After a month's work I have a tool that can more or less create basic blocks from instructions.
I decided on my first target: identifying and extracting all basic blocks of the protector's little anti-bp checks.
393844C3  83EC 20               sub esp,20
393844C6  C74424 1C 406CD77A    mov dword ptr ss:[esp+1C],7AD76C40
393844CE  C74424 18 6E000000    mov dword ptr ss:[esp+18],6E
393844D6  894C24 14             mov dword ptr ss:[esp+14],ecx
393844DA  B9 90443839           mov ecx,39384490
393844DF  C14C24 1C 10          ror dword ptr ss:[esp+1C],10
393844E4  894424 10             mov dword ptr ss:[esp+10],eax
393844E8  C1E6 00               shl esi,0
393844EB  8B01                  mov eax,dword ptr ds:[ecx]
393844ED  014424 1C             add dword ptr ss:[esp+1C],eax
393844F1  C1E7 00               shl edi,0
393844F4  83C1 04               add ecx,4
393844F7  66:FF4C24 18          dec word ptr ss:[esp+18]
393844FC  75 ED                 jne 393844EB
This is just a sample of the code. The overall pattern is sub esp, <size>, then three movs and, most importantly, a mov reg, imm. The checks only process at most 294 bytes. There are 22718 of them, with an additional 5500 that are probably false positives.
The next step is to analyze whether these 22k checks all use the same algorithm or different ones, and to somehow extract it programmatically. I am exploring dataflow analysis and symbolic execution; if the algorithm is the same, only one sample is enough.
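To see what one of these checks actually computes, here is the loop from the listing above replayed in Python. This is an added example, not the author's tool and not the protector's code: the seed, the 16-bit counter and the rotate amount are read off the disassembly, while the memory region it runs over is a constructed buffer (the real check reads from 39384490).

```python
import struct

# Constants taken from the disassembly: the seed stored at [esp+1C],
# the 16-bit loop counter stored at [esp+18], and the ror amount.
SEED = 0x7AD76C40
COUNT = 0x6E          # 110 iterations of one dword each -> 440 bytes covered
ROTATE = 0x10


def ror32(value: int, count: int) -> int:
    """32-bit rotate right, mirroring the x86 ror instruction."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def check_sum(region: bytes, seed: int = SEED, count: int = COUNT) -> int:
    """Replay the loop at 393844EB..393844FC over `region`.

    The ror is executed once, before the loop, so the loop body itself is a
    plain 32-bit sum of little-endian dwords starting at the address loaded
    into ecx (39384490 in the listing; offset 0 of `region` here).
    """
    if len(region) < 4 * count:
        raise ValueError("region is shorter than the bytes the loop reads")
    acc = ror32(seed, ROTATE)                        # ror dword ptr [esp+1C],10
    for i in range(count):                           # dec word ptr [esp+18] / jne
        (dword,) = struct.unpack_from("<I", region, 4 * i)  # mov eax,[ecx]; add ecx,4
        acc = (acc + dword) & 0xFFFFFFFF             # add dword ptr [esp+1C],eax
    return acc                                       # final accumulator value


def tamper_detected(original: bytes, current: bytes) -> bool:
    """True when the replayed sum over `current` differs from `original`."""
    return check_sum(original) != check_sum(current)


if __name__ == "__main__":
    # Constructed sample region (not bytes from the protected binary).
    clean = bytes(4 * COUNT)
    patched = bytearray(clean)
    patched[5] = 0xCC        # a single software-breakpoint byte inside the region
    print(f"clean   : {check_sum(clean):08X}")
    print(f"patched : {check_sum(bytes(patched)):08X}")
    print("tamper detected:", tamper_detected(clean, bytes(patched)))
```

Because the rotate is applied to a constant before the loop, the only input-dependent work is the dword sum; that is the property a dataflow or symbolic pass over the 22k samples would need to confirm (or refute) before treating one sample as representative.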