Only protection levels 1-9 were analyzed; the annotated listing below covers those.
; --- Loader entry (004E3046). Registers an SEH frame whose handler is 004164E3,
; saves CPU state, obtains a work buffer, copies the packed import data, then walks
; 0x14-byte section records and decompresses each one into the image.
; Comments are the poster's notes (translated); NOTE(review) marks inferences that
; the listing alone does not prove.
004E3046 > B8 00304E00 mov eax, 004E3000 ; eax = loader base (004E3000)
004E304B 68 E3644100 push 004164E3 ; handler address of the SEH record built next
004E3050 64:FF35 0000000>push dword ptr fs:[0] ; previous ExceptionList head
004E3057 64:8925 0000000>mov dword ptr fs:[0], esp ; install the record: handler = 004164E3
004E305E 66:9C pushfw ; save flags (16-bit)
004E3060 60 pushad ; save all general registers
004E3061 50 push eax ; [esp] = loader base (read back at 004E30CF)
004E3062 8BD8 mov ebx, eax ; ebx = 4e3000 = loader base
004E3064 0300 add eax, dword ptr [eax] ; eax = loader base + [loader base] (poster: "import offset")
004E3066 68 A4A50000 push 0A5A4 ; arg: 0xA5A4
004E306B 6A 00 push 0 ; arg: 0
004E306D FF50 1C call dword ptr [eax+1C] ; NOTE(review): presumably an allocator (0xA5A4 bytes) -- confirm which API sits at +0x1C
004E3070 8943 08 mov dword ptr [ebx+8], eax ; loader base+8 = decode buffer (return value)
004E3073 68 00004000 push 00400000 ; [esp] = image base
004E3078 8B3C24 mov edi, dword ptr [esp] ; edi = image base
004E307B 8B33 mov esi, dword ptr [ebx] ; esi = byte count stored at [loader base]
004E307D 66:81C7 8007 add di, 780 ; edi = image base + 0x780 (16-bit add: only di is modified)
004E3082 8D741E 08 lea esi, dword ptr [esi+ebx+8] ; esi = loader base + 8 + count
004E3086 893B mov dword ptr [ebx], edi ; [loader base] = image base + 0x780
004E3088 53 push ebx
004E3089 8B5E 10 mov ebx, dword ptr [esi+10] ; ebx = routine pointer read from the packed data
004E308C B8 80080000 mov eax, 880
004E3091 56 push esi ; args for the second call ebx: (edi, 0x880, 2, esi)
004E3092 6A 02 push 2
004E3094 50 push eax
004E3095 57 push edi
004E3096 6A 15 push 15 ; args for the first call ebx: (edi, 0x880, 4, esi, 0xA, 0x15)
004E3098 6A 0A push 0A
004E309A 56 push esi
004E309B 6A 04 push 4
004E309D 50 push eax
004E309E 57 push edi
004E309F FFD3 call ebx ; poster: "process rva 0x780" (transforms the 0x880 bytes at image base+0x780)
004E30A1 83EE 08 sub esi, 8
004E30A4 59 pop ecx ; NOTE(review): the dword count for the copy below is whatever call ebx left on top -- depends on its argument cleanup; verify in the debugger
004E30A5 F3:A5 rep movs dword ptr es:[edi], dword p>
004E30A7 59 pop ecx ; (the rep movsd above copies the import data)
004E30A8 66:83C7 58 add di, 58
004E30AC 81C6 02010000 add esi, 102
004E30B2 F3:A5 rep movs dword ptr es:[edi], dword p>; DLL name strings needed by the import fixup
004E30B4 FFD3 call ebx ; poster: "process page"
004E30B6 58 pop eax ; NOTE(review): for 004E30C9/004E30CF to see image base and loader base, this must yield the ebx pushed at 004E3088
004E30B7 8D90 A0010000 lea edx, dword ptr [eax+1A0] ; edx = first 0x14-byte section record at +0x1A0
004E30BD 8B0A mov ecx, dword ptr [edx] ; record+0: RVA of the compressed data
004E30BF 83C2 14 add edx, 14 ; advance to the next record (0x14 bytes each)
004E30C2 8B5A F0 mov ebx, dword ptr [edx-10] ; record+4: zero means "skip this record"
004E30C5 85DB test ebx, ebx
004E30C7 ^ 74 F4 je short 004E30BD
004E30C9 8B0424 mov eax, dword ptr [esp] ; eax = image base
004E30CC 8D3401 lea esi, dword ptr [ecx+eax] ; esi = compressed data (image base + RVA)
004E30CF 8B6C24 04 mov ebp, dword ptr [esp+4] ; loader base (pushed at 004E3061; poster: "import")
004E30D3 8B6D 08 mov ebp, dword ptr [ebp+8] ; decode buffer allocated at 004E306D
004E30D6 8B4A FC mov ecx, dword ptr [edx-4] ; record+0x10: copy size (in dwords)
004E30D9 8BFD mov edi, ebp
004E30DB 52 push edx ; keep the record pointer across the decompressor
004E30DC F3:A5 rep movs dword ptr es:[edi], dword p>; copy the compressed block into the buffer
004E30DE 8BF5 mov esi, ebp ; source = buffer
004E30E0 8B7A F4 mov edi, dword ptr [edx-C] ; record+8: destination RVA
004E30E3 03F8 add edi, eax ; destination = image base + RVA
004E30E5 EB 28 jmp short 004E310F // decompressor (not in this listing); an unpacker can reuse it verbatim
004E30E7 58 pop eax ; resume point after decompression
004E30E8 58 pop eax
004E30E9 58 pop eax
004E30EA 58 pop eax
004E30EB 5A pop edx ; restore the record pointer
004E30EC ^ 74 CF je short 004E30BD ; next record (ZF is produced by the decompressor)
004E30EE ^ E9 19FFFFFF jmp 004E300C ; back into loader code that precedes this listing
After decompression there is a section record whose RVA = 0; touching it raises an exception, which is dispatched to the SEH handler 004164E3 registered at 004E304B. The handler's code continues at 00416537 below.
; --- SEH handler body (00416537), reached after the fault described above. It
; takes over the SEH chain by hand (no OS unwind), repoints the loader's frame at a
; new handler (esi+0x2CB, the E8/E9 fixup code listed next), prepares a 0x155-byte
; work area and then deliberately re-enters the handler via jmp eax.
00416537 33C0 xor eax, eax
00416539 5E pop esi ; esi = code base: the new handler is esi+0x2CB (see 00416543)
0041653A 64:8B18 mov ebx, dword ptr fs:[eax] ; ebx = current ExceptionList head (fs:[0])
0041653D 8B1B mov ebx, dword ptr [ebx] ; ebx = next record; NOTE(review): presumably the frame installed at 004E3057
0041653F 8D63 D6 lea esp, dword ptr [ebx-2A] ; reset esp just below that frame -- manual unwind, bypassing the dispatcher
00416542 5D pop ebp
00416543 8D8E CB020000 lea ecx, dword ptr [esi+2CB]
00416549 894B 04 mov dword ptr [ebx+4], ecx// rewrite the frame's handler pointer; this handler restores the E8/E9 (and 0F 8x) instructions -- reuse it as-is
0041654C 64:891D 0000000>mov dword ptr fs:[0], ebx ; make the patched frame the chain head again
00416553 8B3C24 mov edi, dword ptr [esp]
00416556 FF77 08 push dword ptr [edi+8]
00416559 FF95 A0070000 call dword ptr [ebp+7A0] ; NOTE(review): ebp+0x790/0x794/0x7A0/0x7A4 look like an API table -- confirm which import this is
0041655F 81C7 3D000000 add edi, 3D
00416565 6A 0E push 0E
00416567 59 pop ecx ; ecx = 0x0E
00416568 F3:A4 rep movs byte ptr es:[edi], byte ptr>; copy 14 bytes from [esi] to [edi]
0041656A FF33 push dword ptr [ebx] ; saved: next SEH record
0041656C 56 push esi
0041656D 57 push edi
0041656E 8DB7 55010000 lea esi, dword ptr [edi+155]
00416574 8BCE mov ecx, esi
00416576 2BCF sub ecx, edi ; ecx = 0x155
00416578 F3:AA rep stos byte ptr es:[edi] ; fill 0x155 bytes with al (low byte of the return value from 00416559)
0041657A 60 pushad
0041657B FFE0 jmp eax// poster: "invokes the SEH"; NOTE(review): presumably eax is not executable, so this faults into the handler at esi+0x2CB
; --- Instruction fixup loop (part of the handler installed at 00416549). Iterates
; 0x14-byte records (esi) describing regions of the image (edi); the loop head
; 004167BE and the compare that feeds the jb at 004167D2 are outside this listing.
