在拜读了kanxue坛主的文章:
Asprotect SKE 2.2 的Advanced Import protection保护技术
之后有了这篇文章。
因为Volx的IAT脚本1.02版已经不能对付它了,所以手工修复,一个字:累。
福建体彩“22选5”选号专家 3.0 Build 2006.07.29
软件大小:14161KB
软件语言:简体中文
软件类别:国产软件/共享版/彩票工具
运行环境:WinNT/2000/XP/2003
加入时间:2006-7-29 16:23:55
软件详细信息
《福建体彩“22选5”选号专家》是一款集号码走势分析、号码选取、号码过滤(缩水)、开核对,历史数据自动网上更新为一体的界面美观、操作简单的专用于福建体彩“22选5”彩票的软件!其内置了各种最有效的彩票过滤方法!其独特的智能化过滤缩水功能,可过滤掉众多的垃圾组合,为您好节省大把的买彩资金,使彩票投资的效益最大化!
ASProtect 2.1x SKE -> Alexey Solodovnikov
Version: ASProtect 2.11 SKE build 03.13 Release [1]
1.Stolen OEP+IAT:
Volx脚本:Asprotect 2.xx SKE OEP finder.txt
停在伪OEP:
014C0303 6A 64 push 64
014C0305 66:9C pushfw
014C0307 57 push edi
014C0308 EB 02 jmp short 014C030C
Alt+M在code下断,停在004037DE,VB程序:
004037D2 - FF25 E8104000 jmp dword ptr ds:[4010E8] ; msvbvm60.GetMem4
004037D8 - FF25 28114000 jmp dword ptr ds:[401128] ; msvbvm60.PutMem4
004037DE - FF25 E4124000 jmp dword ptr ds:[4012E4] ; msvbvm60.ThunRTMain
004037E4 - E9 1ACB0B01 jmp 014C0303 ; oep
004037E9 2853 0A sub byte ptr ds:[ebx+A],dl
004037EC 87E7 xchg edi,esp
堆栈:
0012FFBC 014C0342 返回到 014C0342 来自 01630000
0012FFC0 004356C8 ASCII "VB5!6&vb6chs.dll" // push
0012FFC4 77E687F5 返回到 kernel32.77E687F5
被偷的代码:
push 004356C8
call 4037DE
即:
004037DE - FF25 E4124000 jmp dword ptr ds:[4012E4] ; msvbvm60.ThunRTMain
004037E4 68 C8564300 push fjTC225.004356C8 ; ASCII "VB5!6&vb6chs.dll"
004037E9 E8 F0FFFFFF call fjTC225.004037DE ; jmp to msvbvm60.ThunRTMain
IAT没有加密:
00401000 >660C9ADE msvbvm60.EVENT_SINK_GetIDsOfNames
00401004 66109881 msvbvm60.__vbaVarTstGt
00401008 6610782A msvbvm60.__vbaVarSub
0040100C 660DF9B9 msvbvm60.__vbaStrI2
...
0040138C 660D9A27 msvbvm60.__vbaFreeObj
00401390 660E60B0 msvbvm60.__vbaFreeStr
00401394 660D2DD4 msvbvm60.rtcR8ValFromBstr
00401398 00000000
此时上ImportREC,添入OEP=000037E4,自动搜索,Level1,全部有效,保存备用。
此时还不能dump,因为还有Advanced Import protection没有搞定。
搜索E8:004D5D9F E8 5CA20101 call 014F0000
n多这样的函数,Volx的IAT修复脚本用不上,只好手工上。
参考kanxue文章:Asprotect SKE 2.2 的Advanced Import protection保护技术
2.Advanced Import Protection的分类位置:
进入call 014F0000 后总共3层:
第一层:保存所有当前寄存器 (出来后还要继续运行的,不能影响后面,不过它不是明目张胆的pushad)
第二层:1. 决定是哪一种方式的导入函数调用
a. 第一种方式:将call 014F0000 变成call F00004之类,出来后再次从原地进入F00004进入导入函数
b. 第二种方式:直接带着参数进入导入函数
2. 决定这个调用是call (ff15)还是jmp (ff25)
不要以为C的都是call,delphi的都是jmp
c. 如果是call (ff15),返回地址要+1,比如inc [esp],因为call 014F0000占5个字节,call(ff15)占6个字节
d. 如果是jmp (ff25),要esp+4
3. 如果是1.b的情况,可能有更邪恶的对下一行的偷代码
第三层:恢复所有的寄存器返回
进入到第一层,一路F7,直到碰到call eax(也可能是call ecx等,第一个call):
014F0000 /3E:EB 02 jmp short 014F0005
014F0003 |CD20 509C8D44 vxdjump 448D9C50
014F0009 35 432BC683 xor eax,83C62B43
014F000E EC in al,dx
014F000F 2013 and byte ptr ds:[ebx],dl
...
014F0197 /EB 01 jmp short 014F019A
014F0199 |C7 ??? ; 未知命令
014F019A \FFD0 call eax // 就是这里
014F019C FF7424 0C push dword ptr ss:[esp+C]
014F01A0 8D4447 7C lea eax,dword ptr ds:[edi+eax*2+7C]
014F01A4 65:EB 01 jmp short 014F01A8
进入call eax到第二层:可以一路F8
0127B348 55 push ebp
0127B349 8BEC mov ebp,esp
0127B34B 83C4 D4 add esp,-2C
0127B34E 53 push ebx
0127B34F 56 push esi
0127B350 57 push edi
0127B351 33C0 xor eax,eax
0127B353 8945 D8 mov dword ptr ss:[ebp-28],eax
0127B356 8945 D4 mov dword ptr ss:[ebp-2C],eax
0127B359 8945 DC mov dword ptr ss:[ebp-24],eax
0127B35C 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
...
0127B481 8B7483 68 mov esi,dword ptr ds:[ebx+eax*4+68]
0127B485 8B45 FC mov eax,dword ptr ss:[ebp-4]
0127B488 FFD6 call esi
0127B48A 8BF0 mov esi,eax
0127B48C 3B75 F8 cmp esi,dword ptr ss:[ebp-8]
0127B48F 75 63 jnz short 0127B4F4
0127B491 807B 20 00 cmp byte ptr ds:[ebx+20],0
0127B495 74 3C je short 0127B4D3 ; 分类处
...
0127B4A1 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127B4A5 8B45 FC mov eax,dword ptr ss:[ebp-4]
0127B4A8 FFD2 call edx ; 再次分类
0127B4AA 3C 01 cmp al,1 ; eax为1则是a情况
0127B4AC 75 25 jnz short 0127B4D3 ; eax为0则是b情况
0127B4AE 56 push esi
0127B4AF 8D45 FC lea eax,dword ptr ss:[ebp-4]
0127B4B2 50 push eax
0127B4B3 8B45 14 mov eax,dword ptr ss:[ebp+14]
0127B4B6 50 push eax
0127B4B7 8B45 18 mov eax,dword ptr ss:[ebp+18]
0127B4BA 50 push eax
0127B4BB 8B45 0C mov eax,dword ptr ss:[ebp+C]
0127B4BE 50 push eax
0127B4BF 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0127B4C2 50 push eax
0127B4C3 8B4D 1C mov ecx,dword ptr ss:[ebp+1C]
0127B4C6 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127B4C9 8BC3 mov eax,ebx
0127B4CB E8 C0010000 call 0127B690 ; a情况
0127B4D0 /EB 01 jmp short 0127B4D3
...
0127B4D3 8D45 FC lea eax,dword ptr ss:[ebp-4]
0127B4D6 50 push eax
0127B4D7 8B45 14 mov eax,dword ptr ss:[ebp+14]
0127B4DA 50 push eax
0127B4DB 8B45 18 mov eax,dword ptr ss:[ebp+18]
0127B4DE 50 push eax
0127B4DF 8B45 0C mov eax,dword ptr ss:[ebp+C]
0127B4E2 50 push eax
0127B4E3 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0127B4E6 50 push eax
0127B4E7 8B4D 1C mov ecx,dword ptr ss:[ebp+1C]
0127B4EA 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127B4ED 8BC3 mov eax,ebx
0127B4EF E8 64F1FFFF call 0127A658 ; b情况
0127B4F4 81C7 FF000000 add edi,0FF
0127B4FA 3B7D F4 cmp edi,dword ptr ss:[ebp-C]
0127B4FD ^ 0F86 64FFFFFF jbe 0127B467
0127B503 EB 01 jmp short 0127B506
a情况,进入call 0127B690:
0127B7DD 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127B7E0 8B80 E0000000 mov eax,dword ptr ds:[eax+E0]
0127B7E6 0345 E4 add eax,dword ptr ss:[ebp-1C]
0127B7E9 8945 FC mov dword ptr ss:[ebp-4],eax // [ebp-4]是解密出来的API
0127B7EC 33C0 xor eax,eax
0127B7EE 8AC3 mov al,bl
0127B7F0 0145 10 add dword ptr ss:[ebp+10],eax
0127B7F3 57 push edi
0127B7F4 6A 00 push 0
0127B7F6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0127B7F9 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127B7FC 8B40 3C mov eax,dword ptr ds:[eax+3C]
0127B7FF 8B55 FC mov edx,dword ptr ss:[ebp-4]
0127B802 E8 6DB9FFFF call 01277174
0127B807 8945 FC mov dword ptr ss:[ebp-4],eax
0127B80A 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0127B80D 8B00 mov eax,dword ptr ds:[eax]
0127B80F E8 C0E6FFFF call 01279ED4
0127B814 8BD0 mov edx,eax
0127B816 0255 DF add dl,byte ptr ss:[ebp-21] ; 这里得到dl
0127B819 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; [ebp-4C]就是我们要的函数
0127B81C 8B45 F4 mov eax,dword ptr ss:[ebp-C]
到了这里 [ebp-4C]是我们需要的导入函数的地址,dl中的值决定了是call(ff15)还是jmp(ff25)
dl中的值不同的程序是随机,找几个call 014F0000进去出来看一下就知道当前的程序中哪个对应ff15,哪个对应ff25了
b情况,进入call 0127A658,一路F8:
0127A7D6 8B7C82 68 mov edi,dword ptr ds:[edx+eax*4+68]
0127A7DA 8B06 mov eax,dword ptr ds:[esi]
0127A7DC FFD7 call edi
0127A7DE 8845 CA mov byte ptr ss:[ebp-36],al
0127A7E1 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A7E4 8A40 4A mov al,byte ptr ds:[eax+4A]
0127A7E7 3A45 EF cmp al,byte ptr ss:[ebp-11] ; al的值决定是FF15还是FF25
0127A7EA 0F85 9C000000 jnz 0127A88C ; 不跳是FF15情况
0127A7F0 EB 01 jmp short 0127A7F3
al中的值,不同程序是不同的。我的是F7。
FF15:
0127A7F3 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A7F6 8B80 E0000000 mov eax,dword ptr ds:[eax+E0]
0127A7FC 0145 FC add dword ptr ss:[ebp-4],eax ; [ebp-4]是解密出来的API
0127A7FF EB 01 jmp short 0127A802 ; 这里下断就能得到API
FF25:
0127A8A5 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A8A8 8B80 E0000000 mov eax,dword ptr ds:[eax+E0]
0127A8AE 0145 FC add dword ptr ss:[ebp-4],eax ; [ebp-4]是解密出来的API
0127A8B1 8D45 0C lea eax,dword ptr ss:[ebp+C] ; 这里下断就能得到API
0127A7FC或0127A8AE或0127B7E9执行完后[ebp-4] 是需要的输入函数的地址,再看看[ebp-2c],如果它是FFFFFFFF,说明这个导入函数调用是干净的,如果它有值,表示它的下一行也偷了。
因此只要在0127A7FF&0127A8B1&0127B819处下断即可获得API。
3.Advanced Import Protection的保护位置:
重新加载原程序,对004D5D9F+1(第一个E8我们不需要,要的是后面的4个字节)下内存写入断点:
004D5D9F E8 5CA20101 call 014F0000
第2次断下后停在这里:
0127BAD3 8945 00 mov dword ptr ss:[ebp],eax // ebp指向004D5DA0,eax写入后,变成call 014F0000
0127BAD6 6A 0A push 0A
0127BAD8 E8 7F9AFEFF call 0126555C
0127BADD 8BC8 mov ecx,eax
0127BADF 038B E4000000 add ecx,dword ptr ds:[ebx+E4]
0127BAE5 8BD6 mov edx,esi
0127BAE7 8BC3 mov eax,ebx
0127BAE9 E8 8EE5FFFF call 0127A07C
0127BAEE FF0C24 dec dword ptr ss:[esp]
0127BAF1 03B3 E4000000 add esi,dword ptr ds:[ebx+E4]
0127BAF7 833C24 00 cmp dword ptr ss:[esp],0
0127BAFB ^ 0F87 55FEFFFF ja 0127B956 // 如果还有需要处理就跳上去
0127BB01 53 push ebx
0127BB02 E8 5D000000 call 0127BB64
0127BB07 0183 EC000000 add dword ptr ds:[ebx+EC],eax
0127BB0D B0 01 mov al,1
0127BB0F 83C4 24 add esp,24
0127BB12 5D pop ebp
0127BB13 5F pop edi
0127BB14 5E pop esi
0127BB15 5B pop ebx
0127BB16 C3 retn
跟随:0127BAFB ^ 0F87 55FEFFFF ja 0127B956
0127B956 33C0 xor eax,eax
0127B958 8A07 mov al,byte ptr ds:[edi]
0127B95A 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127B95D 8B6C83 68 mov ebp,dword ptr ds:[ebx+eax*4+68]
0127B961 8BC6 mov eax,esi
0127B963 FFD5 call ebp
0127B965 8BE8 mov ebp,eax
0127B967 036B 24 add ebp,dword ptr ds:[ebx+24]
0127B96A 03AB E0000000 add ebp,dword ptr ds:[ebx+E0]
0127B970 EB 01 jmp short 0127B973
0127B973 33C0 xor eax,eax
0127B975 8A47 09 mov al,byte ptr ds:[edi+9]
0127B978 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127B97B 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127B97F 8BC6 mov eax,esi
0127B981 FFD2 call edx //call edx 结果在eax
0127B983 807B 20 00 cmp byte ptr ds:[ebx+20],0 //eax 可能是1或0
0127B987 0F85 3D010000 jnz 0127BACA
0127B98D 3C 01 cmp al,1
0127B98F 0F85 35010000 jnz 0127BACA
0127B995 EB 01 jmp short 0127B998
shoooo:
如果是1,当前这个call 01200000处运行时,会重新回到调用地址,再进入导入函数
如果是0,当前这个call 01200000进入导入函数后出来,不过这种方式比较邪恶,它可能做更多的事情
4.获得所有Call 014F0000的地址表:
这里想办法获得程序里“ call 014F0000 ”语句所有的地址,上面代码中“0127B981 FFD2 call edx ”这个点比较好,除了能得到地址表,还能得知晓call 014F0000是按类型1来处理的,还是按类型2来处理的。
OD载入,忽略除内存异常外的所有异常,F9,异常停住,Ctrl+G到0127B981 FFD2 call edx 下断,取消异常忽略,Shift+F9直接断在这里:
0127B981 FFD2 call edx // 断住,patch
0127B983 807B 20 00 cmp byte ptr ds:[ebx+20],0
0127B987 0F85 3D010000 jnz 0127BACA
0127B98D 3C 01 cmp al,1
0127B98F 0F85 35010000 jnz 0127BACA
0127B995 EB 01 jmp short 0127B998
堆栈:
0012FEF8 0000073C // 有73C个加密
0012FEFC FE07987D
0012FF00 0E3169DD
0012FF04 00000000
修改为:
0127B981 - E9 7A462B00 jmp 01530000 // 申请的空间01530000
0127B986 90 nop
0127B987 0F85 3D010000 jnz 0127BACA
0127B98D 3C 01 cmp al,1
0127B98F 0F85 35010000 jnz 0127BACA
0127B995 EB 01 jmp short 0127B998
写上代码:
01530000 FFD2 call edx //壳原来的代码
01530002 60 pushad
01530003 8B1D 30005301 mov ebx,dword ptr ds:[1530030] 取缓存地址,设[1530030]=01530040,需要添入
01530009 C1E0 1F shl eax,1F
0153000C 03C5 add eax,ebp
0153000E 8903 mov dword ptr ds:[ebx],eax
01530010 83C3 04 add ebx,4
01530013 891D 30005301 mov dword ptr ds:[1530030],ebx
01530019 61 popad
0153001A 807B 20 00 cmp byte ptr ds:[ebx+20],0 //壳原来的代码
0153001E - E9 64B9D4FF jmp 0127B987 //跳转回去
写入后数据窗口数据如下:
