0x56a9a3 jmp 0x56a9ad  ; unconditional jmp: control-flow glue only, dropped in pass 1
0x56a9ad jmp 0x665150  ; glue
0x665150 push 0x5618ae2c  ; immediate pushed before the call; read back at 0x67b86b via [esp + 0x28]
0x665155 call 0x54ef36  ; pushes the return address
0x54ef36 pushfd  ; saves the caller's EFLAGS on the stack -- a stack write, not a flag-only instruction; keep it
0x54ef37 jmp 0x67b850  ; glue
0x67b850 push edx  ; register save block starts: edx, esi, eax, ecx, ebx, ebp, edi
0x67b851 push esi
0x67b852 stc  ; CF = 1; its only consumer is the rcr below, whose result is dead
0x67b853 push eax  ; pushes the ORIGINAL eax, before rcr/bswap/not/rol below mangle it
0x67b854 rcr al, 0x70  ; reads CF; dead store: eax is rewritten at 0x67b861 before any live read
0x67b857 push ecx
0x67b858 bswap eax  ; dead (see 0x67b861)
0x67b85a not al  ; dead
0x67b85c rol al, cl  ; dead
0x67b85e push ebx
0x67b85f push ebp  ; last live read of ebp before it is rewritten at 0x67b896 / 0x67b8b1
0x67b860 push edi
0x67b861 mov eax, 0  ; eax is a known constant from here on
0x67b866 rol bp, -0x3b  ; dead: bp is rewritten (movsx ebp, di; mov ebp, esp) before any live read
0x67b86a push eax  ; push 0 after constant propagation
0x67b86b mov esi, dword ptr [esp + 0x28]  ; 10 dwords up the stack = the 0x5618ae2c pushed at 0x665150
0x67b86f rcr bp, -0x72  ; reads CF; dead
0x67b873 cmova bp, si  ; reads CF/ZF -- a flag consumer; dead only because bp itself is dead
0x67b877 rol esi, 3  ; live: esi chain
0x67b87a sar ebx, cl  ; dead: ebx rewritten at 0x67b8bc
0x67b87c bsr bp, di  ; dead
0x67b880 sar ebx, -0x6c  ; dead
0x67b883 xor esi, 0x34952d6c  ; live
0x67b889 sbb edi, eax  ; reads CF; dead: edi rewritten at 0x67b8cf
0x67b88b lea esi, [esi + 0x28803bf1]  ; live: add without touching flags
0x67b891 sub di, 0x69a5  ; dead
0x67b896 movsx ebp, di  ; dead: ebp rewritten at 0x67b8b1
0x67b899 rcr edi, -0x37  ; reads CF; dead
0x67b89c bswap esi  ; live
0x67b89e not esi  ; live
0x67b8a0 lea esi, [esi + eax]  ; eax == 0 here: no-op after propagation
0x67b8a3 test bp, si  ; flags only; no consumer before sub rewrites them
0x67b8a6 sub edi, 0x502f0448  ; dead
0x67b8ac sbb bp, 0x619b  ; reads CF; dead
0x67b8b1 mov ebp, esp  ; live: ebp -> the saved-register block
0x67b8b3 sub esp, 0xc0  ; live: 0xc0 bytes of scratch below it
0x67b8b9 test ch, 0xc3  ; flags only, no consumer
0x67b8bc mov ebx, esi  ; live: ebx := esi
0x67b8be or eax, 0x688512e0  ; dead: eax rewritten by the next instruction
0x67b8c3 mov eax, 0  ; read only by sub ebx, eax below, which folds to a no-op
0x67b8c8 and edi, ecx  ; dead
0x67b8ca movsx edi, si  ; dead
0x67b8cd sub ebx, eax  ; eax == 0: no-op
0x67b8cf lea edi, [0x67b8cf]  ; live: absolute disp32 with no base register, edi = 0x67b8cf
0x67b8d5 sub esi, 4  ; live
