SKYPE中的 anti-debug 分析
软件名称: skype
实例下载: http://www.skype.com/download
作 者: blackeyes
声 明: skype 是 freeware, 没有什么要 PJ的, 只是分析它的anti-debug
1. 基本信息
入口点(OEP): 005E7A28
引入表(I T): 00B8F000-00B8F21B ( size: 021C )
引入地址表(IAT): 00B8F21C-00B8FD38 ( size: 0B1C )
PeID结果: Borland Delphi 6.0 - 7.0 [Overlay]
2. 调试器检测, CODE 解码, 解析第二份IAT
// OD 载入后停在这里 005E7A28
005E7A28 > $Content$nbsp;/EB 57 JMP SHORT Skype.005E7A81
005E7A81 > \E8 26010000 CALL Skype.005E7BAC ; // detect softice (第 1 处)
005E7A86 . 84C0 TEST AL,AL
005E7A88 . 74 1C JE SHORT Skype.005E7AA6
005E7A8A . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
005E7A8C . FF35 482FB800 PUSH DWORD PTR DS:[B82F48] ; |Title = "Skype"
005E7A92 . FF35 4C2FB800 PUSH DWORD PTR DS:[B82F4C] ; |Text = "Error: Skype is not compatible with debuggers like SoftICE .."
005E7A98 . 6A 00 PUSH 0 ; |hOwner = NULL
005E7A9A . E8 9910E2FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
005E7A9F . 6A 01 PUSH 1 ; /ExitCode = 1
005E7AA1 . E8 5A04E2FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
005E7AA6 > BA 011E1600 MOV EDX,161E01
005E7AAB . 81C2 A38BA100 ADD EDX,Skype.00A18BA3 ; // EDX = 00B7A9A4
005E7AB1 . 52 PUSH EDX
005E7AB2 . EB 10 JMP SHORT Skype.005E7AC4
005E7AB4 . BF 287A5E00 MOV EDI,Skype.<ModuleEntryPoint>
005E7AB9 . B9 C47A5E00 MOV ECX,Skype.005E7AC4
005E7ABE . 29F9 SUB ECX,EDI
005E7AC0 . 31C0 XOR EAX,EAX
005E7AC2 . F3:AA REP STOS BYTE PTR ES:[EDI]
005E7AC4 > E8 CF3F0100 CALL Skype.005FBA98
005E7AC9 . E8 AAFEFFFF CALL Skype.005E7978
005E7ACE . C3 RETN ; // return 00B7A9A4
00B7A9A4 . 55 PUSH EBP ; 感觉这儿才是程序入口点
00B7A9A5 . 8BEC MOV EBP,ESP
00B7A9A7 . B9 20000000 MOV ECX,20
00B7A9AC > 6A 00 PUSH 0
00B7A9AE . 6A 00 PUSH 0
00B7A9B0 . 49 DEC ECX
00B7A9B1 .^ 75 F9 JNZ SHORT Skype.00B7A9AC
00B7A9B3 . 53 PUSH EBX
00B7A9B4 . 56 PUSH ESI
00B7A9B5 . 57 PUSH EDI
00B7A9B6 . B8 749FB700 MOV EAX,Skype.00B79F74
00B7A9BB . E8 6CD088FF CALL Skype.00407A2C ; // *** Init CALL ****
00B7A9C0 . BF 78E6B800 MOV EDI,Skype.00B8E678
00B7A9C5 . 33C0 XOR EAX,EAX
00B7A9C7 . 55 PUSH EBP
00B7A9C8 . 68 1BBAB700 PUSH Skype.00B7BA1B
00B7A9CD . 64:FF30 PUSH DWORD PTR FS:[EAX]
00B7A9D0 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00B7A9D3 . A1 90B2B800 MOV EAX,DWORD PTR DS:[B8B290]
00B7A9D8 . C600 01 MOV BYTE PTR DS:[EAX],1
00B7A9DB . 6A 00 PUSH 0
00B7A9DD . E8 661D8AFF CALL <JMP.&ole32.OleInitialize>
00B7A9E2 . E8 3DB6A6FF CALL Skype.005E6024 ; // detect debug (第 2 处)
00B7A9E7 . 84C0 TEST AL,AL
00B7A9E9 . 74 1A JE SHORT Skype.00B7AA05
00B7A9EB . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00B7A9ED . 68 30BAB700 PUSH Skype.00B7BA30 ; |Title = "Skype"
00B7A9F2 . 68 38BAB700 PUSH Skype.00B7BA38 ; |Text = "Skype is not compatible with system debuggers like SoftICE."