01530000 FF D2 60 8B 1D 30 00 53 01 C1 E0 1F 03 C5 89 03 ?`?0.S拎?
01530010 83 C3 04 89 1D 30 00 53 01 61 80 7B 20 00 E9 64 ??0.Sa? .殇
01530020 B9 D4 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 乖?............
01530030 40 00 53 01 00 00 00 00 00 00 00 00 00 00 00 00 @.S............
01530040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
其中红色部分需要额外添入,取得的地址就会放到这个地址开始的内存中。
F4到0127BB01:
0127BAF7 833C24 00 cmp dword ptr ss:[esp],0
0127BAFB ^ 0F87 55FEFFFF ja 0127B956 // 如果还有需要处理就跳上去
0127BB01 53 push ebx // F4到这里,处理完毕
0127BB02 E8 5D000000 call 0127BB64
查看数据窗口,此时得到所有API加密的地址:总共73C个
92 32 40 00 98 32 40 00 9E 32 40 00 A4 32 40 00 AA 32 40 00 B0 32 40 00 B6 32 40 00 BC 32 40 00
C2 32 40 00 C8 32 40 00 CE 32 40 00 D4 32 40 00 DA 32 40 00 E0 32 40 00 E6 32 40 00 EC 32 40 00
F2 32 40 00 F8 32 40 00 FE 32 40 00 04 33 40 00 0A 33 40 00 1C 33 40 00 22 33 40 00 28 33 40 00
2E 33 40 00 34 33 40 00 3A 33 40 00 40 33 40 00 46 33 40 00 4C 33 40 00 6A 33 40 00 7C 33 40 00
82 33 40 00 88 33 40 00 8E 33 40 00 94 33 40 00 9A 33 40 00 A6 33 40 00 BE 33 40 00 CA 33 40 00
D6 33 40 00 DC 33 40 00 E2 33 40 00 E8 33 40 00 EE 33 40 00 F4 33 40 00 00 34 40 00 0C 34 40 00
1E 34 40 00 24 34 40 00 2A 34 40 00 30 34 40 00 36 34 40 00 3C 34 40 00 42 34 40 00 48 34 40 00
54 34 40 00 66 34 40 00 6C 34 40 00 78 34 40 00 7E 34 40 00 90 34 40 00 96 34 40 00 9C 34 40 00
A8 34 40 00 AE 34 40 00 B4 34 40 00 BA 34 40 00 C6 34 40 00 CC 34 40 00 D2 34 40 00 D8 34 40 00
DE 34 40 00 E4 34 40 00 EA 34 40 00 F6 34 40 00 FC 34 40 00 02 35 40 00 08 35 40 00 0E 35 40 00
14 35 40 00 1A 35 40 00 20 35 40 00 26 35 40 00 2C 35 40 00 32 35 40 00 38 35 40 00 3E 35 40 00
44 35 40 00 4A 35 40 00 50 35 40 00 56 35 40 00 5C 35 40 00 62 35 40 00 68 35 40 00 6E 35 40 00
74 35 40 00 80 35 40 00 92 35 40 00 98 35 40 00 9E 35 40 00 A4 35 40 80 BC 35 40 80 C2 35 40 80
C8 35 40 00 D4 35 40 80 DA 35 40 80 E0 35 40 80 EC 35 40 80 F2 35 40 00 F8 35 40 80 FE 35 40 80
04 36 40 80 0A 36 40 80 10 36 40 80 16 36 40 80 22 36 40 80 28 36 40 80 34 36 40 80 4C 36 40 80
52 36 40 80 5E 36 40 00 6A 36 40 80 70 36 40 80 76 36 40 80 7C 36 40 80 94 36 40 00 9A 36 40 00
A0 36 40 80 A6 36 40 80 AC 36 40 80 B2 36 40 00 B8 36 40 80 BE 36 40 80 C4 36 40 80 CA 36 40 80
D0 36 40 80 D6 36 40 00 DC 36 40 80 E2 36 40 80 E8 36 40 80 EE 36 40 00 F4 36 40 80 00 37 40 80
06 37 40 80 12 37 40 80 18 37 40 80 24 37 40 80 36 37 40 80 42 37 40 80 48 37 40 80 4E 37 40 80
54 37 40 80 5A 37 40 80 60 37 40 00 66 37 40 80 6C 37 40 80 72 37 40 00 8A 37 40 80 90 37 40 80
3E DA 46 80 68 DA 46 80 FD DA 46 00 1D DB 46 80 B2 DB 46 80 CE DB 46 80 E2 DB 46 80 21 DC 46 00
30 DC 46 80 48 DC 46 80 60 DC 46 80 96 DC 46 80 B1 DC 46 00 C9 DC 46 80 49 DD 46 80 A9 DD 46 80
C0 DD 46 80 13 DE 46 80 2A DE 46 80 7D DE 46 80 94 DE 46 80 E7 DE 46 00 FE DE 46 80 28 DF 46 80
3C DF 46 80 66 DF 46 80 7A DF 46 00 A4 DF 46 80 D1 DF 46 80 E4 DF 46 80 01 E0 46 80 2D E0 46 80
3D E0 46 00 54 E0 46 80 65 E0 46 80 7F E0 46 00 A7 E0 46 80 B7 E0 46 80 09 E1 46 00 31 E1 46 80
41 E1 46 80 77 E1 46 00 9F E1 46 00 AF E1 46 80 E5 E1 46 80 0D E2 46 80 1D E2 46 80 53 E2 46 00
7B E2 46 80 8B E2 46 80 C3 E2 46 80 CC E2 46 80 01 E3 46 80 0A E3 46 80 3F E3 46 80 48 E3 46 80
89 E3 46 80 A8 E3 46 80 D5 E3 46 80 E5 E3 46 80 FC E3 46 80 0F E4 46 00 2C E4 46 00 54 E4 46 80
64 E4 46 80 96 E4 46 80 B6 E4 46 80 75 E5 46 80 8D E5 46 00 9B E5 46 00 AF E5 46 80 BF E5 46 80
34 E6 46 80 4C E6 46 80 5A E6 46 80 6E E6 46 80 7E E6 46 80 F3 E6 46 80 0B E7 46 80 19 E7 46 80
2D E7 46 00 3D E7 46 80 B2 E7 46 80 CA E7 46 00 D8 E7 46 00 EC E7 46 80 FC E7 46 00 71 E8 46 00
89 E8 46 80 97 E8 46 80 AB E8 46 80 BB E8 46 80 30 E9 46 80 48 E9 46 80 56 E9 46 80 6A E9 46 00
7A E9 46 80 07 EA 46 00 1F EA 46 80 2D EA 46 80 41 EA 46 80 51 EA 46 00 C5 EA 46 00 DD EA 46 80
EB EA 46 80 FF EA 46 80 0F EB 46 80 80 EB 46 80 98 EB 46 80 A6 EB 46 80 BA EB 46 00 CA EB 46 80
FC EB 46 80 0C EC 46 80 2C EC 46 80 90 EC 46 80 9F EC 46 00 BB EC 46 80 F6 EC 46 80 35 ED 46 00
40 ED 46 80 47 ED 46 00 52 ED 46 00 5E ED 46 00 04 EE 46 80 26 EE 46 00 32 EE 46 80 4E EE 46 80
B5 EE 46 80 F4 EE 46 80 5B EF 46 80 98 EF 46 00 84 F0 46 80 B2 F0 46 80 18 F1 46 80 66 F1 46 80
CC F1 46 80 FA F1 46 80 61 F2 46 80 9E F2 46 00 D5 F2 46 80 39 F3 46 80 D9 F3 46 00 36 F4 46 80
87 F4 46 80 1E F5 46 00 40 F5 46 80 56 F5 46 00 D0 F5 46 80 34 F6 46 80 DC F6 46 80 39 F7 46 80
72 F7 46 80 82 F7 46 80 9E F7 46 80 AA F7 46 80 0F F8 46 80 46 F8 46 80 AA F8 46 80 4A F9 46 80
A7 F9 46 80 F9 F9 46 80 90 FA 46 80 B2 FA 46 80 C8 FA 46 80 21 FB 46 80 58 FB 46 80 BC FB 46 80
5C FC 46 80 B9 FC 46 80 0B FD 46 00 A2 FD 46 80 C4 FD 46 00 DA FD 46 80 F9 FD 46 80 5F FE 46 80
B3 FE 46 00 19 FF 46 80 47 FF 46 80 82 FF 46 80 C1 FF 46 80 CC FF 46 80 D3 FF 46 80 DE FF 46 80
EA FF 46 80 90 00 47 80 B2 00 47 80 BE 00 47 80 DA 00 47 80 41 01 47 80 C6 01 47 80 B1 02 47 80
DF 02 47 00 45 03 47 80 8C 03 47 80 F3 03 47 80 30 04 47 80 1C 05 47 80 4A 05 47 00 B0 05 47 80
04 06 47 80 6B 06 47 80 A2 06 47 80 09 07 47 80 44 07 47 80 AB 07 47 80 E8 07 47 80 D4 08 47 80
02 09 47 80 68 09 47 80 9B 09 47 00 B7 09 47 80 1D 0A 47 00 43 0A 47 00 4E 0A 47 80 61 0A 47 80
78 0A 47 80 8B 0A 47 80 A1 0A 47 80 AE 0A 47 00 C6 0A 47 00 EA 0A 47 80 E5 0B 47 80 00 0C 47 80
1C 0C 47 00 27 0C 47 00 2E 0C 47 80 39 0C 47 00 45 0C 47 80 D4 0C 47 80 E3 0C 47 00 F9 0C 47 80
80 0D 47 80 30 0F 47 80 B0 0F 47 80 D4 0F 47 80 67 10 47 80 03 11 47 00 28 11 47 80 82 12 47 80
8F 12 47 00 A8 12 47 80 B7 12 47 80 DD 12 47 80 F9 12 47 00 15 13 47 80 31 13 47 80 4D 13 47 80
8A 14 47 80 9C 14 47 80 B2 14 47 80 68 15 47 80 7A 15 47 00 90 15 47 00 40 16 47 80 52 16 47 80
68 16 47 80 18 17 47 80 2A 17 47 80 40 17 47 80 F0 17 47 80 FE 17 47 80 9C 18 47 80 C7 18 47 80
E9 18 47 00 CF 19 47 00 EB 19 47 80 07 1A 47 80 23 1A 47 80 3F 1A 47 80 18 1B 47 00 3E 1B 47 80
4B 1B 47 80 56 1B 47 00 62 1B 47 80 80 1B 47 80 CB 1B 47 00 F6 1B 47 80 03 1C 47 80 55 1C 47 80
14 1D 47 00 1F 1D 47 80 26 1D 47 80 93 1D 47 80 9C 1D 47 80 A5 1D 47 00 BB 1D 47 80 D7 1D 47 80
64 1E 47 80 7A 1E 47 80 A1 1E 47 80 15 1F 47 80 45 1F 47 80 6C 1F 47 80 8C 1F 47 80 9D 1F 47 80
BC 1F 47 00 D2 1F 47 80 F9 1F 47 80 38 20 47 80 E8 20 47 80 F2 20 47 00 12 21 47 80 1E 21 47 80
57 21 47 80 BE 21 47 80 FE 21 47 80 36 22 47 80 86 22 47 00 9A 22 47 80 DB 22 47 80 E9 23 47 80
0D 24 47 00 32 24 47 00 44 24 47 80 50 24 47 00 6F 24 47 80 05 25 47 80 2A 25 47 00 C1 25 47 80
55 26 47 80 6B 26 47 80 FA 26 47 80 16 27 47 80 3C 27 47 00 60 27 47 80 86 27 47 80 B8 27 47 80
DE 27 47 80 0B 28 47 80 1B 28 47 80 33 28 47 80 6B 28 47 80 31 29 47 80 3C 29 47 80 43 29 47 80
B0 29 47 80 B9 29 47 00 C2 29 47 80 D8 29 47 80 F4 29 47 80 81 2A 47 80 97 2A 47 80 BE 2A 47 80
2F 2B 47 00 5F 2B 47 80 86 2B 47 80 A6 2B 47 80 B7 2B 47 80 D6 2B 47 80 EC 2B 47 80 13 2C 47 80
52 2C 47 80 02 2D 47 80 0C 2D 47 80 2C 2D 47 00 38 2D 47 00 71 2D 47 80 D8 2D 47 80 14 2E 47 80
4C 2E 47 80 9C 2E 47 00 B0 2E 47 80 F1 2E 47 80 FF 2F 47 80 23 30 47 80 48 30 47 80 5A 30 47 80
66 30 47 00 85 30 47 80 1B 31 47 80 40 31 47 00 D7 31 47 00 6B 32 47 80 81 32 47 80 10 33 47 00
2C 33 47 80 52 33 47 00 76 33 47 80 9C 33 47 80 CE 33 47 80 F4 33 47 80 21 34 47 00 31 34 47 00
49 34 47 00 81 34 47 00 41 35 47 80 4C 35 47 80 53 35 47 80 C0 35 47 80 C9 35 47 80 D2 35 47 80
E8 35 47 80 04 36 47 80 91 36 47 80 A7 36 47 80 CE 36 47 80 3F 37 47 80 6F 37 47 80 96 37 47 80
