『第 18 楼』:
使用 LLM 解释/回答一下
终于遇到高手了,能否请楼上的看看下面的这个程序
它用的是编码还是其它什么方法.顺便回答我下面的问题
如果是编码,那么它是如何自解码的?
以下是一个延时程序,虽然从表面上看与那个毫无关联.
复制内容到剪贴板
代码:
Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=
0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6
T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?
pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz
LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk
_GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=
EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R
_OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?
dsmSQswDOR
0C1E:0139 3D0D0A CMP AX,0A0D
0C1E:013C 304478 XOR ,AL
0C1E:013F 46 INC SI
0C1E:0140 50 PUSH AX
0C1E:0141 2C30 SUB AL,30
0C1E:0143 58 POP AX
0C1E:0144 78EE JS 0134
0C1E:0146 7430 JZ 0178
0C1E:0148 50 PUSH AX
0C1E:0149 2C3D SUB AL,3D
0C1E:014B 58 POP AX
0C1E:014C 7407 JZ 0155
0C1E:014E 7302 JNB 0152
0C1E:0150 346F XOR AL,6F
0C1E:0152 40 INC AX
0C1E:0153 243F AND AL,3F
0C1E:0155 50 PUSH AX
0C1E:0156 49 DEC CX
0C1E:0157 79DB JNS 0134
0C1E:0159 205777 AND ,DL
0C1E:015C 58 POP AX
0C1E:015D 304777 XOR ,AL
0C1E:0160 55 PUSH BP
0C1E:0161 59 POP CX
0C1E:0162 205776 AND ,DL
0C1E:0165 C1 DB C1
0C1E:0166 6F DB 6F
0C1E:0167 7602 JBE 016B
0C1E:0169 58 POP AX
0C1E:016A 324776 XOR AL,
0C1E:016D 304578 XOR ,AL
0C1E:0170 47 INC DI
0C1E:0171 49 DEC CX
0C1E:0172 75EE JNZ 0162
0C1E:0174 74BC JZ 0132
我执行了二百遍,代码也未发生改变.
但用g 176时,结果就出来了.显示如下: (因为cs:0176永远都执行不到,程序根本不能从里面出去,所以这跟直接用g是没差别的)
MZP☺☺ ♦ P☺ @ É ⁿ╛ü ☼╢L f1╥f1└Ix
¼,0r¶< w►fk╥
f☺┬.╟♠/ 1 δΣ. &/ ♫ fi╥Φ♥ fë╤f┴Θ►┤å═§╕ L═! PE L☺☺ PyÑ6
α ☼☺♂☺♣♀ ☻ ~► ► @ ► ☻ ♦ ♦ ☻ ♥
► ► ► ► ► ►► (
► ► .text
▄ ► ☻ ☻ α
V► d► v► F► 8► ►
KERNEL32.dll V► d► v► ExitProcess GetCommandLineA Sleep
§♦►@ 1╥H@Ç8 t◄Ç8"u☻≈╥ ╥u∩Ç8 uΩ@ⁿë╞1╥1└└t#,0r§< w◄k╥
☺┬╟♣╔►@ ═►@ δΓ %╔►@ Ñ
►@ R ►@ j § ►@
这就是sleep.exe的镜像了.看到了吧,还有API呢.
这显然是用高级语言编写然后用了某种技术,使之成为纯文本.
不过程序并没退出,还会继续,不过要人干预,所以并没影响sleep.exe的使用.
出口就在cs:136上.再执行,就会进入到小于CS:100的地方去了,显然会出错.
这是一个标准的PE文件,反编译后能了解其内容.
