谁给讲一下下面这段exe2bat
@echo off
echo q | debug>nul echo Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=>sleep.com echo 0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6>>sleep.com echo T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?>>sleep.com echo pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz>>sleep.com echo LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk>>sleep.com echo _GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=>>sleep.com echo EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R>>sleep.com echo _OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?>>sleep.com echo dsmSQswDOR[BQAQ?LUA?_L_oUNUScLOOuLOODUO?UOE@OwH?UOQ?DJTSDM>>sleep.com echo QTqrK@kcmSULkPcLOOuLOOFUO?hwDTqOsTdbnTQrrDsdFTlnBTm`lThKcT>>sleep.com echo @dmTkRQSoddTT~?K?OCOQp?o??Gds?wOw?PGAtaCHQvNntQv_w?A?it\EH>>sleep.com echo {zpQpKGk?Jbs?FqokOH{T?jPvP@IQBDFAN?OHROL?Kj??pd~aN?OHROd?G>>sleep.com echo Q??PGT~B??OC~?ipO?T?~U?p~cUo0x>>sleep.com sleep.com>sleep.exe echo wait %1 seconds: sleep.exe %1000 del sleep.com del sleep.exe 一段代码首先定向到sleep.com,这个程序是一个DOS 16位的应用程序,使用DOS功能调用,对编码的内容进行控制台输出,然后输出的结果再定向到sleep.exe中,生成真正的windows程序。 这种编码的好处是不依赖debug程序就可以还原一个exe文件。而且比使用debug还原exe 批处理文件的大小要小很多。编码的风格类似于缓冲区溢出采用的特殊编码格式,目标是把不可视变成可视字符。回避特殊字符,不过sleep.com 汇编代码比较难懂,谁给分析一下。 |
沙发#
发布于:2007-02-08 12:03
没有玩过,不过帮你贴段代码
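#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Largest input size accepted (exclusive).  The generated debug script
 * loads the file at offset 0x100 of debug's 64 KiB segment, so the last
 * byte must still lie below 0x10000: 0x100 + 65279 == 0xFFFF.
 */
#define M 65279

char *msg = "GOOD_LUCK";

void help(void);
char exe2bat(char *, char *);

/* Entry point: exe2bat input.exe output.bat */
int main(int argc, char **argv)
{
    /* Only argc==1 was checked before; with a single argument argv[2] is
     * NULL and fopen(NULL) is undefined behaviour, so require both paths. */
    if (argc < 3) {
        help();
    }
    exe2bat(argv[1], argv[2]);
    return 0;
}

/* Print usage and terminate the process; never returns. */
void help(void)
{
    printf("\nWritten by W.Z.T <==Don't be lazy,Just go ahead==>\n\n");
    printf("exe2bat.exe input.exe output.bat\n");
    exit(0);
}

/*
 * Encode the binary file s_f as the DOS batch file t_f.
 *
 * The batch file writes a debug(1) script named "sgl" in the current
 * directory: one "e <addr> <up to 16 hex bytes>" line per 16 input bytes,
 * starting at offset 0x100, followed by "rcx", the byte count, "n tthacker",
 * "w" and "q".  It then feeds the script to debug, deletes it, renames the
 * written file "tthacker" to the input file's name and, as its final line,
 * executes that file.
 *
 * On any error a message is printed and the process exits with
 * EXIT_FAILURE.  Returns 0 on success (the char return type is kept for
 * existing callers).
 */
char exe2bat(char *s_f, char *t_f)
{
    FILE *s_fp = fopen(s_f, "rb");
    if (s_fp == NULL) {
        printf("Can't open the file %s.\n", s_f);
        exit(EXIT_FAILURE);
    }
    FILE *t_fp = fopen(t_f, "w+");
    if (t_fp == NULL) {
        printf("Can't create the file %s.\n", t_f);
        fclose(s_fp);
        exit(EXIT_FAILURE);
    }

    /* Input size: needed for the rcx line and the M limit; ftell returns
     * -1 on failure, so that case is rejected too. */
    long len = -1;
    if (fseek(s_fp, 0, SEEK_END) == 0) {
        len = ftell(s_fp);
    }
    if (len < 0 || fseek(s_fp, 0, SEEK_SET) != 0) {
        printf("Can't determine the size of %s.\n", s_f);
        exit(EXIT_FAILURE);
    }
    printf("%ld,%lx\n", len, len); /* %lx: len is a long */
    if (len == 0) {
        printf("The exe file %s is empty.\n", s_f);
        exit(EXIT_FAILURE);
    }
    if (len >= M) {
        printf("The exe file's lenth must be <= M-1\n");
        exit(EXIT_FAILURE);
    }

    /*
     * Emit "@echo e <addr> b0 b1 ... >>sgl" lines of 16 bytes each.  The
     * address header is written lazily at the first byte of a line, so an
     * input whose size is a multiple of 16 no longer ends with a dangling
     * "@echo e xxxx " header.  Looping on fgetc() != EOF instead of
     * !feof() avoids the spurious trailing 0xff byte the feof idiom emits.
     */
    long addr = 0x100;
    int in_line = 0;
    int ch;
    while ((ch = fgetc(s_fp)) != EOF) {
        if (in_line == 0) {
            fprintf(t_fp, "@echo e %04lx ", addr);
        }
        fprintf(t_fp, "%02x ", (unsigned)ch); /* same as the old "0" + "%x" */
        addr++;
        if (++in_line == 16) {
            fputs(">>sgl\n", t_fp);
            in_line = 0;
        }
    }
    /* Close a final partial line.  Every line must go to "sgl" in the
     * current directory; the old code sent this one to %tmp%\sgl, which the
     * later "@debug<sgl" never reads. */
    if (in_line != 0) {
        fputs(">>sgl\n", t_fp);
    }
    if (ferror(s_fp)) {
        printf("Error reading %s.\n", s_f);
        exit(EXIT_FAILURE);
    }

    fputs("@echo rcx>>sgl\n", t_fp);
    fprintf(t_fp, "@echo %lx>>sgl\n", len); /* byte count for debug's "w" */
    fputs("@echo n tthacker>>sgl\n", t_fp);
    fputs("@echo w>>sgl\n", t_fp);
    fputs("@echo q>>sgl\n", t_fp);
    fputs("@debug<sgl>nul\n", t_fp);
    fputs("@del sgl\n", t_fp);
    /* Rename the written file to the input's name.  The trailing >>sgl is
     * kept from the original; it silences ren's output and presumably
     * recreates an empty "sgl" after the del above. */
    fprintf(t_fp, "@ren tthacker %s>>sgl\n", s_f);
    /* Final line of the generated script: run the reconstructed file. */
    fprintf(t_fp, "@%s", s_f);

    fclose(s_fp);
    /* t_fp is a write stream: fclose flushes, so its result matters. */
    if (fclose(t_fp) != 0) {
        printf("Can't write the file %s.\n", t_f);
        exit(EXIT_FAILURE);
    }
    puts(msg);
    return 0;
}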
板凳#
发布于:2007-02-09 17:19
这东西的特点就是把一个.com文件转成了.txt文件,因为要转成可见字符,所以代码都被重新调整了,但含义不变(类似于代码优化?),象测试反病毒软件用的EICAR.TXT其实就是一个可直接执行的COM文件。这种代码确实太难懂了。似乎听人说过有程序可以自动转换,可惜没有见过。