您所在位置:主题:[讨论]为什么进入死循环而不死机,还能正常运行
phai2003
[专家分:0] 发布于 2007-10-22 12:36:00
以下是一个延时程序,虽然从表面上看与那个毫无关联.
复制内容到剪贴板
代码:
Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=
0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6
T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?
pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz
LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk
_GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=
EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R
_OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?
dsmSQswDOR[BQAQ?LUA?_L_oUNUScLOOuLOODUO?UOE@OwH?UOQ?DJTSDM
QTqrK@kcmSULkPcLOOuLOOFUO?hwDTqOsTdbnTQrrDsdFTlnBTm`lThKcT
@dmTkRQSoddTT~?K?OCOQp?o??Gds?wOw?PGAtaCHQvNntQv_w?A?it\EH
{zpQpKGk?Jbs?FqokOH{T?jPvP@IQBDFAN?OHROL?Kj??pd~aN?OHROd?G
Q??PGT~B??OC~?ipO?T?~U?p~cUo0x
复制这个代码保存为sleep.com
然后在COMMAND.COM里运行就能看到一个EXE文件的镜像.
或用sleep.com>sleep.exe生成一个EXE文件.
这是德国人写的一个东东.可以说是纯P的.没有使用DEBUG技术.
对其代码进行分析,当分析关键代码时,遇到前所未有的困难.
这个程序可以自己改变文本(或说是程序)中的内容,从而更接近机器码.
最后在一个代码串中反复执行.什么时候出来就不知道了.
这个代码如下:
0C1E:0132 55 PUSH BP
0C1E:0133 59 POP CX
0C1E:0134 52 PUSH DX
0C1E:0135 58 POP AX
0C1E:0136 324478 XOR AL,[SI+78]
0C1E:0139 3D0D0A CMP AX,0A0D
0C1E:013C 304478 XOR [SI+78],AL
0C1E:013F 46 INC SI
0C1E:0140 50 PUSH AX
0C1E:0141 2C30 SUB AL,30
0C1E:0143 58 POP AX
0C1E:0144 78EE JS 0134
0C1E:0146 7430 JZ 0178
0C1E:0148 50 PUSH AX
0C1E:0149 2C3D SUB AL,3D
0C1E:014B 58 POP AX
0C1E:014C 7407 JZ 0155
0C1E:014E 7302 JNB 0152
0C1E:0150 346F XOR AL,6F
0C1E:0152 40 INC AX
0C1E:0153 243F AND AL,3F
0C1E:0155 50 PUSH AX
0C1E:0156 49 DEC CX
0C1E:0157 79DB JNS 0134
0C1E:0159 205777 AND [BX+77],DL
0C1E:015C 58 POP AX
0C1E:015D 304777 XOR [BX+77],AL
0C1E:0160 55 PUSH BP
0C1E:0161 59 POP CX
0C1E:0162 205776 AND [BX+76],DL
0C1E:0165 C1 DB C1
0C1E:0166 6F DB 6F
0C1E:0167 7602 JBE 016B
0C1E:0169 58 POP AX
0C1E:016A 324776 XOR AL,[BX+76]
0C1E:016D 304578 XOR [DI+78],AL
0C1E:0170 47 INC DI
0C1E:0171 49 DEC CX
0C1E:0172 75EE JNZ 0162
0C1E:0174 74BC JZ 0132
我执行了二百遍,代码也未发生改变.
但用g 176时,结果就出来了.显示如下: (因为cs:0176永远都执行不到,去程序根本不能从里面出,所以这跟直接用g是没差别的)
MZP☺☺ ♦ P☺ @ É ⁿ╛ü ☼╢L f1╥f1└Ix
¼,0r¶< w►fk╥
f☺┬.╟♠/ 1 δΣ. &/ ♫ fi╥Φ♥ fë╤f┴Θ►┤å═§╕ L═! PE L☺☺ PyÑ6
α ☼☺♂☺♣♀ ☻ ~► ► @ ► ☻ ♦ ♦ ☻ ♥
► ► ► ► ► ►► (
► ► .text
▄ ► ☻ ☻ α
V► d► v► F► 8► ►
KERNEL32.dll V► d► v► ExitProcess GetCommandLineA Sleep
§♦►@ 1╥H@Ç8 t◄Ç8"u☻≈╥ ╥u∩Ç8 uΩ@ⁿë╞1╥1└└t#,0r§< w◄k╥
☺┬╟♣╔►@ ═►@ δΓ %╔►@ Ñ
►@ R ►@ j § ►@
这就是sleep.exe的镜像了.看到了吧,还有API呢.
