分析某BOSS身上掉下来的装备
本帖最后由 demoscene 于 2010-6-16 14:37 编辑据说这里某BOSS身上掉下来的装备。BOSS是谁?不清楚,貌似程序的区段名中有一个神奇的字符串:lol
在ximo牛的建议下就写篇文章和大家分享下吧。
下面都是F7来走,所以看起来像流水账。:lol :lol
1.分析
入口。貌似是一堆垃圾指令,直接F7。
入口:
0040CD70 >E8 18000000 call 0040CD8D
0040CD75- 66:75 63 jnz short 0000CDDB
0040CD78 6B7A 61 70 imul edi, dword ptr [edx+61], 70
0040CD7C 6C ins byte ptr es:[edi], dx
0040CD7D 696E 65 0062790>imul ebp, dword ptr [esi+65], 796200
0040CD84 65:76 65 jbe short 0040CDEC
0040CD87 72 79 jb short 0040CE02
F7走一小段后到下面这里,
0040C970 55 push ebp
0040C971 8BEC mov ebp, esp
0040C973 81EC 9C010000 sub esp, 19C
0040C979 53 push ebx
0040C97A 56 push esi
0040C97B 57 push edi
0040C97C E8 7FF6FFFF call 0040C000
0040C981 8BF0 mov esi, eax ; ;获取Kernel32.dll基址
0040C983 6A 00 push 0
0040C000 56 push esi
0040C001 33C0 xor eax, eax
0040C003 64:8B40 30 mov eax, dword ptr fs:[eax+30] ; ;PEB
0040C007 8B40 0C mov eax, dword ptr [eax+C] ; ;PEB_LDR_DATA
0040C00A 8B70 1C mov esi, dword ptr [eax+1C]
0040C00D AD lods dword ptr [esi] ; ;InInitializationOrderModuleList
0040C00E 8B40 08 mov eax, dword ptr [eax+8] ; ;Kernel32.dll->BaseAddress
0040C011 5E pop esi
0040C012 C3 retn
返回继续
0040C985 68 FF1F7CC9 push C97C1FFF ; ;hash值
0040C98A 56 push esi
0040C98B 6A 01 push 1
0040C98D E8 5EFCFFFF call 0040C5F0 ; 获取GetProcAddress地址
0040C992 85C0 test eax, eax ; ;获取成功?
0040C994 8945 D4 mov dword ptr [ebp-2C], eax
0040C5F0 83EC 0C sub esp, 0C
0040C5F3 53 push ebx
0040C5F4 55 push ebp
0040C5F5 8B6C24 1C mov ebp, dword ptr [esp+1C]
0040C5F9 56 push esi
0040C5FA 85ED test ebp, ebp
0040C5FC 57 push edi
0040C5FD C74424 10 00000>mov dword ptr [esp+10], 0
0040C605 0F84 13010000 je 0040C71E
0040C60B 8B4424 20 mov eax, dword ptr [esp+20]
0040C60F 85C0 test eax, eax
0040C611 74 0E je short 0040C621
0040C613 8B4424 28 mov eax, dword ptr [esp+28]
0040C617 85C0 test eax, eax
0040C619 0F84 FF000000 je 0040C71E
0040C61F EB 0C jmp short 0040C62D
0040C621 8B4424 2C mov eax, dword ptr [esp+2C]
0040C625 85C0 test eax, eax
0040C627 0F84 F1000000 je 0040C71E
0040C62D 66:817D 00 4D5A cmp word ptr [ebp], 5A4D ; ;'ZM'
0040C633 0F85 E5000000 jnz 0040C71E
0040C639 8B45 3C mov eax, dword ptr [ebp+3C]
0040C63C 03C5 add eax, ebp
0040C63E 8138 50450000 cmp dword ptr [eax], 4550 ; ;'EP'
0040C644 0F85 D4000000 jnz 0040C71E
0040C64A 8B40 78 mov eax, dword ptr [eax+78] ; ;IMAGE_EXPORT_DESCRIPTOR RVA
0040C64D 03C5 add eax, ebp
0040C64F 3BC5 cmp eax, ebp
0040C651 0F84 C7000000 je 0040C71E ; ;导出表是否为0
0040C657 8B48 1C mov ecx, dword ptr [eax+1C] ; ;-> AddressOfFunctions
0040C65A 8B58 20 mov ebx, dword ptr [eax+20] ; ;--AddressOfNames
0040C65D 8B70 18 mov esi, dword ptr [eax+18] ; ;--NumberOfNames
0040C660 03CD add ecx, ebp
0040C662 894C24 18 mov dword ptr [esp+18], ecx
0040C666 8B48 24 mov ecx, dword ptr [eax+24] ; ;--AddressOFNameOrdinals
0040C669 03DD add ebx, ebp
0040C66B 03CD add ecx, ebp
0040C66D 8BC6 mov eax, esi
0040C66F 4E dec esi
0040C670 85C0 test eax, eax
0040C672 894C24 24 mov dword ptr [esp+24], ecx
0040C676 897424 14 mov dword ptr [esp+14], esi
0040C67A 0F84 9E000000 je 0040C71E ; 0040C71E
0040C680 8B13 mov edx, dword ptr [ebx] ; ;edx ->AddressOfNames RVA
0040C682 8B4424 20 mov eax, dword ptr [esp+20]
0040C686 03D5 add edx, ebp ; ;VA
0040C688 85C0 test eax, eax ; ;这里的eax是一个标志位,上层函数传进来的,如果是1表明是壳要调用的函数。采用hash扫描的方式获取函数地址
0040C68A 74 20 je short 0040C6AC ; ;否则直接通过API名字获取函数地址
0040C68C 8BFA mov edi, edx
0040C68E 83C9 FF or ecx, FFFFFFFF
0040C691 33C0 xor eax, eax
0040C693 F2:AE repne scas byte ptr es:[edi] ; ;计算API名字的长度
0040C695 F7D1 not ecx
0040C697 49 dec ecx
0040C698 51 push ecx
0040C699 52 push edx ; ;edx =API名字
0040C69A E8 D1FEFFFF call 0040C570 ; ;根据API名字计算出一个hash值
0040C69F 8B4C24 30 mov ecx, dword ptr [esp+30]
0040C6A3 83C4 08 add esp, 8
0040C6A6 3BC8 cmp ecx, eax ; ;比较是否是要找的函数
0040C6A8 74 5E je short 0040C708
0040C6AA EB 35 jmp short 0040C6E1
0040C6AC 8B7424 2C mov esi, dword ptr [esp+2C] ; ;ESI = API名字
0040C6B0 8A0A mov cl, byte ptr [edx]
0040C6B2 8AC1 mov al, cl
0040C6B4 3A0E cmp cl, byte ptr [esi] ; ;比较是否相等
0040C6B6 75 1C jnz short 0040C6D4
0040C6B8 84C0 test al, al
0040C6BA 74 14 je short 0040C6D0
0040C6BC 8A4A 01 mov cl, byte ptr [edx+1]
0040C6BF 8AC1 mov al, cl
0040C6C1 3A4E 01 cmp cl, byte ptr [esi+1]
0040C6C4 75 0E jnz short 0040C6D4 ; ;继续比较下一个字符
0040C6C6 83C2 02 add edx, 2 ; ;加2,它隔了一个字符没比较
0040C6C9 83C6 02 add esi, 2
0040C6CC 84C0 test al, al
0040C6CE^ 75 E0 jnz short 0040C6B0 ; ;是否字符串末尾
0040C6D0 33C0 xor eax, eax ; ;找到后会到这里
0040C6D2 EB 05 jmp short 0040C6D9 ; 0040C6D9
0040C6D4 1BC0 sbb eax, eax
0040C6D6 83D8 FF sbb eax, -1
0040C6D9 85C0 test eax, eax
0040C6DB 74 2B je short 0040C708 ; ;找到相同的API名字,跳
0040C6DD 8B7424 14 mov esi, dword ptr [esp+14]
0040C6E1 8B5424 24 mov edx, dword ptr [esp+24]
0040C6E5 83C3 04 add ebx, 4 ; AddressOfNames +4
0040C6E8 83C2 02 add edx, 2
0040C6EB 895424 24 mov dword ptr [esp+24], edx
0040C6EF 8BD6 mov edx, esi
0040C6F1 4E dec esi
0040C6F2 85D2 test edx, edx
0040C6F4 897424 14 mov dword ptr [esp+14], esi
0040C6F8^ 75 86 jnz short 0040C680
0040C6FA 8B4424 10 mov eax, dword ptr [esp+10]
0040C6FE 5F pop edi
0040C6FF 5E pop esi
0040C700 5D pop ebp
0040C701 5B pop ebx
0040C702 83C4 0C add esp, 0C
0040C705 C2 1000 retn 10
0040C708 8B4C24 24 mov ecx, dword ptr [esp+24] ; ;跳到这
0040C70C 8B5424 18 mov edx, dword ptr [esp+18] ; ;edx = AddressOfFunctions
0040C710 33C0 xor eax, eax
0040C712 66:8B01 mov ax, word ptr [ecx] ; ;ax =引出序数
0040C715 8B0482 mov eax, dword ptr [edx+eax*4] ; eax = API 函数rva
0040C718 03C5 add eax, ebp ; ;加基址
0040C71A 894424 10 mov dword ptr [esp+10], eax
0040C71E 8B4424 10 mov eax, dword ptr [esp+10] ; 通过EAX返回
0040C722 5F pop edi
0040C723 5E pop esi
0040C724 5D pop ebp
0040C725 5B pop ebx
0040C726 83C4 0C add esp, 0C
0040C729 C2 1000 retn 10
返回继续
0040C98D E8 5EFCFFFF call 0040C5F0 ; 获取GetProcAddress地址
0040C992 85C0 test eax, eax ; ;获取成功?
0040C994 8945 D4 mov dword ptr [ebp-2C], eax
0040C997 0F84 B4030000 je 0040CD51
0040C99D 6A 00 push 0
0040C99F 68 706586B1 push B1866570
0040C9A4 56 push esi
0040C9A5 6A 01 push 1
0040C9A7 E8 44FCFFFF call 0040C5F0
0040C9AC 8BD8 mov ebx, eax ; ;获取GetModuleHandleA地址
0040C9AE 85DB test ebx, ebx
0040C9B0 895D D0 mov dword ptr [ebp-30], ebx
0040C9B3 0F84 98030000 je 0040CD51
0040C9B9 6A 00 push 0
0040C9BB 68 8DBDC13F push 3FC1BD8D
0040C9C0 56 push esi
0040C9C1 6A 01 push 1
0040C9C3 E8 28FCFFFF call 0040C5F0 ; ;获取LoadLibraryA
0040C9C8 85C0 test eax, eax
0040C9CA 8945 DC mov dword ptr [ebp-24], eax
0040C9CD 0F84 7E030000 je 0040CD51
0040C9D3 6A 00 push 0
0040C9D5 68 4A0DCE09 push 9CE0D4A
0040C9DA 56 push esi
0040C9DB 6A 01 push 1
0040C9DD E8 0EFCFFFF call 0040C5F0
0040C9E2 8BF8 mov edi, eax ; ;获取VirtualAlloc地址
0040C9E4 85FF test edi, edi
0040C9E6 897D E0 mov dword ptr [ebp-20], edi
0040C9E9 0F84 62030000 je 0040CD51
0040C9EF 6A 00 push 0
0040C9F1 68 DDF553CD push CD53F5DD
0040C9F6 56 push esi
0040C9F7 6A 01 push 1
0040C9F9 E8 F2FBFFFF call 0040C5F0
0040C9FE 85C0 test eax, eax ; 获取VirtualFree地址
0040CA00 8945 F4 mov dword ptr [ebp-C], eax
0040CA03 0F84 48030000 je 0040CD51
0040CA09 E8 B2FAFFFF call 0040C4C0 ; 0040C4C0
0040CA0E 25 FF000000 and eax, 0FF ; ;里面有个SEH,不知道是干什么的。直接在下面F4
0040CA13 6A 00 push 0
0040CA15 8945 D8 mov dword ptr [ebp-28], eax
0040CA18 FFD3 call ebx ; ;GetModuleHandleA
0040CA1A 8BD8 mov ebx, eax
0040CA1C 85DB test ebx, ebx
0040CA1E 0F84 2D030000 je 0040CD51 ; 0040CD51
0040CA24 6A 1C push 1C
0040CA26 57 push edi ; ;kernel32.VirtualAlloc
0040CA27 E8 14FBFFFF call 0040C540 ; ;检测VirtualAlloc前1C个字节是否被下断
0040C540 56 push esi
0040C541 8B7424 0C mov esi, dword ptr [esp+C]
0040C545 33C9 xor ecx, ecx
0040C547 85F6 test esi, esi
0040C549 7E 14 jle short 0040C55F ; 0040C55F
0040C54B 8B4424 08 mov eax, dword ptr [esp+8]
0040C54F 8A10 mov dl, byte ptr [eax]
0040C551 80F2 55 xor dl, 55
0040C554 80FA 99 cmp dl, 99 ; ;99^55 =CC
0040C557 74 0A je short 0040C563 ; 0040C563
0040C559 41 inc ecx
0040C55A 40 inc eax
0040C55B 3BCE cmp ecx, esi
0040C55D^ 7C F0 jl short 0040C54F ; 0040C54F
0040C55F 33C0 xor eax, eax
0040C561 5E pop esi
0040C562 C3 retn
0040C563 B8 01000000 mov eax, 1
0040C568 5E pop esi
0040C569 C3 retn
返回继续
0040CA2C 8945 E4 mov dword ptr [ebp-1C], eax
0040CA2F 8B45 DC mov eax, dword ptr [ebp-24]
0040CA32 6A 32 push 32
0040CA34 50 push eax
0040CA35 E8 06FBFFFF call 0040C540 ; ;检测LoadLibraryA
0040CA3A 8B75 E4 mov esi, dword ptr [ebp-1C]
0040CA3D 33C9 xor ecx, ecx
0040CA3F 03F0 add esi, eax
0040CA41 8B43 3C mov eax, dword ptr [ebx+3C]
0040CA44 03C3 add eax, ebx ; ;PE头
0040CA46 8975 E4 mov dword ptr [ebp-1C], esi
0040CA49 66:8B48 14 mov cx, word ptr [eax+14] ; ;SizeOfoptionalHeader
0040CA4D 8B7401 2C mov esi, dword ptr [ecx+eax+2C] ; 代码段->PointerToRawData
0040CA51 8B5401 28 mov edx, dword ptr [ecx+eax+28] ; ;SizeOfRawData
0040CA55 8D4401 18 lea eax, dword ptr [ecx+eax+18] ; ;Name
0040CA59 03F3 add esi, ebx
0040CA5B 56 push esi
0040CA5C 8945 F0 mov dword ptr [ebp-10], eax
0040CA5F 8955 E8 mov dword ptr [ebp-18], edx
0040CA62 E8 B9F5FFFF call 0040C020 ; 0040C020
0040CA67 83C4 14 add esp, 14
0040CA6A 8BF8 mov edi, eax
0040CA6C 6A 04 push 4
0040CA6E 68 00100000 push 1000
0040CA73 57 push edi
0040CA74 6A 00 push 0
0040CA76 FF55 E0 call dword ptr [ebp-20] ; ;VirtualAlloc申请内存
0040CA79 85C0 test eax, eax
0040CA7B 8945 FC mov dword ptr [ebp-4], eax
0040CA7E 0F84 CD020000 je 0040CD51
0040CA84 57 push edi
0040CA85 50 push eax
0040CA86 8B45 E8 mov eax, dword ptr [ebp-18]
0040CA89 50 push eax
0040CA8A 56 push esi
0040CA8B E8 A0F9FFFF call 0040C430 ; 0040C430
0040CA90 8B55 F0 mov edx, dword ptr [ebp-10]
0040CA93 8B75 FC mov esi, dword ptr [ebp-4]
0040CA96 8D4F FF lea ecx, dword ptr [edi-1]
0040CA99 83C4 10 add esp, 10
0040CA9C 8B7A 0C mov edi, dword ptr [edx+C]
0040CA9F 8BC1 mov eax, ecx
0040CAA1 03FB add edi, ebx
0040CAA3 68 00800000 push 8000
0040CAA8 C1E9 02 shr ecx, 2
0040CAAB F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0040CAAD 8BC8 mov ecx, eax
0040CAAF 6A 00 push 0
0040CAB1 83E1 03 and ecx, 3
0040CAB4 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0040CAB6 8B4D FC mov ecx, dword ptr [ebp-4]
0040CAB9 51 push ecx
0040CABA FF55 F4 call dword ptr [ebp-C]
0040CABD 68 00D54000 push 40D500
0040CAC2 E8 59F5FFFF call 0040C020 ; 0040C020
0040CAC7 83C4 04 add esp, 4
0040CACA 8BF8 mov edi, eax
0040CACC 6A 40 push 40
0040CACE 68 00100000 push 1000
0040CAD3 68 84000000 push 84
0040CAD8 6A 00 push 0
0040CADA FF55 E0 call dword ptr [ebp-20]
0040CADD 8BF0 mov esi, eax
0040CADF 85F6 test esi, esi
0040CAE1 8975 FC mov dword ptr [ebp-4], esi
0040CAE4 0F84 67020000 je 0040CD51 ; 0040CD51
0040CAEA 57 push edi
0040CAEB 56 push esi
0040CAEC 68 BA000000 push 0BA
0040CAF1 68 00D54000 push 40D500
0040CAF6 E8 35F9FFFF call 0040C430 ; 貌似是处理OEP
0040CAFB 83C4 10 add esp, 10
0040CAFE BA 18204000 mov edx, 402018
0040CB03 2BD6 sub edx, esi
0040CB05 6A 40 push 40
0040CB07 68 00100000 push 1000
0040CB0C 68 00100000 push 1000
0040CB11 6A 00 push 0
0040CB13 8996 97000000 mov dword ptr [esi+97], edx
0040CB19 FF55 E0 call dword ptr [ebp-20] ;VirtualAlloc
0040CB1C 8D8B 00600000 lea ecx, dword ptr [ebx+6000]
0040CB22 8945 F0 mov dword ptr [ebp-10], eax
0040CB25 894D F8 mov dword ptr [ebp-8], ecx
0040CB28 8B41 0C mov eax, dword ptr [ecx+C]
0040CB2B 85C0 test eax, eax
0040CB2D 0F84 19020000 je 0040CD4C
0040CB33 EB 03 jmp short 0040CB38
0040CB35 8B4D F8 mov ecx, dword ptr [ebp-8]
0040CB38 8B01 mov eax, dword ptr [ecx]
0040CB3A 85C0 test eax, eax
0040CB3C 75 03 jnz short 0040CB41
0040CB3E 8B41 10 mov eax, dword ptr [ecx+10]
0040CB41 8B79 0C mov edi, dword ptr [ecx+C]
0040CB44 03C3 add eax, ebx
0040CB46 8945 EC mov dword ptr [ebp-14], eax
0040CB49 8BC3 mov eax, ebx
0040CB4B 03C7 add eax, edi
0040CB4D 50 push eax
0040CB4E FF55 DC call dword ptr [ebp-24] ; ;LoadLibraryA
0040CB51 8BF0 mov esi, eax
0040CB53 6A 04 push 4
0040CB55 68 00100000 push 1000
0040CB5A 8975 CC mov dword ptr [ebp-34], esi
0040CB5D 8B46 3C mov eax, dword ptr [esi+3C]
0040CB60 8B7C30 50 mov edi, dword ptr [eax+esi+50] ; SizeOfImage
0040CB64 57 push edi
0040CB65 6A 00 push 0
0040CB67 FF55 E0 call dword ptr [ebp-20] ; VirtualAlloc
0040CB6A 85C0 test eax, eax
0040CB6C 8945 E8 mov dword ptr [ebp-18], eax
0040CB6F 0F84 DC010000 je 0040CD51
0040CB75 8D4F FF lea ecx, dword ptr [edi-1]
0040CB78 8BF8 mov edi, eax
0040CB7A 8BD1 mov edx, ecx
0040CB7C C1E9 02 shr ecx, 2 ; ecx =循环次数
0040CB7F F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; ;复制数据到申请的内存中
0040CB81 8BCA mov ecx, edx
0040CB83 83E1 03 and ecx, 3
0040CB86 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0040CB88 8B75 EC mov esi, dword ptr [ebp-14]
0040CB8B 8B06 mov eax, dword ptr [esi]
0040CB8D 85C0 test eax, eax
0040CB8F 0F84 A3010000 je 0040CD38 ; 0040CD38
0040CB95 A9 00000080 test eax, 80000000
0040CB9A 74 28 je short 0040CBC4 ; ;跳
0040CB9C 8B4D E4 mov ecx, dword ptr [ebp-1C]
0040CB9F 8B55 D8 mov edx, dword ptr [ebp-28]
0040CBA2 33C0 xor eax, eax
0040CBA4 66:8B06 mov ax, word ptr [esi]
0040CBA7 03C1 add eax, ecx
0040CBA9 03C2 add eax, edx
0040CBAB 8B55 CC mov edx, dword ptr [ebp-34]
0040CBAE 50 push eax
0040CBAF 52 push edx
0040CBB0 FF55 D4 call dword ptr [ebp-2C]
0040CBB3 8B4D F8 mov ecx, dword ptr [ebp-8]
0040CBB6 8B7D F0 mov edi, dword ptr [ebp-10]
0040CBB9 8B51 10 mov edx, dword ptr [ecx+10]
0040CBBC 890413 mov dword ptr [ebx+edx], eax
0040CBBF E9 55010000 jmp 0040CD19 ; 0040CD19
0040CBC4 8D7418 02 lea esi, dword ptr [eax+ebx+2] ; ;跳到这
0040CBC8 83C9 FF or ecx, FFFFFFFF
0040CBCB 8BFE mov edi, esi
0040CBCD 33C0 xor eax, eax
0040CBCF F2:AE repne scas byte ptr es:[edi] ; ;strlen
0040CBD1 F7D1 not ecx
0040CBD3 49 dec ecx
0040CBD4 8DBD 69FFFFFF lea edi, dword ptr [ebp-97]
0040CBDA 8BD1 mov edx, ecx
0040CBDC B9 18000000 mov ecx, 18
0040CBE1 8885 68FFFFFF mov byte ptr [ebp-98], al
0040CBE7 F3:AB rep stos dword ptr es:[edi]
0040CBE9 66:AB stos word ptr es:[edi]
0040CBEB AA stos byte ptr es:[edi]
0040CBEC B8 00000000 mov eax, 0
0040CBF1 74 23 je short 0040CC16 ; 0040CC16
0040CBF3 8BFE mov edi, esi
0040CBF5 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
0040CBFB 2BF9 sub edi, ecx
0040CBFD 8DB405 68FFFFFF lea esi, dword ptr [ebp+eax-98] ; ;下面解密函数名字
0040CC04 8A0C37 mov cl, byte ptr [edi+esi]
0040CC07 2A4D E4 sub cl, byte ptr [ebp-1C]
0040CC0A 2A4D D8 sub cl, byte ptr [ebp-28]
0040CC0D FEC9 dec cl
0040CC0F 40 inc eax
0040CC10 3BC2 cmp eax, edx
0040CC12 880E mov byte ptr [esi], cl ; ;保存到堆栈
0040CC14^ 72 E7 jb short 0040CBFD ; 0040CBFD
0040CC16 8B45 E8 mov eax, dword ptr [ebp-18] ; ;申请到的地址
0040CC19 8D95 68FFFFFF lea edx, dword ptr [ebp-98] ; ;解密后的API名字
0040CC1F 52 push edx
0040CC20 6A 00 push 0
0040CC22 50 push eax
0040CC23 6A 00 push 0
0040CC25 E8 C6F9FFFF call 0040C5F0 ; ;获取API地址,注意是在申请的内存中的地址,这个函数前面已经说了
0040CC2A 8B4D E8 mov ecx, dword ptr [ebp-18]
0040CC2D 8BF0 mov esi, eax
0040CC2F 8B41 3C mov eax, dword ptr [ecx+3C]
0040CC32 03C1 add eax, ecx ; ;PE header
0040CC34 8B50 78 mov edx, dword ptr [eax+78]
0040CC37 03D1 add edx, ecx ; ;IMAGE_EXPORT_DESCRIPTOR
0040CC39 85F6 test esi, esi
0040CC3B 74 7C je short 0040CCB9
0040CC3D 3BF2 cmp esi, edx ; ;下面测试是否是转向函数
0040CC3F 72 78 jb short 0040CCB9
0040CC41 8B48 7C mov ecx, dword ptr [eax+7C]
0040CC44 03CA add ecx, edx
0040CC46 3BF1 cmp esi, ecx
0040CC48 73 6F jnb short 0040CCB9 ; ;非转向函数,跳
0040CC4A 8A06 mov al, byte ptr [esi] ; ;如果是转向函数会运行到这里
0040CC4C 8BD6 mov edx, esi
0040CC4E 84C0 test al, al
0040CC50 8955 F4 mov dword ptr [ebp-C], edx
0040CC53 74 64 je short 0040CCB9
0040CC55 3C 2E cmp al, 2E ; 2E = '.'
0040CC57 74 0D je short 0040CC66
0040CC59 8A42 01 mov al, byte ptr [edx+1]
0040CC5C 42 inc edx
0040CC5D 84C0 test al, al
0040CC5F^ 75 F4 jnz short 0040CC55 ; 循环在API名字中搜索 '.'
0040CC61 8955 F4 mov dword ptr [ebp-C], edx
0040CC64 EB 53 jmp short 0040CCB9
0040CC66 B9 40000000 mov ecx, 40
0040CC6B 33C0 xor eax, eax
0040CC6D 8DBD 65FEFFFF lea edi, dword ptr [ebp-19B]
0040CC73 C685 64FEFFFF 0>mov byte ptr [ebp-19C], 0
0040CC7A F3:AB rep stos dword ptr es:[edi]
0040CC7C 8BCA mov ecx, edx
0040CC7E 8955 F4 mov dword ptr [ebp-C], edx
0040CC81 66:AB stos word ptr es:[edi]
0040CC83 2BCE sub ecx, esi
0040CC85 85C9 test ecx, ecx
0040CC87 AA stos byte ptr es:[edi]
0040CC88 7E 2F jle short 0040CCB9 ; 0040CCB9
0040CC8A 8BD1 mov edx, ecx
0040CC8C 8DBD 64FEFFFF lea edi, dword ptr [ebp-19C] ; ;edi =API 名字
0040CC92 C1E9 02 shr ecx, 2
0040CC95 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0040CC97 8BCA mov ecx, edx
0040CC99 8D85 64FEFFFF lea eax, dword ptr [ebp-19C]
0040CC9F 83E1 03 and ecx, 3
0040CCA2 50 push eax ; ;DLL 名字
0040CCA3 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0040CCA5 FF55 D0 call dword ptr [ebp-30] ; ;LoadLibraryA加载转向函数所在的DLL
0040CCA8 8B4D F4 mov ecx, dword ptr [ebp-C]
0040CCAB 41 inc ecx
0040CCAC 51 push ecx
0040CCAD 6A 00 push 0
0040CCAF 50 push eax
0040CCB0 6A 00 push 0
0040CCB2 E8 39F9FFFF call 0040C5F0 ; ;获取函数地址
0040CCB7 8BF0 mov esi, eax
0040CCB9 8B7D F0 mov edi, dword ptr [ebp-10]
0040CCBC BA 20D44000 mov edx, 40D420
0040CCC1 8BC7 mov eax, edi
0040CCC3 81F6 10200000 xor esi, 2010 ; ;加密一下函数地址
0040CCC9 8B0A mov ecx, dword ptr [edx]
0040CCCB 68 00400000 push 4000
0040CCD0 8908 mov dword ptr [eax], ecx ;下面生成push xxxx ,jmp 类型的跳到解密函数的指令
0040CCD2 68 00100000 push 1000
0040CCD7 8B4A 04 mov ecx, dword ptr [edx+4]
0040CCDA 57 push edi
0040CCDB 8948 04 mov dword ptr [eax+4], ecx
0040CCDE 8B52 08 mov edx, dword ptr [edx+8]
0040CCE1 8950 08 mov dword ptr [eax+8], edx
0040CCE4 8977 01 mov dword ptr [edi+1], esi
0040CCE7 8B75 F8 mov esi, dword ptr [ebp-8]
0040CCEA 8BC3 mov eax, ebx
0040CCEC 0346 10 add eax, dword ptr [esi+10] ; ;eax = IMAGE_THUNK_DATA
0040CCEF 50 push eax
0040CCF0 53 push ebx
0040CCF1 53 push ebx
0040CCF2 E8 79FBFFFF call 0040C870 ; 修改函数调用
0040CCF7 8B46 10 mov eax, dword ptr [esi+10]
0040CCFA 8B55 FC mov edx, dword ptr [ebp-4]
0040C870 8B4C24 14 mov ecx, dword ptr [esp+14]
0040C874 53 push ebx
0040C875 55 push ebp
0040C876 8B6C24 20 mov ebp, dword ptr [esp+20]
0040C87A 56 push esi
0040C87B 8B7424 1C mov esi, dword ptr [esp+1C]
0040C87F 57 push edi
0040C880 8B7C24 14 mov edi, dword ptr [esp+14] ; ;edi = 基址
0040C884 B3 90 mov bl, 90
0040C886 8B5424 1C mov edx, dword ptr [esp+1C] ; ;edx= IMAGE_THUNK_DATA
0040C88A 8D4424 28 lea eax, dword ptr [esp+28]
0040C88E 50 push eax
0040C88F 8B4424 1C mov eax, dword ptr [esp+1C] ; ;eax = 基址
0040C893 52 push edx
0040C894 55 push ebp
0040C895 51 push ecx
0040C896 50 push eax
0040C897 57 push edi
0040C898 E8 93FEFFFF call 0040C730 ; 0040C730
0040C89D 83C4 18 add esp, 18
0040C8A0 85C0 test eax, eax ; ;比较这个DLL是否已经处理完毕
0040C730 8B4C24 0C mov ecx, dword ptr [esp+C] ; ;代码段大小
0040C734 8B4424 10 mov eax, dword ptr [esp+10]
0040C738 53 push ebx
0040C739 55 push ebp
0040C73A 56 push esi
0040C73B 57 push edi
0040C73C 03C1 add eax, ecx
0040C73E 33FF xor edi, edi
0040C740 3BC8 cmp ecx, eax
0040C742 8BF1 mov esi, ecx
0040C744 0F83 1C010000 jnb 0040C866 ; 0040C866
0040C74A 8B6C24 14 mov ebp, dword ptr [esp+14]
0040C74E 03CD add ecx, ebp ; ;ecx 代码段基址
0040C750 8B5424 24 mov edx, dword ptr [esp+24]
0040C754 8B19 mov ebx, dword ptr [ecx]
0040C756 3BDA cmp ebx, edx ; ;循环搜索调用API的地方
0040C758 75 5E jnz short 0040C7B8
0040C75A 8A51 FE mov dl, byte ptr [ecx-2] ; ;下面一段比较调用API的方式
0040C75D 80FA FF cmp dl, 0FF
0040C760 75 0D jnz short 0040C76F
0040C762 8A59 FF mov bl, byte ptr [ecx-1]
0040C765 80FB 15 cmp bl, 15
0040C768 74 5B je short 0040C7C5 ; ;FF15
0040C76A 80FB 25 cmp bl, 25
0040C76D 74 6B je short 0040C7DA ; ;FF25
0040C76F 80FA 8B cmp dl, 8B
0040C772 75 3A jnz short 0040C7AE ; 0040C7AE
0040C774 8A59 FF mov bl, byte ptr [ecx-1]
0040C777 80FB 1D cmp bl, 1D
0040C77A 74 73 je short 0040C7EF ; ;8B1D
0040C77C 3AD2 cmp dl, dl
0040C77E 75 2E jnz short 0040C7AE
0040C780 80FB 0D cmp bl, 0D
0040C783 74 7F je short 0040C804 ; ;8B0D
0040C785 3AD2 cmp dl, dl
0040C787 75 25 jnz short 0040C7AE
0040C789 80FB 15 cmp bl, 15
0040C78C 0F84 87000000 je 0040C819 ; ;8B15
0040C792 3AD2 cmp dl, dl
0040C794 75 18 jnz short 0040C7AE
0040C796 80FB 35 cmp bl, 35
0040C799 0F84 8F000000 je 0040C82E ; ;8B35
0040C79F 3AD2 cmp dl, dl
0040C7A1 75 0B jnz short 0040C7AE
0040C7A3 8AD3 mov dl, bl
0040C7A5 80FA 3D cmp dl, 3D
0040C7A8 0F84 95000000 je 0040C843 ; ;8B3D
0040C7AE 8079 FF A1 cmp byte ptr [ecx-1], 0A1
0040C7B2 0F84 A0000000 je 0040C858 ; ;A1
0040C7B8 46 inc esi
0040C7B9 41 inc ecx
0040C7BA 3BF0 cmp esi, eax
0040C7BC^ 72 92 jb short 0040C750
0040C7BE 8BC7 mov eax, edi
0040C7C0 5F pop edi
0040C7C1 5E pop esi
0040C7C2 5D pop ebp
0040C7C3 5B pop ebx
0040C7C4 C3 retn
0040C7C5 8B4424 28 mov eax, dword ptr [esp+28]
0040C7C9 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C7CD C700 01000000 mov dword ptr [eax], 1 ; ;FF15,返回1
0040C7D3 8BC7 mov eax, edi
0040C7D5 5F pop edi
0040C7D6 5E pop esi
0040C7D7 5D pop ebp
0040C7D8 5B pop ebx
0040C7D9 C3 retn
0040C7DA 8B4C24 28 mov ecx, dword ptr [esp+28]
0040C7DE 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C7E2 8BC7 mov eax, edi
0040C7E4 5F pop edi
0040C7E5 5E pop esi
0040C7E6 5D pop ebp
0040C7E7 C701 02000000 mov dword ptr [ecx], 2 ; ;FF25,返回2
0040C7ED 5B pop ebx
0040C7EE C3 retn
0040C7EF 8B5424 28 mov edx, dword ptr [esp+28]
0040C7F3 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C7F7 8BC7 mov eax, edi
0040C7F9 5F pop edi
0040C7FA 5E pop esi
0040C7FB 5D pop ebp
0040C7FC C702 03000000 mov dword ptr [edx], 3 ; ;8B1D 返回3
0040C802 5B pop ebx
0040C803 C3 retn
0040C804 8B4424 28 mov eax, dword ptr [esp+28]
0040C808 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C80C C700 04000000 mov dword ptr [eax], 4 ; ;8B0D 返回4
0040C812 8BC7 mov eax, edi
0040C814 5F pop edi
0040C815 5E pop esi
0040C816 5D pop ebp
0040C817 5B pop ebx
0040C818 C3 retn
0040C819 8B4C24 28 mov ecx, dword ptr [esp+28]
0040C81D 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C821 8BC7 mov eax, edi
0040C823 5F pop edi
0040C824 5E pop esi
0040C825 5D pop ebp
0040C826 C701 05000000 mov dword ptr [ecx], 5 ; ;8B15 返回5
0040C82C 5B pop ebx
0040C82D C3 retn
0040C82E 8B5424 28 mov edx, dword ptr [esp+28]
0040C832 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C836 8BC7 mov eax, edi
0040C838 5F pop edi
0040C839 5E pop esi
0040C83A 5D pop ebp
0040C83B C702 06000000 mov dword ptr [edx], 6 ; ;8B35 返回6
0040C841 5B pop ebx
0040C842 C3 retn
0040C843 8B4424 28 mov eax, dword ptr [esp+28]
0040C847 8D7C2E FE lea edi, dword ptr [esi+ebp-2]
0040C84B C700 07000000 mov dword ptr [eax], 7 ; ;8B3D 返回7
0040C851 8BC7 mov eax, edi
0040C853 5F pop edi
0040C854 5E pop esi
0040C855 5D pop ebp
0040C856 5B pop ebx
0040C857 C3 retn
0040C858 8B4C24 28 mov ecx, dword ptr [esp+28]
0040C85C 8D7C2E FF lea edi, dword ptr [esi+ebp-1]
0040C860 C701 08000000 mov dword ptr [ecx], 8 ; ;A1 返回8
0040C866 8BC7 mov eax, edi
0040C868 5F pop edi
0040C869 5E pop esi
0040C86A 5D pop ebp
0040C86B 5B pop ebx
0040C86C C3 retn
0040C898 E8 93FEFFFF call 0040C730
0040C89D 83C4 18 add esp, 18
0040C8A0 85C0 test eax, eax ; ;比较这个DLL是否已经处理完毕
0040C8A2 0F84 A2000000 je 0040C94A
0040C8A8 8B5424 28 mov edx, dword ptr [esp+28] ; ;edx =返回的数字
0040C8AC 8BC8 mov ecx, eax
0040C8AE 2BCF sub ecx, edi ; ;减去基址,得到调用API处的 RVA
0040C8B0 83C1 06 add ecx, 6
0040C8B3 83FA 01 cmp edx, 1 ; ;返回的数字是否为1
0040C8B6 75 10 jnz short 0040C8C8
0040C8B8 8BD6 mov edx, esi ; ;edx =要指向的地址
0040C8BA C600 E8 mov byte ptr [eax], 0E8 ; ;修改FF15为E8
0040C8BD 2BD0 sub edx, eax ; ;距离偏移
0040C8BF 8858 05 mov byte ptr [eax+5], bl ; ;填充一个字节
0040C8C2 83EA 05 sub edx, 5
0040C8C5 8950 01 mov dword ptr [eax+1], edx ; ;修改目的地址
0040C8C8 837C24 28 02 cmp dword ptr [esp+28], 2 ; ;是否是FF25?
0040C8CD 75 10 jnz short 0040C8DF
0040C8CF 8BD6 mov edx, esi
0040C8D1 C600 E9 mov byte ptr [eax], 0E9 ; ;FF25改成E9
0040C8D4 2BD0 sub edx, eax
0040C8D6 8858 05 mov byte ptr [eax+5], bl
0040C8D9 83EA 05 sub edx, 5
0040C8DC 8950 01 mov dword ptr [eax+1], edx
0040C8DF 837C24 28 03 cmp dword ptr [esp+28], 3
0040C8E4 75 0A jnz short 0040C8F0
0040C8E6 C600 43 mov byte ptr [eax], 43 ; ;8B1D改成 43
0040C8E9 C640 01 BB mov byte ptr [eax+1], 0BB
0040C8ED 8970 02 mov dword ptr [eax+2], esi
0040C8F0 837C24 28 04 cmp dword ptr [esp+28], 4
0040C8F5 75 0A jnz short 0040C901
0040C8F7 C600 41 mov byte ptr [eax], 41 ; ;8B0D改成41
0040C8FA C640 01 B9 mov byte ptr [eax+1], 0B9
0040C8FE 8970 02 mov dword ptr [eax+2], esi
0040C901 837C24 28 05 cmp dword ptr [esp+28], 5
0040C906 75 0A jnz short 0040C912
0040C908 C600 42 mov byte ptr [eax], 42 ; ;8B15改成 42
0040C90B C640 01 BA mov byte ptr [eax+1], 0BA
0040C90F 8970 02 mov dword ptr [eax+2], esi
0040C912 837C24 28 06 cmp dword ptr [esp+28], 6
0040C917 75 0A jnz short 0040C923
0040C919 C600 46 mov byte ptr [eax], 46 ; ;8B35改成46
0040C91C C640 01 BE mov byte ptr [eax+1], 0BE
0040C920 8970 02 mov dword ptr [eax+2], esi
0040C923 837C24 28 07 cmp dword ptr [esp+28], 7
0040C928 75 0A jnz short 0040C934
0040C92A C600 47 mov byte ptr [eax], 47 ; ;8B3D 改成 47
0040C92D C640 01 BF mov byte ptr [eax+1], 0BF
0040C931 8970 02 mov dword ptr [eax+2], esi
0040C934 837C24 28 08 cmp dword ptr [esp+28], 8
0040C939^ 0F85 47FFFFFF jnz 0040C886 ; 0040C886
0040C93F C600 B8 mov byte ptr [eax], 0B8 ; ;A1改成B8
0040C942 8970 01 mov dword ptr [eax+1], esi
0040C945^ E9 3CFFFFFF jmp 0040C886 ; 0040C886
0040C94A 5F pop edi
0040C94B 5E pop esi
0040C94C 5D pop ebp
0040C94D 5B pop ebx
0040C94E C3 retn
0040C94F 90 nop ;这里是解密函数。加壳后的程序的API调用通过push xxxx然后来到这里解密地址
0040C950 60 pushad
0040C951 50 push eax
0040C952 36:8B4424 24 mov eax, dword ptr [esp+24]
0040C957 35 10200000 xor eax, 2010
0040C95C 36:894424 24 mov dword ptr [esp+24], eax
0040C961 58 pop eax
0040C962 61 popad
0040C963 C3 retn
继续返回继续
0040CCF2 E8 79FBFFFF call 0040C870 ; 修改函数调用
0040CCF7 8B46 10 mov eax, dword ptr [esi+10]
0040CCFA 8B55 FC mov edx, dword ptr [ebp-4]
0040CCFD 8BCB mov ecx, ebx
0040CCFF 68 00020000 push 200
0040CD04 6A 00 push 0
0040CD06 03C8 add ecx, eax
0040CD08 57 push edi
0040CD09 51 push ecx
0040CD0A 53 push ebx
0040CD0B 52 push edx
0040CD0C E8 5FFBFFFF call 0040C870 ; 0040C870
0040CD11 8BCE mov ecx, esi
0040CD13 8B75 EC mov esi, dword ptr [ebp-14]
0040CD16 83C4 30 add esp, 30
0040CD19 8B51 10 mov edx, dword ptr [ecx+10]
0040CD1C 83C6 04 add esi, 4 ; ;下一个IID
0040CD1F 83C2 04 add edx, 4
0040CD22 83C7 0C add edi, 0C
0040CD25 8951 10 mov dword ptr [ecx+10], edx
0040CD28 8B06 mov eax, dword ptr [esi]
0040CD2A 85C0 test eax, eax
0040CD2C 8975 EC mov dword ptr [ebp-14], esi
0040CD2F 897D F0 mov dword ptr [ebp-10], edi
0040CD32^ 0F85 5DFEFFFF jnz 0040CB95 ; ;循环
0040CD38 8B45 F8 mov eax, dword ptr [ebp-8]
0040CD3B 83C0 14 add eax, 14
0040CD3E 8945 F8 mov dword ptr [ebp-8], eax
0040CD41 8B48 0C mov ecx, dword ptr [eax+C]
0040CD44 85C9 test ecx, ecx
0040CD46^ 0F85 E9FDFFFF jnz 0040CB35 ; ;循环
0040CD4C 8B45 FC mov eax, dword ptr [ebp-4]
0040CD4F FFD0 call eax ; ;跳到OEP
0040CD51 61 popad
0040CD52 75 08 jnz short 0040CD5C ; 0040CD5C
0040CD54 B8 01000000 mov eax, 1
0040CD59 C2 0C00 retn 0C
0040CD5C 68 00204000 push 402000
0040CD61 E8 EA3BFFFF call 00400950 ; 00400950
0040CD66 C3 retn
2.脱壳
先来总结一下对我们脱壳有用的信息。
壳的大概流程:
1.获取壳要用到的 GetProcAddress,GetModuleHandleA,LoadLibraryA,VirtualAlloc,VirtualFree函数的地址
2. 处理其它的一些信息.略.
3.获取DLL的基址
4.获取API函数地址
5.处理API调用
现在根据这个流程我们来写脚本进行脱壳,思路就是
在获取DLL基址,API函数等信息的时我们把这些正确的信息记录下来
等到壳要修改API调用的时候我们通过修改地址为正确的地址,
或者patch代码的方法来把API调用修改成直接调用正确的API地址,然后用UIF修复成间接调用
下面是脚本,各个关键的位置我已经在上面的代码中高亮标出了。
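// ODbgScript for unpacking the stub analysed above.
// Idea: record the real DLL base and export address while the stub resolves each
// import; then, when the stub rewrites a call site, hand it the real address (or
// patch the site into a direct mov reg, imm32) so the call no longer goes through
// the push xxxx / jmp decrypt thunk. Afterwards fix up with UIF and dump.
// NOTE(review): the forum stripped the memory operands from the asm strings below;
// [eax] / [eax+1] are reconstructed from the stub's own encoding at these sites
// (C6 00 xx = mov byte ptr [eax], xx; 89 70 xx = mov dword ptr [eax+xx], esi) - confirm in the debugger.
var tmpaddr          // scratch: address of the second reassembled instruction
var dll_address      // base of the DLL the current import belongs to
var api_address      // export RVA, then absolute address once the base is added
var dll_readdress    // base of the DLL a forwarded export resolves to
var re_flag          // 1 while the current import is a forwarded export
var DLL_BASE         // 0040CB51: eax = DLL base returned by LoadLibraryA
var RE_DLL_BASE      // 0040CCA8: eax = base of the DLL holding the forwarded export
var API_ADDR         // 0040C718: eax = export RVA, just before the base is added
var OEP              // entry the stub finally calls (inside the VirtualAlloc'd buffer)
mov DLL_BASE, 0040cB51
mov RE_DLL_BASE, 0040cca8
mov API_ADDR, 0040c718
mov OEP, 003a0002
bphwc
bc
bp 0040C8BD          // 1: FF15 (call [addr]) site
bp 0040C8D1          // 2: FF25 (jmp [addr]) site
bp 0040C8E6          // 3: 8B1D (mov ebx,[addr]) site
bp 0040C919          // 6: 8B35 (mov esi,[addr]) site
bp 0040C92A          // 7: 8B3D (mov edi,[addr]) site
// Cases 4 (8B0D, 0040C8F7) and 5 (8B15, 0040C908) are not hooked; add handlers if the target uses them.
bphws DLL_BASE,"x"   // hardware execute breakpoints
bphws RE_DLL_BASE,"x"
bphws API_ADDR,"x"
bphws OEP,"x"
esto                 // five esto: skip the five APIs the stub resolves for its own use
esto
esto
esto
esto
loop:
esto
cmp eip,0040cB51
je dll_address
cmp eip,0040cca8
je dll_redirect
cmp eip,0040c718
je api_address
cmp eip,0040C8BD
je handler1
cmp eip,0040C8D1
je handler2
cmp eip,0040C8E6
je handler3
cmp eip,0040C919
je handler6
cmp eip,0040C92A
je handler7
cmp eip,003a0002
je exit
mov api_address,edx  // only reached when eip matched no hook; kept from the original, looks like a leftover - confirm
jmp loop
dll_address:
mov dll_address,eax  // save the DLL base
jmp loop
dll_redirect:
mov dll_readdress,eax // save the base of the DLL the forwarded export lives in
mov re_flag,1        // mark this import as a forwarded export
jmp loop
api_address:
mov api_address,eax  // save the export RVA
cmp re_flag,1        // forwarded export?
je re_api_addr
add api_address,dll_address   // make it absolute with the DLL base
jmp loop
re_api_addr:
add api_address,dll_readdress // make it absolute with the forwarded DLL's base
jmp loop
handler1:
mov re_flag,0        // clear the forwarded-export flag
mov edx,api_address  // edx becomes the real API address before the stub computes the E8 displacement
jmp loop
handler2:
mov re_flag,0        // clear the forwarded-export flag
mov edx,api_address  // same for the E9 form
jmp loop
handler3:
mov re_flag,0        // clear the forwarded-export flag
fill eip,A,90        // NOP the stub's own 10-byte patch sequence (C600 43 / C640 01 BB / 8970 02)
bc eip               // clear the software bp here before reassembling so its CC byte is not lost
asm eip,"mov byte ptr [eax], 0BB"        // write the mov ebx, imm32 opcode at the call site
mov tmpaddr,eip
add tmpaddr,3        // next slot, right after the 3-byte instruction above
asm tmpaddr,"mov dword ptr [eax+1], esi" // the imm32 follows the BB opcode
bp eip               // restore the breakpoint
mov esi,api_address  // esi now holds the real API address the patched instruction stores
jmp loop
handler6:
mov re_flag,0        // clear the forwarded-export flag
mov esi,api_address  // esi = real API address
fill eip,A,90        // NOP the stub's own 10-byte patch sequence (C600 46 / C640 01 BE / 8970 02)
bc eip
asm eip,"mov byte ptr [eax], 0BE"        // mov esi, imm32 opcode
mov tmpaddr,eip
add tmpaddr,3
asm tmpaddr,"mov dword ptr [eax+1], esi" // imm32 right after the opcode
bp eip
jmp loop
handler7:
mov re_flag,0
bc eip
fill eip,A,90        // NOP the stub's own 10-byte patch sequence (C600 47 / C640 01 BF / 8970 02)
asm eip,"mov byte ptr [eax], 0BF"        // mov edi, imm32 opcode
mov tmpaddr,eip
add tmpaddr,3
asm tmpaddr,"mov dword ptr [eax+1], esi" // imm32 right after the opcode
bp eip
mov esi,api_address
log eax
log api_address
jmp loop
exit:
bphwc
bc
ret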
现在重载程序直接跑这个脚本。程序就会停在OEP处,当然这个OEP并不是我们想要的OEP
看一下OEP的代码
003A0000 33C0 xor eax, eax
003A0002 9C pushfd
003A0003 892C24 mov dword ptr [esp], ebp
003A0006 83EC 04 sub esp, 4
003A0009 892424 mov dword ptr [esp], esp
003A000C 5D pop ebp
003A000D 83EC 44 sub esp, 44
003A0010 8BC1 mov eax, ecx
003A0012 83E8 14 sub eax, 14
003A0015 25 F8000000 and eax, 0F8
003A001A 50 push eax
003A001B 83C4 FC add esp, -4
003A001E 893424 mov dword ptr [esp], esi
003A0021 58 pop eax
003A0022 E8 962F477C call 7C812FBD ; kernel32.GetCommandLineA
003A0027 90 nop
003A0028 56 push esi
003A0029 50 push eax
003A002A 5E pop esi
003A002B 83C4 04 add esp, 4
003A002E 8A00 mov al, byte ptr [eax]
003A0030 3C 22 cmp al, 22
003A0032 75 13 jnz short 003A0047
003A0034 46 inc esi
003A0035 8A06 mov al, byte ptr [esi]
003A0037 84C0 test al, al
003A0039 74 04 je short 003A003F
003A003B 3C 22 cmp al, 22
003A003D^ 75 F5 jnz short 003A0034
003A003F 803E 22 cmp byte ptr [esi], 22
003A0042 75 0D jnz short 003A0051
003A0044 46 inc esi
003A0045 EB 0A jmp short 003A0051
003A0047 3C 20 cmp al, 20
003A0049 7E 06 jle short 003A0051
003A004B 46 inc esi
003A004C 803E 20 cmp byte ptr [esi], 20
003A004F^ 7F FA jg short 003A004B
003A0051 803E 00 cmp byte ptr [esi], 0
003A0054 74 0B je short 003A0061
003A0056 803E 20 cmp byte ptr [esi], 20
003A0059 7F 06 jg short 003A0061
003A005B 46 inc esi
003A005C 803E 00 cmp byte ptr [esi], 0
003A005F^ 75 F5 jnz short 003A0056
003A0061 33C9 xor ecx, ecx
003A0063 894D E8 mov dword ptr [ebp-18], ecx
003A0066 41 inc ecx
003A0067 8D4D BC lea ecx, dword ptr [ebp-44]
003A006A 83EC 08 sub esp, 8
003A006D 894C24 04 mov dword ptr [esp+4], ecx
003A0071 83C4 04 add esp, 4
003A0074 E8 791E467C call 7C801EF2 ; kernel32.GetStartupInfoA
003A0079 90 nop
003A007A F645 E8 01 test byte ptr [ebp-18], 1
003A007E B8 0A000000 mov eax, 0A
003A0083 74 04 je short 003A0089
003A0085 0FB745 EC movzx eax, word ptr [ebp-14]
003A0089 50 push eax
003A008A 56 push esi
003A008B 6A 00 push 0
003A008D 6A 00 push 0
003A008F E8 ADB6467C call 7C80B741 ; kernel32.GetModuleHandleA
003A0094 90 nop
003A0095 50 push eax
003A0096 E8 18200600 call 004020B3 ; fuck_fix.004020B3
003A009B 50 push eax
003A009C 50 push eax
003A009D 83C6 08 add esi, 8
003A00A0 5E pop esi
003A00A1 E8 6CCA477C call 7C81CB12 ; kernel32.ExitProcess
003A00A6 90 nop
003A00A7 8BC6 mov eax, esi
003A00A9 8B3424 mov esi, dword ptr [esp]
003A00AC 83C4 04 add esp, 4
003A00AF 8BE5 mov esp, ebp
003A00B1 5D pop ebp
003A00B2 C3 retn
API都已经修复成直接调用了。
还有一个 CharNextA函数被它直接模拟了,我们不管它,这对我们的程序没有影响。
而且这些代码类似于Aspr 的多态代码,当然这里没有花指令,如果再加点花指令估计代码很难读懂。:Dweeqw
看下OEP的地址。003A0002显然不是我们的地址,这还是在申请的内存中。
我们把这些代码先复制一份保存,然后二进制复制一份。
到代码段找个空的地方把这段二进制粘贴进去。我这里找的是00405300
00405300新建个EIP,
然后对比刚才复制的保存代码,修正CALL的调用地址为保存的地址
00405300 33C0 xor eax, eax
00405302 9C pushfd
00405303 892C24 mov dword ptr [esp], ebp
00405306 83EC 04 sub esp, 4
00405309 892424 mov dword ptr [esp], esp
0040530C 5D pop ebp
0040530D 83EC 44 sub esp, 44
00405310 8BC1 mov eax, ecx
00405312 83E8 14 sub eax, 14
00405315 25 F8000000 and eax, 0F8
0040531A 50 push eax
0040531B 83C4 FC add esp, -4
0040531E 893424 mov dword ptr [esp], esi
00405321 58 pop eax
00405322 E8 96DC407C call 7C812FBD ; kernel32.GetCommandLineA
00405327 90 nop
00405328 56 push esi
00405329 50 push eax
0040532A 5E pop esi
0040532B 83C4 04 add esp, 4
0040532E 8A00 mov al, byte ptr [eax]
00405330 3C 22 cmp al, 22
00405332 75 13 jnz short 00405347 ; 00405347
00405334 46 inc esi
00405335 8A06 mov al, byte ptr [esi]
00405337 84C0 test al, al
00405339 74 04 je short 0040533F ; 0040533F
0040533B 3C 22 cmp al, 22
0040533D^ 75 F5 jnz short 00405334 ; 00405334
0040533F 803E 22 cmp byte ptr [esi], 22
00405342 75 0D jnz short 00405351 ; 00405351
00405344 46 inc esi
00405345 EB 0A jmp short 00405351 ; 00405351
00405347 3C 20 cmp al, 20
00405349 7E 06 jle short 00405351 ; 00405351
0040534B 46 inc esi
0040534C 803E 20 cmp byte ptr [esi], 20
0040534F^ 7F FA jg short 0040534B ; 0040534B
00405351 803E 00 cmp byte ptr [esi], 0
00405354 74 0B je short 00405361 ; 00405361
00405356 803E 20 cmp byte ptr [esi], 20
00405359 7F 06 jg short 00405361 ; 00405361
0040535B 46 inc esi
0040535C 803E 00 cmp byte ptr [esi], 0
0040535F^ 75 F5 jnz short 00405356 ; 00405356
00405361 33C9 xor ecx, ecx
00405363 894D E8 mov dword ptr [ebp-18], ecx
00405366 41 inc ecx
00405367 8D4D BC lea ecx, dword ptr [ebp-44]
0040536A 83EC 08 sub esp, 8
0040536D 894C24 04 mov dword ptr [esp+4], ecx
00405371 83C4 04 add esp, 4
00405374 E8 79CB3F7C call 7C801EF2 ; kernel32.GetStartupInfoA
00405379 90 nop
0040537A F645 E8 01 test byte ptr [ebp-18], 1
0040537E B8 0A000000 mov eax, 0A
00405383 74 04 je short 00405389 ; 00405389
00405385 0FB745 EC movzx eax, word ptr [ebp-14]
00405389 50 push eax
0040538A 56 push esi
0040538B 6A 00 push 0
0040538D 6A 00 push 0
0040538F E8 AD63407C call 7C80B741 ; kernel32.GetModuleHandleA
00405394 90 nop
00405395 50 push eax
00405396 E8 18CDFFFF call 004020B3 ; 004020B3
0040539B 50 push eax
0040539C 50 push eax
0040539D 83C6 08 add esi, 8
004053A0 5E pop esi
004053A1 E8 6C77417C call 7C81CB12 ; kernel32.ExitProcess
004053A6 90 nop
004053A7 8BC6 mov eax, esi
004053A9 8B3424 mov esi, dword ptr [esp]
004053AC 83C4 04 add esp, 4
004053AF 8BE5 mov esp, ebp
004053B1 5D pop ebp
004053B2 C3 retn
修复后,用UIF修复直接调用为间接调用
然后 Lordpe来dump,ImportRec修复就行了。提醒下ImportRec不要先"按序号重建输入表",会造成不能跨平台的问题,多谢HyperChem的提醒:lol
剩下的我就不演示了。
该收工了。哇咔咔:lol
ximo被爆菊了:lol 鲜艳的菊花。。。 不明真相。。。。 拜读下XP的淫文 补充一下:
0040CA09 E8 B2FAFFFF call 0040C4C0 ; 0040C4C0
0040CA0E 25 FF000000 and eax, 0FF ; ;里面有个SEH,不知道是干什么的。直接在下面F4
这个函数里,用SEH来检测是否存在硬件断点。检测结果保存在[ebp-28],并在0040CC07/0040CC0A处与VirtualAlloc/LoadLibraryA前几个字节的CC扫描结果([ebp-1C])一起被减进API名字的解密中,所以一旦被检测到,后面解密输入表的时候就会解密错误。
分析的很详细,学习。 版主大大都来了···来围观学习· 强帖留个名!初学者 {:298_823:} :lol晕