IDA Pro - 如何得到比較清楚的逆向偽代碼


原文地址:Question about disassembler

簡介

這篇文章介紹了如何在不使用插件的情況下,用IDA Hex-Rays得到比較清晰的偽代碼。IDA Hex-Rays功能很強大,只要你提供了足夠多的信息,它就能產生十分簡單明了的代碼。

下面我們以這個二進制文件為例:

為了方便我直接把exe文件后綴改成jpg,下載下來把文件后綴改回exe就行了

二進制文件下載地址:

步驟

打開IDA Pro加載這個exe文件,先按Shift + F5,添加vc32_14, vc32rtf, vc32ucrt這三個符號簽名文件。

這個exe文件的main函數不太好找,我們先定位到exe文件的入口,按F5得到以下結果

// Hex-Rays output for the CRT entry point. a1 arrives in ebp and is used as
// the frame pointer, so every `*(... *)(a1 - N)` below is a frame-local slot
// that the decompiler did not recover as a named local.
signed int __usercall start@<eax>(int a1@<ebp>, int a2@<esi>)
{
  char v2; // bl  -- 1 when the CRT was already initialised; makes _cexit skipped below
  int v4; // ST14_4  -- never assigned in this listing: artifact of an unmodelled stack slot
  _DWORD *v5; // eax
  _DWORD *v6; // esi
  _DWORD *v7; // eax
  _DWORD *v8; // esi
  const char **v9; // edi  -- argv
  int *v10; // esi  -- pointer to argc
  const char **v11; // eax  -- envp

  sub_4018B4();
  // dword_41CC40 is the initialisation state: 0 = not started, 1 = in
  // progress, 2 = done. Arriving while it is 1 is treated as fatal.
  // *(a1 - 36) receives the result of sub_401631() and is later passed to
  // __scrt_release_startup_lock, so sub_401631 is presumably the matching
  // lock-acquire routine -- TODO confirm.
  if ( !(unsigned __int8)__scrt_initialize_crt(1)
    || (v2 = 0, *(_BYTE *)(a1 - 25) = 0, *(_DWORD *)(a1 - 4) = 0, *(_BYTE *)(a1 - 36) = sub_401631(), dword_41CC40 == 1) )
  {
    __scrt_fastfail(7);
    goto LABEL_20;
  }
  if ( dword_41CC40 )
  {
    // State 2: already initialised, remember it so _cexit is not run again.
    v2 = 1;
    *(_BYTE *)(a1 - 25) = 1;
  }
  else
  {
    // State 0: run the initializer tables. A nonzero result from
    // _initterm_e aborts startup with exit code 255.
    dword_41CC40 = 1;
    if ( _initterm_e(&unk_415140, &unk_415158) )
    {
      *(_DWORD *)(a1 - 4) = -2;
      return 255;
    }
    _initterm(&unk_415134, &unk_41513C);
    dword_41CC40 = 2;
  }
  __scrt_release_startup_lock(*(_DWORD *)(a1 - 36));
  // Two optional callbacks; each is invoked only when its pointer lies in a
  // non-writable section of the image (an integrity check before the call).
  v5 = (_DWORD *)sub_40196C(v4);
  v6 = v5;
  if ( *v5 )
  {
    if ( (unsigned __int8)__scrt_is_nonwritable_in_current_image(v5) )
      ((void (__thiscall *)(_DWORD, _DWORD, signed int, _DWORD))*v6)(*v6, 0, 2, 0);
  }
  v7 = (_DWORD *)sub_401972();
  v8 = v7;
  if ( *v7 )
  {
    if ( (unsigned __int8)__scrt_is_nonwritable_in_current_image(v7) )
      _register_thread_local_exe_atexit_callback(*v8);
  }
  // argc / argv / envp come from three CRT getters; the disassembly labels
  // the pushed values argc, argv and envp.
  v9 = *(const char ***)sub_406ACE();
  v10 = (int *)sub_406AC8();
  v11 = (const char **)unknown_libname_31();
  a2 = main(*v10, v9, v11);
  // main's return value becomes the process exit code on both paths below.
  // NOTE(review): sub_401A94 looks like the CRT's "is managed app" check -- confirm.
  if ( !(unsigned __int8)sub_401A94() )
LABEL_20:
    exit(a2);
  if ( !v2 )
    _cexit();
  __scrt_uninitialize_crt(1, 0);
  *(_DWORD *)(a1 - 4) = -2;
  return a2;
}

