【目 标】:PESpin v1.1主程序
【工 具】:OllyDbg1.1(diy版)、LORDPE、ImportREC1.6F
【任 务】:分析外壳
【操作平台】:WinXP sp2
【作 者】: LOVEBOOM[DFCG][FCG][US]
【相关链接】: 自己去上网搜搜
【简要说明】: 这篇文章算是给yock的一份礼物吧,前一段时间我答应他看看这个版本的壳,拖了这么久真不好意思 :),上次看过一下,发现这个版本比上一版本增强了不少。要patch的代码也多了很多,壳新增了一个非常有用的东西SDK,用上SDK去加程序增强不少,不过壳的PE Header抽代码显得有点鸡肋的感觉:)。
【详细过程】:
PESpin v0.7开始就从头到尾看了一下,这个版本同样也看看,主要是看看有没有什么改进的地方,不过结果比较遗憾,在Loader里没有什么新的变化,到现在壳还不anti-OllyDbg,不知道是不是作者有意的放水:)。
分两步进行:分析,脱壳。
第一步:分析
OD载入目标程序,慢慢的分析,细细的品味^_^。
00412087 > /EB 01 JMP SHORT 0041208A ; EP
00412089 |90 NOP
0041208A \60 PUSHAD
0041208B E8 00000000 CALL 00412090
00412090 8B1C24 MOV EBX,DWORD PTR SS:[ESP] ; SMC
00412093 83C3 12 ADD EBX,12
00412096 812B E8B10600 SUB DWORD PTR DS:[EBX],6B1E8
0041209C FE4B FD DEC BYTE PTR DS:[EBX-3]
0041209F 822C24 7D SUB BYTE PTR SS:[ESP],7D
004120A3 DE46 00 FIADD WORD PTR DS:[ESI]
004120A6 0BE4 OR ESP,ESP
004120A8 ^ 74 9E JE SHORT 00412048
……
004120F1 8B95 C34B4000 MOV EDX,DWORD PTR SS:[EBP+404BC3] ; [EBP+404BC3]=hModule(400000)
004120F7 8B42 3C MOV EAX,DWORD PTR DS:[EDX+3C]
004120FA 03C2 ADD EAX,EDX
004120FC 8985 CD4B4000 MOV DWORD PTR SS:[EBP+404BCD],EAX ; [EBP+404BCD]保存peHeader(4000D0)
……
00412134 41 INC ECX
00412135 C1E1 07 SHL ECX,7
00412138 8B0C01 MOV ECX,DWORD PTR DS:[ECX+EAX] ; 定位输入表RVA(12000)
0041213B 03CA ADD ECX,EDX ; 转为VA
……
0041214E 8B59 10 MOV EBX,DWORD PTR DS:[ECX+10] ; 定位OriginalFirstThunk
00412151 03DA ADD EBX,EDX
00412153 8B1B MOV EBX,DWORD PTR DS:[EBX] ; 取出MessageBoxA的地址
00412155 899D E14B4000 MOV DWORD PTR SS:[EBP+404BE1],EBX ; 结果保存到[EBP+404BE1]处
0041215B 53 PUSH EBX
0041215C 8F85 D7494000 POP DWORD PTR SS:[EBP+4049D7] ; 地址同时保存在[EBP+4049D7]中
00412162 BB CC000000 MOV EBX,0CC
00412167 B9 FE110000 MOV ECX,11FE
0041216C 8DBD 714C4000 LEA EDI,DWORD PTR SS:[EBP+404C71]
00412172 4F DEC EDI
……
0041217F 301C39 XOR BYTE PTR DS:[ECX+EDI],BL
00412182 FECB DEC BL
00412184 49 DEC ECX
00412185 9C PUSHFD
00412186 C12C24 06 SHR DWORD PTR SS:[ESP],6
0041218A F71424 NOT DWORD PTR SS:[ESP]
0041218D 832424 01 AND DWORD PTR SS:[ESP],1
00412191 50 PUSH EAX
00412192 52 PUSH EDX
00412193 B8 83B2DC12 MOV EAX,12DCB283
00412198 05 444D23ED ADD EAX,ED234D44
0041219D F76424 08 MUL DWORD PTR SS:[ESP+8]
004121A1 8D8428 BD2D4000 LEA EAX,DWORD PTR DS:[EAX+EBP+402DBD]
004121A8 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
004121AC 5A POP EDX
004121AD 58 POP EAX
004121AE 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
004121B2 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 从415269处开始向前解压代码, size为11FE
……
004121CE 8170 03 E89868EA XOR DWORD PTR DS:[EAX+3],EA6898E8 ; SMC
004121D5 83C0 21 ADD EAX,21
……
004121E3 68 CB000000 PUSH 0CB
004121E8 59 POP ECX ; 解码大小0CB
004121E9 8DBD A35D4000 LEA EDI,DWORD PTR SS:[EBP+405DA3] ; [EBP+405DA3]=[41519E]
……
004121E3 68 CB000000 PUSH 0CB
004121E8 59 POP ECX ; 解码大小0CB
004121E9 8DBD A35D4000 LEA EDI,DWORD PTR SS:[EBP+405DA3] ; [EBP+405DA3]=[41519E]
004121EF 90 NOP
004121F0 90 NOP
004121F1 90 NOP
004121F2 90 NOP
004121F3 90 NOP
004121F4 90 NOP
004121F5 90 NOP
004121F6 90 NOP
004121F7 90 NOP
004121F8 90 NOP
004121F9 90 NOP
004121FA 90 NOP
004121FB 90 NOP
004121FC 90 NOP
004121FD 90 NOP
004121FE 90 NOP
004121FF 90 NOP
00412200 C00C39 02 ROR BYTE PTR DS:[ECX+EDI],2 ; KEY=2
00412204 49 DEC ECX
……
00412205 9C PUSHFD
00412206 C12C24 06 SHR DWORD PTR SS:[ESP],6
0041220A F71424 NOT DWORD PTR SS:[ESP]
