逆向工程 - 简化组装 - 吾爱随笔录

简化组装

逆向工程部件 x86 混淆去混淆

2021-06-22 11:23:04

我正在分析一些二进制跟踪，它非常模糊。我需要做的是了解其算法的工作流程。但是我找不到任何可靠的工具来帮助我。

我试图将这些函数转换为 LLVM IR，然后对其进行优化，但我所知道的所有工具都无法做到这一点。据我所知，只有 llvm-mctoll 生成了合适的 IR（但在大多数情况下它失败了，可能是因为缺乏支持的指令），其他生成了大量无用的垃圾代码，优化后看起来更糟。Miasm 或 Angr 等其他工具仅优化了 IR，这不是我想要的。

我该怎么做？手动优化它很容易，但很耗时（它有大约 4k 条汇编指令）。是否存在可能有助于此类优化的工具？创建它们的问题在哪里？就我理解的理论而言，这很容易，尤其是我不是在分析二进制文件而是在跟踪，所以我不必关心正确的流路、拆卸等。

示例功能：

eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040135d esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040135d e94f9b0000       jmp     0040aeb1
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb1 esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb1 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb2 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb2 c7042417830b58   mov     dword ptr [esp],580B8317h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb9 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb9 e96fdaffff       jmp     0040892d
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040892d esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040892d 881424           mov     byte ptr [esp],dl
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408930 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408930 c7042432962f1b   mov     dword ptr [esp],1B2F9632h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408937 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408937 e993570000       jmp     0040e0cf
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0cf esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040e0cf 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d0 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d0 60               pushad
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d1 esp=0255ff50 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d1 e825acffff       call    00408cfb
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408cfb esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408cfb c7442424c8b5ca7e mov     dword ptr [esp+24h],7ECAB5C8h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d03 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d03 c6042488         mov     byte ptr [esp],88h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d07 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d07 6812a1e14e       push    4EE1A112h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0c esp=0255ff48 ebp=0255ff80 nv up ei ng nz na po nc 00408d0c 50               push    eax
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0d esp=0255ff44 ebp=0255ff80 nv up ei ng nz na po nc 00408d0d 8d64242c         lea     esp,[esp+2Ch]
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d11 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 00408d11 e973d3ffff       jmp     00406089

手动优化后（如果我没有犯任何错误）：

sub     esp, 4
mov     dword ptr [esp],1B2F9632h
sub     esp, 4
mov     dword ptr [esp],7ECAB5C8h

甚至：

push 1B2F9632h
push 7ECAB5C8h

嗨，又是我。

所以我更深入地研究了 Triton 并编写了一个简单的窥视孔优化器来摆脱无用的指令和这些堆栈修改。原始跟踪有 48k 条指令，我最终得到了大约 2k 条指令。仍然有很多蹩脚的指令，但足以完全去虚拟化 vm 并理解 shellcode。

现在我正在尝试更努力的东西，这就是我所拥有的。它看起来像一个 IR 级别的混淆，没有任何模式。你会如何处理这个问题？我看到了这一点，但它适用于具有一个输入、一个输出的函数。我不知道它是否可以与一个函数一起工作，该函数通过标记大量内存修改进行大量计算。我也看到了这个谈话由罗尔夫·罗尔斯关于合成。看起来不错，也许这应该会产生更好的结果？还有什么简单的方法可以在 Triton IR 级别应用死区去除和恒定折叠？由于我找不到任何东西，是否存在任何工具？

