PESpin 1.3 主程序详细分析-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

PESpin 1.3 主程序详细分析

发表于: 2005-8-5 09:04 16101

PESpin 1.3 主程序详细分析

simonzh2000 活跃值

2005-8-5 09:04

16101

PESpin1.3 的脱壳和修复

附件中有全文和脱壳产品.

这个壳花了我很多时间, 尤其是找暗桩,
差不多把 PESpin 的加壳代码分析了一遍.

附件:pespin13.zip

不忽略异常, F9, 竟然运行了.
再用进程管理器看看, 两个进程.

重新来过, 详细分析

0041211A 5D             POP EBP                               ; 00F354
0041213E 8B95 DF4E4000 MOV EDX,DWORD PTR SS:[EBP+404EDF]       ; PESpin.00400000
00412144 8B42 3C       MOV EAX,DWORD PTR DS:[EDX+3C]
00412147 03C2          ADD EAX,EDX
00412149 8985 E94E4000 MOV DWORD PTR SS:[EBP+404EE9],EAX       ; PESpin.00400060
00412182 C1E1 07       SHL ECX,7                               ; 80
00412185 8B0C01       MOV ECX,DWORD PTR DS:[ECX+EAX]          ; Import RVA
00412188 03CA          ADD ECX,EDX                            ; PESpin.00400000
0041219B 8B59 10       MOV EBX,DWORD PTR DS:[ECX+10]          ; FirstThunk(User32.dll)
0041219E 03DA          ADD EBX,EDX                            ; PESpin.00400000
004121A0 8B1B          MOV EBX,DWORD PTR DS:[EBX]             ; USER32.MessageBoxA
004121A2 899D FD4E4000 MOV DWORD PTR SS:[EBP+404EFD],EBX       ; [00414251]
004121A8 53             PUSH EBX
004121A9 8F85 F34C4000 POP DWORD PTR SS:[EBP+404CF3]          ; [00414047]

004121BB 8B59 38       MOV EBX,DWORD PTR DS:[ECX+38]          ; FirstThunk(Kernel32.dll)
004121BE 03DA          ADD EBX,EDX
004121C0 8B3B          MOV EDI,DWORD PTR DS:[EBX]             ; KERNEL32.LoadLibraryA
004121C2 89BD A24F4000 MOV DWORD PTR SS:[EBP+404FA2],EDI       ; [004142F6]
004121C8 8D5B 04       LEA EBX,DWORD PTR DS:[EBX+4]
004121CB 8B1B          MOV EBX,DWORD PTR DS:[EBX]             ; KERNEL32.GetProcAddress
004121CD 899D A74F4000 MOV DWORD PTR SS:[EBP+404FA7],EBX       ; [004142FB]

// 下面这段循环比较巧妙, 壳反复使用这种技巧,  仔细体会

004121FD BB 27000000    MOV EBX,27
00412202 B9 84120000    MOV ECX,1284                            ; 长度
00412207 8DBD D84F4000 LEA EDI,DWORD PTR SS:[EBP+404FD8]       ; 41432C
0041220D 4F             DEC EDI
0041221A 301C39       XOR BYTE PTR DS:[ECX+EDI],BL          ; SMC 代码
0041221D FECB          DEC BL
0041221F 49             DEC ECX
00412220 9C             PUSHFD                                  ; 这里很关键, 当 ECX=0, 影响 00412245 结果
0041222A C12C24 06    SHR DWORD PTR SS:[ESP],6
0041222E F71424       NOT DWORD PTR SS:[ESP]
00412231 832424 01    AND DWORD PTR SS:[ESP],1
00412235 50             PUSH EAX
00412236 52             PUSH EDX
00412237 B8 79B2DC12    MOV EAX,12DCB279
0041223C 05 444D23ED    ADD EAX,ED234D44
00412241 F76424 08    MUL DWORD PTR SS:[ESP+8]
00412245 8D8428 092F4000 LEA EAX,DWORD PTR DS:[EAX+EBP+402F09] ; ECX=0 时, EAX=0, 可直接计算出口地址
0041224C 894424 08    MOV DWORD PTR SS:[ESP+8],EAX
00412250 5A             POP EDX
00412251 58             POP EAX
00412252 8D6424 04    LEA ESP,DWORD PTR SS:[ESP+4]
00412256 FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 0041221A(ECX>0), 0041225D(ECX=0), 第一次
0041225D /EB 01          JMP SHORT PESpin.00412260

004122E8  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00412294(ECX>0), 004122EF(ECX=0), 第二次
004122EF E8 02000000    CALL PESpin.004122F6

// 求 Kernel32 Base Address

0041417E 8B7C24 20    MOV EDI,DWORD PTR SS:[ESP+20]          ; KERNEL32.7C598989
00414182 81E7 0000FFFF AND EDI,FFFF0000
00414199 BA 246BDE21    MOV EDX,21DE6B24
0041419E 81F2 6931DE21 XOR EDX,21DE3169
004141A4 66:3917       CMP WORD PTR DS:[EDI],DX                ; "MZ"
004141A7 75 17          JNZ SHORT PESpin.004141C0
004141A9 81C2 EFA5FFFF ADD EDX,FFFFA5EF                      ; 3C
004141AF 0FB7143A       MOVZX EDX,WORD PTR DS:[EDX+EDI]
004141B3 66:F7C2 00F8 TEST DX,0F800
004141B8 75 06          JNZ SHORT PESpin.004141C0
004141BA 3B7C3A 34    CMP EDI,DWORD PTR DS:[EDX+EDI+34]       ; KERNEL32.7C570000
004141BE /74 08          JE SHORT PESpin.004141C8
004141C0 81EF 00000100 SUB EDI,10000
004141C6  ^ EB C0          JMP SHORT PESpin.00414188             ; 实际到 00414199
004141C8 97             XCHG EAX,EDI                            ; KERNEL32.7C570000

// 求出壳要用的其他 API,  先比较 API 名字的第三个字符, 再比较名字的 Hash
// 这里有一些 SMC, 不是很明显

004141E0 8785 014F4000 XCHG DWORD PTR SS:[EBP+404F01],EAX    ; [00414255]
00414373 8BF0          MOV ESI,EAX                            ; KERNEL32.7C570000
00414375 0340 3C       ADD EAX,DWORD PTR DS:[EAX+3C]
00414378 FF70 7C       PUSH DWORD PTR DS:[EAX+7C]             ; ExportSize
0041437B 8F85 FC504000 POP DWORD PTR SS:[EBP+4050FC]          ; [00414450]
00414381 8B40 78       MOV EAX,DWORD PTR DS:[EAX+78]          ; ExportRVA
00414384 03C6          ADD EAX,ESI
00414386 50             PUSH EAX
00414387 8F85 F2504000 POP DWORD PTR SS:[EBP+4050F2]          ; [00414446]
0041438D FF70 20       PUSH DWORD PTR DS:[EAX+20]             ; AddressOfNames
00414390 5B             POP EBX
00414391 03DE          ADD EBX,ESI                            ; KERNEL32.7C570000
00414393 FF70 18       PUSH DWORD PTR DS:[EAX+18]             ; NumberOfNames
00414396 8F85 DE504000 POP DWORD PTR SS:[EBP+4050DE]          ; [00414432]
0041439C FF70 24       PUSH DWORD PTR DS:[EAX+24]             ; AddressOfNameOrdinals
0041439F 5A             POP EDX
004143A0 03D6          ADD EDX,ESI                            ; KERNEL32.7C570000
004143A2 FF70 1C       PUSH DWORD PTR DS:[EAX+1C]             ; AddressOfFunctions
004143A6 03CE          ADD ECX,ESI                            ; KERNEL32.7C570000
004143A8 898D CE504000 MOV DWORD PTR SS:[EBP+4050CE],ECX       ; [00414422]

004143B1 83C7 05       ADD EDI,5                               ; 每个 API 占 5 个 byte
004143B4 833F 00       CMP DWORD PTR DS:[EDI],0                ; 00414264
004143B7 0F84 13010000 JE PESpin.004144D0                      ; 所有 API 处理完了, 大出口
004143BD 8A07          MOV AL,BYTE PTR DS:[EDI]
004143BF 8885 92504000 MOV BYTE PTR SS:[EBP+405092],AL       ; [004143E6]
004143C5 FF77 01       PUSH DWORD PTR DS:[EDI+1]
004143C8 8F85 BE504000 POP DWORD PTR SS:[EBP+4050BE]          ; [00414412]
004143CE 53             PUSH EBX
004143CF 52             PUSH EDX
004143D0 57             PUSH EDI
004143D1 2BC9          SUB ECX,ECX

004143DF 8B3B          MOV EDI,DWORD PTR DS:[EBX]             ; AddressOfNames
004143E1 03FE          ADD EDI,ESI                            ; KERNEL32.7C570000
004143E3 807F 02 69    CMP BYTE PTR DS:[EDI+2],69             ; 比较名字的第三个字符
004143E7 /75 43          JNZ SHORT PESpin.0041442C

004143E9 E8 02000000    CALL PESpin.004143F0                   ; 实际上 CALL 004144D6 (计算 API 名字Hash)

00414411 3D 3368EFDA    CMP EAX,DAEF6833                      ; 比较 Hash
00414416 75 14          JNZ SHORT PESpin.0041442C
00414418 8D044A       LEA EAX,DWORD PTR DS:[EDX+ECX*2]
0041441B 0FB700       MOVZX EAX,WORD PTR DS:[EAX]
0041441E C1E0 02       SHL EAX,2
00414421 05 58425C7C    ADD EAX,7C5C4258
00414426 8B00          MOV EAX,DWORD PTR DS:[EAX]
00414428 03C6          ADD EAX,ESI
0041442A EB 0E          JMP SHORT PESpin.0041443A             ; 找到了一个 API, 小出口

0041442C \83C3 04       ADD EBX,4                               ; Export 中下一个
0041442F 41             INC ECX
00414430 81F9 3D030000 CMP ECX,33D
00414436  ^ 75 A7          JNZ SHORT PESpin.004143DF

004144D6 52             PUSH EDX                               ; 对 string 计算 Hash                               ;
004144D7 83CA FF       OR EDX,FFFFFFFF
004144E6 8A07          MOV AL,BYTE PTR DS:[EDI]                ; 指向 API 名字
004144E8 0AC0          OR AL,AL
004144EA /74 32          JE SHORT PESpin.0041451E
004144FD 47             INC EDI                               ; KERNEL32.7C5C63CD
004144FE 32D0          XOR DL,AL
00414500 B0 08          MOV AL,8
0041450E D1EA          SHR EDX,1
00414510 /73 06          JNB SHORT PESpin.00414518
00414512 |81F2 2083B8ED XOR EDX,EDB88320
00414518 \FEC8          DEC AL
0041451A  ^\75 E6          JNZ SHORT PESpin.00414502             ; 实际上 0041450E
0041451C  ^\EB C8          JMP SHORT PESpin.004144E6
0041451E 33FF          XOR EDI,EDI
0041452C 92             XCHG EAX,EDX
0041455F 5A             POP EDX                               ;
00414560 C3             RETN

0041443A 5F             POP EDI                               ; PESpin.00414264
0041443B 5A             POP EDX
0041443C 5B             POP EBX
0041443D 0BC0          OR EAX,EAX
0041443F 0F84 8D000000 JE PESpin.004144D2
00414445 B9 30425C7C    MOV ECX,7C5C4230                      ; 再比较地址是否位于 Export 范围内, 如果是的话, 指向另一 DLL 的另一 API
0041444A 3BC1          CMP EAX,ECX
0041444C 76 63          JBE SHORT PESpin.004144B1
0041444E 81C1 115C0000 ADD ECX,5C11
00414454 3BC8          CMP ECX,EAX
00414456 76 59          JBE SHORT PESpin.004144B1

00414458 60             PUSHAD                                  ; 2K 下上面的情况我们没遇到, XP 下就会遇到
00414459 8DBD AC2C4000 LEA EDI,DWORD PTR SS:[EBP+402CAC]
0041445F 96             XCHG EAX,ESI
00414460 33C9          XOR ECX,ECX
00414462 8A0431       MOV AL,BYTE PTR DS:[ECX+ESI]
00414465 3C 2E          CMP AL,2E                               ; "."
00414467 74 04          JE SHORT PESpin.0041446D
00414469 41             INC ECX
0041446A AA             STOS BYTE PTR ES:[EDI]
0041446B  ^ EB F5          JMP SHORT PESpin.00414462
0041446D 41             INC ECX
0041446E 03F1          ADD ESI,ECX
00414470 56             PUSH ESI
00414471 2C 2E          SUB AL,2E
00414473 AA             STOS BYTE PTR ES:[EDI]
00414474 2BF9          SUB EDI,ECX
00414476 57             PUSH EDI
00414477 8DBD 104F4000 LEA EDI,DWORD PTR SS:[EBP+404F10]
0041447D B9 92000000    MOV ECX,92
00414482 FF1439       CALL DWORD PTR DS:[ECX+EDI]             ; LoadLibrary
00414491 8DBD 017F1246 LEA EDI,DWORD PTR SS:[EBP+46127F01]
00414497 81EF 7E18A845 SUB EDI,45A8187E
0041449D 81EF 73172A00 SUB EDI,2A1773
004144A3 B9 97000000    MOV ECX,97
004144A8 50             PUSH EAX
004144A9 FF1439       CALL DWORD PTR DS:[ECX+EDI]             ; GetProcAddress
004144AC 894424 1C    MOV DWORD PTR SS:[ESP+1C],EAX
004144B0 61             POPAD

004144BA B9 E72BFFFF    MOV ECX,FFFF2BE7
004144BF 32CD          XOR CL,CH
004144C1 3808          CMP BYTE PTR DS:[EAX],CL                ; CC, Int3
004144C3 75 03          JNZ SHORT PESpin.004144C8
004144C5 8028 00       SUB BYTE PTR DS:[EAX],0                ; 如果有断点, 这里就会触发非法访问异常
004144C8 8947 01       MOV DWORD PTR DS:[EDI+1],EAX             ; 用 API 地址替换原来的 Hash
004144CB  ^\E9 E1FEFFFF    JMP PESpin.004143B1                      ; 下一个

004144D0 0BC0          OR EAX,EAX

用到的 API 有 ExitProcess, VirtualProtect, CloseHandle, VirtualAlloc, VirtualFree, CreateFileA, ReadFile, GetTickCount,
GetModuleHandleA, CreateThread, Sleep, GetCurrentProcessId, OpenProcess, TerminateProcess, GetFileSize, GetModuleFileNameA,
CreateMutexA, CreateProcessA, GetCommandLineA, GetLastError, GetThreadContext, SetThreadContext, VirtualProtectEx, WaitForDebugEvent,
ContinueDebugEvent, ReadProcessMemory, WriteProcessMemory, VirtualQueryEx

// 继续 SMC

00412322 2BC9          SUB ECX,ECX
00412324 80C9 25       OR CL,25
00412327 8D85 48D7460F LEA EAX,DWORD PTR SS:[EBP+F46D748]
0041232D 85C0          TEST EAX,EAX
0041232F 81F3 4823D90E XOR EBX,0ED92348
00412335 49             DEC ECX
00412336 9C             PUSHFD
...
0041236C  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 0041232F(ECX>0), 00412374(ECX=0), 第三次
00412374 2D A970060F    SUB EAX,0F0670A9
00412379 0BC0          OR EAX,EAX

00412390 BB 3F317A02    MOV EBX,27A313F
00412395 8DBD 1DE043ED LEA EDI,DWORD PTR SS:[EBP+ED43E01D]
0041239B 81EF C17D03ED SUB EDI,ED037DC1
004123A1 68 31130000    PUSH 1331
004123A6 59             POP ECX
004123A7 C1EB 03       SHR EBX,3
004123AA /72 06          JB SHORT PESpin.004123B2
004123AC |81EB B48765F0 SUB EBX,F06587B4
004123B2 FE07          INC BYTE PTR DS:[EDI]
004123B4 301F          XOR BYTE PTR DS:[EDI],BL
004123B6 47             INC EDI
004123B7 49             DEC ECX
004123B8 9C             PUSHFD
...
004123E8  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 004123A7(ECX>0), 004123F2(ECX=0), 第四次

00415A24 41             INC ECX
00415A25 9C             PUSHFD
...
00415A51  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00415A09(ECX<0), 00415A72(ECX=0), 第五次

// 为父进程做标志, 为子进程选另一条路

00415A72 8D85 D8624000 LEA EAX,DWORD PTR SS:[EBP+4062D8]       ; 0041562C, "MDYGINTX"
00415A78 50             PUSH EAX
00415A79 6A 00          PUSH 0
00415A7B 6A 00          PUSH 0
00415A7D 8D85 8283C9ED LEA EAX,DWORD PTR SS:[EBP+EDC98382]
00415A83 2D 213489ED    SUB EAX,ED893421                      ;
00415A88 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.CreateMutexA
00415A8A 8985 D4624000 MOV DWORD PTR SS:[EBP+4062D4],EAX       ; [00415628]
00415A90 8D85 6C1E1F03 LEA EAX,DWORD PTR SS:[EBP+31F1E6C]
00415A96 2D FCCEDE02    SUB EAX,2DECEFC
00415A9B FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.GetLastError

00415A9D BB CA7DB9FE    MOV EBX,FEB97DCA
00415AA2 81EB 137DB9FE SUB EBX,FEB97D13                      ; B7
00415AA8 3BC3          CMP EAX,EBX                            ; 相等表示 Mutex 已存在
00415AAA 9C             PUSHFD                                  ; 父子进程的命运在此决定 *******************************************
00415AAB C12C24 06    SHR DWORD PTR SS:[ESP],6
00415AAF F71424       NOT DWORD PTR SS:[ESP]
00415AB2 832424 01    AND DWORD PTR SS:[ESP],1
00415AB6 58             POP EAX
00415AB7 2BD2          SUB EDX,EDX
00415AB9 BB BAE74D02    MOV EBX,24DE7BA
00415ABE 81EB 86E74D02 SUB EBX,24DE786
00415AC4 F7E3          MUL EBX
00415AC6 81CB FE12F40E OR EBX,0EF412FE
00415ACC 8D8428 B40291ED LEA EAX,DWORD PTR DS:[EAX+EBP+ED9102B4]
00415AD3 2D 179B50ED    SUB EAX,ED509B17
00415AD8 FFE0          JMP EAX                               ; 父进程走 00415B25,  子进程走 00415AF1

// 我们先看看父进程

// CreateProcess

00415B36 B9 00100000    MOV ECX,1000                            ; size
00415B3B 6A 04          PUSH 4
00415B3D 68 00300000    PUSH 3000
00415B42 51             PUSH ECX
00415B43 6A 00          PUSH 0
00415B45 8D85 214F4000 LEA EAX,DWORD PTR SS:[EBP+404F21]
00415B4B 48             DEC EAX
00415B4C FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.VirtualAlloc
00415B4E 8985 A0624000 MOV DWORD PTR SS:[EBP+4062A0],EAX       ; [004155F4], buffer1, 保留子进程的 ThreadID 和 hThread 用
00415B54 B9 00100000    MOV ECX,1000                            ; size
00415B59 6A 04          PUSH 4
00415B5B 68 00300000    PUSH 3000
00415B60 51             PUSH ECX
00415B61 6A 00          PUSH 0
00415B63 8D85 214F4000 LEA EAX,DWORD PTR SS:[EBP+404F21]
00415B69 48             DEC EAX
00415B6A FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.VirtualAlloc
00415B6C 8985 C4624000 MOV DWORD PTR SS:[EBP+4062C4],EAX       ; [00415618], buffer2,  给 mov reg1, [reg2+offset] 用的

00415BA0 C785 EE624000 4>MOV DWORD PTR SS:[EBP+4062EE],44       ; [00415642], StartupInfo
00415BAA 8D85 6C4F4000 LEA EAX,DWORD PTR SS:[EBP+404F6C]
00415BB0 48             DEC EAX
00415BB1 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.GetCommandLineA
00415BB3 8BF8          MOV EDI,EAX
00415BB5 8BD0          MOV EDX,EAX                            ; EDX -> CommandLine
00415BB7 803F 22       CMP BYTE PTR DS:[EDI],22                ; 双引号
00415BBA 75 1A          JNZ SHORT PESpin.00415BD6

00415BBC 83C9 FF       OR ECX,FFFFFFFF
00415BBF 47             INC EDI
00415BC0 8BF7          MOV ESI,EDI
00415BC2 B0 22          MOV AL,22
00415BC4 F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
00415BC6 F7D1          NOT ECX
00415BC8 49             DEC ECX                               ; 去掉双引号的长度
00415BC9 8BBD A0624000 MOV EDI,DWORD PTR SS:[EBP+4062A0]
00415BCF 8BDF          MOV EBX,EDI                               ; EBX -> buffer1
00415BD1 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制到 buffer1
00415BD3 2AC0          SUB AL,AL
00415BD5 AA             STOS BYTE PTR ES:[EDI]

00415BE2 8DB5 EE624000 LEA ESI,DWORD PTR SS:[EBP+4062EE]       ; 00415642, pStartupInfo
00415BE8 8DBD 32634000 LEA EDI,DWORD PTR SS:[EBP+406332]       ; 00415686, pProcessInfo
00415BEE 8D85 5D2E8663 LEA EAX,DWORD PTR SS:[EBP+63862E5D]
00415BF4 57             PUSH EDI
00415BF5 56             PUSH ESI
00415BF6 6A 00          PUSH 0
00415BF8 6A 00          PUSH 0