注意下面的代碼

  a2 = main(*v10, v9, v11);
  if ( !(unsigned __int8)sub_401A94() )
LABEL_20:
    exit(a2);

exit函數的參數應該就是主函數的返回值。

定位到main函數

.text:00401390                 mov     esi, eax
.text:00401392                 call    sub_406312
.text:00401392
.text:00401397                 push    eax             ; envp
.text:00401398                 push    edi             ; argv
.text:00401399                 push    dword ptr [esi] ; argc
.text:0040139B                 call    main

按F5,我們會得到以下代碼

// First Hex-Rays pass over main, before any retyping. The stack offsets in
// the declaration comments show that v9..v13 (ebp-22Ch..ebp-212h) form one
// contiguous 27-byte region and that v15 (ebp-20Ch) directly follows v14.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE v3; // esi
  CHAR v4; // al
  int v5; // ecx
  unsigned int v6; // esi
  char v7; // bl
  __int128 v9; // [esp+4h] [ebp-22Ch]
  int v10; // [esp+14h] [ebp-21Ch]
  int v11; // [esp+18h] [ebp-218h]
  __int16 v12; // [esp+1Ch] [ebp-214h]
  char v13; // [esp+1Eh] [ebp-212h]
  int v14; // [esp+20h] [ebp-210h]
  char v15; // [esp+24h] [ebp-20Ch]
  CHAR Buffer[256]; // [esp+124h] [ebp-10Ch]
  int v17; // [esp+224h] [ebp-Ch]
  char v18; // [esp+228h] [ebp-8h]

  // Handle of the running image; used as the resource module below.
  v3 = GetModuleHandleA(0);
  // Only 0xFF of the 0x100 bytes are cleared; the final byte is untouched.
  memset(Buffer, 0, 0xFFu);
  memset(&v15, 0, 0xFFu);
  // String resource 0x539 (1337) -> Buffer; failure ends main with -1.
  if ( !LoadStringA(v3, 0x539u, Buffer, 255) )
    return -1;
  v4 = Buffer[0];
  if ( Buffer[0] )
  {
    v5 = 0;
    do
    {
      // ++v5 + 3 starts at offset 4 from v14, i.e. the first byte of v15:
      // the loop stores Buffer[k] ^ 0x30 into v15[k] up to the NUL.
      *((_BYTE *)&v14 + ++v5 + 3) = v4 ^ 0x30;
      v4 = Buffer[v5];
    }
    while ( v4 );
  }
  memset(Buffer, 0, 0xFFu);
  // String resource 0x29A (666) -> Buffer; used below as the value name.
  if ( !LoadStringA(v3, 0x29Au, Buffer, 255) )
    return -1;
  // v17 (4 bytes) + v18 (1 byte) is the 5-byte output buffer; v14 is the
  // in/out size argument and holds the byte count after the call.
  v17 = 0;
  v18 = 0;
  v14 = 5;
  // -2147483647 is 0x80000001, i.e. HKEY_CURRENT_USER; subkey = v15
  // (decoded above), value = Buffer, 0xFFFF = RRF_RT_ANY.
  if ( RegGetValueA(-2147483647, &v15, Buffer, 0xFFFF, 0, &v17, &v14) )
    return -1;
  v6 = 0;
  // 16 + 4 + 4 + 2 + 1 = 27 bytes written into the contiguous v9..v13 region.
  v9 = xmmword_4194E0;
  v10 = 55858812;
  v7 = 114;
  v11 = 1157851502;
  v12 = 20051;
  v13 = 0;
  do
  {
    // unk_4194D0 is the "%c" format (see the text). Each byte is XORed with
    // a key byte cycled over v14 - 1 bytes. NOTE(review): v14 is whatever
    // RegGetValueA wrote back; a 1-byte value makes the divisor 0.
    sub_401010((const char *)&unk_4194D0, v7 ^ *((_BYTE *)&v17 + v6 % (v14 - 1)));
    // Reads resume at byte 1 of v9; byte 0 is never used because v7 = 114
    // supplies the first input byte.
    v7 = *((_BYTE *)&v9 + v6++ + 1);
  }
  while ( v7 );
  return 0;
}

