【软件名称】 天翼之链2.46客户端
用PEiD查看壳为:SVKP 1.3x -> Pavol Cerven
保护方式:SDK stolen code
设置:忽略全部异常,隐藏OD。
OD载入目标停在这里:
0057B000 I> 60 pushad ;停在这里
0057B001 E8 00000000 call InphaseN.0057B006
0057B006 5D pop ebp
0057B007 81ED 06000000 sub ebp,6
F9运行,发生异常,异常位置:
05DD1383 6285 120B0000 bound eax,qword ptr ss:[ebp+B12]
05DD1389 EB 02 jmp short 05DD138D
05DD138B 0FE88B D1EB02CD psubsb mm1,qword ptr ds:[ebx+CD02EB>
05DD1392 208B C2EB02CD and byte ptr ds:[ebx+CD02EBC2],cl
异常后对code段下断点.
Memory map, item 13
Address=00401000
Size=00135000 (983040.)
Owner=InphaseN 00400000
Section=
Contains=code
Type=Imag 01001002
Access=R
Initial access=RWE
下断后,SHIFT+F9这样来到了这里.
05DFDF98 8A06 mov al,byte ptr ds:[esi]
05DFDF9A 46 inc esi
05DFDF9B 47 inc edi
05DFDF9C 8843 0F mov byte ptr ds:[ebx+F],al
05DFDF9F 8A46 FF mov al,byte ptr ds:[esi-1]
05DFDFA2 55 push ebp
05DFDFA3 E8 00000000 call 05DFDFA8
05DFDFA8 5D pop ebp
05DFDFA9 81ED 0D470000 sub ebp,470D
05DFDFAF 8A8D 50030000 mov cl,byte ptr ss:[ebp+350]
05DFDFB5 5D pop ebp
05DFDFB6 32C1 xor al,cl
05DFDFB8 8847 FF mov byte ptr ds:[edi-1],al
05DFDFBB 8BC5 mov eax,ebp
05DFDFBD 4D dec ebp
05DFDFBE 85C0 test eax,eax
05DFDFC0 ^ 75 A4 jnz short 05DFDF66 ;这里跳回去循环解压代码
05DFDFC2 33C0 xor eax,eax
05DFDFC4 5D pop ebp
05DFDFC5 5F pop edi
05DFDFC6 5E pop esi
05DFDFC7 5B pop ebx
05DFDFC8 C2 1400 retn 14;直接在这里下F4
现在在12FFB0处下硬件访问断点(也就是hr 12ffb0)
第一次断这里:
0012FC40 60 PUSHAD
0012FC41 E8 03000000 CALL 0012FC49
……
0012FC54 E8 01000000 CALL 0012FC5A ;第二次
0012FC59 E8 E8020000 CALL 0012FF46
0012FC5E 00CD ADD CH,CL
0012FC60 2083 04240B83 AND BYTE PTR DS:[EBX+830B2404],AL
……
0012FCFB E8 00000000 CALL 0012FD00 ;第三次
0012FD00 5D POP EBP
0012FD01 E8 02000000 CALL 0012FD08
第三次中断后hd 12ffb0取消断点。再下tc ebp==12ffc0,回车,在这里断下:
05E3C517 55 push ebp
05E3C518 50 push eax
05E3C519 B8 A30E7B43 mov eax,437B0EA3
05E3C51E 294424 04 sub dword ptr ss:[esp+4],eax
05E3C522 E9 87010000 jmp 05E3C6AE;断在这里
05E3C527 0000 add byte ptr ds:[eax],al
05E3C529 0000 add byte ptr ds:[eax],al
05E3C52B 0000 add byte ptr ds:[eax],al
05E3C52D 0000 add byte ptr ds:[eax],al
05E3C52F 0000 add byte ptr ds:[eax],al
05E3C531 0000 add byte ptr ds:[eax],al
05E3C533 0000 add byte ptr ds:[eax],al
05E3C535 0000 add byte ptr ds:[eax],al
05E3C537 0000 add byte ptr ds:[eax],al
05E3C539 0000 add byte ptr ds:[eax],al
05E3C53B 0000 add byte ptr ds:[eax],al
05E3C53D 0000 add byte ptr ds:[eax],al
05E3C53F 0000 add byte ptr ds:[eax],al
05E3C541 0000 add byte ptr ds:[eax],al
05E3C543 0000 add byte ptr ds:[eax],al
05E3C545 0000 add byte ptr ds:[eax],al
05E3C547 0000 add byte ptr ds:[eax],al
05E3C549 0000 add byte ptr ds:[eax],al
05E3C54B 0000 add byte ptr ds:[eax],al
大部分的代码都copy过来,F7走
05E3C6AE 58 pop eax ◆这里典型的SVKP的代码,所以这里应该是push ebp
05E3C6AF 81ED A30E7B43 sub ebp,437B0EA3
05E3C6B5 E9 92060000 jmp 05E3CD4C
05E3CD4C 68 00000000 push 0
05E3CD51 68 00000000 push 0
05E3CD56 89C9 mov ecx,ecx
05E3CD58 50 push eax
05E3CD59 B8 A30E7B43 mov eax,437B0EA3
