|
|
|
有没有脱过老王v2004.06.18的壳?
9X中是个任打任杀的软柿子。:) |
|
请问,有没有PE(dll)重定位表重构工具啊?
写个这样的东西不太难,但得花点时间和心机。反汇编扫描下再重构应该可以。只是写个这样的东西有没有必要而已。前段时间曾经考虑过搞过,当时在写个专门加密VB的壳,利用到重定位表,VB5有重定位表,VB6没有,所以当时想搞个给VB6添加重定位表的。 |
|
|
|
寻找消失的==》品琳居《===大哥,前辈
我还活着。 |
|
|
|
打造MyGetProcAddress函数(Delphi源码)
最初由 老王 发布 两个函数我都实现了,VB/VC的代码都写了。但GetModuleHandle在9X下还有点问题,导致有资源的DLL或EXE不能正常,NT/2K/XP/2K3没问题。 我考虑采用内存SwapResource。 4月初都在搞这东西,现在又丢一旁了。 |
|
打造MyGetProcAddress函数(Delphi源码)
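同一函数,我用在VB_Shell里面的。

Function GetProcAddressDirectly(ByVal lpImageDosHeader As IMAGE_DOS_HEADER Ptr, FuncName As Asciiz) As Dword
    Dim lpImageNtHeaders As Local IMAGE_NT_HEADERS Ptr
    Dim lpImageExportDirectory As Local IMAGE_EXPORT_DIRECTORY Ptr
    Dim lpNameOrdinals As Local Word Ptr
    Dim lpFunctions As Local Dword Ptr
    Dim lpName As Local Dword Ptr
    Dim lpExpFuncName As Local Asciiz Ptr
    Dim i As Local Dword
    Dim j As Local Dword
    Dim lpFuncName As Asciiz Ptr

    If @lpImageDosHeader.e_magic <> %IMAGE_DOS_SIGNATURE Then
        ' invalid DOS signature
        Function = 1
        MsgBox "Invalid DOS signature",%MB_ICONWARNING,"Error in GetProcAddressDirectly()"
        Exit Function
    End If
    lpImageNtHeaders = lpImageDosHeader + @lpImageDosHeader.e_lfanew
    '================================
    If @lpImageNtHeaders.Signature <> %IMAGE_NT_SIGNATURE Then
        ' Invalid NT signature
        Function = 1
        MsgBox "Invalid NT signature",%MB_ICONWARNING,"Error in GetProcAddressDirectly()"
        Exit Function
    End If
    '================================
    If @lpImageNtHeaders.FileHeader.SizeOfOptionalHeader <> SizeOf(@lpImageNtHeaders.OptionalHeader) Or _
       @lpImageNtHeaders.OptionalHeader.Magic <> %IMAGE_NT_OPTIONAL_HDR32_MAGIC Then
        Function = 0
        MsgBox "SizeOfOptionalHeader or OptionalHeader.Magic",%MB_ICONWARNING,"Error in GetProcAddressDirectly()"
        Exit Function
    End If
    lpImageExportDirectory = @lpImageNtHeaders.OptionalHeader.DataDirectory(%IMAGE_DIRECTORY_ENTRY_EXPORT).VirtualAddress
    '================================
    If lpImageExportDirectory = 0 Then
        Function = 0
        MsgBox "lpImageExportDirectory",%MB_ICONWARNING,"Error in GetProcAddressDirectly()"
        Exit Function
    End If
    lpImageExportDirectory = lpImageExportDirectory + lpImageDosHeader
    '================================
    lpNameOrdinals = @lpImageExportDirectory.AddressOfNameOrdinals + lpImageDosHeader
    lpName = @lpImageExportDirectory.AddressOfNames + lpImageDosHeader
    lpFunctions = @lpImageExportDirectory.AddressOfFunctions + lpImageDosHeader
    '================================
    lpFuncName = VarPtr(FuncName)
    '================================
    If HiWrd(lpFuncName) Then
        ' Name
        For i = 0 To @lpImageExportDirectory.NumberOfFunctions - 1
            If @lpFunctions[i] Then
                For j = 0 To @lpImageExportDirectory.NumberOfNames - 1
                    If @lpNameOrdinals[j] = i Then
                        lpExpFuncName = @lpName[j] + lpImageDosHeader
                        If @lpExpFuncName = FuncName Then Function = @lpFunctions[i] + lpImageDosHeader : Exit Function
                    End If
                Next
            End If
        Next
    Else
        For i = 0 To @lpImageExportDirectory.NumberOfFunctions - 1
            If lpFuncName = @lpImageExportDirectory.nBase + i Then
                If @lpFunctions[i] Then Function = @lpFunctions[i] + lpImageDosHeader
                Exit Function
            End If
        Next
    End If
    '================================
End Function

VC:

/*
 * Returns nonzero when `count` elements of `elemSize` bytes starting at `rva`
 * lie inside an image of `imageSize` bytes. The bound is computed with a
 * division so that a hostile count cannot overflow a multiplication.
 */
static int RvaRangeInImage(DWORD rva, DWORD count, DWORD elemSize, DWORD imageSize)
{
    if (rva == 0 || rva >= imageSize)
        return 0;
    return count <= (imageSize - rva) / elemSize;
}

/*
 * Byte-wise, case-sensitive comparison of an export name against the requested
 * name. `limit` is the number of bytes left in the image after `exported`, so
 * an unterminated name at the end of the image is never read past its bounds.
 */
static int ExportNameEquals(const char *exported, DWORD limit, const char *wanted)
{
    DWORD k;

    for (k = 0; k < limit; k++) {
        if (exported[k] != wanted[k])
            return 0;
        if (exported[k] == '\0')
            return 1;
    }
    return 0;
}

/*
 * Looks up an export in a 32-bit PE image that is already mapped in memory
 * (every RVA is resolved as image base + RVA, so this does not work on a raw
 * file buffer).
 *
 * lpImageDosHeader  base address of the mapped image.
 * FuncName          export name, or an ordinal stored in the low word with the
 *                   high word zero (the same convention the original code
 *                   tests with HIWORD).
 *
 * Returns the address of the export as a DWORD. Returns 1 when the DOS or NT
 * signature is wrong and 0 for every other failure, as the original did, so
 * callers must treat both 0 and 1 as "not found".
 *
 * Changes from the posted version:
 *  - All RVA arithmetic is done on a byte pointer. The original added RVAs to
 *    a PIMAGE_DOS_HEADER / PIMAGE_EXPORT_DIRECTORY, which scales the offset by
 *    the structure size.
 *  - AddressOfFunctions is read as an array of DWORD RVAs, not bytes.
 *  - Names are compared by content; the original `lpExpFuncName = FuncName`
 *    was an assignment and matched the first named export unconditionally.
 *  - Loop bounds no longer compute `Number - 1` on an unsigned count, which
 *    wrapped when the count was zero.
 *  - Every RVA and table taken from the image is checked against SizeOfImage
 *    before use, because the headers may come from an untrusted or damaged
 *    file.
 *  - An RVA that points back into the export directory is a forwarder string
 *    ("DLL.Function"), not code; it is reported as not found instead of being
 *    returned as a callable address.
 *  - The calls to MakePtr / GetImgDirEntryRVA / GetEnclosingSectionHeader /
 *    GetPtrFromRVA were dropped: their results were overwritten or unused in
 *    the posted code and the helpers are not part of this listing.
 */
DWORD GetProcAddressDirectly(PIMAGE_DOS_HEADER lpImageDosHeader, char * FuncName)
{
    PBYTE                   pImageBase = (PBYTE)lpImageDosHeader;
    PIMAGE_NT_HEADERS       lpImageNtHeaders;
    PIMAGE_EXPORT_DIRECTORY pExportDir;
    PWORD                   lpNameOrdinals;
    PDWORD                  lpFunctions;
    PDWORD                  lpName;
    DWORD                   imageSize;
    DWORD                   exportsStartRVA;
    DWORD                   exportsSize;
    DWORD                   funcRVA = 0;
    DWORD                   j;

    if (lpImageDosHeader == NULL)
        return 0;

    if (lpImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        MessageBox(NULL,"Invalid DOS signature",0,0);
        return 1;
    }

    /* e_lfanew is a signed byte offset; a negative value points before the image. */
    if (lpImageDosHeader->e_lfanew < 0)
    {
        MessageBox(NULL,"Invalid NT signature",0,0);
        return 1;
    }

    lpImageNtHeaders = (PIMAGE_NT_HEADERS)(pImageBase + lpImageDosHeader->e_lfanew);
    if (lpImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        MessageBox(NULL,"Invalid NT signature",0,0);
        return 1;
    }

    if ((lpImageNtHeaders->FileHeader.SizeOfOptionalHeader != sizeof(lpImageNtHeaders->OptionalHeader)) ||
        (lpImageNtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC))
    {
        MessageBox(NULL,"SizeOfOptionalHeader or OptionalHeader->Magic",0,0);
        return 0;
    }

    imageSize       = lpImageNtHeaders->OptionalHeader.SizeOfImage;
    exportsStartRVA = lpImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    exportsSize     = lpImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

    if (exportsStartRVA == 0)
    {
        MessageBox(NULL,"Error in GetProcAddressDirectly()",0,0);
        return 0;
    }

    /* The export directory itself must lie inside the mapped image. */
    if (!RvaRangeInImage(exportsStartRVA, 1, sizeof(IMAGE_EXPORT_DIRECTORY), imageSize))
        return 0;
    pExportDir = (PIMAGE_EXPORT_DIRECTORY)(pImageBase + exportsStartRVA);

    if (pExportDir->NumberOfFunctions == 0 ||
        !RvaRangeInImage(pExportDir->AddressOfFunctions, pExportDir->NumberOfFunctions,
                         sizeof(DWORD), imageSize))
        return 0;
    lpFunctions = (PDWORD)(pImageBase + pExportDir->AddressOfFunctions);

    if (HIWORD((DWORD_PTR)FuncName) != 0)
    {
        /* Lookup by name: walk the name table and map the hit through the
         * name-ordinal table to an index into the function table. */
        if (pExportDir->NumberOfNames == 0 ||
            !RvaRangeInImage(pExportDir->AddressOfNames, pExportDir->NumberOfNames,
                             sizeof(DWORD), imageSize) ||
            !RvaRangeInImage(pExportDir->AddressOfNameOrdinals, pExportDir->NumberOfNames,
                             sizeof(WORD), imageSize))
            return 0;

        lpName         = (PDWORD)(pImageBase + pExportDir->AddressOfNames);
        lpNameOrdinals = (PWORD)(pImageBase + pExportDir->AddressOfNameOrdinals);

        for (j = 0; j < pExportDir->NumberOfNames; j++)
        {
            if (lpName[j] == 0 || lpName[j] >= imageSize)
                continue;   /* name RVA outside the image: ignore the entry */

            if (!ExportNameEquals((const char *)(pImageBase + lpName[j]),
                                  imageSize - lpName[j], FuncName))
                continue;

            if (lpNameOrdinals[j] >= pExportDir->NumberOfFunctions)
                return 0;   /* index would read past the function table */

            funcRVA = lpFunctions[lpNameOrdinals[j]];
            break;
        }
    }
    else
    {
        /* Lookup by ordinal: the table index is the ordinal minus Base. */
        DWORD ordinal = LOWORD((DWORD_PTR)FuncName);

        if (ordinal < pExportDir->Base ||
            ordinal - pExportDir->Base >= pExportDir->NumberOfFunctions)
            return 0;

        funcRVA = lpFunctions[ordinal - pExportDir->Base];
    }

    /* 0 marks a gap in the ordinal range (or "no match" from the name loop). */
    if (funcRVA == 0 || funcRVA >= imageSize)
        return 0;

    /* An RVA inside the export directory is a forwarder string, not code. */
    if (funcRVA >= exportsStartRVA && funcRVA - exportsStartRVA < exportsSize)
        return 0;

    return (DWORD)(DWORD_PTR)(pImageBase + funcRVA);
}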
|
EncryptPE是病毒?这里有没有反病毒公司的人啊?
去年搞FoxLock的时候我也碰到这个问题,老说我加密后的文件是未知病毒,头疼,那时候被迫跟踪下Norton,发现归根到底是我采用了SMC的结果。他所谓的对未知病毒的监控就是对程序入口的一段程序进行反汇编比较一些标准的跳转,发现非标准的就认为是未知病毒了,真的很可笑。下面两种方法都测试过可行建议: 1、VC编译个EXE,把入口代码搬过去; 2、加密后程序的入口不要放在最后一个段,放在.Rsrc之前没问题。放最后一个段的话就跟.Rsrc放同一个段。 |