【文章标题】: Armadillo V4.62 Public Build 的 IAT 加密及 Magic Jmp 分析
【文章作者】: RegKiller
【作者邮箱】: 保密一下
【作者主页】: http://bbs.86sw.com
【作者QQ号】: 看雪不让说
【软件名称】: Win98 记事本
【软件大小】: 576 KB
【加壳方式】: Armadillo V4.62 Public Build 单进程标准
【保护方式】: 加密壳保护
【使用工具】: 最新版本的->电脑 + 大脑 + 双手
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
前段时间电脑挂了,刚修好,好久没上线了,今天一上来看到好多软件都更新为新版本了,顺手下载了一个 FLY 破解的 Armadillo V4.62 Public Build 然后用单进程标准方式加壳了一个 Win98 记事本看看新版本有没有变化,这一测试可好,果然有变化,以前直接 BP GetModuleHandleA 找 Magic Jmp 的方法竟然不灵了,测试了一下用 dilloDIE 1.6 脱壳机脱出来后竟然无法运行,所以出此下文,水平有限,错误之处敬请网友指教
【详细过程】
手脱 Armadillo V4.62 Public Build 单进程标准方式加壳的 Win98 记事本
本文是写给像我一样的菜鸟的,目的是希望菜鸟也能基本看得明白,所以写得过于罗嗦,望高手谅解。
本文重点:介绍加密壳避开 IAT 加密的方法
主要目的:希望新手通过此文可以学习到如何处理加密壳加密 IAT 的方法
我们分三个部分搞定
第一步:获取 OEP 和 IAT 的地址和 Size
第二步:避开 IAT 加密及寻找 Magic Jmp
第三步:脱壳后的程序优化
OK
开始步入主题
第一步:获取 OEP 和 IAT 的地址和 Size
00448173 >/$ 55
push ebp ; OD加载后停在此处
00448174 |. 8BEC
mov ebp,
esp
00448176 |. 6A FF
push -1
00448178 |. 68 682F4700
push PackEd.00472F68
0044817D |. 68 B07E4400
push PackEd.00447EB0
; SE 处理程序安装
Alt+M
打开内存映射窗口,在 .text 段上按 F2(内存映射窗口里的 F2 是内存访问断点,不是代码窗口里的 INT3 断点),然后 Shift+F9 运行,中断在 00C202DB 处
00C202DB 8B12
mov edx,
dword ptr ds:[
edx]
; 中断在这里F8向下走
00C202DD 8955 DC
mov dword ptr ss:[
ebp-24],
edx
00C202E0 834D FC FF
or dword ptr ss:[
ebp-4],FFFFFFFF
00C202E4 EB 11
jmp short 00C202F7
00C202E6 6A 01
push 1
00C202E8 58
pop eax
00C202E9 C3
retn
00C202EA 8B65 E8
mov esp,
dword ptr ss:[
ebp-18]
00C202ED 834D FC FF
or dword ptr ss:[
ebp-4],FFFFFFFF
00C202F1 8B7D 08
mov edi,
dword ptr ss:[
ebp+8]
00C202F4 8B55 DC
mov edx,
dword ptr ss:[
ebp-24]
00C202F7 A1 D415C300
mov eax,
dword ptr ds:[C315D4]
00C202FC 3150 24
xor dword ptr ds:[
eax+24],
edx
00C202FF A1 D415C300
mov eax,
dword ptr ds:[C315D4]
00C20304 3150 24
xor dword ptr ds:[
eax+24],
edx
00C20307 A1 D415C300
mov eax,
dword ptr ds:[C315D4]
00C2030C 8B48 38
mov ecx,
dword ptr ds:[
eax+38]
00C2030F 3348 30
xor ecx,
dword ptr ds:[
eax+30]
00C20312 3308
xor ecx,
dword ptr ds:[
eax]
00C20314 030D EC15C300
add ecx,
dword ptr ds:[C315EC]
; PackEd.00400000
00C2031A 8B17
mov edx,
dword ptr ds:[
edi]
00C2031C 85D2
test edx,
edx
00C2031E 75 18
jnz short 00C20338
00C20320 FF77 18
push dword ptr ds:[
edi+18]
00C20323 FF77 14
push dword ptr ds:[
edi+14]
00C20326 FF77 10
push dword ptr ds:[
edi+10]
00C20329 8B50 68
mov edx,
dword ptr ds:[
eax+68]
00C2032C 3350 40
xor edx,
dword ptr ds:[
eax+40]
00C2032F 3350 30
xor edx,
dword ptr ds:[
eax+30]
00C20332 2BCA
sub ecx,
edx
00C20334 FFD1
call ecx
00C20336 EB 1D
jmp short 00C20355
00C20338 83FA 01
cmp edx,1
00C2033B 75 1B
jnz short 00C20358
00C2033D FF77 04
push dword ptr ds:[
edi+4]
00C20340 FF77 08
push dword ptr ds:[
edi+8]
00C20343 6A 00
push 0
00C20345 FF77 0C
push dword ptr ds:[
edi+C]
00C20348 8B50 68
mov edx,
dword ptr ds:[
eax+68]
00C2034B 3350 40
xor edx,
dword ptr ds:[
eax+40]
00C2034E 3350 30
xor edx,
dword ptr ds:[
eax+30]
00C20351 2BCA
sub ecx,
edx
00C20353 FFD1
call ecx ; PackEd.004010CC 这个地址是什么?呵呵。
可以看到 00C20353 的 call ecx 后面的注释里已经出现记事本的 OEP 了 F7进入此 Call
004010CC 55
push ebp ; 记事本 OEP
004010CD 8BEC
mov ebp,
esp
004010CF 83EC 44
sub esp,44
004010D2 56
push esi
004010D3 FF15 E4634000
call dword ptr ds:[4063E4]
004010D9 8BF0
mov esi,
eax
004010DB 8A00
mov al,
byte ptr ds:[
eax]
004010DD 3C 22
cmp al,22
004010DF 75 1B
jnz short PackEd.004010FC
004010E1 56
push esi
004010E2 FF15 F4644000
call dword ptr ds:[4064F4]
; USER32.CharNextA
004010E8 8BF0
mov esi,
eax
004010EA 8A00
mov al,
byte ptr ds:[
eax]
004010EC 84C0
test al,
al
004010EE 74 04
je short PackEd.004010F4
004010F0 3C 22
cmp al,22
004010F2 ^ 75 ED
jnz short PackEd.004010E1
004010F4 803E 22
cmp byte ptr ds:[
esi],22
004010F7 75 15
jnz short PackEd.0040110E
004010F9 46
inc esi
004010FA EB 12
jmp short PackEd.0040110E
004010FC 3C 20
cmp al,20
004010FE 7E 0E
jle short PackEd.0040110E
00401100 56
push esi
00401101 FF15 F4644000
call dword ptr ds:[4064F4]
; USER32.CharNextA
可以看出上面部分 IAT 已经被加密了:004010D3 处的 call dword ptr ds:[4063E4] 没有解析出任何 API 名称,而 004010E2 处的 [4064F4] 能解析成 USER32.CharNextA,说明前者的 IAT 槽里放的已经不是系统 DLL 中的地址。
查看方法是在 004010D3 处鼠标右键从弹出菜单中选 跟随到数据窗口->内存地址
在数据窗口中滚动鼠标上下察看下 IAT 可以看出 IAT 并不是连续的,中间部分断开了
不过这不妨碍我们获取 IAT 的起始地址和结束地址,滚动鼠标上下察看得出 IAT 地址和大小
IAT
起始地址:004062E4-00400000=62E4
IAT
结束地址:00406524-00400000=6524
IAT
大小=结束地址-起始地址=6524-62E4=240
减 00400000 是减去基址 00400000
整理一下
OEP
:10CC
IAT Rva
:62E4
IAT Size
:240
第二步:避开 IAT 加密及寻找 Magic Jmp
我们继续看数据窗口,向下找可以找到这里
00406378 7C830927 kernel32.LocalReAlloc
0040637C 7C80998D kernel32.LocalAlloc