00415C0B 6A 03          PUSH 3
00415C0D 6A 01          PUSH 1
00415C0F 6A 00          PUSH 0
00415C11 6A 00          PUSH 0
00415C13 2D F8DE4563    SUB EAX,6345DEF8
00415C18 52             PUSH EDX
00415C19 53             PUSH EBX
00415C1A 40             INC EAX
00415C1B FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.CreateProcessA

0012FF74 00415C1D  /CALL to CreateProcessA from PESpin.00415C1B
0012FF78 00880000  |ModuleFileName = "E:\pespin13\PESpin.exe"
0012FF7C 00132610  |CommandLine = ""E:\pespin13\PESpin.exe""
0012FF80 00000000  |pProcessSecurity = NULL
0012FF84 00000000  |pThreadSecurity = NULL
0012FF88 00000001  |InheritHandles = TRUE
0012FF8C 00000003  |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
0012FF90 00000000  |pEnvironment = NULL
0012FF94 00000000  |CurrentDir = NULL
0012FF98 00415642  |pStartupInfo = PESpin.00415642
0012FF9C 00415686  \pProcessInfo = PESpin.00415686

00415C1D 0BC0          OR EAX,EAX
00415C1F 0F84 68060000 JE PESpin.0041628D                      ; 不成功直接退出

// 调试循环

00415C5D 8D9D 42634000 LEA EBX,DWORD PTR SS:[EBP+406342]       ; 00415696, DebugEvent
00415C63 8D85 854F4000 LEA EAX,DWORD PTR SS:[EBP+404F85]
00415C69 6A FF          PUSH -1                                  ; 无限等待
00415C6B 53             PUSH EBX
00415C6C 48             DEC EAX
00415C6D FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.WaitForDebugEvent

00415C6F 0BC0          OR EAX,EAX
00415C71 0F84 16060000 JE PESpin.0041628D                      ; 结束

00415C77 8B85 42634000 MOV EAX,DWORD PTR SS:[EBP+406342]       ; dwDebugEventCode
00415C7D 35 C19B54D3    XOR EAX,D3549BC1
00415C82 3D C29B54D3    CMP EAX,D3549BC2
00415C87 0F84 D4050000 JE PESpin.00416261                      ; CREATE_PROCESS_DEBUG_EVENT, 好象没干什么活, 最后跳到 00415CB5

00415C8D 3D C09B54D3    CMP EAX,D3549BC0
00415C92 74 50          JE SHORT PESpin.00415CE4                ; EXCEPTION_DEBUG_EVENT

00415C94 3D C49B54D3    CMP EAX,D3549BC4
00415C99 0F84 EE050000 JE PESpin.0041628D                      ; EXIT_PROCESS_DEBUG_EVENT

00415C9F 3D C39B54D3    CMP EAX,D3549BC3
00415CA4 0F84 33050000 JE PESpin.004161DD                      ; CREATE_THREAD_DEBUG_EVENT, 增加成员到 Buffer1

00415CAA 3D C59B54D3    CMP EAX,D3549BC5
00415CAF 0F84 69050000 JE PESpin.0041621E                      ; EXIT_THREAD_DEBUG_EVENT, 减少 Buffer1 成员

00415CB5 B8 127DB87E    MOV EAX,7EB87D12
00415CBA 35 137DB9FE    XOR EAX,FEB97D13
00415CBF 50             PUSH EAX                               ; 80010001, DBG_EXCEPTION_NOT_HANDLED
00415CC0 FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A]          ; dwThreadId
00415CC6 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346]          ; dwProcessId
00415CCC 8D85 8A4F4000 LEA EAX,DWORD PTR SS:[EBP+404F8A]
00415CD2 48             DEC EAX
00415CD3 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.ContinueDebugEvent

00415CD5 8D85 219BA74F LEA EAX,DWORD PTR SS:[EBP+4FA79B21]
00415CDB 05 E8CD98B0    ADD EAX,B098CDE8
00415CE0 FFE0          JMP EAX                                  ; 00415C5D

// 对异常的处理

00415CE4 8B85 4E634000 MOV EAX,DWORD PTR SS:[EBP+40634E]       ; EXCEPTION_DEBUG_EVENT 的处理代码
00415CEA 35 A1B97180    XOR EAX,8071B9A1
00415CEF 3D A2B97100    CMP EAX,71B9A2
00415CF4 74 1F          JE SHORT PESpin.00415D15                ; 80 00 00 03 Int3
00415CF6 3D A5B97100    CMP EAX,71B9A5
00415CFB 0F84 C8030000 JE PESpin.004160C9                      ; 80 00 00 04 单步
00415D01 3D BCB97140    CMP EAX,4071B9BC
00415D06 74 5E          JE SHORT PESpin.00415D66                ; C0 00 00 1D 非法指令
00415D08 8D85 49014800 LEA EAX,DWORD PTR SS:[EBP+480149]       ; 其他异常父进程都不处理
00415D0E 2D E8970700    SUB EAX,797E8
00415D13  ^\FFE0          JMP EAX                                  ; PESpin.00415CB5

00415D15 838D B4624000 0>OR DWORD PTR SS:[EBP+4062B4],0          ; [00415608] Int3 异常次数
00415D1C 75 39          JNZ SHORT PESpin.00415D57

      // 第一次 Int3 异常
00415D1E FF85 B4624000 INC DWORD PTR SS:[EBP+4062B4]          ; 第一次, 系统异常
00415D2E 50             PUSH EAX                               ; DBG_CONTINUE
00415D2F FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A]          ; dwThreadId
00415D35 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346]          ; dwProcessId
00415D3B 8D85 0A176B51 LEA EAX,DWORD PTR SS:[EBP+516B170A]
00415D41 2D 81C72A51    SUB EAX,512AC781
00415D46 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.ContinueDebugEvent
00415D48 8D85 25A9150A LEA EAX,DWORD PTR SS:[EBP+A15A925]
00415D4E 2D 1C40D509    SUB EAX,9D5401C
00415D53 FFE0          JMP EAX                                  ; 00415C5D

      // 第二次以上子进程自己处理
00415D57 8D85 02A577EF LEA EAX,DWORD PTR SS:[EBP+EF77A502]
00415D5D 2D A13B37EF    SUB EAX,EF373BA1
00415D62  ^ FFE0          JMP EAX                                  ; PESpin.00415CB5

      // 第一次非法指令异常到这里
00415D66  ^\E9 4AFFFFFF    JMP PESpin.00415CB5                      ; 父进程不做处理, 子进程自己处理

      // 第二次非法指令异常到这里, 代码已被改变
00415D66 /EB 00          JMP SHORT PESpin.00415D68
00415D68 \EB 01          JMP SHORT PESpin.00415D6B
00415D6B 90             NOP
00415D6C 90             NOP
00415D6D 90             NOP
00415D6E 90             NOP
00415D6F 90             NOP
00415D70 EB 07          JMP SHORT PESpin.00415D79
00415D79  ^\EB F8          JMP SHORT PESpin.00415D73
00415D73 /EB 01          JMP SHORT PESpin.00415D76
00415D76 /EB 04          JMP SHORT PESpin.00415D7C

00415D7C 8B85 36634000 MOV EAX,DWORD PTR SS:[EBP+406336]       ; hThread
00415D82 F785 A4624000 F>TEST DWORD PTR SS:[EBP+4062A4],FFFFFFFF ; [004155F8], 子进程有没有创建其他线程(0没有)
00415D8C /74 33          JE SHORT PESpin.00415DC1

00415D8E 8BB5 A0624000 MOV ESI,DWORD PTR SS:[EBP+4062A0]       ; 存放线程信息的 Buffer1
00415D94 8B8D A4624000 MOV ECX,DWORD PTR SS:[EBP+4062A4]       ; 已使用字节数
00415D9A 8B85 4A634000 MOV EAX,DWORD PTR SS:[EBP+40634A]       ; dwThreadID
00415DA9 3906          CMP DWORD PTR DS:[ESI],EAX
00415DAB /74 1C          JE SHORT PESpin.00415DC9                ; 相等表示异常不是主线程中发生的
00415DAD |83C6 08       ADD ESI,8
00415DBC 83E9 08       SUB ECX,8
00415DBF  ^ 75 E8          JNZ SHORT PESpin.00415DA9

00415DC1 8B85 36634000 MOV EAX,DWORD PTR SS:[EBP+406336]       ; hThread, 主线程
00415DC7 EB 03          JMP SHORT PESpin.00415DCC

00415DC9 8B46 04       MOV EAX,DWORD PTR DS:[ESI+4]             ; hThread, 从线程 (异常发生在从线程, 从表中取 hThread)

00415DCC E8 03000000    CALL PESpin.00415DD4
00415DDD 8985 A8624000 MOV DWORD PTR SS:[EBP+4062A8],EAX       ; [004155FC]
00415DE3 B8 13000100    MOV EAX,10013
00415DE8 8D95 4754AE34 LEA EDX,DWORD PTR SS:[EBP+34AE5447]
00415DEE 81EA 0CE16D34 SUB EDX,346DE10C
00415DF4 FFD2          CALL EDX                                  ; PESpin.0041668F, 类似 004166D5 调用  GetThreadContext
00415DF6 93             XCHG EAX,EBX
...
0041675F 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = B0h, regEax=0
00416762 8907          MOV DWORD PTR DS:[EDI],EAX                ; [004155B0]
00416764 BA B3E40D00    MOV EDX,0DE4B3
00416769 81F2 1FE40D00 XOR EDX,0DE41F
0041676F 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = ACh, regEcx=0
00416772 8947 04       MOV DWORD PTR DS:[EDI+4],EAX

0041677E BA 2700EC00    MOV EDX,0EC0027
00416783 81EA 7FFFEB00 SUB EDX,0EBFF7F
00416789 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = A8h, regEdx=-1
0041678C 8947 08       MOV DWORD PTR DS:[EDI+8],EAX

004167BD BA 27EF0D00    MOV EDX,0DEF27
004167C2 81F2 83EF0D00 XOR EDX,0DEF83
004167C8 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = A4h, regEbx=7FFDF000
004167CB 8947 0C       MOV DWORD PTR DS:[EDI+C],EAX

004167CE BA 5102FFFF    MOV EDX,FFFF0251
004167D3 81C2 73FE0000 ADD EDX,0FE73
004167D9 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = C4h, regEsp=12FFC4
004167DC 8947 10       MOV DWORD PTR DS:[EDI+10],EAX

004167EB BA E5720C00    MOV EDX,0C72E5
004167F0 81EA 31720C00 SUB EDX,0C7231
004167F6 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = B4h, regEbp=12FFF0
004167F9 8947 14       MOV DWORD PTR DS:[EDI+14],EAX

0041682E BA C1A3F9FF    MOV EDX,FFF9A3C1
00416833 81C2 DF5C0600 ADD EDX,65CDF
00416839 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = A0h, regEsi=1
0041683C 8947 18       MOV DWORD PTR DS:[EDI+18],EAX

0041683F BA D5FB0900    MOV EDX,9FBD5
00416844 81EA 39FB0900 SUB EDX,9FB39
0041684A 8B041A       MOV EAX,DWORD PTR DS:[EDX+EBX]          ; EDX = 9Ch, regEdi=414913
0041684D 8947 1C       MOV DWORD PTR DS:[EDI+1C],EAX

00415E16 BA 2A14FFFF    MOV EDX,FFFF142A
00415E1B 8D92 8EEC0000 LEA EDX,DWORD PTR DS:[EDX+EC8E]
00415E21 8B0413       MOV EAX,DWORD PTR DS:[EBX+EDX]          ; EDX = B8h, regEip=4098F8( 已经进入程序代码空间) ***************************************************

00415E24 8DBD E1624000 LEA EDI,DWORD PTR SS:[EBP+4062E1]       ; 00415635
...
00415E8C  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00415E5D(ECX>0), 00415E9A(ECX=0)
00415ED5 /FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; PESpin.00415EE3
00415F14 /FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; PESpin.00415F2F
00415F66  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00415E41(ECX>0), 00415F70(ECX=0)  以上 4 个是嵌套的, 最终出口 415F70
                                                                     ; 作用就是把 Address->String(8位16进制)
...
00415F81 C647 08 00    MOV BYTE PTR DS:[EDI+8],0                ; 00415635 "004098F8"
00415F85 8D85 901B1F13 LEA EAX,DWORD PTR SS:[EBP+131F1B90]
00415F8B 2D 0ECADE12    SUB EAX,12DECA0E
00415F90 FFD0          CALL EAX                                  ; PESpin.004144D6 (计算 Hash)

00415F92 8DBD BFAF530F LEA EDI,DWORD PTR SS:[EBP+F53AFBF]       ; 破坏字符串
00415F98 81EF DE4C130F SUB EDI,0F134CDE                         ; 00415635
00415F9E B9 DE4613ED    MOV ECX,ED1346DE
00415FA3 BB B60D385A    MOV EBX,5A380DB6
00415FA8 2BCB          SUB ECX,EBX
00415FAA C1E9 1C       SHR ECX,1C
00415FAD 2BDB          SUB EBX,EBX                               ; EBX = 0
00415FAF 49             DEC ECX                                  ; ECX = 8
00415FB0 8D95 A2D1540F LEA EDX,DWORD PTR SS:[EBP+F54D1A2]
00415FB6 81EA 3665140F SUB EDX,0F146536
00415FBC 03D1          ADD EDX,ECX
00415FBE FFE2          JMP EDX
00415FC8 49             DEC ECX
...
00415FF8  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00415FC8(ECX>0), 00416003(ECX=0)

0041600F BF F36B4100    MOV EDI,PESpin.00416BF3                   ; 父进程放一个表, 处理子进程到 OEP 后的异常
00416014 B9 55010000    MOV ECX,155                               ; 总长 155 字节
0041602A 3B07          CMP EAX,DWORD PTR DS:[EDI]
0041602C /74 26          JE SHORT PESpin.00416054                ; 找到了, 出口
0041602E |83C7 0B       ADD EDI,0B                               ; 每段 0B 字节
0041603D 83E9 0B       SUB ECX,0B
00416040 0BC9          OR ECX,ECX
00416042  ^ 77 D5          JA SHORT PESpin.00416019                ; 实际到 0041602A

00416044 8D85 D1C51E13    LEA EAX,DWORD PTR SS:[EBP+131EC5D1]    ; 找不到, 子进程自己处理
0041604A 2D 705CDE12    SUB EAX,12DE5C70
0041604F FFE0             JMP EAX                               ; 00415CB5

00416BF3  9A 78 C3 A0 1E 00 00 00 03 01 02       ; 4098F8 , 对应的地址
            82 14 AA 21 94 00 00 00 03 00 06       ; 409912
            9F 92 FD DD 05 00 00 00 01 03 02       ; 40993E
            8A 9E 73 E9 05 00 00 00 01 20 02       ; 409992
            31 1E B4 EC 05 00 00 00 01 54 02       ; 4099BA
            79 FB C9 4C 5F 00 00 00 03 00 02       ; 4099C7
            FF DB C5 85 9C 04 00 00 03 00 06       ; 4099CD
            BE 6D 88 03 27 00 00 00 03 00 02       ; 4099D7
            38 4D 84 CA 34 04 00 00 03 00 06       ; 4099DD
            FF 5C 93 1A 19 04 00 00 03 00 06       ; 4099E7
            09 AA DD D8 0F 04 00 00 03 00 06       ; 4099F1
            88 89 37 FC C4 04 00 00 03 00 06       ; 409A05
            46 4C 46 95 F0 03 00 00 03 00 06       ; 409A10
            56 5C 4D 2B E9 04 00 00 03 00 06       ; 409A1B
            C7 2D B7 CC 05 00 00 00 01 30 02       ; 409C4A
            82 5E 96 2E 27 00 00 00 03 00 02       ; 409C72
            8B 8A F0 97 03 00 00 00 01 71 02       ; 409C7D
            58 C1 F1 70 16 00 00 00 03 00 02       ; 409CAC
            EF 81 F2 34 20 00 00 00 03 01 02       ; 409CE6
            98 2B EE 7A 20 00 00 00 03 01 02       ; 409D16
            DD DF 99 07 20 00 00 00 03 01 02       ; 409D46
            6B C1 25 32 11 00 00 00 03 01 02       ; 409D85
            17 50 F5 E7 11 00 00 00 03 00 02       ; 409DB5
            3B 31 FB 09 14 00 00 00 00 75 03       ; 409DB7
            39 71 2B 0C 14 00 00 00 00 45 03       ; 409E17
            30 A5 4D B5 08 00 00 00 00 40 03       ; 409E1A
            75 D6 6C 57 07 00 00 00 03 00 02       ; 409E22
            54 A6 68 64 10 00 00 00 00 5D 03       ; 409E6F
            36 D6 4A 23 1B 00 00 00 03 00 02       ; 409E99
            8A FC 63 5E 1C 00 00 00 03 01 02       ; 409ED7
            DA 9E 64 97 01 00 00 00 01 03 02       ; 409F14

structure table
{
      dword AddressHash;
      dword offset;
      byte  Type;
      byte  Reg;
      byte  Length;(被偷指令长度)
}

对 Type = 0, Reg 表示两个 reg, (3-5)reg1, (0-2)reg2, offset 表示偏移(1 or 4 byte),  mov reg1, [reg2+offset]

对 Type = 1, Reg 表示两个 reg, (4-7)reg1, (0-3)reg2, offset 表示五种运算  xxx reg1, reg2

对 Type = 3, Reg=1 表示 JNZ,  Reg=0 表示 JZ,  offset 表示偏移(最高位表示方向, 1 or 4 byte)

0 or ,  1 and , 2 xor, 3 add, 4 sub, 5 mov
00 EAX, 01 ECX, 02 EDX, 03 EBX, 04 ESP, 05 EBP, 06 ESI, 07 EDI

写一个程序, 计算 Hash 对应的地址和对应的二进制代码, 结果如下

deNanomite STRUCT
dwAddr          DD ?             ; 对应的地址
dwLen          DD ?             ; 代码长度
dbCode          DB 8 dup(?)       ; 二进制代码
deNanomite ENDS

F8 98 40 00 02 00 00 00 75 1E 00 00 00 00 00 00
12 99 40 00 06 00 00 00 0F 84 94 00 00 00 00 00
3E 99 40 00 02 00 00 00 8B C3 00 00 00 00 00 00
92 99 40 00 02 00 00 00 8B D0 00 00 00 00 00 00
BA 99 40 00 02 00 00 00 8B EC 00 00 00 00 00 00
C7 99 40 00 02 00 00 00 74 5F 00 00 00 00 00 00
CD 99 40 00 06 00 00 00 0F 84 9C 04 00 00 00 00
D7 99 40 00 02 00 00 00 74 27 00 00 00 00 00 00
DD 99 40 00 06 00 00 00 0F 84 34 04 00 00 00 00
E7 99 40 00 06 00 00 00 0F 84 19 04 00 00 00 00
F1 99 40 00 06 00 00 00 0F 84 0F 04 00 00 00 00
05 9A 40 00 06 00 00 00 0F 84 C4 04 00 00 00 00
10 9A 40 00 06 00 00 00 0F 84 F0 03 00 00 00 00
1B 9A 40 00 06 00 00 00 0F 84 E9 04 00 00 00 00

4A 9C 40 00 02 00 00 00 8B D8 00 00 00 00 00 00
72 9C 40 00 02 00 00 00 74 27 00 00 00 00 00 00
7D 9C 40 00 02 00 00 00 03 F9 00 00 00 00 00 00
AC 9C 40 00 02 00 00 00 74 16 00 00 00 00 00 00
E6 9C 40 00 02 00 00 00 75 20 00 00 00 00 00 00
16 9D 40 00 02 00 00 00 75 20 00 00 00 00 00 00
46 9D 40 00 02 00 00 00 75 20 00 00 00 00 00 00
85 9D 40 00 02 00 00 00 75 11 00 00 00 00 00 00
B5 9D 40 00 02 00 00 00 74 11 00 00 00 00 00 00
B7 9D 40 00 03 00 00 00 8B 75 14 00 00 00 00 00

17 9E 40 00 03 00 00 00 8B 45 14 00 00 00 00 00
1A 9E 40 00 03 00 00 00 8B 40 08 00 00 00 00 00
22 9E 40 00 02 00 00 00 74 07 00 00 00 00 00 00
6F 9E 40 00 03 00 00 00 8B 5D 10 00 00 00 00 00
99 9E 40 00 02 00 00 00 74 1B 00 00 00 00 00 00
D7 9E 40 00 02 00 00 00 75 1C 00 00 00 00 00 00

14 9F 40 00 02 00 00 00 23 C3 00 00 00 00 00 00

00416054 BE 0FD4FAFE    MOV ESI,FEFAD40F
00416059 81EE 137DB9FE SUB ESI,FEB97D13                         ; 004156FC, pContext
0041605F 8D85 990880E1 LEA EAX,DWORD PTR SS:[EBP+E1800899]
00416065 2D 1B983FE1    SUB EAX,E13F981B
0041606A FFD0          CALL EAX                                  ; 004163D2, 实际到 004163E3, 见后面, 很关键 ********************************************

0041607D B8 FBCEEA6C    MOV EAX,6CEACEFB
00416082 2D F8CEE96C    SUB EAX,6CE9CEF8                         ; 10003
00416087 8D9D EDA354B8 LEA EBX,DWORD PTR SS:[EBP+B854A3ED]
0041608D 81EB DE3014B8 SUB EBX,B81430DE
00416093 FFD3          CALL EBX                                  ; 00416663, 类同 004168B0 去调用 SetThreadContext

