因为这时候停在某一句handle的中间,我们让它运行到下一句handle的最开始:在run trace的command is one of里加上jmp esi,然后CTRL+F11
停下来了。因为handle太长,这里我们记录run trace,再按一次CTRL + F11,这样就把这句handle所执行的语句全部记录下来了。下面就开始分析了
----------------------------------------------开始讲解-----------------------------------------
Address Thread Command ; Registers and comments
//初始化esi为pCode_data_addr
0157163E Main push dword ptr [edi+0x5DC] //edi+0x5DC的地址存放的是pCode_data_addr ; ESP=00391FF4
01571644 Main jmp 0151EF85
0151EF85 Main mov esi, dword ptr [esp] //esi指向了pCode_data_addr ; ESI=00BE2A50
这里有点代码变形,实际上处理的就是add esp, 4
//push ebx
0151EF88 Main push 0x4621 ; ESP=00391FF0
0151EF8D Main mov dword ptr [esp], ebx
0151EF90 Main jmp 014D21A5
//ebx为push dword ptr [edi+0x5DC]前的esp地址
014D21A5 Main mov ebx, esp ; EBX=00391FF0
014D21A7 Main add ebx, 0x4 ; EBX=00391FF4
014D21AD Main add ebx, 0x4 ; EBX=00391FF8
014D21B3 Main push ebx ; ESP=00391FEC
//mov ebx, [esp+0x4]
014D21B4 Main push dword ptr [esp+0x4] ; ESP=00391FE8
014D21B8 Main pop ebx ; EBX=411D51F8, ESP=00391FEC
//把push dword ptr [edi+0x5DC]前的esp地址弹到栈顶
014D21B9 Main pop dword ptr [esp] ; ESP=00391FF0
//平衡堆栈
014D21BC Main pop esp ; ESP=00391FF8
014D21BD Main push eax ; ESP=00391FF4
014D21BE Main jmp 01472EB1
//这里实际上是mov ebx, 3
//mov ebx, 0x48155F8C
01472EB1 Main push 0x48155F8C ; ESP=00391FF0
01472EB6 Main pop ebx ; EBX=48155F8C, ESP=00391FF4
01472EB7 Main or ebx, 0x19E94E2D ; EBX=59FD5FAD
01472EBD Main jmp 014D87AE
014D87AE Main inc ebx ; EBX=59FD5FAE
014D87AF Main push eax ; ESP=00391FF0
014D87B0 Main mov eax, 0x59FD5FAD ; EAX=59FD5FAD
014D87B5 Main xor ebx, eax ; FL=P, EBX=00000003
014D87B7 Main pop eax ; EAX=00000008, ESP=00391FF4
//---------------------------------取pcode_data[3]进行操作----------------------------
014D87B8 Main mov eax, ebx ; EAX=00000003
014D87BA Main add eax, 0x57AC23B5 ; EAX=57AC23B8
014D87BF Main add eax, esi ; FL=0, EAX=586A4E08
014D87C1 Main sub eax, 0x57AC23B5 ; FL=P, EAX=00BE2A53
014D87C6 Main mov bl, byte ptr [eax] //bl = [esi+3],就是pcode_data[3]
014D87C8 Main pop eax ; EAX=00000008, ESP=00391FF8
014D87C9 Main push edx ; ESP=00391FF4
014D87CA Main jmp 01571649
//edx = esi
01571649 Main mov edx, 0x0 ; EDX=00000000
0157164E Main add edx, esi ; EDX=00BE2A50
01571650 Main push ebx ; ESP=00391FF0
01571651 Main jmp 01497E68
01497E68 Main mov ebx, 0x0 ; EBX=00000000
01497E6D Main add ebx, edx ; EBX=00BE2A50
01497E6F Main push edx ; ESP=00391FEC
01497E70 Main mov edx, 0x0 ; EDX=00000000
01497E75 Main sub edx, 0x1EC233F0 ; FL=CS, EDX=E13DCC10
01497E7B Main add edx, ebx ; FL=PS, EDX=E1FBF660
01497E7D Main add edx, 0x1EC233F0 ; FL=CP, EDX=00BE2A50
01497E83 Main mov al, byte ptr [edx] //al = [esi],就是pcode_data[0] ; EAX=00000012
01497E85 Main pop edx ; ESP=00391FF0
01497E86 Main mov ebx, dword ptr [esp] ; EBX=00000003
01497E89 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01497E8C Main pop edx ; EDX=4C4C133B, ESP=00391FF8
01497E8D Main push esi ; ESP=00391FF4
01497E8E Main jmp 01519F1D
01519F1D Main mov esi, esp ; ESI=00391FF4
01519F1F Main add esi, 0x4 ; ESI=00391FF8
01519F25 Main sub esi, 0x2 ; FL=P, ESI=00391FF6
01519F2B Main jmp 0146EF7E
0146EF7E Main xchg dword ptr [esp], esi ; ESI=00BE2A50
0146EF81 Main pop esp ; ESP=00391FF6
0146EF82 Main mov word ptr [esp], cx
//mov dh, 0x80
0146EF86 Main mov dh, 0x51 ; EDX=4C4C513B
0146EF88 Main shr dh, 0x2 ; EDX=4C4C143B
0146EF8B Main jpo 0154981E
0146EF91 Main inc dh ; FL=0, EDX=4C4C153B
0146EF93 Main xor dh, 0x91 ; FL=PS, EDX=4C4C843B
0146EF96 Main jpo 01568C1F
0146EF9C Main add dh, 0x57 ; EDX=4C4CDB3B
0146EF9F Main jge 0147CAF8
0146EFA5 Main sub dh, 0x5B ; FL=S, EDX=4C4C803B
0146EFA8 Main mov ch, dh ; ECX=00008005
0146EFAA Main sub dh, bl ; FL=PAO, EDX=4C4C7D3B
0146EFAC Main and al, ch //and [esi], 80,就是取pcode_data[0]的最高位 ; FL=PZ, EAX=00000000
0146EFAE Main mov cx, word ptr [esp] ; ECX=00000005
0146EFB2 Main add esp, 0x2 ; FL=0, ESP=00391FF8
0146EFB5 Main or al, al ; FL=PZ
0146EFB7 Main je 01571697 //如果0偏移的最高位为0就跳,1不跳,这里没走到不跳的地方,我们来看下不跳的代码
//不跳时执行的代码处理的是把key1清0,也就是说如果pcode_data的第一字节的最高位为1,就会把key1清0。本次je跳过去了,下面贴的是跳转目标01571697处的代码
01571697 Main push 0x4EE0 ; ESP=00391FF4
0157169C Main jmp 015349A0
015349A0 Main mov dword ptr [esp], ecx
015349A3 Main mov ch, 0x3 ; ECX=00000305
015349A5 Main and bl, ch //取bl的最低2位,就是pcode_data[3]的低2位, 这低2位是用于选择变换key1的方式
; FL=P
015349A7 Main jmp 014ACDDB
014ACDDB Main push dword ptr [esp] ; ESP=00391FF0
014ACDDE Main pop ecx ; ECX=00000005, ESP=00391FF4
014ACDDF Main push edi ; ESP=00391FF0
014ACDE0 Main mov edi, esp ; EDI=00391FF0
014ACDE2 Main add edi, 0x4 ; FL=0, EDI=00391FF4
014ACDE8 Main add edi, 0x4 ; EDI=00391FF8
014ACDEB Main xchg dword ptr [esp], edi ; EDI=003D0000
014ACDEE Main pop esp ; ESP=00391FF8
014ACDEF Main push ebx ; ESP=00391FF4
014ACDF0 Main jmp 01461F62
//mov eax, 0
01461F62 Main mov eax, 0x128E518D ; EAX=128E518D
01461F67 Main and eax, 0x333752B7 //eax的值 ; EAX=12065085
01461F6C Main mov ebp, 0x4F7F4548 ; EBP=4F7F4548
01461F71 Main jmp 015716A1
015716A1 Main add ebp, 0xEDF0D07 //ebp的值 ; EBP=5E5E524F
015716A7 Main add eax, ebp //eax的值 ; FL=PA, EAX=7064A2D4
015716A9 Main xor ebp, 0x291222DA ; FL=P, EBP=774C7095
015716AF Main sub eax, 0x7064A2D4 //eax的值 ; FL=PZ, EAX=00000000
015716B4 Main mov ebx, eax ; EBX=00000000
015716B6 Main sub eax, esi ; FL=CS, EAX=FF41D5B0
015716B8 Main sub eax, 0x7A326E20 ; FL=PS, EAX=850F6790
015716BD Main add ebx, esi //ebx = pcode_data[0] ; FL=P, EBX=00BE2A50
015716BF Main push ecx ; ESP=00391FF0
015716C0 Main mov ecx, 0x0 ; ECX=00000000
015716C5 Main add ecx, ebx //ecx = pcode_data[0] ; ECX=00BE2A50
015716C7 Main mov al, byte ptr [ecx] ; EAX=850F6712
015716C9 Main mov ecx, dword ptr [esp] ; ECX=00000005
015716CC Main add esp, 0x4 ; FL=0, ESP=00391FF4
015716CF Main pop ebx ; EBX=00000003, ESP=00391FF8
//bl就是pcode_data[3]的低2位。其实这4个key和流密码差不多,每次使用后都会变换,pcode_data[3]的低2位表示变换方式,这里是3
015716D0 Main or bl, bl ; FL=P
015716D2 Main jnz 015716DE
015716DE Main cmp bl, 0x1 ; FL=0
015716E1 Main jnz 0145A2E5
0145A2E5 Main cmp bl, 0x2
0145A2E8 Main jnz 015716F1
015716F1 Main sub byte ptr [edi+0x490], al //将key1 - pcode_data[0],然后放回到key1 ; FL=S
015716F7 Main jmp 0155D986
0155D986 Main mov eax, 0x191F333C ; EAX=191F333C
0155D98B Main jmp 0148123C
0148123C Main shr eax, 0x7 ; FL=P, EAX=00323E66
0148123F Main je 01560BBC
01481245 Main sub eax, 0x6BED066D ; FL=CPAS, EAX=944537F9
0148124A Main jmp 014E8E19
014E8E19 Main jge 0155E4E6
014E8E1F Main sub eax, 0x823EFA25 ; FL=P, EAX=12063DD4
014E8E24 Main mov ebp, eax ; EBP=12063DD4
014E8E26 Main sub eax, esp ; FL=A, EAX=11CD1DDC
014E8E28 Main not ebp ; EBP=EDF9C22B
014E8E2A Main add ebp, 0x2266A3D3 ; FL=C, EBP=106065FE
014E8E30 Main mov eax, ebp ; EAX=106065FE
014E8E32 Main add ebp, eax ; FL=PA, EBP=20C0CBFC
014E8E34 Main add eax, -0x1 ; FL=CA, EAX=106065FD
014E8E37 Main not eax ; EAX=EF9F9A02
014E8E39 Main mov ebx, 0x3FA877A8 ; EBX=3FA877A8
014E8E3E Main shl ebx, 0x8 ; FL=CPAS, EBX=A877A800
014E8E41 Main inc ebx ; FL=CS, EBX=A877A801
014E8E42 Main add ebx, 0x6EA2F395 ; FL=CP, EBX=171A9B96
014E8E48 Main add eax, ebx ; FL=C, EAX=06BA3598
014E8E4A Main add ebx, ebx ; FL=0, EBX=2E35372C
014E8E4C Main xor ebx, 0x3A9B38F7 ; FL=P, EBX=14AE0FDB
014E8E52 Main mov ebx, eax ; EBX=06BA3598
014E8E54 Main push 0x413A ; ESP=00391FF4
014E8E59 Main jmp 014ACEA9
014ACEA9 Main mov dword ptr [esp], edx
014ACEAC Main mov edx, 0x3 ; EDX=00000003
014ACEB1 Main sub edx, 0x38804317 ; FL=CAS, EDX=C77FBCEC
014ACEB7 Main jmp 0148E7C4
0148E7C4 Main sub edx, 0x17537633 ; FL=S, EDX=B02C46B9
0148E7CA Main add edx, esi ; FL=PS, EDX=B0EA7109
0148E7CC Main add edx, 0x17537633 ; EDX=C83DE73C
0148E7D2 Main add edx, 0x38804317 //edx = pcode_data[3]地址 ; FL=CPA, EDX=00BE2A53
0148E7D8 Main push dword ptr [edx] ; ESP=00391FF0
0148E7DA Main add dword ptr [esp], 0x212B4E82 ; FL=S
0148E7E1 Main pop eax ; EAX=E273D885, ESP=00391FF4
0148E7E2 Main sub eax, 0x212B4E82 //eax = pcode_data[3] ; FL=PS, EAX=C1488A03
0148E7E7 Main pop edx ; EDX=4C4C7D3B, ESP=00391FF8
0148E7E8 Main push edx ; ESP=00391FF4
0148E7E9 Main jmp 015716FC
015716FC Main mov ebx, 0x37575E15 ; EBX=37575E15
01571701 Main shr ebx, 0x8 ; FL=0, EBX=0037575E
01571704 Main and ebx, 0x13170AC3 ; FL=P, EBX=00170242
0157170A Main jmp 0149086B
0149086B Main push eax ; ESP=00391FF0
0149086C Main mov eax, 0x43612E84 ; EAX=43612E84
01490871 Main xor ebx, eax ; EBX=43762CC6
01490873 Main mov eax, dword ptr [esp] ; EAX=C1488A03
01490876 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01490879 Main neg ebx ; FL=CPAS, EBX=BC89D33A
0149087B Main xor ebx, 0x3AC842EB ; FL=PS, EBX=864191D1
01490881 Main xor ebx, 0x864191CD ; FL=0, EBX=0000001C
01490887 Main mov edx, ebx //edx = 1C ; EDX=0000001C
01490889 Main sub ebx, ebp ; FL=CS, EBX=DF3F3420
0149088B Main sub ebx, esi ; FL=S, EBX=DE8109D0
0149088D Main and eax, edx //eax & 1C = 0,取的是pcode_data[3](b7-b0)的b4-b2这3位,这3位决定VM_eax~VM_edi这8个寄
存器是否以及如何轮转,这种轮转完全是为了干扰调试。这里为0,表示这句handle不轮转。
0149088F Main mov edx, dword ptr [esp] ; EDX=4C4C7D3B
01490892 Main add esp, 0x4 ; FL=0, ESP=00391FF8
01490898 Main shr eax, 0x2 ; FL=PZ
0149089B Main jmp 01484B33
01484B33 Main shl eax, 0x3
01484B36 Main jmp 0156912A
0156912A Main or eax, eax
0156912C Main jmp 014B2F31
014B2F31 Main je 0146630A //比较这3位的值,看是不是为0,这里为0,跳了,如果不为0,那么就不跳,会根据这3位的值,对
VMContext中的eax-edi 8个寄存器进行轮转,因为里面太复杂了,就不贴出代码了
0146630A Main push esi ; ESP=00391FF4
0146630B Main jmp 0157181E
0157181E Main mov esi, esp ; ESI=00391FF4
01571820 Main add esi, 0x4 ; FL=0, ESI=00391FF8
01571826 Main push eax ; ESP=00391FF0
01571827 Main jmp 0150E258
0150E258 Main mov eax, 0x4 ; EAX=00000004
0150E25D Main sub esi, eax ; ESI=00391FF4
0150E25F Main pop eax ; EAX=00000000, ESP=00391FF4
0150E260 Main xchg dword ptr [esp], esi ; ESI=00BE2A50
0150E263 Main pop esp
0150E264 Main mov dword ptr [esp], esi
0150E267 Main mov eax, dword ptr [esp] ; EAX=00BE2A50
0150E26A Main add esp, 0x4 ; ESP=00391FF8
0150E26D Main push eax ; ESP=00391FF4
0150E26E Main jmp 01485D10
//---------------------------------取pcode_data[9]~pcode_data[C]进行操作----------------------------
//这里取pcode_data[9]~pcode_data[C]的值,通过下面的分析可以知道,这个数是一个操作数,先称为old操作数。
01485D10 Main mov eax, 0x9 ; EAX=00000009
01485D15 Main sub eax, 0x4D1D77A8 ; FL=CS, EAX=B2E28861
01485D1A Main mov edx, 0x28D36CB3 ; EDX=28D36CB3
01485D1F Main jmp 0149DFCA
0149DFCA Main xor edx, 0x48740002 ; FL=P, EDX=60A76CB1
0149DFD0 Main add eax, edx ; FL=CP, EAX=1389F512
0149DFD2 Main xor edx, 0x38095DF0 ; FL=P, EDX=58AE3141
0149DFD8 Main add eax, esi ; FL=0, EAX=14481F62
0149DFDA Main push esi ; ESP=00391FF0
0149DFDB Main mov esi, 0x60A76CB1 ; ESI=60A76CB1
0149DFE0 Main sub eax, esi ; FL=CPS, EAX=B3A0B2B1
0149DFE2 Main pop esi ; ESP=00391FF4, ESI=00BE2A50
0149DFE3 Main add eax, 0x4D1D77A8 ; FL=CP, EAX=00BE2A59
0149DFE8 Main mov ecx, dword ptr [eax] //ecx = pcode_data[9]~pcode_data[C] ; ECX=00221200
0149DFEA Main pop eax ; EAX=00BE2A50, ESP=00391FF8
0149DFEB Main push ecx ; ESP=00391FF4
0149DFEC Main jmp 0145621B
0145621B Main mov ecx, 0x490 ; ECX=00000490
01456220 Main add ecx, edi //ecx = key1地址 ; FL=P, ECX=003D0490
01456222 Main push edx ; ESP=00391FF0
01456223 Main jmp 014CF1CB
014CF1CB Main mov ebp, 0x61A08A8 ; EBP=061A08A8
014CF1D0 Main shr ebp, 0x5 ; FL=0, EBP=0030D045
014CF1D3 Main not ebp ; EBP=FFCF2FBA
014CF1D5 Main dec ebp ; FL=S, EBP=FFCF2FB9
014CF1D6 Main je 0155DE54
014CF1DC Main sub ebp, 0xFFCF2FB9 ; FL=PZ, EBP=00000000
014CF1E2 Main push ebp ; ESP=00391FEC
014CF1E3 Main pop edx ; EDX=00000000, ESP=00391FF0
014CF1E4 Main push ecx ; ESP=00391FEC
014CF1E5 Main mov ecx, 0x74906796 ; ECX=74906796
014CF1EA Main xor ebp, ecx ; FL=P, EBP=74906796
014CF1EC Main pop ecx ; ECX=003D0490, ESP=00391FF0
014CF1ED Main add ebp, 0x489C3565 ; FL=SO, EBP=BD2C9CFB
014CF1F3 Main add edx, ecx //这里转了一圈后 edx还是key1的地址 ; FL=P, EDX=003D0490
014CF1F5 Main mov al, byte ptr [edx] //al = key1 ; EAX=00BE2AE0
014CF1F7 Main pop edx ; EDX=58AE3141, ESP=00391FF4
014CF1F8 Main pop ecx ; ECX=00221200, ESP=00391FF8
014CF1F9 Main push ebp ; ESP=00391FF4
014CF1FA Main jmp 0150DD01
//这里计算一个循环次数值,最后放到edx里,这个循环次数值用来解码old操作数,因为old操作数总为4字节,所以这个edx = 4
0150DD01 Main mov ebp, 0x28920E14 ; EBP=28920E14
0150DD06 Main mov ebx, ebp ; EBX=28920E14
0150DD08 Main pop ebp ; ESP=00391FF8, EBP=BD2C9CFB
0150DD09 Main jmp 01462A1A
01462A1A Main xor ebx, 0x36B179A4 ; FL=0, EBX=1E2377B0
01462A20 Main mov ebp, 0x7B0B69B2 ; EBP=7B0B69B2
01462A25 Main add ebp, 0x66D11EA2 ; FL=SO, EBP=E1DC8854
01462A2B Main add ebx, ebp ; FL=C, EBX=00000004
01462A2D Main push ebx ; ESP=00391FF4
01462A2E Main pop edx ; EDX=00000004, ESP=00391FF8
01462A2F Main mov ebp, 0x10BB5A20 ; EBP=10BB5A20
01462A34 Main jmp 014EE092
014EE092 Main or ebp, 0x39226A7A ; FL=0, EBP=39BB7A7A
014EE098 Main jle 0159F9F1
014EE09E Main shr ebp, 0x4 ; FL=C, EBP=039BB7A7
014EE0A1 Main jmp 014874D7
014874D7 Main jpo 014FEA98
014FEA98 Main shr ebp, 0x4 ; FL=0, EBP=0039BB7A
014FEA9B Main xor ebp, 0x39BBFA ; EBP=00000080
014FEAA1 Main mov ebx, ebp ; EBX=00000080
014FEAA3 Main push eax ; ESP=00391FF4
014FEAA4 Main push ecx ; ESP=00391FF0
014FEAA5 Main mov ecx, 0x21D15DB0 ; ECX=21D15DB0
014FEAAA Main push edx ; ESP=00391FEC
014FEAAB Main mov edx, 0x58F47652 ; EDX=58F47652
014FEAB0 Main mov eax, edx ; EAX=58F47652
014FEAB2 Main pop edx ; EDX=00000004, ESP=00391FF0
014FEAB3 Main sub eax, ecx ; EAX=372318A2
014FEAB5 Main pop ecx ; ECX=00221200, ESP=00391FF4
014FEAB6 Main sub eax, 0x10D032C2 ; EAX=2652E5E0
014FEABB Main sub eax, 0xF3E0866E ; FL=CPA, EAX=32725F72
014FEAC0 Main add ebp, eax ; FL=0, EBP=32725FF2
014FEAC2 Main mov eax, dword ptr [esp] ; EAX=00BE2AE0
014FEAC5 Main add esp, 0x4 ; ESP=00391FF8
014FEACB Main xor ebp, esp ; FL=P, EBP=324B400A
014FEACD Main jmp 0145B225
//这里开始解码old操作数
0145B225 Main or edx, edx //比较edx是否为0,不为0就解码,edx初始值就是上面说的4 ; FL=0
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 //解码通用语句,一般是ror r32, 4这样 ; ECX=00022120
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl //bl是80,比较key1和80 ; FL=P
014CD839 Main jbe 014D2C58 //根据比较结果的不同,把ror后的数据和key1进行计算,不同的比较结果,运算方式不同。
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl //cl - 93 ; FL=CPASO, ECX=0002218D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00021F8D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0002218D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl //cl - 93 - 39 ; FL=O, ECX=00022154
01472F0B Main pop edx ; EDX=00000004, ESP=00391FF8
01472F0C Main add cl, al //cl - 93 - 39 + al ; FL=C, ECX=00022134
01472F0E Main add cl, 0x39 //cl - 93 + al ; FL=0, ECX=0002216D
01472F11 Main add cl, 0x93 //cl + al ; FL=CPAZ, ECX=00022100
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CS, EDX=DFCEA002
015173A0 Main add edx, ebx //dec edx ; FL=CAS, EDX=DFCEA001
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CP, EDX=00000003
0145B20F Main mov ebx, dword ptr [esp] ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr [esp], ecx ; ECX=00022100
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx //比较edx是否为0,不为0继续解码 ; FL=P
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; ECX=00002210
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPA, ECX=0000227D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00001F7D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0000227D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; ECX=00002244
01472F0B Main pop edx ; EDX=00000003, ESP=00391FF8
01472F0C Main add cl, al ; FL=CP, ECX=00002224
01472F0E Main add cl, 0x39 ; FL=0, ECX=0000225D
01472F11 Main add cl, 0x93 ; FL=PAS, ECX=000022F0