00406380 7C832E1D kernel32.LocalLock
00406384 00C0A7EF
00406388 7C80A7D4 kernel32.GetLocalTime
0040638C 7C83632D kernel32.GetTimeFormatA
我们看到 00406384 处的内容是 00C0A7EF,没有解析出函数名,但它上下都是正常的 kernel32 函数,说明这个槽已经被处理过:00C0A7EF 落在壳自身的内存区域(本文壳代码都在 00BFxxxx-00C3xxxx 之间),也就是说这个 IAT 项被改成指向壳内部的替身例程,而不是真正的 API 地址。这里说一下如何确定这个是被加密了呢?我们可以看一下下面的这个例子:
加壳前的样子
004063F8 >7D6470B0 SHELL32.DragFinish
004063FC >7D63245A SHELL32.ShellAboutA
00406400 >7D610EB0 SHELL32.ShellExecuteA
00406404 >7D5FAF9E SHELL32.DragAcceptFiles
00406408 >7D688BE2 SHELL32.SHGetSpecialFolderPathA
0040640C >7D6470C1 SHELL32.DragQueryFileA
00406410 00000000
00406414 >77D1A8AD USER32.wsprintfA
加壳后的样子
004063F8 7D6470B0 SHELL32.DragFinish
004063FC 7D63245A SHELL32.ShellAboutA
00406400 7D610EB0 SHELL32.ShellExecuteA
00406404 7D5FAF9E SHELL32.DragAcceptFiles
00406408 7D688BE2 SHELL32.SHGetSpecialFolderPathA
0040640C 7D6470C1 SHELL32.DragQueryFileA
00406410 00C07414
00406414 77D1A8AD USER32.wsprintfA
这里只有 00406410 行有变化,加壳前的 00406410 里面的数据是 00000000,而加壳后的是 00C07414。那么这个 00C07414 为什么不是被加密的函数呢?其实很简单:00406410 上面的是 SHELL32 的函数,而它下面的是 USER32 的函数,说明这是两个不同 DLL 的导入分组之间的位置,加壳前这里本来就是分组结束的 0 终止项。壳把它填成一个指向自己区域的值,所以 00C07414 并不对应任何导入函数,可以看作分隔数据(个人理解;后面 ImportREC 报告的几个无效指针应该就是这些位置,直接剪掉即可)。
OK,明白了上面的东西后我们继续把目光锁定在 00406378
拖动鼠标选择 00406378 行到 004063A8 行
00406378 7C830927 kernel32.LocalReAlloc
0040637C 7C80998D kernel32.LocalAlloc
00406380 7C832E1D kernel32.LocalLock
00406384 00C0A7EF
00406388 7C80A7D4 kernel32.GetLocalTime
0040638C 7C83632D kernel32.GetTimeFormatA
00406390 7C8361EE kernel32.GetDateFormatA
00406394 7C80BAA1 kernel32.lstrcmpiA
00406398 7C801EEE kernel32.GetStartupInfoA
0040639C 00C0A7A4
004063A0 00C0819F
004063A4 7C80BDB6 kernel32.lstrlenA
004063A8 7C810111 kernel32.lstrcpynA
确定选择了上面内容之后从右键菜单中选择断点->硬件写入->字节(或者选字也可以),然后 Ctrl+F2 重新加载程序。(x86 只有 4 个硬件断点寄存器,OD 实际监视的一般只是所选范围开头的几个字节,对这里的目的已经够用:只要第一次向这段 IAT 写入时能断下来就行。)
在命令行里下 d 406378 后回车,然后 Shift+F9 运行程序,中断在这里:
77C16FA3 F3:A5
rep movs dword ptr es:[
edi],
dword ptr ds:[
esi]
; 中断在这里
77C16FA5 FF2495 B870C177
jmp dword ptr ds:[
edx*4+77C170B8]
77C16FAC 8BC7
mov eax,
edi
77C16FAE BA 03000000
mov edx,3
77C16FB3 83E9 04
sub ecx,4
Alt+F9
返回
00C1BCC3 83C4 0C
add esp,0C
; 返回到这里
00C1BCC6 8D85 C4D5FFFF
lea eax,
dword ptr ss:[
ebp-2A3C]
00C1BCCC 50
push eax
00C1BCCD FFB5 C4D5FFFF
push dword ptr ss:[
ebp-2A3C]
00C1BCD3 FFB5 CCD5FFFF
push dword ptr ss:[
ebp-2A34]
返回后再 Shift+F9 中断在这里
00C1CF28 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
; 中断在这里
00C1CF2E 83C0 04
add eax,4
00C1CF31 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax
00C1CF37 ^ E9 4DFCFFFF
jmp 00C1CB89
00C1CF3C FF15 8472C200
call dword ptr ds:[C27284]
; kernel32.GetTickCount
此时可以发现数据窗口中已经写入了一个函数了。
00406378 7C830927 kernel32.LocalReAlloc
0040637C BFF74934
00406380 BFFA0C8F
00406384 BFF74934
现在我们删除硬件断点后从 00C1CF28 处 F8 单步跟踪
发现程序一直在 00C1CB89 到 00C1CF37 中间打转,并且每循环一次就出现一个函数。注意 00C1CB7D 在进入循环前记录了 GetTickCount,00C1CF3C-00C1CF5B 在循环结束后把耗时与 (已处理项数*32h+7D0h) 毫秒比较,超时就置位 [ebp-26CC]:这看起来是针对单步跟踪的计时检查,长时间 F8 跟踪这个循环可能触发它(后果本文没有验证),所以看明白流程后建议直接下断点跑过去。
通过单步跟踪发现:到达 00C1CDD0 时,如果 [ebp-3598] 等于 0,程序会落到 00C1CDFF-00C1CE0D,用 DLL 基址和函数名去调用 00C0662D(从出错时格式化的 "File "%s", function "%s"" 信息来看应是 GetProcAddress 的封装)取得真正的 API 地址,IAT 不加密;如果 [ebp-3598] 已经非 0(前面按函数名匹配到壳的替换表,见 00C1CD7D),就跳过解析,把壳内部例程的地址直接写进 IAT,这就是所谓的"加密"。
00C1CDD0 83BD 68CAFFFF 0>
cmp dword ptr ss:[
ebp-3598],0
; [ebp-3598] 为 0 吗
00C1CDD7 75 42
jnz short 00C1CE1B
; 跳就加密 IAT(不跳则调用 00C0662D 重新解析出真实地址;如果没有改 00C1CD75 处的 Magic Jmp,把这里 nop 掉同样可避开加密)
那么可以把 00C1CDD7 的 jnz short 00C1CE1B 这句 nop 掉就可以避开 IAT 加密了。
后来通过详细跟踪发现下面这段才是 Magic Jmp 的关键:
00C1CD26 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
; 开始循环计算函数地址
00C1CD2C 83C0 0C
add eax,0C
00C1CD2F 8985 58C2FFFF
mov dword ptr ss:[
ebp-3DA8],
eax
00C1CD35 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
00C1CD3B 8378 08 00
cmp dword ptr ds:[
eax+8],0
00C1CD3F 74 49
je short 00C1CD8A
00C1CD41 68 00010000
push 100
00C1CD46 8D85 58C1FFFF
lea eax,
dword ptr ss:[
ebp-3EA8]
00C1CD4C 50
push eax
00C1CD4D 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
00C1CD53 FF30
push dword ptr ds:[
eax]
00C1CD55 E8 9153FDFF
call 00BF20EB
00C1CD5A 83C4 0C
add esp,0C
00C1CD5D 8D85 58C1FFFF
lea eax,
dword ptr ss:[
ebp-3EA8]
00C1CD63 50
push eax
00C1CD64 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
00C1CD6A 50
push eax
00C1CD6B FF15 7873C200
call dword ptr ds:[C27378]
; msvcrt._stricmp
00C1CD71 59
pop ecx
00C1CD72 59
pop ecx
00C1CD73 85C0
test eax,
eax ; EAX 是 _stricmp 的返回值:0 表示函数名与替换表项相同,负/正只表示不同
00C1CD75 75 11
jnz short 00C1CD88
; Magic Jmp
00C1CD77 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
; _stricmp 返回 0 说明当前导入函数名命中了壳的替换表,于是把表项里的替身地址 [eax+8] 存入 [ebp-3598],后面就不再解析真实地址(即"加密")
00C1CD7D 8B40 08
mov eax,
dword ptr ds:[
eax+8]
00C1CD80 8985 68CAFFFF
mov dword ptr ss:[
ebp-3598],
eax
00C1CD86 EB 02
jmp short 00C1CD8A
; 找到了就结束循环继续处理
00C1CD88 ^ EB 9C
jmp short 00C1CD26
; 返回 00C1CD26 继续循环
00C1CD73 的 test eax,eax 检查的是 _stricmp 的返回值:0 表示两个字符串相等,负数/正数(作者跟踪时看到的 FFFFFFFF 和 1)只表示不相等,具体数值没有意义。只有当 EAX 为 0(函数名命中壳的替换表)时才会走到 00C1CD77 把替身地址写入 [ebp-3598],进而"加密"该 IAT 项。
那么可以推断 00C1CD75 的 jnz short 00C1CD88 就是 Magic Jmp,这里把 JNZ 改为 JMP 后循环永远不会命中(直到 00C1CD3B 处遇到表尾才退出),[ebp-3598] 保持为 0,所有函数都会在 00C1CE0D 处被正常解析,从而避开 IAT 加密。
只想脱壳找 Magic Jmp 方法的可以略过下面这段以下是处理 IAT 的详细分析:
00C1C72E 6A 01
push 1
; IAT 处理开始
00C1C730 58
pop eax
00C1C731 85C0
test eax,
eax
00C1C733 0F84 C5080000
je 00C1CFFE
00C1C739 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
; DLL 名送 EAX
00C1C73F 8985 84D3FFFF
mov dword ptr ss:[
ebp-2C7C],
eax
00C1C745 6A 00
push 0
00C1C747 FFB5 84D9FFFF
push dword ptr ss:[
ebp-267C]
00C1C74D FF15 2073C200
call dword ptr ds:[C27320]
; msvcrt.strchr
00C1C753 59
pop ecx
00C1C754 59
pop ecx
00C1C755 40
inc eax
00C1C756 8985 84D9FFFF
mov dword ptr ss:[
ebp-267C],
eax
00C1C75C 8B85 84D3FFFF
mov eax,
dword ptr ss:[
ebp-2C7C]
00C1C762 0FBE00
movsx eax,
byte ptr ds:[
eax]
00C1C765 85C0
test eax,
eax
00C1C767 75 05
jnz short 00C1C76E
00C1C769 E9 90080000
jmp 00C1CFFE
00C1C76E 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1C774 8B00
mov eax,
dword ptr ds:[
eax]
00C1C776 8985 90D4FFFF
mov dword ptr ss:[
ebp-2B70],
eax
00C1C77C 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1C782 83C0 04
add eax,4
00C1C785 8985 84D9FFFF
mov dword ptr ss:[
ebp-267C],
eax
00C1C78B 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1C791 8B00
mov eax,
dword ptr ds:[
eax]
00C1C793 8985 98D4FFFF
mov dword ptr ss:[
ebp-2B68],
eax
00C1C799 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1C79F 83C0 04
add eax,4
00C1C7A2 8985 84D9FFFF
mov dword ptr ss:[
ebp-267C],
eax
00C1C7A8 A0 50FFC200
mov al,
byte ptr ds:[C2FF50]
00C1C7AD 8885 88D3FFFF
mov byte ptr ss:[
ebp-2C78],
al
00C1C7B3 6A 40
push 40
00C1C7B5 59
pop ecx
00C1C7B6 33C0
xor eax,
eax
00C1C7B8 8DBD 89D3FFFF
lea edi,
dword ptr ss:[
ebp-2C77]
00C1C7BE F3:AB
rep stos dword ptr es:[
edi]
00C1C7C0 66:AB
stos word ptr es:[
edi]
00C1C7C2 AA
stos byte ptr es:[
edi]
00C1C7C3 FFB5 84D3FFFF
push dword ptr ss:[
ebp-2C7C]
00C1C7C9 E8 B3ACFEFF
call 00C07481
; 获取 DLL 基址
00C1C7CE 8985 A0D4FFFF
mov dword ptr ss:[
ebp-2B60],
eax ; 基址送 [ebp-2B60] 保存
00C1C7D4 83BD A0D4FFFF 0>
cmp dword ptr ss:[
ebp-2B60],0
00C1C7DB 0F85 9F000000
jnz 00C1C880
00C1C7E1 83BD A0D4FFFF 0>
cmp dword ptr ss:[
ebp-2B60],0
00C1C7E8 75 5B
jnz short 00C1C845
00C1C7EA 6A 01
push 1
00C1C7EC 8D85 80D2FFFF
lea eax,
dword ptr ss:[
ebp-2D80]
00C1C7F2 50
push eax
00C1C7F3 E8 036DFFFF
call 00C134FB
00C1C7F8 59
pop ecx
00C1C7F9 59
pop ecx
00C1C7FA 6A 5C
push 5C
00C1C7FC 8D85 80D2FFFF
lea eax,
dword ptr ss:[
ebp-2D80]
00C1C802 50
push eax
00C1C803 FF15 EC72C200
call dword ptr ds:[C272EC]
; msvcrt.strrchr
00C1C809 59
pop ecx
00C1C80A 59
pop ecx
00C1C80B 8985 7CD2FFFF
mov dword ptr ss:[
ebp-2D84],
eax
00C1C811 83BD 7CD2FFFF 0>
cmp dword ptr ss:[
ebp-2D84],0
00C1C818 74 2B
je short 00C1C845
00C1C81A FFB5 84D3FFFF
push dword ptr ss:[
ebp-2C7C]
00C1C820 8B85 7CD2FFFF
mov eax,
dword ptr ss:[
ebp-2D84]
00C1C826 40
inc eax
00C1C827 50
push eax
00C1C828 E8 FD990000
call 00C2622A
; jmp 到 msvcrt.strcpy
00C1C82D 59
pop ecx
00C1C82E 59
pop ecx
00C1C82F 6A 08
push 8
00C1C831 6A 00
push 0
00C1C833 8D85 80D2FFFF
lea eax,
dword ptr ss:[
ebp-2D80]
00C1C839 50
push eax
00C1C83A E8 36B0FEFF
call 00C07875
00C1C83F 8985 A0D4FFFF
mov dword ptr ss:[
ebp-2B60],
eax
00C1C845 83BD A0D4FFFF 0>
cmp dword ptr ss:[
ebp-2B60],0
00C1C84C 75 32
jnz short 00C1C880
00C1C84E 6A 01
push 1
00C1C850 8D85 80D2FFFF
lea eax,
dword ptr ss:[
ebp-2D80]
00C1C856 50
push eax
00C1C857 E8 9F6CFFFF
call 00C134FB
00C1C85C 59
pop ecx
00C1C85D 59
pop ecx
00C1C85E 8D85 80D2FFFF
lea eax,
dword ptr ss:[
ebp-2D80]
00C1C864 50
push eax
00C1C865 8D85 88D3FFFF
lea eax,
dword ptr ss:[
ebp-2C78]
00C1C86B 50
push eax
00C1C86C FFB5 84D3FFFF
push dword ptr ss:[
ebp-2C7C]
00C1C872 E8 43A7FEFF
call 00C06FBA
00C1C877 83C4 0C
add esp,0C
00C1C87A 8985 A0D4FFFF
mov dword ptr ss:[
ebp-2B60],
eax
00C1C880 83BD A0D4FFFF 0>
cmp dword ptr ss:[
ebp-2B60],0
00C1C887 75 58
jnz short 00C1C8E1
00C1C889 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1C88C 8B00
mov eax,
dword ptr ds:[
eax]
00C1C88E C700 03000000
mov dword ptr ds:[
eax],3
00C1C894 0FBE85 88D3FFFF
movsx eax,
byte ptr ss:[
ebp-2C78]
00C1C89B 85C0
test eax,
eax
00C1C89D 74 0E
je short 00C1C8AD
00C1C89F 8D85 88D3FFFF
lea eax,
dword ptr ss:[
ebp-2C78]
00C1C8A5 8985 E0A8FFFF
mov dword ptr ss:[
ebp+FFFFA8E0],
eax
00C1C8AB EB 0C
jmp short 00C1C8B9
00C1C8AD 8B85 84D3FFFF
mov eax,
dword ptr ss:[
ebp-2C7C]
00C1C8B3 8985 E0A8FFFF
mov dword ptr ss:[
ebp+FFFFA8E0],
eax
00C1C8B9 FF15 C072C200
call dword ptr ds:[C272C0]
; ntdll.RtlGetLastWin32Error
00C1C8BF 50
push eax
00C1C8C0 FFB5 E0A8FFFF
push dword ptr ss:[
ebp+FFFFA8E0]
00C1C8C6 68 78DDC200
push 0C2DD78
; ASCII "File "%s", error %d"
00C1C8CB 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1C8CE FF70 04
push dword ptr ds:[
eax+4]
00C1C8D1 FF15 1C73C200
call dword ptr ds:[C2731C]
; msvcrt.sprintf
00C1C8D7 83C4 10
add esp,10
00C1C8DA 33C0
xor eax,
eax
00C1C8DC E9 7F1A0000
jmp 00C1E360
00C1C8E1 FFB5 A0D4FFFF
push dword ptr ss:[
ebp-2B60]
; Dll 基址进栈
00C1C8E7 E8 6294FEFF
call 00C05D4E
00C1C8EC 59
pop ecx
00C1C8ED 83A5 9CD4FFFF 0>
and dword ptr ss:[
ebp-2B64],0
00C1C8F4 A1 EC15C300
mov eax,
dword ptr ds:[C315EC]
00C1C8F9 8985 F0A9FFFF
mov dword ptr ss:[
ebp+FFFFA9F0],
eax ; 镜像基址送 [ebp+FFFFA9F0]
00C1C8FF 8B85 A0D4FFFF
mov eax,
dword ptr ss:[
ebp-2B60]
; Dll 基址送 EAX
00C1C905 3B85 F0A9FFFF
cmp eax,
dword ptr ss:[
ebp+FFFFA9F0]
00C1C90B 75 0F
jnz short 00C1C91C
00C1C90D C785 9CD4FFFF B>
mov dword ptr ss:[
ebp-2B64],0C2BBB8
00C1C917 E9 93000000
jmp 00C1C9AF
00C1C91C 83A5 78D2FFFF 0>
and dword ptr ss:[
ebp-2D88],0
00C1C923 C785 74D2FFFF D>
mov dword ptr ss:[
ebp-2D8C],0C2C1D8
00C1C92D EB 1C
jmp short 00C1C94B
00C1C92F 8B85 74D2FFFF
mov eax,
dword ptr ss:[
ebp-2D8C]
00C1C935 83C0 0C
add eax,0C
00C1C938 8985 74D2FFFF
mov dword ptr ss:[
ebp-2D8C],
eax
00C1C93E 8B85 78D2FFFF
mov eax,
dword ptr ss:[
ebp-2D88]
00C1C944 40
inc eax
00C1C945 8985 78D2FFFF
mov dword ptr ss:[
ebp-2D88],
eax
00C1C94B 8B85 74D2FFFF
mov eax,
dword ptr ss:[
ebp-2D8C]
00C1C951 8338 00
cmp dword ptr ds:[
eax],0
00C1C954 74 59
je short 00C1C9AF
00C1C956 8B85 74D2FFFF
mov eax,
dword ptr ss:[
ebp-2D8C]
00C1C95C 8B40 08
mov eax,
dword ptr ds:[
eax+8]
00C1C95F 83E0 01
and eax,1
00C1C962 85C0
test eax,
eax
00C1C964 74 13
je short 00C1C979
00C1C966 B9 880FC300
mov ecx,0C30F88
00C1C96B E8 77F1FDFF
call 00BFBAE7
00C1C970 0FB6C0
movzx eax,
al
00C1C973 85C0
test eax,
eax
00C1C975 74 02
je short 00C1C979
00C1C977 ^ EB B6
jmp short 00C1C92F
00C1C979 B9 880FC300
mov ecx,0C30F88
00C1C97E E8 ADD1FEFF
call 00C09B30
00C1C983 8B8D 78D2FFFF
mov ecx,
dword ptr ss:[
ebp-2D88]
00C1C989 8B15 9C55C300
mov edx,
dword ptr ds:[C3559C]
00C1C98F 8B0C8A
mov ecx,
dword ptr ds:[
edx+
ecx*4]
00C1C992 33C8
xor ecx,
eax
00C1C994 398D A0D4FFFF
cmp dword ptr ss:[
ebp-2B60],
ecx
00C1C99A 75 11
jnz short 00C1C9AD
00C1C99C 8B85 74D2FFFF
mov eax,
dword ptr ss:[
ebp-2D8C]
00C1C9A2 8B40 04
mov eax,
dword ptr ds:[
eax+4]
00C1C9A5 8985 9CD4FFFF
mov dword ptr ss:[
ebp-2B64],
eax
00C1C9AB EB 02
jmp short 00C1C9AF
00C1C9AD ^ EB 80
jmp short 00C1C92F
00C1C9AF 80A5 94D4FFFF 0>
and byte ptr ss:[
ebp-2B6C],0
00C1C9B6 83BD E4D7FFFF 0>
cmp dword ptr ss:[
ebp-281C],0
00C1C9BD 75 39
jnz short 00C1C9F8
00C1C9BF A0 AC15C300
mov al,
byte ptr ds:[C315AC]
00C1C9C4 8885 ECA9FFFF
mov byte ptr ss:[
ebp+FFFFA9EC],
al
00C1C9CA 0FB685 ECA9FFFF
movzx eax,
byte ptr ss:[
ebp+FFFFA9EC]
00C1C9D1 85C0
test eax,
eax
00C1C9D3 74 23
je short 00C1C9F8
00C1C9D5 8B85 90D4FFFF
mov eax,
dword ptr ss:[
ebp-2B70]
00C1C9DB 3B85 C0FEFFFF
cmp eax,
dword ptr ss:[
ebp-140]
00C1C9E1 72 15
jb short 00C1C9F8
00C1C9E3 8B85 90D4FFFF
mov eax,
dword ptr ss:[
ebp-2B70]
00C1C9E9 3B85 CCFEFFFF
cmp eax,
dword ptr ss:[
ebp-134]
00C1C9EF 73 07
jnb short 00C1C9F8
00C1C9F1 C685 94D4FFFF 0>
mov byte ptr ss:[
ebp-2B6C],1
00C1C9F8 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1C9FE 40
inc eax
00C1C9FF 8985 98D4FFFF
mov dword ptr ss:[
ebp-2B68],
eax
00C1CA05 83BD E4D7FFFF 0>
cmp dword ptr ss:[
ebp-281C],0
00C1CA0C 74 4D
je short 00C1CA5B
00C1CA0E 8B85 90D4FFFF
mov eax,
dword ptr ss:[
ebp-2B70]
00C1CA14 2B85 E8D7FFFF
sub eax,
dword ptr ss:[
ebp-2818]
00C1CA1A C1E8 02
shr eax,2
00C1CA1D 8985 70D2FFFF
mov dword ptr ss:[
ebp-2D90],
eax
00C1CA23 8B85 70D2FFFF
mov eax,
dword ptr ss:[
ebp-2D90]
00C1CA29 8B8D E4D7FFFF
mov ecx,
dword ptr ss:[
ebp-281C]
00C1CA2F 8D0481
lea eax,
dword ptr ds:[
ecx+
eax*4]
00C1CA32 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax
00C1CA38 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
00C1CA3E 8985 6CD9FFFF
mov dword ptr ss:[
ebp-2694],
eax
00C1CA44 8B85 44D9FFFF
mov eax,
dword ptr ss:[
ebp-26BC]
00C1CA4A 8B8D E4D7FFFF
mov ecx,
dword ptr ss:[
ebp-281C]
00C1CA50 8D0481
lea eax,
dword ptr ds:[
ecx+
eax*4]
00C1CA53 8985 64D9FFFF
mov dword ptr ss:[
ebp-269C],
eax
00C1CA59 EB 59
jmp short 00C1CAB4
00C1CA5B 0FB685 94D4FFFF
movzx eax,
byte ptr ss:[
ebp-2B6C]
00C1CA62 85C0
test eax,
eax
00C1CA64 74 30
je short 00C1CA96
00C1CA66 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CA6C C1E0 02
shl eax,2
00C1CA6F 50
push eax
00C1CA70 E8 25970000
call 00C2619A
; jmp 到 msvcrt.??2@YAPAXI@Z
00C1CA75 59
pop ecx
00C1CA76 8985 ACABFFFF
mov dword ptr ss:[
ebp+FFFFABAC],
eax
00C1CA7C 8B85 ACABFFFF
mov eax,
dword ptr ss:[
ebp+FFFFABAC]
00C1CA82 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax
00C1CA88 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
00C1CA8E 8985 6CD9FFFF
mov dword ptr ss:[
ebp-2694],
eax
00C1CA94 EB 1E
jmp short 00C1CAB4
00C1CA96 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CA9C 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CAA2 8985 6CD9FFFF
mov dword ptr ss:[
ebp-2694],
eax
00C1CAA8 8B85 6CD9FFFF
mov eax,
dword ptr ss:[
ebp-2694]
00C1CAAE 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax
00C1CAB4 83BD E4D7FFFF 0>
cmp dword ptr ss:[
ebp-281C],0
00C1CABB 0F85 B5000000
jnz 00C1CB76
00C1CAC1 8D85 8CD4FFFF
lea eax,
dword ptr ss:[
ebp-2B74]
00C1CAC7 50
push eax
00C1CAC8 6A 04
push 4
00C1CACA 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CAD0 C1E0 02
shl eax,2
00C1CAD3 50
push eax
00C1CAD4 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CADA 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CAE0 50
push eax
00C1CAE1 FF15 1871C200
call dword ptr ds:[C27118]
; kernel32.VirtualProtect
00C1CAE7 6A 14
push 14
00C1CAE9 E8 AC960000
call 00C2619A
; jmp 到 msvcrt.??2@YAPAXI@Z
00C1CAEE 59
pop ecx
00C1CAEF 8985 A8ABFFFF
mov dword ptr ss:[
ebp+FFFFABA8],
eax
00C1CAF5 83BD A8ABFFFF 0>
cmp dword ptr ss:[
ebp+FFFFABA8],0
00C1CAFC 74 58
je short 00C1CB56
00C1CAFE A1 08BAC300
mov eax,
dword ptr ds:[C3BA08]
00C1CB03 8985 E8A9FFFF
mov dword ptr ss:[
ebp+FFFFA9E8],
eax
00C1CB09 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CB0F 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CB15 8B8D A8ABFFFF
mov ecx,
dword ptr ss:[
ebp+FFFFABA8]
00C1CB1B 8901
mov dword ptr ds:[
ecx],
eax
00C1CB1D 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CB23 C1E0 02
shl eax,2
00C1CB26 8B8D A8ABFFFF
mov ecx,
dword ptr ss:[
ebp+FFFFABA8]
00C1CB2C 8941 04
mov dword ptr ds:[
ecx+4],
eax
00C1CB2F 8B85 A8ABFFFF
mov eax,
dword ptr ss:[
ebp+FFFFABA8]
00C1CB35 8060 0C 00
and byte ptr ds:[
eax+C],0
00C1CB39 8B85 A8ABFFFF
mov eax,
dword ptr ss:[
ebp+FFFFABA8]
00C1CB3F 8B8D E8A9FFFF
mov ecx,
dword ptr ss:[
ebp+FFFFA9E8]
00C1CB45 8948 10
mov dword ptr ds:[
eax+10],
ecx
00C1CB48 8B85 A8ABFFFF
mov eax,
dword ptr ss:[
ebp+FFFFABA8]
00C1CB4E 8985 DCA8FFFF
mov dword ptr ss:[
ebp+FFFFA8DC],
eax
00C1CB54 EB 07
jmp short 00C1CB5D
00C1CB56 83A5 DCA8FFFF 0>
and dword ptr ss:[
ebp+FFFFA8DC],0
00C1CB5D 8B85 DCA8FFFF
mov eax,
dword ptr ss:[
ebp+FFFFA8DC]
00C1CB63 A3 08BAC300
mov dword ptr ds:[C3BA08],
eax
00C1CB68 A1 08BAC300
mov eax,
dword ptr ds:[C3BA08]
00C1CB6D 8B8D 8CD4FFFF
mov ecx,
dword ptr ss:[
ebp-2B74]
00C1CB73 8948 08
mov dword ptr ds:[
eax+8],
ecx
00C1CB76 83A5 A8D4FFFF 0>
and dword ptr ss:[
ebp-2B58],0
00C1CB7D FF15 8472C200
call dword ptr ds:[C27284]
; kernel32.GetTickCount
00C1CB83 8985 A4D4FFFF
mov dword ptr ss:[
ebp-2B5C],
eax
00C1CB89 6A 01
push 1
00C1CB8B 58
pop eax
00C1CB8C 85C0
test eax,
eax
00C1CB8E 0F84 A8030000
je 00C1CF3C
00C1CB94 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1CB9A 66:8B00
mov ax,
word ptr ds:[
eax]
00C1CB9D 66:8985 64C2FFF>
mov word ptr ss:[
ebp-3D9C],
ax
00C1CBA4 8B85 84D9FFFF
mov eax,
dword ptr ss:[
ebp-267C]
00C1CBAA 40
inc eax
00C1CBAB 40
inc eax
00C1CBAC 8985 84D9FFFF
mov dword ptr ss:[
ebp-267C],
eax
00C1CBB2 0FB785 64C2FFFF
movzx eax,
word ptr ss:[
ebp-3D9C]
00C1CBB9 50
push eax
00C1CBBA FFB5 84D9FFFF
push dword ptr ss:[
ebp-267C]
00C1CBC0 8D85 70CAFFFF
lea eax,
dword ptr ss:[
ebp-3590]
00C1CBC6 50
push eax
00C1CBC7 E8 C8950000
call 00C26194
; jmp 到 msvcrt.memcpy
00C1CBCC 83C4 0C
add esp,0C
00C1CBCF 0FB785 64C2FFFF
movzx eax,
word ptr ss:[
ebp-3D9C]
00C1CBD6 8B8D 84D9FFFF
