VMProtect完全解析之TLS


发布人:admin分类:网络安全浏览量:38发布时间:2017-12-12

听朋友说程序加了VMProtect后,很难破解,今天我们就来看看这个保护有多难。首先先分析下VMProtect最早执行的部分–TLS。今天我们的样本就先看看VMProtect的主程序,我用的是VMProtect Ultimate v 2.12.3版本,网上搜一下就可以下载得到。

VMProtect主要实现了一个自己的虚拟机,通过解析执行来完成相关的工作,直接看他的引擎本文暂不描述,我自己写了个解析器。将TLS部分解析后如下:

           SetReg32 38
           GetImm32 9711ACF7
           Add32
           SetReg32 0C
           SetReg32 2C
           SetReg32 30
           SetReg32 20
           SetReg32 34
           SetReg32 24
           SetReg32 08
           SetReg32 14
           SetReg32 3C
           SetReg32 10
           SetReg32 18
           SetReg32 1C
           SetReg32 28
           GetImm32 45569F07
           GetImm16 0000
           GetImm32 01179B0A   ===================== cmp byte ptr [0x01179b0a], 0
           RmDs8
           GetEsp32
           RmSs8
           NNA8
           SetReg32 04
           Add8
           SetReg32 28
           GetEsp32
           RmSs8
           NNA8
           SetReg32 0C
           SetReg8 1C
           GetReg32 28
           GetReg32 28
           NNA32
           SetReg32 08
           GetImm32 FFFFF7EA
           NNA32
           SetReg32 3C
           GetReg32 0C
           GetReg32 0C
           NNA32
           SetReg32 3C
           GetImm32 00000815
           NNA32
           SetReg32 04
           Add32
           SetReg32 00
           SetReg32 04
           GetImm32 449A0010
           GetEsp32
           GetImm16 0004
           GetReg32 04
           GetImm32 FFFFFFBF
           NNA32
           SetReg32 28
           Shr32
           SetReg32 08
           Add32
           SetReg32 00
           RdSs32
           jne -> 449A0010:45569F07
           SetReg32 1C
           SetReg32 3C
           SetReg32 00
           GetReg32 1C
           SetReg32 00
           GetReg32 00
           GetEsp32
           RdSs32
           NNA32
           SetReg32 08
           GetImm32 BBBEF8A6
           NNA32
           SetReg32 3C
           GetReg32 00
           GetImm32 44410759
           NNA32
           SetReg32 08
           NNA32
           SetReg32 3C
           SetReg32 08
           GetReg32 2C
           GetReg32 18
           GetReg32 04
           GetReg32 20
           GetReg32 34
           GetReg32 18
           GetReg32 10
           GetReg32 24
           GetReg32 30
           GetReg32 00
           GetReg32 14
           GetImm32 68EE5309
           GetReg32 2C
           Add32
           SetReg32 0C
           GetReg32 38
           GetReg32 08
           SetEip

 首先检测 0x01179B0A 是否初始化,这个值关系着后面的流程,如果这个被置1,后面就不会检测入口的断点。我们接着看第二部分:

