加壳技术--DRx解码阻止调试
发表于:
2004-6-25 19:38
10634
这些代码是从我逆向出hying外壳原码得来,有些描述不准确,凑合看吧
;//////////////////////////////////
;// DRx decode
;
; Syntax: MASM-style (IDA listing). 32-bit Windows, SEH-based.
;
; How the pieces fit together (everything stated here is visible below):
;   1. Push_drx_handler installs Drx_handler as an SEH frame and executes Int 3.
;   2. On that EXCEPTION_BREAKPOINT the handler writes the addresses of the
;      four one-byte placeholder instructions drx_0..drx_3 into the CONTEXT's
;      Dr0..Dr3 and sets Dr7 = 155h (L0..L3 + LE; R/W and LEN fields zero,
;      i.e. execute breakpoints).
;   3. Each time execution reaches a placeholder the CPU raises
;      EXCEPTION_SINGLE_STEP; the handler counts the hits and performs, on the
;      saved CONTEXT, the operation the placeholder stands in for
;      (Not Eax / Rol Eax,13h / Add+Xchg+Add / Xor Byte Ptr [esi],55h), then
;      advances Eip past the placeholder.
;   4. The decode loops derive their keys from checksums of the code itself
;      (Drx_crc_*), so the output depends both on the handler having processed
;      every exception and on the checked bytes being unmodified.
;   5. A deliberate Div by zero at Crypted_code_start makes the handler clear
;      Dr0..Dr7 again; the frame is then popped.
; Because the placeholders are no-ops on their own, the decoded bytes are only
; correct when this handler saw every exception and its DRx values stayed in
; place; that dependency is what makes the scheme hostile to a debugger.
; CONTEXT offsets used: 4/8/0ch/10h = Dr0..Dr3, 14h = Dr6, 18h = Dr7,
; 0a0h = Esi, 0a4h = Ebx, 0b0h = Eax, 0b4h = Ebp, 0b8h = Eip.
; Assumed but not visible in this listing (TODO confirm against the caller):
; Ebp = load address of the code (@symbiont_start); Esi at Drx_crc_13db is
; set before entry and lies below Ebp.
; Decode loops and the inline counter write into the code stream, so this
; region must be mapped writable.

        Call Push_drx_handler           ; pushes the address of Drx_handler; Push_drx_handler
                                        ; leaves it on the stack as the frame's handler field
Drx_handler Proc Near
; SEH handler, cdecl, called by the exception dispatcher.
; [esp+4]   = pointer to EXCEPTION_RECORD (named Pframe here; its first dword
;             is the exception code, which is all the handler reads from it)
; [esp+8]   = establisher frame (unused)
; [esp+0ch] = pointer to CONTEXT
; Returns Eax = 0 (continue execution) or 1 (continue search).
; NOTE(review): Ebx is written in the Dr2 branch and never restored, although
; Ebx is callee-saved for a cdecl callee — confirm the dispatcher tolerates it.
Pframe = Dword Ptr 4
Pcontext = Dword Ptr 0ch
        Mov Eax, [esp+pframe]
        Mov Eax, [eax]                  ; Eax = Pframe->exceptioncode
        Mov Ecx, [esp+pcontext]         ; Ecx -> Context
        Inc Dword Ptr [ecx+0b8h]        ; Context.regeip++ (skips the 1-byte Int 3 / placeholder)
        Cmp Eax, Exception_breakpoint
        Jnz Drx_not_breakpoint
; --- EXCEPTION_BREAKPOINT (the Int 3 in Push_drx_handler): arm Dr0..Dr3 ---
        Mov Eax, [ecx+0b4h]             ; Eax <- Context.regebp
        Lea Eax, [drx_0-@symbiont_start][eax]
        Mov [ecx+4], Eax                ; Dr0 = &drx_0
        Mov Eax, [ecx+0b4h]             ; Eax <- Context.regebp
        Lea Eax, [drx_1-@symbiont_start][eax]
        Mov [ecx+8], Eax                ; Dr1 = &drx_1
        Mov Eax, [ecx+0b4h]
        Lea Eax, [drx_2-@symbiont_start][eax]
        Mov [ecx+0ch], Eax              ; Dr2 = &drx_2
        Mov Eax, [ecx+0b4h]
        Lea Eax, [drx_3-@symbiont_start][eax]
        Mov [ecx+10h], Eax              ; Dr3 = &drx_3
        Xor Eax, Eax                    ; return value 0 = continue execution
        And Dword Ptr [ecx+14h], 0ffff0ff0h
