SDprotector v1.1加壳的某软件脱壳过程
日期:2005年7月16日 脱壳人:csjwaman[DFCG]
――――――――――――――――――――――――――――――――――――――――――― 【软件名称】:某软件
【下载地址】:本站找
【软件限制】:SDprotector v1.1加壳
【破解声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【操作系统】:WINXP
【脱壳工具】:OD等传统工具
―――――――――――――――――――――――――――――――――――――――――――
【脱壳过程】:
SDprotector v1.1壳,softworm大侠曾写过有关文章。本人认真拜读过。本文就是在softworm大侠文章指引下完成的。在此谢过softworm大侠:)
本软件用PEiD检测显示为Microsoft Visual C++,显然被伪装了。用十六进制工具打开文件,在文件头可以看到如下字符:
000003D0 00 00 00 00 00 00 00 00 00 00 00 00 31 2E 31 00 ............1.1.
000003E0 53 44 50 21 0C 09 FF FF 45 32 1E 7F 9A AA 27 A8 SDP!..?E2.?'
可见是SDP1.1的壳。 一、查找入口
先侦察一下,设置OD忽略所有异常载入程序,F9运行,程序发现调试器。看来程序有反调试手段。下面利用异常来跟踪。跟踪时总的原则:一是多用脚本(这是从softworm处学到的,能省去好多麻烦),因为程序对运行时间检测非常严格;二是不要修改代码(或修改后及时恢复),因为程序有代码完整性检查;三是不要对API下普通断点(硬件断点会被壳删除),因为程序会检查CC。
1、设置OD忽略除INT3中断、单步中断、内存访问异常外的其他所有异常(注意“同时忽略以下定义异常或异常范围”处不能打钩)
2、运行 UnhandleExceptionFilter 插件(每次运行脚本前都须先运行这个插件。原因不赘述,见softworm大侠的相关文章)。
3、写个简单的脚本记录一下程序出现警告提示时的中断和异常次数。
我的脚本(挺烂,但能用就行):
var seh
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
esto
运行脚本直到出现警告提示,查看LOG: 004EF000 ID 00000908 的主要线程已经创建
00400000 模块 C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
固定表格已经被封装或者已经损坏!
77E40000 模块 C:\WINDOWS\system32\kernel32.dll
77F50000 模块 C:\WINDOWS\System32\ntdll.dll
004EF000 程序入口
004EF07A 单步事件位于 Project2.004EF07A
seh = 00000001
004F44FA INT3 命令在 Project2.004F44FA
seh = 00000002
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000003
77D10000 模块 C:\WINDOWS\system32\user32.dll
7E190000 模块 C:\WINDOWS\system32\GDI32.dll
77DA0000 模块 C:\WINDOWS\system32\ADVAPI32.dll
78000000 模块 C:\WINDOWS\system32\RPCRT4.dll
76300000 模块 C:\WINDOWS\System32\IMM32.DLL
62C20000 模块 C:\WINDOWS\System32\LPK.DLL
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000004
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000005
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000006
004EF8F8 INT3 命令在 Project2.004EF8F8
seh = 00000007
004EFB3A INT3 命令在 Project2.004EFB3A
seh = 00000008
004EFD54 单步事件位于 Project2.004EFD54
seh = 00000009
004EFEFA 单步事件位于 Project2.004EFEFA
seh = 0000000A
72F10000 模块 C:\WINDOWS\System32\USP10.dll
5ADC0000 模块 C:\WINDOWS\System32\uxtheme.dll
77BE0000 模块 C:\WINDOWS\system32\msvcrt.dll
74680000 模块 C:\WINDOWS\System32\MSCTF.dll
53000000 模块 C:\PROGRA~1\3721\helper.dll
53001000 Code size in header is 00000000, extending to size of section '.rdata'
70A70000 模块 C:\WINDOWS\system32\SHLWAPI.dll
77310000 模块 C:\WINDOWS\system32\COMCTL32.dll
37210000 模块 C:\WINDOWS\DOWNLO~1\CnsMin.dll
71BA0000 模块 C:\WINDOWS\System32\NETAPI32.dll
77BD0000 模块 C:\WINDOWS\system32\VERSION.dll
10000000 模块 C:\Herosoft\HeroV8\VCvtShell.dll
773A0000 模块 C:\WINDOWS\system32\SHELL32.dll
00B90000 模块 C:\WINDOWS\System32\msctfime.ime
71950000 模块 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
00BC0000 模块 C:\WINDOWS\System32\wnwbio.ime
7CAB0000 模块 C:\WINDOWS\System32\ole32.dll 从LOG可以发现当第10次中断后,程序提示错误。那么我们就在第10次中断时开始跟踪:
修改一下上面的脚本:
var seh
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
cmp seh,a
je stop1
esto
stop1:
coe
cob
ret
运行脚本后中断在
004EFEFA 64:8F00 pop dword ptr fs:[eax] ///中断在此。
004EFEFD 5B pop ebx
004EFEFE E8 01000000 call 004EFF04 ; 004EFF04
004EFF03 FF58 05 call far fword ptr ds:[eax+5]
004EFF06 6BFF FF imul edi,edi,-1
004EFF09 FF80 38E97587 inc dword ptr ds:[eax+8775E938]
堆栈:
0012FF98 0012FFE0 指针到下一个 SEH 记录
0012FF9C 004EFED3 SE 句柄
在004EFED3处下断,然后SHIFT+F9通过,来到:
004EFED3 E8 01000000 call 004EFED9///中断在此。取消断点。
004EFED8 FF58 05 call far fword ptr ds:[eax+5]
004EFEDB 96 xchg eax,esi
这里有花指令,按一下F7代码变成:
004EFED9 58 pop eax ; Project2.004EFED8
004EFEDA 05 96FFFFFF add eax,-6A
004EFEDF 8038 E8 cmp byte ptr ds:[eax],0E8
004EFEE2 ^ 75 B2 jnz short 004EFE96 ; 004EFE96
004EFEE4 C600 E9 mov byte ptr ds:[eax],0E9///为后面的检测单步跟踪设标志。
004EFEE7 2BC0 sub eax,eax
004EFEE9 C3 retn///到系统DLL中。
在4EFEFD处下断,F9后从系统DLL回到:
004EFEFD 5B pop ebx ///中断在此。取消断点。
004EFEFE E8 01000000 call 004EFF04 ; 004EFF04
004EFF03 FF58 05 call far fword ptr ds:[eax+5]
这里有花指令,按二下F7代码变成:
004EFF04 58 pop eax ; Project2.004EFF03
004EFF05 05 6BFFFFFF add eax,-95
004EFF0A 8038 E9 cmp byte ptr ds:[eax],0E9///检测前面设置的检测单步跟踪的标志。
004EFF0D ^ 75 87 jnz short 004EFE96 ///不能跳。
004EFF0F C600 E8 mov byte ptr ds:[eax],0E8
004EFF12 9D popfd
004EFF13 61 popad
004EFF14 3D 00000080 cmp eax,80000000
004EFF19 7C 06 jl short 004EFF21 ; 004EFF21
004EFF1B EB 06 jmp short 004EFF23 ; 004EFF23
004EFF1D 0010 add byte ptr ds:[eax],dl
用F7走到:
004EFF49 58 pop eax
004EFF4A 58 pop eax
004EFF4B 9D popfd
004EFF4C 74 31 je short 004EFF7F ///这里必须跳,不跳则提示错误。修改标志位强行跳转。
004EFF4E 74 03 je short 004EFF53 ; 004EFF53
004EFF50 75 01 jnz short 004EFF53 ; 004EFF53
004EFF52 E8 E8010000 call 004F013F ; 004F013F
004EFF57 00FF add bh,bh
004EFF59 58 pop eax
004FBBBA E8 F784FFFF call 004F40B6 ; 004F40B6
004FBBBF 05 08010000 add eax,108
004FBBC4 50 push eax
004FBBC5 E8 73FFFFFF call 004FBB3D ; 004FBB3D
004FBBCA 35 47F2EA87 xor eax,87EAF247///这个固定值可能是用于加密的。
004FBBCF C3 retn
004F0191 /EB 01 jmp short 004F0194 ; 004F0194
004F0193 |90 nop///花指令。
004F0194 \0F84 0E010000 je 004F02A8 ///此处是子进程和父进程的分支处。跳则以子进程身份运行。修改标志位强行跳转。
004F019A E8 01000000 call 004F01A0 ; 004F01A0
004F019F FF58 05 call far fword ptr ds:[eax+5] 在004F0194处如果不跳,则程序后面调用CreateProcessA创建新的进程,父进程则退出。
下面再用脚本来看看程序强行以子进程身份运行后的中断和异常次数。
脚本如下:
var seh
var mess
//#log
eoe aman1
eob aman1
run
aman1:
add seh,1
log seh
cmp seh,a //第10次中断时跳转。
je stop1
esto stop1:
coe
cob
mov seh,0
bp 4eff4c
esto
bc eip
mov !zf,1
sti
run
bp 4f0194 //子进程与父进程分流处。
esto
bc eip
mov eip,4f02a8 //直接跳过创建子进程,强行让父进程以子进程运行。
eoe aman2
eob aman2
run
aman2:
add seh,1
log seh
esto
ret
运行脚本后,程序直接运行了。看LOG记录: 004EF000 ID 00000E60 的主要线程已经创建
00400000 模块 C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
固定表格已经被封装或者已经损坏!
