PEiD plugin: how Generic OEP Finder works
程序员文章站
2022-03-05 16:08:24
I have been using this small PEiD plugin for a long time. Its functionality is good and its accuracy is quite high; while writing my own packer I tried several times to evade its detection and never managed to. So I spent some time looking at how it is implemented, and only then did it all make sense.
Below is the plugin's top-level exported function:
10001870 ; Exported entry 1. DoMyJob
10001870
10001870 ; ************** S U B R O U T I N E *****************************************
10001870
10001870
10001870 public DoMyJob
10001870 DoMyJob proc near
10001870
10001870 hWnd = dword ptr 4
10001870 arg_4 = dword ptr 8
10001870 arg_8 = dword ptr 0Ch
10001870
10001870 mov eax, [esp+arg_8]
10001874 push ebx
10001875 push esi
10001876 cmp eax, 50456944h
1000187B push edi
1000187C jz short loc_10001889
1000187E cmp eax, 5852445Ah
10001883 jnz loc_10001A81
10001889
10001889 loc_10001889: ; ...
10001889 mov ebx, [esp+0Ch+arg_4]
1000188D or ecx, 0FFFFFFFFh
10001890 mov edi, ebx
10001892 xor eax, eax
10001894 repne scasb
10001896 not ecx
10001898 dec ecx
10001899 cmp ecx, 1
1000189C jnb short loc_100018BE
1000189E mov eax, [esp+0Ch+hWnd]
100018A2 push 40000h ; uType
100018A7 push offset szError ; lpCaption
100018AC push offset szNoFileSpecifie ; lpText
100018B1 push eax ; hWnd
100018B2 call ds:MessageBoxA
100018B8 pop edi
100018B9 pop esi
100018BA xor eax, eax
100018BC pop ebx
100018BD retn
100018BE ; ----------------------------------------------------------------------------
100018BE
100018BE loc_100018BE: ; ...
100018BE push 0 ; hTemplateFile
100018C0 push 80h ; dwFlagsAndAttributes
100018C5 push 3