MASM的反反汇编技术

时间:2021-11-09 01:14:03

reference:http://www.aogosoft.com/downpage.asp?mode=viewtext&id=54

由于汇编语言是与机器语言机器码一一对应的,所以程序的代码非常简洁,编译、链接程序不会在其中加入任何其它代码,所以,用Win32DASM等把汇编工具反汇编汇编语言写的程序,其列出的汇编代码几乎与编写的顺序、过程、代码一模一样,这也是汇编语言简洁的证据。
但是这种过于简洁的代码却给了破解者提供了方便,破解者只需要有一定的Windows SDK编程与汇编的经验,破解就非常简单,根本不需要用SoftICE这些动态工具就可以破解。于是,相应的防止跟踪的技术就出来了,比如花指令、不按规则调用API等等,今天就花指令和大家研究研究。
花指令,其实就是在程序中加入一些字节来干扰静态工具反汇编,毕竟汇编工具没有人的思维,所以这招非常好骗。

我在RadAsm中写入以下代码:

    .386
    .Model Flat, StdCall
    Option Casemap :None
;_____________________________________________________________

    Include windows.inc
    Include user32.inc
    Include kernel32.inc

    IncludeLib user32.lib
    IncludeLib kernel32.lib
;_____________________________________________________________

    .data
    Welcome db "欢迎来到汇编的世界",0
;_____________________________________________________________

    .CODE
START:
    invoke MessageBox,0,offset Welcome,0,0
    invoke ExitProcess,0
    END START

对应的反汇编程序:

00401000 >/$  6A 00         push    0                                ; /(initial cpu selection)
00401002  |.  6A 00         push    0                                ; |Title = NULL
00401004  |.  68 00304000   push    00403000                         ; |欢迎来到汇编的世界
00401009  |.  6A 00         push    0                                ; |hOwner = NULL
0040100B  |.  E8 08000000   call    <jmp.&user32.MessageBoxA>        ; \MessageBoxA
00401010  |.  6A 00         push    0                                ; /ExitCode = 0
00401012  \.  E8 07000000   call    <jmp.&kernel32.ExitProcess>      ; \ExitProcess
00401017      CC            int3
00401018   $- FF25 08204000 jmp     dword ptr [<&user32.MessageBoxA>>;  user32.MessageBoxA
0040101E   .- FF25 00204000 jmp     dword ptr [<&kernel32.ExitProces>;  kernel32.ExitProcess

修改code段代码为:

    .CODE
START:
    lea eax,Welcome
    invoke MessageBox,0,eax,0,0
    invoke ExitProcess,0
    END START

也就是说,我们并没有使用花指令,而是在使用字符串时先把字符串的地址传给eax,然后再把eax做为参数传给MessageBox,这样做,Win23DASM这些反汇编工具就无法识别了,好,用Win32DASM重新打开编译的文件,在[参考]菜单中,[字符串]这一项灰色显示,提示这个程序没有字符串,骗过它了!^_^

反汇编变成了这样:

00401000 >/$  8D05 00304000 lea     eax, dword ptr [403000]          ; /(initial cpu selection)
00401006  |?  6A 00         push    0
00401008  |?  6A 00         push    0
0040100A  |?  50            push    eax
0040100B  |.  6A 00         push    0                                ; \MessageBoxA
0040100D  |?  E8 08000000   call    <jmp.&user32.MessageBoxA>
00401012  \.  6A 00         push    0                                ; \ExitProcess
00401014   ?  E8 07000000   call    <jmp.&kernel32.ExitProcess>
00401019   ?  CC            int3
0040101A   ?- FF25 08204000 jmp     dword ptr [<&user32.MessageBoxA>>;  user32.MessageBoxA
00401020   ?- FF25 00204000 jmp     dword ptr [<&kernel32.ExitProces>;  kernel32.ExitProcess

还有就是使用花指令,花指令不但可以使反汇编工具无法识别出字符串,更会让它们把汇编出错误的代码,花指令一般都是使用一些无用的字节来进行干扰,但是干扰反汇编的字节仍是可以使用的,像这样子:

    .data
    
    Welcome db "你是不是在搞笑哦!",0
;_____________________________________________________________

    .CODE
START:
    jz @F
    jnz @F
    www db "欢迎来到汇编世界",0
  @@:
    lea eax,www
    lea ebx,Welcome
    invoke MessageBox,0,eax,ebx,0
    invoke ExitProcess,0
    END START

反汇编后:

00401000 > $ /74 13         je      short 00401015
00401002   . |75 11         jnz     short 00401015
00401004   . |BB B6D3ADC0   mov     ebx, C0ADD3B6
00401009   . |B4 B5         mov     ah, 0B5
0040100B   . |BD BBE3B1E0   mov     ebp, E0B1E3BB
00401010   . |CA C0BD       retf    0BDC0
00401013   . |E7 00         out     0, eax
00401015   > \8D05 04104000 lea     eax, dword ptr [401004]
0040101B   .  8D1D 00304000 lea     ebx, dword ptr [403000]
00401021   .  6A 00         push    0                                ; /Style = MB_OK|MB_APPLMODAL
00401023   .  53            push    ebx                              ; |Title => "你是",B2,"",BB,"是在",B8,"阈",A6,"?,B6,"?,A1,""
00401024   .  50            push    eax                              ; |Text => ""BB,"",B6,"?,AD,"?,B4,"?,BD,"",BB,"惚嗍?,BD,"?
00401025   .  6A 00         push    0                                ; |hOwner = NULL
00401027   .  E8 08000000   call    <jmp.&user32.MessageBoxA>        ; \MessageBoxA
0040102C   .  6A 00         push    0                                ; /ExitCode = 0
0040102E   .  E8 07000000   call    <jmp.&kernel32.ExitProcess>      ; \ExitProcess
00401033      CC            int3
00401034   $- FF25 08204000 jmp     dword ptr [<&user32.MessageBoxA>>;  user32.MessageBoxA
0040103A   .- FF25 00204000 jmp     dword ptr [<&kernel32.ExitProces>;  kernel32.ExitProcess