00416095 B8 117DB8FE    MOV EAX,FEB87D11
0041609A 35 137DB9FE    XOR EAX,FEB97D13
0041609F 50             PUSH EAX                               ; DBG_CONTINUE
004160A0 FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A]
004160A6 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346]
004160AC 8D85 A46744F9 LEA EAX,DWORD PTR SS:[EBP+F94467A4]
004160B2 2D 1B1804F9    SUB EAX,F904181B
004160B7 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.ContinueDebugEvent
004160B9 8D85 7C47EC80 LEA EAX,DWORD PTR SS:[EBP+80EC477C]
004160BF 2D 73DEAB80    SUB EAX,80ABDE73
004160C4 FFE0          JMP EAX                                  ; 00415C5D

004160C9 /EB 04          JMP SHORT PESpin.004160CF
004160D2 F785 B8624000 F>TEST DWORD PTR SS:[EBP+4062B8],FFFFFFFF ; [0041560C]  单步异常次数
004160DC /75 71          JNZ SHORT PESpin.0041614F

      // 第一次单步异常
004160DE FFB5 D4624000 PUSH DWORD PTR SS:[EBP+4062D4]          ; [00415628], hMutex
004160E4 8D85 1C4F4000 LEA EAX,DWORD PTR SS:[EBP+404F1C]
004160EA 48             DEC EAX
004160EB FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.CloseHandle, 释放 Mutex

004160FE B8 09311793    MOV EAX,93173109
00416103 05 F8CEE96C    ADD EAX,6CE9CEF8                         ; 10001
00416108 8D9D 5D704512 LEA EBX,DWORD PTR SS:[EBP+1245705D]
0041610E 81EB E5FC0412 SUB EBX,1204FCE5
00416114 FFD3          CALL EBX                               ; 004166D5 去调用 GetThreadContext

004166D5 A3 FC564100    MOV DWORD PTR DS:[4156FC],EAX          ; 10001
004166DA 68 FC564100    PUSH PESpin.004156FC                   ; pContext
004166DF FFB5 36634000 PUSH DWORD PTR SS:[EBP+406336]          ; [0041568A], hThread
004166F0 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.GetThreadContext
004166F2 0BC0          OR EAX,EAX
004166F4 74 05          JE SHORT PESpin.004166FB
004166F6 B8 FC564100    MOV EAX,PESpin.004156FC
004166FB C3             RETN

00416116 96             XCHG EAX,ESI                            ; pContext->ESI
00416117 B8 9A81FFFF    MOV EAX,FFFF819A
0041611C 8D80 1E7F0000 LEA EAX,DWORD PTR DS:[EAX+7F1E]          ; B8
00416122 810406 1E000000 ADD DWORD PTR DS:[ESI+EAX],1E          ; regEip + 1E,  00415AF2->00415B10
00416129 B8 C09B55D3    MOV EAX,D3559BC0
0041612E 35 C19B54D3    XOR EAX,D3549BC1                         ; 10001
00416133 8D9D 53650E35 LEA EBX,DWORD PTR SS:[EBP+350E6553]
00416139 81EB F7EFCD34 SUB EBX,34CDEFF7
0041613F FFD3          CALL EBX                               ; 004168B0 去调用 SetThreadContext

004168C1 A3 FC564100    MOV DWORD PTR DS:[4156FC],EAX
004168C6 68 FC564100    PUSH PESpin.004156FC
004168CB FFB5 36634000 PUSH DWORD PTR SS:[EBP+406336]       ; hThread
004168D1 8D85 336C66D6 LEA EAX,DWORD PTR SS:[EBP+D6666C33]
004168D7 2D B91C26D6    SUB EAX,D6261CB9
004168DC FF10          CALL DWORD PTR DS:[EAX]             ; KERNEL32.SetThreadContext
004168DE C3             RETN

00416141 8D9D 37510614 LEA EBX,DWORD PTR SS:[EBP+14065137]
00416147 81EB C3E2C513 SUB EBX,13C5E2C3
0041614D FFE3          JMP EBX                                  ; 004161C8

0041614F EB 04          JMP SHORT PESpin.00416155                ; 实际到 416158
00416158 83BD B8624000 0>CMP DWORD PTR SS:[EBP+4062B8],1          ; 是第二次单步异常吗
0041615F 75 67          JNZ SHORT PESpin.004161C8

      // 第二次单步异常
00416161 B8 20451CD0    MOV EAX,D01C4520                         ; 第二次单步异常父进程 SMC 本身五个字节
00416166 35 CB45F7D1    XOR EAX,D1F745CB                         ; 01EB00EB
0041616B 8DBD 126A4000 LEA EDI,DWORD PTR SS:[EBP+406A12]       ; 00415D66,
00416171 AB             STOS DWORD PTR ES:[EDI]
00416172 B0 D3          MOV AL,0D3
00416174 AA             STOS BYTE PTR ES:[EDI]
0041617F 35 A1B97180    XOR EAX,8071B9A1                         ; 10001
00416184 8D9D 7472FE10 LEA EBX,DWORD PTR SS:[EBP+10FE7274]
0041618A 81EB FCFEBD10 SUB EBX,10BDFEFC
00416190 FFD3          CALL EBX                               ; PESpin.004166CC,  类同 004166D5 去调用 GetThreadContext

00416192 96             XCHG EAX,ESI                            ; PESpin.004156FC
00416193 B8 B6810200    MOV EAX,281B6
00416198 35 0E810200    XOR EAX,2810E                            ; B8
0041619D 810406 2B000000 ADD DWORD PTR DS:[ESI+EAX],2B          ; regEip + 2B,  41638B->4163B6
004161A4 EB 07          JMP SHORT PESpin.004161AD

004161B0 B8 F9CEEA6C    MOV EAX,6CEACEF9
004161B5 2D F8CEE96C    SUB EAX,6CE9CEF8                         ; 10001
004161BA 8D9D 908539DF LEA EBX,DWORD PTR SS:[EBP+DF398590]
004161C0 81EB 3410F9DE SUB EBX,DEF91034
004161C6 FFD3          CALL EBX                               ; 004168B0 去调用 SetThreadContext

   // 第三次以上单步异常
004161C8 FF85 B8624000 INC DWORD PTR SS:[EBP+4062B8]          ; 单步次数加 1
004161CE 8D85 302B129F LEA EAX,DWORD PTR SS:[EBP+9F122B30]
004161D4 2D EFBDD19E    SUB EAX,9ED1BDEF
004161D9 FFE0          JMP EAX                                  ; 00416095, 父进程已处理, 子进程不用处理

// 新线程创建的处理
004161DD E8 03000000    CALL PESpin.004161E5
004161EE 8B85 4A634000 MOV EAX,DWORD PTR SS:[EBP+40634A]       ; dwThreadID(新)
004161F4 8BBD A0624000 MOV EDI,DWORD PTR SS:[EBP+4062A0]       ; EDI-> buffer1
004161FA 03BD A4624000 ADD EDI,DWORD PTR SS:[EBP+4062A4]       ; 已使用字节数
00416200 AB             STOS DWORD PTR ES:[EDI]                ; dwThreadID

00416201 8B85 4E634000 MOV EAX,DWORD PTR SS:[EBP+40634E]       ; hThread(新)
00416207 AB             STOS DWORD PTR ES:[EDI]
00416208 8385 A462400008 ADD DWORD PTR SS:[EBP+4062A4],8          ; 用了 8 字节

0041620F 8D85 80277209    LEA EAX,DWORD PTR SS:[EBP+9722780]
00416215 2D 1FBE3109    SUB EAX,931BE1F
0041621A  ^\FFE0             JMP EAX                               ; PESpin.00415CB5, 父进程保留 dwThreadID 和 hThread

// 新线程退出的处理
0041621E 8BB5 A0624000    MOV ESI,DWORD PTR SS:[EBP+4062A0]    ; ESI->Buffer1
00416224 8B8D A4624000    MOV ECX,DWORD PTR SS:[EBP+4062A4]    ; 已使用字节数
0041622A 8B85 4A634000    MOV EAX,DWORD PTR SS:[EBP+40634A]    ; 退出的线程 ID
00416230 8D1C31          LEA EBX,DWORD PTR DS:[ECX+ESI]
00416233 3906             CMP DWORD PTR DS:[ESI],EAX             ; 搜索数组
00416235 74 0A          JE SHORT PESpin.00416241
00416237 83C6 08          ADD ESI,8
0041623A 83E9 08          SUB ECX,8
0041623D  ^ 75 F4          JNZ SHORT PESpin.00416233
0041623F EB 12          JMP SHORT PESpin.00416253             ; 没有, 直接退出

00416241 8BFE             MOV EDI,ESI                            ; 找到了, 去掉该成员
00416243 83C6 08          ADD ESI,8
00416246 83AD A4624000 08  SUB DWORD PTR SS:[EBP+4062A4],8
0041624D 87CB             XCHG EBX,ECX
0041624F 2BCE             SUB ECX,ESI
00416251 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

00416253 8D85 F5D86D01    LEA EAX,DWORD PTR SS:[EBP+16DD8F5]
00416259 2D 946F2D01    SUB EAX,12D6F94
0041625E  ^\FFE0             JMP EAX                               ; PESpin.00415CB5

   //  处理子进程的的关键代码
004163E3 60             PUSHAD
004163E4 0FB647 08    MOVZX EAX,BYTE PTR DS:[EDI+8]          ; Table.Type
004163E8 8D9D 54C01F02 LEA EBX,DWORD PTR SS:[EBP+21FC054]
004163EE 81EB EE4FDF01 SUB EBX,1DF4FEE                         ; 004163BA
004163F4 8B0483       MOV EAX,DWORD PTR DS:[EBX+EAX*4]
004163F7 2D 6FD45CE3    SUB EAX,E35CD46F
004163FC 03C5          ADD EAX,EBP                            ; 0-41641D    1-41647F       3-416539
0041640F /FFE0          JMP EAX                                  ; EAX

0041641D /EB 04          JMP SHORT PESpin.00416426
00416426 0FB65F 09    MOVZX EBX,BYTE PTR DS:[EDI+9]          ; Table.Reg
0041642A 2BC0          SUB EAX,EAX
0041642C 8AC3          MOV AL,BL
0041642E 24 07          AND AL,7
00416430 C1E0 02       SHL EAX,2                               ; * 4
00416433 8B8428 5C624000 MOV EAX,DWORD PTR DS:[EAX+EBP+40625C]    ; reg2
0041643A 807F 0A 03    CMP BYTE PTR DS:[EDI+A],3                ; offset 是 dword or byte?
0041643E 75 16          JNZ SHORT PESpin.00416456

00416440 0FBA67 04 07 BT DWORD PTR DS:[EDI+4],7                ; 符号位
00416445 73 0F          JNB SHORT PESpin.00416456
00416447 8B4F 04       MOV ECX,DWORD PTR DS:[EDI+4]
0041644A F7D9          NEG ECX                                  ; 取反
0041644C 81E1 FF000000 AND ECX,0FF
00416452 2BC1          SUB EAX,ECX                               ; reg2+offset( 1 byte, 负数)
00416454 EB 03          JMP SHORT PESpin.00416459

00416456 0347 04       ADD EAX,DWORD PTR DS:[EDI+4]             ; reg2+offset

00416459 2BC9          SUB ECX,ECX
0041645B 80C9 04       OR CL,4
0041645E E8 9F020000    CALL PESpin.00416702                      ; ReadProcessMemory [reg2+offset], 见下面
00416463 8B00          MOV EAX,DWORD PTR DS:[EAX]                ; [reg2+offset]
00416465 C0EB 03       SHR BL,3
00416468 80E3 07       AND BL,7                                  ; (3-5)
0041646B C1E3 02       SHL EBX,2
0041646E 8B9C2B 80624000 MOV EBX,DWORD PTR DS:[EBX+EBP+406280]
00416475 890433       MOV DWORD PTR DS:[EBX+ESI],EAX          ; reg1
00416478 E9 BB010000    JMP PESpin.00416638

0041647F 0FB647 09    MOVZX EAX,BYTE PTR DS:[EDI+9]          ; Table.Reg
00416483 2BDB          SUB EBX,EBX
00416485 8AD8          MOV BL,AL
00416487 80E3 0F       AND BL,0F
0041648A C0C8 04       ROR AL,4                               ; (4-7)
0041648D 24 0F          AND AL,0F
0041648F 8B9C9D 5C624000 MOV EBX,DWORD PTR SS:[EBP+EBX*4+40625C] ; reg2
00416496 8B9485 5C624000 MOV EDX,DWORD PTR SS:[EBP+EAX*4+40625C] ; reg1
0041649D 8B8485 80624000 MOV EAX,DWORD PTR SS:[EBP+EAX*4+406280] ; 004155D4
004164A4 834F 04 00    OR DWORD PTR DS:[EDI+4],0
004164A8 75 04          JNZ SHORT PESpin.004164AE
004164AA 0BD3          OR EDX,EBX                               ; 0 = or
004164AC EB 30          JMP SHORT PESpin.004164DE
004164AE 837F 04 01    CMP DWORD PTR DS:[EDI+4],1
004164B2 75 04          JNZ SHORT PESpin.004164B8
004164B4 23D3          AND EDX,EBX                            ; 1 = and
004164B6 EB 26          JMP SHORT PESpin.004164DE
004164B8 837F 04 02    CMP DWORD PTR DS:[EDI+4],2
004164BC 75 04          JNZ SHORT PESpin.004164C2
004164BE 33D3          XOR EDX,EBX                            ; 2 = xor
004164C0 EB 1C          JMP SHORT PESpin.004164DE
004164C2 837F 04 03    CMP DWORD PTR DS:[EDI+4],3
004164C6 75 04          JNZ SHORT PESpin.004164CC
004164C8 03D3          ADD EDX,EBX                            ; 3 = add
004164CA EB 12          JMP SHORT PESpin.004164DE
004164CC 837F 04 04    CMP DWORD PTR DS:[EDI+4],4
004164D0 75 04          JNZ SHORT PESpin.004164D6
004164D2 2BD3          SUB EDX,EBX                            ; 4 = sub
004164D4 EB 08          JMP SHORT PESpin.004164DE
004164D6 837F 04 05    CMP DWORD PTR DS:[EDI+4],5
004164DA 87D3          XCHG EBX,EDX                            ; 其他 mov
004164DC EB 0F          JMP SHORT PESpin.004164ED
004164DE 9C             PUSHFD
004164DF BB B8CFE96C    MOV EBX,6CE9CFB8
004164E4 81EB F8CEE96C SUB EBX,6CE9CEF8                         ; C0, Elags
004164EA 8F0433       POP DWORD PTR DS:[EBX+ESI]             ; 除了 Mov, 其他还需要处理标志位
004164ED 891430       MOV DWORD PTR DS:[EAX+ESI],EDX
004164F0 E9 43010000    JMP PESpin.00416638

00416539 BB 61BA7180    MOV EBX,8071BA61                         ; Type = 3
0041653E 81EB A1B97180 SUB EBX,8071B9A1                         ; C0
00416544 8B1433       MOV EDX,DWORD PTR DS:[EBX+ESI]          ; ESI = 004156FC, regEflag
00416547 C1EA 06       SHR EDX,6
00416553 8B47 04       MOV EAX,DWORD PTR DS:[EDI+4]             ; Table.offset
00416556 0FB65F 09    MOVZX EBX,BYTE PTR DS:[EDI+9]          ; Table.Reg
0041655A 83FB 00       CMP EBX,0
0041655D 74 02          JE SHORT PESpin.00416561
0041655F F7D2          NOT EDX
00416561 83E2 01       AND EDX,1                               ; Zf = 1 吗
00416564 4A             DEC EDX
00416565 0F85 CD000000 JNZ PESpin.00416638

0041656B 807F 0A 02    CMP BYTE PTR DS:[EDI+A],2                ; Table.Length
0041656F /74 0A          JE SHORT PESpin.0041657B
00416571 |0FBAE0 1F    BT EAX,1F                               ; 31 位
00416575 |73 2A          JNB SHORT PESpin.004165A1
00416577 |F7D8          NEG EAX                                  ; 对负数取反
00416579 |EB 0D          JMP SHORT PESpin.00416588
0041657B \0FBAE0 07    BT EAX,7                               ; 7 位
0041657F 73 20          JNB SHORT PESpin.004165A1
00416581 F7D8          NEG EAX                                  ; 对负数取反

00416583 25 FF000000    AND EAX,0FF                            ; 对 Length = 2, 只取一个 byte
00416588 BB B1E50000    MOV EBX,0E5B1
0041658D 81EB F9E40000 SUB EBX,0E4F9                            ; B8
00416593 0FB657 0A    MOVZX EDX,BYTE PTR DS:[EDI+A]
00416597 2BC2          SUB EAX,EDX
00416599 290433       SUB DWORD PTR DS:[EBX+ESI],EAX
0041659C E9 AD000000    JMP PESpin.0041664E

004165A1 BB 59FF0000    MOV EBX,0FF59
004165A6 81EB A1FE0000 SUB EBX,0FEA1                            ; B8
004165AC 0FB657 0A    MOVZX EDX,BYTE PTR DS:[EDI+A]
004165B0 03C2          ADD EAX,EDX
004165B2 010433       ADD DWORD PTR DS:[EBX+ESI],EAX          ; regEip 4098F8+20=409918
004165B5 E9 94000000    JMP PESpin.0041664E

00416638 /EB 07          JMP SHORT PESpin.00416641
00416641  ^\EB F8          JMP SHORT PESpin.0041663B
0041663B /EB 01          JMP SHORT PESpin.0041663E
0041663E /EB 04          JMP SHORT PESpin.00416644

00416644 0FB647 0A    MOVZX EAX,BYTE PTR DS:[EDI+A]          ; 跳过该条指令长度
00416648 0186 B8000000 ADD DWORD PTR DS:[ESI+B8],EAX

0041664E E8 03000000    CALL PESpin.00416656                   ; 花指令
0041665F 61             POPAD
00416660 C3             RETN

// mov reg1, [reg2+offset] 专用的一段程序

00416702 60             PUSHAD
00416703 8BBD C4624000 MOV EDI,DWORD PTR SS:[EBP+4062C4]       ; buffer2
00416709 6A 00          PUSH 0
0041670B 51             PUSH ECX                                  ; 4 byte
0041670C 57             PUSH EDI                                  ; buffer2
0041670D 50             PUSH EAX                                  ; address
0041670E FFB5 32634000 PUSH DWORD PTR SS:[EBP+406332]          ; hProcess
00416720 8D85 BFA356E9 LEA EAX,DWORD PTR SS:[EBP+E956A3BF]
00416726 2D 315416E9    SUB EAX,E9165431
0041672B FF10          CALL DWORD PTR DS:[EAX]                   ; KERNEL32.ReadProcessMemory
0041672D 61             POPAD
0041672E 8B85 C4624000 MOV EAX,DWORD PTR SS:[EBP+4062C4]       ; buffer2
00416734 C3             RETN

父进程就这么多了.

// 接下来我们看看子进程

00415AF1 F1             INT1                                     ; 单步异常, 由父进程处理 ****************************************************
00415AF2 E8 1C030000    CALL PESpin.00415E13                   ; eip -> 00415B10

00415B10 8B85 D4624000 MOV EAX,DWORD PTR SS:[EBP+4062D4]       ; hMutex
00415B16 50             PUSH EAX
00415B17 8D85 D8A388ED LEA EAX,DWORD PTR SS:[EBP+ED88A3D8]
00415B1D 2D BD5448ED    SUB EAX,ED4854BD
00415B22 FF10          CALL DWORD PTR DS:[EAX]                ; KERNEL32.CloseHandle
00415B24 C3             RETN                                     ; 004123F5

...

