[Observation]: PESPIN 1.0 main program
[Tu]: Olydbg1.1
[Renuction]: Grab its clothes, light. Haha
[Operation Platform]: WinXP Pro SP1
[Author]: loveboom [dfcg] [fcg] [US]
【Related Links】:
http:/pespin.w.interia.pl/ (Author's official site)
[Brief Description]: I have been there for so long, I haven't written any article for a long time. Seeing other friends in progress, I feel that I am really old :-). Write this article is also given to a gift in Mid-Autumn Festival, I wish you all a happy Mid-Autumn Festival! Good health! Work smoothly!!
[Detailed Procedure]:
The setting has nothing special, because this time I want to see a little bit, so it is slowly. Open all the exceptions.
00410087> 90 NOP; EP, housing, is a spam code, so I directly nop dropped it.
00410088 90 NOP
00410089 90 NOP
0041008A 60 Pushad
0041008B E8 00000000 Call 00410090
00410090 8B1C24 MOV EBX, DWORD PTR SS: [ESP]; here is POP EBX
00410093 83C3 12 Add EBX, 12
00410096 812B E8B10600 SUB DWORD PTR DS: [EBX], 6B1E8; Dynamic change code
0041009c fe4b fd dec Byte Ptr DS: [EBX-3]
0041009F 812C24 E02A4000 SUB DWORD PTR SS: [ESP], 00402AE0
004100A6 DC9E 83B17501 FCOMP QWORD PTR DS: [ESI 175B183]
004100ac 90 NOP
004100AD 8173 04 D77AF72> XOR DWORD PTR DS: [EBX 4], 2FF77AD7; also dynamically generated code
004100B4 8173 19 770043B> XOR DWORD PTR DS: [EBX 19], B7430077
004100BB 81C3 28000000 Add EBX, 28
004100C1 F9 STC; Setup
004100C2 FFE3 JMP EBX
004100C4 C9 Leave
004100C5 C2 0800 RETN 8
004100C8 90 NOP
004100C9 90 NOP
004100CA 72 01 JB Short 004100CD; It is actually JMP XXX because the C flag has been set up.
004100cc 90 NOP
004100CD 5D POP EBP
004100ce 33c9 xor ECX, ECX
004100D0 41 INC ECX
004100D1 E2 17 LOOPD SHORT 004100EA004100D3 / EB 07 JMP SHORT 004100DC
004100D5 | 90 NOP
004100D6 | EB 01 JMP Short 004100D9
004100D8 | 90 NOP
004100D9 | EB 0D JMP Short 004100E8
004100db | 90 NOP
004100DC / E8 01000000 CALL 004100E2
004100E1 90 NOP
004100E2 5A POP EDX
004100E3 83EA 0B SUB EDX, 0B
004100E6 FFE2 JMP EDX; this shell is much like this.
004100F1 8B95 D2424000 MOV EDX, DWORD PTR SS: [EBP 4042D2]; [EBP 4042D2] = 4042d2 D5B0 is stored by the program's IMGBase
004100F7 8B42 3C MOV EAX, DWORD PTR DS: [EDX 3C]; this is not to take PE So in place 3C
004100fa 03c2 Add Eax, EDX; additional PE file is the beginning of the PE file
004100FC 8985 DC424000 MOV DWORD PTR SS: [EBP 4042DC], EAX; PE file start at 4000D0 Disposal [EBP 4042DC]
00410102 EB 02 JMP short 00410106
00410104 90 NOP
00410105 90 NOP
00410106 F9 STC; here is also a significant deformation JMP
00410107 72 08 JB Short 00410111
00410109 73 0e jnb short 00410119
0041010B F9 STC
0041010C 830424 17 Add DWORD PTR SS: [ESP], 17
00410110 C3 RETN
00410111 E8 04000000 CALL 0041011A
00410116 90 NOP
00410117 F5 CMC
00410118 73 11 JNB Short 0041012B; again a pile of garbage code
0041011A EB 06 JMP short 00410122
0041011C 90 NOP
0041011d ^ 72 ED JB SHORT 0041010C
0041011f 1F POP DS; Modification of segment register00410120 EB 07 JMP Short 00410129
00410122 F5 CMC; here is to clear the C flag, so it will not jump below (actually reflect)
00410123 72 0e jb short 00410133
00410125 F5 CMC; reverse it again, this time will jump
00410126 ^ 72 F8 JB Short 00410120
00410128 90 NOP
00410129 ^ EB EC JMP Short 00410117
0041012B 830424 07 Add DWORD PTR SS: [ESP], 7
0041012F F5 CMC
00410130 FF3424 PUSH DWORD PTR SS: [ESP]; PESPIN.0041011D
00410133 C3 RETN
00410134 41 Inc ECX
00410135 C1E1 07 SHL ECX, 7
00410138 8B0C01 MOV ECX, DWORD PTR DS: [ECX EAX]; START Address in CODE
0041013b 03ca add ECX, EDX; ECX is the start RVA to save the CODE segment
......
0041014E 8B59 10 MOV EBX, DWORD PTR DS: [ECX 10]
00410151 03DA Add EBX, EDX
00410153 8B1B MOV EBX, DWORD PTR DS: [EBX]
00410155 899D F0424000 MOV DWORD PTR SS: [EBP 4042F0], EBX; [EBP 4042F0] Store the address of MessageBox?
0041015B 53 PUSH EBX
0041015C 8F85 94414000 POP DWORD PTR SS: [EBP 404194]; [EBP 404194] Store the address of MessageBox?
00410162 BB E1000000 MOV EBX, 0E1
00410167 b9 8c0b0000 MOV ECX, 0B8C; SIZE to be extracted
0041016C 8DBD 80434000 LEA EDI, DWORD PTR SS: [EBP 404380]
00410172 4F DEC EDI
00410173 EB 01 JMP short 00410176
00410175 90 NOP
00410176 301C39 XOR BYTE PTR DS: [ECX EDI], BL; code starts from 4124bb to decompress the size of 0B8C, is up to decompress 00410179 FECB DEC BL
0041017B ^ E2 f9 loopd short 00410176
......
00410180 68 CB000000 PUSH 0CB
00410185 59 POP ECX; MOV ECX, 0CB
00410186 8DBD 404E4000 LEA EDI, DWORD PTR SS: [EBP 404E40]; Started Address 41192F EDI
......
0041019D C00C39 02 ROR BYTE PTR DS: [ECX EDI], 2; 41192F 0CB = 4124bb (end address above) ROR 2
004101A1 ^ E2 fa loopd short 0041019d; here again to decompress the size of 0cb from 4124bb again
......
004101A1 ^ / E2 fa Loopd Short 0041019d; code from 4124bb is then decompressed again from 4124bb
004101A3 E8 02000000 CALL 004101AA; part of the code only unscrupulous
004101A8 90 NOP
004101A9 90 NOP
004101AA 5A POP EDX; MOV EDX, 401A8
004101AB 8D85 FD685600 LEA EAX, DWORD PTR SS: [EBP 5668FD]; [EBP 5668FD] = D5B0 5668FD = 573EAD Address into EAX
004101B1 BB 54130B00 MOV EBX, 0B1354
004101B6 D1E3 SHL EBX, 1
004101B8 2BC3 SUB EAX, EBX
004101BA FFE0 JMP EAX; pespin.00411805
......
00411820 66: 813f 4D5A CMP Word PTR DS: [EDI], 5A4D; Rooping Kernel 32.dll here (77E410000)
00411825 75 11 JNZ Short 00411838; If you find it, you don't jump.
