打造世界最小LZMA解压DLL(最终话)

在前面的文章里,我们通过使用UPX Stub中的代码加以手工修改PE文件导出表得到了3280byte的目标DLL(点击此处),又通过重新编译LZMA SDK将目标缩小到2970byte(点击此处)。今天我们继续精简,通过修改源代码来进一步缩小目标文件的大小。

首先我们可以看到原来LZMA解压在不加其他功能情况下的声明是:

int LzmaDecode(CLzmaDecoderState *vs, const unsigned char *inStream, SizeT inSize, SizeT *inSizeProcessed, unsigned char *outStream, SizeT outSize, SizeT *outSizeProcessed);

/* LZMA stream properties as the SDK's LzmaDecode receives them.
 * This article hard-codes them (lc=3, lp=0, pb=2) inside the decoder and
 * removes the struct from the exported signature, so the trimmed DLL can only
 * decode streams produced with exactly these settings. */
typedef struct _CLzmaProperties
{
  int lc;  /* literal-context bits; together with lp it sizes the Probs table */
  int lp;  /* literal-position bits; the decoder derives literalPosMask = (1 << lp) - 1 */
  int pb;  /* position bits; the decoder derives posStateMask = (1 << pb) - 1 */
}CLzmaProperties;

/* Decoder state passed to the SDK's LzmaDecode as `vs`.
 * Probs is the probability table; its size is
 * LZMA_BASE_SIZE + (LZMA_LIT_SIZE << (lc + lp)) entries, i.e. 15980 bytes for
 * lc=3, lp=0. The trimmed decoder in this article turns it into a local array
 * so the caller no longer supplies (or sizes) this buffer.
 * NOTE(review): once the properties are hard-coded the stream's own settings are
 * never consulted; callers must guarantee the compressor used lc=3/lp=0/pb=2. */
typedef struct _CLzmaDecoderState
{
  CLzmaProperties Properties;
  CProb *Probs;
} CLzmaDecoderState;

这里可以去除我们不需要的部分:

1、inSizeProcessed和outSizeProcessed不需要。

2、CLzmaProperties采用默认的lc=3,lp=0,pb=2,可以硬编码到代码中。

3、Probs可以放在函数内作为局部变量。

故修改函数声明及前面局部变量声明为:

  1. int __stdcall LzmaDecode(
    
  2.     const unsigned char *inStream, SizeT inSize,
    
  3.     unsigned char *outStream, SizeT outSize)
    
  4. {
    
  5.   //CProb *p = vs->Probs;
    
  6.   SizeT nowPos = 0;
    
  7.   Byte previousByte = 0;
    
  8.   UInt32 posStateMask = (1 << (/*vs->Properties.pb*/2)) - 1;
    
  9.   UInt32 literalPosMask = (1 << (/*vs->Properties.lp*/0)) - 1;
    
  10.   int lc = /*vs->Properties.lc*/3;
    
  11. 
    
  12.   int state = 0;
    
  13.   UInt32 rep0 = 1, rep1 = 1, rep2 = 1, rep3 = 1;
    
  14.   int len = 0;
    
  15.   const Byte *Buffer;
    
  16.   const Byte *BufferLim;
    
  17.   UInt32 Range;
    
  18.   UInt32 Code;
    
  19. 
    
  20.   CProb Probs[LZMA_BASE_SIZE + (LZMA_LIT_SIZE << (3 + 0))];
    
  21.   CProb *p = Probs;
    
  22.   //*inSizeProcessed = 0;
    
  23.   //*outSizeProcessed = 0;
    
  24. 
    

使用VC6编译即可。编译后需要注意一个问题:Probs数组大小为15980字节,超过了一页4KB的大小,因此编译器生成的是 mov eax,xxxxxxxx; call __chkesp 这样的调用来分配栈空间,它会逐页触碰新的栈内存,这样可以防止一次性越过栈保护页而发生访问越界问题。而这里我们需要把这个call做的事手动实现,参考以前的文章:mov ecx,xxxxxxxx; push 0; loopd $-2,由于代码量较少,直接修改机器码即可。

最后,除去末尾的RET之后,这段解压代码的大小为2296byte,生成的目标DLL大小为2810字节。

ASM代码:

  ; VC6-compiled body of the trimmed decoder
  ;   int __stdcall LzmaDecode(const unsigned char *inStream, SizeT inSize,
  ;                            unsigned char *outStream, SizeT outSize)
  ; emitted as raw db bytes. The prologue in the first db line is already patched:
  ; the compiler's mov eax,imm / call __chkesp stack probe has been replaced by
  ; mov ecx,0FA8h / push 0 / loopd $-2, which commits the ~16K frame holding the
  ; 15980-byte Probs array one dword at a time so the stack guard page is never skipped.
  1. .386
    
  2. .model flat
    
  3. .code
    
  4. db 55h,8Bh,0ECh,0B9h,0A8h,0Fh,0,0,6Ah,0,0E2h,0FCh,53h,56h,57h,80h
    
  5. db 65h,0FBh,0,0B9h,9Bh,0Fh,0,0,0B8h,0,4,0,4,8Dh,0BDh,60h
    
  6. db 0C1h,0FFh,0FFh,6Ah,1,0F3h,0ABh,8Bh,45h,8,8Bh,4Dh,0Ch,8Bh,0D0h,3
    
  7. db 0C1h,33h,0F6h,5Bh,33h,0C9h,89h,45h,0F4h,89h,75h,0DCh,89h,75h,0FCh,89h
    
  8. db 5Dh,0F0h,89h,5Dh,0D0h,89h,5Dh,0D4h,89h,5Dh,0CCh,89h,4Dh,8,83h,0C8h
    
  9. db 0FFh,0EBh,3,6Ah,1,5Bh,3Bh,55h,0F4h,74h,24h,8Bh,7Dh,8,0Fh,0B6h
    
  10. db 1Ah,0C1h,0E7h,8,0Bh,0FBh,42h,41h,89h,7Dh,8,83h,0F9h,5,89h,55h
    
  11. db 0Ch,7Ch,0E0h,83h,7Dh,14h,0,0Fh,86h,75h,8,0,0,0EBh,0Ah,8Bh
    
  12. db 0C3h,0E9h,6Eh,8,0,0,8Bh,55h,0Ch,8Bh,4Dh,0FCh,83h,0E6h,3,0C1h
    
  13. db 0E1h,4,3,0CEh,3Dh,0,0,0,1,8Dh,0BCh,4Dh,60h,0C1h,0FFh,0FFh
    
  14. db 73h,1Eh,3Bh,55h,0F4h,0Fh,84h,3Eh,8,0,0,8Bh,4Dh,8,0Fh,0B6h
    
  15. db 1Ah,0C1h,0E1h,8,0C1h,0E0h,8,0Bh,0CBh,42h,89h,4Dh,8,89h,55h,0Ch
    
  16. db 66h,8Bh,0Fh,8Bh,0D8h,0Fh,0B7h,0D1h,0C1h,0EBh,0Bh,0Fh,0AFh,0DAh,39h,5Dh
    
  17. db 8,0Fh,83h,98h,1,0,0,0Fh,0B7h,0F1h,8Bh,0C3h,0BBh,0,8,0
    
  18. db 0,2Bh,0DEh,6Ah,1,0C1h,0FBh,5,3,0D9h,5Ah,0Fh,0B6h,4Dh,0FBh,0C1h
    
  19. db 0E9h,5,66h,89h,1Fh,8Dh,0Ch,49h,0C1h,0E1h,9,83h,7Dh,0FCh,7,8Dh
    
  20. db 8Ch,0Dh,0CCh,0CFh,0FFh,0FFh,89h,4Dh,0E4h,0Fh,8Ch,0B5h,0,0,0,8Bh
    
  21. db 4Dh,0DCh,8Bh,75h,10h,2Bh,4Dh,0F0h,0Fh,0B6h,0Ch,31h,89h,4Dh,0E0h,0D1h
    
  22. db 65h,0E0h,8Bh,4Dh,0E0h,8Bh,75h,0E4h,81h,0E1h,0,1,0,0,89h,4Dh
    
  23. db 0ECh,3,0CAh,3Dh,0,0,0,1,8Dh,0B4h,4Eh,0,2,0,0,73h
    
  24. db 21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,9Ch,7,0,0,8Bh,7Dh,8
    
