[转载]加壳工具的壳代码-如何加壳(页 1) - 工程学类分支{ Engineering Column } - 逆向工程[ Reverse Engineering ] - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

金州 2006-1-22 04:39

[转载]加壳工具的壳代码-如何加壳

信息来源：无花果编程驿站 <A href="http://www.cnasm.com/down/crack/ShellProtect.rar">完整加壳工具下载</A> 以下是外壳汇编源代码,注意使用本工具加壳的软件可能被Norton认为是病毒
includewin32.inc .586 .modelflat,stdcall locals extrn_wsprintfA:proc,MessageBoxA:proc,ExitProcess:proc,IsDebuggerPresent:proc extrnReleaseDC:proc,GetDC:proc,TextOutA:proc,GetTickCount:proc OLD_TICK_COUNTequ072h GET_TICK_COUNTequ0c1h IS_DBG_PRESENTequ034h EXIT_PROCESSequ0a7h XXequ12345678h .data PCStart: nop @@PCStartRVA: pushad callGetRVAOffset,offset@@KillIDA jmpeax @@KillIDA: ;//定位GetProcAddress函数 ;db0ebh,001h,0e8h;//乱码样版 subesp,100h movebp,esp db0ebh,001h,0e8h;//乱码样版 movebx,[ebp+100h+8*4] @@RepScanGPA: decebx db0ebh,001h,0e8h;//乱码样版 callGetPEOffset,ebx movebx,eax xoresi,esi db0ebh,001h,0e8h;//乱码样版 @@RepScanGPAName: incesi callGetGPANameByIndex,ebx,esi oreax,eax db0ebh,001h,0e8h;//乱码样版 jzshort@@RepScanGPA movedi,eax callGetGPAString db0ebh,001h,0e8h;//乱码样版 movedx,eax callCompareMemory,edi,edx,15 oreax,eax jnzshort@@RepScanGPAName db0ebh,001h,0e8h;//乱码样版 callGetGPARVAByIndex,ebx,esi movesi,eax ;//ebx=Kernel32Base;esi=GetProcAddress ;//定位其他API函数 db0ebh,001h,0e8h;//乱码样版 callGetGTCString callesi,ebx,eax mov[ebp+GET_TICK_COUNT],eax db0ebh,001h,0e8h;//乱码样版 callGetIDPString callesi,ebx,eax mov[ebp+IS_DBG_PRESENT],eax db0ebh,001h,0e8h;//乱码样版 callGetEXPString callesi,ebx,eax mov[ebp+EXIT_PROCESS],eax ;//SaveOldTickCount call[ebp+GET_TICK_COUNT] mov[ebp+OLD_TICK_COUNT],eax db0ebh,001h,0e8h;//乱码样版 ;//SehCheck callSetSehFrame,offset@@SehCheckContinue xoreax,eax db0ebh,001h,0e8h;//乱码样版 diveax ret @@SehCheckContinue: callClsSehFrame ;//CalcOldEntryRVA db0ebh,001h,0e8h;//乱码样版 callGetRVAOffset,offsetPCStart movebx,eax callGetRVAOffset,offsetRRVAEIP db0ebh,001h,0e8h;//乱码样版 addebx,[eax] callGetRVAOffset,offsetJRVAEIP mov[eax],ebx db0ebh,001h,0e8h;//乱码样版 ;//TimeLimitCheckAndDebugCheck call[ebp+GET_TICK_COUNT] cmp[ebp+OLD_TICK_COUNT],eax db0ebh,001h,0e8h;//乱码样版 ja@@ExitProcess; subeax,1000 cmp[ebp+OLD_TICK_COUNT],eax db0ebh,001h,0e8h;//乱码样版 jb@@ExitProcess; call[ebp+IS_DBG_PRESENT] oreax,eax jnz@@ExitProcess; db0ebh,001h,0e8h;//乱码样版 ;//恢复堆栈执行原始程序 addesp,100h popad db0ebh,001h,0e8h;//乱码样版 jmpJmpOldEIP @@ExitProcess: call[ebp+EXIT_PROCESS],0 ;//得到相对地址 GetRVAOffsetprocAddress:DWORD db0ebh,001h,0e8h;//乱码样版 call@@PushRVAOffset @@PushRVAOffset: popeax subeax,offset@@PushRVAOffset db0ebh,001h,0e8h;//乱码样版 addeax,Address ret GetRVAOffsetendp ;//建立SEH过滤 SetSehFrame:;SafeEipChangeeaxecxedx popedx popecx;//PopParamSafeEip callGetRVAOffset,ecx db0ebh,001h,0e8h;//乱码样版 movecx,eax callGetRVAOffset,offsetException pusheax db0ebh,001h,0e8h;//乱码样版 pushfs:dwordptr[0];//PushOldSehFrame movfs:dwordptr[0],esp callGetRVAOffset,offsetSafeEIP