【Target】: N/A
【Tools】: OllyDbg 1.1 (DIY build), LordPE, ImportREC 1.6F
【Task】: analyse the packer
【Platform】: Windows XP SP2
【Author】: LOVEBOOM[DFCG][FCG][CUG]
【Related links】: N/A
【Brief description】: Legend has it that this packer is quite tough. Back when I had no time to analyse it I tried it a few times in OD and got killed, and afterwards I never found the time to look at it. Today I can finally fulfil my wish, lift its veil of mystery and see whether this packer is really as mysterious and as strong as claimed. To be honest, once I finished the analysis my first feeling was that I had been had: the author's packer-writing skill is the most in need of improvement that I have seen. Still, everything is easy to say and hard to do; maybe when I write one myself some day I will run into plenty of problems too. Aside: writing an analysis in Word is really inconvenient, the captured code looks a mess to me. But not using Word is awkward as well: the file is too long, a txt is inconvenient to open, and fixing the formatting of an html file is a hassle, so I had to pick a compromise.
Counting this packer, I am close to ten complete packer analyses; congratulations to myself, onward to 20. As for the other notes on this article: it is no longer the kind of step-by-step article that tells you to press F9 a few times and which keys to hit. If you only want to know how to unpack, then sorry, this article is not for you.
【Detailed process】:
The packer's protections:
This packer uses quite a lot of anti-debugging, which can roughly be divided into two parts: one part is anti-debugging shared against both OD and SoftICE, the other part targets SoftICE or OD specifically. Fortunately, its detection of OD is only average. The shared part is also the soul of this packer: it detects the debugger by timing differences, checking the elapsed time again and again (from another angle this is also where the packer fails: for anyone with a little experience the timing checks achieve little, they only degrade the packer's performance and waste CPU). The timing methods it uses are RDTSC, GetProcessTimes and GetTickCount. In the other part, the OD-specific detection mainly uses ZwQueryInformationProcess and IsDebuggerPresent, plus a multi-threading trick (multi-threading is not much of an obstacle for SoftICE). The SoftICE-specific checks are more numerous: the usual INT3 trick that wipes hardware breakpoints (note: this also works against OD, but has little effect), anti-single-step detection, a CreateFileA check (this one also checks for common debuggers and debugger-related tools such as TRW, IceDump and so on), and a ZwQuerySystemInformation check of driver names (it also checks for IceExt, which seems superfluous, since IceExt lets you choose a custom name at install time).
I analyse with OD myself, so the SoftICE checks are not important to me; what matters is the shared detection and the OD detection. OK, next let's analyse it step by step and find ways to get past the checks along the way. As in my earlier articles, I like to annotate statically in IDA, which makes things much easier to read.
Preparation:
Before starting the article you need a rough understanding of the packer, some knowledge of assembly and some familiarity with the debugging tools. After analysing it a few times I found that, like other packers, this one's junk instructions are basically generated by macros. Based on their characteristics I quickly wrote a simple script to remove the junk instructions. Since I was worried about affecting the program, it only does a simple pass and does not remove all of it, but it is already enough to make the code convenient to read; csdp.txt in the attachment is the junk-removal script. With the preparation done, we enter the analysis.
Load the target program in OD:
; ************** S U B R O U T I N E *****************************************
SDPI:0047A000
SDPI:0047A000 ; a pile of junk instructions right at the entry point
SDPI:0047A000
SDPI:0047A000 public start
SDPI:0047A000 start proc near
SDPI:0047A000
SDPI:0047A000 ; FUNCTION CHUNK AT SDPI:0047A022 SIZE 00000024 BYTES
SDPI:0047A000
SDPI:0047A000 jz short loc_47A009
SDPI:0047A002 jnz short loc_47A009
SDPI:0047A002 ; ----------------------------------------------------------------------------
SDPI:0047A004 a2gss db 19h,'2g梃'
SDPI:0047A009 ; ----------------------------------------------------------------------------
SDPI:0047A009
SDPI:0047A009 loc_47A009: ; CODE XREF: start j
SDPI:0047A009 ; start+2 j
SDPI:0047A009 jz short loc_47A02A
SDPI:0047A00B jnz short loc_47A02A
SDPI:0047A00B ; ----------------------------------------------------------------------------
SDPI:0047A00D db 0E8h ; ?
SDPI:0047A00E ; ----------------------------------------------------------------------------
SDPI:0047A00E
SDPI:0047A00E loc_47A00E: ; CODE XREF: SDPI:0047A04F j
SDPI:0047A00E ; SDPI:0047A051 j
SDPI:0047A00E push 0CD4439h
SDPI:0047A013 pop ecx
SDPI:0047A014 pushf
SDPI:0047A015 push eax
SDPI:0047A016 jz short loc_47A022
SDPI:0047A018 jnz short loc_47A022
SDPI:0047A018 ; ----------------------------------------------------------------------------
SDPI:0047A01A db 0E8h
SDPI:0047A01B ; ----------------------------------------------------------------------------
SDPI:0047A01B
SDPI:0047A01B loc_47A01B: ; CODE XREF: start:loc_47A022 p
SDPI:0047A01B pop ecx
As with ordinary protection packers, the start of the EP is mostly a big pile of junk instructions; this tests your unpacking stamina, and reading this article is the same, you need patience. Hmm, I'm digressing; let's keep following in.
SDPI:0047A3B4 call loc_47A3BA
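As an added example (not the author's csdp.txt script, which is not reproduced here), the Python cleaner below removes the two macro-generated idioms this listing shows: the "jz short X / jnz short X" pairs that both reach the same address, and the call / nop / pop eax / add eax, 11h / push eax / jmp API trampoline whose raw bytes appear at 0047A5D6 (E8 01 00 00 00 90 58 05 11 00 00 00 50 E9 ...). It assumes a raw copy of the code bytes plus their load address, and the sample bytes are constructed from the listing's addresses.

```python
import struct

NOP = 0x90


def _rel8(b: int) -> int:
    """Interpret one byte as a signed rel8 displacement."""
    return b - 0x100 if b >= 0x80 else b


def clean_jcc_pairs(code: bytearray) -> int:
    """Collapse 'jcc short X / jncc short X' (74 d1 75 d2, 70 d1 71 d2, ...) into
    'jmp short X / nop / nop' when both branches reach the same address.
    Rewrites in place and returns the number of pairs rewritten. There is no
    disassembler here, so run it over code ranges only, not over data."""
    count, i = 0, 0
    while i + 4 <= len(code):
        op1, d1, op2, d2 = code[i:i + 4]
        # short jcc opcodes are 70..7F; the complementary condition is op ^ 1
        same_target = i + 2 + _rel8(d1) == i + 4 + _rel8(d2)
        if 0x70 <= op1 <= 0x7F and op2 == op1 ^ 1 and same_target:
            code[i:i + 4] = bytes([0xEB, d1, NOP, NOP])   # jmp short X; nop; nop
            count += 1
            i += 4
        else:
            i += 1
    return count


# call $+6 / nop / pop eax / add eax, imm32 / push eax / jmp rel32
_TRAMP_HEAD = bytes.fromhex("E801000000" "90" "58" "05")


def clean_api_trampolines(code: bytearray, base: int) -> list:
    """Rewrite the packer's obfuscated API call (call-pop-add-push-jmp) into a
    plain 'call API' followed by NOPs up to the real return address.
    'pop eax' yields call_site+5 and 'add eax, imm' turns it into the return
    address call_site+5+imm (0x16 for imm=11h), which the API returns to.
    Returns a list of (call_site, api_target) virtual addresses."""
    found, i = [], 0
    while i + 18 <= len(code):
        if code[i:i + 8] != _TRAMP_HEAD:
            i += 1
            continue
        imm = struct.unpack_from("<I", code, i + 8)[0]
        ret_off = i + 5 + imm
        # push eax at i+12, jmp rel32 at i+13; the trampoline must end before ret
        if (code[i + 12] != 0x50 or code[i + 13] != 0xE9
                or imm < 13 or ret_off > len(code)):
            i += 1
            continue
        jmp_rel = struct.unpack_from("<i", code, i + 14)[0]
        api = base + i + 18 + jmp_rel            # jmp target = end of jmp + rel32
        call_rel = api - (base + i + 5)          # direct call from the same site
        code[i:i + 5] = b"\xE8" + struct.pack("<i", call_rel)
        code[i + 5:ret_off] = bytes([NOP]) * (ret_off - i - 5)
        found.append((base + i, api))
        i = ret_off
    return found


def demo():
    """Constructed samples. The trampoline bytes are those the listing shows at
    0047A5D6..0047A5ED (push 7 / call / nop / pop eax / add eax,11h / push eax /
    jmp / 4 nops); the jcc pairs are the jz/jnz at 0047A000 and the jo/jno at
    0047A4CE, with rel8 displacements derived from the listing's addresses."""
    tramp = bytearray.fromhex(
        "6A07" "E801000000" "90" "58" "0511000000" "50" "E928900000" "90909090")
    calls = clean_api_trampolines(tramp, 0x0047A5D6)
    pairs = bytearray.fromhex("74077505" "90" "700E710C")
    n_pairs = clean_jcc_pairs(pairs)
    return calls, tramp.hex(), n_pairs, pairs.hex()


if __name__ == "__main__":
    calls, tramp_hex, n_pairs, pairs_hex = demo()
    for site, api in calls:
        print(f"trampoline at {site:08X} -> direct call {api:08X}")
    print(tramp_hex, n_pairs, pairs_hex)
```

The rewritten trampoline becomes "call 00483612" at 0047A5D8 followed by NOPs up to 0047A5EE, the address the packer itself computed as the return point.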
SDPI:0047A3B9 nop
SDPI:0047A3BA
SDPI:0047A3BA loc_47A3BA: ; CODE XREF: SDPI:0047A3B4 p
SDPI:0047A3BA pop edx
SDPI:0047A3BB add edx, 9835h
SDPI:0047A3C1 call loc_47A3C7
SDPI:0047A3C6 nop
SDPI:0047A3C7
SDPI:0047A3C7 loc_47A3C7: ; CODE XREF: SDPI:0047A3C1 p
SDPI:0047A3C7 pop eax
SDPI:0047A3C8 add eax, 0FFFFFDE2h
SDPI:0047A3CD mov ecx, 10h
SDPI:0047A3D2 call De_Code ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047A3D2 ; decrypts code; the decryption start address is the
SDPI:0047A3D2 ; address of the instruction following this call
SDPI:0047A3D7 mov eax, 0
SDPI:0047A3DC push eax
SDPI:0047A3DD call loc_47A3E3 ; obfuscated call
SDPI:0047A3DD ; what this actually does is:
SDPI:0047A3DD ; push 0
SDPI:0047A3DD ; call 481a21
SDPI:0047A3E2 nop
SDPI:0047A3E3
SDPI:0047A3E3 loc_47A3E3: ; CODE XREF: SDPI:0047A3DD p
SDPI:0047A3E3 pop eax ; obfuscated call
SDPI:0047A3E3 ; what this actually does is:
SDPI:0047A3E3 ; push 0
SDPI:0047A3E3 ; call 481a21
SDPI:0047A3E4 add eax, 11h
SDPI:0047A3E9 push eax
SDPI:0047A3EA jmp Disposal_IMP ; jump to the first call that decrypts the packer's data
SDPI:0047A3EF ; ----------------------------------------------------------------------------
SDPI:0047A3EF nop
SDPI:0047A3F3 call loc_47A3F9
SDPI:0047A3F8 nop
SDPI:0047A3F9
SDPI:0047A3F9 loc_47A3F9: ; CODE XREF: SDPI:0047A3F3 p
SDPI:0047A3F9 pop eax
SDPI:0047A3FA add eax, 11h
SDPI:0047A3FF push eax
SDPI:0047A400 jmp loc_4813BB ; computes an MD5 value here; purpose unclear
SDPI:0047A405 ; ----------------------------------------------------------------------------
SDPI:0047A405 nop
SDPI:0047A406 nop
SDPI:0047A407 nop
SDPI:0047A408 nop
SDPI:0047A409 push 1
SDPI:0047A40B call loc_47A411
SDPI:0047A410 nop
SDPI:0047A411
SDPI:0047A411 loc_47A411: ; CODE XREF: SDPI:0047A40B p
SDPI:0047A411 pop eax
SDPI:0047A412 add eax, 11h
SDPI:0047A417 push eax
SDPI:0047A418 jmp Alloc_Sp_480825 ; push 1
SDPI:0047A418 ; call 480825
SDPI:0047A41D ; ----------------------------------------------------------------------------
SDPI:0047A41D nop
SDPI:0047A41E nop
SDPI:0047A41F nop
SDPI:0047A420 nop
SDPI:0047A421 call loc_47A427
SDPI:0047A426 nop
SDPI:0047A427
SDPI:0047A427 loc_47A427: ; CODE XREF: SDPI:0047A421 p
SDPI:0047A427 pop eax
SDPI:0047A428 add eax, 11h
SDPI:0047A42D push eax
SDPI:0047A42E jmp Get_Version
SDPI:0047A433 ; ----------------------------------------------------------------------------
SDPI:0047A433 nop
SDPI:0047A434 nop
SDPI:0047A435 nop
SDPI:0047A436 nop
SDPI:0047A437 cmp eax, 80000000h
SDPI:0047A43C jb isWinNT__47A4CE
SDPI:0047A442 sub esp, 8
SDPI:0047A445 sidt qword ptr [esp] ; on Win9x the value is above 80000000
SDPI:0047A449 mov eax, [esp+2]
SDPI:0047A44D mov cx, [eax+0Eh]
SDPI:0047A451 mov dx, [eax+6]
SDPI:0047A455 mov bx, [eax+1Eh]
SDPI:0047A459 add esp, 8
SDPI:0047A45C cmp cx, dx
SDPI:0047A45F jnz short loc_47A466
SDPI:0047A461 cmp bx, dx
SDPI:0047A464 jz short isWinNT__47A4CE
SDPI:0047A466
SDPI:0047A466 loc_47A466: ; CODE XREF: SDPI:0047A45F j
SDPI:0047A466 nop
SDPI:0047A467 nop
SDPI:0047A468 nop
SDPI:0047A469 nop
SDPI:0047A46A nop
SDPI:0047A46B call sub_47A471
SDPI:0047A470 nop
SDPI:0047A471
SDPI:0047A471 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A471
SDPI:0047A471
SDPI:0047A471 sub_47A471 proc near ; CODE XREF: SDPI:0047A46B p
SDPI:0047A471 pop eax
SDPI:0047A472 add eax, 5Eh
SDPI:0047A477 mov edx, eax
SDPI:0047A479 add edx, 32h
SDPI:0047A47C call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047A47C ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047A47C ; since it is just a simple xor, so the same routine serves
SDPI:0047A47C ; for both encryption and decryption
SDPI:0047A481 call sub_47A487
SDPI:0047A486 nop
SDPI:0047A486 sub_47A471 endp
SDPI:0047A486
SDPI:0047A487
SDPI:0047A487 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A487
SDPI:0047A487
SDPI:0047A487 sub_47A487 proc near ; CODE XREF: sub_47A471+10 p
SDPI:0047A487 pop eax
SDPI:0047A488 add eax, 4C16h
SDPI:0047A48D call sub_47A493
SDPI:0047A492 nop
SDPI:0047A492 sub_47A487 endp
SDPI:0047A492
SDPI:0047A493
SDPI:0047A493 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A493
SDPI:0047A493
SDPI:0047A493 sub_47A493 proc near ; CODE XREF: sub_47A487+6 p
SDPI:0047A493 pop ecx
SDPI:0047A494 add ecx, 4CB7h
SDPI:0047A49A push 0
SDPI:0047A49C push ecx
SDPI:0047A49D push eax
SDPI:0047A49E push 0
SDPI:0047A4A0 call sub_47A4A6
SDPI:0047A4A5 nop
SDPI:0047A4A5 sub_47A493 endp
SDPI:0047A4A5
SDPI:0047A4A6
SDPI:0047A4A6 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A4A6
SDPI:0047A4A6
SDPI:0047A4A6 sub_47A4A6 proc near ; CODE XREF: sub_47A493+D p
SDPI:0047A4A6 pop eax
SDPI:0047A4A7 add eax, 11h
SDPI:0047A4AC push eax
SDPI:0047A4AD jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047A4AD sub_47A4A6 endp ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047A4AD ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047A4B2 ; ----------------------------------------------------------------------------
SDPI:0047A4B2 nop
SDPI:0047A4B3 nop
SDPI:0047A4B4 nop
SDPI:0047A4B5 nop
SDPI:0047A4B6 push 7
SDPI:0047A4B8 call sub_47A4BE
SDPI:0047A4BD nop
SDPI:0047A4BE
SDPI:0047A4BE ; ************** S U B R O U T I N E *****************************************
SDPI:0047A4BE
SDPI:0047A4BE
SDPI:0047A4BE sub_47A4BE proc near ; CODE XREF: SDPI:0047A4B8 p
SDPI:0047A4BE pop eax
SDPI:0047A4BF add eax, 11h
SDPI:0047A4C4 push eax
SDPI:0047A4C5 jmp ExitProcess
SDPI:0047A4C5 sub_47A4BE endp
SDPI:0047A4C5
SDPI:0047A4CA ; ----------------------------------------------------------------------------
SDPI:0047A4CA nop
SDPI:0047A4CB nop
SDPI:0047A4CC nop
SDPI:0047A4CD nop
SDPI:0047A4CE
SDPI:0047A4CE isWinNT__47A4CE: ; CODE XREF: SDPI:0047A43C j
SDPI:0047A4CE ; SDPI:0047A464 j
SDPI:0047A4CE jo short loc_47A4DE
SDPI:0047A4D0 jno short loc_47A4DE
SDPI:0047A4D0 ; ----------------------------------------------------------------------------
SDPI:0047A4D2 db 0
SDPI:0047A4D3 db 10h
SDPI:0047A4D4 db 40h
SDPI:0047A4D5 db 0
SDPI:0047A4D6 db 0BFh ; ?
SDPI:0047A4D7 db 56h ; V
SDPI:0047A4D8 db 7Ch ; |
SDPI:0047A4D9 db 21h ; !
SDPI:0047A4DA db 76h ; v
SDPI:0047A4DB db 12h
SDPI:0047A4DC db 80h ;
SDPI:0047A4DD db 0Eh
SDPI:0047A4DE ; ----------------------------------------------------------------------------
SDPI:0047A4DE
SDPI:0047A4DE loc_47A4DE: ; CODE XREF: SDPI:isWinNT__47A4CE j
SDPI:0047A4DE ; SDPI:0047A4D0 j
SDPI:0047A4DE mov ecx, 769E3CF2h
SDPI:0047A4E3 call loc_47A4E9
SDPI:0047A4E8 nop
SDPI:0047A4E9
SDPI:0047A4E9 loc_47A4E9: ; CODE XREF: SDPI:0047A4E3 p
SDPI:0047A4E9 pop eax
SDPI:0047A4EA add eax, 5FEh
SDPI:0047A4EF call loc_47A4F5
SDPI:0047A4F4 nop
SDPI:0047A4F5
SDPI:0047A4F5 loc_47A4F5: ; CODE XREF: SDPI:0047A4EF p
SDPI:0047A4F5 pop edx
SDPI:0047A4F6 add edx, 8E3h
SDPI:0047A4FC call Crypt_Code ; re-encrypts the code that De_Code decrypted earlier
SDPI:0047A4FC ; the author is sneaky here: the computed MD5 value is used to
SDPI:0047A4FC ; encrypt it back, so if the code was modified the MD5 value is wrong
SDPI:0047A4FC ; first encryption address: 0047AAE6
SDPI:0047A501 push eax
SDPI:0047A502 xor eax, eax
SDPI:0047A504 call loc_47A50A
SDPI:0047A509 nop
SDPI:0047A50A
SDPI:0047A50A loc_47A50A: ; CODE XREF: SDPI:0047A504 p
SDPI:0047A50A pop edi
SDPI:0047A50B add edi, 61h
SDPI:0047A511 mov ebx, [edi]
SDPI:0047A513 mov edx, [edi+4]
SDPI:0047A516 jz short loc_47A522
SDPI:0047A518 jnz short loc_47A522
SDPI:0047A518 ; ----------------------------------------------------------------------------
SDPI:0047A51A dd 401000h
SDPI:0047A51E dd 9F7AB0Bh
SDPI:0047A522 ; ----------------------------------------------------------------------------
SDPI:0047A522
SDPI:0047A522 loc_47A522: ; CODE XREF: SDPI:0047A516 j
SDPI:0047A522 ; SDPI:0047A518 j
SDPI:0047A522 call loc_47A528
SDPI:0047A527 nop
SDPI:0047A528
SDPI:0047A528 loc_47A528: ; CODE XREF: SDPI:loc_47A522 p
SDPI:0047A528 pop esi
SDPI:0047A529 add esi, 59h
SDPI:0047A52F mov ecx, 3
SDPI:0047A534 jl short loc_47A53D
SDPI:0047A536
SDPI:0047A536 loc_47A536: ; CODE XREF: SDPI:loc_47A53D j
SDPI:0047A536 jmp short loc_47A53F
SDPI:0047A536 ; ----------------------------------------------------------------------------
SDPI:0047A538 db 0
SDPI:0047A539 db 10h
SDPI:0047A53A db 40h ; @
SDPI:0047A53B db 0
SDPI:0047A53C db 0E8h ; ?
SDPI:0047A53D ; ----------------------------------------------------------------------------
SDPI:0047A53D
SDPI:0047A53D loc_47A53D: ; CODE XREF: SDPI:0047A534 j
SDPI:0047A53D jz short loc_47A536
SDPI:0047A53F
SDPI:0047A53F loc_47A53F: ; CODE XREF: SDPI:loc_47A536 j
SDPI:0047A53F jb short loc_47A553
SDPI:0047A541 jnb short loc_47A553
SDPI:0047A541 ; ----------------------------------------------------------------------------
SDPI:0047A543 dd 401000h
SDPI:0047A547 dword_47A547 dd 72C303E8h ; CODE XREF: SDPI:0047A55A j
SDPI:0047A54B dd 19731Bh
SDPI:0047A54F dd 0E8004010h
SDPI:0047A553 ; ----------------------------------------------------------------------------
SDPI:0047A553
SDPI:0047A553 loc_47A553: ; CODE XREF: SDPI:loc_47A53F j
SDPI:0047A553 ; SDPI:0047A541 j
SDPI:0047A553 pushfw
SDPI:0047A555 push eax
SDPI:0047A556 xor eax, eax
SDPI:0047A558 cmp ebx, eax
SDPI:0047A55A jz short near ptr dword_47A547+1
SDPI:0047A55C call loc_47A566
SDPI:0047A55C ; ----------------------------------------------------------------------------
SDPI:0047A561 dd 401000h
SDPI:0047A565 db 0E8h ; ?
SDPI:0047A566 ; ----------------------------------------------------------------------------
SDPI:0047A566
SDPI:0047A566 loc_47A566: ; CODE XREF: SDPI:0047A55C p
SDPI:0047A566 pop eax
SDPI:0047A567 pop eax
SDPI:0047A568 popfw
SDPI:0047A56A rep movsw ; shit Junk code
SDPI:0047A56D call sub_47A5EE ; junk instructions here, to defeat single-stepping
SDPI:0047A56D ; after the movsw the bytes are actually EB 01 XX EB 03 XXXXXX
SDPI:0047A56D ;
SDPI:0047A572 call INT3_47a65E ; goes in to raise the CC exception and restores the junk instructions above
SDPI:0047A577 call near ptr 87B57Ch
SDPI:0047A57C mov al, 89h
SDPI:0047A57E pushf
SDPI:0047A57F add al, 0EBh
SDPI:0047A581 add [eax-6F6FFC15h], edx
SDPI:0047A587 nop
SDPI:0047A588 nop
SDPI:0047A589 nop
SDPI:0047A58A nop
SDPI:0047A58B call sub_47A591
SDPI:0047A590 nop
SDPI:0047A591
SDPI:0047A591 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A591
SDPI:0047A591
SDPI:0047A591 sub_47A591 proc near ; CODE XREF: SDPI:0047A58B p
SDPI:0047A591 pop eax
SDPI:0047A592 add eax, 5Eh
SDPI:0047A597 mov edx, eax
SDPI:0047A599 add edx, 32h
SDPI:0047A59C call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047A59C ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047A59C ; since it is just a simple xor, so the same routine serves
SDPI:0047A59C ; for both encryption and decryption
SDPI:0047A5A1 call sub_47A5A7
SDPI:0047A5A6 nop
SDPI:0047A5A6 sub_47A591 endp
SDPI:0047A5A6
SDPI:0047A5A7
SDPI:0047A5A7 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A5A7
SDPI:0047A5A7
SDPI:0047A5A7 sub_47A5A7 proc near ; CODE XREF: sub_47A591+10 p
SDPI:0047A5A7 pop eax
SDPI:0047A5A8 add eax, 4AF6h
SDPI:0047A5AD call sub_47A5B3
SDPI:0047A5B2 nop
SDPI:0047A5B2 sub_47A5A7 endp
SDPI:0047A5B2
SDPI:0047A5B3
SDPI:0047A5B3 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A5B3
SDPI:0047A5B3
SDPI:0047A5B3 sub_47A5B3 proc near ; CODE XREF: sub_47A5A7+6 p
SDPI:0047A5B3 pop ecx
SDPI:0047A5B4 add ecx, 4B97h
SDPI:0047A5BA push 0
SDPI:0047A5BC push ecx
SDPI:0047A5BD push eax
SDPI:0047A5BE push 0
SDPI:0047A5C0 call sub_47A5C6
SDPI:0047A5C5 nop
SDPI:0047A5C5 sub_47A5B3 endp
SDPI:0047A5C5
SDPI:0047A5C6
SDPI:0047A5C6 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A5C6
SDPI:0047A5C6
SDPI:0047A5C6 sub_47A5C6 proc near ; CODE XREF: sub_47A5B3+D p
SDPI:0047A5C6 pop eax
SDPI:0047A5C7 add eax, 11h
SDPI:0047A5CC push eax
SDPI:0047A5CD jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047A5CD sub_47A5C6 endp ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047A5CD ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047A5CD ; ----------------------------------------------------------------------------
SDPI:0047A5D2 db 90h ; ?
SDPI:0047A5D3 db 90h ; ?
SDPI:0047A5D4 db 90h ; ?
SDPI:0047A5D5 db 90h ; ?
SDPI:0047A5D6 db 6Ah ; j
SDPI:0047A5D7 db 7
SDPI:0047A5D8 db 0E8h ; ?
SDPI:0047A5D9 db 1
SDPI:0047A5DA db 0
SDPI:0047A5DB db 0
SDPI:0047A5DC db 0
SDPI:0047A5DD db 90h ; ?
SDPI:0047A5DE db 58h ; X
SDPI:0047A5DF db 5
SDPI:0047A5E0 db 11h
SDPI:0047A5E1 db 0
SDPI:0047A5E2 db 0
SDPI:0047A5E3 db 0
SDPI:0047A5E4 db 50h ; P
SDPI:0047A5E5 db 0E9h ; ?
SDPI:0047A5E6 db 28h ; (
SDPI:0047A5E7 db 90h ; ?
SDPI:0047A5E8 db 0
SDPI:0047A5E9 db 0
SDPI:0047A5EA db 90h ; ?
SDPI:0047A5EB db 90h ; ?
SDPI:0047A5EC db 90h ; ?
SDPI:0047A5ED db 90h ; ?
SDPI:0047A5EE
SDPI:0047A5EE ; ************** S U B R O U T I N E *****************************************
SDPI:0047A5EE
SDPI:0047A5EE
SDPI:0047A5EE sub_47A5EE proc near ; CODE XREF: SDPI:0047A56D p
SDPI:0047A5EE nop
SDPI:0047A5EF nop
SDPI:0047A5F0 nop
SDPI:0047A5F1 nop
SDPI:0047A5F2 nop
SDPI:0047A5F3 call sub_47A5F9
SDPI:0047A5F8 nop
SDPI:0047A5F8 sub_47A5EE endp
SDPI:0047A5F8
SDPI:0047A5F9
SDPI:0047A5F9 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A5F9
SDPI:0047A5F9
SDPI:0047A5F9 sub_47A5F9 proc near ; CODE XREF: sub_47A5EE+5 p
SDPI:0047A5F9 pop eax
SDPI:0047A5FA add eax, 5Eh
SDPI:0047A5FF mov edx, eax
SDPI:0047A601 add edx, 32h
SDPI:0047A604 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047A604 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047A604 ; since it is just a simple xor, so the same routine serves
SDPI:0047A604 ; for both encryption and decryption
SDPI:0047A609 call sub_47A60F
SDPI:0047A60E nop
SDPI:0047A60E sub_47A5F9 endp
SDPI:0047A60E
SDPI:0047A60F
SDPI:0047A60F ; ************** S U B R O U T I N E *****************************************
SDPI:0047A60F
SDPI:0047A60F
SDPI:0047A60F sub_47A60F proc near ; CODE XREF: sub_47A5F9+10 p
SDPI:0047A60F pop eax
SDPI:0047A610 add eax, 4A8Eh
SDPI:0047A615 call sub_47A61B
SDPI:0047A61A nop
SDPI:0047A61A sub_47A60F endp
SDPI:0047A61A
SDPI:0047A61B
SDPI:0047A61B ; ************** S U B R O U T I N E *****************************************
SDPI:0047A61B
SDPI:0047A61B
SDPI:0047A61B sub_47A61B proc near ; CODE XREF: sub_47A60F+6 p
SDPI:0047A61B pop ecx
SDPI:0047A61C add ecx, 4B2Fh
SDPI:0047A622 push 0
SDPI:0047A624 push ecx
SDPI:0047A625 push eax
SDPI:0047A626 push 0
SDPI:0047A628 call sub_47A62E
SDPI:0047A62D nop
SDPI:0047A62D sub_47A61B endp
SDPI:0047A62D
SDPI:0047A62E
SDPI:0047A62E ; ************** S U B R O U T I N E *****************************************
SDPI:0047A62E
SDPI:0047A62E
SDPI:0047A62E sub_47A62E proc near ; CODE XREF: sub_47A61B+D p
SDPI:0047A62E pop eax
SDPI:0047A62F add eax, 11h
SDPI:0047A634 push eax
SDPI:0047A635 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047A635 sub_47A62E endp ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047A635 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047A635 ; ----------------------------------------------------------------------------
SDPI:0047A63A db 90h ; ?
SDPI:0047A63B db 90h ; ?
SDPI:0047A63C db 90h ; ?
SDPI:0047A63E ; ----------------------------------------------------------------------------
SDPI:0047A63E push 7
SDPI:0047A640 call sub_47A646
SDPI:0047A645 nop
SDPI:0047A646
SDPI:0047A646 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A646
SDPI:0047A646
SDPI:0047A646 sub_47A646 proc near ; CODE XREF: SDPI:0047A640 p
SDPI:0047A646 pop eax
SDPI:0047A647 add eax, 11h
SDPI:0047A64C push eax
SDPI:0047A64D jmp ExitProcess
SDPI:0047A64D sub_47A646 endp
SDPI:0047A64D
SDPI:0047A64D ; ----------------------------------------------------------------------------
SDPI:0047A652 db 90h ; ?
SDPI:0047A653 db 90h ; ?
SDPI:0047A654 db 90h ; ?
SDPI:0047A655 db 90h ; ?
SDPI:0047A656 db 90h ; ?
SDPI:0047A657 db 90h ; ?
SDPI:0047A658 db 90h ; ?
SDPI:0047A659 db 90h ; ?
SDPI:0047A65E
SDPI:0047A65E INT3_47a65E: ; CODE XREF: SDPI:0047A572 p
SDPI:0047A65E call loc_47A664
SDPI:0047A663 nop
SDPI:0047A664
SDPI:0047A664 loc_47A664: ; CODE XREF: SDPI:INT3_47a65E p
SDPI:0047A664 pop edi
SDPI:0047A665 add edi, 0FFFFFF07h
SDPI:0047A66B mov [edi], ebx ; restore the earlier junk instructions
SDPI:0047A66D mov [edi+4], edx
SDPI:0047A670 pop eax
SDPI:0047A671 call loc_47A677
SDPI:0047A676 nop
SDPI:0047A677
SDPI:0047A677 loc_47A677: ; CODE XREF: SDPI:0047A671 p
SDPI:0047A677 pop eax
SDPI:0047A678 add eax, 124h
SDPI:0047A67D push eax
SDPI:0047A67E xor eax, eax
SDPI:0047A680 push dword ptr fs:[eax] ; install the SEH handler
SDPI:0047A683 mov fs:[eax], esp
SDPI:0047A686 mov ebp, 300EF1D3h
SDPI:0047A68B add ebp, 12345678h
SDPI:0047A691 mov ax, 17h
SDPI:0047A695 sub ax, 13h
SDPI:0047A699 jl short loc_47A6A2
SDPI:0047A69B
SDPI:0047A69B loc_47A69B: ; CODE XREF: SDPI:loc_47A6A2 j
SDPI:0047A69B jmp short loc_47A6A4
SDPI:0047A69B ; ----------------------------------------------------------------------------
SDPI:0047A69D db 0
SDPI:0047A69E db 10h
SDPI:0047A69F db 40h ; @
SDPI:0047A6A0 db 0
SDPI:0047A6A1 db 0E8h ; ?
SDPI:0047A6A2 ; ----------------------------------------------------------------------------
SDPI:0047A6A2
SDPI:0047A6A2 loc_47A6A2: ; CODE XREF: SDPI:0047A699 j
SDPI:0047A6A2 jz short loc_47A69B
SDPI:0047A6A4
SDPI:0047A6A4 loc_47A6A4: ; CODE XREF: SDPI:loc_47A69B j
SDPI:0047A6A4 jb short loc_47A6B8
SDPI:0047A6A6 jnb short loc_47A6B8
SDPI:0047A6A6 ; ----------------------------------------------------------------------------
SDPI:0047A6A8 dd 401000h
SDPI:0047A6AC dword_47A6AC dd 72C303E8h ; CODE XREF: SDPI:0047A6BF j
SDPI:0047A6B0 dd 19731Bh
SDPI:0047A6B4 dd 0E8004010h
SDPI:0047A6B8 ; ----------------------------------------------------------------------------
SDPI:0047A6B8
SDPI:0047A6B8 loc_47A6B8: ; CODE XREF: SDPI:loc_47A6A4 j
SDPI:0047A6B8 ; SDPI:0047A6A6 j
SDPI:0047A6B8 pushfw
SDPI:0047A6BA push eax
SDPI:0047A6BB xor eax, eax
SDPI:0047A6BD cmp ebx, eax
SDPI:0047A6BF jz short near ptr dword_47A6AC+1
SDPI:0047A6C1 call loc_47A6CB
SDPI:0047A6C1 ; ----------------------------------------------------------------------------
SDPI:0047A6C6 dd 401000h ; lots of junk code like this
SDPI:0047A6CA db 0E8h ; ?
SDPI:0047A6CB ; ----------------------------------------------------------------------------
SDPI:0047A6CB
SDPI:0047A6CB loc_47A6CB: ; CODE XREF: SDPI:0047A6C1 p
SDPI:0047A6CB pop eax
SDPI:0047A6CC pop eax
SDPI:0047A6CD popfw
SDPI:0047A6CF nop
SDPI:0047A6D0 nop
SDPI:0047A6D1 nop
SDPI:0047A6D2 nop
SDPI:0047A6D3 nop
SDPI:0047A6D4 int 3 ; Trap to Debugger
SDPI:0047A6D5 nop
SDPI:0047A6D6 cmp al, 4
SDPI:0047A6D8 jz short INT3_DONE_7A74B ; if al is not 4, it's over
SDPI:0047A6DA
SDPI:0047A6DA Over_47a6da: ; CODE XREF: SDPI:0047A764 j
SDPI:0047A6DA ; SDPI:0047A77C j ...
SDPI:0047A6DA nop ; same as the INT3 check earlier: shows the error message
SDPI:0047A6DB nop
SDPI:0047A6DC nop
SDPI:0047A6DD nop
SDPI:0047A6DE nop
SDPI:0047A6DF call loc_47A6E5
SDPI:0047A6E4 nop
SDPI:0047A6E5
SDPI:0047A6E5 loc_47A6E5: ; CODE XREF: SDPI:0047A6DF p
SDPI:0047A6E5 pop eax
SDPI:0047A6E6 add eax, 5Eh
SDPI:0047A6EB mov edx, eax
SDPI:0047A6ED add edx, 32h
SDPI:0047A6F0 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047A6F0 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047A6F0 ; since it is just a simple xor, so the same routine serves
SDPI:0047A6F0 ; for both encryption and decryption
SDPI:0047A6F5 call loc_47A6FB
SDPI:0047A6FA nop
SDPI:0047A6FB
SDPI:0047A6FB loc_47A6FB: ; CODE XREF: SDPI:0047A6F5 p
SDPI:0047A6FB pop eax
SDPI:0047A6FC add eax, 49A2h
SDPI:0047A701 call loc_47A707
SDPI:0047A706 nop
SDPI:0047A707
SDPI:0047A707 loc_47A707: ; CODE XREF: SDPI:0047A701 p
SDPI:0047A707 pop ecx
SDPI:0047A708 add ecx, 4A43h
SDPI:0047A70E push 0
SDPI:0047A710 push ecx
SDPI:0047A711 push eax
SDPI:0047A712 push 0
SDPI:0047A714 call loc_47A71A
SDPI:0047A719 nop
SDPI:0047A71A
SDPI:0047A71A loc_47A71A: ; CODE XREF: SDPI:0047A714 p
SDPI:0047A71A pop eax
SDPI:0047A71B add eax, 11h
SDPI:0047A720 push eax
SDPI:0047A721 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047A721 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047A721 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047A721 ; ----------------------------------------------------------------------------
SDPI:0047A726 db 90h ; ?
SDPI:0047A74B INT3_DONE_7A74B: ; CODE XREF: SDPI:0047A6D8 j
SDPI:0047A74B pop large dword ptr fs:0
SDPI:0047A752 add esp, 4
SDPI:0047A755 call loc_47A75B
SDPI:0047A75A nop
SDPI:0047A75B
SDPI:0047A75B loc_47A75B: ; CODE XREF: SDPI:0047A755 p
SDPI:0047A75B pop eax
SDPI:0047A75C add eax, 0FFFFFE1Dh
SDPI:0047A761 cmp byte ptr [eax], 0E9h ; the SEH handler changed this byte to 0E9, so check here whether it is 0E9
SDPI:0047A761 ; if not, it's over
SDPI:0047A764 jnz Over_47a6da ; same as the INT3 check earlier: shows the error message
SDPI:0047A76A mov byte ptr [eax], 0E8h ; restore the original code
SDPI:0047A76D rdtsc
SDPI:0047A76F mov ecx, eax
SDPI:0047A771 mov ebx, edx
SDPI:0047A773 rdtsc
SDPI:0047A775 sub eax, ecx
SDPI:0047A777 sbb edx, ebx
SDPI:0047A779 cmp edx, 0 ; a timing check follows the int3 immediately
SDPI:0047A77C jnz Over_47a6da ; same as the INT3 check earlier: shows the error message
SDPI:0047A782 cmp eax, 30000000h
SDPI:0047A787 ja Over_47a6da ; same as the INT3 check earlier: shows the error message
SDPI:0047A78D jz short Nodbg_47A7D8
SDPI:0047A78F jnz short Nodbg_47A7D8
SDPI:0047A78F ; ----------------------------------------------------------------------------
SDPI:0047A791 db 0E8h
SDPI:0047A792 db 0
SDPI:0047A793 db 10h
SDPI:0047A794 db 40h ; @
SDPI:0047A795 db 0
SDPI:0047A796 db 0B0h
SDPI:0047A797 db 89h ; ?
SDPI:0047A798 ; ----------------------------------------------------------------------------
SDPI:0047A798 pushf
SDPI:0047A798 ; ----------------------------------------------------------------------------
SDPI:0047A799 db 4
SDPI:0047A79A ; ----------------------------------------------------------------------------
SDPI:0047A79A mov eax, [esp+4] ; SEH handler
SDPI:0047A79E mov ecx, [esp+0Ch]
SDPI:0047A7A2 inc dword ptr [ecx+0B8h] ; reg[EIP]+1
SDPI:0047A7A8 mov eax, [eax]
SDPI:0047A7AA sub eax, 80000003h ; check whether this is the CC (breakpoint) exception
SDPI:0047A7AF jnz short locret_47A7D7
SDPI:0047A7B1 call sub_47A7B7
SDPI:0047A7B6 nop
SDPI:0047A7B7
SDPI:0047A7B7 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A7B7
SDPI:0047A7B7
SDPI:0047A7B7 sub_47A7B7 proc near ; CODE XREF: SDPI:0047A7B1 p
SDPI:0047A7B7 pop eax
SDPI:0047A7B8 add eax, 0FFFFFDC1h
SDPI:0047A7BD cmp byte ptr [eax], 0E8h ; check whether the byte at 0047A577 is 0E8; if not, it's over
SDPI:0047A7BD ; if it is, rewrite it to 0E9
SDPI:0047A7BD ;
SDPI:0047A7C0 jnz Over_47a6da ; same as the INT3 check earlier: shows the error message
SDPI:0047A7C6 mov byte ptr [eax], 0E9h
SDPI:0047A7C9 xor eax, eax
SDPI:0047A7CB mov [ecx+4], eax
SDPI:0047A7CE mov [ecx+8], eax
SDPI:0047A7D1 mov [ecx+0Ch], eax
SDPI:0047A7D4 mov [ecx+10h], eax
SDPI:0047A7D7
SDPI:0047A7D7 locret_47A7D7: ; CODE XREF: SDPI:0047A7AF j
SDPI:0047A7D7 retn
SDPI:0047A7D7 sub_47A7B7 endp ; sp = 4
SDPI:0047A7D7
SDPI:0047A7D8 ; ----------------------------------------------------------------------------
SDPI:0047A7D8
SDPI:0047A7D8 Nodbg_47A7D8: ; CODE XREF: SDPI:0047A78D j
SDPI:0047A7D8 ; SDPI:0047A78F j
SDPI:0047A7D8 pop eax
SDPI:0047A7D9 call Call_GetTickCount ; several GetTickCount calls start here to
SDPI:0047A7D9 ; detect the debugger; if you don't handle them properly you get killed easily :-)
SDPI:0047A7D9 ; ----------------------------------------------------------------------------
SDPI:0047A7DE dd 401000h
SDPI:0047A7E2 dd 15C56BEh
SDPI:0047A7E6 ; ----------------------------------------------------------------------------
SDPI:0047A7E6
SDPI:0047A7E6 junk_47a7e6: ; CODE XREF: SDPI:0047A9E4 p
SDPI:0047A7E6 pop ebp
SDPI:0047A7E7 pop eax
SDPI:0047A7E8 jmp loc_47A9E9
SDPI:0047A7ED ; ----------------------------------------------------------------------------
SDPI:0047A7ED mov ecx, 0FFFFFF00h
SDPI:0047A7F2 push fs
SDPI:0047A7F4 jz short loc_47A800
SDPI:0047A7F6 jnz short loc_47A800
SDPI:0047A7F6 ; ----------------------------------------------------------------------------
SDPI:0047A7F8 dd 401000h
SDPI:0047A7FC dd 49C89B0h
SDPI:0047A800 ; ----------------------------------------------------------------------------
SDPI:0047A800
SDPI:0047A800 loc_47A800: ; CODE XREF: SDPI:0047A7F4 j
SDPI:0047A800 ; SDPI:0047A7F6 j
SDPI:0047A800 pushfw
SDPI:0047A802 push eax
SDPI:0047A803 mov eax, ebx ; junk
SDPI:0047A805 push ebx
SDPI:0047A806 mov eax, ecx ; mov eax,-100
SDPI:0047A808 push eax
SDPI:0047A809 add eax, edx ; this is effectively mov eax,edx
SDPI:0047A809 ; sub eax,100
SDPI:0047A809 ; mov ebx,eax
SDPI:0047A80B mov ebx, eax
SDPI:0047A80D push ebx
SDPI:0047A80E pop eax
SDPI:0047A80F push edx
SDPI:0047A810 call loc_47A81D
SDPI:0047A810 ; ----------------------------------------------------------------------------
SDPI:0047A815 dd 401000h
SDPI:0047A819 dd 132BD7B0h
SDPI:0047A81D ; ----------------------------------------------------------------------------
SDPI:0047A81D
SDPI:0047A81D loc_47A81D: ; CODE XREF: SDPI:0047A810 p
SDPI:0047A81D pop eax
SDPI:0047A81E call loc_47A824
SDPI:0047A823 nop
SDPI:0047A824
SDPI:0047A824 loc_47A824: ; CODE XREF: SDPI:0047A81E p
SDPI:0047A824 pop eax
SDPI:0047A825 add eax, 11h
SDPI:0047A82A push eax
SDPI:0047A82B jmp GetTickCount
SDPI:0047A82B ; ----------------------------------------------------------------------------
SDPI:0047A830 db 90h ; ?
SDPI:0047A831 db 90h ; ?
SDPI:0047A832 db 90h ; ?
SDPI:0047A833 db 90h ; ?
SDPI:0047A834 ; ----------------------------------------------------------------------------
SDPI:0047A834 push eax
SDPI:0047A835 mov eax, edx
SDPI:0047A837 push eax
SDPI:0047A838 call loc_47A83E
SDPI:0047A83D nop
SDPI:0047A83E
SDPI:0047A83E loc_47A83E: ; CODE XREF: SDPI:0047A838 p
SDPI:0047A83E pop edx
SDPI:0047A83F add edx, 52h
SDPI:0047A845 push edx
SDPI:0047A846 add edx, 401846h
SDPI:0047A84C push edx
SDPI:0047A84D jo short loc_47A8A2
SDPI:0047A84F jno short loc_47A8A2
SDPI:0047A851
SDPI:0047A851 loc_47A851: ; CODE XREF: SDPI:0047A895 p
SDPI:0047A851 pop eax
SDPI:0047A852 pop ebx
SDPI:0047A853 call loc_47A859
SDPI:0047A858 nop
SDPI:0047A859
SDPI:0047A859 loc_47A859: ; CODE XREF: SDPI:0047A853 p
SDPI:0047A859 pop eax
SDPI:0047A85A add eax, 11h
SDPI:0047A85F push eax
SDPI:0047A860 jmp GetTickCount
SDPI:0047A860 ; ----------------------------------------------------------------------------
SDPI:0047A865 db 90h ; ?
SDPI:0047A866 db 90h ; ?
SDPI:0047A867 db 90h ; ?
SDPI:0047A868 db 90h ; ?
SDPI:0047A869 ; ----------------------------------------------------------------------------
SDPI:0047A869 pop ebx
SDPI:0047A86A add ebx, 1F4h ; ===========
SDPI:0047A86A ; watch out here: whenever the second time value is compared,
SDPI:0047A86A ; the first time value has already been put on the stack;
SDPI:0047A86A ; you can't jump over this one, jumping means it's over
SDPI:0047A870 sub ebx, eax
SDPI:0047A872 js short Over_47A8B6 ; because the packer uses obfuscated calls in many places,
SDPI:0047A872 ; it is not easy to split into modules
SDPI:0047A874 call loc_47A87A
SDPI:0047A879 nop
SDPI:0047A87A
SDPI:0047A87A loc_47A87A: ; CODE XREF: SDPI:0047A874 p
SDPI:0047A87A pop ebx
SDPI:0047A87B add ebx, 0A5h
SDPI:0047A881 push ebx
SDPI:0047A882 call sub_47A8AC
SDPI:0047A887 add [eax], dl
SDPI:0047A889 inc eax
SDPI:0047A88A add [eax+58058C88h], dh
SDPI:0047A890 mov edx, eax
SDPI:0047A892 mov eax, ebx
SDPI:0047A894 push eax
SDPI:0047A895 call loc_47A851
SDPI:0047A89A add [eax], dl
SDPI:0047A89C inc eax
SDPI:0047A89D add [ecx], bh
SDPI:0047A89D ; ----------------------------------------------------------------------------
SDPI:0047A89F db 36h ; 6
SDPI:0047A8A0 db 83h ; ?
SDPI:0047A8A1 db 1
SDPI:0047A8A2 ; ----------------------------------------------------------------------------
SDPI:0047A8A2
SDPI:0047A8A2 loc_47A8A2: ; CODE XREF: SDPI:0047A84D j
SDPI:0047A8A2 ; SDPI:0047A84F j
SDPI:0047A8A2 pop eax
SDPI:0047A8A3 retn
SDPI:0047A8A3 ; ----------------------------------------------------------------------------
SDPI:0047A8A4 db 0
SDPI:0047A8A5 db 10h
SDPI:0047A8A6 db 40h ; @
SDPI:0047A8A7 db 0
SDPI:0047A8A8 db 3Eh ; >
SDPI:0047A8A9 db 56h ; V
SDPI:0047A8AA db 7Ch ; |
SDPI:0047A8AB db 7
SDPI:0047A8AC
SDPI:0047A8AC ; ************** S U B R O U T I N E *****************************************
SDPI:0047A8AC
SDPI:0047A8AC
SDPI:0047A8AC sub_47A8AC proc near ; CODE XREF: SDPI:0047A882 p
SDPI:0047A8AC pop edx
SDPI:0047A8AD retn
SDPI:0047A8AD sub_47A8AC endp ; sp = 4
SDPI:0047A8AD
SDPI:0047A8AD ; ----------------------------------------------------------------------------
SDPI:0047A8AE db 0
SDPI:0047A8AF db 10h
SDPI:0047A8B0 db 40h ; @
SDPI:0047A8B1 db 0
SDPI:0047A8B2 db 0EFh ; ?
SDPI:0047A8B3 db 53h ; S
SDPI:0047A8B4 db 0EDh ; ?
SDPI:0047A8B5 db 1
SDPI:0047A8B6
SDPI:0047A8B6 ; ************** S U B R O U T I N E *****************************************
SDPI:0047A8B6
SDPI:0047A8B6 ; because the packer uses obfuscated calls in many places,
SDPI:0047A8B6 ; it is not easy to split into modules
SDPI:0047A8B6
SDPI:0047A8B6 Over_47A8B6 proc near ; CODE XREF: SDPI:0047A872 j
SDPI:0047A8B6 nop
SDPI:0047A8B7 nop
SDPI:0047A8B8 nop
SDPI:0047A8B9 nop
SDPI:0047A8BA nop
SDPI:0047A8BB call loc_47A8C1
SDPI:0047A8C0 nop
SDPI:0047A8C1
SDPI:0047A8C1 loc_47A8C1: ; CODE XREF: Over_47A8B6+5 p
SDPI:0047A8C1 pop eax
SDPI:0047A8C2 add eax, 5Eh
SDPI:0047A8C7 mov edx, eax
SDPI:0047A8C9 add edx, 32h
SDPI:0047A8CC call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047A8CC ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047A8CC ; since it is just a simple xor, so the same routine serves
SDPI:0047A8CC ; for both encryption and decryption
SDPI:0047A8D1 call loc_47A8D7
SDPI:0047A8D6 nop
SDPI:0047A8D7
SDPI:0047A8D7 loc_47A8D7: ; CODE XREF: Over_47A8B6+1B p
SDPI:0047A8D7 pop eax
SDPI:0047A8D8 add eax, 47C6h
SDPI:0047A8DD call loc_47A8E3
SDPI:0047A8E2 nop
SDPI:0047A8E3
SDPI:0047A8E3 loc_47A8E3: ; CODE XREF: Over_47A8B6+27 p
SDPI:0047A8E3 pop ecx
SDPI:0047A8E4 add ecx, 4867h
SDPI:0047A8EA push 0
SDPI:0047A8EC push ecx
SDPI:0047A8ED push eax
SDPI:0047A8EE push 0
SDPI:0047A8F0 call loc_47A8F6
SDPI:0047A8F5 nop
SDPI:0047A8F6
SDPI:0047A8F6 loc_47A8F6: ; CODE XREF: Over_47A8B6+3A p
SDPI:0047A8F6 pop eax
SDPI:0047A8F7 add eax, 11h
SDPI:0047A8FC push eax
SDPI:0047A8FD jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047A8FD ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047A8FD ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047A8FD ; ----------------------------------------------------------------------------
SDPI:0047A902 db 90h ; ?
SDPI:0047A903 db 90h ; ?
SDPI:0047A904 db 90h ; ?
SDPI:0047A905 db 90h ; ?
SDPI:0047A906 ; ----------------------------------------------------------------------------
SDPI:0047A906 push 7
SDPI:0047A908 call loc_47A90E
SDPI:0047A90D nop
SDPI:0047A90E
SDPI:0047A90E loc_47A90E: ; CODE XREF: Over_47A8B6+52 p
SDPI:0047A90E pop eax
SDPI:0047A90F add eax, 11h
SDPI:0047A914 push eax
SDPI:0047A915 jmp ExitProcess
SDPI:0047A915 ; ----------------------------------------------------------------------------
SDPI:0047A91A db 90h ; ?
SDPI:0047A91B db 90h ; ?
SDPI:0047A91C db 90h ; ?
SDPI:0047A91D db 90h ; ?
SDPI:0047A91D Over_47A8B6 endp
SDPI:0047A91D
SDPI:0047A91E ; ----------------------------------------------------------------------------
SDPI:0047A91E pop edx ; pop the time computed the first time
SDPI:0047A91F mov eax, ecx
SDPI:0047A921 add eax, edx
SDPI:0047A923 inc ecx
SDPI:0047A924 push eax
SDPI:0047A925 inc ecx
SDPI:0047A926 pop ebx
SDPI:0047A927 pop ecx
SDPI:0047A928 push eax
SDPI:0047A929 sub eax, 8
SDPI:0047A92C pop ebx
SDPI:0047A92D pop ebx
SDPI:0047A92E inc eax
SDPI:0047A92F add eax, ebx
SDPI:0047A931 pop eax
SDPI:0047A932 pushfw
SDPI:0047A934 popfw
SDPI:0047A936 popfw
SDPI:0047A938 pop es
SDPI:0047A939 mov eax, 12345678h
SDPI:0047A93E push eax
SDPI:0047A93F call loc_47A945
SDPI:0047A944 nop
SDPI:0047A945
SDPI:0047A945 loc_47A945: ; CODE XREF: SDPI:0047A93F p
SDPI:0047A945 pop eax
SDPI:0047A946 add eax, 12Ch
SDPI:0047A94B push eax
SDPI:0047A94C pop ebx
SDPI:0047A94D add eax, 12h ; a pile of code that just shuffles values back and forth :-(
SDPI:0047A950 pop edx
SDPI:0047A951 add eax, edx
SDPI:0047A953 mov edx, eax
SDPI:0047A955 push ebx
SDPI:0047A956 mov ebx, es:[ecx+100h]
SDPI:0047A95D push ebx
SDPI:0047A95E mov eax, esp
SDPI:0047A960 mov ebx, eax
SDPI:0047A962 push ebx
SDPI:0047A963 pop edx
SDPI:0047A964 mov es:[ecx+100h], eax
SDPI:0047A96B xor eax, eax
SDPI:0047A96D jle short loc_47A976
SDPI:0047A96F jg short loc_47A976
SDPI:0047A971 add [eax], dl
SDPI:0047A973 inc eax
SDPI:0047A974 add al, ch
SDPI:0047A976
SDPI:0047A976 loc_47A976: ; CODE XREF: SDPI:0047A96D j
SDPI:0047A976 ; SDPI:0047A96F j
SDPI:0047A976 pushfw
SDPI:0047A978 push ecx
SDPI:0047A979 xor ecx, ecx
SDPI:0047A97B jcxz loc_47A983
SDPI:0047A97E add [eax], dl
SDPI:0047A980 inc eax
SDPI:0047A981 add al, ch
SDPI:0047A983
SDPI:0047A983 loc_47A983: ; CODE XREF: SDPI:0047A97B j
SDPI:0047A983 pop ecx
SDPI:0047A984 nop
SDPI:0047A985 nop
SDPI:0047A986 nop
SDPI:0047A987 nop
SDPI:0047A988 nop
SDPI:0047A989 nop
SDPI:0047A98A nop
SDPI:0047A98B nop
SDPI:0047A98C nop
SDPI:0047A98D nop
SDPI:0047A98E nop
SDPI:0047A98F nop
SDPI:0047A990 nop
SDPI:0047A991 nop
SDPI:0047A992 nop
SDPI:0047A993 nop
SDPI:0047A994 nop
SDPI:0047A995 nop
SDPI:0047A996 nop
SDPI:0047A997 nop
SDPI:0047A998 nop
SDPI:0047A999 nop
SDPI:0047A99A nop
SDPI:0047A99B popfw
SDPI:0047A99D jo short loc_47A9A5
SDPI:0047A99F jno short loc_47A9A5
SDPI:0047A99F ; ----------------------------------------------------------------------------
SDPI:0047A9A1 dd 401000h
SDPI:0047A9A5 ; ----------------------------------------------------------------------------
SDPI:0047A9A5
SDPI:0047A9A5 loc_47A9A5: ; CODE XREF: SDPI:0047A99D j
SDPI:0047A9A5 ; SDPI:0047A99F j
SDPI:0047A9A5 int 3 ; Trap to Debugger
SDPI:0047A9A6 nop ; after the exception here, control goes to the SEH handler (0047AA70)
SDPI:0047A9A7 xor eax, eax
SDPI:0047A9A9 mov dword ptr [eax], 401AA9h ; this is the third exception
SDPI:0047A9AF jp short Call_GetTickCount
SDPI:0047A9B1 jnp short Call_GetTickCount
SDPI:0047A9B3 add [eax], dl
SDPI:0047A9B5 inc eax
SDPI:0047A9B6 add [ebx+3Dh], bh
SDPI:0047A9B9 inc eax
SDPI:0047A9B9 ; ----------------------------------------------------------------------------
SDPI:0047A9BA db 0
SDPI:0047A9BB ; ----------------------------------------------------------------------------
SDPI:0047A9BB
SDPI:0047A9BB Call_GetTickCount: ; CODE XREF: SDPI:0047A7D9 p
SDPI:0047A9BB ; SDPI:0047A9AF j ...
SDPI:0047A9BB call loc_47A9C1
SDPI:0047A9C0 nop
SDPI:0047A9C1
SDPI:0047A9C1 loc_47A9C1: ; CODE XREF: SDPI:Call_GetTickCount p
SDPI:0047A9C1 pop eax
SDPI:0047A9C2 add eax, 11h
SDPI:0047A9C7 push eax
SDPI:0047A9C8 jmp GetTickCount
SDPI:0047A9C8 ; ----------------------------------------------------------------------------
SDPI:0047A9CD db 90h ; ?
SDPI:0047A9CE db 90h ; ?
SDPI:0047A9CF db 90h ; ?
SDPI:0047A9D0 db 90h ; ?
SDPI:0047A9D1 ; ----------------------------------------------------------------------------
SDPI:0047A9D1 call loc_47A9D7
SDPI:0047A9D6 nop
SDPI:0047A9D7
SDPI:0047A9D7 loc_47A9D7: ; CODE XREF: SDPI:0047A9D1 p
SDPI:0047A9D7 pop edx
SDPI:0047A9D8 add edx, 0FFFFFB04h
SDPI:0047A9DE mov [edx], eax ; save the first obtained time, 01B85F98
SDPI:0047A9E0 pop ebp
SDPI:0047A9E1 add eax, edx
SDPI:0047A9E3 push eax
SDPI:0047A9E4 call junk_47a7e6
SDPI:0047A9E9
SDPI:0047A9E9 loc_47A9E9: ; CODE XREF: SDPI:0047A7E8 j
SDPI:0047A9E9 call sub_47A9EF
SDPI:0047A9EE nop
SDPI:0047A9EF
SDPI:0047A9EF ; ************** S U B R O U T I N E *****************************************
SDPI:0047A9EF
SDPI:0047A9EF
SDPI:0047A9EF sub_47A9EF proc near ; CODE XREF: SDPI:loc_47A9E9 p
SDPI:0047A9EF pop edx
SDPI:0047A9F0 add edx, 0FFFFFDFFh
SDPI:0047A9F6 add edx, eax
SDPI:0047A9F8 push edx
SDPI:0047A9F9 pop ecx
SDPI:0047A9FA sub ecx, eax
SDPI:0047A9FC push ecx
SDPI:0047A9FD retn 4
SDPI:0047A9FD sub_47A9EF endp
SDPI:0047A9FD
SDPI:0047AA00 ; ----------------------------------------------------------------------------
SDPI:0047AA00
SDPI:0047AA00 OVER_47AA00: ; CODE XREF: SDPI:0047AAA3 j
SDPI:0047AA00 ; SDPI:0047AAAB j ...
SDPI:0047AA00 nop ; if a debugger is found, the error message is shown here
SDPI:0047AA01 nop
SDPI:0047AA02 nop
SDPI:0047AA03 nop
SDPI:0047AA04 nop
SDPI:0047AA05 call sub_47AA0B
SDPI:0047AA0A nop
SDPI:0047AA0B
SDPI:0047AA0B ; ************** S U B R O U T I N E *****************************************
SDPI:0047AA0B
SDPI:0047AA0B
SDPI:0047AA0B sub_47AA0B proc near ; CODE XREF: SDPI:0047AA05 p
SDPI:0047AA0B pop eax
SDPI:0047AA0C add eax, 5Eh
SDPI:0047AA11 mov edx, eax
SDPI:0047AA13 add edx, 32h
SDPI:0047AA16 call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047AA16 ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047AA16 ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047AA16 ; both to encrypt and to decrypt
SDPI:0047AA1B call sub_47AA21
SDPI:0047AA20 nop
SDPI:0047AA20 sub_47AA0B endp
SDPI:0047AA20
SDPI:0047AA21
SDPI:0047AA21 ; ************** S U B R O U T I N E *****************************************
SDPI:0047AA21
SDPI:0047AA21
SDPI:0047AA21 sub_47AA21 proc near ; CODE XREF: sub_47AA0B+10 p
SDPI:0047AA21 pop eax
SDPI:0047AA22 add eax, 467Ch
SDPI:0047AA27 call sub_47AA2D
SDPI:0047AA2C nop
SDPI:0047AA2C sub_47AA21 endp
SDPI:0047AA2C
SDPI:0047AA2D
SDPI:0047AA2D ; ************** S U B R O U T I N E *****************************************
SDPI:0047AA2D
SDPI:0047AA2D
SDPI:0047AA2D sub_47AA2D proc near ; CODE XREF: sub_47AA21+6 p
SDPI:0047AA2D pop ecx
SDPI:0047AA2E add ecx, 471Dh
SDPI:0047AA34 push 0
SDPI:0047AA36 push ecx
SDPI:0047AA37 push eax
SDPI:0047AA38 push 0
SDPI:0047AA3A call sub_47AA40
SDPI:0047AA3F nop
SDPI:0047AA3F sub_47AA2D endp
SDPI:0047AA3F
SDPI:0047AA40
SDPI:0047AA40 ; ************** S U B R O U T I N E *****************************************
SDPI:0047AA40
SDPI:0047AA40
SDPI:0047AA40 sub_47AA40 proc near ; CODE XREF: sub_47AA2D+D p
SDPI:0047AA40 pop eax
SDPI:0047AA41 add eax, 11h
SDPI:0047AA46 push eax
SDPI:0047AA47 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047AA47 sub_47AA40 endp ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047AA47 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047AA47 ; ----------------------------------------------------------------------------
SDPI:0047AA4C db 90h ; ?
SDPI:0047AA4D db 90h ; ?
SDPI:0047AA4E db 90h ; ?
SDPI:0047AA4F db 90h ; ?
SDPI:0047AA50 ; ----------------------------------------------------------------------------
SDPI:0047AA50 push 7
SDPI:0047AA52 call sub_47AA58
SDPI:0047AA57 nop
SDPI:0047AA58
SDPI:0047AA58 ; ************** S U B R O U T I N E *****************************************
SDPI:0047AA58
SDPI:0047AA58
SDPI:0047AA58 sub_47AA58 proc near ; CODE XREF: SDPI:0047AA52 p
SDPI:0047AA58 pop eax
SDPI:0047AA59 add eax, 11h
SDPI:0047AA5E push eax
SDPI:0047AA5F jmp ExitProcess
SDPI:0047AA5F sub_47AA58 endp
SDPI:0047AA5F
SDPI:0047AA5F ; ----------------------------------------------------------------------------
SDPI:0047AA64 db 90h ; ?
SDPI:0047AA65 db 90h ; ?
SDPI:0047AA66 db 90h ; ?
SDPI:0047AA67 db 90h ; ?
SDPI:0047AA68 db 0
SDPI:0047AA69 db 10h
SDPI:0047AA6A db 40h ; @
SDPI:0047AA6B db 0
SDPI:0047AA6C db 0BEh ; ?
SDPI:0047AA6D db 56h ; V
SDPI:0047AA6E db 5Ch ; \
SDPI:0047AA6F db 1
SDPI:0047AA70 ; ----------------------------------------------------------------------------
SDPI:0047AA70
SDPI:0047AA70 SEH_HND_47A9A5: ; SEH HANDLE_0047A9A5
SDPI:0047AA70 mov esp, [esp+8]
SDPI:0047AA74 pop large dword ptr fs:0
SDPI:0047AA7B call loc_47AA81
SDPI:0047AA80 nop
SDPI:0047AA81
SDPI:0047AA81 loc_47AA81: ; CODE XREF: SDPI:0047AA7B p
SDPI:0047AA81 pop eax
SDPI:0047AA82 add eax, 11h
SDPI:0047AA87 push eax
SDPI:0047AA88 jmp GetTickCount
SDPI:0047AA88 ; ----------------------------------------------------------------------------
SDPI:0047AA8D db 90h ; ?
SDPI:0047AA8E db 90h ; ?
SDPI:0047AA8F db 90h ; ?
SDPI:0047AA90 db 90h ; ?
SDPI:0047AA91 ; ----------------------------------------------------------------------------
SDPI:0047AA91 call loc_47AA97
SDPI:0047AA96 nop
SDPI:0047AA97
SDPI:0047AA97 loc_47AA97: ; CODE XREF: SDPI:0047AA91 p
SDPI:0047AA97 pop edx
SDPI:0047AA98 add edx, 0FFFFFA44h
SDPI:0047AA9E mov ecx, [edx]
SDPI:0047AAA0 cmp ecx, 0 ; check whether the time is 0,
SDPI:0047AAA0 ; i.e. whether we have manually patched
SDPI:0047AAA0 ; GetTickCount
SDPI:0047AAA3 jz OVER_47AA00 ; if a debugger is found, the error message is shown here
SDPI:0047AAA9 sub eax, ecx
SDPI:0047AAAB js OVER_47AA00 ; if a debugger is found, the error message is shown here
SDPI:0047AAB1 sub eax, 7D0h ; none of these jumps may be taken; if one is taken, it's over
SDPI:0047AAB6 jns OVER_47AA00 ; if a debugger is found, the error message is shown here
SDPI:0047AABC mov eax, 0E801276h
SDPI:0047AAC1 mov [edx], eax
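The GetTickCount window check from 0047AA9E to 0047AAB6, modelled in C as an added example (this is not the packer's code). first is the tick value the packer stored after its first GetTickCount call and now is the value returned by the second call inside the SEH handler; the function and verdict names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts of the check. The packer itself only distinguishes "jump to
   OVER_47AA00" (debugger found) from "fall through"; the names are assumed. */
enum tick_verdict { TICK_OK = 0, TICK_ZERO, TICK_NEGATIVE, TICK_TOO_SLOW };

/* Model of 0047AA9E..0047AAB6. first is the saved tick value ([edx] -> ecx),
   now is the fresh GetTickCount result in eax. All arithmetic is 32-bit and
   the sign checks (js / jns) look at the signed result exactly as the CPU
   does, so a GetTickCount wrap-around between the two calls still passes. */
enum tick_verdict check_tick_window(uint32_t first, uint32_t now)
{
    /* cmp ecx, 0 ; jz OVER_47AA00 : a stored 0 means GetTickCount was patched */
    if (first == 0)
        return TICK_ZERO;

    /* sub eax, ecx ; js OVER_47AA00 : a negative delta means time went backwards */
    int32_t delta = (int32_t)(now - first);
    if (delta < 0)
        return TICK_NEGATIVE;

    /* sub eax, 7D0h ; jns OVER_47AA00 : delta - 2000 must still be negative,
       i.e. fewer than 2000 ms may pass between the two GetTickCount calls */
    if ((int32_t)(delta - 0x7D0) >= 0)
        return TICK_TOO_SLOW;

    return TICK_OK;
}

/* Drive the check with constructed values: 01B85F98 is the first tick value
   the article observed; the other inputs are made up to hit each branch. */
int main(void)
{
    const uint32_t first = 0x01B85F98u;
    struct { const char *what; uint32_t first, now; } cases[] = {
        { "normal run, 10 ms later",                  first,       first + 10    },
        { "1999 ms, last value that passes",          first,       first + 0x7CF },
        { "2000 ms, e.g. stepping through the SEH path", first,    first + 0x7D0 },
        { "tick went backwards",                      first,       first - 1     },
        { "stored tick was 0 (patched API)",          0,           100           },
        { "49.7-day wrap between the two calls",      0xFFFFFFF0u, 5             },
    };
    static const char *names[] = { "OK", "ZERO", "NEGATIVE", "TOO_SLOW" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-45s -> %s\n", cases[i].what,
               names[check_tick_window(cases[i].first, cases[i].now)]);
    return 0;
}
```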
SDPI:0047AAC3 call loc_47AAC9
SDPI:0047AAC8 nop
SDPI:0047AAC9
SDPI:0047AAC9 loc_47AAC9: ; CODE XREF: SDPI:0047AAC3 p
SDPI:0047AAC9 pop edx
SDPI:0047AACA add edx, 30Fh
SDPI:0047AAD0 call loc_47AAD6
SDPI:0047AAD5 nop
SDPI:0047AAD6
SDPI:0047AAD6 loc_47AAD6: ; CODE XREF: SDPI:0047AAD0 p
SDPI:0047AAD6 pop eax
SDPI:0047AAD7 add eax, 0FFFFF67Bh
SDPI:0047AADC mov ecx, 10h ; this is the region that was encrypted with the MD5 value earlier
SDPI:0047AAE1 call De_Code ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047AAE1 ; used to decrypt code; the decryption start address is the
SDPI:0047AAE1 ; address of the line right after the call
SDPI:0047AAE6 call loc_47AAEC
SDPI:0047AAEB nop
SDPI:0047AAEC
SDPI:0047AAEC loc_47AAEC: ; CODE XREF: SDPI:0047AAE6 p
SDPI:0047AAEC pop eax
SDPI:0047AAED add eax, 11h
SDPI:0047AAF2 push eax
SDPI:0047AAF3 jmp CMPHASH_48147D ; compute and compare the MD5 value to check whether the code has been modified
SDPI:0047AAF3 ; ----------------------------------------------------------------------------
SDPI:0047AAF8 db 90h ; ?
SDPI:0047AAF9 db 90h ; ?
SDPI:0047AAFA db 90h ; ?
SDPI:0047AAFB db 90h ; ?
SDPI:0047AAFC ; ----------------------------------------------------------------------------
SDPI:0047AAFC call loc_47AB02
SDPI:0047AB01 nop
SDPI:0047AB02
SDPI:0047AB02 loc_47AB02: ; CODE XREF: SDPI:0047AAFC p
SDPI:0047AB02 pop eax
SDPI:0047AB03 add eax, 11h
SDPI:0047AB08 push eax
SDPI:0047AB09 jmp Anti_DBG_482360 ; inside it is still debugger detection :-(,
SDPI:0047AB09 ; nothing but debugger checks, no real work
SDPI:0047AB09 ; ----------------------------------------------------------------------------
SDPI:0047AB0E db 90h ; ?
SDPI:0047AB0F db 90h ; ?
SDPI:0047AB10 db 90h ; ?
SDPI:0047AB11 db 90h ; ?
SDPI:0047AB12 ; ----------------------------------------------------------------------------
SDPI:0047AB12 sub ebx, eax
SDPI:0047AB14 add ecx, ebx
SDPI:0047AB16 xor ebx, ebx
SDPI:0047AB18 sub eax, 0D246534Fh ; another comparison; this one is easy to deal with,
SDPI:0047AB18 ; just return directly inside that call
SDPI:0047AB1D jle short loc_47AB26
SDPI:0047AB1F jg short loc_47AB26
SDPI:0047AB1F ; ----------------------------------------------------------------------------
SDPI:0047AB21 dd 401000h
SDPI:0047AB25 db 0E8h ; ?
SDPI:0047AB26 ; ----------------------------------------------------------------------------
SDPI:0047AB26
SDPI:0047AB26 loc_47AB26: ; CODE XREF: SDPI:0047AB1D j
SDPI:0047AB26 ; SDPI:0047AB1F j
SDPI:0047AB26 pushfw
SDPI:0047AB28 push ecx ; junk code like this appears in many places
SDPI:0047AB29 xor ecx, ecx
SDPI:0047AB2B jcxz loc_47AB33
SDPI:0047AB2E add [eax], dl
SDPI:0047AB30 inc eax
SDPI:0047AB31 add al, ch
SDPI:0047AB33
SDPI:0047AB33 loc_47AB33: ; CODE XREF: SDPI:0047AB2B j
SDPI:0047AB33 pop ecx
SDPI:0047AB34 nop
SDPI:0047AB35 nop
SDPI:0047AB36 nop
SDPI:0047AB37 nop
SDPI:0047AB38 nop
SDPI:0047AB39 nop
SDPI:0047AB3A nop
SDPI:0047AB49 nop
SDPI:0047AB4A nop
SDPI:0047AB4B popfw
SDPI:0047AB4D jz short Pass_47ABB7 ; if this does not jump, it's over
SDPI:0047AB4F
SDPI:0047AB4F ; ************** S U B R O U T I N E *****************************************
SDPI:0047AB4F
SDPI:0047AB4F
SDPI:0047AB4F FINDDBG_47AB4F proc near
SDPI:0047AB4F nop
SDPI:0047AB50 nop
SDPI:0047AB51 nop
SDPI:0047AB52 nop
SDPI:0047AB53 nop
SDPI:0047AB54 call loc_47AB5A
SDPI:0047AB59 nop
SDPI:0047AB5A
SDPI:0047AB5A loc_47AB5A: ; CODE XREF: FINDDBG_47AB4F+5 p
SDPI:0047AB5A pop eax
SDPI:0047AB5B add eax, 5Eh
SDPI:0047AB60 mov edx, eax
SDPI:0047AB62 add edx, 32h
SDPI:0047AB65 call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047AB65 ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047AB65 ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047AB65 ; both to encrypt and to decrypt
SDPI:0047AB6A call loc_47AB70
SDPI:0047AB6F nop
SDPI:0047AB70
SDPI:0047AB70 loc_47AB70: ; CODE XREF: FINDDBG_47AB4F+1B p
SDPI:0047AB70 pop eax
SDPI:0047AB71 add eax, 452Dh
SDPI:0047AB76 call loc_47AB7C
SDPI:0047AB7B nop
SDPI:0047AB7C
SDPI:0047AB7C loc_47AB7C: ; CODE XREF: FINDDBG_47AB4F+27 p
SDPI:0047AB7C pop ecx
SDPI:0047AB7D add ecx, 45CEh
SDPI:0047AB83 push 0
SDPI:0047AB85 push ecx
SDPI:0047AB86 push eax
SDPI:0047AB87 push 0
SDPI:0047AB89 call loc_47AB8F
SDPI:0047AB8E nop
SDPI:0047AB8F
SDPI:0047AB8F loc_47AB8F: ; CODE XREF: FINDDBG_47AB4F+3A p
SDPI:0047AB8F pop eax
SDPI:0047AB90 add eax, 11h
SDPI:0047AB95 push eax
SDPI:0047AB96 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047AB96 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047AB96 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047AB96 ; ----------------------------------------------------------------------------
SDPI:0047AB9B db 90h ; ?
SDPI:0047AB9C db 90h ; ?
SDPI:0047AB9D db 90h ; ?
SDPI:0047AB9E db 90h ; ?
SDPI:0047AB9F ; ----------------------------------------------------------------------------
SDPI:0047AB9F push 7
SDPI:0047ABA1 call loc_47ABA7
SDPI:0047ABA6 nop
SDPI:0047ABA7
SDPI:0047ABA7 loc_47ABA7: ; CODE XREF: FINDDBG_47AB4F+52 p
SDPI:0047ABA7 pop eax
SDPI:0047ABA8 add eax, 11h
SDPI:0047ABAD push eax
SDPI:0047ABAE jmp ExitProcess
SDPI:0047ABAE ; ----------------------------------------------------------------------------
SDPI:0047ABB3 db 90h ; ?
SDPI:0047ABB4 db 90h ; ?
SDPI:0047ABB5 db 90h ; ?
SDPI:0047ABB6 db 90h ; ?
SDPI:0047ABB6 FINDDBG_47AB4F endp
SDPI:0047ABB6
SDPI:0047ABB7 ; ----------------------------------------------------------------------------
SDPI:0047ABB7
SDPI:0047ABB7 Pass_47ABB7: ; CODE XREF: SDPI:0047AB4D j
SDPI:0047ABB7 call loc_47ABBD
SDPI:0047ABBC nop
SDPI:0047ABBD
SDPI:0047ABBD loc_47ABBD: ; CODE XREF: SDPI:Pass_47ABB7 p
SDPI:0047ABBD pop eax
SDPI:0047ABBE add eax, 11h
SDPI:0047ABC3 push eax
SDPI:0047ABC4 jmp AntiDBG_482535
SDPI:0047ABC4 ; ----------------------------------------------------------------------------
SDPI:0047ABC9 db 90h ; ?
SDPI:0047ABCA db 90h ; ?
SDPI:0047ABCB db 90h ; ?
SDPI:0047ABCC db 90h ; ?
SDPI:0047ABCD ; ----------------------------------------------------------------------------
SDPI:0047ABCD cmp eax, 80000000h
SDPI:0047ABCD ; ----------------------------------------------------------------------------
SDPI:0047ABD2 dd 7EB077Ch ; 垃圾代码
SDPI:0047ABD6 dd 401000h
SDPI:0047ABDA dd 72F774E8h
SDPI:0047ABDE aS@sRS@s db 12h,'s',10h,0,10h,'@',0,'?,3,'胷',1Bh,'s',19h,0,10h,'@',0,'?
SDPI:0047ABF1 aFP3TS@sxxf db 'f淧3?豻扈',5,0,0,0,0,10h,'@',0,'鑈Xf'
SDPI:0047AC07 db 9Dh ; ? ; everything above is junk code;
SDPI:0047AC07 ; I simply let IDA analyze it as strings
SDPI:0047AC08 ; ----------------------------------------------------------------------------
SDPI:0047AC08 jz short Pass_47AC72 ; comparison and jump here; if it does not jump, it's over
SDPI:0047AC0A
SDPI:0047AC0A ; ************** S U B R O U T I N E *****************************************
SDPI:0047AC0A
SDPI:0047AC0A
SDPI:0047AC0A FNDDBG_47AC0A proc near
SDPI:0047AC0A nop
SDPI:0047AC0B nop
SDPI:0047AC0C nop
SDPI:0047AC0D nop
SDPI:0047AC0E nop
SDPI:0047AC0F call loc_47AC15
SDPI:0047AC14 nop
SDPI:0047AC15
SDPI:0047AC15 loc_47AC15: ; CODE XREF: FNDDBG_47AC0A+5 p
SDPI:0047AC15 pop eax
SDPI:0047AC16 add eax, 5Eh
SDPI:0047AC1B mov edx, eax
SDPI:0047AC1D add edx, 32h
SDPI:0047AC20 call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047AC20 ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047AC20 ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047AC20 ; both to encrypt and to decrypt
SDPI:0047AC25 call loc_47AC2B
SDPI:0047AC2A nop
SDPI:0047AC2B
SDPI:0047AC2B loc_47AC2B: ; CODE XREF: FNDDBG_47AC0A+1B p
SDPI:0047AC2B pop eax
SDPI:0047AC2C add eax, 4472h
SDPI:0047AC31 call loc_47AC37
SDPI:0047AC36 nop
SDPI:0047AC37
SDPI:0047AC37 loc_47AC37: ; CODE XREF: FNDDBG_47AC0A+27 p
SDPI:0047AC37 pop ecx
SDPI:0047AC38 add ecx, 4513h
SDPI:0047AC3E push 0
SDPI:0047AC40 push ecx
SDPI:0047AC41 push eax
SDPI:0047AC42 push 0
SDPI:0047AC44 call loc_47AC4A
SDPI:0047AC49 nop
SDPI:0047AC4A
SDPI:0047AC4A loc_47AC4A: ; CODE XREF: FNDDBG_47AC0A+3A p
SDPI:0047AC4A pop eax
SDPI:0047AC4B add eax, 11h
SDPI:0047AC50 push eax
SDPI:0047AC51 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047AC51 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047AC51 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047AC51 ; ----------------------------------------------------------------------------
SDPI:0047AC56 db 90h ; ?
SDPI:0047AC57 db 90h ; ?
SDPI:0047AC58 db 90h ; ?
SDPI:0047AC59 db 90h ; ?
SDPI:0047AC5A ; ----------------------------------------------------------------------------
SDPI:0047AC5A
SDPI:0047AC5A ExitProc:
SDPI:0047AC5A push 7
SDPI:0047AC5C call loc_47AC62
SDPI:0047AC61 nop
SDPI:0047AC62
SDPI:0047AC62 loc_47AC62: ; CODE XREF: FNDDBG_47AC0A+52 p
SDPI:0047AC62 pop eax
SDPI:0047AC63 add eax, 11h
SDPI:0047AC68 push eax
SDPI:0047AC69 jmp ExitProcess
SDPI:0047AC69 ; ----------------------------------------------------------------------------
SDPI:0047AC6E db 90h ; ?
SDPI:0047AC6F db 90h ; ?
SDPI:0047AC70 db 90h ; ?
SDPI:0047AC71 db 90h ; ?
SDPI:0047AC71 FNDDBG_47AC0A endp
SDPI:0047AC71
SDPI:0047AC72 ; ----------------------------------------------------------------------------
SDPI:0047AC72
SDPI:0047AC72 Pass_47AC72: ; CODE XREF: SDPI:0047AC08 j
SDPI:0047AC72 call loc_47AC78
SDPI:0047AC77 nop
SDPI:0047AC78
SDPI:0047AC78 loc_47AC78: ; CODE XREF: SDPI:Pass_47AC72 p
SDPI:0047AC78 pop eax
SDPI:0047AC79 add eax, 11h
SDPI:0047AC7E push eax
SDPI:0047AC7F jmp Check_Mode ; check whether this is the parent or the child process
SDPI:0047AC7F ; ----------------------------------------------------------------------------
SDPI:0047AC84 db 90h ; ?
SDPI:0047AC85 db 90h ; ?
SDPI:0047AC86 db 90h ; ?
SDPI:0047AC87 db 90h ; ?
SDPI:0047AC88 ; ----------------------------------------------------------------------------
SDPI:0047AC88 mov ebx, 80000000h
SDPI:0047AC8D add ebx, eax
SDPI:0047AC8F xor eax, 87EAF247h
SDPI:0047AC94 sub eax, 0BC1D12FAh ; this is the key point: if the subtraction gives 0, this is the child process
SDPI:0047AC94 ; ----------------------------------------------------------------------------
SDPI:0047AC99 JUNK_47AC99 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047AC99 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047AC99 db '鑈Xf漼',7,'x',5,0,10h,'@',0,'?
SDPI:0047ACD8 ; ----------------------------------------------------------------------------
SDPI:0047ACD8 jz Subroutine_Mode ; jump to the child-process part
SDPI:0047ACDE jnz short loc_47ACE5
SDPI:0047ACDE ; ----------------------------------------------------------------------------
SDPI:0047ACE0 dd 401000h
SDPI:0047ACE4 db 0E8h ; ?
SDPI:0047ACE5 ; ----------------------------------------------------------------------------
SDPI:0047ACE5
SDPI:0047ACE5 loc_47ACE5: ; CODE XREF: SDPI:0047ACDE j
SDPI:0047ACE5 call loc_47ACEB
SDPI:0047ACEA nop
SDPI:0047ACEB
SDPI:0047ACEB loc_47ACEB: ; CODE XREF: SDPI:loc_47ACE5 p
SDPI:0047ACEB pop eax
SDPI:0047ACEC add eax, 11h
SDPI:0047ACF1 push eax
SDPI:0047ACF2 jmp WritTMPF_481537 ; write the temporary file
SDPI:0047ACF2 ; ----------------------------------------------------------------------------
SDPI:0047ACF7 db 90h ; ?
SDPI:0047ACF8 db 90h ; ?
SDPI:0047ACF9 db 90h ; ?
SDPI:0047ACFA db 90h ; ?
SDPI:0047ACFB ; ----------------------------------------------------------------------------
SDPI:0047ACFB sub eax, 8
SDPI:0047ACFB ; ----------------------------------------------------------------------------
SDPI:0047ACFE Junk_47ACFE db '~',7,'',5,0,10h,'@',0,'鑖淨3蒰?,5,0,10h,'@',0,'鑉悙悙悙悙?
SDPI:0047ACFE db '悙悙悙悙悙悙悙f漸',7,'t',5,0,10h,'@',0
SDPI:0047AD36 db 0E8h ; ?
SDPI:0047AD37 ; ----------------------------------------------------------------------------
SDPI:0047AD37 jz Subroutine_Mode
SDPI:0047AD3D call loc_47AD43
SDPI:0047AD42 nop
SDPI:0047AD43
SDPI:0047AD43 loc_47AD43: ; CODE XREF: SDPI:0047AD3D p
SDPI:0047AD43 pop eax
SDPI:0047AD44 add eax, 11h
SDPI:0047AD49 push eax
SDPI:0047AD4A jmp apiGetCmdLine
SDPI:0047AD4A ; ----------------------------------------------------------------------------
SDPI:0047AD4F db 90h ; ?
SDPI:0047AD50 db 90h ; ?
SDPI:0047AD51 db 90h ; ?
SDPI:0047AD52 db 90h ; ?
SDPI:0047AD53 ; ----------------------------------------------------------------------------
SDPI:0047AD53 push eax
SDPI:0047AD54 mov edi, eax
SDPI:0047AD56 xor al, al
SDPI:0047AD58 mov ecx, 0FFFFFFFFh
SDPI:0047AD5D repne scasb
SDPI:0047AD5F neg ecx
SDPI:0047AD61 dec ecx ; get the command-line length
SDPI:0047AD62 pop esi
SDPI:0047AD63 call loc_47AD69
SDPI:0047AD68 nop
SDPI:0047AD69
SDPI:0047AD69 loc_47AD69: ; CODE XREF: SDPI:0047AD63 p
SDPI:0047AD69 pop edi
SDPI:0047AD6A add edi, 0FFFFF4E4h
SDPI:0047AD70 rep movsb ; copy the command line
SDPI:0047AD72 call loc_47AD78
SDPI:0047AD77 nop
SDPI:0047AD78
SDPI:0047AD78 loc_47AD78: ; CODE XREF: SDPI:0047AD72 p
SDPI:0047AD78 pop edi
SDPI:0047AD79 add edi, 0FFFFF4D5h
SDPI:0047AD7F call loc_47AD85
SDPI:0047AD84 nop
SDPI:0047AD85
SDPI:0047AD85 loc_47AD85: ; CODE XREF: SDPI:0047AD7F p
SDPI:0047AD85 pop eax
SDPI:0047AD86 add eax, 0FFFFF5CCh
SDPI:0047AD8B call loc_47AD91
SDPI:0047AD90 nop
SDPI:0047AD91
SDPI:0047AD91 loc_47AD91: ; CODE XREF: SDPI:0047AD8B p
SDPI:0047AD91 pop ebx
SDPI:0047AD92 add ebx, 0FFFFF4ACh
SDPI:0047AD98 push ebx
SDPI:0047AD99 push eax
SDPI:0047AD9A push 0
SDPI:0047AD9C push 0
SDPI:0047AD9E push 0
SDPI:0047ADA0 push 1
SDPI:0047ADA2 push 0
SDPI:0047ADA4 push 0
SDPI:0047ADA6 push edi
SDPI:0047ADA7 push 0
SDPI:0047ADA9 call loc_47ADAF
SDPI:0047ADAE nop
SDPI:0047ADAF
SDPI:0047ADAF loc_47ADAF: ; CODE XREF: SDPI:0047ADA9 p
SDPI:0047ADAF pop eax
SDPI:0047ADB0 add eax, 11h
SDPI:0047ADB5 push eax
SDPI:0047ADB6 jmp apiCreateProcess ; create the new process
SDPI:0047ADB6 ; ----------------------------------------------------------------------------
SDPI:0047ADBB db 90h ; ?
SDPI:0047ADBC db 90h ; ?
SDPI:0047ADBD db 90h ; ?
SDPI:0047ADBE db 90h ; ?
SDPI:0047ADBF ; ----------------------------------------------------------------------------
SDPI:0047ADBF push 0
SDPI:0047ADC1 call loc_47ADC7
SDPI:0047ADC6 nop
SDPI:0047ADC7
SDPI:0047ADC7 loc_47ADC7: ; CODE XREF: SDPI:0047ADC1 p
SDPI:0047ADC7 pop eax
SDPI:0047ADC8 add eax, 11h
SDPI:0047ADCD push eax
SDPI:0047ADCE jmp ExitProcess
SDPI:0047ADCE ; ----------------------------------------------------------------------------
SDPI:0047ADD3 db 90h ; ?
At this point the launching process is done; we continue to the part that gets launched.
SDPI:0047ADD7 ; ----------------------------------------------------------------------------
SDPI:0047ADD7
SDPI:0047ADD7 Subroutine_Mode: ; CODE XREF: SDPI:0047ACD8 j
SDPI:0047ADD7 ; SDPI:0047AD37 j
SDPI:0047ADD7 call loc_47ADDD
SDPI:0047ADDC nop
SDPI:0047ADDD
SDPI:0047ADDD loc_47ADDD: ; CODE XREF: SDPI:Subroutine_Mode p
SDPI:0047ADDD pop eax
SDPI:0047ADDE add eax, 11h
SDPI:0047ADE3 push eax
SDPI:0047ADE4 jmp CMPHASH_48147D ; compute and compare the MD5 value to check whether the code has been modified
SDPI:0047ADE4 ; ----------------------------------------------------------------------------
SDPI:0047ADE9 dword_47ADE9 dd 90909090h
SDPI:0047ADED aPQ@VVA db 'p',0Eh,'q',0Ch,0,10h,'@',0,'縑|!v',12h,'',0Eh
SDPI:0047ADFD ; ----------------------------------------------------------------------------
SDPI:0047ADFD mov ecx, 769E3CF2h
SDPI:0047AE02 call loc_47AE08
SDPI:0047AE07 nop
SDPI:0047AE08
SDPI:0047AE08 loc_47AE08: ; CODE XREF: SDPI:0047AE02 p
SDPI:0047AE08 pop eax
SDPI:0047AE09 add eax, 5FEh
SDPI:0047AE0E call loc_47AE14
SDPI:0047AE13 nop
SDPI:0047AE14
SDPI:0047AE14 loc_47AE14: ; CODE XREF: SDPI:0047AE0E p
SDPI:0047AE14 pop edx
SDPI:0047AE15 add edx, 6ECh
SDPI:0047AE1B call Crypt_Code ; encrypt the code with the MD5 value; calling convention:
SDPI:0047AE1B ; invoke Crypt_Code,End,Start
SDPI:0047AE1B ; End is the end address of the encrypted range, held in EDX
SDPI:0047AE1B ; Start is the start address of the encrypted range, held in eax
SDPI:0047AE1B ;
SDPI:0047AE20 push eax ; quite sneaky: the computed md5 value is then used
SDPI:0047AE20 ; to encrypt the code;
SDPI:0047AE20 ; the second encryption address is 0047B405
SDPI:0047AE21 xor eax, eax
SDPI:0047AE23 call loc_47AE29
SDPI:0047AE28 nop
SDPI:0047AE29
SDPI:0047AE29 loc_47AE29: ; CODE XREF: SDPI:0047AE23 p
SDPI:0047AE29 pop edi
SDPI:0047AE2A add edi, 61h
SDPI:0047AE30 mov ebx, [edi]
SDPI:0047AE32 mov edx, [edi+4]
SDPI:0047AE32 ; ----------------------------------------------------------------------------
SDPI:0047AE35 aTU@L db 't',0Ah
SDPI:0047AE35 db 'u',8,0,10h,'@',0,0Bh,'',9
SDPI:0047AE41 ; ----------------------------------------------------------------------------
SDPI:0047AE41 call loc_47AE47
SDPI:0047AE46 nop
SDPI:0047AE47
SDPI:0047AE47 loc_47AE47: ; CODE XREF: SDPI:0047AE41 p
SDPI:0047AE47 pop esi
SDPI:0047AE48 add esi, 59h
SDPI:0047AE4E mov ecx, 3
SDPI:0047AE4E ; ----------------------------------------------------------------------------
SDPI:0047AE53 Junk_47AE53 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047AE53 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047AE53 db '鑈Xf?
SDPI:0047AE89 ; ----------------------------------------------------------------------------
SDPI:0047AE89 rep movsw
SDPI:0047AE8C call FNDDBG_47AF0D
SDPI:0047AE91 call Int3_47AF7D ; the fourth INT3
SDPI:0047AE91 ; ----------------------------------------------------------------------------
SDPI:0047AE96 JUNK_47AE96 db '?,0,10h,'@',0,'皦?,4,'?,1,'愲',3,'悙'
SDPI:0047AEA6
SDPI:0047AEA6 ; ************** S U B R O U T I N E *****************************************
SDPI:0047AEA6
SDPI:0047AEA6
SDPI:0047AEA6 FndDBG_47AEA6 proc near
SDPI:0047AEA6 nop
SDPI:0047AEA7 nop
SDPI:0047AEA8 nop
SDPI:0047AEA9 nop
SDPI:0047AEAA call loc_47AEB0
SDPI:0047AEAF nop
SDPI:0047AEB0
SDPI:0047AEB0 loc_47AEB0: ; CODE XREF: FndDBG_47AEA6+4 p
SDPI:0047AEB0 pop eax
SDPI:0047AEB1 add eax, 5Eh
SDPI:0047AEB6 mov edx, eax
SDPI:0047AEB8 add edx, 32h
SDPI:0047AEBB call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047AEBB ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047AEBB ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047AEBB ; both to encrypt and to decrypt
SDPI:0047AEC0 call loc_47AEC6
SDPI:0047AEC5 nop
SDPI:0047AEC6
SDPI:0047AEC6 loc_47AEC6: ; CODE XREF: FndDBG_47AEA6+1A p
SDPI:0047AEC6 pop eax
SDPI:0047AEC7 add eax, 41D7h
SDPI:0047AECC call loc_47AED2
SDPI:0047AED1 nop
SDPI:0047AED2
SDPI:0047AED2 loc_47AED2: ; CODE XREF: FndDBG_47AEA6+26 p
SDPI:0047AED2 pop ecx
SDPI:0047AED3 add ecx, 4278h
SDPI:0047AED9 push 0
SDPI:0047AEDB push ecx
SDPI:0047AEDC push eax
SDPI:0047AEDD push 0
SDPI:0047AEDF call loc_47AEE5
SDPI:0047AEE4 nop
SDPI:0047AEE5
SDPI:0047AEE5 loc_47AEE5: ; CODE XREF: FndDBG_47AEA6+39 p
SDPI:0047AEE5 pop eax
SDPI:0047AEE6 add eax, 11h
SDPI:0047AEEB push eax
SDPI:0047AEEC jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047AEEC ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047AEEC ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047AEEC ; ----------------------------------------------------------------------------
SDPI:0047AEF1 db 90h ; ?
SDPI:0047AEF2 db 90h ; ?
SDPI:0047AEF3 db 90h ; ?
SDPI:0047AEF4 db 90h ; ?
SDPI:0047AEF5 ; ----------------------------------------------------------------------------
SDPI:0047AEF5 push 7
SDPI:0047AEF7 call loc_47AEFD
SDPI:0047AEFC nop
SDPI:0047AEFD
SDPI:0047AEFD loc_47AEFD: ; CODE XREF: FndDBG_47AEA6+51 p
SDPI:0047AEFD pop eax
SDPI:0047AEFE add eax, 11h
SDPI:0047AF03 push eax
SDPI:0047AF04 jmp ExitProcess
SDPI:0047AF04 ; ----------------------------------------------------------------------------
SDPI:0047AF09 db 90h ; ?
SDPI:0047AF0A db 90h ; ?
SDPI:0047AF0B db 90h ; ?
SDPI:0047AF0C db 90h ; ?
SDPI:0047AF0C FndDBG_47AEA6 endp
SDPI:0047AF0C
SDPI:0047AF0D
SDPI:0047AF0D ; ************** S U B R O U T I N E *****************************************
SDPI:0047AF0D
SDPI:0047AF0D
SDPI:0047AF0D FNDDBG_47AF0D proc near ; CODE XREF: SDPI:0047AE8C p
SDPI:0047AF0D nop
SDPI:0047AF0E nop
SDPI:0047AF0F nop
SDPI:0047AF10 nop
SDPI:0047AF11 nop
SDPI:0047AF12 call loc_47AF18
SDPI:0047AF17 nop
SDPI:0047AF18
SDPI:0047AF18 loc_47AF18: ; CODE XREF: FNDDBG_47AF0D+5 p
SDPI:0047AF18 pop eax
SDPI:0047AF19 add eax, 5Eh
SDPI:0047AF1E mov edx, eax
SDPI:0047AF20 add edx, 32h
SDPI:0047AF23 call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047AF23 ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047AF23 ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047AF23 ; both to encrypt and to decrypt
SDPI:0047AF28 call loc_47AF2E
SDPI:0047AF2D nop
SDPI:0047AF2E
SDPI:0047AF2E loc_47AF2E: ; CODE XREF: FNDDBG_47AF0D+1B p
SDPI:0047AF2E pop eax
SDPI:0047AF2F add eax, 416Fh
SDPI:0047AF34 call loc_47AF3A
SDPI:0047AF39 nop
SDPI:0047AF3A
SDPI:0047AF3A loc_47AF3A: ; CODE XREF: FNDDBG_47AF0D+27 p
SDPI:0047AF3A pop ecx
SDPI:0047AF3B add ecx, 4210h
SDPI:0047AF41 push 0
SDPI:0047AF43 push ecx
SDPI:0047AF44 push eax
SDPI:0047AF45 push 0
SDPI:0047AF47 call loc_47AF4D
SDPI:0047AF4C nop
SDPI:0047AF4D
SDPI:0047AF4D loc_47AF4D: ; CODE XREF: FNDDBG_47AF0D+3A p
SDPI:0047AF4D pop eax
SDPI:0047AF4E add eax, 11h
SDPI:0047AF53 push eax
SDPI:0047AF54 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro
SDPI:0047AF54 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047AF54 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047AF54 ; ----------------------------------------------------------------------------
SDPI:0047AF59 db 90h ; ?
SDPI:0047AF5A db 90h ; ?
SDPI:0047AF5B db 90h ; ?
SDPI:0047AF5C db 90h ; ?
SDPI:0047AF5D ; ----------------------------------------------------------------------------
SDPI:0047AF5D push 7
SDPI:0047AF5F call loc_47AF65
SDPI:0047AF64 nop
SDPI:0047AF65
SDPI:0047AF65 loc_47AF65: ; CODE XREF: FNDDBG_47AF0D+52 p
SDPI:0047AF65 pop eax
SDPI:0047AF66 add eax, 11h
SDPI:0047AF6B push eax
SDPI:0047AF6C jmp ExitProcess
SDPI:0047AF6C ; ----------------------------------------------------------------------------
SDPI:0047AF71 JUNK_47AF71 db '悙悙',0,10h,'@',0,'鄩?,6
SDPI:0047AF71 FNDDBG_47AF0D endp
SDPI:0047AF71
SDPI:0047AF7D ; ----------------------------------------------------------------------------
SDPI:0047AF7D
SDPI:0047AF7D Int3_47AF7D: ; CODE XREF: SDPI:0047AE91 p
SDPI:0047AF7D call loc_47AF83 ; the fourth INT3
SDPI:0047AF82 nop
SDPI:0047AF83
SDPI:0047AF83 loc_47AF83: ; CODE XREF: SDPI:Int3_47AF7D p
SDPI:0047AF83 pop edi
SDPI:0047AF84 add edi, 0FFFFFF07h
SDPI:0047AF8A mov [edi], ebx
SDPI:0047AF8C mov [edi+4], edx
SDPI:0047AF8F pop eax
SDPI:0047AF90 call loc_47AF96
SDPI:0047AF95 nop
SDPI:0047AF96
SDPI:0047AF96 loc_47AF96: ; CODE XREF: SDPI:0047AF90 p
SDPI:0047AF96 pop eax
SDPI:0047AF97 add eax, 124h
SDPI:0047AF9C push eax
SDPI:0047AF9D xor eax, eax
SDPI:0047AF9F push dword ptr fs:[eax]
SDPI:0047AFA2 mov fs:[eax], esp
SDPI:0047AFA5 mov ebp, 300EF1D3h
SDPI:0047AFAA add ebp, 12345678h
SDPI:0047AFB0 mov ax, 17h
SDPI:0047AFB4 sub ax, 13h
SDPI:0047AFB4 ; ----------------------------------------------------------------------------
SDPI:0047AFB8 JUNK_47AFB8 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047AFB8 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047AFB8 db '鑈Xf?
SDPI:0047AFEE ; ----------------------------------------------------------------------------
SDPI:0047AFEE nop
SDPI:0047AFEF nop
SDPI:0047AFF0 nop
SDPI:0047AFF1 nop ; after the fourth INT3 exception the SEH handler is at
SDPI:0047AFF1 ; 0047B0B9
SDPI:0047AFF2 nop
SDPI:0047AFF3 int 3 ; Trap to Debugger
SDPI:0047AFF4 nop
SDPI:0047AFF5 cmp al, 4
SDPI:0047AFF7 jz short Pass_47B06A ; jumps if the int3 exception went through normally
SDPI:0047AFF9
SDPI:0047AFF9 ; ************** S U B R O U T I N E *****************************************
SDPI:0047AFF9
SDPI:0047AFF9 ; if a debugger is found, the error message is shown, same as before
SDPI:0047AFF9
SDPI:0047AFF9 FNDDBG_47AFF9 proc near ; CODE XREF: SDPI:0047B083 j
SDPI:0047AFF9 ; SDPI:0047B09B j ...
SDPI:0047AFF9 nop
SDPI:0047AFFA nop
SDPI:0047AFFB nop
SDPI:0047AFFC nop
SDPI:0047AFFD nop
SDPI:0047AFFE call loc_47B004
SDPI:0047B003 nop
SDPI:0047B004
SDPI:0047B004 loc_47B004: ; CODE XREF: FNDDBG_47AFF9+5 p
SDPI:0047B004 pop eax
SDPI:0047B005 add eax, 5Eh
SDPI:0047B00A mov edx, eax
SDPI:0047B00C add edx, 32h
SDPI:0047B00F call Crypt_Decrypt_CODE ; edx = end address, eax = start address;
SDPI:0047B00F ; used to encrypt or decrypt code; encryption and decryption are
SDPI:0047B00F ; interchangeable since it is only a simple xor, so it can be used
SDPI:0047B00F ; both to encrypt and to decrypt
SDPI:0047B014 call loc_47B01A
SDPI:0047B019 nop
SDPI:0047B01A
SDPI:0047B01A loc_47B01A: ; CODE XREF: FNDDBG_47AFF9+1B p
SDPI:0047B01A pop eax
SDPI:0047B01B add eax, 4083h
SDPI:0047B020 call loc_47B026
SDPI:0047B025 nop
SDPI:0047B026
SDPI:0047B026 loc_47B026: ; CODE XREF: FNDDBG_47AFF9+27 p
SDPI:0047B026 pop ecx
SDPI:0047B027 add ecx, 4124h
SDPI:0047B02D push 0
SDPI:0047B02F push ecx
SDPI:0047B030 push eax
SDPI:0047B031 push 0
SDPI:0047B033 call loc_47B039
SDPI:0047B038 nop
SDPI:0047B039
SDPI:0047B039 loc_47B039: ; CODE XREF: FNDDBG_47AFF9+3A p
SDPI:0047B039 pop eax
SDPI:0047B03A add eax, 11h
SDPI:0047B03F push eax
SDPI:0047B040 jmp MessageBoxA ; MessageBoxA, reached through a packer macro that
SDPI:0047B040 ; checks whether the first 5 bytes of the function contain CCh,
SDPI:0047B040 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B040 ; ----------------------------------------------------------------------------
SDPI:0047B045 db 90h ; ?
SDPI:0047B046 db 90h ; ?
SDPI:0047B047 db 90h ; ?
SDPI:0047B048 db 90h ; ?
SDPI:0047B049 ; ----------------------------------------------------------------------------
SDPI:0047B049 push 7
SDPI:0047B04B call loc_47B051
SDPI:0047B050 nop
SDPI:0047B051
SDPI:0047B051 loc_47B051: ; CODE XREF: FNDDBG_47AFF9+52 p
SDPI:0047B051 pop eax
SDPI:0047B052 add eax, 11h
SDPI:0047B057 push eax
SDPI:0047B058 jmp ExitProcess
SDPI:0047B058 ; ----------------------------------------------------------------------------
SDPI:0047B05D JUNK_47B05D db '悙悙?,0,10h,'@',0,'皦?,4
SDPI:0047B05D FNDDBG_47AFF9 endp
SDPI:0047B05D
SDPI:0047B06A ; ----------------------------------------------------------------------------
SDPI:0047B06A
SDPI:0047B06A Pass_47B06A: ; CODE XREF: SDPI:0047AFF7 j
SDPI:0047B06A pop large dword ptr fs:0
SDPI:0047B071 add esp, 4
SDPI:0047B074 call loc_47B07A
SDPI:0047B079 nop
SDPI:0047B07A
SDPI:0047B07A loc_47B07A: ; CODE XREF: SDPI:0047B074 p
SDPI:0047B07A pop eax
SDPI:0047B07B add eax, 0FFFFFE1Dh
SDPI:0047B080 cmp byte ptr [eax], 0E9h
SDPI:0047B083 jnz FNDDBG_47AFF9 ; debugger found: show the error message as before
SDPI:0047B089 mov byte ptr [eax], 0E8h
SDPI:0047B08C rdtsc
SDPI:0047B08E mov ecx, eax
SDPI:0047B090 mov ebx, edx
SDPI:0047B092 rdtsc
SDPI:0047B094 sub eax, ecx
SDPI:0047B096 sbb edx, ebx
SDPI:0047B098 cmp edx, 0 ; another timing check
SDPI:0047B09B jnz FNDDBG_47AFF9 ; debugger found: show the error message as before
SDPI:0047B0A1 cmp eax, 30000000h
SDPI:0047B0A6 ja FNDDBG_47AFF9 ; debugger found: show the error message as before
SDPI:0047B0AC jz short pass_47B0F7
SDPI:0047B0AE jnz short pass_47B0F7
SDPI:0047B0AE ; ----------------------------------------------------------------------------
SDPI:0047B0B0 JUNK_47B0B0 db '?,0,10h,'@',0,'皦?,4
SDPI:0047B0B9 ; ----------------------------------------------------------------------------
SDPI:0047B0B9 mov eax, [esp+4] ; handler for the fourth INT3 exception
SDPI:0047B0BD mov ecx, [esp+0Ch]
SDPI:0047B0C1 inc dword ptr [ecx+0B8h] ; CONTEXT.Eip (+0B8h) += 1: step over the int 3
SDPI:0047B0C7 mov eax, [eax]
SDPI:0047B0C9 sub eax, EXCEPTION_BREAKPOINT ; is it a breakpoint exception?
SDPI:0047B0CE jnz short locret_47B0F6
SDPI:0047B0D0 call loc_47B0D6
SDPI:0047B0D5 nop
SDPI:0047B0D6
SDPI:0047B0D6 loc_47B0D6: ; CODE XREF: SDPI:0047B0D0 p
SDPI:0047B0D6 pop eax
SDPI:0047B0D7 add eax, 0FFFFFDC1h
SDPI:0047B0DC cmp byte ptr [eax], 0E8h ; as before, check that the byte is still 0E8h,
SDPI:0047B0DC ; i.e. that it has not been modified
SDPI:0047B0DF jnz FNDDBG_47AFF9 ; debugger found: show the error message as before
SDPI:0047B0E5 mov byte ptr [eax], 0E9h
SDPI:0047B0E8 xor eax, eax
SDPI:0047B0EA mov [ecx+4], eax ; clear hardware breakpoints (Dr0..Dr3 in the CONTEXT)
SDPI:0047B0ED mov [ecx+8], eax
SDPI:0047B0F0 mov [ecx+0Ch], eax
SDPI:0047B0F3 mov [ecx+10h], eax
SDPI:0047B0F6
SDPI:0047B0F6 locret_47B0F6: ; CODE XREF: SDPI:0047B0CE j
SDPI:0047B0F6 retn
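The handler at 0047B0B9 and the Pass_47B06A path together form a small protocol: the handler bumps CONTEXT.Eip, wipes Dr0..Dr3, and flips a flag byte from E8h to E9h; the main flow then refuses to continue unless that byte is E9h, so an int3 that a debugger swallowed (handler never ran) is caught. The following C is an added example, not the packer's code: it re-creates the 32-bit CONTEXT layout offline so the +4..+10h and +0B8h offsets in the listing can be checked at compile time, and mirrors the handler's logic. The flag address 0047AE97 is derived from the two displacements in the listing (47B0D6h+0FFFFFDC1h and 47B07Ah+0FFFFFE1Dh); the DEBUGGER_FOUND return code stands in for the FNDDBG_47AFF9 exit path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hand-written copy of the 32-bit Windows CONTEXT layout (constructed here so
 * the example builds on any host; field names follow winnt.h). */
typedef struct {
    uint32_t ContextFlags;                      /* +0x00 */
    uint32_t Dr0, Dr1, Dr2, Dr3;                /* +0x04..+0x10: hardware breakpoint addresses */
    uint32_t Dr6, Dr7;                          /* +0x14, +0x18 */
    uint32_t FloatSave[28];                     /* +0x1C: 112-byte FLOATING_SAVE_AREA */
    uint32_t SegGs, SegFs, SegEs, SegDs;        /* +0x8C..+0x98 */
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp; /* +0x9C..+0xB4 */
    uint32_t Eip;                               /* +0xB8: what `inc dword ptr [ecx+0B8h]` touches */
    uint32_t SegCs, EFlags, Esp, SegSs;         /* +0xBC..+0xC8 */
} X86_CONTEXT;

_Static_assert(offsetof(X86_CONTEXT, Dr0) == 0x04, "Dr0 offset");
_Static_assert(offsetof(X86_CONTEXT, Dr3) == 0x10, "Dr3 offset");
_Static_assert(offsetof(X86_CONTEXT, Eip) == 0xB8, "Eip offset");

typedef struct {
    uint32_t ExceptionCode;                     /* +0x00: the dword `mov eax,[eax]` loads */
    uint32_t ExceptionFlags;
    uint32_t ExceptionRecord;                   /* 32-bit pointer in the real structure */
    uint32_t ExceptionAddress;
    uint32_t NumberParameters;
    uint32_t ExceptionInformation[15];
} X86_EXCEPTION_RECORD;

#define EXCEPTION_BREAKPOINT         0x80000003u
#define EXCEPTION_CONTINUE_EXECUTION 0u
#define DEBUGGER_FOUND               0xFFFFFFFFu /* stand-in for the FNDDBG_47AFF9 exit path */

/* Mirror of the handler at 0047B0B9. `flag` is the byte at 0047AE97 that the
 * packer toggles between E8h and E9h. */
uint32_t packer_int3_handler(const X86_EXCEPTION_RECORD *rec, X86_CONTEXT *ctx, uint8_t *flag)
{
    ctx->Eip += 1;                                 /* step over the 1-byte int 3 (kernel rewound Eip to it) */
    uint32_t eax = rec->ExceptionCode - EXCEPTION_BREAKPOINT;
    if (eax != 0)
        return eax;                                /* not an int3: retn with whatever is left in eax */
    if (*flag != 0xE8)
        return DEBUGGER_FOUND;                     /* cmp byte ptr [eax],0E8h / jnz FNDDBG_47AFF9 */
    *flag = 0xE9;                                  /* mov byte ptr [eax],0E9h: proof that the handler ran */
    ctx->Dr0 = ctx->Dr1 = ctx->Dr2 = ctx->Dr3 = 0; /* hardware breakpoints vanish when this CONTEXT is restored */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Mirror of Pass_47B06A: the main flow demands the flag byte be E9h (the
 * handler really executed) and flips it back to E8h for the next stage. */
int packer_int3_pass_check(uint8_t *flag)
{
    if (*flag != 0xE9)
        return 0;                                  /* handler never ran: a debugger ate the int3 */
    *flag = 0xE8;
    return 1;
}

int main(void)
{
    X86_CONTEXT ctx = {0};
    X86_EXCEPTION_RECORD rec = {0};
    uint8_t flag = 0xE8;                           /* constructed state, as it is before the fourth int 3 */
    ctx.Eip = 0x47AFF3;                            /* address of the int 3 at SDPI:0047AFF3 */
    ctx.Dr0 = 0x401000;                            /* a hardware breakpoint the analyst had set */
    rec.ExceptionCode = EXCEPTION_BREAKPOINT;
    uint32_t disp = packer_int3_handler(&rec, &ctx, &flag);
    printf("disposition=%u eip=%08X dr0=%08X flag=%02X pass=%d\n",
           disp, ctx.Eip, ctx.Dr0, flag, packer_int3_pass_check(&flag));
    return 0;
}
```

Note that only the address registers are zeroed; Dr7 is left alone, which is enough to neutralise the breakpoints the debugger had armed. The practical consequence for an analyst is the one the article keeps returning to: hardware breakpoints set before this stage are silently gone, and letting the debugger handle the INT3 itself (rather than passing it to the program) leaves the flag byte at E8h and lands in FNDDBG_47AFF9.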
SDPI:0047B0F7 ; ----------------------------------------------------------------------------
SDPI:0047B0F7
SDPI:0047B0F7 pass_47B0F7: ; CODE XREF: SDPI:0047B0AC j
SDPI:0047B0F7 ; SDPI:0047B0AE j
SDPI:0047B0F7 pop eax
SDPI:0047B0F8 call CallGetTickCount ; look closely and this is essentially
SDPI:0047B0F8 ; the same code as the previous INT3 stage;
SDPI:0047B0F8 ; the author is fond of macros?
SDPI:0047B0F8 ; ----------------------------------------------------------------------------
SDPI:0047B0FD a@V db 0,10h,'@',0,'綱',1
SDPI:0047B105 ; ----------------------------------------------------------------------------
SDPI:0047B105
SDPI:0047B105 loc_47B105: ; CODE XREF: SDPI:0047B303 p
SDPI:0047B105 pop ebp
SDPI:0047B106 pop eax
SDPI:0047B107 jmp near ptr unk_47B308
SDPI:0047B10C ; ----------------------------------------------------------------------------
SDPI:0047B10C mov ecx, 0FFFFFF00h
SDPI:0047B111 push fs
SDPI:0047B111 ; ----------------------------------------------------------------------------
SDPI:0047B113 aTU@I db 't',0Ah
SDPI:0047B113 db 'u',8,0,10h,'@',0,'皦?,4
SDPI:0047B11F ; ----------------------------------------------------------------------------
SDPI:0047B11F pushfw
SDPI:0047B121 push eax
SDPI:0047B122 mov eax, ebx
SDPI:0047B124 push ebx
SDPI:0047B125 mov eax, ecx
SDPI:0047B127 push eax
SDPI:0047B128 add eax, edx
SDPI:0047B12A mov ebx, eax
SDPI:0047B12C push ebx
SDPI:0047B12D pop eax
SDPI:0047B12E push edx
SDPI:0047B12F call loc_47B13C
SDPI:0047B12F ; ----------------------------------------------------------------------------
SDPI:0047B134 dd 401000h
SDPI:0047B138 dd 132BD7B0h
SDPI:0047B13C ; ----------------------------------------------------------------------------
SDPI:0047B13C
SDPI:0047B13C loc_47B13C: ; CODE XREF: SDPI:0047B12F p
SDPI:0047B13C pop eax
SDPI:0047B13D call loc_47B143
SDPI:0047B142 nop
SDPI:0047B143
SDPI:0047B143 loc_47B143: ; CODE XREF: SDPI:0047B13D p
SDPI:0047B143 pop eax
SDPI:0047B144 add eax, 11h
SDPI:0047B149 push eax
SDPI:0047B14A jmp GetTickCount
SDPI:0047B14A ; ----------------------------------------------------------------------------
SDPI:0047B14F db 90h ; ?
SDPI:0047B150 db 90h ; ?
SDPI:0047B151 db 90h ; ?
SDPI:0047B152 db 90h ; ?
SDPI:0047B153 ; ----------------------------------------------------------------------------
SDPI:0047B153 push eax
SDPI:0047B154 mov eax, edx
SDPI:0047B156 push eax
SDPI:0047B157 call loc_47B15D
SDPI:0047B15C nop
SDPI:0047B15D
SDPI:0047B15D loc_47B15D: ; CODE XREF: SDPI:0047B157 p
SDPI:0047B15D pop edx
SDPI:0047B15E add edx, 52h
SDPI:0047B164 push edx
SDPI:0047B165 add edx, 402165h
SDPI:0047B16B push edx
SDPI:0047B16C jo short loc_47B1C1
SDPI:0047B16E jno short loc_47B1C1
SDPI:0047B170
SDPI:0047B170 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B170
SDPI:0047B170
SDPI:0047B170 sub_47B170 proc near ; CODE XREF: SDPI:0047B1B4 p
SDPI:0047B170 pop eax
SDPI:0047B171 pop ebx
SDPI:0047B172 call sub_47B178
SDPI:0047B177 nop
SDPI:0047B177 sub_47B170 endp
SDPI:0047B177
SDPI:0047B178
SDPI:0047B178 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B178
SDPI:0047B178
SDPI:0047B178 sub_47B178 proc near ; CODE XREF: sub_47B170+2 p
SDPI:0047B178 pop eax
SDPI:0047B179 add eax, 11h
SDPI:0047B17E push eax
SDPI:0047B17F jmp GetTickCount
SDPI:0047B17F sub_47B178 endp
SDPI:0047B17F
SDPI:0047B17F ; ----------------------------------------------------------------------------
SDPI:0047B184 db 90h ; ?
SDPI:0047B185 db 90h ; ?
SDPI:0047B186 db 90h ; ?
SDPI:0047B187 db 90h ; ?
SDPI:0047B188 ; ----------------------------------------------------------------------------
SDPI:0047B188 pop ebx
SDPI:0047B189 add ebx, 1F4h
SDPI:0047B18F sub ebx, eax
SDPI:0047B191 js short OVER_47B1D5 ; same as the previous one: must not be taken
SDPI:0047B193 call loc_47B199
SDPI:0047B198 nop
SDPI:0047B199
SDPI:0047B199 loc_47B199: ; CODE XREF: SDPI:0047B193 p
SDPI:0047B199 pop ebx
SDPI:0047B19A add ebx, 0A5h
SDPI:0047B1A0 push ebx
SDPI:0047B1A1 call loc_47B1CB
SDPI:0047B1A1 ; ----------------------------------------------------------------------------
SDPI:0047B1A6 dd 401000h
SDPI:0047B1AA dd 58C88B0h
SDPI:0047B1AE ; ----------------------------------------------------------------------------
SDPI:0047B1AE pop eax
SDPI:0047B1AF mov edx, eax
SDPI:0047B1B1 mov eax, ebx
SDPI:0047B1B3 push eax
SDPI:0047B1B4 call sub_47B170
SDPI:0047B1B4 ; ----------------------------------------------------------------------------
SDPI:0047B1B9 dd 401000h
SDPI:0047B1BD dd 1833639h
SDPI:0047B1C1 ; ----------------------------------------------------------------------------
SDPI:0047B1C1
SDPI:0047B1C1 loc_47B1C1: ; CODE XREF: SDPI:0047B16C j
SDPI:0047B1C1 ; SDPI:0047B16E j
SDPI:0047B1C1 pop eax
SDPI:0047B1C2 retn
SDPI:0047B1C2 ; ----------------------------------------------------------------------------
SDPI:0047B1C3 JUNK_47B1C3 db 0,10h,'@',0,'>V|',7
SDPI:0047B1CB ; ----------------------------------------------------------------------------
SDPI:0047B1CB
SDPI:0047B1CB loc_47B1CB: ; CODE XREF: SDPI:0047B1A1 p
SDPI:0047B1CB pop edx
SDPI:0047B1CC retn
SDPI:0047B1CC ; ----------------------------------------------------------------------------
SDPI:0047B1CD JUNK_47B1cD db 0,10h,'@',0,'颯?,1
SDPI:0047B1D5
SDPI:0047B1D5 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B1D5
SDPI:0047B1D5
SDPI:0047B1D5 OVER_47B1D5 proc near ; CODE XREF: SDPI:0047B191 j
SDPI:0047B1D5 nop
SDPI:0047B1D6 nop
SDPI:0047B1D7 nop
SDPI:0047B1D8 nop
SDPI:0047B1D9 nop
SDPI:0047B1DA call loc_47B1E0
SDPI:0047B1DF nop
SDPI:0047B1E0
SDPI:0047B1E0 loc_47B1E0: ; CODE XREF: OVER_47B1D5+5 p
SDPI:0047B1E0 pop eax
SDPI:0047B1E1 add eax, 5Eh
SDPI:0047B1E6 mov edx, eax
SDPI:0047B1E8 add edx, 32h
SDPI:0047B1EB call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047B1EB ; encrypts or decrypts code; the operation is its own inverse
SDPI:0047B1EB ; (a plain XOR), so the same routine serves for both
SDPI:0047B1EB ; encryption and decryption
SDPI:0047B1F0 call loc_47B1F6
SDPI:0047B1F5 nop
SDPI:0047B1F6
SDPI:0047B1F6 loc_47B1F6: ; CODE XREF: OVER_47B1D5+1B p
SDPI:0047B1F6 pop eax
SDPI:0047B1F7 add eax, 3EA7h
SDPI:0047B1FC call loc_47B202
SDPI:0047B201 nop
SDPI:0047B202
SDPI:0047B202 loc_47B202: ; CODE XREF: OVER_47B1D5+27 p
SDPI:0047B202 pop ecx
SDPI:0047B203 add ecx, 3F48h
SDPI:0047B209 push 0
SDPI:0047B20B push ecx
SDPI:0047B20C push eax
SDPI:0047B20D push 0
SDPI:0047B20F call loc_47B215
SDPI:0047B214 nop
SDPI:0047B215
SDPI:0047B215 loc_47B215: ; CODE XREF: OVER_47B1D5+3A p
SDPI:0047B215 pop eax
SDPI:0047B216 add eax, 11h
SDPI:0047B21B push eax
SDPI:0047B21C jmp MessageBoxA ; MessageBoxA, reached through a packer macro that
SDPI:0047B21C ; checks whether the first 5 bytes of the function contain CCh,
SDPI:0047B21C ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B21C ; ----------------------------------------------------------------------------
SDPI:0047B221 db 90h ; ?
SDPI:0047B222 db 90h ; ?
SDPI:0047B223 db 90h ; ?
SDPI:0047B224 db 90h ; ?
SDPI:0047B225 ; ----------------------------------------------------------------------------
SDPI:0047B225 push 7
SDPI:0047B227 call loc_47B22D
SDPI:0047B22C nop
SDPI:0047B22D
SDPI:0047B22D loc_47B22D: ; CODE XREF: OVER_47B1D5+52 p
SDPI:0047B22D pop eax
SDPI:0047B22E add eax, 11h
SDPI:0047B233 push eax
SDPI:0047B234 jmp ExitProcess
SDPI:0047B234 ; ----------------------------------------------------------------------------
SDPI:0047B239 db 90h ; ?
SDPI:0047B23A db 90h ; ?
SDPI:0047B23B db 90h ; ?
SDPI:0047B23C db 90h ; ?
SDPI:0047B23C OVER_47B1D5 endp
SDPI:0047B23C
SDPI:0047B23D ; ----------------------------------------------------------------------------
SDPI:0047B23D pop edx
SDPI:0047B23E mov eax, ecx
SDPI:0047B240 add eax, edx
SDPI:0047B242 inc ecx
SDPI:0047B243 push eax ; much the same as the previous INT3, so not repeated here
SDPI:0047B244 inc ecx
SDPI:0047B245 pop ebx
SDPI:0047B246 pop ecx
SDPI:0047B247 push eax
SDPI:0047B248 sub eax, 8
SDPI:0047B24B pop ebx
SDPI:0047B24C pop ebx
SDPI:0047B24D inc eax
SDPI:0047B24E add eax, ebx
SDPI:0047B250 pop eax
SDPI:0047B251 pushfw
SDPI:0047B253 popfw
SDPI:0047B255 popfw
SDPI:0047B257 pop es
SDPI:0047B258 mov eax, 12345678h
SDPI:0047B25D push eax
SDPI:0047B25E call loc_47B264
SDPI:0047B263 nop
SDPI:0047B264
SDPI:0047B264 loc_47B264: ; CODE XREF: SDPI:0047B25E p
SDPI:0047B264 pop eax
SDPI:0047B265 add eax, 12Ch
SDPI:0047B26A push eax
SDPI:0047B26B pop ebx
SDPI:0047B26C add eax, 12h
SDPI:0047B26F pop edx
SDPI:0047B270 add eax, edx
SDPI:0047B272 mov edx, eax
SDPI:0047B274 push ebx
SDPI:0047B275 mov ebx, es:[ecx+100h]
SDPI:0047B27C push ebx
SDPI:0047B27D mov eax, esp
SDPI:0047B27F mov ebx, eax
SDPI:0047B281 push ebx
SDPI:0047B282 pop edx
SDPI:0047B283 mov es:[ecx+100h], eax
SDPI:0047B28A xor eax, eax
SDPI:0047B28A ; ----------------------------------------------------------------------------
SDPI:0047B28C JUNK_47B28C db '~',7,'',5,0,10h,'@',0,'鑖淨3蒰?,5,0,10h,'@',0,'鑉悙悙悙悙?
SDPI:0047B28C db '悙悙悙悙悙悙悙f漰',6
SDPI:0047B2BE aQ@ db 'q',4,0,10h,'@',0 ; here comes the fifth int3
SDPI:0047B2C4 ; ----------------------------------------------------------------------------
SDPI:0047B2C4 int 3 ; Trap to Debugger
SDPI:0047B2C5 nop ; SEH handler for this INT3 is at 0047B38F
SDPI:0047B2C6 xor eax, eax
SDPI:0047B2C8 mov dword ptr [eax], 4023C8h
SDPI:0047B2C8 ; ----------------------------------------------------------------------------
SDPI:0047B2CE JUNK_47B2CE db 'z',0Ah
SDPI:0047B2CE db '{',8,0,10h,'@',0,'{=@',0
SDPI:0047B2DA ; ----------------------------------------------------------------------------
SDPI:0047B2DA
SDPI:0047B2DA CallGetTickCount: ; CODE XREF: SDPI:0047B0F8 p
SDPI:0047B2DA call loc_47B2E0
SDPI:0047B2DF nop
SDPI:0047B2E0
SDPI:0047B2E0 loc_47B2E0: ; CODE XREF: SDPI:CallGetTickCount p
SDPI:0047B2E0 pop eax
SDPI:0047B2E1 add eax, 11h
SDPI:0047B2E6 push eax
SDPI:0047B2E7 jmp GetTickCount
SDPI:0047B2E7 ; ----------------------------------------------------------------------------
SDPI:0047B2EC db 90h ; ?
SDPI:0047B2ED db 90h ; ?
SDPI:0047B2EE db 90h ; ?
SDPI:0047B2EF db 90h ; ?
SDPI:0047B2F0 ; ----------------------------------------------------------------------------
SDPI:0047B2F0 call loc_47B2F6
SDPI:0047B2F5 nop
SDPI:0047B2F6
SDPI:0047B2F6 loc_47B2F6: ; CODE XREF: SDPI:0047B2F0 p
SDPI:0047B2F6 pop edx
SDPI:0047B2F7 add edx, 0FFFFFB04h
SDPI:0047B2FD mov [edx], eax
SDPI:0047B2FF pop ebp
SDPI:0047B300 add eax, edx
SDPI:0047B302 push eax
SDPI:0047B303 call loc_47B105
SDPI:0047B303 ; ----------------------------------------------------------------------------
SDPI:0047B308 unk_47B308 db 0E8h ; ? ; CODE XREF: SDPI:0047B107 j
SDPI:0047B309 db 1
SDPI:0047B30A db 0
SDPI:0047B30B db 0
SDPI:0047B30C ; ----------------------------------------------------------------------------
SDPI:0047B30C add [eax-3D7EA6h], dl
SDPI:0047B312 std
SDPI:0047B312 ; ----------------------------------------------------------------------------
SDPI:0047B313 db 0FFh
SDPI:0047B314 db 0FFh
SDPI:0047B315 db 3
SDPI:0047B316 db 0D0h ; ?
SDPI:0047B317 db 52h ; R
SDPI:0047B318 db 59h ; Y
SDPI:0047B319 db 2Bh ; +
SDPI:0047B31A db 0C8h ; ?
SDPI:0047B31B db 51h ; Q
SDPI:0047B31C db 0C2h ; ?
SDPI:0047B31D db 4
SDPI:0047B31E db 0
SDPI:0047B31F
SDPI:0047B31F ; ************** S U B R O U T I N E *****************************************
SDPI:0047B31F
SDPI:0047B31F
SDPI:0047B31F OVER_47B31F proc near ; CODE XREF: SDPI:0047B3C2 j
SDPI:0047B31F ; SDPI:0047B3CA j ...
SDPI:0047B31F nop
SDPI:0047B320 nop
SDPI:0047B321 nop
SDPI:0047B322 nop
SDPI:0047B323 nop
SDPI:0047B324 call loc_47B32A
SDPI:0047B329 nop
SDPI:0047B32A
SDPI:0047B32A loc_47B32A: ; CODE XREF: OVER_47B31F+5 p
SDPI:0047B32A pop eax
SDPI:0047B32B add eax, 5Eh
SDPI:0047B330 mov edx, eax
SDPI:0047B332 add edx, 32h
SDPI:0047B335 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047B335 ; encrypts or decrypts code; the operation is its own inverse
SDPI:0047B335 ; (a plain XOR), so the same routine serves for both
SDPI:0047B335 ; encryption and decryption
SDPI:0047B33A call loc_47B340
SDPI:0047B33F nop
SDPI:0047B340
SDPI:0047B340 loc_47B340: ; CODE XREF: OVER_47B31F+1B p
SDPI:0047B340 pop eax
SDPI:0047B341 add eax, 3D5Dh
SDPI:0047B346 call loc_47B34C
SDPI:0047B34B nop
SDPI:0047B34C
SDPI:0047B34C loc_47B34C: ; CODE XREF: OVER_47B31F+27 p
SDPI:0047B34C pop ecx
SDPI:0047B34D add ecx, 3DFEh
SDPI:0047B353 push 0
SDPI:0047B355 push ecx
SDPI:0047B356 push eax
SDPI:0047B357 push 0
SDPI:0047B359 call loc_47B35F
SDPI:0047B35E nop
SDPI:0047B35F
SDPI:0047B35F loc_47B35F: ; CODE XREF: OVER_47B31F+3A p
SDPI:0047B35F pop eax
SDPI:0047B360 add eax, 11h
SDPI:0047B365 push eax
SDPI:0047B366 jmp MessageBoxA ; MessageBoxA, reached through a packer macro that
SDPI:0047B366 ; checks whether the first 5 bytes of the function contain CCh,
SDPI:0047B366 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B366 ; ----------------------------------------------------------------------------
SDPI:0047B36B db 90h ; ?
SDPI:0047B36C db 90h ; ?
SDPI:0047B36D db 90h ; ?
SDPI:0047B36E db 90h ; ?
SDPI:0047B36F ; ----------------------------------------------------------------------------
SDPI:0047B36F push 7
SDPI:0047B371 call loc_47B377
SDPI:0047B376 nop
SDPI:0047B377
SDPI:0047B377 loc_47B377: ; CODE XREF: OVER_47B31F+52 p
SDPI:0047B377 pop eax
SDPI:0047B378 add eax, 11h
SDPI:0047B37D push eax
SDPI:0047B37E jmp ExitProcess
SDPI:0047B37E ; ----------------------------------------------------------------------------
SDPI:0047B383 aRrrr@V db '悙悙',0,10h,'@',0,'綱',1
SDPI:0047B383 OVER_47B31F endp
SDPI:0047B383
SDPI:0047B38F ; ----------------------------------------------------------------------------
SDPI:0047B38F mov esp, [esp+8] ; handler for the fifth int3: esp = establisher frame,
SDPI:0047B38F ; then the SEH record is unlinked and execution simply continues here
SDPI:0047B393 pop large dword ptr fs:0
SDPI:0047B39A call loc_47B3A0
SDPI:0047B39F nop
SDPI:0047B3A0
SDPI:0047B3A0 loc_47B3A0: ; CODE XREF: SDPI:0047B39A p
SDPI:0047B3A0 pop eax
SDPI:0047B3A1 add eax, 11h
SDPI:0047B3A6 push eax
SDPI:0047B3A7 jmp GetTickCount
SDPI:0047B3A7 ; ----------------------------------------------------------------------------
SDPI:0047B3AC db 90h ; ?
SDPI:0047B3AD db 90h ; ?
SDPI:0047B3AE db 90h ; ?
SDPI:0047B3AF db 90h ; ?
SDPI:0047B3B0 ; ----------------------------------------------------------------------------
SDPI:0047B3B0 call loc_47B3B6
SDPI:0047B3B5 nop
SDPI:0047B3B6
SDPI:0047B3B6 loc_47B3B6: ; CODE XREF: SDPI:0047B3B0 p
SDPI:0047B3B6 pop edx
SDPI:0047B3B7 add edx, 0FFFFFA44h
SDPI:0047B3BD mov ecx, [edx]
SDPI:0047B3BF cmp ecx, 0
SDPI:0047B3C2 jz OVER_47B31F
SDPI:0047B3C8 sub eax, ecx
SDPI:0047B3CA js OVER_47B31F
SDPI:0047B3D0 sub eax, 7D0h
SDPI:0047B3D5 jns OVER_47B31F ; nothing new: the same macro as the code above
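The timing checks in this stretch are three variants of one idea: the RDTSC pair at 0047B08C (64-bit subtract via sub/sbb, high dword must be 0, low dword must not exceed 30000000h), the GetTickCount window at 0047B188 (first tick + 1F4h minus second tick must not go negative) and the one at 0047B3B0 (stored tick non-zero, delta not negative and below 7D0h). The C below is an added example, not the packer's code: each function reproduces the exact comparison the instructions perform, including the signed 32-bit behaviour that decides what a debugger pause or a tick-count wrap does to the verdict. The constants come from the listing; measure_tsc_gap() is an added helper that uses the gcc/clang rdtsc builtin on x86 and returns 0 elsewhere.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 0047B08C: rdtsc; rdtsc; sub eax,ecx; sbb edx,ebx; cmp edx,0 / jnz; cmp eax,30000000h / ja.
 * The high and low dwords of the 64-bit difference are judged separately. */
bool tsc_delta_ok(uint64_t t0, uint64_t t1)
{
    uint64_t delta = t1 - t0;               /* wraps modulo 2^64 exactly like sub/sbb */
    uint32_t hi = (uint32_t)(delta >> 32);  /* edx after sbb */
    uint32_t lo = (uint32_t)delta;          /* eax after sub */
    if (hi != 0)
        return false;                       /* a few seconds in a debugger overflows 32 bits of cycles */
    return lo <= 0x30000000u;               /* `ja` only fails strictly above the limit */
}

/* 0047B188: ebx = first tick; add ebx,1F4h; sub ebx,eax (second tick); js OVER.
 * Signed 32-bit: more than 500 ms between the two GetTickCount calls fails. */
bool tick_gap_under_500ms(uint32_t t_first, uint32_t t_second)
{
    int32_t slack = (int32_t)(t_first + 0x1F4u - t_second);
    return slack >= 0;
}

/* 0047B3B0: mov ecx,[stored]; cmp ecx,0 / jz OVER; sub eax,ecx / js OVER;
 * sub eax,7D0h / jns OVER. So: stored != 0 and 0 <= now - stored < 2000 ms. */
bool tick_gap_under_2000ms(uint32_t t_stored, uint32_t t_now)
{
    if (t_stored == 0)
        return false;
    uint32_t delta = t_now - t_stored;
    if ((int32_t)delta < 0)
        return false;
    return (int32_t)(delta - 0x7D0u) < 0;
}

/* Live rdtsc pair on x86 hosts (assumption: gcc/clang builtin); 0 elsewhere. */
uint64_t measure_tsc_gap(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint64_t t0 = __builtin_ia32_rdtsc();
    uint64_t t1 = __builtin_ia32_rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

int main(void)
{
    uint64_t gap = measure_tsc_gap();
    printf("rdtsc gap: %llu cycles, passes the packer's check: %s\n",
           (unsigned long long)gap, tsc_delta_ok(0, gap) ? "yes" : "no");
    printf("500 ms window with a 49.7-day GetTickCount wrap in between: %s\n",
           tick_gap_under_500ms(0xFFFFFF00u, 0x10u) ? "pass" : "fail");
    return 0;
}
```

Two details matter when stepping through this in OllyDbg. First, the limits are generous for a CPU (30000000h cycles, 500 ms, 2000 ms) but tiny for a human, so any breakpoint between the two reads trips them; the usual answer is to patch the conditional jump or to set EAX/EDX after the second read, not to race the clock. Second, because both tick checks are signed 32-bit subtractions, a GetTickCount wrap-around does not break the comparison, so a patch that simply zeroes the stored tick will fail the `cmp ecx,0` at 0047B3BF rather than pass it.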
SDPI:0047B3DB mov eax, 0E801276h
SDPI:0047B3E0 mov [edx], eax
SDPI:0047B3E2 call loc_47B3E8
SDPI:0047B3E7 nop
SDPI:0047B3E8
SDPI:0047B3E8 loc_47B3E8: ; CODE XREF: SDPI:0047B3E2 p
SDPI:0047B3E8 pop edx
SDPI:0047B3E9 add edx, 118h
SDPI:0047B3EF call loc_47B3F5
SDPI:0047B3F4 nop
SDPI:0047B3F5
SDPI:0047B3F5 loc_47B3F5: ; CODE XREF: SDPI:0047B3EF p
SDPI:0047B3F5 pop eax
SDPI:0047B3F6 add eax, 0FFFFED5Ch
SDPI:0047B3FB mov ecx, 10h
SDPI:0047B400 call De_Code ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047B400 ; decrypts code; the start address is the
SDPI:0047B400 ; instruction right after this call (its return address)
SDPI:0047B400 ; ----------------------------------------------------------------------------
SDPI:0047B405 JUNK_47B405 db '~',7,'',5,0,10h,'@',0,'鑖淨3蒰?,5,0,10h,'@',0,'鑉悙悙悙悙?
SDPI:0047B405 db '悙悙悙悙悙悙悙f?
SDPI:0047B435 ; ----------------------------------------------------------------------------
SDPI:0047B435 call loc_47B43B
SDPI:0047B43A nop
SDPI:0047B43B
SDPI:0047B43B loc_47B43B: ; CODE XREF: SDPI:0047B435 p
SDPI:0047B43B pop eax
SDPI:0047B43C add eax, 11h
SDPI:0047B441 push eax
SDPI:0047B442 jmp GetStart_Info ; collects program start-up information:
SDPI:0047B442 ; module handle, system directory,
SDPI:0047B442 ; Windows directory,
SDPI:0047B442 ; full program path, etc.
SDPI:0047B442 ; ----------------------------------------------------------------------------
SDPI:0047B447 db 90h ; ?
SDPI:0047B448 db 90h ; ?
SDPI:0047B449 db 90h ; ?
SDPI:0047B44A db 90h ; ?
SDPI:0047B44B ; ----------------------------------------------------------------------------
SDPI:0047B44B call loc_47B451
SDPI:0047B450 nop
SDPI:0047B451
SDPI:0047B451 loc_47B451: ; CODE XREF: SDPI:0047B44B p
SDPI:0047B451 pop eax
SDPI:0047B452 add eax, 11h
SDPI:0047B457 push eax
SDPI:0047B458 jmp CMP_HASH_481275 ; inside is another MD5 check
SDPI:0047B458 ; ----------------------------------------------------------------------------
SDPI:0047B45D db 90h ; ?
SDPI:0047B45E db 90h ; ?
SDPI:0047B45F db 90h ; ?
SDPI:0047B460 db 90h ; ?
SDPI:0047B461 ; ----------------------------------------------------------------------------
SDPI:0047B461 cmp eax, 0FE5F3AFEh
SDPI:0047B461 ; ----------------------------------------------------------------------------
SDPI:0047B466 JUNK_47B466 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047B466 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047B466 db '鑈Xf?
SDPI:0047B49C ; ----------------------------------------------------------------------------
SDPI:0047B49C jz OVER_47B5E7
SDPI:0047B4A2 jnz short loc_47B4A9
SDPI:0047B4A2 ; ----------------------------------------------------------------------------
SDPI:0047B4A4 dd 401000h
SDPI:0047B4A8 db 0E8h ; ?
SDPI:0047B4A9 ; ----------------------------------------------------------------------------
SDPI:0047B4A9
SDPI:0047B4A9 loc_47B4A9: ; CODE XREF: SDPI:0047B4A2 j
SDPI:0047B4A9 call loc_47B4AF
SDPI:0047B4AE nop
SDPI:0047B4AF
SDPI:0047B4AF loc_47B4AF: ; CODE XREF: SDPI:loc_47B4A9 p
SDPI:0047B4AF pop eax
SDPI:0047B4B0 add eax, 11h
SDPI:0047B4B5 push eax
SDPI:0047B4B6 jmp IsDebuggerPresent ; this looks questionable:
SDPI:0047B4B6 ; would it still detect anything on Win9x??
SDPI:0047B4B6 ; ----------------------------------------------------------------------------
SDPI:0047B4BB db 90h ; ?
SDPI:0047B4BC db 90h ; ?
SDPI:0047B4BD db 90h ; ?
SDPI:0047B4BE db 90h ; ?
SDPI:0047B4BF ; ----------------------------------------------------------------------------
SDPI:0047B4BF cmp eax, 0
SDPI:0047B4BF ; ----------------------------------------------------------------------------
SDPI:0047B4C2 JUNK_47B4C2 db '~',7,'',5,0,10h,'@',0,'鑖淨3蒰?,5,0,10h,'@',0,'鑉悙悙悙悙?
SDPI:0047B4C2 db '悙悙悙悙悙悙悙f?
SDPI:0047B4F2 ; ----------------------------------------------------------------------------
SDPI:0047B4F2 jnz OVER_47B5E7
SDPI:0047B4F8 jz short loc_47B4FF
SDPI:0047B4F8 ; ----------------------------------------------------------------------------
SDPI:0047B4FA dd 401000h
SDPI:0047B4FE db 0E8h ; ?
SDPI:0047B4FF ; ----------------------------------------------------------------------------
SDPI:0047B4FF
SDPI:0047B4FF loc_47B4FF: ; CODE XREF: SDPI:0047B4F8 j
SDPI:0047B4FF call loc_47B505
SDPI:0047B504 nop
SDPI:0047B505
SDPI:0047B505 loc_47B505: ; CODE XREF: SDPI:loc_47B4FF p
SDPI:0047B505 pop eax
SDPI:0047B506 add eax, 0FFFFED3Ch
SDPI:0047B50B call loc_47B511
SDPI:0047B510 nop
SDPI:0047B511
SDPI:0047B511 loc_47B511: ; CODE XREF: SDPI:0047B50B p
SDPI:0047B511 pop ebx
SDPI:0047B512 add ebx, 0FFFFEC7Ch
SDPI:0047B518 mov ecx, [eax]
SDPI:0047B51A mov [ebx], ecx
SDPI:0047B51C call loc_47B522
SDPI:0047B521 nop
SDPI:0047B522
SDPI:0047B522 loc_47B522: ; CODE XREF: SDPI:0047B51C p
SDPI:0047B522 pop eax
SDPI:0047B523 add eax, 0FFFFED23h
SDPI:0047B528 call loc_47B52E
SDPI:0047B52D nop
SDPI:0047B52E
SDPI:0047B52E loc_47B52E: ; CODE XREF: SDPI:0047B528 p
SDPI:0047B52E pop ebx
SDPI:0047B52F add ebx, 0FFFFEC63h
SDPI:0047B535 mov ecx, [eax]
SDPI:0047B537 mov [ebx], ecx
SDPI:0047B539 call loc_47B53F
SDPI:0047B53E nop
SDPI:0047B53F
SDPI:0047B53F loc_47B53F: ; CODE XREF: SDPI:0047B539 p
SDPI:0047B53F pop eax
SDPI:0047B540 add eax, 11h
SDPI:0047B545 push eax
SDPI:0047B546 jmp CreateThread2 ; creates two new threads
SDPI:0047B546 ; at thread start addresses:
SDPI:0047B546 ; 00482100
SDPI:0047B546 ; 00482269
SDPI:0047B546 ; luckily they are not started on a dual-CPU machine,
SDPI:0047B546 ; which tells you the two threads are up to no good
SDPI:0047B546 ; and are not essential either
SDPI:0047B546 ; ----------------------------------------------------------------------------
SDPI:0047B54B db 90h ; ?
SDPI:0047B54C db 90h ; ?
SDPI:0047B54D db 90h ; ?
SDPI:0047B54E db 90h ; ?
SDPI:0047B54F ; ----------------------------------------------------------------------------
SDPI:0047B54F mov ecx, 10h
SDPI:0047B554 call loc_47B55A
SDPI:0047B559 nop
SDPI:0047B55A
SDPI:0047B55A loc_47B55A: ; CODE XREF: SDPI:0047B554 p
SDPI:0047B55A pop eax
SDPI:0047B55B add eax, 0FFFFECE3h
SDPI:0047B560 call FillZero_47F375
SDPI:0047B565 mov ecx, 104h
SDPI:0047B56A call loc_47B570
SDPI:0047B56F nop
SDPI:0047B570
SDPI:0047B570 loc_47B570: ; CODE XREF: SDPI:0047B56A p
SDPI:0047B570 pop eax
SDPI:0047B571 add eax, 0FFFFECDDh
SDPI:0047B576 call FillZero_47F375
SDPI:0047B57B mov ecx, 64h
SDPI:0047B580 call loc_47B586
SDPI:0047B585 nop
SDPI:0047B586
SDPI:0047B586 loc_47B586: ; CODE XREF: SDPI:0047B580 p
SDPI:0047B586 pop eax
SDPI:0047B587 add eax, 0FFFFEDCBh
SDPI:0047B58C call FillZero_47F375
SDPI:0047B591 call loc_47B597
SDPI:0047B596 nop
SDPI:0047B597
SDPI:0047B597 loc_47B597: ; CODE XREF: SDPI:0047B591 p
SDPI:0047B597 pop edx
SDPI:0047B598 add edx, 0FFFFECA2h
SDPI:0047B59E mov ebx, [edx] ; [EDX]=DS:[0047A238]=E821C800
SDPI:0047B59E ; EBX=E821C800
SDPI:0047B5A0 cmp ebx, 0E821C800h ; this is a marker; if it does not match, game over
SDPI:0047B5A6 jnz short OVER_47B5E7
SDPI:0047B5A8 call loc_47B5AE
SDPI:0047B5AD nop
SDPI:0047B5AE
SDPI:0047B5AE loc_47B5AE: ; CODE XREF: SDPI:0047B5A8 p
SDPI:0047B5AE pop eax
SDPI:0047B5AF add eax, 0FFFFEA57h
SDPI:0047B5B4 mov ecx, [eax]
SDPI:0047B5B6 cmp ecx, 0E8673219h
SDPI:0047B5BC jz Pass_47B64F
SDPI:0047B5C2
SDPI:0047B5C2 OVer_47B5C2:
SDPI:0047B5C2 call loc_47B5C8
SDPI:0047B5C7 nop
SDPI:0047B5C8
SDPI:0047B5C8 loc_47B5C8: ; CODE XREF: SDPI:OVer_47B5C2 p
SDPI:0047B5C8 pop eax
SDPI:0047B5C9 add eax, 11h
SDPI:0047B5CE push eax
SDPI:0047B5CF jmp Get_Version
SDPI:0047B5CF ; ----------------------------------------------------------------------------
SDPI:0047B5D4 db 90h ; ?
SDPI:0047B5D5 db 90h ; ?
SDPI:0047B5D6 db 90h ; ?
SDPI:0047B5D7 db 90h ; ?
SDPI:0047B5D8 ; ----------------------------------------------------------------------------
SDPI:0047B5D8 call loc_47B5DE
SDPI:0047B5DD nop
SDPI:0047B5DE
SDPI:0047B5DE loc_47B5DE: ; CODE XREF: SDPI:0047B5D8 p
SDPI:0047B5DE pop edx
SDPI:0047B5DF add edx, 0FFFFEC5Bh
SDPI:0047B5E5 mov [edx], eax
SDPI:0047B5E7
SDPI:0047B5E7 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B5E7
SDPI:0047B5E7
SDPI:0047B5E7 OVER_47B5E7 proc near ; CODE XREF: SDPI:0047B49C j
SDPI:0047B5E7 ; SDPI:0047B4F2 j ...
SDPI:0047B5E7 nop
SDPI:0047B5E8 nop
SDPI:0047B5E9 nop
SDPI:0047B5EA nop
SDPI:0047B5EB nop
SDPI:0047B5EC call loc_47B5F2
SDPI:0047B5F1 nop
SDPI:0047B5F2
SDPI:0047B5F2 loc_47B5F2: ; CODE XREF: OVER_47B5E7+5 p
SDPI:0047B5F2 pop eax
SDPI:0047B5F3 add eax, 5Eh
SDPI:0047B5F8 mov edx, eax
SDPI:0047B5FA add edx, 32h
SDPI:0047B5FD call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047B5FD ; encrypts or decrypts code; the operation is its own inverse
SDPI:0047B5FD ; (a plain XOR), so the same routine serves for both
SDPI:0047B5FD ; encryption and decryption
SDPI:0047B602 call loc_47B608
SDPI:0047B607 nop
SDPI:0047B608
SDPI:0047B608 loc_47B608: ; CODE XREF: OVER_47B5E7+1B p
SDPI:0047B608 pop eax
SDPI:0047B609 add eax, 3A95h
SDPI:0047B60E call loc_47B614
SDPI:0047B613 nop
SDPI:0047B614
SDPI:0047B614 loc_47B614: ; CODE XREF: OVER_47B5E7+27 p
SDPI:0047B614 pop ecx
SDPI:0047B615 add ecx, 3B36h
SDPI:0047B61B push 0
SDPI:0047B61D push ecx
SDPI:0047B61E push eax
SDPI:0047B61F push 0
SDPI:0047B621 call loc_47B627
SDPI:0047B626 nop
SDPI:0047B627
SDPI:0047B627 loc_47B627: ; CODE XREF: OVER_47B5E7+3A p
SDPI:0047B627 pop eax
SDPI:0047B628 add eax, 11h
SDPI:0047B62D push eax
SDPI:0047B62E jmp MessageBoxA ; MessageBoxA, reached through a packer macro that
SDPI:0047B62E ; checks whether the first 5 bytes of the function contain CCh,
SDPI:0047B62E ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B62E ; ----------------------------------------------------------------------------
SDPI:0047B633 db 90h ; ?
SDPI:0047B634 db 90h ; ?
SDPI:0047B635 db 90h ; ?
SDPI:0047B636 db 90h ; ?
SDPI:0047B637 ; ----------------------------------------------------------------------------
SDPI:0047B637 push 7
SDPI:0047B639 call loc_47B63F
SDPI:0047B63E nop
SDPI:0047B63F
SDPI:0047B63F loc_47B63F: ; CODE XREF: OVER_47B5E7+52 p
SDPI:0047B63F pop eax
SDPI:0047B640 add eax, 11h
SDPI:0047B645 push eax
SDPI:0047B646 jmp ExitProcess
SDPI:0047B646 ; ----------------------------------------------------------------------------
SDPI:0047B64B db 90h ; ?
SDPI:0047B64C db 90h ; ?
SDPI:0047B64D db 90h ; ?
SDPI:0047B64E db 90h ; ?
SDPI:0047B64E OVER_47B5E7 endp
SDPI:0047B64E
SDPI:0047B64F ; ----------------------------------------------------------------------------
SDPI:0047B64F
SDPI:0047B64F Pass_47B64F: ; CODE XREF: SDPI:0047B5BC j
SDPI:0047B64F call loc_47B655
SDPI:0047B654 nop
SDPI:0047B655
SDPI:0047B655 loc_47B655: ; CODE XREF: SDPI:Pass_47B64F p
SDPI:0047B655 pop eax
SDPI:0047B656 add eax, 3Ch ; encryption start address: 47B690
SDPI:0047B65B call loc_47B661
SDPI:0047B660 nop
SDPI:0047B661
SDPI:0047B661 loc_47B661: ; CODE XREF: SDPI:0047B65B p
SDPI:0047B661 pop edx
SDPI:0047B662 add edx, 1D11h ; encryption end address: 0047D371
SDPI:0047B668 call Crypt_Decrypt_CODE ; De_Code below is going to decrypt again,
SDPI:0047B668 ; but this code has already been decrypted,
SDPI:0047B668 ; so it is encrypted back here first
SDPI:0047B66D call loc_47B673
SDPI:0047B672 nop
SDPI:0047B673
SDPI:0047B673 loc_47B673: ; CODE XREF: SDPI:0047B66D p
SDPI:0047B673 pop edx
SDPI:0047B674 add edx, 1CFFh
SDPI:0047B67A call loc_47B680
SDPI:0047B67F nop
SDPI:0047B680
SDPI:0047B680 loc_47B680: ; CODE XREF: SDPI:0047B67A p
SDPI:0047B680 pop eax
SDPI:0047B681 add eax, 0FFFFEB19h
SDPI:0047B686 mov ecx, 10h
SDPI:0047B68B
SDPI:0047B68B loc_47B68B: ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047B68B call De_Code ; decrypts code; the start address is the
SDPI:0047B68B ; instruction right after this call (its return address)
SDPI:0047B690 jo short loc_47B6A0
SDPI:0047B692 jno short loc_47B6A0
SDPI:0047B692 ; ----------------------------------------------------------------------------
SDPI:0047B694 JUNK_47B694 db 0,10h,'@',0,'縑|!v',12h,'',0Eh
SDPI:0047B6A0 ; ----------------------------------------------------------------------------
SDPI:0047B6A0
SDPI:0047B6A0 loc_47B6A0: ; CODE XREF: SDPI:0047B690 j
SDPI:0047B6A0 ; SDPI:0047B692 j
SDPI:0047B6A0 mov ecx, 769E3CF2h
SDPI:0047B6A5 call loc_47B6AB
SDPI:0047B6AA nop
SDPI:0047B6AB
SDPI:0047B6AB loc_47B6AB: ; CODE XREF: SDPI:0047B6A5 p
SDPI:0047B6AB pop eax
SDPI:0047B6AC add eax, 5FEh ; encryption start address: 0047BCA8
SDPI:0047B6B1 call loc_47B6B7
SDPI:0047B6B6 nop
SDPI:0047B6B7
SDPI:0047B6B7 loc_47B6B7: ; CODE XREF: SDPI:0047B6B1 p
SDPI:0047B6B7 pop edx
SDPI:0047B6B8 add edx, 0E8Eh ; encryption end address; the already decrypted
SDPI:0047B6B8 ; code is encrypted back again, this time with the MD5 value as key;
SDPI:0047B6B8 ; if the code has been modified the MD5 is different,
SDPI:0047B6B8 ; so whatever gets decrypted later is garbage
SDPI:0047B6BE call Crypt_Code ; third encryption, starting at 0047BCA8
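What the two re-encryptions above (0047B668 and 0047B6BE) and the De_Code calls with ecx = 10h set up is a hash-keyed stage decryption: the 16-byte MD5 of one code region is the XOR key for the next region, so a patch anywhere in the hashed region changes the key and the next stage decrypts to garbage instead of to a detectable branch. The C below is an added example of that scheme, not the packer's code. Two things are assumptions: the digest is a four-lane FNV-1a expansion standing in for the packer's MD5 (only the 16-byte size matters for the demonstration), and the stage bytes are constructed, not taken from the target.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 16   /* ecx = 10h in the listing: a 16-byte, MD5-sized key */

/* Stand-in for CMP_HASH_481275's MD5: a 16-byte digest from four FNV-1a lanes.
 * Assumption: any digest with this size shows the mechanism; the packer uses MD5. */
void digest16(const uint8_t *data, size_t len, uint8_t out[KEY_LEN])
{
    uint32_t lane[4] = {0x811C9DC5u, 0x811C9DC5u ^ 1u, 0x811C9DC5u ^ 2u, 0x811C9DC5u ^ 3u};
    for (size_t i = 0; i < len; i++) {
        uint32_t *h = &lane[i & 3];
        *h = (*h ^ data[i]) * 16777619u;   /* odd multiplier: each step is a bijection */
    }
    for (int k = 0; k < 4; k++)
        for (int b = 0; b < 4; b++)
            out[k * 4 + b] = (uint8_t)(lane[k] >> (8 * b));
}

/* De_Code / Crypt_Code as the listing describes them: XOR from `start` up to
 * (not including) `end`, the key repeating every KEY_LEN bytes. XOR is its own
 * inverse, which is why Crypt_Decrypt_CODE serves for both directions. */
void xor_code(uint8_t *start, const uint8_t *end, const uint8_t key[KEY_LEN])
{
    size_t i = 0;
    for (uint8_t *p = start; p < end; p++, i++)
        *p ^= key[i % KEY_LEN];
}

/* Packing time: stage B is stored XORed with the digest of stage A. */
void protect(const uint8_t *stage_a, size_t a_len, uint8_t *stage_b, size_t b_len)
{
    uint8_t key[KEY_LEN];
    digest16(stage_a, a_len, key);
    xor_code(stage_b, stage_b + b_len, key);
}

/* Run time: recompute the digest of stage A and decrypt stage B with it.
 * Returns 1 when the result equals `expected`, i.e. the stage is usable. */
int unpack_stage(const uint8_t *stage_a, size_t a_len, uint8_t *stage_b, size_t b_len,
                 const uint8_t *expected)
{
    uint8_t key[KEY_LEN];
    digest16(stage_a, a_len, key);
    xor_code(stage_b, stage_b + b_len, key);
    return memcmp(stage_b, expected, b_len) == 0;
}

/* Worked scenario on constructed bytes. patch_check != 0 simulates an analyst
 * NOPing one instruction inside the hashed region before the next stage runs. */
int demo(int patch_check)
{
    uint8_t stage_a[32], stage_b[40], original_b[40];
    for (int i = 0; i < 32; i++) stage_a[i] = (uint8_t)(0xC0 + i);    /* the checks and int3 stages */
    for (int i = 0; i < 40; i++) original_b[i] = (uint8_t)(0x90 + i); /* code the next stage needs */
    memcpy(stage_b, original_b, sizeof stage_b);
    protect(stage_a, sizeof stage_a, stage_b, sizeof stage_b);
    if (patch_check)
        stage_a[5] = 0x90;   /* one byte changed: the digest, hence the key, changes */
    return unpack_stage(stage_a, sizeof stage_a, stage_b, sizeof stage_b, original_b);
}

int main(void)
{
    printf("untouched stage decrypts correctly: %d\n", demo(0));
    printf("patched stage decrypts correctly:   %d\n", demo(1));
    return 0;
}
```

This is why the article keeps stressing that the detection code must be skipped by controlling the jump or the registers rather than by patching bytes: the region that gets hashed includes the checks themselves, and a single NOP turns the next De_Code output into noise with no error message to point at the cause. The same property also means that any dump taken after this point must contain the already-decrypted stages, since the key is never stored, only recomputed.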
SDPI:0047B6C3 push eax
SDPI:0047B6C4 xor eax, eax
SDPI:0047B6C6 call loc_47B6CC
SDPI:0047B6CB nop
SDPI:0047B6CC
SDPI:0047B6CC loc_47B6CC: ; CODE XREF: SDPI:0047B6C6 p
SDPI:0047B6CC pop edi
SDPI:0047B6CD add edi, 61h
SDPI:0047B6D3 mov ebx, [edi]
SDPI:0047B6D5 mov edx, [edi+4]
SDPI:0047B6D8 jz short loc_47B6E4
SDPI:0047B6DA jnz short loc_47B6E4
SDPI:0047B6DA ; ----------------------------------------------------------------------------
SDPI:0047B6DC dd 401000h
SDPI:0047B6E0 dd 9F7AB0Bh
SDPI:0047B6E4 ; ----------------------------------------------------------------------------
SDPI:0047B6E4
SDPI:0047B6E4 loc_47B6E4: ; CODE XREF: SDPI:0047B6D8 j
SDPI:0047B6E4 ; SDPI:0047B6DA j
SDPI:0047B6E4 call loc_47B6EA
SDPI:0047B6E9 nop
SDPI:0047B6EA
SDPI:0047B6EA loc_47B6EA: ; CODE XREF: SDPI:loc_47B6E4 p
SDPI:0047B6EA pop esi
SDPI:0047B6EB add esi, 59h
SDPI:0047B6F1 mov ecx, 3
SDPI:0047B6F1 ; ----------------------------------------------------------------------------
SDPI:0047B6F6 JUNK_47B6F6 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047B6F6 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047B6F6 db '鑈Xf?
SDPI:0047B72C ; ----------------------------------------------------------------------------
SDPI:0047B72C rep movsw
SDPI:0047B72F call Local_47B7B0
SDPI:0047B734 call loc_47B820
SDPI:0047B739 call near ptr 87C73Eh
SDPI:0047B73E mov al, 89h
SDPI:0047B740 pushf
SDPI:0047B741 add al, 0EBh
SDPI:0047B743 add [eax-6F6FFC15h], edx
SDPI:0047B749
SDPI:0047B749 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B749
SDPI:0047B749
SDPI:0047B749 FNDDBG_47B749 proc near
SDPI:0047B749 nop
SDPI:0047B74A nop
SDPI:0047B74B nop
SDPI:0047B74C nop
SDPI:0047B74D call loc_47B753
SDPI:0047B752 nop
SDPI:0047B753
SDPI:0047B753 loc_47B753: ; CODE XREF: FNDDBG_47B749+4 p
SDPI:0047B753 pop eax
SDPI:0047B754 add eax, 5Eh
SDPI:0047B759 mov edx, eax
SDPI:0047B75B add edx, 32h
SDPI:0047B75E call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047B75E ; encrypts or decrypts code; the operation is its own inverse
SDPI:0047B75E ; (a plain XOR), so the same routine serves for both
SDPI:0047B75E ; encryption and decryption
SDPI:0047B763 call loc_47B769
SDPI:0047B768 nop
SDPI:0047B769
SDPI:0047B769 loc_47B769: ; CODE XREF: FNDDBG_47B749+1A p
SDPI:0047B769 pop eax
SDPI:0047B76A add eax, 3934h
SDPI:0047B76F call loc_47B775
SDPI:0047B774 nop
SDPI:0047B775
SDPI:0047B775 loc_47B775: ; CODE XREF: FNDDBG_47B749+26 p
SDPI:0047B775 pop ecx
SDPI:0047B776 add ecx, 39D5h
SDPI:0047B77C push 0
SDPI:0047B77E push ecx
SDPI:0047B77F push eax
SDPI:0047B780 push 0
SDPI:0047B782 call loc_47B788
SDPI:0047B787 nop
SDPI:0047B788
SDPI:0047B788 loc_47B788: ; CODE XREF: FNDDBG_47B749+39 p
SDPI:0047B788 pop eax
SDPI:0047B789 add eax, 11h
SDPI:0047B78E push eax
SDPI:0047B78F jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047B78F ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047B78F ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B78F ; ----------------------------------------------------------------------------
SDPI:0047B794 db 90h ; ?
SDPI:0047B795 db 90h ; ?
SDPI:0047B796 db 90h ; ?
SDPI:0047B797 db 90h ; ?
SDPI:0047B798 ; ----------------------------------------------------------------------------
SDPI:0047B798 push 7
SDPI:0047B79A call loc_47B7A0
SDPI:0047B79F nop
SDPI:0047B7A0
SDPI:0047B7A0 loc_47B7A0: ; CODE XREF: FNDDBG_47B749+51 p
SDPI:0047B7A0 pop eax
SDPI:0047B7A1 add eax, 11h
SDPI:0047B7A6 push eax
SDPI:0047B7A7 jmp ExitProcess
SDPI:0047B7A7 ; ----------------------------------------------------------------------------
SDPI:0047B7AC db 90h ; ?
SDPI:0047B7AD db 90h ; ?
SDPI:0047B7AE db 90h ; ?
SDPI:0047B7AF db 90h ; ?
SDPI:0047B7AF FNDDBG_47B749 endp
SDPI:0047B7AF
SDPI:0047B7B0 ; ----------------------------------------------------------------------------
SDPI:0047B7B0
SDPI:0047B7B0 Local_47B7B0: ; CODE XREF: SDPI:0047B72F p
SDPI:0047B7B0 nop
SDPI:0047B7B1 nop
SDPI:0047B7B2 nop
SDPI:0047B7B3 nop
SDPI:0047B7B4 nop
SDPI:0047B7B5 call loc_47B7BB
SDPI:0047B7BA nop
SDPI:0047B7BB
SDPI:0047B7BB loc_47B7BB: ; CODE XREF: SDPI:0047B7B5 p
SDPI:0047B7BB pop eax
SDPI:0047B7BC add eax, 5Eh
SDPI:0047B7C1 mov edx, eax
SDPI:0047B7C3 add edx, 32h
SDPI:0047B7C6 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047B7C6 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047B7C6 ; because it is only a simple xor, so the same routine
SDPI:0047B7C6 ; serves for both encryption and decryption
SDPI:0047B7CB call loc_47B7D1
SDPI:0047B7D0 nop
SDPI:0047B7D1
SDPI:0047B7D1 loc_47B7D1: ; CODE XREF: SDPI:0047B7CB p
SDPI:0047B7D1 pop eax
SDPI:0047B7D2 add eax, 38CCh
SDPI:0047B7D7 call loc_47B7DD
SDPI:0047B7DC nop
SDPI:0047B7DD
SDPI:0047B7DD loc_47B7DD: ; CODE XREF: SDPI:0047B7D7 p
SDPI:0047B7DD pop ecx
SDPI:0047B7DE add ecx, 396Dh
SDPI:0047B7E4 push 0
SDPI:0047B7E6 push ecx
SDPI:0047B7E7 push eax
SDPI:0047B7E8 push 0
SDPI:0047B7EA call loc_47B7F0
SDPI:0047B7EF nop
SDPI:0047B7F0
SDPI:0047B7F0 loc_47B7F0: ; CODE XREF: SDPI:0047B7EA p
SDPI:0047B7F0 pop eax
SDPI:0047B7F1 add eax, 11h
SDPI:0047B7F6 push eax
SDPI:0047B7F7 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047B7F7 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047B7F7 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B7F7 ; ----------------------------------------------------------------------------
SDPI:0047B7FC dd 90909090h
SDPI:0047B800 ; ----------------------------------------------------------------------------
SDPI:0047B800 push 7
SDPI:0047B802 call loc_47B808
SDPI:0047B807 nop
SDPI:0047B808
SDPI:0047B808 loc_47B808: ; CODE XREF: SDPI:0047B802 p
SDPI:0047B808 pop eax
SDPI:0047B809 add eax, 11h
SDPI:0047B80E push eax
SDPI:0047B80F jmp ExitProcess
SDPI:0047B80F ; ----------------------------------------------------------------------------
SDPI:0047B814 dd 90909090h
SDPI:0047B818 dd 401000h
SDPI:0047B81C dd 69C89E0h
SDPI:0047B820 ; ----------------------------------------------------------------------------
SDPI:0047B820
SDPI:0047B820 loc_47B820: ; CODE XREF: SDPI:0047B734 p
SDPI:0047B820 call loc_47B826
SDPI:0047B825 nop
SDPI:0047B826
SDPI:0047B826 loc_47B826: ; CODE XREF: SDPI:loc_47B820 p
SDPI:0047B826 pop edi
SDPI:0047B827 add edi, 0FFFFFF07h
SDPI:0047B82D mov [edi], ebx
SDPI:0047B82F mov [edi+4], edx
SDPI:0047B832 pop eax
SDPI:0047B833 call loc_47B839
SDPI:0047B838 nop
SDPI:0047B839
SDPI:0047B839 loc_47B839: ; CODE XREF: SDPI:0047B833 p
SDPI:0047B839 pop eax
SDPI:0047B83A add eax, 124h
SDPI:0047B83F push eax
SDPI:0047B840 xor eax, eax
SDPI:0047B842 push dword ptr fs:[eax]
SDPI:0047B845 mov fs:[eax], esp
SDPI:0047B848 mov ebp, 300EF1D3h
SDPI:0047B84D add ebp, 12345678h
SDPI:0047B853 mov ax, 17h
SDPI:0047B857 sub ax, 13h
SDPI:0047B857 ; ----------------------------------------------------------------------------
SDPI:0047B85B aI@stRS@sRS@sfP3TS@s db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047B85B db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047B85B db '鑈Xf?
SDPI:0047B891 dd 90909090h
SDPI:0047B895 ; ----------------------------------------------------------------------------
SDPI:0047B895 nop
SDPI:0047B896 int 3 ; Trap to Debugger
SDPI:0047B897 nop ; SEH handler: 0047B95C
SDPI:0047B898 cmp al, 4
SDPI:0047B89A jz short Pass_47B90D
SDPI:0047B89C
SDPI:0047B89C ; ************** S U B R O U T I N E *****************************************
SDPI:0047B89C
SDPI:0047B89C
SDPI:0047B89C fnddbg_47B89C proc near ; CODE XREF: SDPI:0047B926 j
SDPI:0047B89C ; SDPI:0047B93E j ...
SDPI:0047B89C nop
SDPI:0047B89D nop
SDPI:0047B89E nop
SDPI:0047B89F nop
SDPI:0047B8A0 nop
SDPI:0047B8A1 call loc_47B8A7
SDPI:0047B8A6 nop
SDPI:0047B8A7
SDPI:0047B8A7 loc_47B8A7: ; CODE XREF: fnddbg_47B89C+5 p
SDPI:0047B8A7 pop eax
SDPI:0047B8A8 add eax, 5Eh
SDPI:0047B8AD mov edx, eax
SDPI:0047B8AF add edx, 32h
SDPI:0047B8B2 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047B8B2 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047B8B2 ; because it is only a simple xor, so the same routine
SDPI:0047B8B2 ; serves for both encryption and decryption
SDPI:0047B8B7 call loc_47B8BD
SDPI:0047B8BC nop
SDPI:0047B8BD
SDPI:0047B8BD loc_47B8BD: ; CODE XREF: fnddbg_47B89C+1B p
SDPI:0047B8BD pop eax
SDPI:0047B8BE add eax, 37E0h
SDPI:0047B8C3 call loc_47B8C9
SDPI:0047B8C8 nop
SDPI:0047B8C9
SDPI:0047B8C9 loc_47B8C9: ; CODE XREF: fnddbg_47B89C+27 p
SDPI:0047B8C9 pop ecx
SDPI:0047B8CA add ecx, 3881h
SDPI:0047B8D0 push 0
SDPI:0047B8D2 push ecx
SDPI:0047B8D3 push eax
SDPI:0047B8D4 push 0
SDPI:0047B8D6 call loc_47B8DC
SDPI:0047B8DB nop
SDPI:0047B8DC
SDPI:0047B8DC loc_47B8DC: ; CODE XREF: fnddbg_47B89C+3A p
SDPI:0047B8DC pop eax
SDPI:0047B8DD add eax, 11h
SDPI:0047B8E2 push eax
SDPI:0047B8E3 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047B8E3 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047B8E3 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047B8E3 ; ----------------------------------------------------------------------------
SDPI:0047B8E8 db 90h ; ?
SDPI:0047B8E9 db 90h ; ?
SDPI:0047B8EA db 90h ; ?
SDPI:0047B8EB db 90h ; ?
SDPI:0047B8EC ; ----------------------------------------------------------------------------
SDPI:0047B8EC push 7
SDPI:0047B8EE call loc_47B8F4
SDPI:0047B8F3 nop
SDPI:0047B8F4
SDPI:0047B8F4 loc_47B8F4: ; CODE XREF: fnddbg_47B89C+52 p
SDPI:0047B8F4 pop eax
SDPI:0047B8F5 add eax, 11h
SDPI:0047B8FA push eax
SDPI:0047B8FB jmp ExitProcess
SDPI:0047B8FB ; ----------------------------------------------------------------------------
SDPI:0047B900 aRrrrs@I db '悙悙?,0,10h,'@',0,'皦?,4
SDPI:0047B900 fnddbg_47B89C endp
SDPI:0047B900
SDPI:0047B90D ; ----------------------------------------------------------------------------
SDPI:0047B90D
SDPI:0047B90D Pass_47B90D: ; CODE XREF: SDPI:0047B89A j
SDPI:0047B90D pop large dword ptr fs:0
SDPI:0047B914 add esp, 4
SDPI:0047B917 call loc_47B91D
SDPI:0047B91C nop
SDPI:0047B91D
SDPI:0047B91D loc_47B91D: ; CODE XREF: SDPI:0047B917 p
SDPI:0047B91D pop eax
SDPI:0047B91E add eax, 0FFFFFE1Dh
SDPI:0047B923 cmp byte ptr [eax], 0E9h
SDPI:0047B926 jnz fnddbg_47B89C
SDPI:0047B92C mov byte ptr [eax], 0E8h
SDPI:0047B92F rdtsc
SDPI:0047B931 mov ecx, eax
SDPI:0047B933 mov ebx, edx
SDPI:0047B935 rdtsc
SDPI:0047B937 sub eax, ecx
SDPI:0047B939 sbb edx, ebx
SDPI:0047B93B cmp edx, 0
SDPI:0047B93E jnz fnddbg_47B89C
SDPI:0047B944 cmp eax, 30000000h
SDPI:0047B949 ja fnddbg_47B89C ; also done with the macro, so there is nothing more to explain here
SDPI:0047B94F jz short PASS_47B99A
SDPI:0047B951 jnz short PASS_47B99A
SDPI:0047B951 ; ----------------------------------------------------------------------------
SDPI:0047B953 aS@I db '?,0,10h,'@',0,'皦?,4
SDPI:0047B95C ; ----------------------------------------------------------------------------
SDPI:0047B95C mov eax, [esp+4] ; SEH handler entry
SDPI:0047B960 mov ecx, [esp+0Ch]
SDPI:0047B964 inc dword ptr [ecx+0B8h]
SDPI:0047B96A mov eax, [eax]
SDPI:0047B96C sub eax, 80000003h
SDPI:0047B971 jnz short locret_47B999
SDPI:0047B973 call sub_47B979
SDPI:0047B978 nop
SDPI:0047B979
SDPI:0047B979 ; ************** S U B R O U T I N E *****************************************
SDPI:0047B979
SDPI:0047B979
SDPI:0047B979 sub_47B979 proc near ; CODE XREF: SDPI:0047B973 p
SDPI:0047B979 pop eax
SDPI:0047B97A add eax, 0FFFFFDC1h
SDPI:0047B97F cmp byte ptr [eax], 0E8h
SDPI:0047B982 jnz fnddbg_47B89C
SDPI:0047B988 mov byte ptr [eax], 0E9h
SDPI:0047B98B xor eax, eax
SDPI:0047B98D mov [ecx+4], eax
SDPI:0047B990 mov [ecx+8], eax
SDPI:0047B993 mov [ecx+0Ch], eax
SDPI:0047B996 mov [ecx+10h], eax
SDPI:0047B999
SDPI:0047B999 locret_47B999: ; CODE XREF: SDPI:0047B971 j
SDPI:0047B999 retn
SDPI:0047B999 sub_47B979 endp ; sp = 4
SDPI:0047B999
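The int3 probe above (int3 at 0047B896, handler at 0047B95C, verification at 0047B90D) and the first-5-bytes check behind the MessageBoxA/ExitProcess macro, reconstructed as an added example in portable C. This is not the packer's code: it models the decisions on plain memory rather than a real Windows CONTEXT record or SEH chain. The CONTEXT offsets 4..10h (Dr0..Dr3) and 0B8h (Eip) and the E8/E9 marker handshake are taken from the listing; `ctx_t`, `exc_record_t`, the function names and the sample Dr0/Dr3 values are my own constructions.

```c
/* Added example, not the packer's code: a portable model of the int3 probe
 * (int3 at 0047B896, SEH handler at 0047B95C, verification at 0047B90D) and
 * of the first-5-bytes check behind the MessageBoxA/ExitProcess macro.
 * ctx_t stands in for the x86 CONTEXT record: only the offsets the handler
 * touches matter (4..10h = Dr0..Dr3, 0B8h = Eip). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EXCEPTION_BREAKPOINT_CODE 0x80000003u  /* value compared at 0047B96C */
#define CTX_DR0 0x04u                          /* [ecx+4]    */
#define CTX_DR3 0x10u                          /* [ecx+10h]  */
#define CTX_EIP 0xB8u                          /* [ecx+0B8h] */

typedef struct { uint8_t raw[0xC0]; } ctx_t;   /* large enough to hold Eip */
typedef struct { uint32_t code; } exc_record_t;

static uint32_t ctx_get(const ctx_t *c, size_t off)
{
    uint32_t v;
    memcpy(&v, c->raw + off, sizeof v);
    return v;
}

static void ctx_set(ctx_t *c, size_t off, uint32_t v)
{
    memcpy(c->raw + off, &v, sizeof v);
}

/* Macro check: 1 if any of the first 5 bytes of an API prologue is CC. */
int prologue_has_int3(const uint8_t *api, size_t len)
{
    size_t limit = len < 5 ? len : 5;
    for (size_t i = 0; i < limit; i++)
        if (api[i] == 0xCC)
            return 1;
    return 0;
}

/* Handler at 0047B95C. Returns 0 (ExceptionContinueExecution) after handling
 * the breakpoint, 1 for any other exception code (continue search), and -1
 * where the listing jumps to fnddbg_47B89C because the marker is not E8. */
int seh_handler_model(const exc_record_t *rec, ctx_t *ctx, uint8_t *marker)
{
    ctx_set(ctx, CTX_EIP, ctx_get(ctx, CTX_EIP) + 1); /* inc [ecx+0B8h]: step over the 1-byte int3 */
    if (rec->code != EXCEPTION_BREAKPOINT_CODE)
        return 1;                                     /* sub eax,80000003h ; jnz locret */
    if (*marker != 0xE8)
        return -1;                                    /* cmp byte ptr [eax],0E8h ; jnz fnddbg */
    *marker = 0xE9;                                   /* mov byte ptr [eax],0E9h */
    for (size_t off = CTX_DR0; off <= CTX_DR3; off += 4)
        ctx_set(ctx, off, 0);                         /* mov [ecx+4..10h],0: wipe Dr0..Dr3 */
    return 0;                                         /* xor eax,eax ; retn */
}

/* Caller side at 0047B90D: the marker must now read E9, proving the handler
 * really ran; it is restored to E8 for the next round. */
int handler_ran(uint8_t *marker)
{
    if (*marker != 0xE9)                              /* cmp byte ptr [eax],0E9h ; jnz fnddbg */
        return 0;
    *marker = 0xE8;                                   /* mov byte ptr [eax],0E8h */
    return 1;
}

/* Whole probe. debugger_present=1 models a debugger that consumes the int3
 * itself, so the registered handler is never invoked. Returns 1 when the probe
 * concludes "no debugger", 0 when it would take the exit path. */
int int3_probe_passes(int debugger_present)
{
    ctx_t ctx;
    uint8_t marker = 0xE8;
    memset(&ctx, 0, sizeof ctx);
    ctx_set(&ctx, CTX_DR0, 0x401000u);   /* constructed: a hardware breakpoint an analyst had armed */
    ctx_set(&ctx, CTX_EIP, 0x47B896u);   /* address of the int3 in the listing */
    if (!debugger_present) {
        exc_record_t rec = { EXCEPTION_BREAKPOINT_CODE };
        if (seh_handler_model(&rec, &ctx, &marker) != 0)
            return 0;
    }
    return handler_ran(&marker);
}

/* Side effects of one handled breakpoint: 1 iff Dr0..Dr3 are zero, Eip points
 * just past the int3 and the marker was flipped to E9. */
int handler_side_effects_ok(void)
{
    ctx_t ctx;
    uint8_t marker = 0xE8;
    exc_record_t rec = { EXCEPTION_BREAKPOINT_CODE };
    memset(&ctx, 0, sizeof ctx);
    ctx_set(&ctx, CTX_DR0, 0x401000u);   /* constructed */
    ctx_set(&ctx, CTX_DR3, 0x402000u);   /* constructed */
    ctx_set(&ctx, CTX_EIP, 0x47B896u);
    if (seh_handler_model(&rec, &ctx, &marker) != 0)
        return 0;
    for (size_t off = CTX_DR0; off <= CTX_DR3; off += 4)
        if (ctx_get(&ctx, off) != 0)
            return 0;
    return ctx_get(&ctx, CTX_EIP) == 0x47B897u && marker == 0xE9;
}
```

The marker handshake is what makes the probe work as a debugger check: both sides compute the marker's address relative to their own position (47B91D+FFFFFE1Dh and 47B979+FFFFFDC1h resolve to the same byte), and the byte only reads E9 afterwards if the process's own handler, not a debugger, consumed the int3. Clearing Dr0..Dr3 in the CONTEXT is the side effect an analyst should expect: any hardware breakpoints armed before this point are gone once execution resumes.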
SDPI:0047B99A ; ----------------------------------------------------------------------------
SDPI:0047B99A
SDPI:0047B99A PASS_47B99A: ; CODE XREF: SDPI:0047B94F j
SDPI:0047B99A ; SDPI:0047B951 j
SDPI:0047B99A pop eax
SDPI:0047B99B call loc_47BB7D
SDPI:0047B99B ; ----------------------------------------------------------------------------
SDPI:0047B9A0 dd 401000h
SDPI:0047B9A4 dd 15C56BEh
SDPI:0047B9A8 ; ----------------------------------------------------------------------------
SDPI:0047B9A8
SDPI:0047B9A8 loc_47B9A8: ; CODE XREF: SDPI:0047BBA6 p
SDPI:0047B9A8 pop ebp
SDPI:0047B9A9 pop eax
SDPI:0047B9AA jmp loc_47BBAB
SDPI:0047B9AF ; ----------------------------------------------------------------------------
SDPI:0047B9AF mov ecx, 0FFFFFF00h
SDPI:0047B9B4 push fs
SDPI:0047B9B6 jz short loc_47B9C2
SDPI:0047B9B8 jnz short loc_47B9C2
SDPI:0047B9B8 ; ----------------------------------------------------------------------------
SDPI:0047B9BA dd 401000h
SDPI:0047B9BE dd 49C89B0h
SDPI:0047B9C2 ; ----------------------------------------------------------------------------
SDPI:0047B9C2
SDPI:0047B9C2 loc_47B9C2: ; CODE XREF: SDPI:0047B9B6 j
SDPI:0047B9C2 ; SDPI:0047B9B8 j
SDPI:0047B9C2 pushfw
SDPI:0047B9C4 push eax
SDPI:0047B9C5 mov eax, ebx
SDPI:0047B9C7 push ebx
SDPI:0047B9C8 mov eax, ecx
SDPI:0047B9CA push eax
SDPI:0047B9CB add eax, edx
SDPI:0047B9CD mov ebx, eax
SDPI:0047B9CF push ebx
SDPI:0047B9D0 pop eax
SDPI:0047B9D1 push edx
SDPI:0047B9D2 call loc_47B9DF
SDPI:0047B9D2 ; ----------------------------------------------------------------------------
SDPI:0047B9D7 dd 401000h
SDPI:0047B9DB dd 132BD7B0h
SDPI:0047B9DF ; ----------------------------------------------------------------------------
SDPI:0047B9DF
SDPI:0047B9DF loc_47B9DF: ; CODE XREF: SDPI:0047B9D2 p
SDPI:0047B9DF pop eax
SDPI:0047B9E0 call loc_47B9E6
SDPI:0047B9E5 nop
SDPI:0047B9E6
SDPI:0047B9E6 loc_47B9E6: ; CODE XREF: SDPI:0047B9E0 p
SDPI:0047B9E6 pop eax
SDPI:0047B9E7 add eax, 11h
SDPI:0047B9EC push eax
SDPI:0047B9ED jmp GetTickCount
SDPI:0047B9ED ; ----------------------------------------------------------------------------
SDPI:0047B9F2 dd 90909090h
SDPI:0047B9F6 ; ----------------------------------------------------------------------------
SDPI:0047B9F6 push eax
SDPI:0047B9F7 mov eax, edx
SDPI:0047B9F9 push eax
SDPI:0047B9FA call loc_47BA00
SDPI:0047B9FF nop
SDPI:0047BA00
SDPI:0047BA00 loc_47BA00: ; CODE XREF: SDPI:0047B9FA p
SDPI:0047BA00 pop edx
SDPI:0047BA01 add edx, 52h
SDPI:0047BA07 push edx
SDPI:0047BA08 add edx, 402A08h
SDPI:0047BA0E push edx
SDPI:0047BA0F jo short loc_47BA64
SDPI:0047BA11 jno short loc_47BA64
SDPI:0047BA13
SDPI:0047BA13 loc_47BA13: ; CODE XREF: SDPI:0047BA57 p
SDPI:0047BA13 pop eax
SDPI:0047BA14 pop ebx
SDPI:0047BA15 call loc_47BA1B
SDPI:0047BA1A nop
SDPI:0047BA1B
SDPI:0047BA1B loc_47BA1B: ; CODE XREF: SDPI:0047BA15 p
SDPI:0047BA1B pop eax
SDPI:0047BA1C add eax, 11h
SDPI:0047BA21 push eax
SDPI:0047BA22 jmp GetTickCount
SDPI:0047BA22 ; ----------------------------------------------------------------------------
SDPI:0047BA27 dd 90909090h
SDPI:0047BA2B ; ----------------------------------------------------------------------------
SDPI:0047BA2B pop ebx
SDPI:0047BA2C add ebx, 1F4h
SDPI:0047BA32 sub ebx, eax ; same as above: if this jumps, it is over
SDPI:0047BA34 js short FNDDBG_47BA78
SDPI:0047BA36 call loc_47BA3C
SDPI:0047BA3B nop
SDPI:0047BA3C
SDPI:0047BA3C loc_47BA3C: ; CODE XREF: SDPI:0047BA36 p
SDPI:0047BA3C pop ebx
SDPI:0047BA3D add ebx, 0A5h
SDPI:0047BA43 push ebx
SDPI:0047BA44 call loc_47BA6E
SDPI:0047BA44 ; ----------------------------------------------------------------------------
SDPI:0047BA49 dd 401000h
SDPI:0047BA4D dd 58C88B0h
SDPI:0047BA51 ; ----------------------------------------------------------------------------
SDPI:0047BA51 pop eax
SDPI:0047BA52 mov edx, eax
SDPI:0047BA54 mov eax, ebx
SDPI:0047BA56 push eax
SDPI:0047BA57 call loc_47BA13
SDPI:0047BA57 ; ----------------------------------------------------------------------------
SDPI:0047BA5C dd 401000h
SDPI:0047BA60 dd 1833639h
SDPI:0047BA64 ; ----------------------------------------------------------------------------
SDPI:0047BA64
SDPI:0047BA64 loc_47BA64: ; CODE XREF: SDPI:0047BA0F j
SDPI:0047BA64 ; SDPI:0047BA11 j
SDPI:0047BA64 pop eax
SDPI:0047BA65 retn
SDPI:0047BA65 ; ----------------------------------------------------------------------------
SDPI:0047BA66 dd 401000h
SDPI:0047BA6A dd 77C563Eh
SDPI:0047BA6E ; ----------------------------------------------------------------------------
SDPI:0047BA6E
SDPI:0047BA6E loc_47BA6E: ; CODE XREF: SDPI:0047BA44 p
SDPI:0047BA6E pop edx
SDPI:0047BA6F retn
SDPI:0047BA6F ; ----------------------------------------------------------------------------
SDPI:0047BA70 JUNK_47BA70 db 0,10h,'@',0,'颯?,1
SDPI:0047BA78
SDPI:0047BA78 ; ************** S U B R O U T I N E *****************************************
SDPI:0047BA78
SDPI:0047BA78
SDPI:0047BA78 FNDDBG_47BA78 proc near ; CODE XREF: SDPI:0047BA34 j
SDPI:0047BA78 nop
SDPI:0047BA79 nop
SDPI:0047BA7A nop
SDPI:0047BA7B nop
SDPI:0047BA7C nop
SDPI:0047BA7D call loc_47BA83
SDPI:0047BA82 nop
SDPI:0047BA83
SDPI:0047BA83 loc_47BA83: ; CODE XREF: FNDDBG_47BA78+5 p
SDPI:0047BA83 pop eax
SDPI:0047BA84 add eax, 5Eh
SDPI:0047BA89 mov edx, eax
SDPI:0047BA8B add edx, 32h
SDPI:0047BA8E call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047BA8E ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047BA8E ; because it is only a simple xor, so the same routine
SDPI:0047BA8E ; serves for both encryption and decryption
SDPI:0047BA93 call loc_47BA99
SDPI:0047BA98 nop
SDPI:0047BA99
SDPI:0047BA99 loc_47BA99: ; CODE XREF: FNDDBG_47BA78+1B p
SDPI:0047BA99 pop eax
SDPI:0047BA9A add eax, 3604h
SDPI:0047BA9F call loc_47BAA5
SDPI:0047BAA4 nop
SDPI:0047BAA5
SDPI:0047BAA5 loc_47BAA5: ; CODE XREF: FNDDBG_47BA78+27 p
SDPI:0047BAA5 pop ecx
SDPI:0047BAA6 add ecx, 36A5h
SDPI:0047BAAC push 0
SDPI:0047BAAE push ecx
SDPI:0047BAAF push eax
SDPI:0047BAB0 push 0
SDPI:0047BAB2 call loc_47BAB8
SDPI:0047BAB7 nop
SDPI:0047BAB8
SDPI:0047BAB8 loc_47BAB8: ; CODE XREF: FNDDBG_47BA78+3A p
SDPI:0047BAB8 pop eax
SDPI:0047BAB9 add eax, 11h
SDPI:0047BABE push eax
SDPI:0047BABF jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047BABF ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047BABF ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BABF ; ----------------------------------------------------------------------------
SDPI:0047BAC4 dd 90909090h
SDPI:0047BAC8 ; ----------------------------------------------------------------------------
SDPI:0047BAC8 push 7
SDPI:0047BACA call loc_47BAD0
SDPI:0047BACF nop
SDPI:0047BAD0
SDPI:0047BAD0 loc_47BAD0: ; CODE XREF: FNDDBG_47BA78+52 p
SDPI:0047BAD0 pop eax
SDPI:0047BAD1 add eax, 11h
SDPI:0047BAD6 push eax
SDPI:0047BAD7 jmp ExitProcess
SDPI:0047BAD7 ; ----------------------------------------------------------------------------
SDPI:0047BADC dd 90909090h
SDPI:0047BADC FNDDBG_47BA78 endp
SDPI:0047BADC
SDPI:0047BAE0 ; ----------------------------------------------------------------------------
SDPI:0047BAE0 pop edx
SDPI:0047BAE1 mov eax, ecx
SDPI:0047BAE3 add eax, edx
SDPI:0047BAE5 inc ecx
SDPI:0047BAE6 push eax
SDPI:0047BAE7 inc ecx
SDPI:0047BAE8 pop ebx
SDPI:0047BAE9 pop ecx
SDPI:0047BAEA push eax
SDPI:0047BAEB sub eax, 8
SDPI:0047BAEE pop ebx
SDPI:0047BAEF pop ebx
SDPI:0047BAF0 inc eax
SDPI:0047BAF1 add eax, ebx
SDPI:0047BAF3 pop eax
SDPI:0047BAF4 pushfw
SDPI:0047BAF6 popfw
SDPI:0047BAF8 popfw
SDPI:0047BAFA pop es
SDPI:0047BAFB mov eax, 12345678h
SDPI:0047BB00 push eax
SDPI:0047BB01 call loc_47BB07
SDPI:0047BB06 nop
SDPI:0047BB07
SDPI:0047BB07 loc_47BB07: ; CODE XREF: SDPI:0047BB01 p
SDPI:0047BB07 pop eax
SDPI:0047BB08 add eax, 12Ch
SDPI:0047BB0D push eax
SDPI:0047BB0E pop ebx
SDPI:0047BB0F add eax, 12h
SDPI:0047BB12 pop edx
SDPI:0047BB13 add eax, edx
SDPI:0047BB15 mov edx, eax
SDPI:0047BB17 push ebx
SDPI:0047BB18 mov ebx, es:[ecx+100h]
SDPI:0047BB1F push ebx
SDPI:0047BB20 mov eax, esp
SDPI:0047BB22 mov ebx, eax
SDPI:0047BB24 push ebx
SDPI:0047BB25 pop edx
SDPI:0047BB26 mov es:[ecx+100h], eax
SDPI:0047BB2D xor eax, eax
SDPI:0047BB2F jle short loc_47BB38
SDPI:0047BB31 jg short loc_47BB38
SDPI:0047BB31 ; ----------------------------------------------------------------------------
SDPI:0047BB33 dd 401000h
SDPI:0047BB37 db 0E8h ; ?
SDPI:0047BB38 ; ----------------------------------------------------------------------------
SDPI:0047BB38
SDPI:0047BB38 loc_47BB38: ; CODE XREF: SDPI:0047BB2F j
SDPI:0047BB38 ; SDPI:0047BB31 j
SDPI:0047BB38 pushfw
SDPI:0047BB3A push ecx
SDPI:0047BB3B xor ecx, ecx
SDPI:0047BB3D jcxz loc_47BB45
SDPI:0047BB40 add [eax], dl
SDPI:0047BB42 inc eax
SDPI:0047BB43 add al, ch
SDPI:0047BB45
SDPI:0047BB45 loc_47BB45: ; CODE XREF: SDPI:0047BB3D j
SDPI:0047BB45 pop ecx
SDPI:0047BB46 nop
SDPI:0047BB47 nop
SDPI:0047BB48 nop
SDPI:0047BB49 nop
SDPI:0047BB4A nop
SDPI:0047BB4B nop
SDPI:0047BB4C nop
SDPI:0047BB4D nop
SDPI:0047BB4E nop
SDPI:0047BB4F nop
SDPI:0047BB50 nop
SDPI:0047BB51 nop
SDPI:0047BB52 nop
SDPI:0047BB53 nop
SDPI:0047BB54 nop
SDPI:0047BB55 nop
SDPI:0047BB56 nop
SDPI:0047BB57 nop
SDPI:0047BB58 nop
SDPI:0047BB59 nop
SDPI:0047BB5A nop
SDPI:0047BB5B nop
SDPI:0047BB5C nop
SDPI:0047BB5D popfw
SDPI:0047BB5F jo short loc_47BB67
SDPI:0047BB61 jno short loc_47BB67
SDPI:0047BB61 ; ----------------------------------------------------------------------------
SDPI:0047BB63 dd 401000h
SDPI:0047BB67 ; ----------------------------------------------------------------------------
SDPI:0047BB67
SDPI:0047BB67 loc_47BB67: ; CODE XREF: SDPI:0047BB5F j
SDPI:0047BB67 ; SDPI:0047BB61 j
SDPI:0047BB67 int 3 ; Trap to Debugger
SDPI:0047BB68 nop ; SEH handler at 0047BC32
SDPI:0047BB69 xor eax, eax
SDPI:0047BB6B mov dword ptr [eax], 402C6Bh
SDPI:0047BB71 jp short loc_47BB7D
SDPI:0047BB73 jnp short loc_47BB7D
SDPI:0047BB73 ; ----------------------------------------------------------------------------
SDPI:0047BB75 dd 401000h
SDPI:0047BB79 dd 403D7Bh
SDPI:0047BB7D ; ----------------------------------------------------------------------------
SDPI:0047BB7D
SDPI:0047BB7D loc_47BB7D: ; CODE XREF: SDPI:0047B99B p
SDPI:0047BB7D ; SDPI:0047BB71 j ...
SDPI:0047BB7D call loc_47BB83
SDPI:0047BB82 nop
SDPI:0047BB83
SDPI:0047BB83 loc_47BB83: ; CODE XREF: SDPI:loc_47BB7D p
SDPI:0047BB83 pop eax
SDPI:0047BB84 add eax, 11h
SDPI:0047BB89 push eax
SDPI:0047BB8A jmp GetTickCount
SDPI:0047BB8A ; ----------------------------------------------------------------------------
SDPI:0047BB8F dd 90909090h
SDPI:0047BB93 ; ----------------------------------------------------------------------------
SDPI:0047BB93 call loc_47BB99
SDPI:0047BB98 nop
SDPI:0047BB99
SDPI:0047BB99 loc_47BB99: ; CODE XREF: SDPI:0047BB93 p
SDPI:0047BB99 pop edx
SDPI:0047BB9A add edx, 0FFFFFB04h
SDPI:0047BBA0 mov [edx], eax
SDPI:0047BBA2 pop ebp
SDPI:0047BBA3 add eax, edx
SDPI:0047BBA5 push eax
SDPI:0047BBA6 call loc_47B9A8
SDPI:0047BBAB
SDPI:0047BBAB loc_47BBAB: ; CODE XREF: SDPI:0047B9AA j
SDPI:0047BBAB call loc_47BBB1
SDPI:0047BBB0 nop
SDPI:0047BBB1
SDPI:0047BBB1 loc_47BBB1: ; CODE XREF: SDPI:loc_47BBAB p
SDPI:0047BBB1 pop edx
SDPI:0047BBB2 add edx, 0FFFFFDFFh
SDPI:0047BBB8 add edx, eax
SDPI:0047BBBA push edx
SDPI:0047BBBB pop ecx
SDPI:0047BBBC sub ecx, eax
SDPI:0047BBBE push ecx
SDPI:0047BBBF retn 4
SDPI:0047BBC2
SDPI:0047BBC2 ; ************** S U B R O U T I N E *****************************************
SDPI:0047BBC2
SDPI:0047BBC2
SDPI:0047BBC2 FNDDBG_47BBC2 proc near ; CODE XREF: SDPI:0047BC65 j
SDPI:0047BBC2 ; SDPI:0047BC6D j ...
SDPI:0047BBC2 nop
SDPI:0047BBC3 nop
SDPI:0047BBC4 nop
SDPI:0047BBC5 nop
SDPI:0047BBC6 nop
SDPI:0047BBC7 call loc_47BBCD
SDPI:0047BBCC nop
SDPI:0047BBCD
SDPI:0047BBCD loc_47BBCD: ; CODE XREF: FNDDBG_47BBC2+5 p
SDPI:0047BBCD pop eax
SDPI:0047BBCE add eax, 5Eh
SDPI:0047BBD3 mov edx, eax
SDPI:0047BBD5 add edx, 32h
SDPI:0047BBD8 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047BBD8 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047BBD8 ; because it is only a simple xor, so the same routine
SDPI:0047BBD8 ; serves for both encryption and decryption
SDPI:0047BBDD call loc_47BBE3
SDPI:0047BBE2 nop
SDPI:0047BBE3
SDPI:0047BBE3 loc_47BBE3: ; CODE XREF: FNDDBG_47BBC2+1B p
SDPI:0047BBE3 pop eax
SDPI:0047BBE4 add eax, 34BAh
SDPI:0047BBE9 call loc_47BBEF
SDPI:0047BBEE nop
SDPI:0047BBEF
SDPI:0047BBEF loc_47BBEF: ; CODE XREF: FNDDBG_47BBC2+27 p
SDPI:0047BBEF pop ecx
SDPI:0047BBF0 add ecx, 355Bh
SDPI:0047BBF6 push 0
SDPI:0047BBF8 push ecx
SDPI:0047BBF9 push eax
SDPI:0047BBFA push 0
SDPI:0047BBFC call loc_47BC02
SDPI:0047BC01 nop
SDPI:0047BC02
SDPI:0047BC02 loc_47BC02: ; CODE XREF: FNDDBG_47BBC2+3A p
SDPI:0047BC02 pop eax
SDPI:0047BC03 add eax, 11h
SDPI:0047BC08 push eax
SDPI:0047BC09 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047BC09 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047BC09 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BC09 ; ----------------------------------------------------------------------------
SDPI:0047BC0E dd 90909090h
SDPI:0047BC12 ; ----------------------------------------------------------------------------
SDPI:0047BC12 push 7
SDPI:0047BC14 call loc_47BC1A
SDPI:0047BC19 nop
SDPI:0047BC1A
SDPI:0047BC1A loc_47BC1A: ; CODE XREF: FNDDBG_47BBC2+52 p
SDPI:0047BC1A pop eax
SDPI:0047BC1B add eax, 11h
SDPI:0047BC20 push eax
SDPI:0047BC21 jmp ExitProcess
SDPI:0047BC21 ; ----------------------------------------------------------------------------
SDPI:0047BC26 aRrrr@V_0 db '悙悙',0,10h,'@',0,'綱',1
SDPI:0047BC26 FNDDBG_47BBC2 endp
SDPI:0047BC26
SDPI:0047BC32 ; ----------------------------------------------------------------------------
SDPI:0047BC32 mov esp, [esp+8]
SDPI:0047BC36 pop large dword ptr fs:0
SDPI:0047BC3D call loc_47BC43
SDPI:0047BC42 nop
SDPI:0047BC43
SDPI:0047BC43 loc_47BC43: ; CODE XREF: SDPI:0047BC3D p
SDPI:0047BC43 pop eax
SDPI:0047BC44 add eax, 11h
SDPI:0047BC49 push eax
SDPI:0047BC4A jmp GetTickCount
SDPI:0047BC4A ; ----------------------------------------------------------------------------
SDPI:0047BC4F dd 90909090h
SDPI:0047BC53 ; ----------------------------------------------------------------------------
SDPI:0047BC53 call loc_47BC59
SDPI:0047BC58 nop
SDPI:0047BC59
SDPI:0047BC59 loc_47BC59: ; CODE XREF: SDPI:0047BC53 p
SDPI:0047BC59 pop edx
SDPI:0047BC5A add edx, 0FFFFFA44h
SDPI:0047BC60 mov ecx, [edx]
SDPI:0047BC62 cmp ecx, 0
SDPI:0047BC65 jz FNDDBG_47BBC2
SDPI:0047BC6B sub eax, ecx
SDPI:0047BC6D js FNDDBG_47BBC2
SDPI:0047BC73 sub eax, 7D0h
SDPI:0047BC78 jns FNDDBG_47BBC2
SDPI:0047BC7E mov eax, 0E801276h
SDPI:0047BC83 mov [edx], eax
SDPI:0047BC85 call loc_47BC8B
SDPI:0047BC8A nop
SDPI:0047BC8B
SDPI:0047BC8B loc_47BC8B: ; CODE XREF: SDPI:0047BC85 p
SDPI:0047BC8B pop edx
SDPI:0047BC8C add edx, 8BAh ; decryption end address 47c544
SDPI:0047BC92 call loc_47BC98
SDPI:0047BC97 nop
SDPI:0047BC98
SDPI:0047BC98 loc_47BC98: ; CODE XREF: SDPI:0047BC92 p
SDPI:0047BC98 pop eax
SDPI:0047BC99 add eax, 0FFFFE4B9h
SDPI:0047BC9E mov ecx, 10h
SDPI:0047BCA3 call De_Code ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047BCA3 ; decrypts code; the decryption start address is the
SDPI:0047BCA3 ; address of the instruction right after this call
SDPI:0047BCA8 call loc_47BCAE
SDPI:0047BCAD nop
SDPI:0047BCAE
SDPI:0047BCAE loc_47BCAE: ; CODE XREF: SDPI:0047BCA8 p
SDPI:0047BCAE pop eax
SDPI:0047BCAF add eax, 11h
SDPI:0047BCB4 push eax
SDPI:0047BCB5 jmp CHK_R0D_4825DA ; checks for a ring 0 debugger
SDPI:0047BCB5 ; only ICE and ICEEXT are checked
SDPI:0047BCB5 ; so a private secret weapon is
SDPI:0047BCB5 ; still very useful ^_^
SDPI:0047BCB5 ; ----------------------------------------------------------------------------
SDPI:0047BCBA dd 90909090h
SDPI:0047BCBE ; ----------------------------------------------------------------------------
SDPI:0047BCBE call loc_47BCC4
SDPI:0047BCC3 nop
SDPI:0047BCC4
SDPI:0047BCC4 loc_47BCC4: ; CODE XREF: SDPI:0047BCBE p
SDPI:0047BCC4 pop eax
SDPI:0047BCC5 add eax, 11h
SDPI:0047BCCA push eax
SDPI:0047BCCB jmp Get_Version
SDPI:0047BCCB ; ----------------------------------------------------------------------------
SDPI:0047BCD0 db 90h ; ?
SDPI:0047BCD1 db 90h ; ?
SDPI:0047BCD2 db 90h ; ?
SDPI:0047BCD3 db 90h ; ?
SDPI:0047BCD4 ; ----------------------------------------------------------------------------
SDPI:0047BCD4 call loc_47BCDA
SDPI:0047BCD9 nop
SDPI:0047BCDA
SDPI:0047BCDA loc_47BCDA: ; CODE XREF: SDPI:0047BCD4 p
SDPI:0047BCDA pop edx
SDPI:0047BCDB add edx, 0FFFFE32Bh
SDPI:0047BCE1 mov [edx], eax ; save the version info
SDPI:0047BCE3 pushf
SDPI:0047BCE4 pop eax ; anti single-step: trap flag check
SDPI:0047BCE5 test eax, 100h
SDPI:0047BCEA jz short Pass_47BD54
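The four arithmetic decisions in the listing above (rdtsc delta at 0047B92F, the 500 ms GetTickCount window at 0047BA2B, the stored-tick check at 0047BC60 and the trap-flag test at 0047BCE3), as an added example in portable C that is not the packer's code. Each function takes the raw values the packer reads and returns whether the listing would branch to an FNDDBG_* routine; the thresholds 30000000h, 1F4h (500 ms) and 7D0h (2000 ms) are the immediates from the listing, the function names are mine, and the inputs used in the comments are constructed.

```c
/* Added example, not the packer's code: the decision logic of the four
 * timing / flag checks, written as pure functions over the values the packer
 * reads so the pass/fail boundary of each check is explicit. */
#include <stdint.h>

/* 0047B92F..49: two back-to-back rdtsc samples. The 64-bit delta is computed
 * with sub/sbb; fail if the high dword is nonzero or the low dword exceeds
 * 30000000h. */
int rdtsc_check_fails(uint64_t first, uint64_t second)
{
    uint64_t delta = second - first;             /* sub eax,ecx ; sbb edx,ebx */
    if ((uint32_t)(delta >> 32) != 0)
        return 1;                                /* cmp edx,0 ; jnz FNDDBG */
    return (uint32_t)delta > 0x30000000u;        /* cmp eax,30000000h ; ja FNDDBG */
}

/* 0047BA2B..34: ebx = tick_before + 1F4h ; sub ebx, tick_after ; js FNDDBG.
 * Fails when more than 500 ms elapsed between the two GetTickCount calls.
 * The arithmetic is 32-bit, so a tick-count wrap is handled like the CPU does. */
int tick_window_500ms_fails(uint32_t tick_before, uint32_t tick_after)
{
    int32_t margin = (int32_t)(tick_before + 0x1F4u - tick_after);
    return margin < 0;
}

/* 0047BC60..78: the tick stored at 0047BBA0 (before the second int3) must be
 * nonzero, must not lie in the future, and must be less than 7D0h (2000) ms old. */
int stored_tick_check_fails(uint32_t stored, uint32_t now)
{
    if (stored == 0)
        return 1;                                /* cmp ecx,0 ; jz FNDDBG */
    int32_t elapsed = (int32_t)(now - stored);   /* sub eax,ecx */
    if (elapsed < 0)
        return 1;                                /* js FNDDBG */
    return (int32_t)(elapsed - 0x7D0) >= 0;      /* sub eax,7D0h ; jns FNDDBG */
}

/* 0047BCE3..EA: pushf / pop eax / test eax,100h. Bit 8 of EFLAGS is TF; it is
 * set while a debugger single-steps the instruction. */
int trap_flag_set(uint32_t eflags)
{
    return (eflags & 0x100u) != 0;
}

/* Convenience: 1 if any of the checks would fire for the given constructed
 * readings, mirroring the listing's "any failure ends in ExitProcess". */
int any_check_fails(uint64_t tsc0, uint64_t tsc1,
                    uint32_t tick0, uint32_t tick1,
                    uint32_t stored, uint32_t now, uint32_t eflags)
{
    return rdtsc_check_fails(tsc0, tsc1)
        || tick_window_500ms_fails(tick0, tick1)
        || stored_tick_check_fails(stored, now)
        || trap_flag_set(eflags);
}
```

Two boundaries worth noting for anyone stepping through this region: the 500 ms window is measured between two GetTickCount calls with only a short code path between them, so pausing inside it is enough to fail; and the stored tick is overwritten with 0E801276h right after the check at 0047BC83, so the slot cannot be reused for a second pass.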
SDPI:0047BCEC
SDPI:0047BCEC ; ************** S U B R O U T I N E *****************************************
SDPI:0047BCEC
SDPI:0047BCEC ; if a debugger is detected, it is over
SDPI:0047BCEC
SDPI:0047BCEC FNDDBG_47BCEC proc near
SDPI:0047BCEC nop
SDPI:0047BCED nop
SDPI:0047BCEE nop
SDPI:0047BCEF nop
SDPI:0047BCF0 nop
SDPI:0047BCF1 call loc_47BCF7
SDPI:0047BCF6 nop
SDPI:0047BCF7
SDPI:0047BCF7 loc_47BCF7: ; CODE XREF: FNDDBG_47BCEC+5 p
SDPI:0047BCF7 pop eax
SDPI:0047BCF8 add eax, 5Eh
SDPI:0047BCFD mov edx, eax
SDPI:0047BCFF add edx, 32h
SDPI:0047BD02 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047BD02 ; encrypts or decrypts code; the two operations are interchangeable
SDPI:0047BD02 ; because it is only a simple xor, so the same routine
SDPI:0047BD02 ; serves for both encryption and decryption
SDPI:0047BD07 call loc_47BD0D
SDPI:0047BD0C nop
SDPI:0047BD0D
SDPI:0047BD0D loc_47BD0D: ; CODE XREF: FNDDBG_47BCEC+1B p
SDPI:0047BD0D pop eax
SDPI:0047BD0E add eax, 3390h
SDPI:0047BD13 call loc_47BD19
SDPI:0047BD18 nop
SDPI:0047BD19
SDPI:0047BD19 loc_47BD19: ; CODE XREF: FNDDBG_47BCEC+27 p
SDPI:0047BD19 pop ecx
SDPI:0047BD1A add ecx, 3431h
SDPI:0047BD20 push 0
SDPI:0047BD22 push ecx
SDPI:0047BD23 push eax
SDPI:0047BD24 push 0
SDPI:0047BD26 call loc_47BD2C
SDPI:0047BD2B nop
SDPI:0047BD2C
SDPI:0047BD2C loc_47BD2C: ; CODE XREF: FNDDBG_47BCEC+3A p
SDPI:0047BD2C pop eax
SDPI:0047BD2D add eax, 11h
SDPI:0047BD32 push eax
SDPI:0047BD33 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047BD33 ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047BD33 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BD33 ; ----------------------------------------------------------------------------
SDPI:0047BD38 db 90h ; ?
SDPI:0047BD39 db 90h ; ?
SDPI:0047BD3A db 90h ; ?
SDPI:0047BD3B db 90h ; ?
SDPI:0047BD3C ; ----------------------------------------------------------------------------
SDPI:0047BD3C push 7
SDPI:0047BD3E call loc_47BD44
SDPI:0047BD43 nop
SDPI:0047BD44
SDPI:0047BD44 loc_47BD44: ; CODE XREF: FNDDBG_47BCEC+52 p
SDPI:0047BD44 pop eax
SDPI:0047BD45 add eax, 11h
SDPI:0047BD4A push eax
SDPI:0047BD4B jmp ExitProcess
SDPI:0047BD4B ; ----------------------------------------------------------------------------
SDPI:0047BD50 dd 90909090h
SDPI:0047BD50 FNDDBG_47BCEC endp
SDPI:0047BD50
SDPI:0047BD54 ; ----------------------------------------------------------------------------
SDPI:0047BD54
SDPI:0047BD54 Pass_47BD54: ; CODE XREF: SDPI:0047BCEA j
SDPI:0047BD54 call loc_47BD5A
SDPI:0047BD59 nop
SDPI:0047BD5A
SDPI:0047BD5A loc_47BD5A: ; CODE XREF: SDPI:Pass_47BD54 p
SDPI:0047BD5A pop eax
SDPI:0047BD5B add eax, 11h
SDPI:0047BD60 push eax
SDPI:0047BD61 jmp CHK_IsREGED_481774 ; jump to check whether the packed program is registered
SDPI:0047BD61 ; ----------------------------------------------------------------------------
SDPI:0047BD66 db 90h ; ?
SDPI:0047BD67 db 90h ; ?
SDPI:0047BD68 db 90h ; ?
SDPI:0047BD69 db 90h ; ?
SDPI:0047BD6A ; ----------------------------------------------------------------------------
SDPI:0047BD6A xor eax, 87EAF247h
SDPI:0047BD6F sub eax, 254653EFh
SDPI:0047BD6F ; ----------------------------------------------------------------------------
SDPI:0047BD74 JUNK_46BD74 db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047BD74 db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047BD74 db '鑈Xf?
SDPI:0047BDAA ; ----------------------------------------------------------------------------
SDPI:0047BDAA jz short IsReged_47BE17
SDPI:0047BDAA ; ----------------------------------------------------------------------------
SDPI:0047BDAC junk_47bdac db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047BDAC db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047BDAC db '鑈Xf?
SDPI:0047BDE2
SDPI:0047BDE2 ; ************** S U B R O U T I N E *****************************************
SDPI:0047BDE2
SDPI:0047BDE2 ; shows the "unregistered" message box
SDPI:0047BDE2
SDPI:0047BDE2 UnReg_MSG proc near
SDPI:0047BDE2 call loc_47BDE8
SDPI:0047BDE7 nop
SDPI:0047BDE8
SDPI:0047BDE8 loc_47BDE8: ; CODE XREF: UnReg_MSG p
SDPI:0047BDE8 pop eax
SDPI:0047BDE9 add eax, 336Ch
SDPI:0047BDEE call loc_47BDF4
SDPI:0047BDF3 nop
SDPI:0047BDF4
SDPI:0047BDF4 loc_47BDF4: ; CODE XREF: UnReg_MSG+C p
SDPI:0047BDF4 pop ecx
SDPI:0047BDF5 add ecx, 3457h
SDPI:0047BDFB push 0
SDPI:0047BDFD push ecx
SDPI:0047BDFE push eax
SDPI:0047BDFF push 0
SDPI:0047BE01 call loc_47BE07
SDPI:0047BE06 nop
SDPI:0047BE07
SDPI:0047BE07 loc_47BE07: ; CODE XREF: UnReg_MSG+1F p
SDPI:0047BE07 pop eax
SDPI:0047BE08 add eax, 11h
SDPI:0047BE0D push eax
SDPI:0047BE0E jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047BE0E ; that checks whether the first 5 bytes of the function are CC,
SDPI:0047BE0E ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BE0E ; ----------------------------------------------------------------------------
SDPI:0047BE13 db 90h ; ?
SDPI:0047BE14 db 90h ; ?
SDPI:0047BE15 db 90h ; ?
SDPI:0047BE16 db 90h ; ?
SDPI:0047BE16 UnReg_MSG endp
SDPI:0047BE16
SDPI:0047BE17 ; ----------------------------------------------------------------------------
SDPI:0047BE17
SDPI:0047BE17 IsReged_47BE17: ; CODE XREF: SDPI:0047BDAA j
SDPI:0047BE17 jo short loc_47BE27
SDPI:0047BE19 jno short loc_47BE27
SDPI:0047BE19 ; ----------------------------------------------------------------------------
SDPI:0047BE1B dd 401000h
SDPI:0047BE1F dd 217C56BFh
SDPI:0047BE23 dd 0E801276h
SDPI:0047BE27 ; ----------------------------------------------------------------------------
SDPI:0047BE27
SDPI:0047BE27 loc_47BE27: ; CODE XREF: SDPI:IsReged_47BE17 j
SDPI:0047BE27 ; SDPI:0047BE19 j
SDPI:0047BE27 push eax
SDPI:0047BE28 xor eax, eax
SDPI:0047BE2A call loc_47BE30
SDPI:0047BE2F nop
SDPI:0047BE30
SDPI:0047BE30 loc_47BE30: ; CODE XREF: SDPI:0047BE2A p
SDPI:0047BE30 pop edi
SDPI:0047BE31 add edi, 61h
SDPI:0047BE37 mov ebx, [edi]
SDPI:0047BE39 mov edx, [edi+4]
SDPI:0047BE3C jz short loc_47BE48
SDPI:0047BE3E jnz short loc_47BE48
SDPI:0047BE3E ; ----------------------------------------------------------------------------
SDPI:0047BE40 dd 401000h
SDPI:0047BE44 dd 9F7AB0Bh
SDPI:0047BE48 ; ----------------------------------------------------------------------------
SDPI:0047BE48
SDPI:0047BE48 loc_47BE48: ; CODE XREF: SDPI:0047BE3C j
SDPI:0047BE48 ; SDPI:0047BE3E j
SDPI:0047BE48 call loc_47BE4E
SDPI:0047BE4D nop
SDPI:0047BE4E
SDPI:0047BE4E loc_47BE4E: ; CODE XREF: SDPI:loc_47BE48 p
SDPI:0047BE4E pop esi
SDPI:0047BE4F add esi, 59h
SDPI:0047BE55 mov ecx, 3
SDPI:0047BE55 ; ----------------------------------------------------------------------------
SDPI:0047BE5A JUNK_47BE5A db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047BE5A db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047BE5A db '鑈Xf?
SDPI:0047BE90 ; ----------------------------------------------------------------------------
SDPI:0047BE90 rep movsw
SDPI:0047BE93 call FNDDBG_47BF14
SDPI:0047BE98 call INT3_47BF84
SDPI:0047BE98 ; ----------------------------------------------------------------------------
SDPI:0047BE9D JUNK_47BE9D db '?,0,10h,'@',0,'皦?,4,'?,1,'愲',3,'悙?
SDPI:0047BEAE
SDPI:0047BEAE ; ************** S U B R O U T I N E *****************************************
SDPI:0047BEAE
SDPI:0047BEAE
SDPI:0047BEAE FNDDBG_47BEAE proc near
SDPI:0047BEAE nop
SDPI:0047BEAF nop
SDPI:0047BEB0 nop
SDPI:0047BEB1 call loc_47BEB7
SDPI:0047BEB6 nop
SDPI:0047BEB7
SDPI:0047BEB7 loc_47BEB7: ; CODE XREF: FNDDBG_47BEAE+3 p
SDPI:0047BEB7 pop eax
SDPI:0047BEB8 add eax, 5Eh
SDPI:0047BEBD mov edx, eax
SDPI:0047BEBF add edx, 32h
SDPI:0047BEC2 call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047BEC2 ; Encrypts or decrypts code; the two operations are
SDPI:0047BEC2 ; interchangeable since it is only a simple xor, so the same
SDPI:0047BEC2 ; routine serves for both encryption and decryption
SDPI:0047BEC7 call loc_47BECD
SDPI:0047BECC nop
SDPI:0047BECD
SDPI:0047BECD loc_47BECD: ; CODE XREF: FNDDBG_47BEAE+19 p
SDPI:0047BECD pop eax
SDPI:0047BECE add eax, 31D0h
SDPI:0047BED3 call loc_47BED9
SDPI:0047BED8 nop
SDPI:0047BED9
SDPI:0047BED9 loc_47BED9: ; CODE XREF: FNDDBG_47BEAE+25 p
SDPI:0047BED9 pop ecx
SDPI:0047BEDA add ecx, 3271h
SDPI:0047BEE0 push 0
SDPI:0047BEE2 push ecx
SDPI:0047BEE3 push eax
SDPI:0047BEE4 push 0
SDPI:0047BEE6 call loc_47BEEC
SDPI:0047BEEB nop
SDPI:0047BEEC
SDPI:0047BEEC loc_47BEEC: ; CODE XREF: FNDDBG_47BEAE+38 p
SDPI:0047BEEC pop eax
SDPI:0047BEED add eax, 11h
SDPI:0047BEF2 push eax
SDPI:0047BEF3 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047BEF3 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047BEF3 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BEF3 ; ----------------------------------------------------------------------------
SDPI:0047BEF8 dd 90909090h
SDPI:0047BEFC ; ----------------------------------------------------------------------------
SDPI:0047BEFC push 7
SDPI:0047BEFE call loc_47BF04
SDPI:0047BF03 nop
SDPI:0047BF04
SDPI:0047BF04 loc_47BF04: ; CODE XREF: FNDDBG_47BEAE+50 p
SDPI:0047BF04 pop eax
SDPI:0047BF05 add eax, 11h
SDPI:0047BF0A push eax
SDPI:0047BF0B jmp ExitProcess
SDPI:0047BF0B ; ----------------------------------------------------------------------------
SDPI:0047BF10 dd 90909090h
SDPI:0047BF10 FNDDBG_47BEAE endp
SDPI:0047BF10
SDPI:0047BF14
SDPI:0047BF14 ; ************** S U B R O U T I N E *****************************************
SDPI:0047BF14
SDPI:0047BF14
SDPI:0047BF14 FNDDBG_47BF14 proc near ; CODE XREF: SDPI:0047BE93 p
SDPI:0047BF14 nop
SDPI:0047BF15 nop
SDPI:0047BF16 nop
SDPI:0047BF17 nop
SDPI:0047BF18 nop
SDPI:0047BF19 call loc_47BF1F
SDPI:0047BF1E nop
SDPI:0047BF1F
SDPI:0047BF1F loc_47BF1F: ; CODE XREF: FNDDBG_47BF14+5 p
SDPI:0047BF1F pop eax
SDPI:0047BF20 add eax, 5Eh
SDPI:0047BF25 mov edx, eax
SDPI:0047BF27 add edx, 32h
SDPI:0047BF2A call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047BF2A ; Encrypts or decrypts code; the two operations are
SDPI:0047BF2A ; interchangeable since it is only a simple xor, so the same
SDPI:0047BF2A ; routine serves for both encryption and decryption
SDPI:0047BF2F call loc_47BF35
SDPI:0047BF34 nop
SDPI:0047BF35
SDPI:0047BF35 loc_47BF35: ; CODE XREF: FNDDBG_47BF14+1B p
SDPI:0047BF35 pop eax
SDPI:0047BF36 add eax, 3168h
SDPI:0047BF3B call loc_47BF41
SDPI:0047BF40 nop
SDPI:0047BF41
SDPI:0047BF41 loc_47BF41: ; CODE XREF: FNDDBG_47BF14+27 p
SDPI:0047BF41 pop ecx
SDPI:0047BF42 add ecx, 3209h
SDPI:0047BF48 push 0
SDPI:0047BF4A push ecx
SDPI:0047BF4B push eax
SDPI:0047BF4C push 0
SDPI:0047BF4E call loc_47BF54
SDPI:0047BF53 nop
SDPI:0047BF54
SDPI:0047BF54 loc_47BF54: ; CODE XREF: FNDDBG_47BF14+3A p
SDPI:0047BF54 pop eax
SDPI:0047BF55 add eax, 11h
SDPI:0047BF5A push eax
SDPI:0047BF5B jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047BF5B ; that checks whether the function's first 5 bytes are CC,
SDPI:0047BF5B ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047BF5B ; ----------------------------------------------------------------------------
SDPI:0047BF60 dd 90909090h
SDPI:0047BF64 ; ----------------------------------------------------------------------------
SDPI:0047BF64 push 7
SDPI:0047BF66 call loc_47BF6C
SDPI:0047BF6B nop
SDPI:0047BF6C
SDPI:0047BF6C loc_47BF6C: ; CODE XREF: FNDDBG_47BF14+52 p
SDPI:0047BF6C pop eax
SDPI:0047BF6D add eax, 11h
SDPI:0047BF72 push eax
SDPI:0047BF73 jmp ExitProcess
SDPI:0047BF73 ; ----------------------------------------------------------------------------
SDPI:0047BF78 JUNK_47BF78 db '悙悙',0,10h,'@',0,'鄩?,6
SDPI:0047BF78 FNDDBG_47BF14 endp
SDPI:0047BF78
SDPI:0047BF84 ; ----------------------------------------------------------------------------
SDPI:0047BF84
SDPI:0047BF84 INT3_47BF84: ; CODE XREF: SDPI:0047BE98 p
SDPI:0047BF84 call loc_47BF8A
SDPI:0047BF89 nop
SDPI:0047BF8A
SDPI:0047BF8A loc_47BF8A: ; CODE XREF: SDPI:INT3_47BF84 p
SDPI:0047BF8A pop edi
SDPI:0047BF8B add edi, 0FFFFFF07h
SDPI:0047BF91 mov [edi], ebx
SDPI:0047BF93 mov [edi+4], edx
SDPI:0047BF96 pop eax
SDPI:0047BF97 call loc_47BF9D
SDPI:0047BF9C nop
SDPI:0047BF9D
SDPI:0047BF9D loc_47BF9D: ; CODE XREF: SDPI:0047BF97 p
SDPI:0047BF9D pop eax
SDPI:0047BF9E add eax, 124h
SDPI:0047BFA3 push eax
SDPI:0047BFA4 xor eax, eax
SDPI:0047BFA6 push dword ptr fs:[eax]
SDPI:0047BFA9 mov fs:[eax], esp
SDPI:0047BFAC mov ebp, 300EF1D3h
SDPI:0047BFB1 add ebp, 12345678h
SDPI:0047BFB7 mov ax, 17h
SDPI:0047BFBB sub ax, 13h
SDPI:0047BFBB ; ----------------------------------------------------------------------------
SDPI:0047BFBF JUNK_47BFBF db '|',7,'?,7,0,10h,'@',0,'鑤鱮',12h,'s',10h,0,10h,'@',0,'?,3,'?
SDPI:0047BFBF db 'r',1Bh,'s',19h,0,10h,'@',0,'鑖淧3?豻扈',5,0,0,0,0,10h,'@',0
SDPI:0047BFBF db '鑈Xf潗悙悙'
SDPI:0047BFFA ; ----------------------------------------------------------------------------
SDPI:0047BFFA int 3 ; Trap to Debugger
SDPI:0047BFFB nop
SDPI:0047BFFC cmp al, 4 ; SEH handler: 0047C0C0
SDPI:0047BFFE jz short Done_47C071
SDPI:0047C000
SDPI:0047C000 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C000
SDPI:0047C000
SDPI:0047C000 FNDDBG_47C000 proc near ; CODE XREF: SDPI:0047C08A j
SDPI:0047C000 ; SDPI:0047C0A2 j ...
SDPI:0047C000 nop
SDPI:0047C001 nop
SDPI:0047C002 nop
SDPI:0047C003 nop
SDPI:0047C004 nop
SDPI:0047C005 call loc_47C00B
SDPI:0047C00A nop
SDPI:0047C00B
SDPI:0047C00B loc_47C00B: ; CODE XREF: FNDDBG_47C000+5 p
SDPI:0047C00B pop eax
SDPI:0047C00C add eax, 5Eh
SDPI:0047C011 mov edx, eax
SDPI:0047C013 add edx, 32h
SDPI:0047C016 call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C016 ; Encrypts or decrypts code; the two operations are
SDPI:0047C016 ; interchangeable since it is only a simple xor, so the same
SDPI:0047C016 ; routine serves for both encryption and decryption
SDPI:0047C01B call loc_47C021
SDPI:0047C020 nop
SDPI:0047C021
SDPI:0047C021 loc_47C021: ; CODE XREF: FNDDBG_47C000+1B p
SDPI:0047C021 pop eax
SDPI:0047C022 add eax, 307Ch
SDPI:0047C027 call loc_47C02D
SDPI:0047C02C nop
SDPI:0047C02D
SDPI:0047C02D loc_47C02D: ; CODE XREF: FNDDBG_47C000+27 p
SDPI:0047C02D pop ecx
SDPI:0047C02E add ecx, 311Dh
SDPI:0047C034 push 0
SDPI:0047C036 push ecx
SDPI:0047C037 push eax
SDPI:0047C038 push 0
SDPI:0047C03A call loc_47C040
SDPI:0047C03F nop
SDPI:0047C040
SDPI:0047C040 loc_47C040: ; CODE XREF: FNDDBG_47C000+3A p
SDPI:0047C040 pop eax
SDPI:0047C041 add eax, 11h
SDPI:0047C046 push eax
SDPI:0047C047 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C047 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C047 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C047 ; ----------------------------------------------------------------------------
SDPI:0047C04C dd 90909090h
SDPI:0047C050 ; ----------------------------------------------------------------------------
SDPI:0047C050 push 7
SDPI:0047C052 call loc_47C058
SDPI:0047C057 nop
SDPI:0047C058
SDPI:0047C058 loc_47C058: ; CODE XREF: FNDDBG_47C000+52 p
SDPI:0047C058 pop eax
SDPI:0047C059 add eax, 11h
SDPI:0047C05E push eax
SDPI:0047C05F jmp ExitProcess
SDPI:0047C05F ; ----------------------------------------------------------------------------
SDPI:0047C064 JUNK_47C064 db '悙悙?,0,10h,'@',0,'皦?,4
SDPI:0047C064 FNDDBG_47C000 endp
SDPI:0047C064
SDPI:0047C071 ; ----------------------------------------------------------------------------
SDPI:0047C071
SDPI:0047C071 Done_47C071: ; CODE XREF: SDPI:0047BFFE j
SDPI:0047C071 pop large dword ptr fs:0
SDPI:0047C078 add esp, 4
SDPI:0047C07B call loc_47C081
SDPI:0047C080 nop
SDPI:0047C081
SDPI:0047C081 loc_47C081: ; CODE XREF: SDPI:0047C07B p
SDPI:0047C081 pop eax
SDPI:0047C082 add eax, 0FFFFFE1Dh
SDPI:0047C087 cmp byte ptr [eax], 0E9h
SDPI:0047C08A jnz FNDDBG_47C000
SDPI:0047C090 mov byte ptr [eax], 0E8h
SDPI:0047C093 rdtsc
SDPI:0047C095 mov ecx, eax
SDPI:0047C097 mov ebx, edx
SDPI:0047C099 rdtsc
SDPI:0047C09B sub eax, ecx
SDPI:0047C09D sbb edx, ebx
SDPI:0047C09F cmp edx, 0
SDPI:0047C0A2 jnz FNDDBG_47C000
SDPI:0047C0A8 cmp eax, 30000000h
SDPI:0047C0AD ja FNDDBG_47C000
SDPI:0047C0B3 jz short PASS_47C0FE
SDPI:0047C0B5 jnz short PASS_47C0FE
SDPI:0047C0B5 ; ----------------------------------------------------------------------------
SDPI:0047C0B7 dd 401000E8h
SDPI:0047C0BB dd 9C89B000h
SDPI:0047C0BF db 4
SDPI:0047C0C0 ; ----------------------------------------------------------------------------
SDPI:0047C0C0 mov eax, [esp+4] ; SEH handler body
SDPI:0047C0C4 mov ecx, [esp+0Ch]
SDPI:0047C0C8 inc dword ptr [ecx+0B8h]
SDPI:0047C0CE mov eax, [eax]
SDPI:0047C0D0 sub eax, 80000003h
SDPI:0047C0D5 jnz short locret_47C0FD
SDPI:0047C0D7 call sub_47C0DD
SDPI:0047C0DC nop
SDPI:0047C0DD
SDPI:0047C0DD ; ************** S U B R O U T I N E *****************************************
SDPI:0047C0DD
SDPI:0047C0DD
SDPI:0047C0DD sub_47C0DD proc near ; CODE XREF: SDPI:0047C0D7 p
SDPI:0047C0DD pop eax
SDPI:0047C0DE add eax, 0FFFFFDC1h
SDPI:0047C0E3 cmp byte ptr [eax], 0E8h
SDPI:0047C0E6 jnz FNDDBG_47C000
SDPI:0047C0EC mov byte ptr [eax], 0E9h
SDPI:0047C0EF xor eax, eax
SDPI:0047C0F1 mov [ecx+4], eax
SDPI:0047C0F4 mov [ecx+8], eax
SDPI:0047C0F7 mov [ecx+0Ch], eax
SDPI:0047C0FA mov [ecx+10h], eax
SDPI:0047C0FD
SDPI:0047C0FD locret_47C0FD: ; CODE XREF: SDPI:0047C0D5 j
SDPI:0047C0FD retn
SDPI:0047C0FD sub_47C0DD endp ; sp = 4
SDPI:0047C0FD
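The int3/SEH handshake above (int 3 at 0047BFFA, the handler at 0047C0C0 with sub_47C0DD, and the follow-up check at loc_47C081) is worth modelling on its own, because two things happen in it: the handler wipes DR0-DR3 in the CONTEXT it is handed (erasing hardware breakpoints), and a byte is flipped E8 -> E9 by the handler and back E9 -> E8 by the main line, so that if the exception never reaches the handler the byte is left at E8 and FNDDBG_47C000 is taken. The Python below is an added example written for this analysis, not the shell's own code. It re-implements that observed logic on a constructed x86 CONTEXT buffer; the CONTEXT offsets (Dr0..Dr3 at 0x04..0x10, Eip at 0xB8) are the Win32 layout, the flag address 0047BE9E is derived from the two displacements 0FFFFFE1Dh and 0FFFFFDC1h, and the "debugger swallows the int3" scenario is an assumed case used to show what the handshake detects. The rdtsc check that follows at 0047C093 is left out.

```python
"""
Offline model of the int3 / SEH handshake between 0047BF84 and 0047C0FD.
Constructed example: re-implements the observed handler logic on a fake
x86 CONTEXT record; it is not the packer's code.
"""
import struct

# Win32 x86 CONTEXT offsets touched by the handler (Dr0..Dr3, Eip).
CTX_DR0, CTX_DR1, CTX_DR2, CTX_DR3 = 0x04, 0x08, 0x0C, 0x10
CTX_EIP = 0xB8
CTX_SIZE = 0x2CC
EXCEPTION_BREAKPOINT = 0x80000003

# 0047C081 + 0FFFFFE1Dh == 0047C0DD + 0FFFFFDC1h == 0047BE9E (derived, not on the page)
FLAG_ADDR = 0x47BE9E
INT3_ADDR = 0x47BFFA


class Memory:
    """Minimal byte-addressable memory holding the handshake byte."""

    def __init__(self, initial):
        self.cells = dict(initial)

    def read(self, addr):
        return self.cells[addr]

    def write(self, addr, value):
        self.cells[addr] = value & 0xFF


def make_context(eip, drs=(0, 0, 0, 0)):
    """Build a CONTEXT buffer with the given Eip and DR0..DR3 (constructed data)."""
    ctx = bytearray(CTX_SIZE)
    for off, val in zip((CTX_DR0, CTX_DR1, CTX_DR2, CTX_DR3), drs):
        struct.pack_into('<I', ctx, off, val)
    struct.pack_into('<I', ctx, CTX_EIP, eip)
    return ctx


def dr_values(ctx):
    return tuple(struct.unpack_from('<I', ctx, off)[0]
                 for off in (CTX_DR0, CTX_DR1, CTX_DR2, CTX_DR3))


def ctx_eip(ctx):
    return struct.unpack_from('<I', ctx, CTX_EIP)[0]


def seh_handler(exception_code, ctx, mem):
    """Mirrors 0047C0C0..0047C0FD. ctx is the CONTEXT found at [esp+0Ch]."""
    # inc dword ptr [ecx+0B8h]: step the resumed thread past the int 3 (done
    # before the exception code is even examined)
    struct.pack_into('<I', ctx, CTX_EIP, ctx_eip(ctx) + 1)
    # sub eax, 80000003h / jnz locret_47C0FD
    if exception_code != EXCEPTION_BREAKPOINT:
        return 'CONTINUE'
    # sub_47C0DD: the handshake byte must still read E8, else FNDDBG_47C000
    if mem.read(FLAG_ADDR) != 0xE8:
        return 'FNDDBG'
    mem.write(FLAG_ADDR, 0xE9)
    # xor eax, eax ; mov [ecx+4..10h], eax: DR0..DR3 are zeroed, which is why
    # hardware breakpoints set before this point silently disappear
    for off in (CTX_DR0, CTX_DR1, CTX_DR2, CTX_DR3):
        struct.pack_into('<I', ctx, off, 0)
    return 'CONTINUE'


def simulate_int3_check(mem, debugger_swallows_int3=False, drs=(0, 0, 0, 0)):
    """Run the whole sequence; returns (outcome, context)."""
    ctx = make_context(INT3_ADDR, drs)
    if not debugger_swallows_int3:
        # assumed scenario: if a debugger eats the int 3 the handler never runs
        if seh_handler(EXCEPTION_BREAKPOINT, ctx, mem) == 'FNDDBG':
            return 'FNDDBG', ctx
    # Execution resumes at Eip; al == 4 (17h - 13h) so jz Done_47C071 is taken.
    # loc_47C081: byte must now read E9, then it is flipped back to E8.
    if mem.read(FLAG_ADDR) != 0xE9:
        return 'FNDDBG', ctx
    mem.write(FLAG_ADDR, 0xE8)
    return 'PASS', ctx


if __name__ == '__main__':
    mem = Memory({FLAG_ADDR: 0xE8})
    print(simulate_int3_check(mem, drs=(0x401000, 0, 0, 0))[0])
    print(simulate_int3_check(Memory({FLAG_ADDR: 0xE8}), debugger_swallows_int3=True)[0])
```

The useful observation for anyone stepping this in OllyDbg is the second half: the byte at 0047BE9E has to be E8 when the handler runs and E9 when loc_47C081 runs, so simply skipping the int 3 without letting the exception reach the shell's handler is caught, while passing the exception through leaves the check satisfied but costs any hardware breakpoints set before 0047BFFA.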
SDPI:0047C0FE ; ----------------------------------------------------------------------------
SDPI:0047C0FE
SDPI:0047C0FE PASS_47C0FE: ; CODE XREF: SDPI:0047C0B3 j
SDPI:0047C0FE ; SDPI:0047C0B5 j
SDPI:0047C0FE pop eax
SDPI:0047C0FF call loc_47C2FF
SDPI:0047C0FF ; ----------------------------------------------------------------------------
SDPI:0047C104 dd 90909090h
SDPI:0047C108 dd 90909090h
SDPI:0047C10C ; ----------------------------------------------------------------------------
SDPI:0047C10C
SDPI:0047C10C loc_47C10C: ; CODE XREF: SDPI:0047C328 p
SDPI:0047C10C pop ebp
SDPI:0047C10D pop eax
SDPI:0047C10E jmp loc_47C32D
SDPI:0047C113 ; ----------------------------------------------------------------------------
SDPI:0047C113 call loc_47C119
SDPI:0047C118 nop
SDPI:0047C119
SDPI:0047C119 loc_47C119: ; CODE XREF: SDPI:0047C113 p
SDPI:0047C119 pop eax
SDPI:0047C11A add eax, 312h ; EAX==0047C42A
SDPI:0047C11F call loc_47C125
SDPI:0047C124 nop
SDPI:0047C125
SDPI:0047C125 loc_47C125: ; CODE XREF: SDPI:0047C11F p
SDPI:0047C125 pop edx
SDPI:0047C126 add edx, 11EEh ; EDX==0047D312
SDPI:0047C12C call Crypt_Decrypt_CODE ; re-encrypt the code from 47C42A to 47D312
SDPI:0047C131 mov ecx, 0FFFFFF00h
SDPI:0047C136 push fs
SDPI:0047C138 nop
SDPI:0047C139 nop
SDPI:0047C13A nop
SDPI:0047C13B nop
SDPI:0047C13C nop
SDPI:0047C13D nop
SDPI:0047C13E nop
SDPI:0047C13F nop
SDPI:0047C140 nop
SDPI:0047C141 nop
SDPI:0047C142 nop
SDPI:0047C143 nop
SDPI:0047C144 pushfw
SDPI:0047C146 push eax
SDPI:0047C147 mov eax, ebx
SDPI:0047C149 push ebx
SDPI:0047C14A mov eax, ecx
SDPI:0047C14C push eax
SDPI:0047C14D add eax, edx
SDPI:0047C14F mov ebx, eax
SDPI:0047C151 push ebx
SDPI:0047C152 pop eax
SDPI:0047C153 push edx
SDPI:0047C154 call loc_47C161
SDPI:0047C159 nop
SDPI:0047C15A nop
SDPI:0047C15B nop
SDPI:0047C15C nop
SDPI:0047C15D nop
SDPI:0047C15E nop
SDPI:0047C15F nop
SDPI:0047C160 nop
SDPI:0047C161
SDPI:0047C161 loc_47C161: ; CODE XREF: SDPI:0047C154 p
SDPI:0047C161 pop eax
SDPI:0047C162 call loc_47C168
SDPI:0047C167 nop
SDPI:0047C168
SDPI:0047C168 loc_47C168: ; CODE XREF: SDPI:0047C162 p
SDPI:0047C168 pop eax
SDPI:0047C169 add eax, 11h
SDPI:0047C16E push eax
SDPI:0047C16F jmp GetTickCount
SDPI:0047C16F ; ----------------------------------------------------------------------------
SDPI:0047C174 dd 90909090h
SDPI:0047C178 ; ----------------------------------------------------------------------------
SDPI:0047C178 push eax
SDPI:0047C179 mov eax, edx
SDPI:0047C17B push eax
SDPI:0047C17C call loc_47C182
SDPI:0047C181 nop
SDPI:0047C182
SDPI:0047C182 loc_47C182: ; CODE XREF: SDPI:0047C17C p
SDPI:0047C182 pop edx
SDPI:0047C183 add edx, 52h
SDPI:0047C189 push edx
SDPI:0047C18A add edx, 40318Ah
SDPI:0047C190 push edx
SDPI:0047C191 jo short loc_47C1E6
SDPI:0047C193 jno short loc_47C1E6
SDPI:0047C195
SDPI:0047C195 loc_47C195: ; CODE XREF: SDPI:0047C1D9 p
SDPI:0047C195 pop eax
SDPI:0047C196 pop ebx
SDPI:0047C197 call loc_47C19D
SDPI:0047C19C nop
SDPI:0047C19D
SDPI:0047C19D loc_47C19D: ; CODE XREF: SDPI:0047C197 p
SDPI:0047C19D pop eax
SDPI:0047C19E add eax, 11h
SDPI:0047C1A3 push eax
SDPI:0047C1A4 jmp GetTickCount
SDPI:0047C1A4 ; ----------------------------------------------------------------------------
SDPI:0047C1A9 dd 90909090h
SDPI:0047C1AD ; ----------------------------------------------------------------------------
SDPI:0047C1AD pop ebx
SDPI:0047C1AE add ebx, 1F4h
SDPI:0047C1B4 sub ebx, eax
SDPI:0047C1B6 js short OVER_47C1FA
SDPI:0047C1B8 call loc_47C1BE
SDPI:0047C1BD nop
SDPI:0047C1BE
SDPI:0047C1BE loc_47C1BE: ; CODE XREF: SDPI:0047C1B8 p
SDPI:0047C1BE pop ebx
SDPI:0047C1BF add ebx, 0A5h
SDPI:0047C1C5 push ebx
SDPI:0047C1C6 call loc_47C1F0
SDPI:0047C1C6 ; ----------------------------------------------------------------------------
SDPI:0047C1CB DB90_471cb db 8 dup(90h)
SDPI:0047C1D3 ; ----------------------------------------------------------------------------
SDPI:0047C1D3 pop eax
SDPI:0047C1D4 mov edx, eax
SDPI:0047C1D6 mov eax, ebx
SDPI:0047C1D8 push eax
SDPI:0047C1D9 call loc_47C195
SDPI:0047C1D9 ; ----------------------------------------------------------------------------
SDPI:0047C1DE db 8 dup(90h)
SDPI:0047C1E6 ; ----------------------------------------------------------------------------
SDPI:0047C1E6
SDPI:0047C1E6 loc_47C1E6: ; CODE XREF: SDPI:0047C191 j
SDPI:0047C1E6 ; SDPI:0047C193 j
SDPI:0047C1E6 pop eax
SDPI:0047C1E7 retn
SDPI:0047C1E7 ; ----------------------------------------------------------------------------
SDPI:0047C1E8 db 8 dup(90h)
SDPI:0047C1F0 ; ----------------------------------------------------------------------------
SDPI:0047C1F0
SDPI:0047C1F0 loc_47C1F0: ; CODE XREF: SDPI:0047C1C6 p
SDPI:0047C1F0 pop edx
SDPI:0047C1F1 retn
SDPI:0047C1F1 ; ----------------------------------------------------------------------------
SDPI:0047C1F2 db 8 dup(90h)
SDPI:0047C1FA
SDPI:0047C1FA ; ************** S U B R O U T I N E *****************************************
SDPI:0047C1FA
SDPI:0047C1FA
SDPI:0047C1FA OVER_47C1FA proc near ; CODE XREF: SDPI:0047C1B6 j
SDPI:0047C1FA nop
SDPI:0047C1FB nop
SDPI:0047C1FC nop
SDPI:0047C1FD nop
SDPI:0047C1FE nop
SDPI:0047C1FF call loc_47C205
SDPI:0047C204 nop
SDPI:0047C205
SDPI:0047C205 loc_47C205: ; CODE XREF: OVER_47C1FA+5 p
SDPI:0047C205 pop eax
SDPI:0047C206 add eax, 5Eh
SDPI:0047C20B mov edx, eax
SDPI:0047C20D add edx, 32h
SDPI:0047C210 call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C210 ; Encrypts or decrypts code; the two operations are
SDPI:0047C210 ; interchangeable since it is only a simple xor, so the same
SDPI:0047C210 ; routine serves for both encryption and decryption
SDPI:0047C215 call loc_47C21B
SDPI:0047C21A nop
SDPI:0047C21B
SDPI:0047C21B loc_47C21B: ; CODE XREF: OVER_47C1FA+1B p
SDPI:0047C21B pop eax
SDPI:0047C21C add eax, 2E82h
SDPI:0047C221 call loc_47C227
SDPI:0047C226 nop
SDPI:0047C227
SDPI:0047C227 loc_47C227: ; CODE XREF: OVER_47C1FA+27 p
SDPI:0047C227 pop ecx
SDPI:0047C228 add ecx, 2F23h
SDPI:0047C22E push 0
SDPI:0047C230 push ecx
SDPI:0047C231 push eax
SDPI:0047C232 push 0
SDPI:0047C234 call loc_47C23A
SDPI:0047C239 nop
SDPI:0047C23A
SDPI:0047C23A loc_47C23A: ; CODE XREF: OVER_47C1FA+3A p
SDPI:0047C23A pop eax
SDPI:0047C23B add eax, 11h
SDPI:0047C240 push eax
SDPI:0047C241 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C241 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C241 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C241 ; ----------------------------------------------------------------------------
SDPI:0047C246 db 4 dup(90h)
SDPI:0047C24A ; ----------------------------------------------------------------------------
SDPI:0047C24A push 7
SDPI:0047C24C call loc_47C252
SDPI:0047C251 nop
SDPI:0047C252
SDPI:0047C252 loc_47C252: ; CODE XREF: OVER_47C1FA+52 p
SDPI:0047C252 pop eax
SDPI:0047C253 add eax, 11h
SDPI:0047C258 push eax
SDPI:0047C259 jmp ExitProcess
SDPI:0047C259 ; ----------------------------------------------------------------------------
SDPI:0047C25E db 4 dup(90h)
SDPI:0047C25E OVER_47C1FA endp
SDPI:0047C25E
SDPI:0047C262 ; ----------------------------------------------------------------------------
SDPI:0047C262 pop edx
SDPI:0047C263 mov eax, ecx
SDPI:0047C265 add eax, edx
SDPI:0047C267 inc ecx
SDPI:0047C268 push eax
SDPI:0047C269 inc ecx
SDPI:0047C26A pop ebx
SDPI:0047C26B pop ecx
SDPI:0047C26C push eax
SDPI:0047C26D sub eax, 8
SDPI:0047C270 pop ebx
SDPI:0047C271 pop ebx
SDPI:0047C272 inc eax
SDPI:0047C273 add eax, ebx
SDPI:0047C275 pop eax
SDPI:0047C276 pushfw
SDPI:0047C278 popfw
SDPI:0047C27A popfw
SDPI:0047C27C pop es
SDPI:0047C27D mov eax, 12345678h
SDPI:0047C282 push eax
SDPI:0047C283 call loc_47C289
SDPI:0047C288 nop
SDPI:0047C289
SDPI:0047C289 loc_47C289: ; CODE XREF: SDPI:0047C283 p
SDPI:0047C289 pop eax
SDPI:0047C28A add eax, 12Ch
SDPI:0047C28F push eax
SDPI:0047C290 pop ebx
SDPI:0047C291 add eax, 12h
SDPI:0047C294 pop edx
SDPI:0047C295 add eax, edx
SDPI:0047C297 mov edx, eax
SDPI:0047C299 push ebx
SDPI:0047C29A mov ebx, es:[ecx+100h]
SDPI:0047C2A1 push ebx
SDPI:0047C2A2 mov eax, esp
SDPI:0047C2A4 mov ebx, eax
SDPI:0047C2A6 push ebx
SDPI:0047C2A7 pop edx
SDPI:0047C2A8 mov es:[ecx+100h], eax
SDPI:0047C2AF xor eax, eax
SDPI:0047C2AF ; ----------------------------------------------------------------------------
SDPI:0047C2B1 db 38h dup(90h)
SDPI:0047C2E9 ; ----------------------------------------------------------------------------
SDPI:0047C2E9 int 3 ; Trap to Debugger
SDPI:0047C2EA nop ; SEH handler: 0047C3B4
SDPI:0047C2EB xor eax, eax
SDPI:0047C2ED mov dword ptr [eax], 4033EDh
SDPI:0047C2F3 jp short loc_47C2FF
SDPI:0047C2F5 jnp short loc_47C2FF
SDPI:0047C2F7 nop
SDPI:0047C2F8 nop
SDPI:0047C2F9 nop
SDPI:0047C2FA nop
SDPI:0047C2FB nop
SDPI:0047C2FC nop
SDPI:0047C2FD nop
SDPI:0047C2FE nop
SDPI:0047C2FF
SDPI:0047C2FF loc_47C2FF: ; CODE XREF: SDPI:0047C0FF p
SDPI:0047C2FF ; SDPI:0047C2F3 j ...
SDPI:0047C2FF call loc_47C305
SDPI:0047C304 nop
SDPI:0047C305
SDPI:0047C305 loc_47C305: ; CODE XREF: SDPI:loc_47C2FF p
SDPI:0047C305 pop eax
SDPI:0047C306 add eax, 11h
SDPI:0047C30B push eax
SDPI:0047C30C jmp GetTickCount
SDPI:0047C30C ; ----------------------------------------------------------------------------
SDPI:0047C311 db 4 dup(90h)
SDPI:0047C315 ; ----------------------------------------------------------------------------
SDPI:0047C315 call loc_47C31B
SDPI:0047C31A nop
SDPI:0047C31B
SDPI:0047C31B loc_47C31B: ; CODE XREF: SDPI:0047C315 p
SDPI:0047C31B pop edx
SDPI:0047C31C add edx, 0FFFFFB09h
SDPI:0047C322 mov [edx], eax
SDPI:0047C324 pop ebp
SDPI:0047C325 add eax, edx
SDPI:0047C327 push eax
SDPI:0047C328 call loc_47C10C
SDPI:0047C32D
SDPI:0047C32D loc_47C32D: ; CODE XREF: SDPI:0047C10E j
SDPI:0047C32D call loc_47C333
SDPI:0047C332 nop
SDPI:0047C333
SDPI:0047C333 loc_47C333: ; CODE XREF: SDPI:loc_47C32D p
SDPI:0047C333 pop edx
SDPI:0047C334 add edx, 0FFFFFDE1h
SDPI:0047C33A add edx, eax
SDPI:0047C33C push edx
SDPI:0047C33D pop ecx
SDPI:0047C33E sub ecx, eax
SDPI:0047C340 push ecx
SDPI:0047C341 retn 4
SDPI:0047C344
SDPI:0047C344 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C344
SDPI:0047C344
SDPI:0047C344 OVER_47C344 proc near ; CODE XREF: SDPI:0047C3E7 j
SDPI:0047C344 ; SDPI:0047C3EF j ...
SDPI:0047C344 nop
SDPI:0047C345 nop
SDPI:0047C346 nop
SDPI:0047C347 nop
SDPI:0047C348 nop
SDPI:0047C349 call loc_47C34F
SDPI:0047C34E nop
SDPI:0047C34F
SDPI:0047C34F loc_47C34F: ; CODE XREF: OVER_47C344+5 p
SDPI:0047C34F pop eax
SDPI:0047C350 add eax, 5Eh
SDPI:0047C355 mov edx, eax
SDPI:0047C357 add edx, 32h
SDPI:0047C35A call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C35A ; Encrypts or decrypts code; the two operations are
SDPI:0047C35A ; interchangeable since it is only a simple xor, so the same
SDPI:0047C35A ; routine serves for both encryption and decryption
SDPI:0047C35F call loc_47C365
SDPI:0047C364 nop
SDPI:0047C365
SDPI:0047C365 loc_47C365: ; CODE XREF: OVER_47C344+1B p
SDPI:0047C365 pop eax
SDPI:0047C366 add eax, 2D38h
SDPI:0047C36B call loc_47C371
SDPI:0047C370 nop
SDPI:0047C371
SDPI:0047C371 loc_47C371: ; CODE XREF: OVER_47C344+27 p
SDPI:0047C371 pop ecx
SDPI:0047C372 add ecx, 2DD9h
SDPI:0047C378 push 0
SDPI:0047C37A push ecx
SDPI:0047C37B push eax
SDPI:0047C37C push 0
SDPI:0047C37E call loc_47C384
SDPI:0047C383 nop
SDPI:0047C384
SDPI:0047C384 loc_47C384: ; CODE XREF: OVER_47C344+3A p
SDPI:0047C384 pop eax
SDPI:0047C385 add eax, 11h
SDPI:0047C38A push eax
SDPI:0047C38B jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C38B ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C38B ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C38B ; ----------------------------------------------------------------------------
SDPI:0047C390 db 4 dup(90h)
SDPI:0047C394 ; ----------------------------------------------------------------------------
SDPI:0047C394 push 7
SDPI:0047C396 call loc_47C39C
SDPI:0047C39B nop
SDPI:0047C39C
SDPI:0047C39C loc_47C39C: ; CODE XREF: OVER_47C344+52 p
SDPI:0047C39C pop eax
SDPI:0047C39D add eax, 11h
SDPI:0047C3A2 push eax
SDPI:0047C3A3 jmp ExitProcess
SDPI:0047C3A3 ; ----------------------------------------------------------------------------
SDPI:0047C3A8 db 0Ch dup(90h)
SDPI:0047C3A8 OVER_47C344 endp
SDPI:0047C3A8
SDPI:0047C3B4 ; ----------------------------------------------------------------------------
SDPI:0047C3B4 mov esp, [esp+8] ; SEH handler
SDPI:0047C3B8 pop large dword ptr fs:0
SDPI:0047C3BF call loc_47C3C5
SDPI:0047C3C4 nop
SDPI:0047C3C5
SDPI:0047C3C5 loc_47C3C5: ; CODE XREF: SDPI:0047C3BF p
SDPI:0047C3C5 pop eax
SDPI:0047C3C6 add eax, 11h
SDPI:0047C3CB push eax
SDPI:0047C3CC jmp GetTickCount
SDPI:0047C3CC ; ----------------------------------------------------------------------------
SDPI:0047C3D1 db 4 dup(90h)
SDPI:0047C3D5 ; ----------------------------------------------------------------------------
SDPI:0047C3D5 call loc_47C3DB
SDPI:0047C3DA nop
SDPI:0047C3DB
SDPI:0047C3DB loc_47C3DB: ; CODE XREF: SDPI:0047C3D5 p
SDPI:0047C3DB pop edx
SDPI:0047C3DC add edx, 0FFFFFA49h
SDPI:0047C3E2 mov ecx, [edx]
SDPI:0047C3E4 cmp ecx, 0
SDPI:0047C3E7 jz OVER_47C344
SDPI:0047C3ED sub eax, ecx
SDPI:0047C3EF js OVER_47C344
SDPI:0047C3F5 sub eax, 7D0h
SDPI:0047C3FA jns OVER_47C344
SDPI:0047C400 mov eax, 0E801276h
SDPI:0047C405 mov [edx], eax
SDPI:0047C407 call loc_47C40D
SDPI:0047C40C nop
SDPI:0047C40D
SDPI:0047C40D loc_47C40D: ; CODE XREF: SDPI:0047C407 p
SDPI:0047C40D pop edx
SDPI:0047C40E add edx, 0F06h ; decrypt again the code that was re-encrypted above
SDPI:0047C414 call loc_47C41A ; decryption end address: 0047D312
SDPI:0047C419 nop
SDPI:0047C41A
SDPI:0047C41A loc_47C41A: ; CODE XREF: SDPI:0047C414 p
SDPI:0047C41A pop eax
SDPI:0047C41B add eax, 0FFFFDD7Fh
SDPI:0047C420 mov ecx, 10h
SDPI:0047C425 call De_Code ; invoke De_Code, ecx (counter), eax (key), edx (end)
SDPI:0047C425 ; decrypts code; the decryption start address is the address
SDPI:0047C425 ; of the instruction right after this call
SDPI:0047C42A jmp short loc_47C4A2
SDPI:0047C42A ; ----------------------------------------------------------------------------
SDPI:0047C42C db 0Eh dup(90h)
SDPI:0047C43A
SDPI:0047C43A ; ************** S U B R O U T I N E *****************************************
SDPI:0047C43A
SDPI:0047C43A
SDPI:0047C43A OVER_47C43A proc near ; CODE XREF: SDPI:0047C4C7 j
SDPI:0047C43A ; SDPI:0047CB8B j
SDPI:0047C43A nop
SDPI:0047C43B nop
SDPI:0047C43C nop
SDPI:0047C43D nop
SDPI:0047C43E nop
SDPI:0047C43F call loc_47C445
SDPI:0047C444 nop
SDPI:0047C445
SDPI:0047C445 loc_47C445: ; CODE XREF: OVER_47C43A+5 p
SDPI:0047C445 pop eax
SDPI:0047C446 add eax, 5Eh
SDPI:0047C44B mov edx, eax
SDPI:0047C44D add edx, 32h
SDPI:0047C450 call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C450 ; Encrypts or decrypts code; the two operations are
SDPI:0047C450 ; interchangeable since it is only a simple xor, so the same
SDPI:0047C450 ; routine serves for both encryption and decryption
SDPI:0047C455 call loc_47C45B
SDPI:0047C45A nop
SDPI:0047C45B
SDPI:0047C45B loc_47C45B: ; CODE XREF: OVER_47C43A+1B p
SDPI:0047C45B pop eax
SDPI:0047C45C add eax, 2C42h
SDPI:0047C461 call loc_47C467
SDPI:0047C466 nop
SDPI:0047C467
SDPI:0047C467 loc_47C467: ; CODE XREF: OVER_47C43A+27 p
SDPI:0047C467 pop ecx
SDPI:0047C468 add ecx, 2CE3h
SDPI:0047C46E push 0
SDPI:0047C470 push ecx
SDPI:0047C471 push eax
SDPI:0047C472 push 0
SDPI:0047C474 call loc_47C47A
SDPI:0047C479 nop
SDPI:0047C47A
SDPI:0047C47A loc_47C47A: ; CODE XREF: OVER_47C43A+3A p
SDPI:0047C47A pop eax
SDPI:0047C47B add eax, 11h
SDPI:0047C480 push eax
SDPI:0047C481 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C481 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C481 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C481 ; ----------------------------------------------------------------------------
SDPI:0047C486 db 4 dup(90h)
SDPI:0047C48A ; ----------------------------------------------------------------------------
SDPI:0047C48A push 7
SDPI:0047C48C call loc_47C492
SDPI:0047C491 nop
SDPI:0047C492
SDPI:0047C492 loc_47C492: ; CODE XREF: OVER_47C43A+52 p
SDPI:0047C492 pop eax
SDPI:0047C493 add eax, 11h
SDPI:0047C498 push eax
SDPI:0047C499 jmp ExitProcess
SDPI:0047C499 ; ----------------------------------------------------------------------------
SDPI:0047C49E db 4 dup(90h)
SDPI:0047C49E OVER_47C43A endp
SDPI:0047C49E
SDPI:0047C4A2 ; ----------------------------------------------------------------------------
SDPI:0047C4A2
SDPI:0047C4A2 loc_47C4A2: ; CODE XREF: SDPI:0047C42A j
SDPI:0047C4A2 call sub_47C4A8
SDPI:0047C4A7 nop
SDPI:0047C4A8
SDPI:0047C4A8 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C4A8
SDPI:0047C4A8
SDPI:0047C4A8 sub_47C4A8 proc near ; CODE XREF: SDPI:loc_47C4A2 p
SDPI:0047C4A8 pop eax
SDPI:0047C4A9 add eax, 11h
SDPI:0047C4AE push eax
SDPI:0047C4AF jmp Get_Version
SDPI:0047C4AF sub_47C4A8 endp
SDPI:0047C4AF
SDPI:0047C4AF ; ----------------------------------------------------------------------------
SDPI:0047C4B4 db 4 dup(90h)
SDPI:0047C4B8 ; ----------------------------------------------------------------------------
SDPI:0047C4B8 call loc_47C4BE
SDPI:0047C4BD nop
SDPI:0047C4BE
SDPI:0047C4BE loc_47C4BE: ; CODE XREF: SDPI:0047C4B8 p
SDPI:0047C4BE pop edx
SDPI:0047C4BF add edx, 0FFFFDB47h
SDPI:0047C4C5 cmp eax, [edx] ; check once more whether the return value of
SDPI:0047C4C5 ; GetVersion has been modified
SDPI:0047C4C7 jnz OVER_47C43A
SDPI:0047C4CD sub ebx, 40000000h
SDPI:0047C4CD ; ----------------------------------------------------------------------------
SDPI:0047C4D3 db 36h dup(90h)
SDPI:0047C509 ; ----------------------------------------------------------------------------
SDPI:0047C509 sub eax, 80000000h
SDPI:0047C509 ; ----------------------------------------------------------------------------
SDPI:0047C50E db 30h dup(90h)
SDPI:0047C53E ; ----------------------------------------------------------------------------
SDPI:0047C53E jb NotIsWin9x_47D312 ; check whether the OS is WinNT; if so, jump
SDPI:0047C53E ; --------------------------------------------------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Debugger-detection section for Win9x
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Since I do not have Win9x myself and do not know much about
debugger detection under Win9x, I have not gone into the anti-dbg part below much either;
it should be about the same as the detection methods already published.
SDPI:0047C553 ; ----------------------------------------------------------------------------
SDPI:0047C553 push cs
SDPI:0047C554 push eax
SDPI:0047C555 xor eax, eax
SDPI:0047C557 call loc_47C55D
SDPI:0047C55C nop
SDPI:0047C55D
SDPI:0047C55D loc_47C55D: ; CODE XREF: SDPI:0047C557 p
SDPI:0047C55D pop edi
SDPI:0047C55E add edi, 61h
SDPI:0047C564 mov ebx, [edi]
SDPI:0047C566 mov edx, [edi+4]
SDPI:0047C566 ; ----------------------------------------------------------------------------
SDPI:0047C569 db 0Ch dup(90h)
SDPI:0047C575 ; ----------------------------------------------------------------------------
SDPI:0047C575 call loc_47C57B
SDPI:0047C57A nop
SDPI:0047C57B
SDPI:0047C57B loc_47C57B: ; CODE XREF: SDPI:0047C575 p
SDPI:0047C57B pop esi
SDPI:0047C57C add esi, 59h
SDPI:0047C582 mov ecx, 3
SDPI:0047C587 nop
SDPI:0047C588 nop
SDPI:0047C589 nop
SDPI:0047C58A nop
SDPI:0047C58B nop
SDPI:0047C58C nop
SDPI:0047C58D nop
SDPI:0047C58E nop
SDPI:0047C58F nop
SDPI:0047C590 nop
SDPI:0047C591 nop
SDPI:0047C592 nop
SDPI:0047C593 nop
SDPI:0047C594 nop
SDPI:0047C595 nop
SDPI:0047C596 nop
SDPI:0047C597 nop
SDPI:0047C598 nop
SDPI:0047C599 nop
SDPI:0047C59A nop
SDPI:0047C59B nop
SDPI:0047C59C nop
SDPI:0047C59D nop
SDPI:0047C59E nop
SDPI:0047C59F nop
SDPI:0047C5A0 nop
SDPI:0047C5A1 nop
SDPI:0047C5A2 nop
SDPI:0047C5A3 nop
SDPI:0047C5A4 nop
SDPI:0047C5A5 nop
SDPI:0047C5A6 nop
SDPI:0047C5A7 nop
SDPI:0047C5A8 nop
SDPI:0047C5A9 nop
SDPI:0047C5AA nop
SDPI:0047C5AB nop
SDPI:0047C5AC nop
SDPI:0047C5AD nop
SDPI:0047C5AE nop
SDPI:0047C5AF nop
SDPI:0047C5B0 nop
SDPI:0047C5B1 nop
SDPI:0047C5B2 nop
SDPI:0047C5B3 nop
SDPI:0047C5B4 nop
SDPI:0047C5B5 nop
SDPI:0047C5B6 nop
SDPI:0047C5B7 nop
SDPI:0047C5B8 nop
SDPI:0047C5B9 nop
SDPI:0047C5BA nop
SDPI:0047C5BB nop
SDPI:0047C5BC nop
SDPI:0047C5BD rep movsw
SDPI:0047C5C0 call fnddbg_47C641
SDPI:0047C5C5 call int3_47C6B1
SDPI:0047C5C5 ; ----------------------------------------------------------------------------
SDPI:0047C5CA dd 401000E8h
SDPI:0047C5CE dd 9C89B000h
SDPI:0047C5D2 dd 9001EB04h
SDPI:0047C5D6 dd 909003EBh
SDPI:0047C5DA
SDPI:0047C5DA ; ************** S U B R O U T I N E *****************************************
SDPI:0047C5DA
SDPI:0047C5DA
SDPI:0047C5DA FNDDBG_47C5DA proc near
SDPI:0047C5DA nop
SDPI:0047C5DB nop
SDPI:0047C5DC nop
SDPI:0047C5DD nop
SDPI:0047C5DE call loc_47C5E4
SDPI:0047C5E3 nop
SDPI:0047C5E4
SDPI:0047C5E4 loc_47C5E4: ; CODE XREF: FNDDBG_47C5DA+4 p
SDPI:0047C5E4 pop eax
SDPI:0047C5E5 add eax, 5Eh
SDPI:0047C5EA mov edx, eax
SDPI:0047C5EC add edx, 32h
SDPI:0047C5EF call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C5EF ; Encrypts or decrypts code; the two operations are
SDPI:0047C5EF ; interchangeable since it is only a simple xor, so the same
SDPI:0047C5EF ; routine serves for both encryption and decryption
SDPI:0047C5F4 call loc_47C5FA
SDPI:0047C5F9 nop
SDPI:0047C5FA
SDPI:0047C5FA loc_47C5FA: ; CODE XREF: FNDDBG_47C5DA+1A p
SDPI:0047C5FA pop eax
SDPI:0047C5FB add eax, 2AA3h
SDPI:0047C600 call loc_47C606
SDPI:0047C605 nop
SDPI:0047C606
SDPI:0047C606 loc_47C606: ; CODE XREF: FNDDBG_47C5DA+26 p
SDPI:0047C606 pop ecx
SDPI:0047C607 add ecx, 2B44h
SDPI:0047C60D push 0
SDPI:0047C60F push ecx
SDPI:0047C610 push eax
SDPI:0047C611 push 0
SDPI:0047C613 call loc_47C619
SDPI:0047C618 nop
SDPI:0047C619
SDPI:0047C619 loc_47C619: ; CODE XREF: FNDDBG_47C5DA+39 p
SDPI:0047C619 pop eax
SDPI:0047C61A add eax, 11h
SDPI:0047C61F push eax
SDPI:0047C620 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C620 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C620 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C620 ; ----------------------------------------------------------------------------
SDPI:0047C625 db 4 dup(90h)
SDPI:0047C629 ; ----------------------------------------------------------------------------
SDPI:0047C629 push 7
SDPI:0047C62B call loc_47C631
SDPI:0047C630 nop
SDPI:0047C631
SDPI:0047C631 loc_47C631: ; CODE XREF: FNDDBG_47C5DA+51 p
SDPI:0047C631 pop eax
SDPI:0047C632 add eax, 11h
SDPI:0047C637 push eax
SDPI:0047C638 jmp ExitProcess
SDPI:0047C638 ; ----------------------------------------------------------------------------
SDPI:0047C63D db 4 dup(90h)
SDPI:0047C63D FNDDBG_47C5DA endp
SDPI:0047C63D
SDPI:0047C641
SDPI:0047C641 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C641
SDPI:0047C641
SDPI:0047C641 fnddbg_47C641 proc near ; CODE XREF: SDPI:0047C5C0 p
SDPI:0047C641 nop
SDPI:0047C642 nop
SDPI:0047C643 nop
SDPI:0047C644 nop
SDPI:0047C645 nop
SDPI:0047C646 call loc_47C64C
SDPI:0047C64B nop
SDPI:0047C64C
SDPI:0047C64C loc_47C64C: ; CODE XREF: fnddbg_47C641+5 p
SDPI:0047C64C pop eax
SDPI:0047C64D add eax, 5Eh
SDPI:0047C652 mov edx, eax
SDPI:0047C654 add edx, 32h
SDPI:0047C657 call Crypt_Decrypt_CODE ; edx = end address, eax = start address.
SDPI:0047C657 ; Encrypts or decrypts code; the two operations are
SDPI:0047C657 ; interchangeable since it is only a simple xor, so the same
SDPI:0047C657 ; routine serves for both encryption and decryption
SDPI:0047C65C call loc_47C662
SDPI:0047C661 nop
SDPI:0047C662
SDPI:0047C662 loc_47C662: ; CODE XREF: fnddbg_47C641+1B p
SDPI:0047C662 pop eax
SDPI:0047C663 add eax, 2A3Bh
SDPI:0047C668 call loc_47C66E
SDPI:0047C66D nop
SDPI:0047C66E
SDPI:0047C66E loc_47C66E: ; CODE XREF: fnddbg_47C641+27 p
SDPI:0047C66E pop ecx
SDPI:0047C66F add ecx, 2ADCh
SDPI:0047C675 push 0
SDPI:0047C677 push ecx
SDPI:0047C678 push eax
SDPI:0047C679 push 0
SDPI:0047C67B call loc_47C681
SDPI:0047C680 nop
SDPI:0047C681
SDPI:0047C681 loc_47C681: ; CODE XREF: fnddbg_47C641+3A p
SDPI:0047C681 pop eax
SDPI:0047C682 add eax, 11h
SDPI:0047C687 push eax
SDPI:0047C688 jmp MessageBoxA ; MessageBoxA; the shell wraps the call in a macro
SDPI:0047C688 ; that checks whether the function's first 5 bytes are CC,
SDPI:0047C688 ; i.e. whether an int3 breakpoint has been set on it
SDPI:0047C688 ; ----------------------------------------------------------------------------
SDPI:0047C68D db 4 dup(90h)
SDPI:0047C691 ; ----------------------------------------------------------------------------
SDPI:0047C691 push 7
SDPI:0047C693 call loc_47C699
SDPI:0047C698 nop
SDPI:0047C699
SDPI:0047C699 loc_47C699: ; CODE XREF: fnddbg_47C641+52 p
SDPI:0047C699 pop eax
SDPI:0047C69A add eax, 11h
SDPI:0047C69F push eax
SDPI:0047C6A0 jmp ExitProcess
SDPI:0047C6A0 ; ----------------------------------------------------------------------------
SDPI:0047C6A5 db 0Ch dup(90h)
SDPI:0047C6A5 fnddbg_47C641 endp
SDPI:0047C6A5
SDPI:0047C6B1 ; ----------------------------------------------------------------------------
SDPI:0047C6B1
SDPI:0047C6B1 int3_47C6B1: ; CODE XREF: SDPI:0047C5C5 p
SDPI:0047C6B1 call loc_47C6B7
SDPI:0047C6B6 nop
SDPI:0047C6B7
SDPI:0047C6B7 loc_47C6B7: ; CODE XREF: SDPI:int3_47C6B1 p
SDPI:0047C6B7 pop edi
SDPI:0047C6B8 add edi, 0FFFFFF07h
SDPI:0047C6BE mov [edi], ebx
SDPI:0047C6C0 mov [edi+4], edx
SDPI:0047C6C3 pop eax
SDPI:0047C6C4 call loc_47C6CA
SDPI:0047C6C9 nop
SDPI:0047C6CA
SDPI:0047C6CA loc_47C6CA: ; CODE XREF: SDPI:0047C6C4 p
SDPI:0047C6CA pop eax
SDPI:0047C6CB add eax, 124h
SDPI:0047C6D0 push eax
SDPI:0047C6D1 xor eax, eax
SDPI:0047C6D3 push dword ptr fs:[eax]
SDPI:0047C6D6 mov fs:[eax], esp
SDPI:0047C6D9 mov ebp, 300EF1D3h
SDPI:0047C6DE add ebp, 12345678h
SDPI:0047C6E4 mov ax, 17h
SDPI:0047C6E8 sub ax, 13h
SDPI:0047C6EC nop
SDPI:0047C6ED nop
SDPI:0047C6EE nop
SDPI:0047C6EF nop
SDPI:0047C6F0 nop
SDPI:0047C6F1 nop
SDPI:0047C6F2 nop
SDPI:0047C6F3 nop
SDPI:0047C6F4 nop
SDPI:0047C6F5 nop
SDPI:0047C6F6 nop
SDPI:0047C6F7 nop
SDPI:0047C6F8 nop
SDPI:0047C6F9 nop
SDPI:0047C6FA nop
SDPI:0047C6FB nop
SDPI:0047C6FC nop
SDPI:0047C6FD nop
SDPI:0047C6FE nop
SDPI:0047C6FF nop
SDPI:0047C700 nop
SDPI:0047C701 nop
SDPI:0047C702 nop
SDPI:0047C703 nop
SDPI:0047C704 nop
SDPI:0047C705 nop
SDPI:0047C706 nop
SDPI:0047C707 nop
SDPI:0047C708 nop
SDPI:0047C709 nop
SDPI:0047C70A nop
SDPI:0047C70B nop
SDPI:0047C70C nop
SDPI:0047C70D nop
SDPI:0047C70E nop
SDPI:0047C70F nop
SDPI:0047C710 nop
SDPI:0047C711 nop
SDPI:0047C712 nop
SDPI:0047C713 nop
SDPI:0047C714 nop
SDPI:0047C715 nop
SDPI:0047C716 nop
SDPI:0047C717 nop
SDPI:0047C718 nop
SDPI:0047C719 nop
SDPI:0047C71A nop
SDPI:0047C71B nop
SDPI:0047C71C nop
SDPI:0047C71D nop
SDPI:0047C71E nop
SDPI:0047C71F nop
SDPI:0047C720 nop
SDPI:0047C721 nop
SDPI:0047C722 nop
SDPI:0047C723 nop
SDPI:0047C724 nop
SDPI:0047C725 nop
SDPI:0047C726 nop
SDPI:0047C727 int 3 ; Trap to Debugger
SDPI:0047C728 nop
SDPI:0047C729 cmp al, 4
SDPI:0047C72B jz short done_47C79E
SDPI:0047C72D
SDPI:0047C72D ; ************** S U B R O U T I N E *****************************************
SDPI:0047C72D
SDPI:0047C72D
SDPI:0047C72D fnddbg_47C72D proc near ; CODE XREF: SDPI:0047C7B7 j
SDPI:0047C72D ; SDPI:0047C7CF j ...
SDPI:0047C72D nop
SDPI:0047C72E nop
SDPI:0047C72F nop
SDPI:0047C730 nop
SDPI:0047C731 nop
SDPI:0047C732 call loc_47C738
SDPI:0047C737 nop
SDPI:0047C738
SDPI:0047C738 loc_47C738: ; CODE XREF: fnddbg_47C72D+5 p
SDPI:0047C738 pop eax
SDPI:0047C739 add eax, 5Eh
SDPI:0047C73E mov edx, eax
SDPI:0047C740 add edx, 32h
SDPI:0047C743 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047C743 ; encrypts or decrypts code; the two operations are
SDPI:0047C743 ; interchangeable because it is only a simple XOR, so
SDPI:0047C743 ; the same routine both encrypts and decrypts
SDPI:0047C748 call loc_47C74E
SDPI:0047C74D nop
SDPI:0047C74E
SDPI:0047C74E loc_47C74E: ; CODE XREF: fnddbg_47C72D+1B p
SDPI:0047C74E pop eax
SDPI:0047C74F add eax, 294Fh
SDPI:0047C754 call loc_47C75A
SDPI:0047C759 nop
SDPI:0047C75A
SDPI:0047C75A loc_47C75A: ; CODE XREF: fnddbg_47C72D+27 p
SDPI:0047C75A pop ecx
SDPI:0047C75B add ecx, 29F0h
SDPI:0047C761 push 0
SDPI:0047C763 push ecx
SDPI:0047C764 push eax
SDPI:0047C765 push 0
SDPI:0047C767 call loc_47C76D
SDPI:0047C76C nop
SDPI:0047C76D
SDPI:0047C76D loc_47C76D: ; CODE XREF: fnddbg_47C72D+3A p
SDPI:0047C76D pop eax
SDPI:0047C76E add eax, 11h
SDPI:0047C773 push eax
SDPI:0047C774 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047C774 ; checks whether the function's first 5 bytes are CC,
SDPI:0047C774 ; i.e. whether an int3 breakpoint was set on it
SDPI:0047C774 ; ----------------------------------------------------------------------------
SDPI:0047C779 db 4 dup(90h)
SDPI:0047C77D ; ----------------------------------------------------------------------------
SDPI:0047C77D push 7
SDPI:0047C77F call loc_47C785
SDPI:0047C784 nop
SDPI:0047C785
SDPI:0047C785 loc_47C785: ; CODE XREF: fnddbg_47C72D+52 p
SDPI:0047C785 pop eax
SDPI:0047C786 add eax, 11h
SDPI:0047C78B push eax
SDPI:0047C78C jmp ExitProcess
SDPI:0047C78C ; ----------------------------------------------------------------------------
SDPI:0047C791 db 0Dh dup(90h)
SDPI:0047C791 fnddbg_47C72D endp
SDPI:0047C791
SDPI:0047C79E ; ----------------------------------------------------------------------------
SDPI:0047C79E
SDPI:0047C79E done_47C79E: ; CODE XREF: SDPI:0047C72B j
SDPI:0047C79E pop large dword ptr fs:0
SDPI:0047C7A5 add esp, 4
SDPI:0047C7A8 call loc_47C7AE
SDPI:0047C7AD nop
SDPI:0047C7AE
SDPI:0047C7AE loc_47C7AE: ; CODE XREF: SDPI:0047C7A8 p
SDPI:0047C7AE pop eax
SDPI:0047C7AF add eax, 0FFFFFE1Dh
SDPI:0047C7B4 cmp byte ptr [eax], 0E9h
SDPI:0047C7B7 jnz fnddbg_47C72D
SDPI:0047C7BD mov byte ptr [eax], 0E8h
SDPI:0047C7C0 rdtsc
SDPI:0047C7C2 mov ecx, eax
SDPI:0047C7C4 mov ebx, edx
SDPI:0047C7C6 rdtsc
SDPI:0047C7C8 sub eax, ecx
SDPI:0047C7CA sbb edx, ebx
SDPI:0047C7CC cmp edx, 0
SDPI:0047C7CF jnz fnddbg_47C72D
SDPI:0047C7D5 cmp eax, 30000000h
SDPI:0047C7DA ja fnddbg_47C72D
SDPI:0047C7E0 jmp short PASS_47C82B
SDPI:0047C7E0 ; ----------------------------------------------------------------------------
SDPI:0047C7E2 db 0Bh dup(90h)
SDPI:0047C7ED ; ----------------------------------------------------------------------------
SDPI:0047C7ED mov eax, [esp+4]
SDPI:0047C7F1 mov ecx, [esp+0Ch]
SDPI:0047C7F5 inc dword ptr [ecx+0B8h]
SDPI:0047C7FB mov eax, [eax]
SDPI:0047C7FD sub eax, 80000003h
SDPI:0047C802 jnz short locret_47C82A
SDPI:0047C804 call loc_47C80A
SDPI:0047C809 nop
SDPI:0047C80A
SDPI:0047C80A loc_47C80A: ; CODE XREF: SDPI:0047C804 p
SDPI:0047C80A pop eax
SDPI:0047C80B add eax, 0FFFFFDC1h
SDPI:0047C810 cmp byte ptr [eax], 0E8h
SDPI:0047C813 jnz fnddbg_47C72D
SDPI:0047C819 mov byte ptr [eax], 0E9h
SDPI:0047C81C xor eax, eax
SDPI:0047C81E mov [ecx+4], eax
SDPI:0047C821 mov [ecx+8], eax
SDPI:0047C824 mov [ecx+0Ch], eax
SDPI:0047C827 mov [ecx+10h], eax
SDPI:0047C82A
SDPI:0047C82A locret_47C82A: ; CODE XREF: SDPI:0047C802 j
SDPI:0047C82A retn
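The handler at 0047C7ED above (EXCEPTION_RECORD pointer in [esp+4], CONTEXT pointer in [esp+0Ch], Eip bumped past the int 3, exception code compared with 80000003h, then Dr0..Dr3 at CONTEXT+4..+10h zeroed) and the RDTSC pair at 0047C7C0 are both fixed instruction idioms, so once the surrounding code has been XOR-decrypted they are easy to flag statically. The following Python scanner is an added example, not code from the article or from the packer: its byte patterns are derived from the encodings of the listing's own instructions, the sample blob is constructed from those encodings with NOP padding, and xor_region with a one-byte key is an assumed stand-in for Crypt_Decrypt_CODE, used only to show that the signatures are invisible until the region is decrypted.

```python
"""Static signatures for two anti-debug idioms from the listing.

Added example (not the packer's code, not from the original article).
Flags (1) two RDTSC reads whose 64-bit delta is formed with sub/sbb, and
(2) an SEH handler that tests for EXCEPTION_BREAKPOINT (0x80000003) and
then stores into CONTEXT.Dr0..Dr3 (offsets 4, 8, 0Ch, 10h), i.e. the
"int3 wipes hardware breakpoints" trick.
"""
import re
from typing import List, Tuple

# (1) rdtsc ... rdtsc ... sub ... sbb  -- 64-bit timestamp delta
RDTSC_DELTA = re.compile(
    rb"\x0f\x31"            # rdtsc
    rb".{0,16}?"            # stash of the first reading (mov ecx,eax / mov ebx,edx ...)
    rb"\x0f\x31"            # rdtsc again
    rb".{0,8}?"
    rb"[\x29\x2b]."         # sub: low dword of the delta
    rb"[\x19\x1b].",        # sbb: high dword of the delta
    re.DOTALL,
)

# (2) handler prologue, EXCEPTION_BREAKPOINT test, four stores to ctx+4..+10h
DR_CLEAR_HANDLER = re.compile(
    rb"\x8b\x44\x24\x04"                   # mov eax,[esp+4]   ; EXCEPTION_RECORD*
    rb"\x8b\x4c\x24\x0c"                   # mov ecx,[esp+0Ch] ; CONTEXT*
    rb".{0,32}?"
    rb"[\x2d\x3d]\x03\x00\x00\x80"         # sub/cmp eax, 80000003h
    rb".{0,48}?"
    rb"(?:\x89[\x41\x49\x51\x59\x61\x69\x71\x79][\x04\x08\x0c\x10].{0,2}?){4}",
    re.DOTALL,
)

SIGNATURES = {
    "rdtsc-delta-check": RDTSC_DELTA,
    "int3-handler-clears-dr0-dr3": DR_CLEAR_HANDLER,
}


def scan(blob: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, signature-name) for every hit; address = base + offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((base + m.start(), name))
    return sorted(hits)


def xor_region(blob: bytes, start: int, end: int, key: int) -> bytes:
    """Involution in the spirit of the listing's Crypt_Decrypt_CODE: XOR each
    byte of [start, end) with key, so applying it twice restores the input.
    The one-byte key is a constructed assumption; the real routine is not shown here."""
    out = bytearray(blob)
    for i in range(start, end):
        out[i] ^= key
    return bytes(out)


# Constructed sample: the instruction encodings of 0047C7C0..0047C7CB and
# 0047C7ED..0047C82A from the listing, with NOP padding around them.
SAMPLE = bytes.fromhex(
    "90909090"
    "0f31" "89c1" "89d3" "0f31" "29c8" "19da" "83fa00"   # rdtsc delta check
    "90909090"
    "8b442404" "8b4c240c"                               # eax=EXCEPTION_RECORD*, ecx=CONTEXT*
    "ff81b8000000"                                      # inc dword ptr [ecx+0B8h] ; Eip++
    "8b00" "2d03000080" "7526"                          # ExceptionCode == 0x80000003 ?
    "e801000000" "90" "58" "05c1fdffff"                 # self-locating call/pop
    "8038e8" "0f8514ffffff" "c600e9"                    # E8/E9 patch of the caller
    "31c0" "894104" "894108" "89410c" "894110"          # Dr0..Dr3 = 0
    "c3"
)


def demo() -> dict:
    """Hits on the clear sample, none on the XOR-hidden copy, and the round trip."""
    hidden = xor_region(SAMPLE, 0, len(SAMPLE), 0xA5)
    return {
        "clear": scan(SAMPLE),
        "hidden": scan(hidden),
        "round_trip_ok": xor_region(hidden, 0, len(hidden), 0xA5) == SAMPLE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it over a memory dump taken after the unpacker has decrypted the region (or over the listing after the csdp.txt junk-stripping script), passing the section's load address as base; both patterns translate directly into YARA hex strings with jumps.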
SDPI:0047C82B ; ----------------------------------------------------------------------------
SDPI:0047C82B
SDPI:0047C82B PASS_47C82B: ; CODE XREF: SDPI:0047C7E0 j
SDPI:0047C82B pop eax
SDPI:0047C82C call loc_47CA2C
SDPI:0047C831 nop
SDPI:0047C832 nop
SDPI:0047C833 nop
SDPI:0047C834 nop
SDPI:0047C835 nop
SDPI:0047C836 nop
SDPI:0047C837 nop
SDPI:0047C838 nop
SDPI:0047C839
SDPI:0047C839 loc_47C839: ; CODE XREF: SDPI:0047CA55 p
SDPI:0047C839 pop ebp
SDPI:0047C83A pop eax
SDPI:0047C83B jmp loc_47CA5A
SDPI:0047C840 ; ----------------------------------------------------------------------------
SDPI:0047C840 call loc_47C846
SDPI:0047C845 nop
SDPI:0047C846
SDPI:0047C846 loc_47C846: ; CODE XREF: SDPI:0047C840 p
SDPI:0047C846 pop eax
SDPI:0047C847 add eax, 312h ; re-encrypt the code at 0047CB57
SDPI:0047C84C call loc_47C852
SDPI:0047C851 nop
SDPI:0047C852
SDPI:0047C852 loc_47C852: ; CODE XREF: SDPI:0047C84C p
SDPI:0047C852 pop edx
SDPI:0047C853 add edx, 38Ah ; end address: 0047CBDB
SDPI:0047C859 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047C859 ; encrypts or decrypts code; the two operations are
SDPI:0047C859 ; interchangeable because it is only a simple XOR, so
SDPI:0047C859 ; the same routine both encrypts and decrypts
SDPI:0047C85E mov ecx, 0FFFFFF00h
SDPI:0047C863 push fs
SDPI:0047C865 nop
SDPI:0047C866 nop
SDPI:0047C867 nop
SDPI:0047C868 nop
SDPI:0047C869 nop
SDPI:0047C86A nop
SDPI:0047C86B nop
SDPI:0047C86C nop
SDPI:0047C86D nop
SDPI:0047C86E nop
SDPI:0047C86F nop
SDPI:0047C870 nop
SDPI:0047C871 pushfw
SDPI:0047C873 push eax
SDPI:0047C874 mov eax, ebx
SDPI:0047C876 push ebx
SDPI:0047C877 mov eax, ecx
SDPI:0047C879 push eax
SDPI:0047C87A add eax, edx
SDPI:0047C87C mov ebx, eax
SDPI:0047C87E push ebx
SDPI:0047C87F pop eax
SDPI:0047C880 push edx
SDPI:0047C881 call loc_47C88E
SDPI:0047C886 nop
SDPI:0047C887 nop
SDPI:0047C888 nop
SDPI:0047C889 nop
SDPI:0047C88A nop
SDPI:0047C88B nop
SDPI:0047C88C nop
SDPI:0047C88D nop
SDPI:0047C88E
SDPI:0047C88E loc_47C88E: ; CODE XREF: SDPI:0047C881 p
SDPI:0047C88E pop eax
SDPI:0047C88F call loc_47C895
SDPI:0047C894 nop
SDPI:0047C895
SDPI:0047C895 loc_47C895: ; CODE XREF: SDPI:0047C88F p
SDPI:0047C895 pop eax
SDPI:0047C896 add eax, 11h
SDPI:0047C89B push eax
SDPI:0047C89C jmp GetTickCount
SDPI:0047C89C ; ----------------------------------------------------------------------------
SDPI:0047C8A1 db 4 dup(90h)
SDPI:0047C8A5 ; ----------------------------------------------------------------------------
SDPI:0047C8A5 push eax
SDPI:0047C8A6 mov eax, edx
SDPI:0047C8A8 push eax
SDPI:0047C8A9 call loc_47C8AF
SDPI:0047C8AE nop
SDPI:0047C8AF
SDPI:0047C8AF loc_47C8AF: ; CODE XREF: SDPI:0047C8A9 p
SDPI:0047C8AF pop edx
SDPI:0047C8B0 add edx, 52h
SDPI:0047C8B6 push edx
SDPI:0047C8B7 add edx, 4038B7h
SDPI:0047C8BD push edx
SDPI:0047C8BE jmp short loc_47C913
SDPI:0047C8BE ; ----------------------------------------------------------------------------
SDPI:0047C8C0 db 2 dup(90h)
SDPI:0047C8C2
SDPI:0047C8C2 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C8C2
SDPI:0047C8C2
SDPI:0047C8C2 sub_47C8C2 proc near ; CODE XREF: SDPI:0047C906 p
SDPI:0047C8C2 pop eax
SDPI:0047C8C3 pop ebx
SDPI:0047C8C4 call sub_47C8CA
SDPI:0047C8C9 nop
SDPI:0047C8C9 sub_47C8C2 endp
SDPI:0047C8C9
SDPI:0047C8CA
SDPI:0047C8CA ; ************** S U B R O U T I N E *****************************************
SDPI:0047C8CA
SDPI:0047C8CA
SDPI:0047C8CA sub_47C8CA proc near ; CODE XREF: sub_47C8C2+2 p
SDPI:0047C8CA pop eax
SDPI:0047C8CB add eax, 11h
SDPI:0047C8D0 push eax
SDPI:0047C8D1 jmp GetTickCount
SDPI:0047C8D1 sub_47C8CA endp
SDPI:0047C8D1
SDPI:0047C8D1 ; ----------------------------------------------------------------------------
SDPI:0047C8D6 db 4 dup(90h)
SDPI:0047C8DA ; ----------------------------------------------------------------------------
SDPI:0047C8DA pop ebx
SDPI:0047C8DB add ebx, 1F4h
SDPI:0047C8E1 sub ebx, eax
SDPI:0047C8E3 js short OVER_47C927
SDPI:0047C8E5 call loc_47C8EB
SDPI:0047C8EA nop
SDPI:0047C8EB
SDPI:0047C8EB loc_47C8EB: ; CODE XREF: SDPI:0047C8E5 p
SDPI:0047C8EB pop ebx
SDPI:0047C8EC add ebx, 0A5h
SDPI:0047C8F2 push ebx
SDPI:0047C8F3 call loc_47C91D
SDPI:0047C8F8 nop
SDPI:0047C8F9 nop
SDPI:0047C8FA nop
SDPI:0047C8FB nop
SDPI:0047C8FC nop
SDPI:0047C8FD nop
SDPI:0047C8FE nop
SDPI:0047C8FF nop
SDPI:0047C900 pop eax
SDPI:0047C901 mov edx, eax
SDPI:0047C903 mov eax, ebx
SDPI:0047C905 push eax
SDPI:0047C906 call sub_47C8C2
SDPI:0047C90B nop
SDPI:0047C90C nop
SDPI:0047C90D nop
SDPI:0047C90E nop
SDPI:0047C90F nop
SDPI:0047C910 nop
SDPI:0047C911 nop
SDPI:0047C912 nop
SDPI:0047C913
SDPI:0047C913 loc_47C913: ; CODE XREF: SDPI:0047C8BE j
SDPI:0047C913 pop eax
SDPI:0047C914 retn
SDPI:0047C914 ; ----------------------------------------------------------------------------
SDPI:0047C915 db 8 dup(90h)
SDPI:0047C91D ; ----------------------------------------------------------------------------
SDPI:0047C91D
SDPI:0047C91D loc_47C91D: ; CODE XREF: SDPI:0047C8F3 p
SDPI:0047C91D pop edx
SDPI:0047C91E retn
SDPI:0047C91E ; ----------------------------------------------------------------------------
SDPI:0047C91F db 8 dup(90h)
SDPI:0047C927
SDPI:0047C927 ; ************** S U B R O U T I N E *****************************************
SDPI:0047C927
SDPI:0047C927
SDPI:0047C927 OVER_47C927 proc near ; CODE XREF: SDPI:0047C8E3 j
SDPI:0047C927 nop
SDPI:0047C928 nop
SDPI:0047C929 nop
SDPI:0047C92A nop
SDPI:0047C92B nop
SDPI:0047C92C call loc_47C932
SDPI:0047C931 nop
SDPI:0047C932
SDPI:0047C932 loc_47C932: ; CODE XREF: OVER_47C927+5 p
SDPI:0047C932 pop eax
SDPI:0047C933 add eax, 5Eh
SDPI:0047C938 mov edx, eax
SDPI:0047C93A add edx, 32h
SDPI:0047C93D call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047C93D ; encrypts or decrypts code; the two operations are
SDPI:0047C93D ; interchangeable because it is only a simple XOR, so
SDPI:0047C93D ; the same routine both encrypts and decrypts
SDPI:0047C942 call loc_47C948
SDPI:0047C947 nop
SDPI:0047C948
SDPI:0047C948 loc_47C948: ; CODE XREF: OVER_47C927+1B p
SDPI:0047C948 pop eax
SDPI:0047C949 add eax, 2755h
SDPI:0047C94E call loc_47C954
SDPI:0047C953 nop
SDPI:0047C954
SDPI:0047C954 loc_47C954: ; CODE XREF: OVER_47C927+27 p
SDPI:0047C954 pop ecx
SDPI:0047C955 add ecx, 27F6h
SDPI:0047C95B push 0
SDPI:0047C95D push ecx
SDPI:0047C95E push eax
SDPI:0047C95F push 0
SDPI:0047C961 call loc_47C967
SDPI:0047C966 nop
SDPI:0047C967
SDPI:0047C967 loc_47C967: ; CODE XREF: OVER_47C927+3A p
SDPI:0047C967 pop eax
SDPI:0047C968 add eax, 11h
SDPI:0047C96D push eax
SDPI:0047C96E jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047C96E ; checks whether the function's first 5 bytes are CC,
SDPI:0047C96E ; i.e. whether an int3 breakpoint was set on it
SDPI:0047C96E ; ----------------------------------------------------------------------------
SDPI:0047C973 db 4 dup(90h)
SDPI:0047C977 ; ----------------------------------------------------------------------------
SDPI:0047C977 push 7
SDPI:0047C979 call loc_47C97F
SDPI:0047C97E nop
SDPI:0047C97F
SDPI:0047C97F loc_47C97F: ; CODE XREF: OVER_47C927+52 p
SDPI:0047C97F pop eax
SDPI:0047C980 add eax, 11h
SDPI:0047C985 push eax
SDPI:0047C986 jmp ExitProcess
SDPI:0047C986 ; ----------------------------------------------------------------------------
SDPI:0047C98B db 4 dup(90h)
SDPI:0047C98B OVER_47C927 endp
SDPI:0047C98B
SDPI:0047C98F ; ----------------------------------------------------------------------------
SDPI:0047C98F pop edx
SDPI:0047C990 mov eax, ecx
SDPI:0047C992 add eax, edx
SDPI:0047C994 inc ecx
SDPI:0047C995 push eax
SDPI:0047C996 inc ecx
SDPI:0047C997 pop ebx
SDPI:0047C998 pop ecx
SDPI:0047C999 push eax
SDPI:0047C99A sub eax, 8
SDPI:0047C99D pop ebx
SDPI:0047C99E pop ebx
SDPI:0047C99F inc eax
SDPI:0047C9A0 add eax, ebx
SDPI:0047C9A2 pop eax
SDPI:0047C9A3 pushfw
SDPI:0047C9A5 popfw
SDPI:0047C9A7 popfw
SDPI:0047C9A9 pop es
SDPI:0047C9AA mov eax, 12345678h
SDPI:0047C9AF push eax
SDPI:0047C9B0 call loc_47C9B6
SDPI:0047C9B5 nop
SDPI:0047C9B6
SDPI:0047C9B6 loc_47C9B6: ; CODE XREF: SDPI:0047C9B0 p
SDPI:0047C9B6 pop eax
SDPI:0047C9B7 add eax, 12Ch
SDPI:0047C9BC push eax
SDPI:0047C9BD pop ebx
SDPI:0047C9BE add eax, 12h
SDPI:0047C9C1 pop edx
SDPI:0047C9C2 add eax, edx
SDPI:0047C9C4 mov edx, eax
SDPI:0047C9C6 push ebx
SDPI:0047C9C7 mov ebx, es:[ecx+100h]
SDPI:0047C9CE push ebx
SDPI:0047C9CF mov eax, esp
SDPI:0047C9D1 mov ebx, eax
SDPI:0047C9D3 push ebx
SDPI:0047C9D4 pop edx
SDPI:0047C9D5 mov es:[ecx+100h], eax
SDPI:0047C9DC xor eax, eax
SDPI:0047C9DC ; ----------------------------------------------------------------------------
SDPI:0047C9DE db 38h dup(90h)
SDPI:0047CA16 ; ----------------------------------------------------------------------------
SDPI:0047CA16 int 3 ; Trap to Debugger
SDPI:0047CA17 nop
SDPI:0047CA18 xor eax, eax
SDPI:0047CA1A mov dword ptr [eax], 403B1Ah
SDPI:0047CA20 nop
SDPI:0047CA21 nop
SDPI:0047CA22 nop
SDPI:0047CA23 nop
SDPI:0047CA24 nop
SDPI:0047CA25 nop
SDPI:0047CA26 nop
SDPI:0047CA27 nop
SDPI:0047CA28 nop
SDPI:0047CA29 nop
SDPI:0047CA2A nop
SDPI:0047CA2B nop
SDPI:0047CA2C
SDPI:0047CA2C loc_47CA2C: ; CODE XREF: SDPI:0047C82C p
SDPI:0047CA2C call loc_47CA32
SDPI:0047CA31 nop
SDPI:0047CA32
SDPI:0047CA32 loc_47CA32: ; CODE XREF: SDPI:loc_47CA2C p
SDPI:0047CA32 pop eax
SDPI:0047CA33 add eax, 11h
SDPI:0047CA38 push eax
SDPI:0047CA39 jmp GetTickCount
SDPI:0047CA39 ; ----------------------------------------------------------------------------
SDPI:0047CA3E db 4 dup(90h)
SDPI:0047CA42 ; ----------------------------------------------------------------------------
SDPI:0047CA42 call loc_47CA48
SDPI:0047CA47 nop
SDPI:0047CA48
SDPI:0047CA48 loc_47CA48: ; CODE XREF: SDPI:0047CA42 p
SDPI:0047CA48 pop edx
SDPI:0047CA49 add edx, 0FFFFFB09h
SDPI:0047CA4F mov [edx], eax
SDPI:0047CA51 pop ebp
SDPI:0047CA52 add eax, edx
SDPI:0047CA54 push eax
SDPI:0047CA55 call loc_47C839
SDPI:0047CA5A
SDPI:0047CA5A loc_47CA5A: ; CODE XREF: SDPI:0047C83B j
SDPI:0047CA5A call loc_47CA60
SDPI:0047CA5F nop
SDPI:0047CA60
SDPI:0047CA60 loc_47CA60: ; CODE XREF: SDPI:loc_47CA5A p
SDPI:0047CA60 pop edx
SDPI:0047CA61 add edx, 0FFFFFDE1h
SDPI:0047CA67 add edx, eax
SDPI:0047CA69 push edx
SDPI:0047CA6A pop ecx
SDPI:0047CA6B sub ecx, eax
SDPI:0047CA6D push ecx
SDPI:0047CA6E retn 4
SDPI:0047CA71
SDPI:0047CA71 ; ************** S U B R O U T I N E *****************************************
SDPI:0047CA71
SDPI:0047CA71
SDPI:0047CA71 Over_47ca71 proc near ; CODE XREF: SDPI:0047CB14 j
SDPI:0047CA71 ; SDPI:0047CB1C j ...
SDPI:0047CA71 nop
SDPI:0047CA72 nop
SDPI:0047CA73 nop
SDPI:0047CA74 nop
SDPI:0047CA75 nop
SDPI:0047CA76 call loc_47CA7C
SDPI:0047CA7B nop
SDPI:0047CA7C
SDPI:0047CA7C loc_47CA7C: ; CODE XREF: Over_47ca71+5 p
SDPI:0047CA7C pop eax
SDPI:0047CA7D add eax, 5Eh
SDPI:0047CA82 mov edx, eax
SDPI:0047CA84 add edx, 32h
SDPI:0047CA87 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047CA87 ; encrypts or decrypts code; the two operations are
SDPI:0047CA87 ; interchangeable because it is only a simple XOR, so
SDPI:0047CA87 ; the same routine both encrypts and decrypts
SDPI:0047CA8C call loc_47CA92
SDPI:0047CA91 nop
SDPI:0047CA92
SDPI:0047CA92 loc_47CA92: ; CODE XREF: Over_47ca71+1B p
SDPI:0047CA92 pop eax
SDPI:0047CA93 add eax, 260Bh
SDPI:0047CA98 call loc_47CA9E
SDPI:0047CA9D nop
SDPI:0047CA9E
SDPI:0047CA9E loc_47CA9E: ; CODE XREF: Over_47ca71+27 p
SDPI:0047CA9E pop ecx
SDPI:0047CA9F add ecx, 26ACh
SDPI:0047CAA5 push 0
SDPI:0047CAA7 push ecx
SDPI:0047CAA8 push eax
SDPI:0047CAA9 push 0
SDPI:0047CAAB call loc_47CAB1
SDPI:0047CAB0 nop
SDPI:0047CAB1
SDPI:0047CAB1 loc_47CAB1: ; CODE XREF: Over_47ca71+3A p
SDPI:0047CAB1 pop eax
SDPI:0047CAB2 add eax, 11h
SDPI:0047CAB7 push eax
SDPI:0047CAB8 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047CAB8 ; checks whether the function's first 5 bytes are CC,
SDPI:0047CAB8 ; i.e. whether an int3 breakpoint was set on it
SDPI:0047CAB8 ; ----------------------------------------------------------------------------
SDPI:0047CABD db 4 dup(90h)
SDPI:0047CAC1 ; ----------------------------------------------------------------------------
SDPI:0047CAC1 push 7
SDPI:0047CAC3 call loc_47CAC9
SDPI:0047CAC8 nop
SDPI:0047CAC9
SDPI:0047CAC9 loc_47CAC9: ; CODE XREF: Over_47ca71+52 p
SDPI:0047CAC9 pop eax
SDPI:0047CACA add eax, 11h
SDPI:0047CACF push eax
SDPI:0047CAD0 jmp ExitProcess
SDPI:0047CAD0 ; ----------------------------------------------------------------------------
SDPI:0047CAD5 db 4 dup(90h), 0, 10h, 40h, 0, 0BEh, 56h, 5Ch, 1
SDPI:0047CAD5 Over_47ca71 endp
SDPI:0047CAD5
SDPI:0047CAE1 ; ----------------------------------------------------------------------------
SDPI:0047CAE1 mov esp, [esp+8]
SDPI:0047CAE5 pop large dword ptr fs:0
SDPI:0047CAEC call loc_47CAF2
SDPI:0047CAF1 nop
SDPI:0047CAF2
SDPI:0047CAF2 loc_47CAF2: ; CODE XREF: SDPI:0047CAEC p
SDPI:0047CAF2 pop eax
SDPI:0047CAF3 add eax, 11h
SDPI:0047CAF8 push eax
SDPI:0047CAF9 jmp GetTickCount
SDPI:0047CAF9 ; ----------------------------------------------------------------------------
SDPI:0047CAFE db 4 dup(90h)
SDPI:0047CB02 ; ----------------------------------------------------------------------------
SDPI:0047CB02 call loc_47CB08
SDPI:0047CB07 nop
SDPI:0047CB08
SDPI:0047CB08 loc_47CB08: ; CODE XREF: SDPI:0047CB02 p
SDPI:0047CB08 pop edx
SDPI:0047CB09 add edx, 0FFFFFA49h
SDPI:0047CB0F mov ecx, [edx]
SDPI:0047CB11 cmp ecx, 0
SDPI:0047CB14 jz Over_47ca71
SDPI:0047CB1A sub eax, ecx
SDPI:0047CB1C js Over_47ca71
SDPI:0047CB22 sub eax, 7D0h
SDPI:0047CB27 jns Over_47ca71
SDPI:0047CB2D mov eax, 0E801276h
SDPI:0047CB32 mov [edx], eax
SDPI:0047CB34 call loc_47CB3A
SDPI:0047CB39 nop
SDPI:0047CB3A
SDPI:0047CB3A loc_47CB3A: ; CODE XREF: SDPI:0047CB34 p
SDPI:0047CB3A pop edx
SDPI:0047CB3B add edx, 0A2h
SDPI:0047CB41 call loc_47CB47
SDPI:0047CB46 nop
SDPI:0047CB47
SDPI:0047CB47 loc_47CB47: ; CODE XREF: SDPI:0047CB41 p
SDPI:0047CB47 pop eax
SDPI:0047CB48 add eax, 0FFFFD652h
SDPI:0047CB4D mov ecx, 10h ; decrypt the code again
SDPI:0047CB52 call De_Code ; invoke De_Code, ecx(counter), eax(key), edx(end)
SDPI:0047CB52 ; decrypts code; the start address is the address of the
SDPI:0047CB52 ; instruction immediately following this call
SDPI:0047CB52 ; ----------------------------------------------------------------------------
SDPI:0047CB57 db 0Fh dup(90h)
SDPI:0047CB66 ; ----------------------------------------------------------------------------
SDPI:0047CB66 call loc_47CB6C
SDPI:0047CB6B nop
SDPI:0047CB6C
SDPI:0047CB6C loc_47CB6C: ; CODE XREF: SDPI:0047CB66 p
SDPI:0047CB6C pop eax
SDPI:0047CB6D add eax, 11h
SDPI:0047CB72 push eax
SDPI:0047CB73 jmp Get_Version
SDPI:0047CB73 ; ----------------------------------------------------------------------------
SDPI:0047CB78 db 4 dup(90h)
SDPI:0047CB7C ; ----------------------------------------------------------------------------
SDPI:0047CB7C call loc_47CB82
SDPI:0047CB81 nop
SDPI:0047CB82
SDPI:0047CB82 loc_47CB82: ; CODE XREF: SDPI:0047CB7C p
SDPI:0047CB82 pop edx
SDPI:0047CB83 add edx, 0FFFFD483h
SDPI:0047CB89 cmp eax, [edx] ; checks again whether GetVersion's return value was modified
SDPI:0047CB8B jnz OVER_47C43A
SDPI:0047CB91 cmp eax, 80000000h
SDPI:0047CB96 jb NotIsWin9x_47D312 ; checks again whether this is a Windows NT system
SDPI:0047CB9C mov ah, 43h ; on Win9x, raise an int 68h exception
SDPI:0047CB9E int 68h ; - APPC/PC
SDPI:0047CBA0 cmp ax, 0F386h
SDPI:0047CBA4 jnz NODBG_47CC43
SDPI:0047CBAA jz short near ptr aU4Rrrrr+6
SDPI:0047CBAC push ebx
SDPI:0047CBAD push edi
SDPI:0047CBAE push es
SDPI:0047CBAE ; ----------------------------------------------------------------------------
SDPI:0047CBAF a9 db '~',6,'',4,'9窿',0Dh
SDPI:0047CBB7 ; ----------------------------------------------------------------------------
SDPI:0047CBB7 xor di, di
SDPI:0047CBBA db 66h
SDPI:0047CBBA mov es, di
SDPI:0047CBBD mov ax, 1684h
SDPI:0047CBC1 mov bx, 202h
SDPI:0047CBC5 int 2Fh
SDPI:0047CBC7 mov ax, es
SDPI:0047CBCA add ax, di
SDPI:0047CBCD pop es
SDPI:0047CBCE pop edi
SDPI:0047CBCF pop ebx
SDPI:0047CBD0 test ax, ax
SDPI:0047CBD3 jz short NODBG_47CC43
SDPI:0047CBD3 ; ----------------------------------------------------------------------------
SDPI:0047CBD5 aU4Rrrrr db 'u',4,'$4',5,0,'悙悙? ; CODE XREF: SDPI:0047CBAA j
SDPI:0047CBE0
SDPI:0047CBE0 ; ************** S U B R O U T I N E *****************************************
SDPI:0047CBE0
SDPI:0047CBE0
SDPI:0047CBE0 FNDDBG_46CBE0 proc near
SDPI:0047CBE0 call loc_47CBE6
SDPI:0047CBE5 nop
SDPI:0047CBE6
SDPI:0047CBE6 loc_47CBE6: ; CODE XREF: FNDDBG_46CBE0 p
SDPI:0047CBE6 pop eax
SDPI:0047CBE7 add eax, 5Eh
SDPI:0047CBEC mov edx, eax
SDPI:0047CBEE add edx, 32h
SDPI:0047CBF1 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047CBF1 ; encrypts or decrypts code; the two operations are
SDPI:0047CBF1 ; interchangeable because it is only a simple XOR, so
SDPI:0047CBF1 ; the same routine both encrypts and decrypts
SDPI:0047CBF6 call loc_47CBFC
SDPI:0047CBFB nop
SDPI:0047CBFC
SDPI:0047CBFC loc_47CBFC: ; CODE XREF: FNDDBG_46CBE0+16 p
SDPI:0047CBFC pop eax
SDPI:0047CBFD add eax, 24A1h
SDPI:0047CC02 call loc_47CC08
SDPI:0047CC07 nop
SDPI:0047CC08
SDPI:0047CC08 loc_47CC08: ; CODE XREF: FNDDBG_46CBE0+22 p
SDPI:0047CC08 pop ecx
SDPI:0047CC09 add ecx, 2542h
SDPI:0047CC0F push 0
SDPI:0047CC11 push ecx
SDPI:0047CC12 push eax
SDPI:0047CC13 push 0
SDPI:0047CC15 call loc_47CC1B
SDPI:0047CC1A nop
SDPI:0047CC1B
SDPI:0047CC1B loc_47CC1B: ; CODE XREF: FNDDBG_46CBE0+35 p
SDPI:0047CC1B pop eax
SDPI:0047CC1C add eax, 11h
SDPI:0047CC21 push eax
SDPI:0047CC22 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047CC22 ; checks whether the function's first 5 bytes are CC,
SDPI:0047CC22 ; i.e. whether an int3 breakpoint was set on it
SDPI:0047CC22 ; ----------------------------------------------------------------------------
SDPI:0047CC27 db 90h
SDPI:0047CC28 db 90h
SDPI:0047CC29 db 90h
SDPI:0047CC2A db 90h
SDPI:0047CC2B ; ----------------------------------------------------------------------------
SDPI:0047CC2B push 7
SDPI:0047CC2D call loc_47CC33
SDPI:0047CC32 nop
SDPI:0047CC33
SDPI:0047CC33 loc_47CC33: ; CODE XREF: FNDDBG_46CBE0+4D p
SDPI:0047CC33 pop eax
SDPI:0047CC34 add eax, 11h
SDPI:0047CC39 push eax
SDPI:0047CC3A jmp ExitProcess
SDPI:0047CC3A ; ----------------------------------------------------------------------------
SDPI:0047CC3F db 4 dup(90h)
SDPI:0047CC3F FNDDBG_46CBE0 endp
SDPI:0047CC3F
SDPI:0047CC43 ; ----------------------------------------------------------------------------
SDPI:0047CC43
SDPI:0047CC43 NODBG_47CC43: ; CODE XREF: SDPI:0047CBA4 j
SDPI:0047CC43 ; SDPI:0047CBD3 j
SDPI:0047CC43 nop
SDPI:0047CC44 nop
SDPI:0047CC45 nop
SDPI:0047CC46 nop
SDPI:0047CC47 nop
SDPI:0047CC48 nop
SDPI:0047CC49 nop
SDPI:0047CC4A nop
SDPI:0047CC4B nop
SDPI:0047CC4C nop
SDPI:0047CC4D nop
SDPI:0047CC4E nop
SDPI:0047CC4F nop
SDPI:0047CC50 nop
SDPI:0047CC51 nop
SDPI:0047CC52 push cs
SDPI:0047CC53 push eax
SDPI:0047CC54 xor eax, eax
SDPI:0047CC56 call loc_47CC5C
SDPI:0047CC5B nop
SDPI:0047CC5C
SDPI:0047CC5C loc_47CC5C: ; CODE XREF: SDPI:0047CC56 p
SDPI:0047CC5C pop edi
SDPI:0047CC5D add edi, 61h
SDPI:0047CC63 mov ebx, [edi]
SDPI:0047CC65 mov edx, [edi+4]
SDPI:0047CC65 ; ----------------------------------------------------------------------------
SDPI:0047CC68 db 0Ch dup(90h)
SDPI:0047CC74 ; ----------------------------------------------------------------------------
SDPI:0047CC74 call loc_47CC7A
SDPI:0047CC79 nop
SDPI:0047CC7A
SDPI:0047CC7A loc_47CC7A: ; CODE XREF: SDPI:0047CC74 p
SDPI:0047CC7A pop esi
SDPI:0047CC7B add esi, 59h
SDPI:0047CC81 mov ecx, 3
SDPI:0047CC81 ; ----------------------------------------------------------------------------
SDPI:0047CC86 db 34h dup(90h)
SDPI:0047CCBA db 2 dup(90h)
SDPI:0047CCBC ; ----------------------------------------------------------------------------
SDPI:0047CCBC rep movsw
SDPI:0047CCBC ; ----------------------------------------------------------------------------
SDPI:0047CCBF db 0E8h, 7Ch, 3 dup(0), 0E8h, 0E7h, 3 dup(0), 0E8h, 0
SDPI:0047CCBF db 10h, 40h, 0, 0B0h, 89h, 9Ch, 4, 0EBh, 1, 90h, 0EBh
SDPI:0047CCBF db 3, 6 dup(90h)
SDPI:0047CCDD
SDPI:0047CCDD ; ************** S U B R O U T I N E *****************************************
SDPI:0047CCDD
SDPI:0047CCDD
SDPI:0047CCDD FNDDBG_47CCDD proc near
SDPI:0047CCDD call loc_47CCE3
SDPI:0047CCE2 nop
SDPI:0047CCE3
SDPI:0047CCE3 loc_47CCE3: ; CODE XREF: FNDDBG_47CCDD p
SDPI:0047CCE3 pop eax
SDPI:0047CCE4 add eax, 5Eh
SDPI:0047CCE9 mov edx, eax
SDPI:0047CCEB add edx, 32h
SDPI:0047CCEE call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047CCEE ; encrypts or decrypts code; the two operations are
SDPI:0047CCEE ; interchangeable because it is only a simple XOR, so
SDPI:0047CCEE ; the same routine both encrypts and decrypts
SDPI:0047CCF3 call loc_47CCF9
SDPI:0047CCF8 nop
SDPI:0047CCF9
SDPI:0047CCF9 loc_47CCF9: ; CODE XREF: FNDDBG_47CCDD+16 p
SDPI:0047CCF9 pop eax
SDPI:0047CCFA add eax, 23A4h
SDPI:0047CCFF call loc_47CD05
SDPI:0047CD04 nop
SDPI:0047CD05
SDPI:0047CD05 loc_47CD05: ; CODE XREF: FNDDBG_47CCDD+22 p
SDPI:0047CD05 pop ecx
SDPI:0047CD06 add ecx, 2445h
SDPI:0047CD0C push 0
SDPI:0047CD0E push ecx
SDPI:0047CD0F push eax
SDPI:0047CD10 push 0
SDPI:0047CD12 call loc_47CD18
SDPI:0047CD17 nop
SDPI:0047CD18
SDPI:0047CD18 loc_47CD18: ; CODE XREF: FNDDBG_47CCDD+35 p
SDPI:0047CD18 pop eax
SDPI:0047CD19 add eax, 11h
SDPI:0047CD1E push eax
SDPI:0047CD1F jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047CD1F ; checks whether the function's first 5 bytes are CC,
SDPI:0047CD1F ; i.e. whether an int3 breakpoint was set on it
SDPI:0047CD1F ; ----------------------------------------------------------------------------
SDPI:0047CD24 db 4 dup(90h)
SDPI:0047CD28 ; ----------------------------------------------------------------------------
SDPI:0047CD28 push 7
SDPI:0047CD2A call loc_47CD30
SDPI:0047CD2F nop
SDPI:0047CD30
SDPI:0047CD30 loc_47CD30: ; CODE XREF: FNDDBG_47CCDD+4D p
SDPI:0047CD30 pop eax
SDPI:0047CD31 add eax, 11h
SDPI:0047CD36 push eax
SDPI:0047CD37 jmp ExitProcess
SDPI:0047CD37 ; ----------------------------------------------------------------------------
SDPI:0047CD3C db 4 dup(90h)
SDPI:0047CD3C FNDDBG_47CCDD endp
SDPI:0047CD3C
SDPI:0047CD40
SDPI:0047CD40 ; ************** S U B R O U T I N E *****************************************
SDPI:0047CD40
SDPI:0047CD40
SDPI:0047CD40 FNDDBG_47CD40 proc near
SDPI:0047CD40 nop
SDPI:0047CD41 nop
SDPI:0047CD42 nop
SDPI:0047CD43 nop
SDPI:0047CD44 nop
SDPI:0047CD45 call loc_47CD4B
SDPI:0047CD4A nop
SDPI:0047CD4B
SDPI:0047CD4B loc_47CD4B: ; CODE XREF: FNDDBG_47CD40+5 p
SDPI:0047CD4B pop eax
SDPI:0047CD4C add eax, 5Eh
SDPI:0047CD51 mov edx, eax
SDPI:0047CD53 add edx, 32h
SDPI:0047CD56 call Crypt_Decrypt_CODE ; in: edx = end address, eax = start address
SDPI:0047CD56 ; encrypts or decrypts code; the two operations are
SDPI:0047CD56 ; interchangeable because it is only a simple XOR, so
SDPI:0047CD56 ; the same routine both encrypts and decrypts
SDPI:0047CD5B call loc_47CD61
SDPI:0047CD60 nop
SDPI:0047CD61
SDPI:0047CD61 loc_47CD61: ; CODE XREF: FNDDBG_47CD40+1B p
SDPI:0047CD61 pop eax
SDPI:0047CD62 add eax, 233Ch
SDPI:0047CD67 call loc_47CD6D
SDPI:0047CD6C nop
SDPI:0047CD6D
SDPI:0047CD6D loc_47CD6D: ; CODE XREF: FNDDBG_47CD40+27 p
SDPI:0047CD6D pop ecx
SDPI:0047CD6E add ecx, 23DDh
SDPI:0047CD74 push 0
SDPI:0047CD76 push ecx
SDPI:0047CD77 push eax
SDPI:0047CD78 push 0
SDPI:0047CD7A call loc_47CD80
SDPI:0047CD7F nop
SDPI:0047CD80
SDPI:0047CD80 loc_47CD80: ; CODE XREF: FNDDBG_47CD40+3A p
SDPI:0047CD80 pop eax
SDPI:0047CD81 add eax, 11h
SDPI:0047CD86 push eax
SDPI:0047CD87 jmp MessageBoxA ; MessageBoxA; the packer wraps it in a macro that
SDPI:0047CD87 ; checks whether the function's first 5 bytes are CC,
SDPI:0047CD87 ; i.e. whether an int3 breakpoint was set on it
SDPI:0047CD87 ; ----------------------------------------------------------------------------
SDPI:0047CD8C db 4 dup(90h)
SDPI:0047CD90 ; ----------------------------------------------------------------------------
SDPI:0047CD90 push 7
SDPI:0047CD92 call loc_47CD98
SDPI:0047CD97 nop
SDPI:0047CD98
SDPI:0047CD98 loc_47CD98: ; CODE XREF: FNDDBG_47CD40+52 p
SDPI:0047CD98 pop eax
SDPI:0047CD99 add eax, 11h
SDPI:0047CD9E push eax
SDPI:0047CD9F jmp ExitProcess
SDPI:0047CD9F ; ----------------------------------------------------------------------------
SDPI:0047CDA4 db 4 dup(90h), 0, 10h, 40h, 0, 0E0h, 89h, 9Ch, 6
SDPI:0047CDA4 FNDDBG_47CD40 endp
SDPI:0047CDA4
SDPI:0047CDB0 ; ----------------------------------------------------------------------------
SDPI:0047CDB0 call loc_47CDB6
SDPI:0047CDB5 nop
SDPI:0047CDB6
SDPI:0047CDB6 loc_47CDB6: ; CODE XREF: SDPI:0047CDB0 p
SDPI:0047CDB6 pop edi
SDPI:0047CDB7 add edi, 0FFFFFF07h
SDPI:0047CDBD mov [edi], ebx
SDPI:0047CDBF mov [edi+4], edx
SDPI:0047CDC2 pop eax
SDPI:0047CDC3 call loc_47CDC9
SDPI:0047CDC8 nop
SDPI:0047CDC9
SDPI:0047CDC9 loc_47CDC9: ; CODE XREF: SDPI:0047CDC3 p
SDPI:0047CDC9 pop eax
SDPI:0047CDCA add eax, 124h
SDPI:0047CDCF push eax
SDPI:0047CDD0 xor eax, eax
SDPI:0047CDD2 push dword ptr fs:[eax]
SDPI:0047CDD5 mov fs:[eax], esp
SDPI:0047CDD8 mov ebp, 300EF1D3h
SDPI:0047CDDD add ebp, 12345678h
SDPI:0047CDE3 mov ax, 17h
SDPI:0047CDE7 sub ax, 13h
SDPI:0047CDEB nop
SDPI:0047CDEC nop
SDPI:0047CDED nop
SDPI:0047CDEE nop
SDPI:0047CDEF nop
SDPI:0047CDF0 nop
SDPI:0047CDF1 nop
SDPI:0047CDF2 nop
SDPI:0047CDF3 nop
SDPI:0047CDF4 nop
SDPI:0047CDF5 nop
SDPI:0047CDF6 nop
SDPI:0047CDF7 nop
SDPI:0047CDF8 nop
SDPI:0047CDF9 nop
SDPI:0047CDFA nop
SDPI:0047CDFB nop
SDPI:0047CDFC nop
SDPI:0047CDFD nop
SDPI:0047CDFE nop
SDPI:0047CDFF nop
SDPI:0047CE00 nop
SDPI:0047CE01 nop
SDPI:0047CE02 nop
SDPI:0047CE03 nop
SDPI:0047CE04 nop
SDPI:0047CE05 nop
SDPI:0047CE06 nop
SDPI:0047CE07 nop
SDPI:0047CE08 nop
SDPI:0047CE09 nop
SDPI:0047CE0A nop
SDPI:0047CE0B nop
SDPI:0047CE0C nop
SDPI:0047CE0D nop
SDPI:0047CE0E nop
SDPI:0047CE0F nop
SDPI:0047CE10 nop
SDPI:0047CE11 nop
SDPI:0047CE12 nop
SDPI:0047CE13 nop
SDPI:0047CE14 nop
SDPI:0047CE15 nop
SDPI:0047CE16 nop
SDPI:0047CE17 nop
SDPI:0047CE18 nop
SDPI:0047CE19 nop
SDPI:0047CE1A nop
SDPI:0047CE1B nop
SDPI:0047CE1C nop
SDPI:0047CE1D nop
SDPI:0047CE1E nop
SDPI:0047CE1F nop
SDPI:0047CE20 nop
SDPI:0047CE21 nop
SDPI:0047CE22 nop
SDPI:0047CE23 nop
SDPI:0047CE24 nop
SDPI:0047CE25 nop
SDPI:0047CE26 int 3 ; Trap to Debugger
SDPI:0047CE27 nop
SDPI:0047CE28 cmp al, 4
SDPI:0047CE2A jz short loc_47CE9D
SDPI:0047CE2C
SDPI:0047CE2C ; ************** S U B R O U T I N E *****************************************
SDPI:0047CE2C
SDPI:0047CE2C
SDPI:0047CE2C FNDDBG_47CE2C proc near ; CODE XREF: SDPI:0047CEB6 j
SDPI:0047CE2C ; SDPI:0047CECE j ...
SDPI:0047CE2C nop
SDPI:0047CE2D nop
SDPI:0047CE2E nop
SDPI:0047CE2F nop
SDPI:0047CE30 nop
SDPI:0047CE31 call loc_47CE37
SDPI:0047CE36 nop
SDPI:0047CE37
SDPI:0047CE37 loc_47CE37: ; CODE XREF: FNDDBG_47CE2C+5 p
SDPI:0047CE37 pop eax
SDPI:0047CE38 add eax, 5Eh
SDPI:0047CE3D mov edx, eax
SDPI:0047CE3F add edx, 32h
SDPI:0047CE42 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047CE42 ; encrypts or decrypts code; the two operations are
SDPI:0047CE42 ; interchangeable because it is only a simple xor,
SDPI:0047CE42 ; so the same routine both encrypts and decrypts
SDPI:0047CE47 call loc_47CE4D
SDPI:0047CE4C nop
SDPI:0047CE4D
SDPI:0047CE4D loc_47CE4D: ; CODE XREF: FNDDBG_47CE2C+1B p
SDPI:0047CE4D pop eax
SDPI:0047CE4E add eax, 2250h
SDPI:0047CE53 call loc_47CE59
SDPI:0047CE58 nop
SDPI:0047CE59
SDPI:0047CE59 loc_47CE59: ; CODE XREF: FNDDBG_47CE2C+27 p
SDPI:0047CE59 pop ecx
SDPI:0047CE5A add ecx, 22F1h
SDPI:0047CE60 push 0
SDPI:0047CE62 push ecx
SDPI:0047CE63 push eax
SDPI:0047CE64 push 0
SDPI:0047CE66 call loc_47CE6C
SDPI:0047CE6B nop
SDPI:0047CE6C
SDPI:0047CE6C loc_47CE6C: ; CODE XREF: FNDDBG_47CE2C+3A p
SDPI:0047CE6C pop eax
SDPI:0047CE6D add eax, 11h
SDPI:0047CE72 push eax
SDPI:0047CE73 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047CE73 ; that checks whether the first 5 bytes of the function
SDPI:0047CE73 ; are CC, i.e. whether an int3 breakpoint was set on it
SDPI:0047CE73 ; ----------------------------------------------------------------------------
SDPI:0047CE78 db 4 dup(90h)
SDPI:0047CE7C ; ----------------------------------------------------------------------------
SDPI:0047CE7C push 7
SDPI:0047CE7E call loc_47CE84
SDPI:0047CE83 nop
SDPI:0047CE84
SDPI:0047CE84 loc_47CE84: ; CODE XREF: FNDDBG_47CE2C+52 p
SDPI:0047CE84 pop eax
SDPI:0047CE85 add eax, 11h
SDPI:0047CE8A push eax
SDPI:0047CE8B jmp ExitProcess
SDPI:0047CE8B ; ----------------------------------------------------------------------------
SDPI:0047CE90 db 4 dup(90h)
SDPI:0047CE94 db 0E8h, 0, 10h, 40h, 0
SDPI:0047CE99 db 0B0h, 89h, 9Ch, 4
SDPI:0047CE99 FNDDBG_47CE2C endp
SDPI:0047CE99
SDPI:0047CE9D ; ----------------------------------------------------------------------------
SDPI:0047CE9D
SDPI:0047CE9D loc_47CE9D: ; CODE XREF: SDPI:0047CE2A j
SDPI:0047CE9D pop large dword ptr fs:0
SDPI:0047CEA4 add esp, 4
SDPI:0047CEA7 call loc_47CEAD
SDPI:0047CEAC nop
SDPI:0047CEAD
SDPI:0047CEAD loc_47CEAD: ; CODE XREF: SDPI:0047CEA7 p
SDPI:0047CEAD pop eax
SDPI:0047CEAE add eax, 0FFFFFE1Dh
SDPI:0047CEB3 cmp byte ptr [eax], 0E9h
SDPI:0047CEB6 jnz FNDDBG_47CE2C
SDPI:0047CEBC mov byte ptr [eax], 0E8h
SDPI:0047CEBF rdtsc
SDPI:0047CEC1 mov ecx, eax
SDPI:0047CEC3 mov ebx, edx
SDPI:0047CEC5 rdtsc
SDPI:0047CEC7 sub eax, ecx
SDPI:0047CEC9 sbb edx, ebx
SDPI:0047CECB cmp edx, 0
SDPI:0047CECE jnz FNDDBG_47CE2C
SDPI:0047CED4 cmp eax, 30000000h
SDPI:0047CED9 ja FNDDBG_47CE2C
SDPI:0047CEDF jz short loc_47CF2A
SDPI:0047CEE1 jnz short loc_47CF2A
SDPI:0047CEE1 ; ----------------------------------------------------------------------------
SDPI:0047CEE3 dd 401000E8h
SDPI:0047CEE7 dd 9C89B000h
SDPI:0047CEEB db 4
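The jz/jnz pairs that hide junk bytes and the back-to-back rdtsc checks recur throughout this listing. The following is an added Python example (not the author's csdp script and not code from the packer) that locates both idioms in a byte buffer, reads off the cycle threshold, and rewrites each jump pair as a plain jmp; the sample bytes are constructed from the listing at 0047CEBF..0047CEEB, with the register-to-register encodings (89 C1, 89 D3, 29 C8, 19 DA) assumed.

```python
"""Added example (not part of the original analysis or of the packer):
a small scanner for two idioms that recur throughout the listing above.
The sample bytes are constructed from the listing at 0047CEBF..0047CEEB;
the register-to-register encodings (89 C1, 89 D3, 29 C8, 19 DA) are assumed."""
import re

# Constructed sample, base address 0047CEBF (see the listing above).
SAMPLE = bytes.fromhex(
    "0f31"                # rdtsc
    "89c1" "89d3"         # mov ecx, eax / mov ebx, edx (encoding assumed)
    "0f31"                # rdtsc
    "29c8" "19da"         # sub eax, ecx / sbb edx, ebx (encoding assumed)
    "83fa00"              # cmp edx, 0
    "0f8558ffffff"        # jnz FNDDBG_47CE2C
    "3d00000030"          # cmp eax, 30000000h
    "0f874dffffff"        # ja FNDDBG_47CE2C
    "7449" "7547"         # jz short loc_47CF2A / jnz short loc_47CF2A
    "e800104000b0899c04"  # the junk bytes hidden behind the jump pair
)
SAMPLE_BASE = 0x47CEBF


def rel8(b):
    """Sign-extend a one-byte jump displacement."""
    return b - 256 if b > 127 else b


def find_opaque_jcc_pairs(code, base):
    """'jcc short X ; jncc short X' is an unconditional jump in disguise.
    Short jcc opcodes are 70h..7Fh and the negated condition is always
    opcode ^ 1 (74h/75h, 70h/71h, 7Ah/7Bh). Returns (address, target)."""
    hits = []
    for i in range(len(code) - 3):
        op1, op2 = code[i], code[i + 2]
        if 0x70 <= op1 <= 0x7F and op2 == (op1 ^ 1):
            t1 = i + 2 + rel8(code[i + 1])   # target of the first jump
            t2 = i + 4 + rel8(code[i + 3])   # target of the second jump
            if t1 == t2:
                hits.append((base + i, base + t1))
    return hits


def flatten_jcc_pairs(code, base):
    """Rewrite each pair as 'jmp short X ; nop ; nop' so the bytes after
    it are no longer shown as code (the idea behind the author's csdp)."""
    out = bytearray(code)
    for addr, _target in find_opaque_jcc_pairs(code, base):
        i = addr - base
        out[i:i + 4] = bytes([0xEB, code[i + 1], 0x90, 0x90])
    return bytes(out)


RDTSC_PAIR = re.compile(rb"\x0f\x31.{4}\x0f\x31", re.DOTALL)


def find_rdtsc_checks(code, base):
    """Two rdtsc within six bytes followed by 'cmp eax, imm32' (3Dh):
    returns (address, cycle threshold) so the tolerance can be read off."""
    hits = []
    for m in RDTSC_PAIR.finditer(code):
        tail = code[m.end(): m.end() + 32]
        cmp_ = re.search(rb"\x3d(.{4})", tail, re.DOTALL)
        threshold = int.from_bytes(cmp_.group(1), "little") if cmp_ else None
        hits.append((base + m.start(), threshold))
    return hits


if __name__ == "__main__":
    for addr, target in find_opaque_jcc_pairs(SAMPLE, SAMPLE_BASE):
        print(f"{addr:08X}: jcc/jncc pair -> jmp {target:08X}")
    for addr, thr in find_rdtsc_checks(SAMPLE, SAMPLE_BASE):
        print(f"{addr:08X}: rdtsc delta check, threshold {thr:#x}")
```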
SDPI:0047CEEC ; ----------------------------------------------------------------------------
SDPI:0047CEEC mov eax, [esp+4]
SDPI:0047CEF0 mov ecx, [esp+0Ch]
SDPI:0047CEF4 inc dword ptr [ecx+0B8h]
SDPI:0047CEFA mov eax, [eax]
SDPI:0047CEFC sub eax, EXCEPTION_BREAKPOINT
SDPI:0047CF01 jnz short locret_47CF29
SDPI:0047CF03 call loc_47CF09
SDPI:0047CF08 nop
SDPI:0047CF09
SDPI:0047CF09 loc_47CF09: ; CODE XREF: SDPI:0047CF03 p
SDPI:0047CF09 pop eax
SDPI:0047CF0A add eax, 0FFFFFDC1h
SDPI:0047CF0F cmp byte ptr [eax], 0E8h
SDPI:0047CF12 jnz FNDDBG_47CE2C
SDPI:0047CF18 mov byte ptr [eax], 0E9h
SDPI:0047CF1B xor eax, eax
SDPI:0047CF1D mov [ecx+4], eax
SDPI:0047CF20 mov [ecx+8], eax
SDPI:0047CF23 mov [ecx+0Ch], eax
SDPI:0047CF26 mov [ecx+10h], eax
SDPI:0047CF29
SDPI:0047CF29 locret_47CF29: ; CODE XREF: SDPI:0047CF01 j
SDPI:0047CF29 retn
SDPI:0047CF2A ; ----------------------------------------------------------------------------
SDPI:0047CF2A
SDPI:0047CF2A loc_47CF2A: ; CODE XREF: SDPI:0047CEDF j
SDPI:0047CF2A ; SDPI:0047CEE1 j
SDPI:0047CF2A pop eax
SDPI:0047CF2B call loc_47D12B
SDPI:0047CF2B ; ----------------------------------------------------------------------------
SDPI:0047CF30 dd 401000h
SDPI:0047CF34 dd 15C56BEh
SDPI:0047CF38
SDPI:0047CF38 ; ************** S U B R O U T I N E *****************************************
SDPI:0047CF38
SDPI:0047CF38
SDPI:0047CF38 sub_47CF38 proc near ; CODE XREF: SDPI:0047D154 p
SDPI:0047CF38 pop ebp
SDPI:0047CF39 pop eax
SDPI:0047CF3A jmp loc_47D159
SDPI:0047CF3A sub_47CF38 endp
SDPI:0047CF3A
SDPI:0047CF3F ; ----------------------------------------------------------------------------
SDPI:0047CF3F call loc_47CF45
SDPI:0047CF44 nop
SDPI:0047CF45
SDPI:0047CF45 loc_47CF45: ; CODE XREF: SDPI:0047CF3F p
SDPI:0047CF45 pop eax
SDPI:0047CF46 add eax, 312h
SDPI:0047CF4B call loc_47CF51
SDPI:0047CF50 nop
SDPI:0047CF51
SDPI:0047CF51 loc_47CF51: ; CODE XREF: SDPI:0047CF4B p
SDPI:0047CF51 pop edx
SDPI:0047CF52 add edx, 3C2h ; same as before: encrypt the code back again
SDPI:0047CF58 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047CF58 ; encrypts or decrypts code; the two operations are
SDPI:0047CF58 ; interchangeable because it is only a simple xor,
SDPI:0047CF58 ; so the same routine both encrypts and decrypts
SDPI:0047CF5D mov ecx, 0FFFFFF00h
SDPI:0047CF62 push fs
SDPI:0047CF64 nop
SDPI:0047CF65 nop
SDPI:0047CF66 nop
SDPI:0047CF67 nop
SDPI:0047CF68 nop
SDPI:0047CF69 nop
SDPI:0047CF6A nop
SDPI:0047CF6B nop
SDPI:0047CF6C nop
SDPI:0047CF6D nop
SDPI:0047CF6E nop
SDPI:0047CF6F nop
SDPI:0047CF70 pushfw
SDPI:0047CF72 push eax
SDPI:0047CF73 mov eax, ebx
SDPI:0047CF75 push ebx
SDPI:0047CF76 mov eax, ecx
SDPI:0047CF78 push eax
SDPI:0047CF79 add eax, edx
SDPI:0047CF7B mov ebx, eax
SDPI:0047CF7D push ebx
SDPI:0047CF7E pop eax
SDPI:0047CF7F push edx
SDPI:0047CF80 call loc_47CF8D
SDPI:0047CF80 ; ----------------------------------------------------------------------------
SDPI:0047CF85 dd 401000h
SDPI:0047CF89 dd 132BD7B0h
SDPI:0047CF8D ; ----------------------------------------------------------------------------
SDPI:0047CF8D
SDPI:0047CF8D loc_47CF8D: ; CODE XREF: SDPI:0047CF80 p
SDPI:0047CF8D pop eax
SDPI:0047CF8E call loc_47CF94
SDPI:0047CF93 nop
SDPI:0047CF94
SDPI:0047CF94 loc_47CF94: ; CODE XREF: SDPI:0047CF8E p
SDPI:0047CF94 pop eax
SDPI:0047CF95 add eax, 11h
SDPI:0047CF9A push eax
SDPI:0047CF9B jmp GetTickCount
SDPI:0047CF9B ; ----------------------------------------------------------------------------
SDPI:0047CFA0 db 4 dup(90h)
SDPI:0047CFA4 ; ----------------------------------------------------------------------------
SDPI:0047CFA4 push eax
SDPI:0047CFA5 mov eax, edx
SDPI:0047CFA7 push eax
SDPI:0047CFA8 call loc_47CFAE
SDPI:0047CFAD nop
SDPI:0047CFAE
SDPI:0047CFAE loc_47CFAE: ; CODE XREF: SDPI:0047CFA8 p
SDPI:0047CFAE pop edx
SDPI:0047CFAF add edx, 52h
SDPI:0047CFB5 push edx
SDPI:0047CFB6 add edx, 403FB6h
SDPI:0047CFBC push edx
SDPI:0047CFBD jo short loc_47D012
SDPI:0047CFBF jno short loc_47D012
SDPI:0047CFC1
SDPI:0047CFC1 loc_47CFC1: ; CODE XREF: SDPI:0047D005 p
SDPI:0047CFC1 pop eax
SDPI:0047CFC2 pop ebx
SDPI:0047CFC3 call loc_47CFC9
SDPI:0047CFC8 nop
SDPI:0047CFC9
SDPI:0047CFC9 loc_47CFC9: ; CODE XREF: SDPI:0047CFC3 p
SDPI:0047CFC9 pop eax
SDPI:0047CFCA add eax, 11h
SDPI:0047CFCF push eax
SDPI:0047CFD0 jmp GetTickCount
SDPI:0047CFD0 ; ----------------------------------------------------------------------------
SDPI:0047CFD5 db 4 dup(90h)
SDPI:0047CFD9 ; ----------------------------------------------------------------------------
SDPI:0047CFD9 pop ebx
SDPI:0047CFDA add ebx, 1F4h
SDPI:0047CFE0 sub ebx, eax
SDPI:0047CFE2 js short OVER_47D026
SDPI:0047CFE4 call loc_47CFEA
SDPI:0047CFE9 nop
SDPI:0047CFEA
SDPI:0047CFEA loc_47CFEA: ; CODE XREF: SDPI:0047CFE4 p
SDPI:0047CFEA pop ebx
SDPI:0047CFEB add ebx, 0A5h
SDPI:0047CFF1 push ebx
SDPI:0047CFF2 call loc_47D01C
SDPI:0047CFF7 nop
SDPI:0047CFF8 nop
SDPI:0047CFF9 nop
SDPI:0047CFFA nop
SDPI:0047CFFB nop
SDPI:0047CFFC nop
SDPI:0047CFFD nop
SDPI:0047CFFE nop
SDPI:0047CFFF pop eax
SDPI:0047D000 mov edx, eax
SDPI:0047D002 mov eax, ebx
SDPI:0047D004 push eax
SDPI:0047D005 call loc_47CFC1
SDPI:0047D005 ; ----------------------------------------------------------------------------
SDPI:0047D00A dd 401000h
SDPI:0047D00E dd 1833639h
SDPI:0047D012 ; ----------------------------------------------------------------------------
SDPI:0047D012
SDPI:0047D012 loc_47D012: ; CODE XREF: SDPI:0047CFBD j
SDPI:0047D012 ; SDPI:0047CFBF j
SDPI:0047D012 pop eax
SDPI:0047D013 retn
SDPI:0047D013 ; ----------------------------------------------------------------------------
SDPI:0047D014 dd 401000h
SDPI:0047D018 dd 77C563Eh
SDPI:0047D01C ; ----------------------------------------------------------------------------
SDPI:0047D01C
SDPI:0047D01C loc_47D01C: ; CODE XREF: SDPI:0047CFF2 p
SDPI:0047D01C pop edx
SDPI:0047D01D retn
SDPI:0047D01D ; ----------------------------------------------------------------------------
SDPI:0047D01E dd 401000h
SDPI:0047D022 dd 1ED53EFh
SDPI:0047D026
SDPI:0047D026 ; ************** S U B R O U T I N E *****************************************
SDPI:0047D026
SDPI:0047D026
SDPI:0047D026 OVER_47D026 proc near ; CODE XREF: SDPI:0047CFE2 j
SDPI:0047D026 nop
SDPI:0047D027 nop
SDPI:0047D028 nop
SDPI:0047D029 nop
SDPI:0047D02A nop
SDPI:0047D02B call loc_47D031
SDPI:0047D030 nop
SDPI:0047D031
SDPI:0047D031 loc_47D031: ; CODE XREF: OVER_47D026+5 p
SDPI:0047D031 pop eax
SDPI:0047D032 add eax, 5Eh
SDPI:0047D037 mov edx, eax
SDPI:0047D039 add edx, 32h
SDPI:0047D03C call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047D03C ; encrypts or decrypts code; the two operations are
SDPI:0047D03C ; interchangeable because it is only a simple xor,
SDPI:0047D03C ; so the same routine both encrypts and decrypts
SDPI:0047D041 call loc_47D047
SDPI:0047D046 nop
SDPI:0047D047
SDPI:0047D047 loc_47D047: ; CODE XREF: OVER_47D026+1B p
SDPI:0047D047 pop eax
SDPI:0047D048 add eax, 2056h
SDPI:0047D04D call loc_47D053
SDPI:0047D052 nop
SDPI:0047D053
SDPI:0047D053 loc_47D053: ; CODE XREF: OVER_47D026+27 p
SDPI:0047D053 pop ecx
SDPI:0047D054 add ecx, 20F7h
SDPI:0047D05A push 0
SDPI:0047D05C push ecx
SDPI:0047D05D push eax
SDPI:0047D05E push 0
SDPI:0047D060 call loc_47D066
SDPI:0047D065 nop
SDPI:0047D066
SDPI:0047D066 loc_47D066: ; CODE XREF: OVER_47D026+3A p
SDPI:0047D066 pop eax
SDPI:0047D067 add eax, 11h
SDPI:0047D06C push eax
SDPI:0047D06D jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047D06D ; that checks whether the first 5 bytes of the function
SDPI:0047D06D ; are CC, i.e. whether an int3 breakpoint was set on it
SDPI:0047D06D ; ----------------------------------------------------------------------------
SDPI:0047D072 db 4 dup(90h)
SDPI:0047D076 ; ----------------------------------------------------------------------------
SDPI:0047D076 push 7
SDPI:0047D078 call loc_47D07E
SDPI:0047D07D nop
SDPI:0047D07E
SDPI:0047D07E loc_47D07E: ; CODE XREF: OVER_47D026+52 p
SDPI:0047D07E pop eax
SDPI:0047D07F add eax, 11h
SDPI:0047D084 push eax
SDPI:0047D085 jmp ExitProcess
SDPI:0047D085 ; ----------------------------------------------------------------------------
SDPI:0047D08A db 4 dup(90h)
SDPI:0047D08A OVER_47D026 endp
SDPI:0047D08A
SDPI:0047D08E ; ----------------------------------------------------------------------------
SDPI:0047D08E pop edx
SDPI:0047D08F mov eax, ecx
SDPI:0047D091 add eax, edx
SDPI:0047D093 inc ecx
SDPI:0047D094 push eax
SDPI:0047D095 inc ecx
SDPI:0047D096 pop ebx
SDPI:0047D097 pop ecx
SDPI:0047D098 push eax
SDPI:0047D099 sub eax, 8
SDPI:0047D09C pop ebx
SDPI:0047D09D pop ebx
SDPI:0047D09E inc eax
SDPI:0047D09F add eax, ebx
SDPI:0047D0A1 pop eax
SDPI:0047D0A2 pushfw
SDPI:0047D0A4 popfw
SDPI:0047D0A6 popfw
SDPI:0047D0A8 pop es
SDPI:0047D0A9 mov eax, 12345678h
SDPI:0047D0AE push eax
SDPI:0047D0AF call loc_47D0B5
SDPI:0047D0B4 nop
SDPI:0047D0B5
SDPI:0047D0B5 loc_47D0B5: ; CODE XREF: SDPI:0047D0AF p
SDPI:0047D0B5 pop eax
SDPI:0047D0B6 add eax, 12Ch
SDPI:0047D0BB push eax
SDPI:0047D0BC pop ebx
SDPI:0047D0BD add eax, 12h
SDPI:0047D0C0 pop edx
SDPI:0047D0C1 add eax, edx
SDPI:0047D0C3 mov edx, eax
SDPI:0047D0C5 push ebx
SDPI:0047D0C6 mov ebx, es:[ecx+100h]
SDPI:0047D0CD push ebx
SDPI:0047D0CE mov eax, esp
SDPI:0047D0D0 mov ebx, eax
SDPI:0047D0D2 push ebx
SDPI:0047D0D3 pop edx
SDPI:0047D0D4 mov es:[ecx+100h], eax
SDPI:0047D0DB xor eax, eax
SDPI:0047D0DB ; ----------------------------------------------------------------------------
SDPI:0047D0DD JUNK_47D0DD db '~',7,'',5,0,10h,'@',0,'鑖淨3蒰?,5,0,10h,'@',0,'鑉悙悙悙悙?
SDPI:0047D0DD db '悙悙悙悙悙悙悙f漽',6,'{',4,0,10h,'@',0
SDPI:0047D115 ; ----------------------------------------------------------------------------
SDPI:0047D115 int 3 ; Trap to Debugger
SDPI:0047D116 nop
SDPI:0047D117 xor eax, eax
SDPI:0047D119 mov dword ptr [eax], 404219h
SDPI:0047D11F jp short loc_47D12B
SDPI:0047D121 jnp short loc_47D12B
SDPI:0047D121 ; ----------------------------------------------------------------------------
SDPI:0047D123 dd 401000h
SDPI:0047D127 dd 403D7Bh
SDPI:0047D12B ; ----------------------------------------------------------------------------
SDPI:0047D12B
SDPI:0047D12B loc_47D12B: ; CODE XREF: SDPI:0047CF2B p
SDPI:0047D12B ; SDPI:0047D11F j ...
SDPI:0047D12B call loc_47D131
SDPI:0047D130 nop
SDPI:0047D131
SDPI:0047D131 loc_47D131: ; CODE XREF: SDPI:loc_47D12B p
SDPI:0047D131 pop eax
SDPI:0047D132 add eax, 11h
SDPI:0047D137 push eax
SDPI:0047D138 jmp GetTickCount
SDPI:0047D138 ; ----------------------------------------------------------------------------
SDPI:0047D13D db 4 dup(90h)
SDPI:0047D141 ; ----------------------------------------------------------------------------
SDPI:0047D141 call loc_47D147
SDPI:0047D146 nop
SDPI:0047D147
SDPI:0047D147 loc_47D147: ; CODE XREF: SDPI:0047D141 p
SDPI:0047D147 pop edx
SDPI:0047D148 add edx, 0FFFFFB09h
SDPI:0047D14E mov [edx], eax
SDPI:0047D150 pop ebp
SDPI:0047D151 add eax, edx
SDPI:0047D153 push eax
SDPI:0047D154 call sub_47CF38
SDPI:0047D159
SDPI:0047D159 loc_47D159: ; CODE XREF: sub_47CF38+2 j
SDPI:0047D159 call loc_47D15F
SDPI:0047D15E nop
SDPI:0047D15F
SDPI:0047D15F loc_47D15F: ; CODE XREF: SDPI:loc_47D159 p
SDPI:0047D15F pop edx
SDPI:0047D160 add edx, 0FFFFFDE1h
SDPI:0047D166 add edx, eax
SDPI:0047D168 push edx
SDPI:0047D169 pop ecx
SDPI:0047D16A sub ecx, eax
SDPI:0047D16C push ecx
SDPI:0047D16D retn 4
SDPI:0047D170
SDPI:0047D170 ; ************** S U B R O U T I N E *****************************************
SDPI:0047D170
SDPI:0047D170
SDPI:0047D170 FNDDBG_47D170 proc near ; CODE XREF: SDPI:0047D213 j
SDPI:0047D170 ; SDPI:0047D21B j ...
SDPI:0047D170 nop
SDPI:0047D171 nop
SDPI:0047D172 nop
SDPI:0047D173 nop
SDPI:0047D174 nop
SDPI:0047D175 call loc_47D17B
SDPI:0047D17A nop
SDPI:0047D17B
SDPI:0047D17B loc_47D17B: ; CODE XREF: FNDDBG_47D170+5 p
SDPI:0047D17B pop eax
SDPI:0047D17C add eax, 5Eh
SDPI:0047D181 mov edx, eax
SDPI:0047D183 add edx, 32h
SDPI:0047D186 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047D186 ; encrypts or decrypts code; the two operations are
SDPI:0047D186 ; interchangeable because it is only a simple xor,
SDPI:0047D186 ; so the same routine both encrypts and decrypts
SDPI:0047D18B call loc_47D191
SDPI:0047D190 nop
SDPI:0047D191
SDPI:0047D191 loc_47D191: ; CODE XREF: FNDDBG_47D170+1B p
SDPI:0047D191 pop eax
SDPI:0047D192 add eax, 1F0Ch
SDPI:0047D197 call loc_47D19D
SDPI:0047D19C nop
SDPI:0047D19D
SDPI:0047D19D loc_47D19D: ; CODE XREF: FNDDBG_47D170+27 p
SDPI:0047D19D pop ecx
SDPI:0047D19E add ecx, 1FADh
SDPI:0047D1A4 push 0
SDPI:0047D1A6 push ecx
SDPI:0047D1A7 push eax
SDPI:0047D1A8 push 0
SDPI:0047D1AA call loc_47D1B0
SDPI:0047D1AF nop
SDPI:0047D1B0
SDPI:0047D1B0 loc_47D1B0: ; CODE XREF: FNDDBG_47D170+3A p
SDPI:0047D1B0 pop eax
SDPI:0047D1B1 add eax, 11h
SDPI:0047D1B6 push eax
SDPI:0047D1B7 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047D1B7 ; that checks whether the first 5 bytes of the function
SDPI:0047D1B7 ; are CC, i.e. whether an int3 breakpoint was set on it
SDPI:0047D1B7 ; ----------------------------------------------------------------------------
SDPI:0047D1BC db 4 dup(90h)
SDPI:0047D1C0 ; ----------------------------------------------------------------------------
SDPI:0047D1C0 push 7
SDPI:0047D1C2 call loc_47D1C8
SDPI:0047D1C7 nop
SDPI:0047D1C8
SDPI:0047D1C8 loc_47D1C8: ; CODE XREF: FNDDBG_47D170+52 p
SDPI:0047D1C8 pop eax
SDPI:0047D1C9 add eax, 11h
SDPI:0047D1CE push eax
SDPI:0047D1CF jmp ExitProcess
SDPI:0047D1CF ; ----------------------------------------------------------------------------
SDPI:0047D1D4 db 4 dup(90h)
SDPI:0047D1D8 dd 401000h
SDPI:0047D1DC dd 15C56BEh
SDPI:0047D1DC FNDDBG_47D170 endp
SDPI:0047D1DC
SDPI:0047D1E0 ; ----------------------------------------------------------------------------
SDPI:0047D1E0 mov esp, [esp+8]
SDPI:0047D1E4 pop large dword ptr fs:0
SDPI:0047D1EB call loc_47D1F1
SDPI:0047D1F0 nop
SDPI:0047D1F1
SDPI:0047D1F1 loc_47D1F1: ; CODE XREF: SDPI:0047D1EB p
SDPI:0047D1F1 pop eax
SDPI:0047D1F2 add eax, 11h
SDPI:0047D1F7 push eax
SDPI:0047D1F8 jmp GetTickCount
SDPI:0047D1F8 ; ----------------------------------------------------------------------------
SDPI:0047D1FD db 4 dup(90h)
SDPI:0047D201 ; ----------------------------------------------------------------------------
SDPI:0047D201 call loc_47D207
SDPI:0047D206 nop
SDPI:0047D207
SDPI:0047D207 loc_47D207: ; CODE XREF: SDPI:0047D201 p
SDPI:0047D207 pop edx
SDPI:0047D208 add edx, 0FFFFFA49h
SDPI:0047D20E mov ecx, [edx]
SDPI:0047D210 cmp ecx, 0
SDPI:0047D213 jz FNDDBG_47D170
SDPI:0047D219 sub eax, ecx
SDPI:0047D21B js FNDDBG_47D170
SDPI:0047D221 sub eax, 7D0h
SDPI:0047D226 jns FNDDBG_47D170
SDPI:0047D22C mov eax, 0E801276h
SDPI:0047D231 mov [edx], eax
SDPI:0047D233 call loc_47D239
SDPI:0047D238 nop
SDPI:0047D239
SDPI:0047D239 loc_47D239: ; CODE XREF: SDPI:0047D233 p
SDPI:0047D239 pop edx
SDPI:0047D23A add edx, 0DAh
SDPI:0047D240 call loc_47D246
SDPI:0047D245 nop
SDPI:0047D246
SDPI:0047D246 loc_47D246: ; CODE XREF: SDPI:0047D240 p
SDPI:0047D246 pop eax
SDPI:0047D247 add eax, 0FFFFCF53h
SDPI:0047D24C mov ecx, 10h ; decrypt the code again; everything
SDPI:0047D24C ; from here on is Win9x debugger detection
SDPI:0047D251 call De_Code ; invoke De_Code,ecx(counter),eax(key),edx(end)
SDPI:0047D251 ; decrypts code; the decryption start address is
SDPI:0047D251 ; the instruction immediately after this call
SDPI:0047D256 sub esp, 8
SDPI:0047D259 sidt qword ptr [esp] ; Win9x debugger detection via the IDT
SDPI:0047D25D mov eax, [esp+2]
SDPI:0047D261 mov cx, [eax+0Eh]
SDPI:0047D265 mov dx, [eax+6]
SDPI:0047D269 mov bx, [eax+1Eh]
SDPI:0047D26D add esp, 8
SDPI:0047D270 cmp cx, dx
SDPI:0047D273 jnz short FNDDBG_47D2AA
SDPI:0047D275 cmp bx, dx
SDPI:0047D278 jnz short FNDDBG_47D2AA
SDPI:0047D27A sub esp, 8
SDPI:0047D27D sidt qword ptr [esp]
SDPI:0047D281 mov edx, [esp+2]
SDPI:0047D285 add edx, 4Eh
SDPI:0047D288 mov edx, [edx]
SDPI:0047D28A ror edx, 10h
SDPI:0047D28D mov ecx, 0C00h
SDPI:0047D292 add esp, 8
SDPI:0047D295
SDPI:0047D295 loc_47D295: ; CODE XREF: SDPI:0047D2A6 j
SDPI:0047D295 cmp dword ptr [edx], 48455245h
SDPI:0047D29B jz short FNDDBG_47D2AA
SDPI:0047D29D cmp dword ptr [edx], 53474F52h
SDPI:0047D2A3 jz short FNDDBG_47D2AA
SDPI:0047D2A5 inc edx
SDPI:0047D2A6 loop loc_47D295
SDPI:0047D2A8 jmp short NotIsWin9x_47D312 ; Win9x debugger detection done, jump to
SDPI:0047D2A8 ; the next step; on a WinNT system the
SDPI:0047D2A8 ; Win9x debugger detection part is skipped
SDPI:0047D2AA
SDPI:0047D2AA ; ************** S U B R O U T I N E *****************************************
SDPI:0047D2AA
SDPI:0047D2AA
SDPI:0047D2AA FNDDBG_47D2AA proc near ; CODE XREF: SDPI:0047D273 j
SDPI:0047D2AA ; SDPI:0047D278 j ...
SDPI:0047D2AA nop
SDPI:0047D2AB nop
SDPI:0047D2AC nop
SDPI:0047D2AD nop
SDPI:0047D2AE nop
SDPI:0047D2AF call loc_47D2B5
SDPI:0047D2B4 nop
SDPI:0047D2B5
SDPI:0047D2B5 loc_47D2B5: ; CODE XREF: FNDDBG_47D2AA+5 p
SDPI:0047D2B5 pop eax
SDPI:0047D2B6 add eax, 5Eh
SDPI:0047D2BB mov edx, eax
SDPI:0047D2BD add edx, 32h
SDPI:0047D2C0 call Crypt_Decrypt_CODE ; edx = end address, eax = start address
SDPI:0047D2C0 ; encrypts or decrypts code; the two operations are
SDPI:0047D2C0 ; interchangeable because it is only a simple xor,
SDPI:0047D2C0 ; so the same routine both encrypts and decrypts
SDPI:0047D2C5 call loc_47D2CB
SDPI:0047D2CA nop
SDPI:0047D2CB
SDPI:0047D2CB loc_47D2CB: ; CODE XREF: FNDDBG_47D2AA+1B p
SDPI:0047D2CB pop eax
SDPI:0047D2CC add eax, 1DD2h
SDPI:0047D2D1 call loc_47D2D7
SDPI:0047D2D6 nop
SDPI:0047D2D7
SDPI:0047D2D7 loc_47D2D7: ; CODE XREF: FNDDBG_47D2AA+27 p
SDPI:0047D2D7 pop ecx
SDPI:0047D2D8 add ecx, 1E73h
SDPI:0047D2DE push 0
SDPI:0047D2E0 push ecx
SDPI:0047D2E1 push eax
SDPI:0047D2E2 push 0
SDPI:0047D2E4 call loc_47D2EA
SDPI:0047D2E9 nop
SDPI:0047D2EA
SDPI:0047D2EA loc_47D2EA: ; CODE XREF: FNDDBG_47D2AA+3A p
SDPI:0047D2EA pop eax
SDPI:0047D2EB add eax, 11h
SDPI:0047D2F0 push eax
SDPI:0047D2F1 jmp MessageBoxA ; MessageBoxA; the packer wraps the call in a macro
SDPI:0047D2F1 ; that checks whether the first 5 bytes of the function
SDPI:0047D2F1 ; are CC, i.e. whether an int3 breakpoint was set on it
SDPI:0047D2F1 ; ----------------------------------------------------------------------------
SDPI:0047D2F6 db 4 dup(90h)
SDPI:0047D2FA ; ----------------------------------------------------------------------------
SDPI:0047D2FA push 7
SDPI:0047D2FC call loc_47D302
SDPI:0047D301 nop
SDPI:0047D302
SDPI:0047D302 loc_47D302: ; CODE XREF: FNDDBG_47D2AA+52 p
SDPI:0047D302 pop eax
SDPI:0047D303 add eax, 11h
SDPI:0047D308 push eax
SDPI:0047D309 jmp ExitProcess
SDPI:0047D309 ; ----------------------------------------------------------------------------
SDPI:0047D30E db 4 dup(90h) ; ***********************************************
SDPI:0047D30E FNDDBG_47D2AA endp ; Win9x debugger detection complete
SDPI:0047D30E ; ***********************************************
SDPI:0047D312 ; ----------------------------------------------------------------------------
SDPI:0047D312
SDPI:0047D312 NotIsWin9x_47D312: ; CODE XREF: SDPI:0047C53E j
SDPI:0047D312 ; SDPI:0047CB96 j ...
SDPI:0047D312 call loc_47D318
SDPI:0047D317 nop
SDPI:0047D318
SDPI:0047D318 loc_47D318: