-
Notifications
You must be signed in to change notification settings - Fork 25
/
example_recover.txt
227 lines (221 loc) · 6.58 KB
/
example_recover.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
original code:
VIRTUALIZER_START
bar:
xor eax, 1111h
xor ebx, 2222h
xor ecx, 3333h
xor edx, 4444h
xor ebp, 5555h
xor esi, 6666h
xor edi, 7777h
mov edx, offset x
mov dword ptr [edx+eax], 1
VIRTUALIZER_END
recovery from CVL:
0x00000000 000[07] load ptr eflags
0x00000002 001 store addr
0x00000003 018 store dword [addr]
vm_eflags <- eflags
0x00000004 000[03] load ptr edi
0x00000006 001 store addr
0x00000007 018 store dword [addr]
vm_edi <- edi
0x00000008 000[04] load ptr esi
0x0000000a 001 store addr
0x0000000b 018 store dword [addr]
vm_esi <- esi
0x0000000c 000[00] load ptr ebp
0x0000000e 001 store addr
0x0000000f 018 store dword [addr]
vm_ebp <- ebp
0x00000010 000[01] load ptr ebx
0x00000012 001 store addr
0x00000013 018 store dword [addr]
vm_ebx <- ebx
0x00000014 157[02] 157 param: 0x02
unk_157: mov byte [edi+28h], 2
0x00000016 000[01] load ptr ebx
0x00000018 001 store addr
0x00000019 018 store dword [addr]
vm_ebx <- ebx
0x0000001a 000[05] load ptr edx
0x0000001c 001 store addr
0x0000001d 018 store dword [addr]
vm_edx <- edx
0x0000001e 000[02] load ptr ecx
0x00000020 001 store addr
0x00000021 018 store dword [addr]
vm_ecx <- ecx
0x00000022 000[06] load ptr eax
0x00000024 001 store addr
0x00000025 018 store dword [addr]
vm_eax <- eax
0x00000026 14e move addr, STACK
0x00000027 009 load addr
0x00000028 004[00000004] load dword 0x4L
0x0000002d 006 add. dword
0x0000002e 208 move STACK, [STACK]
0x0000002f 009 load addr
0x00000030 000[03] load ptr edi
0x00000032 001 store addr
0x00000033 00c load dword [addr]
0x00000034 001 store addr
0x00000035 001 store addr
0x00000036 000[06] load ptr eax
0x00000038 001 store addr
0x00000039 00c load dword [addr]
0x0000003a 004[00001111] load dword 0x1111L
0x0000003f 03d xor dword
0x00000040 01c[07] store dword eflags
0x00000042 000[06] load ptr eax
0x00000044 001 store addr
0x00000045 018 store dword [addr]
eax <- 0x1111L ^ eax
0x00000046 000[01] load ptr ebx
0x00000048 001 store addr
0x00000049 00c load dword [addr]
0x0000004a 004[00002222] load dword 0x2222L
0x0000004f 03d xor dword
0x00000050 009 load addr
0x00000051 009 load addr
0x00000052 004[00000004] load dword 0x4L
0x00000057 006 add. dword
0x00000058 001 store addr
0x00000059 001 store addr
0x0000005a 01c[07] store dword eflags
0x0000005c 009 load addr
0x0000005d 000[01] load ptr ebx
0x0000005f 001 store addr
0x00000060 001 store addr
0x00000061 000[01] load ptr ebx
0x00000063 001 store addr
0x00000064 018 store dword [addr]
ebx <- 0x2222L ^ ebx
0x00000065 000[02] load ptr ecx
0x00000067 001 store addr
0x00000068 00c load dword [addr]
0x00000069 004[00003333] load dword 0x3333L
0x0000006e 03d xor dword
0x0000006f 01c[07] store dword eflags
0x00000071 000[02] load ptr ecx
0x00000073 001 store addr
0x00000074 018 store dword [addr]
ecx <- 0x3333L ^ ecx
0x00000075 009 load addr
0x00000076 000[06] load ptr eax
0x00000078 001 store addr
0x00000079 001 store addr
0x0000007a 000[05] load ptr edx
0x0000007c 001 store addr
0x0000007d 00c load dword [addr]
0x0000007e 004[00004444] load dword 0x4444L
0x00000083 03d xor dword