rip=00000003de72158d sub     r11d,2AD65C0Bh
rip=00000003de721594 rol     r11d,1
rip=00000003de721597 movsx   rsi,ax
rip=00000003de72159b not     r11d
rip=00000003de72159e inc     cx
rip=00000003de7215a1 sete    bl
rip=00000003de7215a4 inc     r11d
rip=00000003de7215a7 cmc
rip=00000003de7215a8 movzx   si,spl
rip=00000003de7215ad add     r11,rax
rip=00000003de7215b0 adc     bh,ch
rip=00000003de7215b2 mov r9,100000000h
rip=00000003de7215bc ror     r12,56h
rip=00000003de7215c0 add     r11,r9
rip=00000003de7215c3 bsr     r12w,r8w
rip=00000003de7215c8 mov     r12,rsp
rip=00000003de7215cb rol     r14,cl
rip=00000003de7215ce cmp     r11b,0CCh
rip=00000003de7215d2 rol     bl,95h
rip=00000003de7215d5 sub     rsp,180h
rip=00000003de7215dc and     rsp,0FFFFFFFFFFFFFFF0h
rip=00000003de7215e3 sal     bh,98h
rip=00000003de7215e6 cmc
rip=00000003de7215e7 mov     rbx,r11
rip=00000003de7215ea sar     sil,cl
rip=00000003de7215ed and     rcx,14DB3A03h
rip=00000003de7215f4 shl     ch,cl
rip=00000003de7215f6 mov r14,0FFFFF8029E610000h
rip=00000003de721600 cmovno  cx,r13w
rip=00000003de721605 and     ecx,ebp
rip=00000003de721607 sub     rbx,r14

寄存器：

rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de72158d rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000000ad2f6fe r12=0000000000000000 r13=0000000000000002 r14=0000000000000400 r15=ffff948059d63000 nv up ei ng nz ac po nc fffff803`de72158d 4181eb0b5cd62a  sub     r11d,2AD65C0Bh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721594 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000dffdf651 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721594 41d1c3          rol     r11d,1
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721597 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721597 480fbff0        movsx   rsi,ax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159b rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159b 41f7d3          not     r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159e rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159e 66ffc1          inc     cx
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a1 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a1 0f94c3          sete    bl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a4 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a4 41ffc3          inc     r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a7 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe cy 00000003`de7215a7 f5              cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215a8 66400fb6f4      movzx   si,spl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ad rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215ad 4c03d8          add     r11,rax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215b0 12fd            adc     bh,ch
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215b2 49b90000000001000000 mov r9,100000000h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215bc rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215bc 49c1cc56        ror     r12,56h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c0 4d03d9          add     r11,r9
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c3 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215c3 66450fbde0      bsr     r12w,r8w
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c8 4c8be4          mov     r12,rsp
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215cb rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215cb 49d3c6          rol     r14,cl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ce rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215ce 4180fbcc        cmp     r11b,0CCh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 ov up ei ng nz na pe cy 00000003`de7215d2 c0c395          rol     bl,95h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d5 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215d5 4881ec80010000  sub     rsp,180h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215dc rsp=ffff8a8e13e66b28 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po nc 00000003`de7215dc 4881e4f0ffffff  and     rsp,0FFFFFFFFFFFFFFF0h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e3 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215e3 c0f798          sal     bh,98h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215e6 f5              cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e7 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215e7 498bdb          mov     rbx,r11
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ea rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215ea 40d2fe          sar     sil,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215ed rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po cy 00000003`de7215ed 4881e1033adb14  and     rcx,14DB3A03h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f4 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215f4 d2e5            shl     ch,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215f6 49be0000619e02f8ffff mov r14,0FFFFF8029E610000h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721600 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721600 66410f41cd      cmovno  cx,r13w
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000002 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721605 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721605 23cd            and     ecx,ebp
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000000 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721607 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721607 492bde          sub     rbx,r14

1个回答

有趣的话题。

我为简化混淆所做的第一件事是确定混淆器是在汇编还是 IR 级别工作。在汇编级别，您通常有更精细的粒度和棘手的指令，而在 IR 级别，您可以找到更好看的函数和来自编译器的标准指令。

