[求助]如何使Skype和softICE共处-经典问答-看雪-安全社区|安全招聘|kanxue.com

[求助]如何使Skype和softICE共处

发表于: 2008-2-25 14:28 9499

[求助]如何使Skype和softICE共处

NWMonster

活跃值

1

2008-2-25 14:28

9499

最近要用Skype，但机器上有softice发现skype中有anti，自己用ollydbg调了下，也上google查了下，发现skype的最新版的anti提高等级了，原来在messageboxa前强跳过去的办法失效，用16进制编辑工具改skype主程序中的softice特征也不管用。大家想想办法看如何解决啊。

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・7

支持

分享

最新回复 (8)
kanxue 雪币： 50161 活跃值： (20605) 能力值： (RANK：350 ) 在线值：发帖 2375 回帖 17046 粉丝 549 关注私信	kanxue 8 2 楼看看这文章有帮助否。标题: 使用异常处理反跟踪调试的例子【分享】作者: softdebug 时间: 2006-12-14,11:13 链接: http://bbs.pediy.com/showthread.php?t=36369 2008-2-25 15:08 0
scz 雪币： 5146 活跃值： (4007) 能力值： ( LV12，RANK：240 ) 在线值：发帖 15 回帖 252 粉丝 71 关注私信	scz 5 3 楼 regedit Siwvid BOOT_START(0) 将Siwvid改成手工启动，这样可以在不启动SoftICE的情况下正常使用Skype。这是以前调试分析Skype时用过的，可能现在过时了，你可以先试试。再就是你强跳过去时是硬件断点跳过去的，还是改了代码跳过去的？ 2008-2-25 15:43 0
NWMonster 雪币： 134 活跃值： (84) 能力值： ( LV5，RANK：60 ) 在线值：发帖 26 回帖 457 粉丝 8 关注私信	NWMonster 1 4 楼谢谢上面两位大哥关心，我是手工改代码跳过去的。 2008-2-25 15:55 0
scz 雪币： 5146 活跃值： (4007) 能力值： ( LV12，RANK：240 ) 在线值：发帖 15 回帖 252 粉丝 71 关注私信	scz 5 5 楼注意自校验，skype有大量自校验，你得单步跳过去之后恢复成原指令试试。我们都是用loader动态patch、运行、恢复。 loader可参考: http://www.opencjk.org/~scz/misc/200606081530.txt 自己改改begin、end、pattern。不过即使这样也可能不能解决你的问题，我们现在也不调试分析skype了，所以未更新loader。 2008-2-25 16:03 0
kanxue 雪币： 50161 活跃值： (20605) 能力值： (RANK：350 ) 在线值：发帖 2375 回帖 17046 粉丝 549 关注私信	kanxue 8 6 楼转份这里存档。;) http://www.opencjk.org/~scz/misc/200606081530.txt /* * ----------------------------------------------------------------------- * Author : <gery.casiez@wanadoo.fr> * Rewrite : NSFocus Security Team <security@nsfocus.com> * Create : 2005 * Modify : 2006-07-21 16:12 * ----------------------------------------------------------------------- * The only thing they can't take from us are our minds. !H * * 1.1.0.79 - 2.5.0.151 * * 将loader放在Skype.exe所在目录，双击执行。可以绕过对SoftICE的检测，即时 * 聊天、语音通信均可，满足自校验。 / #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> static unsigned char GetCharacterAddr ( unsigned char in, unsigned int insize, unsigned char pattern, unsigned int patternsize, unsigned char wildcard ) { unsigned char addr = NULL, p; unsigned int i; if ( NULL == in \|\| 0 == insize \|\| NULL == pattern \|\| 0 == patternsize \|\| insize < patternsize ) { goto GetCharacterAddr_exit; } p = in; while ( p + patternsize <= in + insize ) { for ( i = 0; i < patternsize; i++ ) { if ( NULL != wildcard ) { if ( wildcard != pattern && p != pattern ) { p++; break; } } else { if ( p != pattern ) { p++; break; } } } /* end of for / if ( i == patternsize ) { addr = p; break; } } / end of while / GetCharacterAddr_exit: return( addr ); } / end of GetCharacterAddr / int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hprevInstance, LPSTR lpCmdLine, int nShowCmd ) { int ret = EXIT_FAILURE; char path[MAX_PATH] = ""; unsigned char