vm_context
00000000 vm_context struc ; (sizeof=0x70, mappedto_32)
00000000 r0 dd ?
00000004 r1 dd ?
00000008 r2 dd ?
0000000C r3 dd ?
00000010 r4 dd ?
00000014 opcode dd ?
00000018 cmdA0 dd ?
0000001C fn_set_imm dd ?
00000020 cmdA1 dd ?
00000024 fn_xor_r0_r1 dd ?
00000028 cmdA2 dd ?
0000002C fn_cmp dd ?
00000030 cmdA4 dd ?
00000034 fn_prompt dd ?
00000038 cmdA5 dd ?
0000003C fn_exit dd ?
00000040 cmdA3 dd ?
00000044 fn_null dd ?
00000048 cmdA6 dd ?
0000004C fn_jnz dd ?
00000050 cmdA7 dd ?
00000054 fn_input dd ?
00000058 cmdA8 dd ?
0000005C fn_output dd ?
00000060 cmdA9 dd ?
00000064 fn_check dd ?
00000068 cmdAA dd ?
0000006C fn_decrypt_string dd ?
00000070 vm_context ends
vm_init()
void *__usercall vm_init@<eax>(vm_context *vm_ctx@<eax>, void *data_start)
{
/* Hex-Rays pseudocode (x86, custom calling convention). Builds the opcode ->
   handler table inside vm_ctx and clears the VM data area.
   vm_ctx    : context to initialise (passed in eax)
   data_start: start of the VM data area; 0x1000 bytes of it are zeroed
   returns   : whatever memset() returns, i.e. data_start */
char *v2; // ecx@1 - cursor over the {cmd, fn} slots, 8 bytes per slot
signed int v3; // edx@1 - remaining slot count
vm_ctx->r0 = 0;
vm_ctx->r1 = 0;
vm_ctx->r2 = 0;
vm_ctx->r3 = 0;
vm_ctx->r4 = 0;
/* Zero the low byte of 32 consecutive 8-byte slots starting at cmdA0: the
   writes hit offsets 0x18, 0x20, ..., 0x110. Only one byte per slot is
   written; the fn dword and the upper three bytes of each cmd dword are not
   touched here. The struct listing above is only 0x70 bytes (11 slots), so
   21 of these writes fall past its declared end -- presumably the real
   context is larger than the IDA struct shows (vm_dispatcher scans the same
   32 slots); confirm against the binary. */
v2 = (char *)&vm_ctx->cmdA0;
v3 = 32;
do
{
*v2 = 0;
v2 += 8;
--v3;
}
while ( v3 );
/* Fill the 11 known slots: low byte of cmdXX = opcode byte, fnXX = handler
   address. The handler pointers are plain data stored right next to the VM
   registers, so any write into this region changes where dispatch goes.
   Slots A4 and A5 are filled before A3, matching the struct layout. */
LOBYTE(vm_ctx->cmdA0) = 0xA0u;
vm_ctx->fn_set_imm = (int)fn_set_imm;
LOBYTE(vm_ctx->cmdA1) = 0xA1u;
vm_ctx->fn_xor_r0_r1 = (int)fn_xor_r0_r1;
LOBYTE(vm_ctx->cmdA2) = 0xA2u;
vm_ctx->fn_cmp = (int)fn_cmp;
LOBYTE(vm_ctx->cmdA4) = 0xA4u;
vm_ctx->fn_prompt = (int)fn_prompt;
LOBYTE(vm_ctx->cmdA5) = 0xA5u;
vm_ctx->fn_exit = (int)fn_exit;
LOBYTE(vm_ctx->cmdA3) = 0xA3u;
vm_ctx->fn_null = (int)fn_null;
LOBYTE(vm_ctx->cmdA6) = 0xA6u;
vm_ctx->fn_jnz = (int)fn_jnz;
LOBYTE(vm_ctx->cmdA7) = 0xA7u;
vm_ctx->fn_input = (int)fn_input;
LOBYTE(vm_ctx->cmdA8) = 0xA8u;
vm_ctx->fn_output = (int)fn_output;
LOBYTE(vm_ctx->cmdA9) = 0xA9u;
vm_ctx->fn_check = (int)fn_check;
LOBYTE(vm_ctx->cmdAa) = 0xAAu; // same field the struct listing names cmdAA
vm_ctx->fn_decrypt_string = (int)fn_decrypt_string;
/* Clear 0x1000 bytes of VM data; memset's result (data_start) is returned. */
return memset(data_start, 0, 0x1000u);
}
vm_dispatcher()
int __usercall vm_dispatcher@<eax>(int opcode_start@<eax>, vm_context *vm_ctx@<esi>, int data_start)
{
/* Hex-Rays pseudocode: fetch/dispatch loop of the VM.
   opcode_start: address of the first bytecode byte (in eax); afterwards the
                 variable is reused as the slot index and as the handler's
                 return value
   vm_ctx      : context filled in by vm_init (in esi)
   data_start  : VM data area, passed through to every handler
   returns     : the last handler's return value, or opcode_start unchanged
                 when the very first byte is already 0xA3 */
char *vm_handler_type; // ecx@2 - cursor over the cmd bytes, 8 bytes per slot
vm_ctx->opcode = opcode_start;
/* 0xA3 (the cmdA3/fn_null slot) is the halt marker: it ends the loop here and
   so never reaches the slot scan, i.e. fn_null is not dispatched from this
   function. Nothing in this loop advances vm_ctx->opcode; presumably the
   handlers do (confirm in their code). */
while ( *(_BYTE *)vm_ctx->opcode != 0xA3u )
{
opcode_start = 0;
vm_handler_type = (char *)&vm_ctx->cmdA0;
/* Linear scan of the 32 {cmd, fn} slots that vm_init cleared (0x18 + 8*i);
   the first cmd byte equal to the current bytecode byte wins. */
while ( opcode_start < 0x20 )
{
if ( *(_BYTE *)vm_ctx->opcode == *vm_handler_type )
{
/* &fn_set_imm + 2*i steps 8 bytes per slot (arithmetic on 4-byte function
   pointers), i.e. the fn dword of slot i. Called as fn(vm_ctx, data_start). */
opcode_start = (*((int (__cdecl **)(_DWORD, _DWORD))&vm_ctx->fn_set_imm + 2 * opcode_start))(vm_ctx, data_start);
break;
}
++opcode_start;
vm_handler_type += 8;
}
/* NOTE(review): if no slot matches, the inner loop ends with
   opcode_start == 0x20 and vm_ctx->opcode unchanged, so the outer loop
   re-reads the same byte forever -- an unrecognised opcode hangs the VM
   instead of failing. There is also no check that vm_ctx->opcode stays
   inside the bytecode buffer; a stream without a terminating 0xA3 would be
   read past its end. */
}
return opcode_start;
}
自定义vm虚拟机

python指令解析器
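#!/usr/bin/python
# -*- coding: UTF-8 -*-
"""Disassembler for the custom VM's bytecode.

Decodes the 0xA0..0xAA opcode stream found in the crackme and prints one
mnemonic per instruction. Print calls use the function form so the script
runs under both Python 2 and Python 3 (the original used Python 2 print
statements, which are a syntax error on Python 3).
"""

# Code segment (代码段): the bytecode extracted from the binary.
text = [0xAA, 0x15, 0x20, 0x01, 0x00, 0x00, 0xAA, 0x15, 0x40, 0x01, 0x00, 0x00,
        0xA0, 0x10, 0x00, 0x00, 0x00, 0x00, 0xA8, 0xA0, 0x10, 0xF0, 0x00, 0x00,
        0x00, 0xA8, 0xA0, 0x10, 0x60, 0x01, 0x00, 0x00, 0xA7, 0xAA, 0x11, 0x80,
        0x00, 0x00, 0x00, 0xAA, 0x10, 0x60, 0x00, 0x00, 0x00, 0xAA, 0x12, 0xB0,
        0x00, 0x00, 0x00, 0xA9, 0xA2, 0xEA, 0xA6, 0x0E, 0xA0, 0x10, 0x20, 0x01,
        0x00, 0x00, 0xA0, 0x11, 0x10, 0x01, 0x00, 0x00, 0xA4, 0xA5, 0xA0, 0x10,
        0x40, 0x01, 0x00, 0x00, 0xA0, 0x11, 0x10, 0x01, 0x00, 0x00, 0xA4, 0xA5]


def toUint(arr):
    """Return the little-endian 32-bit unsigned value of the first four bytes of arr."""
    return arr[0] | (arr[1] << 8 | arr[2] << 16 | arr[3] << 24)


class Context:
    """Decoder state.

    `code` is the byte list being decoded (defaults to the module-level `text`
    so existing callers keep working) and `ip` is the offset of the next opcode.
    Each cmdXX method decodes one instruction at `ip`, prints its mnemonic and
    advances `ip` past the instruction.
    """

    def __init__(self, code=None):
        self.code = text if code is None else code
        self.ip = 0

    def cmdA0(self):
        """0xA0: move. Encoding: A0 <sub> <imm32 LE>; sub 0x10-0x13 selects r0-r3."""
        c = self.code[self.ip + 1]
        p = toUint(self.code[self.ip + 2:self.ip + 6])
        self.ip += 6
        if 0x10 <= c <= 0x13:
            print("mov r{0}, {1}".format(c - 0x10, hex(p)))
        elif c == 0x14:
            print("movb r0, [{0}]".format(hex(p)))
        elif c == 0x15:
            print("movb [{0}], r0".format(hex(p)))
        else:
            # Explicit raise rather than `assert False`, which python -O strips.
            raise AssertionError("unknown A0 sub-opcode 0x{0:02x} at offset {1}".format(c, self.ip - 6))

    def cmdA1(self):
        """0xA1: r0 ^= r1. One byte."""
        self.ip += 1
        print("xor r0, r1")

    def cmdA2(self):
        """0xA2: byte compare of r0 with [imm8]. Encoding: A2 <imm8>."""
        p = self.code[self.ip + 1]
        self.ip += 2
        print("equb r0, [{0}]".format(hex(p)))

    def cmdA3(self):
        """0xA3: halt marker in the native dispatcher; not expected inside this stream."""
        raise AssertionError("unexpected 0xA3 at offset {0}".format(self.ip))

    def cmdA4(self):
        """0xA4: message box with [r0] as text and [r1] as title. One byte."""
        self.ip += 1
        print("msg [r0], [r1]")

    def cmdA5(self):
        """0xA5: exit. One byte."""
        self.ip += 1
        print("exit")

    def cmdA6(self):
        """0xA6: conditional forward jump. Encoding: A6 <rel8>."""
        p = self.code[self.ip + 1]
        self.ip += 2
        print("jne +{0}".format(hex(p)))

    def cmdA7(self):
        """0xA7: read input into [r0]. One byte."""
        self.ip += 1
        print("in [r0]")

    def cmdA8(self):
        """0xA8: print [r0]. One byte."""
        self.ip += 1
        print("out [r0]")

    def cmdA9(self):
        """0xA9: check [r0]. One byte."""
        self.ip += 1
        print("check [r0]")

    def cmdAA(self):
        """0xAA: xor-decrypt a 32-byte string. Encoding: AA <sub> <imm32 LE>;
        sub 0x10-0x12 names the key slot, any other sub uses no key slot."""
        c = self.code[self.ip + 1]
        p = toUint(self.code[self.ip + 2:self.ip + 6])
        self.ip += 6
        if 0x10 <= c <= 0x12:
            print("xorstr key{0}, [{1}], [32]".format(c - 0x10, hex(p)))
        else:
            print("xorstr [{0}], [32]".format(hex(p)))

    def run(self):
        """Decode from `ip` to the end of `code`, printing one line per instruction.

        Raises ValueError on an opcode outside 0xA0..0xAA. The original indexed
        `ops[c - 0xA0]` unchecked, so a byte below 0xA0 gave a negative index and
        silently ran the wrong handler instead of failing.
        """
        ops = [self.cmdA0, self.cmdA1, self.cmdA2, self.cmdA3, self.cmdA4, self.cmdA5,
               self.cmdA6, self.cmdA7, self.cmdA8, self.cmdA9, self.cmdAA]
        while self.ip < len(self.code):
            c = self.code[self.ip]
            if not 0xA0 <= c < 0xA0 + len(ops):
                raise ValueError("unknown opcode 0x{0:02x} at offset {1}".format(c, self.ip))
            ops[c - 0xA0]()


if __name__ == "__main__":
    ctx = Context()
    ctx.run()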
运行结果
xorstr [0x120], [32]
xorstr [0x140], [32]
mov r0, 0x0
out [r0]
mov r0, 0xf0
out [r0]
mov r0, 0x160
in [r0]
xorstr key1, [0x80], [32]
xorstr key0, [0x60], [32]
xorstr key2, [0xb0], [32]
check [r0]
equb r0, [0xea]
jne +0xe
mov r0, 0x120
mov r1, 0x110
msg [r0], [r1]
exit
mov r0, 0x140
mov r1, 0x110
msg [r0], [r1]
exit
原文地址:http://www.cnblogs.com/qintangtao/p/7230227.html