77E40000 模块 C:\WINDOWS\system32\kernel32.dll
77F50000 模块 C:\WINDOWS\System32\ntdll.dll
004EF000 程序入口
IsDebugPresent hidden
IsDebugPresent hidden
004EF07A 单步事件位于 Project2.004EF07A
seh = 00000001
004F44FA INT3 命令在 Project2.004F44FA
seh = 00000002
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000003
77D10000 模块 C:\WINDOWS\system32\user32.dll
7E190000 模块 C:\WINDOWS\system32\GDI32.dll
77DA0000 模块 C:\WINDOWS\system32\ADVAPI32.dll
78000000 模块 C:\WINDOWS\system32\RPCRT4.dll
76300000 模块 C:\WINDOWS\System32\IMM32.DLL
62C20000 模块 C:\WINDOWS\System32\LPK.DLL
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000004
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000005
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000006
004EF8F8 INT3 命令在 Project2.004EF8F8
seh = 00000007
004EFB3A INT3 命令在 Project2.004EFB3A
seh = 00000008
004EFD54 单步事件位于 Project2.004EFD54
seh = 00000009
004EFEFA 单步事件位于 Project2.004EFEFA
seh = 0000000A
004EFF4C 中断在 Project2.004EFF4C
004F013D 单步事件位于 Project2.004F013D
004F0194 中断在 Project2.004F0194
004F0431 INT3 命令在 Project2.004F0431
seh = 00000001
004F0673 INT3 命令在 Project2.004F0673
seh = 00000002
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000003
004F0A35 单步事件位于 Project2.004F0A35
seh = 00000004
004F44FA INT3 命令在 Project2.004F44FA
seh = 00000005
004F0CCA INT3 命令在 Project2.004F0CCA
seh = 00000006
004F0F0C INT3 命令在 Project2.004F0F0C
seh = 00000007
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000008
004F12AF INT3 命令在 Project2.004F12AF
seh = 00000009
004F150F INT3 命令在 Project2.004F150F
seh = 0000000A
004F21FF 访问违反: 写入到 [00000000]
seh = 0000000B
004F23C3 INT3 命令在 Project2.004F23C3
seh = 0000000C
004F2605 INT3 命令在 Project2.004F2605
seh = 0000000D
004F44FA INT3 命令在 Project2.004F44FA
seh = 0000000E
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000000F
004F29F4 访问违反: 读取 [FFFFFFFF]
seh = 00000010
004F2BCE 单步事件位于 Project2.004F2BCE
seh = 00000011
004F44FA INT3 命令在 Project2.004F44FA
seh = 00000012
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000013
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000014
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000015
72F10000 模块 C:\WINDOWS\System32\USP10.dll
770F0000 模块 C:\WINDOWS\system32\oleaut32.dll
77BE0000 模块 C:\WINDOWS\system32\MSVCRT.DLL
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000016
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000017
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000018
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000019
7CAB0000 模块 C:\WINDOWS\system32\OLE32.DLL
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001A
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001B
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001C
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001D
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001E
004F48E2 单步事件位于 Project2.004F48E2
seh = 0000001F
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000020
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000021
77BD0000 模块 C:\WINDOWS\system32\version.dll
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000022
77310000 模块 C:\WINDOWS\system32\comctl32.dll
63000000 模块 C:\WINDOWS\system32\wininet.dll
76230000 模块 C:\WINDOWS\system32\CRYPT32.dll
76210000 模块 C:\WINDOWS\system32\MSASN1.dll
70A70000 模块 C:\WINDOWS\system32\SHLWAPI.dll
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000023
71950000 模块 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
009E0000 模块 C:\WINDOWS\System32\WS2_32.dll
71A40000 模块 C:\WINDOWS\System32\wsock32.dll
003D0000 模块 C:\WINDOWS\System32\WS2HELP.dll
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000024
004F2D33 单步事件位于 Project2.004F2D33
seh = 00000025
004F2ED4 单步事件位于 Project2.004F2ED4
seh = 00000026
004F48E2 单步事件位于 Project2.004F48E2
seh = 00000027
004F308A INT3 命令在 Project2.004F308A
seh = 00000028
004F32D0 INT3 命令在 Project2.004F32D0
seh = 00000029
004F36D3 INT3 命令在 Project2.004F36D3
seh = 0000002A
004F3919 INT3 命令在 Project2.004F3919
seh = 0000002B
004F3C00 INT3 命令在 Project2.004F3C00
seh = 0000002C
004F3E46 INT3 命令在 Project2.004F3E46
seh = 0000002D
004F407A 单步事件位于 Project2.004F407A
seh = 0000002E
5ADC0000 模块 C:\WINDOWS\System32\uxtheme.dll
74680000 模块 C:\WINDOWS\System32\MSCTF.dll
53000000 模块 C:\PROGRA~1\3721\helper.dll
53001000 Code size in header is 00000000, extending to size of section '.rdata'
37210000 模块 C:\WINDOWS\DOWNLO~1\CnsMin.dll
71BA0000 模块 C:\WINDOWS\System32\NETAPI32.dll
10000000 模块 C:\Herosoft\HeroV8\VCvtShell.dll
00BD0000 模块 C:\WINDOWS\System32\msctfime.ime
773A0000 模块 C:\WINDOWS\system32\SHELL32.dll
00C00000 模块 C:\WINDOWS\System32\wnwbio.ime
从LOG记录可以发现,当程序第2E次中断后就直接运行了。那我们修改一下脚本,让程序在第2E次中断时停下(脚本不贴了参考前面的)。
004F407A 64:8F00 pop dword ptr fs:[eax] ///停在这里。
004F407D 5B pop ebx
004F407E E8 01000000 call 004F4084///F7
004F4083 FF58 05 call far fword ptr ds:[eax+5]
004F4086 6BFF FF imul edi,edi,-1
004F4089 FF80 38E97587 inc dword ptr ds:[eax+8775E938]
004F408F C600 E8 mov byte ptr ds:[eax],0E8
004F4092 9D popfd
004F4093 61 popad
004F4094 C3 retn
在004F407E处F7后,代码如下:
004F4084 58 pop eax ; Project2.004F4083
004F4085 05 6BFFFFFF add eax,-95
004F408A 8038 E9 cmp byte ptr ds:[eax],0E9///单步跟踪检测。
004F408D ^ 75 87 jnz short 004F4016 ///不能跳。修改标志位不让跳转。
004F408F C600 E8 mov byte ptr ds:[eax],0E8///恢复代码。
004F4092 9D popfd
004F4093 61 popad
004F4094 C3 retn///返回。
0047ED53 C3 retn///再返回一次。
0047ED54 ^ E9 934BF8FF jmp 004038EC ; 004038EC
0047EBB8 55 push ebp///这就是入口了。
0047EBB9 8BEC mov ebp,esp
0047EBBB B9 06000000 mov ecx,6
0047EBC0 6A 00 push 0
0047EBC2 6A 00 push 0
0047EBC4 49 dec ecx
0047EBC5 ^ 75 F9 jnz short 0047EBC0 ; 0047EBC0
0047EBC7 51 push ecx
0047EBC8 53 push ebx
0047EBC9 B8 20E94700 mov eax,47E920
0047EBCE E8 DD74F8FF call 004060B0 ; 004060B0
0047EBD3 8B1D B81C4800 mov ebx,dword ptr ds:[481CB8] ; Project2.00483CD0
0047EBD9 33C0 xor eax,eax
0047EBDB 55 push ebp
0047EBDC 68 54ED4700 push 47ED54
到入口后,修改各区段读写权限为完全权限,然后DUMP下来,并将DUMP下来的文件入口改为7EBB8。
二、修复IAT
用OD载入DUMP后的文件,可以找到IAT地址:
00484164 00 00 00 00 70 38 14 00 ....p8.
0048416C A8 38 14 00 E0 38 14 00 ?.?.
00484174 18 39 14 00 50 39 14 00 9.P9.
0048417C 88 39 14 00 C0 39 14 00 ?.?.
00484184 F8 39 14 00 C9 A5 4F 00 ?.丧O.
。。。。。。
004847EC B7 4E 31 77 F6 7F 31 77 肺1w?1w
004847F4 54 50 31 77 25 74 32 77 TP1w%t2w
004847FC A4 7F 33 77 57 A4 31 77 ?3wW?w
00484804 3D 51 31 77 E3 AD 31 77 =Q1w悱1w
0048480C 00 00 00 00 1B 31 06 63 ....1c
00484814 9D 30 06 63 98 9F 01 63 ?c?c
0048481C 00 00 00 00 DA DF 9E 00 ....谶?
00484824 F3 DD 9E 00 3E BF 9E 00 筝?>?.
0048482C 50 72 9E 00 E8 78 9E 00 Pr?桫?
00484834 59 D1 9E 00 20 10 A4 71 Y?. ゑ
0048483C F2 20 9E 00 D5 21 9E 00 ????
00484844 06 21 9E 00 F2 20 9E 00 !???
0048484C 28 C3 9E 00 00 00 00 00 (?.....
00484854 FF FF FF FF FF FF FF FF ????
IAT的起始地址为484164,结束地址为484854,大小为6F0。
现在来找程序是从何处开始处理IAT的。
还是分析前面的LOG记录。我们可以发现从第12H次中断以后,连续出现004F48E2这个地址,前面也出现过几次。那么这个地址是否和处理IAT有关?我们载入带壳程序,还是用脚本停在第12H次中断处: 004F44FB 90 nop///异常。
004F44FC 3C 04 cmp al,4
004F44FE 74 32 je short 004F4532 ; 004F4532
004F4500 74 03 je short 004F4505 ; 004F4505
004F4502 75 01 jnz short 004F4505 ; 004F4505
堆栈:
0012DB68 0012FFE0 指针到下一个 SEH 记录
0012DB6C 004F4594 SE 句柄
从004F4594处开始跟踪:
004F4594 8B4424 04 mov eax,dword ptr ss:[esp+4]
004F4598 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
004F459C FF81 B8000000 inc dword ptr ds:[ecx+B8]
004F45A2 8B00 mov eax,dword ptr ds:[eax]///注意!执行这句后EAX=4F44FB
004F45A4 2D 03000080 sub eax,80000003
004F45A9 75 16 jnz short 004F45C1 ; 004F45C1
004F45AB B8 55010000 mov eax,155
004F45B0 8941 18 mov dword ptr ds:[ecx+18],eax
004F45B3 33C0 xor eax,eax
004F45B5 8941 04 mov dword ptr ds:[ecx+4],eax///清理硬件断点。
004F45B8 8941 08 mov dword ptr ds:[ecx+8],eax
004F45BB 8941 0C mov dword ptr ds:[ecx+C],eax
004F45BE 8941 10 mov dword ptr ds:[ecx+10],eax
004F45C1 C3 retn///返回到系统DLL中。 在4F44FB处下断,然后F9:
004F44FB 90 nop///断下。以下均用F7走。
004F44FC 3C 04 cmp al,4
004F44FE 74 32 je short 004F4532 ///跳!
004F4500 74 03 je short 004F4505 ; 004F4505
004F4502 75 01 jnz short 004F4505 ; 004F4505
004F4504 E8 E8010000 call 004F46F1 ; 004F46F1
004F4532 64:8F05 00000000 pop dword ptr fs:[0] ; 0012FFE0
004F4539 83C4 04 add esp,4
004F453C 0F31 rdtsc///急甘奔浼觳狻?
