程序博客网 > 达索软件代理

AcProtect 1.41 外壳分析

来源:互联网 发布:达索软件代理 编辑:程序博客网 时间:2024/06/11 03:36
【目    标】: 应作者要求,这里不贴上软件名【工    具】:Olydbg1.1(diy版)、LORDPE、ImportREC1.6F 【任    务】:分析外壳  【操作平台】:Windows 2003 server 【作    者】: LOVEBOOM[DFCG][FCG][US]【相关链接】: ......【简要说明】: 脱ACPROTECT的壳并不多,以前最多只是大概的脱一下,对壳有流程并没有多少认识,前几天帮朋友了一下这个软件,也许    是我水平太菜了,也许是脱这个东西脱的比较少,在脱这个软件花了我很多时间,搞的过程中还很容易出小问题。还有一个原因是脱了一下新版的ASPR 2.X stolen code让我看到头疼,虽然坚持了,但现在还有一小部分没有解决:-(。没办法两个都壳都是难搞的,本着看aspr的东西稍微多了点,因此牺牲了睡觉时间,帮自己补了下课。壳的思路比较新,边执行边解壳,解压一段执行后又还原回去,代码替换,EMBEDD protect等等。这么有吸引力,当然不要错过了。因为我对RSA无KEY怎么突破之类的没有一点了解,再者也没有见过软件用RSA lock code.,所以这次没有分析KEY相关的东西。我这次和以前的文章有点不同,这次为了更细的分析出壳的各模块功能,把相关的模块放在独立的地方,也不像以前那样,插来插去的。不是很方便自己查看。也很久没有细细的去品尝壳了。也是该“享受”一下。【详细过程】:写在前面的,你只是想知道怎么脱壳的话,那么这你可跳过这一章节,这一章节是分析壳的每个部分,是比较漫长的。如果你完全分析好了,后面脱就简单了。  由于是一步一步的走,所以不用什么特别的设置了。唯一一点就是要很磨得下去。打开OD,忽略全部异常。准备眼睛再度近视几度。泡上一杯水,然后开始这次的旅程:为了防止壳的检测,这次我没有去除花指令直接动态跟踪分析了下。0057C000 >  60              PUSHAD                                   ; EP0057C001    E8 01000000     CALL 0057C007                            ; 程序一开始就反复解壳代码0057C006  - 72 83           JB SHORT 0057BF8B0057C008    04 24           ADD AL,240057C00A    06              PUSH ES0057C00B    C3              RETN0057C00C    85C3            TEST EBX,EAX0057C00E    76 01           JBE SHORT 0057C0110057C010    4B              DEC EBX0057C011    87D8            XCHG EAX,EBX0057C013    E8 01000000     CALL 0057C0190057C018  - 76 83           JBE SHORT 0057BF9D......0057C204    64:FF30         PUSH DWORD PTR FS:[EAX]0057C207    64:8920         MOV DWORD PTR FS:[EAX],ESP0057C20A    CC              INT30057C20B    90              NOP0057C20C    F8              CLC0057C20D    90              NOP0057C20E    FC              CLD......0057C29F    64:8F05 0000000>POP DWORD PTR FS:[0]                     ; 直接F2,然后执行到这里,0057C2A6    83C4 04         ADD ESP,40057C2A9    7C 03           JL SHORT 0057C2AE                        ; 这里是开始还原的地址0057C2AB    7D 01           JGE SHORT 0057C2AE......0057C436    4A              DEC EDX0057C437  ^ 0F85 7FFFFFFF   JNZ 0057C3BC                             ; 没有解压完则跳回继续解压0057C43D    EB 01           JMP SHORT 0057C440壳一开始就通过几个异常来循环解压出壳的代码。解压的方法很简单的:MOV EBX,DWORD PTR DS:[EAX]XOR EBX,EDIROR EBX,1FADD EAX,4XOR EBX,DWORD PTR DS:[EAX]ADD EAX,-4MOV DWORD PTR DS:[EAX],EBXXOR EDI,45BA1300继续:......0057C7F8    64:8F05 0000000>POP DWORD PTR FS:[0]                     ; 0012FFE00057C7FF    83C4 04         ADD ESP,40057C802    E9 BB4A0100     JMP 005912C2                             ; 全部解压完了跳去执行壳的代码......005912C2    E8 39AEFFFF     CALL <sub_GetEBP >
; jmp到这里005912C7    E8 00000000     CALL 005912CC005912CC    5B              POP EBX005912CD    2B9D 0E204000   SUB EBX,DWORD PTR SS:[EBP+40200E]        ; 计算IMAGEBASE005912D3    81EB CC520100   SUB EBX,152CC005912D9    899D 46F84000   MOV DWORD PTR SS:[EBP+40F846],EBX   ; 计算出的IMAGEBASE保存到[EBP+40F846]=[0058A846]=400000005912DF    899D 7BFD4000   MOV DWORD PTR SS:[EBP+40FD7B],EBX        ; 计算出的IMAGEBASE保存到[EBP+40FD7B]=[0058AD7B]==400000005912E5    E8 C6FDFFFF     CALL <sub_GetEP_CRYPT_KEY>005912EA    E8 11AEFFFF     CALL <sub_GetEBP >005912EF    E8 DAA5FFFF     CALL <Get_RND_VALUE>005912F4    8985 D5084100   MOV DWORD PTR SS:[EBP+4108D5],EAX005912FA    E8 01AEFFFF     CALL <sub_GetEBP >
005912FF    C685 6CF74000 0>MOV BYTE PTR SS:[EBP+40F76C],0           ; 刚开始就设置为没有注册的标志00591306    E8 F0D2FFFF     CALL <sub_GETAPIAddress>                 ; 获取壳要用的API0059130B    E8 38F9FFFF     CALL <COPY_Import table>                 ; 填充跳转表00591310    E8 EBADFFFF     CALL <sub_GetEBP >
00591315    8B85 6B814100   MOV EAX,DWORD PTR SS:[EBP+41816B]0059131B    8985 7FFD4000   MOV DWORD PTR SS:[EBP+40FD7F],EAX00591321    8B85 6F814100   MOV EAX,DWORD PTR SS:[EBP+41816F]00591327    8985 83FD4000   MOV DWORD PTR SS:[EBP+40FD83],EAX0059132D    E8 66D0FFFF     CALL <UnPack_sections>                   ; 解压程序各段00591332    E8 1FFBFFFF     CALL <Restore_JMP API TABLE>             ; 还原壳的跳转表00591337    E8 2EFDFFFF     CALL <sub_SDK_Disposal>                  ; 处理用到SDK的地址代码0059133C    43              INC EBX0059133D    85F3            TEST EBX,ESI0059133F    87D9            XCHG ECX,EBX00591341    E8 01000000     CALL 00591347                            ; 开始解压出下一段要执行的代码。00591346    EA 83C4047D 028>JMP FAR 8502:7D04C483                    ; Far jump......下面的代码就开始边走边解壳了:......0059142A    E8 EF000000     CALL 0059151E0059142F    E8 04000000     CALL 0059143800591434    0000            ADD BYTE PTR DS:[EAX],AL00591436    0000            ADD BYTE PTR DS:[EAX],AL00591438    5A              POP EDX00591439    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]0059143D    8B00            MOV EAX,DWORD PTR DS:[EAX]0059143F    8B4C24 0C       MOV ECX,DWORD PTR SS:[ESP+C]00591443    FF81 B8000000   INC DWORD PTR DS:[ECX+B8]00591449    3D 03000080     CMP EAX,800000030059144E    75 4D           JNZ SHORT 0059149D00591450    8D82 02114000   LEA EAX,DWORD PTR DS:[EDX+401102]00591456    2D 0E104000     SUB EAX,0040100E0059145B    8941 04         MOV DWORD PTR DS:[ECX+4],EAX0059145E    8D82 04114000   LEA EAX,DWORD PTR DS:[EDX+401104]00591464    2D 0E104000     SUB EAX,0040100E00591469    8941 08         MOV DWORD PTR DS:[ECX+8],EAX0059146C    8D82 06114000   LEA EAX,DWORD PTR DS:[EDX+401106]00591472    2D 0E104000     SUB EAX,0040100E00591477    8941 0C         MOV DWORD PTR DS:[ECX+C],EAX0059147A    8D82 08114000   LEA EAX,DWORD PTR DS:[EDX+401108]00591480    2D 0E104000     SUB EAX,0040100E00591485    8941 10         MOV DWORD PTR DS:[ECX+10],EAX00591488    33C0            XOR EAX,EAX0059148A    8161 14 F00FFFF>AND DWORD PTR DS:[ECX+14],FFFF0FF000591491    C741 18 5501000>MOV DWORD PTR DS:[ECX+18],15500591498    E9 80000000     JMP 0059151D0059149D    3D 940000C0     CMP EAX,C0000094005914A2    75 2A           JNZ SHORT 005914CE005914A4    C702 00000000   MOV DWORD PTR DS:[EDX],0005914AA    FF81 B8000000   INC DWORD PTR DS:[ECX+B8]005914B0    33C0            XOR EAX,EAX005914B2    2141 04         AND DWORD PTR DS:[ECX+4],EAX005914B5    2141 08         AND DWORD PTR DS:[ECX+8],EAX005914B8    2141 0C         AND DWORD PTR DS:[ECX+C],EAX005914BB    2141 10         AND DWORD PTR DS:[ECX+10],EAX005914BE    8161 14 F00FFFF>AND DWORD PTR DS:[ECX+14],FFFF0FF0005914C5    8161 18 00DC000>AND DWORD PTR DS:[ECX+18],0DC00005914CC    EB 4F           JMP SHORT 0059151D005914CE    3D 04000080     CMP EAX,80000004......0059160E    830424 06       ADD DWORD PTR SS:[ESP],600591612    C3              RETN00591613    E8 A7B9FFFF     CALL <sub_UnKnow>00591618    E9 0B000000     JMP 00591628......005917E0    56              PUSH ESI005917E1    8F05 DDCA5700   POP DWORD PTR DS:[57CADD]005917E7    FF35 DDCA5700   PUSH DWORD PTR DS:[57CADD]005917ED    56              PUSH ESI005917EE    C70424 05C95700 MOV DWORD PTR SS:[ESP],0057C905005917F5    8F05 0DCA5700   POP DWORD PTR DS:[57CA0D]005917FB    8B35 0DCA5700   MOV ESI,DWORD PTR DS:[57CA0D]00591801    891E            MOV DWORD PTR DS:[ESI],EBX00591803    8F05 1DC95700   POP DWORD PTR DS:[57C91D]00591809    FF35 1DC95700   PUSH DWORD PTR DS:[57C91D]0059180F    5E              POP ESI00591810    FF35 05C95700   PUSH DWORD PTR DS:[57C905]               ; 开始边走边唱了00591816    892C24          MOV DWORD PTR SS:[ESP],EBP               ; push ebp,这里开始执行了程序前面的代码00591819    8925 99C85700   MOV DWORD PTR DS:[57C899],ESP0059181F    FF35 99C85700   PUSH DWORD PTR DS:[57C899]00591825    8B2C24          MOV EBP,DWORD PTR SS:[ESP]               ; mov ebp,esp00591828    8F05 39C85700   POP DWORD PTR DS:[57C839]0059182E    56              PUSH ESI找Stolen Code比较简单,后面的代码我并没有注释下来。......00591953    83C4 04         ADD ESP,400591956    58              POP EAX00591957    76 01           JBE SHORT 0059195A00591959    48              DEC EAX0059195A    03DA            ADD EBX,EDX0059195C    50              PUSH EAX0059195D    E8 01000000     CALL 0059196300591962  ^ 7C 83           JL SHORT 005918E700591964    C40458          LES EAX,FWORD PTR DS:[EAX+EBX*2]         ; Modification of segment register00591967    E8 CDD3FFFF     CALL <sub_Kernel>                        ; 这个call里面的东西应该是壳的核心了:-)0059196C    E9 06000000     JMP 00591977很多解码之类的,跟踪时要小心点。......0059198D   /76 7B           JBE SHORT 00591A0A0059198F   |0366 8B         ADD ESP,DWORD PTR DS:[ESI-75]00591992   |C6              ???                                      ; Unknown command00591993   |8919            MOV DWORD PTR DS:[ECX],EBX00591995   |EB 01           JMP SHORT 0059199800591997   |90              NOP00591998   |E8 08E9FFFF     CALL <Sub_Disposal IAT>                  ; 其实这里CALL的时候,前面的call kernel里已经处理过了,这里进去只是一个ret而已0059199D   |E9 05000000     JMP 005919A7005919A2   |B8 0DB7D4E5     MOV EAX,E5D4B70D005919A7   |81EA AE3A7D06   SUB EDX,67D3AAE......005919D0   /0F81 02000000   JNO 005919D8005919D6   |87FD            XCHG EBP,EDI005919D8   /83C6 FF         ADD ESI,-1005919DB  ^ 0F85 69FFFFFF   JNZ 0059194A                             ; 循环解出后面的代码005919E1    EB 01           JMP SHORT 005919E4005919E3  ^ 76 E8           JBE SHORT 005919CD005919E5    03C0            ADD EAX,EAX005919E7    FFFF            ???                                      ; Unknown command005919E9    0F8C 02000000   JL 005919F1005919EF    87E8            XCHG EAX,EBP005919F1    B8 64000000     MOV EAX,64005919F6    33D2            XOR EDX,EDX005919F8    33DB            XOR EBX,EBX005919FA    F7F3            DIV EBX                                  ; 异常005919FC    90              NOP005919FD    64:8F05 0000000>POP DWORD PTR FS:[0]00591A04    83C4 04         ADD ESP,400591A07    61              POPAD     ;边执行程序的代码边解壳代码00591A08    893C24          MOV DWORD PTR SS:[ESP],EDI00591A0B    C705 21CA5700 C>MOV DWORD PTR DS:[57CA21],0057C9C500591A15    8B3D 21CA5700   MOV EDI,DWORD PTR DS:[57CA21]            ; MainCon.0057C9C500591A1B    891F            MOV DWORD PTR DS:[EDI],EBX00591A1D    8B3C24          MOV EDI,DWORD PTR SS:[ESP]00591A20    8F05 79C85700   POP DWORD PTR DS:[57C879]00591A26    FF35 C5C95700   PUSH DWORD PTR DS:[57C9C5]00591A2C    891424          MOV DWORD PTR SS:[ESP],EDX00591A2F    C70424 FFFFFFFF MOV DWORD PTR SS:[ESP],-1                ; push -1 *********00591A36    53              PUSH EBX00591A37    8F05 2DCB5700   POP DWORD PTR DS:[57CB2D]00591A3D    FF35 2DCB5700   PUSH DWORD PTR DS:[57CB2D]00591A43    890424          MOV DWORD PTR SS:[ESP],EAX00591A46    891C24          MOV DWORD PTR SS:[ESP],EBX00591A49    C70424 609F4B00 MOV DWORD PTR SS:[ESP],004B9F60          ; push 4b9f60  ***********00591A50    53              PUSH EBX00591A51    890424          MOV DWORD PTR SS:[ESP],EAX00591A54    891424          MOV DWORD PTR SS:[ESP],EDX00591A57    57              PUSH EDI00591A58    60              PUSHAD......00591C1B    61              POPAD00591C1C    C70424 89C85700 MOV DWORD PTR SS:[ESP],0057C88900591C23    8F05 01CB5700   POP DWORD PTR DS:[57CB01]00591C29    8B15 01CB5700   MOV EDX,DWORD PTR DS:[57CB01]00591C2F    890A            MOV DWORD PTR DS:[EDX],ECX00591C31    8F05 A5C95700   POP DWORD PTR DS:[57C9A5]00591C37    FF35 A5C95700   PUSH DWORD PTR DS:[57C9A5]00591C3D    5A              POP EDX00591C3E    FF35 89C85700   PUSH DWORD PTR DS:[57C889]00591C44    C70424 602F4B00 MOV DWORD PTR SS:[ESP],004B2F60          ; PUSH 4B2F60  *********00591C4B    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]                 ; MOV EAX,DWORD PTR FS:[0]   **************00591C51    56              PUSH ESI00591C52    8F05 A9C85700   POP DWORD PTR DS:[57C8A9]00591C58    FF35 A9C85700   PUSH DWORD PTR DS:[57C8A9]00591C5E    891C24          MOV DWORD PTR SS:[ESP],EBX00591C61    8935 91C85700   MOV DWORD PTR DS:[57C891],ESI00591C67    90              NOP00591C68    90              NOP00591C69    60              PUSHAD......00591E1B    F7F3            DIV EBX                                  ; 除0异常00591E1D    90              NOP00591E1E    64:8F05 0000000>POP DWORD PTR FS:[0]00591E25    83C4 04         ADD ESP,400591E28    61              POPAD00591E29    FF35 91C85700   PUSH DWORD PTR DS:[57C891]00591E2F    C70424 A1CA5700 MOV DWORD PTR SS:[ESP],0057CAA100591E36    8F05 69C95700   POP DWORD PTR DS:[57C969]00591E3C    FF35 69C95700   PUSH DWORD PTR DS:[57C969]00591E42    5B              POP EBX00591E43    8903            MOV DWORD PTR DS:[EBX],EAX00591E45    8B1C24          MOV EBX,DWORD PTR SS:[ESP]00591E48    8F05 B1CA5700   POP DWORD PTR DS:[57CAB1]00591E4E    FF35 A1CA5700   PUSH DWORD PTR DS:[57CAA1]               ; PUSH EAX       ************00591E54    64:8925 0000000>MOV DWORD PTR FS:[0],ESP                 ; MOV DWORD PTR FS:[0],ESP   ********00591E5B    83EC 68         SUB ESP,68                               ; ***************00591E5E    56              PUSH ESI00591E5F    8F05 D9CA5700   POP DWORD PTR DS:[57CAD9]00591E65    FF35 D9CA5700   PUSH DWORD PTR DS:[57CAD9]00591E6B    891C24          MOV DWORD PTR SS:[ESP],EBX00591E6E    8F05 E5CA5700   POP DWORD PTR DS:[57CAE5]00591E74    90              NOP00591E75    90              NOP00591E76    60              PUSHAD......00591FBB    83EA FC         SUB EDX,-400591FBE    2B02            SUB EAX,DWORD PTR DS:[EDX]00591FC0    83C2 FC         ADD EDX,-400591FC3    E8 01000000     CALL 00591FC9                            ; 这里不能像前面那样找到jnz xxx然后就在下面一行下断的方式,那样类似这样东西就会不放过了:-)00591FC8    90              NOP00591FC9    83C4 04         ADD ESP,400591FCC    E8 7FACFFFF     CALL <sub_chekRing0's Debug>             ; 检测系统级调试器00591FD1    BF C64E0B93     MOV EDI,930B4EC600591FD6    66:8BFA         MOV DI,DX00591FD9    8902            MOV DWORD PTR DS:[EDX],EAX00591FDB    E8 01000000     CALL 00591FE100591FE0  ^ 74 83           JE SHORT 00591F6500591FE2    C4041B          LES EAX,FWORD PTR DS:[EBX+EBX]           ; Modification of segment register00591FE5    F785 FB81EDA1 8>TEST DWORD PTR SS:[EBP+A1ED81FB],78BBFB8>00591FEF    0379 01         ADD EDI,DWORD PTR DS:[ECX+1]00591FF2    7A E9           JPE SHORT 00591FDD00591FF4    05 000000D3     ADD EAX,D300000000591FF9    D3C1            ROL ECX,CL00591FFB    C6              ???                                      ; Unknown command00591FFC  ^ 73 81           JNB SHORT 00591F7F00591FFE    C2 0400         RETN 400592001    0000            ADD BYTE PTR DS:[EAX],AL00592003    50              PUSH EAX00592004    E8 01000000     CALL 0059200A00592009  ^ 7E 83           JLE SHORT 00591F8E0059200B    C40458          LES EAX,FWORD PTR DS:[EAX+EBX*2]         ; Modification of segment register0059200E    43              INC EBX0059200F    0F81 03000000   JNO 0059201800592015    66:8BF0         MOV SI,AX00592018    83C1 FF         ADD ECX,-10059201B  ^ 0F85 70FFFFFF   JNZ 00591F91                             ; 循环解压代码00592021    E8 01000000     CALL 0059202700592026  ^ EB 83           JMP SHORT 00591FAB00592028    C404E8          LES EAX,FWORD PTR DS:[EAX+EBP*8]         ; Modification of segment register0059202B    0ACD            OR CL,CH......0059203E    F7F3            DIV EBX00592040    90              NOP00592041    64:8F05 0000000>POP DWORD PTR FS:[0]                     ; 好多个这个结构的00592048    83C4 04         ADD ESP,40059204B    61              POPAD0059204C    FF35 E5CA5700   PUSH DWORD PTR DS:[57CAE5]00592052    8915 D1C95700   MOV DWORD PTR DS:[57C9D1],EDX00592058    FF35 D1C95700   PUSH DWORD PTR DS:[57C9D1]0059205E    53              PUSH EBX0059205F    BB B1C85700     MOV EBX,0057C8B100592064    8BD3            MOV EDX,EBX00592066    5B              POP EBX00592067    8932            MOV DWORD PTR DS:[EDX],ESI00592069    8F05 F5C85700   POP DWORD PTR DS:[57C8F5]0059206F    8B15 F5C85700   MOV EDX,DWORD PTR DS:[57C8F5]00592075    FF35 B1C85700   PUSH DWORD PTR DS:[57C8B1]0059207B    8F05 FDC85700   POP DWORD PTR DS:[57C8FD]00592081    FF35 FDC85700   PUSH DWORD PTR DS:[57C8FD]00592087    52              PUSH EDX00592088    8F05 19C95700   POP DWORD PTR DS:[57C919]0059208E    FF35 19C95700   PUSH DWORD PTR DS:[57C919]00592094    893424          MOV DWORD PTR SS:[ESP],ESI00592097    57              PUSH EDI00592099    90              NOP0059209A    60              PUSHAD......00592260    83C4 04         ADD ESP,400592263    61              POPAD00592264    BF 1DCA5700     MOV EDI,0057CA1D00592269    890F            MOV DWORD PTR DS:[EDI],ECX0059226B    5F              POP EDI0059226C    FF35 1DCA5700   PUSH DWORD PTR DS:[57CA1D]00592272    891D B1C95700   MOV DWORD PTR DS:[57C9B1],EBX00592278    FF35 B1C95700   PUSH DWORD PTR DS:[57C9B1]0059227E    51              PUSH ECX0059227F    B9 D1C85700     MOV ECX,0057C8D100592284    8BD9            MOV EBX,ECX00592286    59              POP ECX00592287    53              PUSH EBX00592288    59              POP ECX00592289    8F05 69C85700   POP DWORD PTR DS:[57C869]0059228F    8B1D 69C85700   MOV EBX,DWORD PTR DS:[57C869]00592295    890D 99C95700   MOV DWORD PTR DS:[57C999],ECX0059229B    FF35 99C95700   PUSH DWORD PTR DS:[57C999]               ; MainCon.0057C8D1005922A1    8F05 F5C95700   POP DWORD PTR DS:[57C9F5]                ; MainCon.0057C8D1005922A7    8B35 F5C95700   MOV ESI,DWORD PTR DS:[57C9F5]            ; MainCon.0057C8D1005922AD    8F05 49C85700   POP DWORD PTR DS:[57C849]005922B3    56              PUSH ESI                                 ; MainCon.0057C8D1005922B4    60              PUSHAD005922B5    E8 01000000     CALL 005922BB......005923FB    830424 06       ADD DWORD PTR SS:[ESP],6005923FF    C3              RETN00592400    E9 02000000     JMP 0059240700592405    87CB            XCHG EBX,ECX00592407    83EA FC         SUB EDX,-40059240A    2B32            SUB ESI,DWORD PTR DS:[EDX]0059240C    83C2 FC         ADD EDX,-40059240F    EB 01           JMP SHORT 00592412                       ; 这里也暗蔵杀机哦:-)00592411    90              NOP00592412    E8 21B8FFFF     CALL<chek IsDebuggerPresent>            ; 再次检测有没有Ring 3级调试器00592417    78 01           JS SHORT 0059241A00592419    F9              STC......00592462    33DB            XOR EBX,EBX00592464    F7F3            DIV EBX00592466    90              NOP00592467    64:8F05 0000000>POP DWORD PTR FS:[0]                     ; SEH用来反调试同时也给我们指引了一条道路0059246E    83C4 04         ADD ESP,400592471    61              POPAD00592472    BE 49C85700     MOV ESI,0057C84900592477    8B0E            MOV ECX,DWORD PTR DS:[ESI]00592479    5E              POP ESI0059247A    893E            MOV DWORD PTR DS:[ESI],EDI0059247C    8F05 ADCA5700   POP DWORD PTR DS:[57CAAD]00592482    893D B5C95700   MOV DWORD PTR DS:[57C9B5],EDI00592488    FF35 B5C95700   PUSH DWORD PTR DS:[57C9B5]0059248E    51              PUSH ECX0059248F    B9 ADCA5700     MOV ECX,0057CAAD00592494    8BF9            MOV EDI,ECX00592496    59              POP ECX00592497    8B37            MOV ESI,DWORD PTR DS:[EDI]00592499    8B3C24          MOV EDI,DWORD PTR SS:[ESP]0059249C    8F05 35CA5700   POP DWORD PTR DS:[57CA35]005924A2    FF35 D1C85700   PUSH DWORD PTR DS:[57C8D1]005924A8    8965 E8         MOV DWORD PTR SS:[EBP-18],ESP            ; **********005924AB    33DB            XOR EBX,EBX005924AD    895D FC         MOV DWORD PTR SS:[EBP-4],EBX     ; ************005924B0    52              PUSH EDX005924B1    891C24          MOV DWORD PTR SS:[ESP],EBX005924B4    68 09CB5700     PUSH 0057CB09005924B9    5B              POP EBX005924BA    8913            MOV DWORD PTR DS:[EBX],EDX005924BC    8F05 E5C85700   POP DWORD PTR DS:[57C8E5]005924C2    60              PUSHAD005924C3    E8 01000000     CALL 005924C9......005924BC    8F05 E5C85700   POP DWORD PTR DS:[57C8E5]005924C2    60              PUSHAD005924C3    E8 01000000     CALL 005924C9005924C8    90              NOP005924C9    83C4 04         ADD ESP,4005924CC    E8 D4DDFFFF     CALL <Sub_Disposal IAT>                  ; iat已经处理过了,这里再进去只是一个ret而已005924D1    E9 0D000000     JMP 005924E3......0059267C    F7F3            DIV EBX0059267E    90              NOP0059267F    64:8F05 0000000>POP DWORD PTR FS:[0]00592686    83C4 04         ADD ESP,4                                ; 异常00592689    61              POPAD0059268A    8B1D E5C85700   MOV EBX,DWORD PTR DS:[57C8E5]00592690    FF35 09CB5700   PUSH DWORD PTR DS:[57CB09]00592696    53              PUSH EBX00592697    BB 02000000     MOV EBX,2                                ; ************0059269C    891D 19CB5700   MOV DWORD PTR DS:[57CB19],EBX005926A2    5B              POP EBX005926A3    FF35 19CB5700   PUSH DWORD PTR DS:[57CB19]005926A9    8F05 3DC95700   POP DWORD PTR DS:[57C93D]005926AF    53              PUSH EBX005926B0    BB 3DC95700     MOV EBX,0057C93D005926B5    8B13            MOV EDX,DWORD PTR DS:[EBX]005926B7    5B              POP EBX005926B8    57              PUSH EDI005926B9    891C24          MOV DWORD PTR SS:[ESP],EBX005926BC    C705 F9C85700 A>MOV DWORD PTR DS:[57C8F9],0057C8A1005926C6    8B1D F9C85700   MOV EBX,DWORD PTR DS:[57C8F9]005926CC    8913            MOV DWORD PTR DS:[EBX],EDX005926CE    8F05 11CB5700   POP DWORD PTR DS:[57CB11]005926D4    8B1D 11CB5700   MOV EBX,DWORD PTR DS:[57CB11]005926DA    60              PUSHAD005926DB    E8 01000000     CALL 005926E1......00592880    83EB 01         SUB EBX,100592883  ^ 0F85 6EFFFFFF   JNZ 005927F7                               ; 循环解压代码00592889    E8 01000000     CALL 0059288F0059288E    90              NOP0059288F    83C4 04         ADD ESP,400592892    E8 0CAFFFFF     CALL <Shit Int3>                           ; shit int 300592897    E9 06000000     JMP 005928A20059289C    66:B8 065B      MOV AX,5B06005928A0    85C6            TEST ESI,EAX005928A2    B8 64000000     MOV EAX,64005928A7    33D2            XOR EDX,EDX005928A9    33DB            XOR EBX,EBX005928AB    F7F3            DIV EBX005928AD    90              NOP005928AE    64:8F05 0000000>POP DWORD PTR FS:[0]                       ; 到这里就看到希望了,后面很明显的看出是程序的代码005928B5    83C4 04         ADD ESP,4005928B8    61              POPAD005928B9    8B1424          MOV EDX,DWORD PTR SS:[ESP]005928BC    8F05 F9C95700   POP DWORD PTR DS:[57C9F9]005928C2    FF35 A1C85700   PUSH DWORD PTR DS:[57C8A1]                 ; ***********005928C8    FF15 14774B00   CALL DWORD PTR DS:[4B7714]                 ; msvcrt.__set_app_type005928CE    8F05 EDCA5700   POP DWORD PTR DS:[57CAED]005928D4    FF35 EDCA5700   PUSH DWORD PTR DS:[57CAED]005928DA    8F05 25C85700   POP DWORD PTR DS:[57C825]005928E0    FF35 25C85700   PUSH DWORD PTR DS:[57C825]005928E6    59              POP ECX005928E7    830D AC464D00 F>OR DWORD PTR DS:[4D46AC],FFFFFFFF005928EE    830D B0464D00 F>OR DWORD PTR DS:[4D46B0],FFFFFFFF005928F5    FF15 10774B00   CALL DWORD PTR DS:[4B7710]                 ; msvcrt.__p__fmode005928FB    FF35 70464D00   PUSH DWORD PTR DS:[4D4670]00592901    8F05 19CA5700   POP DWORD PTR DS:[57CA19]00592907    90              NOP00592908    90              NOP00592909    60              PUSHAD0059290A    E8 01000000     CALL 00592910......00592ACD    B8 64000000     MOV EAX,6400592AD2    33D2            XOR EDX,EDX00592AD4    33DB            XOR EBX,EBX00592AD6    F7F3            DIV EBX00592AD8    90              NOP00592AD9    64:8F05 0000000>POP DWORD PTR FS:[0]00592AE0    83C4 04         ADD ESP,400592AE3    61              POPAD00592AE4    FF35 19CA5700   PUSH DWORD PTR DS:[57CA19]00592AEA    8F05 5DC85700   POP DWORD PTR DS:[57C85D]00592AF0    8B0D 5DC85700   MOV ECX,DWORD PTR DS:[57C85D]00592AF6    8908            MOV DWORD PTR DS:[EAX],ECX                 ; **************00592AF8    FF15 0C774B00   CALL DWORD PTR DS:[4B770C]                 ; msvcrt.