AcProtect 1.41 外壳分析

【目 标】: 应作者要求，这里不贴上软件名

【工 具】:Olydbg1.1(diy版)、LORDPE、ImportREC1.6F

【任 务】:分析外壳

【操作平台】:Windows 2003 server

【作 者】: LOVEBOOM[DFCG][FCG][US]

【相关链接】: ......

【简要说明】： 脱ACPROTECT的壳并不多，以前最多只是大概的脱一下，对壳有流程并没有多少认识，前几天帮朋友了一下这个软件，也许

是我水平太菜了，也许是脱这个东西脱的比较少，在脱这个软件花了我很多时间，搞的过程中还很容易出小问题。还有一个原因是脱了一下新

版的ASPR 2.X stolen code让我看到头疼，虽然坚持了，但现在还有一小部分没有解决:-(。没办法两个都壳都是难搞的，本着看aspr的东西稍

微多了点，因此牺牲了睡觉时间，帮自己补了下课。壳的思路比较新，边执行边解壳，解压一段执行后又还原回去，代码替换，EMBEDD protect

等等。这么有吸引力，当然不要错过了。因为我对RSA无KEY怎么突破之类的没有一点了解，再者也没有见过软件用RSAlock code.，所以这次没

有分析KEY相关的东西。我这次和以前的文章有点不同，这次为了更细的分析出壳的各模块功能，把相关的模块放在独立的地方，也不像以前那

样，插来插去的。不是很方便自己查看。也很久没有细细的去品尝壳了。也是该“享受”一下。

【详细过程】:

写在前面的，你只是想知道怎么脱壳的话，那么这你可跳过这一章节，这一章节是分析壳的每个部分，是比较漫长的。如果你完全分析好了，

后面脱就简单了。

由于是一步一步的走，所以不用什么特别的设置了。唯一一点就是要很磨得下去。打开OD，忽略全部异常。准备眼睛再度近视几度。

泡上一杯水，然后开始这次的旅程：

为了防止壳的检测，这次我没有去除花指令直接动态跟踪分析了下。

0057C000 > 60 PUSHAD ; EP

0057C001 E8 01000000 CALL 0057C007 ; 程序一开始就反复解壳代码

0057C006 - 72 83 JB SHORT 0057BF8B

0057C008 04 24 ADD AL,24

0057C00A 06 PUSH ES

0057C00B C3 RETN

0057C00C 85C3 TEST EBX,EAX

0057C00E 76 01 JBE SHORT 0057C011

0057C010 4B DEC EBX

0057C011 87D8 XCHG EAX,EBX

0057C013 E8 01000000 CALL 0057C019

0057C018 - 76 83 JBE SHORT 0057BF9D

......

0057C204 64:FF30 PUSH DWORD PTR FS:[EAX]

0057C207 64:8920 MOV DWORD PTR FS:[EAX],ESP

0057C20A CC INT3

0057C20B 90 NOP

0057C20C F8 CLC

0057C20D 90 NOP

0057C20E FC CLD

......

0057C29F 64:8F05 0000000>POP DWORD PTR FS:[0] ; 直接F2，然后执行到这里，

0057C2A6 83C4 04 ADD ESP,4

0057C2A9 7C 03 JL SHORT 0057C2AE ; 这里是开始还原的地址

0057C2AB 7D 01 JGE SHORT 0057C2AE

......

0057C436 4A DEC EDX

0057C437 ^ 0F85 7FFFFFFF JNZ 0057C3BC ; 没有解压完则跳回继续解压

0057C43D EB 01 JMP SHORT 0057C440

壳一开始就通过几个异常来循环解压出壳的代码。解压的方法很简单的：

MOV EBX,DWORD PTR DS:[EAX]

XOR EBX,EDI

ROR EBX,1F

ADD EAX,4

XOR EBX,DWORD PTR DS:[EAX]

ADD EAX,-4

MOV DWORD PTR DS:[EAX],EBX

XOR EDI,45BA1300

继续:

......

0057C7F8 64:8F05 0000000>POP DWORD PTR FS:[0] ; 0012FFE0

0057C7FF 83C4 04 ADD ESP,4

0057C802 E9 BB4A0100 JMP 005912C2 ; 全部解压完了跳去执行壳的代码

......

005912C2 E8 39AEFFFF CALL <sub_GetEBP >

; jmp到这里

005912C7 E8 00000000 CALL 005912CC

005912CC 5B POP EBX

005912CD 2B9D 0E204000 SUB EBX,DWORD PTR SS:[EBP+40200E] ; 计算IMAGEBASE

005912D3 81EB CC520100 SUB EBX,152CC

005912D9 899D 46F84000 MOV DWORD PTR SS:[EBP+40F846],EBX ; 计算出的IMAGEBASE保存到[EBP+40F846]=[0058A846]=400000

005912DF 899D 7BFD4000 MOV DWORD PTR SS:[EBP+40FD7B],EBX ; 计算出的IMAGEBASE保存到[EBP+40FD7B]=[0058AD7B]==400000

005912E5 E8 C6FDFFFF CALL <sub_GetEP_CRYPT_KEY>

005912EA E8 11AEFFFF CALL <sub_GetEBP >

005912EF E8 DAA5FFFF CALL <Get_RND_VALUE>

005912F4 8985 D5084100 MOV DWORD PTR SS:[EBP+4108D5],EAX

005912FA E8 01AEFFFF CALL <sub_GetEBP >

005912FF C685 6CF74000 0>MOV BYTE PTR SS:[EBP+40F76C],0 ; 刚开始就设置为没有注册的标志

00591306 E8 F0D2FFFF CALL <sub_GETAPIAddress> ; 获取壳要用的API

0059130B E8 38F9FFFF CALL <COPY_Import table> ; 填充跳转表

00591310 E8 EBADFFFF CALL <sub_GetEBP >

00591315 8B85 6B814100 MOV EAX,DWORD PTR SS:[EBP+41816B]

0059131B 8985 7FFD4000 MOV DWORD PTR SS:[EBP+40FD7F],EAX

00591321 8B85 6F814100 MOV EAX,DWORD PTR SS:[EBP+41816F]

00591327 8985 83FD4000 MOV DWORD PTR SS:[EBP+40FD83],EAX

0059132D E8 66D0FFFF CALL <UnPack_sections> ; 解压程序各段

00591332 E8 1FFBFFFF CALL <Restore_JMP API TABLE> ; 还原壳的跳转表

00591337 E8 2EFDFFFF CALL <sub_SDK_Disposal> ; 处理用到SDK的地址代码

0059133C 43 INC EBX

0059133D 85F3 TEST EBX,ESI

0059133F 87D9 XCHG ECX,EBX

00591341 E8 01000000 CALL 00591347 ; 开始解压出下一段要执行的代码。

00591346 EA 83C4047D 028>JMP FAR 8502:7D04C483 ; Far jump

......

下面的代码就开始边走边解壳了：

......

0059142A E8 EF000000 CALL 0059151E

0059142F E8 04000000 CALL 00591438

00591434 0000 ADD BYTE PTR DS:[EAX],AL

00591436 0000 ADD BYTE PTR DS:[EAX],AL

00591438 5A POP EDX

00591439 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]

0059143D 8B00 MOV EAX,DWORD PTR DS:[EAX]

0059143F 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]

00591443 FF81 B8000000 INC DWORD PTR DS:[ECX+B8]

00591449 3D 03000080 CMP EAX,80000003

0059144E 75 4D JNZ SHORT 0059149D

00591450 8D82 02114000 LEA EAX,DWORD PTR DS:[EDX+401102]

00591456 2D 0E104000 SUB EAX,0040100E

0059145B 8941 04 MOV DWORD PTR DS:[ECX+4],EAX

0059145E 8D82 04114000 LEA EAX,DWORD PTR DS:[EDX+401104]

00591464 2D 0E104000 SUB EAX,0040100E

00591469 8941 08 MOV DWORD PTR DS:[ECX+8],EAX

0059146C 8D82 06114000 LEA EAX,DWORD PTR DS:[EDX+401106]

00591472 2D 0E104000 SUB EAX,0040100E

00591477 8941 0C MOV DWORD PTR DS:[ECX+C],EAX

0059147A 8D82 08114000 LEA EAX,DWORD PTR DS:[EDX+401108]

00591480 2D 0E104000 SUB EAX,0040100E

00591485 8941 10 MOV DWORD PTR DS:[ECX+10],EAX

00591488 33C0 XOR EAX,EAX

0059148A 8161 14 F00FFFF>AND DWORD PTR DS:[ECX+14],FFFF0FF0

00591491 C741 18 5501000>MOV DWORD PTR DS:[ECX+18],155

00591498 E9 80000000 JMP 0059151D

0059149D 3D 940000C0 CMP EAX,C0000094

005914A2 75 2A JNZ SHORT 005914CE

005914A4 C702 00000000 MOV DWORD PTR DS:[EDX],0

005914AA FF81 B8000000 INC DWORD PTR DS:[ECX+B8]

005914B0 33C0 XOR EAX,EAX

005914B2 2141 04 AND DWORD PTR DS:[ECX+4],EAX

005914B5 2141 08 AND DWORD PTR DS:[ECX+8],EAX

005914B8 2141 0C AND DWORD PTR DS:[ECX+C],EAX

005914BB 2141 10 AND DWORD PTR DS:[ECX+10],EAX

005914BE 8161 14 F00FFFF>AND DWORD PTR DS:[ECX+14],FFFF0FF0

005914C5 8161 18 00DC000>AND DWORD PTR DS:[ECX+18],0DC00

005914CC EB 4F JMP SHORT 0059151D

005914CE 3D 04000080 CMP EAX,80000004

......

0059160E 830424 06 ADD DWORD PTR SS:[ESP],6

00591612 C3 RETN

00591613 E8 A7B9FFFF CALL <sub_UnKnow>

00591618 E9 0B000000 JMP 00591628

......

005917E0 56 PUSH ESI

005917E1 8F05 DDCA5700 POP DWORD PTR DS:[57CADD]

005917E7 FF35 DDCA5700 PUSH DWORD PTR DS:[57CADD]

005917ED 56 PUSH ESI

005917EE C70424 05C95700 MOV DWORD PTR SS:[ESP],0057C905

005917F5 8F05 0DCA5700 POP DWORD PTR DS:[57CA0D]

005917FB 8B35 0DCA5700 MOV ESI,DWORD PTR DS:[57CA0D]

00591801 891E MOV DWORD PTR DS:[ESI],EBX

00591803 8F05 1DC95700 POP DWORD PTR DS:[57C91D]

00591809 FF35 1DC95700 PUSH DWORD PTR DS:[57C91D]

0059180F 5E POP ESI

00591810 FF35 05C95700 PUSH DWORD PTR DS:[57C905] ; 开始边走边唱了

00591816 892C24 MOV DWORD PTR SS:[ESP],EBP ; push ebp,这里开始执行了程序前面的代码

00591819 8925 99C85700 MOV DWORD PTR DS:[57C899],ESP

0059181F FF35 99C85700 PUSH DWORD PTR DS:[57C899]

00591825 8B2C24 MOV EBP,DWORD PTR SS:[ESP] ; mov ebp,esp

00591828 8F05 39C85700 POP DWORD PTR DS:[57C839]

0059182E 56 PUSH ESI

找Stolen Code比较简单，后面的代码我并没有注释下来。

......

00591953 83C4 04 ADD ESP,4

00591956 58 POP EAX

00591957 76 01 JBE SHORT 0059195A

00591959 48 DEC EAX

0059195A 03DA ADD EBX,EDX

0059195C 50 PUSH EAX

0059195D E8 01000000 CALL 00591963

00591962 ^ 7C 83 JL SHORT 005918E7

00591964 C40458 LES EAX,FWORD PTR DS:[EAX+EBX*2] ; Modification of segment register

00591967 E8 CDD3FFFF CALL <sub_Kernel> ; 这个call里面的东西应该是壳的核心了:-)

0059196C E9 06000000 JMP 00591977

很多解码之类的，跟踪时要小心点。

......

0059198D /76 7B JBE SHORT 00591A0A

0059198F |0366 8B ADD ESP,DWORD PTR DS:[ESI-75]

00591992 |C6 ??? ; Unknown command

00591993 |8919 MOV DWORD PTR DS:[ECX],EBX

00591995 |EB 01 JMP SHORT 00591998

00591997 |90 NOP

00591998 |E8 08E9FFFF CALL <Sub_Disposal IAT> ; 其实这里CALL的时候，前面的call kernel里已经处理过了，这里进去只是一个ret而已

0059199D |E9 05000000 JMP 005919A7

005919A2 |B8 0DB7D4E5 MOV EAX,E5D4B70D

005919A7 |81EA AE3A7D06 SUB EDX,67D3AAE

......

005919D0 /0F81 02000000 JNO 005919D8

005919D6 |87FD XCHG EBP,EDI

005919D8 \83C6 FF ADD ESI,-1

005919DB ^ 0F85 69FFFFFF JNZ 0059194A ; 循环解出后面的代码

005919E1 EB 01 JMP SHORT 005919E4

005919E3 ^ 76 E8 JBE SHORT 005919CD

005919E5 03C0 ADD EAX,EAX

005919E7 FFFF ??? ; Unknown command

005919E9 0F8C 02000000 JL 005919F1

005919EF 87E8 XCHG EAX,EBP

005919F1 B8 64000000 MOV EAX,64

005919F6 33D2 XOR EDX,EDX

005919F8 33DB XOR EBX,EBX

005919FA F7F3 DIV EBX ; 异常

005919FC 90 NOP

005919FD 64:8F05 0000000>POP DWORD PTR FS:[0]

00591A04 83C4 04 ADD ESP,4

00591A07 61 POPAD ;边执行程序的代码边解壳代码

00591A08 893C24 MOV DWORD PTR SS:[ESP],EDI

00591A0B C705 21CA5700 C>MOV DWORD PTR DS:[57CA21],0057C9C5

00591A15 8B3D 21CA5700 MOV EDI,DWORD PTR DS:[57CA21] ; MainCon.0057C9C5

00591A1B 891F MOV DWORD PTR DS:[EDI],EBX

00591A1D 8B3C24 MOV EDI,DWORD PTR SS:[ESP]

00591A20 8F05 79C85700 POP DWORD PTR DS:[57C879]

00591A26 FF35 C5C95700 PUSH DWORD PTR DS:[57C9C5]

00591A2C 891424 MOV DWORD PTR SS:[ESP],EDX

00591A2F C70424 FFFFFFFF MOV DWORD PTR SS:[ESP],-1 ; push -1 *********

00591A36 53 PUSH EBX

00591A37 8F05 2DCB5700 POP DWORD PTR DS:[57CB2D]

00591A3D FF35 2DCB5700 PUSH DWORD PTR DS:[57CB2D]

00591A43 890424 MOV DWORD PTR SS:[ESP],EAX

00591A46 891C24 MOV DWORD PTR SS:[ESP],EBX

00591A49 C70424 609F4B00 MOV DWORD PTR SS:[ESP],004B9F60 ; push 4b9f60 ***********

00591A50 53 PUSH EBX

00591A51 890424 MOV DWORD PTR SS:[ESP],EAX

00591A54 891424 MOV DWORD PTR SS:[ESP],EDX

00591A57 57 PUSH EDI

00591A58 60 PUSHAD

......

00591C1B 61 POPAD

00591C1C C70424 89C85700 MOV DWORD PTR SS:[ESP],0057C889

00591C23 8F05 01CB5700 POP DWORD PTR DS:[57CB01]

00591C29 8B15 01CB5700 MOV EDX,DWORD PTR DS:[57CB01]

00591C2F 890A MOV DWORD PTR DS:[EDX],ECX

00591C31 8F05 A5C95700 POP DWORD PTR DS:[57C9A5]

00591C37 FF35 A5C95700 PUSH DWORD PTR DS:[57C9A5]

00591C3D 5A POP EDX

00591C3E FF35 89C85700 PUSH DWORD PTR DS:[57C889]

00591C44 C70424 602F4B00 MOV DWORD PTR SS:[ESP],004B2F60 ; PUSH 4B2F60 *********

00591C4B 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; MOV EAX,DWORD PTR FS:[0] **************

00591C51 56 PUSH ESI

00591C52 8F05 A9C85700 POP DWORD PTR DS:[57C8A9]

00591C58 FF35 A9C85700 PUSH DWORD PTR DS:[57C8A9]

00591C5E 891C24 MOV DWORD PTR SS:[ESP],EBX

00591C61 8935 91C85700 MOV DWORD PTR DS:[57C891],ESI

00591C67 90 NOP

00591C68 90 NOP

00591C69 60 PUSHAD

......

00591E1B F7F3 DIV EBX ; 除0异常

00591E1D 90 NOP

00591E1E 64:8F05 0000000>POP DWORD PTR FS:[0]

00591E25 83C4 04 ADD ESP,4

00591E28 61 POPAD

00591E29 FF35 91C85700 PUSH DWORD PTR DS:[57C891]

00591E2F C70424 A1CA5700 MOV DWORD PTR SS:[ESP],0057CAA1

00591E36 8F05 69C95700 POP DWORD PTR DS:[57C969]

00591E3C FF35 69C95700 PUSH DWORD PTR DS:[57C969]

00591E42 5B POP EBX

00591E43 8903 MOV DWORD PTR DS:[EBX],EAX

00591E45 8B1C24 MOV EBX,DWORD PTR SS:[ESP]

00591E48 8F05 B1CA5700 POP DWORD PTR DS:[57CAB1]

00591E4E FF35 A1CA5700 PUSH DWORD PTR DS:[57CAA1] ; PUSH EAX ************

00591E54 64:8925 0000000>MOV DWORD PTR FS:[0],ESP ; MOV DWORD PTR FS:[0],ESP ********

00591E5B 83EC 68 SUB ESP,68 ; ***************

00591E5E 56 PUSH ESI

00591E5F 8F05 D9CA5700 POP DWORD PTR DS:[57CAD9]

00591E65 FF35 D9CA5700 PUSH DWORD PTR DS:[57CAD9]

00591E6B 891C24 MOV DWORD PTR SS:[ESP],EBX

00591E6E 8F05 E5CA5700 POP DWORD PTR DS:[57CAE5]

00591E74 90 NOP

00591E75 90 NOP

00591E76 60 PUSHAD

......

00591FBB 83EA FC SUB EDX,-4

00591FBE 2B02 SUB EAX,DWORD PTR DS:[EDX]

00591FC0 83C2 FC ADD EDX,-4

00591FC3 E8 01000000 CALL 00591FC9 ; 这里不能像前面那样找到jnz xxx然后就在下面一行下断的方式，那样类似这样东西就会不放过了:-)

00591FC8 90 NOP

00591FC9 83C4 04 ADD ESP,4

00591FCC E8 7FACFFFF CALL <sub_chekRing0's Debug> ; 检测系统级调试器

00591FD1 BF C64E0B93 MOV EDI,930B4EC6

00591FD6 66:8BFA MOV DI,DX

00591FD9 8902 MOV DWORD PTR DS:[EDX],EAX

00591FDB E8 01000000 CALL 00591FE1

00591FE0 ^ 74 83 JE SHORT 00591F65

00591FE2 C4041B LES EAX,FWORD PTR DS:[EBX+EBX] ; Modification of segment register

00591FE5 F785 FB81EDA1 8>TEST DWORD PTR SS:[EBP+A1ED81FB],78BBFB8>

00591FEF 0379 01 ADD EDI,DWORD PTR DS:[ECX+1]

00591FF2 7A E9 JPE SHORT 00591FDD

00591FF4 05 000000D3 ADD EAX,D3000000

00591FF9 D3C1 ROL ECX,CL

00591FFB C6 ??? ; Unknown command

00591FFC ^ 73 81 JNB SHORT 00591F7F

00591FFE C2 0400 RETN 4

00592001 0000 ADD BYTE PTR DS:[EAX],AL

00592003 50 PUSH EAX

00592004 E8 01000000 CALL 0059200A

00592009 ^ 7E 83 JLE SHORT 00591F8E

0059200B C40458 LES EAX,FWORD PTR DS:[EAX+EBX*2] ; Modification of segment register

0059200E 43 INC EBX

0059200F 0F81 03000000 JNO 00592018

00592015 66:8BF0 MOV SI,AX

00592018 83C1 FF ADD ECX,-1

0059201B ^ 0F85 70FFFFFF JNZ 00591F91 ; 循环解压代码

00592021 E8 01000000 CALL 00592027

00592026 ^ EB 83 JMP SHORT 00591FAB

00592028 C404E8 LES EAX,FWORD PTR DS:[EAX+EBP*8] ; Modification of segment register

0059202B 0ACD OR CL,CH

......

0059203E F7F3 DIV EBX

00592040 90 NOP

00592041 64:8F05 0000000>POP DWORD PTR FS:[0] ; 好多个这个结构的

00592048 83C4 04 ADD ESP,4

0059204B 61 POPAD

0059204C FF35 E5CA5700 PUSH DWORD PTR DS:[57CAE5]

00592052 8915 D1C95700 MOV DWORD PTR DS:[57C9D1],EDX

00592058 FF35 D1C95700 PUSH DWORD PTR DS:[57C9D1]

0059205E 53 PUSH EBX

0059205F BB B1C85700 MOV EBX,0057C8B1

00592064 8BD3 MOV EDX,EBX

00592066 5B POP EBX

00592067 8932 MOV DWORD PTR DS:[EDX],ESI

00592069 8F05 F5C85700 POP DWORD PTR DS:[57C8F5]

0059206F 8B15 F5C85700 MOV EDX,DWORD PTR DS:[57C8F5]

00592075 FF35 B1C85700 PUSH DWORD PTR DS:[57C8B1]

0059207B 8F05 FDC85700 POP DWORD PTR DS:[57C8FD]

00592081 FF35 FDC85700 PUSH DWORD PTR DS:[57C8FD]

00592087 52 PUSH EDX

00592088 8F05 19C95700 POP DWORD PTR DS:[57C919]

0059208E FF35 19C95700 PUSH DWORD PTR DS:[57C919]

00592094 893424 MOV DWORD PTR SS:[ESP],ESI

00592097 57 PUSH EDI

00592099 90 NOP

0059209A 60 PUSHAD

......

00592260 83C4 04 ADD ESP,4

00592263 61 POPAD

00592264 BF 1DCA5700 MOV EDI,0057CA1D

00592269 890F MOV DWORD PTR DS:[EDI],ECX

0059226B 5F POP EDI

0059226C FF35 1DCA5700 PUSH DWORD PTR DS:[57CA1D]

00592272 891D B1C95700 MOV DWORD PTR DS:[57C9B1],EBX

00592278 FF35 B1C95700 PUSH DWORD PTR DS:[57C9B1]

0059227E 51 PUSH ECX

0059227F B9 D1C85700 MOV ECX,0057C8D1

00592284 8BD9 MOV EBX,ECX

00592286 59 POP ECX

00592287 53 PUSH EBX

00592288 59 POP ECX

00592289 8F05 69C85700 POP DWORD PTR DS:[57C869]

0059228F 8B1D 69C85700 MOV EBX,DWORD PTR DS:[57C869]

00592295 890D 99C95700 MOV DWORD PTR DS:[57C999],ECX

0059229B FF35 99C95700 PUSH DWORD PTR DS:[57C999] ; MainCon.0057C8D1

005922A1 8F05 F5C95700 POP DWORD PTR DS:[57C9F5] ; MainCon.0057C8D1

005922A7 8B35 F5C95700 MOV ESI,DWORD PTR DS:[57C9F5] ; MainCon.0057C8D1

005922AD 8F05 49C85700 POP DWORD PTR DS:[57C849]

005922B3 56 PUSH ESI ; MainCon.0057C8D1

005922B4 60 PUSHAD

005922B5 E8 01000000 CALL 005922BB

......

005923FB 830424 06 ADD DWORD PTR SS:[ESP],6

005923FF C3 RETN

00592400 E9 02000000 JMP 00592407

00592405 87CB XCHG EBX,ECX

00592407 83EA FC SUB EDX,-4

0059240A 2B32 SUB ESI,DWORD PTR DS:[EDX]

0059240C 83C2 FC ADD EDX,-4

0059240F EB 01 JMP SHORT 00592412 ; 这里也暗蔵杀机哦:-)

00592411 90 NOP

00592412 E8 21B8FFFF CALL<chek IsDebuggerPresent> ; 再次检测有没有Ring 3级调试器

00592417 78 01 JS SHORT 0059241A

00592419 F9 STC

......

00592462 33DB XOR EBX,EBX

00592464 F7F3 DIV EBX

00592466 90 NOP

00592467 64:8F05 0000000>POP DWORD PTR FS:[0] ; SEH用来反调试同时也给我们指引了一条道路

0059246E 83C4 04 ADD ESP,4

00592471 61 POPAD

00592472 BE 49C85700 MOV ESI,0057C849

00592477 8B0E MOV ECX,DWORD PTR DS:[ESI]

00592479 5E POP ESI

0059247A 893E MOV DWORD PTR DS:[ESI],EDI

0059247C 8F05 ADCA5700 POP DWORD PTR DS:[57CAAD]

00592482 893D B5C95700 MOV DWORD PTR DS:[57C9B5],EDI

00592488 FF35 B5C95700 PUSH DWORD PTR DS:[57C9B5]

0059248E 51 PUSH ECX

0059248F B9 ADCA5700 MOV ECX,0057CAAD

00592494 8BF9 MOV EDI,ECX

00592496 59 POP ECX

00592497 8B37 MOV ESI,DWORD PTR DS:[EDI]

00592499 8B3C24 MOV EDI,DWORD PTR SS:[ESP]

0059249C 8F05 35CA5700 POP DWORD PTR DS:[57CA35]

005924A2 FF35 D1C85700 PUSH DWORD PTR DS:[57C8D1]

005924A8 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP ; **********

005924AB 33DB XOR EBX,EBX

005924AD 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; ************

005924B0 52 PUSH EDX

005924B1 891C24 MOV DWORD PTR SS:[ESP],EBX

005924B4 68 09CB5700 PUSH 0057CB09

005924B9 5B POP EBX

005924BA 8913 MOV DWORD PTR DS:[EBX],EDX

005924BC 8F05 E5C85700 POP DWORD PTR DS:[57C8E5]

005924C2 60 PUSHAD

005924C3 E8 01000000 CALL 005924C9

......

005924BC 8F05 E5C85700 POP DWORD PTR DS:[57C8E5]

005924C2 60 PUSHAD

005924C3 E8 01000000 CALL 005924C9

005924C8 90 NOP

005924C9 83C4 04 ADD ESP,4

005924CC E8 D4DDFFFF CALL <Sub_Disposal IAT> ; iat已经处理过了，这里再进去只是一个ret而已

005924D1 E9 0D000000 JMP 005924E3

......

0059267C F7F3 DIV EBX

0059267E 90 NOP

0059267F 64:8F05 0000000>POP DWORD PTR FS:[0]

00592686 83C4 04 ADD ESP,4 ; 异常

00592689 61 POPAD

0059268A 8B1D E5C85700 MOV EBX,DWORD PTR DS:[57C8E5]

00592690 FF35 09CB5700 PUSH DWORD PTR DS:[57CB09]

00592696 53 PUSH EBX

00592697 BB 02000000 MOV EBX,2 ; ************

0059269C 891D 19CB5700 MOV DWORD PTR DS:[57CB19],EBX

005926A2 5B POP EBX

005926A3 FF35 19CB5700 PUSH DWORD PTR DS:[57CB19]

005926A9 8F05 3DC95700 POP DWORD PTR DS:[57C93D]

005926AF 53 PUSH EBX

005926B0 BB 3DC95700 MOV EBX,0057C93D

005926B5 8B13 MOV EDX,DWORD PTR DS:[EBX]

005926B7 5B POP EBX

005926B8 57 PUSH EDI

005926B9 891C24 MOV DWORD PTR SS:[ESP],EBX

005926BC C705 F9C85700 A>MOV DWORD PTR DS:[57C8F9],0057C8A1

005926C6 8B1D F9C85700 MOV EBX,DWORD PTR DS:[57C8F9]

005926CC 8913 MOV DWORD PTR DS:[EBX],EDX

005926CE 8F05 11CB5700 POP DWORD PTR DS:[57CB11]

005926D4 8B1D 11CB5700 MOV EBX,DWORD PTR DS:[57CB11]

005926DA 60 PUSHAD

005926DB E8 01000000 CALL 005926E1

......