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CS, EDX=DFCEA001
015173A0 Main add edx, ebx ; FL=CPAS, EDX=DFCEA000
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=C, EDX=00000002
0145B20F Main mov ebx, dword ptr [esp] ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr [esp], ecx ; ECX=000022F0
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; ECX=0000022F
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl ; FL=P
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPSO, ECX=0000029C
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=00001F9C
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=0000029C, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; FL=PO, ECX=00000263
01472F0B Main pop edx ; EDX=00000002, ESP=00391FF8
01472F0C Main add cl, al ; FL=C, ECX=00000243
01472F0E Main add cl, 0x39 ; FL=0, ECX=0000027C
01472F11 Main add cl, 0x93 ; FL=CP, ECX=0000020F
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CPS, EDX=DFCEA000
015173A0 Main add edx, ebx ; EDX=DFCE9FFF
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CA, EDX=00000001
0145B20F Main mov ebx, dword ptr [esp] ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr [esp], ecx ; ECX=0000020F
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx
0145B227 Main jnz 0157182C
0157182C Main ror ecx, 0x4 ; FL=C, ECX=F0000020
0157182F Main jmp 014CD837
014CD837 Main cmp al, bl ; FL=P
014CD839 Main jbe 014D2C58
014CD83F Main push ebx ; ESP=00391FF4
014CD840 Main jmp 014652CE
014652CE Main mov bl, 0x93 ; EBX=00000093
014652D0 Main sub cl, bl ; FL=CPASO, ECX=F000008D
014652D2 Main pop ebx ; EBX=00000080, ESP=00391FF8
014652D3 Main jmp 01472EFB
01472EFB Main push edx ; ESP=00391FF4
01472EFC Main mov dl, 0xEC ; EDX=000000EC
01472EFE Main push cx ; ESP=00391FF2
01472F00 Main mov ch, 0x1F ; ECX=F0001F8D
01472F02 Main or dl, ch ; FL=PS, EDX=000000FF
01472F04 Main pop cx ; ECX=F000008D, ESP=00391FF4
01472F06 Main xor dl, 0xC6 ; FL=P, EDX=00000039
01472F09 Main sub cl, dl ; FL=O, ECX=F0000054
01472F0B Main pop edx ; EDX=00000001, ESP=00391FF8
01472F0C Main add cl, al ; FL=C, ECX=F0000034
01472F0E Main add cl, 0x39 ; FL=0, ECX=F000006D
01472F11 Main add cl, 0x93 ; FL=CPAZ, ECX=F0000000
01472F14 Main jmp 0149B2B1
0149B2B1 Main push ebx ; ESP=00391FF4
0149B2B2 Main jmp 01517395
01517395 Main mov ebx, -0x1 ; EBX=FFFFFFFF
0151739A Main sub edx, 0x20316002 ; FL=CPAS, EDX=DFCE9FFF
015173A0 Main add edx, ebx ; FL=CAS, EDX=DFCE9FFE
015173A2 Main jmp 0145B209
0145B209 Main add edx, 0x20316002 ; FL=CPAZ, EDX=00000000
0145B20F Main mov ebx, dword ptr [esp] ; EBX=00000080
0145B212 Main push ecx ; ESP=00391FF0
0145B213 Main mov ecx, esp ; ECX=00391FF0
0145B215 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0145B21B Main add ecx, 0x4 ; ECX=00391FF8
0145B221 Main xchg dword ptr [esp], ecx ; ECX=F0000000
0145B224 Main pop esp ; ESP=00391FF8
0145B225 Main or edx, edx ; FL=PZ
0145B227 Main jnz 0157182C
解码old操作数这里结束,我们来写个伪代码,大致如下:
for(int i = 0; i < 4; i++)
{
OldArgument = ror(OldArgument, 4); // 循环右移4位(ror ecx, 4),不是简单的>>4
if(key1 > 80) // 对应cmp al, bl: al=key1, bl=80(十六进制)
{
OldArgument的最低字节 += key1; // 对应add cl, al: 只改动最低字节,前后的-93/-39/+39/+93互相抵消
}
else
{
另外的处理 // jbe 014D2C58分支,本次trace没有走到
}
}
0145B22D Main push ecx //把处理出来的old操作数压栈,等下要用 ; ESP=00391FF4
0145B22E Main pushfd ; ESP=00391FF0
0145B22F Main jmp 0153B57B
0153B57B Main add ecx, 0x74EB33D5 ; FL=C, ECX=64EB33D5
0153B581 Main jmp 015368A8
015368A8 Main sub ecx, 0x38C000EF ; FL=A, ECX=2C2B32E6
015368AE Main add ecx, edx ; FL=0
015368B0 Main push esi ; ESP=00391FEC
015368B1 Main jmp 01558DF9
01558DF9 Main push 0x7FC458E6 ; ESP=00391FE8
01558DFE Main pop ebp ; ESP=00391FEC, EBP=7FC458E6
01558DFF Main sub ebp, 0x19920765 ; FL=P, EBP=66325181
01558E05 Main jbe 0159F9F9
01558E0B Main shl ebp, 0x2 ; FL=CS, EBP=98C94604
01558E0E Main jnz 014B7CD3
014B7CD3 Main or ebp, 0x6D1070DC ; FL=S, EBP=FDD976DC
014B7CD9 Main jbe 014EDA56
014B7CDF Main sub ebp, 0xC51975ED ; FL=A, EBP=38C000EF
014B7CE5 Main mov esi, ebp ; ESI=38C000EF
014B7CE7 Main add ebp, edi ; FL=0, EBP=38FD00EF
014B7CE9 Main xor ebp, 0x62E836CA ; EBP=5A153625
014B7CEF Main add ebp, 0x3AE9787C ; FL=ASO, EBP=94FEAEA1
014B7CF5 Main add ecx, esi ; FL=A, ECX=64EB33D5
014B7CF7 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B7CF8 Main mov eax, 0x7C415628 ; EAX=7C415628
014B7CFD Main shl eax, 0x7 ; FL=PA, EAX=20AB1400
014B7D00 Main and eax, 0x128B417B ; FL=P, EAX=008B0000
014B7D05 Main and eax, 0x34BB64C6
014B7D0A Main inc eax ; FL=0, EAX=008B0001
014B7D0B Main sub eax, 0x8B9FCC2C ; FL=CA, EAX=74EB33D5
014B7D10 Main sub ecx, eax ; FL=CPS, ECX=F0000000
014B7D12 Main sub eax, ecx ; FL=CSO, EAX=84EB33D5
014B7D14 Main add eax, edi ; FL=S, EAX=852833D5
014B7D16 Main popfd ; FL=PZ, ESP=00391FF4
014B7D17 Main jmp 01567F5F
//---------------------------------取pcode_data[8]进行操作----------------------------
//这里取pcode_data[8]
01567F5F Main push dword ptr [esi+0x8] ; ESP=00391FF0
01567F62 Main jmp 014DBDF7
014DBDF7 Main add dword ptr [esp], 0x4C95063B ; FL=A
014DBDFE Main mov eax, dword ptr [esp] ; EAX=6EA70646
014DBE01 Main add esp, 0x4 ; FL=0, ESP=00391FF4
014DBE04 Main jmp 0156A749
0156A749 Main mov edx, 0x4D23602E ; EDX=4D23602E
0156A74E Main inc edx ; EDX=4D23602F
0156A74F Main sub edx, 0xDA73156 ; EDX=3F7C2ED9
0156A755 Main or edx, 0x2FC00ED9 ; EDX=3FFC2ED9
0156A75B Main add edx, 0xC98D762 ; EDX=4C95063B
0156A761 Main add eax, 0x2B5F5882 ; FL=SO, EAX=9A065EC8
0156A766 Main sub eax, 0x4B873E36 ; FL=O, EAX=4E7F2092
0156A76B Main sub eax, edx ; FL=A, EAX=01EA1A57
0156A76D Main add eax, 0x4B873E36 ; FL=P, EAX=4D71588D
0156A772 Main sub eax, 0x2B5F5882 //al = pcode_data[8] = 0B ; FL=0, EAX=2212000B
0156A777 Main mov ebx, 0x77C648BA ; EBX=77C648BA
0156A77C Main jmp 014D050A
014D050A Main mov edx, ebx ; EDX=77C648BA
014D050C Main push edx ; ESP=00391FF0
014D050D Main not dword ptr [esp]
014D0510 Main jmp 014E5CA2
014E5CA2 Main mov edx, dword ptr [esp] ; EDX=8839B745
014E5CA5 Main add esp, 0x4 ; ESP=00391FF4
014E5CA8 Main mov ecx, 0x614E297A ; ECX=614E297A
014E5CAD Main not ecx ; ECX=9EB1D685
014E5CAF Main shr ecx, 0x8 ; FL=C, ECX=009EB1D6
014E5CB2 Main add ecx, 0x126E558D ; FL=PA, ECX=130D0763
014E5CB8 Main neg ecx ; FL=CAS, ECX=ECF2F89D
014E5CBA Main neg ecx ; FL=CPA, ECX=130D0763
014E5CBC Main add ecx, 0x752CAEE3 ; FL=SO, ECX=8839B646
014E5CC2 Main sub edx, ecx //edx = 000000FF ; FL=PA, EDX=000000FF
014E5CC4 Main sub ecx, ecx ; FL=PZ, ECX=00000000
014E5CC6 Main sub ecx, ecx
014E5CC8 Main and eax, edx //只取al,就是pcode_data[8] ; FL=0, EAX=0000000B
014E5CCA Main add edx, esp ; FL=PA, EDX=003920F3
014E5CCC Main push 0x6802 ; ESP=00391FF0
014E5CD1 Main jmp 01571834
01571834 Main mov dword ptr [esp], edi
01571837 Main push esp ; ESP=00391FEC
01571838 Main pop edi ; ESP=00391FF0, EDI=00391FF0
01571839 Main jmp 0146C912
0146C912 Main add edi, 0x4 ; FL=0, EDI=00391FF4
0146C918 Main sub edi, 0x4 ; FL=P, EDI=00391FF0
0146C91E Main xchg dword ptr [esp], edi ; EDI=003D0000
0146C921 Main pop esp
0146C922 Main mov dword ptr [esp], edx
0146C925 Main mov edx, 0x0 ; EDX=00000000
0146C92A Main add edx, esi ; EDX=00BE2A50
0146C92C Main mov ebx, dword ptr [edx] //ebx = pcode_data[0] ; EBX=03E01112
0146C92E Main pop edx ; EDX=003920F3, ESP=00391FF4
0146C92F Main push 0x5D2E ; ESP=00391FF0
0146C934 Main jmp 0149BD04
0149BD04 Main mov dword ptr [esp], ebp
0149BD07 Main mov ebp, 0x80 ; EBP=00000080
0149BD0C Main and ebx, ebp //还是取pcode_data[0]的最高位,这里为0,表示不清key4 ; FL=PZ,
EBX=00000000
0149BD0E Main jmp 0157183E
0157183E Main push dword ptr [esp] ; ESP=00391FEC
01571841 Main mov ebp, dword ptr [esp] ; EBP=94FEAEA1