__p__commode00592AFE    FF35 6C464D00   PUSH DWORD PTR DS:[4D466C]00592B04    8F05 A9CA5700   POP DWORD PTR DS:[57CAA9]00592B0A    8915 2DC95700   MOV DWORD PTR DS:[57C92D],EDX00592B10    FF35 2DC95700   PUSH DWORD PTR DS:[57C92D]00592B16    68 A9CA5700     PUSH 0057CAA900592B1B    5A              POP EDX00592B1C    8B0A            MOV ECX,DWORD PTR DS:[EDX]00592B1E    8B1424          MOV EDX,DWORD PTR SS:[ESP]00592B21    8F05 C1C95700   POP DWORD PTR DS:[57C9C1]00592B27    8908            MOV DWORD PTR DS:[EAX],ECX00592B29    A1 08774B00     MOV EAX,DWORD PTR DS:[4B7708]00592B2E    8B00            MOV EAX,DWORD PTR DS:[EAX]00592B30    90              NOP00592B31    90              NOP00592B32    60              PUSHAD00592B33    E8 01000000     CALL 00592B39......00592C7E    83C4 04         ADD ESP,400592C81    66:BB 9B5E      MOV BX,5E9B00592C85    F9              STC00592C86    8929            MOV DWORD PTR DS:[ECX],EBP00592C88    EB 01           JMP SHORT 00592C8B00592C8A    90              NOP00592C8B    E8 94A6FFFF     CALL <sub_Check_UnhandledExceptionFilter>  ; 检测UnhandledExceptionFilter入口有没有处CC断点00592C90    66:23DD         AND BX,BP00592C93    81E8 C1E0555F   SUB EAX,5F55E0C100592C99    E8 01000000     CALL 00592C9F00592C9E  ^ 79 83           JNS SHORT 00592C2300592CA0    C40466          LES EAX,FWORD PTR DS:[ESI]                 ; Modification of segment register00592CA3    BB 82FFF981     MOV EBX,81F9FF8200592CA8    C10400 00       ROL DWORD PTR DS:[EAX+EAX],0               ; Shift constant out of range 1..3100592CAC    00E8            ADD AL,CH00592CAE    0100            ADD DWORD PTR DS:[EAX],EAX00592CB0    0000            ADD BYTE PTR DS:[EAX],AL00592CB2  ^ 76 83           JBE SHORT 00592C3700592CB4    04 24           ADD AL,2400592CB6    06              PUSH ES00592CB7    C3              RETN00592CB8    4A              DEC EDX00592CB9    85F3            TEST EBX,ESI00592CBB    83EF 01         SUB EDI,100592CBE  ^ 0F85 88FFFFFF   JNZ 00592C4C                               ; 循环解压00592CC4    E8 01000000     CALL 00592CCA......00592E8E    23CE            AND ECX,ESI00592E90    45              INC EBP00592E91    83E8 01         SUB EAX,100592E94  ^ 0F85 5BFFFFFF   JNZ 00592DF5                               ; 到了这里还循环解压代码00592E9A    EB 01           JMP SHORT 00592E9D00592E9C  ^ 7C 85           JL SHORT 00592E2300592E9E    CD 66           INT 6600592EA0    33CD            XOR ECX,EBP00592EA2    B8 64000000     MOV EAX,6400592EA7    33D2            XOR EDX,EDX00592EA9    33DB            XOR EBX,EBX00592EAB    F7F3            DIV EBX00592EAD    90              NOP00592EAE    64:8F05 0000000>POP DWORD PTR FS:[0]00592EB5    83C4 04         ADD ESP,400592EB8    E8 4392FFFF     CALL <sub_GetEBP >; 准备跳去执行程序的代码了00592EBD    6A 00           PUSH 000592EBF    E8 0A000000     CALL <sub_GOTO_END>00592EC4    41              INC ECX......00592EC5    43              INC EBX00592EC6    50              PUSH EAX00592EC7    72 6F           JB SHORT 00592F3800592EC9    74 65           JE SHORT 00592F3000592ECB    90              NOP00592ECC    90              NOP00592ECD    90              NOP00592ECE >  E8 25000000     CALL <GOTO END>00592ED3    42              INC EDX00592ED4    79 20           JNS SHORT 00592EF600592ED6    54              PUSH ESP00592ED7    72 69           JB SHORT 00592F4200592ED9    61              POPAD00592EDA    6C              INS BYTE PTR ES:[EDI],DX                   ; I/O command00592EDB    2041 43         AND BYTE PTR DS:[ECX+43],AL00592EDE    50              PUSH EAX00592EDF    72 6F           JB SHORT 00592F5000592EE1    74 65           JE SHORT 00592F4800592EE3    637400 73       ARPL WORD PTR DS:[EAX+EAX+73],SI00592EE7    74 65           JE SHORT 00592F4E00592EE9    72 65           JB SHORT 00592F5000592EEB    64:2041 43      AND BYTE PTR FS:[ECX+43],AL00592EEF    50              PUSH EAX00592EF0    72 6F           JB SHORT 00592F6100592EF2    74 65           JE SHORT 00592F5900592EF4    637421 00       ARPL WORD PTR DS:[ECX],SI00592EF8 >  6A 00           PUSH 0                                     ; GOTO END改为jmp [addr] 的方式执行到fake OEP地址00592EFA    83C4 10         ADD ESP,10                                 ; 到了这里,只剩跳去fake oep都要加密一下00592EFD    90              NOP......005930A9    E8 5290FFFF     CALL <sub_GetEBP >
005930AE    8B85 4B814100   MOV EAX,DWORD PTR SS:[EBP+41814B]005930B4    0385 46F84000   ADD EAX,DWORD PTR SS:[EBP+40F846]005930BA    8985 4B814100   MOV DWORD PTR SS:[EBP+41814B],EAX          ; 要去执行的地址005930C0    E8 3B90FFFF     CALL <sub_GetEBP >
005930C5    C685 08814100 E>MOV BYTE PTR SS:[EBP+418108],0E8005930CC    E8 2F90FFFF     CALL <sub_GetEBP >
005930D1    C785 09814100 F>MOV DWORD PTR SS:[EBP+418109],25FF         ; 改成jmp [address]的方式005930DB    8D85 4B814100   LEA EAX,DWORD PTR SS:[EBP+41814B]005930E1    8985 0B814100   MOV DWORD PTR SS:[EBP+41810B],EAX005930E7    E8 1490FFFF     CALL <sub_GetEBP >
005930EC    8DBD B87E4100   LEA EDI,DWORD PTR SS:[EBP+417EB8]005930F2    8D8D FD804100   LEA ECX,DWORD PTR SS:[EBP+4180FD]005930F8    2BCF            SUB ECX,EDI005930FA    C1E9 02         SHR ECX,2005930FD >  E8 CC87FFFF     CALL <Get_RND_VALUE>                       ; Fill junk code00593102    AB              STOS DWORD PTR ES:[EDI]00593103  ^ E2 F8           LOOPD SHORT <sub_fill_Junk>                ; 循环填上垃圾代码,00593105    61              POPAD00593106    EB 01           JMP SHORT 0059310900593108    90              NOP00593109  - FF25 4B315900   JMP DWORD PTR DS:[59314B]                  ; JMP to FAKE OEP.......004B2DE9    A3 A8464D00     MOV DWORD PTR DS:[4D46A8],EAX              ; fake OEP004B2DEE    E8 6B010000     CALL 004B2F5E004B2DF3    391D 782F4C00   CMP DWORD PTR DS:[4C2F78],EBX004B2DF9    75 0C           JNZ SHORT 004B2E07分析完整理一下得出Stolen code长这么个模样:004B2D84    55              PUSH EBP004B2D85    8BEC            MOV EBP,ESP004B2D87    6A FF           PUSH -1004B2D89    68 609F4B00     PUSH 004B9F60004B2D8E    68 602F4B00     PUSH 004B2F60                              ; JMP to msvcrt._except_handler3004B2D93    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]004B2D99    50              PUSH EAX004B2D9A    64:8925 0000000>MOV DWORD PTR FS:[0],ESP004B2DA1    83EC 68         SUB ESP,68004B2DA4    53              PUSH EBX004B2DA5    56              PUSH ESI004B2DA6    57              PUSH EDI004B2DA7    8965 E8         MOV DWORD PTR SS:[EBP-18],ESP004B2DAA    33DB            XOR EBX,EBX004B2DAC    895D FC         MOV DWORD PTR SS:[EBP-4],EBX004B2DAF    6A 02           PUSH 2004B2DB1    5F              POP EDI004B2DB2    57              PUSH EDI004B2DB3    FF15 14774B00   CALL DWORD PTR DS:[4B7714]                 ; msvcrt.__set_app_type004B2DB9    59              POP ECX004B2DBA    830D AC464D00 F>OR DWORD PTR DS:[4D46AC],FFFFFFFF004B2DC1    830D B0464D00 F>OR DWORD PTR DS:[4D46B0],FFFFFFFF004B2DC8    FF15 10774B00   CALL DWORD PTR DS:[4B7710]                 ; msvcrt.__p__fmode004B2DCE    8B0D 70464D00   MOV ECX,DWORD PTR DS:[4D4670]004B2DD4    8908            MOV DWORD PTR DS:[EAX],ECX004B2DD6    FF15 0C774B00   CALL DWORD PTR DS:[4B770C]                 ; msvcrt.__p__commode004B2DDC    8B0D 6C464D00   MOV ECX,DWORD PTR DS:[4D466C]004B2DE2    8908            MOV DWORD PTR DS:[EAX],ECX004B2DE4    A1 08774B00     MOV EAX,DWORD PTR DS:[4B7708]sub_RePlace_code:0057D02E >  60              PUSHAD                                   ; sub_Restore_Replace_Code0057D02F    90              NOP0057D030    90              NOP0057D031    90              NOP0057D032    90              NOP......0057D1D9    E8 22EF0000     CALL <sub_GetEBP >
0057D1DE    8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]            ; 取call这个处理模块的地址0057D1E2    33C9            XOR ECX,ECX0057D1E4    8B9C8D 812E4000 MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81]0057D1EB    039D 46F84000   ADD EBX,DWORD PTR SS:[EBP+40F846]0057D1F1    3BC3            CMP EAX,EBX0057D1F3    74 07           JE SHORT 0057D1FC                        ; 表里查到符合条件的则跳0057D1F5    90              NOP0057D1F6    90              NOP0057D1F7    90              NOP0057D1F8    90              NOP0057D1F9    41              INC ECX0057D1FA  ^ EB E8           JMP SHORT 0057D1E4                       ; 循环查表0057D1FC    8DB5 615D4000   LEA ESI,DWORD PTR SS:[EBP+405D61]0057D202    B8 0A000000     MOV EAX,0A0057D207    F7E1            MUL ECX0057D209    03F0            ADD ESI,EAX0057D20B    8DBD 07184000   LEA EDI,DWORD PTR SS:[EBP+401807]0057D211    0FB6840D C92240>MOVZX EAX,BYTE PTR SS:[EBP+ECX+4022C9]0057D219    FEC0            INC AL0057D21B    88840D C9224000 MOV BYTE PTR SS:[EBP+ECX+4022C9],AL0057D222    3C 20           CMP AL,200057D224    75 13           JNZ SHORT 0057D2390057D226    90              NOP0057D227    90              NOP0057D228    90              NOP0057D229    90              NOP0057D22A    8BBD 4AF84000   MOV EDI,DWORD PTR SS:[EBP+40F84A]0057D230    B8 0A000000     MOV EAX,0A0057D235    F7E1            MUL ECX0057D237    03F8            ADD EDI,EAX0057D239    8A9D 1E204000   MOV BL,BYTE PTR SS:[EBP+40201E]0057D23F    B9 0A000000     MOV ECX,0A0057D244 >  AC              LODS BYTE PTR DS:[ESI]                   ; 还原出正确的代码,加了垃圾代码的0057D245    32C3            XOR AL,BL0057D247    AA              STOS BYTE PTR ES:[EDI]0057D248  ^ E2 FA           LOOPD SHORT <Decrypt_Replaced_CODE>0057D24A    83EF 0A         SUB EDI,0A0057D24D    57              PUSH EDI0057D24E    8DB5 07184000   LEA ESI,DWORD PTR SS:[EBP+401807]0057D254    33F7            XOR ESI,EDI0057D256    74 19           JE SHORT 0057D2710057D258    90              NOP0057D259    90              NOP0057D25A    90              NOP0057D25B    90              NOP0057D25C    8B7424 24       MOV ESI,DWORD PTR SS:[ESP+24]0057D260    83EE 04         SUB ESI,40057D263    AD              LODS DWORD PTR DS:[ESI]0057D264    81EF 2E204000   SUB EDI,0040202E0057D26A    2BFD            SUB EDI,EBP0057D26C    03C7            ADD EAX,EDI0057D26E    8946 FC         MOV DWORD PTR DS:[ESI-4],EAX0057D271    5F              POP EDI0057D272    57              PUSH EDI0057D273    33C9            XOR ECX,ECX0057D275    83F9 08         CMP ECX,80057D278    74 0E           JE SHORT 0057D2880057D27A    90              NOP0057D27B    90              NOP0057D27C    90              NOP0057D27D    90              NOP0057D27E    8B448C 04       MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]0057D282    89048C          MOV DWORD PTR SS:[ESP+ECX*4],EAX0057D285    41              INC ECX0057D286  ^ EB ED           JMP SHORT 0057D2750057D288    893C8C          MOV DWORD PTR SS:[ESP+ECX*4],EDI......0057D2C7    61              POPAD0057D2C8    C3              RETN进了程序代码空间后,现在分三个任务完成脱壳:去除Acprotect 用到的SDK保护Embedd Protect,去除Replace Code.去除Acprotect 用到的SDK保护Embedd Protect:  按照任务的顺序一个一个来,我们先解决最大的拌脚石,ACProtect的Embedd Protect应该这个壳里的最大亮点之一。加上了对程序的保护加强了不少。下面看看我们就去搬走这块石头。由上篇的文章里的分析,我写个了脚本方便很快就去关键地方,脚本如下:/*Set break point at Embedd protect start address*/var bpaddrstart:  bprm 401000,b6000//在Code section处下断点  esto  bpmc  bp 591079//断下后,在处理SDK的那个关键地方下个断lbl1:  eob lbl2  runlbl2:  cmp esi,0  je lbl3  cob  mov bpaddr,esi  add bpaddr,400000//取出sdk的具体地址,然后在相关地址处下断  mov addrval,[bpaddr]  bp bpaddr  jmp lbl1lbl3:  cob  bc 591079//如果处理完了就结束这个脚本,清除上面的关键断点  ret写好后,设置OD忽略全部异常。运行脚本后最后结束在这里:00591079    0BF6            OR ESI,ESI                               ; 如果没有用SDK或SDK处理部分已经操作完成则跳0059107B    74 31           JE SHORT <finished>0059107D    90              NOP0059107E    90              NOP0059107F    90              NOP断下后,alt+B打开断点窗口:把非pushad处设置的断点取消:BreakpointsAddress    Module     Active                     Disassembly                           Comment0040CC05   MainCon    Always                     PUSHAD0040FE71   MainCon    Always                     SUB BYTE PTR DS:[ECX],2D              ;Clear it 004132D7   MainCon    Always                     PUSHAD004166D1   MainCon    Always                     PUSHAD00419A9B   MainCon    Always                     PUSHAD0041CCD6   MainCon    Always                     CMP AL,0A3                            ;Clear it 0042089A   MainCon    Always                     PUSHAD00423ADF   MainCon    Always                     CMC                                   ;Clear it00427422   MainCon    Always                     PUSHAD0042ABD1   MainCon    Always                     PUSHAD0042DEA1   MainCon    Always                     PUSHAD004317A2   MainCon    Always                     PUSHAD00436067   MainCon    Always                     PUSHAD0043930F   MainCon    Always                     JBE SHORT 00439375                     ;Clear it0043C77D   MainCon    Always                     PUSHAD0043FA3D   MainCon    Always                     PUSHAD00442DBD   MainCon    Always                     PUSHAD0044607D   MainCon    Always                     PUSHAD0044933D   MainCon    Always                     PUSHAD0044C600   MainCon    Always                     PUSHAD0044F8DD   MainCon    Always                     PUSHAD00452C0F   MainCon    Always                     PUSHAD00455EF0   MainCon    Always                     PUSHAD00459389   MainCon    Always                     PUSHAD0045C95D   MainCon    Always                     PUSHAD0045FC38   MainCon    Always                     PUSHAD00462EC8   MainCon    Always                     PUSHAD0046618B   MainCon    Always                     PUSHAD004696FF   MainCon    Always                     PUSHAD0046C932   MainCon    Always                     INS BYTE PTR ES:[EDI],DX                ;Clear it004708D9   MainCon    Always                     PUSHAD00474389   MainCon    Always                     PUSHAD004775C3   MainCon    Always                     OR DH,BYTE PTR DS:[EAX+6F]              ;Clear it0047A80F   MainCon    Always                     MOV AL,BYTE PTR DS:[C095E1F]            ;Clear it0047DE02   MainCon    Always                     PUSHAD00481126   MainCon    Always                     PUSHAD00484396   MainCon    Always                     INT1                                    ;Clear it取消相关的断点后,F9运行后,中断下来:0042089A    60              PUSHAD                                   ; 运行后中断在这里0042089B    F8              CLC0042089C    66:2BCD         SUB CX,BP0042089F    87C1            XCHG ECX,EAX......00420A62    0000            ADD BYTE PTR DS:[EAX],AL00420A64    47              INC EDI00420A65    4F              DEC EDI00420A66    83E8 01         SUB EAX,100420A69  ^ 0F85 81FFFFFF   JNZ 004209F0                             ; 循环解压代码后面有很多的东西00420A6F    7A 03           JPE SHORT 00420A74......00420D64   /E9 08000000     JMP 00420D7100420D69   |79 03           JNS SHORT 00420D6E00420D6B   |C1EE 47         SHR ESI,47                               ;解压了几个回合到一个远程jmp处,不要以为这里就差不多到头哦,后面还有很长的路,00420D6E   |66:8BCE         MOV CX,SI00420D71   /E9 E91D0000     JMP 00422B5F......00422B5F    E8 8FFDFFFF     CALL <sub_Copy code>                     ; 这里进去复制代码00422B64    33C2            XOR EAX,EDX00422B66    EB 01           JMP SHORT 00422B6900422B68    73 40           JNB SHORT 00422BAA......00422C1F    03FD            ADD EDI,EBP00422C21    E8 01000000     CALL 00422C2700422C26    90              NOP00422C27    83C4 04         ADD ESP,400422C2A    E8 37E5FFFF     CALL <Check Debugger>00422C2F    66:C1C6 B1      ROL SI,0B1                               ; Shift constant out of range 1..3100422C33    46              INC ESI00422C34    C1CF 1E         ROR EDI,1E00422C37    7C 03           JL SHORT 00422C3C00422C39    7D 01           JGE SHORT 00422C3C00422C3B  ^ 73 E9           JNB SHORT 00422C26......00422C6C    E8 01000000     CALL 00422C7200422C71    90              NOP00422C72    83C4 04         ADD ESP,400422C75    E8 3AE8FFFF     CALL <Crc File>00422C7A    66:C1D6 21      RCL SI,21                                ; Shift constant out of range 1..3100422C7E    81C5 19AA764B   ADD EBP,4B76AA19......00422E90    830424 06       ADD DWORD PTR SS:[ESP],600422E94    C3              RETN00422E95    E8 8DF1FFFF     CALL <sub_Anti_Fake_Unpack>              ; 检测是否被脱壳了,00422E9A    8BD5            MOV EDX,EBP00422E9C    81EF 6D259939   SUB EDI,3999256D00422EA2    50              PUSH EAX00422EA3    E8 01000000     CALL 00422EA900422EA8    EA 83C40458 66C>JMP FAR C166:5804C483                    ; Far jump00422EAF    FA              CLI00422EB0    F1              INT100422EB1    83C1 04         ADD ECX,400422EB4    E8 01000000     CALL 00422EBA00422EB9  ^ 7D 83           JGE SHORT 00422E3E00422EBB    C404BA          LES EAX,FWORD PTR DS:[EDX+EDI*4]         ; Modification of segment register00422EBE    41              INC ECX00422EBF    0D AE870F87     OR EAX,870F87AE00422EC4    0100            ADD DWORD PTR DS:[EAX],EAX00422EC6    0000            ADD BYTE PTR DS:[EAX],AL00422EC8    43              INC EBX00422EC9    83C5 FF         ADD EBP,-100422ECC  ^ 0F85 6AFFFFFF   JNZ 00422E3C                             ; 循环解压代码00422ED2    E8 01000000     CALL 00422ED800422ED7    9A 83C40487 D86>CALL FAR 66D8:8704C483                   ; Far call00422EDE    81C0 56FFE800   ADD EAX,0E8FF56......0042327E    83C4 04         ADD ESP,4                                ; 过了一段漫长的路,到这里00423281    58              POP EAX00423282    E8 84E4FFFF     CALL <sub_INT 1_Check_Debug>00423287    47              INC EDI00423288    83C1 04         ADD ECX,40042328B    2B11            SUB EDX,DWORD PTR DS:[ECX]......004232F5    90              NOP004232F6    61              POPAD                                    ; 一堆检测过后,解开被保护的代码004232F7    8B4D F0         MOV ECX,DWORD PTR SS:[EBP-10]            ; 程序代码004232FA    68 01010100     PUSH 10101004232FF    68 EBEBEB00     PUSH 0EBEBEB00423304    90              NOP00423305    90              NOP00423306    60              PUSHAD                                   ; 后面还代码,这里继续00423307    E8 00000000     CALL 0042330C0042330C    5D              POP EBP......0042334F   /74 03           JE SHORT 0042335400423351   |75 01           JNZ SHORT 0042335400423353   |90              NOP00423354   /E8 12E6FFFF     CALL <sub_Fuck_int3>      ;这里进去的int3会清除硬件的00423359    85FD            TEST EBP,EDI0042335B    0F80 02000000   JO 00423363......004235B9    81C5 E47934EE   ADD EBP,EE3479E4004235BF    EB 01           JMP SHORT 004235C2004235C1    90              NOP004235C2    E8 CAF0FFFF     CALL <Anti_Fake_Unpack_check_Import>      ;反脱壳的检测还真不少004235C7    E9 02000000     JMP 004235CE004235CC    87CF            XCHG EDI,ECX......00423926    830424 06       ADD DWORD PTR SS:[ESP],60042392A    C3              RETN0042392B    E9 04000000     JMP 0042393400423930    8BF8            MOV EDI,EAX00423932    03F9            ADD EDI,ECX00423934    E9 82010000     JMP 00423ABB                             ; 跳去执行程序的代码了00423939    EB 01           JMP SHORT 0042393C......00423ABB    61              POPAD00423ABC    90              NOP00423ABD    90              NOP00423ABE    90              NOP00423ABF    90              NOP00423AC0    90              NOP00423AC1    90              NOP00423AC2    90              NOP00423AC3    90              NOP00423AC4    90              NOP00423AC5    90              NOP00423AC6    90              NOP00423AC7    90              NOP00423AC8    90              NOP                                      ; 这里又是程序代码了00423AC9    E8 96F10800     CALL 004B2C64                            ; JMP to MFC42.#594300423ACE    60              PUSHAD00423ACF    6A 05           PUSH 500423AD1    6A 00           PUSH 000423AD3    6A 00           PUSH 000423AD5    6A FF           PUSH -100423AD7    FF15 C8784B00   CALL DWORD PTR DS:[4B78C8]               ; <MainCon.sub_SDK_Disposal>这里跟进去可以看到SDK处理的核心部分sub_EmbeddProtect00423ADD    61              POPAD00423ADE    90              NOP......00423FA9   /E9 08000000     JMP 00423FB600423FAE   |66:81D3 A6AF    ADC BX,0AFA600423FB3   |66:03D9         ADD BX,CX00423FB6   /E9 E91D0000     JMP 00425DA4                             ; 呵呵又一个远程跳,必有动作00423FBB    0000            ADD BYTE PTR DS:[EAX],AL......00426066   /79 01           JNS SHORT 0042606900426068   |90              NOP00426069   /E8 68F8FFFF     CALL <Anti_Fake_Unpack_check_Import>0042606E    0F83 02000000   JNB 0042607600426074    D3DE            RCR ESI,CL00426076    8BCD            MOV ECX,EBP......00426242  ^/71 83           JNO SHORT 004261C700426244    C40458          LES EAX,FWORD PTR DS:[EAX+EBX*2]         ; Modification of segment register00426247    E8 5FE1FFFF     CALL <sub_Fuck_RING0'Debugger>0042624C    87C7            XCHG EDI,EAX                             ; MainCon.004262F60042624E    4F              DEC EDI......004266AB    830424 06       ADD DWORD PTR SS:[ESP],6004266AF    C3              RETN004266B0    E8 3DE7FFFF     CALL <sub_check_ring3_debug>004266B5    E9 10000000     JMP 004266CA004266BA    0F84 02000000   JE 004266C2004266C0    87D1            XCHG ECX,EDX......0042670C    E8 01000000     CALL 0042671200426711  - E9 83C40458     JMP 58472B9900426716    E8 DEDFFFFF     CALL <SUB_CRC>0042671B    0BCF            OR ECX,EDI0042671D    87D9            XCHG ECX,EBX0042671F    E8 00000000     CALL 00426724......00426B78    4F              DEC EDI00426B79    E9 82010000     JMP 00426D00                             ; 跳去执行程序代码了00426B7E    E8 01000000     CALL 00426B84......00426D00    61              POPAD                                    ; 又开始程序代码00426D01    E8 58BF0800     CALL 004B2C5E                            ; JMP to MFC42.