标 题:
anti trick Ⅱ -- InString
发帖人:Immlep
时 间: 2005-09-16 11:04
原文链接:http://bbs.pediy.com/showthread.php?threadid=16944
详细信息:
anti trick Ⅱ -- InString
site:www.ptteam.com
by 来自轻院的狼[Immlep]
这个不是什么新鲜的东西,不过我还没有见过有人在壳中使用的,用这个来做anti,它比FindWindow强很多了,不过这些东西说出来后,以后就没什么,可能以后你一看到类似的anti你就会很清楚了,另外这个anti调用的函数过多,代码长,挺不好的,本文中的例子(InString )是我引用现成的代码的,只不过做了一下简单的修改。思路是使用GetWindow循环获取系统的窗口的标题,查看标题中是否包含了要查找的关键字,如果发现,就做坏事,这个来检测Ollydbg也挺好的,可以检测"- [CPU - ",这样的字样,另外因为Ollydbg调试的时候会把被调试程序的名称显示在Ollydbg的窗口中,所以我们也可以检测“-debugme.exe-[”这样的字符(debugme.exe为被调试程序的名称,你可以用GetFullFilename等函数来获取被加壳后程序的名称,然后再处理一下),当然最好先给这些字符加密一下了。。
还有你可以用InString来做不anti的其它事情,这样可以防止调试者在InString做手脚,另外这个anti调用的函数,你最好也让它干一些有用的东西,不要只拿来做anti,很容易被hook的:)
我测试了一下,anti效果还是良好的,什么修改版的Od都被干掉了(当然不保证以后),SoftICE的loader也不例外:)
代码:
searchtext PROC
;-----------------------------------------------------------------------
; searchtext
; Purpose: walk every top-level window, read its caption into buff and,
;          when the caption contains the pattern held in buff2, post
;          WM_QUIT to that window (the page's anti-debugger example).
; Target:  32-bit x86, MASM syntax, Win32 stdcall APIs via invoke.
; Globals: hwindow (current HWND), buff (caption, 200 bytes requested),
;          buff2 (pattern) -- all declared outside this listing.
; Note:    hwindow/buff/buff2 are addressed absolutely here, while
;          _InString below uses [EBP+OFFSET ...]; presumably EBP holds a
;          load delta for use inside a packer -- its setup is not shown.
; Exit:    falls out to loc111, which is defined outside this block.
; Clobb:   eax, ecx, flags (plus whatever the invoked APIs clobber).
;-----------------------------------------------------------------------
    invoke GetDesktopWindow
    invoke GetWindow,eax,GW_CHILD           ; first top-level window
@1:
    mov hwindow,eax
    invoke GetWindowText,hwindow,ADDR buff,200  ; assumes buff >= 200 bytes (declared elsewhere) -- verify
    cmp eax,0
    jz skip1                                ; empty caption: nothing to search
    ;lea edi,offset buff
    push offset buff2                       ; pattern to look for in the caption, e.g. "- [CPU - "
    push offset buff                        ; caption of the window just read
    push 1                                  ; 1-based start position: first character
    call _InString
    add esp,0ch                             ; caller-cleaned, 3 DWORD args
    ;invoke InString,1,addr buff,addr buff2
    cmp eax,0
    jz @F                                   ; 0 = pattern not found (also <0 treated as "found" here)
    invoke PostMessage,hwindow,WM_QUIT,0,0  ; author's note: in a packer this reaction is easy to trace; it is kept simple for the example
    ;invoke MessageBox,NULL,addr szdbtext1,addr szdbtext1,MB_OK
skip1:
@@:
    invoke GetWindow,hwindow,GW_HWNDNEXT    ; next sibling in Z order
    cmp eax,NULL
    jne @1
    jmp loc111                              ; continue elsewhere (label outside this block)

;-----------------------------------------------------------------------
; _InString  (author: relocation-aware rewrite of MASM32's InString)
; Stack in (after the push eax): [ESP+8] = StartPos (1-based),
;          [ESP+0ch] = lpszString (main string), [ESP+10h] = lpszSubStr.
; Out:     eax = 1-based position of lpszSubStr in lpszString,
;          0 when not found (or substring longer than the string),
;          -2 when StartPos < 1.
