Asprotect v2.0 Stolen code的一次修复旅程
【原文链接】:http://bbs.pediy.com/showthread.php?s=&threadid=7160
【目 标】:久久奇迹v3.6版(MU99)
【工 具】:Olydbg1.1(diy版)、LORDPE、ImportREC1.6F
【任 务】:比较简单的找回壳所抽的代码
【操作平台】:Windows Xp sp2
【作 者】:loveboom[DFCG][FCG][US]
【简要说明】:这个壳应该很多朋友都清楚新版本抽代码很”严重”,所以我就要“偷窥”一下被抽的代码.
因为是外挂,所以我就不放源程序上来,目标程序你们自己去找找.
【详细过程】:
设置OD打开int3异常项,其它忽略.主要讲自怎么找回stolen code,所以自己修复IAT我就不讲,在最后一次内存异常后找到的
push [xxxxxx]
RETN
的代码就是原OEP执行原程序代码开始处,我用脚本简化了一下过程,我用自己原来写的ASPR2的脚本改了一下:
/*
//////////////////////////////////////////////////
Script for Asprotect v2.0
Author: loveboom
Email : bmd2chen@tom.com
OS : WinXP sp2,Ollydbg 1.1,OllyScript v0.92
Date : 2004-11-15
Action: Stop stolen code
Config: Ignore all exceptions except 'INT 3 breaks'
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var addr
lblask:
ask "Press 1 clear junkcode,press other key run script."
cmp $RESULT,1
je lblcCode
lblsetting:
msgyn "Setting:Ignore all exceptions except 'INT 3 breaks',Continue?"
cmp $RESULT,1
je lblbp1 //这里修改一下
ret
//这里开始改变一下
lblbp1:
gpa "LoadLibraryA","kernel32.dll" //获取LOADlibraryA的地址
mov addr,$RESULT
add addr,B //bp LoadLibraryA+0B
bp addr
run
lblbc1:
bc addr
rtu //返回用户代码
rtr //执行到return处
sto
find eip,#E8# //查找CALL
go $RESULT
sti //跟进
find eip,#8B550C8B128902# //找处理IAT代码
mov addr,$RESULT
add addr,5
mov [addr],#891A#
//下面调用原来的代码
start:
dbh
run
lbl1:
find eip,#5B5A59C3# //Found commands 'pop ebx, pop edx, pop
ecx, retn'
cmp $RESULT,0
je lblerr
mov addr,$RESULT
add addr,3
bp addr
lbl2:
esto
lbl3:
cmp eip,addr
jne lbl2
bc addr
lbl4:
find eip,#FF35????????C3#
cmp $RESULT,0
je lblerr
mov addr,$RESULT
add addr,2
mov addr,[addr] //Get push address
mov addr,[addr] //Get push value(address)
bp addr
run
lbl5:
cmp eip,addr
jne lblerr
bc addr
lbl7:
cmt eip,"Stolen code."
msgyn "Clear Junkcode?" //CLEAR JUNKCODE?
cmp $RESULT,0
je lblend
lblcCode:
//jmp 01
repl eip,#2EEB01??#,#90909090#,1000
repl eip,#65EB01??#,#90909090#,1000
repl eip,#F2EB01??#,#90909090#,1000
repl eip,#F3EB01??#,#90909090#,1000
repl eip,#F3EB01??#,#90909090#,1000
repl eip,#EB01??#,#909090#,1000
//jmp 02
repl eip,#26EB02????#,#9090909090#,1000
repl eip,#3EEB02????#,#9090909090#,1000
repl eip,#F3EB02????#,#9090909090#,1000
repl eip,#EB02????#,#90909090#,1000
lblend:
msg "Script by loveboom[DFCG][FCG][US],Thank you for using my Scripts!"
ret
lblerr:
msg "Error!Script aborted.Maybe target is not protect by asprotect 2.0 or
your forgot Ignore all exceptions except 'INT 3 breaks'."
ret
改完后,直接用脚本跑到目的地.
注:这里开始就要花点心去看了,因为壳写了N多垃圾代码,一不小心可能就跟飞了。
00F802FF 55 PUSH EBP ; ☆☆☆☆☆ Stolen code.这里第一行,先记下这个地址,后面还有用
00F80300 81E5 148A85F7 AND EBP,F7858A14
00F80306 90 NOP
……
00F803F2 90 NOP
00F803F3 90 NOP
00F803F4 90 NOP
00F803F5 2BC3 SUB EAX,EBX
00F803F7 58 POP EAX
00F803F8 0BF7 OR ESI,EDI
00F803FA 5E POP ESI
00F803FB 90 NOP
00F803FC 90 NOP
00F803FD 90 NOP
00F803FE 90 NOP
00F803FF 2BEE SUB EBP,ESI ; ☆☆☆☆☆ 这里第二行mov ebp,esp
00F80401 6A FF PUSH –1 ; ☆☆☆☆☆ 第三行push -1
00F80403 90 NOP
00F80404 90 NOP
……
00F80408 FF7424 0C PUSH DWORD PTR SS:[ESP+C]
00F8040C 66:9C PUSHFW
00F8040E 51 PUSH ECX
00F8040F 03CD ADD ECX,EBP
00F80411 03CD ADD ECX,EBP
00F80413 034C24 18 ADD ECX,DWORD PTR SS:[ESP+18]
00F80417 B9 3E064200 MOV ECX,42063E
00F8041C 8D4C14 12 LEA ECX,DWORD PTR SS:[ESP+EDX+12]
00F80420 2BCA SUB ECX,EDX
00F80422 8D4C01 EE LEA ECX,DWORD PTR DS:[ECX+EAX-12]
00F80426 2BC8 SUB ECX,EAX
00F80428 64:90 NOP ; Superfluous prefix
00F8042A 90 NOP
00F8042B 90 NOP
00F8042C 90 NOP
00F8042D 8D4C39 06 LEA ECX,DWORD PTR DS:[ECX+EDI+6]
00F80431 2BCF SUB ECX,EDI
00F80433 68 68A74300 PUSH 43A768
00F80438 90 NOP
00F80439 90 NOP
00F8043A 90 NOP
00F8043B 90 NOP
00F8043C 8F01 POP DWORD PTR DS:[ECX] ; ☆☆☆☆☆ 这里就是第四句,到这里的时候看看那个值就知道.push 43A768
-------------------------
0012FFB8 0043A768 99mu.0043A768
-------------------------
00F8043E 59 POP ECX
00F8043F 66:9D POPFW
……
00F8062E 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00F80635 66:9C PUSHFW