; For regions selected by that compare, every E8/E9 (call/jmp rel32) and 0F 8x
; (jcc rel32) whose operand carries the marker byte is rewritten from a stored
; absolute (region-relative, big-endian) target back to a relative displacement.
; An unpacker must replay exactly this transform on the same regions.
004167D1 51 push ecx ; save the region's byte count
004167D2 72 15 jb short 004167E9 ; CF from a compare before this listing: taken = scan this region
004167D4 037E 04 add edi, dword ptr [esi+4] ; advance past the region
004167D7 C1F9 02 sar ecx, 2 ; byte count -> dword count
004167DA 33C0 xor eax, eax
004167DC F3:AB rep stos dword ptr es:[edi] ; zero ecx dwords at edi
004167DE 59 pop ecx
004167DF 83E1 03 and ecx, 3 ; remaining 0..3 bytes
004167E2 F3:AA rep stos byte ptr es:[edi]
004167E4 83C6 14 add esi, 14 ; next record (0x14 bytes each)
004167E7 ^ EB D5 jmp short 004167BE ; loop head (not in this listing)
004167E9 8B5E 04 mov ebx, dword ptr [esi+4]
004167EC 83EB 06 sub ebx, 6 ; scan limit: leave room for opcode + 4-byte operand
004167EF 33D2 xor edx, edx ; edx = offset within the region
004167F1 3BD3 cmp edx, ebx
004167F3 ^ 7D DF jge short 004167D4 ; region exhausted (signed compare) -> advance
004167F5 8A043A mov al, byte ptr [edx+edi]
004167F8 42 inc edx
004167F9 3C E8 cmp al, 0E8 ; call rel32
004167FB 74 12 je short 0041680F
004167FD 3C E9 cmp al, 0E9 ; jmp rel32
004167FF 74 0E je short 0041680F
00416801 3C 0F cmp al, 0F ; two-byte opcode?
00416803 ^ 75 EC jnz short 004167F1
00416805 8A043A mov al, byte ptr [edx+edi]
00416808 24 F0 and al, 0F0
0041680A 3C 80 cmp al, 80 ; 0F 80..8F = jcc rel32
0041680C ^ 75 E3 jnz short 004167F1
0041680E 42 inc edx ; skip the 8x byte
0041680F 8B043A mov eax, dword ptr [edx+edi] ; eax = 4-byte operand as stored by the packer
00416812 3C 0A cmp al, 0A // marker byte in the low operand byte; the poster notes this value differs between samples
00416814 ^ 75 DB jnz short 004167F1 ; no marker -> not a packed operand, keep scanning
00416816 66:C1E8 08 shr ax, 8 ; the next three steps turn bytes b1 b2 b3 (big-endian) into eax = b1<<16 | b2<<8 | b3
0041681A C1C0 10 rol eax, 10
0041681D 86C4 xchg ah, al
0041681F 83C2 04 add edx, 4 ; edx = offset just past the operand
00416822 2BC2 sub eax, edx ; rel32 = target offset - end-of-instruction offset
00416824 89443A FC mov dword ptr [edx+edi-4], eax ; write the restored displacement in place
00416828 ^ EB C7 jmp short 004167F1
0041682A 59 pop ecx ; separate location: exit target of the import loop (je at 00416616), not fall-through from 00416828
The code below derives a 32-bit key and uses it to decrypt some data (16 bytes at eax+0x3B).
; --- After the fixup handler returns (0041657D): tear down the SEH frame, hash
; 0x33F bytes at edx into a key (ebx) with a TEB-dependent twist, and XOR-decrypt
; 16 bytes at eax+0x3B with it. The key depends on fs:[1C]/fs:[22]; the poster
; reports the mixing term ends up as si == 1 on their system.
