[旧帖] 样本的释放分析 0.00雪花
在卡饭下了个样本练手,没逆出不良行为。于是
分析了下程序的释放过程安慰下自己,水平有限高手就别扔砖了,
诚恳希望高手有空给逆下结果放出来学习下。
第一次释放exe在临时目录下,释放完后执行,
临时目录下的exe会在C:\Program Files下创建一个Toyo\masmyk目录
然后再次释放二个文件,释放完后并执行;
Pokemon.exe
进入程序来到
004038A4 /$ 55 PUSH EBP
004038A5 |. 8BEC MOV EBP,ESP
004038A7 |. 83C4 C4 ADD ESP,-3C
004038AA |. B8 FCA44100 MOV EAX,Pokemon.0041A4FC
004038AF |. 53 PUSH EBX
004038B0 |. BB 70554100 MOV EBX,Pokemon.00415570
004038B5 |. 56 PUSH ESI
004038B6 |. E8 65C80000 CALL Pokemon.00410120
这个 call 对 0..0xFF 的每个字节值都调用一次 IsDBCSLeadByte, 结果逐字节保存在 0041A4FC 开始的表里(表尾 +100h 处存的是 GetCPInfo 返回的 MaxCharSize>1 标志)
CALL Pokemon.00410120
{
; 00410120: build the DBCS lead-byte table used by the runtime's string code.
; In:  EAX = table base (the caller at 004038AA/004038B6 passes 0041A4FC)
; Out: BYTE [EAX+i] = 1 if IsDBCSLeadByte(i) else 0, for i = 0..FFh
;      BYTE [EAX+100h] = 1 if CPINFO.MaxCharSize of CP_ACP is > 1 (multi-byte code page)
; Stack: 14h bytes reserved for the CPINFO struct handed to GetCPInfo.
; Note: the GetCPInfo return value is not checked; on failure the MaxCharSize field
;       read at 0041012F is whatever was on the stack.
00410120 /$ 53 PUSH EBX
00410121 |. 56 PUSH ESI
00410122 |. 83C4 EC ADD ESP,-14                  ; reserve CPINFO (14h bytes) at [ESP]
00410125 |. 8BF0 MOV ESI,EAX                     ; ESI = table base
00410127 |. 54 PUSH ESP ; /pCPInfo
00410128 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
0041012A |. E8 A1390000 CALL <JMP.&KERNEL32.GetCPInfo> ; \GetCPInfo
0041012F |. 833C24 01 CMP DWORD PTR SS:[ESP],1   ; CPINFO.MaxCharSize (first field) > 1 ?
00410133 |. 0F97C0 SETA AL
00410136 |. 83E0 01 AND EAX,1
00410139 |. 8886 00010000 MOV BYTE PTR DS:[ESI+100],AL ; table[100h] = multi-byte flag
0041013F |. 33DB XOR EBX,EBX                     ; EBX = byte value under test, 0..FFh
00410141 |> 53 PUSH EBX ; /TestChar
00410142 |. E8 1F3A0000 CALL <JMP.&KERNEL32.IsDBCSLeadByte> ; \IsDBCSLeadByte
00410147 |. 85C0 TEST EAX,EAX
00410149 |. 0F95C0 SETNE AL                      ; normalise BOOL to 0/1
0041014C |. 83E0 01 AND EAX,1
0041014F |. 88041E MOV BYTE PTR DS:[ESI+EBX],AL  ; table[EBX] = is-lead-byte
00410152 |. 43 INC EBX
00410153 |. 81FB 00010000 CMP EBX,100            ; all 256 byte values
00410159 |.^ 7C E6 JL SHORT Pokemon.00410141
0041015B |. 83C4 14 ADD ESP,14                   ; drop the CPINFO area
0041015E |. 5E POP ESI
0041015F |. 5B POP EBX
00410160 \. C3 RETN
}
继续往下
004039DE |. E8 611C0000 CALL Pokemon.00405644 ;加载com
004039E3 |. BA 70514100 MOV EDX,Pokemon.00415170
004039E8 |. B8 E0A44100 MOV EAX,Pokemon.0041A4E0
004039ED |. E8 92120000 CALL Pokemon.00404C84 ; 打开程序文件查找数据
004039F2 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004039F5 |. E8 F2070000 CALL Pokemon.004041EC
004039FA |. 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004039FD |. E8 EA070000 CALL Pokemon.004041EC ; buffer清零操作
00403A02 |. 6A 00 PUSH 0 ; /lParam = NULL
00403A04 |. 68 83114000 PUSH Pokemon.00401183 ; |DlgProc = Pokemon.00401183
00403A09 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24] ; |
00403A0C |. 6A 00 PUSH 0 ; |hOwner = NULL
00403A0E |. 8915 785D4100 MOV DWORD PTR DS:[415D78],EDX ; |
00403A14 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C] ; |
00403A17 |. 68 13414100 PUSH Pokemon.00414113 ; |pTemplate = "STARTDLG"
00403A1C |. 53 PUSH EBX ; |hInst
00403A1D |. 890D 7C5D4100 MOV DWORD PTR DS:[415D7C],ECX ; |
00403A23 |. E8 40020100 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA
CALL Pokemon.00404C84 ; 打开程序文件查找数据
{
00404C84 /$ 53 PUSH EBX
00404C85 |. 8BD8 MOV EBX,EAX
00404C87 |. 8BC3 MOV EAX,EBX
00404C89 |. E8 0A000000 CALL Pokemon.00404C98 这个call里进行了开文件查找数据的操作
00404C8E |. 8BC3 MOV EAX,EBX
00404C90 |. E8 E3020000 CALL Pokemon.00404F78
}
CALL Pokemon.00404C98
{
在CALL Pokemon.0040E2B0 ; buf初始化
处会有个结构的初始化,后面有很多地方用到这个结构
00404CAC |. 8B8424 003000>MOV EAX,DWORD PTR SS:[ESP+3000]
00404CB3 |. 83C4 D8 ADD ESP,-28
00404CB6 |. 8BDA MOV EBX,EDX
00404CB8 |. 8BF0 MOV ESI,EAX
00404CBA |. 8DAC24 2C1000>LEA EBP,DWORD PTR SS:[ESP+102C]
00404CC1 |. BA 5C000000 MOV EDX,5C
00404CC6 |. 8BC3 MOV EAX,EBX
00404CC8 |. E8 13AB0000 CALL Pokemon.0040F7E0 ; 字符查找函数==strstr
00404CCD |. 85C0 TEST EAX,EAX
00404CCF |. 75 31 JNZ SHORT Pokemon.00404D02
00404CD1 |. 68 00040000 PUSH 400 ; /BufSize = 400 (1024.)
