-
-
[原创]PEQueKe0.06花指令壳学习笔记[这壳太猛了]
-
发表于: 2011-6-16 12:20
-
|
|
|---|---|
|
|
|
|
|
00401020 55 push ebp 00401021 89E5 mov ebp, esp 00401023 6A FF push -1 00401025 68 10304000 push 403010 0040102A 68 28114000 push 401128 0040102F 64:FF35 0000000>push dword ptr fs:[0] 00401036 64:8925 0000000>mov dword ptr fs:[0], esp 0040103D 83EC 0C sub esp, 0C 00401040 53 push ebx 00401041 56 push esi 00401042 57 push edi  这个是吗?
|
|
|
|
|
|
|
|
|
只为给韬哥翻页..
004220AA 5D pop ebp ; PEQuake.00422005
004220AB 81ED 05000000 sub ebp,5
004220B1 8D75 3D lea esi,dword ptr ss:[ebp+3D]
004220B4 56 push esi
004220B5 FF55 31 call dword ptr ss:[ebp+31] ; 获取kernel32模块基址
004220B8 8DB5 81000000 lea esi,dword ptr ss:[ebp+81]
004220BE 56 push esi
004220BF 50 push eax
004220C0 FF55 2D call dword ptr ss:[ebp+2D] ; 获取VirtualAlloc地址
004220C3 8985 8E000000 mov dword ptr ss:[ebp+8E],eax
004220C9 6A 04 push 4
004220CB 68 00100000 push 1000
004220D0 68 0F9C0000 push 9C0F
004220D5 6A 00 push 0
004220D7 FF95 8E000000 call dword ptr ss:[ebp+8E] ; 申请一块buffer
004220DD 50 push eax
004220DE 8B9D 7D000000 mov ebx,dword ptr ss:[ebp+7D]
004220E4 03DD add ebx,ebp
004220E6 50 push eax
004220E7 53 push ebx
004220E8 E8 04000000 call 004220F1 ; Aplib解压.解压到刚才申请的buffer
004220ED 5A pop edx
004220EE 55 push ebp
004220EF FFE2 jmp edx ; 执行刚才解压出来的代码
00394781 8D85 62194000 lea eax,dword ptr ss:[ebp+401962]
00394787 50 push eax
00394788 6A 00 push 0
0039478A FF7424 08 push dword ptr ss:[esp+8]
0039478E 51 push ecx
0039478F 6A 00 push 0
00394791 6A 00 push 0
00394793 FF95 30644000 call dword ptr ss:[ebp+406430] ; 创建线程,检测调试器
00394799 33F6 xor esi,esi
0039479B 33FF xor edi,edi
// 查找当前进程 反调试...
00394B33 5E pop esi
00394B34 C706 28010000 mov dword ptr ds:[esi],128
00394B3A 56 push esi
00394B3B 53 push ebx
00394B3C FF95 1B664000 call dword ptr ss:[ebp+40661B] ; Process32First
00394B42 397E 08 cmp dword ptr ds:[esi+8],edi ; 判断是否是当前进程
00394B45 0F84 5C010000 je 00394CA7
00394B4B 56 push esi
00394B4C 53 push ebx
// 已经找到了当前进程,开始查找父进程
00394CA7 FF76 18 push dword ptr ds:[esi+18] ; 找到了当前进程
00394CAA 5F pop edi
00394CAB 56 push esi
00394CAC 53 push ebx
00394CAD FF95 1B664000 call dword ptr ss:[ebp+40661B]
00394CB3 397E 08 cmp dword ptr ds:[esi+8],edi ; 这里开始查找当前进程的父进程
00394CB6 0F84 D5020000 je 00394F91
// 找到父进程了,开始检查父进程
00394F91 8D76 24 lea esi,dword ptr ds:[esi+24] ; 找到父进程了
00394F94 56 push esi ; 开始检查父进程名,不是explorer.exe就挂起
00394F95 FF95 82644000 call dword ptr ss:[ebp+406482]
00394F9B 03F0 add esi,eax
00394F9D 56 push esi
00394F9E 83EE 07 sub esi,7
00394FA1 AD lods dword ptr ds:[esi]
00394FA2 25 5F5F5F5F and eax,5F5F5F5F
00394FA7 3D 434D442E cmp eax,2E444D43
00394FAC 0F84 60010000 je 00395112
00394FB2 5E pop esi
00395105 AD lods dword ptr ds:[esi]
00395106 25 5F5F5F5F and eax,5F5F5F5F
0039510B 3D 4558504C cmp eax,4C505845 ; "expl"
00395110 - 75 FE jnz short 00395110 ; 检查到父进程不是explorer就挂起了,jmp eip
00395112 61 popad
00395113 BB 46520000 mov ebx,5246
00395118 833C2B 00 cmp dword ptr ds:[ebx+ebp],0
// 之后开始解压区段了
003996D1 40 AE 80 7C 41 B7 80 7C 7B 1D 80 7C F1 9A 80 7C @畝|A穩|{€|駳€|
003996E1 00 00 40 00 FC 55 00 00 FA 6A 00 00 F1 20 42 00 ..@.黆..鷍..?B.
003996F1 00 C0 00 00 00 10 00 00 00 2C 00 00 20 4D 01 00 .?.....,.. M.
