① Loop over the API name strings and check whether the first byte is the expected character

00438F44  MOV EDI,DWORD PTR DS:[EBX]
00438F46  ADD EDI,DWORD PTR SS:[EBP+0x40421E]   ; kernel32.75E20000
00438F4C  CMP BYTE PTR DS:[EDI],0x48             ; 0x48 = 'H'
00438F4F  JNZ SHORT 06.00438FA1
00438FA1  ADD EBX,0x4
00438FA4  INC ECX
00438FA5  CMP ECX,0x54F
00438FAB  JNZ SHORT 06.00438F44
② Loop over the characters of the API name string and compute the hash

0043A70E  MOV AL,BYTE PTR DS:[EDI]
0043A710  OR AL,AL
0043A712  JE SHORT 06.0043A746                   ; exit the loop at the terminating NUL
0043A725  INC EDI                                ; kernel32.75EDBBDF
0043A726  XOR DL,AL
0043A728  MOV AL,0x8
0043A72A  JMP SHORT 06.0043A72D
0043A736  SHR EDX,1
0043A738  JNB SHORT 06.0043A740
0043A73A  XOR EDX,0xEDB88320
0043A740  DEC AL
0043A742  JNZ SHORT 06.0043A72A
③ Check whether the hash matches the target value; if not, continue the loop, otherwise proceed to the next step

00438F7A  CMP EAX,0xA124E28D
00438F7F  JNZ SHORT 06.00438FA1
00438F81  MOV EAX,DWORD PTR SS:[EBP+0x40421A]   ; the matching hash has been found
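As an added illustration of steps ① to ③ (this is not code from the original notes), the following Python mirrors the hash loop at 0043A70E and the name walk at 00438F44, so an analyst can match a target value such as 0xA124E28D against an export name list. The initial EDX value and any final XOR are not visible in the listing; 0xFFFFFFFF and 0 are assumptions, and the name list in the test is constructed.

```python
import zlib

POLY = 0xEDB88320  # the constant XORed in at 0043A73A

def packer_hash(name: bytes, init: int = 0xFFFFFFFF) -> int:
    """Bitwise hash as computed by the loop at 0043A70E..0043A742.

    EDX is the running hash, AL the current byte, and the inner counter
    (MOV AL,8 ... DEC AL / JNZ) runs 8 times per byte. The initial value of
    EDX is not shown in the listing; 0xFFFFFFFF is an assumption.
    """
    edx = init & 0xFFFFFFFF
    for al in name:               # MOV AL,[EDI] / OR AL,AL / JE -> stop at NUL
        if al == 0:
            break
        edx ^= al                 # XOR DL,AL (only the low byte changes)
        for _ in range(8):
            carry = edx & 1       # SHR EDX,1 moves this bit into CF
            edx >>= 1
            if carry:             # JNB skips the XOR when CF == 0
                edx ^= POLY       # XOR EDX,0xEDB88320
    return edx

def find_export_by_hash(names, target, first_char=b"H",
                        init=0xFFFFFFFF, final_xor=0):
    """Walk a name list the way 00438F44..00438FAB does.

    Names whose first byte is not first_char are skipped (CMP BYTE PTR [EDI],0x48),
    the remaining names are hashed, and (index, name) of the first one whose hash
    equals target is returned, or None if no name matches. The index is the value
    ECX holds when the compare at 00438F7A succeeds. final_xor is an assumption.
    """
    for ecx, name in enumerate(names):
        if name[:1] != first_char:
            continue
        if (packer_hash(name, init) ^ final_xor) & 0xFFFFFFFF == target:
            return ecx, name
    return None
```

With init 0xFFFFFFFF and a final XOR of 0xFFFFFFFF the loop is standard CRC-32, so zlib.crc32 can be used to cross-check the reimplementation.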
④ Using the hash match, look up the API's export offset and compute the API address

00438F81  MOV EAX,DWORD PTR SS:[EBP+0x40421A]   ; kernel32.75ED7848
00438F87  SHL ECX,1
00438F89  ADD EAX,ECX
00438F8B  MOVZX EAX,WORD PTR DS:[EAX]
00438F8E  SHL EAX,0x2
00438F91  ADD EAX,DWORD PTR SS:[EBP+0x404226]   ; kernel32.75ED4DD0
00438F97  MOV EAX,DWORD PTR DS:[EAX]
00438F99  ADD EAX,DWORD PTR SS:[EBP+0x40421E]   ; after this, EAX holds the API address

Special cases exist and need separate handling.
⑤ Read the code at the API entry and generate the encrypted API code
The code is very long; only part of it is copied here.

00439333  AC       LODS BYTE PTR DS:[ESI]
00439334  8AF8     MOV BH,AL
00439336  8A27     MOV AH,BYTE PTR DS:[EDI]
00439338  47       INC EDI
00439339  C0EC 04  SHR AH,0x4
0043933C  2AC4     SUB AL,AH
0043933E  73 F6    JNB SHORT 06.00439336
⑥ Fill in the IAT