Software: Skype 2.0.0.76
Sample download: http://www.skype.com/download/
1. Basic information
Entry point (OEP):
005E7A28
Import table (IT):
Addr: 00B8F000, size: 00003E92
Import address table (IAT):
Addr: 00B8F21C-00B8FD38, size: 0B1C
2. Debugger detection, CODE decoding, and resolving the second IAT
// After loading, execution stops here: 005E7A28
005E7A28 > $ /EB 57 JMP SHORT Skype.005E7A81
005E7A81 > \E8 26010000 CALL Skype.005E7BAC ; // detect debug (1)
005E7A86 . 84C0 TEST AL,AL
005E7A88 . 74 1C JE SHORT Skype.005E7AA6
005E7A8A . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
005E7A8C . FF35 482FB800 PUSH DWORD PTR DS:[B82F48] ; |Title = "Skype"
005E7A92 . FF35 4C2FB800 PUSH DWORD PTR DS:[B82F4C] ; |Text = "Error: Skype is not compatible with debuggers like SoftICE .."
005E7A98 . 6A 00 PUSH 0 ; |hOwner = NULL
005E7A9A . E8 9910E2FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
005E7A9F . 6A 01 PUSH 1 ; /ExitCode = 1
005E7AA1 . E8 5A04E2FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
005E7AA6 > BA 011E1600 MOV EDX,161E01
005E7AAB . 81C2 A38BA100 ADD EDX,Skype.00A18BA3 ; // EDX = 00B7A9A4
005E7AB1 . 52 PUSH EDX
005E7AB2 . EB 10 JMP SHORT Skype.005E7AC4
005E7AB4 . BF 287A5E00 MOV EDI,Skype.<ModuleEntryPoint>
005E7AB9 . B9 C47A5E00 MOV ECX,Skype.005E7AC4
005E7ABE . 29F9 SUB ECX,EDI
005E7AC0 . 31C0 XOR EAX,EAX
005E7AC2 . F3:AA REP STOS BYTE PTR ES:[EDI]
005E7AC4 > E8 CF3F0100 CALL Skype.005FBA98
005E7AC9 . E8 AAFEFFFF CALL Skype.005E7978
005E7ACE . C3 RETN ; // return 00B7A9A4
00B7A9A4 . 55 PUSH EBP
00B7A9A5 . 8BEC MOV EBP,ESP
00B7A9A7 . B9 20000000 MOV ECX,20
00B7A9AC > 6A 00 PUSH 0
00B7A9AE . 6A 00 PUSH 0
00B7A9B0 . 49 DEC ECX
00B7A9B1 .^ 75 F9 JNZ SHORT Skype.00B7A9AC
00B7A9B3 . 53 PUSH EBX
00B7A9B4 . 56 PUSH ESI
00B7A9B5 . 57 PUSH EDI
00B7A9B6 . B8 749FB700 MOV EAX,Skype.00B79F74
00B7A9BB . E8 6CD088FF CALL Skype.00407A2C ; // *** Init CALL ****
00B7A9C0 . BF 78E6B800 MOV EDI,Skype.00B8E678
00B7A9C5 . 33C0 XOR EAX,EAX
00B7A9C7 . 55 PUSH EBP
00B7A9C8 . 68 1BBAB700 PUSH Skype.00B7BA1B
00B7A9CD . 64:FF30 PUSH DWORD PTR FS:[EAX]
00B7A9D0 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00B7A9D3 . A1 90B2B800 MOV EAX,DWORD PTR DS:[B8B290]
00B7A9D8 . C600 01 MOV BYTE PTR DS:[EAX],1
00B7A9DB . 6A 00 PUSH 0
00B7A9DD . E8 661D8AFF CALL <JMP.&ole32.OleInitialize>
00B7A9E2 . E8 3DB6A6FF CALL Skype.005E6024 ; // detect debug (2)
00B7A9E7 . 84C0 TEST AL,AL
00B7A9E9 . 74 1A JE SHORT Skype.00B7AA05
00B7A9EB . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00B7A9ED . 68 30BAB700 PUSH Skype.00B7BA30 ; |Title = "Skype"
00B7A9F2 . 68 38BAB700 PUSH Skype.00B7BA38 ; |Text = "Skype is not compatible with system debuggers like SoftICE."
00B7A9F7 . 6A 00 PUSH 0 ; |hOwner = NULL
00B7A9F9 . E8 32E188FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00B7A9FE . 6A 00 PUSH 0 ; /ExitCode = 0
00B7AA00 . E8 FBD488FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00B7AA05 > B9 7CBAB700 MOV ECX,Skype.00B7BA7C ; ASCII "Starting .."
00B7AA0A . BA 94BAB700 MOV EDX,Skype.00B7BA94 ; ASCII "Skype.main"
// Init call
00407A2C /$ 53 PUSH EBX
00407A2D |. 8BD8 MOV EBX,EAX
00407A2F |. 33C0 XOR EAX,EAX
00407A31 |. A3 A4C0B700 MOV DWORD PTR DS:[B7C0A4],EAX
00407A36 |. 6A 00 PUSH 0 ; /pModule = NULL
00407A38 |. E8 2BFFFFFF CALL <JMP.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00407A3D |. A3 68C6B800 MOV DWORD PTR DS:[B8C668],EAX
00407A42 |. A1 68C6B800 MOV EAX,DWORD PTR DS:[B8C668]
00407A47 |. A3 B0C0B700 MOV DWORD PTR DS:[B7C0B0],EAX
00407A4C |. 33C0 XOR EAX,EAX
00407A4E |. A3 B4C0B700 MOV DWORD PTR DS:[B7C0B4],EAX
00407A53 |. 33C0 XOR EAX,EAX
00407A55 |. A3 B8C0B700 MOV DWORD PTR DS:[B7C0B8],EAX
00407A5A |. E8 C1FFFFFF CALL Skype.00407A20
00407A5F |. BA ACC0B700 MOV EDX,Skype.00B7C0AC
00407A64 |. 8BC3 MOV EAX,EBX
00407A66 |. E8 95D2FFFF CALL Skype.00404D00 ; // F7
00407A6B |. 5B POP EBX
00407A6C \. C3 RETN
00404D00 /$ C705 14C0B800 F01240>MOV DWORD PTR DS:[B8C014],<JMP.&kernel32.RaiseException>
00404D0A |. C705 18C0B800 001340>MOV DWORD PTR DS:[B8C018],<JMP.&kernel32.RtlUnwind>
00404D14 |. A3 40C6B800 MOV DWORD PTR DS:[B8C640],EAX
00404D19 |. 33C0 XOR EAX,EAX
00404D1B |. A3 44C6B800 MOV DWORD PTR DS:[B8C644],EAX
00404D20 |. 8915 48C6B800 MOV DWORD PTR DS:[B8C648],EDX
00404D26 |. 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00404D29 |. A3 30C0B800 MOV DWORD PTR DS:[B8C030],EAX
00404D2E |. E8 A5FEFFFF CALL Skype.00404BD8
00404D33 |. C605 38C0B800 00 MOV BYTE PTR DS:[B8C038],0
00404D3A |. E8 51FFFFFF CALL Skype.00404C90
00404D3F \. C3 RETN
00404C90 $ 55 PUSH EBP
00404C91 . 8BEC MOV EBP,ESP
00404C93 . 83C4 F8 ADD ESP,-8
00404C96 . 53 PUSH EBX
00404C97 . 56 PUSH ESI
00404C98 . 57 PUSH EDI
00404C99 . BF 38C6B800 MOV EDI,Skype.00B8C638
00404C9E . 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
00404CA1 . 85C0 TEST EAX,EAX
00404CA3 . 74 54 JE SHORT Skype.00404CF9
00404CA5 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
00404CA7 . 33DB XOR EBX,EBX
00404CA9 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00404CAC . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00404CAF . 33C0 XOR EAX,EAX
00404CB1 . 55 PUSH EBP
00404CB2 . 68 E54C4000 PUSH Skype.00404CE5
00404CB7 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00404CBA . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404CBD . 3BF3 CMP ESI,EBX
00404CBF . 7E 1A JLE SHORT Skype.00404CDB
00404CC1 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00404CC4 . 8B04D8 MOV EAX,DWORD PTR DS:[EAX+EBX*8]
00404CC7 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00404CCA . 43 INC EBX
00404CCB . 895F 0C MOV DWORD PTR DS:[EDI+C],EBX
00404CCE . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00404CD2 . 74 03 JE SHORT Skype.00404CD7
00404CD4 . FF55 F8 CALL DWORD PTR SS:[EBP-8] ; // Call each init func; the one at 00B75AF0 is the critical one
00404CD7 > 3BF3 CMP ESI,EBX
00404CD9 .^ 7F E6 JG SHORT Skype.00404CC1
00404CDB > 33C0 XOR EAX,EAX
00404CDD . 5A POP EDX
00404CDE . 59 POP ECX
00404CDF . 59 POP ECX
00404CE0 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00404CE3 . EB 14 JMP SHORT Skype.00404CF9
00404CE5 .^ E9 3AF9FFFF JMP Skype.00404624
00404CEA . E8 31FFFFFF CALL Skype.00404C20
00404CEF . E8 08FDFFFF CALL Skype.004049FC
00404CF4 . E8 57FDFFFF CALL Skype.00404A50
00404CF9 > 5F POP EDI
00404CFA . 5E POP ESI
00404CFB . 5B POP EBX
00404CFC . 59 POP ECX
00404CFD . 59 POP ECX
00404CFE . 5D POP EBP
00404CFF . C3 RETN
3. The most critical Init CALL
00B75AF0-00B75EB1, CODE decoding, and resolving the second IAT
// Decodes 00724F70-00B70F70 (size 0044C000) and resolves the second IAT
// Second IAT:
Addr: 00A09F70-00A0A38C, size: 041C
// After 00B75AF0 returns, the memory is all plaintext.
00B75AF0 /> /55 PUSH EBP
00B75AF1 |. |8BEC MOV EBP,ESP
00B75AF3 |. |83C4 A0 ADD ESP,-60
00B75AF6 |. |33C0 XOR EAX,EAX
00B75AF8 |. |8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00B75AFB |. |8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
00B75AFE |. |8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00B75B01 |. |8945 AC MOV DWORD PTR SS:[EBP-54],EAX
00B75B04 |. |33C0 XOR EAX,EAX
00B75B06 |. |55 PUSH EBP
00B75B07 |. |68 A75EB700 PUSH Skype.00B75EA7
00B75B0C |. |64:FF30 PUSH DWORD PTR FS:[EAX]
00B75B0F |. |64:8920 MOV DWORD PTR FS:[EAX],ESP
00B75B12 |. |A1 18BAB800 MOV EAX,DWORD PTR DS:[B8BA18]
00B75B17 |. |C700 09000000 MOV DWORD PTR DS:[EAX],9
00B75B1D |. |B8 287A5E00 MOV EAX,Skype.<ModuleEntryPoint>
00B75B22 |. |8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00B75B25 |. C745 D0 F4000000 MOV DWORD PTR SS:[EBP-30],0F4
00B75B2C |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B2F |. 50 PUSH EAX ; /pOldProtect
00B75B30 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00B75B32 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B35 |. 50 PUSH EAX ; |Size
00B75B36 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B39 |. 50 PUSH EAX ; |Address
00B75B3A |. E8 192789FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75B3F |. 85C0 TEST EAX,EAX
00B75B41 |. 75 0A JNZ SHORT Skype.00B75B4D
00B75B43 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B48 |. E8 2BFAFFFF CALL Skype.00B75578
00B75B4D |> 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00B75B50 |. 33C9 XOR ECX,ECX
00B75B52 |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00B75B55 |. E8 96DD88FF CALL Skype.004038F0
00B75B5A |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75B5D |. 50 PUSH EAX ; /pOldProtect
00B75B5E |. 6A 20 PUSH 20 ; |NewProtect = PAGE_EXECUTE_READ
00B75B60 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; |
00B75B63 |. 50 PUSH EAX ; |Size
00B75B64 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; |
00B75B67 |. 50 PUSH EAX ; |Address
00B75B68 |. E8 EB2689FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75B6D |. 85C0 TEST EAX,EAX
00B75B6F |. 75 0A JNZ SHORT Skype.00B75B7B
00B75B71 |. B8 BC5EB700 MOV EAX,Skype.00B75EBC ; ASCII "0ut of memory"
00B75B76 |. E8 FDF9FFFF CALL Skype.00B75578
00B75B7B |> C605 0C5FB800 01 MOV BYTE PTR DS:[B85F0C],1
00B75B82 |. 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
00B75B84 |. 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
00B75B89 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75B8E |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75B8F |. 6A 00 PUSH 0 ; |Address = NULL
00B75B91 |. E8 B22689FF CALL <JMP.&kernel32.VirtualAlloc> ; \VirtualAlloc
00B75B96 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75B9B |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75BA2 |. 75 0A JNZ SHORT Skype.00B75BAE
00B75BA4 |. B8 D45EB700 MOV EAX,Skype.00B75ED4 ; ASCII "Not enough memory!"
00B75BA9 |. E8 CAF9FFFF CALL Skype.00B75578
00B75BAE |> B8 684F7200 MOV EAX,Skype.00724F68
00B75BB3 |. BA 684F7200 MOV EDX,Skype.00724F68
00B75BB8 |. 0302 ADD EAX,DWORD PTR DS:[EDX]
00B75BBA |. 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
00B75BBD |. 33C0 XOR EAX,EAX
00B75BBF |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00B75BC2 |. E9 83000000 JMP Skype.00B75C4A
00B75BC7 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
00B75BCA |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75BCD |. 8B0485 185FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F18]
00B75BD4 |. 0345 CC |ADD EAX,DWORD PTR SS:[EBP-34]
00B75BD7 |. 8945 F4 |MOV DWORD PTR SS:[EBP-C],EAX
00B75BDA |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00B75BDD |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75BE0 |. 8B0485 105FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F10]
00B75BE7 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C]
00B75BED |. 8945 F0 |MOV DWORD PTR SS:[EBP-10],EAX
00B75BF0 |. C745 EC 0FF07770 |MOV DWORD PTR SS:[EBP-14],7077F00F
00B75BF7 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00B75BFA |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75BFD |. 8B0485 1C5FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F1C]
00B75C04 |. C1E8 02 |SHR EAX,2
00B75C07 |. 48 |DEC EAX
00B75C08 |. 85C0 |TEST EAX,EAX
00B75C0A |. 72 3B |JB SHORT Skype.00B75C47
00B75C0C |. 40 |INC EAX
00B75C0D |. 8945 C8 |MOV DWORD PTR SS:[EBP-38],EAX
00B75C10 |. C745 E8 00000000 |MOV DWORD PTR SS:[EBP-18],0
00B75C17 |> 8B45 F4 |/MOV EAX,DWORD PTR SS:[EBP-C]
00B75C1A |. 8B55 E8 ||MOV EDX,DWORD PTR SS:[EBP-18]
00B75C1D |. 8B0490 ||MOV EAX,DWORD PTR DS:[EAX+EDX*4]
00B75C20 |. 3345 EC ||XOR EAX,DWORD PTR SS:[EBP-14]
00B75C23 |. 8B55 F0 ||MOV EDX,DWORD PTR SS:[EBP-10]
00B75C26 |. 8B4D E8 ||MOV ECX,DWORD PTR SS:[EBP-18]
00B75C29 |. 89048A ||MOV DWORD PTR DS:[EDX+ECX*4],EAX
00B75C2C |. 8B45 F4 ||MOV EAX,DWORD PTR SS:[EBP-C]
00B75C2F |. 8B55 E8 ||MOV EDX,DWORD PTR SS:[EBP-18]
00B75C32 |. 8B0490 ||MOV EAX,DWORD PTR DS:[EAX+EDX*4]
00B75C35 |. 3345 EC ||XOR EAX,DWORD PTR SS:[EBP-14]
00B75C38 |. 8945 D8 ||MOV DWORD PTR SS:[EBP-28],EAX
00B75C3B |. 8345 EC 71 ||ADD DWORD PTR SS:[EBP-14],71
00B75C3F |. FF45 E8 ||INC DWORD PTR SS:[EBP-18]
00B75C42 |. FF4D C8 ||DEC DWORD PTR SS:[EBP-38]
00B75C45 |.^ 75 D0 |\JNZ SHORT Skype.00B75C17
00B75C47 |> FF45 F8 |INC DWORD PTR SS:[EBP-8]
00B75C4A |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00B75C4D |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75C50 |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75C58 |.^ 0F87 69FFFFFF \JA Skype.00B75BC7
00B75C5E |. 33C0 XOR EAX,EAX
00B75C60 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00B75C63 |. 33C0 XOR EAX,EAX
00B75C65 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00B75C68 |. C745 E8 01000000 MOV DWORD PTR SS:[EBP-18],1
00B75C6F |> 8B45 E8 /MOV EAX,DWORD PTR SS:[EBP-18]
00B75C72 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75C75 |. 833C85 685FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F68],0
00B75C7D |. 75 14 |JNZ SHORT Skype.00B75C93
00B75C7F |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75C82 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75C85 |. 833C85 6C5FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F6C],0
00B75C8D |. 0F84 DC000000 |JE Skype.00B75D6F
00B75C93 |> 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75C96 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75C99 |. 833C85 705FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F70],0
00B75CA1 |. 75 53 |JNZ SHORT Skype.00B75CF6
00B75CA3 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75CA6 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75CA9 |. 8B0485 685FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F68]
00B75CB0 |. E8 B7F888FF |CALL Skype.0040556C
00B75CB5 |. 50 |PUSH EAX ; /FileName
00B75CB6 |. E8 AD2489FF |CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
00B75CBB |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
00B75CBE |. 837D E4 00 |CMP DWORD PTR SS:[EBP-1C],0
00B75CC2 |. 0F85 A7000000 |JNZ Skype.00B75D6F
00B75CC8 |. 68 F05EB700 |PUSH Skype.00B75EF0 ; ASCII "Cannot load the DLL ("
00B75CCD |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75CD0 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75CD3 |. FF3485 685FB800 |PUSH DWORD PTR DS:[EAX*4+B85F68]
00B75CDA |. 68 105FB700 |PUSH Skype.00B75F10 ; ASCII ")!"
00B75CDF |. 8D45 AC |LEA EAX,DWORD PTR SS:[EBP-54]
00B75CE2 |. BA 03000000 |MOV EDX,3
00B75CE7 |. E8 40F788FF |CALL Skype.0040542C
00B75CEC |. 8B45 AC |MOV EAX,DWORD PTR SS:[EBP-54]
00B75CEF |. E8 84F8FFFF |CALL Skype.00B75578
00B75CF4 |. EB 79 |JMP SHORT Skype.00B75D6F
00B75CF6 |> 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75CF9 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75CFC |. 833C85 6C5FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F6C],0
00B75D04 |. 75 21 |JNZ SHORT Skype.00B75D27
00B75D06 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75D09 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75D0C |. 8B0485 685FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F68]
00B75D13 |. E8 54F888FF |CALL Skype.0040556C
00B75D18 |. 50 |PUSH EAX ; /ProcNameOrOrdinal
00B75D19 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C] ; |
00B75D1C |. 50 |PUSH EAX ; |hModule
00B75D1D |. E8 362389FF |CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
00B75D22 |. 8945 E0 |MOV DWORD PTR SS:[EBP-20],EAX
00B75D25 |. EB 1A |JMP SHORT Skype.00B75D41
00B75D27 |> 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75D2A |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75D2D |. 8B0485 6C5FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F6C]
00B75D34 |. 50 |PUSH EAX ; /ProcNameOrOrdinal
00B75D35 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C] ; |
00B75D38 |. 50 |PUSH EAX ; |hModule
00B75D39 |. E8 1A2389FF |CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
00B75D3E |. 8945 E0 |MOV DWORD PTR SS:[EBP-20],EAX
00B75D41 |> 837D E0 00 |CMP DWORD PTR SS:[EBP-20],0
00B75D45 |. 75 0A |JNZ SHORT Skype.00B75D51
00B75D47 |. B8 1C5FB700 |MOV EAX,Skype.00B75F1C ; ASCII "Failed to load function!"
00B75D4C |. E8 27F8FFFF |CALL Skype.00B75578
00B75D51 |> 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00B75D54 |. 0145 DC |ADD DWORD PTR SS:[EBP-24],EAX
00B75D57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75D5A |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00B75D5D |. 8B0485 705FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F70]
00B75D64 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C]
00B75D6A |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
00B75D6D |. 8910 |MOV DWORD PTR DS:[EAX],EDX
00B75D6F |> FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75D72 |. 817D E8 09010000 |CMP DWORD PTR SS:[EBP-18],109
00B75D79 |.^ 0F85 F0FEFFFF \JNZ Skype.00B75C6F
00B75D7F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00B75D82 |. 50 PUSH EAX ; /pOldProtect
00B75D83 |. 6A 04 PUSH 4 ; |NewProtect = PAGE_READWRITE
00B75D85 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60] ; |
00B75D8A |. 50 PUSH EAX ; |Size => 44C000 (4505600.)
00B75D8B |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
00B75D8E |. 50 PUSH EAX ; |Address
00B75D8F |. E8 C42489FF CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75D94 |. 85C0 TEST EAX,EAX
00B75D96 |. 75 51 JNZ SHORT Skype.00B75DE9
00B75D98 |. 68 405FB700 PUSH Skype.00B75F40 ; ASCII "error 9920 ("
00B75D9D |. 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
00B75DA0 |. B2 08 MOV DL,8
00B75DA2 |. A1 605FB800 MOV EAX,DWORD PTR DS:[B85F60]
00B75DA7 |. E8 E09791FF CALL Skype.0048F58C
00B75DAC |. FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
00B75DAF |. 68 585FB700 PUSH Skype.00B75F58
00B75DB4 |. E8 572289FF CALL <JMP.&kernel32.GetLastError> ; [GetLastError
00B75DB9 |. 33D2 XOR EDX,EDX
00B75DBB |. 52 PUSH EDX ; /Arg2 => 00000000
00B75DBC |. 50 PUSH EAX ; |Arg1
00B75DBD |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] ; |
00B75DC0 |. E8 9B5189FF CALL Skype.0040AF60 ; \Skype.0040AF60
00B75DC5 |. FF75 A0 PUSH DWORD PTR SS:[EBP-60]
00B75DC8 |. 68 645FB700 PUSH Skype.00B75F64
00B75DCD |. 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00B75DD0 |. BA 05000000 MOV EDX,5
00B75DD5 |. E8 52F688FF CALL Skype.0040542C
00B75DDA |. 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
00B75DDD |. E8 46468CFF CALL Skype.0043A428
00B75DE2 |. 6A 00 PUSH 0 ; /ExitCode = 0
00B75DE4 |. E8 172189FF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00B75DE9 |> 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00B75DEC |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C]
00B75DF1 |. 8B0D 605FB800 MOV ECX,DWORD PTR DS:[B85F60] ; Skype.0044C000
00B75DF7 |. E8 14D388FF CALL Skype.00403110
00B75DFC |. 68 00800000 PUSH 8000 ; /FreeType = MEM_RELEASE
00B75E01 |. 6A 00 PUSH 0 ; |Size = 0
00B75E03 |. A1 4CE1B800 MOV EAX,DWORD PTR DS:[B8E14C] ; |
00B75E08 |. 50 PUSH EAX ; |Address => NULL
00B75E09 |. E8 422489FF CALL <JMP.&kernel32.VirtualFree> ; \VirtualFree
00B75E0E |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00B75E11 |. A3 4CE1B800 MOV DWORD PTR DS:[B8E14C],EAX
00B75E16 |. 33C0 XOR EAX,EAX
00B75E18 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00B75E1B |> 8D45 FC /LEA EAX,DWORD PTR SS:[EBP-4]
00B75E1E |. 50 |PUSH EAX ; /pOldProtect
00B75E1F |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E22 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E25 |. 8B0485 205FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F20] ; |
00B75E2C |. 50 |PUSH EAX ; |NewProtect
00B75E2D |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E30 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E33 |. 8B0485 145FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F14] ; |
00B75E3A |. 50 |PUSH EAX ; |Size
00B75E3B |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] ; |
00B75E3E |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; |
00B75E41 |. 8B0485 105FB800 |MOV EAX,DWORD PTR DS:[EAX*4+B85F10] ; |
00B75E48 |. 0305 4CE1B800 |ADD EAX,DWORD PTR DS:[B8E14C] ; |
00B75E4E |. 50 |PUSH EAX ; |Address
00B75E4F |. E8 042489FF |CALL <JMP.&kernel32.VirtualProtect> ; \VirtualProtect
00B75E54 |. FF45 E8 |INC DWORD PTR SS:[EBP-18]
00B75E57 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
00B75E5A |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00B75E5D |. 833C85 105FB800 00 |CMP DWORD PTR DS:[EAX*4+B85F10],0
00B75E65 |.^ 75 B4 \JNZ SHORT Skype.00B75E1B
00B75E67 |. A1 705FB800 MOV EAX,DWORD PTR DS:[B85F70]
00B75E6C |. 0305 4CE1B800 ADD EAX,DWORD PTR DS:[B8E14C]
00B75E72 |. 6A 00 PUSH 0
00B75E74 |. 6A 01 PUSH 1
00B75E76 |. FF35 4CE1B800 PUSH DWORD PTR DS:[B8E14C]
00B75E7C |. FFD0 CALL EAX
00B75E7E |. 833D 4CE1B800 00 CMP DWORD PTR DS:[B8E14C],0
00B75E85 |. 75 05 JNZ SHORT Skype.00B75E8C
00B75E87 |. E8 3805A7FF CALL Skype.005E63C4
00B75E8C |> 33C0 XOR EAX,EAX
00B75E8E |. 5A POP EDX
00B75E8F |. 59 POP ECX
00B75E90 |. 59 POP ECX
00B75E91 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00B75E94 |. 68 AE5EB700 PUSH Skype.00B75EAE
00B75E99 |> 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00B75E9C |. BA 04000000 MOV EDX,4
00B75EA1 |. E8 FEF188FF CALL Skype.004050A4
00B75EA6 \. C3 RETN
00B75EA7 .^ E9 2CEA88FF JMP Skype.004048D8
00B75EAC .^ EB EB JMP SHORT Skype.00B75E99
00B75EAE . 8BE5 MOV ESP,EBP
00B75EB0 . 5D POP EBP
00B75EB1 . C3 RETN
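As an added illustration (not code from the post or from Skype), the following Python reproduces the two loops of 00B75AF0 listed above on constructed data: the per-section rolling XOR at 00B75C17 and the walk of the 3-dword import table at 00B75C6F. The table layouts are read off the listing; the get_proc stand-in for LoadLibraryA/GetProcAddress and every sample value are assumptions.

```python
import struct

# Constants taken from the listing of 00B75AF0 (section 3 above).
KEY_INIT = 0x7077F00F   # MOV DWORD PTR SS:[EBP-14],7077F00F at 00B75BF0
KEY_STEP = 0x71         # ADD DWORD PTR SS:[EBP-14],71 at 00B75C3B
SECTION_FMT = "<5I"     # 5-dword rows at B85F10: dest_off, size, src_off, byte_len, protect

def rolling_xor(chunk: bytes) -> bytes:
    """Inner loop 00B75C17..00B75C45: XOR each dword with a key that starts at
    KEY_INIT and grows by KEY_STEP per dword. XOR is its own inverse, so the
    same function encodes and decodes. Tail bytes are dropped (byte_len SHR 2)."""
    key, out = KEY_INIT, bytearray()
    for (word,) in struct.iter_unpack("<I", chunk[:len(chunk) & ~3]):
        out += struct.pack("<I", word ^ key)
        key = (key + KEY_STEP) & 0xFFFFFFFF
    return bytes(out)

def decode_region(table: bytes, src: bytes, region_size: int) -> bytearray:
    """Outer loop 00B75BC7..00B75C58: walk section rows until dest_off == 0,
    decoding src[src_off:src_off+byte_len] into the scratch buffer (the
    VirtualAlloc block) at dest_off. The key restarts for every section."""
    buf = bytearray(region_size)
    for dest_off, _size, src_off, byte_len, _prot in struct.iter_unpack(SECTION_FMT, table):
        if dest_off == 0:
            break
        n = byte_len & ~3
        buf[dest_off:dest_off + n] = rolling_xor(src[src_off:src_off + n])
    return buf

def resolve_second_iat(rows, buf: bytearray, get_proc):
    """Loop 00B75C6F..00B75D79 over (name, proc, dest_off) rows. dest_off == 0
    marks a LoadLibraryA row; later rows resolve an import from that DLL (by
    name when proc is None, else by proc/ordinal) and store the address at
    buf[dest_off]. get_proc stands in for GetProcAddress (assumption); the
    routine also keeps a running sum of the addresses in [EBP-24]."""
    dll, total = None, 0
    for name, proc, dest_off in rows:
        if name is None and proc is None:
            continue                      # empty row, skipped by the two CMPs
        if dest_off == 0:
            dll = name                    # LoadLibraryA(name)
            continue
        addr = get_proc(dll, name if proc is None else proc)
        if not addr:
            raise RuntimeError("Failed to load function!")
        total = (total + addr) & 0xFFFFFFFF
        buf[dest_off:dest_off + 4] = struct.pack("<I", addr)
    return total

def demo():
    """Constructed sample (not data from the Skype binary): two encoded
    sections plus a terminator row, and a four-row import table."""
    plain_a, plain_b = b"A" * 16, bytes(range(8))
    src = rolling_xor(plain_a) + rolling_xor(plain_b)          # "packed" bytes
    table = struct.pack(SECTION_FMT, 0x10, 0x10, 0, 16, 0x20)
    table += struct.pack(SECTION_FMT, 0x30, 0x08, 16, 8, 0x04)
    table += struct.pack(SECTION_FMT, 0, 0, 0, 0, 0)           # terminator
    buf = decode_region(table, src, 0x40)
    fake = {("kernel32.dll", "ExitProcess"): 0x11111111, ("ws2_32.dll", 16): 0x22222222}
    rows = [("kernel32.dll", None, 0), ("ExitProcess", None, 0x20),
            ("ws2_32.dll", None, 0), (None, 16, 0x24)]
    total = resolve_second_iat(rows, buf, lambda d, s: fake.get((d, s), 0))
    return bytes(buf), total
```

Note that the real import loop starts at row 1 and runs to a fixed count of 0x109 rather than to a terminator; row 0's dest_off is used afterwards at 00B75E67 as the entry called with (base, 1, 0).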
4. First open question: two IATs, how to repair them?
The program has two IATs, one resolved by the loader and one resolved by the program itself. If you want to decompile and analyze it with W32DASM or DEDE,
how do you repair the IAT after dumping a correct image?
The two IATs are far apart in memory, and ImportRec doesn't seem to work. Surely you don't have to build the import table (IT) by hand?
This is what I did:
a. Decompiled the original program with W32DASM: the first half is correct, 00724F70-00B70F70 is garbage
b. Dumped the image after 00B75AF0 returns, selected the second IAT, repaired it with ImportRec, then decompiled with W32DASM again;
the result is that 00724F70-00B70F70 is correct, but the API CALL information for the first half is gone!
c. A single W32DASM decompile takes half an hour, and the .ALF file is 200 MB
5. Second question: what is the program's main anti-debug, and how to defeat it? That is, how to make it run normally under OD without killing itself?
a. The problem is this: load the program in OllyDbg and ignore all exceptions, and it runs correctly. Actually there is only one main exception, E06D7363,
all raised by the program itself; it is just that there are too many CALL sites and they are called too often.
b. The program has self-checking. Set an F2 breakpoint in the program, and after tracing for a while you get:
Debugged program was unable to process exception
For example, set an F2 breakpoint at 0088E263 and debug again: it crashes very easily, but I can't find where the self-check is,
and it is random: sometimes it happens quickly, sometimes it takes a long time.
0088E250 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0088E254 56 PUSH ESI
0088E255 8BF1 MOV ESI,ECX
0088E257 57 PUSH EDI
0088E258 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0088E25C 6A 00 PUSH 0
0088E25E 8B16 MOV EDX,DWORD PTR DS:[ESI]
0088E260 50 PUSH EAX ; BufSize = 5DC
0088E261 51 PUSH ECX ; Buffer = 04F91008
0088E262 52 PUSH EDX ; Socket = 348
0088E263 E8 8C981500 CALL Skype.009E7AF4 ; JMP to WS2_32.recv
0088E268 8BF8 MOV EDI,EAX
0088E26A 85FF TEST EDI,EDI
c. After stopping at the F2 breakpoint at 0088E263, set a hardware access breakpoint on 0088E260 and press F9 to run: either it runs a few more times, or
Debugged program was unable to process exception
But a hardware access breakpoint on the CODE near the F2 breakpoint never triggers; I really don't understand it.