00411827 0fb757 3c Movzx EDX, Word PTR DS: [EDI 3C]
0041182B 66: F7C2 00F8 TEST DX, 0F800; Compare Kerbase 3c is not 0F800
00411830 75 06 JNZ Short 00411838; If not jumping, there is no jump 00411832 3B7C3A 34 CMP EDI, DWORD PTR DS: [EDX EDI 34]
00411836 74 08 Je Short 00411840; here again judge the IMGBase pair of kernel32.dll
00411838 81ef 00000100 SUB EDI, 10000; Unicode "AlluSprofile = D: / Documents and Settings / All Users"
0041183e ^ EB E0 JMP short 00411820
00411840 97 Xchg Eax, EDI;
00411857 50 push eax; push kernel base
00424000 XCHG DWORD PTR SS: [EBP 4042F4], EAX; Save Kernel Base to [EBP 4042F4] = 4118A4.
0041185E 016C24 04 Add DWORD PTR SS: [ESP 4], EBP
00411862 8D85 FB9883EB LEA EAX, DWORD PTR SS: [EBP EB8398FB]
00411868 8D80 BDAABC14 LEA EAX, DWORD PTR DS: [EAX 14BCAABD]; 411968
0041186e EB 01 JMP Short 00411871
00411870 90 NOP
00411871 FFD0 Call EAX; here is Call 411968, where it is to obtain the output table of kernel32.dll by the method of obtaining the output table of kernel32.dll to find the output function you want.
Let's go in and see:
0041196E 8BF0 MOV ESI, EAX
00411970 0340 3C Add Eax, DWORD PTR DS: [EAX 3C]; E_LFANEW
00411973 8B40 78 MOV EAX, DWORD PTR DS: [EAX 78]; RVA Export Table
00411976 03c6 Add Eax, ESI; RVA = 6d040 in the output table
00411978 FF70 20 PUSH DWORD PTR DS: [EAX 20]; Location AddressOfName = 6df20
0041197B 5B POP EBX
0041197C 03DE Add EBX, ESI
0041197E FF70 18 PUSH DWORD PTR DS: [EAX 18]; NumberOfnames == 03AE00411981 8F85 46444000 POP DWORD PTR SS: [EBP 404446]; MOV [EBP 404446], 03AE (4119f6)
00411987 FF70 24 Push DWORD PTR DS: [Eax 24]; AddressOfNameOrdianls = 6edd8
0041198A 5A POP EDX; MOV EDX, AddressOfnameRinals
0041198B 03D6 Add EDX, ESI; converted into VA
0041198D FF70 1C PUSH DWORD PTR DS: [EAX 1C]; addressoffunctions = 6d068
00411990 59 POP ECX; MOV ECX, Addressoffunctions
0041191 03CE Add ECX, ESI
0041993 898D 3644000 MOV DWORD PTR SS: [EBP 404436], ECX; Save Addressoffunctions to [EBP 404436]
00411999 83ef 05 SUB EDI, 5
0041199C 83C7 05 Add EDI, 5
0041199F 833F 00 CMP DWORD PTR DS: [EDI], 0; Jump if you finish it
004119A2 74 71 JE SHORT 00411A15
004119A4 8A07 MOV Al, Byte PTR DS: [EDI]
004119A6 8885 1D444000 MOV BYTE PTR SS: [EBP 40441D], Al
004119ac FF77 01 Push DWORD PTR DS: [EDI 1]
......
004119C6 8B3B MOV EDI, DWORD PTR DS: [EBX]; AddressOfNames Save to EDI
004119C8 03FE Add Edi, ESI
......
00411A00 5B POP EBX
00411A01 0BC0 or EAX, EAX; Judging the result of the take-out is empty, if it is empty
00411A03 74 12 Je Short 00411A17
00411A05 EB 01 JMP Short 00411A08
00411A07 90 NOP
00411A08 8038 CC CMP BYTE PTR DS: [EAX], 0CC; Judgment We have no CC breakpoints in related APIs
00411A0B 75 03 JNZ Short 00411A1000411A0D 8028 00 SUB BYTE PTR DS: [EAX], 0; If you find that you are interrupted at the relevant API, give the API address to clear 0
00411A10 8947 01 MOV DWORD PTR DS: [EDI 1], EAX; if not start writing from 4118b4, the relevant API
00411A13 ^ EB 87 JMP Short 0041199C
00411A15 0BC0 or EAX, EAX
00411A17 EB 01 JMP Short 00411A1A; return to go back
00411A19 90 NOP
00411A1A C3 RETN
Here, I took this kind of API:
Kernel32.10librarya
Kernel32.exitprocess
Kernel32.GetProcaddress
Kernel32.VirtualProtect
Kernel32.closehandle
Kernel32.Virtualallocc
Kernel32.Virtualfree
Kernel32.createfilea
Kernel32.readfile
Kernel32.GettickCount
Kernel32.getModuleHandlea
Kernel32.createthread
Kernel32.sleep
Kernel32.GetcurrentProcessID
Kernel32.openprocess
Kernel32.TerminateProcess
Kernel32.GetFileSize
Kernel32.getmoduleFileNamea
......
00411f25 301f xor Byte PTR DS: [EDI], BL; code starts downward from 4102C4 to decompress the size of 421
00411f27 47 Inc EDI
00411f28 ^ E2 F1 Loopd Short 00411F1B
00411f2a 830424 05 Add DWORD PTR SS: [ESP], 5
00411f2e c3 Retn; decompress the decompressed address 4102C4
......
004102f7 53 push ebx; here are ready, EBX is completely
004102F8 50 Push EAX
......
00410301 B9 13000000 MOV ECX, 13
00410306 E8 00000000 Call 0041030B
0041030B 5F POP EDI
0041030C 83ef 0a Sub EDI, 0A
0041030f be 54194100 MOV ESI, 00411954
00410314 F3: A4 Rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [ESI]; Code 411954 Copy 13 to 410301 Start
.......
00410334 5B POP EBX; MOV EBX, 41033400410335 81C3 1e000000 Add EBX, 1E; EBX = 410334 1e
0041033B 8DB5 502A4000 LEA ESI, DWORD PTR SS: [EBP 402A50]; MOV ESI, 410000
00410341 68 FF000000 Push 0FF
00410346 56 PUSH ESI
00410347 6A 00 PUSH 0
00410349 53 Push EBX; Push 410351
0041034A FFA5 59434000 JMP DWORD PTR SS: [EBP 404359]; GetModuleFileNamea
Here is:
0012FF94 00410351 / Call to getModuleFileNamea
0012FF98 00000000 | HMODULE = NULL
0012FF9C 00410000 | Pathbuffer = pESPIN.00410000
0012ffa0 000000FF / bufsize = ff (255.)
4100,000 PATH, remove the full path and program name of the program, and stored in 4100,000.
00410358 81c3 22000000 Add EBX, 22; Compare the intention of the shell to call the API, use this method, the value after the operation is equal to the address to return
0041035E 6a 00 Push 0
00410360 68 80000000 PUSH 80
00410365 6A 03 PUSH 3
00410367 6A 00 PUSH 0
00410369 6A 01 PUSH 1
0041036B 68 00000080 Push 80000000
00410370 56 PUSH ESI
00410371 53 PUSH EBX
00410372 - FFA5 27434000 JMP DWORD PTR SS: [EBP 404327]; CREATEFILEA
I am here:
0012FF84 00410378 / Call to createfilea
0012FF88 00410000 | filename = "g: / ctools / plus /pespin1.0/pesspin.exe"
0012FF8C 80000000 | Access = generic_read
0012FF90 00000001 | ShareMode = file_share_read
0012FF94 00000000 | Psecurity = NULL
0012FF98 00000003 | MODE = Open_EXISTING
0012FF9C 00000080 | Attributes = Normal
0012FFA0 00000000 / HTemplateFile = NULL
00410378 E8 01000000 CALL 0041037E0041037D 90 NOP
0041037E 5A POP EDX
0041037F 81C2 1A000000 Add EDX, 1A; here again, but use this method to call the API
00410385 8985 2C4F4000 MOV DWORD PTR SS: [EBP 404F2C], EAX; into the value returned after CreateFilea into [EBP 4042C]
0041038B 93 XCHG EAX, EBX
0041038C 6A 00 Push 0
0041038E 53 PUSH EBX; handle of the Push file
0041038F 52 Push EDX; here is the address to return
00410390 - FFA5 54434000 JMP DWORD PTR SS: [EBP 404354]; GetFileSize
0012FF98 00410397 / Call to getFileSize
0012FF9C 00000038 | HFILE = 00000038 (Window)
0012ffa0 00000000 / pfilesizehigh = NULL
00410397 E8 01000000 CALL 0041039D
0041039C 90 NOP
0041039D 5A POP EDX
0041039E 81C2 23000000 Add EDX, 23; The address to return after the Call API, 4103BF
004103A4 8BD8 MOV EBX, EAX; file size into EBX
004103A6 53 Push EBX
004103A7 8F85 384F4000 POP DWORD PTR SS: [EBP 404F38]; also deposit file size B600 in [EBP 404F38]
004103AD 6A 04 Push 4
004103AF 68 00300000 Push 3000
004103B4 50 Push EAX
004103B5 6A 00 PUSH 0
004103B7 52 Push EDX
004103B8 FFA5 1D434000 JMP DWORD PTR SS: [EBP 40431D]; here start allocating a file size space
0012FF90 004103BF / Call to Virtualalococ
0012ff94 00000000 | Address = NULL
0012FF98 0000b600 | SIZE = B600 (46592.)
0012FF9C 00003000 | AllocationType = MEM_COMMIT | MEM_RESERVE
0012FFA0 00000004 / protect = page_readwrite The address returned by the application is: 003E0000.
004103BF 50 Push EAX
004103C0 8F85 D8424000 POP DWORD PTR SS: [EBP 4042D8]; [EBP 4042D8] Save the address after the application 003E0000
004103C6 8D8D 384F4000 Lea ECX, DWORD PTR SS: [EBP 404F38]; incoming the address of the file in ECX
004103CC E8 01000000 CALL 004103D2
004103d1 90 NOP
004103D2 5A POP EDX
004103D3 81C2 1C000000 Add EDX, 1C; the address to return after the Call API 4103ed
004103d9 6a 00 push 0; here start reading the file to read the document 000000 at the address of the application through ReadFile
004103db 51 Push ECX
004103DC 53 Push EBX
004103DD 50 Push EAX
004103DE FFB5 2C4F4000 Push DWORD PTR SS: [EBP 404F2C]
004103E4 52 Push EDX
004103E5 FFA5 2C434000 JMP DWORD PTR SS: [EBP 40432C]; ReadFile
004103ed E8 01000000 Call 004103F3
004103f2 90 NOP
004103F3 5A POP EDX
004103F4 81C2 16000000 Add EDX, 16
004103FA FFB5 2C4F4000 PUSH DWORD PTR SS: [EBP 404F2C]; Push file number
00410400 52 Push EDX; Push To return Address 410408
00410401 - FFA5 18434000 JMP DWORD PTR SS: [EBP 404318]; CLOSEHANDLE
00410407 90 NOP
00410408 FFB5 384F4000 PUSH DWORD PTR SS: [EBP 404F38]; File size into ECX
0041040E 59 POP ECX
0041040F 81E9 111B0000 SUB ECX, 1B11; Document size B600-1B11 = 9aef
00410415 8DBD D8424000 LEA EDI, DWORD PTR SS: [EBP 4042D8]
0041041B 8B3F MOV EDI, DWORD PTR DS: [EDI]; Application Address 3E0000 into EDI 0041041D 8D85 0B616038 LEA Eax, DWORD PTR SS: [EBP 3860610B]
00410423 0BC0 or EAX, EAX
00410425 75 19 JNZ Short 00410440; actual is also a JMP
00410447 2985 404F4000 SUB DWORD PTR SS: [EBP 404F40], EAX; Save Hash Value 58873D42 ?? [EBP 404F40] = 58873D42
0041044D E8 01000000 Call 00410453
00410452 90 NOP
00410453 5A POP EDX
00410454 81C2 1C000000 Add EDX, 1C
0041045A 68 00800000 Push 8000
0041045F 6A 00 Push 0
00410461 FFB5 D8424000 PUSH DWORD PTR SS: [EBP 4042D8]; Push 003e0000
00410467 52 Push EDX; Push Return Address 41046E
00410468 FFA5 22434000 JMP DWORD PTR SS: [EBP 404322]; Free Space Just Apply 000000
0041046E BB 380D581C MOV EBX, 1C580D38; before the removal file operation is just to get a HASH value ??
......
00410492 64: 8920 MOV DWORD PTR FS: [EAX], ESP; Interest, the exception here is the ESP value of Call EBP
00410495 C1EB 02 SHR EBX, 2; above is actually setting the SEH handle 4104ba
.......
004104BA 8B4424 04 MOV EAX, DWORD PTR SS: [ESP 4]; here, what happens, I don't know what it is ;-(
004104BE 8B4C24 0C MOV ECX, DWORD PTR SS: [ESP C]
004104C2 8B00 MOV EAX, DWORD PTR DS: [EAX]
004104C4 35 5B011238 XOR EAX, 3812015B
004104C9 3D 5E0112F8 CMP EAX, F812015E
004104ce 75 0f jnz short 004104df; not equal here
004104D0 8181 B8000000 B> Add DWORD PTR DS: [ECX B8], 18BF
004104DA EB 27 JMP short 00410503
004104dc EB 01 JMP Short 004104DF004104DE 90 NOP
004104DF 3D 460112F8 CMP Eax, F8120146; EAX == F81201CF
004104E4 75 0C jnz short 004104f2
004104E6 8181 B8000000 7> Add DWORD PTR DS: [ECX B8], 172
004104F0 EB 11 JMP Short 00410503
004104F2 3D CF0112F8 CMP EAX, F81201CF
004104f7 75 0a jnz short 00410503
004104F9 8181 B8000000 9> Add DWORD PTR DS: [ECX B8], 1490
00410503 33c0 xor EAX, EAX
00410505 C3 RETN
Here you will return to 411931
......
00411942 803b CC CMP BYTE PTR DS: [EBX], 0CC; Judgment 4104A4 does not break down points
00411945 75 0B jnz short 00411952; if not jumping
00411947 81e4 fff0000 and ESP, 0FFFF
0041194D E8 1A000000 CALL 0041196C
00411952 ^ FFE3 JMP EBX; jump back to continue
......
00410549 90 NOP
0041054A 51 PUSH ECX; Push to decompress the section value, ECX == 4
0041054B 0FA3C3 BT EBX, EAX; if the EBX content is empty, the C flag is 0, otherwise CF = 1, we here EBX = 7
0041054E 73 24 JNB Short 00410574; if the segment does not need to decompress
00410550 52 Push EDX; beginning to extract data of each section
00410551 8b7a 0c MOV EDI, DWORD PTR DS: [EDX C]; First result:
00410554 03BD D2424000 Add EDI, DWORD PTR SS: [EBP 4042D2]; Incoming Address To Write Address 401000
0041055A 8B4A 10 MOV ECX, DWORD PTR DS: [EDX 10]; the code size == 5200 to be written is to decompress the size of the .TEXT segment
0041055D 8B95 404F4000 MOV EDX, DWORD PTR SS: [EBP 404F40] Here, take out the value of the above Hash, incompart from 00410563 D1EA SHR EDX, 1
00410565 72 06 JB Short 0041056D
00410567 81f2 32af43ed xor EDX, ED43AF32
0041056D 3017 xor byte PTR DS: [EDI], DL
0041056F 47 Inc EDI
00410570 49 DEC ECX
00410571 ^ E2 f0 Loopd Short 00410563; here looping
00410573 5A POP EDX; If you decompress the previous section, you will point to the next section.
00410574 40 Inc EAX
00410575 83C2 28 Add EDX, 28
00410578 59 POP ECX
00410579 EB 01 JMP Short 0041057C
0041057B 40 Inc EAX
0041057c ^ E2 cc loopd short 0041054a; cycle back
0041057E 838D 3A4E4000 0> OR DWORD PTR SS: [EBP 404E3A], 0
00410585 74 0d Je Short 00410594
00410587 8D85 DA4B4000 LEA EAX, DWORD PTR SS: [EBP 404BDA]
0041058D 2D D1030000 SUB EAX, 3D1
00410592 FFD0 Call EAX
00410594 68 19010000 Push 119
00410599 59 POP ECX
0041059A 8DBD BC4A4000 LEA EDI, DWORD PTR SS: [EBP 404ABC]; code to decompress the size of 119 from 41206c
004105A0 BA E9909E01 MOV EDX, 19E90E9
004105A5 D1EA SHR EDX, 1
004105A7 73 06 JNB SHORT 004105AF
004105A9 81F2 32AF43ED XOR EDX, ED43AF32
004105AF 3017 xor byte PTR DS: [EDI], DL
004105B1 47 Inc EDI; PESPIN.00412070
004105B2 ^ E2 F1 Loopd Short 004105A5; Jump back to unzip if not decompressed
004105B4 8D85 5C888D65 LEA EAX, DWORD PTR SS: [EBP 658D885C]
......
004105BF D1E3 SHL EBX, 1004105C1 2BC3 SUB EAX, EBX
004105c3 50 push EAX; jump to the decompressed place 41206C
004105C4 C3 RETN
......
0041206C / EB 01 JMP Short 0041206F; decompression of a section of operation
0041206E | 90 NOP
0041206F / 8DBD 15304000 LEA EDI, DWORD PTR SS: [EBP 403015]; also decompress the code, start the decompression address 4105C5
00412075 B9 20010000 MOV ECX, 120; decompressed code size is 120
......
004120A4 / EB 01 JMP Short 004120A7
004120A6 | 90 NOP
004120A7 / 0ac0 or Al, Al
004120a9 aa stos byte PTR ES: [EDI]
004120AA ^ E2 D7 loopd short 00412083; feels like Yoda's Cryptor
After the decompression is completed, enter the third exception.
.......
00412132 64: 8923 MOV DWORD PTR FS: [EBX], ESP
00412135 FB STI; to the third exception
......
004120AA ^ / E2 D7 loopd short 00412083; feels like Yoda's Cryptor
004120ac 55 Push EBP
004120AD 9C Pushfd
004120AE E8 77000000 Call 0041212A
004120B3 90 NOP
004120B4 8B5424 08 MOV EDX, DWORD PTR SS: [ESP 8]; directly here to go
004120B4 8B5424 08 MOV EDX, DWORD PTR SS: [ESP 8]; directly here to go
004120B8 8B4424 0C MOV EAX, DWORD PTR SS: [ESP C]
004120BC 8142 04 3500000> Add DWORD PTR DS: [EDX 4], 35; Note that the author's exception uses this trick, at the value of the target address
004120C3 81CA 29242123 OR EDX, 23212429
004120C9 2BC9 SUB ECX, ECX
004120CB 2148 04 and DWORD PTR DS: [EAX 4], ECX; Clear breakpoint
004120 CE 2148 08 and DWORD PTR DS: [EAX 8], ECX004120D1 2148 0C and DWORD PTR DS: [EAX C], ECX
004120D4 2148 10 and DWORD PTR DS: [EAX 10], ECX
004120D7 8160 14 F00FFF> And DWORD PTR DS: [EAX 14], FFFF0FF0
004120DE C740 18 5501000> MOV DWORD PTR DS: [EAX 18], 155
004120E5 33c0 XOR EAX, EAX
004120E7 C3 RETN
......
004120E9 8B5424 08 MOV EDX, DWORD PTR SS: [ESP 8]
004120ED 8142 04 1B00000> Add DWORD PTR DS: [EDX 4], 1B; here is an unusual, it seems that the author can't wait, haha
004120F4 EB 01 JMP Short 004120F7
......
00412142 8DBD 35314000 Lea EDI, DWORD PTR SS: [EBP 403135]; EDI = 4106E5
00412148 B9 240C0000 MOV ECX, 0C24; Also prepare to decompress the code from 4106E5, size is 0c24
......
0041217C aa stos byte PTR ES: [EDI]
0041217D ^ E2 D7 loopd short 00412156; Jump back if you don't decompress it
......
004105E1 68 07000000 Push 7
004105E6 5B POP EBX; MOV EBX, 7
......
004105E7 25 25382C37 and Eax, 372c3825
Also come back to decrypt one floor
00411D55 64: 8923 MOV DWORD PTR FS: [EBX], ESP
00411d58 83e0 00 and Eax, 0
00411d5b 64: 3343 30 xor Eax, DWORD PTR FS: [EBX 30]; Halo, the author is connected to several abnormalities
After a bunch of garbage to the seventh abnormal place
......
004104ce / 75 0f jnz short 004104df; not equal here
004104D0 | 8181 B8000000 B> Add DWORD PTR DS: [ECX B8], 18BF; change again here
Remember the reimbursement address, then cut off at that address:
00411f81 2BC0 SUB EAX, EAX
00411f83 90 NOP
00411f84 90 NOP
00411f85 90 NOP
00411f86 90 NOP
00411f87 90 NOP
00411f88 90 NOP00411F89 90 NOP
00411f8a 90 NOP
00411f8b 90 NOP
00411f8c 64: 8f00 Pop DWORD PTR FS: [EAX]
00411F8F 58 POP EAX
00411f90 5D POP EBP
00411f91 8D85 35314000 Lea Eax, DWORD PTR SS: [EBP 403135]; MOV Eax, 4106E5
00411f97 68 240C0000 PUSH 0C24
00411f9c 59 POP ECX; MOV ECX, 0C24
00411f9d 68 9952b30e push 0eb35299
00411fa2 5a POP EDX
00411fa3 D1EA SHR EDX, 1
00411fa5 73 06 JNB Short 00411FAD
00411fa7 81f2 32af43ed xor EDX, ED43AF32; decompression code size from 4106E5 is 0c24
00411fad 3010 xor byte PTR DS: [EAX], DL; here is also unziping a layer of code, TNND pressure is really
00411FAF 40 Inc EAX
00411fb0 ^ E2 F1 Loopd Short 00411FA3
00411fb2 2D 240C0000 SUB EAX, 0C24
00411fb7 ffe0 jmp eax; After the decompression, jump back and go back to execute the decompressed code
Now I can summarize it, press Ctrl S after the seventh abnormality
Sub eax, 0c24
JMP EAX
It is time to break.
......
Slowly, pay attention, pay attention, don't remove the garbage code after the JMP EAX, will not be abnormal.
004122D6 B9 522D0000 MOV ECX, 2D52; SIZE 2D52 for VirutAlloco
004122db 8bd1 MOV EDX, ECX
004122DD EB 07 JMP Short 004122E6
004122FA 96 XCHG EAX, ESI; allocated space is 3e0000, allocating the named address into ESI
004122fb 5a pop EDX; 2D52 to be allocated into EDX
004122FC BF F0D30000 MOV EDI, 0D3F0
00412301 81C7 00004000 Add EDI, 00400000
00412307 56 Push ESI; Push 3e0000
00412308 57 Push EDI; PUSH 40D3F000412309 E8 83E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CALL 00410A91; Decompression code to the space allocated, this is the real depack, the decompression code of APLIB V0.36.
