逆向分析AHpack

By admin in 使用交流 on 2020年1月5日

这是要搞哪样?用穷举法列出所有可能的序列号么?

从暑假开始逆向研究也有一个半月了,今晚分析了一个压缩壳,第一次脱离书本逆向一个程序,放上来纪念一下。

00A43DE0  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]

其实像这种壳完全可以esp定律秒掉的,之所以分析它,是因为我想知道所谓IAT修复具体是怎么个算法,还有压缩壳到底流程是怎么样的,我认为学逆向最大的乐趣就是可以满足人的好奇心,只要精力够,程序的每个细节是怎么做的都可以知道。

00A43DE3  |.  BA 7842A400   MOV EDX,picpick.00A44278                 ;
 UNICODE “PBK-AZJH-TVVT-LTTD”
00A43DE8  |.  E8 934A9CFF   CALL picpick.00408880
00A43DED  |.  75 0C         JNZ SHORT picpick.00A43DFB
00A43DEF  |.  8BC3          MOV EAX,EBX
00A43DF1  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43DF6  |.  E8 9D439CFF   CALL picpick.00408198
00A43DFB  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43DFE  |.  BA C842A400   MOV EDX,picpick.00A442C8                 ;
 UNICODE “PBK-PKTK-VLTD-CTKB”
00A43E03  |.  E8 784A9CFF   CALL picpick.00408880
00A43E08  |.  75 0C         JNZ SHORT picpick.00A43E16
00A43E0A  |.  8BC3          MOV EAX,EBX
00A43E0C  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E11  |.  E8 82439CFF   CALL picpick.00408198
00A43E16  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43E19  |.  BA FC42A400   MOV EDX,picpick.00A442FC                 ;
 UNICODE “PBK-UTVD-QWTY-ABIU”
00A43E1E  |.  E8 5D4A9CFF   CALL picpick.00408880
00A43E23  |.  75 0C         JNZ SHORT picpick.00A43E31
00A43E25  |.  8BC3          MOV EAX,EBX
00A43E27  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E2C  |.  E8 67439CFF   CALL picpick.00408198
00A43E31  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43E34  |.  BA 3043A400   MOV EDX,picpick.00A44330                 ;
 UNICODE “PBK-BHRH-JKHU-WJDI”
00A43E39  |.  E8 424A9CFF   CALL picpick.00408880
00A43E3E  |.  75 0C         JNZ SHORT picpick.00A43E4C
00A43E40  |.  8BC3          MOV EAX,EBX
00A43E42  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E47  |.  E8 4C439CFF   CALL picpick.00408198
00A43E4C  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43E4F  |.  BA 6443A400   MOV EDX,picpick.00A44364                 ;
 UNICODE “PBK-DSDF-GSVF-GSDF”
00A43E54  |.  E8 274A9CFF   CALL picpick.00408880
00A43E59  |.  75 0C         JNZ SHORT picpick.00A43E67
00A43E5B  |.  8BC3          MOV EAX,EBX
00A43E5D  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E62  |.  E8 31439CFF   CALL picpick.00408198
00A43E67  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43E6A  |.  BA 9843A400   MOV EDX,picpick.00A44398                 ;
 UNICODE “PBK-HFWE-TYHB-QSVH”
00A43E6F  |.  E8 0C4A9CFF   CALL picpick.00408880
00A43E74  |.  75 0C         JNZ SHORT picpick.00A43E82
00A43E76  |.  8BC3          MOV EAX,EBX
00A43E78  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E7D  |.  E8 16439CFF   CALL picpick.00408198
00A43E82  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43E85  |.  BA CC43A400   MOV EDX,picpick.00A443CC                 ;
 UNICODE “PBK-ODKS-DTHJ-FDSD”
00A43E8A  |.  E8 F1499CFF   CALL picpick.00408880
00A43E8F  |.  75 0C         JNZ SHORT picpick.00A43E9D
00A43E91  |.  8BC3          MOV EAX,EBX
00A43E93  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43E98  |.  E8 FB429CFF   CALL picpick.00408198
00A43E9D  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43EA0  |.  BA 0044A400   MOV EDX,picpick.00A44400                 ;
 UNICODE “PBK-GJSJ-DSYR-YFGF”
00A43EA5  |.  E8 D6499CFF   CALL picpick.00408880
00A43EAA  |.  75 0C         JNZ SHORT picpick.00A43EB8
00A43EAC  |.  8BC3          MOV EAX,EBX
00A43EAE  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43EB3  |.  E8 E0429CFF   CALL picpick.00408198
00A43EB8  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43EBB  |.  BA 3444A400   MOV EDX,picpick.00A44434                 ;
 UNICODE “PBK-TPWK-TDSD-FBKD”
00A43EC0  |.  E8 BB499CFF   CALL picpick.00408880
00A43EC5  |.  75 0C         JNZ SHORT picpick.00A43ED3
00A43EC7  |.  8BC3          MOV EAX,EBX
00A43EC9  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43ECE  |.  E8 C5429CFF   CALL picpick.00408198
00A43ED3  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43ED6  |.  BA 6844A400   MOV EDX,picpick.00A44468                 ;
 UNICODE “PBK-UYIT-FLDT-FLSA”
00A43EDB  |.  E8 A0499CFF   CALL picpick.00408880
00A43EE0  |.  75 0C         JNZ SHORT picpick.00A43EEE
00A43EE2  |.  8BC3          MOV EAX,EBX
00A43EE4  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43EE9  |.  E8 AA429CFF   CALL picpick.00408198
00A43EEE  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43EF1  |.  BA 9C44A400   MOV EDX,picpick.00A4449C                 ;
 UNICODE “PBK-QFGH-ZBTV-GSDK”
00A43EF6  |.  E8 85499CFF   CALL picpick.00408880
00A43EFB  |.  75 0C         JNZ SHORT picpick.00A43F09
00A43EFD  |.  8BC3          MOV EAX,EBX
00A43EFF  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F04  |.  E8 8F429CFF   CALL picpick.00408198
00A43F09  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F0C  |.  BA D044A400   MOV EDX,picpick.00A444D0                 ;
 UNICODE “PBK-FTFS-DYHJ-EWER”
00A43F11  |.  E8 6A499CFF   CALL picpick.00408880
00A43F16  |.  75 0C         JNZ SHORT picpick.00A43F24
00A43F18  |.  8BC3          MOV EAX,EBX
00A43F1A  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F1F  |.  E8 74429CFF   CALL picpick.00408198
00A43F24  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F27  |.  BA 0445A400   MOV EDX,picpick.00A44504                 ;
 UNICODE “PBK-BHJH-DCXD-QWEY”
00A43F2C  |.  E8 4F499CFF   CALL picpick.00408880
00A43F31  |.  75 0C         JNZ SHORT picpick.00A43F3F
00A43F33  |.  8BC3          MOV EAX,EBX
00A43F35  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F3A  |.  E8 59429CFF   CALL picpick.00408198
00A43F3F  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F42  |.  BA 3845A400   MOV EDX,picpick.00A44538                 ;
 UNICODE “PBK-PWLD-GKDI-WNBV”
00A43F47  |.  E8 34499CFF   CALL picpick.00408880
00A43F4C  |.  75 0C         JNZ SHORT picpick.00A43F5A
00A43F4E  |.  8BC3          MOV EAX,EBX
00A43F50  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F55  |.  E8 3E429CFF   CALL picpick.00408198
00A43F5A  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F5D  |.  BA 6C45A400   MOV EDX,picpick.00A4456C                 ;
 UNICODE “PBK-ZDTY-CDCB-YYUT”
00A43F62  |.  E8 19499CFF   CALL picpick.00408880
00A43F67  |.  75 0C         JNZ SHORT picpick.00A43F75
00A43F69  |.  8BC3          MOV EAX,EBX
00A43F6B  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F70  |.  E8 23429CFF   CALL picpick.00408198
00A43F75  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F78  |.  BA A045A400   MOV EDX,picpick.00A445A0                 ;
 UNICODE “PBK-DFVD-GWER-YSDD”
