作者:graymice
日期:2009-8-19
目的:学习壳,学习WIN32汇编
声明:这里想和大家讨论,本人是菜鸟中的菜鸟,希望高手来指点,也希望大家一起讨论
**************************************
OD栽入代码在后面
*************************************
Win32汇编程序如下:
.386
.model flat,stdcall
Option casemap:none
.data
Segoffset db offset start-400000(这个值怎么动态取得?)
标志 dd 0 ;重入标志
加密长度 dd offset compressend-offset conpressstart
密钥 db 8e
.data?
加载地址 dd ?
申请空间地址 dd ?
.code
Start: ;编译时预设的地址
Pushad
Call delta ;重定位
Delta:
Pop ebp ;ebp=返回的地址,
MOV EDX,EBP ;保存返回地址到EDX,目的是让EBP里存放偏移量
SUB EBP,offset start ;这里402BC6是编译时的地址先,EBP=DELTA
;原来的数据地址+DELTA就是加载时的内存地址
SUB EDX,dword ptr [ebp+segoffset]
SUB EDX,6 ;EDX=OEP
MOV [ebp+加载地址],edx
CMP [ebp+标记],0
Jnz 003D73EA ;标志未设置,
MOV [ebp+标志],1
Mov ecx, [ebp+加密长度] ;解码长度(循环次数)
Lea esi,[ ebp+加密代码] ;加密代码起始地址
解密:
Mov al,[ebp+密钥]
Mov bl,esi
Xor al,bl ;解密算法: 密钥异或加密数据
Mov esi,al ;解密数据保存
Mov [ebp+密钥],bl ;加密数据作为新的密钥
Inc esi ;下个将要解密的数据指针
Loop 解密
加密代码:
Pushaf
Pop eax ;标志寄存器=EAX
Test ah,1 ;判断TF(切换到单步运行模式)是否置位
Je 取函数地址 ;=1,就更改主要地方的代码
Xor 主要地方地址的一个字节,OFF
取函数地址:
Mov esi,源文件区块数
Mov eax,ebp ;备份DELTA
Push esi
Push eax
Mov ecx,申请空间大小
Invoke VirtualAlloc,0,ecx,1000,4
Mov申请空间地址,eax
Pop eax
Pop esi
Push esi
Push eax
Mov esi, Segoffset ;代码段偏移量
Mov edx,映射基地址
Mov ecx, 申请空间大小
Add esi,edx
Pushad
Mov edi,esi
Xor eax,eax
代码段加密解密:
Lods esi
Xor esi, 主要地方地址的一个字节
Stos edi
Loopd
Popad代码段加密
Mov edi, 申请空间地址
Rep movs edi,esi ;搬运代码段数据到申请空间地址
Mov esi, 申请空间地址 ;加密数据
Mov edi, Segoffset
add edi,edx(映射基地址) ;得到代码段地址
invode 解密函数,代码段地址,加密数据地址
invoke VirtualFree, 申请空间地址, 申请空间大小,4000
jmp代码段加密解密 ;对所有段进行解密
解密函数:
Pushad
Mov esi, 加密数据地址
Mov edi, 代码段地址
Cld ;清除方向标志,esi,edi自动+1
Retn
解密算法:(没有理解完全)(谁能把这个算法写成C语言,帮忙一下)
{
003D74BD 60 pushad
003D74BE 8B7424 24 mov esi, dword ptr ss:[esp+24]
003D74C2 8B7C24 28 mov edi, dword ptr ss:[esp+28]
003D74C6 FC cld
003D74C7 B2 80 mov dl, 80
003D74C9 8A06 mov al, byte ptr ds:[esi]
003D74CB 46 inc esi
003D74CC 8807 mov byte ptr ds:[edi], al
003D74CE 47 inc edi
003D74CF 00D2 add dl, dl
003D74D1 75 05 jnz short EdrLib.003D74D8
003D74D3 8A16 mov dl, byte ptr ds:[esi]
003D74D5 46 inc esi
003D74D6 10D2 adc dl, dl
003D74D8 ^ 73 EF jnb short EdrLib.003D74C9
003D74DA 00D2 add dl, dl
003D74DC 75 05 jnz short EdrLib.003D74E3
003D74DE 8A16 mov dl, byte ptr ds:[esi]
003D74E0 46 inc esi
003D74E1 10D2 adc dl, dl
003D74E3 73 4A jnb short EdrLib.003D752F
003D74E5 31C0 xor eax, eax
003D74E7 00D2 add dl, dl
003D74E9 75 05 jnz short EdrLib.003D74F0
003D74EB 8A16 mov dl, byte ptr ds:[esi]
003D74ED 46 inc esi
003D74EE 10D2 adc dl, dl
