[EncryptPE V2.2007.04.11 -> WFS * Sign.By.fly]
signature = 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00
ep_only = true
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000220 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 EPE: EncryptPE V
00000230 32 2E 32 30 30 37 2E 34 2E 31 31 2C 20 43 6F 70 2.2007.4.11, Cop
00000240 79 72 69 67 68 74 20 28 43 29 20 57 46 53 00 00 yright (C) WFS
0040D000 60 pushad
//进入OllyDbg后暂停在这
0040D001 9C pushfd
0040D002 64:FF35 00000000 push dword ptr fs:[0]
0040D009 E8 1B020000 call 0040D229
00F9FF48 711F7C29 /CALL 到 IsDebuggerPresent 来自 V2200704.711F7C27
00F9FF4C 00F9FF78 指针到下一个 SEH 记录
711F7C27 FFD3 call ebx ; kernel32.IsDebuggerPresent
//IsDebuggerPresent 检测
711F7C29 85C0 test eax,eax
711F7C2B 74 10 je short 711F7C3D
711F7C2D 803D B6182371 00 cmp byte ptr ds:[712318B6],0
711F7C34 75 07 jnz short 711F7C3D
711F7C36 C605 B0182271 01 mov byte ptr ds:[712218B0],1
//发现Debugger
711F7C3D 85DB test ebx,ebx
711F7C3F 74 16 je short 711F7C57
711F7C41 FFD3 call ebx ; kernel32.IsDebuggerPresent
//IsDebuggerPresent 检测
711F7C43 85C0 test eax,eax
711F7C45 75 10 jnz short 711F7C57
711F6118 6A 00 push 0
711F611A E8 291CF3FF call 71127D48 ; jmp to USER32.FindWindowA
711F611F 8BD8 mov ebx,eax
711F6121 EB 0C jmp short 711F612F
00D831B0 54 52 57 32 30 30 30 20 66 6F 72 20 57 69 6E 64 TRW2000 for Wind
00D831C0 6F 77 73 20 39 78 00 00 26 00 00 00 0C 1C D8 00 ows 9x..&....?
00D832CC 54 57 58 32 30 30 32 20 66 6F 72 20 57 69 6E 64 TWX2002 for Wind
00D832DC 6F 77 73 20 24 00 00 00 1B 00 00 00 01 00 00 00 ows $.........
00D832EC 0B 00 00 00 52 65 67 6D 6F 6E 43 6C 61 73 73 00 ...RegmonClass.
00D832FC 1F 00 00 00 01 00 00 00 0F 00 00 00 54 44 65 44 .........TDeD
00D8330C 65 4D 61 69 6E 57 69 6E 58 00 00 00 17 00 00 00 eMainWinX......
00D8331C 01 00 00 00 04 00 00 00 41 43 50 55 00 00 00 00 ......ACPU....
00D8332C 17 00 00 00 01 00 00 00 07 00 00 00 4F 4C 4C 59 .........OLLY
00D8333C 44 42 47 00 00 00 00 00 00 00 00 00 00 00 00 00 DBG.............
711F62F6 50 push eax
711F62F7 E8 6410F3FF call 71127360 ; jmp to kernel32.CreateFileA
711F62FC 8BD8 mov ebx,eax
711F62FE 83FB FF cmp ebx,-1
711F6301 74 0D je short 711F6310
711F6303 C605 B0182271 01 mov byte ptr ds:[712218B0],1
711F6359 E8 06A8FDFF call 711D0B64 ; jmp to advapi32.OpenServiceA
//检测NTICE服务
地址 大小 物主 区段 包含
71120000 00001000 V2200704 71120000 PE header
71121000 000C7000 V2200704 71120000 EPE0
711E8000 00077000 V2200704 71120000 EPE1 code
7125F000 00002000 V2200704 71120000 .rsrc data,imports,exports,resources,relocations
mov edx,dword ptr ds:[eax+80]
mov dword ptr ss:[ebp-38],edx
mov edx,dword ptr ds:[eax+84]
mov dword ptr ss:[ebp-34],edx
7120515F 8B45 D8 mov eax,dword ptr ss:[ebp-28]
71205162 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205165 0345 D8 add eax,dword ptr ss:[ebp-28]
71205168 8B90 80000000 mov edx,dword ptr ds:[eax+80]
//[eax+80]=[00DC53FC]=00006000 原始的Import Table RVA
7120516E 8955 C8 mov dword ptr ss:[ebp-38],edx
71205171 8B90 84000000 mov edx,dword ptr ds:[eax+84]
//[eax+84]=[00DC5400]=0000008C 原始的Import Table Size
71205177 8955 CC mov dword ptr ss:[ebp-34],edx
7120517A 837D C8 00 cmp dword ptr ss:[ebp-38],0
7120517E 0F86 8D020000 jbe 71205411
71205184 837D CC 00 cmp dword ptr ss:[ebp-34],0
71205188 0F86 83020000 jbe 71205411
7120518E 6A 00 push 0
71205190 8D45 B8 lea eax,dword ptr ss:[ebp-48]
71205193 B9 01000000 mov ecx,1
71205198 8B15 4C3A2071 mov edx,dword ptr ds:[71203A4C]
7120519E E8 2510F2FF call 711261C8
712051A3 83C4 04 add esp,4
712051A6 8B75 DC mov esi,dword ptr ss:[ebp-24]
712051A9 0375 C8 add esi,dword ptr ss:[ebp-38]
//ESI=00400000+00006000=00406000 Import Table VA
//在[00406000]处可以看到IID表是原始的
712051AC E9 9E000000 jmp 7120524F
712051B1 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
712051B6 8B00 mov eax,dword ptr ds:[eax]
712051B8 8B55 E8 mov edx,dword ptr ss:[ebp-18]
712051BB 8B0490 mov eax,dword ptr ds:[eax+edx*4]
712051BE 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
712051C1 8B56 0C mov edx,dword ptr ds:[esi+C]
//[esi+C]=DLLName RVA
712051C4 0355 DC add edx,dword ptr ss:[ebp-24]
712051C7 E8 A0DBFFFF call 71202D6C
//解密DLLName
712051CC 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//EAX=[ebp-3C]=[0013FF48]=00DB1074, (ASCII "SHELL32.dll") DLLName
712051CF E8 F4FDF1FF call 71124FC8
//Patch: jmp 71232AA0 ★1
712051D4 50 push eax
712051D5 E8 8E23F2FF call 71127568 ; jmp to kernel32.GetModuleHandleA
712051DA 8945 FC mov dword ptr ss:[ebp-4],eax
712051DD 837D FC 00 cmp dword ptr ss:[ebp-4],0
712051E1 75 11 jnz short 712051F4
712051E3 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
712051E6 E8 DDFDF1FF call 71124FC8
712051EB 50 push eax
712051EC E8 E724F2FF call 711276D8 ; jmp to kernel32.LoadLibraryA
712051F1 8945 FC mov dword ptr ss:[ebp-4],eax
712051F4 837D FC 00 cmp dword ptr ss:[ebp-4],0
712051F8 75 05 jnz short 712051FF
712051FA E8 6D7EF2FF call 7112D06C
712051FF 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205202 E8 050EF2FF call 7112600C
71205207 40 inc eax
71205208 50 push eax
71205209 8D45 B8 lea eax,dword ptr ss:[ebp-48]
7120520C B9 01000000 mov ecx,1
71205211 8B15 4C3A2071 mov edx,dword ptr ds:[71203A4C]
71205217 E8 AC0FF2FF call 711261C8
7120521C 83C4 04 add esp,4
7120521F 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205222 E8 E50DF2FF call 7112600C
71205227 8B55 B8 mov edx,dword ptr ss:[ebp-48]
7120522A 8B4D FC mov ecx,dword ptr ss:[ebp-4]
7120522D 894CC2 F8 mov dword ptr ds:[edx+eax*8-8],ec>
71205231 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205234 E8 D30DF2FF call 7112600C
71205239 8B55 B8 mov edx,dword ptr ss:[ebp-48]
7120523C 8D44C2 FC lea eax,dword ptr ds:[edx+eax*8-4>
71205240 50 push eax
71205241 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
71205244 E8 87FBF1FF call 71124DD0
71205249 5A pop edx
7120524A 8902 mov dword ptr ds:[edx],eax
7120524C 83C6 14 add esi,14
7120524F 837E 0C 00 cmp dword ptr ds:[esi+C],0
71205253 76 0A jbe short 7120525F
71205255 837E 10 00 cmp dword ptr ds:[esi+10],0
71205259 0F87 52FFFFFF ja 712051B1
//循环处理
71232AA0 60 pushad
71232AA1 9C pushfd
71232AA2 8B7E 0C mov edi,dword ptr ds:[esi+C]
71232AA5 81C7 00004000 add edi,400000
71232AAB 8BF0 mov esi,eax
71232AAD 8B4E FC mov ecx,dword ptr ds:[esi-4]
//[esi-4]处是DLLName长度
71232AB0 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//复制解密出来的DLLName还原
71232AB2 9D popfd
71232AB3 61 popad
71232AB4 E8 0F25EFFF call 71124FC8
//712051CF处代码挪这里执行
71232AB9 E9 1627FDFF jmp 712051D4
//跳回去继续流程
60 9C 8B 7E 0C 81 C7 00 00 40 00 8B F0 8B 4E FC F3 A4 9D 61 E8 0F 25 EF FF E9 16 27 FD FF
7120525F 8B75 DC mov esi,dword ptr ss:[ebp-24]
//F4到这里,DLLName还原完毕
71205262 0375 C8 add esi,dword ptr ss:[ebp-38]
71205265 33C0 xor eax,eax
71205267 8945 C8 mov dword ptr ss:[ebp-38],eax
7120526A 33C0 xor eax,eax
7120526C 8945 CC mov dword ptr ss:[ebp-34],eax
7120526F 33C0 xor eax,eax
71205271 8945 E0 mov dword ptr ss:[ebp-20],eax
71205274 E9 70010000 jmp 712053E9
71205279 A1 18F72171 mov eax,dword ptr ds:[7121F718]
7120527E 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205281 0305 18F72171 add eax,dword ptr ds:[7121F718]
71205287 0FB740 06 movzx eax,word ptr ds:[eax+6]
7120528B 48 dec eax
7120528C E8 DB0CFFFF call 711F5F6C
71205291 FF15 8B45B88B call dword ptr ds:[8BB8458B]
71205297 55 push ebp
71205298 E0 8B loopdne short 71205225
7120529A 04 D0 add al,0D0
7120529C 8945 FC mov dword ptr ss:[ebp-4],eax
7120529F 8B45 B8 mov eax,dword ptr ss:[ebp-48]
712052A2 8B55 E0 mov edx,dword ptr ss:[ebp-20]
712052A5 8B4CD0 04 mov ecx,dword ptr ds:[eax+edx*8+4]
712052A9 8B46 0C mov eax,dword ptr ds:[esi+C]
712052AC 0345 DC add eax,dword ptr ss:[ebp-24]