01571844 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01571847 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0157184D Main or ebx, ebx ; FL=PZ
0157184F Main je 014E36DF //这里如果不跳,就清key4了
014E36DF Main mov edx, eax ; EDX=0000000B
014E36E1 Main jmp 0155A078
0155A078 Main mov ebp, edx ; EBP=0000000B
0155A07A Main mov ebx, ebp //把pcode_data[8]的复制一份放到ebx ; EBX=0000000B
0155A07C Main push eax ; ESP=00391FF0
0155A07D Main jmp 014AC932
014AC932 Main mov eax, ebx
014AC934 Main mov ecx, eax ; ECX=0000000B
014AC936 Main pop eax ; ESP=00391FF4
014AC937 Main mov ebx, ecx
014AC939 Main push ebx ; ESP=00391FF0
014AC93A Main jmp 014FB24F
//这里取得第4个key的地址,最后放在ebx里
014FB24F Main mov ebx, 0x37C ; EBX=0000037C
014FB254 Main add ebx, 0x3BE81E78 ; FL=A, EBX=3BE821F4
014FB25A Main push ebp ; ESP=00391FEC
014FB25B Main jmp 01528CE1
01528CE1 Main mov ebp, 0x78C33BB4 ; EBP=78C33BB4
01528CE6 Main sub ebx, ebp ; FL=CS, EBX=C324E640
01528CE8 Main pop ebp ; ESP=00391FF0, EBP=0000000B
01528CE9 Main add ebx, edi ; FL=S, EBX=C361E640
01528CEB Main add ebx, 0x78C33BB4 ; FL=C, EBX=3C2521F4
01528CF1 Main sub ebx, 0x3BE81E78 ; FL=A, EBX=003D037C
//这里用key4去解码pcode_data[8]
01528CF7 Main xor eax, dword ptr [ebx] //pcode_data[8] ^ key4 ; FL=P, EAX=000000FC
01528CF9 Main mov ebx, dword ptr [esp] ; EBX=0000000B
01528CFC Main add esp, 0x4 ; FL=0, ESP=00391FF4
01528CFF Main sub esp, 0x4 ; FL=P, ESP=00391FF0
01528D05 Main jmp 014BD0E5
014BD0E5 Main mov dword ptr [esp], edx
014BD0E8 Main push 0x60F96A9E ; ESP=00391FEC
014BD0ED Main pop ecx ; ECX=60F96A9E, ESP=00391FF0
014BD0EE Main jmp 01510172
01510172 Main add ecx, 0x43D5088F ; FL=PASO, ECX=A4CE732D
01510178 Main or ecx, 0x6116193D ; FL=S, ECX=E5DE7B3D
0151017E Main jpo 0147A231
0147A231 Main inc ecx ; ECX=E5DE7B3E
0147A232 Main xor ecx, 0xE5DE7B20 ; FL=P, ECX=0000001E
0147A238 Main mov ebp, ecx ; EBP=0000001E
0147A23A Main xor ecx, 0x177C2857 ; FL=0, ECX=177C2849
0147A240 Main xor ecx, 0x2E716D2B ; ECX=390D4562
0147A246 Main add ecx, esp ; ECX=39466552
0147A248 Main push ebp ; ESP=00391FEC
0147A249 Main xor dword ptr [esp], 0x1D7735D0
0147A250 Main pop edx ; EDX=1D7735CE, ESP=00391FF0
0147A251 Main xor edx, 0x1D7735D0 ; FL=P, EDX=0000001E
0147A257 Main xor eax, edx //pcode_data[8] ^ key4 ^ 1E(随机常量) ; EAX=000000E2
0147A259 Main pop edx ; EDX=0000000B, ESP=00391FF4
0147A25A Main mov edx, 0x3D402ADF ; EDX=3D402ADF
0147A25F Main jmp 01488EB7
01488EB7 Main push ebx ; ESP=00391FF0
01488EB8 Main mov ebp, 0x64270829 ; EBP=64270829
01488EBD Main xor ebp, 0x5DCF2978 ; FL=0, EBP=39E82151
01488EC3 Main jmp 01464DB8
01464DB8 Main jnz 015618C9
015618C9 Main neg ebp ; FL=CPAS, EBP=C617DEAF
015618CB Main jg 0155AF0D
015618D1 Main shl ebp, 0x7 ; FL=CA, EBP=0BEF5780
015618D4 Main jpe 0155E36A
015618DA Main dec ebp ; EBP=0BEF577F
015618DB Main jnz 01502678
01502678 Main shl ebp, 0x4 ; FL=PAS, EBP=BEF577F0
0150267B Main xor ebp, 0xE79F30DD ; FL=P, EBP=596A472D
01502681 Main mov ebx, ebp ; EBX=596A472D
01502683 Main xor edx, ebx ; FL=0, EDX=642A6DF2
01502685 Main pop ebx ; EBX=0000000B, ESP=00391FF4
01502686 Main xchg edx, ecx ; ECX=642A6DF2, EDX=39466552
01502688 Main dec ecx ; ECX=642A6DF1
01502689 Main xchg edx, ecx ; ECX=39466552, EDX=642A6DF1
0150268B Main sub edx, 0xC444047 ; FL=PA, EDX=57E62DAA
01502691 Main sub edx, 0x5CB93797 ; FL=CS, EDX=FB2CF613
01502697 Main push ebp ; ESP=00391FF0
01502698 Main mov ebp, 0xFB2CF6C9 ; EBP=FB2CF6C9
0150269D Main xor edx, ebp ; FL=0, EDX=000000DA
0150269F Main pop ebp ; ESP=00391FF4, EBP=596A472D
015026A0 Main sub eax, edx //(pcode_data[8] ^ key4 ^ 1E(随机常量)) - DA(随机常量) ; FL=A,
EAX=00000008
015026A2 Main mov ebp, 0x483464A7 ; EBP=483464A7
015026A7 Main jmp 014A60C5
014A60C5 Main xchg eax, ebp ; EAX=483464A7, EBP=00000008
014A60C6 Main push edi ; ESP=00391FF0
014A60C7 Main mov edi, 0x1 ; EDI=00000001
014A60CC Main jmp 01497C0E
01497C0E Main add eax, 0x2AE63E84 ; FL=P, EAX=731AA32B
01497C13 Main add eax, edi ; FL=0, EAX=731AA32C
01497C15 Main sub eax, 0x2AE63E84 ; EAX=483464A8
01497C1A Main pop edi ; ESP=00391FF4, EDI=003D0000
01497C1B Main xchg eax, ebp ; EAX=00000008, EBP=483464A8
01497C1C Main dec ebp ; EBP=483464A7
01497C1D Main xor ebp, 0x48346458 ; FL=P, EBP=000000FF
01497C23 Main and ebx, ebp ; FL=0
01497C25 Main sub ebp, eax ; EBP=000000F7
01497C27 Main xor ebp, ebp ; FL=PZ, EBP=00000000
01497C29 Main push edx ; ESP=00391FF0
01497C2A Main jmp 014E62FD
014E62FD Main mov edx, 0x37C //这里取key4的地址 ; EDX=0000037C
014E6302 Main add edx, edi ; FL=0, EDX=003D037C
014E6304 Main push ecx ; ESP=00391FEC
014E6305 Main jmp 01481869
01481869 Main mov ecx, 0x0 ; ECX=00000000
0148186E Main add ecx, edx ; ECX=003D037C
01481870 Main push eax //计算后的值保存在栈里 ; ESP=00391FE8
01481871 Main mov eax, 0x0 ; EAX=00000000
01481876 Main add eax, ecx ; EAX=003D037C
01481878 Main push ecx ; ESP=00391FE4
01481879 Main mov ecx, 0x0 ; ECX=00000000
0148187E Main add ecx, eax ; ECX=003D037C
01481880 Main xor dword ptr [ecx], ebx //ebx就是复制的pcode_data[8] ; FL=P
所以这段解码大致是这样(1E和DA都是这条handle里的随机常量):
A = pcode_data[8] ^ key4
B = A ^ 1E
C = B - DA    // C就是解码后的值
key4 = key4 ^ pcode_data[8]   // 用原始的pcode_data[8]更新key4
01481882 Main pop ecx ; ESP=00391FE8
01481883 Main pop eax //eax = pcode_data[8]解出来的值,其实这个值是用来查找下一条HANDLE用的第一个字节opcode1
; EAX=00000008, ESP=00391FEC
01481884 Main pop ecx ; ECX=39466552, ESP=00391FF0
01481885 Main mov edx, dword ptr [esp] ; EDX=000000DA
01481888 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0148188E Main push 0x657B4405 ; ESP=00391FF0
01481893 Main jmp 0149C39C
0149C39C Main pop ecx ; ECX=657B4405, ESP=00391FF4
0149C39D Main push edi ; ESP=00391FF0
0149C39E Main mov edi, 0x15D454A4 ; EDI=15D454A4
0149C3A3 Main jmp 01478A89
01478A89 Main xor ecx, edi ; ECX=70AF10A1
01478A8B Main pop edi ; ESP=00391FF4, EDI=003D0000
01478A8C Main push 0x2E43 ; ESP=00391FF0
01478A91 Main mov dword ptr [esp], ecx
01478A94 Main pop edx ; EDX=70AF10A1, ESP=00391FF4
01478A95 Main xor edx, 0x70AF105E ; FL=P, EDX=000000FF
01478A9B Main and eax, edx ; FL=0
01478A9D Main xor edx, edi ; FL=P, EDX=003D00FF
01478A9F Main mov edx, eax ; EDX=00000008
01478AA1 Main jmp 014FFBF3
014FFBF3 Main push edx ; ESP=00391FF0
014FFBF4 Main push 0x7BDE ; ESP=00391FEC
014FFBF9 Main mov dword ptr [esp], eax
014FFBFC Main jmp 01501FBF
01501FBF Main mov eax, 0x609948EE ; EAX=609948EE
01501FC4 Main add dword ptr [esp+0x4], 0x133C6C77 ; FL=0
01501FCC Main sub dword ptr [esp+0x4], eax ; FL=CS
01501FD0 Main sub dword ptr [esp+0x4], 0x133C6C77 ; FL=AS
01501FD8 Main pop eax ; EAX=00000008, ESP=00391FF0
01501FD9 Main pop dword ptr [edi+0x47C] ; ESP=00391FF4
01501FDF Main add dword ptr [edi+0x47C], 0x609948EE //VMContext.47C里存放这个数据 ; FL=CA
//取pcode_data[0]
01501FE9 Main push dword ptr [esi] ; ESP=00391FF0
01501FEB Main jmp 014A1569
014A1569 Main mov eax, dword ptr [esp] ; EAX=03E01112
014A156C Main push esi ; ESP=00391FEC
014A156D Main mov esi, esp ; ESI=00391FEC
014A156F Main jmp 01554D48
01554D48 Main add esi, 0x4 ; FL=PA, ESI=00391FF0
01554D4E Main mov ecx, 0xC862B03 ; ECX=0C862B03
01554D53 Main sub ecx, 0x3E4E06A9 ; FL=CPAS, ECX=CE38245A
01554D59 Main and ecx, 0x19937837 ; FL=P, ECX=08102012
01554D5F Main and ecx, 0x71903D18 ; FL=0, ECX=00102010
01554D65 Main xor ecx, 0x102014 ; ECX=00000004
01554D6B Main add esi, ecx ; ESI=00391FF4
01554D6D Main sub ecx, 0x736C6E59 ; FL=CAS, ECX=8C9391AB
01554D73 Main xor esi, dword ptr [esp] ; FL=0, ESI=008735A4
01554D76 Main xor dword ptr [esp], esi
01554D79 Main xor esi, dword ptr [esp] ; FL=P, ESI=00BE2A50
01554D7C Main pop esp ; ESP=00391FF4
01554D7D Main sub esp, 0x4 ; ESP=00391FF0
01554D80 Main jmp 0150E10C
0150E10C Main mov dword ptr [esp], edi
0150E10F Main push 0x80 ; ESP=00391FEC
0150E114 Main mov edi, dword ptr [esp] ; EDI=00000080
0150E117 Main jmp 01481EC1
