What should I do? Optimizing it by hand is very easy, but time-consuming (it has about 4k asm instructions).
Are there any tools that could help with this kind of optimization?
Where would I start creating them? As far as I understand the theory, this is easy, especially since I'm not analyzing a binary but a trace, so I don't have to care about correct control flow, disassembly, etc.
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040135d esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040135d e94f9b0000 jmp 0040aeb1
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb1 esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb1 9c pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb2 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb2 c7042417830b58 mov dword ptr [esp],580B8317h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb9 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb9 e96fdaffff jmp 0040892d
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040892d esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040892d 881424 mov byte ptr [esp],dl
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408930 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408930 c7042432962f1b mov dword ptr [esp],1B2F9632h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408937 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408937 e993570000 jmp 0040e0cf
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0cf esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040e0cf 9c pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d0 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d0 60 pushad
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d1 esp=0255ff50 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d1 e825acffff call 00408cfb
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408cfb esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408cfb c7442424c8b5ca7e mov dword ptr [esp+24h],7ECAB5C8h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d03 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d03 c6042488 mov byte ptr [esp],88h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d07 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d07 6812a1e14e push 4EE1A112h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0c esp=0255ff48 ebp=0255ff80 nv up ei ng nz na po nc 00408d0c 50 push eax
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0d esp=0255ff44 ebp=0255ff80 nv up ei ng nz na po nc 00408d0d 8d64242c lea esp,[esp+2Ch]
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d11 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 00408d11 e973d3ffff jmp 00406089
, and hand-optimized (if I didn't make any mistakes):
sub esp, 4
mov dword ptr [esp],1B2F9632h
sub esp, 4
mov dword ptr [esp],7ECAB5C8h
or even:
push 1B2F9632h
push 7ECAB5C8h
Hi, it's me again. A simple peephole optimizer got rid of the useless instructions and these stack modifications. The original trace had 48k instructions and in the end I got about 2k. There are still lots of bad instructions, but it was enough to fully devirtualize the VM and understand the shellcode.
Now I'm working hard on the next one, and this is what I have. It looks like IR-level obfuscation, without any pattern. How would you approach it? I saw this, but it works on functions with one input and one output. I don't know whether it works with big computations with lots of memory modifications and flags. I have also seen Rolf Rolles' talk about synthesis. It looks good, maybe it should give better results?
Also, is there an easy way to apply dead code elimination and constant folding at the Triton IR level? I couldn't find any tool.
rip=00000003de72158d sub r11d,2AD65C0Bh
rip=00000003de721594 rol r11d,1
rip=00000003de721597 movsx rsi,ax
rip=00000003de72159b not r11d
rip=00000003de72159e inc cx
rip=00000003de7215a1 sete bl
rip=00000003de7215a4 inc r11d
rip=00000003de7215a7 cmc
rip=00000003de7215a8 movzx si,spl
rip=00000003de7215ad add r11,rax
rip=00000003de7215b0 adc bh,ch
rip=00000003de7215b2 mov r9,100000000h
rip=00000003de7215bc ror r12,56h
rip=00000003de7215c0 add r11,r9
rip=00000003de7215c3 bsr r12w,r8w
rip=00000003de7215c8 mov r12,rsp
rip=00000003de7215cb rol r14,cl
rip=00000003de7215ce cmp r11b,0CCh
rip=00000003de7215d2 rol bl,95h
rip=00000003de7215d5 sub rsp,180h
rip=00000003de7215dc and rsp,0FFFFFFFFFFFFFFF0h
rip=00000003de7215e3 sal bh,98h
rip=00000003de7215e6 cmc
rip=00000003de7215e7 mov rbx,r11
rip=00000003de7215ea sar sil,cl
rip=00000003de7215ed and rcx,14DB3A03h
rip=00000003de7215f4 shl ch,cl
rip=00000003de7215f6 mov r14,0FFFFF8029E610000h
rip=00000003de721600 cmovno cx,r13w
rip=00000003de721605 and ecx,ebp
rip=00000003de721607 sub rbx,r14
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de72158d rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000000ad2f6fe r12=0000000000000000 r13=0000000000000002 r14=0000000000000400 r15=ffff948059d63000 nv up ei ng nz ac po nc fffff803`de72158d 4181eb0b5cd62a sub r11d,2AD65C0Bh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721594 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000dffdf651 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721594 41d1c3 rol r11d,1
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721597 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721597 480fbff0 movsx rsi,ax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159b rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159b 41f7d3 not r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159e rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159e 66ffc1 inc cx
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a1 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a1 0f94c3 sete bl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a4 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a4 41ffc3 inc r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a7 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe cy 00000003`de7215a7 f5 cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215a8 66400fb6f4 movzx si,spl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ad rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215ad 4c03d8 add r11,rax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215b0 12fd adc bh,ch
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215b2 49b90000000001000000 mov r9,100000000h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215bc rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215bc 49c1cc56 ror r12,56h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c0 4d03d9 add r11,r9
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c3 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215c3 66450fbde0 bsr r12w,r8w
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c8 4c8be4 mov r12,rsp
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215cb rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215cb 49d3c6 rol r14,cl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ce rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215ce 4180fbcc cmp r11b,0CCh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 ov up ei ng nz na pe cy 00000003`de7215d2 c0c395 rol bl,95h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d5 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215d5 4881ec80010000 sub rsp,180h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215dc rsp=ffff8a8e13e66b28 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po nc 00000003`de7215dc 4881e4f0ffffff and rsp,0FFFFFFFFFFFFFFF0h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e3 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215e3 c0f798 sal bh,98h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215e6 f5 cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e7 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215e7 498bdb mov rbx,r11
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ea rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215ea 40d2fe sar sil,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215ed rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po cy 00000003`de7215ed 4881e1033adb14 and rcx,14DB3A03h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f4 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215f4 d2e5 shl ch,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215f6 49be0000619e02f8ffff mov r14,0FFFFF8029E610000h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721600 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721600 66410f41cd cmovno cx,r13w
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000002 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721605 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721605 23cd and ecx,ebp
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000000 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721607 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721607 492bde sub rbx,r14
Answer #1
Interesting topic. The first thing I would do is simplify the obfuscation to determine whether the obfuscator works at the assembly level or at the IR level. At the IR level you would find better-looking functions and standard instructions from the compiler.
This case should be at the assembly level, since there are lots of useless stack shifts and assignments, so I suggest starting by simplifying it. I do this by hand; it is a way to find the patterns (if possible) and then automate the process:
I agree with the two push instructions. Between the start and the end, the stack is decremented by 4 + 4, and the assignments at those offsets give the values of the push. But that does not mean these values will be used in the end.
> I tried to convert these functions to LLVM IR and then optimize them, but none of the tools I know can do it. As far as I remember, only llvm-mctoll generated a suitable IR (but it failed most of the time, probably because of missing supported instructions); the others generated lots of useless junk code, and after optimization it looked even worse.
The main problem is how the instructions are actually translated into the IR, and how that reacts to the compiler's passes. Some obfuscations can be optimized away by the compiler, others cannot.
One example: how should the compiler deal with a pushf or pushad instruction? If you can remap the stack usage to alloca, the useless accesses are easy to remove. If esp accesses are treated as non-volatile writes to memory, the compiler has to keep every one of them. The compiler is best at the well-known optimizations, such as constant propagation.

> Other tools like Miasm or Angr only optimize the IR, which is not what I'm after.

What is wrong with the IR?
> What should I do? Optimizing it by hand is easy but time-consuming (it has about 4k asm instructions).

I recommend a tool that works at the IR level, where you can define your own optimizations. If you can simplify the stack usage and the jmp/call usage, you will get a much better view of the original code.

Yes, but I guess you already know them.
If so: triton and medusa (disclaimer: I'm the author of the latter).
> Where would I start creating them?

Most of these tools work on an IR, so the first problem is translating the assembly code into the IR language.
The next step is to implement the simplification passes (like a compiler).
The last step is to build expressions by executing the code symbolically; the complexity grows very quickly and usually ends in performance/memory exhaustion.
Usually you have to simplify these expressions by hand, by injecting some concrete data and optimizing.

> As far as I understand the theory, this is quite easy, especially since I'm not analyzing a binary but a trace, so I don't have to care about correct control flow, disassembly, etc.

Analyzing a trace is usually easier, but there are pitfalls.
Storing the trace can be heavy, the overhead can be too high, you cannot easily build expressions from a trace, ...
If you want to stick with the trace, I think you should probably write a custom tool that parses the code and optimizes it. For example: for every store on the stack, keep the exact address and the value. At the end of each piece of code (e.g. a call to an imported function, an address that has already been executed, ...) you can remove the useless writes on the stack. :)
By the way, could you share the executable?
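The bookkeeping the answer sketches in its last paragraph (keep the exact address and value of every store on the stack, then discard the writes that are dead at the end of the segment) is also what the question's hand-optimization of the first trace amounts to. The Python below is an added example written for this page; it is not code from the original thread, nor from medusa or triton. It assumes the WinDbg-style line layout shown in the question (register dump, flags, address, opcode bytes, mnemonic), models only mov-to-stack, push, pushfd, pushad and call, flags any other stack access for manual review instead of simulating it, and assumes the segment's last instruction does not move esp (the sample ends with a jmp).

```python
"""Dead stack-store elimination over a WinDbg-style x86 trace (added example).
Each line shows the registers before its instruction runs, so the concrete esp
resolves every stack write to an absolute address; keeping the last write to each
byte still above the final esp gives the net stack effect (two pushes here).
"""
import re

# Constructed sample: the first trace posted in the question, verbatim.
SAMPLE_TRACE = """\
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040135d esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040135d e94f9b0000 jmp 0040aeb1
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb1 esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb1 9c pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb2 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb2 c7042417830b58 mov dword ptr [esp],580B8317h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb9 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb9 e96fdaffff jmp 0040892d
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040892d esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040892d 881424 mov byte ptr [esp],dl
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408930 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408930 c7042432962f1b mov dword ptr [esp],1B2F9632h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408937 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408937 e993570000 jmp 0040e0cf
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0cf esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040e0cf 9c pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d0 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d0 60 pushad
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d1 esp=0255ff50 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d1 e825acffff call 00408cfb
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408cfb esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408cfb c7442424c8b5ca7e mov dword ptr [esp+24h],7ECAB5C8h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d03 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d03 c6042488 mov byte ptr [esp],88h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d07 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d07 6812a1e14e push 4EE1A112h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0c esp=0255ff48 ebp=0255ff80 nv up ei ng nz na po nc 00408d0c 50 push eax
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0d esp=0255ff44 ebp=0255ff80 nv up ei ng nz na po nc 00408d0d 8d64242c lea esp,[esp+2Ch]
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d11 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 00408d11 e973d3ffff jmp 00406089
"""
LINE_RE = re.compile(r"^(?P<regs>(?:\w+=[0-9a-f]{8} )+)(?:[a-z]{2} ){8}"
                     r"[0-9a-f]{8} (?P<bytes>[0-9a-f]+) (?P<asm>.+)$")
REG_RE = re.compile(r"(\w+)=([0-9a-f]{8})")
MEM_RE = re.compile(r"(byte|word|dword) ptr \[esp(?:\+([0-9a-f]+)h?)?\]", re.I)
SIZES = {"byte": 1, "word": 2, "dword": 4}
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SUBREG = {r + "l": ("e" + r + "x", 0, 0xFF) for r in "acdb"}          # al, cl, dl, bl
SUBREG.update({r + "h": ("e" + r + "x", 8, 0xFF) for r in "acdb"})   # ah, ch, dh, bh
SUBREG.update({r: ("e" + r, 0, 0xFFFF) for r in "ax cx dx bx sp bp si di".split()})

def parse_line(line):
    """Return (registers, 'mnemonic operands', instruction length in bytes)."""
    m = LINE_RE.match(line.strip())
    if not m: raise ValueError("unrecognised trace line: %r" % line)
    regs = {n: int(v, 16) for n, v in REG_RE.findall(m.group("regs"))}
    return regs, m.group("asm"), len(m.group("bytes")) // 2

def value_of(tok, regs):
    """Concrete value of an immediate or (sub)register operand; None if unknown."""
    tok = tok.strip()
    if tok in regs: return regs[tok]
    if tok in SUBREG:
        full, shift, mask = SUBREG[tok]
        return (regs[full] >> shift) & mask
    return int(tok[:-1], 16) if re.fullmatch(r"[0-9A-Fa-f]+h", tok) else None

def stack_writes(asm, regs, length):
    """(address, size, value-or-None) for every stack range the instruction writes."""
    esp, (mn, _, ops) = regs["esp"], asm.partition(" ")
    if mn == "pushfd": return [(esp - 4, 4, None)]                   # flags image: unknown
    if mn == "pushad": return [(esp - 4 * (i + 1), 4, regs[r]) for i, r in enumerate(PUSHAD_ORDER)]
    if mn == "push": return [(esp - 4, 4, value_of(ops, regs))]
    if mn == "call": return [(esp - 4, 4, regs["eip"] + length)]     # return address
    if mn == "mov" and "," in ops:
        dst, src = (o.strip() for o in ops.split(",", 1))
        m = MEM_RE.fullmatch(dst)
        if m:
            off = int(m.group(2), 16) if m.group(2) else 0
            return [(esp + off, SIZES[m.group(1).lower()], value_of(src, regs))]
    return []

def unmodelled_stack_access(asm):
    """Stack reads / read-modify-writes the simulation does not cover (conservative)."""
    mn, _, ops = asm.partition(" ")
    if mn in ("pop", "popfd", "popad", "ret"): return True
    if mn == "lea": return False                          # address computation only
    if mn == "mov": return "," in ops and "[esp" in ops.split(",", 1)[1]  # reads via source
    return "[esp" in ops                                  # cmp/add/xor ... on a slot

def simplify_trace(trace):
    """Return (net stack effect as push/sub lines, instructions needing manual review)."""
    mem, flagged, first_esp, regs = {}, [], None, {}
    for line in filter(str.strip, trace.splitlines()):
        regs, asm, length = parse_line(line)
        first_esp = regs["esp"] if first_esp is None else first_esp
        if unmodelled_stack_access(asm):
            flagged.append(asm)
        for addr, size, val in stack_writes(asm, regs, length):
            for i in range(size):                          # byte-granular, little-endian
                mem[addr + i] = None if val is None else (val >> (8 * i)) & 0xFF
    # Assumption: the last instruction does not move esp (a jmp in the sample), so the
    # esp on that line is the esp after the segment; every slot below it is dead.
    final_esp, out = regs["esp"], []
    for slot in range(first_esp - 4, final_esp - 1, -4):    # top-down, i.e. push order
        bs = [mem.get(slot + i) for i in range(4)]
        if all(b is not None for b in bs):
            out.append("push %08Xh" % sum(b << (8 * i) for i, b in enumerate(bs)))
        else:
            out.append("sub esp,4  ; slot %08x unknown or partially written" % slot)
    return out, flagged
```

On the sample, `simplify_trace(SAMPLE_TRACE)` returns `(['push 1B2F9632h', 'push 7ECAB5C8h'], [])`: the pushfd/pushad images, the return address pushed by the call and the two later pushes all end up below the esp restored by `lea esp,[esp+2Ch]` and are dropped, and `mov byte ptr [esp],dl` is dead because the following dword store covers it. The empty second list is the check to look at before trusting the output: a pop, ret or arithmetic on a stack slot would show up there, and a slot that is read cannot simply be deleted.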
Comment
Hello, thanks for your answer, and sorry for my late reply. You asked what is wrong with IR. I don't want to use an IR because I want to be able to run this optimized code, and lifting the Miasm/Angr IR back to assembly is not an easy thing. I have also edited the post; please take a look if you have time.
–kozera2137
Jan 17 '19 at 21:50
Comment
Are you sure the execution is fully deterministic, i.e. that the program follows exactly the same path regardless of the initial state? If so, you could try modelling the inputs as symbolic variables and running the program on those symbolic values. Once done, you get the output in the form of equations, which should be convertible back to assembly.