在论坛里看了篇关于脱壳的文章
http://bbs.pediy.com/showthread.php?t=72688
但是里面只讲解了如何脱壳,没有讲解这个壳的流程,故写此文章~~~
这里是一开始壳的加密算法~~,非常简单
算法分析: //可逆算法,
加密算法
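/*
 * Reproduction of the packer's first-stage byte cipher (the stub at
 * 0058F09F-0058F0D7 in the dump below). Each byte is transformed in place
 * by a chain of xor/add/rotate steps keyed by the loop counter cl, so every
 * step has an exact inverse and decryption is the same chain run backwards.
 *
 * Changes from the original sketch:
 *  - pMem was a 2-byte array while both loops process nSize (0x0c23) bytes,
 *    so they read and wrote past the buffer; it is now sized to nSize.
 *  - the encryption loop's `loop` was commented out, so only one byte was
 *    encrypted; it is restored to mirror the decryption loop.
 *  - the encryption loop used a literal 0x0c23 instead of nSize.
 *  - `_emit 0xAC` / `__emit 0xAA` are written as the mnemonics they encode
 *    (lodsb / stosb); the emitted bytes are identical.
 *
 * MSVC x86 inline assembly. Works in place on pMem; clobbers eax, ecx, esi,
 * edi and flags.
 */
#define PACKED_SIZE 0x0c23          /* byte count the stub processes (mov ecx, 0C23 in the dump) */
char pMem[PACKED_SIZE] = {0x8B, 0x44};   /* first two bytes as in the sketch; remainder zero-initialised */
int nSize = PACKED_SIZE;

/* Encryption: the key for byte i is cl = nSize - i, because `loop` counts ecx down. */
__asm
{
    mov     ecx, nSize          ; ecx = bytes remaining; cl doubles as the per-byte key
    lea     edi, pMem
    mov     esi, edi            ; in place: read via esi, write back via edi
EncLoop:
    lodsb                       ; al = *esi++          (byte 0xAC)
    xor     al, 0x3a
    add     al, cl
    inc     al
    xor     al, 0x33
    xor     al, 0x1d
    xor     al, 0x97
    add     al, 0xf4
    add     al, cl
    rol     al, 0x6f            ; CPU masks the count: (0x6f & 0x1f) mod 8 = rotate by 7
    add     al, cl
    sub     al, 0x2b
    inc     al
    xor     al, 0x58
    stosb                       ; *edi++ = al          (byte 0xAA)
    loop    EncLoop             ; --ecx; continue while ecx != 0
}

/* Decryption: the same chain in reverse order with each step inverted. */
__asm
{
    mov     ecx, nSize          ; must start from the same value as the encryption loop
    lea     edi, pMem
    mov     esi, edi
DecLoop:
    lodsb                       ; al = *esi++
    xor     al, 0x58
    dec     al
    add     al, 0x2b
    sub     al, cl
    ror     al, 0x6f            ; inverse of the rol above (effective count 7)
    sub     al, cl
    sub     al, 0xf4
    xor     al, 0x97
    xor     al, 0x1d
    xor     al, 0x33
    dec     al
    sub     al, cl
    xor     al, 0x3a
    stosb                       ; *edi++ = al
    loop    DecLoop
}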
0058F063 6A FF push -1
0058F065 68 2A2C0A00 push 0A2C2A ; 这个 注意
0058F06A 68 38900D00 push 0D9038 ; 注意
0058F06F 64:A1 00000000 mov eax, dword ptr fs:[0]
0058F075 50 push eax
0058F076 64:8925 0000000>mov dword ptr fs:[0], esp
0058F07D 58 pop eax
0058F07E 64:A3 00000000 mov dword ptr fs:[0], eax
0058F084 58 pop eax
0058F085 EB 0B jmp short 0058F092 ; //以上代码伪造VC入口点
0058F087 58 pop eax
0058F088 58 pop eax
0058F089 58 pop eax
0058F08A 58 pop eax
0058F08B 58 pop eax
0058F08C 58 pop eax
0058F08D 58 pop eax
0058F08E 58 pop eax
0058F08F 58 pop eax
0058F090 90 nop
0058F091 90 nop
0058F092 60 pushad
0058F093 E8 00000000 call 0058F098 ; 代码重定位
0058F098 5D pop ebp
0058F099 81ED 89172A07 sub ebp, 72A1789
0058F09F B9 230C0000 mov ecx, 0C23
0058F0A4 8DBD D1172A07 lea edi, dword ptr [ebp+72A17D1]
0058F0AA 8BF7 mov esi, edi
0058F0AC AC lods byte ptr [esi]
0058F0AD EB 01 jmp short 0058F0B0 ; 看opcode 为eb 01 也跳到eip+当前指令长度+1的位置,把E9这个给改成NOP
0058F0AF - E9 F890F8F9 jmp FA5181AC
0058F0B4 34 58 xor al, 58
0058F0B6 FEC8 dec al
0058F0B8 04 2B add al, 2B
0058F0BA 90 nop
0058F0BB 2AC1 sub al, cl
0058F0BD EB 01 jmp short 0058F0C0
0058F0BF C2 F8C0 retn 0C0F8
0058F0C2 C8 6F2AC1 enter 2A6F, 0C1
0058F0C6 F9 stc
0058F0C7 2C F4 sub al, 0F4
0058F0C9 34 97 xor al, 97
0058F0CB F9 stc
0058F0CC EB 01 jmp short 0058F0CF
0058F0CE C2 341D retn 1D34
0058F0D1 34 33 xor al, 33
0058F0D3 FEC8 dec al
0058F0D5 2AC1 sub al, cl
0058F0D7 34 3A xor al, 3A
0058F0D9 EB 01 jmp short 0058F0DC
0058F0DB - E9 F8AAE2CC jmp CD3B9BD8
0058F0E0 8B4424 20 mov eax, dword ptr [esp+20] ; 取入口的时候压入的数值
0058F0E4 40 inc eax
0058F0E5 78 0A js short 0058F0F1
0058F0E7 C785 7F212A07 0>mov dword ptr [ebp+72A217F], 1
0058F0F1 8D85 51172A07 lea eax, dword ptr [ebp+72A1751] ; 入口点
0058F0F7 B9 66070000 mov ecx, 766
0058F0FC E8 46030000 call 0058F447 ; 校验
0058F101 8985 7B212A07 mov dword ptr [ebp+72A217B], eax
0058F107 8B85 73212A07 mov eax, dword ptr [ebp+72A2173]
0058F10D 83E0 01 and eax, 1
0058F110 74 40 je short 0058F152
0058F112 8DB5 EB222A07 lea esi, dword ptr [ebp+72A22EB]
0058F118 8D85 30182A07 lea eax, dword ptr [ebp+72A1830]
0058F11E 8946 08 mov dword ptr [esi+8], eax
0058F121 8BFD mov edi, ebp
0058F123 8D85 09212A07 lea eax, dword ptr [ebp+72A2109]
0058F129 33DB xor ebx, ebx
0058F12B 50 push eax
0058F12C 64:FF33 push dword ptr fs:[ebx]
0058F12F 64:8923 mov dword ptr fs:[ebx], esp
0058F132 BD 4B484342 mov ebp, 4243484B
0058F137 66:B8 0400 mov ax, 4
0058F13B EB 01 jmp short 0058F13E
0058F13D FFCC dec esp
0058F13F 8BEF mov ebp, edi
0058F141 33DB xor ebx, ebx
0058F143 64:8F03 pop dword ptr fs:[ebx]
0058F146 83C4 04 add esp, 4
0058F149 3C 04 cmp al, 4
0058F14B 74 05 je short 0058F152
0058F14D EB 01 jmp short 0058F150
0058F14F - E9 61C38B85 jmp 85E4B4B5
0058F154 6B21 2A imul esp, dword ptr [ecx], 2A
0058F157 07 pop es
0058F158 0340 3C add eax, dword ptr [eax+3C] ; 定位到NT头
0058F15B 05 80000000 add eax, 80 ; 定位到Directory [输入表 ]
0058F160 8B08 mov ecx, dword ptr [eax] ; 获取输入表地址
0058F162 038D 6B212A07 add ecx, dword ptr [ebp+72A216B]
0058F168 83C1 10 add ecx, 10 ; 获取FirstThunk
0058F16B 8B01 mov eax, dword ptr [ecx]
0058F16D 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F173 8B18 mov ebx, dword ptr [eax] ; 下面就是获取一些壳需要用到的 API
0058F175 899D F7222A07 mov dword ptr [ebp+72A22F7], ebx
0058F17B 83C0 04 add eax, 4
0058F17E 8B18 mov ebx, dword ptr [eax]
0058F180 899D FB222A07 mov dword ptr [ebp+72A22FB], ebx
0058F186 8D85 FF222A07 lea eax, dword ptr [ebp+72A22FF]
0058F18C 50 push eax ; 获取kernel32基址
0058F18D FF95 F7222A07 call dword ptr [ebp+72A22F7]
0058F193 8BF0 mov esi, eax
0058F195 8985 0C232A07 mov dword ptr [ebp+72A230C], eax
0058F19B 8D85 10232A07 lea eax, dword ptr [ebp+72A2310]
0058F1A1 E8 C9000000 call 0058F26F ; GetModuleHandle
0058F1A6 8985 21232A07 mov dword ptr [ebp+72A2321], eax
0058F1AC 8D85 25232A07 lea eax, dword ptr [ebp+72A2325]
0058F1B2 E8 B8000000 call 0058F26F ; VirtualProtect
0058F1B7 8985 34232A07 mov dword ptr [ebp+72A2334], eax
0058F1BD 8D85 38232A07 lea eax, dword ptr [ebp+72A2338]
0058F1C3 E8 A7000000 call 0058F26F ; GetModuleFileNameA
0058F1C8 8985 4B232A07 mov dword ptr [ebp+72A234B], eax
0058F1CE 8D85 4F232A07 lea eax, dword ptr [ebp+72A234F]
0058F1D4 E8 96000000 call 0058F26F ; CreateFileA
0058F1D9 8985 5B232A07 mov dword ptr [ebp+72A235B], eax
0058F1DF 8D85 5F232A07 lea eax, dword ptr [ebp+72A235F]
0058F1E5 E8 85000000 call 0058F26F ; GlobalAlloc
0058F1EA 8985 6B232A07 mov dword ptr [ebp+72A236B], eax
0058F1F0 8D85 6F232A07 lea eax, dword ptr [ebp+72A236F]
0058F1F6 E8 74000000 call 0058F26F ; GlobalFree
0058F1FB 8985 7A232A07 mov dword ptr [ebp+72A237A], eax
0058F201 8D85 7E232A07 lea eax, dword ptr [ebp+72A237E]
0058F207 E8 63000000 call 0058F26F ; ReadFile
0058F20C 8985 87232A07 mov dword ptr [ebp+72A2387], eax
0058F212 8D85 8B232A07 lea eax, dword ptr [ebp+72A238B]
0058F218 E8 52000000 call 0058F26F ; GetFileSize
0058F21D 8985 97232A07 mov dword ptr [ebp+72A2397], eax
0058F223 8D85 9B232A07 lea eax, dword ptr [ebp+72A239B]
0058F229 E8 41000000 call 0058F26F ; CloseHandle
0058F22E 8985 A7232A07 mov dword ptr [ebp+72A23A7], eax
0058F234 8D85 AB232A07 lea eax, dword ptr [ebp+72A23AB]
0058F23A E8 30000000 call 0058F26F ; VirtualAlloc
0058F23F 8985 B8232A07 mov dword ptr [ebp+72A23B8], eax
0058F245 8D85 D2232A07 lea eax, dword ptr [ebp+72A23D2]
0058F24B E8 1F000000 call 0058F26F ; ExitProcess
0058F250 8985 DE232A07 mov dword ptr [ebp+72A23DE], eax
0058F256 8D85 BC232A07 lea eax, dword ptr [ebp+72A23BC]
0058F25C E8 0E000000 call 0058F26F ; ReadProcessMemory
0058F261 8985 CE232A07 mov dword ptr [ebp+72A23CE], eax
0058F267 8D85 69192A07 lea eax, dword ptr [ebp+72A1969]
0058F26D 50 push eax
0058F26E
C3 retn //到下面见
0058F278 64:FF35 3000000>push dword ptr fs:[30]
0058F27F 58 pop eax ; 获取peb
0058F280 85C0 test eax, eax
0058F282 78 0F js short 0058F293
0058F284 8B40 0C mov eax, dword ptr [eax+C] ; 获取PEB.Ldr
0058F287 8B40 0C mov eax, dword ptr [eax+C] ; 获取Ldr.InLoadOrderModuleList
0058F28A 8140 20 0030000>add dword ptr [eax+20], 3000 ; 当前进程的镜像大小 + 3000 这么操作有什么用呢,,,。。。
0058F291 EB 1C jmp short 0058F2AF
0058F293 6A 00 push 0
0058F295 FF95 21232A07 call dword ptr [ebp+72A2321]
0058F29B 85D2 test edx, edx
0058F29D 79 10 jns short 0058F2AF
0058F29F 837A 08 FF cmp dword ptr [edx+8], -1
0058F2A3 75 0A jnz short 0058F2AF
0058F2A5 8B52 04 mov edx, dword ptr [edx+4]
0058F2A8 C742 50 0010000>mov dword ptr [edx+50], 1000
0058F2AF E8 0A000000 call 0058F2BE ; 这里作者加入了很多反调试 F7
0058F2BE FF95 21232A07 call dword ptr [ebp+72A2321] ; kernel32.GetModuleHandleA
0058F2C4 91 xchg eax, ecx
0058F2C5 E3 58 jecxz short 0058F31F
0058F2C7 E8 17000000 call 0058F2E3 ; F7 反调试
0058F2E3 51 push ecx ; ntdll_12.<ModuleEntryPoint>
0058F2E4 FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F2EA 91 xchg eax, ecx ; 获取ZwSetInformationThread
0058F2EB E3 32 jecxz short 0058F31F
0058F2ED 87CF xchg edi, ecx
0058F2EF E8 11000000 call 0058F305 F7进入
0058F305 FFB5 0C232A07 push dword ptr [ebp+72A230C]
0058F30B FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F311 91 xchg eax, ecx
0058F312 E3 0B jecxz short 0058F31F
0058F314 FFD1 call ecx ; GetCurrentThread 获取当前线程
0058F316 6A 00 push 0
0058F318 6A 00 push 0
0058F31A 6A 11 push 11 ; 压入ThreadHideFromDebugger标志,使当前线程隐藏,起到反调试的作用
0058F31C 50 push eax
0058F31D FFD7 call edi
0058F31F 8CC9 mov cx, cs
0058F321 32C9 xor cl, cl
0058F323 E3 02 jecxz short 0058F327
0058F325 EB 66 jmp short 0058F38D
0058F327 EB 14 jmp short 0058F33D
0058F329 8B4C24 04 mov ecx, dword ptr [esp+4]
0058F32D 8B49 04 mov ecx, dword ptr [ecx+4]
0058F330 8381 B8000000 0>add dword ptr [ecx+B8], 2
0058F337 33C0 xor eax, eax
0058F339 48 dec eax
0058F33A C2 0400 retn 4
0058F33D 60 pushad
0058F33E E8 1C000000 call 0058F35F F7 ; 这里是用SEH 进行反调试
0058F35F FFB5 0C232A07 push dword ptr [ebp+72A230C] ; kernel32.763B0000
0058F365 FF95 FB222A07 call dword ptr [ebp+72A22FB] ; 获取 SetUnhandledExceptionFilter
0058F36B 96 xchg eax, esi
0058F36C 8D85 1A1A2A07 lea eax, dword ptr [ebp+72A1A1A]
0058F372 50 push eax
0058F373 FFD6 call esi ; 设置异常捕获函数
0058F375 97 xchg eax, edi ; 下面就是作者故意触发异常
0058F376 33D2 xor edx, edx
0058F378 F7FA idiv edx
0058F37A 90 nop
0058F37B 90 nop
0058F37C CD 01 int 1
0058F37E 90 nop
0058F37F 90 nop
0058F380 CC int3
0058F381 90 nop
0058F382 90 nop
0058F383 33C0 xor eax, eax
0058F385 3100 xor dword ptr [eax], eax
0058F387 90 nop
0058F388 90 nop
0058F389 57 push edi
0058F38A FFD6 call esi
0058F38C 61 popad
0058F38D 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F393 037F 3C add edi, dword ptr [edi+3C]
0058F396 8BB5 6B212A07 mov esi, dword ptr [ebp+72A216B] ; PE头
0058F39C 8B4F 54 mov ecx, dword ptr [edi+54] ; SizeOfHeaders
0058F39F 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F3A5 50 push eax ; 保存原属性方式
0058F3A6 6A 04 push 4 ; 新属性
0058F3A8 51 push ecx ; 大小
0058F3A9 FFB5 6B212A07 push dword ptr [ebp+72A216B] ; 修改地址
0058F3AF FF95 34232A07 call dword ptr [ebp+72A2334] ; //修改属性 VirtualProtect
0058F3B5 F785 73212A07 0>test dword ptr [ebp+72A2173], 8
0058F3BF 0F84 A7000000 je 0058F46C
0058F3C5 68 04010000 push 104
0058F3CA 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F3D0 57 push edi
0058F3D1 6A 00 push 0
0058F3D3 FF95 4B232A07 call dword ptr [ebp+72A234B] ; //获取程序PATH
0058F3D9 6A 00 push 0
0058F3DB 68 80000000 push 80
0058F3E0 6A 03 push 3
0058F3E2 6A 00 push 0
0058F3E4 6A 01 push 1
0058F3E6 68 00000080 push 80000000
0058F3EB 57 push edi
0058F3EC FF95 5B232A07 call dword ptr [ebp+72A235B] ; 打开自身
0058F3F2 83F8 FF cmp eax, -1
0058F3F5 75 04 jnz short 0058F3FB
0058F3F7 33C0 xor eax, eax
0058F3F9 EB 71 jmp short 0058F46C
0058F3FB 8BF8 mov edi, eax
0058F3FD 6A 00 push 0
0058F3FF 57 push edi ; 获取自身大小
0058F400 FF95 97232A07 call dword ptr [ebp+72A2397]
0058F406 83E8 05 sub eax, 5
0058F409 96 xchg eax, esi
0058F40A 56 push esi
0058F40B 6A 40 push 40 ; 创建一块 自身大小的内存
0058F40D FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F413 0BC0 or eax, eax
0058F415 75 02 jnz short 0058F419
0058F417 EB 4A jmp short 0058F463
0058F419 93 xchg eax, ebx
0058F41A 6A 00 push 0
0058F41C 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F422 50 push eax ; &dwRead
0058F423 56 push esi ; 要读入字节数
0058F424 53 push ebx ; 缓冲区
0058F425 57 push edi ; 文件句柄
0058F426 FF95 87232A07 call dword ptr [ebp+72A2387]
0058F42C 8BC3 mov eax, ebx
0058F42E 8BCE mov ecx, esi
0058F430 53 push ebx
0058F431 57 push edi
0058F432 E8 10000000 call 0058F447 ; 算一个校验 保存起来 后面他会比较
0058F437 8985 77212A07 mov dword ptr [ebp+72A2177], eax
0058F43D 5F pop edi
0058F43E 5B pop ebx
0058F43F 8D85 4C1B2A07 lea eax, dword ptr [ebp+72A1B4C]
0058F445 50 push eax
0058F446 C3 retn
0058F447 8BF8 mov edi, eax
0058F449 33C0 xor eax, eax
0058F44B 33DB xor ebx, ebx
0058F44D 33D2 xor edx, edx
0058F44F 8A07 mov al, byte ptr [edi]
0058F451 F7E2 mul edx
0058F453 03D8 add ebx, eax
0058F455 42 inc edx
0058F456 47 inc edi
0058F457 ^ E2 F6 loopd short 0058F44F
0058F459 93 xchg eax, ebx
0058F45A C3 retn
0058F45B 53 push ebx
0058F45C FF95 7A232A07 call dword ptr [ebp+72A237A] ; 释放
0058F462 96 xchg eax, esi
0058F463 50 push eax
0058F464 57 push edi
0058F465 FF95 A7232A07 call dword ptr [ebp+72A23A7] ; 关闭句柄
0058F46B 58 pop eax
0058F46C E9 0B000000 jmp 0058F47C
0058F471 07 pop es
0058F472 BB 01000000 mov ebx, 1
0058F477 E8 08000000 call 0058F484
0058F47C 8D85 3E1C2A07 lea eax, dword ptr [ebp+72A1C3E]
0058F482 50 push eax
0058F483 C3 retn 这个retn后就要到OEP了
0058F54D 8B9D 6B212A07 mov ebx, dword ptr [ebp+72A216B] ; hsreg.00400000
0058F553 039D 6F212A07 add ebx, dword ptr [ebp+72A216F]
0058F559 C1CB 07 ror ebx, 7 //在这里其实ebx 就指向OEP
来看看下面他做什么了
0058F55C 895C24 10 mov dword ptr [esp+10], ebx
0058F560 8D9D 391F2A07 lea ebx, dword ptr [ebp+72A1F39]
0058F566 895C24 1C mov dword ptr [esp+1C], ebx
0058F56A 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F570 037F 3C add edi, dword ptr [edi+3C]
0058F573 8B9F C0000000 mov ebx, dword ptr [edi+C0]
0058F579 83FB 00 cmp ebx, 0
0058F57C 74 0F je short 0058F58D
0058F57E 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F584 8B43 08 mov eax, dword ptr [ebx+8]
0058F587 C700 00000000 mov dword ptr [eax], 0
0058F58D 8B85 77212A07 mov eax, dword ptr [ebp+72A2177]
0058F593 0BC0 or eax, eax
0058F595 74 0D je short 0058F5A4
0058F597 3B85 0C242A07 cmp eax, dword ptr [ebp+72A240C] ; 这里就是 判断校验了
0058F59D 74 05 je short 0058F5A4 跳
0058F59F E9 AF010000 jmp 0058F753
0058F5A4 8DB5 83212A07 lea esi, dword ptr [ebp+72A2183] 跳到这里
0058F5AA F785 73212A07 2>test dword ptr [ebp+72A2173], 20
0058F5B4 74 49 je short 0058F5FF 这里也会跳
0058F5B6 56 push esi
0058F5B7 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F5BD 33C9 xor ecx, ecx
0058F5BF EB 17 jmp short 0058F5D8
0058F5C1 8B56 04 mov edx, dword ptr [esi+4]
0058F5C4 0395 6B212A07 add edx, dword ptr [ebp+72A216B]
0058F5CA EB 04 jmp short 0058F5D0
0058F5CC 41 inc ecx
0058F5CD 83C2 04 add edx, 4
0058F5D0 833A 00 cmp dword ptr [edx], 0
0058F5D3 ^ 75 F7 jnz short 0058F5CC
0058F5D5 83C6 0C add esi, 0C
0058F5D8 837E 04 00 cmp dword ptr [esi+4], 0
0058F5DC ^ 75 E3 jnz short 0058F5C1
0058F5DE 33D2 xor edx, edx
0058F5E0 B8 05000000 mov eax, 5
0058F5E5 F7E1 mul ecx
0058F5E7 50 push eax
0058F5E8 6A 00 push 0
0058F5EA FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F5F0 0BC0 or eax, eax
0058F5F2 75 05 jnz short 0058F5F9
0058F5F4 83C4 04 add esp, 4
0058F5F7 61 popad
0058F5F8 C3 retn
0058F5F9 8907 mov dword ptr [edi], eax
0058F5FB 8947 04 mov dword ptr [edi+4], eax
0058F5FE 5E pop esi
0058F5FF E9 42010000 jmp 0058F746 跳到这里 , 继续跳 往下面看
0058F604 8B1E mov ebx, dword ptr [esi]
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn
0058F604 8B1E mov ebx, dword ptr [esi] 从下面跳上来 取数值
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B] 加基址
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B //这个CALL 里面做的事情是
Lodsb
Ror al,4
Stosb
对esi指向的每个字节做ror al,4解密,解出的字节不为0就继续循环,遇到0结束
这里就是解出了一些 DLL名,以及 相关API名称
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn 返回到下面0058f62e
0058F61B 56 push esi
0058F61C 57 push edi
0058F61D 8BF0 mov esi, eax
0058F61F 8BF8 mov edi, eax
0058F621 AC lods byte ptr [esi]
0058F622 C0C8 04 ror al, 4
0058F625 AA stos byte ptr es:[edi]
0058F626 803F 00 cmp byte ptr [edi], 0 也就是这一段 在解密
0058F629 ^ 75 F6 jnz short 0058F621
0058F62B 5F pop edi
0058F62C 5E pop esi
0058F62D C3 retn
0058F62E 53 push ebx //retn 到这里 压入解出来的DLL 名称
0058F62F FF95 F7222A07 call dword ptr [ebp+72A22F7] LoadLibrary( ebx)
0058F635 85C0 test eax, eax
0058F637 0F84 16010000 je 0058F753
0058F63D 50 push eax
0058F63E F785 73212A07 0>test dword ptr [ebp+72A2173], 4
0058F648 74 0E je short 0058F658
0058F64A 8D85 491D2A07 lea eax, dword ptr [ebp+72A1D49]
0058F650 50 push eax
0058F651 8BC3 mov eax, ebx
0058F653 E9 B4030000 jmp 0058FA0C
0058F658 5B pop ebx
0058F659 8B4E 08 mov ecx, dword ptr [esi+8] 继续取出来个地址
0058F65C 0BC9 or ecx, ecx
0058F65E 75 03 jnz short 0058F663
0058F660 8B4E 04 mov ecx, dword ptr [esi+4]
0058F663 038D 6B212A07 add ecx, dword ptr [ebp+72A216B] 加上基址
0058F669 8B56 04 mov edx, dword ptr [esi+4] 继续取 + 基址
0058F66C 0395 6B212A07 add edx, dword ptr [ebp+72A216B]现在不知道他们里面存的什么东西 , 我们往下看看
0058F672 E9 C3000000 jmp 0058F73A 跳
0058F677 F701 00000080 test dword ptr [ecx], 80000000
0058F67D 75 4B jnz short 0058F6CA
0058F67F 8B01 mov eax, dword ptr [ecx]
0058F681 83C0 02 add eax, 2
0058F684 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F68A 50 push eax
0058F68B E8 8BFFFFFF call 0058F61B 解密函数名
0058F690 58 pop eax
0058F691 8BF8 mov edi, eax
0058F693 52 push edx
0058F694 51 push ecx 保护环境
0058F695 50 push eax
0058F696 53 push ebx
0058F697 FF95 FB222A07 call dword ptr [ebp+72A22FB] GetProcAddress 获取api地址
0058F69D 0BC0 or eax, eax
0058F69F 75 07 jnz short 0058F6A8
0058F6A1 59 pop ecx
0058F6A2 5A pop edx
0058F6A3 E9 AB000000 jmp 0058F753
0058F6A8 59 pop ecx
0058F6A9 5A pop edx
0058F6AA 60 pushad
0058F6AB F785 73212A07 0>test dword ptr [ebp+72A2173], 4
0058F6B5 74 0E je short 0058F6C5
0058F6B7 8D85 B61D2A07 lea eax, dword ptr [ebp+72A1DB6]
0058F6BD 50 push eax
0058F6BE 8BC7 mov eax, edi
0058F6C0 E9 47030000 jmp 0058FA0C
0058F6C5 61 popad
0058F6C6 8902 mov dword ptr [edx], eax 将获取到的地址存到上面第二个获取到的地址
0058F6C8 EB 19 jmp short 0058F6E3
0058F6CA 52 push edx
0058F6CB 51 push ecx
0058F6CC 8B01 mov eax, dword ptr [ecx]
0058F6CE 2D 00000080 sub eax, 80000000
0058F6D3 50 push eax
0058F6D4 53 push ebx
0058F6D5 FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F6DB 85C0 test eax, eax
0058F6DD 74 74 je short 0058F753
0058F6DF 59 pop ecx
0058F6E0 5A pop edx
0058F6E1 8902 mov dword ptr [edx], eax
0058F6E3 F785 73212A07 2>test dword ptr [ebp+72A2173], 20
0058F6ED 74 45 je short 0058F734
0058F6EF 83BD 7F212A07 0>cmp dword ptr [ebp+72A217F], 0
0058F6F6 74 14 je short 0058F70C
0058F6F8 81FB 00000070 cmp ebx, 70000000
0058F6FE 72 08 jb short 0058F708
0058F700 81FB FFFFFF77 cmp ebx, 77FFFFFF
0058F706 76 0E jbe short 0058F716
0058F708 EB 2A jmp short 0058F734
0058F70A EB 0A jmp short 0058F716
0058F70C 81FB 00000080 cmp ebx, 80000000
0058F712 73 02 jnb short 0058F716
0058F714 EB 1E jmp short 0058F734
0058F716 57 push edi
0058F717 56 push esi
0058F718 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F71E 8B77 04 mov esi, dword ptr [edi+4]
0058F721 8932 mov dword ptr [edx], esi
0058F723 2BC6 sub eax, esi
0058F725 83E8 05 sub eax, 5
0058F728 C606 E9 mov byte ptr [esi], 0E9
0058F72B 8946 01 mov dword ptr [esi+1], eax
0058F72E 8347 04 05 add dword ptr [edi+4], 5
0058F732 5E pop esi
0058F733 5F pop edi
0058F734 83C1 04 add ecx, 4
0058F737 83C2 04 add edx, 4
0058F73A 8339 00 cmp dword ptr [ecx], 0
0058F73D ^ 0F85 34FFFFFF jnz 0058F677 这里循环解密iat
0058F743 83C6 0C add esi, 0C
0058F746 837E 04 00 cmp dword ptr [esi+4], 0 跳到这里 做一个判断 里面数值是否为0
0058F74A ^\0F85 B4FEFFFF jnz 0058F604
2个循环其实就是这样
While ( Import->Name1 )
{
解密Import->Name1指向的数据
加载指向的dll
While (Import->OriginalFirstThunk) // 这里和上面的就是构造的大体意思,就是这样
{
判断FirstThunk 是否是序号导入(跟0x80000000做test运算)
是的话 就sub 0x80000000
进行其他操作
不是话就 +2加基址
Call 跟解密dll名称的那个call 进行解密
调用GetProcAddress ,获取函数地址
存放到[Import->FirstThunk] 里
上面取到的两个地址各 add 4 ,移到下一项
}
}
最后的数据
0058E28C 22 12 3C 76 45 12 3C 76 A7 49 3C 76 E0 79 3C 76 "<vE<v<v鄖<v
0058E29C 1E FD 49 75 00 00 00 00 00 00 47 65 74 50 72 6F 齀u......GetPro
0058E2AC 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F cAddress...GetMo
0058E2BC 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F duleHandleA...Lo
0058E2CC 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 adLibraryA...Exi
0058E2DC 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 tProcess...Messa
0058E2EC 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F geBoxA.怣ineImpo
0058E2FC 72 74 5F 45 6E 64 73 73 00 00 00 00 00 rt_Endss.....
0058F750 33C0 xor eax, eax
0058F752 40 inc eax
0058F753 83F8 01 cmp eax, 1
0058F756 74 02 je short 0058F75A跳
0058F758 61 popad
0058F759 C3 retn
0058F75A F785 73212A07 0>test dword ptr [ebp+72A2173], 2
0058F764 74 1D je short 0058F783 跳
0058F766 8CC9 mov cx, cs
0058F768 32C9 xor cl, cl
0058F76A E3 17 jecxz short 0058F783
0058F76C 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F772 B9 12010000 mov ecx, 112
0058F777 8BB5 6B212A07 mov esi, dword ptr [ebp+72A216B]
0058F77D C606 00 mov byte ptr [esi], 0
0058F780 46 inc esi
0058F781 ^ E2 FA loopd short 0058F77D
0058F783 8D85 51172A07 lea eax, dword ptr [ebp+72A1751] 取入口点
0058F789 B9 66070000 mov ecx, 766 字节数
0058F78E EB 01 jmp short 0058F791
0058F790 - E9 E8B1FCFF jmp 0055A97D
0058F795 FFEB jmp far ebx 这里将E9 变成nop 就会看到是一个计算校验的函数 ; Illegal use of register
0058F797 01C7 add edi, eax
0058F799 8B9D 7B212A07 mov ebx, dword ptr [ebp+72A217B] ; 校验
0058F79F 33C3 xor eax, ebx
0058F7A1 74 08 je short 0058F7AB
0058F7A3 EB 01 jmp short 0058F7A6
0058F7A5 2C 61 sub al, 61
0058F7A7 EB 01 jmp short 0058F7AA
0058F799 8B9D 7B212A07 mov ebx, dword ptr [ebp+72A217B] ; 校验
0058F79F 33C3 xor eax, ebx
0058F7A1 74 08 je short 0058F7AB
0058F7A3 EB 01 jmp short 0058F7A6
0058F7A5 90 nop 我将这里都改成nop了 不然太难看了
0058F7A6 61 popad
0058F7A7 EB 01 jmp short 0058F7AA
0058F7A9 90 nop nop
0058F7AA C3 retn
0058F7AB 8DBD B71E2A07 lea edi, dword ptr [ebp+72A1EB7] 取下面的地址, 继续解密 从00
0058F7B1 8BF7 mov esi, edi
0058F7B3 B9 46020000 mov ecx, 246
0058F7B8 33DB xor ebx, ebx
0058F7BA AC lods byte ptr [esi]
0058F7BB 34 79 xor al, 79
0058F7BD 2AC3 sub al, bl
0058F7BF C0C0 02 rol al, 2
0058F7C2 AA stos byte ptr es:[edi] 解密
0058F7C3 43 inc ebx
0058F7C4 ^ E2 F4 loopd short 0058F7BA
0058F7C6 1A1B sbb bl, byte ptr [ebx]
解密以后的数据是这样
0058F7C6 8D85 E2232A07 lea eax, dword ptr [ebp+72A23E2]
0058F7CC 50 push eax
0058F7CD FFB5 0C232A07 push dword ptr [ebp+72A230C]
0058F7D3 FF95 FB222A07 call dword ptr [ebp+72A22FB] ; //获取IsDebuggerPresent 地址
0058F7D9 0BC0 or eax, eax
0058F7DB 74 08 je short 0058F7E5
0058F7DD FFD0 call eax 使用IsDebuggerPresent 反调试
0058F7DF 0BC0 or eax, eax
0058F7E1 74 02 je short 0058F7E5 跳
0058F7E3 61 popad
0058F7E4 C3 retn
0058F7E5 F785 73212A07 0>test dword ptr [ebp+72A2173], 1 这里
0058F7EF 74 4F je short 0058F840 继续跳
0058F7F1 8DB5 EB222A07 lea esi, dword ptr [ebp+72A22EB]
0058F7F7 8D85 0C1F2A07 lea eax, dword ptr [ebp+72A1F0C]
0058F7FD 8946 08 mov dword ptr [esi+8], eax
0058F800 33DB xor ebx, ebx
0058F802 8D85 3A212A07 lea eax, dword ptr [ebp+72A213A]
0058F808 50 push eax
0058F809 64:FF33 push dword ptr fs:[ebx]
0058F80C 64:8923 mov dword ptr fs:[ebx], esp
0058F80F 8BFD mov edi, ebp
0058F811 B8 00440000 mov eax, 4400
0058F816 EB 01 jmp short 0058F819
0058F818 C7 ??? ; Unknown command
0058F819 CD 68 int 68
0058F81B 33DB xor ebx, ebx
0058F81D 64:8F03 pop dword ptr fs:[ebx]
0058F820 83C4 04 add esp, 4
0058F823 66:81FF 9712 cmp di, 1297
0058F828 74 0E je short 0058F838
0058F82A 66:81FF 7712 cmp di, 1277
0058F82F 74 07 je short 0058F838
0058F831 66:81FF 3013 cmp di, 1330
0058F836 75 08 jnz short 0058F840
0058F838 EB 01 jmp short 0058F83B
0058F83A FF61 EB jmp dword ptr [ecx-15]
0058F83D 01E8 add eax, ebp
0058F83F C3 retn
0058F840 8D85 6B1F2A07 lea eax, dword ptr [ebp+72A1F6B] 跳到这里
0058F846 50 push eax
0058F847 C3 retn 继续往下看
0058F848 55 push ebp
0058F849 8BEC mov ebp, esp
0058F84B 57 push edi
0058F84C 8B45 10 mov eax, dword ptr [ebp+10]
0058F84F 8BB8 C4000000 mov edi, dword ptr [eax+C4]
0058F855 FF37 push dword ptr [edi]
0058F857 33FF xor edi, edi
0058F859 64:8F07 pop dword ptr fs:[edi]
0058F85C 8380 C4000000 0>add dword ptr [eax+C4], 8
0058F863 8BB8 A4000000 mov edi, dword ptr [eax+A4]
0058F869 C1C7 07 rol edi, 7
0058F86C 89B8 B8000000 mov dword ptr [eax+B8], edi
0058F872 B8 00000000 mov eax, 0
0058F877 5F pop edi
0058F878 C9 leave
0058F879 C3 retn
0058F87A 8CC9 mov cx, cs 跳这里
0058F87C 32C9 xor cl, cl
0058F87E 0BC9 or ecx, ecx
0058F880 0F84 A0000000 je 0058F926
0058F886 6A 40 push 40
0058F888 68 00100008 push 8001000
0058F88D 68 69000000 push 69
0058F892 6A 00 push 0
0058F894 FF95 B8232A07 call dword ptr [ebp+72A23B8]
0058F89A 8985 1C202A07 mov dword ptr [ebp+72A201C], eax
0058F8A0 8BF8 mov edi, eax
0058F8A2 8DB5 4E202A07 lea esi, dword ptr [ebp+72A204E]
0058F8A8 68 69000000 push 69
0058F8AD 59 pop ecx
0058F8AE F3:A4 rep movs byte ptr es:[edi], byte ptr>
0058F8B0 8BD8 mov ebx, eax
0058F8B2 55 push ebp
0058F8B3 8F83 61000000 pop dword ptr [ebx+61]
0058F8B9 FFB5 DE232A07 push dword ptr [ebp+72A23DE]
0058F8BF 8F83 65000000 pop dword ptr [ebx+65]
0058F8C5 8B85 CE232A07 mov eax, dword ptr [ebp+72A23CE]
0058F8CB 83C0 05 add eax, 5
0058F8CE 8983 53000000 mov dword ptr [ebx+53], eax
0058F8D4 8D7B 4D lea edi, dword ptr [ebx+4D]
0058F8D7 8BB5 CE232A07 mov esi, dword ptr [ebp+72A23CE]
0058F8DD 803E E9 cmp byte ptr [esi], 0E9
0058F8E0 74 07 je short 0058F8E9
0058F8E2 6A 05 push 5
0058F8E4 59 pop ecx
0058F8E5 F3:A4 rep movs byte ptr es:[edi], byte ptr>
0058F8E7 EB 0D jmp short 0058F8F6
0058F8E9 8B46 01 mov eax, dword ptr [esi+1]
0058F8EC 03C6 add eax, esi
0058F8EE 2BC7 sub eax, edi
0058F8F0 8947 01 mov dword ptr [edi+1], eax
0058F8F3 C607 E9 mov byte ptr [edi], 0E9
0058F8F6 50 push eax
0058F8F7 0F014C24 FE sidt fword ptr [esp-2]
0058F8FC 5F pop edi
0058F8FD 83C7 20 add edi, 20
0058F900 8B4F 04 mov ecx, dword ptr [edi+4]
0058F903 66:8B0F mov cx, word ptr [edi]
0058F906 FA cli
0058F907 8DB5 24202A07 lea esi, dword ptr [ebp+72A2024]
0058F90D 66:8937 mov word ptr [edi], si
0058F910 C1EE 10 shr esi, 10
0058F913 66:8977 06 mov word ptr [edi+6], si
0058F917 FB sti
0058F918 CD 04 int 4
0058F91A FA cli
0058F91B 66:890F mov word ptr [edi], cx
0058F91E C1E9 10 shr ecx, 10
0058F921 66:894F 06 mov word ptr [edi+6], cx
0058F925 FB sti
0058F926 E9 9B000000 jmp 0058F9C6 跳这里 继续跳
0058F92B 0000 add byte ptr [eax], al
0058F92D 0000 add byte ptr [eax], al
0058F92F 26:35 B20460E8 xor eax, E86004B2
0058F935 0000 add byte ptr [eax], al
0058F937 0000 add byte ptr [eax], al
0058F939 5D pop ebp
0058F93A 81ED 2A202A07 sub ebp, 72A202A
0058F940 8B85 1C202A07 mov eax, dword ptr [ebp+72A201C]
0058F946 2B85 CE232A07 sub eax, dword ptr [ebp+72A23CE]
0058F94C 83E8 05 sub eax, 5
0058F94F 8B8D CE232A07 mov ecx, dword ptr [ebp+72A23CE]
0058F955 C601 E9 mov byte ptr [ecx], 0E9
0058F958 8941 01 mov dword ptr [ecx+1], eax
0058F95B 61 popad
0058F95C CF iretd
0058F95D 9C pushfd
0058F95E 60 pushad
0058F95F E8 00000000 call 0058F964
0058F964 5D pop ebp
0058F965 81ED 55202A07 sub ebp, 72A2055
0058F96B 8B7424 28 mov esi, dword ptr [esp+28]
0058F96F 8D85 AB202A07 lea eax, dword ptr [ebp+72A20AB]
0058F975 50 push eax
0058F976 6A 04 push 4
0058F978 8D85 A7202A07 lea eax, dword ptr [ebp+72A20A7]
0058F97E 50 push eax
0058F97F B8 20202A07 mov eax, 72A2020
0058F984 0385 AF202A07 add eax, dword ptr [ebp+72A20AF]
0058F98A 50 push eax
0058F98B 56 push esi
0058F98C E8 19000000 call 0058F9AA
0058F991 0BC0 or eax, eax
0058F993 74 13 je short 0058F9A8
0058F995 B8 2635B204 mov eax, 4B23526
0058F99A 3985 A7202A07 cmp dword ptr [ebp+72A20A7], eax
0058F9A0 75 06 jnz short 0058F9A8
0058F9A2 FF95 B3202A07 call dword ptr [ebp+72A20B3]
0058F9A8 61 popad
0058F9A9 9D popfd
0058F9AA 55 push ebp
0058F9AB 8BEC mov ebp, esp
0058F9AD 56 push esi
0058F9AE 57 push edi
0058F9AF B8 4E61BC00 mov eax, 0BC614E
0058F9B4 FFE0 jmp eax
0058F9B6 0000 add byte ptr [eax], al
0058F9B8 0000 add byte ptr [eax], al
0058F9BA 0000 add byte ptr [eax], al
0058F9BC 0000 add byte ptr [eax], al
0058F9BE 0000 add byte ptr [eax], al
0058F9C0 0000 add byte ptr [eax], al
0058F9C2 0000 add byte ptr [eax], al
0058F9C4 0000 add byte ptr [eax], al
0058F9C6 FC cld 跳这里
0058F9C7 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B] 获取基址
0058F9CD 83C7 70 add edi, 70
0058F9D0 8D85 CA202A07 lea eax, dword ptr [ebp+72A20CA] 取字符Foxlock
0058F9D6 AB stos dword ptr es:[edi]
0058F9D7 EB 08 jmp short 0058F9E1 跳
0058F9D9 46 inc esi
0058F9DA 6F outs dx, dword ptr es:[edi]
0058F9DB 78 4C js short 0058FA29
0058F9DD 6F outs dx, dword ptr es:[edi]
0058F9DE 636B 00 arpl word ptr [ebx], bp
0058F9E1 32C0 xor al, al 跳这里
0058F9E3 8DBD 51172A07 lea edi, dword ptr [ebp+72A1751] 取入口点
0058F9E9 B9 E8070000 mov ecx, 7E8 数量
0058F9EE AA stos byte ptr es:[edi]
0058F9EF ^ E2 FD loopd short 0058F9EE ; 这里是删除 壳的代码
0058F9F1 8DBD FD202A07 lea edi, dword ptr [ebp+72A20FD]
0058F9F7 B9 F7020000 mov ecx, 2F7
0058F9FC AA stos byte ptr es:[edi] 继续删下面的代码 用来构造异常
0058F9FD ^ E2 FD loopd short 0058F9FC
0058F9FF 61 popad
0058FA00 50 push eax
0058FA01 33C0 xor eax, eax
0058FA03 64:FF30 push dword ptr fs:[eax]
0058FA06 64:8920 mov dword ptr fs:[eax], esp ; 构造SEH
0058FA09 EB 01 jmp short 0058FA0C ; 触发异常,, 这里跳向入口点的时候, 是在Se handle 里 把eip指向的入口点
0058FA0B 87EB xchg ebx, ebp
跳向入口点的时候, 作者用了seh机制来跳,这个第一次看到,给我等菜鸟提供了一个新的思路~~~~
通过分析这个壳, 学到了不少新东西,~~~~~
文内有许多分析不怎么对的地方,望各位看官,多多包涵, 多多指出错误之处~~~~