01481EC1 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01481EC7 Main and eax, edi ; FL=PZ, EAX=00000000
01481EC9 Main mov edi, dword ptr [esp] ; EDI=003D0000
01481ECC Main add esp, 0x4 ; FL=0, ESP=00391FF4
01481ED2 Main or eax, eax ; FL=PZ
01481ED4 Main je 01571873 //还是比较pcode_data[0]的最高位
//---------------------------------取pcode_data[1]进行操作----------------------------
//取pcode_data[1]
01571873 Main push dword ptr [esi+0x1] ; ESP=00391FF0
01571876 Main jmp 0153CE0D
0153CE0D Main push ecx ; ESP=00391FEC
0153CE0E Main mov ecx, 0x67A93007 ; ECX=67A93007
0153CE13 Main add dword ptr [esp+0x4], ecx ; FL=PS
0153CE17 Main jmp 01545F61
01545F61 Main pop ecx ; ECX=8C9391AB, ESP=00391FF0
01545F62 Main pop ecx ; ECX=F1AD1018, ESP=00391FF4
01545F63 Main mov ebx, 0x6B1D0675 ; EBX=6B1D0675
01545F68 Main inc ebx ; FL=0, EBX=6B1D0676
01545F69 Main inc ebx ; FL=P, EBX=6B1D0677
01545F6A Main jg 01559A70
01559A70 Main or ebx, 0x2D31358 ; FL=0, EBX=6BDF177F
01559A76 Main neg ebx ; FL=CPAS, EBX=9420E881
01559A78 Main jbe 0157187B
0157187B Main and ebx, 0x4DEA61E7 ; FL=P, EBX=04206081
01571881 Main jg 0147571D
0147571D Main add ebx, 0x6947E82E ; EBX=6D6848AF
01475723 Main xor ebx, 0x10BB01EE ; EBX=7DD34941
01475729 Main shr ebx, 1 ; FL=CP, EBX=3EE9A4A0
0147572B Main sub ebx, -0x1 ; FL=CA, EBX=3EE9A4A1
0147572E Main xor ebx, 0x594094A6 ; FL=0, EBX=67A93007
01475734 Main sub ecx, ebx //ecx = pcode_data[1] ; FL=PS, ECX=8A03E011
01475736 Main xor ebx, ebp ; FL=0
01475738 Main push ebp ; ESP=00391FF0
01475739 Main jmp 015081A8
015081A8 Main mov ebp, 0x348A31C8 ; EBP=348A31C8
015081AD Main push esi ; ESP=00391FEC
015081AE Main mov esi, 0x6481383C ; ESI=6481383C
015081B3 Main jmp 014B6CD5
014B6CD5 Main xor ebp, esi ; EBP=500B09F4
014B6CD7 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B6CD8 Main or ebp, 0x6C9338A2 ; FL=P, EBP=7C9B39F6
014B6CDE Main jl 01497773
014B6CE4 Main push edx ; ESP=00391FEC
014B6CE5 Main mov edx, 0x634E2DEC ; EDX=634E2DEC
014B6CEA Main mov ebx, edx ; EBX=634E2DEC
014B6CEC Main pop edx ; EDX=00000008, ESP=00391FF0
014B6CED Main and ebx, 0x680680B ; FL=0, EBX=02002808
014B6CF3 Main dec ebx ; EBX=02002807
014B6CF4 Main dec ebx ; FL=P, EBX=02002806
014B6CF5 Main and ebx, 0x58516E62 ; FL=0, EBX=00002802
014B6CFB Main add ebx, 0xF0280B ; EBX=00F0500D
014B6D01 Main sub ebx, 0x84551704 ; FL=CP, EBX=7C9B3909
014B6D07 Main xor ebp, ebx ; FL=P, EBP=000000FF
014B6D09 Main and ecx, ebp //与上000000FF,取的是pcode_data[1]一个字节 ; ECX=00000011
014B6D0B Main pop ebp ; ESP=00391FF4, EBP=00000000
014B6D0C Main mov ebp, ecx ; EBP=00000011
014B6D0E Main jmp 01480A1D
01480A1D Main mov edx, ebp //同上,保存一份到 edx ; EDX=00000011
01480A1F Main push edx ; ESP=00391FF0
01480A20 Main push eax ; ESP=00391FEC
01480A21 Main jmp 0151FFEC
0151FFEC Main mov eax, 0x40421CAC ; EAX=40421CAC
0151FFF1 Main add dword ptr [esp+0x4], eax
0151FFF5 Main mov eax, dword ptr [esp] ; EAX=00000000
0151FFF8 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
0151FFFE Main pop eax ; EAX=40421CBD, ESP=00391FF4
0151FFFF Main sub eax, 0x40421CAC //复制一份到eax ; FL=P, EAX=00000011
01520004 Main push edx ; ESP=00391FF0
01520005 Main jmp 014DCA02
014DCA02 Main mov edx, 0x544 //544是偏移 ; EDX=00000544
014DCA07 Main push esi ; ESP=00391FEC
014DCA08 Main mov esi, 0x559A78E6 ; ESI=559A78E6
014DCA0D Main jmp 01533E5F
01533E5F Main sub edx, esi ; FL=CAS, EDX=AA658C5E
01533E61 Main mov esi, dword ptr [esp] ; ESI=00BE2A50
01533E64 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
01533E6A Main add edx, edi ; FL=S, EDX=AAA28C5E
01533E6C Main push ecx ; ESP=00391FEC
01533E6D Main mov ecx, 0x559A78E6 ; ECX=559A78E6
01533E72 Main add edx, ecx //edx = VMContext.544,这个是key2 ; FL=CPA, EDX=003D0544
01533E74 Main pop ecx ; ECX=00000011, ESP=00391FF0
01533E75 Main xor cl, byte ptr [edx] //跟上面的解码一样,先pcode_data[1] ^ key2 ; FL=0, ECX=0000001A
01533E77 Main pop edx ; EDX=00000011, ESP=00391FF4
01533E78 Main mov dl, 0x91 ; EDX=00000091
01533E7A Main jmp 014700FF
014700FF Main neg dl ; FL=CPA, EDX=0000006F
01470101 Main jbe 01470B12
01470B12 Main add dl, 0x51 ; FL=PASO, EDX=000000C0
01470B15 Main jmp 014B2924
014B2924 Main mov bh, 0x14 ; EBX=7C9B1409
014B2926 Main or bh, 0xE1 ; FL=PS, EBX=7C9BF509
014B2929 Main neg bh ; FL=CA, EBX=7C9B0B09
014B292B Main add bh, 0x14 ; FL=0, EBX=7C9B1F09
014B292E Main add dl, bh ; FL=S, EDX=000000DF
014B2930 Main sub bh, 0x8D ; FL=CSO, EBX=7C9B9209
014B2933 Main add bh, 0x15 ; FL=S, EBX=7C9BA709
014B2936 Main or dl, 0xF2 ; FL=PS, EDX=000000FF
014B2939 Main mov bh, 0x23 ; EBX=7C9B2309
014B293B Main xor bh, 0x56 ; FL=0, EBX=7C9B7509
014B293E Main xor dl, bh ; FL=S, EDX=0000008A
014B2940 Main xor bh, cl ; FL=P, EBX=7C9B6F09
014B2942 Main push ecx ; ESP=00391FF0
014B2943 Main mov ch, 0xBD ; ECX=0000BD1A
014B2945 Main neg ch ; FL=CA, ECX=0000431A
014B2947 Main sub ch, 0xF5 ; FL=CPA, ECX=00004E1A
014B294A Main xor bh, ch ; FL=P, EBX=7C9B2109
014B294C Main pop ecx ; ECX=0000001A, ESP=00391FF4
014B294D Main xor cl, dl //pcode_data[1] ^ key2 ^ 8A ; FL=PS, ECX=00000090
014B294F Main sub dl, 0x4E ; FL=PAO, EDX=0000003C
014B2952 Main push 0x325 ; ESP=00391FF2
014B2956 Main jmp 014F7A27
014F7A27 Main mov word ptr [esp], bx
014F7A2B Main mov dl, 0x4F ; EDX=0000004F
014F7A2D Main mov bl, 0x42 ; EBX=7C9B2142
014F7A2F Main jmp 01571892
01571892 Main xor bl, dl ; FL=0, EBX=7C9B210D
01571894 Main sub dl, 0xDC ; FL=C, EDX=00000073
01571897 Main xor dl, 0xEB ; FL=S, EDX=00000098
先合并下面五条指令里的常量:+C7 - B2 - 0D(bl,由上面 42^4F 算出) + B2 - C7 = -0D,所以净效果就是 cl = pcode_data[1] ^ key2 ^ 8A - 0D(90 - 0D = 83,与 trace 一致)
0157189A Main add cl, 0xC7 ; FL=CO, ECX=00000057
0157189D Main sub cl, 0xB2 ; FL=CPSO, ECX=000000A5
015718A0 Main sub cl, bl ; FL=AS, ECX=00000098
015718A2 Main add cl, 0xB2 ; FL=CO, ECX=0000004A
015718A5 Main sub cl, 0xC7 ; FL=CSO, ECX=00000083
015718A8 Main pop bx ; EBX=7C9B2109, ESP=00391FF4
015718AA Main push ecx //解码后的值压栈 ; ESP=00391FF0
015718AB Main jmp 014EC534
014EC534 Main push 0x544 ; ESP=00391FEC
014EC539 Main mov ecx, dword ptr [esp] ; ECX=00000544
014EC53C Main add esp, 0x4 ; FL=PA, ESP=00391FF0
014EC53F Main jmp 014C7EF3
014C7EF3 Main add ecx, edi ; FL=P, ECX=003D0544
014C7EF5 Main push edx ; ESP=00391FEC
014C7EF6 Main mov edx, 0x0 ; EDX=00000000
014C7EFB Main add edx, ecx ; EDX=003D0544
014C7EFD Main xor dword ptr [edx], eax //key2 = key2 ^ pcode_data[1] ; FL=0
这段解码大致如下(全部按单字节运算):
A = pcode_data[1] ^ key2
B = A ^ 8A
C = B - 0D C就是解码后的值
key2 = key2 ^ pcode_data[1] (用的是原始字节 0x11,不是解码后的值)
注意 key2 每解码一个字节就被该字节更新一次,所以解码是有状态的:要静态还原 pcode 流,必须按实际执行顺序跟踪 key2 的演化,不能孤立地解某一条 pcode。
014C7EFF Main pop edx ; EDX=00000098, ESP=00391FF0
014C7F00 Main mov ecx, dword ptr [esp] //ecx = pcode_data[1]解码后的值 ; ECX=00000083
014C7F03 Main add esp, 0x4 ; ESP=00391FF4
014C7F06 Main test ecx, 0x80
014C7F0C Main je 0155CB02 //ecx 的 bit7 为 0 就跳。这里 ecx=83,bit7 为 1,不跳。bit7 是偏移的方向位:
//本次 trace 走的是不跳的分支,最后用 sub 把算出的偏移从当前 pcode_data 地址里减掉,
//即下一条 pcode_data 在当前这条的前面;bit7 为 0 时走 je 分支,推断应是相加,但本 trace 未覆盖该分支
014C7F12 Main push esi ; ESP=00391FF0
014C7F13 Main jmp 01525056
01525056 Main push ecx ; ESP=00391FEC
01525057 Main mov edx, -0x81 ; EDX=FFFFFF7F
0152505C Main mov ecx, edx ; ECX=FFFFFF7F
0152505E Main jmp 014B931C
014B931C Main mov esi, ecx ; ESI=FFFFFF7F
014B931E Main pop ecx ; ECX=00000083, ESP=00391FF0
014B931F Main and ecx, esi //cl & 7F,就是去掉最高位 ; FL=P, ECX=00000003
014B9321 Main push dword ptr [esp] ; ESP=00391FEC
014B9324 Main pop esi ; ESP=00391FF0, ESI=00BE2A50
014B9325 Main add esp, 0x4 ; FL=0, ESP=00391FF4
014B9328 Main imul ecx, ecx, 0xF //这里才是最后的pcode_data的偏移,下一条的pcode_data的地址 = 本条pcode_data地址 +
(-) 这里计算出的ecx ; ECX=0000002D
014B932B Main jmp 014732D6
014732D6 Main sub dword ptr [edi+0x5DC], ecx //当前的pcode_data地址 - 偏移,指向下一条pcode_data的地址 ; FL=A
