Post #4 (ability score: LV9, RANK:250)
Originally posted by softbihu: Changing even a single byte does not seem to work ~
Still don't know how to handle it ~ waiting for an expert to show up ~
Quite obviously, once this method was published the author fixed this weakness:
he added encryption, and the CODE section now has a CRC check.....
Still, even the most careful scheme leaves a gap......
Actually THMIDA's protection is no harder than ASPR or Armadillo;
it is just that it is very hard-line on the anti-DEBUG side......
I think the way to fight THMIDA effectively is...
to be able to build, or modify, a special DEBUG TOOL, or to PATCH DEBUG,
and directly HOOK the original INT or SSDT entry points; then you can DEBUG THMIDA.
Post #6 (ability score: LV9, RANK:250)
Originally posted by boobobo: Don't know whether any expert has tried hooking int 2E and then changing the functions THMIDA modified back to the correct ones. It might work. Also, it only does a CRC check on part of the code.
With r0cmd you can restore the correct SSDT, but that is of no use.
If THMIDA keeps refreshing the IDT and SSDT the way it does with the INTs,
or adds a CRC CHECK, it stops working...
My idea is to directly HOOK or FIX the OS kernel CODE,
so that you are no longer affected by the IDT and SSDT.
You have to write the program under RING 0 for that to be possible.......
In the past I modified the WIN98 kernel to pass the whole check directly,
because no protection checks for changes to the OS kernel.....
Post #9 (ability score: LV2, RANK:10)
Below is the code that handles int 14:
seg000:00000000 pushf
seg000:00000001 pusha
seg000:00000002 call $+5
seg000:00000007 pop ebp
seg000:00000008 sub ebp, 661174Dh
seg000:0000000E jmp short loc_1D
seg000:00000010 ; ---------------------------------------------------------------------------
seg000:00000010 cmp dword ptr [ebp+6611948h], 63h ; 'c'
seg000:00000017 ja loc_B6
seg000:0000001D
seg000:0000001D loc_1D: ; CODE XREF: seg000:0000000Ej
seg000:0000001D ; seg000:00000130j
seg000:0000001D mov eax, [esp+28h]
seg000:00000021 cmp eax, 0FFFFFFFFh
seg000:00000024 jz short loc_39
seg000:00000026 mov eax, [esp+24h]
seg000:0000002A cmp eax, 0FFFFFFFFh
seg000:0000002D jnz loc_1DD
seg000:00000033 popa
seg000:00000034 popf
seg000:00000035 add esp, 0Ch
seg000:00000038 iret
seg000:00000039 ; ---------------------------------------------------------------------------
seg000:00000039
seg000:00000039 loc_39: ; CODE XREF: seg000:00000024j
seg000:00000039 mov eax, 1
seg000:0000003E mov ecx, eax
seg000:00000040 or eax, eax
seg000:00000042 jnz loc_140
seg000:00000048 mov eax, 12345678h
seg000:0000004D mov eax, [eax]
seg000:0000004F cmp dword ptr [eax+8], 0
seg000:00000053 jz 0000018D
seg000:00000059 cmp dword ptr [eax+8], 2
seg000:0000005D ja 0000018D
seg000:00000063 cmp dword ptr [eax+8], 1
seg000:00000067 jz loc_135
seg000:0000006D
seg000:0000006D loc_6D: ; CODE XREF: seg000:00000165j
seg000:0000006D ; seg000:0000017Dj
seg000:0000006D mov eax, 0
seg000:00000072 cmp eax, 1
seg000:00000075 jz 0000018D
seg000:0000007B or ecx, ecx
seg000:0000007D jnz short loc_96
seg000:0000007F mov ebx, esp
seg000:00000081 add ebx, 34h ; '4'
seg000:00000084 mov eax, [ebx]
seg000:00000086 cmp byte ptr [eax-1], 0CCh
seg000:0000008A jnz short loc_AD
seg000:0000008C mov byte ptr [eax-1], 0C5h
seg000:00000090 inc eax
seg000:00000091 jmp loc_1B1
seg000:00000096 ; ---------------------------------------------------------------------------
seg000:00000096
seg000:00000096 loc_96: ; CODE XREF: seg000:0000007Dj
seg000:00000096 mov ebx, esp
seg000:00000098 add ebx, 34h ; '4'
seg000:0000009B mov eax, [ebx]
seg000:0000009D cmp byte ptr [eax-1], 0CCh
seg000:000000A1 jnz loc_1B1
seg000:000000A7 inc eax
seg000:000000A8 jmp loc_1B1
seg000:000000AD ; ---------------------------------------------------------------------------
seg000:000000AD
seg000:000000AD loc_AD: ; CODE XREF: seg000:0000008Aj
seg000:000000AD mov byte ptr [eax-2], 0C5h
seg000:000000B1 jmp loc_1B1
seg000:000000B6 ; ---------------------------------------------------------------------------
seg000:000000B6
seg000:000000B6 loc_B6: ; CODE XREF: seg000:00000017j
seg000:000000B6 mov eax, 80036400h
seg000:000000BB mov eax, eax
seg000:000000BD add eax, 0Ch
seg000:000000C0 mov ecx, cs:[eax]
seg000:000000C3 mov cx, cs:[eax-4]
seg000:000000C8 cmp ecx, 0FFFF0000h
seg000:000000CE jnb short loc_EE
seg000:000000D0 cmp ecx, 80000000h
seg000:000000D6 jb short loc_EE
seg000:000000D8 push ds
seg000:000000D9 mov ecx, 10h
seg000:000000DE db 66h
seg000:000000DE mov ds, cx
seg000:000000E1 assume ds:nothing
seg000:000000E1 mov cx, 0FFFFh
seg000:000000E5 mov [eax-4], cx
seg000:000000E9 mov [eax+2], cx
seg000:000000ED pop ds
seg000:000000EE assume ds:nothing
seg000:000000EE
seg000:000000EE loc_EE: ; CODE XREF: seg000:000000CEj
seg000:000000EE ; seg000:000000D6j
seg000:000000EE mov eax, 80036400h
seg000:000000F3 mov eax, eax
seg000:000000F5 add eax, 1Ch
seg000:000000F8 mov ecx, cs:[eax]
seg000:000000FB mov cx, cs:[eax-4]
seg000:00000100 cmp ecx, 0FFFF0000h
seg000:00000106 jnb short loc_126
seg000:00000108 cmp ecx, 80000000h
seg000:0000010E jb short loc_126
seg000:00000110 push ds
seg000:00000111 mov ecx, 10h
seg000:00000116 db 66h
seg000:00000116 mov ds, cx
seg000:00000119 assume ds:nothing
seg000:00000119 mov cx, 0FFFFh
seg000:0000011D mov [eax-4], cx
seg000:00000121 mov [eax+2], cx
seg000:00000125 pop ds
seg000:00000126 assume ds:nothing
seg000:00000126
seg000:00000126 loc_126: ; CODE XREF: seg000:00000106j
seg000:00000126 ; seg000:0000010Ej
seg000:00000126 mov dword ptr [ebp+6611948h], 0
seg000:00000130 jmp loc_1D
seg000:00000135 ; ---------------------------------------------------------------------------
seg000:00000135
seg000:00000135 loc_135: ; CODE XREF: seg000:00000067j
seg000:00000135 lea eax, [ebp+6611925h]
seg000:0000013B mov [eax+1], edx
seg000:0000013E jmp eax
seg000:00000140 ; ---------------------------------------------------------------------------
seg000:00000140
seg000:00000140 loc_140: ; CODE XREF: seg000:00000042j
seg000:00000140 push fs
seg000:00000142 mov eax, 30h ; '0'
seg000:00000147 db 66h
seg000:00000147 mov fs, ax
seg000:0000014A assume fs:nothing
seg000:0000014A mov eax, large fs:124h
seg000:00000150 mov eax, [eax+44h]
seg000:00000153 pop fs
seg000:00000155 assume fs:nothing
seg000:00000155 mov ebx, eax
seg000:00000157 and ebx, 7FFFFFFFh
seg000:0000015D mov esi, 0EBA83000h ; this is probably the key spot
seg000:00000162 cmp dword ptr [esi], 0
seg000:00000165 jz loc_6D
seg000:0000016B call sub_206
seg000:00000170 or eax, eax
seg000:00000172 jnz short loc_178
seg000:00000174 jmp short 0000018D
seg000:00000176 ; ---------------------------------------------------------------------------
seg000:00000176 jmp short loc_182
seg000:00000178 ; ---------------------------------------------------------------------------
seg000:00000178
seg000:00000178 loc_178: ; CODE XREF: seg000:00000172j
seg000:00000178 cmp eax, 1
seg000:0000017B jnz short loc_182
seg000:0000017D jmp loc_6D
seg000:00000182 ; ---------------------------------------------------------------------------
seg000:00000182
seg000:00000182 loc_182: ; CODE XREF: seg000:00000176j
seg000:00000182 ; seg000:0000017Bj
seg000:00000182 lea eax, [ebp+6611925h]
seg000:00000188 mov [eax+1], edx
seg000:0000018B jmp eax
seg000:0000018D ; ---------------------------------------------------------------------------
seg000:0000018D
seg000:0000018D 0000018D: ; CODE XREF: seg000:00000053j
seg000:0000018D ; seg000:0000005Dj ...
seg000:0000018D mov ebx, esp
seg000:0000018F add ebx, 34h ; '4'
seg000:00000192 mov eax, [ebx]
seg000:00000194 cmp byte ptr [eax-1], 0CCh
seg000:00000198 jz short loc_1E5
seg000:0000019A cmp word ptr [eax-2], 3CDh
seg000:000001A0 jz short loc_1E5
seg000:000001A2 cmp word ptr [eax-2], 1CDh
seg000:000001A8 jz short loc_1B1
seg000:000001AA popa
seg000:000001AB popf
seg000:000001AC add esp, 10h
seg000:000001AF jmp short int1
seg000:000001B1 ; ---------------------------------------------------------------------------
seg000:000001B1
seg000:000001B1 loc_1B1: ; CODE XREF: seg000:00000091j
seg000:000001B1 ; seg000:000000A1j ...
seg000:000001B1 sub eax, 2
seg000:000001B4 mov [ebx], eax
seg000:000001B6 popa
seg000:000001B7 popf
seg000:000001B8 add esp, 0Ch
seg000:000001BB mov dword ptr [esp], 2Ah ; '*'
seg000:000001C2 jmp short loc_1FC
seg000:000001C2 ; ---------------------------------------------------------------------------
seg000:000001C4 db 8Bh
seg000:000001C5 db 43h ; C
seg000:000001C6 db 8 ;
seg000:000001C7 db 0A9h
seg000:000001C8 db 0 ;
seg000:000001C9 db 1 ;
seg000:000001CA db 0 ;
seg000:000001CB db 0 ;
seg000:000001CC db 75h ; u
seg000:000001CD db 2 ;
seg000:000001CE db 40h ; @
seg000:000001CF db 40h ; @
seg000:000001D0 db 43h ; C
seg000:000001D1 db 43h ; C
seg000:000001D2 db 41h ; A
seg000:000001D3 db 42h ; B
seg000:000001D4 db 37h ; 7
seg000:000001D5 db 8Bh
seg000:000001D6 db 4Ah ; J
seg000:000001D7 db 80h
seg000:000001D8 db 64h ; d
seg000:000001D9 db 0 ;
seg000:000001DA db 0 ;
seg000:000001DB db 0 ;
seg000:000001DC db 40h ; @
seg000:000001DD ; ---------------------------------------------------------------------------
seg000:000001DD
seg000:000001DD loc_1DD: ; CODE XREF: seg000:0000002Dj
seg000:000001DD popa
seg000:000001DE popf
seg000:000001DF push 0EB606735h
seg000:000001E4 retn
seg000:000001E5 ; ---------------------------------------------------------------------------
seg000:000001E5
seg000:000001E5 loc_1E5: ; CODE XREF: seg000:00000198j
seg000:000001E5 ; seg000:000001A0j
seg000:000001E5 popa
seg000:000001E6 popf
seg000:000001E7 add esp, 10h
seg000:000001EA jmp short int3
seg000:000001EA ; ---------------------------------------------------------------------------
seg000:000001EC db 0 ;
seg000:000001ED db 0 ;
seg000:000001EE db 0 ;
seg000:000001EF db 0 ;
seg000:000001F0 ; ---------------------------------------------------------------------------
seg000:000001F0
seg000:000001F0 int1: ; CODE XREF: seg000:000001AFj
seg000:000001F0 push 80465CE4h ; to the system's original int1 handler
seg000:000001F5 retn
seg000:000001F6 ; ---------------------------------------------------------------------------
seg000:000001F6
seg000:000001F6 int3: ; CODE XREF: seg000:000001EAj
seg000:000001F6 push 80465FD4h ; to the system's original int3 handler
seg000:000001FB retn
seg000:000001FC ; ---------------------------------------------------------------------------
seg000:000001FC
seg000:000001FC loc_1FC: ; CODE XREF: seg000:000001C2j
seg000:000001FC push 8046748Ch ; to the system's original int13 handler
seg000:00000201 retn
seg000:00000201 ; ---------------------------------------------------------------------------
seg000:00000202 db 0 ;
seg000:00000203 db 0 ;
seg000:00000204 db 0 ;
seg000:00000205 db 0 ;
seg000:00000206
seg000:00000206 ; =============== S U B R O U T I N E =======================================
seg000:00000206
seg000:00000206
seg000:00000206 sub_206 proc near ; CODE XREF: seg000:0000016Bp
seg000:00000206 mov edi, esi
seg000:00000208 mov cl, 1
seg000:0000020A or cl, cl
seg000:0000020C jz short loc_214
seg000:0000020E add edi, 3E8h
seg000:00000214
seg000:00000214 loc_214: ; CODE XREF: sub_206+6j
seg000:00000214 ; sub_206+30j
seg000:00000214 add esi, 4
seg000:00000217 add edi, 4
seg000:0000021A cmp dword ptr [esi], 47616420h
seg000:00000220 jnz short loc_225
seg000:00000222 xor eax, eax
seg000:00000224 retn
seg000:00000225 ; ---------------------------------------------------------------------------
seg000:00000225
seg000:00000225 loc_225: ; CODE XREF: sub_206+1Aj
seg000:00000225 cmp [esi], eax
seg000:00000227 jz short locret_22D
seg000:00000229 cmp [edi], eax
seg000:0000022B jnz short loc_22E
seg000:0000022D
seg000:0000022D locret_22D: ; CODE XREF: sub_206+21j
seg000:0000022D retn
seg000:0000022E ; ---------------------------------------------------------------------------
seg000:0000022E
seg000:0000022E loc_22E: ; CODE XREF: sub_206+25j
seg000:0000022E cmp [esi], ebx
seg000:00000230 jnz short loc_236
seg000:00000232 xor eax, eax
seg000:00000234 inc eax
seg000:00000235 retn
seg000:00000236 ; ---------------------------------------------------------------------------
seg000:00000236
seg000:00000236 loc_236: ; CODE XREF: sub_206+2Aj
seg000:00000236 jmp short loc_214
seg000:00000236 sub_206 endp
seg000:00000236
15D to 170 should be where it checks whether the packed program is running; the code can be changed, but I don't know how to change it.
I changed both
seg000:00000170 or eax, eax
seg000:00000172 jnz short loc_178
to nop, and the packed program just exits by itself as soon as it is opened.
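Added example (not code from the post above and not Themida's own code): a host-side C model of the dispatch logic in that listing, starting at the loc_39 entry (the [esp+28h] == -1 case). It replays the checks at loc_140/sub_206, loc_18D and loc_96 over a constructed code buffer and a constructed process table, so you can see which original handler each trap ends up at with and without the nop patch at 170h/172h. The ROUTE_* names, the sample bytes, the sample EPROCESS value and the table layout are assumptions made for the model; the kernel addresses in the listing are only quoted in comments, never dereferenced, and the three entry checks before loc_39 are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Where the hook finally forwards a trap (names are ours). */
enum route {
    ROUTE_ORIG_INT3,  /* loc_1E5: add esp,10h / jmp int3 (80465FD4h)            */
    ROUTE_ORIG_INT1,  /* 1AAh:    add esp,10h / jmp int1 (80465CE4h)            */
    ROUTE_LOC_1FC,    /* loc_1B1: EIP fixed, [esp]=2Ah, jmp loc_1FC (8046748Ch)  */
    ROUTE_LOC_182     /* loc_182: jmp to the self-patched stub at ebp+6611925h   */
};
/* What the hook reads: the bytes around the trap-frame EIP ([esp+34h]). */
struct trap { const uint8_t *code; size_t len; uint32_t base, eip; };

static int rd8(const struct trap *t, uint32_t va, uint8_t *out) {
    if (va < t->base || va - t->base >= t->len) return 0;   /* unmapped in the model */
    *out = t->code[va - t->base]; return 1;
}
static int rd16(const struct trap *t, uint32_t va, uint16_t *out) {
    uint8_t lo, hi;
    if (!rd8(t, va, &lo) || !rd8(t, va + 1, &hi)) return 0;
    *out = (uint16_t)(lo | (hi << 8)); return 1;            /* little-endian word */
}

/* loc_18D, taken when sub_206 returned 0 (process not in the table): CC and CD 03
 * go to the original int3 handler, CD 01 is the protector's own trap and has EIP
 * moved back two bytes, anything else is treated as an int1. */
enum route dispatch_loc_18D(struct trap *t) {
    uint8_t b; uint16_t w;
    if (rd8(t, t->eip - 1, &b) && b == 0xCC) return ROUTE_ORIG_INT3;
    if (rd16(t, t->eip - 2, &w) && w == 0x03CD) return ROUTE_ORIG_INT3;
    if (rd16(t, t->eip - 2, &w) && w == 0x01CD) {
        t->eip -= 2;                       /* loc_1B1: sub eax,2 / mov [ebx],eax */
        return ROUTE_LOC_1FC;
    }
    return ROUTE_ORIG_INT1;
}
/* loc_96 (via loc_6D), taken when sub_206 returned 1 or the table is empty. ecx is
 * always 1 on this path (set at loc_39), so loc_7F, which overwrites a CC with C5h,
 * is unreachable here; a debugger's CC is never forwarded to the original int3. */
enum route dispatch_loc_96(struct trap *t) {
    uint8_t b;
    if (rd8(t, t->eip - 1, &b) && b == 0xCC) t->eip += 1;   /* inc eax */
    t->eip -= 2;                                             /* loc_1B1 */
    return ROUTE_LOC_1FC;
}
/* sub_206: walk a dword table (esi) and a parallel one 3E8h bytes later (edi; cl is
 * always 1, so the add is unconditional) for the current EPROCESS. 0 = end marker
 * 47616420h, 1 = entry equals EPROCESS with bit 31 cleared (ebx), 2 = the listing's
 * "return with eax untouched" case (entry equals the raw EPROCESS). The length
 * bound is our addition; the original loops until it finds a marker. */
#define TABLE_END_MARKER 0x47616420u
int sub_206(const uint32_t *table, size_t len, uint32_t eax) {
    uint32_t ebx = eax & 0x7FFFFFFFu;
    size_t esi = 0, edi = 0x3E8 / 4;
    for (;;) {
        esi++; edi++;                                        /* loc_214 */
        if (edi >= len) return -1;
        if (table[esi] == TABLE_END_MARKER) return 0;
        if (table[esi] == eax || table[edi] == eax) return 2;
        if (table[esi] == ebx) return 1;
    }
}
/* loc_140 onward. nop_patch models the poster's change: with 170h and 172h nop'd,
 * execution always falls into `jmp short 18D` whatever sub_206 returned. */
enum route dispatch(struct trap *t, const uint32_t *table, size_t len,
                    uint32_t eprocess, int nop_patch) {
    if (table[0] == 0) return dispatch_loc_96(t);   /* 162h: cmp [esi],0 / jz loc_6D */
    int r = sub_206(table, len, eprocess);
    if (nop_patch || r == 0) return dispatch_loc_18D(t);
    if (r == 1) return dispatch_loc_96(t);
    return ROUTE_LOC_182;
}

/* Constructed sample (ours, not from the post): a code page with a CC, a CD 01 and a
 * CD 03, plus a one-entry process table. in_table: 0 = absent, 1 = stored with
 * bit 31 cleared, 2 = stored raw. */
#define SAMPLE_BASE     0x00401000u
#define SAMPLE_EPROCESS 0x81234560u
static const uint8_t sample_code[] = { 0x90, 0xCC, 0x90, 0xCD, 0x01, 0x90, 0xCD, 0x03, 0x90 };

enum route sample_route(uint32_t eip_off, int in_table, int nop_patch, uint32_t *eip_out) {
    uint32_t table[0x3E8 / 4 + 8];
    memset(table, 0, sizeof table);
    table[0] = 1;                                   /* non-zero so 162h does not short-circuit */
    table[1] = in_table == 1 ? (SAMPLE_EPROCESS & 0x7FFFFFFFu)
             : in_table == 2 ? SAMPLE_EPROCESS : 0x11111111u;
    table[2] = TABLE_END_MARKER;
    struct trap t = { sample_code, sizeof sample_code, SAMPLE_BASE, SAMPLE_BASE + eip_off };
    enum route r = dispatch(&t, table, sizeof table / sizeof table[0], SAMPLE_EPROCESS, nop_patch);
    if (eip_out) *eip_out = t.eip;
    return r;
}
uint32_t sample_new_eip(uint32_t eip_off, int in_table, int nop_patch) {
    uint32_t eip = 0; sample_route(eip_off, in_table, nop_patch, &eip); return eip;
}

int main(void) {                                    /* print the route for every case */
    static const uint32_t offs[] = { 2, 5, 8, 1 };  /* after CC, CD 01, CD 03, a plain byte */
    for (int p = 0; p < 2; p++) for (int it = 0; it < 3; it++) for (int i = 0; i < 4; i++)
        printf("nop_patch=%d in_table=%d eip_off=%u -> route %d, new eip=%08X\n", p, it,
               (unsigned)offs[i], (int)sample_route(offs[i], it, p, NULL), sample_new_eip(offs[i], it, p));
    return 0;
}
```

Build with cc -std=c99 and run; each line gives the route (0 = original int3, 1 = original int1, 2 = loc_1FC, 3 = loc_182) for one combination of patch state, table membership and trap site. What the model makes visible is that the nop patch collapses every process onto the loc_18D path, where a CC byte is forwarded to the original int3 handler and the loc_182 stub is never reached; it does not by itself say why the packed program exits, which the post leaves open.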