00B7A9F7 . 6A 00 PUSH 0 ; |hOwner = NULL
00B7A9F9 . E8 32E188FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00B7A9FE . 6A 00 PUSH 0 ; /ExitCode = 0
00B7AA00 . E8 FBD488FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00B7AA05 > B9 7CBAB700 MOV ECX,Skype.00B7BA7C ; ASCII "Starting .."
00B7AA0A . BA 94BAB700 MOV EDX,Skype.00B7BA94 ; ASCII "Skype.main"
// Init call
00407A2C /$Content$nbsp; 53 PUSH EBX
00407A2D |. 8BD8 MOV EBX,EAX
00407A2F |. 33C0 XOR EAX,EAX
00407A31 |. A3 A4C0B700 MOV DWORD PTR DS:[B7C0A4],EAX
00407A36 |. 6A 00 PUSH 0 ; /pModule = NULL
00407A38 |. E8 2BFFFFFF CALL <JMP.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00407A3D |. A3 68C6B800 MOV DWORD PTR DS:[B8C668],EAX
00407A42 |. A1 68C6B800 MOV EAX,DWORD PTR DS:[B8C668]
00407A47 |. A3 B0C0B700 MOV DWORD PTR DS:[B7C0B0],EAX
00407A4C |. 33C0 XOR EAX,EAX
00407A4E |. A3 B4C0B700 MOV DWORD PTR DS:[B7C0B4],EAX
00407A53 |. 33C0 XOR EAX,EAX
00407A55 |. A3 B8C0B700 MOV DWORD PTR DS:[B7C0B8],EAX
00407A5A |. E8 C1FFFFFF CALL Skype.00407A20
00407A5F |. BA ACC0B700 MOV EDX,Skype.00B7C0AC
00407A64 |. 8BC3 MOV EAX,EBX
00407A66 |. E8 95D2FFFF CALL Skype.00404D00 ; // 都在这里 CALL init
00407A6B |. 5B POP EBX
00407A6C \. C3 RETN
00404D00 /$Content$nbsp; C705 14C0B800 F01240>MOV DWORD PTR DS:[B8C014],<JMP.&kernel32.RaiseException>
00404D0A |. C705 18C0B800 001340>MOV DWORD PTR DS:[B8C018],<JMP.&kernel32.RtlUnwind>
00404D14 |. A3 40C6B800 MOV DWORD PTR DS:[B8C640],EAX
00404D19 |. 33C0 XOR EAX,EAX
00404D1B |. A3 44C6B800 MOV DWORD PTR DS:[B8C644],EAX
00404D20 |. 8915 48C6B800 MOV DWORD PTR DS:[B8C648],EDX
00404D26 |. 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00404D29 |. A3 30C0B800 MOV DWORD PTR DS:[B8C030],EAX
00404D2E |. E8 A5FEFFFF CALL Skype.00404BD8
00404D33 |. C605 38C0B800 00 MOV BYTE PTR DS:[B8C038],0
00404D3A |. E8 51FFFFFF CALL Skype.00404C90 ; // Delphi 的程序好象都是这样
00404D3F \. C3 RETN
00404C90 $Content$nbsp; 55 PUSH EBP
00404C91 . 8BEC MOV EBP,ESP
00404C93 . 83C4 F8 ADD ESP,-8
00404C96 . 53 PUSH EBX
00404C97 . 56 PUSH ESI
00404C98 . 57 PUSH EDI
00404C99 . BF 38C6B800 MOV EDI,Skype.00B8C638
00404C9E . 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
00404CA1 . 85C0 TEST EAX,EAX
00404CA3 . 74 54 JE SHORT Skype.00404CF9
00404CA5 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00404CA7 . 33DB XOR EBX,EBX
00404CA9 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00404CAC . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404CAF . 33C0 XOR EAX,EAX
00404CB1 . 55 PUSH EBP
00404CB2 . 68 E54C4000 PUSH Skype.00404CE5
00404CB7 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00404CBA . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404CBD . 3BF3 CMP ESI,EBX
00404CBF . 7E 1A JLE SHORT Skype.00404CDB
00404CC1 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00404CC4 . 8B04D8 MOV EAX,DWORD PTR DS:[EAX+EBX*8]
00404CC7 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404CCA . 43 INC EBX
00404CCB . 895F 0C MOV DWORD PTR DS:[EDI+C],EBX
00404CCE . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00404CD2 . 74 03 JE SHORT Skype.00404CD7
00404CD4 . FF55 F8 CALL DWORD PTR SS:[EBP-8] ; // Call each init Func, 其中 00B75AF0 最关键,
00404CD7 > 3BF3 CMP ESI,EBX
00404CD9 .^ 7F E6 JG SHORT Skype.00404CC1
00404CDB > 33C0 XOR EAX,EAX
00404CDD . 5A POP EDX
00404CDE . 59 POP ECX
00404CDF . 59 POP ECX
00404CE0 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00404CE3 . EB 14 JMP SHORT Skype.00404CF9
00404CE5 .^ E9 3AF9FFFF JMP Skype.00404624
00404CEA . E8 31FFFFFF CALL Skype.00404C20
00404CEF . E8 08FDFFFF CALL Skype.004049FC
00404CF4 . E8 57FDFFFF CALL Skype.00404A50
00404CF9 > 5F POP EDI
00404CFA . 5E POP ESI
00404CFB . 5B POP EBX
00404CFC . 59 POP ECX
00404CFD . 59 POP ECX
00404CFE . 5D POP EBP
00404CFF . C3 RETN
检查调试器的两处, 下 CreateFileA, CreateFileW 断点, 很快就可以跟到, 不过它不检测OLLYDBG.
