PESPIN V1.1 complete shell analysis


[Target]: PESPIN V1.1 main program

[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F

[Task]: analyze the shell

[Platform]: WinXP SP2

[Author]: loveboom [dfcg] [fcg] [US]

[Related links]: search the Internet

[Brief description]: This article is a gift for Yock. I promised him I would look at this version of the shell and then put it off for a long time; now that I have gone through it, I find this version is enhanced quite a lot over the earlier one. There is also much more code to patch, and the shell has added a very useful SDK, which strengthens a program considerably once it is used; the shell's PE-header stripping code, however, seems to be of little real use.

[Detailed Procedure]:

I went through PESPIN V0.7 from beginning to end, and I did the same with this version, mainly to see whether anything had been improved. The result is rather disappointing: the loader has nothing new, and the shell still has no anti-OllyDbg, so I wonder whether the author is holding back on purpose.

The work is divided into two steps: analysis and unpacking.

Step 1: Analysis

Load the target program in OD and analyze it slowly and carefully ^_^.

00412087> / EB 01 JMP Short 0041208A; EP

00412089 | 90 NOP

0041208A / 60 PUSHAD

0041208B E8 00000000 Call 00412090

00412090 8B1C24 MOV EBX, DWORD PTR SS: [ESP]; SMC

00412093 83C3 12 Add EBX, 12

00412096 812B E8B10600 SUB DWORD PTR DS: [EBX], 6B1E8

0041209c fe4b fd dec Byte Ptr DS: [EBX-3]

0041209F 822C24 7D SUB BYTE PTR SS: [ESP], 7D

004120A3 DE46 00 FIADD WORD PTR DS: [ESI]

004120A6 0BE4 or ESP, ESP

004120A8 ^ 74 9e je short 00412048

......

004120F1 8B95 C34B4000 MOV EDX, DWORD PTR SS:[EBP+404BC3] ; [EBP+404BC3] = hModule (400000)

004120F7 8B42 3C MOV EAX, DWORD PTR DS:[EDX+3C]

004120FA 03C2 ADD EAX, EDX

004120FC 8985 CD4B4000 MOV DWORD PTR SS:[EBP+404BCD], EAX ; [EBP+404BCD] saves the PE header (4000D0)

......

00412134 41 Inc ECX

00412135 C1E1 07 SHL ECX, 7

00412138 8B0C01 MOV ECX, DWORD PTR DS:[ECX+EAX] ; locate the import table RVA (12000)

0041213B 03CA ADD ECX, EDX ; convert to VA

......

0041214E 8B59 10 MOV EBX, DWORD PTR DS:[ECX+10] ; locate OriginalFirstThunk

00412151 03DA ADD EBX, EDX

00412153 8B1B MOV EBX, DWORD PTR DS:[EBX] ; fetch the address of MessageBoxA

00412155 899D E14B4000 MOV DWORD PTR SS:[EBP+404BE1], EBX ; save to [EBP+404BE1]

0041215B 53 PUSH EBX

0041215C 8F85 D7494000 POP DWORD PTR SS:[EBP+4049D7] ; the address is also saved in [EBP+4049D7]

00412162 BB CC000000 MOV EBX, 0CC

00412167 B9 FE110000 MOV ECX, 11FE

0041216C 8DBD 714C4000 LEA EDI, DWORD PTR SS:[EBP+404C71]

00412172 4F DEC EDI

......

0041217F 301C39 XOR BYTE PTR DS:[ECX+EDI], BL

00412182 FECB DEC BL

00412184 49 DEC ECX

00412185 9C PUSHFD

00412186 C12C24 06 SHR DWORD PTR SS:[ESP], 6

0041218A F71424 NOT DWORD PTR SS:[ESP]

0041218D 832424 01 AND DWORD PTR SS:[ESP], 1

00412191 50 PUSH EAX

00412192 52 PUSH EDX

00412193 B8 83B2DC12 MOV EAX, 12DCB283

00412198 05 444D23ED ADD EAX, ED234D44

0041219D F76424 08 MUL DWORD PTR SS:[ESP+8]

004121A1 8D8428 BD2D4000 LEA EAX, DWORD PTR DS:[EAX+EBP+402DBD]

004121A8 894424 08 MOV DWORD PTR SS:[ESP+8], EAX

004121AC 5A POP EDX

004121AD 58 POP EAX

004121AE 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+4]

004121B2 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; decode 11FE bytes of code starting at 415269
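The DEC ECX / PUSHFD / SHR [ESP],6 / NOT / AND 1 / MUL / LEA / JMP [ESP-4] sequence above is the shell's replacement for a plain JNZ back to the loop top: the zero flag is turned into a 0/1 multiplier, and the two immediates sum to a small negative loop-back distance. The following Python script is an added example (not code from this article or from PESpin) that decodes those jumps for every instance of the pattern in this listing; it assumes EBP = F3FB, which the listing's own notes imply (for example [EBP+404BE5] = 413FE0).

```python
# Added example (not from the original article): decode PESpin's branchless loop-back jump.
# Every decoder loop in the listing ends with the same sequence:
#   DEC ECX / PUSHFD / SHR [ESP],6 / NOT [ESP] / AND [ESP],1   -> [ESP] = 1 if ZF clear, else 0
#   PUSH EAX / PUSH EDX / MOV EAX,imm1 / ADD EAX,imm2 / MUL [ESP+8]
#   LEA EAX,[EAX+EBP+disp] / MOV [ESP+8],EAX / POP EDX / POP EAX / LEA ESP,[ESP+4] / JMP [ESP-4]
# so the JMP target is EBP + disp + (imm1 + imm2) * (1 - ZF), modulo 2**32.
MASK32 = 0xFFFFFFFF
EBP_DELTA = 0xF3FB  # assumption derived from the listing's notes, e.g. [EBP+404BE5] = 413FE0

def zf_to_multiplier(eflags):
    """SHR [ESP],6 ; NOT [ESP] ; AND [ESP],1 applied to a pushed EFLAGS value (ZF is bit 6)."""
    return (~(eflags >> 6)) & 1

def branch_target(zf, imm_mov, imm_add, disp, ebp=EBP_DELTA):
    """Address JMP DWORD PTR [ESP-4] lands on for a given zero flag (zf = 1 when ECX reached 0)."""
    eax = ((imm_mov + imm_add) & MASK32) * zf_to_multiplier(0x40 if zf else 0)   # MUL [ESP+8]
    return (eax + ebp + disp) & MASK32                                             # LEA EAX,[EAX+EBP+disp]

# (JMP address) -> (MOV immediate, ADD immediate, LEA displacement), copied from the listing
OBFUSCATED_JUMPS = {
    0x004121B2: (0x12DCB283, 0xED234D44, 0x402DBD),
    0x00412232: (0x12DCB272, 0xED234D44, 0x402E3E),
    0x004147C3: (0x10DCB277, 0xEF234D44, 0x4053D2),
    0x0041269C: (0x12DCB204, 0xED234D44, 0x4032A8),
    0x00412744: (0xF2ABBFCE, 0x0D543FEB, 0x40334F),
    0x004149C6: (0x32DCBF5E, 0xCD234044, 0x4055D4),
    0x00414ACE: (0x12DCB261, 0xED234D44, 0x4056D9),
    0x00412854: (0xF5A679E9, 0x0A598549, 0x403460),
    0x00415157: (0x12DCB249, 0xED234D44, 0x405D66),
}

def decode_jumps(table=OBFUSCATED_JUMPS):
    """Return {jmp_addr: (loop_top, fall_through)}: the target while ECX != 0 and once ECX == 0."""
    return {addr: (branch_target(0, *args), branch_target(1, *args)) for addr, args in table.items()}

if __name__ == "__main__":
    for addr, (top, out) in sorted(decode_jumps().items()):
        print(f"JMP at {addr:08X}: ECX != 0 -> {top:08X} (loop top), ECX == 0 -> {out:08X}")
```

Running it prints, for each JMP, the loop-top address taken while ECX is non-zero and the fall-through address taken once ECX reaches zero; the first entry yields 0041217F, the XOR at the top of the loop above, and the fall-through 004121B8 (the sum 12DCB283 + ED234D44 is FFFFFFC7, i.e. a loop-back of 39 bytes).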

......

004121CE 8170 03 E89868EA XOR DWORD PTR DS: [EAX 3], EA6898E8; SMC

004121D5 83C0 21 Add Eax, 21

......

004121E3 68 CB000000 PUSH 0CB

004121E8 59 POP ECX ; decode size 0CB

004121E9 8DBD A35D4000 LEA EDI, DWORD PTR SS:[EBP+405DA3] ; [EBP+405DA3] = [41519E]


004121EF 90 NOP

004121F0 90 NOP

004121F1 90 NOP

004121F2 90 NOP

004121F3 90 NOP

004121F4 90 NOP

004121F5 90 NOP

004121F6 90 NOP

004121F7 90 NOP

004121F8 90 NOP

004121F9 90 NOP

004121FA 90 NOP

004121FB 90 NOP

004121FC 90 NOP

004121FD 90 NOP

004121FE 90 NOP

004121FF 90 NOP

00412200 C00C39 02 ROR BYTE PTR DS:[ECX+EDI], 2 ; key = 2

00412204 49 DEC ECX

......

00412205 9C PUSHFD

00412206 C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041220A F71424 Not DWORD PTR SS: [ESP]

0041220D 832424 01 And DWORD PTR SS: [ESP], 1

00412211 50 PUSH EAX

00412212 52 PUSH EDX

00412213 B8 72B2DC12 MOV EAX, 12DCB272

00412218 05 444D23ED ADD EAX, ED234D44

0041221D F76424 08 MUL DWORD PTR SS:[ESP+8]

00412221 8D8428 3E2E4000 LEA EAX, DWORD PTR DS:[EAX+EBP+402E3E]

00412228 894424 08 MOV DWORD PTR SS:[ESP+8], EAX ; pespin.00412239

0041222C 5A POP EDX

0041222D 58 POP EAX

0041222E 8D6424 04 LEA ESP, DWORD PTR SS:[ESP+4]

00412232 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; loop decoding 0CB bytes starting at 415269 and working downward

......

00413F09 8B7C24 20 MOV EDI, DWORD PTR SS:[ESP+20] ; get the kernel32 base

00413F0D 81E7 0000FFFF AND EDI, FFFF0000

......

00413f23 90 NOP

00413F24 BA 246BDE21 MOV EDX, 21DE6B24

00413F29 81F2 6931DE21 XOR EDX, 21DE3169 ; EDX = MZ signature (5A4D)

00413F2F 66:3917 CMP WORD PTR DS:[EDI], DX

00413F32 75 17 JNZ SHORT 00413F4B ; check whether this is a DOS header

00413F34 81C2 EFA5FFFF ADD EDX, FFFFA5EF ; EDX = 3C (offset of e_lfanew)

00413F3A 0FB7143A MOVZX EDX, WORD PTR DS:[EDX+EDI]

00413F3E 66:F7C2 00F8 TEST DX, 0F800

00413F43 75 06 JNZ SHORT 00413F4B

00413F45 3B7C3A 34 CMP EDI, DWORD PTR DS:[EDX+EDI+34] ; compare with OptionalHeader.ImageBase

00413F49 74 08 JE SHORT 00413F53

00413F4B 81EF 00000100 SUB EDI, 10000 ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"

00413F51 ^ EB C0 JMP SHORT 00413F13 ; subtract 10000 and keep walking back

00413F53 97 XCHG EAX, EDI ; the kernel32 base found is saved in EAX ...

00413F65 68 F44B4000 PUSH 00404BF4

00413F6A 50 PUSH EAX ; push the kernel32 base (7C800000)

00413F6B 8785 E54B4000 XCHG DWORD PTR SS:[EBP+404BE5], EAX ; save the kernel32 base to [EBP+404BE5] (= 413FE0)

00413f71 016C24 04 Add DWORD PTR SS: [ESP 4], EBP

00413f75 8D85 ECA183EB LEA EAX, DWORD PTR SS: [EBP EB83A1EC]

00413f7b 8D80 BDAABC14 Lea Eax, DWORD PTR DS: [EAX 14BCAABD]

......

00413F8A FFD0 CALL EAX ; EAX = 4140A4, the routine that obtains the addresses of the needed APIs

Step into it and look:

004140A4 59 POP ECX

004140A5 58 POP EAX

004140A6 5F POP EDI; EDI = 413FEF

004140A7 90 NOP

004140A8 90 NOP

004140A9 90 NOP

004140AA 90 NOP

004140AB 90 NOP

004140ac 90 NOP

004140AD 90 NOP

004140ae 90 NOP

004140AF 90 NOP

004140B0 41 INC ECX

004140B1 41 INC ECX

004140B2 51 PUSH ECX; ECX = 413f8e

004140B3 8BF0 MOV ESI, EAX

004140B5 0340 3C ADD EAX, DWORD PTR DS:[EAX+3C] ; locate the PE header

004140B8 8B40 78 MOV EAX, DWORD PTR DS:[EAX+78] ; locate the export table

004140BB 03C6 ADD EAX, ESI

004140BD FF70 20 PUSH DWORD PTR DS:[EAX+20] ; AddressOfNames

004140C0 5B POP EBX

004140C1 03DE ADD EBX, ESI

004140C3 FF70 18 PUSH DWORD PTR DS:[EAX+18] ; NumberOfNames

004140C6 8F85 674D4000 POP DWORD PTR SS:[EBP+404D67] ; [EBP+404D67] saves NumberOfNames

004140CC FF70 24 PUSH DWORD PTR DS:[EAX+24] ; AddressOfNameOrdinals

004140CF 5A POP EDX

004140D0 03D6 ADD EDX, ESI

004140D2 FF70 1C PUSH DWORD PTR DS:[EAX+1C] ; AddressOfFunctions

004140D5 59 POP ECX

004140D6 03CE ADD ECX, ESI

004140D8 898D 574D4000 MOV DWORD PTR SS:[EBP+404D57], ECX ; [EBP+404D57] saves AddressOfFunctions

004140DE 83ef 05 SUB EDI, 5

004140E1 83C7 05 Add EDI, 5

004140E4 833F 00 CMP DWORD PTR DS: [EDI], 0

004140E7 0F84 9D000000 JE 0041418A

004140ed 8A07 MOV Al, Byte Ptr DS: [EDI]

004140ef 8885 1B4D4000 MOV BYTE PTR SS: [EBP 404D1B], Al

004140f5 FF77 01 Push DWORD PTR DS: [EDI 1]

004140F8 8F85 474D4000 POP DWORD PTR SS: [EBP 404D47]

004140fe 53 Push EBX

004140ff 52 Push EDX

00414100 57 Push EDI

00414101 2BC9 SUB ECX, ECX

00414103 90 NOP

00414104 90 NOP

00414105 90 NOP

00414106 90 NOP

00414107 90 NOP

00414108 90 NOP

00414109 90 NOP

0041410A 90 NOP

0041410B 90 NOP

0041410C 90 NOP

0041410D 90 NOP

0041410e 90 NOP

0041410F 8B3B MOV EDI, DWORD PTR DS: [EBX]

00414111 03FE Add EDI, ESI

00414113 807F 02 61 CMP BYTE PTR DS:[EDI+2], 61 ; get the LoadLibrary address

00414117 75 43 JNZ SHORT 0041415C

00414119 E8 02000000 CALL 00414120

0041411E 90 NOP

0041411f 90 NOP

00414120 58 POP EAX

00414121 8D6424 FC LEA ESP, DWORD PTR SS: [ESP-4]

00414125 05 23000000 Add Eax, 23

0041412A 890424 MOV DWORD PTR SS: [ESP], EAX

0041412D 8D85 CA8A94ED LEA EAX, DWORD PTR SS: [EBP ED948ACA]

00414133 2D 353D54ED SUB EAX, ED543D35

00414138 50 Push EAX

00414139 C3 RETN

0041413A 3BC3 CMP EAX, EBX

0041413c 74 35 Je Short 00414173

0041413e 2bc2 SUB EAX, EDX

00414140 9A 3D72423E C07> Call Far 75c0: 3E42723D; FAR CALL

00414147 14 8D ADC Al, 8D

00414149 04 4A Add Al, 4A

0041414B 0fb700 Movzx Eax, Word PTR DS: [EAX]

0041414E C1E0 02 SHL EAX, 2

00414151 05 5426807C Add Eax, 7c802654

00414156 8B00 MOV EAX, DWORD PTR DS: [EAX]

00414158 03C6 Add Eax, ESI

0041415A EB 0E JMP SHORT 0041416A

0041415C 83C3 04 Add EBX, 4

0041415F 41 INC ECX

00414160 81F9 B5030000 CMP ECX, 3B5

00414166 ^ 75 a7 jnz short 0041410f

00414168 33C0 XOR EAX, EAX

0041416A 5F POP EDI

0041416B 5A POP EDX

0041416C 5B POP EBX

0041416D 0BC0 or Eax, EAX

0041416F 74 1B JE SHORT 0041418C

00414171 90 NOP

00414172 90 NOP

00414173 90 NOP

00414174 90 NOP

00414175 90 NOP

00414176 90 NOP

00414177 90 NOP

00414178 90 NOP

00414179 90 NOP

0041417A 8038 CC CMP BYTE PTR DS:[EAX], 0CC ; check for a breakpoint (INT3) on the API

0041417D 75 03 JNZ Short 00414182

0041417F 8028 00 SUB BYTE PTR DS: [EAX], 0

00414182 8947 01 MOV DWORD PTR DS: [EDI 1], EAX

00414185 ^ E9 57ffffff jmp 004140e1

0041418A 0BC0 or EAX, EAX

0041418C EB 01 JMP Short 0041418F

0041418E 90 NOP

0041418F C3 RETN

It obtains the following APIs:

LoadLibraryA

ExitProcess

GetProcAddress

VirtualProtect

CloseHandle

VirtualAlloc

VirtualFree

CreateFileA

ReadFile

GetTickCount

GetModuleHandleA

CreateThread

Sleep

GetCurrentProcessId

OpenProcess

TerminateProcess

GetFileSize

GetModuleFileNameA
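To see how the two routines above fit together, here is an added Python model (not the shell's code and not OllyDbg output) of the kernel32 search at 00413F09..00413F53 and the export walk at 004140B5..00414158. It builds a constructed minimal PE image in a byte buffer (the three export names are real kernel32 exports, but their addresses, the stand-in module base 7C800000 and the fake return address 7C81A123 are made up for the demo) and resolves a name through exactly the header fields the shell reads.

```python
# Added example (not the shell's own code): how the PESpin loader finds kernel32 and resolves exports.
# The module image is constructed for the demo; the field offsets are the real PE32 ones.
import struct

MZ_SIG = 0x5A4D          # what MOV EDX,21DE6B24 / XOR EDX,21DE3169 reconstructs at 00413F24
PE_SIG = 0x00004550

class Memory:
    """Flat buffer standing in for process memory; out-of-range reads return None
    (in the real process they would fault, which is why the shell starts from a known stack value)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def _off(self, addr, n):
        off = addr - self.base
        return off if 0 <= off and off + n <= len(self.buf) else None
    def u16(self, addr):
        off = self._off(addr, 2)
        return None if off is None else struct.unpack_from("<H", self.buf, off)[0]
    def u32(self, addr):
        off = self._off(addr, 4)
        return None if off is None else struct.unpack_from("<I", self.buf, off)[0]
    def cstr(self, addr):
        off = self._off(addr, 1)
        return bytes(self.buf[off:self.buf.index(b"\0", off)]).decode("ascii")
    def put(self, addr, fmt, *vals):
        struct.pack_into(fmt, self.buf, addr - self.base, *vals)

def find_image_base(mem, ret_addr):
    """Mask a return address into kernel32 down to 64 KiB and walk backwards one 64 KiB step
    at a time until: word 'MZ' at +0, a 16-bit e_lfanew below 800 (TEST DX,0F800),
    and OptionalHeader.ImageBase (PE+34) equal to the candidate address."""
    edi = ret_addr & 0xFFFF0000
    while edi > 0:
        if mem.u16(edi) == MZ_SIG:
            e_lfanew = mem.u16(edi + 0x3C)
            if e_lfanew & 0xF800 == 0 and mem.u32(edi + e_lfanew + 0x34) == edi:
                return edi
        edi -= 0x10000                       # SUB EDI,10000 ; JMP back to the compare
    return None

def resolve_export(mem, base, wanted):
    """Walk the export directory as the shell does: PE+78 -> export table,
    +18 NumberOfNames, +1C AddressOfFunctions, +20 AddressOfNames, +24 AddressOfNameOrdinals."""
    pe = base + mem.u32(base + 0x3C)
    exp = base + mem.u32(pe + 0x78)
    n_names = mem.u32(exp + 0x18)
    funcs = base + mem.u32(exp + 0x1C)
    names = base + mem.u32(exp + 0x20)
    ordinals = base + mem.u32(exp + 0x24)
    for i in range(n_names):
        if mem.cstr(base + mem.u32(names + 4 * i)) == wanted:
            ordinal = mem.u16(ordinals + 2 * i)          # MOVZX EAX,WORD PTR [EAX] ; SHL EAX,2
            return base + mem.u32(funcs + 4 * ordinal)   # MOV EAX,[EAX] ; ADD EAX,ESI
    return None

def build_sample_image(base=0x7C800000):
    """Constructed minimal image with three exports (real kernel32 names, made-up RVAs)."""
    mem = Memory(base, 0x20000)
    mem.put(base, "<H", MZ_SIG)
    mem.put(base + 0x3C, "<I", 0x80)                  # e_lfanew
    mem.put(base + 0x80, "<I", PE_SIG)
    mem.put(base + 0x80 + 0x34, "<I", base)           # OptionalHeader.ImageBase
    mem.put(base + 0x80 + 0x78, "<I", 0x1000)         # DataDirectory[0].VirtualAddress (exports)
    func_rvas = [0x2020, 0x2030, 0x2010]              # indexed by ordinal
    names = [("CloseHandle", 2), ("LoadLibraryA", 0), ("VirtualAlloc", 1)]  # sorted, with ordinal
    exp = base + 0x1000
    mem.put(exp + 0x18, "<I", len(names))
    mem.put(exp + 0x1C, "<I", 0x1100)
    mem.put(exp + 0x20, "<I", 0x1200)
    mem.put(exp + 0x24, "<I", 0x1300)
    for i, rva in enumerate(func_rvas):
        mem.put(base + 0x1100 + 4 * i, "<I", rva)
    str_rva = 0x1400
    for i, (name, ordinal) in enumerate(names):
        mem.put(base + 0x1200 + 4 * i, "<I", str_rva)
        mem.put(base + 0x1300 + 2 * i, "<H", ordinal)
        mem.put(base + str_rva, f"<{len(name) + 1}s", name.encode())   # NUL-padded by struct
        str_rva += len(name) + 1
    return mem

if __name__ == "__main__":
    mem = build_sample_image()
    base = find_image_base(mem, 0x7C81A123)            # a fake return address inside the module
    print(f"module base: {base:08X}")
    for api in ("LoadLibraryA", "VirtualAlloc", "CloseHandle", "GetTickCount"):
        print(api, "->", resolve_export(mem, base, api))
```

The ordinal table in the sample deliberately does not map name index i to function index i, so a resolver that skips AddressOfNameOrdinals (a common shortcut) returns the wrong function; the shell reads it correctly, and so does the model.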

......

00412267 B8 944380EF MOV EAX, EF804394

0041226C 2BC9 SUB ECX, ECX

0041226e 83c9 15 or ECX, 15

00412271 0FA3C8 BT EAX, ECX

00412274 0F83 81000000 JNB 004122FB ; if no protection password was set it jumps here, so if the target asks for a password, force this jump to skip it

0041227A 8DB40D D44B4000 LEA ESI, DWORD PTR SS:[EBP+ECX+404BD4]

00412281 8BD6 MOV EDX, ESI

00412283 B9 10000000 MOV ECX, 10

00412288 AC LODS BYTE PTR DS: [ESI]

00412289 84c0 Test Al, Al

0041228B 74 06 Je Short 00412293

0041228D C04E FF 03 ROR BYTE PTR DS: [ESI-1], 3

00412291 ^ E2 f5 loopd short 00412288

00412293 E8 00000000 Call 00412298

00412298 59 POP ECX

00412299 81C1 1D000000 Add ECX, 1D

0041229F 52 Push EDX

004122A0 51 PUSH ECX

004122A1 C1E9 05 SHR ECX, 5

004122A4 23D1 and EDX, ECX

004122A6 FFA5 F54B4000 JMP DWORD PTR SS: [EBP 404BF5]

004122ac 0BC0 or Eax, EAX

004122AE 0F85 3F0A0000 JNZ 00412CF3

004122B4 A3 8D8D534C MOV DWORD PTR DS: [4C538D8D], EAX

004122B9 40 Inc EAX

004122BA 0051 50 Add Byte PTR DS: [ECX 50], DL

004122BD 8D85 19F54500 LEA EAX, DWORD PTR SS: [EBP 45F519]

004122C3 2D 70A80500 SUB EAX, 5A870

004122C8 FFD0 Call EAX

004122CA 0BC0 or EAX, EAX

004122CC 0F84 D41B0000 JE 00413EA6

004122D2 8DBD AB454000 Lea EDI, DWORD PTR SS: [EBP 4045AB]

004122D8 2BC9 SUB ECX, ECX

004122DA 2BC0 SUB EAX, EAX

004122DC B0 23 MOV Al, 23

004122DE 41 INC ECX

004122DF 32C1 XOR AL, CL

004122E1 48 DEC EAX

004122E2 284439 FF SUB BYTE PTR DS:[ECX+EDI-1], AL

004122E6 81F9 F4030000 CMP ECX, 3F4

004122EC ^ 75 f0 jnz short 004122de

004122ee 8D85 6A894000 Lea Eax, DWORD PTR SS: [EBP 40896A]

004122f4 05 5ebdffff add eax, fffbd5e

004122F9 FFD0 CALL EAX ; this call displays the password box; note that the shell does not compare the password directly

004122FB EB 01 JMP Short 004122FE

......

00414776 68 A0050000 PUSH 5A0

0041477B 59 POP ECX ; size 5A0

0041477C 8DBD 8B304000 LEA EDI, DWORD PTR SS:[EBP+40308B]

00414782 81EF 2A010000 SUB EDI, 12A

00414788 D1EB SHR EBX, 1

0041478A 73 06 JNB SHORT 00414792

0041478C 81F3 3488328C XOR EBX, 8C328834

00414792 301F XOR BYTE PTR DS:[EDI], BL ; decode from 41235C, size 5A0

00414794 47 INC EDI

00414795 49 DEC ECX

00414796 9C Pushfd

00414797 C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041479B F71424 Not DWORD PTR SS: [ESP]

0041479E 832424 01 And DWORD PTR SS: [ESP], 1

004147A2 50 Push EAX

004147A3 52 Push EDX

004147A4 B8 77B2DC10 MOV EAX, 10DCB277

004147A9 05 444D23EF ADD EAX, EF234D44

004147AE F76424 08 MUL DWORD PTR SS: [ESP 8]

004147B2 8D8428 D2534000 LEA EAX, DWORD PTR DS: [EAX EBP 4053D2]

004147B9 894424 08 MOV DWORD PTR SS: [ESP 8], EAX; PESPIN.004147CD

004147BD 5A POP EDX

004147BE 58 POP EAX

004147BF 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

004147C3 FF6424 FC JMP DWORD PTR SS: [ESP-4]

......

004123D9 68 FF000000 PUSH 0FF ; /BufSize = FF (255.)

004123DE 56 Push ESI; | Pathbuffer = pESPIN.00412000

004123DF 6A 00 Push 0; | hModule = NULL

004123E1 53 Push EBX; | RETURN ADDRESS

004123E2 FFA5 4A4C4000 JMP DWORD PTR SS: [EBP 404C4A]; / GETMODULEFILENAMEA

......

004123F6 6A 00 Push 0; / hTemplateFile = NULL

004123F8 68 80000000 PUSH 80; | Attributes = Normal

004123fd 6a 03 Push 3; | Mode = Open_EXISTING

004123FF 6A 00 PUSH 0 ; |pSecurity = NULL

00412401 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ

00412403 68 00000080 PUSH 80000000; | Access = generic_read

00412408 56 Push ESI; | FileName

00412409 53 Push EBX; | RETURN Address

0041240A FFA5 184C4000 JMP DWORD PTR SS: [EBP 404C18]; / CREATEFILEA

......

00412413 E8 01000000 Call 00412419

00412418 90 NOP

00412419 5A POP EDX

0041241A 81C2 1A000000 Add EDX, 1A

00412420 8985 8f5E4000 MOV DWORD PTR SS: [EBP 405E8F], EAX

00412426 93 XCHG EAX, EBX

00412427 6a 00 push 0; / pfilesizehigh = null

00412429 53 Push EBX; | HFILE = 00000040 (Window)

0041242A 52 Push EDX; | RETURN Address

0041242B FFA5 454C4000 JMP DWORD PTR SS: [EBP 404C45]; / GETFILESIZE

00412431 90 NOP

00412432 E8 01000000 Call 00412438

00412437 90 NOP

00412438 5A POP EDX

00412439 81C2 24000000 Add EDX, 24

0041243F 8BD8 MOV EBX, EAX

00412441 53 PUSH EBX

00412442 8F85 9B5E4000 POP DWORD PTR SS: [EBP 405E9B]

00412448 6A 04 Push 4; / protect = Page_Readwrite

0041244A 68 00300000 Push 3000; | ALLOCATIONTYPE = MEM_COMMIT | MEM_RESERVE

0041244F 50 PUSH EAX ; |Size = D400 (54272.)

00412450 6A 00 PUSH 0 ; |Address = NULL

00412452 52 Push EDX; | RETURN Address

00412453 FFA5 0E4C4000 JMP DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00412459 90 NOP

0041245A 90 NOP

0041245B 50 Push EAX

0041245C 8F85 C94B4000 POP DWORD PTR SS: [EBP 404BC9]; [EBP 404BC9] = [413fc4] Save HMEM

00412462 8D8D 9B5E4000 LEA ECX, DWORD PTR SS: [EBP 405E9B]

00412468 E8 01000000 CALL 0041246E

0041246D 90 NOP

0041246E 5A POP EDX

0041246F 81C2 1e000000 Add EDX, 1E

00412475 6A 00 Push 0; / Poverlapped = NULL

00412477 51 Push ECX; | PBYTESREAD = pESPIN.00415296

00412478 53 Push EBX; | Bytestoread = D400 (54272.)

00412479 50 push eax; | buffer = 003D0000

0041247A FFB5 8F5E4000 PUSH DWORD PTR SS: [EBP 405E8F]; | HFILE = 00000040 (Window)

00412480 52 Push EDX; | RETURN Address

00412481 FFA5 1D4C4000 JMP DWORD PTR SS: [EBP 404C1D]; / ReadFile

00412487 90 NOP

00412488 90 NOP

00412489 90 NOP

0041248A 90 NOP

0041248B E8 01000000 Call 00412491

00412490 90 NOP

00412491 5A POP EDX

00412492 81C2 17000000 ADD EDX, 17

00412498 FFB5 8F5E4000 PUSH DWORD PTR SS:[EBP+405E8F] ; /hObject = 00000040 (window)

0041249E 52 Push EDX; | RETURN ADDRESS

0041249F FFA5 094C4000 JMP DWORD PTR SS: [EBP 404C09]; / CloseHandle

004124A5 90 NOP

004124A6 90 NOP

......

004124E4 FFD0 CALL EAX ; compute the CRC of the file

004124E6 2985 A35E4000 SUB DWORD PTR SS:[EBP+405EA3], EAX ; [EBP+405EA3] = [0041529E], later loaded as the decode key at 0041260F

004124EC E8 01000000 Call 004124F2

004124F1 90 NOP

004124F2 5A POP EDX

004124F3 81C2 1e000000 Add EDX, 1E

004124F9 68 00800000 PUSH 8000; / freetype = MEM_RELEASE

004124FE 6A 00 Push 0; | size = 0

00412500 FFB5 C94B4000 PUSH DWORD PTR SS: [EBP 404BC9]; | Address = 003D0000

00412506 52 Push EDX; | RETURN ADDRESS

00412507 FFA5 134C4000 JMP DWORD PTR SS: [EBP 404C13]; / VirtualFree

......

004125BF 0FB78D C74B4000 MOVZX ECX, Word PTR SS: [EBP 404BC7]

004125C6 8B95 CD4B4000 MOV EDX, DWORD PTR SS: [EBP 404BCD]

004125CC 81C2 F8000000 Add EDX, 0F8

004125D2 8B9D 935E4000 MOV EBX, DWORD PTR SS: [EBP 405E93]

004125d8 33c0 xor Eax, EAX

004125DA 90 NOP

004125db 90 NOP

004125dc 90 NOP

004125dd 90 NOP

004125DE 90 NOP

004125df 90 NOP

004125E0 90 NOP

004125E1 90 NOP

004125E2 90 NOP

004125E3 90 NOP

004125E4 90 NOP

004125E5 90 NOP

004125E6 90 NOP

004125E7 90 NOP

004125E8 90 NOP

004125E9 90 NOP

004125ea 90 NOP

004125eb 51 Push ECX

004125EC 0FA3C3 BT EBX, EAX

004125ef 73 67 JNB Short 00412658

004125f1 52 Push EDX

004125F2 90 NOP

004125F3 90 NOP

004125F4 90 NOP

004125F5 90 NOP

004125F6 90 NOP

004125F7 90 NOP

004125F8 90 NOP

004125F9 90 NOP

004125FA 90 NOP

004125fb 90 NOP

004125FC 90 NOP

004125FD 90 NOP

004125fe 90 NOP

004125FF 90 NOP

00412600 90 NOP

00412601 90 NOP

00412602 90 NOP

00412603 8B7A 0C MOV EDI, DWORD PTR DS:[EDX+C] ; section VirtualAddress

00412606 03BD C34B4000 ADD EDI, DWORD PTR SS:[EBP+404BC3] ; + image base

0041260C 8B4A 10 MOV ECX, DWORD PTR DS:[EDX+10] ; section SizeOfRawData

0041260F 8B95 A35E4000 MOV EDX, DWORD PTR SS:[EBP+405EA3] ; key derived from the CRC above

00412615 D1EA SHR EDX, 1

00412617 72 06 JB SHORT 0041261F

00412619 81F2 31AF43ED XOR EDX, ED43AF31

0041261F 3017 XOR BYTE PTR DS:[EDI], DL ; loop restoring the section

00412621 47 Inc EDI

00412622 90 NOP

00412623 90 NOP

00412624 90 NOP

00412625 90 NOP

00412626 90 NOP

00412627 90 NOP

00412628 90 NOP

00412629 90 NOP

0041262A 90 NOP

0041262B 90 NOP

0041262C 90 NOP

0041262D 90 NOP

0041262E 90 NOP

0041262F 90 NOP

00412630 90 NOP

00412631 90 NOP

00412632 90 NOP

00412633 90 NOP

00412634 90 NOP

00412635 90 NOP

00412636 90 NOP

00412637 90 NOP

00412638 90 NOP

00412639 90 NOP

0041263A 90 NOP

0041263B 90 NOP

0041263C 90 NOP

0041263D 90 NOP

0041263e 90 NOP

0041263F 90 NOP

00412640 90 NOP

00412641 90 NOP

00412642 90 NOP

00412643 90 NOP

00412644 90 NOP

00412645 90 NOP

00412646 90 NOP

00412647 90 NOP

00412648 90 NOP

00412649 90 NOP

0041264A 90 NOP

0041264B 90 NOP

0041264C 90 NOP

0041264D 90 NOP

0041264E 90 NOP

0041264F 90 NOP

00412650 90 NOP

00412651 90 NOP

00412652 90 NOP

00412653 90 NOP

00412654 49 DEC ECX

00412655 ^ 75 be jnz short 00412615

00412657 5A POP EDX

00412658 40 Inc EAX

00412659 83C2 28 Add EDX, 28

0041265C 59 POP ECX

0041265D 90 NOP

0041265E 90 NOP

0041265F 90 NOP

00412660 90 NOP

00412661 90 NOP

00412662 90 NOP

00412663 90 NOP

00412664 90 NOP

00412665 90 NOP

00412666 90 NOP

00412667 90 NOP

00412668 90 NOP

00412669 90 NOP

0041266A 90 NOP

0041266B 90 NOP

0041266C 90 NOP

0041266D 90 NOP

0041266E 49 DEC ECX

0041266f 9c pushfd

00412670 C12C24 06 SHR DWORD PTR SS: [ESP], 6

00412674 F71424 Not DWORD PTR SS: [ESP]

00412677 832424 01 And DWORD PTR SS: [ESP], 1

0041267B 50 Push EAX

0041267C 52 Push EDX

0041267D B8 04B2DC12 MOV EAX, 12DCB204

00412682 05 444D23ED Add Eax, ED234D44

00412687 F76424 08 MUL DWORD PTR SS: [ESP 8]

0041268B 8D8428 A8324000 LEA EAX, DWORD PTR DS: [EAX EBP 4032A8]

00412692 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00412696 5A POP EDX

00412697 58 POP EAX

00412698 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

0041269C FF6424 FC JMP DWORD PTR SS:[ESP-4] ; jump back if the restore is not yet finished
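The section-restore loop at 004125EB..0041265D, as an added Python model (not the shell's own code): the key register is stepped by SHR EDX,1 and, depending on the bit shifted out, XORed with ED43AF31, and DL is then XORed over the section byte by byte. Only sections whose bit in the mask loaded from [EBP+405E93] is set are touched, and the seed is the value at [EBP+405EA3] after the file CRC was subtracted from it at 004124E6, which is why a file patched on disk decodes to garbage. The section headers, CRC and stored value below are constructed sample inputs, not values from the protected file.

```python
# Added example (not from the article): model of the section-restore loop at 004125EB..0041265D.
# EDX is reloaded from [EBP+405EA3] for every section, so each section starts from the same seed.
MASK32 = 0xFFFFFFFF
SECTION_HEADER_SIZE = 0x28      # ADD EDX,28 steps one IMAGE_SECTION_HEADER

def derive_seed(stored_value, crc):
    """004124E6: SUB DWORD PTR [EBP+405EA3], EAX with EAX = CRC of the file on disk."""
    return (stored_value - crc) & MASK32

def keystream(seed, count, poly=0xED43AF31, xor_on_carry=False):
    """SHR EDX,1 then conditionally XOR EDX with the polynomial; DL is the key byte.
    At 00412615 the JB skips the XOR, so it happens when the bit shifted out was 0;
    the loops at 00414788 (JNB, 8C328834) and 00412709 (JNB, ED43AF32) use the opposite sense."""
    edx = seed & MASK32
    out = bytearray()
    for _ in range(count):
        carry = edx & 1
        edx >>= 1
        if carry == (1 if xor_on_carry else 0):
            edx ^= poly
        out.append(edx & 0xFF)
    return bytes(out)

def restore_section(data, seed, **stream_args):
    """XOR BYTE PTR [EDI],DL over the section; XOR is its own inverse, so the same call
    both restores a protected section and re-protects a plain one."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data), **stream_args)))

def sections_to_restore(section_headers, bitmask):
    """BT EBX,EAX / JNB: section index EAX is restored only when its bit in the mask is set."""
    return [(i, hdr) for i, hdr in enumerate(section_headers) if (bitmask >> i) & 1]

if __name__ == "__main__":
    # Constructed sample: four fake section headers (name, VirtualAddress, SizeOfRawData) and a
    # short plain blob; the CRC and stored value are made-up numbers, not taken from a real file.
    headers = [(".text", 0x1000, 0x6000), (".rdata", 0x7000, 0x1000),
               (".data", 0x8000, 0x1000), (".pespin", 0xC000, 0x5000)]
    seed = derive_seed(0x12345678, 0x0000ABCD)
    plain = b"push ebp; mov ebp, esp"
    protected = restore_section(plain, seed)        # the packer's direction
    for idx, (name, va, size) in sections_to_restore(headers, 0b0111):
        print(f"section {idx} {name} at {va:05X} ({size:X} bytes) is restored")
    print(restore_section(protected, seed) == plain)
    # with a wrong CRC (a patched file) the seed differs and the section does not come back
    print(restore_section(protected, derive_seed(0x12345678, 0x0000ABCE)) == plain)
```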

......

004126B4 838D 9D5D4000 0> OR DWORD PTR SS:[EBP+405D9D], 0 ; test whether the anti-debug option is set

004126BB 74 0D JE SHORT 004126CA ; if Anti-Debug was not selected this jumps over it; the main program was not built with Anti-Debug

004126BD 8D85 C8554000 LEA EAX, DWORD PTR SS:[EBP+4055C8] ; tests for SoftICE via the CreateFileA method

004126C3 2D D1030000 SUB EAX, 3D1

004126C8 FFD0 Call EAX

004126CA 68 80010000 Push 180

004126CF 59 POP ECX ...

00412703 E8 01000000 Call 00412709

00412708 90 NOP

00412709 D1EA SHR EDX, 1

0041270B 73 06 JNB Short 00412713

0041270D 81f2 32af43ed xor EDX, ED43AF32

00412713 3017 xor Byte Ptr DS: [EDI], DL

00412715 47 Inc EDI

00412716 49 DEC ECX

00412717 9C Pushfd

00412718 C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041271C F71424 NOT DWORD PTR SS: [ESP]

0041271F 832424 01 And DWORD PTR SS: [ESP], 1

00412723 50 Push EAX

00412724 52 Push EDX

00412725 B8 CEBFABF2 MOV EAX, F2ABBFCE

0041272A 05 EB3F540D ADD EAX, 0D543FEB

0041272F F76424 08 MUL DWORD PTR SS: [ESP 8]

00412733 8D8428 4F334000 LEA EAX, DWORD PTR DS: [EAX EBP 40334F]

0041273A 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

0041273e 5a POP EDX

0041273F 58 POP EAX

00412740 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00412744 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; decode 180 bytes starting at 41495A and working down

......

00412757 2BC3 SUB EAX, EBX

00412759 50 PUSH EAX ; run the code just decoded

0041275A C3 RETN

......

0041495A / EB 01 JMP SHORT 0041495D

0041495C | 90 NOP

0041495D / 8DBD 60334000 LEA EDI, DWORD PTR SS:[EBP+403360] ; 0041275B

00414963 B9 A1010000 MOV ECX, 1A1 ; decode 1A1 bytes of code starting at 41275B

00414968 90 NOP

00414969 90 NOP

0041496A 90 NOP

0041496B 90 NOP

0041496C 90 NOP

0041496D 90 NOP

0041496E 90 NOP

0041496F 90 NOP

00414970 90 NOP

00414971 8A07 MOV Al, Byte PTR DS: [EDI]

00414973 02C1 Add Al, CL

00414975 C0C8 1e Ror Al, 1E

00414978 F9 STC

00414979 90 NOP

0041497A F9 STC

0041497B 02C1 Add Al, CL

0041497D EB 01 JMP short 00414980

0041497F 90 NOP

00414980 02C1 Add Al, Cl

00414982 C0C0 93 ROL Al, 93; Shift Constant Out of Range 1..31

00414985 EB 01 JMP short 00414988

00414987 90 NOP

00414988 EB 01 JMP SHORT 0041498B

0041498A 90 NOP

0041498B EB 01 JMP short 0041498E

0041498D 90 NOP

0041498E EB 01 JMP short 00414991

00414990 90 NOP

00414991 32C1 XOR Al, Cl

00414993 2C 57 SUB AL, 57

00414995 02C1 Add Al, CL

00414997 AA Stos Byte Ptr ES: [EDI]

00414998 49 DEC ECX

00414999 9C Pushfd

0041499A C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041499E F71424 Not DWORD PTR SS: [ESP]

004149A1 832424 01 and DWORD PTR SS: [ESP], 1

004149A5 50 Push EAX

004149A6 52 Push EDX

004149A7 B8 5EBFDC32 MOV EAX, 32DCBF5E

004149ac 05 444023cd add Eax, CD234044

004149B1 F76424 08 MUL DWORD PTR SS: [ESP 8]

004149B5 8D8428 D4554000 LEA EAX, DWORD PTR DS: [EAX EBP 4055D4]

004149BC 894424 08 MOV DWORD PTR SS:[ESP+8], EAX ; PESPIN.004149CF

004149C0 5A POP EDX

004149C1 58 POP EAX

004149C2 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

004149C6 FF6424 FC JMP DWORD PTR SS: [ESP-4]

......

004149cf 55 Push EBP

004149D0 9C Pushfd

004149D1 E8 77000000 CALL 00414A4D ; an SEH exception is raised here

......

004149D7 8B5424 08 MOV EDX, DWORD PTR SS: [ESP 8]

004149db 8b4424 0c MOV Eax, DWORD PTR SS: [ESP C]

004149DF 8142 04 3500000> Add DWORD PTR DS: [EDX 4], 35

004149E6 81ca 29242123 Or EDX, 23212429

004149EC 2BC9 SUB ECX, ECX

004149EE 2148 04 and DWORD PTR DS: [EAX 4], ECX; Clear Hardware Breakpoint

004149f1 2148 08 and dword PTR DS: [EAX 8], ECX

004149F4 2148 0C and DWORD PTR DS: [EAX C], ECX

004149F7 2148 10 and dword PTR DS: [EAX 10], ECX

004149FA 8160 14 F00FFFF> And DWORD PTR DS: [EAX 14], FFFF0FF0

00414A01 C740 18 5501000> MOV DWORD PTR DS: [EAX 18], 155

00414A08 33C0 XOR EAX, EAX

00414A0A C3 RETN

......

00414A65 8DBD 01354000 LEA EDI, DWORD PTR SS:[EBP+403501] ; decode 108F bytes of code starting at 004128FC

00414A6B B9 8F100000 MOV ECX, 108F

00414A70 90 NOP

00414A71 90 NOP

00414A72 90 NOP

00414A73 90 NOP

00414A74 90 NOP

00414A75 90 NOP

00414A76 90 NOP

00414A77 90 NOP

00414A78 90 NOP

00414A79 8A07 MOV Al, Byte PTR DS: [EDI]

00414A7B 02C1 Add Al, CL

00414A7D C0C0 43 ROL AL, 43 ; shift constant out of range 1..31

00414A80 FEC8 DEC AL

00414A82 04 40 Add Al, 40

00414A84 2C 39 SUB AL, 39

00414A86 EB 01 JMP Short 00414A89

00414A88 90 NOP

00414A89 34 BB XOR Al, 0BB

00414A8B 0ac0 or Al, Al

00414A8D 04 85 Add Al, 85

00414A8F EB 01 JMP SHORT 00414A92

00414A91 90 NOP

00414A92 02C1 Add Al, CL

00414A94 90 NOP

00414A95 F9 STC

00414A96 C0C8 53 ROR Al, 53; SHIFT Constant Out of Range 1..31

00414A99 0ac0 or Al, Al

00414A9B 04 C2 Add Al, 0C2

00414A9D 2ac1 SUB Al, Cl

00414A9f aa stos byte PTR ES: [EDI]

00414AA0 49 DEC ECX

00414AA1 9C PUSHFD

00414AA2 C12C24 06 SHR DWORD PTR SS: [ESP], 6

00414AA6 F71424 NOT DWORD PTR SS: [ESP]

00414AA9 832424 01 and DWORD PTR SS: [ESP], 1

00414AAD 50 Push EAX

00414AAE 52 Push EDX

00414AAF B8 61B2DC12 MOV EAX, 12DCB261

00414AB4 05 444D23ED ADD EAX, ED234D44

00414AB9 F76424 08 MUL DWORD PTR SS: [ESP 8]

00414ABD 8D8428 D9564000 LEA EAX, DWORD PTR DS: [EAX EBP 4056D9]

00414AC4 894424 08 MOV DWORD PTR SS: [ESP 8], EAX; PESPIN.00414AD4

00414ac8 5A POP EDX

00414ac9 58 POP EAX

00414ACA 8D6424 04 Lea ESP, DWORD PTR SS: [ESP 4]

00414ACE FF6424 FC JMP DWORD PTR SS:[ESP-4] ; jump back if decoding is not yet finished

......

00412777 68 07000000 PUSH 7

0041277C 5B POP EBX

0041277D 25 25382C37 and Eax, 372C3825

00412782 50 Push EAX

00412783 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00412787 F7D0 Not Eax

00412789 234424 FC And Eax, DWORD PTR SS: [ESP-4]

0041278D 51 Push ECX; start decryption from this section

0041278E 90 NOP

0041278F 90 NOP

00412790 90 NOP

00412791 90 NOP

00412792 90 NOP

00412793 90 NOP

00412794 90 NOP

00412795 90 NOP

00412796 90 NOP

00412797 90 NOP

00412798 90 NOP

00412799 90 NOP

0041279A 0FA3C3 BT EBX, EAX

0041279D 73 79 JNB SHORT 00412818 ; if this section has already been handled, jump to the next section

0041279F 90 NOP

004127A0 90 NOP

004127A1 90 NOP

004127A2 90 NOP

004127A3 90 NOP

004127A4 90 NOP

004127A5 90 NOP

004127A6 90 NOP

004127A7 90 NOP

004127A8 90 NOP

004127A9 90 NOP

004127AA 90 NOP

004127AB 90 NOP

004127ac 90 NOP

004127AD 90 NOP

004127AE 90 NOP

004127AF 90 NOP

004127B0 90 NOP

004127B1 90 NOP

004127B2 90 NOP

004127B3 90 NOP

004127B4 90 NOP

004127B5 90 NOP

004127B6 90 NOP

004127B7 90 NOP

004127B8 90 NOP

004127B9 90 NOP

004127BA 90 NOP

004127BB 90 NOP

004127BC 90 NOP

004127BD 90 NOP

004127BE 90 NOP

004127BF 90 NOP

004127c0 90 NOP

004127C1 90 NOP

004127C2 90 NOP

004127C3 90 NOP

004127C4 90 NOP

004127C5 90 NOP

004127C6 90 NOP

004127C7 90 NOP

004127C8 90 NOP

004127C9 90 NOP

004127CA 90 NOP

004127CB 90 NOP

004127cc 90 NOP

004127CD 8B7A 0C MOV EDI, DWORD PTR DS:[EDX+C]

004127D0 03BD C34B4000 ADD EDI, DWORD PTR SS:[EBP+404BC3]

004127D6 8B4A 10 MOV ECX, DWORD PTR DS:[EDX+10] ; RawSize = 6000

004127D9 50 PUSH EAX

004127DA 8A07 MOV AL, BYTE PTR DS:[EDI] ; decryption of the first section starts here: from 401000, size 6000

004127DC 2C 61 SUB AL, 61

004127DE F8 CLC

004127DF F8 CLC

004127E0 C0C0 B1 ROL AL, 0B1 ; shift constant out of range 1..31

004127E3 34 AF XOR Al, 0AF

004127E5 04 70 ADD Al, 70

004127E7 FEC8 DEC AL

004127E9 EB 01 JMP SHORT 004127EC

004127EB 90 NOP

004127EC F8 CLC

004127ED 32C1 XOR Al, CL

004127EF C0C0 42 ROL Al, 42; SHIFT Constant Out of Range 1..31

004127f2 EB 01 JMP Short 004127F5

004127F4 90 NOP

004127F5 02C1 ADD AL, CL

004127F7 2AC1 SUB AL, CL

004127F9 34 04 XOR AL, 4

004127FB C0C0 9B ROL AL, 9B ; shift constant out of range 1..31

004127FE FEC8 DEC AL

00412800 AA STOS BYTE PTR ES:[EDI]

00412801 49 DEC ECX

00412802 90 NOP

00412803 90 NOP

00412804 90 NOP

00412805 90 NOP

00412806 90 NOP

00412807 90 NOP

00412808 90 NOP

00412809 90 NOP

0041280A 90 NOP

0041280B 90 NOP

0041280C 90 NOP

0041280D 90 NOP

0041280E 90 NOP

0041280f 90 NOP

00412810 90 NOP

00412811 90 NOP

00412812 90 NOP

00412813 0BC9 or ECX, ECX

00412815 ^ 75 C3 JNZ SHORT 004127DA ; keep decrypting until this section is done

00412817 58 POP EAX

00412818 40 Inc EAX

00412819 83C2 28 Add EDX, 28

0041281C 90 NOP

0041281D 90 NOP

0041281E 90 NOP

0041281F 90 NOP

00412820 90 NOP

00412821 90 NOP

00412822 90 NOP

00412823 90 NOP

00412824 90 NOP

00412825 59 POP ECX

00412826 49 DEC ECX

00412827 9C Pushfd

00412828 C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041282C F71424 Not DWORD PTR SS: [ESP]

0041282F 832424 01 and DWORD PTR SS: [ESP], 1

00412833 50 PUSH EAX

00412834 52 PUSH EDX

00412835 B8 E979A6F5 MOV Eax, F5A679E9

0041283A 05 4985590A Add Eax, 0A598549

0041283F F76424 08 MUL DWORD PTR SS: [ESP 8]

00412843 8D8428 60344000 Lea EAX, DWORD PTR DS: [EAX EBP 403460]

0041284A 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

0041284e 5a POP EDX

0041284F 58 POP EAX

00412850 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00412854 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; if not finished, jump back and continue decrypting
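The per-byte transform between 004127DA and 004127FE, as an added example in Python (not the shell's code): decrypt_byte applies the listed operations in order, relying on the fact that x86 masks an 8-bit rotate count to five bits and then takes it modulo 8, so OllyDbg's "shift constant out of range" warnings for 0B1, 42 and 9B really mean rotate by 1, 2 and 3. CL is the low byte of the remaining count, so the key for byte i of a section of size n is (n - i) & FF. encrypt_byte is the step-by-step inverse, which lets a round trip confirm the model; the sample data is constructed, not taken from the protected file.

```python
# Added example (not the shell's code): Python model of the section decryptor at 004127DA..00412815.
def rol8(v, n):
    """x86 ROL r/m8: the count is masked to 5 bits and then taken modulo the 8-bit operand size,
    so the 'out of range' constants 0B1, 42 and 9B are effective rotates by 1, 2 and 3."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF if n else v

def ror8(v, n):
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF if n else v

def decrypt_byte(al, cl):
    """One pass over the loop body, in listing order; CL is the low byte of the running counter."""
    al = (al - 0x61) & 0xFF      # SUB AL,61      (the CLC/STC around the rotates are no-ops)
    al = rol8(al, 0xB1)          # ROL AL,0B1     -> ROL AL,1
    al ^= 0xAF                   # XOR AL,0AF
    al = (al + 0x70) & 0xFF      # ADD AL,70
    al = (al - 1) & 0xFF         # DEC AL
    al ^= cl                     # XOR AL,CL
    al = rol8(al, 0x42)          # ROL AL,42      -> ROL AL,2
    al = (al + cl) & 0xFF        # ADD AL,CL  } cancel each other out; kept for fidelity
    al = (al - cl) & 0xFF        # SUB AL,CL  }
    al ^= 0x04                   # XOR AL,4
    al = rol8(al, 0x9B)          # ROL AL,9B      -> ROL AL,3
    return (al - 1) & 0xFF       # DEC AL, then STOS writes the byte back

def encrypt_byte(al, cl):
    """Exact inverse of decrypt_byte (each step undone in reverse order)."""
    al = (al + 1) & 0xFF
    al = ror8(al, 0x9B)
    al ^= 0x04
    al = ror8(al, 0x42)
    al ^= cl
    al = (al + 1) & 0xFF
    al = (al - 0x70) & 0xFF
    al ^= 0xAF
    al = ror8(al, 0xB1)
    return (al + 0x61) & 0xFF

def decrypt_section(data):
    """ECX starts at the section's raw size and is decremented after every byte (DEC ECX at
    00412801), so byte i is processed with CL = (size - i) & 0xFF."""
    size = len(data)
    return bytes(decrypt_byte(b, (size - i) & 0xFF) for i, b in enumerate(data))

def encrypt_section(data):
    size = len(data)
    return bytes(encrypt_byte(b, (size - i) & 0xFF) for i, b in enumerate(data))

if __name__ == "__main__":
    sample = bytes(range(256)) * 2        # constructed input, not bytes from the protected file
    protected = encrypt_section(sample)
    print(protected[:16].hex())
    print(decrypt_section(protected) == sample)
```

Because the key byte is the counter rather than a secret, every section of the same size is decrypted with the same key schedule; a static unpacker only needs the section size to undo the loop without running the shell.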

......

0041286B E8 BA1C0000 CALL 0041452A ; this CALL actually raises an exception

......

00415062 6A 04 Push 4; / protect = Page_Readwrite

00415064 68 00300000 PUSH 3000; | AllocationType = MEM_COMMIT | MEM_RESERVE

00415069 51 Push ECX; | SIZE = 3166 (12646.)

0041506A 6A 00 PUSH 0 ; |Address = NULL

0041506C FF95 0E4C4000 Call DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00415072 96 xchg Eax, ESI; HMEM == 003D0000

00415073 5A POP EDX

00415074 BF 50F40000 MOV EDI, 0F450

00415079 81C7 00004000 Add EDI, 00400000

0041507F 56 Push ESI; / storage address == 003d0000

00415080 57 Push EDI; | Unzip address == 40F450

00415081 E8 1cdeffff Call 00412EA2; / APLIB_DEPACK

00415086 91 XCHG EAX, ECX

00415087 F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]

00415089 5F POP EDI

0041508A 5E POP ESI

0041508B EB 01 JMP Short 0041508E

0041508D 90 NOP

0041508E 68 00400000 Push 4000; / freetype = MEM_DECOMMIT

00415093 52 Push EDX; | SIZE = 3166 (12646.)

00415094 56 push esi; | address = 003d0000

00415095 FF95 134C4000 Call DWORD PTR SS: [EBP 404C13]; / VirtualFree

......

004150A7 8D85 ED5C4000 LEA EAX, DWORD PTR SS: [EBP 405CED]

004150AD 8338 00 CMP DWORD PTR DS: [EAX], 0

004150B0 0F84 CB000000 JE 00415181

004150B6 B9 80B60000 MOV ECX, 0B680

004150BB 6A 04 Push 4; / protect = Page_Readwrite

004150BD 68 00300000 PUSH 3000; | ALLOCATIONTYPE = MEM_COMMIT | MEM_RESERVE

004150C2 51 PUSH ECX; | size = b680 (46720.)

004150c3 6a 00 push 0; | address = null

004150C5 FF95 0E4C4000 Call DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

004150CB 8985 0E5D4000 MOV DWORD PTR SS: [EBP 405D0E], EAX; [EBP 405D0E] == [00415109]

004150d1 EB 01 JMP Short 004150D4

004150D3 90 NOP

004150D4 0FB78D C74B4000 MOVZX ECX, Word PTR SS: [EBP 404BC7]; ECX == 4

004150DB 8B95 CD4B4000 MOV EDX, DWORD PTR SS:[EBP+404BCD]

004150E1 81C2 F8000000 ADD EDX, 0F8

004150E7 BB 07000000 MOV EBX, 7

004150EC 2BC0 SUB EAX, EAX

004150EE 51 PUSH ECX

004150ef 90 NOP

004150F0 90 NOP

004150f1 90 NOP

004150f2 90 NOP

004150f3 90 NOP

004150F4 90 NOP

004150f5 90 NOP

004150f6 90 NOP

004150f7 90 NOP

004150F8 0FA3C3 BT EBX, EAX

004150FB 73 27 JNB SHORT 00415124 ; jump if this section is already unpacked

004150FD 50 PUSH EAX

004150FE 53 PUSH EBX ; junk padding ^_^

004150FF 8B7A 0C MOV EDI, DWORD PTR DS:[EDX+C]

00415102 03BD C34B4000 ADD EDI, DWORD PTR SS:[EBP+404BC3] ; code start address 401000

00415108 BE 00003F00 MOV ESI, 3F0000

0041510D 56 PUSH ESI ; /temporary buffer == 003F0000

0041510E 57 PUSH EDI ; |address to unpack == 401000

0041510F E8 8EDDFFFF CALL 00412EA2 ; /APLIB_DEPACK

00415114 91 XCHG EAX, ECX

00415115 90 NOP

00415116 90 NOP

00415117 90 NOP

00415118 90 NOP

00415119 90 NOP

0041511A 90 NOP

0041511B 90 NOP

0041511C 90 NOP

0041511D 90 NOP

0041511E F3: A4 Rep Movs Byte PTR ES: [EDI], BYTE PTR DS: [ESI]

00415120 5F POP EDI

00415121 5E POP ESI

00415122 5B POP EBX

00415123 58 POP EAX

00415124 40 Inc EAX

00415125 83C2 28 Add EDX, 28

00415128 59 POP ECX

00415129 49 DEC ECX

0041512A 9C Pushfd

0041512B C12C24 06 SHR DWORD PTR SS: [ESP], 6

0041512F F71424 Not DWORD PTR SS: [ESP]

00415132 832424 01 And DWORD PTR SS: [ESP], 1

00415136 50 Push EAX

00415137 52 Push EDX

00415138 B8 49B2DC12 MOV EAX, 12DCB249

0041513D 05 444D23ED Add Eax, ED234D44

00415142 F76424 08 MUL DWORD PTR SS: [ESP 8]

00415146 8D8428 665D4000 LEA EAX, DWORD PTR DS: [EAX EBP 405D66]

0041514D 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00415151 5A POP EDX

00415152 58 POP EAX

00415153 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00415157 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; loop: aPLib-decompress each section

......

00415164 8B8D BC5C4000 MOV ECX, DWORD PTR SS: [EBP 405CBC]; [EBP 405CBC] = [4150B7] = B680

0041516A 8B85 0E5D4000 MOV EAX, DWORD PTR SS: [EBP 405D0E]; [EBP 405D0E] = [415109] = 3F0000

00415170 0BC0 or EAX, EAX

00415172 74 0D JE SHORT 00415181; jump if no buffer was allocated (the allocation failed)

00415174 68 00400000 Push 4000; / freetype = MEM_DECOMMIT

00415179 51 Push ECX; | SIZE = B680 (46720.)

0041517A 56 Push ESI; | Address = 003F0000

0041517B FF95 134C4000 Call DWORD PTR SS: [EBP 404C13]; / VirtualFree

00415181 EB 01 JMP short 00415184

This shell is fairly economical: it allocates a single buffer, wipes it after each use, and decompresses each section through it.

......

004143F2 8D85 9C504000 Lea Eax, DWORD PTR SS: [EBP 40509C]

004143f8 8785 7e504000 xchg DWORD PTR SS: [EBP 40507E], EAX

004143FE 8BBD C34B4000 MOV EDI, DWORD PTR SS: [EBP 404BC3]

00414404 037F 3C Add EDI, DWORD PTR DS: [EDI 3C]

00414407 89BD A8504000 MOV DWORD PTR SS: [EBP 4050A8], EDI

0041440D 03F8 Add Edi, EAX

0041440F B9 5C020000 MOV ECX, 25C

00414414 90 NOP

00414415 90 NOP

00414416 90 NOP

00414417 90 NOP

00414418 90 NOP

00414419 90 NOP

0041441A 90 NOP

0041441B 90 NOP

0041441C 90 NOP

0041441D 51 PUSH ECX

0041441E 8D85 8B5E4000 Lea Eax, DWORD PTR SS: [EBP 405E8B]

00414424 50 Push Eax; / PoldProtect = PESPIN.00415286

00414425 6A 40 push 40; | newprotect = Page_Execute_readwrite

00414427 51 PUSH ECX; | SIZE = 25C (604.)

00414428 57 Push EDI; | Address = pESPIN.004001C8

00414429 8DB5 F44B4000 LEA ESI, DWORD PTR SS: [EBP 404BF4];

0041442F FF56 10 Call DWORD PTR DS: [ESI 10]; / VirtualProtect

00414432 59 POP ECX

00414433 B0 FF MOV Al, 0FF

00414435 90 NOP

00414436 90 NOP

00414437 90 NOP

00414438 90 NOP

00414439 90 NOP

0041443A 90 NOP

0041443B 90 NOP

0041443C 90 NOP

0041443D 90 NOP

0041443e 90 NOP

0041443F 90 NOP

00414440 90 NOP

00414441 8BF7 MOV ESI, EDI

00414443 83C6 07 Add ESI, 7

00414446 C607 Be MOV BYTE PTR DS: [EDI], 0BE; start modifying PE header

00414449 8977 01 MOV DWORD PTR DS: [EDI 1], ESI

0041444C C747 05 8F06000> MOV DWORD PTR DS: [EDI 5], 68F

00414453 83E9 03 SUB ECX, 3

00414456 8D1C0F LEA EBX, DWORD PTR DS: [EDI ECX]

00414459 66: C703 33D2 MOV Word PTR DS: [EBX], 0D233

0041445E C643 02 C3 MOV BYTE PTR DS: [EBX 2], 0C3

00414462 53 Push EBX

00414463 8F85 DD4B4000 POP DWORD PTR SS: [EBP 404BDD]

00414469 2BDB SUB EBX, EBX

0041446B 90 NOP

0041446C 90 NOP

0041446d 90 NOP

0041446E 90 NOP

0041446F 90 NOP

00414470 90 NOP

00414471 90 NOP

00414472 90 NOP

00414473 90 NOP

00414474 E8 04000000 CALL 0041447D

00414479 97 XCHG EAX, EDI

0041447A 44 INC ESP

0041447B 41 INC ECX

0041447C 90 NOP; *** do not mistake these for junk instructions and NOP them out

0041447D 5A POP EDX; note: this one must not be NOPed, or the SEH setup goes wrong

0041447E 8B12 MOV EDX, DWORD PTR DS: [EDX]

00414480 55 Push EBP

00414481 52 Push EDX

00414482 64: FF33 PUSH DWORD PTR FS: [EBX]

00414485 64: 8923 MOV DWORD PTR FS: [EBX], ESP; Install SEH

00414488 68 F3AA9090 Push 9090AAF3

0041448D FFE7 JMP EDI; jumps to the code that destroys the PE header

0041448F 64: 8F02 Pop DWORD PTR FS: [EDX]

00414492 83C4 08 Add ESP, 8

00414495 C3 RETN

Look at the destruction method:

004001C8 BE CF014000 MOV ESI, 004001CF; fills the whole PE header from 4001C8 with FF, size 259

004001CD 8F06 POP DWORD PTR DS: [ESI]

004001cf f3: aa rep Stos Byte PTR ES: [EDI]

004001d1 90 NOP

004001D2 90 NOP

The solution is to dump the PE header before the shell destroys it.

......

004144CA 8D85 F44B4000 LEA EAX, DWORD PTR SS: [EBP 404BF4]

004144D0 B9 2E000000 MOV ECX, 2E

004144D5 FF1401 Call DWORD PTR DS: [ECX EAX]; GetTickCount

004144D8 8BD8 MOV EBX, EAX

004144DA F7D3 NOT EBX

004144dc 33D8 XOR EBX, EAX

004144DE 43 Inc EBX

004144DF 68 87000000 Push 87

004144E4 59 POP ECX

004144E5 66:35 4C50 XOR AX, 504C

004144E9 66:05 8911 Add Ax, 1189

004144ED AA STOS BYTE PTR ES: [EDI]; loop: erase the code at 412000

004144EE EB 01 JMP SHORT 004144F1

004144F0 90 NOP

004144f1 49 DEC ECX

004144f2 9c pushfd

004144f3 C12C24 06 SHR DWORD PTR SS: [ESP], 6

004144F7 F71424 Not DWORD PTR SS: [ESP]

004144FA 832424 01 and DWORD PTR SS: [ESP], 1

004144FE 50 Push EAX

004144FF 52 Push EDX

00414500 B8 6FB2DC12 MOV EAX, 12DCB26F

00414505 05 4E4D23ED ADD EAX, ED234D4E

0041450A F76424 08 MUL DWORD PTR SS: [ESP 8]

0041450E 8D8428 2D514000 Lea Eax, DWORD PTR DS: [EAX EBP 40512D]

00414515 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00414519 5A POP EDX

0041451A 58 POP EAX

0041451B 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

0041451F FF6424 FC JMP DWORD PTR SS: [ESP-4]

......

00414BBC 6A 04 Push 4; / protect = Page_Readwrite

00414BBE 68 00300000 Push 3000; | ALLOCATIONTYPE = MEM_COMMIT | MEM_RESERVE

00414BC3 51 PUSH ECX; | SIZE = 62 (98.)

00414BC4 6A 00 Push 0; | address = null

00414BC6 53 push ebx; | Return Address

00414BC7 FFA5 0E4C4000 JMP DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00414BCD 90 NOP

00414BCE 90 NOP

00414BCF 90 NOP

00414BD0 8DB5 19574000 LEA ESI, DWORD PTR SS: [EBP 405719]

00414BD6 97 XCHG EAX, EDI

00414BD7 8BDF MOV EBX, EDI

00414BD9 B9 2A000000 MOV ECX, 2A

00414BDE F3: A4 REP MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; copy the code starting at 414B14 into the just-allocated buffer, size 2A

00414BE0 be 759fe9d4 MOV ESI, D4E99F75

00414BE5 BA B1B5572B MOV EDX, 2B57B5B1

00414Bea 03F2 Add ESI, EDX

00414BEC B9 0A000000 MOV ECX, 0A; Size 0A

00414BF1 BA 13E40E80 MOV EDX, 800EE413

00414BF6 AD LODS DWORD PTR DS: [ESI]

00414BF7 4A DEC EDX

00414BF8 03C2 Add Eax, EDX

00414BFA 42 INC EDX

00414BFB 33C2 XOR EAX, EDX

00414BFD 4A DEC EDX

00414BFE C1CA 08 ROR EDX, 8

00414C01 AB Stos DWORD PTR ES: [EDI]

00414C02 49 DEC ECX

00414C03 9C Pushfd

00414C04 C12C24 06 SHR DWORD PTR SS: [ESP], 6

00414C08 F71424 Not DWORD PTR SS: [ESP]

00414C0B 832424 01 and dword PTR SS: [ESP], 1

00414c0f 50 Push EAX

00414C10 52 Push EDX

00414C11 B8 817A6FF2 MOV EAX, F26F7A81

00414C16 05 4085900D Add Eax, 0D908540

00414C1B F76424 08 MUL DWORD PTR SS: [ESP 8]

00414C1F 8D8428 3A584000 LEA EAX, DWORD PTR DS: [EAX EBP 40583A]

00414C26 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00414C2A 5A POP EDX

00414C2B 58 POP EAX

00414C2C 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00414C30 FF6424 FC JMP DWORD PTR SS: [ESP-4]; LOOP

......

00414C35 B9 10000000 MOV ECX, 10

00414C3A 8DB5 43574000 LEA ESI, DWORD PTR SS: [EBP 405743]

00414C40 F3: A4 Rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; from: 414B3E TO: D00052 SIZE: 10

00414C42 90 NOP

00414C43 90 NOP

00414C44 90 NOP

00414C45 90 NOP

00414C46 90 NOP

00414C47 90 NOP

00414C48 90 NOP

00414C49 90 NOP

00414C4A 90 NOP

00414C4B 90 NOP

00414C4C 90 NOP

00414C4D 90 NOP

00414C4E 93 XCHG EAX, EBX

00414C4F B9 0A000000 MOV ECX, 0A; SIZE

00414C54 8BBD E6574000 MOV EDI, DWORD PTR SS: [EBP 4057E6]

00414C5A 03BD EB574000 Add EDI, DWORD PTR SS: [EBP 4057EB]

00414C60 F3: AB REP STOS DWORD PTR ES: [EDI]; fill in the address of the just-allocated buffer D00000

00414C62 E8 01000000 Call 00414C68

00414C67 90 NOP

00414C68 5B POP EBX

00414C69 81C3 21000000 Add EBX, 21

00414C6F B9 61000000 MOV ECX, 61

00414C74 6A 04 Push 4; / protect = Page_Readwrite

00414C76 68 00300000 PUSH 3000; | AllocationType = MEM_COMMIT | MEM_RESERVE

00414C7B 51 PUSH ECX; | size = 61 (97.)

00414C7C 6A 00 Push 0; | Address = NULL

00414C7E 53 Push EBX; | RETURN ADDRESS

00414C7F FFA5 0E4C4000 JMP DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00414C85 90 NOP

00414C86 90 NOP

00414C87 90 NOP

00414C88 8DB5 DF564000 LEA ESI, DWORD PTR SS: [EBP 4056DF]

00414C8E 97 XCHG EAX, EDI

00414C8F 8BDF MOV EBX, EDI

00414C91 B9 26000000 MOV ECX, 26

00414C96 F3: A4 Rep Movs Byte PTR ES: [EDI], BYTE PTR DS: [ESI]; From 4A4ADA TO: D10000 SIZE: 26

......

00414CA4 8BB5 E6574000 MOV ESI, DWORD PTR SS: [EBP 4057E6]

00414CAA 03B5 EB574000 Add ESI, DWORD PTR SS: [EBP 4057EB]

00414CB0 83C6 28 Add ESI, 28

00414CB3 B9 0A000000 MOV ECX, 0A; SIZE

00414CB8 BA A4919C0B MOV EDX, 0B9C91A4

00414CBD AD LODS DWORD PTR DS: [ESI]

00414CBE 4A DEC EDX

00414cbf 03c2 Add Eax, EDX

00414cc1 42 Inc EDX

00414cc2 90 NOP

00414cc3 90 NOP

00414cc4 90 NOP

00414cc5 90 NOP

00414cc6 90 NOP

00414cc7 90 NOP

00414cc8 90 NOP

00414cc9 90 NOP

00414cca 90 NOP

00414ccb 90 NOP

00414ccc 90 NOP

00414CCD 90 NOP

00414CCE 33C2 XOR EAX, EDX

00414CD0 4A DEC EDX

00414CD1 C1CA 08 ROR EDX, 8

00414CD4 AB STOS DWORD PTR ES: [EDI]

00414CD5 49 DEC ECX

00414CD6 9C PUSHFD

00414CD7 90 NOP

00414CD8 90 NOP

00414CD9 90 NOP

00414CDA 90 NOP

00414CDB 90 NOP

00414CDC 90 NOP

00414CDD 90 NOP

00414CDE 90 NOP

00414CDF 90 NOP

00414CE0 C12C24 06 SHR DWORD PTR SS: [ESP], 6

00414CE4 F71424 NOT DWORD PTR SS: [ESP]

00414CE7 832424 01 AND DWORD PTR SS: [ESP], 1

00414CEB 50 PUSH EAX

00414CEC 52 PUSH EDX

00414CED B8 635A9AF0 MOV EAX, F09A5A63

00414CF2 05 46A5650F ADD Eax, 0f65a546

00414CF7 F76424 08 MUL DWORD PTR SS: [ESP 8]

00414CFB 8D8428 19594000 Lea Eax, DWORD PTR DS: [EAX EBP 405919]

00414D02 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00414D06 5A POP EDX

00414D07 58 POP EAX

00414D08 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00414D0C FF6424 FC JMP DWORD PTR SS: [ESP-4]; PESPIN.00414D14

......

00414D14 B9 13000000 MOV ECX, 13

00414D19 8DB5 05574000 LEA ESI, DWORD PTR SS: [EBP 405705]

00414D1F F3: A4 Rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; from: 414b00 to: D1004E Size: 13

00414D21 93 XCHG EAX, EBX

00414D22 B9 0A000000 MOV ECX, 0A

00414D27 8BBD E6574000 MOV EDI, DWORD PTR SS: [EBP 4057E6]

00414D2D 03BD EB574000 Add EDI, DWORD PTR SS: [EBP 4057EB]

00414D33 83C7 28 Add EDI, 28

00414D36 F3: AB Rep Stos DWORD PTR ES: [EDI]

00414D38 58 POP EAX

00414D39 90 NOP

00414D3A 90 NOP

00414d3b 90 NOP

00414D3C 90 NOP

00414D3D 90 NOP

00414D3E 90 NOP

00414D3F 90 NOP

00414D40 90 NOP

00414D41 90 NOP

00414D42 2D F9FFFFFF SUB EAX, -7

00414D47 90 NOP

00414D48 90 NOP

00414D49 90 NOP

00414D4A 90 NOP

00414D4B 90 NOP

00414D4C 90 NOP

00414D4D 90 NOP

00414D4E 90 NOP

00414D4F 90 NOP

00414D50 90 NOP

00414D51 90 NOP

00414D52 90 NOP

00414D53 90 NOP

00414D54 90 NOP

00414D55 90 NOP

00414D56 90 NOP

00414d57 90 NOP

00414D58 ^ ffe0 jmp eax; pespin.0041317d

......

004132F6 F685 A15D4000 0> TEST BYTE PTR SS: [EBP 405DA1], 1; this test checks whether API redirection was selected: 0 means not encrypted, 1 means encrypted

004132FD 74 51 Je Short 00413350

004132FF 90 NOP

00413300 90 NOP

00413301 90 NOP

00413302 90 NOP

00413303 90 NOP

00413304 90 NOP

00413305 90 NOP

00413306 90 NOP

00413307 90 NOP

00413308 90 NOP

00413309 90 NOP

0041330A 90 NOP

0041330B 90 NOP

0041330C 90 NOP

0041330D 90 NOP

0041330E 90 NOP

0041330F 90 NOP

00413310 BB 3C080000 MOV EBX, 83C; size of the relocated-API table

00413315 0BDB or EBX, EBX

00413317 74 37 JE SHORT 00413350; jump if the relocated-API size is 0

00413319 2BC0 SUB EAX, EAX

0041331B 2185 D14B4000 AND DWORD PTR SS: [EBP 404BD1], EAX

00413321 E8 01000000 Call 00413327

00413326 90 NOP

00413327 59 POP ECX

00413328 6A 40 Push 40; / protect = Page_execute_readwrite

0041332a 68 00300000 Push 3000; | ALLOCATIONTYPE = MEM_COMMIT | MEM_RESERVE

0041332F 53 Push EBX; | SIZE = 83c (2108.)

00413330 50 push eax; | address = null

00413338 8D6424 FC LEA ESP, DWORD PTR SS: [ESP-4]; |

00413335 81C1 23000000 Add ECX, 23; |

0041333B 890C24 MOV DWORD PTR SS: [ESP], ECX; | RETURN Address

004133E FFA5 0E4C4000 JMP DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00413344 90 NOP

00413345 85c0 Test Eax, EAX

00413347 74 21 JE SHORT 0041336A

00413349 50 Push EAX

0041334A 8F85 C94B4000 POP DWORD PTR SS: [EBP 404BC9]; [EBP 404BC9] Save HMEM (00D20000)

00413350 8D85 4A0D3400 Lea Eax, DWORD PTR SS: [EBP 340D4A]

00413356 8D80 5F320C00 LEA EAX, DWORD PTR DS: [EAX C325F]

0041335C 48 DEC EAX

0041335D FFD0 Call EAX; 004133A3

......

00414f25 6A 04 Push 4; / protect = Page_Readwrite

00414F27 68 00300000 Push 3000; | ALLOCATIONTYPE = MEM_COMMIT | MEM_RESERVE

00414F2C 51 Push ECX; | SIZE = 5c (92.)

00414f2d 6a 00 push 0; | | address = NULL

00414f2f 53 push ebx; | Return Address

00414F30 FFA5 0E4C4000 JMP DWORD PTR SS: [EBP 404C0E]; / Virtualalloc

00414F36 0F01FE INVLPG DH; privileged instruction

00414F39 8DB5 AA5A4000 LEA ESI, DWORD PTR SS: [EBP 405AAA]

00414F3F 97 XCHG EAX, EDI

00414F40 8BDF MOV EBX, EDI

00414F42 B9 22000000 MOV ECX, 22

00414F47 F3: A4 Rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; From: 414EA5 To: D30000 SIZE: 22

......

0041340C 3BB5 C34B4000 CMP ESI, DWORD PTR SS: [EBP 404BC3]; ESI holds the start address of the import table, 0040C160

......

00413468 8B5E 0C MOV EBX, DWORD PTR DS: [ESI C]

0041346B 039D C34B4000 Add EBX, DWORD PTR SS: [EBP 404BC3]

00413471 8BFB MOV EDI, EBX; address of the first API's name

......

00413473 E8 4C120000 CALL 004146C4; enter the routine that restores the DLL name

Go in and see:

004146C4 57 Push EDI

004146C5 800F 00 OR BYTE PTR DS: [EDI], 0; once the terminating 0 of the DLL name is reached, return directly; otherwise NOT each byte to restore the correct DLL name.

004146C8 74 16 JE SHORT 004146E0

004146CA 90 NOP

004146CB 90 NOP

004146CC 90 NOP

004146CD 90 NOP

004146CE 90 NOP

004146CF 90 NOP

004146D0 90 NOP

004146d1 90 NOP

004146d2 90 NOP

004146d3 90 NOP

004146d4 90 NOP

004146d5 90 NOP

004146D6 90 NOP

004146d7 90 NOP

004146D8 90 NOP

004146D9 90 NOP

004146DA 90 NOP

004146dB F617 Not Byte Ptr DS: [EDI]

004146DD 47 Inc EDI

004146DE ^ EB E5 JMP Short 004146C5

004146E0 5F POP EDI; PESPIN.0040C4C8

004146E1 C3 RETN

......

0041347F 53 PUSH EBX; / filename = "kernel32.dll"

00413480 50 PUSH EAX; |

00413481 FFB5 F54B4000 PUSH DWORD PTR SS: [EBP 404BF5]; / LoadLibrarya

00413487 814424 04 14000000 Add DWORD PTR SS: [ESP 4], 14

......

00413491 85c0 Test Eax, EAX

00413493 0F84 3F090000 JE 00413DD8; over if the load failed

00413499 E8 01000000 Call 0041349F

0041349E 90 NOP

0041349F 59 POP ECX

004134a0 50 Push EAX

004134A1 51 PUSH ECX

004134A2 55 Push EBP

004134A3 810424 12374000 Add DWORD PTR SS: [ESP], 00403712

004134AA 814424 04 22000000 Add DWORD PTR SS: [ESP 4], 22

004134B2 C3 RETN; this is equivalent to GetModuleHandleA: it obtains the DLL's handle

......

004134C1 2BD2 SUB EDX, EDX; after the handle is obtained, zero out the original DLL name

......

004134F0 800B 00 or Byte PTR DS: [EBX], 0

004134F3 74 0D JE SHORT 00413502; jump once the name is fully zeroed

004134F5 8813 MOV BYTE PTR DS: [EBX], DL; zero the DLL name

004134F7 C1C2 04 ROL EDX, 4

004134fa 90 NOP

004134fb 90 NOP

004134FC 90 NOP

004134fd 43 Inc EBX

004134fe FF6424 FC JMP DWORD PTR SS: [ESP-4]

00413502 93 XCHG EAX, EBX

00413503 8B56 10 MOV EDX, DWORD PTR DS: [ESI 10]

00413506 0395 C34B4000 ADD EDX, DWORD PTR SS: [EBP 404BC3]; locate the thunk value

0041350C 830A 00 OR DWORD PTR DS: [EDX], 0

0041350F 0F84 59010000 JE 0041366E; if this DLL's APIs are all processed, jump to the next step

00413515 90 NOP

00413516 90 NOP

00413517 90 NOP

00413518 90 NOP

00413519 90 NOP

0041351A 90 NOP

0041351B 90 NOP

0041351C 90 NOP

0041351D 90 NOP

0041351E 75 02 JNZ Short 00413522

00413520 90 NOP

00413521 90 NOP

00413522 8B02 MOV EAX, DWORD PTR DS: [EDX]

00413524 A9 00000080 TEST Eax, 80000000

00413529 74 0A Je Short 00413535

0041352B 25 FFFFFF7F AND EAX, 7FFFFFFF

00413530 2BFF SUB EDI, EDI

00413532 EB 09 JMP SHORT 0041353D

00413534 90 NOP

00413535 40 Inc EAX

00413536 0385 C34B4000 Add Eax, DWORD PTR SS: [EBP 404BC3]

0041353C 97 XCHG EAX, EDI

0041353D 68 AFFAD0F9 PUSH F9D0FAAF

00413542 012C24 Add DWORD PTR SS: [ESP], EBP

00413545 810424 B4466F06 Add DWORD PTR SS: [ESP], 66F46B4

0041354C 68 4D7B630F PUSH 0F637B4D

0041351 812C24 9643230F SUB DWORD PTR SS: [ESP], 0F234396

00413558 012C24 Add DWORD PTR SS: [ESP], EBP

0041355B C3 RETN; returns to the API processing section here

Follow up:

......

00412C70 8B00 MOV EAX, DWORD PTR DS: [EAX]

00412C72 0385 AA374000 ADD EAX, DWORD PTR SS: [EBP 4037AA]; the fetched API address is in EAX

00412C78 EB 10 JMP SHORT 00412C8A

00412C7A 83C3 04 Add EBX, 4

00412C7D 41 INC ECX

00412C7E 81F9 B5030000 CMP ECX, 3B5

00412C84 ^ 75 97 JNZ SHORT 00412C1D

00412C86 33C0 XOR EAX, EAX

00412C88 EB 3F JMP Short 00412CC9

00412C8A 8BBD 9E374000 MOV EDI, DWORD PTR SS: [EBP 40379E]

00412C90 3BC7 CMP EAX, EDI; check whether the API is in the encrypted range

00412C92 76 35 JBE SHORT 00412CC9; if below or equal to 7C80262C it is not encrypted: go straight on

00412C94 03BD A2374000 Add EDI, DWORD PTR SS: [EBP 4037A2]

00412C9A 3BF8 CMP EDI, EAX

00412C9C 76 2B Jbe Short 00412CC9

00412C9E 8DBD 052C4000 LEA EDI, DWORD PTR SS: [EBP 402C05]

00412CA4 96 XCHG EAX, ESI

00412CA5 33C9 XOR ECX, ECX

00412CA7 8A0431 MOV Al, Byte PTR DS: [ECX ESI]

00412CAA 3C 2e CMP Al, 2E

00412CAC 74 04 JE SHORT 00412CB2

00412CAE 41 INC ECX

00412CAF AA STOS BYTE PTR ES: [EDI]

00412CB0 ^ EB F5 JMP Short 00412CA7

00412CB2 41 INC ECX

00412CB3 03F1 Add ESI, ECX

00412CB5 56 PUSH ESI

00412CB6 2C 2e Sub Al, 2E

00412CB8 aa Stos Byte Ptr ES: [EDI]

00412CB9 2BF9 SUB EDI, ECX

00412CBB 57 Push EDI

00412CBC FF95 F54B4000 Call DWORD PTR SS: [EBP 404BF5]

00412cc2 50 Push EAX

00412CC3 FF95 FF4B4000 Call DWORD PTR SS: [EBP 404BFF]

00412cc9 EB 01 JMP Short 00412ccc

00412ccb 90 NOP

00412CCC 894424 1C MOV DWORD PTR SS: [ESP 1C], EAX; Fill API

00412CD0 61 POPAD

00412CD1 FF0424 INC DWORD PTR SS: [ESP]

......

0041355f / 0f84 36080000 JE 00413D9B; Over ... if the API fails.

004135A2 0FBA67 FF 07 BT DWORD PTR DS: [EDI-1], 7; move bit 7 of [EDI-1] into CF; if CF is 1 the API is encrypted

So this can simply be patched to CLC

004135A7 EB 01 JMP Short 004135AA

004135A9 90 NOP

004135AA 9C Pushfd

004135AB F71424 Not DWORD PTR SS: [ESP]

004135ae 832424 01 and DWORD PTR SS: [ESP], 1

004135B2 50 Push EAX

004135B3 52 Push EDX

004135B4 B8 2E306BF9 MOV EAX, F96B302E

004135B9 05 31D09406 Add Eax, 694D031

004135BE F76424 08 MUL DWORD PTR SS: [ESP 8]

004135C2 8D8428 E9414000 Lea Eax, DWORD PTR DS: [EAX EBP 4041E9]

004135C9 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

004135CD 5A POP EDX

004135ce 58 POP EAX

004135cf 90 NOP

004135d0 90 NOP

004135d1 90 NOP

004135d2 90 NOP

004135d3 90 NOP

004135d4 90 NOP

004135d5 90 NOP

004135d6 90 NOP

004135d7 90 NOP

004135d8 90 NOP

004135d9 90 NOP

004135DA 90 NOP

004135db 8D6424 04 Lea ESP, DWORD PTR SS: [ESP 4]

004135DF FF6424 FC JMP DWORD PTR SS: [ESP-4]; CF is 1 for an encrypted API; the encrypted path jumps to EIP+5

......

00413614 E8 03000000 CALL 0041361C

00413619 A0 9AFF5B81 MOV Al, Byte PTR DS: [815BFF9A]

0041361E C3 RETN

0041361F 1900 SBB DWORD PTR DS: [EAX], EAX

00413621 0000 Add byte PTR DS: [EAX], Al

00413623 53 PUSH EBX

00413624 8D9D C050288E LEA EBX, DWORD PTR SS: [EBP 8E2850C0]

0041362A 81EB BC1AE88D SUB EBX, 8DE81ABC

00413630 FFE3 JMP EBX; jump to the encryption API

......

Jump here when CF is 0:

00413643 E8 C4F6FFFF CALL 00412D0C

Come in and see:

00412D18 57 PUSH EDI; this code is unchanged from 1.0

00412D19 EB 01 JMP Short 00412D1C

00412D1B 90 NOP

00412d1c 51 Push ECX

00412D1D 90 NOP

00412D1E 90 NOP

00412D1F 90 NOP

00412D20 90 NOP

00412D21 90 NOP

00412D22 90 NOP

00412D23 90 NOP

00412D24 90 NOP

00412D25 90 NOP

00412D26 BF DA9A4000 MOV EDI, 00409ADA

00412D2B EB 01 JMP SHORT 00412D2E

00412D2D 90 NOP

00412D2E B9 8C010000 MOV ECX, 18C

00412D33 90 NOP

00412D34 90 NOP

00412D35 90 NOP

00412D36 90 NOP

00412D37 90 NOP

00412D38 90 NOP

00412D39 90 NOP

00412D3A 90 NOP

00412D3B 90 NOP

00412D3C 90 NOP

00412D3D 90 NOP

00412D3E 90 NOP

00412D3F 90 NOP

00412D40 90 NOP

00412D41 90 NOP

00412D42 90 NOP

00412D43 90 NOP

00412D44 3917 CMP DWORD PTR DS: [EDI], EDX; Judging whether the address is found

00412D46 90 NOP

00412D47 90 NOP

00412D48 90 NOP

00412D49 90 NOP

00412D4A 90 NOP

00412D4B 90 NOP

00412D4C 90 NOP

00412D4D 90 NOP

00412D4E 90 NOP

00412D4F 90 NOP

00412D50 90 NOP

00412D51 90 NOP

00412D52 0F84 90000000 JE 00412DE8; if you find it

00412D58 47 Inc EDI

00412D59 EB 01 JMP Short 00412D5C

00412D5B 90 NOP

00412D5C 49 DEC ECX

00412D5D 9C Pushfd

00412D5E C12C24 06 SHR DWORD PTR SS: [ESP], 6

00412D62 F71424 Not DWORD PTR SS: [ESP]

00412D65 832424 01 And DWORD PTR SS: [ESP], 1

00412D69 50 Push EAX

00412D6A 52 Push EDX

00412D6B B8 6592DC52 MOV EAX, 52DC9265

00412D70 05 446D23AD ADD EAX, AD236D44

00412D75 F76424 08 MUL DWORD PTR SS: [ESP 8]

00412D79 90 NOP

00412D7A 90 NOP

00412D7B 90 NOP

00412D7C 90 NOP

00412D7D 90 NOP

00412D7E 90 NOP

00412D7F 90 NOP

00412D80 90 NOP

00412D81 90 NOP

00412D82 8D8428 A0394000 LEA EAX, DWORD PTR DS: [EAX EBP 4039A0]

00412D89 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00412D8D 5A POP EDX

00412D8E 58 POP EAX

00412D8F 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

00412D93 FF6424 FC JMP DWORD PTR SS: [ESP-4]; loop back to find this address

......

00412DCF 90 NOP

00412DD0 8902 MOV DWORD PTR DS: [EDX], EAX; Direct Fill

00412DD2 90 NOP

00412DD3 90 NOP

00412DD4 90 NOP

00412DD5 90 NOP

00412DD6 90 NOP

00412DD7 90 NOP

00412DD8 90 NOP

00412DD9 90 NOP

00412DDA 90 NOP

00412DDB 90 NOP

00412DDC 90 NOP

00412DDD 90 NOP

00412DDE 90 NOP

00412DDF 90 NOP

00412DE0 90 NOP

00412DE1 90 NOP

00412DE2 90 NOP

00412DE3 E9 B2000000 JMP 00412E9A; filled in, return

00412DE8 90 NOP

00412DE9 90 NOP

00412DEA 90 NOP

00412DEB 90 NOP

00412DEC 90 NOP

00412DED 90 NOP

00412DEE 90 NOP

00412DEF 90 NOP

00412DF0 90 NOP

00412DF1 807F FF 00 CMP BYTE PTR DS: [EDI-1], 0; if the byte before the slot is 0, fill the API in directly

00412DF5 74 60 Je Short 00412E57

......

00412E08 807F FF EA CMP BYTE PTR DS: [EDI-1], 0EA; if the EDI-1 bit is EA

00412E0C ^ 75 90 JNZ Short 00412D9E

00412e0e 90 NOP

00412E0F 90 NOP

00412e10 90 NOP

00412E11 90 NOP

00412E12 90 NOP

00412E13 90 NOP

00412E14 90 NOP

00412E15 90 NOP

00412E16 90 NOP

00412E17 FE4F FF DEC BYTE PTR DS: [EDI-1]; when it is EA, change it to E9 (a near jump); this is where the shell stores the API

00412E1A 83C7 04 Add EDI, 4

00412E1D 2BC7 SUB EAX, EDI

00412E1F 8947 FC MOV DWORD PTR DS: [EDI-4], EAX

......

PATCH:

00412E0E 66: C747 FF FF25 MOV Word PTR DS: [EDI-1], 25FF

00412E14 8957 01 MOV DWORD PTR DS: [EDI 1], EDX

00412E17 8902 MOV DWORD PTR DS: [EDX], EAX
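As an added illustration (not part of the original article or the shell), the following Python emulates both the shell's own fix-up (EA turned into an E9 rel32 jump straight to the API) and the PATCH above (FF 25 through the IAT slot in EDX) on a constructed code buffer; SITE_VA, IAT_SLOT and API_ADDR are made-up sample values, and CODE_BASE follows the listing's 401000 code start.

```python
import struct

MASK32 = 0xFFFFFFFF

# Constructed sample values (not from the target): a code section mapped at
# 401000 like the unpacked program, one EA placeholder inside it, one IAT slot
# and one API address. Only the layout matters, not the numbers.
CODE_BASE = 0x00401000
SITE_VA = 0x00401010          # address of the EA byte ([EDI-1] in the listing)
IAT_SLOT = 0x0040C1A0         # EDX: the thunk this call originally went through
API_ADDR = 0x7C801D7B         # EAX: the resolved export


def make_code():
    """A 0x40-byte code section with a 7-byte EA placeholder at SITE_VA.
    EA ptr16:32 is 7 bytes, so the slot has room for a 6-byte FF 25 jump."""
    code = bytearray(b"\x90" * 0x40)
    off = SITE_VA - CODE_BASE
    code[off:off + 7] = b"\xEA" + b"\x00" * 6
    return code


def shell_direct_jmp(code, site_va, api_addr):
    """The shell's own fix-up at 00412E17..00412E1F: EA -> E9 plus a rel32 to the API."""
    off = site_va - CODE_BASE
    assert code[off] == 0xEA                             # CMP BYTE PTR [EDI-1], 0EA
    code[off] = 0xE9                                     # DEC BYTE PTR [EDI-1]
    rel32 = (api_addr - (site_va + 5)) & MASK32          # ADD EDI, 4 ; SUB EAX, EDI
    code[off + 1:off + 5] = struct.pack("<I", rel32)     # MOV [EDI-4], EAX


def patched_indirect_jmp(code, site_va, iat_slot, api_addr, iat):
    """The PATCH above: FF 25 <slot> jumps through the IAT, and the slot holds the API."""
    off = site_va - CODE_BASE
    code[off:off + 2] = b"\xFF\x25"                      # MOV WORD PTR [EDI-1], 25FF
    code[off + 2:off + 6] = struct.pack("<I", iat_slot)  # MOV [EDI+1], EDX
    iat[iat_slot] = api_addr                             # MOV [EDX], EAX


def jump_target(code, site_va, iat):
    """Resolve where the instruction at site_va ends up, as a debugger would show it."""
    off = site_va - CODE_BASE
    if code[off] == 0xE9:                                # JMP rel32: next EIP + rel
        rel32 = struct.unpack("<I", code[off + 1:off + 5])[0]
        return (site_va + 5 + rel32) & MASK32
    if code[off:off + 2] == b"\xFF\x25":                 # JMP DWORD PTR [imm32]
        slot = struct.unpack("<I", code[off + 2:off + 6])[0]
        return iat[slot]
    raise ValueError("not a patched site")


def compare_forms():
    """Apply both fix-ups to fresh copies; return (direct target, indirect target, IAT).
    Both reach the API, but only the indirect form leaves an IAT slot behind
    that an import rebuilder such as ImportREC can recover."""
    direct = make_code()
    shell_direct_jmp(direct, SITE_VA, API_ADDR)
    indirect = make_code()
    iat = {}
    patched_indirect_jmp(indirect, SITE_VA, IAT_SLOT, API_ADDR, iat)
    return jump_target(direct, SITE_VA, {}), jump_target(indirect, SITE_VA, iat), iat


if __name__ == "__main__":
    d, i, table = compare_forms()
    print(f"direct E9 -> {d:08X}, patched FF25 -> {i:08X}, IAT: {table}")
```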

......

00412E97 / EB 01 JMP Short 00412E9A

00412E99 | 90 NOP

00412E9A / 59 POP ECX

00412E9B EB 01 JMP SHORT 00412E9E

00412E9D 90 NOP

00412E9E 5F POP EDI

00412E9F C3 RETN; return

......

00413689 ^ / E9 A1FDFFFF JMP 0041342F; jump back to continue if not yet finished

......

00413773 F3: prefix rep:; Superfluous Prefix

00413774 0F31 RDTSC; execution arrives here once all APIs are handled; the shell uses RDTSC timing for anti-debugging

00413776 50 Push EAX

00413777 F3: prefix rep:; Superfluous Prefix

00413778 0F31 RDTSC

0041377A EB 01 JMP SHORT 0041377D

NOP out these two RDTSCs.

......

004137B7 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

004137BB FF6424 FC JMP DWORD PTR SS: [ESP-4]; If the above RDTSC is executed, this will jump to the wrong address.

......

00413834 BB BDAED669 MOV EBX, 69D6AEBD

00413839 2BC3 SUB EAX, EBX

0041383B 3D 99E925A9 CMP EAX, A925E999; checks whether Code Redirection was selected

00413840 90 NOP

00413841 90 NOP

00413842 90 NOP

00413843 90 NOP

00413844 90 NOP

00413845 90 NOP

00413846 90 NOP

00413847 90 NOP

00413848 90 NOP

00413849 74 79 JE SHORT 004138C4; jump if Code Redirection was not selected

0041384B BE A2524100 MOV ESI, 004152A2; start processing from 4152A2

00413850 B9 5C020000 MOV ECX, 25C

00413855 51 PUSH ECX

00413856 B0 05 MOV Al, 5

00413858 304431 FF XOR BYTE PTR DS: [ECX ESI-1], AL; end address is 4154FD; the method is XOR with 5

0041385c 90 NOP

0041385D 90 NOP

0041385E 90 NOP

0041385f 90 NOP

00413860 90 NOP

00413861 90 NOP

00413862 90 NOP

00413863 90 NOP

00413864 90 NOP

00413865 90 NOP

00413866 90 NOP

00413867 90 NOP

00413868 004C31 FF ADD BYTE PTR DS: [ECX ESI-1], CL; then add the CL value

0041386C 49 DEC ECX

0041386D 9C Pushfd

0041386E C12C24 06 SHR DWORD PTR SS: [ESP], 6

00413872 F71424 Not DWORD PTR SS: [ESP]

00413875 832424 01 and DWORD PTR SS: [ESP], 1

00413879 50 Push EAX

0041387A 52 Push EDX

0041387B B8 72B2DC12 MOV EAX, 12DCB272

00413880 05 444D23ED Add Eax, ED234D44

0041388 F76424 08 MUL DWORD PTR SS: [ESP 8]

00413889 8D8428 A7440 LEA EAX, DWORD PTR DS: [EAX EBP 4044A7]

00413890 894424 08 MOV DWORD PTR SS: [ESP 8], EAX

00413894 5A POP EDX

00413895 58 POP EAX

00413896 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]

0041389A ^ FF6424 FC JMP DWORD PTR SS: [ESP-4]; loop back until the whole block is decoded

......

004138A2 59 POP ECX

004138A3 90 NOP

004138A4 90 NOP

004138A5 90 NOP

004138A6 90 NOP

004138A7 90 NOP

004138A8 90 NOP

004138A9 90 NOP

004138AA 90 NOP

004138AB 90 NOP

004138ac 90 NOP

004138ad 90 NOP

004138ae 90 NOP

004138af 90 NOP

004138B0 90 NOP

004138B1 90 NOP

004138B2 90 NOP

004138B3 90 NOP

004138B4 BF C8014000 MOV EDI, 004001C8

004138B9 90 NOP

004138BA 90 NOP

004138BB 90 NOP

004138BC 90 NOP

004138BD 90 NOP

004138BE 90 NOP

004138BF 90 NOP

004138c0 90 NOP

004138C1 90 NOP

004138C2 F3: A4 Rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; From 4152A2 To: 4001C8 Size: 25C

......

004138FB 61 POPAD; we land here

004138FC BA 0F5C8CCE MOV EDX, CE8C5C0F; the program's OEP code (stolen code)

00413901 EB 01 JMP Short 00413904

00413903 90 NOP

00413904 81f2 753DE58A XOR EDX, 8AE53D75

0041390A EB 01 JMP Short 0041390D

0041390C 90 NOP

0041390D 2BC0 SUB EAX, Eax; Sub Eax, Eax

0041390f EB 01 JMP Short 00413912

00413911 90 NOP

00413912 68 1D39ACE7 PUSH E7AC391D

00413917 810424 63979418 Add DWORD PTR SS: [ESP], 18949763; Push 40D080

0041391e 50 Push Eax; Push Eax

0041391F EB 01 JMP Short 00413922

00413921 90 NOP

00413922 50 Push Eax; Push Eax

00413923 EB 01 JMP short 00413926

00413925 90 NOP

00413926 68 30394100 Push 00413930; Call 00409AF2

0041392B - E9 C261FFFF JMP 00409AF2; JMP to Kernel32.CreateMutexA

00413930 68 3A394100 PUSH 0041393A; CALL 00409B1C

00413935 - E9 E261FFFF JMP 00409B1C; JMP to NTDLL.RtlGetLastWin32Error

0041393A 3D B7000000 CMP EAX, 0B7; CMP Eax, 0B7

0041393f EB 01 JMP Short 00413942

00413941 90 NOP

00413942 - E9 025AFFFF JMP 00409349

So the correct Stolen Code is:

00409326. Ba 0F5C8CCE MOV EDX, CE8C5C0F

0040932b. 81f2 753de58a xor EDX, 8AE53D75

00409331. 2BC0 SUB EAX, EAX

00409333. 68 80D04000 push 0040d080; / mutexname = "pe_spin_v1.1"

00409338. 50 push eax; | initialowner => false

00409339. 50 push eax; | psecurity => null

0040933a. E8 b3070000 call 00409af2; / CreateMutexa

0040933f. E8 D8070000 CALL 00409B1C; JMP to NTDLL.RTLGetlastwin32error

00409344. 3D B7000000 CMP EAX, 0B7

......

(I didn't continue last time; I've been busy all day, though I don't know what I've been busy with.)

The more important part here is the repair. The places that need to be repaired are as follows:

The first:

PE header stolen code: you will see a lot of code like this:

004093E9 - E9 1e6Effff JMP 0040020C; *******

004093ee FF35 65E04000 Push DWORD PTR DS: [40E065]

004093F4 E8 1E6EFFFF Call 00400217

004093F9 2BC0 SUB EAX, EAX

004093fb 50 Push EAX

004093FC E8 1C6EffFF Call 0040021d; *******

00409401 E8 1D6EFFFF CALL 0040022; *******

This code has been placed in the PE header; the shell steals 5 bytes into the PE header each time. The repair here is relatively simple :)

Second:

SDK protect

This is V1.1's biggest change and quite interesting; it comes in two forms:

The first case:

Decoding code:

00409369 9C Pushfd

0040936A 60 Pushad

0040936B B9 C018265F MOV ECX, 5F2618C0

00409370 BF BABA78D9 MOV EDI, D978BABA

00409375 81E9 A318265F SUB ECX, 5F2618A3

0040937B B8 33F423AF MOV EAX, AF23F433

00409380 05 E7601D51 Add Eax, 511D60E7

00409385 FF0D 8B934000 DEC DWORD PTR DS: [40938B]

0040938B FF10 Call DWORD PTR DS: [EAX]; here you can see the algorithm

0040938D 61 POPAD

0040938E 9D POPFD

Specific decoding code:

00d30000 90 NOP

......

00d30009 81ef 512738d9 Sub EDI, D9382751

00d3000F 87D9 XCHG ECX, EBX

00d30011 b9 24000000 MOV ECX, 24

00d30016 2ac0 SUB Al, Al

00d30018 FC CLD

00D30019 F3: aa rep Stos Byte PTR ES: [EDI]

00d3001b 87d9 xchg ECX, EBX

00D3001D 83C7 02 Add EDI, 2

00d30020 8A07 MOV Al, Byte Ptr DS: [EDI]

00d30022 90 NOP

00d30023 90 NOP

00d30024 90 NOP

00d30025 90 NOP

00D30026 90 NOP

00d30027 90 NOP

00d30028 FEC8 DEC AL

00D3002A C0C8 D1 ROR Al, 0D1; Shift Constant Out of Range 1..31

00d3002d C0C8 D7 ROR AL, 0D7; Shift Constant Out of Range 1..31

00d30030 90 NOP

00d30031 90 NOP

00d30032 90 NOP

00d30033 FEC8 DEC AL

00d30035 04 4e Add Al, 4e

00d30037 32C1 XOR Al, Cl

00d30039 C0C8 0F ROR Al, 0F

00d3003c FEC8 DEC AL

00d3003e 90 NOP

00d3003f 90 NOP

00d30040 90 NOP

00d30041 90 NOP

00d30042 90 NOP

00d30043 90 NOP

00d30044 90 NOP

00d30045 90 NOP

00d30046 90 NOP

00d30047 90 NOP

00d30048 02C1 Add Al, Cl

00d3004a aa stos byte PTR ES: [EDI]; Restore Code

00d3004B 49 DEC ECX

00d3004c ^ 75 D2 JNZ Short 00D30020

00d30053 90 NOP

......

00D3005A C3 RETN

Clearing code:

004093AC / EB 0B JMP Short 004093B9

004093AE | 90 NOP

004093AF | 81E9 2D08830B SUB ECX, 0B83082D

004093B5 | 40 Inc EAX

004093B6 | 74 10 Je Short 004093C8

004093B8 | 90 NOP

004093B9 / 9C Pushfd

004093BA EB 01 JMP SHORT 004093BD

004093BC 90 NOP

004093BD 60 Pushad

004093BE F9 STC

004093BF 1BC0 SBB EAX, EAX

004093C1 B9 6E08830B MOV ECX, 0B83086E

004093C6 ^ EB E7 JMP Short 004093AF

004093C8 BF C8B93096 MOV EDI, 9630B9C8

004093CD FC CLD

004093CE 81C7 C7D90F6A Add EDI, 6A0FD9C7

004093D4 F3: aa rep Stos byte PTR ES: [EDI]

004093D6 48 DEC EAX

004093D7 75 04 JNZ Short 004093DD

004093D9 9D POPFD

004093DA EB 05 JMP Short 004093E1

004093DC 90 NOP

004093DD 61 POPAD

004093DE ^ EB F9 JMP Short 004093D9

004093E0 90 NOP

The second case:

Decoding / encryption:

00406348/75 49 jnz short 00406393

0040634A | FF15 3E554100 CALL DWORD PTR DS: [41553E]; decode here

00406350 | 026B E8 Add Ch, Byte Ptr DS: [EBX-18]

00406353 | 77 CD ja short 00406322

00406369 | 99 CDQ

......

00406382 | FF15 4E554100 CALL DWORD PTR DS: [41554E]; re-encrypt the decoded code here

Decoding code:

......

00d00003 9C Pushfd

00d00004 90 NOP

00d00005 90 NOP

00d00006 90 NOP

00d00007 60 pushad

00d00008 8B4424 24 MOV Eax, DWORD PTR SS: [ESP 24]

00d0000c 8B08 MOV ECX, DWORD PTR DS: [EAX]

00d0000e 8D78 04 Lea EDI, DWORD PTR DS: [EAX 4]

00d00011 897C24 24 MOV DWORD PTR SS: [ESP 24], EDI

00d00015 81e9 D46AE877 SUB ECX, 77E86AD4

00d0001b fc CLD

......

00d00028 8A07 MOV Al, Byte Ptr DS: [EDI]

00d0002A C0C8 42 ROR Al, 42

00d0002d 90 NOP

00d0002e 90 NOP

00d0002f 90 NOP

00d00030 90 NOP

00d00031 04 D0 Add Al, 0D0

00d00033 02C1 Add Al, Cl

00d00035 FEC8 DEC AL

00d00037 04 09 Add Al, 9

00d00039 FEC8 DEC AL

00d0003B 90 NOP

00d0003c 90 NOP

00d0003d 90 NOP

00d0003e 90 NOP

00d0003f 90 NOP

00d00040 90 NOP

00d00041 34 2C XOR Al, 2C

00d00043 c0c0 da rol al, 0DA

00d00046 90 NOP

00d00047 90 NOP

00d00048 90 NOP

00d00049 90 NOP

00d0004A 90 NOP

00d0004B 90 NOP

00d0004c 90 NOP

00d0004D 90 NOP

00d0004e 90 NOP

00d0004f FEC8 DEC AL

00d00051 90 NOP

00d00052 aa stos byte PTR ES: [EDI]; decoding

00d00053 49 DEC ECX

00d00054 ^ 75 D2 JNZ Short 00d00028

Encryption code:

......

00d10009 9c pushfd

00d1000a 60 pushad

00d1000B 8B4424 24 MOV EAX, DWORD PTR SS: [ESP+24]

00d1000F 8B08 MOV ECX, DWORD PTR DS: [EAX]

00d10011 8D78 04 LEA EDI, DWORD PTR DS: [EAX+4]

00d10014 897C24 24 MOV DWORD PTR SS: [ESP+24], EDI

00d10018 8D7F F6 LEA EDI, DWORD PTR DS: [EDI-A]

00d1001B 81E9 F67FBB0E SUB ECX, 0EBB7FF6

00d10021 2BF9 SUB EDI, ECX

00d10023 FC CLD

00d10024 8A07 MOV Al, Byte Ptr DS: [EDI]

00d10026 90 NOP

00d10027 FEC0 INC AL

00d10029 90 NOP

00d1002a 90 NOP

00d1002b 90 NOP

00d1002c 90 NOP

00d1002d 90 NOP

00d1002e 90 NOP

00d1002f 90 NOP

00d10030 90 NOP

00d10031 90 NOP

00d10032 C0C8 da ROR Al, 0DA;

00d10035 34 2C XOR Al, 2C

00d10037 90 NOP

00d10038 90 NOP

00d10039 90 NOP

00d1003a 90 NOP

00d1003b 90 NOP

00d1003c 90 NOP

00d1003d FEC0 INC AL

00d1003f 2C 09 SUB Al, 9

00d10041 FEC0 INC AL

00d10043 2AC1 SUB AL, CL

00d10045 2C D0 SUB Al, 0D0

00d10047 90 NOP

00d10048 90 NOP

00d10049 90 NOP

00d1004a 90 NOP

00d1004B C0C0 42 ROL Al, 42

00d1004e aa stos byte PTR ES: [EDI]

00d1004f 49 DEC ECX

00d10050 ^ 75 d2 jnz short 00d10024
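The two loops above are exact inverses of each other. As an added example (not code from the article or from PESpin), here is a Python model of both per-byte transforms, with the first-case decoder from 00D30020 included for comparison; the function names and the sample bytes are my own.

```python
# Added example (not from the article): a model of PESpin 1.1's per-byte
# decode loop at 00D00028 and its inverse, the re-encrypt loop at 00D10024.
# Each byte passes through AL; CL is the low byte of ECX, the remaining-byte
# counter decremented after every STOS, so the position-dependent key is the count.

def rot8(val, count, left):
    """x86 ROL/ROR on an 8-bit operand: the CPU masks the count to 5 bits and
    only count mod 8 matters, which is why ROR AL,42 / ROL AL,0DA still run."""
    n = (count & 0x1F) % 8
    if left:
        return ((val << n) | (val >> (8 - n))) & 0xFF
    return ((val >> n) | (val << (8 - n))) & 0xFF

# Instruction sequences transcribed from the dumps. NOPs and the CLC/STC filler
# are dropped because they never touch AL; "cl" marks an operand that is the
# low byte of ECX for that iteration.
DECODE_OPS = [("ror", 0x42), ("add", 0xD0), ("add", "cl"), ("dec", None),
              ("add", 0x09), ("dec", None), ("xor", 0x2C), ("rol", 0xDA),
              ("dec", None)]
ENCODE_OPS = [("inc", None), ("ror", 0xDA), ("xor", 0x2C), ("inc", None),
              ("sub", 0x09), ("inc", None), ("sub", "cl"), ("sub", 0xD0),
              ("rol", 0x42)]
# The first-case decoder at 00D30020 follows the same scheme with other ops.
DECODE_OPS_CASE1 = [("dec", None), ("ror", 0xD1), ("ror", 0xD7), ("dec", None),
                    ("add", 0x4E), ("xor", "cl"), ("ror", 0x0F), ("dec", None),
                    ("add", "cl")]

def apply_ops(al, cl, ops):
    """One pass of the loop body over a single byte held in AL."""
    for op, arg in ops:
        if arg == "cl":
            arg = cl
        if op == "add":   al = (al + arg) & 0xFF
        elif op == "sub": al = (al - arg) & 0xFF
        elif op == "xor": al ^= arg
        elif op == "inc": al = (al + 1) & 0xFF
        elif op == "dec": al = (al - 1) & 0xFF
        elif op == "ror": al = rot8(al, arg, left=False)
        elif op == "rol": al = rot8(al, arg, left=True)
    return al

def run_loop(data, ops):
    """The whole loop: ECX starts at len(data) and is decremented after each
    stored byte, so byte i is processed with CL = (len(data) - i) & 0xFF."""
    out, ecx = bytearray(), len(data)
    for b in data:
        out.append(apply_ops(b, ecx & 0xFF, ops))
        ecx -= 1
    return bytes(out)

def decode(buf): return run_loop(buf, DECODE_OPS)
def encode(buf): return run_loop(buf, ENCODE_OPS)
def decode_case1(buf): return run_loop(buf, DECODE_OPS_CASE1)

# Constructed sample (not bytes from the protected target); longer than 256
# bytes so the wrap-around of CL is exercised as well.
SAMPLE = bytes((i * 37 + 11) & 0xFF for i in range(300))
```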

Third type:

Anti Unpack

I am not sure whether this counts as anti-unpack, but there is a check in the main program:

00409837 B8 ABA44300 MOV EAX, 43A4AB; check whether the program has been unpacked

0040983C 2D 910A0300 SUB EAX, 30A91

00409841 FFD0 CALL EAX; the check itself is in here, let's look at it:

00409A1A B8 1BBAD5FA MOV EAX, FAD5BA1B

00409A1F 05 BFE06A05 Add Eax, 56AE0BF

00409A24 BB 4655A308 MOV EBX, 8A35546

00409A29 81EB 5D54A308 SUB EBX, 8A3545D; EBX = 0e9

00409A2F 2A18 SUB BL, BYTE PTR DS: [EAX]; i.e. is the byte at 409ADA equal to 0E9? If not, the jump below goes elsewhere

00409A31 58 POP EAX

00409A32 C1C3 16 ROL EBX, 16

00409A35 03C3 Add Eax, EBX

00409A37 FFE0 JMP EAX; if the check passes, this returns to execute the correct code

That concludes the analysis. On to the second step ^_^.

Step 2: Unpacking

With the analysis done we can unpack, but there is quite a lot of repair code to write. I use scripts to modify the shell code and write a little code of my own to complete the unpacking.

The process is: script repairs the IAT and stops at the Stolen Code → allocate memory → write patch code → change EIP → run → modify the shell code → script clears the "junk" code → remove the Anti-Unpack check.

First, a script to repair the IAT and stop at the OEP Stolen Code. The script:

/*
//
PESPIN V1.1 Stolen Code Finder V0.1
Author: loveboom
Email: loveboom#163.com
OS: WinXP SP1, OLLYDBG 1.1, OLLYScript v0.92
Date: 2005-3-9
Action: Repair IAT, stop at Stolen Code.
Config: Ignore All Exceptions
Note: if you have one or more questions, email me please, thank you!
//
*/
VAR addr
VAR addr1

start:
MSGYN "Config: IGNORE ALL EXCEPTIONS, continue?"
CMP $RESULT, 1
JE lbl1
RET

lbl1:
GPA "LoadLibraryA", "kernel32.dll"   // break at LoadLibraryA+B
MOV addr, $RESULT
ADD addr, B
BP addr
ESTO

lbl2:
CMP eip, addr
JNE lblabort
BC addr
MOV addr, esp
ADD addr, C
MOV addr, [addr]
BP addr
ESTO
BC addr

lbl3:
FIND eip, #0FBA67FF07#               // find 'BT [EDI-1], 7'
CMP $RESULT, 0
JE lblabort
MOV addr, $RESULT
FILL addr, 1, F8                     // change it to CLC, which clears CF
INC addr
MOV [addr], 90909090

lblnext1:
FIND addr, #0F31#                    // find 'RDTSC'
CMP $RESULT, 0
JE lblabort
FIND $RESULT, #FF6424FC#             // find 'JMP DWORD PTR SS:[ESP-4]'
CMP $RESULT, 0
JE lblabort
MOV addr1, $RESULT
BP addr1

lblfind1:
FIND addr, #FF6424FC#                // find 'JMP DWORD PTR SS:[ESP-4]'
CMP $RESULT, 0
JE lblabort
GO $RESULT
STO
STI

lblfind2:
FIND eip, #807FFFEA#                 // find 'CMP BYTE PTR DS:[EDI-1], 0EA'
CMP $RESULT, 0
JE lblabort
FIND $RESULT, #FE4FFF83C7042BC78947FC#
/*
Find the instructions:
FE4F FF    DEC BYTE PTR DS:[EDI-1]
83C7 04    ADD EDI, 4
2BC7       SUB EAX, EDI
8947 FC    MOV DWORD PTR DS:[EDI-4], EAX
*/
CMP $RESULT, 0
JE lblabort
FILL $RESULT, B, 90
MOV addr, $RESULT
BP addr

lblloop1:
RUN

lblcheck:
CMP eip, addr
JNE lbl4
EXEC                                 // fix IAT
MOV WORD PTR [EDI-1], 25FF
MOV [EDI+1], EDX
MOV [EDX], EAX
ENDE
JMP lblloop1

lbl4:
BC addr
BC addr1
FIND eip, #E801000000??83C404#       // find 'CALL $+1' followed by 'ADD ESP, 4'
CMP $RESULT, 0
JE lblerrver
GO $RESULT
FIND $RESULT, #61#
CMP $RESULT, 0
JE lblerrver
GO $RESULT
STO
CMT eip, "Stolen Code."

lblend:
MSG "Script finished, script by loveboom[dfcg][fcg][us]. Thank you for using my script!"
RET

lblabort:
MSG "Error, script aborted. Maybe the target is not protected by PESpin 1.1 or you forgot Ignore All Exceptions."
RET

lblerrver:
MSG "Target program may be protected with PESpin 1.0 or a lower version!"
RET

After the script has run, allocate a little memory (manually or with a tool), write in a little code, and change EIP to the start address of your patch code:

.code
start:
    PUSHFD
    PUSHAD
    MOV  EDI, 401000H          ; start address
    MOV  ECX, 0B000H           ; search size
    PUSH EDI                   ; save these two registers, they are reused below
    PUSH ECX
    CLD
lblpushfd01:                   ; PUSHFD
    MOV  AL, 09CH
lbllp1:
    REPNE SCAS BYTE PTR [EDI]  ; look for PUSHFD
    JNZ  lblcallpart           ; search exhausted, go on to the CALL part
    CMP  BYTE PTR [EDI], 60H   ; is it PUSHFD / PUSHAD?
    JNE  lbllp1
    CMP  WORD PTR [EDI+23H], 9D61H  ; double-check: POPAD / POPFD at the expected offset
    JNE  lbllp1
    DEC  EDI
    CALL EDI                   ; call the shell code so it restores the program code
    JMP  lbllp1

lblcallpart:                   ; stolen code routed through the PE header, CALL form
    POP  ECX
    POP  EDI
    PUSH EDI
    PUSH ECX
    MOV  AL, 0E8H              ; first handle the CALL form
lblloop:
    REPNE SCAS BYTE PTR [EDI]
    JNZ  lbljmppart            ; search exhausted, go on to the JMP form
    MOV  EDX, [EDI]
    LEA  EDX, [EDI+EDX+4]      ; absolute target of the CALL
    CMP  EDX, 4001C8H          ; is the target within the header range?
    JB   lblloop               ; no, keep searching
    CMP  EDX, 400428H          ; upper bound of the same range
    JA   lblloop
    CMP  BYTE PTR [EDX], 0E9H  ; is the target a direct JMP? (could be stricter; kept simple so it is easy to change :-))
    JNE  lblloop
    PUSH ECX
    MOV  ECX, [EDX+1]          ; restore code: point the CALL straight at the JMP's destination
    LEA  ECX, [EDX+ECX+5]
    SUB  ECX, EDI
    SUB  ECX, 4
    MOV  [EDI], ECX
    POP  ECX
    JMP  lblloop

lbljmppart:                    ; JMP form
    POP  ECX
    POP  EDI
    PUSH EDI
    PUSH ECX
    MOV  AL, 0E9H
lblloop01:
    REPNE SCAS BYTE PTR [EDI]  ; same as the CALL form
    JNZ  lblcallpart01
    MOV  EDX, [EDI]
    LEA  EDX, [EDI+EDX+4]
    CMP  EDX, 4001C8H          ; within the header range?
    JB   lblloop01
    CMP  EDX, 400428H
    JA   lblloop01
    CMP  BYTE PTR [EDX+5], 0E9H ; were exactly five bytes stolen? (again kept simple so it is easy to change)
    JNE  lblloop01
    PUSH ECX
    MOV  CL, BYTE PTR [EDX]    ; restore code: copy the five stolen bytes back over the JMP
    MOV  BYTE PTR [EDI-1], CL
    MOV  ECX, [EDX+1]
    MOV  [EDI], ECX
    POP  ECX
    JMP  lblloop01

lblcallpart01:                 ; CALLs into the shell's encryption code
    POP  ECX
    POP  EDI
@@:
    MOV  AL, 0FFH
lblloop02:
    REPNE SCAS BYTE PTR [EDI]
    JNZ  lblend                ; search exhausted, we are done :-)
    CMP  BYTE PTR [EDI], 15H   ; is it CALL DWORD PTR DS:[address]?
    JNE  lblloop02
    MOV  EDX, [EDI+1]
    CMP  EDX, 41553EH          ; is the address 41553EH (the decoder)?
    JE   @F
    CMP  EDX, 41554EH          ; or 41554EH (the re-encrypt routine)?
    JNE  lblloop02
    PUSH EDI                   ; wipe the call into the shell's encryption code
    DEC  EDI
    PUSH ECX
    MOV  ECX, 0AH
    MOV  AL, 90H
    CLD
    REP  STOS BYTE PTR [EDI]
    POP  ECX
    POP  EDI
    JMP  @B
@@:
    MOV  EDX, EDI              ; call the shell code so it restores the program code
    DEC  EDX
    CALL EDX
    JMP  lblloop02
lblend:
    POPAD
    POPFD
end start
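As an added example (not the article's code), the following Python models what the LBLLOOP and LBLLOOP01 parts of the patch code above do to a memory image: CALLs into header trampolines are retargeted to their final destination, and JMPs to five stolen bytes get those bytes copied back. The image layout, function names and the trampoline addresses inside the 4001C8..400428 range are constructed for the demonstration.

```python
# Added example (not from the article): a model of the "stolen code" repair done
# by the patch code above. PESpin reroutes some CALL/JMP instructions through
# trampolines in the PE header range 4001C8..400428; this turns them back into
# direct instructions. The memory image here is constructed, not a real dump.
import struct
IMAGE_BASE = 0x400000
HDR_LO, HDR_HI = 0x4001C8, 0x400428        # trampoline range the patch checks
SCAN_START, SCAN_SIZE = 0x401000, 0xB000   # code range the patch scans

def rd32(img, va):
    return struct.unpack_from("<i", img, va - IMAGE_BASE)[0]

def wr32(img, va, val):
    struct.pack_into("<i", img, va - IMAGE_BASE, val)

def put_jmp(img, va, target):
    img[va - IMAGE_BASE] = 0xE9
    wr32(img, va + 1, target - (va + 5))

def call_target(img, va):
    return va + 5 + rd32(img, va + 1)

def fix_calls(img):
    """E8 rel32 whose target is a JMP in the header: retarget the CALL to that
    JMP's destination (LBLLOOP: LEA ECX,[EDX+ECX+5]; SUB ECX,EDI; SUB ECX,4)."""
    fixed = 0
    for va in range(SCAN_START, SCAN_START + SCAN_SIZE - 4):
        if img[va - IMAGE_BASE] != 0xE8:
            continue
        tgt = call_target(img, va)
        if not (HDR_LO <= tgt <= HDR_HI) or img[tgt - IMAGE_BASE] != 0xE9:
            continue
        wr32(img, va + 1, call_target(img, tgt) - (va + 5))
        fixed += 1
    return fixed

def fix_jmps(img):
    """E9 rel32 to five stolen bytes followed by a JMP back: copy them over the JMP (LBLLOOP01)."""
    fixed = 0
    for va in range(SCAN_START, SCAN_START + SCAN_SIZE - 4):
        if img[va - IMAGE_BASE] != 0xE9:
            continue
        tgt = call_target(img, va)           # same rel32 arithmetic as for a CALL
        if not (HDR_LO <= tgt <= HDR_HI) or img[tgt - IMAGE_BASE + 5] != 0xE9:
            continue
        off, src = va - IMAGE_BASE, tgt - IMAGE_BASE
        img[off:off + 5] = img[src:src + 5]
        fixed += 1
    return fixed

def build_sample():                             # constructed image, not a dump
    img = bytearray(0xC000)                     # covers 400000..40BFFF
    put_jmp(img, 0x400200, 0x401050)            # trampoline 1: bare JMP to the callee
    img[0x1010] = 0xE8                          # CALL at 401010 -> trampoline 1
    wr32(img, 0x401011, 0x400200 - 0x401015)
    img[0x300:0x305] = bytes.fromhex("B801000000")  # trampoline 2: stolen MOV EAX,1
    put_jmp(img, 0x400305, 0x401025)            # ... then JMP back past the stolen bytes
    put_jmp(img, 0x401020, 0x400300)            # JMP at 401020 -> trampoline 2
    return img
```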

My own assembled version is as follows:

01120000 9C Pushfd

01120001 60 Pushad

01120002 BF 00104000 MOV EDI, 401000

01120007 b9 00b00000 MOV ECX, 0B000

0112000c 57 Push EDI

0112000D 51 PUSH ECX

0112000E FC CLD

0112000F B0 9C MOV Al, 9C

01120011 F2: ae repne scas Byte PTR ES: [EDI]

01120013 75 12 JNZ Short 01120027

01120015 803F 60 CMP BYTE PTR DS: [EDI], 60

01120018 ^ 75 F7 Jnz Short 01120011

0112001A 66: 817F 23 619D CMP WORD PTR DS: [EDI+23], 9D61

01120020 ^ 75 EF Jnz Short 01120011

01120022 4F DEC EDI

01120023 FFD7 CALL EDI; once the code is written, break here; the first time it breaks, step into the shell code and modify it

01120025 ^ EB EA JMP SHORT 01120011

01120027 59 POP ECX

01120028 5F POP EDI

01120029 57 Push EDI

0112002A 51 Push ECX

0112002B B0 E8 MOV Al, 0e8

0112002D F2: ae repne scas Byte PTR ES: [EDI]

0112002F 75 2D JNZ Short 0112005E

01120031 8B17 MOV EDX, DWORD PTR DS: [EDI]

01120033 8D543A 04 LEA EDX, DWORD PTR DS: [EDX+EDI+4]

01120037 81fa C8014000 CMP EDX, 4001C8

0112003D ^ 72 EE JB SHORT 0112002D

0112003F 81FA 28044000 CMP EDX, 400428

01120045 ^ 77 E6 JA SHORT 0112002D

01120047 803A E9 CMP BYTE PTR DS: [EDX], 0E9

0112004a ^ 75 E1 JNZ Short 0112002D

0112004c 51 Push ECX

0112004D 8B4A 01 MOV ECX, DWORD PTR DS: [EDX+1]

01120050 8D4C11 05 LEA ECX, DWORD PTR DS: [ECX+EDX+5]

01120054 2BCF SUB ECX, EDI

01120056 83e9 04 SUB ECX, 4

01120059 890F MOV DWORD PTR DS: [EDI], ECX

0112005B 59 POP ECX

0112005c ^ EB CF JMP Short 0112002D

0112005e 59 POP ECX

0112005F 5F POP EDI

01120060 57 Push EDI

01120061 51 PUSH ECX

01120062 B0 E9 MOV Al, 0e9

01120064 F2: ae repne scas Byte PTR ES: [EDI]

01120066 75 2A Jnz Short 01120092

01120068 8B17 MOV EDX, DWORD PTR DS: [EDI]

0112006A 8D543A 04 LEA EDX, DWORD PTR DS: [EDX+EDI+4]

0112006E 81FA C8014000 CMP EDX, 4001C8

01120074 ^ 72 EE JB SHORT 01120064

01120076 81FA 28044000 CMP EDX, 400428

0112007C ^ 77 E6 JA SHORT 01120064

0112007E 807A 05 E9 CMP BYTE PTR DS: [EDX+5], 0E9

01120082 ^ 75 E0 Jnz Short 01120064

01120084 51 PUSH ECX

01120085 8A0A MOV CL, BYTE PTR DS: [EDX]

01120087 884F FF MOV BYTE PTR DS: [EDI-1], CL

0112008A 8B4A 01 MOV ECX, DWORD PTR DS: [EDX+1]

0112008D 890F MOV DWORD PTR DS: [EDI], ECX

0112008F 59 POP ECX

01120090 ^ EB D2 JMP Short 01120064

01120092 59 POP ECX

01120093 5F POP EDI

01120094 B0 FF MOV Al, 0FF

01120096 F2: ae repne scas Byte PTR ES: [EDI]

01120098 75 30 JNZ Short 011200CA

0112009A 803F 15 CMP BYTE PTR DS: [EDI], 15

0112009d ^ 75 F7 Jnz Short 01120096

0112009F 8B57 01 MOV EDX, DWORD PTR DS: [EDI+1]

011200A2 81FA 3E554100 CMP EDX, 41553E

011200A8 74 19 Je Short 011200C3

011200AA 81FA 4E554100 CMP EDX, 41554E

011200B0 ^ 75 E4 Jnz Short 01120096

011200B2 57 Push EDI

011200B3 4F DEC EDI

011200B4 51 Push ECX

011200B5 B9 0A000000 MOV ECX, 0A

011200BA B0 90 MOV Al, 90

011200BC FC CLD

011200bd f3: aa rep Stos byte PTR ES: [EDI]

011200BF 59 POP ECX

011200C0 5F POP EDI

011200C1 ^ EB D1 JMP Short 01120094

011200C3 8BD7 MOV EDX, EDI

011200C5 4A DEC EDX

011200C6 FFD2 CALL EDX; break here too; the first time it breaks, step into the shell code and modify it

011200C8 ^ EB CC JMP Short 01120096

011200CA 61 POPAD

011200CB 9D POPFD

First break, patched shell code:

00d30009 81ef 512738d9 Sub EDI, D9382751

00d3000F 87D9 XCHG ECX, EBX

00d30011 B9 26000000 MOV ECX, 26

00d30016 B0 90 MOV Al, 90; Clear the original code

00d30018 FC CLD

00D30019 F3: aa rep Stos Byte PTR ES: [EDI]

00d3001b 87d9 xchg ECX, EBX

00d3001d 90 NOP

00d3001e 90 NOP

00d3001f 90 NOP

00d30020 8A07 MOV Al, Byte Ptr DS: [EDI]

00d30022 F8 CLC

00d30023 90 NOP

00d30024 90 NOP

00d30025 90 NOP

00d30026 F9 STC

00d30027 F9 STC

00d30028 FEC8 DEC AL

00D3002A C0C8 D1 ROR AL, 0D1; Shift constant out of range 1..31

00d3002d C0C8 D7 ROR AL, 0D7; Shift Constant Out of Range 1..31

00d30030 90 NOP

00d30031 90 NOP

00d30032 90 NOP

00d30033 FEC8 DEC AL

00d30035 04 4e Add Al, 4e

00d30037 32C1 XOR Al, Cl

00d30039 C0C8 0F ROR Al, 0F

00d3003c FEC8 DEC AL

00d3003e F9 STC

00d3003f F8 CLC

00d30040 90 NOP

00d30041 F9 STC

00d30042 90 NOP

00d30043 90 NOP

00D30044 90 NOP

00d30045 90 NOP

00d30046 90 NOP

00d30047 90 NOP

00d30048 02C1 Add Al, Cl

00d3004a aa stos byte PTR ES: [EDI]; Restore Code

00d3004B 49 DEC ECX

00d3004c ^ 75 D2 JNZ Short 00D30020

00d3004e 83C4 04 ADD ESP, 4; drop the return address so that RETN returns to our own patch code

00d30051 61 POPAD

00d30052 9D POPFD

00d30053 C3 RETN

After patching, remove the first breakpoint and press F9; execution breaks at the second place.

Second break, patched shell code:

00d00000 90 NOP

00d00001 90 NOP

00d00002 90 NOP

00d00003 9C Pushfd

00d00004 90 NOP

00d00005 90 NOP

00d00006 90 NOP

00d00007 60 pushad

00d00008 8B4424 24 MOV EAX, DWORD PTR SS: [ESP+24]

00d0000c 8B08 MOV ECX, DWORD PTR DS: [EAX]

00d0000e 8D78 04 LEA EDI, DWORD PTR DS: [EAX+4]

00d00011 897C24 24 MOV DWORD PTR SS: [ESP+24], EDI

00d00015 81e9 D46AE877 SUB ECX, 77E86AD4

00d0001b fc CLD

00d0001c 90 NOP

00d0001D 90 NOP

00d0001e 90 NOP

00d0001f 90 NOP

00d00020 90 NOP

00d00021 90 NOP

00d00022 90 NOP

00d00023 90 NOP

00d00024 90 NOP

00d00025 90 NOP

00d00026 90 NOP

00d00027 90 NOP

00d00028 8A07 MOV AL, BYTE PTR DS: [EDI]

00D0002A C0C8 42 ROR AL, 42; Shift constant out of range 1..31

00d0002d 90 NOP

00d0002e 90 NOP

00d0002f 90 NOP

00d00030 F8 CLC

00d00031 04 D0 Add Al, 0D0

00d00033 02C1 Add Al, Cl

00d00035 FEC8 DEC AL

00d00037 04 09 Add Al, 9

00d00039 FEC8 DEC AL

00d0003B 90 NOP

00d0003c 90 NOP

00d0003d 90 NOP

00d0003e 90 NOP

00d0003f 90 NOP

00d00040 90 NOP

00d00041 34 2C XOR Al, 2C

00d00043 c0c0 da rol al, 0DA

00d00046 90 NOP

00d00047 90 NOP

00d00048 90 NOP

00d00049 90 NOP

00d0004A 90 NOP

00d0004B 90 NOP

00d0004c 90 NOP

00d0004D F9 STC

00d0004E F9 STC

00d0004f FEC8 DEC AL

00d00051 90 NOP

00d00052 aa stos byte PTR ES: [EDI]; decoding

00d00053 49 DEC ECX

00d00054 ^ 75 D2 JNZ Short 00d00028

00d00056 8B7C24 24 MOV EDI, DWORD PTR SS: [ESP+24]; clear the original code

00d0005A 4F Dec EDI

00d0005B fd STD

00d0005C B0 90 MOV Al, 90

00d0005E B9 0A000000 MOV ECX, 0A

00d00063 f3: aa rep Stos byte PTR ES: [EDI]

00d00065 61 POPAD

00d00066 9D POPFD

00D00067 83C4 04 ADD ESP, 4

00d0006A C3 RETN

After patching, remove this breakpoint and set one on the next line, 011200CB, then press F9 to run.

011200CB 9D POPFD

When that breakpoint hits, the code has been restored. Next, a small script to delete the clearing code shown above:

// Removes the "garbage" code left behind by the shell
VAR addr
VAR endaddr

start:
MOV addr, 401000          // start address

loop:
/*
Find the following stub (this type of code is also removed):
004093AC  /EB 0B          JMP SHORT 004093B9
004093AE  |90             NOP
004093AF  |81E9 2D08830B  SUB ECX, 0B83082D
004093B5  |40             INC EAX
004093B6  |74 10          JE SHORT 004093C8
004093B8  |90             NOP
004093B9  \9C             PUSHFD
004093BA   EB 01          JMP SHORT 004093BD
004093BC   90             NOP
004093BD   60             PUSHAD
004093BE   F9             STC
004093BF   1BC0           SBB EAX, EAX
004093C1   B9 6E08830B    MOV ECX, 0B83086E
004093C6  ^EB E7          JMP SHORT 004093AF
004093C8   BF C8B93096    MOV EDI, 9630B9C8
004093CD   FC             CLD
004093CE   81C7 C7D90F6A  ADD EDI, 6A0FD9C7
004093D4   F3:AA          REP STOS BYTE PTR ES:[EDI]
004093D6   48             DEC EAX
004093D7   75 04          JNZ SHORT 004093DD
004093D9   9D             POPFD
004093DA   EB 05          JMP SHORT 004093E1
004093DC   90             NOP
004093DD   61             POPAD
004093DE  ^EB F9          JMP SHORT 004093D9
004093E0   90             NOP
*/
FIND addr, #EB0B??81E9????????407410??9CEB01??60F91BC0B9????????EBE7BF????????FC81C7????????F3AA4875049DEB05??61EBF9??#
CMP $RESULT, 0
JE lblend
FILL $RESULT, 35, 90
MOV addr, $RESULT
ADD addr, 35
JMP loop

lblend:
RET
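As an added example (not the article's script), here is a Python version of the same FIND/FILL step with a small parser for the `??` wildcard syntax; the buffer and the second stub's constants are constructed for the demonstration.

```python
# Added example (not from the article): a Python equivalent of the cleanup
# script's FIND/FILL step. The OllyScript pattern uses "??" as a one-byte
# wildcard for the per-instance constants; this parses such a pattern into
# value/mask form, finds every stub and overwrites it with NOPs, as
# FILL $RESULT, 35, 90 does. The buffer searched here is constructed.

STUB_PATTERN = ("EB0B??81E9????????407410??9CEB01??60F91BC0B9????????"
                "EBE7BF????????FC81C7????????F3AA4875049DEB05??61EBF9??")
STUB_LEN = 0x35          # 53 bytes, the size the script fills with 90h

def parse_pattern(pat):
    """'EB0B??81E9' -> (values, mask); the mask byte is 0 where the pattern has ??."""
    pat = pat.replace(" ", "")
    if len(pat) % 2:
        raise ValueError("odd-length pattern")
    vals, mask = bytearray(), bytearray()
    for i in range(0, len(pat), 2):
        pair = pat[i:i + 2]
        if pair == "??":
            vals.append(0)
            mask.append(0)
        else:
            vals.append(int(pair, 16))
            mask.append(0xFF)
    return bytes(vals), bytes(mask)

def find_all(buf, vals, mask):
    """Offsets of every match of the masked pattern in buf."""
    hits, n = [], len(vals)
    for off in range(len(buf) - n + 1):
        if all((buf[off + k] & mask[k]) == vals[k] for k in range(n)):
            hits.append(off)
    return hits

def nop_out_stubs(buf, pat=STUB_PATTERN):
    """Overwrite every stub with NOPs in place; return the offsets patched."""
    vals, mask = parse_pattern(pat)
    assert len(vals) == STUB_LEN
    hits = find_all(buf, vals, mask)
    for off in hits:
        buf[off:off + STUB_LEN] = b"\x90" * STUB_LEN
    return hits

# One concrete stub transcribed from the listing at 004093AC (the constants
# differ per instance, which is why the pattern wildcards them).
STUB_004093AC = bytes.fromhex(
    "EB0B90" "81E92D08830B" "40" "7410" "90" "9C" "EB01" "90" "60" "F9" "1BC0"
    "B96E08830B" "EBE7" "BFC8B93096" "FC" "81C7C7D90F6A" "F3AA" "48" "7504"
    "9D" "EB05" "90" "61" "EBF9" "90")

def build_sample():
    """Constructed code buffer: filler, then the stub twice with different constants."""
    other = STUB_004093AC.replace(bytes.fromhex("2D08830B"), bytes.fromhex("11223344"))
    return bytearray(b"\x55\x8B\xEC" * 10 + STUB_004093AC + b"\xC3" * 7 + other)
```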

All the code is now repaired; the repaired code snippet:

004093E9 68 20C14000 PUSH 0040C120; ASCII "IDD_PE_SPIN"

004093EE FF35 65E04000 PUSH DWORD PTR DS: [40E065]

004093F4 E8 A7070000 CALL 00409BA0; JMP to user32.DialogBoxParamA

004093F9 2BC0 SUB EAX, EAX

004093FB 50 PUSH EAX

004093FC E8 03070000 CALL 00409B04; JMP to kernel32.ExitProcess

00409401 E8 1E080000 CALL 00409C24; JMP to comctl32.InitCommonControls

Finally, the Anti-Unpack is removed:

00409837 B8 ABA44300 MOV EAX, 43A4AB; check whether the program has been unpacked

0040983C 2D 910A0300 SUB EAX, 30A91

00409841 FFD0 CALL EAX; the check itself

Modified to:

00409837 90 NOP

00409838 90 NOP

00409839 90 NOP

0040983A 90 NOP

0040983B 90 NOP

0040983C 90 NOP

0040983D 90 NOP

0040983E 90 NOP

0040983F 90 NOP

00409840 90 NOP

00409841 90 NOP

00409842 90 NOP

All the code mangled by the shell is now restored. Dump the process and rebuild the IAT with ImportREC.

Unpacking complete! I have written a pile of junk here, and tracing from head to foot is a waste of time ^_^. Writing the article also took ages :-).

I hope this article is of some use to Yock.

Greet:

Fly.jingulong, Yock, TDASM.David.hexer, Hmimys, Ahao.ufo (Brother) .aran (Sister) .all of my friends and you!

By LoveBoom [DFCG] [FCG] [US]

Email: loveboom # 163.com

Date: 2005-03-30 11:45

Please cite the original source when reposting: https://www.9cbs.com/read-36217.html