p; unsigned int i, j; HANDLE h; STARTUPINFO si; PROCESS_INFORMATION pi; unsigned char begin = ( unsigned char )0x00A00000, end = ( unsigned char )0x00F00000; unsigned char buf = NULL; unsigned int buflen = 0x10000; unsigned char pattern[] = { 0x84, 0xC0, 0x74, 0x1A, 0x6A, 0x00, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x6A, 0x00, 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x6A, 0x00, 0xE8 }; unsigned char wildcard = 0xCC; unsigned char patch[] = { 0x30 }; ZeroMemory( ( unsigned char )&pi, sizeof( pi ) ); if ( 0 == GetModuleFileName( NULL, path, sizeof( path ) ) ) { goto WinMain_exit; } p = strrchr( path, '\\' ) + 1; strcpy( p, "Skype.exe" ); h = CreateFile ( path, GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if ( INVALID_HANDLE_VALUE == h ) { goto WinMain_exit; } CloseHandle( h ); buf = ( unsigned char * )HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, buflen ); if ( NULL == buf ) { goto WinMain_exit; } GetStartupInfo( &si ); if ( FALSE == CreateProcess ( NULL, path, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) ) { goto WinMain_exit; } p = NULL; while ( begin + sizeof( pattern ) <= end ) { if ( begin + buflen <= end ) { i = buflen; } else { i = end - begin; } if ( FALSE == ReadProcessMemory ( pi.hProcess, begin, buf, i, &j ) ) { goto WinMain_0; } if ( j < sizeof( pattern ) ) { break; } p = GetCharacterAddr ( buf, j, pattern, sizeof( pattern ), &wildcard ); if ( NULL != p ) { p = p - buf + begin; if ( FALSE == WriteProcessMemory ( pi.hProcess, p, patch, sizeof( patch ), NULL ) ) { p = NULL; goto WinMain_0; } CopyMemory( patch, p - begin + buf, sizeof( patch ) ); break; } begin += j - sizeof( pattern ) + 1; } /* end of while / WinMain_0: if ( -1 == ResumeThread( pi.hThread ) ) { goto WinMain_exit; } if ( NULL != p ) { if ( 0 != WaitForInputIdle( pi.hProcess, INFINITE ) ) { goto WinMain_exit; } if ( FALSE == WriteProcessMemory ( pi.hProcess, p, patch, sizeof( patch ), NULL ) ) { goto WinMain_exit; } ret = EXIT_SUCCESS; } WinMain_exit: if ( NULL != buf ) { HeapFree( GetProcessHeap(), 0, buf ); buf = NULL; } if ( NULL != pi.hThread ) { CloseHandle( pi.hThread ); pi.hThread = NULL; } if ( NULL != pi.hProcess ) { CloseHandle( pi.hProcess ); pi.hProcess = NULL; } return( ret ); } / end of WinMain */ 2008-2-25 16:12 0
NWMonster 雪币： 134 活跃值： (84) 能力值： ( LV5，RANK：60 ) 在线值：发帖 26 回帖 457 粉丝 8 关注私信	NWMonster 1 7 楼我在网上也找到了个loader不过已经不支持现在的版本了。我感觉这个loader写的不错。发上来吧，呵呵 ////////////////////////////////////////////////////////////////// // This is a loader for Skype which allows its usage with softice // v2 : look 'n replace done // tested with 1.2.0.48, 1.4.0.78, 2.0.0.69, 2.0.0.90 ////////////////////////////////////////////////////////////////// /* JUST FOR REFERENCE : 1.2.0.48 : 00D0BF72 74 1A JE SHORT Skype_1_.00D0BF8E 00D0BF74 6A 00 PUSH 0 00D0BF76 68 2CCBD000 PUSH Skype_1_.00D0CB2C ; ASCII "Skype" 00D0BF7B 68 34CBD000 PUSH Skype_1_.00D0CB34 ; ASCII "Skype is not compatible with system debuggers like SoftICE." 00D0BF80 6A 00 PUSH 0 00D0BF82 E8 A1C56FFF CALL <JMP.&user32.MessageBoxA> 00D0BF87 6A 00 PUSH 0 00D0BF89 E8 92B96FFF CALL <JMP.&kernel32.ExitProcess> 00D0BF8E B9 78CBD000 MOV ECX,Skype_1_.00D0CB78 ; ASCII "Starting .." 1.4.0.78 : 00B35DF6 74 1A JE SHORT Skype_1_.00B35E12 00B35DF8 6A 00 PUSH 0 00B35DFA 68 3C6EB300 PUSH Skype_1_.00B36E3C ; ASCII "Skype" 00B35DFF 68 446EB300 PUSH Skype_1_.00B36E44 ; ASCII "Skype is not compatible with system debuggers like SoftICE." 00B35E04 6A 00 PUSH 0 00B35E06 E8 052C8DFF CALL <JMP.&user32.MessageBoxA> 00B35E0B 6A 00 PUSH 0 00B35E0D E8 F61F8DFF CALL <JMP.&kernel32.ExitProcess> 00B35E12 B9 886EB300 MOV ECX,Skype_1_.00B36E88 ; ASCII "Starting .." 2.0.0.69 : 0xb6eb7a 00B76F41 74 1A JE SHORT Skype_2_.00B76F5D 00B76F43 6A 00 PUSH 0 00B76F45 68 887FB700 PUSH Skype_2_.00B77F88 ; ASCII "Skype" 00B76F4A 68 907FB700 PUSH Skype_2_.00B77F90 ; ASCII "Skype is not compatible with system debuggers like SoftICE." 00B76F4F 6A 00 PUSH 0 00B76F51 E8 DA1B89FF CALL <JMP.&user32.MessageBoxA> 00B76F56 6A 00 PUSH 0 00B76F58 E8 A30F89FF CALL <JMP.&kernel32.ExitProcess> 00B76F5D B9 D47FB700 MOV ECX,Skype_2_.00B77FD4 ; ASCII "Starting .." 2.0.0.90 : 0xb74896 00B7CC69 74 1A JE SHORT Skype.00B7CC85 00B7CC6B 6A 00 PUSH 0 00B7CC6D 68 B4DCB700 PUSH Skype.00B7DCB4 ; ASCII "Skype" 00B7CC72 68 BCDCB700 PUSH Skype.00B7DCBC ; ASCII "Skype is not compatible with system debuggers like SoftICE." 00B7CC77 6A 00 PUSH 0 00B7CC79 E8 B2BE88FF CALL <JMP.&user32.MessageBoxA> 00B7CC7E 6A 00 PUSH 0 00B7CC80 E8 7BB288FF CALL <JMP.&kernel32.ExitProcess> 00B7CC85 B9 00DDB700 MOV ECX,Skype.00B7DD00 ; ASCII "Starting .." search for : 74 1A 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? B9 replace with : EB ... / #include <windows.h> #include <stdio.h> #define ERRORMSG(a) MessageBox(NULL, a, "Error", MB_ICONERROR\|MB_OK); #define BUFLEN 65535 TCHAR searchData[30] = "\x74\x1A\x6A\x00\x68\xCC\xCC\xCC\xCC\x68\xCC\xCC\xCC\xCC\x6A\x00\xE8\xCC\xCC\xCC\xCC\x6A\x00\xE8\xCC\xCC\xCC\xCC\xB9"; SIZE_T searchDataLen = 29; TCHAR wildcardByte = 0xCC; / yeah, damn ugly, but who cares ? it works =) laziness is everything... */ TCHAR readBuffer[BUFLEN]; SIZE_T readLen; int searchAndDestroy(void); int APIENTRY WinMain(HINSTANCE hinst, HINSTANCE hinstPrev, LPSTR lpCmdLine, int nCmdShow) { PROCESS_INFORMATION pi; STARTUPINFO si; OFSTRUCT ofs; TCHAR buf[MAX_PATH] = ""; TCHAR newByte = 0xEB; TCHAR origByte = 0x74; SIZE_T searchOffset = 0xA00000; SIZE_T searchOffsetStop = 0xF00000; SIZE_T patchOffset; (void)hinst; (void)hinstPrev; (void)lpCmdLine; (void)nCmdShow; GetModuleFileName(NULL, buf, MAX_PATH); buf[(strrchr(buf, '\\') - buf) + 1] = '\0'; strcat(buf, "skype.exe"); fprintf(stderr, "OpenFile... "); if (OpenFile(buf, &ofs, OF_EXIST) == HFILE_ERROR) { ERRORMSG("Skype.exe not found in current directory...exiting!") return 1; } fprintf(stderr, "OK\n"); fprintf(stderr, "GetStartupInfo... "); GetStartupInfo(&si); fprintf(stderr, "OK\n"); fprintf(stderr, "CreateProcess... "); printf("CreateProcess...