00F80637 53 PUSH EBX
00F80638 90 NOP
00F80639 90 NOP
00F8063A 90 NOP
00F8063B 90 NOP
00F8063C 90 NOP
00F8063D 81D3 4EFB8179 ADC EBX,7981FB4E
00F80643 8BDC MOV EBX,ESP
00F80645 90 NOP
00F80646 90 NOP
00F80647 90 NOP
00F80648 90 NOP
00F80649 8D5B 06 LEA EBX,DWORD PTR DS:[EBX+6]
00F8064C 52 PUSH EDX
00F8064D 8D940B AE784500 LEA EDX,DWORD PTR DS:[EBX+ECX+4578AE]
00F80654 8D9427 AA1B4300 LEA EDX,DWORD PTR DS:[EDI+431BAA]
00F8065B 2BD7 SUB EDX,EDI
00F8065D 8913 MOV DWORD PTR DS:[EBX],EDX ;☆☆☆☆☆ PUSH 431BAA
00F8065F 5A POP EDX
00F80660 5B POP EBX
00F80661 90 NOP
00F80662 90 NOP
00F80663 90 NOP
00F80664 90 NOP
00F80665 66:9D POPFW
00F80667 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; ☆☆☆☆☆
00F8066D 50 PUSH EAX ; ☆☆☆☆☆
00F8066E 64:8925 0000000>MOV DWORD PTR FS:[0],ESP ; ☆☆☆☆☆
00F80675 36:90 NOP ; Superfluous prefix
00F80677 90 NOP
00F80678 90 NOP
00F80679 83EC 68 SUB ESP,68 ; ☆☆☆☆☆
00F8067C 53 PUSH EBX ; ☆☆☆☆☆
00F8067D 56 PUSH ESI ; ☆☆☆☆☆
00F8067E 57 PUSH EDI ; ☆☆☆☆☆
00F8067F 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP ; ☆☆☆☆☆
00F80682 33DB XOR EBX,EBX ; ☆☆☆☆☆
00F80684 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; ☆☆☆☆☆
00F80687 6A 02 PUSH 2 ; ☆☆☆☆☆
00F80689 FF15 94644300 CALL DWORD PTR DS:[436494] ; ☆☆☆☆☆
00F8068F 59 POP ECX ; ☆☆☆☆☆
00F80690 830D 10874500 F>OR DWORD PTR DS:[458710],FFFFFFFF ; ☆☆☆☆☆
00F80697 830D 14874500 F>OR DWORD PTR DS:[458714],FFFFFFFF ; ☆☆☆☆☆
00F8069E FF15 BC644300 CALL DWORD PTR DS:[4364BC] ; ☆☆☆☆☆
00F806A4 90 NOP
00F806A5 90 NOP
00F806A6 90 NOP
00F806A7 90 NOP
00F806A8 334C24 28 XOR ECX,DWORD PTR SS:[ESP+28] ; 这里都是垃圾代码
00F806AC 83C9 71 OR ECX,71
00F806AF 90 NOP
00F806B0 90 NOP
00F806B1 90 NOP
00F806B2 90 NOP
00F806B3 FF35 04874500 PUSH DWORD PTR DS:[458704]
00F806B9 034C24 38 ADD ECX,DWORD PTR SS:[ESP+38] ; 垃圾代码
00F806BD 034C24 18 ADD ECX,DWORD PTR SS:[ESP+18]
00F806C1 59 POP ECX ;
☆☆☆☆☆ 这里也就是MOV ECX,[458704]
00F806C2 8908 MOV DWORD PTR DS:[EAX],ECX ;
☆☆☆☆☆
00F806C4 FF15 5C644300 CALL DWORD PTR DS:[43645C] ;
☆☆☆☆☆ msvcrt.__p__commode
00F806CA 83E9 33 SUB ECX,33
00F806CD 83D9 8F SBB ECX,-71
00F806D0 90 NOP
00F806D1 90 NOP
00F806D2 90 NOP
00F806D3 90 NOP
00F806D4 90 NOP
00F806D5 FF35 00874500 PUSH DWORD PTR DS:[458700]
00F806DB 334C24 28 XOR ECX,DWORD PTR SS:[ESP+28]
00F806DF 83D9 89 SBB ECX,-77
00F806E2 59 POP ECX ;
☆☆☆☆☆ mov ecx,[458700]
00F806E3 8908 MOV DWORD PTR DS:[EAX],ECX ;
☆☆☆☆☆
00F806E5 64:90 NOP ; Superfluous prefix
00F806E7 90 NOP
00F806E8 90 NOP
00F806E9 90 NOP
00F806EA 8D440B 36 LEA EAX,DWORD PTR DS:[EBX+ECX+36]
00F806EE FF35 50644300 PUSH DWORD PTR DS:[436450] ; msvcrt._adjust_fdiv
00F806F4 81C8 FA2D991F OR EAX,1F992DFA
00F806FA 58 POP EAX ;
☆☆☆☆☆ MOV EAX,[436450]
00F806FB ^ E9 88FEFFFF JMP 00F80588
00F80588 8B00 MOV EAX,DWORD PTR DS:[EAX] ; ☆☆☆☆☆
00F8058A A3 0C874500 MOV DWORD PTR DS:[45870C],EAX ; ☆☆☆☆☆
00F8058F 68 9D08F800 PUSH 0F8089D ; 这里就是第一个call的代码了
00F80594 E8 67FA1000 CALL 01090000 ; 跟进
进来看看先:
进来后就有更多垃圾代码了,不过不用怕,实际好对付的。
01090000 64:90 NOP ; 跟进后到这里
01090002 90 NOP
01090003 90 NOP
01090004 90 NOP
01090005 51 PUSH ECX
01090006 9C PUSHFD
01090007 90 NOP
01090008 90 NOP
01090009 90 NOP
0109000A 90 NOP
0109000B 81C1 9F3A8AB8 ADD ECX,B88A3A9F
01090011 64:90 NOP ; Superfluous prefix
……
一直向下找到一个call 寄存器
0109010D 0BD1 OR EDX,ECX
0109010F C1D9 23 RCR ECX,23 ; Shift constant out of range 1..31
01090112 034C24 38 ADD ECX,DWORD PTR SS:[ESP+38]
01090116 68 A429D600 PUSH 0D629A4
0109011B 81E1 D82E9C40 AND ECX,409C2ED8
01090121 59 POP ECX
01090122 FFD1 CALL ECX ; 向下找到这里,这里继续跟进
01090124 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
01090128 8D4C0B 06 LEA ECX,DWORD PTR DS:[EBX+ECX+6]
再次到来到这里:
00D629A4 55 PUSH EBP
00D629A5 8BEC MOV EBP,ESP
00D629A7 83C4 F8 ADD ESP,-8
00D629AA 53 PUSH EBX
00D629AB 56 PUSH ESI
00D629AC 57 PUSH EDI
00D629AD 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
,这里还是很多垃圾代码.