#116800426D06    8B40 08         MOV EAX,DWORD PTR DS:[EAX+8]00426D09    6A 00           PUSH 000426D0B    6A 00           PUSH 000426D0D    68 8C164C00     PUSH 004C168C                            ; ASCII "Demo"00426D12    50              PUSH EAX00426D13    E8 940F0600     CALL 00487CAC00426D18    60              PUSHAD00426D19    6A 04           PUSH 4                                   ; 为4时表示加密00426D1B    6A 00           PUSH 000426D1D    6A 00           PUSH 000426D1F    6A FF           PUSH -100426D21    FF15 C8784B00   CALL DWORD PTR DS:[4B78C8]               ; <MainCon.sub_SDK_Disposal>00426D27    EB 1E           JMP SHORT 00426D4700426D29    7D 66           JGE SHORT 00426D9100426D2B    99              CDQ00426D2C  - E9 6E3956CB     JMP CB98A69F00426D31    67:A8 69        TEST AL,69                               ; Superfluous prefix00426D34    DF59 E5         FISTP WORD PTR DS:[ECX-1B]00426D37    0000            ADD BYTE PTR DS:[EAX],AL00426D39    0000            ADD BYTE PTR DS:[EAX],AL00426D3B    0000            ADD BYTE PTR DS:[EAX],AL00426D3D    0000            ADD BYTE PTR DS:[EAX],AL00426D3F    0000            ADD BYTE PTR DS:[EAX],AL00426D41    0000            ADD BYTE PTR DS:[EAX],AL00426D43    0000            ADD BYTE PTR DS:[EAX],AL00426D45    0000            ADD BYTE PTR DS:[EAX],AL00426D47    61              POPAD                                    ; 下面又是程序代码了,...00426D48    68 84164C00     PUSH 004C1684                            ; ASCII "Skin"00426D4D    68 7C164C00     PUSH 004C167C                            ; ASCII "Skin1"00426D52    6A 00           PUSH 000426D54    E8 FE130600     CALL 0048815700426D59    60              PUSHAD00426D5A    6A 04           PUSH 400426D5C    6A 00           PUSH 000426D5E    6A 00           PUSH 000426D60    6A FF           PUSH -100426D62    FF15 C8784B00   CALL DWORD PTR DS:[4B78C8]               ; <MainCon.sub_SDK_Disposal>00426D68    EB 1E           JMP SHORT 00426D88                       ; 这里跳去就结束这个sdk 的处理、执行了00426D6A    52              PUSH EDX00426D6B    EE              OUT DX,AL                                ; I/O command00426D6C    B3 68           MOV BL,6800426D6E    B9 20AC0B71     MOV ECX,710BAC2000426D73    CF              IRETD00426D74    D019            RCR BYTE PTR DS:[ECX],100426D76    8ADD            MOV BL,CH00426D78    0000            ADD BYTE PTR DS:[EAX],AL00426D7A    0000            ADD BYTE PTR DS:[EAX],AL00426D7C    0000            ADD BYTE PTR DS:[EAX],AL00426D7E    0000            ADD BYTE PTR DS:[EAX],AL00426D80    0000            ADD BYTE PTR DS:[EAX],AL00426D82    0000            ADD BYTE PTR DS:[EAX],AL00426D84    0000            ADD BYTE PTR DS:[EAX],AL00426D86    0000            ADD BYTE PTR DS:[EAX],AL00426D88    61              POPAD00426D89    6A 00           PUSH 0                                   ; 又正常执行程序代码了00426D8B    8D8D 9497FFFF   LEA ECX,DWORD PTR SS:[EBP+FFFF9794]00426D91    E8 9AA50000     CALL 00431330......ok,关于Embedd Protect的分析就结束了,再分析几个地方就可以得到一定的规律。找回正常的代码也就是件很简单的事了,只需要一定的时间就可以了。这里的正确代码就应该为:00420889    8B4D F0         MOV ECX,DWORD PTR SS:[EBP-10]0042088C    68 01010100     PUSH 1010100420891    68 EBEBEB00     PUSH 0EBEBEB00420896    E8 C9230900     CALL <JMP.&MFC42.#5943>0042089B    E8 BE230900     CALL <JMP.&MFC42.#1168>004208A0    8B40 08         MOV EAX,DWORD PTR DS:[EAX+8]004208A3    6A 00           PUSH 0004208A5    6A 00           PUSH 0004208A7    68 8C164C00     PUSH 004C168C                            ; ASCII "Demo"004208AC    50              PUSH EAX004208AD    E8 FA730600     CALL 00487CAC004208B2    68 84164C00     PUSH 004C1684                            ; ASCII "Skin"004208B7    68 7C164C00     PUSH 004C167C                            ; ASCII "Skin1"004208BC    6A 00           PUSH 0004208BE    E8 94780600     CALL 00488157004208C3    E9 C1640000     JMP 00426D89                     ; JMP to MFC42.#5943经过N久的时间把全部的正确代码找回来了之后,dump下code段,第一个任务就算完成了,接下来完成第二个任务。去除Replace Code:    这个任务也算是ACProtect 的一样法宝吧,替换了很多的代码。每次替换5个字节的代码,方式为3+2或2+3,壳解压出来时已经加了垃圾代码。  重来,载入目标,先在rdata段下断点,断下后,在text段下断,运行停止在fake oep后,在最后一个段下内存写入断点。再运行,这样就中断在Replace Code的关键代码处了:sub_Restore_Replace_Code:0057D02E >  60              PUSHAD                                   ; sub_Restore_Replace_Code0057D02F    4A              DEC EDX0057D030    FC              CLD......0057D0EB    8945 1D         MOV DWORD PTR SS:[EBP+1D],EAX            ; 中断在这里0057D0EE    EB 01           JMP SHORT 0057D0F1......0057D1C5    83E9 01         SUB ECX,10057D1C8  ^ 0F85 69FFFFFF   JNZ 0057D137                           ; 循环解压代码0057D1CE    EB 01           JMP SHORT 0057D1D10057D1D0    71 72           JNO SHORT <Decrypt_Replaced_CODE>0057D1D2    06              PUSH ES0057D1D3    81E7 B34D2A57   AND EDI,572A4DB30057D1D9    E8 22EF0000     CALL <sub_GetEBP >
0057D1DE    8B4424 20       MOV EAX,DWORD PTR SS:[ESP+20]          ; 取call这个处理模块的地址0057D1E2    33C9            XOR ECX,ECX0057D1E4    8B9C8D 812E4000 MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81>; 指向一个表,通过在表里查询来还原代码0057D1EB    039D 46F84000   ADD EBX,DWORD PTR SS:[EBP+40F846]0057D1F1    3BC3            CMP EAX,EBX0057D1F3    74 07           JE SHORT 0057D1FC                      ; 表里查到符合条件的则跳0057D1F5    90              NOP0057D1F6    90              NOP0057D1F7    90              NOP0057D1F8    90              NOP0057D1F9    41              INC ECX0057D1FA  ^ EB E8           JMP SHORT 0057D1E4                     ; 循环查表0057D1FC    8DB5 615D4000   LEA ESI,DWORD PTR SS:[EBP+405D61]0057D202    B8 0A000000     MOV EAX,0A0057D207    F7E1            MUL ECX0057D209    03F0            ADD ESI,EAX0057D20B    8DBD 07184000   LEA EDI,DWORD PTR SS:[EBP+401807]0057D211    0FB6840D C92240>MOVZX EAX,BYTE PTR SS:[EBP+ECX+4022C9]0057D219    FEC0            INC AL0057D21B    88840D C9224000 MOV BYTE PTR SS:[EBP+ECX+4022C9],AL0057D222    3C 20           CMP AL,200057D224    75 13           JNZ SHORT 0057D2390057D226    90              NOP0057D227    90              NOP0057D228    90              NOP0057D229    90              NOP0057D22A    8BBD 4AF84000   MOV EDI,DWORD PTR SS:[EBP+40F84A]0057D230    B8 0A000000     MOV EAX,0A0057D235    F7E1            MUL ECX0057D237    03F8            ADD EDI,EAX0057D239    8A9D 1E204000   MOV BL,BYTE PTR SS:[EBP+40201E]        ; [EBP+40201E]中保存着解密的Key0057D23F    B9 0A000000     MOV ECX,0A0057D244 >  AC              LODS BYTE PTR DS:[ESI]                 ; 还原出正确的代码,加了垃圾代码的0057D245    32C3            XOR AL,BL0057D247    AA              STOS BYTE PTR ES:[EDI]0057D248  ^ E2 FA           LOOPD SHORT <Decrypt_Replaced_CODE>0057D24A    83EF 0A         SUB EDI,0A0057D24D    57              PUSH EDI0057D24E    8DB5 07184000   LEA ESI,DWORD PTR SS:[EBP+401807]0057D254    33F7            XOR ESI,EDI0057D256    74 19           JE SHORT 0057D2710057D258    90              NOP0057D259    90              NOP0057D25A    90              NOP0057D25B    90              NOP0057D25C    8B7424 24       MOV ESI,DWORD PTR SS:[ESP+24]0057D260    83EE 04         SUB ESI,40057D263    AD              LODS DWORD PTR DS:[ESI]0057D264    81EF 2E204000   SUB EDI,0040202E0057D26A    2BFD            SUB EDI,EBP0057D26C    03C7            ADD EAX,EDI0057D26E    8946 FC         MOV DWORD PTR DS:[ESI-4],EAX0057D271    5F              POP EDI0057D272    57              PUSH EDI0057D273    33C9            XOR ECX,ECX0057D275    83F9 08         CMP ECX,80057D278    74 0E           JE SHORT 0057D2880057D27A    90              NOP0057D27B    90              NOP0057D27C    90              NOP0057D27D    90              NOP0057D27E    8B448C 04       MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]0057D282    89048C          MOV DWORD PTR SS:[ESP+ECX*4],EAX0057D285    41              INC ECX0057D286  ^ EB ED           JMP SHORT 0057D2750057D288    893C8C          MOV DWORD PTR SS:[ESP+ECX*4],EDI0057D28B    60              PUSHAD                                 ; 加密代码0057D28C    E8 00000000     CALL 0057D2910057D291    5E              POP ESI0057D292    83EE 06         SUB ESI,60057D295    B9 B2000000     MOV ECX,0B20057D29A    29CE            SUB ESI,ECX0057D29C    BA 41A20ADC     MOV EDX,DC0AA2410057D2A1    C1E9 02         SHR ECX,20057D2A4    83E9 02         SUB ECX,20057D2A7    83F9 00         CMP ECX,00057D2AA    7C 1A           JL SHORT 0057D2C60057D2AC    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]0057D2AF    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0057D2B3    33C3            XOR EAX,EBX0057D2B5    C1C8 15         ROR EAX,150057D2B8    33C2            XOR EAX,EDX0057D2BA    81EA 417BCDED   SUB EDX,EDCD7B410057D2C0    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0057D2C3    49              DEC ECX0057D2C4  ^ EB E1           JMP SHORT 0057D2A70057D2C6    61              POPAD0057D2C7    61              POPAD0057D2C8    C3              RETN                                   ; 返回到要执行的代码处分析出这些代码后,写了个修复代码,这个修复代码是我上次看到股林精怪写的,既然这的这么好,我就直接搬来过借用下:-),修复代码如下:.386.model flat,stdcall;-------------------------------------------------------------;;ACProtect v1.41Replace Code Fix Application;;-------------------------------------------------------------.codestart:  PUSHAD  XOR EAX,EAX  MOV EDI,580d61h;LEA ESI,DWORD PTR SS:[EBP+405D61]  EBP+405D61=525d61L003:  CMP DWORD PTR DS:[EAX+EDI],0  JE L008  XOR BYTE PTR DS:[EAX+EDI],0D7h;MOV BL,BYTE PTR SS:[EBP+40201E]  [0052201e]=22  INC EAX  JMP L003L008:  XOR ECX,ECXL009:  MOV ESI,DWORD PTR DS:[ECX*4+57de81h];MOV EBX,DWORD PTR SS:[EBP+ECX*4+402E81]  EBP+402E81=522e81  CMP ESI,0  JNZ L015  POPAD  SUB DWORD PTR SS:[ESP],5h  RETNL015:  MOV EDI,580d61h;LEA ESI,DWORD PTR SS:[EBP+405D61]  EBP+405D61=525d61  ADD ESI,3FFFFBh  MOV EAX,0Ah  MUL ECX  ADD EDI,EAX  XOR EAX,EAXL021:  CMP BYTE PTR DS:[EAX+EDI],3h  JE L074  CMP BYTE PTR DS:[EAX+EDI],33h  JE L114  CMP BYTE PTR DS:[EAX+EDI],40h  JB L029  CMP BYTE PTR DS:[EAX+EDI],58h  JB L031L029:  INC EAX  JMP L021L031:  MOV DL,BYTE PTR DS:[EAX+EDI]  ADD DL,8  MOV EBX,EAXL034:  INC EBX  CMP DL,BYTE PTR DS:[EBX+EDI]  JE L040  CMP EBX,8  JB L034  JMP L029L040:  SUB EBX,EAX  CMP EAX,0  JNZ L058  CMP EBX,2  JB L029  DEC EBX  INC EDI  XOR EBP,EBPL048:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EBX,EBP  JNZ L048  INC EDI  XOR EBX,EBX  JMP L048L058:  CMP EBX,2  JE L029  XOR EBP,EBPL061:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EAX,EBP  JNZ L061  INC EDI  XOR EAX,EAX  CMP EBX,1  JNZ L061  INC EDI  JMP L061L074:  MOV DX,WORD PTR DS:[EAX+EDI]  ADD DX,28h  MOV EBX,EAX  INC EBXL078:  INC EBX  CMP WORD PTR DS:[EBX+EDI],DX  JE L084  CMP EBX,8  JB L078  JMP L029L084:  CMP EAX,0  JNZ L099  LEA EAX,DWORD PTR DS:[EBX-2]  ADD EDI,2  XOR EBP,EBPL089:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EAX,EBP  JNZ L089  ADD EDI,2  XOR EAX,EAX  JMP L089L099:  SUB EBX,EAX  XOR EBP,EBPL101:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EAX,EBP  JNZ L101  ADD EDI,2  XOR EAX,EAX  CMP EBX,2  JNZ L101  ADD EDI,2  JMP L101L114:  MOV DX,WORD PTR DS:[EAX+EDI]  MOV EBX,EAX  INC EBXL117:  INC EBX  CMP WORD PTR DS:[EBX+EDI],DX  JE L123  CMP EBX,8  JB L117  JMP L029L123:  CMP EAX,0  JNZ L138  LEA EAX,DWORD PTR DS:[EBX-2]  ADD EDI,2  XOR EBP,EBPL128:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EAX,EBP  JNZ L128  ADD EDI,2  XOR EAX,EAX  JMP L128L138:  SUB EBX,EAX  XOR EBP,EBPL140:  MOV DL,BYTE PTR DS:[EDI+EBP]  MOV BYTE PTR DS:[ESI+EBP],DL  CMP EBP,4  JE L153  INC EBP  CMP EAX,EBP  JNZ L140  ADD EDI,2  XOR EAX,EAX  CMP EBX,2  JNZ L140  ADD EDI,2  JMP L140L153:  INC ECX  JMP L009end start写好代码后,重新加载目标文件,忽略全部异常,直接在rdata处下断,运行中断后005906B7    33C0            XOR EAX,EAX                            ;直接运行到这里 005906B9    B9 00010000     MOV ECX,100运行后断在5906b7处后,把eip改为sub_Restore_Replace_Code(先选择57d02e,然后CTRL+*),然后贴上修复代码,贴上后执行到结束处:0057D02E >  60              PUSHAD                                 ; sub_Restore_Replace_Code0057D02F    33C0            XOR EAX,EAX0057D031    BF 610D5800     MOV EDI,00580D610057D036    833C07 00       CMP DWORD PTR DS:[EDI+EAX],00057D03A    74 07           JE SHORT 0057D0430057D03C    803407 D7       XOR BYTE PTR DS:[EDI+EAX],0D70057D040    40              INC EAX0057D041  ^ EB F3           JMP SHORT 0057D0360057D043    33C9            XOR ECX,ECX0057D045    8B348D 81DE5700 MOV ESI,DWORD PTR DS:[ECX*4+57DE81]0057D04C    83FE 00         CMP ESI,00057D04F    75 06           JNZ SHORT 0057D0570057D051    61              POPAD0057D052    832C24 05       SUB DWORD PTR SS:[ESP],5               ; f4直接执行到这里0057D056    C3              RETN执行完毕后把eip改回原处修复好replace code和embedd protect code之后,修复一下iat和oep信息就可以运行了。总结一下,为了方便自己操作,我写了一段脚本。/*  ACPROTCT 1.4 Unpack script v0.1  */var addrvar mbase//module basevar rmaddrvar rmsizevar IATVAvar tmpvalstart:  gmi eip,MODULEBASE  mov mbase,$RESULT  gpa "GetModuleHandleA","kernel32.dll"  mov addr,$RESULT  bprm addr,0A  esto  lbl1:  bpmc  findop eip,#F3AA#//Find command 'REP STOSB'  cmp $RESULT,0  je lblabort  go $RESULT  mov addr,$RESULT  add addr,2  mov eip,addr  mov rmaddr,4b7000//rdata段的开始地址  mov rmsize,a000//rdata段的大小  bpwm rmaddr,rmsize  esto lbl2:  bpmc  mov IATVA,esi  mov tmpval,esi  sub IATVA,mbase//计算iat的地始地址VA  findop eip,#83660C00#   //find command 'AND DWORD PTR DS:[ESI+C],0'  cmp $RESULT,0  je lblabort  fill $RESULT,4,90  repl eip,#602BC0880343380375F961#,#9090909090909090909090#,500//把清除名字的代码给nop掉  find $RESULT,#618907#  cmp $RESULT,0  je lblabort  go $RESULT  mov addr,$RESULT  inc addr  fill addr,2,90  findop addr,#33C0#  cmp $RESULT,0  je lblabort  mov addr,$RESULT  go addr  log IATVA  fill 6909c7,1,eb  ret    lblabort:  msg "Error!"  ret用od载入目标程序,运行该脚本,然后把前面dump下来修复好的Embedd Protect代码段替换这个现在正在操作的这个目标,然后用修复Replace code的代码修复Replace code,修复完,被上程序的oep被抽的代码,然后dump下目标程序的整个内存,修改OEP,修改正确的IAT信息,iat信息由分析篇得之:OEP RVA=000B2D84 IAT RVA=000BEB88 SIZE=00002398,修复好后程序就可以运行了。这样就算是比较完整的脱壳了,最后我自己还有一个问题哪位会的朋友指点下,谢谢,问题:壳把部分资源放到最后一个节去了,如何修复资源呢?, 对这个我一点都不会:-(。如果资源修复好了,最后一个节应该可以去掉吧。  在脱其它的acprotect的程序时发现有时还会有调用壳的api的代码,我这里附上修复调用壳api的代码:.386.model flat,stdcall.codeFillCode proc cmpaddr:DWORD,waddr:DWORD;----------------;cmpaddr 表示比较地址;waddr 要写入地址pushadmov edi,401000hmov ecx,0baf00h@loop1:cmp word ptr [edi],25ffhjnz jmpnmov ebx,[edi+2]cmp ebx,401000hjb jmpncmp ebx,521000hja jmpnmov ebx,[ebx]cmp cmpaddr,ebxjnz @Fmov ebx,edimov eax,waddrsub ebx,eaxsub ebx,5mov dword ptr [eax+1],ebxjmp @end @@:add edi,4sub ecx,4 jmpn:inc edidec ecx jnz @loop1  @end: popad ret 8FillCode endp@calld52 procpushadCALL @F;CALL 531100 Get EBP value  MOV EAX,DWORD PTR SS:[ESP+24h]  SUB EAX,DWORD PTR SS:[EBP+40F846h]  MOV ECX,3E9h  LEA EDI,DWORD PTR SS:[EBP+40D563h]  REPNE SCAS DWORD PTR ES:[EDI]  OR ECX,ECX  JNZ @F  NOP  NOP  NOP  NOP @@:  SUB ECX,3E9h  NOT ECX  MOVZX EBX,BYTE PTR SS:[EBP+ECX+40E503h]  LEA EAX,DWORD PTR SS:[EBP+EBX*4+40E8EBh]  mov eax,[eax]  mov EDX,DWORD PTR SS:[ESP+24h]  sub edx,5  cmp eax,5000000h  ja @F  mov ebx,[eax+8]  mov eax,[eax+1]  xor eax,ebx  @@:invoke FillCode,eax,edxpopadret 4@calld52 endp start: pushad mov edi,401000h mov ecx,0baf00h @loop1: cmp byte ptr [edi],0e8h jnz @F mov ebx,[edi+1] lea ebx,[ebx+edi+5]   cmp ebx,52d30bh   ;判断是否为call去解码处   jnz @Not52d   lea ebx,[edi+5]   push ebx    call @calld52    jmp @add4 @Not52d: cmp ebx,521000h jb @F cmp ebx,538fd2h ja @Fcmp word ptr [ebx+1],25ffhjnz @Fmov ebx,[ebx+3]mov ebx,[ebx]invoke FillCode,ebx,edi @add4: add edi,4 sub ecx,4 @@: inc edi dec ecx jnz @loop1 popad end start    漫漫长路,终到尽头。分析了这么多,现在看来又好像什么都没有哦:-),花了很多时间,今天终于把ACPROTECT给吃下来了。如果有兴趣可以试试做脱壳机的,我自己看了分析后认为做这个的脱壳机应该是可行的(如果不行,不能怪我哦:-P)。有所收获有所失去。牺牲了睡眠换来了近视:-9。收工zzZZZZ。---------------------------各模块代码------------------------------------sub_EmbeddProtect:0058AE31 >  837C24 04 FF    CMP DWORD PTR SS:[ESP+4],-1               ; 处理SDK的关键代码0058AE36    74 13           JE SHORT 0058AE4B0058AE38    90              NOP0058AE39    90              NOP0058AE3A    90              NOP0058AE3B    90              NOP0058AE3C    55              PUSH EBP0058AE3D    E8 BE120000     CALL <sub_GetEBP >
0058AE42    8BC5            MOV EAX,EBP0058AE44    5D              POP EBP0058AE45    FFA0 C4FD4000   JMP DWORD PTR DS:[EAX+40FDC4]0058AE4B    90              NOP......0058AFF7    55              PUSH EBP0058AFF8    E8 03110000     CALL <sub_GetEBP >
; 这里是关键代码,用于加密解密代码的0058AFFD    8BC5            MOV EAX,EBP0058AFFF    5D              POP EBP0058B000    837C24 04 FF    CMP DWORD PTR SS:[ESP+4],-10058B005    74 25           JE SHORT 0058B02C0058B007    90              NOP0058B008    90              NOP0058B009    90              NOP0058B00A    90              NOP0058B00B    8B98 2C854100   MOV EBX,DWORD PTR DS:[EAX+41852C]0058B011    803B CC         CMP BYTE PTR DS:[EBX],0CC0058B014    0F84 DE000000   JE <Case else>0058B01A    807B 01 CC      CMP BYTE PTR DS:[EBX+1],0CC0058B01E    0F84 D4000000   JE <Case else>0058B024    8BC3            MOV EAX,EBX0058B026    60              PUSHAD0058B027    E9 CC000000     JMP <Case else>0058B02C    60              PUSHAD0058B02D    E8 CE100000     CALL <sub_GetEBP >
0058B032    8B7C24 28       MOV EDI,DWORD PTR SS:[ESP+28]0058B036    8B4424 30       MOV EAX,DWORD PTR SS:[ESP+30]0058B03A    0BC0            OR EAX,EAX                                ; 当EAX=4的时候加密代码,eax=5的时候解密代码0058B03C    74 3F           JE SHORT <Case EAX==0>0058B03E    90              NOP0058B03F    90              NOP0058B040    90              NOP0058B041    90              NOP0058B042    48              DEC EAX0058B043    0BC0            OR EAX,EAX0058B045    74 65           JE SHORT <Case EAX==1>0058B047    90              NOP0058B048    90              NOP0058B049    90              NOP0058B04A    90              NOP0058B04B    48              DEC EAX0058B04C    0BC0            OR EAX,EAX0058B04E    74 68           JE SHORT <Case EAX==2>0058B050    90              NOP0058B051    90              NOP0058B052    90              NOP0058B053    90              NOP0058B054    48              DEC EAX0058B055    0BC0            OR EAX,EAX0058B057    74 75           JE SHORT <Case EAX==3>0058B059    90              NOP0058B05A    90              NOP0058B05B    90              NOP0058B05C    90              NOP0058B05D    48              DEC EAX0058B05E    0BC0            OR EAX,EAX0058B060    74 76           JE SHORT <Case EAX==4>0058B062    90              NOP0058B063    90              NOP0058B064    90              NOP0058B065    90              NOP0058B066    48              DEC EAX0058B067    0BC0            OR EAX,EAX0058B069    74 77           JE SHORT <Case EAX==5>0058B06B    90              NOP0058B06C    90              NOP0058B06D    90              NOP0058B06E    90              NOP0058B06F    48              DEC EAX0058B070    0BC0            OR EAX,EAX0058B072    74 78           JE SHORT <Case EAX==6>0058B074    90              NOP0058B075    90              NOP0058B076    90              NOP0058B077    90              NOP0058B078    EB 7E           JMP SHORT <Case else>0058B07A    90              NOP0058B07B    90              NOP0058B07C    90              NOP0058B07D >  8DB5 2CF54000   LEA ESI,DWORD PTR SS:[EBP+40F52C]         ; 当EAX=0时的处理0058B083    B9 08000000     MOV ECX,80058B088    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>0058B08A    8DB5 50F54000   LEA ESI,DWORD PTR SS:[EBP+40F550]0058B090    B9 07000000     MOV ECX,70058B095    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>0058B097    4F              DEC EDI0058B098    803F 20         CMP BYTE PTR DS:[EDI],200058B09B    75 06           JNZ SHORT 0058B0A30058B09D    90              NOP0058B09E    90              NOP0058B09F    90              NOP0058B0A0    90              NOP0058B0A1  ^ EB F4           JMP SHORT 0058B0970058B0A3    C647 01 00      MOV BYTE PTR DS:[EDI+1],00058B0A7    EB 4F           JMP SHORT <Case else>0058B0A9    90              NOP0058B0AA    90              NOP0058B0AB    90              NOP0058B0AC >  8A85 6DF74000   MOV AL,BYTE PTR SS:[EBP+40F76D]           ; 当eax==1时的处理0058B0B2    AA              STOS BYTE PTR ES:[EDI]0058B0B3    EB 43           JMP SHORT <Case else>0058B0B5    90              NOP0058B0B6    90              NOP0058B0B7    90              NOP0058B0B8 >  50              PUSH EAX                                  ; 当EAX==2时的处理0058B0B9    8B4424 24       MOV EAX,DWORD PTR SS:[ESP+24]0058B0BD    8985 28F54000   MOV DWORD PTR SS:[EBP+40F528],EAX0058B0C3    58              POP EAX0058B0C4    E8 02380000     CALL <Reg_Info>0058B0C9    EB 2D           JMP SHORT <Case else>0058B0CB    90              NOP0058B0CC    90              NOP0058B0CD    90              NOP0058B0CE >  E8 72000000     CALL 0058B145                             ; 当eax=3时的处理0058B0D3    EB 23           JMP SHORT <Case else>0058B0D5    90              NOP0058B0D6    90              NOP0058B0D7    90              NOP0058B0D8 >  E8 9C020000     CALL <sub_Restore_Crypted_Code>           ; 当eax==4时的处理0058B0DD    EB 19           JMP SHORT <Case else>0058B0DF    90              NOP0058B0E0    90              NOP0058B0E1    90              NOP0058B0E2 >  E8 CA040000     CALL <sub_Decrypt_Code>                   ; 当eax==5时的处理0058B0E7    EB 0F           JMP SHORT <Case else>0058B0E9    90              NOP0058B0EA    90              NOP0058B0EB    90              NOP0058B0EC >  8B85 5D814100   MOV EAX,DWORD PTR SS:[EBP+41815D]         ; 当EAX==6时的处理0058B0F2    AB              STOS DWORD PTR ES:[EDI]0058B0F3    EB 03           JMP SHORT <Case else>0058B0F5    90              NOP0058B0F6    90              NOP0058B0F7    90              NOP0058B0F8 >  90              NOP                                       ; Case else0058B0F9    90              NOP0058B0FA    90              NOP......0058B133    90              NOP0058B134    61              POPAD0058B135    837C24 04 FF    CMP DWORD PTR SS:[ESP+4],-10058B13A    74 06           JE SHORT 0058B1420058B13C    90              NOP0058B13D    90              NOP0058B13E    90              NOP0058B13F    90              NOP0058B140    FFE0            JMP EAX0058B142    C2 1000         RETN 10sub_CRC:004246F9 >  60              PUSHAD                                   ; sub_CRC004246FA    E8 73FAFFFF     CALL <GetEBp>004246FF    C685 1A1C4000 C>MOV BYTE PTR SS:[EBP+401C1A],0C300424706    E8 1B0E0000     CALL 00425526     ;这个Call 进去 0042470B    61              POPAD0042470C    C3              RETN进来后:004256D1    E8 9CEAFFFF     CALL <GetEBp>     ;这里和上篇里的是一样的,所以我也不多注释了:-)004256D6    68 20030000     PUSH 320004256DB    8DBD 00104000   LEA EDI,DWORD PTR SS:[EBP+401000]004256E1    57              PUSH EDI004256E2    6A 00           PUSH 0004256E4    FF95 20164000   CALL DWORD PTR SS:[EBP+401620]            ;GetModuleFileNameA004256EA    6A 00           PUSH 0004256EC    68 80000000     PUSH 80004256F1    6A 03           PUSH 3004256F3    6A 00           PUSH 0004256F5    6A 01           PUSH 1004256F7    68 00000080     PUSH 80000000004256FC    57              PUSH EDI004256FD    FF95 D8154000   CALL DWORD PTR SS:[EBP+4015D8]00425703    40              INC EAX00425704    0F84 8A000000   JE 004257940042570A    48              DEC EAX0042570B    8BF8            MOV EDI,EAX0042570D    6A 00           PUSH 00042570F    57              PUSH EDI00425710    FF95 24164000   CALL DWORD PTR SS:[EBP+401624]00425716    2B85 2C164000   SUB EAX,DWORD PTR SS:[EBP+40162C]0042571C    96              XCHG EAX,ESI0042571D    56              PUSH ESI0042571E    6A 40           PUSH 4000425720    FF95 AC154000   CALL DWORD PTR SS:[EBP+4015AC]00425726    85C0            TEST EAX,EAX00425728    74 61           JE SHORT 0042578B0042572A    90              NOP0042572B    90              NOP0042572C    90              NOP0042572D    90              NOP0042572E    93              XCHG EAX,EBX0042572F    6A 00           PUSH 000425731    8D85 00104000   LEA EAX,DWORD PTR SS:[EBP+401000]00425737    50              PUSH EAX00425738    56              PUSH ESI00425739    53              PUSH EBX0042573A    57              PUSH EDI0042573B    FF95 FC154000   CALL DWORD PTR SS:[EBP+4015FC]00425741    8BC3            MOV EAX,EBX00425743    8BCE            MOV ECX,ESI00425745    60              PUSHAD00425746    E8 3E060000     CALL 00425D890042574B    3985 30164000   CMP DWORD PTR SS:[EBP+401630],EAX00425751    74 27           JE SHORT 0042577A00425753    90              NOP00425754    90              NOP00425755    