0x67b8db movsx ax, ch  ; dead: eax rewritten by the next instruction
0x67b8df mov eax, dword ptr [esi]  ; live: the one real memory read in this chain
0x67b8e1 test eax, edi  ; flags only
0x67b8e3 cmp ax, si  ; flags only
0x67b8e6 clc  ; flags only
0x67b8e7 xor eax, ebx  ; live
0x67b8e9 bswap eax  ; live
0x67b8eb test dl, ch  ; flags only
0x67b8ed neg eax  ; live
0x67b8ef jmp 0x67042b  ; glue
0x67042b dec eax  ; live
0x67042c stc  ; flag churn, no consumer
0x67042d cmc
0x67042e clc
0x67042f ror eax, 1  ; live (a rotate by 1 does not read CF)
0x670431 test bp, 0x557  ; flags only
0x670436 cmp bx, si  ; flags only
0x670439 jmp 0x667287  ; glue
0x667287 not eax  ; live
0x667289 xor ebx, eax  ; live: ebx folded with the decoded dword
0x66728b test edx, 0x763c3768  ; flags only
0x667291 cmp si, dx  ; flags only
0x667294 add edi, eax  ; live: edi += decoded dword; flags rewritten here
去除所有无条件 JMP 和只影响 flag 的指令 (stc/clc/cmc/test/cmp)。注意这一步并不总是安全的: 只有在下一次改写 flag 之前没有任何指令读取 flag 时, flag 指令才是死代码。本段里读取 flag 的指令 (0x67b854 rcr al、0x67b873 cmova bp, si、0x67b889 sbb edi, eax、0x67b8ac sbb bp, 0x619b 等) 的目标寄存器随后都被覆盖, 所以它们本身也是死代码, 删除才成立; 换一段 trace 必须重新检查。另外 pushfd 保存的是调用者的 EFLAGS, 是一次栈写入, 不能当作 flag 指令删除。
0x665150 push 0x5618ae2c  ; survives: stack write (slot 0 of the simulated stack)
0x665155 call 0x54ef36  ; survives: pushes the return address (slot -4)
0x54ef36 pushfd  ; correctly kept: writes the caller's EFLAGS to the stack, not a flag-only instruction
0x67b850 push edx
0x67b851 push esi
0x67b853 push eax  ; the original eax, pushed before the mangling below
0x67b854 rcr al, 0x70  ; NOTE: reads CF, but its producer (stc at 0x67b852) was removed in this pass; harmless only because al is dead (mov eax, 0 at 0x67b861)
0x67b857 push ecx
0x67b858 bswap eax  ; dead
0x67b85a not al  ; dead
0x67b85c rol al, cl  ; dead
0x67b85e push ebx
0x67b85f push ebp  ; real read of ebp -- the backward dead-store walk from 0x67b896 stops here
0x67b860 push edi
0x67b861 mov eax, 0
0x67b866 rol bp, -0x3b  ; dead
0x67b86a push eax  ; pushes 0
0x67b86b mov esi, dword ptr [esp + 0x28]  ; esp is at slot -0x28, so this reads slot 0: 0x5618ae2c
0x67b86f rcr bp, -0x72  ; flag consumer kept after its producers were removed; dead anyway
0x67b873 cmova bp, si  ; same
0x67b877 rol esi, 3
0x67b87a sar ebx, cl  ; dead
0x67b87c bsr bp, di  ; dead
0x67b880 sar ebx, -0x6c  ; dead
0x67b883 xor esi, 0x34952d6c
0x67b889 sbb edi, eax  ; reads CF; dead (edi rewritten at 0x67b8cf)
0x67b88b lea esi, [esi + 0x28803bf1]
0x67b891 sub di, 0x69a5  ; dead
0x67b896 movsx ebp, di  ; dead
0x67b899 rcr edi, -0x37  ; reads CF; dead
0x67b89c bswap esi
0x67b89e not esi
0x67b8a0 lea esi, [esi + eax]  ; eax == 0: no-op
0x67b8a6 sub edi, 0x502f0448  ; dead
0x67b8ac sbb bp, 0x619b  ; reads CF; dead
0x67b8b1 mov ebp, esp
0x67b8b3 sub esp, 0xc0
0x67b8bc mov ebx, esi
