A little analysis of a plug-in shell (on)
[Observation]: a plug-in program
[Tu]: Olydbg1.1
[Operation Platform]: WinXP Pro SP1
[Author]: loveboom [dfcg] [fcg] [US]
【brief introduction】:
The National Day has passed, and this time did not write this time. Now the remaining article of the National Day, because the shell is related to the inner people, so our internal members will see it. Don't reprint it at any time, please don't reprint it :-).
[Detailed Procedure]:
Not much to say anything, let's take a look!! ...
004C559E> / E9 00000000 JMP 004C55A3; into the entrance to the shell of XPR here
004c55a3 / 60 pushad
004C55A4 E8 14000000 Call 004c55BD
004c55A9 5D POP EBP
004c55AA 81ed 00000000 SUB EBP, 0
004c55B0 6A 45 Push 45
004C55B2 E8 A3000000 CALL 004C565A
004c55b7 68 00000000 push 0
004c55bc 90 NOP
004c55BD 58 POP EAX
004c55be 61 popad; look at it here knows that it is a deception.
004c55bf ^ E9 0DBBFEFF JMP 004B10D1
004B10D7 5D POP EBP; MOV EBP, 5B10D7
004b10d8 81ed D7000000 SUB EBP, 0D7
004B10DE 8DB5 EE000000 Lea ESI, DWORD PTR SS: [EBP EE]
004b10e4 55 Push EBP
004b10e5 56 Push ESI; prepare to decompress the code from 4b10ee
004b10e6 81c5 890B0000 Add EBP, 0B89
004b10ec 55 push eBp; Turnt 4B1B89 start decompression code
004b10ed C3 RETN
......
004B1EA5 45 INC EBP
004B1EA6 25 1C790119 and Eax, 1901791C
004B1EAB B8 A4C0F368 MOV EAX, 68F3C0A4
004B1EB0 8132 91D56240 XOR DWORD PTR DS: [EDX], 4062D591; Many of the unzipped code like this
004B1EB6 B8 370C2157 MOV EAX, 57210C37
004B1EBB 4F DEC EDI
004B1EBC B8 42487B77 MOV EAX, 777B4842
004B1EC1 8D85 24ACAE31 Lea Eax, DWORD PTR SS: [EBP 31AEAC24]
004b1ec7 b8 8e336864 MOV EAX, 6468338E004B1ECC 42 Inc EDX
......
004B2FE1 81EA 2A812A81 SUB EDX, 812A812A
004B2FE7 FF0424 Inc DWORD PTR SS: [ESP]
004B2FEA C3 RETN; After the above decompression is here, it returns to 4B10F0 here, that is, jump to the beginning of the start of the decompression code 1.
......
Here I will know that I quickly come here. At the beginning of the PUSH ESI's ESP in the program, I will go to 4B2FEA.
004B10D7 5D POP EBP; MOV EBP, 5B10D7
004b10d8 81ed D7000000 SUB EBP, 0D7
004B10DE 8DB5 EE000000 Lea ESI, DWORD PTR SS: [EBP EE]
004b10e4 55 Push EBP
004b10e5 56 Push ESI; prepare to decompress the code from 4b10ee
004b10e6 81c5 890B0000 Add EBP, 0B89
004b10ec 55 push eBp; Turnt 4B1B89 start decompression code
004b10ed C3 RETN
004b10ee EB 5D JMP Short 004B114D
004b10f0 8b45 00 MOV EAX, DWORD PTR SS: [EBP]; whether it has been decompressed, this is generally for DLL
004b10f3 0BC0 or Eax, EAX
004b10f5 74 04 Je Short 004B10FB; if there is no sign, jump
004b10f7 55 Push EBP
004b10f8 ff65 0C JMP DWORD PTR SS: [EBP C]
004b10fb ff45 00 inc DWORD PTR SS: [EBP]; if it is not unzipped, dispose of a 1 sign in 4B1000
004B10FE 8B4424 24 MOV Eax, DWORD PTR SS: [ESP 24]
004b1102 8945 04 MOV DWORD PTR SS: [EBP 4], EAX
004B1105 8DB5 84000000 Lea ESI, DWORD PTR SS: [EBP 84]; Haha, see what you have saved here. Put the DLL's name save the address in ESI
004b110b 56 Push ESI; address 4B1084 Fact (kernel32.dll)
004b110c ff55 78 Call DWORD PTR SS: [EBP 78]; getModuleHandlea004b110f 8d75 1C LEA ESI, DWORD PTR SS: [EBP 1C]; transmit the address of the VirtualAlaLocc name to ESI
004b1112 56 Push ESI
004b1113 50 push eax; HMODULE in Kernel32, because Windows is running, the program is a successful GetModuleHandlea successful
004b1114 FF55 74 Call Dword PTR SS: [EBP 74]; Get address of VirtualAlloc
......
0012FF9C 004b110f / call to getModuleHandlea from xxx.004b110c
0012FFA0 004B1084 / PModule = "kernel32.dll"
......
0012FF98 004B1117 / Call to getProcaddress from xxx.004b1114
0012ff9c 77e40000 | HMODULE = 77E40000 (kernel32)
0012ffa0 004b101c / procnameorordinal = "virtualalloc"
0012ffa4 0012cd78
......
004b1117 8945 2c MOV DWORD PTR SS: [EBP 2C], EAX; retrieve the address of the Virtualalloc to 4B102C
004b111a 6a 04 push 4; this is now necessary to apply for space, enough!
004b111c 68 00100000 PUSH 1000
004b1121 FF75 10 Push DWORD PTR SS: [EBP 10]
004b1124 6a 00 push 0
004b1126 FF55 2C Call DWORD PTR SS: [EBP 2C]; Application Space, VirtualallococoC
......
0012FF90 004B1129 / Call to virtualaloc from xxx.004b1126
0012ff94 00000000 | Address = NULL
0012FF98 0001670F | size = 1670f (91919.)
0012FF9C 00001000 | AllocationType = MEM_COMMIT
0012ffa0 00000004 / protect = Page_Readwrite
......
004b1129 50 push EAX; the application is available for 00370000, the first
004b112a 8945 0c MOV DWORD PTR SS: [EBP C], EAX; save the application to 4B100C
004b112d 8b5d 08 MOV EBX, DWORD PTR SS: [EBP 8]; decoded code relative offset 1ffe004b1130 03dd add EBX, EBP; convert RVA to VA = 4B2FFE
004b1132 50 push EAX; Just requested the address address 00370000, used to store the decompressed code
004b1133 53 Push EBX; source address 4B2FFE
004b1134 E8 18000000 Call 004b1151; unzipped code here
......
004b115b 8b7424 20 MOV ESI, DWORD PTR SS: [ESP 20]; source site into ESI
004b115f 8b7c24 24 MOV EDI, DWORD PTR SS: [ESP 24]; Target Address 370000 into EDI
......
After completion, here.
004b1139 5a pop EDX; decompression, put the address 370000 of the application in EDX
004b113a 52 Push EDX
004b113b 55 Push EBP
004b113c 8d85 DE000000 Lea Eax, DWORD PTR SS: [EBP DE]; put 4B10DE in Eax
004b1142 C600 EB MOV BYTE PTR DS: [EAX], 0eb; [EAX] is stored in the 0eb, which is close to jump
004b1145 c640 01 10 MOV BYTE PTR DS: [EAX 1], 10; here is still changing code
004b1149 8b45 30 MOV EAX, DWORD PTR SS: [EBP 30]; After the finished, save 4B1030 to [EBP 74]
004b114c 8945 74 MOV DWORD PTR SS: [EBP 74], EAX; 4B1074 Save 00ec6915
004b114f - ffe2 jmp edx; after the finish jumps to the place you have decomposed
00370000 E8 24000000 Call 00370029; JMP EDX here
00370005 8B4424 04 MOV EAX, DWORD PTR SS: [ESP 4]
......
00370027 / EB 24 JMP Short 0037004D
00370029 | 64: ff35 0000000> Push DWORD PTR fs: [0]; ready to abnormally
00370030 | EB 12 JMP short 00370044
00370032 | 90 NOP00370033 | 9C PUSHFD
00370034 | 74 03 Je Short 00370039
00370036 | 75 01 JNZ Short 00370039
00370038 | 90 NOP
00370039 | 810C24 00010000 or DWORD PTR SS: [ESP], 100; accidentally come in dizziness, come back
00370040 | 9D POPFD
......
00370041 90 NOP
00370042 ^ EB F4 JMP Short 00370038; here is unusual
......
00370158 ^ / EB E6 JMP short 00370140
0037015A E8 24000000 Call 00370183; Similar to this code is to be careful, don't mess with F7, this code my dealing method is: because the macro is used, so we can find the rules after seeing a few. It is good to find the law.
0037015F 8B4424 04 MOV EAX, DWORD PTR SS: [ESP 4]; Directly, it is simply in this way, can be solved in this way
00370163 8B00 MOV EAX, DWORD PTR DS: [EAX]
......
0037313b E8 00000000 Call 00373140
00373140 5A POP EDX; EDX = 373140 After the n macro, I wanted to use the script to come here, but I was afraid of the next CRC, so I was slowly following this.
00373141 81EA 9E1B4000 SUB EDX, 401B9E
......
0037314D 90 NOP
0037314E 90 NOP
0037314F 5D POP EBP; POP ImageBase, 4B1000
00373150 EB 4A JMP SHORT 0037319C
00373152 ^ EB DF JMP Short 00373133
00373154 43 Inc EBX
00373155 90 NOP
00373156 90 NOP
00373157 90 NOP
00373158 58 POP EAX
00373159 ^ 7D F4 JGE Short 0037314F
0037315B EB 01 JMP Short 0037315E
0037315D 90 NOP
0037315E ^ 7C EF JL Short 0037314F
00373160 90 NOP
00373161 58 POP EAX
00373162 9C PUSHFD
00373163 05 E6FFFFF Add Eax, -1a
00373168 9D POPFD
00373169 FFE0 JMP EAX; JMP 00373158
0037316B 90 NOP
......
00373178 B9 03000000 MOV ECX, 3
0037317D EB 4A JMP SHORT 003731C9
......
003731A8 8D75 74 LEA ESI, DWORD PTR SS: [EBP 74]; GetProcAddress address into ESI
......
003731D5 8DBA 02020F4100 LEA EDI, DWORD PTR DS: [EDX 410F02]; EDI = 003824A4
This version of the shell, the garbage code is really much. Be careful when you follow.
00373226 50 Push Eax; EAX = 003730f3 is coming this one, fainting, there are several such things.
......
00373205 F3: A5 Rep MOVS DWORD PTR ES: [EDI], DWORD PTR DS: [ESI]; starting from 3824A4 Start three DWORD code
......
00373252 56 Push ESI; Push 4B1080
......
0037355E 6a 00 Push 0; Push 0
00373560 FF95 060F4100 Call DWORD PTR SS: [EBP 410F06]; GetModuleHandlea
00373566 EB 01 JMP short 00373569
00373568 90 NOP
00373569 68 C2100000 PUSH 10C2
0037356E E8 01000000 Call 00373574
00373573 90 NOP
00373574 68 24080E68 PUSH 680E0824
00373579 68 90908344 Push 44839090
0037357E - FFE4 JMP ESP; jump to 12FF90
......
00373581 8985 120F4100 MOV DWORD PTR SS: [EBP 410F12], EAX; Add address of GetModuleHandlea 4000000 into 3824B4
......
0037359E 6A 04 Push 4; allocate space again
003735A0 68 00100000 Push 1000
003735A5 68 00100000 Push 1000003735AA 6A 00 PUSH 0
003735AC FF95 0E0F4100 Call DWORD PTR SS: [EBP 410F0E]; Virtualalloc
......
