hnxyy在吗,请教个问题,关于PE伪装器代码中的问题:
JMPOFF = 43; //花指令的机器码,Ollydbg加载后随便取
这个JMPOFF机器码不知是怎么取得的。现在我增加新的花指令,但这个JMPOFF的值不知是如何取的,对“Ollydbg加载后随便取”非常不明白。
解决方案 »
不好意思,下午一直在忙。http://hi.baidu.com/hnxyy/blog/item/748e49087ace2e950b7b823c.html
JMPOFF长度不是固定的,是根据不同的花指令的入口算出来的。
OEPCODEARRAY :array[0..OepCount-1] of THEAD=(
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //Nothing found * one
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //VC++外衣
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //VC++5外衣
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00), //VC++6外衣
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00),
//C外衣 ($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00) //Nothing found * two ); JMPOFFARRAY :array[0..OepCount-1] of integer=(10,43,38,54,43,11);(10,43,38,54,43,11) 分别对应以上六种花的入口,表示在这个骗移地址后跳回原OEP加花的目的是在原程序的入口处加入一段代码,程序执行的时候先执行这段代码,在返回原入口 这个JMPOFF我知道是对应一种花现在问题就是JMPOFF值是怎么算出来的了例如:VC++6外衣JMPOFF:=43;那么这个43是怎么算出来了呢是不是先写花到文件,然后OD载入该文件,此文件的入口减原未写花的文件入口的值呢?是不是这样理解的现在我成功增加了一个MASM32的6A 00 E8 05 00 00 00 A3 00 00 00 00 83 C4 08 B8 00 10 40 00 50 C3JMPOFF=16现在有一段PowerBasic 7.02的特征55 8B EC 53 56 57 BB 00 80 3B 00 66 2E F7 05 5E 31 3B 00 04 00 0F 85 DB 00 00 00 6A 00现在觉得此段特征后面还少了点什么,老加不对的 如果你想彻底了解这种加花机制,建议你先了解它的原理和PE的一些基础知识,我的程序中基本注释比较清楚了,你可以先学着手工用OD加一些花,添加一个区段写花代码或在PE中找个空隙写都可以,关键要保持堆栈平衡+++++++++++++++++++++++++++说明:以VC++6的花指令为例说明//VC++6外衣 1OEPCODEFIVE: THEAD =($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68, $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58, $58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00); //VC++6外衣 2OEPCODEFIVE: THEAD =($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68, $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);1.直接将入口地址赋给寄存器eax,然后jmp eax0046902A B8 304A4500 mov eax,Project1.00454A300046902F FFE0 jmp eax00469031 90 nop2. 
直接跳转到入口地址00469124 - E9 07B9FEFF jmp Project1.00454A30两种效果实际上是一样的,但我们为了方便修改花指令跳转到原来的入口地址,通常取得原pe header的AddressOfEntryPoint,然后给寄存器eax保存改值,所以第二种方法就不太方便,所以一般采用第一种方法,JMPOFF为花指令代码到跳转指令的偏移,如对Visual C++的花指令JMPOFF=54,其后免跟的是原入口地址,可以随便填写,程序加花指令是会自动修改,一般可以默认设为00104000(即00401000).通过汇编修改花指令跳转原入口地址的语句:asm //这里说明一下,这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西,比内存更快,以提高效率 PUSHAD LEA eax, OEPCODE //将OEPCODE的地址交给寄存器 ADD eax, JMPOFF //添加JMPOFF值给寄存器 MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边 MOV DWORD ptr [eax], edx //同上 POPADend;}JMPOFF的长度在上面已经说的很清楚了,就是花指令的长度对:OEPCODEFIVE: THEAD =($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68, $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);它的长度就是$00, $10, $40, $00前的长度54,原入口地址是$00, $10, $40, $00(00104000),随便填写,通过:asm //这里说明一下,这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西,比内存更快,以提高效率 PUSHAD LEA eax, OEPCODE //将OEPCODE的地址交给寄存器 ADD eax, JMPOFF //添加JMPOFF值给寄存器 MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边 MOV DWORD ptr [eax], edx //同上 POPADend;返回到原入口,这个时候00104000已经变成真正的OEP先压栈,跳到入口,出栈,保持堆栈平衡0046902A B8 304A4500 mov eax,Project1.00454A300046902F FFE0 jmp eax00469031 90 nop$00, $10, $40, $00, $FF, $E0, $90$00, $10, $40, $00是随便填写的,对应上面的B8 304A4500 mov eax,Project1.00454A30表示从这个地方开始返回原入口,之前都是JMPOFF的长度呵呵,表达不清楚,希望你能看明白如果你od用的熟了,一看就明白多用OD进行手工加花,可有助于你理解 花指令可以通过OD反汇编取得对应的16进制VC++6外衣:004690EF P> 55 push ebp004690F0 8BEC mov ebp,esp004690F2 6A FF push -1004690F4 68 00000000 push 0004690F9 68 00000000 push 0004690FE 64:A1 0000000>mov eax,dword ptr fs:[0]00469104 50 push eax00469105 64:8925 00000>mov dword ptr fs:[0],esp0046910C 83EC 68 sub esp,680046910F 53 push ebx00469110 56 push esi00469111 57 push edi00469112 58 pop eax00469113 58 pop eax00469114 58 pop eax00469115 83C4 68 add esp,6800469118 58 pop eax00469119 67:64:A3 0000 mov dword ptr fs:[0],eax0046911E 58 pop 
eax
0046911F 58 pop eax
00469120 58 pop eax
00469121 58 pop eax
00469122 8BE8 mov ebp,eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
// OEPCODEARRAY, continued: six 64-byte entry stubs (THEAD), one per "shell" (外衣).
