传神199脱壳笔记-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

传神199脱壳笔记

发表于: 2005-12-14 09:53 4999

传神199脱壳笔记

jskew

2005-12-14 09:53

4999

003435A5 9C             PUSHFD
003435A6 6A 03          PUSH 3
003435A8 73 0B          JNB SHORT 003435B5
003435AA EB 02          JMP SHORT 003435AE
003435AC 75 75          JNZ SHORT 00343623
003435AE E8 06000000    CALL 003435B9
003435B3 66:35 73F7    XOR AX,0F773
003435B7 EB 1D          JMP SHORT 003435D6
003435B9 83C4 04       ADD ESP,4
003435BC EB 02          JMP SHORT 003435C0
003435BE 75 75          JNZ SHORT 00343635
003435C0 FF0C24       DEC DWORD PTR [ESP]
003435C3 71 01          JNO SHORT 003435C6
003435C5 71 79          JNO SHORT 00343640
003435C7 E0 7A          LOOPDNE SHORT 00343643
003435C9 0175 83       ADD [EBP-7D],ESI
...
003435CB 83C4 04       ADD ESP,4
003435CE 9D             POPFD

003435CF /EB 01                JMP SHORT 003435D2

9c 6a 03 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90

/////////////////////////////////////////////////////////////////////

00343587 /7C 0C                JL SHORT 00343595
00343589 |EB 07                JMP SHORT 00343592
0034358B |CD 87                INT 87
0034358D |0C 24                OR AL,24
0034358F |EB 09                JMP SHORT 0034359A
00343591 |E8 7D01E98B          CALL 8C1D3713
00343596 08EB                OR BL,CH

00343586 51                   PUSH ECX
00343587 EB 0C                JMP SHORT 00343595
00343589 90                   NOP
0034358A 90                   NOP
0034358B 90                   NOP
0034358C 870C24             XCHG [ESP],ECX
0034358F EB 09                JMP SHORT 0034359A
00343591 90                   NOP
00343592 90                   NOP
00343593 90                   NOP
00343594 90                   NOP
00343595 8B08                MOV ECX,[EAX]
00343597  ^ EB F3                JMP SHORT 0034358C
00343599 90                   NOP
0034359A 58                   POP EAX

7C 0C EB 07 CD 87 0C 24 EB 09 E8 7D 01 E9 8B 08 EB F3 FF

8B 08 87 0C 24 EB 0C 66 35 78 78 66 35 78 78 66 35 78 78

00343578 E8 04000000          CALL 00343581
0034357D 0000                ADD [EAX],AL
0034357F 0000                ADD [EAX],AL
00343581 5A                   POP EDX
00343582 8B4424 04          MOV EAX,[ESP+4]
00343586 51                   PUSH ECX
00343587 8B08                MOV ECX,[EAX]
00343589 870C24             XCHG [ESP],ECX
0034358C EB 0C                JMP SHORT 0034359A
0034358E 66:35 7878          XOR AX,7878
00343592 66:35 7878          XOR AX,7878
00343596 66:35 7878          XOR AX,7878
0034359A 58                   POP EAX
0034359B 8B4C24 0C          MOV ECX,[ESP+C]
0034359F C701 17000100       MOV DWORD PTR [ECX],10017

/////////////////////////////////////////////////////////////////////
77F8A1E9 CD 2E          INT 2E

0012FFA0 00343578  SE handler
bp 77F8A1E9
bp 00343578

/////////////////////////////////////////////////////////////////////
003438CF 68 14FFFB78    PUSH 78FBFF14 ;参与运算
003438D4 53             PUSH EBX ;无用
003438D5 E8 5D000000    CALL 00343937 ;1 准备sm
003438DA EB FF          JMP SHORT 003438DB
003438DC  ^ 79 E9          JNS SHORT 003438C7
... ;栈内容代码
0034391C 70 78          JO SHORT 00343996
0034391E 36:81F6 EB87342>XOR ESI,243487EB
00343925 8B8B 1C2483EC MOV ECX,[EBX+EC83241C] ;6 从栈出来 00343926 8B1C24       MOV EBX,[ESP]
0034392B F8             CLC
0034392C EB 01          JMP SHORT 0034392F
0034392E E8 83ECFCE9    CALL EA3125B6 ;7 sm结束 00343932 /E9 E7000000    JMP 00343A1E
00343933 E7 00          OUT 0,EAX
00343935 0000          ADD [EAX],AL
00343937 5B             POP EBX ;2 准备 call
00343938 EB FF          JMP SHORT 00343939
00343941 EB FF          JMP SHORT 00343942
00343943 33E8          XOR EBP,EAX ;3 去构造栈内容 00343944 E8 C9000000    CALL 00343A12
00343945 C9             LEAVE
00343946 0000          ADD [EAX],AL
00343948 0089 E3EBFFD3 ADD [ECX+D3FFEBE3],CL ;5 跳进栈 0034394C FFD3          CALL EBX
0034394E EB FF          JMP SHORT 0034394F
00343950  ^ 77 E8          JA SHORT 0034393A
00343952 83C3 01       ADD EBX,1
... ;构造栈代码
00343A0F  ^ EB FA          JMP SHORT 00343A0B
00343A11  ^ EB 83          JMP SHORT 00343996 ;4 往上走 00343A12 83C3 17       ADD EBX,17
00343A13 C3             RETN
00343A1B  ^ EB FA          JMP SHORT 00343A17
00343A1D EB 33          JMP SHORT 00343A52 ;8 sm外面 00343A1E 33C0          XOR EAX,EAX
00343A1F C0E9 58       SHR CL,58
00343A22 07             POP ES

00343A1E-003438D5=149

tc eip<300000
/////////////////////////////////////////////////////////////////////
0034430B          9C             PUSHFD
0034430C          72 0A          JB SHORT 00344318
0034430E          EB 01          JMP SHORT 00344311
00344310       ^ 73 E8          JNB SHORT 003442FA
00344312          05 00000075    ADD EAX,75000000
00344317          75 72          JNZ SHORT 0034438B
00344319          F4             HLT                                     ; Privileged command
0034431A       ^ 75 83          JNZ SHORT 0034429F
0034431C          C4049D EB01E8C0 LES EAX,[EBX*4+C0E801EB]                ; Modification of segment register
00344323          C004EB 2B    ROL BYTE PTR [EBX+EBP*8],2B             ; Shift constant out of range 1..31
00344327          66:35 7878    XOR AX,7878

jmp 00344322

9C 72 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 9D ?? ?? ??
EB 15 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 90
/////////////////////////////////////////////////////////////////////
003436B2       /EB 24          JMP SHORT 003436D8 ;1
003436B4       |DF22          FBLD TBYTE PTR [EDX]
003436B6       |3A9A C0894108 CMP BL,[EDX+84189C0] ;5 003436B9          8941 08       MOV [ECX+8],EAX
003436BC       |EB 4A          JMP SHORT 00343708 ;003436BC       /EB 4A          JMP SHORT 00343708
003436BE       ^|EB DF          JMP SHORT 0034369F
003436C0       |43             INC EBX
003436C1       |694E 58 587DF2E>IMUL ECX,[ESI+58],EBF27D58 ;4 003436C4          58             POP EAX
003436C8       |01DF          ADD EDI,EBX ;003436C5       ^\7D F2          JGE SHORT 003436B9
003436CA       ^|7C ED          JL SHORT 003436B9
003436CC       |DF58 9C       FISTP WORD PTR [EAX-64] ;3 003436CD          58             POP EAX
003436CF       |05 E6FFFFFF    ADD EAX,-1A ;003436CE          9C             PUSHFD
003436D4       |9D             POPFD ;003436D5       ^\FFE0          JMP EAX
003436D5       |FFE0          JMP EAX
003436D7       |FF50 E8       CALL [EAX-18] ;2 003436D8          50             PUSH EAX
003436DA          EF             OUT DX,EAX ;003436D9          E8 EFFFFFFF    CALL 003436CD
003436DB          FFFF          ???

0034381E          57             PUSH EDI
0034381F          E8 ECFFFFFF    CALL 00343810

5? e8 ?? FF FF FF

00343789          58             POP EAX
0034378A          9C             PUSHFD
0034378B          05 E4FFFFFF    ADD EAX,-1C
00343790          9D             POPFD
00343791          FFE0          JMP EAX

003437B7          5E             POP ESI
003437B8          9C             PUSHFD
003437B9          81C6 E4FFFFFF ADD ESI,-1C
003437BF          9D             POPFD
003437C0          FFE6          JMP ESI

5?9c????ffffff9dff
5?9c??????ffffff9dff
/////////////////////////////////////////////////////////////////////
00343750       \7B F1          JPO SHORT 00343743
00343752          EB 01          JMP SHORT 00343755
00343754          DF7A EC       FISTP QWORD PTR [EDX-14]
00343757       - E9 5A9C81C2    JMP C2B5D3B6

00343755       \7A EC          JPE SHORT 00343743

00343780       ^\75 EE          JNZ SHORT 00343770
00343782          EB 01          JMP SHORT 00343785
00343784          DF74E9 E9    FBSTP TBYTE PTR [ECX+EBP*8-17]

00343785       ^\74 E9          JE SHORT 00343770

7???eb01??7???
eb??9090909090

00343573          E8 060C0000    CALL 0034417E
00343578          E8 04000000    CALL 00343581

00343578  E8 04 00 00 00 00 00 00 00 5A 8B 44 24 04 51 8B  ?.......Z?$Q

E8 04 00 00 00 00 00 00 00 5A 8B 44 24 04 51 8B 08 87 0C 24 EB 0C 66 35 78 78 66 35 78 78 66 35
78 78 58 8B 4C 24 0C C7 01 17 00 01 00 EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66
35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90 FF 81 B8 00 00 00
3D 03 00 00 80 0F 85 A9 02 00 00 8B 81 B4 00 00 00 EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66
35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90 8D 80
C8 35 40 00 EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35
78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90 89 41 04 EB 2B 66 35 78 78 66 35 78 78 66 35
78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00
90 8B 81 B4 00 00 00 EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78
78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90 8D 80 5C 38 40 00 EB 05 90 90 90 90
90 89 41 08 EB 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 90 8B 81 B4 00 00 00 EB 29 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 8D 80 05 3A
40 00 EB 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 90 89 41 0C EB 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8B 81 B4 00 00 00 EB 28
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 8D 80 9E 3B 40 00 EB 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 89 41 10 EB 29 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 90 33 C0 EB 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 81 61 14 F0 0F FF FF EB 2A 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 C7 41 18 55 01 00 00 EB 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 E9 F1 08 00 00 3D 1D 00 00 C0 0F 85 8E 01 00 00 8D
81 B8 00 00 00 68 1D EF B3 78 EB 2B 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78
66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 66 35 78 78 00 00 90 68 14 FF FB 78 53 E8 5D 00

;dr0=00344687
;dr1=0034491B
;dr2=00344AC4
;dr3=00344C5D
;dr6=00000000
;dr7=00000155
ecx
17 00 01 00
87 46 34 00 dr0
1B 49 34 00 dr1
C4 4A 34 00 dr2
5D 4C 34 00 dr3
00 00 00 00 dr6
55 01 00 00 dr7
7F 02 FF FF

解码00343A29

003444B8          B9 BA050000    MOV ECX,5BA
003444BD          AC             LODS BYTE PTR [ESI]
003444BE          32C1          XOR AL,CL
003444C0          04 4D          ADD AL,4D
003444C2          C0C0 03       ROL AL,3
003444C5          AA             STOS BYTE PTR ES:[EDI]
003444C6       ^ E2 F5          LOOPD SHORT 003444BD

ESI=00340000
ECX=00342F42

00344537          E8 5D000000    CALL 00344599

00344680          AC             LODS BYTE PTR [ESI]
00344681          03D8          ADD EBX,EAX
00344683       ^ E2 FB          LOOPD SHORT 00344680

ebx=0010BA7E

DR0 00344687
DR1 0034491B
DR2 00344AC4
DR3 00344C5D
DR6 FFFF0FF0
DR7 00000555

ebx=0010BA7E

00344C58          0000          ADD [EAX],AL
00344C5A          C1E9 02       SHR ECX,2
00344C5D          90             NOP
00344C5E          90             NOP
00344C5F          802E 13       SUB BYTE PTR [ESI],13
00344C62          F616          NOT BYTE PTR [ESI]
00344C64          83C6 04       ADD ESI,4
00344C67       ^ E2 F4          LOOPD SHORT 00344C5D

xor byte ptr [esi],55

DS:[00344C69]=85

Log data, item 0
Address=00344E02
Message=Integer division by zero

DR0 0FFF0123
DR1 0FFF4567
DR2 0FFF89AB
DR3 0FFFCDEF
DR6 FFFF0FF0
DR7 00000555

00345FD3 24 40          AND AL,40

CreateFileW >  55             PUSH EBP

00344E02 F7F3          DIV EBX
00344E04 90             NOP

00343FE6 3D 940000C0    CMP EAX,C0000094

设置drx值
00343FF1 AND DWORD PTR [EDX],0
00343FFC INC DWORD PTR [ECX+B8]
0034402B XOR EAX,EAX
00344056 MOV DWORD PTR [ECX+4],0FFF0123
00344088 MOV DWORD PTR [ECX+8],0FFF4567
003440B9 MOV DWORD PTR [ECX+C],0FFF89AB
003440EB MOV DWORD PTR [ECX+10],0FFFCDEF
0034411B AND DWORD PTR [ECX+14],FFFF0FF0
0034414D MOV DWORD PTR [ECX+18],155

00344DC5 AC             LODS BYTE PTR [ESI]
00344DC6 32C1          XOR AL,CL
00344DC8 04 63          ADD AL,63
00344DCA AA             STOS BYTE PTR ES:[EDI]
00344DCB  ^ E2 F8          LOOPD SHORT 00344DC5
00344DCD 33C0          XOR EAX,EAX
00344DCF FEC4          INC AH
00344DD1 EB 2B          JMP SHORT 00344DFE
00344DD3 66:35 7878    XOR AX,7878
00344DD7 66:35 7878    XOR AX,7878
00344DDB 66:35 7878    XOR AX,7878
00344DDF 66:35 7878    XOR AX,7878
00344DE3 66:35 7878    XOR AX,7878
00344DE7 66:35 7878    XOR AX,7878
00344DEB 66:35 7878    XOR AX,7878
00344DEF 66:35 7878    XOR AX,7878
00344DF3 66:35 7878    XOR AX,7878
00344DF7 66:35 7878    XOR AX,7878
00344DFB 0000          ADD [EAX],AL
00344DFD 90             NOP
00344DFE 33D2          XOR EDX,EDX
00344E00 33DB          XOR EBX,EBX
00344E02 F7F3          DIV EBX ;除0异常,设置drx的值
00344E04 90             NOP
00344E05 64:8F05 0000000>POP DWORD PTR FS:[0]
00344E0C 58             POP EAX
00344E0D 8BFC          MOV EDI,ESP
00344E0F 8DA5 A23F4100 LEA ESP,[EBP+413FA2]
00344E15 B9 21020100    MOV ECX,10221
00344E1A 8B85 43404100 MOV EAX,[EBP+414043]
00344E20 BB BDD89800    MOV EBX,98D8BD
00344E25 BE D5260000    MOV ESI,26D5
00344E2A 33D2          XOR EDX,EDX
00344E2C F7E6          MUL ESI
00344E2E 05 78563412    ADD EAX,12345678
00344E33 83D2 00       ADC EDX,0
00344E36 F7F3          DIV EBX
00344E38 58             POP EAX
00344E39 32C2          XOR AL,DL
00344E3B 50             PUSH EAX
00344E3C 4C             DEC ESP
00344E3D 8BC2          MOV EAX,EDX
00344E3F  ^ E2 E9          LOOPD SHORT 00344E2A ;解码00344E41
00344E41 8BE7          MOV ESP,EDI
00344E43 E8 5B030000    CALL 003451A3
00344E48 8B4C24 0C    MOV ECX,[ESP+C]
00344E4C EB 2B          JMP SHORT 00344E79

003451BF CC             INT3
003451C0 90             NOP

seh handle
00344E48 8B4C24 0C    MOV ECX,[ESP+C]

