PESpin1.3 的脱壳和修复
附件中有全文和脱壳产品.
这个壳花了我很多时间, 尤其是找暗桩,
差不多把 PESpin 的加壳代码分析了一遍.
附件:pespin13.rar
不忽略异常, F9, 竟然运行了.
再用进程管理器看看, 两个进程.
重新来过, 详细分析
0041211A 5D POP EBP ; 00F354
0041213E 8B95 DF4E4000 MOV EDX,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
00412144 8B42 3C MOV EAX,DWORD PTR DS:[EDX+3C]
00412147 03C2 ADD EAX,EDX
00412149 8985 E94E4000 MOV DWORD PTR SS:[EBP+404EE9],EAX ; PESpin.00400060
00412182 C1E1 07 SHL ECX,7 ; 80
00412185 8B0C01 MOV ECX,DWORD PTR DS:[ECX+EAX] ; Import RVA
00412188 03CA ADD ECX,EDX ; PESpin.00400000
0041219B 8B59 10 MOV EBX,DWORD PTR DS:[ECX+10] ; FirstThunk(User32.dll)
0041219E 03DA ADD EBX,EDX ; PESpin.00400000
004121A0 8B1B MOV EBX,DWORD PTR DS:[EBX] ; USER32.MessageBoxA
004121A2 899D FD4E4000 MOV DWORD PTR SS:[EBP+404EFD],EBX ; [00414251]
004121A8 53 PUSH EBX
004121A9 8F85 F34C4000 POP DWORD PTR SS:[EBP+404CF3] ; [00414047]
004121BB 8B59 38 MOV EBX,DWORD PTR DS:[ECX+38] ; FirstThunk(Kernel32.dll)
004121BE 03DA ADD EBX,EDX
004121C0 8B3B MOV EDI,DWORD PTR DS:[EBX] ; KERNEL32.LoadLibraryA
004121C2 89BD A24F4000 MOV DWORD PTR SS:[EBP+404FA2],EDI ; [004142F6]
004121C8 8D5B 04 LEA EBX,DWORD PTR DS:[EBX+4]
004121CB 8B1B MOV EBX,DWORD PTR DS:[EBX] ; KERNEL32.GetProcAddress
004121CD 899D A74F4000 MOV DWORD PTR SS:[EBP+404FA7],EBX ; [004142FB]
// 下面这段循环比较巧妙, 壳反复使用这种技巧, 仔细体会
004121FD BB 27000000 MOV EBX,27
00412202 B9 84120000 MOV ECX,1284 ; 长度
00412207 8DBD D84F4000 LEA EDI,DWORD PTR SS:[EBP+404FD8] ; 41432C
0041220D 4F DEC EDI
0041221A 301C39 XOR BYTE PTR DS:[ECX+EDI],BL ; SMC 代码
0041221D FECB DEC BL
0041221F 49 DEC ECX
00412220 9C PUSHFD ; 这里很关键, 当 ECX=0, 影响 00412245 结果
0041222A C12C24 06 SHR DWORD PTR SS:[ESP],6
0041222E F71424 NOT DWORD PTR SS:[ESP]
00412231 832424 01 AND DWORD PTR SS:[ESP],1
00412235 50 PUSH EAX
00412236 52 PUSH EDX
00412237 B8 79B2DC12 MOV EAX,12DCB279
0041223C 05 444D23ED ADD EAX,ED234D44
00412241 F76424 08 MUL DWORD PTR SS:[ESP+8]
00412245 8D8428 092F4000 LEA EAX,DWORD PTR DS:[EAX+EBP+402F09] ; ECX=0 时, EAX=0, 可直接计算出口地址
0041224C 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
00412250 5A POP EDX
00412251 58 POP EAX
00412252 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00412256 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 0041221A(ECX>0), 0041225D(ECX=0), 第一次
0041225D /EB 01 JMP SHORT PESpin.00412260
004122E8 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00412294(ECX>0), 004122EF(ECX=0), 第二次
004122EF E8 02000000 CALL PESpin.004122F6
// 求 Kernel32 Base Address
0041417E 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20] ; KERNEL32.7C598989
00414182 81E7 0000FFFF AND EDI,FFFF0000
00414199 BA 246BDE21 MOV EDX,21DE6B24
0041419E 81F2 6931DE21 XOR EDX,21DE3169
004141A4 66:3917 CMP WORD PTR DS:[EDI],DX ; "MZ"
004141A7 75 17 JNZ SHORT PESpin.004141C0
004141A9 81C2 EFA5FFFF ADD EDX,FFFFA5EF ; 3C
004141AF 0FB7143A MOVZX EDX,WORD PTR DS:[EDX+EDI]
004141B3 66:F7C2 00F8 TEST DX,0F800
004141B8 75 06 JNZ SHORT PESpin.004141C0
004141BA 3B7C3A 34 CMP EDI,DWORD PTR DS:[EDX+EDI+34] ; KERNEL32.7C570000
004141BE /74 08 JE SHORT PESpin.004141C8
004141C0 81EF 00000100 SUB EDI,10000
004141C6 ^ EB C0 JMP SHORT PESpin.00414188 ; 实际到 00414199
004141C8 97 XCHG EAX,EDI ; KERNEL32.7C570000
// 求出 壳要用的其他 API, 先比较 API 名字的第三个字符, 再比较名字的 Hash
// 这里有一些 SMC, 不是很明显
004141E0 8785 014F4000 XCHG DWORD PTR SS:[EBP+404F01],EAX ; [00414255]
00414373 8BF0 MOV ESI,EAX ; KERNEL32.7C570000
00414375 0340 3C ADD EAX,DWORD PTR DS:[EAX+3C]
00414378 FF70 7C PUSH DWORD PTR DS:[EAX+7C] ; ExportSize
0041437B 8F85 FC504000 POP DWORD PTR SS:[EBP+4050FC] ; [00414450]
00414381 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78] ; ExportRVA
00414384 03C6 ADD EAX,ESI
00414386 50 PUSH EAX
00414387 8F85 F2504000 POP DWORD PTR SS:[EBP+4050F2] ; [00414446]
0041438D FF70 20 PUSH DWORD PTR DS:[EAX+20] ; AddressOfNames
00414390 5B POP EBX
00414391 03DE ADD EBX,ESI ; KERNEL32.7C570000
00414393 FF70 18 PUSH DWORD PTR DS:[EAX+18] ; NumberOfNames
00414396 8F85 DE504000 POP DWORD PTR SS:[EBP+4050DE] ; [00414432]
0041439C FF70 24 PUSH DWORD PTR DS:[EAX+24] ; AddressOfNameOrdinals
0041439F 5A POP EDX
004143A0 03D6 ADD EDX,ESI ; KERNEL32.7C570000
004143A2 FF70 1C PUSH DWORD PTR DS:[EAX+1C] ; AddressOfFunctions
004143A6 03CE ADD ECX,ESI ; KERNEL32.7C570000
004143A8 898D CE504000 MOV DWORD PTR SS:[EBP+4050CE],ECX ; [00414422]
004143B1 83C7 05 ADD EDI,5 ; 每个 API 占 5 个 byte
004143B4 833F 00 CMP DWORD PTR DS:[EDI],0 ; 00414264
004143B7 0F84 13010000 JE PESpin.004144D0 ; 所有 API 处理完了, 大出口
004143BD 8A07 MOV AL,BYTE PTR DS:[EDI]
004143BF 8885 92504000 MOV BYTE PTR SS:[EBP+405092],AL ; [004143E6]
004143C5 FF77 01 PUSH DWORD PTR DS:[EDI+1]
004143C8 8F85 BE504000 POP DWORD PTR SS:[EBP+4050BE] ; [00414412]
004143CE 53 PUSH EBX
004143CF 52 PUSH EDX
004143D0 57 PUSH EDI
004143D1 2BC9 SUB ECX,ECX
004143DF 8B3B MOV EDI,DWORD PTR DS:[EBX] ; AddressOfNames
004143E1 03FE ADD EDI,ESI ; KERNEL32.7C570000
004143E3 807F 02 69 CMP BYTE PTR DS:[EDI+2],69 ; 比较名字的第三个字符
004143E7 /75 43 JNZ SHORT PESpin.0041442C
004143E9 E8 02000000 CALL PESpin.004143F0 ; 实际上 CALL 004144D6 (计算 API 名字Hash)
00414411 3D 3368EFDA CMP EAX,DAEF6833 ; 比较 Hash
00414416 75 14 JNZ SHORT PESpin.0041442C
00414418 8D044A LEA EAX,DWORD PTR DS:[EDX+ECX*2]
0041441B 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
0041441E C1E0 02 SHL EAX,2
00414421 05 58425C7C ADD EAX,7C5C4258
00414426 8B00 MOV EAX,DWORD PTR DS:[EAX]
00414428 03C6 ADD EAX,ESI
0041442A EB 0E JMP SHORT PESpin.0041443A ; 找到了一个 API, 小出口
0041442C \83C3 04 ADD EBX,4 ; Export 中下一个
0041442F 41 INC ECX
00414430 81F9 3D030000 CMP ECX,33D
00414436 ^ 75 A7 JNZ SHORT PESpin.004143DF
004144D6 52 PUSH EDX ; 对 string 计算 Hash ;
004144D7 83CA FF OR EDX,FFFFFFFF
004144E6 8A07 MOV AL,BYTE PTR DS:[EDI] ; 指向 API 名字
004144E8 0AC0 OR AL,AL
004144EA /74 32 JE SHORT PESpin.0041451E
004144FD 47 INC EDI ; KERNEL32.7C5C63CD
004144FE 32D0 XOR DL,AL
00414500 B0 08 MOV AL,8
0041450E D1EA SHR EDX,1
00414510 /73 06 JNB SHORT PESpin.00414518
00414512 |81F2 2083B8ED XOR EDX,EDB88320
00414518 \FEC8 DEC AL
0041451A ^\75 E6 JNZ SHORT PESpin.00414502 ; 实际上 0041450E
0041451C ^\EB C8 JMP SHORT PESpin.004144E6
0041451E 33FF XOR EDI,EDI
0041452C 92 XCHG EAX,EDX
0041455F 5A POP EDX ;
00414560 C3 RETN
0041443A 5F POP EDI ; PESpin.00414264
0041443B 5A POP EDX
0041443C 5B POP EBX
0041443D 0BC0 OR EAX,EAX
0041443F 0F84 8D000000 JE PESpin.004144D2
00414445 B9 30425C7C MOV ECX,7C5C4230 ; 再比较地址是否位于 Export 范围内, 如果是的话, 指向另一 DLL 的另一 API
0041444A 3BC1 CMP EAX,ECX
0041444C 76 63 JBE SHORT PESpin.004144B1
0041444E 81C1 115C0000 ADD ECX,5C11
00414454 3BC8 CMP ECX,EAX
00414456 76 59 JBE SHORT PESpin.004144B1
00414458 60 PUSHAD ; 2K 下上面的情况我们没遇到, XP 下就会遇到
00414459 8DBD AC2C4000 LEA EDI,DWORD PTR SS:[EBP+402CAC]
0041445F 96 XCHG EAX,ESI
00414460 33C9 XOR ECX,ECX
00414462 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
00414465 3C 2E CMP AL,2E ; "."
00414467 74 04 JE SHORT PESpin.0041446D
00414469 41 INC ECX
0041446A AA STOS BYTE PTR ES:[EDI]
0041446B ^ EB F5 JMP SHORT PESpin.00414462
0041446D 41 INC ECX
0041446E 03F1 ADD ESI,ECX
00414470 56 PUSH ESI
00414471 2C 2E SUB AL,2E
00414473 AA STOS BYTE PTR ES:[EDI]
00414474 2BF9 SUB EDI,ECX
00414476 57 PUSH EDI
00414477 8DBD 104F4000 LEA EDI,DWORD PTR SS:[EBP+404F10]
0041447D B9 92000000 MOV ECX,92
00414482 FF1439 CALL DWORD PTR DS:[ECX+EDI] ; LoadLibrary
00414491 8DBD 017F1246 LEA EDI,DWORD PTR SS:[EBP+46127F01]
00414497 81EF 7E18A845 SUB EDI,45A8187E
0041449D 81EF 73172A00 SUB EDI,2A1773
004144A3 B9 97000000 MOV ECX,97
004144A8 50 PUSH EAX
004144A9 FF1439 CALL DWORD PTR DS:[ECX+EDI] ; GetProcAddress
004144AC 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
004144B0 61 POPAD
004144BA B9 E72BFFFF MOV ECX,FFFF2BE7
004144BF 32CD XOR CL,CH
004144C1 3808 CMP BYTE PTR DS:[EAX],CL ; CC, Int3
004144C3 75 03 JNZ SHORT PESpin.004144C8
004144C5 8028 00 SUB BYTE PTR DS:[EAX],0 ; 如果有断点, 这里就会触发非法访问异常
004144C8 8947 01 MOV DWORD PTR DS:[EDI+1],EAX ; 用 API 地址替换原来的 Hash
004144CB ^\E9 E1FEFFFF JMP PESpin.004143B1 ; 下一个
004144D0 0BC0 OR EAX,EAX
用到的 API 有 ExitProcess, VirtualProtect, CloseHandle, VirtualAlloc, VirtualFree, CreateFileA, ReadFile, GetTickCount,
GetModuleHandleA, CreateThread, Sleep, GetCurrentProcessId, OpenProcess, TerminateProcess, GetFileSize, GetModuleFileNameA,
CreateMutexA, CreateProcessA, GetCommandLineA, GetLastError, GetThreadContext, SetThreadContext, VirtualProtectEx, WaitForDebugEvent,
ContinueDebugEvent, ReadProcessMemory, WriteProcessMemory, VirtualQueryEx
// 继续 SMC
00412322 2BC9 SUB ECX,ECX
00412324 80C9 25 OR CL,25
00412327 8D85 48D7460F LEA EAX,DWORD PTR SS:[EBP+F46D748]
0041232D 85C0 TEST EAX,EAX
0041232F 81F3 4823D90E XOR EBX,0ED92348
00412335 49 DEC ECX
00412336 9C PUSHFD
...
0041236C ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 0041232F(ECX>0), 00412374(ECX=0), 第三次
00412374 2D A970060F SUB EAX,0F0670A9
00412379 0BC0 OR EAX,EAX
00412390 BB 3F317A02 MOV EBX,27A313F
00412395 8DBD 1DE043ED LEA EDI,DWORD PTR SS:[EBP+ED43E01D]
0041239B 81EF C17D03ED SUB EDI,ED037DC1
004123A1 68 31130000 PUSH 1331
004123A6 59 POP ECX
004123A7 C1EB 03 SHR EBX,3
004123AA /72 06 JB SHORT PESpin.004123B2
004123AC |81EB B48765F0 SUB EBX,F06587B4
004123B2 FE07 INC BYTE PTR DS:[EDI]
004123B4 301F XOR BYTE PTR DS:[EDI],BL
004123B6 47 INC EDI
004123B7 49 DEC ECX
004123B8 9C PUSHFD
...
004123E8 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 004123A7(ECX>0), 004123F2(ECX=0), 第四次
00415A24 41 INC ECX
00415A25 9C PUSHFD
...
