AGB  ·  Datenschutz  ·  Impressum  







Anmelden
Nützliche Links
Registrieren
Thema durchsuchen
Ansicht
Themen-Optionen

Kopierschutz

Ein Thema von Peter666 · begonnen am 30. Dez 2010 · letzter Beitrag vom 8. Jan 2011
 
Vorheriger Beitrag Vorheriger Beitrag   Nächster Beitrag Nächster Beitrag
Peter666

Registriert seit: 11. Aug 2007
357 Beiträge
 
#10

AW: Kopierschutz

  Alt 8. Jan 2011, 14:31
Ich habe mich vorhin mal hingesetzt und angefangen einen alten Assemblersource für einen Junk Code Generator zu erstellen. Herausgekommen ist folgendes..

markieren
Code:
unit UJunkit;
interface
const
  ETG_MOVRR = $00000001;
  ETG_MOVRC = $00000002;
  ETG_MOVSXZX = $00000004;
  ETG_XCHG = $00000008;
  ETG_LEA = $00000010;
  ETG_TTTRR = $00000020;
  ETG_TTTRC = $00000040;
  ETG_INCDEC = $00000080;
  ETG_NOTNEG = $00000100;
  ETG_TESTRR = $00000200;
  ETG_TESTRC = $00000400;
  ETG_IMUL = $00000800;
  ETG_SHIFT = $00001000;
  ETG_SHxD = $00002000;
  ETG_BSWAP = $00004000;
  ETG_XADD = $00008000;
  ETG_BSx = $00010000;
  ETG_BTx = $00020000;
  ETG_JMPS = $00040000;
  ETG_SEG = $00080000;
  ETG_REP = $00100000;
  ETG_ALL = $001FFFFF;
  ETG_DEFAULT = ETG_TTTRC; // used if no cmds specified

  REG_EAX = $00000001;
  REG_ECX = $00000002;
  REG_EDX = $00000004;
  REG_EBX = $00000008;
  REG_ESP = $00000010;
  REG_EBP = $00000020;
  REG_ESI = $00000040;
  REG_EDI = $00000080;
  REG_ALL = (not REG_ESP) and $FF;
  REG_DEFAULT = REG_EAX; // used if no regs specified

procedure Junk(user_param, cmd_avail, regsrcavail,
  regdstavail: DWORD; out osizeptr: DWORD; ncmds, bufsize: DWORD;
  buf: Pointer);

implementation

type
  TRandomFunc = function(userdata, range: DWORD): DWORD; cdecl;

  TETG_Engine = procedure(
    user_param: DWORD; // user-parameter
    cmd_avail: DWORD; // set of ETG_xxx
    regsrcavail: DWORD; // set of REG_xxx
    regdstavail: DWORD; // set of REG_xxx
    out osizeptr: DWORD; // ptr to generated bufsize
    ncmds: DWORD; // max number of commands
    bufsize: DWORD; // max size of buffer
    buf: Pointer; // ptr to output buffer
    Random: TRandomFunc
    ); cdecl;

