逆向工程 - 如何在 Win7-64 EXE 中使汇编中的 .text 部分可写 - 吾爱随笔录

我有一个基本的 XOR 解码器，可以在 Linux 中完美运行，但是当我尝试将它移动到 Windows 中的 exe 时，它失败了。由于问题仍然存在，我将这个问题留给历史参考。这里有人建议在汇编解码器中，.text 部分在 windows 中是不可写的。我怎样才能让这个汇编解码器从 windows 中的 .text 部分作为 exe 执行和解码/异或？

将编码器转换为 win 的步骤 7 64

nasm -fwin64 Workingwin7messageBoxassembly.nasm -o xorencoder.obj
从 obj 文件中提取 shellcode
插入到encoder.nasm
组装编码器 nasm -fwin64 encoder.nasm -o xorencoder.obj
在 Windows 上使用 golink 创建 exe。golink \console xorencoder.obj
运行exe并崩溃。

上面的工具已经过验证，可以组装 Workingwin7messageBoxassembly.nasm 并从 golink 创建一个工作 exe。

当我包含从组装/链接的 Workingwin7messageBoxassembly.nasm 中提取的 shellcode 并尝试让下面的解码器调用并解码 shellcode 时，这种方法会中断。在encoded_shellcode: 部分下面的shellcode 是这里找到的win 7-64 消息框的异或版本。此方法在尝试对 encoding_shellcode: 的内容进行异或时存在访问冲突。

    bits 64
    section .text
    global start

    start:
            jmp find_address

    decoder:
            pop rdi
            xor rcx, rcx
            add rax, 260
    decode:
            xor byte [rdi], 0xAA
            inc rdi
            loop decode

            jmp short encoded_shellcode

    find_address:
            call decoder

            encoded_shellcode: db 0xe2,0x29,0x46,0x82,0xe2,0x29,0x4e,0x5a,0xcf,0xe6,0x21,0x8e,0x8f,0xca,0xaa,0xaa,0xaa,0xe7,0x21,0xce,0x8e,0xb2,0xe7,0x21,0xce,0x8e,0x8a,0xe7,0x21,0x8e,0x8e,0xe7,0x21,0xd6,0x8e,0x8a,0xe7,0x21,0x8e,0x8e,0xe7,0x21,0xce,0x8e,0x8a,0x10,0x24,0xe4,0xa4,0x46,0xe6,0x23,0x4b,0x42,0xc2,0xaa,0xaa,0xaa,0x41,0x9e,0xf3,0x55,0x7a,0x10,0x02,0x08,0xe7,0x16,0xe2,0x23,0x6b,0x42,0xfc,0xaa,0xaa,0xaa,0xe2,0x23,0x69,0xe7,0x9b,0x63,0x41,0x94,0xeb,0xf2,0x41,0x82,0xf0,0xe2,0x9b,0x63,0x55,0x79,0x10,0xda,0x67,0x95,0x87,0xe6,0x23,0x53,0x42,0x9d,0xaa,0xaa,0xaa,0xe2,0x9b,0x63,0x55,0x7a,0x42,0x6d,0x55,0x55,0x55,0xdf,0xd9,0xcf,0xd8,0x99,0x98,0x84,0xce,0xc6,0xc6,0x42,0x79,0x55,0x55,0x55,0xfe,0xc2,0xc3,0xd9,0x8a,0xc3,0xd9,0x8a,0xcc,0xdf,0xc4,0x8b,0xaa,0x42,0x17,0x55,0x55,0x55,0x9a,0xd2,0xce,0xcf,0xcb,0xce,0xc8,0xcf,0xcf,0xcc,0xe3,0x23,0x67,0xcd,0xeb,0x21,0xef,0x96,0xcd,0xef,0x21,0x1e,0xaf,0x22,0xaa,0xaa,0xaa,0xef,0xab,0x44,0xcd,0xef,0x21,0xfc,0xb2,0xcd,0xeb,0x21,0xf4,0x8a,0xee,0xab,0x41,0xcd,0x49,0x95,0xeb,0x55,0x60,0xcd,0xe8,0x21,0x9e,0x39,0xee,0xab,0x44,0x9b,0x55,0x9b,0x6a,0x56,0x06,0x2e,0x6a,0xde,0xad,0x6b,0x65,0xa7,0xab,0x6d,0x41,0x5e,0x93,0x7d,0xdf,0x77,0xcd,0xeb,0x21,0xf4,0x8e,0xee,0xab,0x41,0x9b,0x63,0xcc,0xcd,0xe8,0x21,0xa6,0xf9,0xcd,0xeb,0x21,0xf4,0xb6,0xee,0xab,0x41,0xcd,0x21,0xae,0x21,0xee,0xab,0x42,0x69

我使用 LordPE 编辑了 .text 部分，使 exe 中的 .text 部分可写，以允许解码器从 .text 部分读取以进行解码。它仍然失败。我如何让这个汇编解码器解码？