3. 最关键的一个 Init CALL 00B75AF0-00B75EB1
// 对 00724F70-00B70F70 (size 0044C000) 解码, 并解析第二份 IAT
// 第二份 IAT: 00A09F70-00A0A38C, size: 041C
// 00B75AF0 返回后, 内存中全是明文.
00B75AF0 /> /55 PUSH EBP
00B75AF1 |. |8BEC MOV EBP,ESP
00B75AF3 |. |83C4 A0 ADD ESP,-60
00B75AF6 |. |33C0 XOR EAX,EAX
00B75AF8 |. |8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00B75AFB |. |8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
00B75AFE |. |8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00B75B01 |. |8945 AC MOV DWORD PTR SS:[EBP-54],EAX
00B75B04 |. |33C0 XOR EAX,EAX
00B75B06 |. |55 PUSH EBP
00B75B07 |. |68 A75EB700 PUSH Skype.00B75EA7
00B75B0C |. |64:FF30 PUSH DWORD PTR FS:[EAX]
00B75B0F |. |64:8920 MOV DWORD PTR FS:[EAX],ESP
00B75B12 |. |A1 18BAB800 MOV EAX,DWORD PTR DS:[B8BA18]
00B75B17 |. |C700 09000000 MOV DWORD PTR DS:[EAX],9
00B75B1D |. |B8 287A5E00 MOV EAX,Skype.<ModuleEntryPoint>
00B75B22 |. |8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00B75B25 |. C745 D0 F4000000 MOV DWORD PTR SS:[EBP-30],0F4
00B75B2C |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B2F |. 50 PUSH EAX ; /pOldProtect
00B75B30 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00B75B32 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B35 |. 50 PUSH EAX ; |Size
00B75B36 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B39 |. 50 PUSH EAX ; |Address
00B75B3A |. E8 192789FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75B3F |. 85C0 TEST EAX,EAX
00B75B41 |. 75 0A JNZ SHORT Skype.00B75B4D
00B75B43 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B48 |. E8 2BFAFFFF CALL Skype.00B75578
00B75B4D |> 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00B75B50 |. 33C9 XOR ECX,ECX
00B75B52 |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00B75B55 |. E8 96DD88FF CALL Skype.004038F0 ; 将 OEP 处开始的一小段代码清 0, 防止解码后的 DUMP
00B75B5A |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B5D |. 50 PUSH EAX ; /pOldProtect
00B75B5E |. 6A 20 PUSH 20 ; |NewProtect = PAGE_EXECUTE_READ
00B75B60 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B63 |. 50 PUSH EAX ; |Size
00B75B64 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B67 |. 50 PUSH EAX ; |Address
00B75B68 |. E8 EB2689FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75B6D |. 85C0 TEST EAX,EAX
00B75B6F |. 75 0A JNZ SHORT Skype.00B75B7B
00B75B71 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B76 |. E8 FDF9FFFF CALL Skype.00B75578
00B75B7B |> C605 0C5FB800 01 MOV BYTE PTR DS:[B85F0C],1
00B75B82 |. 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
00B75B84 |. 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
00B75B89 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75B8E |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75B8F |. 6A 00 PUSH 0 ; |Address = NULL
00B75B91 |. E8 B22689FF CALL <JMP.&kernel32.VirtualAlloc> ; \VirtualAlloc, 分配 Memory 用来解码
00B75B96 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75B9B |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75BA2 |. 75 0A JNZ SHORT Skype.00B75BAE
00B75BA4 |. B8 D45EB700 MOV EAX,Skype.00B75ED4 ; ASCII "Not enough memory!"