这个案例应该是汇编语言层面的，因为有很多无用的栈位移和赋值，建议开始简化。我手动这样做了，这是一种找出模式（如果可能）然后自动化过程的方法：

esp=0255ff78 jmp     0040aeb1
esp=0255ff78 pushfd                                 ;; 0255ff74 = flags
esp=0255ff74 mov     dword ptr [esp],580B8317h      ;; 0255ff74 = 0x580B8317
esp=0255ff74 jmp     0040892d
esp=0255ff74 mov     byte ptr [esp],dl              ;; 0255ff74 = 0x580B8300
esp=0255ff74 mov     dword ptr [esp],1B2F9632h      ;; 0255ff74 = 0x1B2F9632
esp=0255ff74 jmp     0040e0cf
esp=0255ff74 pushfd                                 ;; 0255ff70 = flags
esp=0255ff70 pushad                                 ;; 0255ff6c = eax = ffff8001
                                                    ;; 0255ff68 = ecx = 77781e4c
                                                    ;; 0255ff64 = edx = 00000000
                                                    ;; 0255ff60 = ebx = 001603b6
                                                    ;; 0255ff5c = esp = 0255ff70
                                                    ;; 0255ff58 = ebp = 0255ff80
                                                    ;; 0255ff54 = esi = 00401233
                                                    ;; 0255ff50 = edi = 00401233

esp=0255ff50 call    00408cfb                       ;; 0255ff4c = 0040e0d1 + 5 = 0x40e0d6
esp=0255ff4c mov     dword ptr [esp+24h],7ECAB5C8h  ;; 0255ff70 = 0x7ECAB5C8
esp=0255ff4c mov     byte ptr [esp],88h             ;; 0255ff4c = (0x40e0d6 & 0xffffff00) | 0x88 = 0x40e088
esp=0255ff4c push    4EE1A112h                      ;; 0255ff48 = 0x4EE1A112
esp=0255ff48 push    eax                            ;; 0255ff44 = ffff8001
esp=0255ff44 lea     esp,[esp+2Ch]                  ;; esp = 0255ff70
esp=0255ff70 jmp     00406089

我同意你关于两条push指令的看法。在开始和结束之间，堆栈递减 4 + 4，这些偏移量处的赋值给出了push. 不过，这并不意味着最终会使用这些值。

我试图将这些函数转换为 LLVM IR，然后对其进行优化，但我所知道的所有工具都无法做到这一点。据我所知，只有 llvm-mctoll 生成了合适的 IR（但在大多数情况下它失败了，可能是因为缺乏支持的指令），其他生成了大量无用的垃圾代码，优化后看起来更糟。

主要问题是指令如何实际转换为 IR 以及它将如何与编译器的传递做出反应。有些混淆可以由编译器优化，有些则不能。一个例子是，编译器应该如何与pushforpushad指令交互？如果您可以将堆栈使用重新映射为alloca，则可以轻松删除无用的访问。如果esp访问被视为对内存的非易失性写入，则编译器每次都必须保留它。编译器最好执行众所周知的优化，如常量传播。

Miasm 或 Angr 等其他工具仅优化了 IR，这不是我想要的。

IR 有什么问题？

我该怎么做？手动优化它很容易，但很耗时（它有大约 4k 条汇编指令）。

我推荐一个适用于 IR 级别的工具，您可以定义自己的优化。如果您可以简化堆栈使用和无用jmp/ call，您将更好地查看原始代码。

是否存在可能有助于此类优化的工具？

是的，但我想你已经认识他们了。如果是：triton和Medusa （免责声明：我是后者的作者，现在有点坏了）

创建它们的问题在哪里？

这些工具中的大多数都与 IR 一起工作，第一个问题是将汇编代码转换为要使用的 IR 语言。下一步是实现简化过程（如编译器）。最后一步是通过象征性地执行代码来构造表达式，复杂性增长得非常快，最终性能不佳/内存耗尽。通常，您必须通过具体化一些输入并应用优化来手动简化这些表达式。

就我理解的理论而言，这很容易，尤其是我不是在分析二进制文件而是在跟踪，所以我不必关心正确的流路、拆卸等。

分析跟踪通常更容易，但有一个问题。存储跟踪可能非常繁重，开销可能过多，您不能轻松地从跟踪构建表达式，...如果您想保留跟踪，我认为您可能应该编写一个解析代码的自定义工具并优化它。例如：对于堆栈上的每个赋值，保留准确的地址和值。在每段代码的末尾（例如调用导入的函数，地址已经执行，...）您可以删除堆栈上的无用写入。我不能保证它会在这种情况下工作。:)

顺便说一句，你能分享一下可执行文件吗？

其它你可能感兴趣的问题

上一篇存储“基本”信息的格式/工具是什么？下一篇如何在 Win7-64 EXE 中使汇编中的 .text 部分可写