0040107E: FF 15 04 10 40 00 CALL DWORD PTR ; GetCommandLineA
00401084: 31 D2 XOR EDX,EDX
00401086: 48 DEC EAX
00401087: 40 INC EAX
00401088: 80 38 00 CMP BYTE PTR ,00
0040108B: 74 11 JZ 0040109E
0040108D: 80 38 22 CMP BYTE PTR ,22
00401090: 75 02 JNZ 00401094
00401092: F7 D2 NOT EDX
00401094: 09 D2 OR EDX,EDX
00401096: 75 EF JNZ 00401087
00401098: 80 38 20 CMP BYTE PTR ,20
0040109B: 75 EA JNZ 00401087
0040109D: 40 INC EAX
0040109E: FC CLD
0040109F: 89 C6 MOV ESI,EAX
004010A1: 31 D2 XOR EDX,EDX
004010A3: 31 C0 XOR EAX,EAX
004010A5: AC LODS AL,BYTE PTR DS:
004010A6: 08 C0 OR AL,AL
004010A8: 74 23 JZ 004010CD
004010AA: 2C 30 SUB AL,30
004010AC: 72 15 JB 004010C3
004010AE: 3C 09 CMP AL,09
004010B0: 77 11 JNBE 004010C3
004010B2: 6B D2 0A IMUL EDX,EDX,0A
004010B5: 01 C2 ADD EDX,EAX
004010B7: C7 05 C9 10 40 00 CD 10 40 00 MOV DWORD PTR ,004010CD
004010C1: EB E2 JMP 004010A5
004010C3: FF 25 C9 10 40 00 JMP DWORD PTR
004010C9: A5 MOVS DWORD PTR DS:,DWORD PTR ES:
004010CA: 10 40 00 ADC ,AL
004010CD: 52 PUSH EDX
004010CE: FF 15 08 10 40 00 CALL DWORD PTR ; Sleep
004010D4: 6A 00 PUSH 00
004010D6: FF 15 00 10 40 00 CALL DWORD PTR ; ExitProcess
也能用工具看到他有exe文件的格式:
00000000 5A4D Signature: MZ
00000002 0150 Extra Bytes
00000004 0001 Pages
00000006 0000 Reloc Items
00000008 0004 Header Size
0000000A 0000 Min Alloc
0000000C FFFF Max Alloc
0000000E 0000 Initial SS
00000010 0150 Initial SP
00000012 0000 Check Sum
00000014 0000 Initial IP
00000016 0000 Initial CS
00000018 0040 Reloc Table
0000001A 0000 Overlay
00000090 00004550 Signature: PE
00000094 014C Machine: 014C=I386
00000096 0001 Number of Sections
00000098 36A57950 Time/Date Stamp
0000009C 00000000 Pointer to Symbol Table
000000A0 00000000 Number of Symbols
000000A4 00E0 Optional Header Size
000000A6 010F Characteristics
00000188 .text Section Name
00000190 000000DC Virtual Size
00000194 00001000 RVA/Offset
00000198 00000200 Size of Raw Data
0000019C 00000200 Pointer to Raw Data
000001A0 00000000 Pointer to Relocs
000001A4 00000000 Pointer to Line Numbers
000001A8 0000 Number of Relocs
000001AA 0000 Number of Line Numbers
000001AC E0000020 Section Flags (Writeable, Readable, Executable, Code)
不再怀疑它是一个正宗的PE文件了吧.
至于sleep.exe原理吗,很简单,看下面就知道了
00000000 ExitProcess
00000000 GetCommandLineA
00000000 Sleep
这三个都是kernel32.dll中的API,也就是说可以直接用高级汇编语言,比如win32asm调用.
我的问题是为什么虽然这个代码串是一个死循环,但程序依然能运行.在不出来的情况下执行了.并显示了上面的EXE镜象.
希望有汇编高手能给予解答.
Last edited by phai2003 on 2007-11-3 at 10:53 PM ]
Finally met an expert, can you please the person above take a look at the following program? It uses encoding or some other method. By the way, answer my following question. If it is encoding, then how does it self-decode?
The following is a delay program, although it seems irrelevant on the surface.
Copy content to clipboard
Code:
Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=
0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6
T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?
pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz
LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk
_GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=
EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R
_OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?
dsmSQswDOR
0C1E:0139 3D0D0A CMP AX,0A0D
0C1E:013C 304478 XOR ,AL
0C1E:013F 46 INC SI
0C1E:0140 50 PUSH AX
0C1E:0141 2C30 SUB AL,30
0C1E:0143 58 POP AX
0C1E:0144 78EE JS 0134
0C1E:0146 7430 JZ 0178
0C1E:0148 50 PUSH AX
0C1E:0149 2C3D SUB AL,3D
0C1E:014B 58 POP AX
0C1E:014C 7407 JZ 0155
0C1E:014E 7302 JNB 0152
0C1E:0150 346F XOR AL,6F
0C1E:0152 40 INC AX
0C1E:0153 243F AND AL,3F
0C1E:0155 50 PUSH AX
0C1E:0156 49 DEC CX
0C1E:0157 79DB JNS 0134
0C1E:0159 205777 AND ,DL
0C1E:015C 58 POP AX
0C1E:015D 304777 XOR ,AL
0C1E:0160 55 PUSH BP
0C1E:0161 59 POP CX
0C1E:0162 205776 AND ,DL
0C1E:0165 C1 DB C1
0C1E:0166 6F DB 6F
0C1E:0167 7602 JBE 016B
0C1E:0169 58 POP AX
0C1E:016A 324776 XOR AL,
0C1E:016D 304578 XOR ,AL
0C1E:0170 47 INC DI
0C1E:0171 49 DEC CX
0C1E:0172 75EE JNZ 0162
0C1E:0174 74BC JZ 0132
I executed it 200 times, and the code didn't change. But when using g 176, the result came out. The display is as follows: (Because cs:0176 is never executed, the program can't go out from there, so it's no different from directly using g)
MZP☺☺ ♦ P☺ @ É ⁿ╛ü ☼╢L f1╥f1└Ix
¼,0r¶< w►fk╥
f☺┬.╟♠/ 1 δΣ. &/ ♫ fi╥Φ♥ fë╤f┴Θ►┤å═§╕ L═! PE L☺☺ PyÑ6
α ☼☺♂☺♣♀ ☻ ~► ► @ ► ☻ ♦ ♦ ☻ ♥
► ► ► ► ► ►► (
► ► .text
▄ ► ☻ ☻ α
V► d► v► F► 8► ►
KERNEL32.dll V► d► v► ExitProcess GetCommandLineA Sleep
§♦►@ 1╥H@Ç8 t◄Ç8"u☻≈╥ ╥u∩Ç8 uΩ@ⁿë╞1╥1└└t#,0r§< w◄k╥
☺┬╟♣╔►@ ═►@ δΓ %╔►@ Ñ
►@ R ►@ j § ►@
This is the image of sleep.exe. See? There are also APIs.
