OD载入:
入口:
;-----------------------------------------------------------------------
; Packer stub entry as shown by OllyDbg. Only the first instruction is
; code: the `call` jumps over the bytes that follow, so everything from
; 0073F005 to the end of this dump is data that the disassembler renders
; as junk instructions. The callee 0073F0AF is not in the dump;
; presumably it pops the return address (0073F005) to obtain a pointer
; to this data block — TODO confirm.
;-----------------------------------------------------------------------
0073F000 > E8 AA000000 call NE_St.0073F0AF ; skip the data block; pushed return address = 0073F005 (start of the data)
0073F005 2D F0330000 sub eax,33F0 ; data, not code: the value 0x33F0 recurs at 0073F012 and 0073F016 — looks like a small header/table, layout unknown
0073F00A 0000 add byte ptr ds:[eax],al ; zero filler
0073F00C 0000 add byte ptr ds:[eax],al
0073F00E 0000 add byte ptr ds:[eax],al
0073F010 003D F033002D add byte ptr ds:[2D0033F0],bh ; data (0x33F0 again)
0073F016 F0:3300 lock xor eax,dword ptr ds:[eax] ; LOCK prefix not allowed (OllyDbg note) — another sign this is not code
0073F019 0000 add byte ptr ds:[eax],al ; zero filler through 0073F02C
0073F01B 0000 add byte ptr ds:[eax],al
0073F01D 0000 add byte ptr ds:[eax],al
0073F01F 0000 add byte ptr ds:[eax],al
0073F021 0000 add byte ptr ds:[eax],al
0073F023 0000 add byte ptr ds:[eax],al
0073F025 0000 add byte ptr ds:[eax],al
0073F027 0000 add byte ptr ds:[eax],al
0073F029 0000 add byte ptr ds:[eax],al
0073F02B 0000 add byte ptr ds:[eax],al
0073F02D >- 79 BB jns short NE_St.0073EFEA ; data: from 0073F02D the bytes read as three little-endian dwords 77DABB79, 77DAA01F, 77DA1625 — plausibly resolved API addresses (same 0x77DA prefix); which APIs cannot be told from the dump
0073F02F DA77 1F fidiv dword ptr ds:[edi+1F]
0073F032 A0 DA772516 mov al,byte ptr ds:[162577DA]
0073F037 DA77 00 fidiv dword ptr ds:[edi]
0073F03A 0000 add byte ptr ds:[eax],al ; zero dword at 0073F039-0073F03C (terminator or padding)
0073F03C 004B 45 add byte ptr ds:[ebx+45],cl ; from 0073F03D: 4B 45 52 4E 45 4C 33 32 2E 64 6C = ASCII "KERNEL32.dl" (the rest is past the end of this dump)
0073F03F 52 push edx
0073F040 4E dec esi
0073F041 45 inc ebp
0073F042 4C dec esp
0073F043 3332 xor esi,dword ptr ds:[edx]
0073F045 2E: prefix cs:
0073F046 64:6C ins byte ptr es:[edi],dx
下断bp VirtualAlloc,然后Alt+F9后
断下后,一直往下找,直到retn 8
;-----------------------------------------------------------------------
; Call site of the decompressor at 0073F0F7. eax is pushed three times:
; once as the later jump target (consumed by `pop edx` at 0073F0F3) and
; twice as the decompressor's arguments (destination, then source).
; ebp is used as the base of the stub's data block ([ebp+7E] is read as
; a relative value). eax is plausibly the buffer returned by the
; VirtualAlloc call the author breaks on — TODO confirm.
;-----------------------------------------------------------------------
0073F0E3 50 push eax ; saved jump target: popped into edx at 0073F0F3
0073F0E4 8B9D 7E000000 mov ebx,dword ptr ss:[ebp+7E] ; relative offset of the packed data
0073F0EA 03DD add ebx,ebp ; ebx = absolute address of the packed data
0073F0EC 50 push eax ; arg: destination (read as [esp+28] after pushad)
0073F0ED 53 push ebx ; arg: source (read as [esp+24] after pushad)
0073F0EE E8 04000000 call NE_St.0073F0F7 ; decompress; returns via `retn 8` to 0073F0F3
0073F0F3 5A pop edx ; edx = the eax pushed at 0073F0E3 (the decompressed buffer)
0073F0F4 55 push ebp ; hand the data-block base to the next stage on the stack
0073F0F5 FFE2 jmp edx ; transfer control into the freshly decompressed code
;-----------------------------------------------------------------------
; Decompressor entered from 0073F0EE. Stack after pushad:
;   [esp+24] = packed source, [esp+28] = destination
;   (both popped by the `retn 8` at 0073F19F; the output size is written
;   into the pushad slot of eax, [esp+1C], so it comes back in eax).
