JGL's UnpackMe v2 外壳分析
【目 标】:JGL's UnpackMe 2
【工 具】:Olydbg1.1(diy版)、LORDPE、ImportREC1.6F IDA4.7
【任 务】:分析外壳
【操作平台】:Windows 2003 server
【作 者】: LOVEBOOM[DFCG][FCG][US]
【相关链接】: 看雪论坛
【简要说明】: 近日心神不定,昨夜恶梦连连,今晨头仍晕晕。随便分析下外壳让脑袋醒醒。
【详细过程】:
一般外壳分析的文章,我就不多讲什么几个F7之类的,如果你没有那么多时间或兴趣,就休
息下看别的东西。
我也是边脱边写,所以呢,当中可能会有很多自己水平不足造成的错误。如你发现欢迎指正:-)。
od载入:
005D90C5 > E8 02000000 CALL 005D90CC ; EP
005D90CA 98 CWDE
005D90CB 4C DEC ESP
......
经过两次解压后执行部分代码:
sag008:005D96C5 ; ------------------------------------------------------------------
----------
seg008:005D96C5 push ebp
seg008:005D96C6 mov eax , 0FFBFFFFFh
seg008:005D96CB mov ecx , 400h
seg008:005D96D0 xor eax , 0FFFFFFFFh ; 计算
出ImageBase,和很多外壳有点不同的方式:-)
seg008:005D96D5 or edx , 0FFFFFFFFh
seg008:005D96D8
seg008:005D96D8 loc_5D96D8: ; CODE XREF:
seg008:005D96DEj
seg008:005D96D8 xor dl , [eax +ecx -1] ; 计算PeHeader
的值:1C780A22,这个值是关键Key来的
seg008:005D96DC rol edx , cl
seg008:005D96DE loop loc_5D96D8 ; 计算PeHeader
的值:1C780A22,这个值是关键Key来的
seg008:005D96E0 push edx
seg008:005D96E1 call GETAPIADDR
这里面执行 SetUnhandledExceptionFilter之前先patch一下,然后记下传入地
址pTopLevelFilter = JGL's_Un.005D9BA1
否则后面的INT 3无法通过的。
seg008:005D96E6 push edx ; Push szKey
seg008:005D96E7 push 0
seg008:005D96E9 call DeCode ; 这里进去处理
部分NT函数和解压代码
解压后:
seg008:005D96EE cld
seg008:005D96EF mov ebp , offset off_5D9028 ; CODE XREF:
seg008:005D9753j
seg008:005D96F4 push 4 ; Protect = PAGE_READWRITE
seg008:005D96F6 push 3000h ; AllocationType =
MEM_COMMIT|MEM_RESERVE
seg008:005D96FB push 4000h ; Size = 4000 (16384.)
seg008:005D9700 push ecx ; Address = NULL
seg008:005D9701 mov edx , [ebp +4]
seg008:005D9704 cmp byte ptr [edx ], 0CCh ; 一个比较有新意的判断有
seg008:005D9704 ; 没有在相关api下CC断的方法
seg008:005D9707 setz cl
seg008:005D970A add edx , ecx ; CODE XREF:
seg008:005D974Fj
seg008:005D970A ; 如果下了CC断cl为1则跳去over
了
seg008:005D970C call edx ; VirtualAlloc申请空间
seg008:005D970E lea edx , [ebp +4088h] ; 5DD0B0
seg008:005D9714 push eax
seg008:005D9715 push edx
seg008:005D9716 push eax
seg008:005D9717 call $+5
seg008:005D971C add dword ptr [esp ], 8
seg008:005D9720 retn
seg008:005D9720 ; ------------------------------------------------------------------
----------
seg008:005D9721 db 0B8h ; ?
seg008:005D9722 ; ------------------------------------------------------------------
----------
seg008:005D9722 jmp short loc_5D9726
seg008:005D9722 ; ------------------------------------------------------------------
----------
seg008:005D9724 db 0CCh ; ? ; 如果没有Patch会在这个Int3处
无法绕过,
seg008:005D9725 db 0CCh ; ?
seg008:005D9726 ; ------------------------------------------------------------------
----------
如果前面patch了,直接在5D9BA1处下断。
seg008:005D9BA1 ; ------------------------------------------------------------------
----------
seg008:005D9BA1 mov edx , [esp +4]
seg008:005D9BA5 mov edx , [edx +4]
seg008:005D9BA8 mov eax , [edx +0B8h] ; 获取异常地址
seg008:005D9BAE call $+5
seg008:005D9BB3 pop ecx
seg008:005D9BB4 and cx , 0F000h
seg008:005D9BB9 add ecx , 66h
seg008:005D9BBF mov [ecx ], eax ; 保存异常地址
seg008:005D9BC1 inc eax
seg008:005D9BC2 inc eax
seg008:005D9BC3 mov [edx +0B8h], eax ; 异常地址处有两
个int 3,改为异常地址+2。
seg008:005D9BC9 call Decrypt_Code ; 这里进去关键,外
壳的解密部分
seg008:005D9BCE xor eax , eax
seg008:005D9BD0 dec eax
seg008:005D9BD1 retn 4
seg008:005D9BD1 ; ------------------------------------------------------------------
----------
进去后有两个地方会动态改变,第一次就是解密后的获取api的地址后,会把相关名字给清除掉,
第二处就是壳通过
哂名管道,把子进程建立后,通过同步事件把关键代码写入子进程,然后子进程执行关键代码。
第一处:
005DA22C E8 3C020000 CALL 005DA46D
005DA231 3215 120F121A XOR DL ,BYTE PTR DS :[1A120F12]
005DA237 17 POP SS ; Modification
of segment register
通过后面的分析写出解密代码:
PUSHAD
MOV ESI ,005DA231
MOV EDI ,ESI
L003:
LODS BYTE PTR DS :[ESI ]
CMP AL ,0
JE L009
XOR AL ,7B
STOS BYTE PTR ES :[EDI ]
JMP L003
L009:
CMP BYTE PTR DS :[ESI ],0
NOP
JE L017
NOP
INC EDI
JMP L003
NOP
NOP
L017:
POPAD
第二处:
005DA747 E8 0D000000 CALL 005DA759
005DA74C 41 INC ECX
005DA74D 44 INC ESP
005DA74E 56 PUSH ESI
第二处的分析结果如下:
第一次解密地址:5DA7E9 size:0F0 KEY:06
第二次解密地址:5DA8D9 size:0F0 KEY:05
第三次解密地址:5DA9C9 size:0F0 KEY:04
第三次解密地址:5DAAB9 size:0F0 KEY:03
第四次解密地址:5DABA9 size:0F0 KEY:02
第五次解密地址:5DAC99 size:0F0 KEY:01
第六次解密地址:5DAD89 size:0C9 KEY:C9
根据分析再写一段解密代码,写这两段代码都是为了方便用IDA分析外壳,
如果只是为了一般的脱壳,没有必要这样做,解密代码:
PUSHAD
MOV EBX ,6
MOV ECX ,0F0
MOV ESI ,005DA7E9
MOV EDI ,ESI
L005:
LODS BYTE PTR DS :[ESI ]
XOR AL ,BL
STOS BYTE PTR ES :[EDI ]
LOOPD L005
CMP EBX ,1
JE L014
DEC EBX
MOV ECX ,0F0
JMP L005
L014:
MOV EBX ,0C9
MOV ECX ,EBX
L016:
LODS BYTE PTR DS :[ESI ]
XOR AL ,BL
STOS BYTE PTR ES :[EDI ]
LOOPD L016
POPAD
解密出来了,用IDA分析就好很多了,内容比较长,慢慢看:-):
seg008:005DA1BA Decrypt_Code proc far ; CODE XREF:
seg008:005D9BC9p
seg008:005DA1BA
seg008:005DA1BA var_16B0 = dword ptr -16B0h
seg008:005DA1BA var_pSecurity = dword ptr -0A04h
seg008:005DA1BA var_A00 = dword ptr -0A00h
seg008:005DA1BA var_9FC = dword ptr -9FCh
seg008:005DA1BA var_KERBASE = dword ptr -9F8h
seg008:005DA1BA var_hUser32 = dword ptr -9F4h
seg008:005DA1BA LookupPrivilegeValueA= dword ptr -9F0h
seg008:005DA1BA var_hGDI32 = dword ptr -9ECh
seg008:005DA1BA var_9E8 = dword ptr -9E8h
seg008:005DA1BA var_9E4 = dword ptr -9E4h
seg008:005DA1BA var_9E0 = dword ptr -9E0h
seg008:005DA1BA var_PEB = dword ptr -9DCh
seg008:005DA1BA var_PEB1 = dword ptr -9D8h
seg008:005DA1BA var_9D0 = dword ptr -9D0h
seg008:005DA1BA var_9CC = dword ptr -9CCh
seg008:005DA1BA var_App_hModule = dword ptr -9C8h
seg008:005DA1BA var_9C4 = dword ptr -9C4h
seg008:005DA1BA var_9C0 = dword ptr -9C0h
seg008:005DA1BA var_9BC = dword ptr -9BCh
seg008:005DA1BA var_9B8 = dword ptr -9B8h
seg008:005DA1BA var_9B4 = dword ptr -9B4h
seg008:005DA1BA var_GetProcAddress= dword ptr -9A4h
seg008:005DA1BA var_hLocal = dword ptr -998h
seg008:005DA1BA var_994 = dword ptr -994h
seg008:005DA1BA var_990 = dword ptr -990h
seg008:005DA1BA var_LoadLibraryA= dword ptr -98Ch
seg008:005DA1BA var_988 = dword ptr -988h
seg008:005DA1BA var_hMemLocal = dword ptr -984h
seg008:005DA1BA var_CmdLen = dword ptr -980h
seg008:005DA1BA var_97C = dword ptr -97Ch
seg008:005DA1BA var_CurrentPID = dword ptr -978h
seg008:005DA1BA var_hEvent = dword ptr -974h
seg008:005DA1BA var_hMap = dword ptr -970h
seg008:005DA1BA var_hMem = dword ptr -96Ch
seg008:005DA1BA var_CodeBase = dword ptr -968h
seg008:005DA1BA var_964 = dword ptr -964h
seg008:005DA1BA var_hWrite2 = dword ptr -960h
seg008:005DA1BA var_hRead2 = dword ptr -95Ch
seg008:005DA1BA var_hWrite1 = dword ptr -958h
seg008:005DA1BA var_hRead1 = dword ptr -954h
seg008:005DA1BA _InitCriticalSection= dword ptr -950h
seg008:005DA1BA var_GetCurrentThread= dword ptr -93Ch
seg008:005DA1BA var_LocalAlloc = dword ptr -934h
seg008:005DA1BA var_ContinueDebugEvent= dword ptr -92Ch
seg008:005DA1BA var_WaitForDebugEvent= dword ptr -928h
seg008:005DA1BA var_GetThreadContext= dword ptr -924h
seg008:005DA1BA var_SetThreadContext= dword ptr -920h
seg008:005DA1BA var_ReadProcMemory= dword ptr -91Ch
seg008:005DA1BA var_918 = dword ptr -918h
seg008:005DA1BA var_DebugActiveProcess= dword ptr -914h
seg008:005DA1BA var_910 = dword ptr -910h
seg008:005DA1BA var_SetEvent = dword ptr -90Ch
seg008:005DA1BA var_908 = dword ptr -908h
seg008:005DA1BA var_Sleep = dword ptr -904h
seg008:005DA1BA var_WaitForsingleObject= dword ptr -900h
seg008:005DA1BA var_GetStartupInfoA= dword ptr -8F8h
seg008:005DA1BA var_CreateProcessA= dword ptr -8F4h
seg008:005DA1BA var_CloseHandle = dword ptr -8F0h
seg008:005DA1BA var_CreatePipe = dword ptr -8ECh
seg008:005DA1BA var_CreateEventA= dword ptr -8E8h
seg008:005DA1BA var_GetCurrentProcessId= dword ptr -8E4h
seg008:005DA1BA GetCurrentProc = dword ptr -8E0h
seg008:005DA1BA var_MapViewOfFile= dword ptr -8DCh
seg008:005DA1BA var_GetWin32LastError= dword ptr -8D8h
seg008:005DA1BA var_CreateFileMappingA= dword ptr -8D4h
seg008:005DA1BA var_RtlZeroMemory= dword ptr -8D0h
seg008:005DA1BA var_GetModuleFileNameA= dword ptr -8CCh
seg008:005DA1BA var_GetModuleHandleA= dword ptr -8C8h
seg008:005DA1BA var_GetCommandLineA= dword ptr -8C4h
seg008:005DA1BA var_ReSetEvent = dword ptr -8C0h
seg008:005DA1BA var_pContext = dword ptr -8BCh
seg008:005DA1BA var_80C = dword ptr -80Ch
seg008:005DA1BA var_ExcepAddress= dword ptr -804h
seg008:005DA1BA var_pBaseAddress= dword ptr -7F8h
seg008:005DA1BA var_DebugEvent = dword ptr -5E8h
seg008:005DA1BA var_ProcessId = dword ptr -5E4h
seg008:005DA1BA var_ThreadId = dword ptr -5E0h
seg008:005DA1BA var_Exception_Code= dword ptr -5DCh
seg008:005DA1BA var_5D8 = dword ptr -5D8h
seg008:005DA1BA var_pThread = dword ptr -5D4h
seg008:005DA1BA var_hGDI321 = dword ptr -588h
seg008:005DA1BA var_RepPath = dword ptr -578h
seg008:005DA1BA var_Cstr(PID) = dword ptr -478h
seg008:005DA1BA var_hProcess = dword ptr -470h
seg008:005DA1BA var_hThread = dword ptr -46Ch
seg008:005DA1BA var_460 = dword ptr -460h
seg008:005DA1BA var_410 = dword ptr -410h
seg008:005DA1BA var_RlZMemDestination= dword ptr -400h
seg008:005DA1BA arg_40 = qword ptr 4Ch
seg008:005DA1BA arg_36FFF738 = dword ptr 36FFF744h
seg008:005DA1BA arg_3FA5743E = byte ptr 3FA5744Ah
seg008:005DA1BA
seg008:005DA1BA push ebp
seg008:005DA1BB mov ebp , esp
seg008:005DA1BD add esp , 0FFFFF5FCh
seg008:005DA1C3 push esi
seg008:005DA1C4 push edi
seg008:005DA1C5 push ebx
seg008:005DA1C6 push edx
seg008:005DA1C7 xor eax , eax
seg008:005DA1C9 mov [ebp +var_hGDI321], eax ; 初始化相关变
量
seg008:005DA1CF mov [ebp +var_990], eax
seg008:005DA1D5 mov [ebp +var_9CC], eax
seg008:005DA1DB mov [ebp +var_RepPath], eax
seg008:005DA1E1 mov [ebp +var_994], eax
seg008:005DA1E7 call GetCodeBase
seg008:005DA1EC jmp short loc_5DA1F3
seg008:005DA1EE ; ------------------------------------------------------------------
----------
seg008:005DA1EE
seg008:005DA1EE loc_5DA1EE: ; CODE XREF:
Decrypt_Code+3Cj
seg008:005DA1EE sub eax , 1000h
seg008:005DA1F3
seg008:005DA1F3 loc_5DA1F3: ; CODE XREF:
Decrypt_Code+32j
seg008:005DA1F3 cmp byte ptr [eax ], 28h
seg008:005DA1F6 jnz short loc_5DA1EE
seg008:005DA1F8 mov esi , eax
seg008:005DA1FA mov edi , eax
seg008:005DA1FC mov [ebp +var_CodeBase], eax
seg008:005DA202 push dword ptr [eax +28h]
seg008:005DA205 pop [ebp +var_LoadLibraryA]
seg008:005DA20B add edi , 62h
seg008:005DA211 push dword ptr [edi ]
seg008:005DA213 pop [ebp +var_KERBASE]
seg008:005DA219 mov eax , [ebp +var_CodeBase]
seg008:005DA21F add eax , 5Eh
seg008:005DA224 push dword ptr [eax ]
seg008:005DA226 pop [ebp +var_PEB]
seg008:005DA22C call @F
seg008:005DA22C ; ------------------------------------------------------------------
----------
seg008:005DA231 aInitializecrit db 'InitializeCriticalSection' ,0 ; 这些字符串是
解密后的
seg008:005DA24B aWritefile db 'WriteFile' ,0
seg008:005DA255 aLeavecriticals db 'LeaveCriticalSection' ,0
seg008:005DA26A aEntercriticals db 'EnterCriticalSection' ,0
