00905BA8 893424 MOV DWORD PTR SS:[ESP],ESI ; // PUSH ESI, Stolen code 11
00905BAB 8915 348C8E00 MOV DWORD PTR DS:[8E8C34],EDX
00905BB1 FF35 348C8E00 PUSH DWORD PTR DS:[8E8C34]
00905BB7 56 PUSH ESI
00905BB8 60 PUSHAD
00905BB9 E8 1EF6FEFF CALL XieXieMa.008F51DC
00905BBE C685 2BEC4100 E8 MOV BYTE PTR SS:[EBP+41EC2B],0E8
00905BC5 61 POPAD
00905BC6 BE 5C8C8E00 MOV ESI,XieXieMa.008E8C5C
00905BCB 8BD6 MOV EDX,ESI
00905BCD 5E POP ESI ; // EDX = 8E8C5C
00905BCE 893A MOV DWORD PTR DS:[EDX],EDI
00905BD0 8F05 308C8E00 POP DWORD PTR DS:[8E8C30]
00905BD6 8B15 308C8E00 MOV EDX,DWORD PTR DS:[8E8C30]
00905BDC FF35 5C8C8E00 PUSH DWORD PTR DS:[8E8C5C]
00905BE2 893424 MOV DWORD PTR SS:[ESP],ESI
00905BE5 893C24 MOV DWORD PTR SS:[ESP],EDI ; // PUSH EDI, Stolen Code 12
00905BE8 90 NOP
00905BE9 90 NOP
00905BEA 90 NOP
00905BEB 90 NOP
00905BEC 90 NOP
00905BED 90 NOP
00905BEE 60 PUSHAD
00905BEF E8 E8F5FEFF CALL XieXieMa.008F51DC
00905BF4 C785 2CEC4100 FF250000 MOV DWORD PTR SS:[EBP+41EC2C],25FF
00905BFE 8D85 6EEC4100 LEA EAX,DWORD PTR SS:[EBP+41EC6E]
00905C04 8985 2EEC4100 MOV DWORD PTR SS:[EBP+41EC2E],EAX
00905C0A E8 CDF5FEFF CALL XieXieMa.008F51DC
00905C0F 8DBD 8CE94100 LEA EDI,DWORD PTR SS:[EBP+41E98C]
00905C15 8D8D 20EC4100 LEA ECX,DWORD PTR SS:[EBP+41EC20]
00905C1B 2BCF SUB ECX,EDI
00905C1D C1E9 02 SHR ECX,2
00905C20 E8 55F3FEFF CALL XieXieMa.008F4F7A ; // 取随机数
00905C25 AB STOS DWORD PTR ES:[EDI] ; // 破坏 90598C 开始的区域
00905C26 ^\E2 F8 LOOPD SHORT XieXieMa.00905C20
00905C28 61 POPAD ; // F4到这里
00905C29 EB 01 JMP SHORT XieXieMa.00905C2C
00905C2C - FF25 6E5C9000 JMP DWORD PTR DS:[905C6E] ; // 到真正的OEP
// 49BF2D, 补上 Stolen Code , OEP = 49BF0A, Dump 得到 X1.EXE
0049BF0A /> /55 PUSH EBP
0049BF0B |. |8BEC MOV EBP,ESP
0049BF0D |. |6A FF PUSH -1
0049BF0F |. |68 B0DB4B00 PUSH X3.004BDBB0
0049BF14 |. |68 901F4A00 PUSH X3.004A1F90 ; SE handler installation
0049BF19 |. |64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0049BF1F |. |50 PUSH EAX
0049BF20 |. |64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0049BF27 |. |83EC 58 SUB ESP,58
0049BF2A |. |53 PUSH EBX
0049BF2B |. |56 PUSH ESI
0049BF2C |. |57 PUSH EDI
// 这里如果用 ImportRec IAT autoserach, 将一无所获, 继续 F7
0049BF2D |. |8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0049BF30 |. |FF15 38B14B00 CALL DWORD PTR DS:[4BB138] ; // Call GetVersion, VC特征, F7 进入
008E802A /$ 68 DF41F33E PUSH 3EF341DF
008E802F |. 813424 A44AAA42 XOR DWORD PTR SS:[ESP],42AA4AA4
008E8036 \. C3 RETN ; // 两数 Xor 得到真正的 GetVersion 地址 (3EF341DF xor 42AA4AA4 = 7C590B7B)
7C590B7B > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18] ; // GetVersion
7C590B81 8B48 30 MOV ECX,DWORD PTR DS:[EAX+30]
7C590B84 8B91 B0000000 MOV EDX,DWORD PTR DS:[ECX+B0]
7C590B8A 0FB781 AC000000 MOVZX EAX,WORD PTR DS:[ECX+AC]
7C590B91 83F2 FE XOR EDX,FFFFFFFE
7C590B94 C1E2 0E SHL EDX,0E
7C590B97 0BC2 OR EAX,EDX
7C590B99 C1E0 08 SHL EAX,8
7C590B9C 0B81 A8000000 OR EAX,DWORD PTR DS:[ECX+A8]
7C590BA2 C1E0 08 SHL EAX,8
7C590BA5 0B81 A4000000 OR EAX,DWORD PTR DS:[ECX+A4]
7C590BAB C3 RETN ; // 返回 49BF36
0049BF36 |. |33D2 XOR EDX,EDX
0049BF38 |. |8AD4 MOV DL,AH
0049BF3A |. |8915 08AE4C00 MOV DWORD PTR DS:[4CAE08],EDX