0041657D 5B pop ebx
0041657E 5A pop edx
0041657F 64:8F05 0000000>pop dword ptr fs:[0] ; restore the previous ExceptionList head
00416586 58 pop eax
00416587 6A 03 push 3 // seed for the OEP computation (the counter decremented at 004166B1) -- keep track of it
00416589 53 push ebx ; pointer to the stub area used by the IAT redirection (read at 004166B7)
0041658A 33DB xor ebx, ebx ; key accumulator
0041658C 68 3E030000 push 33E
00416591 8B0C24 mov ecx, dword ptr [esp] ; ecx = 0x33E; loop runs while ecx >= 0, i.e. over 0x33F bytes
00416594 0FBAE3 00 bt ebx, 0
00416598 72 16 jb short 004165B0 ; skip the TEB mixing when bit 0 of the accumulator is set
0041659A 64:8B35 1C00000>mov esi, dword ptr fs:[1C] ; TIB +0x1C (EnvironmentPointer); poster observed 0
004165A1 0FBAF6 00 btr esi, 0 ; clear bit 0
004165A5 64:0335 2200000>add esi, dword ptr fs:[22] ; unaligned TIB read straddling ClientId (+0x20 pid / +0x24 tid); poster: "what?" -- only the low 16 bits matter below
004165AC 46 inc esi ; poster: making si == 1 is all that is needed (holds when the two TIB terms contribute 0 to the low word)
004165AD 66:33DE xor bx, si
004165B0 321C11 xor bl, byte ptr [ecx+edx] ; fold one byte of the block at edx
004165B3 C1C3 0F rol ebx, 0F
004165B6 49 dec ecx
004165B7 ^ 7D DB jge short 00416594 ; loop until ecx goes negative
004165B9 8D48 3B lea ecx, dword ptr [eax+3B] ; ebx = key
004165BC 3119 xor dword ptr [ecx], ebx ; decrypt 16 bytes at eax+0x3B
004165BE 3159 04 xor dword ptr [ecx+4], ebx
004165C1 3159 08 xor dword ptr [ecx+8], ebx
004165C4 3159 0C xor dword ptr [ecx+C], ebx
004165C7 59 pop ecx ; ecx = 0x33E (the pushed count)
Self-check (integrity check of the loader); unrelated to unpacking, so it can be ignored. On mismatch the failure path at 004165FD discards the frame and jumps back to 004E3019.
; --- Integrity check (004165C8). Verifies a constant at a fixed offset below edx,
; then XOR/rotate-checksums a block starting at edx-0x164B2 and compares the
; result with the dword at eax+4. Failure jumps to 004E3019 (outside this listing).
004165C8 315C11 01 xor dword ptr [ecx+edx+1], ebx ; also decrypt the dword at edx+0x33F (just past the hashed range)
004165CC 33DB xor ebx, ebx ; checksum accumulator
004165CE 8BF2 mov esi, edx
004165D0 81BA 769BFEFF 4>cmp dword ptr [edx+FFFE9B76], 0E3046 ; expects 0xE3046 at edx-0x16488A; NOTE(review): value matches the low bytes of the entry 004E3046 -- presumably checks the loader is intact
004165DA 75 21 jnz short 004165FD ; mismatch -> fail
004165DC 81EE B2640100 sub esi, 164B2 ; esi = start of the checked block
004165E2 0FB64E 06 movzx ecx, byte ptr [esi+6]
004165E6 6BC9 0A imul ecx, ecx, 0A
004165E9 66:81C1 3E00 add cx, 3E ; ecx = [esi+6]*10 + 0x3E dwords to checksum (16-bit add)
004165EE 331E xor ebx, dword ptr [esi]
004165F0 D3C3 rol ebx, cl ; rotate by the loop counter (hardware masks cl to 5 bits)
004165F2 83C6 04 add esi, 4
004165F5 49 dec ecx
004165F6 ^ 75 F6 jnz short 004165EE
004165F8 3958 04 cmp dword ptr [eax+4], ebx ; stored checksum must match
004165FB 74 08 je short 00416605
004165FD 83C4 2A add esp, 2A ; fail: drop the frame and bail out into the loader
00416600 - E9 14CA0C00 jmp 004E3019
Next the import table is filled in, and the OEP value is computed along the way (accumulated at [ebx+0x47] in the loop at 004166FA–00416713).
; --- Import resolution (00416605). For each descriptor at ebp+0x159CC (first dword =
; thunk RVA relative to ebp; DLL names are a packed string list starting at ebp+0x800)
; the DLL is obtained via [ebp+7A4] / [ebp+790] and every thunk is resolved: ordinal
; imports are looked up directly in the export directory, name imports via [ebp+794].
; Some name imports are redirected through freshly written E9 (jmp) stubs instead of
; the real address; the OEP accumulator at [ebx+0x47] is updated per IAT entry so the
; computed OEP depends on which entries were redirected. An unpacker rebuilding the
; IAT must follow those stubs to the real API. API names are wiped after use.
