Alex-protect
Comprehensive analysis
[Observation]: Alex-Protect v1.0 beta2
[Tu]:
[Renuction]:
[Operation Platform]:
[Author]: loveboom [dfcg] [fcg] [US]
[Related Links]: Look in the snow, find yourself
[Brief Description]: Fast to Christmas, give an article. This shell is not strong, but the flower directive to a lot.
[Detailed Procedure]:
OD setting: Open all exceptions. I wrote a spending instruction script first, convenient for me. Because the shell is separated from the inspection code, it can not be removed from the garbage code.
Loader starts our journey:
00438000> 60 pushad; protection site
00438001 E8 00000000 Call 00438006
00438006 5D POP EBP
00438007 81ed 06104000 SUB EBP, 00401006; Take Base = 37000
...; there is a bunch of garbage here, I clear the first.
00438103 / E9 B3000000 JMP 004381BB; Qingnan garbage is directly here
......
004381BB 8B85 C4244000 MOV EAX, DWORD PTR SS: [EBP 4024C4]; put the address of getProcAddress in Eax, used for the following comparison CC break
......
00438266 E8 46ffffff Call 004381B1; here is more than the related API, the first time we take a look
After entering:
004381B1 8038 CC CMP BYTE PTR DS: [EAX], 0CC; see it, here is the first part of the associated API is CC, which is to determine whether there is any discrimination
004381B4 74 01 Je Short 004381B7; If it is broken, jump, it is OVER.
004381B6 C3 RETN
004381B7 F0: 0FC7C8 LOCK CMPXCHG8B EAX
Ok, after knowing the situation, you don't have to follow the Call 4381B1.
00438310 8B85 C8244000 MOV EAX, DWORD PTR SS: [EBP 4024C8]; Compare GetModuleHandlea
00438367 E8 45Fefff Call 004381B1
......
00438411 8B85 CC244000 MOV EAX, DWORD PTR SS: [EBP 4024CC]; Decision LoadLibrarya has a break
00438417 E8 95fdfffffffff Call 004381B1;
00438512 8B85 BC244000 MOV EAX, DWORD PTR SS: [EBP 4024BC]; Analyzing MessageBoxA00438518 E8 94FCFFFF CALL 004381B1; ibid.
......
004385c2 E8 35060000 Call 00438BFC; follow-up
......
00438CA1 8D85 25244000 LEA EAX, DWORD PTR SS: [EBP 402425]
00438CA7 50 Push EAX
00438CA8 FF95 C8244000 Call DWORD PTR SS: [EBP 4024C8]; Get Kernel32's Handle
00438CAE 8BF8 MOV EDI, EAX; Getted Handle into EDI
00438CB0 8D9D 3D244000 LEA EBX, DWORD PTR SS: [EBP 40243D]; pass the address of VirtualAlloc to EBX
00438cb6 53 Push EBX
00438CB7 50 Push Eax; Push Handle
00438CB8 E8 B4030000 CALL 00439071
Follow up:
00439071 60 pushad
00439072 8B5C24 24 MOV EBX, DWORD PTR SS: [ESP 24]; Handle into EBX
0043911B 8B43 3C MOV EAX, DWORD PTR DS: [EBX 3C]; positioning PE header
004391C3 03C3 Add Eax, EBX
004391C5 8B48 7C MOV ECX, DWORD PTR DS: [EAX 7C]; SIZE EXPORT TABLE into ECX (6C7B)
004391C8 E3 2F JECXZ Short 004391F9
004391CA 8B68 78 MOV EBP, DWORD PTR DS: [EAX 78]; RVA EXPORT TABLE Export table relative virtual address (262C)
004391CD 03eb Add EBP, EBX
004391CF 8B4424 28 MOV EAX, DWORD PTR SS: [ESP 28]
004391D3 8B00 MOV EAX, DWORD PTR DS: [EAX]
004391D5 A9 0000FFFF TEST Eax, FFFF0000
004391DA 51 PUSH ECX
004391DB 74 21 Je Short 004391FE
004391DD 8B55 20 MOV EDX, DWORD PTR SS: [EBP 20]
004391E0 FC CLD004391E1 03D3 Add EDX, EBX
004391E3 33C0 XOR EAX, EAX
004391E5 8B4D 18 MOV ECX, DWORD PTR SS: [EBP 18]
004391E8 8BF3 MOV ESI, EBX
004391EA 8B7C24 2C MOV EDI, DWORD PTR SS: [ESP 2C]
004391EE 033482 Add ESI, DWORD PTR DS: [EDX EAX * 4]
004391f1 A6 CMPS BYTE PTR DS: [ESI], Byte PTR ES: [EDI]
004391f2 74 12 Je Short 00439206
004391F4 40 Inc EAX
004391F5 49 DEC ECX
004391f6 ^ 75 f0 jnz short 004391E8; find the address of Virtualalloc by traversal
004391F8 59 POP ECX
004391F9 E9 7F010000 JMP 0043937D
004391FE 2B45 10 SUB EAX, DWORD PTR SS: [EBP 10]
00439201 E9 B5000000 JMP 004392BB
......