003D74F0 0F83 DB000000 jnb EdrLib.003D75D1
003D74F6 00D2 add dl, dl
003D74F8 75 05 jnz short EdrLib.003D74FF
003D74FA 8A16 mov dl, byte ptr ds:[esi]
003D74FC 46 inc esi
003D74FD 10D2 adc dl, dl
003D74FF 11C0 adc eax, eax
003D7501 00D2 add dl, dl
003D7503 75 05 jnz short EdrLib.003D750A
003D7505 8A16 mov dl, byte ptr ds:[esi]
003D7507 46 inc esi
003D7508 10D2 adc dl, dl
003D750A 11C0 adc eax, eax
003D750C 00D2 add dl, dl
003D750E 75 05 jnz short EdrLib.003D7515
003D7510 8A16 mov dl, byte ptr ds:[esi]
003D7512 46 inc esi
003D7513 10D2 adc dl, dl
003D7515 11C0 adc eax, eax
003D7517 00D2 add dl, dl
003D7519 75 05 jnz short EdrLib.003D7520
003D751B 8A16 mov dl, byte ptr ds:[esi]
003D751D 46 inc esi
003D751E 10D2 adc dl, dl
003D7520 11C0 adc eax, eax
003D7522 74 06 je short EdrLib.003D752A
003D7524 57 push edi
003D7525 29C7 sub edi, eax
003D7527 8A07 mov al, byte ptr ds:[edi]
003D7529 5F pop edi
003D752A 8807 mov byte ptr ds:[edi], al
003D752C 47 inc edi
003D752D ^ EB A0 jmp short EdrLib.003D74CF
003D752F B8 01000000 mov eax, 1
003D7534 00D2 add dl, dl
003D7536 75 05 jnz short EdrLib.003D753D
003D7538 8A16 mov dl, byte ptr ds:[esi]
003D753A 46 inc esi
003D753B 10D2 adc dl, dl
003D753D 11C0 adc eax, eax
003D753F 00D2 add dl, dl
003D7541 75 05 jnz short EdrLib.003D7548
003D7543 8A16 mov dl, byte ptr ds:[esi]
003D7545 46 inc esi
003D7546 10D2 adc dl, dl
003D7548 ^ 72 EA jb short EdrLib.003D7534
003D754A 2D 02000000 sub eax, 2
003D754F 75 28 jnz short EdrLib.003D7579
003D7551 B9 01000000 mov ecx, 1
003D7556 00D2 add dl, dl
003D7558 75 05 jnz short EdrLib.003D755F
003D755A 8A16 mov dl, byte ptr ds:[esi]
003D755C 46 inc esi
003D755D 10D2 adc dl, dl
003D755F 11C9 adc ecx, ecx
003D7561 00D2 add dl, dl
003D7563 75 05 jnz short EdrLib.003D756A
003D7565 8A16 mov dl, byte ptr ds:[esi]
003D7567 46 inc esi
003D7568 10D2 adc dl, dl
003D756A ^ 72 EA jb short EdrLib.003D7556
003D756C 56 push esi
003D756D 89FE mov esi, edi
003D756F 29EE sub esi, ebp
003D7571 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
003D7573 5E pop esi
003D7574 ^ E9 56FFFFFF jmp EdrLib.003D74CF
003D7579 48 dec eax
003D757A C1E0 08 shl eax, 8
003D757D 8A06 mov al, byte ptr ds:[esi]
003D757F 46 inc esi
003D7580 89C5 mov ebp, eax
003D7582 B9 01000000 mov ecx, 1
003D7587 00D2 add dl, dl
003D7589 75 05 jnz short EdrLib.003D7590
003D758B 8A16 mov dl, byte ptr ds:[esi]
003D758D 46 inc esi
003D758E 10D2 adc dl, dl
003D7590 11C9 adc ecx, ecx
003D7592 00D2 add dl, dl