0041220D 832424 01 AND DWORD PTR SS:[ESP],1
00412211 50 PUSH EAX
00412212 52 PUSH EDX
00412213 B8 72B2DC12 MOV EAX,12DCB272
00412218 05 444D23ED ADD EAX,ED234D44
0041221D F76424 08 MUL DWORD PTR SS:[ESP+8]
00412221 8D8428 3E2E4000 LEA EAX,DWORD PTR DS:[EAX+EBP+402E3E]
00412228 > 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.00412239
0041222C 5A POP EDX
0041222D 58 POP EAX
0041222E 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00412232 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 循环解压从415269处开始向上解压,解压大小为0CB
……
00413F09 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20] ; 获取KERNELBASE
00413F0D 81E7 0000FFFF AND EDI,FFFF0000
……
00413F23 90 NOP
00413F24 BA 246BDE21 MOV EDX,21DE6B24
00413F29 81F2 6931DE21 XOR EDX,21DE3169 ; EDX=PE sig(5A4D)
00413F2F 66:3917 CMP WORD PTR DS:[EDI],DX
00413F32 75 17 JNZ SHORT 00413F4B ; 判断是否定位到DOS header
00413F34 81C2 EFA5FFFF ADD EDX,FFFFA5EF
00413F3A 0FB7143A MOVZX EDX,WORD PTR DS:[EDX+EDI]
00413F3E 66:F7C2 00F8 TEST DX,0F800
00413F43 75 06 JNZ SHORT 00413F4B
00413F45 3B7C3A 34 CMP EDI,DWORD PTR DS:[EDX+EDI+34]
00413F49 74 08 JE SHORT 00413F53
00413F4B 81EF 00000100 SUB EDI,10000 ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
00413F51 ^ EB C0 JMP SHORT 00413F13 ; 减10000继续回去
00413F53 97 XCHG EAX,EDI ; 获取出来的KERNELBASE保存到EAX
……
00413F65 68 F44B4000 PUSH 00404BF4
00413F6A 50 PUSH EAX ; push kerbase(7c800000)
00413F6B 8785 E54B4000 XCHG DWORD PTR SS:[EBP+404BE5],EAX ; 保存KERNELBASE到[EBP+404BE5]=(413FE0)
00413F71 016C24 04 ADD DWORD PTR SS:[ESP+4],EBP
00413F75 8D85 ECA183EB LEA EAX,DWORD PTR SS:[EBP+EB83A1EC]
00413F7B 8D80 BDAABC14 LEA EAX,DWORD PTR DS:[EAX+14BCAABD]
……
00413F8A FFD0 CALL EAX ; EAX=4140A4 这里面就是获取相关API的地址
进去看看:
004140A4 59 POP ECX
004140A5 58 POP EAX
004140A6 5F POP EDI ; EDI=413FEF
004140A7 90 NOP
004140A8 90 NOP
004140A9 90 NOP
004140AA 90 NOP
004140AB 90 NOP
004140AC 90 NOP
004140AD 90 NOP
004140AE 90 NOP
004140AF 90 NOP
004140B0 41 INC ECX
004140B1 41 INC ECX
004140B2 51 PUSH ECX ; ECX=413F8E
004140B3 8BF0 MOV ESI,EAX
004140B5 0340 3C ADD EAX,DWORD PTR DS:[EAX+3C] ; 定位PE header
004140B8 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78] ; 定位输出表
004140BB 03C6 ADD EAX,ESI
004140BD FF70 20 PUSH DWORD PTR DS:[EAX+20] ; AddressofNames
004140C0 5B POP EBX
004140C1 03DE ADD EBX,ESI
004140C3 FF70 18 PUSH DWORD PTR DS:[EAX+18] ; NumberofNames
004140C6 8F85 674D4000 POP DWORD PTR SS:[EBP+404D67] ; [EBP+404D67]保存NumberofNames
004140CC FF70 24 PUSH DWORD PTR DS:[EAX+24] ; AddressOfNameOrdinals
004140CF 5A POP EDX
004140D0 03D6 ADD EDX,ESI
004140D2 FF70 1C PUSH DWORD PTR DS:[EAX+1C] ; AddressofFunctions
004140D5 59 POP ECX
004140D6 03CE ADD ECX,ESI
004140D8 898D 574D4000 MOV DWORD PTR SS:[EBP+404D57],ECX ; [EBP+404D57]保存AddressofFunctions
004140DE 83EF 05 SUB EDI,5
004140E1 83C7 05 ADD EDI,5
004140E4 833F 00 CMP DWORD PTR DS:[EDI],0
004140E7 0F84 9D000000 JE 0041418A
004140ED 8A07 MOV AL,BYTE PTR DS:[EDI]
004140EF 8885 1B4D4000 MOV BYTE PTR SS:[EBP+404D1B],AL
004140F5 FF77 01 PUSH DWORD PTR DS:[EDI+1]
004140F8 8F85 474D4000 POP DWORD PTR SS:[EBP+404D47]
004140FE 53 PUSH EBX
004140FF 52 PUSH EDX
00414100 57 PUSH EDI
00414101 2BC9 SUB ECX,ECX
00414103 90 NOP
00414104 90 NOP
00414105 90 NOP
00414106 90 NOP
00414107 90 NOP
00414108 90 NOP
00414109 90 NOP
0041410A 90 NOP
0041410B 90 NOP