00404CD6 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; |
00404CDA |. 51 PUSH ECX ; |PathBuffer
00404CDB |. 6A 00 PUSH 0 ; |hModule = NULL
00404CDD |. E8 30EE0000 CALL <JMP.&KERNEL32.GetModuleFileNameA> ; \GetModuleFileNameA
00404CE2 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00404CE6 |. BA 5C000000 MOV EDX,5C
00404CEB |. E8 08AB0000 CALL Pokemon.0040F7F8
00404CF0 |. 85C0 TEST EAX,EAX
00404CF2 |. 0F84 74020000 JE Pokemon.00404F6C
00404CF8 |. 40 INC EAX
00404CF9 |. 8BD3 MOV EDX,EBX
00404CFB |. E8 50AB0000 CALL Pokemon.0040F850
00404D00 |. EB 0B JMP SHORT Pokemon.00404D0D
00404D02 |> 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00404D06 |. 8BD3 MOV EDX,EBX
00404D08 |. E8 43AB0000 CALL Pokemon.0040F850 ; memcpy
00404D0D |> 8D8424 0C0400>LEA EAX,DWORD PTR SS:[ESP+40C]
00404D14 |. E8 97950000 CALL Pokemon.0040E2B0 ; buf初始化
这个结构比较大,列出一些后面用到的
struct HFILE
{
DWORD dwFun;
HANDLE hFile;
BYTE byUnknown[7];
char chDirectory[MAX_PATH];
}
00404D19 |. 6A 01 PUSH 1
00404D1B |. 6A 00 PUSH 0
00404D1D |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
00404D21 |. 8D8424 140400>LEA EAX,DWORD PTR SS:[ESP+414]
00404D28 |. 33C9 XOR ECX,ECX
00404D2A |. E8 1D960000 CALL Pokemon.0040E34C ; 开文件初始化BUF的文件句柄成员
00404D2F |. 84C0 TEST AL,AL
00404D31 |. 75 16 JNZ SHORT Pokemon.00404D49
00404D33 |. 8D8424 0C0400>LEA EAX,DWORD PTR SS:[ESP+40C]
00404D3A |. BA 02000000 MOV EDX,2
00404D3F |. E8 C0950000 CALL Pokemon.0040E304
00404D44 |. E9 23020000 JMP Pokemon.00404F6C
00404D49 |> C70424 FFFFFF>MOV DWORD PTR SS:[ESP],-1
00404D50 |. 33C9 XOR ECX,ECX
00404D52 |. 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
00404D56 |. E9 D7000000 JMP Pokemon.00404E32
00404D5B |> 8D8424 0C0400>/LEA EAX,DWORD PTR SS:[ESP+40C]
00404D62 |. E8 399C0000 |CALL Pokemon.0040E9A0 ; 设置文件指针
00404D67 |. 894424 08 |MOV DWORD PTR SS:[ESP+8],EAX
00404D6B |. 8BD5 |MOV EDX,EBP
00404D6D |. 8D8424 0C0400>|LEA EAX,DWORD PTR SS:[ESP+40C]
00404D74 |. B9 00200000 |MOV ECX,2000 ; 要读取的字节数
00404D79 |. E8 069A0000 |CALL Pokemon.0040E784 ; 读取文件
00404D7E |. 8BF8 |MOV EDI,EAX
00404D80 |. 83FF 10 |CMP EDI,10
00404D83 |. 0F8C BA000000 |JL Pokemon.00404E43
00404D89 |. 33DB |XOR EBX,EBX
00404D8B |. EB 7C |JMP SHORT Pokemon.00404E09
00404D8D |> 33C0 |/XOR EAX,EAX
00404D8F |. 8A441D 00 ||MOV AL,BYTE PTR SS:[EBP+EBX]
00404D93 |. 83F8 2A ||CMP EAX,2A
00404D96 |. 75 2C ||JNZ SHORT Pokemon.00404DC4
00404D98 |. 33D2 ||XOR EDX,EDX
00404D9A |. 8A541D 01 ||MOV DL,BYTE PTR SS:[EBP+EBX+1]
00404D9E |. 83FA 2A ||CMP EDX,2A
00404DA1 |. 75 21 ||JNZ SHORT Pokemon.00404DC4
00404DA3 |. BA 40454100 ||MOV EDX,Pokemon.00414540 ; ASCII "*messages***"
00404DA8 |. 8D45 02 ||LEA EAX,DWORD PTR SS:[EBP+2]
00404DAB |. 03C3 ||ADD EAX,EBX
00404DAD |. B9 0B000000 ||MOV ECX,0B
00404DB2 |. E8 EDAA0000 ||CALL Pokemon.0040F8A4
00404DB7 |. 85C0 ||TEST EAX,EAX
00404DB9 |. 75 09 ||JNZ SHORT Pokemon.00404DC4
00404DBB |. 035C24 08 ||ADD EBX,DWORD PTR SS:[ESP+8]
00404DBF |. 891C24 ||MOV DWORD PTR SS:[ESP],EBX
00404DC2 |. EB 50 ||JMP SHORT Pokemon.00404E14
00404DC4 |> 33C0 ||XOR EAX,EAX
00404DC6 |. 8A441D 00 ||MOV AL,BYTE PTR SS:[EBP+EBX]
00404DCA |. 83F8 52 ||CMP EAX,52
00404DCD |. 75 39 ||JNZ SHORT Pokemon.00404E08
00404DCF |. 33D2 ||XOR EDX,EDX
00404DD1 |. 8A541D 01 ||MOV DL,BYTE PTR SS:[EBP+EBX+1]
00404DD5 |. 83FA 61 ||CMP EDX,61
00404DD8 |. 75 2E ||JNZ SHORT Pokemon.00404E08
00404DDA |. BA 4D454100 ||MOV EDX,Pokemon.0041454D ; 在PE数据中查找指定数据开头的数据
00404DDF |. 8D45 02 ||LEA EAX,DWORD PTR SS:[EBP+2]
00404DE2 |. 03C3 ||ADD EAX,EBX
00404DE4 |. B9 04000000 ||MOV ECX,4
00404DE9 |. E8 B6AA0000 ||CALL Pokemon.0040F8A4 ; 相当于memcmp
00404DEE |. 85C0 ||TEST EAX,EAX
00404DF0 |. 75 16 ||JNZ SHORT Pokemon.00404E08
00404DF2 |. 8D8424 0C0400>||LEA EAX,DWORD PTR SS:[ESP+40C]
00404DF9 |. BA 02000000 ||MOV EDX,2
00404DFE |. E8 01950000 ||CALL Pokemon.0040E304
00404E03 |. E9 64010000 ||JMP Pokemon.00404F6C
00404E08 |> 43 ||INC EBX
00404E09 |> 8D4F F0 | LEA ECX,DWORD PTR DS:[EDI-10]
00404E0C |. 3BD9 ||CMP EBX,ECX
00404E0E |.^ 0F8E 79FFFFFF |\JLE Pokemon.00404D8D
00404E14 |> 8B4424 08 |MOV EAX,DWORD PTR SS:[ESP+8]
}
接着就是创建对话框了。
在窗口过程 00401183 处下断, 经过一些初始化后就调用了窗口创建函数:
00401267 |. 68 4408A150 PUSH 50A10844 ; |Style =
WS_CHILD|WS_TABSTOP|WS_VISIBLE|WS_VSCROLL|WS_BORDER|844
0040126C |. 68 99404100 PUSH Pokemon.00414099 ; |WindowName = ""
00401271 |. 68 1C414100 PUSH Pokemon.0041411C ; |Class = "RichEdit"
00401276 |. 6A 00 PUSH 0 ; |ExtStyle = 0
00401278 |. E8 D3290100 CALL <JMP.&USER32.CreateWindowExA> ; \CreateWindowExA
继续单步往下
00401304 |. E8 631A0000 CALL Pokemon.00402D6C ; 给对话框控件添加自动完成功能
00401309 |. C605 19404100>MOV BYTE PTR DS:[414019],0
00401310 |. B9 54404100 MOV ECX,Pokemon.00414054
00401315 |. BA 48404100 MOV EDX,Pokemon.00414048
0040131A |. B8 70514100 MOV EAX,Pokemon.00415170
0040131F |. E8 C4230000 CALL Pokemon.004036E8 ; 解密出
path=temp%..SavePath..Setup=pokemon.exe..Setup=pokemon.jpg..Silent=1..Overwrite=1
看下CALL Pokemon.004036E8 是怎么解密的
{
004036E8 /$ 53 PUSH EBX
004036E9 |. 56 PUSH ESI
004036EA |. 57 PUSH EDI
004036EB |. 50 PUSH EAX
004036EC |. B8 07000000 MOV EAX,7
004036F1 |> 81C4 04F0FFFF /ADD ESP,-0FFC
004036F7 |. 50 |PUSH EAX
004036F8 |. 48 |DEC EAX
004036F9 |.^ 75 F6 \JNZ SHORT Pokemon.004036F1
004036FB |. 8B8424 007000>MOV EAX,DWORD PTR SS:[ESP+7000]
00403702 |. 81C4 0CFEFFFF ADD ESP,-1F4
00403708 |. 8BF9 MOV EDI,ECX
0040370A |. 8BF2 MOV ESI,EDX
0040370C |. 8BD8 MOV EBX,EAX
0040370E |. E8 19BA0000 CALL Pokemon.0040F12C ; 加密
00403713 |. 8BC4 MOV EAX,ESP
00403715 |. 33D2 XOR EDX,EDX
00403717 |. E8 CC390000 CALL Pokemon.004070E8 ; 结构的初始化与加密
0040371C |. 8BC4 MOV EAX,ESP
0040371E |. 33C9 XOR ECX,ECX
00403720 |. 8BD3 MOV EDX,EBX
00403722 |. E8 193C0000 CALL Pokemon.00407340
00403727 |. 8D8424 EC7100>LEA EAX,DWORD PTR SS:[ESP+71EC]
0040372E |. E8 99000000 CALL Pokemon.004037CC
00403733 |. 8D9424 EC7100>LEA EDX,DWORD PTR SS:[ESP+71EC]
0040373A |. 8BC4 MOV EAX,ESP
0040373C |. 33C9 XOR ECX,ECX
0040373E |. E8 D9350000 CALL Pokemon.00406D1C
00403743 |. 84C0 TEST AL,AL
00403745 |. 74 2B JE SHORT Pokemon.00403772
00403747 |. 8B9C24 F07100>MOV EBX,DWORD PTR SS:[ESP+71F0]
0040374E |. 891F MOV DWORD PTR DS:[EDI],EBX
00403750 |. 8D43 01 LEA EAX,DWORD PTR DS:[EBX+1]
00403753 |. 50 PUSH EAX
00403754 |. E8 53C20000 CALL Pokemon.0040F9AC
00403759 |. 59 POP ECX
0040375A |. 8906 MOV DWORD PTR DS:[ESI],EAX
0040375C |. 85C0 TEST EAX,EAX
0040375E |. 74 12 JE SHORT Pokemon.00403772
00403760 |. C60418 00 MOV BYTE PTR DS:[EAX+EBX],0
00403764 |. 8BCB MOV ECX,EBX
00403766 |. 8B9424 EC7100>MOV EDX,DWORD PTR SS:[ESP+71EC]
0040376D |. E8 F2BF0000 CALL Pokemon.0040F764
00403772 |> 8D8424 EC7100>LEA EAX,DWORD PTR SS:[ESP+71EC]
00403779 |. BA 02000000 MOV EDX,2
0040377E |. E8 59000000 CALL Pokemon.004037DC
00403783 |. 8D8424 085800>LEA EAX,DWORD PTR SS:[ESP+5808]
0040378A |. BA 02000000 MOV EDX,2
0040378F |. E8 48000000 CALL Pokemon.004037DC
00403794 |. 8D8424 DC4A00>LEA EAX,DWORD PTR SS:[ESP+4ADC]
0040379B |. BA 02000000 MOV EDX,2
004037A0 |. E8 37000000 CALL Pokemon.004037DC
004037A5 |. 8D8424 901300>LEA EAX,DWORD PTR SS:[ESP+1390]
004037AC |. BA 02000000 MOV EDX,2
004037B1 |. E8 92B80000 CALL Pokemon.0040F048
004037B6 |. 8BC4 MOV EAX,ESP
004037B8 |. 33D2 XOR EDX,EDX
004037BA |. E8 45AB0000 CALL Pokemon.0040E304
004037BF |. 81C4 F8710000 ADD ESP,71F8
CALL Pokemon.0040F12C ; 字符加密
{
0040F12C /$ E8 5F99FFFF CALL Pokemon.00408A90
0040F131 |. B8 D4A44100 MOV EAX,Pokemon.0041A4D4
0040F136 |. E8 09D6FFFF CALL Pokemon.0040C744
CALL Pokemon.00408A90 对字符集进行了一个加密过程加密结果放在416188
{
; 00408A90: build the 256-entry CRC-32 lookup table at 416188.
