实现调用加壳的外壳中的子程序的一点见解

<P class=MsoNormal><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加壳往往是实现对原</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的节数据加密、压缩，若能加壳的同时，让加壳后的程序调用壳中的某些子程序，那加壳强度大大增加。这样处理后，即使脱掉了壳，程序执行也肯定不正常，因为脱壳的同时也将这些子程序脱掉了！</SPAN><SPAN lang=EN-US> </SPAN></P>
& `, U1 U4 @5 m4 b& Q9 ^<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">怎样实现呢？作为探讨性的介绍，还是搞一个最基本的来说（假设现在您已经会写</SPAN><SPAN lang=EN-US>PE-exe</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN lang=EN-US>PE-dll</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加壳程序）：</SPAN><SPAN lang=EN-US> </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">我的实现是这样的：作为一个</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件，多多少少程序中会有</SPAN><SPAN lang=EN-US>mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US>mov eax,0</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的语句，就是从这里开刀，因为</SPAN><SPAN lang=EN-US>mov eax,xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">这样的指令长度正好与</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">指令的长度一样，处理起来相对简单。在加壳程序加壳时，查找这些语句统统换成：</SPAN><SPAN lang=EN-US> </SPAN></P>
2 m* e. Y$ L  H<P class=MsoNormal><SPAN lang=EN-US>call shellSub </SPAN></P>
9 f; Z/ |' d" G/ G! x& \0 I0 n<P class=MsoNormal><SPAN lang=EN-US>// </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US>shellSub</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">实现如下：</SPAN><SPAN lang=EN-US> </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US>shellSub() </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US>{ </SPAN></P>
; |( V3 M7 m# r! l+ Y1 b5 n, B<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>mov eax,1 </SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US> mov eax,0 </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US>} </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">当然，这里有个问题是怎样计算这个</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">，其实想一想也很简单，加壳时候我们已经计算出了外壳程序的入口</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">，只要以这个</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">为基准，就可以得到</SPAN><SPAN lang=EN-US>:(shellSub</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)-(mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的差值，这个差值再减去</SPAN><SPAN lang=EN-US>5</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">（</SPAN><SPAN lang=EN-US>Call</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的指令长度）就是</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">。</SPAN><SPAN lang=EN-US> </SPAN></P>
% H9 h; M; B# z* ]* z; }* X<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">这里仅仅抛砖引玉的介绍了最基本的方法，其实通过变化，可以对原程序的很多特定语句实现改成调用外壳中不同的</SPAN><SPAN lang=EN-US>sub</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">，大大增加了外壳的保密强度。</SPAN><SPAN lang=EN-US> </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">这样处理后，可想而知，脱壳后的运行情况：</SPAN><SPAN lang=EN-US>Windows</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">错误，某个地址不能为读或写。。呵呵，要的就是这个效果！！！</SPAN><SPAN lang=EN-US> </SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">错误之处，恳请各位高手指正！</SPAN><SPAN lang=EN-US> </SPAN></P>