看起來確實很亂,但我們可以幫助反匯編器給出一個稍好一點的代碼

首先我們有兩個memsets

  memset(Buffer, 0, 0xFFu);
  memset(&v15, 0, 0xFFu);

Buffer和v15的原型應該是char name[0xFF]。點擊Buffer然后按y鍵,把Buffer的類型改成char name[0xFF],對v15做同樣的事即可。

此外我們可以給這些變量一個有意義一點的名字,例如buffer_1和buffer_2。點擊變量,按n鍵即可修改變量的名字。

通過查看unk_4194D0我們會發現它是%c,那么sub_401010這個函數應該就是printf函數了,把sub_401010重命名為printf,並把printf的函數原型改成int printf(const char *format, ...)

LoadStringA和RegGetValueA里的數字通過按H鍵轉換成十六進制,這樣子看起來方便些,然后把其他的一些變量名也改成有意義的字符。

這樣子我們就得到下面的代碼了:

// Second pass: same code as before with locals renamed and the resource ids
// and registry arguments shown in a readable radix. The stack offsets still
// show xored_flag..part_of_xored_flag_3 as one contiguous 27-byte region.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  __int128 xored_flag; // [esp+4h] [ebp-22Ch]
  int part_of_xored_flag; // [esp+14h] [ebp-21Ch]
  int part_of_xored_flag_1; // [esp+18h] [ebp-218h]
  __int16 part_of_xored_flag_2; // [esp+1Ch] [ebp-214h]
  char part_of_xored_flag_3; // [esp+1Eh] [ebp-212h]
  int some_buff; // [esp+20h] [ebp-210h]
  char buff_2[255]; // [esp+24h] [ebp-20Ch]
  char buff_1[255]; // [esp+124h] [ebp-10Ch]
  int xor_key_buff; // [esp+224h] [ebp-Ch]
  char v18; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  // Resource 1337 -> buff_1; failure ends main with -1.
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      // Offset 4 from some_buff is buff_2[0] (ebp-20Ch follows ebp-210h):
      // buff_2[k] = buff_1[k] ^ 0x30 up to the NUL.
      *((_BYTE *)&some_buff + ++i + 3) = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  // Resource 666 -> buff_1; it becomes the registry value name.
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  // xor_key_buff (4) + v18 (1) is the 5-byte output buffer; some_buff is the
  // in/out size argument and holds the byte count after the call.
  xor_key_buff = 0;
  v18 = 0;
  some_buff = 5;
  // 0x80000001 = HKEY_CURRENT_USER; subkey = buff_2, value = buff_1,
  // 0xFFFF = RRF_RT_ANY.
  if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, &xor_key_buff, &some_buff) )
    return -1;
  cou = 0;
  // 27 bytes of ciphertext spread over the five adjacent locals.
  xored_flag = xmmword_4194E0;
  part_of_xored_flag = 0x354567C;
  xor_byte = 0x72;
  part_of_xored_flag_1 = 0x4503696E;
  part_of_xored_flag_2 = 0x4E53;
  part_of_xored_flag_3 = 0;
  do
  {
    // Key byte cycles over some_buff - 1 bytes. NOTE(review): some_buff is
    // the size RegGetValueA wrote back; a 1-byte value makes the divisor 0.
    printf("%c", xor_byte ^ *((char *)&xor_key_buff + cou % (some_buff - 1)));
    // Byte 0 of xored_flag is never read; xor_byte = 0x72 supplies the
    // first input byte and reads resume at index 1.
    xor_byte = *((_BYTE *)&xored_flag + cou++ + 1);
  }
  while ( xor_byte );
  return 0;
}

