Download address:
http://cps2shock.retrogames.com/download.html
Load it in OD (OllyDbg):
0076F060 > 50 PUSH EAX ; WINKAWAK.<ModuleEntryPoint>
0076F061 51 PUSH ECX
0076F062 52 PUSH EDX
0076F063 53 PUSH EBX
0076F064 54 PUSH ESP
0076F065 55 PUSH EBP
0076F066 56 PUSH ESI
0076F067 57 PUSH EDI
0076F068 E8 00000000 CALL WINKAWAK.0076F06D // disguised jmp
0076F06D 5D POP EBP
0076F06E 81ED 1E1C4000 SUB EBP,WINKAWAK.00401C1E
0076F074 B9 7B090000 MOV ECX,97B
0076F079 8DBD 661C4000 LEA EDI,DWORD PTR SS:[EBP+401C66]
0076F07F 8BF7 MOV ESI,EDI
0076F081 AC LODS BYTE PTR DS:[ESI]
0076F082 F8 CLC
0076F083 90 NOP
0076F084 C0C8 99 ROR AL,99 ; Shift constant out of range 1..31
0076F087 2C 9D SUB AL,9D
0076F089 02C1 ADD AL,CL
0076F08B 02C1 ADD AL,CL
0076F08D EB 01 JMP SHORT WINKAWAK.0076F090
....
0076F0A5 2C A4 SUB AL,0A4
0076F0A7 02C1 ADD AL,CL
0076F0A9 C0C0 91 ROL AL,91 ; Shift constant out of range 1..31
0076F0AC 90 NOP
0076F0AD C0C0 15 ROL AL,15
0076F0B0 04 07 ADD AL,7
0076F0B2 AA STOS BYTE PTR ES:[EDI]
0076F0B3 ^E2 CC LOOPD SHORT WINKAWAK.0076F081
0076F0B5 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
0076F0B9 40 INC EAX
0076F0BA 78 0A JS SHORT WINKAWAK.0076F0C6
0076F0C6 8D85 111C4000 LEA EAX,DWORD PTR SS:[EBP+401C11]
0076F0CC B9 31060000 MOV ECX,631
0076F0D1 E8 41020000 CALL WINKAWAK.0076F317
0076F0D6 8985 9F234000 MOV DWORD PTR SS:[EBP+40239F],EAX
0076F0DC 8B85 97234000 MOV EAX,DWORD PTR SS:[EBP+402397]
0076F0E2 83E0 01 AND EAX,1
0076F0E5 74 40 JE SHORT WINKAWAK.0076F127
...
0076F104 64:8923 MOV DWORD PTR FS:[EBX],ESP
0076F107 BD 4B484342 MOV EBP,4243484B
0076F10C 66:B8 0400 MOV AX,4
0076F110 EB 01 JMP SHORT WINKAWAK.0076F113
0076F113 CC INT3
0076F114 8BEF MOV EBP,EDI
0076F116 33DB XOR EBX,EBX
0076F118 64:8F03 POP DWORD PTR FS:[EBX]
0076F11B 83C4 04 ADD ESP,4
0076F11E 3C 04 CMP AL,4
0076F120 74 05 JE SHORT WINKAWAK.0076F127
Go to the exception exit 0076F77C, F2 (breakpoint), F9 (run).
0076F127 8B85 8F234000 MOV EAX,DWORD PTR SS:[EBP+40238F] ; WINKAWAK.00400000
0076F12D 0340 3C ADD EAX,DWORD PTR DS:[EAX+3C]
0076F130 05 80000000 ADD EAX,80
0076F135 8B08 MOV ECX,DWORD PTR DS:[EAX]
0076F137 038D 8F234000 ADD ECX,DWORD PTR SS:[EBP+40238F]
0076F13D 83C1 10 ADD ECX,10
0076F140 8B01 MOV EAX,DWORD PTR DS:[ECX]
0076F142 0385 8F234000 ADD EAX,DWORD PTR SS:[EBP+40238F]
0076F148 8B18 MOV EBX,DWORD PTR DS:[EAX]
0076F14A 899D 1B254000 MOV DWORD PTR SS:[EBP+40251B],EBX
0076F150 83C0 04 ADD EAX,4
0076F153 8B18 MOV EBX,DWORD PTR DS:[EAX]
0076F155 899D 1F254000 MOV DWORD PTR SS:[EBP+40251F],EBX
0076F15B 8D85 23254000 LEA EAX,DWORD PTR SS:[EBP+402523]
0076F161 50 PUSH EAX
0076F162 FF95 1B254000 CALL DWORD PTR SS:[EBP+40251B]
0076F168 8BF0 MOV ESI,EAX
0076F16A 8985 30254000 MOV DWORD PTR SS:[EBP+402530],EAX
0076F170 8D85 34254000 LEA EAX,DWORD PTR SS:[EBP+402534]
0076F176 E8 96000000 CALL WINKAWAK.0076F211
0076F17B 8985 45254000 MOV DWORD PTR SS:[EBP+402545],EAX
0076F181 8D85 49254000 LEA EAX,DWORD PTR SS:[EBP+402549]
0076F187 E8 85000000 CALL WINKAWAK.0076F211
0076F18C 8985 58254000 MOV DWORD PTR SS:[EBP+402558],EAX
0076F192 8D85 5C254000 LEA EAX,DWORD PTR SS:[EBP+40255C]
0076F198 E8 74000000 CALL WINKAWAK.0076F211
0076F19D 8985 6F254000 MOV DWORD PTR SS:[EBP+40256F],EAX
0076F1A3 8D85 73254000 LEA EAX,DWORD PTR SS:[EBP+402573]
0076F1A9 E8 63000000 CALL WINKAWAK.0076F211
0076F1AE 8985 7F254000 MOV DWORD PTR SS:[EBP+40257F],EAX
0076F1B4 8D85 83254000 LEA EAX,DWORD PTR SS:[EBP+402583]
0076F1BA E8 52000000 CALL WINKAWAK.0076F211
0076F1BF 8985 8F254000 MOV DWORD PTR SS:[EBP+40258F],EAX
0076F1C5 8D85 93254000 LEA EAX,DWORD PTR SS:[EBP+402593]
0076F1CB E8 41000000 CALL WINKAWAK.0076F211
0076F1D0 8985 9E254000 MOV DWORD PTR SS:[EBP+40259E],EAX
0076F1D6 8D85 A2254000 LEA EAX,DWORD PTR SS:[EBP+4025A2]
0076F1DC E8 30000000 CALL WINKAWAK.0076F211
0076F1E1 8985 AB254000 MOV DWORD PTR SS:[EBP+4025AB],EAX
0076F1E7 8D85 AF254000 LEA EAX,DWORD PTR SS:[EBP+4025AF]
0076F1ED E8 1F000000 CALL WINKAWAK.0076F211
0076F1F2 8985 BB254000 MOV DWORD PTR SS:[EBP+4025BB],EAX
0076F1F8 8D85 BF254000 LEA EAX,DWORD PTR SS:[EBP+4025BF]
0076F1FE E8 0E000000 CALL WINKAWAK.0076F211
0076F203 8985 CB254000 MOV DWORD PTR SS:[EBP+4025CB],EAX
0076F209 8D85 CB1D4000 LEA EAX,DWORD PTR SS:[EBP+401DCB]
0076F20F 50 PUSH EAX
0076F210 C3 RETN
....
0076F41D 8B9D 8F234000 MOV EBX,DWORD PTR SS:[EBP+40238F] ; WINKAWAK.00400000
0076F423 039D 93234000 ADD EBX,DWORD PTR SS:[EBP+402393]
0076F429 C1CB 07 ROR EBX,7 ////--->jmp ebx
0076F42C 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
0076F430 8D9D C4224000 LEA EBX,DWORD PTR SS:[EBP+4022C4]
0076F436 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX
0076F43A 8BBD 8F234000 MOV EDI,DWORD PTR SS:[EBP+40238F]
0076F440 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
0076F443 8B9F C0000000 MOV EBX,DWORD PTR DS:[EDI+C0]
0076F449 83FB 00 CMP EBX,0
0076F44C 74 0F JE SHORT WINKAWAK.0076F45D
0076CD70 60 PUSHAD
0076CD71 BE 00407100 MOV ESI,WINKAWAK.00714000
0076CD76 8DBE 00D0CEFF LEA EDI,DWORD PTR DS:[ESI+FFCED000]
0076CD7C 57 PUSH EDI
0076CD7D 83CD FF OR EBP,FFFFFFFF
0076CD80 EB 10 JMP SHORT WINKAWAK.0076CD92
0076CD92 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CD94 83EE FC SUB ESI,-4
0076CD97 11DB ADC EBX,EBX
0076CD99 ^72 ED JB SHORT WINKAWAK.0076CD88
0076CD9B B8 01000000 MOV EAX,1
0076CDA0 01DB ADD EBX,EBX
0076CDA2 75 07 JNZ SHORT WINKAWAK.0076CDAB
0076CDA4 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CDA6 83EE FC SUB ESI,-4
0076CDA9 11DB ADC EBX,EBX
0076CDAB 11C0 ADC EAX,EAX
0076CDAD 01DB ADD EBX,EBX
0076CDAF 73 0B JNB SHORT WINKAWAK.0076CDBC
0076CDB1 75 19 JNZ SHORT WINKAWAK.0076CDCC
0076CDB3 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CDB5 83EE FC SUB ESI,-4
0076CDB8 11DB ADC EBX,EBX
0076CDBA 72 10 JB SHORT WINKAWAK.0076CDCC
0076CDBC 48 DEC EAX
0076CDBD 01DB ADD EBX,EBX
0076CDBF 75 07 JNZ SHORT WINKAWAK.0076CDC8
0076CDC1 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CDC3 83EE FC SUB ESI,-4
0076CDC6 11DB ADC EBX,EBX
0076CDC8 11C0 ADC EAX,EAX
0076CDCA ^EB D4 JMP SHORT WINKAWAK.0076CDA0
0076CDCC 31C9 XOR ECX,ECX
0076CDCE 83E8 03 SUB EAX,3
0076CDD1 72 11 JB SHORT WINKAWAK.0076CDE4
0076CDD3 C1E0 08 SHL EAX,8
0076CDD6 8A06 MOV AL,BYTE PTR DS:[ESI]
0076CDD8 46 INC ESI
0076CDD9 83F0 FF XOR EAX,FFFFFFFF
0076CDDC 74 78 JE SHORT WINKAWAK.0076CE56
0076CDDE D1F8 SAR EAX,1
0076CDE0 89C5 MOV EBP,EAX
0076CDE2 EB 0B JMP SHORT WINKAWAK.0076CDEF
0076CDE4 01DB ADD EBX,EBX
0076CDE6 75 07 JNZ SHORT WINKAWAK.0076CDEF
0076CDE8 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CDEA 83EE FC SUB ESI,-4
0076CDED 11DB ADC EBX,EBX
0076CDEF 11C9 ADC ECX,ECX
0076CDF1 01DB ADD EBX,EBX
0076CDF3 75 07 JNZ SHORT WINKAWAK.0076CDFC
0076CDF5 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CDF7 83EE FC SUB ESI,-4
0076CDFA 11DB ADC EBX,EBX
0076CDFC 11C9 ADC ECX,ECX
0076CDFE 75 20 JNZ SHORT WINKAWAK.0076CE20
0076CE00 41 INC ECX
0076CE01 01DB ADD EBX,EBX
0076CE03 75 07 JNZ SHORT WINKAWAK.0076CE0C
0076CE05 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CE07 83EE FC SUB ESI,-4
0076CE0A 11DB ADC EBX,EBX
0076CE0C 11C9 ADC ECX,ECX
0076CE0E 01DB ADD EBX,EBX
0076CE10 ^73 EF JNB SHORT WINKAWAK.0076CE01
0076CE12 75 09 JNZ SHORT WINKAWAK.0076CE1D
0076CE14 8B1E MOV EBX,DWORD PTR DS:[ESI]
0076CE16 83EE FC SUB ESI,-4
0076CE19 11DB ADC EBX,EBX
0076CE1B ^73 E4 JNB SHORT WINKAWAK.0076CE01
0076CE1D 83C1 02 ADD ECX,2
0076CE20 81FD 00FBFFFF CMP EBP,-500
0076CE26 83D1 01 ADC ECX,1
0076CE29 8D142F LEA EDX,DWORD PTR DS:[EDI+EBP]
0076CE2C 83FD FC CMP EBP,-4
0076CE2F 76 0F JBE SHORT WINKAWAK.0076CE40
0076CE31 8A02 MOV AL,BYTE PTR DS:[EDX]
0076CE33 42 INC EDX
0076CE34 8807 MOV BYTE PTR DS:[EDI],AL
0076CE36 47 INC EDI
0076CE37 49 DEC ECX
0076CE38 ^75 F7 JNZ SHORT WINKAWAK.0076CE31
0076CE3A ^E9 4FFFFFFF JMP WINKAWAK.0076CD8E
0076CE3F 90 NOP
0076CE40 8B02 MOV EAX,DWORD PTR DS:[EDX] //F4
0076CE42 83C2 04 ADD EDX,4
0076CE45 8907 MOV DWORD PTR DS:[EDI],EAX
0076CE47 83C7 04 ADD EDI,4
0076CE4A 83E9 04 SUB ECX,4
0076CE4D ^77 F1 JA SHORT WINKAWAK.0076CE40
0076CE4F 01CF ADD EDI,ECX
0076CE51 ^E9 38FFFFFF JMP WINKAWAK.0076CD8E
0076CE56 5E POP ESI //F4
0076CE57 89F7 MOV EDI,ESI
0076CE59 B9 47210000 MOV ECX,2147
0076CE5E 8A07 MOV AL,BYTE PTR DS:[EDI]
0076CE60 47 INC EDI
0076CE61 2C E8 SUB AL,0E8
0076CE63 3C 01 CMP AL,1
0076CE65 ^77 F7 JA SHORT WINKAWAK.0076CE5E
0076CE67 803F 15 CMP BYTE PTR DS:[EDI],15 //F4
0076CE6A ^75 F2 JNZ SHORT WINKAWAK.0076CE5E
0076CE6C 8B07 MOV EAX,DWORD PTR DS:[EDI]//F4
0076CE6E 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
0076CE71 66:C1E8 08 SHR AX,8
0076CE75 C1C0 10 ROL EAX,10
0076CE78 86C4 XCHG AH,AL
0076CE7A 29F8 SUB EAX,EDI
0076CE7C 80EB E8 SUB BL,0E8
0076CE7F 01F0 ADD EAX,ESI
0076CE81 8907 MOV DWORD PTR DS:[EDI],EAX
0076CE83 83C7 05 ADD EDI,5
0076CE86 89D8 MOV EAX,EBX
0076CE88 ^E2 D9 LOOPD SHORT WINKAWAK.0076CE63
0076CE8A 8DBE 00A03600 LEA EDI,DWORD PTR DS:[ESI+36A000]
0076CE90 8B07 MOV EAX,DWORD PTR DS:[EDI]
0076CE92 09C0 OR EAX,EAX
0076CE94 74 45 JE SHORT WINKAWAK.0076CEDB /// this must be changed to jmp
0076CE96 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
0076CE99 8D8430 BCDA3600 LEA EAX,DWORD PTR DS:[EAX+ESI+36DABC]
0076CEA0 01F3 ADD EBX,ESI
0076CEA2 50 PUSH EAX
0076CEA3 83C7 08 ADD EDI,8
0076CEA6 FF96 ACDB3600 CALL DWORD PTR DS:[ESI+36DBAC] //*** note this ***//
0076CEAC 95 XCHG EAX,EBP
0076CEAD 8A07 MOV AL,BYTE PTR DS:[EDI]
0076CEAF 47 INC EDI
0076CEB0 08C0 OR AL,AL
0076CEB2 ^74 DC JE SHORT WINKAWAK.0076CE90
0076CEB4 89F9 MOV ECX,EDI
0076CEB6 79 07 JNS SHORT WINKAWAK.0076CEBF
0076CEB8 0FB707 MOVZX EAX,WORD PTR DS:[EDI]
0076CEBB 47 INC EDI
0076CEBC 50 PUSH EAX
0076CEBD 47 INC EDI
0076CEBE B9 5748F2AE MOV ECX,AEF24857
0076CEC3 55 PUSH EBP
0076CEC4 FF96 B0DB3600 CALL DWORD PTR DS:[ESI+36DBB0]
0076CECA 09C0 OR EAX,EAX
0076CECC 74 07 JE SHORT WINKAWAK.0076CED5
0076CECE 8903 MOV DWORD PTR DS:[EBX],EAX
0076CED0 83C3 04 ADD EBX,4
0076CED3 ^EB D8 JMP SHORT WINKAWAK.0076CEAD
0076CED5 FF96 B4DB3600 CALL DWORD PTR DS:[ESI+36DBB4]
0076CEDB 61 POPAD
0076CEDC -E9 8398D8FF JMP WINKAWAK.004F6764 /// fly toward the summit of light
0076CEE1 0000 ADD BYTE PTR DS:[EAX],AL
0076CEE3 0000 ADD BYTE PTR DS:[EAX],AL
0076CEE5 0000 ADD BYTE PTR DS:[EAX],AL
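As an added example (not code from the post or from WinKawaks), here is a Python re-implementation of the E8/E9 fixup loop at 0076CE56..0076CE88 above, together with the inverse transform so the loop can be checked on a constructed buffer. Assumptions of mine, not stated in the post: 0x15 is UPX's marker (cto) byte, the three bytes after it hold the target as a big-endian 24-bit offset from the image base, and the 0x2147 loaded into ECX is the number of fixups rather than a byte count.

```python
import struct

MARKER = 0x15          # CMP BYTE PTR DS:[EDI],15 in the stub (assumed: UPX cto byte)
FIXUP_COUNT = 0x2147   # MOV ECX,2147: number of fixups in the real image (assumed)

def unfilter_e8e9(buf, count, marker=MARKER):
    """Undo the filter the way the stub loop at 0076CE5E..0076CE88 does.
    buf is the decompressed code; offset 0 plays the role of ESI (image base)."""
    out = bytearray(buf)
    edi = 0                                 # EDI - ESI, i.e. offset into the image
    while count and edi < len(out):         # the stub has no bounds check; added here
        op = out[edi]
        edi += 1                            # MOV AL,[EDI]; INC EDI
        if op - 0xE8 not in (0, 1):         # SUB AL,E8; CMP AL,1; JA -> keep scanning
            continue
        if edi + 4 > len(out) or out[edi] != marker:   # CMP BYTE PTR [EDI],15; JNZ
            continue
        # MOV EAX,[EDI]; SHR AX,8; ROL EAX,10; XCHG AH,AL: the three bytes after the
        # marker form a big-endian 24-bit target offset from the image base
        absolute = (out[edi + 1] << 16) | (out[edi + 2] << 8) | out[edi + 3]
        rel = (absolute - edi) & 0xFFFFFFFF  # SUB EAX,EDI; ADD EAX,ESI -> rel32
        out[edi:edi + 4] = struct.pack('<I', rel)      # MOV [EDI],EAX
        edi += 4          # ADD EDI,5: the 5th byte (kept in BL) is the next opcode
        count -= 1        # LOOPD: ECX counts applied fixups, not bytes scanned
    return bytes(out)

def filter_e8e9(buf, marker=MARKER):
    """Forward transform (what the packer did): rel32 -> marker + big-endian 24-bit
    base-relative target. Returns the filtered bytes and the fixup count for ECX."""
    out = bytearray(buf)
    edi = n = 0
    while edi < len(out):
        op = out[edi]
        edi += 1
        if op in (0xE8, 0xE9) and edi + 4 <= len(out):
            rel = struct.unpack('<I', out[edi:edi + 4])[0]
            absolute = (rel + edi) & 0xFFFFFFFF
            if absolute < 1 << 24:               # only targets that fit 24 bits
                out[edi:edi + 4] = bytes([marker]) + absolute.to_bytes(3, 'big')
                edi += 4
                n += 1
    return bytes(out), n

# Constructed sample (not from the game): three CALL/JMPs, the second placed right
# after the first operand so the stub's "next opcode via BL" path is exercised.
SAMPLE = bytes.fromhex(
    "E8 05000000"      # 0x00: CALL +5  -> 0x0A
    "E8 03000000"      # 0x05: CALL +3  -> 0x0D
    "90 90 90 90 90"
    "E9 F6FFFFFF"      # 0x0F: JMP -10  -> 0x0A
    "C3"
)
```

Running `filter_e8e9(SAMPLE)` yields three fixups and `unfilter_e8e9(filtered, 3)` restores the original bytes; passing a smaller count leaves the remaining sites filtered, which is why ECX must be right when the loop is reproduced.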
Entry point
004F6764 55 PUSH EBP //DUMP
004F6765 8BEC MOV EBP,ESP
004F6767 6A FF PUSH -1
004F6769 68 E0EB4F00 PUSH WINKAWAK.004FEBE0
004F676E 68 F0684F00 PUSH WINKAWAK.004F68F0
004F6773 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004F6779 50 PUSH EAX
004F677A 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004F6781 83EC 68 SUB ESP,68
004F6784 53 PUSH EBX
004F6785 56 PUSH ESI
004F6786 57 PUSH EDI
004F6787 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004F678A 33DB XOR EBX,EBX
004F678C 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004F678F 6A 02 PUSH 2
Fix it up with ImportREC 1.60 and it runs successfully.
The unpacked program is 3.44 MB, Microsoft Visual C++ 6.0.
Summary:
The first layer should be EXE Stealth 2.72, so at
0076F429 C1CB 07 ROR EBX,7
change it directly to jmp ebx to jump to the exit point.
The second layer is UPX, I think; the main thing is to change
0076CE94 74 45 JE SHORT WINKAWAK.0076CEDB
to jmp,
otherwise at
0076CEA6 FF96 ACDB3600 CALL DWORD PTR DS:[ESI+36DBAC]
you can't keep tracing :D
I'm pretty much a newbie, experts please point out what I've missed :D