0x67b8be or eax, 0x688512e0  ; dead
0x67b8c3 mov eax, 0
0x67b8c8 and edi, ecx  ; dead
0x67b8ca movsx edi, si  ; dead
0x67b8cd sub ebx, eax  ; no-op (eax == 0)
0x67b8cf lea edi, [0x67b8cf]  ; edi = 0x67b8cf
0x67b8d5 sub esi, 4
0x67b8db movsx ax, ch  ; dead
0x67b8df mov eax, dword ptr [esi]
0x67b8e3 cmp ax, si  ; flag-only leftover: should have gone with the other cmp/test in this pass; no consumer
0x67b8e7 xor eax, ebx
0x67b8e9 bswap eax
0x67b8ed neg eax
0x67042b dec eax
0x67042f ror eax, 1
0x670431 test bp, 0x557  ; flag-only leftover; no consumer before xor ebx, eax rewrites flags
0x670436 cmp bx, si  ; flag-only leftover
0x667287 not eax
0x667289 xor ebx, eax
0x66728b test edx, 0x763c3768  ; flag-only leftover
0x667291 cmp si, dx  ; flag-only leftover; no consumer before add edi, eax
0x667294 add edi, eax
进行常量,赋值传播的优化和栈操作的优化。
常量传播的优化原则: 将后续指令对这个变量的引用都替换成常量, 直到碰到一条对这个变量的写入为止。这里的“写入”要包括部分寄存器写入 (al/ax/ah 等, 如 0x67b85a not al、0x67b8db movsx ax, ch) 和读改写指令 (如 or eax, imm), 否则会把已经变化的值当成常量继续传播。
栈操作的优化: 我们自己定义以 0 为基址的模拟栈, 把所有 push/pop/call/pushfd 以及通过 esp (以及 mov ebp, esp 之后可能出现的 [ebp + x]) 的内存访问都映射到这个模拟栈上。前提是 esp 相对基址的偏移在每条指令处都是已知常量; 遇到偏移未知的访问时模拟必须停止。
赋值传播 (实际上是死存储删除, dead store elimination): 遇到一条对某变量的写入时, 向前删除对这个变量的写入指令, 直到遇到一条真正读取它的指令为止。注意读取也包括部分寄存器 (bp、di、al 等) 的读取以及 push, 例如 0x67b85f push ebp 读取了 ebp, 向前删除到它为止。
0x665150 push 0x5618ae2c  ; slot 0 of the simulated stack
0x665155 call 0x54ef36  ; return address: slot -4
0x54ef36 pushfd  ; caller EFLAGS: slot -8
0x67b850 push edx  ; slot -0xc
0x67b851 push esi  ; slot -0x10
0x67b853 push eax  ; slot -0x14, original eax (the read happens BEFORE the rcr below)
0x67b854 rcr al, 0x70  ; dead store as well: its only readers are the three dead writes below
0x67b857 push ecx  ; slot -0x18
0x67b858 bswap eax  ; dead
0x67b85a not al  ; dead
0x67b85c rol al, cl  ; dead
0x67b85e push ebx  ; slot -0x1c
0x67b85f push ebp  ; slot -0x20
0x67b860 push edi  ; slot -0x24
0x67b861 mov eax, 0  ; eax constant from here: trigger for the backward dead-store walk above
0x67b866 rol bp, -0x3b  ; dead (bp rewritten before any live read)
0x67b86a push eax  ; slot -0x28, value 0
例如: 0x67b861 mov eax, 0 这条指令, 说明 eax 从这里起是一个常量, 这时将之前所有对 eax 的写入指令删除, 直到遇到一条读取 eax 的指令为止 (这里是 0x67b853 push eax, 它压入的是被改写之前的 eax)。
被删除的指令 : 0x67b854 rcr al, 0x70
0x67b858 bswap eax
0x67b85a not al
0x67b85c rol al, cl
将后续所有eax的引用指令变为引用常量:
0x67b86a push eax ===> 0x67b86a push 0
0x67b889 sbb edi, eax ===> 0x67b889 sbb edi, 0 (注意 sbb 仍会减去 CF, 不是空操作; 它最终被删是因为 edi 在 0x67b8cf 被重新赋值)
0x67b8a0 lea esi, [esi + eax] ===> 0x67b8a0 lea esi, [esi + 0] (等价于空操作, 可以直接删除)
0x67b8be or eax, 0x688512e0 ===> 这是一条读改写指令, 既读又写 eax, 常量传播到此停止; 它本身又被紧接着的 0x67b8c3 mov eax, 0 覆盖, 属于死代码
再将堆栈模拟后,上述代码就变成了
0x67b861 mov eax, 0  ; the constant source
0x67b866 rol bp, -0x3b  ; still here after the eax pass; dead itself (bp rewritten at 0x67b896 / 0x67b8b1) and removed in the ebp pass
