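// Unpacking helper in ODbgScript/OllyScript syntax (find, bphws, gpa, esto, asm, $RESULT).
// Flow: locate the packer's TLS-callback address and entry stub, break after the
// packer's VirtualAlloc call, follow two decode stages inside the allocated region,
// patch four 2-byte branches, then break where the IAT is processed.
// Script variables: i = current match / breakpoint address, k = scratch value,
// apiAlloc = address of VirtualAlloc. Numeric literals are hexadecimal (ODbgScript default),
// so "add i,14" means +0x14. Addresses in the comments (0043F556, 0d917cf, ...) are the
// values seen in the original author's session; they differ per target build and session.
// Every find/gpa result is checked against 0 (not found) so a failed search never sets a
// breakpoint at, jumps to, or patches address 0; the script stops at notfound instead.
find 430000, #F2EB2200000000#
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // TLS callback address was 0043F556, [0043F556]=0043ee79
log i
bphws i,"w"                     // hardware write breakpoint: stop when the packer writes this slot
run
bphwc i
find 430000, #60e8000000005d81# // pushad / call $+5 / pop ebp / 81 .. : the packer's entry stub
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // packer entry point was 0043C107
log i
bp i
run
bc i
gpa "VirtualAlloc", "kernel32.Dll" // resolve VirtualAlloc so the memory request can be intercepted
cmp $RESULT, 0
je notfound
mov apiAlloc , $RESULT
mov k,apiAlloc
add k,16                        // break 0x16 bytes into VirtualAlloc
bp k
esto
bc k
mov i,eax                       // assumes eax holds the returned base at this offset -- confirm for the kernel32 build in use
bphws i,"x"                     // hardware execute breakpoint on the allocated region
run
bphwc i
find eip, #B9??7?000051EB49#    // mov ecx,imm32 / push ecx / jmp short: first decode stage begins
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i                           // was 0d917cf
mov eip,i
find eip, #669CEB06#            // pushfw / jmp short +6
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i                           // was 0d91850
bp i
run
bc i
mov k,[eax]
and k, 00ff0000                 // keep only byte 2 (bits 16-23) of the dword at [eax]
xor k, 00330000                 // flip it with 0x33
log k
find eip, #833000#              // xor dword ptr [eax],0 -- its imm8 is the byte at i+2
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 0d918af
log i
xor [i],k                       // k is non-zero only in byte 2, so only the imm8 at i+2 changes
find eip, #E930000000#          // jmp near +0x30
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 00D918c2
log i
bp i
run
bc i                            // first decode stage ends
find eip, #E8000000005f#        // call $+5 / pop edi: second decode stage begins
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 00d991b1
log i
mov eip,i
find eip, #E252#                // loop short; was 00d996a1
cmp $RESULT, 0
je notfound
find $RESULT, #669CEB06#        // pushfw / jmp short +6, searched from the loop match
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 00d996a3
log i
bp i
run
bc i                            // second decode stage ends
find eip, #8B068907#            // mov eax,[esi] / mov [edi],eax
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 00dd28cb
log i
mov eip,i
add i,14
mov k,[i]                       // k = dword at match+0x14
log k
find 00a00000, #000000004B45524E454C33322E646C6C# // four zero bytes followed by "KERNEL32.dll": main code begins
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // was 00ddd1cc
log i
sub i,k
mov edx,i                       // edx = string match - k
sub k,28
add i,k
mov edi ,i                      // edi = string match - 0x28 (the k terms cancel)
mov i,ebp
add i,3c
mov esi,i                       // esi = ebp + 0x3c; presumably ebp is an image base and this is e_lfanew -- confirm
mov ecx,3
// Each patch below replaces a 2-byte short branch with a 2-byte mov reg,reg, so the
// instruction that follows is not overwritten.
find eip, #7AEA#                // fix code site 1: jp short
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i
asm i, "mov ebp,edx"
find eip, #70E0#                // fix code site 2: jo short
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i
asm i, "mov esi,eax"
find eip, #EB12#                // fix code site 3: jmp short +0x12
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i
asm i, "mov esi,edx"
find eip, #EB10#                // fix code site 4: jmp short +0x10
cmp $RESULT, 0
je notfound
mov i, $RESULT
log i
asm i, "mov esi,eax"
find eip, #0FB642FF#            // movzx eax, byte ptr [edx-1]
cmp $RESULT, 0
je notfound
find $RESULT, #8DB5#            // lea esi,[ebp+disp32], searched from the movzx match
cmp $RESULT, 0
je notfound
mov i, $RESULT                  // address where the IAT is processed
log i
bp i
run
bc i
ret                             // normal end of script
notfound:
msg "pattern not found - script stopped"
ret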