0012FF8C 003735B2 / CALL TO Virtualaloc from 003735AC
0012ff90 00000000 | Address = NULL
0012FF94 00001000 | SIZE = 1000 (4096.)
0012FF98 00001000 | AllocationType = MEM_COMMIT
0012FF9C 00000004 / protect = Page_Readwrite
......
003735B2 8985 49184100 MOV DWORD PTR SS: [EBP 411849], EAX; Assigned Space 390000 into 382DEB
003735B8 68 003C070A PUSH 0A073C00
003735BD 68 9FFC0D75 Push 750DFC9F
......
0037445B 8BFE MOV EDI, ESI; loading data to 373763
0037445D B9 46040000 MOV ECX, 446; SIZE 446
00374462 AC LODS BYTE PTR DS: [ESI]; put the removed data into Al
00374463 90 NOP
......
0037448E 90 NOP
0037448F 90 NOP
00374490 32C1 XOR Al, CL
00374492 90 NOP
......
003744A7 90 NOP
003744A8 90 NOP
003744A9 C0C0 04 ROL Al, 4
......
003744d9 aa stos byte PTR ES: [EDI]; start coding from 373763, size is 446
003744DA ^ E2 86 Loopd Short 00374462
......
003744dd 33c0 xor Eax, Eax; After the decompression, it is ready to excente
003744DF 64: FF30 PUSH DWORD PTR FS: [EAX]
003744E2 64: 8920 MOV DWORD PTR FS: [EAX], ESP
003744E5 0F0B UD2
......
0012ff9c 0012ffe0 Pointer to Next SEH Record
0012ffa0 00373712 SE HANDLER
......
After 0 abnormalities, 1311 int3 exceptions were continuous.
Ok, finally arrived.
00375347 90 NOP
00375348 880431 MOV BYTE PTR DS: [ECX ESI], AL0037534B ^ E2 F6 Loopd Short 00375343
0037534D 64: 8F05 0000000> POP DWORD PTR FS: [0]; Directly discontinued here, then ignore all exceptions
00375354 58 POP EAX
......
003754D6 83C4 04 Add ESP, 4
003754D9 8B85 060F4100 MOV EAX, DWORD PTR SS: [EBP 410F06]; kernel32.GetModuleHandlea
......
00381DF2 6A 00 Push 0; Push 0
00381DF4 50 Push Eax; Push GetModuleHandlea
00381DF5 8B85 49184100 MOV EAX, DWORD PTR SS: [EBP 411849]; Space Address 390000
00381F4A 50 Push Eax; Push 390000
00381F4B E8 08000000 Call 00381F58; here is to check the API, put the API in that section in 390000, become a Push API, RET method
00381F50 8B85 49184100 MOV EAX, DWORD PTR SS: [EBP 411849]
00381F56 FFE0 JMP EAX
00381F58 60 Pushad
00381F59 8B7C24 24 MOV EDI, DWORD PTR SS: [ESP 24]
00381F5D 8B7424 28 MOV ESI, DWORD PTR SS: [ESP 28]; start checking the API function
......
00381F64 3C 50 CMP Al, 50
00381F66 E9 55030000 JMP 003822C0; change to JMP will not detect API,
00381f6b 90 NOP
......
003822C0 C607 68 MOV BYTE PTR DS: [EDI], 68; Fill in a PUSH API
003822C3 8977 01 MOV DWORD PTR DS: [EDI 1], ESI
003822C6 C647 05 C3 MOV BYTE PTR DS: [EDI 5], 0C3; this is changed to RETN
003822CA 83C7 06 Add EDI, 6
003822CD 897C24 FC MOV DWORD PTR SS: [ESP-4], EDI
003822d1 837C24 2C 00 CMP DWORD PTR SS: [ESP 2C], 0
003822d6 EB 18 JMP Short 003822f0; This is again changed to JMP, which is to find the API003822D8 8BCE MOV ECX, ESI to find the way it directly push API or directly goes to the relevant DLL.
......
00381F50 8B85 49184100 MOV EAX, DWORD PTR SS: [EBP 411849]; here is the application space that jumped to the API just
00381F56 FFE0 JMP EAX; jump to getModuleHandlea
00381F58 60 Pushad
......
003754EB 8BF0 MOV ESI, EAX; obtained hmodule into ESI, first take Kernel32.dll
003754ed 8985 3A104100 MOV DWORD PTR SS: [EBP 41103A], EAX; put Hinstance (77E40000) into 3825DC
003754F3 8D9D 48104100 LEA EBX, DWORD PTR SS: [EBP 411048]
......
00375662 8DBD 26154100 LEA EDI, DWORD PTR SS: [EBP 411526]; Put "CloseHandle" Address 382AD4 in EDI
00375668 51 Push ECX; Push 21
......
0038232D 60 pushad; loop to find the API you want to find in DLL
0038232E 8B75 08 MOV ESI, DWORD PTR SS: [EBP 8]
...... ..
003823E5 61 POPAD
003823E6 8B45 FC MOV EAX, DWORD PTR SS: [EBP-4]
003823E9 C9 Leave
003823EA C2 0800 RETN 8; After finding it back
The API you want to find in Kernel32.dll is:
0012FF9C 00382AC8 ASCII "CloseHandle"
0012ff9c 00382ac8 ASCII "CREATEFILEA"
0012ff9c 00382ac8 ASCII "CREATEFILEMAPPINGA"
0012ff9c 00382ac8 ASCII "CREATTHREAD"
0012ff9c 00382ac8 ASCII "Deletefilea"
0012ff9c 00382ac8 ASCII "Deviceiocontrol"
0012FF9C 00382AC8 ASCII "EXITPROCESS"
0012ff9c 00382ac8 ASCII "FindResourceA"
0012FF9C 00382AC8 ASCII "getcommandlinea"
0012ff9c 00382ac8 ASCII "getFileSize" 0012FF9C 00382AC8 ASCII "getCurrentProcess"
0012ff9c 00382ac8 ASCII "getcurrentprocessid"
0012ff9c 00382ac8 ASCII "getcurrentthread"
0012ff9c 00382ac8 ASCII "getModuleHandlea"
0012ff9c 00382ac8 ASCII "getModuleFileName"
0012ff9c 00382ac8 ASCII "getTemppatha"
0012ff9c 00382ac8 ASCII "getversion"
0012ff9c 00382ac8 ASCII "LSTRCMPA"
0012ff9c 00382ac8 ASCII "LoadResource"
0012ff9c 00382ac8 ASCII "MapViewOffile"
0012ff9c 00382ac8 ASCII "ReadProcessMemory"
0012ff9c 00382ac8 ASCII "resetEvent"
0012ff9c 00382ac8 ASCII "STEVENT"
0012ff9c 00382ac8 ASCII "setLastError"
0012FF9C 00382AC8 ASCII "SetthreadPriority"
0012ff9c 00382ac8 ASCII "TerminateThread"
0012ff9c 00382ac8 ASCII "unmapViewoffile"
0012ff9c 00382ac8 ASCII "Virtualallocex"
0012ff9c 00382ac8 ASCII "VirtualFree"
0012ff9c 00382ac8 ASCII "VirtualProtect"
0012ff9c 00382ac8 ASCII "WaitforsingleObject"
0012ff9c 00382ac8 ASCII "WriteProcessMemory"
0012FF9C 00382AC8 ASCII "Writefile"
......
0037569d 0fb64b ff Movzx ECX, Byte Ptr DS: [EBX-1]
003756A1 8903 MOV DWORD PTR DS: [EBX], EAX; Removing API [EBX]
003756A3 03D9 Add EBX, ECX
003756A5 43 INC EBX
003756A6 59 POP ECX
003756A7 ^ E2 A2 Loopd Short 0037564B; Jump back to go back if not finished
003756A9 8DB5 8A0F4100 LEA ESI, DWORD PTR SS: [EBP 410F8A]; MOV ESI, "User32.dll"
...... ..
003757 Fe 56 Push ESI; Prepare for the process of User32. The API you want to take in the DLL 003757FF 90 NOP
........
0037581E 90 NOP
0037581F 8B85 060F4100 MOV EAX, DWORD PTR SS: [EBP 410F06]; First time use GETMODULEHANDLEA to determine whether the associated DLL is loaded
00375825 90 NOP
00375826 90 NOP
00375827 90 NOP
00375828 90 NOP
00375829 90 NOP
0037582A 90 NOP
0037582B E9 C2C50000 JMP 00381DF2; here is the JMP API call related API
00375830 90 NOP
00375831 0BC0 or Eax, EAX; If getModuleHandlea failed, it shows that the memory does not load related DLLs.
00375833 75 34 JNZ Short 00375869; If the associated DLL has been loaded, jump to the next step to take the API related to the DLL.
00375835 56 Push ESI; because User32.dll does not load, so shell is loaded with loadLibrary to load this DLL
00375836 90 NOP
00375855 90 NOP
00375856 8B85 0A0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0A]; LoadLibrary
0037585c 90 NOP
0037585D 90 NOP
0037585E 90 NOP
0037585F 90 NOP
00375860 90 NOP
00375861 90 NOP
00375862 E9 8BC50000 JMP 00381DF2; See here to jump to implement API, remember first, JMP 00381DF2 is to implement API, we don't have to follow
00375867 90 NOP
00375868 90 NOP
00375869 8BF0 MOV ESI, EAX; HModule after loading DLL into ESI
0037586B 8D9D 960F4100 LEA EBX, DWORD PTR SS: [EBP 410F96]
00375871 6A 0A PUSH 0A
00375873 59 POP ECX; MOV ECX, 0A, there is an action, here is a 0A related API00375874 8DBD 26154100 Lea EDI, DWORD PTR SS: [EBP 411526]
0037587A 53 PUSH EBX
......
003758B6 aa Stos Byte Ptr Es: [EDI]; it is this trick to get API
003758B7 5B POP EBX
003758B8 8DBD 26154100 Lea EDI, DWORD PTR SS: [EBP 411526]
.........
003758F8 8903 MOV DWORD PTR DS: [EBX], EAX; Takened API (EBX) [EBX]
003758FA 03D9 Add EBX, ECX
003758FC 43 INC EBX
003758FD 59 POP ECX
003758fe 49 DEC ECX
003758FF ^ 0F85 6fffffff jnz 00375874; Next step
00375905 8DB5 49124100 LEA ESI, DWORD PTR SS: [EBP 411249]
...... ..
00375905 8DB5 49124100 LEA ESI, DWORD PTR SS: [EBP 411249]; Now take the API in WS2_32.dll
0037590B 90 NOP
..........
00375A7B 8B85 060F4100 MOV EAX, DWORD PTR SS: [EBP 410F06]; GetModuleHandlea
00375A81 90 NOP
00375A82 90 NOP
00375A83 90 NOP
00375A84 90 NOP
00375A85 90 NOP
00375A86 90 NOP
00375A87 E9 66C30000 JMP 00381DF2
00375A8C 90 NOP
00375A8D 0BC0 or EAX, EAX; also judges that there is no DLL, no first LoadLibrarya
00375A8F 75 34 JNZ Short 00375AC5
00375A91 56 Push ESI
......
00375ACD B9 04000000 MOV ECX, 4; Take 4 APIs this time
The four APIs to be taken are:
00375B29 8903 MOV DWORD PTR DS: [EBX], EAX; WS2_32.wsasend
00375B29 8903 MOV DWORD PTR DS: [EBX], EAX; WS2_32.wsarecv00375b29 8903 MOV DWORD PTR DS: [EBX], EAX; WS2_32.send
00375B29 8903 MOV DWORD PTR DS: [EBX], EAX; WS2_32.Recv
......
