介紹如何手動清除花指令，供大家參考

我見到的一個比較花的花指令。
介紹如何手動清除花指令，供大家參考

某程式W32DASM編譯後如下：
:10001000 55 push ebp
:10001001 8BEC mov ebp, esp
:10001003 81EC10030000 sub esp, 00000310
:10001009 53 push ebx
:1000100A 56 push esi
:1000100B 57 push edi
:1000100C 780D js 1000101B
:1000100E 87ED xchg ebp, ebp ;==nop
:10001010 7704 ja 10001016
:10001012 87DB xchg ebx, ebx ;==nop
:10001014 7400 je 10001016
:10001016 7008 jo 10001020----\
:10001018 90 nop |==jmp 10001020
:10001019 7105 jno 10001020---/
:1000101B 7700 ja 1000101D ;==nop
:1000101D EBEF jmp 1000100E
:1000101F 86EB xchg bl, ch-----> 這裡被花了也就是說1000100C--1000101F都要nop掉
:10001021 07 pop es

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001029(U)
|
:10001022 8BDB mov ebx, ebx
:10001024 7006 jo 1000102C
:10001026 90 nop
:10001027 7103 jno 1000102C
:10001029 EBF7 jmp 10001022
:1000102B D86804 fsubr dword ptr [eax+04]
:1000102E 0100 add dword ptr [eax], eax
:10001030 008D85FCFEFF add byte ptr [ebp+FFFEFC85], cl
:10001036 FF508B call [eax-75]
:10001039 4D dec ebp
:1000103A 0851FF or byte ptr [ecx-01], dl
:1000103D 1598710910 adc eax, 10097198

改一下，再W32DASM編譯顯示如下：
:10001000 55 push ebp
:10001001 8BEC mov ebp, esp
:10001003 81EC10030000 sub esp, 00000310
:10001009 53 push ebx
:1000100A 56 push esi
:1000100B 57 push edi
:1000100E 90 nop
:1000100F 90 nop
:10001010 90 nop
:10001011 90 nop
:10001012 90 nop
:10001013 90 nop
:10001014 90 nop
:10001015 90 nop
:10001016 90 nop
:10001017 90 nop
:10001018 90 nop
:10001019 90 nop
:1000101A 90 nop
:1000101B 90 nop
:1000101C 90 nop
:1000101D 90 nop
:1000101E 90 nop
:1000101F 90 nop
:10001020 EB07 jmp 10001029<---------------暈，這也是花指令的一部分

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001029(U)
|
:10001022 8BDB mov ebx, ebx<------------==nop
:10001024 7006 jo 1000102C----\
:10001026 90 nop |==jmp 1000102C
:10001027 7103 jno 1000102C---/

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001020(U)
|
:10001029 EBF7 jmp 10001022<--------------還要跳
:1000102B D86804 fsubr dword ptr [eax+04]<------這裡是真正被花的地方
:1000102E 0100 add dword ptr [eax], eax
:10001030 008D85FCFEFF add byte ptr [ebp+FFFEFC85], cl
:10001036 FF508B call [eax-75]
:10001039 4D dec ebp
:1000103A 0851FF or byte ptr [ecx-01], dl
:1000103D 1598710910 adc eax, 10097198

把10001020----1000102B 全部nop掉，再編譯

:10001000 55 push ebp
:10001001 8BEC mov ebp, esp
:10001003 81EC10030000 sub esp, 00000310
:10001009 53 push ebx
:1000100A 56 push esi
:1000100B 57 push edi
:1000100C 90 nop
:1000100D 90 nop
:1000100E 90 nop
:1000100F 90 nop
:10001010 90 nop
:10001011 90 nop
:10001012 90 nop
:10001013 90 nop
:10001014 90 nop
:10001015 90 nop
:10001016 90 nop
:10001017 90 nop
:10001018 90 nop
:10001019 90 nop
:1000101A 90 nop
:1000101B 90 nop
:1000101C 90 nop
:1000101D 90 nop
:1000101E 90 nop
:1000101F 90 nop
:10001020 90 nop
:10001021 90 nop
:10001022 90 nop
:10001023 90 nop
:10001024 90 nop
:10001025 90 nop
:10001026 90 nop
:10001027 90 nop
:10001028 90 nop
:10001029 90 nop
:1000102A 90 nop
:1000102B 90 nop
:1000102C 6804010000 push 00000104
:10001031 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:10001037 50 push eax
:10001038 8B4D08 mov ecx, dword ptr [ebp+08]
:1000103B 51 push ecx

* Reference To: KERNEL32.GetModuleFileNameA, Ord:00FCh
|
:1000103C FF1598710910 Call dword ptr [10097198]

整理這個Call
:10001000 55 push ebp
:10001001 8BEC mov ebp, esp
:10001003 81EC10030000 sub esp, 00000310
:10001009 53 push ebx
:1000100A 56 push esi
:1000100B 57 push edi
:1000102C 6804010000 push 00000104
:10001031 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:10001037 50 push eax
:10001038 8B4D08 mov ecx, dword ptr [ebp+08]
:1000103B 51 push ecx

* Reference To: KERNEL32.GetModuleFileNameA, Ord:00FCh
|
:1000103C FF1598710910 Call dword ptr [10097198]

1000100C--1000102B，32個位元組，全部是干擾程式碼，把他們全nop掉我們看到了一個API函式，不容易呀:)
希望透過這個例子你能真正學會如何去除花指令:-)

ZMWorm[CCG]

介紹如何手動清除花指令，供大家參考

相關文章