004392B2 8B55 24 MOV EDX, DWORD PTR SS: [EBP 24]
004392B5 03D3 Add EDX, EBX
004392B7 0FB70442 MOVZX EAX, Word PTR DS: [EDX EAX * 2]
004392BB 3B45 14 CMP EAX, DWORD PTR SS: [EBP 14]
004392BE ^ 0F83 35ffffff jnb 004391f9
004392C4 8B55 1C MOV EDX, DWORD PTR SS: [EBP 1C]
004392C7 03D3 Add EDX, EBX
004392C9 031C82 Add EBX, DWORD PTR DS: [EDX EAX * 4]
004392CC 8BC3 MOV EAX, EBX; obtained address into EAX
004392ce 90 NOP
00439373 2BDD SUB EBX, EBP
00439375 3BD9 CMP EBX, ECX
00439377 ^ 0f82 7cfeffff jb 004391f9
0043937D 894424 1C MOV DWORD PTR SS: [ESP 1C], EAX; Removed Value [ESP C] (7C809A81)
00439381 61 POPAD
00439382 C2 0800 RETN 8 After we come out, we can know:
Call 00439071 is actually Call GetProcaddress.
......
00438D62 E8 4af4ffff Call 004381B1; boring, don't go to check
00438D67 8985 11244000 MOV DWORD PTR SS: [EBP 402411], EAX; Remove the actual address of VirtualAlloc to the variable [EBP 402411]
00438D6D 8D9D 4A244000 LEA EBX, DWORD PTR SS: [EBP 40244A]
00438d73 53 push ebx; / procnameorordinal = "virtualfree"
00438D74 57 Push EDI; | hmodule = 7c800000 (kernel32)
00438D75 E8 F7020000 Call 00439071; / GETPROCADDRESS
......
00438E1F E8 8DF3FFFF CALL 004381B1; It is also boring judgment
00438E24 8985 15244000 MOV DWORD PTR SS: [EBP 402415], EAX; Remove the VirtualFree address to the variable [EBP 402415]
00438E2A 8D9D 56244000 LEA EBX, DWORD PTR SS: [EBP 402456]
00438E30 53 Push Ebx; / procnameorordinal = "getstdhandle"
00438E31 57 Push EDI; | hmodule = 7c800000 (kernel32)
00438E32 E8 3A020000 Call 00439071; / GETPROCADDRESS
......
00438EDC E8 D0F2FFFF CALL 004381B1; Bored Judgment
00438EE1 8985 19244000 MOV DWORD PTR SS: [EBP 402419], EAX; Remove the address of GetStdHandle Add in Variable [EBP 402419]
00438EE7 8D9D 63244000 LEA EBX, DWORD PTR SS: [EBP 402463]
00438EED 53 Push Ebx; / procnameorordinal = "CreateThread"
00438EEE 57 push edi; | hmodule = 7c800000 (KERNEL32) 00438EEF E8 7D010000 Call 00439071; / GETPROCADDRESS
......
00438F99 E8 13f2ffff Call 004381B1; Bored judgment
00438F9E 8985 21244000 MOV DWORD PTR SS: [EBP 402421], EBP; Remove CreateThread's address into variable [EBP 402421]
00438FA4 8D85 32244000 Lea Eax, DWORD PTR SS: [EBP 402432]; Prepare to get the API you want to use in USER32.DLL
00438FAA 50 push eax; / filename = "user32.dll"
00438FAB FF95 CC244000 Call DWORD PTR SS: [EBP 4024CC]; / LoadLibrary
00438fb1 8bf8 MOV EDI, EAX; This author does not use GetModuleHandlea to determine if there is no load in order to "save" code.
00438fb3 8D9D 70244000 Lea EBX, DWORD PTR SS: [EBP 402470]
00438fb9 53 push ebx; / procnameorordinal = "findwindowa"
00438FBA 57 Push EDI; | hmodule = 77d10000 (user32)
00438fbb E8 B1000000 Call 00439071; / GETPROCADDRESS
......
00439065 E8 47f1fffffffffffffffffffFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CALL 004381B1; yet another boring judgment
0043906A 8985 1D244000 MOV DWORD PTR SS: [EBP 40241D], EAX; Remove the address of FindWindowa [EBP 40241D]
00439070 C3 RETN; return to such an API and return
......
004386BD 8D85 00104000 Lea Eax, DWORD PTR SS: [EBP 401000]; EP (438000) into EAX
004386C3 B9 85130000 MOV ECX, 1385; Here the code in front of CRC is 438000-439385 (438000 1385)
004386C8 E8 E7040000 CALL 00438BB4; here is CRC (35FAFA4B, different values) 004386CD 8DBD 31254000 Lea EDI, DWORD PTR SS: [EBP 402531]; [EBP 402531] = 439531
004386d3 EB 01 JMP Short 004386D6
......
004386F7 8BC3 MOV EAX, EBX
004386F9 8B8D B5234000 MOV ECX, DWORD PTR SS: [EBP 4023B5]; Prepare the size of the decompression (4B7)
004386FF 3007 XOR BYTE PTR DS: [EDI], Al; starts to decompress the next code from 439531
00438701 47 Inc EDI
00438702 49 DEC ECX
00438703 ^ 75 fa jnz short 004386ff; did not decompress continued
......
00438756 6A 04 Push 4; Decompression, prepare the allocation space
004388AE FF95 11244000 Call DWORD PTR SS: [EBP 402411]; Virtualalloc
004388B4 8985 BD234000 MOV DWORD PTR SS: [EBP 4023BD], EAX; Applicable Space Enter [EBP 4023BD] (3D0000)
......
0012FF84 004388B4 / Call to virtualaloc from alexprot.004388ae
0012FF88 00000000 | Address = NULL
0012FF8C 0000ef74 | SIZE = EF74 (61300.)
0012FF90 00001000 | AllocationType = MEM_COMMIT
......
0043895F 8BF8 MOV EDI, EAX; Request Address Add in EDI = 3D0000
00438961 57 Push EDI; Address
......
00438A07 8D85 31254000 Lea Eax, DWORD PTR SS: [EBP 402531]; EAX = 439531
00438A0D 50 Push Eax; Push 439531
......
00438AB4 E8 4FF6FFFF CALL 00438108; APLIB decompressed code
00438AB9 83C4 08 Add ESP, 8
......
00438BB2 - FFE7 JMP EDI; Decompression is completed and jumped to the code to decompressed ...
003D0015 E8 88130000 Call 003D13A2; here to go in
What to see first is to clear the breakpoint:
003D138B 8948 04 MOV DWORD PTR DS: [EAX 4], ECX; start cleaning breakpoint
003d138e 8948 08 MOV DWORD PTR DS: [EAX 8], ECX
003D1391 8948 0C MOV DWORD PTR DS: [EAX C], ECX
003D1394 8948 10 MOV DWORD PTR DS: [EAX 10], ECX
003D1397 C740 18 55010000 MOV DWORD PTR DS: [EAX 18], 155
003D139E 59 POP ECX
003d139f 33c0 xor Eax, EAX
003D13A1 C3 RETN
......