00B75BA9 |. E8 CAF9FFFF CALL Skype.00B75578
00B75BAE |> B8 684F7200 MOV EAX,Skype.00724F68 ; 从这儿开始是解码的CODE, 很简单, 就一个XOR, 只是XOR的值是一直在变.
00B75BB3 |. BA 684F7200 MOV EDX,Skype.00724F68
00B75BB8 |. 0302 ADD EAX,DWORD PTR DS:[EDX]
00B75BBA |. 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
00B75BBD |. 33C0 XOR EAX,EAX
00B75BBF |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00B75BC2 |. E9 83000000 JMP Skype.00B75C4A
00B75BC7 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
...省略一些CODE
00B75C3B |. 8345 EC 71 ||ADD DWORD PTR SS:[EBP-14],71
00B75C3F |. FF45 E8 ||INC DWORD PTR SS:[EBP-18]
00B75C42 |. FF4D C8 ||DEC DWORD PTR SS:[EBP-38]
00B75C45 |.^ 75 D0 |\JNZ SHORT Skype.00B75C17
00B75C47 |> FF45 F8 |INC DWORD PTR SS:[EBP-8]
00B75C4A |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00B75C4D |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75C50 |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75C58 |.^ 0F87 69FFFFFF \JA Skype.00B75BC7 ; 解码的CODE到这儿为止
00B75C5E |. 33C0 XOR EAX,EAX ; 从这儿起开始解析一份内部的IAT
00B75C60 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00B75C63 |. 33C0 XOR EAX,EAX
00B75C65 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00B75C68 |. C745 E8 01000000 MOV DWORD PTR SS:[EBP-18],1
00B75C6F |> 8B45 E8 /MOV EAX,DWORD PTR SS:[EBP-18]
...省略一些CODE
00B75D51 |> 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00B75D54 |. 0145 DC |ADD DWORD PTR SS:[EBP-24],EAX
00B75D57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75D5A |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75D5D |. 8B0485 705FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F70]
00B75D64 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C]
00B75D6A |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
00B75D6D |. 8910 |MOV DWORD PTR DS:[EAX],EDX
00B75D6F |> FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75D72 |. 817D E8 09010000, |CMP DWORD PTR SS:[EBP-18],109
00B75D79 |.^ 0F85 F0FEFFFF \JNZ Skype.00B75C6F
00B75D7F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75D82 |. 50 PUSH EAX ; /pOldProtect
00B75D83 |. 6A 04 PUSH 4 ; |NewProtect = PAGE_READWRITE
00B75D85 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75D8A |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75D8B |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
00B75D8E |. 50 PUSH EAX ; |Address
00B75D8F |. E8 C42489FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75D94 |. 85C0 TEST EAX,EAX
00B75D96 |. 75 51 JNZ SHORT Skype.00B75DE9
00B75D98 |. 68 405FB700 PUSH Skype.00B75F40 ; ASCII "error 9920 ("
00B75D9D |. 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
00B75DA0 |. B2 08 MOV DL,8
00B75DA2 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60]
00B75DA7 |. E8 E09791FF CALL Skype.0048F58C
00B75DAC |. FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
00B75DAF |. 68 585FB700 PUSH Skype.00B75F58
00B75DB4 |. E8 572289FF CALL <JMP.&kernel32.GetLastError> ; GetLastError
00B75DB9 |. 33D2 XOR EDX,EDX
00B75DBB |. 52 PUSH EDX ; /Arg2 => 00000000
00B75DBC |. 50 PUSH EAX ; |Arg1
00B75DBD |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] ; |
00B75DC0 |. E8 9B5189FF CALL Skype.0040AF60 ; \Skype.0040AF60
00B75DC5 |. FF75 A0 PUSH DWORD PTR SS:[EBP-60]
00B75DC8 |. 68 645FB700 PUSH Skype.00B75F64
00B75DCD |. 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00B75DD0 |. BA 05000000 MOV EDX,5
00B75DD5 |. E8 52F688FF CALL Skype.0040542C
00B75DDA |. 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00B75DDD |. E8 46468CFF CALL Skype.0043A428
00B75DE2 |. 6A 00 PUSH 0 ; /ExitCode = 0
00B75DE4 |. E8 172189FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00B75DE9 |> 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00B75DEC |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C]