  25. db 0Fh,0B6h,19h,0C1h,0E7h,8,0C1h,0E0h,8,0Bh,0FBh,41h,89h,7Dh,8,89h
    
  26. db 4Dh,0Ch,66h,8Bh,0Eh,8Bh,0F8h,0Fh,0B7h,0D9h,0C1h,0EFh,0Bh,0Fh,0AFh,0FBh
    
  27. db 39h,7Dh,8,73h,1Bh,8Bh,0C7h,0BFh,0,8,0,0,2Bh,0FBh,0C1h,0FFh
    
  28. db 5,3,0F9h,0D1h,0E2h,83h,7Dh,0ECh,0,66h,89h,3Eh,75h,2Eh,0EBh,1Bh
    
  29. db 29h,7Dh,8,2Bh,0C7h,66h,8Bh,0F9h,8Dh,54h,12h,1,66h,0C1h,0EFh,5
    
  30. db 2Bh,0CFh,83h,7Dh,0ECh,0,66h,89h,0Eh,74h,11h,81h,0FAh,0,1,0
    
  31. db 0,0Fh,8Dh,81h,0,0,0,0E9h,63h,0FFh,0FFh,0FFh,81h,0FAh,0,1
    
  32. db 0,0,7Dh,74h,8Bh,4Dh,0E4h,8Dh,3Ch,12h,89h,7Dh,0ECh,3,0F9h,3Dh
    
  33. db 0,0,0,1,73h,21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,7,7
    
  34. db 0,0,8Bh,75h,8,0Fh,0B6h,19h,0C1h,0E6h,8,0C1h,0E0h,8,0Bh,0F3h
    
  35. db 41h,89h,75h,8,89h,4Dh,0Ch,66h,8Bh,0Fh,8Bh,0F0h,0Fh,0B7h,0D9h,0C1h
    
  36. db 0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,8,73h,15h,8Bh,0C6h,0BEh,0,8,0
    
  37. db 0,2Bh,0F3h,0C1h,0FEh,5,3,0F1h,66h,89h,37h,0D1h,0E2h,0EBh,9Dh,29h
    
  38. db 75h,8,66h,8Bh,0D1h,66h,0C1h,0EAh,5,2Bh,0C6h,2Bh,0CAh,66h,89h,0Fh
    
  39. db 8Bh,4Dh,0ECh,8Dh,51h,1,0EBh,84h,8Bh,4Dh,10h,8Bh,75h,0DCh,88h,55h
    
  40. db 0FBh,88h,14h,0Eh,46h,83h,7Dh,0FCh,4,89h,75h,0DCh,7Dh,9,83h,65h
    
  41. db 0FCh,0,0E9h,7Ah,6,0,0,83h,7Dh,0FCh,0Ah,7Dh,9,83h,6Dh,0FCh
    
  42. db 3,0E9h,6Bh,6,0,0,83h,6Dh,0FCh,6,0E9h,62h,6,0,0,29h
    
  43. db 5Dh,8,66h,8Bh,0D1h,66h,0C1h,0EAh,5,2Bh,0CAh,2Bh,0C3h,66h,89h,0Fh
    
  44. db 8Bh,4Dh,0FCh,3Dh,0,0,0,1,8Dh,94h,4Dh,0E0h,0C2h,0FFh,0FFh,73h
    
  45. db 21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,4Ch,6,0,0,8Bh,7Dh,8
    
  46. db 0Fh,0B6h,19h,0C1h,0E7h,8,0C1h,0E0h,8,0Bh,0FBh,41h,89h,7Dh,8,89h
    
  47. db 4Dh,0Ch,66h,8Bh,0Ah,8Bh,0F8h,0Fh,0B7h,0D9h,0C1h,0EFh,0Bh,0Fh,0AFh,0FBh
    
  48. db 39h,7Dh,8,73h,44h,8Bh,0C7h,0BBh,0,8,0,0,0Fh,0B7h,0F9h,2Bh
    
  49. db 0DFh,0C1h,0FBh,5,3,0D9h,8Bh,4Dh,0D4h,89h,4Dh,0CCh,8Bh,4Dh,0D0h,89h
    
  50. db 4Dh,0D4h,8Bh,4Dh,0F0h,89h,4Dh,0D0h,33h,0C9h,83h,7Dh,0FCh,7,66h,89h
    
  51. db 1Ah,0Fh,9Dh,0C1h,49h,83h,0E1h,0FDh,83h,0C1h,3,89h,4Dh,0FCh,8Dh,8Dh
    
  52. db 0C4h,0C7h,0FFh,0FFh,0E9h,39h,2,0,0,29h,7Dh,8,2Bh,0C7h,66h,8Bh
    
  53. db 0F9h,66h,0C1h,0EFh,5,2Bh,0CFh,3Dh,0,0,0,1,66h,89h,0Ah,73h
    
  54. db 21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,0BCh,5,0,0,8Bh,55h,8
    
  55. db 0Fh,0B6h,39h,0C1h,0E2h,8,0C1h,0E0h,8,0Bh,0D7h,41h,89h,55h,8,89h
    
  56. db 4Dh,0Ch,8Bh,7Dh,0FCh,8Bh,0C8h,0C1h,0E9h,0Bh,66h,8Bh,94h,7Dh,0F8h,0C2h
    
  57. db 0FFh,0FFh,0Fh,0B7h,0DAh,0Fh,0AFh,0CBh,39h,4Dh,8,0Fh,83h,0C2h,0,0
    
  58. db 0,0BFh,0,8,0,0,8Bh,0C1h,2Bh,0FBh,0C1h,0FFh,5,3,0FAh,8Bh
    
  59. db 55h,0FCh,66h,89h,0BCh,55h,0F8h,0C2h,0FFh,0FFh,0C1h,0E2h,4,3,0D6h,81h
    
  60. db 0F9h,0,0,0,1,8Dh,94h,55h,40h,0C3h,0FFh,0FFh,73h,23h,8Bh,7Dh
    
  61. db 0Ch,3Bh,7Dh,0F4h,0Fh,84h,4Fh,5,0,0,0Fh,0B6h,1Fh,0C1h,0E1h,8
    
  62. db 8Bh,0C1h,8Bh,4Dh,8,0C1h,0E1h,8,0Bh,0CBh,47h,89h,4Dh,8,89h,7Dh
    
  63. db 0Ch,66h,8Bh,0Ah,8Bh,0F8h,0Fh,0B7h,0D9h,0C1h,0EFh,0Bh,0Fh,0AFh,0FBh,39h
    
  64. db 7Dh,8,73h,49h,0BEh,0,8,0,0,8Bh,0C7h,2Bh,0F3h,0C1h,0FEh,5
    
  65. db 3,0F1h,66h,89h,32h,8Bh,75h,0DCh,85h,0F6h,0Fh,84h,9,5,0,0
    
  66. db 33h,0C9h,83h,7Dh,0FCh,7,8Bh,55h,10h,0Fh,9Dh,0C1h,49h,83h,0E1h,0FEh
    
  67. db 83h,0C1h,0Bh,89h,4Dh,0FCh,8Bh,0CEh,2Bh,4Dh,0F0h,8Ah,0Ch,11h,88h,0Ch
    
  68. db 16h,46h,88h,4Dh,0FBh,89h,75h,0DCh,0E9h,0C4h,4,0,0,29h,7Dh,8
    
  69. db 2Bh,0C7h,66h,8Bh,0F9h,66h,0C1h,0EFh,5,2Bh,0CFh,66h,89h,0Ah,0E9h,6
    
  70. db 1,0,0,29h,4Dh,8,2Bh,0C1h,66h,8Bh,0CAh,66h,0C1h,0E9h,5,2Bh
    
  71. db 0D1h,3Dh,0,0,0,1,66h,89h,94h,7Dh,0F8h,0C2h,0FFh,0FFh,8Dh,94h
    
  72. db 7Dh,10h,0C3h,0FFh,0FFh,73h,21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,96h
    
  73. db 4,0,0,8Bh,7Dh,8,0Fh,0B6h,19h,0C1h,0E7h,8,0C1h,0E0h,8,0Bh
    
  74. db 0FBh,41h,89h,7Dh,8,89h,4Dh,0Ch,66h,8Bh,0Ah,8Bh,0F8h,0Fh,0B7h,0D9h
    
  75. db 0C1h,0EFh,0Bh,0Fh,0AFh,0FBh,39h,7Dh,8,73h,19h,8Bh,0C7h,0BFh,0,8
    
  76. db 0,0,2Bh,0FBh,0C1h,0FFh,5,3,0F9h,8Bh,4Dh,0D0h,66h,89h,3Ah,0E9h
    
  77. db 8Ch,0,0,0,29h,7Dh,8,2Bh,0C7h,66h,8Bh,0F9h,66h,0C1h,0EFh,5
    
  78. db 2Bh,0CFh,3Dh,0,0,0,1,66h,89h,0Ah,8Bh,4Dh,0FCh,8Dh,94h,4Dh
    
  79. db 28h,0C3h,0FFh,0FFh,73h,21h,8Bh,4Dh,0Ch,3Bh,4Dh,0F4h,0Fh,84h,27h,4
    
  80. db 0,0,8Bh,7Dh,8,0Fh,0B6h,19h,0C1h,0E7h,8,0C1h,0E0h,8,0Bh,0FBh
    
  81. db 41h,89h,7Dh,8,89h,4Dh,0Ch,66h,8Bh,0Ah,8Bh,0F8h,0Fh,0B7h,0D9h,0C1h
    
  82. db 0EFh,0Bh,0Fh,0AFh,0FBh,39h,7Dh,8,73h,16h,8Bh,0C7h,0BFh,0,8,0
    
  83. db 0,2Bh,0FBh,0C1h,0FFh,5,3,0F9h,8Bh,4Dh,0D4h,66h,89h,3Ah,0EBh,1Ah
    
  84. db 29h,7Dh,8,2Bh,0C7h,66h,8Bh,0F9h,66h,0C1h,0EFh,5,2Bh,0CFh,66h,89h
    
  85. db 0Ah,8Bh,55h,0D4h,8Bh,4Dh,0CCh,89h,55h,0CCh,8Bh,55h,0D0h,89h,55h,0D4h
    
  86. db 8Bh,55h,0F0h,89h,4Dh,0F0h,89h,55h,0D0h,33h,0C9h,83h,7Dh,0FCh,7,0Fh
    
  87. db 9Dh,0C1h,49h,83h,0E1h,0FDh,83h,0C1h,0Bh,89h,4Dh,0FCh,8Dh,8Dh,0C8h,0CBh
    
  88. db 0FFh,0FFh,3Dh,0,0,0,1,73h,21h,8Bh,55h,0Ch,3Bh,55h,0F4h,0Fh
    
  89. db 84h,94h,3,0,0,8Bh,7Dh,8,0Fh,0B6h,1Ah,0C1h,0E7h,8,0C1h,0E0h
    
  90. db 8,0Bh,0FBh,42h,89h,7Dh,8,89h,55h,0Ch,66h,8Bh,11h,8Bh,0F8h,0Fh
    
  91. db 0B7h,0DAh,0C1h,0EFh,0Bh,0Fh,0AFh,0FBh,39h,7Dh,8,73h,28h,8Bh,0C7h,0BFh
    
  92. db 0,8,0,0,2Bh,0FBh,0C1h,0FFh,5,3,0FAh,0C1h,0E6h,4,83h,65h
    
  93. db 0E0h,0,66h,89h,39h,8Dh,4Ch,0Eh,4,0C7h,45h,0E4h,3,0,0,0
    
  94. db 0E9h,9Eh,0,0,0,29h,7Dh,8,2Bh,0C7h,66h,8Bh,0FAh,66h,0C1h,0EFh
    
  95. db 5,2Bh,0D7h,3Dh,0,0,0,1,66h,89h,11h,73h,21h,8Bh,55h,0Ch
    
  96. db 3Bh,55h,0F4h,0Fh,84h,20h,3,0,0,8Bh,7Dh,8,0Fh,0B6h,1Ah,0C1h
    
  97. db 0E7h,8,0C1h,0E0h,8,0Bh,0FBh,42h,89h,7Dh,8,89h,55h,0Ch,66h,8Bh
    
  98. db 51h,2,8Bh,0F8h,0Fh,0B7h,0DAh,0C1h,0EFh,0Bh,0Fh,0AFh,0FBh,39h,7Dh,8
    
  99. db 73h,2Bh,8Bh,0C7h,0BBh,0,8,0,0,0Fh,0B7h,0FAh,2Bh,0DFh,0C7h,45h
    
  100. db 0E0h,8,0,0,0,0C1h,0FBh,5,3,0DAh,0C1h,0E6h,4,66h,89h,59h
    
  101. db 2,8Dh,8Ch,0Eh,4,1,0,0,0E9h,7Ch,0FFh,0FFh,0FFh,29h,7Dh,8
    
  102. db 66h,8Bh,0F2h,66h,0C1h,0EEh,5,2Bh,0D6h,2Bh,0C7h,66h,89h,51h,2,81h
    
  103. db 0C1h,4,2,0,0,0C7h,45h,0E0h,10h,0,0,0,0C7h,45h,0E4h,8
    
  104. db 0,0,0,8Bh,55h,0E4h,0C7h,45h,0E8h,1,0,0,0,89h,55h,0ECh
    
  105. db 8Bh,55h,0E8h,8Dh,3Ch,12h,89h,7Dh,0D8h,3,0F9h,3Dh,0,0,0,1
    
  106. db 73h,21h,8Bh,55h,0Ch,3Bh,55h,0F4h,0Fh,84h,7Bh,2,0,0,8Bh,75h
    
  107. db 8,0Fh,0B6h,1Ah,0C1h,0E6h,8,0C1h,0E0h,8,0Bh,0F3h,42h,89h,75h,8
    
  108. db 89h,55h,0Ch,66h,8Bh,17h,8Bh,0F0h,0Fh,0B7h,0DAh,0C1h,0EEh,0Bh,0Fh,0AFh
    
  109. db 0F3h,39h,75h,8,73h,16h,8Bh,0C6h,0BEh,0,8,0,0,2Bh,0F3h,0C1h
    
  110. db 0FEh,5,3,0F2h,0D1h,65h,0E8h,66h,89h,37h,0EBh,18h,29h,75h,8,2Bh
    
  111. db 0C6h,66h,8Bh,0F2h,66h,0C1h,0EEh,5,2Bh,0D6h,66h,89h,17h,8Bh,55h,0D8h
    
  112. db 42h,89h,55h,0E8h,0FFh,4Dh,0ECh,75h,87h,8Bh,4Dh,0E4h,6Ah,1,5Fh,8Bh
    
  113. db 0D7h,0D3h,0E2h,8Bh,4Dh,0E0h,2Bh,0CAh,1,4Dh,0E8h,83h,7Dh,0FCh,4,0Fh
    
  114. db 8Dh,0BDh,1,0,0,83h,45h,0FCh,7,83h,7Dh,0E8h,4,7Dh,5,8Bh
    
  115. db 4Dh,0E8h,0EBh,3,6Ah,3,59h,0C1h,0E1h,7,0C7h,45h,0ECh,6,0,0
    
  116. db 0,8Dh,8Ch,0Dh,0C0h,0C4h,0FFh,0FFh,89h,4Dh,0E4h,8Bh,55h,0E4h,8Dh,0Ch
    
  117. db 3Fh,3Dh,0,0,0,1,89h,4Dh,0D8h,8Dh,34h,0Ah,73h,21h,8Bh,4Dh
    
  118. db 0Ch,3Bh,4Dh,0F4h,0Fh,84h,0BFh,1,0,0,8Bh,55h,8,0Fh,0B6h,19h
    
  119. db 0C1h,0E2h,8,0C1h,0E0h,8,0Bh,0D3h,41h,89h,55h,8,89h,4Dh,0Ch,66h
    
  120. db 8Bh,0Eh,8Bh,0D0h,0Fh,0B7h,0D9h,0C1h,0EAh,0Bh,0Fh,0AFh,0D3h,39h,55h,8
    
  121. db 73h,15h,8Bh,0C2h,0BAh,0,8,0,0,2Bh,0D3h,0C1h,0FAh,5,3,0D1h
    
  122. db 66h,89h,16h,0D1h,0E7h,0EBh,17h,29h,55h,8,2Bh,0C2h,66h,8Bh,0D1h,66h
    
  123. db 0C1h,0EAh,5,2Bh,0CAh,66h,89h,0Eh,8Bh,4Dh,0D8h,8Dh,79h,1,0FFh,4Dh
    
  124. db 0ECh,75h,88h,83h,0EFh,40h,83h,0FFh,4,0Fh,8Ch,0Bh,1,0,0,6Ah
    
  125. db 1,8Bh,0CFh,8Bh,0D7h,5Eh,0D1h,0F9h,23h,0D6h,49h,83h,0CAh,2,83h,0FFh
    
  126. db 0Eh,89h,4Dh,0ECh,7Dh,13h,0D3h,0E2h,89h,55h,0F0h,2Bh,0D7h,8Dh,8Ch,55h
    
  127. db 0BEh,0C6h,0FFh,0FFh,89h,4Dh,0E4h,0EBh,51h,83h,0E9h,4,3Dh,0,0,0
    
  128. db 1,73h,20h,8Bh,7Dh,0Ch,3Bh,7Dh,0F4h,0Fh,84h,1Fh,1,0,0,8Bh
    
  129. db 5Dh,8,0Fh,0B6h,3Fh,0C1h,0E3h,8,0Bh,0DFh,0C1h,0E0h,8,0FFh,45h,0Ch
    
  130. db 89h,5Dh,8,0D1h,0E8h,0D1h,0E2h,39h,45h,8,72h,5,29h,45h,8,0Bh
    
  131. db 0D6h,49h,75h,0C8h,8Dh,8Dh,0A4h,0C7h,0FFh,0FFh,0C7h,45h,0ECh,4,0,0
    
  132. db 0,0C1h,0E2h,4,89h,4Dh,0E4h,89h,55h,0F0h,89h,75h,0D8h,89h,75h,0E0h
    
  133. db 0EBh,3,6Ah,1,5Eh,8Bh,4Dh,0E0h,8Bh,55h,0E4h,3,0C9h,3Dh,0,0
    
  134. db 0,1,8Dh,3Ch,11h,73h,21h,8Bh,55h,0Ch,3Bh,55h,0F4h,0Fh,84h,0BBh
    
  135. db 0,0,0,8Bh,75h,8,0Fh,0B6h,1Ah,0C1h,0E6h,8,0C1h,0E0h,8,0Bh
    
  136. db 0F3h,42h,89h,75h,8,89h,55h,0Ch,66h,8Bh,17h,8Bh,0F0h,0Fh,0B7h,0DAh
    
  137. db 0C1h,0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,8,73h,16h,0B9h,0,8,0,0
    
  138. db 8Bh,0C6h,2Bh,0CBh,0C1h,0F9h,5,3,0CAh,0D1h,65h,0E0h,66h,89h,0Fh,0EBh
    
  139. db 1Bh,29h,75h,8,2Bh,0C6h,66h,8Bh,0F2h,66h,0C1h,0EEh,5,2Bh,0D6h,41h
    
  140. db 89h,4Dh,0E0h,8Bh,4Dh,0D8h,9,4Dh,0F0h,66h,89h,17h,0D1h,65h,0D8h,0FFh
    
  141. db 4Dh,0ECh,0Fh,85h,7Ah,0FFh,0FFh,0FFh,0EBh,3,89h,7Dh,0F0h,0FFh,45h,0F0h
    
  142. db 74h,38h,8Bh,75h,0DCh,83h,45h,0E8h,2,39h,75h,0F0h,77h,3Bh,8Bh,55h
    
  143. db 10h,8Bh,0CEh,2Bh,4Dh,0F0h,0FFh,4Dh,0E8h,8Ah,0Ch,11h,88h,0Ch,16h,46h
    
  144. db 83h,7Dh,0E8h,0,88h,4Dh,0FBh,89h,75h,0DCh,74h,5,3Bh,75h,14h,72h
    
  145. db 0E0h,3Bh,75h,14h,0Fh,82h,0ACh,0F7h,0FFh,0FFh,3Dh,0,0,0,1,73h
    
  146. db 11h,8Bh,45h,0F4h,39h,45h,0Ch,75h,9,6Ah,1,58h,0EBh,6,8Bh,0C6h
    
  147. db 0EBh,2,33h,0C0h,5Fh,5Eh,5Bh,0C9h
    
  148. retn 10h ; __stdcall return: pop the 4 dword arguments (the db block above ends with its own leave, 0C9h, but no ret)
    
  149. end
    

打造世界最小LZMA解压DLL(第二弹)

一年前我曾写过一篇《手写PE文件,打造史上最小LZMA解压DLL》,最近因为涉及毕业设计,重新开始研究PE,同时也需要提供LZMA压缩功能。

观察原来的程序后发现,UPX使用的LZMA代码并不是最优化的编译结果,原因是局部变量全部使用ESP寻址,而Intel x86的寄存器间接寻址对ESP是个例外(以ESP为基址必须额外带一个SIB字节),这样的指令每条要多占用一字节。于是重新翻出LZMA SDK,使用VC6编译出2409字节的代码(原来是2694字节)。

另外一个问题就是原来开头写的sub esp, 3e80是不对的。Windows的栈是逐页提交的:紧邻当前栈顶的那一页是保护页,访问它会触发栈空间的自动分配,但越过保护页去访问更上面的页就会被视为访问越界。显然一次性sub esp,3e80之后再访问栈顶,很可能越过保护页而导致程序崩溃。

这次最终的DLL文件是2970字节,缩小至原来的90%。

这次先贴代码,DLL文件以后再更新后发,因为看上去可以通过修改SDK使文件更精简。

  ; Second-generation wrapper with the same C signature as before:
  ;   int LzmaDecode(byte *dest, long destLen, const byte *src, long srcLen)
  ; so [ebp+8]=dest, [ebp+0ch]=destLen, [ebp+10h]=src, [ebp+14h]=srcLen.
  ; Lines 4-20 are hand-written; the db lines that follow are the VC6-compiled
  ; LzmaDecode body, and the wrapper's epilogue comes after them.
  1. .386
  2. .model flat
  3. .code
  4. push ebp
  5. mov ebp,esp
  6. mov ecx,0fa0h ; reserve and zero 0fa0h dwords (16000 = 3e80h bytes) by pushing
  7. push 0 ; ... one dword at a time, so every new stack page is touched in order
  8. loopd $-2 ; ... and the guard page is never skipped (replaces the old sub esp,3e80h)
  9. mov eax,esp ; eax -> bottom of the zeroed block, used as the outSizeProcessed slot
  10. push eax ; outSizeProcessed
  11. add eax,4
  12. push [ebp+0ch] ; outSize (destLen)
  13. push [ebp+8] ; outStream (dest)
  14. push eax ; inSizeProcessed
  15. add eax,4
  16. push [ebp+14h] ; inSize (srcLen)
  17. push [ebp+10h] ; inStream (src)
  18. push eax ; lzmaDecodeState (rest of the zeroed block, dictionary included)
  19. mov dword ptr [eax],20003h ; hard-coded LZMA properties: lc=3 lp=0 pb=2
  20. push eax ; dummy return-address slot: the decoder body follows inline instead of a call
  21. db 55h,8Bh,0ECh,83h,0ECh,40h,8Bh,45h,8,53h,56h,57h,8Ah,48h,2,6Ah
  22. db 1,80h,65h,0Bh,0,5Bh,8Bh,0D3h,33h,0F6h,0D3h,0E2h,8Ah,48h,1,8Dh
  23. db 78h,4,89h,7Dh,0E8h,89h,75h,0E4h,89h,75h,0F8h,89h,5Dh,0F0h,4Ah,89h
  24. db 5Dh,0DCh,89h,55h,0C4h,8Bh,0D3h,0D3h,0E2h,8Bh,4Dh,14h,89h,5Dh,0E0h,89h
  25. db 5Dh,0D4h,4Ah,89h,55h,0C0h,0Fh,0BEh,10h,89h,31h,8Bh,4Dh,20h,89h,55h
  26. db 0C8h,89h,31h,8Ah,48h,1,3,0CAh,0B8h,0,3,0,0,0D3h,0E0h,5
  27. db 36h,7,0,0,74h,10h,8Bh,0C8h,0B8h,0,4,0,4,0D1h,0E9h,0F3h
  28. db 0ABh,13h,0C9h,66h,0F3h,0ABh,8Bh,45h,0Ch,8Bh,4Dh,10h,89h,45h,0FCh,3
  29. db 0C1h,89h,45h,0F4h,8Bh,45h,0FCh,83h,0CAh,0FFh,89h,75h,10h,33h,0C9h,3Bh
  30. db 45h,0F4h,0Fh,84h,0B0h,8,0,0,8Bh,7Dh,10h,0Fh,0B6h,18h,0C1h,0E7h
  31. db 8,0Bh,0FBh,40h,41h,89h,7Dh,10h,83h,0F9h,5,89h,45h,0FCh,7Ch,0DFh
  32. db 39h,75h,1Ch,0Fh,86h,97h,8,0,0,8Bh,7Dh,0C4h,8Bh,45h,0F8h,23h
  33. db 7Dh,0E4h,8Bh,4Dh,0E8h,0C1h,0E0h,4,3,0C7h,81h,0FAh,0,0,0,1
  34. db 8Dh,0Ch,41h,73h,21h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,67h,8,0
  35. db 0,8Bh,75h,10h,0Fh,0B6h,18h,0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F3h,40h
  36. db 89h,75h,10h,89h,45h,0FCh,66h,8Bh,1,8Bh,0F2h,0Fh,0B7h,0D8h,0C1h,0EEh
  37. db 0Bh,0Fh,0AFh,0F3h,39h,75h,10h,0Fh,83h,0ADh,1,0,0,8Bh,0D6h,0BFh
  38. db 0,8,0,0,0Fh,0B7h,0F0h,2Bh,0FEh,8Bh,75h,0C0h,0C1h,0FFh,5,3
  39. db 0F8h,23h,75h,0E4h,0Fh,0B6h,45h,0Bh,66h,89h,39h,0B1h,8,2Ah,4Dh,0C8h
  40. db 6Ah,1,5Bh,0D3h,0E8h,8Bh,4Dh,0C8h,0D3h,0E6h,8Bh,4Dh,0E8h,3,0C6h,8Dh
  41. db 4,40h,0C1h,0E0h,9,83h,7Dh,0F8h,7,8Dh,84h,8,6Ch,0Eh,0,0
  42. db 89h,45h,8,0Fh,8Ch,0B5h,0,0,0,8Bh,45h,0E4h,8Bh,4Dh,18h,2Bh
  43. db 45h,0F0h,0Fh,0B6h,4,8,89h,45h,0D8h,0D1h,65h,0D8h,8Bh,45h,0D8h,8Bh
  44. db 4Dh,8,25h,0,1,0,0,89h,45h,0CCh,3,0C3h,81h,0FAh,0,0
  45. db 0,1,8Dh,8Ch,41h,0,2,0,0,73h,21h,8Bh,45h,0FCh,3Bh,45h
  46. db 0F4h,0Fh,84h,0B1h,7,0,0,8Bh,75h,10h,0Fh,0B6h,38h,0C1h,0E6h,8
  47. db 0C1h,0E2h,8,0Bh,0F7h,40h,89h,75h,10h,89h,45h,0FCh,66h,8Bh,1,8Bh
  48. db 0F2h,0Fh,0B7h,0F8h,0C1h,0EEh,0Bh,0Fh,0AFh,0F7h,39h,75h,10h,73h,1Bh,8Bh
  49. db 0D6h,0BEh,0,8,0,0,2Bh,0F7h,0C1h,0FEh,5,3,0F0h,0D1h,0E3h,83h
  50. db 7Dh,0CCh,0,66h,89h,31h,75h,2Eh,0EBh,1Bh,29h,75h,10h,2Bh,0D6h,66h
  51. db 8Bh,0F0h,8Dh,5Ch,1Bh,1,66h,0C1h,0EEh,5,2Bh,0C6h,83h,7Dh,0CCh,0
  52. db 66h,89h,1,74h,11h,81h,0FBh,0,1,0,0,0Fh,8Dh,82h,0,0
  53. db 0,0E9h,63h,0FFh,0FFh,0FFh,81h,0FBh,0,1,0,0,7Dh,75h,8Bh,45h
  54. db 8,8Dh,3Ch,1Bh,89h,7Dh,0CCh,3,0F8h,81h,0FAh,0,0,0,1,73h
  55. db 21h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,1Bh,7,0,0,8Bh,4Dh,10h
  56. db 0Fh,0B6h,30h,0C1h,0E1h,8,0C1h,0E2h,8,0Bh,0CEh,40h,89h,4Dh,10h,89h
  57. db 45h,0FCh,66h,8Bh,7,8Bh,0CAh,0Fh,0B7h,0F0h,0C1h,0E9h,0Bh,0Fh,0AFh,0CEh
  58. db 39h,4Dh,10h,73h,15h,8Bh,0D1h,0B9h,0,8,0,0,2Bh,0CEh,0C1h,0F9h
  59. db 5,3,0C8h,66h,89h,0Fh,0D1h,0E3h,0EBh,9Ch,29h,4Dh,10h,2Bh,0D1h,66h
  60. db 8Bh,0C8h,66h,0C1h,0E9h,5,2Bh,0C1h,66h,89h,7,8Bh,45h,0CCh,8Dh,58h
  61. db 1,0EBh,83h,8Bh,45h,18h,8Bh,75h,0E4h,88h,5Dh,0Bh,88h,1Ch,6,46h
  62. db 83h,7Dh,0F8h,4,89h,75h,0E4h,7Dh,9,83h,65h,0F8h,0,0E9h,8Dh,6
  63. db 0,0,83h,7Dh,0F8h,0Ah,7Dh,9,83h,6Dh,0F8h,3,0E9h,7Eh,6,0
  64. db 0,83h,6Dh,0F8h,6,0E9h,75h,6,0,0,29h,75h,10h,2Bh,0D6h,66h
  65. db 8Bh,0F0h,66h,0C1h,0EEh,5,2Bh,0C6h,81h,0FAh,0,0,0,1,66h,89h
  66. db 1,8Bh,45h,0E8h,8Bh,4Dh,0F8h,8Dh,8Ch,48h,80h,1,0,0,73h,21h
  67. db 8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,5Ch,6,0,0,8Bh,75h,10h,0Fh
  68. db 0B6h,18h,0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F3h,40h,89h,75h,10h,89h,45h
  69. db 0FCh,66h,8Bh,1,8Bh,0F2h,0Fh,0B7h,0D8h,0C1h,0EEh,0Bh,0Fh,0AFh,0F3h,39h
  70. db 75h,10h,73h,42h,8Bh,0D6h,0BEh,0,8,0,0,2Bh,0F3h,0C1h,0FEh,5
  71. db 3,0F0h,8Bh,45h,0E0h,89h,45h,0D4h,8Bh,45h,0DCh,89h,45h,0E0h,8Bh,45h
  72. db 0F0h,89h,45h,0DCh,33h,0C0h,83h,7Dh,0F8h,7,66h,89h,31h,0Fh,9Dh,0C0h
  73. db 48h,24h,0FDh,83h,0C0h,3,89h,45h,0F8h,8Bh,45h,0E8h,5,64h,6,0
  74. db 0,0E9h,48h,2,0,0,29h,75h,10h,2Bh,0D6h,66h,8Bh,0F0h,66h,0C1h
  75. db 0EEh,5,2Bh,0C6h,81h,0FAh,0,0,0,1,66h,89h,1,8Bh,45h,0F8h
  76. db 8Bh,4Dh,0E8h,8Dh,0B4h,41h,98h,1,0,0,89h,75h,8,73h,21h,8Bh
  77. db 45h,0FCh,3Bh,45h,0F4h,0Fh,84h,0BDh,5,0,0,8Bh,4Dh,10h,0Fh,0B6h
  78. db 18h,0C1h,0E1h,8,0C1h,0E2h,8,0Bh,0CBh,40h,89h,4Dh,10h,89h,45h,0FCh
  79. db 66h,8Bh,6,8Bh,0CAh,0Fh,0B7h,0D8h,0C1h,0E9h,0Bh,0Fh,0AFh,0CBh,39h,4Dh
  80. db 10h,0Fh,83h,0C1h,0,0,0,0BEh,0,8,0,0,8Bh,0D1h,2Bh,0F3h
  81. db 0C1h,0FEh,5,3,0F0h,8Bh,45h,8,66h,89h,30h,8Bh,45h,0F8h,8Bh,75h
  82. db 0E8h,83h,0C0h,0Fh,0C1h,0E0h,4,3,0C7h,81h,0F9h,0,0,0,1,8Dh
  83. db 4,46h,73h,23h,8Bh,75h,0FCh,3Bh,75h,0F4h,0Fh,84h,58h,5,0,0
  84. db 0Fh,0B6h,1Eh,0C1h,0E1h,8,8Bh,0D1h,8Bh,4Dh,10h,0C1h,0E1h,8,0Bh,0CBh
  85. db 46h,89h,4Dh,10h,89h,75h,0FCh,66h,8Bh,8,8Bh,0F2h,0Fh,0B7h,0D9h,0C1h
  86. db 0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,10h,73h,48h,8Bh,0D6h,0BEh,0,8,0
  87. db 0,2Bh,0F3h,0C1h,0FEh,5,3,0F1h,66h,89h,30h,8Bh,75h,0E4h,85h,0F6h
  88. db 0Fh,84h,12h,5,0,0,33h,0C0h,83h,7Dh,0F8h,7,8Bh,0CEh,0Fh,9Dh
  89. db 0C0h,2Bh,4Dh,0F0h,48h,24h,0FEh,83h,0C0h,0Bh,89h,45h,0F8h,8Bh,45h,18h
  90. db 8Ah,0Ch,1,88h,0Ch,6,46h,88h,4Dh,0Bh,89h,75h,0E4h,0E9h,0CDh,4
  91. db 0,0,29h,75h,10h,2Bh,0D6h,66h,8Bh,0F1h,66h,0C1h,0EEh,5,2Bh,0CEh
  92. db 66h,89h,8,0E9h,0Ch,1,0,0,29h,4Dh,10h,2Bh,0D1h,66h,8Bh,0C8h
  93. db 66h,0C1h,0E9h,5,2Bh,0C1h,8Bh,4Dh,0F8h,66h,89h,6,8Bh,45h,0E8h,81h
  94. db 0FAh,0,0,0,1,8Dh,8Ch,48h,0B0h,1,0,0,73h,21h,8Bh,45h
  95. db 0FCh,3Bh,45h,0F4h,0Fh,84h,9Eh,4,0,0,8Bh,75h,10h,0Fh,0B6h,18h
  96. db 0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F3h,40h,89h,75h,10h,89h,45h,0FCh,66h
  97. db 8Bh,1,8Bh,0F2h,0Fh,0B7h,0D8h,0C1h,0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,10h
  98. db 73h,19h,8Bh,0D6h,0BEh,0,8,0,0,2Bh,0F3h,0C1h,0FEh,5,3,0F0h
  99. db 8Bh,45h,0DCh,66h,89h,31h,0E9h,90h,0,0,0,29h,75h,10h,2Bh,0D6h
  100. db 66h,8Bh,0F0h,66h,0C1h,0EEh,5,2Bh,0C6h,81h,0FAh,0,0,0,1,66h
  101. db 89h,1,8Bh,45h,0F8h,8Bh,4Dh,0E8h,8Dh,8Ch,41h,0C8h,1,0,0,73h
  102. db 21h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,2Bh,4,0,0,8Bh,75h,10h
  103. db 0Fh,0B6h,18h,0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F3h,40h,89h,75h,10h,89h
  104. db 45h,0FCh,66h,8Bh,1,8Bh,0F2h,0Fh,0B7h,0D8h,0C1h,0EEh,0Bh,0Fh,0AFh,0F3h
  105. db 39h,75h,10h,73h,16h,8Bh,0D6h,0BEh,0,8,0,0,2Bh,0F3h,0C1h,0FEh
  106. db 5,3,0F0h,8Bh,45h,0E0h,66h,89h,31h,0EBh,1Ah,29h,75h,10h,2Bh,0D6h
  107. db 66h,8Bh,0F0h,66h,0C1h,0EEh,5,2Bh,0C6h,66h,89h,1,8Bh,4Dh,0E0h,8Bh
  108. db 45h,0D4h,89h,4Dh,0D4h,8Bh,4Dh,0DCh,89h,4Dh,0E0h,8Bh,4Dh,0F0h,89h,45h
  109. db 0F0h,89h,4Dh,0DCh,33h,0C0h,83h,7Dh,0F8h,7,0Fh,9Dh,0C0h,48h,24h,0FDh
  110. db 83h,0C0h,0Bh,89h,45h,0F8h,8Bh,45h,0E8h,5,68h,0Ah,0,0,81h,0FAh
  111. db 0,0,0,1,73h,21h,8Bh,4Dh,0FCh,3Bh,4Dh,0F4h,0Fh,84h,96h,3
  112. db 0,0,8Bh,75h,10h,0Fh,0B6h,19h,0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F3h
  113. db 41h,89h,75h,10h,89h,4Dh,0FCh,66h,8Bh,8,8Bh,0F2h,0Fh,0B7h,0D9h,0C1h
  114. db 0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,10h,73h,28h,8Bh,0D6h,0BEh,0,8,0
  115. db 0,2Bh,0F3h,0C1h,0FEh,5,3,0F1h,0C1h,0E7h,4,83h,65h,0D8h,0,66h
  116. db 89h,30h,8Dh,44h,7,4,0C7h,45h,8,3,0,0,0,0E9h,98h,0
  117. db 0,0,29h,75h,10h,2Bh,0D6h,66h,8Bh,0F1h,66h,0C1h,0EEh,5,2Bh,0CEh
  118. db 81h,0FAh,0,0,0,1,66h,89h,8,73h,21h,8Bh,4Dh,0FCh,3Bh,4Dh
  119. db 0F4h,0Fh,84h,21h,3,0,0,8Bh,75h,10h,0Fh,0B6h,19h,0C1h,0E6h,8
  120. db 0C1h,0E2h,8,0Bh,0F3h,41h,89h,75h,10h,89h,4Dh,0FCh,66h,8Bh,48h,2
  121. db 8Bh,0F2h,0Fh,0B7h,0D9h,0C1h,0EEh,0Bh,0Fh,0AFh,0F3h,39h,75h,10h,73h,25h
  122. db 8Bh,0D6h,0BEh,0,8,0,0,2Bh,0F3h,0C7h,45h,0D8h,8,0,0,0
  123. db 0C1h,0FEh,5,3,0F1h,0C1h,0E7h,4,66h,89h,70h,2,8Dh,84h,7,4
  124. db 1,0,0,0EBh,81h,29h,75h,10h,2Bh,0D6h,66h,8Bh,0F1h,0C7h,45h,0D8h
  125. db 10h,0,0,0,66h,0C1h,0EEh,5,2Bh,0CEh,0C7h,45h,8,8,0,0
  126. db 0,66h,89h,48h,2,5,4,2,0,0,8Bh,4Dh,8,0C7h,45h,0ECh
  127. db 1,0,0,0,89h,4Dh,0CCh,8Bh,4Dh,0ECh,3,0C9h,89h,4Dh,0D0h,3
  128. db 0C8h,81h,0FAh,0,0,0,1,73h,21h,8Bh,75h,0FCh,3Bh,75h,0F4h,0Fh
  129. db 84h,83h,2,0,0,8Bh,7Dh,10h,0Fh,0B6h,1Eh,0C1h,0E7h,8,0C1h,0E2h
  130. db 8,0Bh,0FBh,46h,89h,7Dh,10h,89h,75h,0FCh,66h,8Bh,19h,8Bh,0FAh,0Fh
  131. db 0B7h,0F3h,0C1h,0EFh,0Bh,0Fh,0AFh,0FEh,39h,7Dh,10h,73h,16h,8Bh,0D7h,0BFh
  132. db 0,8,0,0,2Bh,0FEh,0C1h,0FFh,5,3,0FBh,0D1h,65h,0ECh,66h,89h
  133. db 39h,0EBh,18h,29h,7Dh,10h,66h,8Bh,0F3h,66h,0C1h,0EEh,5,2Bh,0DEh,2Bh
  134. db 0D7h,66h,89h,19h,8Bh,4Dh,0D0h,41h,89h,4Dh,0ECh,0FFh,4Dh,0CCh,75h,87h
  135. db 8Bh,4Dh,8,6Ah,1,8Bh,45h,0D8h,5Bh,8Bh,0F3h,0D3h,0E6h,2Bh,0C6h,1
  136. db 45h,0ECh,83h,7Dh,0F8h,4,0Fh,8Dh,0C4h,1,0,0,83h,45h,0F8h,7
  137. db 83h,7Dh,0ECh,4,7Dh,5,8Bh,45h,0ECh,0EBh,3,6Ah,3,58h,8Bh,4Dh
  138. db 0E8h,0C7h,45h,0CCh,6,0,0,0,0C1h,0E0h,7,8Dh,84h,8,60h,3
  139. db 0,0,89h,45h,8,8Bh,45h,8,8Dh,3Ch,1Bh,89h,7Dh,0D0h,3,0F8h
  140. db 81h,0FAh,0,0,0,1,73h,21h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h
  141. db 0C4h,1,0,0,8Bh,4Dh,10h,0Fh,0B6h,30h,0C1h,0E1h,8,0C1h,0E2h,8
  142. db 0Bh,0CEh,40h,89h,4Dh,10h,89h,45h,0FCh,66h,8Bh,7,8Bh,0CAh,0Fh,0B7h
  143. db 0F0h,0C1h,0E9h,0Bh,0Fh,0AFh,0CEh,39h,4Dh,10h,73h,15h,8Bh,0D1h,0B9h,0
  144. db 8,0,0,2Bh,0CEh,0C1h,0F9h,5,3,0C8h,66h,89h,0Fh,0D1h,0E3h,0EBh
  145. db 17h,29h,4Dh,10h,2Bh,0D1h,66h,8Bh,0C8h,66h,0C1h,0E9h,5,2Bh,0C1h,66h
  146. db 89h,7,8Bh,45h,0D0h,8Dh,58h,1,0FFh,4Dh,0CCh,75h,88h,6Ah,4,83h
  147. db 0EBh,40h,5Fh,3Bh,0DFh,0Fh,8Ch,0Dh,1,0,0,6Ah,1,8Bh,0CBh,8Bh
  148. db 0F3h,58h,0D1h,0F9h,23h,0F0h,49h,83h,0CEh,2,83h,0FBh,0Eh,89h,4Dh,0CCh
  149. db 7Dh,16h,0D3h,0E6h,8Bh,4Dh,0E8h,89h,75h,0F0h,2Bh,0F3h,8Dh,8Ch,71h,5Eh
  150. db 5,0,0,89h,4Dh,8,0EBh,53h,2Bh,0CFh,81h,0FAh,0,0,0,1
  151. db 73h,23h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,1Ah,1,0,0,8Bh,5Dh
  152. db 10h,6Ah,1,0Fh,0B6h,0,0C1h,0E3h,8,0Bh,0D8h,58h,0C1h,0E2h,8,0FFh
  153. db 45h,0FCh,89h,5Dh,10h,0D1h,0EAh,0D1h,0E6h,39h,55h,10h,72h,5,29h,55h
  154. db 10h,0Bh,0F0h,49h,75h,0C4h,8Bh,4Dh,0E8h,89h,7Dh,0CCh,81h,0C1h,44h,6
  155. db 0,0,0C1h,0E6h,4,89h,4Dh,8,89h,75h,0F0h,89h,45h,0D0h,89h,45h
  156. db 0D8h,8Bh,45h,0D8h,81h,0FAh,0,0,0,1,8Dh,0Ch,0,8Bh,45h,8
  157. db 8Dh,1Ch,1,73h,21h,8Bh,45h,0FCh,3Bh,45h,0F4h,0Fh,84h,0B7h,0,0
  158. db 0,8Bh,75h,10h,0Fh,0B6h,38h,0C1h,0E6h,8,0C1h,0E2h,8,0Bh,0F7h,40h
  159. db 89h,75h,10h,89h,45h,0FCh,66h,8Bh,3,8Bh,0FAh,0Fh,0B7h,0F0h,0C1h,0EFh
  160. db 0Bh,0Fh,0AFh,0FEh,39h,7Dh,10h,73h,16h,0B9h,0,8,0,0,8Bh,0D7h
  161. db 2Bh,0CEh,0C1h,0F9h,5,3,0C8h,0D1h,65h,0D8h,66h,89h,0Bh,0EBh,1Bh,29h
  162. db 7Dh,10h,66h,8Bh,0F0h,66h,0C1h,0EEh,5,2Bh,0C6h,2Bh,0D7h,66h,89h,3
  163. db 8Bh,45h,0D0h,41h,9,45h,0F0h,89h,4Dh,0D8h,0D1h,65h,0D0h,0FFh,4Dh,0CCh
  164. db 0Fh,85h,7Bh,0FFh,0FFh,0FFh,0EBh,3,89h,5Dh,0F0h,0FFh,45h,0F0h,74h,38h
  165. db 8Bh,75h,0E4h,83h,45h,0ECh,2,39h,75h,0F0h,77h,3Ch,8Bh,4Dh,18h,8Bh
  166. db 0C6h,2Bh,45h,0F0h,0FFh,4Dh,0ECh,8Ah,4,8,88h,4,0Eh,46h,83h,7Dh
  167. db 0ECh,0,88h,45h,0Bh,89h,75h,0E4h,74h,5,3Bh,75h,1Ch,72h,0E0h,3Bh
  168. db 75h,1Ch,0Fh,82h,81h,0F7h,0FFh,0FFh,81h,0FAh,0,0,0,1,73h,10h
  169. db 8Bh,45h,0FCh,3Bh,45h,0F4h,75h,5,6Ah,1,58h,0EBh,18h,0FFh,45h,0FCh
  170. db 8Bh,45h,0FCh,8Bh,4Dh,14h,2Bh,45h,0Ch,89h,1,8Bh,45h,20h,8Bh,4Dh
  171. db 0E4h,89h,8,33h,0C0h,5Fh,5Eh,5Bh,0C9h
  172. add esp,20h ; pop the 7 arguments plus the dummy return slot (8*4 = 20h); the inlined body above ends with leave (0C9h), not ret
  173. leave ; drop the zeroed 16000-byte block and restore ebp
  174. retn 10h ; __stdcall return: pop the 4 caller-pushed arguments
  175. end

【原创】手写PE文件,打造史上最小LZMA解压DLL

因程序需求,需要在VB中调用LZMA解压数据,经过N天研究出此成果~

什么是LZMA:LZMA应该是目前世界上数一数二的压缩算法——压缩时相同的时间得到压缩比最高,解压时速度极快且几乎不占内存。如果你对LZMA算法并无耳闻,那么7z总听说过吧。。没错,LZMA即7z作者发明的,7z使用的算法。什么?7z也没听说过?这样吧,你在网上下的软件,比如旺旺、暴风影音、人人桌面,它们的安装程序都是清一色的NSIS,打包的压缩算法是LZMA。。

用到的工具:

文件、内存编辑器:winhex
汇编器、调试器:ollydbg
upx shell

参考的资料:

看雪论坛《加密与解密》
LZMA SDK
NSIS Source
UPX Source

为什么要使用upx shell呢?在这里偷偷告诉大家,upx shell是支持用lzma算法压缩exe、dll文件的,所以呢,其生成的加壳文件中必定有最最精简最最完美的lzma解压代码,我们有足够的理由相信,不管你用哪个版本的lzma sdk来编译,出来的C语言版本都不会比upx做好的asm版本更好~

废话不再多说,下面来一步步操作:

1、自然是随便找个EXE文件用UPX加壳,注意UPX核心要选择2.92b(只有这个版本是支持LZMA的),高级选项中勾选LZMA。

2、将加壳的EXE用OD打开。从入口处往下看,可以看到有句mov [ebx],30002,然后后面是几个nop对齐,然后是熟悉的push ebp,这即是upx lzma核心解密函数的入口。把这个地址记为0,数到0x0A85,可以看到有对应的pop ebp,这2694字节就是upx lzma解密函数(没有写ret),是由4.43版的LZMA SDK修改得来的,函数声明即4.43版LZMA SDK中的LzmaDecode:

int LzmaDecode(CLzmaDecoderState *vs, const unsigned char *inStream, SizeT inSize, SizeT *inSizeProcessed, unsigned char *outStream, SizeT outSize, SizeT *outSizeProcessed);

与原版SDK不同的是,作为壳的loader,是不太允许去malloc的,所以这个函数被修改过,CLzmaDecoderState不再是原来的那个,而是包含了解压字典,这个结构的大小从加壳EXE中可以看出来有句lea ebx,[esp-3e80],所以我们如果要在C语言中内嵌这段代码,调用的时候也要开一个16K的空间才行。我这里说的都是结果,如果你对我怎么知道这些的感兴趣,可以下载upx的源代码看一下(注意是upx而不是upx shell哦)。

3、我所要编写的一个函数是这样的:

int LzmaDecode(byte *dest, long destLen, const byte *src, long srcLen);

于是我在OD中找到一段空余的空间,模仿upx调用解密函数前面一段的代码,自己编写以下代码:

; Hand-written wrapper that gives the UPX LZMA decoder the C signature
;   int LzmaDecode(byte *dest, long destLen, const byte *src, long srcLen)
; Arguments: [ebp+8]=dest, [ebp+c]=destLen, [ebp+10]=src, [ebp+14]=srcLen.
; The 16K local block holds, from esp+4 upward: outSizeProcessed (4 bytes),
; inSizeProcessed (4 bytes), then the UPX-style CLzmaDecoderState that also
; contains the decompression dictionary.
push ebp ;stack frame
mov ebp,esp
sub esp,3e80 ;reserve 16K on the stack
             ;NOTE: the follow-up article replaces this single sub with a page-by-page
             ;push loop, because one 16K jump can skip the stack guard page and fault
push edi ;save edi (Windows C compilers and the API convention require callees to preserve ebx, ebp, esi and edi)
mov ecx,0fa0 ;prepare to zero the 16K block: 0fa0 dwords = 3e80 bytes
xor eax,eax
lea edi,[esp+4]
rep stos
lea eax,[esp+4]
push eax ;outSizeProcessed
add eax,4
push [ebp+c] ;outSize
push [ebp+8] ;outStream
push eax ;inSizeProcessed
add eax,4
push [ebp+14] ;inSize
push [ebp+10] ;inStream
push eax ;lzmaDecodeState
mov dword [eax],20003 ;hard-coded LZMA properties: lc=3 lp=0 pb=2
push eax ;dummy call: this would have been Call XXXX, but the decoder body follows inline, so leave one slot for the return address
jmp XXXXXXXX ;the LzmaDecode machine code itself is inserted here
add esp,20 ;acts as the ret: 7 arguments plus the dummy return address = 0x20 bytes
pop edi ;restore edi
leave ;tear down the stack frame and return
retn 10

4、用winhex打开调试程序的内存,复制以上汇编好的和2694字节的解压机器码按粘贴到新文件中。

5、到了这一步,我们就已经可以用masm或者vc写一大堆dd把刚才弄好的数据直接汇编成dll了。不过我们再来一点新的挑战——手写DLL。因为编译器总会给生成的文件弄一大堆不需要的东西,比如重定位段(这个程序是不需要重定位的),而手写的话就可以把文件做到最精简。

注意:下面的内容是最让人抓狂的PE文件结构。。。

6、首先,弄清楚我们需要什么。刚才写好的那段代码总长度是2757字节,加上简单的一句DllMain(mov eax,1 ret 0c),就是2765字节,也就是0xACD,所以我们的代码段长度要对齐到0xC00。

然后我们需要一个导出表,导出表中只有一个函数。为了节省空间,我把导出表放到了dos stub的地方。

最后文件的布局就是:

0x0000:DOS文件头(RVA:0x0000)
0x0040:导出表(原DOS代码)
0x00B0:PE文件头
0x01A8:区段表
0x0200:代码段- LzmaDecode(RVA:0x1000)
0x0CC5:DllMain
0x0CD0:结束(最后有4字节的0,为了美观还是对齐到十位吧~)

文件共3280字节。

7、需要注意的有一个地方,就是区段表中VirtualSize和SizeOfRawData的填写。很长的一段时间我的DLL无法正常加载(LoadLibrary失败,LastError是BAD_EXE_FORMAT什么的),折腾好久也不好,最后LordPE修复一下好了,把修复的和原来的比对了一下,发现SizeOfRawData尽管资料上说是要填对齐值,但实际上看来这个值是不得超过文件结尾的,也就是说我开始填了0x0C00,但加载的时候NtLoader看来是遇到了EOF,造成加载失败。

最终文件可以在这里下载

LzmaDecode