{pe花指令加密,參考 fi7ke 的 PE花指令加密一文
Author:hnxyy QQ:19026695 2005.11.24
說明:以VC++6的花指令為例說明
//VC++6外衣 1
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00);
//VC++6外衣 2
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);
1.直接將入口地址賦給寄存器eax,然后jmp eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
2. 直接跳轉到入口地址
00469124 - E9 07B9FEFF jmp Project1.00454A30
兩種效果實際上是一樣的,但我們為了方便修改花指令跳轉到原來的入口地址,通常取得原
pe header的AddressOfEntryPoint,然后給寄存器eax保存該值,所以第二種方法就不太方便,
所以一般采用第一種方法,JMPOFF為花指令代碼到跳轉指令的偏移,如對Visual C++的花指令
JMPOFF=54,其后緊跟的是原入口地址,可以隨便填寫,程序加花指令時會自動修改,一般可以
默認設為00104000(即00401000).
通過匯編修改花指令跳轉原入口地址的語句:
asm //這里說明一下,這是嵌入的匯編代碼,寄存器—CPU暫時儲存數據的東西,比內存更快,以提高效率
PUSHAD
LEA eax, OEPCODE //將OEPCODE的地址交給寄存器
ADD eax, JMPOFF //添加JMPOFF值給寄存器
MOV edx, AddressOfEntryPoint //轉移指令,相當于賦值語句,左邊給右邊
MOV DWORD ptr [eax], edx //同上
POPAD
end;
}
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls, ShellAPI;
type
// Main form of the tool. The fields below are the IDE-bound controls; the
// method bodies live in the implementation section, which is outside this
// view, so only their declared shape is documented here.
TForm1 = class(TForm)
Label1: TLabel;
Edit1: TEdit;
Button1: TButton;
RadioGroup1: TRadioGroup;
Label2: TLabel;
Edit2: TEdit;
Label3: TLabel;
Edit3: TEdit;
CheckBox1: TCheckBox;
Button2: TButton;
Label5: TLabel;
OpenDialog1: TOpenDialog;
Label4: TLabel;
// Event handlers: by Delphi naming convention these are presumably wired to
// the named component's OnClick / OnKeyPress event in the .dfm — confirm there.
procedure Button1Click(Sender: TObject);
// Plain helper (no event parameter); purpose not visible from this view.
procedure obtain;
procedure Button2Click(Sender: TObject);
procedure Label4Click(Sender: TObject);
procedure Edit3KeyPress(Sender: TObject; var Key: Char);
private
{ Private declarations }
// NOTE(review): name suggests the target PE's image base; verify in the implementation.
FImageBase: DWORD;
// Selects/prepares the entry-point stub; body not shown here.
procedure SetOepCode;
public
{ Public declarations }
end;
// Fixed 64-byte buffer holding one entry-point stub (see the OEPCODE* constants below).
THEAD = array[0..63] of byte;
var
// Global reference to the application's TForm1 instance.
Form1: TForm1;
const
// ---------------------------------------------------------------------------
// Entry-point stub tables.
// Each THEAD below is a 64-byte x86 code fragment (trailing $00 bytes are
// padding) meant to be installed as the target PE's new entry point and to
// jump back to the original one; the names record which compiler's startup
// prologue each stub is intended to resemble.
// Every stub contains `B8 00 10 40 00` (mov eax,$00401000). The imm32 is a
// placeholder: the inline asm in the header comment overwrites the dword at
// stub+JMPOFF with the real AddressOfEntryPoint before the stub is used.
// NOTE(review): that patch writes into a typed constant; whether the write is
// permitted depends on the $J (writeable typed constants) directive in effect —
// confirm, since a read-only placement would fault at runtime.
// ---------------------------------------------------------------------------
{ Superseded single-stub version, kept commented out for reference:
MYSECTION = 'Fi7ke'; //name of the section to add (user-defined)
JMPOFF = 43; //offset of the patch dword inside the stub; read off in Ollydbg after loading
//Microsoft Visual C++
OEPCODE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38,
$90, $0D, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89,
$25, $00, $00, $00, $00, $58, $64, $A3, $00, $00, $00, $00,
$58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00); }
// "Nothing found", variant one (same bytes as OEPCODEARRAY[0]).
OEPCODEONE: THEAD =
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// "Nothing found", variant two (same bytes as OEPCODEARRAY[5]).
