Practicing unpacking Soft Defender(1.x)[-]; unfortunately I didn't manage to unpack it. There's some obfuscation and self-modifying code, so IDA can't help with the analysis. On WinXP SP3 this old packer pops up a "debugger detected" box whether or not a debugger is attached (pretty funny), so it presumably only works on systems before WinXP SP3. No need to worry about meeting it in the future either: a program protected with this packer can't even run on its own, so who would use it? While single-stepping I found that the packer uses several anti-debugging tricks.
Hardware breakpoints don't trigger. Solved with the PhantOm.dll plugin by enabling its "protect DRx" option.
SEH handler

004C0343 <SoftDefe.fnSehForInt3> 8B4424 04 mov eax, dword ptr [esp+4] ; EXCEPTION_RECORD
004C0347 8B4C24 0C mov ecx, dword ptr [esp+C] ; CONTEXT
004C034B FF81 B8000000 inc dword ptr [ecx+B8] ; CONTEXT.Eip: step past the int3
004C0351 8B00 mov eax, dword ptr [eax]
004C0353 2D 03000080 sub eax, 80000003 ; only handles int3 (EXCEPTION_BREAKPOINT)
004C0358 75 0E jnz short 004C0368
004C035A 33C0 xor eax, eax ; zero some initial values
004C035C 8941 04 mov dword ptr [ecx+4], eax ; CONTEXT.Dr0 .. Dr3: this clears hardware breakpoints
004C035F 8941 08 mov dword ptr [ecx+8], eax
004C0362 8941 0C mov dword ptr [ecx+C], eax
004C0365 8941 10 mov dword ptr [ecx+10], eax
004C0368 C3 retn

Single-step the code that installs the SEH handler, set a hardware breakpoint at 004C0295 and look at the SEH chain: the handler is at 004C0343.
Set a hardware execution breakpoint at 004C0322; when it hits, set eax = edx = 0 and press F9 to run; the check is passed.

API calls go through a wrapper: it first checks whether any of the first 5 bytes of the API holds 0xCC, and only if none does is the original API address executed. So when setting a breakpoint on a system API, stay clear of the first 5 bytes.
004C4654 58 pop eax ; SoftDefe.004C4653
004C4655 05 E8050000 add eax, 5E8
004C465A 8B00 mov eax, dword ptr [eax] ; eax is LoadLibraryA
004C465C 8038 CC cmp byte ptr [eax], 0CC ; F2 (software) breakpoint check
004C465F 74 22 je short 004C4683
004C4661 8078 01 CC cmp byte ptr [eax+1], 0CC
004C4665 74 1C je short 004C4683
004C4667 8078 02 CC cmp byte ptr [eax+2], 0CC
004C466B 74 16 je short 004C4683
004C466D 8078 03 CC cmp byte ptr [eax+3], 0CC
004C4671 74 10 je short 004C4683
004C4673 8078 04 CC cmp byte ptr [eax+4], 0CC
004C4677 74 0A je short 004C4683
004C4679 50 push eax
004C467A C3 retn ; executes LoadLibraryA(kernel32.dll)

Looking through the packer code, it computes MD5 over many memory ranges (inside the function the MD5 magic constants are visible), and after modifying code a "copy is corrupted" message box appears.
I also read some material on the Soft Defender packer, but what I saw doing it myself differs from what others describe. I'll come back to it once I've improved.
Soft Defender(1.x)[-]
---------------------------
Exit...
---------------------------
Debugger detected - please close it down and restart!
For some debuggers, such as SoftIce, you must restart this machine without it enabled to run this application!
---------------------------
确定
---------------------------

Set 2 hardware breakpoints:
004c0322: set eax = edx = 0 to pass the timing-difference check.
004c14ee: the message box; after 12 F9s, one more F9 and the box pops up.
004C4564: executes the API; when the box pops up, execution also passes through here.

004BB572 E8 E7000000 call 004BB65E ; alertDlg
004C456A 8B00 mov eax, dword ptr [eax] ; after reaching here, 19 more F9s and the box pops up. Do 18 F9s, then single-step.
004BBAEB FF58 05 call far fword ptr [eax+5] ; about to show the dlg
004C03DC /7A 28 jpe short 004C0406 ; flow: 18 F9s
004C0437 3BF2 cmp esi, edx ; SoftDefe.004BBDD7
004C0446 E8 01000000 call 004C044C ; f7
004BB501 50 push eax ; SoftDefe.004C0464
004BB528 5E pop esi ; SoftDefe.004BB527
004BB558 3BD8 cmp ebx, eax
004BB55A ^ 74 EC je short 004BB548
004BB55C E8 05000000 call 004BB566
004BB561 0010 add byte ptr [eax], dl
004BB563 40 inc eax
004BB564 00E8 add al, ch
004BB566 58 pop eax
004BB567 58 pop eax
004BB568 66:9D popfw
004BB56A F3:66:A5 rep movs word ptr es:[edi], wor>
004BB56D E8 7C000000 call 004BB5EE ; alert dlg
004BB572 E8 E7000000 call 004BB65E ; alertDlg

////////////////////////////////////////////////////////////////////////////////

Set 2 hardware execution breakpoints, 004c0322 and 004c14ee, restart the program and press F9 to run:
* 1st F9: inside the int3 exception handler.
* 2nd F9: at 004c0322; set eax = edx = 0 to pass the timing-difference check.
Then count the F9s afresh up to the warning box: 13 F9s and the box pops up.
Rerun the program; at the 12th F9 set a hardware breakpoint on 004C23A2, run to it with F9, then single-step to find the watershed where the dlg pops up.
Didn't find the watershed; the warning box inevitably appears. This packer pops the box whether or not a debugger is attached, which shows the packer itself is broken.

004C2ABC 3D B9C8B813 cmp eax, 13B8C8B9 ; watershed: one more F9 and the dlg pops up
004C2B51 /0F84 0B050000 je 004C3062 ; these 3 key APIs must not be touched, CC breakpoints are detected
004C4C33 >7C80B731 kernel32.GetModuleHandleA
004C4C37 >7C80AE30 kernel32.GetProcAddress
004C4C3B >7C801D7B kernel32.LoadLibraryA
004C2B22 E8 FDE9FFFF call 004C1524
004C2B27 83C4 0C add esp, 0C
004C2B2A 85ED test ebp, ebp
004C2B2C 74 05 je short 004C2B33
004C2B2E 8B77 1C mov esi, dword ptr [edi+1C]
004C2B31 EB 03 jmp short 004C2B36
004C2B33 8B77 0C mov esi, dword ptr [edi+C]
004C2B36 8B6F 74 mov ebp, dword ptr [edi+74]
004C2B39 03F3 add esi, ebx
004C2B3B 896C24 2C mov dword ptr [esp+2C], ebp
004C2B3F E8 23E9FFFF call 004C1467 ; alert dlg

Stack:
0012FBAC 7C801D7B kernel32.LoadLibraryA
0012FBB0 00400000 SoftDefe.00400000
0012FBB4 ED5A760E
0012FBB8 5B03D4BB

0012FAFC 004C1514 RETURN to SoftDefe.004C1514 from SoftDefe.004C468A
0012FB00 00000000
0012FB04 004C1427 ASCII "this file is corruped. please obtain a new copy of the program!"
0012FB08 004C1420 ASCII "Error!"

004C14EE /74 2B je short 004C151B ; message box; patch the jump here
004C14F0 |E8 93EBFFFF call 004C0088
004C14F5 |6A 00 push 0
004C14F7 |68 20744000 push 00407420
004C14FC |E8 60EBFFFF call 004C0061
004C1501 |50 push eax
004C1502 |68 27744000 push 00407427
004C1507 |E8 55EBFFFF call 004C0061
004C150C |50 push eax
004C150D |6A 00 push 0
004C150F |E8 76310000 call 004C468A
004C1514 |6A 09 push 9
004C1516 |E8 F7300000 call 004C4612
004C151B /B8 01000000 mov eax, 1
004C1520 83C4 68 add esp, 68
004C1523 C3 retn

//////////////////////////////////////////////////////////////////////////////////////////

004C1835 /74 22 je short 004C1859 ; not jmp
004C184A /75 05 jnz short 004C1851 ; was jmp
004C1875 /75 05 jnz short 004C187C ; was jmp
004C18A2 /75 26 jnz short 004C18CA ; was jmp
004BB421 E8 01000000 call 004BB427 ; need f7
004BB42E /E9 0F8F0000 jmp 004C4342
004C4342 E8 01000000 call 004C4348 ; need f7
004C434E 8B00 mov eax, dword ptr [eax] ; kernel32.GetVersion
Reached a system function; ALT+F9 to return.
004BB437 3D 00000080 cmp eax, 80000000
The watershed seems to be here.
004BB43C 0F82 8C000000 jb 004BB4CE ; was jmp
004BB4DE B9 F23C9E76 mov ecx, 769E3CF2
004BB4E3 E8 01000000 call 004BB4E9 ; alert msg
004C03AA /74 66 je short 004C0412 ; not jmp
004C03B5 /74 2A je short 004C03E1 ; not jmp
004C03D3 /E9 101F0000 jmp 004C22E8
004C22E8 83EC 58 sub esp, 58
004C22EB 56 push esi
004C22EC 57 push edi
004C22ED E8 85DDFFFF call <fnGetIatItemAddr>
004C040C /7B 11 jpo short 004C041F
004C0430 33FF xor edi, edi ; ntdll.7C930208
004C0446 E8 01000000 call 004C044C
004C0464 5F pop edi ; ntdll.7C930208
004BB609 E8 01000000 call 004BB60F

///////////////////////////////////////////////////////////////////////////////////////////////////

004C2385 68 80000000 push 80 ; find api begin
004C238A 8D4C24 08 lea ecx, dword ptr [esp+8]
004C238E 50 push eax
004C238F 51 push ecx
004C2390 E8 30E5FFFF call <fnCRCByMd5>
004C2395 8B46 04 mov eax, dword ptr [esi+4]
004C2398 83C6 04 add esi, 4
004C239B 83C4 0C add esp, 0C
004C239E 85C0 test eax, eax
004C23A0 ^ 75 E3 jnz short 004C2385 ; find api end
004C23A2 8B4424 60 mov eax, dword ptr [esp+60] ; SoftDefe.004BB160

///////////////////////////////////////////////////////////////////////////////////////////////////////////////

004C3028 ^/E9 BAFCFFFF jmp 004C2CE7 ; all the system APIs have been obtained
004C302D E8 35E4FFFF call <fnCalc3> ; outside loop
004C3032 8B57 04 mov edx, dword ptr [edi+4]
004C3035 8B4424 24 mov eax, dword ptr [esp+24]
004C2B4A 8B17 mov edx, dword ptr [edi]
004C2B4C 8B47 10 mov eax, dword ptr [edi+10]
004C2B4F 0BD0 or edx, eax
004C2B51 0F84 0B050000 je 004C3062 ; not jmp
004C2B51 must not be changed; follow the original logic. On the 13th pass it jumps here, presumably the IAT has been completely resolved.
004C3062 5F pop edi ; ntdll.7C930208
004BB3F3 E8 01000000 call 004BB3F9 ; the box pops up
004BB400 /E9 B66F0000 jmp 004C23BB
004C007D <SoftDefe.fnAddB084> 58 pop eax
004C007E 05 84B0FFFF add eax, FFFFB084
004C0083 C3 retn
EAX = 004bb100
004C23C4 E8 99FFFFFF call 004C2362
004C0077 <SoftDefe.fnGetIatItemAddr> E8 01000000 call <fnAddB084> ; alert msg
004C23BB E8 B7DCFFFF call <fnGetIatItemAddr>
004C23C0 83C0 60 add eax, 60
004C23C3 50 push eax
004C23C4 E8 99FFFFFF call 004C2362
004C236B 8B70 70 mov esi, dword ptr [eax+70]
004C2377 E8 21E5FFFF call <fnFillStruct>
004C237C 8B06 mov eax, dword ptr [esi] ; kernel32.GetCurrentThread
004C2385 68 80000000 push 80 ; find api begin
004C238A 8D4C24 08 lea ecx, dword ptr [esp+8]
004C238E 50 push eax
004C238F 51 push ecx
004C2390 E8 30E5FFFF call <fnCRCByMd5>
004C2395 8B46 04 mov eax, dword ptr [esi+4]
004C2398 83C6 04 add esi, 4
004C239B 83C4 0C add esp, 0C
004C239E 85C0 test eax, eax
004C23A0 ^ 75 E3 jnz short 004C2385 ; find api end
004C23AC E8 BBE5FFFF call <fnCrc1>
004C23B1 83C4 08 add esp, 8 ; dlg not shown yet
004BB409 6A 01 push 1
004BB40B E8 01000000 call 004BB411
004BB410 FF58 05 call far fword ptr [eax+5]
004C1825 51 push ecx
004C1826 56 push esi
004C1827 57 push edi
004C1828 E8 4AE8FFFF call <fnGetIatItemAddr>
004C0077 <SoftDefe.fnGetIatItemAddr> E8 01000000 call <fnAddB084> ; alert msg, must F7

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

When the timing difference is compared, change eax = edx = 0:
004C0322 83FA 00 cmp edx, 0 ; timing-difference check
004C0325 ^ 0F85 70FFFFFF jnz <L_FIND_DBG>
004C032B 3D 00000030 cmp eax, 30000000
004C0330 ^ 0F87 65FFFFFF ja <L_FIND_DBG>
004C0336 74 31 je short 004C0369
004C0338 75 2F jnz short 004C0369
004C033A E8 00104000 call 008C133F
004C455E E8 01000000 call <fnAntiDebugAndCallApi> ; F7 to enter
This must jump:
004C14EE /74 2B je short 004C151B ; jmp

004BB000 SoftDefe.<ModuleEntryPoint> /74 07 je short 004BB009
004BB002 |75 05 jnz short 004BB009
004BB009 /74 1F je short 004BB02A
004BB00B |75 1D jnz short 004BB02A
004BB02A /78 0F js short 004BB03B
004BB02C |79 0D jns short 004BB03B
004BB03B 68 A2AF4701 push 147AFA2
004BB040 59 pop ecx
004BB041 E8 01000000 call 004BB047
004BB047 58 pop eax ; SoftDefe.004BB046
004BB048 05 E6010000 add eax, 1E6
004BB04D 03C8 add ecx, eax
004BB04F ^ 74 BD je short 004BB00E
004BB051 ^ 75 BB jnz short 004BB00E
004BB00E 68 3944CD00 push 0CD4439
004BB013 59 pop ecx
004BB014 9C pushfd
004BB015 50 push eax
004BB016 74 0A je short 004BB022
004BB018 75 08 jnz short 004BB022
004BB022 E8 F4FFFFFF call 004BB01B
004BB027 56 push esi
004BB01B 59 pop ecx ; SoftDefe.004BB027
004BB01C C2 0400 retn 4
004BB22C /0F82 82010000 jb 004BB3B4
004BB232 |0F83 7C010000 jnb 004BB3B4
004BB3B4 E8 01000000 call 004BB3BA
004BB3B9 FF5A 81 call far fword ptr [edx-7F]
004BB3BA 5A pop edx ; SoftDefe.004BB3B9
004BB3BB 81C2 35980000 add edx, 9835
004BB3C1 E8 01000000 call 004BB3C7
004BB3C6 FF58 05 call far fword ptr [eax+5]
004BB3C7 58 pop eax ; SoftDefe.004BB3C6
004BB3C8 05 E2FDFFFF add eax, -21E
004BB3CD B9 10000000 mov ecx, 10
004BB3D2 E8 769E0000 call 004C524D
004C524D /77 0A ja short 004C5259
004C524F |76 12 jbe short 004C5263
004C5251 |0010 add byte ptr [eax], dl
004C5253 |40 inc eax
004C5254 |00D1 add cl, dl
004C5256 |392A cmp dword ptr [edx], ebp
004C5258 |43 inc ebx
004C5259 /77 12 ja short 004C526D
004C525B 0010 add byte ptr [eax], dl
004C525D 40 inc eax
004C525E 00E0 add al, ah
004C5260 ^ 73 81 jnb short 004C51E3
004C5262 D7 xlat byte ptr [ebx+al]
004C5263 /76 08 jbe short 004C526D
004C526D 53 push ebx
004C526E 56 push esi
004C526F 57 push edi
004C5270 8BD8 mov ebx, eax
004C5272 8B7424 0C mov esi, dword ptr [esp+C]
004C5276 51 push ecx
004C5277 8B0C24 mov ecx, dword ptr [esp] ; decode => from 004bb4xx 004c4bee
004C527A 33FF xor edi, edi
004C527C 3BF2 cmp esi, edx
004C527E 73 0B jnb short 004C528B
004C5280 8A041F mov al, byte ptr [edi+ebx]
004C5283 3006 xor byte ptr [esi], al
004C5285 46 inc esi
004C5286 47 inc edi
004C5287 ^ E2 F3 loopd short 004C527C
004C5289 ^ EB EC jmp short 004C5277
004C528B E8 01000000 call 004C5291 ; decoding finished
004C5291 58 pop eax ; SoftDefe.004C5290
004C5292 05 0D000000 add eax, 0D
004C5297 50 push eax
004C5298 C3 retn
004C529D 59 pop ecx
004C529E 5F pop edi
004C529F 5E pop esi
004C52A0 5B pop ebx
004C52A1 C3 retn
004BB3D7 B8 00000000 mov eax, 0
004BB3DC 50 push eax
004BB3DD E8 01000000 call 004BB3E3
004BB3E3 58 pop eax ; SoftDefe.004BB3E2
004BB3E4 05 11000000 add eax, 11
004BB3E9 50 push eax
004BB3EA E9 32760000 jmp 004C2A21
004C2A21 81EC 30040000 sub esp, 430
004C2A27 53 push ebx
004C2A28 55 push ebp
004C2A29 56 push esi
004C2A2A 57 push edi
004C2A2B E8 31D8FFFF call 004C0261
004C0261 /74 0A je short 004C026D
004C0263 |75 08 jnz short 004C026D
004C026D E8 01000000 call 004C0273
004C0272 FF58 05 call far fword ptr [eax+5]
004C0273 58 pop eax ; SoftDefe.004C0272
004C0274 05 D1000000 add eax, 0D1
004C0279 50 push eax
004C027A 33C0 xor eax, eax
004C027C 64:FF30 push dword ptr fs:[eax]
004C027F 64:8920 mov dword ptr fs:[eax], esp
004C0282 BD D3F10E30 mov ebp, 300EF1D3
004C0287 81C5 78563412 add ebp, 12345678
004C028D 66:B8 1700 mov ax, 17
004C0291 66:83E8 13 sub ax, 13
004C0295 CC int3
004C0296 90 nop
004C0297 3C 04 cmp al, 4
004C0299 /74 71 je short 004C030C // was jmp
004C030C 64:8F05 0000000>pop dword ptr fs:[0] // after the int3 is handled, remove the SEH handler
004C0313 83C4 04 add esp, 4
004C0316 0F31 rdtsc
004C0318 8BC8 mov ecx, eax
004C031A 8BDA mov ebx, edx
004C031C 0F31 rdtsc
004C031E 2BC1 sub eax, ecx
004C0320 1BD3 sbb edx, ebx
004C0322 83FA 00 cmp edx, 0 // timing-difference check, set edx = 0
004C0325 ^ 0F85 70FFFFFF jnz 004C029B
004C032B 3D 00000030 cmp eax, 30000000
004C0330 ^ 0F87 65FFFFFF ja 004C029B
004C0336 74 31 je short 004C0369 // execution suddenly lands at 004c029b; set a hardware breakpoint and run straight to 004C0322, change edx, pass the anti-debug
004C0338 75 2F jnz short 004C0369
004C033A E8 00104000 call 008C133F
004C0369 C3 retn
004C2A30 8BAC24 44040000 mov ebp, dword ptr [esp+444]
004C2A37 C74424 1C 00000>mov dword ptr [esp+1C], 0
004C2A3F 85ED test ebp, ebp
004C2A41 75 6C jnz short 004C2AAF ; ebp is 0, not jmp
004C2A43 68 BF884000 push 004088BF
004C2A48 E8 14D6FFFF call 004C0061
004C0061 E8 00000000 call 004C0066
004C0066 58 pop eax
004C0067 2D 66604000 sub eax, 00406066
004C006C 034424 04 add eax, dword ptr [esp+4] ; now eax is "GetProcessHeap"
004C0070 C2 0400 retn 4
004C2A4D 50 push eax ; SoftDefe.004C28BF
004C2A4E 68 7E7A4000 push 00407A7E
004C2A53 E8 09D6FFFF call 004C0061
004C2A58 50 push eax
004C2A59 E8 F01B0000 call 004C464E // LoadLibraryA
004C2A5E 50 push eax
004C2A5F E8 F3ECFFFF call 004C1757
004C2A64 68 CE884000 push 004088CE
004C2A69 8BF8 mov edi, eax
004C2A6B E8 F1D5FFFF call 004C0061
004C2A70 50 push eax
004C2A71 68 7E7A4000 push 00407A7E
004C2A76 E8 E6D5FFFF call 004C0061
004C2A7B 50 push eax
004C2A7C E8 CD1B0000 call 004C464E
004C2A81 50 push eax
004C2A82 E8 D0ECFFFF call 004C1757
004C2A87 8BF0 mov esi, eax
004C2A89 E8 E9D5FFFF call 004C0077
004C2A8E 85F6 test esi, esi
004C2A90 8BD8 mov ebx, eax
004C0061 E8 00000000 call 004C0066
004C0066 58 pop eax
004C0067 2D 66604000 sub eax, 00406066
004C006C 034424 04 add eax, dword ptr [esp+4] ; now eax is "kernel32.dll"
004C0070 C2 0400 retn 4
004C464E E8 01000000 call 004C4654
004C4653 FF58 05 call far fword ptr [eax+5]
004C4656 E8 0500008B call 8B4C4660
004C4654 58 pop eax ; SoftDefe.004C4653
004C4655 05 E8050000 add eax, 5E8
004C465A 8B00 mov eax, dword ptr [eax] ; eax is LoadLibraryA
004C465C 8038 CC cmp byte ptr [eax], 0CC ; F2 breakpoint check
004C465F 74 22 je short 004C4683
004C4661 8078 01 CC cmp byte ptr [eax+1], 0CC
004C4665 74 1C je short 004C4683
004C4667 8078 02 CC cmp byte ptr [eax+2], 0CC
004C466B 74 16 je short 004C4683
004C466D 8078 03 CC cmp byte ptr [eax+3], 0CC
004C4671 74 10 je short 004C4683
004C4673 8078 04 CC cmp byte ptr [eax+4], 0CC
004C4677 74 0A je short 004C4683
004C4679 50 push eax
004C467A C3 retn ; executes LoadLibraryA(kernel32.dll)
ALT+F9 to return to user code.
004C2A5E 50 push eax ; kernel32.7C800000
004C2A5F E8 F3ECFFFF call 004C1757
004C1757 <SoftDefe.fnGetProcAddress> 53 push ebx
004C1758 55 push ebp
004C1759 8B6C24 10 mov ebp, dword ptr [esp+10] // ebp is "GetProcessHeap"
004C175D 56 push esi
004C175E 57 push edi
004C175F 8B7C24 14 mov edi, dword ptr [esp+14]
004C1763 85FF test edi, edi // edi is kernel32.dll's imagebase
004C1765 0F84 8F000000 je 004C17FA
004C176B 66:813F 4D5A cmp word ptr [edi], 5A4D
004C1770 0F85 84000000 jnz 004C17FA
004C1776 8B47 3C mov eax, dword ptr [edi+3C]
004C1779 03C7 add eax, edi
004C177B 8138 50450000 cmp dword ptr [eax], 4550 // check is valid pe
004C1781 75 77 jnz short 004C17FA
004C1783 8B48 7C mov ecx, dword ptr [eax+7C] // export directory size
004C1786 85C9 test ecx, ecx
004C1788 74 70 je short <L_ERR>
004C178A 8B70 78 mov esi, dword ptr [eax+78] // export directory RVA
004C178D 03F7 add esi, edi
004C178F 03CE add ecx, esi
004C1791 F7C5 0000FFFF test ebp, FFFF0000 // ebp is "GetProcessHeap"; checks whether it is an API ordinal
004C1797 894C24 14 mov dword ptr [esp+14], ecx
004C179B 74 3A je short 004C17D7
004C179D 8B46 18 mov eax, dword ptr [esi+18] // NumberOfNames
004C17A0 33DB xor ebx, ebx
004C17A2 85C0 test eax, eax
004C17A4 76 1E jbe short 004C17C4
004C17A6 8B46 20 mov eax, dword ptr [esi+20] // AddressOfNames
004C17A9 55 push ebp
004C17AA 8D0C98 lea ecx, dword ptr [eax+ebx*4]
004C17AD 8B140F mov edx, dword ptr [edi+ecx]
004C17B0 03D7 add edx, edi
004C17B2 52 push edx // edx is "ActivateActCtx"
004C17B3 E8 11FAFFFF call 004C11C9
004C11C9 8B4C24 04 mov ecx, dword ptr [esp+4] ; kernel32.7C804B9B
004C11CD 8B5424 08 mov edx, dword ptr [esp+8]
004C11D1 53 push ebx
004C11D2 8A01 mov al, byte ptr [ecx]
004C11D4 8A1A mov bl, byte ptr [edx]
004C11D6 38D8 cmp al, bl
004C11D8 75 10 jnz short 004C11EA
004C11DA 84C0 test al, al
004C11DC 74 0C je short 004C11EA
004C11DE 8A41 01 mov al, byte ptr [ecx+1]
004C11E1 8A5A 01 mov bl, byte ptr [edx+1]
004C11E4 41 inc ecx
004C11E5 42 inc edx
004C11E6 38D8 cmp al, bl
004C11E8 ^ 74 F0 je short 004C11DA
004C11EA 0FBE01 movsx eax, byte ptr [ecx]
004C11ED 0FBE0A movsx ecx, byte ptr [edx]
004C11F0 2BC1 sub eax, ecx
004C11F2 5B pop ebx
004C11F3 C2 0800 retn 8
004C17B3 E8 11FAFFFF call <fnStrCmp>
004C17B8 85C0 test eax, eax
004C17BA 74 08 je short 004C17C4
004C17BC 8B46 18 mov eax, dword ptr [esi+18]
004C17BF 43 inc ebx
004C17C0 3BD8 cmp ebx, eax
004C17C2 ^ 72 E2 jb short 004C17A6
004C17C4 395E 18 cmp dword ptr [esi+18], ebx
004C17C7 76 31 jbe short <L_ERR>
004C17C9 8B46 24 mov eax, dword ptr [esi+24] // AddressOfNameOrdinals
004C17CC 8D0C58 lea ecx, dword ptr [eax+ebx*2]
004C17CF 33C0 xor eax, eax
004C17D1 66:8B040F mov ax, word ptr [edi+ecx]
004C17D5 EB 07 jmp short 004C17DE
004C17D7 <SoftDefe.L_IS_API_SN> 8B4E 10 mov ecx, dword ptr [esi+10] // Base
004C17DA 8BC5 mov eax, ebp
004C17DC 2BC1 sub eax, ecx
004C17DE 3946 14 cmp dword ptr [esi+14], eax // NumberOfFunctions

// loops over the export name table looking for the function name given by ebp
004C17A4 /76 1E jbe short 004C17C4
004C17A6 |8B46 20 mov eax, dword ptr [esi+20]
004C17A9 |55 push ebp
004C17AA |8D0C98 lea ecx, dword ptr [eax+ebx*4]
004C17AD |8B140F mov edx, dword ptr [edi+ecx]
004C17B0 |03D7 add edx, edi
004C17B2 |52 push edx
004C17B3 |E8 11FAFFFF call <fnStrCmp>
004C17B8 |85C0 test eax, eax
004C17BA |74 08 je short 004C17C4
004C17BC |8B46 18 mov eax, dword ptr [esi+18]
004C17BF |43 inc ebx
004C17C0 |3BD8 cmp ebx, eax
004C17C2 ^|72 E2 jb short 004C17A6 ; jmp
004C17C4 /395E 18 cmp dword ptr [esi+18], ebx ; from 17ba
004C17C9 8B46 24 mov eax, dword ptr [esi+24]
004C17CC 8D0C58 lea ecx, dword ptr [eax+ebx*2]
004C17CF 33C0 xor eax, eax
004C17D1 66:8B040F mov ax, word ptr [edi+ecx]
004C17D5 EB 07 jmp short 004C17DE ; jmp
004C17D7 <SoftDefe.L_IS_API_SN> 8B4E 10 mov ecx, dword ptr [esi+10]
004C17DA 8BC5 mov eax, ebp
004C17DC 2BC1 sub eax, ecx
004C17DE 3946 14 cmp dword ptr [esi+14], eax ; from 17d5
004C17E1 /76 17 jbe short <L_ERR>
004C17E3 |8B56 1C mov edx, dword ptr [esi+1C] ; AddressOfFunctions
004C17E6 |8D0482 lea eax, dword ptr [edx+eax*4]
004C17E9 |8B0407 mov eax, dword ptr [edi+eax]
004C17EC |03C7 add eax, edi ; API address obtained
004C17EE |74 0A je short <L_ERR>
004C17F0 |3BC6 cmp eax, esi ; inside the export directory => forwarder, treated as an error
004C17F2 |72 0D jb short 004C1801
004C17F4 |3B4424 14 cmp eax, dword ptr [esp+14]
004C17F8 |77 07 ja short 004C1801
004C17FA <SoftDefe.L_ERR> /55 push ebp
004C17FB 57 push edi
004C17FC E8 992D0000 call 004C459A
004C2A64 68 CE884000 push 004088CE
004C2A69 8BF8 mov edi, eax
004C2A6B E8 F1D5FFFF call 004C0061 ; edi is api address
004C0061 E8 00000000 call 004C0066
004C0066 58 pop eax
004C0067 2D 66604000 sub eax, 00406066
004C006C 034424 04 add eax, dword ptr [esp+4] ; now eax is "GetProcessHeap"
004C0070 C2 0400 retn 4
004C2A6B E8 F1D5FFFF call <fnGetNameByVA> ; edi is api address
004C2A70 50 push eax
004C2A71 68 7E7A4000 push 00407A7E
004C2A76 E8 E6D5FFFF call <fnGetNameByVA>
004C2A7B 50 push eax ; SoftDefe.004C1A7E
004C2A7C E8 CD1B0000 call <fnLoadLibraryA>
004C2A81 50 push eax
004C2A82 E8 D0ECFFFF call <fnGetProcAddress>
004C2A87 8BF0 mov esi, eax
004C2A89 E8 E9D5FFFF call 004C0077
004C0077 E8 01000000 call 004C007D
004C007D 58 pop eax ; SoftDefe.004C007C
004C007E 05 84B0FFFF add eax, FFFFB084
004C0083 C3 retn
004C2A89 E8 E9D5FFFF call <fnGetIatItemAddr>
004C2A8E 85F6 test esi, esi ; ntdll.RtlAllocateHeap
004C2A90 8BD8 mov ebx, eax
004C2A92 74 14 je short <L_ERR>
004C2A94 85FF test edi, edi
004C2A96 74 10 je short <L_ERR>
004C2A98 68 20030000 push 320
004C2A9D 6A 08 push 8
004C2A9F FFD7 call edi // GetProcessHeap
004C2AA1 50 push eax
004C2AA2 FFD6 call esi // RtlAllocateHeap
004C2AB7 E8 8CFCFFFF call 004C2748
004C2ABC 3D B9C8B813 cmp eax, 13B8C8B9
004C2AC1 75 08 jnz short 004C2ACB
004C2AC3 C74424 18 01000>mov dword ptr [esp+18], 1
004C2ACB 68 D8884000 push 004088D8
004C2AD0 E8 8CD5FFFF call <fnGetNameByVA>
004C223C 81EC 04010000 sub esp, 104
004C2242 E8 30DEFFFF call <fnGetIatItemAddr>
004C2247 8D0C24 lea ecx, dword ptr [esp]
004C224A 05 A8000000 add eax, 0A8
004C224F 51 push ecx
004C2250 6A 10 push 10
004C2252 50 push eax
004C2253 E8 CCF2FFFF call 004C1524
004C2258 8B8424 14010000 mov eax, dword ptr [esp+114]
004C225F 8D5424 0C lea edx, dword ptr [esp+C]
004C2263 52 push edx
004C2264 6A 04 push 4
004C2266 50 push eax
004C2267 E8 56F3FFFF call 004C15C2
004C226C 81C4 1C010000 add esp, 11C
004C2272 C2 0400 retn 4

004C2253 E8 CCF2FFFF call 004C1524
// builds an ASCII table, size = 0x100
004C1524 <SoftDefe.fnSMC> 83EC 08 sub esp, 8
004C1527 33D2 xor edx, edx
004C1529 33C0 xor eax, eax
004C152B 53 push ebx
004C152C 55 push ebp
004C152D 8B6C24 1C mov ebp, dword ptr [esp+1C]
004C1531 56 push esi
004C1532 57 push edi
004C1533 8BCD mov ecx, ebp
004C1535 8801 mov byte ptr [ecx], al
004C1537 40 inc eax
004C1538 41 inc ecx
004C1539 66:3D 0001 cmp ax, 100
004C153D ^ 7C F6 jl short 004C1535
004C153F 8895 00010000 mov byte ptr [ebp+100], dl
004C1545 8895 01010000 mov byte ptr [ebp+101], dl
004C154B 885424 24 mov byte ptr [esp+24], dl
004C154F 33F6 xor esi, esi
004C1551 8BDD mov ebx, ebp
004C1553 C74424 10 00010>mov dword ptr [esp+10], 100
004C155B 8B7C24 24 mov edi, dword ptr [esp+24]
004C155F 8B4C24 1C mov ecx, dword ptr [esp+1C]
004C1563 81E7 FF000000 and edi, 0FF
004C1569 33C0 xor eax, eax
004C156B 33D2 xor edx, edx
004C156D 8A0439 mov al, byte ptr [ecx+edi]
004C1570 8A13 mov dl, byte ptr [ebx]
004C1572 03F0 add esi, eax
004C1574 03D6 add edx, esi
004C1576 81E2 FF000080 and edx, 800000FF
004C157C 79 08 jns short 004C1586
004C157E 4A dec edx
004C157F 81CA 00FFFFFF or edx, FFFFFF00
004C1585 42 inc edx
004C1586 885424 14 mov byte ptr [esp+14], dl
004C158A 8B7424 14 mov esi, dword ptr [esp+14]
004C158E 81E6 FF000000 and esi, 0FF
004C1594 8D4435 00 lea eax, dword ptr [ebp+esi]
004C1598 50 push eax
004C1599 53 push ebx
004C159A E8 43010000 call <fnSwapByte>
004C159F 8D47 01 lea eax, dword ptr [edi+1]
004C15A2 83C4 08 add esp, 8
004C15A5 99 cdq
004C15A6 F77C24 20 idiv dword ptr [esp+20] ; 0x10
004C15AA 8B4424 10 mov eax, dword ptr [esp+10]
004C15AE 43 inc ebx
004C15AF 48 dec eax
004C15B0 894424 10 mov dword ptr [esp+10], eax
004C15B4 885424 24 mov byte ptr [esp+24], dl
004C15B8 ^ 75 A1 jnz short 004C155B
004C15BA 5F pop edi ; this is churning the memory data
004C15BB 5E pop esi
004C15BC 5D pop ebp
004C15BD 5B pop ebx
004C15BE 83C4 08 add esp, 8
004C15C1 C3 retn

004C16E2 <SoftDefe.fnSwapByte> 8B4424 04 mov eax, dword ptr [esp+4]
004C16E6 56 push esi
004C16E7 8B7424 0C mov esi, dword ptr [esp+C]
004C16EB 8A08 mov cl, byte ptr [eax]
004C16ED 8A16 mov dl, byte ptr [esi]
004C16EF 8810 mov byte ptr [eax], dl
004C16F1 880E mov byte ptr [esi], cl
004C16F3 5E pop esi
004C16F4 C3 retn

004C15C2 83EC 10 sub esp, 10
004C15C5 8B5424 18 mov edx, dword ptr [esp+18]
004C2267 E8 56F3FFFF call <fnMemOpt>
004C226C 81C4 1C010000 add esp, 11C
004C2272 C2 0400 retn 4
004C26EE E8 49FBFFFF call <fnIatAndMemOpt>
004C26F3 8B4424 04 mov eax, dword ptr [esp+4]
004C26F7 C2 0400 retn 4
004C2753 E8 87FFFFFF call <fnIatAndMemOpt1>
004C2758 35 47F2EA87 xor eax, 87EAF247
004C275D C3 retn
004C2AB7 E8 8CFCFFFF call <fnIatItemOpt>
004C2ABC 3D B9C8B813 cmp eax, 13B8C8B9
004C2AC1 75 08 jnz short 004C2ACB
004C279E 56 push esi ; ntdll.RtlAllocateHeap
004C279F 8B7424 08 mov esi, dword ptr [esp+8]
004C27A3 56 push esi
004C27A4 E8 B51D0000 call 004C455E
004C4564 <SoftDefe.fnAntiDebugAndCallApi> 58 pop eax ; call GetModuleHandleA
004C4565 05 D0060000 add eax, 6D0
004C456A 8B00 mov eax, dword ptr [eax] ; kernel32.GetModuleHandleA
004C456C 8038 CC cmp byte ptr [eax], 0CC
004C456F 74 22 je short 004C4593
004C4571 8078 01 CC cmp byte ptr [eax+1], 0CC
004C4575 74 1C je short 004C4593
004C4577 8078 02 CC cmp byte ptr [eax+2], 0CC
004C457B 74 16 je short 004C4593
004C457D 8078 03 CC cmp byte ptr [eax+3], 0CC
004C4581 74 10 je short 004C4593
004C4583 8078 04 CC cmp byte ptr [eax+4], 0CC
004C4587 74 0A je short 004C4593
004C4589 50 push eax
004C458A C3 retn
004C455E E8 01000000 call <fnAntiDebugAndCallApi>
004C4563 FF58 05 call far fword ptr [eax+5]
004C4566 D006 rol byte ptr [esi], 1
004C4568 0000 add byte ptr [eax], al
004C2B33 8B77 0C mov esi, dword ptr [edi+C]
004C147C E8 E5F2FFFF call <fnIsValidPE>
004C1481 E8 F1EBFFFF call <fnGetIatItemAddr>
004C1486 8BF0 mov esi, eax ; SoftDefe.004BB100
004C148E E8 DCEEFFFF call <fnSetEaxAs9BEE>
004C1493 8BD8 mov ebx, eax
004C1495 8D4424 1C lea eax, dword ptr [esp+1C]
004C14AA E8 16F4FFFF call 004C08C5

0012FB20 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 ; MD5 initial state
0012FB30 00 00 00 00 00 00 00 00 FF FF FF FF BB E6 80 7C
0012FB40 EC E4 80 7C 63 00 00 00 9F 15 4C 00 B3 FC 12 00

004C08C5 53 push ebx
004C08C6 55 push ebp
004C10D4 56 push esi ; fnBackupCode
004C10D5 8B7424 10 mov esi, dword ptr [esp+10]
004C10D9 85F6 test esi, esi
004C10DB 76 13 jbe short 004C10F0
004C10DD 8B4424 08 mov eax, dword ptr [esp+8]
004C10E1 8B4C24 0C mov ecx, dword ptr [esp+C]
004C10E5 2BC8 sub ecx, eax
004C10E7 8A1408 mov dl, byte ptr [eax+ecx] ; copy imagebase bytes to backup
004C10EA 8810 mov byte ptr [eax], dl
004C10EC 40 inc eax
004C10ED 4E dec esi
004C10EE ^ 75 F7 jnz short 004C10E7
004C10F0 5E pop esi
004C10F1 C3 retn

fnMd5Init
004C09E5 53 push ebx ; CRC?
004C09E6 56 push esi
004C09E7 57 push edi
004C09E8 BE 01234567 mov esi, 67452301 ; MD5 state A
004C09ED BF 89ABCDEF mov edi, EFCDAB89 ; MD5 state B
004C09F2 BA FEDCBA98 mov edx, 98BADCFE ; MD5 state C
004C09F7 BB 76543210 mov ebx, 10325476 ; MD5 state D
004C0EA4 81C1 39D0D4D9 add ecx, D9D4D039 ; an MD5 round constant

004C10F2 8B4C24 0C mov ecx, dword ptr [esp+C] ; memset(dst, value, len)
004C10F6 85C9 test ecx, ecx
004C10F8 76 26 jbe short 004C1120
004C10FA 8A4424 08 mov al, byte ptr [esp+8]
004C10FE 53 push ebx
004C10FF 8AD8 mov bl, al
004C1101 8BD1 mov edx, ecx
004C1103 8AFB mov bh, bl
004C1105 57 push edi
004C1106 8B7C24 0C mov edi, dword ptr [esp+C]
004C110A 8BC3 mov eax, ebx
004C110C C1E0 10 shl eax, 10
004C110F 66:8BC3 mov ax, bx
004C1112 C1E9 02 shr ecx, 2
004C1115 F3:AB rep stos dword ptr es:[edi]
004C1117 8BCA mov ecx, edx
004C1119 83E1 03 and ecx, 3
004C111C F3:AA rep stos byte ptr es:[edi]
004C111E 5F pop edi
004C111F 5B pop ebx
004C1120 C3 retn
004C14D1 E8 96F4FFFF call <fnCrc1>
004C14D6 83C4 24 add esp, 24
004C14E4 E8 57FDFFFF call <fnCalc2>
004C14E9 5F pop edi ; SoftDefe.004BB100
004C14ED 5B pop ebx
004C14EE 74 2B je short 004C151B ; jmp
004C2B51 /0F84 0B050000 je 004C3062 ; not jmp
004C2B81 /74 0D je short 004C2B90
This must jump:
004C14EE /74 2B je short 004C151B ; jmp
004C2CE7 837D 00 00 cmp dword ptr [ebp], 0
004C2CEB 0F84 3C030000 je 004C302D ; have not jmp
004C3028 ^/E9 BAFCFFFF jmp 004C2CE7 ; all the system APIs have been obtained
004C302D E8 35E4FFFF call <fnCalc3> ; outside loop
004C2B51 /0F84 0B050000 je 004C3062 ; not jmp
004C2B57 |E8 0BE9FFFF call <fnCalc3>
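The export walk that fnGetProcAddress (004C1757) performs above, written out in Python as an added example (this is my reconstruction, not code from the packer or the author): same MZ/PE checks, same export-directory field offsets (+0x10 Base, +0x14 NumberOfFunctions, +0x18 NumberOfNames, +0x1C AddressOfFunctions, +0x20 AddressOfNames, +0x24 AddressOfNameOrdinals), linear name comparison instead of a binary search, the ordinal path taken when the argument has no bits above 0xFFFF, and a result inside the export directory (a forwarder) treated as failure. The tiny PE image it runs on is constructed here; the function names, RVAs and base address in it are made up.

```python
import struct


def resolve_export(image: bytes, base: int, name_or_ordinal):
    """Resolve an export the way fnGetProcAddress does; None wherever it takes L_ERR."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    if image[:2] != b"MZ":                              # cmp word ptr [edi], 5A4D
        return None
    nt = u32(0x3C)                                      # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":                   # cmp dword ptr [eax], 4550
        return None
    exp_rva, exp_size = u32(nt + 0x78), u32(nt + 0x7C)  # DataDirectory[EXPORT]
    if exp_size == 0:
        return None
    exp_end = exp_rva + exp_size                        # kept at [esp+14] in the listing
    ordinal_base = u32(exp_rva + 0x10)
    n_funcs = u32(exp_rva + 0x14)
    n_names = u32(exp_rva + 0x18)
    funcs = u32(exp_rva + 0x1C)
    names = u32(exp_rva + 0x20)
    ordinals = u32(exp_rva + 0x24)

    if isinstance(name_or_ordinal, int) and name_or_ordinal <= 0xFFFF:
        index = name_or_ordinal - ordinal_base          # L_IS_API_SN: ebp - Base
    else:
        wanted = name_or_ordinal.encode()
        for i in range(n_names):                        # linear scan with fnStrCmp
            name_rva = u32(names + 4 * i)
            if image[name_rva:image.index(b"\0", name_rva)] == wanted:
                index = u16(ordinals + 2 * i)           # AddressOfNameOrdinals[i]
                break
        else:
            return None
    if not 0 <= index < n_funcs:                        # cmp [esi+14], eax ; jbe L_ERR
        return None
    rva = u32(funcs + 4 * index)                        # AddressOfFunctions[index]
    if rva == 0:                                        # empty slot (my reading of the je after add)
        return None
    if exp_rva <= rva < exp_end:                        # forwarder string: packer treats as error
        return None
    return base + rva


def build_sample_image() -> bytes:
    """Constructed minimal PE image with three exports (names and RVAs are made up)."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<II", img, 0x80 + 0x78, 0x200, 0x100)   # export dir RVA / size
    # Base=1, NumberOfFunctions=3, NumberOfNames=3, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIIII", img, 0x200 + 0x10, 1, 3, 3, 0x228, 0x234, 0x240)
    struct.pack_into("<III", img, 0x228, 0x1000, 0, 0x268)     # ordinal 1, 2 (empty), 3 (forwarder)
    struct.pack_into("<III", img, 0x234, 0x248, 0x250, 0x260)  # name string RVAs
    struct.pack_into("<HHH", img, 0x240, 1, 0, 2)              # name -> function index
    img[0x248:0x24E] = b"Alpha\0"
    img[0x250:0x25F] = b"GetProcessHeap\0"
    img[0x260:0x264] = b"Fwd\0"
    fwd = b"NTDLL.RtlAllocateHeap\0"                           # forwarder text inside the export dir
    img[0x268:0x268 + len(fwd)] = fwd
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print(hex(resolve_export(img, 0x7C800000, "GetProcessHeap") or 0))
    print(resolve_export(img, 0x7C800000, "Fwd"))
```

The forwarder rule matters in practice: kernel32 forwards a number of exports to ntdll, and a resolver written like this one fails on them rather than following the forwarder string, which is consistent with the packer resolving RtlAllocateHeap from ntdll directly in the trace above.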
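The "ASCII table" routine fnSMC (004C1524) above, rewritten in Python as an added example (mine, not the author's or the packer's code). Its structure (an identity table of 0x100 bytes, then 0x100 rounds of j = j + key[k] + S[i] with S[i] and S[j] swapped through fnSwapByte, the key index reduced modulo the length passed as the third argument, 0x10 at 004C2250) is the RC4 key-scheduling algorithm; that identification is my reading of the listing. The keystream generator is standard RC4 and is added only so the identification can be checked against public RC4 test vectors; the packer's own 16-byte key is not on the page, so the sample key below is constructed.

```python
def ksa(key: bytes) -> bytearray:
    """Key scheduling as fnSMC performs it (identical to RC4's KSA)."""
    s = bytearray(range(256))              # 004C1535..004C153D: S[i] = i
    j = 0                                  # esi
    k = 0                                  # key index, the byte kept at [esp+24]
    for i in range(256):                   # [esp+10] counts down from 0x100
        j = (j + key[k] + s[i]) & 0xFF     # add esi, key[k]; edx = S[i] + esi; masked to a byte
        s[i], s[j] = s[j], s[i]            # fnSwapByte(&S[j], &S[i])
        k = (k + 1) % len(key)             # lea eax, [edi+1]; cdq; idiv keylen; remainder kept
    return s


def prga(s: bytearray, n: int) -> bytes:
    """Standard RC4 keystream generation (not shown in the listing; added for verification)."""
    s = bytearray(s)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, prga(ksa(key), len(data))))


def is_permutation(s: bytearray) -> bool:
    """Sanity check on the scheduled state: every byte value appears exactly once."""
    return sorted(s) == list(range(256))


if __name__ == "__main__":
    sample_key = bytes(range(0x10))        # constructed 16-byte key, matching the 0x10 length at 004C2250
    print(is_permutation(ksa(sample_key)))
    print(rc4(b"Key", b"Plaintext").hex())
```

Recognising the KSA by shape (identity fill, 256 swap rounds, key index wrapped with a divide) is usually faster than tracing it: once the routine is identified, the 16 bytes passed in as the second argument are the key, and the caller at 004C15C2 (fnMemOpt) is where the state is applied to data.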
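The author identified fnMd5Init by the magic numbers loaded at 004C09E8 and answered the "CRC?" comment by spotting the round constant at 004C0EA4. The following is an added example (not the author's code) of a small constant scanner that automates that recognition over a byte range: it looks for the MD5 initial state, the 64 MD5 round constants (K[i] = floor(|sin(i + 1)| * 2^32)) and the CRC-32 polynomial as little-endian immediates. The input below is constructed from the opcode bytes shown in the listing.

```python
import math
import struct

MD5_INIT = {0x67452301: "MD5 state A", 0xEFCDAB89: "MD5 state B",
            0x98BADCFE: "MD5 state C", 0x10325476: "MD5 state D"}
# MD5 round constants, as RFC 1321 defines them
MD5_K = {int(abs(math.sin(i + 1)) * (1 << 32)) & 0xFFFFFFFF: f"MD5 K[{i}]" for i in range(64)}
CRC32 = {0xEDB88320: "CRC-32 polynomial (reflected)", 0x04C11DB7: "CRC-32 polynomial"}


def scan_constants(code: bytes):
    """Return (offset, value, label) for every known constant found at any byte offset."""
    hits = []
    for off in range(len(code) - 3):
        value = struct.unpack_from("<I", code, off)[0]   # x86 immediates are little-endian
        label = MD5_INIT.get(value) or MD5_K.get(value) or CRC32.get(value)
        if label:
            hits.append((off, value, label))
    return hits


def summarize(hits):
    """Name the algorithms the hits point at (sorted, deduplicated)."""
    return sorted({label.split()[0] for _, _, label in hits})


# Constructed sample: the opcode bytes of the instructions in the listing above.
SAMPLE = bytes.fromhex(
    "BE01234567"     # 004C09E8 mov esi, 67452301
    "BF89ABCDEF"     # 004C09ED mov edi, EFCDAB89
    "BAFEDCBA98"     # 004C09F2 mov edx, 98BADCFE
    "BB76543210"     # 004C09F7 mov ebx, 10325476
    "81C139D0D4D9"   # 004C0EA4 add ecx, D9D4D039
)

if __name__ == "__main__":
    for off, value, label in scan_constants(SAMPLE):
        print(f"+{off:02x}: {value:08x} {label}")
    print(summarize(scan_constants(SAMPLE)))
```

Because the scan is byte-aligned, it finds constants whether they are loaded with mov, added with add, or sit in a data table; in a real dump the offsets are relative to the range scanned, so add the range's start address to report them.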