; Register roles in the loop:
;   esi = src, edi = dst, dl = tag-bit buffer (see 0073F17A),
;   ecx = length / gamma-coded value, eax = match offset,
;   ebp = previous match offset, bl = 2 after a literal / 1 after a match
;   (subtracted from the gamma value at 0073F139).
; Helpers: 0073F17A reads one tag bit into CF; 0073F184/0073F186 read a
; gamma-coded number into ecx; 0073F196 is the exit path.
; NOTE(review): the tag layout, the gamma coding and the 0x7D00 / 0x500 /
; 0x7F length adjustments match the aPLib depacker; treat that as a
; likely identification to confirm, not something this dump proves.
;-----------------------------------------------------------------------
0073F0F7 60 pushad ; save all registers; the eax slot is overwritten with the output size before popad
0073F0F8 8B7424 24 mov esi,dword ptr ss:[esp+24] ; esi = packed source
0073F0FC 8B7C24 28 mov edi,dword ptr ss:[esp+28] ; edi = destination
0073F100 FC cld ; forward string operations
0073F101 B2 80 mov dl,80 ; tag buffer: this set bit overflows on the first getbit call and forces a byte reload
0073F103 33DB xor ebx,ebx
0073F105 A4 movs byte ptr es:[edi],byte ptr> ; literal: copy one byte src -> dst
0073F106 B3 02 mov bl,2 ; last item was a literal
0073F108 E8 6D000000 call NE_St.0073F17A ; tag bit
0073F10D ^ 73 F6 jnb short NE_St.0073F105 ; 0 -> another literal
0073F10F 33C9 xor ecx,ecx
0073F111 E8 64000000 call NE_St.0073F17A ; tag bit
0073F116 73 1C jnb short NE_St.0073F134 ; 10 -> match with gamma-coded offset and length
0073F118 33C0 xor eax,eax
0073F11A E8 5B000000 call NE_St.0073F17A ; tag bit
0073F11F 73 23 jnb short NE_St.0073F144 ; 110 -> short match (7-bit offset, length 2 or 3); also carries the end marker
0073F121 B3 02 mov bl,2 ; 111 -> single byte from a 4-bit offset
0073F123 41 inc ecx ; length 1
0073F124 B0 10 mov al,10 ; sentinel bit: four tag bits are shifted in until it falls out into CF
0073F126 E8 4F000000 call NE_St.0073F17A
0073F12B 12C0 adc al,al ; al = (al << 1) | bit
0073F12D ^ 73 F7 jnb short NE_St.0073F126 ; loop until the sentinel leaves al
0073F12F 75 3F jnz short NE_St.0073F170 ; nonzero 4-bit offset -> copy one byte from dst-offset
0073F131 AA stos byte ptr es:[edi] ; offset 0 -> emit a zero byte (al is 0 here)
0073F132 ^ EB D4 jmp short NE_St.0073F108 ; next tag
0073F134 E8 4D000000 call NE_St.0073F186 ; gamma value into ecx (entered past the zeroing; ecx is already 0)
0073F139 2BCB sub ecx,ebx ; adjust by 2 (after literal) or 1 (after match)
0073F13B 75 10 jnz short NE_St.0073F14D ; nonzero -> a new offset follows
0073F13D E8 42000000 call NE_St.0073F184 ; zero -> reuse the previous offset (ebp); read only the length
0073F142 EB 28 jmp short NE_St.0073F16C
0073F144 AC lods byte ptr ds:[esi] ; short match: byte = (offset << 1) | length bit
0073F145 D1E8 shr eax,1 ; eax = 7-bit offset, CF = length bit
0073F147 74 4D je short NE_St.0073F196 ; byte 0 -> end of stream
0073F149 13C9 adc ecx,ecx ; ecx = length bit (ecx was 0)
0073F14B EB 1C jmp short NE_St.0073F169 ; length = bit + 2
0073F14D 91 xchg eax,ecx ; eax = gamma - bl
0073F14E 48 dec eax
0073F14F C1E0 08 shl eax,8
0073F152 AC lods byte ptr ds:[esi] ; offset = ((gamma - bl - 1) << 8) | next byte
0073F153 E8 2C000000 call NE_St.0073F184 ; length into ecx
0073F158 3D 007D0000 cmp eax,7D00 ; offset >= 0x7D00 -> length += 2
