HeapMagic-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (32) ◀ 1 2
okdodo 雪币： 233 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 12 回帖 396 粉丝 1 关注私信	okdodo 2 26 楼最初由 softworm* 发布* 是吗,能否给我一份源码学习,我的老是蓝屏发到softworm2003@hotmail.com或oysg2002@21cn.com,谢谢我在unpack.cn给你发了消息 2006-12-14 19:04 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 27 楼最初由 softworm* 发布* 如果没被调试,会产生异常,这里的代码和ap0x的例子一字不差;-) ........ softworm对Themida虚拟机研究的很深，这段代码这么完美地还原了。另外，ap0x的例子是这页面上的吗？ http://www.openrce.org/reference_library/anti_reversing 2006-12-14 22:14 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 28 楼最初由 kanxue* 发布* softworm对Themida虚拟机研究的很深，这段代码这么完美地还原了。另外，ap0x的例子是这页面上的吗？ http://www.openrce.org/reference_library/anti_reversing 是呀,ap0x给它取的名字是Ring3 Debugger Detection via LDR_MODULE 代码如下: Description: ; ######################################################################### .586 .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\comdlg32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\comdlg32.lib ; ######################################################################### .data DbgFoundTitle db "Debugger found:",0h DbgFoundText db "Debugger has been found!",0h DbgNotFoundTitle db "Debugger not found:",0h DbgNotFoundText db "Debugger not found!",0h Tries db 30 Alloc dd ? .code start: ; MASM32 antiRing3Debugger example ; coded by ap0x ; Reversing Labs: http://ap0x.headcoders.net ASSUME FS:NOTHING PUSH offset _SehExit PUSH DWORD PTR FS:[0] MOV FS:[0],ESP ; Get NtGlobalFlag MOV EAX,DWORD PTR FS:[30h] ; Get LDR_MODULE MOV EAX,DWORD PTR[EAX+12] ; The trick is here ;) If ring3 debugger is present memory will be allocated ; and it will contain 0xFEEEFEEE bytes at the end of alloc. This will only ; happen if ring3 debugger is present! ; If there is no debugger SEH will fire and take control. ; Note: This code works only on NT systems! _loop: INC EAX CMP DWORD PTR[EAX],0FEEEFEEEh JNE _loop DEC [Tries] JNE _loop PUSH 30h PUSH offset DbgFoundTitle PUSH offset DbgFoundText PUSH 0 CALL MessageBox PUSH 0 CALL ExitProcess RET _Exit: PUSH 40h PUSH offset DbgNotFoundTitle PUSH offset DbgNotFoundText PUSH 0 CALL MessageBox PUSH 0 CALL ExitProcess RET _SehExit: POP FS:[0] ADD ESP,4 JMP _Exit end start 2006-12-14 22:47 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 29 楼这段代码在Themida里是明文,早就注意到了,只是没看过ap0x的例子,所以没有想到这就是传说中的heapMagic,一直围绕着heapalloc,heapsize那里推敲,以为是调试堆那里出了问题,始终没有进展....... 01244152 8BC0 mov eax, eax 01244154 83BD D92A3509 0>cmp dword ptr [ebp+9352AD9], 1 0124415B 0F85 C3000000 jnz 01244224 01244161 83BD 7D193509 0>cmp dword ptr [ebp+935197D], 0 01244168 0F85 B6000000 jnz 01244224 0124416E 83BD B9233509 0>cmp dword ptr [ebp+93523B9], 0 01244175 0F85 A9000000 jnz 01244224 0124417B 8D85 D4BF4409 lea eax, dword ptr [ebp+944BFD4] 01244181 50 push eax 01244182 890424 mov dword ptr [esp], eax 01244185 64:FF35 0000000>push dword ptr fs:[0] 0124418C 64:8925 0000000>mov dword ptr