Surrurality (1) - Flower Directive

zhaozj  2021-02-11

There is a spear.

So we want to discuss encryption technology.

We know that all compiled languages, such as VC, BCB, Delphi and Win32ASM, ultimately turn source code into 0s and 1s, and those 0s and 1s can in turn be disassembled back into assembly code. What is disassembly good for? Think about it: you have worked hard to write a perfect piece of software and are getting ready to sell a million copies, when suddenly a flood of imitations appears on the market... Heh, I don't know about you, but I would want to cry without tears. Here is another situation: your software is licensed by registration code, and each license sells for 30 dollars. Just as you are considering a vacation in California or Hawaii, your software gets cracked, and you get nothing... (Ah! I want to jump off a building!!)

So we will discuss how to protect your own program. This time we cover the simplest technique: junk code, known in Chinese sources as "flower instructions".

Before explaining what junk code is, let's do a few small experiments.

First write a program named hua.asm with the following content:

```asm
; ***********************************************************************
; junk code experiment 1
; author: Luo Cong
; date: 2002-8-21
; ***********************************************************************
.386
.MODEL flat, stdcall
option casemap: none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib

.data
szText    db "Hey, this is a flower instruction program ...", 0
szCaption db "Flower Directive Demo BY LC 2002-8-21", 0

.code
main:
    jmp do_it
do_it:
    invoke MessageBox, NULL, addr szText, addr szCaption, MB_OK
    invoke ExitProcess, 0
end main
```

Then disassemble it with W32DASM v10. The result is as follows (for space, only the key part is listed):

```
//******************** Start of code in object .text ********************
Program Entry Point = 00401000 (hua.exe File Offset:00001600)

//******************** Program Entry Point ********
:00401000 EB00                    jmp 00401002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401000(U)
|
:00401002 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Flower Directive Demo BY LC 2002-8-21"
                                  |
:00401004 681F304000              push 0040301F

* Possible StringData Ref from Data Obj ->"Hey, this is a flower instruction program ..."
                                  |
:00401009 6800304000              push 00403000
:0040100E 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401010 E80D000000              Call 00401022
:00401015 6A00                    push 00000000

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:00401017 E800000000              Call 0040101C
```

"Wow, that's remarkable!" you may say. The disassembled code corresponds almost one-to-one with the source. So what secrets can our programs keep? Anyone can work out the program's functionality from the disassembly.

And in W32DASM's "String Data References" we can also see:

"Hey, this is a flower instruction program ..."
"Flower Directive Demo BY LC 2002-8-21"

Make a slight change to the source program for the second experiment:

```asm
; ***********************************************************************
; junk code experiment 2
; author: Luo Cong
; date: 2002-8-21
; ***********************************************************************
.386
.MODEL flat, stdcall
option casemap: none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib

.data
szText    db "Hey, this is a flower instruction program ...", 0
szCaption db "Flower Directive Demo BY LC 2002-8-21", 0

.code
main:
    jz  do_it    ; note the difference from the source program in experiment 1
    jnz do_it    ; note the difference from the source program in experiment 1
do_it:
    invoke MessageBox, NULL, addr szText, addr szCaption, MB_OK
end main
```

Disassembling with W32DASM:

```
//******************** Start of code in object .text ********************
Program Entry Point = 00401000 (hua.exe File Offset:00001600)

//******************** Program Entry Point ********
:00401000 7402                    je 00401004
:00401002 7500                    jne 00401004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401000(C), :00401002(C)
|
:00401004 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Flower Directive Demo BY LC 2002-8-21"
                                  |
:00401006 681F304000              push 0040301F

* Possible StringData Ref from Data Obj ->"Hey, this is a flower instruction program ..."
                                  |
:0040100B 6800304000              push 00403000
:00401010 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401012 E801000000              Call 00401018
```

As you can see, W32DASM's disassembly is still correct at this point. But W32DASM is already stepping into the "trap" we are setting up.

Now the third experiment; change the source program again:

```asm
; ***********************************************************************
; junk code experiment 3
; author: Luo Cong
; date: 2002-8-21
; ***********************************************************************
.386
.MODEL flat, stdcall
option casemap: none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib

.data
szText    db "Hey, this is a flower instruction program ...", 0
szCaption db "Flower Directive Demo BY LC 2002-8-21", 0

.code
main:
    jz  do_it    ; note the difference from the source program in experiment 1
    jnz do_it    ; note the difference from the source program in experiment 1
    db  0E8h     ; note the difference from the source program in experiment 2
do_it:
    invoke MessageBox, NULL, addr szText, addr szCaption, MB_OK
    invoke ExitProcess, 0
end main
```

Let's look at what W32DASM shows:

```
//******************** Start of code in object .text ********************
Program Entry Point = 00401000 (hua.exe File Offset:00001600)

//******************** Program Entry Point ********
:00401000 7403                    je 00401005
:00401002 7501                    jne 00401005
:00401004 E86A00681D              call 1DA81073
:00401009 304000                  xor byte ptr [eax+00], al

* Possible StringData Ref from Data Obj ->"Hey, this is a flower instruction program ..."
                                  |
:0040100C 6800304000              push 00403000
:00401011 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401013 E80E000000              Call 00401026
:00401018 6A00                    push 00000000

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040101A E801000000              Call 00401020
```

It is obvious that this time the bytes at 00401004-00401009 were disassembled wrongly, and when we view "String Data References" only one string remains:

"Hey, this is a flower instruction program ..."

Let's hide the information further with a fourth experiment:

```asm
; ***********************************************************************
; junk code experiment 4
; author: Luo Cong
; date: 2002-8-21
; ***********************************************************************
.386
.MODEL flat, stdcall
option casemap: none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/user32.lib

.data
szText    db "Hey, this is a flower instruction program ...", 0
szCaption db "Flower Directive Demo BY LC 2002-8-21", 0

.code
main:
    jz  do_it            ; note the difference from the source program in experiment 1
    jnz do_it            ; note the difference from the source program in experiment 1
    db  0E8h             ; note the difference from the source program in experiment 2
do_it:
    lea eax, szText      ; note the difference from the source program in experiment 3
    lea ebx, szCaption   ; note the difference from the source program in experiment 3
    invoke MessageBox, NULL, eax, ebx, MB_OK   ; note the difference from experiment 3
    invoke ExitProcess, 0
end main
```

Assemble it and disassemble with W32DASM again. The result is:

```
//******************** Start of code in object .text ********************
Program Entry Point = 00401000 (hua.exe File Offset:00001600)

//******************** Program Entry Point ********
:00401000 7403                    je 00401005
:00401002 7501                    jne 00401005
:00401004 E88D050030              call 30401596
:00401009 40                      inc eax
:0040100A 008D1D1D3040            add byte ptr [ebp+40301D1D], cl
:00401010 006A00                  add byte ptr [edx+00], ch
:00401013 53                      push ebx
:00401014 50                      push eax
:00401015 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:00401017 E80E000000              Call 0040102A
:0040101C 6A00                    push 00000000

* Reference To: KERNEL32.ExitProcess, Ord:0075h
                                  |
:0040101E E801000000              Call 00401024
```

Heh, this time not only is the listing unrecognizable, but the "String Data References" button has turned gray. Not a trace is left.

Did you see the trick? Junk code is really just the construction of some "traps" out of useless bytes. Take the second experiment: isn't

```asm
    jz  do_it
    jnz do_it
```

exactly the same as `jmp do_it`? (If you wrote this on a final exam you would be marked wrong...) Yes, the function and logic of the original program are unchanged; we only changed the form of expression. But disassembly tools are not that smart: they routinely misunderstand such instructions and therefore determine the starting position of the following instruction incorrectly. In experiment 3 the lone 0E8h byte is never executed, because both branches jump over it, yet the disassembler, scanning linearly, reads it as the opcode of a five-byte CALL and swallows the next four real bytes as its operand, so every instruction after it is decoded from the wrong offset.

There are many ways to achieve this unconditional jump in disguise, for example:

```asm
    push offset do_it
    ret
```

Junk code is easy to understand, but a word of caution: don't abuse it. Used to confuse crackers and hide information it is fine; otherwise I am afraid you will be the one confused when you have to maintain the code, heh...
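To make the failure mode concrete, here is an added example (my own code, not from the original post and not W32DASM's logic) that decodes a tiny subset of x86-32 in two ways: a linear sweep, which is how the W32DASM listing above was produced, and a flow-following decode that recognises a `jcc X` / `jncc X` pair as an unconditional jump and therefore never decodes the unreachable junk byte. The byte string is constructed to match the layout of experiment 3; the thunk addresses 00401026 and 00401020 lie outside the buffer and are simply not followed.

```python
"""Linear-sweep vs flow-following disassembly of an x86-32 subset (added example)."""
import struct

BASE = 0x00401000

# Constructed to match the byte layout of experiment 3 on the page:
# jz do_it ; jnz do_it ; db 0E8h ; do_it: push 0 ; push szCaption ; push szText ;
# push 0 ; call MessageBoxA ; push 0 ; call ExitProcess
EXPERIMENT3 = bytes.fromhex(
    "7403"        # 00401000  jz  00401005
    "7501"        # 00401002  jnz 00401005
    "E8"          # 00401004  junk byte, never executed
    "6A00"        # 00401005  push 0
    "681D304000"  # 00401007  push 0040301D (szCaption)
    "6800304000"  # 0040100C  push 00403000 (szText)
    "6A00"        # 00401011  push 0
    "E80E000000"  # 00401013  call 00401026 (MessageBoxA thunk)
    "6A00"        # 00401018  push 0
    "E801000000"  # 0040101A  call 00401020 (ExitProcess thunk)
)

COMPLEMENT = {0x74: 0x75, 0x75: 0x74}   # jz <-> jnz


def modrm_len(b):
    """Bytes used by a ModRM byte plus its SIB/displacement (common cases only)."""
    mod, rm = b >> 6, b & 7
    n = 1 + (1 if mod != 3 and rm == 4 else 0)      # SIB present?
    if mod == 1:
        n += 1
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4
    return n


def decode(code, off):
    """Decode one instruction; returns (length, text, kind, branch_target)."""
    op, addr = code[off], BASE + off
    if op == 0xEB:                                   # jmp rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, f"jmp {addr + 2 + rel:#x}", "jmp", addr + 2 + rel
    if op in COMPLEMENT:                             # jz / jnz rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        name = "jz" if op == 0x74 else "jnz"
        return 2, f"{name} {addr + 2 + rel:#x}", "jcc", addr + 2 + rel
    if op == 0xE8:                                   # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        tgt = (addr + 5 + rel) & 0xFFFFFFFF
        return 5, f"call {tgt:#x}", "call", tgt
    if op == 0x6A:                                   # push imm8
        return 2, f"push {code[off + 1]:#x}", None, None
    if op == 0x68:                                   # push imm32
        return 5, f"push {struct.unpack_from('<I', code, off + 1)[0]:#x}", None, None
    if op == 0x30:                                   # xor r/m8, r8
        return 1 + modrm_len(code[off + 1]), "xor r/m8, r8", None, None
    if op == 0xC3:
        return 1, "ret", "ret", None
    return 1, f"db {op:#04x}", None, None            # unknown: treat as data byte


def linear_sweep(code):
    """Decode sequentially from the entry point, as the page's W32DASM listing did."""
    out, off = {}, 0
    while off < len(code):
        n, text, _, _ = decode(code, off)
        out[BASE + off] = text
        off += n
    return out


def flow_follow(code):
    """Decode only reachable bytes; a jz X / jnz X pair is treated as jmp X."""
    out, work, seen = {}, [0], set()
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        n, text, kind, target = decode(code, off)
        out[BASE + off] = text
        if kind == "ret":
            continue
        if kind == "jcc":
            nxt = off + n
            if nxt + 1 < len(code) and code[nxt] == COMPLEMENT[code[off]]:
                n2, text2, _, target2 = decode(code, nxt)
                if target2 == target:            # opaque pair: fallthrough is unreachable
                    out[BASE + nxt], _ = text2, seen.add(nxt)
                    work.append(target - BASE)
                    continue
        if kind in ("jmp", "jcc", "call") and 0 <= target - BASE < len(code):
            work.append(target - BASE)
        if kind != "jmp":
            work.append(off + n)
    return out


if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(EXPERIMENT3)),
                           ("flow-following", flow_follow(EXPERIMENT3))):
        print(f"--- {title} ---")
        for addr in sorted(listing):
            print(f"{addr:08X}  {listing[addr]}")
```

Running it prints the bogus `call 0x1da81073` and `xor r/m8, r8` from the linear sweep, while the flow-following decode lists the real `push 0x40301d` / `push 0x403000` sequence and never emits anything at 00401004. Real disassemblers vary between these two strategies, which is why the same junk byte defeats one tool and not another.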

Please credit the original URL when reposting: https://www.9cbs.com/read-4883.html
