[笔记]unpacking vcasm 2004版

[笔记]unpacking vcasm 2004版

前几天跟踪vcasm 2004年12月某版本的笔记,嘿嘿,主程序的code redirection还没有跟下来。。。新的1.X版 搞不定,凑合看吧。。。

unpack vcasm

by fpc @2005/08

0040DE0A    E8 00000000               call 样本测试.0040DE0F
0040DE0F    5D                        pop ebp
0040DE10    81ED B5A54000             sub ebp,样本测试.0040A5B5
0040DE16    8DB5 949B4000             lea esi,dword ptr ss:[ebp+409B94]
0040DE1C    33C0                      xor eax,eax
0040DE1E    C706 30000000             mov dword ptr ds:[esi],30
0040DE24    C746 04 03020000          mov dword ptr ds:[esi+4],203
0040DE2B    C746 20 02000000          mov dword ptr ds:[esi+20],2
0040DE32    8946 0C                   mov dword ptr ds:[esi+C],eax
0040DE35    8946 10                   mov dword ptr ds:[esi+10],eax
0040DE38    8946 18                   mov dword ptr ds:[esi+18],eax
0040DE3B    8946 1C                   mov dword ptr ds:[esi+1C],eax
0040DE3E    8946 24                   mov dword ptr ds:[esi+24],eax
0040DE41    8946 2C                   mov dword ptr ds:[esi+2C],eax
0040DE44    50              push eax
0040DE45    FF95 279B4000   call dword ptr ss:[ebp+409B27]      ; kernel32.GetModuleHandleA
0040DE4B    8946 14         mov dword ptr ds:[esi+14],eax

0040DE7E    58              pop eax
0040DE7F    8946 08         mov dword ptr ds:[esi+8],eax
0040DE82    56              push esi
0040DE83    FF95 3F9B4000   call dword ptr ss:[ebp+409B3F]      ; USER32.RegisterClassExA
0040DE89    33C0            xor eax,eax
0040DE8B    50              push eax
0040DE8C    50              push eax
0040DE8D    50              push eax
0040DE8E    50              push eax
0040DE8F    6A 14           push 14
0040DE91    68 C8000000     push 0C8
0040DE96    6A 01           push 1
0040DE98    FF95 479B4000   call dword ptr ss:[ebp+409B47]      ; USER32.GetSystemMetrics
0040DE9E    D1E8            shr eax,1
0040DEA0    83E8 0A         sub eax,0A
0040DEA3    50              push eax
0040DEA4    6A 00           push 0
0040DEA6    FF95 479B4000   call dword ptr ss:[ebp+409B47]      ; USER32.GetSystemMetrics
0040DEAC    D1E8            shr eax,1
0040DEAE    83E8 64         sub eax,64
0040DEB1    50              push eax
0040DEB2    68 00008880     push 80880000
0040DEB7    8D85 239F4000   lea eax,dword ptr ss:[ebp+409F23]
0040DEBD    50              push eax
0040DEBE    50              push eax
0040DEBF    68 88000000     push 88
0040DEC4    FF95 439B4000   call dword ptr ss:[ebp+409B43]      ; USER32.CreateWindowExA
0040DECA    8985 989B4000   mov dword ptr ss:[ebp+409B98],eax
0040DED0    50              push eax
0040DED1    68 08000000     push 8
0040DED6    50              push eax
0040DED7    FF95 4B9B4000   call dword ptr ss:[ebp+409B4B]      ; USER32.ShowWindow
0040DEDD    FF95 4F9B4000   call dword ptr ss:[ebp+409B4F]      ; USER32.GetDC
0040DF12    FF95 679B4000   call dword ptr ss:[ebp+409B67]      ; GDI32.SetPixel
0040DF18    47              inc edi
0040DF19    83FF 14         cmp edi,14
0040DF1C  ^ 72 CF           jb short 样本测试.0040DEED
0040DF1E    46              inc esi
0040DF1F    81FE C8000000   cmp esi,0C8
0040DF25  ^ 72 C4           jb short 样本测试.0040DEEB
0040DF27    E8 13010000     call 样本测试.0040E03F

;
0040E03F    59              pop ecx
0040E040    8D85 949B4000   lea eax,dword ptr ss:[ebp+409B94]
0040E046    50              push eax
0040E047    6A 00           push 0
0040E049    FF7424 08       push dword ptr ss:[esp+8]
0040E04D    51              push ecx
0040E04E    6A 00           push 0
0040E050    6A 00           push 0
0040E052    FF95 139B4000   call dword ptr ss:[ebp+409B13]      ; kernel32.CreateThread
0040E058    33F6            xor esi,esi
0040E05A    33FF            xor edi,edi
0040E05C    6A 01           push 1
0040E05E    FF95 2F9B4000   call dword ptr ss:[ebp+409B2F]      ; kernel32.Sleep
0040E064    0F31            rdtsc
0040E066    83E0 1F         and eax,1F
0040E069    05 C0000000     add eax,0C0
0040E06E    8BD8            mov ebx,eax
0040E070    C1E3 08         shl ebx,8
0040E073    03D8            add ebx,eax
0040E075    83EB 40         sub ebx,40
0040E078    C1E3 08         shl ebx,8
0040E07B    03D8            add ebx,eax
0040E07D    C1E3 08         shl ebx,8
0040E080    03D8            add ebx,eax
0040E082    53              push ebx
0040E083    57              push edi
0040E084    56              push esi
0040E085    FFB5 9C9B4000   push dword ptr ss:[ebp+409B9C]
0040E08B    FF95 679B4000   call dword ptr ss:[ebp+409B67]      ; GDI32.SetPixel
0040E091    47              inc edi
0040E092    83FF 14         cmp edi,14
0040E095  ^ 72 CD           jb short 样本测试.0040E064
0040E097    46              inc esi
0040E098    81FE C8000000   cmp esi,0C8
0040E09E  ^ 72 BA           jb short 样本测试.0040E05A
0040E0A0    68 C8000000     push 0C8
0040E0A5    FF95 2F9B4000   call dword ptr ss:[ebp+409B2F]      ; kernel32.Sleep
0040E0AB    FFB5 9C9B4000   push dword ptr ss:[ebp+409B9C]
0040E0B1    FFB5 989B4000   push dword ptr ss:[ebp+409B98]
0040E0B7    FF95 539B4000   call dword ptr ss:[ebp+409B53]      ; USER32.ReleaseDC
0040E0BD    FFB5 989B4000   push dword ptr ss:[ebp+409B98]
0040E0C3    FF95 5F9B4000   call dword ptr ss:[ebp+409B5F]      ; USER32.DestroyWindow

