
调试逆向 【求助】一段VM代码求还原

一段VM代码求还原:3:

//[006AACC0]函数地址
; --- 006AACC0: method body reached via `call edx` at 00721D85, where edx was
; loaded from [eax+0x1C] (vtable slot 7) and ecx carries the object pointer.
; Net effect: eax = *(dword*)(ecx - *(dword*)(ecx-4) - 0x314 - 0xB8).
; The body is split across two locations by an unconditional jmp; 0069AB90 is
; the real tail that returns.
006AACC0    2B49 FC         sub ecx,dword ptr ds:[ecx-0x4]           ; ecx -= dword stored at ecx-4
006AACC3    81E9 14030000   sub ecx,0x314                            ; ecx -= 0x314
006AACC9  ^ E9 C2FEFEFF     jmp XClient.0069AB90                     ; continue at the split-off tail

0069AB90    8B81 48FFFFFF   mov eax,dword ptr ds:[ecx-0xB8]          ; return value = *(ecx - 0xB8)
0069AB96    C3              retn                                     ; ecx is left clobbered on return
0069AB97    CC              int3                                     ; padding after ret; not reached from the code above

具体代码
//1.0

; --- 1.0: virtual call at 00721D85, then the first computed jump.
; Obfuscation idiom at 00721D9F-00721DAD (repeated in 2.0, 4.0 and 5.0):
;   push edx / call $+6 / <1 junk byte> / pop edx / lea edx,[edx+delta] / jmp edx
; The call to the next instruction only pushes its own return address; the pop
; retrieves it and the lea adds a fixed delta, yielding the target without an
; explicit jmp rel32. The edx pushed beforehand is restored by a pop at the
; target. The junk byte makes a linear-sweep disassembler print bogus
; mnemonics (jpe / jnb here); 1.1 shows the real decode.
00721D6C    FFFF            ???                                      ; undecodable here — likely trailing bytes of a preceding instruction, not on the executed path
00721D6E    8985 C4FEFFFF   mov dword ptr ss:[ebp-0x13C],eax         ; local block +0x04 = eax (block base is ebp-0x140, copied in 5.0)
00721D74    8B4F 04         mov ecx,dword ptr ds:[edi+0x4]
00721D77    8B51 04         mov edx,dword ptr ds:[ecx+0x4]
00721D7A    8B443A 04       mov eax,dword ptr ds:[edx+edi+0x4]       ; eax = [this] — looks like the vtable pointer
00721D7E    8D4C3A 04       lea ecx,dword ptr ds:[edx+edi+0x4]       ; ecx = this (author's runtime value: [013CA0E0]+0x3d8+4)
00721D82    8B50 1C         mov edx,dword ptr ds:[eax+0x1C]          ; edx = vtable slot 7
00721D85    FFD2            call edx                                 ; edx = 006AACC0 (body shown above)
00721D87    8B8D F0FEFFFF   mov ecx,dword ptr ss:[ebp-0x110]         ; reload ecx from a local (the callee clobbered it); presumably the object pointer — confirm
00721D8D    8985 C0FEFFFF   mov dword ptr ss:[ebp-0x140],eax         ; local block +0x00 = return value of the virtual call
00721D93    8B85 F8FEFFFF   mov eax,dword ptr ss:[ebp-0x108]
00721D99    89B5 C8FEFFFF   mov dword ptr ss:[ebp-0x138],esi         ; local block +0x08 = esi
00721D9F    52              push edx                                 ; save edx (= 006AACC0, the method address); popped again at 01A08764
00721DA0    E8 01000000     call XClient.00721DA6                    ; call to next instruction +1: pushes 00721DA5, skips the junk byte 7A
00721DA5    7A 5A           jpe XXClient.00721E01                    ; bogus decode: 7A is never executed; 5A at 00721DA6 is `pop edx` (edx = 00721DA5)
00721DA7    8D92 BF692E01   lea edx,dword ptr ds:[edx+0x12E69BF]     ; edx = 00721DA5 + 0x12E69BF = 01A08764
00721DAD    FFE2            jmp edx                                  ; computed jump to 01A08764 (section 2.0)
00721DAF  ^ 73 9D           jnb XXClient.00721D4E                    ; not reached: bytes after the unconditional jmp

