还原 hying 最后的八连环 SEH

作者:佚名 责任编辑:左决 点击数: 更新时间:2008-2-17 0:49:47

虽然没啥作用,不过看看也是挺有意思的事情。


; ***************************************************************************

; CHAINDRIVE.ASM - reversing hying's SEH chain drive
;
;                       by forgot/iPB
;
; ***************************************************************************


                        .386                            ; 32-bit x86; the CONTEXT offsets used by the handler are the x86 ones
                        .model  flat, stdcall
                        option  casemap:none            ; identifiers are case-sensitive (label spelling must match exactly)

                        assume  fs : flat               ; needed so fs:[0] (the SEH chain head) can be addressed directly

                        .code

;-----------------------------------------------------------------------
; start - entry point
; Computes the relocation delta with the call/pop trick and then runs
; the SEH chain demo.
; Out:   ebp = delta (runtime address - assembled address); every label
;        below is addressed as label[ebp]
;-----------------------------------------------------------------------
start:                  call    delta
delta:                  pop     ebp                     ; ebp = runtime address of delta
                        sub     ebp, delta              ; minus assembled address = delta
                        call    chain_drive             ; test it

                        retn

; ***************************************************************************
;
; seh chain structure
;
; +0x00                 DWORD   except_code
; +0x04                 DWORD   new_origin
; +0x08                 DWORD   dr0
; +0x0c                 DWORD   dr1
; +0x10                 DWORD   dr2
; +0x14                 DWORD   dr3
; +0x18                 DWORD   dr6
; +0x1c                 DWORD   dr7
;
;                       total size = 4*8 = 0x20
;
; ***************************************************************************


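;-----------------------------------------------------------------------
; chain_drive - walk the eight-entry SEH chain
; In:    ebp = relocation delta (set by start)
; Out:   fs:[0] restored; eax clobbered
; Clobb: eax, esi, flags; Dr0-Dr7 are rewritten by sehchain_handler
;
; How it works: each sehchain entry names the exception code that is
; expected next, the eip to resume at (new_origin) and the Dr0-Dr7
; values to install.  sehchain_handler consumes one entry per exception,
; so the code below is not executed top to bottom: every faulting
; instruction (read of address 0, hardware breakpoint, int 3, TF trap,
; div by zero, into, bound) raises the code the next entry expects and
; the handler moves eip to that entry's new_origin.  The db strings are
; never executed; they only break a straight-line disassembly.
; Reviewer note: STATUS_BREAKPOINT / STATUS_SINGLE_STEP are presumably
; delivered to an attached debugger before the SEH chain sees them, so
; the chain only completes when the exceptions reach this handler.
;-----------------------------------------------------------------------
SEH_ENTRY_SIZE          equ     20h                     ; sizeof one sehchain entry (8 dwords)

chain_drive:
;                       mov     esi, codebase[ebp]      ; calculate hash of user code
;                       add     esi, imagebase[ebp]
;                       mov     ecx, codesize[ebp]
;                       call    crc32_esi_ecx
;                       mov     saved_hash[ebp], eax

                        mov     eax, ebp                ; eax = delta
                        lea     esi, sehchain[ebp]      ; esi = first entry

                        ; relocate the absolute addresses stored in the table:
                        ; new_origin (+4) of every entry, and dr0 (+8) of the two
                        ; entries that carry a hardware breakpoint address
                        add     [esi+4], eax            ; entry 1: origin_1
                        add     [esi+8], eax            ;          dr0 = except_2
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 2: except_2
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 3: origin_2
                        add     [esi+8], eax            ;          dr0 = except_4
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 4: except_4
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 5: origin_3
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 6: origin_4
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 7: except_8
                        add     esi, SEH_ENTRY_SIZE

                        add     [esi+4], eax            ; entry 8: sehchain_done

                        lea     esi, sehchain_ptr[ebp]
                        add     [esi], eax              ; the cursor itself is an absolute address too

                        ; install sehchain_handler at the head of the SEH chain
                        lea     eax, sehchain_handler[ebp]
                        push    eax                     ; EXCEPTION_REGISTRATION.handler

                        push    dword ptr fs:[0]        ; EXCEPTION_REGISTRATION.prev
                        mov     dword ptr fs:[0], esp

                        xor     eax, eax
except_1:               mov     eax, [eax]              ; read address 0 -> 0c0000005h, entry 1 -> origin_1

                        db      "FIGHT WITH THE BEST, AND DIE LIKE THE REST!"

origin_1:               nop                             ; entry 1 armed Dr0 = except_2 (Dr7 = 101h)

except_2:               nop                             ; hardware bp -> 80000004h, entry 2 resumes here with Dr0-Dr7 cleared

                        int     3                       ; -> 80000003h, entry 3 -> origin_2 and arms Dr0 = except_4
except_3:               jmp     origin_1                ; trash, never reached

                        db      "HOW CAN I PUT SOMEONE TO THE TEST WITH I THOUGHT I GOT THE BEST?"


origin_2:               pushfd                          ; save flags (restored at except_5)
except_4:               pushfd                          ; hardware bp -> 80000004h, entry 4 resumes here with Dr0-Dr7 cleared
                        pop     eax
                        or      ah, 1                   ; TF is eflags bit 8
                        push    eax                     ; set TF = 1
                        popfd
except_5:               popfd                           ; TF takes effect after this instruction: trap -> 80000004h, entry 5 -> origin_3
                        jmp     origin_2                ; never reached

                        db      "UNTIL THE TASTE OF BITTERNESS THEN I REGRET."


origin_3:               xor     eax, eax
except_6:               div     eax                     ; 0/0 -> 0c0000094h, entry 6 -> origin_4 (eax still 0)
                        jmp     origin_3                ; simplified, never reached

                        db      "CHRISTINA OH MY GODDESS!"


origin_4:               inc     eax                     ; eax = 1
                        ror     eax, 1                  ; eax = 80000000h, set OF = 1
                        into                            ; -> 0c0000095h, entry 7 -> except_8
except_7:               jmp     origin_4                ; never reached

                        db      "MUAHAHA STRINGS EMULATED THE JUNK INSTRUCTIONS~"


except_8:               bound   eax, boundlimit[ebp]    ; 80000000h is outside [0,0] -> 0c000008ch, entry 8 -> sehchain_done
                        jmp     except_8                ; never reached

                        db      "YOU SAY YOU LET YOUR GUARD DOWN? I THINK YOU'RE JUST A WEENIE!"


sehchain_done:          pop     dword ptr fs:[0]        ; unlink our EXCEPTION_REGISTRATION
                        pop     eax                     ; discard the handler address




                        retn                            ; return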




;-----------------------------------------------------------------------
; sehchain_handler - SEH handler that consumes one sehchain entry
; Called by the dispatcher with the usual frame:
;   [esp+4]   = EXCEPTION_RECORD*   (ExceptionCode at +0)
;   [esp+0ch] = CONTEXT*            (ContextFlags +0, Dr0..Dr7 at +4..+18h,
;                                    Ebp at +0b4h, Eip at +0b8h)
; If the current entry's except_code equals ExceptionCode: ctx.Eip and
; ctx.Dr0-Dr7 are loaded from the entry, ctx.ContextFlags is set so the
; kernel applies the debug registers, sehchain_ptr advances one entry and
; eax = 0 (ExceptionContinueExecution).  Otherwise eax = 1
; (ExceptionContinueSearch) and nothing is modified.
; Assumes ctx.Ebp still holds the relocation delta set by start.
; Reviewer note: lodsd/movsd rely on DF = 0; it is not cleared here.
;-----------------------------------------------------------------------
sehchain_handler:       mov     edx, esp                ; edx = current stack ptr (before pusha moves esp)
                        pusha

                        mov     edi, [edx+4*3]          ; edi = CONTEXT*
                        mov     ebp, [edi+0b4h]         ; ctx.ebp = delta of the faulting code

                        mov     esi, sehchain_ptr[ebp]  ; esi = current entry

                        mov     ebx, [edx+4]            ; exception record

                        lodsd                           ; exception code expected by this entry
                        cmp     eax, [ebx]              ; ExceptionCode
                        jne     __ignore

                        mov     dword ptr [edi], 10017h ; ctx.ctxflags = ctrl | drx | segs | integer

                        lodsd                           ; new origin
                        mov     [edi+0b8h], eax         ; ctx.eip = new origin

                        lea     edi, [edi+4]            ; skip ctx flags -> ctx.dr0

                        ; (sucked from stack magic)
                        movsd                           ; dr0
                        movsd                           ; dr1
                        movsd                           ; dr2
                        movsd                           ; dr3
                        movsd                           ; dr6
                        movsd                           ; dr7

                        add     sehchain_ptr[ebp], 20h  ; point to next structure

                        popa                            ; continue executing
                        xor     eax, eax                ; ExceptionContinueExecution
                        retn                            ; i optimized ;-)

__ignore:               popa                            ; unknown code: pass it on
                        sub     eax, eax
                        inc     eax                     ; eax = 1, ExceptionContinueSearch
                        retn


; cursor into sehchain: relocated by chain_drive, advanced 20h per
; exception by sehchain_handler
sehchain_ptr            dd      sehchain

                        ; entry layout: except_code, new_origin, dr0, dr1, dr2, dr3, dr6, dr7
                        ; dr7 = 101h enables Dr0 as an execute breakpoint (L0 + LE)

                        ; memory access violation

sehchain                dd      0c0000005h
                        dd      origin_1                ; resume here
                        dd      except_2                ; dr0: break when except_2 is reached
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      101h                    ; dr7

                        ; single step

                        dd      80000004h
                        dd      except_2                ; resume at the breakpoint address itself
                        dd      0                       ; clear all debug registers
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0

                        ; int 3 command

                        dd      80000003h
                        dd      origin_2
                        dd      except_4                ; dr0: break when except_4 is reached
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      101h                    ; dr7

                        ; single step

                        dd      80000004h
                        dd      except_4
                        dd      0                       ; clear all debug registers
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0

                        ; trap

                        dd      80000004h               ; the TF single step raised after except_5
                        dd      origin_3
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0

                        ; integer division by zero

                        dd      0c0000094h
                        dd      origin_4
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0

                        ; integer overflow

                        dd      0c0000095h
                        dd      except_8
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0
                        dd      0

                        ; array bounds exceeded

                        dd      0c000008ch
                        dd      sehchain_done
                        dd      0
                        dd      0
                        dd      0
                        dd      0
boundlimit              dd      0                       ; a little optimization X-D: dr6/dr7 of the last
                        dd      0                       ; entry double as the BOUND limit pair [0,0]


                        end     start