00415A51 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415A09(ECX<0), 00415A72(ECX=0), 第五次
// 为父进程做标志, 为子进程选另一条路
00415A72 8D85 D8624000 LEA EAX,DWORD PTR SS:[EBP+4062D8] ; 0041562C, "MDYGINTX"
00415A78 50 PUSH EAX
00415A79 6A 00 PUSH 0
00415A7B 6A 00 PUSH 0
00415A7D 8D85 8283C9ED LEA EAX,DWORD PTR SS:[EBP+EDC98382]
00415A83 2D 213489ED SUB EAX,ED893421 ;
00415A88 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.CreateMutexA
00415A8A 8985 D4624000 MOV DWORD PTR SS:[EBP+4062D4],EAX ; [00415628]
00415A90 8D85 6C1E1F03 LEA EAX,DWORD PTR SS:[EBP+31F1E6C]
00415A96 2D FCCEDE02 SUB EAX,2DECEFC
00415A9B FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.GetLastError
00415A9D BB CA7DB9FE MOV EBX,FEB97DCA
00415AA2 81EB 137DB9FE SUB EBX,FEB97D13 ; B7
00415AA8 3BC3 CMP EAX,EBX ; 相等表示 Mutex 已存在
00415AAA 9C PUSHFD ; 父子进程的命运在此决定 *******************************************
00415AAB C12C24 06 SHR DWORD PTR SS:[ESP],6
00415AAF F71424 NOT DWORD PTR SS:[ESP]
00415AB2 832424 01 AND DWORD PTR SS:[ESP],1
00415AB6 58 POP EAX
00415AB7 2BD2 SUB EDX,EDX
00415AB9 BB BAE74D02 MOV EBX,24DE7BA
00415ABE 81EB 86E74D02 SUB EBX,24DE786
00415AC4 F7E3 MUL EBX
00415AC6 81CB FE12F40E OR EBX,0EF412FE
00415ACC 8D8428 B40291ED LEA EAX,DWORD PTR DS:[EAX+EBP+ED9102B4]
00415AD3 2D 179B50ED SUB EAX,ED509B17
00415AD8 FFE0 JMP EAX ; 父进程走 00415B25, 子进程走 00415AF1
// 我们先看看父进程
// CreateProcess
00415B36 B9 00100000 MOV ECX,1000 ; size
00415B3B 6A 04 PUSH 4
00415B3D 68 00300000 PUSH 3000
00415B42 51 PUSH ECX
00415B43 6A 00 PUSH 0
00415B45 8D85 214F4000 LEA EAX,DWORD PTR SS:[EBP+404F21]
00415B4B 48 DEC EAX
00415B4C FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.VirtualAlloc
00415B4E 8985 A0624000 MOV DWORD PTR SS:[EBP+4062A0],EAX ; [004155F4], buffer1, 保留子进程的 ThreadID 和 hThread 用
00415B54 B9 00100000 MOV ECX,1000 ; size
00415B59 6A 04 PUSH 4
00415B5B 68 00300000 PUSH 3000
00415B60 51 PUSH ECX
00415B61 6A 00 PUSH 0
00415B63 8D85 214F4000 LEA EAX,DWORD PTR SS:[EBP+404F21]
00415B69 48 DEC EAX
00415B6A FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.VirtualAlloc
00415B6C 8985 C4624000 MOV DWORD PTR SS:[EBP+4062C4],EAX ; [00415618], buffer2, 给 mov reg1, [reg2+offset] 用的
00415BA0 C785 EE624000 4>MOV DWORD PTR SS:[EBP+4062EE],44 ; [00415642], StartupInfo
00415BAA 8D85 6C4F4000 LEA EAX,DWORD PTR SS:[EBP+404F6C]
00415BB0 48 DEC EAX
00415BB1 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.GetCommandLineA
00415BB3 8BF8 MOV EDI,EAX
00415BB5 8BD0 MOV EDX,EAX ; EDX -> CommandLine
00415BB7 803F 22 CMP BYTE PTR DS:[EDI],22 ; 双引号
00415BBA 75 1A JNZ SHORT PESpin.00415BD6
00415BBC 83C9 FF OR ECX,FFFFFFFF
00415BBF 47 INC EDI
00415BC0 8BF7 MOV ESI,EDI
00415BC2 B0 22 MOV AL,22
00415BC4 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415BC6 F7D1 NOT ECX
00415BC8 49 DEC ECX ; 去掉双引号的长度
00415BC9 8BBD A0624000 MOV EDI,DWORD PTR SS:[EBP+4062A0]
00415BCF 8BDF MOV EBX,EDI ; EBX -> buffer1
00415BD1 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制到 buffer1
00415BD3 2AC0 SUB AL,AL
00415BD5 AA STOS BYTE PTR ES:[EDI]
00415BE2 8DB5 EE624000 LEA ESI,DWORD PTR SS:[EBP+4062EE] ; 00415642, pStartupInfo
00415BE8 8DBD 32634000 LEA EDI,DWORD PTR SS:[EBP+406332] ; 00415686, pProcessInfo
00415BEE 8D85 5D2E8663 LEA EAX,DWORD PTR SS:[EBP+63862E5D]
00415BF4 57 PUSH EDI
00415BF5 56 PUSH ESI
00415BF6 6A 00 PUSH 0
00415BF8 6A 00 PUSH 0
00415C0B 6A 03 PUSH 3
00415C0D 6A 01 PUSH 1
00415C0F 6A 00 PUSH 0
00415C11 6A 00 PUSH 0
00415C13 2D F8DE4563 SUB EAX,6345DEF8
00415C18 52 PUSH EDX
00415C19 53 PUSH EBX
00415C1A 40 INC EAX
00415C1B FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.CreateProcessA
0012FF74 00415C1D /CALL to CreateProcessA from PESpin.00415C1B
0012FF78 00880000 |ModuleFileName = "E:\pespin13\PESpin.exe"
0012FF7C 00132610 |CommandLine = ""E:\pespin13\PESpin.exe""
0012FF80 00000000 |pProcessSecurity = NULL
0012FF84 00000000 |pThreadSecurity = NULL
0012FF88 00000001 |InheritHandles = TRUE
0012FF8C 00000003 |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
0012FF90 00000000 |pEnvironment = NULL
0012FF94 00000000 |CurrentDir = NULL
0012FF98 00415642 |pStartupInfo = PESpin.00415642
0012FF9C 00415686 \pProcessInfo = PESpin.00415686
00415C1D 0BC0 OR EAX,EAX
00415C1F 0F84 68060000 JE PESpin.0041628D ; 不成功直接退出
// 调试循环
00415C5D 8D9D 42634000 LEA EBX,DWORD PTR SS:[EBP+406342] ; 00415696, DebugEvent
00415C63 8D85 854F4000 LEA EAX,DWORD PTR SS:[EBP+404F85]
00415C69 6A FF PUSH -1 ; 无限等待
00415C6B 53 PUSH EBX
00415C6C 48 DEC EAX
00415C6D FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.WaitForDebugEvent
00415C6F 0BC0 OR EAX,EAX
00415C71 0F84 16060000 JE PESpin.0041628D ; 结束
00415C77 8B85 42634000 MOV EAX,DWORD PTR SS:[EBP+406342] ; dwDebugEventCode
00415C7D 35 C19B54D3 XOR EAX,D3549BC1
00415C82 3D C29B54D3 CMP EAX,D3549BC2
00415C87 0F84 D4050000 JE PESpin.00416261 ; CREATE_PROCESS_DEBUG_EVENT, 好象没干什么活, 最后跳到 00415CB5
00415C8D 3D C09B54D3 CMP EAX,D3549BC0
00415C92 74 50 JE SHORT PESpin.00415CE4 ; EXCEPTION_DEBUG_EVENT
00415C94 3D C49B54D3 CMP EAX,D3549BC4
00415C99 0F84 EE050000 JE PESpin.0041628D ; EXIT_PROCESS_DEBUG_EVENT
00415C9F 3D C39B54D3 CMP EAX,D3549BC3
00415CA4 0F84 33050000 JE PESpin.004161DD ; CREATE_THREAD_DEBUG_EVENT, 增加成员到 Buffer1
00415CAA 3D C59B54D3 CMP EAX,D3549BC5
00415CAF 0F84 69050000 JE PESpin.0041621E ; EXIT_THREAD_DEBUG_EVENT, 减少 Buffer1 成员
00415CB5 B8 127DB87E MOV EAX,7EB87D12
00415CBA 35 137DB9FE XOR EAX,FEB97D13
00415CBF 50 PUSH EAX ; 80010001, DBG_EXCEPTION_NOT_HANDLED
00415CC0 FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A] ; dwThreadId
00415CC6 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346] ; dwProcessId
00415CCC 8D85 8A4F4000 LEA EAX,DWORD PTR SS:[EBP+404F8A]
00415CD2 48 DEC EAX
00415CD3 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.ContinueDebugEvent
00415CD5 8D85 219BA74F LEA EAX,DWORD PTR SS:[EBP+4FA79B21]
00415CDB 05 E8CD98B0 ADD EAX,B098CDE8
00415CE0 FFE0 JMP EAX ; 00415C5D
// 对异常的处理
00415CE4 8B85 4E634000 MOV EAX,DWORD PTR SS:[EBP+40634E] ; EXCEPTION_DEBUG_EVENT 的处理代码
00415CEA 35 A1B97180 XOR EAX,8071B9A1
00415CEF 3D A2B97100 CMP EAX,71B9A2
00415CF4 74 1F JE SHORT PESpin.00415D15 ; 80 00 00 03 Int3
00415CF6 3D A5B97100 CMP EAX,71B9A5
00415CFB 0F84 C8030000 JE PESpin.004160C9 ; 80 00 00 04 单步
00415D01 3D BCB97140 CMP EAX,4071B9BC
00415D06 74 5E JE SHORT PESpin.00415D66 ; C0 00 00 1D 非法指令
00415D08 8D85 49014800 LEA EAX,DWORD PTR SS:[EBP+480149] ; 其他异常父进程都不处理
00415D0E 2D E8970700 SUB EAX,797E8
00415D13 ^\FFE0 JMP EAX ; PESpin.00415CB5
00415D15 838D B4624000 0>OR DWORD PTR SS:[EBP+4062B4],0 ; [00415608] Int3 异常次数
00415D1C 75 39 JNZ SHORT PESpin.00415D57
// 第一次 Int3 异常
00415D1E FF85 B4624000 INC DWORD PTR SS:[EBP+4062B4] ; 第一次, 系统异常
00415D2E 50 PUSH EAX ; DBG_CONTINUE
00415D2F FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A] ; dwThreadId
00415D35 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346] ; dwProcessId
00415D3B 8D85 0A176B51 LEA EAX,DWORD PTR SS:[EBP+516B170A]
00415D41 2D 81C72A51 SUB EAX,512AC781
00415D46 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.ContinueDebugEvent
00415D48 8D85 25A9150A LEA EAX,DWORD PTR SS:[EBP+A15A925]
00415D4E 2D 1C40D509 SUB EAX,9D5401C
00415D53 FFE0 JMP EAX ; 00415C5D
// 第二次以上子进程自己处理
00415D57 8D85 02A577EF LEA EAX,DWORD PTR SS:[EBP+EF77A502]
00415D5D 2D A13B37EF SUB EAX,EF373BA1
00415D62 ^ FFE0 JMP EAX ; PESpin.00415CB5
// 第一次非法指令异常到这里
00415D66 ^\E9 4AFFFFFF JMP PESpin.00415CB5 ; 父进程不做处理, 子进程自己处理
// 第二次非法指令异常到这里, 代码已被改变
00415D66 /EB 00 JMP SHORT PESpin.00415D68
00415D68 \EB 01 JMP SHORT PESpin.00415D6B
00415D6B 90 NOP
00415D6C 90 NOP
00415D6D 90 NOP
00415D6E 90 NOP
00415D6F 90 NOP
00415D70 EB 07 JMP SHORT PESpin.00415D79
00415D79 ^\EB F8 JMP SHORT PESpin.00415D73
00415D73 /EB 01 JMP SHORT PESpin.00415D76
00415D76 /EB 04 JMP SHORT PESpin.00415D7C
00415D7C 8B85 36634000 MOV EAX,DWORD PTR SS:[EBP+406336] ; hThread
00415D82 F785 A4624000 F>TEST DWORD PTR SS:[EBP+4062A4],FFFFFFFF ; [004155F8], 子进程有没有创建其他线程(0没有)
00415D8C /74 33 JE SHORT PESpin.00415DC1
00415D8E 8BB5 A0624000 MOV ESI,DWORD PTR SS:[EBP+4062A0] ; 存放线程信息的 Buffer1
00415D94 8B8D A4624000 MOV ECX,DWORD PTR SS:[EBP+4062A4] ; 已使用字节数
00415D9A 8B85 4A634000 MOV EAX,DWORD PTR SS:[EBP+40634A] ; dwThreadID
00415DA9 3906 CMP DWORD PTR DS:[ESI],EAX
00415DAB /74 1C JE SHORT PESpin.00415DC9 ; 相等表示异常不是主线程中发生的
00415DAD |83C6 08 ADD ESI,8
00415DBC 83E9 08 SUB ECX,8
00415DBF ^ 75 E8 JNZ SHORT PESpin.00415DA9
00415DC1 8B85 36634000 MOV EAX,DWORD PTR SS:[EBP+406336] ; hThread, 主线程
00415DC7 EB 03 JMP SHORT PESpin.00415DCC
00415DC9 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] ; hThread, 从线程 (异常发生在从线程, 从表中取 hThread)
00415DCC E8 03000000 CALL PESpin.00415DD4
00415DDD 8985 A8624000 MOV DWORD PTR SS:[EBP+4062A8],EAX ; [004155FC]
00415DE3 B8 13000100 MOV EAX,10013
00415DE8 8D95 4754AE34 LEA EDX,DWORD PTR SS:[EBP+34AE5447]
00415DEE 81EA 0CE16D34 SUB EDX,346DE10C
00415DF4 FFD2 CALL EDX ; PESpin.0041668F, 类似 004166D5 调用 GetThreadContext
00415DF6 93 XCHG EAX,EBX
...
0041675F 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = B0h, regEax=0
00416762 8907 MOV DWORD PTR DS:[EDI],EAX ; [004155B0]
00416764 BA B3E40D00 MOV EDX,0DE4B3
00416769 81F2 1FE40D00 XOR EDX,0DE41F
0041676F 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = ACh, regEcx=0
00416772 8947 04 MOV DWORD PTR DS:[EDI+4],EAX
0041677E BA 2700EC00 MOV EDX,0EC0027
00416783 81EA 7FFFEB00 SUB EDX,0EBFF7F
00416789 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = A8h, regEdx=-1
0041678C 8947 08 MOV DWORD PTR DS:[EDI+8],EAX
004167BD BA 27EF0D00 MOV EDX,0DEF27
004167C2 81F2 83EF0D00 XOR EDX,0DEF83
004167C8 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = A4h, regEbx=7FFDF000
004167CB 8947 0C MOV DWORD PTR DS:[EDI+C],EAX
004167CE BA 5102FFFF MOV EDX,FFFF0251
004167D3 81C2 73FE0000 ADD EDX,0FE73
004167D9 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = C4h, regEsp=12FFC4
004167DC 8947 10 MOV DWORD PTR DS:[EDI+10],EAX
004167EB BA E5720C00 MOV EDX,0C72E5
004167F0 81EA 31720C00 SUB EDX,0C7231
004167F6 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = B4h, regEbp=12FFF0
004167F9 8947 14 MOV DWORD PTR DS:[EDI+14],EAX
0041682E BA C1A3F9FF MOV EDX,FFF9A3C1
00416833 81C2 DF5C0600 ADD EDX,65CDF
00416839 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = A0h, regEsi=1
0041683C 8947 18 MOV DWORD PTR DS:[EDI+18],EAX
0041683F BA D5FB0900 MOV EDX,9FBD5
00416844 81EA 39FB0900 SUB EDX,9FB39
0041684A 8B041A MOV EAX,DWORD PTR DS:[EDX+EBX] ; EDX = 9Ch, regEdi=414913
0041684D 8947 1C MOV DWORD PTR DS:[EDI+1C],EAX
00415E16 BA 2A14FFFF MOV EDX,FFFF142A
00415E1B 8D92 8EEC0000 LEA EDX,DWORD PTR DS:[EDX+EC8E]
00415E21 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX] ; EDX = B8h, regEip=4098F8( 已经进入程序代码空间) ***************************************************
00415E24 8DBD E1624000 LEA EDI,DWORD PTR SS:[EBP+4062E1] ; 00415635
...
00415E8C ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415E5D(ECX>0), 00415E9A(ECX=0)
00415ED5 /FF6424 FC JMP DWORD PTR SS:[ESP-4] ; PESpin.00415EE3
00415F14 /FF6424 FC JMP DWORD PTR SS:[ESP-4] ; PESpin.00415F2F
00415F66 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415E41(ECX>0), 00415F70(ECX=0) 以上 4 个是嵌套的, 最终出口 415F70
; 作用就是把 Address->String(8位16进制)
...
00415F81 C647 08 00 MOV BYTE PTR DS:[EDI+8],0 ; 00415635 "004098F8"
00415F85 8D85 901B1F13 LEA EAX,DWORD PTR SS:[EBP+131F1B90]
00415F8B 2D 0ECADE12 SUB EAX,12DECA0E
00415F90 FFD0 CALL EAX ; PESpin.004144D6 (计算 Hash)
00415F92 8DBD BFAF530F LEA EDI,DWORD PTR SS:[EBP+F53AFBF] ; 破坏字符串
00415F98 81EF DE4C130F SUB EDI,0F134CDE ; 00415635
00415F9E B9 DE4613ED MOV ECX,ED1346DE
00415FA3 BB B60D385A MOV EBX,5A380DB6
00415FA8 2BCB SUB ECX,EBX
00415FAA C1E9 1C SHR ECX,1C
00415FAD 2BDB SUB EBX,EBX ; EBX = 0
00415FAF 49 DEC ECX ; ECX = 8
00415FB0 8D95 A2D1540F LEA EDX,DWORD PTR SS:[EBP+F54D1A2]
00415FB6 81EA 3665140F SUB EDX,0F146536
00415FBC 03D1 ADD EDX,ECX
00415FBE FFE2 JMP EDX
00415FC8 49 DEC ECX
...
