标题:小菜的Armadillo V5.0X 标准加壳保护方式脱壳笔记
链接:http://www.unpack.cn/viewthread.php?tid=18449
贴者:Cyg07
日期:2007-10-18 17:58
一.寻找MagicJmp->避开IAT加密
使用OllyDBG修改版TheODBG,使用IsDebug插件Hide,忽略所有的异常选项。
载入后Alt+B->清除所有断点。
BP VirtualProtect
Shift+F9,中断后取消断点
BP CreateFileMappingA
Shift+F9,中断后取消断点
Ctrl+G:GetModuleHandleA
在GetModuleHandleA函数末尾处设断,防止壳检测函数首部的CC断点复制内容到剪贴板代码:
77E12CD1 k> 837C24 04 00 cmp dword ptr ss:[esp+4],0
77E12CD6 74 18 je short 77E12CF0 ; kernel32.77E12CF0
77E12CD8 FF7424 04 push dword ptr ss:[esp+4]
77E12CDC E8 92FFFFFF call 77E12C73 ; kernel32.77E12C73
77E12CE1 85C0 test eax,eax
77E12CE3 74 08 je short 77E12CED ; kernel32.77E12CED
77E12CE5 FF70 04 push dword ptr ds:[eax+4]
77E12CE8 E8 77520000 call 77E17F64 ; kernel32.GetModuleHandleW
77E12CED C2 0400 retn 4
//这里设断Shift+F9 观察堆栈变化:复制内容到剪贴板代码:
00129844 00CCEB59 RETURN to 00CCEB59 from kernel32.GetModuleHandleA
00129848 00CF5B90 ASCII "kernel32.dll"
0012984C 00CF6A20 ASCII "VirtualAlloc"Shift+F9复制内容到剪贴板代码:
00129844 00CCEB77 RETURN to 00CCEB77 from kernel32.GetModuleHandleA
00129848 00CF5B90 ASCII "kernel32.dll"
0012984C 00CF6A14 ASCII "VirtualFree"Shift+F9复制内容到剪贴板代码:
001295CC 00CB6CCC RETURN to 00CB6CCC from kernel32.GetModuleHandleA
001295D0 00129734 ASCII "kernel32.dll"“VirtualAlloc、VirtualFree”特征出来了!
取消GetModuleHandleA函数末尾的断点了,F7返回00CB6CC7调用处复制内容到剪贴板代码:
00CB6CC6 FF15 C030CF00 call dword ptr ds:[CF30C0] ; kernel32.GetModuleHandleA
00CB6CCC 8B55 F8 mov edx,dword ptr ss:[ebp-8] ;
//返回在这里
00CB6CCF 8B0D 1C2FD000 mov ecx,dword ptr ds:[D02F1C]
00CB6CD5 890491 mov dword ptr ds:[ecx+edx*4],eax ; kernel32.77E10000
00CB6CD8 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00CB6CDB A1 1C2FD000 mov eax,dword ptr ds:[D02F1C]
00CB6CE0 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00CB6CE4 75 5B jnz short 00CB6D41
00CB6CE6 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00CB6CE9 8B51 08 mov edx,dword ptr ds:[ecx+8]
00CB6CEC 83E2 02 and edx,2
00CB6CEF 74 37 je short 00CB6D28
00CB6CF1 B8 17000000 mov eax,17
00CB6CF6 C1E0 02 shl eax,2
00CB6CF9 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps.004B1368
00CB6CFF 8B15 D40AD000 mov edx,dword ptr ds:[D00AD4] ; fraps.004B1368
00CB6D05 8B35 D40AD000 mov esi,dword ptr ds:[D00AD4] ; fraps.004B1368
00CB6D0B 8B5E 1C mov ebx,dword ptr ds:[esi+1C]
00CB6D0E 331A xor ebx,dword ptr ds:[edx] ; ntdll.77FB2360
00CB6D10 331C01 xor ebx,dword ptr ds:[ecx+eax]
00CB6D13 83E3 10 and ebx,10
00CB6D16 F7DB neg ebx
00CB6D18 1BDB sbb ebx,ebx
00CB6D1A F7DB neg ebx
00CB6D1C 0FB6C3 movzx eax,bl
00CB6D1F 85C0 test eax,eax ; kernel32.77E10000
00CB6D21 75 05 jnz short 00CB6D28
