unk_8934A0:g_sd
unk_8934B9:g_sd_g_szSerial
unk_8935D9:
8
个字节为
0
unk_8995F1:
0x10
个字节与 用户名相等
0x8935D9 - 0x8934A0 = 0x139  (g_sd + 0x139,十进制 313)
0x8995F1 - 0x8934A0 = 0x6151 (g_sd + 0x6151,十进制 24913)
0x8934B9 - 0x8934A0 = 0x19   (g_sd + 0x19,十进制 25)
(以上差值都是十六进制,原文省略了 0x 前缀,直接当十进制读会算错偏移)
g_sd_g_szSerial:用户输入的序列号,
32
字节
.text:
00401406
68
8C
68
42
00
push offset aInputName ;
"Input name:"
.text:
0040140B
E8
90
FC FF FF call sub_4010A0 ; Call Procedure
.text:
00401410
83
C4
04
add esp,
4
; Add
.text:
00401413
BA
10
00
00
00
mov edx,
10h
.text:
00401418
8D
4D
D8 lea ecx, [ebp
+
Buf1] ;
Buffer
.text:
0040141B
E8
70
FE FF FF call sub_401290 ; Call Procedure
.text:
00401420
0F
B6 D0 movzx edx, al ; Move with Zero
-
Extend
.text:
00401423
85
D2 test edx, edx ; Logical Compare
.text:
00401425
75
21
jnz short loc_401448 ; Jump
if
Not Zero (ZF
=
0
)
【Buf1】【局部变量,ebp-28h】:用户输入的用户名;调用前 edx=10h,即 sub_401290 最多读入 0x10 字节。sub_401290 不在本页,输入不足 16 字节时剩余字节是否补零需确认——后面 004022A2 的 memcmp 固定比较 16 字节,这一点直接影响校验条件
.text:
004014D0
.text:
004014D0
loc_4014D0:
.text:
004014D0
68
AC
68
42
00
push offset aInputKey ;
"Input key:"
.text:
004014D5
E8 C6 FB FF FF call sub_4010A0 ; Call Procedure
.text:
004014DA
83
C4
04
add esp,
4
; Add
.text:
004014DD
BA
40
00
00
00
mov edx,
40h
;
'@'
.text:
004014E2
8D
8D
70
FF FF FF lea ecx, [ebp
+
Buffer
] ;
Buffer
.text:
004014E8
E8 A3 FD FF FF call sub_401290 ; Call Procedure
.text:
004014ED
0F
B6 C0 movzx eax, al ; Move with Zero
-
Extend
.text:
004014F0
85
C0 test eax, eax ; Logical Compare
.text:
004014F2
75
21
jnz short loc_401515 ; Jump
if
Not Zero (ZF
=
0
)
【Buffer】【局部变量,ebp-90h】:用户输入的序列号;调用前 edx=40h,最多读入 0x40 字节,随后由 sub_4012E0 转成 32 字节
.text:
00401515
.text:
00401515
loc_401515:
.text:
00401515
33
C9 xor ecx, ecx ; Logical Exclusive OR
.text:
00401517
89
4D
B8 mov [ebp
+
var_48], ecx
.text:
0040151A
89
4D
BC mov [ebp
+
var_44], ecx
.text:
0040151D
89
4D
C0 mov [ebp
+
var_40], ecx
.text:
00401520
89
4D
C4 mov [ebp
+
var_3C], ecx
.text:
00401523
89
4D
C8 mov [ebp
+
var_38], ecx
.text:
00401526
89
4D
CC mov [ebp
+
var_34], ecx
.text:
00401529
89
4D
D0 mov [ebp
+
var_30], ecx
.text:
0040152C
89
4D
D4 mov [ebp
+
var_2C], ecx
.text:
0040152F
8D
55
B8 lea edx, [ebp
+
var_48] ; Load Effective Address
.text:
00401532
8D
8D
70
FF FF FF lea ecx, [ebp
+
Buffer
] ; Load Effective Address
.text:
00401538
E8 A3 FD FF FF call sub_4012E0 ; Call Procedure
.text:
0040153D
0F
B6 D0 movzx edx, al ; Move with Zero
-
Extend
.text:
00401540
85
D2 test edx, edx ; Logical Compare
.text:
00401542
75
21
jnz short loc_401565 ; Jump
if
Not Zero (ZF
=
0
)
【第一个:sub_4012E0(ecx=&Buffer,即 0x40 字节原始输入;edx=&var_48,刚清零的 8 个 dword)返回 al 作为成功标志,movzx/test/jnz loc_401565 的写法与前两次读入一致。然后 loc_401565 用 rep movsd、ecx=8 把 var_48 起的 32 字节复制到 unk_8934B9 = g_sd+0x19。"64 个字符 → 32 字节"的转换方式(很可能是十六进制解码)要看 sub_4012E0 才能确定,本页未展示】
.text:
00401565
loc_401565:
.text:
00401565
B9
08
00
00
00
mov ecx,
8
.text:
0040156A
8D
75
B8 lea esi, [ebp
+
var_48] ; Load Effective Address
.text:
0040156D
BF B9
34
89
00
mov edi, offset unk_8934B9
.text:
00401572
F3 A5 rep movsd ; Move Byte(s)
from
String to String
【第二个:下面这串 C6 85 … 指令把内置常量逐字节写入栈上局部变量 var_294 … var_195(共 0x100 字节,随后 lea 取的 var_194 是尾后地址),并不是写入全局变量;它们作为一段字节区间传给 unknown_libname_3,见下文说明】
.text:
00401574
C6
85
6C
FD FF FF
95
mov [ebp
+
var_294],
95h
.text:
0040157B
C6
85
6D
FD FF FF E2 mov [ebp
+
var_293],
0E2h
.text:
00401582
C6
85
6E
FD FF FF
80
mov [ebp
+
var_292],
80h
.text:
00401589
C6
85
6F
FD FF FF C6 mov [ebp
+
var_291],
0C6h
.text:
00401590
C6
85
70
FD FF FF EA mov [ebp
+
var_290],
0EAh
.text:
00401597
C6
85
71
FD FF FF C3 mov [ebp
+
var_28F],
0C3h
…………………………………………………………………………………………………………………………………………………………………………
.text:
00401C58
C6
85
68
FE FF FF CF mov [ebp
+
var_198],
0CFh
.text:
00401C5F
C6
85
69
FE FF FF AE mov [ebp
+
var_197],
0AEh
.text:
00401C66
C6
85
6A
FE FF FF
8B
mov [ebp
+