00415FF8 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415FC8(ECX>0), 00416003(ECX=0)
0041600F BF F36B4100 MOV EDI,PESpin.00416BF3 ; 父进程放一个表, 处理子进程到 OEP 后的异常
00416014 B9 55010000 MOV ECX,155 ; 总长 155 字节
0041602A 3B07 CMP EAX,DWORD PTR DS:[EDI]
0041602C /74 26 JE SHORT PESpin.00416054 ; 找到了, 出口
0041602E |83C7 0B ADD EDI,0B ; 每段 0B 字节
0041603D 83E9 0B SUB ECX,0B
00416040 0BC9 OR ECX,ECX
00416042 ^ 77 D5 JA SHORT PESpin.00416019 ; 实际到 0041602A
00416044 8D85 D1C51E13 LEA EAX,DWORD PTR SS:[EBP+131EC5D1] ; 找不到, 子进程自己处理
0041604A 2D 705CDE12 SUB EAX,12DE5C70
0041604F FFE0 JMP EAX ; 00415CB5
00416BF3 9A 78 C3 A0 1E 00 00 00 03 01 02 ; 4098F8 , 对应的地址
82 14 AA 21 94 00 00 00 03 00 06 ; 409912
9F 92 FD DD 05 00 00 00 01 03 02 ; 40993E
8A 9E 73 E9 05 00 00 00 01 20 02 ; 409992
31 1E B4 EC 05 00 00 00 01 54 02 ; 4099BA
79 FB C9 4C 5F 00 00 00 03 00 02 ; 4099C7
FF DB C5 85 9C 04 00 00 03 00 06 ; 4099CD
BE 6D 88 03 27 00 00 00 03 00 02 ; 4099D7
38 4D 84 CA 34 04 00 00 03 00 06 ; 4099DD
FF 5C 93 1A 19 04 00 00 03 00 06 ; 4099E7
09 AA DD D8 0F 04 00 00 03 00 06 ; 4099F1
88 89 37 FC C4 04 00 00 03 00 06 ; 409A05
46 4C 46 95 F0 03 00 00 03 00 06 ; 409A10
56 5C 4D 2B E9 04 00 00 03 00 06 ; 409A1B
C7 2D B7 CC 05 00 00 00 01 30 02 ; 409C4A
82 5E 96 2E 27 00 00 00 03 00 02 ; 409C72
8B 8A F0 97 03 00 00 00 01 71 02 ; 409C7D
58 C1 F1 70 16 00 00 00 03 00 02 ; 409CAC
EF 81 F2 34 20 00 00 00 03 01 02 ; 409CE6
98 2B EE 7A 20 00 00 00 03 01 02 ; 409D16
DD DF 99 07 20 00 00 00 03 01 02 ; 409D46
6B C1 25 32 11 00 00 00 03 01 02 ; 409D85
17 50 F5 E7 11 00 00 00 03 00 02 ; 409DB5
3B 31 FB 09 14 00 00 00 00 75 03 ; 409DB7
39 71 2B 0C 14 00 00 00 00 45 03 ; 409E17
30 A5 4D B5 08 00 00 00 00 40 03 ; 409E1A
75 D6 6C 57 07 00 00 00 03 00 02 ; 409E22
54 A6 68 64 10 00 00 00 00 5D 03 ; 409E6F
36 D6 4A 23 1B 00 00 00 03 00 02 ; 409E99
8A FC 63 5E 1C 00 00 00 03 01 02 ; 409ED7
DA 9E 64 97 01 00 00 00 01 03 02 ; 409F14
structure table
{
dword AddressHash;
dword offset;
byte Type;
byte Reg;
byte Length;(被偷指令长度)
}
对 Type = 0, Reg 表示两个 reg, (3-5)reg1, (0-2)reg2, offset 表示偏移(1 or 4 byte), mov reg1, [reg2+offset]
对 Type = 1, Reg 表示两个 reg, (4-7)reg1, (0-3)reg2, offset 表示五种运算 xxx reg1, reg2
对 Type = 3, Reg=1 表示 JNZ, Reg=0 表示 JZ, offset 表示偏移(最高位表示方向, 1 or 4 byte)
0 or , 1 and , 2 xor, 3 add, 4 sub, 5 mov
00 EAX, 01 ECX, 02 EDX, 03 EBX, 04 ESP, 05 EBP, 06 ESI, 07 EDI
写一个程序, 计算 Hash 对应的地址和对应的二进制代码, 结果如下
deNanomite STRUCT
dwAddr DD ? ; 对应的地址
dwLen DD ? ; 代码长度
dbCode DB 8 dup(?) ; 二进制代码
deNanomite ENDS
F8 98 40 00 02 00 00 00 75 1E 00 00 00 00 00 00
12 99 40 00 06 00 00 00 0F 84 94 00 00 00 00 00
3E 99 40 00 02 00 00 00 8B C3 00 00 00 00 00 00
92 99 40 00 02 00 00 00 8B D0 00 00 00 00 00 00
BA 99 40 00 02 00 00 00 8B EC 00 00 00 00 00 00
C7 99 40 00 02 00 00 00 74 5F 00 00 00 00 00 00
CD 99 40 00 06 00 00 00 0F 84 9C 04 00 00 00 00
D7 99 40 00 02 00 00 00 74 27 00 00 00 00 00 00
DD 99 40 00 06 00 00 00 0F 84 34 04 00 00 00 00
E7 99 40 00 06 00 00 00 0F 84 19 04 00 00 00 00
F1 99 40 00 06 00 00 00 0F 84 0F 04 00 00 00 00
05 9A 40 00 06 00 00 00 0F 84 C4 04 00 00 00 00
10 9A 40 00 06 00 00 00 0F 84 F0 03 00 00 00 00
1B 9A 40 00 06 00 00 00 0F 84 E9 04 00 00 00 00
4A 9C 40 00 02 00 00 00 8B D8 00 00 00 00 00 00
72 9C 40 00 02 00 00 00 74 27 00 00 00 00 00 00
7D 9C 40 00 02 00 00 00 03 F9 00 00 00 00 00 00
AC 9C 40 00 02 00 00 00 74 16 00 00 00 00 00 00
E6 9C 40 00 02 00 00 00 75 20 00 00 00 00 00 00
16 9D 40 00 02 00 00 00 75 20 00 00 00 00 00 00
46 9D 40 00 02 00 00 00 75 20 00 00 00 00 00 00
85 9D 40 00 02 00 00 00 75 11 00 00 00 00 00 00
B5 9D 40 00 02 00 00 00 74 11 00 00 00 00 00 00
B7 9D 40 00 03 00 00 00 8B 75 14 00 00 00 00 00
17 9E 40 00 03 00 00 00 8B 45 14 00 00 00 00 00
1A 9E 40 00 03 00 00 00 8B 40 08 00 00 00 00 00
22 9E 40 00 02 00 00 00 74 07 00 00 00 00 00 00
6F 9E 40 00 03 00 00 00 8B 5D 10 00 00 00 00 00
99 9E 40 00 02 00 00 00 74 1B 00 00 00 00 00 00
D7 9E 40 00 02 00 00 00 75 1C 00 00 00 00 00 00
14 9F 40 00 02 00 00 00 23 C3 00 00 00 00 00 00
00416054 BE 0FD4FAFE MOV ESI,FEFAD40F
00416059 81EE 137DB9FE SUB ESI,FEB97D13 ; 004156FC, pContext
0041605F 8D85 990880E1 LEA EAX,DWORD PTR SS:[EBP+E1800899]
00416065 2D 1B983FE1 SUB EAX,E13F981B
0041606A FFD0 CALL EAX ; 004163D2, 实际到 004163E3, 见后面, 很关键 ********************************************
0041607D B8 FBCEEA6C MOV EAX,6CEACEFB
00416082 2D F8CEE96C SUB EAX,6CE9CEF8 ; 10003
00416087 8D9D EDA354B8 LEA EBX,DWORD PTR SS:[EBP+B854A3ED]
0041608D 81EB DE3014B8 SUB EBX,B81430DE
00416093 FFD3 CALL EBX ; 00416663, 类同 004168B0 去调用 SetThreadContext
00416095 B8 117DB8FE MOV EAX,FEB87D11
0041609A 35 137DB9FE XOR EAX,FEB97D13
0041609F 50 PUSH EAX ; DBG_CONTINUE
004160A0 FFB5 4A634000 PUSH DWORD PTR SS:[EBP+40634A]
004160A6 FFB5 46634000 PUSH DWORD PTR SS:[EBP+406346]
004160AC 8D85 A46744F9 LEA EAX,DWORD PTR SS:[EBP+F94467A4]
004160B2 2D 1B1804F9 SUB EAX,F904181B
004160B7 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.ContinueDebugEvent
004160B9 8D85 7C47EC80 LEA EAX,DWORD PTR SS:[EBP+80EC477C]
004160BF 2D 73DEAB80 SUB EAX,80ABDE73
004160C4 FFE0 JMP EAX ; 00415C5D
004160C9 /EB 04 JMP SHORT PESpin.004160CF
004160D2 F785 B8624000 F>TEST DWORD PTR SS:[EBP+4062B8],FFFFFFFF ; [0041560C] 单步异常次数
004160DC /75 71 JNZ SHORT PESpin.0041614F
// 第一次单步异常
004160DE FFB5 D4624000 PUSH DWORD PTR SS:[EBP+4062D4] ; [00415628], hMutex
004160E4 8D85 1C4F4000 LEA EAX,DWORD PTR SS:[EBP+404F1C]
004160EA 48 DEC EAX
004160EB FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.CloseHandle, 释放 Mutex
004160FE B8 09311793 MOV EAX,93173109
00416103 05 F8CEE96C ADD EAX,6CE9CEF8 ; 10001
00416108 8D9D 5D704512 LEA EBX,DWORD PTR SS:[EBP+1245705D]
0041610E 81EB E5FC0412 SUB EBX,1204FCE5
00416114 FFD3 CALL EBX ; 004166D5 去调用 GetThreadContext
004166D5 A3 FC564100 MOV DWORD PTR DS:[4156FC],EAX ; 10001
004166DA 68 FC564100 PUSH PESpin.004156FC ; pContext
004166DF FFB5 36634000 PUSH DWORD PTR SS:[EBP+406336] ; [0041568A], hThread
004166F0 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.GetThreadContext
004166F2 0BC0 OR EAX,EAX
004166F4 74 05 JE SHORT PESpin.004166FB
004166F6 B8 FC564100 MOV EAX,PESpin.004156FC
004166FB C3 RETN
00416116 96 XCHG EAX,ESI ; pContext->ESI
00416117 B8 9A81FFFF MOV EAX,FFFF819A
0041611C 8D80 1E7F0000 LEA EAX,DWORD PTR DS:[EAX+7F1E] ; B8
00416122 810406 1E000000 ADD DWORD PTR DS:[ESI+EAX],1E ; regEip + 1E, 00415AF2->00415B10
00416129 B8 C09B55D3 MOV EAX,D3559BC0
0041612E 35 C19B54D3 XOR EAX,D3549BC1 ; 10001
00416133 8D9D 53650E35 LEA EBX,DWORD PTR SS:[EBP+350E6553]
00416139 81EB F7EFCD34 SUB EBX,34CDEFF7
0041613F FFD3 CALL EBX ; 004168B0 去调用 SetThreadContext
004168C1 A3 FC564100 MOV DWORD PTR DS:[4156FC],EAX
004168C6 68 FC564100 PUSH PESpin.004156FC
004168CB FFB5 36634000 PUSH DWORD PTR SS:[EBP+406336] ; hThread
004168D1 8D85 336C66D6 LEA EAX,DWORD PTR SS:[EBP+D6666C33]
004168D7 2D B91C26D6 SUB EAX,D6261CB9
004168DC FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.SetThreadContext
004168DE C3 RETN
00416141 8D9D 37510614 LEA EBX,DWORD PTR SS:[EBP+14065137]
00416147 81EB C3E2C513 SUB EBX,13C5E2C3
0041614D FFE3 JMP EBX ; 004161C8
0041614F EB 04 JMP SHORT PESpin.00416155 ; 实际到 416158
00416158 83BD B8624000 0>CMP DWORD PTR SS:[EBP+4062B8],1 ; 是第二次单步异常吗
0041615F 75 67 JNZ SHORT PESpin.004161C8
// 第二次单步异常
00416161 B8 20451CD0 MOV EAX,D01C4520 ; 第二次单步异常父进程 SMC 本身五个字节
00416166 35 CB45F7D1 XOR EAX,D1F745CB ; 01EB00EB
0041616B 8DBD 126A4000 LEA EDI,DWORD PTR SS:[EBP+406A12] ; 00415D66,
00416171 AB STOS DWORD PTR ES:[EDI]
00416172 B0 D3 MOV AL,0D3
00416174 AA STOS BYTE PTR ES:[EDI]
0041617F 35 A1B97180 XOR EAX,8071B9A1 ; 10001
00416184 8D9D 7472FE10 LEA EBX,DWORD PTR SS:[EBP+10FE7274]
0041618A 81EB FCFEBD10 SUB EBX,10BDFEFC
00416190 FFD3 CALL EBX ; PESpin.004166CC, 类同 004166D5 去调用 GetThreadContext
00416192 96 XCHG EAX,ESI ; PESpin.004156FC
00416193 B8 B6810200 MOV EAX,281B6
00416198 35 0E810200 XOR EAX,2810E ; B8
0041619D 810406 2B000000 ADD DWORD PTR DS:[ESI+EAX],2B ; regEip + 2B, 41638B->4163B6
004161A4 EB 07 JMP SHORT PESpin.004161AD
004161B0 B8 F9CEEA6C MOV EAX,6CEACEF9
004161B5 2D F8CEE96C SUB EAX,6CE9CEF8 ; 10001
004161BA 8D9D 908539DF LEA EBX,DWORD PTR SS:[EBP+DF398590]
004161C0 81EB 3410F9DE SUB EBX,DEF91034
004161C6 FFD3 CALL EBX ; 004168B0 去调用 SetThreadContext
// 第三次以上单步异常
004161C8 FF85 B8624000 INC DWORD PTR SS:[EBP+4062B8] ; 单步次数加 1
004161CE 8D85 302B129F LEA EAX,DWORD PTR SS:[EBP+9F122B30]
004161D4 2D EFBDD19E SUB EAX,9ED1BDEF
004161D9 FFE0 JMP EAX ; 00416095, 父进程已处理, 子进程不用处理
// 新线程创建的处理
004161DD E8 03000000 CALL PESpin.004161E5
004161EE 8B85 4A634000 MOV EAX,DWORD PTR SS:[EBP+40634A] ; dwThreadID(新)
004161F4 8BBD A0624000 MOV EDI,DWORD PTR SS:[EBP+4062A0] ; EDI-> buffer1
004161FA 03BD A4624000 ADD EDI,DWORD PTR SS:[EBP+4062A4] ; 已使用字节数
00416200 AB STOS DWORD PTR ES:[EDI] ; dwThreadID
00416201 8B85 4E634000 MOV EAX,DWORD PTR SS:[EBP+40634E] ; hThread(新)
00416207 AB STOS DWORD PTR ES:[EDI]
00416208 8385 A462400008 ADD DWORD PTR SS:[EBP+4062A4],8 ; 用了 8 字节
0041620F 8D85 80277209 LEA EAX,DWORD PTR SS:[EBP+9722780]
00416215 2D 1FBE3109 SUB EAX,931BE1F
0041621A ^\FFE0 JMP EAX ; PESpin.00415CB5, 父进程保留 dwThreadID 和 hThread
// 新线程退出的处理
0041621E 8BB5 A0624000 MOV ESI,DWORD PTR SS:[EBP+4062A0] ; ESI->Buffer1
00416224 8B8D A4624000 MOV ECX,DWORD PTR SS:[EBP+4062A4] ; 已使用字节数
0041622A 8B85 4A634000 MOV EAX,DWORD PTR SS:[EBP+40634A] ; 退出的线程 ID
00416230 8D1C31 LEA EBX,DWORD PTR DS:[ECX+ESI]
00416233 3906 CMP DWORD PTR DS:[ESI],EAX ; 搜索数组
00416235 74 0A JE SHORT PESpin.00416241
00416237 83C6 08 ADD ESI,8
0041623A 83E9 08 SUB ECX,8
0041623D ^ 75 F4 JNZ SHORT PESpin.00416233
0041623F EB 12 JMP SHORT PESpin.00416253 ; 没有, 直接退出
00416241 8BFE MOV EDI,ESI ; 找到了, 去掉该成员
00416243 83C6 08 ADD ESI,8
00416246 83AD A4624000 08 SUB DWORD PTR SS:[EBP+4062A4],8
0041624D 87CB XCHG EBX,ECX
0041624F 2BCE SUB ECX,ESI
00416251 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00416253 8D85 F5D86D01 LEA EAX,DWORD PTR SS:[EBP+16DD8F5]
00416259 2D 946F2D01 SUB EAX,12D6F94
0041625E ^\FFE0 JMP EAX ; PESpin.00415CB5
// 处理子进程的的关键代码
004163E3 60 PUSHAD
004163E4 0FB647 08 MOVZX EAX,BYTE PTR DS:[EDI+8] ; Table.Type
004163E8 8D9D 54C01F02 LEA EBX,DWORD PTR SS:[EBP+21FC054]
004163EE 81EB EE4FDF01 SUB EBX,1DF4FEE ; 004163BA
004163F4 8B0483 MOV EAX,DWORD PTR DS:[EBX+EAX*4]
004163F7 2D 6FD45CE3 SUB EAX,E35CD46F
004163FC 03C5 ADD EAX,EBP ; 0-41641D 1-41647F 3-416539
0041640F /FFE0 JMP EAX ; EAX
0041641D /EB 04 JMP SHORT PESpin.00416426
00416426 0FB65F 09 MOVZX EBX,BYTE PTR DS:[EDI+9] ; Table.Reg
0041642A 2BC0 SUB EAX,EAX
0041642C 8AC3 MOV AL,BL
0041642E 24 07 AND AL,7
00416430 C1E0 02 SHL EAX,2 ; * 4
00416433 8B8428 5C624000 MOV EAX,DWORD PTR DS:[EAX+EBP+40625C] ; reg2
0041643A 807F 0A 03 CMP BYTE PTR DS:[EDI+A],3 ; offset 是 dword or byte?
0041643E 75 16 JNZ SHORT PESpin.00416456
00416440 0FBA67 04 07 BT DWORD PTR DS:[EDI+4],7 ; 符号位
00416445 73 0F JNB SHORT PESpin.00416456
00416447 8B4F 04 MOV ECX,DWORD PTR DS:[EDI+4]
0041644A F7D9 NEG ECX ; 取反
0041644C 81E1 FF000000 AND ECX,0FF
00416452 2BC1 SUB EAX,ECX ; reg2+offset( 1 byte, 负数)
00416454 EB 03 JMP SHORT PESpin.00416459
00416456 0347 04 ADD EAX,DWORD PTR DS:[EDI+4] ; reg2+offset
00416459 2BC9 SUB ECX,ECX
0041645B 80C9 04 OR CL,4
0041645E E8 9F020000 CALL PESpin.00416702 ; ReadProcessMemory [reg2+offset], 见下面
00416463 8B00 MOV EAX,DWORD PTR DS:[EAX] ; [reg2+offset]
00416465 C0EB 03 SHR BL,3
00416468 80E3 07 AND BL,7 ; (3-5)
0041646B C1E3 02 SHL EBX,2
0041646E 8B9C2B 80624000 MOV EBX,DWORD PTR DS:[EBX+EBP+406280]
00416475 890433 MOV DWORD PTR DS:[EBX+ESI],EAX ; reg1
00416478 E9 BB010000 JMP PESpin.00416638
0041647F 0FB647 09 MOVZX EAX,BYTE PTR DS:[EDI+9] ; Table.Reg
00416483 2BDB SUB EBX,EBX
00416485 8AD8 MOV BL,AL
00416487 80E3 0F AND BL,0F
0041648A C0C8 04 ROR AL,4 ; (4-7)
0041648D 24 0F AND AL,0F
0041648F 8B9C9D 5C624000 MOV EBX,DWORD PTR SS:[EBP+EBX*4+40625C] ; reg2
00416496 8B9485 5C624000 MOV EDX,DWORD PTR SS:[EBP+EAX*4+40625C] ; reg1
0041649D 8B8485 80624000 MOV EAX,DWORD PTR SS:[EBP+EAX*4+406280] ; 004155D4
004164A4 834F 04 00 OR DWORD PTR DS:[EDI+4],0
004164A8 75 04 JNZ SHORT PESpin.004164AE
004164AA 0BD3 OR EDX,EBX ; 0 = or
004164AC EB 30 JMP SHORT PESpin.004164DE
004164AE 837F 04 01 CMP DWORD PTR DS:[EDI+4],1
004164B2 75 04 JNZ SHORT PESpin.004164B8
004164B4 23D3 AND EDX,EBX ; 1 = and
004164B6 EB 26 JMP SHORT PESpin.004164DE
004164B8 837F 04 02 CMP DWORD PTR DS:[EDI+4],2
004164BC 75 04 JNZ SHORT PESpin.004164C2
004164BE 33D3 XOR EDX,EBX ; 2 = xor
004164C0 EB 1C JMP SHORT PESpin.004164DE
004164C2 837F 04 03 CMP DWORD PTR DS:[EDI+4],3
004164C6 75 04 JNZ SHORT PESpin.004164CC
004164C8 03D3 ADD EDX,EBX ; 3 = add
004164CA EB 12 JMP SHORT PESpin.004164DE
004164CC 837F 04 04 CMP DWORD PTR DS:[EDI+4],4
004164D0 75 04 JNZ SHORT PESpin.004164D6
004164D2 2BD3 SUB EDX,EBX ; 4 = sub
004164D4 EB 08 JMP SHORT PESpin.004164DE
004164D6 837F 04 05 CMP DWORD PTR DS:[EDI+4],5
004164DA 87D3 XCHG EBX,EDX ; 其他 mov
004164DC EB 0F JMP SHORT PESpin.004164ED
004164DE 9C PUSHFD
004164DF BB B8CFE96C MOV EBX,6CE9CFB8
004164E4 81EB F8CEE96C SUB EBX,6CE9CEF8 ; C0, Elags
004164EA 8F0433 POP DWORD PTR DS:[EBX+ESI] ; 除了 Mov, 其他还需要处理标志位
004164ED 891430 MOV DWORD PTR DS:[EAX+ESI],EDX
004164F0 E9 43010000 JMP PESpin.00416638
00416539 BB 61BA7180 MOV EBX,8071BA61 ; Type = 3
0041653E 81EB A1B97180 SUB EBX,8071B9A1 ; C0
00416544 8B1433 MOV EDX,DWORD PTR DS:[EBX+ESI] ; ESI = 004156FC, regEflag
00416547 C1EA 06 SHR EDX,6
00416553 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4] ; Table.offset
00416556 0FB65F 09 MOVZX EBX,BYTE PTR DS:[EDI+9] ; Table.Reg
0041655A 83FB 00 CMP EBX,0
0041655D 74 02 JE SHORT PESpin.00416561
0041655F F7D2 NOT EDX
00416561 83E2 01 AND EDX,1 ; Zf = 1 吗
00416564 4A DEC EDX
00416565 0F85 CD000000 JNZ PESpin.00416638
0041656B 807F 0A 02 CMP BYTE PTR DS:[EDI+A],2 ; Table.Length
0041656F /74 0A JE SHORT PESpin.0041657B
00416571 |0FBAE0 1F BT EAX,1F ; 31 位
00416575 |73 2A JNB SHORT PESpin.004165A1
00416577 |F7D8 NEG EAX ; 对 负数取反
00416579 |EB 0D JMP SHORT PESpin.00416588
0041657B \0FBAE0 07 BT EAX,7 ; 7 位
0041657F 73 20 JNB SHORT PESpin.004165A1
00416581 F7D8 NEG EAX ; 对 负数取反
00416583 25 FF000000 AND EAX,0FF ; 对 Length = 2, 只取一个 byte
00416588 BB B1E50000 MOV EBX,0E5B1
0041658D 81EB F9E40000 SUB EBX,0E4F9 ; B8
00416593 0FB657 0A MOVZX EDX,BYTE PTR DS:[EDI+A]
00416597 2BC2 SUB EAX,EDX
00416599 290433 SUB DWORD PTR DS:[EBX+ESI],EAX
0041659C E9 AD000000 JMP PESpin.0041664E
004165A1 BB 59FF0000 MOV EBX,0FF59
004165A6 81EB A1FE0000 SUB EBX,0FEA1 ; B8
004165AC 0FB657 0A MOVZX EDX,BYTE PTR DS:[EDI+A]
004165B0 03C2 ADD EAX,EDX
004165B2 010433 ADD DWORD PTR DS:[EBX+ESI],EAX ; regEip 4098F8+20=409918
004165B5 E9 94000000 JMP PESpin.0041664E
00416638 /EB 07 JMP SHORT PESpin.00416641
00416641 ^\EB F8 JMP SHORT PESpin.0041663B
0041663B /EB 01 JMP SHORT PESpin.0041663E
0041663E /EB 04 JMP SHORT PESpin.00416644
00416644 0FB647 0A MOVZX EAX,BYTE PTR DS:[EDI+A] ; 跳过该条指令长度
00416648 0186 B8000000 ADD DWORD PTR DS:[ESI+B8],EAX
0041664E E8 03000000 CALL PESpin.00416656 ; 花指令
0041665F 61 POPAD
00416660 C3 RETN
// mov reg1, [reg2+offset] 专用的一段程序
00416702 60 PUSHAD
00416703 8BBD C4624000 MOV EDI,DWORD PTR SS:[EBP+4062C4] ; buffer2
00416709 6A 00 PUSH 0
0041670B 51 PUSH ECX ; 4 byte
0041670C 57 PUSH EDI ; buffer2
0041670D 50 PUSH EAX ; address
0041670E FFB5 32634000 PUSH DWORD PTR SS:[EBP+406332] ; hProcess
00416720 8D85 BFA356E9 LEA EAX,DWORD PTR SS:[EBP+E956A3BF]
00416726 2D 315416E9 SUB EAX,E9165431
0041672B FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.ReadProcessMemory
0041672D 61 POPAD
0041672E 8B85 C4624000 MOV EAX,DWORD PTR SS:[EBP+4062C4] ; buffer2
00416734 C3 RETN
父进程就这么多了.