004F453E 8BC8 mov ecx,eax
004F4540 8BDA mov ebx,edx
004F4542 7E 06 jle short 004F454A ///JMP的变形。
004F4544 7F 04 jg short 004F454A ; 004F454A
004F4546 0010 add byte ptr ds:[eax],dl
004F456F 9D popfd
004F4570 58 pop eax
004F4571 0F31 rdtsc///第2次。
004F4573 2BC1 sub eax,ecx
004F4575 1BD3 sbb edx,ebx
004F4577 83FA 00 cmp edx,0
004F457A ^ 75 84 jnz short 004F4500 ///不能跳。
004F457C 3D 00000060 cmp eax,60000000
004F4581 ^ 0F87 79FFFFFF ja 004F4500 ///不能跳。
004F4587 74 39 je short 004F45C2 ///JMP的变形。
004F4589 75 37 jnz short 004F45C2 ; 004F45C2
004F458B E8 00104000 call 008F5590
最后来到:
004FC17C 57 push edi
004FC17D E8 4483FFFF call 004F44C6
004FC182 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC189 33ED xor ebp,ebp
004FC18B 85C0 test eax,eax
004FC18D 896C24 14 mov dword ptr ss:[esp+14],ebp
004FC191 75 6D jnz short 004FC200 ///跳。以下用F8跟。
004FC193 68 FDDE4000 push 40DEFD
004FC198 E8 007FFFFF call 004F409D ; 004F409D
004FC19D 50 push eax
004FC19E 68 C4AA4000 push 40AAC4
004FC1A3 E8 F57EFFFF call 004F409D ; 004F409D
004FC1A8 50 push eax
004FC1A9 E8 452C0000 call 004FEDF3 ; 004FEDF3
004FC1AE 50 push eax
004FC1AF E8 E4C2FFFF call 004F8498 ; 004F8498
004FC1B4 68 0CDF4000 push 40DF0C
004FC1B9 8BF8 mov edi,eax
004FC1BB E8 DD7EFFFF call 004F409D ; 004F409D
004FC1C0 50 push eax
004FC1C1 68 C4AA4000 push 40AAC4
004FC1C6 E8 D27EFFFF call 004F409D ; 004F409D
004FC1CB 50 push eax
004FC1CC E8 222C0000 call 004FEDF3 ; 004FEDF3
004FC1D1 50 push eax
004FC1D2 E8 C1C2FFFF call 004F8498 ; 004F8498
004FC1D7 8BF0 mov esi,eax
004FC1D9 E8 D87EFFFF call 004F40B6 ; 004F40B6
004FC1DE 85F6 test esi,esi
004FC1E0 8BD8 mov ebx,eax
004FC1E2 74 16 je short 004FC1FA ; 004FC1FA
004FC1E4 85FF test edi,edi
004FC1E6 74 12 je short 004FC1FA ; 004FC1FA
004FC1E8 68 20030000 push 320
004FC1ED 6A 08 push 8
004FC1EF FFD7 call edi
004FC1F1 50 push eax
004FC1F2 FFD6 call esi
004FC1F4 8BE8 mov ebp,eax
004FC1F6 896C24 14 mov dword ptr ss:[esp+14],ebp
004FC1FA 89AB 94000000 mov dword ptr ds:[ebx+94],ebp
004FC200 33FF xor edi,edi
004FC202 897C24 1C mov dword ptr ss:[esp+1C],edi
004FC206 897C24 2C mov dword ptr ss:[esp+2C],edi
004FC20A E8 7FF9FFFF call 004FBB8E ; 004FBB8E
004FC20F 3D B9C8B813 cmp eax,13B8C8B9
004FC214 BE 01000000 mov esi,1
004FC219 75 04 jnz short 004FC21F ; 004FC21F
004FC21B 897424 1C mov dword ptr ss:[esp+1C],esi
004FC21F E8 54F9FFFF call 004FBB78 ; 004FBB78
004FC224 35 47F2EA87 xor eax,87EAF247
004FC229 3D F71219C1 cmp eax,C11912F7
004FC22E 75 04 jnz short 004FC234 ; 004FC234
004FC230 897424 2C mov dword ptr ss:[esp+2C],esi
004FC234 68 16DF4000 push 40DF16
004FC239 E8 5F7EFFFF call 004F409D ; 004F409D
004FC23E 50 push eax
004FC23F 68 C4AA4000 push 40AAC4
004FC244 E8 547EFFFF call 004F409D ; 004F409D
004FC249 50 push eax
004FC24A E8 FAC2FFFF call 004F8549 ; 004F8549
004FC24F 50 push eax
004FC250 E8 43C2FFFF call 004F8498 ; 004F8498
004FC255 3BC7 cmp eax,edi
004FC257 894424 38 mov dword ptr ss:[esp+38],eax
004FC25B 75 08 jnz short 004FC265 ; 004FC265
004FC25D C74424 38 F30D4100 mov dword ptr ss:[esp+38],410DF3
004FC265 6A 00 push 0
004FC267 E8 D32A0000 call 004FED3F ; 004FED3F
004FC26C 8BE8 mov ebp,eax
004FC26E 896C24 34 mov dword ptr ss:[esp+34],ebp
004FC272 E8 3F7EFFFF call 004F40B6 ; 004F40B6
004FC277 8BF8 mov edi,eax
004FC279 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004FC27D 51 push ecx
004FC27E 6A 10 push 10
004FC280 8D87 F0000000 lea eax,dword ptr ds:[edi+F0]
004FC286 50 push eax
004FC287 894424 24 mov dword ptr ss:[esp+24],eax
004FC28B E8 3BB3FFFF call 004F75CB ; 004F75CB
004FC290 8B8424 58040000 mov eax,dword ptr ss:[esp+458]
004FC297 83C4 0C add esp,0C
004FC29A 85C0 test eax,eax
004FC29C 74 05 je short 004FC2A3 ; 004FC2A3
004FC29E 8B77 1C mov esi,dword ptr ds:[edi+1C]
004FC2A1 EB 03 jmp short 004FC2A6 ; 004FC2A6
004FC2A3 8B77 0C mov esi,dword ptr ds:[edi+C]
004FC2A6 8B97 98000000 mov edx,dword ptr ds:[edi+98]
004FC2AC 03F5 add esi,ebp
004FC2AE 895424 28 mov dword ptr ss:[esp+28],edx
004FC2B2 E8 88C5FFFF call 004F883F ; 004F883F
004FC2B7 8B5C24 14 mov ebx,dword ptr ss:[esp+14]
004FC2BB 897424 20 mov dword ptr ss:[esp+20],esi
004FC2BF 8B46 10 mov eax,dword ptr ds:[esi+10]
004FC2C2 8B0E mov ecx,dword ptr ds:[esi]
004FC2C4 0BC1 or eax,ecx
004FC2C6 0F84 61080000 je 004FCB2D ; 004FCB2D
004FC2CC 8B4424 18 mov eax,dword ptr ss:[esp+18]
004FC2D0 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004FC2D4 8D9424 44010000 lea edx,dword ptr ss:[esp+144]
004FC2DB 51 push ecx
004FC2DC 52 push edx
004FC2DD 6A 10 push 10
004FC2DF 50 push eax
004FC2E0 6A 14 push 14
004FC2E2 56 push esi
004FC2E3 E8 18C5FFFF call 004F8800 ; 004F8800
004FC2E8 8B5E 0C mov ebx,dword ptr ds:[esi+C]
004FC2EB 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC2F2 85C0 test eax,eax
004FC2F4 74 0A je short 004FC300 ; 004FC300
004FC2F6 8B4424 28 mov eax,dword ptr ss:[esp+28]
004FC2FA 03DD add ebx,ebp
004FC2FC 03D8 add ebx,eax
004FC2FE EB 02 jmp short 004FC302 ; 004FC302
004FC300 03DD add ebx,ebp
004FC302 8B4424 18 mov eax,dword ptr ss:[esp+18]
004FC306 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004FC30A 8D9424 44010000 lea edx,dword ptr ss:[esp+144]
004FC311 51 push ecx
004FC312 8B4E 04 mov ecx,dword ptr ds:[esi+4]
004FC315 52 push edx
004FC316 6A 10 push 10
004FC318 50 push eax
004FC319 51 push ecx
004FC31A 53 push ebx
004FC31B 895C24 54 mov dword ptr ss:[esp+54],ebx
004FC31F E8 DCC4FFFF call 004F8800 ; 004F8800
004FC324 E8 16C5FFFF call 004F883F ; 004F883F
004FC329 8B7C24 38 mov edi,dword ptr ss:[esp+38]
004FC32D 68 C4AA4000 push 40AAC4
004FC332 E8 667DFFFF call 004F409D ; 004F409D
004FC337 50 push eax ///eax=004F8AC4 (Project2.004F8AC4), ASCII "kernel32.dll" 程序预置的DLL。
004FC338 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll" 当前准备处理的DLL。
004FC339 E8 BB96FFFF call 004F59F9 ///比较。如果相同则置EAX为0。
004FC33E 85C0 test eax,eax
004FC340 74 5C je short 004FC39E ///如果和程序预置的DLL同名则加密处理,所以不能跳。修改标志位不让跳转。
004FC342 68 23DF4000 push 40DF23
004FC347 E8 517DFFFF call 004F409D ; 004F409D
004FC34C 50 push eax ///eax=004FBF23 (Project2.004FBF23), ASCII "user32.dll"
004FC34D 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC34E E8 A696FFFF call 004F59F9 ; 004F59F9
004FC353 85C0 test eax,eax
004FC355 74 47 je short 004FC39E ///不能跳。
004FC357 68 2EDF4000 push 40DF2E
004FC35C E8 3C7DFFFF call 004F409D ; 004F409D
004FC361 50 push eax ///eax=004FBF2E (Project2.004FBF2E), ASCII "gdi32.dll"
004FC362 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC363 E8 9196FFFF call 004F59F9 ; 004F59F9
004FC368 85C0 test eax,eax
004FC36A 74 32 je short 004FC39E///不能跳。
004FC36C 68 38DF4000 push 40DF38
004FC371 E8 277DFFFF call 004F409D ; 004F409D
004FC376 50 push eax ///eax=004FBF38 (Project2.004FBF38), ASCII "advapi32.dll"
004FC377 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC378 E8 7C96FFFF call 004F59F9 ; 004F59F9
004FC37D 85C0 test eax,eax
004FC37F 74 1D je short 004FC39E ///不能跳。
004FC381 68 45DF4000 push 40DF45
004FC386 E8 127DFFFF call 004F409D ; 004F409D
004FC38B 50 push eax ///eax=004FBF45 (Project2.004FBF45), ASCII "shell32.dll"
004FC38C 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC38D E8 6796FFFF call 004F59F9 ; 004F59F9
004FC392 85C0 test eax,eax
004FC394 C74424 24 00000000 mov dword ptr ss:[esp+24],0 ///设置不加密标志。
004FC39C 75 08 jnz short 004FC3A6 ///如果和以上预置的DLL均不相符,则跳走。
004FC39E C74424 24 01000000 mov dword ptr ss:[esp+24],1 ///设置需加密标志。
004FC3A6 68 51DF4000 push 40DF51
004FC3AB E8 ED7CFFFF call 004F409D ; 004F409D
004FC3B0 50 push eax ///eax=004FBF51 (Project2.004FBF51), ASCII "sdprotector.dll"
004FC3B1 53 push ebx ///ebx=00484854 (Project2.00484854), ASCII "kernel32.dll"
004FC3B2 E8 4296FFFF call 004F59F9 ; 004F59F9
004FC3B7 85C0 test eax,eax
004FC3B9 74 7F je short 004FC43A ///不能跳。
004FC3BB 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC3C2 C74424 30 00000000 mov dword ptr ss:[esp+30],0 ///设置不加密标志。
004FC3CA 85C0 test eax,eax
004FC3CC 74 10 je short 004FC3DE ; 004FC3DE
004FC3CE 8B4424 1C mov eax,dword ptr ss:[esp+1C]
004FC3D2 85C0 test eax,eax
004FC3D4 74 08 je short 004FC3DE ; 004FC3DE
004FC3D6 53 push ebx
004FC3D7 E8 6DC1FFFF call 004F8549 ; 004F8549