……
00D62A12 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
00D62A15 50 PUSH EAX
00D62A16 E8 CDF3FFFF CALL 00D61DE8
00D62A1B 50 PUSH EAX
00D62A1C 8BCE MOV ECX,ESI
00D62A1E 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
00D62A21 8BC3 MOV EAX,EBX
00D62A23 E8 8CFDFFFF CALL 00D627B4 ; 到这里继续跟进
00D62A28 4F DEC EDI
00D62A29 0373 70 ADD ESI,DWORD PTR DS:[EBX+70]
00D62A2C 85FF TEST EDI,EDI
00D62A2E ^ 77 CB JA SHORT 00D629FB
再跟进来看看
00D627B4 55 PUSH EBP ; 进到这里
00D627B5 8BEC MOV EBP,ESP
00D627B7 83C4 F0 ADD ESP,-10
00D627BA 53 PUSH EBX
00D627BB 56 PUSH ESI
00D627BC 57 PUSH EDI
……
进来后一直向下找到JMP DWORD PTR DS:[EAX+24].找到这里:
00D62959 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00D6295C 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D6295F FF60 24 JMP DWORD PTR DS:[EAX+24] ; 找到这里后,直接F4到这里.再按F8一次终于到了我们想到的地方:
010A0000 64:90 NOP ; 进到这里直接到POPFD
010A0002 90 NOP
010A0003 90 NOP
010A0004 90 NOP
010A0005 90 NOP
010A0006 90 NOP
010A0007 90 NOP
010A0008 C1D9 D7 RCR ECX,0D7 ; Shift constant out of range 1..31
010A000B 36:90 NOP ; Superfluous prefix
010A000D 90 NOP
010A000E 90 NOP
010A000F 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
010A0013 59 POP ECX
010A0014 035424 18 ADD EDX,DWORD PTR SS:[ESP+18]
到这里后,直接CTRL+S找
POPFD
POP ESP
JMP [ESP-4]
找到这里:
010A00BA 59 POP ECX
010A00BB 9D POPFD
010A00BC 5C POP ESP
010A00BD - FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 99mu.00431BDD
找到后直接在010a00bd处下一个断,下次就不用再重复上面的工作了(当然这个地址,每次载入后不一定相同)。执行到010a00bd处后,看到跳去的值就是原程序处,所以我们这里的代码就是:
☆☆☆☆☆ CALL 431BDD
继续返回到壳代码中,继续跟出代码来.
00F8089D 391D 781C4400 CMP DWORD PTR DS:[441C78],EBX ; ☆☆☆☆☆返回到这里继续
00F808A3 0F85 61000000 JNZ 00F8090A ; ☆☆☆☆☆这里的跳转不能直接写,我们要记下先,这里会跳下去。
00F808A9 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00F808B0 90 NOP
00F808B1 90 NOP
00F808B2 90 NOP
00F808B3 66:9C PUSHFW
00F808B5 57 PUSH EDI
00F808B6 1BFB SBB EDI,EBX
00F808B8 90 NOP
00F808B9 90 NOP
00F808BA 90 NOP
00F808BB 90 NOP
00F808BC 90 NOP
00F808BD 90 NOP
00F808BE 90 NOP
00F808BF C1C7 8D ROL EDI,8D ; Shift constant out of range 1..31
00F808C2 90 NOP
00F808C3 90 NOP
00F808C4 90 NOP
00F808C5 90 NOP
00F808C6 83E7 40 AND EDI,40
00F808C9 90 NOP
00F808CA 90 NOP
00F808CB 90 NOP
00F808CC 90 NOP
00F808CD 2BFD SUB EDI,EBP
00F808CF 8D7C0C 36 LEA EDI,DWORD PTR SS:[ESP+ECX+36]
00F808D3 2BF9 SUB EDI,ECX
00F808D5 8D7C2F CA LEA EDI,DWORD PTR DS:[EDI+EBP-36]
00F808D9 90 NOP
00F808DA 90 NOP
00F808DB 90 NOP
00F808DC 90 NOP
00F808DD 2BFD SUB EDI,EBP
00F808DF 36:90 NOP ; Superfluous prefix
00F808E1 90 NOP
00F808E2 90 NOP
00F808E3 8D7C27 06 LEA EDI,DWORD PTR DS:[EDI+6]
00F808E7 55 PUSH EBP
00F808E8 C1C5 97 ROL EBP,97 ; Shift constant out of range 1..31
00F808EB C1C5 B3 ROL EBP,0B3 ; Shift constant out of range 1..31
00F808EE 8DAC26 DA1B4300 LEA EBP,DWORD PTR DS:[ESI+431BDA]
00F808F5 90 NOP
00F808F6 90 NOP
00F808F7 90 NOP
00F808F8 90 NOP
00F808F9 90 NOP
00F808FA 2BEE SUB EBP,ESI
00F808FC 55 PUSH EBP
00F808FD 8F07 POP DWORD PTR DS:[EDI] ; ☆☆☆☆☆ PUSH 431BDA
00F808FF 5D POP EBP
00F80900 5F POP EDI
00F80901 66:9D POPFW
00F80903 FF15 54644300 CALL DWORD PTR DS:[436454] ; ☆☆☆☆☆
00F80909 59 POP ECX ; ☆☆☆☆☆
00F8090A 68 7B04F800 PUSH 0F8047B ; 不相等就跳到这里
00F8090F E8 ECF61000 CALL 01090000 ; 这里再次跟进,这里又是一个call了,
00F80914 68 B6134800 PUSH 4813B6
好了,上面的代码是用这种方法来整理:
CMP [441C78],EBX
JNZ @F
PUSH 431BDA
CALL [436454]
POP ECX
@@:
CALL @C1
进到上面的call后,就会发现又到了第一次那个很多垃圾代码的地方,记得我们在010A00BD下断了吧,对了,直接运行后中断到目的地。
00F80599 68 72EC4400 PUSH 44EC72 ; 继续中断后f8就到这里
00F8059E 66:9C PUSHFW
00F805A0 50 PUSH EAX
00F805A1 334424 08 XOR EAX,DWORD PTR SS:[ESP+8]
00F805A5 83E8 ED SUB EAX,-13
00F805A8 90 NOP
00F805A9 90 NOP
00F805AA 90 NOP
00F805AB 90 NOP
00F805AC 8D8435 584E4300 LEA EAX,DWORD PTR SS:[EBP+ESI+434E58]
00F805B3 90 NOP
00F805B4 90 NOP
00F805B5 90 NOP
00F805B6 90 NOP
00F805B7 8D4424 52 LEA EAX,DWORD PTR SS:[ESP+52]
00F805BB 8D4428 AE LEA EAX,DWORD PTR DS:[EAX+EBP-52]
00F805BF 90 NOP
00F805C0 90 NOP
00F805C1 90 NOP
00F805C2 90 NOP
00F805C3 90 NOP
00F805C4 2BC5 SUB EAX,EBP
00F805C6 8D40 06 LEA EAX,DWORD PTR DS:[EAX+6]
00F805C9 52 PUSH EDX
00F805CA 81DA 8CB4B73D SBB EDX,3DB7B48C
00F805D0 8D97 00000300 LEA EDX,DWORD PTR DS:[EDI+30000]
00F805D6 2BD7 SUB EDX,EDI
00F805D8 90 NOP
00F805D9 90 NOP
00F805DA 90 NOP
00F805DB 52 PUSH EDX
00F805DC 90 NOP
00F805DD 90 NOP
00F805DE 90 NOP
00F805DF 90 NOP
