这些代码是从我逆向出hying外壳原码得来,有些描述不准确,凑合看吧
;//////////////////////////////////
;//drx 解码
Call Push_drx_handler
Drx_handler Proc Near
Pframe = Dword Ptr 4
Pcontext = Dword Ptr 0ch
Mov Eax, [esp+pframe]
Mov Eax, [eax] ; Eax = Pframe->exceptioncode
Mov Ecx, [esp+pcontext] ; Ecx -> Context
Inc Dword Ptr [ecx+0b8h] ; Context.regeip++
Cmp Eax, Exception_breakpoint
Jnz Drx_not_breakpoint
Mov Eax, [ecx+0b4h] ; Eax <- Context.regebp
Lea Eax, [drx_0-@symbiont_start][eax]
Mov [ecx+4], Eax ; Dr0
Mov Eax, [ecx+0b4h] ; Eax <- Context.regebp
Lea Eax, [drx_1-@symbiont_start][eax]
Mov [ecx+8], Eax ; Dr1
Mov Eax, [ecx+0b4h]
Lea Eax, [drx_2-@symbiont_start][eax]
Mov [ecx+0ch], Eax ; Dr2
Mov Eax, [ecx+0b4h]
Lea Eax, [drx_3-@symbiont_start][eax]
Mov [ecx+10h], Eax ; Dr3
Xor Eax, Eax
And Dword Ptr [ecx+14h], 0ffff0ff0h ; 11111111111111110000111111110000b
Mov Dword Ptr [ecx+18h], 155h ; 101010101b
Jmp Drx_ret
Drx_not_breakpoint:
Cmp Eax, Exception_single_step
Jnz Drx_not_single
Call Drx_get_counet
Dd 0 ; 记录单步断点出现次数
Drx_get_counet:
Pop Eax
Inc Dword Ptr [eax]
Mov Eax, [eax]
Cmp Eax, 1 ; Dr0
Jnz Loc_401341
Not Dword Ptr [ecx+0b0h] ; Context.regeax
Jmp Drx_processed
Loc_401341:
Cmp Eax, 2 ; Dr1
Jnz Loc_401357
Mov Eax, [ecx+0b0h] ; Eax <- Context.regeax
Rol Eax, 13h
Mov [ecx+0b0h], Eax ; Eax -> Context.regeax
Jmp Drx_processed
Loc_401357:
Cmp Eax, 3 ; Dr2
Jnz Loc_401385
Add Dword Ptr [ecx+0b0h], 78787878 ; Context.regeax += 78787878h
Mov Eax, [ecx+0b0h] ; Eax <- Context.regeax
Mov Ebx, [ecx+0a4h] ; Ebx <- Context.regebx
Xchg Ax, Bx
Add Ax, Bx
Mov [ecx+0b0h], Eax ; Eax <- Context.regeax
Mov [ecx+0a4h], Ebx ; Ebx <- Context.regebx
Jmp Drx_processed
Loc_401385:
Mov Eax, [ecx+0a0h] ; Dr3
; Eax <- Context.regesi
Xor Byte Ptr [eax], 55h
Drx_processed:
Xor Eax, Eax
Jmp Drx_ret
Drx_not_single:
Cmp Eax, Exception_int_divide_by_zero
Jnz Drx_cannot_process
Inc Dword Ptr [ecx+0b8h] ; Context.regeip++ (2 Byte Code)
Xor Eax, Eax
And [ecx+4], Eax ; Context.idr0 <- 0
And [ecx+8], Eax ; Context.idr1 <- 0
And [ecx+0ch], Eax ; Context.idr2 <- 0
And [ecx+10h], Eax ; Context.idr3 <- 0
And Dword Ptr [ecx+14h], 0ffff0ff0h ; Context.idr6 <- 0ffff0ff0h
; 清 Bt,bs,bd,b3,b2,b1,b0 位
And Dword Ptr [ecx+18h], 0dc00h ; 仅保留 Gd,ge 位
Jmp Drx_ret
Drx_cannot_process:
Xor Eax, Eax
Inc Eax
Drx_ret:
Ret
Drx_handler Endp
Push_drx_handler:
Xor Eax, Eax
Push Dword Ptr Fs:0
Mov Fs:0, Esp
Int 3 ; 设置 Drx
Nop ; Int 3 后紧跟 Nop 通常是为了兼容某些系统(9X与NT,发生INT3异常时,context.EIP不一样。
)
Mov Ecx, Ebp
Sub Ecx, Esi
Xor Ebx, Ebx
Xor Eax, Eax
Drx_crc_13db:
Lodsb
Add Ebx, Eax
Loop Drx_crc_13db
Mov Eax, Ebx
Drx_0:
Clc ; Not Eax
Nop
Lea Esi, [drx_1-@symbiont_start][ebp]
Mov Ecx, @sumbiont_end-drx_1
Drx_decode_13ef:
Mul Ecx
Ror Eax, Cl
Xor [esi], Al
Inc Esi
Inc Eax
Aam
Loop Drx_decode_13ef
Mov Ecx, Drx_handler-@symbiont_start ; Esi -> Loader Data
Mov Esi, Ebp ; Mem Ptr Start
Xor Eax, Eax
Drx_crc_1404:
Xor Al, [esi]
Ror Eax, 8
Inc Esi
Loop Drx_crc_1404
Drx_1:
Cld ; Rol Eax, 13h
Nop
Mov Ecx, @sumbiont_end-drx_2
Lea Esi, [drx_2-@symbiont_start][ebp]
Drx_decode_1419:
Lea Eax, [ecx+eax*4+key_1] ; 43h
Xor [esi], Al
Aam
Inc Esi
Loop Drx_decode_1419
Mov Ecx, Drx_2-push_drx_handler
Shr Ecx, 2 ; Ecx /= 4 (sizeof Dword)
Lea Esi, [push_drx_handler-@symbiont_start][ebp]
Xor Ebx, Ebx
Drx_crc_1434:
Lodsd
Xor Ebx, Eax
Loop Drx_crc_1434
Drx_2:
Stc ; Add Eax, 78787878h
; Xchg Ax, Bx
; Add Ax, Bx
Nop
Mov Ecx, @sumbiont_end-drx_3
Shr Ecx, 2
Lea Esi, [drx_3-@symbiont_start][ebp]
Drx_decode_1449:
Xor Edx, Edx
Mul Ebx
Add Edx, 78787878
Xor [esi], Edx
Mov Eax, Ebx
Mov Ebx, Edx
Add Esi, 4
Loop Drx_decode_1449
Lea Esi, [crypted_code_start-@symbiont_start][ebp]
Mov Ecx, @sumbiont_end-crypted_code_start
Drx_decode_1469:
Not Byte Ptr [esi]
Drx_3:
Nop ; Xor Byte Ptr [esi], 55h
Nop
Inc Esi
Loop Drx_decode_1469
Crypted_code_start:
Mov Eax, 100h
Xor Edx, Edx
Xor Ebx, Ebx
Div Ebx ; :d
Nop
Pop Dword Ptr Fs:0
Pop Eax