004FC3DC EB 07 jmp short 004FC3E5 ; 004FC3E5
004FC3DE 53 push ebx
004FC3DF 57 push edi
004FC3E0 E8 7DC1FFFF call 004F8562 ; 004F8562
004FC3E5 85C0 test eax,eax
004FC3E7 894424 10 mov dword ptr ss:[esp+10],eax
004FC3EB 75 55 jnz short 004FC442 ; 004FC442
004FC3ED E8 652C0000 call 004FF057 ; 004FF057
004FC3F2 50 push eax
004FC3F3 53 push ebx
004FC3F4 68 61DF4000 push 40DF61
004FC3F9 E8 9F7CFFFF call 004F409D ; 004F409D
004FC3FE 8D9424 50020000 lea edx,dword ptr ss:[esp+250]
004FC405 50 push eax
004FC406 52 push edx
004FC407 E8 1F2E0000 call 004FF22B ; 004FF22B
004FC40C 83C4 10 add esp,10
004FC40F 6A 12 push 12
004FC411 68 72A34000 push 40A372
004FC416 E8 827CFFFF call 004F409D ; 004F409D
004FC41B 50 push eax
004FC41C 8D8424 50020000 lea eax,dword ptr ss:[esp+250]
004FC423 50 push eax
004FC424 6A 00 push 0
004FC426 E8 EC290000 call 004FEE17 ; 004FEE17
004FC42B 83F8 03 cmp eax,3
004FC42E 74 32 je short 004FC462 ; 004FC462
004FC430 83F8 04 cmp eax,4
004FC433 75 36 jnz short 004FC46B ; 004FC46B
004FC435 ^ E9 F3FEFFFF jmp 004FC32D ; 004FC32D
004FC43A C74424 30 01000000 mov dword ptr ss:[esp+30],1 ///设置需加密标志。
004FC442 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC449 85C0 test eax,eax
004FC44B 8B06 mov eax,dword ptr ds:[esi]
004FC44D 8D4C05 00 lea ecx,dword ptr ss:[ebp+eax]
004FC451 74 20 je short 004FC473 ; 004FC473
004FC453 8B76 10 mov esi,dword ptr ds:[esi+10]
004FC456 8B5424 28 mov edx,dword ptr ss:[esp+28]
004FC45A 03F5 add esi,ebp
004FC45C 03CA add ecx,edx
004FC45E 03F2 add esi,edx
004FC460 EB 16 jmp short 004FC478 ; 004FC478
004FC462 6A 00 push 0
004FC464 E8 66290000 call 004FEDCF ; 004FEDCF
004FC469 ^ EB D7 jmp short 004FC442 ; 004FC442
004FC46B 83C6 14 add esi,14
004FC46E ^ E9 44FEFFFF jmp 004FC2B7 ; 004FC2B7
004FC473 8B76 10 mov esi,dword ptr ds:[esi+10]///
004FC476 03F5 add esi,ebp
004FC478 85C0 test eax,eax
004FC47A 8BE9 mov ebp,ecx
004FC47C 75 02 jnz short 004FC480 ; 004FC480
004FC47E 8BEE mov ebp,esi
004FC480 E8 BAC3FFFF call 004F883F ; 004F883F
004FC485 8B5C24 18 mov ebx,dword ptr ss:[esp+18]
004FC489 8B7C24 10 mov edi,dword ptr ss:[esp+10]
004FC48D 837D 00 00 cmp dword ptr ss:[ebp],0 ///这里开始处理函数。
004FC491 0F84 5E060000 je 004FCAF5 ; 004FCAF5
004FC497 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
004FC49B 8D9424 44010000 lea edx,dword ptr ss:[esp+144]
004FC4A2 51 push ecx
004FC4A3 52 push edx
004FC4A4 6A 10 push 10
004FC4A6 53 push ebx
004FC4A7 6A 04 push 4
004FC4A9 55 push ebp
004FC4AA E8 51C3FFFF call 004F8800 ; 004F8800
004FC4AF 8D4424 40 lea eax,dword ptr ss:[esp+40]
004FC4B3 8D8C24 44010000 lea ecx,dword ptr ss:[esp+144]
004FC4BA 50 push eax
004FC4BB 51 push ecx
004FC4BC 6A 10 push 10
004FC4BE 53 push ebx
004FC4BF 6A 04 push 4
004FC4C1 56 push esi
004FC4C2 E8 39C3FFFF call 004F8800 ; 004F8800
004FC4C7 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC4CE 85C0 test eax,eax
004FC4D0 8B45 00 mov eax,dword ptr ss:[ebp]
004FC4D3 74 0F je short 004FC4E4 ; 004FC4E4
004FC4D5 8B5424 34 mov edx,dword ptr ss:[esp+34]
004FC4D9 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
004FC4DD 8D1C02 lea ebx,dword ptr ds:[edx+eax]
004FC4E0 03D9 add ebx,ecx
004FC4E2 EB 07 jmp short 004FC4EB ; 004FC4EB
004FC4E4 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
004FC4E8 8D1C01 lea ebx,dword ptr ds:[ecx+eax]
004FC4EB A9 00000080 test eax,80000000
004FC4F0 0F84 19010000 je 004FC60F ; 004FC60F
004FC4F6 8B4C24 30 mov ecx,dword ptr ss:[esp+30]
004FC4FA 85C9 test ecx,ecx
004FC4FC 8B8C24 4C040000 mov ecx,dword ptr ss:[esp+44C]
004FC503 0F84 AB000000 je 004FC5B4 ; 004FC5B4
004FC509 85C9 test ecx,ecx
004FC50B 0F84 EB000000 je 004FC5FC ; 004FC5FC
004FC511 25 FFFFFF7F and eax,7FFFFFFF
004FC516 83F8 01 cmp eax,1
004FC519 75 11 jnz short 004FC52C ; 004FC52C
004FC51B 68 EDA84000 push 40A8ED
004FC520 E8 787BFFFF call 004F409D ; 004F409D
004FC525 8906 mov dword ptr ds:[esi],eax
004FC527 E9 AE050000 jmp 004FCADA ; 004FCADA
004FC52C 83F8 02 cmp eax,2
004FC52F 75 11 jnz short 004FC542 ; 004FC542
004FC531 68 FBA84000 push 40A8FB
004FC536 E8 627BFFFF call 004F409D ; 004F409D
004FC53B 8906 mov dword ptr ds:[esi],eax
004FC53D E9 98050000 jmp 004FCADA ; 004FCADA
004FC542 83F8 03 cmp eax,3
004FC545 75 11 jnz short 004FC558 ; 004FC558
004FC547 68 11A94000 push 40A911
004FC54C E8 4C7BFFFF call 004F409D ; 004F409D
004FC551 8906 mov dword ptr ds:[esi],eax
004FC553 E9 82050000 jmp 004FCADA ; 004FCADA
004FC558 83F8 04 cmp eax,4
004FC55B 75 11 jnz short 004FC56E ; 004FC56E
004FC55D 68 24A94000 push 40A924
004FC562 E8 367BFFFF call 004F409D ; 004F409D
004FC567 8906 mov dword ptr ds:[esi],eax
004FC569 E9 6C050000 jmp 004FCADA ; 004FCADA
004FC56E 83F8 05 cmp eax,5
004FC571 75 11 jnz short 004FC584 ; 004FC584
004FC573 68 37A94000 push 40A937
004FC578 E8 207BFFFF call 004F409D ; 004F409D
004FC57D 8906 mov dword ptr ds:[esi],eax
004FC57F E9 56050000 jmp 004FCADA ; 004FCADA
004FC584 83F8 06 cmp eax,6
004FC587 75 11 jnz short 004FC59A ; 004FC59A
004FC589 68 4AA94000 push 40A94A
004FC58E E8 0A7BFFFF call 004F409D ; 004F409D
004FC593 8906 mov dword ptr ds:[esi],eax
004FC595 E9 40050000 jmp 004FCADA ; 004FCADA
004FC59A 83F8 07 cmp eax,7
004FC59D 0F85 37050000 jnz 004FCADA ; 004FCADA
004FC5A3 68 5DA94000 push 40A95D
004FC5A8 E8 F07AFFFF call 004F409D ; 004F409D
004FC5AD 8906 mov dword ptr ds:[esi],eax
004FC5AF E9 26050000 jmp 004FCADA ; 004FCADA
004FC5B4 85C9 test ecx,ecx
004FC5B6 74 44 je short 004FC5FC ; 004FC5FC
004FC5B8 8B4C24 1C mov ecx,dword ptr ss:[esp+1C]
004FC5BC 85C9 test ecx,ecx
004FC5BE 74 16 je short 004FC5D6 ; 004FC5D6
004FC5C0 8B16 mov edx,dword ptr ds:[esi]
004FC5C2 81E2 FFFFFF7F and edx,7FFFFFFF
004FC5C8 52 push edx
004FC5C9 57 push edi
004FC5CA E8 94270000 call 004FED63 ; 004FED63
004FC5CF 8906 mov dword ptr ds:[esi],eax
004FC5D1 E9 04050000 jmp 004FCADA ; 004FCADA
004FC5D6 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
004FC5DA 85C9 test ecx,ecx
004FC5DC 74 1E je short 004FC5FC ; 004FC5FC
004FC5DE 8B4C24 2C mov ecx,dword ptr ss:[esp+2C]
004FC5E2 25 FFFFFF7F and eax,7FFFFFFF
004FC5E7 51 push ecx
004FC5E8 50 push eax
004FC5E9 57 push edi
004FC5EA E8 A9BEFFFF call 004F8498 ; 004F8498
004FC5EF 50 push eax
004FC5F0 E8 EAF6FFFF call 004FBCDF ; 004FBCDF
004FC5F5 8906 mov dword ptr ds:[esi],eax
004FC5F7 E9 DE040000 jmp 004FCADA ; 004FCADA
004FC5FC 25 FFFFFF7F and eax,7FFFFFFF
004FC601 50 push eax
004FC602 57 push edi
004FC603 E8 90BEFFFF call 004F8498 ; 004F8498
004FC608 8906 mov dword ptr ds:[esi],eax
004FC60A E9 CB040000 jmp 004FCADA ; 004FCADA
004FC60F 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
004FC613 8D5424 40 lea edx,dword ptr ss:[esp+40]
004FC617 8D8424 44010000 lea eax,dword ptr ss:[esp+144]
004FC61E 52 push edx
004FC61F 50 push eax
004FC620 6A 10 push 10
004FC622 51 push ecx
004FC623 6A 02 push 2
004FC625 53 push ebx
004FC626 E8 D5C1FFFF call 004F8800 ; 004F8800
004FC62B 8D5424 40 lea edx,dword ptr ss:[esp+40]
004FC62F 8D8424 44010000 lea eax,dword ptr ss:[esp+144]
004FC636 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
004FC63A 52 push edx
004FC63B 33D2 xor edx,edx
004FC63D 50 push eax
004FC63E 66:8B13 mov dx,word ptr ds:[ebx]
004FC641 6A 10 push 10
004FC643 8D7B 02 lea edi,dword ptr ds:[ebx+2]
004FC646 51 push ecx
004FC647 52 push edx
004FC648 57 push edi
004FC649 E8 B2C1FFFF call 004F8800 ; 004F8800
004FC64E 8B4424 30 mov eax,dword ptr ss:[esp+30]
004FC652 85C0 test eax,eax
004FC654 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FC65B 0F84 16010000 je 004FC777 ; 004FC777
004FC661 85C0 test eax,eax
004FC663 0F84 39040000 je 004FCAA2 ; 004FCAA2
004FC669 68 CFDF4000 push 40DFCF
004FC66E E8 2A7AFFFF call 004F409D ; 004F409D
004FC673 50 push eax
004FC674 57 push edi
004FC675 E8 F883FFFF call 004F4A72 ; 004F4A72
004FC67A 85C0 test eax,eax
004FC67C 75 11 jnz short 004FC68F ; 004FC68F
004FC67E 68 EDA84000 push 40A8ED
004FC683 E8 157AFFFF call 004F409D ; 004F409D
004FC688 8906 mov dword ptr ds:[esi],eax
004FC68A E9 31040000 jmp 004FCAC0 ; 004FCAC0
004FC68F 68 E0DF4000 push 40DFE0
004FC694 E8 047AFFFF call 004F409D ; 004F409D
004FC699 50 push eax
004FC69A 57 push edi