00A43F7D  |.  E8 FE489CFF   CALL picpick.00408880
00A43F82  |.  75 0C         JNZ SHORT picpick.00A43F90
00A43F84  |.  8BC3          MOV EAX,EBX
00A43F86  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43F8B  |.  E8 08429CFF   CALL picpick.00408198
00A43F90  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43F93  |.  BA D445A400   MOV EDX,picpick.00A445D4                 ;
 UNICODE “PBK-VHGD-WERW-DJHQ”
00A43F98  |.  E8 E3489CFF   CALL picpick.00408880
00A43F9D  |.  75 0C         JNZ SHORT picpick.00A43FAB
00A43F9F  |.  8BC3          MOV EAX,EBX
00A43FA1  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43FA6  |.  E8 ED419CFF   CALL picpick.00408198
00A43FAB  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43FAE  |.  BA 0846A400   MOV EDX,picpick.00A44608                 ;
 UNICODE “PBK-QABD-WEBJ-KIGN”
00A43FB3  |.  E8 C8489CFF   CALL picpick.00408880
00A43FB8  |.  75 0C         JNZ SHORT picpick.00A43FC6
00A43FBA  |.  8BC3          MOV EAX,EBX
00A43FBC  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43FC1  |.  E8 D2419CFF   CALL picpick.00408198
00A43FC6  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43FC9  |.  BA 3C46A400   MOV EDX,picpick.00A4463C                 ;
 UNICODE “PBK-DFHF-DERS-HGVB”
00A43FCE  |.  E8 AD489CFF   CALL picpick.00408880
00A43FD3  |.  75 0C         JNZ SHORT picpick.00A43FE1
00A43FD5  |.  8BC3          MOV EAX,EBX
00A43FD7  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43FDC  |.  E8 B7419CFF   CALL picpick.00408198
00A43FE1  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43FE4  |.  BA 7046A400   MOV EDX,picpick.00A44670                 ;
 UNICODE “PBK-UUIT-ETGJ-XDFG”
00A43FE9  |.  E8 92489CFF   CALL picpick.00408880
00A43FEE  |.  75 0C         JNZ SHORT picpick.00A43FFC
00A43FF0  |.  8BC3          MOV EAX,EBX
00A43FF2  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A43FF7  |.  E8 9C419CFF   CALL picpick.00408198
00A43FFC  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A43FFF  |.  BA A446A400   MOV EDX,picpick.00A446A4                 ;
 UNICODE “PBK-QIUM-BJTX-DRHG”
00A44004  |.  E8 77489CFF   CALL picpick.00408880
00A44009  |.  75 0C         JNZ SHORT picpick.00A44017
00A4400B  |.  8BC3          MOV EAX,EBX
00A4400D  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44012  |.  E8 81419CFF   CALL picpick.00408198
00A44017  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A4401A  |.  BA D846A400   MOV EDX,picpick.00A446D8                 ;
 UNICODE “PBK-FVGJ OERW-CVSK”
00A4401F  |.  E8 5C489CFF   CALL picpick.00408880
00A44024  |.  75 0C         JNZ SHORT picpick.00A44032
00A44026  |.  8BC3          MOV EAX,EBX
00A44028  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A4402D  |.  E8 66419CFF   CALL picpick.00408198
00A44032  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44035  |.  BA 0C47A400   MOV EDX,picpick.00A4470C                 ;
 UNICODE “PBK-KTYY-RDFG-DBNM”
00A4403A  |.  E8 41489CFF   CALL picpick.00408880
00A4403F  |.  75 0C         JNZ SHORT picpick.00A4404D
00A44041  |.  8BC3          MOV EAX,EBX
00A44043  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44048  |.  E8 4B419CFF   CALL picpick.00408198
00A4404D  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44050  |.  BA 4047A400   MOV EDX,picpick.00A44740                 ;