; State:   the dd/byte cells below live inside the code section and are
;          written at run time, so that section must be writable.
;          Every cell is reached as [EBP+OFFSET cell]; EBP is presumed
;          to be the image load delta -- confirm against the caller.
; Clobb:   eax, ecx, flags. esi/edi/ebx are saved and restored.
;-----------------------------------------------------------------------
_InString:
    jmp @F                                  ; skip over the in-line storage
StartPos dd 0
lpszString dd 0
lpszSubStr dd 0
lnStrng dd 0
lnSubSt dd 0
reg1 dd 0
reg2 dd 0
Byte1 byte 0
@@:
    push eax                                ; eax is scratch while the args are copied out
    mov eax,DWORD PTR [ESP+8]               ; StartPos
    mov [EBP+OFFSET StartPos],eax
    pop eax
    push eax
    mov eax,DWORD PTR [ESP+0ch]             ; lpszString
    mov [EBP+OFFSET lpszString],eax
    pop eax
    push eax
    mov eax,DWORD PTR [ESP+10h]             ; lpszSubStr
    mov [EBP+OFFSET lpszSubStr],eax
    pop eax
    push esi
    push edi
    push ebx
    ; NOTE(review): MASM .if on a DWORD cell compares unsigned, so this
    ; only catches StartPos == 0; a negative StartPos wraps -- confirm.
    .if [EBP+OFFSET StartPos] < 1
        mov eax, -2                         ; error code for StartPos < 1
        jmp @@Get_Outa_Here
    .endif
    dec [EBP+OFFSET StartPos]               ; 1-based -> 0-based index
    mov eax,[EBP+OFFSET lpszString]
    call _lstrlen                           ; local strlen instead of the imported lstrlen
    mov [EBP+OFFSET lnStrng], eax
    push eax
    mov eax,[EBP+OFFSET lpszSubStr]
    call _lstrlen
    mov [EBP+OFFSET lnSubSt], eax
    pop eax
    sub eax, [EBP+OFFSET lnSubSt]           ; eax = last 0-based position a match can start at
    ; The order of the tests below matters: the first one also catches
    ; an unsigned wrap when the substring is longer than the string.
    .if eax >= [EBP+OFFSET lnStrng]         ; substring longer than (or equal-length with zero) string
        mov eax,0
        jmp @@Get_Outa_Here
    .elseif [EBP+OFFSET StartPos] == eax    ; only one position left to test
        jmp Same_Size
    .elseif [EBP+OFFSET StartPos] > eax     ; start position beyond the last possible match
        mov eax, 0
        jmp @@Get_Outa_Here
    .elseif eax == 0                        ; both strings have the same length
        jmp Same_Size
    .endif
    mov esi, [EBP+OFFSET lpszSubStr]
    mov bl, [esi]                           ; bl = first byte of the substring
    ; -------------------------------------------------------
    ; ecx = one past the last address a match may start at:
    ;       lpszString + lnStrng - lnSubSt + 1
    ; -------------------------------------------------------
    mov ecx, [EBP+OFFSET lpszString]
    add ecx, [EBP+OFFSET lnStrng]
    sub ecx, [EBP+OFFSET lnSubSt]
    inc ecx
    mov esi, [EBP+OFFSET lpszString]        ; esi = scan pointer into the main string
    add esi, [EBP+OFFSET StartPos]          ; start at the requested 0-based position
    cld                                     ; cmpsb below reads forward
@@L1s:                                      ; fast scan for the first byte (author's cycle counts kept)
    mov al, [esi]                           ; 1
    inc esi                                 ; 1
    cmp al, bl                              ; 1  first byte matches?
    je @F                                   ; 1-3  yes: compare the remaining bytes
@@L1r:
    cmp esi, ecx                            ; 1  reached the end of the scan range?