00375B31 8DB5 72124100 LEA ESI, DWORD PTR SS: [EBP 411272]; Ok, now take the API in Advapi32.dll
...... ..
00375B31 8DB5 72124100 LEA ESI, DWORD PTR SS: [EBP 411272]; Ok, now take the API in Advapi32.dll
......
00375CF9 6A 08 Push 8
00375cfb 59 POP ECX; in ADVAPI32. 8 APIs in DLL
This eight:
00375D53 8903 MOV DWORD PTR DS: [EBX], EAX; Advapi32.CloseServiceHandle
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.ControlService
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.createServicea
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.deleteService
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.Openscmanagera
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.openServicea
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.QueryServiceStatus
00375D53 8903 MOV DWORD PTR DS: [EBX], Eax; Advapi32.StartServicea
......
00375D7B 8B85 E60F4100 MOV Eax, DWORD PTR SS: [EBP 410FE6]; After taking, start getforegroundwindow, you will know what to do :-)
00375d81 90 NOP
00375d82 90 NOP
......
00375E3D 8B85 CB0F4100 MOV EAX, DWORD PTR SS: [EBP 410FCB]; BT with enableWindow to track
00375E43 90 NOP
00375E44 90 NOP
......
00375E70 8B85 04114100 MOV EAX, DWORD PTR SS: [EBP 411104]; kernel32.GetCurrentthRead
00375E76 90 NOP
00375E77 90 NOP
00375E78 90 NOP
00375E79 90 NOP
00375E7A 90 NOP
00375E7B 90 NOP
00375E7C E9 71BF0000 JMP 00381DF2
......
00375EA6 8B85 B4114100 MOV EAX, DWORD PTR SS: [EBP 4111B4]; kernel32.SetthreadPriority
00375EAC 90 NOP
......
0012FF98 00375EB9 / Call to setthreadpriority
0012FF9C fffffffe | hthread = fffffe
0012FFA0 00000002 / priority = thread_priority_highest
......
00375eb9 50 Push EAX
00375EBA 52 Push EDX
00375EBB 51 PUSH ECX
00375EBC EB 01 JMP SHORT 00375EBF
00375ebe 90 NOP
00375EBF 0F31 RDTSC
00375EC1 8BC8 MOV ECX, EAX; RDTSC Time Anti-tracking
...... ..
00375ECD 90 NOP
00375ECE E8 38000000 Call 00375F0B
00375ed3 90 NOP
Going in and seeing something:
00375f0e 68 C2100000 PUSH 10C2
00375F13 E8 01000000 Call 00375F19
00375f18 90 NOP
00375F19 68 24080E68 Push 680E0824
00375f1e 68 90908344 Push 44839090
00375f23 FFE4 JMP ESP
00375f25 90 NOP
00375F26 C3 RETN
0012FF86 834424 08 0E Add DWORD PTR SS: [ESP 8], 0E
0012FF8B 68 185F3700 PUSH 375F18
0012FF90 C2 1000 RETN 10
......
00375edb 90 NOP
00375EDC E8 46000000 Call 00375f27; all of the garbage is from / LH
00375EE1 90 NOP
......
00375EF4 0F31 RDTSC00375EF6 83C4 04 Add ESP, 4
00375EF9 2BC1 SUB EAX, ECX
00375EFB 3D 00000200 CMP EAX, 2000; here is compared, if less than 2000, the program is tracking
00375F00 76 04 JBE Short 00375F06; Here you must jump
......
00375F3B 8B85 120F4100 MOV Eax, DWORD PTR SS: [EBP 410F12]; ImageBase (40000) into EAX
00375F41 0340 3C Add Eax, DWORD PTR DS: [EAX 3C]; Location PE Location
......
00376093 8B40 50 MOV Eax, DWORD PTR DS: [EAX 50]; SizeOf Image (C5AFA) into EAX
00376096 3385 260F4100 XOR EAX, DWORD PTR SS: [EBP 410F26]; [EBP 410F26] = [003824C8] = E033EF
0037609C 90 NOP
......
003761EA 90 NOP
003761EB 8B8D 020F4100 MOV ECX, DWORD PTR SS: [EBP 410F02]; MOV ECX, EC6915
003761F1 3BC1 CMP EAX, ECX
003761F3 8DB5 29144100 LEA ESI, DWORD PTR SS: [EBP 411429]; MOV ESI, 3829CB
003761F9 46 Inc ESI
......
003763a0 56 Push ESI; Push //.ntice
003763A1 90 NOP
003763A2 90 NOP
003763A3 90 NOP
003763A4 90 NOP
003763A5 90 NOP
003763A6 90 NOP
003763A7 90 NOP
003763A8 90 NOP
003763A9 90 NOP
003763AA 8D85 314E4000 LEA EAX, DWORD PTR SS: [EBP 404E31]; Preparation Check Debugger
003763B0 90 NOP
......
003763BF 90 NOP
003763c0 90 NOP
003763C1 8B85 55104100 MOV EAX, DWORD PTR SS: [EBP 411055]; kernel32.createfilea003763c7 90 NOP
......
003763D9 0F31 RDTSC; inspection process does not forget to use RDTSC method to reverse track
003763db 8bc8 MOV ECX, EAX
......
0037640D 90 NOP
0037640e 0f31 RDTSC
00376410 83C4 04 Add ESP, 4
00376413 2BC1 SUB EAX, ECX
00376415 3D 00000200 CMP EAX, 20000
0037641A 76 04 JBE Short 00376420; if you check it to OVER
0037641C 83C4 0C Add ESP, 0C
0037641F C3 RETN; jump to OVER
......
00376455 83F8 FF CMP EAX, -1
00376458 74 05 Je Short 0037645F; If you don't find it through the CreateFilea method, you will jump.
0037645A E9 F5CC0000 JMP 00383154; Jump to OVER if checking to the debugger
0037645F 56 Push ESI
00376461 / EB 06 JMP short 00376469
00376463 | F6D0 Not Al; Every time you execute, you don't forget to remove the character, good
00376465 | 8846 FF MOV BYTE PTR DS: [ESI-1], Al
00376468 | AC LODS BYTE PTR DS: [ESI]
00376469 / 0ac0 or Al, Al
0037646B ^ 75 F6 Jnz short 00376463; Continue if not yet
0037646D 5E POP ESI
0037647D 0F31 RDTSC; also detects the debugger in the time of time
0037647F 8BC8 MOV ECX, EAX
00376481 90 NOP
......
003764B2 0F31 RDTSC
003764B4 83C4 04 Add ESP, 4
003764B7 2BC1 SUB EAX, ECX
003764B9 3D 00000200 CMP Eax, 20000003764Be 76 04 JBE Short 003764C4; here
003764c0 83c4 0C Add ESP, 0C
003764C3 C3 RETN
......
003764F9 0BC9 or ECX, ECX; if it is not detected, go back to detect,
003764fb ^ 0f85 50feffff jnz 00376351
Test eight nine times
00376501 8cc9 MOV CX, CS
00376503 32C9 XOR CL, CL
00376505 0BC9 or ECX, ECX
00376507 0F84 01080000 JE 00376D0E; By default, it is jumped here, halo, here is jumping to detect if there is a debugger
......
00376DBE 90 NOP
00376DBF 8B85 060F4100 MOV EAX, DWORD PTR SS: [EBP 410F06]; kernel32.GetModuleHandlea
00376DC5 90 NOP
......
0012FF9C 00376DD1 / Call to getModuleHandlea
0012FFA0 00376D95 / PModule = "NTDLL.DLL"
......
00376f68 90 NOP
00376F69 E9 84AE0000 JMP 00381DF2; Jump to NTDLL. The API required in the DLL
00376F6E 90 NOP
For the first time, I will take Zwinformationthread.
003770BD 90 NOP
003770BE 8BF8 MOV EDI, EAX; NTDLL.ZWSETINFORMATIONTHREAD
003770c0 50 Push EAX
003770C1 52 Push EDX
003770c2 51 Push ECX
003770C3 EB 01 JMP Short 003770C6
003770c5 90 NOP
003770C6 0F31 RDTSC
003770C8 8BC8 MOV ECX, EAX; Many of this test debugger macro
003770CA 90 NOP
......
00377174 6A 00 PUSH 0; it is also used by the reverse test.
........
00377162 8B85 0411410> MOV EAX, DWORD PTR SS: [EBP 411104]; Kernel32.GetCurrentThread first get current thread information, then destroy 00377168 90 NOP
00377169 90 NOP
0037716A 90 NOP
0037716B 90 NOP
0037716C 90 NOP
0037716D 90 NOP
0037716E E9 7FAC0000 JMP 00381DF2
00377173 90 NOP
00377176 6A 00 PUSH 0
00377178 6A 11 Push 11
0037717A 50 Push EAX
0037717B 8D85 E85B4000 LEA EAX, DWORD PTR SS: [EBP 405BE8]
00377181 50 Push EAX
00377182 8BC7 MOV EAX, EDI; NTDLL.ZWSETINFORMATIONTHREAD
00377184 E9 69AC0000 JMP 00381DF2
......
0037718A 8D1D C9174100 LEA EBX, DWORD PTR DS: [4117C9]
00377190 833C2B 00 CMP DWORD PTR DS: [EBX EBP], 0; Text Section vsize
......
003771CC 8D042B Lea Eax, DWORD PTR DS: [EBX EBP]
003771FA 8B48 08 MOV ECX, DWORD PTR DS: [EAX 8]; Text Section vsize 40000
00377225 8B70 04 MOV ESI, DWORD PTR DS: [EAX 4]; Text Section Voffset
00377255 03B5 120F4100 Add ESI, DWORD PTR SS: [EBP 410F12]; Text Section Start Address
00377288 8BFE MOV EDI, ESI
003772B4 8D85 E4144100 LEA EAX, DWORD PTR SS: [EBP 4114E4]; 382A86
003772E3 50 Push EAX
0037730E 51 Push ECX
00377338 56 PUSH ESI
00377366 E8 D19F0000 Call 0038133C; Unexpected to TEXT
00377395 53 PUSH EBX
003773C3 6A 04 Push 4
003773ee 68 00100000 Push 1000
00377418 FF342B PUSH DWORD PTR DS: [EBX EBP] 0037741B 6A 00 PUSH 0
0037741D 8D85 Fe634000 Lea Eax, DWORD PTR SS: [EBP 4063FE]
00377423 50 Push EAX
...... ..
00377573 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]; kernel32.Virtualalloc
00377579 E9 74A80000 JMP 00381DF2
......
0012FF8C 003779A0 / CALL TO VIRTUALLOC
0012ff90 00000000 | Address = NULL
0012FF94 000A8000 | SIZE = a8000 (688128.)
0012FF98 00001000 | AllocationType = MEM_COMMIT
0012FF9C 00000004 / protect = Page_Readwrite
003779D4 8BF0 MOV ESI, EAX; Apply Space 9B0000 into ESI
003779fe 8bc3 MOV EAX, EBX; 4117C9
00377A2B 03C5 Add Eax, EBP; EAX == 382D68
00377A56 8B78 04 MOV EDI, DWORD PTR DS: [EAX 4]; MOV EDI, 1000
00377A84 03BD 120F4100 Add EDI, DWORD PTR SS: [EBP 410F12]; Convert to VA 401000
00377AB5 56 Push ESI; PUSH 9B0000
00377AE2 57 Push EDI; Push 401000
00377B17 8D85 9E654000 LEA EAX, DWORD PTR SS: [EBP 40659E]; EAX == 377B40
00377B21 50 Push EAX
00377B2E 8B85 7E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F7E]; 4B1151
After entering 4b1151, it is found or decompressed data.