看起來清爽了一點,但還是有點亂。

下面我們看看能對`some_buff`做些什么,雙擊`some_buff`我們會跳轉到棧視圖。

-0000022C xored_flag      db ?
-0000022B                 db ? ; undefined
-0000022A                 db ? ; undefined
-00000229                 db ? ; undefined
-00000228                 db ? ; undefined
-00000227                 db ? ; undefined
-00000226                 db ? ; undefined
-00000225                 db ? ; undefined
-00000224                 db ? ; undefined
-00000223                 db ? ; undefined
-00000222                 db ? ; undefined
-00000221                 db ? ; undefined
-00000220                 db ? ; undefined
-0000021F                 db ? ; undefined
-0000021E                 db ? ; undefined
-0000021D                 db ? ; undefined
-0000021C                 db ? ; undefined
-0000021B                 db ? ; undefined
-0000021A                 db ? ; undefined
-00000219                 db ? ; undefined
-00000218                 db ? ; undefined
-00000217                 db ? ; undefined
-00000216                 db ? ; undefined
-00000215                 db ? ; undefined
-00000214                 db ? ; undefined
-00000213                 db ? ; undefined
-00000212                 db ? ; undefined
-00000211                 db ? ; undefined
-00000210 some_buff       dd ?            ; <<<<< our variable
-0000020C buff_2          db 255 dup(?)
-0000010D                 db ? ; undefined
-0000010C buff_1          db 255 dup(?)
-0000000D                 db ? ; undefined
-0000000C xor_key_buff    db ?
-0000000B                 db ? ; undefined
-0000000A                 db ? ; undefined
-00000009                 db ? ; undefined

some_buff是dword,也就是四個字節,那它應該是一個字符buff,把它的類型改成char a[4]

然后把xor_key_buff的類型設置為char a[4],xored_flag設置為char a[28],buff_1和buff_2設置為char a[256]

我們就有下面的棧視圖了

-0000022C xored_flag      db 28 dup(?)
-00000210 some_buff       db 4 dup(?)
-0000020C buff_2          db 256 dup(?)
-0000010C buff_1          db 256 dup(?)
-0000000C xor_key_buff    db 4 dup(?)

再點下F5刷新偽代碼視圖,我們會得到以下主函數偽代碼:

// Third pass: the stack slots are now typed as char arrays, so the byte
// arithmetic of the earlier passes turns into array indexing.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  char xored_flag[28]; // [esp+4h] [ebp-22Ch]
  char some_buff[4]; // [esp+20h] [ebp-210h]
  char buff_2[256]; // [esp+24h] [ebp-20Ch]
  char buff_1[256]; // [esp+124h] [ebp-10Ch]
  char xor_key_buff[4]; // [esp+224h] [ebp-Ch]
  char v14; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  // Only 255 of the 256 bytes are cleared; the last byte is untouched.
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      // ++i + 3 starts at index 4, one past the 4-byte some_buff: with
      // buff_2 at ebp-20Ch directly after some_buff at ebp-210h, these
      // stores fill buff_2[k] = buff_1[k] ^ 0x30. NOTE(review): the
      // some_buff[...] form is a retyping artifact, not a real overflow.
      some_buff[++i + 3] = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  // xor_key_buff (4) + v14 (1) is the 5-byte output buffer; some_buff holds
  // the in/out size (5 in, bytes written out).
  *(_DWORD *)xor_key_buff = 0;
  v14 = 0;
  *(_DWORD *)some_buff = 5;
  // 0x80000001 = HKEY_CURRENT_USER; subkey = buff_2, value = buff_1,
  // 0xFFFF = RRF_RT_ANY.
  if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )
    return -1;
  cou = 0;
  // 16 + 4 + 4 + 2 + 1 = 27 bytes of ciphertext, NUL-terminated at [26].
  *(_OWORD *)xored_flag = xmmword_4194E0;
  *(_DWORD *)&xored_flag[16] = 0x354567C;
  xor_byte = 0x72;
  *(_DWORD *)&xored_flag[20] = 0x4503696E;
  *(_WORD *)&xored_flag[24] = 0x4E53;
  xored_flag[26] = 0;
  do
  {
    // NOTE(review): the divisor is the size RegGetValueA wrote back minus
    // one; a 1-byte value makes it 0 and nothing guards that.
    printf("%c", xor_byte ^ xor_key_buff[cou % (*(_DWORD *)some_buff - 1)]);
    // xored_flag[0] is never read; xor_byte = 0x72 supplies the first byte.
    xor_byte = xored_flag[cou++ + 1];
  }
  while ( xor_byte );
  return 0;
}

