I. Target: XX software packed with EncryptPE V2.2004.7.27
II. Tools: OllyDbg v1.10, ImportREC 1.6 Final
III. Author: DarkBull@email.com.cn
IV. Unpacking process:
1. Load it in OllyDbg. It warns that the program is a bad or unknown-format 32-bit executable; ignore that. The packer's run-time flow is roughly this: on the first run it creates V22004727.EPE in the system directory and loads that module. During initialization the module installs a system-wide hook with SetWindowsHookEx, then sends a message to Explorer.exe's Progman window so that the hook DLL gets injected into Explorer.exe. If the program is being debugged with OD, that hook calls TerminateProcess to kill the OD process. Finally the program calls the EncryptPE_Init function of V22004727.EPE, which sends a specific message to Explorer.exe's Progman; once the hook procedure catches that message, V22004727.EPE creates a new process and completes the decompression by calling a series of debug API functions. On the second run the hook is already injected into Explorer.exe, so the program itself skips the SetWindowsHookEx step, and we can debug it with OD.
2. OK! On the second load, the program stops here:
GraspNet.> 60 PUSHAD
009C0001 9C PUSHFD
009C0002 64:FF35 00>PUSH DWORD PTR FS:[0]
009C0009 E8 7A01000>CALL GraspNet.009C0188
Set a breakpoint with BP EncryptPE_Init. When it breaks, the code looks like this:
V2200472.> 55 PUSH EBP
711E39F9 8BEC MOV EBP,ESP
711E39FB 51 PUSH ECX
711E39FC E8 0100000>CALL V2200472.711E3A02 ; junk (obfuscation) instruction, step into with F7
711E3A01 EB 58 JMP SHORT V2200472.711E3A5B
711E3A03 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+40]
711E3A07 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
Continue until you reach this code:
711E3C2E 6A 01 PUSH 1 ; lParam=1
711E3C30 68 C81B000>PUSH 1BC8 ; wParam=1BC8
711E3C35 A1 0CDC1F7>MOV EAX,DWORD PTR DS:[711FDC0C]
711E3C3A 8B00 MOV EAX,DWORD PTR DS:[EAX]
711E3C3C 50 PUSH EAX ; MSG=IsDebuggerPresentExEdLl(=wfs=)32EXPLORER.EXE
711E3C3D A1 20DE1F7>MOV EAX,DWORD PTR DS:[711FDE20]
711E3C42 8B00 MOV EAX,DWORD PTR DS:[EAX]
711E3C44 50 PUSH EAX
711E3C45 E8 063DF4F>CALL V2200472.71127950 ; JMP to USER32.SendMessageA
711E3C4A EB 0A JMP SHORT V2200472.711E3C56
711E3C4C E8 FB7FFCF>CALL V2200472.711ABC4C
711E3C51 E8 3E81FCF>CALL V2200472.711ABD94
711E3C56 E8 E188FCF>CALL V2200472.711AC53C ; ExitProcess
This process has now finished its job; the new process has been created.
3. When the EncryptPE registration window appears, attach OD to explorer.exe and set HE WaitForDebugEvent. When it breaks, the stack is:
0166FD28 711B081C /CALL to WaitForDebugEvent from V2200472.711B0817
0166FD2C 0166FE8C |pDebugEvent = 0166FE8C
0166FD30 FFFFFFFF \Timeout = INFINITE
Note the contents at 0166FE8C:
0166FE8C 01 00 00 00 74 01 00 00 3C 07 00 00 03 00 00 80
0166FE9C 00 00 00 00 00 00 00 00 B7 F1 1A 71 03 00 00 00
Press F9 to run until the dword at 0166FEA4 becomes 711AC53A. Looking upward in the dump, you find:
0166FE4C 00 00 00 00 3B 00 00 00 23 00 00 00 23 00 00 00
0166FE5C 00 00 00 00 00 00 00 00 00 F0 FD 7F 04 03 FE 7F
0166FE6C B0 FF 12 00 38 2C 72 00 F0 FF 12 00 38 2C 72 00
0166FE7C 1B 00 00 00 86 02 00 00 C4 FF 12 00 23 00 00 00
OK, so the OEP is 00722C38.
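As an added illustration (not part of the original write-up), the two stack dumps of step 3 can be decoded with Python's struct module: the first is a 32-bit DEBUG_EVENT, whose ExceptionAddress field sits at base+0x18 (0166FEA4 here), and the second is the register slice of an x86 CONTEXT from SegGs onward, whose Eip (equal to Eax, as in a fresh process's initial thread context) is the OEP the packer hands to the child. The field layouts are the standard Win32 definitions; the function names are my own.

```python
import struct

# Bytes copied from the two OllyDbg stack dumps above (little-endian,
# 16 bytes per dump line). Layouts are the 32-bit Win32 structures.
DEBUG_EVENT_DUMP = bytes.fromhex(
    "01000000 74010000 3C070000 03000080"   # 0166FE8C
    "00000000 00000000 B7F11A71 03000000"   # 0166FE9C
)
CONTEXT_TAIL_DUMP = bytes.fromhex(
    "00000000 3B000000 23000000 23000000"   # 0166FE4C
    "00000000 00000000 00F0FD7F 0403FE7F"   # 0166FE5C
    "B0FF1200 382C7200 F0FF1200 382C7200"   # 0166FE6C
    "1B000000 86020000 C4FF1200 23000000"   # 0166FE7C
)

# DEBUG_EVENT header, then the EXCEPTION_RECORD inside EXCEPTION_DEBUG_INFO.
DEBUG_EVENT_FIELDS = ("dwDebugEventCode", "dwProcessId", "dwThreadId",
                      "ExceptionCode", "ExceptionFlags", "ExceptionRecord",
                      "ExceptionAddress", "NumberParameters")
EXCEPTION_DEBUG_EVENT = 1
EXCEPTION_BREAKPOINT = 0x80000003

# x86 CONTEXT fields from SegGs (offset 0x8C) through SegSs (offset 0xC8).
CONTEXT_TAIL_FIELDS = ("SegGs", "SegFs", "SegEs", "SegDs", "Edi", "Esi", "Ebx",
                       "Edx", "Ecx", "Eax", "Ebp", "Eip", "SegCs", "EFlags",
                       "Esp", "SegSs")


def parse_debug_event(buf, base):
    """Decode the first 32 bytes of a DEBUG_EVENT dumped at stack address base."""
    ev = dict(zip(DEBUG_EVENT_FIELDS, struct.unpack_from("<8I", buf, 0)))
    ev["ExceptionAddress_at"] = base + 0x18   # the dword OD shows at 0166FEA4
    ev["is_int3"] = (ev["dwDebugEventCode"] == EXCEPTION_DEBUG_EVENT
                     and ev["ExceptionCode"] == EXCEPTION_BREAKPOINT)
    return ev


def parse_context_tail(buf):
    """Decode the 64-byte register slice of a CONTEXT that starts at SegGs."""
    return dict(zip(CONTEXT_TAIL_FIELDS, struct.unpack("<16I", buf)))


def find_oep(ctx):
    """Initial thread context of a new process: Eax == Eip == entry point, Ebx == PEB."""
    if ctx["Eax"] != ctx["Eip"]:
        raise ValueError("not an initial-thread context")
    return ctx["Eip"]


if __name__ == "__main__":
    ev = parse_debug_event(DEBUG_EVENT_DUMP, 0x0166FE8C)
    print("pid=%#x tid=%#x code=%#x at %#x" % (ev["dwProcessId"], ev["dwThreadId"],
                                               ev["ExceptionCode"], ev["ExceptionAddress"]))
    print("OEP = %#010x" % find_oep(parse_context_tail(CONTEXT_TAIL_DUMP)))
```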
4. Dump the whole process and repair the IAT with ImportREC together with OD. Below is the key part of the encrypted-IAT handling (using CloseHandle as the example):
711AC910 /74 04 JE SHORT V2200472.711AC916
711AC912 |75 02 JNZ SHORT V2200472.711AC916
711AC914 |FF25 9C505>JMP NEAR DWORD PTR DS:[7453509C]
711AC91A 0375 01 ADD ESI,DWORD PTR SS:[EBP+1]
711AC91D E8 E845A7F>CALL 68C20F0A
711AC922 FF9C58 A35>CALL FAR FWORD PTR DS:[EAX+EBX*2+2006>
711AC929 71 74 JNO SHORT V2200472.711AC99F
711AC92B 04 75 ADD AL,75
711AC92D 02FF ADD BH,BH
711AC92F 15 E8BF000>ADC EAX,0BFE8
711AC934 0031 ADD BYTE PTR DS:[ECX],DH
711AC936 C0A0 85062>SHL BYTE PTR DS:[EAX+71200685],83
711AC93D F8 CLC
711AC93E 0075 36 ADD BYTE PTR SS:[EBP+36],DH
711AC941 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
711AC945 89C3 MOV EBX,EAX
711AC947 83C0 02 ADD EAX,2
711AC94A 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AC94C 8B00 MOV EAX,DWORD PTR DS:[EAX]
711AC94E 31D8 XOR EAX,EBX
711AC950 89C3 MOV EBX,EAX ; kernel32.CloseHandle
711AC952 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
711AC956 8B03 MOV EAX,DWORD PTR DS:[EBX]
711AC958 3C CC CMP AL,0CC ; breakpoint (INT3) check on the API's first bytes
711AC95A 74 14 JE SHORT V2200472.711AC970
711AC95C 80FC CC CMP AH,0CC
711AC95F 74 0F JE SHORT V2200472.711AC970
711AC961 C1E8 10 SHR EAX,10
711AC964 3C CC CMP AL,0CC
711AC966 74 08 JE SHORT V2200472.711AC970
711AC968 80FC CC CMP AH,0CC
711AC96B 74 03 JE SHORT V2200472.711AC970
711AC96D EB 08 JMP SHORT V2200472.711AC977
711AC96F - E9 C605850>JMP SHELL32.779FCF3A
711AC974 2071 01 AND BYTE PTR DS:[ECX+1],DH
711AC977 5B POP EBX
711AC978 58 POP EAX
711AC979 9D POPFD
711AC97A C3 RETN ; return to the function entry
5. Afterword: Mr. Lao Wang's EPEv2 is really impressive. A newbie like me studied it hard for many days and still only scratched the surface.