\n"); if (!CreateProcess((LPCSTR)buf, 0, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) { ERRORMSG("CreateProcess error...exiting!"); return 1; } fprintf(stderr, "OK\n"); while (searchOffset < searchOffsetStop) { fprintf(stderr, "ReadProcessMemory @ 0x%lx... ", searchOffset); if (!ReadProcessMemory(pi.hProcess, (LPCVOID)searchOffset, readBuffer, BUFLEN, &readLen)) { ERRORMSG("ReadProcessMemory error...exiting!"); return 1; } fprintf(stderr, "OK\n"); fprintf(stderr, "Looking for data to patch... "); if ((patchOffset = searchAndDestroy()) < BUFLEN) { patchOffset += searchOffset - searchDataLen; fprintf(stderr, "FOUND at offset 0x%lx !\n", patchOffset); break; } else { fprintf(stderr, "not found\n"); } searchOffset += BUFLEN - searchDataLen; patchOffset = 0; } if (!patchOffset) { ERRORMSG("Can't find patch offset, this is probably a too new version of Skype, sorry !"); return 1; } fprintf(stderr, "WriteProcessMemory... "); if (!WriteProcessMemory(pi.hProcess, (LPVOID)patchOffset, &newByte, 1, NULL)) { ERRORMSG("WriteProcessMemory error of newByte...exiting!"); return 1; } fprintf(stderr, "OK\n"); fprintf(stderr, "ResumeThread... "); if (!ResumeThread(pi.hThread)) { ERRORMSG("ResumeThread error...exiting!"); } fprintf(stderr, "OK\n"); fprintf(stderr, "WaitForInputIdle... "); if (WaitForInputIdle(pi.hProcess, INFINITE)) { ERRORMSG("WaitForInputIdle error...exiting!"); } fprintf(stderr, "OK\n"); fprintf(stderr, "WriteProcessMemory... "); if (!WriteProcessMemory(pi.hProcess, (LPVOID)patchOffset, &origByte, 1, NULL)) { ERRORMSG("WriteProcessMemory error of origByte...exiting!"); } fprintf(stderr, "OK\n"); return 0; } int searchAndDestroy(void) { SIZE_T offset; SIZE_T searchOffset; for (offset = 0, searchOffset = 0; (offset < readLen) && (searchOffset < searchDataLen); offset++) { if ((readBuffer[offset] == searchData[searchOffset]) \|\| (searchData[searchOffset] == wildcardByte)) { searchOffset++; } else { searchOffset = 0; } } return offset; } // EOF scz莫非你就是nsfocus的那个，很早就看过您的一些文章写的非常不错。skype太大了都有25,339,688 字节都懒得用ollydbg或者IDA细心调试。 2008-2-25 16:45 0
nnhy 雪币： 79 活跃值： (35) 能力值： ( LV2，RANK：150 ) 在线值：发帖 15 回帖 210 粉丝 3 关注私信	nnhy 3 8 楼玩的工具还不少 2010-6-7 21:35 0
神海蛙人雪币： 266 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 35 粉丝 0 关注私信	神海蛙人 9 楼 skype(TM) Version 3.6.4.114 直接修改EB50A6处的 74 1A 为 EB 1A即可（JZ改为JMP），做个记录。 2011-8-15 18:07 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

NWMonster

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

//