天天爱天天做天天做天天吃中文|久久综合给久合久久综合|亚洲视频一区二区三区|亚洲国产综合精品2022

    • 

    <delect id="ixd07"></delect>
      

      

      汶上信息港
      
標(biāo)題: 實(shí)現(xiàn)調(diào)用加殼的外殼中的子程序的一點(diǎn)見(jiàn)解 [打印本頁(yè)]
      

      
作者: hbhdgpyz    時(shí)間: 2008-9-28 16:31
      
標(biāo)題: 實(shí)現(xiàn)調(diào)用加殼的外殼中的子程序的一點(diǎn)見(jiàn)解
      <P class=MsoNormal><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼往往是實(shí)現(xiàn)對(duì)原</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的節(jié)數(shù)據(jù)加密、壓縮,若能加殼的同時(shí),讓加殼后的程序調(diào)用殼中的某些子程序,那加殼強(qiáng)度大大增加。這樣處理后,即使脫掉了殼,程序執(zhí)行也肯定不正常,因?yàn)槊摎さ耐瑫r(shí)也將這些子程序脫掉了!</SPAN><SPAN lang=EN-US> </SPAN></P>
      
* ]4 z3 }% M2 b  m( p. K0 c<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">怎樣實(shí)現(xiàn)呢?作為探討性的介紹,還是搞一個(gè)最基本的來(lái)說(shuō)(假設(shè)現(xiàn)在您已經(jīng)會(huì)寫</SPAN><SPAN lang=EN-US>PE-exe</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN lang=EN-US>PE-dll</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼程序):</SPAN><SPAN lang=EN-US> </SPAN></P>
      
( s, j0 K" ?' g/ f3 q<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">我的實(shí)現(xiàn)是這樣的:作為一個(gè)</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件,多多少少程序中會(huì)有</SPAN><SPAN lang=EN-US>mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US>mov eax,0</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的語(yǔ)句,就是從這里開(kāi)刀,因?yàn)?lt;/SPAN><SPAN lang=EN-US>mov eax,xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣的指令長(zhǎng)度正好與</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">指令的長(zhǎng)度一樣,處理起來(lái)相對(duì)簡(jiǎn)單。在加殼程序加殼時(shí),查找這些語(yǔ)句統(tǒng)統(tǒng)換成:</SPAN><SPAN lang=EN-US> </SPAN></P>9 x1 C. v3 A/ Y4 |8 p0 u
      
<P class=MsoNormal><SPAN lang=EN-US>call shellSub </SPAN></P>
      
; L. x6 h3 ]2 n7 e# X; h0 B5 _& H! \- I<P class=MsoNormal><SPAN lang=EN-US>// </SPAN></P>2 H8 l: h1 {! w" w2 X' `
      
<P class=MsoNormal><SPAN lang=EN-US>shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">實(shí)現(xiàn)如下:</SPAN><SPAN lang=EN-US> </SPAN></P>, V0 `* @+ p, t" R+ P7 @
      
<P class=MsoNormal><SPAN lang=EN-US>shellSub() </SPAN></P>
      
4 i& q# n8 T4 q4 s+ {1 B3 s; }<P class=MsoNormal><SPAN lang=EN-US>{ </SPAN></P>
      
( r9 f: y# I; d/ a1 E2 F& e% @<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>mov eax,1 </SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US> mov eax,0 </SPAN></P>! j4 p, S0 q" p
      
<P class=MsoNormal><SPAN lang=EN-US>} </SPAN></P>. t- c; p% R0 A  n2 v( J# H
      
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">當(dāng)然,這里有個(gè)問(wèn)題是怎樣計(jì)算這個(gè)</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,其實(shí)想一想也很簡(jiǎn)單,加殼時(shí)候我們已經(jīng)計(jì)算出了外殼程序的入口</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,只要以這個(gè)</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">為基準(zhǔn),就可以得到</SPAN><SPAN lang=EN-US>:(shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)-(mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的差值,這個(gè)差值再減去</SPAN><SPAN lang=EN-US>5</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">(</SPAN><SPAN lang=EN-US>Call</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的指令長(zhǎng)度)就是</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">。</SPAN><SPAN lang=EN-US> </SPAN></P>
      
* a4 t5 F# m% e( q+ x, x, e<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這里僅僅拋磚引玉的介紹了最基本的方法,其實(shí)通過(guò)變化,可以對(duì)原程序的很多特定語(yǔ)句實(shí)現(xiàn)改成調(diào)用外殼中不同的</SPAN><SPAN lang=EN-US>sub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,大大增加了外殼的保密強(qiáng)度。</SPAN><SPAN lang=EN-US> </SPAN></P>
      
  C" Z+ \$ p% e, G4 }<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣處理后,可想而知,脫殼后的運(yùn)行情況:</SPAN><SPAN lang=EN-US>Windows</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯(cuò)誤,某個(gè)地址不能為讀或?qū)?。。呵呵,要的就是這個(gè)效果!?。?lt;/SPAN><SPAN lang=EN-US> </SPAN></P>
      
/ y. \5 z5 v; F% d! M% A& B3 d) d<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯(cuò)誤之處,懇請(qǐng)各位高手指正!</SPAN><SPAN lang=EN-US> </SPAN></P>




      

      

      歡迎光臨 汶上信息港 (http://vancelump.com/)

Powered by Discuz! X3.5