Pin-VM解题工具

Pin VM解题工具

寒假做了点VM相关的逆向题,了解到了一个工具——Pin

Pin是Intel出的一个插桩工具

安装

直接在官网下载压缩包

Linux / macOS:

1
2
3
$ tar zxf pin-3.2-81205-gcc-linux.tar.gz
$ cd pin-3.2-81205-gcc-linux
Use the macOS* kit names respectively.

Windows: 

1
$ cd  pin-3.2-81205-msvc-windows

使用

pintools本身提供了很多插件,做VM类的题目就需要我们自己依据模板编写pintool(其实就是填一下地址

插桩的地址是F7跟程序的控制流得来的

模板:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
/*
 *source/tools/MyPinTool/MyPinTool.cpp
 */

#include <stdio.h>
#include "pin.H"

FILE * trace;

VOID printip(ADDRINT * ip,ADDRINT *rax,ADDRINT *rdx,ADDRINT *rcx,ADDRINT *rbx) { 
  //打印虚拟机log  
  if((long int)ip == 0x004015F1){ //mov
        if(rbx){
            fprintf(trace, "%p\tMOV (%p)[%p],input[%p]\n", ip, rdx, rcx, rax);
        }else{
            fprintf(trace, "%p\tMOV (%p)[%p],ECX(%p)\n", ip, rdx, rax, rcx);
        }
    }else if ((long int)ip == 0x401594){ //add
        if(rbx){
            fprintf(trace, "%p\tADD RDX,input[%p]+input[%p]\n", ip, rax, rcx);
        }else{
            fprintf(trace, "%p\tADD RDX,input[%p]+%p\n", ip, rax, rcx);
        }
    }else if ((long int)ip == 0x401477){ //xor
        if(rbx){
            fprintf(trace, "%p\tXOR (%p)[%p],input[%p]\n", ip, rdx, rax, rcx);
        }else{
            fprintf(trace, "%p\tXOR (%p)[%p],%p\n", ip, rdx, rax, rcx);
        }
    }else if ((long int)ip == 0x401408){ //cmp
        if(rbx){
            fprintf(trace, "%p\tCMP (%p)[%p],(%p)[%p]\n", ip, rdx, rax, rdx, rcx);
        }else{
            fprintf(trace, "%p\tCMP (%p)[%p],%p\n", ip, rdx, rax, rcx);
        }
    }else if ((long int)ip == 0x401464){ //jmp
        if(rdx){
            fprintf(trace, "%p\tJNZ (%p) no \n", ip, rax);
        }else{
            fprintf(trace, "%p\tJNZ (%p)\n", ip, rax);
        }
    }else if ((long int)ip == 0x401535){ //shr
        if(rbx){
            fprintf(trace, "%p\tSHL (%p)[%p],(%p)[%p]\n", ip, rdx, rax, rdx, rcx);
        }else{
             fprintf(trace, "%p\tSHL (%p)[%p],%p\n", ip, rdx, rax,rcx);
        }
    }else if ((long int)ip == 0x4014D6){ //shl
        if(rbx){
            fprintf(trace, "%p\tSHL (%p)[%p],(%p)[%p]\n", ip, rdx, rax, rdx, rcx);
        }else{
            fprintf(trace, "%p\tSHL (%p)[%p],%p\n", ip, rdx, rax,rcx);
        }
    }
}
VOID Instruction(INS ins, VOID *v){
    long int opList[] = {0x004015F1, 0x401594, 0x401477, 0x401408, 0x401464, 0x401535, 0x4014D6};//需要插桩的地址
    long int ip = INS_Address(ins);
    bool flag = false;
    for (size_t i = 0; i < 7; i++){
        if(ip == opList[i]){
            flag = true;
            break;
        }
    }//进行指令级别插桩
    if(flag){//IPOINT_BEFORE在指令执行前插桩
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip,
                   IARG_INST_PTR,
                   IARG_REG_VALUE,REG_EAX,
                   IARG_REG_VALUE,REG_EDX,
                   IARG_REG_VALUE,REG_ECX,
                   IARG_REG_VALUE,REG_EBX,
                   IARG_END);
    }
  //以IARG_REG_VALUE,REG_EAX的形式将执行这条指令前的寄存器值传入
}

VOID Fini(INT32 code, VOID *v)
{
    fprintf(trace, "#eof\n");
    fclose(trace);
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    PIN_ERROR("This Pintool log flow\n" 
              + KNOB_BASE::StringKnobSummary() + "\n");
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */

int main(int argc, char * argv[])
{
    trace = fopen("itrace.out", "w");

    // Initialize pin
    if (PIN_Init(argc, argv)) return Usage();

    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);
    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    PIN_StartProgram();

    return 0;
}
//这里的地址是程序中虚拟机的每个代码段的起始地址

写完pintool后

1
2
3
4
$ cd source/tools/MyPinTool
$ make all TARGET=ia32  //64位就是intel64
$ ../../../pin -t obj-intel64/MyPinTool.so -- ./[targetfile]
//最后一个参数是输入的参数,运行后会运行这个程序

然后生成的itrace.out就是受虚拟机所保护的控制流,可以直接阅读汇编猜测加密手段,也可以编译之后反编译成伪C阅读

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

江南大学通信工程在读本科生;江南大学信息安全俱乐部19级成员、现任俱乐部负责人;SU现役成员