附程序源码,有很多地方需要改进
下载地址:
http://forum.wrsky.com/viewthread.php?tid=2917&fpage=1
{pe花指令加密,参考 fi7ke 的 PE花指令加密一文
Author:hnxyy QQ:19026695 2005.11.24
说明:以VC++6的花指令为例说明
//VC++6外衣 1
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00);
//VC++6外衣 2
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);
1.直接将入口地址赋给寄存器eax,然后jmp eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
2. 直接跳转到入口地址
00469124 - E9 07B9FEFF jmp Project1.00454A30
两种效果实际上是一样的,但我们为了方便修改花指令跳转到原来的入口地址,通常取得原
pe header的AddressOfEntryPoint,然后给寄存器eax保存改值,所以第二种方法就不太方便,
所以一般采用第一种方法,JMPOFF为花指令代码到跳转指令的偏移,如对Visual C++的花指令
JMPOFF=54,其后免跟的是原入口地址,可以随便填写,程序加花指令是会自动修改,一般可以
默认设为00104000(即00401000).
通过汇编修改花指令跳转原入口地址的语句:
asm //这里说明一下,这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西,比内存更快,以提高效率
PUSHAD
LEA eax, OEPCODE //将OEPCODE的地址交给寄存器
ADD eax, JMPOFF //添加JMPOFF值给寄存器
MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边
MOV DWORD ptr [eax], edx //同上
POPAD
end;
}
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls, ShellAPI;
type
TForm1 = class(TForm)
Label1: TLabel;
Edit1: TEdit;
Button1: TButton;
RadioGroup1: TRadioGroup;
Label2: TLabel;
Edit2: TEdit;
Label3: TLabel;
Edit3: TEdit;
CheckBox1: TCheckBox;
Button2: TButton;
Label5: TLabel;
OpenDialog1: TOpenDialog;
Label4: TLabel;
procedure Button1Click(Sender: TObject);
procedure obtain;
procedure Button2Click(Sender: TObject);
procedure Label4Click(Sender: TObject);
procedure Edit3KeyPress(Sender: TObject; var Key: Char);
private
{ Private declarations }
FImageBase: DWORD;
procedure SetOepCode;
public
{ Public declarations }
end;
THEAD = array[0..63] of byte;
var
Form1: TForm1;
const
{MYSECTION = 'Fi7ke'; //添加的节名,自定义
JMPOFF = 43; //花指令的机器码,Ollydbg加载后随便取
//Microsoft Visual C++
OEPCODE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38,
$90, $0D, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89,
$25, $00, $00, $00, $00, $58, $64, $A3, $00, $00, $00, $00,
$58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00); }
//Nothing found * one
OEPCODEONE: THEAD =
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