004FC69B E8 D283FFFF call 004F4A72 ; 004F4A72
004FC6A0 85C0 test eax,eax
004FC6A2 75 11 jnz short 004FC6B5 ; 004FC6B5
004FC6A4 68 FBA84000 push 40A8FB
004FC6A9 E8 EF79FFFF call 004F409D ; 004F409D
004FC6AE 8906 mov dword ptr ds:[esi],eax
004FC6B0 E9 0B040000 jmp 004FCAC0 ; 004FCAC0
004FC6B5 68 F8DF4000 push 40DFF8
004FC6BA E8 DE79FFFF call 004F409D ; 004F409D
004FC6BF 50 push eax
004FC6C0 57 push edi
004FC6C1 E8 AC83FFFF call 004F4A72 ; 004F4A72
004FC6C6 85C0 test eax,eax
004FC6C8 75 11 jnz short 004FC6DB ; 004FC6DB
004FC6CA 68 11A94000 push 40A911
004FC6CF E8 C979FFFF call 004F409D ; 004F409D
004FC6D4 8906 mov dword ptr ds:[esi],eax
004FC6D6 E9 E5030000 jmp 004FCAC0 ; 004FCAC0
004FC6DB 68 11E04000 push 40E011
004FC6E0 E8 B879FFFF call 004F409D ; 004F409D
004FC6E5 50 push eax
004FC6E6 57 push edi
004FC6E7 E8 8683FFFF call 004F4A72 ; 004F4A72
004FC6EC 85C0 test eax,eax
004FC6EE 75 11 jnz short 004FC701 ; 004FC701
004FC6F0 68 24A94000 push 40A924
004FC6F5 E8 A379FFFF call 004F409D ; 004F409D
004FC6FA 8906 mov dword ptr ds:[esi],eax
004FC6FC E9 BF030000 jmp 004FCAC0 ; 004FCAC0
004FC701 68 27E04000 push 40E027
004FC706 E8 9279FFFF call 004F409D ; 004F409D
004FC70B 50 push eax
004FC70C 57 push edi
004FC70D E8 6083FFFF call 004F4A72 ; 004F4A72
004FC712 85C0 test eax,eax
004FC714 75 11 jnz short 004FC727 ; 004FC727
004FC716 68 37A94000 push 40A937
004FC71B E8 7D79FFFF call 004F409D ; 004F409D
004FC720 8906 mov dword ptr ds:[esi],eax
004FC722 E9 99030000 jmp 004FCAC0 ; 004FCAC0
004FC727 68 3CE04000 push 40E03C
004FC72C E8 6C79FFFF call 004F409D ; 004F409D
004FC731 50 push eax
004FC732 57 push edi
004FC733 E8 3A83FFFF call 004F4A72 ; 004F4A72
004FC738 85C0 test eax,eax
004FC73A 75 11 jnz short 004FC74D ; 004FC74D
004FC73C 68 4AA94000 push 40A94A
004FC741 E8 5779FFFF call 004F409D ; 004F409D
004FC746 8906 mov dword ptr ds:[esi],eax
004FC748 E9 73030000 jmp 004FCAC0 ; 004FCAC0
004FC74D 68 57E04000 push 40E057
004FC752 E8 4679FFFF call 004F409D ; 004F409D
004FC757 50 push eax
004FC758 57 push edi
004FC759 E8 1483FFFF call 004F4A72 ; 004F4A72
004FC75E 85C0 test eax,eax
004FC760 0F85 FC020000 jnz 004FCA62 ; 004FCA62
004FC766 68 5DA94000 push 40A95D
004FC76B E8 2D79FFFF call 004F409D ; 004F409D
004FC770 8906 mov dword ptr ds:[esi],eax
004FC772 E9 49030000 jmp 004FCAC0 ; 004FCAC0
004FC777 85C0 test eax,eax
004FC779 0F84 23030000 je 004FCAA2 ; 004FCAA2
004FC77F 8B4424 1C mov eax,dword ptr ss:[esp+1C]
004FC783 85C0 test eax,eax
004FC785 74 5E je short 004FC7E5 ; 004FC7E5
004FC787 68 6AE04000 push 40E06A
004FC78C E8 0C79FFFF call 004F409D ; 004F409D
004FC791 50 push eax
004FC792 57 push edi
004FC793 E8 DA82FFFF call 004F4A72 ; 004F4A72
004FC798 85C0 test eax,eax
004FC79A 75 11 jnz short 004FC7AD ; 004FC7AD
004FC79C 68 B1CE4000 push 40CEB1
004FC7A1 E8 F778FFFF call 004F409D ; 004F409D
004FC7A6 8906 mov dword ptr ds:[esi],eax
004FC7A8 E9 13030000 jmp 004FCAC0 ; 004FCAC0
004FC7AD 68 10CF4000 push 40CF10
004FC7B2 E8 E678FFFF call 004F409D ; 004F409D
004FC7B7 50 push eax
004FC7B8 57 push edi
004FC7B9 E8 B482FFFF call 004F4A72 ; 004F4A72
004FC7BE 85C0 test eax,eax
004FC7C0 75 11 jnz short 004FC7D3 ; 004FC7D3
004FC7C2 68 27CF4000 push 40CF27
004FC7C7 E8 D178FFFF call 004F409D ; 004F409D
004FC7CC 8906 mov dword ptr ds:[esi],eax
004FC7CE E9 ED020000 jmp 004FCAC0 ; 004FCAC0
004FC7D3 8B4424 10 mov eax,dword ptr ss:[esp+10]
004FC7D7 57 push edi
004FC7D8 50 push eax
004FC7D9 E8 85250000 call 004FED63 ; 004FED63
004FC7DE 8906 mov dword ptr ds:[esi],eax
004FC7E0 E9 DB020000 jmp 004FCAC0 ; 004FCAC0
004FC7E5 8B4424 24 mov eax,dword ptr ss:[esp+24]
004FC7E9 85C0 test eax,eax
004FC7EB 0F84 5C020000 je 004FCA4D ; 004FCA4D
004FC7F1 68 76E04000 push 40E076
004FC7F6 E8 A278FFFF call 004F409D ; 004F409D
004FC7FB 50 push eax
004FC7FC 57 push edi
004FC7FD E8 7082FFFF call 004F4A72 ; 004F4A72
004FC802 85C0 test eax,eax
004FC804 75 11 jnz short 004FC817 ; 004FC817
004FC806 68 E4CF4000 push 40CFE4
004FC80B E8 8D78FFFF call 004F409D ; 004F409D
004FC810 8906 mov dword ptr ds:[esi],eax
004FC812 E9 A9020000 jmp 004FCAC0 ; 004FCAC0
004FC817 68 8AE04000 push 40E08A
004FC81C E8 7C78FFFF call 004F409D ; 004F409D
004FC821 50 push eax
004FC822 57 push edi
004FC823 E8 4A82FFFF call 004F4A72 ; 004F4A72
004FC828 85C0 test eax,eax
004FC82A 75 11 jnz short 004FC83D ; 004FC83D
004FC82C 68 32D04000 push 40D032
004FC831 E8 6778FFFF call 004F409D ; 004F409D
004FC836 8906 mov dword ptr ds:[esi],eax
004FC838 E9 83020000 jmp 004FCAC0 ; 004FCAC0
004FC83D 68 98E04000 push 40E098
004FC842 E8 5678FFFF call 004F409D ; 004F409D
004FC847 50 push eax
004FC848 57 push edi
004FC849 E8 2482FFFF call 004F4A72 ; 004F4A72
004FC84E 85C0 test eax,eax
004FC850 75 11 jnz short 004FC863 ; 004FC863
004FC852 68 C9C54000 push 40C5C9
004FC857 E8 4178FFFF call 004F409D ; 004F409D
004FC85C 8906 mov dword ptr ds:[esi],eax
004FC85E E9 5D020000 jmp 004FCAC0 ; 004FCAC0
004FC863 68 A3E04000 push 40E0A3
004FC868 E8 3078FFFF call 004F409D ; 004F409D
004FC86D 50 push eax
004FC86E 57 push edi
004FC86F E8 FE81FFFF call 004F4A72 ; 004F4A72
004FC874 85C0 test eax,eax
004FC876 75 11 jnz short 004FC889 ; 004FC889
004FC878 68 6FD04000 push 40D06F
004FC87D E8 1B78FFFF call 004F409D ; 004F409D
004FC882 8906 mov dword ptr ds:[esi],eax
004FC884 E9 37020000 jmp 004FCAC0 ; 004FCAC0
004FC889 68 B3E04000 push 40E0B3
004FC88E E8 0A78FFFF call 004F409D ; 004F409D
004FC893 50 push eax
004FC894 57 push edi
004FC895 E8 D881FFFF call 004F4A72 ; 004F4A72
004FC89A 85C0 test eax,eax
004FC89C 75 11 jnz short 004FC8AF ; 004FC8AF
004FC89E 68 56CE4000 push 40CE56
004FC8A3 E8 F577FFFF call 004F409D ; 004F409D
004FC8A8 8906 mov dword ptr ds:[esi],eax
004FC8AA E9 11020000 jmp 004FCAC0 ; 004FCAC0
004FC8AF 68 BFE04000 push 40E0BF
004FC8B4 E8 E477FFFF call 004F409D ; 004F409D
004FC8B9 50 push eax
004FC8BA 57 push edi
004FC8BB E8 B281FFFF call 004F4A72 ; 004F4A72
004FC8C0 85C0 test eax,eax
004FC8C2 75 11 jnz short 004FC8D5 ; 004FC8D5
004FC8C4 68 CDD24000 push 40D2CD
004FC8C9 E8 CF77FFFF call 004F409D ; 004F409D
004FC8CE 8906 mov dword ptr ds:[esi],eax
004FC8D0 E9 EB010000 jmp 004FCAC0 ; 004FCAC0
004FC8D5 68 D0E04000 push 40E0D0 ; ASCII "'H"
004FC8DA E8 BE77FFFF call 004F409D ; 004F409D
004FC8DF 50 push eax
004FC8E0 57 push edi
004FC8E1 E8 8C81FFFF call 004F4A72 ; 004F4A72
004FC8E6 85C0 test eax,eax
004FC8E8 75 11 jnz short 004FC8FB ; 004FC8FB
004FC8EA 68 4BD24000 push 40D24B
004FC8EF E8 A977FFFF call 004F409D ; 004F409D
004FC8F4 8906 mov dword ptr ds:[esi],eax
004FC8F6 E9 C5010000 jmp 004FCAC0 ; 004FCAC0
004FC8FB 68 6AE04000 push 40E06A
004FC900 E8 9877FFFF call 004F409D ; 004F409D
004FC905 50 push eax
004FC906 57 push edi
004FC907 E8 6681FFFF call 004F4A72 ; 004F4A72
004FC90C 85C0 test eax,eax
004FC90E 75 11 jnz short 004FC921 ; 004FC921
004FC910 68 B1CE4000 push 40CEB1
004FC915 E8 8377FFFF call 004F409D ; 004F409D
004FC91A 8906 mov dword ptr ds:[esi],eax
004FC91C E9 9F010000 jmp 004FCAC0 ; 004FCAC0
004FC921 68 10CF4000 push 40CF10
004FC926 E8 7277FFFF call 004F409D ; 004F409D
004FC92B 50 push eax
004FC92C 57 push edi
004FC92D E8 4081FFFF call 004F4A72 ; 004F4A72
004FC932 85C0 test eax,eax
004FC934 75 11 jnz short 004FC947 ; 004FC947
004FC936 68 27CF4000 push 40CF27
004FC93B E8 5D77FFFF call 004F409D ; 004F409D
004FC940 8906 mov dword ptr ds:[esi],eax
004FC942 E9 79010000 jmp 004FCAC0 ; 004FCAC0
004FC947 68 E3E04000 push 40E0E3
004FC94C E8 4C77FFFF call 004F409D ; 004F409D
004FC951 50 push eax
004FC952 57 push edi
004FC953 E8 1A81FFFF call 004F4A72 ; 004F4A72
004FC958 85C0 test eax,eax
004FC95A 75 11 jnz short 004FC96D ; 004FC96D
004FC95C 68 80D04000 push 40D080
004FC961 E8 3777FFFF call 004F409D ; 004F409D
004FC966 8906 mov dword ptr ds:[esi],eax
004FC968 E9 53010000 jmp 004FCAC0 ; 004FCAC0
004FC96D 68 AFD04000 push 40D0AF
004FC972 E8 2677FFFF call 004F409D ; 004F409D
004FC977 50 push eax
004FC978 57 push edi
004FC979 E8 F480FFFF call 004F4A72 ; 004F4A72
004FC97E 85C0 test eax,eax
004FC980 75 11 jnz short 004FC993 ; 004FC993
004FC982 68 96CF4000 push 40CF96 ; ASCII "MPM"
004FC987 E8 1177FFFF call 004F409D ; 004F409D