014732DC Main jmp 0152BD8B
0152BD8B Main jmp 014D1FBB
014D1FBB Main pushfd ; ESP=00391FF0
014D1FBC Main jmp 0148B6F2
0148B6F2 Main sub esp, 0x4 ; ESP=00391FEC
0148B6F8 Main jmp 015385A0
015385A0 Main mov dword ptr [esp], eax
015385A3 Main push 0x3E5C243E ; ESP=00391FE8
015385A8 Main pop ebx ; EBX=3E5C243E, ESP=00391FEC
015385A9 Main jmp 0156480B
0156480B Main inc ebx ; FL=P, EBX=3E5C243F
0156480C Main jle 0155CBCF
01564812 Main shr ebx, 0x5 ; FL=CP, EBX=01F2E121
01564815 Main jnz 01503EE9
01503EE9 Main or ebx, 0x17D6437F ; FL=0, EBX=17F6E37F
01503EEF Main ja 015718B0
015718B0 Main mov ebp, 0x534E7778 ; EBP=534E7778
015718B5 Main sub ebp, 0x6B455AF8 ; FL=CS, EBP=E8091C80
015718BB Main add ebx, ebp ; FL=PS, EBX=FFFFFFFF
015718BD Main mov eax, ebx ; EAX=FFFFFFFF
015718BF Main xor ebx, 0xAF75C3A ; EBX=F508A3C5
015718C5 Main sub ebx, 0x794B7CA5 ; FL=O, EBX=7BBD2720
015718CB Main xor ebx, ebp ; FL=PS, EBX=93B43BA0
015718CD Main add ecx, eax ; FL=CA, ECX=0000002C
015718CF Main pop eax ; EAX=00000011, ESP=00391FF0
015718D0 Main popfd ; FL=A, ESP=00391FF4
015718D1 Main jmp 014AE750
//---------------------------------取pcode_data[6]进行操作----------------------------
//这里取pcode_data[6]
014AE750 Main push dword ptr [esi+0x6] ; ESP=00391FF0
014AE753 Main jmp 01466496
01466496 Main push dword ptr [esp] ; ESP=00391FEC
01466499 Main mov eax, dword ptr [esp] //eax = pcode_data[6] ; EAX=000B81C1
0146649C Main push ecx ; ESP=00391FE8
0146649D Main jmp 0147C674
0147C674 Main mov ecx, esp ; ECX=00391FE8
0147C676 Main add ecx, 0x4 ; FL=0, ECX=00391FEC
0147C67C Main add ecx, 0x4 ; FL=PA, ECX=00391FF0
0147C682 Main xchg dword ptr [esp], ecx ; ECX=0000002C
0147C685 Main pop esp ; ESP=00391FF0
0147C686 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0147C68C Main mov ecx, 0x576C6244 ; ECX=576C6244
0147C691 Main jmp 0150D9A4
0150D9A4 Main add ecx, 0x23C90025 ; FL=P, ECX=7B356269
0150D9AA Main ja 01480AE3
01480AE3 Main and ecx, 0x7E023A4D ; FL=0, ECX=7A002249
01480AE9 Main jmp 01478839
01478839 Main je 01507096
0147883F Main xor ecx, 0x55E24870 ; FL=P, ECX=2FE26A39
01478845 Main xor ecx, 0x626B33A1 ; FL=0, ECX=4D895998
0147884B Main shl ecx, 0x8 ; FL=CPS, ECX=89599800
0147884E Main mov edx, 0x558824B6 ; EDX=558824B6
01478853 Main push eax ; ESP=00391FF0
01478854 Main mov eax, 0x52DC50AB ; EAX=52DC50AB
01478859 Main and edx, eax ; FL=0, EDX=508800A2
0147885B Main pop eax ; EAX=000B81C1, ESP=00391FF4
0147885C Main or edx, 0x2D621ECE ; FL=P, EDX=7DEA1EEE
01478862 Main neg edx ; FL=CPAS, EDX=8215E112
01478864 Main shl edx, 0x6 ; FL=AS, EDX=85784480
01478867 Main push eax ; ESP=00391FF0
01478868 Main mov eax, 0xD531610 ; EAX=0D531610
0147886D Main sub edx, eax ; FL=O, EDX=78252E70
0147886F Main pop eax ; EAX=000B81C1, ESP=00391FF4
01478870 Main sub edx, 0x43190215 ; FL=A, EDX=350C2C5B
01478876 Main sub ecx, edx ; FL=PAO, ECX=544D6BA5
01478878 Main sub edx, 0x367E7C8B ; FL=CS, EDX=FE8DAFD0
0147887E Main xor edx, 0x341B7A94 ; FL=PS, EDX=CA96D544
01478884 Main and ecx, 0x5C436DDF ; FL=0, ECX=54416985
0147888A Main xor ecx, 0x5441697A ; FL=P, ECX=000000FF
01478890 Main and eax, ecx //eax & FF,取的也是pcode_data[6]的BYTE,不是DWORD ; FL=0, EAX=000000C1
01478892 Main add ecx, 0x28F04712 ; FL=PA, ECX=28F04811
01478898 Main xor ecx, ebp ; FL=S, ECX=C0F95491
0147889A Main jmp 01492527
01492527 Main push 0x277B ; ESP=00391FF0
0149252C Main jmp 0156A082
0156A082 Main mov dword ptr [esp], ecx
0156A085 Main push 0x0 ; ESP=00391FEC
0156A08A Main pop ecx ; ECX=00000000, ESP=00391FF0
0156A08B Main jmp 01474D3A
01474D3A Main add ecx, esi //ecx = esi + 0,即 pcode_data[0] 的地址 ; FL=P, ECX=00BE2A50
01474D3C Main push dword ptr [ecx] ; ESP=00391FEC
01474D3E Main add dword ptr [esp], 0x48361D44
01474D45 Main pop ebx ; EBX=4C162E56, ESP=00391FF0
01474D46 Main sub ebx, 0x48361D44 //bl = pcode_data[0] ; EBX=03E01112
01474D4C Main mov ecx, dword ptr [esp] ; ECX=C0F95491
01474D4F Main add esp, 0x4 ; FL=0, ESP=00391FF4
01474D55 Main mov ecx, 0x404B68E8 ; ECX=404B68E8
01474D5A Main jmp 0149D4BB
0149D4BB Main push 0x0 ; ESP=00391FF0
0149D4C0 Main sub dword ptr [esp], ecx ; FL=CPAS
0149D4C3 Main mov ecx, dword ptr [esp] ; ECX=BFB49718
0149D4C6 Main jmp 01532D14
01532D14 Main add esp, 0x4 ; FL=0, ESP=00391FF4
01532D17 Main add ecx, 0x404B6968 ; FL=CA, ECX=00000080
01532D1D Main and ebx, ecx //bl = pcode_data[0] & 80 ; FL=PZ, EBX=00000000
01532D1F Main xor ecx, edi ; FL=0, ECX=003D0080
01532D21 Main mov edx, 0x1FA3457B ; EDX=1FA3457B
01532D26 Main xor edx, 0x5FDF5EA6 ; FL=P, EDX=407C1BDD
01532D2C Main push ebx ; ESP=00391FF0
01532D2D Main mov ebx, 0x246565CA ; EBX=246565CA
01532D32 Main xor edx, ebx ; EDX=64197E17
01532D34 Main pop ebx ; EBX=00000000, ESP=00391FF4
01532D35 Main add edx, 0xB27BD839 ; FL=CPA, EDX=16955650
01532D3B Main xor ecx, edx ; FL=0, ECX=16A856D0
01532D3D Main xor edx, ebx ; FL=P
01532D3F Main or ebx, ebx //还是比较pcode_data[0]的最高位,如果为1,则清key3(该分支本次 trace 未执行,此说法未经验证) ; FL=PZ
01532D41 Main je 01520D20
01520D20 Main push eax ; ESP=00391FF0
01520D21 Main jmp 014D7BE7
014D7BE7 Main mov eax, esp ; EAX=00391FF0
014D7BE9 Main add eax, 0x4 ; FL=0, EAX=00391FF4
014D7BEE Main sub eax, 0x4 ; FL=P, EAX=00391FF0
014D7BF1 Main jmp 01540610
01540610 Main xchg dword ptr [esp], eax ; EAX=000000C1
01540613 Main pop esp
01540614 Main mov dword ptr [esp], eax
01540617 Main push dword ptr [esp] ; ESP=00391FEC
0154061A Main pop ebx //bl = pcode_data[6] ; EBX=000000C1, ESP=00391FF0
0154061B Main add esp, 0x4 ; FL=0, ESP=00391FF4
01540621 Main push ebx ; ESP=00391FF0
01540622 Main jmp 0148CE2C
0148CE2C Main mov ebp, 0x434 ; EBP=00000434
0148CE31 Main mov ebx, ebp ; EBX=00000434
0148CE33 Main add ebx, edi //ebx = key3的地址 ; EBX=003D0434
0148CE35 Main jmp 014AFA5C
014AFA5C Main push ecx ; ESP=00391FEC
014AFA5D Main mov ecx, 0x0 ; ECX=00000000
014AFA62 Main sub ecx, 0x6438662E ; FL=CPAS, ECX=9BC799D2
014AFA68 Main add ecx, ebx ; FL=PS, ECX=9C049E06
014AFA6A Main push edi ; ESP=00391FE8
014AFA6B Main mov edi, 0x6438662E ; EDI=6438662E
014AFA70 Main add ecx, edi //ecx = key3的地址 ; FL=CA, ECX=003D0434
014AFA72 Main pop edi ; ESP=00391FEC, EDI=003D0000
014AFA73 Main xor eax, dword ptr [ecx] //pcode_data[6] ^ key3 ; FL=P, EAX=000000D8
014AFA75 Main pop ecx ; ECX=16A856D0, ESP=00391FF0
014AFA76 Main pop ebx ; EBX=000000C1, ESP=00391FF4
014AFA77 Main mov ecx, 0x3FDB1679 ; ECX=3FDB1679
014AFA7C Main jmp 014C1C72
014C1C72 Main shr ecx, 0x4 ; FL=C, ECX=03FDB167
014C1C75 Main xor ecx, 0x106878EE ; FL=0, ECX=1395C989
014C1C7B Main je 014BC52F
014C1C81 Main jmp 015718D6
015718D6 Main sub ecx, 0x1 ; FL=P, ECX=1395C988
015718D9 Main push ecx ; ESP=00391FF0
015718DA Main not dword ptr [esp]
015718DD Main pop ecx ; ECX=EC6A3677, ESP=00391FF4
015718DE Main sub ecx, 0xDA7307C0 ; ECX=11F72EB7
015718E4 Main inc ecx ; ECX=11F72EB8
015718E5 Main push eax ; ESP=00391FF0
015718E6 Main mov eax, 0x11F72E55 ; EAX=11F72E55
015718EB Main sub ecx, eax ; ECX=00000063
015718ED Main pop eax ; EAX=000000D8, ESP=00391FF4
015718EE Main xor eax, ecx //pcode_data[6] ^ key3 ^ 63 ; EAX=000000BB
015718F0 Main push ecx ; ESP=00391FF0
015718F1 Main jmp 01461815
01461815 Main mov ecx, esp ; ECX=00391FF0
01461817 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0146181D Main sub ecx, 0x4 ; FL=P, ECX=00391FF0
01461820 Main jmp 01509520
01509520 Main xchg dword ptr [esp], ecx ; ECX=00000063
01509523 Main mov esp, dword ptr [esp]
01509526 Main mov dword ptr [esp], edx
01509529 Main mov edx, 0xB9 ; EDX=000000B9
0150952E Main add eax, 0x6DDA4D04 ; FL=0, EAX=6DDA4DBF
01509533 Main sub eax, edx //pcode_data[6] ^ key3 ^ 63 - B9,这里解出来的是解下一条handle地址的第2字节opcode2
; FL=P, EAX=6DDA4D06
01509535 Main sub eax, 0x6DDA4D04 ; FL=0, EAX=00000002
