PESpin v1.1 Complete Packer Analysis

Author: unknown   Source: 月光软件站   Added: 2005-5-13


【Target】: PESpin v1.1 main program
【Tools】: OllyDbg 1.1 (DIY build), LordPE, ImportREC 1.6F
【Task】: analyze the packer
【Platform】: WinXP SP2
【Author】: LOVEBOOM[DFCG][FCG][US]
【Related links】: go search the web yourself
【Summary】: This article is something of a gift for yock. A while ago I promised him I would look at this version of the packer, and I am really sorry it took so long :). I had a look once before and found this version considerably strengthened over the previous one: there is a lot more code to patch, and the packer adds a very useful SDK. Protecting a program with the SDK strengthens it quite a bit, although the packer's PE header code stripping feels a bit pointless :).
【Details】:
I went through PESpin v0.7 from beginning to end, and did the same with this version, mainly to see what had been improved. The result was a bit disappointing: there is nothing new in the loader, and to this day the packer still does not anti-OllyDbg. I don't know whether the author is deliberately going easy on us :).
Two steps: analysis, then unpacking.
Step 1: Analysis
Load the target program in OD, analyze it slowly and savor it carefully ^_^.
00412087 > /EB 01              JMP SHORT 0041208A                         ; EP
00412089   |90                 NOP
0041208A   \60                 PUSHAD
0041208B    E8 00000000        CALL 00412090
00412090    8B1C24             MOV EBX,DWORD PTR SS:[ESP]                 ; SMC
00412093    83C3 12            ADD EBX,12
00412096    812B E8B10600      SUB DWORD PTR DS:[EBX],6B1E8
0041209C    FE4B FD            DEC BYTE PTR DS:[EBX-3]
0041209F    822C24 7D          SUB BYTE PTR SS:[ESP],7D
004120A3    DE46 00            FIADD WORD PTR DS:[ESI]
004120A6    0BE4               OR ESP,ESP
004120A8  ^ 74 9E              JE SHORT 00412048
……
004120F1    8B95 C34B4000      MOV EDX,DWORD PTR SS:[EBP+404BC3]          ; [EBP+404BC3]=hModule(400000)
004120F7    8B42 3C            MOV EAX,DWORD PTR DS:[EDX+3C]
004120FA    03C2               ADD EAX,EDX
004120FC    8985 CD4B4000      MOV DWORD PTR SS:[EBP+404BCD],EAX          ; [EBP+404BCD] holds the PE header (4000D0)
……
00412134    41                 INC ECX
00412135    C1E1 07            SHL ECX,7
00412138    8B0C01             MOV ECX,DWORD PTR DS:[ECX+EAX]             ; locate the import table RVA (12000)
0041213B    03CA               ADD ECX,EDX                                ; convert to VA
……
0041214E    8B59 10            MOV EBX,DWORD PTR DS:[ECX+10]              ; locate OriginalFirstThunk
00412151    03DA               ADD EBX,EDX
00412153    8B1B               MOV EBX,DWORD PTR DS:[EBX]                 ; fetch the address of MessageBoxA
00412155    899D E14B4000      MOV DWORD PTR SS:[EBP+404BE1],EBX          ; result stored at [EBP+404BE1]
0041215B    53                 PUSH EBX
0041215C    8F85 D7494000      POP DWORD PTR SS:[EBP+4049D7]              ; address also stored in [EBP+4049D7]
00412162    BB CC000000        MOV EBX,0CC
00412167    B9 FE110000        MOV ECX,11FE
0041216C    8DBD 714C4000      LEA EDI,DWORD PTR SS:[EBP+404C71]
00412172    4F                 DEC EDI
……
0041217F    301C39             XOR BYTE PTR DS:[ECX+EDI],BL
00412182    FECB               DEC BL
00412184    49                 DEC ECX
00412185    9C                 PUSHFD
00412186    C12C24 06          SHR DWORD PTR SS:[ESP],6
0041218A    F71424             NOT DWORD PTR SS:[ESP]
0041218D    832424 01          AND DWORD PTR SS:[ESP],1
00412191    50                 PUSH EAX
00412192    52                 PUSH EDX
00412193    B8 83B2DC12        MOV EAX,12DCB283
00412198    05 444D23ED        ADD EAX,ED234D44
0041219D    F76424 08          MUL DWORD PTR SS:[ESP+8]
004121A1    8D8428 BD2D4000    LEA EAX,DWORD PTR DS:[EAX+EBP+402DBD]
004121A8    894424 08          MOV DWORD PTR SS:[ESP+8],EAX
004121AC    5A                 POP EDX
004121AD    58                 POP EAX
004121AE    8D6424 04          LEA ESP,DWORD PTR SS:[ESP+4]
004121B2    FF6424 FC          JMP DWORD PTR SS:[ESP-4]                   ; decode code backwards starting from 415269, size 11FE
……
004121CE    8170 03 E89868EA   XOR DWORD PTR DS:[EAX+3],EA6898E8          ; SMC
004121D5    83C0 21            ADD EAX,21
……
004121E3    68 CB000000        PUSH 0CB
004121E8    59                 POP ECX                                    ; decode size 0CB
004121E9    8DBD A35D4000      LEA EDI,DWORD PTR SS:[EBP+405DA3]          ; [EBP+405DA3]=[41519E]
004121EF    90                 NOP
004121F0    90                 NOP
004121F1    90                 NOP
004121F2    90                 NOP
004121F3    90                 NOP
004121F4    90                 NOP
004121F5    90                 NOP
004121F6    90                 NOP
004121F7    90                 NOP
004121F8    90                 NOP
004121F9    90                 NOP
004121FA    90                 NOP
004121FB    90                 NOP
004121FC    90                 NOP
004121FD    90                 NOP
004121FE    90                 NOP
004121FF    90                 NOP
00412200    C00C39 02          ROR BYTE PTR DS:[ECX+EDI],2                ; KEY=2
00412204    49                 DEC ECX
……
00412205    9C                 PUSHFD
00412206    C12C24 06          SHR DWORD PTR SS:[ESP],6
0041220A    F71424             NOT DWORD PTR SS:[ESP]
0041220D    832424 01          AND DWORD PTR SS:[ESP],1
00412211    50                 PUSH EAX
00412212    52                 PUSH EDX
00412213    B8 72B2DC12        MOV EAX,12DCB272
00412218    05 444D23ED        ADD EAX,ED234D44
0041221D    F76424 08          MUL DWORD PTR SS:[ESP+8]
00412221    8D8428 3E2E4000    LEA EAX,DWORD PTR DS:[EAX+EBP+402E3E]
00412228 >  894424 08          MOV DWORD PTR SS:[ESP+8],EAX                ; PESpin.00412239
0041222C    5A                 POP EDX
0041222D    58                 POP EAX
0041222E    8D6424 04          LEA ESP,DWORD PTR SS:[ESP+4]
00412232    FF6424 FC          JMP DWORD PTR SS:[ESP-4]                    ; loop decodes upward starting from 415269, decode size 0CB
……
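The loop exit at 004121B2 and 00412232 is an obfuscated conditional jump that can be resolved statically. The Python below is an added example, not code from the article or from PESpin; every constant comes from the listing, and the relocation delta EBP is derived from the comment [EBP+405DA3]=[41519E].

```python
# Added example (not from the original article): statically resolving the
# obfuscated conditional jump PESpin places after each decode loop. Every
# instance has the same shape:
#   PUSHFD / SHR [ESP],6 / NOT [ESP] / AND [ESP],1   -> 1 if ZF clear, else 0
#   MOV EAX,c1 / ADD EAX,c2                          -> c1+c2, a small negative
#   MUL [ESP+8]                                      -> (c1+c2) * flag
#   LEA EAX,[EAX+EBP+disp] / JMP [ESP-4]             -> EBP+disp, or EBP+disp+(c1+c2)
# EBP holds the loader's relocation delta; the constants below come from the listing.

MASK32 = 0xFFFFFFFF


def loop_flag(eflags: int) -> int:
    """Replicates PUSHFD; SHR [ESP],6; NOT [ESP]; AND [ESP],1 on an EFLAGS value."""
    return (~(eflags >> 6)) & 1        # bit 6 of EFLAGS is ZF


def relocation_delta(absolute: int, displacement: int) -> int:
    """Recover EBP from one listing comment of the form [EBP+disp]=[abs]."""
    return (absolute - displacement) & MASK32


def to_signed32(value: int) -> int:
    """Interpret a 32-bit value as x86 does, so c1+c2 reads as a negative step."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def resolve_jump(c1: int, c2: int, disp: int, ebp: int) -> tuple:
    """Return (fallthrough, loop_head) for one instance of the pattern.

    MUL by the flag leaves either 0 or c1+c2 in EAX, so the LEA yields
    EBP+disp when the counter reached zero and EBP+disp+(c1+c2) otherwise.
    """
    step = (c1 + c2) & MASK32
    fallthrough = (ebp + disp) & MASK32
    loop_head = (fallthrough + step) & MASK32
    return fallthrough, loop_head


# EBP derived from the comment "[EBP+405DA3]=[41519E]" in the listing.
EBP = relocation_delta(0x41519E, 0x405DA3)

# (address of the MOV EAX, c1, c2, disp) for each instance visible in the listing.
INSTANCES = [
    (0x00412193, 0x12DCB283, 0xED234D44, 0x402DBD),
    (0x00412213, 0x12DCB272, 0xED234D44, 0x402E3E),
    (0x004147A4, 0x10DCB277, 0xEF234D44, 0x4053D2),
    (0x0041267D, 0x12DCB204, 0xED234D44, 0x4032A8),
    (0x00412725, 0xF2ABBFCE, 0x0D543FEB, 0x40334F),
    (0x004149A7, 0x32DCBF5E, 0xCD234044, 0x4055D4),
    (0x00414AAF, 0x12DCB261, 0xED234D44, 0x4056D9),
]


def resolve_all(ebp: int = EBP) -> dict:
    """Map each instance's address to its (fallthrough, loop_head) pair."""
    return {addr: resolve_jump(c1, c2, disp, ebp) for addr, c1, c2, disp in INSTANCES}


if __name__ == "__main__":
    print(f"EBP = {EBP:08X}")
    for addr, c1, c2, disp in INSTANCES:
        fall, head = resolve_jump(c1, c2, disp, EBP)
        print(f"{addr:08X}: step {to_signed32(c1 + c2):4d}  exit -> {fall:08X}  loop -> {head:08X}")
```

For the first instance the result is exit 004121B8 and loop head 0041217F, which is the XOR at the top of the decode loop; the second resolves to 00412239, matching the address OllyDbg annotated on the MOV at 00412228.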
00413F09    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]            ; get KERNELBASE
00413F0D    81E7 0000FFFF   AND EDI,FFFF0000
……
00413F23    90              NOP
00413F24    BA 246BDE21     MOV EDX,21DE6B24
00413F29    81F2 6931DE21   XOR EDX,21DE3169                         ; EDX=PE sig(5A4D)
00413F2F    66:3917         CMP WORD PTR DS:[EDI],DX
00413F32    75 17           JNZ SHORT 00413F4B                       ; check whether the DOS header has been located
00413F34    81C2 EFA5FFFF   ADD EDX,FFFFA5EF
00413F3A    0FB7143A        MOVZX EDX,WORD PTR DS:[EDX+EDI]
00413F3E    66:F7C2 00F8    TEST DX,0F800
00413F43    75 06           JNZ SHORT 00413F4B
00413F45    3B7C3A 34       CMP EDI,DWORD PTR DS:[EDX+EDI+34]
00413F49    74 08           JE SHORT 00413F53
00413F4B    81EF 00000100   SUB EDI,10000                            ; UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"
00413F51  ^ EB C0           JMP SHORT 00413F13                       ; subtract 10000 and go back around
00413F53    97              XCHG EAX,EDI                             ; the KERNELBASE found is saved in EAX
……
00413F65    68 F44B4000     PUSH 00404BF4
00413F6A    50              PUSH EAX                                 ; push kerbase(7c800000)
00413F6B    8785 E54B4000   XCHG DWORD PTR SS:[EBP+404BE5],EAX       ; save KERNELBASE to [EBP+404BE5]=(413FE0)
00413F71    016C24 04       ADD DWORD PTR SS:[ESP+4],EBP
00413F75    8D85 ECA183EB   LEA EAX,DWORD PTR SS:[EBP+EB83A1EC]
00413F7B    8D80 BDAABC14   LEA EAX,DWORD PTR DS:[EAX+14BCAABD]
……
00413F8A    FFD0            CALL EAX                                 ; EAX=4140A4, inside is where the addresses of the relevant APIs are obtained
Let's step in and take a look:
004140A4    59              POP ECX
004140A5    58              POP EAX
004140A6    5F              POP EDI                                  ; EDI=413FEF
004140A7    90              NOP
004140A8    90              NOP
004140A9    90              NOP
004140AA    90              NOP
004140AB    90              NOP
004140AC    90              NOP
004140AD    90              NOP
004140AE    90              NOP
004140AF    90              NOP
004140B0    41              INC ECX
004140B1    41              INC ECX
004140B2    51              PUSH ECX                                 ; ECX=413F8E
004140B3    8BF0            MOV ESI,EAX
004140B5    0340 3C         ADD EAX,DWORD PTR DS:[EAX+3C]            ; locate the PE header
004140B8    8B40 78         MOV EAX,DWORD PTR DS:[EAX+78]            ; locate the export table
004140BB    03C6            ADD EAX,ESI
004140BD    FF70 20         PUSH DWORD PTR DS:[EAX+20]               ; AddressofNames
004140C0    5B              POP EBX
004140C1    03DE            ADD EBX,ESI
004140C3    FF70 18         PUSH DWORD PTR DS:[EAX+18]               ; NumberofNames
004140C6    8F85 674D4000   POP DWORD PTR SS:[EBP+404D67]            ; [EBP+404D67] holds NumberOfNames
004140CC    FF70 24         PUSH DWORD PTR DS:[EAX+24]               ; AddressofNamesOrdnials
004140CF    5A              POP EDX
004140D0    03D6            ADD EDX,ESI
004140D2    FF70 1C         PUSH DWORD PTR DS:[EAX+1C]               ; AddressofFunctions
004140D5    59              POP ECX
004140D6    03CE            ADD ECX,ESI
004140D8    898D 574D4000   MOV DWORD PTR SS:[EBP+404D57],ECX        ; [EBP+404D57] holds AddressOfFunctions
004140DE    83EF 05         SUB EDI,5
004140E1    83C7 05         ADD EDI,5
004140E4    833F 00         CMP DWORD PTR DS:[EDI],0
004140E7    0F84 9D000000   JE 0041418A
004140ED    8A07            MOV AL,BYTE PTR DS:[EDI]
004140EF    8885 1B4D4000   MOV BYTE PTR SS:[EBP+404D1B],AL
004140F5    FF77 01         PUSH DWORD PTR DS:[EDI+1]
004140F8    8F85 474D4000   POP DWORD PTR SS:[EBP+404D47]
004140FE    53              PUSH EBX
004140FF    52              PUSH EDX
00414100    57              PUSH EDI
00414101    2BC9            SUB ECX,ECX
00414103    90              NOP
00414104    90              NOP
00414105    90              NOP
00414106    90              NOP
00414107    90              NOP
00414108    90              NOP
00414109    90              NOP
0041410A    90              NOP
0041410B    90              NOP
0041410C    90              NOP
0041410D    90              NOP
0041410E    90              NOP
0041410F    8B3B            MOV EDI,DWORD PTR DS:[EBX]
00414111    03FE            ADD EDI,ESI
00414113    807F 02 61      CMP BYTE PTR DS:[EDI+2],61               ; get the address of LoadLibraryA
00414117    75 43           JNZ SHORT 0041415C
00414119    E8 02000000     CALL 00414120
0041411E    90              NOP
0041411F    90              NOP
00414120    58              POP EAX
00414121    8D6424 FC       LEA ESP,DWORD PTR SS:[ESP-4]
00414125    05 23000000     ADD EAX,23
0041412A    890424          MOV DWORD PTR SS:[ESP],EAX
0041412D    8D85 CA8A94ED   LEA EAX,DWORD PTR SS:[EBP+ED948ACA]
00414133    2D 353D54ED     SUB EAX,ED543D35
00414138    50              PUSH EAX
00414139    C3              RETN
0041413A    3BC3            CMP EAX,EBX
0041413C    74 35           JE SHORT 00414173
0041413E    2BC2            SUB EAX,EDX
00414140    9A 3D72423E C07>CALL FAR 75C0:3E42723D                   ; Far call
00414147    14 8D           ADC AL,8D
00414149    04 4A           ADD AL,4A
0041414B    0FB700          MOVZX EAX,WORD PTR DS:[EAX]
0041414E    C1E0 02         SHL EAX,2
00414151    05 5426807C     ADD EAX,7C802654
00414156    8B00            MOV EAX,DWORD PTR DS:[EAX]
00414158    03C6            ADD EAX,ESI
0041415A    EB 0E           JMP SHORT 0041416A
0041415C    83C3 04         ADD EBX,4
0041415F    41              INC ECX
00414160    81F9 B5030000   CMP ECX,3B5
00414166  ^ 75 A7           JNZ SHORT 0041410F
00414168    33C0            XOR EAX,EAX
0041416A    5F              POP EDI
0041416B    5A              POP EDX
0041416C    5B              POP EBX
0041416D    0BC0            OR EAX,EAX
0041416F    74 1B           JE SHORT 0041418C
00414171    90              NOP
00414172    90              NOP
00414173    90              NOP
00414174    90              NOP
00414175    90              NOP
00414176    90              NOP
00414177    90              NOP
00414178    90              NOP
00414179    90              NOP
0041417A    8038 CC         CMP BYTE PTR DS:[EAX],0CC                ; check whether a breakpoint has been set
0041417D    75 03           JNZ SHORT 00414182
0041417F    8028 00         SUB BYTE PTR DS:[EAX],0
00414182    8947 01         MOV DWORD PTR DS:[EDI+1],EAX
00414185  ^ E9 57FFFFFF     JMP 004140E1
0041418A    0BC0            OR EAX,EAX
0041418C    EB 01           JMP SHORT 0041418F
0041418E    90              NOP
0041418F    C3              RETN
The following APIs are obtained:
LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
CloseHandle
VirtualAlloc
VirtualFree
CreateFileA
ReadFile
GetTickCount
GetModuleHandleA
CreateThread
Sleep
GetCurrentProcessID
OpenProcess
TerminateProcess
GetFileSize
GetModuleFileNameA
……
00412267    B8 944380EF     MOV EAX,EF804394
0041226C    2BC9            SUB ECX,ECX
0041226E    83C9 15         OR ECX,15
00412271    0FA3C8          BT EAX,ECX
00412274    0F83 81000000   JNB 004122FB                             ; jumps here if no protection password is set, so for a program that requires a password, forcing the jump is useless
0041227A    8DB40D D44B4000 LEA ESI,DWORD PTR SS:[EBP+ECX+404BD4]
00412281    8BD6            MOV EDX,ESI
00412283    B9 10000000     MOV ECX,10
00412288    AC              LODS BYTE PTR DS:[ESI]
00412289    84C0            TEST AL,AL
0041228B    74 06           JE SHORT 00412293
0041228D    C04E FF 03      ROR BYTE PTR DS:[ESI-1],3
00412291  ^ E2 F5           LOOPD SHORT 00412288
00412293    E8 00000000     CALL 00412298
00412298    59              POP ECX
00412299    81C1 1D000000   ADD ECX,1D
0041229F    52              PUSH EDX
004122A0    51              PUSH ECX
004122A1    C1E9 05         SHR ECX,5
004122A4    23D1            AND EDX,ECX
004122A6    FFA5 F54B4000   JMP DWORD PTR SS:[EBP+404BF5]
004122AC    0BC0            OR EAX,EAX
004122AE    0F85 3F0A0000   JNZ 00412CF3
004122B4    A3 8D8D534C     MOV DWORD PTR DS:[4C538D8D],EAX
004122B9    40              INC EAX
004122BA    0051 50         ADD BYTE PTR DS:[ECX+50],DL
004122BD    8D85 19F54500   LEA EAX,DWORD PTR SS:[EBP+45F519]
004122C3    2D 70A80500     SUB EAX,5A870
004122C8    FFD0            CALL EAX
004122CA    0BC0            OR EAX,EAX
004122CC    0F84 D41B0000   JE 00413EA6
004122D2    8DBD AB454000   LEA EDI,DWORD PTR SS:[EBP+4045AB]
004122D8    2BC9            SUB ECX,ECX
004122DA    2BC0            SUB EAX,EAX
004122DC    B0 23           MOV AL,23
004122DE    41              INC ECX
004122DF    32C1            XOR AL,CL
004122E1    48              DEC EAX
004122E2    284439 FF       SUB BYTE PTR DS:[ECX+EDI-1],AL
004122E6    81F9 F4030000   CMP ECX,3F4
004122EC  ^ 75 F0           JNZ SHORT 004122DE
004122EE    8D85 6A894000   LEA EAX,DWORD PTR SS:[EBP+40896A]
004122F4    05 5EBDFFFF     ADD EAX,FFFFBD5E
004122F9    FFD0            CALL EAX                                 ; inside is the code that shows the password dialog; note the packer does not compare the password directly
004122FB    EB 01           JMP SHORT 004122FE
……
00414776    68 A0050000     PUSH 5A0
0041477B    59              POP ECX                                  ; push size 5a0
0041477C    8DBD 8B304000   LEA EDI,DWORD PTR SS:[EBP+40308B]
00414782    81EF 2A010000   SUB EDI,12A
00414788    D1EB            SHR EBX,1
0041478A    73 06           JNB SHORT 00414792
0041478C    81F3 3488328C   XOR EBX,8C328834
00414792    301F            XOR BYTE PTR DS:[EDI],BL                 ; decode downward starting from 41235c, SIZE:5A0
00414794    47              INC EDI
00414795    49              DEC ECX
00414796    9C              PUSHFD
00414797    C12C24 06       SHR DWORD PTR SS:[ESP],6
0041479B    F71424          NOT DWORD PTR SS:[ESP]
0041479E    832424 01       AND DWORD PTR SS:[ESP],1
004147A2    50              PUSH EAX
004147A3    52              PUSH EDX
004147A4    B8 77B2DC10     MOV EAX,10DCB277
004147A9    05 444D23EF     ADD EAX,EF234D44
004147AE    F76424 08       MUL DWORD PTR SS:[ESP+8]
004147B2    8D8428 D2534000 LEA EAX,DWORD PTR DS:[EAX+EBP+4053D2]
004147B9    894424 08       MOV DWORD PTR SS:[ESP+8],EAX             ; PESpin.004147CD
004147BD    5A              POP EDX
004147BE    58              POP EAX
004147BF    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
004147C3    FF6424 FC       JMP DWORD PTR SS:[ESP-4]
……
004123D9    68 FF000000     PUSH 0FF                                 ; /BufSize = FF (255.)
004123DE    56              PUSH ESI                                 ; |PathBuffer = PESpin.00412000
004123DF    6A 00           PUSH 0                                   ; |hModule = NULL
004123E1    53              PUSH EBX                                 ; |Return address
004123E2    FFA5 4A4C4000   JMP DWORD PTR SS:[EBP+404C4A]            ; \GetModuleFileNameA
……
 
 
004123F6    6A 00           PUSH 0                                   ; /hTemplateFile = NULL
004123F8    68 80000000     PUSH 80                                  ; |Attributes = NORMAL
004123FD    6A 03           PUSH 3                                   ; |Mode = OPEN_EXISTING
004123FF    6A 00           PUSH 0                                   ; |pSecurity = NULL
00412401    6A 01           PUSH 1                                   ; |ShareMode = FILE_SHARE_READ
00412403    68 00000080     PUSH 80000000                            ; |Access = GENERIC_READ
00412408    56              PUSH ESI                                 ; |FileName
00412409    53              PUSH EBX                                 ; |Return address
0041240A    FFA5 184C4000   JMP DWORD PTR SS:[EBP+404C18]            ; \CreateFileA
……
00412413    E8 01000000     CALL 00412419
00412418    90              NOP
00412419    5A              POP EDX
0041241A    81C2 1A000000   ADD EDX,1A
00412420    8985 8F5E4000   MOV DWORD PTR SS:[EBP+405E8F],EAX
00412426    93              XCHG EAX,EBX
00412427    6A 00           PUSH 0                                   ; /pFileSizeHigh = NULL
00412429    53              PUSH EBX                                 ; |hFile = 00000040 (window)
0041242A    52              PUSH EDX                                 ; |Return Address
0041242B    FFA5 454C4000   JMP DWORD PTR SS:[EBP+404C45]            ; \GetFileSize
00412431    90              NOP
00412432    E8 01000000     CALL 00412438
00412437    90              NOP
00412438    5A              POP EDX
00412439    81C2 24000000   ADD EDX,24
0041243F    8BD8            MOV EBX,EAX
00412441    53              PUSH EBX
00412442    8F85 9B5E4000   POP DWORD PTR SS:[EBP+405E9B]
00412448    6A 04           PUSH 4                                   ; /Protect = PAGE_READWRITE
0041244A    68 00300000     PUSH 3000                                ; |AllocationType = MEM_COMMIT|MEM_RESERVE
0041244F    50              PUSH EAX                                 ; |Size = D400 (54272.)
00412450    6A 00           PUSH 0                                   ; |Address = NULL
00412452    52              PUSH EDX                                 ; |Return address
00412453    FFA5 0E4C4000   JMP DWORD PTR SS:[EBP+404C0E]            ; \VirtualAlloc
00412459    90              NOP
0041245A    90              NOP
0041245B    50              PUSH EAX
0041245C    8F85 C94B4000   POP DWORD PTR SS:[EBP+404BC9]            ; [EBP+404BC9]=[413FC4] holds hMem
00412462    8D8D 9B5E4000   LEA ECX,DWORD PTR SS:[EBP+405E9B]
00412468    E8 01000000     CALL 0041246E
0041246D    90              NOP
0041246E    5A              POP EDX
0041246F    81C2 1E000000   ADD EDX,1E
00412475    6A 00           PUSH 0                                   ; /pOverlapped = NULL
00412477    51              PUSH ECX                                 ; |pBytesRead = PESpin.00415296
00412478    53              PUSH EBX                                 ; |BytesToRead = D400 (54272.)
00412479    50              PUSH EAX                                 ; |Buffer = 003D0000
0041247A    FFB5 8F5E4000   PUSH DWORD PTR SS:[EBP+405E8F]           ; |hFile = 00000040 (window)
00412480    52              PUSH EDX                                 ; |Return Address
00412481    FFA5 1D4C4000   JMP DWORD PTR SS:[EBP+404C1D]            ; \ReadFile
00412487    90              NOP
00412488    90              NOP
00412489    90              NOP
0041248A    90              NOP
0041248B    E8 01000000     CALL 00412491
00412490    90              NOP
00412491    5A              POP EDX
00412492    81C2 17000000   ADD EDX,17
00412498    FFB5 8F5E4000   PUSH DWORD PTR SS:[EBP+405E8F]           ; /hObject = 00000040 (window)
0041249E    52              PUSH EDX                                 ; |Return address
0041249F    FFA5 094C4000   JMP DWORD PTR SS:[EBP+404C09]            ; \CloseHandle
004124A5    90              NOP
004124A6    90              NOP
……
004124E4    FFD0            CALL EAX                                 ; compute the CRC value
004124E6    2985 A35E4000   SUB DWORD PTR SS:[EBP+405EA3],EAX        ; [EBP+405EA3]=[0041529E]
004124EC    E8 01000000     CALL 004124F2
004124F1    90              NOP
004124F2    5A              POP EDX
004124F3    81C2 1E000000   ADD EDX,1E
004124F9    68 00800000     PUSH 8000                                ; /FreeType = MEM_RELEASE
004124FE    6A 00           PUSH 0                                   ; |Size = 0
00412500    FFB5 C94B4000   PUSH DWORD PTR SS:[EBP+404BC9]           ; |Address = 003D0000
00412506    52              PUSH EDX                                 ; |Return address
00412507    FFA5 134C4000   JMP DWORD PTR SS:[EBP+404C13]            ; \VirtualFree
……
004125BF    0FB78D C74B4000 MOVZX ECX,WORD PTR SS:[EBP+404BC7]
004125C6    8B95 CD4B4000   MOV EDX,DWORD PTR SS:[EBP+404BCD]
004125CC    81C2 F8000000   ADD EDX,0F8
004125D2    8B9D 935E4000   MOV EBX,DWORD PTR SS:[EBP+405E93]
004125D8    33C0            XOR EAX,EAX
004125DA    90              NOP
004125DB    90              NOP
004125DC    90              NOP
004125DD    90              NOP
004125DE    90              NOP
004125DF    90              NOP
004125E0    90              NOP
004125E1    90              NOP
004125E2    90              NOP
004125E3    90              NOP
004125E4    90              NOP
004125E5    90              NOP
004125E6    90              NOP
004125E7    90              NOP
004125E8    90              NOP
004125E9    90              NOP
004125EA    90              NOP
004125EB    51              PUSH ECX
004125EC    0FA3C3          BT EBX,EAX
004125EF    73 67           JNB SHORT 00412658
004125F1    52              PUSH EDX
004125F2    90              NOP
004125F3    90              NOP
004125F4    90              NOP
004125F5    90              NOP
004125F6    90              NOP
004125F7    90              NOP
004125F8    90              NOP
004125F9    90              NOP
004125FA    90              NOP
004125FB    90              NOP
004125FC    90              NOP
004125FD    90              NOP
004125FE    90              NOP
004125FF    90              NOP
00412600    90              NOP
00412601    90              NOP
00412602    90              NOP
00412603    8B7A 0C         MOV EDI,DWORD PTR DS:[EDX+C]
00412606    03BD C34B4000   ADD EDI,DWORD PTR SS:[EBP+404BC3]
0041260C    8B4A 10         MOV ECX,DWORD PTR DS:[EDX+10]
0041260F    8B95 A35E4000   MOV EDX,DWORD PTR SS:[EBP+405EA3]
00412615    D1EA            SHR EDX,1
00412617    72 06           JB SHORT 0041261F
00412619    81F2 31AF43ED   XOR EDX,ED43AF31
0041261F    3017            XOR BYTE PTR DS:[EDI],DL                 ; loop restoring each section
00412621    47              INC EDI
00412622    90              NOP
00412623    90              NOP
00412624    90              NOP
00412625    90              NOP
00412626    90              NOP
00412627    90              NOP
00412628    90              NOP
00412629    90              NOP
0041262A    90              NOP
0041262B    90              NOP
0041262C    90              NOP
0041262D    90              NOP
0041262E    90              NOP
0041262F    90              NOP
00412630    90              NOP
00412631    90              NOP
00412632    90              NOP
00412633    90              NOP
00412634    90              NOP
00412635    90              NOP
00412636    90              NOP
00412637    90              NOP
00412638    90              NOP
00412639    90              NOP
0041263A    90              NOP
0041263B    90              NOP
0041263C    90              NOP
0041263D    90              NOP
0041263E    90              NOP
0041263F    90              NOP
00412640    90              NOP
00412641    90              NOP
00412642    90              NOP
00412643    90              NOP
00412644    90              NOP
00412645    90              NOP
00412646    90              NOP
00412647    90              NOP
00412648    90              NOP
00412649    90              NOP
0041264A    90              NOP
0041264B    90              NOP
0041264C    90              NOP
0041264D    90              NOP
0041264E    90              NOP
0041264F    90              NOP
00412650    90              NOP
00412651    90              NOP
00412652    90              NOP
00412653    90              NOP
00412654    49              DEC ECX
00412655  ^ 75 BE           JNZ SHORT 00412615
00412657    5A              POP EDX
00412658    40              INC EAX
00412659    83C2 28         ADD EDX,28
0041265C    59              POP ECX
0041265D    90              NOP
0041265E    90              NOP
0041265F    90              NOP
00412660    90              NOP
00412661    90              NOP
00412662    90              NOP
00412663    90              NOP
00412664    90              NOP
00412665    90              NOP
00412666    90              NOP
00412667    90              NOP
00412668    90              NOP
00412669    90              NOP
0041266A    90              NOP
0041266B    90              NOP
0041266C    90              NOP
0041266D    90              NOP
0041266E    49              DEC ECX
0041266F    9C              PUSHFD
00412670    C12C24 06       SHR DWORD PTR SS:[ESP],6
00412674    F71424          NOT DWORD PTR SS:[ESP]
00412677    832424 01       AND DWORD PTR SS:[ESP],1
0041267B    50              PUSH EAX
0041267C    52              PUSH EDX
0041267D    B8 04B2DC12     MOV EAX,12DCB204
00412682    05 444D23ED     ADD EAX,ED234D44
00412687    F76424 08       MUL DWORD PTR SS:[ESP+8]
0041268B    8D8428 A8324000 LEA EAX,DWORD PTR DS:[EAX+EBP+4032A8]
00412692    894424 08       MOV DWORD PTR SS:[ESP+8],EAX
00412696    5A              POP EDX
00412697    58              POP EAX
00412698    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
0041269C    FF6424 FC       JMP DWORD PTR SS:[ESP-4]                 ; if decoding is not finished, jump back
……
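The section restoration loop above, and the similar helper loop at 00414788, are a Galois LFSR keystream XORed over the section bytes one step per byte. The Python below is an added example, not the article's or PESpin's own code; since the real section key is derived at runtime (the listing subtracts the file CRC from it at 004124E6), the keys used here are constructed sample values.

```python
# Added example (not from the original article): the byte-stream cipher behind
# PESpin's section restoration loop (00412615..0041261F) and the helper loop at
# 00414788..00414792. Each byte consumes one Galois-LFSR step of a 32-bit key:
# shift right, conditionally XOR a polynomial depending on the bit shifted out,
# then XOR the key's low byte into the data. The two loops differ only in which
# carry value triggers the XOR (JB skips it in the section loop, JNB in the
# helper); the loop at 00412709 is the helper variant with polynomial ED43AF32.

MASK32 = 0xFFFFFFFF
SECTION_POLY = 0xED43AF31   # XOR EDX,ED43AF31 at 00412619
HELPER_POLY = 0x8C328834    # XOR EBX,8C328834 at 0041478C


def lfsr_keystream(key: int, poly: int, length: int, xor_on_carry: bool):
    """Yield `length` keystream bytes: one SHR / conditional-XOR step per byte."""
    key &= MASK32
    trigger = 1 if xor_on_carry else 0
    for _ in range(length):
        carry = key & 1               # CF after SHR key,1
        key >>= 1
        if carry == trigger:
            key ^= poly               # the conditional XOR with the polynomial
        yield key & 0xFF              # XOR BYTE PTR [EDI],DL / BL uses the low key byte


def xor_with_stream(data: bytes, key: int, poly: int, xor_on_carry: bool) -> bytes:
    """Apply the keystream to data; identical for protecting and restoring."""
    stream = lfsr_keystream(key, poly, len(data), xor_on_carry)
    return bytes(b ^ k for b, k in zip(data, stream))


def restore_section(encrypted: bytes, key: int) -> bytes:
    """Mirror of the 00412615 loop: key in EDX, poly 0xED43AF31, XOR when CF == 0."""
    return xor_with_stream(encrypted, key, SECTION_POLY, xor_on_carry=False)


def decode_helper_block(encrypted: bytes, key: int) -> bytes:
    """Mirror of the 00414788 loop: key in EBX, poly 0x8C328834, XOR when CF == 1."""
    return xor_with_stream(encrypted, key, HELPER_POLY, xor_on_carry=True)


def is_involution(data: bytes, key: int) -> bool:
    """The stream depends only on the key, so running the loop twice restores the
    data; this is why one routine both protects and restores a section."""
    return restore_section(restore_section(data, key), key) == data


if __name__ == "__main__":
    # Constructed sample input and key, not bytes or keys from the PESpin target.
    plain = b"MZ\x90\x00" + bytes(range(32))
    key = 0x1234ABCD
    enc = restore_section(plain, key)
    print(enc.hex())
    print(is_involution(plain, key))
```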
004126B4    838D 9D5D4000 0>OR DWORD PTR SS:[EBP+405D9D],0           ; test whether anti-debug is enabled
004126BB    74 0D           JE SHORT 004126CA                        ; if anti-debug was not selected, skip to the next step; the main program does not have anti-debug set
004126BD    8D85 C8554000   LEA EAX,DWORD PTR SS:[EBP+4055C8]        ; tests for SoftICE (sice) via the CreateFileA method
004126C3    2D D1030000     SUB EAX,3D1
004126C8    FFD0            CALL EAX
004126CA    68 80010000     PUSH 180
004126CF    59              POP ECX
……
00412703    E8 01000000     CALL 00412709
00412708    90              NOP
00412709    D1EA            SHR EDX,1
0041270B    73 06           JNB SHORT 00412713
0041270D    81F2 32AF43ED   XOR EDX,ED43AF32
00412713    3017            XOR BYTE PTR DS:[EDI],DL
00412715    47              INC EDI
00412716    49              DEC ECX
00412717    9C              PUSHFD
00412718    C12C24 06       SHR DWORD PTR SS:[ESP],6
0041271C    F71424          NOT DWORD PTR SS:[ESP]
0041271F    832424 01       AND DWORD PTR SS:[ESP],1
00412723    50              PUSH EAX
00412724    52              PUSH EDX
00412725    B8 CEBFABF2     MOV EAX,F2ABBFCE
0041272A    05 EB3F540D     ADD EAX,0D543FEB
0041272F    F76424 08       MUL DWORD PTR SS:[ESP+8]
00412733    8D8428 4F334000 LEA EAX,DWORD PTR DS:[EAX+EBP+40334F]
0041273A    894424 08       MOV DWORD PTR SS:[ESP+8],EAX
0041273E    5A              POP EDX
0041273F    58              POP EAX
00412740    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
00412744    FF6424 FC       JMP DWORD PTR SS:[ESP-4]                 ; decode downward starting from 41495a, size 180
……
00412757    2BC3            SUB EAX,EBX
00412759    50              PUSH EAX                                 ; once decoded, go execute the decoded code
0041275A    C3              RETN
……
0041495A   /EB 01           JMP SHORT 0041495D
0041495C   |90              NOP
0041495D   \8DBD 60334000   LEA EDI,DWORD PTR SS:[EBP+403360]        ; 0041275B
00414963    B9 A1010000     MOV ECX,1A1                              ; decode code downward starting from 41275b, size 1A1
00414968    90              NOP
00414969    90              NOP
0041496A    90              NOP
0041496B    90              NOP
0041496C    90              NOP
0041496D    90              NOP
0041496E    90              NOP
0041496F    90              NOP
00414970    90              NOP
00414971    8A07            MOV AL,BYTE PTR DS:[EDI]
00414973    02C1            ADD AL,CL
00414975    C0C8 1E         ROR AL,1E
00414978    F9              STC
00414979    90              NOP
0041497A    F9              STC
0041497B    02C1            ADD AL,CL
0041497D    EB 01           JMP SHORT 00414980
0041497F    90              NOP
00414980    02C1            ADD AL,CL
00414982    C0C0 93         ROL AL,93                                ; Shift constant out of range 1..31
00414985    EB 01           JMP SHORT 00414988
00414987    90              NOP
00414988    EB 01           JMP SHORT 0041498B
0041498A    90              NOP
0041498B    EB 01           JMP SHORT 0041498E
0041498D    90              NOP
0041498E    EB 01           JMP SHORT 00414991
00414990    90              NOP
00414991    32C1            XOR AL,CL
00414993    2C 57           SUB AL,57
00414995    02C1            ADD AL,CL
00414997    AA              STOS BYTE PTR ES:[EDI]
00414998    49              DEC ECX
00414999    9C              PUSHFD
0041499A    C12C24 06       SHR DWORD PTR SS:[ESP],6
0041499E    F71424          NOT DWORD PTR SS:[ESP]
004149A1    832424 01       AND DWORD PTR SS:[ESP],1
004149A5    50              PUSH EAX
004149A6    52              PUSH EDX
004149A7    B8 5EBFDC32     MOV EAX,32DCBF5E
004149AC    05 444023CD     ADD EAX,CD234044
004149B1    F76424 08       MUL DWORD PTR SS:[ESP+8]
004149B5    8D8428 D4554000 LEA EAX,DWORD PTR DS:[EAX+EBP+4055D4]
004149BC >  894424 08       MOV DWORD PTR SS:[ESP+8],EAX             ; PESpin.004149CF
004149C0    5A              POP EDX
004149C1    58              POP EAX
004149C2    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
004149C6    FF6424 FC       JMP DWORD PTR SS:[ESP-4]
……
004149CF    55              PUSH EBP
004149D0    9C              PUSHFD
004149D1    E8 77000000     CALL 00414A4D                            ; stepping in here is the SEH exception
……
004149D7    8B5424 08       MOV EDX,DWORD PTR SS:[ESP+8]
004149DB    8B4424 0C       MOV EAX,DWORD PTR SS:[ESP+C]
004149DF    8142 04 3500000>ADD DWORD PTR DS:[EDX+4],35
004149E6    81CA 29242123   OR EDX,23212429
004149EC    2BC9            SUB ECX,ECX
004149EE    2148 04         AND DWORD PTR DS:[EAX+4],ECX             ; clear the hardware breakpoints
004149F1    2148 08         AND DWORD PTR DS:[EAX+8],ECX
004149F4    2148 0C         AND DWORD PTR DS:[EAX+C],ECX
004149F7    2148 10         AND DWORD PTR DS:[EAX+10],ECX
004149FA    8160 14 F00FFFF>AND DWORD PTR DS:[EAX+14],FFFF0FF0
00414A01    C740 18 5501000>MOV DWORD PTR DS:[EAX+18],155
00414A08    33C0            XOR EAX,EAX
00414A0A    C3              RETN
……
00414A65    8DBD 01354000   LEA EDI,DWORD PTR SS:[EBP+403501]        ; decode code starting from 004128FC, size 108f
00414A6B    B9 8F100000     MOV ECX,108F
00414A70    90              NOP
00414A71    90              NOP
00414A72    90              NOP
00414A73    90              NOP
00414A74    90              NOP
00414A75    90              NOP
00414A76    90              NOP
00414A77    90              NOP
00414A78    90              NOP
00414A79    8A07            MOV AL,BYTE PTR DS:[EDI]                 ; loop head: one byte per iteration
00414A7B    02C1            ADD AL,CL                                ; CL = low byte of the remaining count keys each byte
00414A7D    C0C0 43         ROL AL,43                                ; Shift constant out of range 1..31 (OllyDbg warning only; the CPU masks the count to 5 bits: ROL AL,3)
00414A80    FEC8            DEC AL
00414A82    04 40           ADD AL,40
00414A84    2C 39           SUB AL,39
00414A86    EB 01           JMP SHORT 00414A89
00414A88    90              NOP
00414A89    34 BB           XOR AL,0BB
00414A8B    0AC0            OR AL,AL
00414A8D    04 85           ADD AL,85
00414A8F    EB 01           JMP SHORT 00414A92
00414A91    90              NOP
00414A92    02C1            ADD AL,CL
00414A94    90              NOP
00414A95    F9              STC
00414A96    C0C8 53         ROR AL,53                                ; Shift constant out of range 1..31 (53h AND 1Fh = 19, 19 mod 8 = 3: ROR AL,3)
00414A99    0AC0            OR AL,AL
00414A9B    04 C2           ADD AL,0C2
00414A9D    2AC1            SUB AL,CL
00414A9F    AA              STOS BYTE PTR ES:[EDI]                   ; write the byte back, EDI++
00414AA0    49              DEC ECX
00414AA1    9C              PUSHFD                                   ; EFLAGS of the DEC
00414AA2    C12C24 06       SHR DWORD PTR SS:[ESP],6                 ; bit 6 = ZF
00414AA6    F71424          NOT DWORD PTR SS:[ESP]
00414AA9    832424 01       AND DWORD PTR SS:[ESP],1                 ; [ESP] = 1 while ECX != 0, else 0
00414AAD    50              PUSH EAX
00414AAE    52              PUSH EDX
00414AAF    B8 61B2DC12     MOV EAX,12DCB261
00414AB4    05 444D23ED     ADD EAX,ED234D44                         ; = FFFFFFA5 = -5Bh
00414AB9    F76424 08       MUL DWORD PTR SS:[ESP+8]                 ; EAX = -5Bh * flag
00414ABD    8D8428 D9564000 LEA EAX,DWORD PTR DS:[EAX+EBP+4056D9]    ; 00414AD4 - 5Bh*flag: 00414A79 while bytes remain
00414AC4    894424 08       MOV DWORD PTR SS:[ESP+8],EAX             ; PESpin.00414AD4
00414AC8    5A              POP EDX
00414AC9    58              POP EAX
00414ACA    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
00414ACE    FF6424 FC       JMP DWORD PTR SS:[ESP-4]                 ; branchless loop: back to 00414A79 until ECX reaches 0, then on to 00414AD4
……
00412777    68 07000000     PUSH 7
0041277C    5B              POP EBX                                  ; EBX = 7: bitmask of the sections to decrypt (sections 0..2)
0041277D    25 25382C37     AND EAX,372C3825
00412782    50              PUSH EAX
00412783    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
00412787    F7D0            NOT EAX
00412789    234424 FC       AND EAX,DWORD PTR SS:[ESP-4]             ; x AND NOT x: EAX = 0, the section index
0041278D    51              PUSH ECX                                 ; section decryption starts here; ECX = number of sections left
0041278E    90              NOP
0041278F    90              NOP
00412790    90              NOP
00412791    90              NOP
00412792    90              NOP
00412793    90              NOP
00412794    90              NOP
00412795    90              NOP
00412796    90              NOP
00412797    90              NOP
00412798    90              NOP
00412799    90              NOP
0041279A    0FA3C3          BT EBX,EAX                               ; CF = bit EAX of the mask 7
0041279D    73 79           JNB SHORT 00412818                       ; bit clear: this section is not encrypted, skip to the next one
0041279F    90              NOP
004127A0    90              NOP
004127A1    90              NOP
004127A2    90              NOP
004127A3    90              NOP
004127A4    90              NOP
004127A5    90              NOP
004127A6    90              NOP
004127A7    90              NOP
004127A8    90              NOP
004127A9    90              NOP
004127AA    90              NOP
004127AB    90              NOP
004127AC    90              NOP
004127AD    90              NOP
004127AE    90              NOP
004127AF    90              NOP
004127B0    90              NOP
004127B1    90              NOP
004127B2    90              NOP
004127B3    90              NOP
004127B4    90              NOP
004127B5    90              NOP
004127B6    90              NOP
004127B7    90              NOP
004127B8    90              NOP
004127B9    90              NOP
004127BA    90              NOP
004127BB    90              NOP
004127BC    90              NOP
004127BD    90              NOP
004127BE    90              NOP
004127BF    90              NOP
004127C0    90              NOP
004127C1    90              NOP
004127C2    90              NOP
004127C3    90              NOP
004127C4    90              NOP
004127C5    90              NOP
004127C6    90              NOP
004127C7    90              NOP
004127C8    90              NOP
004127C9    90              NOP
004127CA    90              NOP
004127CB    90              NOP
004127CC    90              NOP
004127CD    8B7A 0C         MOV EDI,DWORD PTR DS:[EDX+C]             ; IMAGE_SECTION_HEADER.VirtualAddress
004127D0    03BD C34B4000   ADD EDI,DWORD PTR SS:[EBP+404BC3]        ; + ImageBase
004127D6    8B4A 10         MOV ECX,DWORD PTR DS:[EDX+10]            ; SizeOfRawData = 6000h
004127D9    50              PUSH EAX
004127DA    8A07            MOV AL,BYTE PTR DS:[EDI]                 ; first pass: decrypt 6000h bytes in place starting at 00401000
004127DC    2C 61           SUB AL,61
004127DE    F8              CLC
004127DF    F8              CLC
004127E0    C0C0 B1         ROL AL,0B1                               ; Shift constant out of range 1..31 (0B1h AND 1Fh = 17, mod 8 = 1: ROL AL,1)
004127E3    34 AF           XOR AL,0AF
004127E5    04 70           ADD AL,70
004127E7    FEC8            DEC AL
004127E9    EB 01           JMP SHORT 004127EC
004127EB    90              NOP
004127EC    F8              CLC
004127ED    32C1            XOR AL,CL                                ; CL = low byte of the remaining count
004127EF    C0C0 42         ROL AL,42                                ; Shift constant out of range 1..31 (42h AND 1Fh = 2: ROL AL,2)
004127F2    EB 01           JMP SHORT 004127F5
004127F4    90              NOP
004127F5    02C1            ADD AL,CL                                ; ADD AL,CL / SUB AL,CL cancel out
004127F7    2AC1            SUB AL,CL
004127F9    34 04           XOR AL,4
004127FB    C0C0 9B         ROL AL,9B                                ; Shift constant out of range 1..31 (9Bh AND 1Fh = 27, mod 8 = 3: ROL AL,3)
004127FE    FEC8            DEC AL
00412800    AA              STOS BYTE PTR ES:[EDI]                   ; write back in place
00412801    49              DEC ECX
00412802    90              NOP
00412803    90              NOP
00412804    90              NOP
00412805    90              NOP
00412806    90              NOP
00412807    90              NOP
00412808    90              NOP
00412809    90              NOP
0041280A    90              NOP
0041280B    90              NOP
0041280C    90              NOP
0041280D    90              NOP
0041280E    90              NOP
0041280F    90              NOP
00412810    90              NOP
00412811    90              NOP
00412812    90              NOP
00412813    0BC9            OR ECX,ECX
00412815  ^ 75 C3           JNZ SHORT 004127DA                       ; loop back until the whole section is decrypted
00412817    58              POP EAX
00412818    40              INC EAX                                  ; next section index
00412819    83C2 28         ADD EDX,28                               ; next IMAGE_SECTION_HEADER (28h bytes each)
0041281C    90              NOP
0041281D    90              NOP
0041281E    90              NOP
0041281F    90              NOP
00412820    90              NOP
00412821    90              NOP
00412822    90              NOP
00412823    90              NOP
00412824    90              NOP
00412825    59              POP ECX
00412826    49              DEC ECX                                  ; sections left
00412827    9C              PUSHFD
00412828    C12C24 06       SHR DWORD PTR SS:[ESP],6                 ; extract ZF
0041282C    F71424          NOT DWORD PTR SS:[ESP]
0041282F    832424 01       AND DWORD PTR SS:[ESP],1                 ; 1 while ECX != 0
00412833    50              PUSH EAX
00412834    52              PUSH EDX
00412835    B8 E979A6F5     MOV EAX,F5A679E9
0041283A    05 4985590A     ADD EAX,0A598549                         ; = FFFFFF32 = -0CEh
0041283F    F76424 08       MUL DWORD PTR SS:[ESP+8]
00412843    8D8428 60344000 LEA EAX,DWORD PTR DS:[EAX+EBP+403460]    ; 0041285B - 0CEh*flag: 0041278D while sections remain
0041284A    894424 08       MOV DWORD PTR SS:[ESP+8],EAX
0041284E    5A              POP EDX
0041284F    58              POP EAX
00412850    8D6424 04       LEA ESP,DWORD PTR SS:[ESP+4]
00412854    FF6424 FC       JMP DWORD PTR SS:[ESP-4]                 ; same branchless loop as above: back to 0041278D for the next section, otherwise fall through to 0041285B
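The two decryption loops above (the 108Fh-byte stub loop at 00414A79 and the per-section loop at 004127DA) and their shared branchless continuation trick are easy to get wrong when re-implemented for static unpacking, mainly because of the rotate counts OllyDbg flags as out of range. The following Python is an added example written for this article, not code from the original page or from PESpin: it transcribes both byte transforms instruction by instruction, models the DEC/PUSHFD/SHR/NOT/AND/MUL/LEA jump computation, and walks a section table the way 00412777..00412854 does. EBP = 0F3FBh is derived from the listing's own annotations (EBP+403501 = 004128FC, EBP+4056D9 = 00414AD4); the demo image in `build_demo_image` is constructed here and is not the real binary.

```python
import struct

# ---- 8-bit rotates with x86 semantics -------------------------------------
def rol8(v, n):
    """ROL r8,imm8: the CPU masks the count to 5 bits and rotates mod 8, so
    ROL AL,43h is ROL AL,3; OllyDbg's 'shift constant out of range' is cosmetic."""
    n = (n & 0x1F) % 8
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF if n else v

def ror8(v, n):
    return rol8(v, 8 - ((n & 0x1F) % 8))

# ---- the two per-byte transforms, transcribed instruction by instruction ----
def xform_stub(al, cl):
    """One byte of the 108Fh-byte loop at 00414A79 (decrypts code at 004128FC)."""
    al = (al + cl) & 0xFF               # ADD AL,CL
    al = rol8(al, 0x43)                 # ROL AL,43h (= 3)
    al = (al - 1 + 0x40 - 0x39) & 0xFF  # DEC AL / ADD AL,40h / SUB AL,39h
    al ^= 0xBB                          # XOR AL,0BBh (OR AL,AL is a no-op)
    al = (al + 0x85 + cl) & 0xFF        # ADD AL,85h / ADD AL,CL
    al = ror8(al, 0x53)                 # ROR AL,53h (= 3)
    return (al + 0xC2 - cl) & 0xFF      # ADD AL,0C2h / SUB AL,CL

def xform_section(al, cl):
    """One byte of the per-section loop at 004127DA."""
    al = (al - 0x61) & 0xFF             # SUB AL,61h
    al = rol8(al, 0xB1)                 # ROL AL,0B1h (= 1)
    al ^= 0xAF                          # XOR AL,0AFh
    al = (al + 0x70 - 1) & 0xFF         # ADD AL,70h / DEC AL
    al ^= cl                            # XOR AL,CL
    al = rol8(al, 0x42)                 # ROL AL,42h (= 2); ADD AL,CL / SUB AL,CL cancel
    al ^= 0x04                          # XOR AL,4
    al = rol8(al, 0x9B)                 # ROL AL,9Bh (= 3)
    return (al - 1) & 0xFF              # DEC AL

def decrypt_inplace(buf, xform):
    """ECX runs from len(buf) down to 1 and its low byte CL keys every byte."""
    out = bytearray(buf)
    count = len(out)
    for i in range(len(out)):
        out[i] = xform(out[i], count & 0xFF)
        count -= 1
    return bytes(out)

# ---- the branchless loop continuation (DEC ECX; PUSHFD; SHR 6; NOT; AND 1; MUL; LEA; JMP)
def loop_continuation(ecx_after_dec, k1, k2, ebp, disp):
    flag = 0 if ecx_after_dec == 0 else 1     # NOT(ZF) after DEC ECX
    mult = (k1 + k2) & 0xFFFFFFFF             # e.g. 12DCB261h + ED234D44h = FFFFFFA5h = -5Bh
    return (mult * flag + ebp + disp) & 0xFFFFFFFF

# ---- walking the section table the way 00412777..00412854 does ---------------
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 28h bytes

def decrypt_sections(image, e_lfanew, mask=7):
    """image: mapped image as a bytearray (offset == RVA). NumberOfSections sits at
    NT headers+6, the first section header at +0F8h (PESpin hardcodes the 32-bit
    optional-header size), stride 28h; BT EBX,EAX with EBX=7 keeps sections 0..2."""
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    for idx in range(nsec):
        if not (mask >> idx) & 1:             # JNB: bit clear -> section skipped
            continue
        hdr = SECTION_HDR.unpack_from(image, e_lfanew + 0xF8 + idx * 0x28)
        va, raw = hdr[2], hdr[3]              # VirtualAddress (+0Ch), SizeOfRawData (+10h)
        image[va:va + raw] = decrypt_inplace(image[va:va + raw], xform_section)
    return image

def build_demo_image():
    """Constructed stand-in for a mapped image (not the real binary): 'PE' at 80h,
    two sections of 10h zero bytes at RVA 1000h and 2000h."""
    image = bytearray(0x3000)
    struct.pack_into("<4sHH", image, 0x80, b"PE\0\0", 0x14C, 2)
    for idx, va in enumerate((0x1000, 0x2000)):
        SECTION_HDR.pack_into(image, 0x80 + 0xF8 + idx * 0x28,
                              b".sec%d" % idx, 0x10, va, 0x10, va, 0, 0, 0, 0, 0x60000020)
    return image

if __name__ == "__main__":
    img = decrypt_sections(build_demo_image(), 0x80)
    print(img[0x1000:0x1010].hex(), img[0x2000:0x2010].hex())
    print(hex(loop_continuation(1, 0x12DCB261, 0xED234D44, 0xF3FB, 0x4056D9)))  # 0x414a79
```

To use this on the real target, dump the image after the stub has run its own initialisation but before 00412777, feed the dump to `decrypt_sections` with the real `e_lfanew`, and compare the result with a dump taken after 0041285B; any mismatch is almost certainly a rotate count that was not masked.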
……
0041286B    E8 BA1C0000     CALL 0041452A                            ; this CALL is really another exception-raising call (same SEH trick as at 004149D1)
……
00415062    6A 04           PUSH 4                                         ; /Protect = PAGE_READWRITE
00415064    68 00300000     PUSH 3000                                      ; |AllocationType = MEM_COMMIT|MEM_RESERVE
00415069    51              PUSH ECX                                       ; |Size = 3166 (12646.)
0041506A    6A 00           PUSH 0                                         ; |Address = NULL
0041506C    FF95 0E4C4000   CALL DWORD PTR SS:[EBP+404C0E]                 ; \VirtualAlloc
00415072    96              XCHG EAX,ESI                                   ; hmem == 003D0000 (temporary buffer)
00415073    5A              POP EDX
00415074    BF 50F40000     MOV EDI,0F450
00415079    81C7 00004000   ADD EDI,00400000
0041507F    56              PUSH ESI                                       ; /destination buffer == 003D0000
00415080    57              PUSH EDI                                       ; |packed data at 0040F450 (RVA 0F450h)
00415081    E8 1CDEFFFF     CALL 00412EA2                                  ; \aplib_depack
00415086    91              XCHG EAX,ECX                                   ; ECX = depacked length returned by the call
00415087    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ; copy ECX bytes from [ESI] to [EDI]
00415089    5F              POP EDI
0041508A    5E              POP ESI
0041508B    EB 01           JMP SHORT 0041508E
0041508D    90              NOP
0041508E    68 00400000     PUSH 4000                                      ; /FreeType = MEM_DECOMMIT
00415093    52              PUSH EDX                                       ; |Size = 3166 (12646.)
00415094    56              PUSH ESI                                       ; |Address = 003D0000
00415095    FF95 134C4000   CALL DWORD PTR SS:[EBP+404C13]                 ; \VirtualFree
……
004150A7    8D85 ED5C4000   LEA EAX,DWORD PTR SS:[EBP+405CED]
004150AD    8338 00         CMP DWORD PTR DS:[EAX],0
004150B0    0F84 CB000000   JE 00415181
004150B6    B9 80B60000     MOV ECX,0B680
004150BB    6A 04           PUSH 4                                         ; /Protect = PAGE_READWRITE
004150BD    68 00300000     PUSH 3000                                      ; |AllocationType = MEM_COMMIT|MEM_RESERVE
004150C2    51              PUSH ECX                                       ; |Size = B680 (46720.)
004150C3    6A 00           PUSH 0                                         ; |Address = NULL
004150C5    FF95 0E4C4000   CALL DWORD PTR SS:[EBP+404C0E]                 ; \VirtualAlloc
004150CB    8985 0E5D4000   MOV DWORD PTR SS:[EBP+405D0E],EAX              ; buffer pointer saved at [EBP+405D0E] (== 00415109)
004150D1    EB 01           JMP SHORT 004150D4
004150D3    90              NOP
004150D4    0FB78D C74B4000 MOVZX ECX,WORD PTR SS:[EBP+404BC7]             ; ECX = section count (== 4)
004150DB    8B95 CD4B4000   MOV EDX,DWORD PTR SS:[EBP+404BCD]              ; PE header (4000D0)
004150E1    81C2 F8000000   ADD EDX,0F8                                    ; EDX = first IMAGE_SECTION_HEADER
004150E7    BB 07000000     MOV EBX,7                                      ; EBX = 7: same section mask as before
004150EC    2BC0            SUB EAX,EAX                                    ; EAX = 0: section index
004150EE    51              PUSH ECX
004150EF    90              NOP
004150F0    90              NOP
004150F1    90              NOP
004150F2    90              NOP
004150F3    90              NOP
004150F4    90              NOP
004150F5    90              NOP
004150F6    90              NOP
004150F7    90              NOP
004150F8    0FA3C3          BT EBX,EAX                                     ; CF = bit EAX of the mask 7
004150FB    73 27           JNB SHORT 00415124                             ; bit clear: skip this section
004150FD    50              PUSH EAX
004150FE    53              PUSH EBX