90              NOP00425756    90              NOP00425757    60              PUSHAD00425758    E8 15EAFFFF     CALL <GetEBp>0042575D    B8 00010000     MOV EAX,10000425762    E8 18EAFFFF     CALL 0042417F00425767    8BC8            MOV ECX,EAX00425769    8DBD 9A404000   LEA EDI,DWORD PTR SS:[EBP+40409A]0042576F    03F8            ADD EDI,EAX00425771    E8 1DEAFFFF     CALL 0042419300425776    AB              STOS DWORD PTR ES:[EDI]00425777  ^ E2 F8           LOOPD SHORT 0042577100425779    61              POPAD0042577A    61              POPAD0042577B    8D85 A42C4000   LEA EAX,DWORD PTR SS:[EBP+402CA4]00425781    50              PUSH EAX00425782    C3              RETN00425783    53              PUSH EBX00425784    FF95 B0154000   CALL DWORD PTR SS:[EBP+4015B0]0042578A    96              XCHG EAX,ESI0042578B    50              PUSH EAX0042578C    57              PUSH EDI0042578D    FF95 D4154000   CALL DWORD PTR SS:[EBP+4015D4]00425793    58              POP EAX00425794    60              PUSHAD00425795    E8 00000000     CALL 0042579A0042579A    5E              POP ESI0042579B    83EE 06         SUB ESI,60042579E    B9 C3000000     MOV ECX,0C3004257A3    29CE            SUB ESI,ECX004257A5    BA 48A6FC64     MOV EDX,64FCA648004257AA    C1E9 02         SHR ECX,2004257AD    83E9 02         SUB ECX,2004257B0    83F9 00         CMP ECX,0004257B3    7C 1A           JL SHORT 004257CF004257B5    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]004257B8    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]004257BC    2BC3            SUB EAX,EBX004257BE    C1C0 1D         ROL EAX,1D004257C1    03C2            ADD EAX,EDX004257C3    81C2 5E6AB05C   ADD EDX,5CB06A5E004257C9    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX004257CC    49              DEC ECX004257CD  ^ EB E1           JMP SHORT 004257B0004257CF    61              POPAD004257D0    61              POPAD004257D1    C3              RETNsub_INT 1_Check_Debug:0042170B >  60              PUSHAD                                     ; sub_INT 1_Check_Debug0042170C    4D              DEC EBP0042170D    50              PUSH EAX0042170E    E8 01000000     CALL 0042171400421713  ^ 71 83           JNO SHORT 0042169800421715    C40458          LES EAX,FWORD PTR DS:[EAX+EBX*2]         ; Modification of segment register00421718    66:BD D8B7      MOV BP,0B7D80042171C    7C 03           JL SHORT 004217210042171E    7D 01           JGE SHORT 0042172100421720  - E9 F850E801     JMP 022A681D00421725    0000            ADD BYTE PTR DS:[EAX],AL00421727    00EB            ADD BL,CH......004218B6    E8 72F6FFFF     CALL <GetEBP>004218BB    C685 711E4000 C>MOV BYTE PTR SS:[EBP+401E71],0C3004218C2    8CC8            MOV AX,CS004218C4    A8 04           TEST AL,4                                ; 如果系统是Winnt的,则通过int 1检测调试器004218C6    75 5A           JNZ SHORT <OS is Win9x>004218C8    90              NOP004218C9    90              NOP004218CA    90              NOP004218CB    90              NOP004218CC    E8 0E000000     CALL 004218DF004218D1    8B5C24 0C       MOV EBX,DWORD PTR SS:[ESP+C]004218D5    8383 B8000000 0>ADD DWORD PTR DS:[EBX+B8],2004218DC    33C0            XOR EAX,EAX004218DE    C3              RETN004218DF    64:67:FF36 0000 PUSH DWORD PTR FS:[0]004218E5    64:67:8926 0000 MOV DWORD PTR FS:[0],ESP004218EB    33C0            XOR EAX,EAX004218ED    CD 01           INT 1004218EF    40              INC EAX004218F0    40              INC EAX004218F1    0BC0            OR EAX,EAX004218F3    75 27           JNZ SHORT 0042191C                       ; 如果没有发现则跳004218F5    90              NOP004218F6    90              NOP004218F7    90              NOP004218F8    90              NOP004218F9    60              PUSHAD004218FA    E8 2EF6FFFF     CALL <GetEBP>004218FF    B8 00010000     MOV EAX,10000421904    E8 31F6FFFF     CALL 00420F3A00421909    8BC8            MOV ECX,EAX0042190B    8DBD 9A404000   LEA EDI,DWORD PTR SS:[EBP+40409A]00421911    03F8            ADD EDI,EAX00421913    E8 36F6FFFF     CALL 00420F4E00421918    AB              STOS DWORD PTR ES:[EDI]00421919  ^ E2 F8           LOOPD SHORT 004219130042191B    61              POPAD0042191C    33C0            XOR EAX,EAX0042191E    64:8F00         POP DWORD PTR FS:[EAX]00421921    58              POP EAX00421922 >  60              PUSHAD                                   ; OS is Win9x00421923    E8 00000000     CALL 0042192800421928    5E              POP ESI00421929    83EE 06         SUB ESI,60042192C    B9 6C000000     MOV ECX,6C00421931    29CE            SUB ESI,ECX00421933    BA 2B3C3C6D     MOV EDX,6D3C3C2B00421938    C1E9 02         SHR ECX,20042193B    83E9 02         SUB ECX,20042193E    83F9 00         CMP ECX,000421941    7C 1A           JL SHORT 0042195D00421943    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]00421946    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0042194A    03C3            ADD EAX,EBX0042194C    C1C8 1B         ROR EAX,1B0042194F    03C2            ADD EAX,EDX00421951    81F2 C6E14F4D   XOR EDX,4D4FE1C600421957    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0042195A    49              DEC ECX0042195B  ^ EB E1           JMP SHORT 0042193E0042195D    61              POPAD0042195E    61              POPAD0042195F    C3              RETNsub_Anti_Fake_Unpack:00422027 >  60              PUSHAD                                   ; sub_Anti_Fake_Unpack00422028    4E              DEC ESI00422029    87EA            XCHG EDX,EBP0042202B    46              INC ESI0042202C    50              PUSH EAX0042202D    E8 01000000     CALL 0042203300422032  ^ 77 83           JA SHORT 00421FB700422034    C40458          LES EAX,FWORD PTR DS:[EAX+EBX*2]         ; Modification of segment register00422037    66:8BD1         MOV DX,CX......004221D2    E8 56EDFFFF     CALL <GetEBP>004221D7    C685 8D274000 C>MOV BYTE PTR SS:[EBP+40278D],0C3004221DE    8BB5 28164000   MOV ESI,DWORD PTR SS:[EBP+401628]004221E4    66:8B16         MOV DX,WORD PTR DS:[ESI]004221E7    66:81FA 4D5A    CMP DX,5A4D004221EC    0F85 B1000000   JNZ <Good way>004221F2    0FB756 3C       MOVZX EDX,WORD PTR DS:[ESI+3C]004221F6    8BFE            MOV EDI,ESI004221F8    03FA            ADD EDI,EDX004221FA    8B47 28         MOV EAX,DWORD PTR DS:[EDI+28]004221FD    3B85 50164000   CMP EAX,DWORD PTR SS:[EBP+401650]00422203    74 7B           JE SHORT <over way>                      ; 如果发现入口和原程序一样则over00422205    90              NOP00422206    90              NOP00422207    90              NOP00422208    90              NOP00422209    3B85 54164000   CMP EAX,DWORD PTR SS:[EBP+401654]        ; 比较如果入口和壳入口不一样则over,感觉有点多余,直接判断不为壳入口不行吗?0042220F    75 6F           JNZ SHORT <over way>00422211    90              NOP00422212    90              NOP00422213    90              NOP00422214    90              NOP00422215    0FB747 06       MOVZX EAX,WORD PTR DS:[EDI+6]            ; 判断section是否为5,如果不为5则over00422219    48              DEC EAX0042221A    3D 04000000     CMP EAX,40042221F    75 5F           JNZ SHORT <over way>00422221    90              NOP00422222    90              NOP00422223    90              NOP00422224    90              NOP00422225    BA 28000000     MOV EDX,280042222A    F7E2            MUL EDX0042222C    05 F8000000     ADD EAX,0F800422231    03C7            ADD EAX,EDI00422233    50              PUSH EAX00422234    83C0 0C         ADD EAX,0C00422237    8B18            MOV EBX,DWORD PTR DS:[EAX]00422239    3B9D 54164000   CMP EBX,DWORD PTR SS:[EBP+401654]        ; 再次判断入口是否为壳的入口,0042223F    75 3F           JNZ SHORT <over way>00422241    90              NOP00422242    90              NOP00422243    90              NOP00422244    90              NOP00422245    5E              POP ESI00422246    813E 2E706572   CMP DWORD PTR DS:[ESI],7265702E          ; 比较最后一个字的名字是否为:.perplex0042224C    75 32           JNZ SHORT <over way>                     ; 如果不是则over0042224E    90              NOP0042224F    90              NOP00422250    90              NOP00422251    90              NOP00422252    817E 04 706C657>CMP DWORD PTR DS:[ESI+4],78656C7000422259    75 25           JNZ SHORT <over way>0042225B    90              NOP0042225C    90              NOP0042225D    90              NOP0042225E    90              NOP0042225F    8B85 54164000   MOV EAX,DWORD PTR SS:[EBP+401654]00422265    8BBD 28164000   MOV EDI,DWORD PTR SS:[EBP+401628]0042226B    0FB61C07        MOVZX EBX,BYTE PTR DS:[EDI+EAX]          ; 判断壳入口是否为pushad(60)如果不相等则over0042226F    80EB 30         SUB BL,3000422272    80FB 30         CMP BL,3000422275    75 09           JNZ SHORT <over way>00422277    90              NOP00422278    90              NOP00422279    90              NOP0042227A    90              NOP0042227B    EB 26           JMP SHORT <Good way>0042227D    90              NOP0042227E    90              NOP0042227F    90              NOP00422280 >  60              PUSHAD                                   ; Game over00422281    E8 A7ECFFFF     CALL <GetEBP>                            ; 如果发现程序被修改了就写入随机垃圾代码00422286    B8 00010000     MOV EAX,1000042228B    E8 AAECFFFF     CALL 00420F3A00422290    8BC8            MOV ECX,EAX00422292    8DBD 9A404000   LEA EDI,DWORD PTR SS:[EBP+40409A]00422298    03F8            ADD EDI,EAX0042229A    E8 AFECFFFF     CALL 00420F4E0042229F    AB              STOS DWORD PTR ES:[EDI]004222A0  ^ E2 F8           LOOPD SHORT 0042229A004222A2    61              POPAD004222A3 >  60              PUSHAD                                   ; Good way004222A4    E8 00000000     CALL 004222A9004222A9    5E              POP ESI004222AA    83EE 06         SUB ESI,6004222AD    B9 D1000000     MOV ECX,0D1004222B2    29CE            SUB ESI,ECX004222B4    BA 0D4034EF     MOV EDX,EF34400D004222B9    C1E9 02         SHR ECX,2004222BC    83E9 02         SUB ECX,2004222BF    83F9 00         CMP ECX,0004222C2    7C 1A           JL SHORT 004222DE004222C4    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]004222C7    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]004222CB    33C3            XOR EAX,EBX004222CD    C1C0 14         ROL EAX,14004222D0    33C2            XOR EAX,EDX004222D2    81EA 85A8D2E1   SUB EDX,E1D2A885004222D8    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX004222DB    49              DEC ECX004222DC  ^ EB E1           JMP SHORT 004222BF004222DE    61              POPAD004222DF    61              POPAD004222E0    C3              RETNsub_Copy code:004228F3 >  60              PUSHAD                                   ; sub_Copy code004228F4    7A 03           JPE SHORT 004228F9004228F6    7B 01           JPO SHORT 004228F9004228F8    9A 0F890600 000>CALL FAR 0000:0006890F                   ; Far call004228FF    81D0 94B7BD5B   ADC EAX,5BBDB79400422905    E8 01000000     CALL 0042290B0042290A  ^ 72 83           JB SHORT 0042288F0042290C    C404F9          LES EAX,FWORD PTR DS:[ECX+EDI*8]         ; Modification of segment register......00422A9E    E8 8AE4FFFF     CALL <GetEBP>00422AA3    C685 59304000 C>MOV BYTE PTR SS:[EBP+403059],0C3         ; 只执行一次call00422AAA    8DB5 9A404000   LEA ESI,DWORD PTR SS:[EBP+40409A]00422AB0    46              INC ESI00422AB1    8B06            MOV EAX,DWORD PTR DS:[ESI]00422AB3    3D 52455452     CMP EAX,5254455200422AB8  ^ 75 F6           JNZ SHORT 00422AB0                       ; 查找标志00422ABA    8B46 04         MOV EAX,DWORD PTR DS:[ESI+4]00422ABD    3D 49564150     CMP EAX,5041564900422AC2  ^ 75 EC           JNZ SHORT 00422AB000422AC4    8B46 08         MOV EAX,DWORD PTR DS:[ESI+8]00422AC7    3D 495A4346     CMP EAX,46435A4900422ACC  ^ 75 E2           JNZ SHORT 00422AB000422ACE    83C6 0E         ADD ESI,0E00422AD1    8DBD AC154000   LEA EDI,DWORD PTR SS:[EBP+4015AC]00422AD7    B9 28000000     MOV ECX,2800422ADC    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; 复制代码00422ADE    EB 26           JMP SHORT 00422B0600422AE0    90              NOP00422AE1    90              NOP00422AE2    90              NOP00422AE3    60              PUSHAD00422AE4    E8 44E4FFFF     CALL <GetEBP>00422AE9    B8 00010000     MOV EAX,10000422AEE    E8 47E4FFFF     CALL 00420F3A00422AF3    8BC8            MOV ECX,EAX00422AF5    8DBD 9A404000   LEA EDI,DWORD PTR SS:[EBP+40409A]00422AFB    03F8            ADD EDI,EAX00422AFD    E8 4CE4FFFF     CALL 00420F4E00422B02    AB              STOS DWORD PTR ES:[EDI]00422B03  ^ E2 F8           LOOPD SHORT 00422AFD00422B05    61              POPAD00422B06    60              PUSHAD                                   ; 加密代码00422B07    E8 00000000     CALL 00422B0C00422B0C    5E              POP ESI00422B0D    83EE 06         SUB ESI,600422B10    B9 68000000     MOV ECX,6800422B15    29CE            SUB ESI,ECX00422B17    BA 5EC43194     MOV EDX,9431C45E00422B1C    C1E9 02         SHR ECX,200422B1F    83E9 02         SUB ECX,200422B22    83F9 00         CMP ECX,000422B25    7C 1A           JL SHORT 00422B4100422B27    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]00422B2A    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]00422B2E    2BC3            SUB EAX,EBX00422B30    C1C0 1D         ROL EAX,1D00422B33    33C2            XOR EAX,EDX00422B35    81F2 6CD4719B   XOR EDX,9B71D46C00422B3B    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX00422B3E    49              DEC ECX00422B3F  ^ EB E1           JMP SHORT 00422B2200422B41    61              POPAD00422B42    61              POPAD00422B43    C3              RETNsub_Fuck_RING0'Debugger:004243AB >  60              PUSHAD004243AC   .  E8 C1FDFFFF   CALL <GetEBp>                            ;  检测Ring 0给调试器004243B1   .  C685 CC184000>MOV BYTE PTR SS:[EBP+4018CC],0C3004243B8   .  E8 00000000   CALL 004243BD004243BD   $  5D            POP EBP004243BE   .  8BF5          MOV ESI,EBP004243C0   .  81ED DE184000 SUB EBP,004018DE004243C6   .  8DB5 2C194000 LEA ESI,DWORD PTR SS:[EBP+40192C]004243CC   >  6A 00         PUSH 0004243CE   .  68 80000000   PUSH 80004243D3   .  6A 03         PUSH 3004243D5   .  6A 00         PUSH 0004243D7   .  6A 03         PUSH 3004243D9   .  68 000000C0   PUSH C0000000004243DE   .  56            PUSH ESI004243DF   .  FF95 D8154000 CALL DWORD PTR SS:[EBP+4015D8]           ;  CreateFileA004243E5   .  40            INC EAX004243E6   .  75 1E         JNZ SHORT 00424406004243E8   .  90            NOP004243E9   .  90            NOP004243EA   .  90            NOP004243EB   .  90            NOP004243EC   .  48            DEC EAX004243ED   .  50            PUSH EAX004243EE   .  FF95 D4154000 CALL DWORD PTR SS:[EBP+4015D4]004243F4   >  46            INC ESI004243F5   .  803E 00       CMP BYTE PTR DS:[ESI],0004243F8   .^ 75 FA         JNZ SHORT 004243F4004243FA   .  46            INC ESI004243FB   .  803E 00       CMP BYTE PTR DS:[ESI],0004243FE   .  0F84 C2000000 JE 004244C600424404   .^ EB C6         JMP SHORT 004243CC00424406   >  E8 BB000000   CALL 004244C60042440B   .  5C 5C 2E 5C 5>ASCII "//./SICE",000424414   .  5C 5C 2E 5C 4>ASCII "//./NTICE",00042441E   .  5C 5C 2E 5C 4>ASCII "//./NTICE7871",00042442C   .  5C 5C 2E 5C 4>ASCII "//./NTICED052",00042443A   .  5C 5C 2E 5C 5>ASCII "//./TRWDEBUG",000424447   .  5C 5C 2E 5C 5>ASCII "//./TRW",00042444F   .  5C 5C 2E 5C 5>ASCII "//./TRW2000",00042445B   .  5C 5C 2E 5C 5>ASCII "//./SUPERBPM",000424468   .  5C 5C 2E 5C 4>ASCII "//./ICEDUMP",000424474   .  5C 5C 2E 5C 5>ASCII "//./REGMON",00042447F   .  5C 5C 2E 5C 4>ASCII "//./FILEMON",00042448B   .  5C 5C 2E 5C 5>ASCII "//./REGVXD",000424496   .  5C 5C 2E 5C 4>ASCII "//./FILEVXD",0004244A2   .  5C 5C 2E 5C 5>ASCII "//./VKEYPROD",0004244AF   .  5C 5C 2E 5C 4>ASCII "//./BW2K",0004244B8   .  5C 5C 2E 5C 5>ASCII "//./SIWDEBUG",0004244C5      00            DB 00004244C6  /$  61            POPAD004244C7  /.  C3            RETNsub_Fuck_int3:0042196B >  60              PUSHAD                                     ; sub_Fuck_int30042196C    E8 01000000     CALL 0042197200421971  ^ 7D 83           JGE SHORT 004218F600421973    04 24           ADD AL,24......00421B16    E8 12F4FFFF     CALL <GetEBP>00421B1B    C685 D1204000 C>MOV BYTE PTR SS:[EBP+4020D1],0C300421B22    E8 2A000000     CALL 00421B5100421B27    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]00421B2B    8B4C24 0C       MOV ECX,DWORD PTR SS:[ESP+C]00421B2F    FF81 B8000000   INC DWORD PTR DS:[ECX+B8]00421B35    8B00            MOV EAX,DWORD PTR DS:[EAX]00421B37    2D 03000080     SUB EAX,8000000300421B3C    75 12           JNZ SHORT 00421B5000421B3E    90              NOP00421B3F    90              NOP00421B40    90              NOP00421B41    90              NOP00421B42    33C0            XOR EAX,EAX00421B44    8941 04         MOV DWORD PTR DS:[ECX+4],EAX              ; 清除硬件断点00421B47    8941 08         MOV DWORD PTR DS:[ECX+8],EAX00421B4A    8941 0C         MOV DWORD PTR DS:[ECX+C],EAX00421B4D    8941 10         MOV DWORD PTR DS:[ECX+10],EAX00421B50    C3              RETN00421B51    33C0            XOR EAX,EAX00421B53    64:FF30         PUSH DWORD PTR FS:[EAX]00421B56    64:8920         MOV DWORD PTR FS:[EAX],ESP00421B59    CC              INT300421B5A    90              NOP00421B5B    64:67:8F06 0000 POP DWORD PTR FS:[0]00421B61    83C4 04         ADD ESP,400421B64    60              PUSHAD00421B65    E8 00000000     CALL 00421B6A00421B6A    5E              POP ESI00421B6B    83EE 06         SUB ESI,600421B6E    B9 4E000000     MOV ECX,4E00421B73    29CE            SUB ESI,ECX00421B75    BA 8742CECC     MOV EDX,CCCE428700421B7A    C1E9 02         SHR ECX,200421B7D    83E9 02         SUB ECX,200421B80    83F9 00         CMP ECX,000421B83    7C 1A           JL SHORT 00421B9F00421B85    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]00421B88    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]00421B8C    2BC3            SUB EAX,EBX00421B8E    C1C8 02         ROR EAX,200421B91    33C2            XOR EAX,EDX00421B93    81EA FEC97E35   SUB EDX,357EC9FE00421B99    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX00421B9C    49              DEC ECX00421B9D  ^ EB E1           JMP SHORT 00421B8000421B9F    61              POPAD00421BA0    61              POPAD00421BA1    C3              RETNAnti_Fake_Unpack_check_Import:00422691 >  60              PUSHAD                                    ; Anti_Fake_Unpack_check_Import00422692    4F              DEC EDI00422693    66:D3E7         SHL DI,CL00422696    03F3            ADD ESI,EBX00422698    E8 01000000     CALL 0042269E0042269D  ^ 76 83           JBE SHORT 00422622......0042283C    E8 ECE6FFFF     CALL <GetEBP>00422841    C685 F72D4000 C>MOV BYTE PTR SS:[EBP+402DF7],0C300422848    8BB5 28164000   MOV ESI,DWORD PTR SS:[EBP+401628]         ; 定位pe头0042284E    0FB756 3C       MOVZX EDX,WORD PTR DS:[ESI+3C]00422852    8BFE            MOV EDI,ESI00422854    03FA            ADD EDI,EDX00422856    83C7 78         ADD EDI,7800422859    83C7 08         ADD EDI,80042285C    8B07            MOV EAX,DWORD PTR DS:[EDI]                ; 定位输入表0042285E    8B5F 04         MOV EBX,DWORD PTR DS:[EDI+4]              ; 定位输入表大小00422861    81FB D8000000   CMP EBX,0D8                               ; 如果输入表大小不为D8则over00422867    75 29           JNZ SHORT <over>00422869    90              NOP0042286A    90              NOP0042286B    90              NOP0042286C    90              NOP0042286D    0385 28164000   ADD EAX,DWORD PTR SS:[EBP+401628]00422873    05 88000000     ADD EAX,8800422878    B9 4D000000     MOV ECX,4D0042287D    E8 C2020000     CALL 00422B4400422882    3D 8A180000     CMP EAX,188A                              ; 又来检测了00422887    75 09           JNZ SHORT <over>00422889    90              NOP0042288A    90              NOP0042288B    90              NOP0042288C    90              NOP0042288D    EB 26           JMP SHORT 004228B50042288F    90              NOP00422890    90              NOP00422891    90              NOP00422892 >  60              PUSHAD                                    ; over00422893    E8 95E6FFFF     CALL <GetEBP>00422898    B8 00010000     MOV EAX,1000042289D    E8 98E6FFFF     CALL 00420F3A004228A2    8BC8            MOV ECX,EAX004228A4    8DBD 9A404000   LEA EDI,DWORD PTR SS:[EBP+40409A]004228AA    03F8            ADD EDI,EAX004228AC    E8 9DE6FFFF     CALL 00420F4E004228B1    AB              STOS DWORD PTR ES:[EDI]004228B2  ^ E2 F8           LOOPD SHORT 004228AC004228B4    61              POPAD004228B5    60              PUSHAD004228B6    E8 00000000     CALL 004228BB004228BB    5E              POP ESI004228BC    83EE 06         SUB ESI,6004228BF    B9 79000000     MOV ECX,79004228C4    29CE            SUB ESI,ECX004228C6    BA B4276A21     MOV EDX,216A27B4004228CB    C1E9 02         SHR ECX,2004228CE    83E9 02         SUB ECX,2004228D1    83F9 00         CMP ECX,0004228D4    7C 1A           JL SHORT 004228F0004228D6    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]004228D9    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]004228DD    03C3            ADD EAX,EBX004228DF    C1C8 08         ROR EAX,8004228E2    03C2            ADD EAX,EDX004228E4    81C2 18896C50   ADD EDX,506C8918004228EA    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX004228ED    49              DEC ECX004228EE  ^ EB E1           JMP SHORT 004228D1004228F0    61              POPAD004228F1    61              POPAD004228F2    C3              RETNsub_Restore_Crypted_Code:0058B379 >  60              PUSHAD                                    ; sub_Restore_Crypted_Code......0058B525    60              PUSHAD0058B526    8B4424 44       MOV EAX,DWORD PTR SS:[ESP+44]0058B52A    2B85 46F84000   SUB EAX,DWORD PTR SS:[EBP+40F846]0058B530    8BD8            MOV EBX,EAX0058B532    33C9            XOR ECX,ECX0058B534    49              DEC ECX0058B535    41              INC ECX0058B536    83F9 64         CMP ECX,640058B539    74 19           JE SHORT 0058B5540058B53B    90              NOP0058B53C    90              NOP0058B53D    90              NOP0058B53E    90              NOP0058B53F    8B848D 3D1B4000 MOV EAX,DWORD PTR SS:[EBP+ECX*4+401B3D]0058B546    03848D CD1C4000 ADD EAX,DWORD PTR SS:[EBP+ECX*4+401CCD]0058B54D    83E8 24         SUB EAX,240058B550    3BC3            CMP EAX,EBX0058B552  ^ 75 E1           JNZ SHORT 0058B5350058B554    8BB48D 5D1E4000 MOV ESI,DWORD PTR SS:[EBP+ECX*4+401E5D]0058B55B    8BBC8D 3D1B4000 MOV EDI,DWORD PTR SS:[EBP+ECX*4+401B3D]0058B562    03BD 46F84000   ADD EDI,DWORD PTR SS:[EBP+40F846]0058B568    8B948D CD1C4000 MOV EDX,DWORD PTR SS:[EBP+ECX*4+401CCD]0058B56F    87CA            XCHG EDX,ECX0058B571    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[E>; 把代码加密回去0058B573    90              NOP......0058B5AF    61              POPAD0058B5B0    C3              RETNsub_GetEBP:0058C100 >  E8 00000000     CALL 0058C105                            ; sub_GetEBP0058C105    5D              POP EBP0058C106    81ED 05114100   SUB EBP,00411105                         ; 计算EBP的值,用于定位实际的地址0058C10C    C3              RETN                                     ; EBP==0017B000sub_GetEP_CRYPT_KEY:005910B0 >  60              PUSHAD                                   ; 开始解压代码005910B1    D3C0            ROL EAX,CL005910B3    F8              CLC005910B4    F9              STC005910B5    72 03           JB SHORT 005910BA005910B7    73 01           JNB SHORT 005910BA005910B9  ^ 79 F9           JNS SHORT 005910B4005910BB    EB 01           JMP SHORT 005910BE......00591243    8125 D9C95700 4>AND DWORD PTR DS:[57C9D9],8E10C1470059124D    4F              DEC EDI0059124E  ^ 0F85 54FFFFFF   JNZ 005911A8                             ; 没有解压完跳回去继续......0059125B    E8 A0AEFFFF     CALL <sub_GetEBP >