0040E0C9    0F31            rdtsc
0040E0CB    83C2 03         add edx,3
0040E0CE    8995 BD9C4000   mov dword ptr ss:[ebp+409CBD],edx
0040E0D4    E8 07000000     call 样本测试.0040E0E0

0040E0EE    E8 00000000     call 样本测试.0040E0F3
0040E0F3    5D              pop ebp
0040E0F4    81ED 99A84000   sub ebp,样本测试.0040A899
0040E0FA    8BAD 279B4000   mov ebp,dword ptr ss:[ebp+409B27]
0040E100    64:FF35 3000000>push dword ptr fs:[30]
0040E107    58              pop eax
0040E108    85C0            test eax,eax
0040E10A    78 0F           js short 样本测试.0040E11B
0040E10C    8B40 0C         mov eax,dword ptr ds:[eax+C]
0040E10F    8B40 0C         mov eax,dword ptr ds:[eax+C]
0040E112    C740 20 0000000>mov dword ptr ds:[eax+20],0		;destroy image size (SizeOfImage in the PEB loader entry -> 0, anti-dump)
0040E119    EB 18           jmp short 样本测试.0040E133


0040E1F6    0F31            rdtsc
0040E1F8    E8 00000000     call 样本测试.0040E1FD
0040E1FD    5D              pop ebp
0040E1FE    81ED A3A94000   sub ebp,样本测试.0040A9A3
0040E204    3995 BD9C4000   cmp dword ptr ss:[ebp+409CBD],edx		;anti-debug timing check: TSC high dword saved at 0040E0C9 (+3) vs. fresh rdtsc
0040E20A    72 21           jb short 样本测试.0040E22D			;don't jump

0040DA33    FF95 179B4000   call dword ptr ss:[ebp+409B17]      ; kernel32.GetVersion

0040DB29    FF95 1F9F4000   call dword ptr ss:[ebp+409F1F]	; VirtualAlloc

0040DBF3    E8 3F010000     call 样本测试.0040DD37		;apdepack




0040DC6D    8881 1FA44000   mov byte ptr ds:[ecx+40A41F],al
0040DC73    8383 B8000000 0>add dword ptr ds:[ebx+B8],2		;seh handler
0040DC7A    33C0            xor eax,eax
0040DC7C    8943 04         mov dword ptr ds:[ebx+4],eax
0040DC7F    8943 08         mov dword ptr ds:[ebx+8],eax
0040DC82    8943 0C         mov dword ptr ds:[ebx+C],eax
0040DC85    8943 10         mov dword ptr ds:[ebx+10],eax
0040DC88    8943 14         mov dword ptr ds:[ebx+14],eax
0040DC8B    8943 18         mov dword ptr ds:[ebx+18],eax
0040DC8E    C3              retn


0040DD35  - FFE2            jmp edx

003E213B   /E9 D10D0000     jmp 003E2F11

003E2F05    8B85 D0C64000   mov eax,dword ptr ss:[ebp+40C6D0]
003E2F0B  - E9 90900000     jmp 003EBFA0
003E2F0B   /E9 CC0C0000     jmp 003E3BDC


003E2950    8BC6            mov eax,esi			;api was overwritten
change to: mov [esp+4], eax

003E2E96   /E2 02           loopd short 003E2E9A	;loop all apis of a dll
003E2E98   |EB 05           jmp short 003E2E9F
003E2E9A  ^\E9 31FBFFFF     jmp 003E29D0
003E2E9F    E9 540D0000     jmp 003E3BF8

003E2656   /E9 D5170000     jmp 003E3E30		;all dlls are done

003E4482    8B07            mov eax,dword ptr ds:[edi]	;to be continued
003E4484  - E9 90900000     jmp 003ED519

003E4482    8B07            mov eax,dword ptr ds:[edi]
003E4484    E9 CC000000     jmp 003E4555

003E3E9D  ^\74 E8           je short 003E3E87
003E3E9F  ^ E9 A5E5FFFF     jmp 003E2449

003E290B    3347 0C         xor eax,dword ptr ds:[edi+C]	;取得被抽离代码地址,如4010d8
003E290E    E9 78010000     jmp 003E2A8B

003E3FEE    8958 FC         mov dword ptr ds:[eax-4],ebx	;call 3e316d到壳里面
003E3FF1  ^ E9 B8E3FFFF     jmp 003E23AE

003E3E87  ^\E9 3EEAFFFF     jmp 003E28CA			;when done




003E3B95  - E9 90900000     jmp 003ECC2A
003E3B95   /E9 CC090000     jmp 003E4566


003E4993  - E9 90900000     jmp 003EDA28

003E4993   /E9 CC000000     jmp 003E4A64


003E26FC    50              push eax
003E26FD    50              push eax
003E26FE    E8 00000000     call 003E2703
003E2703    58              pop eax
003E2704    2D A0AF4000     sub eax,40AFA0
003E2709    C680 29BA4000 B>mov byte ptr ds:[eax+40BA29],0B8
003E2710    8F80 2ABA4000   pop dword ptr ds:[eax+40BA2A]
003E2716    C3              retn



===========================
003E213B   /E9 D10D0000     jmp 003E2F11
003E2F31    E8 00000000     call 003E2F36
003E2F36    5A              pop edx
003E2F37    81EA D3B74000   sub edx,40B7D3		;edx=FFFD7763
003E3DC0    5D              pop ebp			;ebp=385a
003E2CDF    B9 03000000     mov ecx,3
003E3DC9    8DB5 239B4000   lea esi,dword ptr ss:[ebp+409B23]	;3 api addresses in kernel32
003E2ADC    8DBA 7BD64000   lea edi,dword ptr ds:[edx+40D67B]
003E2CBF    89AA 77D64000   mov dword ptr ds:[edx+40D677],ebp
003E30FE    2992 77D64000   sub dword ptr ds:[edx+40D677],edx	;sub ebp, edx
003E3EE0    8B06            mov eax,dword ptr ds:[esi]               ; kernel32.GetProcAddress
003E402D    8907            mov dword ptr ds:[edi],eax               ; kernel32.GetProcAddress
003E3DAD    83C6 04         add esi,4
003E42A6    83C7 04         add edi,4
003E28DC   /E2 02           loopd short 003E28E0
003E28DE   |EB 05           jmp short 003E28E5
003E28E0   \E9 22170000     jmp 003E4007
003E28E5    E9 631B0000     jmp 003E444D