003D7594 75 05 jnz short EdrLib.003D759B
003D7596 8A16 mov dl, byte ptr ds:[esi]
003D7598 46 inc esi
003D7599 10D2 adc dl, dl
003D759B ^ 72 EA jb short EdrLib.003D7587
003D759D 3D 007D0000 cmp eax, 7D00
003D75A2 73 1A jnb short EdrLib.003D75BE
003D75A4 3D 00050000 cmp eax, 500
003D75A9 72 0E jb short EdrLib.003D75B9
003D75AB 41 inc ecx
003D75AC 56 push esi
003D75AD 89FE mov esi, edi
003D75AF 29C6 sub esi, eax
003D75B1 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
003D75B3 5E pop esi
003D75B4 ^ E9 16FFFFFF jmp EdrLib.003D74CF
003D75B9 83F8 7F cmp eax, 7F
003D75BC 77 06 ja short EdrLib.003D75C4
003D75BE 81C1 02000000 add ecx, 2
003D75C4 56 push esi
003D75C5 89FE mov esi, edi
003D75C7 29C6 sub esi, eax
003D75C9 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
003D75CB 5E pop esi
003D75CC ^ E9 FEFEFFFF jmp EdrLib.003D74CF
003D75D1 8A06 mov al, byte ptr ds:[esi]
003D75D3 46 inc esi
003D75D4 31C9 xor ecx, ecx
003D75D6 C0E8 01 shr al, 1
003D75D9 74 12 je short EdrLib.003D75ED
003D75DB 83D1 02 adc ecx, 2
003D75DE 89C5 mov ebp, eax
003D75E0 56 push esi
003D75E1 89FE mov esi, edi
003D75E3 29C6 sub esi, eax
003D75E5 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
003D75E7 5E pop esi
003D75E8 ^ E9 E2FEFFFF jmp EdrLib.003D74CF
003D75ED 2B7C24 28 sub edi, dword ptr ss:[esp+28]
003D75F1 897C24 1C mov dword ptr ss:[esp+1C], edi
003D75F5 61 popad
003D75F6 C3 retn
}
********************************解密函数结束*******************************
003D7000 > 60 pushad ;现场环境压栈保存
003D7001 E8 00000000 call EdrLib.003D7006
003D7006 5D pop ebp
003D7007 8BD5 mov edx, ebp
003D7009 81ED C62B4000 sub ebp, 402BC6 ;
003D700F 2B95 61344000 sub edx, dword ptr ss:[ebp+403461]
003D7015 81EA 06000000 sub edx, 6
003D701B 8995 65344000 mov dword ptr ss:[ebp+403465], edx
003D7021 83BD 69344000 00 cmp dword ptr ss:[ebp+403469], 0
003D7028 0F85 BC030000 jnz EdrLib.003D73EA
003D702E C785 69344000 01000>mov dword ptr ss:[ebp+403469], 1
003D7038 B9 88070000 mov ecx, 788
003D703D 8DB5 182C4000 lea esi, dword ptr ss:[ebp+402C18]
003D7043 8A85 60344000 mov al, byte ptr ss:[ebp+403460]
003D7049 8A1E mov bl, byte ptr ds:[esi]
003D704B 32C3 xor al, bl
003D704D 8806 mov byte ptr ds:[esi], al
003D704F 889D 60344000 mov byte ptr ss:[ebp+403460], bl
003D7055 46 inc esi
003D7056 ^ E2 EB loopd short EdrLib.003D7043
下面的代码是经过加密的,算法就是上面说的
解密后的代码就好看多了(呵呵)
003D7058 9C pushfd
003D7059 58 pop eax
003D705A F6C4 01 test ah, 1
003D705D 74 07 je short EdrLib.003D7066