B6 37 47 80 C7 37 47 80 E6 37 47 00 FC 37 47 80 23 38 47 80 62 38 47 80 12 39 47 80 1C 39 47 00
3C 39 47 00 48 39 47 00 81 39 47 80 E8 39 47 80 24 3A 47 80 5C 3A 47 80 AC 3A 47 80 C0 3A 47 00
01 3B 47 80 0F 3C 47 00 33 3C 47 80 58 3C 47 80 6A 3C 47 80 76 3C 47 80 95 3C 47 80 2B 3D 47 80
50 3D 47 80 E7 3D 47 80 7B 3E 47 80 91 3E 47 80 20 3F 47 80 3C 3F 47 80 62 3F 47 80 86 3F 47 80
AC 3F 47 80 DE 3F 47 80 04 40 47 80 31 40 47 80 41 40 47 80 59 40 47 80 91 40 47 80 4F 41 47 80
5A 41 47 80 61 41 47 80 C7 41 47 80 D0 41 47 00 D9 41 47 80 EF 41 47 80 0B 42 47 80 8A 42 47 80
A0 42 47 80 BC 42 47 80 46 43 47 80 5C 43 47 80 83 43 47 80 A7 43 47 80 16 44 47 80 4E 44 47 80
0C 45 47 80 38 45 47 80 8E 45 47 80 99 45 47 80 BE 45 47 80 CE 45 47 80 E6 45 47 80 FF 45 47 80
69 46 47 00 8D 46 47 80 B2 46 47 80 C4 46 47 80 D0 46 47 80 1A 47 47 80 52 47 47 80 9F 47 47 80
AA 47 47 80 B1 47 47 80 BC 47 47 80 E2 47 47 80 F2 47 47 80 3C 48 47 80 14 49 47 80 6E 49 47 80
92 49 47 80 B7 49 47 80 C9 49 47 80 D5 49 47 80 F4 49 47 80 75 4A 47 80 9A 4A 47 80 26 4B 47 80
B2 4B 47 80 C8 4B 47 80 58 4C 47 80 74 4C 47 80 9A 4C 47 80 BE 4C 47 80 E4 4C 47 80 16 4D 47 80
3C 4D 47 80 62 4D 47 80 88 4D 47 80 B5 4D 47 80 C5 4D 47 80 DD 4D 47 80 1A 4E 47 80 CF 4E 47 80
DA 4E 47 80 E1 4E 47 80 47 4F 47 80 50 4F 47 80 59 4F 47 80 6F 4F 47 80 8B 4F 47 80 0A 50 47 80
20 50 47 80 3C 50 47 80 C6 50 47 80 DC 50 47 80 03 51 47 80 27 51 47 80 96 51 47 80 CE 51 47 80
8C 52 47 80 B8 52 47 80 0E 53 47 80 19 53 47 80 3E 53 47 80 4E 53 47 80 66 53 47 80 7F 53 47 80
E9 53 47 80 0D 54 47 80 32 54 47 80 44 54 47 80 50 54 47 80 9A 54 47 80 D2 54 47 80 1F 55 47 80
2A 55 47 80 31 55 47 80 3C 55 47 80 62 55 47 80 72 55 47 80 BC 55 47 80 94 56 47 80 EE 56 47 80
12 57 47 80 37 57 47 80 74 57 47 00 F5 57 47 80 1A 58 47 80 A6 58 47 80 5D 5B 47 80 9A 5B 47 80
4F 5C 47 80 C7 5C 47 80 8A 5D 47 80 BC 5D 47 80 52 62 47 80 BE 67 47 80 62 68 47 80 88 68 47 80
DD 68 47 80 91 6C 47 80 00 6D 47 80 09 6D 47 80 1F 6D 47 80 BA 6D 47 80 8C 6E 47 80 D7 6E 47 80
3C 70 47 80 EE 70 47 80 2F 71 47 80 00 72 47 80 82 72 47 80 CF 72 47 80 44 74 47 80 9E 74 47 80
05 75 47 80 F8 76 47 80 CA 77 47 80 EE 77 47 80 FF 79 47 80 77 7A 47 80 50 7B 47 80 96 7E 47 80
A2 80 47 80 62 84 47 80 12 86 47 80 65 86 47 80 8D 86 47 80 F7 87 47 80 00 88 47 80 76 89 47 80
8C 89 47 80 D7 89 47 80 C9 8B 47 80 2F 8C 47 80 EC 8D 47 80 22 8E 47 80 6C 8E 47 80 CA 90 47 80
F8 91 47 80 6C 93 47 80 92 93 47 80 FF 94 47 80 F6 96 47 80 33 97 47 80 49 99 47 80 C4 9C 47 80
67 9D 47 80 24 A0 47 80 36 A2 47 80 8D A2 47 80 94 A2 47 80 F4 A2 47 80 FC A4 47 80 07 A5 47 80
68 A7 47 80 C3 A7 47 80 70 A8 47 80 95 A8 47 80 85 AA 47 80 A0 AB 47 80 36 AC 47 80 06 AD 47 80
38 AD 47 80 B1 AD 47 80 C7 AD 47 80 39 AE 47 80 27 AF 47 80 00 B0 47 80 CF B4 47 80 01 B5 47 80
54 B5 47 80 66 B6 47 80 94 B6 47 80 B1 B7 47 80 12 B8 47 80 41 BA 47 80 CF BB 47 80 43 BE 47 80
85 BE 47 80 A9 BE 47 80 74 BF 47 80 C4 BF 47 80 4A C0 47 80 82 C0 47 80 06 C1 47 80 B1 C1 47 80
CF C5 47 80 EE C5 47 80 C4 C7 47 80 C4 C9 47 80 4A CA 47 80 F4 CA 47 80 06 CB 47 80 B1 CB 47 80
FC CC 47 80 07 CD 47 80 41 CE 47 80 B1 CF 47 80 C3 CF 47 80 23 D1 47 80 AE D1 47 80 C4 D1 47 80
27 D3 47 80 31 D4 47 80 C7 D4 47 80 D9 D4 47 80 91 D5 47 80 AC D5 47 80 18 D7 47 80 71 D9 47 80
BB DA 47 80 2B DB 47 80 4E DB 47 80 CD DC 47 80 50 DE 47 80 C5 DE 47 80 29 DF 47 80 92 E0 47 80
BD E0 47 80 21 E2 47 80 40 E2 47 80 8A E2 47 80 B5 E2 47 80 19 E4 47 80 AD E4 47 80 54 E6 47 80
0C E7 47 80 05 E8 47 80 21 E8 47 80 1C E9 47 80 A1 EA 47 80 20 EB 47 80 8E ED 47 80 5C EF 47 80
A8 F0 47 80 96 F3 47 80 ED F3 47 80 D7 F6 47 80 F9 F6 47 80 0A F8 47 80 D5 F8 47 80 51 F9 47 80
B4 F9 47 80 CD FA 47 80 28 FC 47 80 51 FC 47 80 AE FC 47 80 D3 FC 47 80 F5 FC 47 80 24 01 48 80
50 01 48 80 76 02 48 80 27 04 48 80 92 05 48 80 AB 06 48 80 D6 06 48 80 FA 06 48 80 9E 07 48 80
58 08 48 80 8F 08 48 80 9F 08 48 80 B2 08 48 80 C2 08 48 80 95 09 48 80 84 0A 48 80 E2 0A 48 80
B7 0B 48 80 C3 0B 48 80 37 10 48 80 26 12 48 80 3C 12 48 80 63 12 48 80 AA 14 48 80 39 15 48 80
40 16 48 80 AE 16 48 80 F8 16 48 80 98 18 48 80 58 19 48 80 7E 19 48 80 AC 19 48 80 F1 19 48 80
25 1A 48 80 07 1B 48 80 10 1B 48 80 9D 1B 48 80 CE 1B 48 80 25 1C 48 80 E1 1C 48 80 75 1F 48 80
CE 1F 48 80 B7 20 48 80 D7 20 48 80 01 21 48 80 3B 21 48 80 66 21 48 80 CF 21 48 80 0A 22 48 80
2A 23 48 80 06 24 48 80 94 24 48 80 1B 25 48 80 46 26 48 80 22 2B 48 80 F2 2B 48 80 AB 2E 48 80
B6 2E 48 80 CB 2E 48 80 EB 2E 48 80 F2 2E 48 80 06 2F 48 80 4B 30 48 80 60 30 48 80 80 30 48 80
C1 30 48 80 D9 31 48 80 1A 33 48 80 4F 33 48 80 68 33 48 80 9C 33 48 80 C0 34 48 80 21 35 48 80
84 36 48 80 91 37 48 80 B1 37 48 80 E7 37 48 80 FF 3B 48 80 29 3C 48 80 A5 3D 48 80 BA 3D 48 80
E8 3E 48 80 08 3F 48 80 13 3F 48 80 6B 40 48 80 A6 40 48 80 53 41 48 80 46 42 48 80 5A 42 48 80
A9 43 48 80 D8 43 48 80 EE 44 48 80 F9 44 48 80 31 45 48 80 38 45 48 80 50 45 48 80 74 46 48 80
7F 46 48 80 ED 47 48 80 38 48 48 80 25 49 48 80 75 4B 48 80 85 4B 48 80 40 4C 48 80 55 4C 48 80
81 4D 48 80 98 4E 48 80 B8 4E 48 80 CD 4E 48 80 C4 4F 48 80 EF 4F 48 80 F9 4F 48 80 0B 50 48 80
1F 50 48 80 30 51 48 80 80 52 48 80 95 52 48 80 BB 52 48 80 DC 53 48 80 11 54 48 80 4A 54 48 80
07 55 48 80 1C 55 48 80 8E 56 48 80 98 56 48 80 A3 56 48 80 AE 56 48 80 D0 57 48 80 DB 57 48 80
FB 57 48 80 29 58 48 80 F2 58 48 80 FC 58 48 80 07 59 48 80 2E 59 48 80 53 5A 48 80 81 5A 48 80
6A 5B 48 80 74 5B 48 80 AD 5B 48 80 80 5C 48 80 8B 5C 48 80 D9 5C 48 80 AC 5D 48 80 CE 5E 48 80
1E 5F 48 80 EF 5F 48 80 5D 60 48 80 22 61 48 80 63 61 48 80 97 63 48 80 1D 64 48 80 4F 64 48 80
B7 64 48 80 02 65 48 80 2A 66 48 80 F3 66 48 80 12 68 48 80 EF 68 48 80 05 69 48 80 44 6A 48 80
62 6A 48 80 87 6E 48 80 9C 6E 48 80 42 6F 48 80 E8 6F 48 80 49 71 48 80 5E 71 48 80 6E 71 48 80
7A 71 48 80 04 72 48 80 CF 72 48 80 DB 72 48 80 FD 73 48 80 30 74 48 80 C6 74 48 80 8B 75 48 80
97 75 48 80 2F 76 48 80 B6 76 48 80 1F 79 48 80 5F 7A 48 80 F2 7F 48 80 62 83 48 80 BD 83 48 80
22 84 48 80 D3 85 48 80 F7 85 48 80 03 86 48 80 68 86 48 80 2D 87 48 80 E5 89 48 80 81 8C 48 80
97 8C 48 80 67 8E 48 80 8D 8E 48 80 C8 8E 48 80 1F 8F 48 80 14 90 48 80 D7 91 48 80 C6 93 48 80
D2 93 48 80 BB 96 48 80 50 99 48 80 41 9A 48 80 F8 9B 48 80 68 9C 48 80 34 9D 48 80 87 9E 48 80
B1 9E 48 80 EA A1 48 80 08 A2 48 80 21 A2 48 80 A8 A2 48 80 1B A4 48 80 69 A4 48 80 95 A4 48 80
BC A4 48 80 0E A5 48 80 45 A5 48 80 C0 A7 48 80 F4 A7 48 80 0D A9 48 80 A6 A9 48 80 74 AA 48 80
A6 AA 48 80 CD AA 48 80 A8 AB 48 80 B3 AB 48 80 D6 AB 48 80 F1 AC 48 80 16 AE 48 80 86 AF 48 80
23 B0 48 80 9C B1 48 80 59 B2 48 80 D4 B2 48 80 91 B3 48 80 AB B5 48 80 0E B7 48 80 54 B8 48 80
B5 BA 48 80 D4 BA 48 80 5A BB 48 80 95 BB 48 80 9A BC 48 80 4D BE 48 80 88 BE 48 80 54 C0 48 80
22 C2 48 80 4F C3 48 80 8E C4 48 80 5A C5 48 80 1C C6 48 80 47 C7 48 80 61 C7 48 80 C4 C7 48 80
D4 C8 48 80 31 C9 48 80 D5 C9 48 80 1B CA 48 80 A5 CB 48 80 01 CD 48 80 E2 CD 48 80 B1 CE 48 80
4C CF 48 80 2F D0 48 80 22 D2 48 80 3A D2 48 80 07 D3 48 80 B1 D3 48 80 D7 D3 48 80 EB D3 48 80
84 D5 48 80 C5 D8 48 80 E7 D8 48 80 C7 DA 48 80 01 DB 48 80 EC DB 48 80 1E DC 48 80 43 DC 48 80
5B DC 48 80 89 DC 48 80 23 DD 48 80 E9 DD 48 80 90 DF 48 80 F2 E2 48 80 52 E4 48 80 68 E4 48 80
15 E7 48 80 67 E7 48 80 6E E7 48 80 68 E9 48 80 D2 E9 48 80 B5 EA 48 80 25 EC 48 80 4B EC 48 80
11 ED 48 80 3A EE 48 80 52 EE 48 80 EB EE 48 80 C9 EF 48 80 A3 F0 48 80 AF F2 48 80 86 F3 48 80