db0ebh,001h,0e8h;//乱码样版 pushdwordptr[eax];//PushOldSafeEip movdwordptr[eax],ecx;//SetSafeEip callGetRVAOffset,offsetSafeESP db0ebh,001h,0e8h;//乱码样版 pushdwordptr[eax];//PushOldSafeEsp subesp,100h;//SubSafeStackSpaceSize movdwordptr[eax],esp;//SetSafeEsp db0ebh,001h,0e8h;//乱码样版 jmpedx ;//清除SEH过滤 ClsSehFrame:;Changeecxedx,Notchangeeax popedx movecx,eax db0ebh,001h,0e8h;//乱码样版 callGetRVAOffset,offsetSafeESP movesp,[eax];//GetSafeEsp addesp,100h;//AddSafeStackSapceSize db0ebh,001h,0e8h;//乱码样版 popdwordptr[eax];//PopOldSafeEsp callGetRVAOffset,offsetSafeEIP popdwordptr[eax];//PopOldSafeEip popfs:dwordptr[0];//PopOldSehFrame db0ebh,001h,0e8h;//乱码样版 popeax;//PopException moveax,ecx db0ebh,001h,0e8h;//乱码样版 jmpedx ;//SEH意外处理，记录错误 Exceptionprocusesebxesiedi,Record:DWORD,Frame:DWORD,Context:DWORD,Dispatch:DWORD movedx,Context callGetRVAOffset,offsetSafeESP db0ebh,001h,0e8h;//乱码样版 moveax,[eax] movdwordptr[edx.cx_Esp],eax callGetRVAOffset,offsetSafeEIP db0ebh,001h,0e8h;//乱码样版 moveax,[eax] movdwordptr[edx.cx_Eip],eax xoreax,eax;忽略错误继续执行 db0ebh,001h,0e8h;//乱码样版 ret Exceptionendp ;//比较字符串 CompareMemoryprocusesebxesiedi,Src:DWORD,Des:DWORD,Size:DWORD db0ebh,001h,0e8h;//乱码样版 callSetSehFrame,offset@@NotSame movesi,Src movedi,Des db0ebh,001h,0e8h;//乱码样版 movecx,Size cld repcmpsb db0ebh,001h,0e8h;//乱码样版 movebx,ecx callClsSehFrame moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret @@NotSame: callClsSehFrame moveax,-1 ret CompareMemoryendp ;//字符解密 EncodeStringprocusesebxesiedi,PChar:DWORD,Size:DWORD db0ebh,001h,0e8h;//乱码样版 movecx,Size movesi,PChar db0ebh,001h,0e8h;//乱码样版 @@ContEncode: xor[esi],dwordptrXX addesi,4 db0ebh,001h,0e8h;//乱码样版 loopshort@@ContEncode db0ebh,001h,0e8h;//乱码样版 ret EncodeStringendp ;//得到GetProcAddress字符串指针 GetGPAStringprocusesebx db0ebh,001h,0e8h;//乱码样版 call@@PushGetProcAddressStr dd$1$PteG$1$xorXX,$1$Acor$1$xorXX,$1$erdd$1$xorXX,$1$ss$1$xorXX @@PushGetProcAddressStr: popebx cmp[ebx],wordptr$1$eG$1$ jzshort@@HasEncode db0ebh,001h,0e8h;//乱码样版 callEncodeString,ebx,4 @@HasEncode: moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret GetGPAStringendp GetGTCStringprocusesebx db0ebh,001h,0e8h;//乱码样版 call@@PushGetTickCountStr dd$1$TteG$1$xorXX,$1$Ckci$1$xorXX,$1$tnuo$1$xorXX,0 @@PushGetTickCountStr: popebx db0ebh,001h,0e8h;//乱码样版 cmp[ebx],wordptr$1$eG$1$ jzshort@@HasEncode callEncodeString,ebx,3 @@HasEncode: moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret GetGTCStringendp GetIDPStringprocusesebx db0ebh,001h,0e8h;//乱码样版 call@@PushIsDebugPresent dd$1$eDsI$1$xorXX,$1$ggub$1$xorXX,$1$rPre$1$xorXX,$1$nese$1$xorXX,$1$t$1$xorXX @@PushIsDebugPresent: popebx cmp[ebx],wordptr$1$sI$1$ jzshort@@HasEncode db0ebh,001h,0e8h;//乱码样版 callEncodeString,ebx,5 @@HasEncode: moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret GetIDPStringendp GetEXPStringprocusesebx