[旧帖] [讨论]FI 3.01 分析 0.00雪花
发表于: 2012-2-8 16:16 2869
下面的代码有哪些反调试的技巧?
; ---------------------------------------------------------------------------
; sub_6FAD3 - far procedure, 16-bit real-mode DOS code (IDA listing).
; In:   [bp+IntNo] = interrupt number whose handler is to be traced.
; Out:  DX:AX = Int21Seg:Int21off; 1234h:5678h when IntNo is not one of
;       10h, 13h, 15h, 21h, 2Fh. One argument word is released by "retf 2".
; What the visible code does:
;   1. Chooses an AX function code for the interrupt and stores it.
;   2. Reads the IntNo vector, writes it into the operand of the far call at
;      loc_6FB64 (the code patches itself) and into Int21off/Int21Seg.
;   3. Saves the INT 1 vector, installs NewINT1, sets TF (FLAGS bit 8) and
;      calls the handler, so NewINT1 is entered by the single-step trap.
;   4. NewINT1 looks at the opcode at the interrupted CS:IP: it records the
;      target of every far JMP (0EAh) it sees, keeps TF out of PUSHF images,
;      re-arms TF for POPF, and stops tracing at IRET.
;   5. Restores the original INT 1 vector and returns the recorded address.
; For the question asked in the thread (debugger-hostile constructs visible
; here): the INT 1 vector and TF are taken over by the program itself; the
; far-call operand is rewritten at run time; data words sit in the middle of
; the code; PUSHF/POPF and the DEC SP/DEC SP/POP sequence get special handling
; inside the trace handler.
; NOTE(review): a real-mode debugger that itself depends on INT 1 would
; presumably lose single-stepping between 2524 and 2547 - confirm in a test
; environment before stepping through this range.
; ---------------------------------------------------------------------------
seg014:24A3 sub_6FAD3 proc far ; CODE XREF: FileInfo+10P
seg014:24A3
seg014:24A3 IntNo = byte ptr 6 ; caller's argument: interrupt number to trace
seg014:24A3 arg_10 = word ptr 16h ; in NewINT1's frame: IP of the interrupted instruction
seg014:24A3 arg_12 = word ptr 18h ; in NewINT1's frame: CS of the interrupted instruction
seg014:24A3 arg_14 = word ptr 1Ah ; in NewINT1's frame: FLAGS image pushed by INT 1
seg014:24A3 arg_16 = word ptr 1Ch ; in NewINT1's frame: word on top of the traced code's stack
seg014:24A3
seg014:24A3 push bp
seg014:24A4 mov bp, sp
seg014:24A6 mov al, [bp+IntNo] ; AL keeps IntNo until the AH=35h call at 24F7
seg014:24A9 mov bx, 0F00h ; INT 10h -> AX=0F00h (AH=0Fh, get video mode)
seg014:24AC cmp al, 10h
seg014:24AE jz short loc_6FAFC
seg014:24B0 mov bx, 100h ; INT 13h -> AX=0100h (AH=01h, disk status)
seg014:24B3 cmp al, 13h
seg014:24B5 jz short loc_6FAFC
seg014:24B7 mov bx, 8500h ; INT 15h -> AX=8500h
seg014:24BA cmp al, 15h
seg014:24BC jz short loc_6FAFC
seg014:24BE mov bx, 3306h ; INT 21h -> AX=3306h (get true DOS version)
seg014:24C1 cmp al, 21h
seg014:24C3 jz short loc_6FAFC
seg014:24C5 mov bx, 4300h ; INT 2Fh -> AX=4300h (XMS installation check)
seg014:24C8 cmp al, 2Fh
seg014:24CA jnz short loc_6FB03 ; every other interrupt number is not traced
seg014:24CC
seg014:24CC loc_6FAFC: ; CODE XREF: sub_6FAD3+Bj
seg014:24CC ; sub_6FAD3+12j ...
seg014:24CC mov cs:word_6FB14, bx ; keep the function code for the traced call
seg014:24D1 jmp short loc_6FB22
seg014:24D3 ; ---------------------------------------------------------------------------
seg014:24D3
seg014:24D3 loc_6FB03: ; CODE XREF: sub_6FAD3+27j
seg014:24D3 mov word ptr cs:Int21off, 5678h ; fixed result 1234h:5678h for an
seg014:24DA mov word ptr cs:Int21Seg, 1234h ; interrupt number that is not handled
seg014:24E1 jmp loc_6FC34
seg014:24E1 ; ---------------------------------------------------------------------------
; Variables stored inside the code segment and addressed with CS: overrides.
