hying 0.76的脱壳过程
【破解作者】 wangli_com
【使用工具】 WinXP、Ollydbg、PEiD、LordPE、ImportREC 1.6F
【破解平台】 WinXP
【软件名称】 某某外挂
【加壳方式】 hying 0.76+iat乱序+抽取代码
【破解声明】 我是一菜青虫,偶得一点心得,愿与大家分享
一.前言
好长一段时间没有玩脱壳了,感觉论坛又多了一大批高手,可自己还是一个菜青虫,看着一篇篇的
精华文章,想着自己也能加一篇多好啊,我觉得这种鼓励也是玩脱壳的一种原动力吧,但更多是一种兴
趣,一种脱完壳以后的满足感,虽然这种兴趣会耗费我大量的时间和精力,但我认为值,因为我喜欢脱壳
。
二、过程简介。
以前就看过hying的壳,但当时被一大堆的seh和花指令给挡了回来,现在看完window和simonzh2000
的文章才明白是为什么,我不得不佩服hying大侠的功力,厉害啊!前些天在脱一个旧版hying程序时,
还得到了hying 大侠的指点,在此谢过了。我想写了这篇脱文会帮助hying 大侠更加强他壳的强度。
因为前几天研究过旧版,所以新版大部分代码我是用脚本走的,感觉增加了几种新的花指令,iat部分对
kernel32.dll和user32.dll进行了乱序处理,代码段中许多call进入了400000-401000代码段,需要写一段
代码进行修复。多达20几个特殊函数的处理,很多函数用壳代码直接模拟了,没有进入系统函数,大部分
是一些常用函数,我是用对比分析的方法找到的。这段模仿系统函数的代码很有意思,值得研究。
三、壳代码的分析。
1、程序需要改动的一处跳转,跳开对iat的处理。
00384981 8B7C24 24 mov edi,dword ptr ss:[esp+24]
00384985 8B7424 28 mov esi,dword ptr ss:[esp+28]
00384989 66:8B06 mov ax,word ptr ds:[esi]
0038498C 66:3D 558B cmp ax,8B55
00384990 75 4B jnz short 003849DD --------1 ;改为jmp 384d6c
。。。。。中间的一些代码省略。。。。。
00384D6C C607 68 mov byte ptr ds:[edi],68--------1
00384D6F 8977 01 mov dword ptr ds:[edi+1],esi
00384D72 C647 05 C3 mov byte ptr ds:[edi+5],0C3
2、其中的一个seh:
; Installs an SEH frame, then walks a region byte by byte with an int3 between each load and store.
; The region is addressed as [esi+ecx] with esi = ebp+404636 and ecx counting down from 0x51B.
; NOTE(review): the exception handler is not shown in this excerpt; presumably it changes al (or the
; saved context) before execution resumes, so the bytes written back are only correct when the
; packer's own handler receives the breakpoint instead of a debugger - confirm against the handler.
; NOTE(review): the first operand is listed as ds:[0]; an fs: prefix byte (64) may sit just before
; this address and have been split off by the disassembler - confirm.
0037529F FF35 00000000 push dword ptr ds:[0]
003752A5 64:8925 00000000 mov dword ptr fs:[0],esp
; fs:[0] now points at the frame just built on the stack (head of the SEH chain).
003752AC 8DB5 36464000 lea esi,dword ptr ss:[ebp+404636]
003752B2 B9 1B050000 mov ecx,51B
; Loop body: load one byte, raise a breakpoint exception, store the byte back to the same address.
003752B7 8A0431 mov al,byte ptr ds:[ecx+esi]
003752BA CC int3
003752BB 90 nop
003752BC 880431 mov byte ptr ds:[ecx+esi],al
003752BF ^ E2 F6 loopd short 003752B7
; Unlink the frame: restore the previous chain head, then drop the remaining frame dword.
003752C1 64:8F05 00000000 pop dword ptr fs:[0]
003752C8 58 pop eax
3、 用户代码解压
0037719A C785 E8454100 FFF>mov dword ptr ss:[ebp+4145E8],-1 ;385795
003771A4 8D1D E5494100 lea ebx,dword ptr ds:[4149E5]
003771AA 833C2B 00 cmp dword ptr ds:[ebx+ebp],0 ;ds:[00385B92]=00366000
003771AE EB 2B jmp short 003771DB
003771B6 /0F84 4F0C0000 je 00377E0B
; 解压结束跳到 00377E0B
003771E6 8D042B lea eax,dword ptr ds:[ebx+ebp] ;385b92
00377214 8B48 08 mov ecx,dword ptr ds:[eax+8] ;ds:[385b9a]=00086200
0037723F 8B70 04 mov esi,dword ptr ds:[eax+4] ;ds:[385b96]=1000
0037726F 03B5 4C414100 add esi,dword ptr ss:[ebp+41414C] ; main.00400000
003772A2 8BFE mov edi,esi ; main.00401000
003772CE 8D85 5F464100 lea eax,dword ptr ss:[ebp+41465F] ;38580c
003772FD 50 push eax ;38580c
00377328 51 push ecx ;86200
00377352 56 push esi ; main.00401000
00377380 E8 66BD0000 call 003830EB ;f7进入
003773AF 53 push ebx ;4149e5
003773DD 6A 04 push 4
00377408 68 00100000 push 1000
00377432 FF342B push dword ptr ds:[ebx+ebp] ;366000
00377435 6A 00 push 0
00377437 8D85 0D684000 lea eax,dword ptr ss:[ebp+40680D]
0037743D 50 push eax ;eax=003779BA
0037758D 8B85 44414100 mov eax,dword ptr ss:[ebp+414144] ; kernel32.VirtualAlloc
003779C1 5B pop ebx ;4149e5
003779EE 8BF0 mov esi,eax ;eax=cf0000
00377A18 8BC3 mov eax,ebx
00377A45 03C5 add eax,ebp ;eax=385b92
00377A70 8B78 04 mov edi,dword ptr ds:[eax+4] ;ds:[00385B96]=00001000
00377A9E 03BD 4C414100 add edi,dword ptr ss:[ebp+41414C] ;ss:[003852F9]=00400000
00377ACE 8D85 40414100 lea eax,dword ptr ss:[ebp+414140];地址=003852ED
00377B00 8938 mov dword ptr ds:[eax],edi ; main.00401000
00377B30 56 push esi
00377B5D 50 push eax
00377B92 8D85 0E6A4000 lea eax,dword ptr ss:[ebp+406A0E] ;377bbb
00377B9C 50 push eax
00377BA6 83C4 04 add esp,4
00377BA9 8B85 CC414100 mov eax,dword ptr ss:[ebp+4141CC] ;7ec17f
00377BB5 /E9 60CC0000 jmp 0038481A
00377BE4 8B0C2B mov ecx,dword ptr ds:[ebx+ebp] ;ds:[00385B92]=00366000
00377C11 56 push esi
00377C3C 51 push ecx
00377C3D C1E9 02 shr ecx,2
00377C40 F3:A5 rep movs dword ptr es:[edi],dword p>
00377C42 59 pop ecx
00377C43 83E1 03 and ecx,3
00377C46 F3:A4 rep movs byte ptr es:[edi],byte ptr>
ecx=00000000 (十进制 0.)
ds:[esi]=[01056000]=???
es:[edi]=[00767000]=00
00377C71 5E pop esi
00377C9D 53 push ebx
00377CC8 68 00800000 push 8000
00377CF8 6A 00 push 0
00377D28 56 push esi
00377D5B 8D85 D86B4000 lea eax,dword ptr ss:[ebp+406BD8] ;377d85
00377D65 50 push eax
00377D72 8B85 48414100 mov eax,dword ptr ss:[ebp+414148] ; kernel32.VirtualFree
00377D7E /E9 97CA0000 jmp 0038481A
00377DB0 5B pop ebx
00377DDF 83C3 0C add ebx,0C
00377E06 ^\E9 9FF3FFFF jmp 003771AA
4. 检查调试器ZwSetInformationThread
; Anti-debug call: four stdcall arguments are pushed right to left for ZwSetInformationThread
; (the author's annotation below identifies edi as that function).
;   ThreadInformationLength = 0
;   ThreadInformation       = 0 (NULL)
;   ThreadInformationClass  = 0x11 (ThreadHideFromDebugger)
;   ThreadHandle            = -2   (pseudo-handle for the current thread)
; With class 0x11 the kernel stops delivering this thread's debug events to an attached debugger.
; For analysts, the constant pair (0x11, -2) passed to this API is a reliable marker of the check.
00377183 6A 00 push 0
00377185 6A 00 push 0
00377187 6A 11 push 11
00377189 6A FE push -2
; The return address is pushed by hand and the target is reached with a jmp instead of a call.
0037718B 8D85 ED5F4000 lea eax,dword ptr ss:[ebp+405FED]
00377191 50 push eax
00377192 8BC7 mov eax,edi -----ZwSetInformationThread
; NOTE(review): 00384DBE is not shown here; presumably it transfers control to the address in eax - confirm.
00377194 E9 25DC0000 jmp 00384DBE
5. 处理 IAT,这是我重点讨论的地方。
00377E0B 8DB5 2D6E4000 lea esi,dword ptr ss:[ebp+406E2D] ;377fda
00377F60 87E6 xchg esi,esp
00377F62 B9 C59A0000 mov ecx,9AC5
00377F67 58 pop eax
00377F6E F6D0 not al
00377F7B 50 push eax
00377F82 44 inc esp
00377F88 ^\E2 DD loopd short 00377F67
; 在 Stack 执行, 解密 377fda 开始的代码
00377F8A 87E6 xchg esi,esp
00377F8C 6A 04 push 4
00377F8E 68 00100000 push 1000
00377F93 68 00200000 push 2000
00377F98 6A 00 push 0
00377FA3 8D85 206E4000 lea eax,dword ptr ss:[ebp+406E20] ;377fcd
00377FAD 50 push eax
00377FBA 8B85 44414100 mov eax,dword ptr ss:[ebp+414144] ; kernel32.VirtualAlloc
00377FC6 /E9 4FC80000 jmp 0038481A
00377FCD 8985 6D4A4100 mov dword ptr ss:[ebp+414A6D],eax ;[385c1a]=0cf0000
00377FD3 83A5 714A4100 00 and dword ptr ss:[ebp+414A71],0 ;ss:[00385C1E]=00000000
00377FDA 8B85 7C414100 mov eax,dword ptr ss:[ebp+41417C]
;ss:[00385329]=00000001, IAT 被加密的标志
0037800D 0BC0 or eax,eax
0037800F 0F85 AF090000 jnz 003789C4
003789C4 8D95 901E4000 lea edx,dword ptr ss:[ebp+401E90] ;37303d
003789F7 0395 A0414100 add edx,dword ptr ss:[ebp+4141A0] ;ss:[0038534D]=00012F6D
003789FD 8B3A mov edi,dword ptr ds:[edx] ;ds:[00385FAA]=00000003
;; IAT 开始的地方 ######## 下一个 DLL#######
00378B4E 0BFF or edi,edi
00378B50 75 05 jnz short 00378B57
00378B52 E9 F84D0000 jmp 0037D94F -----处理完iat跳走
00378B57 83C2 05 add edx,5 ; EDX 指向 DLL 的名字
00378CA9 8BF2 mov esi,edx ; ESI 指向 DLL 的名字
00378CAB 56 push esi
00378CB5 8D85 327B4000 lea eax,dword ptr ss:[ebp+407B32] ;; 返回地址 378cdf
00378CBF 50 push eax
00378CCC 8B85 38414100 mov eax,dword ptr ss:[ebp+414138] ; kernel32.GetModuleHandleA
00378CD8 /E9 3DBB0000 jmp 0038481A
00378CDF 0BC0 or eax,eax ; ADVAPI32.77DA0000
00378CE1 75 3D jnz short 00378D20
; DLL 已加载
00378CE3 56 push esi
00378CED 8D85 6A7B4000 lea eax,dword ptr ss:[ebp+407B6A] ;00378D17
00378CF7 50 push eax
00378D04 8B85 34414100 mov eax,dword ptr ss:[ebp+414134] ; KERNEL32.LoadLibraryA
00378D10 /E9 05BB0000 jmp 0038481A
00378D17 0BC0 or eax,eax ; DLL base Memory
00378D19 75 05 jnz short 00378D20
------ ; LoadLibrary OK, 跳, 花指令后到 12FF90-------
00378D28 87EF xchg edi,ebp ;edi=1
00378D55 68 E8EB6B3C push 3C6BEBE8
00378D82 68 256A0AFF push FF0A6A25
00378DB2 68 03142974 push 74291403
00378DE3 68 E925620D push 0D6225E9
00378E16 68 E75DA500 push 0A55DE7
0012FF90 0FB64E FF movzx ecx,byte ptr ds:[esi-1]
ds:[00385FAE]=0C (Form Feed), ;; DLL 名字字符长度, 跳过
0012FF94 01CE add esi,ecx
0012FF96 89F2 mov edx,esi
0012FF99 FFC2 inc edx ;; Null 结尾
0012FF9B 8BCD mov ecx,ebp ebp=00000003 ,ecx=0000000C
0012FF9D 81E1 00000080 and ecx,80000000
0012FFA3 C3 retn
00378F88 87EF xchg edi,ebp
00378F8A 8BF0 mov esi,eax
00378F8C 0BC9 or ecx,ecx
00378F8E 0F85 A5070000 jnz 00379739
; 8X XX XX XX 是重定向的标志, 两种字符加密方式也不一样
00378F94 8BCF mov ecx,edi
003790E5 8B3A mov edi,dword ptr ds:[edx] ;ds:[00385FBC]=00343270
;edi=00000003
003790E7 03BD 4C414100 add edi,dword ptr ss:[ebp+41414C] ;ss:[003852F9]=00400000
-->edi=iat函数存放的地址
003790ED 83C2 04 add edx,4
003790F0 51 push ecx ; ; 开始处理每一个 API
003790F1 0FB602 movzx eax,byte ptr ds:[edx] ;API Name 长度
003790F4 0BC0 or eax,eax
; 不等于0 表示 API Name 长度, 到 003792C1
003790F6 0F85 C5010000 jnz 003792C1
; 等于0, 表示后4 byte 是函数序号, 到 003790FC
003790FC 42 inc edx
003790FD 52 push edx
003792C1 42 inc edx
003792C2 52 push edx
003792C3 60 pushad
003792C4 8BF2 mov esi,edx
003792C6 8DBD A2464100 lea edi,dword ptr ss:[ebp+4146A2];地址=0038584F, (ASCII
"StartServiceA")
edi=00743270 (main.00743270)
; Decodes the API name for the non-redirected import path.