05E3CD5E 014424 04 add dword ptr ss:[esp+4],eax
05E3CD62 87DB xchg ebx,ebx
05E3CD64 58 pop eax
05E3CD65 58 pop eax
05E3CD66 ^ E9 38F4FFFF jmp 05E3C1A3
05E3C1A3 010424 add dword ptr ss:[esp],eax
05E3C1A6 58 pop eax
05E3C1A7 010424 add dword ptr ss:[esp],eax
05E3C1AA 5D pop ebp 0012FFC0
05E3C1AB 58 pop eax 05E3B491
05E3C1AC 68 ECF184BC push BC84F1EC
05E3C1B1 E9 7D0F0000 jmp 05E3D133
05E3D133 50 push eax
05E3D134 B8 A30E7B43 mov eax,437B0EA3
05E3D139 014424 04 add dword ptr ss:[esp+4],eax
05E3D13D 58 pop eax ; 05E3b491
05E3D13E 05 A30E7B43 add eax,437B0EA3
05E3D143 05 A30E7B43 add eax,437B0EA3
05E3D148 50 push eax
05E3D149 B8 A30E7B43 mov eax,437B0EA3
05E3D14E 290424 sub dword ptr ss:[esp],eax
05E3D151 ^ E9 60ECFFFF jmp 05E3BDB6
05E3BDB6 8B0424 mov eax,dword ptr ss:[esp]
05E3BDB9 ^ E9 19F7FFFF jmp 05E3B4D7
05E3B4D7 B8 A30E7B43 mov eax,437B0EA3
05E3B4DC E9 730F0000 jmp 05E3C454
05E3C454 290424 sub dword ptr ss:[esp],eax
05E3C457 8B0424 mov eax,dword ptr ss:[esp]
05E3C45A E9 7C060000 jmp 05E3CADB
05E3CADB 68 CDF184BC push BC84F1CD
05E3CAE0 50 push eax
05E3CAE1 B8 A30E7B43 mov eax,437B0EA3
05E3CAE6 ^ E9 8FF8FFFF jmp 05E3C37A
05E3C37A 014424 04 add dword ptr ss:[esp+4],eax
05E3C37E 58 pop eax ; 05E3B491
05E3C37F 58 pop eax
05E3C380 ^ E9 70F9FFFF jmp 05E3BCF5
05E3BCF5 014424 04 add dword ptr ss:[esp+4],eax
05E3BCF9 87C9 xchg ecx,ecx
05E3BCFB 58 pop eax
05E3BCFC 68 A2F55E79 push 795EF5A2
05E3BD01 87ED xchg ebp,ebp
05E3BD03 E9 13170000 jmp 05E3D41B
05E3D41B 05 A30E7B43 add eax,437B0EA3
05E3D420 ^ E9 49E9FFFF jmp 05E3BD6E
05E3BD6E 50 push eax
05E3BD6F B8 A30E7B43 mov eax,437B0EA3
05E3BD74 290424 sub dword ptr ss:[esp],eax
05E3BD77 E9 510E0000 jmp 05E3CBCD
05E3CBCD 8B0424 mov eax,dword ptr ss:[esp]
05E3CBD0 B8 A30E7B43 mov eax,437B0EA3
05E3CBD5 ^ E9 16FAFFFF jmp 05E3C5F0
05E3C5F0 014424 04 add dword ptr ss:[esp+4],eax
05E3C5F4 58 pop eax
05E3C5F5 05 A30E7B43 add eax,437B0EA3
05E3C5FA 50 push eax
05E3C5FB B8 A30E7B43 mov eax,437B0EA3
05E3C600 290424 sub dword ptr ss:[esp],eax
05E3C603 ^ E9 D9EFFFFF jmp 05E3B5E1
05E3B5E1 8B0424 mov eax,dword ptr ss:[esp]
05E3B5E4 68 00000000 push 0
05E3B5E9 E9 E30E0000 jmp 05E3C4D1
05E3C4D1 05 A30E7B43 add eax,437B0EA3
05E3C4D6 50 push eax
05E3C4D7 B8 A30E7B43 mov eax,437B0EA3
05E3C4DC 290424 sub dword ptr ss:[esp],eax
05E3C4DF E9 B9020000 jmp 05E3C79D
05E3C79D 8B0424 mov eax,dword ptr ss:[esp]
05E3C7A0 B8 A30E7B43 mov eax,437B0EA3
05E3C7A5 014424 04 add dword ptr ss:[esp+4],eax
05E3C7A9 58 pop eax
05E3C7AA ^ E9 5AF6FFFF jmp 05E3BE09
05E3BE09 58 pop eax
05E3BE0A 014424 04 add dword ptr ss:[esp+4],eax
05E3BE0E 58 pop eax
05E3BE0F ^ E9 8DF8FFFF jmp 05E3B6A1
05E3B6A1 68 E9B2D7BC push BCD7B2E9
05E3B6A6 50 push eax
05E3B6A7 E9 EB190000 jmp 05E3D097
05E3D097 68 00000000 push 0
05E3D09C B8 A30E7B43 mov eax,437B0EA3
05E3D0A1 ^ E9 04F3FFFF jmp 05E3C3AA
05E3C3AA 010424 add dword ptr ss:[esp],eax
05E3C3AD 58 pop eax
05E3C3AE 010424 add dword ptr ss:[esp],eax
05E3C3B1 E9 C5070000 jmp 05E3CB7B
05E3CB7B 58 pop eax
05E3CB7C 50 push eax
05E3CB7D 68 00000000 push 0
05E3CB82 87D2 xchg edx,edx
05E3CB84 50 push eax
05E3CB85 B8 A30E7B43 mov eax,437B0EA3
05E3CB8A 014424 04 add dword ptr ss:[esp+4],eax
05E3CB8E 58 pop eax
05E3CB8F 58 pop eax
05E3CB90 290424 sub dword ptr ss:[esp],eax
05E3CB93 ^ E9 8EFEFFFF jmp 05E3CA26
05E3CA26 8B0424 mov eax,dword ptr ss:[esp]
05E3CA29 B8 A30E7B43 mov eax,437B0EA3
05E3CA2E 89C0 mov eax,eax
05E3CA30 014424 04 add dword ptr ss:[esp+4],eax
05E3CA34 58 pop eax
05E3CA35 87C9 xchg ecx,ecx
05E3CA37 68 5DF184BC push BC84F15D
05E3CA3C E9 75020000 jmp 05E3CCB6
05E3CCB6 50 push eax
05E3CCB7 B8 A30E7B43 mov eax,437B0EA3
05E3CCBC 87C9 xchg ecx,ecx
05E3CCBE ^ E9 BCF9FFFF jmp 05E3C67F
05E3C67F 014424 04 add dword ptr ss:[esp+4],eax
05E3C683 58 pop eax
05E3C684 50 push eax
05E3C685 89E4 mov esp,esp
05E3C687 ^ E9 96F9FFFF jmp 05E3C022
05E3C022 68 00000000 push 0
05E3C027 50 push eax
05E3C028 ^ E9 B3FBFFFF jmp 05E3BBE0
05E3BBE0 B8 A30E7B43 mov eax,437B0EA3
05E3BBE5 014424 04 add dword ptr ss:[esp+4],eax
05E3BBE9 58 pop eax
05E3BBEA 58 pop eax
05E3BBEB ^ E9 25F9FFFF jmp 05E3B515
05E3B515 014424 04 add dword ptr ss:[esp+4],eax
05E3B519 58 pop eax
05E3B51A 58 pop eax
05E3B51B 64:FF35 00000000 push dword ptr fs:[0] ◆这里也是变形的,看它无端端来一个push fs:[0]也可以看到,肯定有动作.
05E3B522 E9 D0040000 jmp 05E3B9F7
05E3B9F7 290424 sub dword ptr ss:[esp],eax
05E3B9FA 58 pop eax EAX=437B0EA3
05E3B9FB 50 push eax ;分析结果,上面的是mov eax,fs:[0]
05E3B9FC 87DB xchg ebx,ebx
05E3B9FE E9 C3050000 jmp 05E3BFC6
05E3BFC6 68 5DF184BC push BC84F15D
05E3BFCB 50 push eax
05E3BFCC B8 A30E7B43 mov eax,437B0EA3
05E3BFD1 ^ E9 60FDFFFF jmp 05E3BD36
05E3BD36 014424 04 add dword ptr ss:[esp+4],eax
05E3BD3A E9 C1140000 jmp 05E3D200
05E3D200 58 pop eax
05E3D201 ^ E9 3FF9FFFF jmp 05E3CB45
05E3CB45 B8 A30E7B43 mov eax,437B0EA3
05E3CB4A 010424 add dword ptr ss:[esp],eax
05E3CB4D 58 pop eax
05E3CB4E 010424 add dword ptr ss:[esp],eax
05E3CB51 58 pop eax
05E3CB52 ^ E9 00F6FFFF jmp 05E3C157
05E3C157 50 push eax
05E3C158 68 00000000 push 0
05E3C15D E9 85050000 jmp 05E3C6E7
05E3C6E7 B8 A30E7B43 mov eax,437B0EA3
05E3C6EC 90 nop
05E3C6ED 010424 add dword ptr ss:[esp],eax
05E3C6F0 58 pop eax
05E3C6F1 010424 add dword ptr ss:[esp],eax
05E3C6F4 58 pop eax
05E3C6F5 05 A30E7B43 add eax,437B0EA3
05E3C6FA 05 A30E7B43 add eax,437B0EA3
05E3C6FF 50 push eax
05E3C700 B8 A30E7B43 mov eax,437B0EA3
05E3C705 ^ E9 24FDFFFF jmp 05E3C42E
05E3C42E 290424 sub dword ptr ss:[esp],eax
05E3C431 8B0424 mov eax,dword ptr ss:[esp]
05E3C434 B8 A30E7B43 mov eax,437B0EA3
05E3C439 E9 760E0000 jmp 05E3D2B4
05E3D2B4 290424 sub dword ptr ss:[esp],eax
05E3D2B7 8B0424 mov eax,dword ptr ss:[esp]
05E3D2BA 68 00000000 push 0
05E3D2BF 50 push eax
05E3D2C0 B8 A30E7B43 mov eax,437B0EA3
05E3D2C5 ^ E9 A7E3FFFF jmp 05E3B671
05E3B671 014424 04 add dword ptr ss:[esp+4],eax
05E3B675 58 pop eax
05E3B676 58 pop eax
05E3B677 290424 sub dword ptr ss:[esp],eax
05E3B67A 8B0424 mov eax,dword ptr ss:[esp]◆这里就是变形的push eax