00377B39 90 NOP
00377B3A E9 B3A20000 JMP 00381DF2; Jump to the decompression data, is the code of depack (APLIB)
00377B3F 90 NOP
......
00377B69 8B0C2B MOV ECX, DWORD PTR DS: [EBX EBP]; Push Size ?? a8000
00377B96 56 Push ESI; PUSH 9B0000, this step is to restore the relevant data back 00377BC1 51 PUSH ECX
00377BC2 C1E9 02 SHR ECX, 2; ECX = 2A000 puts the unzipped things to the 401000
00377BC5 F3: A5 Rep Movs DWORD PTR ES: [EDI], DWORD PTR DS>
ECX = 0002A000 (Decimal 172032.)
DS: [ESI] = [009B0000] = 00401004
ES: [EDI] = [00401000] = 0609B0A1
......
00377BC7 59 POP ECX
00377BC8 83e1 03 and ECX, 3
00377BCB F3: A4 Rep Movs byte PTR ES: [EDI], BYTE PTR DS: [>
ECX = 00000000 (Decimal 0.)
DS: [ESI] = [00A58000] = ???; here is this ?? I don't know, ask you a master.
ES: [EDI] = [004A9000] = 00
00377BF6 5E POP ESI; 009B0000
After the operation is completed, it starts to release the space for the original application.
00377cf6 90 NOP
00377CF7 8B85 F9114100 MOV EAX, DWORD PTR SS: [EBP 4111F9]; kernel32.Virtualfree
00377cfd 90 NOP
......
0012FF90 00377D0A / Call to VirtualFree
0012FF94 009B0000 | Address = 009B0000
0012FF98 00000000 | SIZE = 0
0012ff9c 00008000 / freetype = MEM_RELEASE
......
00377D64 83C3 0C Add EBX, 0C; 4117C9 0C
00377190 833C2B 00 CMP DWORD PTR DS: [EBX EBP], 0; [382D77] == 7584
003771CC 8D042B Lea Eax, DWORD PTR DS: [EBX EBP]; MOV Eax, 382D77
003771FA 8B48 08 MOV ECX, DWORD PTR DS: [EAX 8]; MOV ECX, 1E84
00377225 8B70 04 MOV ESI, DWORD PTR DS: [EAX 4]; MOV ESI, A9A7C
00377255 03B5 120F4100 Add ESI, DWORD PTR SS: [EBP 410F12]; Transfer to VA00377288 8BFE MOV EDI, ESI; into the converted VA (4A9A7C) into EDI
003772B4 8D85 E4144100 LEA EAX, DWORD PTR SS: [EBP 4114E4]; MOV Eax, 382A86
00377366 E8 D19F0000 Call 0038133C; 4A9A7C performs decompression code:
......
003773EE 68 00100000 Push 1000; Preparing for allocation space
......
00377573 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]; kernel32.Virtualalloc
00377579 E9 74A80000 JMP 00381DF2; Distribution space
0012FF8C 003779A0 / CALL TO VIRTUALLOC
0012ff90 00000000 | Address = NULL
0012ff94 00007584 | SIZE = 7584 (30084.)
0012FF98 00001000 | AllocationType = MEM_COMMIT
0012FF9C 00000004 / protect = Page_Readwrite
......
00377B2C 90 NOP
00377B2D 90 NOP
00377B2E 8B85 7E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F7E]; xxx.004b1151
00377B34 90 NOP
00377B35 90 NOP
00377B36 90 NOP
00377B37 90 NOP
00377B38 90 NOP
00377B39 90 NOP
00377B3A E9 B3A20000 JMP 00381DF2; re-decoding again
00377B3F 90 NOP
......
00377BC2 C1E9 02 SHR ECX, 2
00377BC5 F3: A5 Rep MOVS DWORD PTR ES: [EDI], DWORD PTR DS>; Unlocked the code at 4A9A7C
00377BC7 59 POP ECX; the author has used this macro
00377BC8 83e1 03 and ECX, 3
00377BCB F3: A4 Rep Movs Byte Ptr Es: [EDI], BYTE PTR DS: [>; Put the code in 41000
00377BCD 90 NOP
......
00377CF5 90 NOP00377CF6 90 NOP
00377CF7 8B85 F9114100 MOV EAX, DWORD PTR SS: [EBP 4111F9]; kernel32.Virtualfree
00377cfd 90 NOP; decompression is completed, release space
00377 CFE 90 NOP
......
00377D90 8DB5 BD694000 LEA ESI, DWORD PTR SS: [EBP 4069BD]
00377EE5 87E6 XCHG ESI, ESP; Unlike a code from 377f5f
00377EE7 B9 8C7D0000 MOV ECX, 7D8C; decompression size is 7d8c
00377EEC 58 POP EAX
00377EED 90 NOP
00377EF3 F6D0 NOT AL
00377F00 50 Push EAX
00377f07 44 Inc ESP
00377f0d ^ / E2 DD loopd short 00377EEC; if you do not decompress it, you will continue
......
00377f11 6A 04 Push 4
00377F13 68 00100000 Push 1000
00377F18 68 00200000 Push 2000
00377F1D 6A 00 Push 0
......
00377F3F 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]; kernel32.Virtualallococ
00377F45 90 NOP; allocated one space
0012FF90 00377F52 / Call to VirtualalocoC
0012ff94 00000000 | Address = NULL
0012FF98 00002000 | SIZE = 2000 (8192.)
0012FF9C 00001000 | AllocationType = MEM_COMMIT
0012ffa0 00000004 / protect = Page_Readwrite
......
00377F52 8985 51184100 MOV DWORD PTR SS: [EBP 411851], EAX; allocated space address 3F0000 into [382DF3]
00377F58 83A5 55184100 0> And DWORD PTR SS: [EBP 411855], 0
00377F5F 8B85 420F4100 MOV EAX, DWORD PTR SS: [EBP 410F42]; MOV Eax, 1
......
00377F92 0BC0 or Eax, EAX
00377F94 0F85 AF090000 JNZ 00378949; Judging whether EAX is 0 is not 0, it is to judge that IAT has no encryption. Because it is already 1, IAT is encrypted. ......
0037897C 0395 620F4100 Add Edx, DWORD PTR SS: [EBP 410F62]
00378982 8B3A MOV EDI, DWORD PTR DS: [EDX]; Judging IAT?
00378AD3 0BFF or EDI, EDI
00378AD5 75 05 JNZ Short 00378ADC; Jumping IAT
00378AD7 E9 89370000 JMP 0037C265; handling here
00378ADC 83C2 05 Add EDX, 5
......
00378C2E 8BF2 MOV ESI, EDX; DLL Name into ESI for the first time is Advapi32.dll
00378c30 56 Push ESI
......
00378C4F 90 NOP
00378c50 90 NOP
00378C51 8B85 060F4100 MOV Eax, DWORD PTR SS: [EBP 410F06]; kernel32.GetModuleHandlea
00378c57 90 NOP; first use getModuleHandlea to determine that the target DLL is loaded
......
00378C64 0BC0 or Eax, EAX
00378C66 75 3D JNZ Short 00378CA5; If it has been loaded, the next step is already loaded, otherwise use LoadLibrarya to load the DLL. If you follow, you will find it, this DLL has been loaded.
00378c68 56 Push ESI; Push DLL's name
...... ..
00378C89 8B85 0A0F4100 MOV Eax, DWORD PTR SS: [EBP 410F0A]; LoadLibrarya
00378C8F 90 NOP; loading DLL
......
00378C9A 90 NOP
00378c9b 90 NOP
00378C9C 0BC0 or Eax, Eax; if the load is successful, the next step
00378C9E 75 05 JNZ Short 00378CA5
00378CA0 E9 34A40000 JMP 003830D9; if the load failed to jump to OVER
00378CA5 EB 26 JMP Short 00378CCD00378CDA 68 E8EB6B3C PUSH 3C6BEBE8
......
00378F0F 8BF0 MOV ESI, EAX; obtained HModule into ESI
00378f11 0bc9 or ECX, ECX
00378F13 0F85 A5070000 JNZ 003796BE
00378F19 8BCF MOV ECX, EDI
......
0037906A 8B3A MOV EDI, DWORD PTR DS: [EDX]
0037906C 03BD 120F4100 Add EDI, DWORD PTR SS: [EBP 410F12]; RVA Convert to VA49A210
00379072 83C2 04 Add EDX, 4
00379075 51 PUSH ECX
00379076 0fb602 Movzx Eax, Byte Ptr DS: [EDX]
00379079 0BC0 or Eax, EAX
......
003793C8 61 POPAD
003793C9 8D95 26154100 LEA EDX, DWORD PTR SS: [EBP 411526]; First Take RegQueryValueexa into EDX
......
0037951D 90 NOP
0037951E 52 Push EDX; Push API Name
0037951F 56 Push ESI; PUSH HMODULE
00379520 90 NOP
......
00379540 8B85 Fe0E4100 MOV EAX, DWORD PTR SS: [EBP 410EFE]; 3824A0
00379546 90 NOP
00379547 90 NOP
00379548 90 NOP
00379549 90 NOP
0037954A 90 NOP
0037954B 90 NOP
0037954C E9 A1880000 JMP 00381DF2; GetProcAddress
00379551 90 NOP
00379552 90 NOP
00379553 E8 FC8E0000 CALL 00382454; Decision related API has no breakpoint, only one more
00379558 90 NOP
...... ..
003796A7 8907 MOV DWORD PTR DS: [EDI], EAX; put the API into the relevant location, the first is RegQueryValueexa
EAX = 77DA2410 (Advapi32.RegqueryValueexa)
DS: [0049A210] = 00000000003796A9 5A POP EDX
003796AA 0fb642 FF Movzx Eax, Byte Ptr DS: [EDX-1]
003796AE 03D0 Add Edx, EAX
003796B0 42 INC EDX
003796B1 59 POP ECX
003796B2 49 DEC ECX
003796B3 ^ 0f85 b1f9fffff jnz 0037906a; if it is not taken, go back to continue
The second time I take Oleaut32.dll, because this DLL is not loaded at the beginning, so this time you have to load.
Be careful when loading this DLL:
0012FF9C 00378C9C / Call to loadLibrarya
0012FFA0 00383CE7 / filename = "wsock32.dll"
......
00378F0F 8BF0 MOV ESI, EAX; obtained HModule into ESI
00378f11 0bc9 or ECX, ECX
00378F13 0F85 A5070000 JNZ 003796BE; after loading the above DLL, it will jump here, and there is no jump on the previous DLL.
00378F19 8BCF MOV ECX, EDI
00378f1b 68 00fe98c7 Push C798FE00
......
003796BE 8BCF MOV ECX, EDI; repositioning IAT
003796C0 81E1 ffffff7f and ecx, 7ffffffff
003796c6 51 Push ECX
003796C7 52 Push EDX
......
0037981A 6A 04 Push 4; Prepare allocation space
0037981C 68 00100000 PUSH 1000
00379821 51 PUSH ECX
00379822 6A 00 Push 0
00379844 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]; kernel32.Virtualallocococococ
0037984A 90 NOP
0037984B 90 NOP
0037984C 90 NOP
0037984D 90 NOP
0037984E 90 NOP
0037984F 90 NOP
00379850 E9 9D850000 JMP 00381DF2; jump to allocation space
00379856 8985 5E0F4100 MOV DWORD PTR SS: [EBP 410F5E], EAX; allocated space AB0000 Put [382500] 0037985C 5A POP EDX
0037985D 59 POP ECX
0037985e 60 pushad
0037985F 90 NOP
......
003799AE 8BD8 MOV EBX, EAX; put allocated space in EBX
003799B0 EB 17 JMP Short 003799C9
003799B2 8B3A MOV EDI, DWORD PTR DS: [EDX]
003799B4 03BD 120F4100 Add EDI, DWORD PTR SS: [EBP 410F12]; replace RVA to VA, first is 49A818
003799BA 891F MOV DWORD PTR DS: [EDI], EBX; Halo, here I want to destroy IAT
003799BC 83C3 20 Add EBX, 20
003799BF 0fb642 04 Movzx Eax, Byte Ptr DS: [EDX 4]
003799C3 03D0 Add Edx, EAX
003799C5 83C2 06 Add EDX, 6
003799C8 49 DEC ECX
003799C9 0BC9 or ECX, ECX
003799cb ^ 75 E5 Jnz Short 003799B2; If there is no destruction, go back and continue to destroy
......
00379A34 66: C707 FF35 MOV WORD PTR DS: [EDI], 35FF; Preparing to fill the real API to the space you just allocated
00379A39 90 NOP
......
00379B87 90 NOP
00379B88 C747 06 81342400 MOV DWORD PTR DS: [EDI 6], 243481; XOR DWORD PTR [ESP], xorkey
00379B8F 90 NOP
......
00379CDE 8947 02 MOV DWORD PTR DS: [EDI 2], EAX; Prepare to put into the back string
00379 CE1 90 NOP
00379D0E C647 0D C3 MOV BYTE PTR DS: [EDI D], 0C3; Putting RET
00379d12 52 push edx; here is also ready for time to check the debugger
......
00379E87 8947 09 MOV DWORD PTR DS: [EDI 9], EAX; Xorkey00379E8A 5A Pop Edx
00379E8B 83C7 20 Add EDI, 20
00379E8E 49 DEC ECX
00379E8F 0BC9 or ECX, ECX
00379E91 ^ 0F85 6dfbfffff jnz 00379A04; if there is no "filled" code, continue to destroy.
......
0037AE28 8B85 56114100 MOV EAX, DWORD PTR SS: [EBP 411156]; Comparison String
0037AE2E 90 NOP
......
0012FF8C 0037AE3A / Call to LSTRCMPA
0012FF90 00382986 | String1 = "loadLibrarya"
0012FF94 00382AC8 / STRING2 = "WSacleanup"
0012ff98 00382ac8 ASCII "WSACLEANUP"
......
0037AE3B 85C0 Test Eax, EAX
0037AE3D 75 0B JNZ Short 0037ae4a; Compare If you jump
I am looking for, I have to have a special encrypted API ??
Take a look at this table, there is something to "care".
003828A5 58 44 4C 4C 2E 44 4C 4C 00 46 75 6e 63 32 46 75 xdll.dll.func2fu
003828B5 6e 63 00 54 65 73 74 44 65 62 75 67 00 45 6e 43 nc.testdebug.enc
003828C5 72 79 70 74 00 44 65 43 72 79 70 74 00 43 52 43 rypt.decrypt.crc
003828D5 00 54 65 73 74 42 6D 70 00 43 72 65 61 74 65 44.testbmp.created
003828E5 69 61 6C 6F 67 50 61 72 61 6D 41 00 44 69 61 6C oreogparama.dial
003828F5 6F 67 42 6F 78 50 61 72 61 6D 41 00 44 65 62 75 OGBOXPARAMA.DEBU
00382905 67 42 72 65 61 6B 00 45 78 69 74 50 72 6F 63 65 GBREAK.EXITPROCE
Of 75 72 63 65 00 ss.freeresource.
00382925 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 47 GetProcAddress.g
00382935 65 74 56 65 72 73 69 6F 6E 00 47 65 74 4D 6F 64 ETVERSION.GETMOD
00382945 75 6C 65 48 61 6e 64 6C 65 41 00 47 65 74 43 75 UleHandlea.Getcu
00382955 72 72 65 6E 74 50 72 6F 63 65 73 73 00 47 65 74 RrentProcess.get00382965 43 75 72 72 65 6e 74 50 72 6F 63 65 73 73 49 64 CurrentProcessid
00382975 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41.GetcommandLinea
00382985 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 4C 6F.LoadLibrarya.lo
00382995 63 6B 52 65 73 6F 75 72 63 65 00 53 65 6E 64 4D CkResource.sendm
003829A5 65 73 73 61 67 65 41 00 73 65 6e 64 00 72 65 63 Essagea.send.rec
003829B5 76 00 V.
......
0037B124 85C0 Test Eax, EAX
0037B126 75 0B jnz short 0037b133; no jump for the second time
0037B128 8D85 09FE4000 LEA EAX, DWORD PTR SS: [EBP 40FE09]
0037B16E 5A POP EDX
0037B16F 85c0 Test Eax, EAX
0037B171 75 0B jnz short 0037b17e; the third time did not find
0037B1B9 5A POP EDX
0037B1BA 85C0 Test Eax, EAX
0037B1BC 75 0B JNZ Short 0037B1C9; Fourth time comparison
0037B204 5A POP EDX
0037B205 85C0 Test Eax, EAX
0037B207 75 0B jnz short 0037b214; fifth time
0037B209 8D85 67FE4000 LEA EAX, DWORD PTR SS: [EBP 40FE67]
0037B250 85C0 TEST EAX, EAX; Sixth
0037B252 75 0B jnz short 0037b25f
......
0037B3A1 / E9 4C6A0000 JMP 00381DF2; here is a bit different, this time it is not returning to one or two lines
0037B3A6 - | E9 8BC55052 JMP 52887936
0037B3AB | 51 PUSH ECX
A total of sixteen, compared this few APIs, respectively
LoadLibrarya
GetProcaddress
Getversion
GetModuleHandlea
GetCurrentProcessGetCurrentProcessid
Getcommandlinea
LockResource
Freeresource
EXITPROCESS
Dialogboxparama
CreateDialogparama
SendMessagea
Send
RECV
Debugbreak
......
0037BB1B 52 Push EDX; if you don't find it, get the API
0037bb1c 56 Push ESI
0037bb3c 90 NOP
0037BB3D 8B85 Fe0E4100 MOV EAX, DWORD PTR SS: [EBP 410EFE]
0037bb43 90 NOP
0037bb44 90 NOP
0037bb45 90 NOP
0037BB46 90 NOP
0037BB47 90 NOP
0037BB48 90 NOP
0037BB49 E9 A4620000 JMP 00381DF2; enter the acquisition API
0037BB4E 90 NOP
0037BB4F 8B9D 51184100 MOV EBX, DWORD PTR SS: [EBP 411851]; Second Layer Reset Bit ImageBase (003F0000)
0037BB55 039D 55184100 Add EBX, DWORD PTR SS: [EBP 411855]; Second layer reset bit relative address
0037BB5C 6A 00 Push 0
0037BB5E 50 Push EAX
0037BB5F 53 Push EBX
0037BB60 E8 F3630000 CALL 00381F58; Get the API address to become a way of a PUSH API, if not changed, the code shell will be drawn into the shell
0037BB65 2B85 51184100 SUB EAX, DWORD PTR SS: [EBP 411851]
0037BB6B 8985 55184100 MOV DWORD PTR SS: [EBP 411855], EAX
0037bb71 60 pushad
0037BB72 3D C01F0000 CMP EAX, 1FC0; Check if it is not enough to put things, if you are not enough, apply for a space
0037BB77 0F86 8A010000 JBE 0037BD07; We are enough here, so the shell is jumped here.
0037BB7D 6A 04 PUSH 4
0037BB7F 68 00100000 Push 1000; Generally I saw something like this, I know that ten is allocated.
0037BB84 68 00200000 PUSH 20000037BB89 6A 00 PUSH 0
0037BB8B 8D85 58A74000 LEA EAX, DWORD PTR SS: [EBP 40A758]
0037BB91 50 Push EAX
0037BB92 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]
0037BB98 E9 55620000 JMP 00381DF2; Jump Distribution Space
0037BB9D EB 64 JMP Short 0037BC03
0037BE57 5B POP EBX
0037BE58 8BC3 MOV EAX, EBX
0037Be5a 3347 09 XOR EAX, DWORD PTR DS: [EDI 9]
......
0037BFAC 8947 1C MOV DWORD PTR DS: [EDI 1C], Eax; still filled with
0037BFAF 5A POP EDX
0037C258 59 POP ECX
0037C259 49 DEC ECX
0037C25A ^ 0F85 39dcfffff jnz 00379E99; if there is no operation, go back to continue
0037C260 ^ / E9 1DC7FFFF JMP 00378982
0037C265 E8 0A000000 Call 0037C274; Handling IAT is over here
......
0037C293 90 NOP
0037C294 8B85 060F410> MOV EAX, DWORD PTR SS: [EBP 410F06]; Get NTDLL.DLL HMODULE
0037C29A 90 NOP
0037C29B 90 NOP
0037C29C 90 NOP
0037C29D 90 NOP
0037C29E 90 NOP
0037C29F 90 NOP
0037C2A0 E9 4D5B0000 JMP 00381DF2; GetModuleHandlea
......
0037c3f5 0bc0 or Eax, Eax; because my system is XP, so I will not jump here.
0037C3F7 0F84 E709000> JE 0037CDE4; if NTDLL is obtained. DLL fails to jump to the next step, don't know if it is going to add Win9x's way?
0037C43C 90 NOP
0037C43D 8B85 Fe0E410> MOV EAX, DWORD PTR SS: [EBP 410efe]; Jump to ZWQueryInformationProcess
0037C443 90 NOP
0037C444 90 NOP
0037C445 90 NOP
0037c446 90 NOP
0037c447 90 NOP
0037c448 90 NOP
0037C449 E9 A4590000 JMP 00381DF2; GetProcAddress
0037C44E 90 NOP
0037C44F 68 00fe9804 Push 498FE00
......
0037C59E 0BC0 or Eax, Eax; NTDLL.ZWQUERYINFORMATIONPROCESS
0037C5A0 0F84 3E08000> JE 0037CDE4; here is determined that there is no to take that API, if not taken, jump
......
0037C5CD 90 NOP
0037C5CE 8B85 DC10410> MOV EAX, DWORD PTR SS: [EBP 4110DC]; kernel32.getCurrentProcess
0037C5D4 90 NOP; get current process, see here, know he wants to do it.
......
0037C72F 8BF8 MOV EDI, EAX
0037c731 50 Push EAX
0037C732 8BC4 MOV EAX, ESP
......
0037c883 6a 00 push 0; arrive here, do not forget the bomb
0037C885 6A 04 PUSH 4
......
0037C9D6 50 Push EAX
0037C9D7 6A 07 PUSH 7
0037CB28 57 Push EDI
0037CB29 FFD6 Call ESI; NTDLL.ZWQUERYINFORMATIONPROCESS
......
0037cc7a 58 POP EAX
0037cc7b 0bc0 or Eax, EAX
0037CC7D 0F84 61010000 JE 0037CDE4; here is judged that the above API does not work
0037cc83 0f31 RDTSC
0037cc85 25 FF0F0000 and Eax, 0FFF
0037cc8a 05 00100000 Add Eax, 1000
... ..
0037CF39 8BF4 MOV ESI, ESP
0037CF3B 8BFC MOV EDI, ESP
......
0037D1E0 F3: AB Rep Stos DWORD PTR ES: [EDI]
0037D1E2 68 00010000 Push 100; Length ...
0037D336 56 PUSH ESI; buffer address
0037D337 8B85 120F4100 MOV EAX, DWORD PTR SS: [EBP 410F12]; HMODULE
0037D33D 90 NOP
......
0037D48C 50 Push Eax; xxx.00400000
0037D4AD 8B85 28114100 MOV EAX, DWORD PTR SS: [EBP 411128]; kernel32.GetModuleFileNamea
0037D4B3 90 NOP
0037D4B4 90 NOP
0037D4B5 90 NOP
0037D4B6 90 NOP
0037D4B7 90 NOP
0037D4B8 90 NOP
0037D4B9 E9 34490000 JMP 00381DF2; RUN API
......
0012FE94 0037D4BF / Call to getModuleFileNamea
0012FE98 00400000 | HMODULE = 00400000 (XXX)
0012FE9C 0012FEA4 | Pathbuffer = 0012FEA4
0012FEA0 00000100 / bufsize = 100 (256.)
......
0037D60E 6A 00 Push 0
0037D610 68 80000000 PUSH 80
0037D615 6A 03 Push 3
0037D617 6A 00 Push 0
0037D619 6A 03 Push 3
0037D61B 68 00000080 Push 80000000
0037D620 56 Push ESI; PUSH file name
0037D621 8D85 9AC04000 LEA EAX, DWORD PTR SS: [EBP 40C09A]
0037D627 50 Push EAX
0037D628 8B85 55104100 MOV EAX, DWORD PTR SS: [EBP 411055]; kernel32.createfilea
0037D62E E9 BF470000 JMP 00381DF2; Run API
......
0012FE84 0037D63C / Call to createfilea
0012FE88 0012FEA4 | filename = "xxxxxxx.exe"; in order to cause public anger .0012FE8C 80000000 | Access = generic_read
0012FE90 00000003 | Sharemode = file_share_read | file_share_write
0012FE94 00000000 | Psecurity = NULL
0012FE98 00000003 | MODE = Open_EXISTING
0012FE9C 00000080 | Attributes = Normal
0012FEA0 00000000 / HTemplateFile = NULL
......
0037D63C 8BD8 MOV EBX, EAX; HFILE = 40 TO EBX
0037D63E 81C4 00010000 Add ESP, 100
0037D644 6A 00 PUSH 0
0037D646 53 Push EBX; Push Hfile
......
0037D667 8B85 CF104100 MOV EAX, DWORD PTR SS: [EBP 4110CF]; kernel32.GetFileSize
0037D66D 90 NOP; get file size
0037D66E 90 NOP
0037D66F 90 NOP
0037D670 90 NOP
0037D671 90 NOP
0037D672 90 NOP
0037D673 E9 7A470000 JMP 00381DF2; Run API
......
0012ff98 0037d679 / call to getfilesize
0012ff9c 00000040 | HFILE = 00000040 (Window)
0012ffa0 00000000 / pfilesizehigh = NULL
......
0037D678 90 NOP
0037D679 8985 160F4100 MOV DWORD PTR SS: [EBP 410F16], EAX; file size into [3824B8]
0037D67F 6A 00 Push 0
0037D681 FFB5 160F4100 PUSH DWORD PTR SS: [EBP 410F16]; File Size
0037D687 6A 00 Push 0
0037D689 6A 02 PUSH 2
0037D68B 6A 00 PUSH 0
0037D68D 53 Push EBX; Push Hfile
0037D6AE 8B85 62104100 MOV EAX, DWORD PTR SS: [EBP 411062]; kernel32.createfilemappinga0037d6b4 90 NOP
0037D6B5 90 NOP
0037D6B6 90 NOP
0037D6B7 90 NOP
0037D6B8 90 NOP
0037D6B9 90 NOP
0037D6BA E9 33470000 JMP 00381DF2; shoot files into memory
0037D6BF 90 NOP
0037D6C0 8985 1A0F4100 MOV DWORD PTR SS: [EBP 410F1A], EAX; HMAP == 44
0037D6C6 6A 00 PUSH 0
0037D6C8 6A 00 PUSH 0
0037D6CA 6A 00 Push 0
0037D6CC 6A 04 PUSH 4
0037D6CE FFB5 1A0F4100 PUSH DWORD PTR SS: [EBP 410F1A]; Push HMAP
0037D6D4 8D85 4CC14000 Lea Eax, DWORD PTR SS: [EBP 40C14C]
0037D6DA 50 Push EAX
0037D6DB 8B85 6E114100 MOV EAX, DWORD PTR SS: [EBP 41116E]; kernel32.mapviewoffile
......
0012FF8C 0037D6EE / Call to mapViewoffile
0012FF90 00000044 | HMapObject = 00000044 (Window)
0012FF94 00000004 | AccessMode = file_map_read
0012FF98 00000000 | OffsetHigh = 0
0012FF9C 00000000 | Offsetlow = 0
0012FFA0 00000000 / MapSize = 0
......
0037D6EE 8985 1E0F4100 MOV DWORD PTR SS: [EBP 410F1E], EAX; PMAP == AF0000
0037D6F4 53 Push EBX; Push Hfile
0037D6F5 8B40 3C MOV EAX, DWORD PTR DS: [EAX 3C]; Location PE Part E_LFANEW
0037D6F8 8B8D 160F4100 MOV ECX, DWORD PTR SS: [EBP 410F16]; File size into ECX
0037D6FE 2BC8 SUB ECX, EAX
0037D700 8BB5 1E0F4100 MOV ESI, DWORD PTR SS: [EBP 410F1E]
0037D706 03F0 Add ESI, EAX; convert RVA to VA0037D708 E8 CD360000 Call 00380DDA; calculate the value of CRC
0037D70D 5B POP EBX
0037D70E 3385 260F4100 XOR EAX, DWORD PTR SS: [EBP 410F26]
0037D714 C1C8 03 ROR EAX, 3
0037D717 8BF0 MOV ESI, EAX; CRC value is 6d478F72
0037D719 8B85 1E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F1E]
......
0037D86E 0340 3C Add Eax, DWORD PTR DS: [EAX 3C]; Save the CRC value in the PE header reduction 4 :-)
0037D871 8B78 FC MOV EDI, DWORD PTR DS: [EAX-4]; file original calculation CRC value (6D478F72)
0037D874 FFB5 1E0F4100 PUSH DWORD PTR SS: [EBP 410F1E]
......
0037D897 90 NOP
0037D898 90 NOP
0037D899 90 NOP
0037D89A 8B85 D8114100 MOV EAX, DWORD PTR SS: [EBP 4111d8]; kernel32.unmapViewoffile
0037D8A0 90 NOP; After the value of the CRC, turn off the object
......
0037D8AB 90 NOP
0037D8AC FFB5 1A0F4100 PUSH DWORD PTR SS: [EBP 410F1A]; Push HMAP
0037D8B2 90 NOP
.......
0037D8D1 90 NOP
0037D8D2 8B85 48104100 MOV EAX, DWORD PTR SS: [EBP 411048]; kernel32.closehandle
0037D8D8 90 NOP
......
0012ff9c 0037d917 / call to closehandle
0012FFA0 00000040 / HOBJECT = 00000040 (Window); HFILE
......
0037D916 90 NOP
0037D917 8B85 4A0F4100 MOV Eax, DWORD PTR SS: [EBP 410F4A]; Judging whether CRC detection is required
......
0037DA6C 83F8 01 CMP EAX, 1
0037DA6F 75 08 JNZ Short 0037DA79; Do not perform CRC detection
0037DA71 3BF7 CMP ESI, EDI0037DA73 0F85 DB560000 JNZ 00383154; If the two CRCs are equal, they will not be jumped.
0037DA79 80BD C0164100 0> CMP BYTE PTR SS: [EBP 4116C0], 0; the value of the value is DF, determine if the CALL and JMP have been processed???
0037DA80 75 05 JNZ Short 0037DA87;
0037DA82 E9 31080000 JMP 0037E2B8
......
0037DA87 8BB5 41174100 MOV ESI, DWORD PTR SS: [EBP 411741]; Prepare from 401000 to start searching if there is 0e9 or 0e8
0037DA8D 03B5 120F4100 Add ESI, DWORD PTR SS: [EBP 410F12]; To VA 401000
0037DBE2 8B8D 45174100 MOV ECX, DWORD PTR SS: [EBP 411745]; MOV ECX, 10B0
0037DD37 83E9 05 SUB ECX, 5; 10B0-5
0037DD3A E9 6D050000 JMP 0037E2AC
0037DD3F 66: 8B06 MOV AX, Word PTR DS: [ESI]; each time two first comparisons are 0e8 if not jumping
0037DD42 3C E8 CMP AL, 0E8
0037DD44 0F85 C0010000 JNZ 0037DF0A; inequality
0037DD4A 8B46 01 MOV EAX, DWORD PTR DS: [ESI 1]; the same judgment is E8, if the four digits are taken, then determine if the following is DF if it is processed
0037DD4D C1C0 08 ROL Eax, 8
0037DD50 3A85 C0164100 CMP AL, BYTE PTR SS: [EBP 4116C0]
0037DD56 0F85 A3010000 JNZ 0037Deff; jump if it does not meet the conditions
0037DD5C 6A 00 Push 0
0037DD75 68 C5C18E05 PUSH 58EC1C5
0037DEF6 2B85 120F4100 SUB EAX, DWORD PTR SS: [EBP 410F12]; 0E8 and E9 processing, first SHR 8 and subtract the base address
0037DEFC 2946 01 Sub DWORD PTR DS: [ESI 1], EAX
0037Deff 83c6 04 Add ESI, 4
0037DF02 83E9 04 SUB ECX, 4
0037DF05 E9 A0030000 JMP 0037E2AA
0037DF0A 3C E9 CMP Al, 0e9; jumping down is 0e9, if not, then jump 0037DF0C 0F85 C0010000 JNZ 0037E0D2
0037DF12 8B46 01 MOV EAX, DWORD PTR DS: [ESI 1]; If you find it, move the four digits behind E9 to EAX
0037DF15 C1C0 08 ROL Eax, 8
0037DF18 3A85 C0164100 CMP AL, BYTE PTR SS: [EBP 4116C0]; This compare E9 first is not DF
0037DF1E 0F85 A3010000 JNZ 0037E0C7; if not, jump
0037DF24 6A 00 PUSH 0
0037DF53 68 C5C18E05 Push 58ec1c5
0037E0BE 2B85 120F410> SUB EAX, DWORD PTR SS: [EBP 410F12]; Take the removed value to subtract IMGBase
0037E0C4 2946 01 SUB DWORD PTR DS: [ESI 1], EAX; then fill in the calculated value
0037E0C7 83C6 04 Add ESI, 4; because it has been processed above, it is added 4
0037E0CA 83E9 04 SUB ECX, 4
0037E0CD E9 D8010000 JMP 0037E2AA
0037E0D2 3C 0F CMP Al, 0F; relatively low is 0F, not jump
0037E0D4 0F85 D001000> JNZ 0037E2AA
0037E0DA 80FC 7F CMP AH, 7F; compare high levels of 7F,
0037E0DD 0F86 C701000> JBE 0037E2AA
0037E0E3 80FC 90 CMP AH, 90
0037E0E6 / 0F83 be01000> JNB 0037E2AA
0037E0EC | 8B46 02 MOV EAX, DWORD PTR DS: [ESI 2]; Judgment is whether it is a remote condition to determine 0F84, if it is handled
0037E0EF | C1C0 08 ROL Eax, 8
0037E0F2 | 3A85 C016410> CMP AL, BYTE PTR SS: [EBP 4116C0]; Similarly, judgment is DF again
0037E0F8 | 0F85 A601000> JNZ 0037E2A4
... ..
0037E2AB 49 DEC ECX
0037E2AC 81F9 0000008> CMP ECX, 80000000; I don't understand CMP CEX, 0 can't it be ???
