<P class=MsoNormal><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼往往是實(shí)現(xiàn)對原</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的節(jié)數(shù)據(jù)加密����、壓縮���,若能加殼的同時(shí),讓加殼后的程序調(diào)用殼中的某些子程序����,那加殼強(qiáng)度大大增加。這樣處理后���,即使脫掉了殼����,程序執(zhí)行也肯定不正常����,因?yàn)槊摎さ耐瑫r(shí)也將這些子程序脫掉了!</SPAN><SPAN lang=EN-US> </SPAN></P>
+ J) N. _0 J& W u<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">怎樣實(shí)現(xiàn)呢�����?作為探討性的介紹���,還是搞一個最基本的來說(假設(shè)現(xiàn)在您已經(jīng)會寫</SPAN><SPAN lang=EN-US>PE-exe</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">�����、</SPAN><SPAN lang=EN-US>PE-dll</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼程序):</SPAN><SPAN lang=EN-US> </SPAN></P>
9 S) I# r, ^$ S! @0 p<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">我的實(shí)現(xiàn)是這樣的:作為一個</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件���,多多少少程序中會有</SPAN><SPAN lang=EN-US>mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US>mov eax,0</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的語句,就是從這里開刀�����,因?yàn)?lt;/SPAN><SPAN lang=EN-US>mov eax,xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣的指令長度正好與</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">指令的長度一樣��,處理起來相對簡單����。在加殼程序加殼時(shí),查找這些語句統(tǒng)統(tǒng)換成:</SPAN><SPAN lang=EN-US> </SPAN></P>
% l4 N+ H0 i+ @<P class=MsoNormal><SPAN lang=EN-US>call shellSub </SPAN></P>6 j; t- k( q* }& R' [7 W
<P class=MsoNormal><SPAN lang=EN-US>// </SPAN></P>) h% \: G- T/ q
<P class=MsoNormal><SPAN lang=EN-US>shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">實(shí)現(xiàn)如下:</SPAN><SPAN lang=EN-US> </SPAN></P>: d# J" u- r$ h. V2 I6 `$ E4 ]
<P class=MsoNormal><SPAN lang=EN-US>shellSub() </SPAN></P>1 L+ e" p3 |3 W9 F3 I
<P class=MsoNormal><SPAN lang=EN-US>{ </SPAN></P>% b' J3 Q- v. E6 W* i
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN>mov eax,1 </SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US> mov eax,0 </SPAN></P>- H- P# p$ Y' x
<P class=MsoNormal><SPAN lang=EN-US>} </SPAN></P> j b/ p0 a4 y. }
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">當(dāng)然����,這里有個問題是怎樣計(jì)算這個</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,其實(shí)想一想也很簡單��,加殼時(shí)候我們已經(jīng)計(jì)算出了外殼程序的入口</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">�,只要以這個</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">為基準(zhǔn),就可以得到</SPAN><SPAN lang=EN-US>:(shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)-(mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的差值�����,這個差值再減去</SPAN><SPAN lang=EN-US>5</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">(</SPAN><SPAN lang=EN-US>Call</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的指令長度)就是</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">。</SPAN><SPAN lang=EN-US> </SPAN></P>
# n& Q" u, B u' _( R' P) o0 w/ c<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這里僅僅拋磚引玉的介紹了最基本的方法����,其實(shí)通過變化,可以對原程序的很多特定語句實(shí)現(xiàn)改成調(diào)用外殼中不同的</SPAN><SPAN lang=EN-US>sub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">�����,大大增加了外殼的保密強(qiáng)度����。</SPAN><SPAN lang=EN-US> </SPAN></P>
0 Y" W0 P* \0 X/ l<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣處理后,可想而知���,脫殼后的運(yùn)行情況:</SPAN><SPAN lang=EN-US>Windows</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯誤����,某個地址不能為讀或?qū)?�。�����。呵呵,要的就是這個效果?。?����!</SPAN><SPAN lang=EN-US> </SPAN></P>. Y: ~1 _- Y# c. r
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯誤之處�����,懇請各位高手指正�����!</SPAN><SPAN lang=EN-US> </SPAN></P> |
發(fā)表于 2008-9-28 16:31:53
QQ好友和群
QQ空間
提升卡
置頂卡
沉默卡
喧囂卡
變色卡
顯身卡