使用vmp 1.0.9 最小保護處理了兩條指令,如下所示:
0045E3A0 | 837D F4 7B | cmp dword ptr ss:[ebp-C],7B | vmp_1.0.9_test.cpp:12, 7B:'{'
0045E3A4 | 75 16 | jne vmp_1.0.9_test.45E3BC |
最後兩條指令膨脹到1330條,如下所示:
0045E3A0 | E9 014D0E00 | jmp vmp_1.0.9_test.vmp_input_base_not_change.5430A6 | vmp_1.0.9_test.cpp:12
005430A6 | 68 B72F5400 | push vmp_1.0.9_test.vmp_input_base_not_change.542FB7 |
005430AB | E9 A0FCFFFF | jmp vmp_1.0.9_test.vmp_input_base_not_change.542D50 |
00542D50 | 9C | pushfd |
00542D51 | 60 | pushad |
00542D52 | 68 00000000 | push 0 |
00542D57 | 8B7424 28 | mov esi,dword ptr ss:[esp+28] | esi:__enc$textbss$end+3B02
00542D5B | BA 00E05300 | mov edx,vmp_1.0.9_test.vmp_input_base_not_change.53E00 | edx:__enc$textbss$end+3B02
00542D60 | FC | cld |
00542D61 | FF15 00A05300 | call dword ptr ds:[<&GetCurrentThreadId>] |
00542D67 | 89C3 | mov ebx,eax |
00542D69 | B9 00010000 | mov ecx,100 | ecx:__enc$textbss$end+3B02
00542D6E | 89D7 | mov edi,edx | edi:__enc$textbss$end+3B02, edx:__enc$textbss$end+3B02
00542D70 | F2:AF | repne scasd |
00542D72 | 74 0D | je vmp_1.0.9_test.vmp_input_base_not_change.542D81 |
00542D74 | B8 00010000 | mov eax,100 |
00542D79 | 91 | xchg ecx,eax | ecx:__enc$textbss$end+3B02
00542D7A | 89D7 | mov edi,edx | edi:__enc$textbss$end+3B02, edx:__enc$textbss$end+3B02
00542D7C | F2:AF | repne scasd |
00542D7E | 895F FC | mov dword ptr ds:[edi-4],ebx | edi-4:__enc$textbss$end+3AFE
00542D81 | 89FD | mov ebp,edi | edi:__enc$textbss$end+3B02
00542D83 | 29D7 | sub edi,edx | edi:__enc$textbss$end+3B02, edx:__enc$textbss$end+3B02
00542D85 | D1E7 | shl edi,1 | edi:__enc$textbss$end+3B02
00542D87 | 8DBCFA C0030000 | lea edi,dword ptr ds:[edx+edi*8+3C0] | edi:__enc$textbss$end+3B02
00542D8E | 033424 | add esi,dword ptr ss:[esp] | esi:__enc$textbss$end+3B02
00542D91 | AC | lodsb |
00542D92 | 0FB6C0 | movzx eax,al |
00542D95 | FF3485 C9285400 | push dword ptr ds:[eax*4+5428C9] |
00542D9C | C3 | ret |
。。。此處省略。。。
使用dtvmp生成簡化後的僞指令,如下所示:
0x45e39d add esp, 0x8
0x45e3a0 jmp 0x5430a6
0x5430a6 push 0x542fb7
0x5430ab jmp 0x542d50
0x542d50 vm_entry_542d50
0x542d70 repne scasd dword ptr [edi]
0x542d72 jz 0x542d81
0x542d74 mov eax, 0x100
0x542d79 xchg ecx, eax
0x542d7a mov edi, edx
0x542d7c repne scasd dword ptr [edi]
0x542d7e mov dword ptr [edi-0x4], ebx
0x542d81 mov ebp, edi
0x542d83 sub edi, edx
0x542d85 shl edi, 0x1
0x542d87 lea edi, ptr [edx+edi*8+0x3c0]
0x542d8e add esi, dword ptr [esp]
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542edd vm_handler_542edd
0x542e64 vm_handler_542e64
0x542e64 vm_handler_542e64
0x542d27 vm_handler_542d27
0x542ee3 vm_handler_542ee3
0x54261d vm_handler_54261d
0x5424a8 vm_handler_5424a8
0x54261d vm_handler_54261d
0x542f9c vm_handler_542f9c
0x5426de vm_handler_5426de
0x5424da vm_handler_5424da
0x542689 vm_handler_542689
0x542689 vm_handler_542689
0x542668 vm_handler_542668
0x542668 vm_handler_542668
0x542da5 vm_handler_542da5
0x542e80 vm_handler_542e80
0x5424a8 vm_handler_5424a8
0x54261d vm_handler_54261d
0x5424ec vm_handler_5424ec
0x5424a8 vm_handler_5424a8
0x542d04 vm_handler_542d04
0x542668 vm_handler_542668
0x5424da vm_handler_5424da
0x542668 vm_handler_542668
0x542689 vm_handler_542689
0x542689 vm_handler_542689
0x542668 vm_handler_542668
0x5424da vm_handler_5424da
0x542668 vm_handler_542668
0x542da5 vm_handler_542da5
0x542e80 vm_handler_542e80
0x542e94 vm_handler_542e94
0x542df5 vm_handler_542df5
0x542df5 vm_handler_542df5
0x5424da vm_handler_5424da
0x542689 vm_handler_542689
0x542668 vm_handler_542668
0x542e80 vm_handler_542e80
0x542ce3 vm_handler_542ce3
0x542689 vm_handler_542689
0x54265a vm_handler_54265a
0x542e80 vm_handler_542e80
0x5424a8 vm_handler_5424a8
0x542ce3 vm_handler_542ce3
0x542689 vm_handler_542689
0x542ee3 vm_handler_542ee3
0x54261d vm_handler_54261d
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542d27 vm_handler_542d27
0x542df5 vm_handler_542df5
0x542d27 vm_handler_542d27
0x542ee3 vm_handler_542ee3
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x54258a vm_exit_54258a
0x542d50 vm_entry_542d50
0x542d72 jz 0x542d81
0x542d74 mov eax, 0x100
0x542d79 xchg ecx, eax
0x542d7a mov edi, edx
0x542d7e mov dword ptr [edi-0x4], ebx
0x542d81 mov ebp, edi
0x542d83 sub edi, edx
0x542d85 shl edi, 0x1
0x542d87 lea edi, ptr [edx+edi*8+0x3c0]
0x542d8e add esi, dword ptr [esp]
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542e94 vm_handler_542e94
0x542edd vm_handler_542edd
0x542df5 vm_handler_542df5
0x542d27 vm_handler_542d27
0x542ee3 vm_handler_542ee3
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x542d27 vm_handler_542d27
0x54258a vm_exit_54258a
0x45e3a6 mov eax, eax
0x45e3a8 mov eax, eax
0x45e3aa mov eax, eax
0x45e3ac mov eax, eax
0x45e3ae mov eax, eax
0x45e3b0 mov eax, eax
0x45e3b2 mov eax, eax
0x45e3b4 mov eax, eax
0x45e3b6 mov eax, eax
0x45e3b8 mov eax, eax
0x45e3ba jmp 0x45e3c6
1330條指令被簡化到140條了,