const
  ETG_bin: array[0..1139] of byte = (
    $C8, $50, $00, $00, $60, $8B, $7D, $24,
    $FC, $81, $65, $10, $EF, $00, $00, $00,
    $75, $07, $C7, $45, $10, $01, $00, $00,
    $00, $81, $65, $14, $EF, $00, $00, $00,
    $75, $07, $C7, $45, $14, $01, $00, $00,
    $00, $81, $65, $0C, $FF, $FF, $1F, $00,
    $75, $07, $C7, $45, $0C, $40, $00, $00,
    $00, $8B, $C7, $2B, $45, $24, $8B, $4D,
    $18, $89, $01, $83, $C0, $10, $3B, $45,
    $20, $73, $0C, $FF, $4D, $1C, $7C, $07,
    $E8, $05, $00, $00, $00, $EB, $E2, $61,
    $C9, $C3, $C7, $45, $FC, $01, $00, $00,
    $00, $C7, $45, $F8, $08, $00, $00, $00,
    $E8, $E4, $03, $00, $00, $89, $45, $C8,
    $C1, $E0, $03, $89, $45, $C4, $E8, $D1,
    $03, $00, $00, $89, $45, $C0, $C1, $E0,
    $03, $89, $45, $BC, $8B, $45, $14, $23,
    $45, $10, $A9, $0F, $00, $00, $00, $74,
    $13, $B8, $02, $00, $00, $00, $E8, $93,
    $03, $00, $00, $89, $45, $FC, $C1, $E0,
    $03, $89, $45, $F8, $B8, $02, $00, $00,
    $00, $E8, $80, $03, $00, $00, $89, $45,
    $DC, $D1, $E0, $89, $45, $D8, $C1, $E0,
    $02, $89, $45, $D4, $B8, $04, $00, $00,
    $00, $E8, $68, $03, $00, $00, $C1, $E0,
    $03, $89, $45, $D0, $E8, $70, $03, $00,
    $00, $C1, $E0, $03, $89, $45, $CC, $E8,
    $70, $03, $00, $00, $89, $45, $F4, $C1,
    $E0, $03, $89, $45, $E4, $E8, $62, $03,
    $00, $00, $89, $45, $EC, $E8, $5F, $03,
    $00, $00, $89, $45, $F0, $C1, $E0, $03,
    $89, $45, $E0, $E8, $51, $03, $00, $00,
    $89, $45, $E8, $E8, $4E, $03, $00, $00,
    $89, $45, $B8, $C1, $E0, $03, $89, $45,
    $B4, $E8, $40, $03, $00, $00, $89, $45,
    $B0, $B8, $1F, $00, $00, $00, $E8, $0B,
    $03, $00, $00, $96, $46, $8B, $55, $0C,
    $8B, $45, $FC, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $27, $01, $00, $00, $4E, $0F,
    $84, $2D, $01, $00, $00, $D1, $EA, $73,
    $0E, $4E, $0F, $84, $2F, $01, $00, $00,
    $4E, $0F, $84, $36, $01, $00, $00, $D1,
    $EA, $73, $07, $4E, $0F, $84, $32, $01,
    $00, $00, $D1, $EA, $73, $07, $4E, $0F,
    $84, $47, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $41, $01, $00, $00,
    $D1, $EA, $73, $0E, $4E, $0F, $84, $44,
    $01, $00, $00, $4E, $0F, $84, $45, $01,
    $00, $00, $D1, $EA, $73, $0E, $4E, $0F,
    $84, $42, $01, $00, $00, $4E, $0F, $84,
    $4C, $01, $00, $00, $D1, $EA, $73, $0E,
    $4E, $0F, $84, $59, $01, $00, $00, $4E,
    $0F, $84, $5F, $01, $00, $00, $D1, $EA,
    $73, $07, $4E, $0F, $84, $5E, $01, $00,
    $00, $D1, $EA, $73, $07, $4E, $0F, $84,
    $60, $01, $00, $00, $D1, $EA, $73, $07,
    $4E, $0F, $84, $62, $01, $00, $00, $D1,
    $EA, $73, $0E, $4E, $0F, $84, $65, $01,
    $00, $00, $4E, $0F, $84, $6E, $01, $00,
    $00, $D1, $EA, $73, $0E, $4E, $0F, $84,
    $70, $01, $00, $00, $4E, $0F, $84, $79,
    $01, $00, $00, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $7F, $01, $00, $00, $4E, $0F,
    $84, $97, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $A4, $01, $00, $00,
    $D1, $EA, $73, $07, $4E, $0F, $84, $A0,
    $01, $00, $00, $D1, $EA, $73, $07, $4E,
    $0F, $84, $A3, $01, $00, $00, $D1, $EA,
    $73, $0E, $4E, $0F, $84, $A6, $01, $00,
    $00, $4E, $0F, $84, $B0, $01, $00, $00,
    $D1, $EA, $73, $07, $4E, $0F, $84, $B0,