0150953A Main pop edx ; EDX=16955650, ESP=00391FF4
0150953B Main mov ecx, 0x33E50975 ; ECX=33E50975
01509540 Main jmp 014F692E
014F692E Main not ecx ; ECX=CC1AF68A
014F6930 Main shl ecx, 1 ; FL=CPS, ECX=9835ED14
014F6932 Main push ebx ; ESP=00391FF0
014F6933 Main jmp 014A96F7
014A96F7 Main mov ebx, 0x71505DB1 ; EBX=71505DB1
014A96FC Main or ecx, ebx ; FL=S, ECX=F975FDB5
014A96FE Main pop ebx ; EBX=000000C1, ESP=00391FF4
014A96FF Main mov edx, 0x39B004B3 ; EDX=39B004B3
014A9704 Main mov ebp, edx ; EBP=39B004B3
014A9706 Main shr ebp, 0x7 ; FL=P, EBP=00736009
014A9709 Main dec ebp ; FL=0, EBP=00736008
014A970A Main shr ebp, 0x4 ; FL=CP, EBP=00073600
014A970D Main push ebx ; ESP=00391FF0
014A970E Main mov ebx, 0xF48BEA04 ; EBX=F48BEA04
014A9713 Main sub ebp, ebx ; FL=CPA, EBP=0B7B4BFC
014A9715 Main pop ebx ; EBX=000000C1, ESP=00391FF4
014A9716 Main sub ecx, ebp ; FL=AS, ECX=EDFAB1B9
014A9718 Main xor ebp, ebp ; FL=PZ, EBP=00000000
014A971A Main add ecx, 0x12054F46 ; FL=CP, ECX=000000FF
014A9720 Main and ebx, ecx ; FL=0
014A9722 Main push ecx ; ESP=00391FF0
014A9723 Main jmp 01475C12
01475C12 Main push 0x17734891 ; ESP=00391FEC
01475C17 Main pop edx ; EDX=17734891, ESP=00391FF0
01475C18 Main shl edx, 0x5 ; FL=S, EDX=EE691220
01475C1B Main jmp 0156025A
0156025A Main xor edx, 0x4CA27827 ; EDX=A2CB6A07
01560260 Main sub edx, 0xA2CB65D3 ; FL=0, EDX=00000434
01560266 Main mov ecx, edx ; ECX=00000434
01560268 Main sub edx, 0x52CE3CC4 ; FL=CS, EDX=AD31C770
0156026E Main add edx, esi ; FL=PS, EDX=ADEFF1C0
01560270 Main sub ecx, 0x4E380BBB ; FL=CAS, ECX=B1C7F879
01560276 Main add ecx, edi ; FL=S, ECX=B204F879
01560278 Main push ecx ; ESP=00391FEC
01560279 Main push 0x1DEE2941 ; ESP=00391FE8
0156027E Main pop ecx ; ECX=1DEE2941, ESP=00391FEC
0156027F Main inc ecx ; FL=P, ECX=1DEE2942
01560280 Main jo 0153C21E
01560286 Main add ecx, 0x2C741736 ; ECX=4A624078
0156028C Main mov ebp, ecx ; EBP=4A624078
0156028E Main pop ecx ; ECX=B204F879, ESP=00391FF0
0156028F Main sub ebp, 0x2B9E1033 ; FL=0, EBP=1EC43045
01560295 Main neg ebp ; FL=CPAS, EBP=E13BCFBB
01560297 Main not ebp ; EBP=1EC43044
01560299 Main add ebp, 0x2F73DB77 ; FL=P, EBP=4E380BBB
0156029F Main add ecx, ebp ; FL=CA, ECX=003D0434
015602A1 Main xor dword ptr [ecx], ebx //key3 = key3 ^ pcode_data[6] ; FL=P
015602A3 Main pop ecx ; ECX=000000FF, ESP=00391FF4
015602A4 Main push 0x7175 ; ESP=00391FF0
015602A9 Main jmp 0155EE48
0155EE48 Main mov dword ptr [esp], ebp
0155EE4B Main mov ebp, 0xFF ; EBP=000000FF
0155EE50 Main and eax, ebp //opcode2 ; FL=0
0155EE52 Main jmp 0147F9EC
0147F9EC Main mov ebp, dword ptr [esp] ; EBP=4E380BBB
0147F9EF Main push ebx ; ESP=00391FEC
0147F9F0 Main push esp ; ESP=00391FE8
0147F9F1 Main pop ebx ; EBX=00391FEC, ESP=00391FEC
0147F9F2 Main add ebx, 0x4 ; FL=PA, EBX=00391FF0
0147F9F8 Main add ebx, 0x4 ; FL=0, EBX=00391FF4
0147F9FB Main xchg dword ptr [esp], ebx ; EBX=000000C1
0147F9FE Main pop esp ; ESP=00391FF4
0147F9FF Main push ebx ; ESP=00391FF0
0147FA00 Main jmp 014ABB08
014ABB08 Main mov ebx, 0x62C ; EBX=0000062C
014ABB0D Main add ebx, 0x1B6F1239 ; FL=PA, EBX=1B6F1865
014ABB13 Main add ebx, edi ; FL=P, EBX=1BAC1865
014ABB15 Main jmp 0149E952
0149E952 Main sub ebx, 0x1B6F1239 //ebx = VMContext.62C,这个地址放的是计算下一条handle地址用的opcode2 ;
FL=A, EBX=003D062C
0149E958 Main sub esp, 0x4 ; ESP=00391FEC
0149E95E Main mov dword ptr [esp], eax
0149E961 Main pop dword ptr [ebx] //跟上一句合在一起就mov [ebx], eax eax是opcode2的值,ebx是VMContext.62C
; ESP=00391FF0
这段的解码为(全部按单字节运算)
A = pcode_data[6] ^ key3
B = A ^ 63
C = B - B9 C就是解码后的值(即 opcode2,写入 VMContext.62C)
key3 = key3 ^ pcode_data[6] (同样用原始字节 0xC1 更新,key3 和 key2 一样是随 pcode 流滚动的)
0149E963 Main mov ebx, dword ptr [esp] ; EBX=000000C1
0149E966 Main add esp, 0x4 ; FL=0, ESP=00391FF4
0149E96C Main sub esp, 0x4 ; FL=P, ESP=00391FF0
0149E972 Main jmp 0152C0B5
0152C0B5 Main mov dword ptr [esp], esi
0152C0B8 Main push 0x8A4 ; ESP=00391FEC
0152C0BD Main mov dword ptr [esp], ebp
0152C0C0 Main jmp 0153BF0C
0153BF0C Main push 0x44165698 ; ESP=00391FE8
0153BF11 Main pop ebp ; ESP=00391FEC, EBP=44165698
0153BF12 Main and ebp, 0x5A0B2649 ; FL=0, EBP=40020608
0153BF18 Main xor ebp, 0x5C50505 ; EBP=45C7030D
0153BF1E Main mov esi, ebp ; ESI=45C7030D
0153BF20 Main pop ebp ; ESP=00391FF0, EBP=4E380BBB
0153BF21 Main and esi, 0x2F221151 ; ESI=05020101
0153BF27 Main jl 0159FA11
0153BF2D Main dec esi ; FL=P, ESI=05020100
0153BF2E Main jns 014A7D2D
014A7D2D Main add esi, 0x30923F57 ; FL=0, ESI=35944057
014A7D33 Main jnz 0154A196
0154A196 Main xor esi, 0x35944053 ; ESI=00000004
0154A19C Main mov dword ptr [edi+0x3AC], esi //VMContext.3AC是一个flag,这个具体flag有什么用,引用SM的一个表
b7 b6 b5 b4 b3 b2 b1 b0 (原表抽取时列错位了,按位整理如下:)
b7 ?
b6 FS 寻址内存时是否使用fs段
b5 EFlag 是否操作VM_Context.Eflag(比如模仿popf)
b4 ? 操作VM_Context.esp?
b3 Stack operand来自vm栈(由前面执行的handler压入)
b2~b1 OperandSize 0 -> 8位 1 -> 16位 2 -> 32位
b0 ByRef 是否将数据解释为地址(而不是立即值)
而这里是将这个flag预置为4,即 b2~b1 = 2,表示是一个32位的指令。
0154A1A2 Main pop esi ; ESP=00391FF4, ESI=00BE2A50
0154A1A3 Main push eax ; ESP=00391FF0
0154A1A4 Main jmp 0153C703
0153C703 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
0153C709 Main mov dword ptr [esp], edx
//---------------------------------取pcode_data[7]进行操作----------------------------
//计算出常量7
0153C70C Main push 0x7CF174E8 ; ESP=00391FE8
0153C711 Main jmp 015718F6
015718F6 Main pop edx ; EDX=7CF174E8, ESP=00391FEC
015718F7 Main add edx, 0x76BB5C01 ; FL=SO, EDX=F3ACD0E9
015718FD Main sub edx, 0xF3ACD0E2 ; FL=0, EDX=00000007
01571903 Main push edx ; ESP=00391FE8
01571904 Main pop eax ; EAX=00000007, ESP=00391FEC
01571905 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
01571906 Main add eax, esi //pcode_data[7]的地址 ; EAX=00BE2A57
01571908 Main push ecx ; ESP=00391FEC
01571909 Main mov ecx, 0x0 ; ECX=00000000
0157190E Main add ecx, eax ; ECX=00BE2A57
01571910 Main mov bl, byte ptr [ecx] //bl = pcode_data[7] ; EBX=00000081
01571912 Main pop ecx ; ECX=000000FF, ESP=00391FF0
01571913 Main pop eax ; EAX=00000002, ESP=00391FF4
01571914 Main push edx ; ESP=00391FF0
01571915 Main jmp 014FCE78
014FCE78 Main mov edx, 0x490 ; EDX=00000490
014FCE7D Main add edx, edi //edx = VMContext.490 = key1 ; FL=P, EDX=003D0490
014FCE7F Main xor bl, byte ptr [edx] //bl = pcode_data[7] ^ key1 ; FL=0, EBX=00000061
014FCE81 Main jmp 0146FF64
0146FF64 Main push dword ptr [esp] ; ESP=00391FEC
0146FF67 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
0146FF68 Main push ecx ; ESP=00391FEC
0146FF69 Main mov ecx, esp ; ECX=00391FEC
0146FF6B Main add ecx, 0x4 ; FL=PA, ECX=00391FF0
0146FF71 Main add ecx, 0x4 ; FL=0, ECX=00391FF4
0146FF74 Main xchg dword ptr [esp], ecx ; ECX=000000FF
0146FF77 Main mov esp, dword ptr [esp] ; ESP=00391FF4
0146FF7A Main push ecx ; ESP=00391FF0
0146FF7B Main jmp 014C680A
014C680A Main push ebx ; ESP=00391FEC
014C680B Main push edx ; ESP=00391FE8
014C680C Main mov dh, 0x5D ; EDX=ADEF5DC0
014C680E Main jmp 0153BA15
0153BA15 Main mov bh, 0x81 ; EBX=00008161
0153BA17 Main add bh, dh ; FL=PS, EBX=0000DE61
0153BA19 Main pop edx ; EDX=ADEFF1C0, ESP=00391FEC
0153BA1A Main inc bh ; FL=S, EBX=0000DF61
0153BA1C Main dec bh ; FL=PS, EBX=0000DE61
0153BA1E Main not bh ; EBX=00002161
0153BA20 Main sub bh, 0x3D ; FL=CPAS, EBX=0000E461
0153BA23 Main add bh, 0x5C ; FL=CA, EBX=00004061
0153BA26 Main mov cl, bh ; ECX=00000040
0153BA28 Main pop ebx ; EBX=00000061, ESP=00391FF0
0153BA29 Main inc cl ; FL=CP, ECX=00000041
0153BA2B Main shr cl, 0x8 ; FL=PZ, ECX=00000000
0153BA2E Main push edx ; ESP=00391FEC
0153BA2F Main push eax ; ESP=00391FE8
0153BA30 Main mov ah, 0x6D ; EAX=00006D02
0153BA32 Main and ah, 0x7E ; FL=P, EAX=00006C02
0153BA35 Main jl 01545D01
0153BA3B Main xor ah, 0x1B ; EAX=00007702
0153BA3E Main mov dh, ah ; EDX=ADEF77C0