// 接下来我们看看子进程
00415AF1 F1 INT1 ; 单步异常, 由父进程处理 ****************************************************
00415AF2 E8 1C030000 CALL PESpin.00415E13 ; eip -> 00415B10
00415B10 8B85 D4624000 MOV EAX,DWORD PTR SS:[EBP+4062D4] ; hMutex
00415B16 50 PUSH EAX
00415B17 8D85 D8A388ED LEA EAX,DWORD PTR SS:[EBP+ED88A3D8]
00415B1D 2D BD5448ED SUB EAX,ED4854BD
00415B22 FF10 CALL DWORD PTR DS:[EAX] ; KERNEL32.CloseHandle
00415B24 C3 RETN ; 004123F5
...
00414ADB 49 DEC ECX
00414ADC 9C PUSHFD
...
00414B09 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00414ACE(ECX>0), 00414B13(ECX=0)
...
004124FB E8 00000000 CALL PESpin.00412500
00412500 58 POP EAX
00412501 05 36000000 ADD EAX,36
00412506 8D9D FC4F4000 LEA EBX,DWORD PTR SS:[EBP+404FFC]
0041250C 8918 MOV DWORD PTR DS:[EAX],EBX ; PESpin.00414350
0041250E 33DB XOR EBX,EBX
00412510 8D4424 F8 LEA EAX,DWORD PTR SS:[ESP-8]
00412514 64:8703 XCHG DWORD PTR FS:[EBX],EAX
00412517 8D9D D3314000 LEA EBX,DWORD PTR SS:[EBP+4031D3]
0041251D 53 PUSH EBX
0041251E 50 PUSH EAX
0041251F 83CF FF OR EDI,FFFFFFFF
00412522 0BCF OR ECX,EDI
00412524 F3:AE REPE SCAS BYTE PTR ES:[EDI] ; 非法访问异常, 子进程自己处理 *************************************************
00412540 83CD FF OR EBP,FFFFFFFF ; 异常处理完, 这里继续
0041255A 5B POP EBX ; PESpin.00412559
0041255B 81C3 1E000000 ADD EBX,1E
00412561 8DB5 AC2C4000 LEA ESI,DWORD PTR SS:[EBP+402CAC]
00412567 68 FF000000 PUSH 0FF
0041256C 56 PUSH ESI
0041256D 6A 00 PUSH 0
0041256F 53 PUSH EBX
00412570 - FFA5 5C4F4000 JMP DWORD PTR SS:[EBP+404F5C] ; KERNEL32.GetModuleFileNameA
0041257D 5B POP EBX ; PESpin.0041257C
0041257E 81C3 25000000 ADD EBX,25
00412584 6A 00 PUSH 0
00412586 68 80000000 PUSH 80
0041258B 6A 03 PUSH 3
0041258D 6A 00 PUSH 0
0041258F 6A 01 PUSH 1
00412591 68 00000080 PUSH 80000000
00412596 56 PUSH ESI
00412597 53 PUSH EBX
00412598 - FFA5 2A4F4000 JMP DWORD PTR SS:[EBP+404F2A] ; KERNEL32.CreateFileA
004125A7 5A POP EDX ; PESpin.004125A6
004125A8 81C2 1A000000 ADD EDX,1A
004125AE 8985 AD754000 MOV DWORD PTR SS:[EBP+4075AD],EAX
004125B4 93 XCHG EAX,EBX
004125B5 6A 00 PUSH 0
004125B7 53 PUSH EBX
004125B8 52 PUSH EDX
004125B9 - FFA5 574F4000 JMP DWORD PTR SS:[EBP+404F57] ; KERNEL32.GetFileSize
004125C6 5A POP EDX ; PESpin.004125C5
004125C7 81C2 24000000 ADD EDX,24
004125CD 8BD8 MOV EBX,EAX
004125CF 53 PUSH EBX
004125D0 8F85 B9754000 POP DWORD PTR SS:[EBP+4075B9]
004125D6 6A 04 PUSH 4
004125D8 68 00300000 PUSH 3000
004125DD 50 PUSH EAX
004125DE 6A 00 PUSH 0
004125E0 52 PUSH EDX
004125E1 - FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20] ; KERNEL32.VirtualAlloc
004125E9 50 PUSH EAX
004125EA 8F85 E54E4000 POP DWORD PTR SS:[EBP+404EE5] ; [00414239], bufferForFile
004125FC 5A POP EDX ; PESpin.004125FB
004125FD 81C2 1E000000 ADD EDX,1E
00412603 6A 00 PUSH 0
00412605 51 PUSH ECX
00412606 53 PUSH EBX
00412607 50 PUSH EAX
00412608 FFB5 AD754000 PUSH DWORD PTR SS:[EBP+4075AD]
0041260E 52 PUSH EDX
0041260F - FFA5 2F4F4000 JMP DWORD PTR SS:[EBP+404F2F] ; KERNEL32.ReadFile
0041261F 5A POP EDX
00412620 81C2 17000000 ADD EDX,17
00412626 FFB5 AD754000 PUSH DWORD PTR SS:[EBP+4075AD]
0041262C 52 PUSH EDX
0041262D - FFA5 1B4F4000 JMP DWORD PTR SS:[EBP+404F1B] ; KERNEL32.CloseHandle
00412635 FFB5 B9754000 PUSH DWORD PTR SS:[EBP+4075B9]
0041263B 59 POP ECX ; FileSize
0041263C 81E9 EC1C0000 SUB ECX,1CEC ; 一部分不检查
00412642 8DBD E54E4000 LEA EDI,DWORD PTR SS:[EBP+404EE5]
00412648 8B3F MOV EDI,DWORD PTR DS:[EDI]
0041264A 8D85 8E6F6038 LEA EAX,DWORD PTR SS:[EBP+38606F8E]
00412650 0BC0 OR EAX,EAX
0041266D 2D 7F162038 SUB EAX,3820167F
00412672 FFD0 CALL EAX ; PESpin.00414C63, 计算校验和
00412674 2985 C1754000 SUB DWORD PTR SS:[EBP+4075C1],EAX ; [00416915]
00412680 5A POP EDX
00412681 81C2 1E000000 ADD EDX,1E
00412687 68 00800000 PUSH 8000
0041268C 6A 00 PUSH 0
0041268E FFB5 E54E4000 PUSH DWORD PTR SS:[EBP+404EE5] ; bufferForFile
00412694 52 PUSH EDX
00412695 - FFA5 254F4000 JMP DWORD PTR SS:[EBP+404F25] ; KERNEL32.VirtualFree
0041269D BB 380D581C MOV EBX,1C580D38
004126B3 33C0 XOR EAX,EAX
004126B5 68 95334000 PUSH PESpin.00403395
004126BA 64:FF30 PUSH DWORD PTR FS:[EAX]
004126BD 016C24 04 ADD DWORD PTR SS:[ESP+4],EBP ; SEH = 004126E9
004126C1 64:8920 MOV DWORD PTR FS:[EAX],ESP
004126C4 C1EB 02 SHR EBX,2
004126C7 81EB 4E031607 SUB EBX,716034E
004126D0 F6F3 DIV BL ; 除零异常, 子进程自己处理 ********************************************
0041432D 90 NOP ; 异常处理完这里继续
0041432F 33DB XOR EBX,EBX
00414331 64:8F03 POP DWORD PTR FS:[EBX]
00414334 5B POP EBX
00414335 81EB 16000000 SUB EBX,16
0041433E 803B CC CMP BYTE PTR DS:[EBX],0CC ; 004126D3 有没有断点
00414341 /75 0B JNZ SHORT PESpin.0041434E
00414343 |81E4 FFFF0000 AND ESP,0FFFF
00414349 |E8 1A000000 CALL PESpin.00414368 ; game over
0041434E ^\FFE3 JMP EBX ; PESpin.004126D3
004126D3 8DB5 4CC83F00 LEA ESI,DWORD PTR SS:[EBP+3FC84C]
004126D9 BA E71A0000 MOV EDX,1AE7
004126E1 C1E2 02 SHL EDX,2
004126E4 03F2 ADD ESI,EDX
004126E6 FFE6 JMP ESI ; 0041273C
0041274D 0FB78D E34E4000 MOVZX ECX,WORD PTR SS:[EBP+404EE3] ; [00414237]=04 (区段数)
00412754 8B95 E94E4000 MOV EDX,DWORD PTR SS:[EBP+404EE9] ; [0041423D]=00400060, PE 头
0041275A 81C2 F8000000 ADD EDX,0F8 ; Section Header
00412760 8B9D B1754000 MOV EBX,DWORD PTR SS:[EBP+4075B1] ; [00416905]=07, 前面 3 个区段都需要解密, 后面的不用
00412766 33C0 XOR EAX,EAX
00412779 51 PUSH ECX
0041277A 0FA3C3 BT EBX,EAX ; 前面 3 个区段都需要解密, 后面的不用
0041277D /73 67 JNB SHORT PESpin.004127E6
0041277F 52 PUSH EDX ; PESpin.00400158
00412791 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] ; Voffset
00412794 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF] ; Base
0041279A 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10] ; RawSize
0041279D 8B95 C1754000 MOV EDX,DWORD PTR SS:[EBP+4075C1] ; [00416915] 前面的文件校验值
004127A3 D1EA SHR EDX,1
004127A5 72 06 JB SHORT PESpin.004127AD
004127A7 81F2 31AF43ED XOR EDX,ED43AF31
004127AD 3017 XOR BYTE PTR DS:[EDI],DL ; 用文件校验值来解密
004127AF 47 INC EDI
004127E2 49 DEC ECX
004127E3 ^ 75 BE JNZ SHORT PESpin.004127A3
004127E5 5A POP EDX ; PESpin.00400158
004127E6 40 INC EAX
004127E7 83C2 28 ADD EDX,28 ; 下一个区段
004127EA 59 POP ECX
004127FC 49 DEC ECX
004127FD 9C PUSHFD
0041282A ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00412779(ECX>0), 00412831(ECX=0)
00412831 E8 03000000 CALL PESpin.00412839
00412842 838D 8A614000 0>OR DWORD PTR SS:[EBP+40618A],0 ; [004154DE] ???
00412849 /74 0D JE SHORT PESpin.00412858
0041284B 8D85 B5594000 LEA EAX,DWORD PTR SS:[EBP+4059B5]
00412851 2D D1030000 SUB EAX,3D1
00412856 FFD0 CALL EAX ; 00414938
00412858 68 80010000 PUSH 180 ; 这里开始不要单步走, 直到 004128F7
0041285D 59 POP ECX
...
004128F1 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00412891(ECX>0), 004128F7(ECX=0)
004128F7 8D85 EC968D65 LEA EAX,DWORD PTR SS:[EBP+658D96EC]
004128FD BB D09EA632 MOV EBX,32A69ED0
00412902 D1E3 SHL EBX,1
00412904 2BC3 SUB EAX,EBX
00412906 50 PUSH EAX
00412907 C3 RETN ; 00414CA0 就对了, 否则 over
00414CA3 8DBD B4354000 LEA EDI,DWORD PTR SS:[EBP+4035B4] ; 00412908
00414CA9 B9 A1010000 MOV ECX,1A1
...
00414D0C ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00414CB7(ECX>0), 00414D15(ECX=0)
00414D15 55 PUSH EBP
00414D16 9C PUSHFD
00414D17 E8 77000000 CALL PESpin.00414D93
00414D1D 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8] ; 一开始的 SEH = 00414D1D
00414D21 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00414D25 8142 04 35000000 ADD DWORD PTR DS:[EDX+4],35 ; SEH 00414D1D-> 00414D52
00414D2C 81CA 29242123 OR EDX,23212429
00414D32 2BC9 SUB ECX,ECX
00414D34 2148 04 AND DWORD PTR DS:[EAX+4],ECX
00414D37 2148 08 AND DWORD PTR DS:[EAX+8],ECX
00414D3A 2148 0C AND DWORD PTR DS:[EAX+C],ECX
00414D3D 2148 10 AND DWORD PTR DS:[EAX+10],ECX
00414D40 8160 14 F00FFFFF AND DWORD PTR DS:[EAX+14],FFFF0FF0
00414D47 C740 18 55010000 MOV DWORD PTR DS:[EAX+18],155
00414D4E 33C0 XOR EAX,EAX
00414D50 C3 RETN ; 改一下 SEH, 返回后还是同样的异常, 只是 SEH 变了
00414D93 FF0424 INC DWORD PTR SS:[ESP] ; PESpin.00414D1C+1
00414D96 2BDB SUB EBX,EBX
00414D98 64:FF33 PUSH DWORD PTR FS:[EBX]
00414D9B 64:8923 MOV DWORD PTR FS:[EBX],ESP
00414D9E FB STI ; 特权指令异常(第一次到 00414D1D, 第二次到 00414D52) ************************************
00414D52 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
00414D56 8142 04 1B000000 ADD DWORD PTR DS:[EDX+4],1B ; SEH 00414D52-> 00414D6D, 第二次改变
00414D60 33DB XOR EBX,EBX
00414D62 D7 XLAT BYTE PTR DS:[EBX+AL] ; 在异常处理中又遇到了非法访问异常, 先去系统中走一走,不能处理, 最后还是到 414D6D
00414D6D 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ; 414D6D 直接恢复 ESP
00414D71 2BD2 SUB EDX,EDX
00414D73 75 1C JNZ SHORT PESpin.00414D91
00414D75 /74 01 JE SHORT PESpin.00414D78
00414D78 64:8F02 POP DWORD PTR FS:[EDX] ; 0012FFE0
00414D7B 5A POP EDX
00414D7C 81E2 30313431 AND EDX,31343130
00414D82 9D POPFD
00414D83 5D POP EBP
00414DAB 8DBD 55374000 LEA EDI,DWORD PTR SS:[EBP+403755] ; 00412AA9
00414DB1 B9 57110000 MOV ECX,1157
...
00414E14 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00414DBF(ECX>0), 00414E1A(ECX=0)
00414E1A ^\E9 E9DAFFFF JMP PESpin.00412908
00412908 0FB78D E34E4000 MOVZX ECX,WORD PTR SS:[EBP+404EE3] ; 区段数, 再解密一次数据
0041290F 8B95 E94E4000 MOV EDX,DWORD PTR SS:[EBP+404EE9]
00412915 81C2 F8000000 ADD EDX,0F8
00412924 68 07000000 PUSH 7 ; 前三个区段需要解密
00412929 5B POP EBX
0041293A 51 PUSH ECX ; 区段数
00412947 0FA3C3 BT EBX,EAX
0041294A /73 79 JNB SHORT PESpin.004129C5
0041297A 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] ; Voffset
0041297D 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF] ; Base
00412983 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10] ; RawSize
00412986 50 PUSH EAX
00412987 8A07 MOV AL,BYTE PTR DS:[EDI]
...
004129AE 49 DEC ECX
004129C0 0BC9 OR ECX,ECX
004129C2 ^ 75 C3 JNZ SHORT PESpin.00412987
004129C4 58 POP EAX
004129C5 40 INC EAX
004129C6 83C2 28 ADD EDX,28
004129D3 49 DEC ECX
004129D4 9C PUSHFD
00412A01 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 0041293A(ECX>0), 00412A08(ECX=0)
00412A08 E8 01000000 CALL PESpin.00412A0E
0041489E 33DB XOR EBX,EBX
004148A0 55 PUSH EBP
004148A1 E8 16000000 CALL PESpin.004148BC
004148A6 2BDB SUB EBX,EBX ; SEH = 004148A6
004148B1 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ; 直接恢复 ESP
004148B5 64:8F03 POP DWORD PTR FS:[EBX]
004148B8 5B POP EBX
004148B9 5D POP EBP
004148BA /EB 4A JMP SHORT PESpin.00414906
004148BC 64:FF33 PUSH DWORD PTR FS:[EBX]
004148BF 64:8923 MOV DWORD PTR FS:[EBX],ESP
004148C2 83E0 00 AND EAX,0
004148C5 64:3343 30 XOR EAX,DWORD PTR FS:[EBX+30] ; PEB
004148C9 /79 1B JNS SHORT PESpin.004148E6 ; NT 跳
004148F2 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
004148F5 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
00414901 4B DEC EBX
00414902 0958 20 OR DWORD PTR DS:[EAX+20],EBX ; 破坏 ImageSize, Skip *****************************************************
00414905 D7 XLAT BYTE PTR DS:[EBX+AL] ; 非法访问异常, SEH = 004148A6 **********************************************
00414906 6A F9 PUSH -7
00414908 5A POP EDX
00414909 59 POP ECX
0041490A 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00414917 03D1 ADD EDX,ECX
00414919 ^ FFE2 JMP EDX ; PESpin.00412A16
...
00412A58 E8 03000000 CALL PESpin.00412A60
00412A6A 33DB XOR EBX,EBX
00412A6C 8D4424 F4 LEA EAX,DWORD PTR SS:[ESP-C]
00412A70 64:8703 XCHG DWORD PTR FS:[EBX],EAX
00412A73 55 PUSH EBP
00412A74 8D9D 95334000 LEA EBX,DWORD PTR SS:[EBP+403395] ; SEH = 004126E9
00412A7A 53 PUSH EBX
00412A7B 33DB XOR EBX,EBX
00412A86 8918 MOV DWORD PTR DS:[EAX],EBX ; EAX=0, 非法访问异常 *******************************************************
004126E9 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; SEH
004126ED 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
004126F1 8B00 MOV EAX,DWORD PTR DS:[EAX]
004126F3 35 5B011238 XOR EAX,3812015B
004126F8 3D 5E0112F8 CMP EAX,F812015E
004126FD 75 0F JNZ SHORT PESpin.0041270E
004126FF 8181 B8000000 E42000>ADD DWORD PTR DS:[ECX+B8],20E4 ; EIP 00412A86->00414B6A
00412709 EB 27 JMP SHORT PESpin.00412732
0041270E 3D 460112F8 CMP EAX,F8120146
00412713 75 0C JNZ SHORT PESpin.00412721
00412715 8181 B8000000 720100>ADD DWORD PTR DS:[ECX+B8],172
0041271F EB 11 JMP SHORT PESpin.00412732
00412721 3D CF0112F8 CMP EAX,F81201CF
00412726 75 0A JNZ SHORT PESpin.00412732
00412728 8181 B8000000 5D1C00>ADD DWORD PTR DS:[ECX+B8],1C5D
00412732 33C0 XOR EAX,EAX
00412734 C3 RETN
00414B6A 2BC0 SUB EAX,EAX
00414B6C EB 04 JMP SHORT PESpin.00414B72
00414B75 64:8F00 POP DWORD PTR FS:[EAX] ; 0012FFE0
00414B78 58 POP EAX
00414B79 5D POP EBP
00414B7A 8D85 55374000 LEA EAX,DWORD PTR SS:[EBP+403755] ; 00412AA9
00414B80 68 57110000 PUSH 1157
00414B85 59 POP ECX
00414B86 68 C3FDE514 PUSH 14E5FDC3
00414B8B 5A POP EDX
00414B8C D1EA SHR EDX,1
00414B8E /73 06 JNB SHORT PESpin.00414B96
00414B90 |81F2 32AF43ED XOR EDX,ED43AF32
00414B96 \3010 XOR BYTE PTR DS:[EAX],DL ; SMC 解密代码
00414B98 40 INC EAX
00414B99 49 DEC ECX
00414BD0 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00414B8C(ECX>0), 00414BD9(ECX=0)
00414BD9 2D 57110000 SUB EAX,1157
00414BDE ^ FFE0 JMP EAX ; PESpin.00412AA9
...
00412ADB 8B95 E94E4000 MOV EDX,DWORD PTR SS:[EBP+404EE9] ; PESpin.00400060
00412AE1 81C2 F8000000 ADD EDX,0F8
00412AE7 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] ; Voffset
00412AEA 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF] ; +Base, edi=401000
00412AF0 6A 20 PUSH 20
00412AF2 59 POP ECX ; 校验 20h 字节
00412B04 E8 02000000 CALL PESpin.00412B0B
00412B0B 58 POP EAX
00412B0C 05 16000000 ADD EAX,16
00412B11 50 PUSH EAX ; 00412B1F 返回地址
00412B12 8D85 4DB8A5E5 LEA EAX,DWORD PTR SS:[EBP+E5A5B84D]
00412B18 2D 776065E5 SUB EAX,E5656077
00412B1D FFE0 JMP EAX ; 00414B2A(另一种 Hash 算法)
00412B1F 2985 B5754000 SUB DWORD PTR SS:[EBP+4075B5],EAX ; [00416909] 这里放着 401000-401020 的校验
00412B28 /0F85 4E150000 JNZ PESpin.0041407C ; 跳 over *************************************************************
00412B2E E8 03000000 CALL PESpin.00412B36
00412B3F 8D9D 19034900 LEA EBX,DWORD PTR SS:[EBP+490319]
00412B45 81EB 15A30800 SUB EBX,8A315 ; 00415358
00412B73 FFD3 CALL EBX ; PESpin.00415358
;=====================================================================================================================
00414B2A
00414B3B 52 PUSH EDX ; PESpin.00400158
00414B3C 33D2 XOR EDX,EDX
00414B3E 8A0439 MOV AL,BYTE PTR DS:[ECX+EDI] ; 401020
00414B41 32D0 XOR DL,AL
00414B43 B0 06 MOV AL,6
00414B45 D1EA SHR EDX,1
00414B47 72 06 JB SHORT PESpin.00414B4F
00414B49 81F2 20292D3A XOR EDX,3A2D2920
00414B4F 0FBAE2 08 BT EDX,8
00414B53 /73 03 JNB SHORT PESpin.00414B58
00414B55 |80E6 FE AND DH,0FE
00414B58 \FEC8 DEC AL
00414B5A ^\75 E9 JNZ SHORT PESpin.00414B45
00414B5C 49 DEC ECX
00414B5D ^ 75 DF JNZ SHORT PESpin.00414B3E
00414B5F 92 XCHG EAX,EDX
00414B60 5A POP EDX
00414B65 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 返回 PESpin.00412B1F
;========================================================================================================================
00415361 8D85 67604000 LEA EAX,DWORD PTR SS:[EBP+406067] ; 004153BB, 见下面 004153BA
00415367 8308 00 OR DWORD PTR DS:[EAX],0 ; F450
0041536A 74 75 JE SHORT PESpin.004153E1 ; 跳表示资源没加密
00415394 B9 66310000 MOV ECX,3166
00415399 8BD1 MOV EDX,ECX ; size
004153A7 52 PUSH EDX
004153A8 6A 04 PUSH 4
004153AA 68 00300000 PUSH 3000
004153AF 51 PUSH ECX
004153B0 6A 00 PUSH 0
004153B2 FF95 204F4000 CALL DWORD PTR SS:[EBP+404F20] ; KERNEL32.VirtualAlloc
004153B8 96 XCHG EAX,ESI
004153B9 5A POP EDX ; 3166
004153BA BF 50F40000 MOV EDI,0F450
004153BF 81C7 00004000 ADD EDI,PESpin.00400000 ; 0040F450 压缩后资源放在这
004153C5 56 PUSH ESI
004153C6 57 PUSH EDI
004153C7 E8 83DCFFFF CALL PESpin.0041304F ; 解压出资源, F8, 返回长度 2BB0
004153CC 91 XCHG EAX,ECX
004153CD F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 解压后再复制回 40F450
004153CF 5F POP EDI
004153D0 5E POP ESI
004153D4 68 00400000 PUSH 4000
004153D9 52 PUSH EDX
004153DA 56 PUSH ESI
004153DB FF95 254F4000 CALL DWORD PTR SS:[EBP+404F25] ; KERNEL32.VirtualFree
004153ED 8D85 DA604000 LEA EAX,DWORD PTR SS:[EBP+4060DA] ; 0041542E
004153F3 8338 00 CMP DWORD PTR DS:[EAX],0 ; 07
004153F6 0F84 CB000000 JE PESpin.004154C7
004153FC B9 80BF0000 MOV ECX,0BF80 ; Size (解压要用到的最大空间)
00415401 6A 04 PUSH 4
00415403 68 00300000 PUSH 3000
00415408 51 PUSH ECX
00415409 6A 00 PUSH 0
0041540B FF95 204F4000 CALL DWORD PTR SS:[EBP+404F20] ; KERNEL32.VirtualAlloc
00415411 8985 FB604000 MOV DWORD PTR SS:[EBP+4060FB],EAX ; 0041544F
0041541A 0FB78D E34E4000 MOVZX ECX,WORD PTR SS:[EBP+404EE3] ; 区段数
00415421 8B95 E94E4000 MOV EDX,DWORD PTR SS:[EBP+404EE9] ; PE 头
00415427 81C2 F8000000 ADD EDX,0F8
0041542D BB 07000000 MOV EBX,7 ; 前三个需要解压
00415432 2BC0 SUB EAX,EAX
00415434 51 PUSH ECX
0041543E 0FA3C3 BT EBX,EAX
00415441 73 27 JNB SHORT PESpin.0041546A
00415443 50 PUSH EAX
00415444 53 PUSH EBX
00415445 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] ; Voffset
00415448 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF] ; Base
0041544E BE 00008900 MOV ESI,890000
00415453 56 PUSH ESI
00415454 57 PUSH EDI
00415455 E8 F5DBFFFF CALL PESpin.0041304F ; 解压出代码
0041545A 91 XCHG EAX,ECX
00415464 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制代码到原处
00415466 5F POP EDI
00415467 5E POP ESI
00415468 5B POP EBX
00415469 58 POP EAX
0041546A 40 INC EAX
0041546B 83C2 28 ADD EDX,28 ; 下一区段
0041546E 59 POP ECX
0041546F 49 DEC ECX
00415470 9C PUSHFD
...
0041549D ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415434(ECX>0), 004154A7(ECX=0)
004154A7 /EB 01 JMP SHORT PESpin.004154AA
004154AA 8B8D A9604000 MOV ECX,DWORD PTR SS:[EBP+4060A9]
004154B0 8B85 FB604000 MOV EAX,DWORD PTR SS:[EBP+4060FB]
004154B6 0BC0 OR EAX,EAX
004154B8 74 0D JE SHORT PESpin.004154C7
004154BA 68 00400000 PUSH 4000
004154BF 51 PUSH ECX
004154C0 56 PUSH ESI
004154C1 FF95 254F4000 CALL DWORD PTR SS:[EBP+404F25] ; KERNEL32.VirtualFree
004154CA 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
004154CE 8D85 6E6D2201 LEA EAX,DWORD PTR SS:[EBP+1226D6E]
004154D4 2D 4635E200 SUB EAX,0E23546
004154D9 ^ FFE0 JMP EAX ; PESpin.00412B7C
...
00414744 8BBD DF4E4000 MOV EDI,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
0041474A 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
0041474D 89BD 95544000 MOV DWORD PTR SS:[EBP+405495],EDI ; [004147E9]= PE 头
00414753 03F8 ADD EDI,EAX ; + F8
00414755 B9 62020000 MOV ECX,262
00414763 51 PUSH ECX
00414764 8D85 A9754000 LEA EAX,DWORD PTR SS:[EBP+4075A9] ; 004168FD
0041476A 50 PUSH EAX
0041476B 6A 40 PUSH 40
0041476D 51 PUSH ECX
0041476E 57 PUSH EDI ; 00400158 (Section Header)
0041476F 8DB5 104F4000 LEA ESI,DWORD PTR SS:[EBP+404F10]
00414775 FF56 06 CALL DWORD PTR DS:[ESI+6] ; KERNEL32.VirtualProtect (在 PE 头中制造异常) ***************************************
00414778 59 POP ECX ; 262
00414779 B0 FF MOV AL,0FF
00414787 8BF7 MOV ESI,EDI ; 00400158
00414789 83C6 07 ADD ESI,7
0041478C C607 BE MOV BYTE PTR DS:[EDI],0BE
0041478F 8977 01 MOV DWORD PTR DS:[EDI+1],ESI
00414792 C747 05 8F060000 MOV DWORD PTR DS:[EDI+5],68F
00414799 83E9 03 SUB ECX,3
0041479C 8D1C0F LEA EBX,DWORD PTR DS:[EDI+ECX] ; 004003B7
0041479F 66:C703 33D2 MOV WORD PTR DS:[EBX],0D233
004147A4 C643 02 C3 MOV BYTE PTR DS:[EBX+2],0C3
004147A8 53 PUSH EBX
004147A9 8F85 F94E4000 POP DWORD PTR SS:[EBP+404EF9] ; 0041424D
004147AF 2BDB SUB EBX,EBX
004147C6 55 PUSH EBP
004147C7 52 PUSH EDX ; 004147DD (SEH)
004147C8 64:FF33 PUSH DWORD PTR FS:[EBX]
004147CB 64:8923 MOV DWORD PTR FS:[EBX],ESP
004147CE 68 F3AA9090 PUSH 9090AAF3
004147D3 FFE7 JMP EDI ; 00400158
004147D5 64:8F02 POP DWORD PTR FS:[EDX]
004147D8 83C4 08 ADD ESP,8
004147DB C3 RETN
00400158 BE 5F014000 MOV ESI,PESpin.0040015F
0040015D 8F06 POP DWORD PTR DS:[ESI] ; 9090AAF3
0040015F F3:AA REP STOS BYTE PTR ES:[EDI] ; ECX = 25F, EDI = 00400158, 不能 SMC 正在执行的代码,
00400161 90 NOP ; 变成 FF, 非法指令异常, 第一次子进程自己处理 ***************************************
00400162 90 NOP
004147DD 2BDB SUB EBX,EBX
004147DF 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ; 直接恢复 Stack
004147E3 64:8F03 POP DWORD PTR FS:[EBX]
004147E6 59 POP ECX
004147E7 5D POP EBP
004147E8 BF 60004000 MOV EDI,PESpin.00400060 ; ASCII "PE"
004147ED 81C7 80000000 ADD EDI,80
004147F3 8B3F MOV EDI,DWORD PTR DS:[EDI] ; Import Table RVA
004147F5 03BD DF4E4000 ADD EDI,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
00414810 8D85 104F4000 LEA EAX,DWORD PTR SS:[EBP+404F10] ; 00414264
00414816 B9 24000000 MOV ECX,24
0041481B FF1401 CALL DWORD PTR DS:[ECX+EAX] ; KERNEL32.GetTickCount
0041481E 8BD8 MOV EBX,EAX
00414820 F7D3 NOT EBX
00414822 33D8 XOR EBX,EAX
00414824 43 INC EBX
00414825 68 D4000000 PUSH 0D4
0041482A 59 POP ECX
0041482B 66:35 4C50 XOR AX,504C
0041482F 66:05 8911 ADD AX,1189
00414833 AA STOS BYTE PTR ES:[EDI] ; 破坏 Import Table (加壳后的)
00414837 49 DEC ECX
00414838 9C PUSHFD
...
00414865 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 0041482B(ECX>0), 0041486E(ECX=0)
0041486E C3 RETN ; 004132DE
...
00414EEC 5B POP EBX
00414EED 81C3 2B000000 ADD EBX,2B ; 00414F16
00414EF3 68 62000000 PUSH 62 ; size = 62
00414EF8 59 POP ECX
00414F02 6A 04 PUSH 4
00414F04 68 00300000 PUSH 3000
00414F09 51 PUSH ECX
00414F0A 6A 00 PUSH 0
00414F0C 53 PUSH EBX
00414F0D - FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20] ; VirtualAlloc (Buffer for SDK Crypt Start)
00414F16 8DB5 065B4000 LEA ESI,DWORD PTR SS:[EBP+405B06] ; 00414E5A
00414F1C 97 XCHG EAX,EDI
00414F1D 8BDF MOV EBX,EDI
00414F1F B9 2A000000 MOV ECX,2A
00414F24 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制 2Ah 字节
00414F26 BE A506B196 MOV ESI,96B106A5
00414F2B BA FE649069 MOV EDX,699064FE
00414F30 03F2 ADD ESI,EDX
00414F32 B9 0A000000 MOV ECX,0A
00414F37 BA CD1B160D MOV EDX,0D161BCD
00414F3C AD LODS DWORD PTR DS:[ESI] ; 00416BA3 开始放 28h byte
00414F3D 4A DEC EDX
00414F3E 03C2 ADD EAX,EDX
00414F40 42 INC EDX
00414F41 33C2 XOR EAX,EDX
00414F43 4A DEC EDX
00414F44 C1CA 08 ROR EDX,8
00414F47 AB STOS DWORD PTR ES:[EDI]
00414F48 49 DEC ECX
00414F49 9C PUSHFD
00414F76 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00414F3C(ECX>0), 00414F7B(ECX=0)
00414F7B B9 10000000 MOV ECX,10
00414F80 8DB5 305B4000 LEA ESI,DWORD PTR SS:[EBP+405B30] ; 00414E84
00414F86 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 10h byte
00414F94 93 XCHG EAX,EBX
00414F95 B9 0A000000 MOV ECX,0A
00414F9A 8BBD D35B4000 MOV EDI,DWORD PTR SS:[EBP+405BD3]
00414FA0 03BD D85B4000 ADD EDI,DWORD PTR SS:[EBP+405BD8] ; 00416BA3
00414FA6 F3:AB REP STOS DWORD PTR ES:[EDI] ; 破坏
00414FAF 81C3 21000000 ADD EBX,21 ; 00414FCE
00414FB5 B9 61000000 MOV ECX,61 ; Size = 61
00414FBA 6A 04 PUSH 4
00414FBC 68 00300000 PUSH 3000
00414FC1 51 PUSH ECX
00414FC2 6A 00 PUSH 0
00414FC4 53 PUSH EBX
00414FC5 FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20] ; VirtualAlloc (Buffer for SDK Crypt End)
00414FCE 8DB5 CC5A4000 LEA ESI,DWORD PTR SS:[EBP+405ACC] ; 00414E20
00414FD4 97 XCHG EAX,EDI
00414FD5 8BDF MOV EBX,EDI
00414FD7 B9 26000000 MOV ECX,26
00414FDC F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 00414E20
00414FEA 8BB5 D35B4000 MOV ESI,DWORD PTR SS:[EBP+405BD3]
00414FF0 03B5 D85B4000 ADD ESI,DWORD PTR SS:[EBP+405BD8]
00414FF6 83C6 28 ADD ESI,28 ; 00416BCB 开始放 28h byte
00414FF9 B9 0A000000 MOV ECX,0A
00414FFE BA 9B783DFD MOV EDX,FD3D789B
00415003 AD LODS DWORD PTR DS:[ESI]
00415004 4A DEC EDX
00415005 03C2 ADD EAX,EDX
00415007 42 INC EDX
00415014 33C2 XOR EAX,EDX
00415016 4A DEC EDX
00415017 C1CA 08 ROR EDX,8
0041501A AB STOS DWORD PTR ES:[EDI]
0041501B 49 DEC ECX
0041501C 9C PUSHFD
00415052 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00415003(ECX>0), 0041505A(ECX=0)
0041505A B9 13000000 MOV ECX,13
0041505F 8DB5 F25A4000 LEA ESI,DWORD PTR SS:[EBP+405AF2] ; 00416E46
00415065 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 13h byte
00415067 93 XCHG EAX,EBX
00415068 B9 0A000000 MOV ECX,0A
0041506D 8BBD D35B4000 MOV EDI,DWORD PTR SS:[EBP+405BD3]
00415073 03BD D85B4000 ADD EDI,DWORD PTR SS:[EBP+405BD8]
00415079 83C7 28 ADD EDI,28 ; 00416BCB
0041507C F3:AB REP STOS DWORD PTR ES:[EDI] ; 破坏
0041507E 58 POP EAX
... 一大段花指令, SMC
004162EA B9 FEDE4C7B MOV ECX,7B4CDEFE
004162EF 81F1 17E4CF9A XOR ECX,9ACFE417
004162F5 81E9 023B83E1 SUB ECX,E1833B02
004162FB F7D9 NEG ECX ; 循环 019 次
004162FD 2BDB SUB EBX,EBX
004162FF 4B DEC EBX
00416300 D1EB SHR EBX,1
00416302 81F3 CD4B160E XOR EBX,0E164BCD
00416308 81DB 25896100 SBB EBX,618925
0041630E C1E3 03 SHL EBX,3
00416311 C1C3 11 ROL EBX,11 ; B0D11882
00416314 8D85 A1B6114D LEA EAX,DWORD PTR SS:[EBP+4D11B6A1]
0041631A 2D CF46D14C SUB EAX,4CD146CF ; 00416326
0041631F 0118 ADD DWORD PTR DS:[EAX],EBX
00416381 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00416300(ECX>0), 0041638A(ECX=0) 这个有点特殊, F9 不要单步
0041638A F1 INT1 ; 单步异常, 由父进程处理 ***********************************************************
0041638B 87DF XCHG EDI,EBX ; eip -> 004163B6
004163B6 C3 RETN ; to 004134F4
004134FD F685 8E614000 01 TEST BYTE PTR SS:[EBP+40618E],1 ; [004154E2]
00413504 /74 51 JE SHORT PESpin.00413557
00413517 BB 3C080000 MOV EBX,83C ; size = 0, 不处理
0041351C 0BDB OR EBX,EBX
0041351E 74 37 JE SHORT PESpin.00413557
00413520 2BC0 SUB EAX,EAX
00413522 2185 ED4E4000 AND DWORD PTR SS:[EBP+404EED],EAX ; 00414241, Buffer for IAT 中已用的字节数置零
0041352E 59 POP ECX ; PESpin.0041352D
0041352F 6A 40 PUSH 40
00413531 68 00300000 PUSH 3000
00413536 53 PUSH EBX ; size = 83C
00413537 50 PUSH EAX
00413538 8D6424 FC LEA ESP,DWORD PTR SS:[ESP-4]
0041353C 81C1 23000000 ADD ECX,23
00413542 890C24 MOV DWORD PTR SS:[ESP],ECX ; 00413550
00413545 - FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20] ; KERNEL32.VirtualAlloc (Buffer for IAT redirection)
00413550 50 PUSH EAX
00413551 8F85 E54E4000 POP DWORD PTR SS:[EBP+404EE5] ; [00414239]=008C0000
00413557 8D85 F80F3400 LEA EAX,DWORD PTR SS:[EBP+340FF8]
0041355D 8D80 5F320C00 LEA EAX,DWORD PTR DS:[EAX+C325F]
00413563 48 DEC EAX
00413564 FFD0 CALL EAX ; 004135AA
...
