yoda's cryptor 壳流程分析
2022-10-02 15:00:24
作 者: qinxijp
代码:
这里是一开始壳的加密算法~~,非常简单
算法分析: //可逆算法,
加密算法
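/*
 * Per-byte transform that yoda's cryptor applies to the 0x0C23-byte code
 * region following the stub. It mirrors the packer's own instruction
 * sequence (listing 0058F09F..0058F0D7 below) so the two can be compared.
 *
 * Every output byte depends only on the input byte and on CL, the low byte
 * of the remaining-byte counter ECX. It is therefore a position-keyed byte
 * substitution: fully invertible, with no secret key. It is obfuscation
 * that hides the code from static disassembly, not encryption.
 *
 * Encrypt, per byte, with c = CL:
 *   xor 0x3a; add c; inc; xor 0x33; xor 0x1d; xor 0x97; add 0xf4; add c;
 *   rol 7; add c; sub 0x2b; inc; xor 0x58
 * Decrypt runs the inverse steps in reverse order; both loops start ECX at
 * nSize and decrement once per byte, so they see the same CL sequence.
 *
 * ROL/ROR on an 8-bit operand use the count masked to 5 bits, mod 8:
 * 0x6F & 0x1F = 15, 15 mod 8 = 7, so "rol al,0x6f" rotates by 7. The
 * immediate is kept as 0x6f to match the packer's bytes.
 *
 * MSVC x86 inline assembly: 32-bit build only (x64 MSVC has no __asm).
 */
enum { YC_REGION_SIZE = 0x0c23 };       /* matches "mov ecx, 0C23" in the stub */

/* pMem must hold the whole region: a 2-byte array with nSize = 0x0c23 makes
 * both loops read and write 0xC23 bytes, i.e. far past the end of the array. */
unsigned char pMem[YC_REGION_SIZE] = {0x8B, 0x44 /* , ... remaining region bytes ... */};
int nSize = sizeof(pMem);

/* Encryption loop. */
__asm
{
    mov     ecx, nSize
    lea     edi, pMem
    mov     esi, edi
Lol1:
    lodsb                       ; al = *esi++  (the packer emits the raw byte 0xAC)
    xor     al, 0x3a
    add     al, cl
    inc     al
    xor     al, 0x33
    xor     al, 0x1d
    xor     al, 0x97
    add     al, 0xf4
    add     al, cl
    rol     al, 0x6f            ; effective rotate-left by 7, see header
    add     al, cl
    sub     al, 0x2b
    inc     al
    xor     al, 0x58
    stosb                       ; *edi++ = al  (the packer emits the raw byte 0xAA)
    loop    Lol1                ; was commented out, so only one byte was transformed
}

/* Decryption loop: exact inverse of the above; this is what the stub runs
 * at 0058F09F before control reaches the real code at 0058F0E0. */
__asm
{
    mov     ecx, nSize
    lea     edi, pMem
    mov     esi, edi
Lop:
    lodsb
    xor     al, 0x58
    dec     al
    add     al, 0x2b
    sub     al, cl
    ror     al, 0x6f            ; inverse of the rol above (rotate-right by 7)
    sub     al, cl
    sub     al, 0xf4
    xor     al, 0x97
    xor     al, 0x1d
    xor     al, 0x33
    dec     al
    sub     al, cl
    xor     al, 0x3a
    stosb
    loop    Lop
}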
0058F063 6A FF push -1
0058F065 68 2A2C0A00 push 0A2C2A ; 这个 注意
0058F06A 68 38900D00 push 0D9038 ; 注意
0058F06F 64:A1 00000000 mov eax, dword ptr fs:[0]
0058F075 50 push eax
0058F076 64:8925 0000000>mov dword ptr fs:[0], esp
0058F07D 58 pop eax
0058F07E 64:A3 00000000 mov dword ptr fs:[0], eax
0058F084 58 pop eax
0058F085 EB 0B jmp short 0058F092 ; //以上代码伪造VC入口点
0058F087 58 pop eax
0058F088 58 pop eax
0058F089 58 pop eax
0058F08A 58 pop eax
0058F08B 58 pop eax
0058F08C 58 pop eax
0058F08D 58 pop eax
0058F08E 58 pop eax
0058F08F 58 pop eax
0058F090 90 nop
0058F091 90 nop
0058F092 60 pushad
0058F093 E8 00000000 call 0058F098 ; 代码重定位
0058F098 5D pop ebp
0058F099 81ED 89172A07 sub ebp, 72A1789
0058F09F B9 230C0000 mov ecx, 0C23
0058F0A4 8DBD D1172A07 lea edi, dword ptr [ebp+72A17D1]
0058F0AA 8BF7 mov esi, edi
0058F0AC AC lods byte ptr [esi]
0058F0AD EB 01 jmp short 0058F0B0 ; opcode 为 EB 01: 跳到下一条指令起始地址+1 处, 正好跳过 E9 这一个字节(花指令); 分析时可把 E9 改成 NOP, 反汇编器才能正确显示后面的指令
0058F0AF - E9 F890F8F9 jmp FA5181AC
0058F0B4 34 58 xor al, 58
0058F0B6 FEC8 dec al
0058F0B8 04 2B add al, 2B
0058F0BA 90 nop
0058F0BB 2AC1 sub al, cl
0058F0BD EB 01 jmp short 0058F0C0
0058F0BF C2 F8C0 retn 0C0F8
0058F0C2 C8 6F2AC1 enter 2A6F, 0C1
0058F0C6 F9 stc
0058F0C7 2C F4 sub al, 0F4
0058F0C9 34 97 xor al, 97
0058F0CB F9 stc
0058F0CC EB 01 jmp short 0058F0CF
0058F0CE C2 341D retn 1D34
0058F0D1 34 33 xor al, 33
0058F0D3 FEC8 dec al
0058F0D5 2AC1 sub al, cl
0058F0D7 34 3A xor al, 3A
0058F0D9 EB 01 jmp short 0058F0DC
0058F0DB - E9 F8AAE2CC jmp CD3B9BD8
0058F0E0 8B4424 20 mov eax, dword ptr [esp+20] ; 取入口的时候压入的数值
0058F0E4 40 inc eax
0058F0E5 78 0A js short 0058F0F1
0058F0E7 C785 7F212A07 0>mov dword ptr [ebp+72A217F], 1
0058F0F1 8D85 51172A07 lea eax, dword ptr [ebp+72A1751] ; 入口点
0058F0F7 B9 66070000 mov ecx, 766
0058F0FC E8 46030000 call 0058F447 ; 校验
0058F101 8985 7B212A07 mov dword ptr [ebp+72A217B], eax
0058F107 8B85 73212A07 mov eax, dword ptr [ebp+72A2173]
0058F10D 83E0 01 and eax, 1
0058F110 74 40 je short 0058F152
0058F112 8DB5 EB222A07 lea esi, dword ptr [ebp+72A22EB]
0058F118 8D85 30182A07 lea eax, dword ptr [ebp+72A1830]
0058F11E 8946 08 mov dword ptr [esi+8], eax
0058F121 8BFD mov edi, ebp
0058F123 8D85 09212A07 lea eax, dword ptr [ebp+72A2109]
0058F129 33DB xor ebx, ebx
0058F12B 50 push eax
0058F12C 64:FF33 push dword ptr fs:[ebx]
0058F12F 64:8923 mov dword ptr fs:[ebx], esp
0058F132 BD 4B484342 mov ebp, 4243484B
0058F137 66:B8 0400 mov ax, 4
0058F13B EB 01 jmp short 0058F13E
0058F13D FFCC dec esp
0058F13F 8BEF mov ebp, edi
0058F141 33DB xor ebx, ebx
0058F143 64:8F03 pop dword ptr fs:[ebx]
0058F146 83C4 04 add esp, 4
0058F149 3C 04 cmp al, 4
0058F14B 74 05 je short 0058F152
0058F14D EB 01 jmp short 0058F150
0058F14F - E9 61C38B85 jmp 85E4B4B5
0058F154 6B21 2A imul esp, dword ptr [ecx], 2A
0058F157 07 pop es
0058F158 0340 3C add eax, dword ptr [eax+3C] ; 定位到NT头
0058F15B 05 80000000 add eax, 80 ; 定位到Directory [输入表]
0058F160 8B08 mov ecx, dword ptr [eax] ; 获取输入表地址
0058F162 038D 6B212A07 add ecx, dword ptr [ebp+72A216B]
0058F168 83C1 10 add ecx, 10 ; 获取FirstThunk
0058F16B 8B01 mov eax, dword ptr [ecx]
0058F16D 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F173 8B18 mov ebx, dword ptr [eax] ; 下面就是获取一些壳需要用到的API
0058F175 899D F7222A07 mov dword ptr [ebp+72A22F7], ebx
0058F17B 83C0 04 add eax, 4
0058F17E 8B18 mov ebx, dword ptr [eax]
0058F180 899D FB222A07 mov dword ptr [ebp+72A22FB], ebx
0058F186 8D85 FF222A07 lea eax, dword ptr [ebp+72A22FF]
0058F18C 50 push eax ; 获取kernel32基址
0058F18D FF95 F7222A07 call dword ptr [ebp+72A22F7]
0058F193 8BF0 mov esi, eax
0058F195 8985 0C232A07 mov dword ptr [ebp+72A230C], eax
0058F19B 8D85 10232A07 lea eax, dword ptr [ebp+72A2310]
0058F1A1 E8 C9000000 call 0058F26F ; GetModuleHandle
0058F1A6 8985 21232A07 mov dword ptr [ebp+72A2321], eax
0058F1AC 8D85 25232A07 lea eax, dword ptr [ebp+72A2325]
0058F1B2 E8 B8000000 call 0058F26F ; VirtualProtect
0058F1B7 8985 34232A07 mov dword ptr [ebp+72A2334], eax
0058F1BD 8D85 38232A07 lea eax, dword ptr [ebp+72A2338]
0058F1C3 E8 A7000000 call 0058F26F ; GetModuleFileNameA
0058F1C8 8985 4B232A07 mov dword ptr [ebp+72A234B], eax
0058F1CE 8D85 4F232A07 lea eax, dword ptr [ebp+72A234F]
0058F1D4 E8 96000000 call 0058F26F ; CreateFileA
0058F1D9 8985 5B232A07 mov dword ptr [ebp+72A235B], eax
0058F1DF 8D85 5F232A07 lea eax, dword ptr [ebp+72A235F]
0058F1E5 E8 85000000 call 0058F26F ; GlobalAlloc
0058F1EA 8985 6B232A07 mov dword ptr [ebp+72A236B], eax
0058F1F0 8D85 6F232A07 lea eax, dword ptr [ebp+72A236F]
0058F1F6 E8 74000000 call 0058F26F ; GlobalFree
0058F1FB 8985 7A232A07 mov dword ptr [ebp+72A237A], eax
0058F201 8D85 7E232A07 lea eax, dword ptr [ebp+72A237E]
0058F207 E8 63000000 call 0058F26F ; ReadFile
0058F20C 8985 87232A07 mov dword ptr [ebp+72A2387], eax
0058F212 8D85 8B232A07 lea eax, dword ptr [ebp+72A238B]
0058F218 E8 52000000 call 0058F26F ; GetFileSize
0058F21D 8985 97232A07 mov dword ptr [ebp+72A2397], eax
0058F223 8D85 9B232A07 lea eax, dword ptr [ebp+72A239B]
0058F229 E8 41000000 call 0058F26F ; CloseHandle
0058F22E 8985 A7232A07 mov dword ptr [ebp+72A23A7], eax
0058F234 8D85 AB232A07 lea eax, dword ptr [ebp+72A23AB]
0058F23A E8 30000000 call 0058F26F ; VirtualAlloc
0058F23F 8985 B8232A07 mov dword ptr [ebp+72A23B8], eax
0058F245 8D85 D2232A07 lea eax, dword ptr [ebp+72A23D2]
0058F24B E8 1F000000 call 0058F26F ; ExitProcess
0058F250 8985 DE232A07 mov dword ptr [ebp+72A23DE], eax
0058F256 8D85 BC232A07 lea eax, dword ptr [ebp+72A23BC]
0058F25C E8 0E000000 call 0058F26F ; ReadProcessMemory
0058F261 8985 CE232A07 mov dword ptr [ebp+72A23CE], eax
0058F267 8D85 69192A07 lea eax, dword ptr [ebp+72A1969]
0058F26D 50 push eax
0058F26E C3 retn //到下面见
0058F278 64:FF35 3000000>push dword ptr fs:[30]
0058F27F 58 pop eax ; 获取peb
0058F280 85C0 test eax, eax
0058F282 78 0F js short 0058F293
0058F284 8B40 0C mov eax, dword ptr [eax+C] ; 获取PEB.Ldr
0058F287 8B40 0C mov eax, dword ptr [eax+C] ; 获取Ldr.InLoadOrderModuleList
0058F28A 8140 20 0030000>add dword ptr [eax+20], 3000 ; 当前进程的镜像大小+ 3000 这么操作有什么用呢,,,。。。
0058F291 EB 1C jmp short 0058F2AF
0058F293 6A 00 push 0
0058F295 FF95 21232A07 call dword ptr [ebp+72A2321]
0058F29B 85D2 test edx, edx
0058F29D 79 10 jns short 0058F2AF
0058F29F 837A 08 FF cmp dword ptr [edx+8], -1
0058F2A3 75 0A jnz short 0058F2AF
0058F2A5 8B52 04 mov edx, dword ptr [edx+4]
0058F2A8 C742 50 0010000>mov dword ptr [edx+50], 1000
0058F2AF E8 0A000000 call 0058F2BE ; 这里作者加入了很多反调试F7
0058F2BE FF95 21232A07 call dword ptr [ebp+72A2321] ; kernel32.GetModuleHandleA
0058F2C4 91 xchg eax, ecx
0058F2C5 E3 58 jecxz short 0058F31F
0058F2C7 E8 17000000 call 0058F2E3 ; F7 反调试
0058F2E3 51 push ecx ; ntdll_12.<ModuleEntryPoint>
0058F2E4 FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F2EA 91 xchg eax, ecx ; 获取ZwSetInformationThread
0058F2EB E3 32 jecxz short 0058F31F
0058F2ED 87CF xchg edi, ecx
0058F2EF E8 11000000 call 0058F305 F7进入
0058F305 FFB5 0C232A07 push dword ptr [ebp+72A230C]
0058F30B FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F311 91 xchg eax, ecx
0058F312 E3 0B jecxz short 0058F31F
0058F314 FFD1 call ecx ; GetCurrentThread 获取当前线程
0058F316 6A 00 push 0
0058F318 6A 00 push 0
0058F31A 6A 11 push 11 ; 压入ThreadHideFromDebugger标志,使当前线程隐藏,起到反调试的作用
0058F31C 50 push eax
0058F31D FFD7 call edi
0058F31F 8CC9 mov cx, cs
0058F321 32C9 xor cl, cl
0058F323 E3 02 jecxz short 0058F327
0058F325 EB 66 jmp short 0058F38D
0058F327 EB 14 jmp short 0058F33D
0058F329 8B4C24 04 mov ecx, dword ptr [esp+4]
0058F32D 8B49 04 mov ecx, dword ptr [ecx+4]
0058F330 8381 B8000000 0>add dword ptr [ecx+B8], 2
0058F337 33C0 xor eax, eax
0058F339 48 dec eax
0058F33A C2 0400 retn 4
0058F33D 60 pushad
0058F33E E8 1C000000 call 0058F35F F7 ; 这里是用SEH 进行反调试
0058F35F FFB5 0C232A07 push dword ptr [ebp+72A230C] ; kernel32.763B0000
0058F365 FF95 FB222A07 call dword ptr [ebp+72A22FB] ; 获取 SetUnhandledExceptionFilter
0058F36B 96 xchg eax, esi
0058F36C 8D85 1A1A2A07 lea eax, dword ptr [ebp+72A1A1A]
0058F372 50 push eax
0058F373 FFD6 call esi ; 设置异常捕获函数
0058F375 97 xchg eax, edi ; 下面就是作者故意触发异常
0058F376 33D2 xor edx, edx
0058F378 F7FA idiv edx
0058F37A 90 nop
0058F37B 90 nop
0058F37C CD 01 int 1
0058F37E 90 nop
0058F37F 90 nop
0058F380 CC int3
0058F381 90 nop
0058F382 90 nop
0058F383 33C0 xor eax, eax
0058F385 3100 xor dword ptr [eax], eax
0058F387 90 nop
0058F388 90 nop
0058F389 57 push edi
0058F38A FFD6 call esi
0058F38C 61 popad
0058F38D 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F393 037F 3C add edi, dword ptr [edi+3C]
0058F396 8BB5 6B212A07 mov esi, dword ptr [ebp+72A216B] ; PE头
0058F39C 8B4F 54 mov ecx, dword ptr [edi+54] ; SizeOfHeaders
0058F39F 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F3A5 50 push eax ; 保存原属性方式
0058F3A6 6A 04 push 4 ; 新属性
0058F3A8 51 push ecx ; 大小
0058F3A9 FFB5 6B212A07 push dword ptr [ebp+72A216B] ; 修改地址
0058F3AF FF95 34232A07 call dword ptr [ebp+72A2334] ; //修改属性VirtualProtect
0058F3B5 F785 73212A07 0>test dword ptr [ebp+72A2173], 8
0058F3BF 0F84 A7000000 je 0058F46C
0058F3C5 68 04010000 push 104
0058F3CA 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F3D0 57 push edi
0058F3D1 6A 00 push 0
0058F3D3 FF95 4B232A07 call dword ptr [ebp+72A234B] ; //获取程序PATH
0058F3D9 6A 00 push 0
0058F3DB 68 80000000 push 80
0058F3E0 6A 03 push 3
0058F3E2 6A 00 push 0
0058F3E4 6A 01 push 1
0058F3E6 68 00000080 push 80000000
0058F3EB 57 push edi
0058F3EC FF95 5B232A07 call dword ptr [ebp+72A235B] ; 打开自身
0058F3F2 83F8 FF cmp eax, -1
0058F3F5 75 04 jnz short 0058F3FB
0058F3F7 33C0 xor eax, eax
0058F3F9 EB 71 jmp short 0058F46C
0058F3FB 8BF8 mov edi, eax
0058F3FD 6A 00 push 0
0058F3FF 57 push edi ; 获取自身大小
0058F400 FF95 97232A07 call dword ptr [ebp+72A2397]
0058F406 83E8 05 sub eax, 5
0058F409 96 xchg eax, esi
0058F40A 56 push esi
0058F40B 6A 40 push 40 ; 创建一块 自身大小的内存
0058F40D FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F413 0BC0 or eax, eax
0058F415 75 02 jnz short 0058F419
0058F417 EB 4A jmp short 0058F463
0058F419 93 xchg eax, ebx
0058F41A 6A 00 push 0
0058F41C 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F422 50 push eax ; &dwRead
0058F423 56 push esi ; 要读入字节数
0058F424 53 push ebx ; 缓冲区
0058F425 57 push edi ; 文件句柄
0058F426 FF95 87232A07 call dword ptr [ebp+72A2387]
0058F42C 8BC3 mov eax, ebx
0058F42E 8BCE mov ecx, esi
0058F430 53 push ebx
0058F431 57 push edi
0058F432 E8 10000000 call 0058F447 ; 算一个校验 保存起来 后面他会比较
0058F437 8985 77212A07 mov dword ptr [ebp+72A2177], eax
0058F43D 5F pop edi
0058F43E 5B pop ebx
0058F43F 8D85 4C1B2A07 lea eax, dword ptr [ebp+72A1B4C]
0058F445 50 push eax
0058F446 C3 retn
0058F447 8BF8 mov edi, eax
0058F449 33C0 xor eax, eax
0058F44B 33DB xor ebx, ebx
0058F44D 33D2 xor edx, edx
0058F44F 8A07 mov al, byte ptr [edi]
0058F451 F7E2 mul edx
0058F453 03D8 add ebx, eax
0058F455 42 inc edx
0058F456 47 inc edi
0058F457 ^ E2 F6 loopd short 0058F44F
0058F459 93 xchg eax, ebx
0058F45A C3 retn
0058F45B 53 push ebx
0058F45C FF95 7A232A07 call dword ptr [ebp+72A237A] ; 释放
0058F462 96 xchg eax, esi
0058F463 50 push eax
0058F464 57 push edi
0058F465 FF95 A7232A07 call dword ptr [ebp+72A23A7] ; 关闭句柄
0058F46B 58 pop eax
0058F46C E9 0B000000 jmp 0058F47C
0058F471 07 pop es
0058F472 BB 01000000 mov ebx, 1
0058F477 E8 08000000 call 0058F484
0058F47C 8D85 3E1C2A07 lea eax, dword ptr [ebp+72A1C3E]
0058F482 50 push eax
0058F483 C3 retn 这个retn后就要到OEP了
0058F54D 8B9D 6B212A07 mov ebx, dword ptr [ebp+72A216B] ; hsreg.00400000
0058F553 039D 6F212A07 add ebx, dword ptr [ebp+72A216F]
0058F559 C1CB 07 ror ebx, 7 //在这里其实ebx 就指向OEP
来看看下面他做什么了
0058F55C 895C24 10 mov dword ptr [esp+10], ebx
0058F560 8D9D 391F2A07 lea ebx, dword ptr [ebp+72A1F39]
0058F566 895C24 1C mov dword ptr [esp+1C], ebx
0058F56A 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F570 037F 3C add edi, dword ptr [edi+3C]
0058F573 8B9F C0000000 mov ebx, dword ptr [edi+C0]
0058F579 83FB 00 cmp ebx, 0
0058F57C 74 0F je short 0058F58D
0058F57E 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F584 8B43 08 mov eax, dword ptr [ebx+8]
0058F587 C700 00000000 mov dword ptr [eax], 0
0058F58D 8B85 77212A07 mov eax, dword ptr [ebp+72A2177]
0058F593 0BC0 or eax, eax
0058F595 74 0D je short 0058F5A4
0058F597 3B85 0C242A07 cmp eax, dword ptr [ebp+72A240C] ; 这里就是 判断校验了
0058F59D 74 05 je short 0058F5A4 跳
0058F59F E9 AF010000 jmp 0058F753
0058F5A4 8DB5 83212A07 lea esi, dword ptr [ebp+72A2183] 跳到这里
0058F5AA F785 73212A07 2>test dword ptr [ebp+72A2173], 20
0058F5B4 74 49 je short 0058F5FF 这里也会跳
0058F5B6 56 push esi
0058F5B7 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F5BD 33C9 xor ecx, ecx
0058F5BF EB 17 jmp short 0058F5D8
0058F5C1 8B56 04 mov edx, dword ptr [esi+4]
0058F5C4 0395 6B212A07 add edx, dword ptr [ebp+72A216B]
0058F5CA EB 04 jmp short 0058F5D0
0058F5CC 41 inc ecx
0058F5CD 83C2 04 add edx, 4
0058F5D0 833A 00 cmp dword ptr [edx], 0
0058F5D3 ^ 75 F7 jnz short 0058F5CC
0058F5D5 83C6 0C add esi, 0C
0058F5D8 837E 04 00 cmp dword ptr [esi+4], 0
0058F5DC ^ 75 E3 jnz short 0058F5C1
0058F5DE 33D2 xor edx, edx
0058F5E0 B8 05000000 mov eax, 5
0058F5E5 F7E1 mul ecx
0058F5E7 50 push eax
0058F5E8 6A 00 push 0
0058F5EA FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F5F0 0BC0 or eax, eax
0058F5F2 75 05 jnz short 0058F5F9
0058F5F4 83C4 04 add esp, 4
0058F5F7 61 popad
0058F5F8 C3 retn
0058F5F9 8907 mov dword ptr [edi], eax
0058F5FB 8947 04 mov dword ptr [edi+4], eax
0058F5FE 5E pop esi
0058F5FF E9 42010000 jmp 0058F746 跳到这里, 继续跳 往下面看
0058F604 8B1E mov ebx, dword ptr [esi]
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn
0058F604 8B1E mov ebx, dword ptr [esi] 从下面跳上来 取数值
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B] 加基址
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B //这个CALL 里面做的事情是
Lodsb
Ror al,4
Stosb
对 esi 指向的内容逐字节做 ror al,4 解密, 直到遇到 0 字节(字符串结尾)为止
这里就是解出了一些DLL名,以及 相关API名称
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn 返回到下面0058f62e
0058F61B 56 push esi
0058F61C 57 push edi
0058F61D 8BF0 mov esi, eax
0058F61F 8BF8 mov edi, eax
0058F621 AC lods byte ptr [esi]
0058F622 C0C8 04 ror al, 4
0058F625 AA stos byte ptr es:[edi]
0058F626 803F 00 cmp byte ptr [edi], 0 也就是这一段 在解密
0058F629 ^ 75 F6 jnz short 0058F621
0058F62B 5F pop edi
0058F62C 5E pop esi
0058F62D C3 retn
0058F62E 53 push ebx //retn 到这里 压入解出来的DLL 名称
0058F62F FF95 F7222A07 call dword ptr [ebp+72A22F7] LoadLibrary( ebx)
0058F635 85C0 test eax, eax
0058F637 0F84 16010000 je 0058F753
0058F63D 50 push eax
0058F63E F785 73212A07 0>test dword ptr [ebp+72A2173], 4
0058F648 74 0E je short 0058F658
0058F64A 8D85 491D2A07 lea eax, dword ptr [ebp+72A1D49]
0058F650 50 push eax
0058F651 8BC3 mov eax, ebx
0058F653 E9 B4030000 jmp 0058FA0C
0058F658 5B pop ebx
0058F659 8B4E 08 mov ecx, dword ptr [esi+8] 继续取出来个地址
0058F65C 0BC9 or ecx, ecx
0058F65E 75 03 jnz short 0058F663
0058F660 8B4E 04 mov ecx, dword ptr [esi+4]
0058F663 038D 6B212A07 add ecx, dword ptr [ebp+72A216B] 加上基址
0058F669 8B56 04 mov edx, dword ptr [esi+4] 继续取+ 基址
0058F66C 0395 6B212A07 add edx, dword ptr [ebp+72A216B]现在不知道他们里面存的什么东西, 我们往下看看
0058F672 E9 C3000000 jmp 0058F73A 跳
0058F677 F701 00000080 test dword ptr [ecx], 80000000
0058F67D 75 4B jnz short 0058F6CA
0058F67F 8B01 mov eax, dword ptr [ecx]
0058F681 83C0 02 add eax, 2
0058F684 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F68A 50 push eax
0058F68B E8 8BFFFFFF call 0058F61B 解密函数名
0058F690 58 pop eax
0058F691 8BF8 mov edi, eax
0058F693 52 push edx
0058F694 51 push ecx 保存现场
0058F695 50 push eax
0058F696 53 push ebx
0058F697 FF95 FB222A07 call dword ptr [ebp+72A22FB] GetProcAddress 获取API地址
0058F69D 0BC0 or eax, eax
0058F69F 75 07 jnz short 0058F6A8
0058F6A1 59 pop ecx
0058F6A2 5A pop edx
0058F6A3 E9 AB000000 jmp 0058F753
0058F6A8 59 pop ecx
0058F6A9 5A pop edx
0058F6AA 60 pushad
0058F6AB F785 73212A07 0>test dword ptr [ebp+72A2173], ... ; (原文在此处截断)
代码:
这里是一开始壳的加密算法~~,非常简单
算法分析: //可逆算法,
加密算法
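/*
 * Per-byte transform that yoda's cryptor applies to the 0x0C23-byte code
 * region following the stub. It mirrors the packer's own instruction
 * sequence (listing 0058F09F..0058F0D7 below) so the two can be compared.
 *
 * Every output byte depends only on the input byte and on CL, the low byte
 * of the remaining-byte counter ECX. It is therefore a position-keyed byte
 * substitution: fully invertible, with no secret key. It is obfuscation
 * that hides the code from static disassembly, not encryption.
 *
 * Encrypt, per byte, with c = CL:
 *   xor 0x3a; add c; inc; xor 0x33; xor 0x1d; xor 0x97; add 0xf4; add c;
 *   rol 7; add c; sub 0x2b; inc; xor 0x58
 * Decrypt runs the inverse steps in reverse order; both loops start ECX at
 * nSize and decrement once per byte, so they see the same CL sequence.
 *
 * ROL/ROR on an 8-bit operand use the count masked to 5 bits, mod 8:
 * 0x6F & 0x1F = 15, 15 mod 8 = 7, so "rol al,0x6f" rotates by 7. The
 * immediate is kept as 0x6f to match the packer's bytes.
 *
 * MSVC x86 inline assembly: 32-bit build only (x64 MSVC has no __asm).
 */
enum { YC_REGION_SIZE = 0x0c23 };       /* matches "mov ecx, 0C23" in the stub */

/* pMem must hold the whole region: a 2-byte array with nSize = 0x0c23 makes
 * both loops read and write 0xC23 bytes, i.e. far past the end of the array. */
unsigned char pMem[YC_REGION_SIZE] = {0x8B, 0x44 /* , ... remaining region bytes ... */};
int nSize = sizeof(pMem);

/* Encryption loop. */
__asm
{
    mov     ecx, nSize
    lea     edi, pMem
    mov     esi, edi
Lol1:
    lodsb                       ; al = *esi++  (the packer emits the raw byte 0xAC)
    xor     al, 0x3a
    add     al, cl
    inc     al
    xor     al, 0x33
    xor     al, 0x1d
    xor     al, 0x97
    add     al, 0xf4
    add     al, cl
    rol     al, 0x6f            ; effective rotate-left by 7, see header
    add     al, cl
    sub     al, 0x2b
    inc     al
    xor     al, 0x58
    stosb                       ; *edi++ = al  (the packer emits the raw byte 0xAA)
    loop    Lol1                ; was commented out, so only one byte was transformed
}

/* Decryption loop: exact inverse of the above; this is what the stub runs
 * at 0058F09F before control reaches the real code at 0058F0E0. */
__asm
{
    mov     ecx, nSize
    lea     edi, pMem
    mov     esi, edi
Lop:
    lodsb
    xor     al, 0x58
    dec     al
    add     al, 0x2b
    sub     al, cl
    ror     al, 0x6f            ; inverse of the rol above (rotate-right by 7)
    sub     al, cl
    sub     al, 0xf4
    xor     al, 0x97
    xor     al, 0x1d
    xor     al, 0x33
    dec     al
    sub     al, cl
    xor     al, 0x3a
    stosb
    loop    Lop
}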
0058F063 6A FF push -1
0058F065 68 2A2C0A00 push 0A2C2A ; 这个 注意
0058F06A 68 38900D00 push 0D9038 ; 注意
0058F06F 64:A1 00000000 mov eax, dword ptr fs:[0]
0058F075 50 push eax
0058F076 64:8925 0000000>mov dword ptr fs:[0], esp
0058F07D 58 pop eax
0058F07E 64:A3 00000000 mov dword ptr fs:[0], eax
0058F084 58 pop eax
0058F085 EB 0B jmp short 0058F092 ; //以上代码伪造VC入口点
0058F087 58 pop eax
0058F088 58 pop eax
0058F089 58 pop eax
0058F08A 58 pop eax
0058F08B 58 pop eax
0058F08C 58 pop eax
0058F08D 58 pop eax
0058F08E 58 pop eax
0058F08F 58 pop eax
0058F090 90 nop
0058F091 90 nop
0058F092 60 pushad
0058F093 E8 00000000 call 0058F098 ; 代码重定位
0058F098 5D pop ebp
0058F099 81ED 89172A07 sub ebp, 72A1789
0058F09F B9 230C0000 mov ecx, 0C23
0058F0A4 8DBD D1172A07 lea edi, dword ptr [ebp+72A17D1]
0058F0AA 8BF7 mov esi, edi
0058F0AC AC lods byte ptr [esi]
0058F0AD EB 01 jmp short 0058F0B0 ; opcode 为 EB 01: 跳到下一条指令起始地址+1 处, 正好跳过 E9 这一个字节(花指令); 分析时可把 E9 改成 NOP, 反汇编器才能正确显示后面的指令
0058F0AF - E9 F890F8F9 jmp FA5181AC
0058F0B4 34 58 xor al, 58
0058F0B6 FEC8 dec al
0058F0B8 04 2B add al, 2B
0058F0BA 90 nop
0058F0BB 2AC1 sub al, cl
0058F0BD EB 01 jmp short 0058F0C0
0058F0BF C2 F8C0 retn 0C0F8
0058F0C2 C8 6F2AC1 enter 2A6F, 0C1
0058F0C6 F9 stc
0058F0C7 2C F4 sub al, 0F4
0058F0C9 34 97 xor al, 97
0058F0CB F9 stc
0058F0CC EB 01 jmp short 0058F0CF
0058F0CE C2 341D retn 1D34
0058F0D1 34 33 xor al, 33
0058F0D3 FEC8 dec al
0058F0D5 2AC1 sub al, cl
0058F0D7 34 3A xor al, 3A
0058F0D9 EB 01 jmp short 0058F0DC
0058F0DB - E9 F8AAE2CC jmp CD3B9BD8
0058F0E0 8B4424 20 mov eax, dword ptr [esp+20] ; 取入口的时候压入的数值
0058F0E4 40 inc eax
0058F0E5 78 0A js short 0058F0F1
0058F0E7 C785 7F212A07 0>mov dword ptr [ebp+72A217F], 1
0058F0F1 8D85 51172A07 lea eax, dword ptr [ebp+72A1751] ; 入口点
0058F0F7 B9 66070000 mov ecx, 766
0058F0FC E8 46030000 call 0058F447 ; 校验
0058F101 8985 7B212A07 mov dword ptr [ebp+72A217B], eax
0058F107 8B85 73212A07 mov eax, dword ptr [ebp+72A2173]
0058F10D 83E0 01 and eax, 1
0058F110 74 40 je short 0058F152
0058F112 8DB5 EB222A07 lea esi, dword ptr [ebp+72A22EB]
0058F118 8D85 30182A07 lea eax, dword ptr [ebp+72A1830]
0058F11E 8946 08 mov dword ptr [esi+8], eax
0058F121 8BFD mov edi, ebp
0058F123 8D85 09212A07 lea eax, dword ptr [ebp+72A2109]
0058F129 33DB xor ebx, ebx
0058F12B 50 push eax
0058F12C 64:FF33 push dword ptr fs:[ebx]
0058F12F 64:8923 mov dword ptr fs:[ebx], esp
0058F132 BD 4B484342 mov ebp, 4243484B
0058F137 66:B8 0400 mov ax, 4
0058F13B EB 01 jmp short 0058F13E
0058F13D FFCC dec esp
0058F13F 8BEF mov ebp, edi
0058F141 33DB xor ebx, ebx
0058F143 64:8F03 pop dword ptr fs:[ebx]
0058F146 83C4 04 add esp, 4
0058F149 3C 04 cmp al, 4
0058F14B 74 05 je short 0058F152
0058F14D EB 01 jmp short 0058F150
0058F14F - E9 61C38B85 jmp 85E4B4B5
0058F154 6B21 2A imul esp, dword ptr [ecx], 2A
0058F157 07 pop es
0058F158 0340 3C add eax, dword ptr [eax+3C] ; 定位到NT头
0058F15B 05 80000000 add eax, 80 ; 定位到Directory [输入表]
0058F160 8B08 mov ecx, dword ptr [eax] ; 获取输入表地址
0058F162 038D 6B212A07 add ecx, dword ptr [ebp+72A216B]
0058F168 83C1 10 add ecx, 10 ; 获取FirstThunk
0058F16B 8B01 mov eax, dword ptr [ecx]
0058F16D 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F173 8B18 mov ebx, dword ptr [eax] ; 下面就是获取一些壳需要用到的API
0058F175 899D F7222A07 mov dword ptr [ebp+72A22F7], ebx
0058F17B 83C0 04 add eax, 4
0058F17E 8B18 mov ebx, dword ptr [eax]
0058F180 899D FB222A07 mov dword ptr [ebp+72A22FB], ebx
0058F186 8D85 FF222A07 lea eax, dword ptr [ebp+72A22FF]
0058F18C 50 push eax ; 获取kernel32基址
0058F18D FF95 F7222A07 call dword ptr [ebp+72A22F7]
0058F193 8BF0 mov esi, eax
0058F195 8985 0C232A07 mov dword ptr [ebp+72A230C], eax
0058F19B 8D85 10232A07 lea eax, dword ptr [ebp+72A2310]
0058F1A1 E8 C9000000 call 0058F26F ; GetModuleHandle
0058F1A6 8985 21232A07 mov dword ptr [ebp+72A2321], eax
0058F1AC 8D85 25232A07 lea eax, dword ptr [ebp+72A2325]
0058F1B2 E8 B8000000 call 0058F26F ; VirtualProtect
0058F1B7 8985 34232A07 mov dword ptr [ebp+72A2334], eax
0058F1BD 8D85 38232A07 lea eax, dword ptr [ebp+72A2338]
0058F1C3 E8 A7000000 call 0058F26F ; GetModuleFileNameA
0058F1C8 8985 4B232A07 mov dword ptr [ebp+72A234B], eax
0058F1CE 8D85 4F232A07 lea eax, dword ptr [ebp+72A234F]
0058F1D4 E8 96000000 call 0058F26F ; CreateFileA
0058F1D9 8985 5B232A07 mov dword ptr [ebp+72A235B], eax
0058F1DF 8D85 5F232A07 lea eax, dword ptr [ebp+72A235F]
0058F1E5 E8 85000000 call 0058F26F ; GlobalAlloc
0058F1EA 8985 6B232A07 mov dword ptr [ebp+72A236B], eax
0058F1F0 8D85 6F232A07 lea eax, dword ptr [ebp+72A236F]
0058F1F6 E8 74000000 call 0058F26F ; GlobalFree
0058F1FB 8985 7A232A07 mov dword ptr [ebp+72A237A], eax
0058F201 8D85 7E232A07 lea eax, dword ptr [ebp+72A237E]
0058F207 E8 63000000 call 0058F26F ; ReadFile
0058F20C 8985 87232A07 mov dword ptr [ebp+72A2387], eax
0058F212 8D85 8B232A07 lea eax, dword ptr [ebp+72A238B]
0058F218 E8 52000000 call 0058F26F ; GetFileSize
0058F21D 8985 97232A07 mov dword ptr [ebp+72A2397], eax
0058F223 8D85 9B232A07 lea eax, dword ptr [ebp+72A239B]
0058F229 E8 41000000 call 0058F26F ; CloseHandle
0058F22E 8985 A7232A07 mov dword ptr [ebp+72A23A7], eax
0058F234 8D85 AB232A07 lea eax, dword ptr [ebp+72A23AB]
0058F23A E8 30000000 call 0058F26F ; VirtualAlloc
0058F23F 8985 B8232A07 mov dword ptr [ebp+72A23B8], eax
0058F245 8D85 D2232A07 lea eax, dword ptr [ebp+72A23D2]
0058F24B E8 1F000000 call 0058F26F ; ExitProcess
0058F250 8985 DE232A07 mov dword ptr [ebp+72A23DE], eax
0058F256 8D85 BC232A07 lea eax, dword ptr [ebp+72A23BC]
0058F25C E8 0E000000 call 0058F26F ; ReadProcessMemory
0058F261 8985 CE232A07 mov dword ptr [ebp+72A23CE], eax
0058F267 8D85 69192A07 lea eax, dword ptr [ebp+72A1969]
0058F26D 50 push eax
0058F26E C3 retn //到下面见
0058F278 64:FF35 3000000>push dword ptr fs:[30]
0058F27F 58 pop eax ; 获取peb
0058F280 85C0 test eax, eax
0058F282 78 0F js short 0058F293
0058F284 8B40 0C mov eax, dword ptr [eax+C] ; 获取PEB.Ldr
0058F287 8B40 0C mov eax, dword ptr [eax+C] ; 获取Ldr.InLoadOrderModuleList
0058F28A 8140 20 0030000>add dword ptr [eax+20], 3000 ; 当前进程的镜像大小+ 3000 这么操作有什么用呢,,,。。。
0058F291 EB 1C jmp short 0058F2AF
0058F293 6A 00 push 0
0058F295 FF95 21232A07 call dword ptr [ebp+72A2321]
0058F29B 85D2 test edx, edx
0058F29D 79 10 jns short 0058F2AF
0058F29F 837A 08 FF cmp dword ptr [edx+8], -1
0058F2A3 75 0A jnz short 0058F2AF
0058F2A5 8B52 04 mov edx, dword ptr [edx+4]
0058F2A8 C742 50 0010000>mov dword ptr [edx+50], 1000
0058F2AF E8 0A000000 call 0058F2BE ; 这里作者加入了很多反调试F7
0058F2BE FF95 21232A07 call dword ptr [ebp+72A2321] ; kernel32.GetModuleHandleA
0058F2C4 91 xchg eax, ecx
0058F2C5 E3 58 jecxz short 0058F31F
0058F2C7 E8 17000000 call 0058F2E3 ; F7 反调试
0058F2E3 51 push ecx ; ntdll_12.<ModuleEntryPoint>
0058F2E4 FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F2EA 91 xchg eax, ecx ; 获取ZwSetInformationThread
0058F2EB E3 32 jecxz short 0058F31F
0058F2ED 87CF xchg edi, ecx
0058F2EF E8 11000000 call 0058F305 F7进入
0058F305 FFB5 0C232A07 push dword ptr [ebp+72A230C]
0058F30B FF95 FB222A07 call dword ptr [ebp+72A22FB]
0058F311 91 xchg eax, ecx
0058F312 E3 0B jecxz short 0058F31F
0058F314 FFD1 call ecx ; GetCurrentThread 获取当前线程
0058F316 6A 00 push 0
0058F318 6A 00 push 0
0058F31A 6A 11 push 11 ; 压入ThreadHideFromDebugger标志,使当前线程隐藏,起到反调试的作用
0058F31C 50 push eax
0058F31D FFD7 call edi
0058F31F 8CC9 mov cx, cs
0058F321 32C9 xor cl, cl
0058F323 E3 02 jecxz short 0058F327
0058F325 EB 66 jmp short 0058F38D
0058F327 EB 14 jmp short 0058F33D
0058F329 8B4C24 04 mov ecx, dword ptr [esp+4]
0058F32D 8B49 04 mov ecx, dword ptr [ecx+4]
0058F330 8381 B8000000 0>add dword ptr [ecx+B8], 2
0058F337 33C0 xor eax, eax
0058F339 48 dec eax
0058F33A C2 0400 retn 4
0058F33D 60 pushad
0058F33E E8 1C000000 call 0058F35F F7 ; 这里是用SEH 进行反调试
0058F35F FFB5 0C232A07 push dword ptr [ebp+72A230C] ; kernel32.763B0000
0058F365 FF95 FB222A07 call dword ptr [ebp+72A22FB] ; 获取 SetUnhandledExceptionFilter
0058F36B 96 xchg eax, esi
0058F36C 8D85 1A1A2A07 lea eax, dword ptr [ebp+72A1A1A]
0058F372 50 push eax
0058F373 FFD6 call esi ; 设置异常捕获函数
0058F375 97 xchg eax, edi ; 下面就是作者故意触发异常
0058F376 33D2 xor edx, edx
0058F378 F7FA idiv edx
0058F37A 90 nop
0058F37B 90 nop
0058F37C CD 01 int 1
0058F37E 90 nop
0058F37F 90 nop
0058F380 CC int3
0058F381 90 nop
0058F382 90 nop
0058F383 33C0 xor eax, eax
0058F385 3100 xor dword ptr [eax], eax
0058F387 90 nop
0058F388 90 nop
0058F389 57 push edi
0058F38A FFD6 call esi
0058F38C 61 popad
0058F38D 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F393 037F 3C add edi, dword ptr [edi+3C]
0058F396 8BB5 6B212A07 mov esi, dword ptr [ebp+72A216B] ; PE头
0058F39C 8B4F 54 mov ecx, dword ptr [edi+54] ; SizeOfHeaders
0058F39F 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F3A5 50 push eax ; 保存原属性方式
0058F3A6 6A 04 push 4 ; 新属性
0058F3A8 51 push ecx ; 大小
0058F3A9 FFB5 6B212A07 push dword ptr [ebp+72A216B] ; 修改地址
0058F3AF FF95 34232A07 call dword ptr [ebp+72A2334] ; //修改属性VirtualProtect
0058F3B5 F785 73212A07 0>test dword ptr [ebp+72A2173], 8
0058F3BF 0F84 A7000000 je 0058F46C
0058F3C5 68 04010000 push 104
0058F3CA 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F3D0 57 push edi
0058F3D1 6A 00 push 0
0058F3D3 FF95 4B232A07 call dword ptr [ebp+72A234B] ; //获取程序PATH
0058F3D9 6A 00 push 0
0058F3DB 68 80000000 push 80
0058F3E0 6A 03 push 3
0058F3E2 6A 00 push 0
0058F3E4 6A 01 push 1
0058F3E6 68 00000080 push 80000000
0058F3EB 57 push edi
0058F3EC FF95 5B232A07 call dword ptr [ebp+72A235B] ; 打开自身
0058F3F2 83F8 FF cmp eax, -1
0058F3F5 75 04 jnz short 0058F3FB
0058F3F7 33C0 xor eax, eax
0058F3F9 EB 71 jmp short 0058F46C
0058F3FB 8BF8 mov edi, eax
0058F3FD 6A 00 push 0
0058F3FF 57 push edi ; 获取自身大小
0058F400 FF95 97232A07 call dword ptr [ebp+72A2397]
0058F406 83E8 05 sub eax, 5
0058F409 96 xchg eax, esi
0058F40A 56 push esi
0058F40B 6A 40 push 40 ; 创建一块 自身大小的内存
0058F40D FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F413 0BC0 or eax, eax
0058F415 75 02 jnz short 0058F419
0058F417 EB 4A jmp short 0058F463
0058F419 93 xchg eax, ebx
0058F41A 6A 00 push 0
0058F41C 8D85 10242A07 lea eax, dword ptr [ebp+72A2410]
0058F422 50 push eax ; &dwRead
0058F423 56 push esi ; 要读入字节数
0058F424 53 push ebx ; 缓冲区
0058F425 57 push edi ; 文件句柄
0058F426 FF95 87232A07 call dword ptr [ebp+72A2387]
0058F42C 8BC3 mov eax, ebx
0058F42E 8BCE mov ecx, esi
0058F430 53 push ebx
0058F431 57 push edi
0058F432 E8 10000000 call 0058F447 ; 算一个校验 保存起来 后面他会比较
0058F437 8985 77212A07 mov dword ptr [ebp+72A2177], eax
0058F43D 5F pop edi
0058F43E 5B pop ebx
0058F43F 8D85 4C1B2A07 lea eax, dword ptr [ebp+72A1B4C]
0058F445 50 push eax
0058F446 C3 retn
0058F447 8BF8 mov edi, eax
0058F449 33C0 xor eax, eax
0058F44B 33DB xor ebx, ebx
0058F44D 33D2 xor edx, edx
0058F44F 8A07 mov al, byte ptr [edi]
0058F451 F7E2 mul edx
0058F453 03D8 add ebx, eax
0058F455 42 inc edx
0058F456 47 inc edi
0058F457 ^ E2 F6 loopd short 0058F44F
0058F459 93 xchg eax, ebx
0058F45A C3 retn
0058F45B 53 push ebx
0058F45C FF95 7A232A07 call dword ptr [ebp+72A237A] ; 释放
0058F462 96 xchg eax, esi
0058F463 50 push eax
0058F464 57 push edi
0058F465 FF95 A7232A07 call dword ptr [ebp+72A23A7] ; 关闭句柄
0058F46B 58 pop eax
0058F46C E9 0B000000 jmp 0058F47C
0058F471 07 pop es
0058F472 BB 01000000 mov ebx, 1
0058F477 E8 08000000 call 0058F484
0058F47C 8D85 3E1C2A07 lea eax, dword ptr [ebp+72A1C3E]
0058F482 50 push eax
0058F483 C3 retn 这个retn后就要到OEP了
0058F54D 8B9D 6B212A07 mov ebx, dword ptr [ebp+72A216B] ; hsreg.00400000
0058F553 039D 6F212A07 add ebx, dword ptr [ebp+72A216F]
0058F559 C1CB 07 ror ebx, 7 //在这里其实ebx 就指向OEP
来看看下面他做什么了
0058F55C 895C24 10 mov dword ptr [esp+10], ebx
0058F560 8D9D 391F2A07 lea ebx, dword ptr [ebp+72A1F39]
0058F566 895C24 1C mov dword ptr [esp+1C], ebx
0058F56A 8BBD 6B212A07 mov edi, dword ptr [ebp+72A216B]
0058F570 037F 3C add edi, dword ptr [edi+3C]
0058F573 8B9F C0000000 mov ebx, dword ptr [edi+C0]
0058F579 83FB 00 cmp ebx, 0
0058F57C 74 0F je short 0058F58D
0058F57E 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F584 8B43 08 mov eax, dword ptr [ebx+8]
0058F587 C700 00000000 mov dword ptr [eax], 0
0058F58D 8B85 77212A07 mov eax, dword ptr [ebp+72A2177]
0058F593 0BC0 or eax, eax
0058F595 74 0D je short 0058F5A4
0058F597 3B85 0C242A07 cmp eax, dword ptr [ebp+72A240C] ; 这里就是 判断校验了
0058F59D 74 05 je short 0058F5A4 跳
0058F59F E9 AF010000 jmp 0058F753
0058F5A4 8DB5 83212A07 lea esi, dword ptr [ebp+72A2183] 跳到这里
0058F5AA F785 73212A07 2>test dword ptr [ebp+72A2173], 20
0058F5B4 74 49 je short 0058F5FF 这里也会跳
0058F5B6 56 push esi
0058F5B7 8DBD 10242A07 lea edi, dword ptr [ebp+72A2410]
0058F5BD 33C9 xor ecx, ecx
0058F5BF EB 17 jmp short 0058F5D8
0058F5C1 8B56 04 mov edx, dword ptr [esi+4]
0058F5C4 0395 6B212A07 add edx, dword ptr [ebp+72A216B]
0058F5CA EB 04 jmp short 0058F5D0
0058F5CC 41 inc ecx
0058F5CD 83C2 04 add edx, 4
0058F5D0 833A 00 cmp dword ptr [edx], 0
0058F5D3 ^ 75 F7 jnz short 0058F5CC
0058F5D5 83C6 0C add esi, 0C
0058F5D8 837E 04 00 cmp dword ptr [esi+4], 0
0058F5DC ^ 75 E3 jnz short 0058F5C1
0058F5DE 33D2 xor edx, edx
0058F5E0 B8 05000000 mov eax, 5
0058F5E5 F7E1 mul ecx
0058F5E7 50 push eax
0058F5E8 6A 00 push 0
0058F5EA FF95 6B232A07 call dword ptr [ebp+72A236B]
0058F5F0 0BC0 or eax, eax
0058F5F2 75 05 jnz short 0058F5F9
0058F5F4 83C4 04 add esp, 4
0058F5F7 61 popad
0058F5F8 C3 retn
0058F5F9 8907 mov dword ptr [edi], eax
0058F5FB 8947 04 mov dword ptr [edi+4], eax
0058F5FE 5E pop esi
0058F5FF E9 42010000 jmp 0058F746 跳到这里, 继续跳 往下面看
0058F604 8B1E mov ebx, dword ptr [esi]
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B]
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn
0058F604 8B1E mov ebx, dword ptr [esi] 从下面跳上来 取数值
0058F606 039D 6B212A07 add ebx, dword ptr [ebp+72A216B] 加基址
0058F60C 8BC3 mov eax, ebx
0058F60E E8 08000000 call 0058F61B //这个CALL 里面做的事情是
Lodsb
Ror al,4
Stosb
对 esi 指向的内容逐字节做 ror al,4 解密, 直到遇到 0 字节(字符串结尾)为止
这里就是解出了一些DLL名,以及 相关API名称
0058F613 8D85 1F1D2A07 lea eax, dword ptr [ebp+72A1D1F]
0058F619 50 push eax
0058F61A C3 retn 返回到下面0058f62e
0058F61B 56 push esi
0058F61C 57 push edi
0058F61D 8BF0 mov esi, eax
0058F61F 8BF8 mov edi, eax
0058F621 AC lods byte ptr [esi]
0058F622 C0C8 04 ror al, 4
0058F625 AA stos byte ptr es:[edi]
0058F626 803F 00 cmp byte ptr [edi], 0 也就是这一段 在解密
0058F629 ^ 75 F6 jnz short 0058F621
0058F62B 5F pop edi
0058F62C 5E pop esi
0058F62D C3 retn
0058F62E 53 push ebx //retn 到这里 压入解出来的DLL 名称
0058F62F FF95 F7222A07 call dword ptr [ebp+72A22F7] LoadLibrary( ebx)
0058F635 85C0 test eax, eax
0058F637 0F84 16010000 je 0058F753
0058F63D 50 push eax
0058F63E F785 73212A07 0>test dword ptr [ebp+72A2173], 4
0058F648 74 0E je short 0058F658
0058F64A 8D85 491D2A07 lea eax, dword ptr [ebp+72A1D49]
0058F650 50 push eax
0058F651 8BC3 mov eax, ebx
0058F653 E9 B4030000 jmp 0058FA0C
0058F658 5B pop ebx
0058F659 8B4E 08 mov ecx, dword ptr [esi+8] 继续取出来个地址
0058F65C 0BC9 or ecx, ecx
0058F65E 75 03 jnz short 0058F663
0058F660 8B4E 04 mov ecx, dword ptr [esi+4]
0058F663 038D 6B212A07 add ecx, dword ptr [ebp+72A216B] 加上基址
0058F669 8B56 04 mov edx, dword ptr [esi+4] 继续取+ 基址
0058F66C 0395 6B212A07 add edx, dword ptr [ebp+72A216B]现在不知道他们里面存的什么东西, 我们往下看看
0058F672 E9 C3000000 jmp 0058F73A 跳
0058F677 F701 00000080 test dword ptr [ecx], 80000000
0058F67D 75 4B jnz short 0058F6CA
0058F67F 8B01 mov eax, dword ptr [ecx]
0058F681 83C0 02 add eax, 2
0058F684 0385 6B212A07 add eax, dword ptr [ebp+72A216B]
0058F68A 50 push eax
0058F68B E8 8BFFFFFF call 0058F61B 解密函数名
0058F690 58 pop eax
0058F691 8BF8 mov edi, eax
0058F693 52 push edx
0058F694 51 push ecx 保存现场
0058F695 50 push eax
0058F696 53 push ebx
0058F697 FF95 FB222A07 call dword ptr [ebp+72A22FB] GetProcAddress 获取API地址
0058F69D 0BC0 or eax, eax
0058F69F 75 07 jnz short 0058F6A8
0058F6A1 59 pop ecx
0058F6A2 5A pop edx
0058F6A3 E9 AB000000 jmp 0058F753
0058F6A8 59 pop ecx
0058F6A9 5A pop edx
0058F6AA 60 pushad
0058F6AB F785 73212A07 0>test dword ptr [ebp+72A2173], ... ; (原文在此处截断)