; For each i in 0..FFh: c = i; repeat 8 times { c = (c & 1) ? (c >> 1) ^ EDB88320h : c >> 1 }; table[i] = c.
; EDB88320h is the bit-reflected CRC-32 polynomial, so this is the standard checksum table —
; a data-integrity table, not an encryption key schedule. Presumably it backs the 16-bit
; header check at 00407552 — TODO confirm by following 00409BE8 / the header read path.
; In: none.  Out: DWORD [416188 + i*4], i = 0..FFh.  Clobbers: EAX, ECX, EDX, flags (EBX preserved).
00408A90 /$ 53 PUSH EBX
00408A91 |. 33C9 XOR ECX,ECX                    ; ECX = i, table index
00408A93 |> 8BC1 /MOV EAX,ECX                   ; c = i
00408A95 |. 33D2 |XOR EDX,EDX                   ; EDX = round counter
00408A97 |> A8 01 |/TEST AL,1                   ; low bit of c: shift-only or shift+xor
00408A99 |. 74 0C ||JE SHORT Pokemon.00408AA7
00408A9B |. 8BD8 ||MOV EBX,EAX
00408A9D |. D1EB ||SHR EBX,1
00408A9F |. 81F3 2083B8ED ||XOR EBX,EDB88320    ; reflected CRC-32 polynomial
00408AA5 |. EB 04 ||JMP SHORT Pokemon.00408AAB
00408AA7 |> 8BD8 ||MOV EBX,EAX
00408AA9 |. D1EB ||SHR EBX,1
00408AAB |> 8BC3 ||MOV EAX,EBX                  ; c = updated value
00408AAD |. 42 ||INC EDX
00408AAE |. 83FA 08 ||CMP EDX,8                 ; 8 rounds, one per bit
00408AB1 |.^ 7C E4 |\JL SHORT Pokemon.00408A97
00408AB3 |. 89048D 886141>|MOV DWORD PTR DS:[ECX*4+416188],EAX ; table[i] = c
00408ABA |. 41 |INC ECX
00408ABB |. 81F9 00010000 |CMP ECX,100          ; 100h = 256 entries
00408AC1 |.^ 7C D0 \JL SHORT Pokemon.00408A93
00408AC3 |. 5B POP EBX
00408AC4 \. C3 RETN
}
{
MOV EAX,Pokemon.0041A4D4
0040F136 |. E8 09D6FFFF CALL Pokemon.0040C744
在41a4d4+8的地方设标记表示加密完成
}
}
CALL Pokemon.004070E8 ; 结构的初始化与加密
{
004070E8 /$ 53 PUSH EBX
004070E9 |. 56 PUSH ESI
004070EA |. 57 PUSH EDI
004070EB |. 8BFA MOV EDI,EDX
004070ED |. 8BD8 MOV EBX,EAX
004070EF |. 8BC3 MOV EAX,EBX
004070F1 |. E8 BA710000 CALL Pokemon.0040E2B0 ; 某结构的初始化
004070F6 |. BA 20464100 MOV EDX,Pokemon.00414620
004070FB |. 8913 MOV DWORD PTR DS:[EBX],EDX
004070FD |. 8DB3 200C0000 LEA ESI,DWORD PTR DS:[EBX+C20]
00407103 |. 8BC6 MOV EAX,ESI
00407105 |. E8 BA200000 CALL Pokemon.004091C4 ; 再次对字符集加密保存
CALL Pokemon.004091C4 ; 再次对字符集加密保存
{
; 004091C4: run 00409BE8 once, guarded by the byte flag at 416830.
; In:  EAX = object (here EBX+C20, see 004070FD..00407103).
; Out: EAX = the same object pointer; EBX preserved.
; Note: the analyst labels 00409BE8 "encryption". Given that the table builder at 00408A90 is a
;       CRC-32 table, this is more likely another lookup-table setup — TODO confirm by reading
;       00409BE8, which presumably also sets [416830] (not visible here).
004091C4 /$ 53 PUSH EBX
004091C5 |. 8BD8 MOV EBX,EAX                    ; keep the object pointer across the call
004091C7 |. 803D 30684100>CMP BYTE PTR DS:[416830],0 ; already initialized? (analyst: "already encrypted?")
004091CE |. 75 07 JNZ SHORT Pokemon.004091D7
004091D0 |. 8BC3 MOV EAX,EBX
004091D2 |. E8 110A0000 CALL Pokemon.00409BE8 ; one-time initialization (analyst: "encryption call")
004091D7 |> 8BC3 MOV EAX,EBX                    ; return the object pointer
004091D9 |. 5B POP EBX
004091DA \. C3 RETN
}
}
往下走看
CALL Pokemon.00407340
{
00407340 /$ 53 PUSH EBX
00407341 |. 56 PUSH ESI
00407342 |. 57 PUSH EDI
00407343 |. 8BF9 MOV EDI,ECX
00407345 |. 8BF2 MOV ESI,EDX
00407347 |. 8BD8 MOV EBX,EAX
00407349 |. 8BCF MOV ECX,EDI
0040734B |. 8BD6 MOV EDX,ESI
0040734D |. 8BC3 MOV EAX,EBX
0040734F |. E8 20710000 CALL Pokemon.0040E474 ; 打开文件保存文件句柄等操作
00407354 |. 84C0 TEST AL,AL
00407356 |. 75 04 JNZ SHORT Pokemon.0040735C
00407358 |. 33C0 XOR EAX,EAX
0040735A |. EB 31 JMP SHORT Pokemon.0040738D
0040735C |> 33D2 XOR EDX,EDX
0040735E |. 8BC3 MOV EAX,EBX
00407360 |. E8 67000000 CALL Pokemon.004073CC
CALL Pokemon.004073CC (注: 下面这一段其实是把 00407340 又完整贴了一遍, 004073CC 本身的列表在后面 "CALL Pokemon.004073CC ; 数据操作" 处)
{
; 00407340: open the archive file and parse its header (called from 00403722).
; Register calling convention as elsewhere in this listing: args in EAX, EDX, ECX.
; In:  EAX = archive object, EDX = name/path, ECX = open flags (values not visible here)
; Out: AL = 1 on success; 0 if 0040E474 (open) or 004073CC (locate + read header) fails.
;      On a parse failure message id 78h is fetched via 00402A00 and formatted together with
;      the string at [EBX+17] via 00403604 (004073CC uses the same pattern with id 7Ch),
;      then 0040E5A0 is called — presumably closing the file (TODO confirm).
00407340 /$ 53 PUSH EBX
00407341 |. 56 PUSH ESI
00407342 |. 57 PUSH EDI
00407343 |. 8BF9 MOV EDI,ECX                    ; EDI = ECX argument
00407345 |. 8BF2 MOV ESI,EDX                    ; ESI = EDX argument
00407347 |. 8BD8 MOV EBX,EAX                    ; EBX = archive object
00407349 |. 8BCF MOV ECX,EDI                    ; pass all three arguments through unchanged
0040734B |. 8BD6 MOV EDX,ESI
0040734D |. 8BC3 MOV EAX,EBX
0040734F |. E8 20710000 CALL Pokemon.0040E474 ; open the file and related setup
00407354 |. 84C0 TEST AL,AL
00407356 |. 75 04 JNZ SHORT Pokemon.0040735C
00407358 |. 33C0 XOR EAX,EAX                    ; open failed -> return 0
0040735A |. EB 31 JMP SHORT Pokemon.0040738D
0040735C |> 33D2 XOR EDX,EDX                    ; DL = 0: a header checksum mismatch in 004073CC is fatal (see 00407577)
0040735E |. 8BC3 MOV EAX,EBX
00407360 |. E8 67000000 CALL Pokemon.004073CC ; data handling: locate the archive and read its header
00407365 |. 84C0 TEST AL,AL
00407367 |. 75 22 JNZ SHORT Pokemon.0040738B
00407369 |. B8 78000000 MOV EAX,78             ; parse failed: message id 78h
0040736E |. E8 8DB6FFFF CALL Pokemon.00402A00
00407373 |. 50 PUSH EAX
00407374 |. 8D53 17 LEA EDX,DWORD PTR DS:[EBX+17] ; [EBX+17]: string kept in the object (also used at 00407566)
00407377 |. 52 PUSH EDX
00407378 |. E8 87C2FFFF CALL Pokemon.00403604
0040737D |. 83C4 08 ADD ESP,8                   ; caller pops the two pushed arguments
00407380 |. 8BC3 MOV EAX,EBX
00407382 |. E8 19720000 CALL Pokemon.0040E5A0 ; presumably closes the file — TODO confirm
00407387 |. 33C0 XOR EAX,EAX                    ; return 0
00407389 |. EB 02 JMP SHORT Pokemon.0040738D
0040738B |> B0 01 MOV AL,1                      ; success
0040738D |> 5F POP EDI
0040738E |. 5E POP ESI
0040738F |. 5B POP EBX
00407390 \. C3 RETN
CALL Pokemon.004073CC ; 数据操作
{
; 004073CC: locate the archive inside the open file and read/validate its main header.