003D705F 80B5 D72F4000 FF xor byte ptr ss:[ebp+402FD7], 0FF
003D7066 8BB5 01324000 mov esi, dword ptr ss:[ebp+403201]
003D706C 8BC5 mov eax, ebp
003D706E 56 push esi
003D706F 50 push eax
003D7070 8B88 09324000 mov ecx, dword ptr ds:[eax+403209]
003D7076 6A 04 push 4
003D7078 68 00100000 push 1000
003D707D 51 push ecx
003D707E 6A 00 push 0
003D7080 FF95 EC334000 call near dword ptr ss:[ebp+4033EC]
003D7086 8985 E1314000 mov dword ptr ss:[ebp+4031E1], eax
003D708C 58 pop eax
003D708D 5E pop esi
003D708E 56 push esi
003D708F 50 push eax
003D7090 8BB0 05324000 mov esi, dword ptr ds:[eax+403205]
003D7096 8B95 65344000 mov edx, dword ptr ss:[ebp+403465]
003D709C 8B88 09324000 mov ecx, dword ptr ds:[eax+403209]
003D70A2 03F2 add esi, edx
003D70A4 60 pushad
003D70A5 8BFE mov edi, esi
003D70A7 33C0 xor eax, eax
003D70A9 AC lods byte ptr ds:[esi]
003D70AA 3285 D72F4000 xor al, byte ptr ss:[ebp+402FD7]
003D70B0 AA stos byte ptr es:[edi]
003D70B1 ^ E2 F6 loopd short EdrLib.003D70A9
003D70B3 61 popad
003D70B4 8BBD E1314000 mov edi, dword ptr ss:[ebp+4031E1]
003D70BA F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
003D70BC 8BB5 E1314000 mov esi, dword ptr ss:[ebp+4031E1]
003D70C2 8BB8 05324000 mov edi, dword ptr ds:[eax+403205]
003D70C8 03FA add edi, edx
003D70CA 57 push edi
003D70CB 56 push esi
003D70CC E8 EC030000 call EdrLib.003D74BD
{
}
这里是经过加密的
003D7058 124A BC adc cl, byte ptr ds:[edx-44]
003D705B 78 79 js short EdrLib.003D70D6
003D705D 0D 0A8A3FE8 or eax, E83F8A0A
………………………
……………………
OEP:这里就到了
003D11C9 55 push ebp
003D11CA 8BEC mov ebp, esp
003D11CC 53 push ebx
003D11CD 8B5D 08 mov ebx, dword ptr ss:[ebp+8]
003D11D0 56 push esi
003D11D1 8B75 0C mov esi, dword ptr ss:[ebp+C]
003D11D4 57 push edi
003D11D5 8B7D 10 mov edi, dword ptr ss:[ebp+10]
003D11D8 85F6 test esi, esi
003D11DA 75 09 jnz short EdrLib.003D11E5
003D11DC 833D 60533D00 00 cmp dword ptr ds:[3D5360], 0
003D11E3 EB 26 jmp short EdrLib.003D120B
003D11E5 83FE 01 cmp esi, 1
003D11E8 74 05 je short EdrLib.003D11EF
003D11EA 83FE 02 cmp esi, 2
003D11ED 75 22 jnz short EdrLib.003D1211
003D11EF A1 DC583D00 mov eax, dword ptr ds:[3D58DC]
003D11F4 85C0 test eax, eax
003D11F6 74 09 je short EdrLib.003D1201
003D11F8 57 push edi
003D11F9 56 push esi
003D11FA 53 push ebx
003D11FB FFD0 call near eax
003D11FD 85C0 test eax, eax
003D11FF 74 0C je short EdrLib.003D120D
- 标 题:JDPack脱分析笔记(一)
- 作 者:graymice
- 时 间:2009-08-20 13:11:40
- 链 接:http://bbs.pediy.com/showthread.php?t=96148