Ability score:
( LV2,RANK:10 )
Post #20
This doesn't feel very reliable. I downloaded it and tested it, and running the first example produced an error:
{"error":[],"warning":["section name: .text$unest_here,section number: 64 ,a static jump out of current section range,give up"],"notice":[]}
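Then I wrote a program in VS2008 and added .text$unest_aaaa myself. The conversion succeeded when tested from the command line, but linking and running failed with an error.
I think that in theory unlimited transformation is possible, but whether the transformed code is compatible is another matter; it is probably better to start from simple obfuscation.
Ability score: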
( LV6,RANK:90 )
Post #23
[QUOTE=sjm;1321372]This doesn't feel very reliable. I downloaded it and tested it, and running the first example produced an error:
{"error":[],"warning":["section name: .text$unest_here,section number: 64 ,a static jump out of current section ...[/QUOTE]
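Author: sjm Posted: 2014-10-04, 15:57:49 I thought it would run, but I was greatly disappointed. Even the downloaded crackme.exe fails when run. Please upgrade it quickly and then let everyone test it again.
1. That is a warning, not an error.
2. Check the config. If it is configured improperly, for example if register protection that should not be opened up has been opened up, the obfuscated program will fail.
3. To make it easy to set breakpoints, crackme comes with a built-in int 3 breakpoint.
Ability score: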
( LV2,RANK:10 )
Post #24
Take a look at what I did. This warning cannot simply be ignored; otherwise the later generation step does no obfuscation.
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>f:
F:\>cd F:\code\drivers\unest-5.03\unest-5.03
F:\code\drivers\unest-5.03\unest-5.03>F:\code\drivers\php-5.4.33-Win32-VC9-x86\p
hp.exe ./engine/ready.php "path=&filename=demoDlg.obj&cnf=1.config&type=coff&out
put=&base=D:\unest_project\&log=ready.log&timelimit=60000"
<br> "c:\Program Files\nasm\ndisasm.exe" -b 32 -o0 -s6816 D:\unest_project\//dem
oDlg.obj.bin >> D:\unest_project\//demoDlg.obj.asm
<br><br><br><br>binary size: int(95025)
<br><br><br><br>array(3) {
["error"]=>
array(0) {
}
["warning"]=>
array(1) {
[0]=>
string(101) "section name: .text$unest_here,section number: 64 ,a static jum
p out of current section range,give up"
}
["notice"]=>
array(0) {
}
}
array(10) {
["analysis_input_file_format"]=>
float(0.03125)
["collect_and_disasm"]=>
float(0.1875)
["format_disasm_file"]=>
float(0.015625)
["sec_reloc_format"]=>
float(0)
["eip rel label replace"]=>
float(0)
["disasm to standard"]=>
float(0)
["exec thread list"]=>
float(0)
["usable register and memory"]=>
float(0)
["compress same char to output"]=>
float(0)
["init mem_addition"]=>
float(0.03125)
}
<br>memory_get_usage: int(3501160)
F:\code\drivers\unest-5.03\unest-5.03>
F:\code\drivers\unest-5.03\unest-5.03>F:\code\drivers\php-5.4.33-Win32-VC9-x86\p
hp.exe ./engine/generat.php "filename=demoDlg.obj&base=d:\unest_project\&log=./g
enerat.log&outputfile=demoDlg.obj.result&cnf=1.config&rdy=demoDlg.obj.rdy&timeli
mit=12000"
<br>meat model:<br>int(36)
array(3) {
["error"]=>
array(0) {
}
["warning"]=>
array(1) {
[0]=>
string(65) "ignored unknown section name in configure file : .text$unest_her
e"
}
["notice"]=>
array(0) {
}
}
array(2) {
["nasm final obj"]=>
float(0.28125)
["others"]=>
float(0)
}
<br>memory_get_usage: int(31142176)
F:\code\drivers\unest-5.03\unest-5.03>
Because of the earlier warning, it gets ignored during the later generation step, and no obfuscation is done at all.
ignored unknown section name in configure file : .text$unest_here
Looking at the two files in IDA, the data is identical:
.text$unest_here:00003BF4 jmp short loc_3C05
.text$unest_here:00003BF4 ; ---------------------------------------------------------------------------
.text$unest_here:00003BF6 dw 574Ah
.text$unest_here:00003BF8 db 79h, 52h, 17h
.text$unest_here:00003BFB ; ---------------------------------------------------------------------------
.text$unest_here:00003BFB neg edx
.text$unest_here:00003BFD test edi, ecx
.text$unest_here:00003BFF cmp ebp, 3
.text$unest_here:00003C02 retn
.text$unest_here:00003C02 ; ---------------------------------------------------------------------------
.text$unest_here:00003C03 db 43h
.text$unest_here:00003C04 db 8
.text$unest_here:00003C05 ; ---------------------------------------------------------------------------
.text$unest_here:00003C05
.text$unest_here:00003C05 loc_3C05: ; CODE XREF: CdemoDlg::MyEncrypt(char *)j
.text$unest_here:00003C05 or edx, ebp
.text$unest_here:00003C07 neg edx
.text$unest_here:00003C09 jg short loc_3C26
.text$unest_here:00003C0B lea edx, [edx+edx*2+71F0h]
.text$unest_here:00003C12 jle short loc_3C26
.text$unest_here:00003C14 jmp near ptr 0BD349835h
.text$unest_here:00003C14 ?MyEncrypt@CdemoDlg@@AAE_NPAD@Z endp ; sp-analysis failed
No obfuscation.
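The check post #24 does by eye in IDA (are the bytes of the marked section the same in the input .obj and in the generated result?), as an added example that is not part of the original thread or of UNEST. The function names and the sample object are constructed for illustration; it assumes a classic COFF object (not /bigobj).

```python
import struct

FILE_HDR = struct.Struct("<HHIIIHH")      # IMAGE_FILE_HEADER, 20 bytes
SEC_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
SYMBOL_SIZE = 18                          # one COFF symbol table record

def coff_sections(obj: bytes) -> list:
    """Return [(section name, raw bytes)] for a COFF object file."""
    _, nsec, _, symtab, nsyms, opt_size, _ = FILE_HDR.unpack_from(obj, 0)
    strtab = symtab + nsyms * SYMBOL_SIZE  # string table follows the symbols
    out = []
    for i in range(nsec):
        off = FILE_HDR.size + opt_size + i * SEC_HDR.size
        raw_name, _, _, size, ptr, *_ = SEC_HDR.unpack_from(obj, off)
        name = raw_name.rstrip(b"\0").decode("ascii")
        if name.startswith("/"):
            # Names longer than 8 bytes (e.g. .text$unest_here) are stored
            # as "/<decimal offset>" pointing into the string table.
            start = strtab + int(name[1:])
            name = obj[start:obj.index(b"\0", start)].decode("ascii")
        out.append((name, obj[ptr:ptr + size]))
    return out

def section_bytes(obj: bytes, name: str) -> bytes:
    # An object may hold several sections with one name; join them in order.
    return b"".join(data for n, data in coff_sections(obj) if n == name)

def section_changed(before: bytes, after: bytes, name: str) -> bool:
    """True if the named section's code differs between the two objects."""
    original = section_bytes(before, name)
    if not original:
        raise KeyError(f"section {name!r} not found in input object")
    return original != section_bytes(after, name)

def build_sample_obj(code: bytes, name: bytes = b".text$unest_here") -> bytes:
    """Constructed minimal i386 COFF object with one long-named section."""
    data_off = FILE_HDR.size + SEC_HDR.size
    symtab = data_off + len(code)          # no symbols, string table only
    hdr = FILE_HDR.pack(0x14C, 1, 0, symtab, 0, 0, 0)
    sec = SEC_HDR.pack(b"/4", 0, 0, len(code), data_off, 0, 0, 0, 0, 0x60000020)
    strtab = struct.pack("<I", 4 + len(name) + 1) + name + b"\0"
    return hdr + sec + code + strtab

if __name__ == "__main__":
    src = build_sample_obj(bytes.fromhex("558becc3"))       # constructed bytes
    untouched = build_sample_obj(bytes.fromhex("558becc3"))
    print(section_changed(src, untouched, ".text$unest_here"))
```

On real files, pass the contents of `demoDlg.obj` and `demoDlg.obj.result` as `before` and `after`; a `False` result matches the "data is identical" observation in the post.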
Ability score:
( LV2,RANK:10 )
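Post #25
It turns out the run-time error was caused by the int 3 instructions; once I removed them it was fine.
The section name .text$unest_here is problematic, so I changed it to .text$unets_aaaa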
// _asm{int 3h}
// _asm{pushad}
MyEncrypt(buff);
// _asm{popad}
// _asm{int 3h}
GetDlgItem(IDC_STATIC)->SetWindowText((LPCTSTR)buff);
}
#pragma code_seg (".text$unest_aaaa")
bool CmfcappDlg::MyEncrypt(char * buff)
{
int flag = *(int*)buff;
if (0x00303030 == flag){
* (int *)buff = 0x00003131;
}else{
for (int i=0;;i++){
if (0 == buff[i]){
break;
}else{
int j = buff[i];
j -= 0x30;
j += i+1;
while (j > 9)
j -= 10;
buff[i] = j + 0x30;
}
}
}
return true;
}
#pragma code_seg ()
After the change I retested, compiling with VS2008. It finally ran. Here is the obfuscated MyEncrypt code; there are also two functions:
.text:00411230 ; bool __thiscall CmfcappDlg__MyEncrypt(CmfcappDlg *this, char *buff)
.text:00411230 j_?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z proc near
.text:00411230 ; CODE XREF: CmfcappDlg::OnBnClickedButton1(void)+D2p
.text:00411230 jmp ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z ; CmfcappDlg::MyEncrypt(char *)
.text:00411230 j_?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z endp
.text:00418100 ; bool __thiscall CmfcappDlg__MyEncrypt(CmfcappDlg *this, char *buff)
.text:00418100 ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z proc near
.text:00418100 ; CODE XREF: CmfcappDlg::MyEncrypt(char *)j
.text:00418100
.text:00418100 var_F8 = byte ptr -0F8h
.text:00418100 var_F0 = byte ptr -0F0h
.text:00418100 var_CF = byte ptr -0CFh
.text:00418100 var_7F = byte ptr -7Fh
.text:00418100 var_37 = byte ptr -37h
.text:00418100 j = dword ptr -2Ch
.text:00418100 i = dword ptr -20h
.text:00418100 flag = dword ptr -14h
.text:00418100 this = dword ptr -8
.text:00418100 var_0 = byte ptr 0
.text:00418100 buff = dword ptr 8
.text:00418100 arg_62 = byte ptr 6Ah
.text:00418100
.text:00418100 ; FUNCTION CHUNK AT .text:00418311 SIZE 000000B9 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:004183DE SIZE 00000042 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:00418428 SIZE 00000113 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:0041854F SIZE 0000033F BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:004188A5 SIZE 0000005F BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:00418913 SIZE 00000011 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:0041892A SIZE 00000056 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:00418994 SIZE 00000002 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:004189C1 SIZE 00000007 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:004189DE SIZE 000000AE BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:00418AA5 SIZE 00000003 BYTES
.text:00418100 ; FUNCTION CHUNK AT .text:00418ABA SIZE 000000BE BYTES
.text:00418100
.text:00418100 push ebp
.text:00418101 mov ebp, esp
.text:00418103 sub esp, 0F0h
.text:00418109 push ebx
.text:0041810A push esi
.text:0041810B jmp short loc_418149
.text:0041810D ; ---------------------------------------------------------------------------
.text:0041810D cmp [ebx-2B2D7265h], esp
.text:00418113 stosd
.text:00418114
.text:00418114 loc_418114: ; CODE XREF: .text:00418230p
.text:00418114 movsx eax, bl
.text:00418117 movsx eax, cl
.text:0041811A xchg eax, edi
.text:0041811B nop
.text:0041811C setnz al
.text:0041811F movzx esi, word ptr [ebp+flag]
.text:00418123 movzx edi, byte ptr [ebp+buff]
.text:00418127 lea ebx, [ecx+ecx*8-3BA2h]
.text:0041812E mov edi, ecx
.text:00418130 nop
.text:00418131 lea eax, [eax+eax-6]
.text:00418135 movsx ebx, cl
.text:00418138 setz al
.text:0041813B retn
.text:0041813B ; ---------------------------------------------------------------------------
.text:0041813C dd 36FA2F2Ah, 52F5F499h, 0E2749452h
.text:00418148 db 72h
.text:00418149 ; ---------------------------------------------------------------------------
.text:00418149
.text:00418149 loc_418149: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+Bj
.text:00418149 push edi
.text:0041814A mov eax, [ebp+this]
.text:0041814D jnz loc_418428
.text:00418153 lea eax, ds:0[edx*8]
.text:0041815A mov esi, esi
.text:0041815C nop
.text:0041815D lea eax, [eax+6]
.text:00418160 mov eax, ebx
.text:00418162 mov esi, 0EA05B8BCh
.text:00418167 setnl al
.text:0041816A push ecx
.text:0041816B mov eax, [ebp+buff]
.text:0041816E setz al
.text:00418171 xchg edi, ecx
.text:00418173 movsx esi, byte ptr [ebp+buff]
.text:00418177 mov ebx, [ebp+flag]
.text:0041817A xchg edi, ecx
.text:0041817C nop
.text:0041817D lea esi, [esi+edi*2+2292h]
.text:00418184 mov edi, [ebp+buff]
.text:00418187 jmp loc_418311
.text:00418187 ; ---------------------------------------------------------------------------
.text:0041818C db 3Bh, 0F2h, 26h
.text:0041818F ; ---------------------------------------------------------------------------
.text:0041818F
.text:0041818F loc_41818F: ; CODE XREF: CmfcappDlg::MyEncrypt(char *):loc_418428p
.text:0041818F mov ebx, [ebp+this]
.text:00418192 movzx esi, word ptr [ebp+buff]
.text:00418196 lea eax, ds:0[esi*4]
.text:0041819D mov edi, [ebp+this]
.text:004181A0 mov ebx, esi
.text:004181A2 nop
.text:004181A3 setnz bl
.text:004181A6 lea eax, [esp+ebp*4+0]
.text:004181A9 movzx eax, word ptr [ebp+this]
.text:004181AD movzx edi, word ptr [ebp+buff]
.text:004181AD ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z endp ; sp-analysis failed
.text:004181AD
.text:004181B1 setz bl
.text:004181B4 setl bl
.text:004181B7 mov eax, eax
.text:004181B9 movsx ebx, byte ptr [ebp-14h]
.text:004181BD not esi
.text:004181BF setnbe bl
.text:004181C2 setnbe al
.text:004181C5 xchg esi, ebx
.text:004181C7 lea esi, [ebx+ebx-3DD5183Ch]
.text:004181CE mov esi, [ebp+8]
.text:004181D1 nop
.text:004181D2 not eax
.text:004181D4 not ebx
.text:004181D6 lea ebx, [ecx-25ABh]
.text:004181DC nop
.text:004181DD setz al
.text:004181E0 setnle bl
.text:004181E3 movzx eax, byte ptr [ebp-14h]
.text:004181E7 jmp short loc_4181FE
.text:004181E7 ; ---------------------------------------------------------------------------
.text:004181E9 db 6Dh, 3Fh, 2Fh
.text:004181EC dd 66DF94D1h
.text:004181F0 ; ---------------------------------------------------------------------------
.text:004181F0 xchg eax, edi
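The obfuscated code really is obscure and hard to understand, and it is very different from the original.
Pasting the code from before obfuscation: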
.text$unest_aaaa:00001094 ; public: bool __thiscall CmfcappDlg::MyEncrypt(char *)
.text$unest_aaaa:00001094 public ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z
.text$unest_aaaa:00001094 ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z proc near
.text$unest_aaaa:00001094 ; CODE XREF: CmfcappDlg::OnBnClickedButton1(void)+D2p
.text$unest_aaaa:00001094
.text$unest_aaaa:00001094 var_F0 = byte ptr -0F0h
.text$unest_aaaa:00001094 var_2C = dword ptr -2Ch
.text$unest_aaaa:00001094 var_20 = dword ptr -20h
.text$unest_aaaa:00001094 var_14 = dword ptr -14h
.text$unest_aaaa:00001094 var_8 = dword ptr -8
.text$unest_aaaa:00001094 arg_0 = dword ptr 8
.text$unest_aaaa:00001094
.text$unest_aaaa:00001094 push ebp
.text$unest_aaaa:00001095 mov ebp, esp
.text$unest_aaaa:00001097 sub esp, 0F0h
.text$unest_aaaa:0000109D push ebx
.text$unest_aaaa:0000109E push esi
.text$unest_aaaa:0000109F push edi
.text$unest_aaaa:000010A0 push ecx
.text$unest_aaaa:000010A1 lea edi, [ebp+var_F0]
.text$unest_aaaa:000010A7 mov ecx, 3Ch ; '<'
.text$unest_aaaa:000010AC mov eax, 0CCCCCCCCh
.text$unest_aaaa:000010B1 rep stosd
.text$unest_aaaa:000010B3 pop ecx
.text$unest_aaaa:000010B4 mov [ebp+var_8], ecx
.text$unest_aaaa:000010B7 mov eax, [ebp+arg_0]
.text$unest_aaaa:000010BA mov ecx, [eax]
.text$unest_aaaa:000010BC mov [ebp+var_14], ecx
.text$unest_aaaa:000010BF cmp [ebp+var_14], 303030h
.text$unest_aaaa:000010C6 jnz short loc_10D3
.text$unest_aaaa:000010C8 mov eax, [ebp+arg_0]
.text$unest_aaaa:000010CB mov dword ptr [eax], 3131h
.text$unest_aaaa:000010D1 jmp short loc_1139
.text$unest_aaaa:000010D3 ; ---------------------------------------------------------------------------
.text$unest_aaaa:000010D3
.text$unest_aaaa:000010D3 loc_10D3: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+32j
.text$unest_aaaa:000010D3 mov [ebp+var_20], 0
.text$unest_aaaa:000010DA jmp short loc_10E5
.text$unest_aaaa:000010DC ; ---------------------------------------------------------------------------
.text$unest_aaaa:000010DC
.text$unest_aaaa:000010DC loc_10DC: ; CODE XREF: CmfcappDlg::MyEncrypt(char *):loc_1137j
.text$unest_aaaa:000010DC mov eax, [ebp+var_20]
.text$unest_aaaa:000010DF add eax, 1
.text$unest_aaaa:000010E2 mov [ebp+var_20], eax
.text$unest_aaaa:000010E5
.text$unest_aaaa:000010E5 loc_10E5: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+46j
.text$unest_aaaa:000010E5 mov eax, [ebp+arg_0]
.text$unest_aaaa:000010E8 add eax, [ebp+var_20]
.text$unest_aaaa:000010EB movsx ecx, byte ptr [eax]
.text$unest_aaaa:000010EE test ecx, ecx
.text$unest_aaaa:000010F0 jnz short loc_10F6
.text$unest_aaaa:000010F2 jmp short loc_1139
.text$unest_aaaa:000010F4 ; ---------------------------------------------------------------------------
.text$unest_aaaa:000010F4 jmp short loc_1137
.text$unest_aaaa:000010F6 ; ---------------------------------------------------------------------------
.text$unest_aaaa:000010F6
.text$unest_aaaa:000010F6 loc_10F6: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+5Cj
.text$unest_aaaa:000010F6 mov eax, [ebp+arg_0]
.text$unest_aaaa:000010F9 add eax, [ebp+var_20]
.text$unest_aaaa:000010FC movsx ecx, byte ptr [eax]
.text$unest_aaaa:000010FF mov [ebp+var_2C], ecx
.text$unest_aaaa:00001102 mov eax, [ebp+var_2C]
.text$unest_aaaa:00001105 sub eax, 30h ; '0'
.text$unest_aaaa:00001108 mov [ebp+var_2C], eax
.text$unest_aaaa:0000110B mov eax, [ebp+var_20]
.text$unest_aaaa:0000110E mov ecx, [ebp+var_2C]
.text$unest_aaaa:00001111 lea edx, [ecx+eax+1]
.text$unest_aaaa:00001115 mov [ebp+var_2C], edx
.text$unest_aaaa:00001118
.text$unest_aaaa:00001118 loc_1118: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+93j
.text$unest_aaaa:00001118 cmp [ebp+var_2C], 9
.text$unest_aaaa:0000111C jle short loc_1129
.text$unest_aaaa:0000111E mov eax, [ebp+var_2C]
.text$unest_aaaa:00001121 sub eax, 0Ah
.text$unest_aaaa:00001124 mov [ebp+var_2C], eax
.text$unest_aaaa:00001127 jmp short loc_1118
.text$unest_aaaa:00001129 ; ---------------------------------------------------------------------------
.text$unest_aaaa:00001129
.text$unest_aaaa:00001129 loc_1129: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+88j
.text$unest_aaaa:00001129 mov eax, [ebp+var_2C]
.text$unest_aaaa:0000112C add eax, 30h ; '0'
.text$unest_aaaa:0000112F mov ecx, [ebp+arg_0]
.text$unest_aaaa:00001132 add ecx, [ebp+var_20]
.text$unest_aaaa:00001135 mov [ecx], al
.text$unest_aaaa:00001137
.text$unest_aaaa:00001137 loc_1137: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+60j
.text$unest_aaaa:00001137 jmp short loc_10DC
.text$unest_aaaa:00001139 ; ---------------------------------------------------------------------------
.text$unest_aaaa:00001139
.text$unest_aaaa:00001139 loc_1139: ; CODE XREF: CmfcappDlg::MyEncrypt(char *)+3Dj
.text$unest_aaaa:00001139 ; CmfcappDlg::MyEncrypt(char *)+5Ej
.text$unest_aaaa:00001139 mov al, 1
.text$unest_aaaa:0000113B pop edi
.text$unest_aaaa:0000113C pop esi
.text$unest_aaaa:0000113D pop ebx
.text$unest_aaaa:0000113E mov esp, ebp
.text$unest_aaaa:00001140 pop ebp
.text$unest_aaaa:00001141 retn 4
.text$unest_aaaa:00001141 ?MyEncrypt@CmfcappDlg@@QAE_NPAD@Z endp
Isn't this on par with a virtual machine?