712052AF 8BD6 mov edx,esi
712052B1 E8 EE2FF2FF call 711282A4
//修改DLLName NOP掉 ★2
712052B6 837D FC 00 cmp dword ptr ss:[ebp-4],0
712052BA 0F86 14010000 jbe 712053D4
712052C0 8B7E 10 mov edi,dword ptr ds:[esi+10]
712052C3 037D DC add edi,dword ptr ss:[ebp-24]
712052C6 833E 00 cmp dword ptr ds:[esi],0
712052C9 75 07 jnz short 712052D2
712052CB 8BDF mov ebx,edi
712052CD E9 F6000000 jmp 712053C8
712052D2 8B1E mov ebx,dword ptr ds:[esi]
712052D4 035D DC add ebx,dword ptr ss:[ebp-24]
712052D7 E9 EC000000 jmp 712053C8
712052DC A9 00000080 test eax,80000000
712052E1 0F85 B4000000 jnz 7120539B
712052E7 0345 DC add eax,dword ptr ss:[ebp-24]
712052EA 8945 B4 mov dword ptr ss:[ebp-4C],eax
712052ED 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
712052F0 66:8B00 mov ax,word ptr ds:[eax]
712052F3 66:25 FF00 and ax,0FF
712052F7 66:3D FF00 cmp ax,0FF
712052FB 75 7F jnz short 7120537C
//判断是否特殊函数,是则跳转7120537C处理
712052FD A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205302 8B00 mov eax,dword ptr ds:[eax]
71205304 8B55 E8 mov edx,dword ptr ss:[ebp-18]
71205307 8B0490 mov eax,dword ptr ds:[eax+edx*4]
7120530A 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
7120530D 8B15 18F72171 mov edx,dword ptr ds:[7121F718]
71205313 8B52 3C mov edx,dword ptr ds:[edx+3C]
71205316 0315 18F72171 add edx,dword ptr ds:[7121F718]
7120531C 0FB752 06 movzx edx,word ptr ds:[edx+6]
71205320 0355 B4 add edx,dword ptr ss:[ebp-4C]
71205323 83EA 02 sub edx,2
71205326 E8 41DAFFFF call 71202D6C
7120532B 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
7120532E 66:C700 0000 mov word ptr ds:[eax],0
//Hint清0
71205333 33C0 xor eax,eax
71205335 8903 mov dword ptr ds:[ebx],eax
//ThunkValue清0,NOP掉。利用NOP的空间吧,修改为 jmp 71232AC0 ★3
71205337 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//ss:[0013FF48]=00DB1398, (ASCII "SHGetSpecialFolderPathA")
//[ebp-3C]是解密出来的ApiName
//71205335处修改跳向Patch地方
71232AC0 60 pushad
71232AC1 9C pushfd
71232AC2 8B75 C4 mov esi,dword ptr ss:[ebp-3C]
71232AC5 8B4E FC mov ecx,dword ptr ds:[esi-4]
//[esi-4]处是ApiName长度
71232AC8 8B3B mov edi,dword ptr ds:[ebx]
//[EBX]=ThunkValue
71232ACA 81C7 02004000 add edi,400002
//+00400000->基址 +2->Hint Size
71232AD0 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//还原ApiName
71232AD2 9D popfd
71232AD3 61 popad
71232AD4 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//71205337处代码挪这里执行
71232AD7 E9 5E28FDFF jmp 7120533A
//跳回去继续流程
60 9C 8B 75 C4 8B 4E FC 8B 3B 81 C7 02 00 40 00 F3 A4 9D 61 8B 45 C4 E9 5E 28 FD FF
7120533A E8 91FAF1FF call 71124DD0
7120533F 8BC8 mov ecx,eax
71205341 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
71205344 83C0 02 add eax,2
71205347 8BD3 mov edx,ebx
71205349 E8 562FF2FF call 711282A4
//修改ApiName NOP掉 ★4
7120534E A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