00591260    8B85 46F84000   MOV EAX,DWORD PTR SS:[EBP+40F846]        ; MOV EAX,OFFSET dd_IMAGEBASE00591266    8B70 3C         MOV ESI,DWORD PTR DS:[EAX+3C]            ; Get PEHEADER00591269    03B5 46F84000   ADD ESI,DWORD PTR SS:[EBP+40F846]0059126F    83C6 28         ADD ESI,28                               ; 定位AddressOfEntryPoint(定位壳入口)00591272    AD              LODS DWORD PTR DS:[ESI]                  ; 壳入口RVA为:17C00000591273    8AD8            MOV BL,AL00591275    02DC            ADD BL,AH00591277    C1E8 10         SHR EAX,100059127A    02D8            ADD BL,AL0059127C    02DC            ADD BL,AH                                ; 实际就是把壳EP直接相加,0059127E    889D 1E204000   MOV BYTE PTR SS:[EBP+40201E],BL          ; 相加后的值做为KEY保存在[EBP+40201E]处,[57D01E]==D7(17+C0)00591284    60              PUSHAD                                   ; 计算完毕把代码再加密回去00591285    E8 00000000     CALL 0059128A0059128A    5E              POP ESI0059128B    83EE 06         SUB ESI,60059128E    B9 29000000     MOV ECX,2900591293    29CE            SUB ESI,ECX00591295    BA 151E68EC     MOV EDX,EC681E150059129A    C1E9 02         SHR ECX,20059129D    83E9 02         SUB ECX,2005912A0    83F9 00         /CMP ECX,0005912A3    7C 1A           |JL SHORT 005912BF005912A5    8B048E          |MOV EAX,DWORD PTR DS:[ESI+ECX*4]005912A8    8B5C8E 04       |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]005912AC    33C3            |XOR EAX,EBX005912AE    C1C0 1C         |ROL EAX,1C005912B1    2BC2            |SUB EAX,EDX005912B3    81EA F0B28598   |SUB EDX,9885B2F0005912B9    89048E          |MOV DWORD PTR DS:[ESI+ECX*4],EAX005912BC    49              |DEC ECX005912BD  ^ EB E1           /JMP SHORT 005912A0                      ; 循环加密代码005912BF    61              POPAD005912C0    61              POPAD005912C1    C3              RETNGet_RND_VALUE:0058B8CE >  52              PUSH EDX0058B8CF    0F31            RDTSC0058B8D1    C1D0 02         RCL EAX,20058B8D4    05 78563412     ADD EAX,123456780058B8D9    13C4            ADC EAX,ESP0058B8DB    33C1            XOR EAX,ECX0058B8DD    3185 D5084100   XOR DWORD PTR SS:[EBP+4108D5],EAX        ; [0058B8D5]==A0C10B22,每次的结果应该不同的0058B8E3    034424 F8       ADD EAX,DWORD PTR SS:[ESP-8]0058B8E7    D1D0            RCL EAX,10058B8E9    5A              POP EDX0058B8EA    C3              RETNsub_GETAPIAddress:0058E5FB >  E8 00DBFFFF     CALL <sub_GetEBP >
; sub_GETAPIAddress0058E600    8D85 83FB4000   LEA EAX,DWORD PTR SS:[EBP+40FB83]         ; 从58ABD3处开始取API的地址0058E606    8BD8            MOV EBX,EAX0058E608    50              PUSH EAX0058E609    50              PUSH EAX0058E60A    8B85 20854100   MOV EAX,DWORD PTR SS:[EBP+418520]         ; GetModuleHandleA0058E610    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]0058E613    83E8 33         SUB EAX,330058E616    3D 99000000     CMP EAX,990058E61B    74 10           JE SHORT <Game Over>                      ; 判断是否在API的入口处下了INT 3断点,如果下了则OVER了0058E61D    90              NOP0058E61E    90              NOP0058E61F    90              NOP0058E620    90              NOP0058E621    58              POP EAX                                   ; /hModule=='Kernel32.dll'0058E622    FF95 20854100   CALL DWORD PTR SS:[EBP+418520]            ; /GetModuleHandleA0058E628    EB 17           JMP SHORT <Next>0058E62A    90              NOP0058E62B    90              NOP0058E62C    90              NOP0058E62D >  B8 E8030000     MOV EAX,3E8                               ; Game Over0058E632    E8 97D2FFFF     CALL <Get_RND_VALUE>0058E637    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058E63D    03F8            ADD EDI,EAX0058E63F    AB              STOS DWORD PTR ES:[EDI]0058E640    58              POP EAX0058E641 >  0BC0            OR EAX,EAX0058E643    75 3D           JNZ SHORT <DLL_isLoaded>0058E645    90              NOP0058E646    90              NOP0058E647    90              NOP0058E648    90              NOP0058E649    53              PUSH EBX0058E64A    50              PUSH EAX0058E64B    8B85 24854100   MOV EAX,DWORD PTR SS:[EBP+418524]         ; LoadLibraryA0058E651    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]0058E654    83E8 33         SUB EAX,330058E657    3D 99000000     CMP EAX,990058E65C    74 10           JE SHORT <GameOver>0058E65E    90              NOP0058E65F    90              NOP0058E660    90              NOP0058E661    90              NOP0058E662    58              POP EAX                                   ; /hModule='kernel32.dll'0058E663    FF95 24854100   CALL DWORD PTR SS:[EBP+418524]            ; /LoadLibraryA0058E669    EB 17           JMP SHORT <DLL_isLoaded>0058E66B    90              NOP0058E66C    90              NOP0058E66D    90              NOP0058E66E >  B8 E8030000     MOV EAX,3E80058E673    E8 56D2FFFF     CALL <Get_RND_VALUE>0058E678    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058E67E    03F8            ADD EDI,EAX0058E680    AB              STOS DWORD PTR ES:[EDI]0058E681    58              POP EAX0058E682 >  8BD8            MOV EBX,EAX                               ; DLL_IsLoaded0058E684    8985 12204000   MOV DWORD PTR SS:[EBP+402012],EAX0058E68A    B8 90FB4000     MOV EAX,0040FB900058E68F    BA FFFC4000     MOV EDX,0040FCFF                          ; /GlobalALLOC0058E694    E8 91DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E699    B8 9CFB4000     MOV EAX,0040FB9C0058E69E    BA 03FD4000     MOV EDX,0040FD03                          ; /GlobalFree0058E6A3    E8 82DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6A8    B8 A7FB4000     MOV EAX,0040FBA70058E6AD    BA 17FD4000     MOV EDX,0040FD17                          ; /GetCurrentProcessId0058E6B2    E8 73DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6B7    B8 BBFB4000     MOV EAX,0040FBBB0058E6BC    BA 1BFD4000     MOV EDX,0040FD1B                          ; /CreateToolhelp32Snapshot0058E6C1    E8 64DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6C6    B8 D4FB4000     MOV EAX,0040FBD40058E6CB    BA 1FFD4000     MOV EDX,0040FD1F                          ; /Process32First0058E6D0    E8 55DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6D5    B8 E3FB4000     MOV EAX,0040FBE30058E6DA    BA 23FD4000     MOV EDX,0040FD23                          ; /Process32Next0058E6DF    E8 46DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6E4    B8 F1FB4000     MOV EAX,0040FBF10058E6E9    BA 27FD4000     MOV EDX,0040FD27                          ; /CloseHandle0058E6EE    E8 37DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E6F3    B8 FDFB4000     MOV EAX,0040FBFD0058E6F8    BA 2BFD4000     MOV EDX,0040FD2B                          ; /CreateFileA0058E6FD    E8 28DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E702    B8 09FC4000     MOV EAX,0040FC090058E707    BA 2FFD4000     MOV EDX,0040FD2F                          ; /TerminateProcess0058E70C    E8 19DAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E711    B8 1AFC4000     MOV EAX,0040FC1A0058E716    BA 47FD4000     MOV EDX,0040FD47                          ; /IsDebuggerPresent0058E71B    E8 0ADAFFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E720    B8 2CFC4000     MOV EAX,0040FC2C0058E725    BA 4BFD4000     MOV EDX,0040FD4B                          ; /OpenProcess0058E72A    E8 FBD9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E72F    B8 38FC4000     MOV EAX,0040FC380058E734    BA 4FFD4000     MOV EDX,0040FD4F                          ; /ReadFile0058E739    E8 ECD9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E73E    B8 41FC4000     MOV EAX,0040FC410058E743    BA 53FD4000     MOV EDX,0040FD53                          ; /WriteFile0058E748    E8 DDD9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E74D    B8 4BFC4000     MOV EAX,0040FC4B0058E752    BA 57FD4000     MOV EDX,0040FD57                          ; /FreeLibrary0058E757    E8 CED9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E75C    B8 57FC4000     MOV EAX,0040FC570058E761    BA 5BFD4000     MOV EDX,0040FD5B                          ; /GetTempPathA0058E766    E8 BFD9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E76B    B8 64FC4000     MOV EAX,0040FC640058E770    BA 5FFD4000     MOV EDX,0040FD5F                          ; /UnhandledExceptionFilter0058E775    E8 B0D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E77A    B8 7DFC4000     MOV EAX,0040FC7D0058E77F    BA 67FD4000     MOV EDX,0040FD67                          ; /GetThreadContext0058E784    E8 A1D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E789    B8 8EFC4000     MOV EAX,0040FC8E0058E78E    BA 6BFD4000     MOV EDX,0040FD6B                          ; /SetThreadContext0058E793    E8 92D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E798    B8 9FFC4000     MOV EAX,0040FC9F0058E79D    BA 6FFD4000     MOV EDX,0040FD6F                          ; /GetCurrentThread0058E7A2    E8 83D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E7A7    B8 A7FD4000     MOV EAX,0040FDA70058E7AC    BA A3FD4000     MOV EDX,0040FDA3                          ; /SetFilePointer0058E7B1    E8 74D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E7B6    B8 D7FD4000     MOV EAX,0040FDD70058E7BB    BA 73FD4000     MOV EDX,0040FD73                          ; /GetModuleFileNameA0058E7C0    E8 65D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E7C5    B8 EAFD4000     MOV EAX,0040FDEA0058E7CA    BA 77FD4000     MOV EDX,0040FD77                          ; /GetFileSize0058E7CF    E8 56D9FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E7D4    8D85 B0FC4000   LEA EAX,DWORD PTR SS:[EBP+40FCB0]         ; User32.dll0058E7DA    8BD8            MOV EBX,EAX0058E7DC    50              PUSH EAX0058E7DD    50              PUSH EAX0058E7DE    8B85 20854100   MOV EAX,DWORD PTR SS:[EBP+418520]         ; GetModuleHandleA0058E7E4    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]0058E7E7    83E8 33         SUB EAX,330058E7EA    3D 99000000     CMP EAX,990058E7EF    74 10           JE SHORT 0058E8010058E7F1    90              NOP0058E7F2    90              NOP0058E7F3    90              NOP0058E7F4    90              NOP0058E7F5    58              POP EAX0058E7F6    FF95 20854100   CALL DWORD PTR SS:[EBP+418520]0058E7FC    EB 17           JMP SHORT 0058E8150058E7FE    90              NOP0058E7FF    90              NOP0058E800    90              NOP0058E801    B8 E8030000     MOV EAX,3E8                               ; Over0058E806    E8 C3D0FFFF     CALL <Get_RND_VALUE>0058E80B    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058E811    03F8            ADD EDI,EAX0058E813    AB              STOS DWORD PTR ES:[EDI]0058E814    58              POP EAX0058E815    0BC0            OR EAX,EAX0058E817    75 3D           JNZ SHORT 0058E8560058E819    90              NOP0058E81A    90              NOP0058E81B    90              NOP0058E81C    90              NOP0058E81D    53              PUSH EBX0058E81E    50              PUSH EAX0058E81F    8B85 24854100   MOV EAX,DWORD PTR SS:[EBP+418524]0058E825    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]0058E828    83E8 33         SUB EAX,330058E82B    3D 99000000     CMP EAX,990058E830    74 10           JE SHORT 0058E8420058E832    90              NOP0058E833    90              NOP0058E834    90              NOP0058E835    90              NOP0058E836    58              POP EAX0058E837    FF95 24854100   CALL DWORD PTR SS:[EBP+418524]            ; LoadLibraryA0058E83D    EB 17           JMP SHORT 0058E8560058E83F    90              NOP0058E840    90              NOP0058E841    90              NOP0058E842    B8 E8030000     MOV EAX,3E80058E847    E8 82D0FFFF     CALL <Get_RND_VALUE>0058E84C    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058E852    03F8            ADD EDI,EAX0058E854    AB              STOS DWORD PTR ES:[EDI]0058E855    58              POP EAX0058E856    8BD8            MOV EBX,EAX                               ; dllis loaded0058E858    8985 16204000   MOV DWORD PTR SS:[EBP+402016],EAX0058E85E    B8 BBFC4000     MOV EAX,0040FCBB0058E863    BA 07FD4000     MOV EDX,0040FD07                          ; /EnumWindows0058E868    E8 BDD8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E86D    B8 C7FC4000     MOV EAX,0040FCC70058E872    BA 0BFD4000     MOV EDX,0040FD0B                          ; /GetWindowTextA0058E877    E8 AED8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E87C    B8 D6FC4000     MOV EAX,0040FCD60058E881    BA 0FFD4000     MOV EDX,0040FD0F                          ; /GetClassNameA0058E886    E8 9FD8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E88B    B8 E4FC4000     MOV EAX,0040FCE40058E890    BA 13FD4000     MOV EDX,0040FD13                          ; /PostMessageA0058E895    E8 90D8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E89A    B8 BAFD4000     MOV EAX,0040FDBA0058E89F    BA B6FD4000     MOV EDX,0040FDB6                          ; /wsprintfA0058E8A4    E8 81D8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E8A9    B8 C8FD4000     MOV EAX,0040FDC80058E8AE    BA C4FD4000     MOV EDX,0040FDC4                          ; /RegisterHotKey0058E8B3    E8 72D8FFFF     CALL <sub_GetProcAddress>                 ; /GetProcAddressFun0058E8B8    8DBD 83FB4000   LEA EDI,DWORD PTR SS:[EBP+40FB83]0058E8BE    8D8D F1FC4000   LEA ECX,DWORD PTR SS:[EBP+40FCF1]         ; 获取完相关的API后,清除名字0058E8C4    2BCF            SUB ECX,EDI                               ; 大小为16e0058E8C6    33C0            XOR EAX,EAX0058E8C8    F3:AA           REP STOS BYTE PTR ES:[EDI]                ; 清除壳API数据0058E8CA    C3              RETNsub_GetProcAddress:0058C12A >  53              PUSH EBX                                 ; sub_GetProcAddress0058C12B    50              PUSH EAX0058C12C    52              PUSH EDX0058C12D    03C5            ADD EAX,EBP0058C12F    50              PUSH EAX0058C130    53              PUSH EBX0058C131    50              PUSH EAX0058C132    8B85 1C854100   MOV EAX,DWORD PTR SS:[EBP+41851C]0058C138    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]0058C13B    83E8 33         SUB EAX,330058C13E    3D 99000000     CMP EAX,990058C143    74 10           JE SHORT <gameOver>0058C145    90              NOP0058C146    90              NOP0058C147    90              NOP0058C148    90              NOP0058C149    58              POP EAX                                  ; /GlobalAlloc0058C14A    FF95 1C854100   CALL DWORD PTR SS:[EBP+41851C]           ; /GetProcAddress0058C150    EB 17           JMP SHORT <save address>0058C152    90              NOP0058C153    90              NOP0058C154    90              NOP0058C155 >  B8 E8030000     MOV EAX,3E8                              ; GameOver0058C15A    E8 6FF7FFFF     CALL <Get_RND_VALUE>0058C15F    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058C165    03F8            ADD EDI,EAX0058C167    AB              STOS DWORD PTR ES:[EDI]0058C168    58              POP EAX0058C169 >  5A              POP EDX                                  ; save address0058C16A    894415 00       MOV DWORD PTR SS:[EBP+EDX],EAX           ; 填入正确的API0058C16E    58              POP EAX0058C16F    5B              POP EBX0058C170    C3              RETNCOPY_Import table:00590C48 >  60              PUSHAD                                    ; COPY_Import table00590C49    47              INC EDI00590C4A    7A 02           JPE SHORT 00590C4E00590C4C    85FB            TEST EBX,EDI00590C4E    8BC1            MOV EAX,ECX00590C50    7E 03           JLE SHORT 00590C5500590C52    7F 01           JG SHORT 00590C5500590C54  ^ 75 D3           JNZ SHORT 00590C2900590C56  ^ E0 E8           LOOPDNE SHORT 00590C4000590C58    0100            ADD DWORD PTR DS:[EAX],EAX00590C5A    0000            ADD BYTE PTR DS:[EAX],AL00590C5C  ^ 71 83           JNO SHORT 00590BE100590C5E    C404FC          LES EAX,FWORD PTR SS:[ESP+EDI*8]          ; Modification of segment register00590C61    E8 01000000     CALL 00590C6700590C66  ^ 7C 83           JL SHORT 00590BEB......00590DF3    E8 08B3FFFF     CALL <sub_GetEBP >
00590DF8    8DB5 1C854100   LEA ESI,DWORD PTR SS:[EBP+41851C]         ; 壳输入表起始位置00590DFE    8DBD 33FD4000   LEA EDI,DWORD PTR SS:[EBP+40FD33]         ; 复制到目标地址的起始位置00590E04    B9 05000000     MOV ECX,500590E09    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:>; 复制00590E0B    8DBD 43FD4000   LEA EDI,DWORD PTR SS:[EBP+40FD43]00590E11    8D85 4BFE4000   LEA EAX,DWORD PTR SS:[EBP+40FE4B]00590E17    AB              STOS DWORD PTR ES:[EDI]                   ; 把MessageBoxA的地址改为58AE4B00590E18    60              PUSHAD                                    ; 加密代码00590E19    E8 00000000     CALL 00590E1E00590E1E    5E              POP ESI00590E1F    83EE 06         SUB ESI,600590E22    B9 25000000     MOV ECX,2500590E27    29CE            SUB ESI,ECX00590E29    BA AB6D95B2     MOV EDX,B2956DAB00590E2E    C1E9 02         SHR ECX,200590E31    83E9 02         SUB ECX,200590E34    83F9 00         /CMP ECX,000590E37    7C 1A           |JL SHORT 00590E5300590E39    8B048E          |MOV EAX,DWORD PTR DS:[ESI+ECX*4]00590E3C    8B5C8E 04       |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]00590E40    33C3            |XOR EAX,EBX00590E42    C1C8 02         |ROR EAX,200590E45    03C2            |ADD EAX,EDX00590E47    81F2 7CDB1D5C   |XOR EDX,5C1DDB7C00590E4D    89048E          |MOV DWORD PTR DS:[ESI+ECX*4],EAX00590E50    49              |DEC ECX00590E51  ^ EB E1           /JMP SHORT 00590E3400590E53    61              POPAD00590E54    61              POPAD00590E55    C3              RETNUnPack_sections:0058E398 >  60              PUSHAD                                    ; UnPack_sections0058E399    48              DEC EAX0058E39A    85E8            TEST EAX,EBP0058E39C    E8 01000000     CALL 0058E3A20058E3A1  ^ EB 83           JMP SHORT 0058E3260058E3A3    04 24           ADD AL,240058E3A5    06              PUSH ES0058E3A6    C3              RETN......0058E543    E8 B8DBFFFF     CALL <sub_GetEBP >
0058E548    C685 98334100 C>MOV BYTE PTR SS:[EBP+413398],0C30058E54F    8DB5 4EF84000   LEA ESI,DWORD PTR SS:[EBP+40F84E]0058E555    56              PUSH ESI                                  ; 开始循环解压各段的代码0058E556    AD              LODS DWORD PTR DS:[ESI]0058E557    0BC0            OR EAX,EAX0058E559    74 49           JE SHORT 0058E5A40058E55B    90              NOP0058E55C    90              NOP0058E55D    90              NOP0058E55E    90              NOP0058E55F    50              PUSH EAX0058E560    AD              LODS DWORD PTR DS:[ESI]0058E561    91              XCHG EAX,ECX0058E562    51              PUSH ECX0058E563    51              PUSH ECX                                  ; /MemSize = 9EB02 (649986.)0058E564    6A 40           PUSH 40                                   ; |Flags = GPTR0058E566    FF95 FFFC4000   CALL DWORD PTR SS:[EBP+40FCFF]            ; /GlobalAlloc0058E56C    8985 4AF84000   MOV DWORD PTR SS:[EBP+40F84A],EAX0058E572    59              POP ECX0058E573    58              POP EAX0058E574    0385 46F84000   ADD EAX,DWORD PTR SS:[EBP+40F846]0058E57A    8BF0            MOV ESI,EAX0058E57C    50              PUSH EAX0058E57D    8BBD 4AF84000   MOV EDI,DWORD PTR SS:[EBP+40F84A]0058E583    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[E>0058E585    58              POP EAX0058E586    50              PUSH EAX                                  ; /save code0058E587    FFB5 4AF84000   PUSH DWORD PTR SS:[EBP+40F84A]            ; |Crypted code0058E58D    E8 2C4C0000     CALL <ApLibUnpack>                        ; /Unpack code0058E592    FFB5 4AF84000   PUSH DWORD PTR SS:[EBP+40F84A]            ; /hMem0058E598    FF95 03FD4000   CALL DWORD PTR SS:[EBP+40FD03]            ; /GlobalFree0058E59E    5E              POP ESI0058E59F    83C6 08         ADD ESI,80058E5A2  ^ EB B1           JMP SHORT 0058E5550058E5A4    5E              POP ESI0058E5A5    68 30750000     PUSH 7530                                 ; /MemSize =7530h0058E5AA    6A 40           PUSH 40                                   ; |Flags = GPTR0058E5AC    FF95 FFFC4000   CALL DWORD PTR SS:[EBP+40FCFF]            ; /GlobalAlloc0058E5B2    8985 4AF84000   MOV DWORD PTR SS:[EBP+40F84A],EAX0058E5B8    60              PUSHAD                                    ; 加密代码0058E5B9    E8 00000000     CALL 0058E5BE0058E5BE    5E              POP ESI0058E5BF    83EE 06         SUB ESI,60058E5C2    B9 75000000     MOV ECX,750058E5C7    29CE            SUB ESI,ECX0058E5C9    BA 2C5B0D05     MOV EDX,50D5B2C0058E5CE    C1E9 02         SHR ECX,20058E5D1    83E9 02         SUB ECX,20058E5D4    83F9 00         CMP ECX,00058E5D7    7C 1A           JL SHORT 0058E5F30058E5D9    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058E5DC    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058E5E0    03C3            ADD EAX,EBX0058E5E2    C1C8 11         ROR EAX,110058E5E5    33C2            XOR EAX,EDX0058E5E7    81F2 97C336B5   XOR EDX,B536C3970058E5ED    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0058E5F0    49              DEC ECX0058E5F1  ^ EB E1           JMP SHORT 0058E5D40058E5F3    61              POPAD0058E5F4    61              POPAD0058E5F5    E8 F7240000     CALL <DLL_Reloc_Crypt>0058E5FA    C3              RETNDLL_Reloc_Crypt:00590AF1 >  60              PUSHAD                                   ; DLL_Reloc_Crypt00590AF2    EB 1D           JMP SHORT 00590B1100590AF4    90              NOP00590AF5    90              NOP00590AF6    90              NOP00590AF7    0000            ADD BYTE PTR DS:[EAX],AL00590AF9    0000            ADD BYTE PTR DS:[EAX],AL00590AFB    0000            ADD BYTE PTR DS:[EAX],AL00590AFD    0000            ADD BYTE PTR DS:[EAX],AL00590AFF    2E:52           PUSH EDX                                 ; Superfluous prefix00590B01    45              INC EBP00590B02    4C              DEC ESP00590B03    4F              DEC EDI00590B04    43              INC EBX00590B05    0000            ADD BYTE PTR DS:[EAX],AL00590B07    0000            ADD BYTE PTR DS:[EAX],AL00590B09    0000            ADD BYTE PTR DS:[EAX],AL00590B0B    0000            ADD BYTE PTR DS:[EAX],AL00590B0D    0000            ADD BYTE PTR DS:[EAX],AL00590B0F    0000            ADD BYTE PTR DS:[EAX],AL00590B11    E8 EAB5FFFF     CALL <sub_GetEBP >