00592880 83EB 01 SUB EBX,1

00592883 ^ 0F85 6EFFFFFF JNZ 005927F7 ; 循环解压代码

00592889 E8 01000000 CALL 0059288F

0059288E 90 NOP

0059288F 83C4 04 ADD ESP,4

00592892 E8 0CAFFFFF CALL <Shit Int3> ; shit int 3

00592897 E9 06000000 JMP 005928A2

0059289C 66:B8 065B MOV AX,5B06

005928A0 85C6 TEST ESI,EAX

005928A2 B8 64000000 MOV EAX,64

005928A7 33D2 XOR EDX,EDX

005928A9 33DB XOR EBX,EBX

005928AB F7F3 DIV EBX

005928AD 90 NOP

005928AE 64:8F05 0000000>POP DWORD PTR FS:[0] ; 到这里就看到希望了，后面很明显的看出是程序的代码

005928B5 83C4 04 ADD ESP,4

005928B8 61 POPAD

005928B9 8B1424 MOV EDX,DWORD PTR SS:[ESP]

005928BC 8F05 F9C95700 POP DWORD PTR DS:[57C9F9]

005928C2 FF35 A1C85700 PUSH DWORD PTR DS:[57C8A1] ; ***********

005928C8 FF15 14774B00 CALL DWORD PTR DS:[4B7714] ; msvcrt.__set_app_type

005928CE 8F05 EDCA5700 POP DWORD PTR DS:[57CAED]

005928D4 FF35 EDCA5700 PUSH DWORD PTR DS:[57CAED]

005928DA 8F05 25C85700 POP DWORD PTR DS:[57C825]

005928E0 FF35 25C85700 PUSH DWORD PTR DS:[57C825]

005928E6 59 POP ECX

005928E7 830D AC464D00 F>OR DWORD PTR DS:[4D46AC],FFFFFFFF

005928EE 830D B0464D00 F>OR DWORD PTR DS:[4D46B0],FFFFFFFF

005928F5 FF15 10774B00 CALL DWORD PTR DS:[4B7710] ; msvcrt.__p__fmode

005928FB FF35 70464D00 PUSH DWORD PTR DS:[4D4670]

00592901 8F05 19CA5700 POP DWORD PTR DS:[57CA19]

00592907 90 NOP

00592908 90 NOP

00592909 60 PUSHAD

0059290A E8 01000000 CALL 00592910

......

00592ACD B8 64000000 MOV EAX,64

00592AD2 33D2 XOR EDX,EDX

00592AD4 33DB XOR EBX,EBX

00592AD6 F7F3 DIV EBX

00592AD8 90 NOP

00592AD9 64:8F05 0000000>POP DWORD PTR FS:[0]

00592AE0 83C4 04 ADD ESP,4

00592AE3 61 POPAD

00592AE4 FF35 19CA5700 PUSH DWORD PTR DS:[57CA19]

00592AEA 8F05 5DC85700 POP DWORD PTR DS:[57C85D]

00592AF0 8B0D 5DC85700 MOV ECX,DWORD PTR DS:[57C85D]

00592AF6 8908 MOV DWORD PTR DS:[EAX],ECX ; **************

00592AF8 FF15 0C774B00 CALL DWORD PTR DS:[4B770C] ; msvcrt.__p__commode

00592AFE FF35 6C464D00 PUSH DWORD PTR DS:[4D466C]

00592B04 8F05 A9CA5700 POP DWORD PTR DS:[57CAA9]

00592B0A 8915 2DC95700 MOV DWORD PTR DS:[57C92D],EDX

00592B10 FF35 2DC95700 PUSH DWORD PTR DS:[57C92D]

00592B16 68 A9CA5700 PUSH 0057CAA9

00592B1B 5A POP EDX

00592B1C 8B0A MOV ECX,DWORD PTR DS:[EDX]

00592B1E 8B1424 MOV EDX,DWORD PTR SS:[ESP]

00592B21 8F05 C1C95700 POP DWORD PTR DS:[57C9C1]

00592B27 8908 MOV DWORD PTR DS:[EAX],ECX

00592B29 A1 08774B00 MOV EAX,DWORD PTR DS:[4B7708]

00592B2E 8B00 MOV EAX,DWORD PTR DS:[EAX]

00592B30 90 NOP

00592B31 90 NOP

00592B32 60 PUSHAD

00592B33 E8 01000000 CALL 00592B39

......

00592C7E 83C4 04 ADD ESP,4

00592C81 66:BB 9B5E MOV BX,5E9B

00592C85 F9 STC

00592C86 8929 MOV DWORD PTR DS:[ECX],EBP

00592C88 EB 01 JMP SHORT 00592C8B

00592C8A 90 NOP

00592C8B E8 94A6FFFF CALL <sub_Check_UnhandledExceptionFilter> ; 检测UnhandledExceptionFilter入口有没有处CC断点

00592C90 66:23DD AND BX,BP

00592C93 81E8 C1E0555F SUB EAX,5F55E0C1

00592C99 E8 01000000 CALL 00592C9F

00592C9E ^ 79 83 JNS SHORT 00592C23

00592CA0 C40466 LES EAX,FWORD PTR DS:[ESI] ; Modification of segment register

00592CA3 BB 82FFF981 MOV EBX,81F9FF82

00592CA8 C10400 00 ROL DWORD PTR DS:[EAX+EAX],0 ; Shift constant out of range 1..31

00592CAC 00E8 ADD AL,CH

00592CAE 0100 ADD DWORD PTR DS:[EAX],EAX

00592CB0 0000 ADD BYTE PTR DS:[EAX],AL

00592CB2 ^ 76 83 JBE SHORT 00592C37

00592CB4 04 24 ADD AL,24

00592CB6 06 PUSH ES

00592CB7 C3 RETN

00592CB8 4A DEC EDX

00592CB9 85F3 TEST EBX,ESI

00592CBB 83EF 01 SUB EDI,1

00592CBE ^ 0F85 88FFFFFF JNZ 00592C4C ; 循环解压

00592CC4 E8 01000000 CALL 00592CCA

......

00592E8E 23CE AND ECX,ESI

00592E90 45 INC EBP

00592E91 83E8 01 SUB EAX,1

00592E94 ^ 0F85 5BFFFFFF JNZ 00592DF5 ; 到了这里还循环解压代码

00592E9A EB 01 JMP SHORT 00592E9D

00592E9C ^ 7C 85 JL SHORT 00592E23

00592E9E CD 66 INT 66

00592EA0 33CD XOR ECX,EBP

00592EA2 B8 64000000 MOV EAX,64

00592EA7 33D2 XOR EDX,EDX

00592EA9 33DB XOR EBX,EBX

00592EAB F7F3 DIV EBX

00592EAD 90 NOP

00592EAE 64:8F05 0000000>POP DWORD PTR FS:[0]

00592EB5 83C4 04 ADD ESP,4

00592EB8 E8 4392FFFF CALL <sub_GetEBP >; 准备跳去执行程序的代码了

00592EBD 6A 00 PUSH 0

00592EBF E8 0A000000 CALL <sub_GOTO_END>

00592EC4 41 INC ECX

......

00592EC5 43 INC EBX

00592EC6 50 PUSH EAX

00592EC7 72 6F JB SHORT 00592F38

00592EC9 74 65 JE SHORT 00592F30

00592ECB 90 NOP

00592ECC 90 NOP

00592ECD 90 NOP

00592ECE > E8 25000000 CALL <GOTO END>

00592ED3 42 INC EDX

00592ED4 79 20 JNS SHORT 00592EF6

00592ED6 54 PUSH ESP

00592ED7 72 69 JB SHORT 00592F42

00592ED9 61 POPAD

00592EDA 6C INS BYTE PTR ES:[EDI],DX ; I/O command

00592EDB 2041 43 AND BYTE PTR DS:[ECX+43],AL

00592EDE 50 PUSH EAX

00592EDF 72 6F JB SHORT 00592F50

00592EE1 74 65 JE SHORT 00592F48

00592EE3 637400 73 ARPL WORD PTR DS:[EAX+EAX+73],SI

00592EE7 74 65 JE SHORT 00592F4E

00592EE9 72 65 JB SHORT 00592F50

00592EEB 64:2041 43 AND BYTE PTR FS:[ECX+43],AL

00592EEF 50 PUSH EAX

00592EF0 72 6F JB SHORT 00592F61

00592EF2 74 65 JE SHORT 00592F59

00592EF4 637421 00 ARPL WORD PTR DS:[ECX],SI

00592EF8 > 6A 00 PUSH 0 ; GOTO END改为jmp [addr] 的方式执行到fake OEP地址

00592EFA 83C4 10 ADD ESP,10 ; 到了这里，只剩跳去fake oep都要加密一下

00592EFD 90 NOP

......

005930A9 E8 5290FFFF CALL <sub_GetEBP >

005930AE 8B85 4B814100 MOV EAX,DWORD PTR SS:[EBP+41814B]

005930B4 0385 46F84000 ADD EAX,DWORD PTR SS:[EBP+40F846]

005930BA 8985 4B814100 MOV DWORD PTR SS:[EBP+41814B],EAX ; 要去执行的地址

005930C0 E8 3B90FFFF CALL <sub_GetEBP >

005930C5 C685 08814100 E>MOV BYTE PTR SS:[EBP+418108],0E8

005930CC E8 2F90FFFF CALL <sub_GetEBP >

005930D1 C785 09814100 F>MOV DWORD PTR SS:[EBP+418109],25FF ; 改成jmp [address]的方式

005930DB 8D85 4B814100 LEA EAX,DWORD PTR SS:[EBP+41814B]

005930E1 8985 0B814100 MOV DWORD PTR SS:[EBP+41810B],EAX

005930E7 E8 1490FFFF CALL <sub_GetEBP >

005930EC 8DBD B87E4100 LEA EDI,DWORD PTR SS:[EBP+417EB8]

005930F2 8D8D FD804100 LEA ECX,DWORD PTR SS:[EBP+4180FD]

005930F8 2BCF SUB ECX,EDI

005930FA C1E9 02 SHR ECX,2

005930FD > E8 CC87FFFF CALL <Get_RND_VALUE> ; Fill junk code

00593102 AB STOS DWORD PTR ES:[EDI]

00593103 ^ E2 F8 LOOPD SHORT <sub_fill_Junk> ; 循环填上垃圾代码，

00593105 61 POPAD

00593106 EB 01 JMP SHORT 00593109

00593108 90 NOP

00593109 - FF25 4B315900 JMP DWORD PTR DS:[59314B] ; JMP to FAKE OEP

.......

004B2DE9 A3 A8464D00 MOV DWORD PTR DS:[4D46A8],EAX ; fake OEP

004B2DEE E8 6B010000 CALL 004B2F5E

004B2DF3 391D 782F4C00 CMP DWORD PTR DS:[4C2F78],EBX

004B2DF9 75 0C JNZ SHORT 004B2E07

分析完整理一下得出Stolen code长这么个模样：

004B2D84 55 PUSH EBP

004B2D85 8BEC MOV EBP,ESP

004B2D87 6A FF PUSH -1

004B2D89 68 609F4B00 PUSH 004B9F60

004B2D8E 68 602F4B00 PUSH 004B2F60 ; JMP to msvcrt._except_handler3

004B2D93 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

004B2D99 50 PUSH EAX

004B2D9A 64:8925 0000000>MOV DWORD PTR FS:[0],ESP

004B2DA1 83EC 68 SUB ESP,68

004B2DA4 53 PUSH EBX

004B2DA5 56 PUSH ESI

004B2DA6 57 PUSH EDI

004B2DA7 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP

004B2DAA 33DB XOR EBX,EBX

004B2DAC 895D FC MOV DWORD PTR SS:[EBP-4],EBX

004B2DAF 6A 02 PUSH 2

004B2DB1 5F POP EDI

004B2DB2 57 PUSH EDI

004B2DB3 FF15 14774B00 CALL DWORD PTR DS:[4B7714] ; msvcrt.__set_app_type

004B2DB9 59 POP ECX

004B2DBA 830D AC464D00 F>OR DWORD PTR DS:[4D46AC],FFFFFFFF

004B2DC1 830D B0464D00 F>OR DWORD PTR DS:[4D46B0],FFFFFFFF

004B2DC8 FF15 10774B00 CALL DWORD PTR DS:[4B7710] ; msvcrt.__p__fmode

004B2DCE 8B0D 70464D00 MOV ECX,DWORD PTR DS:[4D4670]

004B2DD4 8908 MOV DWORD PTR DS:[EAX],ECX

004B2DD6 FF15 0C774B00 CALL DWORD PTR DS:[4B770C] ; msvcrt.__p__commode

004B2DDC 8B0D 6C464D00 MOV ECX,DWORD PTR DS:[4D466C]

004B2DE2 8908 MOV DWORD PTR DS:[EAX],ECX

004B2DE4 A1 08774B00 MOV EAX,DWORD PTR DS:[4B7708]

sub_RePlace_code:

0057D02E > 60 PUSHAD ; sub_Restore_Replace_Code

0057D02F 90 NOP

0057D030 90 NOP

0057D031 90 NOP

0057D032 90 NOP

......

0057D1D9 E8 22EF0000 CALL <sub_GetEBP >

0057D1DE 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; 取call这个处理模块的地址

0057D1E2 33C9 XOR ECX,ECX

0057D1E4 8B9C8D 812E4000 MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81]

0057D1EB 039D 46F84000 ADD EBX,DWORD PTR SS:[EBP+40F846]

0057D1F1 3BC3 CMP EAX,EBX

0057D1F3 74 07 JE SHORT 0057D1FC ; 表里查到符合条件的则跳

0057D1F5 90 NOP

0057D1F6 90 NOP

0057D1F7 90 NOP

0057D1F8 90 NOP

0057D1F9 41 INC ECX

0057D1FA ^ EB E8 JMP SHORT 0057D1E4 ; 循环查表

0057D1FC 8DB5 615D4000 LEA ESI,DWORD PTR SS:[EBP+405D61]

0057D202 B8 0A000000 MOV EAX,0A

0057D207 F7E1 MUL ECX

0057D209 03F0 ADD ESI,EAX

0057D20B 8DBD 07184000 LEA EDI,DWORD PTR SS:[EBP+401807]

0057D211 0FB6840D C92240>MOVZX EAX,BYTE PTR SS:[EBP+ECX+4022C9]

0057D219 FEC0 INC AL

0057D21B 88840D C9224000 MOV BYTE PTR SS:[EBP+ECX+4022C9],AL

0057D222 3C 20 CMP AL,20

0057D224 75 13 JNZ SHORT 0057D239

0057D226 90 NOP

0057D227 90 NOP

0057D228 90 NOP

0057D229 90 NOP

0057D22A 8BBD 4AF84000 MOV EDI,DWORD PTR SS:[EBP+40F84A]

0057D230 B8 0A000000 MOV EAX,0A

0057D235 F7E1 MUL ECX

0057D237 03F8 ADD EDI,EAX

0057D239 8A9D 1E204000 MOV BL,BYTE PTR SS:[EBP+40201E]

0057D23F B9 0A000000 MOV ECX,0A

0057D244 > AC LODS BYTE PTR DS:[ESI] ; 还原出正确的代码，加了垃圾代码的

0057D245 32C3 XOR AL,BL

0057D247 AA STOS BYTE PTR ES:[EDI]

0057D248 ^ E2 FA LOOPD SHORT <Decrypt_Replaced_CODE>

0057D24A 83EF 0A SUB EDI,0A

0057D24D 57 PUSH EDI

0057D24E 8DB5 07184000 LEA ESI,DWORD PTR SS:[EBP+401807]

0057D254 33F7 XOR ESI,EDI

0057D256 74 19 JE SHORT 0057D271

0057D258 90 NOP

0057D259 90 NOP

0057D25A 90 NOP

0057D25B 90 NOP

0057D25C 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]

0057D260 83EE 04 SUB ESI,4

0057D263 AD LODS DWORD PTR DS:[ESI]

0057D264 81EF 2E204000 SUB EDI,0040202E

0057D26A 2BFD SUB EDI,EBP

0057D26C 03C7 ADD EAX,EDI

0057D26E 8946 FC MOV DWORD PTR DS:[ESI-4],EAX

0057D271 5F POP EDI

0057D272 57 PUSH EDI

0057D273 33C9 XOR ECX,ECX

0057D275 83F9 08 CMP ECX,8

0057D278 74 0E JE SHORT 0057D288

0057D27A 90 NOP

0057D27B 90 NOP

0057D27C 90 NOP

0057D27D 90 NOP

0057D27E 8B448C 04 MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]

0057D282 89048C MOV DWORD PTR SS:[ESP+ECX*4],EAX

0057D285 41 INC ECX

0057D286 ^ EB ED JMP SHORT 0057D275

0057D288 893C8C MOV DWORD PTR SS:[ESP+ECX*4],EDI

......

0057D2C7 61 POPAD

0057D2C8 C3 RETN

进了程序代码空间后，现在分三个任务完成脱壳：去除Acprotect 用到的SDK保护Embedd Protect,去除Replace Code.

去除Acprotect 用到的SDK保护Embedd Protect：

按照任务的顺序一个一个来，我们先解决最大的拌脚石，ACProtect的Embedd Protect应该这个壳里的最大亮点之一。

加上了对程序的保护加强了不少。下面看看我们就去搬走这块石头。

由上篇的文章里的分析，我写个了脚本方便很快就去关键地方，脚本如下：

/*

Set break point at Embedd protect start address

*/

var bpaddr

start:

bprm 401000,b6000//在Code section处下断点

esto

bpmc

bp 591079//断下后，在处理SDK的那个关键地方下个断

lbl1:

eob lbl2

run

lbl2:

cmp esi,0

je lbl3

cob

mov bpaddr,esi

add bpaddr,400000//取出sdk的具体地址，然后在相关地址处下断

mov addrval,[bpaddr]

bp bpaddr

jmp lbl1

lbl3:

cob

bc 591079//如果处理完了就结束这个脚本,清除上面的关键断点

ret

写好后，设置OD忽略全部异常。运行脚本后最后结束在这里：

00591079 0BF6 OR ESI,ESI ; 如果没有用SDK或SDK处理部分已经操作完成则跳

0059107B 74 31 JE SHORT <finished>

0059107D 90 NOP

0059107E 90 NOP

0059107F 90 NOP

断下后，alt+B打开断点窗口:把非pushad处设置的断点取消：

Breakpoints

Address Module Active Disassembly Comment

0040CC05 MainCon Always PUSHAD

0040FE71 MainCon Always SUB BYTE PTR DS:[ECX],2D ;Clear it

004132D7 MainCon Always PUSHAD

004166D1 MainCon Always PUSHAD

00419A9B MainCon Always PUSHAD

0041CCD6 MainCon Always CMP AL,0A3 ;Clear it

0042089A MainCon Always PUSHAD

00423ADF MainCon Always CMC ;Clear it

00427422 MainCon Always PUSHAD

0042ABD1 MainCon Always PUSHAD

0042DEA1 MainCon Always PUSHAD

004317A2 MainCon Always PUSHAD

00436067 MainCon Always PUSHAD

0043930F MainCon Always JBE SHORT 00439375 ;Clear it

0043C77D MainCon Always PUSHAD

0043FA3D MainCon Always PUSHAD

00442DBD MainCon Always PUSHAD

0044607D MainCon Always PUSHAD

0044933D MainCon Always PUSHAD

0044C600 MainCon Always PUSHAD

0044F8DD MainCon Always PUSHAD

00452C0F MainCon Always PUSHAD

00455EF0 MainCon Always PUSHAD

00459389 MainCon Always PUSHAD

0045C95D MainCon Always PUSHAD

0045FC38 MainCon Always PUSHAD

00462EC8 MainCon Always PUSHAD

0046618B MainCon Always PUSHAD

004696FF MainCon Always PUSHAD

0046C932 MainCon Always INS BYTE PTR ES:[EDI],DX ;Clear it

004708D9 MainCon Always PUSHAD

00474389 MainCon Always PUSHAD

004775C3 MainCon Always OR DH,BYTE PTR DS:[EAX+6F] ;Clear it

0047A80F MainCon Always MOV AL,BYTE PTR DS:[C095E1F] ;Clear it

0047DE02 MainCon Always PUSHAD

00481126 MainCon Always PUSHAD

00484396 MainCon Always INT1 ;Clear it

取消相关的断点后，F9运行后，中断下来：

0042089A 60 PUSHAD ; 运行后中断在这里

0042089B F8 CLC

0042089C 66:2BCD SUB CX,BP

0042089F 87C1 XCHG ECX,EAX

......

00420A62 0000 ADD BYTE PTR DS:[EAX],AL

00420A64 47 INC EDI

00420A65 4F DEC EDI

00420A66 83E8 01 SUB EAX,1

00420A69 ^ 0F85 81FFFFFF JNZ 004209F0 ; 循环解压代码后面有很多的东西

00420A6F 7A 03 JPE SHORT 00420A74

......

00420D64 /E9 08000000 JMP 00420D71

00420D69 |79 03 JNS SHORT 00420D6E

00420D6B |C1EE 47 SHR ESI,47 ;解压了几个回合到一个远程jmp处，不要以为这里就差不多到头哦,后面还有很长的路，

00420D6E |66:8BCE MOV CX,SI

00420D71 \E9 E91D0000 JMP 00422B5F

......

00422B5F E8 8FFDFFFF CALL <sub_Copy code> ; 这里进去复制代码

00422B64 33C2 XOR EAX,EDX

00422B66 EB 01 JMP SHORT 00422B69

00422B68 73 40 JNB SHORT 00422BAA

......

00422C1F 03FD ADD EDI,EBP

00422C21 E8 01000000 CALL 00422C27

00422C26 90 NOP

00422C27 83C4 04 ADD ESP,4

00422C2A E8 37E5FFFF CALL <Check Debugger>

00422C2F 66:C1C6 B1 ROL SI,0B1 ; Shift constant out of range 1..31

00422C33 46 INC ESI

00422C34 C1CF 1E ROR EDI,1E

00422C37 7C 03 JL SHORT 00422C3C

00422C39 7D 01 JGE SHORT 00422C3C

00422C3B ^ 73 E9 JNB SHORT 00422C26

......

00422C6C E8 01000000 CALL 00422C72

00422C71 90 NOP

00422C72 83C4 04 ADD ESP,4

00422C75 E8 3AE8FFFF CALL <Crc File>

00422C7A 66:C1D6 21 RCL SI,21 ; Shift constant out of range 1..31

00422C7E 81C5 19AA764B ADD EBP,4B76AA19

......

00422E90 830424 06 ADD DWORD PTR SS:[ESP],6

00422E94 C3 RETN

00422E95 E8 8DF1FFFF CALL <sub_Anti_Fake_Unpack> ; 检测是否被脱壳了，

00422E9A 8BD5 MOV EDX,EBP

00422E9C 81EF 6D259939 SUB EDI,3999256D

00422EA2 50 PUSH EAX

00422EA3 E8 01000000 CALL 00422EA9

00422EA8 EA 83C40458 66C>JMP FAR C166:5804C483 ; Far jump

00422EAF FA CLI

00422EB0 F1 INT1

00422EB1 83C1 04 ADD ECX,4

00422EB4 E8 01000000 CALL 00422EBA

00422EB9 ^ 7D 83 JGE SHORT 00422E3E

00422EBB C404BA LES EAX,FWORD PTR DS:[EDX+EDI*4] ; Modification of segment register

00422EBE 41 INC ECX

00422EBF 0D AE870F87 OR EAX,870F87AE

00422EC4 0100 ADD DWORD PTR DS:[EAX],EAX

00422EC6 0000 ADD BYTE PTR DS:[EAX],AL

00422EC8 43 INC EBX

00422EC9 83C5 FF ADD EBP,-1

00422ECC ^ 0F85 6AFFFFFF JNZ 00422E3C ; 循环解压代码

00422ED2 E8 01000000 CALL 00422ED8

00422ED7 9A 83C40487 D86>CALL FAR 66D8:8704C483 ; Far call

00422EDE 81C0 56FFE800 ADD EAX,0E8FF56

......

0042327E 83C4 04 ADD ESP,4 ; 过了一段漫长的路，到这里

00423281 58 POP EAX

00423282 E8 84E4FFFF CALL <sub_INT 1_Check_Debug>

00423287 47 INC EDI

00423288 83C1 04 ADD ECX,4

0042328B 2B11 SUB EDX,DWORD PTR DS:[ECX]

......

004232F5 90 NOP

004232F6 61 POPAD ; 一堆检测过后，解开被保护的代码

004232F7 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; 程序代码

004232FA 68 01010100 PUSH 10101

004232FF 68 EBEBEB00 PUSH 0EBEBEB

00423304 90 NOP

00423305 90 NOP

00423306 60 PUSHAD ; 后面还代码，这里继续

00423307 E8 00000000 CALL 0042330C

0042330C 5D POP EBP

......

0042334F /74 03 JE SHORT 00423354

00423351 |75 01 JNZ SHORT 00423354

00423353 |90 NOP

00423354 \E8 12E6FFFF CALL <sub_Fuck_int3> ;这里进去的int3会清除硬件的

00423359 85FD TEST EBP,EDI

0042335B 0F80 02000000 JO 00423363

......

004235B9 81C5 E47934EE ADD EBP,EE3479E4

004235BF EB 01 JMP SHORT 004235C2

004235C1 90 NOP

004235C2 E8 CAF0FFFF CALL <Anti_Fake_Unpack_check_Import> ;反脱壳的检测还真不少

004235C7 E9 02000000 JMP 004235CE

004235CC 87CF XCHG EDI,ECX

......

00423926 830424 06 ADD DWORD PTR SS:[ESP],6

0042392A C3 RETN

0042392B E9 04000000 JMP 00423934

00423930 8BF8 MOV EDI,EAX

00423932 03F9 ADD EDI,ECX

00423934 E9 82010000 JMP 00423ABB ; 跳去执行程序的代码了

00423939 EB 01 JMP SHORT 0042393C

......

00423ABB 61 POPAD

00423ABC 90 NOP

00423ABD 90 NOP

00423ABE 90 NOP

00423ABF 90 NOP

00423AC0 90 NOP

00423AC1 90 NOP

00423AC2 90 NOP

00423AC3 90 NOP

00423AC4 90 NOP

00423AC5 90 NOP

00423AC6 90 NOP

00423AC7 90 NOP

00423AC8 90 NOP ; 这里又是程序代码了

00423AC9 E8 96F10800 CALL 004B2C64 ; JMP to MFC42.#5943

00423ACE 60 PUSHAD

00423ACF 6A 05 PUSH 5

00423AD1 6A 00 PUSH 0

00423AD3 6A 00 PUSH 0

00423AD5 6A FF PUSH -1

00423AD7 FF15 C8784B00 CALL DWORD PTR DS:[4B78C8] ; <MainCon.sub_SDK_Disposal>

这里跟进去可以看到SDK处理的核心部分sub_EmbeddProtect

00423ADD 61 POPAD

00423ADE 90 NOP

......

00423FA9 /E9 08000000 JMP 00423FB6

00423FAE |66:81D3 A6AF ADC BX,0AFA6

00423FB3 |66:03D9 ADD BX,CX

00423FB6 \E9 E91D0000 JMP 00425DA4 ; 呵呵又一个远程跳,必有动作

00423FBB 0000 ADD BYTE PTR DS:[EAX],AL

......

00426066 /79 01 JNS SHORT 00426069

00426068 |90 NOP

00426069 \E8 68F8FFFF CALL <Anti_Fake_Unpack_check_Import>

0042606E 0F83 02000000 JNB 00426076

00426074 D3DE RCR ESI,CL

00426076 8BCD MOV ECX,EBP

......

00426242 ^\71 83 JNO SHORT 004261C7

00426244 C40458 LES EAX,FWORD PTR DS:[EAX+EBX*2] ; Modification of segment register

00426247 E8 5FE1FFFF CALL <sub_Fuck_RING0'Debugger>

0042624C 87C7 XCHG EDI,EAX ; MainCon.004262F6

0042624E 4F DEC EDI

......