fs:[0], esp 01244193 64:A1 30000000 mov eax, dword ptr fs:[30] 01244199 8B40 0C mov eax, dword ptr [eax+C] 0124419C B9 30000000 mov ecx, 30 012441A1 40 inc eax 012441A2 8138 EEFEEEFE cmp dword ptr [eax], FEEEFEEE 012441A8 ^ 0F85 F3FFFFFF jnz 012441A1 012441AE 49 dec ecx 012441AF ^ 0F85 ECFFFFFF jnz 012441A1 012441B5 8BC0 mov eax, eax 012441B7 83BD 85273509 0>cmp dword ptr [ebp+9352785], 0 012441BE 75 09 jnz short 012441C9 012441C0 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0 012441C7 74 13 je short 012441DC 012441C9 50 push eax 012441CA 53 push ebx 012441CB 8BC0 mov eax, eax 012441CD B8 D1040000 mov eax, 4D1 012441D2 8D9D A2734109 lea ebx, dword ptr [ebp+94173A2] 012441D8 FFD3 call ebx 012441DA 5B pop ebx 012441DB 58 pop eax 012441DC 8BC0 mov eax, eax 012441DE C785 4D1D3509 0>mov dword ptr [ebp+9351D4D], 1 012441E8 E9 2D000000 jmp 0124421A 012441ED 8B5C24 0C mov ebx, dword ptr [esp+C] 012441F1 50 push eax 012441F2 892C24 mov dword ptr [esp], ebp 012441F5 E8 00000000 call 012441FA 012441FA 5D pop ebp 012441FB 81ED E1BF4409 sub ebp, 944BFE1 01244201 8B83 B8000000 mov eax, dword ptr [ebx+B8] 01244207 8D85 01C04409 lea eax, dword ptr [ebp+944C001] 0124420D 8983 B8000000 mov dword ptr [ebx+B8], eax 01244213 5D pop ebp 01244214 B8 00000000 mov eax, 0 01244219 C3 retn 0124421A 64:8F05 0000000>pop dword ptr fs:[0] 01244221 83C4 04 add esp, 4 01244224 8BC0 mov eax, eax 01244226 83BD 85273509 0>cmp dword ptr [ebp+9352785], 0 0124422D 75 09 jnz short 01244238 0124422F 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0 01244236 74 19 je short 01244251 01244238 50 push eax 01244239 53 push ebx 0124423A 8BC0 mov eax, eax 0124423C B8 D1040000 mov eax, 4D1 01244241 8985 95283509 mov dword ptr [ebp+9352895], eax 01244247 8D9D 9C764109 lea ebx, dword ptr [ebp+941769C] 0124424D FFD3 call ebx 0124424F 5B pop ebx 01244250 58 pop eax 01244251 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0 01244258 74 17 je short 01244271 0124425A 50 push eax 0124425B 53 push ebx 0124425C B8 D1040000 mov eax, 4D1 01244261 8985 95283509 mov dword ptr [ebp+9352895], eax 01244267 8D9D 3D734109 lea ebx, dword ptr [ebp+941733D] 0124426D FFD3 call ebx 0124426F 5B pop ebx 01244270 58 pop eax 01244271 8BC0 mov eax, eax 01244273 E9 54010000 jmp 012443CC 2006-12-14 23:06 0
kanxue 雪币： 44229 活跃值： (19955) 能力值： (RANK：350 ) 在线值：发帖 2369 回帖 17027 粉丝 528 关注私信	kanxue 8 30 楼最初由 skylly* 发布* 是呀,ap0x给它取的名字是Ring3 Debugger Detection via LDR_MODULE 代码如下: ........ 谢谢skylly 将hero的代码拿来升级了一下HideOD,现在可以躲过这个Anti了： http://bbs.pediy.com/showthread.php?s=&threadid=36439 2006-12-15 17:52 0
fosom 雪币： 1839 活跃值： (295) 能力值： ( LV9，RANK：370 ) 在线值：发帖 30 回帖 422 粉丝 24 关注私信	fosom 8 31 楼求助themida 1.8.0.0脱壳脚本 2007-4-8 20:24 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 32 楼我靠,牛人啊. 学习!!! 2007-4-9 18:37 0
悔悟雪币： 0 能力值： (RANK：10 ) 在线值：发帖 2 回帖 22 粉丝 0 关注私信	悔悟 33 楼哎。。你们太厉害了！！ 2007-4-12 13:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