// Every stub returns to the real entry point through  B8 imm32  (mov eax,imm32) followed by
// either  FF E0  (jmp eax) or  50 C3  (push eax / ret). The imm32 is only a placeholder
// ($00,$10,$40,$00 = 00401000 stored little-endian); the tool overwrites it with the file's
// real AddressOfEntryPoint, so JMPOFFARRAY[i] must be the index of the first imm32 byte,
// i.e. the index of $B8 plus one. The bytes before $B8 imitate a compiler prologue; the
// answer below stresses that whatever they push must be popped again before the jump.
// Detection note: a prologue whose pushes are undone right away, followed by
// mov eax,imm32 / jmp eax leaving the stub, is itself a recognisable pattern.
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // Nothing found * one  ($B8 at index 9 -> JMPOFF 10; ends with push eax / ret)
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // VC++ shell  ($B8 at index 42 -> JMPOFF 43)
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // VC++5 shell  ($B8 at index 37 -> JMPOFF 38)
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00), // VC++6 shell  ($B8 at index 53 -> JMPOFF 54)
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), // C shell  ($B8 at index 42 -> JMPOFF 43)
($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00) // Nothing found * two  ($B8 at index 10 -> JMPOFF 11)
); JMPOFFARRAY :array[0..OepCount-1] of integer=(10,43,38,54,43,11); // imm32 offset of each stub above, same order
(10,43,38,54,43,11) 分别对应以上六种花指令的入口,表示在这个偏移地址处填入跳回原OEP的地址。加花的目的是在原程序的入口处加入一段代码,程序执行的时候先执行这段代码,再返回原入口。
VC++6外衣
JMPOFF:=43;那么这个43是怎么算出来的呢?是不是先写花到文件,然后OD载入该文件,用此文件的入口减去原未写花的文件入口的值呢?是不是这样理解的?现在我成功增加了一个MASM32的花指令:
6A 00 E8 05 00 00 00 A3 00 00 00 00 83 C4 08 B8 00 10 40 00 50 C3
JMPOFF=16
现在有一段PowerBasic 7.02的特征
55 8B EC 53 56 57 BB 00 80 3B 00 66 2E F7 05 5E 31 3B 00 04 00 0F 85 DB 00 00 00 6A 00
现在觉得此段特征后面还少了点什么,老加不对的
说明:以VC++6的花指令为例说明//VC++6外衣 1
// VC++6 shell, variant 1: the same prologue-imitating bytes as variant 2 below, but the
// return to the real OEP is  E9 rel32  (jmp rel32, bytes 53..57; OllyDbg shows it as
// "E9 07B9FEFF jmp Project1.00454A30"). rel32 is relative to the end of the jmp itself,
// so it depends on where the stub lands and cannot simply be filled with
// AddressOfEntryPoint — which is why the mov eax,imm32 / jmp eax form is preferred.
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,   // push ebp; mov ebp,esp; push -1; push 0; push 0; (mov eax,fs:[0] begins)
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,   // ...fs:[0]; push eax; mov fs:[0],esp; sub esp,68
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,   // push ebx/esi/edi; pop eax x3; add esp,68; pop eax; mov fs:[0],eax; pop eax
$58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00); // pop eax x3; mov ebp,eax; jmp rel32 (E9 07B9FEFF); padding.  VC++6 shell, variant 2 follows
// VC++6 shell, variant 2 (the form the tool uses): identical prologue bytes, but the return
// is  B8 imm32 / FF E0  (mov eax,imm32 ; jmp eax) at indices 53..59. $B8 sits at index 53,
// so the imm32 placeholder $00,$10,$40,$00 occupies 54..57 and JMPOFF = 54 for this stub.
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,   // push ebp; mov ebp,esp; push -1; push 0; push 0; (mov eax,fs:[0] begins)
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,   // ...fs:[0]; push eax; mov fs:[0],esp; sub esp,68
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,   // push ebx/esi/edi; pop eax x3; add esp,68; pop eax; mov fs:[0],eax; pop eax
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);1.直接将入口地址赋给寄存器eax,然后jmp eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
2. 直接跳转到入口地址
00469124 - E9 07B9FEFF jmp Project1.00454A30
两种效果实际上是一样的,但为了方便修改花指令跳转到原来的入口地址,通常取得原
PE header的AddressOfEntryPoint,然后把该值保存到寄存器eax,所以第二种方法就不太方便,
一般采用第一种方法。JMPOFF为花指令开头到跳转指令中所填入口地址的偏移,如对Visual C++的花指令
JMPOFF=54,其后紧跟的是原入口地址,可以随便填写,程序加花指令时会自动修改,一般可以
默认设为00104000(即小端存放的00401000).