004266AB 830424 06 ADD DWORD PTR SS:[ESP],6

004266AF C3 RETN

004266B0 E8 3DE7FFFF CALL <sub_check_ring3_debug>

004266B5 E9 10000000 JMP 004266CA

004266BA 0F84 02000000 JE 004266C2

004266C0 87D1 XCHG ECX,EDX

......

0042670C E8 01000000 CALL 00426712

00426711 - E9 83C40458 JMP 58472B99

00426716 E8 DEDFFFFF CALL <SUB_CRC>

0042671B 0BCF OR ECX,EDI

0042671D 87D9 XCHG ECX,EBX

0042671F E8 00000000 CALL 00426724

......

00426B78 4F DEC EDI

00426B79 E9 82010000 JMP 00426D00 ; 跳去执行程序代码了

00426B7E E8 01000000 CALL 00426B84

......

00426D00 61 POPAD ; 又开始程序代码

00426D01 E8 58BF0800 CALL 004B2C5E ; JMP to MFC42.#1168

00426D06 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]

00426D09 6A 00 PUSH 0

00426D0B 6A 00 PUSH 0

00426D0D 68 8C164C00 PUSH 004C168C ; ASCII "Demo"

00426D12 50 PUSH EAX

00426D13 E8 940F0600 CALL 00487CAC

00426D18 60 PUSHAD

00426D19 6A 04 PUSH 4 ; 为4时表示加密

00426D1B 6A 00 PUSH 0

00426D1D 6A 00 PUSH 0

00426D1F 6A FF PUSH -1

00426D21 FF15 C8784B00 CALL DWORD PTR DS:[4B78C8] ; <MainCon.sub_SDK_Disposal>

00426D27 EB 1E JMP SHORT 00426D47

00426D29 7D 66 JGE SHORT 00426D91

00426D2B 99 CDQ

00426D2C - E9 6E3956CB JMP CB98A69F

00426D31 67:A8 69 TEST AL,69 ; Superfluous prefix

00426D34 DF59 E5 FISTP WORD PTR DS:[ECX-1B]

00426D37 0000 ADD BYTE PTR DS:[EAX],AL

00426D39 0000 ADD BYTE PTR DS:[EAX],AL

00426D3B 0000 ADD BYTE PTR DS:[EAX],AL

00426D3D 0000 ADD BYTE PTR DS:[EAX],AL

00426D3F 0000 ADD BYTE PTR DS:[EAX],AL

00426D41 0000 ADD BYTE PTR DS:[EAX],AL

00426D43 0000 ADD BYTE PTR DS:[EAX],AL

00426D45 0000 ADD BYTE PTR DS:[EAX],AL

00426D47 61 POPAD ; 下面又是程序代码了,...

00426D48 68 84164C00 PUSH 004C1684 ; ASCII "Skin"

00426D4D 68 7C164C00 PUSH 004C167C ; ASCII "Skin1"

00426D52 6A 00 PUSH 0

00426D54 E8 FE130600 CALL 00488157

00426D59 60 PUSHAD

00426D5A 6A 04 PUSH 4

00426D5C 6A 00 PUSH 0

00426D5E 6A 00 PUSH 0

00426D60 6A FF PUSH -1

00426D62 FF15 C8784B00 CALL DWORD PTR DS:[4B78C8] ; <MainCon.sub_SDK_Disposal>

00426D68 EB 1E JMP SHORT 00426D88 ; 这里跳去就结束这个sdk 的处理、执行了

00426D6A 52 PUSH EDX

00426D6B EE OUT DX,AL ; I/O command

00426D6C B3 68 MOV BL,68

00426D6E B9 20AC0B71 MOV ECX,710BAC20

00426D73 CF IRETD

00426D74 D019 RCR BYTE PTR DS:[ECX],1

00426D76 8ADD MOV BL,CH

00426D78 0000 ADD BYTE PTR DS:[EAX],AL

00426D7A 0000 ADD BYTE PTR DS:[EAX],AL

00426D7C 0000 ADD BYTE PTR DS:[EAX],AL

00426D7E 0000 ADD BYTE PTR DS:[EAX],AL

00426D80 0000 ADD BYTE PTR DS:[EAX],AL

00426D82 0000 ADD BYTE PTR DS:[EAX],AL

00426D84 0000 ADD BYTE PTR DS:[EAX],AL

00426D86 0000 ADD BYTE PTR DS:[EAX],AL

00426D88 61 POPAD

00426D89 6A 00 PUSH 0 ; 又正常执行程序代码了

00426D8B 8D8D 9497FFFF LEA ECX,DWORD PTR SS:[EBP+FFFF9794]

00426D91 E8 9AA50000 CALL 00431330

......

ok,关于Embedd Protect的分析就结束了，再分析几个地方就可以得到一定的规律。找回正常的代码也就是件很简单的事了，只需要一定的时间就可以了。

这里的正确代码就应该为：

00420889 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]

0042088C 68 01010100 PUSH 10101

00420891 68 EBEBEB00 PUSH 0EBEBEB

00420896 E8 C9230900 CALL <JMP.&MFC42.#5943>

0042089B E8 BE230900 CALL <JMP.&MFC42.#1168>

004208A0 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]

004208A3 6A 00 PUSH 0

004208A5 6A 00 PUSH 0

004208A7 68 8C164C00 PUSH 004C168C ; ASCII "Demo"

004208AC 50 PUSH EAX

004208AD E8 FA730600 CALL 00487CAC

004208B2 68 84164C00 PUSH 004C1684 ; ASCII "Skin"

004208B7 68 7C164C00 PUSH 004C167C ; ASCII "Skin1"

004208BC 6A 00 PUSH 0

004208BE E8 94780600 CALL 00488157

004208C3 E9 C1640000 JMP 00426D89 ; JMP to MFC42.#5943

经过N久的时间把全部的正确代码找回来了之后，dump下code段，第一个任务就算完成了，接下来完成第二个任务。

去除Replace Code:

这个任务也算是ACProtect 的一样法宝吧，替换了很多的代码。每次替换5个字节的代码，方式为3+2或2+3，壳

解压出来时已经加了垃圾代码。

重来，载入目标，先在rdata段下断点，断下后，在text段下断，运行停止在fake oep后，在最后一个段下内存写

入断点。再运行,这样就中断在Replace Code的关键代码处了:

sub_Restore_Replace_Code:

0057D02E > 60 PUSHAD ; sub_Restore_Replace_Code

0057D02F 4A DEC EDX

0057D030 FC CLD

......

0057D0EB 8945 1D MOV DWORD PTR SS:[EBP+1D],EAX ; 中断在这里

0057D0EE EB 01 JMP SHORT 0057D0F1

......

0057D1C5 83E9 01 SUB ECX,1

0057D1C8 ^ 0F85 69FFFFFF JNZ 0057D137 ; 循环解压代码

0057D1CE EB 01 JMP SHORT 0057D1D1

0057D1D0 71 72 JNO SHORT <Decrypt_Replaced_CODE>

0057D1D2 06 PUSH ES

0057D1D3 81E7 B34D2A57 AND EDI,572A4DB3

0057D1D9 E8 22EF0000 CALL <sub_GetEBP >

0057D1DE 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; 取call这个处理模块的地址

0057D1E2 33C9 XOR ECX,ECX

0057D1E4 8B9C8D 812E4000 MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81>; 指向一个表，通过在表里查询来还原代码

0057D1EB 039D 46F84000 ADD EBX,DWORD PTR SS:[EBP+40F846]

0057D1F1 3BC3 CMP EAX,EBX

0057D1F3 74 07 JE SHORT 0057D1FC ; 表里查到符合条件的则跳

0057D1F5 90 NOP

0057D1F6 90 NOP

0057D1F7 90 NOP

0057D1F8 90 NOP

0057D1F9 41 INC ECX

0057D1FA ^ EB E8 JMP SHORT 0057D1E4 ; 循环查表

0057D1FC 8DB5 615D4000 LEA ESI,DWORD PTR SS:[EBP+405D61]

0057D202 B8 0A000000 MOV EAX,0A

0057D207 F7E1 MUL ECX

0057D209 03F0 ADD ESI,EAX

0057D20B 8DBD 07184000 LEA EDI,DWORD PTR SS:[EBP+401807]

0057D211 0FB6840D C92240>MOVZX EAX,BYTE PTR SS:[EBP+ECX+4022C9]

0057D219 FEC0 INC AL

0057D21B 88840D C9224000 MOV BYTE PTR SS:[EBP+ECX+4022C9],AL

0057D222 3C 20 CMP AL,20

0057D224 75 13 JNZ SHORT 0057D239

0057D226 90 NOP

0057D227 90 NOP

0057D228 90 NOP

0057D229 90 NOP

0057D22A 8BBD 4AF84000 MOV EDI,DWORD PTR SS:[EBP+40F84A]

0057D230 B8 0A000000 MOV EAX,0A

0057D235 F7E1 MUL ECX

0057D237 03F8 ADD EDI,EAX

0057D239 8A9D 1E204000 MOV BL,BYTE PTR SS:[EBP+40201E] ; [EBP+40201E]中保存着解密的Key

0057D23F B9 0A000000 MOV ECX,0A

0057D244 > AC LODS BYTE PTR DS:[ESI] ; 还原出正确的代码，加了垃圾代码的

0057D245 32C3 XOR AL,BL

0057D247 AA STOS BYTE PTR ES:[EDI]

0057D248 ^ E2 FA LOOPD SHORT <Decrypt_Replaced_CODE>

0057D24A 83EF 0A SUB EDI,0A

0057D24D 57 PUSH EDI

0057D24E 8DB5 07184000 LEA ESI,DWORD PTR SS:[EBP+401807]

0057D254 33F7 XOR ESI,EDI

0057D256 74 19 JE SHORT 0057D271

0057D258 90 NOP

0057D259 90 NOP

0057D25A 90 NOP

0057D25B 90 NOP

0057D25C 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]

0057D260 83EE 04 SUB ESI,4

0057D263 AD LODS DWORD PTR DS:[ESI]

0057D264 81EF 2E204000 SUB EDI,0040202E

0057D26A 2BFD SUB EDI,EBP

0057D26C 03C7 ADD EAX,EDI

0057D26E 8946 FC MOV DWORD PTR DS:[ESI-4],EAX

0057D271 5F POP EDI

0057D272 57 PUSH EDI

0057D273 33C9 XOR ECX,ECX

0057D275 83F9 08 CMP ECX,8

0057D278 74 0E JE SHORT 0057D288

0057D27A 90 NOP

0057D27B 90 NOP

0057D27C 90 NOP

0057D27D 90 NOP

0057D27E 8B448C 04 MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]

0057D282 89048C MOV DWORD PTR SS:[ESP+ECX*4],EAX

0057D285 41 INC ECX

0057D286 ^ EB ED JMP SHORT 0057D275

0057D288 893C8C MOV DWORD PTR SS:[ESP+ECX*4],EDI

0057D28B 60 PUSHAD ; 加密代码

0057D28C E8 00000000 CALL 0057D291

0057D291 5E POP ESI

0057D292 83EE 06 SUB ESI,6

0057D295 B9 B2000000 MOV ECX,0B2

0057D29A 29CE SUB ESI,ECX

0057D29C BA 41A20ADC MOV EDX,DC0AA241

0057D2A1 C1E9 02 SHR ECX,2

0057D2A4 83E9 02 SUB ECX,2

0057D2A7 83F9 00 CMP ECX,0

0057D2AA 7C 1A JL SHORT 0057D2C6

0057D2AC 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0057D2AF 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0057D2B3 33C3 XOR EAX,EBX

0057D2B5 C1C8 15 ROR EAX,15

0057D2B8 33C2 XOR EAX,EDX

0057D2BA 81EA 417BCDED SUB EDX,EDCD7B41

0057D2C0 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0057D2C3 49 DEC ECX

0057D2C4 ^ EB E1 JMP SHORT 0057D2A7

0057D2C6 61 POPAD

0057D2C7 61 POPAD

0057D2C8 C3 RETN ; 返回到要执行的代码处

分析出这些代码后，写了个修复代码，这个修复代码是我上次看到股林精怪写的，既然这的这么好，我就直接

搬来过借用下:-),修复代码如下：

.386

.model flat,stdcall

;-------------------------------------------------------------

;

;ACProtect v1.41Replace Code Fix Application

;

;-------------------------------------------------------------

.code

start:

PUSHAD

XOR EAX,EAX

MOV EDI,580d61h;LEA ESI,DWORD PTR SS:[EBP+405D61] EBP+405D61=525d61

L003:

CMP DWORD PTR DS:[EAX+EDI],0

JE L008

XOR BYTE PTR DS:[EAX+EDI],0D7h;MOV BL,BYTE PTR SS:[EBP+40201E] [0052201e]=22

INC EAX

JMP L003

L008:

XOR ECX,ECX

L009:

MOV ESI,DWORD PTR DS:[ECX*4+57de81h];MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81] EBP+402E81=522e81

CMP ESI,0

JNZ L015

POPAD

SUB DWORD PTR SS:[ESP],5h

RETN

L015:

MOV EDI,580d61h;LEA ESI,DWORD PTR SS:[EBP+405D61] EBP+405D61=525d61

ADD ESI,3FFFFBh

MOV EAX,0Ah

MUL ECX

ADD EDI,EAX

XOR EAX,EAX

L021:

CMP BYTE PTR DS:[EAX+EDI],3h

JE L074

CMP BYTE PTR DS:[EAX+EDI],33h

JE L114

CMP BYTE PTR DS:[EAX+EDI],40h

JB L029

CMP BYTE PTR DS:[EAX+EDI],58h

JB L031

L029:

INC EAX

JMP L021

L031:

MOV DL,BYTE PTR DS:[EAX+EDI]

ADD DL,8

MOV EBX,EAX

L034:

INC EBX

CMP DL,BYTE PTR DS:[EBX+EDI]

JE L040

CMP EBX,8

JB L034

JMP L029

L040:

SUB EBX,EAX

CMP EAX,0

JNZ L058

CMP EBX,2

JB L029

DEC EBX

INC EDI

XOR EBP,EBP

L048:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EBX,EBP

JNZ L048

INC EDI

XOR EBX,EBX

JMP L048

L058:

CMP EBX,2

JE L029

XOR EBP,EBP

L061:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EAX,EBP

JNZ L061

INC EDI

XOR EAX,EAX

CMP EBX,1

JNZ L061

INC EDI

JMP L061

L074:

MOV DX,WORD PTR DS:[EAX+EDI]

ADD DX,28h

MOV EBX,EAX

INC EBX

L078:

INC EBX

CMP WORD PTR DS:[EBX+EDI],DX

JE L084

CMP EBX,8

JB L078

JMP L029

L084:

CMP EAX,0

JNZ L099

LEA EAX,DWORD PTR DS:[EBX-2]

ADD EDI,2

XOR EBP,EBP

L089:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EAX,EBP

JNZ L089

ADD EDI,2

XOR EAX,EAX

JMP L089

L099:

SUB EBX,EAX

XOR EBP,EBP

L101:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EAX,EBP

JNZ L101

ADD EDI,2

XOR EAX,EAX

CMP EBX,2

JNZ L101

ADD EDI,2

JMP L101

L114:

MOV DX,WORD PTR DS:[EAX+EDI]

MOV EBX,EAX

INC EBX

L117:

INC EBX

CMP WORD PTR DS:[EBX+EDI],DX

JE L123

CMP EBX,8

JB L117

JMP L029

L123:

CMP EAX,0

JNZ L138

LEA EAX,DWORD PTR DS:[EBX-2]

ADD EDI,2

XOR EBP,EBP

L128:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EAX,EBP

JNZ L128

ADD EDI,2

XOR EAX,EAX

JMP L128

L138:

SUB EBX,EAX

XOR EBP,EBP

L140:

MOV DL,BYTE PTR DS:[EDI+EBP]

MOV BYTE PTR DS:[ESI+EBP],DL

CMP EBP,4

JE L153

INC EBP

CMP EAX,EBP

JNZ L140

ADD EDI,2

XOR EAX,EAX

CMP EBX,2

JNZ L140

ADD EDI,2

JMP L140

L153:

INC ECX

JMP L009

end start

写好代码后，重新加载目标文件，忽略全部异常，直接在rdata处下断,运行中断后

005906B7 33C0 XOR EAX,EAX ;直接运行到这里

005906B9 B9 00010000 MOV ECX,100

运行后断在5906b7处后，把eip改为sub_Restore_Replace_Code(先选择57d02e,然后CTRL+*),

然后贴上修复代码,贴上后执行到结束处:

0057D02E > 60 PUSHAD ; sub_Restore_Replace_Code

0057D02F 33C0 XOR EAX,EAX

0057D031 BF 610D5800 MOV EDI,00580D61

0057D036 833C07 00 CMP DWORD PTR DS:[EDI+EAX],0

0057D03A 74 07 JE SHORT 0057D043

0057D03C 803407 D7 XOR BYTE PTR DS:[EDI+EAX],0D7

0057D040 40 INC EAX

0057D041 ^ EB F3 JMP SHORT 0057D036

0057D043 33C9 XOR ECX,ECX

0057D045 8B348D 81DE5700 MOV ESI,DWORD PTR DS:[ECX*4+57DE81]

0057D04C 83FE 00 CMP ESI,0

0057D04F 75 06 JNZ SHORT 0057D057

0057D051 61 POPAD

0057D052 832C24 05 SUB DWORD PTR SS:[ESP],5 ; f4直接执行到这里

0057D056 C3 RETN

执行完毕后把eip改回原处修复好replace code和embedd protect code之后,修复一下iat和oep信息就可以运行了。

总结一下，为了方便自己操作，我写了一段脚本。

/*

ACPROTCT 1.4 Unpack script v0.1

*/

var addr

var mbase//module base

var rmaddr

var rmsize

var IATVA

var tmpval

start:

gmi eip,MODULEBASE

mov mbase,$RESULT

gpa "GetModuleHandleA","kernel32.dll"

mov addr,$RESULT

bprm addr,0A

esto

lbl1:

bpmc

findop eip,#F3AA#//Find command 'REP STOSB'

cmp $RESULT,0

je lblabort

go $RESULT

mov addr,$RESULT

add addr,2

mov eip,addr

mov rmaddr,4b7000//rdata段的开始地址

mov rmsize,a000//rdata段的大小

bpwm rmaddr,rmsize

esto

lbl2:

bpmc

mov IATVA,esi

mov tmpval,esi

sub IATVA,mbase//计算iat的地始地址VA

findop eip,#83660C00# //find command 'AND DWORD PTR DS:[ESI+C],0'

cmp $RESULT,0

je lblabort

fill $RESULT,4,90

repl eip,#602BC0880343380375F961#,#9090909090909090909090#,500//把清除名字的代码给nop掉

find $RESULT,#618907#

cmp $RESULT,0

je lblabort

go $RESULT

mov addr,$RESULT

inc addr

fill addr,2,90

findop addr,#33C0#

cmp $RESULT,0

je lblabort

mov addr,$RESULT

go addr

log IATVA

fill 6909c7,1,eb

ret

lblabort:

msg "Error!"

ret

用od载入目标程序，运行该脚本，然后把前面dump下来修复好的Embedd Protect代码段替换这个现在正在操作的这个目标，然后用修复Replace code

的代码修复Replace code,修复完，被上程序的oep被抽的代码，然后dump下目标程序的整个内存，修改OEP,修改正确的IAT信息，iat信息由分析篇

得之：OEP RVA=000B2D84 IAT RVA=000BEB88 SIZE=00002398，修复好后程序就可以运行了。这样就算是比较完整的脱壳了，最后我自己还有一个问题

哪位会的朋友指点下，谢谢，问题：壳把部分资源放到最后一个节去了，如何修复资源呢?, 对这个我一点都不会:-(。如果资源修复好了，最后一个节

应该可以去掉吧。

在脱其它的acprotect的程序时发现有时还会有调用壳的api的代码，我这里附上修复调用壳api的代码：

.386

.model flat,stdcall

.code

FillCode proc cmpaddr:DWORD,waddr:DWORD

;----------------

;cmpaddr 表示比较地址

;waddr 要写入地址

pushad

mov edi,401000h

mov ecx,0baf00h

@loop1:

cmp word ptr [edi],25ffh

jnz jmpn

mov ebx,[edi+2]

cmp ebx,401000h

jb jmpn

cmp ebx,521000h

ja jmpn

mov ebx,[ebx]

cmp cmpaddr,ebx

jnz @F

mov ebx,edi

mov eax,waddr

sub ebx,eax

sub ebx,5

mov dword ptr [eax+1],ebx

jmp @end

@@:

add edi,4

sub ecx,4

jmpn:

inc edi

dec ecx

jnz @loop1

@end:

popad

ret 8

FillCode endp

@calld52 proc

pushad

CALL @F;CALL 531100 Get EBP value

MOV EAX,DWORD PTR SS:[ESP+24h]

SUB EAX,DWORD PTR SS:[EBP+40F846h]

MOV ECX,3E9h

LEA EDI,DWORD PTR SS:[EBP+40D563h]

REPNE SCAS DWORD PTR ES:[EDI]

OR ECX,ECX

JNZ @F

NOP

NOP

NOP

NOP

@@:

SUB ECX,3E9h

NOT ECX

MOVZX EBX,BYTE PTR SS:[EBP+ECX+40E503h]

LEA EAX,DWORD PTR SS:[EBP+EBX*4+40E8EBh]

mov eax,[eax]

mov EDX,DWORD PTR SS:[ESP+24h]

sub edx,5

cmp eax,5000000h

ja @F

mov ebx,[eax+8]

mov eax,[eax+1]

xor eax,ebx

@@:

invoke FillCode,eax,edx

popad

ret 4

@calld52 endp

start:

pushad

mov edi,401000h

mov ecx,0baf00h

@loop1:

cmp byte ptr [edi],0e8h

jnz @F

mov ebx,[edi+1]

lea ebx,[ebx+edi+5]

cmp ebx,52d30bh ;判断是否为call去解码处

jnz @Not52d

lea ebx,[edi+5]

push ebx

call @calld52

jmp @add4

@Not52d:

cmp ebx,521000h

jb @F

cmp ebx,538fd2h

ja @F

cmp word ptr [ebx+1],25ffh

jnz @F

mov ebx,[ebx+3]

mov ebx,[ebx]

invoke FillCode,ebx,edi

@add4:

add edi,4

sub ecx,4

@@:

inc edi

dec ecx

jnz @loop1

popad

end start

漫漫长路，终到尽头。分析了这么多，现在看来又好像什么都没有哦:-)，花了很多时间，今天终于把ACPROTECT给吃下来了。如果有兴趣可以试试做

脱壳机的，我自己看了分析后认为做这个的脱壳机应该是可行的(如果不行，不能怪我哦:-P)。有所收获有所失去。牺牲了睡眠换来了近视:-9。收工zzZZZZ。

---------------------------各模块代码------------------------------------

sub_EmbeddProtect:

0058AE31 > 837C24 04 FF CMP DWORD PTR SS:[ESP+4],-1 ; 处理SDK的关键代码

0058AE36 74 13 JE SHORT 0058AE4B

0058AE38 90 NOP

0058AE39 90 NOP

0058AE3A 90 NOP

0058AE3B 90 NOP

0058AE3C 55 PUSH EBP

0058AE3D E8 BE120000 CALL <sub_GetEBP >

0058AE42 8BC5 MOV EAX,EBP

0058AE44 5D POP EBP

0058AE45 FFA0 C4FD4000 JMP DWORD PTR DS:[EAX+40FDC4]

0058AE4B 90 NOP

......

0058AFF7 55 PUSH EBP

0058AFF8 E8 03110000 CALL <sub_GetEBP >

; 这里是关键代码,用于加密解密代码的

0058AFFD 8BC5 MOV EAX,EBP

0058AFFF 5D POP EBP

0058B000 837C24 04 FF CMP DWORD PTR SS:[ESP+4],-1

0058B005 74 25 JE SHORT 0058B02C

0058B007 90 NOP

0058B008 90 NOP

0058B009 90 NOP

0058B00A 90 NOP

0058B00B 8B98 2C854100 MOV EBX,DWORD PTR DS:[EAX+41852C]

0058B011 803B CC CMP BYTE PTR DS:[EBX],0CC

0058B014 0F84 DE000000 JE <Case else>

0058B01A 807B 01 CC CMP BYTE PTR DS:[EBX+1],0CC

0058B01E 0F84 D4000000 JE <Case else>

0058B024 8BC3 MOV EAX,EBX

0058B026 60 PUSHAD

0058B027 E9 CC000000 JMP <Case else>

0058B02C 60 PUSHAD

0058B02D E8 CE100000 CALL <sub_GetEBP >

0058B032 8B7C24 28 MOV EDI,DWORD PTR SS:[ESP+28]

0058B036 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]

0058B03A 0BC0 OR EAX,EAX ; 当EAX＝4的时候加密代码，eax=5的时候解密代码

0058B03C 74 3F JE SHORT <Case EAX==0>

0058B03E 90 NOP

0058B03F 90 NOP

0058B040 90 NOP

0058B041 90 NOP

0058B042 48 DEC EAX

0058B043 0BC0 OR EAX,EAX

0058B045 74 65 JE SHORT <Case EAX==1>

0058B047 90 NOP

0058B048 90 NOP

0058B049 90 NOP

0058B04A 90 NOP

0058B04B 48 DEC EAX

0058B04C 0BC0 OR EAX,EAX

0058B04E 74 68 JE SHORT <Case EAX==2>

0058B050 90 NOP

0058B051 90 NOP

0058B052 90 NOP

0058B053 90 NOP

0058B054 48 DEC EAX

0058B055 0BC0 OR EAX,EAX

0058B057 74 75 JE SHORT <Case EAX==3>

0058B059 90 NOP

0058B05A 90 NOP

0058B05B 90 NOP

0058B05C 90 NOP

0058B05D 48 DEC EAX

0058B05E 0BC0 OR EAX,EAX

0058B060 74 76 JE SHORT <Case EAX==4>

0058B062 90 NOP

0058B063 90 NOP

0058B064 90 NOP

0058B065 90 NOP

0058B066 48 DEC EAX

0058B067 0BC0 OR EAX,EAX

0058B069 74 77 JE SHORT <Case EAX==5>

0058B06B 90 NOP

0058B06C 90 NOP

0058B06D 90 NOP

0058B06E 90 NOP

0058B06F 48 DEC EAX

0058B070 0BC0 OR EAX,EAX

0058B072 74 78 JE SHORT <Case EAX==6>

0058B074 90 NOP

0058B075 90 NOP

0058B076 90 NOP

0058B077 90 NOP

0058B078 EB 7E JMP SHORT <Case else>

0058B07A 90 NOP

0058B07B 90 NOP

0058B07C 90 NOP

0058B07D > 8DB5 2CF54000 LEA ESI,DWORD PTR SS:[EBP+40F52C] ; 当EAX＝0时的处理

0058B083 B9 08000000 MOV ECX,8

0058B088 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>

0058B08A 8DB5 50F54000 LEA ESI,DWORD PTR SS:[EBP+40F550]

0058B090 B9 07000000 MOV ECX,7

0058B095 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>

0058B097 4F DEC EDI

0058B098 803F 20 CMP BYTE PTR DS:[EDI],20

0058B09B 75 06 JNZ SHORT 0058B0A3

0058B09D 90 NOP

0058B09E 90 NOP

0058B09F 90 NOP

0058B0A0 90 NOP

0058B0A1 ^ EB F4 JMP SHORT 0058B097

0058B0A3 C647 01 00 MOV BYTE PTR DS:[EDI+1],0

0058B0A7 EB 4F JMP SHORT <Case else>

0058B0A9 90 NOP

0058B0AA 90 NOP

0058B0AB 90 NOP

0058B0AC > 8A85 6DF74000 MOV AL,BYTE PTR SS:[EBP+40F76D] ; 当eax==1时的处理

0058B0B2 AA STOS BYTE PTR ES:[EDI]

0058B0B3 EB 43 JMP SHORT <Case else>

0058B0B5 90 NOP

0058B0B6 90 NOP

0058B0B7 90 NOP

0058B0B8 > 50 PUSH EAX ; 当EAX＝＝2时的处理

0058B0B9 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]

0058B0BD 8985 28F54000 MOV DWORD PTR SS:[EBP+40F528],EAX

0058B0C3 58 POP EAX

0058B0C4 E8 02380000 CALL <Reg_Info>

0058B0C9 EB 2D JMP SHORT <Case else>

0058B0CB 90 NOP

0058B0CC 90 NOP

0058B0CD 90 NOP

0058B0CE > E8 72000000 CALL 0058B145 ; 当eax=3时的处理

0058B0D3 EB 23 JMP SHORT <Case else>

0058B0D5 90 NOP

0058B0D6 90 NOP

0058B0D7 90 NOP

0058B0D8 > E8 9C020000 CALL <sub_Restore_Crypted_Code> ; 当eax==4时的处理

0058B0DD EB 19 JMP SHORT <Case else>

0058B0DF 90 NOP

0058B0E0 90 NOP

0058B0E1 90 NOP

0058B0E2 > E8 CA040000 CALL <sub_Decrypt_Code> ; 当eax==5时的处理

0058B0E7 EB 0F JMP SHORT <Case else>

0058B0E9 90 NOP

0058B0EA 90 NOP

0058B0EB 90 NOP

0058B0EC > 8B85 5D814100 MOV EAX,DWORD PTR SS:[EBP+41815D] ; 当EAX==6时的处理

0058B0F2 AB STOS DWORD PTR ES:[EDI]

0058B0F3 EB 03 JMP SHORT <Case else>

0058B0F5 90 NOP

0058B0F6 90 NOP

0058B0F7 90 NOP

0058B0F8 > 90 NOP ; Case else

0058B0F9 90 NOP

0058B0FA 90 NOP

......

0058B133 90 NOP

0058B134 61 POPAD

0058B135 837C24 04 FF CMP DWORD PTR SS:[ESP+4],-1

0058B13A 74 06 JE SHORT 0058B142

0058B13C 90 NOP

0058B13D 90 NOP

0058B13E 90 NOP

0058B13F 90 NOP

0058B140 FFE0 JMP EAX

0058B142 C2 1000 RETN 10

sub_CRC:

004246F9 > 60 PUSHAD ; sub_CRC

004246FA E8 73FAFFFF CALL <GetEBp>

004246FF C685 1A1C4000 C>MOV BYTE PTR SS:[EBP+401C1A],0C3

00424706 E8 1B0E0000 CALL 00425526 ;这个Call 进去

0042470B 61 POPAD

0042470C C3 RETN

进来后:

004256D1 E8 9CEAFFFF CALL <GetEBp> ;这里和上篇里的是一样的,所以我也不多注释了:-)

004256D6 68 20030000 PUSH 320

004256DB 8DBD 00104000 LEA EDI,DWORD PTR SS:[EBP+401000]

004256E1 57 PUSH EDI

004256E2 6A 00 PUSH 0

004256E4 FF95 20164000 CALL DWORD PTR SS:[EBP+401620] ;GetModuleFileNameA

004256EA 6A 00 PUSH 0

004256EC 68 80000000 PUSH 80

004256F1 6A 03 PUSH 3

004256F3 6A 00 PUSH 0

004256F5 6A 01 PUSH 1

004256F7 68 00000080 PUSH 80000000

004256FC 57 PUSH EDI

004256FD FF95 D8154000 CALL DWORD PTR SS:[EBP+4015D8]

00425703 40 INC EAX

00425704 0F84 8A000000 JE 00425794

0042570A 48 DEC EAX

0042570B 8BF8 MOV EDI,EAX

0042570D 6A 00 PUSH 0

0042570F 57 PUSH EDI

00425710 FF95 24164000 CALL DWORD PTR SS:[EBP+401624]

00425716 2B85 2C164000 SUB EAX,DWORD PTR SS:[EBP+40162C]

0042571C 96 XCHG EAX,ESI

0042571D 56 PUSH ESI

0042571E 6A 40 PUSH 40

00425720 FF95 AC154000 CALL DWORD PTR SS:[EBP+4015AC]

00425726 85C0 TEST EAX,EAX

00425728 74 61 JE SHORT 0042578B

0042572A 90 NOP

0042572B 90 NOP

0042572C 90 NOP

0042572D 90 NOP

0042572E 93 XCHG EAX,EBX

0042572F 6A 00 PUSH 0

00425731 8D85 00104000 LEA EAX,DWORD PTR SS:[EBP+401000]

00425737 50 PUSH EAX

00425738 56 PUSH ESI

00425739 53 PUSH EBX

0042573A 57 PUSH EDI

0042573B FF95 FC154000 CALL DWORD PTR SS:[EBP+4015FC]

00425741 8BC3 MOV EAX,EBX

00425743 8BCE MOV ECX,ESI

00425745 60 PUSHAD

00425746 E8 3E060000 CALL 00425D89

0042574B 3985 30164000 CMP DWORD PTR SS:[EBP+401630],EAX

00425751 74 27 JE SHORT 0042577A

00425753 90 NOP

00425754 90 NOP

00425755 90 NOP

00425756 90 NOP

00425757 60 PUSHAD

00425758 E8 15EAFFFF CALL <GetEBp>

0042575D B8 00010000 MOV EAX,100

00425762 E8 18EAFFFF CALL 0042417F

00425767 8BC8 MOV ECX,EAX

00425769 8DBD 9A404000 LEA EDI,DWORD PTR SS:[EBP+40409A]

0042576F 03F8 ADD EDI,EAX

00425771 E8 1DEAFFFF CALL 00424193

00425776 AB STOS DWORD PTR ES:[EDI]

00425777 ^ E2 F8 LOOPD SHORT 00425771

00425779 61 POPAD

0042577A 61 POPAD

0042577B 8D85 A42C4000 LEA EAX,DWORD PTR SS:[EBP+402CA4]

00425781 50 PUSH EAX

00425782 C3 RETN

00425783 53 PUSH EBX

00425784 FF95 B0154000 CALL DWORD PTR SS:[EBP+4015B0]

0042578A 96 XCHG EAX,ESI

0042578B 50 PUSH EAX

0042578C 57 PUSH EDI

0042578D FF95 D4154000 CALL DWORD PTR SS:[EBP+4015D4]

00425793 58 POP EAX

00425794 60 PUSHAD

00425795 E8 00000000 CALL 0042579A

0042579A 5E POP ESI

0042579B 83EE 06 SUB ESI,6

0042579E B9 C3000000 MOV ECX,0C3

004257A3 29CE SUB ESI,ECX

004257A5 BA 48A6FC64 MOV EDX,64FCA648

004257AA C1E9 02 SHR ECX,2

004257AD 83E9 02 SUB ECX,2

004257B0 83F9 00 CMP ECX,0

004257B3 7C 1A JL SHORT 004257CF

004257B5 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

004257B8 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

004257BC 2BC3 SUB EAX,EBX

004257BE C1C0 1D ROL EAX,1D

004257C1 03C2 ADD EAX,EDX

004257C3 81C2 5E6AB05C ADD EDX,5CB06A5E

004257C9 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

004257CC 49 DEC ECX

004257CD ^ EB E1 JMP SHORT 004257B0

004257CF 61 POPAD

004257D0 61 POPAD

004257D1 C3 RETN

sub_INT 1_Check_Debug:

0042170B > 60 PUSHAD ; sub_INT 1_Check_Debug

0042170C 4D DEC EBP

0042170D 50 PUSH EAX

0042170E E8 01000000 CALL 00421714

00421713 ^ 71 83 JNO SHORT 00421698

00421715 C40458 LES EAX,FWORD PTR DS:[EAX+EBX*2] ; Modification of segment register

00421718 66:BD D8B7 MOV BP,0B7D8

0042171C 7C 03 JL SHORT 00421721

0042171E 7D 01 JGE SHORT 00421721

00421720 - E9 F850E801 JMP 022A681D

00421725 0000 ADD BYTE PTR DS:[EAX],AL

00421727 00EB ADD BL,CH

......

004218B6 E8 72F6FFFF CALL <GetEBP>

004218BB C685 711E4000 C>MOV BYTE PTR SS:[EBP+401E71],0C3

004218C2 8CC8 MOV AX,CS

004218C4 A8 04 TEST AL,4 ; 如果系统是Winnt的，则通过int 1检测调试器

004218C6 75 5A JNZ SHORT <OS is Win9x>

004218C8 90 NOP

004218C9 90 NOP

004218CA 90 NOP

004218CB 90 NOP

004218CC E8 0E000000 CALL 004218DF

004218D1 8B5C24 0C MOV EBX,DWORD PTR SS:[ESP+C]

004218D5 8383 B8000000 0>ADD DWORD PTR DS:[EBX+B8],2

004218DC 33C0 XOR EAX,EAX

004218DE C3 RETN

004218DF 64:67:FF36 0000 PUSH DWORD PTR FS:[0]

004218E5 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP

004218EB 33C0 XOR EAX,EAX

004218ED CD 01 INT 1

004218EF 40 INC EAX

004218F0 40 INC EAX

004218F1 0BC0 OR EAX,EAX

004218F3 75 27 JNZ SHORT 0042191C ; 如果没有发现则跳

004218F5 90 NOP

004218F6 90 NOP

004218F7 90 NOP

004218F8 90 NOP

004218F9 60 PUSHAD

004218FA E8 2EF6FFFF CALL <GetEBP>

004218FF B8 00010000 MOV EAX,100

00421904 E8 31F6FFFF CALL 00420F3A

00421909 8BC8 MOV ECX,EAX

0042190B 8DBD 9A404000 LEA EDI,DWORD PTR SS:[EBP+40409A]

00421911 03F8 ADD EDI,EAX

00421913 E8 36F6FFFF CALL 00420F4E

00421918 AB STOS DWORD PTR ES:[EDI]

00421919 ^ E2 F8 LOOPD SHORT 00421913

0042191B 61 POPAD

0042191C 33C0 XOR EAX,EAX

0042191E 64:8F00 POP DWORD PTR FS:[EAX]

00421921 58 POP EAX

00421922 > 60 PUSHAD ; OS is Win9x

00421923 E8 00000000 CALL 00421928

00421928 5E POP ESI

00421929 83EE 06 SUB ESI,6

0042192C B9 6C000000 MOV ECX,6C

00421931 29CE SUB ESI,ECX

00421933 BA 2B3C3C6D MOV EDX,6D3C3C2B

00421938 C1E9 02 SHR ECX,2

0042193B 83E9 02 SUB ECX,2

0042193E 83F9 00 CMP ECX,0

00421941 7C 1A JL SHORT 0042195D

00421943 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00421946 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0042194A 03C3 ADD EAX,EBX

0042194C C1C8 1B ROR EAX,1B

0042194F 03C2 ADD EAX,EDX

00421951 81F2 C6E14F4D XOR EDX,4D4FE1C6

00421957 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0042195A 49 DEC ECX

0042195B ^ EB E1 JMP SHORT 0042193E

0042195D 61 POPAD

0042195E 61 POPAD

0042195F C3 RETN

sub_Anti_Fake_Unpack:

00422027 > 60 PUSHAD ; sub_Anti_Fake_Unpack

00422028 4E DEC ESI

00422029 87EA XCHG EDX,EBP

0042202B 46 INC ESI

0042202C 50 PUSH EAX

0042202D E8 01000000 CALL 00422033

00422032 ^ 77 83 JA SHORT 00421FB7

00422034 C40458 LES EAX,FWORD PTR DS:[EAX+EBX*2] ; Modification of segment register

00422037 66:8BD1 MOV DX,CX

......

004221D2 E8 56EDFFFF CALL <GetEBP>

004221D7 C685 8D274000 C>MOV BYTE PTR SS:[EBP+40278D],0C3

004221DE 8BB5 28164000 MOV ESI,DWORD PTR SS:[EBP+401628]

004221E4 66:8B16 MOV DX,WORD PTR DS:[ESI]

004221E7 66:81FA 4D5A CMP DX,5A4D

004221EC 0F85 B1000000 JNZ <Good way>

004221F2 0FB756 3C MOVZX EDX,WORD PTR DS:[ESI+3C]

004221F6 8BFE MOV EDI,ESI

004221F8 03FA ADD EDI,EDX

004221FA 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28]

004221FD 3B85 50164000 CMP EAX,DWORD PTR SS:[EBP+401650]

00422203 74 7B JE SHORT <over way> ; 如果发现入口和原程序一样则over

00422205 90 NOP

00422206 90 NOP

00422207 90 NOP

00422208 90 NOP

00422209 3B85 54164000 CMP EAX,DWORD PTR SS:[EBP+401654] ; 比较如果入口和壳入口不一样则over,感觉有点多余，直接判断不为壳入口不行吗?

0042220F 75 6F JNZ SHORT <over way>

00422211 90 NOP

00422212 90 NOP

00422213 90 NOP

00422214 90 NOP

00422215 0FB747 06 MOVZX EAX,WORD PTR DS:[EDI+6] ; 判断section是否为5，如果不为5则over

00422219 48 DEC EAX

0042221A 3D 04000000 CMP EAX,4

0042221F 75 5F JNZ SHORT <over way>

00422221 90 NOP

00422222 90 NOP

00422223 90 NOP

00422224 90 NOP

00422225 BA 28000000 MOV EDX,28

0042222A F7E2 MUL EDX

0042222C 05 F8000000 ADD EAX,0F8

00422231 03C7 ADD EAX,EDI

00422233 50 PUSH EAX

00422234 83C0 0C ADD EAX,0C

00422237 8B18 MOV EBX,DWORD PTR DS:[EAX]

00422239 3B9D 54164000 CMP EBX,DWORD PTR SS:[EBP+401654] ; 再次判断入口是否为壳的入口,

0042223F 75 3F JNZ SHORT <over way>

00422241 90 NOP

00422242 90 NOP

00422243 90 NOP

00422244 90 NOP

00422245 5E POP ESI

00422246 813E 2E706572 CMP DWORD PTR DS:[ESI],7265702E ; 比较最后一个字的名字是否为:.perplex

0042224C 75 32 JNZ SHORT <over way> ; 如果不是则over

0042224E 90 NOP

0042224F 90 NOP

00422250 90 NOP

00422251 90 NOP

00422252 817E 04 706C657>CMP DWORD PTR DS:[ESI+4],78656C70

00422259 75 25 JNZ SHORT <over way>

0042225B 90 NOP

0042225C 90 NOP

0042225D 90 NOP

0042225E 90 NOP

0042225F 8B85 54164000 MOV EAX,DWORD PTR SS:[EBP+401654]

00422265 8BBD 28164000 MOV EDI,DWORD PTR SS:[EBP+401628]

0042226B 0FB61C07 MOVZX EBX,BYTE PTR DS:[EDI+EAX] ; 判断壳入口是否为pushad(60)如果不相等则over

0042226F 80EB 30 SUB BL,30

00422272 80FB 30 CMP BL,30

00422275 75 09 JNZ SHORT <over way>

00422277 90 NOP

00422278 90 NOP

00422279 90 NOP

0042227A 90 NOP

0042227B EB 26 JMP SHORT <Good way>

0042227D 90 NOP

0042227E 90 NOP

0042227F 90 NOP

00422280 > 60 PUSHAD ; Game over

00422281 E8 A7ECFFFF CALL <GetEBP> ; 如果发现程序被修改了就写入随机垃圾代码

00422286 B8 00010000 MOV EAX,100

0042228B E8 AAECFFFF CALL 00420F3A

00422290 8BC8 MOV ECX,EAX

00422292 8DBD 9A404000 LEA EDI,DWORD PTR SS:[EBP+40409A]

00422298 03F8 ADD EDI,EAX

0042229A E8 AFECFFFF CALL 00420F4E

0042229F AB STOS DWORD PTR ES:[EDI]

004222A0 ^ E2 F8 LOOPD SHORT 0042229A

004222A2 61 POPAD

004222A3 > 60 PUSHAD ; Good way

004222A4 E8 00000000 CALL 004222A9

004222A9 5E POP ESI

004222AA 83EE 06 SUB ESI,6

004222AD B9 D1000000 MOV ECX,0D1

004222B2 29CE SUB ESI,ECX

004222B4 BA 0D4034EF MOV EDX,EF34400D

004222B9 C1E9 02 SHR ECX,2

004222BC 83E9 02 SUB ECX,2

004222BF 83F9 00 CMP ECX,0

004222C2 7C 1A JL SHORT 004222DE

004222C4 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

004222C7 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

004222CB 33C3 XOR EAX,EBX

004222CD C1C0 14 ROL EAX,14

004222D0 33C2 XOR EAX,EDX

004222D2 81EA 85A8D2E1 SUB EDX,E1D2A885

004222D8 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

004222DB 49 DEC ECX

004222DC ^ EB E1 JMP SHORT 004222BF

004222DE 61 POPAD

004222DF 61 POPAD

004222E0 C3 RETN

sub_Copy code:

004228F3 > 60 PUSHAD ; sub_Copy code

004228F4 7A 03 JPE SHORT 004228F9

004228F6 7B 01 JPO SHORT 004228F9

004228F8 9A 0F890600 000>CALL FAR 0000:0006890F ; Far call

004228FF 81D0 94B7BD5B ADC EAX,5BBDB794

00422905 E8 01000000 CALL 0042290B

0042290A ^ 72 83 JB SHORT 0042288F

0042290C C404F9 LES EAX,FWORD PTR DS:[ECX+EDI*8] ; Modification of segment register

......

00422A9E E8 8AE4FFFF CALL <GetEBP>

00422AA3 C685 59304000 C>MOV BYTE PTR SS:[EBP+403059],0C3 ; 只执行一次call

00422AAA 8DB5 9A404000 LEA ESI,DWORD PTR SS:[EBP+40409A]

00422AB0 46 INC ESI

00422AB1 8B06 MOV EAX,DWORD PTR DS:[ESI]

00422AB3 3D 52455452 CMP EAX,52544552

00422AB8 ^ 75 F6 JNZ SHORT 00422AB0 ; 查找标志

00422ABA 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]

00422ABD 3D 49564150 CMP EAX,50415649

00422AC2 ^ 75 EC JNZ SHORT 00422AB0

00422AC4 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]

00422AC7 3D 495A4346 CMP EAX,46435A49

00422ACC ^ 75 E2 JNZ SHORT 00422AB0

00422ACE 83C6 0E ADD ESI,0E

00422AD1 8DBD AC154000 LEA EDI,DWORD PTR SS:[EBP+4015AC]

00422AD7 B9 28000000 MOV ECX,28

00422ADC F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; 复制代码

00422ADE EB 26 JMP SHORT 00422B06

00422AE0 90 NOP

00422AE1 90 NOP

00422AE2 90 NOP

00422AE3 60 PUSHAD

00422AE4 E8 44E4FFFF CALL <GetEBP>

00422AE9 B8 00010000 MOV EAX,100

00422AEE E8 47E4FFFF CALL 00420F3A

00422AF3 8BC8 MOV ECX,EAX

00422AF5 8DBD 9A404000 LEA EDI,DWORD PTR SS:[EBP+40409A]

00422AFB 03F8 ADD EDI,EAX

00422AFD E8 4CE4FFFF CALL 00420F4E

00422B02 AB STOS DWORD PTR ES:[EDI]

00422B03 ^ E2 F8 LOOPD SHORT 00422AFD

00422B05 61 POPAD

00422B06 60 PUSHAD ; 加密代码

00422B07 E8 00000000 CALL 00422B0C

00422B0C 5E POP ESI

00422B0D 83EE 06 SUB ESI,6

00422B10 B9 68000000 MOV ECX,68

00422B15 29CE SUB ESI,ECX

00422B17 BA 5EC43194 MOV EDX,9431C45E

00422B1C C1E9 02 SHR ECX,2

00422B1F 83E9 02 SUB ECX,2

00422B22 83F9 00 CMP ECX,0

00422B25 7C 1A JL SHORT 00422B41

00422B27 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00422B2A 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

00422B2E 2BC3 SUB EAX,EBX

00422B30 C1C0 1D ROL EAX,1D

00422B33 33C2 XOR EAX,EDX

00422B35 81F2 6CD4719B XOR EDX,9B71D46C

00422B3B 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

00422B3E 49 DEC ECX

00422B3F ^ EB E1 JMP SHORT 00422B22

00422B41 61 POPAD

00422B42 61 POPAD

00422B43 C3 RETN

sub_Fuck_RING0'Debugger:

004243AB > 60 PUSHAD

004243AC . E8 C1FDFFFF CALL <GetEBp> ; 检测Ring 0给调试器

004243B1 . C685 CC184000>MOV BYTE PTR SS:[EBP+4018CC],0C3

004243B8 . E8 00000000 CALL 004243BD

004243BD $ 5D POP EBP

004243BE . 8BF5 MOV ESI,EBP

004243C0 . 81ED DE184000 SUB EBP,004018DE

004243C6 . 8DB5 2C194000 LEA ESI,DWORD PTR SS:[EBP+40192C]

004243CC > 6A 00 PUSH 0

004243CE . 68 80000000 PUSH 80

004243D3 . 6A 03 PUSH 3

004243D5 . 6A 00 PUSH 0

004243D7 . 6A 03 PUSH 3

004243D9 . 68 000000C0 PUSH C0000000

004243DE . 56 PUSH ESI

004243DF . FF95 D8154000 CALL DWORD PTR SS:[EBP+4015D8] ; CreateFileA

004243E5 . 40 INC EAX

004243E6 . 75 1E JNZ SHORT 00424406

004243E8 . 90 NOP

004243E9 . 90 NOP

004243EA . 90 NOP

004243EB . 90 NOP

004243EC . 48 DEC EAX

004243ED . 50 PUSH EAX

004243EE . FF95 D4154000 CALL DWORD PTR SS:[EBP+4015D4]

004243F4 > 46 INC ESI

004243F5 . 803E 00 CMP BYTE PTR DS:[ESI],0

004243F8 .^ 75 FA JNZ SHORT 004243F4

004243FA . 46 INC ESI

004243FB . 803E 00 CMP BYTE PTR DS:[ESI],0

004243FE . 0F84 C2000000 JE 004244C6

00424404 .^ EB C6 JMP SHORT 004243CC

00424406 > E8 BB000000 CALL 004244C6

0042440B . 5C 5C 2E 5C 5>ASCII "\\.\SICE",0

00424414 . 5C 5C 2E 5C 4>ASCII "\\.\NTICE",0

0042441E . 5C 5C 2E 5C 4>ASCII "\\.\NTICE7871",0

0042442C . 5C 5C 2E 5C 4>ASCII "\\.\NTICED052",0

0042443A . 5C 5C 2E 5C 5>ASCII "\\.\TRWDEBUG",0

00424447 . 5C 5C 2E 5C 5>ASCII "\\.\TRW",0

0042444F . 5C 5C 2E 5C 5>ASCII "\\.\TRW2000",0

0042445B . 5C 5C 2E 5C 5>ASCII "\\.\SUPERBPM",0

00424468 . 5C 5C 2E 5C 4>ASCII "\\.\ICEDUMP",0

00424474 . 5C 5C 2E 5C 5>ASCII "\\.\REGMON",0

0042447F . 5C 5C 2E 5C 4>ASCII "\\.\FILEMON",0

0042448B . 5C 5C 2E 5C 5>ASCII "\\.\REGVXD",0

00424496 . 5C 5C 2E 5C 4>ASCII "\\.\FILEVXD",0

004244A2 . 5C 5C 2E 5C 5>ASCII "\\.\VKEYPROD",0

004244AF . 5C 5C 2E 5C 4>ASCII "\\.\BW2K",0

004244B8 . 5C 5C 2E 5C 5>ASCII "\\.\SIWDEBUG",0

004244C5 00 DB 00

004244C6 /$ 61 POPAD

004244C7 \. C3 RETN

sub_Fuck_int3:

0042196B > 60 PUSHAD ; sub_Fuck_int3

0042196C E8 01000000 CALL 00421972

00421971 ^ 7D 83 JGE SHORT 004218F6

00421973 04 24 ADD AL,24

......

00421B16 E8 12F4FFFF CALL <GetEBP>

00421B1B C685 D1204000 C>MOV BYTE PTR SS:[EBP+4020D1],0C3

00421B22 E8 2A000000 CALL 00421B51

00421B27 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]

00421B2B 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]

00421B2F FF81 B8000000 INC DWORD PTR DS:[ECX+B8]

00421B35 8B00 MOV EAX,DWORD PTR DS:[EAX]

00421B37 2D 03000080 SUB EAX,80000003

00421B3C 75 12 JNZ SHORT 00421B50

00421B3E 90 NOP

00421B3F 90 NOP

00421B40 90 NOP

00421B41 90 NOP

00421B42 33C0 XOR EAX,EAX

00421B44 8941 04 MOV DWORD PTR DS:[ECX+4],EAX ; 清除硬件断点

00421B47 8941 08 MOV DWORD PTR DS:[ECX+8],EAX

00421B4A 8941 0C MOV DWORD PTR DS:[ECX+C],EAX

00421B4D 8941 10 MOV DWORD PTR DS:[ECX+10],EAX

00421B50 C3 RETN

00421B51 33C0 XOR EAX,EAX

00421B53 64:FF30 PUSH DWORD PTR FS:[EAX]

00421B56 64:8920 MOV DWORD PTR FS:[EAX],ESP

00421B59 CC INT3

00421B5A 90 NOP

00421B5B 64:67:8F06 0000 POP DWORD PTR FS:[0]

00421B61 83C4 04 ADD ESP,4

00421B64 60 PUSHAD

00421B65 E8 00000000 CALL 00421B6A

00421B6A 5E POP ESI

00421B6B 83EE 06 SUB ESI,6

00421B6E B9 4E000000 MOV ECX,4E

00421B73 29CE SUB ESI,ECX

00421B75 BA 8742CECC MOV EDX,CCCE4287

00421B7A C1E9 02 SHR ECX,2

00421B7D 83E9 02 SUB ECX,2

00421B80 83F9 00 CMP ECX,0

00421B83 7C 1A JL SHORT 00421B9F

00421B85 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00421B88 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

00421B8C 2BC3 SUB EAX,EBX

00421B8E C1C8 02 ROR EAX,2

00421B91 33C2 XOR EAX,EDX

00421B93 81EA FEC97E35 SUB EDX,357EC9FE

00421B99 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

00421B9C 49 DEC ECX

00421B9D ^ EB E1 JMP SHORT 00421B80

00421B9F 61 POPAD

00421BA0 61 POPAD

00421BA1 C3 RETN

Anti_Fake_Unpack_check_Import:

00422691 > 60 PUSHAD ; Anti_Fake_Unpack_check_Import

00422692 4F DEC EDI

00422693 66:D3E7 SHL DI,CL

00422696 03F3 ADD ESI,EBX

00422698 E8 01000000 CALL 0042269E

0042269D ^ 76 83 JBE SHORT 00422622

......

0042283C E8 ECE6FFFF CALL <GetEBP>

00422841 C685 F72D4000 C>MOV BYTE PTR SS:[EBP+402DF7],0C3

00422848 8BB5 28164000 MOV ESI,DWORD PTR SS:[EBP+401628] ; 定位pe头

0042284E 0FB756 3C MOVZX EDX,WORD PTR DS:[ESI+3C]

00422852 8BFE MOV EDI,ESI

00422854 03FA ADD EDI,EDX

00422856 83C7 78 ADD EDI,78

00422859 83C7 08 ADD EDI,8

0042285C 8B07 MOV EAX,DWORD PTR DS:[EDI] ; 定位输入表

0042285E 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4] ; 定位输入表大小

00422861 81FB D8000000 CMP EBX,0D8 ; 如果输入表大小不为D8则over

00422867 75 29 JNZ SHORT <over>

00422869 90 NOP

0042286A 90 NOP

0042286B 90 NOP

0042286C 90 NOP

0042286D 0385 28164000 ADD EAX,DWORD PTR SS:[EBP+401628]

00422873 05 88000000 ADD EAX,88

00422878 B9 4D000000 MOV ECX,4D

0042287D E8 C2020000 CALL 00422B44

00422882 3D 8A180000 CMP EAX,188A ; 又来检测了

00422887 75 09 JNZ SHORT <over>

00422889 90 NOP

0042288A 90 NOP

0042288B 90 NOP

0042288C 90 NOP

0042288D EB 26 JMP SHORT 004228B5

0042288F 90 NOP

00422890 90 NOP

00422891 90 NOP

00422892 > 60 PUSHAD ; over

00422893 E8 95E6FFFF CALL <GetEBP>

00422898 B8 00010000 MOV EAX,100

0042289D E8 98E6FFFF CALL 00420F3A

004228A2 8BC8 MOV ECX,EAX

004228A4 8DBD 9A404000 LEA EDI,DWORD PTR SS:[EBP+40409A]

004228AA 03F8 ADD EDI,EAX

004228AC E8 9DE6FFFF CALL 00420F4E

004228B1 AB STOS DWORD PTR ES:[EDI]

004228B2 ^ E2 F8 LOOPD SHORT 004228AC

004228B4 61 POPAD

004228B5 60 PUSHAD

004228B6 E8 00000000 CALL 004228BB

004228BB 5E POP ESI

004228BC 83EE 06 SUB ESI,6

004228BF B9 79000000 MOV ECX,79

004228C4 29CE SUB ESI,ECX

004228C6 BA B4276A21 MOV EDX,216A27B4

004228CB C1E9 02 SHR ECX,2

004228CE 83E9 02 SUB ECX,2

004228D1 83F9 00 CMP ECX,0

004228D4 7C 1A JL SHORT 004228F0

004228D6 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

004228D9 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

004228DD 03C3 ADD EAX,EBX

004228DF C1C8 08 ROR EAX,8

004228E2 03C2 ADD EAX,EDX

004228E4 81C2 18896C50 ADD EDX,506C8918

004228EA 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

004228ED 49 DEC ECX

004228EE ^ EB E1 JMP SHORT 004228D1

004228F0 61 POPAD

004228F1 61 POPAD

004228F2 C3 RETN

sub_Restore_Crypted_Code:

0058B379 > 60 PUSHAD ; sub_Restore_Crypted_Code

......

0058B525 60 PUSHAD

0058B526 8B4424 44 MOV EAX,DWORD PTR SS:[ESP+44]

0058B52A 2B85 46F84000 SUB EAX,DWORD PTR SS:[EBP+40F846]

0058B530 8BD8 MOV EBX,EAX

0058B532 33C9 XOR ECX,ECX

0058B534 49 DEC ECX

0058B535 41 INC ECX

0058B536 83F9 64 CMP ECX,64

0058B539 74 19 JE SHORT 0058B554

0058B53B 90 NOP

0058B53C 90 NOP

0058B53D 90 NOP

0058B53E 90 NOP

0058B53F 8B848D 3D1B4000 MOV EAX,DWORD PTR SS:[EBP+ECX*4+401B3D]

0058B546 03848D CD1C4000 ADD EAX,DWORD PTR SS:[EBP+ECX*4+401CCD]

0058B54D 83E8 24 SUB EAX,24

0058B550 3BC3 CMP EAX,EBX

0058B552 ^ 75 E1 JNZ SHORT 0058B535

0058B554 8BB48D 5D1E4000 MOV ESI,DWORD PTR SS:[EBP+ECX*4+401E5D]

0058B55B 8BBC8D 3D1B4000 MOV EDI,DWORD PTR SS:[EBP+ECX*4+401B3D]

0058B562 03BD 46F84000 ADD EDI,DWORD PTR SS:[EBP+40F846]

0058B568 8B948D CD1C4000 MOV EDX,DWORD PTR SS:[EBP+ECX*4+401CCD]

0058B56F 87CA XCHG EDX,ECX

0058B571 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[E>; 把代码加密回去

0058B573 90 NOP

......

0058B5AF 61 POPAD

0058B5B0 C3 RETN

sub_GetEBP:

0058C100 > E8 00000000 CALL 0058C105 ; sub_GetEBP

0058C105 5D POP EBP

0058C106 81ED 05114100 SUB EBP,00411105 ; 计算EBP的值，用于定位实际的地址

0058C10C C3 RETN ; EBP==0017B000

sub_GetEP_CRYPT_KEY:

005910B0 > 60 PUSHAD ; 开始解压代码

005910B1 D3C0 ROL EAX,CL

005910B3 F8 CLC

005910B4 F9 STC

005910B5 72 03 JB SHORT 005910BA

005910B7 73 01 JNB SHORT 005910BA

005910B9 ^ 79 F9 JNS SHORT 005910B4

005910BB EB 01 JMP SHORT 005910BE

......

00591243 8125 D9C95700 4>AND DWORD PTR DS:[57C9D9],8E10C147

0059124D 4F DEC EDI

0059124E ^ 0F85 54FFFFFF JNZ 005911A8 ; 没有解压完跳回去继续

......

0059125B E8 A0AEFFFF CALL <sub_GetEBP >

00591260 8B85 46F84000 MOV EAX,DWORD PTR SS:[EBP+40F846] ; MOV EAX,OFFSET dd_IMAGEBASE

00591266 8B70 3C MOV ESI,DWORD PTR DS:[EAX+3C] ; Get PEHEADER

00591269 03B5 46F84000 ADD ESI,DWORD PTR SS:[EBP+40F846]

0059126F 83C6 28 ADD ESI,28 ; 定位AddressOfEntryPoint(定位壳入口)

00591272 AD LODS DWORD PTR DS:[ESI] ; 壳入口RVA为:17C000

00591273 8AD8 MOV BL,AL

00591275 02DC ADD BL,AH

00591277 C1E8 10 SHR EAX,10

0059127A 02D8 ADD BL,AL

0059127C 02DC ADD BL,AH ; 实际就是把壳EP直接相加，

0059127E 889D 1E204000 MOV BYTE PTR SS:[EBP+40201E],BL ; 相加后的值做为KEY保存在[EBP+40201E]处,[57D01E]==D7(17+C0)

00591284 60 PUSHAD ; 计算完毕把代码再加密回去

00591285 E8 00000000 CALL 0059128A

0059128A 5E POP ESI

0059128B 83EE 06 SUB ESI,6

0059128E B9 29000000 MOV ECX,29

00591293 29CE SUB ESI,ECX

00591295 BA 151E68EC MOV EDX,EC681E15

0059129A C1E9 02 SHR ECX,2

0059129D 83E9 02 SUB ECX,2

005912A0 83F9 00 /CMP ECX,0

005912A3 7C 1A |JL SHORT 005912BF

005912A5 8B048E |MOV EAX,DWORD PTR DS:[ESI+ECX*4]

005912A8 8B5C8E 04 |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

005912AC 33C3 |XOR EAX,EBX

005912AE C1C0 1C |ROL EAX,1C

005912B1 2BC2 |SUB EAX,EDX

005912B3 81EA F0B28598 |SUB EDX,9885B2F0

005912B9 89048E |MOV DWORD PTR DS:[ESI+ECX*4],EAX

005912BC 49 |DEC ECX

005912BD ^ EB E1 \JMP SHORT 005912A0 ; 循环加密代码

005912BF 61 POPAD

005912C0 61 POPAD

005912C1 C3 RETN

Get_RND_VALUE:

0058B8CE > 52 PUSH EDX

0058B8CF 0F31 RDTSC

0058B8D1 C1D0 02 RCL EAX,2

0058B8D4 05 78563412 ADD EAX,12345678

0058B8D9 13C4 ADC EAX,ESP

0058B8DB 33C1 XOR EAX,ECX

0058B8DD 3185 D5084100 XOR DWORD PTR SS:[EBP+4108D5],EAX ; [0058B8D5]==A0C10B22,每次的结果应该不同的

0058B8E3 034424 F8 ADD EAX,DWORD PTR SS:[ESP-8]

0058B8E7 D1D0 RCL EAX,1

0058B8E9 5A POP EDX

0058B8EA C3 RETN

sub_GETAPIAddress:

0058E5FB > E8 00DBFFFF CALL <sub_GetEBP >

; sub_GETAPIAddress

0058E600 8D85 83FB4000 LEA EAX,DWORD PTR SS:[EBP+40FB83] ; 从58ABD3处开始取API的地址

0058E606 8BD8 MOV EBX,EAX

0058E608 50 PUSH EAX

0058E609 50 PUSH EAX

0058E60A 8B85 20854100 MOV EAX,DWORD PTR SS:[EBP+418520] ; GetModuleHandleA

0058E610 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058E613 83E8 33 SUB EAX,33

0058E616 3D 99000000 CMP EAX,99

0058E61B 74 10 JE SHORT <Game Over> ; 判断是否在API的入口处下了INT 3断点,如果下了则OVER了

0058E61D 90 NOP

0058E61E 90 NOP

0058E61F 90 NOP

0058E620 90 NOP

0058E621 58 POP EAX ; /hModule=='Kernel32.dll'

0058E622 FF95 20854100 CALL DWORD PTR SS:[EBP+418520] ; \GetModuleHandleA

0058E628 EB 17 JMP SHORT <Next>

0058E62A 90 NOP

0058E62B 90 NOP

0058E62C 90 NOP

0058E62D > B8 E8030000 MOV EAX,3E8 ; Game Over

0058E632 E8 97D2FFFF CALL <Get_RND_VALUE>

0058E637 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058E63D 03F8 ADD EDI,EAX

0058E63F AB STOS DWORD PTR ES:[EDI]

0058E640 58 POP EAX

0058E641 > 0BC0 OR EAX,EAX

0058E643 75 3D JNZ SHORT <DLL_isLoaded>

0058E645 90 NOP

0058E646 90 NOP

0058E647 90 NOP

0058E648 90 NOP

0058E649 53 PUSH EBX

0058E64A 50 PUSH EAX

0058E64B 8B85 24854100 MOV EAX,DWORD PTR SS:[EBP+418524] ; LoadLibraryA

0058E651 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058E654 83E8 33 SUB EAX,33

0058E657 3D 99000000 CMP EAX,99

0058E65C 74 10 JE SHORT <GameOver>

0058E65E 90 NOP

0058E65F 90 NOP

0058E660 90 NOP

0058E661 90 NOP

0058E662 58 POP EAX ; /hModule='kernel32.dll'

0058E663 FF95 24854100 CALL DWORD PTR SS:[EBP+418524] ; \LoadLibraryA

0058E669 EB 17 JMP SHORT <DLL_isLoaded>

0058E66B 90 NOP

0058E66C 90 NOP

0058E66D 90 NOP

0058E66E > B8 E8030000 MOV EAX,3E8

0058E673 E8 56D2FFFF CALL <Get_RND_VALUE>

0058E678 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058E67E 03F8 ADD EDI,EAX

0058E680 AB STOS DWORD PTR ES:[EDI]

0058E681 58 POP EAX

0058E682 > 8BD8 MOV EBX,EAX ; DLL_IsLoaded

0058E684 8985 12204000 MOV DWORD PTR SS:[EBP+402012],EAX

0058E68A B8 90FB4000 MOV EAX,0040FB90

0058E68F BA FFFC4000 MOV EDX,0040FCFF ; /GlobalALLOC

0058E694 E8 91DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E699 B8 9CFB4000 MOV EAX,0040FB9C

0058E69E BA 03FD4000 MOV EDX,0040FD03 ; /GlobalFree

0058E6A3 E8 82DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6A8 B8 A7FB4000 MOV EAX,0040FBA7

0058E6AD BA 17FD4000 MOV EDX,0040FD17 ; /GetCurrentProcessId

0058E6B2 E8 73DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6B7 B8 BBFB4000 MOV EAX,0040FBBB

0058E6BC BA 1BFD4000 MOV EDX,0040FD1B ; /CreateToolhelp32Snapshot

0058E6C1 E8 64DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6C6 B8 D4FB4000 MOV EAX,0040FBD4

0058E6CB BA 1FFD4000 MOV EDX,0040FD1F ; /Process32First

0058E6D0 E8 55DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6D5 B8 E3FB4000 MOV EAX,0040FBE3

0058E6DA BA 23FD4000 MOV EDX,0040FD23 ; /Process32Next

0058E6DF E8 46DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6E4 B8 F1FB4000 MOV EAX,0040FBF1

0058E6E9 BA 27FD4000 MOV EDX,0040FD27 ; /CloseHandle

0058E6EE E8 37DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E6F3 B8 FDFB4000 MOV EAX,0040FBFD

0058E6F8 BA 2BFD4000 MOV EDX,0040FD2B ; /CreateFileA

0058E6FD E8 28DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E702 B8 09FC4000 MOV EAX,0040FC09

0058E707 BA 2FFD4000 MOV EDX,0040FD2F ; /TerminateProcess

0058E70C E8 19DAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E711 B8 1AFC4000 MOV EAX,0040FC1A

0058E716 BA 47FD4000 MOV EDX,0040FD47 ; /IsDebuggerPresent

0058E71B E8 0ADAFFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E720 B8 2CFC4000 MOV EAX,0040FC2C

0058E725 BA 4BFD4000 MOV EDX,0040FD4B ; /OpenProcess

0058E72A E8 FBD9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E72F B8 38FC4000 MOV EAX,0040FC38

0058E734 BA 4FFD4000 MOV EDX,0040FD4F ; /ReadFile

0058E739 E8 ECD9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E73E B8 41FC4000 MOV EAX,0040FC41

0058E743 BA 53FD4000 MOV EDX,0040FD53 ; /WriteFile

0058E748 E8 DDD9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E74D B8 4BFC4000 MOV EAX,0040FC4B

0058E752 BA 57FD4000 MOV EDX,0040FD57 ; /FreeLibrary

0058E757 E8 CED9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E75C B8 57FC4000 MOV EAX,0040FC57

0058E761 BA 5BFD4000 MOV EDX,0040FD5B ; /GetTempPathA

0058E766 E8 BFD9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E76B B8 64FC4000 MOV EAX,0040FC64

0058E770 BA 5FFD4000 MOV EDX,0040FD5F ; /UnhandledExceptionFilter

0058E775 E8 B0D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E77A B8 7DFC4000 MOV EAX,0040FC7D

0058E77F BA 67FD4000 MOV EDX,0040FD67 ; /GetThreadContext

0058E784 E8 A1D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E789 B8 8EFC4000 MOV EAX,0040FC8E

0058E78E BA 6BFD4000 MOV EDX,0040FD6B ; /SetThreadContext

0058E793 E8 92D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E798 B8 9FFC4000 MOV EAX,0040FC9F

0058E79D BA 6FFD4000 MOV EDX,0040FD6F ; /GetCurrentThread

0058E7A2 E8 83D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E7A7 B8 A7FD4000 MOV EAX,0040FDA7

0058E7AC BA A3FD4000 MOV EDX,0040FDA3 ; /SetFilePointer

0058E7B1 E8 74D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E7B6 B8 D7FD4000 MOV EAX,0040FDD7

0058E7BB BA 73FD4000 MOV EDX,0040FD73 ; /GetModuleFileNameA

0058E7C0 E8 65D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E7C5 B8 EAFD4000 MOV EAX,0040FDEA

0058E7CA BA 77FD4000 MOV EDX,0040FD77 ; /GetFileSize

0058E7CF E8 56D9FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E7D4 8D85 B0FC4000 LEA EAX,DWORD PTR SS:[EBP+40FCB0] ; User32.dll

0058E7DA 8BD8 MOV EBX,EAX

0058E7DC 50 PUSH EAX

0058E7DD 50 PUSH EAX

0058E7DE 8B85 20854100 MOV EAX,DWORD PTR SS:[EBP+418520] ; GetModuleHandleA

0058E7E4 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058E7E7 83E8 33 SUB EAX,33

0058E7EA 3D 99000000 CMP EAX,99

0058E7EF 74 10 JE SHORT 0058E801

0058E7F1 90 NOP

0058E7F2 90 NOP

0058E7F3 90 NOP

0058E7F4 90 NOP

0058E7F5 58 POP EAX

0058E7F6 FF95 20854100 CALL DWORD PTR SS:[EBP+418520]

0058E7FC EB 17 JMP SHORT 0058E815

0058E7FE 90 NOP

0058E7FF 90 NOP

0058E800 90 NOP

0058E801 B8 E8030000 MOV EAX,3E8 ; Over

0058E806 E8 C3D0FFFF CALL <Get_RND_VALUE>

0058E80B 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058E811 03F8 ADD EDI,EAX

0058E813 AB STOS DWORD PTR ES:[EDI]

0058E814 58 POP EAX

0058E815 0BC0 OR EAX,EAX

0058E817 75 3D JNZ SHORT 0058E856

0058E819 90 NOP

0058E81A 90 NOP

0058E81B 90 NOP

0058E81C 90 NOP

0058E81D 53 PUSH EBX

0058E81E 50 PUSH EAX

0058E81F 8B85 24854100 MOV EAX,DWORD PTR SS:[EBP+418524]

0058E825 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058E828 83E8 33 SUB EAX,33

0058E82B 3D 99000000 CMP EAX,99

0058E830 74 10 JE SHORT 0058E842

0058E832 90 NOP

0058E833 90 NOP

0058E834 90 NOP

0058E835 90 NOP

0058E836 58 POP EAX

0058E837 FF95 24854100 CALL DWORD PTR SS:[EBP+418524] ; LoadLibraryA

0058E83D EB 17 JMP SHORT 0058E856

0058E83F 90 NOP

0058E840 90 NOP

0058E841 90 NOP

0058E842 B8 E8030000 MOV EAX,3E8

0058E847 E8 82D0FFFF CALL <Get_RND_VALUE>

0058E84C 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058E852 03F8 ADD EDI,EAX

0058E854 AB STOS DWORD PTR ES:[EDI]

0058E855 58 POP EAX

0058E856 8BD8 MOV EBX,EAX ; dllis loaded

0058E858 8985 16204000 MOV DWORD PTR SS:[EBP+402016],EAX

0058E85E B8 BBFC4000 MOV EAX,0040FCBB

0058E863 BA 07FD4000 MOV EDX,0040FD07 ; /EnumWindows

0058E868 E8 BDD8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E86D B8 C7FC4000 MOV EAX,0040FCC7

0058E872 BA 0BFD4000 MOV EDX,0040FD0B ; /GetWindowTextA

0058E877 E8 AED8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E87C B8 D6FC4000 MOV EAX,0040FCD6

0058E881 BA 0FFD4000 MOV EDX,0040FD0F ; /GetClassNameA

0058E886 E8 9FD8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E88B B8 E4FC4000 MOV EAX,0040FCE4

0058E890 BA 13FD4000 MOV EDX,0040FD13 ; /PostMessageA

0058E895 E8 90D8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E89A B8 BAFD4000 MOV EAX,0040FDBA

0058E89F BA B6FD4000 MOV EDX,0040FDB6 ; /wsprintfA

0058E8A4 E8 81D8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E8A9 B8 C8FD4000 MOV EAX,0040FDC8

0058E8AE BA C4FD4000 MOV EDX,0040FDC4 ; /RegisterHotKey

0058E8B3 E8 72D8FFFF CALL <sub_GetProcAddress> ; \GetProcAddressFun

0058E8B8 8DBD 83FB4000 LEA EDI,DWORD PTR SS:[EBP+40FB83]

0058E8BE 8D8D F1FC4000 LEA ECX,DWORD PTR SS:[EBP+40FCF1] ; 获取完相关的API后，清除名字

0058E8C4 2BCF SUB ECX,EDI ; 大小为16e

0058E8C6 33C0 XOR EAX,EAX

0058E8C8 F3:AA REP STOS BYTE PTR ES:[EDI] ; 清除壳API数据

0058E8CA C3 RETN

sub_GetProcAddress:

0058C12A > 53 PUSH EBX ; sub_GetProcAddress

0058C12B 50 PUSH EAX

0058C12C 52 PUSH EDX

0058C12D 03C5 ADD EAX,EBP

0058C12F 50 PUSH EAX

0058C130 53 PUSH EBX

0058C131 50 PUSH EAX

0058C132 8B85 1C854100 MOV EAX,DWORD PTR SS:[EBP+41851C]

0058C138 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058C13B 83E8 33 SUB EAX,33

0058C13E 3D 99000000 CMP EAX,99

0058C143 74 10 JE SHORT <gameOver>

0058C145 90 NOP

0058C146 90 NOP

0058C147 90 NOP

0058C148 90 NOP

0058C149 58 POP EAX ; /GlobalAlloc

0058C14A FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C] ; \GetProcAddress

0058C150 EB 17 JMP SHORT <save address>

0058C152 90 NOP

0058C153 90 NOP

0058C154 90 NOP

0058C155 > B8 E8030000 MOV EAX,3E8 ; GameOver

0058C15A E8 6FF7FFFF CALL <Get_RND_VALUE>

0058C15F 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058C165 03F8 ADD EDI,EAX

0058C167 AB STOS DWORD PTR ES:[EDI]

0058C168 58 POP EAX

0058C169 > 5A POP EDX ; save address

0058C16A 894415 00 MOV DWORD PTR SS:[EBP+EDX],EAX ; 填入正确的API

0058C16E 58 POP EAX

0058C16F 5B POP EBX

0058C170 C3 RETN

COPY_Import table:

00590C48 > 60 PUSHAD ; COPY_Import table

00590C49 47 INC EDI

00590C4A 7A 02 JPE SHORT 00590C4E

00590C4C 85FB TEST EBX,EDI

00590C4E 8BC1 MOV EAX,ECX

00590C50 7E 03 JLE SHORT 00590C55

00590C52 7F 01 JG SHORT 00590C55

00590C54 ^ 75 D3 JNZ SHORT 00590C29

00590C56 ^ E0 E8 LOOPDNE SHORT 00590C40

00590C58 0100 ADD DWORD PTR DS:[EAX],EAX

00590C5A 0000 ADD BYTE PTR DS:[EAX],AL

00590C5C ^ 71 83 JNO SHORT 00590BE1

00590C5E C404FC LES EAX,FWORD PTR SS:[ESP+EDI*8] ; Modification of segment register

00590C61 E8 01000000 CALL 00590C67

00590C66 ^ 7C 83 JL SHORT 00590BEB

......

00590DF3 E8 08B3FFFF CALL <sub_GetEBP >

00590DF8 8DB5 1C854100 LEA ESI,DWORD PTR SS:[EBP+41851C] ; 壳输入表起始位置

00590DFE 8DBD 33FD4000 LEA EDI,DWORD PTR SS:[EBP+40FD33] ; 复制到目标地址的起始位置

00590E04 B9 05000000 MOV ECX,5

00590E09 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>; 复制

00590E0B 8DBD 43FD4000 LEA EDI,DWORD PTR SS:[EBP+40FD43]

00590E11 8D85 4BFE4000 LEA EAX,DWORD PTR SS:[EBP+40FE4B]

00590E17 AB STOS DWORD PTR ES:[EDI] ; 把MessageBoxA的地址改为58AE4B

00590E18 60 PUSHAD ; 加密代码

00590E19 E8 00000000 CALL 00590E1E

00590E1E 5E POP ESI

00590E1F 83EE 06 SUB ESI,6

00590E22 B9 25000000 MOV ECX,25

00590E27 29CE SUB ESI,ECX

00590E29 BA AB6D95B2 MOV EDX,B2956DAB

00590E2E C1E9 02 SHR ECX,2

00590E31 83E9 02 SUB ECX,2

00590E34 83F9 00 /CMP ECX,0

00590E37 7C 1A |JL SHORT 00590E53

00590E39 8B048E |MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00590E3C 8B5C8E 04 |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

00590E40 33C3 |XOR EAX,EBX

00590E42 C1C8 02 |ROR EAX,2

00590E45 03C2 |ADD EAX,EDX

00590E47 81F2 7CDB1D5C |XOR EDX,5C1DDB7C

00590E4D 89048E |MOV DWORD PTR DS:[ESI+ECX*4],EAX

00590E50 49 |DEC ECX

00590E51 ^ EB E1 \JMP SHORT 00590E34

00590E53 61 POPAD

00590E54 61 POPAD

00590E55 C3 RETN

UnPack_sections:

0058E398 > 60 PUSHAD ; UnPack_sections

0058E399 48 DEC EAX

0058E39A 85E8 TEST EAX,EBP

0058E39C E8 01000000 CALL 0058E3A2

0058E3A1 ^ EB 83 JMP SHORT 0058E326

0058E3A3 04 24 ADD AL,24

0058E3A5 06 PUSH ES

0058E3A6 C3 RETN

......

0058E543 E8 B8DBFFFF CALL <sub_GetEBP >

0058E548 C685 98334100 C>MOV BYTE PTR SS:[EBP+413398],0C3

0058E54F 8DB5 4EF84000 LEA ESI,DWORD PTR SS:[EBP+40F84E]

0058E555 56 PUSH ESI ; 开始循环解压各段的代码

0058E556 AD LODS DWORD PTR DS:[ESI]

0058E557 0BC0 OR EAX,EAX

0058E559 74 49 JE SHORT 0058E5A4

0058E55B 90 NOP

0058E55C 90 NOP

0058E55D 90 NOP

0058E55E 90 NOP

0058E55F 50 PUSH EAX

0058E560 AD LODS DWORD PTR DS:[ESI]

0058E561 91 XCHG EAX,ECX

0058E562 51 PUSH ECX

0058E563 51 PUSH ECX ; /MemSize = 9EB02 (649986.)