EC F4 48 80 47 F5 48 80 9A F5 48 80 9D F6 48 80 D4 F6 48 80 9A F7 48 80 36 F8 48 80 B5 F8 48 80
5C FA 48 80 BE FA 48 80 D2 FA 48 80 A2 FC 48 80 1C FD 48 80 30 FF 48 80 43 FF 48 80 5B FF 48 80
BC 00 49 80 3A 01 49 80 97 01 49 80 FF 01 49 80 4C 02 49 80 06 04 49 80 F0 04 49 80 57 06 49 80
77 06 49 80 C1 07 49 80 CC 07 49 80 12 08 49 80 82 08 49 80 9A 08 49 80 46 0A 49 80 97 0A 49 80
4D 0B 49 80 C4 0C 49 80 23 0D 49 80 26 0E 49 80 B0 0F 49 80 F3 0F 49 80 5B 10 49 80 66 10 49 80
15 12 49 80 CA 12 49 80 FA 13 49 80 C2 15 49 80 A2 16 49 80 1C 19 49 80 E7 19 49 80 F2 19 49 80
FE 1A 49 80 E0 1C 49 80 F4 1C 49 80 AE 1D 49 80 CD 1D 49 80 03 1E 49 80 9B 1E 49 80 CF 1E 49 80
10 20 49 80 A2 20 49 80 22 21 49 80 86 21 49 80 36 23 49 80 00 24 49 80 D0 25 49 80 4A 27 49 80
73 27 49 80 D4 27 49 80 2D 28 49 80 39 28 49 80 F7 28 49 80 8F 29 49 80 A4 29 49 80 CD 29 49 80
64 2A 49 80 6C 2B 49 80 E0 2B 49 80 81 2C 49 80 88 2C 49 80 D2 2C 49 80 1B 2D 49 80 7F 2D 49 80
A0 2D 49 80 BC 2D 49 80 1C 2F 49 80 E2 30 49 80 73 32 49 80 57 33 49 80 AF 33 49 80 FC 34 49 80
3A 36 49 80 75 36 49 80 1F 38 49 80 0F 39 49 80 38 39 49 80 40 3A 49 80 AF 3B 49 80 F5 3B 49 80
2E 3D 49 80 10 3E 49 80 9B 41 49 80 8B 43 49 80 90 46 49 80 C3 46 49 80 54 47 49 80 89 47 49 80
95 47 49 80 AC 48 49 80 B4 49 49 80 71 4A 49 80 BA 4A 49 80 9A 4B 49 80 4F 4D 49 80 5C 4D 49 80
EB 4D 49 80 36 4E 49 80 F1 4E 49 80 38 50 49 80 B9 50 49 80 22 52 49 80 39 52 49 80 15 53 49 80
02 54 49 80 B2 54 49 80 1C 55 49 80 83 56 49 80 7C 58 49 80 20 5B 49 80 CD 5E 49 80 CD 5F 49 80
19 61 49 80 CF 67 49 80 39 68 49 80 45 68 49 80 82 69 49 80 F6 6A 49 80 40 6B 49 80 A9 6B 49 80
09 6C 49 80 18 6C 49 80 04 6D 49 80 86 6D 49 80 34 6E 49 80 62 6E 49 80 FF 6E 49 80 E0 74 49 80
57 75 49 80 0F 79 49 80 71 79 49 80 B4 7A 49 80 DF 7A 49 80 67 7B 49 80 B6 7B 49 80 31 7C 49 80
82 7C 49 80 CE 7C 49 80 2B 7D 49 80 5B 7D 49 80 6D 7D 49 80 BD 7D 49 80 6E 7E 49 80 AF 7F 49 80
91 80 49 80 10 82 49 80 68 82 49 80 1E 83 49 80 FA 87 49 80 9D 8A 49 80 C8 8A 49 80 7A 8B 49 80
96 8B 49 80 A9 8B 49 80 0D 8C 49 80 75 8C 49 80 11 8D 49 80 29 8D 49 80 7C 8D 49 80 D9 8E 49 80
59 91 49 80 6F 91 49 80 89 91 49 80 28 92 49 80 D6 92 49 80 A8 94 49 80 FC 94 49 80 B3 96 49 80
E3 98 49 80 F6 99 49 80 7A 9A 49 80 94 9A 49 80 16 9B 49 80 81 9B 49 80 D0 9B 49 80 42 9D 49 80
E2 9D 49 80 F4 9E 49 80 CA 9F 49 80 FC A5 49 80 41 A7 49 80 80 A8 49 80 33 AA 49 80 95 AA 49 80
A7 AB 49 80 F8 AB 49 80 1E AC 49 80 4F AD 49 80 AC AD 49 80 36 AE 49 80 62 AE 49 80 C0 AE 49 80
7F B0 49 80 16 B1 49 80 26 B1 49 80 1F B4 49 80 FA B4 49 80 9E B5 49 80 CE B6 49 80 E2 B7 49 80
11 B9 49 80 7F B9 49 80 16 BA 49 80 27 BB 49 80 E0 BB 49 80 20 BC 49 80 F3 BC 49 80 A0 C3 49 80
09 C5 49 80 9D C5 49 80 AF C6 49 80 B9 C6 49 80 F9 C7 49 80 56 C9 49 80 AB C9 49 80 B4 C9 49 80
EE C9 49 80 F8 C9 49 80 43 CA 49 80 38 CD 49 80 9D CF 49 80 6B D0 49 80 4F D1 49 80 A5 D1 49 80
85 D2 49 80 BF D2 49 80 0E D3 49 80 3C D3 49 80 0E D4 49 80 78 D4 49 80 CB D4 49 80 03 D5 49 80
57 D5 49 80 F6 D5 49 80 AC D6 49 80 20 D7 49 80 B9 D7 49 80 0B D8 49 80 1E D8 49 80 20 D9 49 80
46 D9 49 80 A7 D9 49 80 01 DA 49 80 2E DA 49 80 7C DB 49 80 9E DB 49 80 F0 DB 49 80 13 DD 49 80
48 DF 49 80 A1 DF 49 80 AD DF 49 80 08 E0 49 80 5C E2 49 80 BF E2 49 80 4C E3 49 80 B0 E4 49 80
44 E6 49 80 84 E6 49 80 6E E7 49 80 C5 EA 49 80 19 EB 49 80 39 EB 49 80 E1 ED 49 80 07 EE 49 80
5D F2 49 80 7D F2 49 80 93 F3 49 80 E5 F5 49 80 32 F6 49 80 2E F7 49 80 B1 F7 49 80 4E F8 49 80
FD F8 49 80 C0 F9 49 80 26 FA 49 80 FB FB 49 80 16 FC 49 80 66 FC 49 80 81 FC 49 80 87 FC 49 80
CD FC 49 80 3A FE 49 80 16 FF 49 80 B5 FF 49 80 2B 00 4A 80 18 02 4A 80 51 02 4A 80 58 03 4A 80
88 05 4A 80 DB 08 4A 80 E4 08 4A 80 46 0A 4A 80 66 0A 4A 80 9C 0B 4A 80 8F 0C 4A 80 00 0D 4A 80
72 0D 4A 80 EA 0D 4A 80 73 0F 4A 80 2A 10 4A 80 92 10 4A 80 0A 11 4A 80 AD 11 4A 80 84 12 4A 80
20 14 4A 80 F3 14 4A 80 63 15 4A 80 89 15 4A 80 F5 15 4A 80 00 17 4A 80 5B 17 4A 80 86 17 4A 80
8F 17 4A 80 AF 17 4A 80 BA 17 4A 80 25 19 4A 80 03 1A 4A 80 98 1B 4A 80 01 1C 4A 80 71 1C 4A 80
19 1E 4A 80 98 1E 4A 80 E8 1E 4A 80 93 1F 4A 80 A5 1F 4A 80 12 20 4A 80 62 20 4A 80 E5 20 4A 80
1F 21 4A 80 9C 21 4A 80 17 22 4A 80 23 23 4A 80 3B 23 4A 80 1B 24 4A 80 52 25 4A 80 82 26 4A 80
B3 26 4A 80 31 27 4A 80 59 27 4A 80 92 27 4A 80 AA 27 4A 80 B6 2B 4A 80 CA 2B 4A 80 4B 2C 4A 80
E9 2D 4A 80 BE 2E 4A 80 F5 30 4A 80 0F 32 4A 80 79 33 4A 80 9D 33 4A 80 B7 34 4A 80 C7 34 4A 80
E3 35 4A 80 27 37 4A 80 95 3A 4A 80 F5 3A 4A 80 36 3B 4A 80 C9 3B 4A 80 A0 3D 4A 80 B5 3D 4A 80
4F 3E 4A 80 F0 3E 4A 80 D6 3F 4A 80 66 40 4A 80 36 43 4A 80 5E 43 4A 80 86 43 4A 80 75 45 4A 80
AD 45 4A 80 25 47 4A 80 75 47 4A 80 DD 47 4A 80 DC 4A 4A 80 F0 4A 4A 80 19 4D 4A 80 7C 4D 4A 80
74 4F 4A 80 8C 4F 4A 80 09 50 4A 80 D4 50 4A 80 EC 50 4A 80 33 51 4A 80 12 52 4A 80 27 52 4A 80
31 52 4A 80 76 52 4A 80 E7 52 4A 80 51 54 4A 80 5E 54 4A 80 14 55 4A 80 AC 55 4A 80 07 56 4A 80
3E 56 4A 80 8F 56 4A 80 1D 5D 4A 80 73 5D 4A 80 25 5F 4A 80 E0 60 4A 80 01 61 4A 80 A8 61 4A 80
F6 61 4A 80 AC 62 4A 80 BE 62 4A 80 A4 63 4A 80 B6 65 4A 80 40 66 4A 80 C6 66 4A 80 01 68 4A 80
1E 68 4A 80 04 69 4A 80 BA 6B 4A 80 65 6C 4A 80 6E 6C 4A 80 71 6D 4A 80 08 6E 4A 80 F8 6E 4A 80
04 6F 4A 80 15 6F 4A 80 D5 6F 4A 80 68 70 4A 80 9A 70 4A 80 D2 71 4A 80 AE 72 4A 80 07 74 4A 80
23 74 4A 80 A6 74 4A 80 AA 75 4A 80 C6 76 4A 80 D9 77 4A 80 E6 77 4A 80 BE 7A 4A 80 D5 7A 4A 80
42 7B 4A 80 1F 7D 4A 80 C0 7D 4A 80 96 7E 4A 80 BB 7F 4A 80 1B 80 4A 80 46 80 4A 80 30 81 4A 80
42 81 4A 80 83 81 4A 80 88 83 4A 80 87 85 4A 80 B9 85 4A 80 47 86 4A 80 B3 88 4A 80 52 89 4A 80
35 8A 4A 80 62 8A 4A 80 E4 8A 4A 80 98 8B 4A 80 06 8E 4A 80 B6 8E 4A 80 8D 8F 4A 80 DD 8F 4A 80
0F 90 4A 80 04 91 4A 80 AC 94 4A 80 C7 94 4A 80 08 95 4A 80 C8 95 4A 80 E5 95 4A 80 2F 96 4A 80
97 97 4A 80 6D 98 4A 80 D7 99 4A 80 2A 9B 4A 80 8B 9C 4A 80 37 9E 4A 80 90 9F 4A 80 32 A0 4A 80
23 A3 4A 80 3F A3 4A 80 C2 A3 4A 80 A5 A4 4A 80 22 A5 4A 80 FF A5 4A 80 90 A7 4A 80 9D A7 4A 80
6B AA 4A 80 75 AA 4A 80 56 AD 4A 80 63 AD 4A 80 E2 AD 4A 80 32 AE 4A 80 CC AE 4A 80 0F B0 4A 80
44 B0 4A 80 2D B1 4A 80 6A B1 4A 80 87 B2 4A 80 91 B2 4A 80 20 B3 4A 80 2A B3 4A 80 55 B3 4A 80
E2 B3 4A 80 23 B4 4A 80 10 B5 4A 80 DD B6 4A 80 F4 B6 4A 80 24 B7 4A 80 3F B8 4A 80 BC B8 4A 80
4D B9 4A 80 72 B9 4A 80 7C BA 4A 80 D3 BA 4A 80 0F BB 4A 80 EA BC 4A 80 CC BD 4A 80 79 BF 4A 80
91 BF 4A 80 BA C4 4A 00 D7 C4 4A 00 BF C9 4A 00 DB CC 4A 00 76 CE 4A 00 8F D0 4A 00 31 D2 4A 00
43 D6 4A 00 B0 D9 4A 00 94 DE 4A 00 72 E7 4A 00 EB F0 4A 00 C1 F5 4A 00 46 00 4B 00 51 04 4B 00
8A 0E 4B 00 26 29 4B 00 E3 2E 4B 00 D1 3F 4B 00 00 49 4B 00 00 4F 4B 80 BA 56 4B 00 F4 56 4B 00
4C 5D 4B 00 EB 69 4B 00 64 6C 4B 00 EA 70 4B 00 66 76 4B 80 41 94 4B 00 83 97 4B 00 4A 9F 4B 80
CC A0 4B 00 5A B0 4B 00 7C B0 4B 00 60 C4 4B 00 07 CD 4B 00 6A D2 4B 00 46 DD 4B 00 7A DE 4B 00
6B DF 4B 00 9E E2 4B 00 6E E5 4B 80 A4 E5 4B 00 48 E8 4B 00 08 08 4C 00 45 0C 4C 00 8B 0D 4C 80
79 26 4C 00 02 2E 4C 00 E2 30 4C 00 C5 35 4C 00 E0 36 4C 00 4C 3E 4C 80 1A 51 4C 00 DF 56 4C 00
0E 57 4C 00 7E 5A 4C 00 4D 66 4C 00 17 6C 4C 80 05 76 4C 00 A1 76 4C 00 C7 98 4C 80 A3 AA 4C 80
DD AE 4C 80 4C AF 4C 00 B5 AF 4C 00 63 B0 4C 00 A0 B0 4C 00 12 B2 4C 00 F4 BA 4C 00 E1 D4 4C 00
56 DC 4C 00 CF E4 4C 00 8C F9 4C 00 F0 F9 4C 00 11 01 4D 00 72 0E 4D 00 CB 10 4D 00 2A 1A 4D 00