00415233 B9 16AAD072 MOV ECX,72D0AA16
00415238 05 3B126A06 ADD EAX,66A123B
0041523D 81F1 4F5CA762 XOR ECX,62A75C4F
00415243 81F9 9BF67710 CMP ECX,1077F69B
00415249 75 04 JNZ SHORT PESpin.0041524F
0041524B FFE0 JMP EAX ; 00415302
0041524F E8 01000000 CALL PESpin.00415255
00415255 5B POP EBX
00415256 81C3 2B000000 ADD EBX,2B ; 0041527F
0041525C 68 5C000000 PUSH 5C
00415261 59 POP ECX
0041526B 6A 04 PUSH 4
0041526D 68 00300000 PUSH 3000
00415272 51 PUSH ECX ; size = 5C
00415273 6A 00 PUSH 0
00415275 53 PUSH EBX
00415276 - FFA5 204F4000 JMP DWORD PTR SS:[EBP+404F20] ; KERNEL32.VirtualAlloc (Buffer for SDK Clear Start)
0041527F 8DB5 975E4000 LEA ESI,DWORD PTR SS:[EBP+405E97] ; 004151EB
00415285 97 XCHG EAX,EDI
00415286 8BDF MOV EBX,EDI
00415288 B9 22000000 MOV ECX,22
0041528D F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制 22h byte
004152A0 BE BA4DAB97 MOV ESI,97AB4DBA
004152A5 BA 3FE26997 MOV EDX,9769E23F
004152AA 2BF2 SUB ESI,EDX ; 00416B7B
004152AC B9 0A000000 MOV ECX,0A
004152B1 BA C93EEF5E MOV EDX,5EEF3EC9
004152B6 AD LODS DWORD PTR DS:[ESI]
004152B7 4A DEC EDX
004152B8 03C2 ADD EAX,EDX
004152BA 42 INC EDX
004152C7 33C2 XOR EAX,EDX
004152C9 4A DEC EDX
004152CA C1C2 08 ROL EDX,8
004152CD AB STOS DWORD PTR ES:[EDI]
004152CE ^ E2 E6 LOOPD SHORT PESpin.004152B6 ; 复制 28h 字节
004152D0 B9 11000000 MOV ECX,11
004152D5 8DB5 BA5E4000 LEA ESI,DWORD PTR SS:[EBP+405EBA] ; 0041520E
004152DB F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 复制 11h byte
004152EE 93 XCHG EAX,EBX
004152EF B9 0A000000 MOV ECX,0A
004152F4 8BBD 4D5F4000 MOV EDI,DWORD PTR SS:[EBP+405F4D]
004152FA 2BBD 525F4000 SUB EDI,DWORD PTR SS:[EBP+405F52]
00415300 F3:AB REP STOS DWORD PTR ES:[EDI] ; 00416B7B (破坏)
...
004135F6 8BB5 43454000 MOV ESI,DWORD PTR SS:[EBP+404543] ; [00413897] = C160, 真正的 IAT 信息放在这
004135FC 03B5 DF4E4000 ADD ESI,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
0040C160 00 00 00 00 00 00 00 00 00 00 00 00 C8 C4 00 00 ................ ; 真正的 IAT, 6 个 DLL
0040C170 2C C0 00 00
00 00 00 00 00 00 00 00 00 00 00 00 ,...............
0040C180 80 C6 00 00 B0 C0 00 00
00 00 00 00 00 00 00 00 ................
0040C190 00 00 00 00 D2 C6 00 00 00 C0 00 00
00 00 00 00 ................
0040C1A0 00 00 00 00 00 00 00 00 F4 C6 00 00 10 C0 00 00 ................
0040C1B0 00 00 00 00 00 00 00 00 00 00 00 00 44 C7 00 00 ............D...
0040C1C0 9C C0 00 00
00 00 00 00 00 00 00 00 00 00 00 00 ................
0040C1D0 90 C7 00 00 18 C0 00 00
00 00 00 00 00 00 00 00 ................ ; 结束的标志
0040C1E0 00 00 00 00 2E 1F 01 00 10 1F 01 00 ............
00413613 3BB5 DF4E4000 CMP ESI,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
00413625 /75 0F JNZ SHORT PESpin.00413636 ; 应该跳
00413636 817E 10 101F0100 CMP DWORD PTR DS:[ESI+10],11F10 ; DLL 处理完的标志
...
0041366A /FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 0041366F(没完), 004138AB(处理完了)
0041366F 8B5E 0C MOV EBX,DWORD PTR DS:[ESI+C] ; 指向 DLL Name
00413672 039D DF4E4000 ADD EBX,DWORD PTR SS:[EBP+404EDF]
00413678 8BFB MOV EDI,EBX
0041367A E8 8B130000 CALL PESpin.00414A0A ; 取反解密, F8
00413686 53 PUSH EBX
00413687 50 PUSH EAX
00413688 FFB5 A24F4000 PUSH DWORD PTR SS:[EBP+404FA2] ; KERNEL32.LoadLibraryA
0041368E 814424 04 14000000 ADD DWORD PTR SS:[ESP+4],14 ; 返回地址 00413698
00413696 C3 RETN
00413698 85C0 TEST EAX,EAX ; KERNEL32.7C570000
0041369A 0F84 AD090000 JE PESpin.0041404D
004136A0 E8 01000000 CALL PESpin.004136A6
004136A6 59 POP ECX ; PESpin.004136A5
004136A7 50 PUSH EAX ; DLL Base
004136A8 51 PUSH ECX
004136A9 55 PUSH EBP
004136AA 810424 66394000 ADD DWORD PTR SS:[ESP],PESpin.00403966 ; 00412CBA
004136B1 814424 04 22000> ADD DWORD PTR SS:[ESP+4],22 ; 返回地址 004136C7
004136B9 C3 RETN ; Call 00412CBA
;=======================================================================================================================
00412CBA 分析 DLL 的 Export 一段子程序
00412CBD 59 POP ECX ; PESpin.004136C7
00412CBE 5A POP EDX ; DLL Base
00412CBF 41 INC ECX
00412CC0 51 PUSH ECX ; 返回地址 004136C8
00412CCA 57 PUSH EDI ; PESpin.0040C4C8
00412CCB 53 PUSH EBX ; DLL Name
00412CCC 8995 FE394000 MOV DWORD PTR SS:[EBP+4039FE],EDX ; [00412D52]=7C570000
00412CD2 8BDA MOV EBX,EDX ; KERNEL32.7C570000
00412CD4 0352 3C ADD EDX,DWORD PTR DS:[EDX+3C] ; DLL PE 头
00412CD7 FF72 7C PUSH DWORD PTR DS:[EDX+7C] ; DLL Export Size
00412CDA 8F85 F6394000 POP DWORD PTR SS:[EBP+4039F6] ; 00412D4A
00412CE0 8B52 78 MOV EDX,DWORD PTR DS:[EDX+78] ; DLL Export RVA
00412CE3 03D3 ADD EDX,EBX
00412CE5 52 PUSH EDX
00412CE6 8F85 F2394000 POP DWORD PTR SS:[EBP+4039F2] ; 00412D46
00412CF5 FF72 20 PUSH DWORD PTR DS:[EDX+20] ; AddressOfNames
00412CF8 5F POP EDI
00412CF9 03FB ADD EDI,EBX
00412CFB 57 PUSH EDI
00412CFC 8F85 023A4000 POP DWORD PTR SS:[EBP+403A02] ; 00412D56
00412D02 FF72 18 PUSH DWORD PTR DS:[EDX+18] ; NumberofNames
00412D05 8F85 D93A4000 POP DWORD PTR SS:[EBP+403AD9] ; 00412E2D
00412D1A FF72 1C PUSH DWORD PTR DS:[EDX+1C] ; AddressOfFunctions
00412D1D 5F POP EDI
00412D1E 03FB ADD EDI,EBX
00412D20 57 PUSH EDI
00412D21 8F85 063A4000 POP DWORD PTR SS:[EBP+403A06] ; 00412D5A
00412D27 FF72 24 PUSH DWORD PTR DS:[EDX+24] ; AddressOfNameOrdinals
00412D2A 5F POP EDI
00412D2B 03FB ADD EDI,EBX
00412D2D 57 PUSH EDI
00412D2E 8F85 FA394000 POP DWORD PTR SS:[EBP+4039FA] ; 00412D4E
00412D34 FF72 10 PUSH DWORD PTR DS:[EDX+10] ; Base
00412D37 8F85 203A4000 POP DWORD PTR SS:[EBP+403A20] ; 00412D74
00412D40 5B POP EBX ; PESpin.0040C4C8
00412D41 5F POP EDI
00412D42 C3 RETN ; 004136C8
;===========================================================================================================================
004136C8 2BD2 SUB EDX,EDX
004136F7 800B 00 OR BYTE PTR DS:[EBX],0 ; 破坏 DLL Name
004136FA 74 0D JE SHORT PESpin.00413709 ; 出口
004136FC 8813 MOV BYTE PTR DS:[EBX],DL
004136FE C1C2 04 ROL EDX,4
00413701 75 01 JNZ SHORT PESpin.00413704
00413704 43 INC EBX ; PESpin.0040C4C8
00413705 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 004136F7
00413709 93 XCHG EAX,EBX
0041370A 8B56 10 MOV EDX,DWORD PTR DS:[ESI+10] ; First Thunk
0041370D 0395 DF4E4000 ADD EDX,DWORD PTR SS:[EBP+404EDF] ; 00400000
00413713 830A 00 OR DWORD PTR DS:[EDX],0
00413716 0F84 59010000 JE PESpin.00413875 ; 一个 DLL 处理完了, 出口
00413729 8B02 MOV EAX,DWORD PTR DS:[EDX]
0041372B A9 00000080 TEST EAX,80000000
00413730 74 0A JE SHORT PESpin.0041373C ; 跳, Name 导入, 否则 Oridnal 导入
00413732 25 FFFFFF7F AND EAX,7FFFFFFF
00413737 2BFF SUB EDI,EDI
00413739 /EB 09 JMP SHORT PESpin.00413744
0041373C 40 INC EAX ; NameHash 前保留了API Name 首字母
0041373D 0385 DF4E4000 ADD EAX,DWORD PTR SS:[EBP+404EDF] ; PESpin.00400000
00413743 97 XCHG EAX,EDI ; EDI 指向 NameHash
00413744 68 5DFDD0F9 PUSH F9D0FD5D
00413749 012C24 ADD DWORD PTR SS:[ESP],EBP
0041374C 810424 B4466F06 ADD DWORD PTR SS:[ESP],66F46B4 ; 下面Call 的返回地址 00413765
00413753 68 A17D630F PUSH 0F637DA1
00413758 812C24 9643230F SUB DWORD PTR SS:[ESP],0F234396
0041375F 012C24 ADD DWORD PTR SS:[ESP],EBP
00413762 C3 RETN ; Call 00412D5F, 返回 API 地址
; =====================================================================================================================
; 接下来的一段子程序根据 NameHash 获的 API Address
; 根据 NameHash 求 API, EDI 指向 NameHash
; 根据 Oridnal 求 API, EDI =0, EAX = Oridnal
00412D5F 60 PUSHAD
00412D69 0BFF OR EDI,EDI
00412D6B 75 19 JNZ SHORT PESpin.00412D86 ; 00412D92
00412D6D 8B9D 063A4000 MOV EBX,DWORD PTR SS:[EBP+403A06] ; AddressOfFunctions
00412D73 2D 01000000 SUB EAX,1 ; Oridnal Base
00412D78 8B0483 MOV EAX,DWORD PTR DS:[EBX+EAX*4]
00412D7B 0385 FE394000 ADD EAX,DWORD PTR SS:[EBP+4039FE] ; 根据 Oridnal 求地址 API 地址 OK
00412D81 /E9 B1000000 JMP PESpin.00412E37
00412D92 8B9D 023A4000 MOV EBX,DWORD PTR SS:[EBP+403A02] ; AddressOfNames
00412D98 8A47 FF MOV AL,BYTE PTR DS:[EDI-1]
00412D9B 24 7F AND AL,7F ; NameHash 前一字母, 第 8 位是标志(是否重定向)
00412D9D 8885 803A4000 MOV BYTE PTR SS:[EBP+403A80],AL ; [00412DD4]
00412DB4 FF37 PUSH DWORD PTR DS:[EDI] ; DllName Hash
00412DB6 8F85 AD3A4000 POP DWORD PTR SS:[EBP+403AAD] ; [00412E01]
00412DBC 2BC9 SUB ECX,ECX
00412DBE 8327 00 AND DWORD PTR DS:[EDI],0 ; 破坏
00412DCA 8B3B MOV EDI,DWORD PTR DS:[EBX]
00412DCC 03BD FE394000 ADD EDI,DWORD PTR SS:[EBP+4039FE] ; 从 Export 中取出名字
00412DD2 803F 47 CMP BYTE PTR DS:[EDI],47 ; 比较首字母
00412DD5 75 50 JNZ SHORT PESpin.00412E27
00412DD7 E8 03000000 CALL PESpin.00412DDF ; 首字母对上了, 再比较 NameHash
00412DDF 58 POP EAX
00412DE0 8D6424 FC LEA ESP,DWORD PTR SS:[ESP-4]
00412DE4 05 24000000 ADD EAX,24
00412DE9 870424 XCHG DWORD PTR SS:[ESP],EAX ; 00412EE0 下面 CALL 返回地址
00412DEC 8D85 415C028F LEA EAX,DWORD PTR SS:[EBP+8F025C41]
00412DF2 2D BF0AC28E SUB EAX,8EC20ABF
00412DF7 50 PUSH EAX
00412DF8 C3 RETN ; 004144D6 ( Hash 函数)
00412E00 3D 3A4E99D2 CMP EAX,D2994E3A ; 比较 Hash
00412E05 75 20 JNZ SHORT PESpin.00412E27
00412E07 8B85 FA394000 MOV EAX,DWORD PTR SS:[EBP+4039FA] ; AddressOfNameOrdinals
00412E0D D1E1 SHL ECX,1 ; 第几个
00412E0F 03C1 ADD EAX,ECX
00412E11 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
00412E14 C1E0 02 SHL EAX,2
00412E17 0385 063A4000 ADD EAX,DWORD PTR SS:[EBP+403A06] ; AddressOfFunctions
00412E1D 8B00 MOV EAX,DWORD PTR DS:[EAX]
00412E1F 0385 FE394000 ADD EAX,DWORD PTR SS:[EBP+4039FE] ; Dll Base
00412E25 EB 10 JMP SHORT PESpin.00412E37
00412E27 83C3 04 ADD EBX,4 ; Export 中下一个 API
00412E2A 41 INC ECX
00412E2B 81F9 3D030000 CMP ECX,33D
00412E31 ^ 75 97 JNZ SHORT PESpin.00412DCA
00412E33 33C0 XOR EAX,EAX ; 找不到, 则 API address = 0
00412E35 EB 3F JMP SHORT PESpin.00412E76
00412E37 8BBD F2394000 MOV EDI,DWORD PTR SS:[EBP+4039F2] ; 是否是指向另一 DLL
00412E3D 3BC7 CMP EAX,EDI
00412E3F 76 35 JBE SHORT PESpin.00412E76
00412E41 03BD F6394000 ADD EDI,DWORD PTR SS:[EBP+4039F6]
00412E47 3BF8 CMP EDI,EAX
00412E49 76 2B JBE SHORT PESpin.00412E76
00412E4B 8DBD AC2C4000 LEA EDI,DWORD PTR SS:[EBP+402CAC] ; 指向另一 DLL 的另一 API
00412E51 96 XCHG EAX,ESI
00412E52 33C9 XOR ECX,ECX
00412E54 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
00412E57 3C 2E CMP AL,2E ; "."
00412E59 74 04 JE SHORT PESpin.00412E5F
00412E5B 41 INC ECX
00412E5C AA STOS BYTE PTR ES:[EDI]
00412E5D ^ EB F5 JMP SHORT PESpin.00412E54
00412E5F 41 INC ECX
00412E60 03F1 ADD ESI,ECX
00412E62 56 PUSH ESI
00412E63 2C 2E SUB AL,2E
00412E65 AA STOS BYTE PTR ES:[EDI]
00412E66 2BF9 SUB EDI,ECX
00412E68 57 PUSH EDI
00412E69 FF95 A24F4000 CALL DWORD PTR SS:[EBP+404FA2] ; LoadLibraryA
00412E6F 50 PUSH EAX
00412E70 FF95 A74F4000 CALL DWORD PTR SS:[EBP+404FA7] ; GetProcAddress
00412E76 /EB 01 JMP SHORT PESpin.00412E79
00412E79 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; KERNEL32.GetCommandLineA
00412E7D 61 POPAD
00412E7E FF0424 INC DWORD PTR SS:[ESP] ; 返回地址 00413766
00412EB3 0BC0 OR EAX,EAX ; KERNEL32.GetCommandLineA
00412EB5 C3 RETN
; ========================================================================================================================
00413766 /0F84 A4080000 JE PESpin.00414010 ; API 地址是否为 0
00413775 0BFF OR EDI,EDI ; 为 0 表示 Ordinal 导入
0041377A 9C PUSHFD
...
004137A4 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 004137A9(Name), 0041384A(Ordinal)
004137A9 0FBA67 FF 07 BT DWORD PTR DS:[EDI-1],7 ; API 名字首字母最高位为 1 吗? 为 1 需要重定向, 为 0 不需要
004137E6 /FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 004137EB(重定向), 0041384A(不要重定向) *****************************改成 JMP 41384A
004137EB E8 03000000 CALL PESpin.004137F3
004137FC 68 ED4E4000 PUSH PESpin.00404EED
00413801 012C24 ADD DWORD PTR SS:[ESP],EBP ; 00414241, 参数 2, 放已用的字节数
00413804 FFB5 E54E4000 PUSH DWORD PTR SS:[EBP+404EE5] ; [00414239]=8C0000, Buffer For IAT redirection, 参数1
0041381B E8 03000000 CALL PESpin.00413823
00413823 5B POP EBX
00413824 81C3 19000000 ADD EBX,19
0041382A 53 PUSH EBX ; 00413839, 下面 CALL 的返回地址
0041382B 8D9D 1453288E LEA EBX,DWORD PTR SS:[EBP+8E285314]
00413831 81EB BC1AE88D SUB EBX,8DE81ABC
00413837 ^\FFE3 JMP EBX ; PESpin.00412BAC ( Stolen API 的 CALL)
00412BAC 55 PUSH EBP
00412BAD 8BEC MOV EBP,ESP
00412BAF 60 PUSHAD
...
