Title: A brief note on using IDC when analysing a packer
Author: Z_axis
Time: 20 January 2004, 11:21
Details:
Experts, please don't laugh.
There seem to be very few IDA posts here, heh.
Consider this a brick thrown out to draw some jade.
Below is a section of code from the start of brother linson's packer. There aren't many junk instructions, so I won't clean it up.
XJ:004040BC mov ecx, 0A88h
XJ:004040C1 lea edi, byte_401E5A[ebp]
XJ:004040C7 mov esi, edi
XJ:004040C9
XJ:004040C9 loc_4040C9: ; CODE XREF: XJ:004040FBj
XJ:004040C9 lodsb
XJ:004040CA stc
XJ:004040CB rol al, 42h
XJ:004040CE rol al, 42h
XJ:004040D1 jmp short loc_4040D4
XJ:004040D1 ; ---------------------------------------------------------------------------
XJ:004040D3 db 0E8h
XJ:004040D4 ; ---------------------------------------------------------------------------
XJ:004040D4
XJ:004040D4 loc_4040D4: ; CODE XREF: XJ:004040D1j
XJ:004040D4 ror al, 0E0h
XJ:004040D7 stc
XJ:004040D8 add al, 9Dh
XJ:004040DA add al, 5Dh
XJ:004040DC add al, cl
XJ:004040DE clc
XJ:004040DF jmp short loc_4040E2
XJ:004040DF ; ---------------------------------------------------------------------------
XJ:004040E1 db 0E9h
XJ:004040E2 ; ---------------------------------------------------------------------------
XJ:004040E2
XJ:004040E2 loc_4040E2: ; CODE XREF: XJ:004040DFj
XJ:004040E2 add al, cl
XJ:004040E4 rol al, 4Fh
XJ:004040E7 add al, cl
XJ:004040E9 xor al, 82h
XJ:004040EB sub al, 4Fh
XJ:004040ED clc
XJ:004040EE jmp short loc_4040F1
XJ:004040EE ; ---------------------------------------------------------------------------
XJ:004040F0 db 0E8h
XJ:004040F1 ; ---------------------------------------------------------------------------
XJ:004040F1
XJ:004040F1 loc_4040F1: ; CODE XREF: XJ:004040EEj
XJ:004040F1 jmp short loc_4040F4
XJ:004040F1 ; ---------------------------------------------------------------------------
XJ:004040F3 db 0C2h
XJ:004040F4 ; ---------------------------------------------------------------------------
XJ:004040F4
XJ:004040F4 loc_4040F4: ; CODE XREF: XJ:004040F1j
XJ:004040F4 add al, 0E2h
XJ:004040F6 jmp short loc_4040F9
XJ:004040F6 ; ---------------------------------------------------------------------------
XJ:004040F8 db 0C2h
XJ:004040F9 ; ---------------------------------------------------------------------------
XJ:004040F9
XJ:004040F9 loc_4040F9: ; CODE XREF: XJ:004040F6j
XJ:004040F9 clc
XJ:004040FA stosb
XJ:004040FB loop loc_4040C9
XJ:004040FD mov ebp, 55115115h
XJ:00404102 pushf
The loop above decodes the block at offset = 4040FD, size = A88.
In IDA: File - IDC file... and open des.idc
Shift+F2
Enter the command: des(0x4040FD,0xA88);
------des.idc------
// Replays the decode loop at loc_4040C9 over size bytes starting at from.
// i mirrors ecx (size down to 1); the loop adds cl, the low byte of ecx.
// The stc/clc in the loop only touch CF and have no effect on the result.
static des(from, size) {
    auto i, x;
    for (i = size; i > 0; i = i - 1) {
        x = Byte(from);
        x = rol(x, 0x42);
        x = rol(x, 0x42);
        x = ror(x, 0xE0);
        x = x + 0x9D;
        x = x + 0x5D;
        x = x + i;                  // add al, cl
        x = x + i;                  // add al, cl
        x = rol(x, 0x4F);
        x = x + i;                  // add al, cl
        x = x ^ 0x82;
        x = x - 0x4F;
        x = x + 0xE2;
        PatchByte(from, x & 0xFF);  // keep only al
        from = from + 1;
    }
}

// 8-bit rotate left. The count is reduced mod 8, as the CPU does for an
// 8-bit operand (0x42 -> 2, 0x4F -> 7).
static rol(source, time) {
    auto target, y, z;
    time = time % 8;
    target = source & 0xFF;
    y = target >> (8 - time);
    z = target << time;
    return (y | z) & 0xFF;
}

// 8-bit rotate right (0xE0 -> 0, so that rotate changes nothing).
static ror(source, time) {
    auto target, y, z;
    time = time % 8;
    target = source & 0xFF;
    y = target << (8 - time);
    z = target >> time;
    return (y | z) & 0xFF;
}
---------------------
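As an added example (not code from the original post), the same decode loop as a stand-alone Python model that can be checked offline: it makes the x86 8-bit rotate count handling explicit (count masked to 5 bits, then mod 8, which is why 0xE0 rotates by nothing), and it adds an inverse, encode(), which is an assumption introduced here purely so the decoder can be verified round-trip on a constructed buffer.

```python
def rol8(v, n):
    """8-bit ROL with x86 count handling: count & 0x1F, then mod 8."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF

def ror8(v, n):
    """8-bit ROR with the same count handling (0xE0 -> 0, a no-op)."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF

def decode_byte(x, cl):
    """One pass of loc_4040C9..loop; cl is the low byte of ecx (stc/clc omitted)."""
    x = rol8(x, 0x42)
    x = rol8(x, 0x42)
    x = ror8(x, 0xE0)
    x = (x + 0x9D) & 0xFF
    x = (x + 0x5D) & 0xFF
    x = (x + cl) & 0xFF        # add al, cl
    x = (x + cl) & 0xFF        # add al, cl
    x = rol8(x, 0x4F)
    x = (x + cl) & 0xFF        # add al, cl
    x ^= 0x82
    x = (x - 0x4F) & 0xFF
    return (x + 0xE2) & 0xFF

def decode(buf):
    """Decode a block: ecx starts at len(buf) and counts down to 1."""
    size = len(buf)
    return bytes(decode_byte(b, (size - i) & 0xFF) for i, b in enumerate(buf))

def encode_byte(y, cl):
    """Inverse of decode_byte; an assumption added here only for round-trip tests."""
    y = (y - 0xE2) & 0xFF
    y = (y + 0x4F) & 0xFF
    y ^= 0x82
    y = (y - cl) & 0xFF
    y = ror8(y, 0x4F)          # undo rol8(.., 0x4F)
    y = (y - cl - cl) & 0xFF
    y = (y - 0x5D - 0x9D) & 0xFF
    y = rol8(y, 0xE0)          # undo ror8(.., 0xE0), also a no-op
    y = ror8(y, 0x42)
    return ror8(y, 0x42)

def encode(buf):
    """Inverse of decode() over a whole block (same ecx countdown)."""
    size = len(buf)
    return bytes(encode_byte(b, (size - i) & 0xFF) for i, b in enumerate(buf))
```

The sample buffer in the test is constructed (the bytes of `mov eax, [esp+20h]; inc eax`), not taken from the packer.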
After running it you see:
XJ:004040FD mov eax, [esp+20h]
XJ:00404102 js short near ptr dword_40410C+2
XJ:00404103 or al, bh
XJ:00404105 test ecx, ebp
This is slightly different from what I see in OllyDbg. I don't know the reason (under IDA 4.5); ask the IDA Pro author.
On the line XJ:004040FD press 'u' --> undefine, then 'c' --> code.
There, now it's the same:
XJ:004040FD mov eax, [esp+20h]
XJ:00404101 inc eax
XJ:00404102 js short near ptr dword_40410C+2