aksjdjdjjdjdj/taint_analysis
针对 VMProtect 等代码虚拟化保护方案输出的虚拟指令进行污点分析，追踪数据流传播以辅助逆向工程研究。
代码虚拟化的污点分析
```
; ---------------------------------------------------------------------------
; Trace of a VMProtect-virtualized sequence (x86-64, Intel syntax) captured
; right after a call to strcmp. Bare trailing text on some lines ("ZF", "SF",
; "y = x + 0x7fffffff", ...) is the original author's annotation and is kept
; verbatim; lines and trailing text introduced with ';' are review comments.
; Throughout: x = low 32 bits of strcmp's rax (held at ..400 / ..440),
;             y = x + 0x7fffffff, b = x & 0xff, h = b >> 4.
; Addresses 0x91d04ffXXX are abbreviated "..XXX"; they are presumably slots
; in the VM's scratch/stack area. The 0x7ff5... / 0x7ff6... constants are
; absolute addresses from this single run and are ASLR/build dependent:
; rebase them before reusing anything derived from this trace.
; NOTE(review): the repo is a taint tracer, so this listing may contain only
; taint-propagating instructions; untraced stores may sit between the lines
; shown and change slot contents. Confirm against the full trace before
; relying on the slot values derived below (see ..640/..648 at the jump).
; ---------------------------------------------------------------------------
VMPROTECT OUTPUT:
CALL FROM 7ff677bb604e Name: strcmp ; rax = strcmp(...) result; every value below derives from it
MOV [0x91d04ff5d8],rax ; spill strcmp's rax
MOV r10,[0x91d04ff5d8]
MOV [0x91d04ff400],r10 ; ..400 = rax (64-bit copy)
MOV eax,[0x91d04ff400]
MOV [0x91d04ff64c],eax ; ..64c = x (low 32 bits)
; --- obfuscated copy: NOT(x AND x) -> ~x, then NOT(~x AND ~x) -> x ---
MOV r10d,[0x91d04ff400]
MOV eax,r10d
MOV edx,0x0
CLC
ADC edx,[0x91d04ff64c] ; CLC makes the ADC a plain ADD: edx = x
AND eax,edx
NOT eax
MOV [0x91d04ff64c],eax ; ..64c = ~x
MOV esi,[0x91d04ff64c]
MOV edx,esi
MOV ebp,[0x91d04ff64c]
AND edx,ebp
NOT edx
MOV [0x91d04ff440],edx ; ..440 = x
; --- ZF(x): bit 31 of ~(x | (x + 0x7fffffff)) is set exactly when x == 0 ---
MOV eax,[0x91d04ff440]
MOV edx,0x0
ADD edx,eax
CLC
ADC edx,0x7fffffff y = x + 0x7fffffff
MOV [0x91d04ff646],edx ; ..646 = y
MOV ecx,[0x91d04ff440]
MOV [0x91d04ff642],ecx ; ..642 = x
MOV ecx,[0x91d04ff642]
MOV edx,0x0
XOR edx,[0x91d04ff646] ; edx = y
OR ecx,edx
NOT ecx ; ecx = ~(x | y)
MOV [0x91d04ff646],ecx
MOV esi,[0x91d04ff646]
NOT esi ; x | y
MOV ebp,0x7fffffff
OR ebp,esi ; (x | y) | 0x7fffffff
MOV [0x91d04ff646],ebp
MOV r10d,[0x91d04ff646]
MOV esi,r10d
MOV r11d,[0x91d04ff646]
AND esi,r11d
NOT esi ; ~((x|y) | 0x7fffffff) = ~(x|y) & 0x80000000
MOV [0x91d04ff646],esi ~((~y)|(~0x80000000)) == y & 0x80000000
; NOTE(review): the bare annotation above drops the x term OR'ed in at
; "OR ecx,edx"; the stored value is ~(x|y) & 0x80000000. Bit 31 is set iff
; x == 0: for x == 0, x|y = 0x7fffffff; for 1 <= x <= 0x7fffffff, y has
; bit 31 set; for x >= 0x80000000, x has it. So this is a branchless ZF of x.
