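I don't know much about this area, so I'd like to ask the experts how to approach analyzing a case like the one below; I have no idea where to start.
The exe has some encrypted code embedded in it, which is then decoded and called dynamically (that's my guess; see loc_5A430C below):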
.text:00407BFA mov [ebp-164h], eax
.text:00407C00 mov byte ptr [ebp-4], 4
.text:00407C04 mov byte ptr [ebp-4], 5
.text:00407C08 movsx edx, word ptr [ebp+0Ch]
.text:00407C0C push edx
.text:00407C0D movsx eax, word ptr [ebp+8]
.text:00407C11 push eax
.text:00407C12 call loc_5A430C
.text:00407C17 jmp loc_407CDD
Below is part of the contents of loc_5A430C (inside the exe file):
CODE:005A430C loc_5A430C: ; CODE XREF: .text:00407C12p
CODE:005A430C call ds:PEDECODE
CODE:005A4312 add al, [esp+eax]
CODE:005A4315 or al, bl
CODE:005A4317 das
CODE:005A4318 pop edx
CODE:005A4318 ; ---------------------------------------------------------------------------
CODE:005A4319 db 3 dup(0)
CODE:005A431C align 10h
CODE:005A4320 dd offset loc_403680
CODE:005A4324 dd 30020h, 40003Ch, 480044h, 403880h, 30024h, 41003Dh
CODE:005A4324 dd 480045h, 403880h, 30028h, 41003Dh, 480045h, 404110h
CODE:005A4324 dd 3002Ch, 704722h, 70472Eh, 70474Eh, 70475Ah, 4028D0h
CODE:005A4324 dd 3Ch, 401B50h, 5C8BE4h, 401BA0h, 2Ch, 5829A8h, 401BD0h
CODE:005A4324 dd 30h, 5D359Ch, 401C80h, 241C18h, 5A4424h, 401BD0h, 30h
.................(omitted)
The code that handles PEDECODE is in another DLL; part of it is listed below:
.text:1FFCB6E0 PEDECODE: ; CODE XREF: CODE32:loc_1FF98A78p
.text:1FFCB6E0 pop ecx
.text:1FFCB6E1 push 0
.text:1FFCB6E3 push edi
.text:1FFCB6E4 mov edi, esp
.text:1FFCB6E6 push ebp
.text:1FFCB6E7 push esi
.text:1FFCB6E8 push ebx
.text:1FFCB6E9 call sub_1FFC68B0
.text:1FFCB6EE or eax, eax
.text:1FFCB6F0 jz short loc_1FFCB6C8
.text:1FFCB6F2 mov ebp, eax
.text:1FFCB6F4 mov ebx, [ebp+50h]
.text:1FFCB6F7 mov eax, [ebp+60h]
.text:1FFCB6FA mov [ebx+14h], eax
.text:1FFCB6FD mov [ebp+60h], ebx
.text:1FFCB700 mov esi, [ebp+54h]
.text:1FFCB703 mov [ebx+18h], esi
.text:1FFCB706 mov [esi], esi
.text:1FFCB708 add dword ptr [ebp+54h], 4
.text:1FFCB70C xchg esi, [ebp+64h]
.text:1FFCB70F mov [ebx+0Ch], esi
.text:1FFCB712 mov eax, [ebp+68h]
.text:1FFCB715 mov [ebx+8], eax
.text:1FFCB718 mov dword ptr [ebx+10h], offset dword_1FFCB86C
.text:1FFCB71F lea esi, [ebx+1Ch]
.text:1FFCB722 mov [esi], esi
.text:1FFCB724 mov eax, ebx
.text:1FFCB726 xchg eax, [ebp+5Ch]
.text:1FFCB729 mov [ebx+4], eax
.text:1FFCB72C add ebx, 20h
.text:1FFCB72F mov [ebp+50h], ebx
.text:1FFCB732 mov dword ptr [ebx], offset off_1FFCB8B8
.text:1FFCB738 mov esi, ecx
.text:1FFCB73A xor eax, eax
.text:1FFCB73C mov ecx, eax
.text:1FFCB73E mov cl, [esi]
.text:1FFCB740 inc esi
.text:1FFCB741 add ebx, 18h
.text:1FFCB744 test ecx, ecx
.text:1FFCB746 jz short loc_1FFCB759
.text:1FFCB748
.text:1FFCB748 loc_1FFCB748: ; CODE XREF: .text:1FFCB757j
.text:1FFCB748 xor eax, eax
.text:1FFCB74A mov al, [esi]
.text:1FFCB74C inc esi
.text:1FFCB74D jmp ds:off_1FFCB670[eax]
.text:1FFCB753 ; ---------------------------------------------------------------------------
.text:1FFCB753
.text:1FFCB753 loc_1FFCB753: ; CODE XREF: .text:1FFCB7CAj
.text:1FFCB753
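............................(omitted)
PEiD reports it as Microsoft Visual C++ 6.0 with no packing. I guess a lot of the processing is done inside it. I'm a bit dizzy and at a loss, so I'd appreciate a few pointers from the experts.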