mov ecx,
dword ptr ss:[
ebp-267C]
00C1CBDC 03C8
add ecx,
eax
00C1CBDE 898D 84D9FFFF
mov dword ptr ss:[
ebp-267C],
ecx
00C1CBE4 66:83A5 6CCAFFF>
and word ptr ss:[
ebp-3594],0
00C1CBEC A0 50FFC200
mov al,
byte ptr ds:[C2FF50]
00C1CBF1 8885 68C2FFFF
mov byte ptr ss:[
ebp-3D98],
al
00C1CBF7 B9 FF010000
mov ecx,1FF
00C1CBFC 33C0
xor eax,
eax
00C1CBFE 8DBD 69C2FFFF
lea edi,
dword ptr ss:[
ebp-3D97]
00C1CC04 F3:AB
rep stos dword ptr es:[
edi]
00C1CC06 66:AB
stos word ptr es:[
edi]
00C1CC08 AA
stos byte ptr es:[
edi]
00C1CC09 0FB785 64C2FFFF
movzx eax,
word ptr ss:[
ebp-3D9C]
00C1CC10 85C0
test eax,
eax
00C1CC12 74 6E
je short 00C1CC82
00C1CC14 8D8D 74D9FFFF
lea ecx,
dword ptr ss:[
ebp-268C]
00C1CC1A E8 E143FDFF
call 00BF1000
00C1CC1F 8985 60C2FFFF
mov dword ptr ss:[
ebp-3DA0],
eax
00C1CC25 6A 00
push 0
00C1CC27 0FB785 64C2FFFF
movzx eax,
word ptr ss:[
ebp-3D9C]
00C1CC2E 50
push eax
00C1CC2F 8D85 70CAFFFF
lea eax,
dword ptr ss:[
ebp-3590]
00C1CC35 50
push eax
00C1CC36 FFB5 60C2FFFF
push dword ptr ss:[
ebp-3DA0]
00C1CC3C E8 6B48FDFF
call 00BF14AC
; 获取一个函数名
00C1CC41 83C4 10
add esp,10
00C1CC44 0FB685 70CAFFFF
movzx eax,
byte ptr ss:[
ebp-3590]
; 函数名首字母 ASCII 送到 EAX
00C1CC4B 3D FF000000
cmp eax,0FF
00C1CC50 75 10
jnz short 00C1CC62
00C1CC52 66:8B85 71CAFFF>
mov ax,
word ptr ss:[
ebp-358F]
00C1CC59 66:8985 6CCAFFF>
mov word ptr ss:[
ebp-3594],
ax
00C1CC60 EB 20
jmp short 00C1CC82
00C1CC62 0FBE85 70CAFFFF
movsx eax,
byte ptr ss:[
ebp-3590]
; 函数名首字母 ASCII 送到 EAX
00C1CC69 85C0
test eax,
eax
00C1CC6B 74 15
je short 00C1CC82
00C1CC6D 8D85 70CAFFFF
lea eax,
dword ptr ss:[
ebp-3590]
; 函数名送到 EAX 中保存
00C1CC73 50
push eax
00C1CC74 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
; [ebp-3D98] 是下面 strcpy 的目标缓冲区,函数名被复制到这里(后面 00C1CD64 用它与壳的替换表比较)
00C1CC7A 50
push eax
00C1CC7B E8 AA950000
call 00C2622A
; jmp 到 msvcrt.strcpy
00C1CC80 59
pop ecx
00C1CC81 59
pop ecx
00C1CC82 83A5 68CAFFFF 0>
and dword ptr ss:[
ebp-3598],0
00C1CC89 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
; 取出 [ebp-3594]:只有按序号导入(00C1CC4B 处名字首字节为 FF)时它才非 0,从后面 "ordinal %d" 的出错信息看应是导入序号
00C1CC90 85C0
test eax,
eax
00C1CC92 74 6C
je short 00C1CD00
00C1CC94 83BD 9CD4FFFF 0>
cmp dword ptr ss:[
ebp-2B64],0
00C1CC9B 74 51
je short 00C1CCEE
00C1CC9D 8B85 9CD4FFFF
mov eax,
dword ptr ss:[
ebp-2B64]
00C1CCA3 8985 5CC2FFFF
mov dword ptr ss:[
ebp-3DA4],
eax
00C1CCA9 EB 0F
jmp short 00C1CCBA
00C1CCAB 8B85 5CC2FFFF
mov eax,
dword ptr ss:[
ebp-3DA4]
00C1CCB1 83C0 0C
add eax,0C
00C1CCB4 8985 5CC2FFFF
mov dword ptr ss:[
ebp-3DA4],
eax
00C1CCBA 8B85 5CC2FFFF
mov eax,
dword ptr ss:[
ebp-3DA4]
00C1CCC0 8378 08 00
cmp dword ptr ds:[
eax+8],0
00C1CCC4 74 28
je short 00C1CCEE
00C1CCC6 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CCCD 8B8D 5CC2FFFF
mov ecx,
dword ptr ss:[
ebp-3DA4]
00C1CCD3 0FB749 04
movzx ecx,
word ptr ds:[
ecx+4]
00C1CCD7 3BC1
cmp eax,
ecx
00C1CCD9 75 11
jnz short 00C1CCEC
00C1CCDB 8B85 5CC2FFFF
mov eax,
dword ptr ss:[
ebp-3DA4]
00C1CCE1 8B40 08
mov eax,
dword ptr ds:[
eax+8]
00C1CCE4 8985 68CAFFFF
mov dword ptr ss:[
ebp-3598],
eax
00C1CCEA EB 02
jmp short 00C1CCEE
00C1CCEC ^ EB BD
jmp short 00C1CCAB
00C1CCEE 8B85 A8D4FFFF
mov eax,
dword ptr ss:[
ebp-2B58]
00C1CCF4 40
inc eax
00C1CCF5 8985 A8D4FFFF
mov dword ptr ss:[
ebp-2B58],
eax
00C1CCFB E9 D0000000
jmp 00C1CDD0
00C1CD00 0FBE85 68C2FFFF
movsx eax,
byte ptr ss:[
ebp-3D98]
; 函数名首字母送 ASCII 码 EAX
00C1CD07 85C0
test eax,
eax
00C1CD09 0F84 8A000000
je 00C1CD99
; 空就跳走
00C1CD0F 83BD 9CD4FFFF 0>
cmp dword ptr ss:[
ebp-2B64],0
00C1CD16 74 72
je short 00C1CD8A
00C1CD18 8B85 9CD4FFFF
mov eax,
dword ptr ss:[
ebp-2B64]
00C1CD1E 8985 58C2FFFF
mov dword ptr ss:[
ebp-3DA8],
eax
00C1CD24 EB 0F
jmp short 00C1CD35
00C1CD26 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
; 开始循环计算函数地址
00C1CD2C 83C0 0C
add eax,0C
00C1CD2F 8985 58C2FFFF
mov dword ptr ss:[
ebp-3DA8],
eax
00C1CD35 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
00C1CD3B 8378 08 00
cmp dword ptr ds:[
eax+8],0
00C1CD3F 74 49
je short 00C1CD8A
00C1CD41 68 00010000
push 100
00C1CD46 8D85 58C1FFFF
lea eax,
dword ptr ss:[
ebp-3EA8]
00C1CD4C 50
push eax
00C1CD4D 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
00C1CD53 FF30
push dword ptr ds:[
eax]
00C1CD55 E8 9153FDFF
call 00BF20EB
00C1CD5A 83C4 0C
add esp,0C
00C1CD5D 8D85 58C1FFFF
lea eax,
dword ptr ss:[
ebp-3EA8]
00C1CD63 50
push eax
00C1CD64 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
00C1CD6A 50
push eax
00C1CD6B FF15 7873C200
call dword ptr ds:[C27378]