; In:  EAX = archive object (kept in EBX); DL = flag saved at [ESP+0] and tested at 00407577:
;      non-zero = tolerate a header checksum mismatch instead of failing.
; Out: AL = 1 on success, 0 on failure (short read, marker not found, checksum mismatch
;      with DL = 0, or version byte [EBX+3EA8] > 24h).
;      Side effects on the object: [EBX+65CC] = file offset of the "Rar!" marker;
;      [EBX+65C1..65C8] = one byte per bit of the header flags word at [EBX+3E9C];
;      [EBX+65B0..65BC] = saved 64-bit file positions.
; Stack: 30h bytes of locals. [ESP+14] = search buffer pointer from 00407758, [ESP+18]
;      presumably its size (80000h requested); [ESP+20] = local set up by 0040F9F4.
; Byte constants compared below: 52h 'R' (first byte of "Rar!"); 52h 53h 46h 58h = "RSFX"
;      at file offset 1Ch, which lies in the DOS header's e_res field.
; The flag bit layout (01/02/04/08/40/80) is consistent with RAR main-header flags
;      (volume/comment/lock/solid/protect/password) — TODO confirm against the format spec.
004073CC /$ 53 PUSH EBX
004073CD |. 56 PUSH ESI
004073CE |. 57 PUSH EDI
004073CF |. 55 PUSH EBP
004073D0 |. 83C4 D0 ADD ESP,-30                 ; 30h bytes of locals
004073D3 |. 8BD8 MOV EBX,EAX                    ; EBX = archive object
004073D5 |. 8BC3 MOV EAX,EBX
004073D7 |. B9 07000000 MOV ECX,7               ; ECX = byte count: the 7-byte block marker
004073DC |. 881424 MOV BYTE PTR SS:[ESP],DL     ; [ESP] = caller's "tolerate bad checksum" flag (tested at 00407577)
004073DF |. 8DB3 343E0000 LEA ESI,DWORD PTR DS:[EBX+3E34] ; ESI = 7-byte header buffer inside the object
004073E5 |. C683 C8650000>MOV BYTE PTR DS:[EBX+65C8],0 ; clear flag byte (re-derived from bit 80h of [EBX+3E9C] at 00407603)
004073EC |. 8BD6 MOV EDX,ESI
004073EE |. E8 91730000 CALL Pokemon.0040E784 ; read 7 bytes of the file header into BUF+3e34
004073F3 |. 83F8 07 CMP EAX,7                   ; short read -> fail
004073F6 |. 74 07 JE SHORT Pokemon.004073FF
004073F8 |. 33C0 XOR EAX,EAX
004073FA |. E9 50030000 JMP Pokemon.0040774F    ; return 0
004073FF |> 33D2 XOR EDX,EDX
00407401 |. 8993 CC650000 MOV DWORD PTR DS:[EBX+65CC],EDX ; marker offset := 0 (not found yet; tested at 0040750F)
00407407 |. 8BD6 MOV EDX,ESI
00407409 |. 8BC3 MOV EAX,EBX
0040740B |. E8 84FFFFFF CALL Pokemon.00407394 ; compare the bytes just read with the marker (same routine as the "Rar!" test at 00407480)
00407410 |. 84C0 TEST AL,AL
00407412 |. 74 1F JE SHORT Pokemon.00407433     ; no marker at the start -> scan the file
00407414 |. 80BB C0650000>CMP BYTE PTR DS:[EBX+65C0],0 ; [EBX+65C0]: caller-set flag, meaning not visible here
0040741B |. 0F84 1C010000 JE Pokemon.0040753D
00407421 |. 6A 00 PUSH 0                        ; 64-bit offset 0
00407423 |. 6A 00 PUSH 0
00407425 |. 33D2 XOR EDX,EDX
00407427 |. 8BC3 MOV EAX,EBX
00407429 |. E8 BA740000 CALL Pokemon.0040E8E8   ; seek to offset 0 (same callee as 004074E4)
0040742E |. E9 0A010000 JMP Pokemon.0040753D
00407433 |> 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14] ; &buffer descriptor ([ESP+14] = ptr, [ESP+18] presumably size)
00407437 |. BA 00000800 MOV EDX,80000           ; 512 KiB search window
0040743C |. E8 17030000 CALL Pokemon.00407758 ; allocate a buffer of the given size
00407441 |. 8BC3 MOV EAX,EBX
00407443 |. E8 58750000 CALL Pokemon.0040E9A0 ; file pointer (analyst: "set file pointer"; 004078E9 stores its result as the current position) -> EDI = file offset of the window start
00407448 |. 8BF8 MOV EDI,EAX
0040744A |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
0040744E |. 83C1 F0 ADD ECX,-10                 ; read size = buffer size - 10h (head-room for the look-ahead compares)
00407451 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
00407455 |. 8BC3 MOV EAX,EBX
00407457 |. E8 28730000 CALL Pokemon.0040E784 ; read file
0040745C |. 8BE8 MOV EBP,EAX                    ; EBP = bytes read
0040745E |. 33F6 XOR ESI,ESI                    ; ESI = scan index into the window
00407460 |. 3BEE CMP EBP,ESI
00407462 |. 0F8E A7000000 JLE Pokemon.0040750F  ; nothing read -> "not found" path
00407468 |> 8B4424 14 /MOV EAX,DWORD PTR SS:[ESP+14]
0040746C |. 33D2 |XOR EDX,EDX
0040746E |. 8A1430 |MOV DL,BYTE PTR DS:[EAX+ESI]
00407471 |. 83FA 52 |CMP EDX,52 ; 52h = 'R': cheap first-byte filter before the full marker compare
00407474 |. 0F85 8C000000 |JNZ Pokemon.00407506
0040747A |. 8BD0 |MOV EDX,EAX
0040747C |. 8BC3 |MOV EAX,EBX
0040747E |. 03D6 |ADD EDX,ESI
00407480 |. E8 0FFFFFFF |CALL Pokemon.00407394 ; is window+ESI the "Rar!" marker (locating the start of the archive data)
00407485 |. 84C0 |TEST AL,AL
00407487 |. 74 7D |JE SHORT Pokemon.00407506
00407489 |. 80BB C0650000>|CMP BYTE PTR DS:[EBX+65C0],0 ; extra "RSFX" check only when [65C0] set, ESI > 0, EDI < 1Ch, EBP > 1Fh
00407490 |. 74 3F |JE SHORT Pokemon.004074D1
00407492 |. 85F6 |TEST ESI,ESI
00407494 |. 7E 3B |JLE SHORT Pokemon.004074D1
00407496 |. 83FF 1C |CMP EDI,1C
00407499 |. 7D 36 |JGE SHORT Pokemon.004074D1
0040749B |. 83FD 1F |CMP EBP,1F
0040749E |. 7E 31 |JLE SHORT Pokemon.004074D1
004074A0 |. B8 1C000000 |MOV EAX,1C             ; EAX = window + (1Ch - EDI) = file offset 1Ch (DOS header e_res)
004074A5 |. 2BC7 |SUB EAX,EDI
004074A7 |. 034424 14 |ADD EAX,DWORD PTR SS:[ESP+14]
004074AB |. 33D2 |XOR EDX,EDX
004074AD |. 8A10 |MOV DL,BYTE PTR DS:[EAX]
004074AF |. 83FA 52 |CMP EDX,52                 ; 'R'
004074B2 |. 75 52 |JNZ SHORT Pokemon.00407506
004074B4 |. 33C9 |XOR ECX,ECX
004074B6 |. 8A48 01 |MOV CL,BYTE PTR DS:[EAX+1]
004074B9 |. 83F9 53 |CMP ECX,53                 ; 'S'
004074BC |. 75 48 |JNZ SHORT Pokemon.00407506
004074BE |. 33D2 |XOR EDX,EDX
004074C0 |. 8A50 02 |MOV DL,BYTE PTR DS:[EAX+2]
004074C3 |. 83FA 46 |CMP EDX,46                 ; 'F'
004074C6 |. 75 3E |JNZ SHORT Pokemon.00407506
004074C8 |. 0FB640 03 |MOVZX EAX,BYTE PTR DS:[EAX+3]
004074CC |. 83F8 58 |CMP EAX,58                 ; 'X' -> the four bytes spell "RSFX"
004074CF |. 75 35 |JNZ SHORT Pokemon.00407506
004074D1 |> 8D0C3E |LEA ECX,DWORD PTR DS:[ESI+EDI] ; ECX = file offset of the marker = window offset + index
004074D4 |. 33D2 |XOR EDX,EDX
004074D6 |. 898B CC650000 |MOV DWORD PTR DS:[EBX+65CC],ECX ; file offset of Rar! (in this sample the archive data was found at PE offset 18607)
004074DC |. 52 |PUSH EDX                        ; high dword = 0
004074DD |. 8BC1 |MOV EAX,ECX
004074DF |. 33D2 |XOR EDX,EDX
004074E1 |. 50 |PUSH EAX                        ; low dword = marker offset
004074E2 |. 8BC3 |MOV EAX,EBX
004074E4 |. E8 FF730000 |CALL Pokemon.0040E8E8 ; re-seek the file pointer to the marker
004074E9 |. 80BB C0650000>|CMP BYTE PTR DS:[EBX+65C0],0
004074F0 |. 75 1D |JNZ SHORT Pokemon.0040750F
004074F2 |. 8D93 343E0000 |LEA EDX,DWORD PTR DS:[EBX+3E34]
004074F8 |. B9 07000000 |MOV ECX,7
004074FD |. 8BC3 |MOV EAX,EBX
004074FF |. E8 80720000 |CALL Pokemon.0040E784 ; re-read the 7 marker bytes from the found position into buf+3e34
00407504 |. EB 09 |JMP SHORT Pokemon.0040750F
00407506 |> 46 |INC ESI
00407507 |. 3BEE |CMP EBP,ESI
00407509 |.^ 0F8F 59FFFFFF \JG Pokemon.00407468 ; next byte; only this first window is ever scanned
0040750F |> 83BB CC650000>CMP DWORD PTR DS:[EBX+65CC],0 ; offset of Rar! in the on-disk file; 0 = not found
00407516 |. /75 17 JNZ SHORT Pokemon.0040752F
00407518 |. |33C0 XOR EAX,EAX
0040751A |. |50 PUSH EAX
0040751B |. |8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18] ; = &[ESP+14] before the PUSH above
0040751F |. |BA 02000000 MOV EDX,2
00407524 |. |E8 5F020000 CALL Pokemon.00407788 ; free
00407529 |. |58 POP EAX                         ; EAX = 0: return failure
0040752A |. |E9 20020000 JMP Pokemon.0040774F
0040752F |> \8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00407533 |. BA 02000000 MOV EDX,2
00407538 |. E8 4B020000 CALL Pokemon.00407788   ; free the search buffer
0040753D |> 8BC3 MOV EAX,EBX
0040753F |. E8 90030000 CALL Pokemon.004078D4 ; read the next block header from the file (fills [EBX+3E88..] and the positions at [EBX+65B0..])
00407544 |. 8BC3 MOV EAX,EBX
00407546 |. E8 65020000 CALL Pokemon.004077B0 ; set the file pointer (presumably to the end of the block just read — TODO confirm)
0040754B |. 66:8B93 D2650>MOV DX,WORD PTR DS:[EBX+65D2] ; checksum computed while reading the header
00407552 |. 66:3B93 943E0>CMP DX,WORD PTR DS:[EBX+3E94] ; vs. the 16-bit checksum stored in the header: integrity check
00407559 |. 74 29 JE SHORT Pokemon.00407584
0040755B |. B8 7C000000 MOV EAX,7C             ; mismatch: message id 7Ch, formatted with the string at [EBX+17] (same pattern as 00407369)
00407560 |. E8 9BB4FFFF CALL Pokemon.00402A00
00407565 |. 50 PUSH EAX
00407566 |. 8D53 17 LEA EDX,DWORD PTR DS:[EBX+17]
00407569 |. 52 PUSH EDX
0040756A |. E8 95C0FFFF CALL Pokemon.00403604
0040756F |. 83C4 08 ADD ESP,8
00407572 |. E8 EDC0FFFF CALL Pokemon.00403664
00407577 |. 803C24 00 CMP BYTE PTR SS:[ESP],0   ; caller's DL flag: non-zero = continue despite the bad checksum
0040757B |. 75 07 JNZ SHORT Pokemon.00407584
0040757D |. 33C0 XOR EAX,EAX                    ; otherwise fail
0040757F |. E9 CB010000 JMP Pokemon.0040774F
00407584 |> F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],1 ; unpack the header flags word at [EBX+3E9C], one byte per bit
0040758B |. 0F95C2 SETNE DL
0040758E |. 83E2 01 AND EDX,1
00407591 |. 8893 C2650000 MOV BYTE PTR DS:[EBX+65C2],DL ; bit 01h -> [65C2]
00407597 |. F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],8
0040759E |. 0F95C1 SETNE CL
004075A1 |. 83E1 01 AND ECX,1
004075A4 |. 888B C1650000 MOV BYTE PTR DS:[EBX+65C1],CL ; bit 08h -> [65C1]
004075AA |. F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],2
004075B1 |. 0F95C0 SETNE AL
004075B4 |. 83E0 01 AND EAX,1
004075B7 |. 8883 C3650000 MOV BYTE PTR DS:[EBX+65C3],AL ; bit 02h -> [65C3] (also set by a "CMT" sub-block at 004076A4)
004075BD |. F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],4
004075C4 |. 0F95C2 SETNE DL
004075C7 |. 83E2 01 AND EDX,1
004075CA |. 8893 C4650000 MOV BYTE PTR DS:[EBX+65C4],DL ; bit 04h -> [65C4]
004075D0 |. 83BB A43E0000>CMP DWORD PTR DS:[EBX+3EA4],0
004075D7 |. 0F95C1 SETNE CL
004075DA |. 83E1 01 AND ECX,1
004075DD |. 888B C5650000 MOV BYTE PTR DS:[EBX+65C5],CL ; dword [3EA4] != 0 -> [65C5]
004075E3 |. F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],40
004075EA |. 0F95C0 SETNE AL
004075ED |. 83E0 01 AND EAX,1
004075F0 |. 8883 C7650000 MOV BYTE PTR DS:[EBX+65C7],AL ; bit 40h -> [65C7]
004075F6 |. F683 9C3E0000>TEST BYTE PTR DS:[EBX+3E9C],80
004075FD |. 0F95C2 SETNE DL
00407600 |. 83E2 01 AND EDX,1
00407603 |. 8893 C8650000 MOV BYTE PTR DS:[EBX+65C8],DL ; bit 80h -> [65C8] (selects the branches at 00407631 and 00407905)
00407609 |. 80BB A83E0000>CMP BYTE PTR DS:[EBX+3EA8],24 ; version byte (read at 00407C01 only when bit 2 of [3E9D] is set) > 24h (36) -> unsupported
00407610 |. 76 16 JBE SHORT Pokemon.00407628
00407612 |. B8 D4A44100 MOV EAX,Pokemon.0041A4D4 ; record error state 1 in the global at 0041A4D4 (the object 0040F131 initializes)
00407617 |. BA 01000000 MOV EDX,1
0040761C |. E8 63530000 CALL Pokemon.0040C984
00407621 |. 33C0 XOR EAX,EAX                    ; fail
00407623 |. E9 27010000 JMP Pokemon.0040774F
00407628 |> 80BB 843E0000>CMP BYTE PTR DS:[EBX+3E84],0
0040762F |. 74 0D JE SHORT Pokemon.0040763E
00407631 |. 80BB C8650000>CMP BYTE PTR DS:[EBX+65C8],0
00407638 |. 0F85 0F010000 JNZ Pokemon.0040774D  ; [3E84] and the bit-80h flag both set -> success without walking the following blocks
0040763E |> 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00407642 |. 8BD3 MOV EDX,EBX
00407644 |. E8 AB830000 CALL Pokemon.0040F9F4   ; set up a local at [ESP+20] from the object (released at 00407748)
00407649 |. 8B8B B0650000 MOV ECX,DWORD PTR DS:[EBX+65B0] ; save the current 64-bit positions [65B0..65BC] into [ESP+4..10]
0040764F |. 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
00407653 |. 8B8B B4650000 MOV ECX,DWORD PTR DS:[EBX+65B4]
00407659 |. 894C24 08 MOV DWORD PTR SS:[ESP+8],ECX
0040765D |. 8B83 B8650000 MOV EAX,DWORD PTR DS:[EBX+65B8]
00407663 |. 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
00407667 |. 8B83 BC650000 MOV EAX,DWORD PTR DS:[EBX+65BC]
0040766D |. 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00407671 |. C683 C6650000>MOV BYTE PTR DS:[EBX+65C6],0
00407678 |. E9 8B000000 JMP Pokemon.00407708    ; enter the block loop at its read step
0040767D |> 8B83 803E0000 /MOV EAX,DWORD PTR DS:[EBX+3E80] ; loop: EAX = type byte of the block just read
00407683 |. 83F8 7A |CMP EAX,7A                 ; 7Ah: sub-block
00407686 |. 75 47 |JNZ SHORT Pokemon.004076CF
00407688 |. BA 1C464100 |MOV EDX,Pokemon.0041461C ; ASCII "CMT"
0040768D |. 8D83 084C0000 |LEA EAX,DWORD PTR DS:[EBX+4C08] ; name stored in the block vs "CMT"
00407693 |. E8 E4810000 |CALL Pokemon.0040F87C   ; string compare; 0 = equal (see SETE below)
00407698 |. 85C0 |TEST EAX,EAX
0040769A |. 0F94C2 |SETE DL
0040769D |. 83E2 01 |AND EDX,1
004076A0 |. 84D2 |TEST DL,DL
004076A2 |. 74 07 |JE SHORT Pokemon.004076AB
004076A4 |. C683 C3650000>|MOV BYTE PTR DS:[EBX+65C3],1 ; comment sub-block present -> same flag as header bit 02h
004076AB |> F683 E04B0000>|TEST BYTE PTR DS:[EBX+4BE0],1
004076B2 |. 75 12 |JNZ SHORT Pokemon.004076C6
004076B4 |. 80BB C2650000>|CMP BYTE PTR DS:[EBX+65C2],0
004076BB |. 74 44 |JE SHORT Pokemon.00407701
004076BD |. F683 9D3E0000>|TEST BYTE PTR DS:[EBX+3E9D],1
004076C4 |. 75 3B |JNZ SHORT Pokemon.00407701
004076C6 |> C683 C6650000>|MOV BYTE PTR DS:[EBX+65C6],1
004076CD |. EB 32 |JMP SHORT Pokemon.00407701
004076CF |> 83F8 74 |CMP EAX,74                 ; 74h: file block
004076D2 |. 75 43 |JNZ SHORT Pokemon.00407717   ; any other type ends the loop
004076D4 |. F683 B43E0000>|TEST BYTE PTR DS:[EBX+3EB4],1
004076DB |. 75 1B |JNZ SHORT Pokemon.004076F8
004076DD |. 80BB C2650000>|CMP BYTE PTR DS:[EBX+65C2],0
004076E4 |. 74 31 |JE SHORT Pokemon.00407717
004076E6 |. 80BB CC3E0000>|CMP BYTE PTR DS:[EBX+3ECC],1D
004076ED |. 72 28 |JB SHORT Pokemon.00407717
004076EF |. F683 9D3E0000>|TEST BYTE PTR DS:[EBX+3E9D],1
004076F6 |. 75 1F |JNZ SHORT Pokemon.00407717
004076F8 |> C683 C6650000>|MOV BYTE PTR DS:[EBX+65C6],1
004076FF |. EB 16 |JMP SHORT Pokemon.00407717
00407701 |> 8BC3 |MOV EAX,EBX
00407703 |. E8 A8000000 |CALL Pokemon.004077B0 ; set the file pointer (skip to the next block)
00407708 |> 8BC3 MOV EAX,EBX
0040770A |. E8 C5010000 |CALL Pokemon.004078D4  ; read the next block header; 0 = no more blocks
0040770F |. 85C0 |TEST EAX,EAX
00407711 |.^ 0F85 66FFFFFF \JNZ Pokemon.0040767D
00407717 |> 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4] ; restore the positions saved at 00407649..0040766D
0040771B |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
0040771F |. 8993 B0650000 MOV DWORD PTR DS:[EBX+65B0],EDX
00407725 |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
00407729 |. 8993 B4650000 MOV DWORD PTR DS:[EBX+65B4],EDX
0040772F |. BA 02000000 MOV EDX,2
00407734 |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00407738 |. 898B B8650000 MOV DWORD PTR DS:[EBX+65B8],ECX
0040773E |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00407742 |. 898B BC650000 MOV DWORD PTR DS:[EBX+65BC],ECX
00407748 |. E8 CB820000 CALL Pokemon.0040FA18   ; presumably releases the local at [ESP+20] (EDX=2, same convention as 00407788) — TODO confirm
0040774D |> B0 01 MOV AL,1                      ; success
0040774F |> 83C4 30 ADD ESP,30
00407752 |. 5D POP EBP
00407753 |. 5F POP EDI
00407754 |. 5E POP ESI
00407755 |. 5B POP EBX
00407756 \. C3 RETN
CALL Pokemon.004078D4 ; 从文件读数据
{
004078D4 /$ 53 PUSH EBX
004078D5 |. 56 PUSH ESI
004078D6 |. 57 PUSH EDI
004078D7 |. 55 PUSH EBP
004078D8 |. 81C4 04F0FFFF ADD ESP,-0FFC
004078DE |. 8BE8 MOV EBP,EAX
004078E0 |. 50 PUSH EAX
004078E1 |. 8BC5 MOV EAX,EBP
004078E3 |. 81C4 58FFFFFF ADD ESP,-0A8
004078E9 >|. E8 B2700000 CALL Pokemon.0040E9A0 ; 设置文件指针
004078EE |. 8985 B0650000 MOV DWORD PTR SS:[EBP+65B0],EAX ; +65b0为当前文件指针的偏移
004078F4 |. 8995 B4650000 MOV DWORD PTR SS:[EBP+65B4],EDX
004078FA |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
004078FE |. 8BD5 MOV EDX,EBP
00407900 |. E8 37780000 CALL Pokemon.0040F13C ; 设置新的BUF存储数据
00407905 |. 80BD C8650000>CMP BYTE PTR SS:[EBP+65C8],0
0040790C |. 74 1F JE SHORT Pokemon.0040792D
继续单步往下
004079E4 |> \8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
004079E8 |. BA 07000000 MOV EDX,7
004079ED |. E8 6E770000 CALL Pokemon.0040F160 ; 读7字节
004079F2 |. 837C24 44 00 CMP DWORD PTR SS:[ESP+44],0
继续往下
00407A7E |> \8D95 883E0000 LEA EDX,DWORD PTR SS:[EBP+3E88]
00407A84 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407A88 |. E8 73770000 CALL Pokemon.0040F200 ; 拷贝2字节到buf+3e88的地方(对原始数据进行了扩展)
00407A8D |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
00407A91 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407A95 |. E8 56770000 CALL Pokemon.0040F1F0 ; 拷贝一个字节
00407A9A |. 33D2 XOR EDX,EDX
00407A9C |. 8A5424 08 MOV DL,BYTE PTR SS:[ESP+8]
00407AA0 |. 8995 8C3E0000 MOV DWORD PTR SS:[EBP+3E8C],EDX
00407AA6 |. 8D95 903E0000 LEA EDX,DWORD PTR SS:[EBP+3E90]
00407AAC |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407AB0 |. E8 4B770000 CALL Pokemon.0040F200 ; 拷贝2字节
00407AB5 |. 8D95 923E0000 LEA EDX,DWORD PTR SS:[EBP+3E92]
00407ABB |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407ABF |. E8 3C770000 CALL Pokemon.0040F200 ; 拷贝2字节
00407AC4 |. 66:83BD 923E0>CMP WORD PTR SS:[EBP+3E92],7 ; 这段数据的实际长度
00407ACC |. 73 49 JNB SHORT Pokemon.00407B17
实际长度大于则继续读剩余的数据
JNB SHORT Pokemon.00407B17
00407B17 |> \83BD 8C3E0000>CMP DWORD PTR SS:[EBP+3E8C],75 ; 对原始数据的第3字节进行比较
00407B1E |. 75 10 JNZ SHORT Pokemon.00407B30
00407B20 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407B24 |. BA 06000000 MOV EDX,6
00407B29 |. E8 32760000 CALL Pokemon.0040F160
00407B2E |. EB 35 JMP SHORT Pokemon.00407B65
00407B30 |> 83BD 8C3E0000>CMP DWORD PTR SS:[EBP+3E8C],73
00407B37 |. 75 19 JNZ SHORT Pokemon.00407B52
00407B39 |. F685 903E0000>TEST BYTE PTR SS:[EBP+3E90],2
00407B40 |. 74 10 JE SHORT Pokemon.00407B52
00407B42 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407B46 |. BA 06000000 MOV EDX,6
00407B4B |. E8 10760000 CALL Pokemon.0040F160
00407B50 |. EB 13 JMP SHORT Pokemon.00407B65
00407B52 |> 0FB795 923E00>MOVZX EDX,WORD PTR SS:[EBP+3E92]
00407B59 |. 83C2 F9 ADD EDX,-7 ; 减去前面所读的7字节
00407B5C |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
该处的结构大概如下,结构比较大,列出几个常用的成员
struct
{
PBYTE byteBuf;        // 数据
DWORD dwDataLength;   // 数据长度
DWORD dwBufferLength; // 缓冲长度
HFILE *pHfile;
DWORD dwDataLen;      // 数据长度
DWORD dwExpandLen;    // 已经扩展的数据
}
00407B60 |. E8 FB750000 CALL Pokemon.0040F160 ; 继续读剩余的数据并更新结构
00407B65 |> 0FB785 923E00>MOVZX EAX,WORD PTR SS:[EBP+3E92]
00407B6C |. 99 CDQ
00407B6D |. 0385 B0650000 ADD EAX,DWORD PTR SS:[EBP+65B0] ; 记录当前指针
00407B73 |. 1395 B4650000 ADC EDX,DWORD PTR SS:[EBP+65B4]
00407B79 |. 8985 B8650000 MOV DWORD PTR SS:[EBP+65B8],EAX
00407B7F |. 8995 BC650000 MOV DWORD PTR SS:[EBP+65BC],EDX
00407B85 |. 8B8D 8C3E0000 MOV ECX,DWORD PTR SS:[EBP+3E8C]
CALL Pokemon.0040F160 ; 继续读剩余的数据并更新结构
F4到下面
{
0040F1CB |. /74 1B JE SHORT Pokemon.0040F1E8
0040F1CD |. |8BD6 MOV EDX,ESI ; 读出的数据少于原始文件指定的数据继续读剩余的
0040F1CF |. |8BC3 MOV EAX,EBX
0040F1D1 |. |E8 EA7CFFFF CALL Pokemon.00406EC0 ; 结构的数据更新
0040F1D6 |. |8B13 MOV EDX,DWORD PTR DS:[EBX]
0040F1D8 |. |0353 10 ADD EDX,DWORD PTR DS:[EBX+10] ; BUF往后移已经读取的字节数
0040F1DB |. |8BCE MOV ECX,ESI
0040F1DD |. |8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
0040F1E0 |. |E8 9FF5FFFF CALL Pokemon.0040E784 ; 读文件
0040F1E5 |. |0143 10 ADD DWORD PTR DS:[EBX+10],EAX
}
这个地方第一次只是对压缩块的查找, 并没有读压缩数据;
第二次才是正式读取压缩数据。
读完后需要重新构造存储数据的缓冲, 怎么构造是根据原始数据的第 3 字节(块类型)来决定的。
{
00407BA8 |> \8B85 883E0000 MOV EAX,DWORD PTR SS:[EBP+3E88] ; Case 73 ('s') of switch 00407B8B
00407BAE |. 8985 943E0000 MOV DWORD PTR SS:[EBP+3E94],EAX
00407BB4 |. 8B85 8C3E0000 MOV EAX,DWORD PTR SS:[EBP+3E8C]
00407BBA |. 8985 983E0000 MOV DWORD PTR SS:[EBP+3E98],EAX
00407BC0 |. 8B85 903E0000 MOV EAX,DWORD PTR SS:[EBP+3E90]
00407BC6 |. 8985 9C3E0000 MOV DWORD PTR SS:[EBP+3E9C],EAX
00407BCC |. 8D95 A03E0000 LEA EDX,DWORD PTR SS:[EBP+3EA0]
00407BD2 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407BD6 |. E8 25760000 CALL Pokemon.0040F200
00407BDB |. 8D95 A43E0000 LEA EDX,DWORD PTR SS:[EBP+3EA4]
00407BE1 |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407BE5 |. E8 3A760000 CALL Pokemon.0040F224
00407BEA |. F685 9D3E0000>TEST BYTE PTR SS:[EBP+3E9D],2
00407BF1 |. 0F84 52050000 JE Pokemon.00408149
00407BF7 |. 8D95 A83E0000 LEA EDX,DWORD PTR SS:[EBP+3EA8]
00407BFD |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407C01 |. E8 EA750000 CALL Pokemon.0040F1F0
00407C06 |. E9 3E050000 JMP Pokemon.00408149
00407C0B |> 8B95 883E0000 MOV EDX,DWORD PTR SS:[EBP+3E88] ; Case 7B ('{') of switch 00407B8B
00407C11 |. 8995 B04B0000 MOV DWORD PTR SS:[EBP+4BB0],EDX
00407C17 |. 8B95 8C3E0000 MOV EDX,DWORD PTR SS:[EBP+3E8C]
00407C1D |. 8995 B44B0000 MOV DWORD PTR SS:[EBP+4BB4],EDX
00407C23 |. 8B95 903E0000 MOV EDX,DWORD PTR SS:[EBP+3E90]
00407C29 |. 8995 B84B0000 MOV DWORD PTR SS:[EBP+4BB8],EDX
00407C2F |. F685 B84B0000>TEST BYTE PTR SS:[EBP+4BB8],2
00407C36 |. 74 0F JE SHORT Pokemon.00407C47
00407C38 |. 8D95 BC4B0000 LEA EDX,DWORD PTR SS:[EBP+4BBC]
00407C3E |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407C42 |. E8 DD750000 CALL Pokemon.0040F224
00407C47 |> F685 B84B0000>TEST BYTE PTR SS:[EBP+4BB8],8
00407C4E |. 0F84 F5040000 JE Pokemon.00408149
00407C54 |. 8D95 C04B0000 LEA EDX,DWORD PTR SS:[EBP+4BC0]
00407C5A |. 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00407C5E |. E8 9D750000 CALL Pokemon.0040F200
00407C63 |. E9 E1040000 JMP Pokemon.00408149
00407C68 |> 83BD 8C3E0000>CMP DWORD PTR SS:[EBP+3E8C],74 ; Cases 74 ('t'),7A ('z') of switch 00407B8B
00407C6F |. 75 08 JNZ SHORT Pokemon.00407C79
00407C71 |. 8DB5 AC3E0000 LEA ESI,DWORD PTR SS:[EBP+3EAC]
}
前面的 73、7B、74/7A 应该是 3 种不同的块类型。
73 类型的原始结构:
struct rar_73
{
WORD dataCheck;   // 数据校验值
BYTE byType;      // 类型
BYTE unByte[2];   // 标志位(00407AA6 处拷到 +3E90, 00407B39 处按位测试)
WORD bLength;     // 数据长度
}
struct rar74_7a
{
WORD dataCheck;
BYTE byType;
BYTE unByte[2];
WORD bLength;
DWORD dwOffsetFile;   // 下一个原始数据的偏移(也是原始压缩数据区域)
DWORD dwOffsetFile1;  // 解压缩后的长度
BYTE byUnknown[9];
BYTE bUnknownFlag;
BYTE bUnknownFlag1;
WORD charLength;      // 块名的长度
BYTE byUnknown1;
char chInfo[charLength];     // 压缩块名
BYTE byData[dwOffsetFile];   // 这其实就是压缩数据了
}
贴上字典生成的地方和解压缩的地方
00413567 |> \68 2B010000 PUSH 12B
0041356C |. 8D8E 604C0000 LEA ECX,DWORD PTR DS:[ESI+4C60]
00413572 |. 8BD7 MOV EDX,EDI
00413574 |. 8BC6 MOV EAX,ESI
00413576 |. E8 E5010000 CALL Pokemon.00413760 ; 生成字典解压缩用
解压缩的地方
0041214B . FF83 B0550000 INC DWORD PTR DS:[EBX+55B0]
00412151 . 8B8B 58570000 MOV ECX,DWORD PTR DS:[EBX+5758]
00412157 . 8D1411 LEA EDX,DWORD PTR DS:[ECX+EDX]
0041215A . 52 PUSH EDX
0041215B . 59 POP ECX
0041215C . 8801 MOV BYTE PTR DS:[ECX],AL ; 2
解压完后执行exe和打开jpg图片
00402670 |. 84C0 TEST AL,AL
00402672 |. 0F84 06010000 JE Pokemon.0040277E
00402678 |> 56 PUSH ESI
00402679 |. E8 AE150100 CALL <JMP.&SHELL32.ShellExecuteExA>
其释放过程:
创建对话框
设置释放路径
发消息模拟点击释放按钮
最后调用 ShellExecuteExA 执行释放出的 exe 并打开 jpg 图片
这个地方就是发消息模拟点击安装按钮、释放文件的地方(把这段 NOP 掉就可以看到对话框了)
0040148E 6A 00 PUSH 0 ; /lParam = 0
00401490 6A 01 PUSH 1 ; |wParam = 1
00401492 68 11010000 PUSH 111 ; |Message = WM_COMMAND
00401497 53 PUSH EBX ; |hWnd
00401498 E8 85280100 CALL <JMP.&USER32.SendMessageA> ; \SendMessageA
设置安装路径
00401DD6 |. E8 9E0B0000 |CALL Pokemon.00402979 ; 注册表的操作
00401DDB |. 6A 65 |PUSH 65 ; /ControlID = 65 (101.)
00401DDD |. FF7424 04 |PUSH DWORD PTR SS:[ESP+4] ; |hWnd
00401DE1 |. E8 AC1E0100 |CALL <JMP.&USER32.GetDlgItem> ; \GetDlgItem
00401DE6 |. 8BD8 |MOV EBX,EAX
00401DE8 |. 8D8424 04AD00>|LEA EAX,DWORD PTR SS:[ESP+AD04]
00401DEF |. 50 |PUSH EAX ; /Text
00401DF0 |. 53 |PUSH EBX ; |hWnd
00401DF1 |. E8 501F0100 |CALL <JMP.&USER32.SetWindowTextA> ; \SetWindowTextA
00401DF6 |. 68 78594100 |PUSH Pokemon.00415978 ; /lParam = 415978
00401DFB |. 6A 00 |PUSH 0 ; |wParam = 0
00401DFD |. 68 43010000 |PUSH 143 ; |Message = CB_ADDSTRING
00401E02 |. 53 |PUSH EBX ; |hWnd
00401E03 |. E8 1A1F0100 |CALL <JMP.&USER32.SendMessageA> ; \SendMessageA
临时目录下的 Pokemon.exe(调试器中模块名为 pokemonT,文件名为 pokemonTemp.exe)
先把反调试函数的入口改为 RETN,直接返回以跳过检测
00407023 C3 RETN ; 反调
00407024 90 NOP
00407025 |. 55 PUSH EBP
00407026 |. 8BEC MOV EBP,ESP
00407028 |. 81EC 28030000 SUB ESP,328
0040702E |. A1 C0E14100 MOV EAX,DWORD PTR DS:[41E1C0]
00407033 |. 33C5 XOR EAX,EBP
00407035 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00407038 |. 83A5 D8FCFFFF>AND DWORD PTR SS:[EBP-328],0
0040703F |. 53 PUSH EBX
00407040 |. 6A 4C PUSH 4C
00407042 |. 8D85 DCFCFFFF LEA EAX,DWORD PTR SS:[EBP-324]
00407048 |. 6A 00 PUSH 0
弹框……不清楚弹这个框的用途(从文本看只是提示建议在 32 位系统上运行)
00401114 |> \50 PUSH EAX ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401115 |. 68 101F4200 PUSH pokemonT.00421F10 ; |Title = "Information"
0040111A |. 68 081E4200 PUSH pokemonT.00421E08 ; |Text = "This application is recommended for systems 32bit!"
