1、rd (x,0x90909090);FBin = 74 04 75 02 EB 02 EB 01 81;/ 花指令2的特征码for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)x = x + 4;PatchWord (x,0x9090);x = x + 4;PatchByte (x,0x90);FBin = 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04;/ 花指令3的特征码for (x = FindBin
2、ary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)x = x + 6;PatchWord (x,0x9090);x = x + 11;PatchWord (x,0x9090);FBin = EB 01 68 EB 02 CD 20 EB 01 E8;/ 花指令4的特征码for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)x = x+2;PatchByte (x,0x90);x = x+3;PatchWord (x,
3、0x9090);x = x+4;PatchByte (x,0x90);通过观察可知花指令中并不包含任何有意义的数据,在花指令的前后,堆栈是平衡的,各寄存器的数值也是不变的。IDC提供了隐藏区域的命令,现在来看看以下脚本:static HideJunkCode() auto x,y,FBin;FBin = E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF;for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)MakeUnknown (x,0x17,1);
4、y = x + 0x17;HideArea (x,y,atoa(x),atoa(x),atoa(y),-1);FBin = 74 04 75 02 EB 02 EB 01 81;for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)MakeUnknown (x,0x09,1);y = x + 0x09;HideArea (x,y,atoa(x),atoa(x),atoa(y),-1);FBin = 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00
5、 00 29 5A 83 C4 04;for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)MakeUnknown (x,0x17,1);y = x + 0x17;HideArea (x,y,atoa(x),atoa(x),atoa(y),-1);FBin = EB 01 68 EB 02 CD 20 EB 01 E8;for (x = FindBinary(MinEA(),0x03,FBin);x != BADADDR;x = FindBinary(x,0x03,FBin)MakeUnkn
6、own (x,0x0a,1);y = x + 0x0a;HideArea (x,y,atoa(x),atoa(x),atoa(y),-1);由于花指令的关系,会使IDA错误识别指令,可能隐藏区域的边界刚好在一条指令的机械码中间,这样隐藏的操作便会失败。因此在隐藏指令执行之前,先使用MakeUnknown将目标代码设置为未识别的状态。在完成隐藏和替换之后,再使用分析引擎分析代码。static main() auto x,FBin,ProcRange;HideJunkCode();PatchJunkCode();AnalyzeArea (MinEA(),MaxEA();CleanJunkCode.
7、idc在运行脚本之后,现在让我们看看修复的成果。seg005:0045639F rdtscseg005:004563A1 push eaxseg005:004563A2 rdtscseg005:004563A4 ; seg005:004563A4 /被隐藏的区域seg005:004563BB sub eax, esp-8+arg_4seg005:004563BE ; seg005:004563BEseg005:004563C7 ; -seg005:004563C7seg005:004563C7 loc_4563C7: ; CODE XREF: sub_4563B3:loc_4563C4jseg
8、005:004563C7 add esp, 4seg005:004563CA ; seg005:004563CAseg005:004563E1 cmp eax, 0FFFhseg005:004563E6 ; seg005:004563E6seg005:004563F0seg005:004563F0 loc_4563F0: ; CODE XREF: sub_4563D9:loc_4563EDjseg005:004563F0 jbe short loc_45640Dseg005:004563F0seg005:004563F2 ; seg005:004563F2seg005:004563FCseg0
9、05:004563FC loc_4563FC: ; CODE XREF: sub_4563D9:loc_4563F9jseg005:004563FC int 3 ; Trap to Debuggers腿幠(迼贁匀踀谀浟贁贁讀缁蜰H缀窢狝踀椀挃挃挃脃脖脖蔖餖匘倀刀倀开層豢彑瘀搀漀挀愀搀搀愀挀攀戀挀戀攀昀昀戀搀愀最椀昀匀倀刀倀开層豢彑瘀搀漀挀尀尀挀戀戀愀戀愀愀戀搀愀攀搀挀挀昀琀焀儀欀砀堀爀倀搀稀瀀洀堀伀儀渀攀椀挀圀嘀匀挀戀眀搀圀挀吀琀儀匀倀刀倀开層豢彑瘀刀倀开層豢开瘀愀愀搀挀愀搀愀愀搀搀愀搀刀倀礀罎層豢琀唀揿愀琀愀氀漀最甀攀舀匀甀洀洀愀爀礀瀀瀀氀椀挀愀戀氀攀戀甀猀椀渀攀猀猀猀挀漀瀀攀層睏卑敏匀瀀攀
10、挀椀昀椀挀猀琀攀瀀猀漀昀戀甀猀椀渀攀猀猀漀瀀攀爀愀琀椀漀渀椀饲灎湥伀潏喋喋喋汓喋余魓喋舀匀甀洀洀愀爀礀瀀瀀氀椀挀愀戀氀攀戀甀猀椀渀攀猀猀猀挀漀瀀攀搀層豢蹵潗獶灸湥喋喋汓沋喋喋豎鍹層睏卑敏匀瀀攀挀椀昀椀挀猀琀攀瀀猀漀昀戀甀猀椀渀攀猀猀漀瀀攀爀愀琀椀漀渀椀饲灎湥譧罎芀蕓楒饲灎湥祡芘刀倀湨塒溈驸刀倀礀湨R瘀苿刀倀刀倀笀譼刀倀箍譼秿該箍譼鎍塞叿吀倀饧鍥瘀坎潏舰鶑湨鹣艝灓湥壿一漀琀攀盿襧坢g马獎譧罎祔魧祎k盿灎挀椀芈蕓楒饲灎湥祡芘刀倀刀倀箍譼秿該箍譼穎腎鎍塞叿吀倀饧鍥匀吀晔瘀坎潏舰鶑湨鹣艝灓湥壿一漀琀攀蹛罎葧葾婢齣伀謀楎匀璀祴罪翿匀圀礀罎楾饲蹗罎萀v瓿摓葾嫿奏齾偓饧琰艺嘀吀伀翿匀啠齟饓e一漀琀攀虎抖艫蕓啝啎箋譼著伀陎垙华葙伀廿厗葙艎蕓伀蹛伀蜀艔蕓伀祒盿钕謀楎敎鏿斏艝豓楔饲晖豻敎鹥晖蹛晎敟伀衾潾塏獛潏喋謀楎潏喋筟譼獎甀戀挀漀渀琀爀愀挀琀椀渀最瘰潏喋蹛葨驶葙獵喋謀楎攀喋灓蝥蹛攀貚灙湥喋葓灶禋葒錀斏腟潏晖癛坎一漀琀攀