;取drx值解码

00344E48 MOV ECX,[ESP+C]                         ; ECX=0012FCD0
00344EA6 MOV EAX,[ECX+B0]                         ; EAX=004453DC
00344EAC MOV EDX,[ECX+4]                         ; EDX=00000000
00344EDC NOT AL                                  ; EAX=00445323
00344EF5 XOR AL,DL
00344EFE AND AX,0FF                               ; EAX=00440023
00344F2B ADD DX,AX                               ; EDX=00000023
00344F59 ROR DX,3                               ; EDX=00006004
00344F87 MOV [ECX+4],DX
00344FB5 XOR [ECX+8],DX
00344FE3 MOV DX,[ECX+8]
00345011 ROR DX,2                               ; EDX=00001801
0034503D ADD [ECX+C],DX
0034506C MOV DX,[ECX+C]
0034509B NOT DX                                  ; EDX=0000E7FE
003450C8 SUB DX,[ECX+10]
003450F8 ROR DX,1                               ; EDX=000073FF
0034511F XOR [ECX+4],DX
0034513A MOV [ECX+B0],EAX
0034516D INC DWORD PTR [ECX+B8]
003451A0 XOR EAX,EAX                            ; EAX=00000000
003451A2 RETN

003451A0 33C0          XOR EAX,EAX
003451A2 C3             RETN
003451A3 64:FF35 0000000>PUSH DWORD PTR FS:[0]
003451AA 64:8925 0000000>MOV FS:[0],ESP
003451B1 8DB5 29464000 LEA ESI,[EBP+404629] ;ESI=003456E8+51b=345C03
003451B7 B9 1B050000    MOV ECX,51B
003451BC 8A0431       MOV AL,[ECX+ESI]
003451BF CC             INT3
003451C0 90             NOP
003451C1 880431       MOV [ECX+ESI],AL
003451C4  ^ E2 F6          LOOPD SHORT 003451BC

EBP=FFF410BF

DR0 0FFF0123
DR1 0FFF4567
DR2 0FFF89AB
DR3 0FFFCDEF

;eax,edx 参与运算，不能使用
sub esp,c
mov [esp+4],0FFF0123
mov [esp+8],0FFF4567
mov [esp+c],0FFF89AB
mov [esp+10],0FFFCDEF
MOV EDX,[esp+4]
NOT AL
XOR AL,DL
AND AX,0FF
ADD DX,AX
ROR DX,3
MOV [esp+4],DX
XOR [esp+8],DX
MOV DX,[esp+8]
ROR DX,2
ADD [esp+C],DX
MOV DX,[esp+C]
NOT DX
SUB DX,[esp+10]
ROR DX,1
XOR [esp+4],DX
jmp back
add esp,10

0034514E  66 35 73 F7 EB 1D 83 C4 04 EB 02 75 75 FF 0C 24  f5s麟??uu?$

org
66 35 73 F7 EB 1D 83 C4 04 EB 02 75 75 FF 0C 24 71 01 79 79 E0 7A 01 75 83 C4 04 9D EB 01 75 FF
81 B8 00 00 00 9C 6A 03 73 0B EB 02 75 75 E8 06 00 00 00 66 35 73 F7 EB 1D 83 C4 04 EB 02 75 75
FF 0C 24 71 01 7F 79 E0 7A 01 78 83 C4 04 9D EB 01 75 33 C0 C3 64 FF 35 00 00 00 00 64 89 25 00
00 00 00 8D B5 29 46 40 00 B9 1B 05 00 00 8A 04

my code
83 EC 0C C7 44 24 04 23 01 FF 0F C7 44 24 08 67 45 FF 0F C7 44 24 0C AB 89 FF 0F C7 44 24 10 EF
CD FF 0F 8B 54 24 04 F6 D0 32 C2 66 25 FF 00 66 03 D0 66 C1 CA 03 66 89 54 24 04 66 31 54 24 08
66 8B 54 24 08 66 C1 CA 02 66 01 54 24 0C 66 8B 54 24 0C 66 F7 D2 66 2B 54 24 10 66 D1 CA 66 31
54 24 04 EB 0E

0034514E 83EC 0C          SUB ESP,0C
00345151 C74424 04 2301FF0F  MOV DWORD PTR [ESP+4],0FFF0123
00345159 C74424 08 6745FF0F  MOV DWORD PTR [ESP+8],0FFF4567
00345161 C74424 0C AB89FF0F  MOV DWORD PTR [ESP+C],0FFF89AB
00345169 C74424 10 EFCDFF0F  MOV DWORD PTR [ESP+10],0FFFCDEF
00345171 8B5424 04          MOV EDX,[ESP+4]
00345175 F6D0             NOT AL
00345177 32C2             XOR AL,DL
00345179 66:25 FF00       AND AX,0FF
0034517D 66:03D0          ADD DX,AX
00345180 66:C1CA 03       ROR DX,3
00345184 66:895424 04       MOV [ESP+4],DX
00345189 66:315424 08       XOR [ESP+8],DX
0034518E 66:8B5424 08       MOV DX,[ESP+8]
00345193 66:C1CA 02       ROR DX,2
00345197 66:015424 0C       ADD [ESP+C],DX
0034519C 66:8B5424 0C       MOV DX,[ESP+C]
003451A1 66:F7D2          NOT DX
003451A4 66:2B5424 10       SUB DX,[ESP+10]
003451A9 66:D1CA          ROR DX,1
003451AC 66:315424 04       XOR [ESP+4],DX
003451B1 EB 0E             JMP SHORT 003451C1
003451B3 90                NOP
003451B4 90                NOP
003451B5 90                NOP
003451B6 90                NOP
003451B7 B9 1B050000       MOV ECX,51B
003451BC 8A0431             MOV AL,[ECX+ESI]
003451BF  ^ EB B0             JMP SHORT 00345171
003451C1 880431             MOV [ECX+ESI],AL
003451C4  ^ E2 F6             LOOPD SHORT 003451BC

003456E8  59 8D BD 15 45 41 00 53 9C 6A 03 73 0B EB 02 75  Y?EA.S?s?u

decoded 003456E8
59 8D BD 15 45 41 00 53 9C 6A 03 73 0B EB 02 75 75 E8 06 00 00 00 66 35 73 F7 EB 1D 83 C4 04 EB
02 75 75 FF 0C 24 71 01 71 79 E0 7A 01 75 83 C4 04 9D EB 01 75 8A 03 EB 06 F6 D0 AA 43 8A 03 0A
C0 75 F6 AA 5B 8D BD 15 45 41 00 51 57 56 7C 05 EB 05 0F CD 20 74 F9 8D 85 AA 46 40 00 EB 02 0F
0F 50 E8 04 00 00 00 CD 20 E9 68 83 C4 04 8B 85 A3 3F 41 00 EB 04 C7 84 A3 C7 E9 38 EE 00 00 FF
FF 0F B6 4B FF 89 03 03 D9 43 59 49 0F 85 6F FF FF FF 8D B5 FC 42 41 00 68 00 FE 98 C7 50 E8 5D
00 00 00 EB FF 71 08 C2 50 00 EB D6 5E F3 68 89 74 24 48 74 24 58 FF 8D 74 24 58 5E 83 C6 4C 75
F4 59 8D 71 08 75 09 81 F6 EB FF 51 B9 01 00 83 EE FC 49 FF 71 08 75 19 8B 74 24 00 00 81 36 50
56 8B 36 EB FF 70 04 36 81 F6 EB 87 34 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00
58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 08 83 C0 01 EB FF
70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED 71 EB EB FA FF 83 C0 FC EB FF 70 ED 71 EB EB FA 08 83
C0 F8 EB FF 70 ED 71 EB EB FA FF 83 C0 18 EB FF 70 ED 71 EB EB FA 08 83 C0 04 EB FF 70 ED 71 EB
EB FA 71 83 C0 08 EB FF 70 ED 71 EB EB FA 71 83 C0 0C EB FF 70 ED 71 EB EB FA EB 83 C0 F8 EB FF
70 ED 71 EB EB FA FF 83 C0 EC EB FF 70 ED 71 EB EB FA EB 83 C0 F0 EB FF 70 ED 71 EB EB FA 71 83
C0 F8 EB FF 70 ED 71 EB EB FA 71 83 C0 14 EB FF 70 ED 71 EB EB FA EB 83 C0 10 EB FF 70 ED 71 EB
EB FA 08 83 C0 0C EB FF 70 ED 71 EB EB FA FF 83 C0 08 EB FF 70 ED 71 EB EB FA EB 83 C0 17 EB FF
70 ED 71 EB EB FA EB 56 7C 05 EB 05 0F CD 20 74 F9 8D 85 43 48 40 00 EB 02 0F 0F 50 E8 04 00 00
00 CD 20 E9 68 83 C4 04 8B 85 AB 3F 41 00 EB 04 C7 84 A3 C7 E9 9E EC 00 00 68 0B C0 75 34 56 7C
05 EB 05 0F CD 20 74 F9 8D 85 7B 48 40 00 EB 02 0F 0F 50 E8 04 00 00 00 CD 20 E9 68 83 C4 04 8B
85 A7 3F 41 00 EB 04 C7 84 A3 C7 E9 67 EC 00 00 FF FF 8B F0 8D 9D 08 43 41 00 B9 04 00 00 00 8D
BD 15 45 41 00 53 8A 03 EB 06 F6 D0 AA 43 8A 03 0A C0 75 F6 AA 5B 8D BD 15 45 41 00 51 57 56 7C
05 EB 05 0F CD 20 74 F9 8D 85 DB 48 40 00 EB 02 0F 0F 50 E8 04 00 00 00 CD 20 E9 68 83 C4 04 8B
85 A3 3F 41 00 EB 04 C7 84 A3 C7 E9 07 EC 00 00 FF FF 0F B6 4B FF 89 03 03 D9 43 59 E2 A1 8D B5
25 43 41 00 68 00 FE 98 C7 50 E8 5D 00 00 00 EB FF 71 08 C2 50 00 EB D6 5E F3 68 89 74 24 48 74
24 58 FF 8D 74 24 58 5E 83 C6 4C 75 F4 59 8D 71 08 75 09 81 F6 EB FF 51 B9 01 00 83 EE FC 49 FF
71 08 75 19 8B 74 24 00 00 81 36 50 56 8B 36 EB FF 70 04 36 81 F6 EB 87 34 24 8B 8B 04 24 83 EC
FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0
EB FF D0 EB FF 71 08 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED 71 EB EB FA FF 83
C0 FC EB FF 70 ED 71 EB EB FA 08 83 C0 F8 EB FF 70 ED 71 EB EB FA FF 83 C0 18 EB FF 70 ED 71 EB
EB FA 08 83 C0 04 EB FF 70 ED 71 EB EB FA 71 83 C0 08 EB FF 70 ED 71 EB EB FA 71 83 C0 0C EB FF
70 ED 71 EB EB FA EB 83 C0 F8 EB FF 70 ED 71 EB EB FA FF 83 C0 EC EB FF 70 ED 71 EB EB FA EB 83
C0 F0 EB FF 70 ED 71 EB EB FA 71 83 C0 F8 EB FF 70 ED 71 EB EB FA 71 83 C0 14 EB FF 70 ED 71 EB
EB FA EB 83 C0 10 EB FF 70 ED 71 EB EB FA 08 83 C0 0C EB FF 70 ED 71 EB EB FA FF 83 C0 08 EB FF
70 ED 71 EB EB FA EB 83 C0 17 EB FF 70 ED 71 EB EB FA EB 56 7C 05 EB 05 0F CD 20 74 F9 8D 85 6F
4A 40 00 EB 02 0F 0F 50 E8 04 00 00 00 CD 20 E9 68 83 C4 04 8B 85 AB 3F 41 00 EB 04 C7 84 A3 C7
E9 72 EA 00 00 68 0B C0 75 34 56 7C 05 EB 05 0F CD 20 74 F9 8D 85 A7 4A 40 00 EB 02 0F 0F 50 E8
04 00 00 00 CD 20 E9 68 83 C4 04 8B 85 A7 3F 41 00 EB 04 C7 84 A3 C7 E9 3B EA 00 00 FF FF 8B F0
8D 9D 33 43 41 00 6A 08 59 8D BD 15 45 41 00 53 8A 03 EB 06 F6 D0 AA 43 8A 03 0A C0 75 F6 AA 5B
8D BD 15 45 41 00 51 57 56 7C 05 EB 05 0F CD 20 74 F9 8D 85 05 4B 40 00 EB 02 0F 0F 50 E8 04 00
00 00 CD 20 E9 68 83 C4 04 8B 85 A3 3F 41 00 EB 04 C7 84 A3 C7 E9 DD E9 00 00 FF FF 0F B6 4B FF
89 03 03 D9 43 59 E2 A1 6A 02 6A FF 7C 05 EB 05 0F CD 20 74 F9 8D 85 48 4B 40 00 EB 02 0F 0F 50
E8 04 00 00 00 CD 20 E9 68 83 C4 04 8B 85 74 42 41 00 EB 04 C7 84 A3 C7 E9 9A E9 00 00 FF FF 50

;处理api函数,先sm,后比较api头
0035459F    6A 00             PUSH 0
003545A1    50                PUSH EAX
003545A2    8B85 D8484100    MOV EAX,[EBP+4148D8]
003545A8    68 00FE2FC7       PUSH C72FFE00

;比较api头机器码
00354703 FFE0             JMP EAX
00354705 60                PUSHAD
00354706 8B7C24 24          MOV EDI,[ESP+24]
0035470A 8B7424 28          MOV ESI,[ESP+28]
0035470E 66:8B06          MOV AX,[ESI]
00354711 66:3D 558B       CMP AX,8B55
00354715 75 4B             JNZ SHORT 00354762
00354717 807E 02 EC       CMP BYTE PTR [ESI+2],0EC

00354ADD 3C CC             CMP AL,0CC ;int3
00354ADF 75 05             JNZ SHORT 00354AE6
00354AE1 E9 1A120000       JMP 00355D00
00354AE6 66:3D CD03       CMP AX,3CD ;int3
00354AEA 75 05             JNZ SHORT 00354AF1
00354AEC E9 0F120000       JMP 00355D00

;循环取api地址
00345512    0FB64B FF          MOVZX ECX,BYTE PTR [EBX-1]
00345516    8903             MOV [EBX],EAX
00345518    03D9             ADD EBX,ECX
0034551A    43                INC EBX
0034551B    59                POP ECX
0034551C    ^ E2 A2             LOOPD SHORT 003454C0
0034551E    8DB5 4B404100    LEA ESI,[EBP+41404B]

SetThreadPriority

DS:[00400150]=003DCBE2
EAX=00400100 (main.00400100), ASCII "PE"

SS:[00355092]=00026680
EAX=003DCBE2

00345F69       8B85 D8414100          MOV EAX,[EBP+4141D8]                   ; KERNEL32.GetProcessHeap
00345F6F       EB 04                   JMP SHORT 00345F75
...
00345F7B

0034602B       8DB5 D2444100          LEA ESI,[EBP+4144D2] ;esi=00355591

00355591  25 68 0E AC 6C D3 FD 15 B3 BC B6 94 7F B0 C2 8B  %h?育臣?奥
org
25 68 0E AC 6C D3 FD 15 B3 BC B6 94 7F B0 C2 8B EB 5A CF DB F6 5F 28 B4 E1 47 79 CB 97 3C 0C 58
uncode
DA 97 F1 53 93 2C 02 EA 4C 43 49 6B 80 4F 3D 74 14 A5 30 24 09 A0 D7 4B 1E B8 86 34 68 C3 F3 A7