;   word_6FB14        AX value loaded before the traced call
;   word_6FB16        word copied from the top of the traced stack
;   byte_6FB18        1 after a DEC SP/DEC SP pair was skipped
;   In_INT01h         bit 0 set when the previous traced opcode was PUSHF
;   Int1off/Int1Seg   original INT 1 vector
;   Int21off/Int21Seg result vector (the labels say 21h, the code uses them
;                     for whichever IntNo was passed)
seg014:24E4 word_6FB14 dw 0 ; DATA XREF: sub_6FAD3:loc_6FAFCw
seg014:24E4 ; sub_6FAD3+8Dr
seg014:24E6 word_6FB16 dw 0 ; DATA XREF: sub_6FAD3+FEr
seg014:24E6 ; sub_6FAD3+10Cw
seg014:24E8 byte_6FB18 db 0 ; DATA XREF: sub_6FAD3+D8r
seg014:24E8 ; sub_6FAD3:loc_6FBB3w ...
seg014:24E9 In_INT01h: ; DATA XREF: sub_6FAD3+B5r
seg014:24E9 ; sub_6FAD3+BDw ...
seg014:24E9 db 0
seg014:24EA Int1off: ; DATA XREF: sub_6FAD3+6Fw
seg014:24EA ; sub_6FAD3+97r
seg014:24EA dw 0
seg014:24EC Int1Seg: ; DATA XREF: sub_6FAD3+74w
seg014:24EC ; sub_6FAD3+9Cr
seg014:24EC dw 0
seg014:24EE Int21off: ; DATA XREF: sub_6FAD3:loc_6FB03w
seg014:24EE ; sub_6FAD3+60w ...
seg014:24EE dw 0
seg014:24F0 Int21Seg: ; DATA XREF: sub_6FAD3+37w
seg014:24F0 ; sub_6FAD3+65w ...
seg014:24F0 dw 0
seg014:24F2 ; ---------------------------------------------------------------------------
seg014:24F2
seg014:24F2 loc_6FB22: ; CODE XREF: sub_6FAD3+2Ej
seg014:24F2 pusha
seg014:24F3 push es
seg014:24F4 push ds
seg014:24F5 mov ah, 35h ; AL still holds IntNo
seg014:24F7 int 21h ; DOS - 2+ - GET INTERRUPT VECTOR
seg014:24F7 ; AL = interrupt number
seg014:24F7 ; Return: ES:BX = value of interrupt vector
seg014:24F9 mov word ptr cs:loc_6FB64+1, bx ; patch the offset operand of the far call
seg014:24FE mov word ptr cs:loc_6FB64+3, es ; patch the segment operand of the far call
seg014:2503 mov word ptr cs:Int21off, bx ; default result = the current vector
seg014:2508 mov word ptr cs:Int21Seg, es
seg014:250D mov ax, 3501h ; read the current INT 1 (single-step) vector
seg014:2510 int 21h ; DOS - 2+ - GET INTERRUPT VECTOR
seg014:2510 ; AL = interrupt number
seg014:2510 ; Return: ES:BX = value of interrupt vector
seg014:2512 mov word ptr cs:Int1off, bx ; saved so it can be restored at 2547
seg014:2517 mov word ptr cs:Int1Seg, es
seg014:251C push cs
seg014:251D pop ds ; DS = CS, so DS:DX below addresses NewINT1
seg014:251E assume ds:seg014
seg014:251E mov ax, 2501h
seg014:2521 mov dx, offset NewINT1
seg014:2524 int 21h ; DOS - SET INTERRUPT VECTOR
seg014:2524 ; AL = interrupt number
seg014:2524 ; DS:DX = new vector to be used for specified interrupt
seg014:2526 jmp short $+2 ; jumps to the next instruction; NOTE(review): usually done to flush the prefetch queue after a code patch - confirm
seg014:2528 pushf ; FLAGS image left on the stack for the handler's IRET (pushf + far call imitates INT)
seg014:2529 pushf
seg014:252A pop ax
seg014:252B or ax, 100h ; bit 8 = TF
seg014:252E push ax
seg014:252F popf ; TF is now set; single-step traps go to NewINT1
seg014:2530 mov ax, cs:word_6FB14 ; function code chosen at entry
seg014:2534
seg014:2534 loc_6FB64: ; DATA XREF: sub_6FAD3+56w
seg014:2534 ; sub_6FAD3+5Bw
seg014:2534 call far ptr 0:0 ; 0:0 is a placeholder, overwritten at 24F9/24FE with the IntNo vector
seg014:2539 nop
seg014:253A mov dx, word ptr cs:Int1off ; DS:DX = original INT 1 vector
seg014:253F mov ds, word ptr cs:Int1Seg
seg014:2544 assume ds:nothing
seg014:2544 mov ax, 2501h
seg014:2547 int 21h ; DOS - SET INTERRUPT VECTOR
seg014:2547 ; AL = interrupt number
seg014:2547 ; DS:DX = new vector to be used for specified interrupt
seg014:2549 pop ds
seg014:254A pop es
seg014:254B popa
seg014:254C jmp loc_6FC34
seg014:254F ; ---------------------------------------------------------------------------
seg014:254F
; NewINT1 - INT 1 handler installed at 2524. After pusha (16 bytes) and three
; segment pushes (6 bytes) BP is re-based, so the arg_* names no longer refer
; to sub_6FAD3's frame:
;   [bp+6]..[bp+14h] = DI SI BP SP BX DX CX AX saved by pusha
;   [bp+arg_10] = interrupted IP      [bp+arg_12] = interrupted CS
;   [bp+arg_14] = FLAGS image         [bp+arg_16] = top word of the traced stack
seg014:254F NewINT1: ; DATA XREF: sub_6FAD3+7Eo
seg014:254F nop
seg014:2550 pusha
seg014:2551 push es
seg014:2552 push ds
seg014:2553 push ss
seg014:2554 mov bp, sp
seg014:2556 push cs
seg014:2557 pop ds
seg014:2558 assume ds:seg014
seg014:2558 test byte ptr cs:In_INT01h, 1 ; was the previous traced opcode PUSHF?
seg014:255E jz short loc_6FB9B
seg014:2560 xor byte ptr cs:In_INT01h, 1 ; clear the marker
seg014:2566 and [bp+arg_16], 0FEFFh ; clear TF in the word that PUSHF just stored
seg014:256B
seg014:256B loc_6FB9B: ; CODE XREF: sub_6FAD3+BBj
seg014:256B mov si, [bp+arg_10] ; DS:SI = interrupted CS:IP
seg014:256E mov ds, [bp+arg_12]
seg014:2571 assume ds:nothing
seg014:2571 cld
seg014:2572 lodsb ; AL = next opcode of the traced code, SI = IP+1
seg014:2573 cmp al, 58h ; 'X' - 58h..5Fh are the POP r16 opcodes
seg014:2575 jb short loc_6FBE6
seg014:2577 cmp al, 60h ; '`' - NOTE(review): 60h (PUSHA) is accepted here but excluded at 25CF/25D3 - confirm which is intended
seg014:2579 ja short loc_6FBE6
seg014:257B cmp cs:byte_6FB18, 1 ; set at 25C3 when a DEC SP pair was skipped
seg014:2581 jnz short loc_6FBDB
seg014:2583
seg014:2583 loc_6FBB3: ; CODE XREF: sub_6FAD3+130j
seg014:2583 xor cs:byte_6FB18, 1
seg014:2589 inc [bp+arg_10] ; step the saved IP over the POP opcode
seg014:258C push ax
seg014:258D push di
seg014:258E mov di, 14h ; [bp+14h] = AX slot of the pusha frame
seg014:2591 cmp al, 4Ch ; 'L' - arrived from 25D3 with AL = DEC SP
seg014:2593 jnz short loc_6FBC8
seg014:2595 mov al, [si+1] ; third byte of the sequence = the POP opcode
seg014:2598
seg014:2598 loc_6FBC8: ; CODE XREF: sub_6FAD3+F0j
seg014:2598 and ax, 0Fh ; 8..0Fh for opcodes 58h..5Fh
seg014:259B sub al, 8 ; register index 0..7
seg014:259D shl al, 1 ; word offset
seg014:259F sub di, ax ; DI = offset of that register's pusha slot
seg014:25A1 mov ax, cs:word_6FB16 ; word remembered at 25AF
seg014:25A5 mov [bp+di], ax ; written into the saved register, restored by popa