0058E564 6A 40 PUSH 40 ; |Flags = GPTR

0058E566 FF95 FFFC4000 CALL DWORD PTR SS:[EBP+40FCFF] ; \GlobalAlloc

0058E56C 8985 4AF84000 MOV DWORD PTR SS:[EBP+40F84A],EAX

0058E572 59 POP ECX

0058E573 58 POP EAX

0058E574 0385 46F84000 ADD EAX,DWORD PTR SS:[EBP+40F846]

0058E57A 8BF0 MOV ESI,EAX

0058E57C 50 PUSH EAX

0058E57D 8BBD 4AF84000 MOV EDI,DWORD PTR SS:[EBP+40F84A]

0058E583 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[E>

0058E585 58 POP EAX

0058E586 50 PUSH EAX ; /save code

0058E587 FFB5 4AF84000 PUSH DWORD PTR SS:[EBP+40F84A] ; |Crypted code

0058E58D E8 2C4C0000 CALL <ApLibUnpack> ; \Unpack code

0058E592 FFB5 4AF84000 PUSH DWORD PTR SS:[EBP+40F84A] ; /hMem

0058E598 FF95 03FD4000 CALL DWORD PTR SS:[EBP+40FD03] ; \GlobalFree

0058E59E 5E POP ESI

0058E59F 83C6 08 ADD ESI,8

0058E5A2 ^ EB B1 JMP SHORT 0058E555

0058E5A4 5E POP ESI

0058E5A5 68 30750000 PUSH 7530 ; /MemSize =7530h

0058E5AA 6A 40 PUSH 40 ; |Flags = GPTR

0058E5AC FF95 FFFC4000 CALL DWORD PTR SS:[EBP+40FCFF] ; \GlobalAlloc

0058E5B2 8985 4AF84000 MOV DWORD PTR SS:[EBP+40F84A],EAX

0058E5B8 60 PUSHAD ; 加密代码

0058E5B9 E8 00000000 CALL 0058E5BE

0058E5BE 5E POP ESI

0058E5BF 83EE 06 SUB ESI,6

0058E5C2 B9 75000000 MOV ECX,75

0058E5C7 29CE SUB ESI,ECX

0058E5C9 BA 2C5B0D05 MOV EDX,50D5B2C

0058E5CE C1E9 02 SHR ECX,2

0058E5D1 83E9 02 SUB ECX,2

0058E5D4 83F9 00 CMP ECX,0

0058E5D7 7C 1A JL SHORT 0058E5F3

0058E5D9 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058E5DC 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058E5E0 03C3 ADD EAX,EBX

0058E5E2 C1C8 11 ROR EAX,11

0058E5E5 33C2 XOR EAX,EDX

0058E5E7 81F2 97C336B5 XOR EDX,B536C397

0058E5ED 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058E5F0 49 DEC ECX

0058E5F1 ^ EB E1 JMP SHORT 0058E5D4

0058E5F3 61 POPAD

0058E5F4 61 POPAD

0058E5F5 E8 F7240000 CALL <DLL_Reloc_Crypt>

0058E5FA C3 RETN

DLL_Reloc_Crypt:

00590AF1 > 60 PUSHAD ; DLL_Reloc_Crypt

00590AF2 EB 1D JMP SHORT 00590B11

00590AF4 90 NOP

00590AF5 90 NOP

00590AF6 90 NOP

00590AF7 0000 ADD BYTE PTR DS:[EAX],AL

00590AF9 0000 ADD BYTE PTR DS:[EAX],AL

00590AFB 0000 ADD BYTE PTR DS:[EAX],AL

00590AFD 0000 ADD BYTE PTR DS:[EAX],AL

00590AFF 2E:52 PUSH EDX ; Superfluous prefix

00590B01 45 INC EBP

00590B02 4C DEC ESP

00590B03 4F DEC EDI

00590B04 43 INC EBX

00590B05 0000 ADD BYTE PTR DS:[EAX],AL

00590B07 0000 ADD BYTE PTR DS:[EAX],AL

00590B09 0000 ADD BYTE PTR DS:[EAX],AL

00590B0B 0000 ADD BYTE PTR DS:[EAX],AL

00590B0D 0000 ADD BYTE PTR DS:[EAX],AL

00590B0F 0000 ADD BYTE PTR DS:[EAX],AL

00590B11 E8 EAB5FFFF CALL <sub_GetEBP >

00590B16 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]

00590B1A 2B95 46F84000 SUB EDX,DWORD PTR SS:[EBP+40F846]

00590B20 E8 12FFFFFF CALL 00590A37

00590B25 FFB5 07574100 PUSH DWORD PTR SS:[EBP+415707]

00590B2B 8F85 03574100 POP DWORD PTR SS:[EBP+415703]

00590B31 8B85 F75A4100 MOV EAX,DWORD PTR SS:[EBP+415AF7] ; 获取重定位表RVA

00590B37 0BC0 OR EAX,EAX

00590B39 0F84 E4000000 JE <Reloc finished> ; 如果重定位表为空则跳

00590B3F 8B85 46F84000 MOV EAX,DWORD PTR SS:[EBP+40F846] ; MOV EAX,OFFSET IMAGEBASE(这里指内存IMAGEBASE，如果是DLL，IMAGEBASE就不一定等于文件的IMAGEBASE)

00590B45 8B70 3C MOV ESI,DWORD PTR DS:[EAX+3C]

00590B48 03B5 46F84000 ADD ESI,DWORD PTR SS:[EBP+40F846]

00590B4E 83C6 34 ADD ESI,34

00590B51 AD LODS DWORD PTR DS:[ESI] ; 载入文件IMAGEBASE(默认为400000)

00590B52 8B9D 46F84000 MOV EBX,DWORD PTR SS:[EBP+40F846] ; 实际内存IMAGEBASE

00590B58 2BD8 SUB EBX,EAX

00590B5A 899D 055B4100 MOV DWORD PTR SS:[EBP+415B05],EBX

00590B60 0BDB OR EBX,EBX

00590B62 0F84 BB000000 JE <Reloc finished> ; 如果相等则不处理重定位表

00590B68 8BB5 46F84000 MOV ESI,DWORD PTR SS:[EBP+40F846]

00590B6E 03B5 F75A4100 ADD ESI,DWORD PTR SS:[EBP+415AF7] ; mem IMAGEBASE

00590B74 8B8D FB5A4100 MOV ECX,DWORD PTR SS:[EBP+415AFB] ; RELOC SIZE

00590B7A 03F1 ADD ESI,ECX

00590B7C 89B5 095B4100 MOV DWORD PTR SS:[EBP+415B09],ESI

00590B82 2BF1 SUB ESI,ECX

00590B84 3BB5 095B4100 /CMP ESI,DWORD PTR SS:[EBP+415B09] ; 如果处理完则跳去结束处

00590B8A 0F8D 93000000 |JGE <Reloc finished> ; 循环处理重定位表

00590B90 8BBD 46F84000 |MOV EDI,DWORD PTR SS:[EBP+40F846]

00590B96 8BD6 |MOV EDX,ESI

00590B98 AD |LODS DWORD PTR DS:[ESI]

00590B99 03F8 |ADD EDI,EAX

00590B9B AD |LODS DWORD PTR DS:[ESI]

00590B9C 03D0 |ADD EDX,EAX

00590B9E 83E8 08 |SUB EAX,8

00590BA1 D1E8 |SHR EAX,1

00590BA3 8BC8 |MOV ECX,EAX

00590BA5 66:AD |/LODS WORD PTR DS:[ESI]

00590BA7 66:0BC0 ||OR AX,AX

00590BAA 74 70 ||JE SHORT 00590C1C

00590BAC 90 ||NOP

00590BAD 90 ||NOP

00590BAE 90 ||NOP

00590BAF 90 ||NOP

00590BB0 0FB7D8 ||MOVZX EBX,AX

00590BB3 81E3 FF0F0000 ||AND EBX,0FFF

00590BB9 E8 67000000 ||CALL 00590C25

00590BBE 83BD 07574100 0>||CMP DWORD PTR SS:[EBP+415707],0

00590BC5 75 53 ||JNZ SHORT 00590C1A

00590BC7 90 ||NOP

00590BC8 90 ||NOP

00590BC9 90 ||NOP

00590BCA 90 ||NOP

00590BCB 66:C1E8 0C ||SHR AX,0C

00590BCF 66:48 ||DEC AX

00590BD1 66:0BC0 ||OR AX,AX

00590BD4 75 14 ||JNZ SHORT 00590BEA

00590BD6 90 ||NOP

00590BD7 90 ||NOP

00590BD8 90 ||NOP

00590BD9 90 ||NOP

00590BDA 50 ||PUSH EAX

00590BDB 66:8B85 075B410>||MOV AX,WORD PTR SS:[EBP+415B07]

00590BE2 66:01441F 02 ||ADD WORD PTR DS:[EDI+EBX+2],AX

00590BE7 58 ||POP EAX

00590BE8 ^ E2 BB ||LOOPD SHORT 00590BA5

00590BEA 66:48 ||DEC AX

00590BEC 66:0BC0 ||OR AX,AX

00590BEF 75 13 ||JNZ SHORT 00590C04

00590BF1 90 ||NOP

00590BF2 90 ||NOP

00590BF3 90 ||NOP

00590BF4 90 ||NOP

00590BF5 50 ||PUSH EAX

00590BF6 66:8B85 055B410>||MOV AX,WORD PTR SS:[EBP+415B05]

00590BFD 66:01041F ||ADD WORD PTR DS:[EDI+EBX],AX

00590C01 58 ||POP EAX

00590C02 ^ E2 A1 ||LOOPD SHORT 00590BA5

00590C04 66:48 ||DEC AX

00590C06 66:0BC0 ||OR AX,AX

00590C09 75 0F ||JNZ SHORT 00590C1A

00590C0B 90 ||NOP

00590C0C 90 ||NOP

00590C0D 90 ||NOP

00590C0E 90 ||NOP

00590C0F 50 ||PUSH EAX

00590C10 8B85 055B4100 ||MOV EAX,DWORD PTR SS:[EBP+415B05]

00590C16 01041F ||ADD DWORD PTR DS:[EDI+EBX],EAX

00590C19 58 ||POP EAX

00590C1A ^ E2 89 |\LOOPD SHORT 00590BA5

00590C1C 8BF2 |MOV ESI,EDX

00590C1E ^ E9 61FFFFFF \JMP 00590B84

00590C23 > 61 POPAD

00590C24 C3 RETN

Restore_JMP API TABLE:

00590E56 > 60 PUSHAD ; Restore_JMP API TABLE

00590E57 46 INC ESI

00590E58 87D6 XCHG ESI,EDX

00590E5A 66:81F1 8666 XOR CX,6686

00590E5F EB 01 JMP SHORT 00590E62

00590E61 EB 41 JMP SHORT 00590EA4

00590E63 E8 01000000 CALL 00590E69

......

00591001 E8 FAB0FFFF CALL <sub_GetEBP >

00591006 B9 1C000000 MOV ECX,1C

0059100B 8DB5 FFFC4000 LEA ESI,DWORD PTR SS:[EBP+40FCFF]

00591011 8DBD EF074100 LEA EDI,DWORD PTR SS:[EBP+4107EF] ; 从58b7F6处开始还原API JMP

00591017 83C7 07 ADD EDI,7

0059101A B0 90 MOV AL,90

0059101C AA STOS BYTE PTR ES:[EDI] ; 还原成jmp [address]

0059101D B8 FF250000 MOV EAX,25FF

00591022 66:AB STOS WORD PTR ES:[EDI]

00591024 8BC6 MOV EAX,ESI

00591026 AB STOS DWORD PTR ES:[EDI]

00591027 83C6 04 ADD ESI,4

0059102A ^ E2 EE LOOPD SHORT 0059101A

0059102C 60 PUSHAD ; 再次加密回去

0059102D E8 00000000 CALL 00591032

00591032 5E POP ESI

00591033 83EE 06 SUB ESI,6

00591036 B9 2B000000 MOV ECX,2B

0059103B 29CE SUB ESI,ECX

0059103D BA 4BF05729 MOV EDX,2957F04B

00591042 C1E9 02 SHR ECX,2

00591045 83E9 02 SUB ECX,2

00591048 83F9 00 CMP ECX,0

0059104B 7C 1A JL SHORT 00591067

0059104D 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00591050 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

00591054 33C3 XOR EAX,EBX

00591056 C1C8 0D ROR EAX,0D

00591059 33C2 XOR EAX,EDX

0059105B 81C2 10B43C8D ADD EDX,8D3CB410

00591061 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

00591064 49 DEC ECX

00591065 ^ EB E1 JMP SHORT 00591048

00591067 61 POPAD

00591068 61 POPAD

00591069 C3 RETN

sub_SDK_Disposal:

0059106A > 60 PUSHAD ; sub_SDK_Disposal

0059106B E8 90B0FFFF CALL <sub_GetEBP >

00591070 33D2 XOR EDX,EDX

00591072 > 8BB495 3D1B4000 MOV ESI,DWORD PTR SS:[EBP+EDX*4+401B3D] ; 如果用了SDK这里面的值不为空.

00591079 0BF6 OR ESI,ESI ; 如果没有用SDK或SDK处理部分已经操作完成则跳

0059107B 74 31 JE SHORT <finished>

0059107D 90 NOP

0059107E 90 NOP

0059107F 90 NOP

00591080 90 NOP

00591081 03B5 46F84000 ADD ESI,DWORD PTR SS:[EBP+40F846] ; 把RVA转为VA

00591087 8B8C95 CD1C4000 MOV ECX,DWORD PTR SS:[EBP+EDX*4+401CCD] ; 加密的代码大小

0059108E 60 PUSHAD

0059108F 52 PUSH EDX

00591090 51 PUSH ECX ; /MemSize

00591091 6A 40 PUSH 40 ; |Flags = GPTR

00591093 FF95 FFFC4000 CALL DWORD PTR SS:[EBP+40FCFF] ; \GlobalAlloc

00591099 5A POP EDX

0059109A 898495 5D1E4000 MOV DWORD PTR SS:[EBP+EDX*4+401E5D],EAX ; 保存动态申请的地址

005910A1 61 POPAD

005910A2 8BBC95 5D1E4000 MOV EDI,DWORD PTR SS:[EBP+EDX*4+401E5D]

005910A9 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; 把代码复制到动态申请的地址空间

005910AB 42 INC EDX

005910AC ^ EB C4 JMP SHORT <Loop MEMCopy>

005910AE > 61 POPAD

005910AF C3 RETN

也就是说壳加密时已经处理好了。这个壳只是加载一而已，看看数据窗口，总结一下就这么回事：

0057CB3D D1 AB 02 00 A1 DE 02 00 D6 CC 01 00 32 C9 06 00 勋.∞.痔
.2?.;这里就是用了SDK的各地址的RVA

0057CB4D DF 3A 02 00 38 FC 05 00 C8 2E 06 00 0F 2C 05 00 ?.8?.?.,.

0057CB5D 0F 93 03 00 71 FE 00 00 8B 61 06 00 7D C7 03 00 ?.q?.媋.}?.

0057CB6D 3D FA 03 00 BD 2D 04 00 7D 60 04 00 3D 93 04 00 =?.?.}`.=?.

0057CB7D DD F8 04 00 F0 5E 05 00 5D C9 05 00 96 43 08 00 蔌.館.]?.朇.

0057CB8D 89 93 05 00 00 C6 04 00 D9 08 07 00 22 74 02 00 墦..?.?."t.

0057CB9D 02 DE 07 00 D7 32 01 00 D1 66 01 00 A2 17 03 00 ?.?
.裦
.?.

0057CBAD 0F A8 07 00 9B 9A 01 00 9A 08 02 00 05 CC 00 00 ?.洑
.?.?.

0057CBBD FF 96 06 00 26 11 08 00 67 60 03 00 C3 75 07 00 ??.&.g`.胾.

0057CBCD 89 43 07 00 00 00 00 00 00 00 00 00 00 00 00 00 塁.............

......

0057CCCD 55 32 00 00 63 32 00 00 69 32 00 00 6B 32 00 00 U2..c2..i2..k2..;用了SDK的大小

0057CCDD 6C 32 00 00 6D 32 00 00 6D 32 00 00 6E 32 00 00 l2..m2..m2..n2..

0057CCED 7B 32 00 00 88 32 00 00 89 32 00 00 9B 32 00 00 {2..?..?..?..

0057CCFD 9B 32 00 00 9B 32 00 00 9B 32 00 00 9B 32 00 00 ?..?..?..?..

0057CD0D 9B 32 00 00 9B 32 00 00 9B 32 00 00 AF 32 00 00 ?..?..?..?..

0057CD1D B2 32 00 00 B5 32 00 00 D5 32 00 00 DA 32 00 00 ?..?..?..?..

0057CD2D DA 32 00 00 E6 32 00 00 F8 32 00 00 3B 33 00 00 ?..?..?..;3..

0057CD3D CB 33 00 00 DC 64 00 00 F2 64 00 00 24 65 00 00 ?..躣..騞..$e..

0057CD4D 27 65 00 00 8C 65 00 00 E2 65 00 00 1E 67 00 00 'e..宔..鈋..g..

0057CD5D AE 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 畽..............

sub_Unknow1:

0058CFBF > 60 PUSHAD ;对DELPHI的程序，这里会产生异常

0058CFC0 F8 CLC

0058CFC1 BE 97B4BED0 MOV ESI,D0BEB497

0058CFC6 E8 01000000 CALL 0058CFCC

0058CFCB ^ 72 83 JB SHORT 0058CF50

0058CFCD C40481 LES EAX,FWORD PTR DS:[ECX+EAX*4] ; Modification of segment register

0058CFD0 CD D9 INT 0D9

......

0058D16A > E8 91EFFFFF CALL <sub_GetEBP >

0058D16F E8 580F0000 CALL 0058E0CC ; EAX随机产生的值

0058D174 0BC0 OR EAX,EAX

0058D176 75 3D JNZ SHORT 0058D1B5 ;没有异常则跳/?,我这个程序里跳

0058D178 90 NOP

0058D179 90 NOP

0058D17A 90 NOP

0058D17B 90 NOP

0058D17C FF95 6FFD4000 CALL DWORD PTR SS:[EBP+40FD6F] ;GetCurrentThread

0058D182 50 PUSH EAX

0058D183 8DB5 6EF74000 LEA ESI,DWORD PTR SS:[EBP+40F76E]

0058D189 56 PUSH ESI

0058D18A 56 PUSH ESI ;/pContext = MainCon.0058A76E

0058D18B 50 PUSH EAX ;|hThread = FFFFFFFE

0058D18C FF95 67FD4000 CALL DWORD PTR SS:[EBP+40FD67] ;\GetThreadContext

0058D192 5F POP EDI

0058D193 83C7 04 ADD EDI,4

0058D196 2BC0 SUB EAX,EAX

0058D198 B9 04000000 MOV ECX,4

0058D19D F3:AB REP STOS DWORD PTR ES:[EDI]

0058D19F 8DB5 6EF74000 LEA ESI,DWORD PTR SS:[EBP+40F76E]

0058D1A5 58 POP EAX

0058D1A6 56 PUSH ESI ; /pContext

0058D1A7 50 PUSH EAX ; |hThread

0058D1A8 FF95 6BFD4000 CALL DWORD PTR SS:[EBP+40FD6B] ; \SetThreadContext

0058D1AE C685 BF1F4100 C3 MOV BYTE PTR SS:[EBP+411FBF],0C3

0058D1B5 60 PUSHAD ; 把代码加密回去

0058D1B6 E8 00000000 CALL 0058D1BB

0058D1BB 5E POP ESI

0058D1BC 83EE 06 SUB ESI,6

0058D1BF B9 4B000000 MOV ECX,4B

0058D1C4 29CE SUB ESI,ECX

0058D1C6 BA D0D6B318 MOV EDX,18B3D6D0

0058D1CB C1E9 02 SHR ECX,2

0058D1CE 83E9 02 SUB ECX,2

0058D1D1 83F9 00 /CMP ECX,0

0058D1D4 7C 1A |JL SHORT 0058D1F0

0058D1D6 8B048E |MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058D1D9 8B5C8E 04 |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058D1DD 03C3 |ADD EAX,EBX

0058D1DF C1C8 13 |ROR EAX,13

0058D1E2 03C2 |ADD EAX,EDX

0058D1E4 81C2 B0B2E98F |ADD EDX,8FE9B2B0

0058D1EA 89048E |MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058D1ED 49 |DEC ECX

0058D1EE ^ EB E1 \JMP SHORT 0058D1D1

0058D1F0 61 POPAD

0058D1F1 61 POPAD

0058D1F2 C3 RETN

sub_Kernel:

0058ED39 > 60 PUSHAD ; sub_Kernel

0058ED3A F8 CLC

0058ED3B 66:BE DA51 MOV SI,51DA

0058ED3F 45 INC EBP

0058ED40 90 NOP

0058ED41 90 NOP

0058ED42 90 NOP

0058ED43 90 NOP

......

0058EEE4 E8 17D2FFFF CALL <sub_GetEBP >

0058EEE9 80BD A5524100 C>CMP BYTE PTR SS:[EBP+4152A5],0C3

0058EEF0 74 09 JE SHORT <FinishedIAT>

0058EEF2 90 NOP

0058EEF3 90 NOP

0058EEF4 90 NOP

0058EEF5 90 NOP

0058EEF6 E8 AA130000 CALL <Sub_Disposal IAT>

0058EEFB > 66:C785 2CF5400>MOV WORD PTR SS:[EBP+40F52C],0

0058EF04 83BD 4F814100 0>CMP DWORD PTR SS:[EBP+41814F],0 ; 这里判断是否用了ACPROTECT定义的机器码函数那个选项,是否用RSA1024

0058EF0B 0F84 E5010000 JE 0058F0F6 ; 没有用则跳

0058EF11 8DB5 98F34000 LEA ESI,DWORD PTR SS:[EBP+40F398] ; 如果有则先强行生成一个CID.dll文件

0058EF17 56 PUSH ESI ; /Buffer

0058EF18 68 FF000000 PUSH 0FF ; |size

0058EF1D FF95 5BFD4000 CALL DWORD PTR SS:[EBP+40FD5B] ; \GetTempPathA

0058EF23 B9 FFFF0000 MOV ECX,0FFFF

0058EF28 8DBD 98F34000 LEA EDI,DWORD PTR SS:[EBP+40F398]

0058EF2E 33C0 XOR EAX,EAX

0058EF30 F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; 获取长度

0058EF32 4F DEC EDI

0058EF33 60 PUSHAD

0058EF34 83BD 59814100 0>CMP DWORD PTR SS:[EBP+418159],0

0058EF3B 0F84 AD000000 JE 0058EFEE

0058EF41 C707 4349442E MOV DWORD PTR DS:[EDI],2E444943

0058EF47 C747 04 646C6C6>MOV DWORD PTR DS:[EDI+4],6C6C6C64

0058EF4E C647 07 00 MOV BYTE PTR DS:[EDI+7],0

0058EF52 8DB5 98F34000 LEA ESI,DWORD PTR SS:[EBP+40F398]

0058EF58 6A 00 PUSH 0 ; /hTemplateFile = NULL

0058EF5A 6A 20 PUSH 20 ; |Attributes = ARCHIVE

0058EF5C 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS

0058EF5E 6A 00 PUSH 0 ; |pSecurity = NULL

0058EF60 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

0058EF62 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

0058EF67 56 PUSH ESI ; |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CID.dll"

0058EF68 FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B] ; \CreateFileA

0058EF6E 50 PUSH EAX ; /push hFile

0058EF6F 6A 00 PUSH 0 ; |/pOverlapped = NULL

0058EF71 8DB5 B3F44000 LEA ESI,DWORD PTR SS:[EBP+40F4B3] ; ||

0058EF77 56 PUSH ESI ; ||pBytesWritten = MainCon.0058A4B3

0058EF78 FFB5 59814100 PUSH DWORD PTR SS:[EBP+418159] ; ||nBytesToWrite = 0

0058EF7E 8B9D 4F814100 MOV EBX,DWORD PTR SS:[EBP+41814F] ; ||

0058EF84 039D 46F84000 ADD EBX,DWORD PTR SS:[EBP+40F846] ; ||

0058EF8A 2B9D 53814100 SUB EBX,DWORD PTR SS:[EBP+418153] ; ||

0058EF90 2B9D 59814100 SUB EBX,DWORD PTR SS:[EBP+418159] ; ||

0058EF96 53 PUSH EBX ; ||Buffer = MainCon.00400000

0058EF97 50 PUSH EAX ; ||hFile = 00000054 (window)

0058EF98 FF95 53FD4000 CALL DWORD PTR SS:[EBP+40FD53] ; |\WriteFile

0058EF9E FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27] ; \CloseHandle

0058EFA4 8DB5 98F34000 LEA ESI,DWORD PTR SS:[EBP+40F398]

0058EFAA 56 PUSH ESI ; /LibraryA Name

0058EFAB FF95 24854100 CALL DWORD PTR SS:[EBP+418524] ; \LoadLibraryA

0058EFB1 8985 3EF84000 MOV DWORD PTR SS:[EBP+40F83E],EAX ; hModule

0058EFB7 8DB5 5D814100 LEA ESI,DWORD PTR SS:[EBP+41815D]

0058EFBD 56 PUSH ESI ; /ProcNameOrOrdinal = "Randimize"

0058EFBE FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E] ; |hModule = NULL

0058EFC4 FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C] ; \GetProcAddress

0058EFCA FFB5 67814100 PUSH DWORD PTR SS:[EBP+418167]

0058EFD0 FFD0 CALL EAX ; 获取该API的地址后，执行该函数

0058EFD2 8985 5D814100 MOV DWORD PTR SS:[EBP+41815D],EAX

0058EFD8 C785 61814100 0>MOV DWORD PTR SS:[EBP+418161],0

0058EFE2 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E] ; /hModule

0058EFE8 FF95 57FD4000 CALL DWORD PTR SS:[EBP+40FD57] ; \FreeLibraryA

0058EFEE 61 POPAD

0058EFEF 60 PUSHAD

0058EFF0 6A 00 PUSH 0

0058EFF2 FF95 20854100 CALL DWORD PTR SS:[EBP+418520] ; GetModuleHandleA

0058EFF8 8DB5 8BF14000 LEA ESI,DWORD PTR SS:[EBP+40F18B]

0058EFFE 56 PUSH ESI

0058EFFF 50 PUSH EAX

0058F000 AD LODS DWORD PTR DS:[ESI]

0058F001 93 XCHG EAX,EBX

0058F002 AD LODS DWORD PTR DS:[ESI]

0058F003 3BC3 CMP EAX,EBX

0058F005 75 09 JNZ SHORT 0058F010

0058F007 90 NOP

0058F008 90 NOP

0058F009 90 NOP

0058F00A 90 NOP

0058F00B EB 20 JMP SHORT 0058F02D

0058F00D 90 NOP

0058F00E 90 NOP

0058F00F 90 NOP

0058F010 8DB5 8BF14000 LEA ESI,DWORD PTR SS:[EBP+40F18B]

0058F016 FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C]

0058F01C 8985 8BF14000 MOV DWORD PTR SS:[EBP+40F18B],EAX

0058F022 8985 8FF14000 MOV DWORD PTR SS:[EBP+40F18F],EAX

0058F028 EB 05 JMP SHORT 0058F02F

0058F02A 90 NOP

0058F02B 90 NOP

0058F02C 90 NOP

0058F02D 58 POP EAX

0058F02E 5E POP ESI

0058F02F 8B85 8BF14000 MOV EAX,DWORD PTR SS:[EBP+40F18B]

0058F035 0BC0 OR EAX,EAX

0058F037 74 1A JE SHORT 0058F053

0058F039 90 NOP

0058F03A 90 NOP

0058F03B 90 NOP

0058F03C 90 NOP

0058F03D FF95 8BF14000 CALL DWORD PTR SS:[EBP+40F18B]

0058F043 8985 5D814100 MOV DWORD PTR SS:[EBP+41815D],EAX

0058F049 C785 61814100 0>MOV DWORD PTR SS:[EBP+418161],0

0058F053 61 POPAD

0058F054 8DB5 B7F44000 LEA ESI,DWORD PTR SS:[EBP+40F4B7] ; 生成%tmp%\perplex.dll

0058F05A B9 0B000000 MOV ECX,0B

0058F05F F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>

0058F061 8DB5 98F34000 LEA ESI,DWORD PTR SS:[EBP+40F398]

0058F067 6A 00 PUSH 0

0058F069 6A 20 PUSH 20

0058F06B 6A 02 PUSH 2

0058F06D 6A 00 PUSH 0

0058F06F 6A 03 PUSH 3

0058F071 68 000000C0 PUSH C0000000

0058F076 56 PUSH ESI

0058F077 FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B] ; CreateFileA

0058F07D 0BC0 OR EAX,EAX

0058F07F 74 75 JE SHORT 0058F0F6

0058F081 90 NOP

0058F082 90 NOP

0058F083 90 NOP

0058F084 90 NOP

0058F085 50 PUSH EAX

0058F086 6A 00 PUSH 0

0058F088 8DB5 B3F44000 LEA ESI,DWORD PTR SS:[EBP+40F4B3]

0058F08E 56 PUSH ESI

0058F08F FFB5 53814100 PUSH DWORD PTR SS:[EBP+418153]

0058F095 8B9D 4F814100 MOV EBX,DWORD PTR SS:[EBP+41814F]

0058F09B 039D 46F84000 ADD EBX,DWORD PTR SS:[EBP+40F846]

0058F0A1 2B9D 53814100 SUB EBX,DWORD PTR SS:[EBP+418153]

0058F0A7 53 PUSH EBX

0058F0A8 50 PUSH EAX

0058F0A9 FF95 53FD4000 CALL DWORD PTR SS:[EBP+40FD53]

0058F0AF FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27]

0058F0B5 8DB5 98F34000 LEA ESI,DWORD PTR SS:[EBP+40F398]

0058F0BB 56 PUSH ESI ; /library name

0058F0BC FF95 24854100 CALL DWORD PTR SS:[EBP+418524] ; \LoadLibraryA

0058F0C2 0BC0 OR EAX,EAX

0058F0C4 74 30 JE SHORT 0058F0F6 ; 如果载入失败则忽略并跳去执行后面的代码

0058F0C6 90 NOP

0058F0C7 90 NOP

0058F0C8 90 NOP

0058F0C9 90 NOP

0058F0CA 8985 3EF84000 MOV DWORD PTR SS:[EBP+40F83E],EAX

0058F0D0 8DB5 C4F44000 LEA ESI,DWORD PTR SS:[EBP+40F4C4] ; 载入成功则获取zcf_decrypt的地址

0058F0D6 56 PUSH ESI ; /name

0058F0D7 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E] ; |hmodule

0058F0DD FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C] ; \GetProcAddress

0058F0E3 8985 C4F44000 MOV DWORD PTR SS:[EBP+40F4C4],EAX

0058F0E9 0BC0 OR EAX,EAX

0058F0EB 74 09 JE SHORT 0058F0F6

0058F0ED 90 NOP

0058F0EE 90 NOP

0058F0EF 90 NOP

0058F0F0 90 NOP

0058F0F1 E8 D5F7FFFF CALL <Reg_Info>

0058F0F6 60 PUSHAD ; 把前面的代码加密回去

0058F0F7 E8 00000000 CALL 0058F0FC

0058F0FC 5E POP ESI

0058F0FD 83EE 06 SUB ESI,6

0058F100 B9 12020000 MOV ECX,212

0058F105 29CE SUB ESI,ECX

0058F107 BA 9A465152 MOV EDX,5251469A

0058F10C C1E9 02 SHR ECX,2

0058F10F 83E9 02 SUB ECX,2

0058F112 83F9 00 CMP ECX,0

0058F115 7C 1A JL SHORT 0058F131

0058F117 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058F11A 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058F11E 03C3 ADD EAX,EBX

0058F120 C1C8 1A ROR EAX,1A

0058F123 2BC2 SUB EAX,EDX

0058F125 81C2 4F6B073C ADD EDX,3C076B4F

0058F12B 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058F12E 49 DEC ECX

0058F12F ^ EB E1 JMP SHORT 0058F112

0058F131 61 POPAD

......