;循环createfile \\.\ntice
0034628D       51                      PUSH ECX
0034628E       56                      PUSH ESI
0034628F       AC                      LODS BYTE PTR [ESI]
00346290       EB 06                   JMP SHORT 00346298
00346292       F6D0                   NOT AL
00346294       8846 FF                MOV [ESI-1],AL
00346297       AC                      LODS BYTE PTR [ESI]
00346298       0AC0                   OR AL,AL
0034629A    ^ 75 F6                   JNZ SHORT 00346292
0034629C       5E                      POP ESI
0034629D       6A 00                   PUSH 0
0034629F       68 80000000             PUSH 80
003462A4       6A 03                   PUSH 3
003462A6       6A 00                   PUSH 0
003462A8       6A 03                   PUSH 3
003462AA       68 000000C0             PUSH C0000000
003462AF       EB 2B                   JMP SHORT 003462DC
003462B1       66:35 7878             XOR AX,7878
003462B5       66:35 7878             XOR AX,7878
003462B9       66:35 7878             XOR AX,7878
003462BD       66:35 7878             XOR AX,7878
003462C1       66:35 7878             XOR AX,7878
003462C5       66:35 7878             XOR AX,7878
003462C9       66:35 7878             XOR AX,7878
003462CD       66:35 7878             XOR AX,7878
003462D1       66:35 7878             XOR AX,7878
003462D5       66:35 7878             XOR AX,7878
003462D9       0000                   ADD [EAX],AL
003462DB       90                      NOP
003462DC       56                      PUSH ESI
003462DD       7C 05                   JL SHORT 003462E4
003462DF       EB 05                   JMP SHORT 003462E6
003462E1       0FCD                   BSWAP EBP
003462E3       2074F9 8D             AND [ECX+EDI*8-73],DH
003462E7       8550 52                TEST [EAX+52],EDX
003462EA       40                      INC EAX
003462EB       00EB                   ADD BL,CH
003462ED       020F                   ADD CL,[EDI]
003462EF       0F50E8                MOVMSKPS EBP,XMM0
003462F2       04 00                   ADD AL,0
003462F4       0000                   ADD [EAX],AL
003462F6       CD 20                   INT 20
003462F8    - E9 6883C404             JMP 04F8E665
003462FD       8B85 16414100          MOV EAX,[EBP+414116]
00346303       EB 04                   JMP SHORT 00346309
00346305       C784A3 C7E991E2 0000CD50 MOV DWORD PTR [EBX+E291E9C7],50CD0000
00346310       52                      PUSH EDX
00346311       51                      PUSH ECX
00346312       EB 01                   JMP SHORT 00346315
00346314       E8 0F318BC8             CALL C8BF9428
00346319       E8 03000000             CALL 00346321
0034631E       CD 20                   INT 20
00346320       D6                      SALC
00346321       83C4 04                ADD ESP,4
00346324       E8 38000000             CALL 00346361
00346329       EB 03                   JMP SHORT 0034632E
0034632B       CD 20                   INT 20
0034632D    - E9 EB020F0F             JMP 0F43661D
00346332       E8 46000000             CALL 0034637D
00346337       7C 03                   JL SHORT 0034633C
00346339       EB 03                   JMP SHORT 0034633E
0034633B       0F74FB                PCMPEQB MM7,MM3
0034633E       EB 03                   JMP SHORT 00346343
00346340       C784C7 E8020000 000F350F MOV DWORD PTR [EDI+EAX*8+2E8],0F350F00
0034634B       3183 C4042BC1          XOR [EBX+C12B04C4],EAX
00346351       3D 00000200             CMP EAX,20000
00346356       EB 04                   JMP SHORT 0034635C
00346358       83C4 0C                ADD ESP,0C
0034635B       C3                      RETN
0034635C       59                      POP ECX
0034635D       5A                      POP EDX
0034635E       58                      POP EAX
0034635F       EB 30                   JMP SHORT 00346391
00346361       EB 01                   JMP SHORT 00346364
00346363       E8 68C21000             CALL 004525D0                         ; main.004525D0
00346368       00E8                   ADD AL,CH
0034636A       0100                   ADD [EAX],EAX
0034636C       0000                   ADD [EAX],AL
0034636E    - E9 6824080E             JMP 0E3C87DB
00346373       68 68909083             PUSH 83909068
00346378       44                      INC ESP
00346379       FFE4                   JMP ESP
0034637B       E8 C3E80300             CALL 00384C43
00346380       0000                   ADD [EAX],AL
00346382       C78400 58EB01E9 83C00750 MOV DWORD PTR [EAX+EAX+E901EB58],5007C08>
0034638D       C3                      RETN
0034638E       FF35 C383F8FF          PUSH DWORD PTR [FFF883C3]
00346394       74 05                   JE SHORT 0034639B
00346396       E9 65F90000             JMP 00355D00
0034639B       56                      PUSH ESI
0034639C       AC                      LODS BYTE PTR [ESI]
0034639D       EB 06                   JMP SHORT 003463A5
0034639F       F6D0                   NOT AL
003463A1       8846 FF                MOV [ESI-1],AL
003463A4       AC                      LODS BYTE PTR [ESI]
003463A5       0AC0                   OR AL,AL
003463A7    ^ 75 F6                   JNZ SHORT 0034639F
003463A9       5E                      POP ESI
003463AA       59                      POP ECX
003463AB       0FB646 FF             MOVZX EAX,BYTE PTR [ESI-1]
003463AF       03F0                   ADD ESI,EAX
003463B1       46                      INC ESI
003463B2       49                      DEC ECX
003463B3       50                      PUSH EAX
003463B4       52                      PUSH EDX
003463B5       51                      PUSH ECX
003463B6       EB 01                   JMP SHORT 003463B9
003463B8       E8 0F318BC8             CALL C8BF94CC
003463BD       E8 03000000             CALL 003463C5
003463C2       CD 20                   INT 20
003463C4       D6                      SALC
003463C5       83C4 04                ADD ESP,4
003463C8       E8 38000000             CALL 00346405
003463CD       EB 03                   JMP SHORT 003463D2
003463CF       CD 20                   INT 20
003463D1    - E9 EB020F0F             JMP 0F4366C1
003463D6       E8 46000000             CALL 00346421
003463DB       7C 03                   JL SHORT 003463E0
003463DD       EB 03                   JMP SHORT 003463E2
003463DF       0F74FB                PCMPEQB MM7,MM3
003463E2       EB 03                   JMP SHORT 003463E7
003463E4       C784C7 E8020000 000F350F MOV DWORD PTR [EDI+EAX*8+2E8],0F350F00
003463EF       3183 C4042BC1          XOR [EBX+C12B04C4],EAX
003463F5       3D 00000200             CMP EAX,20000
003463FA       EB 04                   JMP SHORT 00346400
003463FC       83C4 0C                ADD ESP,0C
003463FF       C3                      RETN
00346400       59                      POP ECX
00346401       5A                      POP EDX
00346402       58                      POP EAX
00346403       EB 30                   JMP SHORT 00346435
00346405       EB 01                   JMP SHORT 00346408
00346407       E8 68C21000             CALL 00452674                         ; main.00452674
0034640C       00E8                   ADD AL,CH
0034640E       0100                   ADD [EAX],EAX
00346410       0000                   ADD [EAX],AL
00346412    - E9 6824080E             JMP 0E3C887F
00346417       68 68909083             PUSH 83909068
0034641C       44                      INC ESP
0034641D       FFE4                   JMP ESP
0034641F       E8 C3E80300             CALL 00384CE7
00346424       0000                   ADD [EAX],AL
00346426       C78400 58EB01E9 83C00750 MOV DWORD PTR [EAX+EAX+E901EB58],5007C08>
00346431       C3                      RETN
00346432       FF35 C30BC90F          PUSH DWORD PTR [FC90BC3]
...
00346435       0BC9                   OR ECX,ECX ;ecx=0循环结束
00346437    ^ 0F85 50FEFFFF          JNZ 0034628D

/////////////////////////////////////////////////////////////////////
SetThreadPrior>  55                      PUSH EBP
77E8B8AC       8BEC                   MOV EBP,ESP
77E8B8AE       8B45 0C                MOV EAX,[EBP+C]
77E8B8B1       83F8 0F                CMP EAX,0F
77E8B8B4       8945 0C                MOV [EBP+C],EAX
77E8B8B7       75 09                   JNZ SHORT 77E8B8C2                      ; 77E8B8C2
77E8B8B9       C745 0C 10000000       MOV DWORD PTR [EBP+C],10
77E8B8C0       EB 0C                   JMP SHORT 77E8B8CE                      ; 77E8B8CE
77E8B8C2       83F8 F1                CMP EAX,-0F
77E8B8C5       75 07                   JNZ SHORT 77E8B8CE                      ; 77E8B8CE
77E8B8C7       C745 0C F0FFFFFF       MOV DWORD PTR [EBP+C],-10
77E8B8CE       8D45 0C                LEA EAX,[EBP+C]
77E8B8D1       6A 04                   PUSH 4
77E8B8D3       50                      PUSH EAX
77E8B8D4       6A 03                   PUSH 3
77E8B8D6       FF75 08                PUSH DWORD PTR [EBP+8]
77E8B8D9       FF15 4C13E677          CALL [77E6134C]                         ; ntdll.ZwSetInformationThread
77E8B8DF       85C0                   TEST EAX,EAX
77E8B8E1       7D 0A                   JGE SHORT 77E8B8ED                      ; 77E8B8ED
77E8B8E3       50                      PUSH EAX
77E8B8E4       E8 50C9FDFF             CALL 77E68239                         ; 77E68239
77E8B8E9       33C0                   XOR EAX,EAX
77E8B8EB       EB 03                   JMP SHORT 77E8B8F0                      ; 77E8B8F0
77E8B8ED       6A 01                   PUSH 1
77E8B8EF       58                      POP EAX
77E8B8F0       5D                      POP EBP
77E8B8F1       C2 0800                RETN 8

77E8B8D9       FF15 4C13E677          CALL [77E6134C]                         ; ntdll.ZwSetInformationThread
77E8B8DF       85C0                   TEST EAX,EAX
77E8B8E1       7D 0A                   JGE SHORT 77E8B8ED                      ; 77E8B8ED
77E8B8E3       50                      PUSH EAX

77E8B8D9       FF15 4C13E677          CALL [77E6134C]                         ; ntdll.ZwSetInformationThread
77E8B8DF       33C0                   XOR EAX,EAX
77E8B8E1       F7F0                   DIV EAX
77E8B8E3       50                      PUSH EAX
/////////////////////////////////////////////////////////////////////

NTSTATUS
  ZwSetInformationThread(
IN HANDLE  ThreadHandle,
IN THREADINFOCLASS  ThreadInformationClass,
IN PVOID  ThreadInformation,
IN ULONG  ThreadInformationLength
);

;ZwSetInformationThread函数参数
00347088          6A 00                   PUSH 0
0034708A          6A 00                   PUSH 0
0034708C          6A 11                   PUSH 11
0034708E          6A FE                   PUSH -2
00347090          8D85 E05F4000          LEA EAX,[EBP+405FE0]
00347096          50                      PUSH EAX
00347097          8BC7                   MOV EAX,EDI
00347099          E9 A5DA0000             JMP 00354B43

;特殊照顾ZwSetInformationThread函数
00354B43          6A 00                   PUSH 0
00354B45          50                      PUSH EAX
00354B46          8B85 D8484100          MOV EAX,[EBP+4148D8]
00354B4C          68 00FE2FC7             PUSH C72FFE00
00354B51          50                      PUSH EAX
00354B52          E8 5D000000             CALL 00354BB4

出来地址
0012FF90 0034709F

77FC5A3A    C2 0000                RETN 0
77FC5A3D    C3                      RETN

00354CBA    803E C2                CMP BYTE PTR [ESI],0C2 ;retn x
00354CBD    0F84 3D100000          JE 00355D00
00354CC3    803E C3                CMP BYTE PTR [ESI],0C3 ;retn

00354CB1    60                      PUSHAD
00354CB2    8B7C24 24             MOV EDI,[ESP+24]
00354CB6    8B7424 28             MOV ESI,[ESP+28]
00354CBA    803E C2                CMP BYTE PTR [ESI],0C2
00354CBD    0F84 3D100000          JE 00355D00
00354CC3    803E C3                CMP BYTE PTR [ESI],0C3
00354CC6    0F84 34100000          JE 00355D00
00354CCC    8A06                   MOV AL,[ESI]
00354CCE    3C B8                   CMP AL,0B8
00354CD0    75 04                   JNZ SHORT 00354CD6
00354CD2    A4                      MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
00354CD3    A5                      MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
00354CD4    EB 33                   JMP SHORT 00354D09
00354CD6    3C 8D                   CMP AL,8D
00354CD8    75 03                   JNZ SHORT 00354CDD
00354CDA    A5                      MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
00354CDB    EB 2C                   JMP SHORT 00354D09
00354CDD    3C CD                   CMP AL,0CD
00354CDF    75 04                   JNZ SHORT 00354CE5
00354CE1    66:A5                   MOVS WORD PTR ES:[EDI],WORD PTR [ESI]
00354CE3    EB 24                   JMP SHORT 00354D09
00354CE5    3C BA                   CMP AL,0BA
00354CE7    75 04                   JNZ SHORT 00354CED
00354CE9    A4                      MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
00354CEA    A5                      MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
00354CEB    EB 1C                   JMP SHORT 00354D09
00354CED    3C FF                   CMP AL,0FF
00354CEF    75 04                   JNZ SHORT 00354CF5
00354CF1    66:A5                   MOVS WORD PTR ES:[EDI],WORD PTR [ESI]
00354CF3    EB 14                   JMP SHORT 00354D09
00354CF5    3C C2                   CMP AL,0C2
00354CF7    75 0A                   JNZ SHORT 00354D03
00354CF9    A4                      MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
00354CFA    66:A5                   MOVS WORD PTR ES:[EDI],WORD PTR [ESI]
00354CFC    61                      POPAD
00354CFD    33C0                   XOR EAX,EAX
00354CFF    40                      INC EAX
00354D00    C2 0C00                RETN 0C
00354D03    61                      POPAD
00354D04    33C0                   XOR EAX,EAX
00354D06    C2 0C00                RETN 0C

;用到GetProcessHeap漏洞解码的数据,地址00355591
00352E70    55                      PUSH EBP
00352E71    8BEC                   MOV EBP,ESP
00352E73    83C4 FC                ADD ESP,-4
00352E76    60                      PUSHAD
00352E77    8B7D 10                MOV EDI,[EBP+10]
00352E7A    8B75 08                MOV ESI,[EBP+8]
00352E7D    8B5D 0C                MOV EBX,[EBP+C]
00352E80    D1EB                   SHR EBX,1
00352E82    EB 41                   JMP SHORT 00352EC5
00352E84    53                      PUSH EBX
00352E85    33DB                   XOR EBX,EBX
00352E87    66:C745 FE 0000       MOV WORD PTR [EBP-2],0
00352E8D    EB 25                   JMP SHORT 00352EB4
00352E8F    66:8B16                MOV DX,[ESI]
00352E92    66:23145F             AND DX,[EDI+EBX*2] ;edi=00355591
00352E96    B9 10000000             MOV ECX,10
00352E9B    33C0                   XOR EAX,EAX
00352E9D    66:D1E2                SHL DX,1
00352EA0    73 01                   JNB SHORT 00352EA3
00352EA2    40                      INC EAX
00352EA3 ^ E2 F8                   LOOPD SHORT 00352E9D
00352EA5    66:83E0 01             AND AX,1
00352EA9    66:8BCB                MOV CX,BX
00352EAC    66:D3E0                SHL AX,CL
00352EAF    66:0145 FE             ADD [EBP-2],AX
00352EB3    43                      INC EBX
00352EB4    83FB 10                CMP EBX,10
00352EB7 ^ 72 D6                   JB SHORT 00352E8F
00352EB9    5B                      POP EBX
00352EBA    66:8B45 FE             MOV AX,[EBP-2]
00352EBE    66:8906                MOV [ESI],AX
00352EC1    83C6 02                ADD ESI,2
00352EC4    4B                      DEC EBX
00352EC5    0BDB                   OR EBX,EBX
00352EC7 ^ 75 BB                   JNZ SHORT 00352E84
00352EC9    61                      POPAD
00352ECA    C9                      LEAVE
00352ECB    C2 0C00                RETN 0C

解码程序内容
00347285    E8 E6BB0000             CALL 00352E70

VirtualAlloc

007C317B 56                   PUSH ESI
007C317C 57                   PUSH EDI
007C317D 53                   PUSH EBX
007C317E 55                   PUSH EBP
007C317F 8B7424 14          MOV ESI,[ESP+14]
007C3183 8B7C24 18          MOV EDI,[ESP+18]
007C3187 8B6E 08             MOV EBP,[ESI+8]
007C318A 8B46 04             MOV EAX,[ESI+4]
007C318D 8B36                MOV ESI,[ESI]
007C318F 6A 04                PUSH 4
007C3191 68 00100000          PUSH 1000
007C3196 FF36                PUSH DWORD PTR [ESI]
007C3198 6A 00                PUSH 0
007C319A FFD0                CALL EAX ;KERNEL32.VirtualAlloc
007C319C 8BD8                MOV EBX,EAX
007C319E 50                   PUSH EAX
007C319F 54                   PUSH ESP
007C31A0 FF76 04             PUSH DWORD PTR [ESI+4]
007C31A3 57                   PUSH EDI
007C31A4 FF76 08             PUSH DWORD PTR [ESI+8]
007C31A7 8D46 0F             LEA EAX,[ESI+F]
007C31AA 50                   PUSH EAX
007C31AB 0FB646 0C          MOVZX EAX,BYTE PTR [ESI+C]
007C31AF 50                   PUSH EAX
007C31B0 0FB646 0D          MOVZX EAX,BYTE PTR [ESI+D]
007C31B4 50                   PUSH EAX
007C31B5 0FB646 0E          MOVZX EAX,BYTE PTR [ESI+E]
007C31B9 50                   PUSH EAX
007C31BA FF36                PUSH DWORD PTR [ESI]
007C31BC 53                   PUSH EBX
007C31BD E8 94010000          CALL 007C3356
007C31C2 83C4 28             ADD ESP,28
007C31C5 85C0                TEST EAX,EAX
007C31C7 58                   POP EAX
007C31C8 74 03                JE SHORT 007C31CD
007C31CA 33C0                XOR EAX,EAX
007C31CC 48                   DEC EAX
007C31CD 50                   PUSH EAX
007C31CE 68 00400000          PUSH 4000
007C31D3 FF36                PUSH DWORD PTR [ESI]
007C31D5 53                   PUSH EBX
007C31D6 FFD5                CALL EBP
007C31D8 58                   POP EAX
007C31D9 5D                   POP EBP
007C31DA 5B                   POP EBX
007C31DB 5F                   POP EDI
007C31DC 5E                   POP ESI
007C31DD C2 0800             RETN 8

copy

VirtualFree

;用GetProcessHeap内容解码 ESI=007429A8

KERNEL32.VirtualAlloc

;再解码
007C317B 56                   PUSH ESI

;复制到main.exe里
00347B45 F3:A5                REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>

VirtualFree

date

;处理iat

00347E6C                58                   POP EAX
00347E6D                EB 04                JMP SHORT 00347E73
00347E6F                C7840F C7F6D0E8 03000>MOV DWORD PTR [EDI+ECX+E8D0F6C7],3
00347E7A                CD 20                INT 20
00347E7C                A1 83C40450          MOV EAX,[5004C483]
00347E81                EB 04                JMP SHORT 00347E87
00347E83                CD 20                INT 20
00347E85                B6 DF                MOV DH,0DF
00347E87                44                   INC ESP
00347E88                EB 03                JMP SHORT 00347E8D
00347E8A                CD 20                INT 20
00347E8C                B6 E2                MOV DH,0E2
00347E8E                DD87 E66A0468       FLD QWORD PTR [EDI+68046AE6]

;00347E8D             ^\E2 DD                LOOPD SHORT 00347E6C

00349627          8907             MOV [EDI],EAX ; ADVAPI32.RegOpenKeyExA 保存api地址
00349629          5A                POP EDX
0034962A          0FB642 FF       MOVZX EAX,BYTE PTR [EDX-1]
0034962E          03D0             ADD EDX,EAX
00349630          42                INC EDX
00349631          59                POP ECX
00349632          49                DEC ECX
00349633       ^ 0F85 B1F9FFFF    JNZ 00348FEA ;循环处理api函数
00349639          E9 11420000       JMP 0034D84F

00348A53          0BFF             OR EDI,EDI ;比较处理的个数
00348A55          75 05             JNZ SHORT 00348A5C
00348A57          E9 F84D0000       JMP 0034D854 ;结束iat循环

;filemap
0034EC88          8985 C73F4100    MOV [EBP+413FC7],EAX
0034EC8E          6A 00             PUSH 0
0034EC90          6A 00             PUSH 0
0034EC92          6A 00             PUSH 0
0034EC94          6A 04             PUSH 4
0034EC96          FFB5 C73F4100    PUSH DWORD PTR [EBP+413FC7]
0034EC9C          8D85 F7DB4000    LEA EAX,[EBP+40DBF7]

ntdll.ZwQueryInformationProcess

0034DCE6 8BB5 5B444100 MOV ESI,[EBP+41445B]
0034DCEC 50             PUSH EAX
0034DCED 8BC4          MOV EAX,ESP
0034DCEF E9 4A010000    JMP 0034DE3E

ZwQueryInformationProcess
0012FF88 0034E0F3
0012FF8C FFFFFFFF
0012FF90 00000007
0012FF94 0012FFA0
0012FF98 00000004
0012FF9C 00000000

0034E242 58             POP EAX
0034E243 0BC0          OR EAX,EAX
0034E245 0F84 61010000 JE 0034E3AC ;正确等于0,跳
0034E24B 0F31          RDTSC
0034E24D 25 FF0F0000    AND EAX,0FFF
0034E252 05 00100000    ADD EAX,1000
0034E257 E9 4A010000    JMP 0034E3A6

0034E3A6 8985 D4474100 MOV [EBP+4147D4],EAX ;错误的长度
0034E3AC 33C9          XOR ECX,ECX
0034E3AE FEC5          INC CH
0034E3B0 2BE1          SUB ESP,ECX
0034E3B2 E9 4A010000    JMP 0034E501

修正代码段里的call,jmp
0034F307          66:8B06          MOV AX,[ESI]
0034F30A          3C E8             CMP AL,0E8
0034F30C          0F85 C0010000    JNZ 0034F4D2
0034F312          8B46 01          MOV EAX,[ESI+1]
0034F315          C1C0 08          ROL EAX,8
0034F318          3A85 4F474100    CMP AL,[EBP+41474F] ;SS:[0035580E]=D1
0034F31E          0F85 A3010000    JNZ 0034F4C7
0034F324          6A 00             PUSH 0
0034F326          EB 15             JMP SHORT 0034F33D
...
0034F86B          0283 C60583E9    ADD AL,[EBX+E98305C6]
0034F871          05 464981F9       ADD EAX,F9814946
0034F876          0000             ADD [EAX],AL
0034F878          0080 0F8287FA    ADD [EAX+FA87820F],AL
0034F87E          FFFF             ???                                           ; Unknown command

//////////////////////////////////////////////////////////////////////
;不偷取api函数头，直接执行api函数

0035459F 6A 00          PUSH 0
003545A1 50             PUSH EAX
003545A2 8B85 D8484100 MOV EAX,[EBP+4148D8]
003545A8 68 00FE2FC7    PUSH C72FFE00
003545AD 50             PUSH EAX
003545AE E8 5D000000    CALL 00354610

0035459F FFE0          JMP EAX
003545A1 50             PUSH EAX
003545A2 8B85 D8484100 MOV EAX,[EBP+4148D8]
003545A8 68 00FE2FC7    PUSH C72FFE00
003545AD 50             PUSH EAX
003545AE E8 5D000000    CALL 00354610

00354B43 6A 00          PUSH 0
00354B45 50             PUSH EAX
00354B46 8B85 D8484100 MOV EAX,[EBP+4148D8]
00354B4C 68 00FE2FC7    PUSH C72FFE00
00354B51 50             PUSH EAX
00354B52 E8 5D000000    CALL 00354BB4

00354B43 FFE0          JMP EAX
00354B45 50             PUSH EAX
00354B46 8B85 D8484100 MOV EAX,[EBP+4148D8]
00354B4C 68 00FE2FC7    PUSH C72FFE00
00354B51 50             PUSH EAX
00354B52 E8 5D000000    CALL 00354BB4

//////////////////////////////////////////////////////////////////////
;处理iat表的api函数
00354705 60                            PUSHAD
00354706 8B7C24 24                   MOV EDI,[ESP+24]
0035470A 8B7424 28                   MOV ESI,[ESP+28]
0035470E 66:8B06                      MOV AX,[ESI]
00354711 66:3D 558B                   CMP AX,8B55
00354715 75 4B                         JNZ SHORT 00354762
00354717 807E 02 EC                   CMP BYTE PTR [ESI+2],0EC
0035471B 75 45                         JNZ SHORT 00354762
0035471D 66:817E 03 83C4             CMP WORD PTR [ESI+3],0C483

00347D10 8DB5 206E4000                LEA ESI,[EBP+406E20] ;ESI=00347EDF esp解码
00347E67 B9 45990000                   MOV ECX,9945

00347E8D  ^\E2 DD                         LOOPD SHORT 00347E6C
00347E8F 87E6                         XCHG ESI,ESP
00347E91 6A 04                         PUSH 4
00347E93 68 00100000                   PUSH 1000
00347E98 68 00200000                   PUSH 2000
00347E9D 6A 00                         PUSH 0
00347E9F 7C 05                         JL SHORT 00347EA6

00347D10 LEA ESI,[EBP+406E20] ;ESI=00347EDF esp解码

iat addr
0071E1A4 - 0071E9E8

0071E9E8 - 0071E1A4 = 844 / 4 = 211

145
169
16a

60 B8 A4 E1 71 00 B9 11 02 00 00 51 66 81 78 02 45 01 74 21 90 90 90 90 66 81 78 02 69 01 74 15
90 90 90 90 66 81 78 02 6A 01 74 09 90 90 90 90 EB 17 90 90 90 50 8B 30 8B 7E 1C 8B 76 09 33 FE
8B 47 01 8B 3C 24 89 07 58 83 C0 04 59 E2 BC 61

0035D737 60                   PUSHAD
0035D738 B8 A4E17100          MOV EAX,71E1A4
0035D73D B9 11020000          MOV ECX,211
0035D742 51                   PUSH ECX
0035D743 66:8178 02 4501    CMP WORD PTR [EAX+2],145
0035D749 74 21                JE SHORT 0035D76C
0035D74B 90                   NOP
0035D74C 90                   NOP
0035D74D 90                   NOP
0035D74E 90                   NOP
0035D74F 66:8178 02 6901    CMP WORD PTR [EAX+2],169
0035D755 74 15                JE SHORT 0035D76C
0035D757 90                   NOP
0035D758 90                   NOP
0035D759 90                   NOP
0035D75A 90                   NOP
0035D75B 66:8178 02 6A01    CMP WORD PTR [EAX+2],16A
0035D761 74 09                JE SHORT 0035D76C
0035D763 90                   NOP
0035D764 90                   NOP
0035D765 90                   NOP
0035D766 90                   NOP
0035D767 EB 17                JMP SHORT 0035D780
0035D769 90                   NOP
0035D76A 90                   NOP
0035D76B 90                   NOP
0035D76C 50                   PUSH EAX
0035D76D 8B30                MOV ESI,[EAX]
0035D76F 8B7E 1C             MOV EDI,[ESI+1C]
0035D772 8B76 09             MOV ESI,[ESI+9]
0035D775 33FE                XOR EDI,ESI
0035D777 8B47 01             MOV EAX,[EDI+1]
0035D77A 8B3C24             MOV EDI,[ESP]
0035D77D 8907                MOV [EDI],EAX
0035D77F 58                   POP EAX
0035D780 83C0 04             ADD EAX,4
0035D783 59                   POP ECX
0035D784  ^ E2 BC                LOOPD SHORT 0035D742
0035D786 61                   POPAD

/////////////////////////////////////////////////////////////////////
0034FFD2    E8 2E470000          CALL 00354705 ;WSASend保存在00355897
0034FFD7    6A 00                PUSH 0
0034FFD9    FFB5 11434100       PUSH DWORD PTR [EBP+414311]
0034FFDF    8D85 18484100       LEA EAX,[EBP+414818]
0034FFE5    50                   PUSH EAX
0034FFE6    E8 1A470000          CALL 00354705 ;WSARecv保存在003558D7
0034FFEB    8D85 1D464100       LEA EAX,[EBP+41461D]
0034FFF1    50                   PUSH EAX
0034FFF2    33C0                XOR EAX,EAX

0035007E    8985 60474100       MOV [EBP+414760],EAX
00350084    8BF8                MOV EDI,EAX
00350086    8DB5 29464100       LEA ESI,[EBP+414629]
0035008C    B9 0A000000          MOV ECX,0A
00350091    F3:A4                REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]

/////////////////////////////////////////////////////////////////////

; Address=003506D6
; Message=Access violation when reading [FFFFFFFF]

003506C6    64:FF35 00000000    PUSH DWORD PTR FS:[0]
003506CD    64:8925 00000000    MOV FS:[0],ESP
003506D4    33C0                XOR EAX,EAX
003506D6    CD 01                INT 1
003506D8    40                   INC EAX
003506D9    40                   INC EAX
003506DA    0BC0                OR EAX,EAX
003506DC    64:8F05 00000000    POP DWORD PTR FS:[0]
003506E3    58                   POP EAX
003506E4    0F84 16560000       JE 00355D00

0012FF94    31C9             XOR ECX,ECX
0012FF96    890E             MOV [ESI],ECX
0012FF98    83C6 04          ADD ESI,4
0012FF9B    8933             MOV [EBX],ESI
0012FF9D    0FB70E          MOVZX ECX,WORD PTR [ESI]
0012FFA0    46             INC ESI
0012FFA1    46             INC ESI
0012FFA2    C3             RETN

;debugstrings
00351796    812E 01010101    SUB DWORD PTR [ESI],1010101

;取壳hash
00351B7D    8DB5 831E4000    LEA ESI,[EBP+401E83] ;ESI=00342F42 - 00355062
00351B83    EB 15          JMP SHORT 00351B9A
00351B85    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351B8F    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351B99    90             NOP
00351B9A    B9 20210100    MOV ECX,12120
00351B9F    EB 2B          JMP SHORT 00351BCC
00351BA1    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351BAB    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351BB5    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351BBF    C780 78787878 787>MOV DWORD PTR [EAX+78787878],78787878
00351BC9    0000             ADD [EAX],AL
00351BCB    90             NOP
00351BCC    C1E9 02          SHR ECX,2
00351BCF    EB 08          JMP SHORT 00351BD9
00351BD1    AD             LODS DWORD PTR [ESI]
00351BD2    3185 07404100    XOR [EBP+414007],EAX ;保存在003550C6
00351BD8    49             DEC ECX
00351BD9    0BC9             OR ECX,ECX
00351BDB    ^ 75 F4          JNZ SHORT 00351BD1

;int3异常
00351C10    E8 48000000    CALL 00351C5D
00351C15    8B4C24 0C       MOV ECX,[ESP+C]
00351C19    FF81 B8000000    INC DWORD PTR [ECX+B8]
00351C1F    33C0             XOR EAX,EAX
00351C21    3341 04          XOR EAX,[ECX+4]
00351C24    0341 08          ADD EAX,[ECX+8]
00351C27    3341 0C          XOR EAX,[ECX+C]
00351C2A    0341 10          ADD EAX,[ECX+10]
00351C2D    0181 B0000000    ADD [ECX+B0],EAX
00351C33    60             PUSHAD
00351C34    8D71 04          LEA ESI,[ECX+4]
00351C37    8BA9 B4000000    MOV EBP,[ECX+B4]
00351C3D    8DBD FC484100    LEA EDI,[EBP+4148FC]
00351C43    81C7 08010000    ADD EDI,108
00351C49    B9 06000000    MOV ECX,6
00351C4E    83BD CF3F4100 00  CMP DWORD PTR [EBP+413FCF],0
00351C55    75 02          JNZ SHORT 00351C59
00351C57    F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
00351C59    61             POPAD
00351C5A    33C0             XOR EAX,EAX
00351C5C    C3             RETN
00351C5D    33C9             XOR ECX,ECX
00351C5F    64:FF31          PUSH DWORD PTR FS:[ECX]
00351C62    64:8921          MOV FS:[ECX],ESP
00351C65    CC             INT3
00351C66    90             NOP

;计算main.exe hash
00352398    8BB5 D0474100    MOV ESI,[EBP+4147D0] ;ESI=00400000
0035239E    03B5 BF3F4100    ADD ESI,[EBP+413FBF] ;ESI=00401000
003523A4    8B8D D4474100    MOV ECX,[EBP+4147D4] ;ECX=0000155E
003523AA    E8 5F050000    CALL 0035290E ;计算hash

; Address=0035255E
; Message=Access violation when reading [00000000]

0035254E    64:FF35 00000000  PUSH DWORD PTR FS:[0]
00352555    64:8925 00000000  MOV FS:[0],ESP
0035255C    33C0             XOR EAX,EAX
0035255E    8B00             MOV EAX,[EAX]
00352560    90             NOP
00352561    90             NOP
00352562    CC             INT3
00352563    ^ EB FB          JMP SHORT 00352560

;div 0
0034F9E2    33C0                XOR EAX,EAX
0034F9E4    F7F0                DIV EAX
0034F9E6    E9 15630000          JMP 00355D00

seh handle
00355ADB    8BD4                MOV EDX,ESP
00355ADD    60                   PUSHAD
00355ADE    8B7A 0C             MOV EDI,[EDX+C] ;context
00355AE1    8BAF B4000000       MOV EBP,[EDI+B4] ;eax
00355AE7    8BB5 F8484100       MOV ESI,[EBP+4148F8] ;异常1
00355AED    8B5A 04             MOV EBX,[EDX+4] ;异常原因
00355AF0    AD                   LODS DWORD PTR [ESI]
00355AF1    3B03                CMP EAX,[EBX]
00355AF3    0F85 70010000       JNZ 00355C69
00355AF9    C707 17000100       MOV DWORD PTR [EDI],10017
00355AFF    AD                   LODS DWORD PTR [ESI] ;异常2
00355B00    8987 B8000000       MOV [EDI+B8],EAX ;eip=eax
00355B06    8D7F 04             LEA EDI,[EDI+4] ;dr0
00355B09    68 4E5AB363          PUSH 63B35A4E
00355B0E    68 4E5AD563          PUSH 63D55A4E
00355B13    50                   PUSH EAX
00355B14    E8 5D000000          CALL 00355B76

0012FBD4    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0012FBD5    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0012FBD6    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0012FBD7    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0012FBD8    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0012FBD9    A5                   MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]

00355C5D    8385 F8484100 20    ADD DWORD PTR [EBP+4148F8],20
00355C64    61                   POPAD
00355C65    33C0                XOR EAX,EAX

;Integer overflow
0034ECB0    40                   INC EAX
0034ECB1    D1C8                ROR EAX,1
0034ECB3    CE                   INTO ;Integer overflow

; Address=0034EBFC
; Message=Array bounds exceeded

0034D18D    64:8F05 00000000  POP DWORD PTR FS:[0] ;拆除seh
0034D194    58             POP EAX
0034D195    68 007498B4    PUSH B4987400

0034EBFC    6285 E8484100 BOUND EAX,[EBP+4148E8]

00665218    6205 00000000    BOUND EAX,[0]

mov [77E8B8DF], #33c0f7f0# ////修改SetThreadPriority

mov [77E8B8DF], #620500000000# //修改SetThreadPriority
mov [77E8B8DF], #85C07D0A50E8# //恢复SetThreadPriority

/////////////////////////////////////////////////////////////////////

10
C7807878787878787878 MOV DWORD PTR [EAX+78787878],78787878
4
66357878 XOR AX,7878
6
C70078787878 MOV DWORD PTR [EAX],78787878

///////////////////////////////////////////////////////////////////////

GetModuleHandleA
0012FF9C 00000000

0034D9B2 Main    JL SHORT 0034D9B9
0034D9BB Main    LEA EAX,[EBP+40C925]                   ; EAX=0034D9E4 返回地址
0034D9C5 Main    PUSH EAX
0034D9D2 Main    MOV EAX,[EBP+413FAB]                   ; EAX=77E80ACE 执行地址
0035459F Main    JMP EAX 执行GetModuleHandleA
0034D9E4 Main    OR EAX,EAX
0034D9E6 Main    JE 0034E3AC
0034D9EC Main    CALL 0034DA0B
0034DA0B Main    PUSH EAX
0034DA0C Main    JL SHORT 0034DA13
0034DA15 Main    LEA EAX,[EBP+40C97F]                   ; EAX=0034DA3E 返回地址
0034DA1F Main    PUSH EAX
0034DA2C Main    MOV EAX,[EBP+413FA3]                   ; EAX=00354D35 执行地址
0035459F Main    JMP EAX 取ZwQueryInformatio地址
0034DB8D Main    OR EAX,EAX
0034DB8F Main    JE 0034E3AC
0034DB95 Main    MOV EDI,EAX                            ; EDI=77F93351
0034DCE6 Main    MOV ESI,[EBP+41445B]                   ; ESI=FFFFFFFF
0034DCEC Main    PUSH EAX
0034DCED Main    MOV EAX,ESP                            ; EAX=0012FFA0
0034DE3E Main    PUSH 0
0034DE40 Main    PUSH 4
0034DF91 Main    PUSH EAX
0034DF92 Main    PUSH 7
0034E0E3 Main    PUSH ESI
0034E0E4 Main    LEA EAX,[EBP+40D034]                   ; EAX=0034E0F3 返回地址
0034E0EA Main    PUSH EAX
0034E0EB Main    MOV EAX,EDI                            ; EAX=77F93351 执行地址
00354B43 Main    JMP EAX 执行ZwQueryInformatio
0034E242 Main    POP EAX                                  ; EAX=FFFFFFFF
0034E243 Main    OR EAX,EAX
0034E245 Main    JE 0034E3AC
0034E24B Main    RDTSC                                  ; EAX=7040D2D2, EDX=00009112
0034E24D Main    AND EAX,0FFF                            ; EAX=000002D2
0034E252 Main    ADD EAX,1000                            ; EAX=000012D2
0034E257 Main    JMP 0034E3A6

ntdll!LdrpCallInitRoutine

解码程序text段
9A D7 B1 13 D3 6C 42 AA 0C 03 09 2B C0 0F 7D 34 54 E5 70 64 49 E0 97 0B 5E F8 C6 74 28 83 B3 E7

正确的
DA 97 F1 53 93 2C 02 EA 4C 43 49 6B 80 4F 3D 74 14 A5 30 24 09 A0 D7 4B 1E B8 86 34 68 C3 F3 A7

00352E70       55             PUSH EBP
00352E71       8BEC          MOV EBP,ESP
00352E73       83C4 FC       ADD ESP,-4
00352E76       60             PUSHAD
00352E77       8B7D 10       MOV EDI,[EBP+10]
00352E7A       8B75 08       MOV ESI,[EBP+8]
00352E7D       8B5D 0C       MOV EBX,[EBP+C]
00352E80       D1EB          SHR EBX,1
00352E82       EB 41          JMP SHORT 00352EC5
00352E84       53             PUSH EBX
00352E85       33DB          XOR EBX,EBX
00352E87       66:C745 FE 0000 MOV WORD PTR [EBP-2],0
00352E8D       EB 25          JMP SHORT 00352EB4
00352E8F       66:8B16       MOV DX,[ESI]
00352E92       66:23145F    AND DX,[EDI+EBX*2]
00352E96       B9 10000000    MOV ECX,10
00352E9B       33C0          XOR EAX,EAX
00352E9D       66:D1E2       SHL DX,1
00352EA0       73 01          JNB SHORT 00352EA3
00352EA2       40             INC EAX
00352EA3       ^ E2 F8          LOOPD SHORT 00352E9D
00352EA5       66:83E0 01    AND AX,1
00352EA9       66:8BCB       MOV CX,BX
00352EAC       66:D3E0       SHL AX,CL
00352EAF       66:0145 FE    ADD [EBP-2],AX
00352EB3       43             INC EBX
00352EB4       83FB 10       CMP EBX,10
00352EB7       ^ 72 D6          JB SHORT 00352E8F
00352EB9       5B             POP EBX
00352EBA       66:8B45 FE    MOV AX,[EBP-2]
00352EBE       66:8906       MOV [ESI],AX
00352EC1       83C6 02       ADD ESI,2
00352EC4       4B             DEC EBX
00352EC5       0BDB          OR EBX,EBX
00352EC7       ^ 75 BB          JNZ SHORT 00352E84
00352EC9       61             POPAD
00352ECA       C9             LEAVE
00352ECB       C2 0C00       RETN 0C

/////////////////////////////////////////////////////////////////////

00348902 8B3A          MOV EDI,[EDX] ;api 函数个数
00348A53 0BFF          OR EDI,EDI
00348A55 75 05          JNZ SHORT 00348A5C
00348A57 E9 F84D0000    JMP 0034D854
00348A5C 83C2 05       ADD EDX,5
00348A5F E9 4A010000    JMP 00348BAE
00348BAE 8BF2          MOV ESI,EDX
00348BB0 56             PUSH ESI

00348BBA 8D85 257B4000 LEA EAX,[EBP+407B25]
00348BC0 EB 02          JMP SHORT 00348BC4
00348BC2 0F0F          ???
00348BC4 50             PUSH EAX

00348BD1 8B85 AB3F4100 MOV EAX,[EBP+413FAB] ;GetModuleHandleA

00348C2D 87EF          XCHG EDI,EBP
00348C5A 68 E8EB6B3C    PUSH 3C6BEBE8
00348C87 68 256A0AFF    PUSH FF0A6A25
00348CB7 68 03142974    PUSH 74291403
00348CE8 68 E925620D    PUSH 0D6225E9
00348D1B 68 E75DA500    PUSH 0A55DE7
00348D43 50             PUSH EAX ; ADVAPI32.796D0000
00348D44 E8 5D000000    CALL 00348DA6
sm
0012FF90 0FB64E FF    MOVZX ECX,BYTE PTR [ESI-1] ;dll name 长度
0012FF94 01CE          ADD ESI,ECX
0012FF96 89F2          MOV EDX,ESI
0012FF98 EB FF          JMP SHORT 0012FF99
0012FF99 FFC2          INC EDX ;iat地址
0012FF9B 8BCD          MOV ECX,EBP
0012FF9D 81E1 00000080 AND ECX,80000000
0012FFA3 C3             RETN

;检查是否需要特别照顾的api
00348E8D       87EF          XCHG EDI,EBP
00348E8F       8BF0          MOV ESI,EAX
00348E91       0BC9          OR ECX,ECX ;检查是否需要特别照顾的api
00348E93       0F85 A5070000 JNZ 0034963E
00348E99       8BCF          MOV ECX,EDI
00348E9B       E9 4A010000    JMP 00348FEA

00348E91       0BC9                   OR ECX,ECX
00348E93       90                      NOP
00348E94       90                      NOP
00348E95       90                      NOP
00348E96       90                      NOP
00348E97       90                      NOP
00348E98       90                      NOP
00348E99       8BCF                   MOV ECX,EDI

特别照顾的api
00349932       8B3A          MOV EDI,[EDX]
00349934       03BD BF3F4100 ADD EDI,[EBP+413FBF] ;iat
0034993A       891F          MOV [EDI],EBX ;随机分配的内存地址
0034993C       83C3 20       ADD EBX,20
0034993F       0FB642 04    MOVZX EAX,BYTE PTR [EDX+4] ;api name 长度
00349943       0AC0          OR AL,AL
00349945       75 02          JNZ SHORT 00349949
00349947       04 04          ADD AL,4
00349949       03D0          ADD EDX,EAX
0034994B       83C2 06       ADD EDX,6 ;下一个api组
0034994E       49             DEC ECX ;api个数
0034994F       0BC9          OR ECX,ECX
00349951       ^ 75 DF          JNZ SHORT 00349932
00349953       EB 2B          JMP SHORT 00349980

00354705       60             PUSHAD
00354706       8B7C24 24    MOV EDI,[ESP+24]
0035470A       8B7424 28    MOV ESI,[ESP+28]

正常的api
00348FEA 8B3A          MOV EDI,[EDX] ;iat地址
00348FEC 03BD BF3F4100 ADD EDI,[EBP+413FBF] ;iat+imagesbase
00348FF2 83C2 04       ADD EDX,4 ;
00348FF5 51             PUSH ECX ;3
00348FF6 0FB602       MOVZX EAX,BYTE PTR [EDX] ;10
00348FF9 0BC0          OR EAX,EAX

003491C6 42             INC EDX
003491C7 52             PUSH EDX
003491C8 60             PUSHAD
003491C9 8BF2          MOV ESI,EDX
003491CB 8DBD 15454100 LEA EDI,[EBP+414515] ;api函数名

00349320 33C0          XOR EAX,EAX
00349322 AC             LODS BYTE PTR [ESI]
00349323 EB 07          JMP SHORT 0034932C
00349325 C0C0 03       ROL AL,3
00349328 F6D0          NOT AL
0034932A AA             STOS BYTE PTR ES:[EDI] ;保存api函数字串
0034932B AC             LODS BYTE PTR [ESI] ;取出api函数字串
0034932C 0BC0          OR EAX,EAX
0034932E  ^ 75 F5          JNZ SHORT 00349325
00349330 AA             STOS BYTE PTR ES:[EDI] ;用0截断api函数字串
00349331 EB 15          JMP SHORT 00349348
00349333 C780 78787878 7>MOV DWORD PTR [EAX+78787878],78787878
0034933D C780 78787878 7>MOV DWORD PTR [EAX+78787878],78787878
00349347 90             NOP
00349348 61             POPAD
00349349 8D95 15454100 LEA EDX,[EBP+414515] ;解码出字串地址
0034949E 52             PUSH EDX ;api name
0034949F 56             PUSH ESI ;dll name imagesbase
003494A0 7C 05          JL SHORT 003494A7
003494A2 /EB 05          JMP SHORT 003494A9
003494A9 8D85 14844000 LEA EAX,[EBP+408414]
003494B3 50             PUSH EAX

00349627 8907          MOV [EDI],EAX ;保存api函数地址到iat
00349629 5A             POP EDX
0034962A 0FB642 FF    MOVZX EAX,BYTE PTR [EDX-1]
0034962E 03D0          ADD EDX,EAX
00349630 42             INC EDX
00349631 59             POP ECX ;需要处理的api个数
00349632 49             DEC ECX
00349633  ^ 0F85 B1F9FFFF JNZ 00348FEA
00349639 E9 11420000    JMP 0034D84F ;处理完一个dll

00348A53       0BFF          OR EDI,EDI
00348A55       75 05          JNZ SHORT 00348A5C
00348A57       E9 F84D0000    JMP 0034D854 ;处理完所有iat
00348A5C       83C2 05       ADD EDX,5
00348A5F       E9 4A010000    JMP 00348BAE

0C |61 64 76 61 70 69 33 32 2E 64 6C 6C(dllname)| 00 |70 E2 31 00(iat地址)| 10(长度)|B5 53 13 D5 51 53 B1 D0 35 D3 72 51 53
57 F0 D7(apiname)| 00 |74 E2 31 00 (iat地址)|0D(长度)|B5 53 13 16 F1 53 32 96 53 D0 57 F0 D7 00 78 E2 31(apiname)| 00 0B B5 53 13 97
72 12 91 53 96 53 D0 |00 |03 00 00 00(api函数个数)|0C(dllname长度)|6F 6C 65 61 75 74 33(dllname)|

检测api第一个字节是不是cc
00354E62 56             PUSH ESI
00354E63 51             PUSH ECX
00354E64 50             PUSH EAX
00354E65 8BF0          MOV ESI,EAX
00354E67 B9 01000000    MOV ECX,1
00354E6C AC             LODS BYTE PTR [ESI]
00354E6D 3C CC          CMP AL,0CC
00354E6F 75 08          JNZ SHORT 00354E79
00354E71 58             POP EAX
00354E72 59             POP ECX
00354E73 5E             POP ESI
00354E74 E9 870E0000    JMP 00355D00
00354E79  ^ E2 F1          LOOPD SHORT 00354E6C
00354E7B 58             POP EAX
00354E7C 59             POP ECX
00354E7D 5E             POP ESI
00354E7E C3             RETN

/////////////////////////////////////////////////////////////////////

0034AAFF MOV EAX,[EBP+414423] ;SS:[003554E2]=96B1EC9C

0034AC12 MOV EAX,[EBP+41442F] ;SS:[003554EE]=4A50AFFE

78 71 F6 94 79 B4 87 E5 29 55 DC 08 30 E7 20 29 8C 29 71 CC 01 A1 7A 87 3B 70 74 09 7B F4 D6 58
6E 5C 83 C4 65 D4 79 B2 B0 68 E2 26 A1 39 20 BC 38 14 46 EB 9C EC B1 96 3B AF 88 8C 9A 94 FE 5C
FE AF 50 4A 80 AA 8D CF BA FF 0F B3 0A C4 BD 98 05 12 7B A4 E5 CC 7C 7C EF 18 08 E1 43 83 B2 28
AE 17 A7 2F

―――――――――――――――――――――――――――――――――
五、输入表乱序的简便修复方法

从程序找一个API调用，如：
00407458    FF25 78D7EF00    jmp dword ptr ds:[EFD778]; kernel32.GetModuleHandleA
在转存中跟随0EFD778，上下看到许多函数地址，可以找到IAT开始和结束的地址：

00EFD4D8 00 00 00 00 00 00 00 00 5C 01 07 00 F1 07 1C 01  ........\.?
00EFD4E8 EF 01 D3 77 BD BC D1 77 49 EF D1 77 BF 5E D5 77  ?喻郊痒I镅w哭征
…… ……
00EFDFA8 37 97 80 7C AB AB AB AB AB AB AB AB EE FE EE FE  7?|????铪铪
00EFDFB8 00 00 00 00 00 00 00 00 06 00 5C 01 95 07 1C 01  .........\?

开始地址＝00EFD4E8
结束地址＝00EFDFAC

运行ImportREC。注意：去掉“使用来自磁盘的PE部首”的选项，选择“创建新的IAT”选项！
选中Ollydbg调试的PIMOne.exe进程，填入RVA＝00AFD4E8、大小＝00000AC4，点“Get Import”。
可以看到函数乱序了，ImportREC显示是无效函数。如：
1  00AFD634  user32.dll  0001  ActivateKeyboardLayout
1  00AFD638  kernel32.dll  0032  CloseHandle //乱序
0  00AFD63C  ?  0000  00DDBFAE          //垃圾指针
1  00AFD640  gdi32.dll  00DE  ExtTextOutA //乱序
先不管乱序，现在需要把填充在里面的垃圾指针全部CUT掉，有不少，细心点。

为了能够跨平台运行，需要修改某些函数，如：
1  00AFD554  ntdll.dll  02B6  RtlLeaveCriticalSection
//修改为：kernel32.dll LeaveCriticalSection

修改OEP=001A1654，FixDump！
ImportREC自动新建了一个输入表。

可以删除text和其下的adata、data1、.reloc1、pdata共5个区段，然后再用LordPE或者FileScanner优化一下脱壳后的文件。

―――――――――――――――――――――――――――――――――

00349631 59             POP ECX
00349632 49             DEC ECX
00349633  ^ 0F85 B1F9FFFF JNZ 00348FEA
00349639 E9 11420000    JMP 0034D84F api结束

00348A53 0BFF          OR EDI,EDI
00348A55 75 05          JNZ SHORT 00348A5C
00348A57 E9 F84D0000    JMP 0034D854 iat结束
00348A5C 83C2 05       ADD EDX,5
00348A5F E9 4A010000    JMP 00348BAE

004071CE C3             RETN
004071CF 90             NOP
004071D0 53             PUSH EBX
004071D1 8BD8          MOV EBX,EAX
004071D3 33C0          XOR EAX,EAX

0034CF37  ^\73 F4          JNB SHORT 0034CF2D
0034CF39 EB 01          JMP SHORT 0034CF3C
0034CF3B DF72 EF       FBSTP TBYTE PTR [EDX-11]

73 F4 EB 01 DF 72 EF
73 ?? eb 01 ?? 72 ??

find eip, #73??eb01??72??#
mov [$RESULT],#eb#
add $RESULT,2
mov [$RESULT],#9090909090#

003430A6  ^\79 EF          JNS SHORT 00343097
003430A8 EB 01          JMP SHORT 003430AB
003430AA DF78 EA       FISTP QWORD PTR [EAX-16]

79 ef eb 01 df 78 ea
79 ?? eb 01 ?? 78 ??

find eip, #79??eb01??78??#
mov [$RESULT],#eb#
add $RESULT,2
mov [$RESULT],#9090909090#

find addr, #7???eb01??7?#
mov i,$RESULT
log i
mov [i],#eb#
add i,2
mov [i],#9090909090#
add addr,7

0034F307 Main    MOV AX,[ESI]                            ; EAX=00006F6F
0034F30A Main    CMP AL,0E8
0034F30C Main    JNZ 0034F4D2
0034F4D2 Main    CMP AL,0E9
0034F4D4 Main    JNZ 0034F69A
0034F69A Main    CMP AL,0F
0034F69C Main    JNZ 0034F872
0034F872 Main    INC ESI                                  ; ESI=00401008
0034F873 Main    DEC ECX                                  ; ECX=00188FF3
0034F874 Main    CMP ECX,80000000
0034F87A Main    JB 0034F307

0034F69A 3C 0F                   CMP AL,0F
0034F69C /0F85 D0010000          JNZ 0034F872
0034F6A2 |80FC 7F                CMP AH,7F
0034F6A5 |0F86 C7010000          JBE 0034F872
0034F6AB |80FC 90                CMP AH,90
0034F6AE |0F83 BE010000          JNB 0034F872

0f [7f - 90]

00401069    E8 00000000 CALL 0040106E                         ;  0040106E
0040106E    E9 00000000 JMP 00401073                            ;  00401073
00401073    0F8F 00000000 JG 00401079                            ;  00401079

00351722 C1E9 02                SHR ECX,2
00351725 F3:A5                   REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>
00351727 59                      POP ECX

ECX=00000030 (decimal 48.)
DS:[ESI]=[003592E3]=0035ADE8
ES:[EDI]=[00400F40]=00000000

00348C25 /EB 26          JMP SHORT 00348C4D
00348C27 |DF22          FBLD TBYTE PTR [EDX]
00348C29 |FF249A       JMP [EDX+EBX*4]
00348C2C |C087 EFEB4BEB D>ROL BYTE PTR [EDI+EB4BEBEF],0DF       ; Shift constant out of range 1..31
00348C33 |64:A1 694E5858  MOV EAX,FS:[58584E69]
00348C39  ^|73 F2          JNB SHORT 00348C2D
00348C3B |EB 01          JMP SHORT 00348C3E
00348C3D |DF72 ED       FBSTP TBYTE PTR [EDX-13]
00348C40 |64:8958 9C    MOV FS:[EAX-64],EBX
00348C44 |05 E5FFFFFF    ADD EAX,-1B
00348C49 |9D             POPFD
00348C4A |FFE0          JMP EAX
00348C4C |C2 50E8       RETN 0E850
00348C4F EF             OUT DX,EAX                            ; I/O command
00348C50 FFFF          ???                                     ; Unknown command
00348C52 FFDF          CALL FAR EDI                            ; Illegal use of register

00348C25 /EB 26          JMP SHORT 00348C4D
00348C4D 50             PUSH EAX
00348C4E E8 EFFFFFFF    CALL 00348C42
00348C42 58             POP EAX
00348C43 9C             PUSHFD
00348C44 05 E5FFFFFF    ADD EAX,-1B
00348C49 9D             POPFD
00348C4A FFE0          JMP EAX
00348C38 58             POP EAX
00348C39  ^ 73 F2          JNB SHORT 00348C2D
00348C2D 87EF          XCHG EDI,EBP
00348C2F EB 4B          JMP SHORT 00348C7C

eb ?? ?? e8 5? ff ff ff 5? 9c ?? ?? ?? ?? ?? 9d

00348C2D-00348C25=8

///////////////////////////////////////////////////////////
;保存pe头
ECX=00000040 (decimal 64.)
DS:[ESI]=[00400100]=00004550
ES:[EDI]=[016D0000]=00004550

003515FC C1E9 02       SHR ECX,2
003515FF F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>
00351601 59             POP ECX
00351602 83E1 03       AND ECX,3
00351605 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>

50 45 00 00 4C 01 03 00 19 5E 42 2A 00 00 00 00 00 00 00 00 E0 00 8E 81 0B 01 02 19 00 00 00 00
00 82 0A 00 00 00 00 00 6F C7 3D 00 00 00 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 E2 CB 3D 00 00 04 00 00 00 00 00 00 02 00 00 00
00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
61 30 3C 00 70 2C 00 00 00 10 34 00 00 1A 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DA 30 3C 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
39 30 3C 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

;修改pe头
ECX=000003F0 (decimal 1008.)
DS:[ESI]=[003583E3]=003593A3
ES:[EDI]=[00400040]=0E0010BA

00351721 51             PUSH ECX
00351722 C1E9 02       SHR ECX,2
00351725 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR [E>
00351727 59             POP ECX
00351728 83E1 03       AND ECX,3
0035172B F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>
0035172D EB 22          JMP SHORT 00351751

0046CEFB FF15 78034000 CALL [400378]
0046CF01 E8 C287F9FF    CALL 004056C8                         ; 004056C8
DS:[00400378]=00359945

00359944 C3             RETN
00359945 8B15 7C2D4600 MOV EDX,[462D7C]                      ; main.00462D80
0035994B C3             RETN

FF15??0?4000

00359945 8B15 7C2D4600 MOV EDX,[462D7C]                      ; main.00462D80
0035994B C3             RETN
0035994C 8B15 50FF5800 MOV EDX,[58FF50]                      ; main.0058A5E4
00359952 C3             RETN
//////////////////////////////////////////////////////////////////////

0035DE11 50             PUSH EAX
0035DE12 8B30          MOV ESI,[EAX]
0035DE14 8B7E 1C       MOV EDI,[ESI+1C]
0035DE17 8B76 09       MOV ESI,[ESI+9]
0035DE1A 33FE          XOR EDI,ESI

0035DE1C 8B47 01       MOV EAX,[EDI+1]

0035DE1F 8B3C24       MOV EDI,[ESP]
0035DE22 8907          MOV [EDI],EAX
0035DE24 58             POP EAX
0035DE25 83C0 04       ADD EAX,4
0035DE28 59             POP ECX
0035DE29  ^ E2 BC          LOOPD SHORT 0035DDE7
0035DE2B 61             POPAD

push edi
shr edi,8
cmp edi,35
je kk
pop edi
MOV EAX,[EDI+1]
jmp aa
kk:
pop edi
mov eax,edi
aa:

8B 3C 24 89 07 58 83 C0 04 59 E2 BC 61 00 00 00

60 B8 A4 E1 71 00 B9 11 02 00 00 51 66 81 78 02 45 01 74 21 90 90 90 90 66 81 78 02 69 01 74 15
90 90 90 90 66 81 78 02 6A 01 74 09 90 90 90 90 EB 2D 90 90 90 50 8B 30 8B 7E 1C 8B 76 09 33 FE
57 C1 EF 10 83 FF 35 74 0D 90 90 90 90 5F 8B 47 01 EB 06 90 90 90 5F 8B C7 8B 3C 24 89 07 58 83
C0 04 59 E2 A6 61 00 00

0035D727 60             PUSHAD
0035D728 B8 A4E17100    MOV EAX,71E1A4                         ; ASCII "D/圜E桤wca圜"
0035D72D B9 11020000    MOV ECX,211
0035D732 51             PUSH ECX
0035D733 66:8178 02 4501 CMP WORD PTR [EAX+2],145
0035D739 74 21          JE SHORT 0035D75C
0035D73B 90             NOP
0035D73C 90             NOP
0035D73D 90             NOP
0035D73E 90             NOP
0035D73F 66:8178 02 6901 CMP WORD PTR [EAX+2],169
0035D745 74 15          JE SHORT 0035D75C
0035D747 90             NOP
0035D748 90             NOP
0035D749 90             NOP
0035D74A 90             NOP
0035D74B 66:8178 02 6A01 CMP WORD PTR [EAX+2],16A
0035D751 74 09          JE SHORT 0035D75C
0035D753 90             NOP
0035D754 90             NOP
0035D755 90             NOP
0035D756 90             NOP
0035D757 EB 2D          JMP SHORT 0035D786
0035D759 90             NOP
0035D75A 90             NOP
0035D75B 90             NOP
0035D75C 50             PUSH EAX
0035D75D 8B30          MOV ESI,[EAX]
0035D75F 8B7E 1C       MOV EDI,[ESI+1C]
0035D762 8B76 09       MOV ESI,[ESI+9]
0035D765 33FE          XOR EDI,ESI
0035D767 57             PUSH EDI
0035D768 C1EF 10       SHR EDI,10
0035D76B 83FF 35       CMP EDI,35
0035D76E 74 0D          JE SHORT 0035D77D
0035D770 90             NOP
0035D771 90             NOP
0035D772 90             NOP
0035D773 90             NOP
0035D774 5F             POP EDI
0035D775 8B47 01       MOV EAX,[EDI+1]
0035D778 EB 06          JMP SHORT 0035D780
0035D77A 90             NOP
0035D77B 90             NOP
0035D77C 90             NOP
0035D77D 5F             POP EDI
0035D77E 8BC7          MOV EAX,EDI
0035D780 8B3C24       MOV EDI,[ESP]
0035D783 8907          MOV [EDI],EAX
0035D785 58             POP EAX
0035D786 83C0 04       ADD EAX,4
0035D789 59             POP ECX
0035D78A  ^ E2 A6          LOOPD SHORT 0035D732
0035D78C 61             POPAD

00353327 /EB 4D          JMP SHORT 00353376
00353329  ^|EB DF          JMP SHORT 0035330A
0035332B |3AA3 694E585A CMP AH,[EBX+5A584E69]
00353331  ^|71 F4          JNO SHORT 00353327

00353327 /EB 4D          JMP SHORT 00353376
00353329  ^|EB DF          JMP SHORT 0035330A
0035332B |3AA3 694E585A CMP AH,[EBX+5A584E69]
00353331  ^|71 F4          JNO SHORT 00353327
00353333 |EB 01          JMP SHORT 00353336

pushad
pushfd

mov eax, 401000
sub eax, 1
mov edx, 741000
sub edx, 2
@@loop:
add eax, 1
cmp eax, edx
ja @@end
cmp WORD ptr [eax], 15FF
jne @@loop
mov edi, eax
mov esi, [eax+2]
add eax, 1
cmp esi, 401000
jnb @@loop
mov esi, [esi]
mov ecx, 6
rep movsb [edi], [esi]
jmp @@loop
@@end:
popfd
popad

B8 00 10 40 00 83 E8 01 BA 00 20 72 00 83 EA 02 83 C0 01 3B C2 77 22 66 81 38 FF 15 75 F2 8B F8
8B 70 02 83 C0 01 81 FE 00 10 40 00 73 E2 8B 36 B9 06 00 00 00 F3 A4 EB D7 EB FE 90 00 00 00 00

007222EA B8 00104000    MOV EAX,401000
007222EF 83E8 01       SUB EAX,1
007222F2 BA 00207200    MOV EDX,722000
007222F7 83EA 02       SUB EDX,2
007222FA 83C0 01       ADD EAX,1
007222FD 3BC2          CMP EAX,EDX
007222FF 77 22          JA SHORT 00722323                         ; 00722323
00722301 66:8138 FF15 CMP WORD PTR [EAX],15FF
00722306  ^ 75 F2          JNZ SHORT 007222FA                         ; 007222FA
00722308 8BF8          MOV EDI,EAX
0072230A 8B70 02       MOV ESI,[EAX+2]
0072230D 83C0 01       ADD EAX,1
00722310 81FE 00104000 CMP ESI,401000
00722316  ^ 73 E2          JNB SHORT 007222FA                         ; 007222FA
00722318 8B36          MOV ESI,[ESI]
0072231A B9 06000000    MOV ECX,6
0072231F F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
00722321  ^ EB D7          JMP SHORT 007222FA                         ; 007222FA
00722323  - EB FE          JMP SHORT 00722323                         ; 00722323

push ebp
mov ebp,esp
ADD ESP,-10
mov eax,588DFC
call 004071D0

MOV EAX,[0058F750]
mov eax,[eax]
call 0046BF44

mov ecx,[58F128]
mov eax,[058F750]
mov eax,[eax]
mov edx,[56A150]
call 0046BF5C

mov ecx,[58EF4C]
mov eax,[0058F750]
mov eax,[eax]
mov edx,[552D60]
call 0046BF5C

mov eax,[0058F750]
mov eax,[eax]
call 0046BFDC

call 00404B24

Address  Thread Command                                  ;push ebp
0035CE8D Main    JMP SHORT 0035CE92
0035CE92 Main    PUSH ESP
0035CE93 Main    POP EBP                                  ;mov ebp,esp
0035CE94 Main    JMP SHORT 0035CE98
0035CE98 Main    PUSH ESP
0035CE99 Main    ADD DWORD PTR [ESP],-10 ;ADD DWORD PTR [ESP],-10
0035CE9D Main    POP ESP
0035CE9E Main    JMP SHORT 0035CEA1
0035CEA1 Main    PUSH 588DFC
0035CEA6 Main    POP EAX ;mov eax,588DFC
0035CEA7 Main    JMP SHORT 0035CEAB
0035CEAB Main    CALL 0035CEB2 ;call 004071D0
0035CEB2 Main    PUSH EAX
0035CEB3 Main    CALL 0035CEBC
0035CEBC Main    POP EAX                                  ; EAX=0035CEB8
0035CEBD Main    MOV EAX,[EAX]                            ; EAX=004071D0
0035CEBF Main    XCHG [ESP],EAX                         ; EAX=00588DFC
0035CEC2 Main    RETN

004071D0 Main    PUSH EBX
004071D1 Main    MOV EBX,EAX                            ; EAX=00000000, ECX=01800000, EDX=B8A98D64, EBX=00000000, EBP=0012F890, ESI=00000000, EDI=7FFDE000
77F8AE5A Main    RETN 28                                  ; ECX=0012FF9C, EDX=0012FFB4, EBX=7FFDF000, EBP=0012FFC0, ESI=00000056, EDI=005616A8
00407210 Main    RETN

0035CEB0 Main    JMP SHORT 0035CEC3
0035CEC3 Main    JMP SHORT 0035CEC7
0035CEC7 Main    CALL 0035CED0
0035CED0 Main    POP EAX                                  ; EAX=0035CECC
0035CED1 Main    MOV EAX,[EAX]                            ; EAX=0058F750
0035CED3 Main    MOV EAX,[EAX] ;mov eax,[0058F750]       ; EAX=00591C34
0035CED5 Main    JMP SHORT 0035CED8
0035CED8 Main    PUSH DWORD PTR [EAX] ;mov eax,[eax]
0035CEDA Main    POP EAX                                  ; EAX=016F13CC
0035CEDB Main    JMP SHORT 0035CEDD
0035CEDD Main    CALL 0035CEE4 ;call 0046BF44
0035CEE4 Main    PUSH EAX
0035CEE5 Main    CALL 0035CEEE
0035CEEE Main    POP EAX                                  ; EAX=0035CEEA
0035CEEF Main    MOV EAX,[EAX]                            ; EAX=0046BF44
0035CEF1 Main    XCHG [ESP],EAX                         ; EAX=016F13CC
0035CEF4 Main    RETN

0046BF44 Main    PUSH EBX
0046BF45 Main    MOV EAX,[58F26C]                         ; EAX=00591040
0046BF5A Main    RETN

0035CEE2 Main    JMP SHORT 0035CEF5
0035CEF5 Main    JMP SHORT 0035CEF9
0035CEF9 Main    PUSH DWORD PTR [58F128] ;mov ecx,[58F128]
0035CEFF Main    POP ECX                                  ; ECX=0071C778
0035CF00 Main    JMP SHORT 0035CF02
0035CF02 Main    CALL 0035CF0B
0035CF0B Main    POP EAX                                  ; EAX=0035CF07
0035CF0C Main    MOV EAX,[EAX]                            ; EAX=0058F750
0035CF0E Main    MOV EAX,[EAX] ;mov eax,[0058F750]       ; EAX=00591C34
0035CF10 Main    JMP SHORT 0035CF12
0035CF12 Main    PUSH DWORD PTR [EAX] ;mov eax,[eax]
0035CF14 Main    POP EAX                                  ; EAX=016F13CC
0035CF15 Main    JMP SHORT 0035CF18
0035CF18 Main    PUSH DWORD PTR [56A150] ;mov edx,[56A150]
0035CF1E Main    POP EDX                                  ; EDX=0056A19C
0035CF1F Main    JMP SHORT 0035CF23
0035CF23 Main    CALL 0035CF2A ;call 0046BF5C
0035CF2A Main    PUSH EAX
0035CF2B Main    CALL 0035CF34
0035CF34 Main    POP EAX                                  ; EAX=0035CF30
0035CF35 Main    MOV EAX,[EAX]                            ; EAX=0046BF5C
0035CF37 Main    XCHG [ESP],EAX                         ; EAX=016F13CC
0035CF3A Main    RETN

0046BF5C Main    PUSH EBP
0046BF5D Main    MOV EBP,ESP                            ; EAX=00A49080, ECX=0000C078, EDX=00000000, EBX=00000000, EBP=0012F0BC, ESI=00000000, EDI=7FFDE000
77F8AE5A Main    RETN 28                                  ; EBP=0012F040
77F8AE5A Main    RETN 28                                  ; EAX=016F1D78, ECX=0071C778, EDX=00461D94, EBX=7FFDF000, EBP=0012FFC0, ESI=00000056, EDI=005616A8
0046BFD8 Main    RETN

0035CF28 Main    JMP SHORT 0035CF3B
0035CF3B Main    JMP SHORT 0035CF40
0035CF40 Main    PUSH DWORD PTR [58EF4C] ;mov ecx,[58EF4C]
0035CF46 Main    POP ECX                                  ; ECX=00611DD0
0035CF47 Main    JMP SHORT 0035CF4C
0035CF4C Main    CALL 0035CF55
0035CF55 Main    POP EAX                                  ; EAX=0035CF51
0035CF56 Main    MOV EAX,[EAX]                            ; EAX=0058F750
0035CF58 Main    MOV EAX,[EAX] ;mov eax,[0058F750]       ; EAX=00591C34
0035CF5A Main    JMP SHORT 0035CF5E
0035CF5E Main    PUSH DWORD PTR [EAX] ;mov eax,[eax]
0035CF60 Main    POP EAX                                  ; EAX=016F13CC
0035CF61 Main    JMP SHORT 0035CF64
0035CF64 Main    PUSH DWORD PTR [552D60] ;mov edx,[552D60]
0035CF6A Main    POP EDX                                  ; EDX=00552DAC
0035CF6B Main    JMP SHORT 0035CF6F
0035CF6F Main    CALL 0035CF76 ;call 0046BF5C
0035CF76 Main    PUSH EAX
0035CF77 Main    CALL 0035CF80
0035CF80 Main    POP EAX                                  ; EAX=0035CF7C
0035CF81 Main    MOV EAX,[EAX]                            ; EAX=0046BF5C
0035CF83 Main    XCHG [ESP],EAX                         ; EAX=016F13CC
0035CF86 Main    RETN

0046BF5C Main    PUSH EBP
0046BF5D Main    MOV EBP,ESP                            ; EBP=0012FFA8
0046BF5F Main    PUSH ECX                               ; EAX=00000000, EDX=0012FFB4, EBP=0012FFC0
0046BFD8 Main    RETN

0035CF74 Main    JMP SHORT 0035CF87
0035CF87 Main    JMP SHORT 0035CF89
0035CF89 Main    CALL 0035CF92
0035CF92 Main    POP EAX                                  ; EAX=0035CF8E
0035CF93 Main    MOV EAX,[EAX]                            ; EAX=0058F750
0035CF95 Main    MOV EAX,[EAX] ;mov eax,[0058F750]       ; EAX=00591C34
0035CF97 Main    JMP SHORT 0035CF9B
0035CF9B Main    PUSH DWORD PTR [EAX] ;mov eax,[eax]
0035CF9D Main    POP EAX                                  ; EAX=016F13CC
0035CF9E Main    JMP SHORT 0035CFA1
0035CFA1 Main    CALL 0035CFA8 ;call 0046BFDC
0035CFA8 Main    PUSH EAX
0035CFA9 Main    CALL 0035CFB2
0035CFB2 Main    POP EAX                                  ; EAX=0035CFAE
0035CFB3 Main    MOV EAX,[EAX]                            ; EAX=0046BFDC
0035CFB5 Main    XCHG [ESP],EAX                         ; EAX=016F13CC
0035CFB8 Main    RETN

0046BFDC Main    PUSH EBP
0046BFDD Main    MOV EBP,ESP                            ; EAX=008A0650, ECX=00000000, EDX=00000000, EBX=00000000, EBP=7FFDD09C, ESI=00000000, EDI=0012FA34
.....
0046C0C4 Main    POP ECX                                  ; ECX=016F13CC
0046C0C5 Main    POP EBP                                  ; EBP=0012FFC0
0046C0C6 Main    RETN

0035CFA6 Main    JMP SHORT 0035CFB9
0035CFB9 Main    JMP SHORT 0035CFBC
0035CFBC Main    CALL 0035CFC3 ;call 00404B24
0035CFC3 Main    PUSH EAX
0035CFC4 Main    CALL 0035CFCD
0035CFCD Main    POP EAX                                  ; EAX=0035CFC9
0035CFCE Main    MOV EAX,[EAX]                            ; EAX=00404B24
0035CFD0 Main    XCHG [ESP],EAX                         ; EAX=016F13CC
0035CFD3 Main    RETN

00404B24 Main    PUSH EBX
00404B25 Main    PUSH ESI
00404B26 Main    PUSH EDI
00404B27 Main    PUSH EBP
00404B28 Main    MOV EBX,591630                         ; EBX=00591630
00404B2D Main    MOV ESI,58A000                         ; ESI=0058A000
;exitprocess

007E19F7 55             PUSH EBP
007E19F8 8BEC          MOV EBP,ESP
007E19FA 83C4 F0       ADD ESP,-10
007E19FD B8 FC8D5800    MOV EAX,588DFC
007E1A02 E8 C957C2FF    CALL 004071D0                         ; 004071D0
007E1A07 A1 50F75800    MOV EAX,[58F750]
007E1A0C 8B00          MOV EAX,[EAX]
007E1A0E E8 31A5C8FF    CALL 0046BF44                         ; 0046BF44
007E1A13 8B0D 28F15800 MOV ECX,[58F128]                      ; main_dat.0071C778
007E1A19 A1 50F75800    MOV EAX,[58F750]
007E1A1E 8B00          MOV EAX,[EAX]
007E1A20 8B15 50A15600 MOV EDX,[56A150]                      ; main_dat.0056A19C
007E1A26 E8 31A5C8FF    CALL 0046BF5C                         ; 0046BF5C
007E1A2B 8B0D 4CEF5800 MOV ECX,[58EF4C]                      ; main_dat.00611DD0
007E1A31 A1 50F75800    MOV EAX,[58F750]
007E1A36 8B00          MOV EAX,[EAX]
007E1A38 8B15 602D5500 MOV EDX,[552D60]                      ; main_dat.00552DAC
007E1A3E E8 19A5C8FF    CALL 0046BF5C                         ; 0046BF5C
007E1A43 A1 50F75800    MOV EAX,[58F750]
007E1A48 8B00          MOV EAX,[EAX]
007E1A4A E8 8DA5C8FF    CALL 0046BFDC                         ; 0046BFDC
007E1A4F E8 D030C2FF    CALL 00404B24                         ; 00404B24

55 8B EC 83 C4 F0 B8 FC 8D 58 00 E8 C9 57 C2 FF A1 50 F7 58 00 8B 00 E8 31 A5 C8 FF 8B 0D 28 F1
58 00 A1 50 F7 58 00 8B 00 8B 15 50 A1 56 00 E8 31 A5 C8 FF 8B 0D 4C EF 58 00 A1 50 F7 58 00 8B
00 8B 15 60 2D 55 00 E8 19 A5 C8 FF A1 50 F7 58 00 8B 00 E8 8D A5 C8 FF E8 D0 30 C2 FF 00 00 00

0041FDC8 E8 33000000    CALL 0041FE00                         ; 0041FE00

DS:[0056A168]=0035B6F8
ESI=011F27E0, (ASCII "FormActivate")

3C3000
7C3000
00307c00

Log data, item 0
Address=0040719A
Message=Access violation when reading [00000000]

Log data, item 1173
Address=0046BF46
Message=Privileged instruction

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FB2C 77E00149 user32.77E046CF                      user32.77E00144             0012FB28
0012FB5C 77E1F1A3 user32.77E000C5                      user32.77E1F19E             0012FB58
0012FB8C 77DFFD59 user32.77E1F160                      user32.77DFFD54             0012FB88
0012FDD8 77E03D7A user32.77DFFBF3                      user32.77E03D75             0012FDD4
0012FDF4 77E03DB9 user32.LoadIconW                   user32.77E03DB4             0012FE04
0012FDF8 00400000    hInst = 00400000
0012FDFC 001331E8    RsrcName = "MAINICON"
0012FE08 0046AAEA <JMP.&user32.LoadIconA>             main_dat.0046AAE5          0012FE04
0012FE0C 00400000    hInst = 00400000
0012FE10 001331E8    RsrcName = "M"
0012FF34 00457440 main_dat.0046AA00                   main_dat.0045743B          0012FF30
0012FF6C 004575B4 ? main_dat.00457330                main_dat.004575AF          0012FF68
0012FF80 00404958 Includes main_dat.004575B4          main_dat.00404956          0012FF7C
0012FFA0 004049BF main_dat.00404920                   main_dat.004049BA          0012FF9C
0012FFA4 0040720F main_dat.00404980                   main_dat.0040720A          0012FFC0
0012FFAC 007E1A07 main_dat.004071D0                   main_dat.007E1A02          0012FFC0

0046AAD8 68 E0AB4600    PUSH 46ABE0                            ; ASCII "MAINICON"
0046AADD A1 14ED5800    MOV EAX,[58ED14]
0046AAE2 8B00          MOV EAX,[EAX]
0046AAE4 50             PUSH EAX
0046AAE5 E8 9AD1F9FF    CALL 00407C84                         ; <JMP.&user32.LoadIconA>

007C3A2E
2e3a7c00
2e3a3c00

3db870
7db870
70b87d00

Log data, item 0
Address=0040719A
Message=Access violation when reading [00000000]

Log data, item 430
Address=0046BF46
Message=Privileged instruction

/////////////////////////////////////////////////////////////////////
特殊函数

0 0031E1BC ? 0000 00353327
0 0031E1E4 ? 0000 003537F1
0 0031E1F4 ? 0000 003536DB
0 0031E1F8 ? 0000 00353657
0 0031E238 ? 0000 003530E4
0 0031E2B0 ? 0000 0035398C
0 0031E2E4 ? 0000 00353437
0 0031E2F0 ? 0000 00353327
0 0031E31C ? 0000 003537F1
0 0031E35C ? 0000 003532A2
0 0031E394 ? 0000 003530E4
0 0031E3C8 ? 0000 00353544
0 0031E40C ? 0000 00353902
0 0031E5C0 ? 0000 003533B0
0 0031E63C ? 0000 0035387C
0 0031E670 ? 0000 00353A15
0 0031E674 ? 0000 0035321A
0 0031E748 ? 0000 0035316D
0 0031E7B8 ? 0000 00353061
0 0031E7F8 ? 0000 003535CE
0 0031E7FC ? 0000 00353327
0 0031E808 ? 0000 0035321A
0 0031E83C ? 0000 00353196
0 0031E940 ? 0000 00353765
0 0031E984 ? 0000 00353AA1
0 0031E98C ? 0000 00353B2C

00353DC3 83F8 01       CMP EAX,1
0035450F 83F8 17       CMP EAX,17

00353327
8
GetModuleHandleA

0034FD0D          8B85 B2414100    MOV EAX,[EBP+4141B2]                   ; KERNEL32.GetModuleHandleA
0034FE6E          8985 57444100    MOV [EBP+414457],EAX                   ; main.00400000

003537F1
11
00407574          - FF25 E4E17100    JMP [71E1E4]

003543E5          83F8 11          CMP EAX,11
003543E8          75 27             JNZ SHORT 00354411
003543EA          8BCC             MOV ECX,ESP
003543EC          FF71 0C          PUSH DWORD PTR [ECX+C]
003543EF          FF71 08          PUSH DWORD PTR [ECX+8]
003543F2          FF71 04          PUSH DWORD PTR [ECX+4]
003543F5          E8 200B0000       CALL 00354F1A
003543FA          83C4 10          ADD ESP,10
003543FD          - FF6424 F0       JMP [ESP-10]

8B CC FF 71 0C FF 71 08 FF 71 04 E8 AB FE FF FF 83 C4 10 FF 64 24 F0

007E19E0 8BCC          MOV ECX,ESP
e0 19 3e 00

003536DB
f
00354F69          55                PUSH EBP
00354F6A          8BEC             MOV EBP,ESP
00354F6C          B8 01000000       MOV EAX,1
00354F71          56                PUSH ESI
00354F72          8B75 08          MOV ESI,[EBP+8]
00354F75          0BF6             OR ESI,ESI
00354F77          74 11             JE SHORT 00354F8A
00354F79          8B4E 08          MOV ECX,[ESI+8]
00354F7C          3B0E             CMP ECX,[ESI]
00354F7E          7E 0A             JLE SHORT 00354F8A
00354F80          8B4E 0C          MOV ECX,[ESI+C]
00354F83          3B4E 04          CMP ECX,[ESI+4]
00354F86          7E 02             JLE SHORT 00354F8A
00354F88          33C0             XOR EAX,EAX
00354F8A          5E                POP ESI
00354F8B          C9                LEAVE
00354F8C          C2 0400          RETN 4

007E18EA 55             PUSH EBP
ea 18 3e 00

00353657
e
00354EA3          55                PUSH EBP
00354EA4          8BEC             MOV EBP,ESP
00354EA6          56                PUSH ESI
00354EA7          57                PUSH EDI
00354EA8          53                PUSH EBX
00354EA9          8B45 08          MOV EAX,[EBP+8]
00354EAC          8B75 0C          MOV ESI,[EBP+C]

007E1824 55             PUSH EBP
24 18 3e 00

003530E4
4
ExitProcess

0035398C
14
USER32.SendMessageA

00353437
a
0035422B 8B85 5F444100 MOV EAX,[EBP+41445F]
SS:[0035551E]=00000A28
EAX=0000000A

0034FB72 8985 5F444100    MOV [EBP+41445F],EAX
0034FB78 8D85 26EC4000    LEA EAX,[EBP+40EC26]

0034FB60          8B85 9D414100    MOV EAX,[EBP+41419D]                   ; KERNEL32.GetCurrentProcessId

003532A2
7
00354165 8B85 53444100 MOV EAX,[EBP+414453]
SS:[00355512]=08930005
EAX=00000007

0034F9EB 8985 53444100    MOV [EBP+414453],EAX
0034F9F1 68 00FE98C7       PUSH C798FE00

0034F9D6          8B85 F6414100    MOV EAX,[EBP+4141F6]                   ; KERNEL32.GetVersion

00353544
c
00354285 8B85 63444100 MOV EAX,[EBP+414463]
SS:[00355522]=001321F8, (ASCII ""E:\wg\cq199\main.exe"")
EAX=0000000C

0034FCE5 8985 63444100    MOV [EBP+414463],EAX
0034FCEB 6A 00             PUSH 0

0034FCCE          8B85 7F414100    MOV EAX,[EBP+41417F]                   ; KERNEL32.GetCommandLineA

00353902
13
0035500F          55                PUSH EBP
00355010          8BEC             MOV EBP,ESP
00355012          56                PUSH ESI
00355013          33C0             XOR EAX,EAX
00355015          8B75 08          MOV ESI,[EBP+8]
00355018          0BF6             OR ESI,ESI
0035501A          74 12             JE SHORT 0035502E
0035501C          8B55 0C          MOV EDX,[EBP+C]
0035501F          8B4D 10          MOV ECX,[EBP+10]
00355022          0116             ADD [ESI],EDX
00355024          014E 04          ADD [ESI+4],ECX
00355027          0156 08          ADD [ESI+8],EDX
0035502A          014E 0C          ADD [ESI+C],ECX
0035502D          40                INC EAX
0035502E          5E                POP ESI
0035502F          C9                LEAVE
00355030          C2 0C00          RETN 0C