seg014:25A7 pop di
seg014:25A8 pop ax
seg014:25A9 jmp short loc_6FC05
seg014:25AB ; ---------------------------------------------------------------------------
seg014:25AB
seg014:25AB loc_6FBDB: ; CODE XREF: sub_6FAD3+DEj
seg014:25AB push ax
seg014:25AC mov ax, [bp+arg_16] ; word on top of the traced stack
seg014:25AF mov cs:word_6FB16, ax ; remembered for loc_6FBB3
seg014:25B3 pop ax
seg014:25B4 jmp short loc_6FC05
seg014:25B6 ; ---------------------------------------------------------------------------
seg014:25B6
seg014:25B6 loc_6FBE6: ; CODE XREF: sub_6FAD3+D2j
seg014:25B6 ; sub_6FAD3+D6j
seg014:25B6 cmp al, 4Ch ; 'L' - 4Ch = DEC SP
seg014:25B8 jnz short loc_6FC05
seg014:25BA cmp byte ptr [si], 4Ch ; 'L' - second DEC SP
seg014:25BD jnz short loc_6FC05
seg014:25BF add [bp+arg_10], 2 ; step the saved IP over both DEC SP
seg014:25C3 mov cs:byte_6FB18, 1
seg014:25C9 cmp byte ptr [si+1], 58h ; 'X' - is the third byte a POP r16?
seg014:25CD jb short loc_6FC05
seg014:25CF cmp byte ptr [si+1], 60h ; '`'
seg014:25D3 jb short loc_6FBB3 ; presumably emulates "DEC SP / DEC SP / POP r16", which re-reads a stack word the trap frame has overwritten - confirm
seg014:25D5
seg014:25D5 loc_6FC05: ; CODE XREF: sub_6FAD3+106j
seg014:25D5 ; sub_6FAD3+111j ...
seg014:25D5 cmp al, 9Ch ; 9Ch = PUSHF
seg014:25D7 jnz short loc_6FC0F
seg014:25D9 or byte ptr cs:In_INT01h, 1 ; next trap clears TF in the pushed image (2566)
seg014:25DF
seg014:25DF loc_6FC0F: ; CODE XREF: sub_6FAD3+134j
seg014:25DF cmp al, 9Dh ; 9Dh = POPF
seg014:25E1 jnz short loc_6FC18
seg014:25E3 or [bp+arg_16], 100h ; set TF in the word POPF is about to load
seg014:25E8
seg014:25E8 loc_6FC18: ; CODE XREF: sub_6FAD3+13Ej
seg014:25E8 cmp al, 0CFh ; 0CFh = IRET
seg014:25EA jnz short loc_6FC21
seg014:25EC and [bp+arg_14], 0FEFFh ; clear TF in the FLAGS this handler's iret restores
seg014:25F1
seg014:25F1 loc_6FC21: ; CODE XREF: sub_6FAD3+147j
seg014:25F1 cmp al, 0EAh ; 0EAh = JMP FAR ptr16:16
seg014:25F3 jnz short loc_6FC2F
seg014:25F5 lodsw ; offset operand of the far jump
seg014:25F6 mov word ptr cs:Int21off, ax
seg014:25FA lodsw ; segment operand of the far jump
seg014:25FB mov word ptr cs:Int21Seg, ax ; the last far-jump target seen becomes the result
seg014:25FF
seg014:25FF loc_6FC2F: ; CODE XREF: sub_6FAD3+150j
seg014:25FF pop ss ; unwinds the pushes at 2550-2553 in reverse order
seg014:2600 pop ds
seg014:2601 pop es
seg014:2602 popa
seg014:2603 iret
seg014:2604 ; ---------------------------------------------------------------------------
seg014:2604
seg014:2604 loc_6FC34: ; CODE XREF: sub_6FAD3+3Ej
seg014:2604 ; sub_6FAD3+A9j
seg014:2604 mov ax, word ptr cs:Int21off ; result offset
seg014:2608 mov dx, word ptr cs:Int21Seg ; result segment
seg014:260D leave
seg014:260E retf 2 ; far return, releases the IntNo argument word
seg014:260E sub_6FAD3 endp
详细内容见附件
http://115.com/file/be4kgjlh#FI.idb
; ---------------------------------------------------------------------------
; sub_6FAD3 - far procedure, 16-bit real-mode DOS code (IDA listing).