var_196],
8Bh
.text:
00401C6D
C6
85
6B
FE FF FF CA mov [ebp
+
var_195],
0CAh
.text:
00401C74
8D
85
6C
FE FF FF lea eax, [ebp
+
var_194] ; Load Effective Address
.text:
00401C7A
50
push eax
.text:
00401C7B
8D
8D
6C
FD FF FF lea ecx, [ebp
+
var_294] ; Load Effective Address
.text:
00401C81
51
push ecx
.text:
00401C82
8D
8D
7C
FC FF FF lea ecx, [ebp
+
var_384] ; Load Effective Address
.text:
00401C88
E8 D3
07
00
00
call unknown_libname_3 ; Microsoft VisualC
14
/
net runtime
.text:
00401C8D
8B
50
04
mov edx, [eax
+
4
]
.text:
00401C90
52
push edx
.text:
00401C91
8B
00
mov eax, [eax]
.text:
00401C93
50
push eax
.text:
00401C94
8D
8D
E8 FC FF FF lea ecx, [ebp
+
var_318] ; Load Effective Address
.text:
00401C9A
E8
41
08
00
00
call sub_4024E0 ; Call Procedure
上面这段代码:先把 0x100 个常量字节写入栈上 var_294…var_195,然后 push &var_194(尾后)、push &var_294(首),ecx=&var_384 调用 unknown_libname_3——参数形态是 (this, begin, end),像是用一段字节区间构造容器对象 var_384;作者当时的猜测是 list<uint8_t> list_table = {...}。接着 sub_4024E0 以 ecx=&var_318 接收前者返回值中的两个 dword([eax]、[eax+4])。之后 401D04 起的循环对 var_318 取迭代器(sub_402490 / _Unwrapped),用 unknown_libname_2 比较迭代器,并把 var_328 初始化为 unk_8934D9 = g_sd+0x39、var_2BC 置 0(作者标为循环索引)。循环体不在本页,但 0x39 + 0x100 = 0x139 正好是下文要求为 0 的那 8 字节(unk_8935D9)的起点,推测这段循环把这 0x100 字节表复制到了 g_sd+0x39——需对照完整反汇编确认。另外要注意:IDA 的库签名命名(unknown_libname_2/3、?_Unwrapped@…_Mutex_count_pair…)只说明代码形态与 MSVC STL 的某个模板实例匹配,名字里的类型参数(_Mutex_count_pair 等)不可信。sub_4024E0 的具体作用在本页无法确定(作者注 2022-06-03 21:20:没看明白)。
.text:
00401C9F
C7
45
FC
00
00
00
00
mov [ebp
+
var_4],
0
【
try
】【
0
】
.text:
00401CA6
68
00
01
00
00
push
100h
;
.text:
00401CAB
6A
00
push
0
;
.text:
00401CAD
8D
8D
70
FE FF FF lea ecx, [ebp
+
var_190] ;
.text:
00401CB3
51
push ecx ; void
*
.text:
00401CB4
E8
17
71
00
00
call _memset ; Call Procedure【内存拷贝,其实是初始化了局部变量 】【[ebp
+
var_190]】
.text:
00401CB9
83
C4
0C
add esp,
0Ch
;
.text:
00401CBC
C6
45
FC
01
mov byte ptr [ebp
+
var_4],
1
【
try
】【
1
】
.text:
00401CC0
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00401CC4
7D
1E
jge short loc_401CE4 ; Jump
if
Greater
or
Equal (SF
=
OF)【argc 与 100 的比较是一个"不透明谓词":正常运行时 argc < 100,jge 不会跳转,于是总是执行后面的 throw std::exception;真正的后续代码是 TryBlockMapEntry / __msRttiDscr 中给出的 catch 地址(此处是 401D04)。全文所有 cmp [ebp+argc],64h 都是这种用 C++ 异常做控制流的混淆写法,静态跟踪时直接按 catch 地址走即可;jge 分支只有在给程序传 ≥100 个 argv 时才会进入】
.text:
00401CC6
8D
8D
B4 FC FF FF lea ecx, [ebp
+
pExceptionObject] ; Load Effective Address
.text:
00401CCC
E8 FF F3 FF FF call sub_4010D0 ; Call Procedure
.text:
00401CD1
68
90
79
42
00
push offset __TI1?AVexception@std@@ ; pThrowInfo
.text:
00401CD6
8D
95
B4 FC FF FF lea edx, [ebp
+
pExceptionObject] ; Load Effective Address
.text:
00401CDC
52
push edx ; pExceptionObject
.text:
00401CDD
E8
0C
70
00
00
call __CxxThrowException@
8
; attributes:
.rdata:
00427140
stru_427140 TryBlockMapEntry <
1
,
1
,
2
,
2
, offset stru_427230> __msRttiDscr <
9
,
00892A20
,
0
,
401D04h
>
【
401D04
】
.text:
00401D04
C7
85
D8 FC FF FF D9
34
89
00
mov [ebp
+
var_328], offset unk_8934D9
.text:
00401D0E
C7
85
44
FD FF FF
00
00
00
00
mov [ebp
+
var_2BC],
0
【循环索引:
0
】
.text:
00401D18
8D
8D
E8 FC FF FF lea ecx, [ebp
+
var_318] ; Load Effective Address 【循环长度】
.text:
00401D1E
89
8D
34
FD FF FF mov [ebp
+
var_2CC], ecx
.text:
00401D24
8D
95
48
FD FF FF lea edx, [ebp
+
var_2B8] ; Load Effective Address
.text:
00401D2A
52
push edx
.text:
00401D2B
8B
8D
34
FD FF FF mov ecx, [ebp
+
var_2CC]
.text:
00401D31
E8
5A
07
00
00
call sub_402490 ; Call Procedure 【找this指针?】
.text:
00401D36
8D
85
DC FC FF FF lea eax, [ebp
+
var_324] ; Load Effective Address
.text:
00401D3C
50
push eax
.text:
00401D3D
8B
8D
34
FD FF FF mov ecx, [ebp
+
var_2CC]
.text:
00401D43
E8
38
07
00
00
call ?_Unwrapped@?$_Tree_iterator@V?$_Tree_val@U?$_Tree_simple_types@U?$pair@QAXU_Mutex_count_pair@?A0x04e813ea@@@std@@@std@@@std@@@std@@QBE?AV?$_Tree_unchecked_iterator@V?$_Tree_val@U?$_Tree_simple_types@U?$pair@QAXU_Mutex_count_pair@?A0x04e813ea@@@std@@@std@@@std@@@
2
@XZ ; std::_Tree_iterator<std::_Tree_val<std::_Tree_simple_types<std::pair<void
*
const,`anonymous namespace'::_Mutex_count_pair>>>>::_Unwrapped(void)
.text:
00401D48
EB
0B
jmp short loc_401D55 ; Jump
.text:
00401D55
.text:
00401D55
loc_401D55:
.text:
00401D55
8D
8D
DC FC FF FF lea ecx, [ebp
+
var_324] ; Load Effective Address
.text:
00401D5B
51
push ecx
.text:
00401D5C
8D
8D
48
FD FF FF lea ecx, [ebp
+
var_2B8] ; Load Effective Address
.text:
00401D62
E8 D9
06
00
00
call unknown_libname_2 ; Microsoft VisualC
14
/
net runtime
.text:
00401D67
0F
B6 D0 movzx edx, al ; Move with Zero
-
Extend
.text:
00401D6A
85
D2 test edx, edx ; Logical Compare
.text:
00401D6C
74
38
jz short loc_401DA6 ; catch执行之后,下一个地址存入eax里面
.text:
00401DA6
loc_401DA6: ; catch执行之后,下一个地址存入eax里面
.text:
00401DA6
B8 EC
1D
40
00
mov eax, offset loc_401DEC
.text:
00401DAB
C3 retn ; Return Near
from
Procedure
.text:
00401DEC
loc_401DEC:
.text:
00401DEC
C7
45
FC
00
00
00
00
mov [ebp
+
var_4],
0
【
try
】【
0
】
.text:
00401DF3
.text:
00401DF3
loc_401DF3:
.text:
00401DF3
C7
85
64
FD FF FF FC
30
0D
00
mov [ebp
+
dwSize],
0D30FCh
【size_t decompress_size
=
0x000d30f2
+
10
;】
.text:
00401DFD
C7
85
D4 FC FF FF
00
00
00
00
mov [ebp
+
var_32C],
0
【LPBYTE lpbuff1
=
NULL;】
.text:
00401E07
C7
85
5C
FD FF FF
00
00
00
00
mov [ebp
+
var_2A4],
0
【uLong shellcode_size
=
0
;】
.text:
00401E11
C7
85
58
FD FF FF
00
00
00
00
mov [ebp
+
var_2A8],
0
【uLongf ulongfsize
=
0
;】
.text:
00401E1B
C6
45
FC
03
mov byte ptr [ebp
+
var_4],
3
【
try
】【
3
】
.text:
00401E1F
6A
40
push
40h
;
'@'
; flProtect
.text:
00401E21
68
00
10
00
00
push
1000h
; flAllocationType
.text:
00401E26
8B
95
64
FD FF FF mov edx, [ebp
+
dwSize]
.text:
00401E2C
52
push edx ; dwSize
.text:
00401E2D
6A
00
push
0
; lpAddress
.text:
00401E2F
FF
15
00
D0
41
00
call ds:VirtualAlloc ; Indirect Call Near Procedure
【VirtualAlloc(NULL, decompress_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  flAllocationType=1000h=MEM_COMMIT,flProtect=40h=RWX。返回值未做 NULL 检查就写入 var_2D8,并作为异常对象(__TI2PAE,unsigned char*)throw 给 catch 401E63,在那里以 var_2E0 出现。三段 shellcode 都走同样的"RWX 私有内存 + 解码 + 执行"模式,这是内存扫描/检测时的落点】
.text:
00401E35
89
85
28
FD FF FF mov [ebp
+
var_2D8], eax 【LPBYTE lpbuff
=
】
.text:
00401E3B
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00401E3F
7D
1D
jge short loc_401E5E ; Jump
if
Greater
or
Equal (SF
=
OF)【<
100
】
【LPBYTE lpbuff】【局部变量 var_2D8】= 即将存放第一阶段(64 位)解码结果的 RWX 缓冲区;这里通过 throw 把它传给 catch 401E63,在那里以 var_2E0 引用
.text:
00401E41
8B
85
28
FD FF FF mov eax, [ebp
+
var_2D8]
.text:
00401E47
89
85
24
FD FF FF mov [ebp
+
var_2DC], eax
.text:
00401E4D
68
4C
7A
42
00
push offset __TI2PAE ; pThrowInfo
.text:
00401E52
8D
8D
24
FD FF FF lea ecx, [ebp
+
var_2DC] ; Load Effective Address
.text:
00401E58
51
push ecx ; pExceptionObject
.text:
00401E59
E8
90
6E
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
3
,
3
,
18h
,
1
, offset stru_427230.nFlag
+
0D0h
> __msRttiDscr <
0
,
00892A10
,
0FFFFFD20h
,
401E63h
>
【
401E63
】
.text:
00401E63
89
65
F0 mov [ebp
+
var_10], esp
.text:
00401E66
8B
95
64
FD FF FF mov edx, [ebp
+
dwSize] ; 解密长度 【ulongfsize
=
(size_t)decompress_size;】
.text:
00401E6C
89
95
58
FD FF FF mov [ebp
+
var_2A8], edx
.text:
00401E72
C7
85
5C
FD FF FF
21
E9
0C
00
mov [ebp
+
var_2A4],
0CE921h
; 原始长度 【shellcode_size
=
sizeof(g_shellcode_compress_64_1);】
.text:
00401E7C
8B
85
5C
FD FF FF mov eax, [ebp
+
var_2A4]
.text:
00401E82
50
push eax
.text:
00401E83
68
90
D2
5C
00
push offset unk_5CD290 ; 原始数据密文 【g_shellcode_compress_64_1】
.text:
00401E88
8D
95
58
FD FF FF lea edx, [ebp
+
var_2A8] ; 解密长度
.text:
00401E8E
8B
8D
20
FD FF FF mov ecx, [ebp
+
var_2E0] ; 解密地址 【LPBYTE lpbuff】
.text:
00401E94
E8
67
F1 FF FF call sub_401000 ; 【第一阶段解码】
.text:
00401E99
83
C4
08
add esp,
8
; Add
.text:
00401E9C
C7
85
40
FD FF FF
00
00
00
00
mov [ebp
+
var_2C0],
0
【PFNDEC pfnDec1
=
NULL;】
.text:
00401EA6
C6
45
FC
05
mov byte ptr [ebp
+
var_4],
5
【
try
】【
5
】
.text:
00401EAA
8B
8D
20
FD FF FF mov ecx, [ebp
+
var_2E0]
.text:
00401EB0
89
8D
40
FD FF FF mov [ebp
+
var_2C0], ecx 【pfnDec1
=
(PFNDEC)lpbuff;】【存放
64
位代码】
.text:
00401EB6
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00401EBA
7D
1D
jge short loc_401ED9 ; Jump
if
Greater
or
Equal (SF
=
OF)
.text:
00401EBC
8B
95
40
FD FF FF mov edx, [ebp
+
var_2C0] 【catch 拷贝 对象】
.text:
00401EC2
89
95
1C
FD FF FF mov [ebp
+
var_2E4], edx
.text:
00401EC8
68
80
79
42
00
push offset __TI1P6AXPAE@Z ; pThrowInfo
.text:
00401ECD
8D
85
1C
FD FF FF lea eax, [ebp
+
var_2E4] ; Load Effective Address
.text:
00401ED3
50
push eax ; pExceptionObject
.text:
00401ED4
E8
15
6E
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
5
,
5
,
18h
,
1
, offset stru_427230.nFlag
+
0C0h
> __msRttiDscr <
0
,
008929FC
,
0FFFFFCCCh
,
401EDEh
>
【
401EDE
】【Heaven's Gate(32→64→32):
- push -1 后 add [esp],1 得到 0,再 push loc_401EFB,两者在栈上合成 64 位返回地址 0x00000000`00401EFB,供 64 位代码的 8 字节 ret 使用;
- lea ecx, unk_8934A0:g_sd 作为第一个参数(x64 调用约定的 rcx);
- push 33h; push [ebp+var_334]; retf → 以 CS=0x33(WoW64 下的 64 位代码段)远返回到 var_334 指向的代码。var_334 的赋值不在本页,从上下文推测是 pfnDec1(解码后的 stage-1);
- 64 位 stage 执行完 ret 回到 loc_401EFB 时仍处于 64 位模式:call $+5 压入 8 字节的 0x401F00,mov [esp+4],23h 把高 dword 改成 CS=0x23,add [esp],0Dh 把低 dword 改成 0x401F0D,retf 回到 32 位模式的 00401F0D(IDA 显示的 esp+394h+var_390 偏移是栈分析错位,实际就是 [esp+4] 和 [esp])。
push 33h + retf 是 Heaven's Gate 的标志性特征;只跟踪 32 位代码的调试器/钩子看不到 64 位 stage 的执行,分析时需要能处理 WoW64 模式切换的调试器】
.text:
00401EDE
89
65
F0 mov [ebp
+
var_10], esp
.text:
00401EE1
6A
FF push
0FFFFFFFFh
.text:
00401EE3
83
04
24
01
add [esp
+
var_s0],
1
; Add
.text:
00401EE7
68
FB
1E
40
00
push offset loc_401EFB
.text:
00401EEC
8D
0D
A0
34
89
00
lea ecx, unk_8934A0 ; Load Effective Address
.text:
00401EF2
6A
33
push
33h
;
'3'
.text:
00401EF4
FF B5 CC FC FF FF push [ebp
+
var_334]
.text:
00401EFA
CB retf ; Return Far
from
Procedure
.text:
00401EFB
.text:
00401EFB
loc_401EFB:
.text:
00401EFB
E8
00
00
00
00
call $
+
5
; Call Procedure
.text:
00401F00
C7
44
24
04
23
00
00
00
mov [esp
+
394h
+
var_390],
23h
;
'#'
.text:
00401F08
83
04
24
0D
add [esp
+
394h
+
var_394],
0Dh
; Add
.text:
00401F0C
CB retf ; Return Far
from
Procedure
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
【第二阶段开始】(已回到 32 位)。紧接着 00401F18 以 ecx=var_2C0(pfnDec1)、edx=0x300 调用 sub_401020:若它确如作者命名 change_mem_rand 那样是随机覆写(实现未展示),stage-1 的前 0x300 字节在此被破坏。要提取 stage-1,应在 00401E99(sub_401000 返回后)转储 [ebp+var_2E0],长度 [ebp+dwSize]=0xD30FC,而不是在此之后
.text:
00401F0D
BA
00
03
00
00
mov edx,
300h
.text:
00401F12
8B
8D
40
FD FF FF mov ecx, [ebp
+
var_2C0]
.text:
00401F18
E8
03
F1 FF FF call sub_401020 ; Call Procedure 【change_mem_rand(pfnDec1,
0x300
)】
.text:
00401F1D
C7
85
3C
FD FF FF
00
00
00
00
mov [ebp
+
var_2C4],
0
.text:
00401F27
C6
45
FC
07
mov byte ptr [ebp
+
var_4],
7
【
try
】【
7
】
.text:
00401F2B
C7
85
64
FD FF FF
0B
E5
2F
00
mov [ebp
+
dwSize],
2FE50Bh
【decompress_size
=
0x002fe501
+
10
;】
.text:
00401F35
6A
40
push
40h
;
'@'
; flProtect
.text:
00401F37
68
00
10
00
00
push
1000h
; flAllocationType
.text:
00401F3C
8B
8D
64
FD FF FF mov ecx, [ebp
+
dwSize]
.text:
00401F42
51
push ecx ; dwSize
.text:
00401F43
6A
00
push
0
; lpAddress
.text:
00401F45
FF
15
00
D0
41
00
call ds:VirtualAlloc ; Indirect Call Near Procedure
【VirtualAlloc(NULL, decompress_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);】
.text:
00401F4B
89
85
18
FD FF FF mov [ebp
+
var_2E8], eax 【LPBYTE lpbuff】
.text:
00401F51
8B
95
18
FD FF FF mov edx, [ebp
+
var_2E8]
.text:
00401F57
89
95
14
FD FF FF mov [ebp
+
var_2EC], edx
.text:
00401F5D
68
4C
7A
42
00
push offset __TI2PAE ; pThrowInfo
.text:
00401F62
8D
85
14
FD FF FF lea eax, [ebp
+
var_2EC] ; Load Effective Address
.text:
00401F68
50
push eax ; pExceptionObject
.text:
00401F69
E8
80
6D
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
7
,
7
,
8
,
1
, offset stru_427230.nFlag
+
20h
> __msRttiDscr <
0
,
00892A10
,
0FFFFFD10h
,
401F6Eh
>
【
401F6E
】
.text:
00401F6E
8B
8D
64
FD FF FF mov ecx, [ebp
+
dwSize] 【ulongfsize
=
(size_t)decompress_size;】
.text:
00401F74
89
8D
58
FD FF FF mov [ebp
+
var_2A8], ecx
.text:
00401F7A
C7
85
5C
FD FF FF EC
6D
1F
00
mov [ebp
+
var_2A4],
1F6DECh
【shellcode_size
=
sizeof(g_shellcode_compress_32_2);】
.text:
00401F84
8B
95
5C
FD FF FF mov edx, [ebp
+
var_2A4]
.text:
00401F8A
52
push edx
.text:
00401F8B
68
B8 BB
69
00
push offset unk_69BBB8 【g_shellcode_compress_32_2】加密地址
.text:
00401F90
8D
95
58
FD FF FF lea edx, [ebp
+
var_2A8] ; Load Effective Address
.text:
00401F96
8B
8D
10
FD FF FF mov ecx, [ebp
+
var_2F0] 【lpbuff】【解密地址】
.text:
00401F9C
E8
5F
F0 FF FF call sub_401000 ; 第二阶段解码
.text:
00401FA1
83
C4
08
add esp,
8
; Add
.text:
00401FA4
8B
85
10
FD FF FF mov eax, [ebp
+
var_2F0]
.text:
00401FAA
89
85
3C
FD FF FF mov [ebp
+
var_2C4], eax 【 pfnDec2
=
(PFNDEC)lpbuff;】
.text:
00401FB0
B8 BF
1F
40
00
mov eax, offset loc_401FBF
.text:
00401FB5
C3 retn ; Return Near
from
Procedure
.text:
00401FBF
loc_401FBF:
.text:
00401FBF
C7
45
FC
06
00
00
00
mov [ebp
+
var_4],
6
【
try
】【
6
】
.text:
00401FC6
.text:
00401FC6
loc_401FC6:
.text:
00401FC6
C6
45
FC
09
mov byte ptr [ebp
+
var_4],
9
【
try
】【
9
】
.text:
00401FCA
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00401FCE
7D
1C
jge short loc_401FEC ; Jump
if
Greater
or
Equal (SF
=
OF)
.text:
00401FD0
8D
8D
A8 FC FF FF lea ecx, [ebp
+
var_358] ; Load Effective Address
.text:
00401FD6
E8 F5 F0 FF FF call sub_4010D0 ; Call Procedure
.text:
00401FDB
68
90
79
42
00
push offset __TI1?AVexception@std@@ ; pThrowInfo
.text:
00401FE0
8D
8D
A8 FC FF FF lea ecx, [ebp
+
var_358] ; Load Effective Address
.text:
00401FE6
51
push ecx ; pExceptionObject
.text:
00401FE7
E8
02
6D
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
9
,
9
,
0Ah
,
1
, offset stru_427230.nFlag
+
30h
> __msRttiDscr <
9
,
00892A20
,
0
,
401FEEh
>
【
401FEE
】
.text:
00401FEE
68
A0
34
89
00
push offset unk_8934A0 【g_sd】【重要】【全局变量】
.text:
00401FF3
FF
95
3C
FD FF FF call [ebp
+
var_2C4] ; Indirect Call Near Procedure 【pfnDec2(g_sd);】
.text:
00401FF9
83
C4
04
add esp,
4
; Add
.text:
00401FFC
B8
0B
20
40
00
mov eax, offset loc_40200B
.text:
00402001
C3 retn ; Return Near
from
Procedure
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
【第三阶段处理】。回顾 stage-2(32 位):在 00401F9C 解码到 var_2F0(大小 0x2FE50B),00401FF3 以 g_sd 为参数直接 call 执行,00402097 又以 0x300 调用 sub_401020 覆写 var_338(作者注为 pfnDec2),提取应在 00401FA1 转储 [ebp+var_2F0]。stage-3(64 位)在 004020CE 解码到 var_2C8(lpbuff3,大小 0x1AD009,源数据 unk_4298B0 共 0x1A39DD 字节),提取应在 004020D3 转储 [ebp+var_2C8];它随后经 00402158 的 CS=0x33 远返回执行
.text:
0040200B
loc_40200B:
.text:
0040200B
C7
45
FC
06
00
00
00
mov [ebp
+
var_4],
6
【
try
】【
6
】
.text:
00402012
.text:
00402012
loc_402012:
.text:
00402012
C7
85
38
FD FF FF
00
00
00
00
mov [ebp
+
var_2C8],
0
【LPBYTE lpbuff3
=
NULL;】
.text:
0040201C
C6
45
FC
0B
mov byte ptr [ebp
+
var_4],
0Bh
【
try
】【B】
.text:
00402020
C7
85
64
FD FF FF
09
D0
1A
00
mov [ebp
+
dwSize],
1AD009h
; 【decompress_size
=
0x001acfff
+
10
;】
.text:
0040202A
6A
40
push
40h
;
'@'
; flProtect
.text:
0040202C
68
00
10
00
00
push
1000h
; flAllocationType
.text:
00402031
8B
95
64
FD FF FF mov edx, [ebp
+
dwSize]
.text:
00402037
52
push edx ; dwSize
.text:
00402038
6A
00
push
0
; lpAddress
.text:
0040203A
FF
15
00
D0
41
00
call ds:VirtualAlloc ; lpbuff3
=
(LPBYTE)VirtualAlloc(NULL, decompress_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
【VirtualAlloc(NULL, decompress_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);】
.text:
00402040
89
85
38
FD FF FF mov [ebp
+
var_2C8], eax
.text:
00402046
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
0040204A
7E
1E
jle short loc_40206A ; Jump
if
Less
or
Equal (ZF
=
1
| SF!