00414ADB 49             DEC ECX
00414ADC 9C             PUSHFD
...
00414B09  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                ; 00414ACE(ECX>0), 00414B13(ECX=0)

...
004124FB E8 00000000    CALL PESpin.00412500
00412500 58             POP EAX
00412501 05 36000000    ADD EAX,36
00412506 8D9D FC4F4000 LEA EBX,DWORD PTR SS:[EBP+404FFC]
0041250C 8918          MOV DWORD PTR DS:[EAX],EBX             ; PESpin.00414350
0041250E 33DB          XOR EBX,EBX
00412510 8D4424 F8    LEA EAX,DWORD PTR SS:[ESP-8]
00412514 64:8703       XCHG DWORD PTR FS:[EBX],EAX
00412517 8D9D D3314000 LEA EBX,DWORD PTR SS:[EBP+4031D3]
0041251D 53             PUSH EBX
0041251E 50             PUSH EAX
0041251F 83CF FF       OR EDI,FFFFFFFF
00412522 0BCF          OR ECX,EDI
00412524 F3:AE          REPE SCAS BYTE PTR ES:[EDI]             ; 非法访问异常, 子进程自己处理 *************************************************

00412540 83CD FF       OR EBP,FFFFFFFF                         ; 异常处理完, 这里继续

0041255A 5B             POP EBX                                  ; PESpin.00412559
0041255B 81C3 1E000000 ADD EBX,1E
00412561 8DB5 AC2C4000 LEA ESI,DWORD PTR SS:[EBP+402CAC]
00412567 68 FF000000    PUSH 0FF
0041256C 56             PUSH ESI
0041256D 6A 00          PUSH 0
0041256F 53             PUSH EBX
00412570  - FFA5 5C4F4000 JMP DWORD PTR SS:[EBP+404F5C]          ; KERNEL32.GetModuleFileNameA

0041257D 5B             POP EBX                                  ; PESpin.0041257C
0041257E 81C3 25000000 ADD EBX,25
00412584 6A 00          PUSH 0
00412586 68 80000000    PUSH 80
0041258B 6A 03          PUSH 3
0041258D 6A 00          PUSH 0
0041258F 6A 01          PUSH 1
00412591 68 00000080    PUSH 80000000
00412596 56             PUSH ESI
00412597 53             PUSH EBX
00412598  - FFA5 2A4F4000 JMP DWORD PTR SS:[EBP+404F2A]          ; KERNEL32.CreateFileA

004125A7 5A             POP EDX                                  ; PESpin.004125A6
004125A8 81C2 1A000000 ADD EDX,1A
004125AE 8985 AD754000 MOV DWORD PTR SS:[EBP+4075AD],EAX
004125B4 93             XCHG EAX,EBX
004125B5 6A 00          PUSH 0
004125B7 53             PUSH EBX
004125B8 52             PUSH EDX
004125B9  - FFA5 574F4000 JMP DWORD PTR SS:[EBP+404F57]             ; KERNEL32.GetFileSize

004125C6 5A             POP EDX                                  ; PESpin.004125C5
004125C7 81C2 24000000 ADD EDX,24
004125CD 8BD8          MOV EBX,EAX
004125CF 53             PUSH EBX
004125D0 8F85 B9754000 POP DWORD PTR SS:[EBP+4075B9]
004125D6 6A 04          PUSH 4
004125D8 68 00300000    PUSH 3000
004125DD 50             PUSH EAX
004125DE 6A 00          PUSH 0
004125E0 52             PUSH EDX
004125E1  - FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20]             ; KERNEL32.VirtualAlloc
004125E9 50             PUSH EAX
004125EA 8F85 E54E4000 POP DWORD PTR SS:[EBP+404EE5]             ; [00414239], bufferForFile

004125FC 5A             POP EDX                                  ; PESpin.004125FB
004125FD 81C2 1E000000 ADD EDX,1E
00412603 6A 00          PUSH 0
00412605 51             PUSH ECX
00412606 53             PUSH EBX
00412607 50             PUSH EAX
00412608 FFB5 AD754000 PUSH DWORD PTR SS:[EBP+4075AD]
0041260E 52             PUSH EDX
0041260F  - FFA5 2F4F4000 JMP DWORD PTR SS:[EBP+404F2F]             ; KERNEL32.ReadFile

0041261F 5A             POP EDX
00412620 81C2 17000000 ADD EDX,17
00412626 FFB5 AD754000 PUSH DWORD PTR SS:[EBP+4075AD]
0041262C 52             PUSH EDX
0041262D  - FFA5 1B4F4000 JMP DWORD PTR SS:[EBP+404F1B]             ; KERNEL32.CloseHandle

00412635 FFB5 B9754000 PUSH DWORD PTR SS:[EBP+4075B9]
0041263B 59             POP ECX                                  ; FileSize
0041263C 81E9 EC1C0000 SUB ECX,1CEC                               ; 一部分不检查
00412642 8DBD E54E4000 LEA EDI,DWORD PTR SS:[EBP+404EE5]
00412648 8B3F          MOV EDI,DWORD PTR DS:[EDI]
0041264A 8D85 8E6F6038 LEA EAX,DWORD PTR SS:[EBP+38606F8E]
00412650 0BC0          OR EAX,EAX

0041266D 2D 7F162038    SUB EAX,3820167F
00412672 FFD0          CALL EAX                                  ; PESpin.00414C63, 计算校验和
00412674 2985 C1754000 SUB DWORD PTR SS:[EBP+4075C1],EAX          ; [00416915]

00412680 5A             POP EDX
00412681 81C2 1E000000 ADD EDX,1E
00412687 68 00800000    PUSH 8000
0041268C 6A 00          PUSH 0
0041268E FFB5 E54E4000 PUSH DWORD PTR SS:[EBP+404EE5]             ; bufferForFile
00412694 52             PUSH EDX
00412695  - FFA5 254F4000 JMP DWORD PTR SS:[EBP+404F25]             ; KERNEL32.VirtualFree

0041269D BB 380D581C    MOV EBX,1C580D38
004126B3 33C0          XOR EAX,EAX
004126B5 68 95334000    PUSH PESpin.00403395
004126BA 64:FF30       PUSH DWORD PTR FS:[EAX]
004126BD 016C24 04    ADD DWORD PTR SS:[ESP+4],EBP             ; SEH = 004126E9
004126C1 64:8920       MOV DWORD PTR FS:[EAX],ESP
004126C4 C1EB 02       SHR EBX,2
004126C7 81EB 4E031607 SUB EBX,716034E
004126D0 F6F3          DIV BL                                     ; 除零异常, 子进程自己处理 ********************************************

0041432D 90             NOP                                        ; 异常处理完这里继续
0041432F 33DB          XOR EBX,EBX
00414331 64:8F03       POP DWORD PTR FS:[EBX]
00414334 5B             POP EBX
00414335 81EB 16000000 SUB EBX,16

0041433E 803B CC       CMP BYTE PTR DS:[EBX],0CC                ; 004126D3 有没有断点
00414341 /75 0B          JNZ SHORT PESpin.0041434E
00414343 |81E4 FFFF0000 AND ESP,0FFFF
00414349 |E8 1A000000    CALL PESpin.00414368                      ; game over
0041434E  ^\FFE3          JMP EBX                                  ; PESpin.004126D3

004126D3 8DB5 4CC83F00 LEA ESI,DWORD PTR SS:[EBP+3FC84C]
004126D9 BA E71A0000    MOV EDX,1AE7
004126E1 C1E2 02       SHL EDX,2
004126E4 03F2          ADD ESI,EDX
004126E6 FFE6          JMP ESI                                  ; 0041273C

0041274D 0FB78D E34E4000 MOVZX ECX,WORD PTR SS:[EBP+404EE3]       ; [00414237]=04 (区段数)
00412754 8B95 E94E4000 MOV EDX,DWORD PTR SS:[EBP+404EE9]          ; [0041423D]=00400060, PE 头
0041275A 81C2 F8000000 ADD EDX,0F8                               ; Section Header
00412760 8B9D B1754000 MOV EBX,DWORD PTR SS:[EBP+4075B1]          ; [00416905]=07, 前面 3 个区段都需要解密, 后面的不用
00412766 33C0          XOR EAX,EAX
00412779 51             PUSH ECX
0041277A 0FA3C3       BT EBX,EAX                               ; 前面 3 个区段都需要解密, 后面的不用
0041277D /73 67          JNB SHORT PESpin.004127E6

0041277F 52             PUSH EDX                                  ; PESpin.00400158
00412791 8B7A 0C       MOV EDI,DWORD PTR DS:[EDX+C]                ; Voffset
00412794 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF]          ; Base
0041279A 8B4A 10       MOV ECX,DWORD PTR DS:[EDX+10]             ; RawSize
0041279D 8B95 C1754000 MOV EDX,DWORD PTR SS:[EBP+4075C1]          ; [00416915] 前面的文件校验值

004127A3 D1EA          SHR EDX,1
004127A5 72 06          JB SHORT PESpin.004127AD
004127A7 81F2 31AF43ED XOR EDX,ED43AF31
004127AD 3017          XOR BYTE PTR DS:[EDI],DL                   ; 用文件校验值来解密
004127AF 47             INC EDI
004127E2 49             DEC ECX
004127E3  ^ 75 BE          JNZ SHORT PESpin.004127A3

004127E5 5A             POP EDX                                     ; PESpin.00400158

004127E6 40             INC EAX
004127E7 83C2 28       ADD EDX,28                                  ; 下一个区段
004127EA 59             POP ECX

004127FC 49             DEC ECX
004127FD 9C             PUSHFD

0041282A  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                   ; 00412779(ECX>0), 00412831(ECX=0)
00412831 E8 03000000    CALL PESpin.00412839

00412842 838D 8A614000 0>OR DWORD PTR SS:[EBP+40618A],0             ; [004154DE] ???
00412849 /74 0D          JE SHORT PESpin.00412858

0041284B 8D85 B5594000 LEA EAX,DWORD PTR SS:[EBP+4059B5]
00412851 2D D1030000    SUB EAX,3D1
00412856 FFD0          CALL EAX                                     ; 00414938

00412858 68 80010000    PUSH 180                                     ; 这里开始不要单步走, 直到 004128F7
0041285D 59             POP ECX
...
004128F1  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                   ; 00412891(ECX>0), 004128F7(ECX=0)

004128F7 8D85 EC968D65 LEA EAX,DWORD PTR SS:[EBP+658D96EC]
004128FD BB D09EA632    MOV EBX,32A69ED0
00412902 D1E3          SHL EBX,1
00412904 2BC3          SUB EAX,EBX
00412906 50             PUSH EAX
00412907 C3             RETN                                        ; 00414CA0 就对了, 否则 over

00414CA3 8DBD B4354000 LEA EDI,DWORD PTR SS:[EBP+4035B4]          ; 00412908
00414CA9 B9 A1010000    MOV ECX,1A1
...
00414D0C  ^\FF6424 FC    JMP DWORD PTR SS:[ESP-4]                   ; 00414CB7(ECX>0), 00414D15(ECX=0)

00414D15 55             PUSH EBP
00414D16 9C             PUSHFD
00414D17 E8 77000000    CALL PESpin.00414D93

00414D1D 8B5424 08          MOV EDX,DWORD PTR SS:[ESP+8]          ; 一开始的 SEH = 00414D1D
00414D21 8B4424 0C          MOV EAX,DWORD PTR SS:[ESP+C]
00414D25 8142 04 35000000    ADD DWORD PTR DS:[EDX+4],35             ; SEH 00414D1D-> 00414D52
00414D2C 81CA 29242123       OR EDX,23212429
00414D32 2BC9                SUB ECX,ECX
00414D34 2148 04             AND DWORD PTR DS:[EAX+4],ECX
00414D37 2148 08             AND DWORD PTR DS:[EAX+8],ECX
00414D3A 2148 0C             AND DWORD PTR DS:[EAX+C],ECX
00414D3D 2148 10             AND DWORD PTR DS:[EAX+10],ECX
00414D40 8160 14 F00FFFFF    AND DWORD PTR DS:[EAX+14],FFFF0FF0
00414D47 C740 18 55010000    MOV DWORD PTR DS:[EAX+18],155
00414D4E 33C0                XOR EAX,EAX
00414D50 C3                RETN                                  ; 改一下 SEH, 返回后还是同样的异常, 只是 SEH 变了

00414D93 FF0424       INC DWORD PTR SS:[ESP]                      ; PESpin.00414D1C+1
00414D96 2BDB          SUB EBX,EBX
00414D98 64:FF33       PUSH DWORD PTR FS:[EBX]
00414D9B 64:8923       MOV DWORD PTR FS:[EBX],ESP
00414D9E FB             STI                                           ; 特权指令异常(第一次到 00414D1D, 第二次到 00414D52) ************************************

00414D52 8B5424 08          MOV EDX,DWORD PTR SS:[ESP+8]
00414D56 8142 04 1B000000    ADD DWORD PTR DS:[EDX+4],1B             ; SEH 00414D52-> 00414D6D,  第二次改变
00414D60 33DB                XOR EBX,EBX
00414D62 D7                XLAT BYTE PTR DS:[EBX+AL]                ; 在异常处理中又遇到了非法访问异常, 先去系统中走一走,不能处理, 最后还是到 414D6D

00414D6D 8B6424 08          MOV ESP,DWORD PTR SS:[ESP+8]             ; 414D6D 直接恢复 ESP
00414D71 2BD2                SUB EDX,EDX
00414D73 75 1C             JNZ SHORT PESpin.00414D91
00414D75 /74 01             JE SHORT PESpin.00414D78

00414D78 64:8F02             POP DWORD PTR FS:[EDX]                   ; 0012FFE0
00414D7B 5A                POP EDX
00414D7C 81E2 30313431       AND EDX,31343130
00414D82 9D                POPFD
00414D83 5D                POP EBP

00414DAB 8DBD 55374000       LEA EDI,DWORD PTR SS:[EBP+403755]       ; 00412AA9
00414DB1 B9 57110000       MOV ECX,1157
...
00414E14  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                ; 00414DBF(ECX>0), 00414E1A(ECX=0)
00414E1A  ^\E9 E9DAFFFF       JMP PESpin.00412908

00412908 0FB78D E34E4000    MOVZX ECX,WORD PTR SS:[EBP+404EE3]       ; 区段数, 再解密一次数据
0041290F 8B95 E94E4000       MOV EDX,DWORD PTR SS:[EBP+404EE9]
00412915 81C2 F8000000       ADD EDX,0F8
00412924 68 07000000       PUSH 7                                  ; 前三个区段需要解密
00412929 5B                POP EBX
0041293A 51                PUSH ECX                                  ; 区段数

00412947 0FA3C3             BT EBX,EAX
0041294A /73 79             JNB SHORT PESpin.004129C5

0041297A 8B7A 0C             MOV EDI,DWORD PTR DS:[EDX+C]             ; Voffset
0041297D 03BD DF4E4000       ADD EDI,DWORD PTR SS:[EBP+404EDF]       ; Base
00412983 8B4A 10             MOV ECX,DWORD PTR DS:[EDX+10]             ; RawSize
00412986 50                PUSH EAX
00412987 8A07                MOV AL,BYTE PTR DS:[EDI]
...
004129AE 49                DEC ECX
004129C0 0BC9                OR ECX,ECX
004129C2  ^ 75 C3             JNZ SHORT PESpin.00412987
004129C4 58                POP EAX
004129C5 40                INC EAX
004129C6 83C2 28             ADD EDX,28

004129D3 49                DEC ECX
004129D4 9C                PUSHFD

00412A01  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                   ; 0041293A(ECX>0), 00412A08(ECX=0)
00412A08 E8 01000000       CALL PESpin.00412A0E

0041489E 33DB                XOR EBX,EBX
004148A0 55                PUSH EBP
004148A1 E8 16000000       CALL PESpin.004148BC

004148A6 2BDB                SUB EBX,EBX                               ; SEH = 004148A6
004148B1 8B6424 08          MOV ESP,DWORD PTR SS:[ESP+8]             ; 直接恢复 ESP
004148B5 64:8F03             POP DWORD PTR FS:[EBX]
004148B8 5B                POP EBX
004148B9 5D                POP EBP
004148BA /EB 4A             JMP SHORT PESpin.00414906

004148BC 64:FF33             PUSH DWORD PTR FS:[EBX]
004148BF 64:8923             MOV DWORD PTR FS:[EBX],ESP
004148C2 83E0 00             AND EAX,0
004148C5 64:3343 30          XOR EAX,DWORD PTR FS:[EBX+30]             ; PEB
004148C9 /79 1B             JNS SHORT PESpin.004148E6                ; NT 跳

004148F2 8B40 0C             MOV EAX,DWORD PTR DS:[EAX+C]
004148F5 8B40 0C             MOV EAX,DWORD PTR DS:[EAX+C]
00414901 4B                DEC EBX
00414902 0958 20             OR DWORD PTR DS:[EAX+20],EBX             ; 破坏 ImageSize, Skip *****************************************************
00414905 D7                XLAT BYTE PTR DS:[EBX+AL]                ; 非法访问异常, SEH = 004148A6 **********************************************

00414906 6A F9             PUSH -7
00414908 5A                POP EDX
00414909 59                POP ECX
0041490A 8D6424 04          LEA ESP,DWORD PTR SS:[ESP+4]
00414917 03D1                ADD EDX,ECX
00414919  ^ FFE2                JMP EDX                                     ; PESpin.00412A16

...
00412A58 E8 03000000       CALL PESpin.00412A60

00412A6A 33DB                XOR EBX,EBX
00412A6C 8D4424 F4          LEA EAX,DWORD PTR SS:[ESP-C]
00412A70 64:8703             XCHG DWORD PTR FS:[EBX],EAX
00412A73 55                PUSH EBP
00412A74 8D9D 95334000       LEA EBX,DWORD PTR SS:[EBP+403395]          ; SEH = 004126E9
00412A7A 53                PUSH EBX
00412A7B 33DB                XOR EBX,EBX

00412A86 8918                MOV DWORD PTR DS:[EAX],EBX                ; EAX=0, 非法访问异常 *******************************************************

004126E9 8B4424 04          MOV EAX,DWORD PTR SS:[ESP+4]                ; SEH
004126ED 8B4C24 0C          MOV ECX,DWORD PTR SS:[ESP+C]
004126F1 8B00                MOV EAX,DWORD PTR DS:[EAX]
004126F3 35 5B011238       XOR EAX,3812015B
004126F8 3D 5E0112F8       CMP EAX,F812015E
004126FD 75 0F             JNZ SHORT PESpin.0041270E
004126FF 8181 B8000000 E42000>ADD DWORD PTR DS:[ECX+B8],20E4             ; EIP 00412A86->00414B6A
00412709 EB 27             JMP SHORT PESpin.00412732
0041270E 3D 460112F8       CMP EAX,F8120146
00412713 75 0C             JNZ SHORT PESpin.00412721
00412715 8181 B8000000 720100>ADD DWORD PTR DS:[ECX+B8],172
0041271F EB 11             JMP SHORT PESpin.00412732
00412721 3D CF0112F8       CMP EAX,F81201CF
00412726 75 0A             JNZ SHORT PESpin.00412732
00412728 8181 B8000000 5D1C00>ADD DWORD PTR DS:[ECX+B8],1C5D
00412732 33C0                XOR EAX,EAX
00412734 C3                RETN

00414B6A 2BC0                SUB EAX,EAX
00414B6C EB 04             JMP SHORT PESpin.00414B72

00414B75 64:8F00             POP DWORD PTR FS:[EAX]                      ; 0012FFE0
00414B78 58                POP EAX
00414B79 5D                POP EBP
00414B7A 8D85 55374000       LEA EAX,DWORD PTR SS:[EBP+403755]          ; 00412AA9
00414B80 68 57110000       PUSH 1157
00414B85 59                POP ECX
00414B86 68 C3FDE514       PUSH 14E5FDC3
00414B8B 5A                POP EDX
00414B8C D1EA                SHR EDX,1
00414B8E /73 06             JNB SHORT PESpin.00414B96
00414B90 |81F2 32AF43ED       XOR EDX,ED43AF32
00414B96 \3010                XOR BYTE PTR DS:[EAX],DL                   ; SMC 解密代码
00414B98 40                INC EAX
00414B99 49                DEC ECX

00414BD0  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                   ; 00414B8C(ECX>0), 00414BD9(ECX=0)
00414BD9 2D 57110000       SUB EAX,1157
00414BDE  ^ FFE0                JMP EAX                                     ; PESpin.00412AA9

...
00412ADB 8B95 E94E4000       MOV EDX,DWORD PTR SS:[EBP+404EE9]          ; PESpin.00400060
00412AE1 81C2 F8000000       ADD EDX,0F8
00412AE7 8B7A 0C             MOV EDI,DWORD PTR DS:[EDX+C]                ; Voffset
00412AEA 03BD DF4E4000       ADD EDI,DWORD PTR SS:[EBP+404EDF]          ; +Base, edi=401000
00412AF0 6A 20             PUSH 20
00412AF2 59                POP ECX                                     ; 校验 20h 字节

00412B04 E8 02000000       CALL PESpin.00412B0B
00412B0B 58                POP EAX
00412B0C 05 16000000       ADD EAX,16
00412B11 50                PUSH EAX                                  ; 00412B1F 返回地址

00412B12 8D85 4DB8A5E5       LEA EAX,DWORD PTR SS:[EBP+E5A5B84D]
00412B18 2D 776065E5       SUB EAX,E5656077
00412B1D FFE0                JMP EAX                                     ; 00414B2A(另一种 Hash 算法)
00412B1F 2985 B5754000       SUB DWORD PTR SS:[EBP+4075B5],EAX          ; [00416909] 这里放着 401000-401020 的校验
00412B28 /0F85 4E150000       JNZ PESpin.0041407C                         ; 跳 over *************************************************************
00412B2E E8 03000000       CALL PESpin.00412B36

00412B3F 8D9D 19034900       LEA EBX,DWORD PTR SS:[EBP+490319]
00412B45 81EB 15A30800       SUB EBX,8A315                               ; 00415358
00412B73 FFD3                CALL EBX                                     ; PESpin.00415358

;=====================================================================================================================
00414B2A
00414B3B 52                PUSH EDX                                     ; PESpin.00400158
00414B3C 33D2                XOR EDX,EDX
00414B3E 8A0439             MOV AL,BYTE PTR DS:[ECX+EDI]                ; 401020
00414B41 32D0                XOR DL,AL
00414B43 B0 06             MOV AL,6

00414B45 D1EA                SHR EDX,1
00414B47 72 06             JB SHORT PESpin.00414B4F
00414B49 81F2 20292D3A       XOR EDX,3A2D2920
00414B4F 0FBAE2 08          BT EDX,8
00414B53 /73 03             JNB SHORT PESpin.00414B58
00414B55 |80E6 FE             AND DH,0FE
00414B58 \FEC8                DEC AL
00414B5A  ^\75 E9             JNZ SHORT PESpin.00414B45

00414B5C 49                DEC ECX
00414B5D  ^ 75 DF             JNZ SHORT PESpin.00414B3E
00414B5F 92                XCHG EAX,EDX
00414B60 5A                POP EDX
00414B65  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                   ; 返回 PESpin.00412B1F
;========================================================================================================================

00415361 8D85 67604000       LEA EAX,DWORD PTR SS:[EBP+406067]          ; 004153BB, 见下面 004153BA
00415367 8308 00             OR DWORD PTR DS:[EAX],0                      ; F450
0041536A 74 75             JE SHORT PESpin.004153E1                   ; 跳表示资源没加密

00415394 B9 66310000       MOV ECX,3166
00415399 8BD1                MOV EDX,ECX                                  ; size
004153A7 52                PUSH EDX
004153A8 6A 04             PUSH 4
004153AA 68 00300000       PUSH 3000
004153AF 51                PUSH ECX
004153B0 6A 00             PUSH 0
004153B2 FF95 204F4000       CALL DWORD PTR SS:[EBP+404F20]             ; KERNEL32.VirtualAlloc
004153B8 96                XCHG EAX,ESI
004153B9 5A                POP EDX                                     ; 3166
004153BA BF 50F40000       MOV EDI,0F450
004153BF 81C7 00004000       ADD EDI,PESpin.00400000                      ; 0040F450 压缩后资源放在这
004153C5 56                PUSH ESI
004153C6 57                PUSH EDI
004153C7 E8 83DCFFFF       CALL PESpin.0041304F                         ; 解压出资源, F8,  返回长度 2BB0

004153CC 91                XCHG EAX,ECX
004153CD F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]  ; 解压后再复制回 40F450
004153CF 5F                POP EDI
004153D0 5E                POP ESI
004153D4 68 00400000       PUSH 4000
004153D9 52                PUSH EDX
004153DA 56                PUSH ESI
004153DB FF95 254F4000       CALL DWORD PTR SS:[EBP+404F25]                ; KERNEL32.VirtualFree

004153ED 8D85 DA604000       LEA EAX,DWORD PTR SS:[EBP+4060DA]             ; 0041542E
004153F3 8338 00             CMP DWORD PTR DS:[EAX],0                      ; 07
004153F6 0F84 CB000000       JE PESpin.004154C7

004153FC B9 80BF0000       MOV ECX,0BF80                               ; Size (解压要用到的最大空间)
00415401 6A 04             PUSH 4
00415403 68 00300000       PUSH 3000
00415408 51                PUSH ECX
00415409 6A 00             PUSH 0
0041540B FF95 204F4000       CALL DWORD PTR SS:[EBP+404F20]                ; KERNEL32.VirtualAlloc
00415411 8985 FB604000       MOV DWORD PTR SS:[EBP+4060FB],EAX             ; 0041544F

0041541A 0FB78D E34E4000    MOVZX ECX,WORD PTR SS:[EBP+404EE3]          ; 区段数
00415421 8B95 E94E4000       MOV EDX,DWORD PTR SS:[EBP+404EE9]             ; PE 头
00415427 81C2 F8000000       ADD EDX,0F8
0041542D BB 07000000       MOV EBX,7                                     ; 前三个需要解压
00415432 2BC0                SUB EAX,EAX
00415434 51                PUSH ECX
0041543E 0FA3C3             BT EBX,EAX
00415441 73 27             JNB SHORT PESpin.0041546A

00415443 50                PUSH EAX
00415444 53                PUSH EBX
00415445 8B7A 0C             MOV EDI,DWORD PTR DS:[EDX+C]                   ; Voffset
00415448 03BD DF4E4000       ADD EDI,DWORD PTR SS:[EBP+404EDF]             ; Base
0041544E BE 00008900       MOV ESI,890000
00415453 56                PUSH ESI
00415454 57                PUSH EDI
00415455 E8 F5DBFFFF       CALL PESpin.0041304F                         ; 解压出代码
0041545A 91                XCHG EAX,ECX
00415464 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制代码到原处
00415466 5F                POP EDI
00415467 5E                POP ESI
00415468 5B                POP EBX
00415469 58                POP EAX

0041546A 40                INC EAX
0041546B 83C2 28             ADD EDX,28                                     ; 下一区段
0041546E 59                POP ECX
0041546F 49                DEC ECX
00415470 9C                PUSHFD
...
0041549D  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 00415434(ECX>0), 004154A7(ECX=0)

004154A7 /EB 01             JMP SHORT PESpin.004154AA
004154AA 8B8D A9604000       MOV ECX,DWORD PTR SS:[EBP+4060A9]
004154B0 8B85 FB604000       MOV EAX,DWORD PTR SS:[EBP+4060FB]
004154B6 0BC0                OR EAX,EAX
004154B8 74 0D             JE SHORT PESpin.004154C7
004154BA 68 00400000       PUSH 4000
004154BF 51                PUSH ECX
004154C0 56                PUSH ESI
004154C1 FF95 254F4000       CALL DWORD PTR SS:[EBP+404F25]             ; KERNEL32.VirtualFree

004154CA 8D6424 04          LEA ESP,DWORD PTR SS:[ESP+4]
004154CE 8D85 6E6D2201       LEA EAX,DWORD PTR SS:[EBP+1226D6E]
004154D4 2D 4635E200       SUB EAX,0E23546
004154D9  ^ FFE0                JMP EAX                                     ; PESpin.00412B7C

...
00414744 8BBD DF4E4000       MOV EDI,DWORD PTR SS:[EBP+404EDF]          ; PESpin.00400000
0041474A 037F 3C             ADD EDI,DWORD PTR DS:[EDI+3C]
0041474D 89BD 95544000       MOV DWORD PTR SS:[EBP+405495],EDI          ; [004147E9]= PE 头
00414753 03F8                ADD EDI,EAX                                  ; + F8
00414755 B9 62020000       MOV ECX,262
00414763 51                PUSH ECX
00414764 8D85 A9754000       LEA EAX,DWORD PTR SS:[EBP+4075A9]          ; 004168FD
0041476A 50                PUSH EAX
0041476B 6A 40             PUSH 40
0041476D 51                PUSH ECX
0041476E 57                PUSH EDI                                     ; 00400158 (Section Header)
0041476F 8DB5 104F4000       LEA ESI,DWORD PTR SS:[EBP+404F10]
00414775 FF56 06             CALL DWORD PTR DS:[ESI+6]                   ; KERNEL32.VirtualProtect (在 PE 头中制造异常) ***************************************
00414778 59                POP ECX                                     ; 262
00414779 B0 FF             MOV AL,0FF
00414787 8BF7                MOV ESI,EDI                                  ; 00400158
00414789 83C6 07             ADD ESI,7
0041478C C607 BE             MOV BYTE PTR DS:[EDI],0BE
0041478F 8977 01             MOV DWORD PTR DS:[EDI+1],ESI
00414792 C747 05 8F060000    MOV DWORD PTR DS:[EDI+5],68F
00414799 83E9 03             SUB ECX,3
0041479C 8D1C0F             LEA EBX,DWORD PTR DS:[EDI+ECX]             ; 004003B7
0041479F 66:C703 33D2       MOV WORD PTR DS:[EBX],0D233
004147A4 C643 02 C3          MOV BYTE PTR DS:[EBX+2],0C3
004147A8 53                PUSH EBX
004147A9 8F85 F94E4000       POP DWORD PTR SS:[EBP+404EF9]                ; 0041424D

004147AF 2BDB                SUB EBX,EBX
004147C6 55                PUSH EBP
004147C7 52                PUSH EDX                                     ; 004147DD (SEH)
004147C8 64:FF33             PUSH DWORD PTR FS:[EBX]
004147CB 64:8923             MOV DWORD PTR FS:[EBX],ESP
004147CE 68 F3AA9090       PUSH 9090AAF3
004147D3 FFE7                JMP EDI                                     ; 00400158
004147D5 64:8F02             POP DWORD PTR FS:[EDX]
004147D8 83C4 08             ADD ESP,8
004147DB C3                RETN

00400158 BE 5F014000       MOV ESI,PESpin.0040015F
0040015D 8F06                POP DWORD PTR DS:[ESI]                      ; 9090AAF3
0040015F F3:AA             REP STOS BYTE PTR ES:[EDI]                   ; ECX = 25F, EDI = 00400158, 不能 SMC 正在执行的代码,
00400161 90                NOP                                           ; 变成 FF, 非法指令异常, 第一次子进程自己处理 ***************************************
00400162 90                NOP

004147DD 2BDB                SUB EBX,EBX
004147DF 8B6424 08          MOV ESP,DWORD PTR SS:[ESP+8]                ; 直接恢复 Stack
004147E3 64:8F03             POP DWORD PTR FS:[EBX]
004147E6 59                POP ECX
004147E7 5D                POP EBP
004147E8 BF 60004000       MOV EDI,PESpin.00400060                      ; ASCII "PE"
004147ED 81C7 80000000       ADD EDI,80
004147F3 8B3F                MOV EDI,DWORD PTR DS:[EDI]                   ; Import Table RVA
004147F5 03BD DF4E4000       ADD EDI,DWORD PTR SS:[EBP+404EDF]             ; PESpin.00400000

00414810 8D85 104F4000       LEA EAX,DWORD PTR SS:[EBP+404F10]             ; 00414264
00414816 B9 24000000       MOV ECX,24
0041481B FF1401             CALL DWORD PTR DS:[ECX+EAX]                   ; KERNEL32.GetTickCount
0041481E 8BD8                MOV EBX,EAX
00414820 F7D3                NOT EBX
00414822 33D8                XOR EBX,EAX
00414824 43                INC EBX
00414825 68 D4000000       PUSH 0D4
0041482A 59                POP ECX
0041482B 66:35 4C50          XOR AX,504C
0041482F 66:05 8911          ADD AX,1189
00414833 AA                STOS BYTE PTR ES:[EDI]                      ; 破坏 Import Table (加壳后的)
00414837 49                DEC ECX
00414838 9C                PUSHFD
...
00414865 FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 0041482B(ECX>0), 0041486E(ECX=0)
0041486E C3                RETN                                        ; 004132DE
...

00414EEC 5B                POP EBX
00414EED 81C3 2B000000       ADD EBX,2B                                  ; 00414F16
00414EF3 68 62000000       PUSH 62                                     ; size = 62
00414EF8 59                POP ECX
00414F02 6A 04             PUSH 4
00414F04 68 00300000       PUSH 3000
00414F09 51                PUSH ECX
00414F0A 6A 00             PUSH 0
00414F0C 53                PUSH EBX
00414F0D  - FFA5 204F4000       JMP DWORD PTR SS:[EBP+404F20]                ; VirtualAlloc (Buffer for SDK Crypt Start)

00414F16 8DB5 065B4000       LEA ESI,DWORD PTR SS:[EBP+405B06]             ; 00414E5A
00414F1C 97                XCHG EAX,EDI
00414F1D 8BDF                MOV EBX,EDI
00414F1F B9 2A000000       MOV ECX,2A
00414F24 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制 2Ah 字节
00414F26 BE A506B196       MOV ESI,96B106A5
00414F2B BA FE649069       MOV EDX,699064FE
00414F30 03F2                ADD ESI,EDX
00414F32 B9 0A000000       MOV ECX,0A
00414F37 BA CD1B160D       MOV EDX,0D161BCD
00414F3C AD                LODS DWORD PTR DS:[ESI]                      ; 00416BA3 开始放 28h byte
00414F3D 4A                DEC EDX
00414F3E 03C2                ADD EAX,EDX
00414F40 42                INC EDX
00414F41 33C2                XOR EAX,EDX
00414F43 4A                DEC EDX
00414F44 C1CA 08             ROR EDX,8
00414F47 AB                STOS DWORD PTR ES:[EDI]
00414F48 49                DEC ECX
00414F49 9C                PUSHFD

00414F76  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 00414F3C(ECX>0), 00414F7B(ECX=0)
00414F7B B9 10000000       MOV ECX,10
00414F80 8DB5 305B4000       LEA ESI,DWORD PTR SS:[EBP+405B30]             ; 00414E84
00414F86 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 10h byte

00414F94 93                XCHG EAX,EBX
00414F95 B9 0A000000       MOV ECX,0A
00414F9A 8BBD D35B4000       MOV EDI,DWORD PTR SS:[EBP+405BD3]
00414FA0 03BD D85B4000       ADD EDI,DWORD PTR SS:[EBP+405BD8]             ; 00416BA3
00414FA6 F3:AB             REP STOS DWORD PTR ES:[EDI]                   ; 破坏

00414FAF 81C3 21000000       ADD EBX,21                                     ; 00414FCE
00414FB5 B9 61000000       MOV ECX,61                                     ; Size = 61
00414FBA 6A 04             PUSH 4
00414FBC 68 00300000       PUSH 3000
00414FC1 51                PUSH ECX
00414FC2 6A 00             PUSH 0
00414FC4 53                PUSH EBX
00414FC5 FFA5 204F4000       JMP DWORD PTR SS:[EBP+404F20]                ; VirtualAlloc (Buffer for SDK Crypt End)
00414FCE 8DB5 CC5A4000       LEA ESI,DWORD PTR SS:[EBP+405ACC]             ; 00414E20
00414FD4 97                XCHG EAX,EDI
00414FD5 8BDF                MOV EBX,EDI
00414FD7 B9 26000000       MOV ECX,26
00414FDC F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 00414E20

00414FEA 8BB5 D35B4000       MOV ESI,DWORD PTR SS:[EBP+405BD3]
00414FF0 03B5 D85B4000       ADD ESI,DWORD PTR SS:[EBP+405BD8]
00414FF6 83C6 28             ADD ESI,28                                     ; 00416BCB 开始放 28h byte
00414FF9 B9 0A000000       MOV ECX,0A
00414FFE BA 9B783DFD       MOV EDX,FD3D789B
00415003 AD                LODS DWORD PTR DS:[ESI]
00415004 4A                DEC EDX
00415005 03C2                ADD EAX,EDX
00415007 42                INC EDX
00415014 33C2                XOR EAX,EDX
00415016 4A                DEC EDX
00415017 C1CA 08             ROR EDX,8
0041501A AB                STOS DWORD PTR ES:[EDI]
0041501B 49                DEC ECX
0041501C 9C                PUSHFD

00415052  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 00415003(ECX>0), 0041505A(ECX=0)
0041505A B9 13000000       MOV ECX,13
0041505F 8DB5 F25A4000       LEA ESI,DWORD PTR SS:[EBP+405AF2]             ; 00416E46
00415065 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 13h byte

00415067 93                XCHG EAX,EBX
00415068 B9 0A000000       MOV ECX,0A
0041506D 8BBD D35B4000       MOV EDI,DWORD PTR SS:[EBP+405BD3]
00415073 03BD D85B4000       ADD EDI,DWORD PTR SS:[EBP+405BD8]
00415079 83C7 28             ADD EDI,28                                     ; 00416BCB
0041507C F3:AB             REP STOS DWORD PTR ES:[EDI]                   ; 破坏
0041507E 58                POP EAX

... 一大段花指令, SMC

004162EA B9 FEDE4C7B      MOV ECX,7B4CDEFE
004162EF 81F1 17E4CF9A    XOR ECX,9ACFE417
004162F5 81E9 023B83E1    SUB ECX,E1833B02
004162FB F7D9             NEG ECX                                        ; 循环 019 次
004162FD 2BDB             SUB EBX,EBX
004162FF 4B               DEC EBX
00416300 D1EB             SHR EBX,1
00416302 81F3 CD4B160E    XOR EBX,0E164BCD
00416308 81DB 25896100    SBB EBX,618925
0041630E C1E3 03          SHL EBX,3
00416311 C1C3 11          ROL EBX,11                                     ; B0D11882
00416314 8D85 A1B6114D    LEA EAX,DWORD PTR SS:[EBP+4D11B6A1]
0041631A 2D CF46D14C      SUB EAX,4CD146CF                               ; 00416326
0041631F 0118             ADD DWORD PTR DS:[EAX],EBX

00416381  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 00416300(ECX>0), 0041638A(ECX=0)  这个有点特殊, F9 不要单步

0041638A F1                INT1                                           ; 单步异常, 由父进程处理 ***********************************************************
0041638B 87DF                XCHG EDI,EBX                                  ; eip -> 004163B6

004163B6 C3                RETN                                           ; to 004134F4

004134FD F685 8E614000 01    TEST BYTE PTR SS:[EBP+40618E],1                ; [004154E2]
00413504 /74 51             JE SHORT PESpin.00413557

00413517 BB 3C080000       MOV EBX,83C                                  ; size = 0, 不处理
0041351C 0BDB                OR EBX,EBX
0041351E 74 37             JE SHORT PESpin.00413557

00413520 2BC0                SUB EAX,EAX
00413522 2185 ED4E4000       AND DWORD PTR SS:[EBP+404EED],EAX             ; 00414241, Buffer for IAT  中已用的字节数置零
0041352E 59                POP ECX                                        ; PESpin.0041352D
0041352F 6A 40             PUSH 40
00413531 68 00300000       PUSH 3000
00413536 53                PUSH EBX                                     ; size = 83C
00413537 50                PUSH EAX
00413538 8D6424 FC          LEA ESP,DWORD PTR SS:[ESP-4]
0041353C 81C1 23000000       ADD ECX,23
00413542 890C24             MOV DWORD PTR SS:[ESP],ECX                   ; 00413550
00413545  - FFA5 204F4000       JMP DWORD PTR SS:[EBP+404F20]                ; KERNEL32.VirtualAlloc (Buffer for IAT redirection)
00413550 50                PUSH EAX
00413551 8F85 E54E4000       POP DWORD PTR SS:[EBP+404EE5]                ; [00414239]=008C0000

00413557 8D85 F80F3400       LEA EAX,DWORD PTR SS:[EBP+340FF8]
0041355D 8D80 5F320C00       LEA EAX,DWORD PTR DS:[EAX+C325F]
00413563 48                DEC EAX
00413564 FFD0                CALL EAX                                     ; 004135AA
...

00415233 B9 16AAD072       MOV ECX,72D0AA16
00415238 05 3B126A06       ADD EAX,66A123B
0041523D 81F1 4F5CA762       XOR ECX,62A75C4F
00415243 81F9 9BF67710       CMP ECX,1077F69B
00415249 75 04             JNZ SHORT PESpin.0041524F
0041524B FFE0                JMP EAX                                        ; 00415302

0041524F E8 01000000       CALL PESpin.00415255
00415255 5B                POP EBX
00415256 81C3 2B000000       ADD EBX,2B                                     ; 0041527F
0041525C 68 5C000000       PUSH 5C
00415261 59                POP ECX
0041526B 6A 04             PUSH 4
0041526D 68 00300000       PUSH 3000
00415272 51                PUSH ECX                                        ; size = 5C
00415273 6A 00             PUSH 0
00415275 53                PUSH EBX
00415276  - FFA5 204F4000       JMP DWORD PTR SS:[EBP+404F20]                   ; KERNEL32.VirtualAlloc (Buffer for SDK Clear Start)

0041527F 8DB5 975E4000       LEA ESI,DWORD PTR SS:[EBP+405E97]             ; 004151EB
00415285 97                XCHG EAX,EDI
00415286 8BDF                MOV EBX,EDI
00415288 B9 22000000       MOV ECX,22
0041528D F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]    ; 复制 22h byte

004152A0 BE BA4DAB97       MOV ESI,97AB4DBA
004152A5 BA 3FE26997       MOV EDX,9769E23F
004152AA 2BF2                SUB ESI,EDX                                     ; 00416B7B
004152AC B9 0A000000       MOV ECX,0A
004152B1 BA C93EEF5E       MOV EDX,5EEF3EC9
004152B6 AD                LODS DWORD PTR DS:[ESI]
004152B7 4A                DEC EDX
004152B8 03C2                ADD EAX,EDX
004152BA 42                INC EDX
004152C7 33C2                XOR EAX,EDX
004152C9 4A                DEC EDX
004152CA C1C2 08             ROL EDX,8
004152CD AB                STOS DWORD PTR ES:[EDI]
004152CE  ^ E2 E6             LOOPD SHORT PESpin.004152B6                   ; 复制 28h 字节

004152D0 B9 11000000       MOV ECX,11
004152D5 8DB5 BA5E4000       LEA ESI,DWORD PTR SS:[EBP+405EBA]             ; 0041520E
004152DB F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制 11h byte

004152EE 93                XCHG EAX,EBX
004152EF B9 0A000000       MOV ECX,0A
004152F4 8BBD 4D5F4000       MOV EDI,DWORD PTR SS:[EBP+405F4D]
004152FA 2BBD 525F4000       SUB EDI,DWORD PTR SS:[EBP+405F52]
00415300 F3:AB             REP STOS DWORD PTR ES:[EDI]                   ; 00416B7B (破坏)

...

004135F6 8BB5 43454000       MOV ESI,DWORD PTR SS:[EBP+404543]             ; [00413897] = C160, 真正的 IAT 信息放在这
004135FC 03B5 DF4E4000       ADD ESI,DWORD PTR SS:[EBP+404EDF]             ; PESpin.00400000

0040C160  00 00 00 00 00 00 00 00 00 00 00 00 C8 C4 00 00  ................  ; 真正的 IAT, 6 个 DLL
0040C170  2C C0 00 00
00 00 00 00 00 00 00 00 00 00 00 00  ,...............
0040C180  80 C6 00 00 B0 C0 00 00
00 00 00 00 00 00 00 00  ................
0040C190  00 00 00 00 D2 C6 00 00 00 C0 00 00
00 00 00 00  ................
0040C1A0  00 00 00 00 00 00 00 00 F4 C6 00 00 10 C0 00 00  ................

0040C1B0  00 00 00 00 00 00 00 00 00 00 00 00 44 C7 00 00  ............D...
0040C1C0  9C C0 00 00
                        00 00 00 00 00 00 00 00 00 00 00 00  ................
0040C1D0  90 C7 00 00 18 C0 00 00
00 00 00 00 00 00 00 00  ................  ; 结束的标志
0040C1E0  00 00 00 00 2E 1F 01 00 10 1F 01 00             ............