; esi = encoded name (copied from edx just above), edi = output buffer at ebp+4146A2.
; Each encoded byte b is written out as not(rol(b, 3)); an encoded zero byte ends the string.
0037941B 33C0 xor eax,eax
; eax is cleared first so that the "or eax,eax" test below depends on al alone.
0037941D AC lods byte ptr ds:[esi]
0037941E EB 07 jmp short 00379427
00379420 C0C0 03 rol al,3
00379423 F6D0 not al
00379425 AA stos byte ptr es:[edi]
00379426 AC lods byte ptr ds:[esi]
00379427 0BC0 or eax,eax
00379429 ^ 75 F5 jnz short 00379420
; al is zero here, so this store writes the terminating NUL of the decoded name.
0037942B AA stos byte ptr es:[edi]
0037942C 9C pushfd
; decrypt the API name
00379443 61 popad
00379444 8D95 A2464100 lea edx,dword ptr ss:[ebp+4146A2] ;地址=0038584F, (ASCII
"RegQueryValueExA"), edx=00385FC1
00379599 52 push edx
0037959A 56 push esi
003795A4 8D85 21844000 lea eax,dword ptr ss:[ebp+408421];地址=003795CE
003795AE 50 push eax
003795BB 8B85 30414100 mov eax,dword ptr ss:[ebp+414130];ss:[003852DD]=00384FB0
003795C7 /E9 4EB20000 jmp 0038481A
003795CE E8 0ABB0000 call 003850DD ;;检查 cc断点
-----------------------
; Software-breakpoint check on a freshly resolved API address.
; In:  eax = address of the resolved API (the debugger annotation shows ADVAPI32.RegQueryValueExA).
; Out: returns normally with esi/ecx/eax restored when no 0xCC is found; otherwise jumps to 00385F7B.
; Only the first byte is examined because ecx is set to 1 before the scan loop.
003850DD 56 push esi ; ADVAPI32.77DA0000
003850DE 51 push ecx ;ecx=3
003850DF 50 push eax ;eax=77DA23D7 ADVAPI32.RegQueryValueExA
003850E0 8BF0 mov esi,eax
003850E2 B9 01000000 mov ecx,1
003850E7 AC lods byte ptr ds:[esi]
; 0xCC is the one-byte INT3 opcode that debuggers write at an address to set a software breakpoint.
003850E8 3C CC cmp al,0CC
003850EA 75 08 jnz short 003850F4
; Breakpoint detected: rebalance the stack, then leave through the detection path.
003850EC 58 pop eax
003850ED 59 pop ecx
003850EE 5E pop esi
; NOTE(review): the code at 00385F7B is not shown in this excerpt - confirm what it does.
003850EF E9 870E0000 jmp 00385F7B
003850F4 ^ E2 F1 loopd short 003850E7
; Clean path: restore the saved registers and return to the caller.
003850F6 58 pop eax
003850F7 59 pop ecx
003850F8 5E pop esi
003850F9 C3 retn
--------------------------
00379722 8907 mov dword ptr ds:[edi],eax ; 存放iat地址
eax=77DA23D7 (ADVAPI32.RegQueryValueExA)
ds:[00743270]=00000000
00379724 5A pop edx
00379725 0FB642 FF movzx eax,byte ptr ds:[edx-1];; DLL 名字字符长度, 跳过
00379729 03D0 add edx,eax
0037972B 42 inc edx
0037972C 59 pop ecx ;3个函数
0037972D 49 dec ecx ;2
0037972E ^ 0F85 B1F9FFFF jnz 003790E5
00379734 E9 11420000 jmp 0037D94A
;上面是不要加密的api,下面是需要加密的api
00379739 8BCF mov ecx,edi ;edi=8000001A
; 8X XX XX XX 是重定向的标志, 两种字符加密方式也不一样
0037973B 81E1 FFFFFF7F and ecx,7FFFFFFF
00379741 51 push ecx ; ; DLL 对应的 API 个数
00379742 52 push edx
00379892 C1E1 05 shl ecx,5 ; ; 每个 API HOOK 32 字节空间
00379895 6A 04 push 4
00379897 68 00100000 push 1000
0037989C 51 push ecx
0037989D 6A 00 push 0
003798A8 8D85 24874000 lea eax,dword ptr ss:[ebp+408724] ;返回地址=003798D1
003798B2 50 push eax
003798BF 8B85 44414100 mov eax,dword ptr ss:[ebp+414144] ; kernel32.VirtualAlloc
003798CB /E9 4AAF0000 jmp 0038481A
003798D1 8985 9C414100 mov dword ptr ss:[ebp+41419C],eax ;eax=00D20000
ss:[00385349]=00000000
003798D7 5A pop edx
003798D8 59 pop ecx
------------------------------------------------
在00379A29设f2断点,第一次中断时eax=e50000,ecx=1a,代表wsock32.dll,共1a个函数;第二次中断时
eax=e70000,ecx=96,代表kernel32.dll,共96个函数;第三次中断时eax=e80000,ecx=b0,代表user32.dll
,共b0个函数;壳程序只对kernel32.dll和user32.dll进行了乱序处理,因此我们修改一下程序,找个连
续空间,让他有序排列,并建立一个call修改表,研究过Armadillo乱序的人,应该知道Armadillo有一个
乱序跳转表,这个程序也类似,我个人认为处理iat乱序不难,难的是找到其中的22个特别函数。
---------------------------------------------------
00379A29 8BD8 mov ebx,eax ;eax=00e70000
在这里设个f2断点,当eax=00e70000 时,取消断点,对这段代码进行修改,转到下面####处
00379A2B EB 1D jmp short 00379A4A
00379A2D 8B3A mov edi,dword ptr ds:[edx] ;ds:[00386C5B]=00343858
00379A2F 03BD 4C414100 add edi,dword ptr ss:[ebp+41414C] ss:[003852F9]=00400000
00379A35 891F mov dword ptr ds:[edi],ebx ;;存放iat地址
00379A37 83C3 20 add ebx,20
00379A3A 0FB642 04 movzx eax,byte ptr ds:[edx+4] ;name长度
00379A3E 0AC0 or al,al
00379A40 75 02 jnz short 00379A44
00379A42 04 04 add al,4
00379A44 03D0 add edx,eax
00379A46 83C2 06 add edx,6 地址长度+两个字节=6
00379A49 49 dec ecx
00379A4A 0BC9 or ecx,ecx
00379A4C ^ 75 DF jnz short 00379A2D
############-改为:##############
说明:******处为修改的代码
00379A29 8BD8 mov ebx,eax
00379A2B EB 30 jmp short 00379A5D ******
00379A2D 8B3A mov edi,dword ptr ds:[edx]
00379A2F 03BD 4C414100 add edi,dword ptr ss:[ebp+41414C]
00379A35 EB 19 jmp short 00379A50 ******
00379A37 83C3 20 add ebx,20
00379A3A 0FB642 04 movzx eax,byte ptr ds:[edx+4]
00379A3E 0AC0 or al,al
00379A40 75 02 jnz short 00379A44
00379A42 04 04 add al,4
00379A44 03D0 add edx,eax
00379A46 83C2 06 add edx,6
00379A49 49 dec ecx
00379A4A 0BC9 or ecx,ecx
00379A4C ^ 75 DF jnz short 00379A2D
00379A4E EB 2B jmp short 00379A7B ******在这里设个f2断点,再f9运行
00379A50 89BE 00000100 mov dword ptr ds:[esi+10000],edi ;007535B8是乱序对照表的
位置,自己设定
00379A56 891E mov dword ptr ds:[esi],ebx ******
00379A58 83C6 04 add esi,4 ******
00379A5B ^ EB DA jmp short 00379A37 ******
00379A5D BE 14307400 mov esi,743014 第二次是 kernel32.dll ,存入743014
,743014这个位置确定原则就是在iat附近找个连续空白空间
00379A62 ^ EB E6 jmp short 00379A4A ******
00379A64 90 nop
8B D8 EB 30 8B 3A 03 BD 4C 41 41 00 EB 19 83 C3 20 0F B6 42 04 0A C0 75 02 04 04 03 D0 83 C2
06
49 0B C9 75 DF EB 2B 89 BE 00 00 01 00 89 1E 83 C6 04 EB DA BE 14 30 74 00 EB E6
00379A5D BE 8C357400 mov esi,74358C /// 第三次是 user32.dll,换个地址存入 74358C
######################################
最后中断在00379a4e后,恢复所有的修改,用脚本继续运行。
00379A7B 61 popad
00379A7C 8BF8 mov edi,eax ;eax=00D20000
00379A7E 57 push edi
00379A7F 51 push ecx ;1a
00379F10 0BC9 or ecx,ecx
00379F12 ^ 0F85 6DFBFFFF jnz 00379A85
00379A85 8D47 1C lea eax,dword ptr ds:[edi+1C]
00379AB5 66:C707 FF35 mov word ptr ds:[edi],35FF
00379C09 C747 06 81342400 mov dword ptr ds:[edi+6],243481
00379D5F 8947 02 mov dword ptr ds:[edi+2],eax
00379D8F C647 0D C3 mov byte ptr ds:[edi+D],0C3
00379D93 52 push edx
00379D94 0F31 rdtsc ; ; 随机数
00379D96 32E0 xor ah,al
00379D98 C1C8 08 ror eax,8
00379D9B 02E0 add ah,al
00379DB4 C1C8 08 ror eax,8
00379DB7 32E0 xor ah,al
00379F08 8947 09 mov dword ptr ds:[edi+9],eax
00379F0B 5A pop edx
00379F0C 83C7 20 add edi,20 ; 20h 字节
00379F0F 49 dec ecx
00379F10 0BC9 or ecx,ecx
00379F12 ^ 0F85 6DFBFFFF jnz 00379A85 ; 下一个
00379F18 59 pop ecx
00379F19 5F pop edi ;0d20000
00379F1A 83C2 04 add edx,4 ;edx=00386C5B ##下一个 API ##
00379F1D 51 push ecx ; 开始处理每一个 API
00379F1E 0FB602 movzx eax,byte ptr ds:[edx]
; 不等于0 表示 API Name 长度, 到 0037A918
00379F21 0BC0 or eax,eax
; 等于0, 表示后4 byte 是函数序号, 到 00379F29
00379F23 0F85 EF090000 jnz 0037A918
00379F29 42 inc edx
0037A918 42 inc edx ; ; 函数名字的处理
0037A919 52 push edx
0037A920 8BF2 mov esi,edx
0037A927 8DBD A2464100 lea edi,dword ptr ss:[ebp+4146A2] ;地址=0038584F, (ASCII
"GetOpenFileNameA")
0037AA81 33C0 xor eax,eax
0037AA88 0FB64E FF movzx ecx,byte ptr ds:[esi-1]
; Stack-resident decoder for API names on the redirected import path (runs at 0012FF68).
