• 标 题:ACProtect 1.21 之 Embedded 和 RSA Protect 探讨 (二)
  • 作 者:simonzh2000
  • 时 间:2004年3月20日 05:36
  • 链 接:http://bbs.pediy.com

【脱文作者】 simonzh2000

【使用工具】 Peid0.92, Ollydbg1.10B(反Antidbg版), ImportREC1.60, LordPE, Winhex

【破解平台】 Win2000SP4 English

【软件名称】 XieXie Master 1.0.10 

【软件简介】 一个法国人的电脑中国象棋,棋力超强,接近大师级水平

【软件大小】 912K

【加壳方式】 ACProtect 1.21 
     使用Stolen Code, API Relocation, Code Replace, SEH等技术
     特殊技术有 Dynamic Encrypt, Embedded Protect, RSA_Lock Code

【作者声明】 上次那篇文章是关于 ACProtect 1.10 ,  1.21 相比 1.10 主要有两点改进
            1. Stolen Code 长度大了
            2. 不能直接用 ImportREC

           同时我的上篇文章中有好多错误, 现在看看都不好意思了, 这次更正. 感谢论坛的各位大侠.  
           本笔记只用于学习交流, 初学Crack,只是感兴趣技术,没有其他目的, 如有不妥之处, 请谅解.


008E8000 >  60              PUSHAD                                             ; // 加壳后OEP, F7
008E8001    BA E95B5FF5     MOV EDX,F55F5BE9
008E8006    42              INC EDX
008E8007    85D7            TEST EDI,EDX

008E8035    8B1F            MOV EBX,DWORD PTR DS:[EDI]
008E8037    2BD9            SUB EBX,ECX
008E8039    C1CB 09         ROR EBX,9
008E803C    2B5F 04         SUB EBX,DWORD PTR DS:[EDI+4]
008E803F    891F            MOV DWORD PTR DS:[EDI],EBX
008E8041    81E9 55CA3D99   SUB ECX,993DCA55
008E8047    83C7 04         ADD EDI,4
008E804A    4D              DEC EBP
008E804B  ^ 0F85 E4FFFFFF   JNZ XieXieMa.008E8035                              ; // 0F85 XXFFFFFF, 循环
                                                                        // 恢复下面一段代码
                                                                        // 后面还有很多, ACProtect 的死穴 
                                                                        // 找0F85 XXFFFFFF, 找到后下一语句 F4 过
008E8BE4  ^ 0F85 DDFFFFFF  JNZ XieXieMa.008E8BC7
008E8BEA    E9 74080100     JMP XieXieMa.008F9463

008F9463    61              POPAD

这句结束后, 将有一些 Stolen Code
记下STACK, Register
同时在 008F9463 下一硬件执行断点, 以方便多次重启

STACK
0012FFC4   7C5987E7  RETURN to KERNEL32.7C5987E7
0012FFC8   005516A8  XieXieMa.005516A8
0012FFCC   00000056
0012FFD0   7FFDF000
0012FFD4   00000200
0012FFD8   0012FFC8
0012FFDC   00000200
0012FFE0   FFFFFFFF  End of SEH chain
0012FFE4   7C5C1BB4  SE handler
0012FFE8   7C572B00  KERNEL32.7C572B00
0012FFEC   00000000
0012FFF0   00000000
0012FFF4   00000000
0012FFF8   008E8000  XieXieMa.<ModuleEntryPoint>
0012FFFC   00000000

EAX 00000000
ECX 00010101
EDX FFFFFFFF
EBX 7FFDF000
ESP 0012FFC4
EBP 0012FFF0
ESI 00000056
EDI 005516A8 


008F9464    57              PUSH EDI
008F9465    8F05 488C8E00   POP DWORD PTR DS:[8E8C48]                          ; XieXieMa.005516A8
008F946B    FF35 488C8E00   PUSH DWORD PTR DS:[8E8C48]                         ; XieXieMa.005516A8
008F9471    50              PUSH EAX
008F9472    C70424 6C8C8E00 MOV DWORD PTR SS:[ESP],XieXieMa.008E8C6C
008F9479    8F05 2C8C8E00   POP DWORD PTR DS:[8E8C2C]                          ; XieXieMa.008E8C6C
008F947F    8B3D 2C8C8E00   MOV EDI,DWORD PTR DS:[8E8C2C]                      ; XieXieMa.008E8C6C
008F9485    892F            MOV DWORD PTR DS:[EDI],EBP                         ; // EBP Save in 8E8C6C
008F9487    90              NOP
008F9488    90              NOP
008F9489    90              NOP
008F948A    90              NOP
008F948B    90              NOP
008F948C    60              PUSHAD
008F948D    E8 03BDFFFF     CALL XieXieMa.008F51DC                             ; // EBP = 4E7000
008F9492    E8 00000000     CALL XieXieMa.008F9497
008F9497    5B              POP EBX
008F9498    2B9D 68214000   SUB EBX,DWORD PTR SS:[EBP+402168]
008F949E    81EB 97140100   SUB EBX,11497                                      ; // EBX=400000
008F94A4    899D 26D04000   MOV DWORD PTR SS:[EBP+40D026],EBX                  ; // save in 8F4026
008F94AA    61              POPAD
008F94AB    8F05 448C8E00   POP DWORD PTR DS:[8E8C44]                          ; XieXieMa.005516A8
008F94B1    FF35 448C8E00   PUSH DWORD PTR DS:[8E8C44]                         ; XieXieMa.005516A8
008F94B7    5F              POP EDI
008F94B8    FF35 6C8C8E00   PUSH DWORD PTR DS:[8E8C6C]                         ; // Push EBP, Stolen Code 1
008F94BE    8F05 848C8E00   POP DWORD PTR DS:[8E8C84]
008F94C4    FF35 848C8E00   PUSH DWORD PTR DS:[8E8C84]
008F94CA    8925 808C8E00   MOV DWORD PTR DS:[8E8C80],ESP                      ; // ESP save in 8E8C80
008F94D0    90              NOP
008F94D1    90              NOP
008F94D2    90              NOP
008F94D3    60              PUSHAD
008F94D4    E8 03BDFFFF     CALL XieXieMa.008F51DC                             ; // EBP = 4E7000
008F94D9    E8 9CBAFFFF     CALL XieXieMa.008F4F7A                             ; // EAX 取随机数
008F94DE    8985 81DF4000   MOV DWORD PTR SS:[EBP+40DF81],EAX
008F94E4    61              POPAD
008F94E5    FF35 808C8E00   PUSH DWORD PTR DS:[8E8C80]
008F94EB    8B2C24          MOV EBP,DWORD PTR SS:[ESP]                         ; // MOV EBP, ESP , Stolen Code 2
008F94EE    8F05 688C8E00   POP DWORD PTR DS:[8E8C68]
008F94F4    50              PUSH EAX                                           ; // 先压一个数入栈
008F94F5    893C24          MOV DWORD PTR SS:[ESP],EDI
008F94F8    890C24          MOV DWORD PTR SS:[ESP],ECX
008F94FB    8F05 648C8E00   POP DWORD PTR DS:[8E8C64]
008F9501    FF35 648C8E00   PUSH DWORD PTR DS:[8E8C64]
008F9507    893C24          MOV DWORD PTR SS:[ESP],EDI
008F950A    90              NOP
008F950B    90              NOP
008F950C    90              NOP
008F950D    60              PUSHAD
008F950E    E8 C9BCFFFF     CALL XieXieMa.008F51DC
008F9513    C685 4CCF4000 0>MOV BYTE PTR SS:[EBP+40CF4C],0
008F951A    61              POPAD
008F951B    C70424 FFFFFFFF MOV DWORD PTR SS:[ESP],-1                          ; // PUSH -1, Stolen Code 3
008F9522    52              PUSH EDX
008F9523    BA 408C8E00     MOV EDX,XieXieMa.008E8C40
008F9528    893A            MOV DWORD PTR DS:[EDX],EDI                         ; // EDI save in 8E8C40
008F952A    5A              POP EDX
008F952B    FF35 408C8E00   PUSH DWORD PTR DS:[8E8C40]                         ; // 先压一个数入栈
008F9531    890C24          MOV DWORD PTR SS:[ESP],ECX
008F9534    8F05 748C8E00   POP DWORD PTR DS:[8E8C74]
008F953A    FF35 748C8E00   PUSH DWORD PTR DS:[8E8C74]
008F9540    90              NOP
008F9541    90              NOP
008F9542    90              NOP
008F9543    60              PUSHAD
008F9544    E8 CDDEFFFF     CALL XieXieMa.008F7416                             ; // 壳所用的函数
008F9549    61              POPAD
008F954A    C70424 B0DB4B00 MOV DWORD PTR SS:[ESP],XieXieMa.004BDBB0           ; // PUSH 4BDBB0, Stolen Code 4
008F9551    51              PUSH ECX
008F9552    893C24          MOV DWORD PTR SS:[ESP],EDI
008F9555    68 608C8E00     PUSH XieXieMa.008E8C60
008F955A    5F              POP EDI
008F955B    8907            MOV DWORD PTR DS:[EDI],EAX
008F955D    8B3C24          MOV EDI,DWORD PTR SS:[ESP]
008F9560    8F05 3C8C8E00   POP DWORD PTR DS:[8E8C3C]                          ; XieXieMa.005516A8
008F9566    FF35 608C8E00   PUSH DWORD PTR DS:[8E8C60]
008F956C    891C24          MOV DWORD PTR SS:[ESP],EBX
008F956F    90              NOP
008F9570    90              NOP
008F9571    90              NOP
008F9572    60              PUSHAD
008F9573    E8 3BDCFFFF     CALL XieXieMa.008F71B3                             ; // 解压 401000 代码有关, F7


// 到 8F9573,  F7 进入 8F71B3, SMC 后
008F735D    47              INC EDI
008F735E    E8 79DEFFFF     CALL XieXieMa.008F51DC                            ; // EBP = 4E7000
008F7363    C685 B3014100 C>MOV BYTE PTR SS:[EBP+4101B3],0C3
008F736A    8DB5 2ED04000   LEA ESI,DWORD PTR SS:[EBP+40D02E]
008F7370    56              PUSH ESI
008F7371    AD              LODS DWORD PTR DS:[ESI]                           ; // 8F402E = 1000
008F7372    0BC0            OR EAX,EAX
008F7374    74 49           JE SHORT XieXieMa.008F73BF
008F7376    90              NOP
008F7377    90              NOP
008F7378    90              NOP
008F7379    90              NOP
008F737A    50              PUSH EAX
008F737B    AD              LODS DWORD PTR DS:[ESI]                           ; // 8F4032 = 4ED26
008F737C    91              XCHG EAX,ECX
008F737D    51              PUSH ECX
008F737E    51              PUSH ECX
008F737F    6A 40           PUSH 40
008F7381    FF95 DFD44000   CALL DWORD PTR SS:[EBP+40D4DF]                    ; // 8F44DF = GlobalAlloc(40, 4ED26)
008F7387    8985 2AD04000   MOV DWORD PTR SS:[EBP+40D02A],EAX                 ; // 1346F8 save in 8F402A
008F738D    59              POP ECX
008F738E    58              POP EAX
008F738F    0385 26D04000   ADD EAX,DWORD PTR SS:[EBP+40D026]                 ; // 1000+400000, text section
008F7395    8BF0            MOV ESI,EAX                                       ; // ESI = 401000
008F7397    50              PUSH EAX
008F7398    8BBD 2AD04000   MOV EDI,DWORD PTR SS:[EBP+40D02A]                 ; // EDI = 1346F8
008F739E    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]      ; // ECX = 4ED26
008F73A0    58              POP EAX
008F73A1    50              PUSH EAX
008F73A2    FFB5 2AD04000   PUSH DWORD PTR SS:[EBP+40D02A]
008F73A8    E8 FEE80000     CALL XieXieMa.00905CAB                            ; // 解压缩到 401000
008F73AD    FFB5 2AD04000   PUSH DWORD PTR SS:[EBP+40D02A]
008F73B3    FF95 E3D44000   CALL DWORD PTR SS:[EBP+40D4E3]                    ; // GlobalFree
008F73B9    5E              POP ESI
008F73BA    83C6 08         ADD ESI,8
008F73BD  ^ EB B1           JMP SHORT XieXieMa.008F7370                       ; // 还要解压一次, 807100, rsrc section
008F73BF    5E              POP ESI
008F73C0    68 30750000     PUSH 7530
008F73C5    6A 40           PUSH 40
008F73C7    FF95 DFD44000   CALL DWORD PTR SS:[EBP+40D4DF]                    ; // GlobalAlloc(40, 7530)
008F73CD    8985 2AD04000   MOV DWORD PTR SS:[EBP+40D02A],EAX
008F73D3    60              PUSHAD
008F73D4    E8 00000000     CALL XieXieMa.008F73D9
008F73D9    5E              POP ESI                                           ; XieXieMa.008F73D9
008F73DA    83EE 06         SUB ESI,6
008F73DD    B9 75000000     MOV ECX,75
008F73E2    29CE            SUB ESI,ECX
008F73E4    BA 92917284     MOV EDX,84729192
008F73E9    C1E9 02         SHR ECX,2
008F73EC    83E9 02         SUB ECX,2
008F73EF    83F9 00         CMP ECX,0
008F73F2    7C 1A           JL SHORT XieXieMa.008F740E
008F73F4    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008F73F7    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
008F73FB    2BC3            SUB EAX,EBX
008F73FD    C1C0 1F         ROL EAX,1F
008F7400    2BC2            SUB EAX,EDX
008F7402    81F2 EB11730F   XOR EDX,0F7311EB
008F7408    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX
008F740B    49              DEC ECX
008F740C  ^ EB E1           JMP SHORT XieXieMa.008F73EF
008F740E    61              POPAD
008F740F    61              POPAD
008F7410    E8 011F0000     CALL XieXieMa.008F9316                           
008F7415    C3              RETN                                              ; // return 8F9578



008F9578    61              POPAD
008F9579    C70424 901F4A00 MOV DWORD PTR SS:[ESP],XieXieMa.004A1F90           ; // PUSH 4A1F90, Stolen Code 5
008F9580    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]                           ; // Stolen Code 6
008F9586    53              PUSH EBX
008F9587    BB 588C8E00     MOV EBX,XieXieMa.008E8C58
008F958C    893B            MOV DWORD PTR DS:[EBX],EDI
008F958E    5B              POP EBX
008F958F    FF35 588C8E00   PUSH DWORD PTR DS:[8E8C58]                         ; XieXieMa.005516A8
008F9595    890424          MOV DWORD PTR SS:[ESP],EAX                         ; // PUSH EAX, Stolen code 7
008F9598    8F05 7C8C8E00   POP DWORD PTR DS:[8E8C7C]                          ; // pop
008F959E    90              NOP
008F959F    90              NOP
008F95A0    90              NOP
008F95A1    60              PUSHAD
008F95A2    E8 76FEFFFF     CALL XieXieMa.008F941D
008F95A7    61              POPAD
008F95A8    FF35 7C8C8E00   PUSH DWORD PTR DS:[8E8C7C]                         ; // push
008F95AE    64:8925 0000000>MOV DWORD PTR FS:[0],ESP                           ; // Stolen code 8
008F95B5    83EC 58         SUB ESP,58                                         ; // Stolen code 9
008F95B8    51              PUSH ECX
008F95B9    8F05 548C8E00   POP DWORD PTR DS:[8E8C54]
008F95BF    FF35 548C8E00   PUSH DWORD PTR DS:[8E8C54]
008F95C5    891C24          MOV DWORD PTR SS:[ESP],EBX
008F95C8    8F05 788C8E00   POP DWORD PTR DS:[8E8C78]                          ; // EBX save in 8E8C78
008F95CE    90              NOP
008F95CF    90              NOP
008F95D0    60                          PUSHAD
008F95D1    E8 06BCFFFF     CALL XieXieMa.008F51DC                             ; // F7
008F95D6    6A 00           PUSH 0
008F95D8    E8 0A000000     CALL XieXieMa.008F95E7                             ; // F7


008F95E7    E8 25000000     CALL XieXieMa.008F9611                             ; // F9

008F6829    CD 01                       INT 1                                  ; // 异常
008F682B    40                          INC EAX                                ; // 下断, Shift+F9, 断在这, 取消断点
008F682C    40                          INC EAX
008F682D    0BC0                        OR EAX,EAX
008F682F    75 05                       JNZ SHORT XieXieMa.008F6836
008F6831    90                          NOP
008F6832    90                          NOP
008F6833    90                          NOP
008F6834    90                          NOP
008F6835    61                          POPAD
008F6836    33C0                        XOR EAX,EAX
008F6838    64:8F00                     POP DWORD PTR FS:[EAX]
008F683B    58                          POP EAX
008F683C    60                          PUSHAD
008F683D    E8 00000000                 CALL XieXieMa.008F6842
008F6842    5E                          POP ESI
008F6843    83EE 06                     SUB ESI,6
008F6846    B9 57000000                 MOV ECX,57
008F684B    29CE                        SUB ESI,ECX
008F684D    BA 25F57EDD                 MOV EDX,DD7EF525
008F6852    C1E9 02                     SHR ECX,2
008F6855    83E9 02                     SUB ECX,2
008F6858    83F9 00                     CMP ECX,0
008F685B    7C 1A                       JL SHORT XieXieMa.008F6877
008F685D    8B048E                      MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008F6860    8B5C8E 04                   MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
008F6864    33C3                        XOR EAX,EBX
008F6866    C1C0 0D                     ROL EAX,0D
008F6869    33C2                        XOR EAX,EDX
008F686B    81C2 8E7E53EF               ADD EDX,EF537E8E
008F6871    89048E                      MOV DWORD PTR DS:[ESI+ECX*4],EAX
008F6874    49                          DEC ECX
008F6875  ^ EB E1                       JMP SHORT XieXieMa.008F6858
008F6877    61                          POPAD
008F6878    61                          POPAD
008F6879    C3                          RETN                                  ; // F4到这里, F7一下

008F988A   /E9 02000000                 JMP XieXieMa.008F9891                 ; // F7走, 一直到008F98FB
.
.
.
008F98FB  ^ 0F85 68FFFFFF              JNZ XieXieMa.008F9869                 ; // 循环
008F9901    50                          PUSH EAX                              ; // F4到这里, F7走, 中间三个CALL F8 跳过
008F9902    E8 01000000                 CALL XieXieMa.008F9908
.
008F9944    E8 83EBFFFF                 CALL XieXieMa.008F84CC                ; // F8
.
008F99A1    E8 94CCFFFF                 CALL XieXieMa.008F663A                ; // F8 (就一个 RETN)
.
008F99DF    E8 48C3FFFF                 CALL XieXieMa.008F5D2C                ; // F8
008F99E4    F9                          STC
008F99E5    D3D0                        RCL EAX,CL
008F99E7    83EF 01                     SUB EDI,1
008F99EA  ^ 0F85 78FFFFFF               JNZ XieXieMa.008F9968                 ; // 循环
008F99F0    E8 01000000                 CALL XieXieMa.008F99F6                ; // F4到这里, F7走, 一直到008F9AEB
.

008F9AEB  ^ 0F85 5BFFFFFF              JNZ XieXieMa.008F9A4C                 ; // 循环
008F9AF1    50                          PUSH EAX                              ; // F4到这里, F7走
.

008F9BB3    E8 14E9FFFF                 CALL XieXieMa.008F84CC                ; // F8
008F9BB8    87C6                        XCHG ESI,EAX
008F9BBA    0F89 01000000               JNS XieXieMa.008F9BC1
008F9BC0    46                          INC ESI
008F9BC1    8955 00                     MOV DWORD PTR SS:[EBP],EDX
008F9BC4    50                          PUSH EAX
008F9BC5    E8 01000000                 CALL XieXieMa.008F9BCB
008F9BCB    58                          POP EAX                                 
008F9BCC    58                          POP EAX
008F9BCD    E8 F7DFFFFF                 CALL XieXieMa.008F7BC9                ; // 加载perplex.dll, 判断有无Key.dat, F8
                                                                              ; // 如果没有, 显示 "No License" MessageBox
.

008F9BFD  ^ 0F85 67FFFFFF              JNZ XieXieMa.008F9B6A                 ; // 循环
008F9C03    EB 01                       JMP SHORT XieXieMa.008F9C06           ; // F4 到这里, F9


008F6A7B    90                          NOP                                   ; // 异常
008F6A7C    64:67:8F06 0000             POP DWORD PTR FS:[0]                  ; // 断在这, Shift+F9, 断下,取消断点
008F6A82    83C4 04                     ADD ESP,4
008F6A85    60                          PUSHAD
008F6A86    E8 00000000                 CALL XieXieMa.008F6A8B
008F6A8B    5E                          POP ESI
008F6A8C    83EE 06                     SUB ESI,6
008F6A8F    B9 5B000000                 MOV ECX,5B
008F6A94    29CE                        SUB ESI,ECX
008F6A96    BA A4CAFB52                 MOV EDX,52FBCAA4
008F6A9B    C1E9 02                     SHR ECX,2
008F6A9E    83E9 02                     SUB ECX,2
008F6AA1    83F9 00                     CMP ECX,0
008F6AA4    7C 1A                       JL SHORT XieXieMa.008F6AC0
008F6AA6    8B048E                      MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008F6AA9    8B5C8E 04                   MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
008F6AAD    33C3                        XOR EAX,EBX
008F6AAF    C1C0 1D                     ROL EAX,1D
008F6AB2    33C2                        XOR EAX,EDX
008F6AB4    81EA 0E1DB438               SUB EDX,38B41D0E
008F6ABA    89048E                      MOV DWORD PTR DS:[ESI+ECX*4],EAX
008F6ABD    49                          DEC ECX
008F6ABE  ^ EB E1                       JMP SHORT XieXieMa.008F6AA1
008F6AC0    61                          POPAD
008F6AC1    61                          POPAD
008F6AC2    C3                          RETN                                   ; // F4 到这里, F7 一下

008FA8C0    FC                          CLD
008FA8C1    3346 04                     XOR EAX,DWORD PTR DS:[ESI+4]
008FA8C4    50                          PUSH EAX

以后再 F4, F7, 下面都是循环出口, 也就是0F85 xxFFFFFF 下一句, 可下硬件执行断点
这里有近百个循环, 好变态. (记住, 用 OD 搜索 FF FF FF, 就可以不用 F7)
 
008F9C06 008FB61B 008FC09B 008FC9E6 008FD3DD 008FDDFB 008FE1FE 008FE6A1 008FE87C 008FF7B2
00900E00 0090184D 009020EE 00902AA0 00903170 009040C8 00904EA0 009055EA 00905B4E

00905B4E    61                          POPAD                                              ; // 下面将继续Stolen code
00905B4F    FF35 788C8E00               PUSH DWORD PTR DS:[8E8C78]                         ; // PUSH EBX, Stolen code 10
00905B55    8915 388C8E00               MOV DWORD PTR DS:[8E8C38],EDX
00905B5B    FF35 388C8E00               PUSH DWORD PTR DS:[8E8C38]
00905B61    891C24                      MOV DWORD PTR SS:[ESP],EBX                         ; // push ebx
00905B64    56                          PUSH ESI
00905B65    BE 708C8E00                 MOV ESI,XieXieMa.008E8C70
00905B6A    8935 508C8E00               MOV DWORD PTR DS:[8E8C50],ESI
00905B70    5E                          POP ESI
00905B71    FF35 508C8E00               PUSH DWORD PTR DS:[8E8C50]                         ; // push 8E8C70
00905B77    60                          PUSHAD
00905B78    E8 5FF6FEFF                 CALL XieXieMa.008F51DC                             ; // EBP = 4E7000
00905B7D    8B85 6EEC4100               MOV EAX,DWORD PTR SS:[EBP+41EC6E]                  ; // EAX = 9BF2D , 伪OEP
00905B83    0385 26D04000               ADD EAX,DWORD PTR SS:[EBP+40D026]                  ; // EAX + 400000
00905B89    8985 6EEC4100               MOV DWORD PTR SS:[EBP+41EC6E],EAX                  ; // Save in 905C6E
00905B8F    61                          POPAD
00905B90    5B                          POP EBX                                            ; // pop ebx
00905B91    893B                        MOV DWORD PTR DS:[EBX],EDI
00905B93    8F05 4C8C8E00               POP DWORD PTR DS:[8E8C4C]                          ; // pop
00905B99    52                          PUSH EDX
00905B9A    BA 4C8C8E00                 MOV EDX,XieXieMa.008E8C4C
00905B9F    8B1A                        MOV EBX,DWORD PTR DS:[EDX]
00905BA1    5A                          POP EDX
00905BA2    FF35 708C8E00               PUSH DWORD PTR DS:[8E8C70]                         ; XieXieMa.005516A8
00905BA8    893424                      MOV DWORD PTR SS:[ESP],ESI                         ; // PUSH ESI, Stolen code 11
00905BAB    8915 348C8E00               MOV DWORD PTR DS:[8E8C34],EDX
00905BB1    FF35 348C8E00               PUSH DWORD PTR DS:[8E8C34]
00905BB7    56                          PUSH ESI
00905BB8    60                          PUSHAD
00905BB9    E8 1EF6FEFF                 CALL XieXieMa.008F51DC
00905BBE    C685 2BEC4100 E8            MOV BYTE PTR SS:[EBP+41EC2B],0E8
00905BC5    61                          POPAD
00905BC6    BE 5C8C8E00                 MOV ESI,XieXieMa.008E8C5C
00905BCB    8BD6                        MOV EDX,ESI
00905BCD    5E                          POP ESI                                            ; // EDX = 8E8C5C
00905BCE    893A                        MOV DWORD PTR DS:[EDX],EDI
00905BD0    8F05 308C8E00               POP DWORD PTR DS:[8E8C30]
00905BD6    8B15 308C8E00               MOV EDX,DWORD PTR DS:[8E8C30]
00905BDC    FF35 5C8C8E00               PUSH DWORD PTR DS:[8E8C5C]
00905BE2    893424                      MOV DWORD PTR SS:[ESP],ESI
00905BE5    893C24                      MOV DWORD PTR SS:[ESP],EDI                         ; // PUSH EDI, Stolen Code 12
00905BE8    90                          NOP
00905BE9    90                          NOP
00905BEA    90                          NOP
00905BEB    90                          NOP
00905BEC    90                          NOP
00905BED    90                          NOP
00905BEE    60                          PUSHAD
00905BEF    E8 E8F5FEFF                 CALL XieXieMa.008F51DC
00905BF4    C785 2CEC4100 FF250000      MOV DWORD PTR SS:[EBP+41EC2C],25FF
00905BFE    8D85 6EEC4100               LEA EAX,DWORD PTR SS:[EBP+41EC6E]
00905C04    8985 2EEC4100               MOV DWORD PTR SS:[EBP+41EC2E],EAX
00905C0A    E8 CDF5FEFF                 CALL XieXieMa.008F51DC
00905C0F    8DBD 8CE94100               LEA EDI,DWORD PTR SS:[EBP+41E98C]
00905C15    8D8D 20EC4100               LEA ECX,DWORD PTR SS:[EBP+41EC20]
00905C1B    2BCF                        SUB ECX,EDI
00905C1D    C1E9 02                     SHR ECX,2
00905C20    E8 55F3FEFF                 CALL XieXieMa.008F4F7A                             ; // 取随机数
00905C25    AB                          STOS DWORD PTR ES:[EDI]                            ; // 破坏 90598C 开始的区域
00905C26  ^E2 F8                       LOOPD SHORT XieXieMa.00905C20
00905C28    61                          POPAD                                              ; // F4到这里
00905C29    EB 01                       JMP SHORT XieXieMa.00905C2C
00905C2C  - FF25 6E5C9000               JMP DWORD PTR DS:[905C6E]                          ; // 到真正的OEP


// 49BF2D, 补上 Stolen Code , OEP = 49BF0A, Dump 得到 X1.EXE

0049BF0A  /> /55                         PUSH EBP
0049BF0B  |. |8BEC                       MOV EBP,ESP
0049BF0D  |. |6A FF                      PUSH -1
0049BF0F  |. |68 B0DB4B00                PUSH X3.004BDBB0
0049BF14  |. |68 901F4A00                PUSH X3.004A1F90                         ;  SE handler installation
0049BF19  |. |64:A1 00000000             MOV EAX,DWORD PTR FS:[0]
0049BF1F  |. |50                         PUSH EAX
0049BF20  |. |64:8925 00000000           MOV DWORD PTR FS:[0],ESP
0049BF27  |. |83EC 58                    SUB ESP,58
0049BF2A  |. |53                         PUSH EBX
0049BF2B  |. |56                         PUSH ESI
0049BF2C  |. |57                         PUSH EDI

// 这里如果用 ImportRec IAT autosearch, 将一无所获,  继续 F7


0049BF2D  |. |8965 E8                    MOV DWORD PTR SS:[EBP-18],ESP
0049BF30  |. |FF15 38B14B00              CALL DWORD PTR DS:[4BB138]               ;  // Call GetVersion, VC特征, F7 进入


008E802A  /$  68 DF41F33E                PUSH 3EF341DF
008E802F  |.  813424 A44AAA42            XOR DWORD PTR SS:[ESP],42AA4AA4
008E8036  .  C3                         RETN                                     ; // 两数 Xor 得到真正的 GetVersion 地址 


7C590B7B >  64:A1 18000000               MOV EAX,DWORD PTR FS:[18]                ; // GetVersion
7C590B81    8B48 30                      MOV ECX,DWORD PTR DS:[EAX+30]
7C590B84    8B91 B0000000                MOV EDX,DWORD PTR DS:[ECX+B0]
7C590B8A    0FB781 AC000000              MOVZX EAX,WORD PTR DS:[ECX+AC]
7C590B91    83F2 FE                      XOR EDX,FFFFFFFE
7C590B94    C1E2 0E                      SHL EDX,0E
7C590B97    0BC2                         OR EAX,EDX
7C590B99    C1E0 08                      SHL EAX,8
7C590B9C    0B81 A8000000                OR EAX,DWORD PTR DS:[ECX+A8]
7C590BA2    C1E0 08                      SHL EAX,8
7C590BA5    0B81 A4000000                OR EAX,DWORD PTR DS:[ECX+A4]
7C590BAB    C3                           RETN                                     ; // 返回 49BF36

0049BF36  |. |33D2                       XOR EDX,EDX
0049BF38  |. |8AD4                       MOV DL,AH
0049BF3A  |. |8915 08AE4C00              MOV DWORD PTR DS:[4CAE08],EDX


从上面我们可以得到两个重要信息 4BB138, 8E802A

1 先到 8E802A 
  我们可以发现一直从 8E8010 到 8E8BE4 都是 0xD 字节的 XOR 解密程序
  (8E8BE4 - 8E8010 + 1) / 0xD = 0xE9 = 233  个函数

2 再到 4BB138 
  这应该是Thunk值表的位置,将Dump窗口转到这里, BB000开始, size 54F
  
  发现其中 4BB130 到 4BB4E3 都指向 008E8XXX 段, 中间有4个不是
  (4BB4E3 - 4BB130 + 1) / 4 - 4 = 0xE9 = 233

在 49BF36 临时加一段程序修复, 修复后不再需要 XOR 解密段了(8E8010-8E8BE4)
           
           ; Temporary fixup, run once at 49BF36 and then removed (Undo Selection):
           ; walk the thunk table 4BB130..4BB4E3 in place and replace every entry
           ; that points into the 0xD-byte decryptor stubs at 8E8010..8E8BE4 with
           ; the API address that stub would compute. Each stub (see 8E802A above) is
           ;   PUSH imm32                 (68 xx xx xx xx)        -> imm32 at stub+1
           ;   XOR DWORD PTR [ESP],imm32  (81 34 24 xx xx xx xx)  -> imm32 at stub+8
           ;   RETN
           ; so the real address is simply imm1 ^ imm2.
           ; Entries outside that range (the 4 non-stub thunks) are copied unchanged.
           ; Assumes DF is clear so lodsd/stosd advance forward - TODO confirm at 49BF36.
           ; All constants are specific to this image and load address; all registers
           ; are preserved by the pusha/popa pair.
           pusha 
           mov esi,4BB130       ; esi = read cursor, first thunk entry
           mov edi,esi          ; edi = write cursor (same table, rewritten in place)
Next:     lodsd                 ; eax = next thunk value, esi += 4
           cmp eax,8E8010 
           jb OK                ; below the decryptor range: keep as is
           cmp eax,8E8BE4 
           ja OK                ; above the decryptor range (inclusive bound): keep as is
           mov edx,eax          ; edx = address of the stub
           mov eax,[edx+1]      ; imm32 of the PUSH
           xor eax,[edx+8]      ; ^ imm32 of the XOR = real API address
OK:        stosd                ; write back, edi += 4
           cmp esi,4BB4E4 
           jb Next              ; loop until table end (last entry at 4BB4E0)
           popa                 

执行后去掉上面程序(Undo Selection) , 发现 4BB130 - 4BB4E4  都变成了 7XXXXXXX, 只有一个例外  

// 4BB4C4  ==> 8F45C9 , 这就是 MessageBox (77E33259),  修改成 77E33259

// 启动 ImportRec, RAV 填 BB000, Size 54F, GetImports, 全部 OK
// Fixdump X1.EXE,  由于 ACProtect 要检查ImageSize,  不能 Add New Section(Size = 16D8)
// Start RVA 也不能用 BB000, 因为 ImportRec 修复过程如下

1. 先替换 Start RVA 开始的 16D8 字节
2. 再根据这 16D8 字节的位置修改 4BB000 开始的 54F 字节
 
// 在该区段最后找 16D8 空闲空间, RVA = C0A90, Fixdump

// 再把 4BB4C4 恢复成 8F45C9

008E8000 > $  B8 C9458F00           MOV EAX,X5.008F45C9
008E8005   .  A3 C4B44B00           MOV DWORD PTR DS:[<&user32.MessageBoxA>], EAX
008E800A   .  E9 A14D0200           JMP X5.49BF0A


// 重新运行,  49FE00 出错

0049FE00  |.  E8 83934400               CALL X2.008E9188

// Call 008E9188 有几百处, 是 ACProtect 的 Replace Code
// 记住返回地址 0049FE05

008E9188   $  60                        PUSHAD
008E9189   .  4A                        DEC EDX
008E918A   .  87C5                      XCHG EBP,EAX
...
008E9317   .  83EE 01                   SUB ESI,1
008E931A   .^ 0F85 70FFFFFF             JNZ X2.008E9290

// 经过上面变态的花指令后, 我们来到这

008E9333   ?  E8 A4BE0000                      CALL X2.008F51DC                         ; // EBP = 4E7000
008E9338      8B4424 20                        MOV EAX,DWORD PTR SS:[ESP+20]            ; // 返回地址 49FE05
008E933C      33C9                             XOR ECX,ECX                              ; // 下面开始查表
008E933E      8B9C8D 5E244000                  MOV EBX,DWORD PTR SS:[EBP+ECX*4+40245E]  
008E9345      039D 26D04000                    ADD EBX,DWORD PTR SS:[EBP+40D026]        ; // +400000
008E934B      3BC3                             CMP EAX,EBX
008E934D      74 07                            JE SHORT X2.008E9356
008E934F      90                               NOP
008E9350      90                               NOP
008E9351      90                               NOP
008E9352      90                               NOP
008E9353      41                               INC ECX
008E9354    ^ EB E8                            JMP SHORT X2.008E933E                   ; // 不匹配, 下一个
008E9356      C7848D 5E244000 00000000         MOV DWORD PTR SS:[EBP+ECX*4+40245E],0   ; // 找到后,清0
008E9361      8DB5 3E534000                    LEA ESI,DWORD PTR SS:[EBP+40533E]       ; // 8EC33E 开始放加密后的代码
008E9367      B8 0A000000                      MOV EAX,0A                              ; // A 字节一段
008E936C   .  F7E1                             MUL ECX
008E936E   .  03F0                             ADD ESI,EAX
008E9370      56                               PUSH ESI
008E9371      51                               PUSH ECX
008E9372   .  8A85 78214000                    MOV AL,BYTE PTR SS:[EBP+402178]         ; // 解密用字节,与OEP有关
008E9378   .  0AC0                             OR AL,AL
008E937A      75 28                            JNZ SHORT X2.008E93A4                   ; // 已经计算过了
008E937C      90                               NOP
008E937D      90                               NOP
008E937E      90                               NOP
008E937F      90                               NOP
008E9380      8B85 26D04000                    MOV EAX,DWORD PTR SS:[EBP+40D026]   ; // 400000
008E9386      8B70 3C                          MOV ESI,DWORD PTR DS:[EAX+3C]       ; // PE头 RVA
008E9389      03B5 26D04000                    ADD ESI,DWORD PTR SS:[EBP+40D026]   ; // PE头 VA
008E938F      83C6 28                          ADD ESI,28                          ; // OEP  VA
008E9392      AD                               LODS DWORD PTR DS:[ESI]             ; // OEP
008E9393      8AD8                             MOV BL,AL
008E9395      02DC                             ADD BL,AH
008E9397      C1E8 10                          SHR EAX,10
008E939A      02D8                             ADD BL,AL
008E939C      02DC                             ADD BL,AH
008E939E      889D 78214000                    MOV BYTE PTR SS:[EBP+402178],BL     ; // OEP四字节之和解密用
008E93A4      59                               POP ECX
008E93A5      5E                               POP ESI
008E93A6      60                               PUSHAD
008E93A7      B8 02000000                      MOV EAX,2
008E93AC      E8 B5BB0000                      CALL X2.008F4F66
008E93B1      0BC0                             OR EAX,EAX
008E93B3      75 24                            JNZ SHORT X2.008E93D9               ; // 为0 则解密到堆中
008E93B5      90                               NOP
008E93B6      90                               NOP
008E93B7      90                               NOP
008E93B8      90                               NOP
008E93B9      61                               POPAD
008E93BA      8BBD 2AD04000                    MOV EDI,DWORD PTR SS:[EBP+40D02A]    ; // 8F402A 放 1346F8, 指向解密后的代码
008E93C0      B8 0A000000                      MOV EAX,0A
008E93C5      F7E1                             MUL ECX
008E93C7      03F8                             ADD EDI,EAX
008E93C9      B9 0A000000                      MOV ECX,0A
008E93CE      8A9D 78214000                    MOV BL,BYTE PTR SS:[EBP+402178]
008E93D4      EB 11                            JMP SHORT X2.008E93E7
008E93D6      90                               NOP
008E93D7      90                               NOP
008E93D8      90                               NOP
008E93D9      61                               POPAD
008E93DA      8BFE                             MOV EDI,ESI                         
008E93DC      B9 0A000000                      MOV ECX,0A
008E93E1      8A9D 78214000                    MOV BL,BYTE PTR SS:[EBP+402178]     ; // 取出解密字节
008E93E7      AC                               LODS BYTE PTR DS:[ESI]              
008E93E8      32C3                             XOR AL,BL
008E93EA      AA                               STOS BYTE PTR ES:[EDI]
008E93EB    ^ E2 FA                            LOOPD SHORT X2.008E93E7             ; // 解密
008E93ED      83EF 0A                          SUB EDI,0A
008E93F0      57                               PUSH EDI
008E93F1      8B7424 24                        MOV ESI,DWORD PTR SS:[ESP+24]       ; // 取出返回地址
008E93F5      83EE 04                          SUB ESI,4                           ; // CALL 08E9188
008E93F8      AD                               LODS DWORD PTR DS:[ESI]             
008E93F9      81EF 88214000                    SUB EDI,X2.00402188
008E93FF      2BFD                             SUB EDI,EBP
008E9401      03C7                             ADD EAX,EDI                         ; // 地址转换成偏移量
008E9403      8946 FC                          MOV DWORD PTR DS:[ESI-4],EAX        ; // 变成 CALL 1346F8 + ECX * A
008E9406      5F                               POP EDI
008E9407      57                               PUSH EDI
008E9408      33C9                             XOR ECX,ECX
008E940A      83F9 08                          CMP ECX,8
008E940D      74 0E                            JE SHORT X2.008E941D
008E940F      90                               NOP
008E9410      90                               NOP
008E9411      90                               NOP
008E9412      90                               NOP
008E9413      8B448C 04                        MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]
008E9417      89048C                           MOV DWORD PTR SS:[ESP+ECX*4],EAX
008E941A      41                               INC ECX
008E941B    ^ EB ED                            JMP SHORT X2.008E940A
008E941D   .  893C8C                           MOV DWORD PTR SS:[ESP+ECX*4],EDI
008E9420   .  60                               PUSHAD
008E9421   .  E8 00000000                      CALL X2.008E9426
008E9426  /$  5E                               POP ESI
008E9427  |.  83EE 06                          SUB ESI,6
008E942A  |.  B9 ED000000                      MOV ECX,0ED
008E942F  |.  29CE                             SUB ESI,ECX
008E9431  |.  BA F0316F46                      MOV EDX,466F31F0
008E9436  |.  C1E9 02                          SHR ECX,2
008E9439  |.  83E9 02                          SUB ECX,2
008E943C  |>  83F9 00                          /CMP ECX,0
008E943F  |.  7C 1A                            |JL SHORT X2.008E945B
008E9441  |.  8B048E                           |MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008E9444  |.  8B5C8E 04                        |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
008E9448  |.  2BC3                             |SUB EAX,EBX
008E944A  |.  C1C0 02                          |ROL EAX,2
008E944D  |.  33C2                             |XOR EAX,EDX
008E944F  |.  81C2 B006C8EC                    |ADD EDX,ECC806B0
008E9455  |.  89048E                           |MOV DWORD PTR DS:[ESI+ECX*4],EAX
008E9458  |.  49                               |DEC ECX
008E9459  |.^ EB E1                            JMP SHORT X2.008E943C
008E945B  |>  61                               POPAD
008E945C  |.  61                               POPAD
008E945D  .  C3                               RETN


从上面我们可以看到
1 恢复OEP 为 8E8000, 解密代码才正确
2 就地解密,  用 LordPE 修改 VA=8F402A,   原来 1346F8,  改成 8EC33E


改好后再次运行,一走棋就出错, 8F4F26

008F4F26   .  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

ECX 00003445
ESI 004090AB X2.004090AB
EDI 001455E8
EIP 008F4F26 X2.008F4F26

检查后知是程序试图向堆中不存在的地址作串传输,
到内存镜像一看, 130000 段是从堆里动态分配的, 大小 9000
用未脱壳程序运行, 大小是 1F000, 
1F000-9000=16000, 是在壳代码中分配的
参考上面 8F71B3 中分配内存的函数

在 8E8000  补上下面的语句即可

; Patch placed at 8E8000 (the packed entry point) in the dumped file.  It replaces
; the earlier three-instruction stub (restore the MessageBoxA thunk, jump to 49BF0A)
; and additionally reserves the heap the original shell code had allocated, so the
; later REP MOVS into 1455E8 no longer touches unmapped memory.
mov  eax, 8F45C9
mov  [4BB4C4],eax    ; MessageBoxA thunk -> the protector's handler at 8F45C9
push 16000           ; dwBytes = 0x16000, the missing heap size (1F000 - 9000)
push 40              ; uFlags  = 0x40 (GMEM_ZEROINIT)
call [4BB2B0]       //kerner32.GlobalAlloc (7C58DA27)
                     ; the handle returned in eax is deliberately discarded: the call
                     ; only grows the process heap so that 1455E8 becomes mapped.
                     ; NOTE(review): this depends on allocator placement - confirm on
                     ; the target before relying on it.
jmp  49BF0A


// OK, 现在可以走棋,但一思考就出错, 跟 RSA_Lock Code 和 Embedded Protect 有关

=====================================================================================================================

MessageBox SDK说明

引用 ACProtect 文档

#define GetRegistrationName(szRegistrationName)  ::MessageBox (HWND(-1), szRegistrationName, NULL, 0);
#define GetTrialUsageTimes(lpUsageTime)          ::MessageBox (HWND(-1), lpUsageTime       , NULL, 1);  


以下分析一个用了 Dynamic encrypt, Embedded Protect, RSA_Lock Code 的 VC6 程序 

#include "windows.h"
#include "stdlib.h"
#include "stdio.h"
#include "ACProtect.h"


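int main(int argc, char* argv[])
{
    // ACProtect SDK sample (VC6).  Each protected region is bracketed by a
    // BEGIN/END macro pair from ACProtect.h.  The disassembly on this page
    // shows the macros expand to PUSHAD / JMP over a marker string / POPAD,
    // and the "SDK calls" are MessageBox calls with hOwner == HWND(-1) and
    // NULL text that the protector's loader intercepts through the
    // redirected MessageBoxA import -- a control channel between the
    // application and the loader rather than real message boxes.
    // (Inferred from the disassembly shown here; confirm against the SDK.)

    // No 1: dynamic encrypt.  The code between the markers is stored
    // encrypted, decrypted to run, and re-encrypted afterwards.
    DYNAMIC_BEGIN;  // must precede the protected code

    MessageBox(NULL,
               "First decrypt this code,then run ,it will be encrypted again after run!",
               "Dynamic En/Decryption of codes example", MB_OK);

    DYNAMIC_END;    // must follow the protected code


    // No 2: embedded protection.  Same bracketing; the loader checks the
    // environment before releasing the code.
    // The message below is one literal split into adjacent pieces: the
    // original had raw line breaks inside the string, which does not compile.
    EMBEDDED_BEGIN;  // must precede the protected code

    MessageBox(NULL,
               "The Cryptor encrypt  the codes between the embedded lock header and embedded lock tail , "
               "then communicate with the loader,After checking,then decrypt the codes,and run the decrypted code. "
               "After the Running ,all the codes (include the embedded cryptor and the crypted code) will "
               "keep the original encrypted status..",
               "Embedded Protection of codes example", MB_OK);

    EMBEDDED_END;    // must follow the protected code


    // No 3: registration name from the ACProtect loader.
    // The SDK macro passes only the buffer pointer (see the #define earlier
    // on this page), so the loader is never told the buffer is 255 bytes; the
    // length contract is implicit.  NOTE(review): whether the loader bounds
    // its write is not visible here -- confirm in the SDK documentation.
    char usrname[255] = "";
    GetRegistrationName(usrname);

    if (usrname[0])
        MessageBox(NULL, usrname, "User Name is :", MB_OK);
    else
        MessageBox(NULL, "UnRegistered Version", "User Name is :", MB_OK);


    // No 4: RSA lock code.  The region runs only when the loader holds a
    // valid license file; without it the code stays encrypted.
    bool keyok = false;

    RSALOCK_BEGIN;  // must precede the protected code

    keyok = !keyok;  // written "= !" rather than "=!", which reads like a mistyped "!="
    MessageBox(NULL, "If u have no correct license file,you can not see me!", "RSA Lock code sample", MB_OK);

    RSALOCK_END;    // must follow the protected code

    return 0;
}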




用 VC 编译后, 还没加壳时 , 用 OD 载入看看, 很明显

Messagebox(-1,0,0,2) RSA_Lock start
Messagebox(-1,0,0,3) RSA_Lock end
Messagebox(-1,0,0,5) Embeded  start
Messagebox(-1,0,0,4) Embeded  end


dynamic encrypt  部分, 相当于一个普通压缩壳

0040100C  |.  60                                                PUSHAD
0040100D  |.  E9 AA010000                                       JMP ACP.004011BC
00401012  |.  64 79 6D 6C 63 6B 5F 5F 68 65 61 64 65 72 00      ASCII "dymlck__header",0
00401021  |   00                                                DB 00
00401022  |   00                                                DB 00
00401023  |   00                                                DB 00

... ( 中间0 加壳后变成解压部分) 

004011AD  |   00                                                DB 00
004011AE  |   00                                                DB 00
004011AF  |   00                                                DB 00
004011B0  |   64                                                DB 64                                    ;  CHAR 'd'
004011B1  |   79                                                DB 79                                    ;  CHAR 'y'
004011B2  |   6D                                                DB 6D                                    ;  CHAR 'm'
004011B3  |   6C                                                DB 6C                                    ;  CHAR 'l'
004011B4  |   63                                                DB 63                                    ;  CHAR 'c'
004011B5  |   6B                                                DB 6B                                    ;  CHAR 'k'
004011B6  |   5F                                                DB 5F                                    ;  CHAR '_'
004011B7  |   62                                                DB 62                                    ;  CHAR 'b'
004011B8  |   65                                                DB 65                                    ;  CHAR 'e'
004011B9  |   67                                                DB 67                                    ;  CHAR 'g'
004011BA  |   69                                                DB 69                                    ;  CHAR 'i'
004011BB  |   6E                                                DB 6E                                    ;  CHAR 'n'
004011BC  |>  61                                                POPAD
004011BD  |.  6A 00                                             PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
004011BF  |.  68 84A24000                                       PUSH ACP.0040A284                        ; |Title = "Dynamic En/Decryption of codes example"
004011C4  |.  68 3CA24000                                       PUSH ACP.0040A23C                        ; |Text = "First decrypt this code,then run ,
                                                                                                                    it will be encrypted again after run!"
004011C9  |.  6A 00                                             PUSH 0                                   ; |hOwner = NULL
004011CB  |.  FF15 B4904000                                     CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
004011D1  |.  60                                                PUSHAD
004011D2  |.  EB 3A                                             JMP SHORT ACP.0040120E
004011D4  |.  64 79 6D 6C 63 6B 5F 65 6E 64 00                  ASCII "dymlck_end",0
004011DF  |   00                                                DB 00
004011E0  |   00                                                DB 00
004011E1  |   00                                                DB 00

... ( 中间0 加壳后变成压缩部分) 

0040120B  |   00                                                DB 00
0040120C  |   00                                                DB 00
0040120D  |   00                                                DB 00
0040120E  |>  61                                                POPAD




Embedded Protect 部分, 相当于一个反调试的壳


0040120F  |.  60            PUSHAD
00401210  |.  6A 05         PUSH 5                                   ; /Style = MB_RETRYCANCEL|MB_APPLMODAL
00401212  |.  6A 00         PUSH 0                                   ; |Title = NULL
00401214  |.  6A 00         PUSH 0                                   ; |Text = NULL
00401216  |.  6A FF         PUSH -1                                  ; |hOwner = FFFFFFFF
00401218  |.  FF15 B4904000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
0040121E  |.  61            POPAD
0040121F  |.  60            PUSHAD
00401220  |.  E9 1C320000   JMP ACP.00404441
00401225  |.  70 65 65 74 6>ASCII "peetles__header",0                ; // 作者喜欢披头士?
00401235  |   00            DB 00
00401236  |   00            DB 00
00401237  |   00            DB 00
00401238  |   00            DB 00
00401239  |   00            DB 00
0040123A  |   00            DB 00
0040123B  |   00            DB 00
0040123C  |   00            DB 00
.
. 加壳后用来放检测壳, 检测调试器, 解密, 加密代码
. !!!!!!!!!!!!! 0404442 - 0401218 = 322A ,  以后从 Call MessageBox 这一行地址加 322A 就是用户代码开始处 !!!!!!!!!

00404432  |   00            DB 00
00404433  |   00            DB 00
00404434  |   70            DB 70                                    ;  CHAR 'p'
00404435  |   65            DB 65                                    ;  CHAR 'e'
00404436  |   65            DB 65                                    ;  CHAR 'e'
00404437  |   74            DB 74                                    ;  CHAR 't'
00404438  |   6C            DB 6C                                    ;  CHAR 'l'
00404439  |   65            DB 65                                    ;  CHAR 'e'
0040443A  |   73            DB 73                                    ;  CHAR 's'
0040443B  |   5F            DB 5F                                    ;  CHAR '_'
0040443C  |   62            DB 62                                    ;  CHAR 'b'
0040443D  |   65            DB 65                                    ;  CHAR 'e'
0040443E  |   67            DB 67                                    ;  CHAR 'g'
0040443F  |   69            DB 69                                    ;  CHAR 'i'
00404440  |   6E            DB 6E                                    ;  CHAR 'n'
00404441  |>  61            POPAD
00404442  |.  8B35 B4904000 MOV ESI,DWORD PTR DS:[<&USER32.MessageBo>;  USER32.MessageBoxA, 真正的用户代码开始
00404448  |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
0040444A  |.  68 14A24000   PUSH ACP.0040A214                        ; |Title = "Embedded Protection of codes example"
0040444F  |.  68 D8A04000   PUSH ACP.0040A0D8                        ; |Text = "The Cryptor encrypt  the codes between the embedded lock header and embedded lock tail,
                                                                                then communicate with the loader,After checking, then decrypt the codes,
                                                                                and run the decrypted code .After the Running ,all the codes will keep in original 
                                                                                encrypted status"
00404454  |.  6A 00         PUSH 0                                   ; |hOwner = NULL
00404456  |.  FFD6          CALL ESI                                 ; MessageBoxA       , 真正的用户代码结束
00404458  |.  60            PUSHAD
00404459  |.  6A 04         PUSH 4                                   ; /Style = MB_YESNO|MB_APPLMODAL
0040445B  |.  6A 00         PUSH 0                                   ; |Title = NULL
0040445D  |.  6A 00         PUSH 0                                   ; |Text = NULL
0040445F  |.  6A FF         PUSH -1                                  ; |hOwner = FFFFFFFF
00404461  |.  FF15 B4904000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
00404467  |.  EB 1E         JMP SHORT ACP.00404487
00404469  |.  70 65 65 74 6>ASCII "peetles_end",0
00404475  |  |00            DB 00
00404476  |  |00            DB 00
00404477  |  |00            DB 00
00404478  |  |00            DB 00
00404479  |  |00            DB 00
0040447A  |  |00            DB 00
0040447B  |  |00            DB 00
0040447C  |  |00            DB 00
0040447D  |  |00            DB 00
0040447E  |  |00            DB 00
0040447F  |  |00            DB 00
00404480  |  |00            DB 00
00404481  |  |00            DB 00
00404482  |  |00            DB 00
00404483  |  |00            DB 00
00404484  |  |00            DB 00
00404485  |  |00            DB 00
00404486  |  |00            DB 00
00404487  |> 61            POPAD




RSA_Lock Code 部分, 相当于一个密码壳, 没有密码不执行, 密码在key.dat中

004044E6  |.  60            PUSHAD
004044E7  |.  6A 02         PUSH 2                                            ; /Style = MB_ABORTRETRYIGNORE|MB_APPLMODAL
004044E9  |.  6A 00         PUSH 0                                            ; |Title = NULL
004044EB  |.  6A 00         PUSH 0                                            ; |Text = NULL
004044ED  |.  6A FF         PUSH -1                                           ; |hOwner = FFFFFFFF
004044EF  |.  FF15 B4904000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>]         ; MessageBoxA
004044F5  |.  EB 0D         JMP SHORT ACP.00404504
004044F7  |   52            DB 52                                             ;  CHAR 'R'
004044F8  |   65            DB 65                                             ;  CHAR 'e'
004044F9  |   67            DB 67                                             ;  CHAR 'g'
004044FA  |   4F            DB 4F                                             ;  CHAR 'O'
004044FB  |   6E            DB 6E                                             ;  CHAR 'n'
004044FC  |   6C            DB 6C                                             ;  CHAR 'l'
004044FD  |   79            DB 79                                             ;  CHAR 'y'
004044FE  |   5F            DB 5F                                             ;  CHAR '_'
004044FF  |   62            DB 62                                             ;  CHAR 'b'
00404500  |   65            DB 65                                             ;  CHAR 'e'
00404501  |   67            DB 67                                             ;  CHAR 'g'
00404502  |   69            DB 69                                             ;  CHAR 'i'
00404503  |   6E            DB 6E                                             ;  CHAR 'n'
00404504  |>  61            POPAD
00404505  |.  6A 00         PUSH 0                                            ;  真正的用户代码开始
00404507  |.  68 8CA04000   PUSH ACP.0040A08C                                 ;  ASCII "RSA Lock code sample"
0040450C  |.  68 30A04000   PUSH ACP.0040A030                                 ;  ASCII "If u have no license file,u can't see me."
00404511  |.  6A 00         PUSH 0
00404513  |.  FFD6          CALL ESI                                          ;  真正的用户代码结束
00404515  |.  60            PUSHAD
00404516  |.  EB 0B         JMP SHORT ACP.00404523
00404518  |   52            DB 52                                             ;  CHAR 'R'
00404519  |   65            DB 65                                             ;  CHAR 'e'
0040451A  |   67            DB 67                                             ;  CHAR 'g'
0040451B  |   4F            DB 4F                                             ;  CHAR 'O'
0040451C  |   6E            DB 6E                                             ;  CHAR 'n'
0040451D  |   6C            DB 6C                                             ;  CHAR 'l'
0040451E  |   79            DB 79                                             ;  CHAR 'y'
0040451F  |   5F            DB 5F                                             ;  CHAR '_'
00404520  |   65            DB 65                                             ;  CHAR 'e'
00404521  |   6E            DB 6E                                             ;  CHAR 'n'
00404522  |   64            DB 64                                             ;  CHAR 'd'
00404523  |>  6A 03         PUSH 3                                            ; /Style = MB_YESNOCANCEL|MB_APPLMODAL
00404525  |.  6A 00         PUSH 0                                            ; |Title = NULL
00404527  |.  6A 00         PUSH 0                                            ; |Text = NULL
00404529  |.  6A FF         PUSH -1                                           ; |hOwner = FFFFFFFF
0040452B  |.  FF15 B4904000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>]         ; MessageBoxA
00404531  |.  61            POPAD

!!!!!!!!!!!!!!!但我们可以知道用户代码有多少字节,    40452B - 4044EF - 16h - 16h = 10h !!!!!!!!!!

两个16h 表示  
004044EF  |.  FF15 B4904000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>]         ; MessageBoxA
004044F5      EB 0D         JMP SHORT ACP.00404504
004044F7  |   52            DB 52                                             ;  CHAR 'R'
004044F8  |   65            DB 65                                             ;  CHAR 'e'
004044F9  |   67            DB 67                                             ;  CHAR 'g'
004044FA  |   4F            DB 4F                                             ;  CHAR 'O'
004044FB  |   6E            DB 6E                                             ;  CHAR 'n'
004044FC  |   6C            DB 6C                                             ;  CHAR 'l'
004044FD  |   79            DB 79                                             ;  CHAR 'y'
004044FE  |   5F            DB 5F                                             ;  CHAR '_'
004044FF  |   62            DB 62                                             ;  CHAR 'b'
00404500  |   65            DB 65                                             ;  CHAR 'e'
00404501  |   67            DB 67                                             ;  CHAR 'g'
00404502  |   69            DB 69                                             ;  CHAR 'i'
00404503  |   6E            DB 6E                                             ;  CHAR 'n'
00404504  |>  61            POPAD


00404515  |.  60            PUSHAD
00404516  |.  EB 0B         JMP SHORT ACP.00404523
00404518  |   52            DB 52                                             ;  CHAR 'R'
00404519  |   65            DB 65                                             ;  CHAR 'e'
0040451A  |   67            DB 67                                             ;  CHAR 'g'
0040451B  |   4F            DB 4F                                             ;  CHAR 'O'
0040451C  |   6E            DB 6E                                             ;  CHAR 'n'
0040451D  |   6C            DB 6C                                             ;  CHAR 'l'
0040451E  |   79            DB 79                                             ;  CHAR 'y'
0040451F  |   5F            DB 5F                                             ;  CHAR '_'
00404520  |   65            DB 65                                             ;  CHAR 'e'
00404521  |   6E            DB 6E                                             ;  CHAR 'n'
00404522  |   64            DB 64                                             ;  CHAR 'd'
00404523  |>  6A 03         PUSH 3                                            ; /Style = MB_YESNOCANCEL|MB_APPLMODAL
00404525  |.  6A 00         PUSH 0                                            ; |Title = NULL
00404527  |.  6A 00         PUSH 0                                            ; |Text = NULL
00404529  |.  6A FF         PUSH -1                                           ; |hOwner = FFFFFFFF


=====================================================================================================================


在8F45C9下硬件执行断点, F9, 断下, 看Stack

0012FE88   0041427C  X4.0041427C
0012FE8C   FFFFFFFF
0012FE90   00000000
0012FE94   00000000
0012FE98   00000002

到 41427C

0041423E      8D4D C0                   LEA ECX,DWORD PTR SS:[EBP-40]
00414241      68 A8D17F00               PUSH X4.007FD1A8                         ;  ASCII "XieXieMaster 1.0.10"
00414246      68 A0D17F00               PUSH X4.007FD1A0                         ;  ASCII "XieXie"
0041424B      E8 1C41FFFF               CALL X4.0040836C
00414250      6A 10                     PUSH 10
00414252      FF15 B8B44B00             CALL DWORD PTR DS:[4BB4B8]               ;  USER32.GetAsyncKeyState
00414258      0FBFC0                    MOVSX EAX,AX
0041425B      85C0                      TEST EAX,EAX
0041425D      0F8C D5010000             JL X4.00414438
00414263      C705 047B4C00 00000000    MOV DWORD PTR DS:[4C7B04],0
0041426D      60                        PUSHAD
0041426E      6A 02                     PUSH 2
00414270      6A 00                     PUSH 0
00414272      6A 00                     PUSH 0
00414274      6A FF                     PUSH -1
00414276      FF15 C4B44B00             CALL DWORD PTR DS:[4BB4C4]               ; 判断有无Key.dat, 有解密代码
0041427C      EB 0D                     JMP SHORT X4.0041428B                    ; 没有, 这一句将变成 Jmp 4142B2
0041427E      B8 9559B8D3               MOV EAX,D3B85995
00414283      9E                        SAHF
00414284  ^   E3 96                     JECXZ SHORT XieXieMa.0041421C
00414286      E4 94                     IN AL,94                                 ; I/O command
00414288      5B                        POP EBX
00414289      D385 0B529BF4             ROL DWORD PTR SS:[EBP+F49B520B],CL
0041428F      D0E3                      SHL BL,1
00414291      836E CF D0                SUB DWORD PTR DS:[ESI-31],-30
00414295      F4                        HLT                                      ; Privileged command
00414296      84A8 B0000000             TEST BYTE PTR DS:[EAX+B0],CH
0041429C      0000                      ADD BYTE PTR DS:[EAX],AL
0041429E      0000                      ADD BYTE PTR DS:[EAX],AL
004142A0      0000                      ADD BYTE PTR DS:[EAX],AL
004142A2      0000                      ADD BYTE PTR DS:[EAX],AL
004142A4      6A 03                     PUSH 3
004142A6      6A 00                     PUSH 0
004142A8      6A 00                     PUSH 0
004142AA      6A FF                     PUSH -1
004142AC      FF15 C4B44B00             CALL DWORD PTR DS:[4BB4C4]               ; 去加密代码
004142B2      61                        POPAD

如果没有 Key.dat ,  这段代码是不可能还原的. 但我们可以知道有多少字节, 见上面SDK说明

4142AC - 414276 - 16h - 16h = A (用户代码有10个字节)
  
那么十个字节的代码, 到底是什么?  应该是一个赋值语句, 附近看看, 

00414263      C705 047B4C00 00000000    MOV DWORD PTR DS:[4C7B04],0  ( 正好是 10 个字节)

应该是这句了, 这也符合逻辑

              C705 047B4C00 01000000    MOV DWORD PTR DS:[4C7B04],1


另外这段代码被 ACProtect Dynamic Encrypt 技术保护(壳中带壳), 

用 OD 加载脱壳后程序, 等 Dynamic decrypt后, 修改 414263  处两句

00414263      C705 047B4C00 01000000    MOV DWORD PTR DS:[4C7B04],1
0041426D      EB 44                     JMP SHORT X4.004142B3               ; 跳过他们

执行完这一段, 等 Dynamic encrypt 后, 我们就可以知道要修改哪些字节了.




再重复上面的过程, 找出所有 RSA_Lock Code, Embedded Protect

在8F45C9下硬件执行断点, F9, 断下, 看Stack

0012F58C   00417C0D  RETURN to X5.00417C0D from X5.008F45C9
0012F590   FFFFFFFF
0012F594   0012F5A0
0012F598   00000000
0012F59C   00000000


00417C02  |.  50            PUSH EAX
00417C03  |.  50            PUSH EAX
00417C04  |.  52            PUSH EDX
00417C05  |.  6A FF         PUSH -1
00417C07  |.  FF15 C4B44B00 CALL DWORD PTR DS:[4BB4C4]               ;  X5.008F45C9
00417C0D  |.  8A0424        MOV AL,BYTE PTR SS:[ESP]                 ;  
00417C10  |.  84C0          TEST AL,AL 
00417C12  |.  74 37         JE SHORT X5.00417C4B                     ; // 0   Caption 显示 Not registered 
                                                                     ; // !0  Caption 显示 Licensed to XXX

求注册名, F7  进入, 发现程序到 4B8ECC 取用户名, 随便改成你喜欢的(其实就是Key.dat 内容)


F9, 又一次中断

0012F944   00413F7C  RETURN to X5.00413F7C from X5.008F45C9
0012F948   FFFFFFFF
0012F94C   0012F9E4
0012F950   00000000
0012F954   00000000


00413F71   ?  52            PUSH EDX
00413F72   ?  52            PUSH EDX
00413F73   ?  51            PUSH ECX
00413F74   .  6A FF         PUSH -1
00413F76   .  FF15 C4B44B00 CALL DWORD PTR DS:[4BB4C4]                        ;  X5.008F45C9
00413F7C   ?  8D8D DCFDFFFF LEA ECX,DWORD PTR SS:[EBP-224]
00413F82   ?  E8 DDF8FFFF   CALL X5.00413864                                  ; // F8, 求 C 盘卷标
                                                                              ; // 注册码=f(卷标,用户名)

求注册名, F7  进入,  这次到 8F3D0C 取用户名, 改成和上面一样


F9, 又一次中断

0012F8F8   004090A9  X5.004090A9
0012F8FC   FFFFFFFF
0012F900   00000000
0012F904   00000000
0012F908   00000005

0040909B      6A 05         PUSH 5
0040909D      6A 00         PUSH 0
0040909F      6A 00         PUSH 0
004090A1      6A FF         PUSH -1
004090A3      FF15 C4B44B00 CALL DWORD PTR DS:[<&user32.MessageBoxA>]             ;  X5.008F45C9


这是 Embedded Protect 的开始, 看看处理些什么?
不好意思, 下面过程太罗嗦

用户代码应该在 4090A3 + 322A = 40C2CD

F7 进入, SMC 后

008F4774    61              POPAD
008F4775    55              PUSH EBP
008F4776    E8 610A0000     CALL XieXieMa.008F51DC                   ; // EBP = 4E7000
008F477B    8BC5            MOV EAX,EBP
008F477D    5D              POP EBP
008F477E    837C24 04 FF    CMP DWORD PTR SS:[ESP+4],-1              ; // Messagebox 第一个参数
008F4783    74 25           JE SHORT XieXieMa.008F47AA
008F4785    90              NOP
008F4786    90              NOP
008F4787    90              NOP
008F4788    90              NOP
008F4789    8B98 18F04100   MOV EBX,DWORD PTR DS:[EAX+41F018]
008F478F    803B CC         CMP BYTE PTR DS:[EBX],0CC
008F4792    0F84 D7000000   JE XieXieMa.008F486F
008F4798    807B 01 CC      CMP BYTE PTR DS:[EBX+1],0CC
008F479C    0F84 CD000000   JE XieXieMa.008F486F
008F47A2    8BC3            MOV EAX,EBX
008F47A4    60              PUSHAD
008F47A5    E9 C5000000     JMP XieXieMa.008F486F
008F47AA    60              PUSHAD
008F47AB    E8 2C0A0000     CALL XieXieMa.008F51DC                   ; // EBP = 4E7000
008F47B0    8B7C24 28       MOV EDI,DWORD PTR SS:[ESP+28]            ; // Messagebox 第3个参数
008F47B4    8B4424 30       MOV EAX,DWORD PTR SS:[ESP+30]            ; // Messagebox 第4个参数
008F47B8    0BC0            OR EAX,EAX
008F47BA    74 3F           JE SHORT XieXieMa.008F47FB               ; // Messagebox 第4个参数 = 0
008F47BC    90              NOP
008F47BD    90              NOP
008F47BE    90              NOP
008F47BF    90              NOP
008F47C0    48              DEC EAX
008F47C1    0BC0            OR EAX,EAX
008F47C3    74 65           JE SHORT XieXieMa.008F482A               ; // Messagebox 第4个参数 = 1
008F47C5    90              NOP
008F47C6    90              NOP
008F47C7    90              NOP
008F47C8    90              NOP
008F47C9    48              DEC EAX
008F47CA    0BC0            OR EAX,EAX
008F47CC    74 68           JE SHORT XieXieMa.008F4836               ; // Messagebox 第4个参数 = 2
008F47CE    90              NOP
008F47CF    90              NOP
008F47D0    90              NOP
008F47D1    90              NOP
008F47D2    48              DEC EAX
008F47D3    0BC0            OR EAX,EAX
008F47D5    74 75           JE SHORT XieXieMa.008F484C               ; // Messagebox 第4个参数 = 3
008F47D7    90              NOP
008F47D8    90              NOP
008F47D9    90              NOP
008F47DA    90              NOP
008F47DB    48              DEC EAX
008F47DC    0BC0            OR EAX,EAX
008F47DE    74 76           JE SHORT XieXieMa.008F4856               ; // Messagebox 第4个参数 = 4
008F47E0    90              NOP
008F47E1    90              NOP
008F47E2    90              NOP
008F47E3    90              NOP
008F47E4    48              DEC EAX
008F47E5    0BC0            OR EAX,EAX
008F47E7    74 77           JE SHORT XieXieMa.008F4860               ; // Messagebox 第4个参数 = 5 (OK)
008F47E9    90              NOP
008F47EA    90              NOP
008F47EB    90              NOP
008F47EC    90              NOP
008F47ED    48              DEC EAX
008F47EE    0BC0            OR EAX,EAX
008F47F0    74 78           JE SHORT XieXieMa.008F486A               ; // Messagebox 第4个参数 = 6               
008F47F2    90              NOP
008F47F3    90              NOP
008F47F4    90              NOP
008F47F5    90              NOP
008F47F6    EB 77           JMP SHORT XieXieMa.008F486F              ; // other
008F47F8    90              NOP
008F47F9    90              NOP
008F47FA    90              NOP

008F4860    E8 C3040000     CALL XieXieMa.008F4D28                   ; // F7 进入

// ... after a stretch of self-modifying code (SMC) has decrypted the routine below:

; Embedded Protect: find the region table entry belonging to the caller and
; back the region up.  EBP is a delta register (here 4E7000: [EBP+401C97] is
; 8E8C97 per the author's trace), so every [EBP+4xxxxx] operand is a fixed
; slot in the packer's data; [EBP+40D026] holds the image base 400000.
; The loop 008F4EE8..008F4F05 walks up to 0x64 dwords at [EBP+401C97] and keeps
; in EDX/ESI the value/index of the smallest entry that is >= EBX (the RVA of
; the return address), i.e. the region that contains the call site.
008F4ED3    61              POPAD
008F4ED4    60              PUSHAD
008F4ED5    8B4424 44       MOV EAX,DWORD PTR SS:[ESP+44]                     ; // return address 4090A9 (above the PUSHAD frame)
008F4ED9    2B85 26D04000   SUB EAX,DWORD PTR SS:[EBP+40D026]                 ; // - 400000 (image base) -> RVA
008F4EDF    8BD8            MOV EBX,EAX                                       ; // EAX = EBX = 90A9
008F4EE1    33C9            XOR ECX,ECX
008F4EE3    8BF1            MOV ESI,ECX                                       ; // ESI = 0 : index of best match so far
008F4EE5    49              DEC ECX
008F4EE6    8BD1            MOV EDX,ECX                                       ; // EDX = FFFFFFFF : best (smallest) candidate so far
008F4EE8    41              INC ECX                                           ; // ECX++ (loop index)
008F4EE9    83F9 64         CMP ECX,64
008F4EEC    74 19           JE SHORT XieXieMa.008F4F07                        ; // at most 0x64 table entries
008F4EEE    90              NOP
008F4EEF    90              NOP
008F4EF0    90              NOP
008F4EF1    90              NOP
008F4EF2    8B848D 971C4000 MOV EAX,DWORD PTR SS:[EBP+ECX*4+401C97]           ; // table starts at 8E8C97 (author)
008F4EF9    3BC3            CMP EAX,EBX
008F4EFB  ^ 72 EB           JB SHORT XieXieMa.008F4EE8                        ; // skip entries below the return RVA
008F4EFD    3BC2            CMP EAX,EDX
008F4EFF  ^ 77 E7           JA SHORT XieXieMa.008F4EE8                        ; // unsigned compare: skip entries above current best
008F4F01    8BD0            MOV EDX,EAX                                       ; // new best value
008F4F03    8BF1            MOV ESI,ECX                                       ; // and its index
008F4F05  ^ EB E1           JMP SHORT XieXieMa.008F4EE8
008F4F07    8BCE            MOV ECX,ESI
008F4F09    8BB48D 971C4000 MOV ESI,DWORD PTR SS:[EBP+ECX*4+401C97]           ; // the matching entry is 90AB (author)
008F4F10    03B5 26D04000   ADD ESI,DWORD PTR SS:[EBP+40D026]                 ; // + image base = 4090AB
008F4F16    8B948D 271E4000 MOV EDX,DWORD PTR SS:[EBP+ECX*4+401E27]           ; // [8E8E33] = 3445 : length (parallel table)
008F4F1D    8BBC8D B71F4000 MOV EDI,DWORD PTR SS:[EBP+ECX*4+401FB7]           ; // [8E8FC3] = 1455E8 : destination (parallel table)
008F4F24    87CA            XCHG EDX,ECX                                      ; // ECX = length
008F4F26    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]      ; // copy 3445 bytes from 4090AB to 1455E8 (backup of the region)
; "Dynamic Encrypt" stub.  CALL $+5 / POP ESI gives the stub its own address
; (delta-offset trick); ESI - 6 - 55 = 008F4ED3, the start of this routine, so
; the code that just executed is transformed in place (author: "destroys this
; code") and is not left in the clear for a memory dump.  ECX = 55/4 - 2 dwords
; are processed from the last one backwards; each dword is mixed with its
; successor and a running key in EDX.  CMP ECX,0 / JL is a signed test, so the
; loop terminates when ECX reaches -1.
008F4F28    60              PUSHAD
008F4F29    E8 00000000     CALL XieXieMa.008F4F2E                            ; // SMC follows: overwrites this routine
008F4F2E    5E              POP ESI                                           ; // ESI = 008F4F2E
008F4F2F    83EE 06         SUB ESI,6
008F4F32    B9 55000000     MOV ECX,55                                        ; // region length
008F4F37    29CE            SUB ESI,ECX                                       ; // ESI = 008F4ED3
008F4F39    BA 404A36E1     MOV EDX,E1364A40                                  ; // initial key
008F4F3E    C1E9 02         SHR ECX,2
008F4F41    83E9 02         SUB ECX,2                                         ; // dword index, starting at the end
008F4F44    83F9 00         CMP ECX,0
008F4F47    7C 1A           JL SHORT XieXieMa.008F4F63
008F4F49    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008F4F4C    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]                ; // next dword (already transformed? no - processed after, so still original)
008F4F50    03C3            ADD EAX,EBX
008F4F52    C1C8 18         ROR EAX,18
008F4F55    33C2            XOR EAX,EDX
008F4F57    81C2 BF55B790   ADD EDX,90B755BF                                  ; // advance key
008F4F5D    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX
008F4F60    49              DEC ECX
008F4F61  ^ EB E1           JMP SHORT XieXieMa.008F4F44
008F4F63    61              POPAD
008F4F64    61              POPAD
008F4F65    C3              RETN                                              ; // return to 8F4865



008F4865    EB 08           JMP SHORT XieXieMa.008F486F
; Same stub shape as above: ESI = 008F4875 - 6 - 0FB = 008F4774, so this pass
; transforms 008F4774..008F486F, i.e. the dispatch code (008F47C1...) that ran
; before.  The per-dword operation (ROL 5 / ADD key / SUB key step) differs from
; the previous stub - each instance appears to carry its own mix.
008F486F    60              PUSHAD
008F4870    E8 00000000     CALL XieXieMa.008F4875
008F4875    5E              POP ESI
008F4876    83EE 06         SUB ESI,6
008F4879    B9 FB000000     MOV ECX,0FB                                       ; // region length
008F487E    29CE            SUB ESI,ECX                                       ; // ESI = 008F4774
008F4880    BA 1ADA1966     MOV EDX,6619DA1A
008F4885    C1E9 02         SHR ECX,2
008F4888    83E9 02         SUB ECX,2
008F488B    83F9 00         CMP ECX,0
008F488E    7C 1A           JL SHORT XieXieMa.008F48AA
008F4890    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]
008F4893    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
008F4897    03C3            ADD EAX,EBX
008F4899    C1C0 05         ROL EAX,5
008F489C    03C2            ADD EAX,EDX
008F489E    81EA 9C13693B   SUB EDX,3B69139C
008F48A4    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX
008F48A7    49              DEC ECX
008F48A8  ^ EB E1           JMP SHORT XieXieMa.008F488B
008F48AA    61              POPAD
008F48AB    61              POPAD
; MessageBox hook: only the first stack argument (hWnd) is inspected.  A call
; with hWnd == -1 is the ACProtect SDK marker for an embedded-protect region and
; is consumed here (RETN 10 pops the four arguments without calling the API);
; anything else is forwarded with JMP EAX - EAX presumably holds the real
; MessageBox address, loaded in code not shown here (verify).
008F48AC    837C24 04 FF    CMP DWORD PTR SS:[ESP+4],-1                     
008F48B1    74 06           JE SHORT XieXieMa.008F48B9                       ; // first argument == -1: ACProtect SDK call
008F48B3    90              NOP
008F48B4    90              NOP
008F48B5    90              NOP
008F48B6    90              NOP
008F48B7    FFE0            JMP EAX                                          ; // ordinary MessageBox call
008F48B9    C2 1000         RETN 10                                          ; // pop 4 args, return to 4090A9



// Note: the bytes just copied (REP MOVS above) are the 0x3445 bytes starting at 4090AB, copied to 1455E8.
// That is the Embedded Protect stub itself together with the still-encrypted user code; it is kept on the heap and is what gets written back when the Embedded Protect region finishes and the original bytes are restored.

; Back in the user image at the return address.  The bytes from 004090AB on are
; the start of the region that was just backed up: PUSHAD followed by
; DEC EAX / INC EBP / STC is the opening of another protector stub, not user
; code - the real code here is still encrypted at this point.
004090A9    61              POPAD
004090AA    60              PUSHAD
004090AB    60              PUSHAD                                  ; // start of the backed-up region (4090AB)
004090AC    48              DEC EAX
004090AD    45              INC EBP
004090AE    F9              STC
...
0040913C    ^ F85 DDFFFFFF JNZ Xie.0040911F                        ; // backward 0F85 xxFFFFFF: end of a decrypt loop
00409142   .  E8 00000000   CALL Xie.00409147                       ; // CALL $+5: delta-offset trick, next stub


// There is a lot more SMC here; search for 0F85 XXFFFFFF (the backward JNZ that closes each decrypt loop) and step past it.
// Hardware execution breakpoints can be placed at 40918D, 409297, 409395, 409570, 409603, 40965E, 4096AE. Note that a later SEH handler (at 40A926) zeroes DR0–DR3 in the thread context, so hardware breakpoints set before that point must be re-armed afterwards.


; Obfuscated forms of ordinary loop bookkeeping: SUB EDX,-4 is ADD EDX,4 and
; ADD EBP,-1 is DEC EBP.
0040969F      81EA FCFFFFFF           SUB EDX,-4                             ; // EDX += 4
004096A5      83C5 FF                 ADD EBP,-1                             ; // EBP-- (loop counter)
004096A8    ^ 0F85 DFFFFFFF           JNZ Xie.0040968D                       ; // end of decrypt loop
004096AE      E9 F41D0000             JMP Xie.0040B4A7


0040B4A7      E8 B3FDFFFF             CALL Xie.0040B25F              ;  // F7 (step into)


0040B25F      60            PUSHAD                                  ; // this entry byte is later patched to C3 (RETN) at 40B414
0040B260      45            INC EBP
0040B261      F9            STC
...

0040B3EF    ^ F85 6DFFFFFF JNZ Xie.0040B362                          ; // end of decrypt loop
; CALL / ADD [ESP],6 / RETN: the CALL pushes 0040B3FA, +6 = 0040B400, so the
; RETN is a jump to 0040B400 that skips nothing here but breaks the
; call/return pairing a disassembler (and the CPU return predictor) expects.
0040B3F5      E8 01000000   CALL Xie.0040B3FB
0040B3FB   ?  830424 06     ADD DWORD PTR SS:[ESP],6
0040B3FF      C3            RETN
0040B400      66:C1CE BE    ROR SI,0BE                               ;  Shift constant out of range 1..31 - the CPU masks the count, so it executes; presumably junk
0040B404      77 04         JA SHORT Xie.0040B40A
0040B406      66:BA 9E9F    MOV DX,9F9E
0040B40A      E8 D5F9FFFF   CALL Xie.0040ADE4                        ;  // F7 (step into)


0040ADE4    ...
//SMC
0040AF87    C1FB 8A         SAR EBX,8A                               ; Shift constant out of range 1..31 (count masked by the CPU; EBX is overwritten next anyway)
0040AF8A    BB 745319E0     MOV EBX,E0195374
; Routine pattern seen throughout: CALL 409AE2 sets the delta EBP = 80AB, then
; the routine's own entry (here [EBP+402D39] = 40ADE4) is patched to C3/RETN so
; it can only run once.
0040AF8F    E8 4EEBFFFF     CALL XieXieMa.00409AE2                   ; // EBP = 80AB (delta offset)
0040AF94    C685 392D4000 C>MOV BYTE PTR SS:[EBP+402D39],0C3         ; // [40ADE4] = RETN : one-shot
; Module-base discovery: from a code address (EBX - EBP - 1EF5) walk backwards
; one byte at a time until "MZ" is found whose e_lfanew is < 0x1000 and points
; at "PE".  There is no lower bound on the scan.
0040AF9B    E8 00000000     CALL XieXieMa.0040AFA0
0040AFA0    5B              POP EBX                                  ; // EBX = 40AFA0
0040AFA1    2BDD            SUB EBX,EBP
0040AFA3    81EB F51E0000   SUB EBX,1EF5
0040AFA9    8BF3            MOV ESI,EBX
0040AFAB    4E              DEC ESI
0040AFAC    66:8B16         MOV DX,WORD PTR DS:[ESI]
0040AFAF    66:81FA 4D5A    CMP DX,5A4D                              ; // "MZ"
0040AFB4  ^ 75 F5           JNZ SHORT XieXieMa.0040AFAB              ; // scan backwards for the DOS header
0040AFB6    0FB756 3C       MOVZX EDX,WORD PTR DS:[ESI+3C]           ; // e_lfanew = E8, offset of the PE header
0040AFBA    66:F7C2 00F0    TEST DX,0F000                            ; // sanity: e_lfanew must be < 0x1000
0040AFBF  ^ 75 EA           JNZ SHORT XieXieMa.0040AFAB
0040AFC1    0FB70C16        MOVZX ECX,WORD PTR DS:[ESI+EDX]
0040AFC5    81F9 50450000   CMP ECX,4550                             ; // "PE"
0040AFCB  ^ 75 DE           JNZ SHORT XieXieMa.0040AFAB
0040AFCD    89B5 F8194000   MOV DWORD PTR SS:[EBP+4019F8],ESI        ; // save image base 400000 at 409AA3
; Offsets below are from the "PE\0\0" signature (IMAGE_NT_HEADERS32):
; +1C SizeOfCode, +28 AddressOfEntryPoint, +50 SizeOfImage.
0040AFD3    8BFE            MOV EDI,ESI
0040AFD5    03FA            ADD EDI,EDX                              ; // EDI = 4000E8 -> "PE"
0040AFD7    8B47 50         MOV EAX,DWORD PTR DS:[EDI+50]            ; // SizeOfImage = 50CDD0
0040AFDA    03C6            ADD EAX,ESI                              ; // + image base = end of image (90CDD0)
0040AFDC    8985 F0194000   MOV DWORD PTR SS:[EBP+4019F0],EAX        ; // save at 409A9B (used later as a scan limit)
0040AFE2    8B47 1C         MOV EAX,DWORD PTR DS:[EDI+1C]            ; // SizeOfCode = 50C000
0040AFE5    03C6            ADD EAX,ESI                              ; // + image base
0040AFE7    05 00010000     ADD EAX,100                              ; // + 100
0040AFEC    8985 F4194000   MOV DWORD PTR SS:[EBP+4019F4],EAX        ; // save at 409A9F
; Header integrity check: the entry-point RVA is compared with two stored
; values.  Equal to [409A93] (9BF0A) or different from [409A97] (4E8000) ->
; 40B012, whose code is not shown; equal to 4E8000 (the packed EP, RVA of
; 8E8000) -> 40B014.  Presumably detects an unpacker that has repointed the
; entry point (TODO confirm what 40B012 does).
0040AFF2    8B47 28         MOV EAX,DWORD PTR DS:[EDI+28]            ; // AddressOfEntryPoint = 4E8000 (RVA)
0040AFF5    3B85 E8194000   CMP EAX,DWORD PTR SS:[EBP+4019E8]        ; // [409A93] = 9BF0A
0040AFFB    74 15           JE SHORT XieXieMa.0040B012               ; // sensitive values read here: SizeOfImage, SizeOfCode, EP
0040AFFD    90              NOP
0040AFFE    90              NOP
0040AFFF    90              NOP
0040B000    90              NOP
0040B001    3B85 EC194000   CMP EAX,DWORD PTR SS:[EBP+4019EC]        ; // [409A97] = 4E8000
0040B007    75 09           JNZ SHORT XieXieMa.0040B012
0040B009    90              NOP
0040B00A    90              NOP
0040B00B    90              NOP
0040B00C    90              NOP
0040B00D    EB 05           JMP SHORT XieXieMa.0040B014              ; // to the SMC re-encryption stub (Dynamic Encrypt end)
; Stub: ESI = 40B01A - 6 - 85 = 40AF8F, i.e. this routine from its CALL 409AE2
; onwards is transformed in place after use.
0040B014    60              PUSHAD
0040B015    E8 00000000     CALL XieXieMa.0040B01A
0040B01A    5E              POP ESI
0040B01B    83EE 06         SUB ESI,6
0040B01E    B9 85000000     MOV ECX,85
0040B023    29CE            SUB ESI,ECX                              ; // ESI = 40AF8F
0040B025    BA B2DC5B11     MOV EDX,115BDCB2
0040B02A    C1E9 02         SHR ECX,2
0040B02D    83E9 02         SUB ECX,2
0040B030    83F9 00         CMP ECX,0
0040B033    7C 1A           JL SHORT XieXieMa.0040B04F
0040B035    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040B038    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040B03C    33C3            XOR EAX,EBX
0040B03E    C1C8 12         ROR EAX,12
0040B041    03C2            ADD EAX,EDX
0040B043    81C2 A7DC7C20   ADD EDX,207CDCA7
0040B049    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040B04C    49              DEC ECX
0040B04D  ^ EB E1           JMP SHORT XieXieMa.0040B030
0040B04F    61              POPAD
0040B050    61              POPAD
0040B051    C3              RETN                                   ; // return to 40B40F


0040B40F      E8 CEE6FFFF   CALL Xie.00409AE2                      ; // F8 (step over), EBP = 80AB
0040B414      C685 B4314000>MOV BYTE PTR SS:[EBP+4031B4],0C3       ; // patch 40B25F to RETN: this routine runs only once
; Scan the image from [EBP+4040A5] (40C150) up to the end-of-image value saved
; at 409A9B (90CDD0) for the 12-byte marker "RETRIVAPIZCF"; the 0x26 dwords
; that follow it (+0E) are copied to 4099F7 - the author identifies these as
; the packer's resolved API pointers (the debugger checks below call through
; this table, e.g. [EBP+401994] and [EBP+4019AC]).
0040B41B      8DB5 A5404000 LEA ESI,DWORD PTR SS:[EBP+4040A5]      ; // ESI = 40C150
0040B421      46            INC ESI
0040B422      3BB5 F0194000 CMP ESI,DWORD PTR SS:[EBP+4019F0]        ;  Xie.0090CDD0 - scan limit (image base + SizeOfImage)
0040B428      77 36         JA SHORT Xie.0040B460                    ; // not found: bail out (code not shown)
0040B42A      90            NOP
0040B42B      90            NOP
0040B42C      90            NOP
0040B42D      90            NOP
0040B42E    8B06            MOV EAX,DWORD PTR DS:[ESI]
0040B430    3D 52455452     CMP EAX,52544552                         ; // "RETR"
0040B435  ^ 75 EA           JNZ SHORT XieXieMa.0040B421              ; // found only at ESI = 8F44D1
0040B437    8B46 04         MOV EAX,DWORD PTR DS:[ESI+4]
0040B43A    3D 49564150     CMP EAX,50415649                         ; // "IVAP"
0040B43F  ^ 75 E0           JNZ SHORT XieXieMa.0040B421
0040B441    8B46 08         MOV EAX,DWORD PTR DS:[ESI+8]
0040B444    3D 495A4346     CMP EAX,46435A49                         ; // "IZCF"
0040B449  ^ 75 D6           JNZ SHORT XieXieMa.0040B421              ; // "RETRIVAPIZCF"
0040B44B    83C6 0E         ADD ESI,0E                               ; // ESI = 8F44DF : data after the marker
0040B44E    8DBD 4C194000   LEA EDI,DWORD PTR SS:[EBP+40194C]        ; // EDI = 4099F7
0040B454    B9 26000000     MOV ECX,26                               ; // 0x26 dwords = 0x98 bytes
0040B459    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  ;// API table used by the packer, incl. the debugger-detection APIs

; Import-name table at 008F4361, immediately preceding the "RETRIVAPIZCF"
; marker located above.  KERNEL32: GlobalAlloc, GlobalFree, GetCurrentProcessId,
; CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle,
; CreateFileA, TerminateProcess, IsDebuggerPresent, OpenProcess, ReadFile,
; WriteFile, FreeLibrary, GetTempPathA, UnhandledExceptionFilter,
; GetThreadContext, SetThreadContext, GetCurrentThread.  USER32: EnumWindows,
; GetWindowTextA, GetClassNameA, PostMessageA.
; NOTE(review): IsDebuggerPresent and UnhandledExceptionFilter are visibly used
; by the checks below.  Toolhelp32 + OpenProcess/TerminateProcess, Get/Set
; ThreadContext, and EnumWindows/GetWindowText/GetClassName are the usual
; ingredients of process-list, debug-register and window-title debugger
; checks - inferred from the names only; confirm against the code that uses them.
008F4361  00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 47  ..KERNEL32.DLL.G
008F4371  6C 6F 62 61 6C 41 6C 6C 6F 63 00 47 6C 6F 62 61  lobalAlloc.Globa
008F4381  6C 46 72 65 65 00 47 65 74 43 75 72 72 65 6E 74  lFree.GetCurrent
008F4391  50 72 6F 63 65 73 73 49 64 00 43 72 65 61 74 65  ProcessId.Create
008F43A1  54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68  Toolhelp32Snapsh
008F43B1  6F 74 00 50 72 6F 63 65 73 73 33 32 46 69 72 73  ot.Process32Firs
008F43C1  74 00 50 72 6F 63 65 73 73 33 32 4E 65 78 74 00  t.Process32Next.
008F43D1  43 6C 6F 73 65 48 61 6E 64 6C 65 00 43 72 65 61  CloseHandle.Crea
008F43E1  74 65 46 69 6C 65 41 00 54 65 72 6D 69 6E 61 74  teFileA.Terminat
008F43F1  65 50 72 6F 63 65 73 73 00 49 73 44 65 62 75 67  eProcess.IsDebug
008F4401  67 65 72 50 72 65 73 65 6E 74 00 4F 70 65 6E 50  gerPresent.OpenP
008F4411  72 6F 63 65 73 73 00 52 65 61 64 46 69 6C 65 00  rocess.ReadFile.
008F4421  57 72 69 74 65 46 69 6C 65 00 46 72 65 65 4C 69  WriteFile.FreeLi
008F4431  62 72 61 72 79 00 47 65 74 54 65 6D 70 50 61 74  brary.GetTempPat
008F4441  68 41 00 55 6E 68 61 6E 64 6C 65 64 45 78 63 65  hA.UnhandledExce
008F4451  70 74 69 6F 6E 46 69 6C 74 65 72 00 47 65 74 54  ptionFilter.GetT
008F4461  68 72 65 61 64 43 6F 6E 74 65 78 74 00 53 65 74  hreadContext.Set
008F4471  54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 47 65  ThreadContext.Ge
008F4481  74 43 75 72 72 65 6E 74 54 68 72 65 61 64 00 55  tCurrentThread.U
008F4491  53 45 52 33 32 2E 44 4C 4C 00 45 6E 75 6D 57 69  SER32.DLL.EnumWi
008F44A1  6E 64 6F 77 73 00 47 65 74 57 69 6E 64 6F 77 54  ndows.GetWindowT
008F44B1  65 78 74 41 00 47 65 74 43 6C 61 73 73 4E 61 6D  extA.GetClassNam
008F44C1  65 41 00 50 6F 73 74 4D 65 73 73 61 67 65 41 00  eA.PostMessageA.
008F44D1  52 45 54 52 49 56 41 50 49 5A 43 46 00 00        RETRIVAPIZCF..


0040B45B    EB 05           JMP SHORT XieXieMa.0040B462
; Re-encryption stub: ESI = 40B468 - 6 - 58 = 40B40A, so 40B40A..40B462 (the
; marker-scan routine that just ran) is transformed in place.  Mix here is
; ADD / ROL 17 / XOR key, with the key advanced by XOR.
0040B462    60              PUSHAD
0040B463    E8 00000000     CALL XieXieMa.0040B468
0040B468    5E              POP ESI
0040B469    83EE 06         SUB ESI,6
0040B46C    B9 58000000     MOV ECX,58
0040B471    29CE            SUB ESI,ECX                              ; // ESI = 40B40A
0040B473    BA CE2308FB     MOV EDX,FB0823CE
0040B478    C1E9 02         SHR ECX,2
0040B47B    83E9 02         SUB ECX,2
0040B47E    83F9 00         CMP ECX,0
0040B481    7C 1A           JL SHORT XieXieMa.0040B49D
0040B483    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040B486    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040B48A    03C3            ADD EAX,EBX
0040B48C    C1C0 17         ROL EAX,17
0040B48F    33C2            XOR EAX,EDX
0040B491    81F2 08F96AB7   XOR EDX,B76AF908
0040B497    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040B49A    49              DEC ECX
0040B49B  ^ EB E1           JMP SHORT XieXieMa.0040B47E
0040B49D    61              POPAD
0040B49E    61              POPAD
0040B49F    C3              RETN                                    ; // return to 40B4AC



; Junk / anti-disassembly section.  Recurring tricks visible here:
;  - complementary conditional jumps to the same target (JLE/JG, JPE/JPO,
;    JB/JNB) followed by a stray opcode byte: an unconditional jump that makes a
;    linear disassembler decode the stray byte as the start of an instruction;
;  - CALL next / ADD [ESP],6 / RETN: pushes the return address, bumps it by 6
;    and "returns" to it, i.e. a jump over one byte that also defeats simple
;    call/return tracing;
;  - PUSH EAX / CALL / POP EAX / POP EAX: stack-balanced no-op.
; None of these change program state; only the addresses the author marks
; matter when stepping.
0040B4AC      7E 03                   JLE SHORT Xie.0040B4B1                   ; // JLE + JG to the same target = unconditional jump
0040B4AE      7F 01                   JG SHORT Xie.0040B4B1
0040B4B0      90                      NOP
0040B4B1      2BF3                    SUB ESI,EBX
...
0040B522      83C4 04                 ADD ESP,4                                ; // discard one dword left on the stack
0040B525      E8 7CF4FFFF             CALL Xie.0040A9A6                        ; // F8 (step over): the target is just a RETN
0040B52A      E9 0E000000             JMP Xie.0040B53D
0040B52F      0F80 03000000           JO Xie.0040B538                          ; // never reached (jumped over)
0040B535      66:0BCD                 OR CX,BP
0040B538      B9 568278B8             MOV ECX,B8788256
0040B53D      BA 0E3796B9             MOV EDX,B996370E
0040B542      4F                      DEC EDI
0040B543      81F2 E04372E0           XOR EDX,E07243E0
0040B549      E8 01000000             CALL Xie.0040B54F                        ; // pushes 40B54E ...
0040B54E      7B                      DB 7B                                    ;  CHAR '{' - stray byte, skipped
0040B54F      830424 06               ADD DWORD PTR SS:[ESP],6                 ; // ... 40B54E + 6 = 40B554
0040B553      C3                      RETN                                     ; // "return" = jump to 40B554
0040B554      FC                      CLD
0040B555      BB DC1195D8             MOV EBX,D89511DC
0040B55A      F9                      STC
0040B55B      81EB 9C1195D8           SUB EBX,D895119C                         ; // EBX = 40
0040B561      E8 01000000             CALL Xie.0040B567                        ; // same CALL/ADD/RETN jump-over-one-byte trick
0040B566      E9                      DB E9
0040B567      830424 06               ADD DWORD PTR SS:[ESP],6
0040B56B      C3                      RETN
0040B56C      E8 75EDFFFF             CALL Xie.0040A2E6                        ; // F8 (step over): just a RETN
0040B571      66:C1C9 D8              ROR CX,0D8                               ;  Shift constant out of range 1..31 (count masked by the CPU)
0040B575      8B30                    MOV ESI,DWORD PTR DS:[EAX]               ; // loop body starts here (see JNZ at 40B5FC)
0040B577      7A 03                   JPE SHORT Xie.0040B57C                   ; // JPE + JPO to the same target = unconditional jump
0040B579   .  7B 01                   JPO SHORT Xie.0040B57C
0040B57B      90                      NOP
0040B57C      F9                      STC
0040B57D      33F2                    XOR ESI,EDX
0040B57F   .  72 03                   JB SHORT Xie.0040B584                    ; // JB + JNB to the same target = unconditional jump
0040B581      73 01                   JNB SHORT Xie.0040B584
0040B583      EB                      DB EB
0040B584      E8 52F6FFFF             CALL Xie.0040ABDB                        ; // F7 (step into)


There is a great deal of junk code in 40ABDB; again, search for the backward 0F85 XXFFFFFF to find the end of its decrypt loop:

0040AD77      83E8 01                 SUB EAX,1
0040AD7A    ^ 0F85 65FFFFFF           JNZ Xie.0040ACE5                         ; // end of decrypt loop
0040AD80      EB 01                   JMP SHORT Xie.0040AD83
0040AD82      77                      DB 77                                    ;  CHAR 'w' - stray byte
0040AD83      76 01                   JBE SHORT Xie.0040AD86
0040AD85      FC                      CLD
; IsDebuggerPresent check, called indirectly through the packer's API table
; ([EBP+401994] = 409A3F, inside the 0x26-dword table copied to 4099F7), so a
; breakpoint on the import thunk is not enough to see it.  IsDebuggerPresent
; returns the PEB BeingDebugged flag.
0040AD86      E8 57EDFFFF             CALL Xie.00409AE2                        ; // EBP = 80AB
0040AD8B      C685 302B4000 C3        MOV BYTE PTR SS:[EBP+402B30],0C3         ; // patch entry 40ABDB to RETN: one-shot
0040AD92      FF95 94194000           CALL DWORD PTR SS:[EBP+401994]           ; // KERNEL32.IsDebuggerPresent !!!
0040AD98      0BC0                    OR EAX,EAX                               ; // 0 = no debugger, continue; non-zero = debugger detected
0040AD9A      74 05                   JE SHORT Xie.0040ADA1
0040AD9C      90                      NOP
0040AD9D      90                      NOP
0040AD9E      90                      NOP
0040AD9F      90                      NOP
; Reached only when a debugger was detected: POPFD pops an arbitrary dword into
; EFLAGS and shifts ESP by 4, so the POPAD / POPAD / RETN at the end of the stub
; below are misaligned and the RETN goes to whatever lies 4 bytes further up
; the stack - the "exit" path the author refers to.
0040ADA0      9D                      POPFD                                    ; // desynchronises the stack by 4 on the debugger path
; Re-encryption stub: ESI = 40ADA7 - 6 - 1B = 40AD86, this routine from its
; CALL 409AE2 onwards.
0040ADA1      60                      PUSHAD
0040ADA2      E8 00000000             CALL Xie.0040ADA7
0040ADA7      5E                      POP ESI
0040ADA8      83EE 06                 SUB ESI,6
0040ADAB      B9 1B000000             MOV ECX,1B
0040ADB0      29CE                    SUB ESI,ECX                              ; // ESI = 40AD86
0040ADB2      BA C305CEE5             MOV EDX,E5CE05C3
0040ADB7      C1E9 02                 SHR ECX,2
0040ADBA      83E9 02                 SUB ECX,2
0040ADBD      83F9 00                 CMP ECX,0
0040ADC0      7C 1A                   JL SHORT Xie.0040ADDC
0040ADC2      8B048E                  MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040ADC5      8B5C8E 04               MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040ADC9      2BC3                    SUB EAX,EBX
0040ADCB      C1C0 01                 ROL EAX,1
0040ADCE      2BC2                    SUB EAX,EDX
0040ADD0      81EA 46CC2620           SUB EDX,2026CC46
0040ADD6      89048E                  MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040ADD9      49                      DEC ECX
0040ADDA    ^ EB E1                   JMP SHORT Xie.0040ADBD
0040ADDC      61                      POPAD
0040ADDD      61                      POPAD
0040ADDE      C3                      RETN                                     ; // return to 40B589 (only if ESP was not shifted by the POPFD)


; More junk-laden loop code (same tricks as above).  Author's stepping advice:
; follow the backward 0F85 xxFFFFFF jumps, use hardware execution breakpoints
; after each loop, and step over the CALLs noted as "just a RETN".
0040B589     /E9 05000000             JMP Xie.0040B593
0040B58E     |BF 7E72C26D             MOV EDI,6DC2727E                         ; // jumped over
0040B593     C1CE 0A                 ROR ESI,0A
0040B596      E8 01000000             CALL Xie.0040B59C                        ; // CALL/ADD [ESP],6/RETN = jump to 40B5A1
0040B59B      78                      DB 78                                    ;  CHAR 'x'
0040B59C      830424 06               ADD DWORD PTR SS:[ESP],6
0040B5A0      C3                      RETN
0040B5A1     /0F82 01000000           JB Xie.0040B5A8
0040B5A7     |FC                      CLD
0040B5A8      370 04                 ADD ESI,DWORD PTR DS:[EAX+4]
; PUSH EAX / CALL / POP EAX / POP EAX: the CALL pushes 40B5B1, the first POP
; takes it, the second restores EAX - net effect nil, stack balanced.
0040B5AB      50                      PUSH EAX
0040B5AC      E8 01000000             CALL Xie.0040B5B2
0040B5B1      90                      NOP
0040B5B2      58                      POP EAX                                  ; // EAX = 40B5B1 (return address)
0040B5B3      58                      POP EAX                                  ; // EAX restored
0040B5B4      41                      INC ECX
0040B5B5      0F88 01000000           JS Xie.0040B5BC
0040B5BB      F9                      STC
0040B5BC      8930                    MOV DWORD PTR DS:[EAX],ESI               ; // store the transformed dword back
0040B5BE      EB 01                   JMP SHORT Xie.0040B5C1
0040B5C0      90                      NOP
0040B5C1      8BCA                    MOV ECX,EDX
0040B5C3      81C2 26FD7F26           ADD EDX,267FFD26                         ; // advance key
0040B5C9      EB 01                   JMP SHORT Xie.0040B5CC
0040B5CB      EB                      DB EB
0040B5CC      E9 0C000000             JMP Xie.0040B5DD

0040B5DD      81E8 FCFFFFFF           SUB EAX,-4                               ; // EAX += 4 : next dword
0040B5E3      E8 01000000             CALL Xie.0040B5E9                        ; // CALL/ADD/RETN = jump to 40B5EE over the 90
0040B5E8      90                      NOP
0040B5E9      830424 06               ADD DWORD PTR SS:[ESP],6
0040B5ED      C3                      RETN
0040B5EE      E9 08000000             JMP Xie.0040B5FB

0040B5FB      4B                      DEC EBX                                  ; // EBX = remaining dwords
0040B5FC    ^ 0F85 73FFFFFF           JNZ Xie.0040B575                         ; // outer loop
0040B602      E8 01000000             CALL Xie.0040B608                        ; // set a hardware execution breakpoint here, F9 (run), then remove it
0040B607      73                      DB 73                                    ;  CHAR 's'
0040B608      830424 06               ADD DWORD PTR SS:[ESP],6
0040B60C      C3                      RETN
0040B60D      E9 03000000             JMP Xie.0040B615

; CALL $+5 / POP EBP: EBP = 40B61A.  [EBP+29] = [40B643] is the 32-bit
; immediate of the PUSH 0040B719 at 40B642 (bytes 19 B7 40 00).  Because
; 40B61A < 40B719 (signed) the JL is taken and nothing changes; if the code ran
; at an address >= that immediate it would be rewritten by adding the current
; address.  Presumably a self-check against the code being copied/relocated -
; TODO confirm.
0040B615      E8 00000000             CALL Xie.0040B61A
0040B61A      5D                      POP EBP                                  ; // EBP = 40B61A (own address)
0040B61B      8BC5                    MOV EAX,EBP
0040B61D      3B45 29                 CMP EAX,DWORD PTR SS:[EBP+29]            ; // [40B643] = 40B719
0040B620      7C 06                   JL SHORT Xie.0040B628                    ; // taken here
0040B622      0345 29                 ADD EAX,DWORD PTR SS:[EBP+29]
0040B625      8945 29                 MOV DWORD PTR SS:[EBP+29],EAX            ; // would patch the PUSH immediate at 40B643
0040B628      E8 01000000             CALL Xie.0040B62E                        ; // CALL/ADD/RETN = jump to 40B633
0040B62D      90                      NOP
0040B62E      830424 06               ADD DWORD PTR SS:[ESP],6
0040B632      C3                      RETN
0040B633      E9 0A000000             JMP Xie.0040B642

0040B642      68 19B74000             PUSH Xie.0040B719                        ; // PUSH imm / POP EDI = MOV EDI,40B719 split around INC EBX
0040B647      43                      INC EBX
0040B648      5F                      POP EDI                                  ; // EDI = 40B719
0040B649      EB 01                   JMP SHORT Xie.0040B64C
0040B64B      90                      NOP
0040B64C      79 02                   JNS SHORT Xie.0040B650
0040B64E      85D8                    TEST EAX,EBX
0040B650      BD B44B1C1A             MOV EBP,1A1C4BB4
0040B655      0F89 03000000           JNS Xie.0040B65E
0040B65B      66:8BDA                 MOV BX,DX
0040B65E      81ED 5F1C37D6           SUB EBP,D6371C5F                         ; // EBP = 43E52F55 (loop count, obfuscated constant)
0040B664      72 03                   JB SHORT Xie.0040B669                    ; // JB + JNB = unconditional jump over the E8 byte
0040B666      73 01                   JNB SHORT Xie.0040B669
0040B668      E8                      DB E8
0040B669      E8 38F3FFFF             CALL Xie.0040A9A6                        ; // F8 (step over): it is only a RETN
0040B66E      D3F8                    SAR EAX,CL
0040B670      C1DB 54                 RCR EBX,54                               ;  Shift constant out of range 1..31 (count masked by the CPU)
0040B673      68 45000000             PUSH 45
...

0040B70A      83E9 01                 SUB ECX,1
0040B70D    ^ 0F85 77FFFFFF           JNZ Xie.0040B68A                         ; // loop
0040B713     /EB 01                   JMP SHORT Xie.0040B716
0040B715     |75                      DB 75                                    ;  CHAR 'u'
...

0040B80E      E9 01000000             JMP Xie.0040B814
0040B813      4A                      DB 4A                                    ;  CHAR 'J'
0040B814      83C5 FF                 ADD EBP,-1                               ; // EBP--
0040B817    ^ 0F85 4EFFFFFF           JNZ Xie.0040B76B                         ; // loop
...

0040B89B      50                      PUSH EAX                                 ; // PUSH/CALL/POP/POP no-op (see 40B5AB)
0040B89C      E8 01000000             CALL Xie.0040B8A2
0040B8A1      75                      DB 75                                    ;  CHAR 'u'
0040B8A2      58                      POP EAX
0040B8A3      58                      POP EAX                                  ;  Xie.0040B8A1
0040B8A4      E8 32F3FFFF             CALL Xie.0040ABDB                        ; // the IsDebuggerPresent routine again - its entry was patched to RETN at 40AD8B, so this is now a no-op
...

0040B907     /EB 01                   JMP SHORT Xie.0040B90A
0040B909     |7D                      DB 7D                                    ;  CHAR '}'
0040B90A     C1D8 E6                 RCR EAX,0E6                              ;  Shift constant out of range 1..31 (count masked by the CPU)
0040B90D      83C6 FF                 ADD ESI,-1                               ; // ESI--
0040B910    ^ 0F85 82FFFFFF           JNZ Xie.0040B898                         ; // loop
0040B916      E8 01000000             CALL Xie.0040B91C


0040BA0C      83C4 04                 ADD ESP,4
0040BA0F      E9 01000000             JMP Xie.0040BA15
0040BA14      4A                      DB 4A                                    ;  CHAR 'J'
0040BA15      83C3 FF                 ADD EBX,-1                               ; // EBX--
0040BA18    ^ 0F85 7CFFFFFF           JNZ Xie.0040B99A                         ; // loop
0040BA1E     /EB 01                   JMP SHORT Xie.0040BA21


0040BAE1      66:C1D8 B7              RCR AX,0B7                               ;  Shift constant out of range 1..31 (count masked by the CPU)
0040BAE5      81EE 0C4B6D33           SUB ESI,336D4B0C
0040BAEB      EB 01                   JMP SHORT Xie.0040BAEE
0040BAED      7F                      DB 7F
0040BAEE      E8 77ECFFFF             CALL Xie.0040A76A                        ;  // F7 (step into)




F7 (step into) 40A76A; it begins with SMC that decrypts the routine, ending at the backward JNZ below:
 

0040A905     /77 01                   JA SHORT Xie.0040A908
0040A907     |4F                      DB 4F                                    ;  CHAR 'O'
0040A908     49                      DEC ECX
0040A909    ^ 0F85 7AFFFFFF           JNZ Xie.0040A889                         ; // end of decrypt loop
0040A90F      72 03                   JB SHORT Xie.0040A914                    ; // JB + JNB = unconditional jump over the E8 byte
0040A911      73 01                   JNB SHORT Xie.0040A914
0040A913      E8                      DB E8
0040A914      FC                      CLD
0040A915      E8 C8F1FFFF             CALL Xie.00409AE2                        ; // EBP = 80AB, F8 (step over)
0040A91A      C685 BF264000 C3        MOV BYTE PTR SS:[EBP+4026BF],0C3         ; // patch entry 40A76A to RETN: one-shot
; The CALL below pushes its return address 40A926 - which is the SEH handler.
; 40A950 then pushes fs:[0] on top, forming a valid EXCEPTION_REGISTRATION
; {prev, handler} on the stack before raising INT3.
0040A921      E8 2A000000             CALL Xie.0040A950                        ; // install the SEH frame; return address doubles as handler pointer

// SEH handler (entered on the INT3 raised at 40A958)
; SEH handler.  Args: [ESP+4] = EXCEPTION_RECORD*, [ESP+C] = CONTEXT*.
; It advances Context.Eip past the 1-byte INT3 and, for STATUS_BREAKPOINT
; (80000003), zeroes Dr0..Dr3 in the context - so any hardware breakpoints the
; debugger set before this point are wiped when the context is restored.  Dr7
; (enable bits) is not touched.  Return EAX = 0 = ExceptionContinueExecution;
; for any other exception code EAX is left as (code - 80000003), a non-zero
; value that is not a documented disposition.
0040A926      8B4424 04               MOV EAX,DWORD PTR SS:[ESP+4]             ; // EAX -> EXCEPTION_RECORD
0040A92A      8B4C24 0C               MOV ECX,DWORD PTR SS:[ESP+C]             ; // ECX -> CONTEXT
0040A92E      FF81 B8000000           INC DWORD PTR DS:[ECX+B8]                ; // Context.Eip + 1 = 40A959 : resume after the INT3
0040A934      8B00                    MOV EAX,DWORD PTR DS:[EAX]               ; // ExceptionCode (INT3 = 80000003)
0040A936      2D 03000080             SUB EAX,80000003
0040A93B      75 12                   JNZ SHORT Xie.0040A94F                   ; // not a breakpoint exception: return non-zero
0040A93D      90                      NOP
0040A93E      90                      NOP
0040A93F      90                      NOP
0040A940      90                      NOP
0040A941      33C0                    XOR EAX,EAX
0040A943      8941 04                 MOV DWORD PTR DS:[ECX+4],EAX            ; // Context.Dr0 = 0
0040A946      8941 08                 MOV DWORD PTR DS:[ECX+8],EAX            ; // Context.Dr1 = 0
0040A949   ?  8941 0C                 MOV DWORD PTR DS:[ECX+C],EAX            ; // Context.Dr2 = 0
0040A94C      8941 10                 MOV DWORD PTR DS:[ECX+10],EAX           ; // Context.Dr3 = 0
0040A94F      C3                      RETN                                    ; // EAX = 0 -> ExceptionContinueExecution

; Frame install: 40A926 (pushed by the CALL at 40A921) is already on the stack
; as the handler slot; push the previous fs:[0] below it and point fs:[0] here.
0040A950      33C0                    XOR EAX,EAX        
0040A952      64:FF30                 PUSH DWORD PTR FS:[EAX]                 ; // push fs:[0] (prev link)
0040A955      64:8920                 MOV DWORD PTR FS:[EAX],ESP              ; // fs:[0] = 12F5B0 (author) -> new frame
0040A958      CC                      INT3                                    ; // raise breakpoint exception -> handler at 40A926

// After the SEH handler returns, execution resumes here (Context.Eip was advanced past the INT3); hardware breakpoints have been cleared at this point.

0040A959      90                      NOP
0040A95A      64:67:8F06 0000         POP DWORD PTR FS:[0]                    ; // restore previous fs:[0] (the 67: prefix is just an odd encoding)
0040A960      83C4 04                 ADD ESP,4                               ; // drop the handler slot (40A926)
; Re-encryption stub: ESI = 40A969 - 6 - 4E = 40A915, this routine from its
; CALL 409AE2 onwards.
0040A963      60                      PUSHAD
0040A964      E8 00000000             CALL Xie.0040A969
0040A969      5E                      POP ESI
0040A96A      83EE 06                 SUB ESI,6
0040A96D      B9 4E000000             MOV ECX,4E
0040A972      29CE                    SUB ESI,ECX                             ; // ESI = 40A915
0040A974      BA 9400AD26             MOV EDX,26AD0094
0040A979      C1E9 02                 SHR ECX,2
0040A97C      83E9 02                 SUB ECX,2
0040A97F      83F9 00                 CMP ECX,0
0040A982      7C 1A                   JL SHORT Xie.0040A99E
0040A984      8B048E                  MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040A987      8B5C8E 04               MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040A98B      33C3                    XOR EAX,EBX
0040A98D      C1C8 07                 ROR EAX,7
0040A990      2BC2                    SUB EAX,EDX
0040A992      81C2 12C6D782           ADD EDX,82D7C612
0040A998      89048E                  MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040A99B      49                      DEC ECX
0040A99C    ^ EB E1                   JMP SHORT Xie.0040A97F
0040A99E      61                      POPAD
0040A99F      61                      POPAD
0040A9A0      C3                      RETN                                 ; // return to 40BAF3



0040BAF3      87CF                    XCHG EDI,ECX
0040BAF5      83C2 04                 ADD EDX,4
0040BAF8      76 03                   JBE SHORT Xie.0040BAFD                   ; // JBE + JA = unconditional jump over the 7F byte
0040BAFA      77 01                   JA SHORT Xie.0040BAFD
0040BAFC      7F                      DB 7F
0040BAFD      FC                      CLD
0040BAFE      4D                      DEC EBP
0040BAFF    ^ 0F85 8CFFFFFF           JNZ Xie.0040BA91                     ; // loop
0040BB05      7E 03                   JLE SHORT Xie.0040BB0A                   ; // JLE + JG = unconditional jump
0040BB07      7F 01                   JG SHORT Xie.0040BB0A
0040BB09      77                      DB 77                                ;  CHAR 'w'
0040BB0A      E9 0A000000             JMP Xie.0040BB19

; Same self-check as at 40B615: EBP = 40BB1E, [EBP+16] = [40BB34] is the
; immediate of MOV EAX,0040BC16 at 40BB33 (bytes 16 BC 40 00).  40BB1E < 40BC16
; so JL is taken and the immediate is left alone.
0040BB19      E8 00000000             CALL Xie.0040BB1E
0040BB1E      5D                      POP EBP                                  ; // EBP = 40BB1E
0040BB1F      8BC5                    MOV EAX,EBP
0040BB21      3B45 16                 CMP EAX,DWORD PTR SS:[EBP+16]            ; // [40BB34] = 40BC16
0040BB24      7C 06                   JL SHORT Xie.0040BB2C                    ; // taken here
0040BB26      0345 16                 ADD EAX,DWORD PTR SS:[EBP+16]
0040BB29      8945 16                 MOV DWORD PTR SS:[EBP+16],EAX            ; // would patch the MOV immediate at 40BB34
0040BB2C      7E 03                   JLE SHORT Xie.0040BB31                   ; // JLE + JG = unconditional jump
0040BB2E      7F 01                   JG SHORT Xie.0040BB31
0040BB30      78                      DB 78                                    ;  CHAR 'x'
0040BB31      F9                      STC
0040BB32      F9                      STC
0040BB33      B8 16BC4000             MOV EAX,Xie.0040BC16                     ; // EAX -> data at 40BC16 (read at 40BB8C)
0040BB38      E8 01000000             CALL Xie.0040BB3E                        ; // CALL + ADD ESP,4 = jump over the 76 byte
0040BB3D      76                      DB 76                                    ;  CHAR 'v'
0040BB3E      83C4 04                 ADD ESP,4                                ; // discard the pushed return address
0040BB41     /E9 09000000             JMP Xie.0040BB4F

0040BB4F      B9 89CA9E24             MOV ECX,249ECA89
0040BB54      66:81E5 9488            AND BP,8894
0040BB59      81E9 5C1818AD           SUB ECX,AD18185C                         ; // ECX = 7786B22D (obfuscated constant)
0040BB5F      EB 01                   JMP SHORT Xie.0040BB62
0040BB62     /E9 0C000000             JMP Xie.0040BB73

0040BB73      BE 5BFCBD70             MOV ESI,70BDFC5B
0040BB78      87FD                    XCHG EBP,EDI
0040BB7A      81C6 E903428F           ADD ESI,8F4203E9                         ; // ESI = 00000044 (obfuscated constant)
0040BB80      78 03                   JS SHORT Xie.0040BB85                    ; // JS + JNS = unconditional jump
0040BB82      79 01                   JNS SHORT Xie.0040BB85
0040BB84      76                      DB 76                                    ;  CHAR 'v'
0040BB85      E9 02000000             JMP Xie.0040BB8C
0040BB8A      8B                      DB 8B
0040BB8B      FD                      DB FD
0040BB8C      8B10                    MOV EDX,DWORD PTR DS:[EAX]               ; // EDX = [40BC16]
0040BB8E      E8 01000000             CALL Xie.0040BB94                        ; // CALL + ADD ESP,4 = jump over the 7F byte
0040BB93      7F                      DB 7F
0040BB94      83C4 04                 ADD ESP,4
0040BB97      8BDF                    MOV EBX,EDI
0040BB99      03D1                    ADD EDX,ECX
0040BB9B      EB 01                   JMP SHORT Xie.0040BB9E
0040BB9D      E9                      DB E9
0040BB9E      E8 49E7FFFF             CALL Xie.0040A2EC                        ; // F7 (step into)

// 进入 40A2EC 后, SMC

; // Tail of the in-place decryption loop inside 40A2EC (loop head 40A40A is
; // not shown on this page). The characteristic "0F85 xxFFFFFF" backward JNZ
; // is what the author uses to locate these loops.
0040A47B      46                      INC ESI
0040A47C      4A                      DEC EDX
0040A47D    ^ 0F85 87FFFFFF           JNZ Xie.0040A40A                         ; // loop
0040A483     /EB 01                   JMP SHORT Xie.0040A486                   ; // skip the junk byte at 40A485
0040A485     |77                      DB 77                                    ;  CHAR 'w'
0040A486     E9 0C000000             JMP Xie.0040A497

; // Start of the decrypted body. 409AE2 returns with EBP = 80AB, which the
; // protector then uses as a base delta: EBP + 402241 = 40A2EC, i.e. the
; // entry of the routine we just called - a RETN (C3) is written there, so
; // any later call into 40A2EC returns immediately (one-shot routine).
; // Likewise EBX = 402409 + EBP = 40A4B4, the target of CALL EBX below.
0040A497   ?  E8 46F6FFFF             CALL Xie.00409AE2                        ; // EBP = 80AB
0040A49C   ?  C685 41224000 C3        MOV BYTE PTR SS:[EBP+402241],0C3         ; // [40A2EC] = RETN
0040A4A3   .  BB 09244000             MOV EBX,Xie.00402409
0040A4A8   ?  03DD                    ADD EBX,EBP                              ; // EBX = 40A4B4
0040A4AA   .  E8 E6F8FFFF             CALL Xie.00409D95                        ; // F7 (step into)


; // Installs a temporary SEH frame (handler EDI = EBP + 4019FC = 409AA7, not
; // shown) and then calls the check routine in EBX (40A4B4). If that routine
; // derails the stack (see the 0CC test below) the fault lands in this handler
; // rather than in the debugger.
00409D95      33C0                    XOR EAX,EAX
00409D97      8DBD FC194000           LEA EDI,DWORD PTR SS:[EBP+4019FC]        ; // EDI = 409AA7
00409D9D      57                      PUSH EDI                                 ; // SEH handler
00409D9E      64:FF30                 PUSH DWORD PTR FS:[EAX]                  ; // push fs:[0] (previous frame)
00409DA1      64:8920                 MOV DWORD PTR FS:[EAX],ESP               ; // fs:[0] = new frame
00409DA4      FFD3                    CALL EBX                                 ; // Call 40A4B4, F7 (step into)

; // Anti-debug: software-breakpoint check on an API entry. The first byte of
; // KERNEL32.UnhandledExceptionFilter is compared with 0CC (INT3). With no
; // breakpoint the JNZ goes straight to RETN and returns to 409DA6. With a
; // breakpoint present the three POPs consume the return address and two more
; // dwords before RETN, so control leaves the expected path (presumably into
; // the SEH frame installed by the caller).
0040A4B4   .  8B85 AC194000           MOV EAX,DWORD PTR SS:[EBP+4019AC]        ; KERNEL32.UnhandledExceptionFilter
0040A4BA      8038 CC                 CMP BYTE PTR DS:[EAX],0CC                ; // is there an INT3 breakpoint on the API?
0040A4BD      75 07                   JNZ SHORT Xie.0040A4C6                   ; // clean -> normal return
0040A4BF      90                      NOP
0040A4C0      90                      NOP
0040A4C1      90                      NOP
0040A4C2      90                      NOP
0040A4C3      5F                      POP EDI                                  ; // breakpoint found: pop the return address ...
0040A4C4      5E                      POP ESI
0040A4C5      5A                      POP EDX
0040A4C6      C3                      RETN                                     ; // return to 409DA6 (clean path)


; // Unlink the temporary SEH frame installed at 409D9D-409DA1 and return to
; // the caller (40A4AF).
00409DA6      2BC0                    SUB EAX,EAX
00409DA8      64:8F00                 POP DWORD PTR FS:[EAX]                   ; // restore fs:[0]
00409DAB      58                      POP EAX                                  ; // discard the pushed handler pointer
00409DAC      C3                      RETN                                     ; // return to 40A4AF

; // Re-encryption stub ("Dynamic Encrypt"). After the check above has run,
; // the code that just executed is scrambled back in place:
; //   ESI = (40A4CD - 6) - 30 = 40A497, ECX = 30/4 - 2 = 10
; // so dwords 40A497..40A4C6 (the block from CALL 409AE2 up to this PUSHAD)
; // are transformed from the end backwards, each with its successor dword and
; // a running key in EDX. The same stub shape recurs at 40A077, 40A2A3,
; // 40A721 and 40B221 with different lengths, rotates and key constants.
0040A4AF   . /EB 16                   JMP SHORT Xie.0040A4C7
0040A4B1   . |90                      NOP
0040A4B2   ? |90                      NOP
0040A4B3   . |90                      NOP
0040A4B4   . |8B85 AC194000           MOV EAX,DWORD PTR SS:[EBP+4019AC]
0040A4BA     |8038 CC                 CMP BYTE PTR DS:[EAX],0CC
0040A4BD     |75 07                   JNZ SHORT Xie.0040A4C6
0040A4BF     |90                      NOP
0040A4C0     |90                      NOP
0040A4C1     |90                      NOP
0040A4C2     |90                      NOP
0040A4C3     |5F                      POP EDI
0040A4C4     |5E                      POP ESI
0040A4C5     |5A                      POP EDX
0040A4C6     |C3                      RETN
0040A4C7     60                      PUSHAD
0040A4C8      E8 00000000             CALL Xie.0040A4CD                        ; // CALL +0: get EIP
0040A4CD      5E                      POP ESI                                  ; // ESI = 40A4CD
0040A4CE      83EE 06                 SUB ESI,6
0040A4D1      B9 30000000             MOV ECX,30                               ; // length of the region to re-scramble
0040A4D6      29CE                    SUB ESI,ECX                              ; // ESI = 40A497 (region start)
0040A4D8      BA E4934106             MOV EDX,64193E4                          ; // running key
0040A4DD      C1E9 02                 SHR ECX,2
0040A4E0      83E9 02                 SUB ECX,2                                ; // ECX = last dword index (10)
0040A4E3      83F9 00                 CMP ECX,0
0040A4E6      7C 1A                   JL SHORT Xie.0040A502                    ; // done when index < 0
0040A4E8      8B048E                  MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040A4EB      8B5C8E 04               MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]       ; // successor dword
0040A4EF      2BC3                    SUB EAX,EBX
0040A4F1      C1C0 13                 ROL EAX,13
0040A4F4   .  03C2                    ADD EAX,EDX
0040A4F6   ?  81EA C650EB0B           SUB EDX,0BEB50C6                         ; // advance key
0040A4FC      89048E                  MOV DWORD PTR DS:[ESI+ECX*4],EAX         ; // write back in place
0040A4FF      49                      DEC ECX
0040A500    ^ EB E1                   JMP SHORT Xie.0040A4E3
0040A502      61                      POPAD                                    ; // undo this stub's PUSHAD
0040A503      61                      POPAD                                    ; // undo an earlier PUSHAD (outside this listing)
0040A504      C3                      RETN                                     ; // return to 40BBA3




; // Back in the outer loop body; the JO/CLD/CLC triple is more filler.
0040BBA3     /0F80 01000000           JO Xie.0040BBAA
0040BBA9     |FC                      CLD
0040BBAA     F8                      CLC
0040BBAB      C1CA 0F                 ROR EDX,0F
0040BBAE      50                      PUSH EAX
.....

; // End of the outer loop (ESI counts down from 44; loop head 40BB8C). Once it
; // exits, the author places a hardware execution breakpoint at 40BC0C: the
; // protector wipes DR0-DR3 later (see 40A271), so the breakpoint is removed
; // again before that code runs.
0040BBFE      D3CF                    ROR EDI,CL
0040BC00      66:8BE8                 MOV BP,AX
0040BC03      83EE 01                 SUB ESI,1
0040BC06    ^ 0F85 80FFFFFF           JNZ Xie.0040BB8C                        ; // outer loop
0040BC0C     /EB 01                   JMP SHORT Xie.0040BC0F                  ; // hardware execution breakpoint here, F9, then remove the breakpoint
0040BC0E     |E8                      DB E8
0040BC0F     E9 02000000             JMP Xie.0040BC16
0040BC14      D3                      DB D3
0040BC15      C7                      DB C7
0040BC16      E8 00000000             CALL Xie.0040BC1B                        ; // CALL +0: get EIP
0040BC1B      5D                      POP EBP                                  ; // EBP = 40BC1B
0040BC1C      8BC5                    MOV EAX,EBP
0040BC1E      3B45 1E                 CMP EAX,DWORD PTR SS:[EBP+1E]            ; // compares EIP with a dword embedded in the code (at 40BC39)
0040BC21      7C 06                   JL SHORT Xie.0040BC29
0040BC23      0345 1E                 ADD EAX,DWORD PTR SS:[EBP+1E]
0040BC26      8945 1E                 MOV DWORD PTR SS:[EBP+1E],EAX            ; // patches that dword in place (code writes itself)
...

0040BC84   ?  83C4 04                 ADD ESP,4
0040BC87   ?  E8 26E1FFFF             CALL Xie.00409DB2                       ; // F7 (step into); second self-modifying routine

// 进入409DB2, SMC

; // Anti-debug: driver/device-name probe. Once 409DB2 has decrypted itself,
; // it writes a RETN at EBP + 401D07 = 409DB2 (one-shot, as at 40A49C) and
; // then walks the NUL-separated list at 409FBC (dumped below), calling
; // CreateFileA("\\.\NAME", GENERIC_READ|GENERIC_WRITE, ...) for each entry.
; // Those names are device objects registered by kernel debuggers and system
; // monitors (SoftICE/NTICE, TRW2000, SuperBPM, IceDump, Regmon, Filemon, ...).
; //   open fails  (EAX = -1, INC -> 0): fall through, CloseHandle(-1), next name
; //   open works  (device present)    : JNZ 409FB7 - that path is not shown,
; //                                     presumably the "debugger found" branch
; // The loop ends at the double NUL (JE 40A077).
00409F50      C6                      DB C6
00409F51      FF                      DB FF
00409F52    ^ 0F85 72FFFFFF           JNZ Xie.00409ECA                        ; // decryption loop (head 409ECA not shown)
00409F58      EB 01                   JMP SHORT Xie.00409F5B 
00409F5A     |74                      DB 74                                   ;  CHAR 't'
00409F5B     85EA                    TEST EDX,EBP
00409F5D      E8 80FBFFFF             CALL Xie.00409AE2                       ; // EBP = 80AB
00409F62      C685 071D4000 C3        MOV BYTE PTR SS:[EBP+401D07],0C3        ; // [409DB2] = RETN
00409F69      E8 00000000             CALL Xie.00409F6E                       ; // CALL +0: get EIP
00409F6E      5D                      POP EBP                                 ; // EBP = 409F6E
00409F6F      8BF5                    MOV ESI,EBP
00409F71      81ED C31E4000           SUB EBP,Xie.00401EC3                    ; // EBP = 80AB again (delta form)
00409F77      8DB5 111F4000           LEA ESI,DWORD PTR SS:[EBP+401F11]       ; // ESI = 409FBC, first device name
00409F7D      6A 00                   PUSH 0                                  ; // hTemplateFile
00409F7F      68 80000000             PUSH 80                                 ; // FILE_ATTRIBUTE_NORMAL
00409F84      6A 03                   PUSH 3                                  ; // OPEN_EXISTING
00409F86      6A 00                   PUSH 0                                  ; // lpSecurityAttributes
00409F88      6A 03                   PUSH 3                                  ; // FILE_SHARE_READ|FILE_SHARE_WRITE
00409F8A      68 000000C0             PUSH C0000000                           ; // GENERIC_READ|GENERIC_WRITE
00409F8F      56                      PUSH ESI                                ; // lpFileName = current "\\.\NAME"
00409F90      FF95 78194000           CALL DWORD PTR SS:[EBP+401978]          ; // CreateFileA
00409F96      40                      INC EAX                                 ; // INVALID_HANDLE_VALUE (-1) -> 0
00409F97      75 1E                   JNZ SHORT Xie.00409FB7                  ; // device opened -> off-page path
00409F99      90                      NOP
00409F9A      90                      NOP
00409F9B      90                      NOP
00409F9C      90                      NOP
00409F9D      48                      DEC EAX                                 ; // back to -1
00409F9E      50                      PUSH EAX
00409F9F      FF95 74194000           CALL DWORD PTR SS:[EBP+401974]          ; // CloseHandle(-1), harmless
00409FA5      46                      INC ESI
00409FA6      803E 00                 CMP BYTE PTR DS:[ESI],0                 ; // skip to the terminating NUL
00409FA9    ^ 75 FA                   JNZ SHORT Xie.00409FA5
00409FAB      46                      INC ESI
00409FAC      803E 00                 CMP BYTE PTR DS:[ESI],0                 ; // second NUL = end of list
00409FAF      0F84 C2000000           JE Xie.0040A077
00409FB5    ^ EB C6                   JMP SHORT Xie.00409F7D                  ; // next name


; // Device-name table consumed by the loop at 409F7D. Each entry is
; // "\\.\NAME" followed by a NUL (hex 5C 5C 2E 5C ... 00); the ASCII column
; // of this dump has lost one backslash per entry and shows NUL as '.'.
; // The list ends with a double NUL at 40A075, followed by the PUSHAD (60) of
; // the re-encryption stub at 40A077.
00409FBC  5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49  \.SICE.\.NTI
00409FCC  43 45 00 5C 5C 2E 5C 4E 54 49 43 45 37 38 37 31  CE.\.NTICE7871
00409FDC  00 5C 5C 2E 5C 4E 54 49 43 45 44 30 35 32 00 5C  .\.NTICED052.
00409FEC  5C 2E 5C 54 52 57 44 45 42 55 47 00 5C 5C 2E 5C  .TRWDEBUG.\.
00409FFC  54 52 57 00 5C 5C 2E 5C 54 52 57 32 30 30 30 00  TRW.\.TRW2000.
0040A00C  5C 5C 2E 5C 53 55 50 45 52 42 50 4D 00 5C 5C 2E  \.SUPERBPM.\.
0040A01C  5C 49 43 45 44 55 4D 50 00 5C 5C 2E 5C 52 45 47  ICEDUMP.\.REG
0040A02C  4D 4F 4E 00 5C 5C 2E 5C 46 49 4C 45 4D 4F 4E 00  MON.\.FILEMON.
0040A03C  5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E 5C 46  \.REGVXD.\.F
0040A04C  49 4C 45 56 58 44 00 5C 5C 2E 5C 56 4B 45 59 50  ILEVXD.\.VKEYP
0040A05C  52 4F 44 00 5C 5C 2E 5C 42 57 32 4B 00 5C 5C 2E  ROD.\.BW2K.\.
0040A06C  5C 53 49 57 44 45 42 55 47 00 00 60 E8 00 00 00  SIWDEBUG..`?..

; // Re-encryption stub, same shape as 40A4C7: ESI = 40A07D - 6 - 11A = 409F5D,
; // ECX = 11A/4 - 2 = 68, so dwords 409F5D..40A076 (the probe code above plus
; // the device-name table) are scrambled back in place, this time with
; // ROR 17 / XOR and an additive key step.
0040A077      60                      PUSHAD
0040A078      E8 00000000             CALL Xie.0040A07D                       ; // CALL +0: get EIP
0040A07D      5E                      POP ESI
0040A07E      83EE 06                 SUB ESI,6
0040A081      B9 1A010000             MOV ECX,11A                             ; // region length
0040A086      29CE                    SUB ESI,ECX                             ; // ESI = 409F5D
0040A088      BA 531E600D             MOV EDX,0D601E53                        ; // running key
0040A08D      C1E9 02                 SHR ECX,2
0040A090   >  83E9 02                 SUB ECX,2
0040A093   ?  83F9 00                 CMP ECX,0
0040A096   ?  7C 1A                   JL SHORT Xie.0040A0B2
0040A098   ?  8B048E                  MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040A09B   ?  8B5C8E 04               MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040A09F   ?  2BC3                    SUB EAX,EBX
0040A0A1   .  C1C8 17                 ROR EAX,17
0040A0A4      33C2                    XOR EAX,EDX
0040A0A6      81C2 F3E8C26C           ADD EDX,6CC2E8F3                        ; // advance key
0040A0AC      89048E                  MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040A0AF      49                      DEC ECX
0040A0B0    ^ EB E1                   JMP SHORT Xie.0040A093
0040A0B2      61                      POPAD
0040A0B3      61                      POPAD
0040A0B4      C3                      RETN                                    ; // return to 40BC8C



0040BC8C   ?  0F87 02000000           JA Xie.0040BC94
...

; // Inner loop tail (head 40BC95, not shown). The CALL 40A9A6 is stepped over
; // with F8 because that routine was already reduced to a RETN.
0040BCFC      F8                      DB F8
0040BCFD      81E8 FCFFFFFF           SUB EAX,-4                               ; // EAX += 4
0040BD03      76 03                   JBE SHORT Xie.0040BD08
0040BD05      77 01                   JA SHORT Xie.0040BD08                    ; // JBE/JA pair = unconditional jump over the junk byte
0040BD07      7B                      DB 7B                                    ;  CHAR '{'
0040BD08      E8 99ECFFFF             CALL Xie.0040A9A6                        ; // F8 (step over), it is just a RETN
0040BD0D     /E9 01000000             JMP Xie.0040BD13
0040BD12     |FC                      DB FC
0040BD13     4F                      DEC EDI
0040BD14    ^ 0F85 7BFFFFFF           JNZ Xie.0040BC95                         ; // inner loop
0040BD1A      EB 01                   JMP SHORT Xie.0040BD1D
...

; // Next inner loop exit and the third self-modifying call. The "get EIP /
; // CMP with [EBP+xx] / ADD / store back" sequence at 40BE4B-40BE56 is the
; // same self-patching idiom seen at 40BC1B.
0040BE36    ^ F85 70FFFFFF           JNZ Xie.0040BDAC                         ; // inner loop (dump reads "F85": JNZ rel32 encodes as 0F 85, the leading 0 was lost in the dump)
0040BE3C      EB 01                   JMP SHORT Xie.0040BE3F
0040BE3E     |73                      DB 73                                    ;  CHAR 's'
0040BE3F     E9 02000000             JMP Xie.0040BE46
0040BE44      D3FA                    SAR EDX,CL
0040BE46      E8 00000000             CALL Xie.0040BE4B                        ; // CALL +0: get EIP
0040BE4B      5D                      POP EBP                                  ; // EBP = 40BE4B
0040BE4C      8BC5                    MOV EAX,EBP
0040BE4E      3B45 1A                 CMP EAX,DWORD PTR SS:[EBP+1A]
0040BE51      7C 06                   JL SHORT Xie.0040BE59
0040BE53      0345 1A                 ADD EAX,DWORD PTR SS:[EBP+1A]
0040BE56      8945 1A                 MOV DWORD PTR SS:[EBP+1A],EAX            ; // patches the dword at 40BE65 in place
0040BE59      76 03                   JBE SHORT Xie.0040BE5E
0040BE5B      77 01                   JA SHORT Xie.0040BE5E                    ; // JBE/JA pair = unconditional jump
0040BE5D      E8                      DB E8
0040BE5E      E9 01000000             JMP Xie.0040BE64
0040BE63      F8                      DB F8
0040BE64      68 45BF4000             PUSH Xie.0040BF45
0040BE69      85DA                    TEST EDX,EBX
0040BE6B      5E                      POP ESI                                  ; // ESI = 40BF45 (PUSH/POP instead of MOV)
0040BE6C      50                      PUSH EAX
0040BE6D      E8 01000000             CALL Xie.0040BE73                        ; // CALL +1 over a junk byte
0040BE72      EB                      DB EB
0040BE73      58                      POP EAX                                  ; // discard pushed return address
0040BE74      58                      POP EAX                                  ; // restore EAX
0040BE75      E8 40E2FFFF             CALL Xie.0040A0BA                      ; // F7 (step into)


// 进入 40A0BA, SMC,

; // Anti-debug: hardware-breakpoint wipe. After the one-shot RETN is planted
; // at EBP + 40200F = 40A0BA, the routine fetches its own thread context,
; // zeroes the four dwords at CONTEXT+4 (Dr0..Dr3 in the x86 CONTEXT layout;
; // ContextFlags is at +0) and writes the context back. Any hardware execution
; // breakpoint the debugger had set is therefore gone after SetThreadContext -
; // which is why the author removes the breakpoint at 40BC0C beforehand. For
; // the write to take effect ContextFlags in the buffer at 401608 must include
; // CONTEXT_DEBUG_REGISTERS; that buffer is not shown here (confirm).
0040A252    ^ F85 6FFFFFFF           JNZ Xie.0040A1C7                       ; // decryption loop (dump reads "F85", should be 0F 85)
0040A258      76 03                   JBE SHORT Xie.0040A25D
0040A25A      77 01                   JA SHORT Xie.0040A25D                  ; // JBE/JA pair = unconditional jump
0040A25C      7B                      DB 7B                                  ;  CHAR '{'
0040A25D      E9 03000000             JMP Xie.0040A265
0040A265      E8 78F8FFFF             CALL Xie.00409AE2                      ; // EBP = 80AB
0040A26A      C685 0F204000 C3        MOV BYTE PTR SS:[EBP+40200F],0C3       ; // [40A0BA] = RETN (one-shot)
0040A271      FF95 BC194000           CALL DWORD PTR SS:[EBP+4019BC]         ;  KERNEL32.GetCurrentThread
0040A277      50                      PUSH EAX                               ; // hThread (pseudo-handle), kept for SetThreadContext
0040A278      8DB5 08164000           LEA ESI,DWORD PTR SS:[EBP+401608]      ; // pContext = 4096B3
0040A27E      56                      PUSH ESI                               ; // extra copy of pContext, popped into EDI below
0040A27F      56                      PUSH ESI                               ; // lpContext
0040A280      50                      PUSH EAX                               ; // hThread
0040A281      FF95 B4194000           CALL DWORD PTR SS:[EBP+4019B4]         ;  KERNEL32.GetThreadContext
0040A287      5F                      POP EDI                                ; // pContext
0040A288      83C7 04                 ADD EDI,4                              ; // skip ContextFlags -> &Dr0
0040A28B      2BC0                    SUB EAX,EAX
0040A28D      B9 04000000             MOV ECX,4
0040A292      F3:AB                   REP STOS DWORD PTR ES:[EDI]            ; // Dr0 = Dr1 = Dr2 = Dr3 = 0
0040A294      8DB5 08164000           LEA ESI,DWORD PTR SS:[EBP+401608]
0040A29A      58                      POP EAX                                ; // hThread
0040A29B      56                      PUSH ESI                               ; // lpContext
0040A29C      50                      PUSH EAX                               ; // hThread
0040A29D      FF95 B8194000           CALL DWORD PTR SS:[EBP+4019B8]         ;  KERNEL32.SetThreadContext (hardware breakpoints cleared)
; // Re-encryption stub: ESI = 40A2A9 - 6 - 3E = 40A265, ECX = 3E/4 - 2 = 13,
; // dwords 40A265..40A2A2 (the code above) are scrambled back in place.
0040A2A3      60                      PUSHAD
0040A2A4      E8 00000000             CALL Xie.0040A2A9                      ; // CALL +0: get EIP
0040A2A9      5E                      POP ESI
0040A2AA      83EE 06                 SUB ESI,6
0040A2AD      B9 3E000000             MOV ECX,3E                             ; // region length
0040A2B2      29CE                    SUB ESI,ECX                            ; // ESI = 40A265
0040A2B4      BA C6C766C4             MOV EDX,C466C7C6                       ; // running key
0040A2B9      C1E9 02                 SHR ECX,2
0040A2BC      83E9 02                 SUB ECX,2
0040A2BF      83F9 00                 CMP ECX,0
0040A2C2      7C 1A                   JL SHORT Xie.0040A2DE
0040A2C4      8B048E                  MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040A2C7      8B5C8E 04               MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040A2CB      33C3                    XOR EAX,EBX
0040A2CD      C1C0 0B                 ROL EAX,0B
0040A2D0      03C2                    ADD EAX,EDX
0040A2D2      81EA F2FB362A           SUB EDX,2A36FBF2                       ; // advance key
0040A2D8      89048E                  MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040A2DB      49                      DEC ECX
0040A2DC    ^ EB E1                   JMP SHORT Xie.0040A2BF
0040A2DE      61                      POPAD
0040A2DF      61                      POPAD
0040A2E0      C3                      RETN                           ; return to 40BE7A



; // Return point after the DR-register wipe; the JO/XCHG pair is dead filler
; // that the JMP at 40BE7A skips.
0040BE7A     /E9 04000000             JMP Xie.0040BE83
0040BE7F     |70 02                   JO SHORT Xie.0040BE83
0040BE81     |87D5                    XCHG EBP,EDX
0040BE83     BF F2E3D911             MOV EDI,11D9E3F2
0040BE88      EB 01                   JMP SHORT Xie.0040BE8B
...

; // Fourth self-modifying call (same CALL +1 / POP / POP idiom as 40BE6D).
0040BECA      73            DB 73                                    ;  CHAR 's'
0040BECB      58            POP EAX
0040BECC      58            POP EAX
0040BECD      E8 38E6FFFF   CALL Xie.0040A50A                        ; // F7 (step into)

// SMC 后

; // Decryption loop tail inside 40A50A (head 40A622 not shown).
0040A699      46            INC ESI
0040A69A      83C1 FF       ADD ECX,-1                                      ; // ECX-- (written as ADD -1)
0040A69D    ^ 0F85 7FFFFFFF JNZ Xie.0040A622                                ; // loop
....

; // Anti-debug: exception-delivery test. The author's note says EBP = 80A8
; // here, but every other site shows 80AB and 80AB + 40245F = 40A50A, the
; // routine called at 40BECD - so 80A8 is presumably a typo and, as before, a
; // RETN is planted at the routine's own entry. Bit 2 of the CS selector is
; // tested first; when it is set the INT 1 test is skipped entirely
; // (JNZ 40A721). Otherwise CALL 40A6DE pushes 40A6D0 as return address, and
; // 40A6DE uses that address as the SEH handler for the INT 1 below.
0040A6B5      E8 28F4FFFF   CALL Xie.00409AE2                       ; // EBP = 80A8 (author's note; see header, likely 80AB)
0040A6BA      C685 5F244000>MOV BYTE PTR SS:[EBP+40245F],0C3        ; // [EBP+40245F] = RETN (one-shot)
0040A6C1      8CC8          MOV AX,CS
0040A6C3      A8 04         TEST AL,4                               ; // bit 2 of the CS selector
0040A6C5      75 5A         JNZ SHORT Xie.0040A721                  ; // set -> skip the exception test
0040A6C7      90            NOP
0040A6C8      90            NOP
0040A6C9      90            NOP
0040A6CA      90            NOP
0040A6CB      E8 0E000000   CALL Xie.0040A6DE                       ; // F7 (step into); pushes 40A6D0 = the SEH handler address

// SEH Handle
; // SEH handler for the INT 1 at 40A6EC. [ESP+C] is the CONTEXT pointer;
; // CONTEXT.Eip (+B8) is advanced by 2 to step over the 2-byte "CD 01", and
; // EAX = 0 (ExceptionContinueExecution) resumes the thread at 40A6EE.
; // Under a debugger that swallows the exception this handler never runs,
; // which is what the check relies on; the author passes it with Shift+F9.
0040A6D0      8B5C24 0C     MOV EBX,DWORD PTR SS:[ESP+C]            ; // EBX = pContext
0040A6D4      8383 B8000000>ADD DWORD PTR DS:[EBX+B8],2             ; // pContext->Eip += 2
0040A6DB      33C0          XOR EAX,EAX                             ; // ExceptionContinueExecution
0040A6DD      C3            RETN                                    ; // thread resumes at 40A6EE


; // Install an SEH frame whose handler is the return address pushed by the
; // CALL at 40A6CB (40A6D0), then raise an exception on purpose with INT 1.
0040A6DE      64:67:FF36 00>PUSH DWORD PTR FS:[0]                   ; // previous SEH frame
0040A6E4      64:67:8926 00>MOV DWORD PTR FS:[0],ESP                ; // new frame: [next, handler=40A6D0]
0040A6EA      33C0          XOR EAX,EAX
0040A6EC      CD 01         INT 1                                   ; // faults in user mode (author: access-violation exception), handled at 40A6D0


; // Resume point written by the handler (Eip + 2). EAX is still 0 from
; // 40A6EA, so after two INCs it is 2 and the JNZ to 40A71B is taken.
0040A6EE      40            INC EAX                                 ; // execution resumes here
0040A6EF      40            INC EAX
0040A6F0      0BC0          OR EAX,EAX
0040A6F2      75 27         JNZ SHORT Xie.0040A71B

; // Unlink the SEH frame from 40A6DE, then the usual re-encryption stub:
; // ESI = 40A727 - 6 - 6C = 40A6B5, ECX = 6C/4 - 2 = 25, dwords 40A6B5..40A720
; // (the whole exception test) are scrambled back in place.
0040A71B      33C0          XOR EAX,EAX
0040A71D      64:8F00       POP DWORD PTR FS:[EAX]                  ; // restore fs:[0]
0040A720      58            POP EAX                                 ; // discard the handler address (40A6D0)
0040A721      60            PUSHAD
0040A722      E8 00000000   CALL Xie.0040A727                       ; // CALL +0: get EIP
0040A727      5E            POP ESI
0040A728      83EE 06       SUB ESI,6
0040A72B      B9 6C000000   MOV ECX,6C                              ; // region length
0040A730      29CE          SUB ESI,ECX                             ; // ESI = 40A6B5
0040A732      BA 9B6E7D33   MOV EDX,337D6E9B                        ; // running key
0040A737      C1E9 02       SHR ECX,2
0040A73A      83E9 02       SUB ECX,2
0040A73D      83F9 00       CMP ECX,0
0040A740      7C 1A         JL SHORT Xie.0040A75C
0040A742      8B048E        MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040A745      8B5C8E 04     MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040A749      33C3          XOR EAX,EBX
0040A74B      C1C8 01       ROR EAX,1
0040A74E      2BC2          SUB EAX,EDX
0040A750      81EA 83929507 SUB EDX,7959283                         ; // advance key
0040A756      89048E        MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040A759      49            DEC ECX
0040A75A    ^ EB E1         JMP SHORT Xie.0040A73D
0040A75C      61            POPAD
0040A75D      61            POPAD
0040A75E      C3            RETN                                   ; // return to 40BED2



; // Fifth self-modifying call. ROR EAX,1F is a rotate-left-by-1 in disguise.
0040BED2      D3CB          ROR EBX,CL
0040BED4      C1C8 1F       ROR EAX,1F
0040BED7      E8 01000000   CALL Xie.0040BEDD                      ; // CALL +1 over a junk byte
0040BEDD      83C4 04       ADD ESP,4                              ; // discard pushed return address
0040BEE0      E8 72F1FFFF   CALL Xie.0040B057                      ; // F7 (step into)



; // Entry of 40B057 before it decrypts itself (body elided by the author).
0040B057      60            PUSHAD
0040B058      87F7          XCHG EDI,ESI
0040B05A      85F7          TEST EDI,ESI
0040B05C      48            DEC EAX
...

; // Decryption loop tail inside 40B057 (head 40B164 not shown).
0040B1E8      58            POP EAX
0040B1E9      58            POP EAX
0040B1EA      47            INC EDI
0040B1EB      83C1 FF       ADD ECX,-1                                      ; // ECX--
0040B1EE    ^ 0F85 70FFFFFF JNZ Xie.0040B164                                ; // loop
0040B1F4      E8 01000000   CALL Xie.0040B1FA                               ; // CALL +1 over a junk byte

; // Anti-debug: window enumeration. After planting the one-shot RETN at
; // EBP + 402FAC = 40B057, the routine calls EnumWindows(callback, 0) with
; // the callback at EBP + 401A92 + 4 = 409B41. The callback is not shown;
; // presumably it inspects each top-level window (e.g. by class or title) for
; // debugger/monitor tools. Followed by the re-encryption stub:
; // ESI = 40B227 - 6 - 1F = 40B202, ECX = 1F/4 - 2 = 5, i.e. the EnumWindows
; // call sequence 40B202..40B220 is scrambled back in place.
0040B1FF      66:8BFD       MOV DI,BP
0040B202      E8 DBE8FFFF   CALL Xie.00409AE2                     ; // EBP = 80AB
0040B207      C685 AC2F4000>MOV BYTE PTR SS:[EBP+402FAC],0C3      ; // [40B057] = RETN (one-shot)
0040B20E      6A 00         PUSH 0                                ; // lParam
0040B210      B8 921A4000   MOV EAX,Xie.00401A92
0040B215      03C5          ADD EAX,EBP
0040B217      83C0 04       ADD EAX,4                             ; // EAX = 409B41 = lpEnumFunc
0040B21A      50            PUSH EAX
0040B21B      FF95 54194000 CALL DWORD PTR SS:[EBP+401954]        ; // EnumWindows
0040B221      60            PUSHAD
0040B222      E8 00000000   CALL Xie.0040B227                     ; // CALL +0: get EIP
0040B227      5E            POP ESI
0040B228      83EE 06       SUB ESI,6
0040B22B      B9 1F000000   MOV ECX,1F                            ; // region length
0040B230      29CE          SUB ESI,ECX                           ; // ESI = 40B202
0040B232      BA DCD35CD7   MOV EDX,D75CD3DC                      ; // running key
0040B237      C1E9 02       SHR ECX,2
0040B23A      83E9 02       SUB ECX,2
0040B23D      83F9 00       CMP ECX,0
0040B240      7C 1A         JL SHORT Xie.0040B25C
0040B242      8B048E        MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0040B245      8B5C8E 04     MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0040B249      2BC3          SUB EAX,EBX
0040B24B      C1C0 1D       ROL EAX,1D
0040B24E      33C2          XOR EAX,EDX
0040B250      81EA 0F8BD4BC SUB EDX,BCD48B0F                      ; // advance key
0040B256      89048E        MOV DWORD PTR DS:[ESI+ECX*4],EAX
0040B259      49            DEC ECX
0040B25A    ^ EB E1         JMP SHORT Xie.0040B23D
0040B25C      61            POPAD
0040B25D      61            POPAD
0040B25E      C3            RETN                                 ; // return to 40BEE5


; // Return point after the EnumWindows check (remainder elided by the author).
0040BEE5      F8            CLC
0040BEE6      66:D3ED       SHR BP,CL
0040BEE9      0346 04       ADD EAX,DWORD PTR DS:[ESI+4]
...

; // Outer loop tail (head 40BEAC, not shown).
0040BF2B   ?  83C4 04       ADD ESP,4
0040BF2E   ?  8BD3          MOV EDX,EBX
0040BF30   ?  66:D3CA       ROR DX,CL
0040BF33   ?  83C1 FF       ADD ECX,-1                          ; // ECX--
0040BF36   ?^ 0F85 70FFFFFF JNZ Xie.0040BEAC                    ; // outer loop
0040BF3C   ?  EB 01         JMP SHORT Xie.0040BF3F
...

; // Inner loop tail (head 40BFA0, not shown).
0040C021   ?  BF 6EB519AF           MOV EDI,AF19B56E
0040C026   ?  83C0 FF               ADD EAX,-1                  ; // EAX--
0040C029   ?^ 0F85 71FFFFFF         JNZ Xie.0040BFA0            ; // inner loop
0040C02F   .  50                    PUSH EAX
...
; // Last inner loop of the stub; after it the CALL 40ABDB is stepped over
; // (F8) and the POPAD at 40C150 restores the registers saved at the start of
; // the embedded-protect region, so the original program code is next.
0040C13A     /7A 01                 JPE SHORT Xie.0040C13D
0040C13C     |42                    INC EDX
0040C13D     49                    DEC ECX
0040C13E    ^ 0F85 65FFFFFF         JNZ Xie.0040C0A9            ; // inner loop
0040C144      7C 03                 JL SHORT Xie.0040C149
0040C146      7D 01                 JGE SHORT Xie.0040C149      ; // JL/JGE pair = unconditional jump
0040C149      E8 8DEAFFFF           CALL Xie.0040ABDB           ; // F8 (step over)
0040C14E      87C5                  XCHG EBP,EAX                ;  Xie.00409753
0040C150      61                    POPAD                       ; // registers of the protected program restored
0040C151      90                    NOP
0040C152      90                    NOP
0040C153      90                    NOP
...



// 最终到这里

40C2CD 用户代码开始, 计算注册码, 其中还有4个子函数未列, 大家自己练习
F1() 与 F3() 同为 0040C9DC, F2() 与 F4() 同为 0040C53C, 两组分别由 ECX 参数区分 (ECX=1 初始化, ECX=0 取下一个值)



; // The protected program's own serial routine (reached after the final
; // POPAD). Inputs visible here: [EBP-8] = user name, [EBP-4] = machine code
; // (author: C: volume label), [EBP+8] = output buffer. 0040C9DC and 0040C53C
; // are the two helpers the author calls F1/f3 and F2/f4; both are called with
; // ECX = 1 once (init) and then with ECX = 0 (next value); their bodies are
; // not on this page. Each iteration of the two loops produces one output
; // letter: a value is reduced modulo a table size, combined with a table
; // entry at 4C3120 and an input character, reduced modulo 26 (1A) and
; // offset by 41 ('A'). The MUL-by-constant / SHR sequences are the compiler's
; // magic-number form of unsigned division by a constant.
0040C2C9    90              NOP
0040C2CA    90              NOP
0040C2CB    90              NOP
0040C2CC    61              POPAD
0040C2CD    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]             ; // user name
0040C2D0    85C0            TEST EAX,EAX
0040C2D2    74 07           JE SHORT XieXieMa.0040C2DB               ; // NULL -> skip
0040C2D4    50              PUSH EAX
0040C2D5    E8 A7A10900     CALL XieXieMa.004A6481                   ; // uppercase
0040C2DA    59              POP ECX
0040C2DB    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]             ; // machine code (C: volume label)
0040C2DE    85C0            TEST EAX,EAX
0040C2E0    74 07           JE SHORT XieXieMa.0040C2E9               ; // NULL -> skip
0040C2E2    50              PUSH EAX
0040C2E3    E8 99A10900     CALL XieXieMa.004A6481                   ; // uppercase
0040C2E8    59              POP ECX
0040C2E9    33DB            XOR EBX,EBX
0040C2EB    B9 01000000     MOV ECX,1
0040C2F0    E8 E7060000     CALL XieXieMa.0040C9DC                   ; // F1() - 0040C9DC with ECX = 1 (init)
0040C2F5    B9 01000000     MOV ECX,1
0040C2FA    E8 3D020000     CALL XieXieMa.0040C53C                   ; // F2() - 0040C53C with ECX = 1 (init)
0040C2FF    BE 30000000     MOV ESI,30                               ; // running accumulator, starts at 30
0040C304    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]             ; // machine code
0040C307    85C0            TEST EAX,EAX
0040C309    0F84 D5000000   JE XieXieMa.0040C3E4                     ; // NULL -> skip first loop (EBX stays 0)
0040C30F    33C0            XOR EAX,EAX
0040C311    8B7D FC         MOV EDI,DWORD PTR SS:[EBP-4]
0040C314    8945 F4         MOV DWORD PTR SS:[EBP-C],EAX             ; // [EBP-C] = i = 0
0040C317    33C0            XOR EAX,EAX
0040C319    8A37            MOV DH,BYTE PTR DS:[EDI]                 ; // first character of the machine code
0040C31B    8BCF            MOV ECX,EDI
0040C31D    84F6            TEST DH,DH
0040C31F    74 08           JE SHORT XieXieMa.0040C329
0040C321    41              INC ECX                                  ; // inline strlen
0040C322    40              INC EAX
0040C323    8A11            MOV DL,BYTE PTR DS:[ECX]
0040C325    84D2            TEST DL,DL
0040C327  ^ 75 F8           JNZ SHORT XieXieMa.0040C321
0040C329    85C0            TEST EAX,EAX                             ; // EAX = length of the machine code
0040C32B    0F86 B3000000   JBE XieXieMa.0040C3E4                    ; // empty -> skip first loop
0040C331    895D E4         MOV DWORD PTR SS:[EBP-1C],EBX            ; // [EBP-1C] = 0, counts characters processed
0040C334    33C9            XOR ECX,ECX                              ; // loop head (see the previous write-up)
0040C336    E8 A1060000     CALL XieXieMa.0040C9DC                   ; // f3() - 0040C9DC with ECX = 0
0040C33B    8945 E0         MOV DWORD PTR SS:[EBP-20],EAX            ; // [EBP-20] = f3()
0040C33E    33C9            XOR ECX,ECX
0040C340    E8 F7010000     CALL XieXieMa.0040C53C                   ; // f4() - 0040C53C with ECX = 0
0040C345    8B55 FC         MOV EDX,DWORD PTR SS:[EBP-4]
0040C348    8B7D F4         MOV EDI,DWORD PTR SS:[EBP-C]             ; // EDI = i
0040C34B    0FBE1C3A        MOVSX EBX,BYTE PTR DS:[EDX+EDI]          ; // EBX = code[i] (sign-extended)
0040C34F    8BCF            MOV ECX,EDI
0040C351    0FAFC9          IMUL ECX,ECX
0040C354    03CE            ADD ECX,ESI                              ; // ECX = i * i + ESI
0040C356    8B55 E0         MOV EDX,DWORD PTR SS:[EBP-20]
0040C359    0FAFD0          IMUL EDX,EAX
0040C35C    03CA            ADD ECX,EDX                              ; // ECX += f3() * f4()
0040C35E    B8 9F12E429     MOV EAX,29E4129F                         ; // magic-number division of ECX by 37 (55) ...
0040C363    F7E1            MUL ECX
0040C365    8BC1            MOV EAX,ECX
0040C367    2BC2            SUB EAX,EDX
0040C369    D1E8            SHR EAX,1
0040C36B    03C2            ADD EAX,EDX
0040C36D    C1E8 05         SHR EAX,5                                ; // EAX = ECX / 37
0040C370    6BC0 37         IMUL EAX,EAX,37
0040C373    2BC8            SUB ECX,EAX                              ; // ECX = ECX mod 37 (table index)
0040C375    031C8D 20314C00 ADD EBX,DWORD PTR DS:[ECX*4+4C3120]      ; // EBX += table[ECX]
0040C37C    B8 4FECC44E     MOV EAX,4EC4EC4F                         ; // magic-number division of EBX by 1A (26)
0040C381    F7E3            MUL EBX
0040C383    C1EA 03         SHR EDX,3                                ; // EDX = EBX / 1A
0040C386    6BC2 1A         IMUL EAX,EDX,1A
0040C389    2BD8            SUB EBX,EAX                              ; // EBX = EBX mod 1A
0040C38B    80C3 41         ADD BL,41                                ; // + 'A' -> letter
0040C38E    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]             ; // output buffer
0040C391    33C9            XOR ECX,ECX
0040C393    881C07          MOV BYTE PTR DS:[EDI+EAX],BL             ; // one serial character per iteration: sn[i] = BL
0040C396    E8 41060000     CALL XieXieMa.0040C9DC                   ; // f3()
0040C39B    8BC8            MOV ECX,EAX
0040C39D    B8 C770B420     MOV EAX,20B470C7                         ; // magic-number division of ECX by a constant
0040C3A2    F7E1            MUL ECX
0040C3A4    2BCA            SUB ECX,EDX
0040C3A6    D1E9            SHR ECX,1
0040C3A8    03CA            ADD ECX,EDX
0040C3AA    C1E9 07         SHR ECX,7
0040C3AD    03F1            ADD ESI,ECX                              ; // ESI += quotient
0040C3AF    33C9            XOR ECX,ECX
0040C3B1    E8 86010000     CALL XieXieMa.0040C53C                   ; // f4()
0040C3B6    C1E8 03         SHR EAX,3
0040C3B9    2BF0            SUB ESI,EAX                              ; // ESI -= f4() / 8
0040C3BB    8B7D FC         MOV EDI,DWORD PTR SS:[EBP-4]
0040C3BE    FF45 E4         INC DWORD PTR SS:[EBP-1C]                ; // processed++
0040C3C1    FF45 F4         INC DWORD PTR SS:[EBP-C]                 ; // i++
0040C3C4    33C0            XOR EAX,EAX
0040C3C6    8A37            MOV DH,BYTE PTR DS:[EDI]                 ; // strlen again (the length is recomputed each pass)
0040C3C8    8BCF            MOV ECX,EDI
0040C3CA    84F6            TEST DH,DH
0040C3CC    74 08           JE SHORT XieXieMa.0040C3D6
0040C3CE    41              INC ECX
0040C3CF    40              INC EAX
0040C3D0    8A11            MOV DL,BYTE PTR DS:[ECX]
0040C3D2    84D2            TEST DL,DL
0040C3D4  ^ 75 F8           JNZ SHORT XieXieMa.0040C3CE
0040C3D6    8B55 F4         MOV EDX,DWORD PTR SS:[EBP-C]
0040C3D9    3BD0            CMP EDX,EAX
0040C3DB  ^ F82 53FFFFFF   JB XieXieMa.0040C334                     ; // loop tail: while (i < strlen(code)); dump reads "F82", JB rel32 encodes as 0F 82
0040C3E1    8B5D E4         MOV EBX,DWORD PTR SS:[EBP-1C]            ; // EBX = length of the machine code
0040C3E4    035D 08         ADD EBX,DWORD PTR SS:[EBP+8]             ; // EBX -> end of the serial so far
0040C3E7    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]             ; // user name
0040C3EA    85C0            TEST EAX,EAX
0040C3EC    C603 41         MOV BYTE PTR DS:[EBX],41                 ; // serial += "A"
0040C3EF    C643 01 58      MOV BYTE PTR DS:[EBX+1],58               ; // serial += "X"
0040C3F3   /0F84 C0000000   JE XieXieMa.0040C4B9                     ; // no user name -> finish
0040C3F9   |8BF8            MOV EDI,EAX                              ; // user name
0040C3FB   |33C0            XOR EAX,EAX
0040C3FD   |8A37            MOV DH,BYTE PTR DS:[EDI]
0040C3FF   |8BCF            MOV ECX,EDI
0040C401   |84F6            TEST DH,DH
0040C403   |74 08           JE SHORT XieXieMa.0040C40D
0040C405   |41              INC ECX                                  ; // inline strlen
0040C406   |40              INC EAX
0040C407   |8A11            MOV DL,BYTE PTR DS:[ECX]
0040C409   |84D2            TEST DL,DL
0040C40B  ^|75 F8           JNZ SHORT XieXieMa.0040C405
0040C40D   |83F8 02         CMP EAX,2                                ; // EAX = length of the user name (spaces included)
0040C410    0F82 A3000000   JB XieXieMa.0040C4B9                     ; // shorter than 2 -> not processed
0040C416    BF 08000000     MOV EDI,8                                ; // for (i = 8; i < 10; i++)
0040C41B    895D E4         MOV DWORD PTR SS:[EBP-1C],EBX            ; // save the address of the "AX" part of the serial
0040C41E    33C9            XOR ECX,ECX                              ; // loop head, same structure as the first loop
0040C420    E8 B7050000     CALL XieXieMa.0040C9DC                   ; // f3()
0040C425    8945 E0         MOV DWORD PTR SS:[EBP-20],EAX            ; // [EBP-20] = f3()
0040C428    33C9            XOR ECX,ECX
0040C42A    E8 0D010000     CALL XieXieMa.0040C53C                   ; // f4()
0040C42F    8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]             ; // user name
0040C432    0FBE5C3A F8     MOVSX EBX,BYTE PTR DS:[EDX+EDI-8]        ; // EBX = name[i-8]
0040C437    8BCF            MOV ECX,EDI
0040C439    0FAFC9          IMUL ECX,ECX
0040C43C    03CE            ADD ECX,ESI                              ; // ECX = i * i + ESI
0040C43E    8B55 E0         MOV EDX,DWORD PTR SS:[EBP-20]
0040C441    0FAFD0          IMUL EDX,EAX
0040C444    03CA            ADD ECX,EDX                              ; // ECX += f3() * f4()
0040C446    B8 9F12E429     MOV EAX,29E4129F                         ; // ECX mod 37, as above
0040C44B    F7E1            MUL ECX
0040C44D    8BC1            MOV EAX,ECX
0040C44F    2BC2            SUB EAX,EDX
0040C451    D1E8            SHR EAX,1
0040C453    03C2            ADD EAX,EDX
0040C455    C1E8 05         SHR EAX,5
0040C458    6BC0 37         IMUL EAX,EAX,37
0040C45B    2BC8            SUB ECX,EAX
0040C45D    B8 4FECC44E     MOV EAX,4EC4EC4F
0040C462    031C8D 20314C00 ADD EBX,DWORD PTR DS:[ECX*4+4C3120]      ; // EBX += table[ECX]
0040C469    33C9            XOR ECX,ECX
0040C46B    F7E3            MUL EBX                                  ; // EBX mod 1A, as above
0040C46D    C1EA 03         SHR EDX,3
0040C470    6BC2 1A         IMUL EAX,EDX,1A
0040C473    2BD8            SUB EBX,EAX
0040C475    80C3 41         ADD BL,41                                ; // + 'A'
0040C478    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0040C47B    881C07          MOV BYTE PTR DS:[EDI+EAX],BL             ; sn[i] = BL
0040C47E    E8 59050000     CALL XieXieMa.0040C9DC                   ; // f3()
0040C483    8BC8            MOV ECX,EAX
0040C485    B8 25499224     MOV EAX,24924925                         ; // different constant from the first loop
0040C48A    F7E1            MUL ECX
0040C48C    2BCA            SUB ECX,EDX
0040C48E    D1E9            SHR ECX,1
0040C490    03CA            ADD ECX,EDX
0040C492    C1E9 02         SHR ECX,2                                ; // different shift from the first loop
0040C495    03F1            ADD ESI,ECX                              ; // ESI += quotient
0040C497    33C9            XOR ECX,ECX
0040C499    E8 9E000000     CALL XieXieMa.0040C53C                   ; // f4()
0040C49E    8BD0            MOV EDX,EAX                              ; // this part also differs from the first loop
0040C4A0    B8 01FF00FF     MOV EAX,FF00FF01
0040C4A5    47              INC EDI                                  ; // i++
0040C4A6    F7E2            MUL EDX
0040C4A8    C1EA 08         SHR EDX,8
0040C4AB    2BF2            SUB ESI,EDX                              ; // ESI -= quotient
0040C4AD    83FF 0A         CMP EDI,0A                               ; // EDI < 0A ?
0040C4B0  ^ 0F8C 68FFFFFF   JL XieXieMa.0040C41E                     ; // loop tail
0040C4B6    8B5D E4         MOV EBX,DWORD PTR SS:[EBP-1C]            ; // address where "AX" was stored
0040C4B9    C643 02 00      MOV BYTE PTR DS:[EBX+2],0                ; // terminate the serial after two more characters; end of user code
; // "Embedded Protect" tail marker: the call through [4BB4C4] (the import
; // slot that resolves to user32.MessageBoxA at 43E75A below) with
; // (hWnd = -1, text = NULL, title = NULL, style = 4) is intercepted by the
; // protector; the bytes after the JMP at 40C4CC are encrypted and decode to
; // garbage instructions in this listing.
0040C4BD    60              PUSHAD                                   ; // start of the Embedded Protect tail
0040C4BE    6A 04           PUSH 4                                   
0040C4C0    6A 00           PUSH 0
0040C4C2    6A 00           PUSH 0
0040C4C4    6A FF           PUSH -1
0040C4C6    FF15 C4B44B00   CALL DWORD PTR DS:[4BB4C4]               ; // marker call into the protector (MessageBoxA import slot)
0040C4CC    EB 1E           JMP SHORT XieXieMa.0040C4EC
0040C4CE    97              XCHG EAX,EDI                             ; // from here: encrypted bytes, not real code
0040C4CF    C439            LES EDI,FWORD PTR DS:[ECX]                        
0040C4D1    D875 AF         FDIV DWORD PTR SS:[EBP-51]
0040C4D4    CD C3           INT 0C3
0040C4D6    7B DE           JPO SHORT XieXieMa.0040C4B6
0040C4D8    25 6D7DBD00     AND EAX,0BD7D6D
0040C4DD    0000            ADD BYTE PTR DS:[EAX],AL
0040C4DF    0000            ADD BYTE PTR DS:[EAX],AL
0040C4E1    0000            ADD BYTE PTR DS:[EAX],AL
0040C4E3    0000            ADD BYTE PTR DS:[EAX],AL
0040C4E5    0000            ADD BYTE PTR DS:[EAX],AL

第一个 Embedded Protect 终于结束了, 别飞鸡蛋, 我闪

上面整个代码段只在启动时求一次注册码, 不去管它.





用 OD 查 MessageBox, 发现 43E751, 441B22, 445926 也有 Embedded Protect,
里面同样有2个异常, 而且每走一步棋都要处理, 把它们给脱了.


0043E751   > /60                                                PUSHAD
0043E752   . |6A 05                                             PUSH 5                                   ; /Style = MB_RETRYCANCEL|MB_APPLMODAL
0043E754   . |6A 00                                             PUSH 0                                   ; |Title = NULL
0043E756   . |6A 00                                             PUSH 0                                   ; |Text = NULL
0043E758   . |6A FF                                             PUSH -1                                  ; |hOwner = FFFFFFFF
0043E75A   . |FF15 C4B44B00                                     CALL DWORD PTR DS:[<&user32.MessageBoxA>>; MessageBoxA
0043E760   . |61                                                POPAD
0043E761   . |60                                                PUSHAD
0043E762   . |60                                                PUSHAD
0043E763   . |42                                                INC EDX


用户代码应该在 43E75A + 322A = 441984  , 下硬件执行断点, F9

00440010      90                          NOP                   ; // INT3 异常, Shift + F9

0043FDA3      CD 01                       INT 1                 ; // 内存访问异常
0043FDA5      40                          INC EAX               ; // 异常处理完毕继续, F2, Shift + F9, 
                                                                ; // 断下, F2 取消断点, F9, 被硬件断点断下

00441983      61                          POPAD                                  
00441984      0FBE05 C0076300             MOVSX EAX,BYTE PTR DS:[6307C0]          ; // 用户代码从这里开始
0044198B      A2 54E45B00                 MOV BYTE PTR DS:[5BE454],AL
00441990      40                          INC EAX
00441991      0FBED0                      MOVSX EDX,AL
00441994      83FA 08                     CMP EDX,8
00441997      0F84 253E0000               JE X5.004457C2


00441AB3   .  75 0C                       JNZ SHORT X5.00441AC1
00441AB5      C780 60E45B00 00000000      MOV DWORD PTR DS:[EAX+5BE460],0
00441ABF      EB 13                       JMP SHORT X5.00441AD4
00441AC1      89B8 60E45B00               MOV DWORD PTR DS:[EAX+5BE460],EDI
00441AC7      8BBCD3 90DC4C00             MOV EDI,DWORD PTR DS:[EBX+EDX*8+4CDC90]
00441ACE      89B8 88E45B00               MOV DWORD PTR DS:[EAX+5BE488],EDI
00441AD4      83C0 2C                     ADD EAX,2C
00441AD7      42                          INC EDX
00441AD8      3BD1                        CMP EDX,ECX
00441ADA    ^ 7C CE                       JL SHORT X5.00441AAA                             ;// 用户代码到这里结束, 
00441ADC      60                          PUSHAD                                           ;// 把这句改成 JMP 441B0C, LordPE 上场
00441ADD      6A 04                       PUSH 4
00441ADF      6A 00                       PUSH 0
00441AE1      6A 00                       PUSH 0
00441AE3      6A FF                       PUSH -1
00441AE5      FF15 C4B44B00               CALL DWORD PTR DS:[<&user32.MessageBoxA>]        ;  X5.008F45C9
00441AEB      EB 1E                       JMP SHORT X5.00441B0B
00441AED      882491                      MOV BYTE PTR DS:[ECX+EDX*4],AH
00441ADC      60                          PUSHAD
00441ADD      6A 04                       PUSH 4
00441ADF      6A 00                       PUSH 0
00441AE1      6A 00                       PUSH 0
00441AE3      6A FF                       PUSH -1
00441AE5      FF15 C4B44B00               CALL DWORD PTR DS:[<&user32.MessageBoxA>]        ;  X5.008F45C9
00441AEB      EB 1E                       JMP SHORT X5.00441B0B
00441AED      882491                      MOV BYTE PTR DS:[ECX+EDX*4],AH
00441AF0      5B                          POP EBX
00441AF1      46                          INC ESI
00441AF2      DDB0 4B16CEF1               FSAVE (108-BYTEPTR DS:[EAX+F1CE164B]
00441AF8      66:F8                       CLC
00441AFA      C400                        LES EAX,FWORD PTR DS:[EAX]                       ;  Modification of segment register
00441AFC      0000                        ADD BYTE PTR DS:[EAX],AL
00441AFE      0000                        ADD BYTE PTR DS:[EAX],AL
00441B00      0000                        ADD BYTE PTR DS:[EAX],AL
00441B02      0000                        ADD BYTE PTR DS:[EAX],AL
00441B04      0000                        ADD BYTE PTR DS:[EAX],AL
00441B06      0000                        ADD BYTE PTR DS:[EAX],AL
00441B08      0000                        ADD BYTE PTR DS:[EAX],AL
00441B0A      00                          DB 00
00441B0B      61                          POPAD
00441B0C      C705 20DB5B00 00000000      MOV DWORD PTR DS:[5BDB20],0                     ; //  用户代码这里继续


用 LordPE 把 441980 - 441AFF Dump 出来, Size 180h
退出 OD , 用 Winhex 把这段代码粘回去, 再用 OD 载入
把 43E751 这句   PUSHAD  改成 JMP 441984


OK, 同样处理 441B22 

00441B0C   > C705 20DB5B00 0000000>MOV DWORD PTR DS:[5BDB20],0
00441B16   .  8B45 C8               MOV EAX,DWORD PTR SS:[EBP-38]
00441B19   .  83F8 02               CMP EAX,2
00441B1C   >  0F84 6A3C0000         JE X5.0044578C
00441B22   >  60                    PUSHAD
00441B23   .  6A 05                 PUSH 5                                   ; /Style = MB_RETRYCANCEL|MB_APPLMODAL
00441B25   .  6A 00                 PUSH 0                                   ; |Title = NULL
00441B27   .  6A 00                 PUSH 0                                   ; |Text = NULL
00441B29   .  6A FF                 PUSH -1                                  ; |hOwner = FFFFFFFF
00441B2B   .  FF15 C4B44B00         CALL DWORD PTR DS:[<&user32.MessageBoxA>>; MessageBoxA
00441B31   .  61                    POPAD

用户代码在  441B2B + 322A = 444D55, 下硬件执行断点, F9

00443174      CD 01         INT 1                      ; // 内存访问异常, Shift + F9

004433E1      90            NOP                        ; // Int3 异常  , shift + F9
004433E2      64:67:8F06 00>POP DWORD PTR FS:[0]       ; // 异常处理完毕继续, F2, Shift + F9
                                                       ; // 断下, F2 取消断点, F9

硬件执行断点

00444D54      61                    POPAD
00444D55      C705 A49A5D00 0000000>MOV DWORD PTR DS:[5D9AA4],0
00444D5F   ?  BF 0083FFFF           MOV EDI,FFFF8300
00444D64   .  BE 007D0000           MOV ESI,7D00


00444DFB      A3 58E45B00           MOV DWORD PTR DS:[5BE458],EAX
00444E00      8B45 C4               MOV EAX,DWORD PTR SS:[EBP-3C]
00444E03      85C0                  TEST EAX,EAX
00444E05      0F8E 4F080000         JLE X5.0044565A
00444E0B   ?  A1 087B4C00           MOV EAX,DWORD PTR DS:[4C7B08]
00444E10   ?  85C0                  TEST EAX,EAX
00444E12   .  74 0A                 JE SHORT X5.00444E1E
00444E14   .  C705 50E45B00 0000000>MOV DWORD PTR DS:[5BE450],0                ; // 用户代码结束
00444E1E   ?  60                    PUSHAD                                     ; // 这句改成 JMP 444E4E, LordPE
00444E1F   ?  6A 04                 PUSH 4
00444E21   .  6A 00                 PUSH 0
00444E23   ?  6A 00                 PUSH 0
00444E25   ?  6A FF                 PUSH -1
00444E27   ?  FF15 C4B44B00         CALL DWORD PTR DS:[<&user32.MessageBoxA>>  ;  X5.008F45C9
00444E2D   .  EB 1E                 JMP SHORT X5.00444E4D
00444E2F      B7 2D                 MOV BH,2D
00444E31      1D 460A3AD5           SBB EAX,D53A0A46
00444E36      8719                  XCHG DWORD PTR DS:[ECX],EBX
00444E38      0859 56               OR BYTE PTR DS:[ECX+56],BL
00444E3B   ?  7F 49                 JG SHORT X5.00444E86
00444E3D   ?  0000                  ADD BYTE PTR DS:[EAX],AL
00444E3F      0000                  ADD BYTE PTR DS:[EAX],AL
00444E41      0000                  ADD BYTE PTR DS:[EAX],AL
00444E43      0000                  ADD BYTE PTR DS:[EAX],AL
00444E45      0000                  ADD BYTE PTR DS:[EAX],AL
00444E47      0000                  ADD BYTE PTR DS:[EAX],AL
00444E49      0000                  ADD BYTE PTR DS:[EAX],AL
00444E4B      0000                  ADD BYTE PTR DS:[EAX],AL
00444E4D   >  61                    POPAD
00444E4E   .  33D2                  XOR EDX,EDX                               ; // 用户代码继续
00444E50   >  33C0                  XOR EAX,EAX

用 LordPE 把 444D50 - 444E3F Dump 出来, Size F0h
退出 OD , 用 Winhex 把这段代码粘回去, 再用 OD 载入
把 441B22 这句   PUSHAD  改成 JMP 444D55


接着处理 445926

00445926   > 60            PUSHAD
00445927   .  6A 05         PUSH 5                                   ; /Style = MB_RETRYCANCEL|MB_APPLMODAL
00445929   .  6A 00         PUSH 0                                   ; |Title = NULL
0044592B   .  6A 00         PUSH 0                                   ; |Text = NULL
0044592D   .  6A FF         PUSH -1                                  ; |hOwner = FFFFFFFF
0044592F   .  FF15 C4B44B00 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; MessageBoxA
00445935   .  61            POPAD

用户代码在 44592F + 322A = 448B59, 下硬件执行断点, F9

00446F78      CD 01         INT 1                      ; // 内存访问异常, Shift + F9

004471E5      90            NOP                        ; // INT3异常
004471E6      64:67:8F06 00>POP DWORD PTR FS:[0]       ; // 异常处理完毕继续, F2, Shift + F9
                                                       ; // 断下, F2 取消断点, F9


00448B50      90                    DB 90
00448B51      90                    DB 90
00448B52      90                    DB 90
00448B53      90                    DB 90
00448B54      90                    DB 90
00448B55      90                    DB 90
00448B56      90                    DB 90
00448B57      90                    DB 90
00448B58      61                    POPAD
00448B59      B9 A0175B00           MOV ECX,X5.005B17A0                     ; // 用户代码开始
00448B5E      FF35 C8076300         PUSH DWORD PTR DS:[6307C8]
00448B64      E8 23F6FEFF           CALL X5.0043818C
00448B69      A1 087B4C00           MOV EAX,DWORD PTR DS:[4C7B08]
00448B6E      85C0                  TEST EAX,EAX
00448B70      75 21                 JNZ SHORT X5.00448B93
00448B72      C705 E0524C00 0100000>MOV DWORD PTR DS:[4C52E0],1
00448B7C      A1 DC076300           MOV EAX,DWORD PTR DS:[6307DC]
00448B81      83F8 06               CMP EAX,6
00448B84      7E 0D                 JLE SHORT X5.00448B93
00448B86      8B5D E4               MOV EBX,DWORD PTR SS:[EBP-1C]
00448B89   ?  8B75 E8               MOV ESI,DWORD PTR SS:[EBP-18]
00448B8C   .  8B7D EC               MOV EDI,DWORD PTR SS:[EBP-14]
00448B8F   ?  8BE5                  MOV ESP,EBP
00448B91   .  5D                    POP EBP
00448B92   ?  C3                    RETN                                     ; // 用户代码结束
00448B93   ?  60                    PUSHAD                                   ; // 这句改成 JMP 448BC3, LordPE
00448B94   ?  6A 04                 PUSH 4
00448B96   .  6A 00                 PUSH 0
00448B98   .  6A 00                 PUSH 0
00448B9A   ?  6A FF                 PUSH -1
00448B9C   ?  FF15 C4B44B00         CALL DWORD PTR DS:[<&user32.MessageBoxA>>;  X5.008F45C9
00448BA2   .  EB 1E                 JMP SHORT X5.00448BC2
00448BA4      F0:58                 LOCK POP EAX                             ;  LOCK prefix is not allowed
00448BA6      CA 57D3               RETF 0D357                               ;  Far return
00448BA9      EB 13                 JMP SHORT X5.00448BBE
00448BAB      57                    PUSH EDI
00448BAC      CB                    RETF                                     ;  Far return
00448BAD    - E9 D0332619           JMP 196ABF82
00448BB2      0000                  ADD BYTE PTR DS:[EAX],AL
00448BB4      0000                  ADD BYTE PTR DS:[EAX],AL
00448BB6      0000                  ADD BYTE PTR DS:[EAX],AL
00448BB8      0000                  ADD BYTE PTR DS:[EAX],AL
00448BBA      0000                  ADD BYTE PTR DS:[EAX],AL
00448BBC      0000                  ADD BYTE PTR DS:[EAX],AL
00448BBE      0000                  ADD BYTE PTR DS:[EAX],AL
00448BC0      0000                  ADD BYTE PTR DS:[EAX],AL
00448BC2   >  61                    POPAD
00448BC3   .  8D4D F0               LEA ECX,DWORD PTR SS:[EBP-10]



用 LordPE 把 448B50 - 448BAF Dump 出来, Size 60h
退出 OD , 用 Winhex 把这段代码粘回去, 再用 OD 载入
把 445926 这句   PUSHAD  改成 JMP 448B59



不好意思, 把我自己的笔记都贴在这里了, 没有好好整理一下.