 UNICODE “PBK-YEUY-XGVC-DSWE”
00A44055  |.  E8 26489CFF   CALL picpick.00408880
00A4405A  |.  75 0C         JNZ SHORT picpick.00A44068
00A4405C  |.  8BC3          MOV EAX,EBX
00A4405E  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44063  |.  E8 30419CFF   CALL picpick.00408198
00A44068  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A4406B  |.  BA 7447A400   MOV EDX,picpick.00A44774                 ;
 UNICODE “PBK-ASJH-KJUT-RRYY”
00A44070  |.  E8 0B489CFF   CALL picpick.00408880
00A44075  |.  75 0C         JNZ SHORT picpick.00A44083
00A44077  |.  8BC3          MOV EAX,EBX
00A44079  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A4407E  |.  E8 15419CFF   CALL picpick.00408198
00A44083  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44086  |.  BA A847A400   MOV EDX,picpick.00A447A8                 ;
 UNICODE “PBK-CVBM-DHFE-YIOK”
00A4408B  |.  E8 F0479CFF   CALL picpick.00408880
00A44090  |.  75 0C         JNZ SHORT picpick.00A4409E
00A44092  |.  8BC3          MOV EAX,EBX
00A44094  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44099  |.  E8 FA409CFF   CALL picpick.00408198
00A4409E  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A440A1  |.  BA DC47A400   MOV EDX,picpick.00A447DC                 ;
 UNICODE “PBK-CGFF-GTHK-WHHJ”
00A440A6  |.  E8 D5479CFF   CALL picpick.00408880
00A440AB  |.  75 0C         JNZ SHORT picpick.00A440B9
00A440AD  |.  8BC3          MOV EAX,EBX
00A440AF  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A440B4  |.  E8 DF409CFF   CALL picpick.00408198
00A440B9  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A440BC  |.  BA 1048A400   MOV EDX,picpick.00A44810                 ;
 UNICODE “PBK-JUII-TYBN-GJEW”
00A440C1  |.  E8 BA479CFF   CALL picpick.00408880
00A440C6  |.  75 0C         JNZ SHORT picpick.00A440D4
00A440C8  |.  8BC3          MOV EAX,EBX
00A440CA  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A440CF  |.  E8 C4409CFF   CALL picpick.00408198
00A440D4  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A440D7  |.  BA 4448A400   MOV EDX,picpick.00A44844                 ;
 UNICODE “PBK-KLUH-CGNJ-VBJH”
00A440DC  |.  E8 9F479CFF   CALL picpick.00408880
00A440E1  |.  75 0C         JNZ SHORT picpick.00A440EF
00A440E3  |.  8BC3          MOV EAX,EBX
00A440E5  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A440EA  |.  E8 A9409CFF   CALL picpick.00408198
00A440EF  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A440F2  |.  BA 7848A400   MOV EDX,picpick.00A44878                 ;
 UNICODE “PBK-UUIO-UYTE-TRBV”
00A440F7  |.  E8 84479CFF   CALL picpick.00408880
00A440FC  |.  75 0C         JNZ SHORT picpick.00A4410A
00A440FE  |.  8BC3          MOV EAX,EBX
00A44100  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44105  |.  E8 8E409CFF   CALL picpick.00408198
00A4410A  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A4410D  |.  BA AC48A400   MOV EDX,picpick.00A448AC                 ;
 UNICODE “PBK-DKKS-TUWL-VJSD”
00A44112  |.  E8 69479CFF   CALL picpick.00408880
00A44117  |.  75 0C         JNZ SHORT picpick.00A44125
00A44119  |.  8BC3          MOV EAX,EBX
00A4411B  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44120  |.  E8 73409CFF   CALL picpick.00408198
00A44125  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44128  |.  BA E048A400   MOV EDX,picpick.00A448E0                 ;
 UNICODE “PBK-DOEW-TYCJ-WOTO”
00A4412D  |.  E8 4E479CFF   CALL picpick.00408880
00A44132  |.  75 0C         JNZ SHORT picpick.00A44140
00A44134  |.  8BC3          MOV EAX,EBX
00A44136  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A4413B  |.  E8 58409CFF   CALL picpick.00408198
00A44140  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44143  |.  BA 1449A400   MOV EDX,picpick.00A44914                 ;
 UNICODE “PBK-DOXK-GOFO-TTWX”
00A44148  |.  E8 33479CFF   CALL picpick.00408880
00A4414D  |.  75 0C         JNZ SHORT picpick.00A4415B
00A4414F  |.  8BC3          MOV EAX,EBX
00A44151  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44156  |.  E8 3D409CFF   CALL picpick.00408198
00A4415B  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A4415E  |.  BA 4849A400   MOV EDX,picpick.00A44948                 ;
 UNICODE “PBK-MBKG-PTIK-QQWS”
00A44163  |.  E8 18479CFF   CALL picpick.00408880
00A44168  |.  75 0C         JNZ SHORT picpick.00A44176
00A4416A  |.  8BC3          MOV EAX,EBX
00A4416C  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44171  |.  E8 22409CFF   CALL picpick.00408198
00A44176  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44179  |.  BA 7C49A400   MOV EDX,picpick.00A4497C                 ;
 UNICODE “PBK-FFGH-TTIY-GHFH”
00A4417E  |.  E8 FD469CFF   CALL picpick.00408880
00A44183  |.  75 0C         JNZ SHORT picpick.00A44191
00A44185  |.  8BC3          MOV EAX,EBX
00A44187  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A4418C  |.  E8 07409CFF   CALL picpick.00408198
00A44191  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44194  |.  BA B049A400   MOV EDX,picpick.00A449B0                 ;
 UNICODE “PBK-NBKL-POIS-NVXG”
00A44199  |.  E8 E2469CFF   CALL picpick.00408880
00A4419E  |.  75 0C         JNZ SHORT picpick.00A441AC
00A441A0  |.  8BC3          MOV EAX,EBX
00A441A2  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A441A7  |.  E8 EC3F9CFF   CALL picpick.00408198
00A441AC  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A441AF  |.  BA E449A400   MOV EDX,picpick.00A449E4                 ;
 UNICODE “PBK-ZMNM-PXKD-TUTU”
00A441B4  |.  E8 C7469CFF   CALL picpick.00408880
00A441B9  |.  75 0C         JNZ SHORT picpick.00A441C7
00A441BB  |.  8BC3          MOV EAX,EBX
00A441BD  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A441C2  |.  E8 D13F9CFF   CALL picpick.00408198
00A441C7  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A441CA  |.  BA 184AA400   MOV EDX,picpick.00A44A18                 ;
 UNICODE “PBK-WXGH-UYPU-FKSL”
00A441CF  |.  E8 AC469CFF   CALL picpick.00408880
00A441D4  |.  75 0C         JNZ SHORT picpick.00A441E2
00A441D6  |.  8BC3          MOV EAX,EBX
00A441D8  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A441DD  |.  E8 B63F9CFF   CALL picpick.00408198
00A441E2  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A441E5  |.  BA 4C4AA400   MOV EDX,picpick.00A44A4C                 ;
 UNICODE “PBK-XXVM-WYMU-UKXL”
00A441EA  |.  E8 91469CFF   CALL picpick.00408880
00A441EF  |.  75 0C         JNZ SHORT picpick.00A441FD
00A441F1  |.  8BC3          MOV EAX,EBX
00A441F3  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A441F8  |.  E8 9B3F9CFF   CALL picpick.00408198