003E444F    8D85 DDA44000   lea eax,dword ptr ss:[ebp+40A4DD]		;de-apack func
003E3FF9    8982 AFD64000   mov dword ptr ds:[edx+40D6AF],eax        ; 样本测试.0040DD37
003E4549    8B85 1F9F4000   mov eax,dword ptr ss:[ebp+409F1F]        ; kernel32.VirtualAlloc
003E3FE0    8982 8FD64000   mov dword ptr ds:[edx+40D68F],eax        ; kernel32.VirtualAlloc
003E4819    8BEA            mov ebp,edx
003E4840    6A 00           push 0
003E4847    FF95 7FD64000   call dword ptr ss:[ebp+40D67F]           ; kernel32.GetModuleHandleA
003E4870    8985 93D64000   mov dword ptr ss:[ebp+40D693],eax        ; 样本测试.00400000

003E312E    8DB5 B3D64000   lea esi,dword ptr ss:[ebp+40D6B3]		;kernel32.dll
003E4883    56              push esi
003E4889    FF95 7FD64000   call dword ptr ss:[ebp+40D67F]           ; kernel32.GetModuleHandleA
003E4894    83F8 00         cmp eax,0
003E21D0    8985 8BD64000   mov dword ptr ss:[ebp+40D68B],eax        ; kernel32.77E40000
003E2A13   /0F85 8F190000   jnz 003E43A8
003E2A19  ^|E9 64F8FFFF     jmp 003E2282

003E2284    56              push esi
003E2C8A    FF95 83D64000   call dword ptr ss:[ebp+40D683]		;load


003E4580    8BF0            mov esi,eax                              ; kernel32.77E40000

003E48AB    8D9D C0D64000   lea ebx,dword ptr ss:[ebp+40D6C0]		;api name:virtualfree
003E48B6    53              push ebx
003E2A35    56              push esi                                 ; kernel32.77E40000
003E48BF    FF95 7BD64000   call dword ptr ss:[ebp+40D67B]           ; kernel32.GetProcAddress
003E2FF9    8985 90904000   mov dword ptr ss:[ebp+409090],eax        ; kernel32.VirtualFree

003E443C    BB D0D64000     mov ebx,40D6D0

------------
003E48EB    833C2B 00       cmp dword ptr ds:[ebx+ebp],0		;packed size? 6000

003E48F9  ^\0F84 BBE5FFFF   je 003E2EBA				;->3e2f05
003E48FF  ^ E9 53D9FFFF     jmp 003E2257

003E225D    53              push ebx                                 ; 样本测试.0040D6D0

003E23B8    6A 04           push 4
003E2804    68 00100000     push 1000
003E2C00    FF342B          push dword ptr ds:[ebx+ebp]
003E4214    6A 00           push 0
003E4310    FF95 8FD64000   call dword ptr ss:[ebp+40D68F]           ; kernel32.VirtualAlloc

003E3E29    5B              pop ebx                                  ; 样本测试.0040D6D0
003E475D    8BF0            mov esi,eax
003E2865    8BC3            mov eax,ebx                              ; 样本测试.0040D6D0
003E2DE4    03C5            add eax,ebp

003E4755    8B78 04         mov edi,dword ptr ds:[eax+4]		;1000
003E47C3    03BD 93D64000   add edi,dword ptr ss:[ebp+40D693]        ; 样本测试.00400000
003E2A21    56              push esi
003E2D3C    57              push edi                                 ; 样本测试.00401000
003E217A    FF95 AFD64000   call dword ptr ss:[ebp+40D6AF]           ; 样本测试.0040DD37
003E2F8E    8B0C2B          mov ecx,dword ptr ds:[ebx+ebp]
003E3EB0    56              push esi
003E3FCF    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>	;restore packed section
003E2300    5E              pop esi                                  ; 003F0000
003E42FE    53              push ebx                                 ; 样本测试.0040D6D0

003E268B    68 00800000     push 8000
003E2E21    6A 00           push 0
003E2250    56              push esi
003E29AE    FF95 90904000   call dword ptr ss:[ebp+409090]           ; kernel32.VirtualFree
003E2627    5B              pop ebx                                  ; 样本测试.0040D6D0
003E2C73    83C3 0C         add ebx,0C					;next section

003E48EB    833C2B 00       cmp dword ptr ds:[ebx+ebp],0
------------

003E2F05    8B85 D0C64000   mov eax,dword ptr ss:[ebp+40C6D0]		;1f4
003E3BDE    C1E0 08         shl eax,8
003E419F    6A 04           push 4
003E43B8    68 00100000     push 1000
003E3EF5    50              push eax
003E42E5    6A 00           push 0
003E28BE    FF95 8FD64000   call dword ptr ss:[ebp+40D68F]           ; kernel32.VirtualAlloc
003E297D    8985 A7D64000   mov dword ptr ss:[ebp+40D6A7],eax
003E2E36    8B85 97D64000   mov eax,dword ptr ss:[ebp+40D697]		;1
003E2A82    83F8 00         cmp eax,0
003E30BA   /0F85 740C0000   jnz 003E3D34				;jump
003E30C0  ^|E9 3AF9FFFF     jmp 003E29FF

003E40C4    8B95 9FD64000   mov edx,dword ptr ss:[ebp+40D69F]		;2d98
003E4188    03D5            add edx,ebp
003E42BE    81C2 D8A94000   add edx,40A9D8

003E30EB    8B3A            mov edi,dword ptr ds:[edx]			;first thunk of a dll:63f8
003E23A5    83FF 00         cmp edi,0					;are all dlls done?

003E24D6   /0F84 7A010000   je 003E2656
003E24DC   |E9 8C030000     jmp 003E286D				;jump

003E288D    03BD 93D64000   add edi,dword ptr ss:[ebp+40D693]        ; 样本测试.00400000
003E41F2    83C2 05         add edx,5					;point to dll name
003E4490    8BF2            mov esi,edx
003E44A0    56              push esi
003E25E1    FF95 7FD64000   call dword ptr ss:[ebp+40D67F]           ; kernel32.GetModuleHandleA
003E44B3    83F8 00         cmp eax,0

003E42CC  ^\0F85 C9E5FFFF   jnz 003E289B
003E42D2    E9 E5010000     jmp 003E44BC

003E44BE    56              push esi
003E265E    FF95 83D64000   call dword ptr ss:[ebp+40D683]           ; kernel32.LoadLibraryA

003E4263    0FB64E FF       movzx ecx,byte ptr ds:[esi-1]		;strlen
003E453F    03F1            add esi,ecx

003E24C3    8BD6            mov edx,esi
003E4615    8BF0            mov esi,eax                              ; SHELL32.base...
003E2AD3    42              inc edx

003E426F    8B0A            mov ecx,dword ptr ds:[edx]			;number of api in current dll
003E2210    83C2 04         add edx,4

003E21F6    51              push ecx
003E2D23    0FB602          movzx eax,byte ptr ds:[edx]			;strlen of apiname
003E2E8B    83F8 00         cmp eax,0

003E3A47  ^\0F85 82F5FFFF   jnz 003E2FCF				;jump
003E3A4D  ^ E9 E6EDFFFF     jmp 003E2838

003E21C7    42              inc edx
003E4415    52              push edx

003E459F    52              push edx
003E4647    56              push esi                                 ; SHELL32.#584
003E3047    FF95 7BD64000   call dword ptr ss:[ebp+40D67B]           ; kernel32.GetProcAddress

>>>>>>>eax=api, edi=thunk

003E458A    E8 49F9FFFF     call 003E3ED8
003E458F  ^\E9 E9F9FFFF     jmp 003E3F7D
003E422A    60              pushad

003E2E0D    8B9D A7D64000   mov ebx,dword ptr ss:[ebp+40D6A7]		;api redirection mem
003E423B    B9 08000000     mov ecx,8



003E4433    51              push ecx
003E2FB2    8BF3            mov esi,ebx

003E3A25    E8 80F6FFFF     call 003E30AA				;step in, modify first word of redirection code
003E3A2A    E9 0E060000     jmp 003E403D

003E3D57    E8 D4E8FFFF     call 003E2630				;step in, random dl
003E3D5C  ^ E9 A9E7FFFF     jmp 003E250A

003E2BA7    C1CF 03         ror edi,3
003E2E44    33F8            xor edi,eax                              ; SHELL32.DragFinish
003E218C    03FB            add edi,ebx
003E2AF5    D1CF            ror edi,1
003E2E4E    47              inc edi
003E2E63    33D7            xor edx,edi					;edx=semi-random value
003E2A2A    80E2 0F         and dl,0F
003E2EA7    C3              retn

003E252A    0AD2            or dl,dl					;redirection begins...
003E252C    75 0D           jnz short 003E253B
003E252E    66:C703 87DB    mov word ptr ds:[ebx],0DB87
003E2533    83C3 02         add ebx,2
003E2536    E9 81000000     jmp 003E25BC
003E253B    80FA 01         cmp dl,1
003E253E    75 0A           jnz short 003E254A
003E2540    66:C703 87C9    mov word ptr ds:[ebx],0C987
003E2545    83C3 02         add ebx,2
003E2548    EB 72           jmp short 003E25BC
003E254A    80FA 02         cmp dl,2
003E254D    75 0A           jnz short 003E2559
003E254F    66:C703 87D2    mov word ptr ds:[ebx],0D287
003E2554    83C3 02         add ebx,2
003E2557    EB 63           jmp short 003E25BC
003E2559    80FA 03         cmp dl,3
003E255C    75 0A           jnz short 003E2568
003E255E    66:C703 87F6    mov word ptr ds:[ebx],0F687
003E2563    83C3 02         add ebx,2
003E2566    EB 54           jmp short 003E25BC
003E2568    80FA 04         cmp dl,4
003E256B    75 0A           jnz short 003E2577
003E256D    66:C703 87FF    mov word ptr ds:[ebx],0FF87
003E2572    83C3 02         add ebx,2
003E2575    EB 45           jmp short 003E25BC
003E2577    80FA 05         cmp dl,5
003E257A    75 0A           jnz short 003E2586
003E257C    66:C703 87E4    mov word ptr ds:[ebx],0E487
003E2581    83C3 02         add ebx,2
003E2584    EB 36           jmp short 003E25BC
003E2586    80FA 06         cmp dl,6
003E2589    75 0A           jnz short 003E2595
003E258B    66:C703 87ED    mov word ptr ds:[ebx],0ED87
003E2590    83C3 02         add ebx,2
003E2593    EB 27           jmp short 003E25BC
003E2595    80FA 07         cmp dl,7
003E2598    75 0A           jnz short 003E25A4
003E259A    66:C703 5058    mov word ptr ds:[ebx],5850
003E259F    83C3 02         add ebx,2
003E25A2    EB 18           jmp short 003E25BC
003E25A4    80FA 08         cmp dl,8
003E25A7    75 0A           jnz short 003E25B3
003E25A9    66:C703 EB00    mov word ptr ds:[ebx],0EB
003E25AE    83C3 02         add ebx,2
003E25B1    EB 09           jmp short 003E25BC
003E25B3    C703 EB01E900   mov dword ptr ds:[ebx],0E901EB
003E25B9    83C3 03         add ebx,3
003E25BC    E9 481C0000     jmp 003E4209


003E420B    C3              retn

003E3A2A   /E9 0E060000     jmp 003E403D

003E405D    E8 CEE5FFFF     call 003E2630			;step in, random dl
003E4062    E9 5E040000     jmp 003E44C5


003E2BA7    C1CF 03         ror edi,3
003E2E44    33F8            xor edi,eax                              ; SHELL32.DragFinish
003E218C    03FB            add edi,ebx
003E2AF5    D1CF            ror edi,1
003E2E4E    47              inc edi
003E2E63    33D7            xor edx,edi
003E2A2A    80E2 0F         and dl,0F
003E2EA7    C3              retn

