反逆向工程揭密(试炼篇)
Www.ChinaBeta.Cn 更新时间:2006-7-25 阅读次数:

Weaknesses of the protection:
These layers contain several weaknesses. One is that once you have got past the SEH that clears the debug registers, you can set a hardware breakpoint on the next layer. Another comes from the fixed size of the layers: with something like a SoftICE macro you can get through the layers very quickly. I disabled the RANDOM SIZE option on purpose to allow this attack.

Those layers always use the same encryption algorithm, which allows one to write scripts to decrypt the binary. And as you can read in a few submissions, some people did it. I put this weakness in on purpose as well. In a challenge I had done in the past, I had used random encryption for each layer; this time I chose not to use it. It is also possible to bypass the 175 layers easily in a few seconds using a live approach. As we know which API functions are going to be used, we can set a breakpoint after the BPX checks have occurred.
Another possibility is to create a little utility that will PATCH the system DLLs in memory (each application has a copy of the DLL) and redirect them to a place that you control. This way you can put breakpoints without triggering any detection code.
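To make the two weaknesses concrete, here is an added example that is not part of the write-up or of the challenge's own code. It models an image made of 175 fixed-size layer stubs in front of a payload, where every layer applies the same XOR-and-rotate transform keyed only by its index. The stub size, the transform, the key schedule and the payload are all constructed assumptions. Because the stub size is fixed and the algorithm never varies, one generic loop strips every layer, which is exactly what a decryption script relies on:

```c
/* Added example, not from the write-up: a model of a fixed-size,
 * fixed-algorithm layer chain. Stub size, transform, key schedule and
 * payload below are constructed assumptions for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAYER_COUNT 175                 /* layer count from the write-up */
#define STUB_SIZE   16                  /* constructed: fixed stub size */
#define PAYLOAD_LEN 32
#define IMAGE_LEN   (LAYER_COUNT * STUB_SIZE + PAYLOAD_LEN)

/* Constructed payload that the layers protect. */
static const char PAYLOAD[PAYLOAD_LEN] = "constructed payload: auth code!";

/* Constructed key schedule: the key depends only on the layer index, so a
 * script that knows the schedule needs no per-layer analysis. */
static uint8_t layer_key(int layer) { return (uint8_t)(0x5A + layer * 7); }

/* The one transform every layer uses: XOR with the layer key, then rotate
 * left by 3. The inverse below undoes any layer given only its index. */
static void encrypt_layer(uint8_t *buf, size_t len, int layer) {
    uint8_t k = layer_key(layer);
    for (size_t i = 0; i < len; i++) {
        uint8_t b = (uint8_t)(buf[i] ^ k);
        buf[i] = (uint8_t)((b << 3) | (b >> 5));
    }
}

static void decrypt_layer(uint8_t *buf, size_t len, int layer) {
    uint8_t k = layer_key(layer);
    for (size_t i = 0; i < len; i++) {
        uint8_t b = (uint8_t)((buf[i] >> 3) | (buf[i] << 5));
        buf[i] = (uint8_t)(b ^ k);
    }
}

/* Packing: layer i's stub sits at i*STUB_SIZE and protects everything after
 * it, so layers are applied innermost (174) first. Stubs are placeholder
 * bytes here; nothing in this model executes them. */
static void pack_image(uint8_t *image) {
    memset(image, 0xCC, LAYER_COUNT * STUB_SIZE);
    memcpy(image + LAYER_COUNT * STUB_SIZE, PAYLOAD, PAYLOAD_LEN);
    for (int layer = LAYER_COUNT - 1; layer >= 0; layer--) {
        size_t start = (size_t)(layer + 1) * STUB_SIZE;
        encrypt_layer(image + start, IMAGE_LEN - start, layer);
    }
}

/* Generic unpacker: because every stub has the same size, the protected
 * region of layer i starts at (i+1)*STUB_SIZE, and because every stub uses
 * the same algorithm, the same inverse strips all 175 layers in one loop. */
static void unpack_image(uint8_t *image) {
    for (int layer = 0; layer < LAYER_COUNT; layer++) {
        size_t start = (size_t)(layer + 1) * STUB_SIZE;
        decrypt_layer(image + start, IMAGE_LEN - start, layer);
    }
}

/* Returns 1 when the packed payload was unreadable and the generic loop
 * recovered it exactly. */
int demo_roundtrip(void) {
    uint8_t image[IMAGE_LEN];
    const uint8_t *payload_at = image + LAYER_COUNT * STUB_SIZE;
    pack_image(image);
    int hidden = memcmp(payload_at, PAYLOAD, PAYLOAD_LEN) != 0;
    unpack_image(image);
    int recovered = memcmp(payload_at, PAYLOAD, PAYLOAD_LEN) == 0;
    return hidden && recovered;
}

int main(void) {
    printf("generic unpack of %d identical layers: %s\n", LAYER_COUNT,
           demo_roundtrip() ? "payload recovered" : "failed");
    return 0;
}
```

The design lesson for anyone building such a protection is the one the author draws himself: randomising the stub size and the per-layer transform turns a single loop into 175 separate pieces of analysis, while a fixed layout and a fixed algorithm turn the whole chain into a few lines of script.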

Talking of patching the Windows DLL files, it is possible to patch ntdll to avoid the debug register access in the CONTEXT structure, by hooking the exception handling mechanism of Windows. This allows one to put hardware breakpoints anywhere without ever having problems, never seeing one's debug breakpoints being erased, etc. The cool thing is you don't even need a kernel mode driver to do that. I leave this as an exercise for interested people.

Virtual Machine
The final protection of the binary is a complete virtual machine I wrote for the challenge. I designed a virtual CPU that interprets my own assembly language. The virtual machine is quite simple to understand and isn't very complex. Virtual machines seem to be a new trend in protection systems, so I thought it would be a good thing to write one for such a challenge. The instruction encoding is very trivial, and could have been a lot harder to understand. The first version I had in mind was a lot more complex: I wanted not only to have a pseudo language, but also to program the instruction handlers emulating real x86 instructions. Each handler would be a few hundred instructions long and a lot harder to analyse. A small program was written in this virtual machine's assembly language, and it was used to authenticate the user running the binary. Read the next part for further information.


3. Something uncommon has been used to protect the code from being reverse engineered; can you identify what it is and how it works?

Even though a few protection systems use some kind of virtual machine, they aren't very common, especially in malware and other exploits.
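As an added illustration of the kind of virtual CPU the two passages above describe (this is not the challenge author's VM; the opcode set, the 3-byte encoding, the four 8-bit registers, the check routine and the test password are all constructed for this example), the following C interpreter runs a small bytecode program that hashes an input and compares it with a constant, the way a VM-based authentication check would. The constructed password is "test"; its expected hash 0x38 is the only secret in the bytecode, so an analyst reading the handlers alone learns nothing about the check until the bytecode itself is decoded:

```c
/* Added example, not the challenge author's VM: a minimal virtual CPU with a
 * fixed 3-byte instruction encoding [op][a][b], four 8-bit registers and a
 * constructed bytecode routine that checks an input the way a VM-based
 * authentication check would. Opcodes, registers, program and the test
 * password are all assumptions made for this demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_LDI, OP_LDB, OP_XOR, OP_ROL, OP_ADDI, OP_JNZ, OP_JMP, OP_CMP, OP_RET };

#define NREGS     4
#define MAX_STEPS 10000    /* guard against runaway or looping bytecode */

/* Opcodes whose second operand names a register rather than an immediate. */
static int uses_reg_b(uint8_t op) { return op == OP_LDB || op == OP_XOR || op == OP_CMP; }

/* Interprets `code` against `input`. Returns the value of the RET register,
 * or -1 if the program is malformed or runs past MAX_STEPS. */
int vm_run(const uint8_t *code, size_t code_len, const uint8_t *input, size_t input_len) {
    uint8_t r[NREGS] = {0};
    size_t pc = 0;
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        if (pc + 3 > code_len) return -1;                 /* fell off the program */
        uint8_t op = code[pc], a = code[pc + 1], b = code[pc + 2];
        if (a >= NREGS || (uses_reg_b(op) && b >= NREGS)) return -1;
        pc += 3;
        switch (op) {
        case OP_LDI:  r[a] = b; break;                                   /* r[a] = imm */
        case OP_LDB:  r[a] = ((size_t)r[b] < input_len) ? input[r[b]] : 0; break; /* 0 past the end */
        case OP_XOR:  r[a] ^= r[b]; break;
        case OP_ROL:  r[a] = (uint8_t)((r[a] << 1) | (r[a] >> 7)); break; /* rotate left 1 */
        case OP_ADDI: r[a] = (uint8_t)(r[a] + b); break;
        case OP_JNZ:  if (r[a]) pc = (size_t)b * 3; break;               /* b = target instruction index */
        case OP_JMP:  pc = (size_t)b * 3; break;
        case OP_CMP:  r[a] = (r[a] == r[b]); break;                      /* r[a] = 1 if equal */
        case OP_RET:  return r[a];
        default:      return -1;                                         /* unknown opcode */
        }
    }
    return -1;
}

/* Constructed check routine: h = 0x17; for each input byte c: h = rol1(h ^ c);
 * then compare h with the constant baked into the bytecode. 0x38 is the hash
 * of the constructed password "test". */
static const uint8_t CHECK_PROGRAM[] = {
    OP_LDI,  0, 0x17,   /* 0: R0 = seed */
    OP_LDI,  1, 0,      /* 1: R1 = index 0 */
    OP_LDB,  2, 1,      /* 2: R2 = input[R1], 0 past the end */
    OP_JNZ,  2, 5,      /* 3: byte present -> instruction 5 */
    OP_JMP,  0, 9,      /* 4: end of input -> compare */
    OP_XOR,  0, 2,      /* 5: R0 ^= byte */
    OP_ROL,  0, 0,      /* 6: R0 = rol1(R0) */
    OP_ADDI, 1, 1,      /* 7: R1++ */
    OP_JMP,  0, 2,      /* 8: loop */
    OP_LDI,  2, 0x38,   /* 9: expected hash */
    OP_CMP,  0, 2,      /* 10: R0 = (R0 == R2) */
    OP_RET,  0, 0,      /* 11: return R0 */
};

/* 1 if `pw` passes the bytecode check, 0 if not, -1 on a malformed program. */
int vm_check_password(const char *pw) {
    return vm_run(CHECK_PROGRAM, sizeof CHECK_PROGRAM, (const uint8_t *)pw, strlen(pw));
}

/* Malformed bytecode (unknown opcode) is rejected rather than executed. */
int vm_rejects_unknown_opcode(void) {
    static const uint8_t bad[] = { 0xFF, 0, 0 };
    return vm_run(bad, sizeof bad, NULL, 0) == -1;
}

int main(void) {
    printf("\"test\" -> %d, \"tesT\" -> %d\n", vm_check_password("test"), vm_check_password("tesT"));
    return 0;
}
```

Two points carry over to real VM protections. First, the handlers (the `switch` here) are generic and tell an analyst nothing about the protected logic; the decision lives in the bytecode and its constants, which is why the author could make the handlers "a few hundred instructions long" to slow analysis without touching the check itself. Second, an interpreter that executes untrusted or corrupted bytecode needs bounds checks on operands and the program counter and a step limit, as above, or a malformed program becomes a memory-safety bug in the host binary.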