0040111F |. 53 PUSH EBX ; |hOwner
00401120 |. FF15 68914100 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
打开自身文件(临时目录下的 pokemonTemp.exe)
7C801A28 >/$ 8BFF MOV EDI,EDI
7C801A2A |. 55 PUSH EBP
7C801A2B |. 8BEC MOV EBP,ESP
7C801A2D |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801A30 |. E8 CFC60000 CALL kernel32.7C80E104
7C801A35 |. 85C0 TEST EAX,EAX
7C801A37 |. 74 1E JE SHORT kernel32.7C801A57
7C801A39 |. FF75 20 PUSH DWORD PTR SS:[EBP+20] ; /hTemplateFile
7C801A3C |. FF75 1C PUSH DWORD PTR SS:[EBP+1C] ; |Attributes
7C801A3F |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Mode
7C801A42 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |pSecurity
7C801A45 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |ShareMode
7C801A48 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Access
7C801A4B |. FF70 04 PUSH DWORD PTR DS:[EAX+4] ; |FileName = "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\pokemonTemp.exe"
7C801A4E |. E8 9DED0000 CALL kernel32.CreateFileW ; \CreateFileW
把PE文件读取到内存
{
00401470 |. 56 PUSH ESI
00401471 |. 57 PUSH EDI
00401472 |. 6A 01 PUSH 1
00401474 |. 53 PUSH EBX
00401475 |. E8 FD530000 CALL pokemonT.00406877
把未读完的数据拷贝到缓冲区
0040A9CA . 8A06 MOV AL,BYTE PTR DS:[ESI]
0040A9CC . 8807 MOV BYTE PTR DS:[EDI],AL
0040A9CE . 8A46 01 MOV AL,BYTE PTR DS:[ESI+1]
0040A9D1 . 8847 01 MOV BYTE PTR DS:[EDI+1],AL
0040A9D4 . 8A46 02 MOV AL,BYTE PTR DS:[ESI+2]
0040A9D7 . C1E9 02 SHR ECX,2
0040A9DA . 8847 02 MOV BYTE PTR DS:[EDI+2],AL
0040A9DD . 83C6 03 ADD ESI,3
0040A9E0 . 83C7 03 ADD EDI,3
0040A9E3 . 83F9 08 CMP ECX,8
0040A9E6 .^ 72 CC JB SHORT pokemonT.0040A9B4
0040A9E8 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; 拷贝
}
原始数据标记名
0040147A |. 56 PUSH ESI
0040147B |. E8 8B540000 CALL pokemonT.0040690B
00401480 |. 83C4 14 ADD ESP,14
00401483 |. BE C81C4200 MOV ESI,pokemonT.00421CC8 ; ASCII "00Frxqw00"
00401488 |. E8 73FBFFFF CALL pokemonT.00401000
0040148D |. BE D41C4200 MOV ESI,pokemonT.00421CD4 ; ASCII "00CFrxqw00"
00401492 |. E8 69FBFFFF CALL pokemonT.00401000
00401497 |. 8B0D 18304200 MOV ECX,DWORD PTR DS:[423018]
0040149D |. 51 PUSH ECX
0040149E |. 56 PUSH ESI
0040149F |. B8 C81C4200 MOV EAX,pokemonT.00421CC8 ; ASCII "00Frxqw00"
004014A4 |. E8 97040000 CALL pokemonT.00401940
解密后的标记名
00401480 |. 83C4 14 ADD ESP,14
00401483 |. BE C81C4200 MOV ESI,pokemonT.00421CC8 ; ASCII "--Count--"
00401488 |. E8 73FBFFFF CALL pokemonT.00401000
0040148D |. BE D41C4200 MOV ESI,pokemonT.00421CD4 ; ASCII "--@Count--"
00401492 |. E8 69FBFFFF CALL pokemonT.00401000
00401497 |. 8B0D 18304200 MOV ECX,DWORD PTR DS:[423018]
0040149D |. 51 PUSH ECX
0040149E |. 56 PUSH ESI
0040149F |. B8 C81C4200 MOV EAX,pokemonT.00421CC8 ; ASCII "--Count--"
004014A4 |. E8 97040000 CALL pokemonT.00401940
在PE文件中匹配--Count--
004014A4 |. E8 97040000 CALL pokemonT.00401940
004014A9 |. 8B15 18304200 MOV EDX,DWORD PTR DS:[423018]
004014AF |. 52 PUSH EDX
在PE文件中匹配 --1-- 与 --@1--(这两个标记之间的数据就是加密的PE文件)
004015D5 |. 50 |PUSH EAX
004015D6 |. A1 18304200 |MOV EAX,DWORD PTR DS:[423018]
004015DB |. 51 |PUSH ECX
004015DC |. E8 5F030000 |CALL pokemonT.00401940
004015E1 |. 8B15 0C304200 |MOV EDX,DWORD PTR DS:[42300C]
004015E7 |. 68 08B64100 |PUSH pokemonT.0041B608 ; ASCII "wb"
004015EC |. 52 |PUSH EDX
004015ED |. A3 00304200 |MOV DWORD PTR DS:[423000],EAX
004015F2 |. E8 E94B0000 |CALL pokemonT.004061E0 ; 创建C:\\Program Files\\Toyo\\masmyk\\fribi.estrol"
004015F7 |. 8B0D 10304200 |MOV ECX,DWORD PTR DS:[423010]
004015FD |. 8BF0 |MOV ESI,EAX
004015FF |. A1 00304200 |MOV EAX,DWORD PTR DS:[423000]
00401604 |. 56 |PUSH ESI
00401605 |. 50 |PUSH EAX
00401606 |. 6A 01 |PUSH 1
00401608 |. 51 |PUSH ECX
00401609 |. E8 79550000 |CALL pokemonT.00406B87 ; 往文件写数据(--1-- 与--@1--之间的数据)
amfertoleu.exe的释放
{
00401A85 |> /8AC8 /MOV CL,AL
00401A87 |. |8D85 D8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-128]
00401A8D |. |80C1 0B |ADD CL,0B +0b....
00401A90 |. |50 |PUSH EAX
00401A91 |. |E8 EA380000 |CALL pokemonT.00405380
00401A96 |. |8D8D 60FFFFFF |LEA ECX,DWORD PTR SS:[EBP-A0]
00401A9C |. |51 |PUSH ECX
00401A9D |. |E8 EE000000 |CALL pokemonT.00401B90
00401AA2 |. |8B95 60FFFFFF |MOV EDX,DWORD PTR SS:[EBP-A0] ; pokemonT.0041B658
00401AA8 |. |8B4A 04 |MOV ECX,DWORD PTR DS:[EDX+4]
00401AAB |. |F6840D 68FFFF>|TEST BYTE PTR SS:[EBP+ECX-98],6
00401AB3 |.^\74 D0 \JE SHORT pokemonT.00401A85
CALL pokemonT.00405380
{
这段数据最终会写入amfertoleu.exe文件
004053F0 . FF08 DEC DWORD PTR DS:[EAX]
004053F2 . 8B49 24 MOV ECX,DWORD PTR DS:[ECX+24]
004053F5 . 8B01 MOV EAX,DWORD PTR DS:[ECX]
004053F7 . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
004053FA . 8911 MOV DWORD PTR DS:[ECX],EDX
004053FC . 8818 MOV BYTE PTR DS:[EAX],BL ; 写入
004053FE . 0FB6C3 MOVZX EAX,BL
}
CALL pokemonT.00401B90
{
00401BE0 > \C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00401BE4 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
00401BE6 . 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
00401BE9 . 8B4C32 28 MOV ECX,DWORD PTR DS:[EDX+ESI+28]
00401BED . 8B41 20 MOV EAX,DWORD PTR DS:[ECX+20]
00401BF0 . 3918 CMP DWORD PTR DS:[EAX],EBX
00401BF2 . 74 1A JE SHORT pokemonT.00401C0E
00401BF4 . 8B51 30 MOV EDX,DWORD PTR DS:[ECX+30]
00401BF7 . 391A CMP DWORD PTR DS:[EDX],EBX
00401BF9 . 7E 13 JLE SHORT pokemonT.00401C0E
00401BFB . 8BC2 MOV EAX,EDX
00401BFD . FF08 DEC DWORD PTR DS:[EAX]
00401BFF . 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20]
00401C02 . 8B01 MOV EAX,DWORD PTR DS:[ECX]
00401C04 . 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
00401C07 . 8911 MOV DWORD PTR DS:[ECX],EDX
00401C09 . 0FB638 MOVZX EDI,BYTE PTR DS:[EAX] ; 原始数据
}
}
释放完后 amfertoleu.exe 会把自身复制到 fribi.estrol;
最后通过 ShellExecuteA 执行 amfertoleu.exe
004016F4 |. 57 |PUSH EDI
004016F5 |. 51 |PUSH ECX
004016F6 |> 53 |PUSH EBX ; |hWnd
004016F7 |. FF15 50914100 |CALL DWORD PTR DS:[<&SHELL32.ShellExecu>; \ShellExecuteA