00CB6D23 ^ E9 1DFFFFFF jmp 00CB6C45
00CB6D28 8D8D F0FEFFFF lea ecx,dword ptr ss:[ebp-110]
00CB6D2E 51 push ecx ; kernel32.77E18172
00CB6D2F FF15 D431CF00 call dword ptr ds:[CF31D4] ; kernel32.LoadLibraryA
00CB6D35 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00CB6D38 8B0D 1C2FD000 mov ecx,dword ptr ds:[D02F1C]
00CB6D3E 890491 mov dword ptr ds:[ecx+edx*4],eax ; kernel32.77E10000
00CB6D41 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00CB6D44 A1 1C2FD000 mov eax,dword ptr ds:[D02F1C]
00CB6D49 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00CB6D4D 75 05 jnz short 00CB6D54
//MagicJmp->nop->避开IAT加密通过单步跟踪找到了比较函数,下面给出下面是处理 IAT 的流程(菜!目前无法做分析,有兴趣的朋友可以继续)复制内容到剪贴板代码:
00CD15B9 BA 01000000 mov edx,1
00CD15BE 85D2 test edx,edx ; ntdll.77FB2340
00CD15C0 0F84 62090000 je 00CD1F28
00CD15C6 8B85 8CDBFFFF mov eax,dword ptr ss:[ebp-2474]
00CD15CC 8985 3CD6FFFF mov dword ptr ss:[ebp-29C4],eax ; kernel32.77E10000
00CD15D2 6A 00 push 0
00CD15D4 8B8D 8CDBFFFF mov ecx,dword ptr ss:[ebp-2474]
00CD15DA 51 push ecx ; kernel32.77E18172
00CD15DB E8 40B90000 call 00CDCF20
00CD15E0 83C4 08 add esp,8
00CD15E3 83C0 01 add eax,1
00CD15E6 8985 8CDBFFFF mov dword ptr ss:[ebp-2474],eax ; kernel32.77E10000
00CD15EC 8B95 3CD6FFFF mov edx,dword ptr ss:[ebp-29C4]
00CD15F2 0FBE02 movsx eax,byte ptr ds:[edx]
00CD15F5 85C0 test eax,eax ; kernel32.77E10000
00CD15F7 75 05 jnz short 00CD15FE
00CD15F9 E9 2A090000 jmp 00CD1F28
00CD15FE 8B8D 8CDBFFFF mov ecx,dword ptr ss:[ebp-2474]
00CD1604 8B11 mov edx,dword ptr ds:[ecx]
00CD1606 8995 38D6FFFF mov dword ptr ss:[ebp-29C8],edx ; ntdll.77FB2340
00CD160C 8B85 8CDBFFFF mov eax,dword ptr ss:[ebp-2474]
00CD1612 83C0 04 add eax,4
00CD1615 8985 8CDBFFFF mov dword ptr ss:[ebp-2474],eax ; kernel32.77E10000
00CD161B 8B8D 8CDBFFFF mov ecx,dword ptr ss:[ebp-2474]
00CD1621 8B11 mov edx,dword ptr ds:[ecx]
00CD1623 8995 58D7FFFF mov dword ptr ss:[ebp-28A8],edx ; ntdll.77FB2340
00CD1629 8B85 8CDBFFFF mov eax,dword ptr ss:[ebp-2474]
00CD162F 83C0 04 add eax,4
00CD1632 8985 8CDBFFFF mov dword ptr ss:[ebp-2474],eax ; kernel32.77E10000
00CD1638 8A0D 5835CF00 mov cl,byte ptr ds:[CF3558]
00CD163E 888D 40D6FFFF mov byte ptr ss:[ebp-29C0],cl
00CD1644 68 03010000 push 103
00CD1649 6A 00 push 0
00CD164B 8D95 41D6FFFF lea edx,dword ptr ss:[ebp-29BF]
00CD1651 52 push edx ; ntdll.77FB2340
00CD1652 E8 39B80000 call 00CDCE90
00CD1657 83C4 0C add esp,0C
00CD165A 8B85 3CD6FFFF mov eax,dword ptr ss:[ebp-29C4]
00CD1660 50 push eax ; kernel32.77E10000
00CD1661 E8 1A78FEFF call 00CB8E80
00CD1666 8985 4CD7FFFF mov dword ptr ss:[ebp-28B4],eax ; kernel32.77E10000