007E1990 55             PUSH EBP
90193e00

003533B0
9
1 time
003541D9          83F8 09          CMP EAX,9
003541DC          75 3A             JNZ SHORT 00354218
003541DE          50                PUSH EAX
003541DF          60                PUSHAD
003541E0          E8 00000000       CALL 003541E5
003541E5          5D                POP EBP
003541E6          81ED 26314100    SUB EBP,413126
003541EC          8B85 5B444100    MOV EAX,[EBP+41445B]
003541F2          894424 20       MOV [ESP+20],EAX
003541F6          61                POPAD
003541F7          58                POP EAX
003541F8          83C4 04          ADD ESP,4
003541FB          - FF6424 FC       JMP [ESP-4]

00407412          8BC0             MOV EAX,EAX
00407414          - FF25 C0E57100    JMP [71E5C0]
0040741A          8BC0             MOV EAX,EAX

00502587          51                PUSH ECX
00502588          E8 874EF0FF       CALL 00407414                         ; 00407414
0050258D          8945 FC          MOV [EBP-4],EAX

00502587          51                PUSH ECX
00502588          B8 FFFFFFFF       MOV EAX,-1
0050258D          8945 FC          MOV [EBP-4],EAX

003541EC 8B85 5B444100 MOV EAX,[EBP+41445B]
SS:[0035551A]=FFFFFFFF
EAX=00000009

00346C45 C785 5B444100 FFFF>MOV DWORD PTR [EBP+41445B],7FFFFFFF
00346C4F E9 55040000       JMP 003470A9

0034709F C785 5B444100 FFFF>MOV DWORD PTR [EBP+41445B],-1
003470A9 8D1D 58484100    LEA EBX,[414858]
003470AF 833C2B 00       CMP DWORD PTR [EBX+EBP],0

0035387C
12
00354FDD          55                PUSH EBP
00354FDE          8BEC             MOV EBP,ESP
00354FE0          56                PUSH ESI
00354FE1          53                PUSH EBX
00354FE2          8B4D 0C          MOV ECX,[EBP+C]
00354FE5          8B55 10          MOV EDX,[EBP+10]
00354FE8          33DB             XOR EBX,EBX
00354FEA          8B75 08          MOV ESI,[EBP+8]
00354FED          0BF6             OR ESI,ESI

007E195E 55             PUSH EBP
5e193e00

00353A15
15
00354F8F          55                PUSH EBP
00354F90          8BEC             MOV EBP,ESP
00354F92          8B45 08          MOV EAX,[EBP+8]
00354F95          0BC0             OR EAX,EAX
00354F97          74 1A             JE SHORT 00354FB3
00354F99          6A 01             PUSH 1
00354F9B          8B4D 18          MOV ECX,[EBP+18]
00354F9E          8948 0C          MOV [EAX+C],ECX
00354FA1          8B4D 14          MOV ECX,[EBP+14]
00354FA4          8948 08          MOV [EAX+8],ECX
00354FA7          8B4D 10          MOV ECX,[EBP+10]
00354FAA          8948 04          MOV [EAX+4],ECX
00354FAD          8B4D 0C          MOV ECX,[EBP+C]
00354FB0          8908             MOV [EAX],ECX
00354FB2          58                POP EAX
00354FB3          C9                LEAVE
00354FB4          C2 1400          RETN 14

007E1910 55             PUSH EBP
10193e00

0035321A
6
GetProcAddress

0035316D
5
1 time
00353E9A          83F8 05          CMP EAX,5
00353E9D          75 15             JNZ SHORT 00353EB4
00353E9F          8B4424 04       MOV EAX,[ESP+4]
00353EA3          83C4 08          ADD ESP,8
00353EA6          - FF6424 F8       JMP [ESP-8]

004073FC          - FF25 48E77100    JMP [71E748]

0041EB3F          8B46 14          MOV EAX,[ESI+14]
0041EB42          50                PUSH EAX
0041EB43          E8 B488FEFF       CALL 004073FC                         ; 004073FC
0041EB48          8BD3             MOV EDX,EBX

0041EB3F          8B46 14          MOV EAX,[ESI+14]
0041EB42          EB 04             JMP SHORT 0041EB48                      ; 0041EB48
0041EB44          90                NOP
0041EB45          90                NOP
0041EB46          90                NOP
0041EB47          90                NOP
0041EB48          8BD3             MOV EDX,EBX

00353061
3

00354FB7          55                PUSH EBP
00354FB8          8BEC             MOV EBP,ESP
00354FBA          56                PUSH ESI
00354FBB          57                PUSH EDI
00354FBC          33C0             XOR EAX,EAX
00354FBE          8B75 08          MOV ESI,[EBP+8]
00354FC1          8B7D 0C          MOV EDI,[EBP+C]
00354FC4          0BF6             OR ESI,ESI
00354FC6          74 0F             JE SHORT 00354FD7
00354FC8          0BFF             OR EDI,EDI
00354FCA          74 0B             JE SHORT 00354FD7
00354FCC          B9 04000000       MOV ECX,4
00354FD1          FC                CLD
00354FD2          F3:A7             REPE CMPS DWORD PTR ES:[EDI],DWORD PTR [>
00354FD4          75 01             JNZ SHORT 00354FD7
00354FD6          40                INC EAX
00354FD7          5F                POP EDI
00354FD8          5E                POP ESI
00354FD9          C9                LEAVE
00354FDA          C2 0800          RETN 8

007E1938 55             PUSH EBP
38193e00

003535CE
d
00407BF2          8BC0             MOV EAX,EAX
00407BF4          - FF25 F8E77100    JMP [71E7F8]
00407BFA          8BC0             MOV EAX,EAX

00354E7F          55                PUSH EBP
00354E80          8BEC             MOV EBP,ESP
00354E82          56                PUSH ESI
00354E83          33C0             XOR EAX,EAX
00354E85          8B75 08          MOV ESI,[EBP+8]
00354E88          0BF6             OR ESI,ESI
00354E8A          74 12             JE SHORT 00354E9E
00354E8C          8B55 0C          MOV EDX,[EBP+C]
00354E8F          8B4D 10          MOV ECX,[EBP+10]
00354E92          2916             SUB [ESI],EDX
00354E94          294E 04          SUB [ESI+4],ECX
00354E97          0156 08          ADD [ESI+8],EDX
00354E9A          014E 0C          ADD [ESI+C],ECX
00354E9D          48                DEC EAX
00354E9E          5E                POP ESI
00354E9F          C9                LEAVE
00354EA0          C2 0C00          RETN 0C

007E1800 55             PUSH EBP
00183e00

00353196
5
1 time
0040755A          8BC0             MOV EAX,EAX
0040755C          - FF25 3CE87100    JMP [71E83C]
00407562          8BC0             MOV EAX,EAX

0041EB10          50                PUSH EAX
0041EB11          8B43 14          MOV EAX,[EBX+14]
0041EB14          50                PUSH EAX
0041EB15          E8 428AFEFF       CALL 0040755C                         ; 0040755C
0041EB1A          8BD0             MOV EDX,EAX

0041EB11          8B43 14          MOV EAX,[EBX+14]
0041EB14          EB 04             JMP SHORT 0041EB1A                      ; 0041EB1A
0041EB16          90                NOP
0041EB17          90                NOP
0041EB18          90                NOP
0041EB19          90                NOP
0041EB1A          8BD0             MOV EDX,EAX

00353E9F          8B4424 04       MOV EAX,[ESP+4]
00353EA3          83C4 08          ADD ESP,8
00353EA6          FF6424 F8       JMP [ESP-8]

00353765
10
xdll.dll
0040754A          8BC0             MOV EAX,EAX
0040754C          - FF25 40E97100    JMP [71E940]
00407552          8BC0             MOV EAX,EAX
LoadLibraryA

00353AA1
16
003544D9 8D89 D8474100 LEA ECX,[ECX+4147D8]
003544DF FFD1          CALL ECX

WSASend  74FB1525 55                PUSH EBP

00353B2C
17
00354550 8D89 18484100 LEA ECX,[ECX+414818]
00354556 FFD1          CALL ECX

WSARecv  74FB138E 55                PUSH EBP

0035001F          8B85 23414100    MOV EAX,[EBP+414123]                   ; KERNEL32.CreateFileMappingA

0035003A          8985 50474100    MOV [EBP+414750],EAX

0035006C          8B85 1A424100    MOV EAX,[EBP+41421A]                   ; KERNEL32.MapViewOfFile

0035007E          8985 60474100    MOV [EBP+414760],EAX

00456F8F          /0F85 EE000000    JNZ 00457083                            ; 00457083
00456F95          |68 C0704500       PUSH 4570C0                            ; ASCII "IMM32.DLL"
00456F9A          |E8 AD05FBFF       CALL 0040754C                         ; LoadLibraryA
00456F9F          |A3 80AD5800       MOV [58AD80],EAX
00456FA4          |833D 80AD5800 00 CMP DWORD PTR [58AD80],0
00456FAB          |0F84 D2000000    JE 00457083                            ; 00457083
00456FB1          |68 CC704500       PUSH 4570CC                            ; ASCII "ImmGetContext"
00456FB6          |A1 80AD5800       MOV EAX,[58AD80]
00456FBB          |50                PUSH EAX
00456FBC          |E8 C304FBFF       CALL 00407484                         ; 00407484
00456FC1          |A3 F41B5900       MOV [591BF4],EAX

00407484          - FF25 74E67100    JMP [71E674]

GetProcAddress

55 8B EC 56 33 C0 8B 75 08 0B F6 74 12 8B 55 0C 8B 4D 10 29 16 29 4E 04 01 56 08 01 4E 0C 48 5E
C9 C2 0C 00 55 8B EC 56 57 53 8B 45 08 8B 75 0C 8B 7D 10 0B C0 74 5B 0B F6 74 57 0B FF 74 53 8B
06 8B 0F 3B C1 7C 01 91 8B 46 08 8B 57 08 3B C2 7F 01 92 3B CA 7D 2C 8B 46 04 8B 5F 04 3B C3 7C
01 93 8B 46 0C 8B 7F 0C 3B C7 7F 01 97 3B DF 7D 12 8B 75 08 89 0E 89 5E 04 89 56 08 89 7E 0C B0
01 EB 0D 8B 7D 08 33 C0 B9 04 00 00 00 FC F3 AB EB 02 33 C0 5B 5F 5E C9 C2 0C 00 55 8B EC 53 8B
5D 10 8B CB 0B DB 79 02 F7 DB 8B 45 08 33 C8 0B C0 79 02 F7 D8 8B 55 0C 33 CA 0B D2 79 02 F7 DA
F7 E2 53 D1 FB 03 C3 83 D2 00 5B 3B D3 72 05 33 C0 48 EB 11 F7 F3 0B C0 79 05 33 C0 48 EB 06 0B
C9 79 02 F7 D8 5B C9 C2 0C 00 55 8B EC B8 01 00 00 00 56 8B 75 08 0B F6 74 11 8B 4E 08 3B 0E 7E
0A 8B 4E 0C 3B 4E 04 7E 02 33 C0 5E C9 C2 04 00 55 8B EC 8B 45 08 0B C0 74 1A 6A 01 8B 4D 18 89
48 0C 8B 4D 14 89 48 08 8B 4D 10 89 48 04 8B 4D 0C 89 08 58 C9 C2 14 00 55 8B EC 56 57 33 C0 8B
75 08 8B 7D 0C 0B F6 74 0F 0B FF 74 0B B9 04 00 00 00 FC F3 A7 75 01 40 5F 5E C9 C2 08 00 55 8B
EC 56 53 8B 4D 0C 8B 55 10 33 DB 8B 75 08 0B F6 74 16 FC AD 3B C8 7C 10 AD 3B D0 7C 0B AD 3B C8
7D 06 AD 3B D0 7D 01 43 8B C3 5B 5E C9 C2 0C 00 55 8B EC 56 33 C0 8B 75 08 0B F6 74 12 8B 55 0C
8B 4D 10 01 16 01 4E 04 01 56 08 01 4E 0C 40 5E C9 C2 0C 00 55 8B EC 83 C4 FC 60 8B 75 08 8B 7D
0C 33 C0 89 45 FC AC 3A 07 74 08 33 C0 48 89 45 FC EB 05 47 0A C0 75 EE 61 8B 45 FC C9 C2 08 00

007E1800

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (9)
kvip 雪币： 140 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	kvip 2 楼晕哟.看到一半看不懂了. 2005-12-14 11:42 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 3 楼里面很多错误的地方，也很多是多余的分析，我只是贴出来玩玩我自己看了都会晕 2005-12-14 12:12 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼 hying代码还是好懂，aspr想深入一点都云里雾里 2005-12-14 12:38 0
完美雪币： 208 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 18 回帖 186 粉丝 0 关注私信	完美 1 5 楼恩~~~~从脱壳笔记上看~~~~很像是小X的作品 FORGOT是那里人？ 2005-12-15 11:03 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 6 楼找到目标程序测试了。 OD无法加载，请教是怎么样加载的？论坛上有一些HYING 0.7的文章但都是传X主程序脱文。想学习一下，但是无法加载!!!!! 2005-12-17 14:06 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 7 楼 alt+o,events,system breakpoint,bp ZwSetInformationThread 2005-12-17 18:15 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 8 楼 77F8A1E0 > B8 C7000000 mov eax,0C7 断在这里 77F8A1E5 8D5424 04 lea edx,dword ptr ss:[esp+4] 77F8A1E9 CD 2E int 2E 过不去了 77F8A1EB C2 1000 retn 10 这里壳的入口好像还远吧？ 2005-12-17 19:57 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 9 楼 ///////////////////////////////////////////////////////////////////// 77F8A1E9 CD 2E INT 2E 这里过不去了？ 0012FFA0 00343578 SE handler 堆栈看不到类似的 bp 77F8A1E9 bp 00343578 请教谁知道为什么呀 ///////////////////////////////////////////////////////////////////// 2005-12-17 20:19 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 10 楼最初由 shaitan 发布 ///////////////////////////////////////////////////////////////////// 77F8A1E9 CD 2E INT 2E 这里过不去了？ 0012FFA0 00343578 SE handler 堆栈看不到类似的 bp 77F8A1E9 ........ 里面很多错误的地方，也很多是多余的分析，我只是贴出来玩玩我自己看了都会晕 2005-12-17 20:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

jskew

发帖

352

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (9)
kvip 雪币： 140 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	kvip 2 楼晕哟.看到一半看不懂了. 2005-12-14 11:42 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 3 楼里面很多错误的地方，也很多是多余的分析，我只是贴出来玩玩我自己看了都会晕 2005-12-14 12:12 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼 hying代码还是好懂，aspr想深入一点都云里雾里 2005-12-14 12:38 0
完美雪币： 208 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 18 回帖 186 粉丝 0 关注私信	完美 1 5 楼恩~~~~从脱壳笔记上看~~~~很像是小X的作品 FORGOT是那里人？ 2005-12-15 11:03 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 6 楼找到目标程序测试了。 OD无法加载，请教是怎么样加载的？论坛上有一些HYING 0.7的文章但都是传X主程序脱文。想学习一下，但是无法加载!!!!! 2005-12-17 14:06 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 7 楼 alt+o,events,system breakpoint,bp ZwSetInformationThread 2005-12-17 18:15 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 8 楼 77F8A1E0 > B8 C7000000 mov eax,0C7 断在这里 77F8A1E5 8D5424 04 lea edx,dword ptr ss:[esp+4] 77F8A1E9 CD 2E int 2E 过不去了 77F8A1EB C2 1000 retn 10 这里壳的入口好像还远吧？ 2005-12-17 19:57 0
shaitan 雪币： 233 活跃值： (160) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 36 粉丝 1 关注私信	shaitan 1 9 楼 ///////////////////////////////////////////////////////////////////// 77F8A1E9 CD 2E INT 2E 这里过不去了？ 0012FFA0 00343578 SE handler 堆栈看不到类似的 bp 77F8A1E9 bp 00343578 请教谁知道为什么呀 ///////////////////////////////////////////////////////////////////// 2005-12-17 20:19 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 10 楼最初由 shaitan 发布 ///////////////////////////////////////////////////////////////////// 77F8A1E9 CD 2E INT 2E 这里过不去了？ 0012FFA0 00343578 SE handler 堆栈看不到类似的 bp 77F8A1E9 ........ 里面很多错误的地方，也很多是多余的分析，我只是贴出来玩玩我自己看了都会晕 2005-12-17 20:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复