0x00000084 01c[07] store dword eflags
0x00000086 000[05] load ptr edx
0x00000088 001 store addr
0x00000089 009 load addr
0x0000008a 009 load addr
0x0000008b 004[00000004] load dword 0x4L
0x00000090 006 add. dword
0x00000091 001 store addr
0x00000092 001 store addr
0x00000093 018 store dword [addr]
edx <- 0x4444L ^ edx
0x00000094 000[00] load ptr ebp
0x00000096 001 store addr
0x00000097 00c load dword [addr]
0x00000098 004[00005555] load dword 0x5555L
0x0000009d 000[02] load ptr ecx
0x0000009f 001 store addr
0x000000a0 00c load dword [addr]
0x000000a1 000[02] load ptr ecx
0x000000a3 001 store addr
0x000000a4 00c load dword [addr]
0x000000a5 024 add dword
0x000000a6 01c[07] store dword eflags
0x000000a8 001 store addr
0x000000a9 03d xor dword
0x000000aa 01c[07] store dword eflags
0x000000ac 000[00] load ptr ebp
0x000000ae 001 store addr
0x000000af 018 store dword [addr]
ebp <- 0x5555L ^ ebp
0x000000b0 000[04] load ptr esi
0x000000b2 001 store addr
0x000000b3 00c load dword [addr]
0x000000b4 004[00006666] load dword 0x6666L
0x000000b9 03d xor dword
0x000000ba 01c[07] store dword eflags
0x000000bc 000[04] load ptr esi
0x000000be 001 store addr
0x000000bf 018 store dword [addr]
esi <- 0x6666L ^ esi
0x000000c0 000[03] load ptr edi
0x000000c2 001 store addr
0x000000c3 00c load dword [addr]
0x000000c4 004[00007777] load dword 0x7777L
0x000000c9 03d xor dword
0x000000ca 01c[07] store dword eflags
0x000000cc 000[03] load ptr edi
0x000000ce 001 store addr
0x000000cf 009 load addr
0x000000d0 000[04] load ptr esi
0x000000d2 001 store addr
0x000000d3 001 store addr
0x000000d4 018 store dword [addr]
edi <- 0x7777L ^ edi
0x000000d5 004[00403000] load dword 0x403000L
0x000000da 009 load addr
0x000000db 003[53a5] load word 0x53a5L
0x000000de 003[1b62] load word 0x1b62L
0x000000e1 001 store addr
0x000000e2 001 store addr
0x000000e3 000[05] load ptr edx
0x000000e5 001 store addr
0x000000e6 018 store dword [addr]
edx <- 4206592
0x000000e7 009 load addr
0x000000e8 003[e92b] load word 0xe92bL
0x000000eb 003[7882] load word 0x7882L
0x000000ee 001 store addr
0x000000ef 001 store addr
0x000000f0 004[00000001] load dword 0x1L
0x000000f5 007[06] load dword eax
0x000000f7 001 store addr
0x000000f8 211[05] add_reg_to_addr edx
0x000000fa 018 store dword [addr]
[eax + edx] <- 1
0x000000fb 004[0040105b] load dword 0x40105bL
0x00000100 15d 15d
push_return_address: 0x0040105b
0x00000101 154[00000001] jmp $+0x1
jmp $+1
0x00000107 000[07] load ptr eflags
0x00000109 001 store addr
0x0000010a 00c load dword [addr]
0x0000010b 000[06] load ptr eax
0x0000010d 001 store addr
0x0000010e 00c load dword [addr]
0x0000010f 000[02] load ptr ecx
0x00000111 001 store addr
0x00000112 00c load dword [addr]
0x00000113 000[05] load ptr edx
0x00000115 001 store addr
0x00000116 00c load dword [addr]
0x00000117 000[01] load ptr ebx
0x00000119 001 store addr
0x0000011a 00c load dword [addr]
0x0000011b 000[01] load ptr ebx
0x0000011d 001 store addr
0x0000011e 00c load dword [addr]
0x0000011f 000[00] load ptr ebp
0x00000121 001 store addr
0x00000122 00c load dword [addr]
0x00000123 000[04] load ptr esi
0x00000125 001 store addr
0x00000126 00c load dword [addr]
0x00000127 000[03] load ptr edi
0x00000129 001 store addr
0x0000012a 00c load dword [addr]
0x0000012b 212 gtfo
gtfo