0041230E 91 XCHG EAX, ECX; incoming the size of the decompressed in ECX, used for the following copy code
0041230F F3: A4 Rep Movs Byte PTR ES: [EDI], BYTE PTR DS: [>
00412311 5F POP EDI; During operation, restore EDI and ESI value
00412312 5E POP ESI
00412313 EB 01 JMP short 00412316
00412315 90 NOP
00412316 68 00400000 PUSH 4000
0041231B 52 Push EDX
0041231C 56 PUSH ESI
0041231D FF95 22434000 Call DWORD PTR SS: [EBP 404322] After the decompression code is completed, release the spatial applied again
00412323 EB 01 JMP short 00412326
00412325 90 NOP
00412335 8338 00 CMP DWORD PTR DS: [EAX], 0; Judgment 412370 There is no thing, no jump
00412338 0F84 95000000 JE 004123D3
0041233E B9 C09D0000 MOV ECX, 9DC0; Push Size 9DC0
00412343 6A 04 PUSH 4
00412345 68 00300000 PUSH 3000
0041234A 51 PUSH ECX
0041234B 6A 00 Push 0; ready to apply for a rest again
0041234D FF95 1D434000 Call DWORD PTR SS: [EBP 40431D]; Virtualalloc
0012FF8C 00412353 / Call to Virtualaloc from pespin.0041234d
0012ff90 00000000 | Address = NULL
0012FF94 00009DC0 | SIZE = 9DC0 (40384.)
0012FF98 00003000 | AllocationType = MEM_COMMIT | MEM_RESERVE
0012FF9C 00000004 / protect = Page_Readwrite
......
0041238A 03BD D2424000 Add EDI, DWORD PTR SS: [EBP 4042D2]; Dinner, take off the vest :-) 00412390 be 00009000 MOV ESI, 900000
00412395 56 PUSH ESI
00412396 57 Push EDI
00412397 E8 F5 F5E6FFFFFFFFFFFF CALL 00410A91; APLIB decompression code is also performed here.
004123B6 8B8D 8F4D4000 MOV ECX, DWORD PTR SS: [EBP 404D8F]; Decompression, release the space just now 900000
004123BC 8B85 E14D4000 MOV EAX, DWORD PTR SS: [EBP 404DE1]
004123C2 0BC0 or EAX, EAX
004123C4 74 0D Je Short 004123D3
004123C6 68 00400000 PUSH 4000
004123CB 51 Push ECX; Push Size
004123CC 56 Push ESI; Push Address
004123CD FF95 22434000 Call DWORD PTR SS: [EBP 404322]; Kernel32.VirtualFree
......
0012FF90 004123D3 / Call to VirtualFree from pespin.004123cd
0012FF94 00900000 | Address = 00900000
0012FF98 00009DC0 | SIZE = 9DC0 (40384.)
0012FF9C 00004000 / freetype = MEM_DECOMMIT
......
0012FF88 00411C71 / CALL TO VirtualProtect from pespin.00411c6e
0012FF8C 004001C8 | Address = pESPIN.004001C8
0012FF90 0000025C | SIZE = 25c (604.)
0012FF94 00000040 | NewProtect = Page_execute_readwrite
0012FF98 004124D8 / POLDPROTECT = pESPIN.004124D8
Change the segment to the attribute that can be read or written by VirtualProtect.
00411C9D C643 02 C3 MOV BYTE PTR DS: [EBX 2], 0C3
00411CA1 53 Push EBX
Be careful to get to the last anomaly:
0012ff94 0012ffe0 Pointer to Next SEH Record
0012FF98 00411CD6 SE HANDLER
Disconnected at 411cd6:
00411 CD6 2BDB SUB EBX, EBX
00411 CD8 8B6424 08 MOV ESP, DWORD PTR SS: [ESP 8]
00411 CDC 64: 8F03 Pop DWORD PTR FS: [EBX] ......
00411D0F B9 2E000000 MOV ECX, 2E
00411d14 FF1401 Call DWORD PTR DS: [ECX EAX]; here I don't know what effect with gettickcount
00411D23 59 POP ECX; MOV ECX, 87
00411D24 66:35 4C50 XOR AX, 504C
00411D28 66:05 8911 Add Ax, 1189
00411d2c aa stos byte PTR ES: [EDI]; to here, to decompress the code
......
00410D3A 8000 81 Add byte PTR DS: [EAX], 81
00410D3D E9 0F000000 JMP 00410D51; If you choose to detect the tester, you will jump into an int3.
00410D42 C9 Leave
00410D43 E8 76000000 Call 00410DBE
00410D48 0BC0 or Eax, Eax; PESPIN is not detected in OD now, don't know why
00410D4A ^ 74 Ed Je Short 00410d39; just used two INT3 to detect SICE
00410D4C - E9 7217FF35 JMP 364024C3
00410D51 EB 01 JMP Short 00410D54; extent or not to detect the debugger will be here.
00410D53 90 NOP
......
00410D54 68 B95734E1 PUSH E13457B9; Here you still have to cheer us
00410d59 EB 01 JMP Short 00410D5C
00410D5B 90 NOP
00410D5C 59 POP ECX; here MOV ECX, E1345789
00410D5D 90 NOP
......
00410D6E 81E9 B95734E1 SUB ECX, E13457B9; here is reduced, it is not white.
00410D74 0BC9 or ECX, ECX
00410D76 EB 01 JMP Short 00410D79
......
00410D79 9C Pushfd
00410D7A C12C24 06 SHR DWORD PTR SS: [ESP], 6
00410d7e 832424 01 and dword PTR SS: [ESP], 1
00410D82 50 Push EAX
00410D83 52 Push EDX00410D84 B8 066F7579 MOV EAX, 79756F06
00410D89 05 51918A86 Add Eax, 868a9151
00410d8e F76424 08 MUL DWORD PTR SS: [ESP 8]; also garbage code
00410D92 8D8428 F9374000 Lea Eax, DWORD PTR DS: [EAX EBP 4037F9]
00410d99 894424 08 MOV DWORD PTR SS: [ESP 8], EAX
00410D9D 5A POP EDX
00410d9E 58 POP EAX
00410D9F 8D6424 04 Lea ESP, DWORD PTR SS: [ESP 4]; I will not understand this, don't you use JMP [ESP] directly? Up to another Add ESP, 4
00410DA3 FF6424 FC JMP DWORD PTR SS: [ESP-4]; Is this not a waste of code?
......
00410E09. F685 3e4e4000 0> Test Byte PTR SS: [EBP 404E3E], 1
00410E10. 74 40 Je Short 00410E52
00410E12. BB 3C080000 MOV EBX, 83C
00410e17. 0bdb or ebx, ebx; if it is a VB program, the shell is MOV EBX, 0
00410E19. 74 37 Je Short 00410E52; here is JMP, because the above assignment, so it is impossible to jump here.
00410E1B. 2BC0 SUB EAX, EAX; EAX Clear 0
00410E1D. 2185 E0424000 and DWORD PTR SS: [EBP 4042E0], EAX
00410E23. E8 01000000 Call 00410E29
00410E28. 90 NOP
00410E29 $ 59 POP ECX; MOV ECX, 410E28
00410E2A. 6A 40 PUSH 40
00410E2C. 68 00300000 Push 3000
00410E31. 53 Push Ebx; Push Size 83C
00410E32. 50 push eax
00410E33. 8D6424 FC LEA ESP, DWORD PTR SS: [ESP-4]
00410E37. 81C1 23000000 Add ECX, 23
00410E3D. 890C24 MOV DWORD PTR SS: [ESP], ECX; PUSH ECX, that is, Push to return address 00410E40. - FFA5 1D434000 JMP DWORD PTR SS: [EBP 40431D]; VirtualAlalloc Apply for a memory space
0012FF90 00410E4B / Call to Virtualalococ
0012ff94 00000000 | Address = NULL
0012FF98 0000083C | SIZE = 83c (2108.)