; In:  esi = encoded name, edi = output buffer, ecx = byte count (loaded from [esi-1] by the caller).
; Each encoded byte b is written out as not(rol((b xor 0x79) - 0x55, 3)); a NUL is appended at the end.
; This differs from the non-redirected path, which applies only rol 3 followed by not.
; NOTE(review): the loop decrements before testing, so it presumably relies on ecx >= 1 - confirm.
0012FF68 50 push eax
0012FF69 AC lods byte ptr ds:[esi]
0012FF6A 34 79 xor al,79
0012FF6C 2C 55 sub al,55
0012FF6E C0C0 03 rol al,3
0012FF71 F6D0 not al
0012FF73 AA stos byte ptr es:[edi]
; eax is cleared after every store so that al is zero when the loop falls through to the terminator write.
0012FF74 31C0 xor eax,eax
0012FF76 49 dec ecx
0012FF77 ^ 75 F0 jnz short 0012FF69
0012FF79 AA stos byte ptr es:[edi]
; The caller's eax is restored before returning.
0012FF7A 58 pop eax
0012FF7B C3 retn
0037ABDC 8D95 A2464100 lea edx,dword ptr ss:[ebp+4146A2]; 38584f ( Name 解密完毕)
0037ABE2 8B0424 mov eax,dword ptr ss:[esp] ;386c60
0037ABE5 0FB640 FF movzx eax,byte ptr ds:[eax-1]
0037ABE9 83F8 04 cmp eax,4
0037ABEC 0F85 0A240000 jnz 0037CFFC
0037ABF2 /EB 2A jmp short 0037AC1E
0037ABFA 8B85 B0454100 mov eax,dword ptr ss:[ebp+4145B0] ;;ss:[0038575D]=928A22C7
eax=00000004
0037AC2A 3B02 cmp eax,dword ptr ds:[edx] ---比较特殊函数
0037AC56 /0F85 88000000 jnz 0037ACE4
0037AC86 8D85 9C264100 lea eax,dword ptr ss:[ebp+41269C]
0037ACB6 /E9 89280000 jmp 0037D544
0037ACE4 /EB 49 jmp short 0037AD2F
0037AD0D 8B85 BC454100 mov eax,dword ptr ss:[ebp+4145BC]
0037AD3A 3B02 cmp eax,dword ptr ds:[edx]
0037AD67 /0F85 88000000 jnz 0037ADF5
0037D028 52 push edx
0037D052 56 push esi
0037D086 8D85 02BF4000 lea eax,dword ptr ss:[ebp+40BF02] ;37d0af
0037D090 50 push eax
0037D09D 8B85 30414100 mov eax,dword ptr ss:[ebp+414130]
0037D0A9 /E9 6C770000 jmp 0038481A
0037D0AF /EB 4B jmp short 0037D0FC
0037D0D8 8B9D 6D4A4100 mov ebx,dword ptr ss:[ebp+414A6D] ;[385c1a]=00cf0000
0037D108 039D 714A4100 add ebx,dword ptr ss:[ebp+414A71] [385c1e]=0
0037D139 53 push ebx
0037D165 6A 00 push 0
0037D191 50 push eax
0037D1BC 53 push ebx
0037D1E7 E8 94770000 call 00384980
0037D216 2B85 6D4A4100 sub eax,dword ptr ss:[ebp+414A6D] ; 这个 API 占用的空间 (包括
花指令) ss:[00385C1A]=00CF0000
eax=00CF0012
0037D250 8BC8 mov ecx,eax
0037D247 870C24 xchg dword ptr ss:[esp],ecx
0037D255 8F85 714A4100 pop dword ptr ss:[ebp+414A71]
0037D25B 60 pushad
0037D25C 3D C01F0000 cmp eax,1FC0
0037D261 0F86 8A010000 jbe 0037D3F1 ;; 空间还够不够
0037D267 6A 04 push 4
0037D269 68 00100000 push 1000
0037D26E 68 00200000 push 2000
0037D273 6A 00 push 0
0037D275 8D85 37C24000 lea eax,dword ptr ss:[ebp+40C237]
0037D27B 50 push eax
0037D27C 8B85 44414100 mov eax,dword ptr ss:[ebp+414144]
0037D282 E9 93750000 jmp 0038481A
0037D541 5B pop ebx
0037D542 8BC3 mov eax,ebx
0037D544 3347 09 xor eax,dword ptr ds:[edi+9]
0037D696 8947 1C mov dword ptr ds:[edi+1C],eax
0037D699 5A pop edx ; 00386C70
0037D7E9 0FB642 FF movzx eax,byte ptr ds:[edx-1]
0037D7ED 03D0 add edx,eax
0037D7EF 42 inc edx
0037D7F0 83C7 20 add edi,20
0037D942 59 pop ecx
0037D943 49 dec ecx
0037D944 ^ 0F85 D0C5FFFF jnz 00379F1A ; 下一个 API
0037D94A ^ E9 AEB0FFFF jmp 003789FD ; 下一个 DLL
-----------iat处理完毕-----------
6. ZwQueryInformationProcess 检查调试器
0037DC88 0BC0 or eax,eax
0037DC8A 0F84 17080000 je 0037E4A7 ---ZwQueryInformationProcess
0037DC90 8BF8 mov edi,eax
7、又两个重要的seh。
第一个seh,旧版的程序利用下面这段代码计算一个数值,用于解密。
----------------------------------
00381E58 8B4424 EC mov eax,dword ptr ss:[esp-14]
00381E5C 2B85 4C414100 sub eax,dword ptr ss:[ebp+41414C]
00381E62 8985 C0414100 mov dword ptr ss:[ebp+4141C0],eax
00381E68 8B6C24 E8 mov ebp,dword ptr ss:[esp-18]
00381E6C 8B85 68414100 mov eax,dword ptr ss:[ebp+414168]
00381E72 0BC0 or eax,eax
00381E74 74 0F je short 00381E85
00381E76 0385 4C414100 add eax,dword ptr ss:[ebp+41414C]
00381E7C 8D8D DC1E4100 lea ecx,dword ptr ss:[ebp+411EDC]
00381E82 8948 02 mov dword ptr ds:[eax+2],ecx
00381E85 8B85 94414100 mov eax,dword ptr ss:[ebp+414194]
00381E8B E8 48000000 call 00381ED8 ----------跳到seh
00381E90 8B4C24 0C mov ecx,dword ptr ss:[esp+C] ----seh处理代码开始
00381E94 FF81 B8000000 inc dword ptr ds:[ecx+B8]
00381E9A 33C0 xor eax,eax
00381E9C 3341 04 xor eax,dword ptr ds:[ecx+4]
00381E9F 0341 08 add eax,dword ptr ds:[ecx+8]
00381EA2 3341 0C xor eax,dword ptr ds:[ecx+C]
00381EA5 0341 10 add eax,dword ptr ds:[ecx+10]
00381EA8 0181 B0000000 add dword ptr ds:[ecx+B0],eax
00381EAE 60 pushad
00381EAF 8D71 04 lea esi,dword ptr ds:[ecx+4]
00381EB2 8BA9 B4000000 mov ebp,dword ptr ds:[ecx+B4]
00381EB8 8DBD 894A4100 lea edi,dword ptr ss:[ebp+414A89]
00381EBE 81C7 08010000 add edi,108
00381EC4 B9 06000000 mov ecx,6
00381EC9 83BD 5C414100 00 cmp dword ptr ss:[ebp+41415C],0
00381ED0 75 02 jnz short 00381ED4
00381ED2 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[e>
00381ED4 61 popad
00381ED5 33C0 xor eax,eax
00381ED7 C3 retn---------------seh处理代码结束
00381ED8 33C9 xor ecx,ecx
00381EDA 64:FF31 push dword ptr fs:[ecx]
00381EDD 64:8921 mov dword ptr fs:[ecx],esp
00381EE0 CC int3
00381EE1 90 nop
00381EE2 64:8F01 pop dword ptr fs:[ecx]
00381EE5 83C4 04 add esp,4
00381EE8 8985 94414100 mov dword ptr ss:[ebp+414194],eax ;eax=0752BD76
ss:[00385341]=0752BD76 。----- 最后得到的数据存入这里-----
00381EEE 8B85 5C414100 mov eax,dword ptr ss:[ebp+41415C]
----------------------------------------------------------------
第二个seh,主要是为了反跟踪。
00382613 8BB5 5D494100 mov esi,dword ptr ss:[ebp+41495D]
00382619 03B5 4C414100 add esi,dword ptr ss:[ebp+41414C]
0038261F 8B8D 61494100 mov ecx,dword ptr ss:[ebp+414961]
00382625 E8 5F050000 call 00382B89 -----------》 ;计算校验和
0038262A 8985 64414100 mov dword ptr ss:[ebp+414164],eax
***************************
这段代码对每次seh返回的地址进行保存,一共7、8次,每个程序不一样
00382630 8BC5 mov eax,ebp
00382632 8DB5 894A4100 lea esi,dword ptr ss:[ebp+414A89]
00382638 0146 04 add dword ptr ds:[esi+4],eax
0038263B 0146 08 add dword ptr ds:[esi+8],eax
0038263E 83C6 20 add esi,20
00382641 0146 04 add dword ptr ds:[esi+4],eax
00382644 83C6 20 add esi,20
00382647 0146 04 add dword ptr ds:[esi+4],eax
0038264A 0146 08 add dword ptr ds:[esi+8],eax
0038264D 83C6 20 add esi,20
00382650 0146 04 add dword ptr ds:[esi+4],eax
00382653 83C6 20 add esi,20
00382656 0146 04 add dword ptr ds:[esi+4],eax
00382659 83C6 20 add esi,20
0038265C 0146 04 add dword ptr ds:[esi+4],eax
0038265F 83C6 20 add esi,20
00382662 0146 04 add dword ptr ds:[esi+4],eax
00382665 83C6 20 add esi,20
00382668 0146 04 add dword ptr ds:[esi+4],eax
0038266B 8DB5 854A4100 lea esi,dword ptr ss:[ebp+414A85]
00382671 0106 add dword ptr ds:[esi],eax
00382673 8D85 A94B4100 lea eax,dword ptr ss:[ebp+414BA9]
*****************************
003827C9 64:FF35 00000000 push dword ptr fs:[0]
003827D0 64:8925 00000000 mov dword ptr fs:[0],esp
003827D7 33C0 xor eax,eax
003827D9 8B00 mov eax,dword ptr ds:[eax]
003827DB 90 nop
003827DC 90 nop
003827DD CC int3
003827DE ^ EB FB jmp short 003827DB
003827E0 50 push eax
003827E1 60 pushad
003827E2 E8 00000000 call 003827E7
;最后一次从SEH函数返回时,到这里
0037D288 64:8F05 00000000 pop dword ptr fs:[0] 断在这 ; 0012FFE0
0037D28F 58 pop eax
7、对mainform的处理=================================
00380ADD 8B1E mov ebx,dword ptr ds:[esi] //ds:[00389636]=0017CB48
00380AE4 039D 4C414100 add ebx,dword ptr ss:[ebp+41414C] ; main.00400000
0012FF94 31C9 xor ecx,ecx
0012FF96 890E mov dword ptr ds:[esi],ecx
0012FF98 83C6 04 add esi,4
0012FF9B 8933 mov dword ptr ds:[ebx],esi //esi=0038963A
ds:[0057CB48]=00000000
;我们要做的是把0038963A,复制到57e283。
再把ESI这个指针给替换掉
;ESI=57e283
;DS:[0057CB48]=00000000
0012FF9D 0FB70E movzx ecx,word ptr ds:[esi]
0012FFA0 46 inc esi
0012FFA1 46 inc esi
0012FFA2 C3 retn
=================================
8、ZwSetInformationThread的检查。
程序在初始化时,会用ZwSetInformationThread进行检查。
=================================
007ECCFE 50 push eax ;
ntdll.ZwSetInformationThread
007ECCFF 8B4424 04 mov eax,dword ptr ss:[esp+4]
007ECD03 EB 04 jmp short dumped_.007ECD09
007ECD05 8030 FF xor byte ptr ds:[eax],0FF
007ECD08 40 inc eax
007ECD09 8038 00 cmp byte ptr ds:[eax],0
007ECD0C ^ 75 F7 jnz short dumped_.007ECD05
007ECD0E 58 pop eax
007ECD67 8BF8 mov edi,eax
007ECD93 6A 00 push 0
007ECDBF 6A 00 push 0
007ECDEB 6A 11 push 11
007ECE15 6A FE push -2 --------改为push 0
007ECE42 FFD7 call edi -------ntdll.ZwSetInformationThread
下面是几处被修改的代码:
007ECCCF FF93 9E1D4000 call dword ptr ds:[ebx+401D9E] ds:[007EC08D]=015039AF
---------》改为[007EC08D]=77e5a5fd
004D6C75 25 30417600 and eax,764130 改为
////004D6C75 25 FF000000 and eax,0FF//
=================================
9。到达入口点处,写代码进行修改。
0038AEB4 55 push ebp ---------oep处
0038AEB5 EB 00 jmp short 0038AEB7
0038AEB7 54 push esp
0038AEB8 5D pop ebp
0038AEB9 EB 00 jmp short 0038AEBB
0038AEBB 54 push esp
0038AEBC 830424 F0 add dword ptr ss:[esp],-10
0038AEC0 5C pop esp
0038AEC1 EB 03 jmp short 0038AEC6
0038AEC3 08DC or ah,bl
0038AEC5 5A pop edx
0038AEC6 68 38F35900 push 59F338
0038AECB 58 pop eax
0038AECC EB 03 jmp short 0038AED1
一共写了三段代码。
第一段是把输入表中的壳代码换成函数地址。
; Author's first fix-up routine: replaces the packer stub pointers in the rebuilt import table
; with the values they resolve to. Registers and flags are saved on entry and restored on exit.
; The table bounds (743014..7439D4) and both address thresholds below are hard-coded for this one
; process layout; they are not general constants.
0038AEB4 60 pushad
0038AEB5 9C pushfd
0038AEB6 BE 14307400 mov esi,743014 --- 输入表开始地址
0038AEBB 81FE D4397400 cmp esi,7439D4 --- 输入表结束地址
0038AEC1 73 2A jnb short 0038AEED
0038AEC3 8B1E mov ebx,dword ptr ds:[esi]
; Zero slots are skipped, as are values at or above 0x0C000000.
; NOTE(review): the second test presumably treats such values as addresses that are already resolved - confirm.
0038AEC5 83FB 00 cmp ebx,0
0038AEC8 74 1E je short 0038AEE8
0038AECA 81FB 0000000C cmp ebx,0C000000
0038AED0 73 16 jnb short 0038AEE8
; ebx points at a 0x20-byte packer stub. The packer stores (target xor [stub+9]) at [stub+1C]
; (see 0037D544 / 0037D696), so xoring the two fields recovers the target.
0038AED2 8B43 1C mov eax,dword ptr ds:[ebx+1C]
0038AED5 3343 09 xor eax,dword ptr ds:[ebx+9]
; Unsigned compare: values up to 0xA00000 are stored as they are (the author's "special function"
; case); larger values are treated as a pointer to a copied entry whose operand at +1 is read.
; NOTE(review): reading [eax+1] presumably relies on the "68 imm32 C3" (push imm32 / retn) form
; that the packer writes at 00384D6C - confirm.
0038AED8 3D 0000A000 cmp eax,0A00000 ---比较特殊函数
0038AEDD 77 04 ja short 0038AEE3
0038AEDF 8906 mov dword ptr ds:[esi],eax ----把特殊函数的壳地址存入
0038AEE1 EB 05 jmp short 0038AEE8
0038AEE3 8B40 01 mov eax,dword ptr ds:[eax+1]
0038AEE6 8906 mov dword ptr ds:[esi],eax
; Advance to the next dword slot of the table.
0038AEE8 83C6 04 add esi,4
0038AEEB ^ EB CE jmp short 0038AEBB
0038AEED 9D popfd
0038AEEE 61 popad
处理完后就可以用ImportREC 1.6F提取iat了,提取出来后先保存。还有特殊函数需要处理。
60 9C BE 14 30 74 00 81 FE D4 39 74 00 73 2A 8B 1E 83 FB 00 74 1E 81 FB 00 00 00 0C 73 16 8B
43
1C 33 43 09 3D 00 00 A0 00 77 04 89 06 EB 05 8B 40 01 89 06 83 C6 04 EB CE 9D 61
第二段是把代码段中乱序call iat,改为我们所希望的地址。
; Author's second fix-up routine: retargets indirect jumps (FF 25 = jmp dword ptr [imm32]) in
; 401000..600000 from the scrambled import slots to the ordered table built earlier.
; The lookup table at 753014 holds the original slot addresses; each entry sits exactly 0x10000
; above its slot in the ordered table (the patched packer loop stores them with [esi+10000]).
; NOTE(review): the scan matches raw bytes in 2-byte steps from an even start address, so it is not
; instruction-aware: an FF 25 pair at an odd address is missed, and a matching pair inside data or
; an operand is rewritten whenever its next four bytes equal a table entry - confirm this is
; acceptable for the target.
0038AEB4 60 pushad
0038AEB5 9C pushfd
0038AEB6 BE 00104000 mov esi,401000
0038AEBB 81FE 00006000 cmp esi,600000
0038AEC1 73 30 jnb short 0038AEF3
0038AEC3 66:8B06 mov ax,word ptr ds:[esi]
0038AEC6 3C FF cmp al,0FF
0038AEC8 75 24 jnz short 0038AEEE
0038AECA 80FC 25 cmp ah,25
0038AECD 75 1F jnz short 0038AEEE
; ebx = the 32-bit memory operand of the candidate jmp.
0038AECF 8B5E 02 mov ebx,dword ptr ds:[esi+2]
0038AED2 BF 14307500 mov edi,753014 ---iat乱序对照表开始地址
; Linear search of the table; the walk stops at an entry equal to -1.
; NOTE(review): the page does not show where that -1 terminator is written; if it is missing the
; search runs past the end of the table - confirm the table is terminated before running this.
0038AED7 3B1F cmp ebx,dword ptr ds:[edi]
0038AED9 74 0A je short 0038AEE5
0038AEDB 83C7 04 add edi,4
0038AEDE 833F FF cmp dword ptr ds:[edi],-1
0038AEE1 74 0B je short 0038AEEE
0038AEE3 ^ EB F2 jmp short 0038AED7
; Match: edi+FFFF0000 is edi-0x10000, the address of the corresponding ordered slot.
0038AEE5 8D8F 0000FFFF lea ecx,dword ptr ds:[edi+FFFF0000]
0038AEEB 894E 02 mov dword ptr ds:[esi+2],ecx
0038AEEE 83C6 02 add esi,2
0038AEF1 ^ EB C8 jmp short 0038AEBB
0038AEF3 9D popfd
0038AEF4 61 popad
60 9C BE 00 10 40 00 81 FE 00 00 60 00 73 30 66 8B 06 3C FF 75 24 80 FC 25 75 1F 8B 5E 02 BF
14
30 75 00 3B 1F 74 0A 83 C7 04 83 3F FF 74 0B EB F2 8D 8F 00 00 FF FF 89 4E 02 83 C6 02 EB C8
9D
61
第三段是对代码段中call到400000-401000的代码进行修改,这段代码害得我死了n次,还是水平太菜。
; Author's third fix-up routine: for every E8 (call rel32) in 401000..600000 whose target lies in
; [400000, 401000), follow the rel32 found at that target and rewrite the call to go there directly.
; NOTE(review): the scan tests every byte for E8 without disassembling, so an E8 inside an operand
; or data is also a candidate; only the target-range filter limits which matches are rewritten.
0038AEB4 60 pushad
0038AEB5 9C pushfd
0038AEB6 BE 00104000 mov esi,401000
0038AEBB 81FE 00006000 cmp esi,600000
0038AEC1 73 33 jnb short 0038AEF6
0038AEC3 8A06 mov al,byte ptr ds:[esi]
0038AEC5 3C E8 cmp al,0E8
0038AEC7 75 28 jnz short 0038AEF1
; ebx = call target = esi + 5 + rel32.
0038AEC9 8B5E 01 mov ebx,dword ptr ds:[esi+1]
0038AECC 83C3 05 add ebx,5
0038AECF 03DE add ebx,esi
; Keep only targets with 400000 <= ebx < 401000.
0038AED1 81FB 00104000 cmp ebx,401000
0038AED7 73 18 jnb short 0038AEF1
0038AED9 81FB 00004000 cmp ebx,400000 ; ASCII "MZP"
; NOTE(review): the byte column on the next line reads 73 10, but the mnemonic is jb and the raw
; byte dump printed after this listing has 72 10. 72 is the JB opcode and 73 is JNB, so the byte
; column looks like a typo; with 73 the range filter would be inverted.
0038AEDF 73 10 jb short 0038AEF1
; The instruction at the target is read as a 5-byte rel32 transfer; its destination is ebx + 5 + [ebx+1].
; NOTE(review): the opcode byte at ebx is never checked before [ebx+1] is used - confirm.
0038AEE1 8B43 01 mov eax,dword ptr ds:[ebx+1]
0038AEE4 83C3 05 add ebx,5
0038AEE7 03C3 add eax,ebx
; New rel32 for the call at esi = destination - (esi + 5).
