCE BSWAP ESI ; *
0043E66E |. 4E DEC ESI ; *
0043E67D |. 81F6 63A1000A XOR ESI,0A00A163 ; *
; done: ESI=0042574E, the start of the VM's instruction stream
0043E68C |. 8D6C24 34 LEA EBP,[ESP+34]
0043E692 |. 81EC 8C000000 SUB ESP,8C ; *
0043E69C |. 89E7 MOV EDI,ESP ; *
; the first instruction gives EBP the address 0013F97C, the end of the 13 saved values; the VM stack is allocated from there
; the 13 saved dwords = 34h bytes; before the subtraction ESP sits 34h bytes below 0013F9FC, and the subtraction allocates 8Ch bytes; 34+34+8C=F4h bytes = 61 dwords
; for a detailed analysis of the VM stack see 1.2 VM stack
0043E6A9 |. 89F3 MOV EBX,ESI ; *
; EBX is the auxiliary register for the VM's data decryption, initialized to the VM instruction stream address 0042574E
0043E6B8 |. 0375 00 ADD ESI,DWORD PTR SS:[EBP] ; *
; ESI is also added to constant 0; a non-zero value would move the VM instruction stream address and decide which instruction runs first
; constant 0 can be seen as an internal VM correction; in NOTEPAD it is 0
At this point initialization is complete and the program has reached the Dispatch section. In summary: save the data, allocate the VM stack, load ESI. The next instruction, 0043E6BB, is the address every pseudo-instruction returns to when it finishes.
0043E6BB |> >66:0FA5FA SHLD DX,DI,CL ; Dispatch: junk instruction, meaningless
3.1.2. Analysis of the Dispatch section
Fetching the first pseudo-instruction:
0043E6BF |. 8A46 FF MOV AL,BYTE PTR DS:[ESI-1] ; *
; read the pseudo-instruction opcode; what follows decrypts opcode C0:
0043E6C4 |. 30D8 XOR AL,BL
0043E6CE |. F6D0 NOT AL ; *
0043E6D6 |. FEC8 DEC AL ; *
0043E6DA |. C0C8 07 ROR AL,7 ; *
; done: AL=E0, which indexes the DispatchTable to locate the handler address.
0043E6E1 |. 83EE 01 SUB ESI,1 ; *
0043E6ED |. 30C3 XOR BL,AL ; *
£»Ö¸ÁîÐòÁмõ1£¬¼ÆËãºÃÏÂÒ»´ÎBLµÄÖµ
0043D02F |. 0FB6C0 MOVZX EAX,AL ; *
0043F124 |. 8B1485 DBE143 MOV EDX,DWORD PTR DS:[EAX*4+43E1DB] ; *
; fetch the encrypted handler address 49C4C29F; what follows decrypts 49C4C29F:
; for a detailed analysis of the DispatchTable see 1.3 Pseudo-instruction summary
0043E100 |> /81C2 6B197FB6 ADD EDX,B67F196B ; *
; only one decryption instruction: add the constant B67F196B, EDX=0043DC0A
0043E10A |. 895424 3C MOV DWORD PTR SS:[ESP+3C],EDX ; *
0043E11B |. FF7424 4C PUSH DWORD PTR SS:[ESP+4C] ; *
0043E11F |. C2 5000 RETN 50 ; Enter
; since the jump is done with RET it needs the real stack pointer ESP; to stash the EDX address the VM uses the slot just above EDISTACK:
0013F8B8 0043DC0A .C. ; RETURN from NOTEPAD.0043D5C7 to NOTEPAD.0043DC0A
0013F8BC 00953F38 8?. ; this is the upper bound of EDISTACK

At this point the VM is about to execute the first pseudo-instruction. The whole sequence: initialize, fetch the opcode from the ESI pointer, look up the handler address in the DispatchTable, jump to the handler. The Dispatch section is executed over and over again inside the VM; every handler returns here when it finishes to fetch the next pseudo-instruction.
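As an added example (not from the original article), the initialization and Dispatch arithmetic traced above replayed in Python with the listing's constants; the only assumed value is the encrypted opcode byte 0xC0 at [ESI-1], and the bytecode and table dictionaries are constructed stand-ins for the real memory.

```python
# Added example (not from the original article): replay the ESI decryption,
# the opcode decoding with the rolling BL key, and the DispatchTable entry
# decryption using the constants from the trace. The bytecode and table
# mappings are constructed for the example; 0xC0 is the assumed encrypted byte.

MASK32 = 0xFFFFFFFF


def bswap32(v):
    return int.from_bytes((v & MASK32).to_bytes(4, "little"), "big")


def ror8(v, n):
    n %= 8
    return ((v >> n) | (v << (8 - n))) & 0xFF


def decrypt_esi(constant_a):
    """0043E665..0043E67D: BSWAP ESI / DEC ESI / XOR ESI,0A00A163."""
    esi = bswap32(constant_a)
    esi = (esi - 1) & MASK32
    return esi ^ 0x0A00A163


def decode_opcode(encrypted, bl):
    """0043E6C4..0043E6ED: XOR AL,BL / NOT AL / DEC AL / ROR AL,7, then XOR BL,AL.
    Returns (handler index, updated BL). BL is a rolling key: each decoded
    opcode changes how the next one is decoded."""
    al = encrypted ^ bl
    al = ~al & 0xFF
    al = (al - 1) & 0xFF
    al = ror8(al, 7)
    return al, bl ^ al


def decrypt_handler(table_entry):
    """0043E100: ADD EDX,B67F196B turns the table entry into the handler address."""
    return (table_entry + 0xB67F196B) & MASK32


def dispatch_step(esi, ebx, bytecode, table):
    """One Dispatch round: fetch [ESI-1], decode, look up, step ESI back by one.
    bytecode maps addresses to encrypted opcode bytes; table maps the decoded
    index to the encrypted DispatchTable entry (both constructed here)."""
    index, bl = decode_opcode(bytecode[esi - 1], ebx & 0xFF)
    ebx = (ebx & ~0xFF & MASK32) | bl
    handler = decrypt_handler(table[index])
    return esi - 1, ebx, handler


if __name__ == "__main__":
    esi = decrypt_esi(0x2EF6420A)      # constant A from the saved block
    ebx = esi                          # MOV EBX,ESI
    bytecode = {esi - 1: 0xC0}         # constructed: encrypted opcode at [ESI-1]
    table = {0xE0: 0x49C4C29F}         # constructed: the one table entry used
    esi, ebx, handler = dispatch_step(esi, ebx, bytecode, table)
    print(f"ESI={esi:08X} EBX={ebx:08X} handler={handler:08X}")
```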
3.1.3. First glimpse of the anti-debug approach
Building on the earlier chapters, this section gives an overview of NOTEPAD from the TLS callback to the TLS exit. No x86 instruction code appears in this walkthrough; pseudo-instruction combinations already covered are abbreviated, cross-referenced and skipped.
1. Initialization (see 3.1 Initialization)
After NOTEPAD breaks in the TLS callback and initialization completes, pseudo-instructions begin executing. The VM moves all 13 saved initialization values carried in EBPSTACK into EDISTACK.
2. Compare the ESI data 0000 with [00427D51]=0000 and jump (see 2.3.1 Testing for equality)
3. VMProtect walks the PE file structure to read the first byte of the program entry point and checks it for CC (INT3). The VM does this in a separate stack area, moving the stack pointer from 0013F994-40=0013F954; at the start it builds two copies of 0013F954 for a NAND(A,A), slightly different from before, which is not detailed here. The process:
0013F994-40=0013F954
MOV EBP,0013F954
0013F988 0013F994 .
0013F98C 0013F994 .
0013F990 00000040 @...
0013F994 0013F9C0 . ; EBP pointer before the computation
VM_NANDdw
0013F98C FFEC066B k
0013F990 00000040 @...
0013F994 0013F9C0 .
VM_ADDdw_EBPSTACK
0013F990 FFEC06AB
0013F994 0013F9C0 .
VM_PUSHdw_EBP
VM_COPYw_EBPSTACK
0013F98C FFEC06AB
0013F990 FFEC06AB
0013F994 0013F9C0 .
VM_NANDdw
0013F990 0013F954 T.
0013F994 0013F9C0 .
VM_MOVdw_EBPreg_EBPSTACK
EBP 0013F954
After the stack has moved to 0013F954:
VM_PUSHdw_IMMEDIATEdw ; push 00427D51
Now locate the program entry address through the PE file format:
VM_PUSHdw_IMMEDIATEdw ; push 00400000, the address of NOTEPAD's file header; follow it in OD's data window
00400000 4D 5A 90 00|03 00 00 00|04 00 00 00|FF FF 00 00| MZ.........
00400010 B8 00 00 00|00 00 00 00|40 00 00 00|00 00 00 00| .......@.......
00400020 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400030 00 00 00 00|00 00 00 00|00 00 00 00|80 00 00 00| ...............
00400040 0E 1F BA 0E|00 B4 09 CD|21 B8 01 4C|CD 21 54 68| ..!L!Th
00400050 69 73 20 70|72 6F 67 72|61 6D 20 63|61 6E 6E 6F| is program canno
00400060 74 20 62 65|20 72 75 6E|20 69 6E 20|44 4F 53 20| t be run in DOS
00400070 6D 6F 64 65|2E 0D 0D 0A|24 00 00 00|00 00 00 00| mode....$.......
00400080 50 45 00 00|4C 01 09 00|65 91 46 35|00 00 00 00| PE..L..eF5....
00400090 00 00 00 00|E0 00 0F 01|0B 01 03 0A|00 F0 03 00| .....
004000A0 00 74 00 00|00 00 00 00|17 78 03 00|00 10 00 00| .t......x....
004000B0 00 50 00 00|00 00 40 00|00 10 00 00|00 10 00 00| .P....@.......
004000C0 04 00 00 00|00 00 00 00|04 00 00 00|00 00 00 00| ..............
004000D0 00 50 04 00|00 04 00 00|CE 59 03 00|02 00 00 00| .P....Y....
004000E0 00 00 10 00|00 10 00 00|00 00 10 00|00 10 00 00| ............
004000F0 00 00 00 00|10 00 00 00|FC 1D 02 00|50 0C 00 00| ........P...
00400100 18 66 03 00|A0 00 00 00|00 00 04 00|00 50 00 00| f........P..
00400110 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400120 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400130 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400140 F4 59 03 00|20 00 00 00|00 00 00 00|00 00 00 00| Y. ...........
00400150 00 00 00 00|00 00 00 00|B0 7D 03 00|4C 00 00 00| ........}.L...
00400160 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400170 00 00 00 00|00 00 00 00|2E 74 65 78|74 00 00 00| .........text...
00400180 9C 3E 00 00|00 10 00 00|00 00 00 00|00 00 00 00| >.............
00400190 00 00 00 00|00 00 00 00|00 00 00 00|20 00 00 60| ............ ..`
004001A0 2E 64 61 74|61 00 00 00|4C 08 00 00|00 50 00 00| .data...L...P..
004001B0 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
004001C0 00 00 00 00|40 00 00 C0|2E 69 64 61|74 61 00 00| ....@...idata..
004001D0 E8 0D 00 00|00 60 00 00|00 00 00 00|00 00 00 00| ....`..........
004001E0 00 00 00 00|00 00 00 00|00 00 00 00|40 00 00 40| ............@..@
004001F0 2E 76 6D 70|31 00 00 00|B8 4F 00 00|00 70 00 00| .vmp1...O...p..
00400200 00 50 00 00|00 10 00 00|00 00 00 00|00 00 00 00| .P.............
00400210 00 00 00 00|60 00 00 60|2E 76 6D 70|30 00 00 00| ....`..`.vmp0...
00400220 9C 0A 00 00|00 C0 00 00|00 00 00 00|00 00 00 00| ..............
00400230 00 00 00 00|00 00 00 00|00 00 00 00|60 00 00 60| ............`..`
00400240 2E 76 6D 70|32 00 00 00|A0 FD 00 00|00 D0 00 00| .vmp2........
00400250 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400260 00 00 00 00|20 00 00 20|2E 74 6C 73|00 00 00 00| .... .. .tls....
00400270 18 00 00 00|00 D0 01 00|00 10 00 00|00 60 00 00| .........`..
00400280 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 C0| ...............
00400290 2E 76 6D 70|33 00 00 00|85 11 02 00|00 E0 01 00| .vmp3......
004002A0 00 20 02 00|00 70 00 00|00 00 00 00|00 00 00 00| . ..p..........
004002B0 00 00 00 00|20 00 00 E2|2E 72 73 72|63 00 00 00| .... ...rsrc...
004002C0 B0 4F 00 00|00 00 04 00|00 50 00 00|00 90 02 00| O......P....
004002D0 00 00 00 00|00 00 00 00|00 00 00 00|40 00 00 40| ............@..@
004002E0 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
004002F0 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400300 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400310 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400320 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400330 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00400340 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................

0013F94C 0000003C <...
0013F950 00400000 ..@. ; OFFSET NOTEPAD. ; DOS_header_addr
VM_ADDdw_EBPSTACK
0013F950 0040003C <.@. ; e_magic
VM_PUSHdw_MEMORYdw
0013F950 00000080 ...
Read the value of e_magic to obtain the location of the PE header.
0013F94C 00000080 ...
0013F950 00400000 ..@. ; OFFSET NOTEPAD
VM_ADDdw_EBPSTACK
0013F950 00400080 .@. ; ASCII "PE" ; IMAGE_NT_HEADERS

0013F94C 00400080 .@. ; ASCII "PE"
0013F950 00000028 (...
VM_ADDdw_EBPSTACK
0013F950 004000A8 .@. ; AddressOfEntryPoint
VM_PUSHdw_MEMORYdw
0013F950 00037817 x.
Offset 28 from the PE header is the AddressOfEntryPoint field of the IMAGE_OPTIONAL_HEADER32 structure; the program's entry point RVA is 00037817.
0013F94C 00037817 x.
0013F950 00400000 ..@. ; OFFSET NOTEPAD
VM_ADDdw_EBPSTACK
0013F950 00437817 xC. ; NOTEPAD.
We now have NOTEPAD's entry point address.
VM_PUSHw_IMMEDIATEb
0013F950 00CC

0013F94C 7817
0013F950 00CC0043 C..
VM_PUSHw_MEMORYb
0013F950 00CC0068 h..
The byte at the entry point is read and compared with CC. I had not set an INT3 breakpoint at the entry address, so the byte read is 68. VMProtect then performs the subtraction and the ZF test, not repeated here; after the VM_JMP combination completes, EBPSTACK is restored to 0013F994.
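As an added example (not from the original article), the same PE walk in Python over the first 0xC0 bytes of NOTEPAD's header as shown in the OD data window above: the header pointer at offset 3C (e_lfanew), the PE signature, AddressOfEntryPoint at PE+28 and ImageBase at PE+34, followed by the CC check; the entry byte (0x68 in this run) is supplied through a constructed read callback.

```python
# Added example (not from the original article): walk the PE header the way
# the VM does above, using ordinary Python over the header bytes from the
# OD dump. The breakpoint check reads the entry byte through a callback so
# the caller supplies it; the article's run saw 0x68 there.
import struct

# Constructed from the 00400000..004000B0 dump above (the rest is not needed).
NOTEPAD_HEADER = bytes.fromhex(
    "4D5A9000 03000000 04000000 FFFF0000"   # 00400000: MZ header
    "B8000000 00000000 40000000 00000000"   # 00400010
    "00000000 00000000 00000000 00000000"   # 00400020
    "00000000 00000000 00000000 80000000"   # 00400030: offset 3C -> 00000080
    "0E1FBA0E 00B409CD 21B8014C CD215468"   # 00400040: DOS stub
    "69732070 726F6772 616D2063 616E6E6F"   # 00400050
    "74206265 2072756E 20696E20 444F5320"   # 00400060
    "6D6F6465 2E0D0D0A 24000000 00000000"   # 00400070
    "50450000 4C010900 65914635 00000000"   # 00400080: "PE\0\0", FileHeader
    "00000000 E0000F01 0B01030A 00F00300"   # 00400090: optional header begins
    "00740000 00000000 17780300 00100000"   # 004000A0: PE+28 = 00037817
    "00500000 00004000 00100000 00100000"   # 004000B0: PE+34 = 00400000
)


def read_u32(image, offset):
    return struct.unpack_from("<I", image, offset)[0]


def locate_entry_point(image):
    """Follow the header pointer at offset 3C to IMAGE_NT_HEADERS, verify the
    PE signature, then read AddressOfEntryPoint (PE+28) and ImageBase (PE+34).
    Returns (pe_offset, entry_rva, image_base, entry_va)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_offset = read_u32(image, 0x3C)
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    entry_rva = read_u32(image, pe_offset + 0x28)
    image_base = read_u32(image, pe_offset + 0x34)
    return pe_offset, entry_rva, image_base, image_base + entry_rva


def entry_point_patched(read_byte, entry_va):
    """The protector's check: a software breakpoint replaces the first byte of
    the entry point with 0xCC (INT3). read_byte(address) returns that byte."""
    return read_byte(entry_va) == 0xCC


if __name__ == "__main__":
    pe_offset, rva, base, va = locate_entry_point(NOTEPAD_HEADER)
    print(f"PE header at {pe_offset:X}, EP RVA {rva:08X}, base {base:08X}, EP VA {va:08X}")
    memory = {va: 0x68}  # constructed: the byte OD showed at the entry point
    print("breakpoint at entry point:", entry_point_patched(memory.get, va))
```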
4. Setting the IF flag
The VM performs one AND via NAND: one operand is 700, which selects the DF, IF and TF bits, the other is 246, so what survives is the Interrupt Enable Flag (IF). Finally the pseudo-instruction VM_MOVdw_EFLreg_EBPSTACK loads the result into the EFLAGS register.
0013F9A8 00000246 F..
0013F9AC 00000246 F..
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9AC FFFFFDB9
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_PUSHdw_IMMEDIATEw
0013F9A8 000008FF ..
0013F9AC FFFFFDB9
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_NANDdw
0013F9AC 00000200 ...
0013F9B0 7C92118A | ; RETURN to ntdll.7C92118A
VM_MOVdw_EFLreg_EBPSTACK
3.1.4. TLS exit
0013F990 8021D2F0 !
0013F994 8021D2F0 !
0013F998 00000246 F..
0013F99C F6F93A39 9:
0013F9A0 00000020 ...
0013F9A4 00000000 ....
0013F9A8 0013F994 .
0013F9AC 004253CD SB. ; RETURN from NOTEPAD.004255DB to NOTEPAD.004253CD
0013F9B0 000359F4 Y.
0013F9B4 00400000 ..@. ; OFFSET NOTEPAD.B
0013F9B8 0013F9C0 .
0013F9BC 7C92118A | ; RETURN to ntdll.7C92118A
VM_EXIT
The program returns into 7C92118A and is about to return from TLS; we set a breakpoint at the start address 00437817 to catch the program at its entry point.
7C92118A 8BE6 MOV ESP,ESI
7C92118C 5B POP EBX
7C92118D 5F POP EDI
7C92118E 5E POP ESI
7C92118F 5D POP EBP
7C921190 C2 1000 RETN 10
3.2. How the VMProtect shell obtains its functions
00437817 . 68 B59DF9FC PUSH FCF99DB5
After catching the program at 00437817, VMProtect initializes the VM and so on just as in TLS, not repeated here. Once running, the VM again first compares 0000 with the 0000 at [00427D51] and jumps. It then reallocates the VM stack much as in TLS:
0013FF8C 0013FF98
0013FF90 0013FF98
VM_NANDdw
0013FF90 FFEC0067 g.
0013FF94 00000800 ...
VM_ADDdw_EBPSTACK
0013FF94 FFEC0867 g
VM_PUSHdw_EBP
0013FF90 0013FF94 .
0013FF94 FFEC0867 g
VM_COPYdw_EBPSTACK
0013FF90 FFEC0867 g
0013FF94 FFEC0867 g
VM_NANDdw
0013FF94 0013F798 . ; UNICODE "er"
VM_MOVdw_EBPreg_EBPSTACK
The pseudo-instructions perform a subtraction 0013FF98-800=0013F798 and finally assign 0013F798 to EBPSTACK; the bounds check inside that instruction triggers the VM stack reallocation (see 1.2 VM stack for details).
In the new VM stack at 0013F798 the IF flag is set to 1 again; everything is as in TLS.
3.2.1. Dynamic-link library
Next comes the large-scale anti-debug checking, but first one preparation: a buffer is needed to hold API return values, DLL names and the like. The VM computes 0013FF98-10=0013FF88, allocating a buffer of 4 dwords between 0013FF88 and 0013FF98:
0013FF88 00000212 ..
0013FF8C 00000282 ..
0013FF90 00000202 ..
0013FF94 0013F798 . ; UNICODE "er"
0013FF98
Many of the later anti-debug checks use this buffer. Now constants are written into it:
0013F790 0013FF88 .
0013F794 6E72656B kern
VM_MOVdw_MEMORYdw_EBPSTACKdw ; write kern
VM_PUSHdw_IMMEDIATEdw
0013F78C 0013FF88 .
0013F790 00000004 ...
0013F794 32336C65 el32
VM_ADDdw_EBPSTACK ; buffer address +4
0013F790 0013FF8C .
0013F794 32336C65 el32
VM_MOVdw_MEMORYdw_EBPSTACKdw ; write el32
VM_PUSHdw_IMMEDIATEdw
0013F78C 00000008 ...
0013F790 0013FF88 .
0013F794 6C6C642E .dll
VM_ADDdw_EBPSTACK ; buffer address +8
0013F790 0013FF90 .
0013F794 6C6C642E .dll
VM_MOVdw_MEMORYdw_EBPSTACKdw ; write .dll
VM_PUSHdw_IMMEDIATEdw
0013F78C 0000000C ....
0013F790 0013FF88 .
0013F794 00000000 ....
VM_ADDdw_EBPSTACK ; buffer address +C
0013F790 0013FF94 .
0013F794 00000000 ....
VM_MOVdw_MEMORYdw_EBPSTACKdw ; write 00000000
Now the complete contents of the buffer:
0013FF88 6E72656B kern
0013FF8C 32336C65 el32
0013FF90 6C6C642E .dll
0013FF94 00000000 ....
kernel32.dll, a familiar name. After writing it, the VM performs a VM_JMP sequence to continue at a new location; here is the data for the VM_JMP pseudo-instruction:
0013F75C 0042816C lB.
0013F760 00000000 ....
0013F764 7FF224A8 $
0013F768 7C92E514 | ; ntdll.KiFastSystemCallRet
0013F76C 7FFD8000 .
0013F770 00000202 ..
0013F774 00000000 ....
0013F778 0013FFB0 .
0013F77C 00000202 ..
0013F780 0013FF98 .
0013F784 0013FF88 . ; ASCII "kernel32.dll"
0013F788 7FF224A8 $
0013F78C 0013FF88 . ; ASCII "kernel32.dll"
0013F790 00000282 ..
0013F794 004389FB C. ; Entry point of procedure
VM_JMP
The VM finally reaches VM_EBPSTACK_CALL, the pseudo-instruction that the anti-debug checks and the later VM code call repeatedly for both API calls and the program's own procedure calls; both leave the VM environment. An API call enters system code and must leave the VM, and the procedure calls here leave it as well. Leaving the VM is simple: only the stack changes. Parameters that lived in the VM stack are moved into the stack addressed by ESP, because normal code executes with ESP and does not know how to fetch data from the VM stack.
0013F78C 00428275 uB. ; RETURN from NOTEPAD.00436E08 to NOTEPAD.00428275
0013F790 0013FF88 . ; ASCII "kernel32.dll"
0013F794 004389FB C. ; Entry point of procedure
VM_EBPSTACK_CALL
A closer look at this pseudo-instruction: first it reads the number of parameters for this call from the VM's ESI data. Here there is 1 parameter, so 1 goes into ECX; these are the instructions inside the handler that fetch the parameters:
0043E0C6 87448D 00 XCHG DWORD PTR SS:[ECX*4+EBP],EAX ; *
0043E0CD 894424 24 MOV DWORD PTR SS:[ESP+24],EAX ; *
EBP=0013F78C; the loop reads [ECX*4+EBP], so the value of ECX decides how many parameters are fetched, and each is pushed onto the stack at ESP. It appears here as [ESP+24]; the 24 offset is due to junk instructions and can be ignored. When everything is ready it jumps to 00428275. The stack at the final jump instruction:
$ ==> 00428275 uB. ; RETURN from NOTEPAD.00436E08 to NOTEPAD.00428275
$+4 9AF17581 u
$+8 14415549 IUA
$+C 0013F6D8 .
$+10 00428137 7B.
$+14 0013F78C .
$+18 0013F6C0 .
$+1C 80A6D7DB צ
$+20 0043EF77 wC.
$+24 00000000 ....
$+28 00428275 uB. ; RETURN from NOTEPAD.00436E08 to NOTEPAD.00428275
$+2C 0043EED7 C.
$+30 00000246 F..
$+34 0043EED7 C.
$+38 00428275 uB. ; RETURN from NOTEPAD.00436E08 to NOTEPAD.00428275
$+3C 0043EEB7 C. ; RETURN from NOTEPAD.0043D111 to NOTEPAD.0043EEB7 ; executing this instruction discards 38h bytes of junk and then jumps
$+40 0013FF88 . ; ASCII "kernel32.dll"
0043DE10 C2 3800 RETN 38 ; Call Enter
Since it jumps to 00428275, let us see what code is there; it is a single jump instruction:
00428275 -/FF25 E47D4300 JMP DWORD PTR DS:[<&KERNEL32.LoadLibrary
ÏÖÔھͺÜÇåÎúÁË£¬Õâ´ÎcallÊÇʹÓÃLoadLibraryº¯ÊýÀ´»ñÈ¡Kernel32.dllÁ´½Ó¿â¾ä±ú¡£ÎÒÃÇÔÚcall return address´¦0043EEB7´¦Ï¶ϣ¬È»ºó¾Í¿ÉÒÔF9ÔËÐУ¬Ö±½ÓÀ¹½ØÏÂϵͳµ÷ÓýáÊøºó·µ»ØµÄ½á¹ûEAX=7C800000¡£ÏÖÔÚÓÖÒª»Øµ½ÐéÄâ»úÖÐÁË£¬·´¹ýÀ´¾ÍÐèÒª°ÑÊý¾Ý·Å»Øµ½VM¶ÑÕ»ÖУ¬°´ÕÕVMÔËÐз½Ê½ÈÃËüÔÚVM¶ÑÕ»ÖвÙ×÷¡£
ÔÚ·µ»ØVMµÄ¹ý³ÌÖУ¬Ê×ÏÈÊÇ°ÑÔ­À´EBPSTACKÖеIJÎÊýÕ¼¾ÝµÄλÖÃÊÍ·Å£º
0043ED41 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; *ÕâÀïÊDZ£´æµÄ±¾´ÎcallµÄ²ÎÊý¸öÊý
0043ED46 8D6C8D 00 LEA EBP,[ECX*4+EBP] ; *Êͷŵô¶ÔÓ¦µÄ¿Õ¼ä
°ÑEAXÖеĽá¹û±£´æµ½EBPSTACK
EAX=7C800000
0043ED50 8945 00 MOV DWORD PTR SS:[EBP],EAX ; *
0013F790 7C800000 ..|
After returning to the VM, one VM_JMP call follows.

3.2.2. The loop
A new buffer is allocated: 0013FF88-10=0013FF78 carves out another 4 dwords, filled in the same way as above. After the 4 dwords are written the buffer holds:
0013FF78 8D7E029C ~
0013FF7C 8F81160C .
0013FF80 048DFF7E ~
0013FF84 00C78D05 .
0013FF88 6E72656B kern
0013FF8C 32336C65 el32
0013FF90 6C6C642E .dll
0013FF94 00000000 ....
VM_JMP goes to a new location and, unsurprisingly, another call follows:
0013F788 00421C48 HB. ; Entry point of procedure
0013F78C 7C800000 ..|
0013F790 0013FF78 x.
0013F794 00427C45 E|B.
VM_EBPSTACK_CALL
This time 00421C48 is called with two parameters, the kernel32.dll handle 7C800000 and 0013FF78; it is a procedure call. The code at 00421C48:
00421C4E 55 PUSH EBP ; *
00421C58 8D6C24 04 LEA EBP,[ESP+4] ; * EBP will be used to read the parameters: save it, then point it at them
00421C76 56 PUSH ESI ; *
00421C80 893C24 MOV DWORD PTR SS:[ESP],EDI ; *
00421C85 53 PUSH EBX ; *
00421C8C 52 PUSH EDX ; *
Save what needs saving.
00421C92 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; * read the first parameter, the kernel32.dll handle 7C800000
What follows resembles the PE header walk in TLS, except that TLS did it with pseudo-instructions and here ordinary instructions are used.
00436B42 8B70 3C MOV ESI,DWORD PTR DS:[EAX+3C] ; *
00436B4E 01C6 ADD ESI,EAX ; *
00436B5C 8B56 78 MOV EDX,DWORD PTR DS:[ESI+78] ; * offset 78 holds the export table location: kernel32.dll's export table RVA
0043A773 01C2 ADD EDX,EAX ; * export table start 7C80262C
0043A77D 8B4E 7C MOV ECX,DWORD PTR DS:[ESI+7C] ; * offset 7C holds the export table size
00435CB9 01D1 ADD ECX,EDX ; * export table end 7C809345
00435CBE 894D F0 MOV DWORD PTR SS:[EBP-10],ECX ; * save it
00435CCB 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+0C] ; * fetch the second parameter 0013FF78
0041EE80 8B7A 24 MOV EDI,DWORD PTR DS:[EDX+24] ; * export table offset 24 is AddressOfNameOrdinals, pointing at the ordinal array
0041EE8B 01C7 ADD EDI,EAX ; * ordinal array address 7C804424
0041EE8F 8B5A 20 MOV EBX,DWORD PTR DS:[EDX+20] ; * export table offset 20 is AddressOfNames, the array of function-name pointers
0041EE9B 01C3 ADD EBX,EAX ; * function-name pointer array 7C80353C
0041EEB1 8B4A 18 MOV ECX,DWORD PTR DS:[EDX+18] ; * export table offset 18 is NumberOfNames, the number of entries in AddressOfNames
Everything is ready; now the exported names are read and compared.
0041EED5 83E9 01 SUB ECX,1 ; * counter minus 1
0041EEDF 894D FC MOV DWORD PTR SS:[EBP-4],ECX ; *
0041EEF0 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; * load offset of the whole program
00428D66 034D FC ADD ECX,DWORD PTR SS:[EBP-4] ; *
00428D6B D1E9 SHR ECX,1 ; * counter divided by 2, word-wise
00428D72 8B3C8B MOV EDI,DWORD PTR DS:[ECX*4+EBX] ; *
00428514 /01C7 ADD EDI,EAX ; *
EDI 7C806FB2 ASCII "GetVDMCurrentDirectories", so we have obtained an API function name
0042851E 8B75 0C MOV ESI,DWORD PTR SS:[EBP+0C] ; * 0013FF78
0043A156 AC LODS BYTE PTR DS:[ESI] ; *
0043A159 F6D0 NOT AL ; *
0043A165 F6D8 NEG AL ; *
00435255 /FEC0 INC AL ; *
0043525C 34 37 XOR AL,37 ; *
0043552A FEC0 INC AL ; *
00435530 D0C0 ROL AL,1 ; *
0041E634 FEC0 INC AL ; *
½ÓÏÂÀ´¾ÍÊDZȽÏ
004388E1 3A07 CMP AL,BYTE PTR DS:[EDI] ; *
004388E7 ^\0F8C 35EAFFFF JL 00437322 ; *
004388ED 8D7F 01 LEA EDI,[EDI+1] ; *
004219F2 /0F87 9A6B0100 JA 00438592 ; *
00425FB3 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4] ; *
00425FC4 83C1 01 ADD ECX,1 ; *
00425FCD 894D F8 MOV DWORD PTR SS:[EBP-8],ECX ; *
Note that the branching is done with JL and JA together; the above is the loop taken when the comparison fails. If the bytes match, neither JL nor JA is taken, so we break at the instruction after JA to catch a match:
004219F2 /0F87 9A6B0100 JA 00438592 ; *
004219F8 |E8 2B480000 CALL 00426228 ; F4 here
Now we find that the first function whose first letter matches is VirtualAlloc.
0042968E 807F FF 00 CMP BYTE PTR DS:[EDI-1],0 ; *
0043712D ^\0F85 F213FFFF JNE 00428525 ; *
The outer loop checks whether the end of the name has been reached; if not, it goes back to compare the 2nd byte. Let us skip out of the loop and look at the result:
0043712D ^\0F85 F213FFFF JNE 00428525 ; *
00437133 0FBAEF 16 BTS EDI,16 ; F4 here: the function all of whose bytes match is VirtualProtect
The comparison is done: the function sought is VirtualProtect.
0043C9C1 8B7A 24 MOV EDI,DWORD PTR DS:[EDX+24] ; * AddressOfNameOrdinals
0043C9C7 01C7 ADD EDI,EAX ; *
0043C9CC 0FB70C4F MOVZX ECX,WORD PTR DS:[ECX*2+EDI] ; *
0043C9D6 29CF SUB EDI,ECX ; *
0043C9DB 8B7A 1C MOV EDI,DWORD PTR DS:[EDX+1C] ; * AddressOfFunctions
0043C9E3 01C7 ADD EDI,EAX ; *
0042862B /8B3C8F MOV EDI,DWORD PTR DS:[ECX*4+EDI] ; *
00438A9F \01F8 ADD EAX,EDI ; *
I cannot explain all of this; if it is unclear, review the export table part of the PE file format. When the instructions above finish, the system address of VirtualProtect, 7C801AD4, has been obtained.
0043EEB7 89D1 MOV ECX,EDX ; call return address
Back at the call return address, the data is pushed into EBPSTACK, here at 0013F790:
0013F790 7C801AD4 | ; kernel32.VirtualProtect
0013F794 00427C45 E|B.
As in ordinary code, the result is tested for 0 after the call; VMProtect does the same, only with pseudo-instructions:
0013F78C 7C801AD4 | ; kernel32.VirtualProtect
0013F790 7C801AD4 | ; kernel32.VirtualProtect
0013F794 00427C45 E|B.
VM_NANDdw
0013F790 837FE52B +
0013F794 00427C45 E|B.
VM_PUSHdw_EBP
VM_COPYdw_EBPSTACK
0013F78C 837FE52B +
0013F790 837FE52B +
0013F794 00427C45 E|B.
VM_NANDdw
0013F790 7C801AD4 | ; kernel32.VirtualProtect
0013F794 00427C45 E|B.
The two NOTs exist only to produce the flags for the ZF test and the jump via VM_JMP.
Next the VM performs a CC check to see whether a breakpoint sits at the start of VirtualProtect; not repeated here, only the key data:
0013F78C 1AD4
0013F790 00CC7C80 |.
0013F794 00427C45 E|B.
The first byte of the function at 7C801AD4 is read and subtracted from CC, the flags are extracted, and the ZF test and jump are performed.
The value 00427C45 has been sitting idle in EBPSTACK all along; now that everything checks out, the VM calls VM_JMP again to jump to 00427C45. Let us see what 00427C45 does:
0013F790 C9058E9B
0013F794 7C801AD4 | ; kernel32.VirtualProtect
VM_ADDdw_EBPSTACK
0013F794 4585A96F oE

0013F78C 0013F798
0013F790 00000020
0013F794 4585A96F oE
VM_ADDdw_EBPSTACK
0013F790 0013F7B8 .
0013F794 4585A96F oE
VM_MOVb_MEMORYb_EBPSTACKb
Now it is clear: the VM subroutine at 00427C45 encrypts the obtained system address before storing it, so it is never kept in plain form. This completes the full cycle from obtaining a system function to storing it. The program then returns to the start of 3.2.2 The loop and begins the next lookup, starting by pushing 4 dwords at 0013FF78, then leaves the 00427C45 subroutine. When kernel32.dll is finished it moves on to the next DLL, back in 3.2.1 Dynamic-link library, which is not repeated. Here is the summary of the functions obtained:
kernel32.dll:
0013F780 7C801AD4 | ; kernel32.VirtualProtect ; encrypted: 0013F7B8 4585A96F oE
0013F790 7C809AF1 | ; kernel32.VirtualAlloc ; encrypted: 0013F7C0 7ED1C93F ?~
0013F790 7C801A28 (| ; kernel32.CreateFileA ; encrypted: 0013F7DC 45E78F5A ZE
0013F778 7C809BE7 | ; kernel32.CloseHandle ; encrypted: 0013F7D8 877DBA31 1}
0013F790 7C810B17 | ; kernel32.GetFileSize ; encrypted: 0013F7E4 05F84F8C O
0013F790 7C80950A .| ; kernel32.CreateFileMappingA ; encrypted: 0013F7F4 8B5A496C lIZ
0013F790 7C80B9A5 | ; kernel32.MapViewOfFile ; encrypted: 0013F7C4 C2DC4B94 K
0013F790 7C80BA14 | ; kernel32.UnmapViewOfFile ; encrypted: 0013F798 230A53C4 S.#
0013F790 7C80B741 A| ; kernel32.GetModuleHandleA ; encrypted: 0013F7CC 058C4D40 @M
0013F794 7C813133 31| ; kernel32.IsDebuggerPresent ; encrypted: 0013F7EC 9C056A3F ?j
0013F794 7C85AAF2 | ; kernel32.CheckRemoteDebuggerPresent ; encrypted: 0013F7F8 77ED7C33 3|w
0013F790 7C863FCA ?| ; kernel32.UnhandledExceptionFilter ; encrypted: 0013F7D0 35B5E8D3 5
ntdll.dll:
0013F794 7C92D7FE | ; ntdll.ZwQueryInformationProcess ; encrypted: 0013F7B0 D324C5FE $
0013F794 7C92DCAE | ; ntdll.NtSetInformationThread ; encrypted: 0013F7A8 E42D06B3 -
0013F794 7C92D92E | ; ntdll.NtQuerySystemInformation ; stored in plain form at 00425E60: 7C92D92E
All shell function lookups are now complete, and the VM jumps away with VM_JMP. Since the last system function address was stored in memory, an addition is applied to 00425E60 so that it does not appear in plain form; and as a stack VM it still prefers stack storage, so another stack slot, 0013F7E8, receives the encoded address:
0013F790 03DDEA1E
0013F794 00425E64 d^B.
VM_ADDdw_EBPSTACK
0013F794 04204882 H

0013F78C 00000050 P...
0013F790 0013F798 .
0013F794 04204882 H
VM_ADDdw_EBPSTACK
0013F790 0013F7E8 .
0013F794 04204882 H
VM_MOVdw_MEMORYdw_EBPSTACKdw

3.3. Virtual execution environment and debugger detection
Everything in the earlier sections was continuous, with nothing in the analysis skipped, but this section does not join up with the end of the previous one. It is not that I want to hide anything or churn out a bare log; I simply do not have the energy to go through it line by line. I am sick of it and have no heart to keep writing; the more I try to lay everything out, the more pressure there is at places where I fear I have missed something. There is also the urge to finish. Besides, VMProtect's anti-debug checks are a very interesting part, and knowing an interesting section is coming while still circling the basics is a bit tedious. In short, if you find something I have skipped, go and look at it yourself. Now straight to the ANTI part:
3.3.1.VMware
0013F78C 00000000 ....
0013F790 0043B7B2 C. ; RETURN from NOTEPAD.00435E6A to NOTEPAD.0043B7B2
0013F794 0013FF98 .
VM_FS:[EBPSTACK] ; read the data at FS:[0]
0013F78C |0013FFE0 .
0013F790 \0043B7B2 C. ; RETURN from NOTEPAD.00435E6A to NOTEPAD.0043B7B2
0013F794 0013FF98 .

0013F784 00000000 ....
0013F788 0013F78C .
0013F78C 0013FFE0 .
0013F790 0043B7B2 C. ; RETURN from NOTEPAD.00435E6A to NOTEPAD.0043B7B2
0013F794 0013FF98 .
VM_SEH
0013F78C |0013FFE0 . ; Pointer to next SEH record
0013F790 \0043B7B2 C. ; SE handler
0013F794 0013FF98 .
Here the VM installs a new SEH: it reads the existing SEH address from FS:[0] and installs the new record inside the VM_SEH pseudo-instruction; read up on SEH if this is unfamiliar. With the SEH in place the program calls VM_EXIT,
0013F770 00000000 ....
0013F774 0013FF98 .
0013F778 564D5868 hXMV
0013F77C 00005658 XV..
0013F780 [0042536C lSB. ; RETURN from NOTEPAD.00426E8B to NOTEPAD.0042536C
0013F784 31921C56 V1
0013F788 0042536C lSB. ; RETURN from NOTEPAD.00426E8B to NOTEPAD.0042536C
0013F78C 0013FFE0 . ; Pointer to next SEH record
0013F790 0043B7B2 C. ; SE handler
0013F794 0013FF98 .
VM_EXIT
and the program then stops at
0042536C . ED IN EAX,DX ; I/O command
where this instruction hangs. Why? Because VM_EXIT loads the registers, and here it has set them up for a VMware backdoor instruction check. This is VMProtect's first real ANTI. The CPU state when this instruction executes, and the source of the VMware backdoor check:
CPU - main thread, module NOTEPAD
EAX 564D5868
ECX 0000000A
EDX 00005658
EBX 00000000
ESP 0013F78C
EBP 0013FF98
ESI 0013FF8C ASCII "ntdll.dll"
EDI 0013FF70
EIP 0042536C NOTEPAD.0042536C
The VMware backdoor instruction check. No need to ask why; this is the backdoor:
    mov eax, 564D5868h
    mov ebx, 00000000h
    mov ecx, 0000000Ah
    mov edx, 00005658h
    in eax, dx
This check is very common: only under VMware does this instruction return a value; otherwise it raises an exception. We are on a real machine; I am not using any virtual machine at all. Google it if you want more detail.
Since I am not debugging VMProtect under VMware, it is bound to fault, and now the purpose of the SEH installed a moment ago becomes clear. Set a breakpoint at the SEH address, then ignore the exception and continue debugging.
0043B7B2 .^\E9 7DD2FFFF JMP 00438A34 ; VMware SEH
We arrive here and continue. Inside the SEH handler the current structures are saved, a fresh VM is initialized, and within that VM the EIP in the CONTEXT structure is changed. To follow the modifying pseudo-instructions, recall the SEH callback function:
First, its parameters; there are 4:
SEH_Handler proc _lpExceptionRecord,_lpSEH,_lpContext,_lpDispatcherContext
The actual data at VMProtect's SEH address:
0013F3C4 [7C9232A8 2| ; RETURN to ntdll.7C9232A8
0013F3C8 0013F4AC . ; 1st parameter: ExceptionRecord pointer
0013F3CC 0013F78C . ; 2nd parameter: SEH pointer
0013F3D0 0013F4C0 . ; 3rd parameter: Context pointer
0013F3D4 0013F480 . ; 4th parameter: DispatcherContext pointer

The CONTEXT structure for reference:
typedef struct _CONTEXT {
/*000*/ DWORD ContextFlags;
/*004*/ DWORD Dr0;
/*008*/ DWORD Dr1;
/*00C*/ DWORD Dr2;
/*010*/ DWORD Dr3;
/*014*/ DWORD Dr6;
/*018*/ DWORD Dr7;
/*01C*/ FLOATING_SAVE_AREA FloatSave;
/*08C*/ DWORD SegGs;
/*090*/ DWORD SegFs;
/*094*/ DWORD SegEs;
/*098*/ DWORD SegDs;
/*09C*/ DWORD Edi;
/*0A0*/ DWORD Esi;
/*0A4*/ DWORD Ebx;
/*0A8*/ DWORD Edx;
/*0AC*/ DWORD Ecx;
/*0B0*/ DWORD Eax;
/*0B4*/ DWORD Ebp;
/*0B8*/ DWORD Eip; /* offset B8 is Eip */
/*0BC*/ DWORD SegCs;
/*0C0*/ DWORD EFlags;
/*0C4*/ DWORD Esp;
/*0C8*/ DWORD SegSs;
/*0CC*/ BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];
/*2CC*/ } CONTEXT;
In theory:
1) The third parameter gives the CONTEXT structure address 0013F4C0.
2) CONTEXT base address + B8 gives where Eip is stored.
3) Put a safe return address into the Eip slot.
4) The SEH returns and the program resumes at the new Eip.
Now the pseudo-instruction sequence:
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_PUSHdw_IMMEDIATEb
0013F3C0 0000000C ....
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_PUSHdw_IMMEDIATEb
0013F3BC 00000008 ...
0013F3C0 0000000C ....
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_PUSHdw_EBP
0013F3B8 0013F3BC .
0013F3BC 00000008 ...
0013F3C0 0000000C ....
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_ADDdw_EBPSTACK
0013F3BC 0013F3C4 .
0013F3C0 0000000C ....
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_ADDdw_EBPSTACK
0013F3C0 0013F3D0 .
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
This is stage 1): add 8 to reach the parameters, then add C to reach the third parameter:
0013F3C0 0013F3D0 .
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
0013F3C8 0013F4AC .
0013F3CC 0013F78C .
0013F3D0 0013F4C0 .
0013F3D4 0013F480 .
VM_COPYdw_EBPSTACK
0013F3C0 0013F4C0 .
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
Still stage 1): the context structure address 0013F4C0 has been obtained
0013F3B8 0013F4C0 .
0013F3BC 000000B8 ...
0013F3C0 00436C7D }lC.
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_ADDdw_EBPSTACK
0013F3BC 0013F578 x. ; ASCII "lSB"
0013F3C0 00436C7D }lC.
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
This is stage 2): offset B8 of the context structure is the Eip slot
VM_MOVdw_MEMORYdw_EBPSTACKdw
This is stage 3). Originally the Eip slot holds the address of the instruction that raised the exception:
0013F578 0042536C lSB. ; RETURN from NOTEPAD.00426E8B to NOTEPAD.0042536C
¾­¹ýÐ޸ĺ󣬷ÅÈëÁË·µ»ØºóµÄÖ´ÐеØÖ·£º
0013F578 00436C7D }lC.

0013F398 F32B430A .C+
0013F39C 00000000 ....
0013F3A0 00000246 F..
0013F3A4 7C9232BC 2|
0013F3A8 0013F4C0 .
0013F3AC 00000000 ....
0013F3B0 0013F3E4 .
0013F3B4 00000000 ....
0013F3B8 7C9232BC 2|
0013F3BC 00000000 ....
0013F3C0 00000000 ....
0013F3C4 7C9232A8 2| ; RETURN to ntdll.7C9232A8
VM_EXIT
This is stage 4). Finally VM_EXIT is called to return: it loads the registers and lets the system return from the SEH, and since the eip pointer has been modified, we need to intercept the program at the newly inserted address 00436C7D and trace on from there. Next the VM is re-initialized and we keep walking. The SEH placed earlier is now useless, so it is released and the original SEH restored; the pseudo-instruction implementation follows directly, and anyone unclear on it should look up SEH material:
0013F788 00000000 ....
VM_FS:[EBPSTACK] ; fetch the value of FS:[0], the address where the current SEH structure is stored
0013F788 0013F78C .
VM_MOVdw_EBPreg_EBPSTACK ; move the EBP pointer down to the SEH structure's storage address
0013F788 00000000 ....
0013F78C 0013FFE0 . ; Pointer to next SEH record
0013F790 0043B7B2 C. ; SE handler
VM_SEH ; restore the original SEH: 0013FFE0 goes back into FS:[0]

3.3.2. Single-step mode
This detection, implemented in pseudo-instructions, is about as sneaky as it gets. For most people the trick is meaningless: they either run the program straight through or never step into the pseudo-instructions, so they pass it easily. It is someone like me, walking the VM with F7 single steps, who gets caught with one careless step. In short, a thoroughly sneaky method.
0013F78C 00000000 ....
0013F790 0041F070 pA. ; RETURN from NOTEPAD.00423165 to NOTEPAD.0041F070
0013F794 0013FF98 .
VM_FS:[EBPSTACK] ; read the value of FS:[0], the current SEH structure
0013F78C |0013FFE0 .
0013F790 \0041F070 pA. ; RETURN from NOTEPAD.00423165 to NOTEPAD.0041F070
0013F794 0013FF98 .

0013F784 00000000 ....
0013F788 0013F78C .
0013F78C 0013FFE0 .
0013F790 0041F070 pA. ; RETURN from NOTEPAD.00423165 to NOTEPAD.0041F070
0013F794 0013FF98 .
VM_SEH
0013F78C |0013FFE0 . ; Pointer to next SEH record
0013F790 \0041F070 pA. ; SE handler
0013F794 0013FF98 .
A new SEH structure is built; the exception handler address is now 0041F070

Next the VM performs an OR: flags 00000293 OR 00000100 = 00000393, and the result is loaded into the EFLAGS register. The pseudo-instruction sequence is as follows:
0013F77C 0013F780 .
0013F780 00000008 ...
0013F784 00000100 ...
0013F788 00000293 ..
0013F78C 0013FFE0 . ; Pointer to next SEH record
0013F790 0041F070 pA. ; SE handler
0013F794 0013FF98 .
VM_ADDdw_EBPSTACK
0013F780 0013F788 .
0013F784 00000100 ...
0013F788 00000293 ..
VM_COPYdw_EBPSTACK
0013F780 00000293 ..
0013F784 00000100 ...
0013F788 00000293 ..
VM_NANDdw
0013F784 FFFFFC6C l
0013F788 00000293 ..
VM_PUSHdw_EBP
VM_COPYdw_EBPSTACK
0013F780 FFFFFC6C l
0013F784 FFFFFC6C l
0013F788 00000293 ..
VM_NANDdw
0013F784 00000393 ..
0013F788 00000293 ..
VM_PUSHdw_EBP
0013F780 0013F784 .
0013F784 00000393 ..
0013F788 00000293 ..
VM_PUSHdw_IMMEDIATEb
0013F77C 00000004 ...
0013F780 0013F784 .
0013F784 00000393 ..
0013F788 00000293 ..
VM_ADDdw_EBPSTACK
0013F780 0013F788 .
0013F784 00000393 ..
0013F788 00000293 ..
VM_MOVdw_MEMORYdw_EBPSTACKdw
0013F788 00000393 ..

0013F758 00000286 ..
0013F75C 0013FF8C . ; ASCII "ntdll.dll"
0013F760 00000206 ..
0013F764 00426C00 .lB.
0013F768 0000000A ....
0013F76C 00000000 ....
0013F770 0013FF98 .
0013F774 00000000 ....
0013F778 00005658 XV..
0013F77C 0013FF70 p.
0013F780 0013FF8C . ; ASCII "ntdll.dll"
0013F784 00428173 sB.
0013F788 00000393 ..
VM_EXIT
ÔÚVM_EXITÖУ¬×îºóÒ»¸öÊý¾Ý00000393ÊÇ
00428173 9D POPFD ; *
pops into the EFLAGS register. Now we can see that the OR operand 00000100 affects the Trap Flag (TF) bit: the whole sequence just sets TF to 1. According to the Intel documentation:
TF (bit 8) Trap flag - Set to enable single-step mode for debugging;
clear to disable single-step mode.
Ò²¾ÍÊÇVMÉèÖõ¥²½Ä£Ê½(single-step mode)¡£ÏÂÃæÎÒÃÇÀ´»ØÍ·½øºÃºÃ¿´¿´00428173Õâ¸ö¹ý³ÌµÄÏêϸ´úÂ룺
00428173 |. 9D POPFD ; *
00428174 |. 0F31 RDTSC
00428176 |. 90 NOP
00428177 |. 9C PUSHFD
00428178 |. C70424 0A429C MOV DWORD PTR SS:[ESP],489C420A
0042817F |. 9C PUSHFD
00428180 \. E9 58030100 JMP 004384DD
If you F7 through this code one instruction at a time, nothing appears to go wrong. You can walk all the way to JMP 004384DD, the program then starts initializing the VM, and you see no problem whatsoever. In fact you have already been caught; just wait for VMP's detection message box.
But if you press F9 before entering the routine at 00428173, say at the VM_EXIT pseudo-instruction, you will find that the program is intercepted:
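The two pseudo-instruction sequences traced above (the SEH handler rewriting Context.Eip, and the NAND-built OR that sets TF before the POPFD at 00428173) replayed on a small model of the VMP stack machine. This is an added example, not code from the article or from VMProtect: the handler semantics are inferred from the stack dumps, and the memory contents are constructed from the addresses in those dumps.

```python
MASK = 0xFFFFFFFF

class VmpStack:
    """Model of the VMP stack machine: EBP is the VM stack pointer, mem maps dword addresses."""
    def __init__(self, ebp, mem):
        self.ebp, self.mem = ebp, dict(mem)
    def rd(self, a): return self.mem.get(a, 0)
    def wr(self, a, v): self.mem[a] = v & MASK
    def push_dw(self, v):            # plain push; used where the article's dump skips a step
        self.ebp -= 4; self.wr(self.ebp, v)
    def pop_dw(self):
        v = self.rd(self.ebp); self.ebp += 4; return v
    def push_imm_b(self, imm):       # VM_PUSHdw_IMMEDIATEb: byte immediate widened to a dword
        self.push_dw(imm)
    def push_ebp(self):              # VM_PUSHdw_EBP: push the VM stack pointer itself
        self.push_dw(self.ebp)
    def add(self):                   # VM_ADDdw_EBPSTACK: pop two dwords, push their sum
        a, b = self.pop_dw(), self.pop_dw(); self.push_dw(a + b)
    def copy(self):                  # VM_COPYdw_EBPSTACK: replace top-of-stack pointer by its target
        self.wr(self.ebp, self.rd(self.rd(self.ebp)))
    def nand(self):                  # VM_NANDdw: ~a & ~b, i.e. NOR (0x293, 0x100 -> FFFFFC6C as dumped)
        a, b = self.pop_dw(), self.pop_dw(); self.push_dw(~a & ~b)
    def mov_mem(self):               # VM_MOVdw_MEMORYdw_EBPSTACKdw: pop address, pop value, store
        addr = self.pop_dw(); self.wr(addr, self.pop_dw())

def rewrite_seh_eip(new_eip=0x00436C7D):
    """Stages 1)-3) of the SEH handler: Context = 3rd argument, [Context + B8] (Eip) = new_eip."""
    # Constructed frame: return address at 0013F3C4, the four handler arguments above it,
    # and Context.Eip (0013F4C0 + B8) still holding the faulting instruction address.
    vm = VmpStack(0x0013F3C4, {0x0013F3C4: 0x7C9232A8, 0x0013F3C8: 0x0013F4AC,
                               0x0013F3CC: 0x0013F78C, 0x0013F3D0: 0x0013F4C0,
                               0x0013F3D4: 0x0013F480, 0x0013F578: 0x0042536C})
    vm.push_imm_b(0xC); vm.push_imm_b(8); vm.push_ebp()
    vm.add(); vm.add(); vm.copy()    # EBP+8+C = &arg3, then load the Context pointer
    ctx = vm.pop_dw()                # the dump does not show this reshuffle; modelled as pop/push
    vm.push_dw(new_eip); vm.push_dw(0xB8); vm.push_dw(ctx)
    vm.add(); vm.mov_mem()           # [Context + B8] = new_eip
    return vm.rd(0x0013F4C0 + 0xB8)

def set_trap_flag(eflags=0x293):
    """EFLAGS | 0x100 (TF) built from NANDs only: OR(a, b) = NAND(NAND(a, b), NAND(a, b))."""
    vm = VmpStack(0x0013F77C, {0x0013F77C: 0x0013F780, 0x0013F780: 8,
                               0x0013F784: 0x100, 0x0013F788: eflags})
    vm.add(); vm.copy(); vm.nand()   # load the saved EFLAGS, NOR it with 0x100
    vm.push_ebp(); vm.copy(); vm.nand()             # NOR(x, x) = ~x, giving eflags | 0x100
    vm.push_ebp(); vm.push_imm_b(4); vm.add(); vm.mov_mem()  # write it back into the slot
    return vm.rd(0x0013F788)         # 0x393 here; POPFD at 00428173 later loads it into EFLAGS
```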
00428173 |. 9D POPFD ; * single-step mode
00428174 |. 0F31 RDTSC
00428176 |. 90 NOP ; *************************
00428177 |. 9C PUSHFD
00428178 |. C70424 0A429C MOV DWORD PTR SS:[ESP],489C420A
0042817F |. 9C PUSHFD
00428180 \. E9 58030100 JMP 004384DD
ÔÚNOPÖ¸ÁîÕâÀ³ÌÐò¾Í±»À¹½ØÏÂÀ´ÁË¡£¿´Ò»ÏÂODϽǵÄÌáʾ¿òÏÔʾ£º
Break on single-step trap set by application - Shift+Run/Step to pass exception to the program
Now the principle. A Ring3 debugger like OD implements F7 single-stepping with the TF flag, so if you single-step through this code, the TF bit the VM program set is the very same TF bit OD is using: OD takes the resulting trap as its own single step and never raises it as an exception, so the program's own handler at 0041F070 never sees it. Only when you F9 the program does OD notice: oh, the debugged program set a TF single-step exception of its own! Note the message OD gives: Break on single-step trap set by application - Shift+Run/Step to pass exception to the program