db0ebh,001h,0e8h;//乱码样版 call@@PushExitProcessString dd$1$tixE$1$xorXX,$1$corP$1$xorXX,$1$sse$1$xorXX @@PushExitProcessString: popebx cmp[ebx],wordptr$1$xE$1$ jzshort@@HasEncode db0ebh,001h,0e8h;//乱码样版 callEncodeString,ebx,3 @@HasEncode: moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret GetEXPStringendp ;//搜索PE头 GetPEOffsetprocusesebxesiedi,MZOffset:DWORD db0ebh,001h,0e8h;//乱码样版 callSetSehFrame,offset@@RepScanPEOffset movebx,MZOffset @@RepScanPEOffset: decebx andbx,0f000h db0ebh,001h,0e8h;//乱码样版 movzxeax,wordptr[ebx] xoreax,XX cmpeax,dwordptr$1$ZM$1$xorXX db0ebh,001h,0e8h;//乱码样版 jnzshort@@RepScanPEOffset movzxesi,[ebx+PeHeadOffset] addesi,ebx db0ebh,001h,0e8h;//乱码样版 movzxeax,wordptr[esi] xoreax,XX cmpeax,dwordptr$1$EP$1$xorXX db0ebh,001h,0e8h;//乱码样版 jnzshort@@RepScanPEOffset callClsSehFrame moveax,ebx db0ebh,001h,0e8h;//乱码样版 ret GetPEOffsetendp ;//从MZ/PE文件中得到GPA名字 GetGPANameByIndexprocusesebxesiedi,MZOffset:DWORD,Index:DWORD db0ebh,001h,0e8h;//乱码样版 callSetSehFrame,offset@@NotFound movebx,MZOffset movzxecx,[ebx+PeHeadOffset] addecx,ebx db0ebh,001h,0e8h;//乱码样版 movesi,[ecx.peExportsRVA] addesi,ebx movedi,[esi.etExportNameList] db0ebh,001h,0e8h;//乱码样版 addedi,ebx movecx,Index cmpecx,[esi.etExportNameSum] db0ebh,001h,0e8h;//乱码样版 jaeshort@@NotFound movedi,[edi+ecx*4] addedi,ebx db0ebh,001h,0e8h;//乱码样版 oreax,[edi];//Test oreax,[edi+15];//Test callClsSehFrame db0ebh,001h,0e8h;//乱码样版 moveax,edi db0ebh,001h,0e8h;//乱码样版 ret @@NotFound: callClsSehFrame xoreax,eax db0ebh,001h,0e8h;//乱码样版 ret GetGPANameByIndexendp ;//得到GPA地址 GetGPARVAByIndexprocusesebxesiedi,MZOffset:DWORD,Index:DWORD db0ebh,001h,0e8h;//乱码样版 callGetRVAOffset,offset@@NotFound callSetSehFrame,eax db0ebh,001h,0e8h;//乱码样版 movebx,MZOffset movzxecx,[ebx+PeHeadOffset] db0ebh,001h,0e8h;//乱码样版 addecx,ebx movesi,[ecx.peExportsRVA] addesi,ebx db0ebh,001h,0e8h;//乱码样版 movecx,Index cmpecx,[esi.etExportAddrSum] jaeshort@@NotFound db0ebh,001h,0e8h;//乱码样版 movedi,[esi.etExportOrdlList] addedi,ebx db0ebh,001h,0e8h;//乱码样版 movzxecx,wordptr[edi+ecx*2] cmpecx,[esi.etExportAddrSum] jaeshort@@NotFound db0ebh,001h,0e8h;//乱码样版 movedi,[esi.etExportAddrList] addedi,ebx db0ebh,001h,0e8h;//乱码样版 movedi,[edi+ecx*4] db0ebh,001h,0e8h;//乱码样版 addedi,ebx oreax,[edi];//Test callClsSehFrame db0ebh,001h,0e8h;//乱码样版 moveax,edi ret @@NotFound: callClsSehFrame xoreax,eax db0ebh,001h,0e8h;//乱码样版 ret GetGPARVAByIndexendp JmpOldEIP: db068h JRVAEIPdd? db0c3h RRVAEIPdd-1000h SafeESPdd? SafeEIPdd? PCEnd: MsgFmtdb$1$RRVAIP:%X,Size:%x$1$,0 MsgBufdb256dup(?); .code Exit: callShowMsg callExitProcess,0 Start: jmpPCStart ShowMsgproc pushad movebp,esp call_wsprintfA,offsetMsgBuf,offsetMsgFmt,offsetRRVAEIP,offsetPCEnd-offsetPCStart callMessageBoxA,0,offsetMsgBuf,offsetMsgBuf,0 movesp,ebp popad ret ShowMsgendp endStart

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[转载]加壳工具的壳代码-如何加壳