首页
社区
课程
招聘
[翻译]<脱壳的艺术>前言
发表于: 2007-9-14 08:39 7232

[翻译]<脱壳的艺术>前言

2007-9-14 08:39
7232
前几天看到的,昨天开了个头,只是个草稿,如果能弄完的话再整理。第一次搞这活动,再加上六级没过,而且很多术语不懂,所以请多多批语。

脱壳的艺术
Mark Vincent Yason
Malcode Analyst, X-Force Research & Development
IBM Internet Security Systems

翻译:windtrace

Abstract: Unpacking is an art—it is a mental challenge and is one of the most exciting mind games in the reverse engineering field. In some cases, the reverser needs to know the internals of the operating system in order to identify or solve very difficult anti-reversing tricks employed by packers/protectors,  patience and  cleverness  are  also major factors in  a successful unpack. This challenge involves researchers creating the packers and on the other
side, the researchers that are determined to bypass these protections.

摘要:脱壳是一门艺术—他是一种智力的挑战,也是逆向工程领域最激动人心的智力游戏之一。在某些方面,逆向者需要知道操作系统的内部结构,以便识别或是除掉加壳者(保护者)设下的非常困难的反逆向陷阱,同时耐心和智慧也是一次成功脱壳的关键因素。

The  main  purpose  of  this  paper  is  to  present  anti-reversing  techniques  employed  by executable packers/protectors and also discusses techniques and publicly available tools that can be used to bypass or disable this protections. This information will allow researchers, especially, malcode analysts to identify these techniques when utilized by packed malicious code, and then be able decide the next move when these anti-reversing techniques impede successful analysis. As a secondary purpose, the information presented can also be used by researchers that are planning to add some level of protection in their software by slowing down reversers from analyzing their protected code, but of course, nothing will stop a skilled, informed, and determined reverser.

这部作品的主要目的是介绍在加壳软件中投入应用的反逆向技术、仍处于讨论阶段的相关技术以及公开发布的用于绕过或解除相关保护的工具。这些信息将帮助研究人员特别是恶意代码分析人员正确识别那些被压缩的恶意代码利用的技术,以便这些代码被阻止后进行下一步的操作。另一个目的是帮助想提高自己软件保护级别的研究者来减慢逆向者分析他们想保护的代码的速度。不过,没有什么能阻止一个熟练的、知识面广的、不屈不挠的逆向者。

Keywords: reverse engineering, packers, protectors, anti-debugging, anti-reversing

关健词:逆向工程,加壳,保护,反调试,反逆向

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 4441
活跃值: (805)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
2
1.  INTRODUCTION

In the reverse engineering field, packers are one of the most interesting puzzles to solve. In the process of solving these puzzles, the reverser gains more knowledge about a lot of things such operating system internals, reversing tricks, tools and techniques.

在逆向工程领域,加壳是需要解决的一个有趣的难题。在解决这一难题的过程中,逆向者更多的是学到了某一操作系统内部技术、逆向技巧、工具和相关技术。

Packers (the term used in this pape for  both  compressors  and  protectors)  are  created  to protect an executable from analysis. They are used legitimately by commercial applications to prevent  information  disclosure,   tampering  and  piracy.  Unfortunately,  malcodes  also  use packers for the same reasons but for a malicious purpose.

壳(本书中用到的这一术语既指压缩壳也指加密壳)被用来阻止一个可执行文件被分析。他们非常合理被用来阻止商业软件的信息泄露、非法修改和盗版。不幸的是,恶意代码也基于同样的原因加壳来达到他们恶意的目的。

Due  to  a  large  number  of  packed  malcode,  researchers  and  malcode  analysts  started  to develop  the  skills  to  unpack  samples  for  analysis.  However,  as  time  goes  by,  new  anti- reversing techniques are constantly added into packers to prevent reversers from analyzing the protected executable and preventing a successful unpack. And the cycle goes on - new anti-reversing techniques are developed while reversers on the other side of the fence develop the skills, techniques, and tools to defeat them.

因为有大量的恶意代码被加壳,研究者们和恶意代码分析人员开始开发对样品进行脱壳用以分析的技术。然而,随着时间的推移,新的反逆向技术不断的被应用到加壳软件中,来阻止逆向者们分析被保护的程序和防止程序被成功脱壳。于是,新的反逆向技术被应用和该技术被分析解决的循环周而复始。

The  main  focus  of  this  paper  is  to  present  anti-reversing  techniques  employed  by  packers, tools   and  techniques  on  how  to  bypass/disable  these  protections  are  also  discussed. Conversely, some packers can easily be bypassed by process dumping and thus, dealing with anti-reversing  techniques  seems   unnecessary.  However,  there  are  instances   where   the protector code needed to be traced and analyzed, such as:

这本书的重点是列举壳所用到的反逆向技术,相关工具和绕过或解除这些保护方式的技术也将被讨论。相反的,一些壳能够通过进程的转储而轻易绕过,因此针对反逆向的技术看上去似乎没什么必要。然而,也有些实例说明某些被保护的代码需要跟踪和分析,例如:

  *  Parts of the protector code needed to be bypassed in order for a process dumping  and import table rebuilding tool to properly work
  *  In-depth analysis of a protector code in order to integrate unpacking support into an AV product

  *  部分保护代码需要绕过,以便进程代码的转储(dump)和输入表重建工具能够正常工作。
  *  深入分析一段保护代码,以便影音文件的完整脱壳。

Additionally, understanding anti-reversing techniques is also valuable in cases where they are directly applied to a malcode in order prevent tracing and analysis of their malicious routines.

另外,掌握反逆向技术也有利于分析那些利用该技术阻止被跟踪和分析的恶意代码。

This  paper  is  by  no  means  contain  a  complete  list  of  anti-reversing  techniques  as  it  only covers the commonly used and interesting techniques found in packers. The reader is advised to refer to the last section which contains links and books information to learn more about other anti-reversing and reversing techniques.

本书不可能涉及所有的反逆向技术,只是包含了壳中最常用到和最感兴趣的技术。建议读者参考一下最后一章给出的链接和书籍来了解更多的逆向和反逆向技术。

The author hopes that the reader found this material useful and able to apply the tips, tricks and techniques presented. Happy Unpacking!

作者希望读者找到其中有益的资料并能够掌握这些提示、技巧和技术。脱壳愉快!
2007-9-14 09:26
0
雪    币: 47147
活跃值: (20450)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
3
感谢windtrace热心,这篇文章hawking己翻译了:
http://bbs.pediy.com/showthread.php?t=50119
2007-9-14 11:05
0
游客
登录 | 注册 方可回帖
返回
//