0C 34 4D 80 8E 47 4D 00 1B 49 4D 00 95 52 4D 80 9F 5D 4D 00 EA 5E 4D 80 01 61 4D 00 E8 61 4D 00
28 6C 4D 00 79 76 4D 80 AD 78 4D 00 13 7B 4D 00 5E 81 4D 00 B1 8B 4D 00 08 A2 4D 00 AA AF 4D 00
D8 B5 4D 00 9C B7 4D 80 74 BE 4D 00 F7 BF 4D 00 FE C3 4D 00 F7 C4 4D 00 36 C5 4D 00 19 CA 4D 80
CB CF 4D 00 8B D3 4D 00 E5 DE 4D 00 6A E9 4D 00 89 EE 4D 00 C5 F7 4D 00 41 FA 4D 00 4C 00 4E 80
81 01 4E 00 E7 01 4E 00 0C 03 4E 00 ED 06 4E 80 E4 07 4E 00 09 0E 4E 80 FC 14 4E 00 D1 15 4E 80
EC 1D 4E 00 FA 2F 4E 00 D7 30 4E 00 B0 31 4E 00 01 36 4E 00 C6 3D 4E 00 57 53 4E 00 34 54 4E 00
D9 62 4E 00 2A 67 4E 00 63 72 4E 00 40 73 4E 00 E8 8F 4E 00 C5 90 4E 00 12 95 4E 00 63 99 4E 00
68 B2 4E 00 45 B3 4E 00 02 BB 4E 00 AF C9 4E 00 58 D8 4E 00 A9 DC 4E 00 86 DD 4E 00 63 DE 4E 00
AE E2 4E 00 FA E2 4E 00 3E E3 4E 00 74 E3 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
其中地址的高位为00与80,分别对应0,1。
5.Advanced Import Protection的函数修复:
经过上面分析,现在可以写修复代码了,每个被加密的函数都从call 014F0000进入,在计算过程中某个点,其调用函数名会显示出来,因此我们在这个出口设断取得函数地址。
a情况:
0127B7E9 8945 FC mov dword ptr ss:[ebp-4],eax // [ebp-4]是解密出来的API
0127B819 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; 这里下断,[ebp-4C]就是我们要的函数
b情况:
FF15:
0127A7FC 0145 FC add dword ptr ss:[ebp-4],eax ; [ebp-4]是解密出来的API
0127A7FF EB 01 jmp short 0127A802 ; 这里下断,[ebp-4]就是我们要的函数
FF25:
0127A8AE 0145 FC add dword ptr ss:[ebp-4],eax ; [ebp-4]是解密出来的API
0127A8B1 8D45 0C lea eax,dword ptr ss:[ebp+C] ; 这里下断,[ebp-4]就是我们要的函数
因为是VB的程序,IAT并没有加密,范围从401000到401398。
还记得第4节获得的地址表吧,现在可以用上了,写个补丁程序,扫描这个地址表,依次从表里的每个地址(这些地址都是call 014F0000形式的)进入,然后在0127A7FF或0127A8B1或0127B819这3个出口处获得函数地址,扫描IAT表,将找到的IAT地址写入程序代码中。
016C0000 A1 C0006C01 mov eax,dword ptr ds:[16C00C0] ; 指向待处理的地址列表
016C0005 8B18 mov ebx,dword ptr ds:[eax]
016C0007 81E3 FFFFFF7F and ebx,7FFFFFFF
016C000D FFE3 jmp ebx
016C000F 0000 add byte ptr ds:[eax],al
016C0011 0000 add byte ptr ds:[eax],al
016C0013 0000 add byte ptr ds:[eax],al
016C0015 0000 add byte ptr ds:[eax],al
016C0017 0000 add byte ptr ds:[eax],al
016C0019 0000 add byte ptr ds:[eax],al
016C001B 0000 add byte ptr ds:[eax],al
016C001D 0000 add byte ptr ds:[eax],al
016C001F 0000 add byte ptr ds:[eax],al ; 以下处理b情况
016C0021 BF C0006C01 mov edi,16C00C0 ; 指向需要处理的API地址表
016C0026 8B07 mov eax,dword ptr ds:[edi]
016C0028 8B18 mov ebx,dword ptr ds:[eax]
016C002A 81FB FFFFFF7F cmp ebx,7FFFFFFF
016C0030 79 49 jns short 016C007B ; 高位是1的走这条路线(跳),即处理a方式
016C0032 837D D4 FF cmp dword ptr ss:[ebp-2C],-1 ; 如为-1,导入函数调用是干净
016C0036 74 0F je short 016C0047
016C0038 8B47 04 mov eax,dword ptr ds:[edi+4] ; 存放那些下一句被抽的API的CALL
016C003B 8B1F mov ebx,dword ptr ds:[edi] ; 指向待处理的API列表
016C003D 8B1B mov ebx,dword ptr ds:[ebx]
016C003F 8918 mov dword ptr ds:[eax],ebx
016C0041 83C0 04 add eax,4
016C0044 8947 04 mov dword ptr ds:[edi+4],eax
016C0047 8B5D FC mov ebx,dword ptr ss:[ebp-4] ; ebp-4是获得的API函数地址
016C004A E8 46000000 call 016C0095 ; 在IAT里搜索,正确的IAT项从ESI中返回
016C004F B0 F7 mov al,0F7 ; 决定是ff15还是ff25,不同软件AL的值不同
016C0051 66:B9 FF15 mov cx,15FF
016C0055 3A45 EF cmp al,byte ptr ss:[ebp-11]
016C0058 74 05 je short 016C005F
016C005A 66:81C1 0010 add cx,1000
016C005F 8B07 mov eax,dword ptr ds:[edi] ; 指向待处理的API列表
016C0061 8B18 mov ebx,dword ptr ds:[eax]
016C0063 81E3 FFFFFF7F and ebx,7FFFFFFF ; 将高1位清除
016C0069 83C0 04 add eax,4 ; 指向下一个地址
016C006C 8907 mov dword ptr ds:[edi],eax
016C006E 66:890B mov word ptr ds:[ebx],cx
016C0071 83C3 02 add ebx,2
016C0074 8933 mov dword ptr ds:[ebx],esi
016C0076 ^ EB 88 jmp short 016C0000
016C0078 90 nop
016C0079 90 nop
016C007A 90 nop ; 以下处理a情况
016C007B 8B5D B4 mov ebx,dword ptr ss:[ebp-4C] ; ebp-4c是获得的API函数地址
016C007E E8 12000000 call 016C0095 ; 在IAT里搜索,正确的IAT项从ESI中返回
016C0083 B0 F7 mov al,0F7
016C0085 66:B9 FF15 mov cx,15FF
016C0089 3AC2 cmp al,dl ; dl中的值决定了是call(ff15)还是jmp(ff25)
016C008B ^ 74 D2 je short 016C005F
016C008D ^ EB CB jmp short 016C005A
016C008F 0000 add byte ptr ds:[eax],al
016C0091 0000 add byte ptr ds:[eax],al
016C0093 0000 add byte ptr ds:[eax],al ; 以下这个CALL搜索IAT中的指定项
016C0095 BE 00104000 mov esi,401000 ; IAT起始地址
016C009A 391E cmp dword ptr ds:[esi],ebx
016C009C 74 0D je short 016C00AB
016C009E 83C6 04 add esi,4
016C00A1 81FE 98134000 cmp esi,401398 ; IAT结束地址,判断是否越界
016C00A7 77 03 ja short 016C00AC
016C00A9 ^ EB EF jmp short 016C009A ; 如果在IAT里没找到就死循环
016C00AB C3 retn
016C00AC - EB FE jmp short 016C00AC ; 程序结束又一死循环
016C00AE 0000 add byte ptr ds:[eax],al
A1 C0 00 6C 01 8B 18 81 E3 FF FF FF 7F FF E3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 BF C0 00 6C 01 8B 07 8B 18 81 FB FF FF FF 7F 79 49 83 7D D4 FF 74 0F 8B 47 04 8B 1F 8B 1B 89
18 83 C0 04 89 47 04 8B 5D FC E8 46 00 00 00 B0 F7 66 B9 FF 15 3A 45 EF 74 05 66 81 C1 00 10 8B
07 8B 18 81 E3 FF FF FF 7F 83 C0 04 89 07 66 89 0B 83 C3 02 89 33 EB 88 90 90 90 8B 5D B4 E8 12
00 00 00 B0 F7 66 B9 FF 15 3A C2 74 D2 EB CB 00 00 00 00 00 00 BE 00 10 40 00 39 1E 74 0D 83 C6
04 81 FE 98 13 40 00 77 03 EB EF C3 EB FE 00 00
这样数据窗口的数据为:
016C0000 A1 C0 00 6C 01 8B 18 81 E3 FF FF FF 7F FF E3 00 ±.l?????
016C0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C0020 00 BF C0 00 6C 01 8B 07 8B 18 81 FB FF FF FF 7F .坷.l?????
016C0030 79 49 83 7D D4 FF 74 0F 8B 47 04 8B 1F 8B 1B 89 yI??t???
016C0040 18 83 C0 04 89 47 04 8B 5D FC E8 46 00 00 00 B0 ????F...
016C0050 F7 66 B9 FF 15 3A 45 EF 74 05 66 81 C1 00 10 8B 麈?:E雉f?.
016C0060 07 8B 18 81 E3 FF FF FF 7F 83 C0 04 89 07 66 89 ??????f
016C0070 0B 83 C3 02 89 33 EB 88 90 90 90 8B 5D B4 E8 12 ?????]磋
016C0080 00 00 00 B0 F7 66 B9 FF 15 3A C2 74 D2 EB CB 00 ...镑f?:卖译?
016C0090 00 00 00 00 00 BE 00 10 40 00 39 1E 74 0D 83 C6 .....?@.9t.?
016C00A0 04 81 FE 98 13 40 00 77 03 EB EF C3 EB FE 00 00 ??@.w腼秒?.
016C00B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C00C0 D0 00 6C 01 00 1E 6C 01 00 00 00 00 00 00 00 00 ?l`l........
016C00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
注意:016C00C0&016C00C4的地址需要手工填入值,一个用来指向地址表,一个用来存放下行被偷的API地址。
这里设为:016C00C0 D0 00 6C 01 00 1E 6C 01 00 00 00 00 00 00 00 00 ?l`l........
然后在016C00D0开始粘贴加密地址表的二进制:
016C00D0 92 32 40 00 98 32 40 00 9E 32 40 00 A4 32 40 00 ?@.?@.?@.?@.
016C00E0 AA 32 40 00 B0 32 40 00 B6 32 40 00 BC 32 40 00 ?@.?@.?@.?@.
016C00F0 C2 32 40 00 C8 32 40 00 CE 32 40 00 D4 32 40 00 ?@.?@.?@.?@.
...
016C1DA0 58 D8 4E 00 A9 DC 4E 00 86 DD 4E 00 63 DE 4E 00 X匚.┸N.?N.c尬.
016C1DB0 AE E2 4E 00 FA E2 4E 00 3E E3 4E 00 74 E3 4E 00 ?N.?N.>阄.t阄.
016C1DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C1DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C1DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C1DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
016C1E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
然后下3个函数出口的断点:
he 0127A7FF // b情况,FF15
he 0127A8B1 // b情况,FF25
he 0127B819 // a情况
在第一个地址的call 014F0000处即00403292新建eip,F9运行,遇到硬件断点就运行以下脚本:
mov eip,16C0021
run
地址表里有多少项就多少行,当然少些也没关系,多运行n次。
经过n长的等待,终于提示0000000地址不可读,说明全部修复完毕。
此时Ctrl+G到stolen oep处补上代码,上LordPE选择进程dump。
上ImportREC导出之前保存的IAT表修复。
在数据窗口看到可能被偷下一行代码的API地址:
016C1E00 7A DF 46 00 FC E7 46 00 51 EA 46 00 35 ED 46 00 z咂.?F.Q昶.5砥.
016C1E10 47 ED 46 00 26 EE 46 00 D9 F3 46 00 1E F5 46 00 G砥.&钇.袤F.跗.
016C1E20 56 F5 46 00 0B FD 46 00 C4 FD 46 00 1D 0A 47 00 V跗.?.凝F..G.
016C1E30 1C 0C 47 00 14 1D 47 00 2C 2D 47 00 49 34 47 00 .G.G.,-G.I4G.
016C1E40 3C 39 47 00 C0 3A 47 00 D7 C4 4A 00 76 CE 4A 00 <9G.?G.啄J.v问.
016C1E50 43 D6 4A 00 51 04 4B 00 EB 69 4B 00 CC A0 4B 00 C质.QK.腴K.踢K.