00B75DF1 |. 8B0D 605FB800 MOV ECX,DWORD PTR DS:[B85F60] ; Skype.0044C000
00B75DF7 |. E8 14D388FF CALL Skype.00403110 ;
00B75DFC |. 68 00800000 PUSH 8000 ; /FreeType = MEM_RELEASE
00B75E01 |. 6A 00 PUSH 0 ; |Size = 0
00B75E03 |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C] ; |
00B75E08 |. 50 PUSH EAX ; |Address => NULL
00B75E09 |. E8 422489FF CALL <JMP.&kernel32.VirtualFree> ; \VirtualFree
00B75E0E |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00B75E11 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75E16 |. 33C0 XOR EAX,EAX
00B75E18 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00B75E1B |> 8D45 FC /LEA EAX,DWORD PTR SS:[EBP-4]
00B75E1E |. 50 |PUSH EAX ; /pOldProtect
00B75E1F |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E22 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E25 |. 8B0485 205FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F20] ; |
00B75E2C |. 50 |PUSH EAX ; |NewProtect
00B75E2D |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E30 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E33 |. 8B0485 145FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F14] ; |
00B75E3A |. 50 |PUSH EAX ; |Size
00B75E3B |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E3E |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E41 |. 8B0485 105FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F10] ; |
00B75E48 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C] ; |
00B75E4E |. 50 |PUSH EAX ; |Address
00B75E4F |. E8 042489FF |CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75E54 |. FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75E57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75E5A |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75E5D |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75E65 |.^ 75 B4 \JNZ SHORT Skype.00B75E1B
00B75E67 |. A1 705FB800 MOV EAX,DWORD PTR DS:[B85F70]
00B75E6C |. 0305 4CE1B800 ADD EAX,DWORD PTR DS:[B8E14C]
00B75E72 |. 6A 00 PUSH 0
00B75E74 |. 6A 01 PUSH 1
00B75E76 |. FF35 4CE1B800 PUSH DWORD PTR DS:[B8E14C]
00B75E7C |. FFD0 CALL EAX
00B75E7E |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75E85 |. 75 05 JNZ SHORT Skype.00B75E8C
00B75E87 |. E8 3805A7FF CALL Skype.005E63C4
00B75E8C |> 33C0 XOR EAX,EAX
00B75E8E |. 5A POP EDX
00B75E8F |. 59 POP ECX
00B75E90 |. 59 POP ECX
00B75E91 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00B75E94 |. 68 AE5EB700 PUSH Skype.00B75EAE
00B75E99 |> 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00B75E9C |. BA 04000000 MOV EDX,4
00B75EA1 |. E8 FEF188FF CALL Skype.004050A4
00B75EA6 \. C3 RETN
00B75EA7 .^ E9 2CEA88FF JMP Skype.004048D8
00B75EAC .^ EB EB JMP SHORT Skype.00B75E99
00B75EAE . 8BE5 MOV ESP,EBP
00B75EB0 . 5D POP EBP
00B75EB1 . C3 RETN
整个过程用C写大致是:
VirtualProtect(OEP, size, PAGE_EXECUTE_READWRITE, &oldProtect);
memset(OEP, 0, size);
VirtualProtect(OEP, size, PAGE_EXECUTE_READ, &oldProtect);
pMem = VirtualAlloc(NULL, 0x44C000, MEM_COMMIT, PAGE_READWRITE);
value = 0X????;
for(i=0;i<SegNum;i++){
for(j=0;j<Segs[i].size;j+=4) {
offset = ....
pMem[offset] = pOrig[offset] ^ value;
value += xxxx;
}
}
for(i=0;i<num;i++) {
if (info[i].flags == xxx)
Handle = LoadLibrary(info[i].name);
else {
pProc = GetProcAddress(Handle, info[i].name)
offset = info[i].offset;
pMem[offset] = pProc;
}
}
VirtualProtect(pStart, 0x44C000, PAGE_READ_WRITE, &oldProtect);
memcpy(pStart, pMem, 0x44C000);
VirtualFree(pMem, 0, MEM_RELEASE);
for(i=0;i<SegNum;i++){
offset = ...
VirtualProtect(pStart+offset, sizexx, NewProtectxxxx, &oldProtect);
}
看看它的作用:
a.) 解码的时候清掉了OEP处的一小段代码清, 可防止解码后的简单 DUMP
b.) 调用了 VirtualProtect, 对这段 被解密的CODE 下的 memory write 断点不再起作用.
c.) 两份IAT, 第一份是标准的EXE的, 由 Loader 解析, 另一份由 自己在解码后 解析. 所以解码后, 即使内存中全是明文, DUMP 后, IAT 也不容易修复,
两份 IAT 在 memory 中相差很远, ImportRec 好象不行, 总不至于手工构造 引入表(I T) 吧?
|
安全中国首页 > 文章中心 > 反跟踪技术