00590B16    8B5424 20       MOV EDX,DWORD PTR SS:[ESP+20]00590B1A    2B95 46F84000   SUB EDX,DWORD PTR SS:[EBP+40F846]00590B20    E8 12FFFFFF     CALL 00590A3700590B25    FFB5 07574100   PUSH DWORD PTR SS:[EBP+415707]00590B2B    8F85 03574100   POP DWORD PTR SS:[EBP+415703]00590B31    8B85 F75A4100   MOV EAX,DWORD PTR SS:[EBP+415AF7]        ; 获取重定位表RVA00590B37    0BC0            OR EAX,EAX00590B39    0F84 E4000000   JE <Reloc finished>                      ; 如果重定位表为空则跳00590B3F    8B85 46F84000   MOV EAX,DWORD PTR SS:[EBP+40F846]        ; MOV EAX,OFFSET IMAGEBASE(这里指内存IMAGEBASE,如果是DLL,IMAGEBASE就不一定等于文件的IMAGEBASE)00590B45    8B70 3C         MOV ESI,DWORD PTR DS:[EAX+3C]00590B48    03B5 46F84000   ADD ESI,DWORD PTR SS:[EBP+40F846]00590B4E    83C6 34         ADD ESI,3400590B51    AD              LODS DWORD PTR DS:[ESI]                  ; 载入文件IMAGEBASE(默认为400000)00590B52    8B9D 46F84000   MOV EBX,DWORD PTR SS:[EBP+40F846]        ; 实际内存IMAGEBASE00590B58    2BD8            SUB EBX,EAX00590B5A    899D 055B4100   MOV DWORD PTR SS:[EBP+415B05],EBX00590B60    0BDB            OR EBX,EBX00590B62    0F84 BB000000   JE <Reloc finished>                      ; 如果相等则不处理重定位表00590B68    8BB5 46F84000   MOV ESI,DWORD PTR SS:[EBP+40F846]00590B6E    03B5 F75A4100   ADD ESI,DWORD PTR SS:[EBP+415AF7]        ; mem IMAGEBASE00590B74    8B8D FB5A4100   MOV ECX,DWORD PTR SS:[EBP+415AFB]      ; RELOC SIZE00590B7A    03F1            ADD ESI,ECX00590B7C    89B5 095B4100   MOV DWORD PTR SS:[EBP+415B09],ESI00590B82    2BF1            SUB ESI,ECX00590B84    3BB5 095B4100   /CMP ESI,DWORD PTR SS:[EBP+415B09]       ; 如果处理完则跳去结束处00590B8A    0F8D 93000000   |JGE <Reloc finished>                    ; 循环处理重定位表00590B90    8BBD 46F84000   |MOV EDI,DWORD PTR SS:[EBP+40F846]00590B96    8BD6            |MOV EDX,ESI00590B98    AD              |LODS DWORD PTR DS:[ESI]00590B99    03F8            |ADD EDI,EAX00590B9B    AD              |LODS DWORD PTR DS:[ESI]00590B9C    03D0            |ADD EDX,EAX00590B9E    83E8 08         |SUB EAX,800590BA1    D1E8            |SHR EAX,100590BA3    8BC8            |MOV ECX,EAX00590BA5    66:AD           |/LODS WORD PTR DS:[ESI]00590BA7    66:0BC0         ||OR AX,AX00590BAA    74 70           ||JE SHORT 00590C1C00590BAC    90              ||NOP00590BAD    90              ||NOP00590BAE    90              ||NOP00590BAF    90              ||NOP00590BB0    0FB7D8          ||MOVZX EBX,AX00590BB3    81E3 FF0F0000   ||AND EBX,0FFF00590BB9    E8 67000000     ||CALL 00590C2500590BBE    83BD 07574100 0>||CMP DWORD PTR SS:[EBP+415707],000590BC5    75 53           ||JNZ SHORT 00590C1A00590BC7    90              ||NOP00590BC8    90              ||NOP00590BC9    90              ||NOP00590BCA    90              ||NOP00590BCB    66:C1E8 0C      ||SHR AX,0C00590BCF    66:48           ||DEC AX00590BD1    66:0BC0         ||OR AX,AX00590BD4    75 14           ||JNZ SHORT 00590BEA00590BD6    90              ||NOP00590BD7    90              ||NOP00590BD8    90              ||NOP00590BD9    90              ||NOP00590BDA    50              ||PUSH EAX00590BDB    66:8B85 075B410>||MOV AX,WORD PTR SS:[EBP+415B07]00590BE2    66:01441F 02    ||ADD WORD PTR DS:[EDI+EBX+2],AX00590BE7    58              ||POP EAX00590BE8  ^ E2 BB           ||LOOPD SHORT 00590BA500590BEA    66:48           ||DEC AX00590BEC    66:0BC0         ||OR AX,AX00590BEF    75 13           ||JNZ SHORT 00590C0400590BF1    90              ||NOP00590BF2    90              ||NOP00590BF3    90              ||NOP00590BF4    90              ||NOP00590BF5    50              ||PUSH EAX00590BF6    66:8B85 055B410>||MOV AX,WORD PTR SS:[EBP+415B05]00590BFD    66:01041F       ||ADD WORD PTR DS:[EDI+EBX],AX00590C01    58              ||POP EAX00590C02  ^ E2 A1           ||LOOPD SHORT 00590BA500590C04    66:48           ||DEC AX00590C06    66:0BC0         ||OR AX,AX00590C09    75 0F           ||JNZ SHORT 00590C1A00590C0B    90              ||NOP00590C0C    90              ||NOP00590C0D    90              ||NOP00590C0E    90              ||NOP00590C0F    50              ||PUSH EAX00590C10    8B85 055B4100   ||MOV EAX,DWORD PTR SS:[EBP+415B05]00590C16    01041F          ||ADD DWORD PTR DS:[EDI+EBX],EAX00590C19    58              ||POP EAX00590C1A  ^ E2 89           |/LOOPD SHORT 00590BA500590C1C    8BF2            |MOV ESI,EDX00590C1E  ^ E9 61FFFFFF     /JMP 00590B8400590C23 >  61              POPAD00590C24    C3              RETNRestore_JMP API TABLE:00590E56 >  60              PUSHAD                                    ; Restore_JMP API TABLE00590E57    46              INC ESI00590E58    87D6            XCHG ESI,EDX00590E5A    66:81F1 8666    XOR CX,668600590E5F    EB 01           JMP SHORT 00590E6200590E61    EB 41           JMP SHORT 00590EA400590E63    E8 01000000     CALL 00590E69......00591001    E8 FAB0FFFF     CALL <sub_GetEBP >
00591006    B9 1C000000     MOV ECX,1C0059100B    8DB5 FFFC4000   LEA ESI,DWORD PTR SS:[EBP+40FCFF]00591011    8DBD EF074100   LEA EDI,DWORD PTR SS:[EBP+4107EF]         ; 从58b7F6处开始还原API JMP00591017    83C7 07         ADD EDI,70059101A    B0 90           MOV AL,900059101C    AA              STOS BYTE PTR ES:[EDI]                    ; 还原成jmp [address]0059101D    B8 FF250000     MOV EAX,25FF00591022    66:AB           STOS WORD PTR ES:[EDI]00591024    8BC6            MOV EAX,ESI00591026    AB              STOS DWORD PTR ES:[EDI]00591027    83C6 04         ADD ESI,40059102A  ^ E2 EE           LOOPD SHORT 0059101A0059102C    60              PUSHAD                                    ; 再次加密回去0059102D    E8 00000000     CALL 0059103200591032    5E              POP ESI00591033    83EE 06         SUB ESI,600591036    B9 2B000000     MOV ECX,2B0059103B    29CE            SUB ESI,ECX0059103D    BA 4BF05729     MOV EDX,2957F04B00591042    C1E9 02         SHR ECX,200591045    83E9 02         SUB ECX,200591048    83F9 00         CMP ECX,00059104B    7C 1A           JL SHORT 005910670059104D    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]00591050    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]00591054    33C3            XOR EAX,EBX00591056    C1C8 0D         ROR EAX,0D00591059    33C2            XOR EAX,EDX0059105B    81C2 10B43C8D   ADD EDX,8D3CB41000591061    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX00591064    49              DEC ECX00591065  ^ EB E1           JMP SHORT 0059104800591067    61              POPAD00591068    61              POPAD00591069    C3              RETNsub_SDK_Disposal:0059106A >  60              PUSHAD                                   ; sub_SDK_Disposal0059106B    E8 90B0FFFF     CALL <sub_GetEBP >
00591070    33D2            XOR EDX,EDX00591072 >  8BB495 3D1B4000 MOV ESI,DWORD PTR SS:[EBP+EDX*4+401B3D]  ; 如果用了SDK这里面的值不为空.00591079    0BF6            OR ESI,ESI                               ; 如果没有用SDK或SDK处理部分已经操作完成则跳0059107B    74 31           JE SHORT <finished>0059107D    90              NOP0059107E    90              NOP0059107F    90              NOP00591080    90              NOP00591081    03B5 46F84000   ADD ESI,DWORD PTR SS:[EBP+40F846]        ; 把RVA转为VA00591087    8B8C95 CD1C4000 MOV ECX,DWORD PTR SS:[EBP+EDX*4+401CCD]  ; 加密的代码大小0059108E    60              PUSHAD0059108F    52              PUSH EDX00591090    51              PUSH ECX                                 ; /MemSize00591091    6A 40           PUSH 40                                  ; |Flags = GPTR00591093    FF95 FFFC4000   CALL DWORD PTR SS:[EBP+40FCFF]           ; /GlobalAlloc00591099    5A              POP EDX0059109A    898495 5D1E4000 MOV DWORD PTR SS:[EBP+EDX*4+401E5D],EAX  ; 保存动态申请的地址005910A1    61              POPAD005910A2    8BBC95 5D1E4000 MOV EDI,DWORD PTR SS:[EBP+EDX*4+401E5D]005910A9    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; 把代码复制到动态申请的地址空间005910AB    42              INC EDX005910AC  ^ EB C4           JMP SHORT <Loop MEMCopy>005910AE >  61              POPAD005910AF    C3              RETN也就是说壳加密时已经处理好了。这个壳只是加载一而已,看看数据窗口,总结一下就这么回事:0057CB3D  D1 AB 02 00 A1 DE 02 00 D6 CC 01 00 32 C9 06 00  勋.∞.痔.2?.;这里就是用了SDK的各地址的RVA0057CB4D  DF 3A 02 00 38 FC 05 00 C8 2E 06 00 0F 2C 05 00  ?.8?.?.,.0057CB5D  0F 93 03 00 71 FE 00 00 8B 61 06 00 7D C7 03 00  ?.q?.媋.}?.0057CB6D  3D FA 03 00 BD 2D 04 00 7D 60 04 00 3D 93 04 00  =?.?.}`.=?.0057CB7D  DD F8 04 00 F0 5E 05 00 5D C9 05 00 96 43 08 00  蔌.館.]?.朇.0057CB8D  89 93 05 00 00 C6 04 00 D9 08 07 00 22 74 02 00  墦..?.?."t.0057CB9D  02 DE 07 00 D7 32 01 00 D1 66 01 00 A2 17 03 00  ?.?.裦.?.0057CBAD  0F A8 07 00 9B 9A 01 00 9A 08 02 00 05 CC 00 00  ?.洑.?.?.0057CBBD  FF 96 06 00 26 11 08 00 67 60 03 00 C3 75 07 00  ?.&.g`.胾.0057CBCD  89 43 07 00 00 00 00 00 00 00 00 00 00 00 00 00  塁...................0057CCCD  55 32 00 00 63 32 00 00 69 32 00 00 6B 32 00 00  U2..c2..i2..k2..;用了SDK的大小0057CCDD  6C 32 00 00 6D 32 00 00 6D 32 00 00 6E 32 00 00  l2..m2..m2..n2..0057CCED  7B 32 00 00 88 32 00 00 89 32 00 00 9B 32 00 00  {2..?..?..?..0057CCFD  9B 32 00 00 9B 32 00 00 9B 32 00 00 9B 32 00 00  ?..?..?..?..0057CD0D  9B 32 00 00 9B 32 00 00 9B 32 00 00 AF 32 00 00  ?..?..?..?..0057CD1D  B2 32 00 00 B5 32 00 00 D5 32 00 00 DA 32 00 00  ?..?..?..?..0057CD2D  DA 32 00 00 E6 32 00 00 F8 32 00 00 3B 33 00 00  ?..?..?..;3..0057CD3D  CB 33 00 00 DC 64 00 00 F2 64 00 00 24 65 00 00  ?..躣..騞..$e..0057CD4D  27 65 00 00 8C 65 00 00 E2 65 00 00 1E 67 00 00  'e..宔..鈋..g..0057CD5D  AE 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00  畽..............sub_Unknow1:0058CFBF >  60               PUSHAD                                   ;对DELPHI的程序,这里会产生异常0058CFC0    F8               CLC0058CFC1    BE 97B4BED0      MOV ESI,D0BEB4970058CFC6    E8 01000000      CALL 0058CFCC0058CFCB  ^ 72 83            JB SHORT 0058CF500058CFCD    C40481           LES EAX,FWORD PTR DS:[ECX+EAX*4]         ; Modification of segment register0058CFD0    CD D9            INT 0D9......0058D16A >  E8 91EFFFFF      CALL <sub_GetEBP >
0058D16F    E8 580F0000      CALL 0058E0CC                            ; EAX随机产生的值0058D174    0BC0             OR EAX,EAX0058D176    75 3D            JNZ SHORT 0058D1B5                       ;没有异常则跳/?,我这个程序里跳0058D178    90               NOP0058D179    90               NOP0058D17A    90               NOP0058D17B    90               NOP0058D17C    FF95 6FFD4000    CALL DWORD PTR SS:[EBP+40FD6F]           ;GetCurrentThread0058D182    50               PUSH EAX0058D183    8DB5 6EF74000    LEA ESI,DWORD PTR SS:[EBP+40F76E]0058D189    56               PUSH ESI0058D18A    56               PUSH ESI                                 ;/pContext = MainCon.0058A76E0058D18B    50               PUSH EAX                                 ;|hThread = FFFFFFFE0058D18C    FF95 67FD4000    CALL DWORD PTR SS:[EBP+40FD67]           ;/GetThreadContext0058D192    5F               POP EDI0058D193    83C7 04          ADD EDI,40058D196    2BC0             SUB EAX,EAX0058D198    B9 04000000      MOV ECX,40058D19D    F3:AB            REP STOS DWORD PTR ES:[EDI]0058D19F    8DB5 6EF74000    LEA ESI,DWORD PTR SS:[EBP+40F76E]0058D1A5    58               POP EAX0058D1A6    56               PUSH ESI                                 ; /pContext0058D1A7    50               PUSH EAX                                 ; |hThread0058D1A8    FF95 6BFD4000    CALL DWORD PTR SS:[EBP+40FD6B]       ; /SetThreadContext0058D1AE    C685 BF1F4100 C3 MOV BYTE PTR SS:[EBP+411FBF],0C30058D1B5    60               PUSHAD                                   ; 把代码加密回去0058D1B6    E8 00000000      CALL 0058D1BB0058D1BB    5E               POP ESI0058D1BC    83EE 06          SUB ESI,60058D1BF    B9 4B000000      MOV ECX,4B0058D1C4    29CE             SUB ESI,ECX0058D1C6    BA D0D6B318      MOV EDX,18B3D6D00058D1CB    C1E9 02          SHR ECX,20058D1CE    83E9 02          SUB ECX,20058D1D1    83F9 00          /CMP ECX,00058D1D4    7C 1A            |JL SHORT 0058D1F00058D1D6    8B048E           |MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058D1D9    8B5C8E 04        |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058D1DD    03C3             |ADD EAX,EBX0058D1DF    C1C8 13          |ROR EAX,130058D1E2    03C2             |ADD EAX,EDX0058D1E4    81C2 B0B2E98F    |ADD EDX,8FE9B2B00058D1EA    89048E           |MOV DWORD PTR DS:[ESI+ECX*4],EAX0058D1ED    49               |DEC ECX0058D1EE  ^ EB E1            /JMP SHORT 0058D1D10058D1F0    61               POPAD0058D1F1    61               POPAD0058D1F2    C3               RETNsub_Kernel:0058ED39 >  60              PUSHAD                                   ; sub_Kernel0058ED3A    F8              CLC0058ED3B    66:BE DA51      MOV SI,51DA0058ED3F    45              INC EBP0058ED40    90              NOP0058ED41    90              NOP0058ED42    90              NOP0058ED43    90              NOP......0058EEE4    E8 17D2FFFF     CALL <sub_GetEBP >
0058EEE9    80BD A5524100 C>CMP BYTE PTR SS:[EBP+4152A5],0C30058EEF0    74 09           JE SHORT <FinishedIAT>0058EEF2    90              NOP0058EEF3    90              NOP0058EEF4    90              NOP0058EEF5    90              NOP0058EEF6    E8 AA130000     CALL <Sub_Disposal IAT>0058EEFB >  66:C785 2CF5400>MOV WORD PTR SS:[EBP+40F52C],00058EF04    83BD 4F814100 0>CMP DWORD PTR SS:[EBP+41814F],0          ; 这里判断是否用了ACPROTECT定义的机器码函数那个选项,是否用RSA10240058EF0B    0F84 E5010000   JE 0058F0F6                              ; 没有用则跳0058EF11    8DB5 98F34000   LEA ESI,DWORD PTR SS:[EBP+40F398]        ; 如果有则先强行生成一个CID.dll文件0058EF17    56              PUSH ESI                                 ; /Buffer0058EF18    68 FF000000     PUSH 0FF                                 ; |size0058EF1D    FF95 5BFD4000   CALL DWORD PTR SS:[EBP+40FD5B]           ; /GetTempPathA0058EF23    B9 FFFF0000     MOV ECX,0FFFF0058EF28    8DBD 98F34000   LEA EDI,DWORD PTR SS:[EBP+40F398]0058EF2E    33C0            XOR EAX,EAX0058EF30    F2:AE           REPNE SCAS BYTE PTR ES:[EDI]             ; 获取长度0058EF32    4F              DEC EDI0058EF33    60              PUSHAD0058EF34    83BD 59814100 0>CMP DWORD PTR SS:[EBP+418159],00058EF3B    0F84 AD000000   JE 0058EFEE0058EF41    C707 4349442E   MOV DWORD PTR DS:[EDI],2E4449430058EF47    C747 04 646C6C6>MOV DWORD PTR DS:[EDI+4],6C6C6C640058EF4E    C647 07 00      MOV BYTE PTR DS:[EDI+7],00058EF52    8DB5 98F34000   LEA ESI,DWORD PTR SS:[EBP+40F398]0058EF58    6A 00           PUSH 0                                   ; /hTemplateFile = NULL0058EF5A    6A 20           PUSH 20                                  ; |Attributes = ARCHIVE0058EF5C    6A 02           PUSH 2                                   ; |Mode = CREATE_ALWAYS0058EF5E    6A 00           PUSH 0                                   ; |pSecurity = NULL0058EF60    6A 03           PUSH 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE0058EF62    68 000000C0     PUSH C0000000                            ; |Access = GENERIC_READ|GENERIC_WRITE0058EF67    56              PUSH ESI                                 ; |FileName = "C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/CID.dll"0058EF68    FF95 2BFD4000   CALL DWORD PTR SS:[EBP+40FD2B]           ; /CreateFileA0058EF6E    50              PUSH EAX                                 ; /push hFile0058EF6F    6A 00           PUSH 0                                   ; |/pOverlapped = NULL0058EF71    8DB5 B3F44000   LEA ESI,DWORD PTR SS:[EBP+40F4B3]        ; ||0058EF77    56              PUSH ESI                                 ; ||pBytesWritten = MainCon.0058A4B30058EF78    FFB5 59814100   PUSH DWORD PTR SS:[EBP+418159]           ; ||nBytesToWrite = 00058EF7E    8B9D 4F814100   MOV EBX,DWORD PTR SS:[EBP+41814F]        ; ||0058EF84    039D 46F84000   ADD EBX,DWORD PTR SS:[EBP+40F846]        ; ||0058EF8A    2B9D 53814100   SUB EBX,DWORD PTR SS:[EBP+418153]        ; ||0058EF90    2B9D 59814100   SUB EBX,DWORD PTR SS:[EBP+418159]        ; ||0058EF96    53              PUSH EBX                                 ; ||Buffer = MainCon.004000000058EF97    50              PUSH EAX                                 ; ||hFile = 00000054 (window)0058EF98    FF95 53FD4000   CALL DWORD PTR SS:[EBP+40FD53]           ; |/WriteFile0058EF9E    FF95 27FD4000   CALL DWORD PTR SS:[EBP+40FD27]           ; /CloseHandle0058EFA4    8DB5 98F34000   LEA ESI,DWORD PTR SS:[EBP+40F398]0058EFAA    56              PUSH ESI                                 ; /LibraryA Name0058EFAB    FF95 24854100   CALL DWORD PTR SS:[EBP+418524]           ; /LoadLibraryA0058EFB1    8985 3EF84000   MOV DWORD PTR SS:[EBP+40F83E],EAX        ; hModule0058EFB7    8DB5 5D814100   LEA ESI,DWORD PTR SS:[EBP+41815D]0058EFBD    56              PUSH ESI                                 ; /ProcNameOrOrdinal = "Randimize"0058EFBE    FFB5 3EF84000   PUSH DWORD PTR SS:[EBP+40F83E]           ; |hModule = NULL0058EFC4    FF95 1C854100   CALL DWORD PTR SS:[EBP+41851C]           ; /GetProcAddress0058EFCA    FFB5 67814100   PUSH DWORD PTR SS:[EBP+418167]0058EFD0    FFD0            CALL EAX                                 ; 获取该API的地址后,执行该函数0058EFD2    8985 5D814100   MOV DWORD PTR SS:[EBP+41815D],EAX0058EFD8    C785 61814100 0>MOV DWORD PTR SS:[EBP+418161],00058EFE2    FFB5 3EF84000   PUSH DWORD PTR SS:[EBP+40F83E]           ; /hModule0058EFE8    FF95 57FD4000   CALL DWORD PTR SS:[EBP+40FD57]           ; /FreeLibraryA0058EFEE    61              POPAD0058EFEF    60              PUSHAD0058EFF0    6A 00           PUSH 00058EFF2    FF95 20854100   CALL DWORD PTR SS:[EBP+418520]           ; GetModuleHandleA0058EFF8    8DB5 8BF14000   LEA ESI,DWORD PTR SS:[EBP+40F18B]0058EFFE    56              PUSH ESI0058EFFF    50              PUSH EAX0058F000    AD              LODS DWORD PTR DS:[ESI]0058F001    93              XCHG EAX,EBX0058F002    AD              LODS DWORD PTR DS:[ESI]0058F003    3BC3            CMP EAX,EBX0058F005    75 09           JNZ SHORT 0058F0100058F007    90              NOP0058F008    90              NOP0058F009    90              NOP0058F00A    90              NOP0058F00B    EB 20           JMP SHORT 0058F02D0058F00D    90              NOP0058F00E    90              NOP0058F00F    90              NOP0058F010    8DB5 8BF14000   LEA ESI,DWORD PTR SS:[EBP+40F18B]0058F016    FF95 1C854100   CALL DWORD PTR SS:[EBP+41851C]0058F01C    8985 8BF14000   MOV DWORD PTR SS:[EBP+40F18B],EAX0058F022    8985 8FF14000   MOV DWORD PTR SS:[EBP+40F18F],EAX0058F028    EB 05           JMP SHORT 0058F02F0058F02A    90              NOP0058F02B    90              NOP0058F02C    90              NOP0058F02D    58              POP EAX0058F02E    5E              POP ESI0058F02F    8B85 8BF14000   MOV EAX,DWORD PTR SS:[EBP+40F18B]0058F035    0BC0            OR EAX,EAX0058F037    74 1A           JE SHORT 0058F0530058F039    90              NOP0058F03A    90              NOP0058F03B    90              NOP0058F03C    90              NOP0058F03D    FF95 8BF14000   CALL DWORD PTR SS:[EBP+40F18B]0058F043    8985 5D814100   MOV DWORD PTR SS:[EBP+41815D],EAX0058F049    C785 61814100 0>MOV DWORD PTR SS:[EBP+418161],00058F053    61              POPAD0058F054    8DB5 B7F44000   LEA ESI,DWORD PTR SS:[EBP+40F4B7]        ; 生成%tmp%/perplex.dll0058F05A    B9 0B000000     MOV ECX,0B0058F05F    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>0058F061    8DB5 98F34000   LEA ESI,DWORD PTR SS:[EBP+40F398]0058F067    6A 00           PUSH 00058F069    6A 20           PUSH 200058F06B    6A 02           PUSH 20058F06D    6A 00           PUSH 00058F06F    6A 03           PUSH 30058F071    68 000000C0     PUSH C00000000058F076    56              PUSH ESI0058F077    FF95 2BFD4000   CALL DWORD PTR SS:[EBP+40FD2B]           ; CreateFileA0058F07D    0BC0            OR EAX,EAX0058F07F    74 75           JE SHORT 0058F0F60058F081    90              NOP0058F082    90              NOP0058F083    90              NOP0058F084    90              NOP0058F085    50              PUSH EAX0058F086    6A 00           PUSH 00058F088    8DB5 B3F44000   LEA ESI,DWORD PTR SS:[EBP+40F4B3]0058F08E    56              PUSH ESI0058F08F    FFB5 53814100   PUSH DWORD PTR SS:[EBP+418153]0058F095    8B9D 4F814100   MOV EBX,DWORD PTR SS:[EBP+41814F]0058F09B    039D 46F84000   ADD EBX,DWORD PTR SS:[EBP+40F846]0058F0A1    2B9D 53814100   SUB EBX,DWORD PTR SS:[EBP+418153]0058F0A7    53              PUSH EBX0058F0A8    50              PUSH EAX0058F0A9    FF95 53FD4000   CALL DWORD PTR SS:[EBP+40FD53]0058F0AF    FF95 27FD4000   CALL DWORD PTR SS:[EBP+40FD27]0058F0B5    8DB5 98F34000   LEA ESI,DWORD PTR SS:[EBP+40F398]0058F0BB    56              PUSH ESI                                 ; /library name0058F0BC    FF95 24854100   CALL DWORD PTR SS:[EBP+418524]           ; /LoadLibraryA0058F0C2    0BC0            OR EAX,EAX0058F0C4    74 30           JE SHORT 0058F0F6                        ; 如果载入失败则忽略并跳去执行后面的代码0058F0C6    90              NOP0058F0C7    90              NOP0058F0C8    90              NOP0058F0C9    90              NOP0058F0CA    8985 3EF84000   MOV DWORD PTR SS:[EBP+40F83E],EAX0058F0D0    8DB5 C4F44000   LEA ESI,DWORD PTR SS:[EBP+40F4C4]        ; 载入成功则获取zcf_decrypt的地址0058F0D6    56              PUSH ESI                                 ; /name0058F0D7    FFB5 3EF84000   PUSH DWORD PTR SS:[EBP+40F83E]           ; |hmodule0058F0DD    FF95 1C854100   CALL DWORD PTR SS:[EBP+41851C]           ; /GetProcAddress0058F0E3    8985 C4F44000   MOV DWORD PTR SS:[EBP+40F4C4],EAX0058F0E9    0BC0            OR EAX,EAX0058F0EB    74 09           JE SHORT 0058F0F60058F0ED    90              NOP0058F0EE    90              NOP0058F0EF    90              NOP0058F0F0    90              NOP0058F0F1    E8 D5F7FFFF     CALL <Reg_Info>0058F0F6    60              PUSHAD                                   ; 把前面的代码加密回去0058F0F7    E8 00000000     CALL 0058F0FC0058F0FC    5E              POP ESI0058F0FD    83EE 06         SUB ESI,60058F100    B9 12020000     MOV ECX,2120058F105    29CE            SUB ESI,ECX0058F107    BA 9A465152     MOV EDX,5251469A0058F10C    C1E9 02         SHR ECX,20058F10F    83E9 02         SUB ECX,20058F112    83F9 00         CMP ECX,00058F115    7C 1A           JL SHORT 0058F1310058F117    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058F11A    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058F11E    03C3            ADD EAX,EBX0058F120    C1C8 1A         ROR EAX,1A0058F123    2BC2            SUB EAX,EDX0058F125    81C2 4F6B073C   ADD EDX,3C076B4F0058F12B    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0058F12E    49              DEC ECX0058F12F  ^ EB E1           JMP SHORT 0058F1120058F131    61              POPAD......0058F2DC    E8 1FCEFFFF     CALL <sub_GetEBP >