0038AEE9 2BC6 sub eax,esi
0038AEEB 83E8 05 sub eax,5
0038AEEE 8946 01 mov dword ptr ds:[esi+1],eax
0038AEF1 83C6 01 add esi,1
0038AEF4 ^ EB C5 jmp short 0038AEBB
0038AEF6 9D popfd
0038AEF7 61 popad
60 9C BE 00 10 40 00 81 FE 00 00 60 00 73 33 8A 06 3C E8 75 28 8B 5E 01 83 C3 05 03 DE 81 FB
00
10 40 00 73 18 81 FB 00 00 40 00 72 10 8B 43 01 83 C3 05 03 C3 2B C6 83 E8 05 89 46 01 83 C6
01
EB C5 9D 61
10、特殊函数的处理代码,我猜想应该有点通用性吧。
0038403E 83F8 01 cmp eax,1 //第一个 77D3B406=user32.DialogBoxIndirectParamA
00384041 75 4C jnz short 0038408F
00384043 60 pushad
00384044 E8 00000000 call 00384049
00384049 5D pop ebp
0038404A 81ED 9C2E4100 sub ebp,412E9C
00384050 8BD4 mov edx,esp
00384052 8B5A 24 mov ebx,dword ptr ds:[edx+24]
00384055 8B42 34 mov eax,dword ptr ds:[edx+34]
00384058 50 push eax
00384059 8B42 30 mov eax,dword ptr ds:[edx+30]
0038405C 50 push eax
0038405D 8B42 2C mov eax,dword ptr ds:[edx+2C]
00384060 50 push eax
00384061 6A 05 push 5
00384063 8B42 28 mov eax,dword ptr ds:[edx+28]
00384066 50 push eax
00384067 53 push ebx
00384068 FF95 FD424100 call dword ptr ss:[ebp+4142FD]
0038406E 50 push eax
0038406F 53 push ebx
00384070 FF95 99434100 call dword ptr ss:[ebp+414399]
00384076 50 push eax
00384077 53 push ebx
00384078 FF95 00424100 call dword ptr ss:[ebp+414200]
0038407E 61 popad
0038407F 83C4 18 add esp,18
00384082 FF6424 E8 jmp dword ptr ss:[esp-18]
00384086 EB 02 jmp short 0038408A
00384088 0FCD bswap ebp
0038408A E9 8B070000 jmp 0038481A
0038408F 83F8 02 cmp eax,2 //第二个 好像没什么东西
00384092 75 1A jnz short 003840AE
00384094 CC int3
00384095 C3 retn
00384096 E8 03000000 call 0038409E
0038409B C78400 58EB01E9 83C>mov dword ptr ds:[eax+eax+E901EB58],5>
003840A6 C3 retn
003840A7 FF35 E96C0700 push dword ptr ds:[76CE9]
003840AD 90 nop
003840AE 83F8 03 cmp eax,3 //第三个 没有用到
003840B1 75 25 jnz short 003840D8
003840B3 E9 7A110000 jmp 00385232
003840B8 EB 01 jmp short 003840BB
003840BA 0F68C2 punpckhbw mm0,mm2
003840BD 1000 adc byte ptr ds:[eax],al
003840BF 00E8 add al,ch
003840C1 0100 add dword ptr ds:[eax],eax
003840C3 0000 add byte ptr ds:[eax],al
003840C5 - E9 6824080E jmp 0E406532
003840CA 68 68909083 push 83909068
003840CF 44 inc esp
003840D0 FFE4 jmp esp
003840D2 E8 E9420700 call 003F83C0
003840D7 90 nop
003840D8 83F8 04 cmp eax,4 //第四个 77E55CB5=kernel32.ExitProcess
003840DB 75 38 jnz short 00384115
003840DD E8 00000000 call 003840E2
003840E2 5D pop ebp
003840E3 81ED 352F4100 sub ebp,412F35 ; ASCII "0A"
003840E9 FFB5 ED484100 push dword ptr ss:[ebp+4148ED]
003840EF FF95 25444100 call dword ptr ss:[ebp+414425]
003840F5 FFB5 DD484100 push dword ptr ss:[ebp+4148DD]
003840FB FF95 96424100 call dword ptr ss:[ebp+414296]
00384101 832424 00 and dword ptr ss:[esp],0
00384105 FFA5 F0424100 jmp dword ptr ss:[ebp+4142F0]
0038410B EB 03 jmp short 00384110
0038410D CD20 B6E90507 vxdjump 705E9B6
00384113 0000 add byte ptr ds:[eax],al
00384115 83F8 05 cmp eax,5 //第五个 41eb1d=<jmp.&kernel32.LockResource>
00384118 75 15 jnz short 0038412F
0038411A 8B4424 04 mov eax,dword ptr ss:[esp+4]
0038411E 83C4 08 add esp,8
00384121 FF6424 F8 jmp dword ptr ss:[esp-8]
00384125 EB 03 jmp short 0038412A
00384127 90 nop
00384128 90 nop
00384129 90 nop
0038412A E9 EB060000 jmp 0038481A
0038412F 83F8 06 cmp eax,6 //第六个
456fa200407424=<jmp.&kernel32.GetProcAddress>
00384132 0F85 95020000 jnz 003843CD
00384138 50 push eax
00384139 60 pushad
0038413A E8 00000000 call 0038413F
0038413F 5D pop ebp
00384140 81ED 922F4100 sub ebp,412F92
00384146 8B4424 28 mov eax,dword ptr ss:[esp+28]
0038414A 3D 78787878 cmp eax,78787878
0038414F 0F85 44010000 jnz 00384299
00384155 8B7424 2C mov esi,dword ptr ss:[esp+2C]
00384159 83FE 01 cmp esi,1
0038415C 75 0F jnz short 0038416D
0038415E 8D85 011A4100 lea eax,dword ptr ss:[ebp+411A01]
00384164 894424 20 mov dword ptr ss:[esp+20],eax
00384168 E9 22010000 jmp 0038428F
0038416D 83FE 02 cmp esi,2
00384170 75 0F jnz short 00384181
00384172 8D85 101A4100 lea eax,dword ptr ss:[ebp+411A10]
00384178 894424 20 mov dword ptr ss:[esp+20],eax
0038417C E9 0E010000 jmp 0038428F
00384181 83FE 03 cmp esi,3
00384184 75 0F jnz short 00384195
00384186 8D85 1E1C4100 lea eax,dword ptr ss:[ebp+411C1E]
0038418C 894424 20 mov dword ptr ss:[esp+20],eax
00384190 E9 FA000000 jmp 0038428F
00384195 83FE 04 cmp esi,4
00384198 75 0F jnz short 003841A9
0038419A 8D85 6B1C4100 lea eax,dword ptr ss:[ebp+411C6B]
003841A0 894424 20 mov dword ptr ss:[esp+20],eax
003841A4 E9 E6000000 jmp 0038428F
003841A9 83FE 05 cmp esi,5
003841AC 75 0F jnz short 003841BD
003841AE 8D85 2E1D4100 lea eax,dword ptr ss:[ebp+411D2E]
003841B4 894424 20 mov dword ptr ss:[esp+20],eax
003841B8 E9 D2000000 jmp 0038428F
003841BD 83FE 06 cmp esi,6
003841C0 75 0F jnz short 003841D1
003841C2 8D85 BE1D4100 lea eax,dword ptr ss:[ebp+411DBE]
003841C8 894424 20 mov dword ptr ss:[esp+20],eax
003841CC E9 BE000000 jmp 0038428F
003841D1 56 push esi
003841D2 8DBD 4C454100 lea edi,dword ptr ss:[ebp+41454C]
003841D8 57 push edi
003841D9 FF95 8F434100 call dword ptr ss:[ebp+41438F]
003841DF 85C0 test eax,eax
003841E1 75 0F jnz short 003841F2
003841E3 8D85 011A4100 lea eax,dword ptr ss:[ebp+411A01]
003841E9 894424 20 mov dword ptr ss:[esp+20],eax
003841ED E9 9D000000 jmp 0038428F
003841F2 56 push esi
003841F3 8DBD 56454100 lea edi,dword ptr ss:[ebp+414556]
003841F9 57 push edi
003841FA FF95 8F434100 call dword ptr ss:[ebp+41438F]
00384200 85C0 test eax,eax
00384202 75 0C jnz short 00384210
00384204 8D85 101A4100 lea eax,dword ptr ss:[ebp+411A10]
0038420A 894424 20 mov dword ptr ss:[esp+20],eax
0038420E EB 7F jmp short 0038428F
00384210 56 push esi
00384211 8DBD 60454100 lea edi,dword ptr ss:[ebp+414560]
00384217 57 push edi
00384218 FF95 8F434100 call dword ptr ss:[ebp+41438F]
0038421E 85C0 test eax,eax
00384220 75 0C jnz short 0038422E
00384222 8D85 1E1C4100 lea eax,dword ptr ss:[ebp+411C1E]
00384228 894424 20 mov dword ptr ss:[esp+20],eax
0038422C EB 61 jmp short 0038428F
0038422E 56 push esi
0038422F 8DBD 68454100 lea edi,dword ptr ss:[ebp+414568]
00384235 57 push edi
00384236 FF95 8F434100 call dword ptr ss:[ebp+41438F]
0038423C 85C0 test eax,eax
0038423E 75 0C jnz short 0038424C
00384240 8D85 6B1C4100 lea eax,dword ptr ss:[ebp+411C6B]
00384246 894424 20 mov dword ptr ss:[esp+20],eax
0038424A EB 43 jmp short 0038428F
0038424C 56 push esi
0038424D 8DBD 70454100 lea edi,dword ptr ss:[ebp+414570]
00384253 57 push edi
00384254 FF95 8F434100 call dword ptr ss:[ebp+41438F]
0038425A 85C0 test eax,eax
0038425C 75 0C jnz short 0038426A
0038425E 8D85 2E1D4100 lea eax,dword ptr ss:[ebp+411D2E]
00384264 894424 20 mov dword ptr ss:[esp+20],eax
00384268 EB 25 jmp short 0038428F
0038426A 56 push esi
0038426B 8DBD 74454100 lea edi,dword ptr ss:[ebp+414574]
00384271 57 push edi
00384272 FF95 8F434100 call dword ptr ss:[ebp+41438F]
00384278 85C0 test eax,eax
0038427A 75 0C jnz short 00384288
0038427C 8D85 BE1D4100 lea eax,dword ptr ss:[ebp+411DBE]
00384282 894424 20 mov dword ptr ss:[esp+20],eax
00384286 EB 07 jmp short 0038428F
00384288 836424 20 00 and dword ptr ss:[esp+20],0
0038428D EB 00 jmp short 0038428F
0038428F 61 popad
00384290 58 pop eax
00384291 C2 0800 retn 8
00384294 E9 18010000 jmp 003843B1
00384299 3D 69696969 cmp eax,69696969
0038429E 75 12 jnz short 003842B2
003842A0 C74424 20 01000000 mov dword ptr ss:[esp+20],1
003842A8 61 popad
003842A9 58 pop eax
003842AA C2 0800 retn 8
003842AD E9 FF000000 jmp 003843B1
003842B2 3D 45454545 cmp eax,45454545
003842B7 0F85 F4000000 jnz 003843B1
003842BD 8B4424 2C mov eax,dword ptr ss:[esp+2C]
003842C1 3D 00000080 cmp eax,80000000
003842C6 0F83 E5000000 jnb 003843B1
003842CC 8A08 mov cl,byte ptr ds:[eax]
003842CE 80F9 01 cmp cl,1
003842D1 75 5F jnz short 00384332
003842D3 66:8B48 02 mov cx,word ptr ds:[eax+2]
003842D7 66:0BC9 or cx,cx
003842DA 75 19 jnz short 003842F5
003842DC 8B70 04 mov esi,dword ptr ds:[eax+4]
003842DF 83AD D4414100 08 sub dword ptr ss:[ebp+4141D4],8
003842E6 8BBD D4414100 mov edi,dword ptr ss:[ebp+4141D4]
003842EC B9 02000000 mov ecx,2
003842F1 F3:A5 rep movs dword ptr es:[edi],dword ptr>
003842F3 EB 36 jmp short 0038432B
003842F5 66:83F9 01 cmp cx,1
003842F9 75 17 jnz short 00384312
003842FB 8B40 04 mov eax,dword ptr ds:[eax+4]
003842FE DB00 fild dword ptr ds:[eax]
00384300 83AD D4414100 08 sub dword ptr ss:[ebp+4141D4],8
00384307 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
0038430D DD18 fstp qword ptr ds:[eax]
0038430F 9B wait
00384310 EB 19 jmp short 0038432B
00384312 66:83F9 02 cmp cx,2
00384316 75 13 jnz short 0038432B
00384318 DB40 04 fild dword ptr ds:[eax+4]
0038431B 83AD D4414100 08 sub dword ptr ss:[ebp+4141D4],8
00384322 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
00384328 DD18 fstp qword ptr ds:[eax]
0038432A 9B wait
0038432B 61 popad
0038432C 58 pop eax
0038432D C2 0800 retn 8
00384330 EB 7F jmp short 003843B1
00384332 80F9 02 cmp cl,2
00384335 75 44 jnz short 0038437B
00384337 66:8B48 02 mov cx,word ptr ds:[eax+2]
0038433B 66:0BC9 or cx,cx
0038433E 75 19 jnz short 00384359
00384340 8B78 04 mov edi,dword ptr ds:[eax+4]
00384343 8BB5 D4414100 mov esi,dword ptr ss:[ebp+4141D4]
00384349 B9 02000000 mov ecx,2
0038434E F3:A5 rep movs dword ptr es:[edi],dword ptr>
00384350 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
00384357 EB 1B jmp short 00384374
00384359 66:83F9 01 cmp cx,1
0038435D 75 15 jnz short 00384374
0038435F 8B8D D4414100 mov ecx,dword ptr ss:[ebp+4141D4]
00384365 DD01 fld qword ptr ds:[ecx]
00384367 8B40 04 mov eax,dword ptr ds:[eax+4]
0038436A DB18 fistp dword ptr ds:[eax]
0038436C 9B wait
0038436D 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
00384374 61 popad
00384375 58 pop eax
00384376 C2 0800 retn 8
00384379 EB 36 jmp short 003843B1
0038437B 80F9 03 cmp cl,3
0038437E 75 17 jnz short 00384397
00384380 8B48 02 mov ecx,dword ptr ds:[eax+2]
00384383 FF71 08 push dword ptr ds:[ecx+8]
00384386 FF71 04 push dword ptr ds:[ecx+4]
00384389 FF31 push dword ptr ds:[ecx]
0038438B E8 F9ECFFFF call 00383089
00384390 61 popad
00384391 58 pop eax
00384392 C2 0800 retn 8
00384395 EB 1A jmp short 003843B1
00384397 80F9 04 cmp cl,4
0038439A 75 15 jnz short 003843B1
0038439C 8B48 02 mov ecx,dword ptr ds:[eax+2]
0038439F FF71 08 push dword ptr ds:[ecx+8]
003843A2 FF71 04 push dword ptr ds:[ecx+4]
003843A5 FF31 push dword ptr ds:[ecx]
003843A7 E8 7EECFFFF call 0038302A
003843AC 61 popad
003843AD 58 pop eax
003843AE C2 0800 retn 8
003843B1 8B85 30414100 mov eax,dword ptr ss:[ebp+414130] //ss:[003852DD]
=00384FB0
eax=77E40000 (kernel32.77E40000)
003843B7 894424 20 mov dword ptr ss:[esp+20],eax
003843BB 61 popad
003843BC 83C4 04 add esp,4
003843BF FF6424 FC jmp dword ptr ss:[esp-4]
003843C3 EB 03 jmp short 003843C8
003843C5 CD20 E9E94D04 vxdjump 44DE9E9
003843CB 0000 add byte ptr ds:[eax],al
; Dispatcher case 7. The author's note on the cmp line ties index 7 to the
; program's thunk at 004575BE, jmp.&kernel32.GetVersion.
; No call into kernel32 is visible in this case: it returns the dword stored at
; [ebp+4145E0] (resolves to 0038578D with the ebp computed below).
; NOTE(review): presumably a value the stub cached earlier - confirm in the
; part of the listing outside this excerpt.
003843CD 83F8 07 cmp eax,7 //第七个 4575be<jmp.&kernel32.GetVersion>
003843D0 75 2A jnz short 003843FC ; not index 7: try the next case
003843D2 50 push eax ; reserves the slot that will carry the return value
003843D3 60 pushad
003843D4 E8 00000000 call 003843D9 ; call to the next instruction pushes 003843D9
003843D9 5D pop ebp ; ebp = 003843D9
003843DA 81ED 2C324100 sub ebp,41322C ; ebp = 003843D9 - 0041322C, the base added to the 0041xxxx offsets
003843E0 8B85 E0454100 mov eax,dword ptr ss:[ebp+4145E0]
003843E6 894424 20 mov dword ptr ss:[esp+20],eax ; pushad stored 0x20 bytes, so esp+20 is the "push eax" slot
003843EA 61 popad
003843EB 58 pop eax ; eax = value written into the slot
003843EC 83C4 04 add esp,4 ; step over the dword on top of the stack (the return address)
003843EF FF6424 FC jmp dword ptr ss:[esp-4] ; and jump to it: behaves like a plain ret
; The jmp above is unconditional, so fall-through never reaches the bytes below.
; 0F0F does not decode; this looks like filler meant to upset linear disassembly.
003843F3 EB 02 jmp short 003843F7
003843F5 0F0F ??? ; unknown instruction
003843F7 E9 1E040000 jmp 0038481A
; Dispatcher case 8. Author's note: index 8 is the program's
; jmp.&kernel32.GetModuleHandleA thunk.
; Stack after "push eax" + "pushad": esp+20 = slot from push eax, esp+24 = the
; dword that was on top at entry (used as return address by the exits below),
; esp+28 = first argument.
003843FC 83F8 08 cmp eax,8 //第八个 jmp.&kernel32.GetModuleHandleA>
003843FF 75 53 jnz short 00384454 ; not index 8: try the next case
00384401 50 push eax
00384402 60 pushad
00384403 E8 00000000 call 00384408
00384408 5D pop ebp
00384409 81ED 5B324100 sub ebp,41325B ; ebp = 00384408 - 0041325B, base for the 0041xxxx offsets
0038440F 8B4424 28 mov eax,dword ptr ss:[esp+28] ; first argument
00384413 0BC0 or eax,eax
00384415 75 0F jnz short 00384426 ; non-zero argument: hand over to the real API below
; Zero argument: answered from the stub's own data, no API call on this path.
; NOTE(review): [ebp+4145E4] is presumably the main module base saved earlier - confirm.
00384417 8B85 E4454100 mov eax,dword ptr ss:[ebp+4145E4]
0038441D 894424 20 mov dword ptr ss:[esp+20],eax
00384421 61 popad
00384422 58 pop eax
00384423 C2 0400 retn 4 ; return and drop the single argument
; Non-zero argument: the pointer at [ebp+41433F] (the author resolved it to
; kernel32.GetModuleHandleA) is written into the push-eax slot. After popad and
; add esp,4 the stack top is the caller's return address again, and jmp [esp-4]
; transfers to that pointer with the argument still in place.
00384426 8B85 3F434100 mov eax,dword ptr ss:[ebp+41433F] //ss:[003854EC]=77E59F93
(kernel32.GetModuleHandleA)
eax=0040E678 (main.0040E678), ASCII "kernel32.dll"
0038442C 894424 20 mov dword ptr ss:[esp+20],eax
00384430 61 popad
00384431 83C4 04 add esp,4
00384434 FF6424 FC jmp dword ptr ss:[esp-4]
; Not reached by fall-through. "call 00384441" targets the middle of the
; instruction OllyDbg decoded at 0038443D, so the linear disassembly of the
; bytes from here to 00384453 should not be trusted.
00384438 E8 04000000 call 00384441
0038443D C783 EB0E58EB 02CD2>mov dword ptr ds:[ebx+EB580EEB],8320C>
00384447 C002 EB rol byte ptr ds:[edx],0EB
0038444A 01E9 add ecx,ebp
0038444C 50 push eax
0038444D C3 retn
0038444E E8 E9C60300 call 003C0B3C
00384453 90 nop
; Dispatcher case 9. Author's note: ninth entry, not used by this program.
; Same shape as case 7: returns the dword at [ebp+4145E8] (resolves to 00385795)
; through the push-eax slot and a ret-like exit.
00384454 83F8 09 cmp eax,9 //第九个 没有用到
00384457 75 3A jnz short 00384493 ; not index 9: try the next case
00384459 50 push eax
0038445A 60 pushad
0038445B E8 00000000 call 00384460
00384460 5D pop ebp
00384461 81ED B3324100 sub ebp,4132B3 ; ebp = 00384460 - 004132B3
00384467 8B85 E8454100 mov eax,dword ptr ss:[ebp+4145E8]
0038446D 894424 20 mov dword ptr ss:[esp+20],eax ; esp+20 = slot from "push eax"
00384471 61 popad
00384472 58 pop eax
00384473 83C4 04 add esp,4
00384476 FF6424 FC jmp dword ptr ss:[esp-4] ; behaves like ret
; Not reached by fall-through. "call 00384483" lands inside the bytes OllyDbg
; decoded as the por at 0038447F; treat this stretch as filler.
0038447A E8 04000000 call 00384483
0038447F 0FEB0C0F por mm1,qword ptr ds:[edi+ecx]
00384483 58 pop eax
00384484 EB 01 jmp short 00384487
00384486 0F40EB cmovo ebp,ebx
00384489 01CD add ebp,ecx
0038448B FFE0 jmp eax
0038448D C7 ??? ; unknown instruction
0038448E E9 87030000 jmp 0038481A
; Dispatcher case 0x0A. Author's note: tenth entry, the program's thunk at
; 00457375, jmp.&kernel32.GetCurrentProcessId.
; No API call is visible here: the case returns the dword at [ebp+4145EC]
; (resolves to 00385799).
; NOTE(review): presumably a process id cached by the stub earlier - confirm.
00384493 83F8 0A cmp eax,0A //第十个 457375<
jmp.&kernel32.GetCurrentProcessId>
00384496 75 2D jnz short 003844C5 ; not index 0x0A: try the next case
00384498 50 push eax
00384499 60 pushad
0038449A E8 00000000 call 0038449F
0038449F 5D pop ebp
003844A0 81ED F2324100 sub ebp,4132F2 ; ebp = 0038449F - 004132F2
003844A6 8B85 EC454100 mov eax,dword ptr ss:[ebp+4145EC]
003844AC 894424 20 mov dword ptr ss:[esp+20],eax ; esp+20 = slot from "push eax"
003844B0 61 popad
003844B1 58 pop eax
003844B2 83C4 04 add esp,4
003844B5 FF6424 FC jmp dword ptr ss:[esp-4] ; behaves like ret
; Not reached by fall-through; both branches below end at the jmp to 0038481A.
003844B9 7C 03 jl short 003844BE
003844BB EB 03 jmp short 003844C0
003844BD 0F74FB pcmpeqb mm7,mm3
003844C0 E9 55030000 jmp 0038481A
; Dispatcher case 0x0B. Author's note: eleventh entry, not used by this program.
; Returns the constant -2 (FFFFFFFE) in eax without touching any stub data.
003844C5 83F8 0B cmp eax,0B //第十一个 没有用到
003844C8 75 23 jnz short 003844ED ; not index 0x0B: try the next case
003844CA 6A FE push -2
003844CC 58 pop eax ; eax = -2
003844CD 83C4 04 add esp,4
003844D0 FF6424 FC jmp dword ptr ss:[esp-4] ; behaves like ret
; Not reached by fall-through. "call 003844DD" lands inside the bytes decoded
; as the por at 003844D9; treat this stretch as filler.
003844D4 E8 04000000 call 003844DD
003844D9 0FEB0CC9 por mm1,qword ptr ds:[ecx+ecx*8]
003844DD 58 pop eax
003844DE EB 01 jmp short 003844E1
003844E0 0F40EB cmovo ebp,ebx
003844E3 01CD add ebp,ecx
003844E5 FFE0 jmp eax
003844E7 C7 ??? ; unknown instruction
003844E8 E9 2D030000 jmp 0038481A
; Dispatcher case 0x0C. Author's note: twelfth entry, the program's
; jmp.&kernel32.GetCommandLineA thunk.
; Returns the dword at [ebp+4145F0]; the author's trace shows that location as
; 0038579D holding 00141EE0. No API call is visible on this path.
003844ED 83F8 0C cmp eax,0C //第十二个<jmp.&kernel32.GetCommandLineA>
003844F0 75 31 jnz short 00384523 ; not index 0x0C: try the next case
003844F2 50 push eax
003844F3 60 pushad
003844F4 E8 00000000 call 003844F9
003844F9 5D pop ebp
003844FA 81ED 4C334100 sub ebp,41334C ; ebp = 003844F9 - 0041334C
00384500 8B85 F0454100 mov eax,dword ptr ss:[ebp+4145F0] ss:[0038579D]=00141EE0
eax=0000000C
00384506 894424 20 mov dword ptr ss:[esp+20],eax ; esp+20 = slot from "push eax"
0038450A 61 popad
0038450B 58 pop eax
0038450C 83C4 04 add esp,4
0038450F FF6424 FC jmp dword ptr ss:[esp-4] ; behaves like ret
; Not reached by fall-through. "call 0038451B" lands inside the bytes decoded
; as the vxdjump at 00384518; treat this stretch as filler.
00384513 E8 03000000 call 0038451B
00384518 CD20 E983C404 vxdjump 4C483E9
0038451E E9 F7020000 jmp 0038481A
; Dispatcher cases 0x0D, 0x0E and 0x0F. The author's notes tie them to the
; program's thunks for user32.InflateRect, user32.IntersectRect and
; user32.IsRectEmpty. Each case only jumps to a handler further on in the stub
; (003850FA, 0038511E, 003851E4); those handlers are not part of this excerpt.