//[7121DE18]=712218B0
71205353 8038 00 cmp byte ptr ds:[eax],0
//[712218B0]中是校验标志位
71205356 75 6A jnz short 712053C2
//跳就挂了,NOP掉 ★5
71205358 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
7120535B E8 68FCF1FF call 71124FC8
71205360 50 push eax
71205361 6A 01 push 1
71205363 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205368 8B00 mov eax,dword ptr ds:[eax]
7120536A 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7120536D 8B0490 mov eax,dword ptr ds:[eax+edx*4]
71205370 8BCF mov ecx,edi
71205372 8B55 FC mov edx,dword ptr ss:[ebp-4]
71205375 E8 32D8FFFF call 71202BAC
//输入表加密,进入修改 ★
7120537A EB 46 jmp short 712053C2
71202BAC 55 push ebp
71202BAD 8BEC mov ebp,esp
71202BAF 83C4 F0 add esp,-10
71202BB2 53 push ebx
71202BB3 56 push esi
71202BB4 57 push edi
71202BB5 894D F8 mov dword ptr ss:[ebp-8],ecx
71202BB8 8955 FC mov dword ptr ss:[ebp-4],edx
71202BBB 8BF8 mov edi,eax
71202BBD 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
71202BC0 33C0 xor eax,eax
71202BC2 8945 F0 mov dword ptr ss:[ebp-10],eax
71202BC5 84DB test bl,bl
71202BC7 74 0E je short 71202BD7
71202BC9 8B55 0C mov edx,dword ptr ss:[ebp+C]
71202BCC 8B45 FC mov eax,dword ptr ss:[ebp-4]
71202BCF E8 00FCFEFF call 711F27D4
71202BD4 8945 F0 mov dword ptr ss:[ebp-10],eax
71202BD7 8B45 F0 mov eax,dword ptr ss:[ebp-10]
71202BDA 8945 F4 mov dword ptr ss:[ebp-C],eax
71202BDD 84DB test bl,bl
71202BDF 0F85 49010000 jnz 71202D2E
71202BE5 8B9F E8030000 mov ebx,dword ptr ds:[edi+3E8]
71202BEB 83FB 1D cmp ebx,1D
71202BEE 7D 60 jge short 71202C50
71202BF0 6A 40 push 40
71202BF2 68 00300000 push 3000
71202BF7 68 00000100 push 10000
71202BFC 6A 00 push 0
71202BFE E8 5D4CF2FF call 71127860
71202C03 8BD8 mov ebx,eax
71202C05 85DB test ebx,ebx
71202C07 74 67 je short 71202C70
71202C09 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C0F E8 F833F2FF call 7112600C
71202C14 40 inc eax
71202C15 50 push eax
71202C16 8D87 78030000 lea eax,dword ptr ds:[edi+378]
71202C1C B9 01000000 mov ecx,1
71202C21 8B15 00BD1F71 mov edx,dword ptr ds:[711FBD00]
71202C27 E8 9C35F2FF call 711261C8
71202C2C 83C4 04 add esp,4
71202C2F 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C35 E8 D233F2FF call 7112600C
71202C3A 8B97 78030000 mov edx,dword ptr ds:[edi+378]
71202C40 895C82 FC mov dword ptr ds:[edx+eax*4-4],ebx
71202C44 C787 E8030000 00000>mov dword ptr ds:[edi+3E8],10000
71202C4E EB 20 jmp short 71202C70
71202C50 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C56 E8 B133F2FF call 7112600C
71202C5B 8B97 78030000 mov edx,dword ptr ds:[edi+378]
71202C61 8B4482 FC mov eax,dword ptr ds:[edx+eax*4-4]
71202C65 BA 00000100 mov edx,10000
71202C6A 2BD3 sub edx,ebx
71202C6C 03C2 add eax,edx
71202C6E 8BD8 mov ebx,eax
71202C70 85DB test ebx,ebx
71202C72 0F84 B6000000 je 71202D2E
71202C78 83AF E8030000 1D sub dword ptr ds:[edi+3E8],1D
71202C7F A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202C84 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202C87 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202C8D 8A40 28 mov al,byte ptr ds:[eax+28]
71202C90 34 60 xor al,60
71202C92 34 A8 xor al,0A8
71202C94 8803 mov byte ptr ds:[ebx],al
71202C96 8BF3 mov esi,ebx
71202C98 46 inc esi
71202C99 B8 98471F71 mov eax,711F4798
71202C9E 2BC6 sub eax,esi
71202CA0 83E8 04 sub eax,4
71202CA3 8906 mov dword ptr ds:[esi],eax
71202CA5 A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202CAA 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202CAD 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202CB3 8A40 28 mov al,byte ptr ds:[eax+28]
71202CB6 34 60 xor al,60
71202CB8 34 BF xor al,0BF
71202CBA 8843 05 mov byte ptr ds:[ebx+5],al
71202CBD A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202CC2 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202CC5 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202CCB 8A40 28 mov al,byte ptr ds:[eax+28]
71202CCE 34 60 xor al,60
71202CD0 34 65 xor al,65
71202CD2 8843 06 mov byte ptr ds:[ebx+6],al
71202CD5 8BF3 mov esi,ebx
71202CD7 83C6 07 add esi,7
71202CDA 8BC3 mov eax,ebx
71202CDC 83C0 0B add eax,0B
71202CDF 8906 mov dword ptr ds:[esi],eax
71202CE1 8BF3 mov esi,ebx
71202CE3 83C6 0F add esi,0F
71202CE6 8B45 FC mov eax,dword ptr ss:[ebp-4]
71202CE9 8906 mov dword ptr ds:[esi],eax
71202CEB 8BF3 mov esi,ebx
71202CED 83C6 13 add esi,13
71202CF0 8B45 0C mov eax,dword ptr ss:[ebp+C]
71202CF3 8906 mov dword ptr ds:[esi],eax
71202CF5 8BF3 mov esi,ebx
71202CF7 83C6 17 add esi,17
71202CFA 8D87 98030000 lea eax,dword ptr ds:[edi+398]
71202D00 E8 1B23F2FF call 71125020
71202D05 8906 mov dword ptr ds:[esi],eax
71202D07 8D97 E5030000 lea edx,dword ptr ds:[edi+3E5]
71202D0D 8BC3 mov eax,ebx
71202D0F 83C0 1B add eax,1B
71202D12 B9 01000000 mov ecx,1
71202D17 E8 8855F2FF call 711282A4
71202D1C 8BF3 mov esi,ebx
71202D1E 83C6 0B add esi,0B
71202D21 8BC3 mov eax,ebx
71202D23 83C0 05 add eax,5
71202D26 3345 F0 xor eax,dword ptr ss:[ebp-10]
71202D29 8906 mov dword ptr ds:[esi],eax
71202D2B 895D F4 mov dword ptr ss:[ebp-C],ebx
71202D2E 837D F8 00 cmp dword ptr ss:[ebp-8],0
71202D32 74 2A je short 71202D5E
71202D34 33C0 xor eax,eax
71202D36 55 push ebp
71202D37 68 542D2071 push 71202D54
71202D3C 64:FF30 push dword ptr fs:[eax]
71202D3F 64:8920 mov dword ptr fs:[eax],esp
71202D42 8B75 F8 mov esi,dword ptr ss:[ebp-8]
71202D45 8B45 F4 mov eax,dword ptr ss:[ebp-C]
71202D48 8906 mov dword ptr ds:[esi],eax
//填充加密后地址,NOP掉 ★6
71202D4A 33C0 xor eax,eax
71202D4C 5A pop edx
71202D4D 59 pop ecx
71202D4E 59 pop ecx
71202D4F 64:8910 mov dword ptr fs:[eax],edx
71202D52 EB 0A jmp short 71202D5E
71202D54 E9 2714F2FF jmp 71124180