MOV rsi,[0x91d04ff646] ; 64-bit load of a slot written as a dword: bytes ..64a-..64d are stale
SHR rsi,0x19 ZF ; bit 31 -> bit 6 = ZF position in EFLAGS (stale bytes land in bits 7+)
MOV [0x91d04ff648],rsi ; ..648 = flags accumulator (ZF << 6, plus stale high bits)
; --- PF(x): parity of b = x & 0xff, via nibble fold + 16-bit lookup table ---
MOV dl,0x0
CLC
ADC dl,[0x91d04ff440] ; dl = b
MOV [0x91d04ff644],dx ; only the low byte (..644) is read back below; dh is stale
MOVZX si,[0x91d04ff644] ; si = b (byte, zero-extended)
SHR sil,0x4 ; h = b >> 4
MOV [0x91d04ff646],si
MOV bp,0x0
XOR bp,[0x91d04ff646] ; bp = h
MOV [0x91d04ff448],bpl ; ..448 = h
MOVZX r11w,[0x91d04ff440] ; r11w = b
MOV [0x91d04ff63e],r11w
MOVZX dx,[0x91d04ff440] ; dx = b
MOV [0x91d04ff63c],dx
MOVZX cx,[0x91d04ff63c]
MOV r11b,[0x91d04ff63e]
XOR cl,0xff ; ~b
XOR r11b,0xff ; ~b
OR cl,r11b ; ~b | ~b = ~b
MOV [0x91d04ff63e],cx ; ..63e = ~b
MOVZX dx,[0x91d04ff448] ; dx = h
MOV [0x91d04ff63c],dx
MOVZX cx,[0x91d04ff63c]
MOV r11b,[0x91d04ff63e]
XOR cl,0xff ; ~h
XOR r11b,0xff ; b
OR cl,r11b
MOV [0x91d04ff63e],cx ; ..63e = ~h | b
MOV r10b,[0x91d04ff440]
MOV [0x91d04ff63c],r10w ; low byte ..63c = b (the high byte of r10w is stale and never read as such)
MOV bpl,0x0
OR bpl,[0x91d04ff448] ; bpl = h
MOV [0x91d04ff63a],bp
MOVZX ax,[0x91d04ff448] ; ax = h
MOV r11w,ax
MOVZX r11w,r11b
MOV bpl,[0x91d04ff63a] ; bpl = h
AND r11b,bpl ; h & h = h
XOR r11b,0xff ; ~h
MOV r10w,r11w
MOVZX r10w,r10b
MOV r11b,[0x91d04ff63c] ; r11b = b
XOR r10b,0xff ; h
XOR r11b,0xff ; ~b
OR r10b,r11b
MOV [0x91d04ff63c],r10w ; ..63c = h | ~b
MOVZX r10w,[0x91d04ff63c]
MOV sil,0x0
XOR sil,[0x91d04ff63e] ; sil = ~h | b
AND r10b,sil ; (h|~b) & (~h|b) = ~(h ^ b)
XOR r10b,0xff ; h ^ b: the high nibble folded into the low nibble
MOV [0x91d04ff63e],r10w ; ..63e = b ^ (b >> 4)
MOV ax,[0x91d04ff63e]
MOV r11w,0xf
AND r11w,ax ; idx = (b ^ (b >> 4)) & 0xf
NOT r11w
MOV [0x91d04ff63e],r11w ; ..63e = ~idx
MOV r11w,[0x91d04ff63e]
MOV [0x91d04ff63c],r11w
MOV ax,[0x91d04ff63c]
MOV dx,[0x91d04ff63e]
NOT ax
NOT dx
AND ax,dx ; double negation: idx
MOV [0x91d04ff63e],ax ; ..63e = idx (0..15)
MOV cl,[0x91d04ff63e]
MOV r11w,0x9669 PF magic number ; 0x9669 = 1001_0110_0110_1001b: bit i is set iff popcount(i) is even
SHR r11w,cl ; bit idx of that table = even parity of b = x86 PF (parity of the low result byte)
MOV [0x91d04ff63e],r11w
MOV cx,[0x91d04ff63e]
MOV bp,0x1
AND bp,cx ; isolate bit 0 = PF
NOT bp
MOV [0x91d04ff63e],bp
MOV si,[0x91d04ff63e]
MOV r11w,si
MOV si,[0x91d04ff63e]
AND r11w,si
NOT r11w ; double negation: back to PF (0 or 1)
MOV [0x91d04ff63e],r11w
MOV rax,[0x91d04ff63e] ; 64-bit load of a word slot; bytes ..640-..645 are stale (..642-..645 still hold x)
SHL rax,0x2 ; PF -> bit 2 = PF position in EFLAGS
MOV [0x91d04ff640],rax
MOV rsi,[0x91d04ff640]
MOV rbp,[0x91d04ff648]
CLC
ADC rsi,rbp ; flags += PF << 2
MOV [0x91d04ff648],rsi
; --- SF(x): bit 31 of x ---
MOV eax,[0x91d04ff440]
MOV [0x91d04ff63e],eax
MOV edx,[0x91d04ff63e]
NOT edx ; ~x
MOV eax,0x7fffffff
OR eax,edx ; ~x | 0x7fffffff
MOV [0x91d04ff63e],eax
MOV edx,[0x91d04ff63e]
MOV [0x91d04ff63a],edx
MOV edx,[0x91d04ff63a]
MOV ebp,[0x91d04ff63e]
NOT edx
NOT ebp
AND edx,ebp ; ~(~x | 0x7fffffff) = x & 0x80000000
MOV [0x91d04ff63e],edx
MOV rdx,[0x91d04ff63e] ; 64-bit load of a dword slot; bytes ..642-..645 still hold x from above
