Professional Documents
Culture Documents
com
bbs.unpack.cn
: aa1ss2
VMSweeper
.
,,
VM
VMSweeper1.4 beta 8
http://forum.exetools.com/showthread.php?t=13084
,,,,
VMProtect VM VM
VMP VMSweeper
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
Decode VM VM F1
patch
VMSweeper
OD
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
Regs_xxxxxxx
Stack_xxxxxxx
,,,,,
Regs_00405D1E.map:
eax: eax << (ecx << ecx)
ecx: (ecx << ecx) - 1
edx: edx
ebx: 0x00407C27
esp: 0x0012FEE4
ebp: 0x0012FFA4
esi: [0x0012FFA4] + 0x00407C27
edi: 0x0012FEE4
efl: efl
00405D1E
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
ESI(VMP EIP)
EAX ECX VMVMP EAX ECX
EBX ADD ESI,DWORD PTR SS:[EBP]
Stack_00405D1E.map:
0012FF94: empty
0012FF98: empty
0012FF9C: empty
0012FFA0: empty
0012FFA4: 0
0012FFA8: [0x0040616B]
0012FFAC: efl
0012FFB0: ebp
0012FFB4: ecx
0012FFB8: ebx
0012FFBC: esi
0012FFC0: edx
0012FFC4: edi
0012FFC8: ebx
0012FFCC: eax
0012FFD0: 0x991AD4CC
0012FFD4: 0x0101A0F0
0012FFD8: var0
0012FFDC: var1
0012FFE0: var2
0012FFE4: var3
0012FFE8: var4
0012FFEC: var5
0012FFF0: var6
0012FFF4: var7
0012FFF8: var8
0012FFFC: var9
ESPEBPEDI VM
0013FFA0
0013FFB0 ? .
0013FFA4 7FFDD000 .
0013FFA8
FFFFFFFF
0013FFAC
7C92E514 |
ntdll.KiFastSystemCallRet
ntdll.7C930228
0013FFB0
7C930228 (
0013FFB4
7FFDD000 .
0013FFB8
00000000 ....
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
0013FFBC
991AD4CC
VMSweeper VM -_ Regs_00405F91.map Regs_00405D1E.map
00405F91
Regs_00405F91.map:
eax: 0xA3
ecx: [404E69] ^ 0x3FE1E344
edx: edx
ebx: 0x00407CCA
esp: 0x0012FEE4
ebp: 0x0012FFA4
esi: 0x00407C26
edi: 0x0012FEE4
efl: efl
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
VM VM VM VM
VMSweeper
VMSweeper
VM
VM
VMP
VMSweeper VMP
VMP
VMSweeper
VMP_CRC:
VMP
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
*** Primitive Template ***
{ NN_mov, dt_dword, "edx", "[ebp]", R_SS };
{ NN_add, dt_dword, "ebp", "4", R_NONE };
{ NN_sub, dt_dword, "cmd", "cmd", R_NONE };
{ NN_mov, dt_dword, "ecx", "cmd", R_NONE };
{ NN_shl, dt_dword, "cmd", "7", R_NONE };
{ NN_shr, dt_dword, "ecx", "0x00000019", R_NONE };
{ NN_or, dt_dword, "cmd", "ecx", R_NONE };
{ NN_xor, dt_byte, "cmd", "[edx]", R_DS };
{ NN_sub, dt_dword, "[ebp]", "1", R_SS };
{ NN_mov, dt_dword, "[ebp]", "cmd", R_SS };
VM primitive 0B Crc
VMSweeper
cmd
reg_cmd VMP
efl eflags
.
handle VMSweeper ( eip).trc 401000.trc
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
***** Stop Virtual Machine *****
Instr: 0 parsing - 0x00140040: push 0101A0F0h (aux:0x1808 insn:0x00)
Instr: 1 parsing - 0x00140045: push 991AD4CCh (aux:0x1808 insn:0x00)
Instr: 2 parsing - 0x0014004A: push eax (aux:0x1808 insn:0x00)
Instr: 3 parsing - 0x0014004B: push ebx (aux:0x1808 insn:0x00)
Instr: 4 parsing - 0x0014004C: push edi (aux:0x1808 insn:0x00)
Instr: 5 parsing - 0x0014004D: push edx (aux:0x1808 insn:0x00)
Instr: 6 parsing - 0x0014004E: push esi (aux:0x1808 insn:0x00)
401000.log
VMSweeper
, 5
=00140000
=00040000 (262144.)
