【Target】: PESpin v1.1 main program
【Tools】: OllyDbg 1.1 (DIY build), LordPE, ImportREC 1.6F
【Task】: analyse the packer
【Platform】: WinXP SP2
【Author】: LOVEBOOM[DFCG][FCG][US]
【Links】: search the web yourself
【Summary】: This article is something of a gift for yock. A while ago I promised him I would look at this version of the packer, and I am sorry it has dragged on for so long. I had a look at it once before and found that this version is considerably stronger than the previous one: there is a lot more code to patch, and the packer has gained a very useful feature, an SDK. Protecting a program with the SDK makes it noticeably tougher, although the packer's PE-header code stripping feels like a feature of little real value.

【Details】: I went through PESpin v0.7 from start to finish, and I did the same with this version, mainly to see whether anything had improved. The result is rather disappointing: there is nothing new in the loader, and the packer still does nothing against OllyDbg. I wonder whether the author is deliberately going easy on us.
This is done in two steps: analysis, then unpacking. Step one: analysis. Load the target in OD and go through it slowly, savouring the details ^_^.

00412087 > /EB 01  JMP SHORT 0041208A ; EP
00412089 |90  NOP
0041208A \60  PUSHAD
0041208B  E8 00000000  CALL 00412090
00412090  8B1C24  MOV EBX,DWORD PTR SS:[ESP] ; SMC
00412093  83C3 12  ADD EBX,12
00412096  812B E8B10600  SUB DWORD PTR DS:[EBX],6B1E8
0041209C  FE4B FD  DEC BYTE PTR DS:[EBX-3]
0041209F  822C24 7D  SUB BYTE PTR SS:[ESP],7D
004120A3  DE46 00  FIADD WORD PTR DS:[ESI]
004120A6  0BE4  OR ESP,ESP
004120A8 ^ 74 9E  JE SHORT 00412048
……
004120F1  8B95 C34B4000  MOV EDX,DWORD PTR SS:[EBP+404BC3] ; [EBP+404BC3]=hModule(400000)
004120F7  8B42 3C  MOV EAX,DWORD PTR DS:[EDX+3C]
004120FA  03C2  ADD EAX,EDX
004120FC  8985 CD4B4000  MOV DWORD PTR SS:[EBP+404BCD],EAX ; [EBP+404BCD] holds the PE header (4000D0)
……
00412134  41  INC ECX
00412135  C1E1 07  SHL ECX,7
00412138  8B0C01  MOV ECX,DWORD PTR DS:[ECX+EAX] ; locate the import table RVA (12000)
0041213B  03CA  ADD ECX,EDX ; convert to VA
……
0041214E  8B59 10  MOV EBX,DWORD PTR DS:[ECX+10] ; locate OriginalFirstThunk
00412151  03DA  ADD EBX,EDX
00412153  8B1B  MOV EBX,DWORD PTR DS:[EBX] ; fetch the address of MessageBoxA
00412155  899D E14B4000  MOV DWORD PTR SS:[EBP+404BE1],EBX ; result stored at [EBP+404BE1]
0041215B  53  PUSH EBX
0041215C  8F85 D7494000  POP DWORD PTR SS:[EBP+4049D7] ; the address is also stored in [EBP+4049D7]
00412162  BB CC000000  MOV EBX,0CC
00412167  B9 FE110000  MOV ECX,11FE
0041216C  8DBD 714C4000  LEA EDI,DWORD PTR SS:[EBP+404C71]
00412172  4F  DEC EDI
……
0041217F  301C39  XOR BYTE PTR DS:[ECX+EDI],BL
00412182  FECB  DEC BL
00412184  49  DEC ECX
00412185  9C  PUSHFD
00412186  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041218A  F71424  NOT DWORD PTR SS:[ESP]
0041218D  832424 01  AND DWORD PTR SS:[ESP],1
00412191  50  PUSH EAX
00412192  52  PUSH EDX
00412193  B8 83B2DC12  MOV EAX,12DCB283
00412198  05 444D23ED  ADD EAX,ED234D44
0041219D  F76424 08  MUL DWORD PTR SS:[ESP+8]
004121A1  8D8428 BD2D4000  LEA EAX,DWORD PTR DS:[EAX+EBP+402DBD]
004121A8  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
004121AC  5A  POP EDX
004121AD  58  POP EAX
004121AE  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
004121B2  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; decode code backwards starting from 415269, size 11FE
……
004121CE  8170 03 E89868EA  XOR DWORD PTR DS:[EAX+3],EA6898E8 ; SMC
004121D5  83C0 21  ADD EAX,21
……
004121E3  68 CB000000  PUSH 0CB
004121E8  59  POP ECX ; decode size 0CB
004121E9  8DBD A35D4000  LEA EDI,DWORD PTR SS:[EBP+405DA3] ; [EBP+405DA3]=[41519E]
004121EF  90  NOP
004121F0  90  NOP
004121F1  90  NOP
004121F2  90  NOP
004121F3  90  NOP
004121F4  90  NOP
004121F5  90  NOP
004121F6  90  NOP
004121F7  90  NOP
004121F8  90  NOP
004121F9  90  NOP
004121FA  90  NOP
004121FB  90  NOP
004121FC  90  NOP
004121FD  90  NOP
004121FE  90  NOP
004121FF  90  NOP
00412200  C00C39 02  ROR BYTE PTR DS:[ECX+EDI],2 ; KEY=2
00412204  49  DEC ECX
……
00412205  9C  PUSHFD
00412206  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041220A  F71424  NOT DWORD PTR SS:[ESP]
0041220D  832424 01  AND DWORD PTR SS:[ESP],1
00412211  50  PUSH EAX
00412212  52  PUSH EDX
00412213  B8 72B2DC12  MOV EAX,12DCB272
00412218  05 444D23ED  ADD EAX,ED234D44
0041221D  F76424 08  MUL DWORD PTR SS:[ESP+8]
00412221  8D8428 3E2E4000  LEA EAX,DWORD PTR DS:[EAX+EBP+402E3E]
00412228 > 894424 08  MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.00412239
0041222C  5A  POP EDX
0041222D  58  POP EAX
0041222E  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00412232  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; loop: decode upwards starting from 415269, size 0CB
……
00413F09  8B7C24 20  MOV EDI,DWORD PTR SS:[ESP+20] ; get KERNELBASE
00413F0D  81E7 0000FFFF  AND EDI,FFFF0000
……
00413F23  90  NOP
00413F24  BA 246BDE21  MOV EDX,21DE6B24
00413F29  81F2 6931DE21  XOR EDX,21DE3169 ; EDX=PE sig(5A4D)
00413F2F  66:3917  CMP WORD PTR DS:[EDI],DX
00413F32  75 17  JNZ SHORT 00413F4B ; check whether the DOS header has been found
00413F34  81C2 EFA5FFFF  ADD EDX,FFFFA5EF
00413F3A  0FB7143A  MOVZX EDX,WORD PTR DS:[EDX+EDI]
00413F3E  66:F7C2 00F8  TEST DX,0F800
00413F43  75 06  JNZ SHORT 00413F4B
00413F45  3B7C3A 34  CMP EDI,DWORD PTR DS:[EDX+EDI+34]
00413F49  74 08  JE SHORT 00413F53
00413F4B  81EF 00000100  SUB EDI,10000 ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
00413F51 ^ EB C0  JMP SHORT 00413F13 ; subtract 10000 and go back
00413F53  97  XCHG EAX,EDI ; the KERNELBASE found is kept in EAX
……
00413F65  68 F44B4000  PUSH 00404BF4
00413F6A  50  PUSH EAX ; push kerbase(7c800000)
00413F6B  8785 E54B4000  XCHG DWORD PTR SS:[EBP+404BE5],EAX ; store KERNELBASE at [EBP+404BE5]=(413FE0)
00413F71  016C24 04  ADD DWORD PTR SS:[ESP+4],EBP
00413F75  8D85 ECA183EB  LEA EAX,DWORD PTR SS:[EBP+EB83A1EC]
00413F7B  8D80 BDAABC14  LEA EAX,DWORD PTR DS:[EAX+14BCAABD]
……
00413F8A  FFD0  CALL EAX ; EAX=4140A4; this is where the API addresses are obtained, let's step in:

004140A4  59  POP ECX
004140A5  58  POP EAX
004140A6  5F  POP EDI ; EDI=413FEF
004140A7  90  NOP
004140A8  90  NOP
004140A9  90  NOP
004140AA  90  NOP
004140AB  90  NOP
004140AC  90  NOP
004140AD  90  NOP
004140AE  90  NOP
004140AF  90  NOP
004140B0  41  INC ECX
004140B1  41  INC ECX
004140B2  51  PUSH ECX ; ECX=413F8E
004140B3  8BF0  MOV ESI,EAX
004140B5  0340 3C  ADD EAX,DWORD PTR DS:[EAX+3C] ; locate the PE header
004140B8  8B40 78  MOV EAX,DWORD PTR DS:[EAX+78] ; locate the export table
004140BB  03C6  ADD EAX,ESI
004140BD  FF70 20  PUSH DWORD PTR DS:[EAX+20] ; AddressOfNames
004140C0  5B  POP EBX
004140C1  03DE  ADD EBX,ESI
004140C3  FF70 18  PUSH DWORD PTR DS:[EAX+18] ; NumberOfNames
004140C6  8F85 674D4000  POP DWORD PTR SS:[EBP+404D67] ; [EBP+404D67] holds NumberOfNames
004140CC  FF70 24  PUSH DWORD PTR DS:[EAX+24] ; AddressOfNameOrdinals
004140CF  5A  POP EDX
004140D0  03D6  ADD EDX,ESI
004140D2  FF70 1C  PUSH DWORD PTR DS:[EAX+1C] ; AddressOfFunctions
004140D5  59  POP ECX
004140D6  03CE  ADD ECX,ESI
004140D8  898D 574D4000  MOV DWORD PTR SS:[EBP+404D57],ECX ; [EBP+404D57] holds AddressOfFunctions
004140DE  83EF 05  SUB EDI,5
004140E1  83C7 05  ADD EDI,5
004140E4  833F 00  CMP DWORD PTR DS:[EDI],0
004140E7  0F84 9D000000  JE 0041418A
004140ED  8A07  MOV AL,BYTE PTR DS:[EDI]
004140EF  8885 1B4D4000  MOV BYTE PTR SS:[EBP+404D1B],AL
004140F5  FF77 01  PUSH DWORD PTR DS:[EDI+1]
004140F8  8F85 474D4000  POP DWORD PTR SS:[EBP+404D47]
004140FE  53  PUSH EBX
004140FF  52  PUSH EDX
00414100  57  PUSH EDI
00414101  2BC9  SUB ECX,ECX
00414103  90  NOP
00414104  90  NOP
00414105  90  NOP
00414106  90  NOP
00414107  90  NOP
00414108  90  NOP
00414109  90  NOP
0041410A  90  NOP
0041410B  90  NOP
0041410C  90  NOP
0041410D  90  NOP
0041410E  90  NOP
0041410F  8B3B  MOV EDI,DWORD PTR DS:[EBX]
00414111  03FE  ADD EDI,ESI
00414113  807F 02 61  CMP BYTE PTR DS:[EDI+2],61 ; get the address of LoadLibraryA
00414117  75 43  JNZ SHORT 0041415C
00414119  E8 02000000  CALL 00414120
0041411E  90  NOP
0041411F  90  NOP
00414120  58  POP EAX
00414121  8D6424 FC  LEA ESP,DWORD PTR SS:[ESP-4]
00414125  05 23000000  ADD EAX,23
0041412A  890424  MOV DWORD PTR SS:[ESP],EAX
0041412D  8D85 CA8A94ED  LEA EAX,DWORD PTR SS:[EBP+ED948ACA]
00414133  2D 353D54ED  SUB EAX,ED543D35
00414138  50  PUSH EAX
00414139  C3  RETN
0041413A  3BC3  CMP EAX,EBX
0041413C  74 35  JE SHORT 00414173
0041413E  2BC2  SUB EAX,EDX
00414140  9A 3D72423E C07>  CALL FAR 75C0:3E42723D ; Far call
00414147  14 8D  ADC AL,8D
00414149  04 4A  ADD AL,4A
0041414B  0FB700  MOVZX EAX,WORD PTR DS:[EAX]
0041414E  C1E0 02  SHL EAX,2
00414151  05 5426807C  ADD EAX,7C802654
00414156  8B00  MOV EAX,DWORD PTR DS:[EAX]
00414158  03C6  ADD EAX,ESI
0041415A  EB 0E  JMP SHORT 0041416A
0041415C  83C3 04  ADD EBX,4
0041415F  41  INC ECX
00414160  81F9 B5030000  CMP ECX,3B5
00414166 ^ 75 A7  JNZ SHORT 0041410F
00414168  33C0  XOR EAX,EAX
0041416A  5F  POP EDI
0041416B  5A  POP EDX
0041416C  5B  POP EBX
0041416D  0BC0  OR EAX,EAX
0041416F  74 1B  JE SHORT 0041418C
00414171  90  NOP
00414172  90  NOP
00414173  90  NOP
00414174  90  NOP
00414175  90  NOP
00414176  90  NOP
00414177  90  NOP
00414178  90  NOP
00414179  90  NOP
0041417A  8038 CC  CMP BYTE PTR DS:[EAX],0CC ; check whether a breakpoint has been set here
0041417D  75 03  JNZ SHORT 00414182
0041417F  8028 00  SUB BYTE PTR DS:[EAX],0
00414182  8947 01  MOV DWORD PTR DS:[EDI+1],EAX
00414185 ^ E9 57FFFFFF  JMP 004140E1
0041418A  0BC0  OR EAX,EAX
0041418C  EB 01  JMP SHORT 0041418F
0041418E  90  NOP
0041418F  C3  RETN

The following APIs are obtained:
LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
CloseHandle
VirtualAlloc
VirtualFree
CreateFileA
ReadFile
GetTickCount
GetModuleHandleA
CreateThread
Sleep
GetCurrentProcessID
OpenProcess
TerminateProcess
GetFileSize
GetModuleFileNameA

……
00412267  B8 944380EF  MOV EAX,EF804394
0041226C  2BC9  SUB ECX,ECX
0041226E  83C9 15  OR ECX,15
00412271  0FA3C8  BT EAX,ECX
00412274  0F83 81000000  JNB 004122FB ; if no protection password was set it jumps here, so for a program that requires a password, forcing this jump is useless
0041227A  8DB40D D44B4000  LEA ESI,DWORD PTR SS:[EBP+ECX+404BD4]
00412281  8BD6  MOV EDX,ESI
00412283  B9 10000000  MOV ECX,10
00412288  AC  LODS BYTE PTR DS:[ESI]
00412289  84C0  TEST AL,AL
0041228B  74 06  JE SHORT 00412293
0041228D  C04E FF 03  ROR BYTE PTR DS:[ESI-1],3
00412291 ^ E2 F5  LOOPD SHORT 00412288
00412293  E8 00000000  CALL 00412298
00412298  59  POP ECX
00412299  81C1 1D000000  ADD ECX,1D
0041229F  52  PUSH EDX
004122A0  51  PUSH ECX
004122A1  C1E9 05  SHR ECX,5
004122A4  23D1  AND EDX,ECX
004122A6  FFA5 F54B4000  JMP DWORD PTR SS:[EBP+404BF5]
004122AC  0BC0  OR EAX,EAX
004122AE  0F85 3F0A0000  JNZ 00412CF3
004122B4  A3 8D8D534C  MOV DWORD PTR DS:[4C538D8D],EAX
004122B9  40  INC EAX
004122BA  0051 50  ADD BYTE PTR DS:[ECX+50],DL
004122BD  8D85 19F54500  LEA EAX,DWORD PTR SS:[EBP+45F519]
004122C3  2D 70A80500  SUB EAX,5A870
004122C8  FFD0  CALL EAX
004122CA  0BC0  OR EAX,EAX
004122CC  0F84 D41B0000  JE 00413EA6
004122D2  8DBD AB454000  LEA EDI,DWORD PTR SS:[EBP+4045AB]
004122D8  2BC9  SUB ECX,ECX
004122DA  2BC0  SUB EAX,EAX
004122DC  B0 23  MOV AL,23
004122DE  41  INC ECX
004122DF  32C1  XOR AL,CL
004122E1  48  DEC EAX
004122E2  284439 FF  SUB BYTE PTR DS:[ECX+EDI-1],AL
004122E6  81F9 F4030000  CMP ECX,3F4
004122EC ^ 75 F0  JNZ SHORT 004122DE
004122EE  8D85 6A894000  LEA EAX,DWORD PTR SS:[EBP+40896A]
004122F4  05 5EBDFFFF  ADD EAX,FFFFBD5E
004122F9  FFD0  CALL EAX ; stepping in here leads to the code that shows the password dialog; note that the packer never compares the password directly
004122FB  EB 01  JMP SHORT 004122FE
……
00414776  68 A0050000  PUSH 5A0
0041477B  59  POP ECX ; push size 5a0
0041477C  8DBD 8B304000  LEA EDI,DWORD PTR SS:[EBP+40308B]
00414782  81EF 2A010000  SUB EDI,12A
00414788  D1EB  SHR EBX,1
0041478A  73 06  JNB SHORT 00414792
0041478C  81F3 3488328C  XOR EBX,8C328834
00414792  301F  XOR BYTE PTR DS:[EDI],BL ; decode downwards starting from 41235c, SIZE:5A0
00414794  47  INC EDI
00414795  49  DEC ECX
00414796  9C  PUSHFD
00414797  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041479B  F71424  NOT DWORD PTR SS:[ESP]
0041479E  832424 01  AND DWORD PTR SS:[ESP],1
004147A2  50  PUSH EAX
004147A3  52  PUSH EDX
004147A4  B8 77B2DC10  MOV EAX,10DCB277
004147A9  05 444D23EF  ADD EAX,EF234D44
004147AE  F76424 08  MUL DWORD PTR SS:[ESP+8]
004147B2  8D8428 D2534000  LEA EAX,DWORD PTR DS:[EAX+EBP+4053D2]
004147B9  894424 08  MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.004147CD
004147BD  5A  POP EDX
004147BE  58  POP EAX
004147BF  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
004147C3  FF6424 FC  JMP DWORD PTR SS:[ESP-4]
……
004123D9  68 FF000000  PUSH 0FF ; /BufSize = FF (255.)
004123DE  56  PUSH ESI ; |PathBuffer = PESpin.00412000
004123DF  6A 00  PUSH 0 ; |hModule = NULL
004123E1  53  PUSH EBX ; |Return address
004123E2  FFA5 4A4C4000  JMP DWORD PTR SS:[EBP+404C4A] ; \GetModuleFileNameA
……
004123F6  6A 00  PUSH 0 ; /hTemplateFile = NULL
004123F8  68 80000000  PUSH 80 ; |Attributes = NORMAL
004123FD  6A 03  PUSH 3 ; |Mode = OPEN_EXISTING
004123FF  6A 00  PUSH 0 ; |pSecurity = NULL
00412401  6A 01  PUSH 1 ; |ShareMode = FILE_SHARE_READ
00412403  68 00000080  PUSH 80000000 ; |Access = GENERIC_READ
00412408  56  PUSH ESI ; |FileName
00412409  53  PUSH EBX ; |Return address
0041240A  FFA5 184C4000  JMP DWORD PTR SS:[EBP+404C18] ; \CreateFileA
……
00412413  E8 01000000  CALL 00412419
00412418  90  NOP
00412419  5A  POP EDX
0041241A  81C2 1A000000  ADD EDX,1A
00412420  8985 8F5E4000  MOV DWORD PTR SS:[EBP+405E8F],EAX
00412426  93  XCHG EAX,EBX
00412427  6A 00  PUSH 0 ; /pFileSizeHigh = NULL
00412429  53  PUSH EBX ; |hFile = 00000040 (window)
0041242A  52  PUSH EDX ; |Return Address
0041242B  FFA5 454C4000  JMP DWORD PTR SS:[EBP+404C45] ; \GetFileSize
00412431  90  NOP
00412432  E8 01000000  CALL 00412438
00412437  90  NOP
00412438  5A  POP EDX
00412439  81C2 24000000  ADD EDX,24
0041243F  8BD8  MOV EBX,EAX
00412441  53  PUSH EBX
00412442  8F85 9B5E4000  POP DWORD PTR SS:[EBP+405E9B]
00412448  6A 04  PUSH 4 ; /Protect = PAGE_READWRITE
0041244A  68 00300000  PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
0041244F  50  PUSH EAX ; |Size = D400 (54272.)
00412450  6A 00  PUSH 0 ; |Address = NULL
00412452  52  PUSH EDX ; |Return address
00412453  FFA5 0E4C4000  JMP DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
00412459  90  NOP
0041245A  90  NOP
0041245B  50  PUSH EAX
0041245C  8F85 C94B4000  POP DWORD PTR SS:[EBP+404BC9] ; [EBP+404BC9]=[413FC4] holds hmem
00412462  8D8D 9B5E4000  LEA ECX,DWORD PTR SS:[EBP+405E9B]
00412468  E8 01000000  CALL 0041246E
0041246D  90  NOP
0041246E  5A  POP EDX
0041246F  81C2 1E000000  ADD EDX,1E
00412475  6A 00  PUSH 0 ; /pOverlapped = NULL
00412477  51  PUSH ECX ; |pBytesRead = PESpin.00415296
00412478  53  PUSH EBX ; |BytesToRead = D400 (54272.)
00412479  50  PUSH EAX ; |Buffer = 003D0000
0041247A  FFB5 8F5E4000  PUSH DWORD PTR SS:[EBP+405E8F] ; |hFile = 00000040 (window)
00412480  52  PUSH EDX ; |Return Address
00412481  FFA5 1D4C4000  JMP DWORD PTR SS:[EBP+404C1D] ; \ReadFile
00412487  90  NOP
00412488  90  NOP
00412489  90  NOP
0041248A  90  NOP
0041248B  E8 01000000  CALL 00412491
00412490  90  NOP
00412491  5A  POP EDX
00412492  81C2 17000000  ADD EDX,17
00412498  FFB5 8F5E4000  PUSH DWORD PTR SS:[EBP+405E8F] ; /hObject = 00000040 (window)
0041249E  52  PUSH EDX ; |Return address
0041249F  FFA5 094C4000  JMP DWORD PTR SS:[EBP+404C09] ; \CloseHandle
004124A5  90  NOP
004124A6  90  NOP
……
004124E4  FFD0  CALL EAX ; compute the CRC value
004124E6  2985 A35E4000  SUB DWORD PTR SS:[EBP+405EA3],EAX ; [EBP+405EA3]=[0041529E]
004124EC  E8 01000000  CALL 004124F2
004124F1  90  NOP
004124F2  5A  POP EDX
004124F3  81C2 1E000000  ADD EDX,1E
004124F9  68 00800000  PUSH 8000 ; /FreeType = MEM_RELEASE
004124FE  6A 00  PUSH 0 ; |Size = 0
00412500  FFB5 C94B4000  PUSH DWORD PTR SS:[EBP+404BC9] ; |Address = 003D0000
00412506  52  PUSH EDX ; |Return address
00412507  FFA5 134C4000  JMP DWORD PTR SS:[EBP+404C13] ; \VirtualFree
……
004125BF  0FB78D C74B4000  MOVZX ECX,WORD PTR SS:[EBP+404BC7]
004125C6  8B95 CD4B4000  MOV EDX,DWORD PTR SS:[EBP+404BCD]
004125CC  81C2 F8000000  ADD EDX,0F8
004125D2  8B9D 935E4000  MOV EBX,DWORD PTR SS:[EBP+405E93]
004125D8  33C0  XOR EAX,EAX
004125DA  90  NOP
004125DB  90  NOP
004125DC  90  NOP
004125DD  90  NOP
004125DE  90  NOP
004125DF  90  NOP
004125E0  90  NOP
004125E1  90  NOP
004125E2  90  NOP
004125E3  90  NOP
004125E4  90  NOP
004125E5  90  NOP
004125E6  90  NOP
004125E7  90  NOP
004125E8  90  NOP
004125E9  90  NOP
004125EA  90  NOP
004125EB  51  PUSH ECX
004125EC  0FA3C3  BT EBX,EAX
004125EF  73 67  JNB SHORT 00412658
004125F1  52  PUSH EDX
004125F2  90  NOP
004125F3  90  NOP
004125F4  90  NOP
004125F5  90  NOP
004125F6  90  NOP
004125F7  90  NOP
004125F8  90  NOP
004125F9  90  NOP
004125FA  90  NOP
004125FB  90  NOP
004125FC  90  NOP
004125FD  90  NOP
004125FE  90  NOP
004125FF  90  NOP
00412600  90  NOP
00412601  90  NOP
00412602  90  NOP
00412603  8B7A 0C  MOV EDI,DWORD PTR DS:[EDX+C]
00412606  03BD C34B4000  ADD EDI,DWORD PTR SS:[EBP+404BC3]
0041260C  8B4A 10  MOV ECX,DWORD PTR DS:[EDX+10]
0041260F  8B95 A35E4000  MOV EDX,DWORD PTR SS:[EBP+405EA3]
00412615  D1EA  SHR EDX,1
00412617  72 06  JB SHORT 0041261F
00412619  81F2 31AF43ED  XOR EDX,ED43AF31
0041261F  3017  XOR BYTE PTR DS:[EDI],DL ; loop restoring each section
00412621  47  INC EDI
00412622  90  NOP
00412623  90  NOP
00412624  90  NOP
00412625  90  NOP
00412626  90  NOP
00412627  90  NOP
00412628  90  NOP
00412629  90  NOP
0041262A  90  NOP
0041262B  90  NOP
0041262C  90  NOP
0041262D  90  NOP
0041262E  90  NOP
0041262F  90  NOP
00412630  90  NOP
00412631  90  NOP
00412632  90  NOP
00412633  90  NOP
00412634  90  NOP
00412635  90  NOP
00412636  90  NOP
00412637  90  NOP
00412638  90  NOP
00412639  90  NOP
0041263A  90  NOP
0041263B  90  NOP
0041263C  90  NOP
0041263D  90  NOP
0041263E  90  NOP
0041263F  90  NOP
00412640  90  NOP
00412641  90  NOP
00412642  90  NOP
00412643  90  NOP
00412644  90  NOP
00412645  90  NOP
00412646  90  NOP
00412647  90  NOP
00412648  90  NOP
00412649  90  NOP
0041264A  90  NOP
0041264B  90  NOP
0041264C  90  NOP
0041264D  90  NOP
0041264E  90  NOP
0041264F  90  NOP
00412650  90  NOP
00412651  90  NOP
00412652  90  NOP
00412653  90  NOP
00412654  49  DEC ECX
00412655 ^ 75 BE  JNZ SHORT 00412615
00412657  5A  POP EDX
00412658  40  INC EAX
00412659  83C2 28  ADD EDX,28
0041265C  59  POP ECX
0041265D  90  NOP
0041265E  90  NOP
0041265F  90  NOP
00412660  90  NOP
00412661  90  NOP
00412662  90  NOP
00412663  90  NOP
00412664  90  NOP
00412665  90  NOP
00412666  90  NOP
00412667  90  NOP
00412668  90  NOP
00412669  90  NOP
0041266A  90  NOP
0041266B  90  NOP
0041266C  90  NOP
0041266D  90  NOP
0041266E  49  DEC ECX
0041266F  9C  PUSHFD
00412670  C12C24 06  SHR DWORD PTR SS:[ESP],6
00412674  F71424  NOT DWORD PTR SS:[ESP]
00412677  832424 01  AND DWORD PTR SS:[ESP],1
0041267B  50  PUSH EAX
0041267C  52  PUSH EDX
0041267D  B8 04B2DC12  MOV EAX,12DCB204
00412682  05 444D23ED  ADD EAX,ED234D44
00412687  F76424 08  MUL DWORD PTR SS:[ESP+8]
0041268B  8D8428 A8324000  LEA EAX,DWORD PTR DS:[EAX+EBP+4032A8]
00412692  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
00412696  5A  POP EDX
00412697  58  POP EAX
00412698  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
0041269C  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; if not finished decoding, jump back
……
004126B4  838D 9D5D4000 0>  OR DWORD PTR SS:[EBP+405D9D],0 ; test whether anti-debug is enabled
004126BB  74 0D  JE SHORT 004126CA ; if anti-debug was not selected, skip to the next step; the main program has no anti-debug set
004126BD  8D85 C8554000  LEA EAX,DWORD PTR SS:[EBP+4055C8] ; CreateFileA-style check for SoftICE
004126C3  2D D1030000  SUB EAX,3D1
004126C8  FFD0  CALL EAX
004126CA  68 80010000  PUSH 180
004126CF  59  POP ECX
……
00412703  E8 01000000  CALL 00412709
00412708  90  NOP
00412709  D1EA  SHR EDX,1
0041270B  73 06  JNB SHORT 00412713
0041270D  81F2 32AF43ED  XOR EDX,ED43AF32
00412713  3017  XOR BYTE PTR DS:[EDI],DL
00412715  47  INC EDI
00412716  49  DEC ECX
00412717  9C  PUSHFD
00412718  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041271C  F71424  NOT DWORD PTR SS:[ESP]
0041271F  832424 01  AND DWORD PTR SS:[ESP],1
00412723  50  PUSH EAX
00412724  52  PUSH EDX
00412725  B8 CEBFABF2  MOV EAX,F2ABBFCE
0041272A  05 EB3F540D  ADD EAX,0D543FEB
0041272F  F76424 08  MUL DWORD PTR SS:[ESP+8]
00412733  8D8428 4F334000  LEA EAX,DWORD PTR DS:[EAX+EBP+40334F]
0041273A  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
0041273E  5A  POP EDX
0041273F  58  POP EAX
00412740  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00412744  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; decode downwards starting from 41495a, size 180
……
00412757  2BC3  SUB EAX,EBX
00412759  50  PUSH EAX ; once decoding is done, execute the decoded code
0041275A  C3  RETN
……
0041495A /EB 01  JMP SHORT 0041495D
0041495C |90  NOP
0041495D \8DBD 60334000  LEA EDI,DWORD PTR SS:[EBP+403360] ; 0041275B
00414963  B9 A1010000  MOV ECX,1A1 ; decode code downwards starting from 41275b, size 1A1
00414968  90  NOP
00414969  90  NOP
0041496A  90  NOP
0041496B  90  NOP
0041496C  90  NOP
0041496D  90  NOP
0041496E  90  NOP
0041496F  90  NOP
00414970  90  NOP
00414971  8A07  MOV AL,BYTE PTR DS:[EDI]
00414973  02C1  ADD AL,CL
00414975  C0C8 1E  ROR AL,1E
00414978  F9  STC
00414979  90  NOP
0041497A  F9  STC
0041497B  02C1  ADD AL,CL
0041497D  EB 01  JMP SHORT 00414980
0041497F  90  NOP
00414980  02C1  ADD AL,CL
00414982  C0C0 93  ROL AL,93 ; Shift constant out of range 1..31
00414985  EB 01  JMP SHORT 00414988
00414987  90  NOP
00414988  EB 01  JMP SHORT 0041498B
0041498A  90  NOP
0041498B  EB 01  JMP SHORT 0041498E
0041498D  90  NOP
0041498E  EB 01  JMP SHORT 00414991
00414990  90  NOP
00414991  32C1  XOR AL,CL
00414993  2C 57  SUB AL,57
00414995  02C1  ADD AL,CL
00414997  AA  STOS BYTE PTR ES:[EDI]
00414998  49  DEC ECX
00414999  9C  PUSHFD
0041499A  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041499E  F71424  NOT DWORD PTR SS:[ESP]
004149A1  832424 01  AND DWORD PTR SS:[ESP],1
004149A5  50  PUSH EAX
004149A6  52  PUSH EDX
004149A7  B8 5EBFDC32  MOV EAX,32DCBF5E
004149AC  05 444023CD  ADD EAX,CD234044
004149B1  F76424 08  MUL DWORD PTR SS:[ESP+8]
004149B5  8D8428 D4554000  LEA EAX,DWORD PTR DS:[EAX+EBP+4055D4]
004149BC > 894424 08  MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.004149CF
004149C0  5A  POP EDX
004149C1  58  POP EAX
004149C2  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
004149C6  FF6424 FC  JMP DWORD PTR SS:[ESP-4]
……
004149CF  55  PUSH EBP
004149D0  9C  PUSHFD
004149D1  E8 77000000  CALL 00414A4D ; stepping in here leads to the SEH exception
……
004149D7  8B5424 08  MOV EDX,DWORD PTR SS:[ESP+8]
004149DB  8B4424 0C  MOV EAX,DWORD PTR SS:[ESP+C]
004149DF  8142 04 3500000>  ADD DWORD PTR DS:[EDX+4],35
004149E6  81CA 29242123  OR EDX,23212429
004149EC  2BC9  SUB ECX,ECX
004149EE  2148 04  AND DWORD PTR DS:[EAX+4],ECX ; clear the hardware breakpoints
004149F1  2148 08  AND DWORD PTR DS:[EAX+8],ECX
004149F4  2148 0C  AND DWORD PTR DS:[EAX+C],ECX
004149F7  2148 10  AND DWORD PTR DS:[EAX+10],ECX
004149FA  8160 14 F00FFFF>  AND DWORD PTR DS:[EAX+14],FFFF0FF0
00414A01  C740 18 5501000>  MOV DWORD PTR DS:[EAX+18],155
00414A08  33C0  XOR EAX,EAX
00414A0A  C3  RETN
……
00414A65  8DBD 01354000  LEA EDI,DWORD PTR SS:[EBP+403501] ; decode code starting from 004128FC, size 108f
00414A6B  B9 8F100000  MOV ECX,108F
00414A70  90  NOP
00414A71  90  NOP
00414A72  90  NOP
00414A73  90  NOP
00414A74  90  NOP
00414A75  90  NOP
00414A76  90  NOP
00414A77  90  NOP
00414A78  90  NOP
00414A79  8A07  MOV AL,BYTE PTR DS:[EDI]
00414A7B  02C1  ADD AL,CL
00414A7D  C0C0 43  ROL AL,43 ; Shift constant out of range 1..31
00414A80  FEC8  DEC AL
00414A82  04 40  ADD AL,40
00414A84  2C 39  SUB AL,39
00414A86  EB 01  JMP SHORT 00414A89
00414A88  90  NOP
00414A89  34 BB  XOR AL,0BB
00414A8B  0AC0  OR AL,AL
00414A8D  04 85  ADD AL,85
00414A8F  EB 01  JMP SHORT 00414A92
00414A91  90  NOP
00414A92  02C1  ADD AL,CL
00414A94  90  NOP
00414A95  F9  STC
00414A96  C0C8 53  ROR AL,53 ; Shift constant out of range 1..31
00414A99  0AC0  OR AL,AL
00414A9B  04 C2  ADD AL,0C2
00414A9D  2AC1  SUB AL,CL
00414A9F  AA  STOS BYTE PTR ES:[EDI]
00414AA0  49  DEC ECX
00414AA1  9C  PUSHFD
00414AA2  C12C24 06  SHR DWORD PTR SS:[ESP],6
00414AA6  F71424  NOT DWORD PTR SS:[ESP]
00414AA9  832424 01  AND DWORD PTR SS:[ESP],1
00414AAD  50  PUSH EAX
00414AAE  52  PUSH EDX
00414AAF  B8 61B2DC12  MOV EAX,12DCB261
00414AB4  05 444D23ED  ADD EAX,ED234D44
00414AB9  F76424 08  MUL DWORD PTR SS:[ESP+8]
00414ABD  8D8428 D9564000  LEA EAX,DWORD PTR DS:[EAX+EBP+4056D9]
00414AC4  894424 08  MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.00414AD4
00414AC8  5A  POP EDX
00414AC9  58  POP EAX
00414ACA  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00414ACE  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; continue if decoding is not finished
……
00412777  68 07000000  PUSH 7
0041277C  5B  POP EBX
0041277D  25 25382C37  AND EAX,372C3825
00412782  50  PUSH EAX
00412783  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00412787  F7D0  NOT EAX
00412789  234424 FC  AND EAX,DWORD PTR SS:[ESP-4]
0041278D  51  PUSH ECX ; from here on each section is decrypted
0041278E  90  NOP
0041278F  90  NOP
00412790  90  NOP
00412791  90  NOP
00412792  90  NOP
00412793  90  NOP
00412794  90  NOP
00412795  90  NOP
00412796  90  NOP
00412797  90  NOP
00412798  90  NOP
00412799  90  NOP
0041279A  0FA3C3  BT EBX,EAX
0041279D  73 79  JNB SHORT 00412818 ; if this section is done, jump on to decode the next section
0041279F  90  NOP
004127A0  90  NOP
004127A1  90  NOP
004127A2  90  NOP
004127A3  90  NOP
004127A4  90  NOP
004127A5  90  NOP
004127A6  90  NOP
004127A7  90  NOP
004127A8  90  NOP
004127A9  90  NOP
004127AA  90  NOP
004127AB  90  NOP
004127AC  90  NOP
004127AD  90  NOP
004127AE  90  NOP
004127AF  90  NOP
004127B0  90  NOP
004127B1  90  NOP
004127B2  90  NOP
004127B3  90  NOP
004127B4  90  NOP
004127B5  90  NOP
004127B6  90  NOP
004127B7  90  NOP
004127B8  90  NOP
004127B9  90  NOP
004127BA  90  NOP
004127BB  90  NOP
004127BC  90  NOP
004127BD  90  NOP
004127BE  90  NOP
004127BF  90  NOP
004127C0  90  NOP
004127C1  90  NOP
004127C2  90  NOP
004127C3  90  NOP
004127C4  90  NOP
004127C5  90  NOP
004127C6  90  NOP
004127C7  90  NOP
004127C8  90  NOP
004127C9  90  NOP
004127CA  90  NOP
004127CB  90  NOP
004127CC  90  NOP
004127CD  8B7A 0C  MOV EDI,DWORD PTR DS:[EDX+C]
004127D0  03BD C34B4000  ADD EDI,DWORD PTR SS:[EBP+404BC3]
004127D6  8B4A 10  MOV ECX,DWORD PTR DS:[EDX+10] ; RSIZE = 6000
004127D9  50  PUSH EAX
004127DA  8A07  MOV AL,BYTE PTR DS:[EDI] ; first pass: decrypt code starting from 401000, size:6000
004127DC  2C 61  SUB AL,61
004127DE  F8  CLC
004127DF  F8  CLC
004127E0  C0C0 B1  ROL AL,0B1 ; Shift constant out of range 1..31
004127E3  34 AF  XOR AL,0AF
004127E5  04 70  ADD AL,70
004127E7  FEC8  DEC AL
004127E9  EB 01  JMP SHORT 004127EC
004127EB  90  NOP
004127EC  F8  CLC
004127ED  32C1  XOR AL,CL
004127EF  C0C0 42  ROL AL,42 ; Shift constant out of range 1..31
004127F2  EB 01  JMP SHORT 004127F5
004127F4  90  NOP
004127F5  02C1  ADD AL,CL
004127F7  2AC1  SUB AL,CL
004127F9  34 04  XOR AL,4
004127FB  C0C0 9B  ROL AL,9B ; Shift constant out of range 1..31
004127FE  FEC8  DEC AL
00412800  AA  STOS BYTE PTR ES:[EDI]
00412801  49  DEC ECX
00412802  90  NOP
00412803  90  NOP
00412804  90  NOP
00412805  90  NOP
00412806  90  NOP
00412807  90  NOP
00412808  90  NOP
00412809  90  NOP
0041280A  90  NOP
0041280B  90  NOP
0041280C  90  NOP
0041280D  90  NOP
0041280E  90  NOP
0041280F  90  NOP
00412810  90  NOP
00412811  90  NOP
00412812  90  NOP
00412813  0BC9  OR ECX,ECX
00412815 ^ 75 C3  JNZ SHORT 004127DA ; if this section is not finished, go back up and keep decrypting
00412817  58  POP EAX
00412818  40  INC EAX
00412819  83C2 28  ADD EDX,28
0041281C  90  NOP
0041281D  90  NOP
0041281E  90  NOP
0041281F  90  NOP
00412820  90  NOP
00412821  90  NOP
00412822  90  NOP
00412823  90  NOP
00412824  90  NOP
00412825  59  POP ECX
00412826  49  DEC ECX
00412827  9C  PUSHFD
00412828  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041282C  F71424  NOT DWORD PTR SS:[ESP]
0041282F  832424 01  AND DWORD PTR SS:[ESP],1
00412833  50  PUSH EAX
00412834  52  PUSH EDX
00412835  B8 E979A6F5  MOV EAX,F5A679E9
0041283A  05 4985590A  ADD EAX,0A598549
0041283F  F76424 08  MUL DWORD PTR SS:[ESP+8]
00412843  8D8428 60344000  LEA EAX,DWORD PTR DS:[EAX+EBP+403460]
0041284A  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
0041284E  5A  POP EDX
0041284F  58  POP EAX
00412850  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00412854  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; if not finished, go back and keep decrypting
……
0041286B  E8 BA1C0000  CALL 0041452A ; this CALL is in fact an exception CALL
……
00415062  6A 04  PUSH 4 ; /Protect = PAGE_READWRITE
00415064  68 00300000  PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
00415069  51  PUSH ECX ; |Size = 3166 (12646.)
0041506A  6A 00  PUSH 0 ; |Address = NULL
0041506C  FF95 0E4C4000  CALL DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
00415072  96  XCHG EAX,ESI ; hmem==003D0000
00415073  5A  POP EDX
00415074  BF 50F40000  MOV EDI,0F450
00415079  81C7 00004000  ADD EDI,00400000
0041507F  56  PUSH ESI ; /destination address == 003D0000
00415080  57  PUSH EDI ; |address to unpack == 40f450
00415081  E8 1CDEFFFF  CALL 00412EA2 ; \aplib_depack
00415086  91  XCHG EAX,ECX
00415087  F3:A4  REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415089  5F  POP EDI
0041508A  5E  POP ESI
0041508B  EB 01  JMP SHORT 0041508E
0041508D  90  NOP
0041508E  68 00400000  PUSH 4000 ; /FreeType = MEM_DECOMMIT
00415093  52  PUSH EDX ; |Size = 3166 (12646.)
00415094  56  PUSH ESI ; |Address = 003D0000
00415095  FF95 134C4000  CALL DWORD PTR SS:[EBP+404C13] ; \VirtualFree
……
004150A7  8D85 ED5C4000  LEA EAX,DWORD PTR SS:[EBP+405CED]
004150AD  8338 00  CMP DWORD PTR DS:[EAX],0
004150B0  0F84 CB000000  JE 00415181
004150B6  B9 80B60000  MOV ECX,0B680
004150BB  6A 04  PUSH 4 ; /Protect = PAGE_READWRITE
004150BD  68 00300000  PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
004150C2  51  PUSH ECX ; |Size = B680 (46720.)
004150C3  6A 00  PUSH 0 ; |Address = NULL
004150C5  FF95 0E4C4000  CALL DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
004150CB  8985 0E5D4000  MOV DWORD PTR SS:[EBP+405D0E],EAX ; [EBP+405D0E]==[00415109]
004150D1  EB 01  JMP SHORT 004150D4
004150D3  90  NOP
004150D4  0FB78D C74B4000  MOVZX ECX,WORD PTR SS:[EBP+404BC7] ; ecx==4
004150DB  8B95 CD4B4000  MOV EDX,DWORD PTR SS:[EBP+404BCD]
004150E1  81C2 F8000000  ADD EDX,0F8
004150E7  BB 07000000  MOV EBX,7
004150EC  2BC0  SUB EAX,EAX
004150EE  51  PUSH ECX
004150EF  90  NOP
004150F0  90  NOP
004150F1  90  NOP
004150F2  90  NOP
004150F3  90  NOP
004150F4  90  NOP
004150F5  90  NOP
004150F6  90  NOP
004150F7  90  NOP
004150F8  0FA3C3  BT EBX,EAX
004150FB  73 27  JNB SHORT 00415124 ; jump if this section is already unpacked
004150FD  50  PUSH EAX
004150FE  53  PUSH EBX ; extravagant ^_^
004150FF  8B7A 0C  MOV EDI,DWORD PTR DS:[EDX+C]
00415102  03BD C34B4000  ADD EDI,DWORD PTR SS:[EBP+404BC3] ; code start address 401000
00415108  BE 00003F00  MOV ESI,3F0000
0041510D  56  PUSH ESI ; /temporary buffer ==003F0000
0041510E  57  PUSH EDI ; |address to unpack == 401000
0041510F  E8 8EDDFFFF  CALL 00412EA2 ; \aplib_dePack
00415114  91  XCHG EAX,ECX
00415115  90  NOP
00415116  90  NOP
00415117  90  NOP
00415118  90  NOP
00415119  90  NOP
0041511A  90  NOP
0041511B  90  NOP
0041511C  90  NOP
0041511D  90  NOP
0041511E  F3:A4  REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415120  5F  POP EDI
00415121  5E  POP ESI
00415122  5B  POP EBX
00415123  58  POP EAX
00415124  40  INC EAX
00415125  83C2 28  ADD EDX,28
00415128  59  POP ECX
00415129  49  DEC ECX
0041512A  9C  PUSHFD
0041512B  C12C24 06  SHR DWORD PTR SS:[ESP],6
0041512F  F71424  NOT DWORD PTR SS:[ESP]
00415132  832424 01  AND DWORD PTR SS:[ESP],1
00415136  50  PUSH EAX
00415137  52  PUSH EDX
00415138  B8 49B2DC12  MOV EAX,12DCB249
0041513D  05 444D23ED  ADD EAX,ED234D44
00415142  F76424 08  MUL DWORD PTR SS:[ESP+8]
00415146  8D8428 665D4000  LEA EAX,DWORD PTR DS:[EAX+EBP+405D66]
0041514D  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
00415151  5A  POP EDX
00415152  58  POP EAX
00415153  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00415157  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; loop aplib-unpacking the code
……
00415164  8B8D BC5C4000  MOV ECX,DWORD PTR SS:[EBP+405CBC] ; [EBP+405CBC]=[4150B7]=B680
0041516A  8B85 0E5D4000  MOV EAX,DWORD PTR SS:[EBP+405D0E] ; [EBP+405D0E]=[415109]=3F0000
00415170  0BC0  OR EAX,EAX
00415172  74 0D  JE SHORT 00415181 ; jump if the memory was already freed or the allocation failed
00415174  68 00400000  PUSH 4000 ; /FreeType = MEM_DECOMMIT
00415179  51  PUSH ECX ; |Size = B680 (46720.)
0041517A  56  PUSH ESI ; |Address = 003F0000
0041517B  FF95 134C4000  CALL DWORD PTR SS:[EBP+404C13] ; \VirtualFree
00415181  EB 01  JMP SHORT 00415184

This packer is quite economical: it allocates memory only once and reuses it, wiping the buffer and looping to unpack each section.

……
004143F2  8D85 9C504000  LEA EAX,DWORD PTR SS:[EBP+40509C]
004143F8  8785 7E504000  XCHG DWORD PTR SS:[EBP+40507E],EAX
004143FE  8BBD C34B4000  MOV EDI,DWORD PTR SS:[EBP+404BC3]
00414404  037F 3C  ADD EDI,DWORD PTR DS:[EDI+3C]
00414407  89BD A8504000  MOV DWORD PTR SS:[EBP+4050A8],EDI
0041440D  03F8  ADD EDI,EAX
0041440F  B9 5C020000  MOV ECX,25C
00414414  90  NOP
00414415  90  NOP
00414416  90  NOP
00414417  90  NOP
00414418  90  NOP
00414419  90  NOP
0041441A  90  NOP
0041441B  90  NOP
0041441C  90  NOP
0041441D  51  PUSH ECX
0041441E  8D85 8B5E4000  LEA EAX,DWORD PTR SS:[EBP+405E8B]
00414424  50  PUSH EAX ; /pOldProtect = PESpin.00415286
00414425  6A 40  PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00414427  51  PUSH ECX ; |Size = 25C (604.)
00414428  57  PUSH EDI ; |Address = PESpin.004001C8
00414429  8DB5 F44B4000  LEA ESI,DWORD PTR SS:[EBP+404BF4] ; |
0041442F  FF56 10  CALL DWORD PTR DS:[ESI+10] ; \VirtualProtect
00414432  59  POP ECX
00414433  B0 FF  MOV AL,0FF
00414435  90  NOP
00414436  90  NOP
00414437  90  NOP
00414438  90  NOP
00414439  90  NOP
0041443A  90  NOP
0041443B  90  NOP
0041443C  90  NOP
0041443D  90  NOP
0041443E  90  NOP
0041443F  90  NOP
00414440  90  NOP
00414441  8BF7  MOV ESI,EDI
00414443  83C6 07  ADD ESI,7
00414446  C607 BE  MOV BYTE PTR DS:[EDI],0BE ; start modifying the PE header
00414449  8977 01  MOV DWORD PTR DS:[EDI+1],ESI
0041444C  C747 05 8F06000>  MOV DWORD PTR DS:[EDI+5],68F
00414453  83E9 03  SUB ECX,3
00414456  8D1C0F  LEA EBX,DWORD PTR DS:[EDI+ECX]
00414459  66:C703 33D2  MOV WORD PTR DS:[EBX],0D233
0041445E  C643 02 C3  MOV BYTE PTR DS:[EBX+2],0C3
00414462  53  PUSH EBX
00414463  8F85 DD4B4000  POP DWORD PTR SS:[EBP+404BDD]
00414469  2BDB  SUB EBX,EBX
0041446B  90  NOP
0041446C  90  NOP
0041446D  90  NOP
0041446E  90  NOP
0041446F  90  NOP
00414470  90  NOP
00414471  90  NOP
00414472  90  NOP
00414473  90  NOP
00414474  E8 04000000  CALL 0041447D
00414479  97  XCHG EAX,EDI
0041447A  44  INC ESP
0041447B  41  INC ECX
0041447C  90  NOP ; *** this must not be treated as a junk instruction and NOPed out
0041447D  5A  POP EDX ; note: the instruction above must not be NOPed, or the SEH breaks
0041447E  8B12  MOV EDX,DWORD PTR DS:[EDX]
00414480  55  PUSH EBP
00414481  52  PUSH EDX
00414482  64:FF33  PUSH DWORD PTR FS:[EBX]
00414485  64:8923  MOV DWORD PTR FS:[EBX],ESP ; install SEH
00414488  68 F3AA9090  PUSH 9090AAF3
0041448D  FFE7  JMP EDI ; this jmp goes off to destroy the PE header
0041448F  64:8F02  POP DWORD PTR FS:[EDX]
00414492  83C4 08  ADD ESP,8
00414495  C3  RETN

Let's look at how it is destroyed:

004001C8  BE CF014000  MOV ESI,004001CF ; fill the PE header from 4001c8 onwards entirely with FF, size 259
004001CD  8F06  POP DWORD PTR DS:[ESI]
004001CF  F3:AA  REP STOS BYTE PTR ES:[EDI]
004001D1  90  NOP
004001D2  90  NOP

The fix is to dump the PE header before it gets destroyed.

……
004144CA  8D85 F44B4000  LEA EAX,DWORD PTR SS:[EBP+404BF4]
004144D0  B9 2E000000  MOV ECX,2E
004144D5  FF1401  CALL DWORD PTR DS:[ECX+EAX] ; GetTickCount
004144D8  8BD8  MOV EBX,EAX
004144DA  F7D3  NOT EBX
004144DC  33D8  XOR EBX,EAX
004144DE  43  INC EBX
004144DF  68 87000000  PUSH 87
004144E4  59  POP ECX
004144E5  66:35 4C50  XOR AX,504C
004144E9  66:05 8911  ADD AX,1189
004144ED  AA  STOS BYTE PTR ES:[EDI] ; loop wiping the code at 412000
004144EE  EB 01  JMP SHORT 004144F1
004144F0  90  NOP
004144F1  49  DEC ECX
004144F2  9C  PUSHFD
004144F3  C12C24 06  SHR DWORD PTR SS:[ESP],6
004144F7  F71424  NOT DWORD PTR SS:[ESP]
004144FA  832424 01  AND DWORD PTR SS:[ESP],1
004144FE  50  PUSH EAX
004144FF  52  PUSH EDX
00414500  B8 6FB2DC12  MOV EAX,12DCB26F
00414505  05 4E4D23ED  ADD EAX,ED234D4E
0041450A  F76424 08  MUL DWORD PTR SS:[ESP+8]
0041450E  8D8428 2D514000  LEA EAX,DWORD PTR DS:[EAX+EBP+40512D]
00414515  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
00414519  5A  POP EDX
0041451A  58  POP EAX
0041451B  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
0041451F  FF6424 FC  JMP DWORD PTR SS:[ESP-4]
……
00414BBC  6A 04  PUSH 4 ; /Protect = PAGE_READWRITE
00414BBE  68 00300000  PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
00414BC3  51  PUSH ECX ; |Size = 62 (98.)
00414BC4  6A 00  PUSH 0 ; |Address = NULL
00414BC6  53  PUSH EBX ; |Return address
00414BC7  FFA5 0E4C4000  JMP DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
00414BCD  90  NOP
00414BCE  90  NOP
00414BCF  90  NOP
00414BD0  8DB5 19574000  LEA ESI,DWORD PTR SS:[EBP+405719]
00414BD6  97  XCHG EAX,EDI
00414BD7  8BDF  MOV EBX,EDI
00414BD9  B9 2A000000  MOV ECX,2A
00414BDE  F3:A4  REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; move the code starting at 414b14 into the newly allocated memory, size 2a
00414BE0  BE 759FE9D4  MOV ESI,D4E99F75
00414BE5  BA B1B5572B  MOV EDX,2B57B5B1
00414BEA  03F2  ADD ESI,EDX
00414BEC  B9 0A000000  MOV ECX,0A ; size 0a
00414BF1  BA 13E40E80  MOV EDX,800EE413
00414BF6  AD  LODS DWORD PTR DS:[ESI]
00414BF7  4A  DEC EDX
00414BF8  03C2  ADD EAX,EDX
00414BFA  42  INC EDX
00414BFB  33C2  XOR EAX,EDX
00414BFD  4A  DEC EDX
00414BFE  C1CA 08  ROR EDX,8
00414C01  AB  STOS DWORD PTR ES:[EDI]
00414C02  49  DEC ECX
00414C03  9C  PUSHFD
00414C04  C12C24 06  SHR DWORD PTR SS:[ESP],6
00414C08  F71424  NOT DWORD PTR SS:[ESP]
00414C0B  832424 01  AND DWORD PTR SS:[ESP],1
00414C0F  50  PUSH EAX
00414C10  52  PUSH EDX
00414C11  B8 817A6FF2  MOV EAX,F26F7A81
00414C16  05 4085900D  ADD EAX,0D908540
00414C1B  F76424 08  MUL DWORD PTR SS:[ESP+8]
00414C1F  8D8428 3A584000  LEA EAX,DWORD PTR DS:[EAX+EBP+40583A]
00414C26  894424 08  MOV DWORD PTR SS:[ESP+8],EAX
00414C2A  5A  POP EDX
00414C2B  58  POP EAX
00414C2C  8D6424 04  LEA ESP,DWORD PTR SS:[ESP+4]
00414C30  FF6424 FC  JMP DWORD PTR SS:[ESP-4] ; Loop
……
00414C35  B9 10000000  MOV ECX,10
00414C3A  8DB5 43574000  LEA ESI,DWORD PTR SS:[EBP+405743]
00414C40  F3:A4  REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; From: 414b3e to: d00052 size: 10
00414C42  90  NOP
00414C43  90  NOP
00414C44  90  NOP
00414C45  90  NOP
00414C46  90  NOP
00414C47  90  NOP
00414C48  90  NOP
00414C49  90  NOP
00414C4A  90  NOP
00414C4B  90  NOP
00414C4C  90  NOP
00414C4D  90  NOP
00414C4E  93  XCHG EAX,EBX
00414C4F  B9 0A000000  MOV ECX,0A ; size
00414C54  8BBD E6574000  MOV EDI,DWORD PTR SS:[EBP+4057E6]
00414C5A  03BD EB574000  ADD EDI,DWORD PTR SS:[EBP+4057EB]
00414C60  F3:AB  REP STOS DWORD PTR ES:[EDI] ;
填充刚申请的地址d0000000414C62 E8 01000000 CALL 00414C6800414C67 90 NOP00414C68 5B POP EBX00414C69 81C3 21000000 ADD EBX,2100414C6F B9 61000000 MOV ECX,6100414C74 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE00414C76 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE00414C7B 51 PUSH ECX ; |Size = 61 (97.)00414C7C 6A 00 PUSH 0 ; |Address = NULL00414C7E 53 PUSH EBX ; |Return address00414C7F FFA5 0E4C4000 JMP DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc00414C85 90 NOP00414C86 90 NOP00414C87 90 NOP00414C88 8DB5 DF564000 LEA ESI,DWORD PTR SS:[EBP+4056DF]00414C8E 97 XCHG EAX,EDI00414C8F 8BDF MOV EBX,EDI00414C91 B9 26000000 MOV ECX,2600414C96 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; from 4a4ada to: D10000 size:26……00414CA4 8BB5 E6574000 MOV ESI,DWORD PTR SS:[EBP+4057E6]00414CAA 03B5 EB574000 ADD ESI,DWORD PTR SS:[EBP+4057EB]00414CB0 83C6 28 ADD ESI,2800414CB3 B9 0A000000 MOV ECX,0A ; size00414CB8 BA A4919C0B MOV EDX,0B9C91A400414CBD AD LODS DWORD PTR DS:[ESI]00414CBE 4A DEC EDX00414CBF 03C2 ADD EAX,EDX00414CC1 42 INC EDX00414CC2 90 NOP00414CC3 90 NOP00414CC4 90 NOP00414CC5 90 NOP00414CC6 90 NOP00414CC7 90 NOP00414CC8 90 NOP00414CC9 90 NOP00414CCA 90 NOP00414CCB 90 NOP00414CCC 90 NOP00414CCD 90 NOP00414CCE 33C2 XOR EAX,EDX00414CD0 4A DEC EDX00414CD1 C1CA 08 ROR EDX,800414CD4 AB STOS DWORD PTR ES:[EDI]00414CD5 49 DEC ECX00414CD6 9C PUSHFD00414CD7 90 NOP00414CD8 90 NOP00414CD9 90 NOP00414CDA 90 NOP00414CDB 90 NOP00414CDC 90 NOP00414CDD 90 NOP00414CDE 90 NOP00414CDF 90 NOP00414CE0 C12C24 06 SHR DWORD PTR SS:[ESP],600414CE4 F71424 NOT DWORD PTR SS:[ESP]00414CE7 832424 01 AND DWORD PTR SS:[ESP],100414CEB 50 PUSH EAX00414CEC 52 PUSH EDX00414CED B8 635A9AF0 MOV EAX,F09A5A6300414CF2 05 46A5650F ADD EAX,0F65A54600414CF7 F76424 08 MUL DWORD PTR SS:[ESP+8]00414CFB 8D8428 19594000 LEA EAX,DWORD PTR DS:[EAX+EBP+405919]00414D02 894424 08 MOV DWORD PTR SS:[ESP+8],EAX00414D06 5A POP EDX00414D07 58 POP EAX00414D08 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]00414D0C FF6424 FC JMP DWORD 
PTR SS:[ESP-4] ; PESpin.00414D14……00414D14 B9 13000000 MOV ECX,1300414D19 8DB5 05574000 LEA ESI,DWORD PTR SS:[EBP+405705]00414D1F F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; From:414B00 to:D1004E size:1300414D21 93 XCHG EAX,EBX00414D22 B9 0A000000 MOV ECX,0A00414D27 8BBD E6574000 MOV EDI,DWORD PTR SS:[EBP+4057E6]00414D2D 03BD EB574000 ADD EDI,DWORD PTR SS:[EBP+4057EB]00414D33 83C7 28 ADD EDI,2800414D36 F3:AB REP STOS DWORD PTR ES:[EDI]00414D38 58 POP EAX00414D39 90 NOP00414D3A 90 NOP00414D3B 90 NOP00414D3C 90 NOP00414D3D 90 NOP00414D3E 90 NOP00414D3F 90 NOP00414D40 90 NOP00414D41 90 NOP00414D42 2D F9FFFFFF SUB EAX,-700414D47 90 NOP00414D48 90 NOP00414D49 90 NOP00414D4A 90 NOP00414D4B 90 NOP00414D4C 90 NOP00414D4D 90 NOP00414D4E 90 NOP00414D4F 90 NOP00414D50 90 NOP00414D51 90 NOP00414D52 90 NOP00414D53 90 NOP00414D54 90 NOP00414D55 90 NOP00414D56 90 NOP00414D57 90 NOP00414D58 ^ FFE0 JMP EAX ; PESpin.0041317D……004132F6 F685 A15D4000 0>TEST BYTE PTR SS:[EBP+405DA1],1 ; 这里判断是否选择了API重定位,0表示不加密,1表示加密004132FD 74 51 JE SHORT 00413350004132FF 90 NOP00413300 90 NOP00413301 90 NOP00413302 90 NOP00413303 90 NOP00413304 90 NOP00413305 90 NOP00413306 90 NOP00413307 90 NOP00413308 90 NOP00413309 90 NOP0041330A 90 NOP0041330B 90 NOP0041330C 90 NOP0041330D 90 NOP0041330E 90 NOP0041330F 90 NOP00413310 BB 3C080000 MOV EBX,83C ; 重定位api大小00413315 0BDB OR EBX,EBX00413317 74 37 JE SHORT 00413350 ; 如果重定位API大小为0就跳00413319 2BC0 SUB EAX,EAX0041331B 2185 D14B4000 AND DWORD PTR SS:[EBP+404BD1],EAX00413321 E8 01000000 CALL 0041332700413326 90 NOP00413327 59 POP ECX00413328 6A 40 PUSH 40 ; /Protect = PAGE_EXECUTE_READWRITE0041332A 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE0041332F 53 PUSH EBX ; |Size = 83C (2108.)00413330 50 PUSH EAX ; |Address = NULL00413331 8D6424 FC LEA ESP,DWORD PTR SS:[ESP-4] ; |00413335 81C1 23000000 ADD ECX,23 ; |0041333B 890C24 MOV DWORD PTR SS:[ESP],ECX ; |Return Address0041333E FFA5 0E4C4000 JMP DWORD PTR SS:[EBP+404C0E] ; 
\VirtualAlloc00413344 90 NOP00413345 85C0 TEST EAX,EAX00413347 74 21 JE SHORT 0041336A00413349 50 PUSH EAX0041334A 8F85 C94B4000 POP DWORD PTR SS:[EBP+404BC9] ; [EBP+404BC9]保存hmem(00D20000)00413350 8D85 4A0D3400 LEA EAX,DWORD PTR SS:[EBP+340D4A]00413356 8D80 5F320C00 LEA EAX,DWORD PTR DS:[EAX+C325F]0041335C 48 DEC EAX0041335D FFD0 CALL EAX ; 004133A3……00414F25 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE00414F27 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE00414F2C 51 PUSH ECX ; |Size = 5C (92.)00414F2D 6A 00 PUSH 0 ; |Address = NULL00414F2F 53 PUSH EBX ; |Return address00414F30 FFA5 0E4C4000 JMP DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc00414F36 0F01FE INVLPG DH ; Privileged command00414F39 8DB5 AA5A4000 LEA ESI,DWORD PTR SS:[EBP+405AAA]00414F3F 97 XCHG EAX,EDI00414F40 8BDF MOV EBX,EDI00414F42 B9 22000000 MOV ECX,2200414F47 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; From:414ea5 to:D30000 szie:22……0041340C 3BB5 C34B4000 CMP ESI,DWORD PTR SS:[EBP+404BC3] ; ESI保存输入表的起始地址0040C160……00413468 8B5E 0C MOV EBX,DWORD PTR DS:[ESI+C]0041346B 039D C34B4000 ADD EBX,DWORD PTR SS:[EBP+404BC3]00413471 8BFB MOV EDI,EBX ; 第一个API的Name地址……00413473 E8 4C120000 CALL 004146C4 ; 进去就是还原DLL名进去看看: 004146C4 57 PUSH EDI004146C5 800F 00 OR BYTE PTR DS:[EDI],0 ; 如果获取完全部的DLL就直接返回,否则not 还原出正确的DLL名004146C8 74 16 JE SHORT 004146E0004146CA 90 NOP004146CB 90 NOP004146CC 90 NOP004146CD 90 NOP004146CE 90 NOP004146CF 90 NOP004146D0 90 NOP004146D1 90 NOP004146D2 90 NOP004146D3 90 NOP004146D4 90 NOP004146D5 90 NOP004146D6 90 NOP004146D7 90 NOP004146D8 90 NOP004146D9 90 NOP004146DA 90 NOP004146DB F617 NOT BYTE PTR DS:[EDI]004146DD 47 INC EDI004146DE ^ EB E5 JMP SHORT 004146C5004146E0 5F POP EDI ; PESpin.0040C4C8004146E1 C3 RETN……0041347F 53 PUSH EBX ; /FileName = "KERNEL32.DLL00413480 50 PUSH EAX ; |00413481 FFB5 F54B4000 PUSH DWORD PTR SS:[EBP+404BF5] ; \LoadLibraryA00413487 814424 04 14000000 ADD DWORD PTR SS:[ESP+4],14……00413491 85C0 TEST EAX,EAX00413493 0F84 3F090000 JE 00413DD8 
; 如果载入失败则OVER00413499 E8 01000000 CALL 0041349F0041349E 90 NOP0041349F 59 POP ECX004134A0 50 PUSH EAX004134A1 51 PUSH ECX004134A2 55 PUSH EBP004134A3 810424 12374000 ADD DWORD PTR SS:[ESP],00403712004134AA 814424 04 22000000 ADD DWORD PTR SS:[ESP+4],22004134B2 C3 RETN ;这里进去相当于GetModuleHandleA 获取DLL的句柄……004134C1 2BD2 SUB EDX,EDX ; 获取到句柄后把原有DLL的函数名给清0……004134F0 800B 00 OR BYTE PTR DS:[EBX],0004134F3 74 0D JE SHORT 00413502 ; 如果全部清除完毕则跳004134F5 8813 MOV BYTE PTR DS:[EBX],DL ; DLL名清0004134F7 C1C2 04 ROL EDX,4004134FA 90 NOP004134FB 90 NOP004134FC 90 NOP004134FD 43 INC EBX004134FE FF6424 FC JMP DWORD PTR SS:[ESP-4]00413502 93 XCHG EAX,EBX00413503 8B56 10 MOV EDX,DWORD PTR DS:[ESI+10]00413506 0395 C34B4000 ADD EDX,DWORD PTR SS:[EBP+404BC3] ; 定位ThunkValue0041350C 830A 00 OR DWORD PTR DS:[EDX],00041350F 0F84 59010000 JE 0041366E ; 如果该DLL的API处理完则跳去下一步00413515 90 NOP00413516 90 NOP00413517 90 NOP00413518 90 NOP00413519 90 NOP0041351A 90 NOP0041351B 90 NOP0041351C 90 NOP0041351D 90 NOP0041351E 75 02 JNZ SHORT 0041352200413520 90 NOP00413521 90 NOP00413522 8B02 MOV EAX,DWORD PTR DS:[EDX]00413524 A9 00000080 TEST EAX,8000000000413529 74 0A JE SHORT 004135350041352B 25 FFFFFF7F AND EAX,7FFFFFFF00413530 2BFF SUB EDI,EDI00413532 EB 09 JMP SHORT 0041353D00413534 90 NOP00413535 40 INC EAX00413536 0385 C34B4000 ADD EAX,DWORD PTR SS:[EBP+404BC3]0041353C 97 XCHG EAX,EDI0041353D 68 AFFAD0F9 PUSH F9D0FAAF00413542 012C24 ADD DWORD PTR SS:[ESP],EBP00413545 810424 B4466F06 ADD DWORD PTR SS:[ESP],66F46B40041354C 68 4D7B630F PUSH 0F637B4D00413551 812C24 9643230F SUB DWORD PTR SS:[ESP],0F23439600413558 012C24 ADD DWORD PTR SS:[ESP],EBP0041355B C3 RETN ; 这里返回API处理部分跟进看看:……00412C70 8B00 MOV EAX,DWORD PTR DS:[EAX]00412C72 0385 AA374000 ADD EAX,DWORD PTR SS:[EBP+4037AA] ; 获取到的API放到eax中00412C78 EB 10 JMP SHORT 00412C8A00412C7A 83C3 04 ADD EBX,400412C7D 41 INC ECX00412C7E 81F9 B5030000 CMP ECX,3B500412C84 ^ 75 97 JNZ SHORT 00412C1D00412C86 33C0 XOR EAX,EAX00412C88 EB 3F JMP SHORT 00412CC900412C8A 
8BBD 9E374000 MOV EDI,DWORD PTR SS:[EBP+40379E]00412C90 3BC7 CMP EAX,EDI ; 判断是否要加密00412C92 76 35 JBE SHORT 00412CC9 ; 如果小于或等于7c80262c则不加密直接填充00412C94 03BD A2374000 ADD EDI,DWORD PTR SS:[EBP+4037A2]00412C9A 3BF8 CMP EDI,EAX00412C9C 76 2B JBE SHORT 00412CC900412C9E 8DBD 052C4000 LEA EDI,DWORD PTR SS:[EBP+402C05]00412CA4 96 XCHG EAX,ESI00412CA5 33C9 XOR ECX,ECX00412CA7 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]00412CAA 3C 2E CMP AL,2E00412CAC 74 04 JE SHORT 00412CB200412CAE 41 INC ECX00412CAF AA STOS BYTE PTR ES:[EDI]00412CB0 ^ EB F5 JMP SHORT 00412CA700412CB2 41 INC ECX00412CB3 03F1 ADD ESI,ECX00412CB5 56 PUSH ESI00412CB6 2C 2E SUB AL,2E00412CB8 AA STOS BYTE PTR ES:[EDI]00412CB9 2BF9 SUB EDI,ECX00412CBB 57 PUSH EDI00412CBC FF95 F54B4000 CALL DWORD PTR SS:[EBP+404BF5]00412CC2 50 PUSH EAX00412CC3 FF95 FF4B4000 CALL DWORD PTR SS:[EBP+404BFF]00412CC9 EB 01 JMP SHORT 00412CCC00412CCB 90 NOP00412CCC 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; 填充API00412CD0 61 POPAD00412CD1 FF0424 INC DWORD PTR SS:[ESP]……0041355F /0F84 36080000 JE 00413D9B ; 如果获取API失败则over……004135A2 0FBA67 FF 07 BT DWORD PTR DS:[EDI-1],7 ; 获取[EDI-1]的第7位位传送给CF,如果cf为1刚加密api所以这里可以直接patch成clc004135A7 EB 01 JMP SHORT 004135AA004135A9 90 NOP004135AA 9C PUSHFD004135AB F71424 NOT DWORD PTR SS:[ESP]004135AE 832424 01 AND DWORD PTR SS:[ESP],1004135B2 50 PUSH EAX004135B3 52 PUSH EDX004135B4 B8 2E306BF9 MOV EAX,F96B302E004135B9 05 31D09406 ADD EAX,694D031004135BE F76424 08 MUL DWORD PTR SS:[ESP+8]004135C2 8D8428 E9414000 LEA EAX,DWORD PTR DS:[EAX+EBP+4041E9]004135C9 894424 08 MOV DWORD PTR SS:[ESP+8],EAX004135CD 5A POP EDX004135CE 58 POP EAX004135CF 90 NOP004135D0 90 NOP004135D1 90 NOP004135D2 90 NOP004135D3 90 NOP004135D4 90 NOP004135D5 90 NOP004135D6 90 NOP004135D7 90 NOP004135D8 90 NOP004135D9 90 NOP004135DA 90 NOP004135DB 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]004135DF FF6424 FC JMP DWORD PTR SS:[ESP-4] ; CF为1则加密API,加密就跳去eip+5处……00413614 E8 03000000 CALL 0041361C00413619 A0 9AFF5B81 MOV AL,BYTE PTR DS:[815BFF9A]0041361E C3 
RETN0041361F 1900 SBB DWORD PTR DS:[EAX],EAX00413621 0000 ADD BYTE PTR DS:[EAX],AL00413623 53 PUSH EBX00413624 8D9D C050288E LEA EBX,DWORD PTR SS:[EBP+8E2850C0]0041362A 81EB BC1AE88D SUB EBX,8DE81ABC00413630 FFE3 JMP EBX ; 这里跳去加密api……当CF为0时跳到这里:00413643 E8 C4F6FFFF CALL 00412D0C ; 不用加密则处理jmp 表进来看看 :00412D18 57 PUSH EDI ; 这段代码和1.0没有什么变化00412D19 EB 01 JMP SHORT 00412D1C00412D1B 90 NOP00412D1C 51 PUSH ECX00412D1D 90 NOP00412D1E 90 NOP00412D1F 90 NOP00412D20 90 NOP00412D21 90 NOP00412D22 90 NOP00412D23 90 NOP00412D24 90 NOP00412D25 90 NOP00412D26 BF DA9A4000 MOV EDI,00409ADA00412D2B EB 01 JMP SHORT 00412D2E00412D2D 90 NOP00412D2E B9 8C010000 MOV ECX,18C00412D33 90 NOP00412D34 90 NOP00412D35 90 NOP00412D36 90 NOP00412D37 90 NOP00412D38 90 NOP00412D39 90 NOP00412D3A 90 NOP00412D3B 90 NOP00412D3C 90 NOP00412D3D 90 NOP00412D3E 90 NOP00412D3F 90 NOP00412D40 90 NOP00412D41 90 NOP00412D42 90 NOP00412D43 90 NOP00412D44 3917 CMP DWORD PTR DS:[EDI],EDX ; 判断是否找到了该地址00412D46 90 NOP00412D47 90 NOP00412D48 90 NOP00412D49 90 NOP00412D4A 90 NOP00412D4B 90 NOP00412D4C 90 NOP00412D4D 90 NOP00412D4E 90 NOP00412D4F 90 NOP00412D50 90 NOP00412D51 90 NOP00412D52 0F84 90000000 JE 00412DE8 ; 如果找到则跳00412D58 47 INC EDI00412D59 EB 01 JMP SHORT 00412D5C00412D5B 90 NOP00412D5C 49 DEC ECX00412D5D 9C PUSHFD00412D5E C12C24 06 SHR DWORD PTR SS:[ESP],600412D62 F71424 NOT DWORD PTR SS:[ESP]00412D65 832424 01 AND DWORD PTR SS:[ESP],100412D69 50 PUSH EAX00412D6A 52 PUSH EDX00412D6B B8 6592DC52 MOV EAX,52DC926500412D70 05 446D23AD ADD EAX,AD236D4400412D75 F76424 08 MUL DWORD PTR SS:[ESP+8]00412D79 90 NOP00412D7A 90 NOP00412D7B 90 NOP00412D7C 90 NOP00412D7D 90 NOP00412D7E 90 NOP00412D7F 90 NOP00412D80 90 NOP00412D81 90 NOP00412D82 8D8428 A0394000 LEA EAX,DWORD PTR DS:[EAX+EBP+4039A0]00412D89 894424 08 MOV DWORD PTR SS:[ESP+8],EAX00412D8D 5A POP EDX00412D8E 58 POP EAX00412D8F 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]00412D93 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 循环回去找到该地址……00412DCF 90 NOP00412DD0 8902 MOV DWORD 
PTR DS:[EDX],EAX ; 没有找到则直接填充00412DD2 90 NOP00412DD3 90 NOP00412DD4 90 NOP00412DD5 90 NOP00412DD6 90 NOP00412DD7 90 NOP00412DD8 90 NOP00412DD9 90 NOP00412DDA 90 NOP00412DDB 90 NOP00412DDC 90 NOP00412DDD 90 NOP00412DDE 90 NOP00412DDF 90 NOP00412DE0 90 NOP00412DE1 90 NOP00412DE2 90 NOP00412DE3 E9 B2000000 JMP 00412E9A ; 填充完跳去返回 处00412DE8 90 NOP00412DE9 90 NOP00412DEA 90 NOP00412DEB 90 NOP00412DEC 90 NOP00412DED 90 NOP00412DEE 90 NOP00412DEF 90 NOP00412DF0 90 NOP00412DF1 807F FF 00 CMP BYTE PTR DS:[EDI-1],0 ; 如果地址前一位为空则直接填充API00412DF5 74 60 JE SHORT 00412E57……00412E08 807F FF EA CMP BYTE PTR DS:[EDI-1],0EA ; 如果EDI-1位为EA的情况00412E0C ^ 75 90 JNZ SHORT 00412D9E00412E0E 90 NOP00412E0F 90 NOP00412E10 90 NOP00412E11 90 NOP00412E12 90 NOP00412E13 90 NOP00412E14 90 NOP00412E15 90 NOP00412E16 90 NOP00412E17 FE4F FF DEC BYTE PTR DS:[EDI-1] ; 当为EA时改成 e9 远程跳去壳存放API的地方00412E1A 83C7 04 ADD EDI,400412E1D 2BC7 SUB EAX,EDI00412E1F 8947 FC MOV DWORD PTR DS:[EDI-4],EAX……patch一下:00412E0E 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF00412E14 8957 01 MOV DWORD PTR DS:[EDI+1],EDX00412E17 8902 MOV DWORD PTR DS:[EDX],EAX……00412E97 /EB 01 JMP SHORT 00412E9A00412E99 |90 NOP00412E9A \59 POP ECX00412E9B EB 01 JMP SHORT 00412E9E00412E9D 90 NOP00412E9E 5F POP EDI00412E9F C3 RETN ; 返回……00413689 ^\E9 A1FDFFFF JMP 0041342F ; 如果没有处理完全部的API则跳回去继续……00413773 F3: PREFIX REP: ; Superfluous prefix00413774 0F31 RDTSC ; 处理完全部的api就到这里来了,壳用rdtsc时间来反调试器00413776 50 PUSH EAX00413777 F3: PREFIX REP: ; Superfluous prefix00413778 0F31 RDTSC0041377A EB 01 JMP SHORT 0041377D把这两个RDTSC给nop掉就行了……004137B7 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]004137BB FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 如果让上面的RDTSC执行的话,这里就会跳去错误 的地址……00413834 BB BDAED669 MOV EBX,69D6AEBD00413839 2BC3 SUB EAX,EBX0041383B 3D 99E925A9 CMP EAX,A925E999 ; 这里判断加壳时有没有选择code redirection00413840 90 NOP00413841 90 NOP00413842 90 NOP00413843 90 NOP00413844 90 NOP00413845 90 NOP00413846 90 NOP00413847 90 NOP00413848 90 NOP00413849 74 79 JE SHORT 004138C4 ; 如果没有选择code 
重定位则跳0041384B BE A2524100 MOV ESI,004152A2 ; 从4152a2处开始处理重定位代码00413850 B9 5C020000 MOV ECX,25C00413855 51 PUSH ECX00413856 B0 05 MOV AL,500413858 304431 FF XOR BYTE PTR DS:[ECX+ESI-1],AL ; 结束地址为4154fd计算方法为xor 50041385C 90 NOP0041385D 90 NOP0041385E 90 NOP0041385F 90 NOP00413860 90 NOP00413861 90 NOP00413862 90 NOP00413863 90 NOP00413864 90 NOP00413865 90 NOP00413866 90 NOP00413867 90 NOP00413868 004C31 FF ADD BYTE PTR DS:[ECX+ESI-1],CL ; 然后xor cl的值0041386C 49 DEC ECX0041386D 9C PUSHFD0041386E C12C24 06 SHR DWORD PTR SS:[ESP],600413872 F71424 NOT DWORD PTR SS:[ESP]00413875 832424 01 AND DWORD PTR SS:[ESP],100413879 50 PUSH EAX0041387A 52 PUSH EDX0041387B B8 72B2DC12 MOV EAX,12DCB27200413880 05 444D23ED ADD EAX,ED234D4400413885 F76424 08 MUL DWORD PTR SS:[ESP+8]00413889 8D8428 A7444000 LEA EAX,DWORD PTR DS:[EAX+EBP+4044A7]00413890 894424 08 MOV DWORD PTR SS:[ESP+8],EAX00413894 5A POP EDX00413895 58 POP EAX00413896 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]0041389A ^ FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 如果没有解压完则跳回去继续0041384B BE A2524100 MOV ESI,004152A2 ; 从4152a2处开始处理重定位代码00413850 B9 5C020000 MOV ECX,25C00413855 51 PUSH ECX00413856 B0 05 MOV AL,500413858 304431 FF XOR BYTE PTR DS:[ECX+ESI-1],AL ; 结束地址为4154fd计算方法为xor 50041385C 90 NOP0041385D 90 NOP0041385E 90 NOP0041385F 90 NOP00413860 90 NOP00413861 90 NOP00413862 90 NOP00413863 90 NOP00413864 90 NOP00413865 90 NOP00413866 90 NOP00413867 90 NOP00413868 004C31 FF ADD BYTE PTR DS:[ECX+ESI-1],CL ; 然后xor cl的值0041386C 49 DEC ECX0041386D 9C PUSHFD0041386E C12C24 06 SHR DWORD PTR SS:[ESP],600413872 F71424 NOT DWORD PTR SS:[ESP]00413875 832424 01 AND DWORD PTR SS:[ESP],100413879 50 PUSH EAX0041387A 52 PUSH EDX0041387B B8 72B2DC12 MOV EAX,12DCB27200413880 05 444D23ED ADD EAX,ED234D4400413885 F76424 08 MUL DWORD PTR SS:[ESP+8]00413889 8D8428 A7444000 LEA EAX,DWORD PTR DS:[EAX+EBP+4044A7]00413890 894424 08 MOV DWORD PTR SS:[ESP+8],EAX00413894 5A POP EDX00413895 58 POP EAX00413896 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]0041389A ^ 
FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 如果没有解压完则跳回去继续……004138A2 59 POP ECX004138A3 90 NOP004138A4 90 NOP004138A5 90 NOP004138A6 90 NOP004138A7 90 NOP004138A8 90 NOP004138A9 90 NOP004138AA 90 NOP004138AB 90 NOP004138AC 90 NOP004138AD 90 NOP004138AE 90 NOP004138AF 90 NOP004138B0 90 NOP004138B1 90 NOP004138B2 90 NOP004138B3 90 NOP004138B4 BF C8014000 MOV EDI,004001C8004138B9 90 NOP004138BA 90 NOP004138BB 90 NOP004138BC 90 NOP004138BD 90 NOP004138BE 90 NOP004138BF 90 NOP004138C0 90 NOP004138C1 90 NOP004138C2 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; From 4152a2 to:4001c8 size:25c……004138FB 61 POPAD ; 到这里就着陆了004138FC BA 0F5C8CCE MOV EDX,CE8C5C0F ; 程序OEP代码00413901 EB 01 JMP SHORT 0041390400413903 90 NOP00413904 81F2 753DE58A XOR EDX,8AE53D750041390A EB 01 JMP SHORT 0041390D0041390C 90 NOP0041390D 2BC0 SUB EAX,EAX ; sub eax,eax0041390F EB 01 JMP SHORT 0041391200413911 90 NOP00413912 68 1D39ACE7 PUSH E7AC391D00413917 810424 63979418 ADD DWORD PTR SS:[ESP],18949763 ; push 40d0800041391E 50 PUSH EAX ; push eax0041391F EB 01 JMP SHORT 0041392200413921 90 NOP00413922 50 PUSH EAX ; push eax00413923 EB 01 JMP SHORT 0041392600413925 90 NOP00413926 68 30394100 PUSH 00413930 ; call 00409AF20041392B - E9 C261FFFF JMP 00409AF2 ; JMP to kernel32.CreateMutexA00413930 68 3A394100 PUSH 0041393A ; call 00409B1C00413935 - E9 E261FFFF JMP 00409B1C ; JMP to ntdll.RtlGetLastWin32Error0041393A 3D B7000000 CMP EAX,0B7 ; CMP EAX,0B70041393F EB 01 JMP SHORT 0041394200413941 90 NOP00413942 - E9 025AFFFF JMP 00409349所以正确的STOLEN code为:00409326 . BA 0F5C8CCE MOV EDX,CE8C5C0F0040932B . 81F2 753DE58A XOR EDX,8AE53D7500409331 . 2BC0 SUB EAX,EAX00409333 . 68 80D04000 PUSH 0040D080 ; /MutexName = "PE_SPIN_v1.1"00409338 . 50 PUSH EAX ; |InitialOwner => FALSE00409339 . 50 PUSH EAX ; |pSecurity => NULL0040933A . E8 B3070000 CALL 00409AF2 ; \CreateMutexA0040933F . E8 D8070000 CALL 00409B1C ; JMP to ntdll.RtlGetLastWin32Error00409344 . 
3D B7000000 CMP EAX,0B7……(上次分析到这里就没有下去了,自己整天忙的像什么一样,不过忙完又不知道忙了些什么L)这里开始比较重要是关系到后面的修复。下面分析出哪几个地方要修复:
Type 1: PE header stolen code

In the program's code you see plenty of sequences like this:

004093E9  E9 1E6EFFFF       JMP 0040020C                          ; *******
004093EE  FF35 65E04000     PUSH DWORD PTR DS:[40E065]
004093F4  E8 1E6EFFFF       CALL 00400217
004093F9  2BC0              SUB EAX,EAX
004093FB  50                PUSH EAX
004093FC  E8 1C6EFFFF       CALL 0040021D                         ; *******
00409401  E8 1D6EFFFF       CALL 00400223                         ; *******

The code has been moved into the PE header: each time, the packer lifts five bytes out of the program and executes them from inside the header (the 4001C8..400428 window it refills at run time), leaving a JMP or CALL into the header behind. Repairing this is simple enough :).
Type 2: SDK Protect

The biggest change in v1.1, and an interesting one. It comes in two forms.

First form. The decoding trigger:

00409369  9C                PUSHFD
0040936A  60                PUSHAD
0040936B  B9 C018265F       MOV ECX,5F2618C0
00409370  BF BABA78D9       MOV EDI,D978BABA
00409375  81E9 A318265F     SUB ECX,5F2618A3                      ; ECX = 1D, the number of bytes to decode
0040937B  B8 33F423AF       MOV EAX,AF23F433
00409380  05 E7601D51       ADD EAX,511D60E7                      ; EAX = 0041551A, the pointer slot through which the decoder at 00D30000 is called
00409385  FF0D 8B934000     DEC DWORD PTR DS:[40938B]             ; self-modifying: decrements the next instruction's own bytes
0040938B  FF10              CALL DWORD PTR DS:[EAX]               ; step in here to see the algorithm
0040938D  61                POPAD
0040938E  9D                POPFD

The decoder itself:

00D30000  90                NOP
……
00D30009  81EF 512738D9     SUB EDI,D9382751                      ; EDI = 00409369, the PUSHFD above
00D3000F  87D9              XCHG ECX,EBX
00D30011  B9 24000000       MOV ECX,24
00D30016  2AC0              SUB AL,AL
00D30018  FC                CLD
00D30019  F3:AA             REP STOS BYTE PTR ES:[EDI]            ; zero the 24-byte trigger stub (409369..40938C)
00D3001B  87D9              XCHG ECX,EBX                          ; ECX = 1D again
00D3001D  83C7 02           ADD EDI,2                             ; skip POPAD/POPFD: the encrypted bytes start at 0040938F
00D30020  8A07              MOV AL,BYTE PTR DS:[EDI]
00D30022..00D30027  90      NOP x6
00D30028  FEC8              DEC AL
00D3002A  C0C8 D1           ROR AL,0D1                            ; Olly: shift constant out of range 1..31; the CPU masks the count, so this is ROR AL,1
00D3002D  C0C8 D7           ROR AL,0D7                            ; and this ROR AL,7: together a full turn
00D30030..00D30032  90      NOP x3
00D30033  FEC8              DEC AL
00D30035  04 4E             ADD AL,4E
00D30037  32C1              XOR AL,CL                             ; CL is the remaining count: a different key byte for every position
00D30039  C0C8 0F           ROR AL,0F                             ; ROR AL,7
00D3003C  FEC8              DEC AL
00D3003E..00D30047  90      NOP x10
00D30048  02C1              ADD AL,CL
00D3004A  AA                STOS BYTE PTR ES:[EDI]                ; write the restored byte
00D3004B  49                DEC ECX
00D3004C  75 D2             JNZ SHORT 00D30020
00D30053  90                NOP
……
00D3005A  C3                RETN

The wiping code that follows the decoded block:

004093AC  EB 0B             JMP SHORT 004093B9
004093AE  90                NOP
004093AF  81E9 2D08830B     SUB ECX,0B83082D                      ; ECX = 41
004093B5  40                INC EAX
004093B6  74 10             JE SHORT 004093C8
004093B8  90                NOP
004093B9  9C                PUSHFD
004093BA  EB 01             JMP SHORT 004093BD
004093BC  90                NOP
004093BD  60                PUSHAD
004093BE  F9                STC
004093BF  1BC0              SBB EAX,EAX                           ; EAX = FFFFFFFF, so AL = FF
004093C1  B9 6E08830B       MOV ECX,0B83086E
004093C6  EB E7             JMP SHORT 004093AF
004093C8  BF C8B93096       MOV EDI,9630B9C8
004093CD  FC                CLD
004093CE  81C7 C7D90F6A     ADD EDI,6A0FD9C7                      ; EDI = 0040938F, the start of the decoded code
004093D4  F3:AA             REP STOS BYTE PTR ES:[EDI]            ; 41 bytes of FF: once the block has run, the decoded code is destroyed again
004093D6  48                DEC EAX
004093D7  75 04             JNZ SHORT 004093DD
004093D9  9D                POPFD
004093DA  EB 05             JMP SHORT 004093E1
004093DC  90                NOP
004093DD  61                POPAD
004093DE  EB F9             JMP SHORT 004093D9
004093E0  90                NOP

Second form, decode/re-encrypt:

00406348  75 49             JNZ SHORT 00406393
0040634A  FF15 3E554100     CALL DWORD PTR DS:[41553E]            ; step in: decodes the block that follows
00406350  026B E8           ADD CH,BYTE PTR DS:[EBX-18]           ; Olly's decode of the length dword and the still-encrypted bytes
00406353  77 CD             JA SHORT 00406322
00406369  99                CDQ
……
00406382  FF15 4E554100     CALL DWORD PTR DS:[41554E]            ; step in: encrypts the decoded block again

Decoder:
……
00D00003  9C                PUSHFD
00D00004..00D00006  90      NOP x3
00D00007  60                PUSHAD
00D00008  8B4424 24         MOV EAX,DWORD PTR SS:[ESP+24]         ; return address: it points at the length dword
00D0000C  8B08              MOV ECX,DWORD PTR DS:[EAX]
00D0000E  8D78 04           LEA EDI,DWORD PTR DS:[EAX+4]          ; the encrypted code starts right after it ...
00D00011  897C24 24         MOV DWORD PTR SS:[ESP+24],EDI         ; ... and that is where this routine returns to
00D00015  81E9 D46AE877     SUB ECX,77E86AD4                      ; ECX = byte count
00D0001B  FC                CLD
……
00D00028  8A07              MOV AL,BYTE PTR DS:[EDI]
00D0002A  C0C8 42           ROR AL,42                             ; ROR AL,2 once the count is masked
00D0002D..00D00030  90      NOP x4
00D00031  04 D0             ADD AL,0D0
00D00033  02C1              ADD AL,CL                             ; CL = remaining count
00D00035  FEC8              DEC AL
00D00037  04 09             ADD AL,9
00D00039  FEC8              DEC AL
00D0003B..00D00040  90      NOP x6
00D00041  34 2C             XOR AL,2C
00D00043  C0C0 DA           ROL AL,0DA                            ; ROL AL,2
00D00046..00D0004E  90      NOP x9
00D0004F  FEC8              DEC AL
00D00051  90                NOP
00D00052  AA                STOS BYTE PTR ES:[EDI]                ; decoded
00D00053  49                DEC ECX
00D00054  75 D2             JNZ SHORT 00D00028

Encryptor:
……
00D10009  9C                PUSHFD
00D1000A  60                PUSHAD
00D1000B  8B4424 24         MOV EAX,DWORD PTR SS:[ESP+24]
00D1000F  8B08              MOV ECX,DWORD PTR DS:[EAX]
00D10011  8D78 04           LEA EDI,DWORD PTR DS:[EAX+4]
00D10014  897C24 24         MOV DWORD PTR SS:[ESP+24],EDI
00D10018  8D7F F6           LEA EDI,DWORD PTR DS:[EDI-A]          ; back over the 6-byte CALL and the length dword ...
00D1001B  81E9 F67FBB0E     SUB ECX,0EBB7FF6                      ; ECX = byte count
00D10021  2BF9              SUB EDI,ECX                           ; ... and over the block: EDI = start of the decoded code
00D10023  FC                CLD
00D10024  8A07              MOV AL,BYTE PTR DS:[EDI]
00D10026  90                NOP
00D10027  FEC0              INC AL
00D10029..00D10031  90      NOP x9
00D10032  C0C8 DA           ROR AL,0DA                            ; ROR AL,2: each step of the decoder, undone in reverse order
00D10035  34 2C             XOR AL,2C
00D10037..00D1003C  90      NOP x6
00D1003D  FEC0              INC AL
00D1003F  2C 09             SUB AL,9
00D10041  FEC0              INC AL
00D10043  2AC1              SUB AL,CL
00D10045  2C D0             SUB AL,0D0
00D10047..00D1004A  90      NOP x4
00D1004B  C0C0 42           ROL AL,42                             ; ROL AL,2
00D1004E  AA                STOS BYTE PTR ES:[EDI]
00D1004F  49                DEC ECX
00D10050  75 D2             JNZ SHORT 00D10024
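The two in-place ciphers read off the listings above, reimplemented in Python as an added example (this is neither PESpin's code nor the article's): the dword stub cipher the loader runs at 00414BF6 and 00414CBD, and the SDK byte cipher of the second form together with its re-encryptor, plus the first form's decoder. Two things are assumed rather than taken from the page: block lengths are passed in plain (the stubs derive them from obfuscated dwords), and the per-byte key in the SDK routines is CL counting down from the length to 1, which is what the DEC ECX / JNZ loop implies.

```python
# Added example: PESpin v1.1's in-place ciphers, reimplemented from the listings
# in this article (not PESpin's code, not the author's). Assumptions: block
# lengths are passed in plain (the stubs derive them from obfuscated dwords), and
# the per-byte key in the SDK routines is CL counting down from the length to 1.


def _ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


def _rot8(v, n, left):
    """x86 masks a rotate count to 5 bits and an 8-bit rotate repeats every 8,
    so ROR AL,0D1 is ROR AL,1, ROR AL,0D7 and ROR AL,0F are ROR AL,7, and
    ROR/ROL AL,42 and AL,0DA are rotates by 2 (Olly shows them as out of range)."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    if left:
        return ((v << n) | (v >> (8 - n))) & 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF


# Loader stub cipher (00414BF6 / 00414CBD):
#   LODSD / DEC EDX / ADD EAX,EDX / INC EDX / XOR EAX,EDX / DEC EDX / ROR EDX,8 / STOSD
def stub_decrypt(words, key):
    out, edx = [], key
    for w in words:
        out.append(((w + (edx - 1)) ^ edx) & 0xFFFFFFFF)
        edx = _ror32((edx - 1) & 0xFFFFFFFF, 8)   # key schedule
    return out


def stub_encrypt(words, key):
    """Inverse of stub_decrypt: undo the XOR, then the ADD."""
    out, edx = [], key
    for w in words:
        out.append(((w ^ edx) - (edx - 1)) & 0xFFFFFFFF)
        edx = _ror32((edx - 1) & 0xFFFFFFFF, 8)
    return out


# SDK second form (00D00028): decode loop, and its exact inverse (00D10024)
def sdk_decode(enc):
    n, out = len(enc), bytearray()
    for i, b in enumerate(enc):
        k = (n - i) & 0xFF                      # CL while this byte is processed
        a = _rot8(b, 0x42, left=False)          # ROR AL,42
        a = (a + 0xD0 + k - 1 + 9 - 1) & 0xFF   # ADD D0 / ADD CL / DEC / ADD 9 / DEC
        a ^= 0x2C                               # XOR AL,2C
        a = _rot8(a, 0xDA, left=True)           # ROL AL,0DA
        out.append((a - 1) & 0xFF)              # DEC AL
    return bytes(out)


def sdk_encode(plain):
    n, out = len(plain), bytearray()
    for i, a in enumerate(plain):
        k = (n - i) & 0xFF
        b = (a + 1) & 0xFF                      # INC AL
        b = _rot8(b, 0xDA, left=False)          # ROR AL,0DA
        b ^= 0x2C                               # XOR AL,2C
        b = (b + 1 - 9 + 1 - k - 0xD0) & 0xFF   # INC / SUB 9 / INC / SUB CL / SUB D0
        out.append(_rot8(b, 0x42, left=True))   # ROL AL,42
    return bytes(out)


# SDK first form (00D30020): decode only; the packer wipes the block afterwards
def sdk_decode_v1(enc):
    n, out = len(enc), bytearray()
    for i, b in enumerate(enc):
        k = (n - i) & 0xFF
        a = (b - 1) & 0xFF                      # DEC AL
        a = _rot8(a, 0xD1, left=False)          # ROR AL,1 ...
        a = _rot8(a, 0xD7, left=False)          # ... ROR AL,7: a full turn, i.e. nothing
        a = (a - 1 + 0x4E) & 0xFF               # DEC / ADD 4E
        a ^= k                                  # XOR AL,CL
        a = _rot8(a, 0x0F, left=False)          # ROR AL,7
        out.append((a - 1 + k) & 0xFF)          # DEC / ADD CL
    return bytes(out)


if __name__ == "__main__":
    # constructed sample block: a few bytes of x86 code
    code = bytes.fromhex("558BEC83EC0C5356578B7D08")
    assert sdk_decode(sdk_encode(code)) == code
    print([hex(w) for w in stub_decrypt([0, 0, 0], 0x800EE413)])   # ['0x1', '0x7', '0x3']
```

To apply this to a dump, feed `stub_decrypt` the 0A dwords at 00415526 with key 800EE413 and `sdk_decode` the bytes that follow a `CALL DWORD PTR [41553E]` plus its length dword; the key-stream being the loop counter is also why a block only decodes correctly when the length is right.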
Type 3: anti-unpack

Not sure this counts, but the main program carries one check:

00409837  B8 ABA44300       MOV EAX,43A4AB                        ; has the program been unpacked?
0040983C  2D 910A0300       SUB EAX,30A91                         ; EAX = 00409A1A
00409841  FFD0              CALL EAX                              ; the check itself; step in:

00409A1A  B8 1BBAD5FA       MOV EAX,FAD5BA1B
00409A1F  05 BFE06A05       ADD EAX,56AE0BF                       ; EAX = 00409ADA, the first entry of the API jump table
00409A24  BB 4655A308       MOV EBX,8A35546
00409A29  81EB 5D54A308     SUB EBX,8A3545D                       ; EBX = 0E9
00409A2F  2A18              SUB BL,BYTE PTR DS:[EAX]              ; i.e. is the byte at 409ADA 0E9? if not, the jump below goes astray
00409A31  58                POP EAX                               ; return address
00409A32  C1C3 16           ROL EBX,16
00409A35  03C3              ADD EAX,EBX                           ; any difference is shifted up and added to the return address
00409A37  FFE0              JMP EAX                               ; only returns to the right code when the byte matched

Once the IAT fix turns that entry back into FF 25 (JMP DWORD PTR [thunk]), this check fails, so it has to go as well. That completes the analysis of the packer; on to step two ^_^.
Step two: unpacking

With the analysis done we can unpack, and there is quite a bit of repair code to write. I use a script, patches to the packer's own code, and code of my own. The sequence: script fixes the IAT and reaches the stolen code -> allocate memory -> write code -> change EIP -> set breakpoints -> patch code -> script removes the "garbage" code -> remove the anti-unpack check.

First a script that fixes the IAT and stops at the OEP stolen code:

/*
//////////////////////////////////////////////////
PESpin v1.1 Stolen Code Finder v0.1
Author: loveboom
Email : loveboom#163.com
OS    : WinXP sp1, Ollydbg 1.1, OllyScript v0.92
Date  : 2005-3-9
Action: fix the IAT and stop at the stolen code.
Config: Ignore all exceptions
Note  : If you have one or more question, email me please, thank you!
//////////////////////////////////////////////////
*/
var addr
var addr1

start:
  msgyn "Config:Ignore all exceptions,continue?"
  cmp $RESULT,1
  je lbl1
  ret

lbl1:
  gpa "LoadLibraryA","kernel32.dll"     // break at LoadLibraryA+B
  mov addr,$RESULT
  add addr,B
  bp addr
  esto

lbl2:
  cmp eip,addr
  jne lblabort
  bc addr
  mov addr,esp
  add addr,c
  mov addr,[addr]
  bp addr
  esto
  bc addr

lbl3:
  find eip,#0FBA67FF07#                 // find 'bt [edi-1],7'
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  fill addr,1,F8                        // patch to clc: clear CF
  inc addr
  mov [addr],90909090

lblnext1:
  find addr,#0F31#                      // find 'RDTSC'
  cmp $RESULT,0
  je lblabort
  find $RESULT,#FF6424FC#               // find 'JMP DWORD PTR SS:[ESP-4]'
  cmp $RESULT,0
  je lblabort
  mov addr1,$RESULT
  bp addr1

lblfind1:
  find addr,#FF6424FC#                  // find 'JMP DWORD PTR SS:[ESP-4]'
  cmp $RESULT,0
  je lblabort
  go $RESULT
  sto
  sti

lblfind2:
  find eip,#807FFFEA#                   // find 'CMP BYTE PTR DS:[EDI-1],0EA'
  cmp $RESULT,0
  je lblabort
  find $RESULT,#FE4FFF83C7042BC78947FC#
  /* finds:
     FE4F FF   DEC BYTE PTR DS:[EDI-1]
     83C7 04   ADD EDI,4
     2BC7      SUB EAX,EDI
     8947 FC   MOV DWORD PTR DS:[EDI-4],EAX */
  cmp $RESULT,0
  je lblabort
  fill $RESULT,b,90
  mov addr,$RESULT
  bp addr

lblloop1:
  run

lblcheck:
  cmp eip,addr
  jne lbl4
  exec                                  // fix the IAT
    mov word ptr [edi-1],25FF
    mov [edi+1],edx
    mov [edx],eax
  ende
  jmp lblloop1

lbl4:
  bc addr
  bc addr1
  find eip,#E801000000??83C404#         // find 'call $+1 / add esp,4'
  cmp $RESULT,0
  je lblerrver
  go $RESULT
  find $RESULT,#61#
  cmp $RESULT,0
  je lblerrver
  go $RESULT
  sto
  cmt eip,"Stolen code."
lblend:
  msg "Script finished,script by loveboom[DFCG][FCG][US].Thank you for using my script!"
  ret

lblabort:
  msg "Error,script aborted.Maybe target is not protect by pespin 1.1 or you forgot ignore all exceptions."
  ret

lblerrver:
  msg "The target may be protected by pespin 1.0 or an earlier version!"
  ret

When the script has finished, allocate a little memory yourself (by hand or with a tool), write some code into it, and set EIP to the start of your patch code:

.386
.model flat                     ; the two directives above are added so the fragment assembles on its own; the original starts at .code
.code
start:
    pushfd
    pushad
    mov edi,401000h             ; start address
    mov ecx,0B000h              ; search size
    push edi                    ; save both registers; the later passes reuse them
    push ecx
    cld
lblpupfd01:                     ; the PUSHFD case
    mov al,09Ch
lbllp1:
    repne scas byte ptr [edi]   ; look for PUSHFD
    jnz lblcallpart             ; nothing left: next pass
    cmp byte ptr [edi],60h      ; is it PUSHFD / PUSHAD?
    jne lbllp1
    cmp word ptr [edi+23h],9D61h ; and POPAD / POPFD 23h bytes later?
    jne lbllp1
    dec edi
    call edi                    ; let the packer's own code restore the program code
    jmp lbllp1
lblcallpart:                    ; PE header stolen code, CALL form
    pop ecx
    pop edi
    push edi
    push ecx
    mov al,0E8h                 ; look for CALLs first
lblLoop:
    repne scas byte ptr [edi]
    jnz lbljmppart              ; done: go handle the JMPs
    mov edx,[edi]
    lea edx,[edi+edx+4]         ; absolute target
    cmp edx,4001C8h             ; inside the header window?
    jb lblLoop
    cmp edx,400428h
    ja lblLoop
    cmp byte ptr [edx],0E9h     ; a direct jmp there? strictly not needed, kept to make later changes easier :-)
    jne lblLoop
    push ecx
    mov ecx,[edx+1]             ; restore: retarget the call to where the header jmp goes
    lea ecx,[edx+ecx+5]
    sub ecx,edi
    sub ecx,4
    mov [edi],ecx
    pop ecx
    jmp lblLoop
lbljmppart:                     ; JMP form
    pop ecx
    pop edi
    push edi
    push ecx
    mov al,0E9h
lblloop01:
    repne scas byte ptr [edi]   ; same as the CALL case
    jnz lblcallpart01
    mov edx,[edi]
    lea edx,[edi+edx+4]
    cmp edx,4001c8h             ; inside the header window?
    jb lblloop01
    cmp edx,400428h
    ja lblloop01
    cmp byte ptr [edx+5],0E9h   ; exactly five bytes stolen, followed by the jmp back? also kept for later changes
    jne lblloop01
    push ecx
    mov cl,byte ptr [edx]       ; copy the five bytes back
    mov byte ptr [edi-1],cl
    mov ecx,[edx+1]
    mov [edi],ecx
    pop ecx
    jmp lblloop01
lblcallpart01:                  ; the encrypted-call (SDK) part
    pop ecx
    pop edi
@@:
    mov al,0FFh
lblloop02:
    repne scas byte ptr [edi]
    jnz lblend                  ; search exhausted: done :-)
    cmp byte ptr [edi],15h      ; CALL DWORD PTR DS:[address]?
    jne lblloop02
    mov edx,[edi+1]
    cmp edx,41553eh             ; address 41553Eh: the decoder
    je @F
    cmp edx,41554Eh             ; address 41554Eh: the re-encryptor
    jne lblloop02
    push edi                    ; NOP out the packer's re-encrypt call
    dec edi
    push ecx
    mov ecx,0ah
    mov al,90h
    cld
    rep stos byte ptr [edi]
    pop ecx
    pop edi
    jmp @B
@@:
    mov edx,edi                 ; call the packer's decoder to restore the program code
    dec edx
    call edx
    jmp lblloop02
lblend:
    popad
    popfd
end start

Mine looks like this:

01120000  9C                PUSHFD
01120001  60                PUSHAD
01120002  BF 00104000       MOV EDI,401000
01120007  B9 00B00000       MOV ECX,0B000
0112000C  57                PUSH EDI
0112000D  51                PUSH ECX
0112000E  FC                CLD
0112000F  B0 9C             MOV AL,9C
01120011  F2:AE             REPNE SCAS BYTE PTR ES:[EDI]
01120013  75 12             JNZ SHORT 01120027
01120015  803F 60           CMP BYTE PTR DS:[EDI],60
01120018  75 F7             JNZ SHORT 01120011
0112001A  66:817F 23 619D   CMP WORD PTR DS:[EDI+23],9D61
01120020  75 EF             JNZ SHORT 01120011
01120022  4F                DEC EDI
01120023  FFD7              CALL EDI                              ; with the code written, break here the first time, then step in and patch the packer's code
01120025  EB EA             JMP SHORT 01120011
01120027  59                POP ECX
01120028  5F                POP EDI
01120029  57                PUSH EDI
0112002A  51                PUSH ECX
0112002B  B0 E8             MOV AL,0E8
0112002D  F2:AE             REPNE SCAS BYTE PTR ES:[EDI]
0112002F  75 2D             JNZ SHORT 0112005E
01120031  8B17              MOV EDX,DWORD PTR DS:[EDI]
01120033  8D543A 04         LEA EDX,DWORD PTR DS:[EDX+EDI+4]
01120037  81FA C8014000     CMP EDX,4001C8
0112003D  72 EE             JB SHORT 0112002D
0112003F  81FA 28044000     CMP EDX,400428
01120045  77 E6             JA SHORT 0112002D
01120047  803A E9           CMP BYTE PTR DS:[EDX],0E9
0112004A  75 E1             JNZ SHORT 0112002D
0112004C  51                PUSH ECX
0112004D  8B4A 01           MOV ECX,DWORD PTR DS:[EDX+1]
01120050  8D4C11 05         LEA ECX,DWORD PTR DS:[ECX+EDX+5]
01120054  2BCF              SUB ECX,EDI
01120056  83E9 04           SUB ECX,4
01120059  890F              MOV DWORD PTR DS:[EDI],ECX
0112005B  59                POP ECX
0112005C  EB CF             JMP SHORT 0112002D
0112005E  59                POP ECX
0112005F  5F                POP EDI
01120060  57                PUSH EDI
01120061  51                PUSH ECX
01120062  B0 E9             MOV AL,0E9
01120064  F2:AE             REPNE SCAS BYTE PTR ES:[EDI]
01120066  75 2A             JNZ SHORT 01120092
01120068  8B17              MOV EDX,DWORD PTR DS:[EDI]
0112006A  8D543A 04         LEA EDX,DWORD PTR DS:[EDX+EDI+4]
0112006E  81FA C8014000     CMP EDX,4001C8
01120074  72 EE             JB SHORT 01120064
01120076  81FA 28044000     CMP EDX,400428
0112007C  77 E6             JA SHORT 01120064
0112007E  807A 05 E9        CMP BYTE PTR DS:[EDX+5],0E9
01120082  75 E0             JNZ SHORT 01120064
01120084  51                PUSH ECX
01120085  8A0A              MOV CL,BYTE PTR DS:[EDX]
01120087  884F FF           MOV BYTE PTR DS:[EDI-1],CL
0112008A  8B4A 01           MOV ECX,DWORD PTR DS:[EDX+1]
0112008D  890F              MOV DWORD PTR DS:[EDI],ECX
0112008F  59                POP ECX
01120090  EB D2             JMP SHORT 01120064
01120092  59                POP ECX
01120093  5F                POP EDI
01120094  B0 FF             MOV AL,0FF
01120096  F2:AE             REPNE SCAS BYTE PTR ES:[EDI]
01120098  75 30             JNZ SHORT 011200CA
0112009A  803F 15           CMP BYTE PTR DS:[EDI],15
0112009D  75 F7             JNZ SHORT 01120096
0112009F  8B57 01           MOV EDX,DWORD PTR DS:[EDI+1]
011200A2  81FA 3E554100     CMP EDX,41553E
011200A8  74 19             JE SHORT 011200C3
011200AA  81FA 4E554100     CMP EDX,41554E
011200B0  75 E4             JNZ SHORT 01120096
011200B2  57                PUSH EDI
011200B3  4F                DEC EDI
011200B4  51                PUSH ECX
011200B5  B9 0A000000       MOV ECX,0A
011200BA  B0 90             MOV AL,90
011200BC  FC                CLD
011200BD  F3:AA             REP STOS BYTE PTR ES:[EDI]
011200BF  59                POP ECX
011200C0  5F                POP EDI
011200C1  EB D1             JMP SHORT 01120094
011200C3  8BD7              MOV EDX,EDI
011200C5  4A                DEC EDX
011200C6  FFD2              CALL EDX                              ; break here the first time as well, then step in and let the packer's own code finish the job
011200C8  EB CC             JMP SHORT 01120096
011200CA  61                POPAD
011200CB  9D                POPFD
Patch applied after breaking at the first location:

00D30009 81EF 512738D9 SUB EDI,D9382751
00D3000F 87D9 XCHG ECX,EBX
00D30011 B9 26000000 MOV ECX,26
00D30016 B0 90 MOV AL,90 ; clear the original code
00D30018 FC CLD
00D30019 F3:AA REP STOS BYTE PTR ES:[EDI]
00D3001B 87D9 XCHG ECX,EBX
00D3001D 90 NOP
00D3001E 90 NOP
00D3001F 90 NOP
00D30020 8A07 MOV AL,BYTE PTR DS:[EDI]
00D30022 F8 CLC
00D30023 90 NOP
00D30024 90 NOP
00D30025 90 NOP
00D30026 F9 STC
00D30027 F9 STC
00D30028 FEC8 DEC AL
00D3002A C0C8 D1 ROR AL,0D1 ; Shift constant out of range 1..31
00D3002D C0C8 D7 ROR AL,0D7 ; Shift constant out of range 1..31
00D30030 90 NOP
00D30031 90 NOP
00D30032 90 NOP
00D30033 FEC8 DEC AL
00D30035 04 4E ADD AL,4E
00D30037 32C1 XOR AL,CL
00D30039 C0C8 0F ROR AL,0F
00D3003C FEC8 DEC AL
00D3003E F9 STC
00D3003F F8 CLC
00D30040 90 NOP
00D30041 F9 STC
00D30042 90 NOP
00D30043 90 NOP
00D30044 90 NOP
00D30045 90 NOP
00D30046 90 NOP
00D30047 90 NOP
00D30048 02C1 ADD AL,CL
00D3004A AA STOS BYTE PTR ES:[EDI] ; restore the code
00D3004B 49 DEC ECX
00D3004C ^ 75 D2 JNZ SHORT 00D30020
00D3004E 83C4 04 ADD ESP,4 ; once restored, jump back to our own patch code
00D30051 61 POPAD
00D30052 9D POPFD
00D30053 C3 RETN

Once the changes are made, remove the first breakpoint and press F9 to run; execution breaks at the second location.
Patch applied after breaking at the second location:

00D00000 90 NOP
00D00001 90 NOP
00D00002 90 NOP
00D00003 9C PUSHFD
00D00004 90 NOP
00D00005 90 NOP
00D00006 90 NOP
00D00007 60 PUSHAD
00D00008 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
00D0000C 8B08 MOV ECX,DWORD PTR DS:[EAX]
00D0000E 8D78 04 LEA EDI,DWORD PTR DS:[EAX+4]
00D00011 897C24 24 MOV DWORD PTR SS:[ESP+24],EDI
00D00015 81E9 D46AE877 SUB ECX,77E86AD4
00D0001B FC CLD
00D0001C 90 NOP
00D0001D 90 NOP
00D0001E 90 NOP
00D0001F 90 NOP
00D00020 90 NOP
00D00021 90 NOP
00D00022 90 NOP
00D00023 90 NOP
00D00024 90 NOP
00D00025 90 NOP
00D00026 90 NOP
00D00027 90 NOP
00D00028 8A07 MOV AL,BYTE PTR DS:[EDI]
00D0002A C0C8 42 ROR AL,42 ; Shift constant out of range 1..31
00D0002D 90 NOP
00D0002E 90 NOP
00D0002F 90 NOP
00D00030 F8 CLC
00D00031 04 D0 ADD AL,0D0
00D00033 02C1 ADD AL,CL
00D00035 FEC8 DEC AL
00D00037 04 09 ADD AL,9
00D00039 FEC8 DEC AL
00D0003B 90 NOP
00D0003C 90 NOP
00D0003D 90 NOP
00D0003E 90 NOP
00D0003F 90 NOP
00D00040 90 NOP
00D00041 34 2C XOR AL,2C
00D00043 C0C0 DA ROL AL,0DA
00D00046 90 NOP
00D00047 90 NOP
00D00048 90 NOP
00D00049 90 NOP
00D0004A 90 NOP
00D0004B 90 NOP
00D0004C 90 NOP
00D0004D F9 STC
00D0004E F9 STC
00D0004F FEC8 DEC AL
00D00051 90 NOP
00D00052 AA STOS BYTE PTR ES:[EDI] ; decode
00D00053 49 DEC ECX
00D00054 ^ 75 D2 JNZ SHORT 00D00028
00D00056 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24] ; clear the original code
00D0005A 4F DEC EDI
00D0005B FD STD
00D0005C B0 90 MOV AL,90
00D0005E B9 0A000000 MOV ECX,0A
00D00063 F3:AA REP STOS BYTE PTR ES:[EDI]
00D00065 61 POPAD
00D00066 9D POPFD
00D00067 83C4 04 ADD ESP,4
00D0006A C3 RETN

After patching, remove that breakpoint and set a new one on the next line, 011200CB, then press F9 to run:

011200CB 9D POPFD

When it breaks again the code is already almost fully repaired. Now a small script removes the "clearing" junk code described above:

// removes the junk code left behind by the packer
var addr
var endaddr
start:
mov addr,401000 // start address
loop:
/* look for the following (this kind of code is also removed):
004093AC /EB 0B JMP SHORT 004093B9
004093AE |90 NOP
004093AF |81E9 2D08830B SUB ECX,0B83082D
004093B5 |40 INC EAX
004093B6 |74 10 JE SHORT 004093C8
004093B8 |90 NOP
004093B9 \9C PUSHFD
004093BA EB 01 JMP SHORT 004093BD
004093BC 90 NOP
004093BD 60 PUSHAD
004093BE F9 STC
004093BF 1BC0 SBB EAX,EAX
004093C1 B9 6E08830B MOV ECX,0B83086E
004093C6 ^ EB E7 JMP SHORT 004093AF
004093C8 BF C8B93096 MOV EDI,9630B9C8
004093CD FC CLD
004093CE 81C7 C7D90F6A ADD EDI,6A0FD9C7
004093D4 F3:AA REP STOS BYTE PTR ES:[EDI]
004093D6 48 DEC EAX
004093D7 75 04 JNZ SHORT 004093DD
004093D9 9D POPFD
004093DA EB 05 JMP SHORT 004093E1
004093DC 90 NOP
004093DD 61 POPAD
004093DE ^ EB F9 JMP SHORT 004093D9
004093E0 90 NOP
*/
find addr,#EB0B??81E9????????407410??9CEB01??60F91BC0B9????????EBE7BF????????FC81C7????????F3AA4875049DEB05??61EBF9??#
cmp $RESULT,0
je lblend
fill $RESULT,35,90
mov addr,$RESULT
add addr,35
jmp loop
lblend:
ret

At this point the code is fully repaired. A fragment of the repaired code:

004093E9 68 20C14000 PUSH 0040C120 ; ASCII "IDD_PE_SPIN"
004093EE FF35 65E04000 PUSH DWORD PTR DS:[40E065]
004093F4 E8 A7070000 CALL 00409BA0 ; JMP to USER32.DialogBoxParamA
004093F9 2BC0 SUB EAX,EAX
004093FB 50 PUSH EAX
004093FC E8 03070000 CALL 00409B04 ; JMP to kernel32.ExitProcess
00409401 E8 1E080000 CALL 00409C24 ; JMP to COMCTL32.InitCommonControls

Finally, remove the anti-unpack check:

00409837 B8 ABA44300 MOV EAX,43A4AB ; checks whether the program has been unpacked
0040983C 2D 910A0300 SUB EAX,30A91
00409841 FFD0 CALL EAX ; stepping in here shows the actual check

Patched to:

00409837 90 NOP
00409838 90 NOP
00409839 90 NOP
0040983A 90 NOP
0040983B 90 NOP
0040983C 90 NOP
0040983D 90 NOP
0040983E 90 NOP
0040983F 90 NOP
00409840 90 NOP
00409841 90 NOP
00409842 90 NOP

All the code the packer tampers with has now been dealt with; dump the process and recover the IAT with ImportREC. Unpacking complete!

I have written a pile of rubbish here; reading it from top to bottom is rather a waste of time ^_^, and writing the article took ages too :-). Hopefully it is of some use to YOCK...
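The script's find/fill loop, re-implemented in Python as an added example (not code from the article or from PESpin) so the junk-block signature can be checked against a dumped section offline. The signature and the 0x35-byte fill length are taken from the script above; the sample buffer is constructed from the listing at 004093AC.

```python
# Added example: Python equivalent of the ODbgScript loop
# ("find addr,#...#", "fill $RESULT,35,90", "add addr,35", "jmp loop").

# Signature copied from the script above; "??" marks a wildcard byte.
JUNK_SIGNATURE = ("EB0B??81E9????????407410??9CEB01??60F91BC0B9????????"
                  "EBE7BF????????FC81C7????????F3AA4875049DEB05??61EBF9??")
FILL_LEN = 0x35   # ODbgScript literals are hex: "fill $RESULT,35,90" writes 0x35 bytes
NOP = 0x90

# Constructed sample: the 0x35-byte junk block listed at 004093AC, placed twice
# between unrelated filler bytes, as it might appear in a dumped section.
JUNK_BLOCK = bytes.fromhex(
    "EB0B 90 81E92D08830B 40 7410 90 9C EB01 90 60 F9 1BC0 B96E08830B EBE7 "
    "BFC8B93096 FC 81C7C7D90F6A F3AA 48 7504 9D EB05 90 61 EBF9 90")
SAMPLE = b"\xCC" * 7 + JUNK_BLOCK + b"\x55\x8B\xEC" + JUNK_BLOCK + b"\xC3"


def parse_signature(sig):
    """Turn "EB0B??..." into a list of byte values, None for each wildcard."""
    if len(sig) % 2:
        raise ValueError("signature must consist of whole bytes")
    pairs = (sig[i:i + 2] for i in range(0, len(sig), 2))
    return [None if p == "??" else int(p, 16) for p in pairs]


def find_pattern(buf, pattern, start=0):
    """Offset of the first match at or after start, or -1 (the script's $RESULT==0)."""
    n = len(pattern)
    for off in range(start, len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def nop_junk_blocks(buf, sig=JUNK_SIGNATURE, fill_len=FILL_LEN):
    """NOP out every junk block; return (patched bytes, list of match offsets)."""
    pattern = parse_signature(sig)
    out = bytearray(buf)
    hits, pos = [], 0
    while True:
        off = find_pattern(out, pattern, pos)
        if off < 0:
            break
        out[off:off + fill_len] = bytes([NOP]) * fill_len  # fill $RESULT,35,90
        hits.append(off)
        pos = off + fill_len                               # add addr,35 / jmp loop
    return bytes(out), hits


if __name__ == "__main__":
    patched, hits = nop_junk_blocks(SAMPLE)
    print("junk blocks found at offsets:", [hex(h) for h in hits])
```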
Greet: Fly, Jingulong, yock, tDasm, David, hexer, hmimys, ahao, UFO (brother), alan (sister), all of my friends and you!

By loveboom[DFCG][FCG][US]
Email: loveboom#163.com
Date: 2005-03-30 11:45
Article URL: http://com.8s8s.com/it/it22379.htm