00413613 3BB5 DF4E4000       CMP ESI,DWORD PTR SS:[EBP+404EDF]             ; PESpin.00400000
00413625 /75 0F             JNZ SHORT PESpin.00413636                      ; 应该跳

00413636 817E 10 101F0100    CMP DWORD PTR DS:[ESI+10],11F10                ; DLL 处理完的标志
...
0041366A /FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 0041366F(没完), 004138AB(处理完了)

0041366F 8B5E 0C             MOV EBX,DWORD PTR DS:[ESI+C]                   ; 指向 DLL Name
00413672 039D DF4E4000       ADD EBX,DWORD PTR SS:[EBP+404EDF]
00413678 8BFB                MOV EDI,EBX
0041367A E8 8B130000       CALL PESpin.00414A0A                         ; 取反解密, F8
00413686 53                PUSH EBX
00413687 50                PUSH EAX
00413688 FFB5 A24F4000       PUSH DWORD PTR SS:[EBP+404FA2]                ; KERNEL32.LoadLibraryA
0041368E 814424 04 14000000 ADD DWORD PTR SS:[ESP+4],14                   ; 返回地址 00413698
00413696 C3                RETN

00413698 85C0                TEST EAX,EAX                                  ; KERNEL32.7C570000
0041369A 0F84 AD090000       JE PESpin.0041404D

004136A0 E8 01000000       CALL PESpin.004136A6
004136A6 59                POP ECX                                     ; PESpin.004136A5
004136A7 50                PUSH EAX                                     ; DLL Base
004136A8 51                PUSH ECX
004136A9 55                PUSH EBP
004136AA 810424 66394000    ADD DWORD PTR SS:[ESP],PESpin.00403966       ; 00412CBA
004136B1 814424 04 22000>    ADD DWORD PTR SS:[ESP+4],22                   ; 返回地址 004136C7
004136B9 C3                RETN                                        ; Call 00412CBA

;=======================================================================================================================
00412CBA 分析 DLL 的 Export 一段子程序
00412CBD 59                POP ECX                                        ; PESpin.004136C7
00412CBE 5A                POP EDX                                        ; DLL Base
00412CBF 41                INC ECX
00412CC0 51                PUSH ECX                                     ; 返回地址 004136C8
00412CCA 57                PUSH EDI                                     ; PESpin.0040C4C8
00412CCB 53                PUSH EBX                                     ; DLL Name
00412CCC 8995 FE394000       MOV DWORD PTR SS:[EBP+4039FE],EDX             ; [00412D52]=7C570000
00412CD2 8BDA                MOV EBX,EDX                                  ; KERNEL32.7C570000
00412CD4 0352 3C             ADD EDX,DWORD PTR DS:[EDX+3C]                ; DLL PE 头
00412CD7 FF72 7C             PUSH DWORD PTR DS:[EDX+7C]                   ; DLL Export Size
00412CDA 8F85 F6394000       POP DWORD PTR SS:[EBP+4039F6]                ; 00412D4A

00412CE0 8B52 78             MOV EDX,DWORD PTR DS:[EDX+78]                ; DLL Export RVA
00412CE3 03D3                ADD EDX,EBX
00412CE5 52                PUSH EDX
00412CE6 8F85 F2394000       POP DWORD PTR SS:[EBP+4039F2]                ; 00412D46

00412CF5 FF72 20             PUSH DWORD PTR DS:[EDX+20]                   ; AddressOfNames
00412CF8 5F                POP EDI
00412CF9 03FB                ADD EDI,EBX
00412CFB 57                PUSH EDI
00412CFC 8F85 023A4000       POP DWORD PTR SS:[EBP+403A02]                ; 00412D56
00412D02 FF72 18             PUSH DWORD PTR DS:[EDX+18]                   ; NumberofNames
00412D05 8F85 D93A4000       POP DWORD PTR SS:[EBP+403AD9]                ; 00412E2D

00412D1A FF72 1C             PUSH DWORD PTR DS:[EDX+1C]                   ; AddressOfFunctions
00412D1D 5F                POP EDI
00412D1E 03FB                ADD EDI,EBX
00412D20 57                PUSH EDI
00412D21 8F85 063A4000       POP DWORD PTR SS:[EBP+403A06]                ; 00412D5A
00412D27 FF72 24             PUSH DWORD PTR DS:[EDX+24]                   ; AddressOfNameOrdinals
00412D2A 5F                POP EDI
00412D2B 03FB                ADD EDI,EBX
00412D2D 57                PUSH EDI
00412D2E 8F85 FA394000       POP DWORD PTR SS:[EBP+4039FA]                ; 00412D4E
00412D34 FF72 10             PUSH DWORD PTR DS:[EDX+10]                   ; Base
00412D37 8F85 203A4000       POP DWORD PTR SS:[EBP+403A20]                ; 00412D74
00412D40 5B                POP EBX                                        ; PESpin.0040C4C8
00412D41 5F                POP EDI
00412D42 C3                RETN                                           ; 004136C8
;===========================================================================================================================

004136C8 2BD2                SUB EDX,EDX
004136F7 800B 00             OR BYTE PTR DS:[EBX],0                         ; 破坏 DLL Name
004136FA 74 0D             JE SHORT PESpin.00413709                      ; 出口
004136FC 8813                MOV BYTE PTR DS:[EBX],DL
004136FE C1C2 04             ROL EDX,4
00413701 75 01             JNZ SHORT PESpin.00413704

00413704 43                INC EBX                                        ; PESpin.0040C4C8
00413705 FF6424 FC          JMP DWORD PTR SS:[ESP-4]                      ; 004136F7

00413709 93                XCHG EAX,EBX
0041370A 8B56 10             MOV EDX,DWORD PTR DS:[ESI+10]                   ; First Thunk
0041370D 0395 DF4E4000       ADD EDX,DWORD PTR SS:[EBP+404EDF]             ; 00400000
00413713 830A 00             OR DWORD PTR DS:[EDX],0
00413716 0F84 59010000       JE PESpin.00413875                            ; 一个 DLL 处理完了, 出口

00413729 8B02                MOV EAX,DWORD PTR DS:[EDX]
0041372B A9 00000080       TEST EAX,80000000
00413730 74 0A             JE SHORT PESpin.0041373C                      ; 跳, Name 导入, 否则 Oridnal 导入

00413732 25 FFFFFF7F       AND EAX,7FFFFFFF
00413737 2BFF                SUB EDI,EDI
00413739 /EB 09             JMP SHORT PESpin.00413744

0041373C 40                INC EAX                                        ; NameHash  前保留了API Name 首字母
0041373D 0385 DF4E4000       ADD EAX,DWORD PTR SS:[EBP+404EDF]             ; PESpin.00400000
00413743 97                XCHG EAX,EDI                                  ; EDI 指向 NameHash

00413744 68 5DFDD0F9       PUSH F9D0FD5D
00413749 012C24             ADD DWORD PTR SS:[ESP],EBP
0041374C 810424 B4466F06    ADD DWORD PTR SS:[ESP],66F46B4                ; 下面Call 的返回地址 00413765
00413753 68 A17D630F       PUSH 0F637DA1
00413758 812C24 9643230F    SUB DWORD PTR SS:[ESP],0F234396
0041375F 012C24             ADD DWORD PTR SS:[ESP],EBP
00413762 C3                RETN                                           ; Call 00412D5F, 返回 API 地址

; =====================================================================================================================
; 接下来的一段子程序根据 NameHash 获的 API Address
; 根据 NameHash  求 API, EDI 指向 NameHash
; 根据 Oridnal 求 API,    EDI =0,  EAX = Oridnal

00412D5F 60                PUSHAD
00412D69 0BFF                OR EDI,EDI
00412D6B 75 19             JNZ SHORT PESpin.00412D86                      ; 00412D92

00412D6D 8B9D 063A4000       MOV EBX,DWORD PTR SS:[EBP+403A06]             ; AddressOfFunctions
00412D73 2D 01000000       SUB EAX,1                                     ; Oridnal Base
00412D78 8B0483             MOV EAX,DWORD PTR DS:[EBX+EAX*4]
00412D7B 0385 FE394000       ADD EAX,DWORD PTR SS:[EBP+4039FE]             ; 根据 Oridnal 求地址 API 地址 OK
00412D81 /E9 B1000000       JMP PESpin.00412E37

00412D92 8B9D 023A4000       MOV EBX,DWORD PTR SS:[EBP+403A02]             ; AddressOfNames
00412D98 8A47 FF             MOV AL,BYTE PTR DS:[EDI-1]
00412D9B 24 7F             AND AL,7F                                     ; NameHash 前一字母, 第 8 位是标志(是否重定向)
00412D9D 8885 803A4000       MOV BYTE PTR SS:[EBP+403A80],AL                ; [00412DD4]

00412DB4 FF37                PUSH DWORD PTR DS:[EDI]                         ; DllName Hash
00412DB6 8F85 AD3A4000       POP DWORD PTR SS:[EBP+403AAD]                   ; [00412E01]
00412DBC 2BC9                SUB ECX,ECX
00412DBE 8327 00             AND DWORD PTR DS:[EDI],0                      ; 破坏

00412DCA 8B3B                MOV EDI,DWORD PTR DS:[EBX]
00412DCC 03BD FE394000       ADD EDI,DWORD PTR SS:[EBP+4039FE]             ; 从 Export 中取出名字
00412DD2 803F 47             CMP BYTE PTR DS:[EDI],47                      ; 比较首字母
00412DD5 75 50             JNZ SHORT PESpin.00412E27

00412DD7 E8 03000000       CALL PESpin.00412DDF                            ; 首字母对上了, 再比较 NameHash
00412DDF 58                POP EAX
00412DE0 8D6424 FC          LEA ESP,DWORD PTR SS:[ESP-4]
00412DE4 05 24000000       ADD EAX,24
00412DE9 870424             XCHG DWORD PTR SS:[ESP],EAX                   ; 00412EE0 下面 CALL 返回地址
00412DEC 8D85 415C028F       LEA EAX,DWORD PTR SS:[EBP+8F025C41]
00412DF2 2D BF0AC28E       SUB EAX,8EC20ABF
00412DF7 50                PUSH EAX
00412DF8 C3                RETN                                           ; 004144D6 ( Hash 函数)

00412E00 3D 3A4E99D2       CMP EAX,D2994E3A                               ; 比较 Hash
00412E05 75 20             JNZ SHORT PESpin.00412E27

00412E07 8B85 FA394000       MOV EAX,DWORD PTR SS:[EBP+4039FA]                ; AddressOfNameOrdinals
00412E0D D1E1                SHL ECX,1                                        ; 第几个
00412E0F 03C1                ADD EAX,ECX
00412E11 0FB700             MOVZX EAX,WORD PTR DS:[EAX]
00412E14 C1E0 02             SHL EAX,2
00412E17 0385 063A4000       ADD EAX,DWORD PTR SS:[EBP+403A06]                ; AddressOfFunctions
00412E1D 8B00                MOV EAX,DWORD PTR DS:[EAX]
00412E1F 0385 FE394000       ADD EAX,DWORD PTR SS:[EBP+4039FE]                ; Dll Base
00412E25 EB 10             JMP SHORT PESpin.00412E37

00412E27 83C3 04             ADD EBX,4                                        ; Export 中下一个 API
00412E2A 41                INC ECX
00412E2B 81F9 3D030000       CMP ECX,33D
00412E31  ^ 75 97             JNZ SHORT PESpin.00412DCA
00412E33 33C0                XOR EAX,EAX                                     ; 找不到, 则 API address = 0
00412E35 EB 3F             JMP SHORT PESpin.00412E76

00412E37 8BBD F2394000       MOV EDI,DWORD PTR SS:[EBP+4039F2]                ; 是否是指向另一 DLL
00412E3D 3BC7                CMP EAX,EDI
00412E3F 76 35             JBE SHORT PESpin.00412E76
00412E41 03BD F6394000       ADD EDI,DWORD PTR SS:[EBP+4039F6]
00412E47 3BF8                CMP EDI,EAX
00412E49 76 2B             JBE SHORT PESpin.00412E76

00412E4B 8DBD AC2C4000       LEA EDI,DWORD PTR SS:[EBP+402CAC]                ; 指向另一 DLL 的另一 API
00412E51 96                XCHG EAX,ESI
00412E52 33C9                XOR ECX,ECX
00412E54 8A0431             MOV AL,BYTE PTR DS:[ECX+ESI]
00412E57 3C 2E             CMP AL,2E                                        ; "."
00412E59 74 04             JE SHORT PESpin.00412E5F
00412E5B 41                INC ECX
00412E5C AA                STOS BYTE PTR ES:[EDI]
00412E5D  ^ EB F5             JMP SHORT PESpin.00412E54
00412E5F 41                INC ECX
00412E60 03F1                ADD ESI,ECX
00412E62 56                PUSH ESI
00412E63 2C 2E             SUB AL,2E
00412E65 AA                STOS BYTE PTR ES:[EDI]
00412E66 2BF9                SUB EDI,ECX
00412E68 57                PUSH EDI
00412E69 FF95 A24F4000       CALL DWORD PTR SS:[EBP+404FA2]                   ; LoadLibraryA
00412E6F 50                PUSH EAX
00412E70 FF95 A74F4000       CALL DWORD PTR SS:[EBP+404FA7]                   ; GetProcAddress

00412E76 /EB 01             JMP SHORT PESpin.00412E79
00412E79 894424 1C          MOV DWORD PTR SS:[ESP+1C],EAX                   ; KERNEL32.GetCommandLineA
00412E7D 61                POPAD
00412E7E FF0424             INC DWORD PTR SS:[ESP]                         ; 返回地址 00413766
00412EB3 0BC0                OR EAX,EAX                                     ; KERNEL32.GetCommandLineA
00412EB5 C3                RETN
; ========================================================================================================================

00413766 /0F84 A4080000       JE PESpin.00414010                               ; API　地址是否为 0

00413775 0BFF                OR EDI,EDI                                     ; 为 0 表示 Ordinal 导入
0041377A 9C                PUSHFD
...
004137A4 FF6424 FC          JMP DWORD PTR SS:[ESP-4]                         ; 004137A9(Name), 0041384A(Ordinal)

004137A9 0FBA67 FF 07       BT DWORD PTR DS:[EDI-1],7                      ; API 名字首字母最高位为 1 吗? 为 1 需要重定向, 为 0 不需要
004137E6 /FF6424 FC          JMP DWORD PTR SS:[ESP-4]                         ; 004137EB(重定向), 0041384A(不要重定向) *****************************改成 JMP 41384A

004137EB E8 03000000       CALL PESpin.004137F3
004137FC 68 ED4E4000       PUSH PESpin.00404EED
00413801 012C24             ADD DWORD PTR SS:[ESP],EBP                      ; 00414241, 参数 2, 放已用的字节数
00413804 FFB5 E54E4000       PUSH DWORD PTR SS:[EBP+404EE5]                   ; [00414239]=8C0000, Buffer For IAT redirection, 参数1

0041381B E8 03000000       CALL PESpin.00413823
00413823 5B                POP EBX
00413824 81C3 19000000       ADD EBX,19
0041382A 53                PUSH EBX                                        ; 00413839, 下面 CALL 的返回地址

0041382B 8D9D 1453288E       LEA EBX,DWORD PTR SS:[EBP+8E285314]
00413831 81EB BC1AE88D       SUB EBX,8DE81ABC
00413837  ^\FFE3                JMP EBX                                        ; PESpin.00412BAC ( Stolen API 的 CALL)

00412BAC 55             PUSH EBP
00412BAD 8BEC          MOV EBP,ESP
00412BAF 60             PUSHAD
...
00412C98 61             POPAD
00412C99 C9             LEAVE
00412C9A C2 0800       RETN 8                                           ; CALL 有两个参数, 返回 API 被偷后的新地址

00413839 0BE4                OR ESP,ESP
0041383B 75 01             JNZ SHORT PESpin.0041383E
0041384A E8 6AF6FFFF       CALL PESpin.00412EB9                            ; 修正代码中的跳转表(跳转表大部分被变形了)
0041384F

; ==============================================================================================================================
00412EC5 57                PUSH EDI
00412EC9 51                PUSH ECX                                        ; PESpin.004136C8
00412ED3 BF 8CA04000       MOV EDI,PESpin.0040A08C
00412EDB B9 8C010000       MOV ECX,18C                                     ; 6 字节一组,  0040A08C-0040A216
00412EF1 3917                CMP DWORD PTR DS:[EDI],EDX                      ; FirstThunk
00412EFF /0F84 90000000       JE PESpin.00412F95                               ;                   ********************************* 改成 JMP 00412F4B
00412F05 47                INC EDI                                           ; PESpin.0040A08C
00412F09 49                DEC ECX
00412F0A 9C                PUSHFD
...
00412F40  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                         ; 00412EF1(ECX>0), 00412F48(ECX=0)
00412F48 /EB 01             JMP SHORT PESpin.00412F4B                         ; 找不到表示壳不用处理该 API

00412F4B /EB 02             JMP SHORT PESpin.00412F4F
00412F7D 8902                MOV DWORD PTR DS:[EDX],EAX                      ; EDX 是 FirstThunk
00412F90 /E9 B2000000       JMP PESpin.00413047

00412F95 /EB 04             JMP SHORT PESpin.00412F9B                         ; 找到了, [EDI]=EDX
00412F9E 807F FF 00          CMP BYTE PTR DS:[EDI-1],0
00412FA2 /74 60             JE SHORT PESpin.00413004                         ; 实际到 00413010

00412FB5 807F FF EA          CMP BYTE PTR DS:[EDI-1],0EA
00412FB9  ^\75 90             JNZ SHORT PESpin.00412F4B                         ; 不是 0, EA 开头表示壳不用处理该 API

00412FC4 FE4F FF             DEC BYTE PTR DS:[EDI-1]                         ; EA->E9
00412FC7 83C7 04             ADD EDI,4
00412FCA 2BC7                SUB EAX,EDI
00412FCC 8947 FC             MOV DWORD PTR DS:[EDI-4],EAX                      ; 计算偏移地址
00413001 /EB 44             JMP SHORT PESpin.00413047

00413010 8907                MOV DWORD PTR DS:[EDI],EAX                      ; API 被偷后的新地址

00413047 59                POP ECX
0041304B 5F                POP EDI
0041304C C3                RETN
;================================================================================================================================

00413860 83C2 04          ADD EDX,4                                        ; 处理该 DLL 的下一个 API
0041386F  ^\E9 9FFEFFFF       JMP PESpin.00413713

00413875 8366 10 00       AND DWORD PTR DS:[ESI+10],0                      ; 破坏
00413879 74 01             JE SHORT PESpin.0041387C

0041387C 83C6 14          ADD ESI,14
00413890  ^\E9 A1FDFFFF       JMP PESpin.00413636                               ; 下一个 DLL

004138AB /EB 07             JMP SHORT PESpin.004138B4                         ; 所有 DLL 都处理完了

00413960 81EF B916320E    SUB EDI,0E3216B9                                  ; 00413ACB

0041397A F3:                PREFIX REP:
0041397B 0F31             RDTSC                                              ; 取时间
0041397D 50                PUSH EAX
0041397E F3:                PREFIX REP:
0041397F 0F31             RDTSC
00413984 8D6424 04          LEA ESP,DWORD PTR SS:[ESP+4]
0041398B 2B4424 FC          SUB EAX,DWORD PTR SS:[ESP-4]                      ; 时间差

00413992 0BC0             OR EAX,EAX
00413994 75 01             JNZ SHORT PESpin.00413997

00413997 3D FF0F0000       CMP EAX,0FFF                                     ; EAX 要小于 FFF *******************************************************
0041399C 9C                PUSHFD

004139C2 FF6424 FC          JMP DWORD PTR SS:[ESP-4]                         ; 004139FD(OK), 004139D2(Over)

00413A25 B8 EC355E6B       MOV EAX,6B5E35EC
00413A3B BB 4A58370E       MOV EBX,0E37584A
00413A40 2BC3             SUB EAX,EBX
00413A42 3D 368E9579       CMP EAX,79958E36                                  ; 相等表示没有代码被搬到 PE 头
00413A50 /74 79             JE SHORT PESpin.00413ACB

00413A52 BE 19694100       MOV ESI,PESpin.00416919
00413A57 B9 62020000       MOV ECX,262
00413A5C 51                PUSH ECX
00413A5D B0 BF             MOV AL,0BF
00413A5F 304431 FF          XOR BYTE PTR DS:[ECX+ESI-1],AL                   ; 解密
00413A6F 004C31 FF          ADD BYTE PTR DS:[ECX+ESI-1],CL
00413A73 49                DEC ECX
00413A74 9C                PUSHFD
...
00413AA1  ^\FF6424 FC          JMP DWORD PTR SS:[ESP-4]                         ; 00413A5F(ECX>0), 00413AA9(ECX=0)
00413AA9 59                POP ECX

00413ABB BF C0014000       MOV EDI,PESpin.004001C0                            ; 把代码复制到 PE 头
00413AC9 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]       ; ESI = 00416919
00413ACB 60                PUSHAD
00413ADE 61                POPAD
00413AE5 83C4 04          ADD ESP,4
00413B02 61                POPAD                                              ; 终于到伪 OEP 了

// 下面开始修复

//

一. 先写一段代码修复 40A08C 处跳转表

008C0000 60             PUSHAD
008C0001 9C             PUSHFD
008C0002 BE 8CA04000    MOV ESI,40A08C
008C0007 8A06          MOV AL,BYTE PTR DS:[ESI]
008C0009 3C EA          CMP AL,0EA
008C000B 75 0B          JNZ SHORT 008C0018
008C000D 8B5E 01       MOV EBX,DWORD PTR DS:[ESI+1]
008C0010 66:C706 FF25 MOV WORD PTR DS:[ESI],25FF
008C0015 895E 02       MOV DWORD PTR DS:[ESI+2],EBX
008C0018 83C6 06       ADD ESI,6
008C001B 81FE 16A24000 CMP ESI,40A216
008C0021  ^ 72 E4          JB SHORT 008C0007
008C0023 9D             POPFD
008C0024 61             POPAD