00412C98 61 POPAD
00412C99 C9 LEAVE
00412C9A C2 0800 RETN 8 ; CALL 有两个参数, 返回 API 被偷后的新地址
00413839 0BE4 OR ESP,ESP
0041383B 75 01 JNZ SHORT PESpin.0041383E
0041384A E8 6AF6FFFF CALL PESpin.00412EB9 ; 修正代码中的跳转表(跳转表大部分被变形了)
0041384F
; ==============================================================================================================================
00412EC5 57 PUSH EDI
00412EC9 51 PUSH ECX ; PESpin.004136C8
00412ED3 BF 8CA04000 MOV EDI,PESpin.0040A08C
00412EDB B9 8C010000 MOV ECX,18C ; 6 字节一组, 0040A08C-0040A216
00412EF1 3917 CMP DWORD PTR DS:[EDI],EDX ; FirstThunk
00412EFF /0F84 90000000 JE PESpin.00412F95 ; ********************************* 改成 JMP 00412F4B
00412F05 47 INC EDI ; PESpin.0040A08C
00412F09 49 DEC ECX
00412F0A 9C PUSHFD
...
00412F40 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00412EF1(ECX>0), 00412F48(ECX=0)
00412F48 /EB 01 JMP SHORT PESpin.00412F4B ; 找不到表示壳不用处理该 API
00412F4B /EB 02 JMP SHORT PESpin.00412F4F
00412F7D 8902 MOV DWORD PTR DS:[EDX],EAX ; EDX 是 FirstThunk
00412F90 /E9 B2000000 JMP PESpin.00413047
00412F95 /EB 04 JMP SHORT PESpin.00412F9B ; 找到了, [EDI]=EDX
00412F9E 807F FF 00 CMP BYTE PTR DS:[EDI-1],0
00412FA2 /74 60 JE SHORT PESpin.00413004 ; 实际到 00413010
00412FB5 807F FF EA CMP BYTE PTR DS:[EDI-1],0EA
00412FB9 ^\75 90 JNZ SHORT PESpin.00412F4B ; 不是 0, EA 开头表示壳不用处理该 API
00412FC4 FE4F FF DEC BYTE PTR DS:[EDI-1] ; EA->E9
00412FC7 83C7 04 ADD EDI,4
00412FCA 2BC7 SUB EAX,EDI
00412FCC 8947 FC MOV DWORD PTR DS:[EDI-4],EAX ; 计算偏移地址
00413001 /EB 44 JMP SHORT PESpin.00413047
00413010 8907 MOV DWORD PTR DS:[EDI],EAX ; API 被偷后的新地址
00413047 59 POP ECX
0041304B 5F POP EDI
0041304C C3 RETN
;================================================================================================================================
00413860 83C2 04 ADD EDX,4 ; 处理该 DLL 的下一个 API
0041386F ^\E9 9FFEFFFF JMP PESpin.00413713
00413875 8366 10 00 AND DWORD PTR DS:[ESI+10],0 ; 破坏
00413879 74 01 JE SHORT PESpin.0041387C
0041387C 83C6 14 ADD ESI,14
00413890 ^\E9 A1FDFFFF JMP PESpin.00413636 ; 下一个 DLL
004138AB /EB 07 JMP SHORT PESpin.004138B4 ; 所有 DLL 都处理完了
00413960 81EF B916320E SUB EDI,0E3216B9 ; 00413ACB
0041397A F3: PREFIX REP:
0041397B 0F31 RDTSC ; 取时间
0041397D 50 PUSH EAX
0041397E F3: PREFIX REP:
0041397F 0F31 RDTSC
00413984 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
0041398B 2B4424 FC SUB EAX,DWORD PTR SS:[ESP-4] ; 时间差
00413992 0BC0 OR EAX,EAX
00413994 75 01 JNZ SHORT PESpin.00413997
00413997 3D FF0F0000 CMP EAX,0FFF ; EAX 要小于 FFF *******************************************************
0041399C 9C PUSHFD
004139C2 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 004139FD(OK), 004139D2(Over)
00413A25 B8 EC355E6B MOV EAX,6B5E35EC
00413A3B BB 4A58370E MOV EBX,0E37584A
00413A40 2BC3 SUB EAX,EBX
00413A42 3D 368E9579 CMP EAX,79958E36 ; 相等表示没有代码被搬到 PE 头
00413A50 /74 79 JE SHORT PESpin.00413ACB
00413A52 BE 19694100 MOV ESI,PESpin.00416919
00413A57 B9 62020000 MOV ECX,262
00413A5C 51 PUSH ECX
00413A5D B0 BF MOV AL,0BF
00413A5F 304431 FF XOR BYTE PTR DS:[ECX+ESI-1],AL ; 解密
00413A6F 004C31 FF ADD BYTE PTR DS:[ECX+ESI-1],CL
00413A73 49 DEC ECX
00413A74 9C PUSHFD
...
00413AA1 ^\FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 00413A5F(ECX>0), 00413AA9(ECX=0)
00413AA9 59 POP ECX
00413ABB BF C0014000 MOV EDI,PESpin.004001C0 ; 把代码复制到 PE 头
00413AC9 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ESI = 00416919
00413ACB 60 PUSHAD
00413ADE 61 POPAD
00413AE5 83C4 04 ADD ESP,4
00413B02 61 POPAD ; 终于到伪 OEP 了
// 下面开始修复
//
一. 先写一段代码修复 40A08C 处跳转表
008C0000 60 PUSHAD
008C0001 9C PUSHFD
008C0002 BE 8CA04000 MOV ESI,40A08C
008C0007 8A06 MOV AL,BYTE PTR DS:[ESI]
008C0009 3C EA CMP AL,0EA
008C000B 75 0B JNZ SHORT 008C0018
008C000D 8B5E 01 MOV EBX,DWORD PTR DS:[ESI+1]
008C0010 66:C706 FF25 MOV WORD PTR DS:[ESI],25FF
008C0015 895E 02 MOV DWORD PTR DS:[ESI+2],EBX
008C0018 83C6 06 ADD ESI,6
008C001B 81FE 16A24000 CMP ESI,40A216
008C0021 ^ 72 E4 JB SHORT 008C0007
008C0023 9D POPFD
008C0024 61 POPAD
60 9C BE 8C A0 40 00 8A 06 3C EA 75 0B
8B 5E 01 66 C7 06 FF 25 89 5E 02 83 C6
06 81 FE 16 A2 40 00 72 E4 9D 61
//
二.脱掉 SDK Clear, 搜索 26h 长的 Clear Start, 执行一遍解密, 然后把 SDK Clear Start 和 SDK clear end 清除掉(Nop)
CLEAR_START macro
db 0EBh,24h
db 20h dup (0FBh)
dd 0000BD66h
endm
; 长度 35h, 53d
CLEAR_END macro
db 0EBh,33h
db 02Fh dup (0FAh)
dd 0000BD66h
endm
共有 4 处
1.
00409918 9C PUSHFD ; SDK Clear Start(长度 26h)
00409919 60 PUSHAD
0040991A B9 84E1001F MOV ECX,1F00E184
0040991F BF 9AF24D97 MOV EDI,974DF29A ; 表示 409918
00409924 81E9 65E1001F SUB ECX,1F00E165 ; 1Fh 长度 *********************,
0040992A B8 80D1A091 MOV EAX,91A0D180
0040992F 05 039AA06E ADD EAX,6EA09A03 ; 004168B3
00409934 FF0D 3A994000 DEC DWORD PTR DS:[40993A] ; SMC 40993A
0040993A 0011 ADD BYTE PTR DS:[ECX],DL ; FF10, CALL [EAX]
0040993C 61 POPAD
0040993D 9D POPFD ; (40993E-409918)=26h
1F 长代码
0040995D /EB 0B JMP SHORT PESpin.0040996A ; SDK Clear End (长度 35h)
...
0040998A 9D POPFD
0040998B /EB 05 JMP SHORT PESpin.00409992
0040998D |B8 61EBF91E MOV EAX,1EF9EB61 ; SDK END (409992-40995D)=35h
00409992
2.
00406407 9C PUSHFD
00406408 60 PUSHAD
00406409 B9 00DE9659 MOV ECX,5996DE00
0040640E BF 89BD4D97 MOV EDI,974DBD89
00406413 81E9 78DD9659 SUB ECX,5996DD78 ; 88h
00406419 B8 59FF85EC MOV EAX,EC85FF59
0040641E 05 2A6CBB13 ADD EAX,13BB6C2A
00406423 FF0D 29644000 DEC DWORD PTR DS:[406429]
00406429 0011 ADD BYTE PTR DS:[ECX],DL
0040642B 61 POPAD
0040642C 9D POPFD
88h 代码
004064B5 /EB 0B JMP SHORT PESpin.004064C2
004064E2 9D POPFD
004064E3 EB 05 JMP SHORT PESpin.004064EA
004064E5 7A 61 JPE SHORT PESpin.00406548
004064E7 ^ EB F9 JMP SHORT PESpin.004064E2
004064E9 9B WAIT
004064EA
3.
004065B5 9C PUSHFD
004065B6 60 PUSHAD
004065B7 B9 A5805778 MOV ECX,785780A5
004065BC BF 37BF4D97 MOV EDI,974DBF37
004065C1 81E9 727F5778 SUB ECX,78577F72 ; 133h
004065C7 B8 9668C1E6 MOV EAX,E6C16896
004065CC 05 ED028019 ADD EAX,198002ED
004065D1 FF0D D7654000 DEC DWORD PTR DS:[4065D7]
004065D7 0011 ADD BYTE PTR DS:[ECX],DL
004065D9 61 POPAD
004065DA 9D POPFD
133h 代码
0040670E /EB 0B JMP SHORT PESpin.0040671B
...
0040673B 9D POPFD
0040673C EB 05 JMP SHORT PESpin.00406743
0040673E A8 61 TEST AL,61
00406740 ^ EB F9 JMP SHORT PESpin.0040673B
00406742 3F AAS
00406743
4.
00409A28 9C PUSHFD
00409A29 60 PUSHAD
00409A2A B9 C92E2288 MOV ECX,88222EC9
00409A2F BF AAF34D97 MOV EDI,974DF3AA
00409A34 81E9 4F2B2288 SUB ECX,88222B4F ; 37A
00409A3A B8 470CEAA4 MOV EAX,A4EA0C47
00409A3F 05 3C5F575B ADD EAX,5B575F3C
00409A44 FF0D 4A9A4000 DEC DWORD PTR DS:[409A4A]
00409A4A 0011 ADD BYTE PTR DS:[ECX],DL
00409A4C 61 POPAD
00409A4D 9D POPFD
37Ah
00409DC8 /EB 0B JMP SHORT PESpin.00409DD5
00409DCA |0A81 E970E276 OR AL,BYTE PTR DS:[ECX+76E270E9]
00409DF5 9D POPFD
00409DF6 EB 05 JMP SHORT PESpin.00409DFD
00409DF8 C561 EB LDS ESP,FWORD PTR DS:[ECX-15]
00409DFB F9 STC
00409DFC E5
00409DFD
//
三. 脱掉 SDK Crypt 代码
// 10 字节
CRYPT_START macro
db 0EBh,08h
db 6 dup(0FCh)
db 27h,54h
endm
// 10 字节
CRYPT_END macro
db 0EBh,08h
db 6 dup(0FDh)
db 54h,37h
endm
搜索 FF 15 C3 6B 41 00 这是 Crypt Start, 后面 4 字节是加密字节长度变形值
搜索 FF 15 EB 6B 41 00 这是 Crypt End, 后面 4 字节是加密字节长度变形值
共有 3 对
1.
0040675E FF15 C36B4100 CALL DWORD PTR DS:[416BC3] ; 8a0000 定位到这里, F7 跟进执行解密( 不能用 F8, 会影响加密字节长度 **********************)
00406796 FF15 EB6B4100 CALL DWORD PTR DS:[416BEB] ; 8b0000 执行完加密, nop 掉
2.
00406824 FF15 C36B4100 CALL DWORD PTR DS:[416BC3] ; 被加密字节 50h byte
0040687E FF15 EB6B4100 CALL DWORD PTR DS:[416BEB]
3.
00409F0A FF15 C36B4100 CALL DWORD PTR DS:[416BC3] ; 被加密字节 1Eh byte
00409F32 FF15 EB6B4100 CALL DWORD PTR DS:[416BEB]
//
四.修复 Nanomite 的代码
把 Nanomite 结果复制到 8c0000, 再写一段代码修复被替换的代码
008C0200 60 PUSHAD
008C0201 9C PUSHFD
008C0202 BE 00008C00 MOV ESI,8C0000
008C0207 8B3E MOV EDI,DWORD PTR DS:[ESI]
008C0209 83C6 04 ADD ESI,4
008C020C 8B0E MOV ECX,DWORD PTR DS:[ESI]
008C020E 83C6 04 ADD ESI,4
008C0211 56 PUSH ESI
008C0212 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
008C0214 5E POP ESI
008C0215 83C6 08 ADD ESI,8
008C0218 81FE F0018C00 CMP ESI,8C01F0
008C021E ^ 72 E7 JB SHORT 008C0207
008C0220 9D POPFD
008C0221 61 POPAD
60 9C BE 00 00 8C 00 8B 3E 83 C6 04 8B 0E 83 C6 04
56 F3 A4 5E 83 C6 08 81 FE F0 01 8C 00 72 E7 9D 61
五. 修复被偷到 PE 头的代码 (4001c0-400418)
分成两种
004098FA .- E9 C168FFFF JMP PESpin.004001C0
004098FF .- E9 C768FFFF JMP PESpin.004001CB
00409904 .- E9 CD68FFFF JMP PESpin.004001D6
008C0000 60 PUSHAD
008C0001 9C PUSHFD
008C0002 BF 00104000 MOV EDI,401000
008C0007 8A07 MOV AL,BYTE PTR DS:[EDI]
008C0009 3C E9 CMP AL,0E9
008C000B 75 22 JNZ SHORT 008C002F
008C000D 8B47 01 MOV EAX,DWORD PTR DS:[EDI+1]
008C0010 03C7 ADD EAX,EDI
008C0012 83C0 05 ADD EAX,5
008C0015 3D C0014000 CMP EAX,4001C0
008C001A 72 13 JB SHORT 008C002F
008C001C 3D 18044000 CMP EAX,400418
008C0021 77 0C JA SHORT 008C002F
008C0023 8BF0 MOV ESI,EAX
008C0025 B9 05000000 MOV ECX,5
008C002A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
008C002C 4F DEC EDI
008C002D 90 NOP
008C002E 90 NOP
008C002F 47 INC EDI
008C0030 81FF 00C04000 CMP EDI,40C000
008C0036 ^ 72 CF JB SHORT 008C0007
008C0038 9D POPFD
008C0039 61 POPAD
60 9C BF 00 10 40 00 8A 07 3C E9 75 22
8B 47 01 03 C7 83 C0 05 3D C0 01 40 00
72 13 3D 18 04 40 00 77 0C 8B F0 B9 05
00 00 00 F3 A4 4F 90 90 47 81 FF 00 C0
40 00 72 CF 9D 61
00409953 . E8 9568FFFF CALL PESpin.004001ED
00409958 . E8 9668FFFF CALL PESpin.004001F3
008C0000 60 PUSHAD
008C0001 9C PUSHFD
008C0002 BF 00104000 MOV EDI,401000
008C0007 8A07 MOV AL,BYTE PTR DS:[EDI]
008C0009 3C E8 CMP AL,0E8
008C000B 75 29 JNZ SHORT 008C0036
008C000D 8B47 01 MOV EAX,DWORD PTR DS:[EDI+1]
008C0010 03C7 ADD EAX,EDI
008C0012 83C0 05 ADD EAX,5
008C0015 3D C0014000 CMP EAX,4001C0
008C001A 72 1A JB SHORT 008C0036
008C001C 3D 18044000 CMP EAX,400418
008C0021 77 13 JA SHORT 008C0036
008C0023 8B70 01 MOV ESI,DWORD PTR DS:[EAX+1]
008C0026 03C6 ADD EAX,ESI
008C0028 83C0 05 ADD EAX,5
008C002B 2BC7 SUB EAX,EDI
008C002D 83E8 05 SUB EAX,5
008C0030 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
008C0033 83C7 04 ADD EDI,4
008C0036 47 INC EDI
008C0037 81FF 00C04000 CMP EDI,40C000
008C003D ^ 72 C8 JB SHORT 008C0007
008C003F 9D POPFD
008C0040 61 POPAD
60 9C BF 00 10 40 00 8A 07 3C E8 75 29 8B 47 01 03 C7
83 C0 05 3D C0 01 40 00 72 1A 3D 18 04 40 00 77 13 8B
70 01 03 C6 83 C0 05 2B C7 83 E8 05 89 47 01 83 C7 04
47 81 FF 00 C0 40 00 72 C8 9D 61
6. 找出 Stolen Code
...回到主程序, 一段垃圾代码后, Stolen Code
00413B50 2BC0 SUB EAX,EAX
00413B55 68 3668CFCA PUSH CACF6836
00413B5A 810424 4E687135 ADD DWORD PTR SS:[ESP],3571684E ; push 0040D084
00413B61 50 PUSH EAX ; push 0
00413B65 50 PUSH EAX ; push 0
00413B69 68 733B4100 PUSH PESpin.00413B73 ; call 40a0a4
00413B6E - E9 3165FFFF JMP PESpin.0040A0A4
0040A0A4 - E9 D8FC187C JMP KERNEL32.CreateMutexA
00413B73 68 7D3B4100 PUSH PESpin.00413B7D ; call 40a0ce
00413B78 - E9 5165FFFF JMP PESpin.0040A0CE
0040A0CE - E9 92E1167C JMP KERNEL32.GetLastError
00413B7D 3D B7000000 CMP EAX,0B7 ; cmp eax, 0b7
00413B85 - E9 6E5DFFFF JMP PESpin.004098F8
修复好的代码
004098E0 68 84D04000 PUSH PESpin.0040D084 ; ASCII "PE_SPIN_v1.3"
004098E5 6A 00 PUSH 0
004098E7 6A 00 PUSH 0
004098E9 E8 B6070000 CALL PESpin.0040A0A4 ; JMP to KERNEL32.CreateMutexA
004098EE E8 DB070000 CALL PESpin.0040A0CE ; JMP to KERNEL32.GetLastError
004098F3 3D B7000000 CMP EAX,0B7
004098F8 /75 1E JNZ SHORT PESpin.00409918
//
7. 暗桩, 一共有 5 个
下断 ExitProcess, 找出其中 2 个暗桩
1.