; In:   [bp+IntNo] = interrupt number whose handler is to be traced.
; Out:  DX:AX = Int21Seg:Int21off; 1234h:5678h when IntNo is not one of
;       10h, 13h, 15h, 21h, 2Fh. One argument word is released by "retf 2".
; What the visible code does:
;   1. Chooses an AX function code for the interrupt and stores it.
;   2. Reads the IntNo vector, writes it into the operand of the far call at
;      loc_6FB64 (the code patches itself) and into Int21off/Int21Seg.
;   3. Saves the INT 1 vector, installs NewINT1, sets TF (FLAGS bit 8) and
;      calls the handler, so NewINT1 is entered by the single-step trap.
;   4. NewINT1 looks at the opcode at the interrupted CS:IP: it records the
;      target of every far JMP (0EAh) it sees, keeps TF out of PUSHF images,
;      re-arms TF for POPF, and stops tracing at IRET.
;   5. Restores the original INT 1 vector and returns the recorded address.
; For the question asked in the thread (debugger-hostile constructs visible
; here): the INT 1 vector and TF are taken over by the program itself; the
; far-call operand is rewritten at run time; data words sit in the middle of
; the code; PUSHF/POPF and the DEC SP/DEC SP/POP sequence get special handling
; inside the trace handler.
; NOTE(review): a real-mode debugger that itself depends on INT 1 would
; presumably lose single-stepping between 2524 and 2547 - confirm in a test
; environment before stepping through this range.
; ---------------------------------------------------------------------------
seg014:24A3 sub_6FAD3 proc far ; CODE XREF: FileInfo+10P
seg014:24A3
seg014:24A3 IntNo = byte ptr 6 ; caller's argument: interrupt number to trace
seg014:24A3 arg_10 = word ptr 16h ; in NewINT1's frame: IP of the interrupted instruction
seg014:24A3 arg_12 = word ptr 18h ; in NewINT1's frame: CS of the interrupted instruction
seg014:24A3 arg_14 = word ptr 1Ah ; in NewINT1's frame: FLAGS image pushed by INT 1
seg014:24A3 arg_16 = word ptr 1Ch ; in NewINT1's frame: word on top of the traced code's stack
seg014:24A3
seg014:24A3 push bp
seg014:24A4 mov bp, sp
seg014:24A6 mov al, [bp+IntNo] ; AL keeps IntNo until the AH=35h call at 24F7
seg014:24A9 mov bx, 0F00h ; INT 10h -> AX=0F00h (AH=0Fh, get video mode)
seg014:24AC cmp al, 10h
seg014:24AE jz short loc_6FAFC
seg014:24B0 mov bx, 100h ; INT 13h -> AX=0100h (AH=01h, disk status)
seg014:24B3 cmp al, 13h
seg014:24B5 jz short loc_6FAFC
seg014:24B7 mov bx, 8500h ; INT 15h -> AX=8500h
seg014:24BA cmp al, 15h
seg014:24BC jz short loc_6FAFC
seg014:24BE mov bx, 3306h ; INT 21h -> AX=3306h (get true DOS version)
seg014:24C1 cmp al, 21h
seg014:24C3 jz short loc_6FAFC
seg014:24C5 mov bx, 4300h ; INT 2Fh -> AX=4300h (XMS installation check)
seg014:24C8 cmp al, 2Fh
seg014:24CA jnz short loc_6FB03 ; every other interrupt number is not traced
seg014:24CC
seg014:24CC loc_6FAFC: ; CODE XREF: sub_6FAD3+Bj
seg014:24CC ; sub_6FAD3+12j ...
seg014:24CC mov cs:word_6FB14, bx ; keep the function code for the traced call
seg014:24D1 jmp short loc_6FB22
seg014:24D3 ; ---------------------------------------------------------------------------
seg014:24D3
seg014:24D3 loc_6FB03: ; CODE XREF: sub_6FAD3+27j
seg014:24D3 mov word ptr cs:Int21off, 5678h ; fixed result 1234h:5678h for an
seg014:24DA mov word ptr cs:Int21Seg, 1234h ; interrupt number that is not handled
seg014:24E1 jmp loc_6FC34
seg014:24E1 ; ---------------------------------------------------------------------------
; Variables stored inside the code segment and addressed with CS: overrides.
;   word_6FB14        AX value loaded before the traced call
;   word_6FB16        word copied from the top of the traced stack
;   byte_6FB18        1 after a DEC SP/DEC SP pair was skipped
;   In_INT01h         bit 0 set when the previous traced opcode was PUSHF
;   Int1off/Int1Seg   original INT 1 vector
;   Int21off/Int21Seg result vector (the labels say 21h, the code uses them
;                     for whichever IntNo was passed)
seg014:24E4 word_6FB14 dw 0 ; DATA XREF: sub_6FAD3:loc_6FAFCw
seg014:24E4 ; sub_6FAD3+8Dr
seg014:24E6 word_6FB16 dw 0 ; DATA XREF: sub_6FAD3+FEr
seg014:24E6 ; sub_6FAD3+10Cw
seg014:24E8 byte_6FB18 db 0 ; DATA XREF: sub_6FAD3+D8r
seg014:24E8 ; sub_6FAD3:loc_6FBB3w ...
seg014:24E9 In_INT01h: ; DATA XREF: sub_6FAD3+B5r
seg014:24E9 ; sub_6FAD3+BDw ...
seg014:24E9 db 0
seg014:24EA Int1off: ; DATA XREF: sub_6FAD3+6Fw
seg014:24EA ; sub_6FAD3+97r
seg014:24EA dw 0
seg014:24EC Int1Seg: ; DATA XREF: sub_6FAD3+74w
seg014:24EC ; sub_6FAD3+9Cr
seg014:24EC dw 0
seg014:24EE Int21off: ; DATA XREF: sub_6FAD3:loc_6FB03w
seg014:24EE ; sub_6FAD3+60w ...
seg014:24EE dw 0
seg014:24F0 Int21Seg: ; DATA XREF: sub_6FAD3+37w
seg014:24F0 ; sub_6FAD3+65w ...
seg014:24F0 dw 0
seg014:24F2 ; ---------------------------------------------------------------------------
seg014:24F2
seg014:24F2 loc_6FB22: ; CODE XREF: sub_6FAD3+2Ej
seg014:24F2 pusha
seg014:24F3 push es
seg014:24F4 push ds
seg014:24F5 mov ah, 35h ; AL still holds IntNo
seg014:24F7 int 21h ; DOS - 2+ - GET INTERRUPT VECTOR
seg014:24F7 ; AL = interrupt number
seg014:24F7 ; Return: ES:BX = value of interrupt vector
seg014:24F9 mov word ptr cs:loc_6FB64+1, bx ; patch the offset operand of the far call
seg014:24FE mov word ptr cs:loc_6FB64+3, es ; patch the segment operand of the far call
seg014:2503 mov word ptr cs:Int21off, bx ; default result = the current vector
seg014:2508 mov word ptr cs:Int21Seg, es
seg014:250D mov ax, 3501h ; read the current INT 1 (single-step) vector
seg014:2510 int 21h ; DOS - 2+ - GET INTERRUPT VECTOR
seg014:2510 ; AL = interrupt number
seg014:2510 ; Return: ES:BX = value of interrupt vector
seg014:2512 mov word ptr cs:Int1off, bx ; saved so it can be restored at 2547
seg014:2517 mov word ptr cs:Int1Seg, es
seg014:251C push cs
seg014:251D pop ds ; DS = CS, so DS:DX below addresses NewINT1
seg014:251E assume ds:seg014
seg014:251E mov ax, 2501h
seg014:2521 mov dx, offset NewINT1
seg014:2524 int 21h ; DOS - SET INTERRUPT VECTOR
seg014:2524 ; AL = interrupt number
seg014:2524 ; DS:DX = new vector to be used for specified interrupt
seg014:2526 jmp short $+2 ; jumps to the next instruction; NOTE(review): usually done to flush the prefetch queue after a code patch - confirm
seg014:2528 pushf ; FLAGS image left on the stack for the handler's IRET (pushf + far call imitates INT)
seg014:2529 pushf
seg014:252A pop ax
seg014:252B or ax, 100h ; bit 8 = TF
seg014:252E push ax
seg014:252F popf ; TF is now set; single-step traps go to NewINT1
