
Demystifying PEiD's Identification Mechanism (Part 2)

Published: 2011-01-03 18:36   Published by: Wuhan Kerui Software Security Education (武汉科锐软件安全教育机构)
The signature definitions are complete; they look like this:
01DBF9BC  50 00 6A 00 00 00 E8 00 00 AB 00 AB FF 00 FF 00
01DBF9CC  BA 00 00 AB 00 AB 00 AB 00 AB 52 00 89 00 05 00
01DBF9DC  00 AB 00 AB 00 AB 00 AB 89 00 42 00 04 00 E8 00
01DBF9EC  00 AB 00 AB 00 AB 00 AB 5A 00 58 00 E8 00 00 AB
01DBF9FC  00 0A 00 AB 00 AB C3 00 55 00 8B 00 EC 00 33 00
01DBFA0C  C0 00 00 00 E8 00 00 AB 00 AB 00 AB 00 AB 6A 00
01DBFA1C  00 AB E8 00 00 AB 00 AB 00 AB 00 AB 89 00 05 00
01DBFA2C  00 AB 00 AB 00 AB 00 AB E8 00 00 AB 00 AB 00 AB
01DBFA3C  00 AB 89 00 05 00 00 AB 00 AB 00 AB 00 AB C7 00
01DBFA4C  05 00 00 AB 00 AB 00 AB 00 AB 0A 00 00 AB 00 AB
01DBFA5C  00 AB B8 00 00 AB 00 AB 00 AB 00 AB C3 00 DB 01
01DBFA6C  50 00 6A 00 00 AB E8 00 00 AB 00 AB FF 00 FF 00
01DBFA7C  BA 00 00 AB 00 AB 00 AB 00 AB 52 00 89 00 05 00
01DBFA8C  00 AB 00 AB 00 AB 00 AB 89 00 42 00 04 00 C7 00
01DBFA9C  42 00 08 00 00 AB 00 AB 00 AB 00 AB C7 00 42 00
01DBFAAC  0C 00 00 AB 00 AB 00 AB 00 AB E8 00 00 AB 00 AB
01DBFABC  00 AB 00 AB 5A 00 58 00 E8 00 00 AB 00 AB 00 AB
01DBFACC  00 AB C3 00 53 00 8B 00 D8 00 33 00 C0 00 A3 00
01DBFADC  00 AB 00 AB 00 AB 00 AB 6A 00 00 AB E8 00 00 AB
01DBFAEC  00 AB 00 AB FF 00 A3 00 00 AB 00 AB 00 AB 00 AB
01DBFAFC  A1 00 00 AB 00 AB 00 AB 00 AB A3 00 00 AB 00 AB
01DBFB0C  00 AB 00 AB 33 00 C0 00 A3 00 00 AB 00 AB 00 AB
01DBFB1C  00 AB 33 00 C0 00 A3 00 00 AB 00 AB 00 AB 00 AB
01DBFB2C  E8 00 00 00
 
00440197     50                          push eax
00440198     8BCE                        mov ecx,esi                                      ecx = MZ header
0044019A     E8 E1300100                 call unpack.00453280
0044019F     8B0E                        mov ecx,dword ptr ds:[esi]
004401A1     8BF8                        mov edi,eax
004401A3     8D0439                      lea eax,dword ptr ds:[ecx+edi]                   eax = OEP
004401A6     8038 55                     cmp byte ptr ds:[eax],55                         compare the entry point: a Delphi entry should begin 55 8B EC 83 (or B9)
004401A9     0F85 44010000               jnz unpack.004402F3
004401AF     8078 01 8B                  cmp byte ptr ds:[eax+1],8B
004401B3     0F85 3A010000               jnz unpack.004402F3
004401B9     8078 02 EC                  cmp byte ptr ds:[eax+2],0EC
004401BD     0F85 30010000               jnz unpack.004402F3
004401C3     8A40 03                     mov al,byte ptr ds:[eax+3]
004401C6     3C 83                       cmp al,83
004401C8     74 08                       je short unpack.004401D2
004401CA     3C B9                       cmp al,0B9
004401CC     0F85 21010000               jnz unpack.004402F3
004401D2     8B46 0C                     mov eax,dword ptr ds:[esi+C]                     eax = PE header
004401D5     8078 1A 02                  cmp byte ptr ds:[eax+1A],2                       check the linker version; for Delphi it should be 02 19
004401D9     0F85 14010000               jnz unpack.004402F3
004401DF     8078 1B 19                  cmp byte ptr ds:[eax+1B],19
004401E3     0F85 0A010000               jnz unpack.004402F3
004401E9     6A 29                       push 29                                          signature length (in WORDs)
004401EB     8D5424 18                   lea edx,dword ptr ss:[esp+18]                    edx = start address of the Delphi signature table
004401EF     52                          push edx
004401F0     8D8C24 90010000             lea ecx,dword ptr ss:[esp+190]                   ecx = end address of the Delphi signature table
004401F7     E8 4471FFFF                 call unpack.00437340
004401FC     8B0E                        mov ecx,dword ptr ds:[esi]                       ecx = MZ header
004401FE     8D4424 10                   lea eax,dword ptr ss:[esp+10]
00440202     50                          push eax                                       /Arg3
00440203     81C1 00040000               add ecx,400                                     |ecx = CODE section
00440209     57                          push edi                                       |Arg2
0044020A     51                          push ecx                                       |Arg1
0044020B     8D8C24 94010000             lea ecx,dword ptr ss:[esp+194]                 |ecx = signature address
00440212     E8 39F4FFFF                 call unpack.0043F650                           \search the CODE section for the signature
00440217     84C0                        test al,al
00440219     74 0A                       je short unpack.00440225
0044021B     68 94634000                 push unpack.00406394                             ASCII "Borland Delphi 3.0"
00440220     E9 AF000000                 jmp unpack.004402D4
00440225     6A 32                       push 32
00440227     8D9424 C8000000             lea edx,dword ptr ss:[esp+C8]
0044022E     52                          push edx
0044022F     8D8C24 90010000             lea ecx,dword ptr ss:[esp+190]
00440236     E8 0571FFFF                 call unpack.00437340
0044023B     8B0E                        mov ecx,dword ptr ds:[esi]                       MZ
0044023D     8D4424 10                   lea eax,dword ptr ss:[esp+10]
00440241     50                          push eax                                       /Arg3
00440242     81C1 00040000               add ecx,400                                     |CODE section
00440248     57                          push edi                                       |Arg2
00440249     51                          push ecx                                       |Arg1
0044024A     8D8C24 94010000             lea ecx,dword ptr ss:[esp+194]                 |
00440251     E8 FAF3FFFF                 call unpack.0043F650                           \search the CODE section for the signature
00440256     84C0                        test al,al
00440258     74 07                       je short unpack.00440261
0044025A     68 78634000                 push unpack.00406378                             ASCII "Borland Delphi 4.0 - 5.0"
0044025F     EB 73                       jmp short unpack.004402D4
00440261     6A 2F                       push 2F
00440263     8D9424 2C010000             lea edx,dword ptr ss:[esp+12C]
0044026A     52                          push edx
0044026B     8D8C24 90010000             lea ecx,dword ptr ss:[esp+190]
00440272     E8 C970FFFF                 call unpack.00437340
00440277     8B0E                        mov ecx,dword ptr ds:[esi]
00440279     8D4424 10                   lea eax,dword ptr ss:[esp+10]
0044027D     50                          push eax                                       /Arg3
0044027E     81C1 00040000               add ecx,400                                     |
00440284     57                          push edi                                       |Arg2
00440285     51                          push ecx                                       |Arg1
00440286     8D8C24 94010000             lea ecx,dword ptr ss:[esp+194]                 |
0044028D     E8 BEF3FFFF                 call unpack.0043F650                           \search the CODE section for the signature
00440292     84C0                        test al,al
00440294     74 07                       je short unpack.0044029D
00440296     68 5C634000                 push unpack.0040635C                             ASCII "Borland Delphi 6.0 - 7.0"
0044029B     EB 37                       jmp short unpack.004402D4
0044029D     6A 2D                       push 2D
0044029F     8D5424 6C                   lea edx,dword ptr ss:[esp+6C]
004402A3     52                          push edx
004402A4     8D8C24 90010000             lea ecx,dword ptr ss:[esp+190]
004402AB     E8 9070FFFF                 call unpack.00437340
004402B0     8B0E                        mov ecx,dword ptr ds:[esi]
004402B2     8D4424 10                   lea eax,dword ptr ss:[esp+10]
004402B6     50                          push eax                                       /Arg3
004402B7     81C1 00040000               add ecx,400                                     |
004402BD     57                          push edi                                       |Arg2
004402BE     51                          push ecx                                       |Arg1
004402BF     8D8C24 94010000             lea ecx,dword ptr ss:[esp+194]                 |
004402C6     E8 85F3FFFF                 call unpack.0043F650                           \search the CODE section for the signature
004402CB     84C0                        test al,al
004402CD     74 24                       je short unpack.004402F3
004402CF     68 48634000                 push unpack.00406348                             ASCII "Borland Delphi 2.0"
004402D4     8BB424 98050000             mov esi,dword ptr ss:[esp+598]
004402DB     8D4E 04                     lea ecx,dword ptr ds:[esi+4]
004402DE     E8 BD73FFFF                 call unpack.004376A0
004402E3     5F                          pop edi
004402E4     C606 01                     mov byte ptr ds:[esi],1
004402E7     5E                          pop esi
004402E8     5D                          pop ebp
004402E9     B0 01                       mov al,1
004402EB     5B                          pop ebx
004402EC     81C4 80050000               add esp,580
004402F2     C3                          retn
The search in the CODE section works as follows:
the signature table is defined as a WORD array,
and the bytes of the CODE section are compared one by one against the signature of the corresponding version.
Within a signature, the word 00 AB is a wildcard that matches any byte (the loop below only checks the high byte of each WORD with `test dh,0FF`: a non-zero high byte means the comparison is skipped).
0043F650    83EC 08                     sub esp,8                                        search the CODE section for the signature
0043F653    8B5424 10                   mov edx,dword ptr ss:[esp+10]
0043F657    57                          push edi
0043F658    8B79 04                     mov edi,dword ptr ds:[ecx+4]
0043F65B    3BD7                        cmp edx,edi
0043F65D    894C24 04                   mov dword ptr ss:[esp+4],ecx
0043F661    7D 09                       jge short unpack.0043F66C
0043F663    32C0                        xor al,al
0043F665    5F                          pop edi
0043F666    83C4 08                     add esp,8
0043F669    C2 0C00                     retn 0C
0043F66C    53                          push ebx
0043F66D    55                          push ebp
0043F66E    8B6C24 18                   mov ebp,dword ptr ss:[esp+18]                    ebp = start address of the CODE section
0043F672    8BC2                        mov eax,edx
0043F674    2BC7                        sub eax,edi
0043F676    56                          push esi
0043F677    33F6                        xor esi,esi
0043F679    85C0                        test eax,eax
0043F67B    894424 14                   mov dword ptr ss:[esp+14],eax
0043F67F    7E 5F                       jle short unpack.0043F6E0
0043F681    33C0                        xor eax,eax
0043F683    85FF                        test edi,edi
0043F685    7E 26                       jle short unpack.0043F6AD
0043F687    8B19                        mov ebx,dword ptr ds:[ecx]                       ebx = start address of the signature
0043F689    8DA424 00000000             lea esp,dword ptr ss:[esp]
0043F690    66:8B13                     mov dx,word ptr ds:[ebx]
0043F693    F6C6 FF                     test dh,0FF
0043F696    75 0D                       jnz short unpack.0043F6A5
0043F698    8D0C30                      lea ecx,dword ptr ds:[eax+esi]
0043F69B    66:0FB60C29                 movzx cx,byte ptr ds:[ecx+ebp]
0043F6A0    66:3BCA                     cmp cx,dx
0043F6A3    75 1E                       jnz short unpack.0043F6C3
0043F6A5    40                          inc eax
0043F6A6    83C3 02                     add ebx,2
0043F6A9    3BC7                        cmp eax,edi
0043F6AB    7C E3                       jl short unpack.0043F690
0043F6AD    8B4424 24                   mov eax,dword ptr ss:[esp+24]
0043F6B1    85C0                        test eax,eax
0043F6B3    74 02                       je short unpack.0043F6B7
0043F6B5    8930                        mov dword ptr ds:[eax],esi
0043F6B7    5E                          pop esi
0043F6B8    5D                          pop ebp
0043F6B9    5B                          pop ebx
0043F6BA    B0 01                       mov al,1
0043F6BC    5F                          pop edi
0043F6BD    83C4 08                     add esp,8
0043F6C0    C2 0C00                     retn 0C
0043F6C3    8B4C24 10                   mov ecx,dword ptr ss:[esp+10]
0043F6C7    8D1437                      lea edx,dword ptr ds:[edi+esi]
0043F6CA    0FB6042A                    movzx eax,byte ptr ds:[edx+ebp]
0043F6CE    8B5C81 08                   mov ebx,dword ptr ds:[ecx+eax*4+8]
0043F6D2    8B4424 14                   mov eax,dword ptr ss:[esp+14]
0043F6D6    03F3                        add esi,ebx
0043F6D8    3BF0                        cmp esi,eax
0043F6DA    7C A5                       jl short unpack.0043F681
0043F6DC    8B5424 20                   mov edx,dword ptr ss:[esp+20]
0043F6E0    3BF0                        cmp esi,eax
0043F6E2    75 10                       jnz short unpack.0043F6F4
0043F6E4    2BD6                        sub edx,esi
0043F6E6    52                          push edx
0043F6E7    8D142E                      lea edx,dword ptr ds:[esi+ebp]
0043F6EA    52                          push edx
0043F6EB    E8 D07CFFFF                 call unpack.004373C0
0043F6F0    84C0                        test al,al
0043F6F2    75 B9                       jnz short unpack.0043F6AD
0043F6F4    5E                          pop esi
0043F6F5    5D                          pop ebp
0043F6F6    5B                          pop ebx
0043F6F7    32C0                        xor al,al
0043F6F9    5F                          pop edi
0043F6FA    83C4 08                     add esp,8
0043F6FD    C2 0C00                     retn 0C
The signatures for the individual Delphi versions are as follows:
Borland Delphi 3.0
01BBF9BC  50 00 6A 00 00 00 E8 00 00 AB 00 AB FF 00 FF 00
01BBF9CC  BA 00 00 AB 00 AB 00 AB 00 AB 52 00 89 00 05 00
01BBF9DC  00 AB 00 AB 00 AB 00 AB 89 00 42 00 04 00 E8 00
01BBF9EC  00 AB 00 AB 00 AB 00 AB 5A 00 58 00 E8 00 00 AB
01BBF9FC  00 0A 00 AB 00 AB C3 00 55 00 8B 00 EC 00 33 00
01BBFA0C  C0 00
 
Borland Delphi 2.0
01BBFA10  E8 00 00 AB 00 AB 00 AB 00 AB 6A 00 00 AB E8 00
01BBFA20  00 AB 00 AB 00 AB 00 AB 89 00 05 00 00 AB 00 AB
01BBFA30  00 AB 00 AB E8 00 00 AB 00 AB 00 AB 00 AB 89 00
01BBFA40  05 00 00 AB 00 AB 00 AB 00 AB C7 00 05 00 00 AB
01BBFA50  00 AB 00 AB 00 AB 0A 00 00 AB 00 AB 00 AB B8 00
01BBFA60  00 AB 00 AB 00 AB 00 AB C3 00
Borland Delphi 4.0 - 5.0
01BBFA6C  50 00 6A 00 00 AB E8 00 00 AB 00 AB FF 00 FF 00
01BBFA7C  BA 00 00 AB 00 AB 00 AB 00 AB 52 00 89 00 05 00
01BBFA8C  00 AB 00 AB 00 AB 00 AB 89 00 42 00 04 00 C7 00
01BBFA9C  42 00 08 00 00 AB 00 AB 00 AB 00 AB C7 00 42 00
01BBFAAC  0C 00
 
Borland Delphi 6.0 - 7.0
01BBFAD0  53 00 8B 00 D8 00 33 00 C0 00 A3 00 00 AB 00 AB
01BBFAE0  00 AB 00 AB 6A 00 00 AB E8 00 00 AB 00 AB 00 AB
01BBFAF0  FF 00 A3 00 00 AB 00 AB 00 AB 00 AB A1 00 00 AB
01BBFB00  00 AB 00 AB 00 AB A3 00 00 AB 00 AB 00 AB 00 AB
01BBFB10  33 00 C0 00 A3 00 00 AB 00 AB 00 AB 00 AB 33 00
01BBFB20  C0 00 A3 00 00 AB 00 AB 00 AB 00 AB E8 00
This is from a Delphi 6.0 program:
017565E0  53 8B D8 33 C0 A3 F8 A0 51 00 6A 00 E8 2B FF FF
017565F0  FF A3 64 E6 51 00 A1 64 E6 51 00 A3 04 A1 51 00
01756600  33 C0 A3 08 A1 51 00 33 C0 A3 0C A1 51 00 E8
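As an added example (not code from the article or from PEiD), the WORD-array matcher of routine 0043F650 and the two prefilters from the first listing are reimplemented in Python and run over the Delphi 6.0 bytes just shown. The original routine advances through the CODE section with a skip table ([ecx+eax*4+8]); the version here is a plain linear scan, which returns the same match offset, and the hexbytes/parse_signature helper names are my own.

```python
# Added example, not code from the article or from PEiD.  A signature WORD with a
# non-zero high byte (stored as "00 AB" in the dump) is a wildcard; otherwise
# its low byte must equal the byte at that position in the CODE section.
from typing import List, Optional

def hexbytes(text: str) -> bytes:
    """Parse the hex pairs of a dump (whitespace and newlines ignored)."""
    return bytes.fromhex("".join(text.split()))

def parse_signature(dump: str) -> List[Optional[int]]:
    """Signature WORDs -> list of byte values, None for wildcard words."""
    raw = hexbytes(dump)
    if len(raw) % 2:
        raise ValueError("a signature is a whole number of WORDs")
    return [None if hi else lo for lo, hi in zip(raw[0::2], raw[1::2])]

def find_signature(code: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Offset of the first match in `code`, or None.  Routine 0043F650 skips
    ahead with a table; a linear scan gives the same first match."""
    n = len(pattern)
    for off in range(len(code) - n + 1):
        if all(p is None or code[off + i] == p for i, p in enumerate(pattern)):
            return off
    return None

def is_delphi_entry(entry: bytes) -> bool:
    """Prefilter at 004401A6: OEP must start 55 8B EC followed by 83 or B9."""
    return entry[:3] == b"\x55\x8b\xec" and entry[3:4] in (b"\x83", b"\xb9")

def is_delphi_linker(pe_header: bytes) -> bool:
    """Prefilter at 004401D5: linker version at PE header +1A/+1B must be 02 19."""
    return pe_header[0x1A:0x1C] == b"\x02\x19"

# "Borland Delphi 6.0 - 7.0" signature, copied from the dump above (0x2F WORDs).
DELPHI_6_7 = parse_signature("""
53 00 8B 00 D8 00 33 00 C0 00 A3 00 00 AB 00 AB
00 AB 00 AB 6A 00 00 AB E8 00 00 AB 00 AB 00 AB
FF 00 A3 00 00 AB 00 AB 00 AB 00 AB A1 00 00 AB
00 AB 00 AB 00 AB A3 00 00 AB 00 AB 00 AB 00 AB
33 00 C0 00 A3 00 00 AB 00 AB 00 AB 00 AB 33 00
C0 00 A3 00 00 AB 00 AB 00 AB 00 AB E8 00""")

# Constructed CODE-section sample: four padding NOPs, then the bytes of the
# Delphi 6.0 program shown above, so the match should land at offset 4.
SAMPLE_CODE = hexbytes("90 90 90 90") + hexbytes("""
53 8B D8 33 C0 A3 F8 A0 51 00 6A 00 E8 2B FF FF
FF A3 64 E6 51 00 A1 64 E6 51 00 A3 04 A1 51 00
33 C0 A3 08 A1 51 00 33 C0 A3 0C A1 51 00 E8""")
```

`find_signature(SAMPLE_CODE, DELPHI_6_7)` returns 4, the offset at which the 47-WORD pattern lines up with the Delphi 6.0 bytes; feeding it a shorter or unrelated buffer returns None.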


Copyright © 2007-2015 Wuhan Kerui Software Technology Co., Ltd. (武汉市科锐软件技术有限公司)