; NOTE(review): [ebp+7A4]/[ebp+790]/[ebp+794] behave like GetModuleHandleA /
; LoadLibraryA / GetProcAddress (two-arg stdcall assumed for the stack offsets below)
; -- confirm against the API table.
00416605 8DB5 CC590100 lea esi, dword ptr [ebp+159CC] ; esi = import descriptors
0041660B 8D8D 00080000 lea ecx, dword ptr [ebp+800] ; ecx = first DLL name
00416611 8BD8 mov ebx, eax ; ebx = data block base (its +0x47 holds the OEP accumulator)
00416613 833E 00 cmp dword ptr [esi], 0
00416616 0F84 0E020000 je 0041682A ; descriptor list terminated -> done
0041661C 51 push ecx ; save name list ptr
0041661D 51 push ecx ; arg: DLL name
0041661E FF95 A4070000 call dword ptr [ebp+7A4] ; module handle lookup (presumably)
00416624 85C0 test eax, eax
00416626 75 11 jnz short 00416639
00416628 83EC 04 sub esp, 4 ; reuse the consumed arg slot (name ptr still there)
0041662B FF95 90070000 call dword ptr [ebp+790] ; load the DLL (presumably)
00416631 85C0 test eax, eax
00416633 0F84 DF000000 je 00416718 ; cannot load -> skip this descriptor
00416639 8BF8 mov edi, eax ; edi = dll base
0041663B 0340 3C add eax, dword ptr [eax+3C] ; e_lfanew -> PE header
0041663E 8B40 78 mov eax, dword ptr [eax+78] ; eax = export directory RVA (DataDirectory[0])
00416641 FF7438 18 push dword ptr [eax+edi+18] ; +0x18 = NumberOfNames (poster wrote "# of func"; +0x14 is NumberOfFunctions)
00416645 8B4C38 24 mov ecx, dword ptr [eax+edi+24] ; AddressOfNameOrdinals RVA
00416649 03CF add ecx, edi ; + base
0041664B 51 push ecx
0041664C 8B4C38 20 mov ecx, dword ptr [eax+edi+20] ; AddressOfNames RVA
00416650 03CF add ecx, edi
00416652 51 push ecx
00416653 FF7438 10 push dword ptr [eax+edi+10] ; Base (ordinal base)
00416657 FF7438 14 push dword ptr [eax+edi+14] ; NumberOfFunctions
0041665B 8B4438 1C mov eax, dword ptr [eax+edi+1C] ; AddressOfFunctions RVA
0041665F 03C7 add eax, edi
00416661 50 push eax
00416662 56 push esi ; stack now: +0 esi, +4 AddressOfFunctions, +8 NumberOfFunctions, +C Base, +10 AddressOfNames, +14 AddressOfNameOrdinals, +18 NumberOfNames, +1C name ptr, +20 stub ptr, +24 seed
00416663 8B36 mov esi, dword ptr [esi] ; thunk RVA
00416665 03F5 add esi, ebp ; esi = thunk array
00416667 8B06 mov eax, dword ptr [esi]
00416669 85C0 test eax, eax
0041666B 0F84 81000000 je 004166F2 ; end of this DLL's thunks
00416671 79 2F jns short 004166A2 ; bit 31 clear -> import by name
00416673 0FBAE0 1E bt eax, 1E ; bit 30 set -> also treated as a name import; bit 31 set and bit 30 clear -> ordinal
00416677 72 29 jb short 004166A2
00416679 0FB7C0 movzx eax, ax ; ordinal (low 16 bits)
0041667C 2B4424 0C sub eax, dword ptr [esp+C] ; ordinal - Base
00416680 0F82 AB000000 jb 00416731 ; below Base -> error path (outside this listing)
00416686 3B4424 08 cmp eax, dword ptr [esp+8]
0041668A 0F83 A1000000 jnb 00416731 ; index >= NumberOfFunctions -> error path (unsigned bounds check)
00416690 C1E0 02 shl eax, 2
00416693 034424 04 add eax, dword ptr [esp+4] ; &AddressOfFunctions[index]
00416697 8B00 mov eax, dword ptr [eax]
00416699 03C7 add eax, edi ; function RVA + base
0041669B 8906 mov dword ptr [esi], eax ; write IAT entry
0041669D 83C6 04 add esi, 4
004166A0 ^ EB C5 jmp short 00416667
004166A2 03C6 add eax, esi ; name ptr = thunk address + stored offset
004166A4 50 push eax ; extra copy kept on the stack (becomes [esp] below)