0073F15D 73 0A jnb short NE_St.0073F169
0073F15F 80FC 05 cmp ah,5 ; offset >= 0x500 -> length += 1
0073F162 73 06 jnb short NE_St.0073F16A
0073F164 83F8 7F cmp eax,7F ; offset > 0x7F -> no adjustment
0073F167 77 02 ja short NE_St.0073F16B
0073F169 41 inc ecx ; offset <= 0x7F -> length += 2
0073F16A 41 inc ecx
0073F16B 95 xchg eax,ebp ; remember this offset as the previous one
0073F16C 8BC5 mov eax,ebp ; eax = offset to copy from
0073F16E B3 01 mov bl,1 ; last item was a match
0073F170 56 push esi
0073F171 8BF7 mov esi,edi
0073F173 2BF0 sub esi,eax ; copy source = dst - offset (overlap is intended: rep movsb copies byte by byte)
0073F175 F3:A4 rep movs byte ptr es:[edi],byte> ; copy ecx bytes
0073F177 5E pop esi
0073F178 ^ EB 8E jmp short NE_St.0073F108 ; next tag
;-----------------------------------------------------------------------
; getbit: shift the next tag bit out of dl into CF. dl keeps a sentinel
; 1 below the pending bits; when it has been shifted out (dl becomes 0)
; the next tag byte is fetched from esi. Clobbers: dl, esi, flags.
;-----------------------------------------------------------------------
0073F17A 02D2 add dl,dl ; CF = next bit
0073F17C 75 05 jnz short NE_St.0073F183 ; bits remain (sentinel still inside dl)
0073F17E 8A16 mov dl,byte ptr ds:[esi] ; buffer exhausted: load the next tag byte (mov/inc leave CF untouched)
0073F180 46 inc esi
0073F181 12D2 adc dl,dl ; CF = its top bit; the CF=1 from the overflow above becomes the new sentinel in bit 0
0073F183 C3 retn
;-----------------------------------------------------------------------
; Read a gamma-coded number into ecx: starting from 1, each step appends
; one data bit and then reads a continuation bit (1 = more bits follow).
; Entry at 0073F184 starts from ecx=1; entry at 0073F186 skips the
; zeroing and increments whatever ecx the caller has (the caller at
; 0073F134 arrives with ecx=0). Clobbers: ecx, dl, esi, flags.
;-----------------------------------------------------------------------
0073F184 33C9 xor ecx,ecx
0073F186 41 inc ecx
0073F187 E8 EEFFFFFF call NE_St.0073F17A ; data bit
0073F18C 13C9 adc ecx,ecx ; ecx = (ecx << 1) | bit
0073F18E E8 E7FFFFFF call NE_St.0073F17A ; continuation bit
0073F193 ^ 72 F2 jb short NE_St.0073F187 ; 1 -> another pair follows
0073F195 C3 retn
;-----------------------------------------------------------------------
; Decompressor exit (reached from 0073F147 on the end marker).
; Returns the number of bytes written in eax and pops the two arguments.
;-----------------------------------------------------------------------
0073F196 2B7C24 28 sub edi,dword ptr ss:[esp+28] ; edi = bytes written (current dst - original dst)
0073F19A 897C24 1C mov dword ptr ss:[esp+1C],edi ; store into the pushad slot of eax
0073F19E 61 popad ; eax = output size, everything else restored
0073F19F C2 0800 retn 8 // author's note: set the breakpoint here; retn 8 drops the (src, dst) arguments
在0073F19F 断下二次后,F8返回,来到:
;-----------------------------------------------------------------------
; Second-stage stub (running in the buffer the first stage jumped to).
; ebp is the base of the stub's data block: [ebp+2xx] are its fields.
; [ebp+2B4] is added to RVAs here and again at 003730B2, so it is
; presumably the image base / load address — TODO confirm.
; The loop head 00372EEC and the branch targets 00372FC8 are outside
; this dump.