    jne @@L1s                               ; 3-1
    mov eax, 0                              ; no match anywhere
    jmp @@Get_Outa_Here
    ; ------------------------------------------------
    ; full comparison; esi already points one past the
    ; candidate's first byte
    ; ------------------------------------------------
@@:
    mov [EBP+OFFSET reg1], ecx              ; save scan state so the scan can resume on mismatch
    mov [EBP+OFFSET reg2], esi
    mov byte ptr[EBP+OFFSET Byte1], bl
    mov ecx, [EBP+OFFSET lnSubSt ]          ; bytes to compare
    .if ecx == 1
        inc esi                             ; one-byte pattern: the first-byte hit is the match
        jmp @@GetRetVal
    .endif
    inc ecx                                 ; compare lnSubSt+1 bytes so that ecx==0 <=> all lnSubSt bytes matched
    dec esi                                 ; back to the candidate's first byte
    mov edi, [EBP+OFFSET lpszSubStr]
    repe cmpsb                              ; stops on first mismatch or when ecx hits 0
    cmp ecx, 0                              ; ecx==0 means the whole substring matched
    jne @F                                  ; mismatch: restore state and keep scanning
@@GetRetVal:
    mov eax, [EBP+OFFSET lpszString]
    sub esi, eax                            ; esi = offset just past the match
    sub esi, [EBP+OFFSET lnSubSt]           ; esi = 1-based position of the match
    mov eax, esi
    ; NOTE(review): esi was already absolute (lpszString + StartPos + ...),
    ; so adding StartPos here looks like a double count when StartPos > 1.
    ; Harmless for searchtext, which always passes 1 -- confirm before reuse.
    add eax, [EBP+OFFSET StartPos]
    jmp @@Get_Outa_Here
@@:
    mov ecx, [EBP+OFFSET reg1]              ; restore scan end
    mov esi, [EBP+OFFSET reg2]              ; restore scan pointer (one past the false hit)
    mov bl,byte ptr[EBP+OFFSET Byte1]       ; restore first byte
    jmp @@L1r                               ; resume the first-byte scan
Same_Size:
    ; Exactly one candidate position: compare lnSubSt bytes in place.
    mov esi, [EBP+OFFSET lpszString ]
    add esi, [EBP+OFFSET StartPos ]
    mov edi, [EBP+OFFSET lpszSubStr]
    mov ecx, [EBP+OFFSET lnSubSt ]
    cld
    repe cmpsb
    .if ZERO?                               ; all bytes equal
        mov eax, [EBP+OFFSET StartPos ]
        inc eax                             ; back to a 1-based position
    .else
        mov eax, 0
    .endif
    jmp @@Get_Outa_Here

;-----------------------------------------------------------------------
; _lstrlen -- strlen without importing lstrlen
; In:    eax = NUL-terminated string
; Out:   eax = length in bytes
; Clobb: none besides eax (ecx, ebx and the flags are saved/restored).
; Scans byte-wise up to the next 4-byte boundary, then a DWORD at a time
; looking for a zero byte in any lane.
;-----------------------------------------------------------------------
_lstrlen:
    pushfd
    push ecx
    push ebx
    ;mov eax,lpStr
    lea ecx,[eax-1]                         ; ecx = cursor, pre-decremented for the inc below
l1:
    inc ecx
    test ecx,3                              ; aligned yet?
    jz l2
    cmp byte ptr[ecx],0
    jne l1
    jmp l6                                  ; NUL found in the unaligned head
l2:
    mov ebx,[ecx]                           ; U  load 4 bytes
    add ecx,4                               ; V
    test bl,bl                              ; U  byte 0 zero?
    jz l5                                   ; V
    test bh,bh                              ; U  byte 1 zero?
    jz l4                                   ; V
    test ebx,0ff0000h                       ; U  byte 2 zero?
    jz l3                                   ; V
    test ebx,0ff000000h                     ; U  byte 3 zero?
    jnz l2                                  ; V  no zero byte: next DWORD
    inc ecx                                 ; fall-through chain rebuilds the NUL's address: +3, +2, +1, +0 after the sub below
l3:
    inc ecx
l4:
    inc ecx
l5:
    sub ecx,4                               ; undo the add ecx,4 above
l6:
    sub ecx,eax                             ; length = NUL address - start
    mov eax,ecx
    pop ebx
    pop ecx
    popfd
    db 0C3h                                 ; ret, emitted as a raw byte (author's choice)

@@Get_Outa_Here:
    ; common exit for _InString: eax already holds the result
    pop ebx
    pop edi
    pop esi
    ret
searchtext endp
附件中是我写来测试这个anti的小例子,只能对付ollydbg
附件:crackme.rar