003E4062   /E9 5E040000     jmp 003E44C5

003E44C7    0AD2            or dl,dl
003E44C9    75 07           jnz short 003E44D2
003E44CB    E8 C0020000     call 003E4790
003E44D0    EB 65           jmp short 003E4537
003E44D2    80FA 01         cmp dl,1
003E44D5    75 07           jnz short 003E44DE
003E44D7    E8 7ADFFFFF     call 003E2456
003E44DC    EB 59           jmp short 003E4537
003E44DE    80FA 02         cmp dl,2
003E44E1    75 07           jnz short 003E44EA
003E44E3    E8 D4E4FFFF     call 003E29BC
003E44E8    EB 4D           jmp short 003E4537
003E44EA    80FA 03         cmp dl,3
003E44ED    75 07           jnz short 003E44F6
003E44EF    E8 D4E4FFFF     call 003E29C8
003E44F4    EB 41           jmp short 003E4537
003E44F6    80FA 04         cmp dl,4
003E44F9    75 07           jnz short 003E4502
003E44FB    E8 3AE4FFFF     call 003E293A
003E4500    EB 35           jmp short 003E4537
003E4502    80FA 05         cmp dl,5
003E4505    75 07           jnz short 003E450E
003E4507    E8 20E7FFFF     call 003E2C2C
003E450C    EB 29           jmp short 003E4537
003E450E    80FA 06         cmp dl,6
003E4511    75 07           jnz short 003E451A
003E4513    E8 ADFEFFFF     call 003E43C5
003E4518    EB 1D           jmp short 003E4537
003E451A    80FA 07         cmp dl,7
003E451D    75 07           jnz short 003E4526
003E451F    E8 1AE5FFFF     call 003E2A3E
003E4524    EB 11           jmp short 003E4537
003E4526    80FA 08         cmp dl,8
003E4529    75 07           jnz short 003E4532
003E452B    E8 8CEAFFFF     call 003E2FBC
003E4530    EB 05           jmp short 003E4537
003E4532    E8 1FDFFFFF     call 003E2456
003E4537  ^ E9 0EE4FFFF     jmp 003E294A

eg.
003E4513    E8 ADFEFFFF     call 003E43C5

003E2F9D    C603 B8         mov byte ptr ds:[ebx],0B8
003E4835    8943 01         mov dword ptr ds:[ebx+1],eax             ; SHELL32.DragFinish
003E4334    8BC8            mov ecx,eax                              ; SHELL32.DragFinish
003E46E6    03CB            add ecx,ebx
003E2196    294B 01         sub dword ptr ds:[ebx+1],ecx             ; kernel32.77EE66A9
003E3B45    83C3 05         add ebx,5
003E2916    E8 8F070000     call 003E30AA
003E291B    E9 A6010000     jmp 003E2AC6
003E2AC8    C603 05         mov byte ptr ds:[ebx],5
003E2D0A    314B 01         xor dword ptr ds:[ebx+1],ecx             ; kernel32.77EE66A9
003E3AB7    83C3 05         add ebx,5
003E3BED    E8 B8F4FFFF     call 003E30AA
003E3D64    66:C703 FFE0    mov word ptr ds:[ebx],0E0FF
003E2473    83C3 02         add ebx,2
003E3D86    C3              retn

003E2950    8BC6            mov eax,esi
003E3EA7    59              pop ecx                                  ; kernel32.77EE66A9

003E45A8   /E2 02           loopd short 003E45AC
003E45AA   |EB 05           jmp short 003E45B1
003E45AC  ^\E9 C8FCFFFF     jmp 003E4279				;jump 003E4433
003E45B1    E9 C5000000     jmp 003E467B




003E467D    897424 1C       mov dword ptr ss:[esp+1C],esi		;new api entry to eax, nop it!!!!
003E2ABA    899D A7D64000   mov dword ptr ss:[ebp+40D6A7],ebx
003E463E    61              popad
003E2963    C3              retn

003E458F  ^\E9 E9F9FFFF     jmp 003E3F7D
003E3F9D    8907            mov dword ptr ds:[edi],eax

003E417F    5A              pop edx                                  ; 003E4EE9
003E21BB    0FB642 FF       movzx eax,byte ptr ds:[edx-1]
003E2BEB    03D0            add edx,eax
003E4307    42              inc edx

003E239A    83C7 04         add edi,4					;advance iat pointer

003E2E1B    59              pop ecx                                  ; ntdll.77F532FA

003E2E96   /E2 02           loopd short 003E2E9A			;next
003E2E98   |EB 05           jmp short 003E2E9F
003E2E9A  ^\E9 31FBFFFF     jmp 003E29D0
003E2E9F    E9 540D0000     jmp 003E3BF8

003E30EB    8B3A            mov edi,dword ptr ds:[edx]

when done:
003E2656   /E9 D5170000     jmp 003E3E30
003E3E32    B9 FD010000     mov ecx,1FD
003E3F71    8B85 9BD64000   mov eax,dword ptr ss:[ebp+40D69B]		;1 = call redirection flag
003E4037    83F8 01         cmp eax,1

003E40B6  ^\0F85 CBFDFFFF   jnz 003E3E87				;if not, jump to next
	-> 003E3D00    60              pushad
003E40BC  ^ E9 A9E5FFFF     jmp 003E266A

003E266C    8BBD A3D64000   mov edi,dword ptr ss:[ebp+40D6A3]		;35d4
003E4347    03FD            add edi,ebp
003E2C21    81C7 D8A94000   add edi,40A9D8				;3e570f
;
003E570F  21 13 77 53 3D 64 E5 B3 3D 64 E5 B3 00 00 00 00  !wS=d宄=d宄....
003E571F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E572F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E573F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E574F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E575F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E576F  DE EC 88 AC C2 9B 1A 4C C2 9B 1A 4C FF FF FF FF  揿??L?L??
003E577F  21 13 77 53 3D 64 E5 B3 3D 64 E5 B3 00 00 00 00  !wS=d宄=d宄....
003E578F  61 67 73 27 8B 6F BE 1E C7 5D 9C A4 98 64 44 74  ags'??禽??Dt
003E579F  EC 0F 75 78 06 07 30 42 13 01 91 D7 2A 0C 42 2B  ?ux0B?*.B+
003E57AF  AB 3D 44 22 41 35 01 18 87 AA B8 A0 8C 3F 73 71  ?D"A5?高?sq
003E57BF  EB A9 A8 82 01 A1 ED B8 EB 74 22 50 D4 AB 9F D1  氅?№鸽t"P垣?
003E57CF  EF 08 E7 B7 05 00 14 8E 79 05 7C 7C F8 0A D0 E4  ?绶.?||?袖
003E57DF  1C FA A1 A9 F6 F2 50 90 C0 8E 1B 6D 6C F8 96 FA  ??蛐??ml?