;-----------------------------------------------------------------------
00372F1D 8B0C2B mov ecx,dword ptr ds:[ebx+ebp] ; byte count of the current table entry (ebx advances 0xC per iteration -> 12-byte records)
00372F20 56 push esi
00372F21 F3:A4 rep movs byte ptr es:[edi],byte> ; copy ecx bytes esi -> edi
00372F23 5E pop esi
00372F24 53 push ebx ; keep the loop index across the call
00372F25 68 00800000 push 8000 ; 0x8000 = MEM_RELEASE
00372F2A 6A 00 push 0 ; dwSize = 0
00372F2C 56 push esi ; lpAddress = the buffer just copied from
00372F2D FF95 E9020000 call dword ptr ss:[ebp+2E9] ; argument pattern (addr, 0, MEM_RELEASE) matches VirtualFree; [ebp+2E9] presumably holds its address — TODO confirm
00372F33 5B pop ebx
00372F34 83C3 0C add ebx,0C ; next 12-byte record
00372F37 ^ EB B3 jmp short 00372EEC ; loop head (outside the dump)
00372F39 8B85 B8020000 mov eax,dword ptr ss:[ebp+2B8] ; a flag in the data block
00372F3F 0BC0 or eax,eax
00372F41 0F85 81000000 jnz 00372FC8 ; nonzero -> skip the block below
00372F47 8BBD C0020000 mov edi,dword ptr ss:[ebp+2C0] ; an RVA stored in the data block
00372F4D 03BD B4020000 add edi,dword ptr ss:[ebp+2B4] ; edi = base + RVA
00372F53 8B77 0C mov esi,dword ptr ds:[edi+C] ; +0xC is IMAGE_IMPORT_DESCRIPTOR.Name — consistent with walking the import table; verify
00372F56 0BF6 or esi,esi ; Name == 0 would be the end of the descriptor list (branch not in the dump)
一直往下找,直到:
;-----------------------------------------------------------------------
; Tail of the second-stage stub: hand-off to the original entry point.
; The condition tested by the first jnz is set before this dump starts.
;-----------------------------------------------------------------------
0037309A /75 0A jnz short 003730A6 ; skip the two stores below when the (earlier) test is nonzero
0037309C |8B52 04 mov edx,dword ptr ds:[edx+4]
0037309F |C742 50 0010000>mov dword ptr ds:[edx+50],1000 ; what this structure is cannot be told from the dump
003730A6 \89AD 58020000 mov dword ptr ss:[ebp+258],ebp ; data block stores its own base address
003730AC 8B85 C8020000 mov eax,dword ptr ss:[ebp+2C8] ; presumably the OEP RVA
003730B2 0385 B4020000 add eax,dword ptr ss:[ebp+2B4] ; plus the same base used at 00372F4D
003730B8 FFE0 jmp eax // author's note: found it; F4 to here — this should be the entry point (observed target: 00665AB4)
F7来到这里:
奇怪的是入口有花指令,移动一下就变化了
但是用Ctrl+↓可以看到
;-----------------------------------------------------------------------
; Original entry point, reached from `jmp eax` at 003730B8.
; The shape (frame + 16 bytes of locals, eax = table, call into the
; runtime, then a chain of calls through a global object pointer held in
; ebx, constructor calls with dl=1, and a final call that is followed by
; data instead of a ret) is consistent with a Delphi/Borland program
; block. No symbol names are in the dump, so every callee role noted
; below is an inference to confirm.