016C1E60 7C B0 4B 00 A1 76 4C 00 63 B0 4C 00 CB CF 4D 00 |八.■L.c疤.讼M.
016C1E70 8B D3 4D 00 89 EE 4D 00 C5 F7 4D 00 E7 01 4E 00 ?M.?M.坯M.?N.
016C1E80 3E E3 4E 00 00 00 00 00 00 00 00 00 00 00 00 00 >阄.............
6.API的下一行的Stolen code:8种情况的Stolen code
只有b情况才对下一行进行stolen code。
第2节分析AIP的分类位置,我们来到b情况处:
0127B4EF E8 64F1FFFF call 0127A658 ; b情况
跟进来到FF15或FF25的分型处:
0127A7DE 8845 CA mov byte ptr ss:[ebp-36],al
0127A7E1 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A7E4 8A40 4A mov al,byte ptr ds:[eax+4A]
0127A7E7 3A45 EF cmp al,byte ptr ss:[ebp-11] ; al的值决定是FF15还是FF25
0127A7EA 0F85 9C000000 jnz 0127A88C ; 不跳是FF15情况
0127A7F0 EB 01 jmp short 0127A7F3
再往下就是判断是否有偷下一行代码:
0127A969 837D D4 FF cmp dword ptr ss:[ebp-2C],-1 ; 如果为-1,正常,否则有偷下一行
0127A96D 74 33 je short 0127A9A2
0127A96F 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0127A972 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A975 E8 AAFCFFFF call 0127A624
0127A97A 8945 D8 mov dword ptr ss:[ebp-28],eax
0127A97D 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0127A980 50 push eax
0127A981 8B45 14 mov eax,dword ptr ss:[ebp+14]
0127A984 50 push eax
0127A985 8B45 10 mov eax,dword ptr ss:[ebp+10]
0127A988 50 push eax
0127A989 8B45 0C mov eax,dword ptr ss:[ebp+C]
0127A98C 50 push eax
0127A98D 8B45 08 mov eax,dword ptr ss:[ebp+8]
0127A990 50 push eax
0127A991 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0127A994 8B55 F0 mov edx,dword ptr ss:[ebp-10]
0127A997 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0127A99A E8 59000000 call 0127A9F8 ; 这里跟进
0127A99F EB 01 jmp short 0127A9A2
跟进call 0127A9F8进行分类,用了8段代码,模拟8种情况:
第1种:edx+4A的情况,模拟call xxxxxxxx;
第2种:edx+4B的情况,模拟jmp xxxxxxxx:
0127AA9B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AA9E 3A42 4A cmp al,byte ptr ds:[edx+4A] ; 第1种 call xxxxxxxx
0127AAA1 74 0B je short 0127AAAE
0127AAA3 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AAA6 3A42 4B cmp al,byte ptr ds:[edx+4B] ; 第2种 jmp xxxxxxxx
0127AAA9 75 3E jnz short 0127AAE9
0127AAAB EB 01 jmp short 0127AAAE
0127AAAE 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AAB1 8B9A E0000000 mov ebx,dword ptr ds:[edx+E0]
0127AAB7 035D EC add ebx,dword ptr ss:[ebp-14]
0127AABA 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AABD 035A 14 add ebx,dword ptr ds:[edx+14] ; ebx中的值是一个地址,如jmp xxxxx,call xxxxx
0127AAC0 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AAC3 3A42 4A cmp al,byte ptr ds:[edx+4A]
0127AAC6 0F85 A6020000 jnz 0127AD72 ; 如果是第2种jmp xxx,从这里跳走
0127AACC 836D FC 04 sub dword ptr ss:[ebp-4],4
0127AAD0 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AAD3 8B80 E0000000 mov eax,dword ptr ds:[eax+E0]
0127AAD9 0345 F0 add eax,dword ptr ss:[ebp-10]
0127AADC 0345 F4 add eax,dword ptr ss:[ebp-C]
0127AADF 8B55 FC mov edx,dword ptr ss:[ebp-4]
0127AAE2 8902 mov dword ptr ds:[edx],eax
0127AAE4 E9 89020000 jmp 0127AD72
第3种:edx+4F的情况,模拟add x,n
0127AAE9 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AAEC 3A42 4F cmp al,byte ptr ds:[edx+4F] ; 第3种,add x,n
0127AAEF 75 6F jnz short 0127AB60
0127AAF1 33C0 xor eax,eax
0127AAF3 8A46 05 mov al,byte ptr ds:[esi+5]
0127AAF6 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AAF9 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AAFC 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AB00 8BC3 mov eax,ebx
0127AB02 FFD2 call edx //(x) 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127AB04 8845 EB mov byte ptr ss:[ebp-15],al
0127AB07 EB 01 jmp short 0127AB0A
0127AB0A 33C0 xor eax,eax
0127AB0C 8A46 07 mov al,byte ptr ds:[esi+7]
0127AB0F 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AB12 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AB15 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AB19 8BC3 mov eax,ebx
0127AB1B FFD2 call edx //返回值是n
0127AB1D 8BD8 mov ebx,eax
0127AB1F EB 01 jmp short 0127AB22
第4种:edx+50的情况,模拟MOV xxx1,xxx2
0127AB60 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AB63 3A42 50 cmp al,byte ptr ds:[edx+50] ; 第4种,mov xxx1,xxx2
0127AB66 75 63 jnz short 0127ABCB
0127AB68 33C0 xor eax,eax
0127AB6A 8A46 05 mov al,byte ptr ds:[esi+5]
0127AB6D 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AB70 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AB73 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AB77 8BC3 mov eax,ebx
0127AB79 FFD2 call edx //0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi(xxx1)
0127AB7B 8845 EB mov byte ptr ss:[ebp-15],al
0127AB7E EB 01 jmp short 0127AB81
0127AB81 33C0 xor eax,eax
0127AB83 8A46 06 mov al,byte ptr ds:[esi+6]
0127AB86 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AB89 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AB8C 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AB90 8BC3 mov eax,ebx
0127AB92 FFD2 call edx //0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi(xxx2)
0127AB94 8845 EA mov byte ptr ss:[ebp-16],al
0127AB97 8A4D EA mov cl,byte ptr ss:[ebp-16]
0127AB9A 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127AB9D 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127ABA0 E8 3B020000 call 0127ADE0
0127ABA5 EB 01 jmp short 0127ABA8
第5种情况:edx+51的情况,模拟MOV [n],xxx1
0127ABCB 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127ABCE 3A42 51 cmp al,byte ptr ds:[edx+51] ; 第5种情况,mov [n],xxx1
0127ABD1 75 5E jnz short 0127AC31
0127ABD3 EB 01 jmp short 0127ABD6
0127ABD6 33C0 xor eax,eax
0127ABD8 8A46 05 mov al,byte ptr ds:[esi+5]
0127ABDB 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127ABDE 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127ABE1 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127ABE5 8BC3 mov eax,ebx
0127ABE7 FFD2 call edx //(xxx1)0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127ABE9 8845 EB mov byte ptr ss:[ebp-15],al
0127ABEC EB 01 jmp short 0127ABEF
0127ABEF 33C0 xor eax,eax
0127ABF1 8A46 07 mov al,byte ptr ds:[esi+7]
0127ABF4 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127ABF7 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127ABFA 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127ABFE 8BC3 mov eax,ebx
0127AC00 FFD2 call edx
0127AC02 8BD8 mov ebx,eax
0127AC04 8A4D EB mov cl,byte ptr ss:[ebp-15]
0127AC07 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127AC0A 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AC0D E8 CE010000 call 0127ADE0
0127AC12 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AC15 035A 14 add ebx,dword ptr ds:[edx+14] // <-ebx==n
0127AC18 8903 mov dword ptr ds:[ebx],eax
0127AC1A EB 01 jmp short 0127AC1D
第6种情况:edx+52的情况,模拟 mov [x+n],y
0127AC31 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AC34 3A42 52 cmp al,byte ptr ds:[edx+52] ; 第6种情况,mov [x+n],y
0127AC37 0F85 80000000 jnz 0127ACBD
0127AC3D EB 01 jmp short 0127AC40
0127AC40 33C0 xor eax,eax
0127AC42 8A46 05 mov al,byte ptr ds:[esi+5]
0127AC45 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AC48 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AC4B 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AC4F 8BC3 mov eax,ebx
0127AC51 FFD2 call edx // (X) 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127AC53 8845 EB mov byte ptr ss:[ebp-15],al
0127AC56 33C0 xor eax,eax
0127AC58 8A46 06 mov al,byte ptr ds:[esi+6]
0127AC5B 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AC5E 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AC61 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AC65 8BC3 mov eax,ebx
0127AC67 FFD2 call edx // (Y) 0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127AC69 8845 EA mov byte ptr ss:[ebp-16],al
0127AC6C EB 01 jmp short 0127AC6F
0127AC6F 33C0 xor eax,eax
0127AC71 8A46 07 mov al,byte ptr ds:[esi+7]
0127AC74 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127AC77 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AC7A 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127AC7E 8BC3 mov eax,ebx
0127AC80 FFD2 call edx //常数n
0127AC82 8BD8 mov ebx,eax
0127AC84 8A4D EB mov cl,byte ptr ss:[ebp-15]
0127AC87 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127AC8A 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AC8D E8 4E010000 call 0127ADE0
0127AC92 8BF0 mov esi,eax
0127AC94 8A4D EA mov cl,byte ptr ss:[ebp-16]
0127AC97 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127AC9A 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AC9D E8 3E010000 call 0127ADE0
0127ACA2 03F3 add esi,ebx
0127ACA4 8906 mov dword ptr ds:[esi],eax
0127ACA6 EB 01 jmp short 0127ACA9
第7种情况:edx+4C的情况,模拟: CMP x,y;jxx n
0127ACBD 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127ACC0 3A42 4C cmp al,byte ptr ds:[edx+4C] ; 第7种情况,CMP x,y;jxx n
0127ACC3 75 67 jnz short 0127AD2C
0127ACC5 EB 01 jmp short 0127ACC8
0127ACC8 8BCB mov ecx,ebx
0127ACCA 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127ACCD 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127ACD0 E8 E7F6FFFF call 0127A3BC ; 这里进入
----------------------------------------------------
0127A3EF 33C0 xor eax,eax
0127A3F1 8A46 07 mov al,byte ptr ds:[esi+7]
0127A3F4 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127A3F7 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127A3FB 8BC7 mov eax,edi
0127A3FD FFD2 call edx
0127A3FF 8945 F8 mov dword ptr ss:[ebp-8],eax
0127A402 33C0 xor eax,eax
0127A404 8A46 05 mov al,byte ptr ds:[esi+5]
0127A407 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127A40A 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127A40E 8BC7 mov eax,edi
0127A410 FFD2 call edx ; (x)0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127A412 8BD0 mov edx,eax
0127A414 80EA 08 sub dl,8
0127A417 0F92C2 setb dl
0127A41A 80FA 01 cmp dl,1
0127A41D 75 0F jnz short 0127A42E
0127A41F 8BC8 mov ecx,eax
0127A421 8B55 FC mov edx,dword ptr ss:[ebp-4]
0127A424 8BC3 mov eax,ebx
0127A426 E8 B5090000 call 0127ADE0
0127A42B 8945 EC mov dword ptr ss:[ebp-14],eax
0127A42E 33C0 xor eax,eax
0127A430 8A46 09 mov al,byte ptr ds:[esi+9]
0127A433 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127A436 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127A43A 8BC7 mov eax,edi
0127A43C FFD2 call edx
0127A43E 8845 F3 mov byte ptr ss:[ebp-D],al
0127A441 EB 01 jmp short 0127A444
0127A444 33C0 xor eax,eax
0127A446 8A46 08 mov al,byte ptr ds:[esi+8]
0127A449 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127A44C 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127A450 8BC7 mov eax,edi
0127A452 FFD2 call edx ; 如果是cmp x,n情况,此处返回常数n,否则为0
0127A454 8945 F4 mov dword ptr ss:[ebp-C],eax
0127A457 33C0 xor eax,eax
0127A459 8A46 06 mov al,byte ptr ds:[esi+6]
0127A45C 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127A45F 8B5483 68 mov edx,dword ptr ds:[ebx+eax*4+68]
0127A463 8BC7 mov eax,edi
0127A465 FFD2 call edx ; (y)0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
0127A467 8BD0 mov edx,eax
0127A469 80EA 08 sub dl,8
0127A46C 0F92C2 setb dl
0127A46F 80FA 01 cmp dl,1
0127A472 75 12 jnz short 0127A486
----------------------------------------------------
0127ACD5 8945 14 mov dword ptr ss:[ebp+14],eax
0127ACD8 EB 01 jmp short 0127ACDB
0127ACDB 33C0 xor eax,eax
0127ACDD 8A46 04 mov al,byte ptr ds:[esi+4]
0127ACE0 8D0440 lea eax,dword ptr ds:[eax+eax*2]
0127ACE3 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127ACE6 8B5482 68 mov edx,dword ptr ds:[edx+eax*4+68]
0127ACEA 8BC3 mov eax,ebx
0127ACEC FFD2 call edx ; 跳转类型,如是机器码是74则返回4,如是75则返回5,依次类推
0127ACEE 8BD8 mov ebx,eax
0127ACF0 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0127ACF3 8BD3 mov edx,ebx
0127ACF5 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127ACF8 E8 57F4FFFF call 0127A154
0127ACFD 84C0 test al,al
0127ACFF 74 1A je short 0127AD1B ; al=0,跳转未实现;1,跳转实现
0127AD01 EB 01 jmp short 0127AD04
0127AD04 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AD07 8B98 E0000000 mov ebx,dword ptr ds:[eax+E0]
0127AD0D 035D EC add ebx,dword ptr ss:[ebp-14]
0127AD10 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AD13 0358 14 add ebx,dword ptr ds:[eax+14] ; 跳转实现的地址
0127AD16 EB 5A jmp short 0127AD72
0127AD1B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AD1E 8B98 E0000000 mov ebx,dword ptr ds:[eax+E0]
0127AD24 035D F0 add ebx,dword ptr ss:[ebp-10]
0127AD27 035D F4 add ebx,dword ptr ss:[ebp-C] ; 跳转未实现的地址
0127AD2A EB 46 jmp short 0127AD72
第8种情况:edx+4D的情况,模拟:CMP x,y
0127AD2C 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0127AD2F 3A42 4D cmp al,byte ptr ds:[edx+4D]
0127AD32 75 27 jnz short 0127AD5B
0127AD34 EB 01 jmp short 0127AD37
0127AD37 8BCB mov ecx,ebx
0127AD39 8B55 10 mov edx,dword ptr ss:[ebp+10]
0127AD3C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0127AD3F E8 78F6FFFF call 0127A3BC // 这里进入,与第7种情况一样
0127AD44 8945 14 mov dword ptr ss:[ebp+14],eax
0127AD47 EB 01 jmp short 0127AD4A
7.自校验:
本来想在各个stolen code的api函数地址新建eip来恢复code,发现会异常,只好从脱壳修复后的程序入手。
在各个stolen code的函数地址下断,载入脱壳修复后程序,F9运行,只有004AD643断下,但是跟踪原程序发现这个没有被偷,取消断点,继续F9,程序出错,Runtime 6,确认后over。
估计是自校验。所以先搞定自校验。
载入脱壳修复后的程序步步跟进,当然是在code的范围内,从004AD643断下的位置开始F8步进,如果是其他区段略过。
只允许一个进程:
004940A4 66:399D 84FEFFFF cmp word ptr ss:[ebp-17C],bx
004940AB 0F84 6A010000 je dumped-x.0049421B
如果不跳提示:已经在运行了,你还点?