okdodo

雪币： 233

活跃值： (10)

能力值：

( LV6，RANK：90 )

在线值：

发帖

12

回帖

396

粉丝

1

关注

私信

okdodo 2: 26 楼

最初由 softworm 发布
是吗,能否给我一份源码学习,我的老是蓝屏
发到softworm2003@hotmail.com或oysg2002@21cn.com,谢谢

我在unpack.cn给你发了消息

2006-12-14 19:04

0

kanxue

雪币： 44229

活跃值： (19955)

能力值：

(RANK：350 )

在线值：

发帖

2369

回帖

17027

粉丝

528

关注

私信

kanxue 8: 27 楼

最初由 softworm 发布
如果没被调试,会产生异常,这里的代码和ap0x的例子一字不差;-)

........

softworm对Themida虚拟机研究的很深，这段代码这么完美地还原了。
另外，ap0x的例子是这页面上的吗？
http://www.openrce.org/reference_library/anti_reversing

2006-12-14 22:14

0

skylly

雪币： 304

活跃值： (82)

能力值：

( LV9，RANK：170 )

在线值：

发帖

70

回帖

1087

粉丝

2

关注

私信

skylly 4: 28 楼

最初由 kanxue 发布
softworm对Themida虚拟机研究的很深，这段代码这么完美地还原了。
另外，ap0x的例子是这页面上的吗？
http://www.openrce.org/reference_library/anti_reversing

是呀,ap0x给它取的名字是Ring3 Debugger Detection via LDR_MODULE
代码如下:
Description:
; #########################################################################

   .586
   .model flat, stdcall
   option casemap :none ; case sensitive

; #########################################################################
   include \masm32\include\windows.inc
   include \masm32\include\user32.inc
   include \masm32\include\kernel32.inc
   include \masm32\include\comdlg32.inc

   includelib \masm32\lib\user32.lib
   includelib \masm32\lib\kernel32.lib
   includelib \masm32\lib\comdlg32.lib

; #########################################################################
.data
DbgFoundTitle db "Debugger found:",0h
DbgFoundText db "Debugger has been found!",0h
DbgNotFoundTitle db "Debugger not found:",0h
DbgNotFoundText db "Debugger not found!",0h
Tries db 30
Alloc dd ?
.code

start:

; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

ASSUME FS:NOTHING
PUSH offset _SehExit
PUSH DWORD PTR FS:[0]
MOV FS:[0],ESP

; Get NtGlobalFlag

MOV EAX,DWORD PTR FS:[30h]

; Get LDR_MODULE

MOV EAX,DWORD PTR[EAX+12]

; The trick is here ;) If ring3 debugger is present memory will be allocated
; and it will contain 0xFEEEFEEE bytes at the end of alloc. This will only
; happen if ring3 debugger is present!
; If there is no debugger SEH will fire and take control.

; Note: This code works only on NT systems!

_loop:
INC EAX
CMP DWORD PTR[EAX],0FEEEFEEEh
JNE _loop
DEC [Tries]
JNE _loop

PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess
RET
_Exit:
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess
RET

_SehExit:
POP FS:[0]
ADD ESP,4
JMP _Exit

end start

2006-12-14 22:47

0

skylly

雪币： 304

活跃值： (82)

能力值：

( LV9，RANK：170 )