003E2C57    8DB5 0ABA4000   lea esi,dword ptr ss:[ebp+40BA0A]		;public redirect call: 3e316d

-----------------------------------------------
003E4482    8B07            mov eax,dword ptr ds:[edi]

003E455B    35 21137753     xor eax,53771321

003E465D    49              dec ecx

003E3E17    83F9 00         cmp ecx,0					;is all done?

003E3E9D  ^\74 E8           je short 003E3E87
	-> 003E3D00    60              pushad
003E3E9F  ^ E9 A5E5FFFF     jmp 003E2449

003E244B    83F8 00         cmp eax,0

003E2D2E  ^\0F84 7CF6FFFF   je 003E23B0					;no redirection
	003E4281    83C7 10         add edi,10
	003E4482    8B07            mov eax,dword ptr ds:[edi]

003E2D34  ^ E9 87F6FFFF     jmp 003E23C0

003E23C2    83F8 FF         cmp eax,-1

003E2BBC  ^\0F84 EEF7FFFF   je 003E23B0					;no redirection
	003E4281    83C7 10         add edi,10
	003E4482    8B07            mov eax,dword ptr ds:[edi]

003E2BC2  ^ E9 24FDFFFF     jmp 003E28EB

003E290B    3347 0C         xor eax,dword ptr ds:[edi+C]		;eax=va of redirected code, ie. 4010d8

003E2A8D    8BDE            mov ebx,esi
003E2B0E    2BD8            sub ebx,eax                             ; 样本测试.004010D8

003E2F66    8378 FC 00      cmp dword ptr ds:[eax-4],0			;most of the time it's 0
003E29A0  ^\0F85 0AFAFFFF   jnz 003E23B0
	003E4281    83C7 10         add edi,10
	003E4482    8B07            mov eax,dword ptr ds:[edi]

003E29A6    E9 25020000     jmp 003E2BD0

003E2BD2    8078 FB E8      cmp byte ptr ds:[eax-5],0E8

003E3B5B  ^\0F85 4FE8FFFF   jnz 003E23B0
	003E4281    83C7 10         add edi,10
	003E4482    8B07            mov eax,dword ptr ds:[edi]

003E3B61    E9 86040000     jmp 003E3FEC
003E3FEE    8958 FC         mov dword ptr ds:[eax-4],ebx		;generate: call 3e316d
003E4281    83C7 10         add edi,10

------------------------------------


003E3D00    60              pushad					;what the hell are we diving into...

003E3CC6    E8 00000000     call 003E3CCB
003E3CCB    5B              pop ebx
003E3CCC    81EB 68C54000   sub ebx,40C568

003E3C7B    E8 0B000000     call 003E3C8B
003E3C80    55              push ebp
003E3C81    73 65           jnb short 003E3CE8
003E3C83    72 33           jb short 003E3CB8

003E3CD7    FF93 7FD64000   call dword ptr ds:[ebx+40D67F]          ; kernel32.GetModuleHandleA

003E3D06    E8 0C000000     call 003E3D17				;push "messageboxa"

003E3C3B    50              push eax                                ; USER32.77D10000
003E3C0E    FF93 7BD64000   call dword ptr ds:[ebx+40D67B]          ; kernel32.GetProcAddress
003E3C41    6A 00           push 0
003E3C19    E8 18000000     call 003E3C36				;push string
003E3C48    E8 25000000     call 003E3C72
003E3C4D  C4 BF C7 B0 BC D3 C3 DC BF C7 CE AA B2 E2 CA D4  目前加密壳为测试
003E3C5D  B0 E6 B1 BE A3 AC C7 EB CE F0 D3 C3 D3 DA B7 A2  版本,请勿用于发
003E3C6D  D0 D0 A3 A1 00                                   行!.?;

003E3CAE    6A 00           push 0
003E3CB5    FFD0            call eax                                ; USER32.MessageBoxA
003E3CC0    61              popad

003E267A    E8 4B050000     call 003E2BCA				;anti-dump call
003E3E58    64:FF35 3000000>push dword ptr fs:[30]
003E2327    58              pop eax                                 ; 7FFDF000
003E3A87    85C0            test eax,eax				;getversion-style os check (sign of fs:[30])

003E4121  ^\0F88 18F9FFFF   js 003E3A3F					;jump if win9x, getmodulehandle, then write pe header
003E4127    E9 05010000     jmp 003E4231				;jump under winnt

003E4709    8B40 0C         mov eax,dword ptr ds:[eax+C]
003E4775    8B40 0C         mov eax,dword ptr ds:[eax+C]
003E2E54    C740 20 0000000>mov dword ptr ds:[eax+20],0			;set imagesize 16000 to 0!!
			    ret


003E267F   /E9 28020000     jmp 003E28AC


003E24B2    E8 AF1E0000     call 003E4366				;anti ring-3 debugger
003E24B7    E9 B9160000     jmp 003E3B75

003E43E7    E8 12000000     call 003E43FE				;push string
003E43EC  49 73 44 65 62 75 67 67 65 72 50 72 65 73 65 6E  IsDebuggerPresen
003E43FC  74 00                                            t.

003E4425    FFB5 8BD64000   push dword ptr ss:[ebp+40D68B]          ; kernel32.7C800000
003E24E4    FF95 7BD64000   call dword ptr ss:[ebp+40D67B]          ; kernel32.GetProcAddress
003E44A9    0BC0            or eax,eax                              ; kernel32.IsDebuggerPresent

003E2C34  ^\0F84 FAF6FFFF   je 003E2334					;need to set zf to skip the check
003E2C3A    E9 B10D0000     jmp 003E39F0				;jump here
003E39F2    FFD0            call eax                                ; kernel32.IsDebuggerPresent

003E3FC5    0BC0            or eax,eax					;we have auto hide-debugger, so eax == 0

003E4572  ^\0F85 72F4FFFF   jnz 003E39EA				;if it fails, dead loop...
003E4578  ^ E9 B1DDFFFF     jmp 003E232E				;jump to good guy

003E4403    C3              retn


003E4568    E8 2A000000     call 003E4597				;anti lots of tools/debuggers, dig in
003E456D    EB 48           jmp short 003E45B7


003E461F    E8 09000000     call 003E462D				;push sth like "\\.\SICE"