00399701 E0 D2 00 00 E4 C7 00 00 嘁..淝....
// 首先这是内存中的一块数据, 从第三行开始,保存的是区段信息
00395122 53 push ebx
00395123 6A 04 push 4
00395125 68 00100000 push 1000
0039512A FF342B push dword ptr ds:[ebx+ebp]
0039512D 6A 00 push 0
0039512F FF95 32520000 call dword ptr ss:[ebp+5232] ; 申请一块buffer
00395135 5B pop ebx
003953DA 8B78 04 mov edi,dword ptr ds:[eax+4] ; 取区段RVA,准备解压
003953DD 03BD 36520000 add edi,dword ptr ss:[ebp+5236]
003953E3 56 push esi
003953E4 57 push edi
003953E5 FF95 42520000 call dword ptr ss:[ebp+5242] ; Aplib解压区段
003953EB 8B0C2B mov ecx,dword ptr ds:[ebx+ebp]
003953EE 56 push esi
003953EF 51 push ecx
003953F0 C1E9 02 shr ecx,2
003953F3 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; 将解压出来的数据拷贝回原位置
003953F5 59 pop ecx
003953F6 83E1 03 and ecx,3
003953F9 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
003953FB 5E pop esi
003953FC 53 push ebx
003953FD 68 00800000 push 8000
00395402 6A 00 push 0
00395404 56 push esi
00395405 FF95 D84D0000 call dword ptr ss:[ebp+4DD8] ; 释放buffer
0039540B 5B pop ebx
0039540C 83C3 0C add ebx,0C ; 0xc是下一个区段信息,自定义的结构
// 检查区段是不是都已经解压完了
00395118 833C2B 00 cmp dword ptr ds:[ebx+ebp],0 ; 判断是不是所有的区段都解压完了
0039511C 0F84 F2020000 je 00395414 ; 没完的话,下面又是重复一轮上面的循环
00395122 53 push ebx
00395123 6A 04 push 4
00395125 68 00100000 push 1000
0039512A FF342B push dword ptr ds:[ebx+ebp]
0039512D 6A 00 push 0
0039512F FF95 32520000 call dword ptr ss:[ebp+5232] ; 申请一块buffer
00399791 3C B0 00 00 0C 6B 65 72 6E 65 6C 33 32 2E 64 6C <?..kernel32.dl
003997A1 6C 00 0E 00 00 00 08 52 65 61 64 46 69 6C 65 00 l....ReadFile.
003997B1 1A 57 72 69 74 65 50 72 69 76 61 74 65 50 72 6F WritePrivatePro
003997C1 66 69 6C 65 53 74 72 69 6E 67 41 00 09 57 72 69 fileStringA..Wri
003997D1 74 65 46 69 6C 65 00 0B 56 69 72 74 75 61 6C 46 teFile.VirtualF
003997E1 72 65 65 00 0C 56 69 72 74 75 61 6C 41 6C 6C 6F ree..VirtualAllo
003997F1 63 00 0E 53 65 74 46 69 6C 65 50 6F 69 6E 74 65 c.SetFilePointe
00399801 72 00 0D 52 74 6C 5A 65 72 6F 4D 65 6D 6F 72 79 r..RtlZeroMemory
00399811 00 0B 43 6C 6F 73 65 48 61 6E 64 6C 65 00 15 47 .CloseHandle.G
00399821 65 74 50 72 69 76 61 74 65 50 72 6F 66 69 6C 65 etPrivateProfile
00399831 49 6E 74 41 00 09 43 6F 70 79 46 69 6C 65 41 00 IntA..CopyFileA.
00399841 10 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 GetModuleHandle
00399851 41 00 0B 47 65 74 46 69 6C 65 53 69 7A 65 00 0B A.GetFileSize.
00399861 45 78 69 74 50 72 6F 63 65 73 73 00 0B 43 72 65 ExitProcess.Cre
00399871 61 74 65 46 69 6C 65 41 00 80 B0 00 00 0A 75 73 ateFileA.€?..us
00399881 65 72 33 32 2E 64 6C 6C 00 11 00 00 00 0A 53 68 er32.dll.....Sh
// 内存中有这么一段,导入表结构, 大概结构如下
struct
{
DWORD dwIAT,
BYTE byDllNameLen;
char *dllname;
DWORD dwApiNums; // 从当前DLL中导入的函数个数
char *apiname;
}
反调试还有个PEB.BeingDebugged..掠了...
IAT处理部分貌似还是PE-Armor哪个版本的, 应该都差不多了,所以不看了
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
搞不定啊
 ,花指令跟着跟着就没法跟了,太多花指令了
|
|
|
说明楼下的功夫还不够,建议多花花时间来搞。
|
|
|
|
|
|
00393C2C E8 00000000 call 00393C31 00393C31 5D pop ebp 00393C32 81ED 89174000 sub ebp, 401789 00393C38 8DB5 62194000 lea esi, dword ptr [ebp+401962] 00393C3E 33C0 xor eax, eax 00393C40 C706 30000000 mov dword ptr [esi], 30 00393C46 C746 04 0302000>mov dword ptr [esi+4], 203 00393C4D C746 20 0200000>mov dword ptr [esi+20], 2 00393C54 8946 0C mov dword ptr [esi+C], eax 00393C57 8946 10 mov dword ptr [esi+10], eax 00393C5A 8946 18 mov dword ptr [esi+18], eax 00393C5D 8946 1C mov dword ptr [esi+1C], eax 00393C60 8946 24 mov dword ptr [esi+24], eax 00393C63 8946 2C mov dword ptr [esi+2C], eax 00393C66 50 push eax 00393C67 FF95 13684000 call dword ptr [ebp+406813] ; kernel32.GetModuleHandleA 有的时候运气很重要 |
|
|
|
|
|
|
|
|
|
|
|
 ,原来这样啊,看来单步对付 花指令+异常 还是不行啊
|
|
|
|
|
|
|
