cyclotron's CSpy v1.03 released: a simple unpacking walkthrough
Using the modified OllyDbg, untick [Ignore also following custom exceptions or ranges] in the Exceptions options.
After loading, run; it breaks at:
0040F4B9 LOCK CMPXCHG8B EAX ; illegal use of register
0040F4BD JMP SHORT CSpy.0040F509
0040F4BF JMP SHORT CSpy.0040F508
This exception was discussed last time; patching OD removes OD's prompt message. Run with Shift+F9; the program runs after the 18th pass.
Reload; after reaching the exception, press Shift+F9 17 times, then Alt+M to open the memory window, set a break-on-access on the code section, and run with Shift+F9.
It breaks at:
004134DD XCHG BYTE PTR DS:[ESI],BL ;[ESI]=00401002
004134DF JMP SHORT CSpy.0041352A
Running shows that the packer keeps modifying the program's code; tracing it one step at a time is too tedious, so set a break-on-access on a segment towards the end of the code:
00401C40 40 DB 40 ; CHAR '@'
00401C41 00 DB 00
00401C42 FF DB FF
00401C43 25 DB 25 ; CHAR '%'
00401C44 5C DB 5C ; CHAR '\'
00401C45 9E DB 9E
00401C46 40 DB 40 ; CHAR '@'
00401C47 00 DB 00
00401C48 00 DB 00
Set a break-on-access on the code above and run until:
00413DFB CMP WORD PTR DS:[EDI],25FF
00413E00 JMP SHORT CSpy.00413E4F
Now DS:[EDI]=00401C48, which means the packer is about to finish its job :D
Switch to F7 single-stepping:
00413F40 CMP EDI,DWORD PTR SS:[EBP+402239]
00413F46 JMP SHORT CSpy.00413F95
EDI=00001C49
[EBP+402239]=00001C48
00413F71 JBE CSpy.00413CCE
00413F77 JMP SHORT CSpy.00413FC4
;finished, leaving the loop
00413FA0 MOV EDX,DWORD PTR SS:[EBP+4072FA] ; CSpy.00400000
00413FA6 JMP SHORT CSpy.00413FF3
00413FCF MOV ESI,DWORD PTR SS:[EBP+40864E] ;SS:[EBP+40864E]=000020D0
00413FD5 JMP SHORT CSpy.0041401E ;IAT table?
00413FFE ADD ESI,EDX ; CSpy.00400000
00414000 JMP SHORT CSpy.0041404C ;end address of the IAT table
0041402B MOV EAX,DWORD PTR DS:[ESI+C] ;DS:[ESI+C]=004020DC
0041402E JMP SHORT CSpy.00414077
Let's look at what is at this address:
004020DC B8 22 00 00 18 20 00 00 ?.. ..
004020E4 74 21 00 00 00 00 00 00 t!......
004020EC 00 00 00 00 F0 24 00 00 ....?..
004020F4 40 20 00 00 34 21 00 00 @ ..4!..
004020FC 00 00 00 00 00 00 00 00 ........
00402104 3C 25 00 00 00 20 00 00 <%... ..
0040210C FC 21 00 00 00 00 00 00 ?......
00402114 00 00 00 00 54 25 00 00 ....T%..
0040211C C8 20 00 00 00 00 00 00 ?......
00402124 00 00 00 00 00 00 00 00 ........
0040212C 00 00 00 00 00 00 00 00 ........
00402134 32 25 00 00 26 25 00 00 2%..&%..
0040213C FC 24 00 00 1A 25 00 00 ?..%..
00402144 10 25 00 00 00 00 00 00 %......
0040214C 44 22 00 00 A2 22 00 00 D"..?..
00402154 82 22 00 00 66 22 00 00 ?..f"..
0040215C 52 22 00 00 9A 22 00 00 R"..?..
00402164 14 22 00 00 2C 22 00 00 "..,"..
0040216C 04 22 00 00 00 00 00 00 "......
00402174 40 23 00 00 4C 23 00 00 @#..L#..
0040217C 2E 23 00 00 1E 23 00 00 .#..#..
00402184 5C 23 00 00 74 23 00 00 \#..t#..
0040218C 82 23 00 00 96 23 00 00 ?..?..
00402194 F6 22 00 00 6C 23 00 00 ?..l#..
0040219C 08 24 00 00 E0 23 00 00 $..?..
004021A4 EE 23 00 00 FA 23 00 00 ?..?..
004021AC 08 23 00 00 16 24 00 00 #..$..
004021B4 26 24 00 00 32 24 00 00 &$..2$..
004021BC 42 24 00 00 54 24 00 00 B$..T$..
004021C4 72 24 00 00 84 24 00 00 r$..?..
004021CC 94 24 00 00 A6 24 00 00 ?..?..
004021D4 BA 24 00 00 C8 24 00 00 ?..?..
004021DC DE 24 00 00 E4 22 00 00 ?..?..
004021E4 D2 22 00 00 C6 22 00 00 ?..?..
004021EC B8 23 00 00 A8 23 00 00 ?..?..
004021F4 CA 23 00 00 00 00 00 00 ?......
004021FC 46 25 00 00 00 00 00 00 F%......
004140B3 ADD EAX,EDX ; CSpy.00400000
004140B5 JMP SHORT CSpy.00414100 ; EAX=000022B8
00414137 MOV EAX,DWORD PTR SS:[EBP+40ACF4] ; kernel32.GetModuleHandleA
0041413D JMP SHORT CSpy.00414189
So the table above is the pointer table used for writing the IAT.
004141BF MOV CL,0CC ; getting ready to do something :)
004141C1 JMP SHORT CSpy.0041420A
Look here:
004141EA CMP CL,BYTE PTR DS:[EAX] ; here it goes
004141EC JMP SHORT CSpy.00414237
00414217 JNZ SHORT CSpy.00414290 ; this should jump
00414219 JMP SHORT CSpy.00414262 ; OVER?
Again:
0041426F CMP CL,BYTE PTR DS:[EAX+1]
00414272 JMP SHORT CSpy.004142BD
Not bad:
004142F3 CMP CL,BYTE PTR DS:[EAX+2]
004142F6 JMP SHORT CSpy.00414341
Getting tedious:
00414379 CMP CL,BYTE PTR DS:[EAX+3]
0041437C JMP SHORT CSpy.004143C7
Not like this :(
004143FD CMP CL,BYTE PTR DS:[EAX+4]
00414400 JMP SHORT CSpy.0041444B
If this doesn't end soon I'll #$%^
00414483 CMP CL,BYTE PTR DS:[EAX+5]
00414486 JMP SHORT CSpy.004144D1
00414535 JMP EAX ; kernel32.GetModuleHandleA
00414537 JMP SHORT CSpy.00414580
00414A13 MOV DWORD PTR SS:[EBP+408646],EAX ; kernel32.77E40000
00414A19 JMP SHORT CSpy.00414A6A
00414A77 MOV EDX,DWORD PTR SS:[EBP+4072FA] ; CSpy.00400000
00414A7D JMP SHORT CSpy.00414AC8
00414AA8 MOV EAX,DWORD PTR DS:[ESI] ; DS:[ESI]=004020D0
00414AAA JMP SHORT CSpy.00414AF3
00414B57 ADD EAX,EDX ; CSpy.00400000
00414B59 JMP SHORT CSpy.00414BA6 ; EAX=0000214C
Now look at another table:
00402000 32 25 00 00 26 25 00 00 2%..&%..
00402008 FC 24 00 00 1A 25 00 00 ?..%..
00402010 10 25 00 00 00 00 00 00 %......
00402018 44 22 00 00 A2 22 00 00 D"..?..
00402020 82 22 00 00 66 22 00 00 ?..f"..
00402028 52 22 00 00 9A 22 00 00 R"..?..
00402030 14 22 00 00 2C 22 00 00 "..,"..
00402038 04 22 00 00 00 00 00 00 "......
00402040 40 23 00 00 4C 23 00 00 @#..L#..
00402048 2E 23 00 00 1E 23 00 00 .#..#..
00402050 5C 23 00 00 74 23 00 00 \#..t#..
00402058 82 23 00 00 96 23 00 00 ?..?..
00402060 F6 22 00 00 6C 23 00 00 ?..l#..
00402068 08 24 00 00 E0 23 00 00 $..?..
00402070 EE 23 00 00 FA 23 00 00 ?..?..
00402078 08 23 00 00 16 24 00 00 #..$..
00402080 26 24 00 00 32 24 00 00 &$..2$..
00402088 42 24 00 00 54 24 00 00 B$..T$..
00402090 72 24 00 00 84 24 00 00 r$..?..
00402098 94 24 00 00 A6 24 00 00 ?..?..
004020A0 BA 24 00 00 C8 24 00 00 ?..?..
004020A8 DE 24 00 00 E4 22 00 00 ?..?..
004020B0 D2 22 00 00 C6 22 00 00 ?..?..
004020B8 B8 23 00 00 A8 23 00 00 ?..?..
004020C0 CA 23 00 00 00 00 00 00 ?......
004020C8 46 25 00 00 00 00 00 00 F%......
004020D0 4C 21 00 00 00 00 00 00 L!......
00414B82 ADD EAX,DWORD PTR SS:[EBP+408652] ;adjustment?
00414B88 JMP SHORT CSpy.00414BD1
00414BB1 MOV EBX,DWORD PTR DS:[EAX] ;EAX=0040214C
00414BB3 JMP SHORT CSpy.00414BFF
Look at this table too:
0040214C 44 22 00 00 A2 22 00 00 D"..?..
00402154 82 22 00 00 66 22 00 00 ?..f"..
0040215C 52 22 00 00 9A 22 00 00 R"..?..
00402164 14 22 00 00 2C 22 00 00 "..,"..
0040216C 04 22 00 00 00 00 00 00 "......
00402174 40 23 00 00 4C 23 00 00 @#..L#..
0040217C 2E 23 00 00 1E 23 00 00 .#..#..
00402184 5C 23 00 00 74 23 00 00 \#..t#..
0040218C 82 23 00 00 96 23 00 00 ?..?..
00402194 F6 22 00 00 6C 23 00 00 ?..l#..
0040219C 08 24 00 00 E0 23 00 00 $..?..
004021A4 EE 23 00 00 FA 23 00 00 ?..?..
004021AC 08 23 00 00 16 24 00 00 #..$..
004021B4 26 24 00 00 32 24 00 00 &$..2$..
004021BC 42 24 00 00 54 24 00 00 B$..T$..
004021C4 72 24 00 00 84 24 00 00 r$..?..
004021CC 94 24 00 00 A6 24 00 00 ?..?..
004021D4 BA 24 00 00 C8 24 00 00 ?..?..
004021DC DE 24 00 00 E4 22 00 00 ?..?..
004021E4 D2 22 00 00 C6 22 00 00 ?..?..
004021EC B8 23 00 00 A8 23 00 00 ?..?..
004021F4 CA 23 00 00 00 00 00 00 ?......
00414BDE MOV EDI,DWORD PTR DS:[ESI+10] ;DS:[ESI+10]=004020E0
00414BE1 JMP SHORT CSpy.00414C2C
00414C0C ADD EDI,EDX ; CSpy.00400000
00414C0E JMP SHORT CSpy.00414C5D ; EDI=00002018
00414C39 ADD EDI,DWORD PTR SS:[EBP+408652]
00414C3F JMP SHORT CSpy.00414C88
00414D50 ADD EBX,EDX ; CSpy.00400000
00414D52 JMP SHORT CSpy.00414D9C ; EBX=00002244
00414E61 MOV EAX,DWORD PTR SS:[EBP+40ACF0] ; kernel32.GetProcAddress
00414E67 JMP SHORT CSpy.00414EB3
Heh, further on it still doesn't forget to compare against CC, so I won't trace it in detail.
Set a break-on-access on the region 402000 to 4020DC and run with F9:
It starts writing the IAT
|
0041528C MOV DWORD PTR DS:[EDI],EAX ; kernel32.ExitProcess
0041528E JMP SHORT CSpy.004152DC ; DS:[EDI]=00402018
A breakpoint at 0041528C MOV DWORD PTR DS:[EDI],EAX lets you follow the whole IAT-writing process.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Alt+M again to open the memory window, break-on-access on the code section, run with F9:
00415731 XCHG BYTE PTR DS:[ESI],BL ; still restoring code
00415733 JMP SHORT CSpy.0041577E
Next let's look at how it reaches the entry point; after the code has been restored, step with F7:
00415813 8B85 E6724000 MOV EAX,DWORD PTR SS:[EBP+4072E6] ; <-- entry point offset SS:[004152E6]=00001B04
00415819 EB 4D JMP SHORT CSpy.00415868
0041581B EB 47 JMP SHORT CSpy.00415864
00415844 0385 FA724000 ADD EAX,DWORD PTR SS:[EBP+4072FA] ; CSpy.00400000
0041584A EB 23 JMP SHORT CSpy.0041586F ; <-- entry address=401B04
0041584C EB 47 JMP SHORT CSpy.00415895
0041595E 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; CSpy.00401B04
00415962 EB 48 JMP SHORT CSpy.004159AC
00415964 EB 47 JMP SHORT CSpy.004159AD
004159B9 - FFE0 JMP EAX ; CSpy.00401B04
004159BB EB 22 JMP SHORT CSpy.004159DF ; jump to the entry point
004159BD EB 47 JMP SHORT CSpy.00415A06
Program entry code:
00401B04 PUSH 0 ; dump the program here
00401B06 CALL CSpy.00401B40 ; get the import table with Import REConstructor
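The 20-byte records that ESI walks from 004020D0 (first dword 0x214C, the name RVA 0x22B8 handed to GetModuleHandleA, and 0x2018 where ExitProcess is written) have exactly the layout of the PE IMAGE_IMPORT_DESCRIPTOR, and the dword arrays at 0x2134, 0x214C, 0x2174 and 0x21FC are its zero-terminated thunk lists; that is my reading of the dumps above, not something the post states. The following Python script is an added example, not code from the post or from CSpy. It parses the dump bytes shown above under that reading and works out which IAT slot each GetProcAddress result lands in, in the order the packer walks them. The dword at 004020D8 appears in none of the page's dumps and is assumed to be zero here.

```python
import struct
from typing import List, NamedTuple, Tuple

IMAGE_BASE = 0x00400000

# Memory 004020D0..00402203 as shown in the OllyDbg dumps in the trace above.
# The dword at 004020D8 is not on the page; it is ASSUMED to be 0 here (the
# ForwarderChain field, which is zero in every other descriptor shown).
DUMP_BASE = 0x004020D0
DUMP = bytes.fromhex(
    "4C 21 00 00 00 00 00 00 00 00 00 00 B8 22 00 00"  # 004020D0
    "18 20 00 00 74 21 00 00 00 00 00 00 00 00 00 00"  # 004020E0
    "F0 24 00 00 40 20 00 00 34 21 00 00 00 00 00 00"  # 004020F0
    "00 00 00 00 3C 25 00 00 00 20 00 00 FC 21 00 00"  # 00402100
    "00 00 00 00 00 00 00 00 54 25 00 00 C8 20 00 00"  # 00402110
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"  # 00402120
    "00 00 00 00 32 25 00 00 26 25 00 00 FC 24 00 00"  # 00402130
    "1A 25 00 00 10 25 00 00 00 00 00 00 44 22 00 00"  # 00402140
    "A2 22 00 00 82 22 00 00 66 22 00 00 52 22 00 00"  # 00402150
    "9A 22 00 00 14 22 00 00 2C 22 00 00 04 22 00 00"  # 00402160
    "00 00 00 00 40 23 00 00 4C 23 00 00 2E 23 00 00"  # 00402170
    "1E 23 00 00 5C 23 00 00 74 23 00 00 82 23 00 00"  # 00402180
    "96 23 00 00 F6 22 00 00 6C 23 00 00 08 24 00 00"  # 00402190
    "E0 23 00 00 EE 23 00 00 FA 23 00 00 08 23 00 00"  # 004021A0
    "16 24 00 00 26 24 00 00 32 24 00 00 42 24 00 00"  # 004021B0
    "54 24 00 00 72 24 00 00 84 24 00 00 94 24 00 00"  # 004021C0
    "A6 24 00 00 BA 24 00 00 C8 24 00 00 DE 24 00 00"  # 004021D0
    "E4 22 00 00 D2 22 00 00 C6 22 00 00 B8 23 00 00"  # 004021E0
    "A8 23 00 00 CA 23 00 00 00 00 00 00 46 25 00 00"  # 004021F0
    "00 00 00 00"                                      # 00402200
)


class ImportDescriptor(NamedTuple):
    original_first_thunk: int   # RVA of the array of hint/name RVAs
    time_date_stamp: int
    forwarder_chain: int
    name: int                   # RVA of the DLL name (what GetModuleHandleA receives)
    first_thunk: int            # RVA of the IAT slots that receive GetProcAddress results


def parse_import_descriptors(mem: bytes, mem_base: int, table_va: int) -> List[ImportDescriptor]:
    """Read 20-byte descriptors from table_va until the all-zero terminator."""
    descs = []
    off = table_va - mem_base
    while True:
        fields = struct.unpack_from("<5I", mem, off)
        if not any(fields):
            break
        descs.append(ImportDescriptor(*fields))
        off += 20
    return descs


def read_thunks(mem: bytes, mem_base: int, thunk_rva: int) -> List[int]:
    """Read the zero-terminated dword array at thunk_rva (RVAs of hint/name entries)."""
    off = IMAGE_BASE + thunk_rva - mem_base
    out = []
    while True:
        (v,) = struct.unpack_from("<I", mem, off)
        if v == 0:
            break
        out.append(v)
        off += 4
    return out


def resolution_plan(mem: bytes, mem_base: int, table_va: int) -> List[Tuple[int, int, int]]:
    """One (dll_name_rva, hint_name_rva, iat_slot_va) triple per import, in the
    order the packer walks them: one GetModuleHandleA(name) per descriptor, then
    GetProcAddress per thunk, with the result written to first_thunk + 4*i."""
    plan = []
    for d in parse_import_descriptors(mem, mem_base, table_va):
        for i, hint_name in enumerate(read_thunks(mem, mem_base, d.original_first_thunk)):
            plan.append((d.name, hint_name, IMAGE_BASE + d.first_thunk + 4 * i))
    return plan


if __name__ == "__main__":
    for name_rva, hint_rva, slot in resolution_plan(DUMP, DUMP_BASE, 0x004020D0):
        print(f"dll name @ {IMAGE_BASE + name_rva:08X}  hint/name @ {IMAGE_BASE + hint_rva:08X}"
              f"  -> IAT slot {slot:08X}")
```

The first triple it prints is the one the trace shows: name 0x22B8 (the EAX value before GetModuleHandleA), hint/name 0x2244 (EBX before GetProcAddress) and slot 00402018 (where ExitProcess is stored). The four thunk arrays and four FirstThunk ranges fit together without gaps (0x2000..0x2014, 0x2018..0x203C, 0x2040..0x20C4, 0x20C8..0x20CC, then the descriptor table at 0x20D0), which is a good sign the reading is right.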
00401B0B MOV DWORD PTR DS:[40303C],EAX
00401B10 PUSH 0
00401B12 PUSH CSpy.004015FC
00401B17 PUSH 0
00401B19 PUSH 65
00401B1B PUSH EAX
00401B1C CALL CSpy.00401B82
00401B21 PUSH 0
00401B23 CALL CSpy.00401B3A
Run the repaired program: surprisingly, it runs. But the packer has moved all the jumps through the IAT into its own code.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Now let's restore those. Look at the jump code:
00401B28 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B2E JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B34 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B3A JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B40 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B46 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B4C JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B52 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B58 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B5E JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B64 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B6A JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B70 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B76 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B7C JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B82 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B88 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B8E JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B94 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401B9A JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BA0 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BA6 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BAC JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BB2 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BB8 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BBE JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BC4 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BCA JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BD0 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BD6 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BDC JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BE2 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BE8 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BEE JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BF4 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401BFA JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C00 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C06 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C0C JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C12 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C18 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C1E JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C24 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C2A JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C30 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C36 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C3C JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
00401C42 JMP DWORD PTR DS:[417E5C] ; CSpy.00417E60
The program calls the IAT through the packer's code at 00417E5C; set a breakpoint at 00417E5C and run the dumped program:
00417E60 PUSH EBX
00417E61 PUSH EDX
00417E62 PUSH EDI
00417E63 CALL dump0_.00417E68
00417E68 POP EBX
00417E69 JMP SHORT dump0_.00417E96
It starts searching the IAT
00418077 ADD EDX,DWORD PTR DS:[EDX-4] ; the sum here is the address of the CALL being made
0041807A JMP SHORT CSpy.004180C6
00417F89 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] ; CSpy.00401B0B
00417F8D EB 4E JMP SHORT CSpy.00417FDD ; return address
0041851E /0F84 A6000000 JE CSpy.004185CA
00418524 |EB 48 JMP SHORT CSpy.0041856E
00417EFE 8B07 MOV EAX,DWORD PTR DS:[EDI]
00417F00 EB 49 JMP SHORT CSpy.00417F4B
00417F89 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] ; CSpy.00401B0B
00417F8D EB 4E JMP SHORT CSpy.00417FDD
00417FB8 F747 04 0000008>TEST DWORD PTR DS:[EDI+4],80000000
00417FBF EB 4D JMP SHORT CSpy.0041800E
00418019 807A FB E8 CMP BYTE PTR DS:[EDX-5],0E8 ; check for CALL handling
0041801D EB 4D JMP SHORT CSpy.0041806C
00418048 /0F85 D5000000 JNZ CSpy.00418123
0041804E |EB 48 JMP SHORT CSpy.00418098
00418077 0352 FC ADD EDX,DWORD PTR DS:[EDX-4]
0041807A EB 4A JMP SHORT CSpy.004180C6
004183E0 2B93 FA724000 SUB EDX,DWORD PTR DS:[EBX+4072FA] ; CSpy.00400000
004183E6 EB 48 JMP SHORT CSpy.00418430
00418411 50 PUSH EAX
00418412 EB 49 JMP SHORT CSpy.0041845D
004184C5 58 POP EAX
004184C6 EB 49 JMP SHORT CSpy.00418511
004184F1 3BC2 CMP EAX,EDX
004184F3 EB 4D JMP SHORT CSpy.00418542
00418607 8B18 MOV EBX,DWORD PTR DS:[EAX] ; user32.DialogBoxParamA
00418609 EB 48 JMP SHORT CSpy.00418653 //fetch the function address
00418632 803B CC CMP BYTE PTR DS:[EBX],0CC ;another check for a breakpoint on the function
00418635 EB 4D JMP SHORT CSpy.00418684
0041868F 807B 01 CC CMP BYTE PTR DS:[EBX+1],0CC
00418693 EB 4D JMP SHORT CSpy.004186E2
004186EF 807B 02 CC CMP BYTE PTR DS:[EBX+2],0CC
004186F3 EB 4D JMP SHORT CSpy.00418742
0041874F 807B 03 CC CMP BYTE PTR DS:[EBX+3],0CC
00418753 EB 4D JMP SHORT CSpy.004187A2
004187AD 807B 04 CC CMP BYTE PTR DS:[EBX+4],0CC
004187B1 EB 4D JMP SHORT CSpy.00418800
0041880D 807B 05 CC CMP BYTE PTR DS:[EBX+5],0CC
00418811 EB 4D JMP SHORT CSpy.00418860
004188F1 - FF20 JMP DWORD PTR DS:[EAX] ; user32.DialogBoxParamA
004188F3 EB 48 JMP SHORT CSpy.0041893D //finally calls the function
Now just set a breakpoint at 00418077 ADD EDX,DWORD PTR DS:[EDX-4] ; the sum here is the address of the CALL being made
to get the address being called,
then one at 004188F1 JMP DWORD PTR DS:[EAX] ;calls the function
to get the function being called.
Modify the dumped program accordingly to complete the repair.
######################################################################
The handling seems to look up addresses by table values.
IAT jump table:
00417FB8 F747 04 0000008>TEST DWORD PTR DS:[EDI+4],80000000
00417FBF EB 4D JMP SHORT CSpy.0041800E
DS:[EDI+4]:
00417B38 7C BC C7 BD 38 20 40 80 |记? @?
00417B40 34 CD 7E 4E 18 20 40 80 4威N @?
00417B48 ED B2 EA E1 0C 20 40 80 聿赆. @?
00417B50 C0 9C 15 25 AC 20 40 80 ?%?@?
00417B58 5E 24 17 0D 2C 20 40 80 ^$., @?
00417B60 16 55 AE FE 28 20 40 80 U?( @?
00417B68 23 F0 CD 17 24 20 40 80 #鹜$ @?
00417B70 3D 19 18 F7 20 20 40 80 =? @?
00417B78 49 19 A4 54 30 20 40 80 Iぴ0 @?
00417B80 40 CD C2 ED 1C 20 40 80 @吐? @?
00417B88 75 68 A1 04 B4 20 40 80 uh??@?
00417B90 C7 B1 AD C2 B0 20 40 80 潜??@?
00417B98 94 1F 11 6B 40 20 40 80 ?k@ @?
00417BA0 8F C0 14 31 78 20 40 80 ?1x @?
00417BA8 8A F6 C4 8B 48 20 40 80 ??H @?
00417BB0 BA 65 77 D8 60 20 40 80 哄w剜 @?
00417BB8 91 29 C1 D1 4C 20 40 80 ?裂L @?
00417BC0 DB 43 10 7F 50 20 40 80 勖P @?
00417BC8 DC 6E A8 98 64 20 40 80 茴?d @?
00417BD0 26 C6 1D AD BC 20 40 80 &?? @?
00417BD8 52 C6 A1 0E 74 20 40 80 R啤t @?
00417BE0 45 FB 12 57 5C 20 40 80 E?W\ @?
00417BE8 5B 12 C7 B7 58 20 40 80 [欠X @?
00417BF0 38 2F C8 4D B8 20 40 80 8/韧?@?
00417BF8 A1 BA 72 82 44 20 40 80 『r? @?
00417C00 6E B7 A4 5E 54 20 40 80 n筏^T @?
00417C08 79 8A 17 07 7C 20 40 80 y?| @?
00417C10 2F 12 7B 14 6C 20 40 80 /{l @?
00417C18 0D 8A AB A4 C0 20 40 80 .?だ @?
00417C20 F9 DB C0 CF 88 20 40 80 ?老?@?
00417C28 28 3F C3 F3 70 20 40 80 (?皿p @?
00417C30 CC 7E A3 26 84 20 40 80 烃??@?
00417C38 67 63 C2 E7 68 20 40 80 gc络h @?
00417C40 D2 97 76 C6 80 20 40 80 ?v? @?
00417C48 84 0F 1A D5 90 20 40 80 ?? @?
00417C50 90 66 30 FB 08 20 40 80 ?0? @?
00417C58 22 BF 3C 3D A8 20 40 80 "?=?@?
00417C60 41 82 33 C7 94 20 40 80 A?? @?
00417C68 17 1A 5F D4 A4 20 40 80 _预 @?
00417C70 09 F3 8A 34 A0 20 40 80 .?4?@?
00417C78 6A CE 85 CE 9C 20 40 80 j?? @?
00417C80 83 22 A2 32 8C 20 40 80 ???@?
00417C88 74 27 50 2E 98 20 40 80 t'P.?@?
00417C90 FD A2 E1 5F C8 20 40 80 ?徇?@?
00417C98 D8 17 89 08 04 20 40 80 ?? @?
00417CA0 97 4B 88 1C 10 20 40 80 ?? @?
00417CA8 C6 FE 5C E8 00 20 40 80 掐\? @?
00417CB0 33 E0 C6 A9 34 20 40 80 3嗥? @?
00417CB8 00 00 00 00 00 00 00 00 ........
00417CC0 00 00 00 00 00 00 00 00 ........
00417CC8 00 00 00 00 00 00 00 00 ........
00418019 807A FB E8 CMP BYTE PTR DS:[EDX-5],0E8 ; check for CALL handling
0041801D EB 4D JMP SHORT CSpy.0041806C ;is it a CALL?
00418077 0352 FC ADD EDX,DWORD PTR DS:[EDX-4]
0041807A EB 4A JMP SHORT CSpy.004180C6
004180A5 83C2 06 ADD EDX,6 ;edx=401b46
004180A8 EB 4C JMP SHORT CSpy.004180F6
004183B2 83EA 06 SUB EDX,6
004183B5 EB 4D JMP SHORT CSpy.00418404
004183E0 2B93 FA724000 SUB EDX,DWORD PTR DS:[EBX+4072FA] ; CSpy.00400000
004183E6 EB 48 JMP SHORT CSpy.00418430
00418411 50 PUSH EAX ;BDC7BC7C
00418412 EB 49 JMP SHORT CSpy.0041845D
0041843D 8BC2 MOV EAX,EDX ;edx=1b40
0041843F EB 4C JMP SHORT CSpy.0041848D
00415B23 PUSH EBX
00415B24 PUSH ECX
00415B25 PUSH EDX
00415B26 PUSH ESI
00415B27 CALL CSpy.00415B2C
00415B2C POP EBX
00415B2D SUB EBX,CSpy.00407B2C
00415B33 ADD EBX,CSpy.00407B5C
00415B39 MOV ECX,EAX
00415B3B XOR EDX,EDX
00415B3D OR EAX,FFFFFFFF
00415B40 MOV ESI,4
00415B45 ROL ECX,8
00415B48 MOV DL,CL
00415B4A XOR DL,AL
00415B4C SHR EAX,8
00415B4F XOR EAX,DWORD PTR DS:[EBX+EDX*4]
00415B52 DEC ESI
00415B53 JNZ SHORT CSpy.00415B45
00415B55 NOT EAX ; jump code
00415B57 POP ESI
00415B58 POP EDX
00415B59 POP ECX
00415B5A POP EBX
00415B5B RETN
I won't trace the rest of the procedure in detail.
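The dispatcher walkthrough above (return address, then the CALL target via ADD EDX,[EDX-4], then a hash of the stub RVA, then the 8-byte table whose second dword is the IAT slot with bit 31 set, then JMP DWORD PTR [EAX]) and the repair it implies (rewrite each stub as JMP DWORD PTR [slot]) can be modelled in a script. The following Python is an added example, not code from the post or from CSpy. It re-expresses the loop at 00415B23 (four rounds of ROL/XOR/SHR/table lookup, then NOT), which has the shape of a table-driven CRC-32 over the input dword, high byte first; the 256-dword table the loop indexes through EBX (just past the RETN) is not shown on the page, so the standard reflected CRC-32 table is an assumption, and table_is_standard lets you check it against the pair the trace shows (stub RVA 1B40, table hash BDC7BC7C). The jump-table rows are the first four from the dump above plus the zero terminator; the entry-code bytes are encoded from the listing at 00401B04; the stub-to-slot pairing used in the lookup demo is constructed.

```python
import struct
import zlib
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x00400000
DISPATCHER_PTR = 0x00417E5C      # every packed stub reads JMP DWORD PTR [417E5C]

# ---- the routine at 00415B23, re-expressed -----------------------------------
# ECX = input, EAX = -1, four rounds of
#     ROL ECX,8 ; MOV DL,CL ; XOR DL,AL ; SHR EAX,8 ; XOR EAX,[EBX+EDX*4]
# then NOT EAX: table-driven CRC-32 of the input dword, high byte first.
# The table itself is not on the page; the standard one is ASSUMED below.

def make_crc_table(poly: int = 0xEDB88320) -> List[int]:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = make_crc_table()

def hash_dword(value: int, table: List[int] = CRC_TABLE) -> int:
    ecx, eax = value & 0xFFFFFFFF, 0xFFFFFFFF
    for _ in range(4):
        ecx = ((ecx << 8) | (ecx >> 24)) & 0xFFFFFFFF   # ROL ECX,8
        dl = (ecx ^ eax) & 0xFF                          # MOV DL,CL ; XOR DL,AL
        eax = (eax >> 8) ^ table[dl]                     # SHR EAX,8 ; XOR EAX,[EBX+EDX*4]
    return eax ^ 0xFFFFFFFF                              # NOT EAX

def matches_zlib(value: int) -> bool:
    """True if the loop above equals standard CRC-32 over the big-endian bytes of value."""
    return hash_dword(value) == zlib.crc32(value.to_bytes(4, "big"))

def table_is_standard(stub_rva: int, hash_from_trace: int) -> bool:
    """Feed a (stub RVA, hash) pair seen in the debugger, e.g. (0x1B40, 0xBDC7BC7C)."""
    return hash_dword(stub_rva) == hash_from_trace

# ---- the 8-byte table at 00417B38: hash, then IAT slot VA with bit 31 set ----
JUMP_TABLE = bytes.fromhex(
    "7C BC C7 BD 38 20 40 80"   # 00417B38 (first four rows of the dump above)
    "34 CD 7E 4E 18 20 40 80"
    "ED B2 EA E1 0C 20 40 80"
    "C0 9C 15 25 AC 20 40 80"
    "00 00 00 00 00 00 00 00"   # the table ends in zero rows
)

def parse_jump_table(raw: bytes) -> List[Tuple[int, int]]:
    entries = []
    for off in range(0, len(raw) - 7, 8):
        h, flagged = struct.unpack_from("<II", raw, off)
        if h == 0 and flagged == 0:
            break
        entries.append((h, flagged))
    return entries

def build_jump_table(stub_to_slot: Dict[int, int]) -> List[Tuple[int, int]]:
    """Constructed table (stub RVA -> slot VA) for exercising the lookup with a known hash."""
    return [(hash_dword(rva), slot | 0x80000000) for rva, slot in stub_to_slot.items()]

# ---- what the dispatcher does with the return address ------------------------
def call_target_from_return(mem: bytes, mem_base: int, ret_va: int) -> Optional[int]:
    """CMP BYTE PTR [EDX-5],0E8 then ADD EDX,[EDX-4]: target of the CALL that returns here."""
    off = ret_va - mem_base
    if mem[off - 5] != 0xE8:
        return None
    (rel,) = struct.unpack_from("<i", mem, off - 4)
    return (ret_va + rel) & 0xFFFFFFFF

def resolve_iat_slot(stub_va: int, entries: List[Tuple[int, int]], table=CRC_TABLE) -> Optional[int]:
    """Hash compare plus TEST [EDI+4],80000000: the IAT slot the stub stands for."""
    h = hash_dword(stub_va - IMAGE_BASE, table)
    for entry_hash, flagged in entries:
        if entry_hash == h and flagged & 0x80000000:
            return flagged & 0x7FFFFFFF
    return None

def repaired_stub(slot_va: int) -> bytes:
    """The stub as the dump should carry it: JMP DWORD PTR [slot_va] (FF 25 imm32)."""
    return b"\xFF\x25" + struct.pack("<I", slot_va)

# Entry code from the listing: PUSH 0 ; CALL 00401B40 ; MOV [40303C],EAX (bytes encoded here)
ENTRY_VA = 0x00401B04
ENTRY = bytes.fromhex("6A 00  E8 35 00 00 00  A3 3C 30 40 00")

if __name__ == "__main__":
    stub = call_target_from_return(ENTRY, ENTRY_VA, 0x00401B0B)        # 00401B40
    print(f"stub {stub:08X}, assumed-table hash {hash_dword(stub - IMAGE_BASE):08X}")
    print("assumed table reproduces BDC7BC7C for 1B40:", table_is_standard(0x1B40, 0xBDC7BC7C))
    slot = resolve_iat_slot(stub, build_jump_table({0x1B40: 0x00402038}))   # constructed pairing
    print(f"stub -> IAT slot {slot:08X}; patch bytes {repaired_stub(slot).hex()}")
```

If table_is_standard reports False, the packer uses its own table or polynomial, and CRC_TABLE should be replaced by the 256 dwords read out of the dump at the address EBX holds after the ADD at 00415B33; the rest of the script is unchanged. With a correct table, resolve_iat_slot over the real 00417B38 table gives the slot for every stub, and repaired_stub gives the six bytes to write back over FF 25 5C 7E 41 00 in the dump.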
######################################################################################
Personal experience; there may be mistakes!
Thanks to cyclotron for the hard work; a nice packer! Wishing it healthy growth!
fxyang
2004.7.6