; msvcrt._stricmp
00C1CD71 59
pop ecx
00C1CD72 59
pop ecx
00C1CD73 85C0
test eax,
eax ; EAX 是 _stricmp 的返回值:0 表示函数名与替换表项相同,负/正(跟踪时看到的 FFFFFFFF 和 1)只表示不同
00C1CD75 75 11
jnz short 00C1CD88
; Magic Jmp
00C1CD77 8B85 58C2FFFF
mov eax,
dword ptr ss:[
ebp-3DA8]
; _stricmp 返回 0 说明当前导入函数名命中了壳的替换表,于是把表项里的替身地址 [eax+8] 存入 [ebp-3598],后面就不再解析真实地址(即"加密")
00C1CD7D 8B40 08
mov eax,
dword ptr ds:[
eax+8]
00C1CD80 8985 68CAFFFF
mov dword ptr ss:[
ebp-3598],
eax
00C1CD86 EB 02
jmp short 00C1CD8A
; 找到了就结束循环继续处理
00C1CD88 ^ EB 9C
jmp short 00C1CD26
; 返回 00C1CD26 继续循环
00C1CD8A 8B85 A8D4FFFF
mov eax,
dword ptr ss:[
ebp-2B58]
; 取出已处理的导入项计数 [ebp-2B58](00C1CB76 处清 0,每处理一项加 1,00C1CF4E 处用于计时阈值)
00C1CD90 40
inc eax ; EAX 自加
00C1CD91 8985 A8D4FFFF
mov dword ptr ss:[
ebp-2B58],
eax
00C1CD97 EB 37
jmp short 00C1CDD0
00C1CD99 8D8D 38D9FFFF
lea ecx,
dword ptr ss:[
ebp-26C8]
00C1CD9F E8 9C42FDFF
call 00BF1040
00C1CDA4 0FB6C0
movzx eax,
al
00C1CDA7 99
cdq
00C1CDA8 6A 14
push 14
00C1CDAA 59
pop ecx
00C1CDAB F7F9
idiv ecx
00C1CDAD 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
00C1CDB3 8B8C95 94D7FFFF
mov ecx,
dword ptr ss:[
ebp+
edx*4-286C]
00C1CDBA 8908
mov dword ptr ds:[
eax],
ecx
00C1CDBC 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
00C1CDC2 83C0 04
add eax,4
00C1CDC5 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax
00C1CDCB E9 6C010000
jmp 00C1CF3C
00C1CDD0 83BD 68CAFFFF 0>
cmp dword ptr ss:[
ebp-3598],0
; [ebp-3598] 为 0 吗
00C1CDD7 75 42
jnz short 00C1CE1B
; 跳就加密 IAT(不跳则调用 00C0662D 重新解析出真实地址;如果没有改 00C1CD75 处的 Magic Jmp,把这里 nop 掉同样可避开加密)
00C1CDD9 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
; 取出导入序号 [ebp-3594],非 0 表示按序号导入,0 表示按名字导入
00C1CDE0 85C0
test eax,
eax
00C1CDE2 74 0F
je short 00C1CDF3
00C1CDE4 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CDEB 8985 D8A8FFFF
mov dword ptr ss:[
ebp+FFFFA8D8],
eax
00C1CDF1 EB 0C
jmp short 00C1CDFF
00C1CDF3 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
; 函数名送 EAX
00C1CDF9 8985 D8A8FFFF
mov dword ptr ss:[
ebp+FFFFA8D8],
eax
00C1CDFF 6A 01
push 1
00C1CE01 FFB5 D8A8FFFF
push dword ptr ss:[
ebp+FFFFA8D8]
; 函数名进栈
00C1CE07 FFB5 A0D4FFFF
push dword ptr ss:[
ebp-2B60]
; 函数名所在的 Dll 进栈
00C1CE0D E8 1B98FEFF
call 00C0662D
00C1CE12 83C4 0C
add esp,0C
00C1CE15 8985 68CAFFFF
mov dword ptr ss:[
ebp-3598],
eax ; 把处理好的 IAT 送到 [ebp-3598]
00C1CE1B 83BD 68CAFFFF 0>
cmp dword ptr ss:[
ebp-3598],0
; 送进去了吗?
00C1CE22 75 42
jnz short 00C1CE66
; 送进去就跳到下面继续
00C1CE24 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CE2B 85C0
test eax,
eax
00C1CE2D 74 0F
je short 00C1CE3E
00C1CE2F 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CE36 8985 D4A8FFFF
mov dword ptr ss:[
ebp+FFFFA8D4],
eax
00C1CE3C EB 0C
jmp short 00C1CE4A
00C1CE3E 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
00C1CE44 8985 D4A8FFFF
mov dword ptr ss:[
ebp+FFFFA8D4],
eax
00C1CE4A 6A 00
push 0
00C1CE4C FFB5 D4A8FFFF
push dword ptr ss:[
ebp+FFFFA8D4]
00C1CE52 FFB5 A0D4FFFF
push dword ptr ss:[
ebp-2B60]
00C1CE58 E8 D097FEFF
call 00C0662D
00C1CE5D 83C4 0C
add esp,0C
00C1CE60 8985 68CAFFFF
mov dword ptr ss:[
ebp-3598],
eax
00C1CE66 83BD 68CAFFFF 0>
cmp dword ptr ss:[
ebp-3598],0
; 送进去了吗?
00C1CE6D 0F85 99000000
jnz 00C1CF0C
; 送进去就跳到下面继续
00C1CE73 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CE7A 85C0
test eax,
eax
00C1CE7C 74 54
je short 00C1CED2
00C1CE7E FF15 C072C200
call dword ptr ds:[C272C0]
; ntdll.RtlGetLastWin32Error
00C1CE84 83F8 32
cmp eax,32
00C1CE87 75 0C
jnz short 00C1CE95
00C1CE89 C785 68CAFFFF 2>
mov dword ptr ss:[
ebp-3598],0C06622
00C1CE93 EB 3B
jmp short 00C1CED0
00C1CE95 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1CE98 8B00
mov eax,
dword ptr ds:[
eax]
00C1CE9A C700 03000000
mov dword ptr ds:[
eax],3
00C1CEA0 FF15 C072C200
call dword ptr ds:[C272C0]
; ntdll.RtlGetLastWin32Error
00C1CEA6 50
push eax
00C1CEA7 0FB785 6CCAFFFF
movzx eax,
word ptr ss:[
ebp-3594]
00C1CEAE 50
push eax
00C1CEAF FFB5 84D3FFFF
push dword ptr ss:[
ebp-2C7C]
00C1CEB5 68 54DDC200
push 0C2DD54
; ASCII "File "%s", ordinal %d (error %d)"
00C1CEBA 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1CEBD FF70 04
push dword ptr ds:[
eax+4]
00C1CEC0 FF15 1C73C200
call dword ptr ds:[C2731C]
; msvcrt.sprintf
00C1CEC6 83C4 14
add esp,14
00C1CEC9 33C0
xor eax,
eax
00C1CECB E9 90140000
jmp 00C1E360
00C1CED0 EB 3A
jmp short 00C1CF0C
00C1CED2 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1CED5 8B00
mov eax,
dword ptr ds:[
eax]
00C1CED7 C700 03000000
mov dword ptr ds:[
eax],3