SHR rdx,0x18 SF ; bit 31 -> bit 7 = SF position in EFLAGS (stale bytes land in bits 8+)
MOV [0x91d04ff640],rdx
MOV rcx,[0x91d04ff640]
MOV rbp,[0x91d04ff648]
CLC
ADC rcx,rbp ; flags += SF << 7
MOV [0x91d04ff648],rcx
MOV rdx,[0x91d04ff648]
MOV rsi,0x202
ADD rsi,rdx ; + bit 1 (reserved, always set) + bit 9 (IF): synthesized EFLAGS =
MOV rbp,rsi ; 0x202 | PF<<2 | ZF<<6 | SF<<7 (plus whatever the stale bytes contributed above bit 7)
MOV [0x91d04ff460],rbp
MOV rsi,[0x91d04ff460]
MOV [0x91d04ff648],rsi ; ..648 = flags
MOV r10,[0x91d04ff400]
MOV [0x91d04ff640],r10 ; ..640 = original rax
MOV rbx,[0x91d04ff640]
MOV [0x91d04ff458],rbx ; ..458 = original rax (saved)
MOV r11,[0x91d04ff648]
MOV [0x91d04ff400],r11 ; ..400 = flags
MOV r8,[0x91d04ff400]
MOV rbx,r8
; --- conditional jump: pick one of two adjacent 8-byte slots by ZF ---
SHR rbx,0x3 ZF->MEM_DSP ; flags >> 3 moves ZF (bit 6) to bit 3, i.e. the value 8
MOV [0x91d04ff630],rbx
MOV rdi,[0x91d04ff630]
MOV [0x91d04ff628],rdi
MOV rcx,[0x91d04ff628]
MOV r8,[0x91d04ff630]
NOT rcx
NOT r8
OR rcx,r8 ; ~(flags >> 3)
MOV [0x91d04ff630],rcx
MOV rax,0x0
ADD rax,[0x91d04ff630]
NOT rax ; flags >> 3
MOV rdi,0xfffffffffffffff7 ; ~8
OR rdi,rax ; (flags >> 3) | ~8
MOV [0x91d04ff630],rdi
MOV rbx,[0x91d04ff630]
MOV r11,0x0
ADD r11,[0x91d04ff630]
OR rbx,r11
NOT rbx ; ~((flags>>3) | ~8) = ~(flags>>3) & 8: 8 when ZF == 0, 0 when ZF == 1 (only bit 6 of flags matters; the stale bits are masked off)
MOV [0x91d04ff630],rbx
MOV r8,[0x91d04ff630]
ADD r8,0x91d04ff640 ; r8 = ..640 (ZF set) or ..648 (ZF clear)
MOV [0x91d04ff638],r8
MOV r11,[0x91d04ff638]
MOV rbx,[r11] get new VIP ; NOTE(review): by the stores shown, ..640 holds the saved rax and ..648 the flags, not two VIPs; the candidates are presumably written by untraced instructions -- confirm with the full trace
MOV [0x91d04ff638],rbx
MOV rcx,[0x91d04ff638]
MOV [0x91d04ff3f0],rcx
MOV r11,[0x91d04ff3f0]
MOV [0x91d04ff648],r11
MOV rbx,[0x91d04ff648]
MOV r11,0x7ff537900000 ; the VIP read from memory is relative; this run's base is added to get an absolute pointer
CLC
ADC r11,rbx
MOV [0x91d04ff648],r11
MOV rcx,[0x91d04ff648]
MOV [0x91d04ff3f8],rcx ; ..3f8 = absolute VIP
MOV rdx,[0x91d04ff400]
MOV [0x91d04ff648],rdx ; ..648 = flags again
MOV r11,0x0
OR r11,[0x91d04ff458]
MOV [0x91d04ff620],r11 ; ..620 = original rax
; --- handler dispatch: fetch, decode and jump to the next handler ---
MOV r11,[0x91d04ff3f8]
MOV [0x91d04ff5c0],r11
MOV rcx,[0x91d04ff5c0]
MOV rsi,rcx ; rsi = absolute VIP
MOV rbp,rsi
SUB rbp,0x7ff537900000 ; rbp = relative VIP, used as the rolling decode key
MOV ecx,[rsi] VIP ; fetch the 4-byte encoded operand
LEA rsi,[rsi+0x4] VIP += 4
XOR ecx,ebp DECODE VM OPCODE ; step 1: XOR with the key (low 32 bits of the relative VIP)
NEG ecx ; step 2
DEC ecx ; step 3
ROL ecx,0x1 ; step 4
XOR ecx,0x29cd3a5 ; step 5: constant, presumably specific to this build
MOV [0x91d04ff398],rbp
XOR [0x91d04ff398],ecx ; key ^= decoded operand (only the low dword of the slot is touched)
MOV rbp,[0x91d04ff398] ; rbp = updated key for the next operand
MOVSXD rcx,ecx ; the decoded value is a signed 32-bit offset
MOV r9,0x7ff677b70428 ; handler base (a different base from the VIP one above)
ADD r9,rcx ; handler = base + offset
MOV rdx,0x0
ADD rdx,r9
JMP rdx ; dispatch: indirect jump whose target is only known at run time
```
标签:二进制分析, 云安全运维, 云资产清单, 代码虚拟化, 反混淆, 可配置连接, 程序分析, 逆向工程