0037E2B2 ^ 0F82 87FAFFF> JB 0037DD3F
After processing, here
0037E40E 8B85 4A114100 MOV EAX, DWORD PTR SS: [EBP 41114A]; kernel32.getversion0037E414 E9 D9390000 JMP 00381DF2
......
0037E423 8985 15144100 MOV DWORD PTR SS: [EBP 411415], EAX; MOV 3829B7, A280105
......
0037E449 8B85 DC104100 MOV EAX, DWORD PTR SS: [EBP 4110DC]; kernel32.GetcurrentProcess
0037E44F 90 NOP
......
0037E5AA 8985 1D144100 MOV DWORD PTR SS: [EBP 41141D], EAX; procid (-1) to 3829bf
......
0037E5D0 8B85 EF104100 MOV Eax, DWORD PTR SS: [EBP 4110ef]; kernel32.GetCurrentProcessID
0037E5D6 90 NOP
......
0037E5E2 8985 21144100 MOV DWORD PTR SS: [EBP 411421], EAX; CURRENT Process ID (BE0)
EAX = 00000BE0
SS: [003829C3] = 00000000
......
0037E73E 8B85 BE104100 MOV EAX, DWORD PTR SS: [EBP 4110BE]; kernel32.Getcommandlinea
0037E744 E9 A9360000 JMP 00381DF2
......
0037E755 8985 25144100 MOV DWORD PTR SS: [EBP 411425], EAX; acquired command access [3829c7]
0037E75B 6A 00 PUSH 0
......
EAX = 00141EE0
SS: [003829C7] = 00000000
......
0037E77D 8B85 16114100 MOV EAX, DWORD PTR SS: [EBP 411116]; kernel32.GetModuleHandlea
0037E783 90 NOP
......
0012ff9c 0037E78F / Call to getModuleHandlea
0012FFA0 00000000 / PModule = NULL
......
0037E8DE 8985 19144100 MOV DWORD PTR SS: [EBP 411419], EAX; HMODULE (400000)
EAX = 00400000 (xxx.00400000), ASCII "MZP"
SS: [003829BB] = 00000000
......
0037EA8F 8B85 62104100 MOV Eax, DWORD PTR SS: [EBP 411062]; kernel32.createfilemappinga
0037EA95 90 NOP
0012FF88 0037EAA1 / CALL TO CREATEFILEMAPPINGA
0012ff8c fffffff | HFILE = fffffffff
0012FF90 00000000 | Psecurity = null0012ff94 00000004 | Protection = Page_Readwrite
0012FF98 00000000 | MaximumsizeHigh = 0
0012FF9C 00000100 | MaximumsiZelow = 100
0012FFA0 00382B00 / MAPNAME = "shelltmpmap"
......
0037EAA1 83F8 00 CMP EAX, 0; jump if it fails
0037EAA4 0F84 aa460000 je 00383154
0037EAAA 8985 C1164100 MOV DWORD PTR SS: [EBP 4116C1], EAX; HMAP = 40
Eax = 00000040
SS: [00382C63] = 00000000
......
0037EADC 8B85 6E114100 MOV EAX, DWORD PTR SS: [EBP 41116E]; kernel32.mapviewoffile
0037EAE2 90 NOP
......
0037EAE8 / E9 05330000 JMP 00381DF2
0037EAED | 90 NOP
0037EAEE | 8985 D1164100 MOV DWORD PTR SS: [EBP 4116D1], EAX; PMApping = AF0000
......
0037EB03 8B85 15144100 MOV EAX, DWORD PTR SS: [EBP 411415]
0037EB09 3D 00000080 CMP EAX, 80000000
0037EB0E 73 19 JNB Short 0037EB29; Judgment The system is Win9X or WinNT, we are Windows XP, so we will not jump
0037EB10 64: FF35 3000000> PUSH DWORD PTR FS: [30]; here is the same as ISDebuggerPresent, detect Ring Level 3 debugger
0037EB17 58 POP EAX
0037EB18 0FB658 02 MOVZX EBX, BYTE PTR DS: [EAX 2]; We can also write D fs: [30] 2
0037EB1C 0Adb or BL, BL
0037EB1E 0F85 30460000 JNZ 00383154; if the debugger jumps to OVER
0037EB24 E9 77010000 JMP 0037ECA0; jump to the NT part
......
0037EC 8BB5 3A0F4100 MOV ESI, DWORD PTR SS: [EBP 410F3A]
0037ECA6 0BF6 or ESI, ESI
0037ECA8 0F84 EA020000 JE 0037EF98; jumping here
......
0037EF98 8CC9 MOV CX, CS
0037EF9A 32C9 XOR CL, CL0037EF9C 0BC9 or ECX, ECX
0037EF9E 0F84 7F010000 JE 0037F123; I went to INT1 unusual words.
......
0037F136 64: FF35 0000000> Push DWORD PTR FS: [0]
0037F13D 64: 8925 0000000> MOV DWORD PTR FS: [0], ESP
0037F144 33C0 XOR EAX, EAX
0037F146 CD 01 INT 1; INT 1 abnormal
0037F148 40 Inc EAX
0037F149 40 Inc EAX
0037F14A 0BC0 or EAX, EAX
0037F14C 64: 8F05 0000000> POP DWORD PTR FS: [0]
0037F153 58 POP EAX
0037F154 0F84 fa 3f0000 JE 00383154
......
0037f2e3 8b85 6E0F4100 MOV Eax, DWORD PTR SS: [EBP 410F6E]; Judging Does HOOK JMP
0037f2e9 0BC0 or Eax, EAX
0037f2eb 0f84 2A040000 JE 0037F71B; if not jumped
......
0037F2F6 8DB5 991B4000 LEA ESI, DWORD PTR SS: [EBP 401B99]
Address = 0037313B
ESI = 00000000
......
0037F44B 03F0 Add ESI, EAX
EAX = 00012BFA
ESI = 0037313B
......
0037F44B 03F0 Add ESI, EAX
0037F44D 68 DBF0C5C8 PUSH C8C5F0DB
0037F452 8B1E MOV EBX, DWORD PTR DS: [ESI]; Used to calculate the value ?? [385d35] = 94A1C
0037F454 68 6B39764F PUSH 4F76396B
0037F459 039D 120F4100 Add EBX, DWORD PTR SS: [EBP 410F12]; convert the project of the hook table to VA (494A1C)
0037F45F 68 D936FBC8 PUSH C8FB36D9
......
0012ff94 31c9 xor ECX, ECX; people who put the code in the ESP to b, ^ _ ^
0012FF96 890E MOV DWORD PTR DS: [ESI], ECX; Clear data in the store
0012FF98 83C6 04 Add ESI, 4; Take the address of ESI 4 to [EBX]
0012FF9B 8933 MOV DWORD PTR DS: [EBX], ESI; put the address of the first layer in the target program 0012ff9d 0fb70e Movzx ECX, Word PTR DS: [ESI]; Non-land ESI's first in the address of ECX
0012ffa0 46 Inc ESI
0012ffa1 46 Inc ESI
0012ffa2 C3 RETN
; ------------------------------------------------- ---------------------------
Here is the JMP Tabel that has taken evacuation in the encrypted address.
; ------------------------------------------------- ---------------------------
0037F70B 2956 02 SUB DWORD PTR DS: [ESI 2], EDX; Processing MainForm
0037F70E 015e 02 Add DWORD PTR DS: [ESI 2], EBX
0037F711 0fb706 Movzx Eax, Word PTR DS: [ESI]
0037F714 03F0 Add ESI, EAX
0037F716 49 DEC ECX
0037F717 0BC9 or ECX, ECX
0037f719 ^ 75 f0 Jnz Short 0037F70B
......
0037F5AE 8B9D 120F4100 MOV EBX, DWORD PTR SS: [EBP 410F12]; IMGBase into EBX
......
0037F71B 6A 04 Push 4; Prepare allocation space, because IAT is already encrypted, so it will come here
0037F71D 68 00100000 PUSH 1000
0037F722 68 00100000 PUSH 1000
0037F727 6A 00 PUSH 0
0037f748 90 NOP
0037F749 8B85 0E0F4100 MOV EAX, DWORD PTR SS: [EBP 410F0E]; kernel32.Virtualallococ
0037F74F 90 NOP
......
0012FF84 0037F75B / Call to Virtulalloc
0012FF88 00000000 | Address = NULL
0012FF8C 00001000 | SIZE = 1000 (4096.)
0012FF90 00001000 | AllocationType = MEM_COMMIT
0012FF94 00000004 / protect = Page_Readwrite
......
0037F75B 8985 860F4100 MOV DWORD PTR SS: [EBP 410F86], EAX; allocated space B00000 into [00382528]
0037F761 8185 860F4100 0> Add dword PTR SS: [EBP 410F86], 10000037F76B 64: FF35 3000000> Push DWORD PTR FS: [30]; I don't know what to use :-(.
0037F8C2 85c0 Test Eax, EAX
0037F8C4 78 12 JS SHORT 0037F8D8
0037F8C6 8B40 0C MOV EAX, DWORD PTR DS: [EAX C]
0037F8C9 8B40 0C MOV EAX, DWORD PTR DS: [EAX C]
0037F8CC C740 20 0010000> MOV DWORD PTR DS: [EAX 20], 1000; anti-DUMP, change to 1000, if no correction is required, the size is 1000
0037F8D3 / E9 AF010000 JMP 0037FA87; jump to VirtualProtect
0037F8D8 6A 00 Push 0
0037F8E3 8D85 6AE34000 LEA EAX, DWORD PTR SS: [EBP 40E36A]
0037f8ed 50 Push EAX
0037F8FA 8B85 060F4100 MOV EAX, DWORD PTR SS: [EBP 410F06]; kernel32.GetModuleHandlea
0037F906 / E9 E7240000 JMP 00381DF2
0037F90B | 90 NOP
0037F90C | 85D2 Test EDX, EDX
0037f90e | 0F89 73010000 JNS 0037FA87
0037F914 | 837A 08 FF CMP DWORD PTR DS: [EDX 8], - 1
0037F918 | 0F85 69010000 JNZ 0037FA87
0037F91E | 8B52 04 MOV EDX, DWORD PTR DS: [EDX 4]
0037F921 | C742 50 0010000> MOV DWORD PTR DS: [EDX 50], 1000; Anti Dump
0037F928 | 64: FF35 2000000> Push DWORD PTR FS: [20]
0037F92F | 58 POP EAX
......
0037FAB8 8B85 06124100 MOV EAX, DWORD PTR SS: [EBP 411206]; kernel32.VirtualProtect
0037FABE 90 NOP
......
0012FF80 0037FACA / CALL TO VIRTUALPROTECT
0012FF84 00400000 | Address = xxx.00400000
0012FF88 00001000 | SIZE = 1000 (4096.)
0012FF8C 00000004 | NewProtect = Page_Readwrite
0012FF90 0012FF94 / POLDPROTECT = 0012FF94
......
0037FACA 83C4 04 Add ESP, 40037FACD 0BC0 or Eax, EAX
0037FACF 0F84 5E010000 JE 0037FC33; Decision operation is successful, no success, jump
0037FAD5 8B95 120F4100 MOV EDX, DWORD PTR SS: [EBP 410F12]; MOV EDX, 400000
0037FADB 0352 3C Add EDX, DWORD PTR DS: [EDX 3C]; Location PE Part
0037Fade 8B42 30 MOV Eax, DWORD PTR DS: [EDX 30]; BaseOfdata (97000) into Eax
......