00F805E0 8F00 POP DWORD PTR DS:[EAX] ; ☆☆☆☆☆ push 30000
00F805E2 5A POP EDX
00F805E3 58 POP EAX
00F805E4 90 NOP
00F805E5 90 NOP
00F805E6 90 NOP
00F805E7 66:9D POPFW
……
00F8070E 56 PUSH ESI
00F8070F 66:9C PUSHFW
00F80711 51 PUSH ECX
00F80712 1BCD SBB ECX,EBP
00F80714 90 NOP
00F80715 90 NOP
00F80716 90 NOP
00F80717 90 NOP
00F80718 2BCB SUB ECX,EBX
00F8071A 8D4C24 29 LEA ECX,DWORD PTR SS:[ESP+29]
00F8071E 8D4C29 D7 LEA ECX,DWORD PTR DS:[ECX+EBP-29]
00F80722 90 NOP
00F80723 90 NOP
00F80724 90 NOP
00F80725 90 NOP
00F80726 90 NOP
00F80727 2BCD SUB ECX,EBP
00F80729 90 NOP
00F8072A 90 NOP
00F8072B 90 NOP
00F8072C 90 NOP
00F8072D 90 NOP
00F8072E 90 NOP
00F8072F 8D4C11 06 LEA ECX,DWORD PTR DS:[ECX+EDX+6]
00F80733 2BCA SUB ECX,EDX
00F80735 36:90 NOP ; Superfluous prefix
00F80737 90 NOP
00F80738 90 NOP
00F80739 53 PUSH EBX
00F8073A BB 96594000 MOV EBX,405996
00F8073F BB 4EED4500 MOV EBX,45ED4E
00F80744 8D9C22 00000100 LEA EBX,DWORD PTR DS:[EDX+10000]
00F8074B 2BDA SUB EBX,EDX
00F8074D 8919 MOV DWORD PTR DS:[ECX],EBX ; ☆☆☆☆☆ push 10000
00F8074F 5B POP EBX
00F80750 59 POP ECX
00F80751 90 NOP
00F80752 90 NOP
00F80753 90 NOP
00F80754 90 NOP
00F80755 90 NOP
00F80756 66:9D POPFW
00F80758 68 7504F800 PUSH 0F80475 ; 这里又来了
00F8075D E8 9EF81000 CALL 01090000
运行再次中断到jmp [esp-4]处后,f8一次到这里:
00431BDE - FF25 B0644300 JMP DWORD PTR DS:[4364B0] ; msvcrt._controlfp
到原程序代码处后,再F8进了API中,进入后ALT+F9再次返回到壳中:
00F80475 59 POP ECX ; ☆☆☆☆☆
00F80476 E9 04040000 JMP 00F8087F
……
00F8087F 59 POP ECX ; ☆☆☆☆☆
00F80880 C3 RETN ; ☆☆☆☆☆
00F80881 ^ E9 90FFFFFF JMP 00F80816
所以@c1的代码就是:
PUSH 30000
PUSH 10000
CALL 431BDE
POP ECX
POP ECX
RETN
继续跟:
00F8047B 52 PUSH EDX ; 返回到这里,
00F8047C 66:9C PUSHFW ; 继续跟下去
00F8047E 55 PUSH EBP
00F8047F 81F5 4ACE18D1 XOR EBP,D118CE4A
00F80485 8BEC MOV EBP,ESP
00F80487 8D6C1D 07 LEA EBP,DWORD PTR SS:[EBP+EBX+7]
00F8048B 50 PUSH EAX
00F8048C 51 PUSH ECX
00F8048D 83D8 1B SBB EAX,1B
00F80490 034424 38 ADD EAX,DWORD PTR SS:[ESP+38]
00F80494 B8 01FC196F MOV EAX,6F19FC01
00F80499 C1D9 9D RCR ECX,9D ; Shift constant out of range 1..31
00F8049C 334C24 08 XOR ECX,DWORD PTR SS:[ESP+8]
00F804A0 334C24 08 XOR ECX,DWORD PTR SS:[ESP+8]
00F804A4 B9 1A884800 MOV ECX,48881A
00F804A9 8D48 41 LEA ECX,DWORD PTR DS:[EAX+41]
00F804AC 52 PUSH EDX
00F804AD 035424 18 ADD EDX,DWORD PTR SS:[ESP+18]
00F804B1 035424 38 ADD EDX,DWORD PTR SS:[ESP+38]
00F804B5 90 NOP
00F804B6 90 NOP
00F804B7 90 NOP
00F804B8 90 NOP
00F804B9 90 NOP
00F804BA BA DA1522A8 MOV EDX,A82215DA
00F804BF 83F2 C3 XOR EDX,FFFFFFC3
00F804C2 F7D2 NOT EDX
00F804C4 83F2 5F XOR EDX,5F
00F804C7 F7D2 NOT EDX
00F804C9 81F2 5BEADD57 XOR EDX,57DDEA5B
00F804CF 4A DEC EDX
00F804D0 90 NOP
00F804D1 90 NOP
00F804D2 90 NOP
00F804D3 90 NOP
00F804D4 90 NOP
00F804D5 8D0C11 LEA ECX,DWORD PTR DS:[ECX+EDX]
00F804D8 90 NOP
00F804D9 90 NOP
00F804DA 90 NOP
00F804DB 90 NOP
00F804DC C1DA 8F RCR EDX,8F ; Shift constant out of range 1..31
00F804DF 90 NOP
00F804E0 90 NOP
00F804E1 90 NOP
00F804E2 83DA 51 SBB EDX,51
00F804E5 5A POP EDX
00F804E6 83E9 5D SUB ECX,5D
00F804E9 81C1 7BECB8F7 ADD ECX,F7B8EC7B
00F804EF F7D9 NEG ECX
00F804F1 81E9 83172D98 SUB ECX,982D1783
00F804F7 49 DEC ECX
00F804F8 87C1 XCHG ECX,EAX
00F804FA C1C0 48 ROL EAX,48 ; Shift constant out of range 1..31
00F804FD 2BE8 SUB EBP,EAX
00F804FF 8D8F 9CAF4600 LEA ECX,DWORD PTR DS:[EDI+46AF9C]
00F80505 59 POP ECX
00F80506 334424 08 XOR EAX,DWORD PTR SS:[ESP+8]
00F8050A B8 CA7C4100 MOV EAX,417CCA
00F8050F 58 POP EAX
00F80510 2BEB SUB EBP,EBX
00F80512 90 NOP
00F80513 90 NOP
00F80514 90 NOP
00F80515 90 NOP
00F80516 90 NOP
00F80517 56 PUSH ESI
00F80518 1BF7 SBB ESI,EDI
00F8051A 8DB3 20F04300 LEA ESI,DWORD PTR DS:[EBX+43F020]
00F80520 2BF3 SUB ESI,EBX
00F80522 56 PUSH ESI
00F80523 8F45 00 POP DWORD PTR SS:[EBP] ; ☆☆☆☆☆ PUSH 43F020
00F80526 5E POP ESI
00F80527 5D POP EBP
00F80528 66:9D POPFW
00F8052A E9 E5030000 JMP 00F80914
00F80914 68 B6134800 PUSH 4813B6
00F80919 90 NOP
00F8091A 90 NOP
00F8091B 90 NOP
00F8091C 90 NOP
00F8091D 90 NOP
00F8091E 66:9C PUSHFW
00F80920 57 PUSH EDI
00F80921 23FB AND EDI,EBX
00F80923 64:90 NOP ; Superfluous prefix
00F80925 90 NOP
00F80926 90 NOP
00F80927 90 NOP
00F80928 03F9 ADD EDI,ECX
00F8092A 2BF9 SUB EDI,ECX
00F8092C 8D7C2C 4F LEA EDI,DWORD PTR SS:[ESP+EBP+4F]
00F80930 2BFD SUB EDI,EBP
00F80932 8D7C0F B1 LEA EDI,DWORD PTR DS:[EDI+ECX-4F]