71202D59 E8 8A17F2FF call 711244E8
71202D5E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
71202D61 5F pop edi
71202D62 5E pop esi
71202D63 5B pop ebx
71202D64 8BE5 mov esp,ebp
71202D66 5D pop ebp
71202D67 C2 0800 retn 8
7120537C 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
//堆栈 [ebp-4C]=[0013FF38]=004066EE
//特殊函数ThunkValue+基址
7120537F 50 push eax
71205380 6A 00 push 0
71205382 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205387 8B00 mov eax,dword ptr ds:[eax]
71205389 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7120538C 8B0490 mov eax,dword ptr ds:[eax+edx*4]
7120538F 8BCF mov ecx,edi
71205391 8B55 FC mov edx,dword ptr ss:[ebp-4]
71205394 E8 13D8FFFF call 71202BAC
//jmp 71232AE4 ★7
71205399 EB 27 jmp short 712053C2
7120539B 25 FFFF0000 and eax,0FFFF
712053A0 50 push eax
712053A1 6A 01 push 1
712053A3 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
712053A8 8B00 mov eax,dword ptr ds:[eax]
712053AA 8B55 E8 mov edx,dword ptr ss:[ebp-18]
712053AD 8B0490 mov eax,dword ptr ds:[eax+edx*4]
712053B0 8BCF mov ecx,edi
712053B2 8B55 FC mov edx,dword ptr ss:[ebp-4]
712053B5 E8 F2D7FFFF call 71202BAC
712053BA 3BFB cmp edi,ebx
712053BC 74 04 je short 712053C2
712053BE 33C0 xor eax,eax
712053C0 8903 mov dword ptr ds:[ebx],eax
712053C2 83C3 04 add ebx,4
712053C5 83C7 04 add edi,4
712053C8 8B03 mov eax,dword ptr ds:[ebx]
712053CA 85C0 test eax,eax
712053CC 0F87 0AFFFFFF ja 712052DC
//循环处理每个DLL的函数
712053D2 EB 05 jmp short 712053D9
712053D4 E8 937CF2FF call 7112D06C
712053D9 A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
712053DE 8038 00 cmp byte ptr ds:[eax],0
//[71200685]处保存的是检验标志位
712053E1 75 16 jnz short 712053F9
//NOP掉 ★8
712053E3 83C6 14 add esi,14
712053E6 FF45 E0 inc dword ptr ss:[ebp-20]
712053E9 837E 0C 00 cmp dword ptr ds:[esi+C],0
712053ED 76 0A jbe short 712053F9
712053EF 837E 10 00 cmp dword ptr ds:[esi+10],0
712053F3 0F87 80FEFFFF ja 71205279
//循环处理输入表[code]
★7. Patch Code:
[code]71232AE4 E8 C300FDFF call 71202BAC
//71205394处代码挪这里执行
//EAX是写入IAT的加密地址
71232AE9 60 pushad
71232AEA 9C pushfd
71232AEB 8925 DE2A2371 mov dword ptr ds:[71232ADE],esp
//保存ESP
71232AF1 832D DE2A2371 04 sub dword ptr ds:[71232ADE],4
71232AF8 FFD0 call eax ;0118001D
//模拟程序调用加密函数
71232AFA 8BF0 mov esi,eax
71232AFC 8B4E FC mov ecx,dword ptr ds:[esi-4]
71232AFF 3E:8B7D B8 mov edi,dword ptr ds:[ebp-48]
71232B03 66:C707 0000 mov word ptr ds:[edi],0
71232B08 83C7 02 add edi,2
71232B0B F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
71232B0D C607 00 mov byte ptr ds:[edi],0
71232B10 9D popfd
71232B11 61 popad
71232B12 E9 8228FDFF jmp 71205399
E8 C3 00 FD FF 60 9C 89 25 DE 2A 23 71 83 2D DE 2A 23 71 04 FF D0 8B F0 8B 4E FC 3E 8B 7D B8 66
C7 07 00 00 83 C7 02 F3 A4 C6 07 00 9D 61 E9 82 28 FD FF
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
继续顶