0041410C 90 NOP
0041410D 90 NOP
0041410E 90 NOP
0041410F 8B3B MOV EDI,DWORD PTR DS:[EBX]
00414111 03FE ADD EDI,ESI
00414113 807F 02 61 CMP BYTE PTR DS:[EDI+2],61 ; 获取LoadLibraryA的地址
00414117 75 43 JNZ SHORT 0041415C
00414119 E8 02000000 CALL 00414120
0041411E 90 NOP
0041411F 90 NOP
00414120 58 POP EAX
00414121 8D6424 FC LEA ESP,DWORD PTR SS:[ESP-4]
00414125 05 23000000 ADD EAX,23
0041412A 890424 MOV DWORD PTR SS:[ESP],EAX
0041412D 8D85 CA8A94ED LEA EAX,DWORD PTR SS:[EBP+ED948ACA]
00414133 2D 353D54ED SUB EAX,ED543D35
00414138 50 PUSH EAX
00414139 C3 RETN
0041413A 3BC3 CMP EAX,EBX
0041413C 74 35 JE SHORT 00414173
0041413E 2BC2 SUB EAX,EDX
00414140 9A 3D72423E C07>CALL FAR 75C0:3E42723D ; Far call
00414147 14 8D ADC AL,8D
00414149 04 4A ADD AL,4A
0041414B 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
0041414E C1E0 02 SHL EAX,2
00414151 05 5426807C ADD EAX,7C802654
00414156 8B00 MOV EAX,DWORD PTR DS:[EAX]
00414158 03C6 ADD EAX,ESI
0041415A EB 0E JMP SHORT 0041416A
0041415C 83C3 04 ADD EBX,4
0041415F 41 INC ECX
00414160 81F9 B5030000 CMP ECX,3B5
00414166 ^ 75 A7 JNZ SHORT 0041410F
00414168 33C0 XOR EAX,EAX
0041416A 5F POP EDI
0041416B 5A POP EDX
0041416C 5B POP EBX
0041416D 0BC0 OR EAX,EAX
0041416F 74 1B JE SHORT 0041418C
00414171 90 NOP
00414172 90 NOP
00414173 90 NOP
00414174 90 NOP
00414175 90 NOP
00414176 90 NOP
00414177 90 NOP
00414178 90 NOP
00414179 90 NOP
0041417A 8038 CC CMP BYTE PTR DS:[EAX],0CC ; 判断有没有下断点
0041417D 75 03 JNZ SHORT 00414182
0041417F 8028 00 SUB BYTE PTR DS:[EAX],0
00414182 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
00414185 ^ E9 57FFFFFF JMP 004140E1
0041418A 0BC0 OR EAX,EAX
0041418C EB 01 JMP SHORT 0041418F
0041418E 90 NOP
0041418F C3 RETN
获取了下面几个API:
LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
CloseHandle
VirtualAlloc
VirtualFree
CreateFileA
ReadFile
GetTickCount
GetModuleHandleA
CreateThread
Sleep
GetCurrentProcessId
OpenProcess
TerminateProcess
GetFileSize
GetModuleFileNameA
……
00412267 B8 944380EF MOV EAX,EF804394
0041226C 2BC9 SUB ECX,ECX
0041226E 83C9 15 OR ECX,15
00412271 0FA3C8 BT EAX,ECX
00412274 0F83 81000000 JNB 004122FB ; 如果没有设置保护密码这里就跳,因此如果是要输入密码的程序,强行跳过是没有用的
0041227A 8DB40D D44B4000 LEA ESI,DWORD PTR SS:[EBP+ECX+404BD4]
00412281 8BD6 MOV EDX,ESI
00412283 B9 10000000 MOV ECX,10
00412288 AC LODS BYTE PTR DS:[ESI]
00412289 84C0 TEST AL,AL
0041228B 74 06 JE SHORT 00412293
0041228D C04E FF 03 ROR BYTE PTR DS:[ESI-1],3
00412291 ^ E2 F5 LOOPD SHORT 00412288
00412293 E8 00000000 CALL 00412298
00412298 59 POP ECX
00412299 81C1 1D000000 ADD ECX,1D
0041229F 52 PUSH EDX
004122A0 51 PUSH ECX
004122A1 C1E9 05 SHR ECX,5
004122A4 23D1 AND EDX,ECX
004122A6 FFA5 F54B4000 JMP DWORD PTR SS:[EBP+404BF5]
004122AC 0BC0 OR EAX,EAX
004122AE 0F85 3F0A0000 JNZ 00412CF3
004122B4 A3 8D8D534C MOV DWORD PTR DS:[4C538D8D],EAX
004122B9 40 INC EAX
004122BA 0051 50 ADD BYTE PTR DS:[ECX+50],DL
004122BD 8D85 19F54500 LEA EAX,DWORD PTR SS:[EBP+45F519]
004122C3 2D 70A80500 SUB EAX,5A870
004122C8 FFD0 CALL EAX
004122CA 0BC0 OR EAX,EAX
004122CC 0F84 D41B0000 JE 00413EA6
004122D2 8DBD AB454000 LEA EDI,DWORD PTR SS:[EBP+4045AB]
004122D8 2BC9 SUB ECX,ECX
004122DA 2BC0 SUB EAX,EAX
004122DC B0 23 MOV AL,23
004122DE 41 INC ECX
004122DF 32C1 XOR AL,CL
004122E1 48 DEC EAX
004122E2 284439 FF SUB BYTE PTR DS:[ECX+EDI-1],AL
