这是我见到的一个比较花哨的花指令。
下面介绍如何手动清除花指令,供大家参考。
某程序用W32DASM反汇编后如下:
:10001000 55                      push ebp
:10001001 8BEC                    mov ebp, esp
:10001003 81EC10030000            sub esp, 00000310
:10001009 53                      push ebx
:1000100A 56                      push esi
:1000100B 57                      push edi
:1000100C 780D                    js 1000101B
:1000100E 87ED                    xchg ebp, ebp          ;==nop
:10001010 7704                    ja 10001016
:10001012 87DB                    xchg ebx, ebx          ;==nop
:10001014 7400                    je 10001016
:10001016 7008                    jo 10001020   ----\
:10001018 90                      nop               |==jmp 10001020
:10001019 7105                    jno 10001020  ---/
:1000101B 7700                    ja 1000101D            ;==nop
:1000101D EBEF                    jmp 1000100E
:1000101F 86EB                    xchg bl, ch   -----> 这里被花了,也就是说1000100C--1000101F都要nop掉
:10001021 07                      pop es
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001029(U)
|
:10001022 8BDB                    mov ebx, ebx
:10001024 7006                    jo 1000102C
:10001026 90                      nop
:10001027 7103                    jno 1000102C
:10001029 EBF7                    jmp 10001022
:1000102B D86804                  fsubr dword ptr [eax+04]
:1000102E 0100                    add dword ptr [eax], eax
:10001030 008D85FCFEFF            add byte ptr [ebp+FFFEFC85], cl
:10001036 FF508B                  call [eax-75]
:10001039 4D                      dec ebp
:1000103A 0851FF                  or byte ptr [ecx-01], dl
:1000103D 1598710910              adc eax, 10097198
按上面说的改一下,再用W32DASM反汇编,显示如下:
:10001000 55                      push ebp
:10001001 8BEC                    mov ebp, esp
:10001003 81EC10030000            sub esp, 00000310
:10001009 53                      push ebx
:1000100A 56                      push esi
:1000100B 57                      push edi
:1000100E 90                      nop
:1000100F 90                      nop
:10001010 90                      nop
:10001011 90                      nop
:10001012 90                      nop
:10001013 90                      nop
:10001014 90                      nop
:10001015 90                      nop
:10001016 90                      nop
:10001017 90                      nop
:10001018 90                      nop
:10001019 90                      nop
:1000101A 90                      nop
:1000101B 90                      nop
:1000101C 90                      nop
:1000101D 90                      nop
:1000101E 90                      nop
:1000101F 90                      nop
:10001020 EB07                    jmp 10001029  <---------------晕,这也是花指令的一部分
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001029(U)
|
:10001022 8BDB                    mov ebx, ebx  <------------==nop
:10001024 7006                    jo 1000102C   ----\
:10001026 90                      nop               |==jmp 1000102C
:10001027 7103                    jno 1000102C  ---/
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001020(U)
|
:10001029 EBF7                    jmp 10001022  <--------------还要跳
:1000102B D86804                  fsubr dword ptr [eax+04]  <------这里是真正被花的地方
:1000102E 0100                    add dword ptr [eax], eax
:10001030 008D85FCFEFF            add byte ptr [ebp+FFFEFC85], cl
:10001036 FF508B                  call [eax-75]
:10001039 4D                      dec ebp
:1000103A 0851FF                  or byte ptr [ecx-01], dl
:1000103D 1598710910              adc eax, 10097198
把10001020--1000102B全部nop掉,再用W32DASM反汇编:
:10001000 55                      push ebp
:10001001 8BEC                    mov ebp, esp
:10001003 81EC10030000            sub esp, 00000310
:10001009 53                      push ebx
:1000100A 56                      push esi
:1000100B 57                      push edi
:1000100C 90                      nop
:1000100D 90                      nop
:1000100E 90                      nop
:1000100F 90                      nop
:10001010 90                      nop
:10001011 90                      nop
:10001012 90                      nop
:10001013 90                      nop
:10001014 90                      nop
:10001015 90                      nop
:10001016 90                      nop
:10001017 90                      nop
:10001018 90                      nop
:10001019 90                      nop
:1000101A 90                      nop
:1000101B 90                      nop
:1000101C 90                      nop
:1000101D 90                      nop
:1000101E 90                      nop
:1000101F 90                      nop
:10001020 90                      nop
:10001021 90                      nop
:10001022 90                      nop
:10001023 90                      nop
:10001024 90                      nop
:10001025 90                      nop
:10001026 90                      nop
:10001027 90                      nop
:10001028 90                      nop
:10001029 90                      nop
:1000102A 90                      nop
:1000102B 90                      nop
:1000102C 6804010000              push 00000104
:10001031 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:10001037 50                      push eax
:10001038 8B4D08                  mov ecx, dword ptr [ebp+08]
:1000103B 51                      push ecx
* Reference To: KERNEL32.GetModuleFileNameA, Ord:00FCh
|
:1000103C FF1598710910            Call dword ptr [10097198]
去掉nop,整理一下,这个Call附近的代码如下:
:10001000 55                      push ebp
:10001001 8BEC                    mov ebp, esp
:10001003 81EC10030000            sub esp, 00000310
:10001009 53                      push ebx
:1000100A 56                      push esi
:1000100B 57                      push edi
:1000102C 6804010000              push 00000104
:10001031 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:10001037 50                      push eax
:10001038 8B4D08                  mov ecx, dword ptr [ebp+08]
:1000103B 51                      push ecx
* Reference To: KERNEL32.GetModuleFileNameA, Ord:00FCh
|
:1000103C FF1598710910            Call dword ptr [10097198]
1000100C--1000102B这32个字节全部是干扰代码,把它们全nop掉后,我们就看到了一个API函数,不容易呀:)
顺便说一下,反汇编结果里之所以会出现xchg bl, ch和fsubr这样的怪指令,是因为从列出的跳转来看,1000101F的86和1000102B的D8这两个字节从来不会被执行,却被反汇编器和后面真正指令的开头字节(EB 07、68 04 01 00 00)拼成了一条假指令;所以看到跳转目标落在一条指令的中间时,就要怀疑这里有花指令。
希望通过这个例子你能真正学会如何去除花指令:-)
ZMWorm[CCG]