004166A5 50 push eax ; arg: name
004166A6 57 push edi ; arg: dll base
004166A7 FF95 94070000 call dword ptr [ebp+794] ; resolve by name (presumably)
004166AD 85C0 test eax, eax
004166AF 74 7F je short 00416730 ; not found -> error path (outside this listing)
004166B1 FF4C24 28 dec dword ptr [esp+28] ; seed counter (the 3 pushed at 00416587, now at +0x28 because of the extra push eax)
004166B5 7D 1F jge short 004166D6 ; still >= 0 -> store the real address
004166B7 8B5424 24 mov edx, dword ptr [esp+24] ; edx = next free slot in the stub area
004166BB C602 E9 mov byte ptr [edx], 0E9 ; write "jmp rel32" stub to the API (redirected import)
004166BE 2BC2 sub eax, edx
004166C0 83E8 05 sub eax, 5 ; rel32 = api - (stub + 5)
004166C3 8942 01 mov dword ptr [edx+1], eax
004166C6 8BC2 mov eax, edx ; IAT entry will point at the stub, not the API
004166C8 83C2 05 add edx, 5
004166CB 895424 24 mov dword ptr [esp+24], edx ; advance stub pointer
004166CF 83E2 07 and edx, 7
004166D2 895424 28 mov dword ptr [esp+28], edx ; new counter = low 3 bits of the stub address (0..7 direct imports before the next stub)
004166D6 8906 mov dword ptr [esi], eax ; PATCH IAT
004166D8 873C24 xchg dword ptr [esp], edi ; edi = api name, [esp] = dll base
004166DB 83C9 FF or ecx, FFFFFFFF
004166DE 33C0 xor eax, eax
004166E0 F2:AE repne scas byte ptr es:[edi] ; strlen (edi ends past the NUL)
004166E2 FD std
004166E3 F7D1 not ecx ; length including NUL
004166E5 4F dec edi
004166E6 F3:AA rep stos byte ptr es:[edi] ; wipe the name backwards with zeros
004166E8 5F pop edi ; edi = dll base again
004166E9 FC cld
004166EA 83C6 04 add esi, 4
004166ED ^ E9 75FFFFFF jmp 00416667
004166F2 5E pop esi ; esi = descriptor ptr
004166F3 83C4 18 add esp, 18 ; drop the six export-directory values
004166F6 8B16 mov edx, dword ptr [esi]
004166F8 03D5 add edx, ebp ; edx = this DLL's thunk array (now resolved)
004166FA 8D43 47 lea eax, dword ptr [ebx+47] ; eax -> OEP accumulator
004166FD 8B4C24 04 mov ecx, dword ptr [esp+4] ; ecx = current stub-area pointer
00416701 833A 00 cmp dword ptr [edx], 0
00416704 74 12 je short 00416718
00416706 3B1A cmp ebx, dword ptr [edx]
00416708 8318 00 sbb dword ptr [eax], 0 ; -1 if ebx < entry; a redirected (stub) entry ends up -2
0041670B 390A cmp dword ptr [edx], ecx
0041670D 8318 00 sbb dword ptr [eax], 0 ; -1 if entry < stub ptr; a direct API entry ends up -1 in total
00416710 83C2 04 add edx, 4
00416713 C108 03 ror dword ptr [eax], 3 ; poster: the rotate count 3 appears to be constant
00416716 ^ EB E9 jmp short 00416701
00416718 C706 00000000 mov dword ptr [esi], 0 ; erase the descriptor's thunk RVA
0041671E 5F pop edi ; edi = current DLL name
0041671F 83C9 FF or ecx, FFFFFFFF
00416722 33C0 xor eax, eax
00416724 F2:AE repne scas byte ptr es:[edi] ; skip past its NUL
00416726 8BCF mov ecx, edi ; ecx = next DLL name
00416728 83C6 04 add esi, 4 ; next descriptor
0041672B ^ E9 E3FEFFFF jmp 00416613
From here execution continues to the popad and the jmp to the OEP.
An unpacker is just a transcription of the algorithms above — tedious manual work, nothing interesting. The only parts that need care are the environment-dependent key derivation at 0041659A and the IAT entries redirected through the E9 stubs, which have to be followed back to the real API when rebuilding the import table.