This is obviously written with a high-level language and then using some technology to make it pure text.
However, the program doesn't exit and will continue, but it needs human intervention, so it doesn't affect the use of sleep.exe.
The exit is at cs:136. Executing again will enter the place less than CS:100, obviously making a mistake.
This is a standard PE file, and its content can be understood after decompilation.
0040107E: FF 15 04 10 40 00 CALL DWORD PTR ; GetCommandLineA
00401084: 31 D2 XOR EDX,EDX
00401086: 48 DEC EAX
00401087: 40 INC EAX
00401088: 80 38 00 CMP BYTE PTR ,00
0040108B: 74 11 JZ 0040109E
0040108D: 80 38 22 CMP BYTE PTR ,22
00401090: 75 02 JNZ 00401094
00401092: F7 D2 NOT EDX
00401094: 09 D2 OR EDX,EDX
00401096: 75 EF JNZ 00401087
00401098: 80 38 20 CMP BYTE PTR ,20
0040109B: 75 EA JNZ 00401087
0040109D: 40 INC EAX
0040109E: FC CLD
0040109F: 89 C6 MOV ESI,EAX
004010A1: 31 D2 XOR EDX,EDX
004010A3: 31 C0 XOR EAX,EAX
004010A5: AC LODS AL,BYTE PTR DS:
004010A6: 08 C0 OR AL,AL
004010A8: 74 23 JZ 004010CD
004010AA: 2C 30 SUB AL,30
004010AC: 72 15 JB 004010C3
004010AE: 3C 09 CMP AL,09
004010B0: 77 11 JNBE 004010C3
004010B2: 6B D2 0A IMUL EDX,EDX,0A
004010B5: 01 C2 ADD EDX,EAX
004010B7: C7 05 C9 10 40 00 CD 10 40 00 MOV DWORD PTR ,004010CD
004010C1: EB E2 JMP 004010A5
004010C3: FF 25 C9 10 40 00 JMP DWORD PTR
004010C9: A5 MOVS DWORD PTR DS:,DWORD PTR ES:
004010CA: 10 40 00 ADC ,AL
004010CD: 52 PUSH EDX
004010CE: FF 15 08 10 40 00 CALL DWORD PTR ; Sleep
004010D4: 6A 00 PUSH 00
004010D6: FF 15 00 10 40 00 CALL DWORD PTR ; ExitProcess
The format of the EXE file can also be seen with tools:
00000000 5A4D Signature: MZ
00000002 0150 Extra Bytes
00000004 0001 Pages
00000006 0000 Reloc Items
00000008 0004 Header Size
0000000A 0000 Min Alloc
0000000C FFFF Max Alloc
0000000E 0000 Initial SS
00000010 0150 Initial SP
00000012 0000 Check Sum
00000014 0000 Initial IP
00000016 0000 Initial CS
00000018 0040 Reloc Table
0000001A 0000 Overlay
00000090 00004550 Signature: PE
00000094 014C Machine: 014C=I386
00000096 0001 Number of Sections
00000098 36A57950 Time/Date Stamp
0000009C 00000000 Pointer to Symbol Table
000000A0 00000000 Number of Symbols
000000A4 00E0 Optional Header Size
000000A6 010F Characteristics
No longer doubt that it is a genuine PE file, right?
As for the principle of sleep.exe, it's very simple, see below
00000000 ExitProcess
00000000 GetCommandLineA
00000000 Sleep
These are all APIs in kernel32.dll, that is to say, high-level assembly languages such as win32asm can be directly used to call.
My question is why although this code string is a dead loop, the program can still run. It executed without coming out and displayed the above EXE image.
I hope assembly experts can give an answer.
Last edited by phai2003 on 2007-11-3 at 10:53 PM ]
|