//1.1
; --- 1.1: real decode of the bytes at 00721DA6 (the call above lands here).
00721DA6    5A              pop edx                                  ; edx = return address pushed by the call = 00721DA5
00721DA7    8D92 BF692E01   lea edx,dword ptr ds:[edx+0x12E69BF]     ; edx = 00721DA5 + 0x12E69BF = 01A08764
00721DAD    FFE2            jmp edx                                  ; jump to 01A08764 (2.0); the 006AACC0 pushed before the call stays on the stack


//2.0

; --- 2.0: target of the computed jump from 00721DAD.
; Zero-fills the rest of the local block at ebp-0x140, tests one field of the
; object, then branches. On the traced path the jbe is taken to 3.0.
01A08764    5A              pop edx                                  ; edx = 006AACC0 (saved at 00721D9F)
01A08765    889D CCFEFFFF   mov byte ptr ss:[ebp-0x134],bl           ; block +0x0C (byte) = bl
01A0876B    899D D1FEFFFF   mov dword ptr ss:[ebp-0x12F],ebx         ; ebx = 0 (author); block +0x11 = 0 — dword stores at 4-byte steps, unaligned
01A08771    899D D5FEFFFF   mov dword ptr ss:[ebp-0x12B],ebx         ; block +0x15 = 0
01A08777    899D D9FEFFFF   mov dword ptr ss:[ebp-0x127],ebx         ; block +0x19 = 0
01A0877D    899D DDFEFFFF   mov dword ptr ss:[ebp-0x123],ebx         ; block +0x1D = 0
01A08783    899D E1FEFFFF   mov dword ptr ss:[ebp-0x11F],ebx         ; block +0x21 = 0
01A08789    899D E5FEFFFF   mov dword ptr ss:[ebp-0x11B],ebx         ; block +0x25 = 0 — last store ends at +0x29 = 41 bytes, the size copied in 5.0
01A0878F    3999 E01D0000   cmp dword ptr ds:[ecx+0x1DE0],ebx        ; [this+0x1DE0] vs 0
01A08795    8B80 64F10300   mov eax,dword ptr ds:[eax+0x3F164]       ; mov leaves flags alone, so the cmp result reaches the jbe
01A0879B  - 0F86 26F9E5FE   jbe XClient.008680C7                     ; taken (author) — with ebx = 0, unsigned <= means the field is 0; continues at 3.0
01A087A1    52              push edx                                 ; fall-through path (author: nothing happens if the jbe is not taken); same push/call/pop/lea trick
01A087A2    E8 01000000     call XClient.01A087A8                    ; pushes return address 01A087A7, skips the junk byte 75
01A087A7    75 5A           jnz XXClient.01A08803                    ; bogus decode: 5A at 01A087A8 is `pop edx` (edx = 01A087A7)
01A087A9    8D92 4F95FDFF   lea edx,dword ptr ds:[edx+0xFFFD954F]    ; edx = 01A087A7 + 0xFFFD954F = 019E1CF6 (mod 2^32)
01A087AF    FFD2            call edx                                 ; author noted edx = 006AACC0; NOTE(review): by the arithmetic above edx = 019E1CF6 here, the saved 006AACC0 is still on the stack
01A087B1  ^ 74 8D           je XXClient.01A08740                     ; bytes after the call; not meaningful as decoded