=
OF)【】
.text:
0040206A
.text:
0040206A
loc_40206A:
.text:
0040206A
8B
8D
3C
FD FF FF mov ecx, [ebp
+
var_2C4] 【pfnDec2】【准备将其随机化】
.text:
00402070
89
8D
0C
FD FF FF mov [ebp
+
var_2F4], ecx
.text:
00402076
68
80
79
42
00
push offset __TI1P6AXPAE@Z ; pThrowInfo
.text:
0040207B
8D
95
0C
FD FF FF lea edx, [ebp
+
var_2F4] ; Load Effective Address
.text:
00402081
52
push edx ; pExceptionObject
.text:
00402082
E8
67
6C
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
0Bh
,
0Bh
,
0Eh
,
1
, offset stru_427230.nFlag
+
50h
> __msRttiDscr <
0
,
008929FC
,
0FFFFFCC8h
,
402089h
>
【
402089
】
.text:
00402089
89
65
F0 mov [ebp
+
var_10], esp
.text:
0040208C
BA
00
03
00
00
mov edx,
300h
.text:
00402091
8B
8D
C8 FC FF FF mov ecx, [ebp
+
var_338]
.text:
00402097
E8
84
EF FF FF call sub_401020 ; 随机打乱解码 【change_mem_rand(pfnDec,
0x300
);】
.text:
0040209C
C6
45
FC
0D
mov byte ptr [ebp
+
var_4],
0Dh
【
try
】【D】
.text:
004020A0
8B
85
64
FD FF FF mov eax, [ebp
+
dwSize] 【ulongfsize
=
(size_t)decompress_size;】【解密长度】
.text:
004020A6
89
85
58
FD FF FF mov [ebp
+
var_2A8], eax
.text:
004020AC
C7
85
5C
FD FF FF DD
39
1A
00
mov [ebp
+
var_2A4],
1A39DDh
【 shellcode_size
=
sizeof(g_shellcode_compress_64_3);】【加密长度】
.text:
004020B6
8B
8D
5C
FD FF FF mov ecx, [ebp
+
var_2A4]
.text:
004020BC
51
push ecx
.text:
004020BD
68
B0
98
42
00
push offset unk_4298B0 【g_shellcode_compress_64_3】【加密地址】
.text:
004020C2
8D
95
58
FD FF FF lea edx, [ebp
+
var_2A8] ; Load Effective Address
.text:
004020C8
8B
8D
38
FD FF FF mov ecx, [ebp
+
var_2C8] 【lpbuff3】【解密地址】
.text:
004020CE
E8
2D
EF FF FF call sub_401000 ; 第三阶段解码
.text:
004020D3
83
C4
08
add esp,
8
; Add
.text:
004020D6
EB
06
jmp short loc_4020DE ; Jump
.text:
004020DE
C7
45
FC
0C
00
00
00
mov [ebp
+
var_4],
0Ch
.text:
004020E5
EB
07
jmp short loc_4020EE ; Jump
.text:
004020EE
loc_4020EE:
.text:
004020EE
B8 FD
20
40
00
mov eax, offset loc_4020FD
.text:
004020F3
C3 retn ; Return Near
from
Procedure
.text:
004020FD
loc_4020FD:
.text:
004020FD
C7
45
FC
06
00
00
00
mov [ebp
+
var_4],
6
.text:
00402104
.text:
00402104
loc_402104:
.text:
00402104
8B
95
38
FD FF FF mov edx, [ebp
+
var_2C8] 【lpbuff3】【解密地址】
.text:
0040210A
89
95
08
FD FF FF mov [ebp
+
var_2F8], edx
.text:
00402110
C6
45
FC
0F
mov byte ptr [ebp
+
var_4],
0Fh
【
try
】【F】
.text:
00402114
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00402118
7D
1D
jge short loc_402137 ; Jump
if
Greater
or
Equal (SF
=
OF)
.text:
0040211A
8B
85
08
FD FF FF mov eax, [ebp
+
var_2F8]
.text:
00402120
89
85
04
FD FF FF mov [ebp
+
var_2FC], eax
.text:
00402126
68
80
79
42
00
push offset __TI1P6AXPAE@Z ; pThrowInfo
.text:
0040212B
8D
8D
04
FD FF FF lea ecx, [ebp
+
var_2FC] ; Load Effective Address
.text:
00402131
51
push ecx ; pExceptionObject
.text:
00402132
E8 B7
6B
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
0Fh
,
0Fh
,
18h
,
1
, offset stru_427230.nFlag
+
0B0h
> __msRttiDscr <
0
,
008929FC
,
0FFFFFCC4h
,
40213Ch
>
【
40213C
】
与 00401EE1 处相同的 Heaven's Gate:CS=0x33 远返回到 [ebp+var_33C](var_33C 的赋值不在本页,推测为 stage-3 的 lpbuff3),ecx 同样是 g_sd,栈上合成的 64 位返回地址是 0x00000000`00402159;64 位代码 ret 回来后 call $+5 / mov [esp+4],23h / add [esp],0Dh / retf 回到 32 位的 0040216B
.text:
0040213C
89
65
F0 mov [ebp
+
var_10], esp
.text:
0040213F
6A
FF push
0FFFFFFFFh
.text:
00402141
83
04
24
01
add [esp
+
var_s0],
1
; Add
.text:
00402145
68
59
21
40
00
push offset loc_402159
.text:
0040214A
8D
0D
A0
34
89
00
lea ecx, unk_8934A0 ; Load Effective Address
.text:
00402150
6A
33
push
33h
;
'3'
.text:
00402152
FF B5 C4 FC FF FF push [ebp
+
var_33C]
.text:
00402158
CB retf ; Return Far
from
Procedure
.text:
00402159
loc_402159:
.text:
00402159
E8
00
00
00
00
call $
+
5
; Call Procedure
.text:
0040215E
C7
44
24
04
23
00
00
00
mov [esp
+
394h
+
var_390],
23h
;
'#'
.text:
00402166
83
04
24
0D
add [esp
+
394h
+
var_394],
0Dh
; Add
.text:
0040216A
CB retf ; Return Far
from
Procedure
【stage-3(64 位)执行完成,回到 32 位的 0040216B;接下来在 00402196 检查 g_sd+0x139 起的 8 字节(dword_8935D9 | dword_8935DD)是否为 0】
.text:
0040216B
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
0040216F
7E
1B
jle short loc_40218C ; Jump
if
Less
or
Equal (ZF
=
1
| SF!
=
OF)
.text:
0040218C
loc_40218C:
.text:
0040218C
C6
45
FC
11
mov byte ptr [ebp
+
var_4],
11h
【
try
】【
11
】
.text:
00402190
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands
.text:
00402194
7D
3A
jge short loc_4021D0 ; Jump
if
Greater
or
Equal (SF
=
OF) 【大于等于
100
,不用考虑】
.text:
00402196
A1 D9
35
89
00
mov eax, dword_8935D9 【g_sd_g_qwDecSuccess】
【
.text:
0040219B
0B
05
DD
35
89
00
or
eax, dword_8935DD ; Logical Inclusive OR
.text:
004021A1
74
09
jz short loc_4021AC ; Jump
if
Zero (ZF
=
1
) 【两个 dword 全为 0 时跳到 loc_4021AC,var_295=0;否则顺序执行 004021A3 置 var_295=1。var_295 经 throw bool(__TI1_N)传到 catch 4021D2 的 var_2B1,非零则进入"随机化 + throw std::exception"的 failed 分支。所以成功条件是 g_sd+0x139 起 8 字节必须为 0,与开头 unk_8935D9 的说明一致;原注"不能被触发"容易误读为 jz 不能成立】
.text:
004021AC
loc_4021AC:
.text:
004021AC
C6
85
6B
FD FF FF
00
mov [ebp
+
var_295],
0
【g_sd_g_qwDecSuccess
=
False
】
.text:
004021A3
C6
85
6B
FD FF FF
01
mov [ebp
+
var_295],
1
【g_sd_g_qwDecSuccess
=
True
】【失败】
.text:
004021AA
EB
07
jmp short loc_4021B3 ; Jump
.text:
004021B3
.text:
004021B3
loc_4021B3:
.text:
004021B3
8A
8D
6B
FD FF FF mov cl, [ebp
+
var_295]
.text:
004021B9
88
8D
62
FD FF FF mov [ebp
+
var_29E], cl
.text:
004021BF
68
E0
79
42
00
push offset __TI1_N ; pThrowInfo
.text:
004021C4
8D
95
62
FD FF FF lea edx, [ebp
+
var_29E] ; Load Effective Address
.text:
004021CA
52
push edx ; pExceptionObject
.text:
004021CB
E8
1E
6B
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
11h
,
11h
,
14h
,
1
, offset stru_427230.nFlag
+
70h
> __msRttiDscr <
0
,
00892A3C
,
0FFFFFD4Fh
,
4021D2h
>
【
4021D2
】
.text:
004021D2
89
65
F0 mov [ebp
+
var_10], esp
.text:
004021D5
C6
45
FC
13
mov byte ptr [ebp
+
var_4],
13h
.text:
004021D9
0F
B6
85
4F
FD FF FF movzx eax, [ebp
+
var_2B1] ; Move with Zero
-
Extend
.text:
004021E0
85
C0 test eax, eax ; Logical Compare 【g_sd_g_qwDecSuccess】
.text:
004021E2
74
2B
jz short loc_40220F ; Jump
if
Zero (ZF
=
1
)
.text:
004021E4
BA
00
01
00
00
mov edx,
100h
【var_2B1 非零(上面的 8 字节不为 0)→ failed 分支:先 sub_401020(unk_8934D9 = g_sd+0x39, 0x100)——若它确是随机覆写,g_sd+0x39 起的 0x100 字节表在打印失败信息前就被销毁,想拿到这段数据要在此之前转储——再构造并 throw std::exception 到 catch 402211】
.text:
004021E9
B9 D9
34
89
00
mov ecx, offset unk_8934D9
.text:
004021EE
E8
2D
EE FF FF call sub_401020 ; Call Procedure
.text:
004021F3
8D
8D
84
FC FF FF lea ecx, [ebp
+
var_37C] ; Load Effective Address
.text:
004021F9
E8 D2 EE FF FF call sub_4010D0 ; Call Procedure
.text:
004021FE
68
90
79
42
00
push offset __TI1?AVexception@std@@ ; pThrowInfo
.text:
00402203
8D
8D
84
FC FF FF lea ecx, [ebp
+
var_37C] ; Load Effective Address
.text:
00402209
51
push ecx ; pExceptionObject
.text:
0040220A
E8 DF
6A
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
13h
,
13h
,
14h
,
1
, offset stru_427230.nFlag
+
60h
> __msRttiDscr <
9
,
00892A20
,
0
,
402211h
>
/
/
/
【
402211
】
.text:
00402216
E8
85
EE FF FF call sub_4010A0 ; Call Procedure
.text:
0040221B
83
C4
04
add esp,
4
; Add
.text:
0040221E
68
A4
68
42
00
push offset aPause ;
"pause"
.text:
00402223
E8
3F
9C
00
00
call sub_40BE67 ; Call Procedure
.text:
00402228
83
C4
04
add esp,
4
; Add
.text:
0040222B
6A
00
push
0
; uExitCode
.text:
0040222D
FF
15
04
D0
41
00
call ds:ExitProcess ; Indirect Call Near Procedure
【上面 402211…0040222D 是 catch(std::exception) 的 failed 出口(var_2B1 非零时到达);下面 loc_40220F 才是 var_2B1 == 0 的继续路径,经 402239 / 402249 / 402258 回到 40225F 继续校验】
.text:
0040220F
loc_40220F: 【g_sd_g_qwDecSuccess
=
False
】
.text:
0040220F
EB
28
jmp short loc_402239 ; Jump
.text:
00402239
loc_402239:
.text:
00402239
C7
45
FC
12
00
00
00
mov [ebp
+
var_4],
12h
.text:
00402240
EB
07
jmp short loc_402249 ; Jump
.text:
00402249
loc_402249:
.text:
00402249
B8
58
22
40
00
mov eax, offset loc_402258
.text:
0040224E
C3 retn ; Return Near
from
Procedure
.text:
00402258
loc_402258:
.text:
00402258
C7
45
FC
10
00
00
00
mov [ebp
+
var_4],
10h
.text:
0040225F
loc_40225F:
.text:
0040225F
C6
45
FC
15
mov byte ptr [ebp
+
var_4],
15h
【
try
】【
15
】
.text:
00402263
83
7D
08
64
cmp
[ebp
+
argc],
64h
;
'd'
; Compare Two Operands 【
if
(argc <
100
)】
.text:
00402267
7D
1B
jge short loc_402284 ; Jump
if
Greater
or
Equal (SF
=
OF) 【同前:argc < 100 时不跳转,throw 把 unk_8995F1(g_sd+0x6151)作为 void*(__TI1PAX)传给 catch 402289,在那里成为 Buf2;jge 分支在正常运行中不可达】