004FC98C 8906 mov dword ptr ds:[esi],eax
004FC98E E9 2D010000 jmp 004FCAC0 ; 004FCAC0
004FC993 68 F3E04000 push 40E0F3
004FC998 E8 0077FFFF call 004F409D ; 004F409D
004FC99D 50 push eax
004FC99E 57 push edi
004FC99F E8 CE80FFFF call 004F4A72 ; 004F4A72
004FC9A4 85C0 test eax,eax
004FC9A6 75 11 jnz short 004FC9B9 ; 004FC9B9
004FC9A8 68 E7D14000 push 40D1E7
004FC9AD E8 EB76FFFF call 004F409D ; 004F409D
004FC9B2 8906 mov dword ptr ds:[esi],eax
004FC9B4 E9 07010000 jmp 004FCAC0 ; 004FCAC0
004FC9B9 68 08E14000 push 40E108
004FC9BE E8 DA76FFFF call 004F409D ; 004F409D
004FC9C3 50 push eax
004FC9C4 57 push edi
004FC9C5 E8 A880FFFF call 004F4A72 ; 004F4A72
004FC9CA 85C0 test eax,eax
004FC9CC 75 11 jnz short 004FC9DF ; 004FC9DF
004FC9CE 68 A0D04000 push 40D0A0
004FC9D3 E8 C576FFFF call 004F409D ; 004F409D
004FC9D8 8906 mov dword ptr ds:[esi],eax
004FC9DA E9 E1000000 jmp 004FCAC0 ; 004FCAC0
004FC9DF 68 1CE14000 push 40E11C
004FC9E4 E8 B476FFFF call 004F409D ; 004F409D
004FC9E9 50 push eax
004FC9EA 57 push edi
004FC9EB E8 8280FFFF call 004F4A72 ; 004F4A72
004FC9F0 85C0 test eax,eax
004FC9F2 75 11 jnz short 004FCA05 ; 004FCA05
004FC9F4 68 EFD24000 push 40D2EF
004FC9F9 E8 9F76FFFF call 004F409D ; 004F409D
004FC9FE 8906 mov dword ptr ds:[esi],eax
004FCA00 E9 BB000000 jmp 004FCAC0 ; 004FCAC0
004FCA05 68 31E14000 push 40E131
004FCA0A E8 8E76FFFF call 004F409D ; 004F409D
004FCA0F 50 push eax
004FCA10 57 push edi
004FCA11 E8 5C80FFFF call 004F4A72 ; 004F4A72
004FCA16 85C0 test eax,eax
004FCA18 75 19 jnz short 004FCA33 ; 004FCA33
004FCA1A 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004FCA1E 50 push eax
004FCA1F 57 push edi
004FCA20 51 push ecx
004FCA21 E8 72BAFFFF call 004F8498 ; 004F8498
004FCA26 50 push eax
004FCA27 E8 B3F2FFFF call 004FBCDF ; 004FBCDF
004FCA2C 8906 mov dword ptr ds:[esi],eax
004FCA2E E9 8D000000 jmp 004FCAC0 ; 004FCAC0
004FCA33 8B5424 2C mov edx,dword ptr ss:[esp+2C]
004FCA37 8B4424 10 mov eax,dword ptr ss:[esp+10]
004FCA3B 52 push edx
004FCA3C 57 push edi
004FCA3D 50 push eax
004FCA3E E8 55BAFFFF call 004F8498 ; 004F8498
004FCA43 50 push eax
004FCA44 E8 96F2FFFF call 004FBCDF ; 004FBCDF
004FCA49 8906 mov dword ptr ds:[esi],eax
004FCA4B EB 73 jmp short 004FCAC0 ; 004FCAC0
004FCA4D 68 6AE04000 push 40E06A
004FCA52 E8 4676FFFF call 004F409D ; 004F409D
004FCA57 50 push eax
004FCA58 57 push edi
004FCA59 E8 1480FFFF call 004F4A72 ///检查是不是MessageBoxA函数。 ; 004F4A72
004FCA5E 85C0 test eax,eax
004FCA60 75 0E jnz short 004FCA70 ///必须跳。
004FCA62 68 B1CE4000 push 40CEB1
004FCA67 E8 3176FFFF call 004F409D ; 004F409D
004FCA6C 8906 mov dword ptr ds:[esi],eax
004FCA6E EB 50 jmp short 004FCAC0 ; 004FCAC0
004FCA70 68 10CF4000 push 40CF10
004FCA75 E8 2376FFFF call 004F409D ; 004F409D
004FCA7A 50 push eax
004FCA7B 57 push edi
004FCA7C E8 F17FFFFF call 004F4A72 ///检查是不是MessageBoxW函数。 ; 004F4A72
004FCA81 85C0 test eax,eax
004FCA83 75 0E jnz short 004FCA93 ///必须跳。
004FCA85 68 27CF4000 push 40CF27
004FCA8A E8 0E76FFFF call 004F409D ; 004F409D
004FCA8F 8906 mov dword ptr ds:[esi],eax
004FCA91 EB 2D jmp short 004FCAC0 ; 004FCAC0
004FCA93 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004FCA97 57 push edi
004FCA98 51 push ecx
004FCA99 E8 FAB9FFFF call 004F8498 ; 004F8498
004FCA9E 8906 mov dword ptr ds:[esi],eax
004FCAA0 EB 1E jmp short 004FCAC0 ; 004FCAC0
004FCAA2 8B5424 10 mov edx,dword ptr ss:[esp+10]
004FCAA6 57 push edi
004FCAA7 52 push edx
004FCAA8 E8 EBB9FFFF call 004F8498 ; 004F8498
004FCAAD 8906 mov dword ptr ds:[esi],eax
004FCAAF 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
004FCAB3 85C9 test ecx,ecx
004FCAB5 74 09 je short 004FCAC0 ; 004FCAC0
004FCAB7 8901 mov dword ptr ds:[ecx],eax
004FCAB9 83C1 04 add ecx,4
004FCABC 894C24 14 mov dword ptr ss:[esp+14],ecx
004FCAC0 33C0 xor eax,eax
004FCAC2 66:8B03 mov ax,word ptr ds:[ebx]
004FCAC5 50 push eax
004FCAC6 68 FF000000 push 0FF
004FCACB 57 push edi
004FCACC E8 5D8DFFFF call 004F582E ; 004F582E
004FCAD1 66:C703 0000 mov word ptr ds:[ebx],0
004FCAD6 8B7C24 10 mov edi,dword ptr ss:[esp+10]
004FCADA 3BEE cmp ebp,esi
004FCADC 74 08 je short 004FCAE6 ; 004FCAE6
004FCADE 6A 04 push 4
004FCAE0 55 push ebp
004FCAE1 E8 B27FFFFF call 004F4A98 ; 004F4A98
004FCAE6 8B5C24 18 mov ebx,dword ptr ss:[esp+18]
004FCAEA 83C5 04 add ebp,4
004FCAED 83C6 04 add esi,4
004FCAF0 ^ E9 98F9FFFF jmp 004FC48D ///循环处理函数。
004FCAF5 E8 8E7DFFFF call 004F4888 ; 004F4888
004FCAFA 8B7424 20 mov esi,dword ptr ss:[esp+20] ; Project2.004840B4
004FCAFE 8B5424 3C mov edx,dword ptr ss:[esp+3C]
004FCB02 8B4E 04 mov ecx,dword ptr ds:[esi+4]
004FCB05 51 push ecx
004FCB06 68 FF000000 push 0FF
004FCB0B 52 push edx
004FCB0C E8 1D8DFFFF call 004F582E ; 004F582E
004FCB11 6A 14 push 14
004FCB13 56 push esi
004FCB14 E8 7F7FFFFF call 004F4A98 ; 004F4A98
004FCB19 83C6 14 add esi,14
004FCB1C 8B5C24 14 mov ebx,dword ptr ss:[esp+14]
004FCB20 8B6C24 34 mov ebp,dword ptr ss:[esp+34]
004FCB24 897424 20 mov dword ptr ss:[esp+20],esi
004FCB28 ^ E9 92F7FFFF jmp 004FC2BF ///循环处理DLL。
004FCB2D 8B8424 4C040000 mov eax,dword ptr ss:[esp+44C]
004FCB34 85C0 test eax,eax
从以上分析可以看出,程序对kernel32.dll、user32.dll、gdi32.dll、advapi32.dll、shell32.dll、sdprotector.dll等6个DLL的函数进行加密处理,同时对MessageBoxA、MessageBoxW两个函数进行加密处理。跳过这些加密处理就可以得到完整的IAT。
仍然用脚本跳过这些加密处理,得到的IAT全部有效。脚本运行结束后就可以用ImportREC修复IAT了,OEP=7EBB8 RVA=84164 SIZE=6F0即可。
最后完整的IAT:
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; And finally, edit this file as your own risk! :-)
Target: C:\Documents and Settings\csjwaman\桌面\Project2\Project2.exe
OEP: 0007EBB8 IATRVA: 00084164 IATSize: 000006F0
FThunk: 00084168 NbFunc: 00000022
1 00084168 kernel32.dll 007B DeleteCriticalSection
1 0008416C kernel32.dll 023A LeaveCriticalSection
1 00084170 kernel32.dll 0090 EnterCriticalSection
1 00084174 kernel32.dll 020F InitializeCriticalSection
1 00084178 kernel32.dll 0367 VirtualFree
1 0008417C kernel32.dll 0364 VirtualAlloc
1 00084180 kernel32.dll 0245 LocalFree
1 00084184 kernel32.dll 0241 LocalAlloc
1 00084188 kernel32.dll 01D4 GetVersion
1 0008418C kernel32.dll 0138 GetCurrentThreadId
1 00084190 kernel32.dll 0213 InterlockedDecrement
1 00084194 kernel32.dll 0217 InterlockedIncrement
1 00084198 kernel32.dll 036C VirtualQuery
1 0008419C kernel32.dll 0378 WideCharToMultiByte
1 000841A0 kernel32.dll 025E MultiByteToWideChar
1 000841A4 kernel32.dll 03AC lstrlen
1 000841A8 kernel32.dll 03A9 lstrcpyn
1 000841AC kernel32.dll 023C LoadLibraryExA
1 000841B0 kernel32.dll 01C6 GetThreadLocale
1 000841B4 kernel32.dll 01A6 GetStartupInfoA
1 000841B8 kernel32.dll 0191 GetProcAddress
1 000841BC kernel32.dll 016F GetModuleHandleA
1 000841C0 kernel32.dll 016D GetModuleFileNameA
1 000841C4 kernel32.dll 0165 GetLocaleInfoA
1 000841C8 kernel32.dll 0103 GetCommandLineA
1 000841CC kernel32.dll 00EA FreeLibrary
1 000841D0 kernel32.dll 00CA FindFirstFileA
1 000841D4 kernel32.dll 00C6 FindClose
1 000841D8 kernel32.dll 00B0 ExitProcess
1 000841DC kernel32.dll 0385 WriteFile
1 000841E0 kernel32.dll 0351 UnhandledExceptionFilter
1 000841E4 kernel32.dll 02BE RtlUnwind
1 000841E8 kernel32.dll 0290 RaiseException
1 000841EC kernel32.dll 01A8 GetStdHandle
FThunk: 000841F4 NbFunc: 00000004
1 000841F4 user32.dll 0128 GetKeyboardType
1 000841F8 user32.dll 01C9 LoadStringA
1 000841FC user32.dll 01DD MessageBoxA
1 00084200 user32.dll 002B CharNextA
FThunk: 00084208 NbFunc: 00000003
1 00084208 advapi32.dll 01EC RegQueryValueExA
1 0008420C advapi32.dll 01E2 RegOpenKeyExA
1 00084210 advapi32.dll 01C9 RegCloseKey
FThunk: 00084218 NbFunc: 00000003
1 00084218 oleaut32.dll 0006 SysFreeString
1 0008421C oleaut32.dll 0005 SysReAllocStringLen
1 00084220 oleaut32.dll 0004 SysAllocStringLen
FThunk: 00084228 NbFunc: 00000004
1 00084228 kernel32.dll 0348 TlsSetValue
1 0008422C kernel32.dll 0347 TlsGetValue
1 00084230 kernel32.dll 0241 LocalAlloc
1 00084234 kernel32.dll 016F GetModuleHandleA
FThunk: 0008423C NbFunc: 00000009
1 0008423C advapi32.dll 01F9 RegSetValueExA
1 00084240 advapi32.dll 01EC RegQueryValueExA
1 00084244 advapi32.dll 01E7 RegQueryInfoKeyA
1 00084248 advapi32.dll 01E2 RegOpenKeyExA
1 0008424C advapi32.dll 01DB RegFlushKey