           ===================================================================
           ===== Jne 00DB0749 0117985E
           ===================================================================
           =====00DB0749 00DB0749
           SetReg32 24
           GetImm32 9711ACF7
           Add32
           SetReg32 04
           SetReg32 00
           SetReg32 1C
           SetReg32 38
           GetReg32 38
           GetReg32 38
           NNA32
           SetReg32 10
           GetImm32 BBBEF8A6
           NNA32
           SetReg32 08
           GetReg32 38
           GetImm32 44410759
           NNA32
           SetReg32 10
           NNA32
           SetReg32 18
           SetReg32 20
           SetReg32 04
           SetReg32 30
           SetReg32 34
           SetReg32 28
           SetReg32 10
           SetReg32 3C
           SetReg32 0C
           SetReg32 2C
           SetReg32 08
           GetReg32 0C
           GetReg32 30
           GetReg32 3C
           GetReg32 04
           GetReg32 1C
           GetReg32 10
           GetReg32 34
           GetImm32 55D02669
           GetImm32 01179B0A
           GetImm32 00400000     =============================Image base
           SetReg32 2C
           GetImm32 0000003C     =============================PeOffset
           GetReg32 2C
           Add32
           SetReg32 18
           RmDs32
           SetReg32 08
           GetReg32 2C
           GetReg32 08
           Add32
           SetReg32 30
           SetReg32 18           ==============================PeHead
           GetImm32 00000028     ==============================Pe Entry offset
           GetReg32 18
           Add32
           SetReg32 30
           RmDs32
           GetEsp32
           RdSs32
           SetReg32 34
           GetReg32 2C
           Add32
           SetReg32 08
           SetReg32 30
           GetImm16 00CC         ================================INT 3断点
           GetReg32 30
           RmDs8
           GetEsp32
           RmSs8
           NNA8
           SetReg32 18
           Add8
           SetReg32 34
           GetEsp32
           RmSs8
           NNA8
           SetReg32 18
           SetReg8 08
           GetReg32 34
           GetEsp32
           RdSs32
           NNA32
           SetReg32 20
           GetImm32 FFFFF7EA
           NNA32
           SetReg32 0C
           GetReg32 18
           GetEsp32
           RdSs32
           NNA32
           SetReg32 08
           GetImm32 00000815
           NNA32
           SetReg32 14
           Add32
           SetReg32 20
           SetReg32 14
           SetReg32 08
           GetImm32 55D026FC
           GetEsp32
           GetImm16 0004
           GetReg32 14
           GetImm32 FFFFFFBF
           NNA32
           SetReg32 3C
           Shr32
           SetReg32 20
           Add32
           SetReg32 3C
           RdSs32
           jne -> 55D026FC:55D02669
           SetReg32 3C
           SetReg32 38
           SetReg32 34
           GetReg32 3C
           SetReg32 34
           GetReg32 34
           GetEsp32
           RdSs32
           NNA32
           SetReg32 20
           GetImm32 AB37E0B8
           NNA32
           SetReg32 3C
           GetReg32 34
           GetImm32 54C81F47
           NNA32
           SetReg32 20
           NNA32
           SetReg32 20
           SetReg32 38
           GetReg32 2C
           GetReg32 10
           GetReg32 10
           GetReg32 28
           GetReg32 2C
           GetReg32 04
           GetReg32 14
           GetReg32 30
           GetReg32 28
           GetReg32 1C
           GetReg32 08
           GetReg32 00
           GetImm32 68EE5309
           Add32
           SetReg32 0C
           GetReg32 24
           GetReg32 38
           SetEip