0153BA40 Main pop eax ; EAX=00000002, ESP=00391FEC
0153BA41 Main inc dh ; EDX=ADEF78C0
0153BA43 Main sub dh, 0xBA ; FL=CPASO, EDX=ADEFBEC0
0153BA46 Main sub cl, dh ; FL=CPA, ECX=00000042
0153BA48 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF0
0153BA49 Main add bl, cl //bl = pcode_data[7] ^ key1 + 42 ; FL=PSO, EBX=000000A3
0153BA4B Main jmp 0157191A
0157191A Main pop ecx ; ECX=000000FF, ESP=00391FF4
0157191B Main jmp 01534031
01534031 Main push edx ; ESP=00391FF0
01534032 Main jmp 014CE1D0
014CE1D0 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
014CE1D6 Main mov dword ptr [esp], eax
014CE1D9 Main mov eax, 0x7E83699E ; EAX=7E83699E
014CE1DE Main jmp 0148BE5C
0148BE5C Main dec eax ; FL=0, EAX=7E83699D
0148BE5D Main jpo 01513BFE
01513BFE Main neg eax ; FL=CPAS, EAX=817C9663
01513C00 Main je 014AD8F0
01513C06 Main add eax, 0x413A29B4 ; FL=PS, EAX=C2B6C017
01513C0B Main xor eax, 0xC2B6C487 ; FL=P, EAX=00000490
01513C10 Main mov edx, eax ; EDX=00000490
01513C12 Main pop eax ; EAX=00000002, ESP=00391FF0
01513C13 Main add edx, 0x27C828C0 ; EDX=27C82D50
01513C19 Main sub edx, 0x2EA97FF1 ; FL=CPAS, EDX=F91EAD5F
01513C1F Main add edx, edi ; FL=PS, EDX=F95BAD5F
01513C21 Main add edx, 0x2EA97FF1 ; FL=CPA, EDX=28052D50
01513C27 Main sub edx, 0x27C828C0 ; FL=P, EDX=003D0490
01513C2D Main add bl, byte ptr [edx] //bl = (pcode_data[7] ^ key1) + 42 + key1,这个值我们暂时称为pcode_detail1,
后面的分支就是根据它来决定怎么取操作数的(原文此处缺了半句)。这个值在这里是83
01513C2F Main pop edx ; EDX=ADEFF1C0, ESP=00391FF4
01513C30 Main sub esp, 0x4 ; FL=P, ESP=00391FF0
01513C33 Main jmp 01523423
01523423 Main mov dword ptr [esp], edx
01523426 Main mov dh, bl //复制一份到dh ; EDX=ADEF83C0
01523428 Main sub esp, 0x4 ; FL=A, ESP=00391FEC
0152342E Main jmp 0148C79A
0148C79A Main mov dword ptr [esp], eax
0148C79D Main push ebx ; ESP=00391FE8
0148C79E Main mov bh, dh ; EBX=00008383
0148C7A0 Main mov ah, bh ; EAX=00008302
0148C7A2 Main pop ebx ; EBX=00000083, ESP=00391FEC
0148C7A3 Main mov cl, ah //复制到cl ; ECX=00000083
0148C7A5 Main pop eax ; EAX=00000002, ESP=00391FF0
0148C7A6 Main pop edx ; EDX=ADEFF1C0, ESP=00391FF4
0148C7A7 Main and cl, 0x80 //取pcode_detail1的最高位 ; FL=S, ECX=00000080
0148C7AA Main pushfd ; ESP=00391FF0
0148C7AB Main jmp 014EA53B
014EA53B Main push eax ; ESP=00391FEC
014EA53C Main jmp 014C2845
014C2845 Main mov al, 0xEC ; EAX=000000EC
014C2847 Main add al, 0xBB ; FL=CAS, EAX=000000A7
014C2849 Main add al, 0x6F ; FL=CA, EAX=00000016
014C284B Main jmp 01482CE9
01482CE9 Main sub al, 0xC0 ; FL=CP, EAX=00000056
01482CEB Main push ecx ; ESP=00391FE8
01482CEC Main push eax ; ESP=00391FE4
01482CED Main mov al, 0x5C ; EAX=0000005C
01482CEF Main push eax ; ESP=00391FE0
01482CF0 Main mov ah, 0xE7 ; EAX=0000E75C
01482CF2 Main sub ah, 0x15 ; FL=PS, EAX=0000D25C
01482CF5 Main jo 01471D39
01482CFB Main shr ah, 0x5 ; FL=CP, EAX=0000065C
01482CFE Main jns 0153A533
0153A533 Main dec ah ; EAX=0000055C
0153A535 Main js 01507551
0153A53B Main and ah, 0xE2 ; FL=PZ, EAX=0000005C
0153A53E Main jpo 014A3C76
0153A544 Main sub ah, 0x60 ; FL=CPS, EAX=0000A05C
0153A547 Main add ah, 0xB0 ; FL=CPO, EAX=0000505C
0153A54A Main mov cl, ah ; ECX=00000050
0153A54C Main pop eax ; EAX=0000005C, ESP=00391FE4
0153A54D Main sub cl, al ; FL=CAS, ECX=000000F4
0153A54F Main pop eax ; EAX=00000056, ESP=00391FE8
0153A550 Main or cl, 0x97 ; FL=S, ECX=000000F7
0153A553 Main neg cl ; FL=CPA, ECX=00000009
0153A555 Main inc cl ; FL=CP, ECX=0000000A
0153A557 Main push edx ; ESP=00391FE4
0153A558 Main mov dh, 0x6D ; EDX=ADEF6DC0
0153A55A Main jmp 01459FFB
01459FFB Main shl dh, 0x7 ; FL=S, EDX=ADEF80C0
01459FFE Main jmp 014F6BE3
014F6BE3 Main sub dh, 0xCC ; FL=CPAS, EDX=ADEFB4C0
014F6BE6 Main jmp 01546FE1
01546FE1 Main add dh, 0x7F ; FL=CPA, EDX=ADEF33C0
01546FE4 Main sub cl, dh ; FL=CPS, ECX=000000D7
01546FE6 Main pop edx ; EDX=ADEFF1C0, ESP=00391FE8
01546FE7 Main sub al, cl ; FL=CA, EAX=0000007F
01546FE9 Main pop ecx ; ECX=00000080, ESP=00391FEC
01546FEA Main and bl, al ; FL=P, EBX=00000003
01546FEC Main pop eax ; EAX=00000002, ESP=00391FF0
01546FED Main popfd ; FL=S, ESP=00391FF4
01546FEE Main jmp 01561DE4
01561DE4 Main push esi ; ESP=00391FF0
01561DE5 Main jmp 014F6DB3
014F6DB3 Main push esp ; ESP=00391FEC
014F6DB4 Main mov esi, dword ptr [esp] ; ESI=00391FF0
014F6DB7 Main add esp, 0x4 ; FL=PA, ESP=00391FF0
014F6DBA Main jmp 01455FB8
01455FB8 Main add esi, 0x4 ; FL=0, ESI=00391FF4
01455FBE Main sub esi, 0x4 ; FL=P, ESI=00391FF0
01455FC1 Main xor esi, dword ptr [esp] ; ESI=008735A0
01455FC4 Main xor dword ptr [esp], esi
01455FC7 Main xor esi, dword ptr [esp] ; ESI=00BE2A50
01455FCA Main pop esp
01455FCB Main mov dword ptr [esp], ebx
(此处省略了 01455FCB 到 01455FE0 之间的几条指令,它们检查几个标志,一般情况都用不到) ; FL=CPZ, EBX=00000000
01455FE0 Main test bl, 0x80 ; FL=PZ
01455FE3 Main je 01456002 //这里跳
01456002 Main cmp bl, 0x30 ; FL=CS
01456005 Main jnz 0154B28A //这里跳
0154B28A Main cmp bl, 0x50
0154B28D Main jnz 0154B29D //这里跳
0154B29D Main pop ebx //bl = pcode_detail1的低7位,这里是3 ; EBX=00000003, ESP=00391FF4
0154B29E Main or bl, bl ; FL=P
0154B2A0 Main jnz 014FDD99
014FDD99 Main cmp bl, 0x1 ; FL=0
014FDD9C Main jnz 014AC661
014AC661 Main cmp bl, 0x2
014AC664 Main je 014AC673
014AC66A Main cmp bl, 0x3 ; FL=PZ
014AC66D Main jnz 0146BBA2
//这里开始是3这个分支的变换方式,我们具体看一下
014AC673 Main or dword ptr [edi+0x3AC], 0x1 //将VMContext.3AC,就是flag的最低位置1,b0 ByRef是否将数据解释
为地址(而不是立即值) ; FL=P
014AC67A Main and dword ptr [edi+0x3AC], -0xD //-D = F3,将b2,b3清0 ; FL=0
014AC681 Main or dword ptr [edi+0x3AC], 0x4 //将b2置1 ; FL=P
014AC688 Main or cl, cl //还记得这个值吗,这个cl就是pcode_detail1的最高位 ; FL=S
014AC68A Main je 01486C0B //这个值这里为1,所以不跳
该值含义如下(摘自SM的文档):
这个位为1有特殊的含义,此时OldArgment代表以偏移量表示的某个地址
1。若F0000080h <= OldArgument <= F000008Ah,则减去F0000080h的结果
(0-A)代表从VM_Context.segCS开始计算的offset,即OldArgument实际代表
VM_Context内某个段寄存器地址。
01513A75 Main mov ecx, dword ptr [esp] ; ECX=003D04D0
01513A78 Main add esp, 0x4 ; ESP=00391FF4
01513A7E Main mov eax, dword ptr [esp] ; EAX=00000002
01513A81 Main add esp, 0x4 ; ESP=00391FF8
01513A84 Main push ebp ; ESP=00391FF4
01513A85 Main jmp 015719E0
015719E0 Main mov ecx, 0x7A2639B3 ; ECX=7A2639B3
015719E5 Main sub ecx, 0x25DAE967 ; FL=A, ECX=544B504C
015719EB Main push ecx ; ESP=00391FF0
015719EC Main jmp 014FEF27
014FEF27 Main xor dword ptr [esp], 0x446A44D5 ; FL=P
014FEF2E Main pop ebp ; ESP=00391FF4, EBP=10211499
014FEF2F Main xor ebp, 0x446A44D5 ; FL=0, EBP=544B504C
014FEF35 Main add ecx, ebx ; FL=A, ECX=544B5054
014FEF37 Main add esi, ebp ; FL=P, ESI=548650AC
014FEF39 Main pop ebp ; ESP=00391FF8, EBP=00000020
014FEF3A Main sub esi, 0x6ED91105 ; FL=CS, ESI=E5AD3FA7
014FEF40 Main add esi, ebx //esi = esi + ebx。注意此时 ebx = 8 而不是 opcode2 本身(2),按 trace 推断 8 = opcode2*4,即 4 字节表项的下标;换算过程以及 esi 被换成表基址(003B0060)的过程都在 014AC68A 到 01513A75 之间被省略的 trace 里 ; FL=PS, ESI=E5AD3FAF
014FEF42 Main add esi, 0x6ED91105 ; FL=CPA, ESI=548650B4
014FEF48 Main sub esi, 0x544B504C //这里取得的值为003B0068,我们查表得到015377C1,这个地址,就是下一条handle的地址
; FL=A, ESI=003B0068
014FEF4E Main push dword ptr [esi] ; ESP=00391FF4
014FEF50 Main jmp 0149276F
0149276F Main mov esi, dword ptr [esp] //esi为下一条handle的地址 ; ESI=015377C1
01492772 Main push edi ; ESP=00391FF0
01492773 Main mov edi, esp ; EDI=00391FF0
01492775 Main jmp 014F2534
014F2534 Main push ecx ; ESP=00391FEC
014F2535 Main mov ecx, 0x4 ; ECX=00000004
014F253A Main add edi, ecx ; FL=0, EDI=00391FF4
014F253C Main pop ecx ; ECX=544B5054, ESP=00391FF0
014F253D Main push ebx ; ESP=00391FEC
014F253E Main mov ebx, 0x4 ; EBX=00000004
014F2543 Main add edi, ebx ; EDI=00391FF8
014F2545 Main pop ebx ; EBX=00000008, ESP=00391FF0
014F2546 Main xchg dword ptr [esp], edi ; EDI=003D0000
014F2549 Main pop esp ; ESP=00391FF8
014F254A Main jmp esi //然后通过jmp esi进行衔接,跳到了下一句handle中
Run trace closed