60 9C BE 8C A0 40 00 8A 06 3C EA 75 0B
8B 5E 01 66 C7 06 FF 25 89 5E 02 83 C6
06 81 FE 16 A2 40 00 72 E4 9D 61

//

二.脱掉 SDK Clear, 搜索 26h 长的 Clear Start, 执行一遍解密, 然后把 SDK Clear Start 和 SDK clear end 清除掉(Nop)

CLEAR_START macro
db 0EBh,24h
db 20h dup (0FBh)
dd 0000BD66h
endm

; 长度 35h, 53d
  CLEAR_END macro
db 0EBh,33h
db 02Fh  dup (0FAh)
dd 0000BD66h
  endm

共有 4 处

1.
00409918 9C                   PUSHFD                   ; SDK Clear Start(长度 26h)
00409919 60                   PUSHAD
0040991A B9 84E1001F          MOV ECX,1F00E184
0040991F BF 9AF24D97          MOV EDI,974DF29A          ; 表示 409918
00409924 81E9 65E1001F       SUB ECX,1F00E165          ; 1Fh 长度 *********************,
0040992A B8 80D1A091          MOV EAX,91A0D180
0040992F 05 039AA06E          ADD EAX,6EA09A03          ; 004168B3
00409934 FF0D 3A994000       DEC DWORD PTR DS:[40993A]  ; SMC 40993A
0040993A 0011                ADD BYTE PTR DS:[ECX],DL ; FF10, CALL [EAX]
0040993C 61                   POPAD
0040993D 9D                   POPFD                   ; (40993E-409918)=26h

1F 长代码

0040995D /EB 0B                JMP SHORT PESpin.0040996A ; SDK Clear End (长度 35h)
...
0040998A 9D                   POPFD
0040998B /EB 05                JMP SHORT PESpin.00409992
0040998D |B8 61EBF91E          MOV EAX,1EF9EB61          ; SDK END (409992-40995D)=35h
00409992

2.
00406407 9C                      PUSHFD
00406408 60                      PUSHAD
00406409 B9 00DE9659             MOV ECX,5996DE00
0040640E BF 89BD4D97             MOV EDI,974DBD89
00406413 81E9 78DD9659          SUB ECX,5996DD78       ; 88h
00406419 B8 59FF85EC             MOV EAX,EC85FF59
0040641E 05 2A6CBB13             ADD EAX,13BB6C2A
00406423 FF0D 29644000          DEC DWORD PTR DS:[406429]
00406429 0011                   ADD BYTE PTR DS:[ECX],DL
0040642B 61                      POPAD
0040642C 9D                      POPFD

88h 代码

004064B5 /EB 0B                   JMP SHORT PESpin.004064C2

004064E2 9D                      POPFD
004064E3 EB 05                   JMP SHORT PESpin.004064EA
004064E5 7A 61                   JPE SHORT PESpin.00406548
004064E7  ^ EB F9                   JMP SHORT PESpin.004064E2
004064E9 9B                      WAIT
004064EA

3.
004065B5 9C                      PUSHFD
004065B6 60                      PUSHAD
004065B7 B9 A5805778             MOV ECX,785780A5
004065BC BF 37BF4D97             MOV EDI,974DBF37
004065C1 81E9 727F5778          SUB ECX,78577F72       ; 133h
004065C7 B8 9668C1E6             MOV EAX,E6C16896
004065CC 05 ED028019             ADD EAX,198002ED
004065D1 FF0D D7654000          DEC DWORD PTR DS:[4065D7]
004065D7 0011                   ADD BYTE PTR DS:[ECX],DL
004065D9 61                      POPAD
004065DA 9D                      POPFD

133h 代码

0040670E /EB 0B                   JMP SHORT PESpin.0040671B
...
0040673B 9D                      POPFD
0040673C EB 05                   JMP SHORT PESpin.00406743
0040673E A8 61                   TEST AL,61
00406740  ^ EB F9                   JMP SHORT PESpin.0040673B
00406742 3F                      AAS
00406743

4.
00409A28 9C                      PUSHFD
00409A29 60                      PUSHAD
00409A2A B9 C92E2288             MOV ECX,88222EC9
00409A2F BF AAF34D97             MOV EDI,974DF3AA
00409A34 81E9 4F2B2288          SUB ECX,88222B4F       ; 37A
00409A3A B8 470CEAA4             MOV EAX,A4EA0C47
00409A3F 05 3C5F575B             ADD EAX,5B575F3C
00409A44 FF0D 4A9A4000          DEC DWORD PTR DS:[409A4A]
00409A4A 0011                   ADD BYTE PTR DS:[ECX],DL
00409A4C 61                      POPAD
00409A4D 9D                      POPFD

37Ah

00409DC8 /EB 0B                   JMP SHORT PESpin.00409DD5
00409DCA |0A81 E970E276          OR AL,BYTE PTR DS:[ECX+76E270E9]

00409DF5 9D                      POPFD
00409DF6 EB 05                   JMP SHORT PESpin.00409DFD
00409DF8 C561 EB                LDS ESP,FWORD PTR DS:[ECX-15]
00409DFB F9                      STC
00409DFC E5
00409DFD

//

三. 脱掉 SDK Crypt 代码

// 10 字节
CRYPT_START macro
   db 0EBh,08h
   db 6 dup(0FCh)
   db 27h,54h
endm

// 10 字节
CRYPT_END macro
      db 0EBh,08h
      db 6 dup(0FDh)
      db 54h,37h
endm

搜索 FF 15 C3 6B 41 00 这是 Crypt Start, 后面 4 字节是加密字节长度变形值
搜索 FF 15 EB 6B 41 00 这是 Crypt End, 后面 4 字节是加密字节长度变形值

共有 3 对

1.
0040675E FF15 C36B4100    CALL DWORD PTR DS:[416BC3]  ; 8a0000  定位到这里, F7 跟进执行解密( 不能用 F8, 会影响加密字节长度 **********************)
00406796 FF15 EB6B4100    CALL DWORD PTR DS:[416BEB]  ; 8b0000  执行完加密, nop 掉

2.
00406824 FF15 C36B4100    CALL DWORD PTR DS:[416BC3]  ; 被加密字节 50h byte
0040687E FF15 EB6B4100    CALL DWORD PTR DS:[416BEB]

3.
00409F0A FF15 C36B4100    CALL DWORD PTR DS:[416BC3]  ; 被加密字节 1Eh byte
00409F32 FF15 EB6B4100    CALL DWORD PTR DS:[416BEB]

//

四.修复 Nanomite 的代码

把 Nanomite 结果复制到 8c0000, 再写一段代码修复被替换的代码

008C0200 60                PUSHAD
008C0201 9C                PUSHFD
008C0202 BE 00008C00       MOV ESI,8C0000
008C0207 8B3E             MOV EDI,DWORD PTR DS:[ESI]
008C0209 83C6 04          ADD ESI,4
008C020C 8B0E             MOV ECX,DWORD PTR DS:[ESI]
008C020E 83C6 04          ADD ESI,4
008C0211 56                PUSH ESI
008C0212 F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
008C0214 5E                POP ESI
008C0215 83C6 08          ADD ESI,8
008C0218 81FE F0018C00    CMP ESI,8C01F0
008C021E  ^ 72 E7             JB SHORT 008C0207
008C0220 9D                POPFD
008C0221 61                POPAD

60 9C BE 00 00 8C 00 8B 3E 83 C6 04 8B 0E 83 C6 04
56 F3 A4 5E 83 C6 08 81 FE F0 01 8C 00 72 E7 9D 61

五. 修复被偷到 PE 头的代码 (4001c0-400418)

分成两种

004098FA .- E9 C168FFFF    JMP PESpin.004001C0
004098FF .- E9 C768FFFF    JMP PESpin.004001CB
00409904 .- E9 CD68FFFF    JMP PESpin.004001D6

008C0000 60                PUSHAD
008C0001 9C                PUSHFD
008C0002 BF 00104000       MOV EDI,401000
008C0007 8A07             MOV AL,BYTE PTR DS:[EDI]
008C0009 3C E9             CMP AL,0E9
008C000B 75 22             JNZ SHORT 008C002F
008C000D 8B47 01          MOV EAX,DWORD PTR DS:[EDI+1]
008C0010 03C7             ADD EAX,EDI
008C0012 83C0 05          ADD EAX,5
008C0015 3D C0014000       CMP EAX,4001C0
008C001A 72 13             JB SHORT 008C002F
008C001C 3D 18044000       CMP EAX,400418
008C0021 77 0C             JA SHORT 008C002F
008C0023 8BF0             MOV ESI,EAX
008C0025 B9 05000000       MOV ECX,5
008C002A F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
008C002C 4F                DEC EDI
008C002D 90                NOP
008C002E 90                NOP
008C002F 47                INC EDI
008C0030 81FF 00C04000    CMP EDI,40C000
008C0036  ^ 72 CF             JB SHORT 008C0007
008C0038 9D                POPFD
008C0039 61                POPAD

60 9C BF 00 10 40 00 8A 07 3C E9 75 22
8B 47 01 03 C7 83 C0 05 3D C0 01 40 00
72 13 3D 18 04 40 00 77 0C 8B F0 B9 05
00 00 00 F3 A4 4F 90 90 47 81 FF 00 C0
40 00 72 CF 9D 61

00409953 .  E8 9568FFFF    CALL PESpin.004001ED
00409958 .  E8 9668FFFF    CALL PESpin.004001F3

008C0000 60                PUSHAD
008C0001 9C                PUSHFD
008C0002 BF 00104000       MOV EDI,401000
008C0007 8A07             MOV AL,BYTE PTR DS:[EDI]
008C0009 3C E8             CMP AL,0E8
008C000B 75 29             JNZ SHORT 008C0036
008C000D 8B47 01          MOV EAX,DWORD PTR DS:[EDI+1]
008C0010 03C7             ADD EAX,EDI
008C0012 83C0 05          ADD EAX,5
008C0015 3D C0014000       CMP EAX,4001C0
008C001A 72 1A             JB SHORT 008C0036
008C001C 3D 18044000       CMP EAX,400418
008C0021 77 13             JA SHORT 008C0036
008C0023 8B70 01          MOV ESI,DWORD PTR DS:[EAX+1]
008C0026 03C6             ADD EAX,ESI
008C0028 83C0 05          ADD EAX,5
008C002B 2BC7             SUB EAX,EDI
008C002D 83E8 05          SUB EAX,5
008C0030 8947 01          MOV DWORD PTR DS:[EDI+1],EAX
008C0033 83C7 04          ADD EDI,4
008C0036 47                INC EDI
008C0037 81FF 00C04000    CMP EDI,40C000
008C003D  ^ 72 C8             JB SHORT 008C0007
008C003F 9D                POPFD
008C0040 61                POPAD

60 9C BF 00 10 40 00 8A 07 3C E8 75 29 8B 47 01 03 C7
83 C0 05 3D C0 01 40 00 72 1A 3D 18 04 40 00 77 13 8B
70 01 03 C6 83 C0 05 2B C7 83 E8 05 89 47 01 83 C7 04
47 81 FF 00 C0 40 00 72 C8 9D 61

6. 找出 Stolen Code
...回到主程序,  一段垃圾代码后, Stolen Code
00413B50 2BC0             SUB EAX,EAX
00413B55 68 3668CFCA       PUSH CACF6836
00413B5A 810424 4E687135    ADD DWORD PTR SS:[ESP],3571684E                   ; push 0040D084
00413B61 50                PUSH EAX                                           ; push 0
00413B65 50                PUSH EAX                                           ; push 0

00413B69 68 733B4100       PUSH PESpin.00413B73                               ; call 40a0a4
00413B6E  - E9 3165FFFF       JMP PESpin.0040A0A4
0040A0A4  - E9 D8FC187C       JMP KERNEL32.CreateMutexA

00413B73 68 7D3B4100       PUSH PESpin.00413B7D                               ; call 40a0ce
00413B78  - E9 5165FFFF       JMP PESpin.0040A0CE
0040A0CE  - E9 92E1167C       JMP KERNEL32.GetLastError

00413B7D 3D B7000000       CMP EAX,0B7                                        ; cmp eax, 0b7
00413B85  - E9 6E5DFFFF       JMP PESpin.004098F8

修复好的代码

004098E0    68 84D04000    PUSH PESpin.0040D084                               ;  ASCII "PE_SPIN_v1.3"
004098E5    6A 00          PUSH 0
004098E7    6A 00          PUSH 0
004098E9    E8 B6070000    CALL PESpin.0040A0A4                               ;  JMP to KERNEL32.CreateMutexA
004098EE    E8 DB070000    CALL PESpin.0040A0CE                               ;  JMP to KERNEL32.GetLastError
004098F3    3D B7000000    CMP EAX,0B7
004098F8    /75 1E          JNZ SHORT PESpin.00409918

//
7. 暗桩, 一共有 5 个
下断 ExitProcess, 找出其中 2 个暗桩

1.
00406617  |.  E8 0E280000 CALL unpack.00408E2A                                  ; Nop 掉

00408E2A  /$  8D05 81994000 LEA EAX,DWORD PTR DS:[409981]
00408E30  |.  B9 11000000 MOV ECX,11
00408E35  |.  BA 54030000 MOV EDX,354
00408E3A  |>  81C2 FE0F0000 /ADD EDX,0FFE
00408E40  |.  40          |INC EAX
00408E41  |.  49          |DEC ECX
00408E42  |.^ 75 F6       \JNZ SHORT unpack.00408E3A
00408E44  |.  0FB718       MOVZX EBX,WORD PTR DS:[EAX]                         ; 409992 必须是 8D90(908Dh)
00408E47  |.  81EB 3CD1FFFF SUB EBX,-2EC4
00408E4D  |.  81EB 51EF0000 SUB EBX,0EF51
00408E53  |.  0BDB       OR EBX,EBX
00408E55  |.  74 10       JE SHORT unpack.00408E67                            ; 必须跳, 否则 over
00408E57  |.  83EC 45    SUB ESP,45
00408E5A  |.  8D05 0AE72201 LEA EAX,DWORD PTR DS:[122E70A]
00408E60  |.  2D 5446E200 SUB EAX,0E24654                                     ; 40A0B6
00408E65  |.  FFE0       JMP EAX                                              ;  <JMP.&kernel32.ExitProcess>
00408E67  \>  C3          RETN

2.
00409CD3  |.  E8 EAC5FFFF CALL unpack.004062C2                                  ; Nop 掉

004062C2  /$  B8 7AA14000 MOV EAX,unpack.0040A17A
004062C7  |.  6A 0A       PUSH 0A
004062C9  |.  40          INC EAX
004062CA  |.  59          POP ECX
004062CB  |.  40          INC EAX
004062CC  |.  8A08       MOV CL,BYTE PTR DS:[EAX]                            ; 40A17C 必须是 E9
004062CE  |.  80F9 5C    CMP CL,5C
004062D1  |.  75 02       JNZ SHORT unpack.004062D5
004062D3  |.  2AD2       SUB DL,DL
004062D5  |>  80C1 17    ADD CL,17
004062D8  |.  0AC9       OR CL,CL
004062DA  |.  74 0F       JE SHORT unpack.004062EB
004062DC  |.  60          PUSHAD
004062DD  |.  55          PUSH EBP
004062DE  |.  8D05 99AE4000 LEA EAX,DWORD PTR DS:[40AE99]
004062E4  |.  2D E30D0000 SUB EAX,0DE3
004062E9  |.  FFE0       JMP EAX                                              ;  <JMP.&kernel32.ExitProcess>
004062EB  \>  C3          RETN

3. 点 OpenFile 后程序出错
00406552  /.  55          PUSH EBP
00406553  |.  8BEC       MOV EBP,ESP
00406555  |.  53          PUSH EBX
00406556  |.  57          PUSH EDI
00406557  |.  56          PUSH ESI
00406558  |.  0FB745 0C    MOVZX EAX,WORD PTR SS:[EBP+C]
0040655C  |.  66:3D 1101 CMP AX,111
00406560  |.  74 1B       JE SHORT unpack.0040657D                            ; 点三个按钮
00406562  |.  66:3D 1001 CMP AX,110
00406566  |.  74 4D       JE SHORT unpack.004065B5                            ; 初始化
00406568  |.  66:83F8 02 CMP AX,2
0040656C  |.  74 33       JE SHORT unpack.004065A1                            ; 结束
0040656E  |.  66:83F8 10 CMP AX,10
00406572  |.  74 2D       JE SHORT unpack.004065A1                            ; 结束
00406574  |.  2BC0       SUB EAX,EAX
00406576  |.  5E          POP ESI
00406577  |.  5F          POP EDI
00406578  |.  5B          POP EBX
00406579  |.  C9          LEAVE
0040657A  |.  C2 1000    RETN 10
0040657D  |>  66:837D 10 02 CMP WORD PTR SS:[EBP+10],2                         ; Exit 按钮
00406582  |.  74 1D       JE SHORT unpack.004065A1
00406584  |.  66:837D 10 03 CMP WORD PTR SS:[EBP+10],3                         ; OpenFile 按钮 (有暗桩)
00406589  |.  0F84 BD010000 JE unpack.0040674C
0040658F  |.  66:837D 10 01 CMP WORD PTR SS:[EBP+10],1                         ; ProtectFile 按钮(有暗桩)
00406594  |.  0F84 1F020000 JE unpack.004067B9
0040659A  |.  5E          POP ESI
0040659B  |.  5F          POP EDI
0040659C  |.  5B          POP EBX
0040659D  |.  C9          LEAVE
0040659E  |.  C2 1000    RETN 10
004065A1  |>  6A 00       PUSH 0                                     ; /Result = 0
004065A3  |.  FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9]                   ; |hWnd = 003D00A8 ('PESpin v1.3',class='#32770')
004065A9  |.  E8 B03B0000 CALL <JMP.&user32.EndDialog>                ; \EndDialog
004065AE  |.  5E          POP ESI
004065AF  |.  5F          POP EDI
004065B0  |.  5B          POP EBX
004065B1  |.  C9          LEAVE
004065B2  |.  C2 1000    RETN 10

// 点 OpenFile 按钮
0040674C  |> \E8 42010000 CALL unpack.00406893                               ; nop 掉

00406893  /$  2BDB       SUB EBX,EBX
00406895  |.  B8 ABA04000 MOV EAX,unpack.0040A0AB
0040689A  |.  48          DEC EAX
0040689B  |.  8A18       MOV BL,BYTE PTR DS:[EAX]                            ;40A0AA 必须为 E9
0040689D  |.  80EB 71    SUB BL,71
004068A0  |.  80EB 78    SUB BL,78
004068A3  |.  C1C3 16    ROL EBX,16                                           ; EBX 必须为 0
004068A6  |.  58          POP EAX
004068A7  |.  03C3       ADD EAX,EBX                                        ; 否则返回地址不对了
004068A9  |.  50          PUSH EAX
004068AA  \.  C3          RETN

// 点 ProtectFile 后, 能加壳, 但加壳后的程序提示文件损坏
// 这个暗桩不好找, 去掉 Pespin 的所有选项, 把加壳流程走一遍.
// 如果你写过壳, 比较容易理解的.

004067B9  |> \8D35 A1E14000 LEA ESI,DWORD PTR DS:[40E1A1]
004067BF  |.  68 FF000000 PUSH 0FF                                        ; /Count = FF (255.)
004067C4  |.  56          PUSH ESI                                        ; |Buffer => fixed.0040E1A1
004067C5  |.  6A 04       PUSH 4                                           ; |ControlID = 4
004067C7  |.  FF35 34D04000 PUSH DWORD PTR DS:[40D034]                      ; |hWnd = 0002027A (class='#32770',parent=00070234)
004067CD  |.  E8 B0390000 CALL <JMP.&user32.GetDlgItemTextA>             ; \GetDlgItemTextA

00406864  |.  68 B9E04000 PUSH fixed.0040E0B9                            ; /pThreadId = fixed.0040E0B9
00406869  |.  6A 00       PUSH 0                                           ; |CreationFlags = 0
0040686B  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]                      ; |pThreadParm
0040686E  |.  57          PUSH EDI                                        ; |ThreadFunction => fixed.004068AB, 关键, 下断
0040686F  |.  6A 00       PUSH 0                                           ; |StackSize = 0
00406871  |.  6A 00       PUSH 0                                           ; |pSecurity = NULL
00406873  |.  E8 32380000 CALL <JMP.&kernel32.CreateThread>                ; \CreateThread

004068AB  /.  55          PUSH EBP                                        ; 线程开始
004068AC  |.  8BEC       MOV EBP,ESP
004068AE  |.  83C4 FC    ADD ESP,-4
...