003E40A1    E8 28E5FFFF     call 003E25CE
003E40A6   /E9 B9050000     jmp 003E4664

003E30DC    83BD 87D64000 0>cmp dword ptr ss:[ebp+40D687],0		;0, createfile address

003E2B50   /0F85 8B150000   jnz 003E40E1				;call createfilea
003E2B56   |E9 E2120000     jmp 003E3E3D


003E3E3F    E8 0C000000     call 003E3E50				;push createfilea
003E238C    FFB5 8BD64000   push dword ptr ss:[ebp+40D68B]          ; kernel32.7C800000
003E4085    FF95 7BD64000   call dword ptr ss:[ebp+40D67B]          ; kernel32.GetProcAddress
003E27C3    8985 87D64000   mov dword ptr ss:[ebp+40D687],eax       ; kernel32.CreateFileA
003E2D5B    8B4424 04       mov eax,dword ptr ss:[esp+4]
003E4291    6A 00           push 0
003E2345    68 80000000     push 80
003E3AD0    6A 03           push 3
003E30A0    6A 00           push 0
003E3D45    6A 03           push 3
003E3093    68 000000C0     push C0000000
003E433E    50              push eax
003E4715    FF95 87D64000   call dword ptr ss:[ebp+40D687]          ; kernel32.CreateFileA
003E4720    83F8 FF         cmp eax,-1					;-1 (INVALID_HANDLE_VALUE, no such device) is good

003E4728  ^\0F85 BCF2FFFF   jnz 003E39EA
003E472E    EB 09           jmp short 003E4739

003E473B    C2 0400         retn 4


003E40A6   /E9 B9050000     jmp 003E4664

003E4666    E8 0A000000     call 003E4675				;push string

...

003E2490    E8 0D000000     call 003E24A2

003E46A7    E8 22DFFFFF     call 003E25CE				;createfile call
003E46AC    EB 01           jmp short 003E46AF



003E46B1    E8 0C000000     call 003E46C2

003E2DEE    E8 12000000     call 003E2E05


....

003E41C6    E8 14000000     call 003E41DF
003E41CB  5C 5C 2E 5C 52 76 74 72 61 63 65 72 44 65 76 69  \\.\RvtracerDevi
003E41DB  63 65 30 00                                      ce0.

003E3F25    E8 0D000000     call 003E3F37

003E3F2A  5C 5C 2E 5C 56 4B 45 59 50 52 4F 44 00           \\.\VKEYPROD.

...

003E30F5    C3              retn


;normal junk code
003E45B9    B9 04000000     mov ecx,4
003E45BE    E8 1F000000     call 003E45E2
003E45C3  ^ EB FA           jmp short 003E45BF
003E45C5    E8 16000000     call 003E45E0
003E45CA  - E9 EBF80000     jmp 003F3EBA
003E45CF    58              pop eax
003E45D0    EB 09           jmp short 003E45DB
003E45D2    0F25            ???                                     ; 未知命令
003E45D4    E8 F2FFFFFF     call 003E45CB
003E45D9    0FB9            ???                                     ; 未知命令
003E45DB    49              dec ecx
003E45DC  ^ 75 F1           jnz short 003E45CF
003E45DE    EB 05           jmp short 003E45E5
003E45E0  ^ EB F9           jmp short 003E45DB
003E45E2  ^ EB F0           jmp short 003E45D4
003E45E4    D6              salc
003E45E5  ^ E9 38DCFFFF     jmp 003E2222


003E2242    8B85 A3D64000   mov eax,dword ptr ss:[ebp+40D6A3]		;35d4

003E30C8    03C5            add eax,ebp
003E3110    05 D8A94000     add eax,40A9D8				;eax=3e570f
003E40E9    8985 3BBA4000   mov dword ptr ss:[ebp+40BA3B],eax
003E2F80    8B85 93D64000   mov eax,dword ptr ss:[ebp+40D693]       ; 样本测试.00400000
003E3A9E    0385 ABD64000   add eax,dword ptr ss:[ebp+40D6AB]		;10cc, oep!!

003E4DFE  01 00 00 00 98 2D 00 00 D4 35 00 00 67 34 A9 00  ....?-..?5..g4?.
003E4E0E  CC 10 00 00 37 DD 40 00 4B 45 52 4E 45 4C 33 32  ?...7?@.KERNEL32
003E4E1E  2E 64 6C 6C 00 56 69 72 74 75 61 6C 46 72 65 65  .dll.VirtualFree

003E26B6    64:8F05 0000000>pop dword ptr fs:[0]                    ; 00A8FFDC, uninstall seh

003E26DB    83C4 04         add esp,4


003E26FC    50              push eax                                ; 样本测试.004010CC

003E26FD    50              push eax
003E26FE    E8 00000000     call 003E2703
003E2703    58              pop eax
003E2704    2D A0AF4000     sub eax,40AFA0
003E2709    C680 29BA4000 B>mov byte ptr ds:[eax+40BA29],0B8		;3e318c, the byte after the pushad at 003E318B; 0B8 is the opcode of mov eax,imm32
003E2710    8F80 2ABA4000   pop dword ptr ds:[eax+40BA2A]


;modified code here: the mov byte at 003E2709 and the pop at 003E2710 overwrite the call at 003E318C with "mov eax,4010CC" (compare the listing after the OEP below):

003E318B    60              pushad
003E318C    E8 CC030000     call 003E355D
003E3191    8920            mov dword ptr ds:[eax],esp
003E3193    E9 AD070000     jmp 003E3945
;
;


003E2716    C3              retn


OEP here, but the code is still unfixed: the call at 004010D3 is redirected into the packer at 003E316D, and the bytes following each such call do not disassemble to sensible code:
004010CC    55              push ebp
004010CD    8BEC            mov ebp,esp
004010CF    83EC 44         sub esp,44
004010D2    56              push esi
004010D3    E8 9520FEFF     call 003E316D
004010D8    028B F08A003C   add cl,byte ptr ds:[ebx+3C008AF0]
004010DE    2275 1B         and dh,byte ptr ss:[ebp+1B]
004010E1    56              push esi
004010E2    E8 8620FEFF     call 003E316D
004010E7    028B F08A0084   add cl,byte ptr ds:[ebx+84008AF0]





003E318B    60              pushad
003E318C    B8 CC104000     mov eax,4010CC
003E3191    8920            mov dword ptr ds:[eax],esp
003E3193    E9 AD070000     jmp 003E3945