00F80936 2BF9 SUB EDI,ECX
00F80938 8D7C0F 06 LEA EDI,DWORD PTR DS:[EDI+ECX+6]
00F8093C 2BF9 SUB EDI,ECX
00F8093E 90 NOP
00F8093F 90 NOP
00F80940 90 NOP
00F80941 50 PUSH EAX
00F80942 90 NOP
00F80943 90 NOP
00F80944 90 NOP
00F80945 90 NOP
00F80946 90 NOP
00F80947 81F0 00395087 XOR EAX,87503900
00F8094D 8D85 1CF04300 LEA EAX,DWORD PTR SS:[EBP+43F01C]
00F80953 2BC5 SUB EAX,EBP
00F80955 36:90 NOP ; Superfluous prefix
00F80957 90 NOP
00F80958 90 NOP
00F80959 8907 MOV DWORD PTR DS:[EDI],EAX ; ☆☆☆☆☆ PUSH 43F01C
00F8095B 58 POP EAX
00F8095C 5F POP EDI
00F8095D 66:9D POPFW
00F8095F 68 4405F800 PUSH 0F80544
00F80964 E8 97F61000 CALL 01090000 ; 这里继续F9到JMP [ESP-4]处
F8后到这里:
00431BC2 - FF25 58644300 JMP DWORD PTR DS:[436458] ; msvcrt._initterm
所以这句就是:
CALL 431BC2
……
00F80544 B8 EA064700 MOV EAX,4706EA ; 再次到壳代码处,
00F80549 90 NOP
00F8054A 90 NOP
00F8054B 90 NOP
00F8054C 90 NOP
00F8054D 034424 38 ADD EAX,DWORD PTR SS:[ESP+38] ; 垃圾代码
00F80551 90 NOP
00F80552 90 NOP
00F80553 90 NOP
00F80554 90 NOP
00F80555 FF35 FC864500 PUSH DWORD PTR DS:[4586FC]
00F8055B 334424 28 XOR EAX,DWORD PTR SS:[ESP+28]
00F8055F 334424 08 XOR EAX,DWORD PTR SS:[ESP+8]
00F80563 58 POP EAX ; ☆☆☆☆☆ MOV EAX,[4586FC]
00F80564 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX ; ☆☆☆☆☆
00F80567 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C] ; ☆☆☆☆☆
00F8056A 50 PUSH EAX ; ☆☆☆☆☆
00F8056B FF35 F8864500 PUSH DWORD PTR DS:[4586F8] ; ☆☆☆☆☆
00F80571 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64] ; ☆☆☆☆☆
00F80574 50 PUSH EAX ; ☆☆☆☆☆
00F80575 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70] ; ☆☆☆☆☆
00F80578 50 PUSH EAX ; ☆☆☆☆☆
00F80579 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] ; ☆☆☆☆☆
00F8057C 50 PUSH EAX ; ☆☆☆☆☆
00F8057D FF15 60644300 CALL DWORD PTR DS:[436460] ; ☆☆☆☆☆
00F80583 E9 49020000 JMP 00F807D1
……
00F807D1 68 DA08370C PUSH 0C3708DA
00F807D6 66:9C PUSHFW
00F807D8 55 PUSH EBP
00F807D9 2BE9 SUB EBP,ECX
00F807DB 90 NOP
00F807DC 90 NOP
00F807DD 90 NOP
00F807DE 90 NOP
00F807DF 90 NOP
00F807E0 81E5 18EBDD3E AND EBP,3EDDEB18
00F807E6 8D6C24 38 LEA EBP,DWORD PTR SS:[ESP+38]
00F807EA 8D6D C8 LEA EBP,DWORD PTR SS:[EBP-38]
00F807ED 8D6D 06 LEA EBP,DWORD PTR SS:[EBP+6]
00F807F0 52 PUSH EDX
00F807F1 81DA 5463F448 SBB EDX,48F46354
00F807F7 36:90 NOP ; Superfluous prefix
00F807F9 90 NOP
00F807FA 90 NOP
00F807FB 8D9427 18F04300 LEA EDX,DWORD PTR DS:[EDI+43F018]
00F80802 2BD7 SUB EDX,EDI
00F80804 90 NOP
00F80805 90 NOP
00F80806 90 NOP
00F80807 90 NOP
00F80808 90 NOP
00F80809 52 PUSH EDX
00F8080A 8F45 00 POP DWORD PTR SS:[EBP] ; ☆☆☆☆☆ PUSH 43F018
00F8080D 5A POP EDX
00F8080E 5D POP EBP
00F8080F 66:9D POPFW
00F80811 ^ E9 4CFFFFFF JMP 00F80762
00F80763 90 NOP
00F80764 90 NOP
00F80765 90 NOP
00F80766 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00F8076A 66:9C PUSHFW
00F8076C 55 PUSH EBP
00F8076D 0BE9 OR EBP,ECX
00F8076F 90 NOP
00F80770 90 NOP
00F80771 90 NOP
00F80772 90 NOP
00F80773 8D6C11 F7 LEA EBP,DWORD PTR DS:[ECX+EDX-9]
00F80777 2BEA SUB EBP,EDX
00F80779 8D6C24 7B LEA EBP,DWORD PTR SS:[ESP+7B]
00F8077D 8D6C35 85 LEA EBP,DWORD PTR SS:[EBP+ESI-7B]
00F80781 90 NOP
00F80782 90 NOP
00F80783 90 NOP
00F80784 2BEE SUB EBP,ESI
00F80786 8D6C1D 06 LEA EBP,DWORD PTR SS:[EBP+EBX+6]
00F8078A 90 NOP
00F8078B 90 NOP
00F8078C 90 NOP
00F8078D 90 NOP
00F8078E 90 NOP
00F8078F 2BEB SUB EBP,EBX
00F80791 51 PUSH ECX
00F80792 83E9 EB SUB ECX,-15
00F80795 034C24 38 ADD ECX,DWORD PTR SS:[ESP+38]
00F80799 8D8C22 00F04300 LEA ECX,DWORD PTR DS:[EDX+43F000]
00F807A0 2BCA SUB ECX,EDX
00F807A2 90 NOP
00F807A3 90 NOP
00F807A4 90 NOP
00F807A5 90 NOP
00F807A6 51 PUSH ECX
00F807A7 64:90 NOP ; Superfluous prefix
00F807A9 90 NOP
00F807AA 90 NOP
00F807AB 90 NOP
00F807AC 8F45 00 POP DWORD PTR SS:[EBP] ; ☆☆☆☆☆ PUSH 43F000
00F807AF 59 POP ECX
00F807B0 5D POP EBP
00F807B1 66:9D POPFW
继续F9到jmp [esp-4],然后F8一次,到这里:
00431BC2 - FF25 58644300 JMP DWORD PTR DS:[436458] ; msvcrt._initterm
所以这里就是: ☆☆☆☆☆ CALL 431BC2
再到壳里:
00F80703 90 NOP
00F80704 90 NOP
00F80705 90 NOP
00F80706 83C4 24 ADD ESP,24 ; ☆☆☆☆☆
00F80709 E9 49010000 JMP 00F80857
……
00F80857 0BC5 OR EAX,EBP
00F80859 90 NOP
00F8085A 90 NOP
00F8085B 90 NOP
00F8085C 81D8 D4487ABE SBB EAX,BE7A48D4
00F80862 8D87 64644300 LEA EAX,DWORD PTR DS:[EDI+436464]
00F80868 2BC7 SUB EAX,EDI
00F8086A 90 NOP ; 这里要注意一下,稍微有点不同.