seg014:2530 mov ax, cs:word_6FB14 ; function code chosen at entry
seg014:2534
seg014:2534 loc_6FB64: ; DATA XREF: sub_6FAD3+56w
seg014:2534 ; sub_6FAD3+5Bw
seg014:2534 call far ptr 0:0 ; 0:0 is a placeholder, overwritten at 24F9/24FE with the IntNo vector
seg014:2539 nop
seg014:253A mov dx, word ptr cs:Int1off ; DS:DX = original INT 1 vector
seg014:253F mov ds, word ptr cs:Int1Seg
seg014:2544 assume ds:nothing
seg014:2544 mov ax, 2501h
seg014:2547 int 21h ; DOS - SET INTERRUPT VECTOR
seg014:2547 ; AL = interrupt number
seg014:2547 ; DS:DX = new vector to be used for specified interrupt
seg014:2549 pop ds
seg014:254A pop es
seg014:254B popa
seg014:254C jmp loc_6FC34
seg014:254F ; ---------------------------------------------------------------------------
seg014:254F
; NewINT1 - INT 1 handler installed at 2524. After pusha (16 bytes) and three
; segment pushes (6 bytes) BP is re-based, so the arg_* names no longer refer
; to sub_6FAD3's frame:
;   [bp+6]..[bp+14h] = DI SI BP SP BX DX CX AX saved by pusha
;   [bp+arg_10] = interrupted IP      [bp+arg_12] = interrupted CS
;   [bp+arg_14] = FLAGS image         [bp+arg_16] = top word of the traced stack
seg014:254F NewINT1: ; DATA XREF: sub_6FAD3+7Eo
seg014:254F nop
seg014:2550 pusha
seg014:2551 push es
seg014:2552 push ds
seg014:2553 push ss
seg014:2554 mov bp, sp
seg014:2556 push cs
seg014:2557 pop ds
seg014:2558 assume ds:seg014
seg014:2558 test byte ptr cs:In_INT01h, 1 ; was the previous traced opcode PUSHF?
seg014:255E jz short loc_6FB9B
seg014:2560 xor byte ptr cs:In_INT01h, 1 ; clear the marker
seg014:2566 and [bp+arg_16], 0FEFFh ; clear TF in the word that PUSHF just stored
seg014:256B
seg014:256B loc_6FB9B: ; CODE XREF: sub_6FAD3+BBj
seg014:256B mov si, [bp+arg_10] ; DS:SI = interrupted CS:IP
seg014:256E mov ds, [bp+arg_12]
seg014:2571 assume ds:nothing
seg014:2571 cld
seg014:2572 lodsb ; AL = next opcode of the traced code, SI = IP+1
seg014:2573 cmp al, 58h ; 'X' - 58h..5Fh are the POP r16 opcodes
seg014:2575 jb short loc_6FBE6
seg014:2577 cmp al, 60h ; '`' - NOTE(review): 60h (PUSHA) is accepted here but excluded at 25CF/25D3 - confirm which is intended
seg014:2579 ja short loc_6FBE6
seg014:257B cmp cs:byte_6FB18, 1 ; set at 25C3 when a DEC SP pair was skipped
seg014:2581 jnz short loc_6FBDB
seg014:2583
seg014:2583 loc_6FBB3: ; CODE XREF: sub_6FAD3+130j
seg014:2583 xor cs:byte_6FB18, 1
seg014:2589 inc [bp+arg_10] ; step the saved IP over the POP opcode
seg014:258C push ax
seg014:258D push di
seg014:258E mov di, 14h ; [bp+14h] = AX slot of the pusha frame
seg014:2591 cmp al, 4Ch ; 'L' - arrived from 25D3 with AL = DEC SP
seg014:2593 jnz short loc_6FBC8
seg014:2595 mov al, [si+1] ; third byte of the sequence = the POP opcode
seg014:2598
seg014:2598 loc_6FBC8: ; CODE XREF: sub_6FAD3+F0j
seg014:2598 and ax, 0Fh ; 8..0Fh for opcodes 58h..5Fh
seg014:259B sub al, 8 ; register index 0..7
seg014:259D shl al, 1 ; word offset
seg014:259F sub di, ax ; DI = offset of that register's pusha slot
seg014:25A1 mov ax, cs:word_6FB16 ; word remembered at 25AF