00494147 FF15 F4104000 call dword ptr ds:[<&msvbvm60.rtcMsgBox>]
文件大小校验:
004C0312 52 push edx
004C0313 FF15 E0124000 call dword ptr ds:[<&msvbvm60.rtcFileLen>]
004C0319 3D F4600A00 cmp eax,0A60F4 //原程序这里eax=00078E00
004C031E 7E 36 jle short dumped-x.004C0356
004C0356 2D F4600A00 sub eax,0A60F4 ; 这里参与计算
004C035B B9 01000000 mov ecx,1
004C0360 0F80 A6000000 jo dumped-x.004C040C
004C0366 2BC8 sub ecx,eax
004C0368 0F80 9E000000 jo dumped-x.004C040C
004C036E 898D 78FFFFFF mov dword ptr ss:[ebp-88],ecx
好像文件长度有参与运算,不管,修改它:
004C0313 FF15 E0124000 call dword ptr ds:[<&msvbvm60.rtcFileLen>]
004C0319 B8 008E0700 mov eax,78E00
004C031E EB 36 jmp short dumped-x.004C0356
8.API下一行Stolen code的恢复:
解决自校验后上脱壳后程序跑,然后根据第5节获得的Stolen code地址,在各个地址下断,在哪断下就跑原程序恢复。
从程序启动到点击各个功能模块,只能解决十几个而已,剩下的应该是未注册或者其他原因没能走过。所以只好根据上下文及参考程序相同模块的使用搞定。
再复习一下AIP的分型情况:
a,b情况的分型:
0127B4AA 3C 01 cmp al,1 ; eax为1则是a情况
0127B4AC 75 25 jnz short 0127B4D3 ; eax为0则是b情况
是否有stolen code:
0127A969 837D D4 FF cmp dword ptr ss:[ebp-2C],-1 ; 如果为-1,正常,否则有偷下一行
stolen code的分型:
0127AA9E 3A42 4A cmp al,byte ptr ds:[edx+4A] ; 从这里开始分型
下一行code需要恢复的所有API地址:根据第5节来的
总共33个地址:
016C1E00 0046DF7A fjTC225.0046DF7A // 第9个,mov ebx,eax
016C1E04 0046E7FC fjTC225.0046E7FC // 第3个,add esp,0C
016C1E08 0046EA51 fjTC225.0046EA51 // 第4个,add esp,0C
016C1E0C 0046ED35 fjTC225.0046ED35 // 第16个,mov edx,eax
016C1E10 0046ED47 fjTC225.0046ED47 // 第17个,mov edx,eax
016C1E14 0046EE26 fjTC225.0046EE26 // 第18个,add esp,0c
016C1E18 0046F3D9 fjTC225.0046F3D9 // 第19个,mov dword ptr ss:[ebp-14C],eax
016C1E1C 0046F51E fjTC225.0046F51E // 第20个,mov dword ptr ss:[ebp-154],eax
016C1E20 0046F556 fjTC225.0046F556 // 第21个,add esp,0C
016C1E24 0046FD0B fjTC225.0046FD0B // 第22个,mov ecx,eax
016C1E28 0046FDC4 fjTC225.0046FDC4 // 第23个,add esp,0c
016C1E2C 00470A1D fjTC225.00470A1D // 第24个,mov dword ptr ss:[ebp-214],eax
016C1E30 00470C1C fjTC225.00470C1C // 第10个,mov edx,eax
016C1E34 00471D14 fjTC225.00471D14 // 第14个,mov edx,eax
016C1E38 00472D2C fjTC225.00472D2C // 第13个,add esp,0C
016C1E3C 00473449 fjTC225.00473449 // 第25个,add esp,14
016C1E40 0047393C fjTC225.0047393C // 第11个,add esp,0c
016C1E44 00473AC0 fjTC225.00473AC0 // 第12个,mov edx,eax
016C1E48 004AC4D7 fjTC225.004AC4D7 // 第26个,add esp,10
016C1E4C 004ACE76 fjTC225.004ACE76 // 第15处,add esp,24
016C1E50 004AD643 fjTC225.004AD643 // 第1个,这个没有偷
016C1E54 004B0451 fjTC225.004B0451 // 第27个,没搞定
016C1E58 004B69EB fjTC225.004B69EB // 第5个,其实没偷
016C1E5C 004BA0CC fjTC225.004BA0CC // 第28个,add esp,14
016C1E60 004BB07C fjTC225.004BB07C // 第2个,mov edx,eax
016C1E64 004C76A1 fjTC225.004C76A1 // 第29个,mov edx,eax
016C1E68 004CB063 fjTC225.004CB063 // 第30个,mov dword ptr ss:[ebp-230],eax
016C1E6C 004DCFCB fjTC225.004DCFCB // 第6个,mov edx,eax
016C1E70 004DD38B fjTC225.004DD38B // 第8个,add esp,0c
016C1E74 004DEE89 fjTC225.004DEE89 // 第31个,add esp,40
016C1E78 004DF7C5 fjTC225.004DF7C5 // 第32个,add esp,0C
016C1E7C 004E01E7 fjTC225.004E01E7 // 第33个,add esp,14
016C1E80 004EE33E fjTC225.004EE33E // 第7个,jmp 004E8F82
下面就是恢复代码前后对比:
程序启动相关:
第1处:并没有真正的偷
004AD643 FF15 A4104000 call dword ptr ds:[<&msvbvm60.__vbaSetSystemError>]
004AD649 8BC6 mov eax,esi
004AD64B 5E pop esi
004AD64C C2 1000 retn 10
第2处:解决自校验后停住
004BB07C FF15 44104000 call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]
004BB082 3A55 B9 cmp dl,byte ptr ss:[ebp-47] // 下面被变形了
004BB085 F4 hlt
004BB086 004F 00 add byte ptr ds:[edi],cl
004BB089 FFD3 call ebx
004BB07C FF15 44104000 call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]
004BB082 8BD0 mov edx,eax
004BB084 B9 F4004F00 mov ecx,dumped-x.004F00F4
004BB089 FFD3 call ebx
第3处:程序启动相关
0046E7FC FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046E802 2C A3 sub al,0A3
0046E804 55 push ebp
0046E805 B9 02000000 mov ecx,2
0046E80A 8BD4 mov edx,esp
0046E80C B8 C0030000 mov eax,3C0
0046E7FC FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046E802 83C4 0C add esp,0C
0046E805 B9 02000000 mov ecx,2
0046E80A 8BD4 mov edx,esp
0046E80C B8 C0030000 mov eax,3C0
第4处:程序启动相关
0046EA51 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046EA57 6F outs dx,dword ptr es:[edi]
0046EA58 DCA1 B9030000 fsub qword ptr ds:[ecx+3B9]
0046EA5E 008B D4894DB0 add byte ptr ds:[ebx+B04D89D4],cl
0046EA64 B8 02000000 mov eax,2
0046EA69 890A mov dword ptr ds:[edx],ecx
0046EA51 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046EA57 83C4 0C add esp,0C
0046EA5A B9 03000000 mov ecx,3
0046EA5F 8BD4 mov edx,esp
0046EA61 894D B0 mov dword ptr ss:[ebp-50],ecx
0046EA64 B8 02000000 mov eax,2
0046EA69 890A mov dword ptr ds:[edx],ecx
第5处:程序启动相关
004B69EB FF15 A4104000 call dword ptr ds:[<&msvbvm60.__vbaSetSystemError>]
004B69F1 83C7 34 add edi,34
004B69F4 0F80 33090000 jo dumped-x.004B732D
004B69FA 3BFB cmp edi,ebx
004B69FC ^ 0F8C 39FFFFFF jl dumped-x.004B693B // 这个循环
虽然跟踪原程序这里的确走stolen code的路,为mov eax,esi,但是修改后一直走不出这个循环,如果不修改,程序加载成功。
注册相关:
第6处:点击注册按钮断下
004DCFCB FF15 44104000 call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]
004DCFD1 E8 2F8D4DD8 call D89B5D05
004DCFD6 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
004DCFCB FF15 44104000 call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]
004DCFD1 8BD0 mov edx,eax
004DCFD3 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004DCFD6 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
第7处:注册相关
004EE33E FF15 7C134000 call dword ptr ds:[<&msvbvm60.__vbaVarForNext>]
004EE344 B9 70CC46A3 mov ecx,A346CC70
004EE349 8B55 10 mov edx,dword ptr ss:[ebp+10]
004EE34C 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-168]
004EE33E FF15 7C134000 call dword ptr ds:[<&msvbvm60.__vbaVarForNext>]
004EE344 ^ E9 39ACFFFF jmp dumped-x.004E8F82
004EE349 8B55 10 mov edx,dword ptr ss:[ebp+10]
004EE34C 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-168]
第8处:注册相关
004DD38B FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004DD391 43 inc ebx
004DD392 98 cwde
004DD393 CB retf
004DD394 C745 FC 10000000 mov dword ptr ss:[ebp-4],10
004DD38B FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004DD391 83C4 0C add esp,0C
004DD394 C745 FC 10000000 mov dword ptr ss:[ebp-4],10
功能相关:
第9处:过滤条件>>缩水选项
0046DF7A FF15 EC104000 call dword ptr ds:[<&msvbvm60.__vbaObjSet>]
0046DF80 1C 93 sbb al,93
0046DF82 6A FF push -1
0046DF84 53 push ebx
0046DF85 8B03 mov eax,dword ptr ds:[ebx]
0046DF7A FF15 EC104000 call dword ptr ds:[<&msvbvm60.__vbaObjSet>]
0046DF80 8BD8 mov ebx,eax
0046DF82 6A FF push -1
0046DF84 53 push ebx
0046DF85 8B03 mov eax,dword ptr ds:[ebx]
第10处:投注号码>>过滤缩水
00470C1C FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
00470C22 5C pop esp
00470C23 C2 8D4D retn 4D8D
00470C26 8CFF mov di,seg?