現在點擊RegGetValueA里的0x80000001

if ( RegGetValueA(0x80000001, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )

按M選擇枚舉值HKEY_CURRENT_USER

最后的代碼就是這個樣子了

// Final pass: 0x80000001 replaced by the HKEY_CURRENT_USER enum and the
// global renamed g_xored_flag. NOTE(review): the `*(_DWORD *)`/`*(_WORD *)`
// casts of the previous listing are no longer displayed, so `*some_buff = 5`
// and the `*&xored_flag[N] = ...` lines read as single-char stores; they
// are still the same 4- and 2-byte stores -- presumably a cast-display
// setting, confirm before trusting the widths shown here.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  HMODULE cur_proc; // esi
  char byte; // al
  int i; // ecx
  unsigned int cou; // esi
  char xor_byte; // bl
  char xored_flag[28]; // [esp+4h] [ebp-22Ch]
  char some_buff[4]; // [esp+20h] [ebp-210h]
  char buff_2[256]; // [esp+24h] [ebp-20Ch]
  char buff_1[256]; // [esp+124h] [ebp-10Ch]
  char xor_key_buff[4]; // [esp+224h] [ebp-Ch]
  char v14; // [esp+228h] [ebp-8h]

  cur_proc = GetModuleHandleA(0);
  // Only 255 of the 256 bytes are cleared; the last byte is untouched.
  memset(buff_1, 0, 0xFFu);
  memset(buff_2, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 1337u, buff_1, 255) )
    return -1;
  byte = buff_1[0];
  if ( buff_1[0] )
  {
    i = 0;
    do
    {
      // Index 4 onward is past the 4-byte some_buff and lands in buff_2,
      // which follows it on the stack: buff_2[k] = buff_1[k] ^ 0x30.
      some_buff[++i + 3] = byte ^ 0x30;
      byte = buff_1[i];
    }
    while ( byte );
  }
  memset(buff_1, 0, 0xFFu);
  if ( !LoadStringA(cur_proc, 666u, buff_1, 255) )
    return -1;
  // xor_key_buff (4) + v14 (1) is the 5-byte output buffer; some_buff is
  // the in/out size argument (5 in, bytes written out).
  *xor_key_buff = 0;
  v14 = 0;
  *some_buff = 5;
  // subkey = buff_2 (decoded above), value name = buff_1 (resource 666),
  // 0xFFFF = RRF_RT_ANY.
  if ( RegGetValueA(HKEY_CURRENT_USER, buff_2, buff_1, 0xFFFF, 0, xor_key_buff, some_buff) )
    return -1;
  cou = 0;
  // 27 bytes of ciphertext, NUL-terminated at [26].
  *xored_flag = g_xored_flag;
  *&xored_flag[16] = 0x354567C;
  xor_byte = 0x72;
  *&xored_flag[20] = 0x4503696E;
  *&xored_flag[24] = 0x4E53;
  xored_flag[26] = 0;
  do
  {
    // NOTE(review): divisor is the returned size minus one; a 1-byte
    // registry value makes it 0 and nothing guards that.
    printf("%c", xor_byte ^ xor_key_buff[cou % (*some_buff - 1)]);
    // xored_flag[0] is never read; xor_byte = 0x72 supplies the first byte.
    xor_byte = xored_flag[cou++ + 1];
  }
  while ( xor_byte );
  return 0;
}