                                        ; Dr6 &= 11111111111111110000111111110000b
                                        ; (clears B0..B3 and BD, BS, BT)
        Mov Dword Ptr [ecx+18h], 155h
                                        ; Dr7 = 101010101b: L0, L1, L2, L3 and LE set;
                                        ; R/W and LEN fields 0 = 1-byte execute breakpoints
        Jmp Drx_ret
Drx_not_breakpoint:
        Cmp Eax, Exception_single_step
        Jnz Drx_not_single
; --- EXCEPTION_SINGLE_STEP: one of the hardware breakpoints fired ---
        Call Drx_get_counet             ; pushes the address of the Dd below
        Dd 0                            ; counts single-step exceptions seen (inline counter,
                                        ; incremented in place)
Drx_get_counet:
        Pop Eax                         ; Eax = &counter
        Inc Dword Ptr [eax]
        Mov Eax, [eax]
        Cmp Eax, 1                      ; 1st hit: Dr0 (drx_0 stands in for Not Eax)
        Jnz Loc_401341
        Not Dword Ptr [ecx+0b0h]        ; Context.regeax = ~Context.regeax
        Jmp Drx_processed
Loc_401341:
        Cmp Eax, 2                      ; 2nd hit: Dr1 (drx_1 stands in for Rol Eax, 13h)
        Jnz Loc_401357
        Mov Eax, [ecx+0b0h]             ; Eax <- Context.regeax
        Rol Eax, 13h
        Mov [ecx+0b0h], Eax             ; Eax -> Context.regeax
        Jmp Drx_processed
Loc_401357:
        Cmp Eax, 3                      ; 3rd hit: Dr2 (drx_2 stands in for Add / Xchg / Add)
        Jnz Loc_401385
        Add Dword Ptr [ecx+0b0h], 78787878
                                        ; Context.regeax += 78787878 — the listing shows a decimal
                                        ; immediate while the original note says 78787878h; verify
        Mov Eax, [ecx+0b0h]             ; Eax <- Context.regeax
        Mov Ebx, [ecx+0a4h]             ; Ebx <- Context.regebx
        Xchg Ax, Bx
        Add Ax, Bx
        Mov [ecx+0b0h], Eax             ; Eax -> Context.regeax
        Mov [ecx+0a4h], Ebx             ; Ebx -> Context.regebx
        Jmp Drx_processed
Loc_401385:
        Mov Eax, [ecx+0a0h]             ; 4th and later hits: Dr3 (drx_3 stands in for
                                        ; Xor Byte Ptr [esi], 55h); Eax <- Context.regesi
        Xor Byte Ptr [eax], 55h
Drx_processed:
        Xor Eax, Eax                    ; 0 = continue execution
        Jmp Drx_ret
Drx_not_single:
        Cmp Eax, Exception_int_divide_by_zero
        Jnz Drx_cannot_process
; --- EXCEPTION_INT_DIVIDE_BY_ZERO (the Div Ebx at Crypted_code_start): disarm DRx ---
        Inc Dword Ptr [ecx+0b8h]        ; Context.regeip++ again (Div Ebx is a 2-byte opcode)
        Xor Eax, Eax
        And [ecx+4], Eax                ; Context.idr0 <- 0
        And [ecx+8], Eax                ; Context.idr1 <- 0
        And [ecx+0ch], Eax              ; Context.idr2 <- 0
        And [ecx+10h], Eax              ; Context.idr3 <- 0
        And Dword Ptr [ecx+14h], 0ffff0ff0h
                                        ; Context.idr6 &= 0ffff0ff0h: clear BT, BS, BD, B3, B2, B1, B0
        And Dword Ptr [ecx+18h], 0dc00h
                                        ; original note: "keep only GD, GE". By the DR7 bit layout the
                                        ; mask 0dc00h keeps bits 10-12 and 14-15 and clears L0..L3,
                                        ; G0..G3, LE, GE (bit 9), GD (bit 13) and every R/W+LEN field;
                                        ; either way all breakpoint enables end up cleared — TODO confirm
        Jmp Drx_ret
Drx_cannot_process:
        Xor Eax, Eax
        Inc Eax                         ; 1 = continue search (not ours)
Drx_ret:
        Ret
Drx_handler Endp
Push_drx_handler:
        Xor Eax, Eax
        Push Dword Ptr Fs:0             ; prev = current SEH head; the return address pushed by
                                        ; "Call Push_drx_handler" sits just above it as the handler field
        Mov Fs:0, Esp                   ; install the frame
        Int 3                           ; set DRx (handled by Drx_handler's breakpoint branch)
        Nop                             ; a Nop right after Int 3 is usually for compatibility with some systems
; --- stage 0: byte-sum checksum of [esi, ebp), result in Ebx ---
        Mov Ecx, Ebp
        Sub Ecx, Esi                    ; Ecx = ebp - esi (assumed to be the byte count — see header)
        Xor Ebx, Ebx
        Xor Eax, Eax
Drx_crc_13db:
        Lodsb
        Add Ebx, Eax
        Loop Drx_crc_13db
        Mov Eax, Ebx
Drx_0:
        Clc                             ; placeholder: Drx_handler performs Not Eax here (hit #1)
        Nop
; --- stage 1: byte decode of [drx_1, @sumbiont_end) keyed by Eax ---
        Lea Esi, [drx_1-@symbiont_start][ebp]
        Mov Ecx, @sumbiont_end-drx_1    ; @sumbiont_end spelled as in the listing
Drx_decode_13ef:
        Mul Ecx
        Ror Eax, Cl
        Xor [esi], Al
        Inc Esi
        Inc Eax
        Aam
        Loop Drx_decode_13ef
; --- stage 1b: xor/ror checksum over the first Drx_handler-@symbiont_start bytes at Ebp ---
        Mov Ecx, Drx_handler-@symbiont_start
        Mov Esi, Ebp                    ; Esi -> Loader Data (Mem Ptr Start)
        Xor Eax, Eax
Drx_crc_1404:
        Xor Al, [esi]
        Ror Eax, 8
        Inc Esi
        Loop Drx_crc_1404
Drx_1:
        Cld                             ; placeholder: Drx_handler performs Rol Eax, 13h here (hit #2)
        Nop
; --- stage 2: byte decode of [drx_2, @sumbiont_end) ---
        Mov Ecx, @sumbiont_end-drx_2
        Lea Esi, [drx_2-@symbiont_start][ebp]
Drx_decode_1419:
        Lea Eax, [ecx+eax*4+key_1]      ; key_1: the original note gives 43h
        Xor [esi], Al
        Aam
        Inc Esi
        Loop Drx_decode_1419
; --- stage 2b: dword-xor checksum over [push_drx_handler, drx_2), result in Ebx ---
        Mov Ecx, Drx_2-push_drx_handler
        Shr Ecx, 2                      ; Ecx /= 4 (sizeof Dword)
        Lea Esi, [push_drx_handler-@symbiont_start][ebp]
        Xor Ebx, Ebx
Drx_crc_1434:
        Lodsd
        Xor Ebx, Eax
        Loop Drx_crc_1434
Drx_2:
        Stc                             ; placeholder: Drx_handler performs Add Eax, 78787878h /
                                        ; Xchg Ax, Bx / Add Ax, Bx here (hit #3)
        Nop
; --- stage 3: dword decode of [drx_3, @sumbiont_end) keyed by Ebx ---
        Mov Ecx, @sumbiont_end-drx_3
        Shr Ecx, 2
        Lea Esi, [drx_3-@symbiont_start][ebp]
Drx_decode_1449:
        Xor Edx, Edx
        Mul Ebx                         ; Edx:Eax = Eax * Ebx
        Add Edx, 78787878               ; decimal in the listing; see the matching note in Drx_handler
        Xor [esi], Edx
        Mov Eax, Ebx
        Mov Ebx, Edx
        Add Esi, 4
        Loop Drx_decode_1449
; --- stage 4: byte decode of [crypted_code_start, @sumbiont_end) ---
        Lea Esi, [crypted_code_start-@symbiont_start][ebp]
        Mov Ecx, @sumbiont_end-crypted_code_start
Drx_decode_1469:
        Not Byte Ptr [esi]
Drx_3:
        Nop                             ; placeholder: Drx_handler performs Xor Byte Ptr [esi], 55h
                                        ; here (hits #4 and up, once per iteration)
        Nop
        Inc Esi
        Loop Drx_decode_1469
Crypted_code_start:
; Deliberate divide by zero: Drx_handler clears Dr0..Dr7 and skips the 2-byte Div.
        Mov Eax, 100h
        Xor Edx, Edx
        Xor Ebx, Ebx
        Div Ebx                         ; :d
        Nop
        Pop Dword Ptr Fs:0              ; restore the previous SEH head
        Pop Eax                         ; drop the handler address pushed by "Call Push_drx_handler"