After returning, the analysis will find that Call 003D13A2 is clearing the breakpoint Call.
003D001A 6A 04 Push 4
003D00C1 68 00100000 Push 1000
003D00C6 8B85 A1234000 MOV EAX, DWORD PTR SS: [EBP 4023A1]; EAX = F0
003D0171 BB 4A000000 MOV EBX, 4A
003D0176 F7E3 MUL EBX
003D0178 50 Push EAX 'Size to apply for space
003d021e 6a 00 push 0
003D0220 FF95 11244000 Call DWORD PTR SS: [EBP 402411]; VirtualAlloc
003D0226 8985 A5234000 MOV DWORD PTR SS: [EBP 4023A5], EAX; Space Address 3E0000 [EBP 4023A5]
......
0012FF78 003D0226 / Call to virtualaloc from 003D0220
0012FF7C 00000000 | Address = NULL
0012FF80 00004560 | SIZE = 4560 (17760.)
0012FF84 00001000 | AllocationType = MEM_COMMIT
......
003D02D1 8DB5 C1234000 LEA ESI, DWORD PTR SS: [EBP 4023C1]; ESI = 4393C1
003D02D7 8B46 04 MOV EAX, DWORD PTR DS: [ESI 4]; EAX = 9be8 (Size of Text Section)
003D02DA 6A 04 PUSH 4
003D02DC 68 00100000 PUSH 1000003D02E1 50 PUSH EAX
003D0387 6A 00 PUSH 0
003D0389 FF95 11244000 Call DWORD PTR SS: [EBP 402411]; VirtualAlloc
003D038F 8985 9D234000 MOV DWORD PTR SS: [EBP 40239D], EAX; The third application to the space address 3F0000 is stored in [EBP 40239D]
......
0012FF78 003D038F / Call to virtualaloc from 003D0389
0012FF7C 00000000 | Address = NULL
0012FF80 00009Be8 | size = 9be8 (39912.)
0012FF84 00001000 | AllocationType = MEM_COMMIT
......
003D0395 56 PUSH ESI
003D0396 8B1E MOV EBX, DWORD PTR DS: [ESI]; Voffset 1000
003D0398 039D 99234000 Add EBX, DWORD PTR SS: [EBP 402399]; Transfer to VA (401000)
003D039E 50 Push Eax; Space for the application is included 003D0444 53 Push EBX; Push Text Section Address
003D0445 8D8D 08114000 LEA ECX, DWORD PTR SS: [EBP 401108]; ECX = 438108
003d044b ffd1 Call ECX; here is the APLIB decompression Text section
003D044D 83C4 08 Add ESP, 8
003D0450 8BC8 MOV ECX, EAX; TEXT segment 9be8 into ECX
003D0452 8B3E MOV EDI, DWORD PTR DS: [ESI]; TEXT segment RVA into EDI
......
003D04F9 03BD 99234000 Add EDI, DWORD PTR SS: [EBP 402399]; Convert to VA (401000)
003D04FF 8BB5 9D234000 MOV ESI, DWORD PTR SS: [EBP 40239D]; here is actually applying for a space to temporarily get the Text segment to the application space, after completing the actual address
003D0505 F3: A4 Rep Movs byte PTR ES: [EDI], BYTE PTR DS: [>
003D0507 5E POP ESI
003D0508 8B85 9D234000 MOV EAX, DWORD PTR SS: [EBP 40239D] 003D050E 68 00800000 Push 8000
003D0513 6A 00 PUSH 0
003D0515 50 Push EAX
003D0516 FF95 15244000 Call DWORD PTR SS: [EBP 402415] After the data of the TEXT segment is reduced, the temporary space (3F0000)
......
003D05C1 83C6 08 Add ESI, 8
003D05C4 833E 00 CMP DWORD PTR DS: [ESI], 0
003d05c7 ^ 0F85 0AFDFFF JNZ 003D02D7; judgment has no decompression complete segment, no, go back to continue to decompress
003D05CD E8 D00D0000 Call 003d13a2; Here, it is said to clear the breakpoint, so don't follow it.
