做看似不需要的操作(crackme) [英] doing seemingly un-needed ops (crackme)

问题描述

 80483ed:       b8 00 00 00 00          mov    $0x0,%eax                                                   │~                                                                                                       
 80483f2:       83 c0 0f                add    $0xf,%eax                                                   │~                                                                                                       
 80483f5:       83 c0 0f                add    $0xf,%eax                                                   │~                                                                                                       
 80483f8:       c1 e8 04                shr    $0x4,%eax                                                   │~                                                                                                       
 80483fb:       c1 e0 04                shl    $0x4,%eax                                                   │~                                                                                                       
 80483fe:       29 c4                   sub    %eax,%esp 

这是我objdump -ded 的crackme 二进制文件的主要函数开头的汇编代码片段.eax 操作对我来说很奇怪:

This is an assembly code snippet from the start of a main function of a crackme binary I objdump -ded. The eax manipulation is very odd to me:

 1. eax = 0
 2. eax += 0xf
 3. eax += 0xf // eax = 0x1e (30 decimal, 11110 in binary)
 4. eax >>= 4 // eax = 1
 5. eax <<= 4 // eax = 16 (0x10)

这是某种出于某种原因对 eax 进行操作的快速方法吗?或者这只是为了摆脱试图 RE 的人而未经优化编译的令人困惑的 C 代码?

Is this some kind of a fast way of manipulating eax that is good for some reason? Or is this just a confusing C code that was compiled without optimization in order to throw off the person trying to RE it?

推荐答案

你只是成为一种温和形式的混淆的受害者，专门用来减缓程序的逆向工程.

You just fall victim to a mild form of obfuscation, specifically done to slow done the reverse engineering of the program.

以这段代码为例:

它来自一个真实世界的例子:一个用于传送恶意软件的 VB6¹ 打包程序(我不记得是哪个，我认为是 Gootkit).
在这个特定的截图中，所有的指令都是无用的，但在整个代码中，你会发现 push 和 pop 在这里和那里 -一种愚蠢的做法 mov , .

It's from a real-world example: a VB6¹ packer used to deliver a malware (I don't remember which one, I think it was Gootkit).
In this specific screenshot, all the instructions are useless, but in the whole code you'll find a push <constant> and pop <reg> here and there - a silly way of doing mov <reg>, <constant>.

这只是为了减慢分析师的速度(并可能让初学者望而却步).
只要简单，您就可以在脑海中翻译代码，但您可能需要考虑使用更复杂的工具(如 IDA 或radare2)来注释和操作代码.

That's just to slow down the analyst (and possibly throw off beginners).
As long as it's easy, you can translate the code in you mind but you may want to consider more sophisticated tools (like IDA or radare2) that allow you to comment and manipulate the code.

随着crackme难度的增加，你应该期待更多的混淆和技巧.

As the crackme difficulty increases, you should expect more obfuscation and tricks.

¹这种打包器最终会调用在 VB6 编译器之外生成的本机代码.

¹This kind of packer ends up calling native code generated outside the VB6 compiler.

这篇关于做看似不需要的操作(crackme)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！