00A441FD  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00A44200  |.  BA 804AA400   MOV EDX,picpick.00A44A80                 ;
 UNICODE “PBK-QKSL-FUTK-GHSS”
00A44205  |.  E8 76469CFF   CALL picpick.00408880
00A4420A  |.  75 0C         JNZ SHORT picpick.00A44218
00A4420C  |.  8BC3          MOV EAX,EBX
00A4420E  |.  BA AC42A400   MOV EDX,picpick.00A442AC                 ;
 UNICODE “SUCCESS”
00A44213  |.  E8 803F9CFF   CALL picpick.00408198

aplib部分看上去比较烦,以我现在水平去分析,那简直太烧脑子了。

其实aplib部分我觉得作者本来应该是放在一个函数里的,这个现象是编译器优化所造成的

004040FF > 60 PUSHAD
00404100 68 54404000 PUSH AHpack.00404054 ; ASCII “KERNEL32.DLL”
00404105 B8 48404000 MOV EAX,<&KERNEL32.GetModuleHandleA>
0040410A FF10 CALL DWORD PTR DS:[EAX] ; 获得kernel32基地址
0040410C 68 B3404000 PUSH AHpack.004040B3 ; ASCII “GlobalAlloc”
00404111 50 PUSH EAX
00404112 B8 44404000 MOV EAX,<&KERNEL32.GetProcAddress>
00404117 FF10 CALL DWORD PTR DS:[EAX] ;
从kernel32里获取GlobalAlloc函数
00404119 68 00080000 PUSH 800
0040411E 6A 40 PUSH 40 ; GPTR
00404120 FFD0 CALL EAX ; 申请800字节
00404122 8905 CA404000 MOV DWORD PTR DS:[4040CA],EAX
00404128 89C7 MOV EDI,EAX
0040412A BE 00104000 MOV ESI,AHpack.00401000
0040412F 60 PUSHAD ; 开始aplib
00404130 FC CLD
00404131 B2 80 MOV DL,80
00404133 31DB XOR EBX,EBX
00404135 A4 MOVS BYTE PTR ES:[EDI],BYTE
PTR DS:[ESI] 
00404136 B3 02 MOV BL,2
00404138 E8 6D000000 CALL
AHpack.004041AA
0040413D ^ 73 F6 JNB SHORT
AHpack.00404135
0040413F 31C9 XOR ECX,ECX
00404141 E8 64000000 CALL
AHpack.004041AA
00404146 73 1C JNB SHORT
AHpack.00404164
00404148 31C0 XOR EAX,EAX
0040414A E8 5B000000 CALL
AHpack.004041AA
0040414F 73 23 JNB SHORT
AHpack.00404174
00404151 B3 02 MOV BL,2
00404153 41 INC ECX
00404154 B0 10 MOV AL,10
00404156 E8 4F000000 CALL
AHpack.004041AA
0040415B 10C0 ADC AL,AL
0040415D ^ 73 F7 JNB SHORT
AHpack.00404156
0040415F 75 3F JNZ SHORT
AHpack.004041A0
00404161 AA STOS BYTE PTR
ES:[EDI]
00404162 ^ EB D4 JMP SHORT
AHpack.00404138
00404164 E8 4D000000 CALL
AHpack.004041B6
00404169 29D9 SUB ECX,EBX
0040416B 75 10 JNZ SHORT
AHpack.0040417D
0040416D E8 42000000 CALL
AHpack.004041B4
00404172 EB 28 JMP SHORT
AHpack.0040419C
00404174 AC LODS BYTE PTR
DS:[ESI]
00404175 D1E8 SHR EAX,1
00404177 74 4D JE SHORT
AHpack.004041C6
00404179 11C9 ADC ECX,ECX
0040417B EB 1C JMP SHORT
AHpack.00404199
0040417D 91 XCHG EAX,ECX
0040417E 48 DEC EAX
0040417F C1E0 08 SHL EAX,8
00404182 AC LODS BYTE PTR
DS:[ESI]
00404183 E8 2C000000 CALL
AHpack.004041B4
00404188 3D 007D0000 CMP EAX,7D00
0040418D 73 0A JNB SHORT
AHpack.00404199
0040418F 80FC 05 CMP AH,5
00404192 73 06 JNB SHORT
AHpack.0040419A
00404194 83F8 7F CMP EAX,7F
00404197 77 02 JA SHORT
AHpack.0040419B
00404199 41 INC ECX
0040419A 41 INC ECX
0040419B 95 XCHG EAX,EBP
0040419C 89E8 MOV EAX,EBP
0040419E B3 01 MOV BL,1
004041A0 56 PUSH ESI
004041A1 89FE MOV ESI,EDI
004041A3 29C6 SUB ESI,EAX
004041A5 F3:A4 REP MOVS BYTE PTR
ES:[EDI],BYTE PTR DS:[>
004041A7 5E POP ESI
004041A8 ^ EB 8E JMP SHORT
AHpack.00404138
004041AA 00D2 ADD DL,DL
004041AC 75 05 JNZ SHORT
AHpack.004041B3
004041AE 8A16 MOV DL,BYTE PTR
DS:[ESI]
004041B0 46 INC ESI
004041B1 10D2 ADC DL,DL
004041B3 C3 RETN
004041B4 31C9 XOR ECX,ECX
004041B6 41 INC ECX
004041B7 E8 EEFFFFFF CALL
AHpack.004041AA
004041BC 11C9 ADC ECX,ECX
004041BE E8 E7FFFFFF CALL
AHpack.004041AA
004041C3 ^ 72 F2 JB SHORT
AHpack.004041B7
004041C5 C3 RETN
