
Unpacking techniques: a few anti-tracing tricks in DBPE (21K characters), tracing

2010-1-30 18:18 | Posted by: admin | Views: 71 | Comments: 0 | Original author: 柳梦璃


Monday, 23 June 2008, 14:35
DBPE is a fairly good packer. For people who know this area it is nothing special, but for me it was hard going: it took an enormous effort to work out even this little bit.

I don't know how it behaves under Win NT; my several attempts at patching it there never got to the crux, so I can only describe the Win 9x situation. (On the NT line the IDT lives in kernel pages that ring 3 cannot write, so the stores into the interrupt gate shown below would raise an access violation instead of taking effect; the trick as analysed here is a Win 9x one.)



The write-up has four parts:

Part 1

Analysis of how the INT3 interrupt is set up and how the program gets into ring 0; this is where the INT3 interrupt gate is installed.

Part 2

Analysis of the INT3 handler, which installs the INT1 interrupt gate and clears any breakpoints set with the debug registers.

Part 3

Analysis of the INT1 handler, which merely performs a small piece of decoding.

Part 4

Other odds and ends, such as how the operating-system identification flag is obtained.





Part 1: analysis of the INT3 interrupt and the jump into ring 0

The program first modifies the INT3 interrupt gate, so you simply cannot set BPX breakpoints any more (a bpx is an INT3 breakpoint, so it goes through the very gate being hijacked); at this point BPM breakpoints, which use the debug registers, and single-step breakpoints still work. Look at this code. Lines marked "patched" are junk bytes that the control flow never executes; they were replaced with NOP so that the listing disassembles cleanly:

004F671C  90                NOP                                ==> patched
004F671D  0F010E            SIDT FWORD PTR DS:[ESI]            ==> store the interrupt descriptor table register (IDTR: limit + base)
                                                               ==> into the 6 bytes at [ESI]
004F6720  9C                PUSHFD
004F6721  6A 10             PUSH 10
004F6723  73 0B             JNB SHORT 4F69F6-.004F6730
004F6725  EB 02             JMP SHORT 4F69F6-.004F6729
004F6727  90                NOP                                ==> patched
004F6728  90                NOP                                ==> patched
004F6729  E8 06000000       CALL 4F69F6-.004F6734
004F672E  90                NOP                                ==> patched
004F672F  90                NOP                                ==> patched
004F6730  73 F7             JNB SHORT 4F69F6-.004F6729
004F6732  5B                POP EBX
004F6733  90                NOP                                ==> patched
004F6734  83C4 04           ADD ESP,4
004F6737  EB 02             JMP SHORT 4F69F6-.004F673B
004F6739  99                CDQ
004F673A  90                NOP                                ==> patched
004F673B  FF0C24            DEC DWORD PTR SS:[ESP]
004F673E  71 01             JNO SHORT 4F69F6-.004F6741
004F6740  90                NOP                                ==> patched
004F6741  79 E0             JNS SHORT 4F69F6-.004F6723
004F6743  7A 01             JPE SHORT 4F69F6-.004F6746
004F6745  90                NOP                                ==> patched
004F6746  83C4 04           ADD ESP,4
004F6749  9D                POPFD
004F674A  EB 01             JMP SHORT 4F69F6-.004F674D
004F674C  90                NOP                                ==> patched
004F674D  8B76 02           MOV ESI,DWORD PTR DS:[ESI+2]       ==> fetch the IDT base address (bytes 2..5 of the SIDT image)
004F6750  9C                PUSHFD
004F6751  72 0A             JB SHORT 4F69F6-.004F675D
004F6753  EB 01             JMP SHORT 4F69F6-.004F6756
004F6755  90                NOP                                ==> patched
004F6756  E8 05000000       CALL 4F69F6-.004F6760
004F675B  EB 77             JMP SHORT 4F69F6-.004F67D4
004F675D  72 F4             JB SHORT 4F69F6-.004F6753
004F675F  90                NOP                                ==> patched
004F6760  83C4 04           ADD ESP,4
004F6763  9D                POPFD
004F6764  EB 01             JMP SHORT 4F69F6-.004F6767
004F6766  90                NOP                                ==> patched
004F6767  66:8B46 18        MOV AX,WORD PTR DS:[ESI+18]        ==> read the INT3 gate: low 16 bits of the handler offset
004F676B  9C                PUSHFD
004F676C  6A 10             PUSH 10
004F676E  73 0B             JNB SHORT 4F69F6-.004F677B
004F6770  EB 02             JMP SHORT 4F69F6-.004F6774
004F6772  90                NOP                                ==> patched
004F6773  90                NOP                                ==> patched
004F6774  E8 06000000       CALL 4F69F6-.004F677F
004F6779  90                NOP                                ==> patched
004F677A  90                NOP                                ==> patched
004F677B  73 F7             JNB SHORT 4F69F6-.004F6774
004F677D  5B                POP EBX
004F677E  90                NOP                                ==> patched
004F677F  83C4 04           ADD ESP,4
004F6782  EB 02             JMP SHORT 4F69F6-.004F6786
004F6784  99                CDQ
004F6785  90                NOP                                ==> patched
004F6786  FF0C24            DEC DWORD PTR SS:[ESP]
004F6789  71 01             JNO SHORT 4F69F6-.004F678C
004F678B  90                NOP                                ==> patched
004F678C  79 E0             JNS SHORT 4F69F6-.004F676E
004F678E  7A 01             JPE SHORT 4F69F6-.004F6791
004F6790  90                NOP                                ==> patched
004F6791  83C4 04           ADD ESP,4
004F6794  9D                POPFD
004F6795  EB 01             JMP SHORT 4F69F6-.004F6798
004F6797  90                NOP                                ==> patched
004F6798  66:8B5E 1E        MOV BX,WORD PTR DS:[ESI+1E]        ==> read the INT3 gate: high 16 bits of the handler offset
004F679C  72 03             JB SHORT 4F69F6-.004F67A1
004F679E  73 01             JNB SHORT 4F69F6-.004F67A1
004F67A0  90                NOP                                ==> patched
004F67A1  66:8985 C3164600  MOV WORD PTR SS:[EBP+4616C3],AX    ==> save the original gate (low word)
004F67A8  72 03             JB SHORT 4F69F6-.004F67AD
004F67AA  73 01             JNB SHORT 4F69F6-.004F67AD
004F67AC  90                NOP                                ==> patched
004F67AD  66:899D C5164600  MOV WORD PTR SS:[EBP+4616C5],BX    ==> save the original gate (high word)
004F67B4  74 03             JE SHORT 4F69F6-.004F67B9
004F67B6  75 01             JNZ SHORT 4F69F6-.004F67B9
004F67B8  90                NOP                                ==> patched
004F67B9  B8 77244600       MOV EAX,4F69F6-.00462477           ==> the new gate address before relocation (EBP is added below)
004F67BE  9C                PUSHFD
004F67BF  6A 10             PUSH 10
004F67C1  73 0B             JNB SHORT 4F69F6-.004F67CE
004F67C3  EB 02             JMP SHORT 4F69F6-.004F67C7
004F67C5  90                NOP                                ==> patched
004F67C6  90                NOP                                ==> patched
004F67C7  E8 06000000       CALL 4F69F6-.004F67D2
004F67CC  90                NOP                                ==> patched
004F67CD  90                NOP                                ==> patched
004F67CE  73 F7             JNB SHORT 4F69F6-.004F67C7
004F67D0  5B                POP EBX
004F67D1  90                NOP                                ==> patched
004F67D2  83C4 04           ADD ESP,4
004F67D5  EB 02             JMP SHORT 4F69F6-.004F67D9
004F67D7  99                CDQ
004F67D8  90                NOP                                ==> patched
004F67D9  FF0C24            DEC DWORD PTR SS:[ESP]
004F67DC  71 01             JNO SHORT 4F69F6-.004F67DF
004F67DE  90                NOP                                ==> patched
004F67DF  79 E0             JNS SHORT 4F69F6-.004F67C1
004F67E1  7A 01             JPE SHORT 4F69F6-.004F67E4
004F67E3  90                NOP                                ==> patched
004F67E4  83C4 04           ADD ESP,4
004F67E7  9D                POPFD
004F67E8  EB 01             JMP SHORT 4F69F6-.004F67EB
004F67EA  90                NOP                                ==> patched
004F67EB  03C5              ADD EAX,EBP                        ==> address of the new INT3 handler = 0x0054F1CC
004F67ED  7A 03             JPE SHORT 4F69F6-.004F67F2
004F67EF  7B 01             JPO SHORT 4F69F6-.004F67F2
004F67F1  90                NOP                                ==> patched
004F67F2  66:8946 18        MOV WORD PTR DS:[ESI+18],AX        ==> write the low word of the new INT3 handler address;
                                                               ==> from this point on bpx breakpoints no longer work
                                                               ==> 0x18 == 24 == 8*3: each interrupt gate is 8 bytes,
                                                               ==> so the gate for vector 3 starts at IDT base + 0x18
                                                               ==> gate layout: xx xx ?? ??
                                                               ==>              ?? ?? xx xx
                                                               ==> xx = handler offset (low word at +0, high word at +6);
                                                               ==> ?? = code selector at +2 and type/DPL byte at +4, left untouched
004F67F6  9C                PUSHFD
004F67F7  6A 10             PUSH 10
004F67F9  73 0B             JNB SHORT 4F69F6-.004F6806
004F67FB  EB 02             JMP SHORT 4F69F6-.004F67FF
004F67FD  90                NOP                                ==> patched
004F67FE  90                NOP                                ==> patched
004F67FF  E8 06000000       CALL 4F69F6-.004F680A
004F6804  90                NOP                                ==> patched
004F6805  90                NOP                                ==> patched
004F6806  73 F7             JNB SHORT 4F69F6-.004F67FF
004F6808  5B                POP EBX
004F6809  90                NOP                                ==> patched
004F680A  83C4 04           ADD ESP,4
004F680D  EB 02             JMP SHORT 4F69F6-.004F6811
004F680F  99                CDQ
004F6810  90                NOP                                ==> patched
004F6811  FF0C24            DEC DWORD PTR SS:[ESP]
004F6814  71 01             JNO SHORT 4F69F6-.004F6817
004F6816  90                NOP                                ==> patched
004F6817  79 E0             JNS SHORT 4F69F6-.004F67F9
004F6819  7A 01             JPE SHORT 4F69F6-.004F681C
004F681B  90                NOP                                ==> patched
004F681C  83C4 04           ADD ESP,4
004F681F  9D                POPFD
004F6820  EB 01             JMP SHORT 4F69F6-.004F6823
004F6822  90                NOP                                ==> patched
004F6823  C1E8 10           SHR EAX,10                         ==> high word of the new INT3 handler address
004F6826  72 03             JB SHORT 4F69F6-.004F682B
004F6828  73 01             JNB SHORT 4F69F6-.004F682B
004F682A  90                NOP                                ==> patched
004F682B  66:8946 1E        MOV WORD PTR DS:[ESI+1E],AX        ==> write the high word of the new INT3 handler address
                                                               ==> the new interrupt gate is now in place:
                                                               ==> the process can execute INT3 itself
                                                               ==> without any exception being raised;
                                                               ==> INT3 has in effect become a subroutine call, and because the
                                                               ==> gate's selector and DPL were left alone, that subroutine runs at ring 0
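To make the gate arithmetic above concrete, here is an added example (my own code, not part of the original article or of DBPE). It models the 8-byte 32-bit interrupt gate on a constructed in-memory table that stands in for the IDT, and reproduces the listing's sequence: save the two offset words, write the low word of the new handler at vector*8 + 0 and the high word (the SHR EAX,10 step) at vector*8 + 6, and leave the selector and the type/DPL byte untouched. The selector value 0x28, the handler addresses in the fake table and the DPL assignments are all assumptions made up for the demo; nothing here touches a live IDT.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example: a constructed IDT image, not a real one. */
#define GATE_SIZE   8u
#define IDT_VECTORS 32u                 /* vectors 0..31 are enough for the demo */

/* Byte offsets inside one 32-bit interrupt gate. */
#define GATE_OFF_LO 0   /* handler offset bits 15..0  -> the listing's [ESI+18] for vector 3 */
#define GATE_SEL    2   /* code segment selector       */
#define GATE_TYPE   4   /* reserved byte, then P/DPL/type byte at +5 */
#define GATE_OFF_HI 6   /* handler offset bits 31..16 -> the listing's [ESI+1E] for vector 3 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Gate for a vector starts at vector * 8: vector 3 -> 0x18, vector 1 -> 0x08. */
static size_t gate_index(unsigned vector) { return (size_t)vector * GATE_SIZE; }

uint32_t gate_get_offset(const uint8_t *idt, unsigned vector) {
    const uint8_t *g = idt + gate_index(vector);
    return (uint32_t)rd16(g + GATE_OFF_LO) | ((uint32_t)rd16(g + GATE_OFF_HI) << 16);
}

uint16_t gate_get_selector(const uint8_t *idt, unsigned vector) {
    return rd16(idt + gate_index(vector) + GATE_SEL);
}

/* DPL is bits 6..5 of the byte at +5.  A gate that a ring-3 INT n may use
 * must have DPL 3; otherwise the CPU raises #GP instead of entering it. */
unsigned gate_get_dpl(const uint8_t *idt, unsigned vector) {
    return (idt[gate_index(vector) + GATE_TYPE + 1] >> 5) & 3u;
}

/* Same steps as the listing: save the original offset words, then overwrite
 * only the two offset words.  Selector and attributes stay as they were, so
 * the new handler runs with the gate's original selector and privilege. */
void gate_hook(uint8_t *idt, unsigned vector, uint32_t new_handler, uint32_t *saved) {
    uint8_t *g = idt + gate_index(vector);
    *saved = gate_get_offset(idt, vector);
    wr16(g + GATE_OFF_LO, (uint16_t)new_handler);
    wr16(g + GATE_OFF_HI, (uint16_t)(new_handler >> 16));   /* the SHR EAX,10 step */
}

void gate_unhook(uint8_t *idt, unsigned vector, uint32_t saved) {
    uint8_t *g = idt + gate_index(vector);
    wr16(g + GATE_OFF_LO, (uint16_t)saved);
    wr16(g + GATE_OFF_HI, (uint16_t)(saved >> 16));
}

/* Constructed table: every vector gets a made-up handler address, selector
 * 0x28 (assumed ring-0 code selector), P=1, type 0xE (32-bit interrupt gate),
 * and DPL 3 for vectors 1 and 3 so a ring-3 INT 1 / INT 3 is allowed. */
void build_fake_idt(uint8_t *idt) {
    memset(idt, 0, IDT_VECTORS * GATE_SIZE);
    for (unsigned v = 0; v < IDT_VECTORS; v++) {
        uint8_t *g = idt + gate_index(v);
        uint32_t handler = 0xC0001000u + v * 0x100u;      /* constructed value */
        wr16(g + GATE_OFF_LO, (uint16_t)handler);
        wr16(g + GATE_SEL, 0x0028);
        g[GATE_TYPE] = 0;
        g[GATE_TYPE + 1] = (uint8_t)(0x8Eu | ((v == 1 || v == 3) ? 0x60u : 0x00u));
        wr16(g + GATE_OFF_HI, (uint16_t)(handler >> 16));
    }
}

/* Self-check: hooking vector 3 with the listing's 0x0054F1CC must leave
 * CC F1 at +0x18 and 54 00 at +0x1E, keep selector and DPL, and unhooking
 * must restore the table byte for byte. */
int hook_roundtrip_ok(void) {
    uint8_t a[IDT_VECTORS * GATE_SIZE], b[IDT_VECTORS * GATE_SIZE];
    uint32_t saved;
    build_fake_idt(a);
    memcpy(b, a, sizeof a);
    gate_hook(b, 3, 0x0054F1CCu, &saved);
    if (gate_get_offset(b, 3) != 0x0054F1CCu || b[0x18] != 0xCC || b[0x1E] != 0x54) return 0;
    if (gate_get_selector(b, 3) != gate_get_selector(a, 3) || gate_get_dpl(b, 3) != 3) return 0;
    gate_unhook(b, 3, saved);
    return memcmp(a, b, sizeof a) == 0;
}

int main(void) {
    uint8_t idt[IDT_VECTORS * GATE_SIZE];
    uint32_t saved;
    build_fake_idt(idt);
    gate_hook(idt, 3, 0x0054F1CCu, &saved);
    printf("vector 3: offset=%08X sel=%04X dpl=%u  bytes@18=%02X %02X  bytes@1E=%02X %02X  roundtrip=%d\n",
           gate_get_offset(idt, 3), gate_get_selector(idt, 3), gate_get_dpl(idt, 3),
           idt[0x18], idt[0x19], idt[0x1E], idt[0x1F], hook_roundtrip_ok());
    return 0;
}
```

The point the demo makes is the one the listing relies on: only the offset words change, so whatever selector and DPL the operating system installed for vector 3 remain, and the user-mode address 0x0054F1CC is entered through a kernel code selector.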

Now that the gate is set you can no longer set breakpoints with bpx. Next comes a stretch of decoding code, followed by a stretch of checking code that verifies the decoded code is correct.

....

Once those are done comes the INT3 instruction itself, which transfers control to the INT3 handler the author wrote at 0x0054F1CC:

004F69F6  CC                INT3                               ==> here the program takes over its own INT3 interrupt,
                                                               ==> i.e. control goes to the 0x0054F1CC from above



Part 2: analysis of the INT3 handler

It starts by modifying the INT1 interrupt gate:

0054F2A5  90                NOP
0054F2A6  0F010E            SIDT FWORD PTR DS:[ESI]            ==> store the IDTR at [ESI]
0054F2A9  7A 03             JPE SHORT 4F69F6.0054F2AE
0054F2AB  7B 01             JPO SHORT 4F69F6.0054F2AE
0054F2AD  90                NOP
0054F2AE  8B76 02           MOV ESI,DWORD PTR DS:[ESI+2]       ==> get the IDT base address
0054F2B1  72 03             JB SHORT 4F69F6.0054F2B6
0054F2B3  73 01             JNB SHORT 4F69F6.0054F2B6
0054F2B5  90                NOP
0054F2B6  BB 7C274600       MOV EBX,4F69F6.0046277C
0054F2BB  74 03             JE SHORT 4F69F6.0054F2C0
0054F2BD  75 01             JNZ SHORT 4F69F6.0054F2C0
0054F2BF  90                NOP
0054F2C0  03DD              ADD EBX,EBP                        ==> EBX = address of the new INT1 handler (same relocation as for INT3)
0054F2C2  9C                PUSHFD
0054F2C3  72 0A             JB SHORT 4F69F6.0054F2CF
0054F2C5  EB 01             JMP SHORT 4F69F6.0054F2C8
0054F2C7  90                NOP
0054F2C8  E8 05000000       CALL 4F69F6.0054F2D2
0054F2CD  EB 77             JMP SHORT 4F69F6.0054F346
0054F2CF  72 F4             JB SHORT 4F69F6.0054F2C5
0054F2D1  90                NOP
0054F2D2  83C4 04           ADD ESP,4
0054F2D5  9D                POPFD
0054F2D6  EB 01             JMP SHORT 4F69F6.0054F2D9
0054F2D8  90                NOP
0054F2D9  66:8B46 08        MOV AX,WORD PTR DS:[ESI+8]         ==> read the INT1 gate: low word of its offset (vector 1 starts at IDT base + 8)
0054F2DD  9C                PUSHFD
0054F2DE  72 0A             JB SHORT 4F69F6.0054F2EA
0054F2E0  EB 01             JMP SHORT 4F69F6.0054F2E3
0054F2E2  90                NOP
0054F2E3  E8 05000000       CALL 4F69F6.0054F2ED
0054F2E8  EB 77             JMP SHORT 4F69F6.0054F361
0054F2EA  72 F4             JB SHORT 4F69F6.0054F2E0
0054F2EC  90                NOP
0054F2ED  83C4 04           ADD ESP,4
0054F2F0  9D                POPFD
0054F2F1  EB 01             JMP SHORT 4F69F6.0054F2F4
0054F2F3  90                NOP
0054F2F4  66:3BD8           CMP BX,AX                          ==> is the INT1 gate already pointing at the new handler?
0054F2F7  74 53             JE SHORT 4F69F6.0054F34C           ==> if so, skip saving the original gate
0054F2F9  7A 03             JPE SHORT 4F69F6.0054F2FE
0054F2FB  7B 01             JPO SHORT 4F69F6.0054F2FE
0054F2FD  90                NOP
0054F2FE  66:8B46 08        MOV AX,WORD PTR DS:[ESI+8]         ==> original INT1 gate, low word
0054F302  7A 03             JPE SHORT 4F69F6.0054F307
0054F304  7B 01             JPO SHORT 4F69F6.0054F307
0054F306  90                NOP
0054F307  66:8B5E 0E        MOV BX,WORD PTR DS:[ESI+E]         ==> original INT1 gate, high word
0054F30B  72 03             JB SHORT 4F69F6.0054F310
0054F30D  73 01             JNB SHORT 4F69F6.0054F310
0054F30F  90                NOP
0054F310  66:8985 C7164600  MOV WORD PTR SS:[EBP+4616C7],AX    ==> save the original INT1 gate (low word), right after the saved INT3 gate
0054F317  9C                PUSHFD
0054F318  72 0A             JB SHORT 4F69F6.0054F324
0054F31A  EB 01             JMP SHORT 4F69F6.0054F31D
0054F31C  90                NOP
0054F31D  E8 05000000       CALL 4F69F6.0054F327
0054F322  EB 77             JMP SHORT 4F69F6.0054F39B
0054F324  72 F4             JB SHORT 4F69F6.0054F31A
0054F326  90                NOP
0054F327  83C4 04           ADD ESP,4
0054F32A  9D                POPFD
0054F32B  EB 01             JMP SHORT 4F69F6.0054F32E
0054F32D  90                NOP
0054F32E  66:899D C9164600  MOV WORD PTR SS:[EBP+4616C9],BX    ==> save the original INT1 gate (high word)
0054F335  9C                PUSHFD
0054F336  72 0A             JB SHORT 4F69F6.0054F342
0054F338  EB 01             JMP SHORT 4F69F6.0054F33B
0054F33A  90                NOP
0054F33B  E8 05000000       CALL 4F69F6.0054F345
0054F340  EB 77             JMP SHORT 4F69F6.0054F3B9
0054F342  72 F4             JB SHORT 4F69F6.0054F338
0054F344  90                NOP
0054F345  83C4 04           ADD ESP,4
0054F348  9D                POPFD
0054F349  EB 01             JMP SHORT 4F69F6.0054F34C
0054F34B  90                NOP
0054F34C  7A 03             JPE SHORT 4F69F6.0054F351
0054F34E  7B 01             JPO SHORT 4F69F6.0054F351
0054F350  90                NOP
0054F351  B8 7C274600       MOV EAX,4F69F6.0046277C
0054F356  9C                PUSHFD
0054F357  72 0A             JB SHORT 4F69F6.0054F363
0054F359  EB 01             JMP SHORT 4F69F6.0054F35C
0054F35B  90                NOP
0054F35C  E8 05000000       CALL 4F69F6.0054F366
0054F361  EB 77             JMP SHORT 4F69F6.0054F3DA
0054F363  72 F4             JB SHORT 4F69F6.0054F359
0054F365  90                NOP
0054F366  83C4 04           ADD ESP,4
0054F369  9D                POPFD
0054F36A  EB 01             JMP SHORT 4F69F6.0054F36D
0054F36C  90                NOP
0054F36D  03C5              ADD EAX,EBP                        ==> address of the new INT1 handler = 0x0054F4D1
0054F36F  74 03             JE SHORT 4F69F6.0054F374
0054F371  75 01             JNZ SHORT 4F69F6.0054F374
0054F373  90                NOP
0054F374  66:8946 08        MOV WORD PTR DS:[ESI+8],AX         ==> overwrite the INT1 gate (low word);
                                                               ==> from now on INT1 (single-step and debug-register traps) no longer reaches the debugger
0054F378  9C                PUSHFD
0054F379  72 0A             JB SHORT 4F69F6.0054F385
0054F37B  EB 01             JMP SHORT 4F69F6.0054F37E
0054F37D  90                NOP
0054F37E  E8 05000000       CALL 4F69F6.0054F388
0054F383  EB 77             JMP SHORT 4F69F6.0054F3FC
0054F385  72 F4             JB SHORT 4F69F6.0054F37B
0054F387  90                NOP
0054F388  83C4 04           ADD ESP,4
0054F38B  9D                POPFD
0054F38C  EB 01             JMP SHORT 4F69F6.0054F38F
0054F38E  90                NOP
0054F38F  C1E8 10           SHR EAX,10                         ==> high word of the new INT1 handler address
0054F392  9C                PUSHFD
0054F393  6A 10             PUSH 10
0054F395  73 0B             JNB SHORT 4F69F6.0054F3A2
0054F397  EB 02             JMP SHORT 4F69F6.0054F39B
0054F399  90                NOP
0054F39A  90                NOP
0054F39B  E8 06000000       CALL 4F69F6.0054F3A6
0054F3A0  C411              LES EDX,FWORD PTR DS:[ECX]         ==> junk bytes left unpatched; never executed (control reaches 0054F3A6
                                                               ==> through the CALL, and the return address is discarded by ADD ESP,4)
0054F3A2  73 F7             JNB SHORT 4F69F6.0054F39B
0054F3A4  5B                POP EBX
0054F3A5  90                NOP
0054F3A6  83C4 04           ADD ESP,4
0054F3A9  EB 02             JMP SHORT 4F69F6.0054F3AD
0054F3AB  99                CDQ
0054F3AC  90                NOP
0054F3AD  FF0C24            DEC DWORD PTR SS:[ESP]
0054F3B0  71 01             JNO SHORT 4F69F6.0054F3B3
0054F3B2  90                NOP
0054F3B3  79 E0             JNS SHORT 4F69F6.0054F395
0054F3B5  7A 01             JPE SHORT 4F69F6.0054F3B8
0054F3B7  90                NOP
0054F3B8  83C4 04           ADD ESP,4
0054F3BB  9D                POPFD
0054F3BC  EB 01             JMP SHORT 4F69F6.0054F3BF
0054F3BE  90                NOP
0054F3BF  66:8946 0E        MOV WORD PTR DS:[ESI+E],AX         ==> overwrite the INT1 gate (high word)

That completes the modification of the INT1 gate.

Execution then reaches this point, which invokes INT1, i.e. the new handler at 0x0054F4D1:

0054F3FD  90                NOP
0054F3FE  CD 01             INT 1                              ==> here the program takes over its own INT1 interrupt
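Both listings are padded with the same few filler sequences: the PUSHFD / PUSH 10 countdown loop, the PUSHFD / CALL / ADD ESP,4 / POPFD block, short JMPs over one or two junk bytes, and pairs of complementary conditional jumps to the same target. The NOPs marked "patched" above, and the unpatched C4 11 at 0054F3A0, are the junk bytes those sequences jump over. The following added example (my own code, not from the article or from DBPE) transcribes those sequences from the opcode bytes in the listings into wildcard byte patterns and skips them, so a script can step from one real instruction to the next. The sample buffer is constructed from the bytes at 004F67F6..004F682E and 004F6750..004F676A as printed above; the pattern names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: wildcard signatures for the DBPE filler seen in the listings.
 * ANY stands for a junk byte the CPU never executes, whatever its value. */
#define ANY 0x100

typedef struct { const char *name; const int *pat; size_t len; } junk_pattern;

/* PUSHFD / PUSH 10 / JNB / JMP / .. / CALL / .. / JNB / POP EBX / .. / ADD ESP,4 / JMP / ..
 * / DEC [ESP] / JNO / .. / JNS back / JPE / .. / ADD ESP,4 / POPFD / JMP / ..    (45 bytes) */
static const int loop17[] = {
    0x9C, 0x6A,0x10, 0x73,0x0B, 0xEB,0x02, ANY,ANY,
    0xE8,0x06,0x00,0x00,0x00, ANY,ANY, 0x73,0xF7, 0x5B, ANY,
    0x83,0xC4,0x04, 0xEB,0x02, ANY,ANY, 0xFF,0x0C,0x24,
    0x71,0x01, ANY, 0x79,0xE0, 0x7A,0x01, ANY,
    0x83,0xC4,0x04, 0x9D, 0xEB,0x01, ANY };
/* PUSHFD / JB / JMP / .. / CALL / JMP (dead) / JB back / .. / ADD ESP,4 / POPFD / JMP / ..  (23 bytes) */
static const int calldrop[] = {
    0x9C, 0x72,0x0A, 0xEB,0x01, ANY, 0xE8,0x05,0x00,0x00,0x00, 0xEB,0x77,
    0x72,0xF4, ANY, 0x83,0xC4,0x04, 0x9D, 0xEB,0x01, ANY };
/* JMP SHORT over two, or over one, junk byte(s) */
static const int jmp2[] = { 0xEB,0x02, ANY,ANY };
static const int jmp1[] = { 0xEB,0x01, ANY };

static const junk_pattern patterns[] = {
    { "pushfd/push 10 countdown loop", loop17,   sizeof loop17   / sizeof loop17[0]   },
    { "pushfd/call/add esp,4 filler",  calldrop, sizeof calldrop / sizeof calldrop[0] },
    { "jmp short over 2 junk bytes",   jmp2,     sizeof jmp2     / sizeof jmp2[0]     },
    { "jmp short over 1 junk byte",    jmp1,     sizeof jmp1     / sizeof jmp1[0]     },
};

static int match_at(const uint8_t *p, size_t avail, const int *pat, size_t len) {
    if (avail < len) return 0;
    for (size_t i = 0; i < len; i++)
        if (pat[i] != ANY && p[i] != (uint8_t)pat[i]) return 0;
    return 1;
}

/* Opaque-predicate pair: Jcc +3 / Jncc +1 / junk byte.  Short-jump opcodes
 * 0x70..0x7F come in complementary pairs differing only in bit 0 (72/73 JB/JNB,
 * 74/75 JE/JNZ, 7A/7B JPE/JPO); both land on the byte after the junk, so
 * exactly one of the two is always taken. */
static int match_cc_pair(const uint8_t *p, size_t avail) {
    return avail >= 5 && (p[0] & 0xF0) == 0x70 && p[1] == 0x03
        && p[2] == (p[0] ^ 1) && p[3] == 0x01;
}

/* Length of the filler starting at p (0 if none); pattern name via *name. */
size_t junk_len_at(const uint8_t *p, size_t avail, const char **name) {
    for (size_t k = 0; k < sizeof patterns / sizeof patterns[0]; k++)
        if (match_at(p, avail, patterns[k].pat, patterns[k].len)) {
            if (name) *name = patterns[k].name;
            return patterns[k].len;
        }
    if (match_cc_pair(p, avail)) { if (name) *name = "complementary jcc pair"; return 5; }
    return 0;
}

/* Skips consecutive filler blocks; returns the offset of the first real byte. */
size_t skip_junk(const uint8_t *p, size_t avail) {
    size_t off = 0, n;
    while ((n = junk_len_at(p + off, avail - off, NULL)) != 0) off += n;
    return off;
}

/* Constructed sample 1: bytes 004F67F6..004F682E from the listing, junk as 90,
 * i.e. the 45-byte loop, SHR EAX,10, the JB/JNB pair, MOV [ESI+1E],AX. */
static const uint8_t sample1[] = {
    0x9C,0x6A,0x10,0x73,0x0B,0xEB,0x02,0x90,0x90,0xE8,0x06,0x00,0x00,0x00,0x90,0x90,
    0x73,0xF7,0x5B,0x90,0x83,0xC4,0x04,0xEB,0x02,0x99,0x90,0xFF,0x0C,0x24,0x71,0x01,
    0x90,0x79,0xE0,0x7A,0x01,0x90,0x83,0xC4,0x04,0x9D,0xEB,0x01,0x90,
    0xC1,0xE8,0x10,                 /* SHR EAX,10                   at 004F6823 */
    0x72,0x03,0x73,0x01,0x90,       /* JB +3 / JNB +1 / junk        at 004F6826 */
    0x66,0x89,0x46,0x1E };          /* MOV WORD PTR [ESI+1E],AX     at 004F682B */

/* Constructed sample 2: bytes 004F6750..004F676A, the 23-byte block followed
 * by MOV AX,WORD PTR [ESI+18]. */
static const uint8_t sample2[] = {
    0x9C,0x72,0x0A,0xEB,0x01,0x90,0xE8,0x05,0x00,0x00,0x00,0xEB,0x77,
    0x72,0xF4,0x90,0x83,0xC4,0x04,0x9D,0xEB,0x01,0x90,
    0x66,0x8B,0x46,0x18 };

size_t sample1_first_real_offset(void) { return skip_junk(sample1, sizeof sample1); }
size_t sample2_first_real_offset(void) { return skip_junk(sample2, sizeof sample2); }

int main(void) {
    const char *name = NULL;
    size_t n = junk_len_at(sample1, sizeof sample1, &name);
    printf("sample1: %zu bytes of filler (%s), next real opcode %02X\n", n, name, sample1[n]);
    printf("sample2: first real instruction at offset %zu\n", sample2_first_real_offset());
    return 0;
}
```

The EB 77 inside the 23-byte block is kept as a fixed byte because every instance in the listings uses it; if another build varies the displacement, wildcard that byte too. Note that skipping stops at the first non-filler byte: it does not decode real instructions, so after each skip the caller still needs a disassembler to find the next instruction boundary.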

Next comes the clearing of any breakpoints you set with the debug registers DR0-DR3 and DR7 (writing the debug registers is a privileged instruction, which is why it happens inside this ring-0 interrupt handler rather than in ordinary code); see the analysis below:

0054F44F  33C0              XOR EAX,EAX                        ==> zero EAX
0054F451  7A 0



