Fixing an Asprotect-protected program after unpacking -- DialogBoxIndirectParamA
Liotta[BCG]
This article mainly covers how to fix the encrypted function DialogBoxIndirectParamA after unpacking a program protected by Asprotect 1.3.
For beginners' reference only.
Name: Advanced Direct Remailer
Version: 2.12
Release date: June 1, 2001
Description: Powerful remailer with SMTP server, support for mailing lists, plugins.
Operating system: Windows 98
Target file: Adr.exe
Tools used:
FI
Peditor
Softice
icedump + iceload
ImpREC
References:
fs0, "Unpacking Advanced Email Extractor PRO"
Liotta[BCG], "UNPack CommView v.3.0"
With Asprotect-protected programs, after we unpack them by hand we find that the program often will not run: either it exits by itself, or it shows an error such as "encryption function not found". It never goes smoothly. For us beginners, completing a manual unpack is already hard enough, and running into this kind of problem on top of it is a real blow!
How do we fix this problem?
fs0 notes in "Unpacking Advanced Email Extractor PRO":
Reasons I know of why a program packed with Asprotect will not run after unpacking:
1. The original program calls Asprotect's "Export Function"; the simplest form is:
push ..
push -1
call GetProcAddress
and it checks whether the return value is 0; if it is 0, it reports an error or exits (AeePro does this).
2. The original program self-checks the packed program (it is already packed; I really don't know how it checks).
3. Asprotect calls the original program's "initialization" function, so by the time OEP is reached some global variables have already been initialized; the unpacked program will very likely fail when run. The solution is to modify the unpacked program so that it first runs that "initialization" function and then jumps to OEP.
4. And then there is DialogBoxIndirectParamA and the like.
Now let's discuss this DialogBoxIndirectParamA problem using the fix of the unpacked ADR as the example.
First, find the program's OEP and dump it, then rebuild the import table and patch the dump file. If you are not yet clear on unpacking Asprotect-protected programs, please read the reference documents above carefully.
When we run our unpacked program, a "Crypt API not found." error box appears and the program exits.
Let's BPX MessageBoxA, press F12 to return to the program's own code, and look upward:
017F:00433590 6A04          PUSH  BYTE +04
017F:00433592 6AFF          PUSH  BYTE -01
017F:00433594 FF154C014400  CALL  `KERNEL32!GetProcAddress`
017F:0043359A 85C0          TEST  EAX,EAX                   <-- EAX=0 means error
017F:0043359C A36C564600    MOV   [0046566C],EAX
017F:004335A1 7516          JNZ   004335B9                  <-- change 75 to EB to fix
017F:004335A3 6A10          PUSH  BYTE +10
017F:004335A5 68E0424400    PUSH  DWORD 004442E0
017F:004335AA 68C4774400    PUSH  DWORD 004477C4
017F:004335AF 50            PUSH  EAX
017F:004335B0 FF15A4034400  CALL  `USER32!MessageBoxA`      <-- error message box
017F:004335B6 33C0          XOR   EAX,EAX
017F:004335B8 C3            RET                             <-- exit
See? Changing 75 to EB with a hex editor fixes the simplest error.
After that fix the program runs. But when we click Registration in the HELP menu, a serious error occurs!!
We disassemble the program with W32DASM and find that Registration under HELP calls USER32.dll!DialogBoxIndirectParamA, so we can be sure the DialogBoxIndirectParamA function is the culprit! We also find that it is called from several places.
One of them:
* Reference To: USER32.DialogBoxIndirectParamA, Ord:0091h
|
:00434713 FF1568034400 Call dword ptr [00440368]
Address 00440368 holds the call address of the USER32.dll!DialogBoxIndirectParamA function.
Let's first look at the USER32.dll!DialogBoxIndirectParamA function in the original form found while unpacking:
017F:00F5C898 55            PUSH  EBP
017F:00F5C899 8BEC          MOV   EBP,ESP
017F:00F5C89B 53            PUSH  EBX
017F:00F5C89C 8B5D08        MOV   EBX,[EBP+08]
017F:00F5C89F 8B4518        MOV   EAX,[EBP+18]
017F:00F5C8A2 50            PUSH  EAX
017F:00F5C8A3 8B4514        MOV   EAX,[EBP+14]
017F:00F5C8A6 50            PUSH  EAX
017F:00F5C8A7 8B4510        MOV   EAX,[EBP+10]
017F:00F5C8AA 50            PUSH  EAX
017F:00F5C8AB 6A05          PUSH  BYTE +05
017F:00F5C8AD 8B450C        MOV   EAX,[EBP+0C]
017F:00F5C8B0 50            PUSH  EAX
017F:00F5C8B1 53            PUSH  EBX
017F:00F5C8B2 E8157BFFFF    CALL  `KERNEL32!FindResourceA`           <-- note the machine code (5 bytes)
017F:00F5C8B7 50            PUSH  EAX
017F:00F5C8B8 53            PUSH  EBX
017F:00F5C8B9 E87E7BFFFF    CALL  `KERNEL32!LoadResource`            <-- note the machine code (5 bytes)
017F:00F5C8BE 50            PUSH  EAX
017F:00F5C8BF E8807BFFFF    CALL  `KERNEL32!LockResource`            <-- note the machine code (5 bytes)
017F:00F5C8C4 50            PUSH  EAX
017F:00F5C8C5 53            PUSH  EBX
017F:00F5C8C6 E8917BFFFF    CALL  `USER32!DialogBoxIndirectParamA`   <-- note the machine code (5 bytes)
017F:00F5C8CB 5B            POP   EBX
017F:00F5C8CC 5D            POP   EBP
017F:00F5C8CD C21400        RET   14
But since we have rebuilt the import table, the function above needs a slight modification before it can be referenced.
When rebuilding the import table with ImpREC we see the following relevant entries:
Flag  RVA       ModuleName    Ordinal  Name
1     00040138  KERNEL32.dll  0123     FindResourceA
1     0004012C  KERNEL32.dll  023E     LockResource
1     00040130  KERNEL32.dll  022E     LoadResource
1     00040368  USER32.dll    0091     DialogBoxIndirectParamA
From this we know:
the call address of KERNEL32!FindResourceA is stored at 00040138+400000=00440138
the call address of KERNEL32!LoadResource is stored at 00440130
the call address of KERNEL32!LockResource is stored at 0044012C
the call address of USER32!DialogBoxIndirectParamA is stored at 00440368
So we make the following modifications:
017F:004D0F98 55            PUSH  EBP
017F:004D0F99 8BEC          MOV   EBP,ESP
017F:004D0F9B 53            PUSH  EBX
017F:004D0F9C 8B5D08        MOV   EBX,[EBP+08]
017F:004D0F9F 8B4518        MOV   EAX,[EBP+18]
017F:004D0FA2 50            PUSH  EAX
017F:004D0FA3 8B4514        MOV   EAX,[EBP+14]
017F:004D0FA6 50            PUSH  EAX
017F:004D0FA7 8B4510        MOV   EAX,[EBP+10]
017F:004D0FAA 50            PUSH  EAX
017F:004D0FAB 6A05          PUSH  BYTE +05
017F:004D0FAD 8B450C        MOV   EAX,[EBP+0C]
017F:004D0FB0 50            PUSH  EAX
017F:004D0FB1 53            PUSH  EBX
017F:004D0FB2 FF1538014400  CALL  `KERNEL32!FindResourceA`           <-- note the machine code (6 bytes)
017F:004D0FB8 50            PUSH  EAX
017F:004D0FB9 53            PUSH  EBX
017F:004D0FBA FF1530014400  CALL  `KERNEL32!LoadResource`            <-- note the machine code (6 bytes)
017F:004D0FC0 50            PUSH  EAX
017F:004D0FC1 FF152C014400  CALL  `KERNEL32!LockResource`            <-- note the machine code (6 bytes)
017F:004D0FC7 50            PUSH  EAX
017F:004D0FC8 53            PUSH  EBX
017F:004D0FC9 FF1568034400  CALL  `USER32!DialogBoxIndirectParamA`   <-- note the machine code (6 bytes)
017F:004D0FCF 5B            POP   EBX
017F:004D0FD0 5D            POP   EBP
017F:004D0FD1 C21400        RET   14
Now let's apply the patch! Find a suitably sized block of unused space; I picked a block in the section that ImpREC added when rebuilding the import table:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000D0F90  98 0F 4D 00 00 00 00 00 55 8B EC 53 8B 5D 08 8B  ?M.....U‹ìS‹].?
000D0FA0  45 18 50 8B 45 14 50 8B 45 10 50 6A 05 8B 45 0C  E.P‹E.P‹E.Pj.‹E.
000D0FB0  50 53 FF 15 38 01 44 00 50 53 FF 15 30 01 44 00  PSÿ.8.D.PSÿ.0.D.
000D0FC0  50 FF 15 2C 01 44 00 50 53 FF 15 68 03 44 00 5B  Pÿ.,.D.PSÿ.h.D.[
000D0FD0  5D C2 14 00 00 00 00 00 00 00 00 00 00 00 00 00  ]?.............
Offset 000D0F90 holds the function's call address, 004D0F98, and the machine code of the corrected function is written starting at offset 000D0F98.
Finally, change Call dword ptr [00440368] at each of the call sites found earlier to Call dword ptr [004D0F90]:
One of them:
* Reference To: USER32.DialogBoxIndirectParamA, Ord:0091h
|
:00434713 FF15900F4D00 Call dword ptr [004D0F90]
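The stub rewrite above, redone in Python as an added example (my own code, not from the post or from Asprotect): it takes the stub bytes, their address and the ImpREC RVAs exactly as listed in the post, assumes the post's image base of 400000, resolves where the 5-byte E8 relative calls pointed (into the Asprotect loader at 00F5xxxx, memory that is not in the dump, which is why the stub fails once dumped) and re-emits them as 6-byte FF 15 calls through the rebuilt IAT. The names insn_len and relocate_stub are mine; the output is byte for byte the patched code shown in the hex dump above.

```python
import struct

IMAGE_BASE = 0x00400000  # the post's "+400000"

# Asprotect's emulated DialogBoxIndirectParamA, copied from the Softice listing in the
# post (017F:00F5C898). Every CALL is E8 rel32: 5 bytes, relative to the loader's code.
STUB_VA = 0x00F5C898
STUB = bytes.fromhex(
    "55 8BEC 53 8B5D08 8B4518 50 8B4514 50 8B4510 50 6A05 8B450C 50 53 E8157BFFFF"
    "50 53 E87E7BFFFF 50 E8807BFFFF 50 53 E8917BFFFF 5B 5D C21400"
)
# IAT slot RVAs from the ImpREC table, in the order the stub calls them:
# FindResourceA, LoadResource, LockResource, DialogBoxIndirectParamA.
IAT_RVAS = [0x00040138, 0x00040130, 0x0004012C, 0x00040368]

def insn_len(code, i):
    """Length of the x86-32 instruction at code[i]; only the forms in this stub are
    decoded, anything else raises instead of being silently mis-patched."""
    op = code[i]
    if op in (0x50, 0x53, 0x55, 0x5B, 0x5D):   # push/pop r32
        return 1
    if op == 0x6A:                              # push imm8
        return 2
    if op == 0xC2:                              # ret imm16
        return 3
    if op == 0xE8:                              # call rel32
        return 5
    if op == 0x8B:                              # mov r32, r/m32: reg-reg or [ebp+disp8]
        return {3: 2, 1: 3}[code[i + 1] >> 6]
    raise ValueError(f"unhandled opcode {op:#04x} at offset {i:#x}")

def relocate_stub(code, code_va, iat_rvas, image_base=IMAGE_BASE):
    """Rewrite each E8 rel32 CALL as FF 15 [IAT slot] (6 bytes, absolute), consuming one
    slot per call. Returns (new_code, targets): the VAs the relative calls resolved to."""
    out, targets, slots, i = bytearray(), [], iter(iat_rvas), 0
    while i < len(code):
        n = insn_len(code, i)
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            targets.append((code_va + i + 5 + rel) & 0xFFFFFFFF)
            out += b"\xFF\x15" + struct.pack("<I", image_base + next(slots))
        else:
            out += code[i:i + n]
        i += n
    return bytes(out), targets

if __name__ == "__main__":
    new, targets = relocate_stub(STUB, STUB_VA, IAT_RVAS)
    print("relative calls resolved to:", [f"{t:#010x}" for t in targets])
    print(f"stub grew {len(STUB)} -> {len(new)} bytes:", new.hex(" "))
```

Each relocated call is one byte longer, so the stub grows from 56 to 60 bytes and cannot be patched in place, which is why the post copies it to free space and repoints the call sites through a new slot.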
ÖÕÓڴ󹦸æ³É£¡µã»÷HELPÖеÄRegistrationÐå³öRegistration´°¿Ú¡£Asprotect±£»¤µÄ³ÌÐòÍѿǺóµÄÐÞÕý
¾Í½²µ½ÕâÀϣÍû¶Ô´ó¼ÒÓаïÖú£¡
- Title: Fixing an Asprotect-protected program after unpacking -- DialogBoxIndirectParamA (7 thousand characters)
- Author: liotta[BCG]
- Time: 2001-9-9 6:51:50
- Link: http://bbs.pediy.com