-dont_append_source
But this string cannot be found with the strings utility or in any of the many disassemblers I tried. So some of the command-line parameters are most likely obfuscated.
At least 8 parameters?
Answer #1
These command-line switches appear to be plainly visible strings, in several languages:
kind:\>kindlegen.exe -dont_append_source
Info:I9018:option: -donotaddsource: Source files will not be added
kind:\>strings -o kindlegen.exe | grep -i donotaddsource
5130184:option: -donotaddsource: Source files will not be added
5208360:Option: -donotaddsource: Quelldateien werden nicht hinzugef
5287768:option: -donotaddsource: Les fichiers sources se seront pas ajout
5367504:opzione: -donotaddsource: I file sorgente non verranno aggiunti
5448722:n: -donotaddsource: no se agregan los archivos fuente
5482150:-donotaddsource
5524610:: -donotaddsource:
5595760:o:-donotaddsource: Os arquivos de origem n
5673552:: -donotaddsource:
5748880:optie: -donotaddsource: bronbestanden worden niet toegevoegd
Binary dump at the offset reported by strings.exe:
kind:\>xxd -s 5130184 -g1 -l0x70 kindlegen.exe
04e47c8: 6f 00 70 00 74 00 69 00 6f 00 6e 00 3a 00 20 00 o.p.t.i.o.n.:. .
04e47d8: 2d 00 64 00 6f 00 6e 00 6f 00 74 00 61 00 64 00 -.d.o.n.o.t.a.d.
04e47e8: 64 00 73 00 6f 00 75 00 72 00 63 00 65 00 3a 00 d.s.o.u.r.c.e.:.
04e47f8: 20 00 53 00 6f 00 75 00 72 00 63 00 65 00 20 00 .S.o.u.r.c.e. .
04e4808: 66 00 69 00 6c 00 65 00 73 00 20 00 77 00 69 00 f.i.l.e.s. .w.i.
04e4818: 6c 00 6c 00 20 00 6e 00 6f 00 74 00 20 00 62 00 l.l. .n.o.t. .b.
04e4828: 65 00 20 00 61 00 64 00 64 00 65 00 64 00 00 00 e. .a.d.d.e.d...
windbg
kindle:\>echo get bounds of exe & cdb -c "lm m kin*;q" kindlegen.exe | grep def
get bounds of exe
00400000 00bdd000 kindlegen (deferred)
kindle:\>echo search string within bounds & cdb -c "lm m kin*;s -u kindlegen L?(0xbdd000-0x400000) donotaddsource: ; q" kindlegen.exe | grep quit: -B 11
search for emitted string within bounds
start end module name
00400000 00bdd000 kindlegen (deferred)
008e59da 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
008f8b3a 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
0090c16a 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
0091f8e4 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
0093361a 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
00945e88 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
00957476 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
0096a456 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
0097caa0 0064 006f 006e 006f 0074 0061 0064 0064 d.o.n.o.t.a.d.d.
quit:
Perhaps these are all the command-line switches:
0:000> .foreach (place {s -[1]u 400000 bdd000 "option: "}) {du /c100 place}
00839650 "option: {0}"
008e5478 "option: -preserve_img: Original Image size will be preserved"
008e54f8 "option: -image64K: The maximum size of the image is restricted to 64K"
008e5588 "option: -image128K: The maximum size of the image is restricted to 128K"
008e5618 "option: -gif: gif image conversion (no jpeg)"
008e5674 "option: -c0: No compression"
008e56b0 "option: -c1: Standard DOC compression"
008e5700 "option: -c2: Kindle Huffdic compression"
008e5750 "option: -allscript: Authorize all scripting"
008e57a8 "option: -western: Forced Windows-1252 output"
008e5808 "option: -verbose: Verbose output"
008e5850 "option: -noparseback: Parse back won't be built"
008e58b0 "option: -regserver: The XOPFPlugin type library has been registered"
008e5938 "option: -unregserver: The XOPFPlugin type library has been unregistered"
008e59c8 "option: -donotaddsource: Source files will not be added"
008e5a38 "option: (hidden) Skip the HTML cleanup"
008e5a88 "option: (hidden) creates json position map file for debugging purpose."
008e5b18 "option: (hidden) creates mobi for older devices."
008e5b80 "option: (hidden) Using manual(tag based) fragmentation mode for building Webkit reader compatible mobi."
008e5c50 "option: (hidden) Webkit reader Compatible mobi will be built"
008e5ccc "option: (hidden) fragsize"
008e5d00 "option: (hidden) custom image size will be used for resizing"
008e5d80 "option: (hidden) amazon creator tool or pipeline"
008e5de8 "option: -genhdcontainers: eMM will be built with given resolutions"
0090bbc0 "option: -preserve_img: La taille d'origine de l'image sera préservée"
0090bc50 "option: -image64K: La taille maximum de l'image est limitée à 64K"
0090bcd8 "option: -image128K: La taille maximum de l'image est limitée à 128K"
0090bd60 "option: -gif: Conversion d'image gif (pas jpeg)"
0090bdc0 "option: -c0: Aucune compression"
0090be00 "option: -c1: Compression DOC standard"
0090be50 "option: -c2: Compression Kindle Huffdic"
0090bea0 "option: -allscript: Autorise toutes les scénarisations"
0090bf10 "option: -western: Sortie Windows-1252 forcée"
0090bf70 "option: -verbose: Sortie Verbose"
0090bfb8 "option: -noparseback: Parse back ne sera pas construit"
0090c028 "option: -regserver: Le type de bibliothèque XOPFPlugin a été enregistré"
0090c0b8 "option: -unregserver: Le type de bibliothèque XOPFPlugin a été désenregistré"
0090c158 "option: -donotaddsource: Les fichiers sources se seront pas ajoutés"
0090c1e0 "option: (masquée) Sauter le nettoyage HTML"
0090c238 "option: (masquée) Crée fichier de carte de position json dans le but d'un débogage."
0090c2e0 "option: (masquée) crée un mobi pour les appareils plus anciens."
0090c360 "option: (masquée) Utilisation du mode de fragmentation manuelle (basé sur les balises) pour construire un lecteur Webkit compatible mobi."
0090c478 "option: (masquée) Un lecteur Webkit compatible mobi sera construit"
0090c500 "option: (masquée) fragsize"
0090c538 "option: (masquée) la taille d'image personnalisée sera utilisée pour redimmensionement"
0090c5e8 "option: (caché) amazon créateur outil ou d'un pipeline"
009bbe70 "option: {0}"
It appears the argument strings are md5ed and compared against a blob, as Guntram Blohm's comment on your original question suggested.
At a quick glance, the hash function looks like an MD5 implementation:
CPU Disasm
Address Hex dump Command Comments
006836F0 thiscallhashestheargstring (MD5) /$ 83EC 68 SUB ESP, 68 ; kindlegen.thiscallhashestheargstring (MD5)(guessed Arg1)
006836F3 |. 8B50 08 MOV EDX, DWORD PTR DS:[EAX+8]
006836F6 |. 8B48 04 MOV ECX, DWORD PTR DS:[EAX+4]
The MD5 hash of some arg string is computed here:
CPU Disasm
Address Command Comments
006838FD LEA EAX, [EBX+EAX+D76AA478]<<<<<<<<<<<<<<<<<<<<<<<
00683904 ROL EAX, 7
00683907 ADD EAX, EDX
00683909 AND EDI, EAX
0068390B MOV ECX, EAX
0068390D NOT ECX
0068390F AND ECX, ESI
00683911 OR ECX, EDI
00683913 ADD ECX, DWORD PTR SS:[ESP+3C]
00683917 MOV DWORD PTR SS:[ESP+18], EBX
0068391B LEA ECX, [EBP+ECX+E8C7B756] <<<<<<<<<<<<<<<<<<<<<<
00683922 ROL ECX, 0C
00683925 ADD ECX, EAX
00683927 MOV EDI, ECX
00683929 NOT EDI
0068392B AND EDI, EDX
0068392D MOV EBX, ECX
0068392F AND EBX, EAX
00683931 OR EDI, EBX
00683933 ADD EDI, DWORD PTR SS:[ESP+40]
00683937 MOV DWORD PTR SS:[ESP+30], ESI
0068393B LEA ESI, [ESI+EDI+242070DB] <<<<<<<<<<<<
The hash is compared against the blob bytes here.
Note: passing an invalid arg such as -abracadabra does not enter this comparison function, so there is possibly a pre-check on things like the arg string length. Breakpointing there yields this:
-dont_append_source hash
cat dontapp.py
import hashlib  # the original used the Python 2 "md5" module; hashlib works on Python 2 and 3
print(hashlib.md5(b"-dont_append_source").hexdigest())
print(hashlib.md5(b"-intermediate_only").hexdigest())
print(hashlib.md5(b"-releasenotes").hexdigest())
python dontapp.py
8465b444e1fe29390e2bb6b98b878829
f837e7c59aeba2cfa4a0ccb7c941e1b8
2368d23829ad7e680cd23385b9fcff6a
-intermediate_only hash
CPU Disasm
Address Command Comments
006832B0 whoknowswhat PUSH EBP ; kindlegen.whoknowswhat(guessed Arg1,Arg2)
006832B1 MOV EBP, DWORD PTR SS:[ESP+8]
-releasenotes
006832B0 INT3: [esp+4] = 84 (132.)
006832B0 INT3: [esp+4] = 65 (101.)
006832B0 INT3: [esp+4] = 0B4 (180.)
006832B0 INT3: [esp+4] = 44 (68.)
006832B0 INT3: [esp+4] = 0E1 (225.)
006832B0 INT3: [esp+4] = 0FE (254.)
006832B0 INT3: [esp+4] = 29 (41.)
006832B0 INT3: [esp+4] = 39 (57.)
006832B0 INT3: [esp+4] = 0
006832B0 INT3: [esp+4] = 0E (14.)
006832B0 INT3: [esp+4] = 2B (43.)
006832B0 INT3: [esp+4] = 0B6 (182.)
006832B0 INT3: [esp+4] = 0B9 (185.)
006832B0 INT3: [esp+4] = 8B (139.)
006832B0 INT3: [esp+4] = 87 (135.)
006832B0 INT3: [esp+4] = 88 (136.)
006832B0 INT3: [esp+4] = 29 (41.)
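The hash-then-compare scheme traced above, turned into a reusable check. This is an added example written for this page; it is not code from the answer's author and not kindlegen's own code. It shows the two things the answer demonstrates: documented switches are visible as plain ASCII/UTF-16LE text (what strings and cdb's s -u find), while a switch that is only ever checked as md5(argv) leaves nothing but its 16 digest bytes, so the only way to recover it is to hash a wordlist of guesses and search the image for each digest. kindlegen.exe is not available here, so build_sample_image() is a constructed stand-in blob (an assumption, labelled in the code) that embeds one help string and two raw digests.

```python
"""Dictionary recovery of command-line switches stored only as MD5 digests.

Added example, not the original answer's or kindlegen's code.  Assumptions:
the program compares md5(argv[i]) byte-for-byte against raw 16-byte digests
embedded in the executable (as the traced compare routine suggests), and
the image scanned below is a constructed stand-in, not a real kindlegen.exe.
"""
import hashlib
from typing import Dict, Iterable, List

# Digest bytes the breakpoint on the compare routine reported for
# -dont_append_source in the answer above (md5 of that string).
TRACED_DIGEST = bytes([0x84, 0x65, 0xB4, 0x44, 0xE1, 0xFE, 0x29, 0x39,
                       0x0E, 0x2B, 0xB6, 0xB9, 0x8B, 0x87, 0x88, 0x29])


def md5_digest(switch: str) -> bytes:
    """Raw 16-byte MD5 of a candidate switch, exactly as argv would be hashed."""
    return hashlib.md5(switch.encode("ascii")).digest()


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """All byte offsets of needle in haystack (overlapping matches included)."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan_plain(image: bytes, candidates: Iterable[str]) -> Dict[str, List[int]]:
    """Switches present as text (ASCII or UTF-16LE): what strings / cdb show."""
    out: Dict[str, List[int]] = {}
    for name in candidates:
        offs = sorted(find_all(image, name.encode("ascii")) +
                      find_all(image, name.encode("utf-16-le")))
        if offs:
            out[name] = offs
    return out


def scan_hashed(image: bytes, candidates: Iterable[str]) -> Dict[str, List[int]]:
    """Switches present only as md5(argv): raw digest, or its lowercase hex."""
    out: Dict[str, List[int]] = {}
    for name in candidates:
        digest = md5_digest(name)
        offs = sorted(find_all(image, digest) +
                      find_all(image, digest.hex().encode("ascii")))
        if offs:
            out[name] = offs
    return out


def build_sample_image() -> bytes:
    """Constructed stand-in for the executable (assumption: not real kindlegen data)."""
    return b"".join([
        b"\x00" * 16,                                            # offset 0
        "option: -verbose: Verbose output".encode("utf-16-le"),  # offset 16, documented switch
        b"\x00" * 16,
        md5_digest("-dont_append_source"),                       # offset 96, hidden switch as digest
        b"\x00" * 16,
        md5_digest("-intermediate_only"),                        # offset 128, hidden switch as digest
        b"\x00" * 16,
    ])


# Guesses to try; -abracadabra is a deliberate miss, as in the answer.
WORDLIST = ["-verbose", "-dont_append_source", "-intermediate_only",
            "-releasenotes", "-abracadabra"]


def recover(image: bytes, wordlist: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """Classify each guess as visible text, digest-only, or absent."""
    words = list(wordlist)
    return {"plain": scan_plain(image, words), "hashed": scan_hashed(image, words)}


if __name__ == "__main__":
    img = build_sample_image()
    for kind, hits in recover(img, WORDLIST).items():
        for name, offs in hits.items():
            print(f"{kind:6} {name:22} at {[hex(o) for o in offs]}")
```

Against a real file, read it with open(path, "rb").read() and feed a larger wordlist (option names harvested from the help strings, their underscore/camel-case variants, and the "(hidden)" descriptions rewritten as switch names); a hit in "hashed" with no hit in "plain" is exactly the signature of a switch the program deliberately kept out of its strings.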
Comments
If you look in the list, you will find the "option: (hidden) ..." command-line options the OP asked about. (And in several languages: "masquée", "verborgen", "скрыто".)
– 杂件
Dec 9 '16 at 10:18
donotaddsource is not hidden as the OP said
– 实验室
Dec 9 '16 at 10:49
@blabb: Thanks for looking into this. I really appreciate it! As other commenters have already pointed out, -donotaddsource is not one of the hidden options. In fact, kindlegen prints -donotaddsource if -dont_append_source is specified, i.e. they must have changed the name of this hidden option later, i.e. -donotaddsource is rejected as a command-line argument.
– Nemo XXX
Dec 9 '16 at 14:40
It appears the args are md5ed; see the updated answer.
– blabb
Dec 10 '16 at 7:29
@blabb: Thanks for the update!!! If you post the md5 hashes for: option: (hidden) creates mobi for older devices. and option: (hidden) Webkit reader Compatible mobi will be built, I will accept the answer and award you the bounty.
– Nemo XXX
Dec 10 '16 at 8:49
Comments
You will have to disassemble the code and check how the application does its argument handling. If they really wanted to hide those hidden parameters, they could run a hash function over the argument and compare the result against a blob in the binary, in which case you cannot even find out what the original command string was.
I suggest creating a memory dump of the process while it is running and running the strings utility on it. It is possible those obfuscated parameters get de-obfuscated/decrypted during program startup, and you would find the switches in the memory dump.
@w s: Unfortunately, creating a memory dump did not help me find the parameters.
Rough attempt (you never know): a simple incremental XOR lookup. But not only did it fail to locate the example dont_append_source anywhere, it also did not find the "regular" options except in the descriptions of the options themselves. Still, here is a hint: the Windows version seems to use Unicode throughout, while the Mac version does not. That might make things (partially) easier.
– Sorry, scratch that. Regular options are simple strings and are tested in a single routine. I cannot see an obvious test for other strings (encrypted or not), though.
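The "simple incremental XOR lookup" mentioned in the comment above, written out as an added example so it can be run against any file. This is my code, not the commenter's and not kindlegen's. It searches for a known switch name under two cheap obfuscation schemes, single-byte XOR and incremental XOR (the key advances by one per byte), and in both ASCII and UTF-16LE, since the comment notes that the Windows build uses Unicode strings throughout. Because neither keystream depends on the file offset, it is enough to obfuscate the needle under each of the 256 keys and search the raw file once per key, instead of decoding the whole file. No kindlegen.exe is available here, so build_sample_image() is a constructed blob (an assumption, labelled in the code) with one plain help string and two obfuscated copies of the switch name.

```python
"""Search a binary for a known string under single-byte and incremental XOR.

Added example, not the commenter's or kindlegen's code.  The sample image is
a constructed stand-in, not real kindlegen data.
"""
from typing import Callable, Dict, List, Tuple

# scheme name -> (plaintext bytes, key) -> obfuscated bytes.  Both keystreams
# are offset-independent, so an obfuscated needle can be searched directly.
SCHEMES: Dict[str, Callable[[bytes, int], bytes]] = {
    "xor1":    lambda data, key: bytes(b ^ key for b in data),
    "xor-inc": lambda data, key: bytes(b ^ ((key + i) & 0xFF)
                                       for i, b in enumerate(data)),
}
ENCODINGS = ("ascii", "utf-16-le")

Hit = Tuple[str, int, str, int]   # (scheme, key, encoding, file offset)


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """All byte offsets of needle in haystack (overlapping matches included)."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def search_obfuscated(image: bytes, plaintext: str) -> List[Hit]:
    """Every (scheme, key, encoding, offset) under which plaintext occurs.

    A hit with scheme "xor1" and key 0 is the unobfuscated string itself,
    i.e. what a plain strings run would already have shown.
    """
    hits: List[Hit] = []
    for enc in ENCODINGS:
        needle = plaintext.encode(enc)
        for scheme, obfuscate in SCHEMES.items():
            for key in range(256):
                for off in find_all(image, obfuscate(needle, key)):
                    hits.append((scheme, key, enc, off))
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for an executable (assumption: not real kindlegen data)."""
    switch = "-dont_append_source"
    return b"".join([
        b"\x00" * 32,                                            # offset 0
        "option: -verbose: Verbose output".encode("utf-16-le"),  # offset 32, plain UTF-16
        b"\x00" * 32,
        SCHEMES["xor1"](switch.encode("ascii"), 0x5A),           # offset 128, ASCII ^ 0x5A
        b"\x00" * 32,
        SCHEMES["xor-inc"](switch.encode("utf-16-le"), 0x10),    # offset 179, UTF-16 ^ (0x10+i)
        b"\x00" * 32,
    ])


if __name__ == "__main__":
    img = build_sample_image()
    for name in ("-verbose", "-dont_append_source"):
        for scheme, key, enc, off in search_obfuscated(img, name):
            print(f"{name:22} {scheme:8} key=0x{key:02x} {enc:9} at 0x{off:x}")
```

A file that stores its switches only as MD5 digests, as the accepted answer found, yields no hits from this search at all, which is the same negative result the comment reports; the search is still worth a run first, because it is cheap and rules out the two most common string-hiding tricks before resorting to a debugger.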