00C1CEDD FF15 C072C200
call dword ptr ds:[C272C0]
; ntdll.RtlGetLastWin32Error
00C1CEE3 50
push eax
00C1CEE4 8D85 68C2FFFF
lea eax,
dword ptr ss:[
ebp-3D98]
00C1CEEA 50
push eax
00C1CEEB FFB5 84D3FFFF
push dword ptr ss:[
ebp-2C7C]
00C1CEF1 68 30DDC200
push 0C2DD30
; ASCII "File "%s", function "%s" (error %d)"
00C1CEF6 8B45 08
mov eax,
dword ptr ss:[
ebp+8]
00C1CEF9 FF70 04
push dword ptr ds:[
eax+4]
00C1CEFC FF15 1C73C200
call dword ptr ds:[C2731C]
; msvcrt.sprintf
00C1CF02 83C4 14
add esp,14
00C1CF05 33C0
xor eax,
eax
00C1CF07 E9 54140000
jmp 00C1E360
00C1CF0C 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
; 把刚才 IAT 所在的位置送到 EAX
00C1CF12 3B85 64D9FFFF
cmp eax,
dword ptr ss:[
ebp-269C]
; 与 [ebp-269C] 比较,从 00C1CA53 的计算方式看它应是本组 IAT 写入范围的上限,写指针到达上限就不再写入
00C1CF18 73 1D
jnb short 00C1CF37
00C1CF1A 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
; 把刚才 IAT 所在的位置送到 EAX
00C1CF20 8B8D 68CAFFFF
mov ecx,
dword ptr ss:[
ebp-3598]
; 把 IAT 送到 ECX
00C1CF26 8908
mov dword ptr ds:[
eax],
ecx ; 写入 IAT,过了这句就可以在数据窗口中看到 IAT 被写入了
00C1CF28 8B85 10D9FFFF
mov eax,
dword ptr ss:[
ebp-26F0]
; 把刚才 IAT 所在位置的地址送到 EAX 中
00C1CF2E 83C0 04
add eax,4
; 加 4 (其实就是指针指向下一个要写入的 IAT 位置)
00C1CF31 8985 10D9FFFF
mov dword ptr ss:[
ebp-26F0],
eax ; 获得下一个要写入的 IAT 的位置后 送到 [ebp-26F0] 中保存
00C1CF37 ^ E9 4DFCFFFF
jmp 00C1CB89
; 回去继续循环
00C1CF3C FF15 8472C200
call dword ptr ds:[C27284]
; kernel32.GetTickCount
00C1CF42 2B85 A4D4FFFF
sub eax,
dword ptr ss:[
ebp-2B5C]
00C1CF48 8B8D A8D4FFFF
mov ecx,
dword ptr ss:[
ebp-2B58]
00C1CF4E 6BC9 32
imul ecx,
ecx,32
00C1CF51 81C1 D0070000
add ecx,7D0
00C1CF57 3BC1
cmp eax,
ecx
00C1CF59 76 07
jbe short 00C1CF62
00C1CF5B C685 34D9FFFF 0>
mov byte ptr ss:[
ebp-26CC],1
00C1CF62 83BD E4D7FFFF 0>
cmp dword ptr ss:[
ebp-281C],0
00C1CF69 0F85 8A000000
jnz 00C1CFF9
00C1CF6F 0FB685 94D4FFFF
movzx eax,
byte ptr ss:[
ebp-2B6C]
00C1CF76 85C0
test eax,
eax
00C1CF78 74 7F
je short 00C1CFF9
00C1CF7A 6A 00
push 0
00C1CF7C 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CF82 C1E0 02
shl eax,2
00C1CF85 50
push eax
00C1CF86 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CF8C 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CF92 50
push eax
00C1CF93 E8 061F0000
call 00C1EE9E
00C1CF98 83C4 0C
add esp,0C
00C1CF9B 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CFA1 C1E0 02
shl eax,2
00C1CFA4 50
push eax
00C1CFA5 FFB5 6CD9FFFF
push dword ptr ss:[
ebp-2694]
00C1CFAB 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CFB1 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CFB7 50
push eax
00C1CFB8 E8 D7910000
call 00C26194
; jmp 到 msvcrt.memcpy
00C1CFBD 83C4 0C
add esp,0C
00C1CFC0 6A 01
push 1
00C1CFC2 8B85 98D4FFFF
mov eax,
dword ptr ss:[
ebp-2B68]
00C1CFC8 C1E0 02
shl eax,2
00C1CFCB 50
push eax
00C1CFCC 8B85 0CD8FFFF
mov eax,
dword ptr ss:[
ebp-27F4]
00C1CFD2 0385 90D4FFFF
add eax,
dword ptr ss:[
ebp-2B70]
00C1CFD8 50
push eax
00C1CFD9 E8 C01E0000
call 00C1EE9E
00C1CFDE 83C4 0C
add esp,0C
00C1CFE1 8B85 6CD9FFFF
mov eax,
dword ptr ss:[
ebp-2694]
00C1CFE7 8985 A4ABFFFF
mov dword ptr ss:[
ebp+FFFFABA4],
eax
00C1CFED FFB5 A4ABFFFF
push dword ptr ss:[
ebp+FFFFABA4]
00C1CFF3 E8 96910000
call 00C2618E
; jmp 到 msvcrt.??3@YAXPAX@Z
00C1CFF8 59
pop ecx
00C1CFF9 ^ E9 30F7FFFF
jmp 00C1C72E
; 跳回去继续处理 IAT
00C1CFFE 8B85 F0D7FFFF
mov eax,
dword ptr ss:[
ebp-2810]
; 到这里 IAT 已经全部处理完毕
好了,想要的我们都找到了,现在总结一下:
想要避开 IAT 加密这里有2个选择:
1
把 00C1CDD7 的 jnz short 00C1CE1B 这句 nop 掉就可以避开 IAT 加密了。
2
把 00C1CD75 的 jnz 改成 JMP 就可以避开 IAT 加密了。
两种方法任选其一,改好后到 00C1CFFE 设置个硬件执行断点,然后 Shift+F9 运行程序
中断后把刚才改的还原回来这时候就可以用 ImportREC v1.6 Fix 修复输入表了
在 ImportREC 里填好 OEP 后自动搜索IAT或手动输入来获取输入信息都可以。
如果手动输入就用我们前面获得的数据:
OEP
:10CC
IAT Rva
:62E4
IAT Size
:240
这时 ImportREC 提示:
IAT
读取成功.
当前输入表:
0 (
十进制:0) 个有效模块
90 (
十进制:144) 个输入函数.
(5 (
十进制:5) 个未解决的指针)
点 ImportREC 右边的无效函数按钮,然后用鼠标右键菜单中的剪切指针把这些无效指针 CUT 掉。剪切前最好看一眼这些指针的位置:它们应该正好对应前面说的各 DLL 分组之间的分隔项(比如 00406410);如果有哪一个落在真正的导入函数位置上,说明 Magic Jmp 没有完全生效,这时剪掉它会让脱壳后的程序在调用该函数时崩溃。
到这里 UnPack 后的程序应该已经可以运行了,脱壳后的文件大小变成了 780 KB
第三步:脱壳后的程序优化
现在我们来优化一下,把脱壳后的文件载入 OD,Alt+M 打开内存映射窗口
从 00401000 到 004C2000 这 11 个段全部下 F2 断点(内存访问断点)
然后 Shift+F9 直到程序完全运行后再次 Alt+M 看看哪几个断点已经不存在了
剩下还有断点的这几个段在这次运行中没有被访问过,作者据此判断为无用区段(注意这只能证明本次运行没用到,没有执行到的功能路径仍可能引用它们,删除后应完整测试程序)
这里分别是:.idata .reloc .text1 .adata .data1 .reloc1 .pdata
用 LordPE 删除上面几个区段后重建一下 PE 就可以了(.reloc 对这个按固定基址加载的 EXE 可以删,如果程序需要被重定位则不能删)
优化后大小:38.4 KB
--------------------------------------------------------------------------------
【版权声明】: 本文原创于菜鸟动画吧, 转载请注明作者并保持文章的完整, 谢谢!
2006年12月13日 3:17:08