通过汇编修改花指令跳转原入口地址的语句:
asm // Delphi inline assembler: write the real entry point into the imm32 placeholder of OEPCODE.
    // (Original note: registers are the CPU's own scratch storage, faster than memory.)
PUSHAD                          // save every general-purpose register; POPAD restores them
LEA eax, OEPCODE                // eax = address of the stub bytes
ADD eax, JMPOFF                 // eax = @OEPCODE[JMPOFF], the first byte after $B8 (mov eax,imm32)
MOV edx, AddressOfEntryPoint    // edx = original AddressOfEntryPoint (Intel syntax: source on the right, destination on the left)
MOV DWORD ptr [eax], edx        // 4-byte store over the $00,$10,$40,$00 placeholder
                                // NOTE(review): nothing here checks JMPOFF <= SizeOf(OEPCODE)-4; a wrong JMPOFF
                                // writes past the array or over neighbouring opcodes, so validate it per stub.
POPAD
end;
JMPOFF的长度在上面已经说得很清楚了,就是花指令到入口地址占位符之前的长度。对:
// VC++6 shell, variant 2 again (same bytes as above). JMPOFF = 54 is the index of the byte
// right after $B8 (index 53), i.e. the first byte of the imm32 placeholder $00,$10,$40,$00.
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,   // push ebp; mov ebp,esp; push -1; push 0; push 0; (mov eax,fs:[0] begins)
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,   // ...fs:[0]; push eax; mov fs:[0],esp; sub esp,68
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,   // push ebx/esi/edi; pop eax x3; add esp,68; pop eax; mov fs:[0],eax; pop eax
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);它的长度就是$00, $10, $40, $00前的长度54,原入口地址是$00, $10, $40, $00(00104000),随便填写,通过:asm //这里说明一下,这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西,比内存更快,以提高效率
PUSHAD                          // save every general-purpose register; POPAD restores them
LEA eax, OEPCODE                // eax = address of the stub bytes
ADD eax, JMPOFF                 // eax = @OEPCODE[JMPOFF], the first byte after $B8 (mov eax,imm32)
MOV edx, AddressOfEntryPoint    // edx = original AddressOfEntryPoint (Intel syntax: source on the right, destination on the left)
MOV DWORD ptr [eax], edx        // 4-byte store over the $00,$10,$40,$00 placeholder
                                // NOTE(review): JMPOFF is not bounds-checked against SizeOf(OEPCODE)-4 here
POPAD
end;
返回到原入口,这个时候00104000已经变成真正的OEP。先压栈,跳到入口,再出栈,保持堆栈平衡:
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
$00, $10, $40, $00, $FF, $E0, $90
$00, $10, $40, $00是随便填写的,对应上面的
B8 304A4500 mov eax,Project1.00454A30
表示从这个地方开始返回原入口,之前都是JMPOFF的长度。呵呵,表达不清楚,希望你能看明白。如果你OD用得熟了,一看就明白。多用OD进行手工加花,可有助于你理解。
004690F0 8BEC mov ebp,esp                        ; frame set-up; the matching "push ebp" at 004690EF appears only in the collapsed copy above
004690F2 6A FF push -1                           ; pushes 1-3: looks like a VC-style SEH frame
004690F4 68 00000000 push 0
004690F9 68 00000000 push 0
004690FE 64:A1 0000000>mov eax,dword ptr fs:[0]  ; eax = current SEH chain head
00469104 50 push eax                             ; push 4: save the chain head
00469105 64:8925 00000>mov dword ptr fs:[0],esp  ; install the fake frame as chain head
0046910C 83EC 68 sub esp,68                      ; local area, as a compiler prologue would reserve
0046910F 53 push ebx                             ; pushes 5-7
00469110 56 push esi
00469111 57 push edi
00469112 58 pop eax                              ; pops 7,6,5 - values discarded into eax (ebx/esi/edi themselves untouched)
00469113 58 pop eax
00469114 58 pop eax
00469115 83C4 68 add esp,68                      ; undo the sub esp,68
00469118 58 pop eax                              ; pop 4: eax = saved chain head
00469119 67:64:A3 0000 mov dword ptr fs:[0],eax  ; restore the original SEH chain head
0046911E 58 pop eax                              ; pops 3,2,1 ...
0046911F 58 pop eax
00469120 58 pop eax
00469121 58 pop eax                              ; ... and the ebp pushed at 004690EF: esp is back where it started
00469122 8BE8 mov ebp,eax                        ; ebp restored; only eax and flags differ from the original entry state
0046902A B8 304A4500 mov eax,Project1.00454A30   ; pasted from the earlier example (note the address jump from 00469122)
0046902F FFE0 jmp eax                            ; transfer to the real OEP
00469031 90 nop