00406B50  |.  6A 0E       PUSH 0E                                        ; /ButtonID = E (14.)
00406B52  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406B58  |.  E8 2B360000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00406B5D  |.  48          DEC EAX
00406B5E  |.  75 41       JNZ SHORT fixed.00406BA1                         ; 是否选中了 Backup

00406BA9  |.  6A 21       PUSH 21                                        ; /ButtonID = 21 (33.)
00406BAB  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406BB1  |.  E8 D2350000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00406BB6  |.  48          DEC EAX
00406BB7  |.  75 31       JNZ SHORT fixed.00406BEA                         ; 是否选中了 Password

00406D14  |.  6A 2F       PUSH 2F                                        ; /ButtonID = 2F (47.)
00406D16  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406D1C  |.  E8 67340000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00406D21  |.  48          DEC EAX
00406D22  |.  75 7C       JNZ SHORT fixed.00406DA0                         ; 是否选中了 MS_DOS header 优化

00406DD2  |.  50          PUSH EAX
00406DD3  |.  6A 2E       PUSH 2E                                        ; /ButtonID = 2E (46.)
00406DD5  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406DDB  |.  E8 A8330000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00406DE0  |.  48          DEC EAX
00406DE1  |.  58          POP EAX
00406DE2  |.  75 0C       JNZ SHORT fixed.00406DF0                         ; 是否选中了 Code redirection, 是的话, 头部需要增加大小

00406E93  |.  8B43 78    MOV EAX,DWORD PTR DS:[EBX+78]                   ; 导出表 RVA
00406E96  |.  0BC0       OR EAX,EAX
00406E98  |.  74 0B       JE SHORT fixed.00406EA5
00406E9A  |.  50          PUSH EAX
00406E9B  |.  68 3ED54000 PUSH fixed.0040D53E                            ;  ASCII "Export  : %.8lXh"
00406EA0  |.  E8 1FB3FFFF CALL fixed.004021C4
00406EA5  |>  8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]                   ; 导入表 RVA
00406EAB  |.  50          PUSH EAX
00406EAC  |.  68 2DD54000 PUSH fixed.0040D52D                            ;  ASCII "Import  : %.8lXh"
00406EB1  |.  E8 0EB3FFFF CALL fixed.004021C4
00406EB6  |.  8B83 88000000 MOV EAX,DWORD PTR DS:[EBX+88]                   ; 资源 RVA
00406EBC  |.  0BC0       OR EAX,EAX
00406EBE  |.  74 0B       JE SHORT fixed.00406ECB

00406FFD  |.  6A 0D       PUSH 0D                                        ; /ButtonID = D (13.)
00406FFF  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407005  |.  E8 7E310000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
0040700A  |.  48          DEC EAX
0040700B  |.  75 0B       JNZ SHORT fixed.00407018                         ; 是否选中了 API redirection

0040716B  |.  6A 28       PUSH 28                                        ; /ButtonID = 28 (40.)
0040716D  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407173  |.  E8 10300000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00407178  |.  48          DEC EAX
00407179  |.  74 73       JE SHORT fixed.004071EE                         ; 是否选中了 Strip overlay

00407250  |> \6A 29       PUSH 29                                        ; /ButtonID = 29 (41.)
00407252  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407258  |.  E8 2B2F0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
0040725D  |.  48          DEC EAX
0040725E  |.  0F85 C9000000 JNZ fixed.0040732D                               ; 是否选中了 Strip .reloc section

00407341  |.  6A 0A       PUSH 0A                                        ; /ButtonID = A (10.)
00407343  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407349  |.  E8 3A2E0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
0040734E  |.  48          DEC EAX
0040734F  |.  75 6A       JNZ SHORT fixed.004073BB                         ; 是否选中了 Add Debug Dection

004073BB

// 暗桩4, 去掉这个暗桩后, 加壳的程序不提示, 直接退出了, 看来还有问题, 继续
004073D2  |.  BF 2B8F4002 MOV EDI,2408F2B
004073D7  |.  81EF 91EDFF01 SUB EDI,1FFED91                                  ; 40A19A
004073DD  |.  B0 3D       MOV AL,3D
004073DF  |.  34 D4       XOR AL,0D4                                     ; E9
004073E1  |.  3807       CMP BYTE PTR DS:[EDI],AL                         ; 40A19A 必须是 E9
004073E3  |.  74 07       JE SHORT fixed.004073EC                         ; 改成 JMP
004073E5  |.  8305 30804000>ADD DWORD PTR DS:[408030],20                   ; 影响下面 0040802F 校验和的计算
004073EC  |>  C705 6AE54000>MOV DWORD PTR DS:[40E56A],0

00407622  |.  6A 27       PUSH 27                                        ; /ButtonID = 27 (39.)
00407624  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
0040762A  |.  E8 592B0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
0040762F  |.  48          DEC EAX
00407630  |.  0F85 DF000000 JNZ fixed.00407715                               ; 是否选中了 Remove OEP

00407793  |.  51          PUSH ECX
00407794  |.  6A 2E       PUSH 2E                                        ; /ButtonID = 2E (46.)
00407796  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
0040779C  |.  E8 E7290000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
004077A1  |.  59          POP ECX
004077A2  |.  48          DEC EAX
004077A3  |.  0F85 90000000 JNZ fixed.00407839                               ; 是否选中了 Code Redirection

00407B22  |> \6A 0F       PUSH 0F                                        ; /ButtonID = F (15.)
00407B24  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407B2A  |.  E8 59260000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00407B2F  |.  48          DEC EAX
00407B30  |.  75 0D       JNZ SHORT fixed.00407B3F                         ; 是否选中了 AntiDump

00407C2C  |.  6A 2A       PUSH 2A                                        ; /ButtonID = 2A (42.)
00407C2E  |.  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407C34  |.  E8 4F250000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00407C39  |.  A3 F5E04000 MOV DWORD PTR DS:[40E0F5],EAX                   ; 是否选中了 Compress resource

00407C88  |.  51          PUSH ECX
00407C89  |.  53          PUSH EBX
00407C8A  |.  50          PUSH EAX
00407C8B  |.  E8 F0A0FFFF CALL fixed.00401D80                            ; 返回最大一块压缩区段大小, 这里有问题, F7 进去看看
00407C90  |.  8BD0       MOV EDX,EAX

00407D63  |> /833D F5E04000>/CMP DWORD PTR DS:[40E0F5],0                   ; 压缩区段
00407D6A  |. |0F84 B4000000 |JE fixed.00407E24

00407E5E  |.  E8 3D3A0000 |CALL fixed.0040B8A0                            ; 更新进度条

00407EEC  |.  8305 49E14000>|ADD DWORD PTR DS:[40E149],28
00407EF3  |.  8305 45E14000>|ADD DWORD PTR DS:[40E145],28
00407EFA  |.  FF05 41E14000 |INC DWORD PTR DS:[40E141]
00407F00  |.  59          |POP ECX
00407F01  |.  49          |DEC ECX
00407F02  |.^ 0F85 5BFEFFFF \JNZ fixed.00407D63

00407F7E .  FF73 08    PUSH DWORD PTR DS:[EBX+8]                      ; /hObject
00407F81 .  E8 06210000 CALL <JMP.&kernel32.CloseHandle>                ; \CloseHandle

0040802F .  B9 20000000 MOV ECX,20                                     ; 计算 20h 的校验和(401000-401020),
00408034 .  8B43 14    MOV EAX,DWORD PTR DS:[EBX+14]                   ; 400 Raw Offset
00408037 .  03F8       ADD EDI,EAX
00408039 .  E8 C6D7FFFF CALL fixed.00405804

0040833B > \6A 11       PUSH 11                                        ; /ButtonID = 11 (17.)
0040833D .  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00100174 (class='#32770',parent=0007025C)
00408343 .  E8 401E0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00408348 .  48          DEC EAX
00408349 .  75 24       JNZ SHORT fixed.0040836F                         ; 是否选中了 Close Program After x minute

00408376 > \6A 08       PUSH 8                                           ; /ButtonID = 8
00408378 .  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00100174 (class='#32770',parent=0007025C)
0040837E .  E8 051E0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
00408383 .  48          DEC EAX
00408384 .  75 2B       JNZ SHORT fixed.004083B1                         ; 是否选中了 Section Name( User Name)

004083B1 > \6A 15       PUSH 15                                        ; /ButtonID = 15 (21.)
004083B3 .  FF35 38D04000 PUSH DWORD PTR DS:[40D038]                      ; |hWnd = 00100174 (class='#32770',parent=0007025C)
004083B9 .  E8 CA1D0000 CALL <JMP.&user32.IsDlgButtonChecked>          ; \IsDlgButtonChecked
004083BE .  48          DEC EAX
004083BF .  75 34       JNZ SHORT fixed.004083F5                         ; 是否选中了 Random Section Name

004085C9 .  FF73 08    PUSH DWORD PTR DS:[EBX+8]                      ; /hObject
004085CC .  E8 BB1A0000 CALL <JMP.&kernel32.CloseHandle>                ; \CloseHandle

00408D35 .  FF73 08    PUSH DWORD PTR DS:[EBX+8]             ; /hObject
00408D38 .  E8 4F130000 CALL <JMP.&kernel32.CloseHandle>       ; \CloseHandle
00408D3D .  6A 00       PUSH 0                                  ; /Text = NULL
00408D3F .  6A 04       PUSH 4                                  ; |ControlID = 4
00408D41 .  FF75 08    PUSH DWORD PTR SS:[EBP+8]             ; |hWnd
00408D44 .  E8 6F140000 CALL <JMP.&user32.SetDlgItemTextA>    ; \SetDlgItemTextA
00408D49 .  6A 00       PUSH 0                                  ; /Text = NULL
00408D4B .  6A 05       PUSH 5                                  ; |ControlID = 5
00408D4D .  FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9]             ; |hWnd = 000A027A ('PESpin v1.3',class='#32770')
00408D53 .  E8 60140000 CALL <JMP.&user32.SetDlgItemTextA>    ; \SetDlgItemTextA
00408D58 .  68 47D84000 PUSH fixed.0040D847                   ; /Text = "File successfully protected"
00408D5D .  6A 05       PUSH 5                                  ; |ControlID = 5
00408D5F .  FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9]             ; |hWnd = 000A027A ('PESpin v1.3',class='#32770')
00408D65 .  E8 4E140000 CALL <JMP.&user32.SetDlgItemTextA>    ; \SetDlgItemTextA
00408D6A .  68 D5D34000 PUSH fixed.0040D3D5                   ; /lParam = 40D3D5
00408D6F .  6A 00       PUSH 0                                  ; |wParam = 0
00408D71 .  68 80010000 PUSH 180                               ; |Message = LB_ADDSTRING
00408D76 .  FF35 CDE04000 PUSH DWORD PTR DS:[40E0CD]             ; |hWnd = 90264
00408D7C .  E8 2B140000 CALL <JMP.&user32.SendMessageA>       ; \SendMessageA
00408D81 .  E8 1394FFFF CALL fixed.00402199
00408D86 .  803D 04E64000>CMP BYTE PTR DS:[40E604],0
00408D8D .  74 1C       JE SHORT fixed.00408DAB

00408E01 .  5B          POP EBX
00408E02 .  5F          POP EDI
00408E03 .  5E          POP ESI
00408E04 .  C9          LEAVE
00408E05 .  C2 0400    RETN 4                                  ; 线程结束

// 暗桩 5

00401D80  /$  55          PUSH EBP
00401D81  |.  8BEC       MOV EBP,ESP
00401D83  |.  53          PUSH EBX
00401D84  |.  52          PUSH EDX
00401D85  |.  57          PUSH EDI
00401D86  |.  56          PUSH ESI
00401D87  |.  8B5D 08    MOV EBX,DWORD PTR SS:[EBP+8]
00401D8A  |.  8B55 0C    MOV EDX,DWORD PTR SS:[EBP+C]
00401D8D  |.  8B4D 10    MOV ECX,DWORD PTR SS:[EBP+10]
00401D90  |.  2BC0       SUB EAX,EAX
00401D92  |.  2BFF       SUB EDI,EDI
00401D94  |.  2BF6       SUB ESI,ESI
00401D96  |>  0FA3C3       /BT EBX,EAX
00401D99  |.  73 0B       |JNB SHORT fixed.00401DA6
00401D9B  |.  3B7A 10    |CMP EDI,DWORD PTR DS:[EDX+10]
00401D9E  |.  77 03       |JA SHORT fixed.00401DA3
00401DA0  |.  8B7A 10    |MOV EDI,DWORD PTR DS:[EDX+10]
00401DA3  |>  0372 10    |ADD ESI,DWORD PTR DS:[EDX+10]
00401DA6  |>  40          |INC EAX
00401DA7  |.  83C2 28    |ADD EDX,28
00401DAA  |.^ E2 EA       \LOOPD SHORT fixed.00401D96
00401DAC  |.  97          XCHG EAX,EDI                                  ; 最大一块压缩区段大小
00401DAD  |.  87CE       XCHG ESI,ECX                                  ; 所有要压缩区段总的大小
00401DAF  |.  50          PUSH EAX                                        ; 开始捣乱
00401DB0  |.  B8 FEE24E00 MOV EAX,4EE2FE
00401DB5  |.  2D FE120E00 SUB EAX,0E12FE
00401DBA  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]                      ; 40D000
00401DBC  |.  2D C4F1DE08 SUB EAX,8DEF1C4
00401DC1  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]                      ; 4098F8 必须是 8DC0 (c08dh)
00401DC3  |.  25 FFFF0000 AND EAX,0FFFF
00401DC8  |.  05 867AD73F ADD EAX,3FD77A86
00401DCD  |.  3D 133BD83F CMP EAX,3FD83B13
00401DD2  |.  58          POP EAX
00401DD3  |.  74 15       JE SHORT fixed.00401DEA                         ; 改成 JMP
00401DD5  |.  8325 6AE54000>AND DWORD PTR DS:[40E56A],0
00401DDC  |.  8325 7AE54000>AND DWORD PTR DS:[40E57A],0
00401DE3  |.  8325 4DE14000>AND DWORD PTR DS:[40E14D],0
00401DEA  |>  5E          POP ESI
00401DEB  |.  5F          POP EDI
00401DEC  |.  5A          POP EDX
00401DED  |.  5B          POP EBX
00401DEE  |.  C9          LEAVE
00401DEF  \.  C2 0C00    RETN 0C

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・4

免费・7

支持

最新回复 (22)
liuyilin 雪币： 303 活跃值： (466) 能力值： ( LV2，RANK：10 ) 在线值：发帖 51 回帖 1007 粉丝 1 关注私信	liuyilin 2 楼学习ING 2005-8-5 09:12 0
小虾雪币： 2384 活跃值： (766) 能力值： (RANK：410 ) 在线值：发帖 36 回帖 2248 粉丝 7 关注私信	小虾 10 3 楼牛，收藏先。 2005-8-5 09:16 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 4 楼很有耐心 2005-8-5 09:20 0
ngaut 雪币： 267 活跃值： (235) 能力值： ( LV9，RANK：250 ) 在线值：发帖 23 回帖 92 粉丝 1 关注私信	ngaut 6 5 楼牛人，支持! 2005-8-5 09:41 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 6 楼强，支持，学习中 2005-8-5 10:41 0
random 雪币： 209 活跃值： (55) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 142 粉丝 1 关注私信	random 7 楼呵呵，瞧瞧，看看能不能从里面学点写壳经验 2005-8-5 10:41 0
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 8 楼支持! 2005-8-5 10:45 0
springkang[DFCG 雪币： 323 活跃值： (589) 能力值： ( LV12，RANK：450 ) 在线值：发帖 21 回帖 256 粉丝 3 关注私信	springkang[DFCG 11 9 楼辛苦了！ 2005-8-5 10:50 0
闪电狼雪币： 108 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 709 粉丝 0 关注私信	闪电狼 10 楼强人..学习ing~ 2005-8-5 11:11 0
askformore 雪币： 383 活跃值： (786) 能力值： ( LV12，RANK：730 ) 在线值：发帖 73 回帖 349 粉丝 2 关注私信	askformore 18 11 楼这个壳花了我很多时间, 尤其是找暗桩, 差不多把 PESpin 的加壳代码分析了一遍. 谁叫你捉着不放真是5体投d 2005-8-5 11:23 0
prince 雪币： 603 活跃值： (617) 能力值： ( LV12，RANK：660 ) 在线值：发帖 51 回帖 1874 粉丝 8 关注私信	prince 16 12 楼顶~ 2005-8-5 12:34 0
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 13 楼牛X,顶 2005-8-5 12:42 0
daxia200N 雪币： 690 活跃值： (1826) 能力值： ( LV9，RANK：250 ) 在线值：发帖 40 回帖 576 粉丝 5 关注私信	daxia200N 6 14 楼高,辛苦啦 2005-8-5 13:15 0
greentea 雪币： 2657 活跃值： (469) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 25 粉丝 2 关注私信	greentea 15 楼 acprotect->pespin 2005-8-5 17:18 0
大致asdl 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 9 粉丝 0 关注私信	大致asdl 16 楼学习中......... 2005-8-5 18:37 0
zbqy 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 34 粉丝 0 关注私信	zbqy 17 楼学习辛苦啦 2005-8-6 01:33 0
kitty 雪币： 93 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 93 粉丝 1 关注私信	kitty 18 楼好也66666666666666666 2005-8-7 16:37 0
clide2000 雪币： 301 活跃值： (300) 能力值： ( LV9，RANK：290 ) 在线值：发帖 56 回帖 1209 粉丝 2 关注私信	clide2000 7 19 楼真是个牛孩 2005-8-7 19:06 0
linhanshi 雪币： 97697 活跃值： (200734) 能力值： (RANK：10 ) 在线值：发帖 9245 回帖 27942 粉丝 450 关注私信	linhanshi 20 楼学习加研究。 2005-8-7 20:34 0
linestyle 雪币： 217 活跃值： (15) 能力值： ( LV3，RANK：20 ) 在线值：发帖 8 回帖 252 粉丝 0 关注私信	linestyle 21 楼佩服!:) 2005-8-10 10:18 0
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 21 关注私信	KuNgBiM 66 22 楼支持！牛人 2005-8-10 16:16 0
gcf 雪币： 221 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 41 粉丝 1 关注私信	gcf 23 楼好长的文章啊，看到头都疼了 2005-8-12 17:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

simonzh2000

发帖

466

回帖

970

RANK

关注

私信

他的文章

[下载]Peid 0.94 正式版发布 11529

关于我们

联系我们

企业服务

看雪公众号

最新回复 (22)
liuyilin 雪币： 303 活跃值： (466) 能力值： ( LV2，RANK：10 ) 在线值：发帖 51 回帖 1007 粉丝 1 关注私信	liuyilin 2 楼学习ING 2005-8-5 09:12 0
小虾雪币： 2384 活跃值： (766) 能力值： (RANK：410 ) 在线值：发帖 36 回帖 2248 粉丝 7 关注私信	小虾 10 3 楼牛，收藏先。 2005-8-5 09:16 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 4 楼很有耐心 2005-8-5 09:20 0
ngaut 雪币： 267 活跃值： (235) 能力值： ( LV9，RANK：250 ) 在线值：发帖 23 回帖 92 粉丝 1 关注私信	ngaut 6 5 楼牛人，支持! 2005-8-5 09:41 0
hrbx 雪币： 267 活跃值： (44) 能力值： ( LV9，RANK：330 ) 在线值：发帖 11 回帖 195 粉丝 1 关注私信	hrbx 8 6 楼强，支持，学习中 2005-8-5 10:41 0
random 雪币： 209 活跃值： (55) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 142 粉丝 1 关注私信	random 7 楼呵呵，瞧瞧，看看能不能从里面学点写壳经验 2005-8-5 10:41 0
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 8 楼支持! 2005-8-5 10:45 0
springkang[DFCG 雪币： 323 活跃值： (589) 能力值： ( LV12，RANK：450 ) 在线值：发帖 21 回帖 256 粉丝 3 关注私信	springkang[DFCG 11 9 楼辛苦了！ 2005-8-5 10:50 0
闪电狼雪币： 108 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 709 粉丝 0 关注私信	闪电狼 10 楼强人..学习ing~ 2005-8-5 11:11 0
askformore 雪币： 383 活跃值： (786) 能力值： ( LV12，RANK：730 ) 在线值：发帖 73 回帖 349 粉丝 2 关注私信	askformore 18 11 楼这个壳花了我很多时间, 尤其是找暗桩, 差不多把 PESpin 的加壳代码分析了一遍. 谁叫你捉着不放真是5体投d 2005-8-5 11:23 0
prince 雪币： 603 活跃值： (617) 能力值： ( LV12，RANK：660 ) 在线值：发帖 51 回帖 1874 粉丝 8 关注私信	prince 16 12 楼顶~ 2005-8-5 12:34 0
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 13 楼牛X,顶 2005-8-5 12:42 0
daxia200N 雪币： 690 活跃值： (1826) 能力值： ( LV9，RANK：250 ) 在线值：发帖 40 回帖 576 粉丝 5 关注私信	daxia200N 6 14 楼高,辛苦啦 2005-8-5 13:15 0
greentea 雪币： 2657 活跃值： (469) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 25 粉丝 2 关注私信	greentea 15 楼 acprotect->pespin 2005-8-5 17:18 0
大致asdl 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 9 粉丝 0 关注私信	大致asdl 16 楼学习中......... 2005-8-5 18:37 0
zbqy 雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 34 粉丝 0 关注私信	zbqy 17 楼学习辛苦啦 2005-8-6 01:33 0
kitty 雪币： 93 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 93 粉丝 1 关注私信	kitty 18 楼好也66666666666666666 2005-8-7 16:37 0
clide2000 雪币： 301 活跃值： (300) 能力值： ( LV9，RANK：290 ) 在线值：发帖 56 回帖 1209 粉丝 2 关注私信	clide2000 7 19 楼真是个牛孩 2005-8-7 19:06 0
linhanshi 雪币： 97697 活跃值： (200734) 能力值： (RANK：10 ) 在线值：发帖 9245 回帖 27942 粉丝 450 关注私信	linhanshi 20 楼学习加研究。 2005-8-7 20:34 0
linestyle 雪币： 217 活跃值： (15) 能力值： ( LV3，RANK：20 ) 在线值：发帖 8 回帖 252 粉丝 0 关注私信	linestyle 21 楼佩服!:) 2005-8-10 10:18 0
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 21 关注私信	KuNgBiM 66 22 楼支持！牛人 2005-8-10 16:16 0
gcf 雪币： 221 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 41 粉丝 1 关注私信	gcf 23 楼好长的文章啊，看到头都疼了 2005-8-12 17:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复