[Repost] A Brief Look at ASProtect SKE 2.11 Code Mutation
Source: 看雪学院

Recently I have been studying the ASProtect SKE 2.11 packer. Thanks to shoooo for the tips, which saved me a lot of detours. shoooo's article "nspack3.5主程序脱壳分析(AsprSKE2.X)" (Unpacking analysis of the nspack 3.5 main program, AsprSKE 2.X; http://bbs.pediy.com/showthread.php?threadid=19313) is quite enlightening: once you understand it and build on it a little, the ASProtect SKE packer can basically be handled.
When unpacking ASProtect you can in fact skip repairing the stolen code and simply borrow that section of the packer's own code. But for a clean unpack you have to understand some of ASProtect's mutation tricks and restore the code instruction by instruction (which is manual labour).

The hard part of ASProtect SKE is the code mutation: it uses a block of code to emulate the following instructions (probably a mutation engine written by the author himself):
cmp x,y
jxx n

call xxxxx
jmp xxxxx

jxx n

and so on...

For example, the mutated code below emulates a cmp instruction:
cmp x,y
jxx n

00A8896A  8BCE        mov ecx,esi
00A8896C  8B550C      mov edx,[ebp+C]
00A8896F  8B45F8      mov eax,[ebp-8]
00A88972  E8D5FDFFFF  call 00A8874C
{
00A8877E  8B548340    mov edx,[ebx+eax*4+40]
00A88782  8BC7        mov eax,edi
00A88784  FFD2        call edx            ; the return value of this call selects which register x is: 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
...
00A887BA  8B548340    mov edx,[ebx+eax*4+40]
00A887BE  8BC7        mov eax,edi
00A887C0  FFD2        call edx            ; (y) 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
...
}

00A88977  894510      mov [ebp+10],eax
00A8897A  EB01        jmp short 00A8897D
00A8897C -E933C08A43  jmp 443349B4
00A88981  048B        add al,8B
00A88983  55          push ebp
00A88984  F8          clc
00A88985  8B548240    mov edx,[edx+eax*4+40]
00A88989  8BC6        mov eax,esi
00A8898B  FFD2        call edx            ; the return value of this call selects the jump type: 3=jnb,2=jb,...
00A8898D  8BD8        mov ebx,eax
00A8898F  8B4D10      mov ecx,[ebp+10]
00A88992  8BD3        mov edx,ebx
00A88994  8B45F8      mov eax,[ebp-8]
00A88997  E874FBFFFF  call 00A88510       ; the comparison (cmp x,y) happens inside
00A8899C  84C0        test al,al
00A8899E  7417        je short 00A889B7

The latest version of ASProtect SKE has strengthened this area too; I have not figured that part out yet, so don't ask me. ;(

ASProtect also mutates ordinary instructions, and these are much easier to recognise: pack a program with ASProtect SKE yourself, trace it and compare, and you will quickly find the patterns. Listed below are some of the simple mutations ASProtect commonly uses. The principle is to use lea to compute additions, subtractions and multiplications, or to use the stack to pass data around.

1.
Original: add esi,8
Mutated:
lea esi,[esi+8] // esi=esi+8

2.
Original: add edi,4
Mutated:
lea edi,[edi+ecx+4] // edi=edi+ecx+4
sub edi,ecx // edi=edi-ecx=edi+ecx+4-ecx=edi+4

3.
Original: mov ecx,eax
Mutated:
lea ecx,[eax+C] // ecx=eax+c
lea ecx,[ecx-C] // ecx=ecx-c=eax+c-c=eax

4.
Original: mov esi,eax
Mutated:
or esi,BD20817E
push eax // effective instruction
rol esi,9D
xor esi,[esp+8]
pop esi // effective instruction

5.
Original: mov esi,eax
Mutated:
sub esi,ecx
lea esi,[eax+2B]
lea esi,[esi+ebp-2B]
sub esi,ebp

6.
Original: mov edi,eax
Mutated:
lea edi,[edx+edi*2+50]
adc edi,F299E634
lea edi,[eax+56] // edi=eax+56
lea edi,[edi+ecx-56] // edi=eax+56+ecx-56=eax+ecx
sub edi,ecx // edi=edi-ecx=eax+ecx-ecx=eax

7.
Original: mov edi,eax
Mutated:
lea edi,[ebx+ecx+48612E]
sub edi,ecx
xor edi,1ABFD486
lea edi,[eax+ecx+39] // edi=eax+ecx+39
sub edi,ecx // edi=edi-ecx=eax+ecx+39-ecx=eax+39
lea edi,[edi-39] // edi=edi-39=eax+39-39=eax

8.
Original: mov edi,eax
Mutated:
lea edi,[ebx+ecx+48612E]
sub edi,ecx
xor edi,1ABFD486
lea edi,[eax+ecx+39]
sub edi,ecx
lea edi,[edi-39]

9.
Original: mov eax,800
Mutated:
push ABCAA2A8
pushfw
push ebx
xor ebx,C567C100
and ebx,edi
lea ebx,[esp+69]
sub ebx,69
prefix repne:
jmp L010
prefix rep:
L010:
add ebx,6
mov dword ptr [ebx],800 // effective instruction
pop ebx
popfw
add eax,A38396E6
pop eax // effective instruction

10.
Original: mov ecx,edi
Mutated:
mov ecx,42338A
mov ecx,42A4FA
xor ecx,[esp+8]
mov ecx,4780E2
rcr ecx,0ED
lea ecx,[edi+eax+5C] // ecx=edi+eax+5C
sub ecx,eax // ecx=ecx-eax=edi+eax+5C-eax=edi+5C
lea ecx,[ecx-5C] // ecx=ecx-5c=edi+5C-5C=edi
sar eax,5
and ecx,1F

11.
Original: mov edi,405904
Mutated:
and edi,ebx
mov edi,43FB92
ror edi,0C5
lea edi,[ebp+esi*2+53]
lea edi,[eax+ecx+405904] // edi=eax+ecx+405904
sub edi,ecx // edi=edi-ecx=eax+ecx+405904-ecx=eax+405904
sub edi,eax // edi=edi-eax=eax+405904-eax=405904

12.
Original: mov ebp,esp
Mutated:
lea ebp,[esp+ecx+5C] // ebp=esp+ecx+5c
sub ebp,ecx // ebp=ebp-ecx=esp+ecx+5c-ecx=esp+5c
lea ebp,[ebp+ebx-5C] // ebp=ebp+ebx-5C=esp+5c+ebx-5C=esp+ebx
sub ebp,ebx // ebp=ebp-ebx=esp+ebx-ebx=esp

13.
Original: mov eax,[405A10]
Mutated:
lea eax,[ecx+405A10]
sub eax,ecx
push dword ptr [eax]
xor eax,[esp+28]
xor eax,[esp+8]
pop eax

14.
Original: mov ecx,[eax]
Mutated:
xor ecx,ebx
push dword ptr [eax] // push [eax]
rcr ecx,0C9
mov ecx,43378A
pop ecx // the pushed value goes into ecx

15.
Original: mov eax,[405900]
Mutated:
lea eax,[ebp+esi+424388]
sub eax,esi
lea eax,[ecx+405900] // eax=ecx+405900
sub eax,ecx // eax=eax-ecx=ecx+405900-ecx=405900
mov eax,[eax]

16.
Original: mov esi,[eax]
Mutated:
or esi,edi
push dword ptr [eax]
sub esi,-45
rol esi,97
pop esi

17.
Original: mov eax,[405900]
Mutated:
lea eax,[edi+42CA6C]
xor eax,710E8EFA
mov eax,427EBE
add eax,[esp+18]
lea eax,[ebp+esi+405900]
sub eax,esi
sub eax,ebp
mov eax,[eax]

18.
Original: mov eax,[405664]
Mutated:
lea eax,[ecx+edx-7F]
lea eax,[edi+405664] // eax=edi+405664
sub eax,edi // eax=eax-edi=edi+405664-edi=405664
prefix repne:
jmp L006
???
L006:
push dword ptr [eax] // push [405664]
add eax,[esp+18]
mov eax,4487CE
pop eax // pop [405664]

19.
Original: mov ebp,esp
Mutated:
add ebp,ebx
mov ebp,45A51E
mov ebp,[esp+10]
mov ebp,4A54FE
mov ebp,463636
lea ebp,[esp+esi+E] // ebp=esp+esi+E
push eax
push edx
push ecx
mov edx,45F39E
mov edx,447AD6
mov edx,7DF8A705 // edx=7DF8A705
mov ecx,4A86CA
mov ecx,488942
mov ecx,edx // ecx=edx=7DF8A705
sub ecx,B783FC03 // ecx=ecx-B783FC03=7DF8A705-B783FC03=C674AB02
neg ecx // ecx=398B54FE
push ecx // push 398B54FE
xor edx,[esp+8]
rcl edx,0EB
pop edx // pop 398B54FE into edx
add edx,63BE880B // edx=edx+63BE880B=398B54FE+63BE880B=9D49DD09
xor eax,[esp+28]
rcl eax,49
push edx // push 9D49DD09
sub eax,ebx
pop eax // pop 9D49DD09 into eax
xor eax,62B622F9 // 9D49DD09 XOR 62B622F9=FFFFFFF0
neg eax // eax=10
lea edx,[ebp+esi+6C] // edx=ebp+esi+6C
push eax // push 10
push edi
mov eax,93D3D3A9
xchg eax,edi
xor edi,4B566F99
neg edi
sub edi,6A63E261
neg edi
xchg edi,eax
sub eax,42E99E29
dec eax
lea edx,[edx+eax*2+6A]
lea edx,[edx+ecx-6A]
sub edx,ecx
sub edx,eax
pop edi
pop eax
sub edx,esi
push eax
sbb edx,-17
ror edx,7B
pop edx // pop 10 into edx, edx=10
lea ebp,[ebp+edx+6F] // ebp=esp+esi+E+10+6F
lea ebp,[ebp+ecx-6F] // ebp=esp+esi+E+edx+6F+ecx-6F=esp+esi+E+10+ecx
sub ebp,ecx // ebp=ebp-ecx=esp+esi+E+edx+ecx-ecx=esp+esi+E+10
lea ecx,[ecx+edx*2+72]
lea ecx,[ecx+ebx-72]
sub ecx,ebx
pop ecx
xor edx,EF5EAB78
pop edx
add eax,[esp+38]
sbb eax,2B
pop eax
sub ebp,esi // ebp=ebp-esi=esp+esi+E+edx-esi=esp+E+10=esp+1E
lea ebp,[ebp-1E] // ebp=ebp-1E=esp+1E-1E=esp

20.
Original: push 004040D0
Mutated:
push -6
pushfw
push ebp
sub ebp,61388612
mov ebp,esp
lea ebp,[ebp+ebx+6]
sub ebp,ebx
push 4040D0
pop dword ptr [ebp]
pop ebp
popfw

21.
Original: push 00401ED4
Mutated:
push dword ptr [esp+14]
pushfw
push ecx
xor ecx,ebp
mov ecx,esp // ecx=esp
lea ecx,[ecx+edi+6] // ecx=ecx+edi+6=esp+edi+6
sub ecx,edi // ecx=ecx-edi=esp+edi+6-edi=esp+6
push edi
sub edi,-59
sub edi,-3D
lea edi,[eax+401ED4] // edi=eax+401ED4
sub edi,eax // edi=edi-eax=401ED4
mov [ecx],edi
pop edi
pop ecx // equivalent to mov [esp+6],401ED4
popfw

22.
Original: push 100
Mutated:
push dword ptr fs:[0]
pushfw
push ecx
xor ecx,428F6676
mov ecx,esp
lea ecx,[ecx+edi+6]
sub ecx,edi
push edi
sub edi,-57
mov edi,46894A
adc edi,1AA636D6
lea edi,[eax+ecx+100] // edi=eax+ecx+100
sub edi,ecx // edi=edi-ecx=eax+ecx+100-ecx=eax+100
sub edi,eax // edi=edi-eax=eax+100-eax=100
push edi
pop dword ptr [ecx]
pop edi
pop ecx
popfw
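The lea/sub and push/pop patterns above can be undone mechanically. The following symbolic simplifier is an added example (not code from the original post, and not part of ASProtect): it takes a mutated sequence written in the listing syntax used on this page (hex constants without 0x, `//` comments) and reduces each register to a linear combination of the initial register values plus a constant, so items 2, 7, 11, 12 and 14 come out as edi+4, eax, 405904, esp and [eax]. The opaque `unkN` symbols for unmodelled operations and the treatment of memory operands as plain symbols are my own simplifications.

```python
import re

REGS = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"}

def _add(a, b, sign=1):
    # linear combination a + sign*b with zero coefficients dropped
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, 0) + sign * v
    return {k: v for k, v in out.items() if v}

def _value(text, state):
    # parse an operand such as 'eax+edi*2-39' (hex, the listings omit 0x) and
    # substitute each register's current symbolic value
    out = {}
    for sign, tok, scale in re.findall(r"([+-]?)([^+*\-]+)(?:\*(\d+))?", text.strip("[]")):
        coef = int(scale or 1) * (-1 if sign == "-" else 1)
        part = state[tok] if tok in REGS else {"CONST": int(tok, 16)}
        out = _add(out, {k: coef * v for k, v in part.items()})
    return out

def simplify(lines):
    # run a mutated sequence symbolically; each register ends up as a linear
    # combination of the initial register values plus 'CONST', and anything not
    # modelled (xor, rol, adc, memory loads) becomes a fresh 'unkN' symbol
    state, stack, fresh = {r: {r: 1} for r in REGS}, [], 0
    for raw in lines:
        parts = raw.split("//")[0].replace("dword ptr ", "").split(None, 1)
        if len(parts) < 2:  # labels, prefixes, pushfw/popfw: nothing to track
            continue
        op, (dst, _, src) = parts[0], [p.strip() for p in parts[1].partition(",")]
        fresh += 1
        if op == "push":  # a memory operand is kept as the opaque symbol '[...]'
            stack.append({dst: 1} if "[" in dst else _value(dst, state))
        elif op == "pop":
            v = stack.pop() if stack else {f"unk{fresh}": 1}
            if dst in REGS:
                state[dst] = v
        elif dst not in REGS:  # stores like mov [ebx],800 leave registers alone
            continue
        elif op == "lea" or (op == "mov" and "[" not in src):
            state[dst] = _value(src, state)
        elif op in ("add", "sub") and "[" not in src:
            state[dst] = _add(state[dst], _value(src, state), 1 if op == "add" else -1)
        else:
            state[dst] = {f"unk{fresh}": 1}
    return state
```

Sequences such as item 19, which hide a constant behind xor and neg, would additionally need 32-bit constant folding of those operations, which this block leaves out.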