00CD166C 83BD 4CD7FFFF 00 cmp dword ptr ss:[ebp-28B4],0
00CD1673 0F85 A6000000 jnz 00CD171F
00CD1679 83BD 4CD7FFFF 00 cmp dword ptr ss:[ebp-28B4],0
00CD1680 75 60 jnz short 00CD16E2
00CD1682 6A 01 push 1
00CD1684 8D8D 30D5FFFF lea ecx,dword ptr ss:[ebp-2AD0]
00CD168A 51 push ecx ; kernel32.77E18172
00CD168B E8 5079FFFF call 00CC8FE0
00CD1690 83C4 08 add esp,8
00CD1693 6A 5C push 5C
00CD1695 8D95 30D5FFFF lea edx,dword ptr ss:[ebp-2AD0]
00CD169B 52 push edx ; ntdll.77FB2340
00CD169C E8 0FDE0000 call 00CDF4B0
00CD16A1 83C4 08 add esp,8
00CD16A4 8985 2CD5FFFF mov dword ptr ss:[ebp-2AD4],eax ; kernel32.77E10000
00CD16AA 83BD 2CD5FFFF 00 cmp dword ptr ss:[ebp-2AD4],0
00CD16B1 74 2F je short 00CD16E2
00CD16B3 8B85 3CD6FFFF mov eax,dword ptr ss:[ebp-29C4]
00CD16B9 50 push eax ; kernel32.77E10000
00CD16BA 8B8D 2CD5FFFF mov ecx,dword ptr ss:[ebp-2AD4]
00CD16C0 83C1 01 add ecx,1
00CD16C3 51 push ecx ; kernel32.77E18172
00CD16C4 E8 47BA0000 call 00CDD110
00CD16C9 83C4 08 add esp,8
00CD16CC 6A 08 push 8
00CD16CE 6A 00 push 0
00CD16D0 8D95 30D5FFFF lea edx,dword ptr ss:[ebp-2AD0]
00CD16D6 52 push edx ; ntdll.77FB2340
00CD16D7 E8 F478FEFF call 00CB8FD0
00CD16DC 8985 4CD7FFFF mov dword ptr ss:[ebp-28B4],eax ; kernel32.77E10000
00CD16E2 83BD 4CD7FFFF 00 cmp dword ptr ss:[ebp-28B4],0
00CD16E9 75 34 jnz short 00CD171F
00CD16EB 6A 01 push 1
00CD16ED 8D85 30D5FFFF lea eax,dword ptr ss:[ebp-2AD0]
00CD16F3 50 push eax ; kernel32.77E10000
00CD16F4 E8 E778FFFF call 00CC8FE0
00CD16F9 83C4 08 add esp,8
00CD16FC 8D8D 30D5FFFF lea ecx,dword ptr ss:[ebp-2AD0]
00CD1702 51 push ecx ; kernel32.77E18172
00CD1703 8D95 40D6FFFF lea edx,dword ptr ss:[ebp-29C0]
00CD1709 52 push edx ; ntdll.77FB2340
00CD170A 8B85 3CD6FFFF mov eax,dword ptr ss:[ebp-29C4]
00CD1710 50 push eax ; kernel32.77E10000
00CD1711 E8 1A70FEFF call 00CB8730
00CD1716 83C4 0C add esp,0C
00CD1719 8985 4CD7FFFF mov dword ptr ss:[ebp-28B4],eax ; kernel32.77E10000
00CD171F 83BD 4CD7FFFF 00 cmp dword ptr ss:[ebp-28B4],0
00CD1726 75 59 jnz short 00CD1781
00CD1728 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00CD172B 8B11 mov edx,dword ptr ds:[ecx]
00CD172D C702 03000000 mov dword ptr ds:[edx],3
00CD1733 0FBE85 40D6FFFF movsx eax,byte ptr ss:[ebp-29C0]
00CD173A 85C0 test eax,eax ; kernel32.77E10000
00CD173C 74 0E je short 00CD174C
00CD173E 8D8D 40D6FFFF lea ecx,dword ptr ss:[ebp-29C0]
00CD1744 898D D0ACFFFF mov dword ptr ss:[ebp+FFFFACD0],ecx ; kernel32.77E18172
00CD174A EB 0C jmp short 00CD1758
00CD174C 8B95 3CD6FFFF mov edx,dword ptr ss:[ebp-29C4]
00CD1752 8995 D0ACFFFF mov dword ptr ss:[ebp+FFFFACD0],edx ; ntdll.77FB2340
00CD1758 FF15 0433CF00 call dword ptr ds:[CF3304] ; ntdll.RtlGetLastWin32Error
00CD175E 50 push eax ; kernel32.77E10000
00CD175F 8B85 D0ACFFFF mov eax,dword ptr ss:[ebp+FFFFACD0]
00CD1765 50 push eax ; kernel32.77E10000
00CD1766 68 1467CF00 push 0CF6714 ; ASCII "File ""%s"", error %d"
00CD176B 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00CD176E 8B51 04 mov edx,dword ptr ds:[ecx+4]
00CD1771 52 push edx ; ntdll.77FB2340
00CD1772 E8 67B80000 call 00CDCFDE
00CD1777 83C4 10 add esp,10
00CD177A 33C0 xor eax,eax ; kernel32.77E10000
00CD177C E9 BD120000 jmp 00CD2A3E
00CD1781 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
00CD1787 50 push eax ; kernel32.77E10000
00CD1788 E8 F352FEFF call 00CB6A80
00CD178D 83C4 04 add esp,4
00CD1790 C785 48D7FFFF 0000>mov dword ptr ss:[ebp-28B8],0
00CD179A 8B0D EC0AD000 mov ecx,dword ptr ds:[D00AEC] ; fraps2.00400000
00CD17A0 898D B4ADFFFF mov dword ptr ss:[ebp+FFFFADB4],ecx ; kernel32.77E18172
00CD17A6 8B95 4CD7FFFF mov edx,dword ptr ss:[ebp-28B4]
00CD17AC 3B95 B4ADFFFF cmp edx,dword ptr ss:[ebp+FFFFADB4]
00CD17B2 75 0F jnz short 00CD17C3
00CD17B4 C785 48D7FFFF B0C0>mov dword ptr ss:[ebp-28B8],0CFC0B0
00CD17BE E9 D9000000 jmp 00CD189C
00CD17C3 C785 28D5FFFF 0000>mov dword ptr ss:[ebp-2AD8],0
00CD17CD C785 24D5FFFF 3CC2>mov dword ptr ss:[ebp-2ADC],0CFC23C
00CD17D7 EB 1E jmp short 00CD17F7
00CD17D9 8B85 24D5FFFF mov eax,dword ptr ss:[ebp-2ADC]
00CD17DF 83C0 0C add eax,0C
00CD17E2 8985 24D5FFFF mov dword ptr ss:[ebp-2ADC],eax ; kernel32.77E10000
00CD17E8 8B8D 28D5FFFF mov ecx,dword ptr ss:[ebp-2AD8]
00CD17EE 83C1 01 add ecx,1
00CD17F1 898D 28D5FFFF mov dword ptr ss:[ebp-2AD8],ecx ; kernel32.77E18172
00CD17F7 8B95 24D5FFFF mov edx,dword ptr ss:[ebp-2ADC]
00CD17FD 833A 00 cmp dword ptr ds:[edx],0
00CD1800 0F84 96000000 je 00CD189C
00CD1806 8B85 24D5FFFF mov eax,dword ptr ss:[ebp-2ADC]
00CD180C 8B48 08 mov ecx,dword ptr ds:[eax+8]
00CD180F 83E1 01 and ecx,1
00CD1812 74 36 je short 00CD184A
00CD1814 BA 0E000000 mov edx,0E
00CD1819 C1E2 02 shl edx,2
00CD181C A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD1821 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD1827 8B35 D40AD000 mov esi,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD182D 8B5E 1C mov ebx,dword ptr ds:[esi+1C]
00CD1830 3319 xor ebx,dword ptr ds:[ecx]
00CD1832 331C10 xor ebx,dword ptr ds:[eax+edx]
00CD1835 81E3 80000000 and ebx,80
00CD183B F7DB neg ebx
00CD183D 1BDB sbb ebx,ebx
00CD183F F7DB neg ebx
00CD1841 0FB6D3 movzx edx,bl
00CD1844 85D2 test edx,edx ; ntdll.77FB2340
00CD1846 74 02 je short 00CD184A
00CD1848 ^ EB 8F jmp short 00CD17D9
00CD184A A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD184F 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD1855 8B15 D40AD000 mov edx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD185B 8B35 D40AD000 mov esi,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD1861 8BB6 80000000 mov esi,dword ptr ds:[esi+80]
00CD1867 3332 xor esi,dword ptr ds:[edx] ; ntdll.77FB2360
00CD1869 3371 2C xor esi,dword ptr ds:[ecx+2C]
00CD186C 3370 24 xor esi,dword ptr ds:[eax+24]
00CD186F 8B85 28D5FFFF mov eax,dword ptr ss:[ebp-2AD8]
00CD1875 8B0D 1C2FD000 mov ecx,dword ptr ds:[D02F1C]
00CD187B 333481 xor esi,dword ptr ds:[ecx+eax*4]
00CD187E 39B5 4CD7FFFF cmp dword ptr ss:[ebp-28B4],esi ; fraps2.004B1368
00CD1884 75 11 jnz short 00CD1897
00CD1886 8B95 24D5FFFF mov edx,dword ptr ss:[ebp-2ADC]
00CD188C 8B42 04 mov eax,dword ptr ds:[edx+4]
00CD188F 8985 48D7FFFF mov dword ptr ss:[ebp-28B8],eax ; kernel32.77E10000
00CD1895 EB 05 jmp short 00CD189C
00CD1897 ^ E9 3DFFFFFF jmp 00CD17D9
00CD189C C685 57D7FFFF 00 mov byte ptr ss:[ebp-28A9],0
00CD18A3 83BD DCD9FFFF 00 cmp dword ptr ss:[ebp-2624],0
00CD18AA 75 34 jnz short 00CD18E0
00CD18AC 8A0D AC0AD000 mov cl,byte ptr ds:[D00AAC]
00CD18B2 888D B3ADFFFF mov byte ptr ss:[ebp+FFFFADB3],cl
00CD18B8 0FB695 B3ADFFFF movzx edx,byte ptr ss:[ebp+FFFFADB3]
00CD18BF 85D2 test edx,edx ; ntdll.77FB2340
00CD18C1 74 1D je short 00CD18E0
00CD18C3 8B85 38D6FFFF mov eax,dword ptr ss:[ebp-29C8]
00CD18C9 3B45 EC cmp eax,dword ptr ss:[ebp-14]
00CD18CC 72 12 jb short 00CD18E0
00CD18CE 8B8D 38D6FFFF mov ecx,dword ptr ss:[ebp-29C8]
00CD18D4 3B4D F4 cmp ecx,dword ptr ss:[ebp-C]
00CD18D7 73 07 jnb short 00CD18E0
00CD18D9 C685 57D7FFFF 01 mov byte ptr ss:[ebp-28A9],1
00CD18E0 8B95 58D7FFFF mov edx,dword ptr ss:[ebp-28A8]
00CD18E6 83C2 01 add edx,1
00CD18E9 8995 58D7FFFF mov dword ptr ss:[ebp-28A8],edx ; ntdll.77FB2340
00CD18EF 83BD DCD9FFFF 00 cmp dword ptr ss:[ebp-2624],0
00CD18F6 74 4D je short 00CD1945
00CD18F8 8B85 38D6FFFF mov eax,dword ptr ss:[ebp-29C8]
00CD18FE 2B85 7CDAFFFF sub eax,dword ptr ss:[ebp-2584]
00CD1904 C1E8 02 shr eax,2
00CD1907 8985 20D5FFFF mov dword ptr ss:[ebp-2AE0],eax ; kernel32.77E10000
00CD190D 8B8D 20D5FFFF mov ecx,dword ptr ss:[ebp-2AE0]
00CD1913 8B95 DCD9FFFF mov edx,dword ptr ss:[ebp-2624]
00CD1919 8D048A lea eax,dword ptr ds:[edx+ecx*4]
00CD191C 8985 50DAFFFF mov dword ptr ss:[ebp-25B0],eax ; kernel32.77E10000
00CD1922 8B8D 50DAFFFF mov ecx,dword ptr ss:[ebp-25B0]
00CD1928 898D 84DBFFFF mov dword ptr ss:[ebp-247C],ecx ; kernel32.77E18172