seg008:005DA27F aReadfileo db 'ReadFile' ,0
seg008:005DA288 aGetcurrentthre db 'GetCurrentThread' ,0
seg008:005DA299 aLocalfree db 'LocalFree' ,0
seg008:005DA2A3 aLocalalloc db 'LocalAlloc' ,0
seg008:005DA2AE aOpenthread db 'OpenThread' ,0
seg008:005DA2B9 aContinuedebuge db 'ContinueDebugEvent' ,0
seg008:005DA2CC aWaitfordebugev db 'WaitForDebugEvent' ,0
seg008:005DA2DE aGetthreadconte db 'GetThreadContext' ,0
seg008:005DA2EF aSetthreadconte db 'SetThreadContext' ,0
seg008:005DA300 aReadprocessmem db 'ReadProcessMemory' ,0
seg008:005DA312 aWriteprocessme db 'WriteProcessMemory' ,0
seg008:005DA325 aDebugactivepro db 'DebugActiveProcess' ,0
seg008:005DA338 aOpenprocess db 'OpenProcess' ,0
seg008:005DA344 aSetevent db 'SetEvent' ,0
seg008:005DA34D aDuplicatehandl db 'DuplicateHandle' ,0
seg008:005DA35D aSleep db 'Sleep' ,0
seg008:005DA363 aWaitforsingleo db 'WaitForSingleObject' ,0
seg008:005DA377 aUnmapviewoffil db 'UnmapViewOfFile' ,0
seg008:005DA387 aGetstartupinfo db 'GetStartupInfoA' ,0
seg008:005DA397 aCreateprocessa db 'CreateProcessA' ,0
seg008:005DA3A6 aClosehandle db 'CloseHandle' ,0
seg008:005DA3B2 aCreatepipe db 'CreatePipe' ,0
seg008:005DA3BD aCreateeventa db 'CreateEventA' ,0
seg008:005DA3CA aGetcurrentproc db 'GetCurrentProcessId' ,0
seg008:005DA3DE aGetcurrentpr_0 db 'GetCurrentProcess' ,0
seg008:005DA3F0 aMapviewoffile db 'MapViewOfFile' ,0
seg008:005DA3FE aGetlasterror db 'GetLastError' ,0
seg008:005DA40B aCreatefilemapp db 'CreateFileMappingA' ,0
seg008:005DA41E aRtlzeromemory db 'RtlZeroMemory' ,0
seg008:005DA42C aGetmodulefilen db 'GetModuleFileNameA' ,0
seg008:005DA43F aGetmodulehandl db 'GetModuleHandleA' ,0
seg008:005DA450 aGetcommandline db 'GetCommandLineA' ,0
seg008:005DA460 aResetevent db 'ResetEvent' ,0
seg008:005DA46B db 0
seg008:005DA46C db 0
seg008:005DA46D ; ------------------------------------------------------------------
----------
seg008:005DA46D
seg008:005DA46D @F: ; CODE XREF:
Decrypt_Code+72p
seg008:005DA46D mov edx , [edi ]
seg008:005DA46F pop edi
seg008:005DA470 push dword ptr [esi +24h]
seg008:005DA473 pop [ebp +var_GetProcAddress]
seg008:005DA479 lea esi , [ebp +_InitCriticalSection]
seg008:005DA47F
seg008:005DA47F loc_5DA47F: ; CODE XREF:
Decrypt_Code+309j
seg008:005DA47F push edx ; 这里循环解密
出正确的字符串,Key=7B
seg008:005DA480 xor ecx , ecx
seg008:005DA482
seg008:005DA482 loc_5DA482: ; CODE XREF:
Decrypt_Code+2D1j
seg008:005DA482 xor byte ptr [ecx +edi ], '{'
seg008:005DA486 inc ecx
seg008:005DA487 cmp byte ptr [ecx +edi ], 0
seg008:005DA48B jnz short loc_5DA482
seg008:005DA48D push edi ; push apiName
seg008:005DA48E push edx ; push hModule
seg008:005DA48F
seg008:005DA48F loc_5DA48F: ; GetProcAddress 获取api的地址
seg008:005DA48F call [ebp +var_GetProcAddress]
seg008:005DA495 mov [esi ], eax ; 保存api地址
seg008:005DA497 push eax
seg008:005DA498 push eax
seg008:005DA499 call sub_5DB6B3
seg008:005DA49E cmp eax , 0FFFFFFFFh
seg008:005DA4A1 jz loc_5DA81A
seg008:005DA4A7 lodsd
seg008:005DA4A8 xchg esi , [ebp +var_PEB]
seg008:005DA4AE
seg008:005DA4AE loc_5DA4AE: ; CODE XREF:
Decrypt_Code+2F9j
seg008:005DA4AE lodsb
seg008:005DA4AF stosb
seg008:005DA4B0 cmp byte ptr [edi ], 0
seg008:005DA4B3 jnz short loc_5DA4AE ; 获取了函数的
API后,相关地址保存PEB的内容
seg008:005DA4B5 lodsb
seg008:005DA4B6 stosb
seg008:005DA4B7 xchg esi , [ebp +var_PEB]
seg008:005DA4BD pop edx
seg008:005DA4BE cmp byte ptr [edi ], 0
seg008:005DA4C1 jz short loc_5DA4C5 ; 如果相关api
的地址获取完毕则跳去下一步
seg008:005DA4C3 jmp short loc_5DA47F ; 这里循环解密
出正确的字符串,Key=7B
seg008:005DA4C5 ; ------------------------------------------------------------------
----------
seg008:005DA4C5
seg008:005DA4C5 loc_5DA4C5: ; CODE XREF:
Decrypt_Code+307j
seg008:005DA4C5 push esi
seg008:005DA4C6 push edi
seg008:005DA4C7 push 400h
seg008:005DA4CC lea esi , [ebp +var_RlZMemDestination]
seg008:005DA4D2 push esi
seg008:005DA4D3 call [ebp +var_RtlZeroMemory] ;
RtlZeroMemory 初始化内存空间
seg008:005DA4D3 ;
seg008:005DA4D9 push 400h
seg008:005DA4DE push esi
seg008:005DA4DF push 0
seg008:005DA4E1 call [ebp +var_GetModuleHandleA] ; 获取程序
的ImageBase
seg008:005DA4E7 mov [ebp +var_App_hModule], eax
seg008:005DA4ED push eax
seg008:005DA4EE call [ebp +var_GetModuleFileNameA]
seg008:005DA4F4 lea edi , [ebp +var_RepPath]
seg008:005DA4FA lodsb
seg008:005DA4FB
seg008:005DA4FB loc_5DA4FB: ; CODE XREF:
Decrypt_Code+34Bj
seg008:005DA4FB cmp al , '\' ; 把完整路径名
中的\替换为_.
seg008:005DA4FD jnz short loc_5DA501
seg008:005DA4FF mov al , '_'
seg008:005DA501
seg008:005DA501 loc_5DA501: ; CODE XREF:
Decrypt_Code+343j
seg008:005DA501 stosb
seg008:005DA502 lodsb
seg008:005DA503 or al , al
seg008:005DA505 jnz short loc_5DA4FB ; 如果没有替换
完则继续
seg008:005DA507 stosb
seg008:005DA508 call [ebp +var_GetCurrentProcessId]
seg008:005DA50E mov [ebp +var_CurrentPID], eax ; 保存当前进程
ID
seg008:005DA514 call [ebp +var_GetWin32LastError]
seg008:005DA51A mov edi , eax
seg008:005DA51C lea esi , [ebp +var_Cstr(PID)]
seg008:005DA522 push esi
seg008:005DA523 push [ebp +var_CurrentPID]
seg008:005DA529 call Cstr_PID_ ; 把当前进程ID
转为字符串
seg008:005DA529 ; 类似wsprintf
把十六进制转为字符串
seg008:005DA52E call [ebp +var_GetCommandLineA]
seg008:005DA534 xor ecx , ecx
seg008:005DA536 mov esi , eax
seg008:005DA538 call [ebp +var_GetWin32LastError]
seg008:005DA53E mov edi , eax
seg008:005DA540
seg008:005DA540 loc_5DA540: ; CODE XREF:
Decrypt_Code+392j
seg008:005DA540 lodsb ; 循环计算命令
行长度,去除前后两个"号
seg008:005DA541 cmp al , 22h
seg008:005DA543 jnz short loc_5DA549
seg008:005DA545 or al , al
seg008:005DA547 jz short loc_5DA54A
seg008:005DA549
seg008:005DA549 loc_5DA549: ; CODE XREF:
Decrypt_Code+389j
seg008:005DA549 inc ecx
seg008:005DA54A
seg008:005DA54A loc_5DA54A: ; CODE XREF:
Decrypt_Code+38Dj
seg008:005DA54A or al , al
seg008:005DA54C jnz short loc_5DA540 ; 循环计算命令
行长度,去除前后两个"号
seg008:005DA54E mov [ebp +var_CmdLen], ecx
seg008:005DA554 lea esi , [ebp +var_RepPath]
seg008:005DA55A push esi ; /MapName = "D:_Documents and Settings_
seg008:005DA55B push 400h ;
|MaximumSizeLow = 400
seg008:005DA560 push 0 ;
|MaximumSizeHigh = 0
seg008:005DA562 push 4 ; |Protection
= PAGE_READWRITE
seg008:005DA564 push 0 ; |pSecurity =
NULL
seg008:005DA566 push 0FFFFFFFFh ; |hFile =
FFFFFFFF
seg008:005DA568 call [ebp +var_CreateFileMappingA] ;
\CreateFileMappingA
seg008:005DA56E mov [ebp +var_hMem], eax
seg008:005DA574 call [ebp +var_GetWin32LastError] ; 如果是子进程
则返回0B7
seg008:005DA57A mov edi , eax
seg008:005DA57C push 0 ; /MapSize = 0
seg008:005DA57E push 0 ; |OffsetLow =
0
seg008:005DA580 push 0 ; |OffsetHigh
= 0
seg008:005DA582 push 0F001Fh ; |AccessMode
= F001F
seg008:005DA587 push [ebp +var_hMem] ; |hMapObject
= 0000001C
seg008:005DA58D call [ebp +var_MapViewOfFile] ;
\MapViewOfFile
seg008:005DA593 push eax
seg008:005DA594 mov eax , [ebp +var_CodeBase]
seg008:005DA59A add eax , 8Eh
seg008:005DA59F pop dword ptr [eax ]
seg008:005DA5A1 push dword ptr [eax ]
seg008:005DA5A3 pop [ebp +var_hMap]
seg008:005DA5A9 cmp edi , 0B7h
seg008:005DA5AF jnz loc_5DAE58 ; 这里跳就去父
进程处理部分
seg008:005DA5B5 mov esi , [ebp +var_hMap]
seg008:005DA5BB add esi , 100h
seg008:005DA5C1 lodsd
seg008:005DA5C2 lea esi , [ebp +var_Cstr(PID)]
seg008:005DA5C8 push esi
seg008:005DA5C9 push eax
seg008:005DA5CA call Cstr_PID_
seg008:005DA5CF push edi
seg008:005DA5D0 call loc_5DA5E6
seg008:005DA5D0 ; ------------------------------------------------------------------
----------
seg008:005DA5D5 aPelock_event_1 db 'PeLock_Event_123' ,0
seg008:005DA5E6 ; ------------------------------------------------------------------
----------
seg008:005DA5E6
seg008:005DA5E6 loc_5DA5E6: ; CODE XREF:
Decrypt_Code+416p
seg008:005DA5E6 pop edi
seg008:005DA5E7 push edi
seg008:005DA5E8 xor eax , eax
seg008:005DA5EA push 0FFFFFFFFh
seg008:005DA5EC pop ecx
seg008:005DA5ED repne scasb
seg008:005DA5EF sub edi , 4
seg008:005DA5F2 lea esi , [ebp +var_Cstr(PID)]
seg008:005DA5F8
seg008:005DA5F8 loc_5DA5F8: ; CODE XREF:
Decrypt_Code+442j
seg008:005DA5F8 lodsb
seg008:005DA5F9 stosb
seg008:005DA5FA or al , al
seg008:005DA5FC jnz short loc_5DA5F8
seg008:005DA5FE call [ebp +GetCurrentProc]
seg008:005DA604 mov edi , eax
seg008:005DA606 push 1
seg008:005DA608 push 1
seg008:005DA60A push 0
seg008:005DA60C call [ebp +var_CreateEventA]
seg008:005DA612 mov [ebp +var_hEvent], eax
seg008:005DA618 push 0
seg008:005DA61A push [ebp +var_hEvent]
seg008:005DA620 call [ebp +var_WaitForsingleObject]
seg008:005DA626 cmp eax , 102h
seg008:005DA62B jz short loc_5DA632
seg008:005DA62D call loc_5D9B1E
seg008:005DA632
seg008:005DA632 loc_5DA632: ; CODE XREF:
Decrypt_Code+471j
seg008:005DA632 call [ebp +var_GetWin32LastError]
seg008:005DA638 mov [ebp +var_9D0], eax
seg008:005DA63E
seg008:005DA63E loc_5DA63E:
seg008:005DA63E mov esi , [ebp +var_hMap]
seg008:005DA644 add esi , 100h
seg008:005DA64A lodsd
seg008:005DA64B mov [ebp +var_97C], eax
seg008:005DA651 push eax
seg008:005DA652 push 0
seg008:005DA654 push 1F0FFFh
seg008:005DA659 call [ebp +var_910]
seg008:005DA65F mov [ebp +var_964], eax
seg008:005DA665 push 2
seg008:005DA667 push 1
seg008:005DA669 push 0
seg008:005DA66B lea ecx , [ebp +var_hRead2]
seg008:005DA671 push ecx
seg008:005DA672 push edi
seg008:005DA673 add esi , 7Ch
seg008:005DA676 lodsd
seg008:005DA677 push eax
seg008:005DA678 push [ebp +var_964]
seg008:005DA67E call [ebp +var_908]
seg008:005DA684 push [ebp +var_hRead2]
seg008:005DA68A pop [ebp +var_hRead1]
seg008:005DA690 push 2
seg008:005DA692 push 1
seg008:005DA694 push 0
seg008:005DA696 lea ecx , [ebp +var_hWrite1]
seg008:005DA69C push ecx
seg008:005DA69D push edi
seg008:005DA69E lodsd
seg008:005DA69F push eax
seg008:005DA6A0 push [ebp +var_964]
seg008:005DA6A6 call [ebp +var_908]
seg008:005DA6AC push [ebp +var_hWrite1]
seg008:005DA6B2 pop [ebp +var_hWrite2]
seg008:005DA6B8 push [ebp +var_964]
seg008:005DA6BE call [ebp +var_CloseHandle]
seg008:005DA6C4 mov eax , [ebp +var_CodeBase]
seg008:005DA6CA add eax , 96h
seg008:005DA6CF push eax
seg008:005DA6D0 call [ebp +_InitCriticalSection]
seg008:005DA6D6 push [ebp +var_hEvent]
seg008:005DA6DC call [ebp +var_SetEvent]
seg008:005DA6E2 mov edi , [ebp +var_CodeBase]
seg008:005DA6E8 add edi , 17E9h
seg008:005DA6EE mov eax , 669h
seg008:005DA6F3 xor edx , edx
seg008:005DA6F5 mov ecx , 0F0h
seg008:005DA6FA mov [ebp +var_9E0], 102h
seg008:005DA704 mov [ebp +var_9E4], ecx
seg008:005DA70A div ecx
seg008:005DA70C mov ecx , eax
seg008:005DA70E push edx
seg008:005DA70F
seg008:005DA70F loc_5DA70F: ; CODE XREF:
Decrypt_Code+576j
seg008:005DA70F push ecx
seg008:005DA710 lea eax , [ebp +var_hWrite2]
seg008:005DA716 push [ebp +var_9E0]
seg008:005DA71C push [ebp +var_9E4]
seg008:005DA722 push edi
seg008:005DA723 push eax
seg008:005DA724 call Write_File
seg008:005DA729 add edi , [ebp +var_9E4]
seg008:005DA72F pop ecx
seg008:005DA730 loop loc_5DA70F
seg008:005DA732 pop edx
seg008:005DA733 lea eax , [ebp +var_hWrite2]
seg008:005DA739 push [ebp +var_9E0]
seg008:005DA73F push edx
seg008:005DA740 push edi
seg008:005DA741 push eax
seg008:005DA742 call Write_File
seg008:005DA747 call loc_5DA759
seg008:005DA747 ; ------------------------------------------------------------------
----------
seg008:005DA74C aAdvapi32_dll db 'ADVAPI32.dll' ,0
seg008:005DA759 ; ------------------------------------------------------------------
----------
seg008:005DA759
seg008:005DA759 loc_5DA759: ; CODE XREF:
Decrypt_Code+58Dp
seg008:005DA759 call [ebp +var_LoadLibraryA]
seg008:005DA75F mov [ebp +LookupPrivilegeValueA], eax
seg008:005DA765 push [ebp +var_CloseHandle]
seg008:005DA76B call loc_5DA786
seg008:005DA76B ; ------------------------------------------------------------------
----------
seg008:005DA770 aAdjusttokenpri db 'AdjustTokenPrivileges' ,0
seg008:005DA786 ; ------------------------------------------------------------------
----------
seg008:005DA786
seg008:005DA786 loc_5DA786: ; CODE XREF:
Decrypt_Code+5B1p
seg008:005DA786 push [ebp +LookupPrivilegeValueA]
seg008:005DA78C call [ebp +var_GetProcAddress]
seg008:005DA792 push eax
seg008:005DA793 call loc_5DA7AE
seg008:005DA793 ; ------------------------------------------------------------------
----------
seg008:005DA798 aLookupprivileg db 'LookupPrivilegeValueA' ,0
seg008:005DA7AE ; ------------------------------------------------------------------
----------
seg008:005DA7AE
seg008:005DA7AE loc_5DA7AE: ; CODE XREF:
Decrypt_Code+5D9p
seg008:005DA7AE push [ebp +LookupPrivilegeValueA]
seg008:005DA7B4 call [ebp +var_GetProcAddress]
seg008:005DA7BA push eax
seg008:005DA7BB call loc_5DA7D1 ; AdjustTokenPrivileges
seg008:005DA7BB ; ------------------------------------------------------------------
----------
seg008:005DA7C0 aOpenprocesstok db 'OpenProcessToken' ,0
seg008:005DA7D1 ; ------------------------------------------------------------------
----------
seg008:005DA7D1
seg008:005DA7D1 loc_5DA7D1: ; CODE XREF:
Decrypt_Code+601p
seg008:005DA7D1 push [ebp +LookupPrivilegeValueA] ;
LookupPrivilegeValueA
seg008:005DA7D7 call [ebp +var_GetProcAddress]
seg008:005DA7DD push eax ;
OpenProcessToke
seg008:005DA7DE push [ebp +GetCurrentProc] ; 分别传入:
seg008:005DA7DE ; GetCurrentProcess
seg008:005DA7DE ; OpenProcessToken
seg008:005DA7DE ;
LookupPrivilegeValueA
seg008:005DA7DE ; AdjustTokenPrivileges
seg008:005DA7DE ; CloseHandle
seg008:005DA7E4 call Get_Privileges
seg008:005DA7E9 nop ;如果没解密之
前这里全部是"垃圾" 来的:-)
seg008:005DA7EA push 0
seg008:005DA7EC push 0
seg008:005DA7EE push 11h
seg008:005DA7F0 call [ebp +var_GetCurrentThread]
seg008:005DA7F6 push eax
seg008:005DA7F7 call GetCodeBase
seg008:005DA7FC add eax , 76h
seg008:005DA801 mov eax , [eax ]
seg008:005DA803 ror eax , 2
seg008:005DA806 call eax ;
ZwSetInformationThread
seg008:005DA808 push [ebp +var_97C]
seg008:005DA80E call [ebp +var_DebugActiveProcess]
seg008:005DA814 push eax
seg008:005DA815 call $+5
seg008:005DA81A
seg008:005DA81A loc_5DA81A: ; CODE XREF:
Decrypt_Code+2E7j
seg008:005DA81A pop eax
seg008:005DA81B add eax , 89Dh
seg008:005DA820 mov byte ptr [eax ], 90h
seg008:005DA823 pop eax
seg008:005DA824 or eax , eax
seg008:005DA826 jz Over ; 如
果DebugActiveProcess失败则结束程序
seg008:005DA82C push 800h
seg008:005DA831 push 0
seg008:005DA833 call [ebp +var_LocalAlloc]
seg008:005DA839 xor ecx , ecx
seg008:005DA83B mov [eax ], ecx
seg008:005DA83D mov [ebp +var_hMemLocal], eax
seg008:005DA843 mov [ebp +var_hGDI321], 0
seg008:005DA84D push [ebp +var_hEvent]
seg008:005DA853 push 0A0h
seg008:005DA858 call [ebp +var_Sleep]
seg008:005DA85E call [ebp +var_SetEvent]
seg008:005DA864
seg008:005DA864 loc_5DA864: ; CODE XREF:
Decrypt_Code+928j
seg008:005DA864 ;
Decrypt_Code+958j ...
seg008:005DA864 push 0FFFFFFFFh
seg008:005DA866 lea eax , [ebp +var_DebugEvent]
seg008:005DA86C push eax
seg008:005DA86D call [ebp +var_WaitForDebugEvent]
seg008:005DA873 cmp [ebp +var_DebugEvent], 5 ; case
EXIT_PROCESS_DEBUG_EVENT
seg008:005DA87A jnz short loc_5DA89D ; case
CREATE_PROCESS_DEBUG_EVENT
seg008:005DA87C push 80010001h
seg008:005DA881 push [ebp +var_ThreadId]
seg008:005DA887 push [ebp +var_ProcessId]
seg008:005DA88D call [ebp +var_ContinueDebugEvent]
seg008:005DA893 jmp loc_5DAE52
seg008:005DA898 ; ------------------------------------------------------------------
----------
seg008:005DA898 jmp loc_5DAE36 ;
ContinueStatus
seg008:005DA89D ; ------------------------------------------------------------------
----------
seg008:005DA89D
seg008:005DA89D loc_5DA89D: ; CODE XREF:
Decrypt_Code+6C0j
seg008:005DA89D cmp [ebp +var_DebugEvent], 3 ; case
CREATE_PROCESS_DEBUG_EVENT
seg008:005DA8A4 jnz short loc_5DA900 ; case
CREATE_THREAD_DEBUG_EVENT
seg008:005DA8A6 mov edx , [ebp +var_hMemLocal]
seg008:005DA8AC inc dword ptr [edx ]
seg008:005DA8AE mov eax , [ebp +var_ThreadId]
seg008:005DA8B4 mov [edx +4], eax
seg008:005DA8B7 mov [ebp +var_988], eax
seg008:005DA8BD mov eax , [ebp +var_pThread]
seg008:005DA8C3 mov [edx +8], eax
seg008:005DA8C6 mov [ebp +var_hThread], eax
seg008:005DA8CC push [ebp +var_5D8]
seg008:005DA8D2 pop [ebp +var_hProcess]
seg008:005DA8D8 mov [ebp +var_pContext], 10001h
seg008:005DA8E2 lea eax , [ebp +var_pContext]
seg008:005DA8E8 push eax
seg008:005DA8E9 push [ebp +var_pThread]
seg008:005DA8EF call [ebp +var_GetThreadContext]
seg008:005DA8F5 mov eax , [ebp +var_ExcepAddress]
seg008:005DA8FB jmp loc_5DAE36 ;
ContinueStatus
seg008:005DA900 ; ------------------------------------------------------------------
----------
seg008:005DA900
seg008:005DA900 loc_5DA900: ; CODE XREF:
Decrypt_Code+6EAj
seg008:005DA900 cmp [ebp +var_DebugEvent], 2 ; case
CREATE_THREAD_DEBUG_EVENT
seg008:005DA907 jnz short loc_5DA92C ; case
EXIT_THREAD_DEBUG_EVENT
seg008:005DA909 mov edx , [ebp +var_hMemLocal]
seg008:005DA90F mov ecx , [edx ]
seg008:005DA911 mov eax , [ebp +var_ThreadId]
seg008:005DA917 mov [edx +ecx *8+4], eax
seg008:005DA91B mov eax , [ebp +var_Exception_Code]
seg008:005DA921 mov [edx +ecx *8+8], eax
seg008:005DA925 inc dword ptr [edx ]
seg008:005DA927 jmp loc_5DAE36 ;
ContinueStatus
seg008:005DA92C ; ------------------------------------------------------------------
----------
seg008:005DA92C
seg008:005DA92C loc_5DA92C: ; CODE XREF:
Decrypt_Code+74Dj
seg008:005DA92C cmp [ebp +var_DebugEvent], 4 ; case
EXIT_THREAD_DEBUG_EVENT
seg008:005DA933 jnz short loc_5DA96D ; case
EXCEPTION_DEBUG_EVENT
seg008:005DA935 push edi
seg008:005DA936 mov edi , [ebp +var_hMemLocal]
seg008:005DA93C mov ecx , [edi ]
seg008:005DA93E add edi , 4
seg008:005DA941 shl ecx , 1
seg008:005DA943 mov eax , [ebp +var_ThreadId]
seg008:005DA949 repne scasd
seg008:005DA94B jnz short loc_5DA967
seg008:005DA94D shr ecx , 1
seg008:005DA94F push esi
seg008:005DA950 sub edi , 4
seg008:005DA953 lea esi , [edi +8]
seg008:005DA956 or ecx , ecx
seg008:005DA958 jz short loc_5DA966
seg008:005DA95A
seg008:005DA95A loc_5DA95A: ; CODE XREF:
Decrypt_Code+7A2j
seg008:005DA95A lodsd
seg008:005DA95B stosd
seg008:005DA95C loop loc_5DA95A
seg008:005DA95E mov edi , [ebp +var_hMemLocal]
seg008:005DA964 dec dword ptr [edi ]
seg008:005DA966
seg008:005DA966 loc_5DA966: ; CODE XREF:
Decrypt_Code+79Ej
seg008:005DA966 pop esi
seg008:005DA967
seg008:005DA967 loc_5DA967: ; CODE XREF:
Decrypt_Code+791j
seg008:005DA967 pop edi
seg008:005DA968 jmp loc_5DAE36 ;
ContinueStatus
seg008:005DA96D ; ------------------------------------------------------------------
----------
seg008:005DA96D
seg008:005DA96D loc_5DA96D: ; CODE XREF:
Decrypt_Code+779j
seg008:005DA96D cmp [ebp +var_DebugEvent], 1 ; case
EXCEPTION_DEBUG_EVENT
seg008:005DA974 jnz loc_5DAE36 ;
ContinueStatus
seg008:005DA97A cmp [ebp +var_Exception_Code], 80000003h ; 断点异
常
seg008:005DA984 jnz loc_5DABCF ;
ACCESS_VIOLATION
seg008:005DA98A mov eax , [ebp +var_988]
seg008:005DA990 cmp eax , [ebp +var_ThreadId]
seg008:005DA996 jnz loc_5DAAEC
seg008:005DA99C cmp [ebp +var_hGDI321], 0
seg008:005DA9A3 jnz loc_5DAA33
seg008:005DA9A9 call loc_5DA9B9
seg008:005DA9A9 ; ------------------------------------------------------------------
----------
seg008:005DA9AE aUser32_dll db 'User32.dll' ,0
seg008:005DA9B9 ; ------------------------------------------------------------------
----------
seg008:005DA9B9
seg008:005DA9B9 loc_5DA9B9: ; CODE XREF:
Decrypt_Code+7EFp
seg008:005DA9B9 call [ebp +var_LoadLibraryA]
seg008:005DA9BF mov [ebp +var_hUser32], eax
seg008:005DA9C5 call loc_5DA9D4
seg008:005DA9C5 ; ------------------------------------------------------------------
----------
seg008:005DA9CA aGdi32_dll db 'GDI32.dll' ,0
seg008:005DA9D4 ; ------------------------------------------------------------------
----------
seg008:005DA9D4
seg008:005DA9D4 loc_5DA9D4: ; CODE XREF:
Decrypt_Code+80Bp
seg008:005DA9D4 call [ebp +var_LoadLibraryA]
seg008:005DA9DA mov [ebp +var_hGDI32], eax
seg008:005DA9E0 mov [ebp +var_hGDI321], eax
seg008:005DA9E6 push edi
seg008:005DA9E7 push esi
seg008:005DA9E8 mov edi , [ebp +var_hMemLocal]
seg008:005DA9EE push dword ptr [edi +8]
seg008:005DA9F1 pop [ebp +var_hThread]
seg008:005DA9F7 mov [ebp +var_pContext], 10007h
seg008:005DAA01 lea eax , [ebp +var_pContext]
seg008:005DAA07 push eax
seg008:005DAA08 push [ebp +var_hThread]
seg008:005DAA0E call [ebp +var_GetThreadContext]
seg008:005DAA14
seg008:005DAA14 loc_5DAA14:
seg008:005DAA14 add [ebp +var_ExcepAddress], 6
seg008:005DAA1B lea eax , [ebp +var_pContext]
seg008:005DAA21 push eax
seg008:005DAA22 push [ebp +var_hThread]
seg008:005DAA28 call [ebp +var_SetThreadContext]
seg008:005DAA2E jmp loc_5DAAC9
seg008:005DAA33 ; ------------------------------------------------------------------
----------
seg008:005DAA33
seg008:005DAA33 loc_5DAA33: ; CODE XREF:
Decrypt_Code+7E9j
seg008:005DAA33 push edi
seg008:005DAA34 push esi
seg008:005DAA35 mov esi , [ebp +var_hMemLocal]
seg008:005DAA3B push dword ptr [esi +8]
seg008:005DAA3E pop [ebp +var_hThread]
seg008:005DAA44 mov [ebp +var_pContext], 10007h
seg008:005DAA4E lea eax , [ebp +var_pContext]
seg008:005DAA54 push eax
seg008:005DAA55 push [ebp +var_hThread]
seg008:005DAA5B call [ebp +var_GetThreadContext]
seg008:005DAA61 mov eax , [ebp +var_ExcepAddress] ; 获取异常地址
seg008:005DAA67 mov edi , [ebp +var_9B4]
seg008:005DAA6D mov edx , [edi +10h]
seg008:005DAA70 mov ecx , [edi +14h]
seg008:005DAA73 sub ecx , edx
seg008:005DAA75 lea edi , [edx +edi +20h]
seg008:005DAA79 mov edx , eax
seg008:005DAA7B sub eax , [ebp +var_App_hModule]
seg008:005DAA81 and ax , 0F000h
seg008:005DAA85 push [ebp +var_hLocal]
seg008:005DAA8B push [ebp +var_9B4]
seg008:005DAA91 call Getjmpaddress ; 父进程异常后
,写入正确的内容
seg008:005DAA91 ; 也就是动态写
入跳转表
seg008:005DAA96 test eax , eax ; 操作成功
后eax返回跳转地址
seg008:005DAA98 jz short loc_5DAAE7
seg008:005DAA9A dec edx
seg008:005DAA9B push edx
seg008:005DAA9C mov [ebp +var_ExcepAddress], eax
seg008:005DAAA2 push eax
seg008:005DAAA3 push [ebp +var_hProcess]
seg008:005DAAA9 push [ebp +var_918]
seg008:005DAAAF mov al , 0E9h
seg008:005DAAB1 call WritePresentMem ; 写入代码,改
写成jmp address
seg008:005DAAB1 ; 其中address
就是前面eax的值
seg008:005DAAB6 lea eax , [ebp +var_pContext]
seg008:005DAABC push eax
seg008:005DAABD push [ebp +var_hThread]
seg008:005DAAC3 call [ebp +var_SetThreadContext]
seg008:005DAAC9
seg008:005DAAC9 loc_5DAAC9: ; CODE XREF:
Decrypt_Code+874j
seg008:005DAAC9 ;
Decrypt_Code+A04j
seg008:005DAAC9 push 10002h
seg008:005DAACE push [ebp +var_ThreadId]
seg008:005DAAD4 push [ebp +var_ProcessId]
seg008:005DAADA call [ebp +var_ContinueDebugEvent]
seg008:005DAAE0 pop esi
seg008:005DAAE1 pop edi
seg008:005DAAE2 jmp loc_5DA864
seg008:005DAAE7 ; ------------------------------------------------------------------
----------
seg008:005DAAE7
seg008:005DAAE7 loc_5DAAE7: ; CODE XREF:
Decrypt_Code+8DEj
seg008:005DAAE7 ;
Decrypt_Code+9D4j
seg008:005DAAE7 jmp loc_5DAE36 ;
ContinueStatus
seg008:005DAAEC ; ------------------------------------------------------------------
----------
seg008:005DAAEC
seg008:005DAAEC loc_5DAAEC: ; CODE XREF:
Decrypt_Code+7DCj
seg008:005DAAEC cmp [ebp +var_9CC], 0
seg008:005DAAF3 jnz short loc_5DAB1C
seg008:005DAAF5
seg008:005DAAF5 loc_5DAAF5: ; CODE XREF:
Decrypt_Code+A0Bj
seg008:005DAAF5 inc [ebp +var_9CC]
seg008:005DAAFB push 10002h
seg008:005DAB00 push [ebp +var_ThreadId]
seg008:005DAB06 push [ebp +var_ProcessId]
seg008:005DAB0C call [ebp +var_ContinueDebugEvent]
seg008:005DAB12 jmp loc_5DA864
seg008:005DAB17 ; ------------------------------------------------------------------
----------
seg008:005DAB17 jmp loc_5DABCA
seg008:005DAB1C ; ------------------------------------------------------------------
----------
seg008:005DAB1C
seg008:005DAB1C loc_5DAB1C: ; CODE XREF:
Decrypt_Code+939j
seg008:005DAB1C push edi
seg008:005DAB1D push esi
seg008:005DAB1E mov edi , [ebp +var_hMemLocal]
seg008:005DAB24 mov ecx , [edi ]
seg008:005DAB26 add edi , 4
seg008:005DAB29 shl ecx , 1
seg008:005DAB2B mov eax , [ebp +var_ThreadId]
seg008:005DAB31 repne scasd
seg008:005DAB33 jnz loc_5DABC3
seg008:005DAB39 mov esi , [edi ]
seg008:005DAB3B mov [ebp +var_pContext], 10007h
seg008:005DAB45 lea eax , [ebp +var_pContext]
seg008:005DAB4B push eax
seg008:005DAB4C push esi
seg008:005DAB4D call [ebp +var_GetThreadContext]
seg008:005DAB53 test eax , eax
seg008:005DAB55 jz short loc_5DABC3
seg008:005DAB57 mov eax , [ebp +var_ExcepAddress]
seg008:005DAB5D mov edi , [ebp +var_9B4]
seg008:005DAB63 mov edx , [edi +10h]
seg008:005DAB66 mov ecx , [edi +14h]
seg008:005DAB69 sub ecx , edx
seg008:005DAB6B lea edi , [edx +edi +20h]
seg008:005DAB6F mov edx , eax
seg008:005DAB71 sub eax , [ebp +var_App_hModule]
seg008:005DAB77 and ax , 0F000h
seg008:005DAB7B push [ebp +var_hLocal]
seg008:005DAB81 push [ebp +var_9B4]
seg008:005DAB87 call Getjmpaddress
seg008:005DAB8C test eax , eax
seg008:005DAB8E jz loc_5DAAE7
seg008:005DAB94 dec edx
seg008:005DAB95 push edx
seg008:005DAB96 mov [ebp +var_ExcepAddress], eax
seg008:005DAB9C push eax
seg008:005DAB9D push [ebp +var_hProcess]
seg008:005DABA3 push [ebp +var_918]
seg008:005DABA9 mov al , 0E9h
seg008:005DABAB call WritePresentMem
seg008:005DABB0 lea eax , [ebp +var_pContext]
seg008:005DABB6 push eax
seg008:005DABB7 push esi
seg008:005DABB8 call [ebp +var_SetThreadContext]
seg008:005DABBE jmp loc_5DAAC9
seg008:005DABC3 ; ------------------------------------------------------------------
----------
seg008:005DABC3
seg008:005DABC3 loc_5DABC3: ; CODE XREF:
Decrypt_Code+979j
seg008:005DABC3 ;
Decrypt_Code+99Bj
seg008:005DABC3 pop esi
seg008:005DABC4 pop edi
seg008:005DABC5 jmp loc_5DAAF5
seg008:005DABCA ; ------------------------------------------------------------------
----------
seg008:005DABCA
seg008:005DABCA loc_5DABCA: ; CODE XREF:
Decrypt_Code+95Dj
seg008:005DABCA jmp loc_5DAE36 ;
ContinueStatus
seg008:005DABCF ; ------------------------------------------------------------------
----------
seg008:005DABCF
seg008:005DABCF loc_5DABCF: ; CODE XREF:
Decrypt_Code+7CAj
seg008:005DABCF cmp [ebp +var_Exception_Code], 0C0000005h ;
ACCESS_VIOLATION
seg008:005DABD9 jnz loc_5DAE36 ;
ContinueStatus
seg008:005DABDF push edi
seg008:005DABE0 mov edi , [ebp +var_hMemLocal]
seg008:005DABE6 mov ecx , [edi ]
seg008:005DABE8 mov eax , [ebp +var_ThreadId]
seg008:005DABEE add edi , 4
seg008:005DABF1 shl ecx , 1
seg008:005DABF3 repne scasd
seg008:005DABF5 jnz loc_5DAE35
seg008:005DABFB push dword ptr [edi ]
seg008:005DABFD pop [ebp +var_hThread]
seg008:005DAC03 mov [ebp +var_pContext], 10007h
seg008:005DAC0D lea eax , [ebp +var_pContext]
seg008:005DAC13 push eax
seg008:005DAC14 push [ebp +var_hThread]
seg008:005DAC1A call [ebp +var_GetThreadContext]
seg008:005DAC20 mov eax , [ebp +var_ExcepAddress]
seg008:005DAC26 cmp eax , 0FADE68B1h ; 关键
seg008:005DAC2B jnz loc_5DAD07
seg008:005DAC31 mov [ebp +var_994], eax
seg008:005DAC37 inc [ebp +var_990]
seg008:005DAC3D push esi
seg008:005DAC3E lea eax , [ebp +var_410]
seg008:005DAC44 push eax
seg008:005DAC45 push 30h
seg008:005DAC47 mov edi , [ebp +var_hMemLocal]
seg008:005DAC4D add edi , 10h
seg008:005DAC50 push edi
seg008:005DAC51 push [ebp +var_pBaseAddress]
seg008:005DAC57 push [ebp +var_hProcess]
seg008:005DAC5D call [ebp +var_ReadProcMemory]
seg008:005DAC63 cmp [ebp +var_410], 30h
seg008:005DAC6A jnz short loc_5DACD1
seg008:005DAC6C add esp , 0FFFFFFECh
seg008:005DAC6F lea esi , [edi +4]
seg008:005DAC72 mov edi , esp
seg008:005DAC74 mov ecx , 4
seg008:005DAC79 rep movsd
seg008:005DAC7B mov [edi ], esi
seg008:005DAC7D cmp [ebp +var_990], 1
seg008:005DAC84 jnz short loc_5DACA4
seg008:005DAC86 mov edi , esp
seg008:005DAC88 lea eax , [ebp +var_410]
seg008:005DAC8E push eax
seg008:005DAC8F push 100h
seg008:005DAC94 push dword ptr [edi ]
seg008:005DAC96 push dword ptr [edi ]
seg008:005DAC98 push [ebp +var_hProcess]
seg008:005DAC9E call [ebp +var_ReadProcMemory]
seg008:005DACA4
seg008:005DACA4 loc_5DACA4: ; CODE XREF:
Decrypt_Code+ACAj
seg008:005DACA4 push esi
seg008:005DACA5 call [ebp +var_LoadLibraryA]
seg008:005DACAB call GetAPI
seg008:005DACB0 add esp , 4
seg008:005DACB3 mov [ebp +var_80C], eax
seg008:005DACB9 mov eax , [ebp +var_hMemLocal]
seg008:005DACBF add eax , 10h
seg008:005DACC2 push dword ptr [eax ]
seg008:005DACC4 pop [ebp +var_ExcepAddress]
seg008:005DACCA add [ebp +var_pBaseAddress], 30h
seg008:005DACD1
seg008:005DACD1 loc_5DACD1: ; CODE XREF:
Decrypt_Code+AB0j
seg008:005DACD1 pop esi
seg008:005DACD2 lea eax , [ebp +var_pContext]
seg008:005DACD8 push eax
seg008:005DACD9 push [ebp +var_hThread]
seg008:005DACDF call [ebp +var_SetThreadContext]
seg008:005DACE5 push 10002h
seg008:005DACEA push [ebp +var_ThreadId]
seg008:005DACF0 push [ebp +var_ProcessId]
seg008:005DACF6 call [ebp +var_ContinueDebugEvent]
seg008:005DACFC pop edi
seg008:005DACFD jmp loc_5DA864
seg008:005DAD02 ; ------------------------------------------------------------------
----------
seg008:005DAD02 jmp loc_5DAE35
seg008:005DAD07 ; ------------------------------------------------------------------
----------
seg008:005DAD07
seg008:005DAD07 loc_5DAD07: ; CODE XREF:
Decrypt_Code+A71j
seg008:005DAD07 cmp eax , 70000000h
seg008:005DAD0C jbe loc_5DADB6
seg008:005DAD12 lea eax , [ebp +var_410]
seg008:005DAD18 push eax
seg008:005DAD19 push 30h
seg008:005DAD1B mov edi , [ebp +var_hMemLocal]
seg008:005DAD21 add edi , 10h
seg008:005DAD24 push edi
seg008:005DAD25 push [ebp +var_pBaseAddress]
seg008:005DAD2B push [ebp +var_hProcess]
seg008:005DAD31 call [ebp +var_ReadProcMemory]
seg008:005DAD37 mov eax , [edi ]
seg008:005DAD39 mov edx , eax
seg008:005DAD3B sub eax , [ebp +var_App_hModule]
seg008:005DAD41 and ax , 0F000h
seg008:005DAD45 mov edi , [ebp +var_9B4]
seg008:005DAD4B mov ecx , [edi +10h]
seg008:005DAD4E add edi , 20h
seg008:005DAD51 push [ebp +var_hLocal]
seg008:005DAD57 push [ebp +var_9B4]
seg008:005DAD5D call Getjmpaddress
seg008:005DAD62 test eax , eax
seg008:005DAD64 jz short loc_5DADB4
seg008:005DAD66 sub edx , 5
seg008:005DAD69 push edx
seg008:005DAD6A mov [ebp +var_ExcepAddress], eax
seg008:005DAD70 push eax
seg008:005DAD71 push [ebp +var_hProcess]
seg008:005DAD77
seg008:005DAD77 loc_5DAD77:
seg008:005DAD77 push [ebp +var_918]
seg008:005DAD7D mov al , 0E8h
seg008:005DAD7F call WritePresentMem
seg008:005DAD84 lea eax , [ebp +var_pContext]
seg008:005DAD8A push eax
seg008:005DAD8B push [ebp +var_hThread]
seg008:005DAD91 call [ebp +var_SetThreadContext]
seg008:005DAD97 push 10002h
seg008:005DAD9C push [ebp +var_ThreadId]
seg008:005DADA2 push [ebp +var_ProcessId]
seg008:005DADA8 call [ebp +var_ContinueDebugEvent]
seg008:005DADAE pop edi
seg008:005DADAF jmp loc_5DA864
seg008:005DADB4 ; ------------------------------------------------------------------
----------
seg008:005DADB4
seg008:005DADB4 loc_5DADB4: ; CODE XREF:
Decrypt_Code+BAAj
seg008:005DADB4 jmp short loc_5DAE35
seg008:005DADB6 ; ------------------------------------------------------------------
----------
seg008:005DADB6
seg008:005DADB6 loc_5DADB6: ; CODE XREF:
Decrypt_Code+B52j
seg008:005DADB6 cmp [ebp +var_994], 0
seg008:005DADBD jz short loc_5DAE35
seg008:005DADBF push 1000h
seg008:005DADC4 push 40h
seg008:005DADC6 call [ebp +var_LocalAlloc]
seg008:005DADCC mov [ebp +var_hLocal], eax
seg008:005DADD2 lea eax , [ebp +var_410]
seg008:005DADD8 push eax
seg008:005DADD9 mov eax , [ebp +var_CodeBase]
seg008:005DADDF add eax , 2AC4h
seg008:005DADE4 mov [ebp +var_9B4], eax
seg008:005DADEA push dword ptr [eax +0Ch]
seg008:005DADED pop [ebp +var_9C0]
seg008:005DADF3 push dword ptr [eax +8]
seg008:005DADF6 pop [ebp +var_9BC]
seg008:005DADFC push dword ptr [eax +4]
seg008:005DADFF pop [ebp +var_9C4]
seg008:005DAE05 add esp , 0FFFFFFFCh
seg008:005DAE08 push [ebp +var_hLocal]
seg008:005DAE0E mov eax , [eax ]
seg008:005DAE10 push eax
seg008:005DAE11 sub eax , [ebp +var_hLocal]
seg008:005DAE17 neg eax
seg008:005DAE19 mov [ebp +var_9B8], eax
seg008:005DAE1F push [ebp +var_hProcess]
seg008:005DAE25 call [ebp +var_ReadProcMemory]
seg008:005DAE2B mov [ebp +var_994], 0
seg008:005DAE35
seg008:005DAE35 loc_5DAE35: ; CODE XREF:
Decrypt_Code+A3Bj
seg008:005DAE35 ;
Decrypt_Code+B48j ...
seg008:005DAE35 pop edi
seg008:005DAE36
seg008:005DAE36 loc_5DAE36: ; CODE XREF:
Decrypt_Code+6DEj
seg008:005DAE36 ;
Decrypt_Code+741j ...
seg008:005DAE36 push 80010001h ;
ContinueStatus
seg008:005DAE3B push [ebp +var_ThreadId]
seg008:005DAE41 push [ebp +var_ProcessId]
seg008:005DAE47 call [ebp +var_ContinueDebugEvent]
seg008:005DAE4D jmp loc_5DA864
seg008:005DAE52 ; ------------------------------------------------------------------
----------
seg008:005DAE52
seg008:005DAE52 loc_5DAE52: ; CODE XREF:
Decrypt_Code+6D9j
seg008:005DAE52 pop edi
seg008:005DAE53 jmp Over
seg008:005DAE58 ; ------------------------------------------------------------------
----------
seg008:005DAE58
seg008:005DAE58 loc_5DAE58: ; CODE XREF:
Decrypt_Code+3F5j
seg008:005DAE58 call [ebp +var_GetCurrentProcessId]
seg008:005DAE5E
seg008:005DAE5E loc_5DAE5E:
seg008:005DAE5E mov edi , [ebp +var_hMap]
seg008:005DAE64 add edi , 100h
seg008:005DAE6A stosd ; hMap+100h处
保存当前进程ID
seg008:005DAE6B push edi ; EventName = "PeLock_Event_C40"
seg008:005DAE6C call loc_5DAE82
seg008:005DAE6C ; ------------------------------------------------------------------
----------
seg008:005DAE71 aPelock_eMzC db 'PeLock_Event_123' ,0
seg008:005DAE82 ; ------------------------------------------------------------------
----------
seg008:005DAE82
seg008:005DAE82 loc_5DAE82: ; CODE XREF:
Decrypt_Code+CB2p
seg008:005DAE82 pop edi
seg008:005DAE83 push edi
seg008:005DAE84 xor eax , eax
seg008:005DAE86 push 0FFFFFFFFh
seg008:005DAE88 pop ecx
seg008:005DAE89 repne scasb ; 定位
到Pelock_Event_123的结束处
seg008:005DAE8B sub edi , 4
seg008:005DAE8E lea esi , [ebp +var_Cstr(PID)]
seg008:005DAE94
seg008:005DAE94 loc_5DAE94: ; CODE XREF:
Decrypt_Code+CDEj
seg008:005DAE94 lodsb
seg008:005DAE95 stosb
seg008:005DAE96 or al , al
seg008:005DAE98 jnz short loc_5DAE94 ; 替
换PeLock_Event_123为
seg008:005DAE98 ;
PeLock_Event_xxx(CSTR(PID))
seg008:005DAE9A push 0 ;
|InitiallySignaled = FALSE
seg008:005DAE9C push 1 ; |ManualReset
= TRUE
seg008:005DAE9E push 0 ; |pSecurity =
NULL
seg008:005DAEA0 call [ebp +var_CreateEventA] ;
\CreateEventA
seg008:005DAEA6 mov [ebp +var_hEvent], eax
seg008:005DAEAC pop edi
seg008:005DAEAD stosd
seg008:005DAEAE push 100h ; /BufSize =
100 (256.)
seg008:005DAEB3 lea eax , [ebp +var_pSecurity]
seg008:005DAEB9 push eax ; |pSecurity =
0012EC8C
seg008:005DAEBA mov [ebp +var_pSecurity], 0Ch
seg008:005DAEC4 xor eax , eax
seg008:005DAEC6 mov [ebp +var_A00], eax
seg008:005DAECC inc eax
seg008:005DAECD mov [ebp +var_9FC], eax
seg008:005DAED3 lea eax , [ebp +var_hWrite1]
seg008:005DAED9 push eax ;
|pWriteHandle = 0012ED38
seg008:005DAEDA lea eax , [ebp +var_hRead1]
seg008:005DAEE0 push eax ; |pReadHandle
= 0012ED3C
seg008:005DAEE1 call [ebp +var_CreatePipe] ; \CreatePipe
seg008:005DAEE7 push 100h
seg008:005DAEEC lea eax , [ebp +var_pSecurity] ; /pSecurity
seg008:005DAEF2 push eax ; |
seg008:005DAEF3 lea eax , [ebp +var_hWrite2] ;
|pWriteHandle = 0012ED30
seg008:005DAEF9 push eax ; |
seg008:005DAEFA lea eax , [ebp +var_hRead2] ; |pReadHandle
= 0012ED34
seg008:005DAF00 push eax ; |
seg008:005DAF01 call [ebp +var_CreatePipe] ; \CreatePipe
seg008:005DAF07 mov eax , [ebp +var_hRead2]
seg008:005DAF0D add edi , 78h
seg008:005DAF10 stosd
seg008:005DAF11 mov eax , [ebp +var_hWrite1]
seg008:005DAF17 stosd
seg008:005DAF18 mov eax , [ebp +var_CodeBase]
seg008:005DAF1E push eax
seg008:005DAF1F add eax , 5Eh ; Trap to
Debugger
seg008:005DAF24 mov eax , [eax ]
seg008:005DAF26 xchg eax , [esp +16B0h+var_16B0]
seg008:005DAF29 pop [ebp +var_PEB1]
seg008:005DAF2F add eax , 8Ah
seg008:005DAF34 push dword ptr [eax ]
seg008:005DAF36 call dword ptr [eax -4] ; SetUnhandledExceptionFilter
seg008:005DAF39 lea eax , [ebp +var_hProcess]
seg008:005DAF3F push eax
seg008:005DAF40 push 10h
seg008:005DAF42 push eax
seg008:005DAF43 call [ebp +var_RtlZeroMemory]
seg008:005DAF49 lea eax , [ebp +var_460]
seg008:005DAF4F push eax
seg008:005DAF50 push eax
seg008:005DAF51 push 44h
seg008:005DAF53 push eax
seg008:005DAF54 call [ebp +var_RtlZeroMemory]
seg008:005DAF5A call [ebp +var_GetStartupInfoA]
seg008:005DAF60 push 0
seg008:005DAF62 push 0
seg008:005DAF64 push 0
seg008:005DAF66 push 1
seg008:005DAF68 push 0
seg008:005DAF6A push 0
seg008:005DAF6C lea eax , [ebp +var_Cstr(PID)]
seg008:005DAF72 push eax ; CommandLine
= "C40"
seg008:005DAF73 lea eax , [ebp +var_RlZMemDestination]
seg008:005DAF79 push eax
seg008:005DAF7A call [ebp +var_CreateProcessA]
seg008:005DAF80 test eax , eax
seg008:005DAF82 push 11170h
seg008:005DAF87 push [ebp +var_hEvent]
seg008:005DAF8D call [ebp +var_WaitForsingleObject]
seg008:005DAF93 cmp eax , 102h
seg008:005DAF98 jnz short loc_5DAFA4
seg008:005DAF9A call loc_5D9B1E
seg008:005DAF9F jmp Over
seg008:005DAFA4 ; ------------------------------------------------------------------
----------
seg008:005DAFA4
seg008:005DAFA4 loc_5DAFA4: ; CODE XREF:
Decrypt_Code+DDEj
seg008:005DAFA4 push [ebp +var_hWrite2]
seg008:005DAFAA pop [ebp +var_hWrite1]
seg008:005DAFB0 call GetCodeBase
seg008:005DAFB5 add eax , 96h
seg008:005DAFBA push eax
seg008:005DAFBB call [ebp +_InitCriticalSection]
seg008:005DAFC1 mov [ebp +var_9E0], 28h
seg008:005DAFCB mov eax , 669h
seg008:005DAFD0 xor edx , edx
seg008:005DAFD2 mov [ebp +var_9E8], edx
seg008:005DAFD8 mov ecx , 0F0h
seg008:005DAFDD mov [ebp +var_9E4], ecx
seg008:005DAFE3 div ecx
seg008:005DAFE5 mov esi , eax
seg008:005DAFE7 mov ecx , eax
seg008:005DAFE9 push edx
seg008:005DAFEA
seg008:005DAFEA loc_5DAFEA: ; CODE XREF:
Decrypt_Code+E5Aj
seg008:005DAFEA push ecx
seg008:005DAFEB movzx eax , cl
seg008:005DAFEE ror eax , 8
seg008:005DAFF1 or eax , [ebp +var_9E0]
seg008:005DAFF7 ror eax , 4
seg008:005DAFFA push eax
seg008:005DAFFB lea eax , [ebp +var_hWrite2]
seg008:005DB001 push [ebp +var_9E4]
seg008:005DB007 push [ebp +var_9E8]
seg008:005DB00D push eax
seg008:005DB00E call Write_File ; 解密代码
seg008:005DB013 pop ecx
seg008:005DB014 loop loc_5DAFEA
seg008:005DB016 pop edx
seg008:005DB017 lea ecx , [ebp +var_hWrite2]
seg008:005DB01D mov eax , edx
seg008:005DB01F ror edx , 8
seg008:005DB022 or edx , [ebp +var_9E0]
seg008:005DB028 ror edx , 4
seg008:005DB02B push edx
seg008:005DB02C push eax
seg008:005DB02D push [ebp +var_9E8]
seg008:005DB033 push ecx
seg008:005DB034 call Write_File
seg008:005DB039 push [ebp +var_hEvent]
seg008:005DB03F call [ebp +var_ReSetEvent]
seg008:005DB045 push 80h
seg008:005DB04A call [ebp +var_Sleep]
seg008:005DB050 push 11170h
seg008:005DB055 push [ebp +var_hEvent]
seg008:005DB05B call [ebp +var_WaitForsingleObject]
seg008:005DB061 mov eax , [ebp +var_PEB1]
seg008:005DB067 xor cl , cl
seg008:005DB069 mov [eax +2], cl
seg008:005DB06C
seg008:005DB06C Over: ; CODE XREF:
Decrypt_Code+66Cj
seg008:005DB06C ;
Decrypt_Code+C99j ...
seg008:005DB06C mov edi , [ebp +var_CodeBase]
seg008:005DB072 add edi , 1351h
seg008:005DB078 lea esi , [ebp +var_ReSetEvent]
seg008:005DB07E mov ecx , 30h
seg008:005DB083
seg008:005DB083 loc_5DB083: ; CODE XREF:
Decrypt_Code+ECDj
seg008:005DB083 std
seg008:005DB084 lodsd
seg008:005DB085 cld
seg008:005DB086 stosd
seg008:005DB087 loop loc_5DB083
seg008:005DB089 call GetCodeBase
seg008:005DB08E mov edx , eax
seg008:005DB090 add eax , 726h
seg008:005DB095 add edx , 1231h
seg008:005DB09B movzx edx , byte ptr [edx +68h]
seg008:005DB09F lea esi , [eax +edx ]
seg008:005DB0A2 mov edi , eax
seg008:005DB0A4 mov ecx , 29Ch
seg008:005DB0A9
seg008:005DB0A9 loc_5DB0A9: ; CODE XREF:
Decrypt_Code+EF3j
seg008:005DB0A9 lodsb
seg008:005DB0AA xor al , [esi ]
seg008:005DB0AC stosb
seg008:005DB0AD loop loc_5DB0A9
seg008:005DB0AF pop edi
seg008:005DB0B0 pop esi
seg008:005DB0B1 mov eax , [ebp +var_CodeBase]
seg008:005DB0B7 int 3 ; Trap to
Debugger
seg008:005DB0B8 nop
seg008:005DB0B9 push 0
seg008:005DB0BB call dword ptr [eax +4] ; ExitProcess
seg008:005DB0BE pop edx
seg008:005DB0BF pop ebx
seg008:005DB0C0 pop edi
seg008:005DB0C1 pop esi
seg008:005DB0C2 leave
seg008:005DB0C3 retn
seg008:005DB0C3 Decrypt_Code endp
seg008:005DB0C3
......
这么长看了晕不晕?晕呀,我也一样哦:-),休息去,下次再继续,嘿嘿!!!!!!!!!!!
各模块清单:
Cstr_PID_ proc near ; CODE XREF:
Decrypt_Code+36Fp
seg008:005DA142 ;
Decrypt_Code+410p
seg008:005DA142
seg008:005DA142 arg_0 = dword ptr 8
seg008:005DA142 arg_4 = dword ptr 0Ch
seg008:005DA142
seg008:005DA142 push ebp
seg008:005DA143 mov ebp , esp
seg008:005DA145 push esi
seg008:005DA146 push ecx
seg008:005DA147 push edi
seg008:005DA148 push edx
seg008:005DA149 mov edi , [ebp +arg_4]
seg008:005DA14C mov edx , [ebp +arg_0]
seg008:005DA14F xor ecx , ecx
seg008:005DA151 rol edx , 4
seg008:005DA154 inc ecx
seg008:005DA155
seg008:005DA155 loc_5DA155: ; CODE XREF:
Cstr_PID_+19j
seg008:005DA155 rol edx , 4
seg008:005DA158 inc ecx
seg008:005DA159 or dl , dl
seg008:005DA15B jz short loc_5DA155
seg008:005DA15D mov al , dl
seg008:005DA15F jmp short loc_5DA16F
seg008:005DA161 ; ------------------------------------------------------------------
----------
seg008:005DA161
seg008:005DA161 loc_5DA161: ; CODE XREF:
Cstr_PID_+30j
seg008:005DA161 and al , 0Fh
seg008:005DA163 cmp al , 0Ah
seg008:005DA165 sbb al , 69h
seg008:005DA167 das
seg008:005DA168 stosb
seg008:005DA169 rol edx , 4
seg008:005DA16C inc ecx
seg008:005DA16D mov al , dl
seg008:005DA16F
seg008:005DA16F loc_5DA16F: ; CODE XREF:
Cstr_PID_+1Dj
seg008:005DA16F cmp ecx , 8
seg008:005DA172 jbe short loc_5DA161
seg008:005DA174 xor al , al
seg008:005DA176 stosb
seg008:005DA177 pop edx
seg008:005DA178 pop edi
seg008:005DA179 pop ecx
seg008:005DA17A pop esi
seg008:005DA17B leave
seg008:005DA17C retn 8
seg008:005DA17C Cstr_PID_ endp
seg008:005DA17C
......
seg008:005DB0F8 ; ************** S U B R O U T I N E
*****************************************
seg008:005DB0F8
seg008:005DB0F8 ; Attributes: bp-based frame
seg008:005DB0F8
seg008:005DB0F8 Write_File proc near ; CODE XREF:
Decrypt_Code+56Ap
seg008:005DB0F8 ;
Decrypt_Code+588p ...
seg008:005DB0F8
seg008:005DB0F8 var_12C = dword ptr -12Ch
seg008:005DB0F8 var_28 = dword ptr -28h
seg008:005DB0F8 var_24 = dword ptr -24h
seg008:005DB0F8 var_1C = dword ptr -1Ch
seg008:005DB0F8 var_18 = dword ptr -18h
seg008:005DB0F8 var_WriteFile = dword ptr -10h
seg008:005DB0F8 var_C = dword ptr -0Ch
seg008:005DB0F8 var_8 = dword ptr -8
seg008:005DB0F8 var_ReadFile = dword ptr -4
seg008:005DB0F8 arg_0 = dword ptr 8
seg008:005DB0F8 arg_4 = dword ptr 0Ch
seg008:005DB0F8 arg_DeCryptSize = dword ptr 10h
seg008:005DB0F8 arg_C = dword ptr 14h
seg008:005DB0F8
seg008:005DB0F8 push ebp
seg008:005DB0F9 mov ebp , esp
seg008:005DB0FB add esp , 0FFFFFED4h
seg008:005DB101 push ebx
seg008:005DB102 push esi
seg008:005DB103 push edi
seg008:005DB104 lea edi , [ebp +var_24]
seg008:005DB107 mov esi , [ebp +arg_0]
seg008:005DB10A mov ecx , 9
seg008:005DB10F rep movsd
seg008:005DB111 lea ebx , [ebp +var_12C]
seg008:005DB117 cmp [ebp +arg_4], 0
seg008:005DB11B jz short loc_5DB120
seg008:005DB11D mov ebx , [ebp +arg_4]
seg008:005DB120
seg008:005DB120 loc_5DB120: ; CODE XREF:
Write_File+23j
seg008:005DB120 lea esi , [ebp +var_28]
seg008:005DB123 call GetCodeBase
seg008:005DB128 add eax , 96h
seg008:005DB12D mov edi , eax
seg008:005DB12F mov eax , [ebp +arg_C]
seg008:005DB132 shld ecx , eax , 18h
seg008:005DB136 test ecx , 1
seg008:005DB13C jz short loc_5DB150
seg008:005DB13E mov ecx , [ebp +var_ReadFile]
seg008:005DB141 xchg ecx , [ebp +var_WriteFile]
seg008:005DB144 mov [ebp +var_ReadFile], ecx
seg008:005DB147 mov ecx , [ebp +var_18]
seg008:005DB14A xchg ecx , [ebp +var_1C]
seg008:005DB14D mov [ebp +var_18], ecx
seg008:005DB150
seg008:005DB150 loc_5DB150: ; CODE XREF:
Write_File+44j
seg008:005DB150 test al , 1
seg008:005DB152 jnz short loc_5DB16C
seg008:005DB154 push 0
seg008:005DB156 push esi
seg008:005DB157 push [ebp +arg_DeCryptSize]
seg008:005DB15A push ebx
seg008:005DB15B push [ebp +var_18]
seg008:005DB15E call [ebp +var_ReadFile]
seg008:005DB161 test eax , eax
seg008:005DB163 jz short _ReadFail
seg008:005DB165 mov eax , [ebp +arg_DeCryptSize]
seg008:005DB168 cmp [esi ], eax ; [esi]和eax保
存着解密代码大小
seg008:005DB16A jnz short _ReadFail
seg008:005DB16C
seg008:005DB16C loc_5DB16C: ; CODE XREF:
Write_File+5Aj
seg008:005DB16C push edi
seg008:005DB16D call [ebp +var_8]
seg008:005DB170 mov eax , [ebp +arg_C]
seg008:005DB173 rol eax , 1
seg008:005DB175 test al , 1
seg008:005DB177 jz short loc_5DB184
seg008:005DB179 mov ecx , [esi ]
seg008:005DB17B rol eax , 0Bh
seg008:005DB17E
seg008:005DB17E loc_5DB17E: ; CODE XREF:
Write_File+8Aj
seg008:005DB17E xor [ecx +ebx -1], al
seg008:005DB182 loop loc_5DB17E
seg008:005DB184
seg008:005DB184 loc_5DB184: ; CODE XREF:
Write_File+7Fj
seg008:005DB184 push edi
seg008:005DB185 call [ebp +var_C]
seg008:005DB188 mov eax , [ebp +arg_C]
seg008:005DB18B test eax , 3
seg008:005DB190 jz short _ReadFail
seg008:005DB192 push 0
seg008:005DB194 push esi
seg008:005DB195 push [ebp +arg_DeCryptSize]
seg008:005DB198 lea ecx , [ebp +var_12C]
seg008:005DB19E cmp [ebp +arg_4], 0
seg008:005DB1A2 jz short loc_5DB1A7
seg008:005DB1A4 mov ecx , [ebp +arg_4]
seg008:005DB1A7
seg008:005DB1A7 loc_5DB1A7: ; CODE XREF:
Write_File+AAj
seg008:005DB1A7 push ecx
seg008:005DB1A8 push [ebp +var_1C]
seg008:005DB1AB call [ebp +var_WriteFile]
seg008:005DB1AE
seg008:005DB1AE _ReadFail: ; CODE XREF:
Write_File+6Bj
seg008:005DB1AE ;
Write_File+72j ...
seg008:005DB1AE pop edi
seg008:005DB1AF pop esi
seg008:005DB1B0 pop ebx
seg008:005DB1B1 leave
seg008:005DB1B2 retn 10h
seg008:005DB1B2 Write_File endp
seg008:005DB1B2
......
seg008:005DB1B5 ; ************** S U B R O U T I N E
*****************************************
seg008:005DB1B5
seg008:005DB1B5 ; Attributes: bp-based frame
seg008:005DB1B5
seg008:005DB1B5 ; int __stdcall Get_Privileges(int GetCurrentProc,int
OpenProcessToke,int LookupPrivilegeValueA,int AdjustTokenPrivileges ,int CloseHandle )
seg008:005DB1B5 Get_Privileges proc near ; CODE XREF:
Decrypt_Code+62Ap
seg008:005DB1B5
seg008:005DB1B5 var_handle = dword ptr -34h
seg008:005DB1B5 var_pLocalId = dword ptr -24h
seg008:005DB1B5 var_1C = dword ptr -1Ch
seg008:005DB1B5 var_18 = dword ptr -18h
seg008:005DB1B5 var_14 = dword ptr -14h
seg008:005DB1B5 var_10 = dword ptr -10h
seg008:005DB1B5 var_C = dword ptr -0Ch
seg008:005DB1B5 var_8 = dword ptr -8
seg008:005DB1B5 var_4 = dword ptr -4
seg008:005DB1B5 GetCurrentProc = dword ptr 8
seg008:005DB1B5 OpenProcessToke = dword ptr 0Ch
seg008:005DB1B5 LookupPrivilegeValueA= dword ptr 10h
seg008:005DB1B5 AdjustTokenPrivileges = dword ptr 14h
seg008:005DB1B5 CloseHandle = dword ptr 18h
seg008:005DB1B5
seg008:005DB1B5 push ebp
seg008:005DB1B6 mov ebp , esp
seg008:005DB1B8 sub esp , 1Ch
seg008:005DB1BB lea eax , [esp +1Ch+var_1C]
seg008:005DB1BE push esi
seg008:005DB1BF push eax
seg008:005DB1C0 push 28h
seg008:005DB1C2 xor esi , esi
seg008:005DB1C4 call [ebp +GetCurrentProc]
seg008:005DB1C7 push eax
seg008:005DB1C8 call [ebp +OpenProcessToke]
seg008:005DB1CB test eax , eax
seg008:005DB1CD jnz short loc_5DB1D1
seg008:005DB1CF jmp short loc_5DB236
seg008:005DB1D1 ; ------------------------------------------------------------------
----------
seg008:005DB1D1
seg008:005DB1D1 loc_5DB1D1: ; CODE XREF:
Get_Privileges+18j
seg008:005DB1D1 lea ecx , [esp +2Ch+var_pLocalId]
seg008:005DB1D5 push ecx
seg008:005DB1D6 call loc_5DB1EC
seg008:005DB1D6 ; ------------------------------------------------------------------
----------
seg008:005DB1DB aSedebugprivile db 'SeDebugPrivilege' ,0
seg008:005DB1EC ; ------------------------------------------------------------------
----------
seg008:005DB1EC
seg008:005DB1EC loc_5DB1EC: ; CODE XREF:
Get_Privileges+21p
seg008:005DB1EC push 0
seg008:005DB1EE call [ebp +LookupPrivilegeValueA]
seg008:005DB1F1 test eax , eax
seg008:005DB1F3 jz short loc_5DB22C
seg008:005DB1F5 mov edx , [esp +20h+var_18]
seg008:005DB1F9 mov eax , [esp +20h+var_14]
seg008:005DB1FD push 0
seg008:005DB1FF push 0
seg008:005DB201 lea ecx , [esp +28h+var_10]
seg008:005DB205 mov [esp +28h+var_C], edx
seg008:005DB209 mov edx , [esp +28h+var_1C]
seg008:005DB20D push 10h
seg008:005DB20F push ecx
seg008:005DB210 push 0
seg008:005DB212 push edx
seg008:005DB213 mov [esp +38h+var_10], 1
seg008:005DB21B mov [esp +38h+var_4], 2
seg008:005DB223 mov [esp +38h+var_8], eax
seg008:005DB227 call [ebp +AdjustTokenPrivileges ]
seg008:005DB22A mov esi , eax
seg008:005DB22C
seg008:005DB22C loc_5DB22C: ; CODE XREF:
Get_Privileges+3Ej
seg008:005DB22C mov eax , [esp +38h+var_handle]
seg008:005DB230 push eax
seg008:005DB231 call [ebp +CloseHandle ]
seg008:005DB234 mov eax , esi
seg008:005DB236
seg008:005DB236 loc_5DB236: ; CODE XREF:
Get_Privileges+1Aj
seg008:005DB236 pop esi
seg008:005DB237 add esp , 1Ch
seg008:005DB23A leave
seg008:005DB23B retn 14h
seg008:005DB23B Get_Privileges endp
seg008:005DB23B
seg008:005DB23E ; ------------------------------------------------------------------
----------
......
seg008:005DB0C4 ; ************** S U B R O U T I N E
*****************************************
seg008:005DB0C4
seg008:005DB0C4 ; Attributes: bp-based frame
seg008:005DB0C4
seg008:005DB0C4 Getjmpaddress proc near ; CODE XREF:
Decrypt_Code+8D7p
seg008:005DB0C4 ;
Decrypt_Code+9CDp ...
seg008:005DB0C4
seg008:005DB0C4 arg_4 = dword ptr 0Ch
seg008:005DB0C4
seg008:005DB0C4 push ebp
seg008:005DB0C5 mov ebp , esp
seg008:005DB0C7 shr ecx , 2
seg008:005DB0CA repne scasd
seg008:005DB0CC jnz short loc_5DB0F2
seg008:005DB0CE mov ecx , [edi ] ; 关键表1
seg008:005DB0D0 sub ecx , 8
seg008:005DB0D3 add edi , 4
seg008:005DB0D6 shr ecx , 1
seg008:005DB0D8 mov eax , edx
seg008:005DB0DA and eax , 0FFFh
seg008:005DB0DF repne scasw
seg008:005DB0E2 jnz short loc_5DB0F2
seg008:005DB0E4 xor eax , eax
seg008:005DB0E6 mov ax , [edi ]
seg008:005DB0E9 add eax , [ebp +arg_4] ; 关键表2
seg008:005DB0EC mov eax , [eax ]
seg008:005DB0EE leave
seg008:005DB0EF retn 8
seg008:005DB0F2 ; ------------------------------------------------------------------
----------
......
seg008:005DA17F ; ************** S U B R O U T I N E
*****************************************
seg008:005DA17F
seg008:005DA17F ; Attributes: bp-based frame
seg008:005DA17F
seg008:005DA17F WritePresentMem proc near ; CODE XREF:
Decrypt_Code+8F7p
seg008:005DA17F ;
Decrypt_Code+9F1p ...
seg008:005DA17F
seg008:005DA17F var_10 = dword ptr -10h
seg008:005DA17F var_4 = dword ptr -4
seg008:005DA17F arg_WriteProcessMem= dword ptr 8
seg008:005DA17F arg_4 = dword ptr 0Ch
seg008:005DA17F arg_8 = dword ptr 10h
seg008:005DA17F arg_C = dword ptr 14h
seg008:005DA17F
seg008:005DA17F push ebp
seg008:005DA180 mov ebp , esp
seg008:005DA182 add esp , 0FFFFFFF0h
seg008:005DA185 push esi
seg008:005DA186 push edi
seg008:005DA187 push ebx
seg008:005DA188 push edx
seg008:005DA189 lea edi , [ebp +var_10]
seg008:005DA18C mov [edi ], al
seg008:005DA18E mov eax , [ebp +arg_8]
seg008:005DA191 sub eax , [ebp +arg_C]
seg008:005DA194 sub eax , 5
seg008:005DA197 mov [edi +1], eax
seg008:005DA19A mov [ebp +var_4], 5
seg008:005DA1A1 lea eax , [ebp +var_4]
seg008:005DA1A4 push eax
seg008:005DA1A5 push [ebp +var_4]
seg008:005DA1A8 push edi
seg008:005DA1A9 push [ebp +arg_C]
seg008:005DA1AC push [ebp +arg_4]
seg008:005DA1AF call [ebp +arg_WriteProcessMem]
seg008:005DA1B2 pop edx
seg008:005DA1B3 pop ebx
seg008:005DA1B4 pop edi
seg008:005DA1B5 pop esi
seg008:005DA1B6 leave
seg008:005DA1B7 retn 10h
seg008:005DA1B7 WritePresentMem endp
seg008:005DA1B7
......
g008:005D99D4 ; ************** S U B R O U T I N E
*****************************************
seg008:005D99D4
seg008:005D99D4 ; Attributes: bp-based frame
seg008:005D99D4
seg008:005D99D4 GETAPIADDR proc near ; CODE XREF:
seg008:005D96E1p
seg008:005D99D4
seg008:005D99D4 var_130 = dword ptr -130h
seg008:005D99D4 var_128 = dword ptr -128h
seg008:005D99D4 var_GetProcAddresVA= dword ptr -118h
seg008:005D99D4 var_GetProcAddressRVA= dword ptr -114h
seg008:005D99D4 var_KerBASE = dword ptr -108h
seg008:005D99D4 var_CodeBase = dword ptr -104h
seg008:005D99D4 arg_0 = dword ptr 8
seg008:005D99D4
seg008:005D99D4 push ebp
seg008:005D99D5 mov ebp , esp
seg008:005D99D7 add esp , 0FFFFFEE8h
seg008:005D99DD push esi
seg008:005D99DE push edi
seg008:005D99DF call GetCodeBase ; 获取段的起始
地址
seg008:005D99E4 mov [ebp +var_CodeBase], eax
seg008:005D99EA mov al , 2Ch
seg008:005D99EC mov [ebp +var_GetProcAddressRVA], eax
seg008:005D99F2 mov esi , eax
seg008:005D99F4 lodsd
seg008:005D99F5 mov [ebp +var_GetProcAddresVA], eax
seg008:005D99FB xor ax , ax
seg008:005D99FE mov dx , 'ZM' ; 准备定
位KERBASE
seg008:005D9A02 jmp short @1
seg008:005D9A04 ; ------------------------------------------------------------------
----------
seg008:005D9A04
seg008:005D9A04 @B: ; CODE XREF:
GETAPIADDR+37j
seg008:005D9A04 dec eax
seg008:005D9A05 xor ax , ax
seg008:005D9A08
seg008:005D9A08 @1: ; CODE XREF:
GETAPIADDR+2Ej
seg008:005D9A08 cmp [eax ], dx
seg008:005D9A0B jnz short @B ; 循环的方式获
取DOS HEADER
seg008:005D9A0D mov edi , [ebp +var_CodeBase]
seg008:005D9A13 add edi , 62h
seg008:005D9A19 stosd
seg008:005D9A1A mov [ebp +var_KerBASE], eax ; 保
存kernel32.dll的句柄
seg008:005D9A20 call @2 ; Kernel base
seg008:005D9A20 ; ------------------------------------------------------------------
----------
seg008:005D9A25 aExitprocess db 'ExitProcess' ,0
seg008:005D9A31 ; ------------------------------------------------------------------
----------
seg008:005D9A31
seg008:005D9A31 @2: ; CODE XREF:
GETAPIADDR+4Cp
seg008:005D9A31 push eax ; Kernel base
seg008:005D9A32 call [ebp +var_GetProcAddresVA]
seg008:005D9A38 mov edx , [ebp +var_CodeBase]
seg008:005D9A3E mov [edx +4], eax
seg008:005D9A41 call @3
seg008:005D9A41 ; ------------------------------------------------------------------
----------
seg008:005D9A46 aUnhandledexceptionfi db 'UnhandledExceptionFilter' ,0
seg008:005D9A5F ; ------------------------------------------------------------------
----------
seg008:005D9A5F
seg008:005D9A5F @3: ; CODE XREF:
GETAPIADDR+6Dp
seg008:005D9A5F push [ebp +var_KerBASE]
seg008:005D9A65 call [ebp +var_GetProcAddresVA]
seg008:005D9A6B rol eax , 2
seg008:005D9A6E push eax
seg008:005D9A6F mov eax , [ebp +var_CodeBase]
seg008:005D9A75 add eax , 0BDh
seg008:005D9A7A pop dword ptr [eax ]
seg008:005D9A7C call @4
seg008:005D9A7C ; ------------------------------------------------------------------
----------
seg008:005D9A81 aVirtualalloc db 'VirtualAlloc' ,0
seg008:005D9A8E ; ------------------------------------------------------------------
----------
seg008:005D9A8E
seg008:005D9A8E @4: ; CODE XREF:
GETAPIADDR+A8p
seg008:005D9A8E push [ebp +var_KerBASE]
seg008:005D9A94 call [ebp +var_GetProcAddresVA]
seg008:005D9A9A
seg008:005D9A9A @5:
seg008:005D9A9A or eax , eax
seg008:005D9A9C jz short Exit_Proc
seg008:005D9A9E push eax
seg008:005D9A9F sub esi , 4
seg008:005D9AA2 mov edi , esi
seg008:005D9AA4 lodsd
seg008:005D9AA5 xchg eax , [esp +128h+var_128]
seg008:005D9AA8 stosd
seg008:005D9AA9 pop eax
seg008:005D9AAA sub edi , 0Ch
seg008:005D9AAD stosd
seg008:005D9AAE mov eax , 0BA1h
seg008:005D9AB3
seg008:005D9AB3 @6:
seg008:005D9AB3 add eax , [ebp +var_CodeBase]
seg008:005D9AB9 push eax
seg008:005D9ABA call @7
seg008:005D9ABA ; ------------------------------------------------------------------
----------
seg008:005D9ABF aSetunhandledexceptio db 'SetUnhandledExceptionFilter' ,0
seg008:005D9ADB ; ------------------------------------------------------------------
----------
seg008:005D9ADB
seg008:005D9ADB @7: ; CODE XREF:
GETAPIADDR+E6p
seg008:005D9ADB push [ebp +var_KerBASE]
seg008:005D9AE1 call [ebp +var_GetProcAddresVA]
seg008:005D9AE7 mov edx , [ebp +var_CodeBase]
seg008:005D9AED add edx , 86h
seg008:005D9AF3 mov [edx ], eax
seg008:005D9AF5 call eax
seg008:005D9AF7 push eax
seg008:005D9AF8 push [ebp +var_CodeBase]
seg008:005D9AFE add [esp +130h+var_130], 8Ah
seg008:005D9B05 pop eax
seg008:005D9B06 pop dword ptr [eax ]
seg008:005D9B08 jmp short ok_way
seg008:005D9B0A ; ------------------------------------------------------------------
----------
seg008:005D9B0A
seg008:005D9B0A Exit_Proc: ; CODE XREF:
GETAPIADDR+C8j
seg008:005D9B0A mov eax , [ebp +var_CodeBase]
seg008:005D9B10 push 0FFFFFFFFh
seg008:005D9B12 call dword ptr [eax +4]
seg008:005D9B15
seg008:005D9B15 ok_way: ; CODE XREF:
GETAPIADDR+134j
seg008:005D9B15 mov edx , [ebp +arg_0]
seg008:005D9B18 pop edi
seg008:005D9B19 pop esi
seg008:005D9B1A leave
seg008:005D9B1B retn 4
seg008:005D9B1B GETAPIADDR endp
seg008:005D9B1B
seg008:005D9B1E ; ------------------------------------------------------------------
---------- g008:005D99C2 ; ************** S U B R O U T I N E
*****************************************
seg008:005D99C2
seg008:005D99C2 ; Attributes: bp-based frame
seg008:005D99C2
seg008:005D99C2 UnPackCode_5D96EE proc near ; CODE XREF:
DeCode+2D8p
seg008:005D99C2 push ebp
seg008:005D99C3 mov ebp , esp
seg008:005D99C5 mov eax , [ebp +8]
seg008:005D99C8
seg008:005D99C8 loc_5D99C8: ; CODE XREF:
UnPackCode_5D96EE+Cj
seg008:005D99C8 sub [eax +ecx -1], dl
seg008:005D99CC rol edx , cl
seg008:005D99CE loop loc_5D99C8
seg008:005D99D0 leave
seg008:005D99D1 retn 4
seg008:005D99D1 UnPackCode_5D96EE endp
seg008:005D99D1; -------------------------------------------------------------------
--------- g008:005DB23E ; ************** S U B R O U T I N E
*****************************************
seg008:005DB23E
seg008:005DB23E ; Attributes: bp-based frame
seg008:005DB23E
seg008:005DB23E DeCode proc near ; CODE XREF:
seg008:005D96E9p
seg008:005DB23E
seg008:005DB23E var_1994 = dword ptr -1994h
seg008:005DB23E var_1988 = dword ptr -1988h
seg008:005DB23E var_1984 = dword ptr -1984h
seg008:005DB23E var_1980 = dword ptr -1980h
seg008:005DB23E var_1978 = dword ptr -1978h
seg008:005DB23E var_1974 = dword ptr -1974h
seg008:005DB23E var_hMem1 = dword ptr -1970h
seg008:005DB23E _ZwSetInfoThread= dword ptr -11A0h
seg008:005DB23E _ZwQueryInfoThread= dword ptr -119Ch
seg008:005DB23E var_CloseHandle = dword ptr -1198h
seg008:005DB23E var_OpenProcess = dword ptr -1194h
seg008:005DB23E var_GlobalFree = dword ptr -1190h
seg008:005DB23E var_GlobalAlloc = dword ptr -118Ch
seg008:005DB23E var_CodeBase = dword ptr -1188h
seg008:005DB23E var_1184 = dword ptr -1184h
seg008:005DB23E var_1174 = dword ptr -1174h
seg008:005DB23E var_1154 = dword ptr -1154h
seg008:005DB23E var_1150 = dword ptr -1150h
seg008:005DB23E var_1148 = dword ptr -1148h
seg008:005DB23E var_1140 = dword ptr -1140h
seg008:005DB23E var_113C = dword ptr -113Ch
seg008:005DB23E var_112C = dword ptr -112Ch
seg008:005DB23E var_28 = dword ptr -28h
seg008:005DB23E var_24 = dword ptr -24h
seg008:005DB23E var_20 = dword ptr -20h
seg008:005DB23E var_1C = dword ptr -1Ch
seg008:005DB23E _ZwQueryObject = dword ptr -18h
seg008:005DB23E _ZwDupObject = dword ptr -14h
seg008:005DB23E _ZwQueryInfoProc= dword ptr -10h
seg008:005DB23E _ZwQuerysysInfo = dword ptr -0Ch
seg008:005DB23E var_NTdllHandle = dword ptr -8
seg008:005DB23E var_hMem = dword ptr -4
seg008:005DB23E arg_PID = dword ptr 8
seg008:005DB23E arg_PeHeaderCValue= dword ptr 0Ch
seg008:005DB23E
seg008:005DB23E push ebp
seg008:005DB23F mov ebp , esp
seg008:005DB241 add esp , 0FFFFEE60h
seg008:005DB247 push esi
seg008:005DB248 push edi
seg008:005DB249 push ebx
seg008:005DB24A xor eax , eax
seg008:005DB24C
seg008:005DB24C loc_5DB24C: ; CODE XREF:
seg008:005DB1E3j
seg008:005DB24C ;
seg008:005DB1E5j
seg008:005DB24C mov [ebp +var_1150], eax
seg008:005DB252 mov [ebp +var_113C], eax
seg008:005DB258 call GetCodeBase
seg008:005DB25D mov esi , eax
seg008:005DB25F mov [ebp +var_CodeBase], eax
seg008:005DB265 add eax , 62h
seg008:005DB26A call loc_5DB27A
seg008:005DB26A ; ------------------------------------------------------------------
----------
seg008:005DB26F aGlobalfree db 'GlobalFree' ,0
seg008:005DB27A ; ------------------------------------------------------------------
----------
seg008:005DB27A
seg008:005DB27A loc_5DB27A: ; CODE XREF:
DeCode+2Cp
seg008:005DB27A push dword ptr [eax ]
seg008:005DB27C call loc_5DB28D
seg008:005DB27C ; ------------------------------------------------------------------
----------
seg008:005DB281 aClosehandle db 'CloseHandle' ,0
seg008:005DB28D ; ------------------------------------------------------------------
----------
seg008:005DB28D
seg008:005DB28D loc_5DB28D: ; CODE XREF:
DeCode+3Ep
seg008:005DB28D push dword ptr [eax ]
seg008:005DB28F call loc_5DB2A0
seg008:005DB28F ; ------------------------------------------------------------------
----------
seg008:005DB294 aOpenprocess db 'OpenProcess' ,0
seg008:005DB2A0 ; ------------------------------------------------------------------
----------
seg008:005DB2A0
seg008:005DB2A0 loc_5DB2A0: ; CODE XREF:
DeCode+51p
seg008:005DB2A0 push dword ptr [eax ]
seg008:005DB2A2 call loc_5DB2B3
seg008:005DB2A2 ; ------------------------------------------------------------------
----------
seg008:005DB2A7 aGlobalalloc db 'GlobalAlloc' ,0
seg008:005DB2B3 ; ------------------------------------------------------------------
----------
seg008:005DB2B3
seg008:005DB2B3 loc_5DB2B3: ; CODE XREF:
DeCode+64p
seg008:005DB2B3 push dword ptr [eax ]
seg008:005DB2B5 call loc_5DB2CE
seg008:005DB2B5 ; ------------------------------------------------------------------
----------
seg008:005DB2BA aGetcurrentprocessid db 'GetCurrentProcessId' ,0
seg008:005DB2CE ; ------------------------------------------------------------------
----------
seg008:005DB2CE
seg008:005DB2CE loc_5DB2CE: ; CODE XREF:
DeCode+77p
seg008:005DB2CE push dword ptr [eax ]
seg008:005DB2D0 mov edx , large fs :18h ; 准备检测调试
器?
seg008:005DB2D7 mov edx , [edx +30h]
seg008:005DB2DA mov [eax -4], edx
seg008:005DB2DD mov eax , [ebp +var_CodeBase]
seg008:005DB2E3 movzx edi , byte ptr [eax ]
seg008:005DB2E6 call dword ptr [edi +esi -4] ; 获
取GetCurrentProcessId的实际地址
seg008:005DB2EA call eax ; GetCurrentProcessID
seg008:005DB2EC mov [ebp +arg_PID], eax
seg008:005DB2EF call dword ptr [edi +esi -4] ; 获
取GlobalAlloc地址
seg008:005DB2F3 mov [ebp +var_GlobalAlloc], eax
seg008:005DB2F9 call dword ptr [edi +esi -4] ; GetProcAddress
seg008:005DB2FD mov [ebp +var_OpenProcess], eax
seg008:005DB303 call dword ptr [edi +esi -4] ; GetProcAddress
seg008:005DB307 mov [ebp +var_CloseHandle], eax
seg008:005DB30D call dword ptr [edi +esi -4] ; GetProcAddress
seg008:005DB311 mov [ebp +var_GlobalFree], eax
seg008:005DB317 call loc_5DB326 ; LoadLibraryA
载入Ntdll.dll
seg008:005DB317 ; ------------------------------------------------------------------
----------
seg008:005DB31C aNtdll_dll db 'ntdll.dll' ,0
seg008:005DB326 ; ------------------------------------------------------------------
----------
seg008:005DB326
seg008:005DB326 loc_5DB326: ; CODE XREF:
DeCode+D9p
seg008:005DB326 call dword ptr [edi +esi ] ; LoadLibraryA
载入Ntdll.dll
seg008:005DB329 test eax , eax
seg008:005DB32B jz Over ; 如果载入失败
不处理WinNt函数,这里不能跳
seg008:005DB32B ; 跳了就over了
,不知道这样算不算壳不能在
seg008:005DB32B ; Win9X下运行
呢
seg008:005DB331 mov [ebp +var_NTdllHandle], eax ; 保
存NTDLL.dll的句柄
seg008:005DB334 call loc_5DB352
seg008:005DB334 ; ------------------------------------------------------------------
----------
seg008:005DB339 aZwquerysysteminforma db 'ZwQuerySystemInformation' ,0
seg008:005DB352 ; ------------------------------------------------------------------
----------
seg008:005DB352
seg008:005DB352 loc_5DB352: ; CODE XREF:
DeCode+F6p
seg008:005DB352 push [ebp +var_NTdllHandle]
seg008:005DB355 call dword ptr [edi +esi -4] ; 获取Nt函数中
的地址了
seg008:005DB359 test eax , eax ; 如果获取失败
则over
seg008:005DB35B jz Over
seg008:005DB361 mov [ebp +_ZwQuerysysInfo], eax
seg008:005DB364 rol eax , 2
seg008:005DB367 push eax
seg008:005DB368 call GetCodeBase
seg008:005DB36D add eax , 72h
seg008:005DB372 pop dword ptr [eax ] ; ROL
_ZwQuerysysInfo,2的值,不明白
这里ZwQuerySystemInformation起了什么作用
seg008:005DB372 ; 保存
在[CODEBASE+72H]=[005D9072]处
seg008:005DB374 add eax , 4
seg008:005DB377 push eax
seg008:005DB378 call loc_5DB394
seg008:005DB378 ; ------------------------------------------------------------------
----------
seg008:005DB37D aZwsetinformationthre db 'ZwSetInformationThread' ,0
seg008:005DB394 ; ------------------------------------------------------------------
----------
seg008:005DB394
seg008:005DB394 loc_5DB394: ; CODE XREF:
DeCode+13Ap
seg008:005DB394 push [ebp +var_NTdllHandle]
seg008:005DB397 call dword ptr [edi +esi -4] ; 获
取ZwSetInformationThread的地址
seg008:005DB39B test eax , eax
seg008:005DB39D jz Over
seg008:005DB3A3 mov [ebp +_ZwSetInfoThread], eax
seg008:005DB3A9 rol eax , 2
seg008:005DB3AC xchg eax , [esp +118Ch+var_GlobalAlloc]
seg008:005DB3AF pop dword ptr [eax ] ; 保存加密后的
地址
seg008:005DB3B1 add eax , 4
seg008:005DB3B4 push eax
seg008:005DB3B5 call loc_5DB3D3
seg008:005DB3B5 ; ------------------------------------------------------------------
----------
seg008:005DB3BA aZwqueryinformationth db 'ZwQueryInformationThread' ,0
seg008:005DB3D3 ; ------------------------------------------------------------------
----------
seg008:005DB3D3
seg008:005DB3D3 loc_5DB3D3: ; CODE XREF:
DeCode+177p
seg008:005DB3D3 push [ebp +var_NTdllHandle]
seg008:005DB3D6 call dword ptr [edi +esi -4] ; GetProcAddress
seg008:005DB3DA test eax , eax
seg008:005DB3DC jz Over
seg008:005DB3E2 mov [ebp +_ZwQueryInfoThread], eax
seg008:005DB3E8 rol eax , 2
seg008:005DB3EB xchg eax , [esp +1188h+var_CodeBase]
seg008:005DB3EE pop dword ptr [eax ]
seg008:005DB3F0 call loc_5DB40F
seg008:005DB3F0 ; ------------------------------------------------------------------
----------
seg008:005DB3F5 aZwqueryinformationpr db 'ZwQueryInformationProcess' ,0
seg008:005DB40F ; ------------------------------------------------------------------
----------
seg008:005DB40F
seg008:005DB40F loc_5DB40F: ; CODE XREF:
DeCode+1B2p
seg008:005DB40F push [ebp +var_NTdllHandle]
seg008:005DB412 call dword ptr [edi +esi -4]
seg008:005DB416 test eax , eax
seg008:005DB418 jz Over
seg008:005DB41E mov [ebp +_ZwQueryInfoProc], eax
seg008:005DB421 call loc_5DB438
seg008:005DB421 ; ------------------------------------------------------------------
----------
seg008:005DB426 aZwduplicateobject db 'ZwDuplicateObject' ,0
seg008:005DB438 ; ------------------------------------------------------------------
----------
seg008:005DB438
seg008:005DB438 loc_5DB438: ; CODE XREF:
DeCode+1E3p
seg008:005DB438 push [ebp +var_NTdllHandle]
seg008:005DB43B call dword ptr [edi +esi -4]
seg008:005DB43F test eax , eax
seg008:005DB441 mov [ebp +_ZwDupObject], eax ; 这里和前面的
有点不同,先保存后判断
seg008:005DB444 jz Over
seg008:005DB44A call loc_5DB45D
seg008:005DB44A ; ------------------------------------------------------------------
----------
seg008:005DB44F aZwqueryobject db 'ZwQueryObject' ,0
seg008:005DB45D ; ------------------------------------------------------------------
----------
seg008:005DB45D
seg008:005DB45D loc_5DB45D: ; CODE XREF:
DeCode+20Cp
seg008:005DB45D push [ebp +var_NTdllHandle]
seg008:005DB460 call dword ptr [edi +esi -4] ; GetProcAddress
seg008:005DB464 test eax , eax
seg008:005DB466 mov [ebp +_ZwQueryObject], eax
seg008:005DB469 jz Over
seg008:005DB46F push esi
seg008:005DB470 push edi
seg008:005DB471 mov eax , [ebp +var_CodeBase]
seg008:005DB477 add eax , 5Eh
seg008:005DB47C mov edx , [eax ]
seg008:005DB47E mov al , [edx +2] ; 果然没错检测
ring3级调试器
seg008:005DB481 test al , al
seg008:005DB483 jnz loc_5DB521
seg008:005DB489 mov eax , [ebp +var_CodeBase]
seg008:005DB48F add eax , 0BDh
seg008:005DB494 mov edi , [eax ]
seg008:005DB496 mov ax , 15FFh
seg008:005DB49A ror edi , 2
seg008:005DB49D add edi , 10h
seg008:005DB4A0 mov ecx , 100h
seg008:005DB4A5 jmp short loc_5DB51D
seg008:005DB4A7 ; ------------------------------------------------------------------
----------
seg008:005DB4A7
seg008:005DB4A7 loc_5DB4A7: ; CODE XREF:
DeCode+2E1j
seg008:005DB4A7 repne scasb
seg008:005DB4A9 cmp [edi ], ah
seg008:005DB4AB jnz short loc_5DB51D
seg008:005DB4AD mov edx , [edi +1]
seg008:005DB4B0 mov edx , [edx ]
seg008:005DB4B2 cmp edx , [ebp +_ZwQueryInfoProc]
seg008:005DB4B5 jnz short loc_5DB51D
seg008:005DB4B7 cmp byte ptr [edi +7], 0Fh
seg008:005DB4BB jnz short loc_5DB4C8
seg008:005DB4BD cmp byte ptr [edi +0Dh], 39h
seg008:005DB4C1 jnz short loc_5DB4C8
seg008:005DB4C3 add edi , 0Eh
seg008:005DB4C6 jmp short loc_5DB4DD
seg008:005DB4C8 ; ------------------------------------------------------------------
----------
seg008:005DB4C8
seg008:005DB4C8 loc_5DB4C8: ; CODE XREF:
DeCode+27Dj
seg008:005DB4C8 ; DeCode+283j
seg008:005DB4C8 cmp byte ptr [edi +7], 7Fh
seg008:005DB4CC jbe short loc_5DB4D4
seg008:005DB4CE
seg008:005DB4CE loc_5DB4CE:
seg008:005DB4CE cmp byte ptr [edi +7], 70h
seg008:005DB4D2 jb short loc_5DB4DD
seg008:005DB4D4
seg008:005DB4D4 loc_5DB4D4: ; CODE XREF:
DeCode+28Ej
seg008:005DB4D4 cmp byte ptr [edi +9], 39h
seg008:005DB4D8 jnz short loc_5DB4DD
seg008:005DB4DA add edi , 0Ah
seg008:005DB4DD
seg008:005DB4DD loc_5DB4DD: ; CODE XREF:
DeCode+288j
seg008:005DB4DD ; DeCode+294j
...
seg008:005DB4DD cmp byte ptr [edi ], 7Fh
seg008:005DB4E0 jnb short loc_5DB4EA
seg008:005DB4E2 cmp byte ptr [edi +2], 0Fh
seg008:005DB4E6 jnz short loc_5DB4EA
seg008:005DB4E8 jmp short loc_5DB503
seg008:005DB4EA ; ------------------------------------------------------------------
----------
seg008:005DB4EA
seg008:005DB4EA loc_5DB4EA: ; CODE XREF:
DeCode+2A2j
seg008:005DB4EA ; DeCode+2A8j
seg008:005DB4EA cmp byte ptr [edi ], 7Fh
seg008:005DB4ED jbe short loc_5DB4F7
seg008:005DB4EF cmp byte ptr [edi +5], 0Fh
seg008:005DB4F3 jnz short loc_5DB4F7
seg008:005DB4F5 jmp short loc_5DB503
seg008:005DB4F7 ; ------------------------------------------------------------------
----------
seg008:005DB4F7
seg008:005DB4F7 loc_5DB4F7: ; CODE XREF:
DeCode+2AFj
seg008:005DB4F7 ; DeCode+2B5j
seg008:005DB4F7 mov eax , [ebp +var_CodeBase]
seg008:005DB4FD mov [eax +3000h], edi
seg008:005DB503
seg008:005DB503 loc_5DB503: ; CODE XREF:
DeCode+2AAj
seg008:005DB503 ; DeCode+2B7j
seg008:005DB503 call GetCodeBase
seg008:005DB508 add eax , 6EEh
seg008:005DB50D mov edx , [ebp +arg_PeHeaderCValue] ; EDX当Key来进
行解压运算
seg008:005DB510 mov ecx , 2D4h ; 解压大小
seg008:005DB515 push eax ; 解压的起始地
址005D96EE
seg008:005DB516 call UnPackCode_5D96EE ; 解压代码
seg008:005DB51B jmp short loc_5DB521
seg008:005DB51D ; ------------------------------------------------------------------
----------
seg008:005DB51D
seg008:005DB51D loc_5DB51D: ; CODE XREF:
DeCode+267j
seg008:005DB51D ; DeCode+26Dj
...
seg008:005DB51D or eax , eax
seg008:005DB51F jnz short loc_5DB4A7
seg008:005DB521
seg008:005DB521 loc_5DB521: ; CODE XREF:
DeCode+245j
seg008:005DB521 ; DeCode+2DDj
seg008:005DB521 pop edi
seg008:005DB522 pop esi
seg008:005DB523
seg008:005DB523 loc_5DB523: ; CODE XREF:
DeCode+466j
seg008:005DB523 add esp , 0FFFFF800h
seg008:005DB529 mov ebx , 2000h
seg008:005DB52E xor eax , eax
seg008:005DB530 mov [esp +1978h+var_1978], eax
seg008:005DB533
seg008:005DB533 loc_5DB533: ; CODE XREF:
DeCode+34Bj
seg008:005DB533 push ebx
seg008:005DB534 push 0
seg008:005DB536 call [ebp +var_GlobalAlloc]
seg008:005DB53C mov [ebp +var_hMem], eax
seg008:005DB53F mov [esp +1980h+var_hMem1], eax
seg008:005DB543 cmp [esp +1980h+var_hMem1], 0 ; 判断申请空间
是否成功
seg008:005DB548 jz short loc_5DB58B
seg008:005DB54A lea edx , [esp +1980h+var_1974]
seg008:005DB54E push edx
seg008:005DB54F push ebx
seg008:005DB550 mov ecx , [esp +1988h+var_hMem1]
seg008:005DB554 push ecx
seg008:005DB555 push 10h
seg008:005DB557 call [ebp +_ZwQuerysysInfo]
seg008:005DB55A test eax , eax
seg008:005DB55C jz short loc_5DB58B
seg008:005DB55E mov eax , [esp +1990h+var_1980]
seg008:005DB562 push eax
seg008:005DB563 call [ebp +var_GlobalFree]
seg008:005DB569 xor edx , edx
seg008:005DB56B mov [esp +1994h+var_1984], edx
seg008:005DB56F cmp [esp +1994h+var_1988], 0
seg008:005DB574 jnz short loc_5DB57E
seg008:005DB576 mov ecx , ebx
seg008:005DB578 add ecx , ecx
seg008:005DB57A mov ebx , ecx
seg008:005DB57C jmp short loc_5DB582
seg008:005DB57E ; ------------------------------------------------------------------
----------
seg008:005DB57E
seg008:005DB57E loc_5DB57E: ; CODE XREF:
DeCode+336j
seg008:005DB57E mov ebx , [esp +1994h+var_1988]
seg008:005DB582
seg008:005DB582 loc_5DB582: ; CODE XREF:
DeCode+33Ej
seg008:005DB582 inc [esp +1994h+var_1994]
seg008:005DB585 cmp [esp +1994h+var_1994], 0Ah
seg008:005DB589 jl short loc_5DB533
seg008:005DB58B
seg008:005DB58B loc_5DB58B: ; CODE XREF:
DeCode+30Aj
seg008:005DB58B ; DeCode+31Ej
seg008:005DB58B cmp [esp +1994h+var_1984], 0
seg008:005DB590 jnz short loc_5DB599
seg008:005DB592 xor eax , eax
seg008:005DB594 jmp loc_5DB692
seg008:005DB599 ; ------------------------------------------------------------------
----------
seg008:005DB599
seg008:005DB599 loc_5DB599: ; CODE XREF:
DeCode+352j
seg008:005DB599 mov eax , [ebp +var_hMem]
seg008:005DB59C push dword ptr [eax ]
seg008:005DB59E pop [ebp +var_1C]
seg008:005DB5A1 add eax , 4
seg008:005DB5A4 mov [ebp +var_24], eax
seg008:005DB5A7 mov esi , [eax ]
seg008:005DB5A9 mov esi , eax
seg008:005DB5AB xor eax , eax
seg008:005DB5AD mov [ebp +var_20], eax
seg008:005DB5B0 mov eax , [ebp +var_OpenProcess]
seg008:005DB5B6 rol eax , 2
seg008:005DB5B9 mov [ebp +var_1148], eax
seg008:005DB5BF
seg008:005DB5BF loc_5DB5BF: ; CODE XREF:
DeCode+445j
seg008:005DB5BF movzx eax , word ptr [esi +4]
seg008:005DB5C3 cmp eax , 5
seg008:005DB5C6 jnz loc_5DB679
seg008:005DB5CC push dword ptr [esi ]
seg008:005DB5CE push 0
seg008:005DB5D0 push 1F0FFFh
seg008:005DB5D5 call [ebp +var_OpenProcess]
seg008:005DB5DB or eax , eax
seg008:005DB5DD jz loc_5DB679
seg008:005DB5E3 mov [ebp +var_1140], eax
seg008:005DB5E9 xor eax , eax
seg008:005DB5EB mov [ebp +var_28], eax
seg008:005DB5EE push 2
seg008:005DB5F0 push eax
seg008:005DB5F1 push eax
seg008:005DB5F2 lea ecx , [ebp +var_28]
seg008:005DB5F5 push ecx
seg008:005DB5F6 push 0FFFFFFFFh
seg008:005DB5F8 movzx edx , word ptr [esi +6]
seg008:005DB5FC mov [ebp +var_112C], edx
seg008:005DB602 push edx
seg008:005DB603 push [ebp +var_1140]
seg008:005DB609 call [ebp +_ZwDupObject]
seg008:005DB60C cmp [ebp +var_28], 0
seg008:005DB610 jz short loc_5DB66D
seg008:005DB612 lea eax , [ebp +var_1154]
seg008:005DB618 push eax
seg008:005DB619 push 18h
seg008:005DB61B lea eax , [ebp +var_1184]
seg008:005DB621 push eax
seg008:005DB622 push 0
seg008:005DB624 push [ebp +var_28]
seg008:005DB627 call [ebp +_ZwQueryInfoProc]
seg008:005DB62A test eax , eax
seg008:005DB62C or eax , eax
seg008:005DB62E jnz short loc_5DB664
seg008:005DB630 mov eax , [ebp +var_1174]
seg008:005DB636 cmp eax , [ebp +arg_PID]
seg008:005DB639 jnz short loc_5DB664
seg008:005DB63B push dword ptr [esi ]
seg008:005DB63D pop [ebp +var_1150]
seg008:005DB643 call GetCodeBase
seg008:005DB648 push eax
seg008:005DB649 add eax , 0C1h
seg008:005DB64E push [ebp +var_1150]
seg008:005DB654 pop dword ptr [eax ]
seg008:005DB656 pop eax
seg008:005DB657 add eax , 82h
seg008:005DB65C push [ebp +var_1148]
seg008:005DB662 pop dword ptr [eax ]
seg008:005DB664
seg008:005DB664 loc_5DB664: ; CODE XREF:
DeCode+3F0j
seg008:005DB664 ; DeCode+3FBj
seg008:005DB664 push [ebp +var_28]
seg008:005DB667 call [ebp +var_CloseHandle]
seg008:005DB66D
seg008:005DB66D loc_5DB66D: ; CODE XREF:
DeCode+3D2j
seg008:005DB66D push [ebp +var_1140]
seg008:005DB673 call [ebp +var_CloseHandle]
seg008:005DB679
seg008:005DB679 loc_5DB679: ; CODE XREF:
DeCode+388j
seg008:005DB679 ; DeCode+39Fj
seg008:005DB679 add esi , 10h
seg008:005DB67C dec [ebp +var_1C]
seg008:005DB67F cmp [ebp +var_1C], 0
seg008:005DB683 jnz loc_5DB5BF
seg008:005DB689 push [ebp +var_hMem]
seg008:005DB68C call [ebp +var_GlobalFree]
seg008:005DB692
seg008:005DB692 loc_5DB692: ; CODE XREF:
DeCode+356j
seg008:005DB692 add esp , 800h
seg008:005DB698
seg008:005DB698 Over: ; CODE XREF:
DeCode+EDj
seg008:005DB698 ; DeCode+11Dj
...
seg008:005DB698 mov eax , [ebp +var_1150]
seg008:005DB69E cmp eax , [ebp +var_1148]
seg008:005DB6A4 jz loc_5DB523
seg008:005DB6AA xor ecx , ecx
seg008:005DB6AC pop ebx
seg008:005DB6AD pop edi
seg008:005DB6AE pop esi
seg008:005DB6AF leave
seg008:005DB6B0 retn 8
seg008:005DB6B0 DeCode endp
seg008:005DB6B0 ; ------------------------------------------------------------------
----------
.........
sag008:005D90B2 ; ************** S U B R O U T I N E
*****************************************
seg008:005D90B2
seg008:005D90B2
seg008:005D90B2 GetCodeBase proc near ; CODE XREF:
GETAPIADDR+Bp
seg008:005D90B2 ;
seg008:005D9DEFp ...
seg008:005D90B2 call $+5
seg008:005D90B7 pop eax
seg008:005D90B8 and ax , 0F000h
seg008:005D90BC retn
seg008:005D90BC GetCodeBase endp
seg008:005D90BC
seg008:005D90BC ; ------------------------------------------------------------------
---------- -----------------------------------------未完,待继!^_^-----------------------------
-----------------
BTW:做成ubb的就不知道如何设置像html里的:
<a name="label" >label name</a>
在link处 <a href="label" >text</a>
知道的朋友说说:-p
Greetz:
Fly.Jingulong,yock,tDasm.David.hexer,hmimys,ahao.UFO(brother).alan(sister).all of my
friends and you!
By loveboom[DFCG][FCG][US]
http://blog.csdn.net/bmd2chen
Email:loveboom#163.com
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)