1 00084250 advapi32.dll 01D6 RegEnumKeyExA
1 00084254 advapi32.dll 01D0 RegDeleteKeyA
1 00084258 advapi32.dll 01CD RegCreateKeyExA
1 0008425C advapi32.dll 01C9 RegCloseKey
FThunk: 00084264 NbFunc: 0000004A
1 00084264 kernel32.dll 03A6 lstrcpy
1 00084268 kernel32.dll 0385 WriteFile
1 0008426C kernel32.dll 0374 WaitForSingleObject
1 00084270 kernel32.dll 036C VirtualQuery
1 00084274 kernel32.dll 0364 VirtualAlloc
1 00084278 kernel32.dll 0338 Sleep
1 0008427C kernel32.dll 0337 SizeofResource
1 00084280 kernel32.dll 0327 SetThreadPriority
1 00084284 kernel32.dll 0326 SetThreadLocale
1 00084288 kernel32.dll 0300 SetFilePointer
1 0008428C kernel32.dll 02FB SetEvent
1 00084290 kernel32.dll 02FA SetErrorMode
1 00084294 kernel32.dll 02F7 SetEndOfFile
1 00084298 kernel32.dll 02B6 ResetEvent
1 0008429C kernel32.dll 029D ReadFile
1 000842A0 kernel32.dll 025E MultiByteToWideChar
1 000842A4 kernel32.dll 025D MulDiv
1 000842A8 kernel32.dll 024E LockResource
1 000842AC kernel32.dll 0240 LoadResource
1 000842B0 kernel32.dll 023B LoadLibraryA
1 000842B4 kernel32.dll 023A LeaveCriticalSection
1 000842B8 kernel32.dll 020F InitializeCriticalSection
1 000842BC kernel32.dll 01F6 GlobalUnlock
1 000842C0 kernel32.dll 01F3 GlobalSize
1 000842C4 kernel32.dll 01F2 GlobalReAlloc
1 000842C8 kernel32.dll 01EE GlobalHandle
1 000842CC kernel32.dll 01EF GlobalLock
1 000842D0 kernel32.dll 01EB GlobalFree
1 000842D4 kernel32.dll 01E7 GlobalFindAtomA
1 000842D8 kernel32.dll 01E6 GlobalDeleteAtom
1 000842DC kernel32.dll 01E4 GlobalAlloc
1 000842E0 kernel32.dll 01E2 GlobalAddAtomA
1 000842E4 kernel32.dll 01D5 GetVersionExA
1 000842E8 kernel32.dll 01D4 GetVersion
1 000842EC kernel32.dll 01CF GetUserDefaultLCID
1 000842F0 kernel32.dll 01CB GetTickCount
1 000842F4 kernel32.dll 01C7 GetThreadPriority
1 000842F8 kernel32.dll 01C6 GetThreadLocale
1 000842FC kernel32.dll 01B2 GetSystemInfo
1 00084300 kernel32.dll 01AA GetStringTypeExA
1 00084304 kernel32.dll 01A8 GetStdHandle
1 00084308 kernel32.dll 0191 GetProcAddress
1 0008430C kernel32.dll 016F GetModuleHandleA
1 00084310 kernel32.dll 016D GetModuleFileNameA
1 00084314 kernel32.dll 0165 GetLocaleInfoA
1 00084318 kernel32.dll 0164 GetLocalTime
1 0008431C kernel32.dll 0162 GetLastError
1 00084320 kernel32.dll 015B GetFullPathNameA
1 00084324 kernel32.dll 013F GetDiskFreeSpaceA
1 00084328 kernel32.dll 0139 GetDateFormatA
1 0008432C kernel32.dll 0138 GetCurrentThreadId
1 00084330 kernel32.dll 0137 GetCurrentThread
1 00084334 kernel32.dll 0136 GetCurrentProcessId
1 00084338 kernel32.dll 0107 GetComputerNameA
1 0008433C kernel32.dll 00F7 GetCPInfo
1 00084340 kernel32.dll 00F0 GetACP
1 00084344 kernel32.dll 00EC FreeResource
1 00084348 kernel32.dll 0214 InterlockedExchange
1 0008434C kernel32.dll 00EA FreeLibrary
1 00084350 kernel32.dll 00E5 FormatMessageA
1 00084354 kernel32.dll 00D9 FindResourceA
1 00084358 kernel32.dll 00CA FindFirstFileA
1 0008435C kernel32.dll 00C6 FindClose
1 00084360 kernel32.dll 00BC FileTimeToLocalFileTime
1 00084364 kernel32.dll 00BB FileTimeToDosDateTime
1 00084368 kernel32.dll 0091 EnumCalendarInfoA
1 0008436C kernel32.dll 0090 EnterCriticalSection
1 00084370 kernel32.dll 0084 DeviceIoControl
1 00084374 kernel32.dll 007B DeleteCriticalSection
1 00084378 kernel32.dll 006A CreateThread
1 0008437C kernel32.dll 004E CreateFileA
1 00084380 kernel32.dll 004A CreateEventA
1 00084384 kernel32.dll 0036 CompareStringA
1 00084388 kernel32.dll 0030 CloseHandle
FThunk: 00084390 NbFunc: 00000003
1 00084390 version.dll 000B VerQueryValueA
1 00084394 version.dll 0002 GetFileVersionInfoSizeA
1 00084398 version.dll 0001 GetFileVersionInfoA
FThunk: 000843A0 NbFunc: 00000048
1 000843A0 gdi32.dll 0253 UnrealizeObject
1 000843A4 gdi32.dll 024A StretchBlt
1 000843A8 gdi32.dll 0244 SetWindowOrgEx
1 000843AC gdi32.dll 0242 SetWinMetaFileBits
1 000843B0 gdi32.dll 0240 SetViewportOrgEx
1 000843B4 gdi32.dll 023D SetTextColor
1 000843B8 gdi32.dll 0239 SetStretchBltMode
1 000843BC gdi32.dll 0236 SetROP2
1 000843C0 gdi32.dll 0232 SetPixel
1 000843C4 gdi32.dll 022C SetMapMode
1 000843C8 gdi32.dll 0223 SetEnhMetaFileBits
1 000843CC gdi32.dll 021F SetDIBColorTable
1 000843D0 gdi32.dll 021A SetBrushOrgEx
1 000843D4 gdi32.dll 0217 SetBkMode
1 000843D8 gdi32.dll 0216 SetBkColor
1 000843DC gdi32.dll 0210 SelectPalette
1 000843E0 gdi32.dll 020F SelectObject
1 000843E4 gdi32.dll 0208 SaveDC
1 000843E8 gdi32.dll 0201 RestoreDC
1 000843EC gdi32.dll 01F7 Rectangle
1 000843F0 gdi32.dll 01F6 RectVisible
1 000843F4 gdi32.dll 01F4 RealizePalette
1 000843F8 gdi32.dll 01EF Polyline
1 000843FC gdi32.dll 01E1 PlayEnhMetaFile
1 00084400 gdi32.dll 01DE PatBlt
1 00084404 gdi32.dll 01D2 MoveToEx
1 00084408 gdi32.dll 01CF MaskBlt
1 0008440C gdi32.dll 01CE LineTo
1 00084410 gdi32.dll 01CC LPtoDP
1 00084414 gdi32.dll 01C8 IntersectClipRect
1 00084418 gdi32.dll 01C4 GetWindowOrgEx
1 0008441C gdi32.dll 01C2 GetWinMetaFileBits
1 00084420 gdi32.dll 01BD GetTextMetricsA
1 00084424 gdi32.dll 01B5 GetTextExtentPoint32A
1 00084428 gdi32.dll 01AA GetSystemPaletteEntries
1 0008442C gdi32.dll 01A6 GetStockObject
1 00084430 gdi32.dll 019D GetPixel
1 00084434 gdi32.dll 019B GetPaletteEntries
1 00084438 gdi32.dll 0196 GetObjectA
1 0008443C gdi32.dll 0176 GetEnhMetaFilePaletteEntries
1 00084440 gdi32.dll 0175 GetEnhMetaFileHeader
1 00084444 gdi32.dll 0173 GetEnhMetaFileDescriptionA
1 00084448 gdi32.dll 0172 GetEnhMetaFileBits
1 0008444C gdi32.dll 016C GetDeviceCaps
1 00084450 gdi32.dll 016B GetDIBits
1 00084454 gdi32.dll 016A GetDIBColorTable
1 00084458 gdi32.dll 0168 GetDCOrgEx
1 0008445C gdi32.dll 0166 GetCurrentPositionEx
1 00084460 gdi32.dll 0161 GetClipBox
1 00084464 gdi32.dll 0151 GetBrushOrgEx
1 00084468 gdi32.dll 014B GetBitmapBits
1 0008446C gdi32.dll 011C GdiFlush
1 00084470 gdi32.dll 00DE ExtTextOutA
1 00084474 gdi32.dll 00D8 ExcludeClipRect
1 00084478 gdi32.dll 0090 DeleteObject
1 0008447C gdi32.dll 008E DeleteEnhMetaFile
1 00084480 gdi32.dll 008D DeleteDC
1 00084484 gdi32.dll 0051 CreateSolidBrush
1 00084488 gdi32.dll 0049 CreatePenIndirect
1 0008448C gdi32.dll 0046 CreatePalette
1 00084490 gdi32.dll 0040 CreateHalftonePalette
1 00084494 gdi32.dll 003B CreateFontIndirectA
1 00084498 gdi32.dll 0038 CreateEnhMetaFileA
1 0008449C gdi32.dll 0034 CreateDIBitmap
1 000844A0 gdi32.dll 0033 CreateDIBSection
1 000844A4 gdi32.dll 002E CreateCompatibleDC
1 000844A8 gdi32.dll 002D CreateCompatibleBitmap
1 000844AC gdi32.dll 002A CreateBrushIndirect
1 000844B0 gdi32.dll 0028 CreateBitmap
1 000844B4 gdi32.dll 0024 CopyEnhMetaFileA
1 000844B8 gdi32.dll 001D CloseEnhMetaFile
1 000844BC gdi32.dll 0013 BitBlt
FThunk: 000844C4 NbFunc: 0000009E
1 000844C4 user32.dll 0061 CreateWindowExA
1 000844C8 user32.dll 02D6 WindowFromPoint
1 000844CC user32.dll 02D3 WinHelpA
1 000844D0 user32.dll 02D1 WaitMessage
1 000844D4 user32.dll 02BC UpdateWindow
1 000844D8 user32.dll 02B4 UnregisterClassA
1 000844DC user32.dll 02AF UnhookWindowsHookEx
1 000844E0 user32.dll 02AB TranslateMessage
1 000844E4 user32.dll 02AA TranslateMDISysAccel
1 000844E8 user32.dll 02A5 TrackPopupMenu
1 000844EC user32.dll 029A SystemParametersInfoA
1 000844F0 user32.dll 0293 ShowWindow
1 000844F4 user32.dll 0291 ShowScrollBar
1 000844F8 user32.dll 0290 ShowOwnedPopups
1 000844FC user32.dll 028F ShowCursor
1 00084500 user32.dll 028B SetWindowsHookExA
1 00084504 user32.dll 0287 SetWindowTextA
1 00084508 user32.dll 0284 SetWindowPos
1 0008450C user32.dll 0283 SetWindowPlacement
1 00084510 user32.dll 0281 SetWindowLongA
1 00084514 user32.dll 027B SetTimer
1 00084518 user32.dll 0271 SetScrollRange
1 0008451C user32.dll 0270 SetScrollPos
1 00084520 user32.dll 026F SetScrollInfo
1 00084524 user32.dll 026D SetRect
1 00084528 user32.dll 026B SetPropA
1 0008452C user32.dll 0267 SetParent
1 00084530 user32.dll 0263 SetMenuItemInfoA
1 00084534 user32.dll 025E SetMenu
1 00084538 user32.dll 0258 SetForegroundWindow
1 0008453C user32.dll 0257 SetFocus
1 00084540 user32.dll 024E SetCursor
1 00084544 user32.dll 0248 SetClassLongA
1 00084548 user32.dll 0245 SetCapture
1 0008454C user32.dll 0244 SetActiveWindow
1 00084550 user32.dll 023C SendMessageA
1 00084554 user32.dll 0235 ScrollWindow
1 00084558 user32.dll 0232 ScreenToClient
1 0008455C user32.dll 022D RemovePropA
1 00084560 user32.dll 022C RemoveMenu
1 00084564 user32.dll 022B ReleaseDC
1 00084568 user32.dll 022A ReleaseCapture
1 0008456C user32.dll 021B RegisterClipboardFormatA
1 00084570 user32.dll 021B RegisterClipboardFormatA
1 00084574 user32.dll 0217 RegisterClassA
1 00084578 user32.dll 0216 RedrawWindow
1 0008457C user32.dll 020C PtInRect
1 00084580 user32.dll 0202 PostQuitMessage
1 00084584 user32.dll 0200 PostMessageA
1 00084588 user32.dll 01FE PeekMessageA
1 0008458C user32.dll 01F3 OffsetRect
1 00084590 user32.dll 01EF OemToCharA
1 00084594 user32.dll 01DD MessageBoxA
1 00084598 user32.dll 01D8 MapWindowPoints
1 0008459C user32.dll 01D4 MapVirtualKeyA
1 000845A0 user32.dll 01C9 LoadStringA
1 000845A4 user32.dll 01C0 LoadKeyboardLayoutA
1 000845A8 user32.dll 01BC LoadIconA
1 000845AC user32.dll 01B8 LoadCursorA
1 000845B0 user32.dll 01B6 LoadBitmapA
1 000845B4 user32.dll 01B3 KillTimer
1 000845B8 user32.dll 01B1 IsZoomed
1 000845BC user32.dll 01B0 IsWindowVisible
1 000845C0 user32.dll 01AD IsWindowEnabled
1 000845C4 user32.dll 01AC IsWindow
1 000845C8 user32.dll 01A9 IsRectEmpty
1 000845CC user32.dll 01A7 IsIconic
1 000845D0 user32.dll 01A1 IsDialogMessage
1 000845D4 user32.dll 019F IsChild
1 000845D8 user32.dll 0194 InvalidateRect
1 000845DC user32.dll 0193 IntersectRect
1 000845E0 user32.dll 018F InsertMenuItemA
1 000845E4 user32.dll 018E InsertMenuA
1 000845E8 user32.dll 018B InflateRect
1 000845EC user32.dll 017C GetWindowThreadProcessId
1 000845F0 user32.dll 0178 GetWindowTextA
1 000845F4 user32.dll 0175 GetWindowRect
1 000845F8 user32.dll 0174 GetWindowPlacement
1 000845FC user32.dll 016F GetWindowLongA
1 00084600 user32.dll 016D GetWindowDC
1 00084604 user32.dll 0164 GetTopWindow
1 00084608 user32.dll 015E GetSystemMetrics
1 0008460C user32.dll 015D GetSystemMenu
1 00084610 user32.dll 015C GetSysColorBrush
1 00084614 user32.dll 015B GetSysColor
1 00084618 user32.dll 015A GetSubMenu
1 0008461C user32.dll 0158 GetScrollRange
1 00084620 user32.dll 0157 GetScrollPos
1 00084624 user32.dll 0156 GetScrollInfo
1 00084628 user32.dll 014B GetPropA
1 0008462C user32.dll 0146 GetParent
1 00084630 user32.dll 016B GetWindow
1 00084634 user32.dll 013E GetMessageTime
1 00084638 user32.dll 0139 GetMenuStringA
1 0008463C user32.dll 0138 GetMenuState
1 00084640 user32.dll 0135 GetMenuItemInfoA
1 00084644 user32.dll 0134 GetMenuItemID
1 00084648 user32.dll 0133 GetMenuItemCount
1 0008464C user32.dll 012D GetMenu
1 00084650 user32.dll 0129 GetLastActivePopup
1 00084654 user32.dll 0127 GetKeyboardState
1 00084658 user32.dll 0124 GetKeyboardLayoutList
1 0008465C user32.dll 0123 GetKeyboardLayout
1 00084660 user32.dll 0122 GetKeyState
1 00084664 user32.dll 0120 GetKeyNameTextA
1 00084668 user32.dll 011B GetIconInfo
1 0008466C user32.dll 0118 GetForegroundWindow
1 00084670 user32.dll 0117 GetFocus
1 00084674 user32.dll 010F GetDesktopWindow
1 00084678 user32.dll 010E GetDCEx
1 0008467C user32.dll 010D GetDC
1 00084680 user32.dll 010C GetCursorPos
1 00084684 user32.dll 0109 GetCursor
1 00084688 user32.dll 0102 GetClipboardData
1 0008468C user32.dll 0100 GetClientRect
1 00084690 user32.dll 00FD GetClassNameA
1 00084694 user32.dll 00F7 GetClassInfoA
1 00084698 user32.dll 00F4 GetCapture
1 0008469C user32.dll 00EC GetActiveWindow
1 000846A0 user32.dll 00EA FrameRect
1 000846A4 user32.dll 00E4 FindWindowA
1 000846A8 user32.dll 00E3 FillRect
1 000846AC user32.dll 00E0 EqualRect
1 000846B0 user32.dll 00DF EnumWindows
1 000846B4 user32.dll 00DC EnumThreadWindows
1 000846B8 user32.dll 00C9 EndPaint
1 000846BC user32.dll 00C5 EnableWindow
1 000846C0 user32.dll 00C4 EnableScrollBar
1 000846C4 user32.dll 00C3 EnableMenuItem
1 000846C8 user32.dll 00BD DrawTextA
1 000846CC user32.dll 00B9 DrawMenuBar
1 000846D0 user32.dll 00B8 DrawIconEx
1 000846D4 user32.dll 00B7 DrawIcon
1 000846D8 user32.dll 00B6 DrawFrameControl
1 000846DC user32.dll 00B3 DrawEdge
1 000846E0 user32.dll 00A2 DispatchMessageA
1 000846E4 user32.dll 009A DestroyWindow
1 000846E8 user32.dll 0098 DestroyMenu
1 000846EC user32.dll 0096 DestroyCursor
1 000846F0 user32.dll 0096 DestroyCursor
1 000846F4 user32.dll 0092 DeleteMenu
1 000846F8 user32.dll 008F DefWindowProcA
1 000846FC user32.dll 008C DefMDIChildProcA
1 00084700 user32.dll 008A DefFrameProcA
1 00084704 user32.dll 005F CreatePopupMenu
1 00084708 user32.dll 005E CreateMenu
1 0008470C user32.dll 0058 CreateIcon
1 00084710 user32.dll 0041 ClientToScreen
1 00084714 user32.dll 003A CheckMenuItem
1 00084718 user32.dll 001C CallWindowProcA
1 0008471C user32.dll 001B CallNextHookEx
1 00084720 user32.dll 000E BeginPaint
1 00084724 user32.dll 002B CharNextA
1 00084728 user32.dll 0028 CharLowerBuffA
1 0008472C user32.dll 0027 CharLowerA
1 00084730 user32.dll 0031 CharToOemA
1 00084734 user32.dll 0003 AdjustWindowRectEx
1 00084738 user32.dll 0001 ActivateKeyboardLayout
FThunk: 00084740 NbFunc: 00000001
1 00084740 kernel32.dll 0338 Sleep
FThunk: 00084748 NbFunc: 00000008
1 00084748 oleaut32.dll 0094 SafeArrayPtrOfIndex
1 0008474C oleaut32.dll 0013 SafeArrayGetUBound
1 00084750 oleaut32.dll 0014 SafeArrayGetLBound
1 00084754 oleaut32.dll 000F SafeArrayCreate
1 00084758 oleaut32.dll 000C VariantChangeType
1 0008475C oleaut32.dll 000A VariantCopy
1 00084760 oleaut32.dll 0009 VariantClear
1 00084764 oleaut32.dll 0008 VariantInit
FThunk: 0008476C NbFunc: 0000000D
1 0008476C ole32.dll 0092 CreateStreamOnHGlobal
1 00084770 ole32.dll 00D6 IsAccelerator
1 00084774 ole32.dll 00F6 OleDraw
1 00084778 ole32.dll 0112 OleSetMenuDescriptor
1 0008477C ole32.dll 0065 CoTaskMemFree
1 00084780 ole32.dll 0008 CLSIDFromProgID
1 00084784 ole32.dll 0116 ProgIDFromCLSID
1 00084788 ole32.dll 0142 StringFromCLSID
1 0008478C ole32.dll 0012 CoCreateInstance
1 00084790 ole32.dll 0024 CoGetClassObject
1 00084794 ole32.dll 0069 CoUninitialize
1 00084798 ole32.dll 003B CoInitialize
1 0008479C ole32.dll 00D7 IsEqualGUID
FThunk: 000847A4 NbFunc: 00000003
1 000847A4 oleaut32.dll 00C8 GetErrorInfo
1 000847A8 oleaut32.dll 0023 GetActiveObject
1 000847AC oleaut32.dll 0006 SysFreeString
FThunk: 000847B4 NbFunc: 00000016
1 000847B4 comctl32.dll 004F ImageList_SetIconSize
1 000847B8 comctl32.dll 003B ImageList_GetIconSize
1 000847BC comctl32.dll 0052 ImageList_Write
1 000847C0 comctl32.dll 0043 ImageList_Read
1 000847C4 comctl32.dll 0038 ImageList_GetDragImage
1 000847C8 comctl32.dll 0031 ImageList_DragShowNolock
1 000847CC comctl32.dll 004C ImageList_SetDragCursorImage
1 000847D0 comctl32.dll 0030 ImageList_DragMove
1 000847D4 comctl32.dll 002F ImageList_DragLeave
1 000847D8 comctl32.dll 002E ImageList_DragEnter
1 000847DC comctl32.dll 0036 ImageList_EndDrag
1 000847E0 comctl32.dll 002A ImageList_BeginDrag
1 000847E4 comctl32.dll 0044 ImageList_Remove
1 000847E8 comctl32.dll 0033 ImageList_DrawEx
1 000847EC comctl32.dll 0032 ImageList_Draw
1 000847F0 comctl32.dll 0037 ImageList_GetBkColor
1 000847F4 comctl32.dll 004B ImageList_SetBkColor
1 000847F8 comctl32.dll 0046 ImageList_ReplaceIcon
1 000847FC comctl32.dll 0027 ImageList_Add
1 00084800 comctl32.dll 003C ImageList_GetImageCount
1 00084804 comctl32.dll 002D ImageList_Destroy
1 00084808 comctl32.dll 002C ImageList_Create
FThunk: 00084810 NbFunc: 00000003
1 00084810 wininet.dll 0092 FindNextUrlCacheEntryExA
1 00084814 wininet.dll 008B FindFirstUrlCacheEntryExA
1 00084818 wininet.dll 0087 FindCloseUrlCache
FThunk: 00084820 NbFunc: 0000000C
1 00084820 wsock32.dll 0074 WSACleanup
1 00084824 wsock32.dll 0073 WSAStartup
1 00084828 wsock32.dll 0065 WSAAsyncSelect
1 0008482C wsock32.dll 0039 gethostname
1 00084830 wsock32.dll 0034 gethostbyname
1 00084834 wsock32.dll 0017 socket
1 00084838 wsock32.dll 0010 recv
1 0008483C wsock32.dll 0009 htons
1 00084840 wsock32.dll 000B inet_ntoa
1 00084844 wsock32.dll 000A inet_addr
1 00084848 wsock32.dll 0009 htons
1 0008484C wsock32.dll 0002 bind
三、脱壳总结
学会多用脚本。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)