The code is:
Unpacker:00402E2C push esi ; lpFileName
Unpacker:00402E2D mov ecx, offset dword_402F00 ; ASCII "ICO"
Unpacker:00402E32 mov edx, offset aMain ; "MAIN"
Unpacker:00402E37 xor eax, eax ; hModule
Unpacker:00402E39 call CreateDllFile
{
Unpacker:00402AAC CreateDllFile proc near ; CODE XREF: sub_402E18+21 p
Unpacker:00402AAC
Unpacker:00402AAC NumberOfBytesWritten= dword ptr -4
Unpacker:00402AAC lpFileName = dword ptr 8
Unpacker:00402AAC
Unpacker:00402AAC push ebp
Unpacker:00402AAD mov ebp, esp
Unpacker:00402AAF push ecx
Unpacker:00402AB0 push ebx
Unpacker:00402AB1 push esi
Unpacker:00402AB2 push edi
Unpacker:00402AB3 mov ebx, eax
Unpacker:00402AB5 push ecx ; lpType
Unpacker:00402AB6 push edx ; lpName
Unpacker:00402AB7 push ebx ; hModule
Unpacker:00402AB8 call FindResourceA
Unpacker:00402ABD mov esi, eax
Unpacker:00402ABF push esi ; hResInfo
Unpacker:00402AC0 push ebx ; hModule
Unpacker:00402AC1 call SizeofResource
Unpacker:00402AC6 mov edi, eax ;eax=5e00
Unpacker:00402AC8 push esi ; hResInfo
Unpacker:00402AC9 push ebx ; hModule
Unpacker:00402ACA call LoadResource
Unpacker:00402ACF push eax ; hResData
Unpacker:00402AD0 call LockResource
Unpacker:00402AD5 mov esi, eax
Unpacker:00402AD7 push 0 ; hTemplateFile
Unpacker:00402AD9 push 80h ; dwFlagsAndAttributes
Unpacker:00402ADE push 2 ; dwCreationDisposition
Unpacker:00402AE0 push 0 ; lpSecurityAttributes
Unpacker:00402AE2 push 2 ; dwShareMode
Unpacker:00402AE4 push 40000000h ; dwDesiredAccess
Unpacker:00402AE9 mov eax, [ebp+lpFileName]
Unpacker:00402AEC push eax
;lpFileName="C:\WINDOWS\system32\rijxzkin.dll"
Unpacker:00402AED call CreateFileA
Unpacker:00402AF2 mov ebx, eax
Unpacker:00402AF4 push 0 ; lpOverlapped
Unpacker:00402AF6 lea eax, [ebp+NumberOfBytesWritten]
Unpacker:00402AF9 push eax ; lpNumberOfBytesWritten
Unpacker:00402AFA push edi ; nNumberOfBytesToWrite
; file length = 5E00
Unpacker:00402AFB push esi ; lpBuffer ASCII "MZP"
Unpacker:00402AFC push ebx ; hFile
Unpacker:00402AFD call WriteFile_0
Unpacker:00402B02 push ebx ; hObject
Unpacker:00402B03 call CloseHandle
Unpacker:00402B08 mov al, 1
Unpacker:00402B0A pop edi
Unpacker:00402B0B pop esi
Unpacker:00402B0C pop ebx
Unpacker:00402B0D pop ecx
Unpacker:00402B0E pop ebp
Unpacker:00402B0F retn 4
Unpacker:00402B0F CreateDllFile endp
}
This calls six system APIs:
FindResourceA, SizeofResource, LoadResource, LockResource, CreateFileA, WriteFile.
I think CreateFileA and WriteFile alone would be enough; the earlier ones don't seem to do anything.
Is my understanding correct?
Or can anyone say what FindResourceA, SizeofResource, LoadResource and LockResource are for here?
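An added example (not code from the post) showing, from the analyst's side, what the four resource APIs are doing: the DLL bytes are not in a file yet, they sit in the dropper's own resource section, so FindResourceA walks the type/name/language directory tree, SizeofResource reads the Size field of the leaf data entry (0x5E00 here) and LoadResource/LockResource hand back a pointer to that data. The script below walks a raw `.rsrc` section statically the same way and flags resources that start with an MZ header; the sample `.rsrc` image it builds is constructed, with type "ICO", name "MAIN" and size 0x5E00 taken from the listing.

```python
import struct

# Added example: statically walk a PE resource directory the way
# FindResourceA / SizeofResource / LockResource do at run time, and flag
# resources whose bytes begin with a DOS "MZ" header (an embedded PE).

def _name(rsrc, field):
    """Directory entry Name field: UTF-16 string if the high bit is set, else an ID."""
    if field & 0x80000000:
        off = field & 0x7FFFFFFF
        n = struct.unpack_from("<H", rsrc, off)[0]
        return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return field

def _entries(rsrc, dir_off):
    """Yield (Name, OffsetToData) for each IMAGE_RESOURCE_DIRECTORY_ENTRY."""
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):
        yield struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)

def walk_resources(rsrc, rsrc_rva):
    """Yield (type, name, lang, data) for each leaf of the type/name/lang tree."""
    for t, t_off in _entries(rsrc, 0):                       # level 1: type
        for n, n_off in _entries(rsrc, t_off & 0x7FFFFFFF):  # level 2: name
            for lang, d_off in _entries(rsrc, n_off & 0x7FFFFFFF):  # level 3: language
                # leaf IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved
                rva, size = struct.unpack_from("<II", rsrc, d_off)
                start = rva - rsrc_rva   # the pointer LockResource would return
                yield _name(rsrc, t), _name(rsrc, n), lang, rsrc[start:start + size]

def find_embedded_pe(rsrc, rsrc_rva):
    """Return [(type, name, size)] for resources that begin with an MZ header."""
    return [(t, n, len(d)) for t, n, _, d in walk_resources(rsrc, rsrc_rva)
            if d[:2] == b"MZ"]

def build_sample_rsrc():
    """Constructed .rsrc image: type "ICO" -> name "MAIN" -> lang 0x409 -> MZ blob."""
    rva, payload = 0x5000, b"MZP" + b"\0" * (0x5E00 - 3)   # same 0x5E00 size as in the post
    b = bytearray(0x70)
    struct.pack_into("<IIHHHH", b, 0x00, 0, 0, 0, 0, 1, 0)  # root dir: 1 named entry
    struct.pack_into("<II", b, 0x10, 0x80000000 | 0x58, 0x80000000 | 0x18)
    struct.pack_into("<IIHHHH", b, 0x18, 0, 0, 0, 0, 1, 0)  # "ICO" dir: 1 named entry
    struct.pack_into("<II", b, 0x28, 0x80000000 | 0x60, 0x80000000 | 0x30)
    struct.pack_into("<IIHHHH", b, 0x30, 0, 0, 0, 0, 0, 1)  # "MAIN" dir: 1 ID entry
    struct.pack_into("<II", b, 0x40, 0x409, 0x48)            # lang 0x409 -> data entry
    struct.pack_into("<IIII", b, 0x48, rva + 0x70, len(payload), 0, 0)
    b[0x58:0x60] = struct.pack("<H", 3) + "ICO".encode("utf-16-le")
    b[0x60:0x6A] = struct.pack("<H", 4) + "MAIN".encode("utf-16-le")
    return bytes(b) + payload, rva
```

`find_embedded_pe(*build_sample_rsrc())` returns `[('ICO', 'MAIN', 24064)]`, i.e. the same type, name and 0x5E00 length the dropper obtains at run time; run against a real file, pass it the `.rsrc` section's raw bytes and VirtualAddress from the section table.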