004122E6 81F9 F4030000 CMP ECX,3F4
004122EC ^ 75 F0 JNZ SHORT 004122DE
004122EE 8D85 6A894000 LEA EAX,DWORD PTR SS:[EBP+40896A]
004122F4 05 5EBDFFFF ADD EAX,FFFFBD5E
004122F9 FFD0 CALL EAX ; 这里进去就是显示密码框的代码,注意,壳不会直接比较密码的
004122FB EB 01 JMP SHORT 004122FE
……
00414776 68 A0050000 PUSH 5A0
0041477B 59 POP ECX ; push size 5a0
0041477C 8DBD 8B304000 LEA EDI,DWORD PTR SS:[EBP+40308B]
00414782 81EF 2A010000 SUB EDI,12A
00414788 D1EB SHR EBX,1
0041478A 73 06 JNB SHORT 00414792
0041478C 81F3 3488328C XOR EBX,8C328834
00414792 301F XOR BYTE PTR DS:[EDI],BL ; 从41235c开始向下解压,SIZE:5A0
00414794 47 INC EDI
00414795 49 DEC ECX
00414796 9C PUSHFD
00414797 C12C24 06 SHR DWORD PTR SS:[ESP],6
0041479B F71424 NOT DWORD PTR SS:[ESP]
0041479E 832424 01 AND DWORD PTR SS:[ESP],1
004147A2 50 PUSH EAX
004147A3 52 PUSH EDX
004147A4 B8 77B2DC10 MOV EAX,10DCB277
004147A9 05 444D23EF ADD EAX,EF234D44
004147AE F76424 08 MUL DWORD PTR SS:[ESP+8]
004147B2 8D8428 D2534000 LEA EAX,DWORD PTR DS:[EAX+EBP+4053D2]
004147B9 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.004147CD
004147BD 5A POP EDX
004147BE 58 POP EAX
004147BF 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
004147C3 FF6424 FC JMP DWORD PTR SS:[ESP-4]
……
004123D9 68 FF000000 PUSH 0FF ; /BufSize = FF (255.)
004123DE 56 PUSH ESI ; |PathBuffer = PESpin.00412000
004123DF 6A 00 PUSH 0 ; |hModule = NULL
004123E1 53 PUSH EBX ; |Return address
004123E2 FFA5 4A4C4000 JMP DWORD PTR SS:[EBP+404C4A] ; \GetModuleFileNameA
……
004123F6 6A 00 PUSH 0 ; /hTemplateFile = NULL
004123F8 68 80000000 PUSH 80 ; |Attributes = NORMAL
004123FD 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
004123FF 6A 00 PUSH 0 ; |pSecurity = NULL
00412401 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00412403 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
00412408 56 PUSH ESI ; |FileName
00412409 53 PUSH EBX ; |Return address
0041240A FFA5 184C4000 JMP DWORD PTR SS:[EBP+404C18] ; \CreateFileA
……
00412413 E8 01000000 CALL 00412419
00412418 90 NOP
00412419 5A POP EDX
0041241A 81C2 1A000000 ADD EDX,1A
00412420 8985 8F5E4000 MOV DWORD PTR SS:[EBP+405E8F],EAX
00412426 93 XCHG EAX,EBX
00412427 6A 00 PUSH 0 ; /pFileSizeHigh = NULL
00412429 53 PUSH EBX ; |hFile = 00000040 (window)
0041242A 52 PUSH EDX ; |Return Address
0041242B FFA5 454C4000 JMP DWORD PTR SS:[EBP+404C45] ; \GetFileSize
00412431 90 NOP
00412432 E8 01000000 CALL 00412438
00412437 90 NOP
00412438 5A POP EDX
00412439 81C2 24000000 ADD EDX,24
0041243F 8BD8 MOV EBX,EAX
00412441 53 PUSH EBX
00412442 8F85 9B5E4000 POP DWORD PTR SS:[EBP+405E9B]
00412448 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
0041244A 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
0041244F 50 PUSH EAX ; |Size = D400 (54272.)
00412450 6A 00 PUSH 0 ; |Address = NULL
00412452 52 PUSH EDX ; |Return address
00412453 FFA5 0E4C4000 JMP DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
00412459 90 NOP
0041245A 90 NOP
0041245B 50 PUSH EAX
0041245C 8F85 C94B4000 POP DWORD PTR SS:[EBP+404BC9] ; [EBP+404BC9]=[413FC4]保存hmem
00412462 8D8D 9B5E4000 LEA ECX,DWORD PTR SS:[EBP+405E9B]
00412468 E8 01000000 CALL 0041246E
0041246D 90 NOP
0041246E 5A POP EDX
0041246F 81C2 1E000000 ADD EDX,1E
00412475 6A 00 PUSH 0 ; /pOverlapped = NULL
00412477 51 PUSH ECX ; |pBytesRead = PESpin.00415296
00412478 53 PUSH EBX ; |BytesToRead = D400 (54272.)
00412479 50 PUSH EAX ; |Buffer = 003D0000
0041247A FFB5 8F5E4000 PUSH DWORD PTR SS:[EBP+405E8F] ; |hFile = 00000040 (window)
00412480 52 PUSH EDX ; |Return Address
00412481 FFA5 1D4C4000 JMP DWORD PTR SS:[EBP+404C1D] ; \ReadFile
00412487 90 NOP
00412488 90 NOP
00412489 90 NOP
0041248A 90 NOP
0041248B E8 01000000 CALL 00412491
00412490 90 NOP
00412491 5A POP EDX
00412492 81C2 17000000 ADD EDX,17
00412498 FFB5 8F5E4000 PUSH DWORD PTR SS:[EBP+405E8F] ; /hObject = 00000040 (window)
0041249E 52 PUSH EDX ; |Return address
0041249F FFA5 094C4000 JMP DWORD PTR SS:[EBP+404C09] ; \CloseHandle
004124A5 90 NOP
004124A6 90 NOP
……
004124E4 FFD0 CALL EAX ; 计算CRC的值
004124E6 2985 A35E4000 SUB DWORD PTR SS:[EBP+405EA3],EAX ; [EBP+405EA3]=[0041529E]
004124EC E8 01000000 CALL 004124F2
004124F1 90 NOP
004124F2 5A POP EDX
004124F3 81C2 1E000000 ADD EDX,1E
004124F9 68 00800000 PUSH 8000 ; /FreeType = MEM_RELEASE
004124FE 6A 00 PUSH 0 ; |Size = 0
00412500 FFB5 C94B4000 PUSH DWORD PTR SS:[EBP+404BC9] ; |Address = 003D0000
00412506 52 PUSH EDX ; |Return address
00412507 FFA5 134C4000 JMP DWORD PTR SS:[EBP+404C13] ; \VirtualFree
……
004125BF 0FB78D C74B4000 MOVZX ECX,WORD PTR SS:[EBP+404BC7]
004125C6 8B95 CD4B4000 MOV EDX,DWORD PTR SS:[EBP+404BCD]
004125CC 81C2 F8000000 ADD EDX,0F8
004125D2 8B9D 935E4000 MOV EBX,DWORD PTR SS:[EBP+405E93]
004125D8 33C0 XOR EAX,EAX
004125DA 90 NOP
004125DB 90 NOP
004125DC 90 NOP
004125DD 90 NOP
004125DE 90 NOP
004125DF 90 NOP
004125E0 90 NOP
004125E1 90 NOP
004125E2 90 NOP
004125E3 90 NOP
004125E4 90 NOP
004125E5 90 NOP
004125E6 90 NOP
004125E7 90 NOP
004125E8 90 NOP
004125E9 90 NOP
004125EA 90 NOP
004125EB 51 PUSH ECX
004125EC 0FA3C3 BT EBX,EAX
004125EF 73 67 JNB SHORT 00412658
004125F1 52 PUSH EDX
004125F2 90 NOP
004125F3 90 NOP
004125F4 90 NOP
004125F5 90 NOP
004125F6 90 NOP
004125F7 90 NOP
004125F8 90 NOP
004125F9 90 NOP
004125FA 90 NOP
004125FB 90 NOP
004125FC 90 NOP
004125FD 90 NOP
004125FE 90 NOP
004125FF 90 NOP
00412600 90 NOP
00412601 90 NOP
00412602 90 NOP
00412603 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C]
00412606 03BD C34B4000 ADD EDI,DWORD PTR SS:[EBP+404BC3]
0041260C 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10]
0041260F 8B95 A35E4000 MOV EDX,DWORD PTR SS:[EBP+405EA3]
00412615 D1EA SHR EDX,1
00412617 72 06 JB SHORT 0041261F
00412619 81F2 31AF43ED XOR EDX,ED43AF31
0041261F 3017 XOR BYTE PTR DS:[EDI],DL ; 循环还原各区段
00412621 47 INC EDI
00412622 90 NOP
00412623 90 NOP
00412624 90 NOP
00412625 90 NOP
00412626 90 NOP
00412627 90 NOP
00412628 90 NOP
00412629 90 NOP
0041262A 90 NOP
0041262B 90 NOP
0041262C 90 NOP
0041262D 90 NOP
0041262E 90 NOP
0041262F 90 NOP
00412630 90 NOP
00412631 90 NOP
00412632 90 NOP
00412633 90 NOP
00412634 90 NOP
00412635 90 NOP
00412636 90 NOP
00412637 90 NOP
00412638 90 NOP
00412639 90 NOP
0041263A 90 NOP
0041263B 90 NOP
0041263C 90 NOP
0041263D 90 NOP
0041263E 90 NOP
0041263F 90 NOP
00412640 90 NOP
00412641 90 NOP
00412642 90 NOP
00412643 90 NOP
00412644 90 NOP
00412645 90 NOP
00412646 90 NOP
00412647 90 NOP
00412648 90 NOP
00412649 90 NOP
0041264A 90 NOP
0041264B 90 NOP
0041264C 90 NOP
0041264D 90 NOP
0041264E 90 NOP
0041264F 90 NOP
00412650 90 NOP
00412651 90 NOP
00412652 90 NOP
00412653 90 NOP
00412654 49 DEC ECX
00412655 ^ 75 BE JNZ SHORT 00412615
00412657 5A POP EDX
00412658 40 INC EAX
00412659 83C2 28 ADD EDX,28
0041265C 59 POP ECX
0041265D 90 NOP
0041265E 90 NOP
0041265F 90 NOP
00412660 90 NOP
00412661 90 NOP
00412662 90 NOP
00412663 90 NOP
00412664 90 NOP
00412665 90 NOP
00412666 90 NOP
00412667 90 NOP
00412668 90 NOP
00412669 90 NOP
0041266A 90 NOP
0041266B 90 NOP
0041266C 90 NOP
0041266D 90 NOP
0041266E 49 DEC ECX
0041266F 9C PUSHFD
00412670 C12C24 06 SHR DWORD PTR SS:[ESP],6
00412674 F71424 NOT DWORD PTR SS:[ESP]
00412677 832424 01 AND DWORD PTR SS:[ESP],1
0041267B 50 PUSH EAX
0041267C 52 PUSH EDX
0041267D B8 04B2DC12 MOV EAX,12DCB204
00412682 05 444D23ED ADD EAX,ED234D44
00412687 F76424 08 MUL DWORD PTR SS:[ESP+8]
0041268B 8D8428 A8324000 LEA EAX,DWORD PTR DS:[EAX+EBP+4032A8]
00412692 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
00412696 5A POP EDX
00412697 58 POP EAX
00412698 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
0041269C FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 没有解压完则继续跳回去
……
004126B4 838D 9D5D4000 0>OR DWORD PTR SS:[EBP+405D9D],0 ; 测试是否anti-debug
004126BB 74 0D JE SHORT 004126CA ; 如果没有选择anti-debug则跳下一步,主程序没有设置anti debug
004126BD 8D85 C8554000 LEA EAX,DWORD PTR SS:[EBP+4055C8] ; CreateFileA方式测试sice
004126C3 2D D1030000 SUB EAX,3D1
004126C8 FFD0 CALL EAX
004126CA 68 80010000 PUSH 180
004126CF 59 POP ECX
……
00412703 E8 01000000 CALL 00412709
00412708 90 NOP
00412709 D1EA SHR EDX,1
0041270B 73 06 JNB SHORT 00412713
0041270D 81F2 32AF43ED XOR EDX,ED43AF32
00412713 3017 XOR BYTE PTR DS:[EDI],DL
00412715 47 INC EDI
00412716 49 DEC ECX
00412717 9C PUSHFD
00412718 C12C24 06 SHR DWORD PTR SS:[ESP],6
0041271C F71424 NOT DWORD PTR SS:[ESP]
0041271F 832424 01 AND DWORD PTR SS:[ESP],1
00412723 50 PUSH EAX
00412724 52 PUSH EDX
00412725 B8 CEBFABF2 MOV EAX,F2ABBFCE
0041272A 05 EB3F540D ADD EAX,0D543FEB
0041272F F76424 08 MUL DWORD PTR SS:[ESP+8]
00412733 8D8428 4F334000 LEA EAX,DWORD PTR DS:[EAX+EBP+40334F]
0041273A 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
0041273E 5A POP EDX
0041273F 58 POP EAX
00412740 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00412744 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 从41495a处开始向下解压,大小为180
……
00412757 2BC3 SUB EAX,EBX
00412759 50 PUSH EAX ; 解压完去执行解压后的代码
0041275A C3 RETN
……
0041495A /EB 01 JMP SHORT 0041495D
0041495C |90 NOP
0041495D \8DBD 60334000 LEA EDI,DWORD PTR SS:[EBP+403360] ; 0041275B
00414963 B9 A1010000 MOV ECX,1A1 ; 从41275b处开始向下解压代码,大小为1A1
00414968 90 NOP
00414969 90 NOP
0041496A 90 NOP
0041496B 90 NOP
0041496C 90 NOP
0041496D 90 NOP
0041496E 90 NOP
0041496F 90 NOP
00414970 90 NOP
00414971 8A07 MOV AL,BYTE PTR DS:[EDI]
00414973 02C1 ADD AL,CL
00414975 C0C8 1E ROR AL,1E
00414978 F9 STC
00414979 90 NOP
0041497A F9 STC
0041497B 02C1 ADD AL,CL
0041497D EB 01 JMP SHORT 00414980
0041497F 90 NOP
00414980 02C1 ADD AL,CL
00414982 C0C0 93 ROL AL,93 ; Shift constant out of range 1..31
00414985 EB 01 JMP SHORT 00414988
00414987 90 NOP
00414988 EB 01 JMP SHORT 0041498B
0041498A 90 NOP
0041498B EB 01 JMP SHORT 0041498E
0041498D 90 NOP
0041498E EB 01 JMP SHORT 00414991
00414990 90 NOP
00414991 32C1 XOR AL,CL
00414993 2C 57 SUB AL,57
00414995 02C1 ADD AL,CL
00414997 AA STOS BYTE PTR ES:[EDI]
00414998 49 DEC ECX
00414999 9C PUSHFD
0041499A C12C24 06 SHR DWORD PTR SS:[ESP],6
0041499E F71424 NOT DWORD PTR SS:[ESP]
004149A1 832424 01 AND DWORD PTR SS:[ESP],1
004149A5 50 PUSH EAX
004149A6 52 PUSH EDX
004149A7 B8 5EBFDC32 MOV EAX,32DCBF5E
004149AC 05 444023CD ADD EAX,CD234044
004149B1 F76424 08 MUL DWORD PTR SS:[ESP+8]
004149B5 8D8428 D4554000 LEA EAX,DWORD PTR DS:[EAX+EBP+4055D4]
004149BC > 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.004149CF
004149C0 5A POP EDX
004149C1 58 POP EAX
004149C2 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
004149C6 FF6424 FC JMP DWORD PTR SS:[ESP-4]
……
004149CF 55 PUSH EBP
004149D0 9C PUSHFD
004149D1 E8 77000000 CALL 00414A4D ; 这里进去就是SEH异常
……
004149D7 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
004149DB 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004149DF 8142 04 3500000>ADD DWORD PTR DS:[EDX+4],35
004149E6 81CA 29242123 OR EDX,23212429
004149EC 2BC9 SUB ECX,ECX
004149EE 2148 04 AND DWORD PTR DS:[EAX+4],ECX ; 清除硬件断点
004149F1 2148 08 AND DWORD PTR DS:[EAX+8],ECX
004149F4 2148 0C AND DWORD PTR DS:[EAX+C],ECX
004149F7 2148 10 AND DWORD PTR DS:[EAX+10],ECX
004149FA 8160 14 F00FFFF>AND DWORD PTR DS:[EAX+14],FFFF0FF0
00414A01 C740 18 5501000>MOV DWORD PTR DS:[EAX+18],155
00414A08 33C0 XOR EAX,EAX
00414A0A C3 RETN
……
00414A65 8DBD 01354000 LEA EDI,DWORD PTR SS:[EBP+403501] ; 从004128FC开始解压代码,大小为108f
00414A6B B9 8F100000 MOV ECX,108F
00414A70 90 NOP
00414A71 90 NOP
00414A72 90 NOP
00414A73 90 NOP
00414A74 90 NOP
00414A75 90 NOP
00414A76 90 NOP
00414A77 90 NOP
00414A78 90 NOP
00414A79 8A07 MOV AL,BYTE PTR DS:[EDI]
00414A7B 02C1 ADD AL,CL
00414A7D C0C0 43 ROL AL,43 ; Shift constant out of range 1..31
00414A80 FEC8 DEC AL
00414A82 04 40 ADD AL,40
00414A84 2C 39 SUB AL,39
00414A86 EB 01 JMP SHORT 00414A89
00414A88 90 NOP
00414A89 34 BB XOR AL,0BB
00414A8B 0AC0 OR AL,AL
00414A8D 04 85 ADD AL,85
00414A8F EB 01 JMP SHORT 00414A92
00414A91 90 NOP
00414A92 02C1 ADD AL,CL
00414A94 90 NOP
00414A95 F9 STC
00414A96 C0C8 53 ROR AL,53 ; Shift constant out of range 1..31
00414A99 0AC0 OR AL,AL
00414A9B 04 C2 ADD AL,0C2
00414A9D 2AC1 SUB AL,CL
00414A9F AA STOS BYTE PTR ES:[EDI]
00414AA0 49 DEC ECX
00414AA1 9C PUSHFD
00414AA2 C12C24 06 SHR DWORD PTR SS:[ESP],6
00414AA6 F71424 NOT DWORD PTR SS:[ESP]
00414AA9 832424 01 AND DWORD PTR SS:[ESP],1
00414AAD 50 PUSH EAX
00414AAE 52 PUSH EDX
00414AAF B8 61B2DC12 MOV EAX,12DCB261
00414AB4 05 444D23ED ADD EAX,ED234D44
00414AB9 F76424 08 MUL DWORD PTR SS:[ESP+8]
00414ABD 8D8428 D9564000 LEA EAX,DWORD PTR DS:[EAX+EBP+4056D9]
00414AC4 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; PESpin.00414AD4
00414AC8 5A POP EDX
00414AC9 58 POP EAX
00414ACA 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00414ACE FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 如果没有解压完则继续
……
00412777 68 07000000 PUSH 7
0041277C 5B POP EBX
0041277D 25 25382C37 AND EAX,372C3825
00412782 50 PUSH EAX
00412783 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00412787 F7D0 NOT EAX
00412789 234424 FC AND EAX,DWORD PTR SS:[ESP-4]
0041278D 51 PUSH ECX ; 从这里开始解密各段
0041278E 90 NOP
0041278F 90 NOP
00412790 90 NOP
00412791 90 NOP
00412792 90 NOP
00412793 90 NOP
00412794 90 NOP
00412795 90 NOP
00412796 90 NOP
00412797 90 NOP
00412798 90 NOP
00412799 90 NOP
0041279A 0FA3C3 BT EBX,EAX
0041279D 73 79 JNB SHORT 00412818 ; 如果该段解压完则跳去解压下一段
0041279F 90 NOP
004127A0 90 NOP
004127A1 90 NOP
004127A2 90 NOP
004127A3 90 NOP
004127A4 90 NOP
004127A5 90 NOP
004127A6 90 NOP
004127A7 90 NOP
004127A8 90 NOP
004127A9 90 NOP
004127AA 90 NOP
004127AB 90 NOP
004127AC 90 NOP
004127AD 90 NOP
004127AE 90 NOP
004127AF 90 NOP
004127B0 90 NOP
004127B1 90 NOP
004127B2 90 NOP
004127B3 90 NOP
004127B4 90 NOP
004127B5 90 NOP
004127B6 90 NOP
004127B7 90 NOP
004127B8 90 NOP
004127B9 90 NOP
004127BA 90 NOP
004127BB 90 NOP
004127BC 90 NOP
004127BD 90 NOP
004127BE 90 NOP
004127BF 90 NOP
004127C0 90 NOP
004127C1 90 NOP
004127C2 90 NOP
004127C3 90 NOP
004127C4 90 NOP
004127C5 90 NOP
004127C6 90 NOP
004127C7 90 NOP
004127C8 90 NOP
004127C9 90 NOP
004127CA 90 NOP
004127CB 90 NOP
004127CC 90 NOP
004127CD 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C]
004127D0 03BD C34B4000 ADD EDI,DWORD PTR SS:[EBP+404BC3]
004127D6 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10] ; RSIZE = 6000
004127D9 50 PUSH EAX
004127DA 8A07 MOV AL,BYTE PTR DS:[EDI] ; 第一次 从401000处开始解密代码,size:6000
004127DC 2C 61 SUB AL,61
004127DE F8 CLC
004127DF F8 CLC
004127E0 C0C0 B1 ROL AL,0B1 ; Shift constant out of range 1..31
004127E3 34 AF XOR AL,0AF
004127E5 04 70 ADD AL,70
004127E7 FEC8 DEC AL
004127E9 EB 01 JMP SHORT 004127EC
004127EB 90 NOP
004127EC F8 CLC
004127ED 32C1 XOR AL,CL
004127EF C0C0 42 ROL AL,42 ; Shift constant out of range 1..31
004127F2 EB 01 JMP SHORT 004127F5
004127F4 90 NOP
004127F5 02C1 ADD AL,CL
004127F7 2AC1 SUB AL,CL
004127F9 34 04 XOR AL,4
004127FB C0C0 9B ROL AL,9B ; Shift constant out of range 1..31
004127FE FEC8 DEC AL
00412800 AA STOS BYTE PTR ES:[EDI]
00412801 49 DEC ECX
00412802 90 NOP
00412803 90 NOP
00412804 90 NOP
00412805 90 NOP
00412806 90 NOP
00412807 90 NOP
00412808 90 NOP
00412809 90 NOP
0041280A 90 NOP
0041280B 90 NOP
0041280C 90 NOP
0041280D 90 NOP
0041280E 90 NOP
0041280F 90 NOP
00412810 90 NOP
00412811 90 NOP
00412812 90 NOP
00412813 0BC9 OR ECX,ECX
00412815 ^ 75 C3 JNZ SHORT 004127DA ; 该段没解压完该段则继续上去解密
00412817 58 POP EAX
00412818 40 INC EAX
00412819 83C2 28 ADD EDX,28
0041281C 90 NOP
0041281D 90 NOP
0041281E 90 NOP
0041281F 90 NOP
00412820 90 NOP
00412821 90 NOP
00412822 90 NOP
00412823 90 NOP
00412824 90 NOP
00412825 59 POP ECX
00412826 49 DEC ECX
00412827 9C PUSHFD
00412828 C12C24 06 SHR DWORD PTR SS:[ESP],6
0041282C F71424 NOT DWORD PTR SS:[ESP]
0041282F 832424 01 AND DWORD PTR SS:[ESP],1
00412833 50 PUSH EAX
00412834 52 PUSH EDX
00412835 B8 E979A6F5 MOV EAX,F5A679E9
0041283A 05 4985590A ADD EAX,0A598549
0041283F F76424 08 MUL DWORD PTR SS:[ESP+8]
00412843 8D8428 60344000 LEA EAX,DWORD PTR DS:[EAX+EBP+403460]
0041284A 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
0041284E 5A POP EDX
0041284F 58 POP EAX
00412850 8D6424 04 LEA ESP,DWORD PTR SS:[ESP+4]
00412854 FF6424 FC JMP DWORD PTR SS:[ESP-4] ; 没有解压完则继续回去解密
……
0041286B E8 BA1C0000 CALL 0041452A ; 这个CALL实际就是一个异常CALL
……
00415062 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
00415064 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
00415069 51 PUSH ECX ; |Size = 3166 (12646.)
0041506A 6A 00 PUSH 0 ; |Address = NULL
0041506C FF95 0E4C4000 CALL DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
00415072 96 XCHG EAX,ESI ; hmem==003D0000
00415073 5A POP EDX
00415074 BF 50F40000 MOV EDI,0F450
00415079 81C7 00004000 ADD EDI,00400000
0041507F 56 PUSH ESI ; /存放地址 == 003D0000
00415080 57 PUSH EDI ; |解压地址 == 40f450
00415081 E8 1CDEFFFF CALL 00412EA2 ; \aplib_depack
00415086 91 XCHG EAX,ECX
00415087 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415089 5F POP EDI
0041508A 5E POP ESI
0041508B EB 01 JMP SHORT 0041508E
0041508D 90 NOP
0041508E 68 00400000 PUSH 4000 ; /FreeType = MEM_DECOMMIT
00415093 52 PUSH EDX ; |Size = 3166 (12646.)
00415094 56 PUSH ESI ; |Address = 003D0000
00415095 FF95 134C4000 CALL DWORD PTR SS:[EBP+404C13] ; \VirtualFree
……
004150A7 8D85 ED5C4000 LEA EAX,DWORD PTR SS:[EBP+405CED]
004150AD 8338 00 CMP DWORD PTR DS:[EAX],0
004150B0 0F84 CB000000 JE 00415181
004150B6 B9 80B60000 MOV ECX,0B680
004150BB 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
004150BD 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
004150C2 51 PUSH ECX ; |Size = B680 (46720.)
004150C3 6A 00 PUSH 0 ; |Address = NULL
004150C5 FF95 0E4C4000 CALL DWORD PTR SS:[EBP+404C0E] ; \VirtualAlloc
004150CB 8985 0E5D4000 MOV DWORD PTR SS:[EBP+405D0E],EAX ; [EBP+405D0E]==[00415109]
004150D1 EB 01 JMP SHORT 004150D4
004150D3 90 NOP
004150D4 0FB78D C74B4000 MOVZX ECX,WORD PTR SS:[EBP+404BC7] ; ecx==4
004150DB 8B95 CD4B4000 MOV EDX,DWORD PTR SS:[EBP+404BCD]
004150E1 81C2 F8000000 ADD EDX,0F8
004150E7 BB 07000000 MOV EBX,7
004150EC 2BC0 SUB EAX,EAX
004150EE 51 PUSH ECX
004150EF 90 NOP
004150F0 90 NOP
004150F1 90 NOP
004150F2 90 NOP
004150F3 90 NOP
004150F4 90 NOP
004150F5 90 NOP
004150F6 90 NOP
004150F7 90 NOP
004150F8 0FA3C3 BT EBX,EAX
004150FB 73 27 JNB SHORT 00415124 ; 如果解压完该段则跳
004150FD 50 PUSH EAX
004150FE 53 PUSH EBX ; 铺张浪费^_^
004150FF &n