0x67b86a push 0  ; propagated constant; simulated stack slot -0x28
我们的堆栈 (模拟栈, 以 push 0x5618ae2c 之后的 esp 为偏移 0, 每行为: 内容 偏移):
0x5618ae2c 0
ret -4
fd -8
edx -c
esi -10
eax -14
ecx -18
ebx -1c
ebp -20
edi -24
0x0 -28
轮到栈模拟出手了: 我们碰到了 0x67b86b mov esi, dword ptr [esp + 0x28] 这条指令。此时 esp 在模拟栈的偏移 -0x28 处, -0x28 + 0x28 = 0,
它取到的是偏移 0 处的值 0x5618ae2c, 所以又可以对 esi 进行常量传播。不过很遗憾的是, 在接着往下扫的时候, 我们碰到的是一条赋值语句:
0x67b896 movsx ebp, di
这是一条对 ebp 的完整写入, 所以可以把前面所有对 ebp/bp 的写入 (0x67b866 rol bp、0x67b86f rcr bp、0x67b873 cmova bp, si、0x67b87c bsr bp, di) 全部删掉, 向前删到 0x67b85f push ebp 这条真正读取 ebp 的指令为止。
0x67b8b1 mov ebp, esp
又遇到一条完整写入, 继续删: 这次连 0x67b896 movsx ebp, di 本身、0x67b8ac sbb bp, 0x619b 以及只读 bp 产生 flag 的 0x67b8a3 test bp, si 一起删掉, 因为它们的结果在 mov ebp, esp 之前没有被任何指令读取。
0x67b8bc mov ebx, esi 继续
0x67b8c3 mov eax, 0 删除前面对 eax 的死写入 0x67b8be or eax, 0x688512e0 (它和这条 mov 之间没有对 eax 的读取)
...
边计算边删除
最后得到的结果是
0x67b86b mov esi, 0x5618ae2c  ; [esp + 0x28] folded through the simulated stack (slot 0)
0x67b877 rol esi, 3 esi = B0C57162  ; checked: (0x5618ae2c << 3) | (0x5618ae2c >> 29)
0x67b883 xor esi, 0x34952d6c 84505C0E  ; checked
0x67b88b add esi, 0x28803bf1 ACD097FF  ; was lea esi, [esi + 0x28803bf1]; checked
0x67b89c bswap esi FF97D0AC  ; checked
0x67b89e not esi 00682F53  ; checked
0x67b8b1 mov ebp, esp  ; ebp -> the saved-register block (slot -0x28 of the simulated stack)
0x67b8b3 sub esp, 0xc0  ; 0xc0 bytes of scratch below it; any write there needs the simulated stack extended
0x67b8bc mov ebx, 00682F53 ebx = 00682F53  ; ebx seeded from esi; updated again at 0x667289 from the decoded dword
0x67b8cf mov edi, 0x0067b8cf  ; from lea edi, [0x67b8cf]: an absolute address, not a PC-relative one
0x67b8d5 sub esi, 4 esi = 00682F4F  ; esi moves DOWNWARD: the next dword is fetched 4 bytes below
0x67b8df mov eax, dword ptr [00682F4F] eax = 4371D1AC  ; the only non-foldable step: value comes from the target image at 0x00682F4F -- re-read it from your own dump
0x67b8e7 xor eax, 00682F53 eax = 4319FEFF  ; checked
0x67b8e9 bswap eax eax = FFFE1943  ; checked
0x67b8ed neg eax eax = 0001E6BD  ; checked (two's complement of 0xFFFE1943)
0x67042b dec eax eax = 0001E6BC  ; checked
0x67042f ror eax, 1 eax = 0000F35E  ; checked (low bit was 0, nothing wraps into bit 31)
0x667287 not eax eax = FFFF0CA1  ; checked
0x667289 xor ebx, FFFF0CA1 ebx = FF9723F2  ; checked; ebx now depends on the fetched dword
0x667294 add edi, FFFF0CA1 edi = 0066C570  ; checked: 0x0067b8cf + 0xFFFF0CA1 mod 2^32
到这里就得到了我们需要的 edi = 0x0066C570 和 ebx = 0xFF9723F2 (ebx 在 0x667289 被解码值更新, edi 在 0x667294 被解码值累加, 二者的具体用途取决于后续代码, 本段没有给出)。整条链里只有 0x67b8df 那一次内存读取 (从 0x00682F4F 取到 0x4371D1AC) 依赖目标文件的内容, 其余全是可以离线复算的常量运算; 在自己的样本上复现时, 如果样本被重定位到了不同基址, 压入的立即数 0x5618ae2c 和 lea edi 的绝对地址都会随之变化, 需要按实际基址重新计算。