With some free time on my hands I have recently been writing an image-operations class in 易语言 (Easy Language). When I got to the PrintWindow function for background screenshots, every normal Win7 32-bit program captured fine. On a whim I wanted to see whether I could capture a game's window in the background, and since I happened to be playing a 传奇 private server (SF), I used it as the test subject. That is how my story with this launcher calling itself "80复古合击" began!
The first PrintWindow background capture succeeded, and then... nothing. After that one success I never got a proper capture again: every one was a blank white image.
So, out of habit, I pulled out the ultimate weapon, PCHunter, and scanned. First I ruled out the launcher loading a driver (don't ask why I'm so sure: neither PCHunter nor 360 caught any driver load). Then I looked at process hooks, and well, that scan turned up something. See the screenshot:
PCHunter reported that the module file had been replaced; my guess was that the process wiped its own PE information after loading. At this point I first tried reading the PE information from the on-disk file and writing it back into the launcher process to repair the PE, thinking that would settle everything and I'd get my prize. Unexpectedly, the same error still appeared.
Next step:
Scan it with PEiD. Damn, it's packed with UPX. What now? Just do it: the ESP trick unpacks it in one go, so surely I'd win now. Repeated the earlier work, read the PE information from the file and wrote it in, scanned with PCHunter again, and still the same problem. This was getting ridiculous. Time to bring out the ultimate weapons, OD and IDA.
Next step:
Attached with OD normally; ran it through, and the process in OD exited, but the launcher had started successfully. Why? Who wrote this anti-debugging? I opened Task Manager and, damn, there were two launcher processes. Turns out that after the launcher starts, it loads its own exe file again as a new process and then exits, so OD sees the debugged process as having exited while the launcher UI shows up normally. Pulled out PCHunter again to scan the new process, and there it is: the new and old processes are completely identical, all of it. Fine, go back and honestly reverse the first process.
Loaded the exe in OD (started as exe), broke at the entry point (already unpacked, OEP correct), set a breakpoint on CreateProcessA, and the process broke on it. After a burst of work, here is the analysis, with the code I spent half a day analyzing.
00401368 /$ FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040136E |. 68 BC094100 PUSH 80复古合.004109BC ; /pModule = "Kernel32.dll"
00401373 |. FF15 18C04000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
00401379 |. 68 CC094100 PUSH 80复古合.004109CC ; /ProcNameOrOrdinal = "VirtualAllocEx"
0040137E |. 50 PUSH EAX ; |hModule
0040137F |. FF15 2CC04000 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00401385 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040138B |. 8BC8 MOV ECX,EAX ; EAX= kernel32.VirtualAllocEx
0040138D |. 33C0 XOR EAX,EAX
0040138F |. 890D 5CBFE400 MOV DWORD PTR DS:[0xE4BF5C],ECX [0xE4BF5C]=VirtualAllocEx
00401395 |. 85C9 TEST ECX,ECX
00401397 |. 0F95C0 SETNE AL After reading ZF, invert it and put the result in AL.
0040139A \. C3 RETN Return and continue below; eax=1
0040156F |. 85C0 TEST EAX,EAX Is GetProcAddress(VirtualAllocEx) == 0? If non-zero, continue; if VirtualAllocEx == 0, jump
00401571 |. 74 4E JE SHORT 80复古合.004015C1
00401573 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
00401579 |. BB 00010000 MOV EBX,0x100
0040157E |. 53 PUSH EBX
0040157F |. E8 D81D0000 CALL 80复古合.0040335C //not important: allocates heap memory via HeapAlloc(); the allocated memory is probably the buffer argument for GetModuleFileNameA
00401584 |. 53 PUSH EBX
00401585 |. 8BF8 MOV EDI,EAX
00401587 |. 33DB XOR EBX,EBX
00401589 |. 53 PUSH EBX
0040158A |. 57 PUSH EDI
0040158B |. 89BD 04FDFFFF MOV [LOCAL.191],EDI
00401591 |. E8 4A160000 CALL 80复古合.00402BE0 //a pile of jumps inside, none of them taken
00401596 |. 83C4 10 ADD ESP,0x10
00401599 |. 68 00010000 PUSH 0x100 ; /BufSize = 100 (256.)
0040159E |. 57 PUSH EDI ; |PathBuffer
0040159F |. 53 PUSH EBX ; |hModule
004015A0 |. FF15 00C04000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA gets the current process's absolute path
004015A6 |. 4F DEC EDI
004015A7 |> 8A47 01 /MOV AL,BYTE PTR DS:[EDI+0x1] AL="C" esi points to "PE"
004015AA |. 47 |INC EDI
004015AB |. 84C0 |TEST AL,AL AL="C" taken from the file path, i.e. drive C; this loop reads one byte at a time until the whole path has been read
004015AD |.^ 75 F8 \JNZ SHORT 80复古合.004015A7
004015AF |. A0 B8094100 MOV AL,BYTE PTR DS:[0x4109B8]
004015B4 |. 8807 MOV BYTE PTR DS:[EDI],AL
004015B6 |. 83CF FF OR EDI,0xFFFFFFFF
004015B9 |. 8B85 04FDFFFF MOV EAX,[LOCAL.191] eax=pointer to the process path
004015BF |. EB 0A JMP SHORT 80复古合.004015CB
004015C1 |> 33DB XOR EBX,EBX jump here if GetProcAddress(VirtualAllocEx)=0
004015C3 |. 8BC3 MOV EAX,EBX
004015C5 |. 8985 04FDFFFF MOV [LOCAL.191],EAX [LOCAL.191] process path = ""
004015CB |> 85C0 TEST EAX,EAX execution reaches here if GetProcAddress(VirtualAllocEx) != 0
004015CD |. 0F84 6C030000 JE 80复古合.0040193F if GetProcAddress(VirtualAllocEx) != 0, continue and create the new process; otherwise jump to 0040193F (seems to be the subroutine's exit)
004015D3 |. FF75 F4 PUSH [LOCAL.3] ; /Arg6
004015D6 |. 8D4D F4 LEA ECX,[LOCAL.3] ; |
004015D9 |. 51 PUSH ECX ; |Arg5
004015DA |. 8D4D DC LEA ECX,[LOCAL.9] ; |
004015DD |. 51 PUSH ECX ; |Arg4
004015DE |. FFB5 08FDFFFF PUSH [LOCAL.190] ; |Arg3
004015E4 |. 8D8D 08FDFFFF LEA ECX,[LOCAL.190] ; |
004015EA |. 51 PUSH ECX ; |Arg2
004015EB |. 8D4D E8 LEA ECX,[LOCAL.6] ; |
004015EE |. 51 PUSH ECX ; |Arg1
004015EF |. 8D95 10FDFFFF LEA EDX,[LOCAL.188] ; |
004015F5 |. 8BC8 MOV ECX,EAX ; |
004015F7 |. E8 EFFDFFFF CALL 80复古合.004013EB ; \creates the process inside!!! then reads memory and queries the process's memory attributes
004015FC |. 8B7D E8 MOV EDI,[LOCAL.6]
004015FF |. 85C0 TEST EAX,EAX
00401601 |. 0F84 21030000 JE 80复古合.00401928 if process creation fails, jump to 00401928 at the end of the function
00401607 |. 8B4D E0 MOV ECX,[LOCAL.8]
0040160A |. 8B85 08FDFFFF MOV EAX,[LOCAL.190]
00401610 |. 895D E0 MOV [LOCAL.8],EBX
00401613 |. 8901 MOV DWORD PTR DS:[ECX],EAX
00401615 |. 8B45 DC MOV EAX,[LOCAL.9]
00401618 |. 3946 34 CMP DWORD PTR DS:[ESI+0x34],EAX
0040161B |. 75 2A JNZ SHORT 80复古合.00401647 'compares whether the image base is the same, 0x400000; if different, jump to 00401647
0040161D |. 8B8D 0CFDFFFF MOV ECX,[LOCAL.189]
00401623 |. 394D F4 CMP [LOCAL.3],ECX
00401626 |. 72 1F JB SHORT 80复古合.00401647 'compares whether the module size is the same? jumps if the same
00401628 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040162E |. 8D4D E8 LEA ECX,[LOCAL.6]
00401631 |. 51 PUSH ECX ; /pOldProtect
00401632 |. 6A 40 PUSH 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00401634 |. FF75 F4 PUSH [LOCAL.3] ; |Size
00401637 |. 8945 E0 MOV [LOCAL.8],EAX ; |
0040163A |. 50 PUSH EAX ; |Address
0040163B |. 57 PUSH EDI ; |hProcess
0040163C |. FF15 24C04000 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtectEx>] ; \VirtualProtectEx
00401642 |. E9 B7000000 JMP 80复古合.004016FE
00401647 |> E8 1CFDFFFF CALL 80复古合.00401368 jump here when the image base differs from 0x400000
0040164C |. 85C0 TEST EAX,EAX
0040164E |. 0F84 AA000000 JE 80复古合.004016FE
00401654 |. 8B55 DC MOV EDX,[LOCAL.9]
00401657 |. 8BCF MOV ECX,EDI
00401659 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040165F |. E8 37FDFFFF CALL 80复古合.0040139B
00401664 |. 85C0 TEST EAX,EAX
00401666 |. 74 1C JE SHORT 80复古合.00401684
00401668 |. 6A 40 PUSH 0x40
0040166A |. 68 00300000 PUSH 0x3000
0040166F |. FFB5 0CFDFFFF PUSH [LOCAL.189]
00401675 |. FF76 34 PUSH DWORD PTR DS:[ESI+0x34]
00401678 |. 57 PUSH EDI
00401679 |. FF15 5CBFE400 CALL DWORD PTR DS:[0xE4BF5C] ; kernel32.VirtualAllocEx
0040167F |. 8945 E0 MOV [LOCAL.8],EAX
00401682 |. EB 03 JMP SHORT 80复古合.00401687
00401684 |> 8B45 E0 MOV EAX,[LOCAL.8]
00401687 |> 85C0 TEST EAX,EAX
00401689 |. 75 7D JNZ SHORT 80复古合.00401708
0040168B |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
00401691 |. 399E A0000000 CMP DWORD PTR DS:[ESI+0xA0],EBX
00401697 |. 0F84 59020000 JE 80复古合.004018F6
0040169D |. 399E A4000000 CMP DWORD PTR DS:[ESI+0xA4],EBX
004016A3 |. 0F84 4D020000 JE 80复古合.004018F6
004016A9 |. 6A 40 PUSH 0x40
004016AB |. 68 00300000 PUSH 0x3000
004016B0 |. FFB5 0CFDFFFF PUSH [LOCAL.189]
004016B6 |. 53 PUSH EBX
004016B7 |. 57 PUSH EDI
004016B8 |. FF15 5CBFE400 CALL DWORD PTR DS:[0xE4BF5C] ; kernel32.VirtualAllocEx
004016BE |. 8BC8 MOV ECX,EAX
004016C0 |. 894D E0 MOV [LOCAL.8],ECX
004016C3 |. 85C9 TEST ECX,ECX
004016C5 |. 0F84 2B020000 JE 80复古合.004018F6
004016CB |. 8B96 A0000000 MOV EDX,DWORD PTR DS:[ESI+0xA0]
004016D1 |. 0355 E4 ADD EDX,[LOCAL.7]
004016D4 |. 8305 58BFE400>ADD DWORD PTR DS:[0xE4BF58],0x2
004016DB |. 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+0x4]
004016DE |. 030A ADD ECX,DWORD PTR DS:[EDX]
004016E0 |. 74 1C JE SHORT 80复古合.004016FE
004016E2 |> 8B42 04 /MOV EAX,DWORD PTR DS:[EDX+0x4]
004016E5 |. 8D4A 08 |LEA ECX,DWORD PTR DS:[EDX+0x8]
004016E8 |. 83E8 08 |SUB EAX,0x8
004016EB |. D1E8 |SHR EAX,1
004016ED |. 83F8 01 |CMP EAX,0x1
004016F0 |. 72 03 |JB SHORT 80复古合.004016F5
004016F2 |. 8D0C41 |LEA ECX,DWORD PTR DS:[ECX+EAX*2]
004016F5 |> 8B41 04 |MOV EAX,DWORD PTR DS:[ECX+0x4]
004016F8 |. 8BD1 |MOV EDX,ECX
004016FA |. 0301 |ADD EAX,DWORD PTR DS:[ECX]
004016FC |.^ 75 E4 \JNZ SHORT 80复古合.004016E2
004016FE |> 837D E0 00 CMP [LOCAL.8],0x0 the normal flow jmps here
00401702 |. 0F84 EE010000 JE 80复古合.004018F6
00401708 |> FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040170E |. 8D45 E8 LEA EAX,[LOCAL.6]
00401711 |. 50 PUSH EAX ; /pBytesWritten
00401712 |. 6A 04 PUSH 0x4 ; |BytesToWrite = 0x4 first write, size 4
00401714 |. 8D45 E0 LEA EAX,[LOCAL.8] ; |
00401717 |. 50 PUSH EAX ; |Buffer value at the buffer address = 0x400000
00401718 |. 8B85 B4FDFFFF MOV EAX,[LOCAL.147] ; |
0040171E |. 83C0 08 ADD EAX,0x8 ; |
00401721 |. 50 PUSH EAX ; |Address write address = 7efde008, value there = 0x400000
00401722 |. 57 PUSH EDI ; |hProcess process handle = 0x30; need to check whether this is the local process or the target
00401723 |. FF15 04C04000 CALL DWORD PTR DS:[<&KERNEL32.WriteProcessMemory>] ; \WriteProcessMemory this write seems useless? both = 0x40000
00401729 |. 8B45 E0 MOV EAX,[LOCAL.8]
0040172C |. 8D4D E8 LEA ECX,[LOCAL.6]
0040172F |. 51 PUSH ECX ; /pBytesWritten
00401730 |. FFB5 0CFDFFFF PUSH [LOCAL.189] ; |BytesToWrite 0x5823000
00401736 |. 8946 34 MOV DWORD PTR DS:[ESI+0x34],EAX ; |
00401739 |. FF75 E4 PUSH [LOCAL.7] ; |Buffer value at buffer address 10b0000 = "MZP"
0040173C |. 50 PUSH EAX ; |Address 0x400000
0040173D |. 57 PUSH EDI ; |hProcess process handle = 0x30
0040173E |. FF15 04C04000 CALL DWORD PTR DS:[<&KERNEL32.WriteProcessMemory>] ; \WriteProcessMemory
00401744 |. 85C0 TEST EAX,EAX
00401746 |. 0F84 7A010000 JE 80复古合.004018C6 if the write fails, jump to 004018C6
0040174C |. 8B4D E0 MOV ECX,[LOCAL.8]
0040174F |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
00401755 |. 8B46 28 MOV EAX,DWORD PTR DS:[ESI+0x28]
00401758 |. C785 10FDFFFF>MOV [LOCAL.188],0x10007
00401762 |. 3B4D DC CMP ECX,[LOCAL.9]
00401765 |. 75 05 JNZ SHORT 80复古合.0040176C
00401767 |. 0346 34 ADD EAX,DWORD PTR DS:[ESI+0x34]
0040176A |. EB 02 JMP SHORT 80复古合.0040176E
0040176C |> 03C1 ADD EAX,ECX
0040176E |> 8985 C0FDFFFF MOV [LOCAL.144],EAX
00401774 |. B8 3C004000 MOV EAX,80复古合.0040003C
00401779 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040177B |. 05 00004000 ADD EAX,80复古合.00400000
00401780 |. 83C0 28 ADD EAX,0x28
00401783 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401785 |. 05 00004000 ADD EAX,80复古合.00400000
0040178A |. 8985 0CFDFFFF MOV [LOCAL.189],EAX
00401790 |. 8305 58BFE400>ADD DWORD PTR DS:[0xE4BF58],0x5
00401797 |. 8D45 E4 LEA EAX,[LOCAL.7]
0040179A |. 50 PUSH EAX ; /pBytesRead
0040179B |. 6A 05 PUSH 0x5 ; |BytesToRead = 0x5 size to read, 0x5
0040179D |. 8D45 EC LEA EAX,[LOCAL.5] ; |
004017A0 |. 885D EC MOV BYTE PTR SS:[EBP-0x14],BL ; |
004017A3 |. 50 PUSH EAX ; |Buffer address where the bytes are saved
004017A4 |. FFB5 0CFDFFFF PUSH [LOCAL.189] ; |pBaseAddress target address 0x401b91
004017AA |. 895D ED MOV DWORD PTR SS:[EBP-0x13],EBX ; |
004017AD |. 57 PUSH EDI ; |hProcess 0x30
004017AE |. C745 F4 E9000>MOV [LOCAL.3],0xE9 ; |
004017B5 |. 885D F8 MOV BYTE PTR SS:[EBP-0x8],BL ; |
004017B8 |. FF15 30C04000 CALL DWORD PTR DS:[<&KERNEL32.ReadProcessMemory>] ; \ReadProcessMemory
004017BE |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
004017C4 |. 6A 40 PUSH 0x40
004017C6 |. 68 00100000 PUSH 0x1000
004017CB |. 6A 05 PUSH 0x5
004017CD |. 53 PUSH EBX
004017CE |. 57 PUSH EDI
004017CF |. FF15 5CBFE400 CALL DWORD PTR DS:[0xE4BF5C] ; kernel32.VirtualAllocEx
004017D5 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
004017DB |. 8BF0 MOV ESI,EAX
004017DD |. 8D45 E8 LEA EAX,[LOCAL.6]
004017E0 |. 50 PUSH EAX ; /pBytesWritten
004017E1 |. 6A 05 PUSH 0x5 ; |BytesToWrite = write size = 0x5
004017E3 |. 8D45 EC LEA EAX,[LOCAL.5] ; |
004017E6 |. 50 PUSH EAX ; |Buffer value at buffer address 18feec = 0x8dc9bc0f
004017E7 |. 56 PUSH ESI ; |Address 0x1c0000
004017E8 |. 57 PUSH EDI ; |hProcess 0x30
004017E9 |. FF15 04C04000 CALL DWORD PTR DS:[<&KERNEL32.WriteProcessMemory>] ; \WriteProcessMemory
004017EF |. 8B85 0CFDFFFF MOV EAX,[LOCAL.189]
004017F5 |. 8305 58BFE400>ADD DWORD PTR DS:[0xE4BF58],0x4
004017FC |. 6A 40 PUSH 0x40
004017FE |. 68 00100000 PUSH 0x1000
00401803 |. 68 CE8D0300 PUSH 0x38DCE
00401808 |. 53 PUSH EBX
00401809 |. A3 92274100 MOV DWORD PTR DS:[0x412792],EAX
0040180E |. 8B85 C0FDFFFF MOV EAX,[LOCAL.144]
00401814 |. 57 PUSH EDI
00401815 |. 8935 8D274100 MOV DWORD PTR DS:[0x41278D],ESI
0040181B |. A3 A0274100 MOV DWORD PTR DS:[0x4127A0],EAX
00401820 |. FF15 5CBFE400 CALL DWORD PTR DS:[0xE4BF5C] ; kernel32.VirtualAllocEx
00401826 |. 8305 58BFE400>ADD DWORD PTR DS:[0xE4BF58],0x3
0040182D |. 8BF0 MOV ESI,EAX
0040182F |. 8B1D 04C04000 MOV EBX,DWORD PTR DS:[<&KERNEL32.WriteProcessMemory>] ; kernel32.WriteProcessMemory
00401835 |. 8D45 E8 LEA EAX,[LOCAL.6]
00401838 |. 50 PUSH EAX ; pBytesWritten
00401839 |. 68 CE8D0300 PUSH 0x38DCE ; |BytesToWrite write size = 38DCE
0040183E |. 68 80274100 PUSH 80复古合.00412780 ; |Buffer = buffer=00412780
00401843 |. 56 PUSH ESI ; |Address write address = 1d0000, value there = "L<"; this address is the remote memory allocated by VirtualAllocEx above
00401844 |. 8D8E CD0D0000 LEA ECX,DWORD PTR DS:[ESI+0xDCD] ; |
0040184A |. C705 88274100>MOV DWORD PTR DS:[0x412788],0x19 ; |
00401854 |. 57 PUSH EDI ; |hProcess 30
00401855 |. 890D 83274100 MOV DWORD PTR DS:[0x412783],ECX ; |
0040185B |. FFD3 CALL EBX ; \WriteProcessMemory
0040185D |. 2BB5 0CFDFFFF SUB ESI,[LOCAL.189]
00401863 |. 8D45 E8 LEA EAX,[LOCAL.6]
00401866 |. 8305 58BFE400>ADD DWORD PTR DS:[0xE4BF58],0x3
0040186D |. 83EE 05 SUB ESI,0x5
00401870 |. 50 PUSH EAX ; /pOldProtect
00401871 |. 6A 40 PUSH 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00401873 |. 6A 05 PUSH 0x5 ; |Size = 0x5
00401875 |. FFB5 0CFDFFFF PUSH [LOCAL.189] ; |Address
0040187B |. 8975 F5 MOV DWORD PTR SS:[EBP-0xB],ESI ; |
0040187E |. 57 PUSH EDI ; |hProcess
0040187F |. FF15 24C04000 CALL DWORD PTR DS:[<&KERNEL32.VirtualProtectEx>] ; \VirtualProtectEx
00401885 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
0040188B |. 8D45 E8 LEA EAX,[LOCAL.6]
0040188E |. 50 PUSH EAX ; /pBytesWritten
0040188F |. 6A 05 PUSH 0x5 ; |BytesToWrite = write size = 0x5
00401891 |. 8D45 F4 LEA EAX,[LOCAL.3] ; |
00401894 |. 50 PUSH EAX ; |Buffer the buffer contains e9; this is the entry-point hook
00401895 |. FFB5 0CFDFFFF PUSH [LOCAL.189] ; |Address write address = 0x401b91 'module entry point!!!!!!!!!!
0040189B |. 57 PUSH EDI ; |hProcess
0040189C |. FFD3 CALL EBX ; \WriteProcessMemory
0040189E |. 8B9D 08FDFFFF MOV EBX,[LOCAL.190]
004018A4 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
004018AA |. 53 PUSH EBX ; /hThread
004018AB |. FF15 14C04000 CALL DWORD PTR DS:[<&KERNEL32.ResumeThread>] ; \ResumeThread
004018B1 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
004018B7 |. 53 PUSH EBX ; /hObject
004018B8 |. FF15 20C04000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004018BE |. A1 58BFE400 MOV EAX,DWORD PTR DS:[0xE4BF58]
004018C3 |. 40 INC EAX
004018C4 |. EB 67 JMP SHORT 80复古合.0040192D after resuming the process here, jump to 0040192D
004018C6 |> 53 PUSH EBX ; /ExitCode jump here if the write fails; some exit cleanup is done here
004018C7 |. 57 PUSH EDI ; |hProcess
004018C8 |. FF15 10C04000 CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; \TerminateProcess
004018CE |. FFB5 08FDFFFF PUSH [LOCAL.190] ; /hObject
004018D4 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58] ; |
004018DA |. 8B35 20C04000 MOV ESI,DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; |kernel32.CloseHandle
004018E0 |. FFD6 CALL ESI ; \CloseHandle
004018E2 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
004018E8 |. 57 PUSH EDI ; /hObject
004018E9 |. FFD6 CALL ESI ; \CloseHandle
004018EB |. A1 58BFE400 MOV EAX,DWORD PTR DS:[0xE4BF58]
004018F0 |. 40 INC EAX
004018F1 |. 83CF FF OR EDI,0xFFFFFFFF
004018F4 |. EB 37 JMP SHORT 80复古合.0040192D
004018F6 |> 53 PUSH EBX ; /ExitCode
004018F7 |. 57 PUSH EDI ; |hProcess
004018F8 |. FF15 10C04000 CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; \TerminateProcess
004018FE |. FFB5 08FDFFFF PUSH [LOCAL.190] ; /hObject
00401904 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58] ; |
0040190A |. 8B35 20C04000 MOV ESI,DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; |kernel32.CloseHandle
00401910 |. FFD6 CALL ESI ; \CloseHandle
00401912 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58]
00401918 |. 57 PUSH EDI ; /hObject
00401919 |. FFD6 CALL ESI ; \CloseHandle
0040191B |. A1 58BFE400 MOV EAX,DWORD PTR DS:[0xE4BF58]
00401920 |. 83CF FF OR EDI,0xFFFFFFFF
00401923 |. 83C0 02 ADD EAX,0x2
00401926 |. EB 05 JMP SHORT 80复古合.0040192D
00401928 |> A1 58BFE400 MOV EAX,DWORD PTR DS:[0xE4BF58] jump here if process creation fails
0040192D |> FFB5 04FDFFFF PUSH [LOCAL.191]
00401933 |. 40 INC EAX
00401934 |. A3 58BFE400 MOV DWORD PTR DS:[0xE4BF58],EAX
00401939 |. E8 191A0000 CALL 80复古合.00403357 this call does some heap cleanup
0040193E |. 59 POP ECX
0040193F |> 8B4D FC MOV ECX,[LOCAL.1] jump here if GetProcAddress(VirtualAllocEx) fails
00401942 |. 8BC7 MOV EAX,EDI
00401944 |. FF05 58BFE400 INC DWORD PTR DS:[0xE4BF58] normally, after this increment, = 38e35; when process creation etc. is skipped, = 38e18
0040194A |. 33CD XOR ECX,EBP
0040194C |. 5F POP EDI
0040194D |. 5E POP ESI
0040194E |. 5B POP EBX
0040194F |. E8 06000000 CALL 80复古合.0040195A useless, ignore
00401954 |. 8BE5 MOV ESP,EBP
00401956 |. 5D POP EBP
00401957 \. C2 1C00 RETN 0x1C after this returns, the process has been created successfully and the new process is already displaying normally
Known issues so far:
1. The launcher decides whether to create the puppet process (傀儡进程, the new process) based on the return value of GetProcAddress(VirtualAllocEx).
2. There is a counter that keeps getting incremented (++) throughout; my guess is that it is there to detect patching: after someone changes the program logic, the counter's value is checked to decide whether the program has been patched.
3. I tried modifying the return value of GetProcAddress(VirtualAllocEx) so that the launcher skips creating the puppet process and runs itself normally (the puppet process, the launcher's own process and the game process are all the same file, with the same logic).
4. The code has a pile of remote-memory writes, all of which modify the puppet process's PE information; patching them directly still errors out, so presumably there is a checksum.
This took me a whole day and I honestly don't have the energy to keep going. Here are the dump and the analysis document; anyone interested can give it a try. The dump is the 传奇 SF launcher, currently in live operation. The dump is the unpacked exe; if you need the original, open the launcher and download it from the website.
First time posting, and I only just discovered that attachments can't exceed 1 MB. Here is the launcher's website: http://www.9292d.com/ ; it's only a few MB. The dump isn't attached any more; it's UPX-packed, so just unpack it yourself.
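An added example, not code from the original post or from the launcher. The listing above is a RunPE-style process-hollowing loader, and the fields it reads are standard PE32 header offsets: [0x40003C] is e_lfanew, ESI+0x28 is OptionalHeader.AddressOfEntryPoint, ESI+0x34 is ImageBase, and ESI+0xA0/ESI+0xA4 are the base-relocation data directory (the loop at 004016E2 walks its blocks when the preferred base is unavailable). [LOCAL.188] receives 0x10007, which is CONTEXT_FULL for x86, and [LOCAL.147] lies 0xA4 bytes into it, the Ebx slot; for a freshly created suspended x86 thread Ebx holds the PEB address and PEB+8 is ImageBaseAddress, so the 4-byte write at 00401723 to 7efde008 records the new image base. The 5-byte hook is E9 followed by stub - entry - 5, formed at 0040185D..0040187B. The C below re-implements that header arithmetic portably on a constructed flat PE32 image; the fallback base 0x1C0000, the stub address 0x1D0000 and all function names are my choices, not the launcher's.

```c
/* Added example, not code from the original post or the launcher: a portable version
 * of the PE arithmetic the hollowing routine above does. It reads the fields the listing
 * reads ([base+0x3C] e_lfanew, NT+0x28 AddressOfEntryPoint, NT+0x34 ImageBase, NT+0x50
 * SizeOfImage, NT+0xA0/0xA4 relocation directory), walks relocation blocks like the loop
 * at 004016E2, and builds the E9 rel32 hook. Input is a constructed flat (RVA == offset)
 * PE32 image, so there are no Win32 calls and it runs anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_SIZE 0x3000u
struct pe_info { uint32_t entry_rva, image_base, size_of_image, reloc_rva, reloc_size; };
struct hollow_plan { uint32_t load_base; int relocated, fixups; uint8_t hook[5]; }; /* hook = E9 rel32 */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Bounds-checked parse of the fields a hollowing loader needs; PE32 only. 0 on success. */
int pe_parse(const uint8_t *img, size_t len, struct pe_info *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3C);
    if (nt > len || len - nt < 0xF8 || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    if ((img[nt + 0x18] | img[nt + 0x19] << 8) != 0x10B) return -1;  /* OptionalHeader.Magic */
    out->entry_rva = rd32(img + nt + 0x28); out->image_base = rd32(img + nt + 0x34);
    out->size_of_image = rd32(img + nt + 0x50);
    int has_dir = rd32(img + nt + 0x74) >= 6;                        /* NumberOfRvaAndSizes */
    out->reloc_rva  = has_dir ? rd32(img + nt + 0xA0) : 0;
    out->reloc_size = has_dir ? rd32(img + nt + 0xA4) : 0;
    return 0;
}

/* IMAGE_REL_BASED_HIGHLOW fixups for a move from image_base to new_base. Blocks are
 * {PageRVA, SizeOfBlock} + (SizeOfBlock-8)/2 entries of type<<12 | offset. Count or -1. */
int apply_relocs(uint8_t *img, size_t len, const struct pe_info *pi, uint32_t new_base) {
    uint32_t delta = new_base - pi->image_base, pos = pi->reloc_rva, end = pos + pi->reloc_size;
    int count = 0;
    if (end < pos || end > len) return -1;
    while (pos + 8 <= end) {
        uint32_t page = rd32(img + pos), size = rd32(img + pos + 4);
        if (size < 8 || size > end - pos) return -1;
        for (uint32_t i = 8; i + 2 <= size; i += 2) {
            uint16_t e = (uint16_t)(img[pos + i] | img[pos + i + 1] << 8);
            uint32_t rva = page + (e & 0xFFF);
            if (e >> 12 == 0) continue;                      /* ABSOLUTE: alignment padding */
            if (e >> 12 != 3 || rva > len - 4) return -1;    /* only HIGHLOW is valid in PE32 */
            wr32(img + rva, rd32(img + rva) + delta); count++;
        }
        pos += size;
    }
    return count;
}

/* JMP rel32 from the entry point to the stub: rel = stub - (entry + 5), the value the
 * listing forms at 0040185D..0040187B and stores right after the 0xE9 byte. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + 5); }
void write_jmp(uint8_t out[5], uint32_t from, uint32_t to) { out[0] = 0xE9; wr32(out + 1, jmp_rel32(from, to)); }

/* The decision at 00401618: keep the child's base if the image's preferred ImageBase matches
 * it, else relocate to a fallback, giving up (as 00401691 does) when there is no reloc table. */
int plan_hollow(uint8_t *img, size_t len, uint32_t child_base, uint32_t fallback_base,
                uint32_t stub_va, struct hollow_plan *out) {
    struct pe_info pi;
    memset(out, 0, sizeof *out);
    if (pe_parse(img, len, &pi) != 0 || pi.size_of_image > len) return -1;
    out->load_base = child_base;
    if (pi.image_base != child_base) {
        if (pi.reloc_size == 0) return -1;
        if ((out->fixups = apply_relocs(img, len, &pi, fallback_base)) < 0) return -1;
        out->load_base = fallback_base; out->relocated = 1;
    }
    write_jmp(out->hook, out->load_base + pi.entry_rva, stub_va);
    return 0;
}

/* Constructed sample (not the launcher): PE32, ImageBase 0x400000, entry at RVA 0x1000,
 * one absolute pointer at RVA 0x1010 covered by a single relocation block. */
void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_SIZE);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80);          /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4); wr16(img + 0x84, 0x14C);    /* Machine = i386 */
    wr16(img + 0x86, 1); wr16(img + 0x94, 0xE0);                 /* 1 section, PE32 opt hdr size */
    wr16(img + 0x98, 0x10B); wr32(img + 0xA8, 0x1000);           /* Magic, AddressOfEntryPoint */
    wr32(img + 0xB4, 0x400000); wr32(img + 0xD0, SAMPLE_SIZE);   /* ImageBase, SizeOfImage */
    wr32(img + 0xF4, 16);                                        /* NumberOfRvaAndSizes */
    wr32(img + 0x120, 0x2000); wr32(img + 0x124, 0xC);           /* DataDirectory[5] = relocs */
    wr32(img + 0x1010, 0x402000);                                /* pointer needing a fixup */
    wr32(img + 0x2000, 0x1000); wr32(img + 0x2004, 0xC);         /* block: page 0x1000, 12 bytes */
    wr16(img + 0x2008, 0x3010); wr16(img + 0x200A, 0);           /* HIGHLOW @+0x10, ABSOLUTE pad */
}

static uint8_t g_img[SAMPLE_SIZE]; static struct hollow_plan g_plan;
/* Rebuild the sample and plan a hollow into a child whose image base is child_base. */
int run_sample(uint32_t child_base) {
    build_sample_image(g_img);
    return plan_hollow(g_img, SAMPLE_SIZE, child_base, 0x1C0000, 0x1D0000, &g_plan);
}

int main(void) {
    run_sample(0x10000000);   /* child's base is taken: fallback, relocation, then hook */
    printf("load %08X fixups %d ptr %08X hook E9 %08X\n", g_plan.load_base, g_plan.fixups,
           rd32(g_img + 0x1010), rd32(g_plan.hook + 1));
    return 0;
}
```

Compile it as a single C99 file. run_sample(0x400000) takes the same-base path (no fixups, hook only); run_sample(0x10000000) takes the fallback path, which moves the one pointer from 0x402000 to 0x1C2000 and yields a hook of E9 FB EF 00 00 from 0x1C1000 to 0x1D0000. With the listing's own numbers, jmp_rel32(0x401B91, 0x1D0000) gives 0xFFDCE46A, the rel32 the launcher writes over its child's entry point.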