Teach you step-by-step encryption and decryption technology--software Protection Technology (2) (1)

The second section of the reverse tracking technology 1, ANTI-DEBUG1. Meltice subtype Type: Detect SoftICE, TRW2000 platform: windows9x, Windows NT principle: Attempt to get Createfilea driver "_lopen" with SoftICE () or \\.\sice () function (windows9x version), "\\.\siwdebug", "\\.\ntice" (Windows NT version), "\\.\siwvid", and so on, if successful, indicates that the SoftICE resides in memory. 2. Vwin32_int41dispatch subtype Type: Detect SoftICE Platform: windows9x principle: Vwin32.vxd (its VxD ID is 0x002a) provides a VxD named Vwin32_int41dispatch Service (its service ID is 0x002a), which is used by the system kernel to communicate with system-level debuggers such as WinDbg, SoftICE, and so on. The 0x4f chant function is used to query whether the debugger has resided in memory and can handle protected-mode programs, and if so, the debugger should return 0xf386. 3. Send command type to SoftICE: Detect SoftICE Platform: windows9x, Windows NT principle: by debugging interrupt int 3 to send a command to SoftICE, where the SI and Di registers are fixed value 0x4647 ("FG") and 0x4a4d ("JM"). An ax holds a child function number, and a value of 0x0911 means that the SoftICE executes the command, at which point the DX points to a command string such as "HBOOT". Ax can also have other child function numbers, such as having SoftICE modify breakpoint settings. 4, BoundsChecker back door type: Detection SoftICE platform: windows9x, Windows NT principle: This is softice for the BoundsChecker left a public interface, the entry parameter EBP = 0x4243484b (that is, " Bchk "), AL = 4, if softice in memory, it should return al = 0. This method is generally combined with SEH (structural exception handling), otherwise it will cause illegal operation when SoftICE does not exist. 5. Icecream subtype Type: Detect SoftICE, TRW2000 platform: windows9x principle: The debugger resides and modifies the entry of int 1 and int 3, pointing to its own handler, so the entry high offset is different from other interrupts. All other interrupt entry high position offsets are the same. 6. INT 68h subtype Type: checkMeasuring SoftICE Platform: windows9x principle: MOV AH, 43hINT 68hCMP AX, 0f386h; detects whether this is set by the debugger 0F386HJZ softice_is_here7. Search feature String type: Detect SoftICE Platform: windows9x principle: Discover SoftICE by searching SoftICE's feature strings in memory, which is commonly used in conjunction with SEH to prevent errors in memory protection and cause the program to be terminated. This method is feasible in DOS. This method is limited because the address space of each ring 3 process in the operating system after WINDOWS95 is independent. For example, search for "winice.br" in memory. 8. Isdebuggerpresent subtype Type: Detect SoftICE Platform: Windows NT principle: Invoke Kernel32.dll output function isdebuggerpresent () to detect the existence of a debugger. This function can only check the debugger that uses the debug API to track a program, and cannot detect a system-level debugger such as SoftICE. 2, anti-static analysis 1. Dead Loop statement type: against the W32dasm platform: windows9x, Windows NT principle: The following is a dead loop that is intentionally inserted into a program, and may cause some versions of W32DASM to stop responding: 0401000 JMP 00401005 ... 00401005 JMP 00401000 Countermeasures: W32dasm into the dead cycle, with the bpx Hmempcy set off, came to the dead Loop code, out of the dead loop, or Ida to disassembly. 2. Flower instruction is an important method to deal with static analysis. The following is a compilation of source program: Start_: XOR eax,1 add eax,2 jmp label1 label1:xor eax,3 add eax,4 xor eax,5 end Start_ At this point the source program is compiled, and then the W32dasm Disassembly, the resulting disassembly result is completely normal. Then we modify the above source program as follows: Start_: XOR eax,1 add eax,2 jnz label1; Notice here, with two conditional jumps replaced: jmp label1 JZ Label1 db 0e8h; Note the difference between this useless byte and the source program Labe L1:xor eax,3 Add eax,4 xor eax,5 end Start_ then compile the source program, and then disassemble it with w32dasm to see the results of the disassembly: 00401000 83f001:00401003 83c002:00401006 7503:00401008 7401:0040100a e883f00383:0040100f C00483F0xor, 00000001add eax, 00000002jne 0040100Bje 0040100Bcall 83440092rol byte ptr [ebx+4*eax], F0 result is very surprising, will find that w32dasm disassembly of the results and written assembly instructions are not the same, The "real" function of the program has not been understood from the results of the disassembly, and w32dasm an unexpected answer. This is because the changes were made to make a mistake in W32dasm's disassembly effort. So why did w32dasm make such a mistake? The different machine instructions contain the same number of bytes, some single-byte instructions, and some multibyte commands. For multibyte instructions, the disassembly software needs to determine the starting position of the first byte of the instruction, which is the position of the opcode, so that the instruction can be disassembled correctly, otherwise it may be disassembled into another instruction. If you add some useless bytes to the program to interfere with the disassembly software's judgment, so that it can incorrectly determine the starting position of the instruction, it also achieves the purpose of interfering with the w32dasm disassembly work. Through the previous introduction, know that because "useless bytes" interfere with the w32dasm to the direction of the initial position of the decision, resulting in the disassembly of the error results, so if you can let w32dasm correctly identify the starting position of the instructions, also achieve the purpose of removing the flower instructions. For example, you can replace the useless bytes with single-byte instructions, and the most common alternative is to replace the useless bytes with the NOP instruction, which is hexadecimal number 90. 1 2 3 4 5 6 7 next page >> content navigation to force (0 votes) (0 Votes) nonsense (0 Votes) The professional (0 votes) The title party (0 Votes) passed (0 Votes) The original text: teach you step-by-step encryption and decryption technology--software Protection Technology (2) (1) Return to network security home