; The bytes after each unconditional jmp are not reached by fall-through.
00384523 83F8 0D cmp eax,0D //第十三个45349e
call <jmp.&user32.InflateRect>
00384526 75 0F jnz short 00384537
00384528 E9 CD0B0000 jmp 003850FA
0038452D EB 03 jmp short 00384532
0038452F CD20 E9E9E302 vxdjump 2E3E9E9
00384535 0000 add byte ptr ds:[eax],al
00384537 83F8 0E cmp eax,0E //第十四个 47173E=<jmp.&user32.IntersectRect>
0038453A 75 21 jnz short 0038455D
0038453C E9 DD0B0000 jmp 0038511E
; "call 0038454A" lands inside the instruction decoded at 00384546.
00384541 E8 04000000 call 0038454A
00384546 C783 EB0E58EB 02CD2>mov dword ptr ds:[ebx+EB580EEB],8320C>
00384550 C002 EB rol byte ptr ds:[edx],0EB
00384553 01E9 add ecx,ebp
00384555 50 push eax
00384556 C3 retn
00384557 C7 ??? ; unknown instruction
00384558 E9 BD020000 jmp 0038481A
0038455D 83F8 0F cmp eax,0F //第十五个 452DAE=<jmp.&user32.IsRectEmpty>
00384560 75 11 jnz short 00384573
00384562 E9 7D0C0000 jmp 003851E4
00384567 7C 03 jl short 0038456C
00384569 EB 03 jmp short 0038456E
0038456B 0F74FB pcmpeqb mm7,mm3
0038456E E9 A7020000 jmp 0038481A
; Dispatcher case 0x10. Author's note: sixteenth entry, the program's thunk at
; 00456FBE, jmp.&kernel32.LoadLibraryA.
; The first argument ([esp+28] after push eax + pushad) is not always treated
; as a library name:
;   1. It is passed with the stub string at [ebp+414543] to the routine at
;      [ebp+41438F]; a zero result makes the case return 78787878.
;      NOTE(review): the routine is presumably a string compare - confirm.
;   2. Otherwise the 16-bit word at the argument selects an operation 1..4 on
;      8-byte floating-point values addressed through the pointer kept at
;      [ebp+4141D4] (called P below).
;   3. Any other word value falls through to 0038463E, which jumps to the
;      pointer at [ebp+414134].
;      NOTE(review): presumably the real LoadLibraryA, mirroring case 8 - confirm.
; For an analyst this means some LoadLibraryA call sites in the protected
; program appear to be requests to the stub rather than library loads.
00384573 83F8 10 cmp eax,10 //第十六个456FBE=<jmp.&kernel32.LoadLibraryA>
00384576 0F85 E4000000 jnz 00384660 ; not index 0x10: try the next case
0038457C 50 push eax
0038457D 60 pushad
0038457E E8 00000000 call 00384583
00384583 5D pop ebp
00384584 81ED D6334100 sub ebp,4133D6 ; ebp = 00384583 - 004133D6
0038458A 8B4424 28 mov eax,dword ptr ss:[esp+28] ; first argument
0038458E 50 push eax
0038458F 8D85 43454100 lea eax,dword ptr ss:[ebp+414543]
00384595 50 push eax
00384596 FF95 8F434100 call dword ptr ss:[ebp+41438F]
0038459C 0BC0 or eax,eax
0038459E 75 0D jnz short 003845AD
003845A0 C74424 20 78787878 mov dword ptr ss:[esp+20],78787878 ; marker value returned in eax
003845A8 61 popad
003845A9 58 pop eax
003845AA C2 0400 retn 4
003845AD 8B4424 28 mov eax,dword ptr ss:[esp+28]
003845B1 66:8B08 mov cx,word ptr ds:[eax] ; operation selector
003845B4 66:83F9 01 cmp cx,1
003845B8 75 1E jnz short 003845D8
; cx = 1: load [P], advance P by 8, then [P] = [P] + loaded value
003845BA 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
003845C0 DD00 fld qword ptr ds:[eax]
003845C2 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
003845C9 83C0 08 add eax,8
003845CC DC00 fadd qword ptr ds:[eax]
003845CE DD18 fstp qword ptr ds:[eax]
003845D0 9B wait
003845D1 61 popad
003845D2 58 pop eax
003845D3 C2 0400 retn 4
003845D6 EB 66 jmp short 0038463E ; follows a retn, not reached by fall-through
003845D8 66:83F9 02 cmp cx,2
003845DC 75 1C jnz short 003845FA
; cx = 2: advance P by 8, then [P] = [P] - [P-8]
003845DE 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
003845E5 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
003845EB DD00 fld qword ptr ds:[eax]
003845ED DC60 F8 fsub qword ptr ds:[eax-8]
003845F0 DD18 fstp qword ptr ds:[eax]
003845F2 9B wait
003845F3 61 popad
003845F4 58 pop eax
003845F5 C2 0400 retn 4
003845F8 EB 44 jmp short 0038463E ; follows a retn, not reached by fall-through
003845FA 66:83F9 03 cmp cx,3
003845FE 75 1E jnz short 0038461E
; cx = 3: load [P], advance P by 8, then [P] = [P] * loaded value
00384600 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
00384606 DD00 fld qword ptr ds:[eax]
00384608 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
0038460F 83C0 08 add eax,8
00384612 DC08 fmul qword ptr ds:[eax]
00384614 DD18 fstp qword ptr ds:[eax]
00384616 9B wait
00384617 61 popad
00384618 58 pop eax
00384619 C2 0400 retn 4
0038461C EB 20 jmp short 0038463E ; follows a retn, not reached by fall-through
0038461E 66:83F9 04 cmp cx,4
00384622 75 1A jnz short 0038463E
; cx = 4: advance P by 8, then [P] = [P] / [P-8]
00384624 8385 D4414100 08 add dword ptr ss:[ebp+4141D4],8
0038462B 8B85 D4414100 mov eax,dword ptr ss:[ebp+4141D4]
00384631 DD00 fld qword ptr ds:[eax]
00384633 DC70 F8 fdiv qword ptr ds:[eax-8]
00384636 DD18 fstp qword ptr ds:[eax]
00384638 9B wait
00384639 61 popad
0038463A 58 pop eax
0038463B C2 0400 retn 4
; Pass-through exit: pointer from [ebp+414134] goes into the push-eax slot;
; after popad / add esp,4 the jmp [esp-4] transfers to it with the caller's
; return address and argument still on the stack.
0038463E 8B85 34414100 mov eax,dword ptr ss:[ebp+414134]
00384644 894424 20 mov dword ptr ss:[esp+20],eax
00384648 61 popad
00384649 83C4 04 add esp,4
0038464C FF6424 FC jmp dword ptr ss:[esp-4]
; Not reached by fall-through. "call 00384658" lands inside the bytes decoded
; as the vxdjump at 00384655; treat this stretch as filler.
00384650 E8 03000000 call 00384658
00384655 CD20 D683C404 vxdjump 4C483D6
0038465B E9 BA010000 jmp 0038481A
; Dispatcher case 0x11. Author's note: seventeenth entry, the program's thunk
; at 00427741, jmp.&kernel32.MulDiv.
; The three stack arguments are pushed again and handed to the stub's own
; routine at 00385195 (not part of this excerpt); no import is called here.
00384660 83F8 11 cmp eax,11 //第十七个 427741=<jmp.&kernel32.MulDiv>
00384663 75 27 jnz short 0038468C ; not index 0x11: try the next case
00384665 8BCC mov ecx,esp ; [ecx] = return address, [ecx+4..C] = arguments 1..3
00384667 FF71 0C push dword ptr ds:[ecx+C]
0038466A FF71 08 push dword ptr ds:[ecx+8]
0038466D FF71 04 push dword ptr ds:[ecx+4]
00384670 E8 200B0000 call 00385195
; NOTE(review): the exit below is balanced only if 00385195 removes its own
; three arguments - confirm in the routine itself.
00384675 83C4 10 add esp,10 ; drop return address + 3 arguments
00384678 FF6424 F0 jmp dword ptr ss:[esp-10] ; jump to the return address: behaves like retn 0C
; Not reached by fall-through. "call 00384684" lands inside the bytes decoded
; as the vxdjump at 00384681; treat this stretch as filler.
0038467C E8 03000000 call 00384684
00384681 CD20 D683C404 vxdjump 4C483D6
00384687 E9 8E010000 jmp 0038481A
; Dispatcher cases 0x12 and 0x13. The author's notes tie them to the program's
; thunks for user32.PtInRect (0044FFCA) and user32.OffsetRect (00474B62).
; Each case only jumps to a handler further on in the stub (00385258,
; 0038528A); those handlers are not part of this excerpt.
0038468C 83F8 12 cmp eax,12 //第十八个 44FFCA=<jmp.&user32.PtInRect>
0038468F 75 0F jnz short 003846A0
00384691 E9 C20B0000 jmp 00385258
; Not reached by fall-through.
00384696 EB 03 jmp short 0038469B
00384698 90 nop
00384699 90 nop
0038469A 90 nop
0038469B E9 7A010000 jmp 0038481A
003846A0 83F8 13 cmp eax,13 //第十九个 474B62=<jmp.&user32.OffsetRect>
003846A3 75 1E jnz short 003846C3
003846A5 E9 E00B0000 jmp 0038528A
; Not reached by fall-through. "call 003846B3" lands inside the bytes decoded
; as the por at 003846AF; treat this stretch as filler.
003846AA E8 04000000 call 003846B3
003846AF 0FEB0CC9 por mm1,qword ptr ds:[ecx+ecx*8]
003846B3 58 pop eax
003846B4 EB 01 jmp short 003846B7
003846B6 0F40EB cmovo ebp,ebx
003846B9 01CD add ebp,ecx
003846BB FFE0 jmp eax
003846BD C7 ??? ; unknown instruction
003846BE E9 57010000 jmp 0038481A
; Dispatcher case 0x14. Author's note: twentieth entry, user32.SendMessageA.
; Unlike the emulated cases, this one forwards to the API: the four stack
; arguments are pushed again and the pointer at [ebp+414266] is called (the
; author's trace resolves it to 77D1702F, user32.SendMessageA).
003846C3 83F8 14 cmp eax,14 //第二十个 (user32.SendMessageA)
003846C6 75 33 jnz short 003846FB ; not index 0x14: try the next case
003846C8 50 push eax
003846C9 60 pushad
003846CA E8 00000000 call 003846CF
003846CF 5D pop ebp
003846D0 81ED 22354100 sub ebp,413522 ; ebp = 003846CF - 00413522
003846D6 8BFC mov edi,esp ; edi+20 = push-eax slot, edi+24 = return address, edi+28..34 = arguments 1..4
003846D8 FF77 34 push dword ptr ds:[edi+34]
003846DB FF77 30 push dword ptr ds:[edi+30]
003846DE FF77 2C push dword ptr ds:[edi+2C]
003846E1 FF77 28 push dword ptr ds:[edi+28]
003846E4 FF95 66424100 call dword ptr ss:[ebp+414266] //ss:[00385413]=77D1702F
(user32.SendMessageA)
003846EA 8947 20 mov dword ptr ds:[edi+20],eax ; result goes into the push-eax slot
003846ED 61 popad
003846EE 58 pop eax ; eax = result of the call
003846EF 83C4 14 add esp,14 ; drop return address + 4 arguments
003846F2 FF6424 EC jmp dword ptr ss:[esp-14] ; jump to the return address: behaves like retn 10
003846F6 E9 1F010000 jmp 0038481A ; not reached by fall-through
; Dispatcher case 0x15. Author's note: twenty-first entry, not used by this
; program. The case only jumps to a handler at 0038520A, which is not part of
; this excerpt.
003846FB 83F8 15 cmp eax,15 //第二十一个 没有用到
003846FE 75 1E jnz short 0038471E
00384700 E9 050B0000 jmp 0038520A
; Not reached by fall-through. "call 0038470E" lands inside the bytes decoded
; as the por at 0038470A; treat this stretch as filler.