00F8086B 90 NOP
00F8086C 90 NOP
00F8086D 90 NOP
00F8086E FF30 PUSH DWORD PTR DS:[EAX] ; 注意EAX的值
00F80870 034424 18 ADD EAX,DWORD PTR SS:[ESP+18] ; 垃圾代码
00F80874 B8 1EA84600 MOV EAX,46A81E
00F80879 58 POP EAX ; ☆☆☆☆☆ 还原出来就是MOV EAX,[436464]
00F8087A ^ E9 C4FFFFFF JMP 00F80843
00F80843 90 NOP
00F80844 90 NOP
00F80845 90 NOP
00F80846 BE 0E3F4000 MOV ESI,403F0E ; 垃圾代码
00F8084B BE 46A74100 MOV ESI,41A746
00F80850 8B30 MOV ESI,DWORD PTR DS:[EAX] ; ☆☆☆☆☆
00F80852 E9 34010000 JMP 00F8098B
00F8098B 8975 8C MOV DWORD PTR SS:[EBP-74],ESI ; ☆☆☆☆☆
00F8098E E8 6DF61000 CALL 01090000
00F80836 46 INC ESI ; ☆☆☆☆☆
00F80837 8975 8C MOV DWORD PTR SS:[EBP-74],ESI ; ☆☆☆☆☆
00F8083A 8A06 MOV AL,BYTE PTR DS:[ESI] ; ☆☆☆☆☆
00F8083C 3AC3 CMP AL,BL ; ☆☆☆☆☆
00F8083E E8 BDF71000 CALL 01090000
后面见到call 01090000的都按f9àf8的方法过去.
00F807C4 > 3C 22 CMP AL,22 ; ☆☆☆☆☆
00F807C6 0F85 6A000000 JNZ 00F80836
这里只要细心一下就可以得出大概代码:
@@:
INC ESI
MOV DWORD PTR SS:[EBP-74],ESI
MOV AL,BYTE PTR DS:[ESI]
CMP AL,BL
JE @F
CMP AL,22
JNZ @B
@@:
这里的代码现在看不出来,不知道是不是壳处理过了.
@@:
因为这里要循环好几次,所以我设置条件中断Break if AL==22.
00F807C4 3C 22 CMP AL,22 ; ☆☆☆☆☆
……
00F80999 46 INC ESI ; ☆☆☆☆☆
00F8099A 8975 8C MOV DWORD PTR SS:[EBP-74],ESI ; ☆☆☆☆☆
00F8099D 8A06 MOV AL,BYTE PTR DS:[ESI] ; ☆☆☆☆☆
00F8099F 3AC3 CMP AL,BL ; ☆☆☆☆☆
00F809A1 ^ 0F84 47FCFFFF JE 00F805EE ; ☆☆☆☆☆,这里的跳转值不能直接抄,记下先
00F809A7 3C 20 CMP AL,20 ; ☆☆☆☆☆
00F809A9 E8 52F61000 CALL 01090000
……
00F805EE 895D D0 MOV DWORD PTR SS:[EBP-30],EBX ; ☆☆☆☆☆
00F805F1 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C] ; ☆☆☆☆☆
00F805F4 50 PUSH EAX ; ☆☆☆☆☆
00F805F5 FF15 68604300 CALL DWORD PTR DS:[436068] ; ☆☆☆☆☆
00F805FB F645 D0 01 TEST BYTE PTR SS:[EBP-30],1 ; ☆☆☆☆☆
00F805FF 0F84 8D020000 JE 00F80892 ; ☆☆☆☆☆
00F80605 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C] ; ☆☆☆☆☆
00F80609 E9 87020000 JMP 00F80895
……
00F80892 6A 0A PUSH 0A ; ☆☆☆☆☆
00F80894 58 POP EAX ; ☆☆☆☆☆
00F80895 50 PUSH EAX ; ☆☆☆☆☆
00F80896 56 PUSH ESI ; ☆☆☆☆☆
00F80897 53 PUSH EBX ; ☆☆☆☆☆
00F80898 ^ E9 E9FFFFFF JMP 00F80886
00F80886 53 PUSH EBX ; ☆☆☆☆☆
00F80887 FF15 6C604300 CALL DWORD PTR DS:[43606C] ; ☆☆☆☆☆ GetModuleHandleA
00F8088D ^ E9 D8FBFFFF JMP 00F8046A
到这里后,我们整理一下:
@@:
INC ESI
MOV DWORD PTR SS:[EBP-74],ESI
MOV AL,BYTE PTR DS:[ESI]
CMP AL,BL
JE @F
CMP AL,20
JNE @B
@@:
MOV DWORD PTR SS:[EBP-30],EBX
LEA EAX,DWORD PTR SS:[EBP-5C]
PUSH EAX
CALL DWORD PTR DS:[436068]
TEST BYTE PTR SS:[EBP-30],1
JE
MOVZX EAX,WORD PTR SS:[EBP-2C]
JMP p1
PUSH 0A
POP EAX
p1:
PUSH EAX
PUSH ESI
PUSH EBX
PUSH EBX
CALL [43606C] ;GetModuleHandleA
00F8046A 50 PUSH EAX ; ☆☆☆☆☆
00F8046B 68 6204F800 PUSH 0F80462 ;这里又是 CALL ……
00F80470 E8 8BFB1000 CALL 01090000 ;继续到JMP [esp-4]处
00F80816 FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; ☆☆☆☆☆
00F8081A E9 4A010000 JMP 00F80969
00F80969 FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; ☆☆☆☆☆
00F8096D ^ E9 E3FAFFFF JMP 00F80455
00F80455 FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; ☆☆☆☆☆
00F80459 FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; ☆☆☆☆☆
00F8045D E9 B1010000 JMP 00F80613
00F80613 68 0007F800 PUSH 0F80700 ; 又call地址
00F80618 E8 E3F91000 CALL 01090000
F9->f8后到这里:
