Analysis of the anti-debug in Skype (anti-debug, anti-tracing techniques)

2010-1-30 18:16 | Posted by: admin | Views: 299 | Comments: 0 | Original author: 墨元

Monday, 2008-06-23, 14:01



Software: Skype

Sample download: http://www.skype.com/download

Author: blackeyes

Statement: Skype is freeware, so there is nothing here to crack; this only analyses its anti-debug.





1. Basic information

Entry point (OEP): 005E7A28

Import table (IT): 00B8F000-00B8F21B ( size: 021C )

Import address table (IAT): 00B8F21C-00B8FD38 ( size: 0B1C )

PEiD result: Borland Delphi 6.0 - 7.0 [Overlay]



2. Debugger detection, code decoding, resolving the second IAT

// After loading in OD (OllyDbg) it stops here, at 005E7A28
005E7A28 >/$ EB 57 JMP SHORT Skype.005E7A81

005E7A81 > \E8 26010000 CALL Skype.005E7BAC ; // detect SoftICE (check #1)
005E7A86 . 84C0 TEST AL,AL
005E7A88 . 74 1C JE SHORT Skype.005E7AA6
005E7A8A . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
005E7A8C . FF35 482FB800 PUSH DWORD PTR DS:[B82F48] ; |Title = "Skype"
005E7A92 . FF35 4C2FB800 PUSH DWORD PTR DS:[B82F4C] ; |Text = "Error: Skype is not compatible with debuggers like SoftICE .."
005E7A98 . 6A 00 PUSH 0 ; |hOwner = NULL
005E7A9A . E8 9910E2FF CALL ; \MessageBoxA
005E7A9F . 6A 01 PUSH 1 ; /ExitCode = 1
005E7AA1 . E8 5A04E2FF CALL ; \ExitProcess
005E7AA6 > BA 011E1600 MOV EDX,161E01
005E7AAB . 81C2 A38BA100 ADD EDX,Skype.00A18BA3 ; // EDX = 00B7A9A4
005E7AB1 . 52 PUSH EDX
005E7AB2 . EB 10 JMP SHORT Skype.005E7AC4
005E7AB4 . BF 287A5E00 MOV EDI,Skype.
005E7AB9 . B9 C47A5E00 MOV ECX,Skype.005E7AC4
005E7ABE . 29F9 SUB ECX,EDI
005E7AC0 . 31C0 XOR EAX,EAX
005E7AC2 . F3:AA REP STOS BYTE PTR ES:[EDI]
005E7AC4 > E8 CF3F0100 CALL Skype.005FBA98
005E7AC9 . E8 AAFEFFFF CALL Skype.005E7978
005E7ACE . C3 RETN ; // returns to 00B7A9A4 (the EDX pushed above)

00B7A9A4 . 55 PUSH EBP ; this looks like the real program entry point
00B7A9A5 . 8BEC MOV EBP,ESP
00B7A9A7 . B9 20000000 MOV ECX,20
00B7A9AC > 6A 00 PUSH 0
00B7A9AE . 6A 00 PUSH 0
00B7A9B0 . 49 DEC ECX
00B7A9B1 .^ 75 F9 JNZ SHORT Skype.00B7A9AC
00B7A9B3 . 53 PUSH EBX
00B7A9B4 . 56 PUSH ESI
00B7A9B5 . 57 PUSH EDI
00B7A9B6 . B8 749FB700 MOV EAX,Skype.00B79F74
00B7A9BB . E8 6CD088FF CALL Skype.00407A2C ; // *** Init CALL ****
00B7A9C0 . BF 78E6B800 MOV EDI,Skype.00B8E678
00B7A9C5 . 33C0 XOR EAX,EAX
00B7A9C7 . 55 PUSH EBP
00B7A9C8 . 68 1BBAB700 PUSH Skype.00B7BA1B
00B7A9CD . 64:FF30 PUSH DWORD PTR FS:[EAX]
00B7A9D0 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00B7A9D3 . A1 90B2B800 MOV EAX,DWORD PTR DS:[B8B290]
00B7A9D8 . C600 01 MOV BYTE PTR DS:[EAX],1
00B7A9DB . 6A 00 PUSH 0
00B7A9DD . E8 661D8AFF CALL
00B7A9E2 . E8 3DB6A6FF CALL Skype.005E6024 ; // detect debug (check #2)
00B7A9E7 . 84C0 TEST AL,AL
00B7A9E9 . 74 1A JE SHORT Skype.00B7AA05
00B7A9EB . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00B7A9ED . 68 30BAB700 PUSH Skype.00B7BA30 ; |Title = "Skype"
00B7A9F2 . 68 38BAB700 PUSH Skype.00B7BA38 ; |Text = "Skype is not compatible with system debuggers like SoftICE."
00B7A9F7 . 6A 00 PUSH 0 ; |hOwner = NULL
00B7A9F9 . E8 32E188FF CALL ; \MessageBoxA
00B7A9FE . 6A 00 PUSH 0 ; /ExitCode = 0
00B7AA00 . E8 FBD488FF CALL ; \ExitProcess
00B7AA05 > B9 7CBAB700 MOV ECX,Skype.00B7BA7C ; ASCII "Starting .."
00B7AA0A . BA 94BAB700 MOV EDX,Skype.00B7BA94 ; ASCII "Skype.main"


// Init call
00407A2C /$ 53 PUSH EBX
00407A2D |. 8BD8 MOV EBX,EAX
00407A2F |. 33C0 XOR EAX,EAX
00407A31 |. A3 A4C0B700 MOV DWORD PTR DS:[B7C0A4],EAX
00407A36 |. 6A 00 PUSH 0 ; /pModule = NULL
00407A38 |. E8 2BFFFFFF CALL ; \GetModuleHandleA
00407A3D |. A3 68C6B800 MOV DWORD PTR DS:[B8C668],EAX
00407A42 |. A1 68C6B800 MOV EAX,DWORD PTR DS:[B8C668]
00407A47 |. A3 B0C0B700 MOV DWORD PTR DS:[B7C0B0],EAX
00407A4C |. 33C0 XOR EAX,EAX
00407A4E |. A3 B4C0B700 MOV DWORD PTR DS:[B7C0B4],EAX
00407A53 |. 33C0 XOR EAX,EAX
00407A55 |. A3 B8C0B700 MOV DWORD PTR DS:[B7C0B8],EAX
00407A5A |. E8 C1FFFFFF CALL Skype.00407A20
00407A5F |. BA ACC0B700 MOV EDX,Skype.00B7C0AC
00407A64 |. 8BC3 MOV EAX,EBX
00407A66 |. E8 95D2FFFF CALL Skype.00404D00 ; // all the init CALLs happen in here
00407A6B |. 5B POP EBX
00407A6C \. C3 RETN


00404D00 /$ C705 14C0B800 F01240>MOV DWORD PTR DS:[B8C014],
00404D0A |. C705 18C0B800 001340>MOV DWORD PTR DS:[B8C018],
00404D14 |. A3 40C6B800 MOV DWORD PTR DS:[B8C640],EAX
00404D19 |. 33C0 XOR EAX,EAX
00404D1B |. A3 44C6B800 MOV DWORD PTR DS:[B8C644],EAX
00404D20 |. 8915 48C6B800 MOV DWORD PTR DS:[B8C648],EDX
00404D26 |. 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00404D29 |. A3 30C0B800 MOV DWORD PTR DS:[B8C030],EAX
00404D2E |. E8 A5FEFFFF CALL Skype.00404BD8
00404D33 |. C605 38C0B800 00 MOV BYTE PTR DS:[B8C038],0
00404D3A |. E8 51FFFFFF CALL Skype.00404C90 ; // Delphi programs all seem to look like this
00404D3F \. C3 RETN


00404C90 $ 55 PUSH EBP
00404C91 . 8BEC MOV EBP,ESP
00404C93 . 83C4 F8 ADD ESP,-8
00404C96 . 53 PUSH EBX
00404C97 . 56 PUSH ESI
00404C98 . 57 PUSH EDI
00404C99 . BF 38C6B800 MOV EDI,Skype.00B8C638
00404C9E . 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
00404CA1 . 85C0 TEST EAX,EAX
00404CA3 . 74 54 JE SHORT Skype.00404CF9
00404CA5 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00404CA7 . 33DB XOR EBX,EBX
00404CA9 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00404CAC . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404CAF . 33C0 XOR EAX,EAX
00404CB1 . 55 PUSH EBP
00404CB2 . 68 E54C4000 PUSH Skype.00404CE5
00404CB7 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00404CBA . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404CBD . 3BF3 CMP ESI,EBX
00404CBF . 7E 1A JLE SHORT Skype.00404CDB
00404CC1 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00404CC4 . 8B04D8 MOV EAX,DWORD PTR DS:[EAX+EBX*8]
00404CC7 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404CCA . 43 INC EBX
00404CCB . 895F 0C MOV DWORD PTR DS:[EDI+C],EBX
00404CCE . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00404CD2 . 74 03 JE SHORT Skype.00404CD7
00404CD4 . FF55 F8 CALL DWORD PTR SS:[EBP-8] ; // calls each init func; 00B75AF0 is the crucial one
00404CD7 > 3BF3 CMP ESI,EBX
00404CD9 .^ 7F E6 JG SHORT Skype.00404CC1
00404CDB > 33C0 XOR EAX,EAX
00404CDD . 5A POP EDX
00404CDE . 59 POP ECX
00404CDF . 59 POP ECX
00404CE0 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00404CE3 . EB 14 JMP SHORT Skype.00404CF9
00404CE5 .^ E9 3AF9FFFF JMP Skype.00404624
00404CEA . E8 31FFFFFF CALL Skype.00404C20
00404CEF . E8 08FDFFFF CALL Skype.004049FC
00404CF4 . E8 57FDFFFF CALL Skype.00404A50
00404CF9 > 5F POP EDI
00404CFA . 5E POP ESI
00404CFB . 5B POP EBX
00404CFC . 59 POP ECX
00404CFD . 59 POP ECX
00404CFE . 5D POP EBP
00404CFF . C3 RETN


For the two debugger checks, set breakpoints on CreateFileA and CreateFileW and you trace into them very quickly. Note that it does not detect OllyDbg.


3. The crucial init CALL: 00B75AF0-00B75EB1

// decodes 00724F70-00B70F70 (size 0044C000) and resolves the second IAT
// second IAT: 00A09F70-00A0A38C, size: 041C
// after 00B75AF0 returns, memory is entirely plaintext.


00B75AF0 /> /55 PUSH EBP
00B75AF1 |. |8BEC MOV EBP,ESP
00B75AF3 |. |83C4 A0 ADD ESP,-60
00B75AF6 |. |33C0 XOR EAX,EAX
00B75AF8 |. |8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00B75AFB |. |8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
00B75AFE |. |8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00B75B01 |. |8945 AC MOV DWORD PTR SS:[EBP-54],EAX
00B75B04 |. |33C0 XOR EAX,EAX
00B75B06 |. |55 PUSH EBP
00B75B07 |. |68 A75EB700 PUSH Skype.00B75EA7
00B75B0C |. |64:FF30 PUSH DWORD PTR FS:[EAX]
00B75B0F |. |64:8920 MOV DWORD PTR FS:[EAX],ESP
00B75B12 |. |A1 18BAB800 MOV EAX,DWORD PTR DS:[B8BA18]
00B75B17 |. |C700 09000000 MOV DWORD PTR DS:[EAX],9
00B75B1D |. |B8 287A5E00 MOV EAX,Skype.
00B75B22 |. |8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00B75B25 |. C745 D0 F4000000 MOV DWORD PTR SS:[EBP-30],0F4
00B75B2C |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B2F |. 50 PUSH EAX ; /pOldProtect
00B75B30 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00B75B32 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B35 |. 50 PUSH EAX ; |Size
00B75B36 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B39 |. 50 PUSH EAX ; |Address
00B75B3A |. E8 192789FF CALL ; \VirtualProtect
00B75B3F |. 85C0 TEST EAX,EAX
00B75B41 |. 75 0A JNZ SHORT Skype.00B75B4D
00B75B43 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B48 |. E8 2BFAFFFF CALL Skype.00B75578
00B75B4D |> 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00B75B50 |. 33C9 XOR ECX,ECX
00B75B52 |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00B75B55 |. E8 96DD88FF CALL Skype.004038F0 ; zeroes the short stretch of code starting at the OEP, to defeat a dump taken after decoding
00B75B5A |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B5D |. 50 PUSH EAX ; /pOldProtect
00B75B5E |. 6A 20 PUSH 20 ; |NewProtect = PAGE_EXECUTE_READ
00B75B60 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B63 |. 50 PUSH EAX ; |Size
00B75B64 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B67 |. 50 PUSH EAX ; |Address
00B75B68 |. E8 EB2689FF CALL ; \VirtualProtect
00B75B6D |. 85C0 TEST EAX,EAX
00B75B6F |. 75 0A JNZ SHORT Skype.00B75B7B
00B75B71 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B76 |. E8 FDF9FFFF CALL Skype.00B75578
00B75B7B |> C605 0C5FB800 01 MOV BYTE PTR DS:[B85F0C],1
00B75B82 |. 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
00B75B84 |. 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
00B75B89 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75B8E |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75B8F |. 6A 00 PUSH 0 ; |Address = NULL
00B75B91 |. E8 B22689FF CALL ; \VirtualAlloc, allocates memory for the decoding
00B75B96 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75B9B |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75BA2 |. 75 0A JNZ SHORT Skype.00B75BAE
00B75BA4 |. B8 D45EB700 MOV EAX,Skype.00B75ED4 ; ASCII "Not enough memory!"
00B75BA9 |. E8 CAF9FFFF CALL Skype.00B75578
00B75BAE |> B8 684F7200 MOV EAX,Skype.00724F68 ; the decoding code starts here: very simple, just a XOR, except that the XOR value keeps changing
00B75BB3 |. BA 684F7200 MOV EDX,Skype.00724F68
00B75BB8 |. 0302 ADD EAX,DWORD PTR DS:[EDX]
00B75BBA |. 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
00B75BBD |. 33C0 XOR EAX,EAX
00B75BBF |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00B75BC2 |. E9 83000000 JMP Skype.00B75C4A
00B75BC7 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]


... some code omitted


00B75C3B |. 8345 EC 71 ||ADD DWORD PTR SS:[EBP-14],71
00B75C3F |. FF45 E8 ||INC DWORD PTR SS:[EBP-18]
00B75C42 |. FF4D C8 ||DEC DWORD PTR SS:[EBP-38]
00B75C45 |.^ 75 D0 |\JNZ SHORT Skype.00B75C17
00B75C47 |> FF45 F8 |INC DWORD PTR SS:[EBP-8]
00B75C4A |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00B75C4D |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75C50 |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75C58 |.^ 0F87 69FFFFFF \JA Skype.00B75BC7 ; the decoding code ends here


00B75C5E |. 33C0 XOR EAX,EAX ; from here on it resolves an internal IAT
00B75C60 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00B75C63 |. 33C0 XOR EAX,EAX
00B75C65 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00B75C68 |. C745 E8 01000000 MOV DWORD PTR SS:[EBP-18],1
00B75C6F |> 8B45 E8 /MOV EAX,DWORD PTR SS:[EBP-18]


... some code omitted


00B75D51 |> 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00B75D54 |. 0145 DC |ADD DWORD PTR SS:[EBP-24],EAX
00B75D57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75D5A |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75D5D |. 8B0485 705FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F70]
00B75D64 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C]
00B75D6A |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
00B75D6D |. 8910 |MOV DWORD PTR DS:[EAX],EDX
00B75D6F |> FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75D72 |. 817D E8 09010000 |CMP DWORD PTR SS:[EBP-18],109
00B75D79 |.^ 0F85 F0FEFFFF \JNZ Skype.00B75C6F


00B75D7F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75D82 |. 50 PUSH EAX ; /pOldProtect
00B75D83 |. 6A 04 PUSH 4 ; |NewProtect = PAGE_READWRITE
00B75D85 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75D8A |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75D8B |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
00B75D8E |. 50 PUSH EAX ; |Address
00B75D8F |. E8 C42489FF CALL ; \VirtualProtect
00B75D94 |. 85C0 TEST EAX,EAX
00B75D96 |. 75 51 JNZ SHORT Skype.00B75DE9
00B75D98 |. 68 405FB700 PUSH Skype.00B75F40 ; ASCII "error 9920 ("
00B75D9D |. 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
00B75DA0 |. B2 08 MOV DL,8
00B75DA2 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60]
00B75DA7 |. E8 E09791FF CALL Skype.0048F58C
00B75DAC |. FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
00B75DAF |. 68 585FB700 PUSH Skype.00B75F58
00B75DB4 |. E8 572289FF CALL ; GetLastError
00B75DB9 |. 33D2 XOR EDX,EDX
00B75DBB |. 52 PUSH EDX ; /Arg2 => 00000000
00B75DBC |. 50 PUSH EAX ; |Arg1
00B75DBD |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] ; |
00B75DC0 |. E8 9B5189FF CALL Skype.0040AF60 ; \Skype.0040AF60
00B75DC5 |. FF75 A0 PUSH DWORD PTR SS:[EBP-60]
00B75DC8 |. 68 645FB700 PUSH Skype.00B75F64
00B75DCD |. 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00B75DD0 |. BA 05000000 MOV EDX,5
00B75DD5 |. E8 52F688FF CALL Skype.0040542C
00B75DDA |. 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00B75DDD |. E8 46468CFF CALL Skype.0043A428
00B75DE2 |. 6A 00 PUSH 0 ; /ExitCode = 0
00B75DE4 |. E8 172189FF CALL ; \ExitProcess
00B75DE9 |> 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00B75DEC |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C]
00B75DF1 |. 8B0D 605FB800 MOV ECX,DWORD PTR DS:[B85F60] ; Skype.0044C000
00B75DF7 |. E8 14D388FF CALL Skype.00403110 ; copies the decoded buffer back over the original (the memcpy in the C sketch below)
00B75DFC |. 68 00800000 PUSH 8000 ; /FreeType = MEM_RELEASE
00B75E01 |. 6A 00 PUSH 0 ; |Size = 0
00B75E03 |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C] ; |
00B75E08 |. 50 PUSH EAX ; |Address => NULL
00B75E09 |. E8 422489FF CALL ; \VirtualFree
00B75E0E |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00B75E11 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75E16 |. 33C0 XOR EAX,EAX
00B75E18 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00B75E1B |> 8D45 FC /LEA EAX,DWORD PTR SS:[EBP-4]
00B75E1E |. 50 |PUSH EAX ; /pOldProtect
00B75E1F |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E22 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E25 |. 8B0485 205FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F20] ; |
00B75E2C |. 50 |PUSH EAX ; |NewProtect
00B75E2D |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E30 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E33 |. 8B0485 145FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F14] ; |
00B75E3A |. 50 |PUSH EAX ; |Size
00B75E3B |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E3E |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E41 |. 8B0485 105FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F10] ; |
00B75E48 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C] ; |
00B75E4E |. 50 |PUSH EAX ; |Address
00B75E4F |. E8 042489FF |CALL ; \VirtualProtect
00B75E54 |. FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75E57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75E5A |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75E5D |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75E65 |.^ 75 B4 \JNZ SHORT Skype.00B75E1B
00B75E67 |. A1 705FB800 MOV EAX,DWORD PTR DS:[B85F70]
00B75E6C |. 0305 4CE1B800 ADD EAX,DWORD PTR DS:[B8E14C]
00B75E72 |. 6A 00 PUSH 0
00B75E74 |. 6A 01 PUSH 1
00B75E76 |. FF35 4CE1B800 PUSH DWORD PTR DS:[B8E14C]
00B75E7C |. FFD0 CALL EAX
00B75E7E |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75E85 |. 75 05 JNZ SHORT Skype.00B75E8C
00B75E87 |. E8 3805A7FF CALL Skype.005E63C4
00B75E8C |> 33C0 XOR EAX,EAX
00B75E8E |. 5A POP EDX
00B75E8F |. 59 POP ECX
00B75E90 |. 59 POP ECX
00B75E91 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00B75E94 |. 68 AE5EB700 PUSH Skype.00B75EAE
00B75E99 |> 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00B75E9C |. BA 04000000 MOV EDX,4
00B75EA1 |. E8 FEF188FF CALL Skype.004050A4
00B75EA6 \. C3 RETN
00B75EA7 .^ E9 2CEA88FF JMP Skype.004048D8
00B75EAC .^ EB EB JMP SHORT Skype.00B75E99
00B75EAE . 8BE5 MOV ESP,EBP
00B75EB0 . 5D POP EBP
00B75EB1 . C3 RETN


The whole process, written roughly in C (loop bounds and the key schedule are left as "..." and "xxxx", as in the original sketch):

    /* 1. wipe the small stub at the OEP so a later dump lacks it */
    VirtualProtect(OEP, size, PAGE_EXECUTE_READWRITE, &oldProtect);
    memset(OEP, 0, size);
    VirtualProtect(OEP, size, PAGE_EXECUTE_READ, &oldProtect);

    /* 2. decode into a scratch buffer with a XOR key that keeps changing */
    pMem = VirtualAlloc(NULL, 0x44C000, MEM_COMMIT, PAGE_READWRITE);
    value = 0X????;
    for (i = 0; i < ...; i++) {
        for (j = 0; j < ...; j++) {
            offset = ....
            pMem[offset] = pOrig[offset] ^ value;
            value = xxxx;            /* the XOR value changes at every step */
        }
    }

    /* 3. resolve the second (private) IAT straight into the scratch buffer */
    for (i = 0; i < ...; i++) {
        if (info[i].flags == xxx)
            Handle = LoadLibrary(info[i].name);
        else {
            pProc = GetProcAddress(Handle, info[i].name);
            offset = info[i].offset;
            pMem[offset] = pProc;
        }
    }

    /* 4. copy the result back over the original region, release the scratch
          buffer and restore the per-block page protections */
    VirtualProtect(pStart, 0x44C000, PAGE_READWRITE, &oldProtect);
    memcpy(pStart, pMem, 0x44C000);
    VirtualFree(pMem, 0, MEM_RELEASE);
    for (i = 0; i < ...; i++) {
        offset = ...
        VirtualProtect(pStart + offset, sizexx, NewProtectxxxx, &oldProtect);
    }


Let us look at what this achieves:

a.) While decoding, it wipes a short stretch of code at the OEP, which defeats a simple dump taken after decoding.

b.) Because it calls VirtualProtect, a memory-write breakpoint set on the decrypted code region no longer fires.

c.) There are two IATs: the first is the EXE's standard one, resolved by the loader; the other is resolved by the program itself after decoding. So even though memory is entirely plaintext after decoding, the IAT is not easy to repair once dumped:

the two IATs lie far apart in memory, ImportRec does not seem to work, and surely nobody expects you to build the import table (IT) by hand?
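The decode-then-resolve sequence in the C sketch above, together with the dump-repair problem raised in point c.), modelled as an added Python example (this is not code from the original post, nor Skype's): a rolling-XOR decode into a scratch buffer, a walk over a private import-info table that writes the resolved pointers into that buffer at recorded offsets, and the analyst-side scan that recovers those scattered slots from a plaintext dump by matching every dword against known export addresses. Everything in it is constructed: the 0x71 key step (the listing's inner loop does ADD [EBP-14],71, but treating that as the key update is an assumption), the module and export addresses, the flag values and the info-table layout are all toy values.

```python
import struct

# Assumed layout of an info entry: (flags, name, offset). A FLAG_MODULE entry
# selects the module to "LoadLibrary"; any other entry names a function whose
# resolved address is written at `offset` inside the decoded image.
FLAG_MODULE = 1
FLAG_IMPORT = 0


def rolling_xor(buf: bytes, seed: int, step: int = 0x71) -> bytes:
    """XOR every byte with a key that changes after each byte.

    The per-byte ADD 0x71 mirrors the ADD [EBP-14],71 in the listing's inner
    loop; that it is the key update is an assumption made for this model.
    XOR with the same schedule both packs and unpacks, so the function is
    its own inverse.
    """
    out = bytearray(len(buf))
    key = seed & 0xFF
    for i, b in enumerate(buf):
        out[i] = b ^ key
        key = (key + step) & 0xFF
    return bytes(out)


def resolve_private_iat(image: bytearray, info, exports) -> dict:
    """Walk the import-info table as the C sketch does and patch 4-byte
    pointers into `image`. Returns {offset: "module!name"}: exactly the map
    a dump repair needs and the PE import directory does not contain."""
    iat_map = {}
    module = None
    for flags, name, offset in info:
        if flags == FLAG_MODULE:
            module = name                      # Handle = LoadLibrary(name)
            continue
        addr = exports[module][name]           # pProc = GetProcAddress(Handle, name)
        struct.pack_into("<I", image, offset, addr)
        iat_map[offset] = f"{module}!{name}"
    return iat_map


def unpack(packed: bytes, seed: int, info, exports):
    """Decode into a scratch buffer (the stub's VirtualAlloc block), patch the
    second IAT into it, and return the finished image plus the slot map."""
    scratch = bytearray(rolling_xor(packed, seed))
    iat_map = resolve_private_iat(scratch, info, exports)
    return bytes(scratch), iat_map


def find_private_iat_slots(image: bytes, exports) -> dict:
    """Analyst side: given a plaintext dump and the export addresses of the
    loaded modules, find every dword equal to a known export. The second IAT
    is a set of scattered pointer slots, not an import directory, so this
    pointer scan is what recovers the {offset: "module!name"} map."""
    by_addr = {addr: f"{mod}!{fn}"
               for mod, fns in exports.items() for fn, addr in fns.items()}
    found = {}
    for off in range(len(image) - 3):
        val = struct.unpack_from("<I", image, off)[0]
        if val in by_addr:
            found[off] = by_addr[val]
    return found


# --- constructed sample data (not real module addresses, not Skype data) ---
EXPORTS = {
    "kernel32.dll": {"VirtualProtect": 0x10001000, "ExitProcess": 0x10002000},
    "user32.dll": {"MessageBoxA": 0x20001000},
}
INFO = [
    (FLAG_MODULE, "kernel32.dll", 0),
    (FLAG_IMPORT, "VirtualProtect", 3),     # slot at image offset 3
    (FLAG_MODULE, "user32.dll", 0),
    (FLAG_IMPORT, "MessageBoxA", 8),        # slot at image offset 8
]
SEED = 0x5A
# plaintext "code": push ebp / mov ebp,esp ; <slot> ; ret ; <slot> ; nops
PLAIN = b"\x55\x8b\xec" + b"\x00" * 4 + b"\xc3" + b"\x00" * 4 + b"\x90" * 4
PACKED = rolling_xor(PLAIN, SEED)           # what sits "on disk" in this model

if __name__ == "__main__":
    image, slots = unpack(PACKED, SEED, INFO, EXPORTS)
    print(image.hex(" "))
    print("second IAT written by the stub:", slots)
    print("recovered from the dump by scan:", find_private_iat_slots(image, EXPORTS))
```

The point of the scan is point c.): after the stub has run, the only record of the second IAT is the pointer values themselves, so repairing a dump means locating those slots and mapping each back to a module and export name, which is the table the stub's own info entries produced during resolution.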