感觉还是有些明显,我们手动调用API来试试。

 

    .data
    
    Welcome db "你是不是在搞笑哦!",0
;_____________________________________________________________

    .CODE
START:
    lea eax,Welcome
    push 0
    push 0
    push eax
    push 0
    jz @F
    jnz @F
    www db "欢迎来到汇编世界",0
  @@:
    call [MessageBox]
    invoke ExitProcess,0
    END START

反汇编后:

00401000 > $  8D05 00304000 lea     eax, dword ptr [403000]          ;  (initial cpu selection)
00401006   ?  6A 00         push    0
00401008   ?  6A 00         push    0
0040100A   ?  50            push    eax
0040100B   .  6A 00         push    0
0040100D   ?  74 13         je      short 00401022
0040100F   ?  75 11         jnz     short 00401022
00401011   ?  BB B6D3ADC0   mov     ebx, C0ADD3B6
00401016   ?  B4 B5         mov     ah, 0B5
00401018   ?  BD BBE3B1E0   mov     ebp, E0B1E3BB
0040101D   ?  CA C0BD       retf    0BDC0
00401020   ?  E7 00         out     0, eax
00401022   ?  E8 07000000   call    <jmp.&user32.MessageBoxA>
00401027   .  6A 00         push    0                                ; \MessageBoxA
00401029   ?  E8 06000000   call    <jmp.&kernel32.ExitProcess>
0040102E   .- FF25 08204000 jmp     dword ptr [<&user32.MessageBoxA>>; \ExitProcess
00401034   $- FF25 00204000 jmp     dword ptr [<&kernel32.ExitProces>;  kernel32.ExitProcess

用OD调试的时候感觉到有不习惯的了。

 

 

下面是一个完整的示例:

    ;=================
;完整API花指令示例:
    ;=================
    .386
    .Model Flat, StdCall
    Option Casemap :None   ; 不区分大小写(对API与API常数无效)
    ;_____________________________________________________________
    Include windows.inc
    Include user32.inc
    Include kernel32.inc

    IncludeLib user32.lib
    IncludeLib kernel32.lib
    .CODE
START:
    push 0
    push 0
    push offset Welcome
    push 0
    jz @F
    jnz @F
    Welcome db "Welcome",0   
@@:
    mov eax,[MessageBox+4]
    sub eax,4
    jnz @F
    Welcome1 db "Welcome",0   
@@:
    call eax
    invoke ExitProcess,0
    END START

反汇编代码:

00401000 > $  6A 00         push    0
00401002   .  6A 00         push    0
00401004   .  68 0F104000   push    0040100F
00401009   .  6A 00         push    0
0040100B   .  74 0A         je      short 00401017
0040100D   .  75 08         jnz     short 00401017
0040100F   .  57            push    edi
00401010   .  65:6C         ins     byte ptr es:[edi], dx
00401012   .  636F 6D       arpl    word ptr [edi+6D], bp
00401015      65            db      65                               ;  CHAR 'e'
00401016      00            db      00
00401017   .  B8 36104000   mov     eax, 00401036
0040101C   .  83E8 04       sub     eax, 4
0040101F   .  75 08         jnz     short 00401029
00401021   .  57            push    edi
00401022   .  65:6C         ins     byte ptr es:[edi], dx
00401024   .  636F 6D       arpl    word ptr [edi+6D], bp
00401027      65            db      65                               ;  CHAR 'e'
00401028      00            db      00
00401029   .  FFD0          call    eax
0040102B   .  6A 00         push    0                                ; /ExitCode = 0
0040102D   .  E8 06000000   call    <jmp.&kernel32.ExitProcess>      ; \ExitProcess
00401032   .- FF25 08204000 jmp     dword ptr [<&user32.MessageBoxA>>;  user32.MessageBoxA
00401038   .- FF25 00204000 jmp     dword ptr [<&kernel32.ExitProces>;  kernel32.ExitProcess

惨不忍睹,删除模块分析后

00401000 >  6A 00           push    0
00401002    6A 00           push    0
00401004    68 0F104000     push    0040100F                         ; ASCII "Welcome"
00401009    6A 00           push    0
0040100B    74 0A           je      short 00401017
0040100D    75 08           jnz     short 00401017
0040100F    57              push    edi
00401010    65:6C           ins     byte ptr es:[edi], dx
00401012    636F 6D         arpl    word ptr [edi+6D], bp
00401015    65:00B8 3610400>add     byte ptr gs:[eax+401036], bh
0040101C    83E8 04         sub     eax, 4
0040101F    75 08           jnz     short 00401029
00401021    57              push    edi
00401022    65:6C           ins     byte ptr es:[edi], dx
00401024    636F 6D         arpl    word ptr [edi+6D], bp
00401027    65:00FF         add     bh, bh
0040102A    D06A 00         shr     byte ptr [edx], 1
0040102D    E8 06000000     call    <jmp.&kernel32.ExitProcess>
00401032  - FF25 08204000   jmp     dword ptr [<&user32.MessageBoxA>>; user32.MessageBoxA
00401038  - FF25 00204000   jmp     dword ptr [<&kernel32.ExitProces>; kernel32.ExitProcess

感觉没多大变化,看来,花指令会让人发晕的。