0058F2DC E8 1FCEFFFF CALL <sub_GetEBP >

; 开始执行判断是否用了注册提示,是否显示机器码信息框之类的

0058F2E1 66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF00

0058F2EA 0F84 AC000000 JE 0058F39C

0058F2F0 66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF01 ; 这几个判断没有认真去看

0058F2F9 74 39 JE SHORT 0058F334

0058F2FB 90 NOP

0058F2FC 90 NOP

0058F2FD 90 NOP

0058F2FE 90 NOP

0058F2FF 66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF02

0058F308 74 53 JE SHORT 0058F35D

......

0058F4E0 60 PUSHAD ; 加密回去

0058F4E1 E8 00000000 CALL 0058F4E6

0058F4E6 5E POP ESI

0058F4E7 83EE 06 SUB ESI,6

0058F4EA B9 04020000 MOV ECX,204

0058F4EF 29CE SUB ESI,ECX

0058F4F1 BA B615F109 MOV EDX,9F115B6

0058F4F6 C1E9 02 SHR ECX,2

0058F4F9 83E9 02 SUB ECX,2

0058F4FC 83F9 00 CMP ECX,0

0058F4FF 7C 1A JL SHORT 0058F51B

0058F501 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058F504 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058F508 2BC3 SUB EAX,EBX

0058F50A C1C8 14 ROR EAX,14

0058F50D 2BC2 SUB EAX,EDX

0058F50F 81C2 94655AA2 ADD EDX,A25A6594

0058F515 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058F518 49 DEC ECX

0058F519 ^ EB E1 JMP SHORT 0058F4FC

0058F51B 61 POPAD

0058F51C 61 POPAD

0058F51D E8 4C050000 CALL <sub_Check_REG>

0058F522 C3 RETN

Sub_Disposal IAT:

005902A5 > 60 PUSHAD ; Import Table Disposal

005902A6 EB 01 JMP SHORT 005902A9

005902A8 7A 87 JPE SHORT 00590231

005902AA C5EB LDS EBP,EBX ; Illegal use of register

005902AC 017A 66 ADD DWORD PTR DS:[EDX+66],EDI

005902AF BA 78E17A03 MOV EDX,37AE178

......

00590450 E8 ABBCFFFF CALL <sub_GetEBP >

00590455 C685 A5524100 C>MOV BYTE PTR SS:[EBP+4152A5],0C3 ; 如果执行完了则不再执行

0059045C C785 0BF94000 0>MOV DWORD PTR SS:[EBP+40F90B],00401000

00590466 01AD 0BF94000 ADD DWORD PTR SS:[EBP+40F90B],EBP

0059046C 8385 0BF94000 1>ADD DWORD PTR SS:[EBP+40F90B],10

00590473 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846] ; 取IMAGEBASE

00590479 8BB5 07F94000 MOV ESI,DWORD PTR SS:[EBP+40F907] ; [EBP+40F907]记录着程序输入表的起始位置RVA==BEB88

0059047F 03F2 ADD ESI,EDX ; 转为VA

00590481 > 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]

00590484 0BC0 OR EAX,EAX

00590486 0F84 25020000 JE <Finished> ; 处理完则跳去结束处

0059048C 8366 0C 00 AND DWORD PTR DS:[ESI+C],0 ; 开始清除原IAT结构,nop掉

00590490 03C2 ADD EAX,EDX

00590492 8BD8 MOV EBX,EAX

00590494 56 PUSH ESI

00590495 57 PUSH EDI

00590496 50 PUSH EAX

00590497 8BF3 MOV ESI,EBX

00590499 8BFB MOV EDI,EBX

0059049B > AC LODS BYTE PTR DS:[ESI] ; Decrypt_DLL_Name

0059049C C0C0 03 ROL AL,3 ; 还原出正确的DLL名

0059049F AA STOS BYTE PTR ES:[EDI]

005904A0 803F 00 CMP BYTE PTR DS:[EDI],0

005904A3 ^ 75 F6 JNZ SHORT <Decrypt_DLL_Name>

005904A5 58 POP EAX

005904A6 5F POP EDI

005904A7 5E POP ESI

005904A8 50 PUSH EAX ; /moduleName

005904A9 FF95 20854100 CALL DWORD PTR SS:[EBP+418520] ; \GetModuleHandleA

005904AF 0BC0 OR EAX,EAX

005904B1 75 43 JNZ SHORT <Dll_is_loaded>

005904B3 90 NOP

005904B4 90 NOP

005904B5 90 NOP

005904B6 90 NOP

005904B7 53 PUSH EBX ; /DllName

005904B8 FF95 24854100 CALL DWORD PTR SS:[EBP+418524] ; \LoadLibraryA

005904BE 0BC0 OR EAX,EAX

005904C0 75 34 JNZ SHORT <Dll_is_loaded>

005904C2 90 NOP

005904C3 90 NOP

005904C4 90 NOP

005904C5 90 NOP

005904C6 > 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846] ; 载入失败的路

005904CC 0195 351B4000 ADD DWORD PTR SS:[EBP+401B35],EDX

005904D2 0195 391B4000 ADD DWORD PTR SS:[EBP+401B39],EDX

005904D8 6A 00 PUSH 0 ; /Style

005904DA FFB5 351B4000 PUSH DWORD PTR SS:[EBP+401B35] ; |Caption

005904E0 FFB5 391B4000 PUSH DWORD PTR SS:[EBP+401B39] ; |TEXT

005904E6 6A 00 PUSH 0 ; |hOwner = NULL

005904E8 FF95 2C854100 CALL DWORD PTR SS:[EBP+41852C] ; \MessageBoxA

005904EE 6A 00 PUSH 0 ; /ExitCode==0

005904F0 FF95 28854100 CALL DWORD PTR SS:[EBP+418528] ; \ExitProcess

005904F6 > 60 PUSHAD ; 载入DLL后壳把DLL名给清除掉

005904F7 2BC0 SUB EAX,EAX

005904F9 > 8803 MOV BYTE PTR DS:[EBX],AL ; loop clea dllname

005904FB 43 INC EBX

005904FC 3803 CMP BYTE PTR DS:[EBX],AL

005904FE ^ 75 F9 JNZ SHORT <loop clea dllname>

00590500 61 POPAD

00590501 8985 3EF84000 MOV DWORD PTR SS:[EBP+40F83E],EAX ; 保存hModule

00590507 C785 42F84000 0>MOV DWORD PTR SS:[EBP+40F842],0

00590511 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]

00590517 8B06 MOV EAX,DWORD PTR DS:[ESI]

00590519 0BC0 OR EAX,EAX

0059051B 75 07 JNZ SHORT 00590524

0059051D 90 NOP

0059051E 90 NOP

0059051F 90 NOP

00590520 90 NOP

00590521 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]

00590524 03C2 ADD EAX,EDX

00590526 0385 42F84000 ADD EAX,DWORD PTR SS:[EBP+40F842]

0059052C 8B18 MOV EBX,DWORD PTR DS:[EAX]

0059052E 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]

00590531 03FA ADD EDI,EDX

00590533 03BD 42F84000 ADD EDI,DWORD PTR SS:[EBP+40F842]

00590539 85DB TEST EBX,EBX ; 判断当前DLL的API有没有处理完

0059053B 0F84 62010000 JE <Disposal Next DLL>

00590541 F7C3 00000080 TEST EBX,80000000 ; 判断为API名字还是为序号

00590547 75 1D JNZ SHORT 00590566

00590549 90 NOP

0059054A 90 NOP

0059054B 90 NOP

0059054C 90 NOP

0059054D 03DA ADD EBX,EDX ; 如果是字符串，还得先还原出正确的API名字

0059054F 83C3 02 ADD EBX,2

00590552 56 PUSH ESI

00590553 57 PUSH EDI

00590554 50 PUSH EAX

00590555 8BF3 MOV ESI,EBX

00590557 8BFB MOV EDI,EBX

00590559 > AC LODS BYTE PTR DS:[ESI] ; Restor_API_NAME

0059055A C0C0 03 ROL AL,3

0059055D AA STOS BYTE PTR ES:[EDI]

0059055E 803F 00 CMP BYTE PTR DS:[EDI],0

00590561 ^ 75 F6 JNZ SHORT <Restor_API_NAME>

00590563 58 POP EAX

00590564 5F POP EDI

00590565 5E POP ESI

00590566 3B9D 46F84000 CMP EBX,DWORD PTR SS:[EBP+40F846]

0059056C 7C 11 JL SHORT 0059057F ; 如果小于IMAGEBASE说明是序号

0059056E 90 NOP

0059056F 90 NOP

00590570 90 NOP

00590571 90 NOP

00590572 83BD 1A204000 0>CMP DWORD PTR SS:[EBP+40201A],0

00590579 75 0A JNZ SHORT 00590585

0059057B 90 NOP

0059057C 90 NOP

0059057D 90 NOP

0059057E 90 NOP

0059057F 81E3 FFFFFF0F AND EBX,0FFFFFFF

00590585 53 PUSH EBX ; /API Name

00590586 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E] ; |hModule

0059058C FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C] ; \GetProcAddress

00590592 3B9D 46F84000 CMP EBX,DWORD PTR SS:[EBP+40F846]

00590598 7C 0F JL SHORT 005905A9 ; 如果是序号则跳

0059059A 90 NOP

0059059B 90 NOP

0059059C 90 NOP

0059059D 90 NOP

0059059E 60 PUSHAD ; 如果是字符串名则清除API名

0059059F 2BC0 SUB EAX,EAX

005905A1 > 8803 MOV BYTE PTR DS:[EBX],AL

005905A3 43 INC EBX

005905A4 3803 CMP BYTE PTR DS:[EBX],AL

005905A6 ^ 75 F9 JNZ SHORT <Clea API NAME>

005905A8 61 POPAD

005905A9 0BC0 OR EAX,EAX ; 如果获取API地址失败则OVER

005905AB ^ 0F84 15FFFFFF JE <Fail Message>

005905B1 3B85 2C854100 CMP EAX,DWORD PTR SS:[EBP+41852C] ; 判断是否为特殊函数MessageBoxA

005905B7 74 20 JE SHORT 005905D9

005905B9 90 NOP

005905BA 90 NOP

005905BB 90 NOP

005905BC 90 NOP

005905BD 3B85 C4FD4000 CMP EAX,DWORD PTR SS:[EBP+40FDC4] ; 判断是否为特殊函数RegisterHotKey

005905C3 74 09 JE SHORT 005905CE

005905C5 90 NOP

005905C6 90 NOP

005905C7 90 NOP

005905C8 90 NOP

005905C9 EB 14 JMP SHORT 005905DF

005905CB 90 NOP

005905CC 90 NOP

005905CD 90 NOP

005905CE 8D85 31FE4000 LEA EAX,DWORD PTR SS:[EBP+40FE31]

005905D4 EB 09 JMP SHORT 005905DF

005905D6 90 NOP

005905D7 90 NOP

005905D8 90 NOP

005905D9 8D85 4BFE4000 LEA EAX,DWORD PTR SS:[EBP+40FE4B]

005905DF 56 PUSH ESI

005905E0 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E]

005905E6 5E POP ESI

005905E7 39B5 12204000 CMP DWORD PTR SS:[EBP+402012],ESI ; 判断hmodule是否为kernel32.dll的句柄

005905ED 74 15 JE SHORT 00590604

005905EF 90 NOP

005905F0 90 NOP

005905F1 90 NOP

005905F2 90 NOP

005905F3 39B5 16204000 CMP DWORD PTR SS:[EBP+402016],ESI ; 判断hmodule是否为user32.dll的句柄

005905F9 74 09 JE SHORT 00590604

005905FB 90 NOP

005905FC 90 NOP

005905FD 90 NOP

005905FE 90 NOP

005905FF EB 63 JMP SHORT 00590664

00590601 90 NOP

00590602 90 NOP

00590603 90 NOP

00590604 80BD 16564100 0>CMP BYTE PTR SS:[EBP+415616],0 ; 如果是kernel32.dll或user32.dll的话，再判断是否要加密特殊函数

0059060B 74 57 JE SHORT 00590664

0059060D 90 NOP

0059060E 90 NOP

0059060F 90 NOP

00590610 90 NOP

00590611 EB 07 JMP SHORT 0059061A

00590613 90 NOP

00590614 90 NOP

00590615 90 NOP

00590616 0100 ADD DWORD PTR DS:[EAX],EAX

00590618 0000 ADD BYTE PTR DS:[EAX],AL

0059061A 8BB5 0BF94000 MOV ESI,DWORD PTR SS:[EBP+40F90B]

00590620 83C6 0D ADD ESI,0D

00590623 81EE 02184000 SUB ESI,00401802

00590629 2BF5 SUB ESI,EBP

0059062B 83FE 00 CMP ESI,0

0059062E 7F 34 JG SHORT 00590664

00590630 90 NOP

00590631 90 NOP

00590632 90 NOP

00590633 90 NOP

00590634 8BB5 0BF94000 MOV ESI,DWORD PTR SS:[EBP+40F90B]

0059063A 53 PUSH EBX

0059063B 50 PUSH EAX

0059063C E8 8DB2FFFF CALL <Get_RND_VALUE>

00590641 8BD8 MOV EBX,EAX

00590643 58 POP EAX

00590644 33C3 XOR EAX,EBX

00590646 C606 68 MOV BYTE PTR DS:[ESI],68 ; 改成push address xor [esp],key,ret的方式

00590649 8946 01 MOV DWORD PTR DS:[ESI+1],EAX

0059064C C746 05 8134240>MOV DWORD PTR DS:[ESI+5],243481

00590653 895E 08 MOV DWORD PTR DS:[ESI+8],EBX

00590656 C646 0C C3 MOV BYTE PTR DS:[ESI+C],0C3

0059065A 5B POP EBX

0059065B 8BC6 MOV EAX,ESI

0059065D 8385 0BF94000 0>ADD DWORD PTR SS:[EBP+40F90B],0D

00590664 5E POP ESI ; 普通API函数的处理

00590665 60 PUSHAD

00590666 8BD0 MOV EDX,EAX

00590668 2BBD 46F84000 SUB EDI,DWORD PTR SS:[EBP+40F846]

0059066E 8BC7 MOV EAX,EDI

00590670 B9 01010000 MOV ECX,101

00590675 8DBD EBEC4000 LEA EDI,DWORD PTR SS:[EBP+40ECEB]

0059067B F2:AF REPNE SCAS DWORD PTR ES:[EDI]

0059067D 0BC9 OR ECX,ECX

0059067F 74 13 JE SHORT 00590694

00590681 90 NOP

00590682 90 NOP

00590683 90 NOP

00590684 90 NOP

00590685 81E9 01010000 SUB ECX,101

0059068B F7D1 NOT ECX

0059068D 89948D EBE84000 MOV DWORD PTR SS:[EBP+ECX*4+40E8EB],EDX

00590694 61 POPAD

00590695 8907 MOV DWORD PTR DS:[EDI],EAX ; 填充API地址

00590697 8385 42F84000 0>ADD DWORD PTR SS:[EBP+40F842],4

0059069E ^ E9 6EFEFFFF JMP 00590511

005906A3 > 83C6 14 ADD ESI,14 ; Disposal Next DLL

005906A6 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]

005906AC ^ E9 D0FDFFFF JMP <loop fill IAT>

005906B1 > 8DBD EBEC4000 LEA EDI,DWORD PTR SS:[EBP+40ECEB]

005906B7 33C0 XOR EAX,EAX

005906B9 B9 00010000 MOV ECX,100

005906BE F3:AB REP STOS DWORD PTR ES:[EDI] ; 清场代码

005906C0 60 PUSHAD ; 加密代码

005906C1 E8 00000000 CALL 005906C6

005906C6 5E POP ESI

005906C7 83EE 06 SUB ESI,6

005906CA B9 70020000 MOV ECX,270

005906CF 29CE SUB ESI,ECX

005906D1 BA BF51E4CE MOV EDX,CEE451BF

005906D6 C1E9 02 SHR ECX,2

005906D9 83E9 02 SUB ECX,2

005906DC 83F9 00 CMP ECX,0

005906DF 7C 1A JL SHORT 005906FB

005906E1 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

005906E4 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

005906E8 03C3 ADD EAX,EBX

005906EA C1C8 08 ROR EAX,8

005906ED 2BC2 SUB EAX,EDX

005906EF 81EA 792FBAB2 SUB EDX,B2BA2F79

005906F5 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

005906F8 49 DEC ECX

005906F9 ^ EB E1 JMP SHORT 005906DC

005906FB 61 POPAD

005906FC 61 POPAD

005906FD E8 D9D9FFFF CALL <sub_chek_CRC>

00590702 C3 RETN

sub_chek_CRC:

0058E0DB > 60 PUSHAD ; sub_chek_CRC,检测文件修改

0058E0DC 77 02 JA SHORT 0058E0E0

0058E0DE 8BD7 MOV EDX,EDI

0058E0E0 78 01 JS SHORT 0058E0E3

0058E0E2 F8 CLC

0058E0E3 50 PUSH EAX

0058E0E4 E8 01000000 CALL 0058E0EA

0058E0E9 ^ 74 83 JE SHORT 0058E06E

......

0058E286 . E8 75DEFFFF CALL <sub_GetEBP >

0058E28B . 68 20030000 PUSH 320 ; /BufSize = 320 (800.)

0058E290 . 8DBD 11184000 LEA EDI,DWORD PTR SS:[EBP+401811] ; |

0058E296 . 57 PUSH EDI ; |PathBuffer = MainCon.0057C811

0058E297 . 6A 00 PUSH 0 ; |hModule = NULL

0058E299 . FF95 73FD4000 CALL DWORD PTR SS:[EBP+40FD73] ; \GetModuleFileNameA

0058E29F . 6A 00 PUSH 0 ; /hTemplateFile = NULL

0058E2A1 . 68 80000000 PUSH 80 ; |Attributes = NORMAL

0058E2A6 . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING

0058E2A8 . 6A 00 PUSH 0 ; |pSecurity = NULL

0058E2AA . 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ

0058E2AC . 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ

0058E2B1 . 57 PUSH EDI ; |FileName

0058E2B2 . FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B] ; \CreateFileA

0058E2B8 . 40 INC EAX

0058E2B9 . 0F84 87000000 JE 0058E346 ; 读取文件失败则跳

0058E2BF . 48 DEC EAX

0058E2C0 . 8BF8 MOV EDI,EAX

0058E2C2 . 6A 00 PUSH 0 ; /pFileSizeHigh = NULL

0058E2C4 . 57 PUSH EDI ; |hFile = 00000054 (window)

0058E2C5 . FF95 77FD4000 CALL DWORD PTR SS:[EBP+40FD77] ; \GetFileSize

0058E2CB . 2B85 6B814100 SUB EAX,DWORD PTR SS:[EBP+41816B]

0058E2D1 . 96 XCHG EAX,ESI

0058E2D2 . 56 PUSH ESI ; /MemSize

0058E2D3 . 6A 40 PUSH 40 ; |Flags = GPTR

0058E2D5 . FF95 FFFC4000 CALL DWORD PTR SS:[EBP+40FCFF] ; \GlobalAlloc

0058E2DB . 85C0 TEST EAX,EAX

0058E2DD . 74 5E JE SHORT 0058E33D

0058E2DF . 90 NOP

0058E2E0 . 90 NOP

0058E2E1 . 90 NOP

0058E2E2 . 90 NOP

0058E2E3 . 93 XCHG EAX,EBX

0058E2E4 . 6A 00 PUSH 0 ; /pOverlapped = NULL

0058E2E6 . 8D85 11184000 LEA EAX,DWORD PTR SS:[EBP+401811] ; |

0058E2EC . 50 PUSH EAX ; |pBytesRead = MainCon.0057C811

0058E2ED . 56 PUSH ESI ; |BytesToRead = D915D (889181.)

0058E2EE . 53 PUSH EBX ; |Buffer = 00B10020

0058E2EF . 57 PUSH EDI ; |hFile = 00000054 (window)

0058E2F0 . FF95 4FFD4000 CALL DWORD PTR SS:[EBP+40FD4F] ; \ReadFile

0058E2F6 . 8BC3 MOV EAX,EBX

0058E2F8 . 8BCE MOV ECX,ESI

0058E2FA . 60 PUSHAD

0058E2FB . E8 84000000 CALL <Calc CRC VALUE>

0058E300 . 3985 6F814100 CMP DWORD PTR SS:[EBP+41816F],EAX

0058E306 . 74 24 JE SHORT 0058E32C ; 如果文件没有改动则跳

0058E308 . 90 NOP

0058E309 . 90 NOP

0058E30A . 90 NOP

0058E30B . 90 NOP

0058E30C . 83BD 1A204000>CMP DWORD PTR SS:[EBP+40201A],0

0058E313 . 75 17 JNZ SHORT 0058E32C

0058E315 . 90 NOP

0058E316 . 90 NOP

0058E317 . 90 NOP

0058E318 . 90 NOP

0058E319 . 8BBD 4B814100 MOV EDI,DWORD PTR SS:[EBP+41814B] ; 如果CRC值不正确的话，这里开始出阴招:-)

0058E31F . 03BD 46F84000 ADD EDI,DWORD PTR SS:[EBP+40F846]

0058E325 . B9 0A000000 MOV ECX,0A

0058E32A . F3:AB REP STOS DWORD PTR ES:[EDI]

0058E32C > 61 POPAD

0058E32D . 8D85 35334100 LEA EAX,DWORD PTR SS:[EBP+413335]

0058E333 . 50 PUSH EAX

0058E334 . C3 RETN

0058E335 . 53 PUSH EBX ; /hMem

0058E336 . FF95 03FD4000 CALL DWORD PTR SS:[EBP+40FD03] ; \GlobalFree

0058E33C . 96 XCHG EAX,ESI

0058E33D > 50 PUSH EAX

0058E33E . 57 PUSH EDI ; /hObject

0058E33F . FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27] ; \CloseHandle

0058E345 . 58 POP EAX

0058E346 > 60 PUSHAD ; 加密代码

0058E347 > E8 00000000 CALL 0058E34C

0058E34C /$ 5E POP ESI

0058E34D |. 83EE 06 SUB ESI,6

0058E350 |. B9 C0000000 MOV ECX,0C0

0058E355 |. 29CE SUB ESI,ECX

0058E357 |. BA E86DCB4B MOV EDX,4BCB6DE8

0058E35C |. C1E9 02 SHR ECX,2

0058E35F |. 83E9 02 SUB ECX,2

0058E362 |> 83F9 00 /CMP ECX,0

0058E365 |. 7C 1A |JL SHORT 0058E381

0058E367 |. 8B048E |MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058E36A |. 8B5C8E 04 |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058E36E |. 2BC3 |SUB EAX,EBX

0058E370 |. C1C0 06 |ROL EAX,6

0058E373 |. 03C2 |ADD EAX,EDX

0058E375 |. 81F2 13FDB951 |XOR EDX,51B9FD13

0058E37B |. 89048E |MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058E37E |. 49 |DEC ECX

0058E37F |.^ EB E1 \JMP SHORT 0058E362

0058E381 |> 61 POPAD

0058E382 |. 61 POPAD

0058E383 \. C3 RETN

Calc CRC VALUE:

0058E384 > 8BF8 MOV EDI,EAX ; 计算CRC值

0058E386 33C0 XOR EAX,EAX

0058E388 33DB XOR EBX,EBX

0058E38A 33D2 XOR EDX,EDX

0058E38C > 8A07 MOV AL,BYTE PTR DS:[EDI]

0058E38E F7E2 MUL EDX

0058E390 03D8 ADD EBX,EAX

0058E392 42 INC EDX

0058E393 47 INC EDI

0058E394 ^ E2 F6 LOOPD SHORT <loop calc>

0058E396 93 XCHG EAX,EBX

0058E397 C3 RETN

sub_Check_REG:

0058FA6E > 60 PUSHAD ; 检测使用有没有过期之类的

0058FA6F EB 04 JMP SHORT 0058FA75

0058FA71 90 NOP

0058FA72 90 NOP

0058FA73 90 NOP

0058FA74 00F8 ADD AL,BH

0058FA76 E8 01000000 CALL 0058FA7C

......

0058FC1F E8 DCC4FFFF CALL <sub_GetEBP >

0058FC24 C685 6E4A4100 C>MOV BYTE PTR SS:[EBP+414A6E],0C3

0058FC2B C685 6DF74000 0>MOV BYTE PTR SS:[EBP+40F76D],0

0058FC32 C685 744A4100 0>MOV BYTE PTR SS:[EBP+414A74],0

0058FC39 80BD 6CF74000 0>CMP BYTE PTR SS:[EBP+40F76C],1 ; 如果为1表示不检查试用信息

0058FC40 0F84 8D030000 JE <Use>

0058FC46 8A85 634C4100 MOV AL,BYTE PTR SS:[EBP+414C63]

0058FC4C 0AC0 OR AL,AL ; 如果为0表示不检查试用信息

0058FC4E 0F84 7F030000 JE <Use>

0058FC54 EB 33 JMP SHORT <Check Expired>

0058FC56 90 NOP

0058FC57 90 NOP

0058FC58 90 NOP

0058FC59 90 NOP

0058FC5A 90 NOP

0058FC5B 90 NOP

0058FC5C 90 NOP

0058FC5D 90 NOP

0058FC5E 90 NOP

0058FC5F 90 NOP

0058FC60 90 NOP

0058FC61 90 NOP

0058FC62 90 NOP

0058FC63 0000 ADD BYTE PTR DS:[EAX],AL

0058FC65 43 INC EBX

0058FC66 3A5C43 30 CMP BL,BYTE PTR DS:[EBX+EAX*2+30]

0058FC6A 6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command

0058FC6B 66:6967 2E 7361 IMUL SP,WORD PTR DS:[EDI+2E],6173

0058FC71 76 00 JBE SHORT 0058FC73

0058FC73 0000 ADD BYTE PTR DS:[EAX],AL

0058FC75 0000 ADD BYTE PTR DS:[EAX],AL

0058FC77 0000 ADD BYTE PTR DS:[EAX],AL

0058FC79 0000 ADD BYTE PTR DS:[EAX],AL

0058FC7B 0000 ADD BYTE PTR DS:[EAX],AL

0058FC7D 0000 ADD BYTE PTR DS:[EAX],AL

0058FC7F 0000 ADD BYTE PTR DS:[EAX],AL

0058FC81 0000 ADD BYTE PTR DS:[EAX],AL

0058FC83 0000 ADD BYTE PTR DS:[EAX],AL

0058FC85 0000 ADD BYTE PTR DS:[EAX],AL

0058FC87 0000 ADD BYTE PTR DS:[EAX],AL

0058FC89 > 6A 00 PUSH 0 ; /hTemplateFile = NULL

0058FC8B 6A 02 PUSH 2 ; |Attributes = HIDDEN

0058FC8D 6A 04 PUSH 4 ; |Mode = OPEN_ALWAYS

0058FC8F 6A 00 PUSH 0 ; |pSecurity = NULL

0058FC91 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

0058FC93 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

0058FC98 8DB5 654C4100 LEA ESI,DWORD PTR SS:[EBP+414C65] ; |

0058FC9E 56 PUSH ESI ; |Try information FileName

0058FC9F 50 PUSH EAX ; |

0058FCA0 8B85 2BFD4000 MOV EAX,DWORD PTR SS:[EBP+40FD2B] ; |

0058FCA6 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; |

0058FCA9 83E8 33 SUB EAX,33 ; |

0058FCAC 3D 99000000 CMP EAX,99 ; |

0058FCB1 74 10 JE SHORT 0058FCC3 ; |

0058FCB3 90 NOP ; |

0058FCB4 90 NOP ; |

0058FCB5 90 NOP ; |

0058FCB6 90 NOP ; |

0058FCB7 58 POP EAX ; |

0058FCB8 FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B] ; \CreateFileA

0058FCBE EB 17 JMP SHORT 0058FCD7

0058FCC0 90 NOP

0058FCC1 90 NOP

0058FCC2 90 NOP

0058FCC3 B8 E8030000 MOV EAX,3E8

0058FCC8 E8 01BCFFFF CALL <Get_RND_VALUE>

0058FCCD 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058FCD3 03F8 ADD EDI,EAX

0058FCD5 AB STOS DWORD PTR ES:[EDI]

0058FCD6 58 POP EAX

0058FCD7 0BC0 OR EAX,EAX

0058FCD9 75 32 JNZ SHORT 0058FD0D

0058FCDB 90 NOP

0058FCDC 90 NOP

0058FCDD 90 NOP

0058FCDE 90 NOP

0058FCDF 8DB5 F64C4100 LEA ESI,DWORD PTR SS:[EBP+414CF6]

0058FCE5 6A 00 PUSH 0

0058FCE7 56 PUSH ESI

0058FCE8 56 PUSH ESI

0058FCE9 6A 00 PUSH 0

0058FCEB FF95 2C854100 CALL DWORD PTR SS:[EBP+41852C]

0058FCF1 E9 DD020000 JMP <Use>

0058FCF6 74 72 JE SHORT 0058FD6A

0058FCF8 6961 6C 2063726>IMUL ESP,DWORD PTR DS:[ECX+6C],65726320

0058FCFF 61 POPAD

0058FD00 74 65 JE SHORT 0058FD67

0058FD02 66:696C65 20 65>IMUL BP,WORD PTR SS:[EBP+20],7265

0058FD09 72 6F JB SHORT 0058FD7A

0058FD0B 72 00 JB SHORT 0058FD0D

0058FD0D 8985 774C4100 MOV DWORD PTR SS:[EBP+414C77],EAX ; 这里开始读取试用信息之类的

0058FD13 6A 00 PUSH 0

0058FD15 8DB5 854C4100 LEA ESI,DWORD PTR SS:[EBP+414C85]

......