OEPCODETWO: THEAD =
($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// VC++ disguise (same bytes as OEPCODEARRAY[1]).
OEPCODETHREE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// VC++5 disguise (same bytes as OEPCODEARRAY[2]).
OEPCODEFOUR: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// VC++6 disguise (same bytes as OEPCODEARRAY[3]); this is "variant 2" of the
// header comment, i.e. the `mov eax,imm32 / jmp eax` form.
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);
// C disguise (same bytes as OEPCODEARRAY[4]).
OEPCODESIX: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
// Number of stubs in the two parallel tables below.
OepCount = 6;
//OEPCODEARRAY :array[0..OepCount-1,0..63] of byte=(
//OEPCODEARRAY :array[0..OepCount-1] of array[0..63] of byte=(
// The same six stubs as the named constants above, but in a different order
// (ONE, THREE, FOUR, FIVE, SIX, TWO). A typed constant cannot normally be used
// to initialise another typed constant, hence the duplicated bytes — keep the
// two copies in sync. Indexed in parallel with JMPOFFARRAY.
OEPCODEARRAY :array[0..OepCount-1] of THEAD=(
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // "Nothing found", variant one
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // VC++ disguise
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // VC++5 disguise
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00), // VC++6 disguise
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // C disguise
($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00) // "Nothing found", variant two
);
// For each OEPCODEARRAY row: byte offset of the 4-byte immediate that receives
// the original entry point. In every row this is the imm32 operand of the $B8
// (mov eax,imm32) byte immediately before it (offsets 10,43,38,54,43,11 each
// follow a $B8 in the row above). Must stay parallel with OEPCODEARRAY.
JMPOFFARRAY :array[0..OepCount-1] of integer=(10,43,38,54,43,11);
{Nothing found * ONE:
Borland Delphi 6.0 - 7.0
00469022 0055 8B add byte ptr ss:[ebp-75],dl
00469025 EC in al,dx
00469026 83C4 F4 add esp,-0C
00469029 83C4 0C add esp,0C
0046902C B8 304A4500 mov eax,Project1.00454A30
00469031 50 push eax
00469032 C3 retn
Nothing found * TWO
00454A72 55 push ebp
00454A73 8BEC mov ebp,esp
00454A75 41 inc ecx
00454A76 52 push edx
00454A77 90 nop
00454A78 5A pop edx
00454A79 49 dec ecx
00454A7A 5D pop ebp
00454A7B 41 inc ecx
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
C外衣:
00454A6C 55 push ebp
00454A6D 8BEC mov ebp,esp
00454A6F 6A FF push -1
00454A71 68 11111100 push 111111
00454A76 68 22222200 push 222222
00454A7B 64:A1 00000>mov eax,dword ptr fs:[0]
00454A81 50 push eax
00454A82 64:8925 000>mov dword ptr fs:[0],esp
00454A89 58 pop eax
00454A8A 64:A3 00000>mov dword ptr fs:[0],eax
00454A90 58 pop eax
00454A91 58 pop eax
00454A92 58 pop eax
00454A93 58 pop eax
00454A94 8BE8 mov ebp,eax
00454A96 - E9 65F5CAFF jmp 00104000
VC++5外衣:
0046905F P> 55 push ebp
00469060 8BEC mov ebp,esp
00469062 6A FF push -1
00469064 68 48544100 push Project1.00415448
00469069 68 A8214000 push Project1.004021A8
0046906E 64:A1 0000000>mov eax,dword ptr fs:[0]
00469074 50 push eax
00469075 64:8925 00000>mov dword ptr fs:[0],esp
0046907C 83C4 94 add esp,-6C
0046907F 53 push ebx
00469080 56 push esi
00469081 57 push edi
00469082 0000 add byte ptr ds:[eax],al
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
VC++外衣:
00469000 P> 55 push ebp
00469001 8BEC mov ebp,esp
00469003 6A FF push -1
00469005 68 2A2C0A00 push 0A2C2A
0046900A 68 38900D00 push 0D9038
0046900F 64:A1 0000000>mov eax,dword ptr fs:[0]
00469015 50 push eax
00469016 64:8925 00000>mov dword ptr fs:[0],esp
0046901D 58 pop eax
0046901E 64:A3 0000000>mov dword ptr fs:[0],eax
00469024 58 pop eax
00469025 58 pop eax
00469026 58 pop eax
00469027 58 pop eax
00469028 8BE8 mov ebp,eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
VC++6外衣: