一个反调试程序的动态分析
本帖最后由 xujidejia 于 2024-5-28 00:03 编辑。今天遇到一个反调试程序,用X64DBG运行直接就退出,最后用动态调试。这是一个网络验证,搜索不到有用的字符串,最终一步一步跟踪到了一个循环内,但是在这个循环内就出现了到期时间,感觉很奇怪,代码如下:
00000001407544E7 | 8B4424 3C | mov eax,dword ptr ss: |
00000001407544EB | E9 00000000 | jmp at.1407544F0 |
00000001407544F0 | FFC0 | inc eax |
00000001407544F2 | 894424 3C | mov dword ptr ss:,eax |
00000001407544F6 | 48:8B8424 18020000 | mov rax,qword ptr ss: | :L"X"
00000001407544FE | 8B00 | mov eax,dword ptr ds: |
0000000140754500 | F9 | stc |
0000000140754501 | E9 00000000 | jmp at.140754506 |
0000000140754506 | 394424 3C | cmp dword ptr ss:,eax |
000000014075450A | E9 00000000 | jmp at.14075450F |
000000014075450F | 0F8D 07010000 | jge at.14075461C |
0000000140754515 | 0FB64424 30 | movzx eax,byte ptr ss: |
000000014075451A | F5 | cmc |
000000014075451B | 4C:0FB3F9 | btr rcx,r15 |
000000014075451F | 8B4C24 3C | mov ecx,dword ptr ss: |
0000000140754523 | C0CA 02 | ror dl,2 |
0000000140754526 | 8D4408 03 | lea eax,qword ptr ds: |
000000014075452A | 99 | cdq |
000000014075452B | 0F95C1 | setne cl |
000000014075452E | 48:98 | cdqe |
0000000140754530 | 66:0FBAE2 39 | bt dx,39 |
0000000140754535 | 48:8B8C24 00020000 | mov rcx,qword ptr ss: |
000000014075453D | 0F90C2 | seto dl |
0000000140754540 | 66:85CB | test bx,cx |
0000000140754543 | 6644:0FA3CA | bt dx,r9w |
0000000140754548 | 0FB60401 | movzx eax,byte ptr ds: |
000000014075454C | 35 78030000 | xor eax,378 |
0000000140754551 | 35 9A020000 | xor eax,29A |
0000000140754556 | FEC2 | inc dl |
0000000140754558 | 80C6 28 | add dh,28 |
000000014075455B | 66:F7D1 | not cx |
000000014075455E | B9 04000000 | mov ecx,4 |
0000000140754563 | C1FA 82 | sar edx,82 | edx:L"{"
0000000140754566 | 48:6BC9 05 | imul rcx,rcx,5 |
000000014075456A | 33440C 60 | xor eax,dword ptr ss: |
000000014075456E | B9 04000000 | mov ecx,4 |
0000000140754573 | 48:6BC9 04 | imul rcx,rcx,4 |
0000000140754577 | 99 | cdq |
0000000140754578 | 33440C 60 | xor eax,dword ptr ss: |
000000014075457C | 48:0FBAF1 3B | btr rcx,3B |
0000000140754581 | 80D2 9A | adc dl,9A |
0000000140754584 | B9 04000000 | mov ecx,4 |
0000000140754589 | 41:0FB7D4 | movzx edx,r12w | edx:L"{"
000000014075458D | D2D6 | rcl dh,cl |
000000014075458F | 66:C1F2 89 | shl dx,89 |
0000000140754593 | 48:6BC9 03 | imul rcx,rcx,3 |
0000000140754597 | F6C7 3D | test bh,3D |
000000014075459A | 66:BA 9472 | mov dx,7294 |
000000014075459E | 66:0FBAE2 A5 | bt dx,A5 |
00000001407545A3 | 2B440C 60 | sub eax,dword ptr ss: |
00000001407545A7 | C0D5 97 | rcl ch,97 |
00000001407545AA | 41:0FBDCB | bsr ecx,r11d |
00000001407545AE | B9 04000000 | mov ecx,4 |
00000001407545B3 | C0E2 39 | shl dl,39 |
00000001407545B6 | 80EA A8 | sub dl,A8 |
00000001407545B9 | 48:6BC9 02 | imul rcx,rcx,2 |
00000001407545BD | 0FB7D4 | movzx edx,sp |
00000001407545C0 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545C4 | B9 04000000 | mov ecx,4 |
00000001407545C9 | 6641:85D6 | test r14w,dx |
00000001407545CD | 48:6BC9 01 | imul rcx,rcx,1 |
00000001407545D1 | 66:C1DA 1E | rcr dx,1E |
00000001407545D5 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545D9 | 44:84C6 | test sil,r8b |
00000001407545DC | B9 04000000 | mov ecx,4 |
00000001407545E1 | 48:C1C2 9B | rol rdx,9B | rdx:L"{"
00000001407545E5 | 41:33D1 | xor edx,r9d | edx:L"{"
00000001407545E8 | 48:6BC9 00 | imul rcx,rcx,0 |
00000001407545EC | 41:0FBFD5 | movsx edx,r13w | edx:L"{"
00000001407545F0 | 48:C1D2 A8 | rcl rdx,A8 | rdx:L"{"
00000001407545F4 | 48:0BD4 | or rdx,rsp |
00000001407545F7 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545FB | 49:63D0 | movsxd rdx,r8d | rdx:L"{", r8d:" \r@"
00000001407545FE | F6D2 | not dl |
0000000140754600 | 48:99 | cqo |
0000000140754602 | 48:634C24 3C | movsxd rcx,dword ptr ss: |
0000000140754607 | 48:8B9424 10020000 | mov rdx,qword ptr ss: | :L"{"
000000014075460F | E9 00000000 | jmp at.140754614 |
0000000140754614 | 88040A | mov byte ptr ds:,al | rdx+rcx*1:L"{"
0000000140754617 | E9 CBFEFFFF | jmp at.1407544E7 |这个位置一直在循环
000000014075461C | 48:8D9424 E0000000 | lea rdx,qword ptr ss: |
0000000140754624 | 66:F7D1 | not cx |
0000000140754627 | E9 02000000 | jmp at.14075462E |
000000014075462C | B1 1B | mov cl,1B |
000000014075462E | 48:8D8C24 A0000000 | lea rcx,qword ptr ss: |
0000000140754636 | E9 00000000 | jmp at.14075463B |
000000014075463B | E8 F0F08AFF | call at.140003730 |
0000000140754640 | 83F8 01 | cmp eax,1 |
0000000140754643 | E9 00000000 | jmp at.140754648 |
0000000140754648 | 0F85 A8000000 | jne at.1407546F6 |
当这个循环跑完以后,我在 000000014075450F 处的跳转 jge at.14075461C 这里直接 F4 出来,出现了以下代码:
00000001407544E7 | 8B4424 3C | mov eax,dword ptr ss: |
00000001407544EB | E9 00000000 | jmp at.1407544F0 |
00000001407544F0 | FFC0 | inc eax |
00000001407544F2 | 894424 3C | mov dword ptr ss:,eax |
00000001407544F6 | 48:8B8424 18020000 | mov rax,qword ptr ss: | :L"X"
00000001407544FE | 8B00 | mov eax,dword ptr ds: |
0000000140754500 | F9 | stc |
0000000140754501 | E9 00000000 | jmp at.140754506 |
0000000140754506 | 394424 3C | cmp dword ptr ss:,eax |
000000014075450A | E9 00000000 | jmp at.14075450F |
000000014075450F | 0F8D 07010000 | jge at.14075461C |
0000000140754515 | 0FB64424 30 | movzx eax,byte ptr ss: |
000000014075451A | F5 | cmc |
000000014075451B | 4C:0FB3F9 | btr rcx,r15 |
000000014075451F | 8B4C24 3C | mov ecx,dword ptr ss: |
0000000140754523 | C0CA 02 | ror dl,2 |
0000000140754526 | 8D4408 03 | lea eax,qword ptr ds: |
000000014075452A | 99 | cdq |
000000014075452B | 0F95C1 | setne cl |
000000014075452E | 48:98 | cdqe |
0000000140754530 | 66:0FBAE2 39 | bt dx,39 |
0000000140754535 | 48:8B8C24 00020000 | mov rcx,qword ptr ss: |
000000014075453D | 0F90C2 | seto dl |
0000000140754540 | 66:85CB | test bx,cx |
0000000140754543 | 6644:0FA3CA | bt dx,r9w |
0000000140754548 | 0FB60401 | movzx eax,byte ptr ds: |
000000014075454C | 35 78030000 | xor eax,378 |
0000000140754551 | 35 9A020000 | xor eax,29A |
0000000140754556 | FEC2 | inc dl |
0000000140754558 | 80C6 28 | add dh,28 |
000000014075455B | 66:F7D1 | not cx |
000000014075455E | B9 04000000 | mov ecx,4 |
0000000140754563 | C1FA 82 | sar edx,82 | edx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
0000000140754566 | 48:6BC9 05 | imul rcx,rcx,5 |
000000014075456A | 33440C 60 | xor eax,dword ptr ss: |
000000014075456E | B9 04000000 | mov ecx,4 |
0000000140754573 | 48:6BC9 04 | imul rcx,rcx,4 |
0000000140754577 | 99 | cdq |
0000000140754578 | 33440C 60 | xor eax,dword ptr ss: |
000000014075457C | 48:0FBAF1 3B | btr rcx,3B |
0000000140754581 | 80D2 9A | adc dl,9A |
0000000140754584 | B9 04000000 | mov ecx,4 |
0000000140754589 | 41:0FB7D4 | movzx edx,r12w | edx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
000000014075458D | D2D6 | rcl dh,cl |
000000014075458F | 66:C1F2 89 | shl dx,89 |
0000000140754593 | 48:6BC9 03 | imul rcx,rcx,3 |
0000000140754597 | F6C7 3D | test bh,3D |
000000014075459A | 66:BA 9472 | mov dx,7294 |
000000014075459E | 66:0FBAE2 A5 | bt dx,A5 |
00000001407545A3 | 2B440C 60 | sub eax,dword ptr ss: |
00000001407545A7 | C0D5 97 | rcl ch,97 |
00000001407545AA | 41:0FBDCB | bsr ecx,r11d |
00000001407545AE | B9 04000000 | mov ecx,4 |
00000001407545B3 | C0E2 39 | shl dl,39 |
00000001407545B6 | 80EA A8 | sub dl,A8 |
00000001407545B9 | 48:6BC9 02 | imul rcx,rcx,2 |
00000001407545BD | 0FB7D4 | movzx edx,sp |
00000001407545C0 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545C4 | B9 04000000 | mov ecx,4 |
00000001407545C9 | 6641:85D6 | test r14w,dx |
00000001407545CD | 48:6BC9 01 | imul rcx,rcx,1 |
00000001407545D1 | 66:C1DA 1E | rcr dx,1E |
00000001407545D5 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545D9 | 44:84C6 | test sil,r8b |
00000001407545DC | B9 04000000 | mov ecx,4 |
00000001407545E1 | 48:C1C2 9B | rol rdx,9B | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
00000001407545E5 | 41:33D1 | xor edx,r9d | edx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
00000001407545E8 | 48:6BC9 00 | imul rcx,rcx,0 |
00000001407545EC | 41:0FBFD5 | movsx edx,r13w | edx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
00000001407545F0 | 48:C1D2 A8 | rcl rdx,A8 | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
00000001407545F4 | 48:0BD4 | or rdx,rsp |
00000001407545F7 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545FB | 49:63D0 | movsxd rdx,r8d | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n", r8d:" \r@"ginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
00000001407545FE | F6D2 | not dl |
0000000140754600 | 48:99 | cqo |
0000000140754602 | 48:634C24 3C | movsxd rcx,dword ptr ss: |
0000000140754607 | 48:8B9424 10020000 | mov rdx,qword ptr ss: | :"{\"LoginForCardNotif\":{\"loginStatus\":1,\"msg\":\"登录成功!到期时间:2024-11-29 22:13:19\"}}\n"
000000014075460F | E9 00000000 | jmp at.140754614 |
0000000140754614 | 88040A | mov byte ptr ds:,al | rdx+rcx*1:L"\n"
0000000140754617 | E9 CBFEFFFF | jmp at.1407544E7 |
000000014075461C | 48:8D9424 E0000000 | lea rdx,qword ptr ss: |
0000000140754624 | 66:F7D1 | not cx |
0000000140754627 | E9 02000000 | jmp at.14075462E |
000000014075462C | B1 1B | mov cl,1B |
000000014075462E | 48:8D8C24 A0000000 | lea rcx,qword ptr ss: |
0000000140754636 | E9 00000000 | jmp at.14075463B |
000000014075463B | E8 F0F08AFF | call at.140003730 |
0000000140754640 | 83F8 01 | cmp eax,1 |
0000000140754643 | E9 00000000 | jmp at.140754648 |
0000000140754648 | 0F85 A8000000 | jne at.1407546F6 |
居然出现了登录成功和到期时间的内容。对于这段代码我真的是一点也看不懂,也不知道该从何处下手了。
以上是提供了正确的卡号时出现的结果,当输入错误的卡号时就是另外的结果了:
00000001407544E7 | 8B4424 3C | mov eax,dword ptr ss: |
00000001407544EB | E9 00000000 | jmp at.1407544F0 |
00000001407544F0 | FFC0 | inc eax |
00000001407544F2 | 894424 3C | mov dword ptr ss:,eax |
00000001407544F6 | 48:8B8424 18020000 | mov rax,qword ptr ss: | :L"E"
00000001407544FE | 8B00 | mov eax,dword ptr ds: |
0000000140754500 | F9 | stc |
0000000140754501 | E9 00000000 | jmp at.140754506 |
0000000140754506 | 394424 3C | cmp dword ptr ss:,eax |
000000014075450A | E9 00000000 | jmp at.14075450F |
000000014075450F | 0F8D 07010000 | jge at.14075461C |
0000000140754515 | 0FB64424 30 | movzx eax,byte ptr ss: |
000000014075451A | F5 | cmc |
000000014075451B | 4C:0FB3F9 | btr rcx,r15 |
000000014075451F | 8B4C24 3C | mov ecx,dword ptr ss: |
0000000140754523 | C0CA 02 | ror dl,2 |
0000000140754526 | 8D4408 03 | lea eax,qword ptr ds: |
000000014075452A | 99 | cdq |
000000014075452B | 0F95C1 | setne cl |
000000014075452E | 48:98 | cdqe |
0000000140754530 | 66:0FBAE2 39 | bt dx,39 |
0000000140754535 | 48:8B8C24 00020000 | mov rcx,qword ptr ss: |
000000014075453D | 0F90C2 | seto dl |
0000000140754540 | 66:85CB | test bx,cx |
0000000140754543 | 6644:0FA3CA | bt dx,r9w |
0000000140754548 | 0FB60401 | movzx eax,byte ptr ds: |
000000014075454C | 35 78030000 | xor eax,378 |
0000000140754551 | 35 9A020000 | xor eax,29A |
0000000140754556 | FEC2 | inc dl |
0000000140754558 | 80C6 28 | add dh,28 |
000000014075455B | 66:F7D1 | not cx |
000000014075455E | B9 04000000 | mov ecx,4 |
0000000140754563 | C1FA 82 | sar edx,82 | edx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
0000000140754566 | 48:6BC9 05 | imul rcx,rcx,5 |
000000014075456A | 33440C 60 | xor eax,dword ptr ss: |
000000014075456E | B9 04000000 | mov ecx,4 |
0000000140754573 | 48:6BC9 04 | imul rcx,rcx,4 |
0000000140754577 | 99 | cdq |
0000000140754578 | 33440C 60 | xor eax,dword ptr ss: |
000000014075457C | 48:0FBAF1 3B | btr rcx,3B |
0000000140754581 | 80D2 9A | adc dl,9A |
0000000140754584 | B9 04000000 | mov ecx,4 |
0000000140754589 | 41:0FB7D4 | movzx edx,r12w | edx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
000000014075458D | D2D6 | rcl dh,cl |
000000014075458F | 66:C1F2 89 | shl dx,89 |
0000000140754593 | 48:6BC9 03 | imul rcx,rcx,3 |
0000000140754597 | F6C7 3D | test bh,3D |
000000014075459A | 66:BA 9472 | mov dx,7294 |
000000014075459E | 66:0FBAE2 A5 | bt dx,A5 |
00000001407545A3 | 2B440C 60 | sub eax,dword ptr ss: |
00000001407545A7 | C0D5 97 | rcl ch,97 |
00000001407545AA | 41:0FBDCB | bsr ecx,r11d |
00000001407545AE | B9 04000000 | mov ecx,4 |
00000001407545B3 | C0E2 39 | shl dl,39 |
00000001407545B6 | 80EA A8 | sub dl,A8 |
00000001407545B9 | 48:6BC9 02 | imul rcx,rcx,2 |
00000001407545BD | 0FB7D4 | movzx edx,sp |
00000001407545C0 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545C4 | B9 04000000 | mov ecx,4 |
00000001407545C9 | 6641:85D6 | test r14w,dx |
00000001407545CD | 48:6BC9 01 | imul rcx,rcx,1 |
00000001407545D1 | 66:C1DA 1E | rcr dx,1E |
00000001407545D5 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545D9 | 44:84C6 | test sil,r8b |
00000001407545DC | B9 04000000 | mov ecx,4 |
00000001407545E1 | 48:C1C2 9B | rol rdx,9B | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
00000001407545E5 | 41:33D1 | xor edx,r9d | edx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
00000001407545E8 | 48:6BC9 00 | imul rcx,rcx,0 |
00000001407545EC | 41:0FBFD5 | movsx edx,r13w | edx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
00000001407545F0 | 48:C1D2 A8 | rcl rdx,A8 | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
00000001407545F4 | 48:0BD4 | or rdx,rsp |
00000001407545F7 | 33440C 60 | xor eax,dword ptr ss: |
00000001407545FB | 49:63D0 | movsxd rdx,r8d | rdx:"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
00000001407545FE | F6D2 | not dl |
0000000140754600 | 48:99 | cqo |
0000000140754602 | 48:634C24 3C | movsxd rcx,dword ptr ss: |
0000000140754607 | 48:8B9424 10020000 | mov rdx,qword ptr ss: | :"{\"LoginForCardNotif\":{\"loginStatus\":0,\"msg\":\"登录失败!卡号错误!\"}}\n"
000000014075460F | E9 00000000 | jmp at.140754614 |
0000000140754614 | 88040A | mov byte ptr ds:,al | rdx+rcx*1:L"\n"
0000000140754617 | E9 CBFEFFFF | jmp at.1407544E7 |
000000014075461C | 48:8D9424 E0000000 | lea rdx,qword ptr ss: |
0000000140754624 | 66:F7D1 | not cx |
0000000140754627 | E9 02000000 | jmp at.14075462E |
000000014075462C | B1 1B | mov cl,1B |
000000014075462E | 48:8D8C24 A0000000 | lea rcx,qword ptr ss: |
0000000140754636 | E9 00000000 | jmp at.14075463B |
000000014075463B | E8 F0F08AFF | call at.140003730 |
0000000140754640 | 83F8 01 | cmp eax,1 |
0000000140754643 | E9 00000000 | jmp at.140754648 |
0000000140754648 | 0F85 A8000000 | jne at.1407546F6 |