=
00140000 ()
=
=Priv 00021040
=RWE
=RWE
0x40 VMP
00140040: [0x00140020] = 0
00140064: svm_1 = add [0x0040616B], 0x203D9563
0014006D: [0x00140034] = iEFL
00140074: [0x00140034] = svm_1
0014007A: [0x00140004] = iEFL
00140080: [0x0014002C] = iEBP
00140086: [0x00140010] = iECX
0014008C: [0x00140028] = iEBX
00140092: [0x00140018] = iESI
00140098: [0x00140008] = iEDX
0014009E: [0x00140038] = iEDI
001400A4: [0x00140024] = iEBX
001400AA: [0x0014003C] = iEAX
001400B0: [0x0014001C] = 0x991AD4CC
001400B6: [0x00140014] = 0x0101A0F0
001400BC: svm_2 = add 0xB1B55788, 0x4E8AF8C5
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
001400CF: [0x00140014] = iEFL
001400D6: svm_3 = add svm_2, [0x00140020]
001400E0: [0x0014001C] = iEFL
001400E7: svm_4 = add 0x696F2C6D, [svm_3]
001400EE: [0x00140030] = iEFL
001400F5: svm_5 = add 0x0000000A, __$esp
Patch
00140040
00140045
0014004A
0014004B
0014004C
0014004D
0014004E
0014004F
00140050
00140051
00140052
00140053
00140059
0014005E
00140064
00140069
0014006A
0014006D
0014006E
00140074
0014007A
00140080
00140086
0014008C
00140092
00140098
0014009E
001400A4
001400AA
001400B0
001400B6
001400BC
001400C1
001400C6
001400CB
001400CC
68 F0A00101
68 CCD41A99
50
53
57
52
56
53
51
55
9C
FF35 6B614000
68 00000000
8F05 20001400
68 63953D20
58
010424
9C
8F05 34001400
8F05 34001400
8F05 04001400
8F05 2C001400
8F05 10001400
8F05 28001400
8F05 18001400
8F05 08001400
8F05 38001400
8F05 24001400
8F05 3C001400
8F05 1C001400
8F05 14001400
68 6D2C6F69
68 8857B5B1
68 C5F88A4E
58
010424
PUSH 101A0F0
//
PUSH 991AD4CC
PUSH EAX
PUSH EBX
PUSH EDI
PUSH EDX
PUSH ESI
PUSH EBX
PUSH ECX
PUSH EBP
PUSHFD
PUSH DWORD PTR DS:[40616B]
PUSH 0
POP DWORD PTR DS:[140020]
PUSH 203D9563
POP EAX
ADD DWORD PTR SS:[ESP],EAX
PUSHFD
POP DWORD PTR DS:[140034]
POP DWORD PTR DS:[140034]
POP DWORD PTR DS:[140004]
POP DWORD PTR DS:[14002C]
POP DWORD PTR DS:[140010]
POP DWORD PTR DS:[140028]
POP DWORD PTR DS:[140018]
POP DWORD PTR DS:[140008]
POP DWORD PTR DS:[140038]
POP DWORD PTR DS:[140024]
POP DWORD PTR DS:[14003C]
POP DWORD PTR DS:[14001C]
POP DWORD PTR DS:[140014]
PUSH 696F2C6D
PUSH B1B55788
PUSH 4E8AF8C5
POP EAX
ADD DWORD PTR SS:[ESP],EAX
//
10
bbs.pediy.com
bbs.unpack.cn
: aa1ss2
001400CF
001400D0
001400D6
001400DC
001400DD
001400E0
001400E1
001400E7
001400E8
001400EA
001400EB
001400EE
001400EF
001400F5
9C
8F05 14001400
FF35 20001400
58
010424
9C
8F05 1C001400
58
FF30
58
010424
9C
8F05 30001400
68 4DF9ADA9
PUSHFD
POP DWORD PTR DS:[140014]
PUSH DWORD PTR DS:[140020]
POP EAX
ADD DWORD PTR SS:[ESP],EAX
PUSHFD
POP DWORD PTR DS:[14001C]
POP EAX
PUSH DWORD PTR DS:[EAX]
POP EAX
ADD DWORD PTR SS:[ESP],EAX
PUSHFD
POP DWORD PTR DS:[140030]
PUSH A9ADF94D
Patch
VMSweeper patch
VMSweeper
VMSweeper
VMP
2011-03-01
11