    $01, $00, $00, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $B7, $01, $00, $00, $4E, $0F,
    $84, $B7, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $B3, $01, $00, $00,
    $E9, $BC, $FE, $FF, $FF, $0C, $88, $AA,
    $B0, $C0, $0B, $45, $E4, $0B, $45, $F0,
    $AA, $C3, $0C, $8A, $AA, $B0, $C0, $0B,
    $45, $E0, $0B, $45, $F4, $AA, $C3, $B0,
    $B0, $0B, $45, $F8, $0B, $45, $F0, $AA,
    $E9, $8D, $01, $00, $00, $0C, $C6, $AA,
    $B0, $C0, $EB, $F0, $B0, $0F, $AA, $B0,
    $B6, $0B, $45, $FC, $0B, $45, $D4, $AA,
    $B0, $C0, $0B, $45, $C4, $EB, $D3, $0C,
    $86, $AA, $B0, $C0, $0B, $45, $E0, $0B,
    $45, $E8, $AA, $C3, $0C, $86, $AA, $EB,
    $F1, $B0, $8D, $AA, $B0, $05, $0B, $45,
    $C4, $AA, $E9, $59, $01, $00, $00, $0C,
    $00, $0B, $45, $CC, $AA, $EB, $99, $0C,
    $02, $0B, $45, $CC, $AA, $EB, $9E, $0C,
    $80, $AA, $B0, $C0, $0B, $45, $CC, $0B,
    $45, $F0, $AA, $E9, $32, $01, $00, $00,
    $F7, $45, $14, $01, $00, $00, $00, $0F,
    $84, $2C, $FE, $FF, $FF, $0C, $04, $0B,
    $45, $CC, $AA, $E9, $1A, $01, $00, $00,
    $0C, $FE, $AA, $B0, $C0, $0B, $45, $D4,
    $E9, $60, $FF, $FF, $FF, $B0, $40, $0B,
    $45, $D4, $0B, $45, $C8, $AA, $C3, $0C,
    $F6, $AA, $B0, $D0, $0B, $45, $D4, $E9,
    $49, $FF, $FF, $FF, $0C, $84, $AA, $B0,
    $C0, $0B, $45, $B4, $0B, $45, $B0, $AA,
    $C3, $0C, $F6, $AA, $B0, $C0, $0B, $45,
    $B8, $AA, $E9, $DB, $00, $00, $00, $B0,
    $0F, $AA, $B0, $AF, $AA, $B0, $C0, $0B,
    $45, $C4, $0B, $45, $C0, $AA, $C3, $B0,
    $69, $AA, $E8, $EE, $FF, $FF, $FF, $E9,
    $C4, $00, $00, $00, $0C, $D0, $0B, $45,
    $D8, $AA, $B0, $C0, $0B, $45, $CC, $0B,
    $45, $F0, $AA, $C3, $0C, $C0, $AA, $B0,
    $C0, $0B, $45, $CC, $0B, $45, $F0, $AA,
    $E9, $AD, $00, $00, $00, $B0, $0F, $AA,
    $B0, $A4, $0B, $45, $D4, $AA, $B0, $C0,
    $E8, $05, $00, $00, $00, $E9, $98, $00,
    $00, $00, $B0, $C0, $0B, $45, $BC, $0B,
    $45, $C8, $AA, $C3, $F7, $45, $10, $02,
    $00, $00, $00, $0F, $84, $78, $FD, $FF,
    $FF, $B0, $0F, $AA, $B0, $A5, $0B, $45,
    $D4, $AA, $EB, $DE, $B0, $0F, $AA, $B0,
    $C8, $EB, $DC, $B0, $0F, $AA, $B0, $C0,
    $0B, $45, $FC, $AA, $E9, $E1, $FE, $FF,
    $FF, $B0, $0F, $AA, $B0, $BC, $0B, $45,
    $DC, $AA, $E9, $6E, $FF, $FF, $FF, $B0,
    $0F, $AA, $B0, $BA, $AA, $B0, $E0, $0B,
    $45, $D0, $0B, $45, $C8, $AA, $EB, $42,
    $B0, $0F, $AA, $B0, $A3, $0B, $45, $D0,
    $AA, $EB, $9F, $66, $B8, $EB, $01, $66,
    $AB, $B8, $00, $01, $00, $00, $E8, $33,
    $00, $00, $00, $AA, $C3, $B0, $26, $0B,
    $45, $D0, $AA, $C3, $B0, $64, $0B, $45,
    $DC, $AA, $C3, $B0, $F2, $0B, $45, $DC,
    $AA, $C3, $83, $7D, $FC, $00, $74, $0A,
    $E8, $00, $00, $00, $00, $E8, $00, $00,
    $00, $00, $B8, $00, $01, $00, $00, $E8,
    $02, $00, $00, $00, $AA, $C3, $60, $50,
    $FF, $75, $08, $FF, $55, $28, $83, $C4,
    $08, $89, $44, $24, $1C, $61, $0B, $C0,
    $C3, $B8, $08, $00, $00, $00, $E8, $E3,
    $FF, $FF, $FF, $C3, $8B, $55, $10, $EB,
    $0D, $8B, $55, $14, $EB, $08, $8B, $55,
    $10, $0B, $55, $14, $EB, $00, $E8, $DE,
    $FF, $FF, $FF, $8B, $C8, $83, $7D, $FC,
    $00, $75, $03, $83, $E1, $03, $0F, $A3,
    $CA, $73, $EB, $C3);