;-----------------------------------------------------------------------
00665AB4 55 push ebp
00665AB5 8BEC mov ebp,esp
00665AB7 83C4 F0 add esp,-10 ; 16 bytes of locals
00665ABA 53 push ebx ; callee-saved; ebx is used as the object pointer below
00665ABB B8 EC536600 mov eax,NE_St.006653EC ; eax = pointer to an initialisation table (contents not shown)
00665AC0 E8 FB13DAFF call NE_St.00406EC0 ; runtime initialisation — inferred from position
00665AC5 8B1D 30AB6600 mov ebx,dword ptr ds:[66AB30] ; NE_St.0066BBF4 — ebx = address of a global object reference, reused by every call below (plausibly the Application object)
00665ACB 8B03 mov eax,dword ptr ds:[ebx]
00665ACD E8 76D1E2FF call NE_St.00492C48 ; method call on that object
00665AD2 8B0B mov ecx,dword ptr ds:[ebx] ; ecx = the global object (owner)
00665AD4 B2 01 mov dl,1 ; dl=1 with eax=class/ecx=owner is the Delphi constructor calling pattern — inferred
00665AD6 A1 D8516600 mov eax,dword ptr ds:[6651D8] ; eax = a class reference
00665ADB E8 2057E2FF call NE_St.0048B200
00665AE0 8B15 50AC6600 mov edx,dword ptr ds:[66AC50] ; NE_St.0066C400 — address of a global
00665AE6 8902 mov dword ptr ds:[edx],eax ; store the newly created object there
00665AE8 A1 50AC6600 mov eax,dword ptr ds:[66AC50]
00665AED 8B00 mov eax,dword ptr ds:[eax] ; eax = that object
00665AEF 8B10 mov edx,dword ptr ds:[eax] ; edx = its vtable
00665AF1 FF92 88000000 call dword ptr ds:[edx+88] ; virtual call, slot +0x88
00665AF7 A1 50AC6600 mov eax,dword ptr ds:[66AC50]
00665AFC 8B00 mov eax,dword ptr ds:[eax]
00665AFE 8B10 mov edx,dword ptr ds:[eax]
00665B00 FF92 EC000000 call dword ptr ds:[edx+EC] ; virtual call, slot +0xEC
00665B06 8B03 mov eax,dword ptr ds:[ebx]
00665B08 BA 505B6600 mov edx,NE_St.00665B50 ; edx = the string stored after this routine (decodes as GBK "软考测试系统")
00665B0D E8 2ECDE2FF call NE_St.00492840 ; method taking (object, string) — plausibly a title/caption setter; confirm
00665B12 8B0D 90A96600 mov ecx,dword ptr ds:[66A990] ; NE_St.0066C3A4 — ecx = address of a global reference
00665B18 8B03 mov eax,dword ptr ds:[ebx]
00665B1A 8B15 B80C6600 mov edx,dword ptr ds:[660CB8] ; NE_St.00660D04 — edx = a class reference
00665B20 E8 3BD1E2FF call NE_St.00492C60 ; (object, class, @reference) — same call repeated below with another class/reference pair
00665B25 8B0D 88A76600 mov ecx,dword ptr ds:[66A788] ; NE_St.0066C21C
00665B2B 8B03 mov eax,dword ptr ds:[ebx]
00665B2D 8B15 9CFA6500 mov edx,dword ptr ds:[65FA9C] ; NE_St.0065FAE8
00665B33 E8 28D1E2FF call NE_St.00492C60
00665B38 8B03 mov eax,dword ptr ds:[ebx]
00665B3A E8 A1D1E2FF call NE_St.00492CE0 ; method call on the global object
00665B3F 5B pop ebx
00665B40 E8 4BECD9FF call NE_St.00404790 ; presumably does not return: the bytes that follow are data, not code
;-----------------------------------------------------------------------
; Data following the entry routine (not code). Byte layout:
;   00665B45: 00 00 00                 padding
;   00665B48: FF FF FF FF              -1
;   00665B4C: 0C 00 00 00              12
;   00665B50: C8 ED BF BC B2 E2 CA D4 CF B5 CD B3 00
; The 12 bytes at 00665B50 decode as GBK "软考测试系统" (6 double-byte
; characters) and are the edx operand of 00665B08; the -1 / 12 pair in
; front matches a Delphi constant AnsiString header (refcount -1,
; length 12) — TODO confirm.
;-----------------------------------------------------------------------
00665B45 0000 add byte ptr ds:[eax],al ; padding
00665B47 00FF add bh,bh
00665B49 FFFF ??? ; unknown command (OllyDbg note) — part of the FF FF FF FF dword
00665B4B FF0C00 dec dword ptr ds:[eax+eax]
00665B4E 0000 add byte ptr ds:[eax],al
00665B50 C8 EDBFBC enter 0BFED,0BC ; string data starts here
00665B54 B2 E2 mov dl,0E2
00665B56 CA D4CF retf 0CFD4
00665B59 B5 CD mov ch,0CD
00665B5B B3 00 mov bl,0 ; NUL terminator at 00665B5C
00665B5D 0000 add byte ptr ds:[eax],al
到了入口后发现了很多call指令,也许就是加密了的IAT。
到了这步就不知道该怎么办了?
请各位指教,该怎么解密IAT。
软件太大,无法上传,软件地址:
http://www.skycn.com/soft/9191.html