seg014:25A5 mov [bp+di], ax ; written into the saved register, restored by popa
seg014:25A7 pop di
seg014:25A8 pop ax
seg014:25A9 jmp short loc_6FC05
seg014:25AB ; ---------------------------------------------------------------------------
seg014:25AB
seg014:25AB loc_6FBDB: ; CODE XREF: sub_6FAD3+DEj
seg014:25AB push ax
seg014:25AC mov ax, [bp+arg_16] ; word on top of the traced stack
seg014:25AF mov cs:word_6FB16, ax ; remembered for loc_6FBB3
seg014:25B3 pop ax
seg014:25B4 jmp short loc_6FC05
seg014:25B6 ; ---------------------------------------------------------------------------
seg014:25B6
seg014:25B6 loc_6FBE6: ; CODE XREF: sub_6FAD3+D2j
seg014:25B6 ; sub_6FAD3+D6j
seg014:25B6 cmp al, 4Ch ; 'L' - 4Ch = DEC SP
seg014:25B8 jnz short loc_6FC05
seg014:25BA cmp byte ptr [si], 4Ch ; 'L' - second DEC SP
seg014:25BD jnz short loc_6FC05
seg014:25BF add [bp+arg_10], 2 ; step the saved IP over both DEC SP
seg014:25C3 mov cs:byte_6FB18, 1
seg014:25C9 cmp byte ptr [si+1], 58h ; 'X' - is the third byte a POP r16?
seg014:25CD jb short loc_6FC05
seg014:25CF cmp byte ptr [si+1], 60h ; '`'
seg014:25D3 jb short loc_6FBB3 ; presumably emulates "DEC SP / DEC SP / POP r16", which re-reads a stack word the trap frame has overwritten - confirm
seg014:25D5
seg014:25D5 loc_6FC05: ; CODE XREF: sub_6FAD3+106j
seg014:25D5 ; sub_6FAD3+111j ...
seg014:25D5 cmp al, 9Ch ; 9Ch = PUSHF
seg014:25D7 jnz short loc_6FC0F
seg014:25D9 or byte ptr cs:In_INT01h, 1 ; next trap clears TF in the pushed image (2566)
seg014:25DF
seg014:25DF loc_6FC0F: ; CODE XREF: sub_6FAD3+134j
seg014:25DF cmp al, 9Dh ; 9Dh = POPF
seg014:25E1 jnz short loc_6FC18
seg014:25E3 or [bp+arg_16], 100h ; set TF in the word POPF is about to load
seg014:25E8
seg014:25E8 loc_6FC18: ; CODE XREF: sub_6FAD3+13Ej
seg014:25E8 cmp al, 0CFh ; 0CFh = IRET
seg014:25EA jnz short loc_6FC21
seg014:25EC and [bp+arg_14], 0FEFFh ; clear TF in the FLAGS this handler's iret restores
seg014:25F1
seg014:25F1 loc_6FC21: ; CODE XREF: sub_6FAD3+147j
seg014:25F1 cmp al, 0EAh ; 0EAh = JMP FAR ptr16:16
seg014:25F3 jnz short loc_6FC2F
seg014:25F5 lodsw ; offset operand of the far jump
seg014:25F6 mov word ptr cs:Int21off, ax
seg014:25FA lodsw ; segment operand of the far jump
seg014:25FB mov word ptr cs:Int21Seg, ax ; the last far-jump target seen becomes the result
seg014:25FF
seg014:25FF loc_6FC2F: ; CODE XREF: sub_6FAD3+150j
seg014:25FF pop ss ; unwinds the pushes at 2550-2553 in reverse order
seg014:2600 pop ds
seg014:2601 pop es
seg014:2602 popa
seg014:2603 iret
seg014:2604 ; ---------------------------------------------------------------------------
seg014:2604
seg014:2604 loc_6FC34: ; CODE XREF: sub_6FAD3+3Ej
seg014:2604 ; sub_6FAD3+A9j
seg014:2604 mov ax, word ptr cs:Int21off ; result offset
seg014:2608 mov dx, word ptr cs:Int21Seg ; result segment
seg014:260D leave
seg014:260E retf 2 ; far return, releases the IntNo argument word
seg014:260E sub_6FAD3 endp
详细内容见附件
http://115.com/file/be4kgjlh#FI.idb