003D05D2 6A 04 PUSH 4
003D05D4 68 00100000 Push 1000
003D05D9 8B85 91234000 MOV EAX, DWORD PTR SS: [EBP 402391]; EAX = C5E
003D05DF 6BC0 02 Imul Eax, Eax, 2
003D0687 50 Push Eax; Push application space size
003D0688 6A 00 PUSH 0
003D068A FF95 11244000 Call DWORD PTR SS: [EBP 402411]; Virtualalloc
......
0012FF74 003D0690 / CALL TO VIRTUALLOC from 003D068A
0012FF78 00000000 | Address = NULL
0012FF7C 000018BC | SIZE = 18bc (6332.)
0012FF80 00001000 | AllocationType = MEM_COMMIT
......
003D0690 8985 AD234000 MOV DWORD PTR SS: [EBP 4023AD], EAX; Application Space 3F0000 into [EBP 4023AD]
003D0696 6A 04 PUSH 4
003D0698 68 00100000 PUSH 1000
003D069D 8B85 8D234000 MOV EAX, DWORD PTR SS: [EBP 40238D]; EAX = 830 (Application Space Size)
......
003D0748 50 Push EAX
003D0749 6A 00 PUSH 0
003D074B FF95 11244000 Call DWORD PTR SS: [EBP 402411]; Virtualalloc
......
0012FF74 003D0751 / CALL TO VirtualLoc from 003D074B0012FF78 00000000 | Address = NULL
0012FF7C 00000830 | SIZE = 830 (2096.)
0012FF80 00001000 | AllocationType = MEM_COMMIT
......
003D0757 8D85 00104000 Lea Eax, DWORD PTR SS: [EBP 401000]; EP into EAX
003D075D B9 85130000 MOV ECX, 1385; decompression size
003D0762 8D95 B41B4000 LEA EDX, DWORD PTR SS: [EBP 401BB4]; Next paragraph to decompress the start address 438bb4
003d0768 ffd2 Call Edx; this Call is the value of CRC
......
003D080F 8DBD 31254000 Lea EDI, DWORD PTR SS: [EBP 402531]; Here started to decompress the next piece of code
003D0815 03BD B5234000 Add EDI, DWORD PTR SS: [EBP 4023B5]
003D081B 33D2 XOR EDX, EDX
003D081D B9 00010000 MOV ECX, 100
003D0822 F7F1 DIV ECX
003D0824 8BDA MOV EBX, EDX
003D0826 F7F1 DIV ECX
003D0828 03DA Add EBX, EDX
003D082A F7F1 DIV ECX
003D082C 03DA Add EBX, EDX
003D082E F7F1 DIV ECX
003D0830 03DA Add EBX, EDX
003D0832 59 POP ECX
003D0833 8BC3 MOV EAX, EBX
003D0835 8B8D B9234000 MOV ECX, DWORD PTR SS: [EBP 4023B9]
003D083B 3007 XOR BYTE PTR DS: [EDI], Al; this time you start decoding at 4399E8
003D083D 47 Inc EDI
003D083E 49 DEC ECX
003d083f ^ 75 fa jnz short 003d083b; did not decompress and step back
......
003D08E6 E8 B70A0000 Call 003d13a2; cleaning points
003D08EB 8B85 A9234000 MOV EAX, DWORD PTR SS: [EBP 4023A9]; Add the address space applied above 920000 into EAX003D08F1 8BF0 MOV ESI, ESI
003D08F3 50 Push EAX
003D08F4 8D9D 31254000 LEA EBX, DWORD PTR SS: [EBP 402531]
003D08FA 039D B5234000 Add EBX, DWORD PTR SS: [EBP 4023B5]; 004399E8
......
003D09A5 53 PUSH EBX
003D09A6 8D95 08114000 Lea EDX, DWORD PTR SS: [EBP 401108]
003D09AC FFD2 Call EDX; APLIB Decoding
003D09AE 83C4 08 Add ESP, 8
003D09B1 8BBD A9234000 MOV EDI, DWORD PTR SS: [EBP 4023A9]; Apply Space 920000 into EDI
003D09B7 803F C3 CMP BYTE PTR DS: [EDI], 0C3; Determine whether to start processing related DLL (that is, whether the API in the corresponding DLL)
003D09BA 0F85 CC000000 JNZ 003D0A8C; if not jump
003D09C0 83C7 02 Add EDI, 2
003D09C3 57 Push EDI; / PUSH "User32.dll"
003D09C4 FF95 C8244000 Call DWORD PTR SS: [EBP 4024C8]; / getModuleHandlea Judgment DLL is not loaded
003D09CA 85c0 Test Eax, EAX
003D09CC 0F85 AC000000 JNZ 003D0A7E; if it has been loaded, jump
......
003D0A77 57 Push EDI; USER32.DLL is loaded if not loaded
003D0A78 FF95 CC244000 Call DWORD PTR SS: [EBP 4024CC]; LoadLibrarya
003D0A7E 8985 7C244000 MOV DWORD PTR SS: [EBP 40247C], EAX; HMODULE (77D1000.User32.dll) into [EBP 40247C]
003D0A84 33DB XOR EBX, EBX
003D0A86 8A5F FF MOV BL, BYTE PTR DS: [EDI-1]
003D0A89 03FB Add EDI, EBX
003D0A8B 47 INC EDI003D0A8C 803F C4 CMP BYTE PTR DS: [EDI], 0C4; Processing Several Different Sources of Input Table ??
003D0A8F 0F84 98010000 JE 003D0C2D; the first time did not jump, the main program did not jump.
003D0A95 47 INC EDI
003D0A96 57 Push EDI; / Push "TranslateMessage"
003D0A97 FFB5 7C244000 PUSH DWORD PTR SS: [EBP 40247C]; | HMODULE = 77D10000 (user32)
003D0A9D FF95 C4244000 Call DWORD PTR SS: [EBP 4024C4]; / GETPROCADDRESS
......
003D0B4A 8A5F FF MOV BL, BYTE PTR DS: [EDI-1]; addresses
003D0B4D 03FB Add EDI, EBX
003D0B4F 47 Inc EDI
003D0B50 8A1F MOV BL, BYTE PTR DS: [EDI]
003D0B52 47 Inc EDI
003D0B53 E9 B5000000 JMP 003D0C0D
......
003d0c0d 80fb 00 CMP BL, 0; if the BL is more than 0
003D0C10 ^ 0F87 42ffffffff ja 003d0b58
......
003D0B58 50 Push Eax; Push API (77D18BCE)
003D0B59 8B0F MOV ECX, DWORD PTR DS: [EDI]; put the address to IAT to enter ECX
003D0B5B E8 62090000 Call 003D14C2; this time I guess it should fill the API, go in and see
003d14c2 60 pushad; after entering here
003D14C3 8BF0 MOV ESI, EAX; API Address into ESI
003D14C5 8B85 A5234000 MOV EAX, DWORD PTR SS: [EBP 4023A5]; EAX = 003E0000
......
003D1570 0385 B1234000 Add Eax, DWORD PTR SS: [EBP 4023B1]; [EBP 4023B1] (4393b1) The value of the preservation is stored, for example, the first is not written is 0, the second words are 4
003D1576 894424 1C MOV DWORD PTR SS: [ESP 1C], EAX; here is intended to put the API's part of the application space, the real IAT call application address 003D157A E8 000000 Call 003D157F
003D157F 5B POP EBX
003D1580 81C3 61020000 Add EBX, 261; 3D157F 261 = 3D17E0 temporarily preserved API address
003D1586 8933 MOV DWORD PTR DS: [EBX], ESI; API temporarily saved to 3D17E0
003D1588 8BF8 MOV EDI, EAX; EDI = 3e0000
......
