MSLRH v0.31 Unpacking Analysis

【Target】: MSLRH v0.31 main program
【Tools】: OllyDbg 1.1 (DIY build), LordPE, ImportREC 1.6F
【Task】: analyse the packer
【Platform】: WinXP SP2
【Author】: LOVEBOOM[DFCG][FCG][US]
【Links】: it is available on PEDIY (看雪); search for it yourself
【Summary】: N brothers have already written this packer up; I'm joining in to "watch the show". This packer uses RDTSC a great deal, so I wanted to see what else is special about it.

【Details】: The packer contains far too much "junk", so, as usual, I wrote a little script for it. This time I did not use OllyScript, because de-junk scripts written with it sometimes make the program misbehave, so I switched to the de-junk plugin and wrote the following patterns:

[CODE_ml01]
S = 0F31500F31??????????????????????????????????????????????2B0424??????????????????83C404
R = 90909090909090909090909090909090909090909090909090909090909090909090909090909090909090

[CODE_ml02]
S = 3DFF0F0000EB01??EB02????EB01??761BEB01??EB02????EB01??CC66B8FE00??????????????????66E764
R = 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090

[CODE_ml03]
S = E80A000000??EB0C????E8F6FFFFFFE8F2FFFFFF83C408
R = 9090909090909090909090909090909090909090909090

[CODE_ml04]
S = 50E802000000????586BC0??E802000000????83C40458
R = 9090909090909090909090909090909090909090909090

[CODE_ml05]
S = 74047502????EB01??
R = 909090909090909090

[CODE_ml06]
S = EB05??EB0440??EBFA
R = 909090909090909090

With that written, load the target in OllyDbg.

00456000 > $  60              PUSHAD                          ; packer entry
00456001 .   D1CB            ROR EBX,1                       ; lots of junk here; ignore it for now
00456003 .   0FCA            BSWAP EDX
00456005 .   C1CA E0         ROR EDX,0E0                     ; Shift constant out of range 1..31
……
004560FA > \ E8 0A000000     CALL 00456109                   ; F4 straight to here
004560FF .   E8 EB0C0000     CALL 00456DEF
00456104 .   E8 F6FFFFFF     CALL 004560FF
00456109 $   E8 F2FFFFFF     CALL 00456100
……
0045615A > \ 0F31            RDTSC                           ; once here, run the script to "clean up"; a world without "junk" is so peaceful :)
0045615C ?   50              PUSH EAX
0045615D ?   0F31            RDTSC
……
00456A98     0F31            RDTSC
00456A9A     50              PUSH EAX
00456A9B     E8 00000000     CALL 00456AA0
00456AA0     810424 6F130000 ADD DWORD PTR SS:[ESP],136F
00456AA7     64:FF35 0000000>PUSH DWORD PTR FS:[0]           ; Install SEH
00456AAE     64:8925 0000000>MOV DWORD PTR FS:[0],ESP        ; note: set a breakpoint at 457E0F
……
0045745C     33C0            XOR EAX,EAX                     ; an exception is about to happen here
0045745E     0FB600          MOVZX EAX,BYTE PTR DS:[EAX]
00457461     66:B8 FE00      MOV AX,0FE
00457465     66:E7 64        OUT 64,AX                       ; I/O command
……

After the exception, Shift+F9 to 457E0F, then keep tracing until here:

004587B6     8B4424 0C       MOV EAX,DWORD PTR SS:[ESP+C]
004587BA     33C9            XOR ECX,ECX
004587BC     3348 04         XOR ECX,DWORD PTR DS:[EAX+4]    ; clears the DRx (hardware) breakpoints
004587BF     3348 08         XOR ECX,DWORD PTR DS:[EAX+8]
004587C2     3348 0C         XOR ECX,DWORD PTR DS:[EAX+C]
004587C5     3348 10         XOR ECX,DWORD PTR DS:[EAX+10]
004587C8     8B6424 08       MOV ESP,DWORD PTR SS:[ESP+8]
004587CC     64:8F05 0000000>POP DWORD PTR FS:[0]
004587D3     83C4 04         ADD ESP,4
……
0045917D     0F31            RDTSC                           ; after one exception, another RDTSC-based anti-debug check
0045917F     2B0424          SUB EAX,DWORD PTR SS:[ESP]
00459182     83C4 04         ADD ESP,4
00459185     3D FFFFFF00     CMP EAX,0FFFFFF
0045918A     76 05           JBE SHORT 00459191              ; this jump must be taken, otherwise it's over
0045918C     E9 F08E0000     JMP 00462081
00459191     51              PUSH ECX
00459192     33C9            XOR ECX,ECX
00459194     E8 00000000     CALL 00459199
00459199     5F              POP EDI
0045919A     81C7 C4090000   ADD EDI,9C4
004591A0     5A              POP EDX
004591A1     83C2 15         ADD EDX,15
004591A4     0FB60439        MOVZX EAX,BYTE PTR DS:[ECX+EDI] ; load the byte into eax (starting from 459B5D)
004591A8     33C2            XOR EAX,EDX                     ; xor the byte with 15
004591AA     880439          MOV BYTE PTR DS:[ECX+EDI],AL    ; store the decrypted byte back in place
004591AD     41              INC ECX
004591AE     81F9 93000000   CMP ECX,93                      ; the size to decrypt is 93
004591B4 ^   72 EE           JB SHORT 004591A4               ; not finished yet, jump back and keep decrypting
……
00459B5D     8B5C24 20       MOV EBX,DWORD PTR SS:[ESP+20]   ; getting ready to find the kernel base
00459B61     66:BB 0000      MOV BX,0
00459B65     0FB703          MOVZX EAX,WORD PTR DS:[EBX]
00459B68     2D 4D5A0000     SUB EAX,5A4D
00459B6D     74 08           JE SHORT 00459B77               ; jump once the DOS header is found
00459B6F     81EB 00000100   SUB EBX,10000                   ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
00459B75 ^   EB EE           JMP SHORT 00459B65
00459B77     8BFB            MOV EDI,EBX
00459B79     037B 3C         ADD EDI,DWORD PTR DS:[EBX+3C]   ; locate the PE header
00459B7C     83C7 78         ADD EDI,78
00459B7F     8B3F            MOV EDI,DWORD PTR DS:[EDI]      ; locate the export table
00459B81     03FB            ADD EDI,EBX
00459B83     57              PUSH EDI
00459B84     83C7 20         ADD EDI,20
00459B87     8B3F            MOV EDI,DWORD PTR DS:[EDI]      ; take AddressOfNames
00459B89     03FB            ADD EDI,EBX
00459B8B     33C0            XOR EAX,EAX
00459B8D     40              INC EAX
00459B8E     8B0F            MOV ECX,DWORD PTR DS:[EDI]
00459B90     03CB            ADD ECX,EBX                     ; locate the API name
00459B92     83C7 04         ADD EDI,4
00459B95     8139 47657450   CMP DWORD PTR DS:[ECX],50746547 ; are the first four characters of the name "GetP"?
00459B9B ^   75 F0           JNZ SHORT 00459B8D              ; if not, jump back
00459B9D     8179 04 726F634>CMP DWORD PTR DS:[ECX+4],41636F72 ; are the next four "rocA"? i.e. this loop searches for GetProcAddress
00459BA4 ^   75 E7           JNZ SHORT 00459B8D              ; not found yet, keep looking
00459BA6     6BC0 02         IMUL EAX,EAX,2
00459BA9     5F              POP EDI
00459BAA     57              PUSH EDI
00459BAB     83C7 24         ADD EDI,24
00459BAE     8B3F            MOV EDI,DWORD PTR DS:[EDI]
00459BB0     03FB            ADD EDI,EBX                     ; locate AddressOfNameOrdinals
00459BB2     03F8            ADD EDI,EAX
00459BB4     66:8B07         MOV AX,WORD PTR DS:[EDI]
00459BB7     6BC0 04         IMUL EAX,EAX,4
00459BBA     5F              POP EDI
00459BBB     83C7 1C         ADD EDI,1C
00459BBE     8B3F            MOV EDI,DWORD PTR DS:[EDI]      ; locate AddressOfFunctions
00459BC0     03FB            ADD EDI,EBX
00459BC2     03F8            ADD EDI,EAX
00459BC4     8B7F FC         MOV EDI,DWORD PTR DS:[EDI-4]    ; the address of GetProcAddress is found
00459BC7     03FB            ADD EDI,EBX                     ; the address found is kept in edi
00459BC9     803F CC         CMP BYTE PTR DS:[EDI],0CC       ; if an int3 breakpoint is found on the API it errors out
00459BCC     75 09           JNZ SHORT 00459BD7              ; no tracing detected, jump
00459BCE     33C9            XOR ECX,ECX                     ; if it doesn't jump, you're done for :-)
00459BD0     33FF            XOR EDI,EDI
00459BD2 ^   E9 C1CEFFFF     JMP 00456A98
00459BD7     E8 00000000     CALL 00459BDC
00459BDC     58              POP EAX
00459BDD     2D EC3A0000     SUB EAX,3AEC
00459BE2     B0 00           MOV AL,0                        ; EAX=004560F0, locates the packer entry
00459BE4     05 00200100     ADD EAX,12000
00459BE9     8BF0            MOV ESI,EAX                     ; EAX=00468000
00459BEB     891E            MOV DWORD PTR DS:[ESI],EBX      ; kernel base saved at 468000
00459BED     897E 10         MOV DWORD PTR DS:[ESI+10],EDI   ; the address of GetProcAddress saved at 468010
00459BF0     33C9            XOR ECX,ECX
00459BF2     E8 00000000     CALL 00459BF7
00459BF7     5F              POP EDI
00459BF8     81C7 C4090000   ADD EDI,9C4                     ; EDI=0045A5BB
00459BFE     0FB60439        MOVZX EAX,BYTE PTR DS:[ECX+EDI] ; about to decrypt the block starting at 0045A5BB, size 0C3F
00459C02     83F0 15         XOR EAX,15                      ; the operation is xor 15
00459C05     880439          MOV BYTE PTR DS:[ECX+EDI],AL    ; decrypted code
00459C08     41              INC ECX
00459C09     81F9 3F0C0000   CMP ECX,0C3F
00459C0F ^   72 ED           JB SHORT 00459BFE               ; not finished, go back up and keep decrypting
……
0045A5B8     0F31            RDTSC                           ; the way API addresses are fetched here is rather interesting
0045A5BA     50              PUSH EAX
0045A5BB     EB 13           JMP SHORT 0045A5D0              ; jump over to fetch the address of OutputDebugStringA
0045A5BD     4F              DEC EDI
0045A5BE     75 74           JNZ SHORT 0045A634
0045A5C0     70 75           JO SHORT 0045A637
0045A5C2     74 44           JE SHORT 0045A608
0045A5C4     65:6275 67      BOUND ESI,QWORD PTR GS:[EBP+67] ; Superfluous prefix
0045A5C8     53              PUSH EBX
0045A5C9     74 72           JE SHORT 0045A63D
0045A5CB     696E 67 4100E80>IMUL EBP,DWORD PTR DS:[ESI+67],0E80041
0045A5D2     0000            ADD BYTE PTR DS:[EAX],AL
0045A5D4     0083 2C2418FF   ADD BYTE PTR DS:[EBX+FF18242C],AL
0045A5DA     36:FF56 10      CALL DWORD PTR SS:[ESI+10]
0045A5DE     8946 14         MOV DWORD PTR DS:[ESI+14],EAX   ; the address obtained is saved at 468014
0045A5E1     EB 01           JMP SHORT 0045A5E4
0045A5E3     68 EB02CD20     PUSH 20CD02EB
0045A5E8     EB 01           JMP SHORT 0045A5EB
0045A5EA     E8 E8100000     CALL 0045B6D7
0045A5EF     0047 65         ADD BYTE PTR DS:[EDI+65],AL
0045A5F2     74 43           JE SHORT 0045A637
0045A5F4     6F              OUTS DX,DWORD PTR ES:[EDI]      ; I/O command
0045A5F5     6D              INS DWORD PTR ES:[EDI],DX       ; I/O command
0045A5F6     6D              INS DWORD PTR ES:[EDI],DX       ; I/O command
0045A5F7     61              POPAD
0045A5F8     6E              OUTS DX,BYTE PTR ES:[EDI]       ; I/O command
0045A5F9     64:4C           DEC ESP                         ; Superfluous prefix
0045A5FB     696E 65 4100FF3>IMUL EBP,DWORD PTR DS:[ESI+65],36FF0041
0045A602     FF56 10         CALL DWORD PTR DS:[ESI+10]
0045A605     8946 18         MOV DWORD PTR DS:[ESI+18],EAX   ; [468018] holds the address of GetCommandLineA
0045A608 - 0045A610  90     NOP (x9)
0045A611     E8 0C000000     CALL 0045A622                   ; fetch the address of CreateFileA
0045A616     43              INC EBX
0045A617     72 65           JB SHORT 0045A67E
0045A619     61              POPAD
0045A61A     74 65           JE SHORT 0045A681
0045A61C     46              INC ESI
0045A61D     696C65 41 00FF3>IMUL EBP,DWORD PTR SS:[EBP+41],FF36FF00
0045A625     56              PUSH ESI
0045A626     1089 461C9090   ADC BYTE PTR DS:[ECX+90901C46],CL
……
0045A7E6     E8 11000000     CALL 0045A7FC
0045A7EB     47              INC EDI
0045A7EC     65:74 4D        JE SHORT 0045A83C               ; Superfluous prefix
0045A7EF     6F              OUTS DX,DWORD PTR ES:[EDI]      ; I/O command
0045A7F0     64:75 6C        JNZ SHORT 0045A85F              ; Superfluous prefix
0045A7F3     65:48           DEC EAX                         ; Superfluous prefix
0045A7F5     61              POPAD
0045A7F6     6E              OUTS DX,BYTE PTR ES:[EDI]       ; I/O command
0045A7F7     64:6C           INS BYTE PTR ES:[EDI],DX        ; I/O command
0045A7F9     65:41           INC ECX                         ; Superfluous prefix
0045A7FB     00FF            ADD BH,BH
0045A7FD     36:FF56 10      CALL DWORD PTR SS:[ESI+10]
0045A801     8946 50         MOV DWORD PTR DS:[ESI+50],EAX   ; the last one, GetModuleHandleA
0045A804 - 0045A80D  90     NOP (x10)
0045A80E     0F31            RDTSC
0045A810     2B0424          SUB EAX,DWORD PTR SS:[ESP]      ; yet another detection flag
0045A813     83C4 04         ADD ESP,4
0045A816     3D FFFFFF00     CMP EAX,0FFFFFF
0045A81B ^   0F87 D0B8FFFF   JA 004560F1                     ; jumps if tracing is detected, and then it's over
0045A821 .   56              PUSH ESI                        ; ESI = 468000

By this point the packer has fetched every API it needs; the details are as follows: ……

0045B1C9     8CC9            MOV CX,CS                       ; starts checking whether the OS is 2k/xp or similar
0045B1CB     32C9            XOR CL,CL
0045B1CD     83F9 00         CMP ECX,0
0045B1D0     75 28           JNZ SHORT 0045B1FA              ; jumps if it is win9x
0045B1D2     64:FF35 3000000>PUSH DWORD PTR FS:[30]
0045B1D9     58              POP EAX
0045B1DA     0FB648 02       MOVZX ECX,BYTE PTR DS:[EAX+2]   ; reads the value from the TEB
0045B1DE     884E 0C         MOV BYTE PTR DS:[ESI+C],CL
0045B1E1     8B40 0C         MOV EAX,DWORD PTR DS:[EAX+C]
0045B1E4     8B40 0C         MOV EAX,DWORD PTR DS:[EAX+C]
0045B1E7     8D58 20         LEA EBX,DWORD PTR DS:[EAX+20]
0045B1EA     8D48 18         LEA ECX,DWORD PTR DS:[EAX+18]
0045B1ED     8103 C8000000   ADD DWORD PTR DS:[EBX],0C8      ; corrupts the PE header
0045B1F3     B8 00000000     MOV EAX,0
0045B1F8     0101            ADD DWORD PTR DS:[ECX],EAX
0045B1FA     33C9            XOR ECX,ECX
0045B1FC     E8 00000000     CALL 0045B201
0045B201     5F              POP EDI
0045B202     81C7 C1090000   ADD EDI,9C1
0045B208     0FB60439        MOVZX EAX,BYTE PTR DS:[ECX+EDI] ; decrypts the next block, starting at 45BBC2
0045B20C     83F0 11         XOR EAX,11                      ; xor key 11
0045B20F     880439          MOV BYTE PTR DS:[ECX+EDI],AL    ; write it back
0045B212     41              INC ECX
0045B213     81F9 521D0000   CMP ECX,1D52                    ; size of the block to decrypt is 1D52
0045B219 ^   72 ED           JB SHORT 0045B208               ; not finished, jump back and continue
……
0045C569     0F31            RDTSC                           ; getting ready for another exception
0045C56B     50              PUSH EAX
0045C56C     E8 00000000     CALL 0045C571                   ; Install SEH
0045C571     810424 CA090000 ADD DWORD PTR SS:[ESP],9CA
0045C578     64:FF35 0000000>PUSH DWORD PTR FS:[0]
0045C57F     64:8925 0000000>MOV DWORD PTR FS:[0],ESP        ; exception handler at 45CF3B
0045C586     33DB            XOR EBX,EBX
0045C588     8B1B            MOV EBX,DWORD PTR DS:[EBX]
……
0045D8DF     8B4424 0C       MOV EAX,DWORD PTR SS:[ESP+C]
0045D8E3     33C9            XOR ECX,ECX
0045D8E5     3348 04         XOR ECX,DWORD PTR DS:[EAX+4]    ; clears the hardware breakpoints again
0045D8E8     3348 08         XOR ECX,DWORD PTR DS:[EAX+8]
0045D8EB     3348 0C         XOR ECX,DWORD PTR DS:[EAX+C]
0045D8EE     3348 10         XOR ECX,DWORD PTR DS:[EAX+10]
0045D8F1     8B6424 08       MOV ESP,DWORD PTR SS:[ESP+8]
0045D8F5     64:8F05 0000000>POP DWORD PTR FS:[0]
0045D8FC     83C4 04         ADD ESP,4
0045D8FF     0F31            RDTSC
0045D901     2B0424          SUB EAX,DWORD PTR SS:[ESP]
0045D904     83C4 04         ADD ESP,4
0045D907     3D FFFFFF00     CMP EAX,0FFFFFF                 ; this must jump; yet another timing-difference anti-debug check
0045D90C     76 06           JBE SHORT 0045D914
0045D90E     5E              POP ESI
0045D90F     C646 0F 01      MOV BYTE PTR DS:[ESI+F],1
0045D913     56              PUSH ESI
……
0045DA75     5E              POP ESI
0045DA76     884E 0D         MOV BYTE PTR DS:[ESI+D],CL
……
0045E420     E8 05000000     CALL 0045E42A
0045E425     25 73257300     AND EAX,732573                  ; /Debug String = %s%s
0045E42A     FF56 14         CALL DWORD PTR DS:[ESI+14]      ; \OutputDebugStringA  note: if you haven't patched that OllyDbg bug, you won't get past this :)
……
0045EDD4     FF56 18         CALL DWORD PTR DS:[ESI+18]      ; GetCommandLineA, fetches the command line
0045EDD7     40              INC EAX
0045EDD8     33C9            XOR ECX,ECX
0045EDDA     41              INC ECX                         ; gets the command-line length; the value is kept in ECX
0045EDDB     803C01 00       CMP BYTE PTR DS:[ECX+EAX],0
0045EDDF     74 0C           JE SHORT 0045EDED
0045EDE1     803C01 22       CMP BYTE PTR DS:[ECX+EAX],22    ; not at the end yet, go back and keep reading
0045EDE5 ^   75 F3           JNZ SHORT 0045EDDA
0045EDE7     C60401 00       MOV BYTE PTR DS:[ECX+EAX],0
0045EDEB ^   EB ED           JMP SHORT 0045EDDA
0045EDED     6A 00           PUSH 0                          ; /hTemplateFile = NULL
0045EDEF     6A 00           PUSH 0                          ; |Attributes = 0
0045EDF1     6A 03           PUSH 3                          ; |Mode = OPEN_EXISTING
0045EDF3     6A 00           PUSH 0                          ; |pSecurity = NULL
0045EDF5     6A 00           PUSH 0                          ; |ShareMode = 0
0045EDF7     68 00000080     PUSH 80000000                   ; |Access = GENERIC_READ
0045EDFC     50              PUSH EAX                        ; |FileName = "D:\[MSLRH].exe"
0045EDFD     FF56 1C         CALL DWORD PTR DS:[ESI+1C]      ; \CreateFileA
0045EE00     90              NOP

Here CreateFileA is used so that ImportREC cannot open the file. You can patch this spot with:

push eax
call CloseHandle

and then ImportREC can be used again.

……
0045F7A7     837E 40 00      CMP DWORD PTR DS:[ESI+40],0     ; checks whether fetching the address of ZwQueryInformationProcess succeeded
0045F7AB     74 24           JE SHORT 0045F7D1               ; jumps if it failed, so this part can simply be skipped
0045F7AD     FF56 24         CALL DWORD PTR DS:[ESI+24]      ; otherwise first get the current process ID: GetCurrentProcessId
0045F7B0     50              PUSH EAX                        ; /ProcessId
0045F7B1     6A 00           PUSH 0                          ; |Inheritable = FALSE
0045F7B3     68 00040000     PUSH 400                        ; |Access = QUERY_INFORMATION
0045F7B8     FF56 28         CALL DWORD PTR DS:[ESI+28]      ; \OpenProcess, opens its own process
0045F7BB     8BDC            MOV EBX,ESP                     ; ESP = 12FFA4
0045F7BD     83EB 04         SUB EBX,4
0045F7C0     6A 00           PUSH 0
0045F7C2     6A 00           PUSH 0                          ; /pReqsize = NULL
0045F7C4     6A 04           PUSH 4                          ; |Bufsize = 4
0045F7C6     53              PUSH EBX                        ; |Buffer = 0012FFA0
0045F7C7     6A 07           PUSH 7                          ; |InfoClass = 7
0045F7C9     50              PUSH EAX                        ; |hProcess
0045F7CA     FF56 40         CALL DWORD PTR DS:[ESI+40]      ; \ZwQueryInformationProcess
0045F7CD     58              POP EAX
0045F7CE     8846 0E         MOV BYTE PTR DS:[ESI+E],AL      ; sets a flag at [46800E]; if ZwQueryInformationProcess succeeded it becomes FF
……
00460178     8CC9            MOV CX,CS
0046017A     32C9            XOR CL,CL
0046017C     83F9 00         CMP ECX,0
0046017F     0F84 A1130000   JE 00461526                     ; jumps if the OS is win 2k/xp; I'm debugging on xp sp2, so of course it jumps
00460185     8B46 38         MOV EAX,DWORD PTR DS:[ESI+38]
00460188     8078 01 4C      CMP BYTE PTR DS:[EAX+1],4C
0046018C     0F85 94130000   JNZ 00461526
00460192     E8 00000000     CALL 00460197
00460197     810424 6E130000 ADD DWORD PTR SS:[ESP],136E
0046019E     59              POP ECX
0046019F     64:FF35 0000000>PUSH DWORD PTR FS:[0]
004601A6     8B46 38         MOV EAX,DWORD PTR DS:[ESI+38]
004601A9     8B40 0B         MOV EAX,DWORD PTR DS:[EAX+B]
004601AC     8908            MOV DWORD PTR DS:[EAX],ECX
……
00461ECD     E8 00000000     CALL 00461ED2
00461ED2     58              POP EAX
00461ED3     2D E2BD0000     SUB EAX,0BDE2                   ; EAX = 004560F0
00461ED8     B0 00           MOV AL,0
00461EDA     05 00200100     ADD EAX,12000                   ; eax = 00468000
00461EDF     8BF0            MOV ESI,EAX
00461EE1     807E 0C 00      CMP BYTE PTR DS:[ESI+C],0       ; not sure what this one is for :-(
00461EE5     74 51           JE SHORT 00461F38               ; jumps here
00461EE7     6A 00           PUSH 0
00461EE9     FF56 50         CALL DWORD PTR DS:[ESI+50]      ; GetModuleHandleA
00461EEC     50              PUSH EAX
00461EED     8BD8            MOV EBX,EAX
00461EEF     8B40 3C         MOV EAX,DWORD PTR DS:[EAX+3C]   ; locate the PE header
00461EF2     03C3            ADD EAX,EBX
00461EF4     8D98 00010000   LEA EBX,DWORD PTR DS:[EAX+100]
00461EFA     8B1B            MOV EBX,DWORD PTR DS:[EBX]
00461EFC     58              POP EAX
00461EFD     03D8            ADD EBX,EAX
00461EFF     05 00100000     ADD EAX,1000
00461F04     8BF8            MOV EDI,EAX
00461F06     81EB FF000000   SUB EBX,0FF
00461F0C     B9 10270000     MOV ECX,2710
00461F11     0F31            RDTSC
00461F13     C1E8 18         SHR EAX,18
00461F16     03F8            ADD EDI,EAX
00461F18     3007            XOR BYTE PTR DS:[EDI],AL
00461F1A     3BFB            CMP EDI,EBX
00461F1C     7D 03           JGE SHORT 00461F21
00461F1E     49              DEC ECX
00461F1F ^   75 F0           JNZ SHORT 00461F11
00461F21 - 00461F37  90     NOP (x23)
00461F38     807E 0D 00      CMP BYTE PTR DS:[ESI+D],0
00461F3C ^   0F85 AF41FFFF   JNZ 004560F1
00461F42 - 00461F4A  90     NOP (x9)
00461F4B     807E 0E 00      CMP BYTE PTR DS:[ESI+E],0
00461F4F ^   0F85 9C41FFFF   JNZ 004560F1
00461F55 - 00461F6B  90     NOP (x23)
00461F6C     807E 0F 00      CMP BYTE PTR DS:[ESI+F],0
00461F70 ^   0F85 7B41FFFF   JNZ 004560F1
……
00461F8D     E8 00000000     CALL 00461F92                   ; this section starts the CRC check, so now restore the code we changed earlier
00461F92     59              POP ECX
00461F93 - 00461F9C  90     NOP (x10)
00461F9D     83E9 05         SUB ECX,5
00461FA0 - 00461FA9  90     NOP (x10)
00461FAA     33DB            XOR EBX,EBX
00461FAC - 00461FB5  90     NOP (x10)
00461FB6     B8 9CBE0000     MOV EAX,0BE9C
00461FBB - 00461FC4  90     NOP (x10)
00461FC5     8BF9            MOV EDI,ECX
00461FC7 - 00461FD0  90     NOP (x10)
00461FD1     2BF8            SUB EDI,EAX
00461FD3 - 00461FDC  90     NOP (x10)
00461FDD     0FB607          MOVZX EAX,BYTE PTR DS:[EDI]
00461FE0 - 00461FE9  90     NOP (x10)
00461FEA     03D8            ADD EBX,EAX
00461FEC - 00461FF5  90     NOP (x10)
00461FF6     47              INC EDI
00461FF7 - 00462000  90     NOP (x10)
00462001     3BF9            CMP EDI,ECX
00462003 - 0046200C  90     NOP (x10)
0046200D ^   72 CE           JB SHORT 00461FDD
0046200F     BF 00704400     MOV EDI,00447000
00462014     B9 00BC0000     MOV ECX,0BC00
00462019 - 00462022  90     NOP (x10)
00462023     0FB607          MOVZX EAX,BYTE PTR DS:[EDI]
00462026 - 0046202F  90     NOP (x10)
00462030     02DF            ADD BL,BH
00462032     32DF            XOR BL,BH
00462034     32C3            XOR AL,BL
00462036 - 0046203F  90     NOP (x10)
00462040     8807            MOV BYTE PTR DS:[EDI],AL
00462042 - 0046204B  90     NOP (x10)
0046204C     47              INC EDI
0046204D - 00462056  90     NOP (x10)
00462057     49              DEC ECX
00462058 - 00462061  90     NOP (x10)
00462062 ^   75 B5           JNZ SHORT 00462019
00462064     E8 00000000     CALL 00462069
00462069     59              POP ECX
0046206A     2959 16         SUB DWORD PTR DS:[ECX+16],EBX
0046206D     61              POPAD
0046206E     60              PUSHAD
0046206F     BE 00704400     MOV ESI,00447000
00462074     8DBE 00A0FBFF   LEA EDI,DWORD PTR DS:[ESI+FFFBA000]
0046207A     57              PUSH EDI
0046207B     83CD FF         OR EBP,FFFFFFFF
0046207E     68 ADE29F00     PUSH 9FE2AD                     ; if the CRC is wrong, this jumps off somewhere random
00462083     C3              RETN
……

Once inside, what does this look like? UPX.

004528C0 /   EB 10           JMP SHORT 004528D2
004528C2 - 004528C7 |90     NOP (x6)
004528C8 |   8A06            MOV AL,BYTE PTR DS:[ESI]
004528CA |   46              INC ESI
004528CB |   8807            MOV BYTE PTR DS:[EDI],AL
004528CD |   47              INC EDI
004528CE |   01DB            ADD EBX,EBX
004528D0 |   75 07           JNZ SHORT 004528D9
004528D2 \   8B1E            MOV EBX,DWORD PTR DS:[ESI]
004528D4     83EE FC         SUB ESI,-4
004528D7     11DB            ADC EBX,EBX
004528D9 ^   72 ED           JB SHORT 004528C8
004528DB     B8 01000000     MOV EAX,1
004528E0     01DB            ADD EBX,EBX
004528E2     75 07           JNZ SHORT 004528EB
004528E4     8B1E            MOV EBX,DWORD PTR DS:[ESI]
004528E6     83EE FC         SUB ESI,-4
004528E9     11DB            ADC EBX,EBX
004528EB     11C0            ADC EAX,EAX
004528ED     01DB            ADD EBX,EBX
004528EF     73 0B           JNB SHORT 004528FC
004528F1     75 19           JNZ SHORT 0045290C
004528F3     8B1E            MOV EBX,DWORD PTR DS:[ESI]
004528F5     83EE FC         SUB ESI,-4
004528F8     11DB            ADC EBX,EBX
004528FA     72 10           JB SHORT 0045290C
004528FC     48              DEC EAX
004528FD     01DB            ADD EBX,EBX
004528FF     75 07           JNZ SHORT 00452908
00452901     8B1E            MOV EBX,DWORD PTR DS:[ESI]
00452903     83EE FC         SUB ESI,-4
00452906     11DB            ADC EBX,EBX
00452908     11C0            ADC EAX,EAX
0045290A ^   EB D4           JMP SHORT 004528E0
0045290C     31C9            XOR ECX,ECX
0045290E     83E8 03         SUB EAX,3
00452911     72 11           JB SHORT 00452924
00452913     C1E0 08         SHL EAX,8
00452916     8A06            MOV AL,BYTE PTR DS:[ESI]
00452918     46              INC ESI
00452919     83F0 FF         XOR EAX,FFFFFFFF
0045291C     74 78           JE SHORT 00452996
0045291E     D1F8            SAR EAX,1
00452920     89C5            MOV EBP,EAX
00452922     EB 0B           JMP SHORT 0045292F
00452924     01DB            ADD EBX,EBX
00452926     75 07           JNZ SHORT 0045292F
00452928     8B1E            MOV EBX,DWORD PTR DS:[ESI]
0045292A     83EE FC         SUB ESI,-4
0045292D     11DB            ADC EBX,EBX
0045292F     11C9            ADC ECX,ECX
00452931     01DB            ADD EBX,EBX
00452933     75 07           JNZ SHORT 0045293C
00452935     8B1E            MOV EBX,DWORD PTR DS:[ESI]
00452937     83EE FC         SUB ESI,-4
0045293A     11DB            ADC EBX,EBX
0045293C     11C9            ADC ECX,ECX
0045293E     75 20           JNZ SHORT 00452960
00452940     41              INC ECX
00452941     01DB            ADD EBX,EBX
00452943     75 07           JNZ SHORT 0045294C
00452945     8B1E            MOV EBX,DWORD PTR DS:[ESI]
00452947     83EE FC         SUB ESI,-4
0045294A     11DB            ADC EBX,EBX
0045294C     11C9            ADC ECX,ECX
0045294E     01DB            ADD EBX,EBX
00452950 ^   73 EF           JNB SHORT 00452941
00452952     75 09           JNZ SHORT 0045295D
00452954     8B1E            MOV EBX,DWORD PTR DS:[ESI]
00452956     83EE FC         SUB ESI,-4
00452959     11DB            ADC EBX,EBX
0045295B ^   73 E4           JNB SHORT 00452941
0045295D     83C1 02         ADD ECX,2
00452960     81FD 00FBFFFF   CMP EBP,-500
00452966     83D1 01         ADC ECX,1
00452969     8D142F          LEA EDX,DWORD PTR DS:[EDI+EBP]
0045296C     83FD FC         CMP EBP,-4
0045296F     76 0F           JBE SHORT 00452980
00452971     8A02            MOV AL,BYTE PTR DS:[EDX]
00452973     42              INC EDX
00452974     8807            MOV BYTE PTR DS:[EDI],AL
00452976     47              INC EDI
00452977     49              DEC ECX
00452978 ^   75 F7           JNZ SHORT 00452971
0045297A ^   E9 4FFFFFFF     JMP 004528CE
0045297F     90              NOP
00452980     8B02            MOV EAX,DWORD PTR DS:[EDX]
00452982     83C2 04         ADD EDX,4
00452985     8907            MOV DWORD PTR DS:[EDI],EAX
00452987     83C7 04         ADD EDI,4
0045298A     83E9 04         SUB ECX,4
0045298D ^   77 F1           JA SHORT 00452980
0045298F     01CF            ADD EDI,ECX
00452991 ^   E9 38FFFFFF     JMP 004528CE
00452996     5E              POP ESI
00452997     89F7            MOV EDI,ESI
00452999     B9 D5160000     MOV ECX,16D5
0045299E     8A07            MOV AL,BYTE PTR DS:[EDI]
004529A0     47              INC EDI
004529A1     2C E8           SUB AL,0E8
004529A3     3C 01           CMP AL,1
004529A5 ^   77 F7           JA SHORT 0045299E
004529A7     803F 01         CMP BYTE PTR DS:[EDI],1
004529AA ^   75 F2           JNZ SHORT 0045299E
004529AC     8B07            MOV EAX,DWORD PTR DS:[EDI]
004529AE     8A5F 04         MOV BL,BYTE PTR DS:[EDI+4]
004529B1     66:C1E8 08      SHR AX,8
004529B5     C1C0 10         ROL EAX,10
004529B8     86C4            XCHG AH,AL
004529BA     29F8            SUB EAX,EDI
004529BC     80EB E8         SUB BL,0E8
004529BF     01F0            ADD EAX,ESI
004529C1     8907            MOV DWORD PTR DS:[EDI],EAX
004529C3     83C7 05         ADD EDI,5
004529C6     89D8            MOV EAX,EBX
004529C8 ^   E2 D9           LOOPD SHORT 004529A3
004529CA     8DBE 00000500   LEA EDI,DWORD PTR DS:[ESI+50000]
004529D0     8B07            MOV EAX,DWORD PTR DS:[EDI]
004529D2     09C0            OR EAX,EAX
004529D4     74 3C           JE SHORT 00452A12
004529D6     8B5F 04         MOV EBX,DWORD PTR DS:[EDI+4]
004529D9     8D8430 B0490500 LEA EAX,DWORD PTR DS:[EAX+ESI+549B0]
004529E0     01F3            ADD EBX,ESI
004529E2     50              PUSH EAX
004529E3     83C7 08         ADD EDI,8
004529E6     FF96 3C4A0500   CALL DWORD PTR DS:[ESI+54A3C]
004529EC     95              XCHG EAX,EBP
004529ED     8A07            MOV AL,BYTE PTR DS:[EDI]
004529EF     47              INC EDI
004529F0     08C0            OR AL,AL
004529F2 ^   74 DC           JE SHORT 004529D0
004529F4     89F9            MOV ECX,EDI
004529F6     57              PUSH EDI
004529F7     48              DEC EAX
004529F8     F2:AE           REPNE SCAS BYTE PTR ES:[EDI]
004529FA     55              PUSH EBP
004529FB     FF96 404A0500   CALL DWORD PTR DS:[ESI+54A40]
00452A01     09C0            OR EAX,EAX
00452A03     74 07           JE SHORT 00452A0C
00452A05     8903            MOV DWORD PTR DS:[EBX],EAX
00452A07     83C3 04         ADD EBX,4
00452A0A ^   EB E1           JMP SHORT 004529ED
00452A0C     FF96 444A0500   CALL DWORD PTR DS:[ESI+54A44]
00452A12     61              POPAD
00452A13 -   E9 3E13FCFF     JMP 00413D56

That completes the analysis. I failed N times and it took a whole afternoon; now I'm hungry, so I'm going home to cook.

One note: before the first de-junking, change any byte somewhere and change it back, so that later, when the code has to be restored, you can simply press Alt+<-. The packer isn't as hard as I had imagined :-). It simply abuses RDTSC.

Greetz: Fly, Jingulong, yock, tDasm, David, hexer, hmimys, ahao, UFO (brother), alan (sister), all of my friends and you!

By loveboom[DFCG][FCG][US]
Email: loveboom#163.com
Date: 2005-02-25 20:14
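The S=/R= pairs at the top of the write-up are a wildcard search-and-replace: every "??" in S matches any byte, and the whole match is overwritten with the NOPs in R. The following Python, added here as an example and not the de-junk plugin's own code, parses that notation and applies it to a buffer. The buffer is constructed (it contains one instance of the ml05 and ml06 shapes around a real `mov eax,1`), not bytes taken from MSLRH.

```python
"""Wildcard pattern de-junking in the S=/R= notation used above.
Added example; the sample buffer is constructed, not packer bytes."""
import re

# Two of the page's own rules, verbatim (ml05 and ml06).
PATTERNS = """
[CODE_ml05]
S = 74047502????EB01??
R = 909090909090909090
[CODE_ml06]
S = EB05??EB0440??EBFA
R = 909090909090909090
"""


def parse_patterns(text):
    """Return [(name, compiled_regex, replacement_bytes)].
    '??' matches any single byte; S and R must have the same length."""
    rules, name, search = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            name = m.group(1)
        elif line.startswith("S ="):
            search = line[3:].strip()
        elif line.startswith("R ="):
            repl = bytes.fromhex(line[3:].strip())
            if search is None or len(search) != 2 * len(repl):
                raise ValueError(f"{name}: S and R differ in length")
            parts = []
            for i in range(0, len(search), 2):
                tok = search[i:i + 2]
                # '??' -> any byte; literal bytes are escaped for the regex engine
                parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
            rules.append((name, re.compile(b"".join(parts), re.DOTALL), repl))
    return rules


def dejunk(buf, rules):
    """Apply each rule over the whole buffer. Returns (new_buf, {name: hits}).
    A callable replacement avoids backslash handling in the R bytes."""
    hits = {}
    for name, rx, repl in rules:
        buf, n = rx.subn(lambda m, r=repl: r, buf)
        hits[name] = n
    return buf, hits


# Constructed sample: junk (ml05 shape), a real instruction, junk (ml06 shape).
SAMPLE = bytes.fromhex(
    "74047502" "AABB" "EB01" "CC"     # je/jne pair, two filler bytes, jmp +1, garbage byte
    "B801000000"                       # mov eax,1: the instruction we want to survive
    "EB05" "11" "EB0440" "22" "EBFA"   # jmp chain of the ml06 form
)


def run_sample():
    """Clean SAMPLE with the two rules; returns (cleaned_bytes, hit counts)."""
    return dejunk(SAMPLE, parse_patterns(PATTERNS))


if __name__ == "__main__":
    cleaned, hits = run_sample()
    print(cleaned.hex(), hits)
```

Because the replacement is the same length as the pattern, addresses and relative jumps in the surrounding code stay valid, which is why the plugin can be run on a live process without breaking the packer's later jumps; the checksum loop near 00461F8D is the one place where the NOPs do matter, as the write-up notes.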
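The code at 00459B77 to 00459BC7 resolves GetProcAddress by hand: e_lfanew at 3C, the export data directory at PE+78, then AddressOfFunctions (+1C), AddressOfNames (+20) and AddressOfNameOrdinals (+24) inside the export directory. The Python below, an added example and not the packer's code, performs the same walk over a constructed minimal image (not a real kernel32) so the lookup can be checked offline; an analyst who wants to confirm what the packer stored at 468010 can run the same logic over a dumped module.

```python
"""Export-directory walk matching the offsets used in the listing above.
Added example; the image is constructed, not a real module."""
import struct


def u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def find_export(image, wanted):
    """image: bytes of a mapped module, offset 0 == module base.
    Returns the RVA of `wanted` or None if the name is not exported."""
    if image[:2] != b"MZ":
        raise ValueError("no DOS header")
    pe = u32(image, 0x3C)                     # e_lfanew, as at 00459B79
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE header")
    exp = u32(image, pe + 0x78)               # DataDirectory[0].VirtualAddress
    n_names = u32(image, exp + 0x18)          # NumberOfNames
    funcs = u32(image, exp + 0x1C)            # AddressOfFunctions
    names = u32(image, exp + 0x20)            # AddressOfNames
    ords = u32(image, exp + 0x24)             # AddressOfNameOrdinals
    target = wanted.encode() + b"\0"
    for i in range(n_names):
        name_rva = u32(image, names + 4 * i)
        if image[name_rva:name_rva + len(target)] == target:
            # Name table and ordinal table are parallel arrays; the ordinal
            # (already relative to Base here) indexes AddressOfFunctions.
            ordinal = u16(image, ords + 2 * i)
            return u32(image, funcs + 4 * ordinal)
    return None


def build_sample_image():
    """Constructed image: DOS stub, PE signature, one data-directory entry and
    an export directory with three names whose ordinals are deliberately not
    in name order, so the ordinal indirection is actually exercised."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    exp = 0x100
    struct.pack_into("<I", img, 0x40 + 0x78, exp)      # export directory RVA
    exports = [("GetCurrentProcess", 2), ("GetProcAddress", 0), ("LoadLibraryA", 1)]
    functions = [0x2000, 0x3000, 0x1000]               # indexed by ordinal
    struct.pack_into("<I", img, exp + 0x14, len(functions))  # NumberOfFunctions
    struct.pack_into("<I", img, exp + 0x18, len(exports))    # NumberOfNames
    struct.pack_into("<I", img, exp + 0x1C, 0x180)     # AddressOfFunctions
    struct.pack_into("<I", img, exp + 0x20, 0x190)     # AddressOfNames
    struct.pack_into("<I", img, exp + 0x24, 0x1A0)     # AddressOfNameOrdinals
    for i, rva in enumerate(functions):
        struct.pack_into("<I", img, 0x180 + 4 * i, rva)
    str_off = 0x200
    for i, (nm, ordinal) in enumerate(exports):
        struct.pack_into("<I", img, 0x190 + 4 * i, str_off)
        struct.pack_into("<H", img, 0x1A0 + 2 * i, ordinal)
        img[str_off:str_off + len(nm) + 1] = nm.encode() + b"\0"
        str_off += len(nm) + 1
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(hex(find_export(image, "GetProcAddress")))
```

The listing compares only the first eight characters ("GetP" then "rocA"); the example compares the full NUL-terminated name, which is what you want when the table also contains names such as GetProcAddressForCaller on newer systems.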
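The section starting at 00461F8D explains why the write-up insists on restoring the de-junked bytes: EBX becomes the byte-sum of the 0BE9C bytes before 00461F8D, that sum is the seed of the key stream (ADD BL,BH / XOR BL,BH / XOR AL,BL) for the 0BC00-byte block at 00447000, and the same EBX is then subtracted from the PUSH immediate before the RETN. The Python below, an added example and not the packer's code, models those three steps on constructed data and shows that a single NOP patch inside the checked region both garbles the decrypted layer and moves the jump target. The buffers, the plaintext and the stored immediate are all constructed; only the 004528C0 landing address comes from the listing.

```python
"""Model of the checksum-keyed layer at 00461F8D-00462083.
Added example on constructed data; not the packer's own code."""

MASK32 = 0xFFFFFFFF


def checksum(code):
    """00461FDD-0046200D: ebx = sum of every byte in the checked region."""
    return sum(code) & MASK32


def decrypt_layer(data, ebx):
    """00462019-00462062: per byte, bl = (bl + bh) ^ bh, then byte ^= bl.
    bh never changes; only bl evolves. Returns (output, final ebx)."""
    bl, bh = ebx & 0xFF, (ebx >> 8) & 0xFF
    out = bytearray()
    for b in data:
        bl = ((bl + bh) & 0xFF) ^ bh
        out.append(b ^ bl)
    return bytes(out), (ebx & ~0xFF) | bl


def encrypt_layer(plain, ebx):
    """XOR with the same key stream is its own inverse."""
    return decrypt_layer(plain, ebx)


def fix_retn_target(stored_imm, ebx):
    """0046206A: SUB [ECX+16],EBX rewrites the immediate of PUSH ... ; RETN."""
    return (stored_imm - ebx) & MASK32


def run_scenario(code, layer, stored_imm):
    """Checksum, decrypt, patch the target. Returns (plain_layer, jump_target)."""
    ebx = checksum(code)
    plain, ebx = decrypt_layer(layer, ebx)
    return plain, fix_retn_target(stored_imm, ebx)


# Constructed stand-ins: CODE for the bytes between 004560F1 and 00461F8D,
# PLAIN_LAYER for the block at 00447000. The extra two bytes keep the
# checksum's low byte non-zero so the key stream is not degenerate.
CODE = bytes(range(256)) * 4 + b"\x13\x37"
PLAIN_LAYER = b"UPX stub would be here" * 3
TRUE_TARGET = 0x004528C0            # where the listing shows the RETN landing


def build_packed():
    """What a packer would store: the encrypted layer and a PUSH immediate
    pre-biased by the checksum it expects to see at run time."""
    ebx = checksum(CODE)
    enc, ebx_after = encrypt_layer(PLAIN_LAYER, ebx)
    return enc, (TRUE_TARGET + ebx_after) & MASK32


def intact_run():
    """Checked region untouched: layer and target come out right."""
    enc, imm = build_packed()
    return run_scenario(CODE, enc, imm)


def patched_run():
    """One byte of the checked region NOPed (0x90), as a de-junk patch
    would do: the sum changes, the key stream and the target with it."""
    patched = bytearray(CODE)
    patched[10] = 0x90
    enc, imm = build_packed()
    return run_scenario(bytes(patched), enc, imm)


if __name__ == "__main__":
    print(hex(intact_run()[1]), hex(patched_run()[1]))
```

The update bl = (bl + bh) ^ bh is a bijection on bl for fixed bh, so two different checksums can never converge to the same final EBX after the loop; any patch that changes the sum is guaranteed to move the RETN target, which matches the "jumps off somewhere random" behaviour described above.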
Article URL: http://com.8s8s.com/it/it22380.htm