00CD192E 8B95 B0D9FFFF mov edx,dword ptr ss:[ebp-2650]
00CD1934 8B85 DCD9FFFF mov eax,dword ptr ss:[ebp-2624]
00CD193A 8D0C90 lea ecx,dword ptr ds:[eax+edx*4]
00CD193D 898D 68DAFFFF mov dword ptr ss:[ebp-2598],ecx ; kernel32.77E18172
00CD1943 EB 68 jmp short 00CD19AD
00CD1945 0FB695 57D7FFFF movzx edx,byte ptr ss:[ebp-28A9]
00CD194C 85D2 test edx,edx ; ntdll.77FB2340
00CD194E 74 3F je short 00CD198F
00CD1950 33C9 xor ecx,ecx ; kernel32.77E18172
00CD1952 8B85 58D7FFFF mov eax,dword ptr ss:[ebp-28A8]
00CD1958 BA 04000000 mov edx,4
00CD195D F7E2 mul edx ; ntdll.77FB2340
00CD195F 0F90C1 seto cl
00CD1962 F7D9 neg ecx ; kernel32.77E18172
00CD1964 0BC8 or ecx,eax ; kernel32.77E10000
00CD1966 51 push ecx ; kernel32.77E18172
00CD1967 E8 43BA0000 call 00CDD3AF
00CD196C 83C4 04 add esp,4
00CD196F 8985 A8AEFFFF mov dword ptr ss:[ebp+FFFFAEA8],eax ; kernel32.77E10000
00CD1975 8B85 A8AEFFFF mov eax,dword ptr ss:[ebp+FFFFAEA8]
00CD197B 8985 50DAFFFF mov dword ptr ss:[ebp-25B0],eax ; kernel32.77E10000
00CD1981 8B8D 50DAFFFF mov ecx,dword ptr ss:[ebp-25B0]
00CD1987 898D 84DBFFFF mov dword ptr ss:[ebp-247C],ecx ; kernel32.77E18172
00CD198D EB 1E jmp short 00CD19AD
00CD198F 8B95 74DAFFFF mov edx,dword ptr ss:[ebp-258C]
00CD1995 0395 38D6FFFF add edx,dword ptr ss:[ebp-29C8]
00CD199B 8995 84DBFFFF mov dword ptr ss:[ebp-247C],edx ; ntdll.77FB2340
00CD19A1 8B85 84DBFFFF mov eax,dword ptr ss:[ebp-247C]
00CD19A7 8985 50DAFFFF mov dword ptr ss:[ebp-25B0],eax ; kernel32.77E10000
00CD19AD 83BD DCD9FFFF 00 cmp dword ptr ss:[ebp-2624],0
00CD19B4 0F85 BD000000 jnz 00CD1A77
00CD19BA 8D8D 5CD7FFFF lea ecx,dword ptr ss:[ebp-28A4]
00CD19C0 51 push ecx ; kernel32.77E18172
00CD19C1 6A 04 push 4
00CD19C3 8B95 58D7FFFF mov edx,dword ptr ss:[ebp-28A8]
00CD19C9 C1E2 02 shl edx,2
00CD19CC 52 push edx ; ntdll.77FB2340
00CD19CD 8B85 74DAFFFF mov eax,dword ptr ss:[ebp-258C]
00CD19D3 0385 38D6FFFF add eax,dword ptr ss:[ebp-29C8]
00CD19D9 50 push eax ; kernel32.77E10000
00CD19DA FF15 1831CF00 call dword ptr ds:[CF3118] ; kernel32.VirtualProtect
00CD19E0 6A 14 push 14
00CD19E2 E8 2CB40000 call 00CDCE13
00CD19E7 83C4 04 add esp,4
00CD19EA 8985 A4AEFFFF mov dword ptr ss:[ebp+FFFFAEA4],eax ; kernel32.77E10000
00CD19F0 83BD A4AEFFFF 00 cmp dword ptr ss:[ebp+FFFFAEA4],0
00CD19F7 74 59 je short 00CD1A52
00CD19F9 8B0D 8CA3D000 mov ecx,dword ptr ds:[D0A38C]
00CD19FF 898D ACADFFFF mov dword ptr ss:[ebp+FFFFADAC],ecx ; kernel32.77E18172
00CD1A05 8B95 74DAFFFF mov edx,dword ptr ss:[ebp-258C]
00CD1A0B 0395 38D6FFFF add edx,dword ptr ss:[ebp-29C8]
00CD1A11 8B85 A4AEFFFF mov eax,dword ptr ss:[ebp+FFFFAEA4]