003D162F 8BF3 MOV ESI, EBX; put the address stored in the API in ESI
003D1631 81EE 38000000 SUB ESI, 38
003D1637 B9 4A000000 MOV ECX, 4A
003D163C FC CLD
003D163D F3: A4 Rep Movs Byte PTR ES: [EDI], BYTE PTR DS: [ESI]; here to fill the authors of our own self-importance to the API code
003D163F 8B85 A5234000 MOV EAX, DWORD PTR SS: [EBP 4023A5]
003D1645 0385 B1234000 Add Eax, DWORD PTR SS: [EBP 4023B1]; EAX = 3e0000
......
003d16f0 8bd8 MOV EBX, EAX; put the address of 003E0000 on EBX
003D16F2 83C3 04 Add EBX, 4
003D179A 8918 MOV DWORD PTR DS: [EAX], EBX
003D179C 8185 B1234000 4A00> Add DWORD PTR SS: [EBP 4023B1], 4A; this is to specify the size of 4A
003D17A6 61 POPAD
003D17A7 C3 RETN; return to
......
003D0C05 8901 MOV DWORD PTR DS: [ECX], EAX; put the encrypted address in IAT, this value is generated by the shell calculation.
003D0C07 83C7 04 Add EDI, 4; Continue to point to the next API to be processed
003D0C0A FECB DEC BL
003D0C0C 58 POP EAX
003d0c0d 80fb 00 cmpl, 0; if BL is greater than 0, jump 003D0C10 ^ 0f87 42fffffffff ja 003d0b58
003D0C16 803F C3 CMP BYTE PTR DS: [EDI], 0C3; It will find that the shell is to determine if there is no current DLL through two C3.
003d0C19 ^ 0f84 A1FDFFFF JE 003D09C0; Judging whether the current DLL has been processed, the processing jumps to the next DLL API process
003D0C1F 833F 00 CMP DWORD PTR DS: [EDI], 0
003D0C22 0F84 DE000000 JE 003D0D06; Judging whether there is an API that has been processed at all, if the processing is finished
003D0C28 ^ E9 8afdffff jmp 003d09b7; untreated, go back to continue
Ok, deal with the entry table, here:
003D0D06 E8 97060000 Call 003D13A2; Handling IAT is here, clear breakpoints, do not follow up
003D0D0B 8D9D 31254000 LEA EBX, DWORD PTR SS: [EBP 402531]; EBX = 439531
......
003D0DB6 039D B5234000 Add EBX, DWORD PTR SS: [EBP 4023B5]
003D0DBC 039D B9234000 Add EBX, DWORD PTR SS: [EBP 4023B9]; 00439C6D
......
003D0E67 8B8D 95234000 MOV ECX, DWORD PTR SS: [EBP 402395]; ECX = a1e
......
003D0F12 8B85 AD234000 MOV EAX, DWORD PTR SS: [EBP 4023AD]; EAX = 3F0000
003D0F18 50 Push EAX
003d0f19 53 push ebx; unwrapping 439C6D start, size is a code section of A1E
003D0F1A 8D95 08114000 Lea EDX, DWORD PTR SS: [EBP 401108]
003d0f20 ffd2 Call EDX; APLIB decompression
003D0F22 90 NOP
......
003D0FC7 83C4 08 Add ESP, 8
003D0FCA 8B85 AD234000 MOV EAX, DWORD PTR SS: [EBP 4023AD]; EAX = 3F0000
003D0FD0 8B9D 91234000 MOV EBX, DWORD PTR SS: [EBP 402391]; EBX = C5E ...
003D107B 8BB5 85234000 MOV ESI, DWORD PTR SS: [EBP 402385]; ESI = 406b07 (this is the second instruction after the OEP, the first line code is pumped by the shell)
003D1081 03C3 add Eax, EBX; EAX = EAX EBX = 3F0000 C5E
003D1083 C600 E9 MOV BYTE PTR DS: [EAX], 0E9; 003F0C5E Write E9 remote jump
003D1086 40 Inc EAX
003D1087 8BCE MOV ECX, ESI; AlexProt.00406B07
......
003d112e 2bc8 Sub ECX, EAX; calculate the value of the code that jumps the second instruction after the OEP
003D1130 83E9 04 SUB ECX, 4
003D1133 8908 MOV DWORD PTR DS: [EAX], ECX; Calculating Value Of course, fill it down to the address
......