 从上面的代码可以看出,VMProtect直接检测了入口的CC断点,因此,如果我们OD直接停在入口点的话将会被检测到。

           ===================================================================
           =====011839BB 011839BB
           SetReg32 3C
           GetImm32 9711ACF7
           Add32
           SetReg32 18
           SetReg32 20
           SetReg32 2C
           SetReg32 04
           SetReg32 08
           SetReg32 0C
           SetReg32 38
           SetReg32 00
           SetReg32 28
           SetReg32 34
           GetReg32 34
           GetReg32 34
           NNA32
           SetReg32 14
           GetImm32 AB37E0B8
           NNA32
           SetReg32 10
           GetImm32 54C81F47
           GetReg32 34
           NNA32
           SetReg32 24
           NNA32
           SetReg32 30
           SetReg32 14
           SetReg32 24
           SetReg32 10
           SetReg32 30
           GetImm16 0001                =======================如果检测到了就写入1
           GetImm32 00000001            =======================记录地址偏移1(0x01179b0a+1)
           GetReg32 2C
           Add32
           SetReg32 30
           WmDs8
           GetImm32 0000027B
           GetReg32 30
           GetReg32 24
           GetReg32 14
           SetReg32 18
           GetReg32 18
           GetEsp32
           RdSs32
           NNA32
           SetReg32 10
           GetImm32 AB37E0B8
           NNA32
           SetReg32 1C
           GetImm32 54C81F47
           GetReg32 18
           NNA32
           SetReg32 1C
           NNA32
           SetReg32 10
           GetReg32 28
           GetReg32 00
           GetReg32 38
           GetReg32 0C
           GetReg32 08
           GetReg32 04
           GetReg32 2C
           GetImm32 68EE5309
           GetReg32 20
           Add32
           SetReg32 30
           GetReg32 3C
           SetReg32 1C
           GetImm32 9711ACF7
           Add32
           SetReg32 3C
           SetReg32 34
           SetReg32 3C
           SetReg32 30
           SetReg32 10
           SetReg32 20
           SetReg32 04
           SetReg32 0C
           SetReg32 38
           SetReg32 28
           GetReg32 28
           GetEsp32
           RdSs32
           NNA32
           SetReg32 2C
           GetImm32 AB37E0B8
           NNA32
           SetReg32 18
           GetReg32 28
           GetImm32 54C81F47
           NNA32
           SetReg32 08
           NNA32
           SetReg32 08
           SetReg32 2C
           SetReg32 00
           SetReg32 24
           SetReg32 14
           SetReg32 14
           SetReg32 24
           SetReg32 00
           SetReg32 18
           SetReg32 30
           SetReg32 08
           SetReg32 38
           GetReg32 38
           GetReg32 38
           NNA32
           SetReg32 0C
           GetImm32 000008FF
           NNA32
           SetReg32 0C
           AddEsp4
           GetEsp32
           RdSs32
           GetEsp32
           GetImm32 00000010
           Add32
           SetReg32 0C
           WmSs32
           SetReg32 3C
           SetReg32 3C
           SetReg32 04
           GetReg32 10
           GetReg32 14
           GetReg32 38
           GetReg32 00
           GetReg32 2C
           GetReg32 08
           GetReg32 24
           GetReg32 30
           GetReg32 18
           GetReg32 0C
           GetReg32 0C

TLS中只是将检测结果保存起来,然后在入口点之后的代码里检测这个标志位,我们只要在入口点将这个值改成0,后面就不会显示检测到调试器,当然后面的检测还有,下次再分享,本文就不再描述。

总结:整个TLS的过程不复杂,复杂的是对VMProtect的引擎的解析,如果大家喜欢此类文章,后续我将继续发表相关文章。        


被黑站点统计 - 文章版权1、本主题所有言论和图片纯属会员个人意见,与本文章立场无关
2、本站所有主题由该文章作者发表,该文章作者与被黑站点统计享有文章相关版权
3、其他单位或个人使用、转载或引用本文时必须同时征得该文章作者和被黑站点统计的同意
4、文章作者须承担一切因本文发表而直接或间接导致的民事或刑事法律责任
5、本帖部分内容转载自其它媒体,但并不代表本站赞同其观点和对其真实性负责
6、如本帖侵犯到任何版权问题,请立即告知本站,本站将及时予与删除并致以最深的歉意
7、被黑站点统计管理员有权不事先通知发贴者而删除本文

免责声明

本站主要通过网络搜集国内被黑网站信息,统计分析数据,为部署安全型网络提供强有力的依据.本站所有工作人员均不参与黑站,挂马或赢利性行为,所有数据均为网民提供,提交者不一定是黑站人,所有提交采取不记名,先提交先审核的方式,如有任何疑问请及时与我们联系.

admin  的文章


微信公众号

微信公众号


Copyright © 2012-2022被黑网站统计系统All Rights Reserved
页面总访问量:21242186(PV) 页面执行时间:105.326(MS)
  • xml
  • 网站地图