I'm analysing a binary trace, and it is heavily obfuscated. What I need to do is understand the workflow of its algorithm. However, I can't find any reliable tool that would help me with this. As far as I know, only llvm-mctoll generates a suitable IR (but in most cases it fails, probably because of missing supported instructions); the others generate a lot of useless garbage code, and after optimization it looks even worse. Other tools (e.g. Miasm or Angr) only optimize the IR, which is not what I want.

What should I do? Optimizing it manually is quite easy, but time-consuming (it has about 4k asm instructions).
Are there any tools that could help with this kind of optimization?
Where would one start creating them? As far as I understand the theory, it is fairly easy, especially since I'm not analysing a binary but a trace, so I don't have to care about correct control-flow paths, disassembly, etc.
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040135d esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040135d e94f9b0000       jmp     0040aeb1
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb1 esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb1 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb2 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb2 c7042417830b58   mov     dword ptr [esp],580B8317h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb9 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb9 e96fdaffff       jmp     0040892d
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040892d esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040892d 881424           mov     byte ptr [esp],dl
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408930 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408930 c7042432962f1b   mov     dword ptr [esp],1B2F9632h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408937 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408937 e993570000       jmp     0040e0cf
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0cf esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040e0cf 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d0 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d0 60               pushad
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d1 esp=0255ff50 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d1 e825acffff       call    00408cfb
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408cfb esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408cfb c7442424c8b5ca7e mov     dword ptr [esp+24h],7ECAB5C8h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d03 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d03 c6042488         mov     byte ptr [esp],88h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d07 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d07 6812a1e14e       push    4EE1A112h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0c esp=0255ff48 ebp=0255ff80 nv up ei ng nz na po nc 00408d0c 50               push    eax
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0d esp=0255ff44 ebp=0255ff80 nv up ei ng nz na po nc 00408d0d 8d64242c         lea     esp,[esp+2Ch]
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d11 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 00408d11 e973d3ffff       jmp     00406089


and then optimized by hand (if I haven't made any mistakes):

sub     esp, 4
mov     dword ptr [esp],1B2F9632h
sub     esp, 4
mov     dword ptr [esp],7ECAB5C8h


or even:

push 1B2F9632h
push 7ECAB5C8h




Hi, it's me again. A simple peephole optimizer got rid of the useless instructions and those stack modifications. The original trace had 48k instructions, and in the end I got about 2k. There are still a lot of bad instructions, but it was enough to fully devirtualize the VM and understand the shellcode.

Now I'm working on this, and this is what I have. It looks like IR-level obfuscation without any patterns. How would you approach it? I saw this, but it works on functions with one input and one output. I don't know whether it works with a large computation with lots of memory modifications and flags. I also watched Rolf Rolles' talk on synthesis. It looks good; maybe it would give better results?
Also, is there any easy way to apply dead code elimination and constant folding at the Triton IR level? I couldn't find any tool.

rip=00000003de72158d sub     r11d,2AD65C0Bh
rip=00000003de721594 rol     r11d,1
rip=00000003de721597 movsx   rsi,ax
rip=00000003de72159b not     r11d
rip=00000003de72159e inc     cx
rip=00000003de7215a1 sete    bl
rip=00000003de7215a4 inc     r11d
rip=00000003de7215a7 cmc
rip=00000003de7215a8 movzx   si,spl
rip=00000003de7215ad add     r11,rax
rip=00000003de7215b0 adc     bh,ch
rip=00000003de7215b2 mov r9,100000000h
rip=00000003de7215bc ror     r12,56h
rip=00000003de7215c0 add     r11,r9
rip=00000003de7215c3 bsr     r12w,r8w
rip=00000003de7215c8 mov     r12,rsp
rip=00000003de7215cb rol     r14,cl
rip=00000003de7215ce cmp     r11b,0CCh
rip=00000003de7215d2 rol     bl,95h
rip=00000003de7215d5 sub     rsp,180h
rip=00000003de7215dc and     rsp,0FFFFFFFFFFFFFFF0h
rip=00000003de7215e3 sal     bh,98h
rip=00000003de7215e6 cmc
rip=00000003de7215e7 mov     rbx,r11
rip=00000003de7215ea sar     sil,cl
rip=00000003de7215ed and     rcx,14DB3A03h
rip=00000003de7215f4 shl     ch,cl
rip=00000003de7215f6 mov r14,0FFFFF8029E610000h
rip=00000003de721600 cmovno  cx,r13w
rip=00000003de721605 and     ecx,ebp
rip=00000003de721607 sub     rbx,r14



rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de72158d rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000000ad2f6fe r12=0000000000000000 r13=0000000000000002 r14=0000000000000400 r15=ffff948059d63000 nv up ei ng nz ac po nc fffff803`de72158d 4181eb0b5cd62a  sub     r11d,2AD65C0Bh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721594 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000dffdf651 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721594 41d1c3          rol     r11d,1
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000003000 rdi=0000000000000010 rip=00000003de721597 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de721597 480fbff0        movsx   rsi,ax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159b rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=00000000bffbeca3 r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159b 41f7d3          not     r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b0 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de72159e rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe cy 00000003`de72159e 66ffc1          inc     cx
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a1 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a1 0f94c3          sete    bl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a4 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135c r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na po cy 00000003`de7215a4 41ffc3          inc     r11d
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a7 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe cy 00000003`de7215a7 f5              cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=0000000000000000 rdi=0000000000000010 rip=00000003de7215a8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215a8 66400fb6f4      movzx   si,spl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ad rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=000000004004135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215ad 4c03d8          add     r11,rax
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215b0 12fd            adc     bh,ch
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215b2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=00000000000000af r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215b2 49b90000000001000000 mov r9,100000000h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215bc rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215bc 49c1cc56        ror     r12,56h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c0 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff802de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c0 4d03d9          add     r11,r9
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c3 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215c3 66450fbde0      bsr     r12w,r8w
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215c8 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=0000000000000000 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215c8 4c8be4          mov     r12,rsp
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215cb rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215cb 49d3c6          rol     r14,cl
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ce rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215ce 4180fbcc        cmp     r11b,0CCh
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d2 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 ov up ei ng nz na pe cy 00000003`de7215d2 c0c395          rol     bl,95h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215d5 rsp=ffff8a8e13e66ca8 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215d5 4881ec80010000  sub     rsp,180h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215dc rsp=ffff8a8e13e66b28 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po nc 00000003`de7215dc 4881e4f0ffffff  and     rsp,0FFFFFFFFFFFFFFF0h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e3 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na pe nc 00000003`de7215e3 c0f798          sal     bh,98h
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215e6 f5              cmc
rax=fffff8029e610000 rbx=0000000000000000 rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215e7 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215e7 498bdb          mov     rbx,r11
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000a8 rdi=0000000000000010 rip=00000003de7215ea rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po cy 00000003`de7215ea 40d2fe          sar     sil,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=00000000000000b1 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215ed rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei ng nz na po cy 00000003`de7215ed 4881e1033adb14  and     rcx,14DB3A03h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f4 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl nz na pe nc 00000003`de7215f4 d2e5            shl     ch,cl
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de7215f6 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=0000000000000000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de7215f6 49be0000619e02f8ffff mov r14,0FFFFF8029E610000h
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000001 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721600 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721600 66410f41cd      cmovno  cx,r13w
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000002 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721605 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721605 23cd            and     ecx,ebp
rax=fffff8029e610000 rbx=fffff803de65135d rcx=0000000000000000 rdx=ffff8a8e13e66ab0 rsi=00000000000000ff rdi=0000000000000010 rip=00000003de721607 rsp=ffff8a8e13e66b20 rbp=ffff8a8e13e66e40 r8=0000000000000000 r9=0000000100000000 r10=ffff8a8e13e667e0 r11=fffff803de65135d r12=ffff8a8e13e66ca8 r13=0000000000000002 r14=fffff8029e610000 r15=ffff948059d63000 nv up ei pl zr na po nc 00000003`de721607 492bde          sub     rbx,r14
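
A liveness pass over the 31-instruction fragment from the update above, as an added example (it is not the poster's peephole optimizer and not a Triton or synthesis-based technique): it works on the trace lines themselves, so no lifting to an IR is needed. Its assumptions, marked in the code as well: every general-purpose register but no flag is still needed when the fragment ends, shift and rotate counts are non-zero, memory is not modelled (a store is always kept), and flags the manual leaves undefined are treated as preserved, so the pass errs toward keeping an instruction.

```python
"""Liveness-based dead-instruction removal over a straight-line x86-64 trace (added example)."""
import re

GPR64 = ["rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp"] + [f"r{i}" for i in range(8, 16)]
REG_ALIAS = {}   # alias -> (canonical 64-bit register, width in bits)
for r in GPR64[:8]:
    b = r[1:]    # ax bx cx dx si di bp sp
    REG_ALIAS.update({r: (r, 64), "e" + b: (r, 32), b: (r, 16)})
    REG_ALIAS.update({b[0] + "l": (r, 8), b[0] + "h": (r, 8)} if b[1] == "x" else {b + "l": (r, 8)})
for r in GPR64[8:]:
    REG_ALIAS.update({r: (r, 64), r + "d": (r, 32), r + "w": (r, 16), r + "b": (r, 8)})

# Flags an instruction ALWAYS writes (non-zero shift/rotate counts assumed); "undefined" flags count as preserved.
ARITH = {"cf", "pf", "af", "zf", "sf", "of"}
SHIFT = {"sf", "zf", "pf"}   # CF/OF of shifts depend on the count, so they are not counted as defined
FLAG_DEFS = {"add": ARITH, "sub": ARITH, "adc": ARITH, "sbb": ARITH, "cmp": ARITH, "neg": ARITH,
             "inc": ARITH - {"cf"}, "dec": ARITH - {"cf"}, "and": ARITH - {"af"}, "or": ARITH - {"af"},
             "xor": ARITH - {"af"}, "test": ARITH - {"af"}, "rol": {"cf"}, "ror": {"cf"}, "cmc": {"cf"},
             "shl": SHIFT, "sal": SHIFT, "shr": SHIFT, "sar": SHIFT, "bsr": {"zf"}}
FLAG_USES = {"adc": {"cf"}, "sbb": {"cf"}, "cmc": {"cf"}}
COND_USES = {"e": {"zf"}, "ne": {"zf"}, "o": {"of"}, "no": {"of"}, "s": {"sf"}, "ns": {"sf"}, "b": {"cf"}, "ae": {"cf"},
             "l": {"sf", "of"}, "ge": {"sf", "of"}, "le": {"zf", "sf", "of"}, "g": {"zf", "sf", "of"}, "a": {"cf", "zf"}, "be": {"cf", "zf"}}
PURE_DEF = {"mov", "movsx", "movzx", "lea"}   # destination written without being read
RMW = {"add", "sub", "adc", "sbb", "and", "or", "xor", "inc", "dec", "neg", "not",
       "rol", "ror", "shl", "sal", "shr", "sar", "bsr"}   # bsr: destination unchanged when the source is 0
READ_ONLY = {"cmp", "test"}
KNOWN = PURE_DEF | RMW | READ_ONLY | {"cmc", "cmov", "set"}

def regs_in(operand):   # canonical registers named anywhere in an operand (register or memory expression)
    return {REG_ALIAS[t][0] for t in re.findall(r"[a-z0-9]+", operand.lower()) if t in REG_ALIAS}

def def_use(mnemonic, operands):
    """(defs, uses, side_effect): registers and flags written/read by one instruction."""
    m = mnemonic.lower()
    base = "cmov" if m.startswith("cmov") else "set" if m.startswith("set") else m
    if base not in KNOWN:   # call, push, jmp, ...: never dropped and assumed to read everything
        return set(), set(GPR64) | ARITH, True
    defs, uses, side_effect = set(FLAG_DEFS.get(base, ())), set(FLAG_USES.get(base, ())), False
    if base in ("cmov", "set"):
        uses |= COND_USES.get(m[len(base):], ARITH)   # unknown condition code: assume all flags read
    for i, op in enumerate([o.strip() for o in operands.split(",")] if operands.strip() else []):
        is_dest = i == 0 and base not in READ_ONLY
        if "[" in op:
            uses |= regs_in(op)   # address computation reads its registers
            side_effect |= is_dest   # memory is not modelled here, so a store is always kept
        elif op.lower() in REG_ALIAS:
            reg, width = REG_ALIAS[op.lower()]
            if is_dest:
                defs.add(reg)
            if not is_dest or base not in PURE_DEF or width < 32:
                uses.add(reg)   # RMW ops and 8/16-bit partial writes read the old value
    return defs, uses, side_effect

def parse_trace(text):   # 'rip=<addr> <mnemonic> <operands>' lines -> [(addr, mnemonic, operands)]
    rows = [line.split(None, 2) for line in text.strip().splitlines()]
    return [(p[0][4:], p[1], p[2] if len(p) > 2 else "") for p in rows if len(p) > 1 and p[0].startswith("rip=")]

def eliminate_dead(insns, live_at_end):   # backward liveness pass -> (kept instructions, indices dropped)
    live, dead = set(live_at_end), set()
    for idx in range(len(insns) - 1, -1, -1):
        defs, uses, side_effect = def_use(insns[idx][1], insns[idx][2])
        if defs and not side_effect and not (defs & live):
            dead.add(idx); continue   # nothing it writes is read before being overwritten
        live = (live - defs) | uses
    return [ins for i, ins in enumerate(insns) if i not in dead], sorted(dead)

# The 31-instruction fragment from the question's update; assumption: all registers, no flags, live afterwards.
TRACE = """\
rip=00000003de72158d sub r11d,2AD65C0Bh
rip=00000003de721594 rol r11d,1
rip=00000003de721597 movsx rsi,ax
rip=00000003de72159b not r11d
rip=00000003de72159e inc cx
rip=00000003de7215a1 sete bl
rip=00000003de7215a4 inc r11d
rip=00000003de7215a7 cmc
rip=00000003de7215a8 movzx si,spl
rip=00000003de7215ad add r11,rax
rip=00000003de7215b0 adc bh,ch
rip=00000003de7215b2 mov r9,100000000h
rip=00000003de7215bc ror r12,56h
rip=00000003de7215c0 add r11,r9
rip=00000003de7215c3 bsr r12w,r8w
rip=00000003de7215c8 mov r12,rsp
rip=00000003de7215cb rol r14,cl
rip=00000003de7215ce cmp r11b,0CCh
rip=00000003de7215d2 rol bl,95h
rip=00000003de7215d5 sub rsp,180h
rip=00000003de7215dc and rsp,0FFFFFFFFFFFFFFF0h
rip=00000003de7215e3 sal bh,98h
rip=00000003de7215e6 cmc
rip=00000003de7215e7 mov rbx,r11
rip=00000003de7215ea sar sil,cl
rip=00000003de7215ed and rcx,14DB3A03h
rip=00000003de7215f4 shl ch,cl
rip=00000003de7215f6 mov r14,0FFFFF8029E610000h
rip=00000003de721600 cmovno cx,r13w
rip=00000003de721605 and ecx,ebp
rip=00000003de721607 sub rbx,r14
"""
```

Called as `eliminate_dead(parse_trace(TRACE), GPR64)`, it drops 10 of the 31 instructions. `sete bl`, `adc bh,ch`, `rol bl,95h`, `sal bh,98h` and both `cmc` are dead because `mov rbx,r11` replaces rbx wholesale and no surviving instruction reads CF; `ror r12,56h` and `bsr r12w,r8w` die at `mov r12,rsp`, `rol r14,cl` at the later `mov r14,...`, and `cmp r11b,0CCh` sets flags nobody reads. Partial writes matter here: `bsr r12w` leaves the upper bits of r12 alone, so it is modelled as also reading r12 and is only dead because a full-width mov follows. Constant folding would be the natural next pass; it is not part of this example.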


Comments

Are you sure the execution is completely deterministic, i.e. that the program follows exactly the same path regardless of the initial state? If so, you could try modelling the inputs as symbolic variables and then running the program on those symbolic values. When you're done you'll have the output in the form of equations, which should be convertible back into assembly.

#1

Interesting topic.

The first thing I would do to simplify the obfuscation is determine whether the obfuscator works at the assembly level or at the IR level. At the IR level you will find nicer-looking functions and standard instructions from the compiler.

This case should be at the assembly level, since there is a lot of useless stack shifting and assignment, so I suggest starting by simplifying that. I do this by hand, as a way of finding the patterns (if possible) and then automating the process:

I agree about the two push instructions. Between the start and the end, the stack is decremented by 4 + 4, and the assignments at those offsets give the pushed values.
But that does not mean those values will eventually be used.

> I tried to convert these functions into LLVM IR and then optimize it, but none of the tools I know can do it. As far as I remember, only llvm-mctoll generated a suitable IR (but in most cases it failed, probably because of missing supported instructions); the others generated a lot of useless garbage code, and after optimization it looked even worse.

The main question is how the instructions are actually translated into the IR, and how they react to the compiler's passes. Some obfuscations can be optimized away by the compiler, others cannot.
One example: how should the compiler interact with the pushf/pushad instructions? If you can remap the stack usage to allocas, you can easily remove the useless accesses. If the esp accesses are treated as non-volatile writes to memory, the compiler has to keep them every time.
The compiler is best at performing well-known optimizations such as constant propagation.

> Other tools like Miasm or Angr only optimize the IR, which is not what I'm looking for.


What is the problem with the IR?


> What should I do? Optimizing it manually is easy, but time-consuming (it has about 4k asm instructions).


I would recommend a tool that works at the IR level, where you can define your own optimizations. If you can simplify the stack usage and the jmp/call usage, you will get a better view of the original code.

Yes, but I guess you already know them.
If so: triton and medusa (disclaimer: I am the author of the latter, at the moment)


> Where would one start creating them?


Most of these tools work with an IR; the first problem is translating the assembly code into the IR language.
The next step is to implement simplification passes (like a compiler does).
The last step is to build expressions by executing the code symbolically; the complexity grows very quickly and usually ends in performance/memory exhaustion.
Usually you have to simplify these expressions by hand, by feeding in some concrete data and optimizing.

> As far as I understand the theory, this is fairly easy, especially since I'm not analysing a binary but a trace, so I don't have to care about correct control-flow paths, disassembly, etc.


Analysing a trace is usually easier, but there is a catch.
Storing the trace can be heavy, the overhead can be excessive, you cannot easily build expressions from a trace, ...
If you want to stay with the trace, I think you should probably write a custom tool that parses the code and optimizes it. For example: for each assignment on the stack, keep the exact address and value. At the end of each piece of code (e.g. a call to an imported function, an address that has already been executed, ...), you can remove the useless writes on the stack. :)

By the way, could you share the executable?
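
The trace-level approach the answer suggests (keep the exact address and value of every stack write, then drop the writes that were overwritten before anything read them), run over the 32-bit fragment from the question, as an added example; it is neither the poster's peephole optimizer nor a tool of the answerer. Assumptions, also noted in the code: each WinDbg line's register dump is the state before that instruction, only the instruction forms present in the fragment plus generic `[esp+disp]` loads and stores are modelled, eflags and non-stack memory are not tracked, and anything left below the final esp is treated as discarded.

```python
"""Concrete stack-write tracking over a WinDbg x86 trace (added example, not the poster's optimizer)."""
import re

# One WinDbg x86 line: register dump, eight flag mnemonics, address, opcode bytes, instruction.
LINE_RE = re.compile(r"(?P<regs>(?:\w+=[0-9a-f]+\s+)+)(?:[a-z]{2}\s+){8}"
                     r"(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<mn>\w+)\s*(?P<ops>.*)$")
MEM_RE = re.compile(r"(?:(?P<size>byte|word|dword)\s+ptr\s+)?\[esp(?:(?P<sign>[+-])(?P<disp>[0-9A-Fa-f]+h?))?\]")
SIZES = {"byte": 1, "word": 2, "dword": 4}
PUSHAD_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # eax lands at esp-4, edi at esp-32

def to_int(tok):   # MASM-style number: a trailing 'h' means hex, otherwise decimal
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)

def mem_addr(esp, mem):   # effective address of a matched [esp+disp] operand
    d = to_int(mem["disp"]) if mem["disp"] else 0
    return esp - d if mem["sign"] == "-" else esp + d

def reg_value(regs, tok):
    """Concrete value of a register named in the dump (ax/al/ah style sub-registers included), else None."""
    t = tok.lower()
    if len(t) == 2 and t[0] in "abcd" and t[1] in "xlh":   # 16/8-bit views of eax..edx
        full = regs["e" + t[0] + "x"]
        return {"x": full[4:], "l": full[6:], "h": full[4:6]}[t[1]]
    return regs.get(t)

class StackTracker:
    """Byte-granular record of which write last stored each stack address and whether it was read since."""
    def __init__(self):
        self.writes = []   # {addr, size, value, remaining (bytes still visible), read}
        self.owner = {}    # byte address -> index into self.writes
    def write(self, addr, size, value):
        for a in range(addr, addr + size):
            if a in self.owner:
                self.writes[self.owner[a]]["remaining"] -= 1   # one byte of an older write is now overwritten
            self.owner[a] = len(self.writes)
        self.writes.append({"addr": addr, "size": size, "value": value, "remaining": size, "read": False})
    def read(self, addr, size):
        for a in range(addr, addr + size):
            if a in self.owner:
                self.writes[self.owner[a]]["read"] = True

def step(tr, regs, m):
    """Apply one traced instruction (the dump's esp is its pre-state) and return esp afterwards."""
    esp, mn, ops = int(regs["esp"], 16), m["mn"].lower(), m["ops"].strip()
    operands = [o.strip() for o in ops.split(",")] if ops else []
    if mn in ("push", "pushfd"):
        v = reg_value(regs, ops)
        tr.write(esp - 4, 4, "eflags" if mn == "pushfd" else ops if v is None else f"{ops}={v}")
        return esp - 4
    if mn == "pushad":
        for i, r in enumerate(PUSHAD_ORDER):
            tr.write(esp - 4 * (i + 1), 4, f"{r}={regs[r]}")
        return esp - 32
    if mn == "call":   # pushes the return address: this instruction's address plus its encoded length
        tr.write(esp - 4, 4, f"ret={int(m['addr'], 16) + len(m['bytes']) // 2:08x}")
        return esp - 4
    if mn == "lea" and operands[0].lower() == "esp":   # esp adjustment without memory access (esp-relative form assumed)
        return mem_addr(esp, MEM_RE.search(operands[1]))
    for i, op in enumerate(operands):   # explicit [esp+disp] operands of any other instruction
        mem = MEM_RE.search(op)
        if mem:
            addr, size = mem_addr(esp, mem), SIZES.get(mem["size"], 4)
            if i == 0 and mn not in ("cmp", "test"):   # destination operand
                if mn != "mov":
                    tr.read(addr, size)   # read-modify-write reads the old bytes first
                src = operands[1] if len(operands) > 1 else ""
                v = reg_value(regs, src)
                tr.write(addr, size, src if v is None else f"{src}={v}")
            else:
                tr.read(addr, size)
    return esp

def analyse(trace_text):
    """Returns (initial esp, final esp, surviving writes at/above final esp, number of dead writes)."""
    tr, esp0, esp = StackTracker(), None, None
    for line in trace_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            regs = dict(t.split("=") for t in m["regs"].split())
            esp0 = int(regs["esp"], 16) if esp0 is None else esp0
            esp = step(tr, regs, m)
    dead = [w for w in tr.writes if w["remaining"] == 0 and not w["read"]]   # overwritten before any read
    net = [(w["addr"], w["size"], w["value"]) for w in tr.writes if w["remaining"] > 0 and w["addr"] >= esp]
    return esp0, esp, sorted(net, key=lambda w: -w[0]), len(dead)   # highest address first = push order

# The memory-touching lines of the trace in the question (its jmp lines touch no memory and are left out).
TRACE = """\
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb1 esp=0255ff78 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb1 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040aeb2 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040aeb2 c7042417830b58   mov     dword ptr [esp],580B8317h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040892d esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040892d 881424           mov     byte ptr [esp],dl
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408930 esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 00408930 c7042432962f1b   mov     dword ptr [esp],1B2F9632h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0cf esp=0255ff74 ebp=0255ff80 nv up ei ng nz na po nc 0040e0cf 9c               pushfd
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d0 esp=0255ff70 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d0 60               pushad
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=0040e0d1 esp=0255ff50 ebp=0255ff80 nv up ei ng nz na po nc 0040e0d1 e825acffff       call    00408cfb
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408cfb esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408cfb c7442424c8b5ca7e mov     dword ptr [esp+24h],7ECAB5C8h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d03 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d03 c6042488         mov     byte ptr [esp],88h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d07 esp=0255ff4c ebp=0255ff80 nv up ei ng nz na po nc 00408d07 6812a1e14e       push    4EE1A112h
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0c esp=0255ff48 ebp=0255ff80 nv up ei ng nz na po nc 00408d0c 50               push    eax
eax=ffff8001 ebx=001603b6 ecx=77781e4c edx=00000000 esi=00401233 edi=00401233 eip=00408d0d esp=0255ff44 ebp=0255ff80 nv up ei ng nz na po nc 00408d0d 8d64242c         lea     esp,[esp+2Ch]
"""
```

Calling `analyse(TRACE)` reports four dead writes: the two `pushfd` values and the two earlier stores to `[esp]` that `1B2F9632h` replaced (the `mov byte ptr [esp],dl` counts as dead because its single byte is overwritten too). What survives at or above the final esp is exactly two dwords at the initial esp-4 and esp-8, that is the `push 1B2F9632h` / `push 7ECAB5C8h` pair derived by hand in the question; `pushad`, the return address of the `call` and the two trailing pushes all land below the `lea esp,[esp+2Ch]` adjustment and drop out. The "below esp is garbage" rule is the one to be careful with: it only holds at a boundary where the stack pointer is not lowered again to recover the data, which is why the answer proposes applying the cleanup per segment rather than over the whole trace at once.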

Comments


Hi, thanks for your answer, and sorry for my late reply. You asked what's wrong with the IR. Well, I don't want to use an IR because I want to be able to run this optimized code, and lowering Miasm/Angr IR back to assembly is not an easy task. I also edited the post; please take a look if you have time.

– kozera2137
Jan 17 '19 at 21:50