逆向还原exeshell一个可以给sys加花的小东西


很早的时候,在研究怎么给驱动加壳的时候,忘了从哪有了这个exeshell小工具(这个小工具好像是V大写的,我也不是很确定,希望V大不要生气呵呵)可以给sys加密,从而在一定程度上拖延了sys被人用F5虐待的时间,于是当时就花了几天把它给逆了,其实简单地说就是把sys文件的.text段与0x44异或,进行简单加密。具体可以看idb的sub_4014A0函数。

关键代码:

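/*
 * File offset of a header field that lives inside the in-memory copy of the
 * image at dwbase.  pField must point into that copy; this is the same
 * (long)&field - dwbase arithmetic the original used.  The tool is 32-bit
 * only (dwbase is a DWORD, and the stub below is 32-bit code).
 */
static DWORD FieldFileOffset(const void *pField, DWORD dwbase)
{
    return (DWORD)((DWORD_PTR)pField - (DWORD_PTR)dwbase);
}

/*
 * Seek to dwOffset (from the start of the file) and write one DWORD there.
 * Returns FALSE if the seek fails, the write fails, or fewer than 4 bytes
 * were written, so the caller can stop instead of leaving a half-patched
 * image on disk.
 */
static BOOL WriteDwordAt(HANDLE hFile, DWORD dwOffset, DWORD dwValue)
{
    DWORD dwBytesWritten = 0;
    if (SetFilePointer(hFile, (LONG)dwOffset, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
    {
        return FALSE;
    }
    if (!WriteFile(hFile, &dwValue, sizeof(dwValue), &dwBytesWritten, NULL))
    {
        return FALSE;
    }
    return dwBytesWritten == sizeof(dwValue);
}

/*
 * Wraps a 32-bit .sys image so that its .text section is stored XOR-encoded
 * and a small stub appended to .reloc decodes it at load time.
 *
 * hFile  - handle to the driver image, opened for read/write.  The stub is
 *          appended at the current end of file and header fields are patched
 *          in place.
 * dwbase - address of an in-memory copy of the same image; NtHeader (defined
 *          elsewhere in this class/file) points into it.  The .text bytes are
 *          XOR-ed in that copy, not via hFile, so it is presumably a writable
 *          mapping of the same file that the caller flushes - confirm against
 *          the caller.
 *
 * Returns TRUE on success.  On any failure a message box is shown and FALSE
 * is returned; the file may already be partially modified at that point (the
 * original tool behaved the same way), so callers should operate on a copy.
 *
 * Resulting layout (every value is read from the in-memory headers before the
 * first write, so the result does not depend on whether dwbase is coherent
 * with hFile):
 *   - a SECTION_SIZE-byte stub appended at the old end of file, with its two
 *     placeholders 0x11111111 / 0x22222222 replaced by the original base-reloc
 *     directory RVA and the original AddressOfEntryPoint;
 *   - AddressOfEntryPoint -> start of the stub (.reloc RVA + old SizeOfRawData);
 *   - .reloc VirtualSize/SizeOfRawData grown by SECTION_SIZE, SizeOfImage grown
 *     by the section-aligned SECTION_SIZE;
 *   - base-reloc data directory RVA zeroed (the real RVA travels in the stub,
 *     presumably so the stub can restore it - not verifiable from this file);
 *   - .text and .reloc Characteristics set to 0xE0000020, i.e. code|execute|
 *     read|write, which the stub needs to write into .text.  A writable and
 *     executable code section is also one of the usual "packed image" indicators
 *     that scanners and reviewers look for;
 *   - .text bytes XOR-ed with KEY in the in-memory copy.
 */
BOOL CEncrptySYSDlg::EncrptySYS(HANDLE hFile, DWORD dwbase)
{
    // Runtime stub lifted from exeshell; it decodes .text in place at load time.
    unsigned char Encrptycode[] =
    {
    0x9C,0x60,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xE8,0x00,0x00,0x00,0x00,0x5B,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,
    0x00,0xE8,0x8B,0xCB,0x49,0x66,0x8B,0x11,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x66,0x81,0xFA,0x4D,0x5A,0x75,0xE8,0x0F,0x80,0x07,0x00,
    0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0x51,0x3C,0x03,0xD1,0x66,0x8B,0x02,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x66,0x3D,
    0x50,0x45,0x75,0xC0,0x51,0x52,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0x42,0x0C,0x03,0xC1,0x8B,0x4A,
    0x08,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x80,0x34,0x08,0x44,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xE2,
    0xE0,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x80,0x30,0x44,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xB8,0x11,
    0x11,0x11,0x11,0x5A,0x59,0x8B,0xE9,0x85,0xC0,0x0F,0x84,0x9D,0x00,0x00,0x00,0x03,0xC1,0x8B,0x18,0x8B,0x70,0x04,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,
    0x00,0x00,0xE8,0x8B,0xC0,0x33,0xC9,0x8B,0xF8,0x83,0xC7,0x08,0x50,0x56,0x0F,0xB7,0x07,0x66,0x85,0xC0,0x74,0x4C,0x66,0x25,0xFF,0x0F,0x51,0x8B,0xF5,0x03,0xF0,0x03,
    0xF3,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0x0E,0x2B,0x4A,0x34,0x03,0xCD,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,
    0x00,0xE8,0x89,0x0E,0x59,0x41,0x47,0x47,0x5E,0x56,0x83,0xEE,0x08,0xD1,0xEE,0x3B,0xCE,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x73,0x02,
    0xEB,0xAC,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0xC0,0x5E,0x58,0x03,0xC6,0x8B,0x30,0x85,0xF6,0x0F,0x85,0x72,0xFF,0xFF,0xFF,0x0F,
    0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xB8,0x22,0x22,0x22,0x22,0x03,0xC5,
    0xE8,0x08,0x00,0x00,0x00,0xB8,0x00,0x00,0x00,0x00,0xFF,0xE0,0xE9,0x5A,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0xC0,0x89,0x42,0x01,
    0x61,0x9D,0xEB,0xE1,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0x00
    };

    const DWORD dwRelocDirRva =
        NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;

    PIMAGE_SECTION_HEADER pRelocSection = GetEnclosingSectionHeaderRavtoOffset(dwRelocDirRva, NtHeader);
    if (pRelocSection == NULL)
    {
        MessageBox("加壳失败!", "EncrptySYS", MB_OK);
        return FALSE;
    }

    // The first section header is taken to be .text (the stub makes the same
    // assumption).  NtHeader + 1 can never be NULL, so the meaningful check is
    // that there is at least one section at all.
    if (NtHeader->FileHeader.NumberOfSections == 0)
    {
        MessageBox("加壳失败!", "EncrptySYS", MB_OK);
        return FALSE;
    }
    PIMAGE_SECTION_HEADER pTextSection = (PIMAGE_SECTION_HEADER)(NtHeader + 1);

    const DWORD FileSize = GetFileSize(hFile, NULL);
    if (FileSize == INVALID_FILE_SIZE)
    {
        MessageBox("GetFileSize failed.", "EncrptySYS", MB_OK);
        return FALSE;
    }

    // The new entry point is .reloc RVA + .reloc SizeOfRawData.  That RVA only
    // lands on the appended stub if .reloc's raw data ends exactly at the
    // current end of file (i.e. .reloc is the last section and there is no
    // overlay); otherwise the patched driver would start executing arbitrary
    // bytes.  Refuse instead of corrupting the image silently.
    if (pRelocSection->PointerToRawData + pRelocSection->SizeOfRawData != FileSize)
    {
        MessageBox(".reloc is not the last section in the file.", "EncrptySYS", MB_OK);
        return FALSE;
    }

    //
    // Everything the header patches need, read before the first write.
    //
    const DWORD OrignalOEP = NtHeader->OptionalHeader.AddressOfEntryPoint;
    const DWORD dwNewOEP = pRelocSection->VirtualAddress + pRelocSection->SizeOfRawData;
    const DWORD dwNewRelocVirtualSize = pRelocSection->Misc.VirtualSize + SECTION_SIZE;
    const DWORD dwNewRelocRawSize =
        CalcAlignment(NtHeader->OptionalHeader.FileAlignment, dwNewRelocVirtualSize);
    const DWORD dwNewSizeOfImage = NtHeader->OptionalHeader.SizeOfImage
        + CalcAlignment(NtHeader->OptionalHeader.SectionAlignment, SECTION_SIZE);
    // IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    const DWORD dwRwxCode = 0xE0000020;
    // Kept from the original tool; why the heap reserve is changed is not
    // evident from this file.
    const DWORD dwHeapReserve = 0x00100000;

    //
    // Build the SECTION_SIZE-byte stub in memory, patch the two placeholders
    // there and write it once.  The original wrote the array, read it back and
    // patched the file; it also passed SECTION_SIZE as the write length for a
    // sizeof(Encrptycode)-byte array, reading past the array whenever
    // SECTION_SIZE was larger.  Here the tail past the stub is zero; if
    // SECTION_SIZE is smaller the stub is truncated, exactly as before.
    //
    BYTE *bufMyself = new BYTE[SECTION_SIZE];
    if (bufMyself == NULL)  // MFC's operator new normally throws; kept for builds where it returns NULL
    {
        MessageBox("分配内存失败!", "EncrptySYS", MB_OK);
        return FALSE;
    }
    ZeroMemory(bufMyself, SECTION_SIZE);
    DWORD cbStub = (DWORD)sizeof(Encrptycode);
    if (cbStub > SECTION_SIZE)
    {
        cbStub = SECTION_SIZE;
    }
    CopyMemory(bufMyself, Encrptycode, cbStub);

    DWORD FlagCode1 = 0x11111111; // placeholder: original base-reloc directory RVA
    DWORD FlagCode2 = 0x22222222; // placeholder: original entry-point RVA
    int iPointer1 = find_bytes(bufMyself, SECTION_SIZE, (BYTE*)&FlagCode1, 4);
    int iPointer2 = find_bytes(bufMyself, SECTION_SIZE, (BYTE*)&FlagCode2, 4);
    if (iPointer1 < 0 || iPointer2 < 0)
    {
        // The original added a "not found" result to FileSize unchecked and
        // wrote the values to a bogus offset.
        delete[] bufMyself;
        MessageBox("stub placeholders not found.", "EncrptySYS", MB_OK);
        return FALSE;
    }
    CopyMemory(bufMyself + iPointer1, &dwRelocDirRva, 4);
    CopyMemory(bufMyself + iPointer2, &OrignalOEP, 4);

    DWORD dwBytesWritten = 0;
    BOOL bStubWritten =
        SetFilePointer(hFile, (LONG)FileSize, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER
        && WriteFile(hFile, bufMyself, SECTION_SIZE, &dwBytesWritten, NULL)
        && dwBytesWritten == SECTION_SIZE;
    delete[] bufMyself;
    bufMyself = NULL;
    if (!bStubWritten)
    {
        MessageBox("WriteFile(stub) failed.", "EncrptySYS", MB_OK);
        return FALSE;
    }

    //
    // Header patches: (field in the in-memory headers, new value, name for
    // the error message).  Every write is checked; the original only checked
    // the two Characteristics writes.
    //
    struct HeaderPatch
    {
        const void *pField;
        DWORD dwValue;
        const char *pszName;
    };
    const HeaderPatch patches[] =
    {
        { &NtHeader->OptionalHeader.SizeOfImage, dwNewSizeOfImage, "SizeOfImage" },
        // Zero the base-reloc directory; the real RVA was placed in the stub above.
        { &NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress, 0, "BaseReloc.VirtualAddress" },
        { &pRelocSection->Characteristics, dwRwxCode, ".reloc Characteristics" },
        { &pTextSection->Characteristics, dwRwxCode, ".text Characteristics" },
        { &NtHeader->OptionalHeader.AddressOfEntryPoint, dwNewOEP, "AddressOfEntryPoint" },
        { &pRelocSection->SizeOfRawData, dwNewRelocRawSize, ".reloc SizeOfRawData" },
        // Misc.VirtualSize and Misc.PhysicalAddress are the same union member,
        // so the original's separate PhysicalAddress write was a duplicate of
        // this one and is dropped.
        { &pRelocSection->Misc.VirtualSize, dwNewRelocVirtualSize, ".reloc VirtualSize" },
        { &NtHeader->OptionalHeader.SizeOfHeapReserve, dwHeapReserve, "SizeOfHeapReserve" },
    };
    for (size_t i = 0; i < sizeof(patches) / sizeof(patches[0]); i++)
    {
        if (!WriteDwordAt(hFile, FieldFileOffset(patches[i].pField, dwbase), patches[i].dwValue))
        {
            CString msg;
            msg.Format("WriteFile(%s) failed.", patches[i].pszName);
            MessageBox(msg, "EncrptySYS", MB_OK);
            return FALSE;
        }
    }

    //
    // XOR .text with KEY in the in-memory copy (0x44 according to the article
    // and the stub).  Bound the loop by SizeOfRawData as well as VirtualSize:
    // when .text's VirtualSize exceeds its raw size, the original XOR-ed bytes
    // that belong to the next section in the file.  The stub appears to decode
    // VirtualSize bytes at run time, where the tail past SizeOfRawData is loader
    // zero-fill rather than the next section, so this bound does not change
    // what the decoded .text looks like in memory.
    //
    DWORD cbText = pTextSection->Misc.VirtualSize;
    if (cbText > pTextSection->SizeOfRawData)
    {
        cbText = pTextSection->SizeOfRawData;
    }
    unsigned char *pTextData = (unsigned char *)(dwbase + pTextSection->PointerToRawData);
    for (DWORD k = 0; k < cbText; k++)
    {
        pTextData[k] ^= KEY;
    }

    return TRUE;
}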

附件中有原始文件,idb和逆向原代码

水平有限,还请各位大牛多多批评!!