pandemonium:...
TRANSCRIPT
•
•
••
••
•
•
••
•
••
••
•
••
•
••
•
••
•
•
••
•
•
☓
☓
☓ ☓
☓ ☓
•
•
••
•
•
•
•
•
•
••
•
•
•
•
•
•
push esp
push ebp
push ebx
movi_i64 tmp12,$0x8260a634
st_i64 tmp12,env,$0xdae0
ld_i64 tmp12,env,$0xdad0
%2 = add i64 %env_v, 128
%3 = inttoptr i64 %2 to i64*
store i64 2187372084, i64* %3
•• -dse, -simplifycfg
•• -constprop
• -instcombine
(x = 14; y = x + 8) → (x = 14; y = 22)
(y = 3; ...; y = x + 1) → (...; y = x + 1)
(y = x + 2; z = y + 3) → (z = x + 5)
••
•
•
•
••
• Bb7g86hvE/
•
• GT7g86hvE/
••
•• NtDelayExecution(), WaitForSingleObject(), GetCursorPos(),……
••
cmp eax, 0x7DF
je 0xdeadbaad
if(x!=2015) Invalid.ASSERT( INPUT_*_*_* =0hex7DF );
mov esi, 0x13
mov edx, 0x7DF
••
mov esi, 0x13
…
mov esi, 0x7DF
(esi == 0x13) and (edx == 0x7DF)
(esi == 0x13) and (esi == 0x7DF)
/*
 * IsSleepPatched — timing probe around a fixed Sleep() call.
 *
 * Measures the tick count (GetTickCount(), milliseconds) before and after
 * Sleep(500). A genuine sleep elapses more than 450 ms; anything shorter
 * suggests the sleep was shortened or skipped by the execution environment.
 *
 * Returns: 0 if the elapsed time exceeds 450 ms (sleep looks genuine),
 *          1 otherwise (sleep looks patched).
 * Note: the subtraction is done in DWORD, so tick-count wraparound is
 * handled by unsigned arithmetic, as in the original.
 */
static inline int IsSleepPatched()
{
    DWORD before = GetTickCount();
    Sleep(500);
    DWORD elapsed = GetTickCount() - before;   /* unsigned, wrap-safe */

    /* Threshold is deliberately below 500 ms to tolerate timer granularity. */
    if (elapsed > 450)
        return 0;
    return 1;
}
• Sleep()
•
• RDTSC GetTickCount()
•
mov eax, edx
••
••
••
r3 = Load(r2) tr3 = tr2
••
x = get_input();
if (x == "a") {
    uri = "c2.php";
    msg = "a";
}
send(uri, msg);
x = get_input();
if (x > "a") {
    tmp = x + "a";
    msg = tmp − x;
}
send(uri, msg);
-early-cse,-constprop,-instcombine
•
•
•
••
•
•
•• 999bc5e16312db6abff5f6c9e54c546f• b44634d90a9ff2ed8a9d0304c11bf612• dd207384b31d118745ebc83203a4b04a• B44634d90a9ff2ed8a9d0304c11bf612• 999bc5e16312db6abff5f6c9e54c546f
• PEB.NumberOfProcessors
•
•• eee1bdb8d4ad98cce0031ed6ca43274a
• 84826d5e65987c131a80b1a3aa53ce17
• a2a7d4f75fc263648824facb0757a3c7
•• nop(0x90) 0x32, 0x26, 0xF3
•
•
••
••
••
•
••
•
••
•
••
••
••
••
•
•
••
•