003D11DA 8B85 AD234000 MOV Eax, DWORD PTR SS: [EBP 4023AD]; Good to stand
003D11E0 894424 1C MOV DWORD PTR SS: [ESP 1C], EAX; here, then play, first jump to the application 3F0000, jump to the second instruction after OEP
003D11E4 61 POPAD
003d11e5 - ffe0 jmp eax; jump into the shell, then the shell jumps to the second instruction after OEP
You can find the first line of code at the shell code. Ok, analysis is over.
Input table processing
:
I have the following two addresses.
411000 start writing data address
410FD0 record address
003D0A61 / EB 11 JMP Short 003D0A74
003D0A63 | 90 NOP
003D0A64 | 8305 D00F4100 04 Add DWORD PTR DS: [410fd0], 4; 8 (first time you write an address) when processing different DLLs
003D0A6B | 8985 7C244000 MOV DWORD PTR SS: [EBP 40247C], EAX; Execute the original case
003D0A71 | C3 RETN
003D0A72 | 90 NOP
003D0A73 | 90 NOP
003D0A74 / 90 NOP
003D0A75 90 NOP003D0A76 90 NOP; ---------------------------
003D0A77 57 Push EDI; original case code
003D0A78 FF95 CC244000 Call DWORD PTR SS: [EBP 4024CC]; ---------------------------
003D0A7E E8 E1FFFFF CALL 003D0A64; This to modify the code above the Call
003D0A83 90 NOP
......
The second is to write into the table:
003D0BEC 58 POP EAX; out of the stack
003d0bed 53 Push EBX
003D0BEE 8B1D D00F4100 MOV EBX, DWORD PTR DS: [410FD0]; put the address to be written to the EBX
003D0BF4 8903 MOV DWORD PTR DS: [EBX], EAX; API Write to IAT
003d0BF6 8919 MOV DWORD PTR DS: [ECX], EBX; IAT address is written in program call
003D0BF8 8305 D00F4100 04 Add DWORD PTR DS: [410fd0], 4; call is incremented
003d0BFF 5B POP EBX; EBX outlet
003D0C00 90 NOP
003D0C01 90 NOP
003D0C02 90 NOP
003D0C03 90 NOP
003D0C04 90 NOP
003D0C05 90 NOP; remove the original code
003D0C06 90 NOP
003D0C07 83C7 04 Add EDI, 4
003D0C0A FECB DEC BL
003d0c0c 90 NOP; the front has been out of the stack, so no need to go out again
Attach two to flower instruction scripts:
PATLIST_ALEX = _ALEX_PUSH01, _ALEX_CALL01
[Code_alex_push01]
S = 60EB03EB03 ?? EBFBE801000000 ?? 83C4040F318BD8EB03EB03 ?? EBFBE801000000 ?? 83C4048BCAEB03EB03 ?? EBFBE801000000 ?? 83C4040F312BC3EB03EB03 ?? EBFBE801000000 ?? 83C4041BD10F3103C3EB03EB03 ?? EBFBE801000000 ?? 83C40413D10F312BC3EB03EB03 ?? EBFBE801000000 ?? 83C404EB05 ?????????? EB03EB03 ?? EBFBE801000000 ?? 83C4041BD1EB03EB03 ?? EBFBE801000000 ?? 83C40485D275D661R = 909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090
[Code_alex_call01]
S = E824000000EB01E98B44240CEB03EB03C7EBFBE801000000A883C4048380B8000000023C404EB03EB03C7EBFBE801000000A883C4045064FF350000000064892500000000EB01 ?? ffff
R = 909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090
After completing the whole text, I found this shell after following it ... :-)
Christmas is coming, I wish you all a happy Christmas! Good health!
Greetz:
Fly.jingulong, Yock, TDASM.David.hexer, Hmimys, Ahao.ufo (Brother) .aran (Sister) .all of my friends and you!
By LoveBoom [DFCG] [FCG] [US]
Email: bmd2chen # Tom.com