00406617 |. E8 0E280000 CALL unpack.00408E2A ; Nop 掉
00408E2A /$ 8D05 81994000 LEA EAX,DWORD PTR DS:[409981]
00408E30 |. B9 11000000 MOV ECX,11
00408E35 |. BA 54030000 MOV EDX,354
00408E3A |> 81C2 FE0F0000 /ADD EDX,0FFE
00408E40 |. 40 |INC EAX
00408E41 |. 49 |DEC ECX
00408E42 |.^ 75 F6 \JNZ SHORT unpack.00408E3A
00408E44 |. 0FB718 MOVZX EBX,WORD PTR DS:[EAX] ; 409992 必须是 8D90(908Dh)
00408E47 |. 81EB 3CD1FFFF SUB EBX,-2EC4
00408E4D |. 81EB 51EF0000 SUB EBX,0EF51
00408E53 |. 0BDB OR EBX,EBX
00408E55 |. 74 10 JE SHORT unpack.00408E67 ; 必须跳, 否则 over
00408E57 |. 83EC 45 SUB ESP,45
00408E5A |. 8D05 0AE72201 LEA EAX,DWORD PTR DS:[122E70A]
00408E60 |. 2D 5446E200 SUB EAX,0E24654 ; 40A0B6
00408E65 |. FFE0 JMP EAX ; <JMP.&kernel32.ExitProcess>
00408E67 \> C3 RETN
2.
00409CD3 |. E8 EAC5FFFF CALL unpack.004062C2 ; Nop 掉
004062C2 /$ B8 7AA14000 MOV EAX,unpack.0040A17A
004062C7 |. 6A 0A PUSH 0A
004062C9 |. 40 INC EAX
004062CA |. 59 POP ECX
004062CB |. 40 INC EAX
004062CC |. 8A08 MOV CL,BYTE PTR DS:[EAX] ; 40A17C 必须是 E9
004062CE |. 80F9 5C CMP CL,5C
004062D1 |. 75 02 JNZ SHORT unpack.004062D5
004062D3 |. 2AD2 SUB DL,DL
004062D5 |> 80C1 17 ADD CL,17
004062D8 |. 0AC9 OR CL,CL
004062DA |. 74 0F JE SHORT unpack.004062EB
004062DC |. 60 PUSHAD
004062DD |. 55 PUSH EBP
004062DE |. 8D05 99AE4000 LEA EAX,DWORD PTR DS:[40AE99]
004062E4 |. 2D E30D0000 SUB EAX,0DE3
004062E9 |. FFE0 JMP EAX ; <JMP.&kernel32.ExitProcess>
004062EB \> C3 RETN
3. 点 OpenFile 后程序出错
00406552 /. 55 PUSH EBP
00406553 |. 8BEC MOV EBP,ESP
00406555 |. 53 PUSH EBX
00406556 |. 57 PUSH EDI
00406557 |. 56 PUSH ESI
00406558 |. 0FB745 0C MOVZX EAX,WORD PTR SS:[EBP+C]
0040655C |. 66:3D 1101 CMP AX,111
00406560 |. 74 1B JE SHORT unpack.0040657D ; 点三个按钮
00406562 |. 66:3D 1001 CMP AX,110
00406566 |. 74 4D JE SHORT unpack.004065B5 ; 初始化
00406568 |. 66:83F8 02 CMP AX,2
0040656C |. 74 33 JE SHORT unpack.004065A1 ; 结束
0040656E |. 66:83F8 10 CMP AX,10
00406572 |. 74 2D JE SHORT unpack.004065A1 ; 结束
00406574 |. 2BC0 SUB EAX,EAX
00406576 |. 5E POP ESI
00406577 |. 5F POP EDI
00406578 |. 5B POP EBX
00406579 |. C9 LEAVE
0040657A |. C2 1000 RETN 10
0040657D |> 66:837D 10 02 CMP WORD PTR SS:[EBP+10],2 ; Exit 按钮
00406582 |. 74 1D JE SHORT unpack.004065A1
00406584 |. 66:837D 10 03 CMP WORD PTR SS:[EBP+10],3 ; OpenFile 按钮 (有暗桩)
00406589 |. 0F84 BD010000 JE unpack.0040674C
0040658F |. 66:837D 10 01 CMP WORD PTR SS:[EBP+10],1 ; ProtectFile 按钮(有暗桩)
00406594 |. 0F84 1F020000 JE unpack.004067B9
0040659A |. 5E POP ESI
0040659B |. 5F POP EDI
0040659C |. 5B POP EBX
0040659D |. C9 LEAVE
0040659E |. C2 1000 RETN 10
004065A1 |> 6A 00 PUSH 0 ; /Result = 0
004065A3 |. FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9] ; |hWnd = 003D00A8 ('PESpin v1.3',class='#32770')
004065A9 |. E8 B03B0000 CALL <JMP.&user32.EndDialog> ; \EndDialog
004065AE |. 5E POP ESI
004065AF |. 5F POP EDI
004065B0 |. 5B POP EBX
004065B1 |. C9 LEAVE
004065B2 |. C2 1000 RETN 10
// 点 OpenFile 按钮
0040674C |> \E8 42010000 CALL unpack.00406893 ; nop 掉
00406893 /$ 2BDB SUB EBX,EBX
00406895 |. B8 ABA04000 MOV EAX,unpack.0040A0AB
0040689A |. 48 DEC EAX
0040689B |. 8A18 MOV BL,BYTE PTR DS:[EAX] ;40A0AA 必须为 E9
0040689D |. 80EB 71 SUB BL,71
004068A0 |. 80EB 78 SUB BL,78
004068A3 |. C1C3 16 ROL EBX,16 ; EBX 必须为 0
004068A6 |. 58 POP EAX
004068A7 |. 03C3 ADD EAX,EBX ; 否则返回地址不对了
004068A9 |. 50 PUSH EAX
004068AA \. C3 RETN
// 点 ProtectFile 后, 能加壳, 但加壳后的程序提示文件损坏
// 这个暗桩不好找, 去掉 Pespin 的所有选项, 把加壳流程走一遍.
// 如果你写过壳, 比较容易理解的.
004067B9 |> \8D35 A1E14000 LEA ESI,DWORD PTR DS:[40E1A1]
004067BF |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
004067C4 |. 56 PUSH ESI ; |Buffer => fixed.0040E1A1
004067C5 |. 6A 04 PUSH 4 ; |ControlID = 4
004067C7 |. FF35 34D04000 PUSH DWORD PTR DS:[40D034] ; |hWnd = 0002027A (class='#32770',parent=00070234)
004067CD |. E8 B0390000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00406864 |. 68 B9E04000 PUSH fixed.0040E0B9 ; /pThreadId = fixed.0040E0B9
00406869 |. 6A 00 PUSH 0 ; |CreationFlags = 0
0040686B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |pThreadParm
0040686E |. 57 PUSH EDI ; |ThreadFunction => fixed.004068AB, 关键, 下断
0040686F |. 6A 00 PUSH 0 ; |StackSize = 0
00406871 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00406873 |. E8 32380000 CALL <JMP.&kernel32.CreateThread> ; \CreateThread
004068AB /. 55 PUSH EBP ; 线程开始
004068AC |. 8BEC MOV EBP,ESP
004068AE |. 83C4 FC ADD ESP,-4
...
00406B50 |. 6A 0E PUSH 0E ; /ButtonID = E (14.)
00406B52 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406B58 |. E8 2B360000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00406B5D |. 48 DEC EAX
00406B5E |. 75 41 JNZ SHORT fixed.00406BA1 ; 是否选中了 Backup
00406BA9 |. 6A 21 PUSH 21 ; /ButtonID = 21 (33.)
00406BAB |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406BB1 |. E8 D2350000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00406BB6 |. 48 DEC EAX
00406BB7 |. 75 31 JNZ SHORT fixed.00406BEA ; 是否选中了 Password
00406D14 |. 6A 2F PUSH 2F ; /ButtonID = 2F (47.)
00406D16 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406D1C |. E8 67340000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00406D21 |. 48 DEC EAX
00406D22 |. 75 7C JNZ SHORT fixed.00406DA0 ; 是否选中了 MS_DOS header 优化
00406DD2 |. 50 PUSH EAX
00406DD3 |. 6A 2E PUSH 2E ; /ButtonID = 2E (46.)
00406DD5 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00406DDB |. E8 A8330000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00406DE0 |. 48 DEC EAX
00406DE1 |. 58 POP EAX
00406DE2 |. 75 0C JNZ SHORT fixed.00406DF0 ; 是否选中了 Code redirection, 是的话, 头部需要增加大小
00406E93 |. 8B43 78 MOV EAX,DWORD PTR DS:[EBX+78] ; 导出表 RVA
00406E96 |. 0BC0 OR EAX,EAX
00406E98 |. 74 0B JE SHORT fixed.00406EA5
00406E9A |. 50 PUSH EAX
00406E9B |. 68 3ED54000 PUSH fixed.0040D53E ; ASCII "Export : %.8lXh"
00406EA0 |. E8 1FB3FFFF CALL fixed.004021C4
00406EA5 |> 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80] ; 导入表 RVA
00406EAB |. 50 PUSH EAX
00406EAC |. 68 2DD54000 PUSH fixed.0040D52D ; ASCII "Import : %.8lXh"
00406EB1 |. E8 0EB3FFFF CALL fixed.004021C4
00406EB6 |. 8B83 88000000 MOV EAX,DWORD PTR DS:[EBX+88] ; 资源 RVA
00406EBC |. 0BC0 OR EAX,EAX
00406EBE |. 74 0B JE SHORT fixed.00406ECB
00406FFD |. 6A 0D PUSH 0D ; /ButtonID = D (13.)
00406FFF |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407005 |. E8 7E310000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
0040700A |. 48 DEC EAX
0040700B |. 75 0B JNZ SHORT fixed.00407018 ; 是否选中了 API redirection
0040716B |. 6A 28 PUSH 28 ; /ButtonID = 28 (40.)
0040716D |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407173 |. E8 10300000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00407178 |. 48 DEC EAX
00407179 |. 74 73 JE SHORT fixed.004071EE ; 是否选中了 Strip overlay
00407250 |> \6A 29 PUSH 29 ; /ButtonID = 29 (41.)
00407252 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407258 |. E8 2B2F0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
0040725D |. 48 DEC EAX
0040725E |. 0F85 C9000000 JNZ fixed.0040732D ; 是否选中了 Strip .reloc section
00407341 |. 6A 0A PUSH 0A ; /ButtonID = A (10.)
00407343 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407349 |. E8 3A2E0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
0040734E |. 48 DEC EAX
0040734F |. 75 6A JNZ SHORT fixed.004073BB ; 是否选中了 Add Debug Dection
004073BB
// 暗桩4, 去掉这个暗桩后, 加壳的程序不提示, 直接退出了, 看来还有问题, 继续
004073D2 |. BF 2B8F4002 MOV EDI,2408F2B
004073D7 |. 81EF 91EDFF01 SUB EDI,1FFED91 ; 40A19A
004073DD |. B0 3D MOV AL,3D
004073DF |. 34 D4 XOR AL,0D4 ; E9
004073E1 |. 3807 CMP BYTE PTR DS:[EDI],AL ; 40A19A 必须是 E9
004073E3 |. 74 07 JE SHORT fixed.004073EC ; 改成 JMP
004073E5 |. 8305 30804000>ADD DWORD PTR DS:[408030],20 ; 影响下面 0040802F 校验和的计算
004073EC |> C705 6AE54000>MOV DWORD PTR DS:[40E56A],0
00407622 |. 6A 27 PUSH 27 ; /ButtonID = 27 (39.)
00407624 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
0040762A |. E8 592B0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
0040762F |. 48 DEC EAX
00407630 |. 0F85 DF000000 JNZ fixed.00407715 ; 是否选中了 Remove OEP
00407793 |. 51 PUSH ECX
00407794 |. 6A 2E PUSH 2E ; /ButtonID = 2E (46.)
00407796 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
0040779C |. E8 E7290000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
004077A1 |. 59 POP ECX
004077A2 |. 48 DEC EAX
004077A3 |. 0F85 90000000 JNZ fixed.00407839 ; 是否选中了 Code Redirection
00407B22 |> \6A 0F PUSH 0F ; /ButtonID = F (15.)
00407B24 |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407B2A |. E8 59260000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00407B2F |. 48 DEC EAX
00407B30 |. 75 0D JNZ SHORT fixed.00407B3F ; 是否选中了 AntiDump
00407C2C |. 6A 2A PUSH 2A ; /ButtonID = 2A (42.)
00407C2E |. FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00020264 (class='#32770',parent=00070234)
00407C34 |. E8 4F250000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00407C39 |. A3 F5E04000 MOV DWORD PTR DS:[40E0F5],EAX ; 是否选中了 Compress resource
00407C88 |. 51 PUSH ECX
00407C89 |. 53 PUSH EBX
00407C8A |. 50 PUSH EAX
00407C8B |. E8 F0A0FFFF CALL fixed.00401D80 ; 返回最大一块压缩区段大小, 这里有问题, F7 进去看看
00407C90 |. 8BD0 MOV EDX,EAX
00407D63 |> /833D F5E04000>/CMP DWORD PTR DS:[40E0F5],0 ; 压缩区段
00407D6A |. |0F84 B4000000 |JE fixed.00407E24
00407E5E |. E8 3D3A0000 |CALL fixed.0040B8A0 ; 更新进度条
00407EEC |. 8305 49E14000>|ADD DWORD PTR DS:[40E149],28
00407EF3 |. 8305 45E14000>|ADD DWORD PTR DS:[40E145],28
00407EFA |. FF05 41E14000 |INC DWORD PTR DS:[40E141]
00407F00 |. 59 |POP ECX
00407F01 |. 49 |DEC ECX
00407F02 |.^ 0F85 5BFEFFFF \JNZ fixed.00407D63
00407F7E . FF73 08 PUSH DWORD PTR DS:[EBX+8] ; /hObject
00407F81 . E8 06210000 CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
0040802F . B9 20000000 MOV ECX,20 ; 计算 20h 的校验和(401000-401020),
00408034 . 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; 400 Raw Offset
00408037 . 03F8 ADD EDI,EAX
00408039 . E8 C6D7FFFF CALL fixed.00405804
0040833B > \6A 11 PUSH 11 ; /ButtonID = 11 (17.)
0040833D . FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00100174 (class='#32770',parent=0007025C)
00408343 . E8 401E0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00408348 . 48 DEC EAX
00408349 . 75 24 JNZ SHORT fixed.0040836F ; 是否选中了 Close Program After x minute
00408376 > \6A 08 PUSH 8 ; /ButtonID = 8
00408378 . FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00100174 (class='#32770',parent=0007025C)
0040837E . E8 051E0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
00408383 . 48 DEC EAX
00408384 . 75 2B JNZ SHORT fixed.004083B1 ; 是否选中了 Section Name( User Name)
004083B1 > \6A 15 PUSH 15 ; /ButtonID = 15 (21.)
004083B3 . FF35 38D04000 PUSH DWORD PTR DS:[40D038] ; |hWnd = 00100174 (class='#32770',parent=0007025C)
004083B9 . E8 CA1D0000 CALL <JMP.&user32.IsDlgButtonChecked> ; \IsDlgButtonChecked
004083BE . 48 DEC EAX
004083BF . 75 34 JNZ SHORT fixed.004083F5 ; 是否选中了 Random Section Name
004085C9 . FF73 08 PUSH DWORD PTR DS:[EBX+8] ; /hObject
004085CC . E8 BB1A0000 CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
00408D35 . FF73 08 PUSH DWORD PTR DS:[EBX+8] ; /hObject
00408D38 . E8 4F130000 CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
00408D3D . 6A 00 PUSH 0 ; /Text = NULL
00408D3F . 6A 04 PUSH 4 ; |ControlID = 4
00408D41 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00408D44 . E8 6F140000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00408D49 . 6A 00 PUSH 0 ; /Text = NULL
00408D4B . 6A 05 PUSH 5 ; |ControlID = 5
00408D4D . FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9] ; |hWnd = 000A027A ('PESpin v1.3',class='#32770')
00408D53 . E8 60140000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00408D58 . 68 47D84000 PUSH fixed.0040D847 ; /Text = "File successfully protected"
00408D5D . 6A 05 PUSH 5 ; |ControlID = 5
00408D5F . FF35 C9E04000 PUSH DWORD PTR DS:[40E0C9] ; |hWnd = 000A027A ('PESpin v1.3',class='#32770')
00408D65 . E8 4E140000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00408D6A . 68 D5D34000 PUSH fixed.0040D3D5 ; /lParam = 40D3D5
00408D6F . 6A 00 PUSH 0 ; |wParam = 0
00408D71 . 68 80010000 PUSH 180 ; |Message = LB_ADDSTRING
00408D76 . FF35 CDE04000 PUSH DWORD PTR DS:[40E0CD] ; |hWnd = 90264
00408D7C . E8 2B140000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00408D81 . E8 1394FFFF CALL fixed.00402199
00408D86 . 803D 04E64000>CMP BYTE PTR DS:[40E604],0
00408D8D . 74 1C JE SHORT fixed.00408DAB
00408E01 . 5B POP EBX
00408E02 . 5F POP EDI
00408E03 . 5E POP ESI
00408E04 . C9 LEAVE
00408E05 . C2 0400 RETN 4 ; 线程结束
// 暗桩 5
00401D80 /$ 55 PUSH EBP
00401D81 |. 8BEC MOV EBP,ESP
00401D83 |. 53 PUSH EBX
00401D84 |. 52 PUSH EDX
00401D85 |. 57 PUSH EDI
00401D86 |. 56 PUSH ESI
00401D87 |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
00401D8A |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00401D8D |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00401D90 |. 2BC0 SUB EAX,EAX
00401D92 |. 2BFF SUB EDI,EDI
00401D94 |. 2BF6 SUB ESI,ESI
00401D96 |> 0FA3C3 /BT EBX,EAX
00401D99 |. 73 0B |JNB SHORT fixed.00401DA6
00401D9B |. 3B7A 10 |CMP EDI,DWORD PTR DS:[EDX+10]
00401D9E |. 77 03 |JA SHORT fixed.00401DA3
00401DA0 |. 8B7A 10 |MOV EDI,DWORD PTR DS:[EDX+10]
00401DA3 |> 0372 10 |ADD ESI,DWORD PTR DS:[EDX+10]
00401DA6 |> 40 |INC EAX
00401DA7 |. 83C2 28 |ADD EDX,28
00401DAA |.^ E2 EA \LOOPD SHORT fixed.00401D96
00401DAC |. 97 XCHG EAX,EDI ; 最大一块压缩区段大小
00401DAD |. 87CE XCHG ESI,ECX ; 所有要压缩区段总的大小
00401DAF |. 50 PUSH EAX ; 开始捣乱
00401DB0 |. B8 FEE24E00 MOV EAX,4EE2FE
00401DB5 |. 2D FE120E00 SUB EAX,0E12FE
00401DBA |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 40D000
00401DBC |. 2D C4F1DE08 SUB EAX,8DEF1C4
00401DC1 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 4098F8 必须是 8DC0 (c08dh)
00401DC3 |. 25 FFFF0000 AND EAX,0FFFF
00401DC8 |. 05 867AD73F ADD EAX,3FD77A86
00401DCD |. 3D 133BD83F CMP EAX,3FD83B13
00401DD2 |. 58 POP EAX
00401DD3 |. 74 15 JE SHORT fixed.00401DEA ; 改成 JMP
00401DD5 |. 8325 6AE54000>AND DWORD PTR DS:[40E56A],0
00401DDC |. 8325 7AE54000>AND DWORD PTR DS:[40E57A],0
00401DE3 |. 8325 4DE14000>AND DWORD PTR DS:[40E14D],0
00401DEA |> 5E POP ESI
00401DEB |. 5F POP EDI
00401DEC |. 5A POP EDX
00401DED |. 5B POP EBX
00401DEE |. C9 LEAVE
00401DEF \. C2 0C00 RETN 0C