00384705 E8 04000000 call 0038470E
0038470A 0FEB0CC9 por mm1,qword ptr ds:[ecx+ecx*8]
0038470E 58 pop eax
0038470F EB 01 jmp short 00384712
00384711 0F40EB cmovo ebp,ebx
00384714 01CD add ebp,ecx
00384716 FFE0 jmp eax
00384718 C7 ??? ; unknown instruction
00384719 E9 FC000000 jmp 0038481A
; Dispatcher case 0x16. Author's note: twenty-second entry, the program's thunk
; at 004BC1EF, jmp.&wsock32.send.
; With a standard frame, [ebp+8], [ebp+C], [ebp+10], [ebp+14] are stack
; arguments 1..4; for send(s, buf, len, flags) that is s, buf, len, flags.
; The case builds the pair {[ebp+10], [ebp+C]} at [ebp-8] and calls the address
; ecx+414965 with seven arguments:
;   (arg1, &pair, 1, &[ebp+10], arg4, 0, 0)
; NOTE(review): this matches the shape of WSASend with one {len, buf} buffer
; and the byte count written back over the len slot - confirm what sits at
; ecx+414965 (00385B12 with the ecx computed below).
; NOTE(review): the transfer goes through ecx, not through an import thunk, so
; a trace keyed only on wsock32.send would presumably miss it - confirm.
0038471E 83F8 16 cmp eax,16 //第二十二个 4BC1EF=<jmp.&wsock32.send>
00384721 75 67 jnz short 0038478A ; not index 0x16: try the next case
00384723 55 push ebp
00384724 8BEC mov ebp,esp
00384726 E8 00000000 call 0038472B
0038472B 59 pop ecx
0038472C 81E9 7E354100 sub ecx,41357E ; ecx = 0038472B - 0041357E, base for the 0041xxxx offsets
00384732 51 push ecx ; the two pushes reserve [ebp-4] and [ebp-8]
00384733 51 push ecx
00384734 8B45 10 mov eax,dword ptr ss:[ebp+10]
00384737 6A 00 push 0 ; seventh argument
00384739 8945 F8 mov dword ptr ss:[ebp-8],eax ; pair.first = arg3
0038473C 8B45 0C mov eax,dword ptr ss:[ebp+C]
0038473F 6A 00 push 0 ; sixth argument
00384741 8945 FC mov dword ptr ss:[ebp-4],eax ; pair.second = arg2
00384744 FF75 14 push dword ptr ss:[ebp+14] ; fifth argument = arg4
00384747 8D45 10 lea eax,dword ptr ss:[ebp+10]
0038474A 50 push eax ; fourth argument = address of the arg3 slot
0038474B 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0038474E 6A 01 push 1 ; third argument
00384750 50 push eax ; second argument = address of the pair
00384751 FF75 08 push dword ptr ss:[ebp+8] ; first argument = arg1
00384754 8D89 65494100 lea ecx,dword ptr ds:[ecx+414965]
0038475A FFD1 call ecx
0038475C 83F8 FF cmp eax,-1
0038475F 75 03 jnz short 00384764
00384761 0945 10 or dword ptr ss:[ebp+10],eax ; callee returned -1: force the result to -1
00384764 8B45 10 mov eax,dword ptr ss:[ebp+10] ; result = dword in the arg3 slot
00384767 8BE5 mov esp,ebp
00384769 5D pop ebp
0038476A 83C4 14 add esp,14 ; drop return address + 4 arguments
0038476D FF6424 EC jmp dword ptr ss:[esp-14] ; jump to the return address: behaves like retn 10
; Not reached by fall-through. "call 0038477A" lands inside the bytes decoded
; as the por at 00384776; treat this stretch as filler.
00384771 E8 04000000 call 0038477A
00384776 0FEB0CC9 por mm1,qword ptr ds:[ecx+ecx*8]
0038477A 58 pop eax
0038477B EB 01 jmp short 0038477E
0038477D 0F40EB cmovo ebp,ebx
00384780 01CD add ebp,ecx
00384782 FFE0 jmp eax
00384784 C7 ??? ; unknown instruction
00384785 E9 90000000 jmp 0038481A
; Dispatcher case 0x17. Author's note: twenty-third entry, the program's thunk
; at 004BC39F, jmp.&wsock32.recv. Any other index goes to 0038481A.
; Same frame as case 0x16: [ebp+8], [ebp+C], [ebp+10], [ebp+14] are stack
; arguments 1..4. The pair {[ebp+10], [ebp+C]} is built at [ebp-8], arg4 is
; copied over the arg2 slot, and ecx+4149A5 is called with seven arguments:
;   (arg1, &pair, 1, &[ebp+10], &[ebp+C], 0, 0)
; NOTE(review): this matches the shape of WSARecv, with the byte count and the
; flags written back through the two pointers - confirm what sits at
; ecx+4149A5.
0038478A 83F8 17 cmp eax,17 //第二十三个 4BC39F=<jmp.&wsock32.recv>
0038478D 0F85 87000000 jnz 0038481A
00384793 55 push ebp
00384794 8BEC mov ebp,esp
00384796 E8 00000000 call 0038479B
0038479B 59 pop ecx
0038479C 81E9 EE354100 sub ecx,4135EE ; ecx = 0038479B - 004135EE, base for the 0041xxxx offsets
003847A2 51 push ecx ; the two pushes reserve [ebp-4] and [ebp-8]
003847A3 51 push ecx
003847A4 8B45 10 mov eax,dword ptr ss:[ebp+10]
003847A7 6A 00 push 0 ; seventh argument
003847A9 8945 F8 mov dword ptr ss:[ebp-8],eax ; pair.first = arg3
003847AC 8B45 0C mov eax,dword ptr ss:[ebp+C]
003847AF 8945 FC mov dword ptr ss:[ebp-4],eax ; pair.second = arg2
003847B2 8B45 14 mov eax,dword ptr ss:[ebp+14]
003847B5 8945 0C mov dword ptr ss:[ebp+C],eax ; arg2 slot now holds arg4
003847B8 8D45 0C lea eax,dword ptr ss:[ebp+C]
003847BB 6A 00 push 0 ; sixth argument
003847BD 50 push eax ; fifth argument = address of the slot holding arg4
003847BE 8D45 10 lea eax,dword ptr ss:[ebp+10]
003847C1 50 push eax ; fourth argument = address of the arg3 slot
003847C2 8D45 F8 lea eax,dword ptr ss:[ebp-8]
003847C5 6A 01 push 1 ; third argument
003847C7 50 push eax ; second argument = address of the pair
003847C8 FF75 08 push dword ptr ss:[ebp+8] ; first argument = arg1
003847CB 8D89 A5494100 lea ecx,dword ptr ds:[ecx+4149A5]
003847D1 FFD1 call ecx
003847D3 83F8 FF cmp eax,-1
003847D6 74 1D je short 003847F5 ; callee returned -1: result is forced to -1
003847D8 F645 0D 80 test byte ptr ss:[ebp+D],80 ; bit 15 (0x8000) of the dword at [ebp+C]
003847DC 74 1B je short 003847F9 ; bit clear: return the dword in the arg3 slot
; Bit set: 2738h (10040 decimal) is passed to the routine at [ecx+4143F3] and
; the result is then forced to -1.
; NOTE(review): 0x8000 is MSG_PARTIAL and 10040 is WSAEMSGSIZE in Winsock, so
; the routine is presumably WSASetLastError - confirm.
003847DE E8 00000000 call 003847E3
003847E3 59 pop ecx
003847E4 81E9 36364100 sub ecx,413636 ; ecx = 003847E3 - 00413636
003847EA 68 38270000 push 2738
003847EF FF91 F3434100 call dword ptr ds:[ecx+4143F3]
003847F5 834D 10 FF or dword ptr ss:[ebp+10],FFFFFFFF
003847F9 8B45 10 mov eax,dword ptr ss:[ebp+10] ; result = dword in the arg3 slot
003847FC 8BE5 mov esp,ebp
003847FE 5D pop ebp
003847FF 83C4 14 add esp,14 ; drop return address + 4 arguments
00384802 FF6424 EC jmp dword ptr ss:[esp-14] ; jump to the return address: behaves like retn 10
; Not reached by fall-through. "call 0038480F" lands inside the bytes decoded
; as the por at 0038480B; treat this stretch as filler.
00384806 E8 04000000 call 0038480F
0038480B 0FEB0CC9 por mm1,qword ptr ds:[ecx+ecx*8]
0038480F 58 pop eax
00384810 EB 01 jmp short 00384813
00384812 0F40EB cmovo ebp,ebx
00384815 01CD add ebp,ecx
00384817 FFE0 jmp eax
00384819 C7 ??? ; unknown instruction
0038481A 6A 00 push 0
0038481C 50 push eax
0038481D 8B85 654A4100 mov eax,dword ptr ss:[ebp+414A65]
11、入口处被抽取代码的还原。
; Code the packer removed from the program's entry area, as recovered by the
; author (section 11 of the write-up). It spans 0059F888..0059F8EC, 101 bytes.
; Arguments are loaded into eax / edx / ecx before each call rather than pushed.
; NOTE(review): the sequence (one setup call taking 0059F338, two calls to
; 0046BF80 with eax/edx/ecx loaded, then 0046C000 and 00404B24) looks like a
; Borland Delphi program entry - confirm against the dumped binary.
0059F888 55 push ebp
0059F889 8BEC mov ebp,esp
0059F88B 83C4 F0 add esp,-10 ; reserve 0x10 bytes of locals
0059F88E B8 38F35900 mov eax,main.0059F338
0059F893 E8 3879E6FF call main.004071D0
; The triple below (address 005A5A58, then two dereferences) is repeated before
; each of the next four calls and yields the value passed in eax.
0059F898 B8 585A5A00 mov eax,main.005A5A58
0059F89D 8B00 mov eax,dword ptr ds:[eax]
0059F89F 8B00 mov eax,dword ptr ds:[eax]
0059F8A1 E8 C2C6ECFF call main.0046BF68
0059F8A6 8B0D E0535A00 mov ecx,dword ptr ds:[5A53E0] ; main.007422A8
0059F8AC B8 585A5A00 mov eax,main.005A5A58
0059F8B1 8B00 mov eax,dword ptr ds:[eax]
0059F8B3 8B00 mov eax,dword ptr ds:[eax]
0059F8B5 8B15 30CB5700 mov edx,dword ptr ds:[57CB30] ; main.0057CB7C
0059F8BB E8 C0C6ECFF call main.0046BF80
0059F8C0 8B0D E8515A00 mov ecx,dword ptr ds:[5A51E8] ; main.00741F44
0059F8C6 B8 585A5A00 mov eax,main.005A5A58
0059F8CB 8B00 mov eax,dword ptr ds:[eax]
0059F8CD 8B00 mov eax,dword ptr ds:[eax]
0059F8CF 8B15 80755600 mov edx,dword ptr ds:[567580] ; main.005675CC
0059F8D5 E8 A6C6ECFF call main.0046BF80
0059F8DA B8 585A5A00 mov eax,main.005A5A58
0059F8DF 8B00 mov eax,dword ptr ds:[eax]
0059F8E1 8B00 mov eax,dword ptr ds:[eax]
0059F8E3 E8 18C7ECFF call main.0046C000
0059F8E8 E8 3752E6FF call main.00404B24
; Stub code at 0038B003: a push/retn pair that transfers control to 0059F86D,
; the address the author labels as the fake OEP.
0038B003 68 6DF85900 push 59F86D -------伪oep
0038B008 C3 retn
上面 0059F888–0059F8EC 这段被抽取代码对应的二进制(共 101 字节):
55 8B EC 83 C4 F0 B8 38 F3 59 00 E8 38 79 E6 FF B8 58 5A 5A 00 8B 00 8B 00 E8 C2 C6 EC FF 8B 0D
E0 53 5A 00 B8 58 5A 5A 00 8B 00 8B 00 8B 15 30 CB 57 00 E8 C0 C6 EC FF 8B 0D E8 51 5A 00 B8 58
5A 5A 00 8B 00 8B 00 8B 15 80 75 56 00 E8 A6 C6 EC FF B8 58 5A 5A 00 8B 00 8B 00 E8 18 C7 EC FF
E8 37 52 E6 FF