004041C6 61 POPAD ; 结束aplib,数据解到404120处申请的内存中
004041C7 B9 FC070000 MOV ECX,7FC
004041CC 8B1C08 MOV EBX,DWORD PTR DS:[EAX+ECX]
004041CF 8999 00104000 MOV DWORD PTR DS:[ECX+401000],EBX
004041D5 ^ E2 F5 LOOPD SHORT AHpack.004041CC ;
404120处申请的内存包含解压后数据,把它拷贝到oep处
004041D7 90 NOP ; 下面开始修复IAT,呵呵,9090不会是故意给个分割吧
004041D8 90 NOP
004041D9 BA 00004000 MOV EDX,AHpack.00400000
004041DE BE 70200000 MOV ESI,2070
004041E3 01D6 ADD ESI,EDX ;
esi用来迭代IMAGE_IMPORT_DESCRIPTOR,esi现在初始化为指向第一个IMAGE_IMPORT_DESCRIPTOR的指针
004041E5 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; eax指向要修复的dll名
004041E8 85C0 TEST EAX,EAX
004041EA 0F84 87000000 JE AHpack.00404277 ; 如果全部修复完毕就跳转
004041F0 01D0 ADD EAX,EDX
004041F2 89C3 MOV EBX,EAX
004041F4 50 PUSH EAX
004041F5 B8 48404000 MOV EAX,<&KERNEL32.GetModuleHandleA>
004041FA FF10 CALL DWORD PTR DS:[EAX] ; 获取要修复dll的基地址
004041FC 85C0 TEST EAX,EAX
004041FE 75 08 JNZ SHORT AHpack.00404208 ; 如果获取失败,就加载一次
00404200 53 PUSH EBX
00404201 B8 4C404000 MOV EAX,<&KERNEL32.LoadLibraryA>
00404206 FF10 CALL DWORD PTR DS:[EAX]
00404208 8905 CE404000 MOV DWORD PTR DS:[4040CE],EAX ;
要修复dll基址存到4040CE
0040420E C705 D2404000 0>MOV DWORD PTR DS:[4040D2],0 ;
4040D2用来描述此dll已经修复的个数,[4040D2]/4=已修复个数
00404218 BA 00004000 MOV EDX,AHpack.00400000
0040421D 8B06 MOV EAX,DWORD PTR DS:[ESI]
0040421F 85C0 TEST EAX,EAX
00404221 75 03 JNZ SHORT AHpack.00404226
00404223 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
00404226 01D0 ADD EAX,EDX ; 基地址加IAT的偏移
00404228 0305 D2404000 ADD EAX,DWORD PTR DS:[4040D2] ;
再加修复次数*4
0040422E 8B18 MOV EBX,DWORD PTR DS:[EAX] ;
[eax]指向IMPORT_BY_NAME
00404230 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
00404233 01D7 ADD EDI,EDX
00404235 033D D2404000 ADD EDI,DWORD PTR DS:[4040D2]
0040423B 85DB TEST EBX,EBX
0040423D 74 2B JE SHORT AHpack.0040426A ; 如果这个dll已经修复完则跳转
0040423F F7C3 00000080 TEST EBX,80000000 ; 判断最高位是否置位(按序号导入的标志位),置位则不加基址、直接用序号
00404245 75 04 JNZ SHORT AHpack.0040424B
00404247 01D3 ADD EBX,EDX
00404249 43 INC EBX ;
因为第一个字段占一个word,所以两次inc是为了访问IMPORT_BY_NAME.Name
0040424A 43 INC EBX
0040424B 81E3 FFFFFF0F AND EBX,0FFFFFFF ; 前4位清零
00404251 53 PUSH EBX ; 要修复函数名
00404252 FF35 CE404000 PUSH DWORD PTR DS:[4040CE] ;
要修复函数所在的dll
00404258 B8 44404000 MOV EAX,<&KERNEL32.GetProcAddress>
0040425D FF10 CALL DWORD PTR DS:[EAX] ;
使用GetProcAddress把正确地址取出来
0040425F 8907 MOV DWORD PTR DS:[EDI],EAX ; 修复IAT
00404261 8305 D2404000 0>ADD DWORD PTR DS:[4040D2],4 ;
已修复个数+1
00404268 ^ EB AE JMP SHORT AHpack.00404218 ; 跳上去继续修复下一个函数
0040426A 83C6 14 ADD ESI,14 ;
0x14为IMAGE_IMPORT_DESCRIPTOR大小,继续迭代到下个dll
0040426D BA 00004000 MOV EDX,AHpack.00400000 ; 这步是多余操作
00404272 ^ E9 6EFFFFFF JMP AHpack.004041E5 ; 跳上去继续修复下一个dll
00404277 68 54404000 PUSH AHpack.00404054 ; ASCII “KERNEL32.DLL”
0040427C B8 48404000 MOV EAX,<&KERNEL32.GetModuleHandleA>
00404281 FF10 CALL DWORD PTR DS:[EAX] ; 获得kernel32基地址
00404283 68 BF404000 PUSH AHpack.004040BF ; ASCII “GlobalFree”
00404288 50 PUSH EAX
00404289 B8 44404000 MOV EAX,<&KERNEL32.GetProcAddress>
0040428E FF10 CALL DWORD PTR DS:[EAX] ; 从kernel32取GlobalFree()
00404290 8B15 CA404000 MOV EDX,DWORD PTR DS:[4040CA]
00404296 52 PUSH EDX
00404297 FFD0 CALL EAX ; 释放之前申请的buffer
00404299 61 POPAD
0040429A BA 00104000 MOV EDX,AHpack.00401000
0040429F FFE2 JMP EDX ; 跳oep
004042A1 90 NOP
004042A2 C3 RETN

qq1454322323