00470C28 15 50134000 adc eax,<&msvbvm60.__vbaStrMove>
00470C2D 50 push eax
00470C2E FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
00470C1C FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
00470C22 8BD0 mov edx,eax
00470C24 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00470C27 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
00470C2D 50 push eax
00470C2E FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
第11处:投注号码>>过滤缩水
选号:11 03 09 12 19(选择其他选号竟然不能断下)
0047393C FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
00473942 47 inc edi
00473943 82CD 8D or ch,FFFFFF8D
00473946 4D dec ebp
00473947 B4 FF mov ah,0FF
00473949 15 2C104000 adc eax,<&msvbvm60.__vbaFreeVar>
0047394E 8B4D EC mov ecx,dword ptr ss:[ebp-14]
0047393C FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
00473942 83C4 0C add esp,0C
00473945 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00473948 FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>]
0047394E 8B4D EC mov ecx,dword ptr ss:[ebp-14]
第12处:投注号码>>过滤缩水,选号:11 03 09 12 19
00473AC0 FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
00473AC6 08F1 or cl,dh
00473AC8 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00473AC0 FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
00473AC6 8BD0 mov edx,eax
00473AC8 8D4D CC lea ecx,dword ptr ss:[ebp-34]
第13处:投注号码>>过滤缩水,选号:11 03 09 12 19
00472D2C FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
00472D32 C3 retn
00472D33 66:46 inc si
00472D35 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00472D2C FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
00472D32 83C4 0C add esp,0C
00472D35 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
第14处:投注号码>>过滤缩水,选号:11 03 09 12 19
00471D14 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
00471D1A 28E6 sub dh,ah
00471D1C 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00471D14 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
00471D1A 8BC6 mov edx,eax
00471D1C 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
退出:
第15处:
004ACE76 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
004ACE7C A7 cmps dword ptr ds:[esi],dword ptr es:[edi]
004ACE7D 52 push edx
004ACE7E F2: prefix repne:
004ACE7F 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004ACE82 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
004ACE76 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
004ACE7C 83C4 24 add esp,24
004ACE7F 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004ACE82 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
剩下的都是推测的:
第16处:mov edx,eax
0046ED35 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
0046ED3B F2:64: prefix repne:
0046ED3D 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0046ED40 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0046ED35 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>]
0046ED3B 8BD0 mov edx,eax
0046ED3D 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0046ED40 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
第17处:估计跟注册标志有关,mov edx,eax
0046ED47 FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
0046ED4D 50 push eax
0046ED4E 848D 4DA4FF15 test byte ptr ss:[ebp+15FFA44D],cl
0046ED54 50 push eax
0046ED55 1340 00 adc eax,dword ptr ds:[eax]
0046ED58 50 push eax
0046ED59 68 3C104400 push dumped-x.0044103C ; UNICODE " order by "
0046ED5E FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
0046ED47 FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
0046ED4D 8BD0 mov edx,eax
0046ED4F 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0046ED52 FF15 50134000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0046ED58 50 push eax
0046ED59 68 3C104400 push dumped-x.0044103C ; UNICODE " order by "
0046ED5E FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
第18处:add esp,0c
0046EE26 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
0046EE2C 0F33 rdpmc
0046EE2E D28D 4D8CFF15 ror byte ptr ss:[ebp+15FF8C4D],cl
0046EE34 2C 10 sub al,10
0046EE36 40 inc eax
0046EE37 00C7 add bh,al
0046EE39 45 inc ebp
0046EE3A FC cld
0046EE3B 04 00 add al,0
0046EE3D 0000 add byte ptr ds:[eax],al
0046EE3F 837D D0 00 cmp dword ptr ss:[ebp-30],0
0046EE43 75 1A jnz short dumped-x.0046EE5F
0046EE04 FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
0046EE0A 8985 F4FEFFFF mov dword ptr ss:[ebp-10C],eax
0046EE10 EB 0A jmp short dumped-x.0046EE1C
0046EE12 C785 F4FEFFFF 000000>mov dword ptr ss:[ebp-10C],0
0046EE1C 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0046EE1F 50 push eax
0046EE20 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0046EE23 51 push ecx
0046EE24 6A 02 push 2
0046EE26 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
0046EE2C 83C4 0C add esp,0C // 上面3个push
0046EE2F 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
0046EE32 FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>]
0046EE38 C745 FC 04000000 mov dword ptr ss:[ebp-4],4
0046EE3F 837D D0 00 cmp dword ptr ss:[ebp-30],0
0046EE43 75 1A jnz short dumped-x.0046EE5F
这里根据堆栈平衡原理,0046EE26处的call上面有3个push,因此add esp,0c。
第19处:mov dword ptr ss:[ebp-14C],eax
0046F3D9 FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
0046F3DF 82E7 B7 and bh,FFFFFFB7
0046F3E2 48 dec eax
0046F3E3 AF scas dword ptr es:[edi]
0046F3E4 0BEB or ebp,ebx
0046F3E6 0AC7 or al,bh
0046F3E8 85B4FE FFFF0000 test dword ptr ds:[esi+edi*8+FFFF],esi
0046F3EF 0000 add byte ptr ds:[eax],al
0046F3F1 8B55 9C mov edx,dword ptr ss:[ebp-64]
0046F3F4 8995 30FFFFFF mov dword ptr ss:[ebp-D0],edx
0046F3FA 8D45 8C lea eax,dword ptr ss:[ebp-74]
0046F3D9 FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
0046F3DF 8985 B4FEFFFF mov dword ptr ss:[ebp-14C],eax
0046F3E5 EB 0A jmp short dumped-x.0046F3F1
0046F3E7 C785 B4FEFFFF 000000>mov dword ptr ss:[ebp-14C],0
0046F3F1 8B55 9C mov edx,dword ptr ss:[ebp-64]
0046F3F4 8995 30FFFFFF mov dword ptr ss:[ebp-D0],edx
0046F3FA 8D45 8C lea eax,dword ptr ss:[ebp-74]
这个是参考程序其他地方的值,都是类似的:
call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
mov dword ptr ss:[ebp-xxx],eax
jmp short xxxxxxxx
mov dword ptr ss:[ebp-xxx],0 // 根据这里的地址推测的
第20处:mov dword ptr ss:[ebp-154],eax
0046F51E FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
0046F524 4F dec edi
0046F525 AB stos dword ptr es:[edi]
0046F526 C5D0 lds edx,eax
0046F528 8EE9 mov gs,cx
0046F52A EB 0A jmp short dumped-x.0046F536
0046F52C C785 ACFEFFFF 000000>mov dword ptr ss:[ebp-154],0
0046F51E FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
0046F524 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
0046F52A EB 0A jmp short dumped-x.0046F536
0046F52C C785 ACFEFFFF 000000>mov dword ptr ss:[ebp-154],0
第21处:add esp,0C
0046F556 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046F55C ^ E3 E8 jecxz short dumped-x.0046F546
0046F55E C3 retn
0046F55F C745 FC 0E000000 mov dword ptr ss:[ebp-4],0E
0046F566 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0046F569 83C2 01 add edx,1
0046F56C 0F80 78150000 jo dumped-x.00470AEA
0046F556 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046F55C 83C4 0C add esp,0C // 上面3个push
0046F55F C745 FC 0E000000 mov dword ptr ss:[ebp-4],0E
0046F566 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
0046F569 83C2 01 add edx,1
0046F56C 0F80 78150000 jo dumped-x.00470AEA
第22处:mov ecx,eax
0046FD0B FF15 04134000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>]
0046FD11 B8 82B81000 mov eax,10B882
0046FD16 0000 add byte ptr ds:[eax],al
0046FD18 E8 6335F9FF call <jmp.&msvbvm60.__vbaChkstk>
0046FD1D 8BD4 mov edx,esp
0046FD1F 8B01 mov eax,dword ptr ds:[ecx]
0046FD21 8902 mov dword ptr ds:[edx],eax
0046FD23 8B41 04 mov eax,dword ptr ds:[ecx+4]
0046FD26 8942 04 mov dword ptr ds:[edx+4],eax
0046FD29 8B41 08 mov eax,dword ptr ds:[ecx+8]
0046FD0B FF15 04134000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>]
0046FD11 8BC8 mov ecx,eax
0046FD13 B8 10000000 mov eax,10
0046FD18 E8 6335F9FF call <jmp.&msvbvm60.__vbaChkstk>
这个参考程序另一处:
0046F487 FF15 04134000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>]
0046F48D 8BC8 mov ecx,eax
0046F48F B8 10000000 mov eax,10
0046F494 E8 E73DF9FF call <jmp.&msvbvm60.__vbaChkstk>
第23处:mov dword ptr ss:[ebp-198],eax
0046FDC4 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
0046FDCA 43 inc ebx
0046FDCB 36:B1 8D mov cl,8D
0046FDCE 857CFF FF test dword ptr ds:[edi+edi*8-1],edi
0046FDD2 FF50 8D call dword ptr ds:[eax-73]
0046FDD5 4D dec ebp
0046FDD6 8C51 6A mov word ptr ds:[ecx+6A],ss
0046FDD9 02FF add bh,bh
0046FDDB 15 4C104000 adc eax,<&msvbvm60.__vbaFreeVarList>
0046FDE0 83C4 0C add esp,0C
0046FDE3 C745 FC 1A000000 mov dword ptr ss:[ebp-4],1A
0046FDEA 837D D0 00 cmp dword ptr ss:[ebp-30],0
0046FDEE 75 1A jnz short dumped-x.0046FE0A
0046FDC4 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
0046FDCA 83C4 0C add esp,0C // 上面3个push
0046FDCD 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
0046FDD3 50 push eax
0046FDD4 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
0046FDD7 51 push ecx
0046FDD8 6A 02 push 2
0046FDDA FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0046FDE0 83C4 0C add esp,0C
0046FDE3 C745 FC 1A000000 mov dword ptr ss:[ebp-4],1A
0046FDEA 837D D0 00 cmp dword ptr ss:[ebp-30],0
0046FDEE 75 1A jnz short dumped-x.0046FE0A
第24处:mov dword ptr ss:[ebp-214],eax
00470A1D FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
00470A23 16 push ss
00470A24 6E outs dx,byte ptr es:[edi]
00470A25 ^ 77 87 ja short dumped-x.004709AE
00470A27 6E outs dx,byte ptr es:[edi]
00470A28 BB EB0AC785 mov ebx,85C70AEB
00470A2D EC in al,dx
00470A2E FD std
00470A2F FFFF ???
00470A31 0000 add byte ptr ds:[eax],al
00470A33 0000 add byte ptr ds:[eax],al
00470A35 C745 FC 3C000000 mov dword ptr ss:[ebp-4],3C
00470A3C 68 B0104400 push dumped-x.004410B0
00470A41 6A 00 push 0
00470A43 FF15 4C134000 call dword ptr ds:[<&msvbvm60.__vbaCastObj>]
00470A1D FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
00470A23 8985 ECFDFFFF mov dword ptr ss:[ebp-214],eax
00470A29 EB 0A jmp short dumped-x.00470A35
00470A2B C785 ECFDFFFF 000000>mov dword ptr ss:[ebp-214],0
00470A35 C745 FC 3C000000 mov dword ptr ss:[ebp-4],3C
00470A3C 68 B0104400 push dumped-x.004410B0
00470A41 6A 00 push 0
00470A43 FF15 4C134000 call dword ptr ds:[<&msvbvm60.__vbaCastObj>]
第25处: add esp,14
00473449 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0047344F 8347 82 C3 add dword ptr ds:[edi-7E],-3D
00473453 8B35 8C134000 mov esi,dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
00473459 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0047345C FFD6 call esi
0047345E 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00473461 FFD6 call esi
00473463 C3 retn
00473449 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0047344F 83C4 14 add esp,14 // 上面5个push
00473452 C3 retn
00473453 8B35 8C134000 mov esi,dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
00473459 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0047345C FFD6 call esi
0047345E 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00473461 FFD6 call esi
00473463 C3 retn
第26处:add esp,10
004AC4D7 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004AC4DD 86A1 696822C5 xchg byte ptr ds:[ecx+C5226869],ah
004AC4E3 4A dec edx
004AC4E4 00EB add bl,ch
004AC4E6 2A8D 4DE4FF15 sub cl,byte ptr ss:[ebp+15FFE44D]
004AC4EC 90 nop
004AC4ED 1340 00 adc eax,dword ptr ds:[eax]
004AC4F0 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004AC4F3 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
004AC4D7 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004AC4DD 83C4 10 add esp,10 // 上面4个push
004AC4E0 68 22C54A00 push dumped-x.004AC522
004AC4E5 EB 2A jmp short dumped-x.004AC511
004AC4E7 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004AC4EA FF15 90134000 call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004AC4F0 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004AC4F3 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
第27处:没搞定
004B0451 FF15 90134000 call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004B0457 42 inc edx
004B0458 37 aaa
004B0459 ^ 74 EB je short dumped-x.004B0446
004B045B 46 inc esi
004B045C 8B46 7C mov eax,dword ptr ds:[esi+7C]
004B045F 85C0 test eax,eax
004B0461 74 24 je short dumped-x.004B0487
004B044E 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004B0451 FF15 90134000 call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004B0457 83EC 10 sub esp,10
004B045A EB 46 jmp short dumped-x.004B04A2
004B045C 8B46 7C mov eax,dword ptr ds:[esi+7C]
004B045F 85C0 test eax,eax
004B0461 74 24 je short dumped-x.004B0487
参考:
004923AD 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004923B0 FF15 90134000 call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004923B6 83EC 10 sub esp,10
第28处: add esp,14
004BA0CC FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004BA0D2 EA 4AB4C38B 3590 jmp far 9035:8BC3B44A
004BA0D9 1340 00 adc eax,dword ptr ds:[eax]
004BA0DC 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004BA0DF FFD6 call esi
004BA0E1 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004BA0E4 FFD6 call esi
004BA0E6 C3 retn
004BA0CC FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
004BA0D2 83C4 14 add esp,14 // 上面5个push
004BA0D5 C3 retn
004BA0D6 8B35 90134000 mov esi,dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004BA0DC 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004BA0DF FFD6 call esi
004BA0E1 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004BA0E4 FFD6 call esi
004BA0E6 C3 retn
第29处:mov edx,eax
004C76A1 FF15 0C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI2>]
004C76A7 0C BA or al,0BA
004C76A9 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004C76AC FFD6 call esi
004C76AE 50 push eax
004C76AF FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
004C76A1 FF15 0C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI2>]
004C76A7 8BD0 mov edx,eax
004C76A9 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004C76AC FFD6 call esi
004C76AE 50 push eax
004C76AF FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
参考:
00498335 FF15 0C104000 call dword ptr ds:[<&msvbvm60.__vbaStrI2>]
0049833B 8BD0 mov edx,eax
0049833D 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00498340 FFD6 call esi
00498342 50 push eax
00498343 FF15 94104000 call dword ptr ds:[<&msvbvm60.__vbaStrCat>]
第30处: mov dword ptr ss:[ebp-230],eax
004CB063 FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
004CB069 03BE 1964F857 add edi,dword ptr ds:[esi+57F86419]
004CB06F EB 0A jmp short dumped-x.004CB07B
004CB071 C785 D0FDFFFF 000000>mov dword ptr ss:[ebp-230],0
004CB063 FF15 AC104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckObj>]
004CB069 8985 D0FDFFFF mov dword ptr ss:[ebp-230],eax
004CB06F EB 0A jmp short dumped-x.004CB07B
004CB071 C785 D0FDFFFF 000000>mov dword ptr ss:[ebp-230],0
第31处:add esp,40
004DEE89 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
004DEE8F 5B pop ebx
004DEE90 B8 458D4DAC mov eax,AC4D8D45
004DEE95 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
004DEE9B C3 retn
004DEE89 FF15 C4124000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
004DEE8F 83C4 40 add esp,40 // 上面16个push
004DEE92 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004DEE95 FF15 8C134000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
004DEE9B C3 retn
第32处:add esp,0C
004DF7C5 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
004DF7CB C5D1 lds edx,ecx
004DF7CD 4D dec ebp
004DF7CE 66:39BD 68FFFFFF cmp word ptr ss:[ebp-98],di
004DF7D5 74 0A je short dumped-x.004DF7E1
004DF7C5 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
004DF7CB 83C4 0C add esp,0C // 上面3个push
004DF7CE 66:39BD 68FFFFFF cmp word ptr ss:[ebp-98],di
004DF7D5 74 0A je short dumped-x.004DF7E1
第33个:add esp,14
004E01E7 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
004E01ED 8912 mov dword ptr ds:[edx],edx
004E01EF CB retf
004E01F0 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004E01F3 FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>]
004E01E7 FF15 68104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObjList>]
004E01ED 83C4 14 add esp,14 // 上面5个push
004E01F0 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004E01F3 FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>]
至此全部搞定。
附件是手记。
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!