[ChinaBeta.Cn Web Alliance Academy]
RANDOM_ORDER: Each layer uses a table to access the parts of its code. If this option is enabled, each layer executes its blocks in a random order. I did not enable this one, on purpose.

USE_DIFFERENT_LOOP_CODE: Each layer loops a given number of times. With this option, different code can be used to test for the end of the loop, which makes it harder for the reverse engineer to find a pattern for removing the layers. This option wasn't enabled; the default loop-check code was used.

RANDOM_FIRST_BLOCK: This option puts random values in the first elements of the layer tables. You will see in some submissions that the static values were used to bypass the layers. I didn't enable this option, to see whether anyone would make use of that.

NUMBER: The number of layers the generator must produce. I used 175 layers in this challenge. I can generate 65000 layers in a few seconds because the generator engine is written in assembly language.
Presentation of the encryption layers:

Layer Selector

        xor esi,esi                                     ; ESI = 0
    mad_loop175_1:                                      ; Loop label
        inc esi                                         ; ESI++
        mov edi,dword ptr [ebp+(esi*4)+EIPtable175_1]   ; Grab block address
        mov ebx,dword ptr [ebp+(esi*4)+RETable175_1]    ; Grab "Encrypted" return address
        Add ebx, [ebp+_startloader]                     ; Add base.
        push ebx                                        ; Save the return address on the stack
        Call tricky_call175_1                           ; Fake call
        db 0EBh,01,0E8h                                 ; Some junk crap
    fake_ret175_1:                                      ; Fake return address label.
        Add edi, [ebp+_startloader]                     ; Add EDI base. EDI now contains the
                                                        ; address of a block inside the layer.
        jmp edi                                         ; Execute that block.
    return_addy175_1:
        cmp esi, 4                                      ; When we get back from the block, we
                                                        ; check whether we have done every block.
        jnz mad_loop175_1                               ; If we didn't, loop!
    bpxcheck175_1:                                      ; Label used for BPX check.
        jmp @layer175_1
    tricky_call175_1:
        pop ebx                                         ; Ret address is in EBX
        jmp fake_ret175_1                               ; Jmp to fake return address.
    @layer175_1:                                        ; End of the layer.
This is the main part of a layer. It loops through the layer's blocks in an obfuscated way: it prepares the stack with the block's return address and then fakes a call. If you step over that call in your debugger, the debugger will not break (the bytes right after the call are never executed) and the binary will simply run on. If you were debugging a malware sample, you would get infected; if you were analysing the binary, you would have to restart from scratch (unless you had dumped your position regularly).
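As an added illustration (not code from the original challenge or its author), the following Python models the layer selector above in two ways: a static resolution of the two tables into the (block, return address) pairs the loop will use, and a step-by-step walk of the loop with an explicit stack. The walk shows that each block's final ret lands on return_addy175_1 and that the bytes right after the fake call, where a debugger's step-over breakpoint is placed, never appear in the execution trace. All addresses, table contents and label offsets are constructed assumptions; index 0 of the tables is the "first element" the RANDOM_FIRST_BLOCK option refers to, and since execution order is simply table order, the same resolution applies to a layer generated with RANDOM_ORDER.

```python
# Added example, not part of the original writeup: a model of one layer's
# "layer selector" loop. Every address and table value below is constructed.

BASE = 0x00400000          # assumed value of [ebp+_startloader]
BLOCK_COUNT = 4            # the "cmp esi, 4" limit in the listing

# Constructed relative tables, standing in for EIPtable175_1 / RETable175_1.
# Index 0 is the "first element" RANDOM_FIRST_BLOCK would randomise; the loop
# does "inc esi" before its first read, so index 0 is never dereferenced.
EIP_TABLE = [0xDEADBEEF, 0x1100, 0x1180, 0x1240, 0x1300]
RET_TABLE = [0xDEADBEEF, 0x1050, 0x1050, 0x1050, 0x1050]   # all -> return_addy175_1

# Constructed offsets (relative to BASE) for the dispatcher's own labels.
LOOP_LABEL  = 0x1010            # mad_loop175_1
CALL_SITE   = 0x1030            # "Call tricky_call175_1" (5-byte near call)
JUNK_BYTES  = CALL_SITE + 5     # db 0EBh,01,0E8h: where a step-over breakpoint lands
FAKE_RET    = 0x1038            # fake_ret175_1
RETURN_ADDY = 0x1050            # return_addy175_1
TRICKY_CALL = 0x1060            # tricky_call175_1
LAYER_END   = 0x1070            # @layer175_1


def resolve_layer(eip_table, ret_table, base, count):
    """Static view: the (block address, return address) pairs the loop will
    use, in execution order, once the loader base has been added. This is
    exactly what the dispatcher computes in EDI and EBX for esi = 1..count."""
    return [(base + eip_table[i], base + ret_table[i]) for i in range(1, count + 1)]


def emulate_layer(eip_table, ret_table, base, count):
    """Dynamic view: walk the dispatcher with an explicit stack and record each
    code address that runs. A block is modelled as a single 'ret'."""
    stack, trace = [], []
    esi = 0
    while True:
        trace.append(base + LOOP_LABEL)       # mad_loop175_1:
        esi += 1                              # inc esi
        edi = eip_table[esi]                  # mov edi, [EIPtable + esi*4]
        ebx = ret_table[esi] + base           # mov ebx, [RETable + esi*4]; add ebx, base
        stack.append(ebx)                     # push ebx (the block's return address)
        trace.append(base + CALL_SITE)        # call tricky_call175_1 ...
        stack.append(base + JUNK_BYTES)       # ... pushes the address of the junk bytes
        trace.append(base + TRICKY_CALL)      # tricky_call175_1:
        ebx = stack.pop()                     # pop ebx (junk address, discarded)
        trace.append(base + FAKE_RET)         # jmp fake_ret175_1
        edi += base                           # add edi, base
        trace.append(edi)                     # jmp edi: the block runs ...
        ret_target = stack.pop()              # ... and its 'ret' pops our pushed address
        trace.append(ret_target)
        if ret_target != base + RETURN_ADDY:
            # A wrong RETable entry would hand control outside the dispatcher.
            raise RuntimeError(f"block {esi} returned to {ret_target:#x}, not return_addy")
        if esi == count:                      # cmp esi, 4 / jnz mad_loop175_1
            break
    trace.append(base + LAYER_END)            # bpxcheck175_1: jmp @layer175_1
    return trace, stack


def step_over_breaks(trace, base):
    """Would a step-over breakpoint placed after the fake call ever fire?"""
    return (base + JUNK_BYTES) in trace


if __name__ == "__main__":
    for block, ret in resolve_layer(EIP_TABLE, RET_TABLE, BASE, BLOCK_COUNT):
        print(f"block {block:#010x} returns to {ret:#010x}")
    trace, stack = emulate_layer(EIP_TABLE, RET_TABLE, BASE, BLOCK_COUNT)
    print("executed:", " ".join(f"{a:#x}" for a in trace))
    print("step-over breakpoint fires:", step_over_breaks(trace, BASE))
```

The emulator keeps the stack explicit so the trick is visible: the call pushes the address of the junk bytes, tricky_call175_1 pops it straight back off, and what remains on top is the address pushed beforehand, so the block's ret goes to return_addy175_1 while the bytes after the call are never reached.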
(Responsible editor: hahack)