05E3B67D E9 91080000 jmp 05E3BF13
05E3BF13 64:8925 00000000 mov dword ptr fs:[0],esp◆
05E3BF1A 83EC 68 sub esp,68◆
05E3BF1D 87F6 xchg esi,esi
05E3BF1F 50 push eax
05E3BF20 81C3 A30E7B43 add ebx,437B0EA3
05E3BF26 53 push ebx
05E3BF27 50 push eax
05E3BF28 B8 A30E7B43 mov eax,437B0EA3
05E3BF2D 294424 04 sub dword ptr ss:[esp+4],eax
05E3BF31 58 pop eax
05E3BF32 81EB A30E7B43 sub ebx,437B0EA3
05E3BF38 ^ E9 19F6FFFF jmp 05E3B556
05E3B556 68 00000000 push 0
05E3B55B 68 00000000 push 0
05E3B560 E9 B8120000 jmp 05E3C81D
05E3C81D 50 push eax
05E3C81E B8 A30E7B43 mov eax,437B0EA3
05E3C823 014424 04 add dword ptr ss:[esp+4],eax
05E3C827 58 pop eax
05E3C828 58 pop eax
05E3C829 010424 add dword ptr ss:[esp],eax
05E3C82C E9 C7060000 jmp 05E3CEF8
05E3CEF8 58 pop eax
05E3CEF9 010424 add dword ptr ss:[esp],eax
05E3CEFC 5B pop ebx
05E3CEFD 58 pop eax
05E3CEFE ^ E9 0AEAFFFF jmp 05E3B90D
05E3B90D 81C3 A30E7B43 add ebx,437B0EA3
05E3B913 53 push ebx
05E3B914 50 push eax
05E3B915 E9 50150000 jmp 05E3CE6A
05E3CE6A B8 A30E7B43 mov eax,437B0EA3
05E3CE6F 294424 04 sub dword ptr ss:[esp+4],eax
05E3CE73 E9 35000000 jmp 05E3CEAD
05E3CEAD 58 pop eax ; 0012FFE0
05E3CEAE 81EB A30E7B43 sub ebx,437B0EA3
05E3CEB4 05 A30E7B43 add eax,437B0EA3
05E3CEB9 05 A30E7B43 add eax,437B0EA3
05E3CEBE 50 push eax
05E3CEBF B8 A30E7B43 mov eax,437B0EA3
05E3CEC4 290424 sub dword ptr ss:[esp],eax
05E3CEC7 8B0424 mov eax,dword ptr ss:[esp]
05E3CECA B8 A30E7B43 mov eax,437B0EA3
05E3CECF ^ E9 80F7FFFF jmp 05E3C654
05E3C654 290424 sub dword ptr ss:[esp],eax
05E3C657 8B0424 mov eax,dword ptr ss:[esp]
05E3C65A 68 00000000 push 0
05E3C65F E9 CB0C0000 jmp 05E3D32F
05E3D32F 50 push eax
05E3D330 ^ E9 C8F5FFFF jmp 05E3C8FD
05E3C8FD B8 A30E7B43 mov eax,437B0EA3
05E3C902 ^ E9 A8EEFFFF jmp 05E3B7AF
05E3B7AF 014424 04 add dword ptr ss:[esp+4],eax
05E3B7B3 58 pop eax
05E3B7B4 58 pop eax
05E3B7B5 89ED mov ebp,ebp
05E3B7B7 E9 A80A0000 jmp 05E3C264
05E3C264 294424 04 sub dword ptr ss:[esp+4],eax
05E3C268 90 nop
05E3C269 58 pop eax
05E3C26A 89DB mov ebx,ebx
05E3C26C ^ E9 04F5FFFF jmp 05E3B775
05E3B775 50 push eax
05E3B776 81C3 A30E7B43 add ebx,437B0EA3
05E3B77C 53 push ebx
05E3B77D 50 push eax
05E3B77E E9 65000000 jmp 05E3B7E8
05E3B7E8 B8 A30E7B43 mov eax,437B0EA3
05E3B7ED 294424 04 sub dword ptr ss:[esp+4],eax
05E3B7F1 ^ E9 93FDFFFF jmp 05E3B589
05E3B589 58 pop eax ; 0012FFE0
05E3B58A E9 6C170000 jmp 05E3CCFB
05E3CCFB 81EB A30E7B43 sub ebx,437B0EA3
05E3CD01 68 461DF686 push 86F61D46
05E3CD06 68 00000000 push 0
05E3CD0B 50 push eax
05E3CD0C E9 80050000 jmp 05E3D291
05E3D291 B8 A30E7B43 MOV EAX,437B0EA3
05E3D296 ^ E9 10F6FFFF JMP 05E3C8AB
05E3C8AB 014424 04 add dword ptr ss:[esp+4],eax
05E3C8AF ^ E9 8AF5FFFF jmp 05E3BE3E
05E3BE3E 58 pop eax ; 0012FFE0
05E3BE3F 58 pop eax
05E3BE40 90 nop
05E3BE41 290424 sub dword ptr ss:[esp],eax
05E3BE44 E9 FA0F0000 jmp 05E3CE43
05E3CE43 58 POP EAX
05E3C72F 290424 SUB DWORD PTR SS:[ESP],EAX
05E3C0DC 5B POP EBX◆
05E3B8D4 58 pop eax ; 0012FFE0
05E3B8D5 50 push eax
05E3B8D6 E9 A6160000 jmp 05E3CF81
05E3CF81 56 push esi ◆ ; ntdll.77F51778
05E3BAC3 68 00000000 push 0
05E3BAC8 B8 A30E7B43 mov eax,437B0EA3
05E3BACD 010424 add dword ptr ss:[esp],eax
05E3BAD0 58 pop eax
05E3BAD1 E9 56010000 jmp 05E3BC2C
05E3BC2C 010424 add dword ptr ss:[esp],eax
05E3BC2F 5E pop esi
05E3BC30 58 pop eax
05E3BC31 ^ E9 08FFFFFF jmp 05E3BB3E
05E3BB3E 81C6 A30E7B43 add esi,437B0EA3
05E3BB44 81C6 A30E7B43 add esi,437B0EA3
05E3BB0E 56 push esi
05E3BB0F 50 push eax
05E3BB10 E9 B1120000 jmp 05E3CDC6
05E3CDC6 B8 A30E7B43 mov eax,437B0EA3
05E3CDCB 294424 04 sub dword ptr ss:[esp+4],eax
05E3CDCF 58 pop eax
05E3CDD0 90 nop
05E3D0EC 81EE A30E7B43 sub esi,437B0EA3
05E3D0F2 50 push eax
05E3D0F3 68 00000000 push 0
05E3D0F8 50 push eax
05E3D0F9 B8 A30E7B43 mov eax,437B0EA3
05E3D0FE 014424 04 add dword ptr ss:[esp+4],eax
05E3D102 58 pop eax
05E3D103 58 pop eax
05E3B816 294424 04 sub dword ptr ss:[esp+4],eax
05E3B81A 58 pop eax
05E3B81B 81EE A30E7B43 sub esi,437B0EA3
05E3B821 05 A30E7B43 add eax,437B0EA3
05E3B826 50 push eax
05E3B827 B8 A30E7B43 mov eax,437B0EA3
05E3B82C 290424 sub dword ptr ss:[esp],eax
05E3B82F 89ED mov ebp,ebp
05E3B831 8B0424 mov eax,dword ptr ss:[esp]
05E3B834 68 00000000 push 0
05E3B839 05 A30E7B43 add eax,437B0EA3
05E3B83E E9 AA110000 jmp 05E3C9ED
05E3C9ED 50 push eax
05E3C9EE B8 A30E7B43 mov eax,437B0EA3
05E3C9F3 290424 sub dword ptr ss:[esp],eax
05E3C9F6 8B0424 mov eax,dword ptr ss:[esp]
05E3C9F9 B8 A30E7B43 mov eax,437B0EA3
05E3BC9C 014424 04 add dword ptr ss:[esp+4],eax
05E3BCA0 58 pop eax
05E3BCA1 87F6 xchg esi,esi
05E3BCA3 E9 BB030000 jmp 05E3C063
05E3C063 58 pop eax
05E3C064 294424 04 sub dword ptr ss:[esp+4],eax
05E3C068 87E4 xchg esp,esp
05E3C06A 58 pop eax
05E3C06B 89E4 mov esp,esp
05E3C06D ^ E9 45F9FFFF jmp 05E3B9B7
05E3B9B7 81EE A30E7B43 sub esi,437B0EA3
05E3B9BD 05 A30E7B43 add eax,437B0EA3
05E3B9C2 50 push eax
05E3B97E B8 A30E7B43 mov eax,437B0EA3
05E3B983 290424 sub dword ptr ss:[esp],eax
05E3B986 87C9 xchg ecx,ecx
05E3B988 8B0424 mov eax,dword ptr ss:[esp]
05E3B98B 57 push edi
05E3B98C 68 5DF184BC push BC84F15D
05E3B991 50 push eax
05E3B992 B8 A30E7B43 mov eax,437B0EA3
05E3B997 ^ E9 ACFFFFFF jmp 05E3B948
05E3B948 014424 04 add dword ptr ss:[esp+4],eax
05E3B94C 58 pop eax
05E3B94D B8 A30E7B43 mov eax,437B0EA3
05E3B952 010424 add dword ptr ss:[esp],eax
05E3B955 58 pop eax
05E3C34F 010424 add dword ptr ss:[esp],eax
05E3C352 5F pop edi
05E3BA23 58 pop eax ; 0012FFE0
05E3BA24 57 push edi
05E3C0B1 50 push eax
05E3C0B2 68 00000000 push 0
05E3C0B7 E9 30130000 jmp 05E3D3EC ;这里静态分析感觉可疑
05E3D3EC B8 A30E7B43 mov eax,437B0EA3
05E3D3F1 010424 add dword ptr ss:[esp],eax
05E3D3F4 58 pop eax
05E3D3F5 89C0 mov eax,eax
05E3D3F7 ^ E9 AAFDFFFF jmp 05E3D1A6
05E3D1A6 010424 ADD DWORD PTR SS:[ESP],EAX
05E3C291 58 pop eax
05E3C292 ^ E9 A2F3FFFF jmp 05E3B639
05E3B639 50 push eax
05E3B63A 68 00000000 push 0 ??
05E3B5B8 50 push eax
05E3B5B9 B8 A30E7B43 mov eax,437B0EA3
05E3B5BE 014424 04 add dword ptr ss:[esp+4],eax
05E3B5C2 E9 B4110000 jmp 05E3C77B
05E3C77B 58 pop eax
05E3C77C 58 pop eax
05E3C77D E9 AF0A0000 jmp 05E3D231
05E3D231 290424 sub dword ptr ss:[esp],eax
05E3D234 ^ E9 C8F1FFFF jmp 05E3C401
05E3C401 8B0424 mov eax,dword ptr ss:[esp]
05E3C404 B8 A30E7B43 mov eax,437B0EA3
05E3C409 294424 04 sub dword ptr ss:[esp+4],eax
05E3C40D 58 pop eax
05E3C40E 05 A30E7B43 add eax,437B0EA3
05E3C413 89ED mov ebp,ebp
05E3C415 ^ E9 BBF2FFFF jmp 05E3B6D5
05E3B6D5 50 PUSH EAX
05E3BE8A B8 A30E7B43 mov eax,437B0EA3
05E3BE8F 290424 sub dword ptr ss:[esp],eax
05E3BE92 8B0424 mov eax,dword ptr ss:[esp]
05E3BE95 57 push edi◆
05E3BE96 68 A30E7B43 push 437B0EA3
05E3BE9B 50 push eax
05E3BE9C E9 E9140000 jmp 05E3D38A
05E3D38A B8 A30E7B43 mov eax,437B0EA3
05E3C2BF 014424 04 add dword ptr ss:[esp+4],eax
05E3C2C3 58 pop eax
05E3C2C4 B8 A30E7B43 mov eax,437B0EA3
05E3C2C9 290424 sub dword ptr ss:[esp],eax
05E3C2CC E9 F5060000 jmp 05E3C9C6
05E3C9C6 58 pop eax
05E3C9C7 290424 sub dword ptr ss:[esp],eax
05E3C9CA ^ E9 D1F5FFFF jmp 05E3BFA0
05E3BFA0 5F POP EDI
05E3BC7B 58 pop eax ; 0012FFE0
05E3BC7C 8965 E8 mov dword ptr ss:[ebp-18],esp◆
05E3BAA3 2BDB sub ebx,ebx◆
05E3CBFC 895D FC mov dword ptr ss:[ebp-4],ebx◆
05E3CBFF 68 4CE20979 push 7909E24C;这里静态没分析出来
05E3CC04 50 push eax
05E3CC05 B8 A30E7B43 mov eax,437B0EA3
05E3CC0A E9 38030000 jmp 05E3CF47
05E3CF47 014424 04 add dword ptr ss:[esp+4],eax
05E3CF4B 58 pop eax
05E3CF4C 50 push eax
05E3CF4D E9 83020000 jmp 05E3D1D5
05E3D1D5 68 00000000 push 0
05E3C495 50 push eax
05E3C496 B8 A30E7B43 mov eax,437B0EA3
05E3CFA7 014424 04 add dword ptr ss:[esp+4],eax
05E3CFAB 58 pop eax
05E3CFAC ^ E9 6BE7FFFF jmp 05E3B71C
05E3B71C 58 pop eax
05E3B71D 014424 04 add dword ptr ss:[esp+4],eax
05E3B721 58 pop eax
05E3B722 E9 24190000 jmp 05E3D04B
05E3D04B 50 push eax
05E3D04C 68 2AE30979 push 7909E32A
05E3D051 50 push eax
05E3D052 B8 A30E7B43 mov eax,437B0EA3
05E3D057 014424 04 add dword ptr ss:[esp+4],eax
05E3D05B 58 pop eax
05E3D05C 50 push eax
05E3D05D 68 00000000 push 0
05E3D062 50 push eax
05E3D063 89E4 mov esp,esp
05E3D065 B8 A30E7B43 mov eax,437B0EA3
05E3D06A ^ E9 44FAFFFF jmp 05E3CAB3
05E3CAB3 014424 04 add dword ptr ss:[esp+4],eax
05E3CAB7 E9 66050000 jmp 05E3D022