.text:
00402269
C7
85
FC FC FF FF F1
95
89
00
mov [ebp
+
var_304], offset unk_8995F1 【(void
*
)g_sd_g_szDec】【全局变量】【关键,就是序列号】
.text:
00402273
68
BC
79
42
00
push offset __TI1PAX ; pThrowInfo
.text:
00402278
8D
95
FC FC FF FF lea edx, [ebp
+
var_304] ; Load Effective Address
.text:
0040227E
52
push edx ; pExceptionObject
.text:
0040227F
E8
6A
6A
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.rdata:
00427140
TryBlockMapEntry <
15h
,
15h
,
18h
,
1
, offset stru_427230.nFlag
+
0A0h
> __msRttiDscr <
0
,
008929C4
,
0FFFFFCD0h
,
402289h
>
【
402289
】
.text:
00402289
89
65
F0 mov [ebp
+
var_10], esp
.text:
0040228C
C6
45
FC
17
mov byte ptr [ebp
+
var_4],
17h
【
try
】【
17
】
.text:
00402290
6A
10
push
10h
; Size
.text:
00402292
8B
85
D0 FC FF FF mov eax, [ebp
+
Buf2] 【buff】【g_sd_g_szDec】【注意
try
与 catch 的参数的传递】
.text:
00402298
50
push eax ; Buf2
.text:
00402299
8D
4D
D8 lea ecx, [ebp
+
Buf1] ; Load Effective Address 【szInput】
.text:
0040229C
51
push ecx ; Buf1
.text:
0040229D
E8
2A
8B
01
00
call _memcmp ; Call Procedure 【memcmp(szInput, buff,
16
);】
.text:
004022A2
83
C4
0C
add esp,
0Ch
; Add
.text:
004022A5
89
85
F8 FC FF FF mov [ebp
+
var_308], eax 【结果】
.text:
004022AB
33
D2 xor edx, edx ; Logical Exclusive OR
.text:
004022AD
83
BD F8 FC FF FF
00
cmp
[ebp
+
var_308],
0
; Compare Two Operands 【相等,则 eax
=
1
】
.text:
004022B4
0F
94
C2 setz dl ;
Set
Byte
if
Zero (ZF
=
1
)
.text:
004022B7
88
95
61
FD FF FF mov [ebp
+
var_29F], dl
.text:
004022BD
0F
B6
85
61
FD FF FF movzx eax, [ebp
+
var_29F] ; Move with Zero
-
Extend
.text:
004022C4
85
C0 test eax, eax ; Logical Compare
.text:
004022C6
74
2D
jz short loc_4022F5 ; Jump
if
Zero (ZF
=
1
)
.text:
004022C8
BA
00
01
00
00
mov edx,
100h
【memcmp 返回 0(用户名与 g_sd+0x6151 处 16 字节相等)时 setz 置 dl=1,test 非零,不跳转走到这里:先 sub_401020(unk_8934D9, 0x100),再 throw std::exception 到 catch 402321;不相等则跳到 loc_4022F5 throw int 1 到 catch 402349(本页未展示)。402321 处传给 sub_4010A0 的字符串 push 不在本页(列表从 00402326 开始),所以"相等 → 打印哪条消息"需在完整反汇编中确认,不能仅因抛的是 std::exception 就判定为 failed】
.text:
004022CD
B9 D9
34
89
00
mov ecx, offset unk_8934D9
.text:
004022D2
E8
49
ED FF FF call sub_401020 ; Call Procedure【随机化】
.text:
004022D7
8D
8D
90
FC FF FF lea ecx, [ebp
+
var_370] ; Load Effective Address
.text:
004022DD
E8 EE ED FF FF call sub_4010D0 ; Call Procedure
.text:
004022E2
68
90
79
42
00
push offset __TI1?AVexception@std@@ ; pThrowInfo
.text:
004022E7
8D
8D
90
FC FF FF lea ecx, [ebp
+
var_370] ; Load Effective Address 【throw std::exception{};】
/
/
class
std::exception
.rdata:
00427230
__msRttiDscr <
9
,
00892A20
,
0
,
402321h
>
.text:
004022ED
51
push ecx ; pExceptionObject
.text:
004022EE
E8 FB
69
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
.text:
004022F5
loc_4022F5: 【失败】
.text:
004022F5
BA
00
01
00
00
mov edx,
100h
.text:
004022FA
B9 D9
34
89
00
mov ecx, offset unk_8934D9
.text:
004022FF
E8
1C
ED FF FF call sub_401020 ; Call Procedure【随机化】
.text:
00402304
C7
85
F4 FC FF FF
01
00
00
00
mov [ebp
+
var_30C],
1
【 throw
1
;】.rdata:
00427230
__msRttiDscr <
40h
,
0
,
0
,
402349h
>
.text:
0040230E
68
28
79
42
00
push offset __TI1H ; pThrowInfo
.text:
00402313
8D
95
F4 FC FF FF lea edx, [ebp
+
var_30C] ; Load Effective Address
.text:
00402319
52
push edx ; pExceptionObject
.text:
0040231A
E8 CF
69
00
00
call __CxxThrowException@
8
; _CxxThrowException(x,x)
【try 17 有两个 catch:按抛出对象的类型而不是它的值来选择——std::exception(__TI1?AVexception@std@@,类型描述符 00892A20)进 402321,int(__TI1H,描述符类型 0 / 标志 40h)进 402349】
.rdata:
00427140
TryBlockMapEntry <
17h
,
17h
,
18h
,
2
, offset stru_427230.nFlag
+
80h
> __msRttiDscr <
9
,
00892A20
,
0
,
402321h
>
.rdata:
00427230
__msRttiDscr <
9
,
00892A20
,
0
,
402321h
>
/
/
class
std::exception
.rdata:
00427230
__msRttiDscr <
40h
,
0
,
0
,
402349h
>
【
402321
】
.text:
00402326
E8
75
ED FF FF call sub_4010A0 ; Call Procedure
.text:
0040232B
83
C4
04
add esp,
4
; Add
.text:
0040232E
68
A4
68
42
00
push offset aPause ;
"pause"
.text:
00402333
E8
2F
9B
00
00
call sub_40BE67 ; Call Procedure
.text:
00402338
83
C4
04
add esp,
4
; Add
.text:
0040233B
6A
00
push
0
; uExitCode
.text:
0040233D
FF
15
04
D0
41
00
call ds:ExitProcess ; Indirect Call Near Procedure