这显然是用高级语言编写然后用了某种技术,使之成为纯文本.
不过程序并没退出,还会继续,不过要人干预,所以并没影响sleep.exe的使用.
出口就在cs:136上.再执行,就会进入到小于CS:100的地方去了,显然会出错.
这是一个标准的PE文件,反编译后能了解其内容.
0040107E: FF 15 04 10 40 00 CALL DWORD PTR [00401004] ; GetCommandLineA
00401084: 31 D2 XOR EDX,EDX
00401086: 48 DEC EAX
00401087: 40 INC EAX
00401088: 80 38 00 CMP BYTE PTR [EAX],00
0040108B: 74 11 JZ 0040109E
0040108D: 80 38 22 CMP BYTE PTR [EAX],22
00401090: 75 02 JNZ 00401094
00401092: F7 D2 NOT EDX
00401094: 09 D2 OR EDX,EDX
00401096: 75 EF JNZ 00401087
00401098: 80 38 20 CMP BYTE PTR [EAX],20
0040109B: 75 EA JNZ 00401087
0040109D: 40 INC EAX
0040109E: FC CLD
0040109F: 89 C6 MOV ESI,EAX
004010A1: 31 D2 XOR EDX,EDX
004010A3: 31 C0 XOR EAX,EAX
004010A5: AC LODS AL,BYTE PTR DS:[ESI]
004010A6: 08 C0 OR AL,AL
004010A8: 74 23 JZ 004010CD
004010AA: 2C 30 SUB AL,30
004010AC: 72 15 JB 004010C3
004010AE: 3C 09 CMP AL,09
004010B0: 77 11 JNBE 004010C3
004010B2: 6B D2 0A IMUL EDX,EDX,0A
004010B5: 01 C2 ADD EDX,EAX
004010B7: C7 05 C9 10 40 00 CD 10 40 00 MOV DWORD PTR [004010C9],004010CD
004010C1: EB E2 JMP 004010A5
004010C3: FF 25 C9 10 40 00 JMP DWORD PTR [004010C9]
004010C9: A5 MOVS DWORD PTR DS:[ESI],DWORD PTR ES:[EDI]
004010CA: 10 40 00 ADC [EAX+00],AL
004010CD: 52 PUSH EDX
004010CE: FF 15 08 10 40 00 CALL DWORD PTR [00401008] ; Sleep
004010D4: 6A 00 PUSH 00
004010D6: FF 15 00 10 40 00 CALL DWORD PTR [00401000] ; ExitProcess
也能用工具看到他有exe文件的格式:
00000000 5A4D Signature: MZ
00000002 0150 Extra Bytes
00000004 0001 Pages
00000006 0000 Reloc Items
00000008 0004 Header Size
0000000A 0000 Min Alloc
0000000C FFFF Max Alloc
0000000E 0000 Initial SS
00000010 0150 Initial SP
00000012 0000 Check Sum
00000014 0000 Initial IP
00000016 0000 Initial CS
00000018 0040 Reloc Table
0000001A 0000 Overlay
00000090 00004550 Signature: PE
00000094 014C Machine: 014C=I386
00000096 0001 Number of Sections
00000098 36A57950 Time/Date Stamp
0000009C 00000000 Pointer to Symbol Table
000000A0 00000000 Number of Symbols
000000A4 00E0 Optional Header Size
000000A6 010F Characteristics
00000188 .text Section Name
00000190 000000DC Virtual Size
00000194 00001000 RVA/Offset
00000198 00000200 Size of Raw Data
0000019C 00000200 Pointer to Raw Data
000001A0 00000000 Pointer to Relocs
000001A4 00000000 Pointer to Line Numbers
000001A8 0000 Number of Relocs
000001AA 0000 Number of Line Numbers
000001AC E0000020 Section Flags (Writeable, Readable, Executable, Code)
不再怀疑它是一个正宗的PE文件了吧.
至于sleep.exe原理吗,很简单,看下面就知道了
00000000 ExitProcess
00000000 GetCommandLineA
00000000 Sleep
这三个都是kernel32.dll中的API,也就是说可以直接用高级汇编语言,比如win32asm调用.
我的问题是为什么虽然这个代码串是一个死循环,但程序依然能运行.在不出来的情况下执行了.并显示了上面的EXE镜象.
希望有汇编高手能给予解答.
复制内容到剪贴板
代码:
Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=
0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6
T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?
pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz
LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk
_GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=
EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R
_OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?
dsmSQswDOR[BQAQ?LUA?_L_oUNUScLOOuLOODUO?UOE@OwH?UOQ?DJTSDM
QTqrK@kcmSULkPcLOOuLOOFUO?hwDTqOsTdbnTQrrDsdFTlnBTm`lThKcT
@dmTkRQSoddTT~?K?OCOQp?o??Gds?wOw?PGAtaCHQvNntQv_w?A?it\EH
{zpQpKGk?Jbs?FqokOH{T?jPvP@IQBDFAN?OHROL?Kj??pd~aN?OHROd?G
Q??PGT~B??OC~?ipO?T?~U?p~cUo0x
复制这个代码保存为sleep.com
然后在COMMAND.COM里运行就能看到一个EXE文件的镜像.
或用sleep.com>sleep.exe生成一个EXE文件.
这是德国人写的一个东东.可以说是纯P的.没有使用DEBUG技术.
对其代码进行分析,当分析关键代码时,遇到前所未有的困难.
这个程序可以自己改变文本(或说是程序)中的内容,从而更接近机器码.
最后在一个代码串中反复执行.什么时候出来就不知道了.
这个代码如下:
0C1E:0132 55 PUSH BP
0C1E:0133 59 POP CX
0C1E:0134 52 PUSH DX
0C1E:0135 58 POP AX
0C1E:0136 324478 XOR AL,[SI+78]
0C1E:0139 3D0D0A CMP AX,0A0D
0C1E:013C 304478 XOR [SI+78],AL
0C1E:013F 46 INC SI
0C1E:0140 50 PUSH AX
0C1E:0141 2C30 SUB AL,30
0C1E:0143 58 POP AX
0C1E:0144 78EE JS 0134
0C1E:0146 7430 JZ 0178
0C1E:0148 50 PUSH AX
0C1E:0149 2C3D SUB AL,3D
0C1E:014B 58 POP AX
0C1E:014C 7407 JZ 0155
0C1E:014E 7302 JNB 0152
0C1E:0150 346F XOR AL,6F
0C1E:0152 40 INC AX
0C1E:0153 243F AND AL,3F
0C1E:0155 50 PUSH AX
0C1E:0156 49 DEC CX
0C1E:0157 79DB JNS 0134
0C1E:0159 205777 AND [BX+77],DL
0C1E:015C 58 POP AX
0C1E:015D 304777 XOR [BX+77],AL
0C1E:0160 55 PUSH BP
0C1E:0161 59 POP CX
0C1E:0162 205776 AND [BX+76],DL
0C1E:0165 C1 DB C1
0C1E:0166 6F DB 6F
0C1E:0167 7602 JBE 016B
0C1E:0169 58 POP AX
0C1E:016A 324776 XOR AL,[BX+76]
0C1E:016D 304578 XOR [DI+78],AL
0C1E:0170 47 INC DI
0C1E:0171 49 DEC CX
0C1E:0172 75EE JNZ 0162
0C1E:0174 74BC JZ 0132
我执行了二百遍,代码也未发生改变.
但用g 176时,结果就出来了.显示如下: (因为cs:0176永远都执行不到,去程序根本不能从里面出,所以这跟直接用g是没差别的)
MZP☺☺ ♦ P☺ @ É ⁿ╛ü ☼╢L f1╥f1└Ix
¼,0r¶< w►fk╥
f☺┬.╟♠/ 1 δΣ. &/ ♫ fi╥Φ♥ fë╤f┴Θ►┤å═§╕ L═! PE L☺☺ PyÑ6
α ☼☺♂☺♣♀ ☻ ~► ► @ ► ☻ ♦ ♦ ☻ ♥
► ► ► ► ► ►► (
► ► .text
▄ ► ☻ ☻ α
V► d► v► F► 8► ►
KERNEL32.dll V► d► v► ExitProcess GetCommandLineA Sleep
§♦►@ 1╥H@Ç8 t◄Ç8"u☻≈╥ ╥u∩Ç8 uΩ@ⁿë╞1╥1└└t#,0r§< w◄k╥
☺┬╟♣╔►@ ═►@ δΓ %╔►@ Ñ
►@ R ►@ j § ►@
这就是sleep.exe的镜像了.看到了吧,还有API呢.