0012FF9C 00003000 | AllocationType = MEM_COMMIT | MEM_RESERVE
0012ffa0 00000040 / protect = Page_execute_readwrite
......
00410E4B 50 Push Eax; Apply Space 900000 Factory
00410E4C 8F85 D8424000 POP DWORD PTR SS: [EBP 4042D8]; MOV [EBP 4042D8], 900000
00410E52 90 NOP; MOV 410E19, 900000
......
00410E66. E8 01000000 CALL 00410E6C
00410E6B. 90 NOP
00410E6C $ 83C4 04 Add ESP, 4
00410E6F. 8BB5 393B4000 MOV ESI, DWORD PTR SS: [EBP 403B39]; Enter a table RVA start address
00410E75. 03B5 D2424000 Add ESI, DWORD PTR SS: [EBP 4042D2]; Convert to VA == 40A160
00410E7B. 90 NOP
......
00410E8C. 3BB5 D2424000 CMP ESI, DWORD PTR SS: [EBP 4042D2]; Judgment the start address of the input table and whether imagebase is equal
00410E92. 90 NOP
00410E93. 90 NOP
00410E94. 90 NOP
00410E9E. 75 0f jnz short 00410EAF; jump if it is not equal
00410EA0. 90 NOP
00410EAF> 817E 10 C8FB000> CMP DWORD PTR DS: [ESI 10], 0FBC8; Compare Thunkrva (A028) is 0FBC8
00410EB6. | 9C Pushfd
00410EB7. | EB 01 JMP SHORT 00410EBA
00410EB9 | 90 NOP
00410EBA> | C12C24 06 SHR DWORD PTR SS: [ESP], 6
00410EBE. | 832424 01 and DWORD PTR SS: [ESP], 100410EC2. | 50 Push Eax; Protect EAX
00410EC3. | 52 Push EDX
00410EC4. | B8 9C7791BE MOV EAX, Be91779c
00410EC9. | 05 798A6E41 Add Eax, 416E8A79
00420ece. | F76424 08 MUL DWORD PTR SS: [ESP 8]
00410ed2. | 8D8428 38394000 Lea EAX, DWORD PTR DS: [EAX EBP 403938]
00410ed9. | 894424 08 MOV DWORD PTR SS: [ESP 8], EAX; place to jump 410ee 8
00410edd. | 5A POP EDX
00410ede. | 58 POP EAX; Restore site
00410edf 8D6424 04 Lea ESP, DWORD PTR SS: [ESP 4]; let's make our CPU to add :-)
00410EE3. FF6424 FC JMP DWORD PTR SS: [ESP-4]; JMP 410EE8
00410ee7 90 NOP
00410EE8. 8b5e 0c MOV EBX, DWORD PTR DS: [ESI C]; Name == A4C4 positioning input table
00410EEB. 039D D2424000 Add EBX, DWORD PTR SS: [EBP 4042D2]; Convert to VA == 40A4C4
00410ef1. 8BFB MOV EDI, EBX; put NAME into EDI
00410ef3. E8 6B0F0000 Call 00411E63; Remove Name, we can go in and see
00411E63 / $ 57 Push EDI; Protecting EDI (Name of Name)
00411E64 |> 800f 00 / or byte PTR DS: [EDI], 0; if you have finished NAME, return
00411E67 |. 74 16 | Je Short 00411E7F
00411E69 |. 90 | NOP
00411E6A |. 90 | NOP
00411E6B |. 90 | NOP
00411E6C |. 90 | NOP
00411E6D |. 90 | NOP
00411E6E |. 90 | NOP
00411E6F |. 90 | NOP
00411E70 |. 90 | NOP
00411E71 |. 90 | NOP00411E72 |. 90 | NOP
00411E73 |. 90 | NOP
00411E74 |. 90 | NOP
00411E75 |. 90 | NOP
00411E76 |. 90 | NOP
00411E77 |. 90 | NOP
00411E78 |. 90 | NOP
00411E79 |. 90 | NOP
00411E7A |. F617 | Not byte PTR DS: [EDI]; Namae is to restore Name by reflusion
00411E7C |. 47 | Inc EDI
00411E7D |. ^ EB E5 / JMP Short 00411E64
00411E7F |> 5F POP EDI; Restore Scene
00411E80 /. C3 RETN
00410EF8 E8 01000000 Call 00410EFE
00410EFD 90 NOP
00410EFE 58 POP Eax; MOV Eax, 410efd
00410EFF 53 Push Ebx; Push Name
00410f00 50 Push EAX
00410f01 FFB5 04434000 Push DWORD PTR SS: [EBP 404304]; PUSH LOADLIBRARYA
00410f07 814424 04 1400000> Add dword PTR SS: [ESP 4], 14; Push Return Address 410EFD 14 = 410F11
00410F0F C3 RETN
00410f10 90 NOP
00410f11 85c0 Test Eax, Eax; this is something that should be bug, why not first getModuleHandlea first
00410F13 0F84 31080000 JE 0041174A; place where it is wrong if loaded
00410f19 E8 01000000 Call 00410f1f
00410f1e 90 NOP
00410f1f 59 POP ECX; MOV ECX, EIP-1
00410f20 50 push eax; push hmodule
00410f21 51 Push ECX
00410f22 55 Push EBP
00410f23 810424 AE324000 Add DWORD PTR SS: [ESP], 004032AE; PUSH 41085E00410F2A 814424 04 2200000> Add DWORD PTR SS: [ESP 4], 22; Advanced 41085E and return to 410F40
00410f32 c3 Retn; return 41085E, after entering the output table information of the associated DLL
......