; 开始执行判断是否用了注册提示,是否显示机器码信息框之类的0058F2E1    66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF000058F2EA    0F84 AC000000   JE 0058F39C0058F2F0    66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF01       ; 这几个判断没有认真去看0058F2F9    74 39           JE SHORT 0058F3340058F2FB    90              NOP0058F2FC    90              NOP0058F2FD    90              NOP0058F2FE    90              NOP0058F2FF    66:81BD 2CF5400>CMP WORD PTR SS:[EBP+40F52C],0FF020058F308    74 53           JE SHORT 0058F35D......0058F4E0    60              PUSHAD                                   ; 加密回去0058F4E1    E8 00000000     CALL 0058F4E60058F4E6    5E              POP ESI0058F4E7    83EE 06         SUB ESI,60058F4EA    B9 04020000     MOV ECX,2040058F4EF    29CE            SUB ESI,ECX0058F4F1    BA B615F109     MOV EDX,9F115B60058F4F6    C1E9 02         SHR ECX,20058F4F9    83E9 02         SUB ECX,20058F4FC    83F9 00         CMP ECX,00058F4FF    7C 1A           JL SHORT 0058F51B0058F501    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058F504    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058F508    2BC3            SUB EAX,EBX0058F50A    C1C8 14         ROR EAX,140058F50D    2BC2            SUB EAX,EDX0058F50F    81C2 94655AA2   ADD EDX,A25A65940058F515    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0058F518    49              DEC ECX0058F519  ^ EB E1           JMP SHORT 0058F4FC0058F51B    61              POPAD0058F51C    61              POPAD0058F51D    E8 4C050000     CALL <sub_Check_REG>0058F522    C3              RETNSub_Disposal IAT:005902A5 >  60              PUSHAD                                   ; Import Table Disposal005902A6    EB 01           JMP SHORT 005902A9005902A8    7A 87           JPE SHORT 00590231005902AA    C5EB            LDS EBP,EBX                              ; Illegal use of register005902AC    017A 66         ADD DWORD PTR DS:[EDX+66],EDI005902AF    BA 78E17A03     MOV EDX,37AE178......00590450    E8 ABBCFFFF     CALL <sub_GetEBP >
00590455    C685 A5524100 C>MOV BYTE PTR SS:[EBP+4152A5],0C3         ; 如果执行完了则不再执行0059045C    C785 0BF94000 0>MOV DWORD PTR SS:[EBP+40F90B],0040100000590466    01AD 0BF94000   ADD DWORD PTR SS:[EBP+40F90B],EBP0059046C    8385 0BF94000 1>ADD DWORD PTR SS:[EBP+40F90B],1000590473    8B95 46F84000   MOV EDX,DWORD PTR SS:[EBP+40F846]        ; 取IMAGEBASE00590479    8BB5 07F94000   MOV ESI,DWORD PTR SS:[EBP+40F907]        ; [EBP+40F907]记录着程序输入表的起始位置RVA==BEB880059047F    03F2            ADD ESI,EDX                              ; 转为VA00590481 >  8B46 0C         MOV EAX,DWORD PTR DS:[ESI+C]00590484    0BC0            OR EAX,EAX00590486    0F84 25020000   JE <Finished>                            ; 处理完则跳去结束处0059048C    8366 0C 00      AND DWORD PTR DS:[ESI+C],0               ; 开始清除原IAT结构,nop掉00590490    03C2            ADD EAX,EDX00590492    8BD8            MOV EBX,EAX00590494    56              PUSH ESI00590495    57              PUSH EDI00590496    50              PUSH EAX00590497    8BF3            MOV ESI,EBX00590499    8BFB            MOV EDI,EBX0059049B >  AC              LODS BYTE PTR DS:[ESI]                   ; Decrypt_DLL_Name0059049C    C0C0 03         ROL AL,3                                 ; 还原出正确的DLL名0059049F    AA              STOS BYTE PTR ES:[EDI]005904A0    803F 00         CMP BYTE PTR DS:[EDI],0005904A3  ^ 75 F6           JNZ SHORT <Decrypt_DLL_Name>005904A5    58              POP EAX005904A6    5F              POP EDI005904A7    5E              POP ESI005904A8    50              PUSH EAX                                 ; /moduleName005904A9    FF95 20854100   CALL DWORD PTR SS:[EBP+418520]           ; /GetModuleHandleA005904AF    0BC0            OR EAX,EAX005904B1    75 43           JNZ SHORT <Dll_is_loaded>005904B3    90              NOP005904B4    90              NOP005904B5    90              NOP005904B6    90              NOP005904B7    53              PUSH EBX                                 ; /DllName005904B8    FF95 24854100   CALL DWORD PTR SS:[EBP+418524]           ; /LoadLibraryA005904BE    0BC0            OR EAX,EAX005904C0    75 34           JNZ SHORT <Dll_is_loaded>005904C2    90              NOP005904C3    90              NOP005904C4    90              NOP005904C5    90              NOP005904C6 >  8B95 46F84000   MOV EDX,DWORD PTR SS:[EBP+40F846]        ; 载入失败的路005904CC    0195 351B4000   ADD DWORD PTR SS:[EBP+401B35],EDX005904D2    0195 391B4000   ADD DWORD PTR SS:[EBP+401B39],EDX005904D8    6A 00           PUSH 0                                   ; /Style005904DA    FFB5 351B4000   PUSH DWORD PTR SS:[EBP+401B35]           ; |Caption005904E0    FFB5 391B4000   PUSH DWORD PTR SS:[EBP+401B39]           ; |TEXT005904E6    6A 00           PUSH 0                                   ; |hOwner = NULL005904E8    FF95 2C854100   CALL DWORD PTR SS:[EBP+41852C]           ; /MessageBoxA005904EE    6A 00           PUSH 0                                   ; /ExitCode==0005904F0    FF95 28854100   CALL DWORD PTR SS:[EBP+418528]           ; /ExitProcess005904F6 >  60              PUSHAD                                   ; 载入DLL后壳把DLL名给清除掉005904F7    2BC0            SUB EAX,EAX005904F9 >  8803            MOV BYTE PTR DS:[EBX],AL                 ; loop clea dllname005904FB    43              INC EBX005904FC    3803            CMP BYTE PTR DS:[EBX],AL005904FE  ^ 75 F9           JNZ SHORT <loop clea dllname>00590500    61              POPAD00590501    8985 3EF84000   MOV DWORD PTR SS:[EBP+40F83E],EAX        ; 保存hModule00590507    C785 42F84000 0>MOV DWORD PTR SS:[EBP+40F842],000590511    8B95 46F84000   MOV EDX,DWORD PTR SS:[EBP+40F846]00590517    8B06            MOV EAX,DWORD PTR DS:[ESI]00590519    0BC0            OR EAX,EAX0059051B    75 07           JNZ SHORT 005905240059051D    90              NOP0059051E    90              NOP0059051F    90              NOP00590520    90              NOP00590521    8B46 10         MOV EAX,DWORD PTR DS:[ESI+10]00590524    03C2            ADD EAX,EDX00590526    0385 42F84000   ADD EAX,DWORD PTR SS:[EBP+40F842]0059052C    8B18            MOV EBX,DWORD PTR DS:[EAX]0059052E    8B7E 10         MOV EDI,DWORD PTR DS:[ESI+10]00590531    03FA            ADD EDI,EDX00590533    03BD 42F84000   ADD EDI,DWORD PTR SS:[EBP+40F842]00590539    85DB            TEST EBX,EBX                             ; 判断当前DLL的API有没有处理完0059053B    0F84 62010000   JE <Disposal Next DLL>00590541    F7C3 00000080   TEST EBX,80000000                        ; 判断为API名字还是为序号00590547    75 1D           JNZ SHORT 0059056600590549    90              NOP0059054A    90              NOP0059054B    90              NOP0059054C    90              NOP0059054D    03DA            ADD EBX,EDX                              ; 如果是字符串,还得先还原出正确的API名字0059054F    83C3 02         ADD EBX,200590552    56              PUSH ESI00590553    57              PUSH EDI00590554    50              PUSH EAX00590555    8BF3            MOV ESI,EBX00590557    8BFB            MOV EDI,EBX00590559 >  AC              LODS BYTE PTR DS:[ESI]                   ; Restor_API_NAME0059055A    C0C0 03         ROL AL,30059055D    AA              STOS BYTE PTR ES:[EDI]0059055E    803F 00         CMP BYTE PTR DS:[EDI],000590561  ^ 75 F6           JNZ SHORT <Restor_API_NAME>00590563    58              POP EAX00590564    5F              POP EDI00590565    5E              POP ESI00590566    3B9D 46F84000   CMP EBX,DWORD PTR SS:[EBP+40F846]0059056C    7C 11           JL SHORT 0059057F                        ; 如果小于IMAGEBASE说明是序号0059056E    90              NOP0059056F    90              NOP00590570    90              NOP00590571    90              NOP00590572    83BD 1A204000 0>CMP DWORD PTR SS:[EBP+40201A],000590579    75 0A           JNZ SHORT 005905850059057B    90              NOP0059057C    90              NOP0059057D    90              NOP0059057E    90              NOP0059057F    81E3 FFFFFF0F   AND EBX,0FFFFFFF00590585    53              PUSH EBX                                 ; /API Name00590586    FFB5 3EF84000   PUSH DWORD PTR SS:[EBP+40F83E]           ; |hModule0059058C    FF95 1C854100   CALL DWORD PTR SS:[EBP+41851C]           ; /GetProcAddress00590592    3B9D 46F84000   CMP EBX,DWORD PTR SS:[EBP+40F846]00590598    7C 0F           JL SHORT 005905A9                        ; 如果是序号则跳0059059A    90              NOP0059059B    90              NOP0059059C    90              NOP0059059D    90              NOP0059059E    60              PUSHAD                                   ; 如果是字符串名则清除API名0059059F    2BC0            SUB EAX,EAX005905A1 >  8803            MOV BYTE PTR DS:[EBX],AL005905A3    43              INC EBX005905A4    3803            CMP BYTE PTR DS:[EBX],AL005905A6  ^ 75 F9           JNZ SHORT <Clea API NAME>005905A8    61              POPAD005905A9    0BC0            OR EAX,EAX                               ; 如果获取API地址失败则OVER005905AB  ^ 0F84 15FFFFFF   JE <Fail Message>005905B1    3B85 2C854100   CMP EAX,DWORD PTR SS:[EBP+41852C]        ; 判断是否为特殊函数MessageBoxA005905B7    74 20           JE SHORT 005905D9005905B9    90              NOP005905BA    90              NOP005905BB    90              NOP005905BC    90              NOP005905BD    3B85 C4FD4000   CMP EAX,DWORD PTR SS:[EBP+40FDC4]        ; 判断是否为特殊函数RegisterHotKey005905C3    74 09           JE SHORT 005905CE005905C5    90              NOP005905C6    90              NOP005905C7    90              NOP005905C8    90              NOP005905C9    EB 14           JMP SHORT 005905DF005905CB    90              NOP005905CC    90              NOP005905CD    90              NOP005905CE    8D85 31FE4000   LEA EAX,DWORD PTR SS:[EBP+40FE31]005905D4    EB 09           JMP SHORT 005905DF005905D6    90              NOP005905D7    90              NOP005905D8    90              NOP005905D9    8D85 4BFE4000   LEA EAX,DWORD PTR SS:[EBP+40FE4B]005905DF    56              PUSH ESI005905E0    FFB5 3EF84000   PUSH DWORD PTR SS:[EBP+40F83E]005905E6    5E              POP ESI005905E7    39B5 12204000   CMP DWORD PTR SS:[EBP+402012],ESI        ; 判断hmodule是否为kernel32.dll的句柄005905ED    74 15           JE SHORT 00590604005905EF    90              NOP005905F0    90              NOP005905F1    90              NOP005905F2    90              NOP005905F3    39B5 16204000   CMP DWORD PTR SS:[EBP+402016],ESI        ; 判断hmodule是否为user32.dll的句柄005905F9    74 09           JE SHORT 00590604005905FB    90              NOP005905FC    90              NOP005905FD    90              NOP005905FE    90              NOP005905FF    EB 63           JMP SHORT 0059066400590601    90              NOP00590602    90              NOP00590603    90              NOP00590604    80BD 16564100 0>CMP BYTE PTR SS:[EBP+415616],0           ; 如果是kernel32.dll或user32.dll的话,再判断是否要加密特殊函数0059060B    74 57           JE SHORT 005906640059060D    90              NOP0059060E    90              NOP0059060F    90              NOP00590610    90              NOP00590611    EB 07           JMP SHORT 0059061A00590613    90              NOP00590614    90              NOP00590615    90              NOP00590616    0100            ADD DWORD PTR DS:[EAX],EAX00590618    0000            ADD BYTE PTR DS:[EAX],AL0059061A    8BB5 0BF94000   MOV ESI,DWORD PTR SS:[EBP+40F90B]00590620    83C6 0D         ADD ESI,0D00590623    81EE 02184000   SUB ESI,0040180200590629    2BF5            SUB ESI,EBP0059062B    83FE 00         CMP ESI,00059062E    7F 34           JG SHORT 0059066400590630    90              NOP00590631    90              NOP00590632    90              NOP00590633    90              NOP00590634    8BB5 0BF94000   MOV ESI,DWORD PTR SS:[EBP+40F90B]0059063A    53              PUSH EBX0059063B    50              PUSH EAX0059063C    E8 8DB2FFFF     CALL <Get_RND_VALUE>00590641    8BD8            MOV EBX,EAX00590643    58              POP EAX00590644    33C3            XOR EAX,EBX00590646    C606 68         MOV BYTE PTR DS:[ESI],68                 ; 改成push address xor [esp],key,ret的方式00590649    8946 01         MOV DWORD PTR DS:[ESI+1],EAX0059064C    C746 05 8134240>MOV DWORD PTR DS:[ESI+5],24348100590653    895E 08         MOV DWORD PTR DS:[ESI+8],EBX00590656    C646 0C C3      MOV BYTE PTR DS:[ESI+C],0C30059065A    5B              POP EBX0059065B    8BC6            MOV EAX,ESI0059065D    8385 0BF94000 0>ADD DWORD PTR SS:[EBP+40F90B],0D00590664    5E              POP ESI                                  ; 普通API函数的处理00590665    60              PUSHAD00590666    8BD0            MOV EDX,EAX00590668    2BBD 46F84000   SUB EDI,DWORD PTR SS:[EBP+40F846]0059066E    8BC7            MOV EAX,EDI00590670    B9 01010000     MOV ECX,10100590675    8DBD EBEC4000   LEA EDI,DWORD PTR SS:[EBP+40ECEB]0059067B    F2:AF           REPNE SCAS DWORD PTR ES:[EDI]0059067D    0BC9            OR ECX,ECX0059067F    74 13           JE SHORT 0059069400590681    90              NOP00590682    90              NOP00590683    90              NOP00590684    90              NOP00590685    81E9 01010000   SUB ECX,1010059068B    F7D1            NOT ECX0059068D    89948D EBE84000 MOV DWORD PTR SS:[EBP+ECX*4+40E8EB],EDX00590694    61              POPAD00590695    8907            MOV DWORD PTR DS:[EDI],EAX               ; 填充API地址00590697    8385 42F84000 0>ADD DWORD PTR SS:[EBP+40F842],40059069E  ^ E9 6EFEFFFF     JMP 00590511005906A3 >  83C6 14         ADD ESI,14                               ; Disposal Next DLL005906A6    8B95 46F84000   MOV EDX,DWORD PTR SS:[EBP+40F846]005906AC  ^ E9 D0FDFFFF     JMP <loop fill IAT>005906B1 >  8DBD EBEC4000   LEA EDI,DWORD PTR SS:[EBP+40ECEB]005906B7    33C0            XOR EAX,EAX005906B9    B9 00010000     MOV ECX,100005906BE    F3:AB           REP STOS DWORD PTR ES:[EDI]              ; 清场代码005906C0    60              PUSHAD                                   ; 加密代码005906C1    E8 00000000     CALL 005906C6005906C6    5E              POP ESI005906C7    83EE 06         SUB ESI,6005906CA    B9 70020000     MOV ECX,270005906CF    29CE            SUB ESI,ECX005906D1    BA BF51E4CE     MOV EDX,CEE451BF005906D6    C1E9 02         SHR ECX,2005906D9    83E9 02         SUB ECX,2005906DC    83F9 00         CMP ECX,0005906DF    7C 1A           JL SHORT 005906FB005906E1    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]005906E4    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]005906E8    03C3            ADD EAX,EBX005906EA    C1C8 08         ROR EAX,8005906ED    2BC2            SUB EAX,EDX005906EF    81EA 792FBAB2   SUB EDX,B2BA2F79005906F5    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX005906F8    49              DEC ECX005906F9  ^ EB E1           JMP SHORT 005906DC005906FB    61              POPAD005906FC    61              POPAD005906FD    E8 D9D9FFFF     CALL <sub_chek_CRC>00590702    C3              RETNsub_chek_CRC:0058E0DB >  60              PUSHAD                                   ; sub_chek_CRC,检测文件修改0058E0DC    77 02           JA SHORT 0058E0E00058E0DE    8BD7            MOV EDX,EDI0058E0E0    78 01           JS SHORT 0058E0E30058E0E2    F8              CLC0058E0E3    50              PUSH EAX0058E0E4    E8 01000000     CALL 0058E0EA0058E0E9  ^ 74 83           JE SHORT 0058E06E......0058E286   .  E8 75DEFFFF   CALL <sub_GetEBP >
0058E28B   .  68 20030000   PUSH 320                                 ;  /BufSize = 320 (800.)0058E290   .  8DBD 11184000 LEA EDI,DWORD PTR SS:[EBP+401811]        ;  |0058E296   .  57            PUSH EDI                                 ;  |PathBuffer = MainCon.0057C8110058E297   .  6A 00         PUSH 0                                   ;  |hModule = NULL0058E299   .  FF95 73FD4000 CALL DWORD PTR SS:[EBP+40FD73]           ;  /GetModuleFileNameA0058E29F   .  6A 00         PUSH 0                                   ;  /hTemplateFile = NULL0058E2A1   .  68 80000000   PUSH 80                                  ;  |Attributes = NORMAL0058E2A6   .  6A 03         PUSH 3                                   ;  |Mode = OPEN_EXISTING0058E2A8   .  6A 00         PUSH 0                                   ;  |pSecurity = NULL0058E2AA   .  6A 01         PUSH 1                                   ;  |ShareMode = FILE_SHARE_READ0058E2AC   .  68 00000080   PUSH 80000000                            ;  |Access = GENERIC_READ0058E2B1   .  57            PUSH EDI                                 ;  |FileName0058E2B2   .  FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B]           ;  /CreateFileA0058E2B8   .  40            INC EAX0058E2B9   .  0F84 87000000 JE 0058E346                              ;  读取文件失败则跳0058E2BF   .  48            DEC EAX0058E2C0   .  8BF8          MOV EDI,EAX0058E2C2   .  6A 00         PUSH 0                                   ;  /pFileSizeHigh = NULL0058E2C4   .  57            PUSH EDI                                 ;  |hFile = 00000054 (window)0058E2C5   .  FF95 77FD4000 CALL DWORD PTR SS:[EBP+40FD77]           ;  /GetFileSize0058E2CB   .  2B85 6B814100 SUB EAX,DWORD PTR SS:[EBP+41816B]0058E2D1   .  96            XCHG EAX,ESI0058E2D2   .  56            PUSH ESI                                 ;  /MemSize0058E2D3   .  6A 40         PUSH 40                                  ;  |Flags = GPTR0058E2D5   .  FF95 FFFC4000 CALL DWORD PTR SS:[EBP+40FCFF]           ;  /GlobalAlloc0058E2DB   .  85C0          TEST EAX,EAX0058E2DD   .  74 5E         JE SHORT 0058E33D0058E2DF   .  90            NOP0058E2E0   .  90            NOP0058E2E1   .  90            NOP0058E2E2   .  90            NOP0058E2E3   .  93            XCHG EAX,EBX0058E2E4   .  6A 00         PUSH 0                                   ;  /pOverlapped = NULL0058E2E6   .  8D85 11184000 LEA EAX,DWORD PTR SS:[EBP+401811]        ;  |0058E2EC   .  50            PUSH EAX                                 ;  |pBytesRead = MainCon.0057C8110058E2ED   .  56            PUSH ESI                                 ;  |BytesToRead = D915D (889181.)0058E2EE   .  53            PUSH EBX                                 ;  |Buffer = 00B100200058E2EF   .  57            PUSH EDI                                 ;  |hFile = 00000054 (window)0058E2F0   .  FF95 4FFD4000 CALL DWORD PTR SS:[EBP+40FD4F]           ;  /ReadFile0058E2F6   .  8BC3          MOV EAX,EBX0058E2F8   .  8BCE          MOV ECX,ESI0058E2FA   .  60            PUSHAD0058E2FB   .  E8 84000000   CALL <Calc CRC VALUE>0058E300   .  3985 6F814100 CMP DWORD PTR SS:[EBP+41816F],EAX0058E306   .  74 24         JE SHORT 0058E32C                        ;  如果文件没有改动则跳0058E308   .  90            NOP0058E309   .  90            NOP0058E30A   .  90            NOP0058E30B   .  90            NOP0058E30C   .  83BD 1A204000>CMP DWORD PTR SS:[EBP+40201A],00058E313   .  75 17         JNZ SHORT 0058E32C0058E315   .  90            NOP0058E316   .  90            NOP0058E317   .  90            NOP0058E318   .  90            NOP0058E319   .  8BBD 4B814100 MOV EDI,DWORD PTR SS:[EBP+41814B]        ;  如果CRC值不正确的话,这里开始出阴招:-)0058E31F   .  03BD 46F84000 ADD EDI,DWORD PTR SS:[EBP+40F846]0058E325   .  B9 0A000000   MOV ECX,0A0058E32A   .  F3:AB         REP STOS DWORD PTR ES:[EDI]0058E32C   >  61            POPAD0058E32D   .  8D85 35334100 LEA EAX,DWORD PTR SS:[EBP+413335]0058E333   .  50            PUSH EAX0058E334   .  C3            RETN0058E335   .  53            PUSH EBX                                 ;  /hMem0058E336   .  FF95 03FD4000 CALL DWORD PTR SS:[EBP+40FD03]           ;  /GlobalFree0058E33C   .  96            XCHG EAX,ESI0058E33D   >  50            PUSH EAX0058E33E   .  57            PUSH EDI                                 ;  /hObject0058E33F   .  FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27]           ;  /CloseHandle0058E345   .  58            POP EAX0058E346   >  60            PUSHAD                                   ;  加密代码0058E347   >  E8 00000000   CALL 0058E34C0058E34C  /$  5E            POP ESI0058E34D  |.  83EE 06       SUB ESI,60058E350  |.  B9 C0000000   MOV ECX,0C00058E355  |.  29CE          SUB ESI,ECX0058E357  |.  BA E86DCB4B   MOV EDX,4BCB6DE80058E35C  |.  C1E9 02       SHR ECX,20058E35F  |.  83E9 02       SUB ECX,20058E362  |>  83F9 00       /CMP ECX,00058E365  |.  7C 1A         |JL SHORT 0058E3810058E367  |.  8B048E        |MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058E36A  |.  8B5C8E 04     |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058E36E  |.  2BC3          |SUB EAX,EBX0058E370  |.  C1C0 06       |ROL EAX,60058E373  |.  03C2          |ADD EAX,EDX0058E375  |.  81F2 13FDB951 |XOR EDX,51B9FD130058E37B  |.  89048E        |MOV DWORD PTR DS:[ESI+ECX*4],EAX0058E37E  |.  49            |DEC ECX0058E37F  |.^ EB E1         /JMP SHORT 0058E3620058E381  |>  61            POPAD0058E382  |.  61            POPAD0058E383  /.  C3            RETNCalc CRC VALUE:0058E384 >  8BF8            MOV EDI,EAX                              ; 计算CRC值0058E386    33C0            XOR EAX,EAX0058E388    33DB            XOR EBX,EBX0058E38A    33D2            XOR EDX,EDX0058E38C >  8A07            MOV AL,BYTE PTR DS:[EDI]0058E38E    F7E2            MUL EDX0058E390    03D8            ADD EBX,EAX0058E392    42              INC EDX0058E393    47              INC EDI0058E394  ^ E2 F6           LOOPD SHORT <loop calc>0058E396    93              XCHG EAX,EBX0058E397    C3              RETNsub_Check_REG:0058FA6E >  60              PUSHAD                                   ; 检测使用有没有过期之类的0058FA6F    EB 04           JMP SHORT 0058FA750058FA71    90              NOP0058FA72    90              NOP0058FA73    90              NOP0058FA74    00F8            ADD AL,BH0058FA76    E8 01000000     CALL 0058FA7C......0058FC1F    E8 DCC4FFFF     CALL <sub_GetEBP >