这显然是用高级语言编写然后用了某种技术,使之成为纯文本.
不过程序并没退出,还会继续,不过要人干预,所以并没影响sleep.exe的使用.
出口就在cs:136上.再执行,就会进入到小于CS:100的地方去了,显然会出错.
这是一个标准的PE文件,反编译后能了解其内容.
0040107E: FF 15 04 10 40 00 CALL DWORD PTR [00401004] ; GetCommandLineA
00401084: 31 D2 XOR EDX,EDX
00401086: 48 DEC EAX
00401087: 40 INC EAX
00401088: 80 38 00 CMP BYTE PTR [EAX],00
0040108B: 74 11 JZ 0040109E
0040108D: 80 38 22 CMP BYTE PTR [EAX],22
00401090: 75 02 JNZ 00401094
00401092: F7 D2 NOT EDX
00401094: 09 D2 OR EDX,EDX
00401096: 75 EF JNZ 00401087
00401098: 80 38 20 CMP BYTE PTR [EAX],20
0040109B: 75 EA JNZ 00401087
0040109D: 40 INC EAX
0040109E: FC CLD
0040109F: 89 C6 MOV ESI,EAX
004010A1: 31 D2 XOR EDX,EDX
004010A3: 31 C0 XOR EAX,EAX
004010A5: AC LODS AL,BYTE PTR DS:[ESI]
004010A6: 08 C0 OR AL,AL
004010A8: 74 23 JZ 004010CD
004010AA: 2C 30 SUB AL,30
004010AC: 72 15 JB 004010C3
004010AE: 3C 09 CMP AL,09
004010B0: 77 11 JNBE 004010C3
004010B2: 6B D2 0A IMUL EDX,EDX,0A
004010B5: 01 C2 ADD EDX,EAX
004010B7: C7 05 C9 10 40 00 CD 10 40 00 MOV DWORD PTR [004010C9],004010CD
004010C1: EB E2 JMP 004010A5
004010C3: FF 25 C9 10 40 00 JMP DWORD PTR [004010C9]
004010C9: A5 MOVS DWORD PTR DS:[ESI],DWORD PTR ES:[EDI]
004010CA: 10 40 00 ADC [EAX+00],AL
004010CD: 52 PUSH EDX
004010CE: FF 15 08 10 40 00 CALL DWORD PTR [00401008] ; Sleep
004010D4: 6A 00 PUSH 00
004010D6: FF 15 00 10 40 00 CALL DWORD PTR [00401000] ; ExitProcess
也能用工具看到他有exe文件的格式:
00000000 5A4D Signature: MZ
00000002 0150 Extra Bytes
00000004 0001 Pages
00000006 0000 Reloc Items
00000008 0004 Header Size
0000000A 0000 Min Alloc
0000000C FFFF Max Alloc
0000000E 0000 Initial SS
00000010 0150 Initial SP
00000012 0000 Check Sum
00000014 0000 Initial IP
00000016 0000 Initial CS
00000018 0040 Reloc Table
0000001A 0000 Overlay
00000090 00004550 Signature: PE
00000094 014C Machine: 014C=I386
00000096 0001 Number of Sections
00000098 36A57950 Time/Date Stamp
0000009C 00000000 Pointer to Symbol Table
000000A0 00000000 Number of Symbols
000000A4 00E0 Optional Header Size
000000A6 010F Characteristics
00000188 .text Section Name
00000190 000000DC Virtual Size
00000194 00001000 RVA/Offset
00000198 00000200 Size of Raw Data
0000019C 00000200 Pointer to Raw Data
000001A0 00000000 Pointer to Relocs
000001A4 00000000 Pointer to Line Numbers
000001A8 0000 Number of Relocs
000001AA 0000 Number of Line Numbers
000001AC E0000020 Section Flags (Writeable, Readable, Executable, Code)
不再怀疑它是一个正宗的PE文件了吧.
至于sleep.exe原理吗,很简单,看下面就知道了
00000000 ExitProcess
00000000 GetCommandLineA
00000000 Sleep
这三个都是kernel32.dll中的API,也就是说可以直接用高级汇编语言,比如win32asm调用.
我的问题是为什么虽然这个代码串是一个死循环,但程序依然能运行.在不出来的情况下执行了.并显示了上面的EXE镜象.
希望有汇编高手能给予解答.