00410862 5A POP EDX; into the EDX
00410863 41 Inc ECX
00410864 51 Push ECX; Push 410f41 is returned to 410f41 after changing
00410865 57 Push EDI; Push Name
00410866 53 Push EBX
00410867 8995 31334000 MOV DWORD PTR SS: [EBP 403331], EDX; Save HModule to [EBP 403331] == 4108E1
0041086D 8BDA MOV EBX, EDX
0041086F 0352 3C Add EDX, DWORD PTR DS: [EDX 3C]; Positioning E_LFNEW (positioning PE header)
00410872 FF72 7C PUSH DWORD PTR DS: [EDX 7C]
00410875 8F85 29334000 POP DWORD PTR SS: [EBP 403329]; Size into [EBP 403329] (4108D9)
0041087B 8B52 78 MOV EDX, DWORD PTR DS: [EDX 78]; Positioning Output
0041087e 03d3 add edx, EBX; convert output tables into VA
00410880 52 Push EDX
00410881 8F85 25334000 POP DWORD PTR SS: [EBP 403325]; Output Table Start Address [EBP 403325] (4108D5]
00410887 90 NOP
00410887 90 NOP
00410888 90 NOP
00410889 90 NOP
0041088A 90 NOP
0041088B 90 NOP
0041088c 90 NOP
0041082D 90 NOP
0041088E 90 NOP
0041088F 90 NOP
00410890 FF72 20 Push DWORD PTR DS: [EDX 20]; AddressOfnames
00410893 5F POP EDI
00410894 03FB Add EDI, EBX; AddResOfNames Convert to VA
00410896 57 Push EDI
00410897 8F85 35334000 POP DWORD PTR SS: [EBP 403335]
0041089d FF72 18 Push DWORD PTR DS: [EDX 18]; NumberOfNames
004108A0 8F85 E8334000 POP DWORD PTR SS: [EBP 4033E8]
004108A6 EB 01 JMP Short 004108A9
004108A8 90 NOP
004108A9 FF72 1C PUSH DWORD PTR DS: [EDX 1C]; Addressoffunctions
004108AC 5F POP EDI
004108AD 03FB Add EDI, EBX; Addressoffunctions to VA
004108AF 57 Push EDI
004108B0 8F85 39334000 POP DWORD PTR SS: [EBP 403339]; AddressOffunctions into the list [EBP 403339]
004108B6 FF72 24 Push DWORD PTR DS: [EDX 24]; AddressOfnamesordinals
004108B9 5F POP EDI
004108BA 03FB Add EDI, EBX
004108BC 57 Push EDI
004108BD 8F85 2D334000 POP DWORD PTR SS: [EBP 40332D]; AddressOfNamesordInals of the output table [EBP 40332D] (004108DD)
004108C3 FF72 10 Push DWORD PTR DS: [EDX 10]; NBASE
004108C6 8F85 53334000 POP DWORD PTR SS: [EBP 4033353]; Output table Base into [EBP 403353] (00410903)
004108cc EB 01 JMP Short 004108CF; acquisition
The first time is a kernel32.dll function
Size 00006B39 of output table [EBP 403329] (4108D9)
Output table start address 77EAD040 into [EBP 403325] (4108D5]
Output table AddressOfnames 77EAD2F0 into [EBP 403335] (4108E5) Output table NumberOfNames 03AE into [EBP 4033E8] (00410998)
Addressoffunctions 77EAD068 for output table [EBP 403339] (004108E9)
AddressOfnamesordinals 77EAEDD8 into [EBP 40332D] (004108DD)
Output table Base 1 [EBP 403353] (00410903)
00410F41 2BD2 SUB EDX, EDX; Clear EDX, this way does not change the sign
......
00410F70 800B 00 or byte PTR DS: [EBX], 0; Take the function to clear the function after taking the DLL
00410f73 74 0d Je Short 00410f82; if you finish it, jump
00410F75 8813 MOV BYTE PTR DS: [EBX], DL
00410f77 C1C2 04 ROL EDX, 4
00410F7A 90 NOP
00410f7b 90 NOP
00410f7c 90 NOP
00410f7d 43 Inc EBX
00410f7e ^ ff6424 FC JMP DWORD PTR SS: [ESP-4]; here jump back until the function name has been cleared
......
00410F83 8B56 10 MOV EDX, DWORD PTR DS: [ESI 10]; THUNKRVA into EDX and turn into VA
00410F86 0395 D2424000 Add Edx, DWORD PTR SS: [EBP 4042D2]
00410f8c 830a 00 or DWORD PTR DS: [EDX], 0; Judging whether there is any operation-related API, run
00410f8f 0f84 32010000 JE 004110C7
00410F95 90 NOP
00410f96 90 NOP
......
00410fb6 0385 D2424000 Add Eax, DWORD PTR SS: [EBP 4042D2]; TunkValue Convert to VA
00410FBC 97 XCHG EAX, EDI; Thunkvlue into EDI,
00410FBD 68 7AF3D0F9 PUSH F9D0F37A
00410FC2 012C24 Add DWORD PTR SS: [ESP], EBP
00410FC5 810424 B4466F06 Add DWORD PTR SS: [ESP], 66F46B4
00410FCC 68 D476630F PUSH 0F6376D4
00410FD1 812C24 9643230F SUB DWORD PTR SS: [ESP], 0F234396
00410FD8 012C24 Add DWORD PTR SS: [ESP], EBP00410FDB C3 RETN; Jump to fill the API function, equivalent to our getProcAddress
There is no big change after entering and the previous version.
......
004108F8 0BFF or EDI, EDI; Judgment ThunkValue is empty, not jumping
004108fa 75 19 Jnz Short 00410915
......
00410921 8B9D 35334000 MOV EBX, DWORD PTR SS: [EBP 403335]; AddResOfNames incorporates EBX
00410927 8A47 FF MOV AL, BYTE PTR DS: [EDI-1]
......
00410959 8B3B MOV EDI, DWORD PTR DS: [EBX]; Location Search related DLL output table
0041095B 03BD 31334000 Add EDI, DWORD PTR SS: [EBP 403331]; Removing Output Table Convert to VA
.......
00410964/75 2C jnz short 00410992
00410966 | E8 B0100000 CALL 00411A1B
0041096B | 3D F7Debca1 CMP EAX, A1BCDEF7
00410970 | 75 20 jnz short 00410992
00410972 | 8B85 2D334000 MOV EAX, DWORD PTR SS: [EBP 40332D]; loop get the API to be in the program, find it here
00410978 | D1E1 SHL ECX, 1
0041097A | 03C1 Add Eax, ECX
0041097C | 0fb700 Movzx Eax, Word PTR DS: [EAX]
0041097F | C1E0 02 SHL EAX, 2
00410982 | 0385 39334000 Add Eax, DWORD PTR SS: [EBP 403339]
00410988 | 8B00 MOV EAX, DWORD PTR DS: [EAX]
0041098A | 0385 31334000 Add Eax, DWORD PTR SS: [EBP 403331]; Convert the API address to VA
00410990 | EB 10 JMP SHORT 004109A2
004109A2 8BBD 25334000 MOV EDI, DWORD PTR SS: [EBP 403325]
004109A8 3BC7 CMP EAX, EDI; EAX is the taken API
004109AA 76 35 Jbe Short 004109E1; here to jump, otherwise, the shell must "take care"
This is changed here:
004109AA / EB 35 JMP Short 004109E1
...... ..
004109E3 90 NOP004109E4 894424 1C MOV DWORD PTR SS: [ESP 1C], Eax; Here we know to change to MOV SS: [EDX], EAX is incoming correct API
So this is changed here:
004109E4 36: 8902 MOV DWORD PTR SS: [EDX], EAX
004109E7 90 NOP
004109E8 61 POPAD
004109E9 FF0424 Inc DWORD PTR SS: [ESP]; Add the address to be returned 1 (410FDF)
004109EC 0BC0 or EAX, EAX
......
00411085 90 NOP
00411086 E8 ECF6FFFF CALL 00410777
0041108B 0BE4 or ESP, ESP
0041108D 90 NOP
0041108E 90 NOP
0041108F 90 NOP
0041109C E8 51f9ffff Call 004109f2; here to change the API
004110A1 90 NOP
Follow up:
......
00410A0B 90 NOP
00410A0C BF 96844000 MOV EDI, 00408496; Incoming Address
00410A11 EB 01 JMP Short 00410A14
00410A13 90 NOP
00410A14 B9 86010000 MOV ECX, 186; Incoming Size
.......
00410A29 90 NOP
00410A2A 3917 CMP DWORD PTR DS: [EDI], EDX
00410A2C 74 0D JE SHORT 00410A3B
00410A2E 47 Inc EDI
00410A2F EB 01 JMP Short 00410A32
00410A31 90 NOP
00410A32 ^ E2 F6 Loopd Short 00410A2A
00410A34 EB 01 JMP Short 00410A37
00410A36 90 NOP
00410A37 8902 MOV DWORD PTR DS: [EDX], EAX; Here, I want to destroy the input table, and NOP.
00410A39 EB 4e JMP Short 00410A89
00410A3B 90 NOP
......
00410A5A 90 NOP
00410A5B 807F FF EA CMP BYTE PTR DS: [EDI-1], 0EA
00410A5F ^ 75 D6 Jnz Short 00410A37
00410A61 90 NOP; here to change to this, introduced into the FF2500410A62 90 NOP
00410A63 90 NOP
00410A64 90 NOP
00410A65 90 NOP; change FF25 to FFEA because the shell is formed
00410A66 90 NOP
00410A67 90 NOP
00410A68 90 NOP
00410A69 90 NOP
00410A6A FE4F FF DEC BYTE PTR DS: [EDI-1]; here start NOP
00410A6D 83C7 04 Add EDI, 4
00410A70 2BC7 SUB EAX, EDI
00410A72 8947 FC MOV DWORD PTR DS: [EDI-4], EAX
00410A75 EB 12 JMP Short 00410A89
After you have changed:
00410A5A 90 NOP
00410A5B 807F FF EA CMP BYTE PTR DS: [EDI-1], 0EA
00410A5F ^ 75 D6 Jnz Short 00410A37
00410A61 66: C747 Fe Ff25 MOV WORD PTR DS: [EDI-2], 25FF; here to change this, incoming FF25
00410A67 90 NOP
00410A68 90 NOP
00410A69 90 NOP
00410A6A 90 NOP; here start NOP
00410A6B 90 NOP
00410A6C 90 NOP
00410A6D 90 NOP
00410A6E 90 NOP
00410A6F 90 NOP
00410A70 90 NOP
00410A71 90 NOP
00410A72 90 NOP
00410A73 90 NOP
00410A74 90 NOP
00410A75 EB 12 JMP Short 00410A89
......
00410A83 90 NOP
00410A84 8907 MOV DWORD PTR DS: [EDI], EAX; here is also destroyed input table, clear
00410A86 EB 01 JMP Short 00410A89
Ok, the input table is completed, enter the next link, and the code to which the sheath is restored.
......
0041114B 90 NOP
0041114C 90 NOP0041114D F3: prefix rep:; Define tracking via RDTSC, this is the last anti-tracking
0041114e 0f31 RDTSC
0041150 50 Push EAX
00411151 F3: prefix rep:; Superfluous Prefix
00411152 0F31 RDTSC
00411154 EB 01 JMP short 00411157
00411156 90 NOP
......
00411191 8D6424 04 LEA ESP, DWORD PTR SS: [ESP 4]
00411195 FF6424 FC JMP DWORD PTR SS: [ESP-4]; If you don't find it, go to normal execution procedure
00411199 90 NOP
0041119A 2200 and Al, Byte Ptr DS: [EAX]
0041119C 0000 Add byte PTR DS: [EAX], Al
0041119E 85c0 Test Eax, EAX
004111a0 75 1f jnz short 004111C1
004111a2 74 34 Je Short 004111d8
004111A4 F8 CLC
004111a5 83c9 ff or ecx, ffffffffff; discovery, you will hang this
004111A8 F3: AB Rep Stos DWORD PTR ES: [EDI]
004111AA E8 1C000000 Call 004111CB
......
004111ce 90 NOP
004111cf 90 NOP
00411D0 B8 7B4D5F0E MOV EAX, 0E5F4D7B; if you don't find tracking, you jump here.
004111d5 90 NOP
......
004111fb / 74 45 Je Short 00411242
004111FD | BE F4244100 MOV ESI, 004124F4
00411202 | B9 5C020000 MOV ECX, 25C; Incoming Size is the size of the code smashed by the shell
00411207 | 51 PUSH ECX
00411208 | B0 3C MOV Al, 3C
0041120A | 304431 FF XOR BYTE PTR DS: [ECX ESI-1], Al; Refractive Case Summary, this is not the entrance of the program.
0041120e | 90 NOP
0041120F | 90 NOP
00411210 | 90 NOP
00411211 | 90 NOP00411212 | 90 NOP
00411213 | 90 NOP
00411214 | 90 NOP
00411215 | 90 NOP
00411216 | 90 NOP
00411217 | 90 NOP
00411218 | 90 NOP
00411219 | 90 NOP
0041121A | 004c31 ff add byte PTR DS: [ECX ESI-1], CL
0041121E ^ | E2 Ea Loopd Short 0041120A
......
00411231 90 NOP
00411232 BF C8014000 MOV EDI, 004001C8; Handling the code for the shell, 俺 is the hands and feet where it is, how to change me, so as not to sell it (see how I have been taking off how to change it) .
00411237 90 NOP
00411238 90 NOP
00411239 90 NOP
0041123A 90 NOP
0041123B 90 NOP
0041123C 90 NOP
0041123D 90 NOP
0041123E 90 NOP
0041123F 90 NOP
00411240 F3: A4 rep MOVS BYTE PTR ES: [EDI], BYTE PTR DS: [>; put the code in the PE HEADER section, enough
......
00411279 61 POPAD; decompressed, executable code
0041127A ba 0f5c8cce MOV EDX, CE8C5C0F; finally landed ;-)
0041127f EB 01 JMP Short 00411282
00411281 90 NOP
00411282 81F2 753DE58A XOR EDX, 8AE53D75
Look at the things inside, haha, make good, so, let's write to fix the script.
......
Var Addr
Var Addrl
Var AddRT
Var AddRT1
Var Addr40
Var AddRT2
Start:
Mov addr, 4101c6 // written more messy, I hope you can understand :-)
LBL1: // Repair code
CMP Addr, 410430
Jae lbl2
Find addr, # e9 #
Mov Addr, $ Result
Mov AddRT, Addr
Mov AddRT1, Addr
Mov Addr40, Addr
Sub Addr40, 10000
Add Addr40, 5
Dec AddRT
Inc AddRT1
MOV AddRT1, [AddRT1]
Add ADDR40, AddRT1
Mov Addr1, AddR40Add AddRT, 5
Sub AddRT, Addrl
MOV AddRT2, Fffffffff
Sub AddRT2, AddRT
Inc Addr
MOV [Addr], AddRT2
JMP LBL1
LBL2: // Repair code 2
REPL 401000, # e8 ?? 81fffff #, # e8 ?? 810000 #, 8b24
REPL 401000, # e9 ?? 81ffff #, # e9 ?? 810000 #, 8b24
REPL 401000, # e8 ?? 82fffff #, # e8 ?? 820000 #, 8b24
REPL 401000, # e9 ?? 82fffff #, # e9 ?? 820000 #, 8b24
REPL 401000, # e8 ?? 83fff #, # e8 ?? 830000 #, 8b24
REPL 401000, # e9 ?? 83fffff #, # e9 ?? 830000 #, 8b24
RET
RET
Ok, now I am going to the last step, put all the JMP tables next address, which is like this.
00408495 90 NOP
00408496 $ - FF25 88A04000 JMP DWORD PTR DS: [<& kernel32.closeHandle>; kernel32.closehandle
0040849C $ - FF25 78A04000 JMP DWORD PTR DS: [<& kernel32.copyfilea>]; kernel32.copyfilea
Ok, now DUMP will use the Import Rec to fix the input table. As for Stolencode, you can find it, you can not use it, I will no longer make up! I have to make it easy. I will know how to change it.
OK, the shell is over, thank you, you can insist on reading the article!
BTW: After you take it off, I looked at Fly's ulapse, which was very deep. He is really a big burger! Try to learn from him.
Due to time, I have finished writing this article for a few days. Please refer to the insufficient article.
Greetz:
Fly, Jingulong, Yock, TDASM, David, Ahao, Vcasm, Ufo (Brother), ALAN (Sister), HEXPE, HEXER, All of My Friends and you!
Welcome TO:
---- ==== China Decrytpion fans cracking group ==== ----
http://www.chinadfcg.com
---- ==== Free cracking group ==== ------
Http://www.fcgchina.com
---- ==== Unpacking Sage (China Unpacking Group) ==== ----
By LoveBoom [DFCG] [FCG]
Email: bmd2chen # Tom.com