0037FC2F 90 NOP
0037FC30 8942 2C MOV DWORD PTR DS: [EDX 2C], EAX; BaseOfdata Put 40012C
0037FC33 8DB5 94144100 LEA ESI, DWORD PTR SS: [EBP 411494]
0037FC39 8BFE MOV EDI, ESI
0037FC3B B9 4F000000 MOV ECX, 4F
0037FC40 EB 05 JMP Short 0037FC47
0037FC42 AC LODS BYTE PTR DS: [ESI]; here restore secret message :-)
0037FC43 2C 80 SUB AL, 80
0037FC45 aa Stos Byte Ptr ES: [EDI]
0037FC46 49 DEC ECX
0037FC47 0BC9 or ECX, ECX
0037FC49 ^ 75 F7 JNZ Short 0037FC42
0037FC58 / EB 05 JMP Short 0037FC5F
0037FC5A | AC LODS BYTE PTR DS: [ESI]; After the display is displayed again
0037FC5B | 04 80 Add Al, 80
0037FC5D | aa stos byte PTR ES: [EDI]
0037FC5E | 49 DEC ECX
0037FC5F / 0BC9 or ECX, ECX
0037FC61 ^ 75 F7 JNZ Short 0037FC5A
0037FC63 8B85 520F4100 MOV EAX, DWORD PTR SS: [EBP 410F52]
0037FC69 83F8 01 CMP EAX, 1
0037FC6C 75 45 JNZ Short 0037FCB3; here is not a sign, below, just a settimer below
0037FC6E 8D85 700D4100 LEA EAX, DWORD PTR SS: [EBP 410D70]
0037FC74 50 Push Eax; 3823120037FC75 68 D0070000 Push 7D0
0037FC7A 68 14030000 Push 314
0037FC7F 6A 00 Push 0
0037FCA1 8B85 26104100 MOV Eax, DWORD PTR SS: [EBP 411026]; user32.settimer
......
0012FF90 0037FCB3 / Call to setTimer
0012FF94 00000000 | HWND = NULL
0012FF98 00000314 | Timerid = 314 (788.)
0012FF9C 000007D0 | TIMEOUT = 2000. MS
0012FFA0 00382312 / TimerProc = 00382312
......
0037FCB3 83BD 720F4100 0> CMP DWORD PTR SS: [EBP 410F72], 0; What is the value here???
0037FCBA 74 2F JE SHORT 0037FCEB
0037FCBC 8B8D 120F4100 MOV ECX, DWORD PTR SS: [EBP 410F12]; MOV ECX, 400000
0037FCC2 2B8D 360F4100 SUB ECX, DWORD PTR SS: [EBP 410F36]
0037FCC8 8DBD 991B4000 LEA EDI, DWORD PTR SS: [EBP 401B99]
0037FCCE 03BD 720F4100 Add EDI, DWORD PTR SS: [EBP 410F72]; here added the value is the start address of the shell execution program code, my 00385E69
0037FCD4 8DB5 991B4000 LEA ESI, DWORD PTR SS: [EBP 401B99]
0037FCDA 03B5 760F4100 Add ESI, DWORD PTR SS: [EBP 410F76]
0037FCE0 Ad Lods DWORD PTR DS: [ESI]
0037fce1 EB 04 JMP Short 0037fCE7
0037FCE3 010C38 Add DWORD PTR DS: [EAX EDI], ECX
0037fce6 Ad Lods DWORD PTR DS: [ESI]
0037fce7 0BC0 or EAX, EAX
0037fce9 ^ 75 F8 JNZ Short 0037FCE3
0037fceb 8b85 720F4100 MOV EAX, DWORD PTR SS: [EBP 410F72]
......
0037fceb 8b85 720F4100 MOV EAX, DWORD PTR SS: [EBP 410F72]
0037FE40 0385 120F4100 Add Eax, DWORD PTR SS: [EBP 410F12]; change to VA 412D2E
0037FF95 894424 EC MOV DWORD PTR SS: [ESP-14], EAX; XXX.00412D2E
0037FFC6 896C24 E8 MOV DWORD PTR SS: [ESP-18], EBP0037FFF7 83A5 560F4100 0> And DWORD PTR SS: [EBP 410F56], 0
00380015 33c0 xor Eax, EAX; XXX.00412D2E
00380044 8DB5 991B4000 LEA ESI, DWORD PTR SS: [EBP 401B99]
00380061 B9 65F30000 MOV ECX, 0F365
00380093 C1E9 02 SHR ECX, 2
00380096 EB 08 JMP Short 003800A0
00380098 AD LODS DWORD PTR DS: [ESI]
00380099 3185 560F4100 XOR DWORD PTR SS: [EBP 410F56], EAX; calculates the last Cr Key = D3A1E72D
0038009F 49 DEC ECX
003800A0 0BC9 or ECX, ECX
003800A2 ^ 75 F4 Jnz Short 00380098; Continue if not calculated
003800D7 E8 48000000 Call 00380124; here into an int 3 abnormality
003800DC 8B4C24 0C MOV ECX, DWORD PTR SS: [ESP C]
003800E0 FF81 B8000000 INC DWORD PTR DS: [ECX B8]
003800E6 33c0 XOR EAX, EAX
003800E8 3341 04 xor Eax, DWORD PTR DS: [ECX 4]
003800EB 0341 08 Add Eax, DWORD PTR DS: [ECX 8]
003800EE 3341 0C XOR EAX, DWORD PTR DS: [ECX C]
003800F1 0341 10 Add Eax, DWORD PTR DS: [ECX 10]
003800F4 0181 B0000000 Add DWORD PTR DS: [ECX B0], EAX
003800FA 60 Pushad
003800FB 8D71 04 LEA ESI, DWORD PTR DS: [ECX 4]
003800FE 8BA9 B4000000 MOV EBP, DWORD PTR DS: [ECX B4]
00380104 8DBD 6D184100 LEA EDI, DWORD PTR SS: [EBP 41186D]
0038010A 81C7 08010000 Add EDI, 108
00380110 B9 06000000 MOV ECX, 6
00380115 83BD 220F4100 0> CMP DWORD PTR SS: [EBP 410F22], 0
0038011C 75 02 JNZ Short 00380120
0038011E F3: A5 Rep Movs DWORD PTR ES: [EDI], DWORD PTR DS> 00380120 61 Popad
00380121 33c0 xor Eax, EAX
00380123 C3 RETN
00380124 33c9 xor ECX, ECX
00380126 64: FF31 PUSH DWORD PTR FS: [ECX]
00380129 64: 8921 MOV DWORD PTR FS: [ECX], ESP
0038012C CC INT3
0038012D 90 NOP
0038012e 64: 8F01 Pop DWORD PTR FS: [ECX]
00380131 83C4 04 Add ESP, 4
00380134 8985 560F4100 MOV DWORD PTR SS: [EBP 410F56], EAX
0038013A 8B85 220F4100 MOV Eax, DWORD PTR SS: [EBP 410F22]
0038028F 0BC0 or EAX, EAX
00380291 0F85 57040000 JNZ 003806ee
......
00380558 8DBD 8FF44000 LEA EDI, DWORD PTR SS: [EBP 40F48F]
0038055e b9 0000000 MOV ECX, 0
00380563 AD LODS DWORD PTR DS: [ESI]
00380564 / E9 71010000 JMP 003806DA
003806DA 0BC0 or EAX, EAX
003806dc ^ 0f85 87feffff jnz 00380569; Continue
......
00380569 03C1 Add Eax, ECX
0038056B 68 033C0101 PUSH 1013C03
00380570 8946 FC MOV DWORD PTR DS: [ESI-4], EAX
00380573 68 2CBF3C57 PUSH 573CBF2C
00380578 25 ffffff7f and eax, 7ffffff; remove the 80xxxx in front
0038057D 68 62A73AA1 PUSH A13AA762
00380582 8BC8 MOV ECX, EAX
00380584 68 6204ef04 push 4ef0462
00380589 0385 120F4100 Add Eax, DWORD PTR SS: [EBP 410F12]; Convert to VA401256
0038058F 52 Push EDX; xxx.00400100
Now enter the stack in the stack to execute the code:
0012ff94 89fb MOV EBX, EDI; people who put the code in the ESP to b, ^ _ ^
0012FF96 29C3 SUB EBX, EX; Clear Data 0012FF98 8958 FC MOV DWORD PTR DS: [EAX-4], EBX; Take the address of ESI 4 to [EBX]
0012FF9B 66: C740 FA 90E8 MOV Word PTR DS: [EAX-6], 0E890; put the address of the first layer in the target program
0012ffa1 C3 RETN
0038086A 03B5 120F4100 Add ESI, DWORD PTR SS: [EBP 410F12]; 401000 (start address)
00380870 8B8D 45174100 MOV ECX, DWORD PTR SS: [EBP 411745]; 198C (Size)
00380876 E8 5F050000 Call 00380DDA; CRC detection
0038087B 8985 2A0F4100 MOV DWORD PTR SS: [EBP 410F2A], EAX; detected value of 2A954338 (not necessarily equal)
00380881 8BC5 MOV EAX, EBP; EBP = FFF715A2
00380883 8DB5 6D184100 LEA ESI, DWORD PTR SS: [EBP 41186D]; 382E0F
00380889 0146 04 Add DWORD PTR DS: [ESI 4], EAX
0038088C 0146 08 Add DWORD PTR DS: [ESI 8], EAX
0038088F 83C6 20 Add ESI, 20
00380892 0146 04 Add DWORD PTR DS: [ESI 4], EAX
00380895 83C6 20 Add ESI, 20
00380898 0146 04 Add DWORD PTR DS: [ESI 4], EAX
0038089B 0146 08 Add DWORD PTR DS: [ESI 8], EAX
0038089E 83C6 20 Add ESI, 20
003808A1 0146 04 Add DWORD PTR DS: [ESI 4], EAX
003808A4 83C6 20 Add ESI, 20
003808A7 0146 04 Add DWORD PTR DS: [ESI 4], EAX
003808AA 83C6 20 Add ESI, 20
003808AD 0146 04 Add DWORD PTR DS: [ESI 4], EAX
003808B0 83C6 20 Add ESI, 20
003808B3 0146 04 Add DWORD PTR DS: [ESI 4], EAX
003808B6 83C6 20 Add ESI, 20
003808B9 0146 04 Add DWORD PTR DS: [ESI 4], EAX
003808BC 8DB5 69184100 LEA ESI, DWORD PTR SS: [EBP 411869] 003808C2 0106 Add DWORD PTR DS: [ESI], EAX
003808C4 8D85 8D194100 LEA EAX, DWORD PTR SS: [EBP 41198D]
......
00380a1a 64: FF35 0000000> Push DWORD PTR FS: [0]; again INT3 abnormal
00380A21 64: 8925 0000000> MOV DWORD PTR FS: [0], ESP
00380A28 33C0 XOR EAX, EAX
00380A2A 8B00 MOV EAX, DWORD PTR DS: [EAX]
00380A2C 90 NOP
00380A2D 90 NOP
00380A2E CC INT3
After the arrival here, there are still a few exceptions, but I feel that there is no value, and then, I may have to be busy this time, so I will write a place first, and write the next article. Now we can go directly at the draw code.
OEP code retrieves and fixes, if there is time to write as soon as possible, there is no way to don't have time :-(.
In the end, I have to thank XXX (the name is not said), if there is no such article, I may have no confidence with this shell, and there are many parts that don't understand in the shell, too I have learned from him, thank you!!!
Last finished
Greetz:
Fly, Jingulong, Yock, TDASM, David, Ahao, Vcasm, Ufo (Brother), ALAN (Sister), HEXPE, HEXER, All of My Friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen # Tom.com