00431C6C - FF25 48644300 JMP DWORD PTR DS:[436448] ; mfc42.#1576_?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z
所以这里就是 CALL 431C6C
在这里看一下ESP的值,然后在[ESP]处下断,因为这里再按一下程序就运行了,不要再按ALT+F9之类的,那样容易程序没响应。
00F80700 C2 1000 RETN 10 ; ☆☆☆☆☆
00F80703 90 NOP
00F80704 90 NOP
总结@C2就是:
@C2:
PUSH [ESP+10]
PUSH [ESP+10]
PUSH [ESP+10]
PUSH [ESP+10]
CALL 431C6C
RETN 10
返回后,继续找回代码,到这里把被抽的代码找的差不多了:
00F80462 8945 98 MOV DWORD PTR SS:[EBP-68],EAX ; ☆☆☆☆☆
00F80465 E9 B3010000 JMP 00F8061D
00F8061D 50 PUSH EAX ; ☆☆☆☆☆
00F8061E FF15 B8644300 CALL DWORD PTR DS:[4364B8] ; ☆☆☆☆☆,这里过了程序就退出去了
00F80624 E9 F6010000 JMP 00F8081F
到了exit处程序就结束了,所在这里先不要按F8,我们直接看代码(当然你也可以完全在这里就不找了,因为后面的代码好像不会执行到):
00F8081F 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; ☆☆☆☆☆
00F80822 81D1 6C64A1C4 ADC ECX,C4A1646C
00F80828 FF30 PUSH DWORD PTR DS:[EAX]
00F8082A 83C9 59 OR ECX,59
00F8082D 83E9 55 SUB ECX,55
00F80830 59 POP ECX ; ☆☆☆☆☆ MOV ECX,[EAX]
00F80972 FF31 PUSH DWORD PTR DS:[ECX]
00F80974 B9 C66E4900 MOV ECX,496EC6
00F80979 90 NOP
00F8097A 90 NOP
00F8097B 90 NOP
00F8097C 90 NOP
00F8097D B9 8AE34800 MOV ECX,48E38A
00F80982 59 POP ECX ; ☆☆☆☆☆MOV ECX,[ECX]
00F80983 894D 88 MOV DWORD PTR SS:[EBP-78],ECX ; ☆☆☆☆☆
00F80986 ^ E9 32FEFFFF JMP 00F807BD
00F807BD 50 PUSH EAX ; ☆☆☆☆☆
00F807BE 51 PUSH ECX ; ☆☆☆☆☆
00F807BF ^ E9 82FCFFFF JMP 00F80446
到这里跟不进去了.后面几句代码是根据别的程序而抄来的.
现在已经找回代码了,那代码放什么地方呢,另外找一个空地方?,不用的,在前面开始处,我们不是记下了那个地址吗?对了,在code段里找: JMP 00F802FF,找到这里:
00431A46 - E9 B4E8B400 JMP 00F802FF
为什么这找这里,我上一篇关于aspr的文章里已经说过了,我也不再多说.
也就是说原程序的OEP就是431A46.
全部整理一下出来这么个“样子”:
PUSH EBP
MOV EBP,ESP
PUSH -1
push 43a768
PUSH 431BAA
MOV EAX,FS:[0]
PUSH EAX
MOV FS:[0],ESP
SUB ESP,68
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP
XOR EBX,EBX
MOV DWORD PTR SS:[EBP-4],EBX
PUSH 2
CALL DWORD PTR DS:[436494] ; msvcrt.__set_app_type
POP ECX
OR DWORD PTR DS:[458710],FFFFFFFF
OR DWORD PTR DS:[458714],FFFFFFFF
CALL DWORD PTR DS:[4364BC]
MOV ECX,[458704]
MOV [EAX],ECX
CALL [43645C]
MOV ECX,[458700]
MOV [EAX],ECX
MOV EAX,[436450]
MOV EAX,[EAX]
MOV [45870C],EAX
CALL 431BDD
CMP [441C78],EBX
JNZ @F
PUSH 431BDA
CALL [436454]
POP ECX
@@:
CALL @C1
PUSH 43F020
PUSH 43F01C
CALL 431BC2
MOV EAX,[4586FC]
MOV DWORD PTR SS:[EBP-6C],EAX
LEA EAX,DWORD PTR SS:[EBP-6C]
PUSH EAX
PUSH DWORD PTR DS:[4586F8]
LEA EAX,DWORD PTR SS:[EBP-64]
PUSH EAX
LEA EAX,DWORD PTR SS:[EBP-70]
PUSH EAX
LEA EAX,DWORD PTR SS:[EBP-60]
PUSH EAX
CALL DWORD PTR DS:[436460] ; msvcrt.__getmainargs
PUSH 43F018
PUSH 43F000
CALL 431BC2
ADD ESP,24
MOV EAX,[436464]
MOV ESI,[EAX]
MOV DWORD PTR SS:[EBP-74],ESI
@@:
INC ESI
MOV DWORD PTR SS:[EBP-74],ESI
MOV AL,BYTE PTR DS:[ESI]
CMP AL,BL
JE @F
CMP AL,22
JNZ @B
@@:
@@:
INC ESI
MOV DWORD PTR SS:[EBP-74],ESI
MOV AL,BYTE PTR DS:[ESI]
CMP AL,BL
JE @F
CMP AL,20
JNE @B
@@:
MOV DWORD PTR SS:[EBP-30],EBX
LEA EAX,DWORD PTR SS:[EBP-5C]
PUSH EAX
CALL DWORD PTR DS:[436068]
TEST BYTE PTR SS:[EBP-30],1
JE
MOVZX EAX,WORD PTR SS:[EBP-2C]
JMP p1
PUSH 0A
POP EAX
p1:
PUSH EAX
PUSH ESI
PUSH EBX
PUSH EBX
CALL [43606C] ;GetModuleHandleA
PUSH EAX
CALL @C2
MOV [EBP-68],EAX
PUSH EAX
CALL DWORD PTR DS:[4364B8] ; msvcrt.exit
MOV EAX,[EBP-14]
MOV ECX,[EAX]
MOV ECX,[ECX]
MOV DWORD PTR SS:[EBP-78],ECX
PUSH EAX
PUSH ECX
CALL 431BBC
POP ECX
POP ECX
RETN
那几个不明的地方对照别的程序就可以轻松搞定.