003E32D9    8B7C24 20       mov edi,dword ptr ss:[esp+20]           ; 样本测试.004010D8





2
支持的说
2005-9-6 15:42
3
支持一下.
2005-9-6 19:52
4
学习学习
2005-9-6 20:10
5
最新版内存补丁一样可以搞的
2005-9-6 20:13
6
蛋蛋是个高手,可惜不太肯露几手兄弟们学习学习。
2005-9-6 21:05
7
Fpc兄加油
2005-9-6 21:11
8
最初由 fly 发布
Fpc兄加油


最近改玩游戏了
2005-9-7 10:22
9
55555555555

看不明白!!!!
2005-9-7 18:32
10
如果上天再多给我一点时间就看看这个壳
2005-9-8 14:41
11
最初由 forgot 发布
如果上天再多给我一点时间就看看这个壳


拿几天时间看2005版。。  CC有改进,还有stack代码,别的记不清了

没跟多久就飞了,主要对多进程/多线程体会不深,里面几个Seh handler没搞清关系

vcasm protector 1.2

use OD (OllyDbg):

patch unhandleseh

dejunk

004E321C   /EB 00           jmp short VProtect.004E321E
004E321E   \E8 64000000     call VProtect.004E3287				;call next

004E3223    8B4424 04       mov eax,dword ptr ss:[esp+4]			;main seh handler
004E3227    8B5C24 0C       mov ebx,dword ptr ss:[esp+C]
004E322B    81BB A0000000 4>cmp dword ptr ds:[ebx+A0],1F2B3C4E
004E3235    75 34           jnz short VProtect.004E326B
004E3237    81BB 9C000000 8>cmp dword ptr ds:[ebx+9C],5A6E7D8C
004E3241    75 28           jnz short VProtect.004E326B
004E3243    C783 9C000000 4>mov dword ptr ds:[ebx+9C],1F2B3C4E
004E324D    E8 00000000     call VProtect.004E3252
004E3252    59              pop ecx
004E3253    81E9 48044100   sub ecx,VProtect.00410448
004E3259    8D81 F1044100   lea eax,dword ptr ds:[ecx+4104F1]
004E325F    2B83 B8000000   sub eax,dword ptr ds:[ebx+B8]
004E3265    8881 67044100   mov byte ptr ds:[ecx+410467],al
004E326B    8383 B8000000 0>add dword ptr ds:[ebx+B8],2
004E3272    33C0            xor eax,eax
004E3274    8943 04         mov dword ptr ds:[ebx+4],eax
004E3277    8943 08         mov dword ptr ds:[ebx+8],eax
004E327A    8943 0C         mov dword ptr ds:[ebx+C],eax
004E327D    8943 10         mov dword ptr ds:[ebx+10],eax
004E3280    8943 14         mov dword ptr ds:[ebx+14],eax
004E3283    8943 18         mov dword ptr ds:[ebx+18],eax
004E3286    C3              retn

some anti-CC (int3 software-breakpoint) checks

next:
004E34D3   /EB 3F           jmp short VProtect.004E3514

004E3514    55              push ebp
004E37ED    E8 FEFEFFFF     call VProtect.004E36F0


004E34DE    E8 00000000     call VProtect.004E34E3
004E34E3    5D              pop ebp
004E34E4    81ED D9064100   sub ebp,VProtect.004106D9


lvl2 sehhandler:
004E37F2   /E9 A3020000     jmp VProtect.004E3A9A


004E3783    56              push esi

004E3A48    FF1424          call dword ptr ss:[esp]
004E3A4B    EB 01           jmp short VProtect.004E3A4E


set a breakpoint here to get the new EIP value in edx (it is then written into CONTEXT.Eip, offset B8, in the stack code below):
004E398F    FF1424          call dword ptr ss:[esp]
004E3992    EB 01           jmp short VProtect.004E3995

0012F940    8996 B8000000   mov dword ptr ds:[esi+B8],edx           ; VProtect.004E3D63

... lots of CC junk

Finally land here:

004E4D11    E8 03000000     call VProtect.004E4D19


main seh handler:
004E4F27    E8 64000000     call VProtect.004E4F90
004E4F2C    8B4424 04       mov eax,dword ptr ss:[esp+4]
004E4F30    8B5C24 0C       mov ebx,dword ptr ss:[esp+C]
004E4F34    81BB A0000000 4>cmp dword ptr ds:[ebx+A0],1F2B3C4E
004E4F3E    75 34           jnz short VProtect.004E4F74
004E4F40    81BB 9C000000 8>cmp dword ptr ds:[ebx+9C],5A6E7D8C
004E4F4A    75 28           jnz short VProtect.004E4F74
004E4F4C    C783 9C000000 4>mov dword ptr ds:[ebx+9C],1F2B3C4E
004E4F56    E8 00000000     call VProtect.004E4F5B
004E4F5B    59              pop ecx
004E4F5C    81E9 51214100   sub ecx,VProtect.00412151
004E4F62    8D81 FA214100   lea eax,dword ptr ds:[ecx+4121FA]
004E4F68    2B83 B8000000   sub eax,dword ptr ds:[ebx+B8]
004E4F6E    8881 70214100   mov byte ptr ds:[ecx+412170],al
004E4F74    8383 B8000000 0>add dword ptr ds:[ebx+B8],2		;CONTEXT.Eip += 2, resume past the faulting instruction
004E4F7B    33C0            xor eax,eax
004E4F7D    8943 04         mov dword ptr ds:[ebx+4],eax		;nop these lines: [ebx+4..18] are Dr0-Dr3, Dr6 and Dr7 in the CONTEXT record, so clearing them kills any hardware breakpoints
004E4F80    8943 08         mov dword ptr ds:[ebx+8],eax
004E4F83    8943 0C         mov dword ptr ds:[ebx+C],eax
004E4F86    8943 10         mov dword ptr ds:[ebx+10],eax
004E4F89    8943 14         mov dword ptr ds:[ebx+14],eax
004E4F8C    8943 18         mov dword ptr ds:[ebx+18],eax
004E4F8F    C3              retn


004E500C    E8 82060000     call VProtect.004E5693

004E5E88    FFD0            call eax                                ; kernel32.CreateFileMappingA

004E6028    FFD0            call eax                                ; kernel32.MapViewOfFile


2005-9-8 15:04