0058FC24    C685 6E4A4100 C>MOV BYTE PTR SS:[EBP+414A6E],0C30058FC2B    C685 6DF74000 0>MOV BYTE PTR SS:[EBP+40F76D],00058FC32    C685 744A4100 0>MOV BYTE PTR SS:[EBP+414A74],00058FC39    80BD 6CF74000 0>CMP BYTE PTR SS:[EBP+40F76C],1           ; 如果为1表示不检查试用信息0058FC40    0F84 8D030000   JE <Use>0058FC46    8A85 634C4100   MOV AL,BYTE PTR SS:[EBP+414C63]0058FC4C    0AC0            OR AL,AL                                 ; 如果为0表示不检查试用信息0058FC4E    0F84 7F030000   JE <Use>0058FC54    EB 33           JMP SHORT <Check Expired>0058FC56    90              NOP0058FC57    90              NOP0058FC58    90              NOP0058FC59    90              NOP0058FC5A    90              NOP0058FC5B    90              NOP0058FC5C    90              NOP0058FC5D    90              NOP0058FC5E    90              NOP0058FC5F    90              NOP0058FC60    90              NOP0058FC61    90              NOP0058FC62    90              NOP0058FC63    0000            ADD BYTE PTR DS:[EAX],AL0058FC65    43              INC EBX0058FC66    3A5C43 30       CMP BL,BYTE PTR DS:[EBX+EAX*2+30]0058FC6A    6E              OUTS DX,BYTE PTR ES:[EDI]                ; I/O command0058FC6B    66:6967 2E 7361 IMUL SP,WORD PTR DS:[EDI+2E],61730058FC71    76 00           JBE SHORT 0058FC730058FC73    0000            ADD BYTE PTR DS:[EAX],AL0058FC75    0000            ADD BYTE PTR DS:[EAX],AL0058FC77    0000            ADD BYTE PTR DS:[EAX],AL0058FC79    0000            ADD BYTE PTR DS:[EAX],AL0058FC7B    0000            ADD BYTE PTR DS:[EAX],AL0058FC7D    0000            ADD BYTE PTR DS:[EAX],AL0058FC7F    0000            ADD BYTE PTR DS:[EAX],AL0058FC81    0000            ADD BYTE PTR DS:[EAX],AL0058FC83    0000            ADD BYTE PTR DS:[EAX],AL0058FC85    0000            ADD BYTE PTR DS:[EAX],AL0058FC87    0000            ADD BYTE PTR DS:[EAX],AL0058FC89 >  6A 00           PUSH 0                                   ; /hTemplateFile = NULL0058FC8B    6A 02           PUSH 2                                   ; |Attributes = HIDDEN0058FC8D    6A 04           PUSH 4                                   ; |Mode = OPEN_ALWAYS0058FC8F    6A 00           PUSH 0                                   ; |pSecurity = NULL0058FC91    6A 03           PUSH 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE0058FC93    68 000000C0     PUSH C0000000                            ; |Access = GENERIC_READ|GENERIC_WRITE0058FC98    8DB5 654C4100   LEA ESI,DWORD PTR SS:[EBP+414C65]        ; |0058FC9E    56              PUSH ESI                                 ; |Try information FileName0058FC9F    50              PUSH EAX                                 ; |0058FCA0    8B85 2BFD4000   MOV EAX,DWORD PTR SS:[EBP+40FD2B]      ; |0058FCA6    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]              ; |0058FCA9    83E8 33         SUB EAX,33                               ; |0058FCAC    3D 99000000     CMP EAX,99                               ; |0058FCB1    74 10           JE SHORT 0058FCC3                        ; |0058FCB3    90              NOP                                      ; |0058FCB4    90              NOP                                      ; |0058FCB5    90              NOP                                      ; |0058FCB6    90              NOP                                      ; |0058FCB7    58              POP EAX                                  ; |0058FCB8    FF95 2BFD4000   CALL DWORD PTR SS:[EBP+40FD2B]           ; /CreateFileA0058FCBE    EB 17           JMP SHORT 0058FCD70058FCC0    90              NOP0058FCC1    90              NOP0058FCC2    90              NOP0058FCC3    B8 E8030000     MOV EAX,3E80058FCC8    E8 01BCFFFF     CALL <Get_RND_VALUE>0058FCCD    8DBD 615D4000   LEA EDI,DWORD PTR SS:[EBP+405D61]0058FCD3    03F8            ADD EDI,EAX0058FCD5    AB              STOS DWORD PTR ES:[EDI]0058FCD6    58              POP EAX0058FCD7    0BC0            OR EAX,EAX0058FCD9    75 32           JNZ SHORT 0058FD0D0058FCDB    90              NOP0058FCDC    90              NOP0058FCDD    90              NOP0058FCDE    90              NOP0058FCDF    8DB5 F64C4100   LEA ESI,DWORD PTR SS:[EBP+414CF6]0058FCE5    6A 00           PUSH 00058FCE7    56              PUSH ESI0058FCE8    56              PUSH ESI0058FCE9    6A 00           PUSH 00058FCEB    FF95 2C854100   CALL DWORD PTR SS:[EBP+41852C]0058FCF1    E9 DD020000     JMP <Use>0058FCF6    74 72           JE SHORT 0058FD6A0058FCF8    6961 6C 2063726>IMUL ESP,DWORD PTR DS:[ECX+6C],657263200058FCFF    61              POPAD0058FD00    74 65           JE SHORT 0058FD670058FD02    66:696C65 20 65>IMUL BP,WORD PTR SS:[EBP+20],72650058FD09    72 6F           JB SHORT 0058FD7A0058FD0B    72 00           JB SHORT 0058FD0D0058FD0D    8985 774C4100   MOV DWORD PTR SS:[EBP+414C77],EAX        ; 这里开始读取试用信息之类的0058FD13    6A 00           PUSH 00058FD15    8DB5 854C4100   LEA ESI,DWORD PTR SS:[EBP+414C85]......005901B9    E8 42BFFFFF     CALL <sub_GetEBP >
005901BE    80BD 744A4100 0>CMP BYTE PTR SS:[EBP+414A74],0005901C5    0F84 97000000   JE <Try way>                             ; 如果为0则表示没有注册提示005901CB    80BD 6DF74000 0>CMP BYTE PTR SS:[EBP+40F76D],0           ; 如果为0则表示过期了005901D2    0F85 8A000000   JNZ <Try way>005901D8 >  6A 00           PUSH 0                                   ; Game Over005901DA    E8 08000000     CALL <sub_Show_Expired_MSG>              ; 过期提示信息005901DF    45              INC EBP005901E0    78 70           JS SHORT 00590252005901E2    6972 65 64008DB>IMUL ESI,DWORD PTR DS:[EDX+65],B58D0064005901E9    91              XCHG EAX,ECX005901EA    D240 00         ROL BYTE PTR DS:[EAX],CL005901ED    56              PUSH ESI.........00590262 >  60              PUSHAD                                   ; 加密代码00590263    E8 00000000     CALL 0059026800590268    5E              POP ESI00590269    83EE 06         SUB ESI,60059026C    B9 A9000000     MOV ECX,0A900590271    29CE            SUB ESI,ECX00590273    BA D244E9AE     MOV EDX,AEE944D200590278    C1E9 02         SHR ECX,20059027B    83E9 02         SUB ECX,20059027E    83F9 00         CMP ECX,000590281    7C 1A           JL SHORT 0059029D00590283    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]00590286    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0059028A    33C3            XOR EAX,EBX0059028C    C1C0 05         ROL EAX,50059028F    33C2            XOR EAX,EDX00590291    81F2 5D121221   XOR EDX,2112125D00590297    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0059029A    49              DEC ECX0059029B  ^ EB E1           JMP SHORT 0059027E0059029D    61              POPAD0059029E    61              POPAD0059029F    C3              RETNsub_AntiDebug:0058D9EC >  60              PUSHAD                                   ; Anti_debug0058D9ED    E8 01000000     CALL 0058D9F30058D9F2    9A 83042406 C37>CALL FAR 71C3:06240483                   ; Far call0058D9F9    05 B8EB51F3     ADD EAX,F351EBB80058D9FE    46              INC ESI0058D9FF    74 03           JE SHORT 0058DA04......0058DB97    E8 64E5FFFF     CALL <sub_GetEBP >
0058DB9C    E8 2B050000     CALL <EAX=0 Do something>0058DBA1    0BC0            OR EAX,EAX0058DBA3    75 50           JNZ SHORT <safe way>0058DBA5    90              NOP0058DBA6    90              NOP0058DBA7    90              NOP0058DBA8    90              NOP0058DBA9    C685 EC294100 C>MOV BYTE PTR SS:[EBP+4129EC],0C30058DBB0    8CC8            MOV AX,CS0058DBB2    A8 04           TEST AL,40058DBB4    75 1A           JNZ SHORT <OS is Win9x>                  ; 如果不是nt系统则跳0058DBB6    90              NOP0058DBB7    90              NOP0058DBB8    90              NOP0058DBB9    90              NOP0058DBBA    64:67:A1 3000   MOV EAX,DWORD PTR FS:[30]                ; IsDebuggerPresent 检测ring3级调试器0058DBBF    0FB640 02       MOVZX EAX,BYTE PTR DS:[EAX+2]0058DBC3    0AC0            OR AL,AL0058DBC5    75 1B           JNZ SHORT <Found Debug>0058DBC7    90              NOP0058DBC8    90              NOP0058DBC9    90              NOP0058DBCA    90              NOP0058DBCB    EB 28           JMP SHORT <safe way>0058DBCD    90              NOP0058DBCE    90              NOP0058DBCF    90              NOP0058DBD0 >  64:67:A1 2000   MOV EAX,DWORD PTR FS:[20]0058DBD5    0BC0            OR EAX,EAX0058DBD7    75 09           JNZ SHORT <Found Debug>0058DBD9    90              NOP0058DBDA    90              NOP0058DBDB    90              NOP0058DBDC    90              NOP0058DBDD    EB 16           JMP SHORT <safe way>0058DBDF    90              NOP0058DBE0    90              NOP0058DBE1    90              NOP0058DBE2 >  8BBD 4B814100   MOV EDI,DWORD PTR SS:[EBP+41814B]        ; 如果发现调试器就阴人了:-(0058DBE8    03BD 46F84000   ADD EDI,DWORD PTR SS:[EBP+40F846]0058DBEE    B9 0A000000     MOV ECX,0A0058DBF3    F3:AB           REP STOS DWORD PTR ES:[EDI]0058DBF5 >  60              PUSHAD                                   ; Crypt code0058DBF6    E8 00000000     CALL 0058DBFB0058DBFB    5E              POP ESI0058DBFC    83EE 06         SUB ESI,60058DBFF    B9 5E000000     MOV ECX,5E0058DC04    29CE            SUB ESI,ECX0058DC06    BA 49F84A73     MOV EDX,734AF8490058DC0B    C1E9 02         SHR ECX,20058DC0E    83E9 02         SUB ECX,20058DC11    83F9 00         CMP ECX,00058DC14    7C 1A           JL SHORT 0058DC300058DC16    8B048E          MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058DC19    8B5C8E 04       MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058DC1D    33C3            XOR EAX,EBX0058DC1F    C1C8 16         ROR EAX,160058DC22    03C2            ADD EAX,EDX0058DC24    81F2 172969FF   XOR EDX,FF6929170058DC2A    89048E          MOV DWORD PTR DS:[ESI+ECX*4],EAX0058DC2D    49              DEC ECX0058DC2E  ^ EB E1           JMP SHORT 0058DC110058DC30    61              POPAD0058DC31    61              POPAD0058DC32    C3              RETNsub_chekRing0's Debug:0058CC50 >  60              PUSHAD                                   ; 检测ring0级调试器0058CC51    D3DA            RCR EDX,CL0058CC53    45              INC EBP0058CC54    E8 01000000     CALL 0058CC5A0058CC59  - E9 83C4040F     JMP 0F5D90E10058CC5E    8802            MOV BYTE PTR DS:[EDX],AL0058CC60    0000            ADD BYTE PTR DS:[EAX],AL......0058CDFB   .  E8 00F3FFFF   CALL <sub_GetEBP >
0058CE00   .  E8 C7120000   CALL <EAX=0 Do something>0058CE05   .  0BC0          OR EAX,EAX0058CE07   .  0F85 6F010000 JNZ <not Found way>0058CE0D   .  C685 501C4100>MOV BYTE PTR SS:[EBP+411C50],0C3         ;  Check sice0058CE14   .  8DB5 C11E4100 LEA ESI,DWORD PTR SS:[EBP+411EC1]0058CE1A > >  6A 00         PUSH 0                                   ;  /hTemplateFile = NULL0058CE1C   .  68 80000000   PUSH 80                                  ;  |Attributes = NORMAL0058CE21   .  6A 03         PUSH 3                                   ;  |Mode = OPEN_EXISTING0058CE23   .  6A 00         PUSH 0                                   ;  |pSecurity = NULL0058CE25   .  6A 03         PUSH 3                                   ;  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE0058CE27   .  68 000000C0   PUSH C0000000                            ;  |Access = GENERIC_READ|GENERIC_WRITE0058CE2C   .  56            PUSH ESI                                 ;  |FileName = "//./SICE"0058CE2D   .  50            PUSH EAX                                 ;  |0058CE2E   .  8B85 2BFD4000 MOV EAX,DWORD PTR SS:[EBP+40FD2B]        ;  |0058CE34   .  0FB600        MOVZX EAX,BYTE PTR DS:[EAX]              ;  |检测API入口处有没有下CC断点0058CE37   .  83E8 33       SUB EAX,33                               ;  |0058CE3A   .  3D 99000000   CMP EAX,99                               ;  |0058CE3F   .  74 10         JE SHORT 0058CE51                        ;  |0058CE41   .  90            NOP                                      ;  |0058CE42   .  90            NOP                                      ;  |0058CE43   .  90            NOP                                      ;  |0058CE44   .  90            NOP                                      ;  |0058CE45   .  58            POP EAX                                  ;  |0058CE46   .  FF95 2BFD4000 CALL DWORD PTR SS:[EBP+40FD2B]           ;  /CreateFileA0058CE4C   .  EB 17         JMP SHORT 0058CE650058CE4E      90            NOP0058CE4F      90            NOP0058CE50      90            NOP0058CE51   >  B8 E8030000   MOV EAX,3E80058CE56   .  E8 73EAFFFF   CALL <Get_RND_VALUE>0058CE5B   .  8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]0058CE61   .  03F8          ADD EDI,EAX0058CE63   .  AB            STOS DWORD PTR ES:[EDI]0058CE64   .  58            POP EAX0058CE65   >  40            INC EAX0058CE66   .  75 53         JNZ SHORT <Found Debug>0058CE68   .  90            NOP0058CE69   .  90            NOP0058CE6A   .  90            NOP0058CE6B   .  90            NOP0058CE6C   .  48            DEC EAX0058CE6D   .  50            PUSH EAX0058CE6E   .  50            PUSH EAX0058CE6F   .  8B85 27FD4000 MOV EAX,DWORD PTR SS:[EBP+40FD27]        ;  kernel32.CloseHandle0058CE75   .  0FB600        MOVZX EAX,BYTE PTR DS:[EAX]0058CE78   .  83E8 33       SUB EAX,330058CE7B   .  3D 99000000   CMP EAX,990058CE80   .  74 10         JE SHORT 0058CE920058CE82   .  90            NOP0058CE83   .  90            NOP0058CE84   .  90            NOP0058CE85   .  90            NOP0058CE86   .  58            POP EAX0058CE87   .  FF95 27FD4000 CALL DWORD PTR SS:[EBP+40FD27]           ;  CloseHandle0058CE8D   .  EB 17         JMP SHORT 0058CEA60058CE8F      90            NOP0058CE90      90            NOP0058CE91      90            NOP0058CE92   >  B8 E8030000   MOV EAX,3E80058CE97   .  E8 32EAFFFF   CALL <Get_RND_VALUE>0058CE9C   .  8DBD 615D4000 LEA EDI,DWORD PTR SS:[EBP+405D61]0058CEA2   .  03F8          ADD EDI,EAX0058CEA4   .  AB            STOS DWORD PTR ES:[EDI]0058CEA5   .  58            POP EAX0058CEA6   >  46            INC ESI0058CEA7   .  803E 00       CMP BYTE PTR DS:[ESI],00058CEAA   .^ 75 FA         JNZ SHORT 0058CEA60058CEAC   .  46            INC ESI0058CEAD   .  803E 00       CMP BYTE PTR DS:[ESI],00058CEB0   .  0F84 C6000000 JE <not Found way>0058CEB6   .^ E9 5FFFFFFF   JMP <loop Check debug>0058CEBB > >  61            POPAD                                    ;  Found Debug0058CEBC   .^ E9 59FFFFFF   JMP <loop Check debug>0058CEC1   .  5C 5C 2E 5C 5>ASCII "//./SICE",00058CECA   .  5C 5C 2E 5C 4>ASCII "//./NTICE",00058CED4   .  5C 5C 2E 5C 4>ASCII "//./NTICE7871",00058CEE2   .  5C 5C 2E 5C 4>ASCII "//./NTICED052",00058CEF0   .  5C 5C 2E 5C 5>ASCII "//./TRWDEBUG",00058CEFD   .  5C 5C 2E 5C 5>ASCII "//./TRW",00058CF05   .  5C 5C 2E 5C 5>ASCII "//./TRW2000",00058CF11   .  5C 5C 2E 5C 5>ASCII "//./SUPERBPM",00058CF1E   .  5C 5C 2E 5C 4>ASCII "//./ICEDUMP",00058CF2A   .  5C 5C 2E 5C 5>ASCII "//./REGMON",00058CF35   .  5C 5C 2E 5C 4>ASCII "//./FILEMON",00058CF41   .  5C 5C 2E 5C 5>ASCII "//./REGVXD",00058CF4C   .  5C 5C 2E 5C 4>ASCII "//./FILEVXD",00058CF58   .  5C 5C 2E 5C 5>ASCII "//./VKEYPROD",00058CF65   .  5C 5C 2E 5C 4>ASCII "//./BW2K",00058CF6E   .  5C 5C 2E 5C 5>ASCII "//./SIWDEBUG",00058CF7B      00            DB 000058CF7C > >  60            PUSHAD                                   ;  Good0058CF7D   .  E8 00000000   CALL 0058CF820058CF82  /$  5E            POP ESI0058CF83  |.  83EE 06       SUB ESI,60058CF86  |.  B9 81010000   MOV ECX,1810058CF8B  |.  29CE          SUB ESI,ECX0058CF8D  |.  BA EE0A7B2E   MOV EDX,2E7B0AEE0058CF92  |.  C1E9 02       SHR ECX,20058CF95  |.  83E9 02       SUB ECX,20058CF98  |>  83F9 00       CMP ECX,00058CF9B  |.  7C 1A         JL SHORT 0058CFB70058CF9D  |.  8B048E        MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058CFA0  |.  8B5C8E 04     MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058CFA4  |.  33C3          XOR EAX,EBX0058CFA6  |.  C1C8 03       ROR EAX,30058CFA9  |>  33C2          XOR EAX,EDX0058CFAB  |.  81F2 27ABEB15 XOR EDX,15EBAB270058CFB1  |.  89048E        MOV DWORD PTR DS:[ESI+ECX*4],EAX0058CFB4  |.  49            DEC ECX0058CFB5  |.^ EB E1         JMP SHORT 0058CF980058CFB7  |>  61            POPAD0058CFB8  |.  61            POPAD0058CFB9  /.  C3            RETNchek IsDebuggerPresent:0058DC38 >  60              PUSHAD                                   ; chek IsDebuggerPresent0058DC39    70 03           JO SHORT 0058DC3E0058DC3B    66:8BCE         MOV CX,SI0058DC3E    F8              CLC......0058DDE3   .  E8 18E3FFFF   CALL <sub_GetEBP >
0058DDE8   .  E8 DF020000   CALL <EAX=0 Do something>0058DDED   .  0BC0          OR EAX,EAX0058DDEF   .  75 34         JNZ SHORT <Not Found debug>0058DDF1   .  90            NOP0058DDF2   .  90            NOP0058DDF3   .  90            NOP0058DDF4   .  90            NOP0058DDF5   .  C685 382C4100>MOV BYTE PTR SS:[EBP+412C38],0C3         ;  如果执行了相关功能则在入口入改为ret0058DDFC   .  FF95 47FD4000 CALL DWORD PTR SS:[EBP+40FD47]           ;  [IsDebuggerPresent0058DE02   .  0BC0          OR EAX,EAX0058DE04   .  74 1F         JE SHORT <Not Found debug>0058DE06   .  90            NOP0058DE07   .  90            NOP0058DE08   .  90            NOP0058DE09   .  90            NOP0058DE0A   .  8BB5 4B814100 MOV ESI,DWORD PTR SS:[EBP+41814B]0058DE10   .  03B5 46F84000 ADD ESI,DWORD PTR SS:[EBP+40F846]0058DE16   >  AC            LODS BYTE PTR DS:[ESI]0058DE17   >  3C E8         CMP AL,0E80058DE19   .  74 08         JE SHORT 0058DE230058DE1B   .  90            NOP0058DE1C   .  90            NOP0058DE1D   .  90            NOP0058DE1E   .  90            NOP0058DE1F   .  3C E9         CMP AL,0E90058DE21   .^ 75 F3         JNZ SHORT 0058DE160058DE23   >  8906          MOV DWORD PTR DS:[ESI],EAX               ;  写上垃圾代码0058DE25 > >  60            PUSHAD                                   ;  没有找到调试器,则跳到这里0058DE26   .  E8 00000000   CALL 0058DE2B0058DE2B   $  5E            POP ESI0058DE2C   .  83EE 06       SUB ESI,60058DE2F   .  B9 42000000   MOV ECX,420058DE34   .  29CE          SUB ESI,ECX0058DE36   .  BA 83CF06DD   MOV EDX,DD06CF830058DE3B   .  C1E9 02       SHR ECX,20058DE3E   .  83E9 02       SUB ECX,20058DE41 > >  83F9 00       CMP ECX,00058DE44   .  7C 1A         JL SHORT 0058DE600058DE46   .  8B048E        MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058DE49   .  8B5C8E 04     MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058DE4D   .  03C3          ADD EAX,EBX0058DE4F   .  C1C0 09       ROL EAX,90058DE52   .  2BC2          SUB EAX,EDX0058DE54   .  81C2 AC5210A3 ADD EDX,A31052AC0058DE5A   .  89048E        MOV DWORD PTR DS:[ESI+ECX*4],EAX0058DE5D   .  49            DEC ECX0058DE5E   .^ EB E1         JMP SHORT <Crypt Code>0058DE60   >  61            POPAD0058DE61   >  61            POPAD0058DE62   .  C3            RETNsub_Check_UnhandledExceptionFilter:0058D324 >  60              PUSHAD                                   ; 检测该函数入口处是否下了CC断点0058D325    87F8            XCHG EAX,EDI0058D327    49              DEC ECX0058D328    47              INC EDI0058D329    F9              STC......0058D4CF   > /E8 2CECFFFF   CALL <sub_GetEBP >
0058D4D4   .  E8 F30B0000   CALL <EAX=0 Do something>0058D4D9   .  0BC0          OR EAX,EAX0058D4DB   .  75 3E         JNZ SHORT 0058D51B0058D4DD   .  90            NOP0058D4DE   .  90            NOP0058D4DF   .  90            NOP0058D4E0   .  90            NOP0058D4E1   .  C685 24234100>MOV BYTE PTR SS:[EBP+412324],0C3         ;  改入口为ret0058D4E8   .  8D9D F8244100 LEA EBX,DWORD PTR SS:[EBP+4124F8]0058D4EE   .  E8 40F7FFFF   CALL <sub_CHECKAPI_CC>                   ;  检测UnhandledExceptionFilter入口有没有处CC断点0058D4F3   .  EB 26         JMP SHORT 0058D51B0058D4F5      90            NOP0058D4F6      90            NOP0058D4F7      90            NOP0058D4F8   .  8B85 5FFD4000 MOV EAX,DWORD PTR SS:[EBP+40FD5F]0058D4FE   .  8038 CC       CMP BYTE PTR DS:[EAX],0CC0058D501   .  75 17         JNZ SHORT 0058D51A0058D503   >  90            NOP0058D504   .  90            NOP0058D505   .  90            NOP0058D506   .  90            NOP0058D507   .  B8 90010000   MOV EAX,1900058D50C   .  E8 BDE3FFFF   CALL <Get_RND_VALUE>0058D511   .  8DBD 812E4000 LEA EDI,DWORD PTR SS:[EBP+402E81]0058D517   .  03F8          ADD EDI,EAX0058D519   .  AB            STOS DWORD PTR ES:[EDI]0058D51A   >  C3            RETN0058D51B   >  60            PUSHAD                                   ;  Crypt Code0058D51C   .  E8 00000000   CALL 0058D5210058D521  /$  5E            POP ESI0058D522  |.  83EE 06       SUB ESI,60058D525  |.  B9 4C000000   MOV ECX,4C0058D52A  |.  29CE          SUB ESI,ECX0058D52C  |>  BA 02CA9EA2   MOV EDX,A29ECA020058D531  |.  C1E9 02       SHR ECX,20058D534  |.  83E9 02       SUB ECX,20058D537  |>  83F9 00       /CMP ECX,00058D53A  |.  7C 1A         |JL SHORT 0058D5560058D53C  |.  8B048E        |MOV EAX,DWORD PTR DS:[ESI+ECX*4]0058D53F  |.  8B5C8E 04     |MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]0058D543  |.  33C3          |XOR EAX,EBX0058D545  |.  C1C8 1A       |ROR EAX,1A0058D548  |.  03C2          |ADD EAX,EDX0058D54A  |.  81EA F6727BC1 |SUB EDX,C17B72F60058D550  |.  89048E        |MOV DWORD PTR DS:[ESI+ECX*4],EAX0058D553  |.  49            |DEC ECX0058D554  |.^ EB E1         /JMP SHORT 0058D5370058D556  |>  61            POPAD0058D557  |.  61            POPAD0058D558  /.  C3            RETNsub_CHECKAPI_CC:0058CC33 > $  33C0          XOR EAX,EAX0058CC35   .  8DBD F6FD4000 LEA EDI,DWORD PTR SS:[EBP+40FDF6]        ;  取该API0058CC3B   .  57            PUSH EDI0058CC3C   .  64:FF30       PUSH DWORD PTR FS:[EAX]0058CC3F   .  64:8920       MOV DWORD PTR FS:[EAX],ESP0058CC42   .  FFD3          CALL EBX0058CC44   .  2BC0          SUB EAX,EAX0058CC46   .  64:8F00       POP DWORD PTR FS:[EAX]0058CC49   .  58            POP EAX0058CC4A   .  C3            RETNsub_GOTO_END:00592ECE >  E8 25000000     CALL <GOTO END>00592ED3    42              INC EDX00592ED4    79 20           JNS SHORT 00592EF600592ED6    54              PUSH ESP00592ED7    72 69           JB SHORT 00592F4200592ED9    61              POPAD00592EDA    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command00592EDB    2041 43         AND BYTE PTR DS:[ECX+43],AL00592EDE    50              PUSH EAX00592EDF    72 6F           JB SHORT 00592F5000592EE1    74 65           JE SHORT 00592F4800592EE3    637400 73       ARPL WORD PTR DS:[EAX+EAX+73],SI00592EE7    74 65           JE SHORT 00592F4E00592EE9    72 65           JB SHORT 00592F5000592EEB    64:2041 43      AND BYTE PTR FS:[ECX+43],AL00592EEF    50              PUSH EAX00592EF0    72 6F           JB SHORT 00592F6100592EF2    74 65           JE SHORT 00592F5900592EF4    637421 00       ARPL WORD PTR DS:[ECX],SI00592EF8 >  6A 00           PUSH 0                                   ; GOTO END改为jmp [addr] 的方式执行到fake OEP地址00592EFA    83C4 10         ADD ESP,1000592EFD    90              NOP......005930A9    E8 5290FFFF     CALL <sub_GetEBP >
005930AE    8B85 4B814100   MOV EAX,DWORD PTR SS:[EBP+41814B]005930B4    0385 46F84000   ADD EAX,DWORD PTR SS:[EBP+40F846]005930BA    8985 4B814100   MOV DWORD PTR SS:[EBP+41814B],EAX        ; 要去执行的地址005930C0    E8 3B90FFFF     CALL <sub_GetEBP >
005930C5    C685 08814100 E>MOV BYTE PTR SS:[EBP+418108],0E8005930CC    E8 2F90FFFF     CALL <sub_GetEBP >
005930D1    C785 09814100 F>MOV DWORD PTR SS:[EBP+418109],25FF       ; 改成jmp [address]的方式005930DB    8D85 4B814100   LEA EAX,DWORD PTR SS:[EBP+41814B]005930E1    8985 0B814100   MOV DWORD PTR SS:[EBP+41810B],EAX005930E7    E8 1490FFFF     CALL <sub_GetEBP >
005930EC    8DBD B87E4100   LEA EDI,DWORD PTR SS:[EBP+417EB8]005930F2    8D8D FD804100   LEA ECX,DWORD PTR SS:[EBP+4180FD]005930F8    2BCF            SUB ECX,EDI005930FA    C1E9 02         SHR ECX,2005930FD >  E8 CC87FFFF     CALL <Get_RND_VALUE>                     ; Fill junk code00593102    AB              STOS DWORD PTR ES:[EDI]00593103  ^ E2 F8           LOOPD SHORT <sub_fill_Junk>              ; 循环填上垃圾代码,00593105    61              POPAD00593106    EB 01           JMP SHORT 0059310900593108    90              NOP00593109  - FF25 4B315900   JMP DWORD PTR DS:[59314B]                ; JMP to FAKE OEPOK,分析篇到此结束,后面的脱壳篇基本上是体力活了。下次会脱出美女来的:-P。再贴上acprotect 1.41的部分东西,:[EBP+40F76C]注册标志1,这里为1则表示没有注册提示[EBP+414C63]注册标志2,这里为0则表示没有注册提示[EBP+418520]GetModuleHandleA[EBP+418524]LoadLibraryA[EBP+402012]hModule==kernel32.dll[EBP+41851C]GetProcAddress[EBP+40FCFF]保存壳API的开始地址[EBP+41851C]壳输入表起始位置[EBP+40F907]程序输入表起始位置[EBP+415AF7]重定位表的RVA[EBP+415AFB]重定位表的SIZE[EBP+401CCD]保存用了SDK地址大小列表的起始地址[EBP+401B3D]保存用了SDK地址列表的起始地址[EBP+4152A5]如果值为C3表示已经处理完输入表或输入表为空[EBP+40F76D]保存可用次数或天数[EBP+40FD5F]UnhandledExceptionFilter[EBP+41814B]Stolen code后执行到该地址,记录RVA[EBP+41816F]保存正确的CRC值[EBP+401650];保存程序的OEP[EBP+401654];保存壳的入口EPGreetz: Fly.Jingulong,yock,tDasm.David.hexer,hmimys,ahao.UFO(brother).alan(sister).all of my friends and you!By loveboom[DFCG][FCG][US]http://blog.csdn.net/bmd2chenEmail:loveboom#163.comDate:2005-6-11 2:35
达索软件代理 达索软件代理
原创粉丝点击
热门IT博客
系统重装了数据恢复系统重装了数据恢复
淘宝制招牌用什么软件淘宝制招牌用什么软件
如何注册网址域名
vmware tools10 linux
php 判断 整数 小数
js怎么隐藏div
php arraypush 用法
java collection list
剑三喵哥捏脸数据大全
商场客户流失数据
音乐家 知乎
微博运营 知乎
name域名
python 爬知乎
兴安得力软件视频教程
新手如何装修淘宝店铺
利用网络信息诽谤他人
seo查收录代码
淘宝图片保护惩罚
心理学 书籍推荐 知乎
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 电子打火炉具 柴烤火炉 自制家用无烟柴火炉 农村家用无烟柴火炉 家用无烟节能柴火炉 自制无烟高效柴气炉 液化气罐自制家用无烟柴火炉 广州火锅 柴火鱼图片 柴火鱼的做法 柴火鱼 来宾到柳州动车 来宾到柳州动车时刻表 广州到柳州动车 桂林到柳州动车 梧州到柳州动车 柳州至北海动车 柳州到来宾动车时刻表 柳州到广州动车 南宁到柳州的动车 柳州到桂林动车 柳州到成都动车 柳州到南宁的动车 玉林到柳州动车 南宁到来宾的动车 来宾到贵阳的动车 北海到柳州动车 柳州到来宾汽车时刻表 柳州到福州动车 河池到南宁动车 柳州到玉林动车 柳州到珠海动车 钦州到来宾动车 柳州到梧州动车 南宁到贵港动车 贺州到柳州动车 钦州到柳州动车时刻表 钦州到桂林动车 柳州到桂林动车时刻表 贵港到南宁动车 柳州到防城港动车时刻表

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里