最后可用结果:
00431A46 /. 55 PUSH EBP
00431A47 |. 8BEC MOV EBP,ESP
00431A49 |. 6A FF PUSH -1
00431A4B |. 68 68A74300 PUSH 0043A768
00431A50 |. 68 AA1B4300 PUSH 00431BAA ; JMP to msvcrt._except_handler3; SE handler installation
00431A55 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00431A5B |. 50 PUSH EAX
00431A5C |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00431A63 |. 83EC 68 SUB ESP,68
00431A66 |. 53 PUSH EBX
00431A67 |. 56 PUSH ESI
00431A68 |. 57 PUSH EDI
00431A69 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00431A6C |. 33DB XOR EBX,EBX
00431A6E |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00431A71 |. 6A 02 PUSH 2
00431A73 |. FF15 94644300 CALL DWORD PTR DS:[436494] ; msvcrt.__set_app_type
00431A79 |. 59 POP ECX
00431A7A |. 830D 10874500>OR DWORD PTR DS:[458710],FFFFFFFF
00431A81 |. 830D 14874500>OR DWORD PTR DS:[458714],FFFFFFFF
00431A88 |. FF15 BC644300 CALL DWORD PTR DS:[4364BC] ; msvcrt.__p__fmode
00431A8E |. 8B0D 04874500 MOV ECX,DWORD PTR DS:[458704]
00431A94 |. 8908 MOV DWORD PTR DS:[EAX],ECX
00431A96 |. FF15 5C644300 CALL DWORD PTR DS:[43645C] ; msvcrt.__p__commode
00431A9C |. 8B0D 00874500 MOV ECX,DWORD PTR DS:[458700]
00431AA2 |. 8908 MOV DWORD PTR DS:[EAX],ECX
00431AA4 |. A1 50644300 MOV EAX,DWORD PTR DS:[436450]
00431AA9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00431AAB |. A3 0C874500 MOV DWORD PTR DS:[45870C],EAX
00431AB0 |. E8 28010000 CALL 00431BDD
00431AB5 |. 391D 781C4400 CMP DWORD PTR DS:[441C78],EBX
00431ABB |. 75 0C JNZ SHORT 00431AC9
00431ABD |. 68 DA1B4300 PUSH 00431BDA
00431AC2 |. FF15 54644300 CALL DWORD PTR DS:[436454] ; msvcrt.__setusermatherr
00431AC8 |. 59 POP ECX
00431AC9 |> E8 9E380000 CALL 0043536C
00431ACE |. 68 20F04300 PUSH 0043F020
00431AD3 |. 68 1CF04300 PUSH 0043F01C
00431AD8 |. E8 E5000000 CALL 00431BC2 ; JMP to msvcrt._initterm
00431ADD |. A1 FC864500 MOV EAX,DWORD PTR DS:[4586FC]
00431AE2 |. 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
00431AE5 |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00431AE8 |. 50 PUSH EAX
00431AE9 |. FF35 F8864500 PUSH DWORD PTR DS:[4586F8]
00431AEF |. 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00431AF2 |. 50 PUSH EAX
00431AF3 |. 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00431AF6 |. 50 PUSH EAX
00431AF7 |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00431AFA |. 50 PUSH EAX
00431AFB |. FF15 60644300 CALL DWORD PTR DS:[436460] ; msvcrt.__getmainargs
00431B01 |. 68 18F04300 PUSH 0043F018
00431B06 |. 68 00F04300 PUSH 0043F000
00431B0B |. E8 B2000000 CALL 00431BC2 ; JMP to msvcrt._initterm
00431B10 |. 83C4 24 ADD ESP,24
00431B13 |. A1 64644300 MOV EAX,DWORD PTR DS:[436464]
00431B18 |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
00431B1A |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00431B1D |. 803E 22 CMP BYTE PTR DS:[ESI],22
00431B20 |. 75 3A JNZ SHORT 00431B5C
00431B22 |> 46 /INC ESI
00431B23 |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
00431B26 |. 8A06 |MOV AL,BYTE PTR DS:[ESI]
00431B28 |. 3AC3 |CMP AL,BL
00431B2A |. 74 04 |JE SHORT 00431B30
00431B2C |. 3C 22 |CMP AL,22
00431B2E |.^ 75 F2 \JNZ SHORT 00431B22
00431B30 |> 803E 22 CMP BYTE PTR DS:[ESI],22
00431B33 |. 75 04 JNZ SHORT 00431B39
00431B35 |> 46 INC ESI
00431B36 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00431B39 |> 8A06 MOV AL,BYTE PTR DS:[ESI]
00431B3B |. 3AC3 CMP AL,BL
00431B3D |. 74 04 JE SHORT 00431B43
00431B3F |. 3C 20 CMP AL,20
00431B41 |.^ 76 F2 JBE SHORT 00431B35
00431B43 |> 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
00431B46 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00431B49 |. 50 PUSH EAX ; /pStartupinfo
00431B4A |. FF15 68604300 CALL DWORD PTR DS:[436068] ; \GetStartupInfoA
00431B50 |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00431B54 |. 74 11 JE SHORT 00431B67
00431B56 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
00431B5A |. EB 0E JMP SHORT 00431B6A
00431B5C |> 803E 20 /CMP BYTE PTR DS:[ESI],20
00431B5F |.^ 76 D8 |JBE SHORT 00431B39
00431B61 |. 46 |INC ESI
00431B62 |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
00431B65 |.^ EB F5 \JMP SHORT 00431B5C
00431B67 |> 6A 0A PUSH 0A
00431B69 |. 58 POP EAX
00431B6A |> 50 PUSH EAX
00431B6B |. 56 PUSH ESI
00431B6C |. 53 PUSH EBX
00431B6D |. 53 PUSH EBX ; /pModule
00431B6E |. FF15 6C604300 CALL DWORD PTR DS:[43606C] ; \GetModuleHandleA
00431B74 |. 50 PUSH EAX
00431B75 |. E8 07380000 CALL 00435381
00431B7A |. 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00431B7D |. 50 PUSH EAX ; /status
00431B7E |. FF15 B8644300 CALL DWORD PTR DS:[4364B8] ; \exit
00431B84 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00431B87 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00431B89 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
00431B8B |. 894D 88 MOV DWORD PTR SS:[EBP-78],ECX
00431B8E |. 50 PUSH EAX
00431B8F |. 51 PUSH ECX
00431B90 |. E8 27000000 CALL 00431BBC ; JMP to msvcrt._XcptFilter
00431B95 |. 59 POP ECX
00431B96 |. 59 POP ECX
00431B97 \. C3 RETN
那两个CALL也可以在程序的相关位置找到,我就偷一下懒,在空地上补上去:
0043536C ? 68 00000300 PUSH 30000
00435371 ? 68 00000100 PUSH 10000 ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
00435376 . E8 63C8FFFF CALL <JMP.&msvcrt._controlfp> ; \_controlfp
0043537B . 59 POP ECX
0043537C . 59 POP ECX
0043537D . C3 RETN
0043537E 00 DB 00
0043537F 00 DB 00
00435380 00 DB 00
00435381 /$ FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00435385 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00435389 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
0043538D |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00435391 |. E8 D6C8FFFF CALL <JMP.&mfc42.#1576_?AfxWinMain@@YGHP>
00435396 \. C2 1000 RETN 10
刚好抽了一个段的代码,修复完代码就dump+fixdump一下.这次旅程也就算结束了.谢谢你能坚持到底:-)
Greetz:
Fly.Jingulong,yock,tDasm.David.ahao.UFO(brother).alan(sister).all of my friends and you!
By loveboom[DFCG][FCG][US]
Email:bmd2chen@tom.com