005901B9 E8 42BFFFFF CALL <sub_GetEBP >

005901BE 80BD 744A4100 0>CMP BYTE PTR SS:[EBP+414A74],0

005901C5 0F84 97000000 JE <Try way> ; 如果为0则表示没有注册提示

005901CB 80BD 6DF74000 0>CMP BYTE PTR SS:[EBP+40F76D],0 ; 如果为0则表示过期了

005901D2 0F85 8A000000 JNZ <Try way>

005901D8 > 6A 00 PUSH 0 ; Game Over

005901DA E8 08000000 CALL <sub_Show_Expired_MSG> ; 过期提示信息

005901DF 45 INC EBP

005901E0 78 70 JS SHORT 00590252

005901E2 6972 65 64008DB>IMUL ESI,DWORD PTR DS:[EDX+65],B58D0064

005901E9 91 XCHG EAX,ECX

005901EA D240 00 ROL BYTE PTR DS:[EAX],CL

005901ED 56 PUSH ESI

.........

00590262 > 60 PUSHAD ; 加密代码

00590263 E8 00000000 CALL 00590268

00590268 5E POP ESI

00590269 83EE 06 SUB ESI,6

0059026C B9 A9000000 MOV ECX,0A9

00590271 29CE SUB ESI,ECX

00590273 BA D244E9AE MOV EDX,AEE944D2

00590278 C1E9 02 SHR ECX,2

0059027B 83E9 02 SUB ECX,2

0059027E 83F9 00 CMP ECX,0

00590281 7C 1A JL SHORT 0059029D

00590283 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

00590286 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0059028A 33C3 XOR EAX,EBX

0059028C C1C0 05 ROL EAX,5

0059028F 33C2 XOR EAX,EDX

00590291 81F2 5D121221 XOR EDX,2112125D

00590297 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0059029A 49 DEC ECX

0059029B ^ EB E1 JMP SHORT 0059027E

0059029D 61 POPAD

0059029E 61 POPAD

0059029F C3 RETN

sub_AntiDebug:

0058D9EC > 60 PUSHAD ; Anti_debug

0058D9ED E8 01000000 CALL 0058D9F3

0058D9F2 9A 83042406 C37>CALL FAR 71C3:06240483 ; Far call

0058D9F9 05 B8EB51F3 ADD EAX,F351EBB8

0058D9FE 46 INC ESI

0058D9FF 74 03 JE SHORT 0058DA04

......

0058DB97 E8 64E5FFFF CALL <sub_GetEBP >

0058DB9C E8 2B050000 CALL <EAX=0 Do something>

0058DBA1 0BC0 OR EAX,EAX

0058DBA3 75 50 JNZ SHORT <safe way>

0058DBA5 90 NOP

0058DBA6 90 NOP

0058DBA7 90 NOP

0058DBA8 90 NOP

0058DBA9 C685 EC294100 C>MOV BYTE PTR SS:[EBP+4129EC],0C3

0058DBB0 8CC8 MOV AX,CS

0058DBB2 A8 04 TEST AL,4

0058DBB4 75 1A JNZ SHORT <OS is Win9x> ; 如果不是nt系统则跳

0058DBB6 90 NOP

0058DBB7 90 NOP

0058DBB8 90 NOP

0058DBB9 90 NOP

0058DBBA 64:67:A1 3000 MOV EAX,DWORD PTR FS:[30] ; IsDebuggerPresent 检测ring3级调试器

0058DBBF 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]

0058DBC3 0AC0 OR AL,AL

0058DBC5 75 1B JNZ SHORT <Found Debug>

0058DBC7 90 NOP

0058DBC8 90 NOP

0058DBC9 90 NOP

0058DBCA 90 NOP

0058DBCB EB 28 JMP SHORT <safe way>

0058DBCD 90 NOP

0058DBCE 90 NOP

0058DBCF 90 NOP

0058DBD0 > 64:67:A1 2000 MOV EAX,DWORD PTR FS:[20]

0058DBD5 0BC0 OR EAX,EAX

0058DBD7 75 09 JNZ SHORT <Found Debug>

0058DBD9 90 NOP

0058DBDA 90 NOP

0058DBDB 90 NOP

0058DBDC 90 NOP

0058DBDD EB 16 JMP SHORT <safe way>

0058DBDF 90 NOP

0058DBE0 90 NOP

0058DBE1 90 NOP

0058DBE2 > 8BBD 4B814100 MOV EDI,DWORD PTR SS:[EBP+41814B] ; 如果发现调试器就阴人了:-(

0058DBE8 03BD 46F84000 ADD EDI,DWORD PTR SS:[EBP+40F846]

0058DBEE B9 0A000000 MOV ECX,0A

0058DBF3 F3:AB REP STOS DWORD PTR ES:[EDI]

0058DBF5 > 60 PUSHAD ; Crypt code

0058DBF6 E8 00000000 CALL 0058DBFB

0058DBFB 5E POP ESI

0058DBFC 83EE 06 SUB ESI,6

0058DBFF B9 5E000000 MOV ECX,5E

0058DC04 29CE SUB ESI,ECX

0058DC06 BA 49F84A73 MOV EDX,734AF849

0058DC0B C1E9 02 SHR ECX,2

0058DC0E 83E9 02 SUB ECX,2

0058DC11 83F9 00 CMP ECX,0

0058DC14 7C 1A JL SHORT 0058DC30

0058DC16 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058DC19 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058DC1D 33C3 XOR EAX,EBX

0058DC1F C1C8 16 ROR EAX,16

0058DC22 03C2 ADD EAX,EDX

0058DC24 81F2 172969FF XOR EDX,FF692917

0058DC2A 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058DC2D 49 DEC ECX

0058DC2E ^ EB E1 JMP SHORT 0058DC11

0058DC30 61 POPAD

0058DC31 61 POPAD

0058DC32 C3 RETN

sub_chekRing0's Debug:

0058CC50 > 60 PUSHAD ; 检测ring0级调试器

0058CC51 D3DA RCR EDX,CL

0058CC53 45 INC EBP

0058CC54 E8 01000000 CALL 0058CC5A

0058CC59 - E9 83C4040F JMP 0F5D90E1

0058CC5E 8802 MOV BYTE PTR DS:[EDX],AL

0058CC60 0000 ADD BYTE PTR DS:[EAX],AL

......

0058CDFB . E8 00F3FFFF CALL <sub_GetEBP >

0058CE00 . E8 C7120000 CALL <EAX=0 Do something>

0058CE05 . 0BC0 OR EAX,EAX

0058CE07 . 0F85 6F010000 JNZ <not Found way>

0058CE0D . C685 501C4100>MOV BYTE PTR SS:[EBP+411C50],0C3 ; Check sice

0058CE14 . 8DB5 C11E4100 LEA ESI,DWORD PTR SS:[EBP+411EC1]

0058CE1A > > 6A 00 PUSH 0 ; /hTemplateFile = NULL

0058CE1C . 68 80000000 PUSH 80 ; |Attributes = NORMAL

0058CE21 . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING

0058CE23 . 6A 00 PUSH 0 ; |pSecurity = NULL

0058CE25 . 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

0058CE27 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

0058CE2C . 56 PUSH ESI ; |FileName = "\\.\SICE"

0058CE2D . 50 PUSH EAX ; |

0058CE2E . 8B85 2BFD4000 MOV EAX,DWORD PTR SS:[EBP+40FD2B] ; |

0058CE34 . 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; |检测API入口处有没有下CC断点

0058CE37 . 83E8 33 SUB EAX,33 ; |

0058CE3A . 3D 99000000 CMP EAX,99 ; |

0058CE3F . 74 10 JE SHORT 0058CE51 ; |

0058CE41 . 90 NOP ; |

0058CE42 . 90 NOP ; |

0058CE43 . 90 NOP ; |

0058CE44 . 90 NOP ; |

0058CE45 . 58 POP EAX ; |

0058CE46 . FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B] ; \CreateFileA

0058CE4C . EB 17 JMP SHORT 0058CE65

0058CE4E 90 NOP

0058CE4F 90 NOP

0058CE50 90 NOP

0058CE51 > B8 E8030000 MOV EAX,3E8

0058CE56 . E8 73EAFFFF CALL <Get_RND_VALUE>

0058CE5B . 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058CE61 . 03F8 ADD EDI,EAX

0058CE63 . AB STOS DWORD PTR ES:[EDI]

0058CE64 . 58 POP EAX

0058CE65 > 40 INC EAX

0058CE66 . 75 53 JNZ SHORT <Found Debug>

0058CE68 . 90 NOP

0058CE69 . 90 NOP

0058CE6A . 90 NOP

0058CE6B . 90 NOP

0058CE6C . 48 DEC EAX

0058CE6D . 50 PUSH EAX

0058CE6E . 50 PUSH EAX

0058CE6F . 8B85 27FD4000 MOV EAX,DWORD PTR SS:[EBP+40FD27] ; kernel32.CloseHandle

0058CE75 . 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]

0058CE78 . 83E8 33 SUB EAX,33

0058CE7B . 3D 99000000 CMP EAX,99

0058CE80 . 74 10 JE SHORT 0058CE92

0058CE82 . 90 NOP

0058CE83 . 90 NOP

0058CE84 . 90 NOP

0058CE85 . 90 NOP

0058CE86 . 58 POP EAX

0058CE87 . FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27] ; CloseHandle

0058CE8D . EB 17 JMP SHORT 0058CEA6

0058CE8F 90 NOP

0058CE90 90 NOP

0058CE91 90 NOP

0058CE92 > B8 E8030000 MOV EAX,3E8

0058CE97 . E8 32EAFFFF CALL <Get_RND_VALUE>

0058CE9C . 8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]

0058CEA2 . 03F8 ADD EDI,EAX

0058CEA4 . AB STOS DWORD PTR ES:[EDI]

0058CEA5 . 58 POP EAX

0058CEA6 > 46 INC ESI

0058CEA7 . 803E 00 CMP BYTE PTR DS:[ESI],0

0058CEAA .^ 75 FA JNZ SHORT 0058CEA6

0058CEAC . 46 INC ESI

0058CEAD . 803E 00 CMP BYTE PTR DS:[ESI],0

0058CEB0 . 0F84 C6000000 JE <not Found way>

0058CEB6 .^ E9 5FFFFFFF JMP <loop Check debug>

0058CEBB > > 61 POPAD ; Found Debug

0058CEBC .^ E9 59FFFFFF JMP <loop Check debug>

0058CEC1 . 5C 5C 2E 5C 5>ASCII "\\.\SICE",0

0058CECA . 5C 5C 2E 5C 4>ASCII "\\.\NTICE",0

0058CED4 . 5C 5C 2E 5C 4>ASCII "\\.\NTICE7871",0

0058CEE2 . 5C 5C 2E 5C 4>ASCII "\\.\NTICED052",0

0058CEF0 . 5C 5C 2E 5C 5>ASCII "\\.\TRWDEBUG",0

0058CEFD . 5C 5C 2E 5C 5>ASCII "\\.\TRW",0

0058CF05 . 5C 5C 2E 5C 5>ASCII "\\.\TRW2000",0

0058CF11 . 5C 5C 2E 5C 5>ASCII "\\.\SUPERBPM",0

0058CF1E . 5C 5C 2E 5C 4>ASCII "\\.\ICEDUMP",0

0058CF2A . 5C 5C 2E 5C 5>ASCII "\\.\REGMON",0

0058CF35 . 5C 5C 2E 5C 4>ASCII "\\.\FILEMON",0

0058CF41 . 5C 5C 2E 5C 5>ASCII "\\.\REGVXD",0

0058CF4C . 5C 5C 2E 5C 4>ASCII "\\.\FILEVXD",0

0058CF58 . 5C 5C 2E 5C 5>ASCII "\\.\VKEYPROD",0

0058CF65 . 5C 5C 2E 5C 4>ASCII "\\.\BW2K",0

0058CF6E . 5C 5C 2E 5C 5>ASCII "\\.\SIWDEBUG",0

0058CF7B 00 DB 00

0058CF7C > > 60 PUSHAD ; Good

0058CF7D . E8 00000000 CALL 0058CF82

0058CF82 /$ 5E POP ESI

0058CF83 |. 83EE 06 SUB ESI,6

0058CF86 |. B9 81010000 MOV ECX,181

0058CF8B |. 29CE SUB ESI,ECX

0058CF8D |. BA EE0A7B2E MOV EDX,2E7B0AEE

0058CF92 |. C1E9 02 SHR ECX,2

0058CF95 |. 83E9 02 SUB ECX,2

0058CF98 |> 83F9 00 CMP ECX,0

0058CF9B |. 7C 1A JL SHORT 0058CFB7

0058CF9D |. 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058CFA0 |. 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058CFA4 |. 33C3 XOR EAX,EBX

0058CFA6 |. C1C8 03 ROR EAX,3

0058CFA9 |> 33C2 XOR EAX,EDX

0058CFAB |. 81F2 27ABEB15 XOR EDX,15EBAB27

0058CFB1 |. 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058CFB4 |. 49 DEC ECX

0058CFB5 |.^ EB E1 JMP SHORT 0058CF98

0058CFB7 |> 61 POPAD

0058CFB8 |. 61 POPAD

0058CFB9 \. C3 RETN

chek IsDebuggerPresent:

0058DC38 > 60 PUSHAD ; chek IsDebuggerPresent

0058DC39 70 03 JO SHORT 0058DC3E

0058DC3B 66:8BCE MOV CX,SI

0058DC3E F8 CLC

......

0058DDE3 . E8 18E3FFFF CALL <sub_GetEBP >

0058DDE8 . E8 DF020000 CALL <EAX=0 Do something>

0058DDED . 0BC0 OR EAX,EAX

0058DDEF . 75 34 JNZ SHORT <Not Found debug>

0058DDF1 . 90 NOP

0058DDF2 . 90 NOP

0058DDF3 . 90 NOP

0058DDF4 . 90 NOP

0058DDF5 . C685 382C4100>MOV BYTE PTR SS:[EBP+412C38],0C3 ; 如果执行了相关功能则在入口入改为ret

0058DDFC . FF95 47FD4000 CALL DWORD PTR SS:[EBP+40FD47] ; [IsDebuggerPresent

0058DE02 . 0BC0 OR EAX,EAX

0058DE04 . 74 1F JE SHORT <Not Found debug>

0058DE06 . 90 NOP

0058DE07 . 90 NOP

0058DE08 . 90 NOP

0058DE09 . 90 NOP

0058DE0A . 8BB5 4B814100 MOV ESI,DWORD PTR SS:[EBP+41814B]

0058DE10 . 03B5 46F84000 ADD ESI,DWORD PTR SS:[EBP+40F846]

0058DE16 > AC LODS BYTE PTR DS:[ESI]

0058DE17 > 3C E8 CMP AL,0E8

0058DE19 . 74 08 JE SHORT 0058DE23

0058DE1B . 90 NOP

0058DE1C . 90 NOP

0058DE1D . 90 NOP

0058DE1E . 90 NOP

0058DE1F . 3C E9 CMP AL,0E9

0058DE21 .^ 75 F3 JNZ SHORT 0058DE16

0058DE23 > 8906 MOV DWORD PTR DS:[ESI],EAX ; 写上垃圾代码

0058DE25 > > 60 PUSHAD ; 没有找到调试器,则跳到这里

0058DE26 . E8 00000000 CALL 0058DE2B

0058DE2B $ 5E POP ESI

0058DE2C . 83EE 06 SUB ESI,6

0058DE2F . B9 42000000 MOV ECX,42

0058DE34 . 29CE SUB ESI,ECX

0058DE36 . BA 83CF06DD MOV EDX,DD06CF83

0058DE3B . C1E9 02 SHR ECX,2

0058DE3E . 83E9 02 SUB ECX,2

0058DE41 > > 83F9 00 CMP ECX,0

0058DE44 . 7C 1A JL SHORT 0058DE60

0058DE46 . 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058DE49 . 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058DE4D . 03C3 ADD EAX,EBX

0058DE4F . C1C0 09 ROL EAX,9

0058DE52 . 2BC2 SUB EAX,EDX

0058DE54 . 81C2 AC5210A3 ADD EDX,A31052AC

0058DE5A . 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058DE5D . 49 DEC ECX

0058DE5E .^ EB E1 JMP SHORT <Crypt Code>

0058DE60 > 61 POPAD

0058DE61 > 61 POPAD

0058DE62 . C3 RETN

sub_Check_UnhandledExceptionFilter:

0058D324 > 60 PUSHAD ; 检测该函数入口处是否下了CC断点

0058D325 87F8 XCHG EAX,EDI

0058D327 49 DEC ECX

0058D328 47 INC EDI

0058D329 F9 STC

......

0058D4CF > \E8 2CECFFFF CALL <sub_GetEBP >

0058D4D4 . E8 F30B0000 CALL <EAX=0 Do something>

0058D4D9 . 0BC0 OR EAX,EAX

0058D4DB . 75 3E JNZ SHORT 0058D51B

0058D4DD . 90 NOP

0058D4DE . 90 NOP

0058D4DF . 90 NOP

0058D4E0 . 90 NOP

0058D4E1 . C685 24234100>MOV BYTE PTR SS:[EBP+412324],0C3 ; 改入口为ret

0058D4E8 . 8D9D F8244100 LEA EBX,DWORD PTR SS:[EBP+4124F8]

0058D4EE . E8 40F7FFFF CALL <sub_CHECKAPI_CC> ; 检测UnhandledExceptionFilter入口有没有处CC断点

0058D4F3 . EB 26 JMP SHORT 0058D51B

0058D4F5 90 NOP

0058D4F6 90 NOP

0058D4F7 90 NOP

0058D4F8 . 8B85 5FFD4000 MOV EAX,DWORD PTR SS:[EBP+40FD5F]

0058D4FE . 8038 CC CMP BYTE PTR DS:[EAX],0CC

0058D501 . 75 17 JNZ SHORT 0058D51A

0058D503 > 90 NOP

0058D504 . 90 NOP

0058D505 . 90 NOP

0058D506 . 90 NOP

0058D507 . B8 90010000 MOV EAX,190

0058D50C . E8 BDE3FFFF CALL <Get_RND_VALUE>

0058D511 . 8DBD 812E4000 LEA EDI,DWORD PTR SS:[EBP+402E81]

0058D517 . 03F8 ADD EDI,EAX

0058D519 . AB STOS DWORD PTR ES:[EDI]

0058D51A > C3 RETN

0058D51B > 60 PUSHAD ; Crypt Code

0058D51C . E8 00000000 CALL 0058D521

0058D521 /$ 5E POP ESI

0058D522 |. 83EE 06 SUB ESI,6

0058D525 |. B9 4C000000 MOV ECX,4C

0058D52A |. 29CE SUB ESI,ECX

0058D52C |> BA 02CA9EA2 MOV EDX,A29ECA02

0058D531 |. C1E9 02 SHR ECX,2

0058D534 |. 83E9 02 SUB ECX,2

0058D537 |> 83F9 00 /CMP ECX,0

0058D53A |. 7C 1A |JL SHORT 0058D556

0058D53C |. 8B048E |MOV EAX,DWORD PTR DS:[ESI+ECX*4]

0058D53F |. 8B5C8E 04 |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]

0058D543 |. 33C3 |XOR EAX,EBX

0058D545 |. C1C8 1A |ROR EAX,1A

0058D548 |. 03C2 |ADD EAX,EDX

0058D54A |. 81EA F6727BC1 |SUB EDX,C17B72F6

0058D550 |. 89048E |MOV DWORD PTR DS:[ESI+ECX*4],EAX

0058D553 |. 49 |DEC ECX

0058D554 |.^ EB E1 \JMP SHORT 0058D537

0058D556 |> 61 POPAD

0058D557 |. 61 POPAD

0058D558 \. C3 RETN

sub_CHECKAPI_CC:

0058CC33 > $ 33C0 XOR EAX,EAX

0058CC35 . 8DBD F6FD4000 LEA EDI,DWORD PTR SS:[EBP+40FDF6] ; 取该API

0058CC3B . 57 PUSH EDI

0058CC3C . 64:FF30 PUSH DWORD PTR FS:[EAX]

0058CC3F . 64:8920 MOV DWORD PTR FS:[EAX],ESP

0058CC42 . FFD3 CALL EBX

0058CC44 . 2BC0 SUB EAX,EAX

0058CC46 . 64:8F00 POP DWORD PTR FS:[EAX]

0058CC49 . 58 POP EAX

0058CC4A . C3 RETN

sub_GOTO_END:

00592ECE > E8 25000000 CALL <GOTO END>

00592ED3 42 INC EDX

00592ED4 79 20 JNS SHORT 00592EF6

00592ED6 54 PUSH ESP

00592ED7 72 69 JB SHORT 00592F42

00592ED9 61 POPAD

00592EDA 6C INS BYTE PTR ES:[EDI],DX ; I/O command

00592EDB 2041 43 AND BYTE PTR DS:[ECX+43],AL

00592EDE 50 PUSH EAX

00592EDF 72 6F JB SHORT 00592F50

00592EE1 74 65 JE SHORT 00592F48

00592EE3 637400 73 ARPL WORD PTR DS:[EAX+EAX+73],SI

00592EE7 74 65 JE SHORT 00592F4E

00592EE9 72 65 JB SHORT 00592F50

00592EEB 64:2041 43 AND BYTE PTR FS:[ECX+43],AL

00592EEF 50 PUSH EAX

00592EF0 72 6F JB SHORT 00592F61

00592EF2 74 65 JE SHORT 00592F59

00592EF4 637421 00 ARPL WORD PTR DS:[ECX],SI

00592EF8 > 6A 00 PUSH 0 ; GOTO END改为jmp [addr] 的方式执行到fake OEP地址

00592EFA 83C4 10 ADD ESP,10

00592EFD 90 NOP

......

005930A9 E8 5290FFFF CALL <sub_GetEBP >

005930AE 8B85 4B814100 MOV EAX,DWORD PTR SS:[EBP+41814B]

005930B4 0385 46F84000 ADD EAX,DWORD PTR SS:[EBP+40F846]

005930BA 8985 4B814100 MOV DWORD PTR SS:[EBP+41814B],EAX ; 要去执行的地址

005930C0 E8 3B90FFFF CALL <sub_GetEBP >

005930C5 C685 08814100 E>MOV BYTE PTR SS:[EBP+418108],0E8

005930CC E8 2F90FFFF CALL <sub_GetEBP >

005930D1 C785 09814100 F>MOV DWORD PTR SS:[EBP+418109],25FF ; 改成jmp [address]的方式

005930DB 8D85 4B814100 LEA EAX,DWORD PTR SS:[EBP+41814B]

005930E1 8985 0B814100 MOV DWORD PTR SS:[EBP+41810B],EAX

005930E7 E8 1490FFFF CALL <sub_GetEBP >

005930EC 8DBD B87E4100 LEA EDI,DWORD PTR SS:[EBP+417EB8]

005930F2 8D8D FD804100 LEA ECX,DWORD PTR SS:[EBP+4180FD]

005930F8 2BCF SUB ECX,EDI

005930FA C1E9 02 SHR ECX,2

005930FD > E8 CC87FFFF CALL <Get_RND_VALUE> ; Fill junk code

00593102 AB STOS DWORD PTR ES:[EDI]

00593103 ^ E2 F8 LOOPD SHORT <sub_fill_Junk> ; 循环填上垃圾代码，

00593105 61 POPAD

00593106 EB 01 JMP SHORT 00593109

00593108 90 NOP

00593109 - FF25 4B315900 JMP DWORD PTR DS:[59314B] ; JMP to FAKE OEP

OK,分析篇到此结束，后面的脱壳篇基本上是体力活了。下次会脱出美女来的:-P。

再贴上acprotect 1.41的部分东西,：

[EBP+40F76C]注册标志1,这里为1则表示没有注册提示

[EBP+414C63]注册标志2,这里为0则表示没有注册提示

[EBP+418520]GetModuleHandleA

[EBP+418524]LoadLibraryA

[EBP+402012]hModule==kernel32.dll

[EBP+41851C]GetProcAddress

[EBP+40FCFF]保存壳API的开始地址

[EBP+41851C]壳输入表起始位置

[EBP+40F907]程序输入表起始位置

[EBP+415AF7]重定位表的RVA

[EBP+415AFB]重定位表的SIZE

[EBP+401CCD]保存用了SDK地址大小列表的起始地址

[EBP+401B3D]保存用了SDK地址列表的起始地址

[EBP+4152A5]如果值为C3表示已经处理完输入表或输入表为空

[EBP+40F76D]保存可用次数或天数

[EBP+40FD5F]UnhandledExceptionFilter

[EBP+41814B]Stolen code后执行到该地址，记录RVA

[EBP+41816F]保存正确的CRC值

[EBP+401650];保存程序的OEP

[EBP+401654];保存壳的入口EP

Greetz:

Fly.Jingulong,yock,tDasm.David.hexer,hmimys,ahao.UFO(brother).alan(sister).all of my friends and you!

By loveboom[DFCG][FCG][US]

http://blog.csdn.net/bmd2chen

Email:loveboom#163.com

Date:2005-6-11 2:35

• ·网页左右上下浮动广告代码制作
• ·Java服务器端编程安全必读
• ·漫谈Javascript
• ·Diablo 2oo2’s CrackMe 2
• ·diablo2002’s crackme1算法
• ·Linux内核编程风格
• ·C#编写的windows计算器-源代码
• ·Tc2.0编写俄罗斯方块游戏
• ·C++代码优化方法总结
• ·彻底搞定JSP在线人数（原创）