在线值：

发帖

70

回帖

1087

粉丝

2

关注

私信

skylly 4: 29 楼

这段代码在Themida里是明文,早就注意到了,只是没看过ap0x的例子,所以没有想到这就是传说中的heapMagic,一直围绕着heapalloc,heapsize那里推敲,以为是调试堆那里出了问题,始终没有进展.......
01244152             8BC0          mov    eax, eax
01244154             83BD D92A3509 0>cmp    dword ptr [ebp+9352AD9], 1
0124415B             0F85 C3000000 jnz    01244224
01244161             83BD 7D193509 0>cmp    dword ptr [ebp+935197D], 0
01244168             0F85 B6000000 jnz    01244224
0124416E             83BD B9233509 0>cmp    dword ptr [ebp+93523B9], 0
01244175             0F85 A9000000 jnz    01244224
0124417B             8D85 D4BF4409 lea    eax, dword ptr [ebp+944BFD4]
01244181             50             push eax
01244182             890424       mov    dword ptr [esp], eax
01244185             64:FF35 0000000>push dword ptr fs:[0]
0124418C             64:8925 0000000>mov    dword ptr fs:[0], esp
01244193             64:A1 30000000  mov    eax, dword ptr fs:[30]
01244199             8B40 0C       mov    eax, dword ptr [eax+C]
0124419C             B9 30000000    mov    ecx, 30
012441A1             40             inc    eax
012441A2             8138 EEFEEEFE cmp    dword ptr [eax], FEEEFEEE
012441A8          ^ 0F85 F3FFFFFF jnz    012441A1
012441AE             49             dec    ecx
012441AF          ^ 0F85 ECFFFFFF jnz    012441A1
012441B5             8BC0          mov    eax, eax
012441B7             83BD 85273509 0>cmp    dword ptr [ebp+9352785], 0
012441BE             75 09          jnz    short 012441C9
012441C0             83BD 0D103509 0>cmp    dword ptr [ebp+935100D], 0
012441C7             74 13          je    short 012441DC
012441C9             50             push eax
012441CA             53             push ebx
012441CB             8BC0          mov    eax, eax
012441CD             B8 D1040000    mov    eax, 4D1
012441D2             8D9D A2734109 lea    ebx, dword ptr [ebp+94173A2]
012441D8             FFD3          call ebx
012441DA             5B             pop    ebx
012441DB             58             pop    eax
012441DC             8BC0          mov    eax, eax
012441DE             C785 4D1D3509 0>mov    dword ptr [ebp+9351D4D], 1
012441E8             E9 2D000000    jmp    0124421A
012441ED             8B5C24 0C    mov    ebx, dword ptr [esp+C]
012441F1             50             push eax
012441F2             892C24       mov    dword ptr [esp], ebp
012441F5             E8 00000000    call 012441FA
012441FA             5D             pop    ebp
012441FB             81ED E1BF4409 sub    ebp, 944BFE1
01244201             8B83 B8000000 mov    eax, dword ptr [ebx+B8]
01244207             8D85 01C04409 lea    eax, dword ptr [ebp+944C001]
0124420D             8983 B8000000 mov    dword ptr [ebx+B8], eax
01244213             5D             pop    ebp
01244214             B8 00000000    mov    eax, 0
01244219             C3             retn
0124421A             64:8F05 0000000>pop    dword ptr fs:[0]
01244221             83C4 04       add    esp, 4
01244224             8BC0          mov    eax, eax
01244226             83BD 85273509 0>cmp    dword ptr [ebp+9352785], 0
0124422D             75 09          jnz    short 01244238
0124422F             83BD 0D103509 0>cmp    dword ptr [ebp+935100D], 0
01244236             74 19          je    short 01244251
01244238             50             push eax
01244239             53             push ebx
0124423A             8BC0          mov    eax, eax
0124423C             B8 D1040000    mov    eax, 4D1
01244241             8985 95283509 mov    dword ptr [ebp+9352895], eax
01244247             8D9D 9C764109 lea    ebx, dword ptr [ebp+941769C]
0124424D             FFD3          call ebx
0124424F             5B             pop    ebx
01244250             58             pop    eax
01244251             83BD 0D103509 0>cmp    dword ptr [ebp+935100D], 0
01244258             74 17          je    short 01244271
0124425A             50             push eax
0124425B             53             push ebx
0124425C             B8 D1040000    mov    eax, 4D1
01244261             8985 95283509 mov    dword ptr [ebp+9352895], eax
01244267             8D9D 3D734109 lea    ebx, dword ptr [ebp+941733D]
0124426D             FFD3          call ebx
0124426F             5B             pop    ebx
01244270             58             pop    eax
01244271             8BC0          mov    eax, eax
01244273             E9 54010000    jmp    012443CC

2006-12-14 23:06

0