//3.0
jbe XClient.008680C7的地址

; --- 3.0: target of the taken jbe at 01A0879B.
008680C7    899D CDFEFFFF   mov dword ptr ss:[ebp-0x133],ebx         ; ebx = 0; block +0x0D = 0 (fills the gap between the byte at +0x0C and the dword at +0x11)
008680CD    B9 B41DCF71     mov ecx,0x71CF1DB4                       ; jump target built from two immediates...
008680D2    8D89 F059D08F   lea ecx,dword ptr ds:[ecx+0x8FD059F0]    ; ...0x71CF1DB4 + 0x8FD059F0 = 0x1019F77A4, truncated to 019F77A4; the object pointer in ecx is lost here
008680D8    FFE1            jmp ecx                                  ; jump to 019F77A4 (4.0)

//4.0

; --- 4.0: target of jmp ecx at 008680D8.
; Reserves a 0x2C-byte stack buffer, computes ecx = 0xA through an obfuscated
; add chain (the cmp in the middle is dead: flags are saved by pushfd and
; restored by popfd), points edi at the buffer, then computed-calls 5.0.
019F77A4    81EC 2C000000   sub esp,0x2C                             ; esp -= 0x2C: 44-byte buffer, filled by rep movs in 5.0 and left on the stack for the call at 019F31D1
019F77AA    9C              pushfd                                   ; save flags (restored by popfd below)
019F77AB    C7C1 3233216C   mov ecx,0x6C213332
019F77B1    51              push ecx                                 ; temp slot on the stack
019F77B2    C70424 D3543FEF mov dword ptr ss:[esp],0xEF3F54D3        ; temp = 0xEF3F54D3
019F77B9    810424 262E5C44 add dword ptr ss:[esp],0x445C2E26        ; temp = 0x339B82F9 (mod 2^32)
019F77C0    030C24          add ecx,dword ptr ss:[esp]               ; ecx = 0x6C213332 + 0x339B82F9 = 0x9FBCB62B
019F77C3    8DA424 04000000 lea esp,dword ptr ss:[esp+0x4]           ; drop the temp without touching flags (flag-neutral add esp,4)
019F77CA    81F9 21B6BC9F   cmp ecx,0x9FBCB621                       ; dead compare: its flags are discarded by popfd
019F77D0    8D89 A61A67E6   lea ecx,dword ptr ds:[ecx+0xE6671AA6]    ; ecx = 0x8623D0D1
019F77D6    8D89 392FDC79   lea ecx,dword ptr ds:[ecx+0x79DC2F39]    ; ecx = 0x0000000A — the rep count used in 5.0
019F77DC    9D              popfd                                    ; restore the caller's flags
019F77DD    51              push ecx                                 ; push/pop pair: no-op
019F77DE    59              pop ecx
019F77DF    8BFC            mov edi,esp                              ; edi = start of the 0x2C buffer (every push since the sub esp has been balanced)
019F77E1    52              push edx                                 ; save edx (= 006AACC0); recovered by the second pop at 019F31C7
019F77E2    E8 01000000     call XClient.019F77E8                    ; pushes 019F77E7, skips the junk byte E1
019F77E7    E1 5A           loopde XXClient.019F7843                 ; bogus decode; author: 019F77E7 + 0xFFFFB9DF = 019F31C6. 5A at 019F77E8 is `pop edx`
019F77E9    8D92 DFB9FFFF   lea edx,dword ptr ds:[edx+0xFFFFB9DF]    ; edx = 019F31C6
019F77EF    FFD2            call edx                                 ; edx = 019F31C6 (5.0); pushes return address 019F77F1

//4.1
; --- 4.1: real decode at 019F77E8 (landing point of the call above).
019F77E8    5A              pop edx                                 ; from call 019F77E8: edx = return address 019F77E7
019F77E9    8D92 DFB9FFFF   lea edx,dword ptr ds:[edx+0xFFFFB9DF]    ; edx = 019F77E7 + 0xFFFFB9DF = 019F31C6
019F77EF    FFD2            call edx                                 ; call 019F31C6 (5.0)


//5.0


; --- 5.0: called via edx from 019F77EF.
; Copies the 41-byte local block (ebp-0x140) into the stack buffer prepared in
; 4.0, calls 019BD156 with that buffer on top of the stack, loads a global into
; eax and compares it against ebx; the flags of that compare are consumed by
; the je in 6.0.
019F31C6    5A              pop edx                                  ; discard the return address pushed by `call edx` (019F77F1)
019F31C7    5A              pop edx                                  ; edx = 006AACC0 (saved at 019F77E1)
019F31C8    8DB5 C0FEFFFF   lea esi,dword ptr ss:[ebp-0x140]         ; source = local block; edi (destination) = stack buffer from 4.0
019F31CE    F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]; ecx = 0xA (from 4.0): copy 10 dwords = 40 bytes
019F31D0    A4              movs byte ptr es:[edi],byte ptr ds:[esi]           ; +1 byte -> 41 bytes copied; the last 3 bytes of the 0x2C buffer stay unset
019F31D1    E8 809FFCFF     call XClient.019BD156                              ; author: returns 0x28. The buffer is on top of the stack, so presumably this call's by-value argument block — confirm
019F31D6    FF35 E8573B01   push dword ptr ds:[0x13B57E8]                      ; push/pop pair...
019F31DC    58              pop eax                                            ; ...= mov eax,[0x13B57E8]
019F31DD    81C4 2C000000   add esp,0x2C                                       ; release the buffer (caller cleans up)
019F31E3    51              push ecx                                           ; preserve ecx around the compare
019F31E4    50              push eax                                           ; push/pop pair...
019F31E5    59              pop ecx                                            ; ...= mov ecx,eax
019F31E6    3BCB            cmp ecx,ebx                                        ; effectively cmp eax,ebx; flags survive to the je at 019F7B94 (push/call/pop/lea/jmp do not change flags)
019F31E8    59              pop ecx                                            ; ecx restored
019F31E9    52              push edx                                                          ; edx = 006AACC0 (per trace); same push/call/pop/lea trick
019F31EA    E8 01000000     call XClient.019F31F0                              ; pushes 019F31EF, skips the junk byte E3
019F31EF    E3 5A           jecxz XXClient.019F324B                            ; bogus decode: 5A at 019F31F0 is `pop edx` (edx = 019F31EF)
019F31F1    8D92 A4490000   lea edx,dword ptr ds:[edx+0x49A4]                  ; edx = 019F31EF + 0x49A4 = 019F7B93
019F31F7    FFE2            jmp edx                                            ; jump to 019F7B93 (6.0)

//5.1
; --- 5.1: real decode at 019F31F0 (landing point of the call above).
019F31F0    5A              pop edx                                  ; edx = return address 019F31EF
019F31F1    8D92 A4490000   lea edx,dword ptr ds:[edx+0x49A4]                  ; edx = 019F31EF + 0x49A4 = 019F7B93
019F31F7    FFE2            jmp edx                                            ; jump to 019F7B93 (6.0)


//6.0
; --- 6.0: target of the computed jump from 019F31F7.
; Branches on the `cmp eax,ebx` done in 5.0, then leaves via an obfuscated
; jump: push ebx / build the target in ebx / xchg [esp],ebx / retn.
019F7B93    5A              pop edx                                  ; edx = 006AACC0 (saved at 019F31E9)
019F7B94    0F84 C1920000   je XClient.01A00E5B                                ; uses the flags of the cmp at 019F31E6 (nothing in between alters them); not taken in this trace (author)
019F7B9A    53              push ebx                                           ; slot for the jump target; also preserves ebx
019F7B9B    BB 3E9A139C     mov ebx,0x9C139A3E                                 ; target built from two immediates...
019F7BA0    8D9B 93BD8B65   lea ebx,dword ptr ds:[ebx+0x658BBD93]              ; ...0x9C139A3E + 0x658BBD93 = 019F57D1 (mod 2^32)
019F7BA6    871C24          xchg dword ptr ss:[esp],ebx                        ; [esp] = 019F57D1, ebx = its original value
019F7BA9    C3              retn                                               ; pops the target: equivalent to `jmp 019F57D1` with ebx preserved; the trace stops here
