Title: A First Look at PowerShield Deobfuscation
Source: boke.25k5.com (Computer Technology)

After studying the PowerShield 1.0 simple edition at various levels of obfuscation complexity, I have two conclusions:

1. PowerShield's obfuscation and encryption give the software next to no protection; it is based on a hide-and-seek approach and is not a reliable form of encryption.
2. After a week of careful analysis and research, including while adding deobfuscation code to pbdecompiler, I found that PowerShield's redundant jump instructions are easy to remove; the code can be merged and reordered back into the form of ordinary compiled code, and the decompiler I developed earlier then decompiles it with no trouble.

Below is a brief introduction to the deobfuscation principle. I will not go into too much detail, because without a decompiler as a foundation, merely being able to strip the jumps still does not make it easy to process the result and restore it to source code.

1. Principle: no matter how it is obfuscated, it cannot break the p-code order of the normal compilation; that is an ironclad fact.
2. Obfuscation principle: it removes the p-code line-count parameter, which makes pbkiller crash because pbkiller relies on that parameter (correction: it relies on the debug parameter to help restore the layout of some lines, since the debug parameter matches the line breaks in the source; pbkiller does not rely on this parameter to break lines).
3. Set up a line counter: when each assembled line of code is inserted into the vector, give it a line number; line numbers are never repeated.
4. LJP: at each logical-condition jump, record the jump address; once the first branch has been analyzed, analyze those recorded branches; finally the complete code is obtained. Of course, because of the deceptive jumps, the resulting code is out of order.
5. Within a line, a deceptive jump is only followed as a transfer and takes no part in any logical jump, until after the line break.
6. Deceptive jumps between lines cannot simply be ignored, because they may affect the logic flow; the original pbd also contains many jumps. Deceptive jumps are mixed in with normal jumps, or the deceptive code replaces one original jump with several. My approach is to compress the jumps: take the start address and the final target address of the jump as two parameters to be used in the subsequent jump analysis.
7. The result obtained in step 4 is as follows:

//local variables list qty = 4
//param: string commandline
boolean l_bb
long ll_xx
long ll_yy
00000000:(00010000/00000001) //expression lines: 0
//Confused expression by PowerShield!
0000FFFF:(00010000/00000001) _._._.J.X.F: 43C8FFFF/00000000: //vcJP010203_3900 insert
43C8FFFF:(00010000/00000002) L._._.J.F.F: 212EFFFF/00000000: l_bb = true
1AACFFFF:(00010000/00000003) _._._.J.X.F: 4406FFFF/00000000: //vcJP010203_3900 insert
4406FFFF:(00010000/00000004) ll_xx = 3
216EFFFF:(00010000/00000005) _._._.J.X.F: 1612FFFF/00000000: //vcJP010203_3900 insert
1612FFFF:(00010000/00000006) ll_xx = 4
21C0FFFF:(00010000/00000007) _._._.J.X.F: 407EFFFF/00000000: //vcJP010203_3900 insert
407EFFFF:(00010000/00000008) L._._.J.F.F: 41F4FFFF/00000000: l_bb = true
3D62FFFF:(00010000/00000009) _._._.J.X.F: 1B04FFFF/00000000: //vcJP010203_3900 insert
1B04FFFF:(00010000/0000000A) ll_xx = 7
3310FFFF:(00010000/0000000B) _._._.J.X.F: 305CFFFF/00000000: //vcJP010203_3900 insert
305CFFFF:(00010000/0000000C) ll_xx = 8
0A18FFFF:(00010000/0000000D) _._._.J.X.F: 45E8FFFF/00000000:
41F4FFFF:(00000008/0000000E) ll_yy = 9
0562FFFF:(00000008/0000000F) _._._.J.X.F: 164AFFFF/00000000: //vcJP010203_3900 insert
164AFFFF:(00000008/00000010) ll_xx = 10
0442FFFF:(00000008/00000011) _._._.J.X.F: 45E8FFFF/00000000:
212EFFFF:(00000002/00000012) ll_yy = 5
2252FFFF:(00000002/00000013) _._._.J.X.F: 3CAAFFFF/00000000: //vcJP010203_3900 insert
3CAAFFFF:(00000002/00000014) ll_xx = 6
131AFFFF:(00000002/00000015) _._._.J.X.B: 407EFFFF/00000000: //vcJP010203_3900 insert
45E8FFFF:(FFFFFFFF/FFFFFFFF) __endof__

The next step is to sort it into visual order and logical order:

//local variables list qty = 4
//param: string commandline
boolean l_bb
long ll_xx
long ll_yy
00000000:(00010000/00000001) //expression lines: 0
//Confused expression by PowerShield!
43C8FFFF:(00010000/00000002) L._._.J.F.F: 212EFFFF/00000000: l_bb = true
4406FFFF:(00010000/00000004) ll_xx = 3
1612FFFF:(00010000/00000006) ll_xx = 4
21C0FFFF:(00010000/00000007) _._._.J.X.F: 407EFFFF/00000000: //vcJP010203_3900 insert
212EFFFF:(00000002/00000012) ll_yy = 5
3CAAFFFF:(00000002/00000014) ll_xx = 6
407EFFFF:(00010000/00000008) L._._.J.F.F: 41F4FFFF/00000000: l_bb = true
1B04FFFF:(00010000/0000000A) ll_xx = 7
305CFFFF:(00010000/0000000C) ll_xx = 8
0A18FFFF:(00010000/0000000D) _._._.J.X.F: 45E8FFFF/00000000:
41F4FFFF:(00000008/0000000E) ll_yy = 9
164AFFFF:(00000008/00000010) ll_xx = 10
45E8FFFF:(FFFFFFFF/FFFFFFFF) __endof__

Half an hour of programming got this done quickly, so I am adding it here:

//local variables list qty = 4
//param: string commandline
boolean l_bb
long ll_xx
long ll_yy
//expression lines: 0
//Confused expression by PowerShield!
if l_bb = true then
    ll_xx = 3
    ll_xx = 4
else
    ll_yy = 5
    ll_xx = 6
end if
if l_bb = true then
    ll_xx = 7
    ll_xx = 8
else
    ll_yy = 9
    ll_xx = 10
end if

8. After the normal code order has been restored, the decompiler's statement-restoration routine is used to identify the various structures (I finished that earlier and tested it on a large amount of code without errors), progressively recovering try...catch, for...next, do...while, if...else...end if and so on.

Last time I saw someone say he was going to write a deobfuscator, but the interface he posted deliberately copied pbkiller exactly; even the icons on the menus were the same (funny). His goal was to remove the obfuscated code, but when the obfuscation depth and complexity are high, the code redundancy is very large and the task is usually very hard to complete without a decompiler. And without a decompiler the statements are hard to restore, which means the result is unreadable.

After a week of analysis and programming, repeatedly revising the program, I can now just about get close to the pre-obfuscation code, but only for a single if...else...end if structure; the other structures have not yet been fine-tuned.

//Stayed up all night and finally finished 90% of the task. Only one word for how it feels: perfect!
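As an added example (not code from this post or from pbdecompiler), the following Python script carries steps 4 and 6 through on the first if/else of the step-4 listing: it collapses each chain of unconditional jumps to its final target, walks the fall-through branch first and the recorded branch second, finds the address where the two branches rejoin, and emits the if...else...end if. The rows are that listing pre-split into fields, with the two jumps that led into the second if retargeted at the __endof__ marker so the sample stands alone; the same walk handles nested ifs and statements following an inner if.

```python
# Constructed sample: the first if/else of the step-4 listing, pre-split into
# (addr, kind, target, text); its two exits into the second if now go to __endof__.
ROWS = [
    ("0000FFFF", "jmp", "43C8FFFF", ""),             # _._._.J.X.F //vcJP010203_3900 insert
    ("43C8FFFF", "cjmp", "212EFFFF", "l_bb = true"),  # L._._.J.F.F: jump to target if false
    ("1AACFFFF", "jmp", "4406FFFF", ""),             # deceptive jump inserted inside the line
    ("4406FFFF", "stmt", None, "ll_xx = 3"),
    ("216EFFFF", "jmp", "1612FFFF", ""),
    ("1612FFFF", "stmt", None, "ll_xx = 4"),
    ("21C0FFFF", "jmp", "45E8FFFF", ""),             # exit of the true branch (retargeted)
    ("212EFFFF", "stmt", None, "ll_yy = 5"),
    ("2252FFFF", "jmp", "3CAAFFFF", ""),
    ("3CAAFFFF", "stmt", None, "ll_xx = 6"),
    ("131AFFFF", "jmp", "45E8FFFF", ""),             # _._._.J.X.B: backward jump (retargeted)
    ("45E8FFFF", "end", None, "__endof__"),
]

def restore(rows):
    info = {a: (k, t, x) for a, k, t, x in rows}
    order = [a for a, _, _, _ in rows]
    nxt = {a: order[i + 1] for i, a in enumerate(order[:-1])}  # fall-through successor

    def resolve(addr):  # step 6: collapse a chain of jumps to its final target address
        while info[addr][0] == "jmp":
            addr = info[addr][1]
        return addr

    def path(addr):  # addresses met by falling through from addr, with jumps collapsed
        seen, addr = [], resolve(addr)
        while addr not in seen and info[addr][0] != "end":
            seen.append(addr)
            addr = resolve(nxt[addr])
        return seen + [addr]

    def walk(addr, stop, depth):  # step 4: emit the first branch, then the recorded one
        out, addr = [], resolve(addr)
        while addr != stop and info[addr][0] != "end":
            kind, target, text = info[addr]
            if kind == "stmt":
                out.append("    " * depth + text)
                addr = resolve(nxt[addr])
                continue
            taken, skipped = path(nxt[addr]), path(target)
            join = next(a for a in skipped if a in taken)  # first address both branches reach
            out.append("    " * depth + "if " + text + " then")
            out += walk(nxt[addr], join, depth + 1)
            out.append("    " * depth + "else")
            out += walk(target, join, depth + 1)
            out.append("    " * depth + "end if")
            addr = join
        return out
    return "\n".join(walk(order[0], None, 0))
```

`restore(ROWS)` yields the same if...else...end if block the post shows for the first pair of assignments; unreachable rows left behind by collapsed jumps are never emitted.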
Here is what my decompiler now produces; for...next still has some problems:

*******************************************************************
<2>public open ( string commandline) 0000CBCF
*******************************************************************
//local variables list qty = 5
//param: string commandline
boolean l_bb
long ll_xx
long ll_yy
//expression lines: 0
//Confused expression by PowerShield!
ll_xx = 100
if l_bb = true then
    ll_xx = 101
    ll_xx = 102
else
    ll_yy = 103
    ll_xx = 104
end if
if l_bb = true then
    ll_xx = 105
    ll_xx = 106
else
    ll_yy = 107
    ll_xx = 108
end if
ll_xx = 110
if l_bb = true then
    ll_xx = 1
    if l_bb = true then
        ll_xx = 2
        if l_bb = true then
            ll_xx = 3
            ll_xx = 4
        else
            ll_yy = 5
            ll_xx = 6
        end if
        ll_xx = 7
    else
        ll_yy = 8
        ll_xx = 9
    end if
    ll_xx = 10
else
    ll_yy = 11
    ll_xx = 12
end if
do while ll_xx > 0
    ll_xx = 21
    ll_xx = 22
    ll_xx = 23
loop
do
    ll_xx = 24
    ll_xx = 25
    ll_xx = 26
loop while ll_xx > 0
ll_xx = 0
do while 10000 >= ll_xx
    ll_xx = 1
    ll_xx = 2
    ll_xx = 3
    ll_xx ++
loop
choose case ll_xx
    case 1
        ll_xx = 111
        ll_xx = 111
        goto: Label_003DFFFF
        ll_xx = 222
        ll_xx = 222
    case 2
    case 3
        ll_xx = 333
        ll_xx = 333
end choose

But then again, simple statements hardly need a computer to work out; you can see them by eye. In reality, though, the authors of real programs and commercial software are not fools, and they have studied decompilers and obfuscators quite thoroughly, meaning they will test repeatedly and only release their commercial software once the decompilers on the market can no longer harm it. With heavy redundancy or very perverse coding styles, it is still hard to figure out the statements. So, in one sentence: unless you have a very good ability to generalize and can summarize the characteristics of each kind of statement, code in which all sorts of statements are nested and mixed together may be very hard to restore, or may even come out written with goto. If the goto cannot be restored to a normal statement, it feels like the decompilation went wrong, and the person doing the decompiling will certainly find it hard to trust the accuracy of the code.

Everyone who writes commercial code knows to put some global variables or many control parameters into the registration-code verification flow, to check them in many places, and to have the registry, the SQL database and the program work together to resist decompilation. So unless the decompiled code is identical to the source, it is hard to guarantee that cracking will succeed. Very simple measures, such as sending the file's MD5 hash into a dw or into the SQL back end, where the back end acts on it further, and all such tricks taken to the limit, are effective for software protection. Global parameters stamped in the registration section are also used as parameters in every window, or are propagated further into other parameters.

The code of a multi-level nested case, after the fake jumps have been removed, is as follows:
I spent three days trying to restore this code and still have no lead, because real-world code may be even more complex, with more levels of nesting, using every perverse and redundant style there is. It is still fairly hard.

//Software protection and code-breaking have always been two opposing sides that give rise to each other. A reminder to PB users: this is all an obfuscator really amounts to. Since then I have collected more than 30 ideas with the intention of working on an obfuscator myself. In many respects a decompiler has to rely on text and other information in the pbd that was not wiped at compile time, and no tool yet removes that information. Also, as I currently understand it, the only way to achieve ultimate encryption is to rework the VM's internal reading and parsing of the file, modifying the VM so that it takes part in the parsing; for example, the pbd file format could be changed. That should be the ultimate encryption idea, and decompilation against that kind of encryption cannot succeed, because the pbd has been matched to the modified VM and the decompiler's rules can no longer analyze it.

A few days ago I asked several people who write their programs in PB 11; none of them had any protection measures at all. So for now I am hurrying to finish the decompiler, and the next step is the obfuscator. Looking at the Java and .NET obfuscators, they generally only implement a few things: variable names, function names, object property and function names, control flow (statements), and number and string encryption. Whether there is anything beyond that, I do not yet know.