05E3D022 58 pop eax ; 0012FFE0
05E3D023 58 pop eax
05E3D024 014424 04 add dword ptr ss:[esp+4],eax
05E3D028 90 nop
05E3D029 58 pop eax
05E3D02A 58 pop eax
05E3D02B 014424 04 add dword ptr ss:[esp+4],eax
05E3D02F E9 BF020000 jmp 05E3D2F3
05E3D2F3 58 pop eax ; 0012FFE0
05E3D2F4 FF15 F8615300 call dword ptr ds:[5361F8]◆ ; msvcrt.__set_app_type
05E3D2FA 59 pop ecx◆
05E3D2FB 89ED mov ebp,ebp
05E3D2FD 830D 0C945700 FF or dword ptr ds:[57940C],FFFFFFFF◆
05E3D304 830D 10945700 FF or dword ptr ds:[579410],FFFFFFFF◆
05E3D30B FF15 F4615300 call dword ptr ds:[5361F4]◆ ; msvcrt.__p__fmode
05E3D311 ^ E9 C0F0FFFF jmp 05E3C3D6
05E3C3D6 8B0D 04945700 mov ecx,dword ptr ds:[579404]◆
05E3C3DC 8908 mov dword ptr ds:[eax],ecx◆
05E3C3DE FF15 F0615300 call dword ptr ds:[5361F0]◆ ; msvcrt.__p__commode
05E3C3E4 87F6 xchg esi,esi
05E3C3E6 ^ E9 28F2FFFF jmp 05E3B613
05E3B613 8B0D 00945700 mov ecx,dword ptr ds:[579400]◆;因为先静态,所以我从后向前,等下找出大概的再从前向后,这里就是最后几句了。
05E3B619 8908 mov dword ptr ds:[eax],ecx◆
05E3BBB7 A1 C8615300 mov eax,dword ptr ds:[5361C8]◆
05E3BBBC 8B00 mov eax,dword ptr ds:[eax]◆
05E3C8D6 A3 08945700 mov dword ptr ds:[579408],eax◆;最后所抽代码
05E3C8DB 68 61B4D7BC push BCD7B461
05E3C8E0 87C0 xchg eax,eax
05E3C8E2 ^ E9 02F5FFFF jmp 05E3BDE9;这一行开始是骗人的东东,也就是结束游戏时的动作。
05E3BDE9 05 A30E7B43 add eax,437B0EA3
05E3BDEE 89ED mov ebp,ebp
05E3BDF0 E9 34050000 jmp 05E3C329
05E3C329 50 push eax
05E3C32A B8 A30E7B43 mov eax,437B0EA3
05E3C32F 290424 sub dword ptr ss:[esp],eax
05E3C332 E9 E8070000 jmp 05E3CB1F
05E3CB1F 8B0424 mov eax,dword ptr ss:[esp]
05E3CB22 B8 A30E7B43 mov eax,437B0EA3
05E3CB27 ^ E9 49F4FFFF jmp 05E3BF75
05E3BF75 014424 04 add dword ptr ss:[esp+4],eax
05E3C871 58 pop eax
05E3C872 83C4 04 add esp,4
下一句直接跳入伪入口点
0052C304 . E8 22010000 call InphaseN.0052C42B
0052C309 . 391D 105F5600 cmp dword ptr ds:[565F10],ebx
0052C30F . 75 0C jnz short InphaseN.0052C31D
0052C311 . 68 28C45200 push InphaseN.0052C428
0052C316 . FF15 C4615300 call dword ptr ds:[5361C4] ; msvcrt.__setusermatherr
0052C31C . 59 pop ecx
0052C31D > E8 F4000000 call InphaseN.0052C416
0052C322 . 68 24E25500 push InphaseN.0055E224
0052C327 . 68 20E25500 push InphaseN.0055E220
0052C32C . E8 DF000000 call InphaseN.0052C410 ; jmp to msvcrt._initterm
初步静态结果:
; First-pass (static) reconstruction of the stolen-code prologue.
; Three immediates could not be recovered statically and are left as ??;
; the trace resolves them at 05E3BE0A (#1), 05E3CA29 (#2) and 05E3D02A (#3).
push ebp
MOV EBP,ESP
PUSH -1 ;recognisable from the usual VC CRT prologue (initial SEH try-level)
PUSH ?? ;unresolved #1 - recovered dynamically at 05E3BE0A
PUSH ?? ;unresolved #2 - recovered dynamically at 05E3CA29
MOV EAX,DWORD PTR FS:[0] ;current head of the SEH chain
PUSH EAX
mov dword ptr fs:[0],esp ;this frame becomes the new SEH chain head
sub esp,68
POP EBX ;NOTE(review): the trace shows pop ebx here, but with PUSH ESI / PUSH EDI following, push ebx is the consistent form (see the final listing) - confirm
PUSH ESI
PUSH EDI
mov dword ptr ss:[ebp-18],esp
sub ebx,ebx ;ebx = 0
mov dword ptr ss:[ebp-4],ebx ;try-level = 0
PUSH ?? ;unresolved #3 - recovered dynamically at 05E3D02A; argument of the call below
call dword ptr ds:[5361F8] ;msvcrt.__set_app_type (per the trace annotation)
pop ecx ;balances the one argument pushed above
or dword ptr ds:[57940C],FFFFFFFF
or dword ptr ds:[579410],FFFFFFFF
call dword ptr ds:[5361F4] ;msvcrt.__p__fmode
mov ecx,dword ptr ds:[579404]
mov dword ptr ds:[eax],ecx ;store through the pointer returned by __p__fmode
call dword ptr ds:[5361F0] ;msvcrt.__p__commode
mov ecx,dword ptr ds:[579400]
mov dword ptr ds:[eax],ecx ;store through the pointer returned by __p__commode
mov eax,dword ptr ds:[5361C8] ;import slot (not named in the trace)
mov eax,dword ptr ds:[eax]
mov dword ptr ds:[579408],eax ;last stolen instruction; execution then continues at 0052C304
现在动态解决这三个问题:
05E3BE09 58 pop eax
05E3BE0A 014424 04 add dword ptr ss:[esp+4],eax;第一处
05E3BE0E 58 pop eax
05E3BE0F ^ E9 8DF8FFFF jmp 05E3B6A1;到这里的时候看看堆栈
堆栈:
0012FFB8 005512E8 InphaseN.005512E8
0012FFBC 000000FF
.....
05E3CA29 B8 A30E7B43 mov eax,437B0EA3 ;第二处
05E3CA2E 89C0 mov eax,eax
05E3CA30 014424 04 add dword ptr ss:[esp+4],eax
05E3CA34 58 pop eax
堆栈:
0012FFB0 05E3B491
0012FFB4 0052C18C jmp to msvcrt._except_handler3
0012FFB8 005512E8 InphaseN.005512E8
......
05E3D028 90 nop
05E3D029 58 pop eax
05E3D02A 58 pop eax;第三处
堆栈:
0012FF30 00000070
0012FF34 0012FFE0
好了现在全部代码已经找到,在相关位置补上.
附正确代码
; Final reconstruction of the stolen-code prologue (VC-style CRT entry).
; The three immediates 005512E8, 0052C18C and 0012FFE0 were read from the
; stack during the trace, not derived statically; the code resumes at the
; original entry point continuation 0052C304 after the last instruction.
push ebp ;standard frame setup
MOV EBP,ESP
PUSH -1 ;initial SEH try-level (-1 = no active __try block)
PUSH 005512E8 ;scope table pointer (value seen at 0012FFB8 in the trace)
PUSH 0052C18C ;exception handler: jmp to msvcrt._except_handler3 (seen at 0012FFB4)
MOV EAX,DWORD PTR FS:[0] ;previous head of the SEH chain
PUSH EAX
mov dword ptr fs:[0],esp ;install this frame as the new SEH chain head
sub esp,68 ;0x68 bytes of locals
Push EBX ;the trace showed pop ebx at 05E3C0DC; push is the form consistent with the following PUSH ESI / PUSH EDI
PUSH ESI
PUSH EDI
mov dword ptr ss:[ebp-18],esp ;presumably the saved esp used by the SEH handler when unwinding - verify against a known VC CRT frame
sub ebx,ebx ;ebx = 0
mov dword ptr ss:[ebp-4],ebx ;try-level = 0
PUSH 0012FFE0 ;NOTE(review): argument to __set_app_type below; 0012FFE0 is a stack address observed in the debugger (the value popped repeatedly as "pop eax ; 0012FFE0" in the trace), whereas this call normally takes a small application-type constant - confirm before patching this immediate into the file
call dword ptr ds:[5361F8] ;msvcrt.__set_app_type (per the trace annotation)
pop ecx ;balances the one argument pushed above
or dword ptr ds:[57940C],FFFFFFFF ;two CRT globals set to -1
or dword ptr ds:[579410],FFFFFFFF
call dword ptr ds:[5361F4] ;msvcrt.__p__fmode
mov ecx,dword ptr ds:[579404]
mov dword ptr ds:[eax],ecx ;store [579404] through the pointer returned by __p__fmode
call dword ptr ds:[5361F0] ;msvcrt.__p__commode
mov ecx,dword ptr ds:[579400]
mov dword ptr ds:[eax],ecx ;store [579400] through the pointer returned by __p__commode
mov eax,dword ptr ds:[5361C8] ;import slot (not named in the trace); dereferenced once more below
mov eax,dword ptr ds:[eax]
mov dword ptr ds:[579408],eax ;last stolen instruction; the original code continues at 0052C304
:D :D :D
还辛苦啊,真累