ASPack v2.12 packer ("shell") analysis

xiaoxiao2021-03-05  21

[Target]: A DLL packed with ASPack 2.12 that I just came across; let's have a look at it.

[Tools]: OllyDbg 1.1, LordPE, IMP.

[Protection]: ASPack 2.12, roughly reversed (unfortunately the compression routine itself is not reversed here).

[Operation Platform]: WinXP Pro SP1

[Author]: loveboom [dfcg] [fcg] [US]

[Related Links]: see the attachment.

[Brief Description]: I haven't written anything for a long time, so I won't say much. I'm rather lazy, and I seriously suspect I don't really understand how this packer works. I don't want to say too much about the rest; this article is also just thrown together. If there are any deficiencies, please advise.

[Detailed Procedure]:

No special settings are needed: this is a plain packer (a compressor, not a protector), so there is no anti-debugging to worry about and no need to hide OD. Load the DLL in OD and start at the entry point. All `[EBP+xxx]` references below are relative to the delta base the stub computes in its first few instructions; OD shows them as `[EBP 422]` etc. in the original listing, the `+` is restored here.

1001F001  60               PUSHAD                          ; packer entry point
1001F002  E8 03000000      CALL Cesi.1001F00A
1001F007  90               NOP                             ; junk instruction, never executed
1001F008  EB 04            JMP SHORT Cesi.1001F00E
1001F00A  5D               POP EBP                         ; EBP = 1001F007, the return address pushed by the CALL
1001F00B  45               INC EBP                         ; EBP = 1001F008
1001F00C  55               PUSH EBP
1001F00D  C3               RETN                            ; "returns" to 1001F008, stepping over the NOP
1001F00E  E8 01000000      CALL Cesi.1001F014
1001F013  90               NOP                             ; junk instruction, skipped the same way
1001F014  5D               POP EBP                         ; EBP = 1001F013: equivalent to MOV EBP,[ESP] / ADD ESP,4; every [EBP+xxx] below is relative to this
1001F015  BB EDFFFFFF      MOV EBX, -13
1001F01A  03DD             ADD EBX, EBP                    ; EBX = 1001F013 - 13 = 1001F000
1001F01C  81EB 00F00100    SUB EBX, 1F000                  ; EBX = 10000000: these three instructions compute the module's actual image base
1001F022  83BD 22040000 00 CMP DWORD PTR SS:[EBP+422], 0   ; has the image base already been saved, i.e. has the stub run before?
1001F029  899D 22040000    MOV DWORD PTR SS:[EBP+422], EBX ; save the image base at [EBP+422]
1001F02F  0F85 65030000    JNZ Cesi.1001F39A               ; already unpacked (a DLL entry point is called again on every attach/detach): go straight to the OEP jump
1001F035  8D85 2E040000    LEA EAX, DWORD PTR SS:[EBP+42E] ; EAX = address of the string "kernel32.dll", needed for the API lookups below
1001F03B  50               PUSH EAX
1001F03C  FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]     ; GetModuleHandleA("kernel32.dll")
1001F042  8985 26040000    MOV DWORD PTR SS:[EBP+426], EAX ; save the kernel32 base at [EBP+426]
1001F048  8BF8             MOV EDI, EAX                    ; EDI = kernel32 base as well (77E40000 on this machine)
1001F04A  8D5D 5E          LEA EBX, DWORD PTR SS:[EBP+5E]  ; EBX = address of the string "VirtualAlloc"
1001F04D  53               PUSH EBX                        ; lpProcName
1001F04E  50               PUSH EAX                        ; hModule = kernel32 base
1001F04F  FF95 490F0000    CALL DWORD PTR SS:[EBP+F49]     ; GetProcAddress(kernel32, "VirtualAlloc")
1001F055  8985 4D050000    MOV DWORD PTR SS:[EBP+54D], EAX ; save the address of VirtualAlloc at [EBP+54D]
1001F05B  8D5D 6B          LEA EBX, DWORD PTR SS:[EBP+6B]  ; EBX = address of the string "VirtualFree"
1001F05E  53               PUSH EBX                        ; lpProcName
1001F05F  57               PUSH EDI                        ; hModule = kernel32 base
1001F060  FF95 490F0000    CALL DWORD PTR SS:[EBP+F49]     ; GetProcAddress(kernel32, "VirtualFree")
1001F066  8985 51050000    MOV DWORD PTR SS:[EBP+551], EAX ; save the address of VirtualFree at [EBP+551]
1001F06C  8D45 77          LEA EAX, DWORD PTR SS:[EBP+77]  ; EAX = 1001F013 + 77 = 1001F08A
1001F06F  FFE0             JMP EAX                         ; jump over the string data that follows, to 1001F08A

The three slots [EBP+F4D], [EBP+F49] and [EBP+F51] (GetModuleHandleA, GetProcAddress, LoadLibraryA) are the only imports the packed file still carries; every other API the DLL needs is resolved by hand further down.
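To make the delta-base trick concrete, here is an added example (not from the original post) that replays the prologue above over the bytes the listing shows. A tiny interpreter that knows only the opcodes the prologue uses traces the CALL/POP/INC/PUSH/RETN sequence, recovers EBP = 1001F013 and EBX = 10000000, and then reads the two strings that the LEA [EBP+5E] / LEA [EBP+6B] instructions hand to GetProcAddress. The byte buffer is constructed from the listing; bytes the listing does not show are left as zero and are never executed.

```python
import struct

# Constructed from the listing above (an added example, not the article's own
# tooling): the stub's first instructions at 1001F001..1001F021 and the two
# ASCII strings the packer stores at 1001F071..1001F089.
STUB_BASE = 0x1001F001
STUB = bytearray(0x90)

def _put(va, data):
    STUB[va - STUB_BASE:va - STUB_BASE + len(data)] = data

_put(0x1001F001, bytes.fromhex("60"))             # PUSHAD
_put(0x1001F002, bytes.fromhex("E803000000"))     # CALL 1001F00A
_put(0x1001F007, bytes.fromhex("90"))             # junk NOP, skipped
_put(0x1001F008, bytes.fromhex("EB04"))           # JMP SHORT 1001F00E
_put(0x1001F00A, bytes.fromhex("5D4555C3"))       # POP EBP / INC EBP / PUSH EBP / RETN
_put(0x1001F00E, bytes.fromhex("E801000000"))     # CALL 1001F014
_put(0x1001F013, bytes.fromhex("90"))             # junk NOP, skipped
_put(0x1001F014, bytes.fromhex("5D"))             # POP EBP -> delta base
_put(0x1001F015, bytes.fromhex("BBEDFFFFFF"))     # MOV EBX,-13
_put(0x1001F01A, bytes.fromhex("03DD"))           # ADD EBX,EBP
_put(0x1001F01C, bytes.fromhex("81EB00F00100"))   # SUB EBX,1F000
_put(0x1001F071, b"VirtualAlloc\0")               # what OD shows as PUSH ESI / IMUL / INS ...
_put(0x1001F07E, b"VirtualFree\0")                # ... and PUSH ESI / IMUL / JB

def run_prologue(stub, base, stop_at):
    """Trace the prologue until EIP == stop_at and return (EBP, EBX).
    Only the opcodes that occur there are implemented; PUSHAD's eight
    dwords are pushed as placeholders so the stack depth stays honest."""
    eip, ebp, ebx, stack = base, 0, 0, []

    def imm(fmt, off):                                   # immediate at eip+off
        return struct.unpack_from(fmt, stub, eip - base + off)[0]

    while eip != stop_at:
        op = stub[eip - base]
        if op == 0x60:                                   # PUSHAD
            stack.extend([0] * 8); eip += 1
        elif op == 0xE8:                                 # CALL rel32: pushes the return address
            stack.append(eip + 5); eip = eip + 5 + imm("<i", 1)
        elif op == 0xEB:                                 # JMP SHORT rel8
            eip = eip + 2 + imm("<b", 1)
        elif op == 0x5D:                                 # POP EBP (grabs the return address)
            ebp = stack.pop(); eip += 1
        elif op == 0x45:                                 # INC EBP
            ebp += 1; eip += 1
        elif op == 0x55:                                 # PUSH EBP
            stack.append(ebp); eip += 1
        elif op == 0xC3:                                 # RETN to whatever is on top of the stack
            eip = stack.pop()
        elif op == 0xBB:                                 # MOV EBX, imm32
            ebx = imm("<I", 1); eip += 5
        elif op == 0x03 and stub[eip - base + 1] == 0xDD:   # ADD EBX, EBP
            ebx = (ebx + ebp) & 0xFFFFFFFF; eip += 2
        elif op == 0x81 and stub[eip - base + 1] == 0xEB:   # SUB EBX, imm32
            ebx = (ebx - imm("<I", 2)) & 0xFFFFFFFF; eip += 6
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {eip:08X}")
    return ebp, ebx

def read_cstring(stub, base, va):
    start = va - base
    return bytes(stub[start:stub.index(b"\0", start)]).decode("ascii")

def recover_stub_facts():
    ebp, image_base = run_prologue(STUB, STUB_BASE, stop_at=0x1001F022)
    return {
        "delta_base": ebp,                                       # 1001F013
        "image_base": image_base,                                # 10000000
        "alloc_name": read_cstring(STUB, STUB_BASE, ebp + 0x5E), # "VirtualAlloc"
        "free_name": read_cstring(STUB, STUB_BASE, ebp + 0x6B),  # "VirtualFree"
        "jmp_eax_target": ebp + 0x77,                            # 1001F08A
    }

if __name__ == "__main__":
    for k, v in recover_stub_facts().items():
        print(k, hex(v) if isinstance(v, int) else v)
```

The same arithmetic is what you do by hand in OD: once you know EBP after the second POP, every `[EBP+xxx]` in the stub becomes a fixed address (1001F013 + xxx), which is how the string and API slots above were identified.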

The bytes from 1001F071 to 1001F089 are not code: they are the ASCII strings "VirtualAlloc" and "VirtualFree" that [EBP+5E] and [EBP+6B] point at (56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 = "VirtualAlloc\0", 56 69 72 74 75 61 6C 46 72 65 65 = "VirtualFree"). OD disassembles them as nonsense because execution jumps over them:

1001F071  56               PUSH ESI                                   ; "V"
1001F072  6972 74 75616C41 IMUL ESI, DWORD PTR DS:[EDX+74], 416C6175  ; "irtualA"
1001F079  6C               INS BYTE PTR ES:[EDI], DX                  ; "l"
1001F07A  6C               INS BYTE PTR ES:[EDI], DX                  ; "l"
1001F07B  6F               OUTS DX, DWORD PTR ES:[EDI]                ; "o"
1001F07C  6300             ARPL WORD PTR DS:[EAX], AX                 ; "c\0"
1001F07E  56               PUSH ESI                                   ; "V"
1001F07F  6972 74 75616C46 IMUL ESI, DWORD PTR DS:[EDX+74], 466C6175  ; "irtualF"
1001F086  72 65            JB SHORT Cesi.1001F0ED                     ; "re"
1001F088  90               NOP                                        ; remaining bytes as OD displayed them
1001F089  90               NOP

1001F08A  8B9D 31050000    MOV EBX, DWORD PTR SS:[EBP+531] ; pointer saved at [EBP+531], if any
1001F090  0BDB             OR EBX, EBX
1001F092  74 0A            JE SHORT Cesi.1001F09E          ; nothing there: skip
1001F094  8B03             MOV EAX, DWORD PTR DS:[EBX]
1001F096  8785 35050000    XCHG DWORD PTR SS:[EBP+535], EAX
1001F09C  8903             MOV DWORD PTR DS:[EBX], EAX     ; swap the dword at [EBX] with the one kept at [EBP+535]
1001F09E  8DB5 69050000    LEA ESI, DWORD PTR SS:[EBP+569] ; ESI -> table of (section RVA, section size) pairs for the packed sections; the first entry is .text, RVA 1000
1001F0A4  833E 00          CMP DWORD PTR DS:[ESI], 0       ; an RVA of 0 terminates the table
1001F0A7  0F84 21010000    JE Cesi.1001F1CE                ; nothing to unpack: go to relocation handling
1001F0AD  6A 04            PUSH 4                          ; /Protect = PAGE_READWRITE
1001F0AF  68 00100000      PUSH 1000                       ; |AllocationType = MEM_COMMIT
1001F0B4  68 00180000      PUSH 1800                       ; |Size = 1800 (6144.)
1001F0B9  6A 00            PUSH 0                          ; |Address = NULL
1001F0BB  FF95 4D050000    CALL DWORD PTR SS:[EBP+54D]     ; \VirtualAlloc
1001F0C1  8985 56010000    MOV DWORD PTR SS:[EBP+156], EAX ; first work buffer, saved at [EBP+156] (BC0000 here)
1001F0C7  8B46 04          MOV EAX, DWORD PTR DS:[ESI+4]   ; EAX = size of the current section (A000 for .text)
1001F0CA  05 0E010000      ADD EAX, 10E                    ; second buffer = section size + 10E (A10E here)
1001F0CF  6A 04            PUSH 4                          ; /Protect = PAGE_READWRITE
1001F0D1  68 00100000      PUSH 1000                       ; |AllocationType = MEM_COMMIT
1001F0D6  50               PUSH EAX                        ; |Size = A10E (41230.)
1001F0D7  6A 00            PUSH 0                          ; |Address = NULL (let the system choose)
1001F0D9  FF95 4D050000    CALL DWORD PTR SS:[EBP+54D]     ; \VirtualAlloc
1001F0DF  8985 52010000    MOV DWORD PTR SS:[EBP+152], EAX ; second work buffer, saved at [EBP+152] (BD0000 here)
1001F0E5  56               PUSH ESI                        ; save the table pointer (ESI -> current section's RVA and size)
1001F0E6  8B1E             MOV EBX, DWORD PTR DS:[ESI]     ; EBX = section RVA
1001F0E8  039D 22040000    ADD EBX, DWORD PTR SS:[EBP+422] ; EBX = section VA = image base + RVA (10001000)
1001F0EE  FFB5 56010000    PUSH DWORD PTR SS:[EBP+156]     ; arg: first work buffer
1001F0F4  FF76 04          PUSH DWORD PTR DS:[ESI+4]       ; arg: section size
1001F0F7  50               PUSH EAX                        ; arg: second work buffer
1001F0F8  53               PUSH EBX                        ; arg: VA of the section being unpacked (10001000); OD's "Size2" label is just a guess and is wrong
1001F0F9  E8 6E050000      CALL Cesi.1001F66C              ; the decompression routine (not reversed in this article)
1001F0FE  B3 01            MOV BL, 1
1001F100  80FB 00          CMP BL, 0
......

......

1001F189  5E               POP ESI                         ; restore the table pointer
1001F18A  68 00800000      PUSH 8000                       ; /FreeType = MEM_RELEASE: release the second buffer
1001F18F  6A 00            PUSH 0                          ; |Size = 0
1001F191  FFB5 52010000    PUSH DWORD PTR SS:[EBP+152]     ; |Address = second work buffer
1001F197  FF95 51050000    CALL DWORD PTR SS:[EBP+551]     ; \VirtualFree
1001F19D  83C6 08          ADD ESI, 8                      ; next (RVA, size) entry
1001F1A0  833E 00          CMP DWORD PTR DS:[ESI], 0
1001F1A3 ^0F85 1EFFFFFF    JNZ Cesi.1001F0C7               ; more sections: loop back (the first buffer is reused, only the second is reallocated per section)
1001F1A9  68 00800000      PUSH 8000                       ; /FreeType = MEM_RELEASE
1001F1AE  6A 00            PUSH 0                          ; |Size = 0
1001F1B0  FFB5 56010000    PUSH DWORD PTR SS:[EBP+156]     ; |Address = first work buffer
1001F1B6  FF95 51050000    CALL DWORD PTR SS:[EBP+551]     ; \VirtualFree

......

1001F1CE  8B95 22040000    MOV EDX, DWORD PTR SS:[EBP+422] ; EDX = actual image base
1001F1D4  8B85 2D050000    MOV EAX, DWORD PTR SS:[EBP+52D] ; EAX = the program's original (preferred) image base
1001F1DA  2BD0             SUB EDX, EAX                    ; EDX = relocation delta
1001F1DC  74 79            JE SHORT Cesi.1001F257          ; loaded at the preferred base: no relocation needed, skip
1001F1DE  8BC2             MOV EAX, EDX                    ; prepare to apply relocations
1001F1E0  C1E8 10          SHR EAX, 10                     ; EAX = high word of the delta
1001F1E3  33DB             XOR EBX, EBX
1001F1E5  8BB5 39050000    MOV ESI, DWORD PTR SS:[EBP+539] ; RVA of the relocation table (1E000)
1001F1EB  03B5 22040000    ADD ESI, DWORD PTR SS:[EBP+422] ; RVA -> VA
1001F1F1  833E 00          CMP DWORD PTR DS:[ESI], 0       ; first dword of a relocation block; 0 means the table is finished, go on to the import table
1001F1F4  74 61            JE SHORT Cesi.1001F257
......
1001F24C  66:830E FF       OR WORD PTR DS:[ESI], 0FFFF     ; the 16-bit entry is marked as processed here; NOP this out and the entries are left untouched
1001F250  83C6 02          ADD ESI, 2                      ; next entry
1001F253 ^E2 B4            LOOPD SHORT Cesi.1001F209       ; loop over the entries of this block
1001F255 ^EB 9A            JMP SHORT Cesi.1001F1F1         ; next block
1001F257  8B95 22040000    MOV EDX, DWORD PTR SS:[EBP+422]
1001F25D  8BB5 41050000    MOV ESI, DWORD PTR SS:[EBP+541] ; [EBP+541] holds the end of the relocation table
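The loop at 1001F1CE..1001F255 is the ordinary PE base-relocation walk: delta = actual base - preferred base, stop if zero, then for each IMAGE_BASE_RELOCATION block (page RVA, block size, 16-bit entries) add the delta to every HIGHLOW target. The following added example (not code from the article) does that walk in Python over a constructed image: a `MOV EAX,[10002010]` at RVA 1000 covered by one relocation block at RVA 2000. Relocating from the preferred base 10000000 to 00400000 rewrites the operand to 00402010; relocating to the preferred base touches nothing, which is the JE at 1001F1DC.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit address: add the whole delta

def apply_relocations(image, reloc_rva, reloc_size, preferred_base, actual_base):
    """Apply the relocation table at reloc_rva to `image`, a bytearray laid out
    like the loaded module (offset == RVA). Returns the number of fixups applied.
    As in the stub: delta == 0 means nothing to do, and a block whose first dword
    is 0 ends the table."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    if delta == 0:
        return 0
    applied = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if page_rva == 0 or block_size < 8:
            break
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {kind} at RVA {off:X}")
            value, = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
            applied += 1
        pos += block_size
    return applied

def build_reloc_sample():
    """Constructed image (not the DLL from the article): one instruction with an
    absolute operand and one relocation block that covers it."""
    img = bytearray(0x3000)
    img[0x1000:0x1005] = bytes.fromhex("A110200010")       # MOV EAX,[10002010]
    # block header: page RVA 1000, SizeOfBlock 12; entries: HIGHLOW at +1, ABSOLUTE padding
    struct.pack_into("<IIHH", img, 0x2000, 0x1000, 12,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x001, 0)
    return img

def relocate_sample(actual_base, preferred_base=0x10000000):
    """Relocate the sample to actual_base; returns (fixups applied, operand now)."""
    img = build_reloc_sample()
    n = apply_relocations(img, 0x2000, 12, preferred_base, actual_base)
    operand, = struct.unpack_from("<I", img, 0x1001)
    return n, operand

if __name__ == "__main__":
    for base in (0x10000000, 0x00400000):
        n, operand = relocate_sample(base)
        print(f"base {base:08X}: {n} fixup(s), operand now {operand:08X}")
```

This is also why it matters where the DLL was loaded when you dump it: if the loader put it somewhere other than 10000000, the stub has already rewritten every HIGHLOW target for that base, and the dump contains the adjusted values.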

......

1001F278  BE 70C30000      MOV ESI, 0C370                  ; RVA of the import table
1001F27D  8B95 22040000    MOV EDX, DWORD PTR SS:[EBP+422]
1001F283  03F2             ADD ESI, EDX                    ; RVA -> VA
1001F285  8B46 0C          MOV EAX, DWORD PTR DS:[ESI+C]   ; Name field of the IMAGE_IMPORT_DESCRIPTOR
1001F288  85C0             TEST EAX, EAX
1001F28A  0F84 0A010000    JE Cesi.1001F39A                ; no more descriptors: imports done, go to the OEP jump
1001F290  03C2             ADD EAX, EDX                    ; VA of the DLL name
1001F292  8BD8             MOV EBX, EAX                    ; keep the name pointer in EBX
1001F294  50               PUSH EAX                        ; /pModule = "Slsapi.dll"
1001F295  FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]     ; \GetModuleHandleA
1001F29B  85C0             TEST EAX, EAX                   ; base obtained here: 3B0000
1001F29D  75 07            JNZ SHORT Cesi.1001F2A6         ; already loaded: carry on; otherwise load the DLL first
1001F29F  53               PUSH EBX                        ; /FileName = "Slsapi.dll"
1001F2A0  FF95 510F0000    CALL DWORD PTR SS:[EBP+F51]     ; \LoadLibraryA
1001F2A6  8985 45050000    MOV DWORD PTR SS:[EBP+545], EAX ; save the module base at [EBP+545] (3B0000)
......
1001F2F5  53               PUSH EBX                        ; /ProcNameOrOrdinal = #11
1001F2F6  FFB5 45050000    PUSH DWORD PTR SS:[EBP+545]     ; |hModule = 003B0000 (Slsapi)
1001F2FC  FF95 490F0000    CALL DWORD PTR SS:[EBP+F49]     ; \GetProcAddress
1001F302  85C0             TEST EAX, EAX
1001F304  5B               POP EBX
1001F305  75 6F            JNZ SHORT Cesi.1001F376         ; resolved successfully

The jump above lands here:

1001F376  8907             MOV DWORD PTR DS:[EDI], EAX     ; write the resolved API address into the IAT slot
1001F378  8385 49050000 04 ADD DWORD PTR SS:[EBP+549], 4   ; advance to the next IAT slot
1001F37F ^E9 32FFFFFF      JMP Cesi.1001F2B6               ; loop back for the next function of this DLL
1001F384  8906             MOV DWORD PTR DS:[ESI], EAX
.......
1001F395  E9 EBFEFFFF      JMP Cesi.1001F285               ; next import descriptor
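The import loop from 1001F285 to 1001F395 is, apart from the packer's bookkeeping, the standard IMAGE_IMPORT_DESCRIPTOR walk: read the Name field at +0C (zero ends the array), GetModuleHandleA or LoadLibraryA the DLL, then for each thunk call GetProcAddress by name or, when the high bit of the thunk is set, by ordinal (the #11 seen above), and write the result into the IAT. The following added example (not code from the article) does that walk in Python over a constructed image with two descriptors, Slsapi.dll by ordinal #11 and kernel32.dll by name. A stand-in resolver with made-up addresses replaces the real Win32 calls so it runs anywhere; the module bases reuse the values seen in the listing.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000

def cstring(image, rva):
    """NUL-terminated ASCII string at rva."""
    return bytes(image[rva:image.index(b"\0", rva)]).decode("ascii")

def resolve_imports(image, import_rva, get_module, get_proc):
    """Fill every descriptor's IAT (FirstThunk) in `image` (bytearray, offset == RVA).
    get_module(dll_name) -> module base; get_proc(base, name_or_ordinal) -> address
    or None. Real code would wrap LoadLibraryA/GetProcAddress via ctypes.
    Returns {(dll, name_or_ordinal): address}."""
    resolved = {}
    pos = import_rva
    while True:
        olt, _stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<5I", image, pos)
        if name_rva == 0:                          # Name == 0: end of the descriptor array
            break
        dll = cstring(image, name_rva)
        base = get_module(dll)
        thunks = olt or iat_rva                    # packers often leave OriginalFirstThunk empty
        i = 0
        while True:
            entry, = struct.unpack_from("<I", image, thunks + 4 * i)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                key = entry & 0xFFFF               # import by ordinal (e.g. #11)
            else:
                key = cstring(image, entry + 2)    # IMAGE_IMPORT_BY_NAME: skip the Hint word
            addr = get_proc(base, key)
            if addr is None:
                raise LookupError(f"{dll}!{key} could not be resolved")
            struct.pack_into("<I", image, iat_rva + 4 * i, addr)
            resolved[(dll, key)] = addr
            i += 1
        pos += 20                                  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return resolved

def build_sample_image():
    """Constructed test image (not the DLL from the article): two descriptors,
    Slsapi.dll imported by ordinal #11 and kernel32.dll imported by name."""
    img = bytearray(0x4000)
    img[0x3100:0x310B] = b"Slsapi.dll\0"
    img[0x3110:0x311D] = b"kernel32.dll\0"
    img[0x3120:0x312F] = b"\0\0" + b"VirtualAlloc\0"          # Hint word + name
    struct.pack_into("<II", img, 0x3200, IMAGE_ORDINAL_FLAG32 | 11, 0)   # thunks for Slsapi
    struct.pack_into("<II", img, 0x3210, 0x3120, 0)                      # thunks for kernel32
    # descriptor array at 0x3000: (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk)
    struct.pack_into("<5I", img, 0x3000, 0x3200, 0, 0, 0x3100, 0x3300)
    struct.pack_into("<5I", img, 0x3014, 0x3210, 0, 0, 0x3110, 0x3310)
    return img                                     # the all-zero descriptor at 0x3028 terminates the array

# Stand-in loader: bases as seen in the article, export addresses made up for the example.
FAKE_MODULES = {"Slsapi.dll": 0x003B0000, "kernel32.dll": 0x77E40000}
FAKE_EXPORTS = {(0x003B0000, 11): 0x003B1234, (0x77E40000, "VirtualAlloc"): 0x77E5A000}

def fake_get_module(name):
    return FAKE_MODULES[name]

def fake_get_proc(base, key):
    return FAKE_EXPORTS.get((base, key))

def demo():
    """Resolve the sample image; returns (resolved map, the two filled IAT slots)."""
    img = build_sample_image()
    resolved = resolve_imports(img, 0x3000, fake_get_module, fake_get_proc)
    iat = [struct.unpack_from("<I", img, off)[0] for off in (0x3300, 0x3310)]
    return resolved, iat

if __name__ == "__main__":
    resolved, iat = demo()
    for (dll, key), addr in resolved.items():
        print(f"{dll}!{key} -> {addr:08X}")
    print("IAT:", [f"{a:08X}" for a in iat])
```

After the stub has run, the IAT slots hold live addresses exactly like this; that is what an import rebuilder reads back when you point it at the dumped image and the OEP.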

1001F39A  B8 4BA00000      MOV EAX, 0A04B                  ; EAX = RVA of the OEP
1001F39F  50               PUSH EAX
1001F3A0  0385 22040000    ADD EAX, DWORD PTR SS:[EBP+422] ; EAX = OEP VA = image base + RVA
1001F3A6  59               POP ECX                         ; ECX = OEP RVA
1001F3A7  0BC9             OR ECX, ECX                     ; ZF set if the RVA is zero; the flags survive the POPAD below
1001F3A9  8985 A8030000    MOV DWORD PTR SS:[EBP+3A8], EAX ; [EBP+3A8] = 1001F3BB, the imm32 of the PUSH at 1001F3BA: the OEP VA is patched into that instruction
1001F3AF  61               POPAD                           ; restore the registers saved by PUSHAD at entry
1001F3B0  75 08            JNZ SHORT Cesi.1001F3BA         ; OEP RVA non-zero: go to it
1001F3B2  B8 01000000      MOV EAX, 1                      ; no OEP: return TRUE from the entry point without running any original code
1001F3B7  C2 0C00          RETN 0C                         ; stdcall return that pops DllMain's three arguments; this feels a bit redundant to me, EAX was already assigned above, was it necessary?
1001F3BA  68 4BA00010      PUSH Cesi.1000A04B              ; PUSH OEP (the immediate written at 1001F3A9)
1001F3BF  C3               RETN                            ; jump to the OEP, 1000A04B

As for how to fix the import table and the relocation table, I don't have much to say; I'm getting ready to go home and sleep.

Greetz:

Fly, Jingulong, Yock, TDASM, David, AHAO, VCASM, UFO (Brother), ALAN (Sister), All of my friends and you!

By LoveBoom [DFCG] [FCG] [US]

Email: bmd2chen@tom.com

Please credit the original address when reposting: https://www.9cbs.com/read-36269.html