var randseed: DWORD;

function MyRandom(userdata, range: DWORD): DWORD; cdecl;
begin
  if range = 0 then result := 0 else
  begin
    randseed := randseed * 214013 + 2531011;
    result := randseed mod range;
  end;
end;

procedure Junk(user_param, cmd_avail, regsrcavail,
  regdstavail: DWORD; out osizeptr: DWORD; ncmds, bufsize: DWORD;
  buf: Pointer);
begin
  randseed := GetTickCount;
  TETG_Engine(@ETG_bin)(user_param, cmd_avail, regsrcavail, regdstavail,
    osizeptr, ncmds, bufsize, buf, MyRandom);
  PAnsiChar(buf)[osizeptr] := #$C3; {ret} inc(osizeptr);
end;
Ich war ehrlich gesagt etwas Faul und habe nicht den Assemblercode (Quelle: ETG 2.00 engine) übersetzt, sondern nur das beiliegende C Beispiel umgesetzt.
Soweit erstellt die Anwendung recht praktischen Datenmüll, wenn ich das wie folgt aufrufe
var
buf: Array[0..2000] of byte;

Junk(
0,
ETG_ALL,
REG_ALL,
REG_EAX or REG_EBX,
bufsize,
1000,
sizeof(buf),
@buf);

Damit man den Code via call auch aufrufen kann, sollte am Ende des Puffers, also bei buf[bufsize] noch ein $C3 (ret) gepackt werden.
Mein Problem ist jedoch folgendes: Wenn ich innerhalb meiner Anwendung etwas wie folgt mache:

db $90,$90...$90

und mit meinem Patchtool in der Exe die Nops durch den Junkcode ersetze, müsste ich doch die Register vorher und hinterher manuell wiederherstellen, oder? Ein einfaches Pusha, popa reicht jedoch in dem Fall nicht. Hat da jemand eventuell eine Idee?

Peter
  Mit Zitat antworten Zitat
 

« Vorheriges Thema | Nächstes Thema »

Forumregeln

Es ist dir nicht erlaubt, neue Themen zu verfassen.
Es ist dir nicht erlaubt, auf Beiträge zu antworten.
Es ist dir nicht erlaubt, Anhänge hochzuladen.
Es ist dir nicht erlaubt, deine Beiträge zu bearbeiten.
BB-Code ist an.
Smileys sind an.
[IMG] Code ist an.
HTML-Code ist aus.
Trackbacks are an
Pingbacks are an
Refbacks are aus
Gehe zu:

Impressum · AGB · Datenschutz · Nach oben
Alle Zeitangaben in WEZ +1. Es ist jetzt 00:02 Uhr.
Powered by vBulletin® Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO © 2011, Crawlability, Inc.
Delphi-PRAXiS (c) 2002 - 2023 by Daniel R. Wolf, 2024-2025 by Thomas Breitkreuz