00CD1A17 8910 mov dword ptr ds:[eax],edx ; ntdll.77FB2340
00CD1A19 8B8D 58D7FFFF mov ecx,dword ptr ss:[ebp-28A8]
00CD1A1F C1E1 02 shl ecx,2
00CD1A22 8B95 A4AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA4]
00CD1A28 894A 04 mov dword ptr ds:[edx+4],ecx ; kernel32.77E18172
00CD1A2B 8B85 A4AEFFFF mov eax,dword ptr ss:[ebp+FFFFAEA4]
00CD1A31 C640 0C 00 mov byte ptr ds:[eax+C],0
00CD1A35 8B8D A4AEFFFF mov ecx,dword ptr ss:[ebp+FFFFAEA4]
00CD1A3B 8B95 ACADFFFF mov edx,dword ptr ss:[ebp+FFFFADAC]
00CD1A41 8951 10 mov dword ptr ds:[ecx+10],edx ; ntdll.77FB2340
00CD1A44 8B85 A4AEFFFF mov eax,dword ptr ss:[ebp+FFFFAEA4]
00CD1A4A 8985 CCACFFFF mov dword ptr ss:[ebp+FFFFACCC],eax ; kernel32.77E10000
00CD1A50 EB 0A jmp short 00CD1A5C
00CD1A52 C785 CCACFFFF 0000>mov dword ptr ss:[ebp+FFFFACCC],0
00CD1A5C 8B8D CCACFFFF mov ecx,dword ptr ss:[ebp+FFFFACCC]
00CD1A62 890D 8CA3D000 mov dword ptr ds:[D0A38C],ecx ; kernel32.77E18172
00CD1A68 8B15 8CA3D000 mov edx,dword ptr ds:[D0A38C]
00CD1A6E 8B85 5CD7FFFF mov eax,dword ptr ss:[ebp-28A4]
00CD1A74 8942 08 mov dword ptr ds:[edx+8],eax ; kernel32.77E10000
00CD1A77 C785 60D7FFFF 0000>mov dword ptr ss:[ebp-28A0],0
00CD1A81 FF15 4033CF00 call dword ptr ds:[CF3340] ; kernel32.GetTickCount
00CD1A87 8985 50D7FFFF mov dword ptr ss:[ebp-28B0],eax ; kernel32.77E10000
00CD1A8D B9 01000000 mov ecx,1
00CD1A92 85C9 test ecx,ecx ; kernel32.77E18172
00CD1A94 0F84 C4030000 je 00CD1E5E
00CD1A9A 8B95 8CDBFFFF mov edx,dword ptr ss:[ebp-2474]
00CD1AA0 66:8B02 mov ax,word ptr ds:[edx]
00CD1AA3 66:8985 1CD5FFFF mov word ptr ss:[ebp-2AE4],ax
00CD1AAA 8B8D 8CDBFFFF mov ecx,dword ptr ss:[ebp-2474]
00CD1AB0 83C1 02 add ecx,2
00CD1AB3 898D 8CDBFFFF mov dword ptr ss:[ebp-2474],ecx ; kernel32.77E18172
00CD1AB9 0FB795 1CD5FFFF movzx edx,word ptr ss:[ebp-2AE4]
00CD1AC0 52 push edx ; ntdll.77FB2340
00CD1AC1 8B85 8CDBFFFF mov eax,dword ptr ss:[ebp-2474]
00CD1AC7 50 push eax ; kernel32.77E10000
00CD1AC8 8D8D 18CDFFFF lea ecx,dword ptr ss:[ebp-32E8]
00CD1ACE 51 push ecx ; kernel32.77E18172
00CD1ACF E8 7CAF0000 call 00CDCA50
00CD1AD4 83C4 0C add esp,0C
00CD1AD7 0FB795 1CD5FFFF movzx edx,word ptr ss:[ebp-2AE4]
00CD1ADE 0395 8CDBFFFF add edx,dword ptr ss:[ebp-2474]
00CD1AE4 8995 8CDBFFFF mov dword ptr ss:[ebp-2474],edx ; ntdll.77FB2340
00CD1AEA 66:C785 0CC5FFFF 0>mov word ptr ss:[ebp-3AF4],0
00CD1AF3 A0 5835CF00 mov al,byte ptr ds:[CF3558]
00CD1AF8 8885 10C5FFFF mov byte ptr ss:[ebp-3AF0],al
00CD1AFE 68 FF070000 push 7FF
00CD1B03 6A 00 push 0
00CD1B05 8D8D 11C5FFFF lea ecx,dword ptr ss:[ebp-3AEF]
00CD1B0B 51 push ecx ; kernel32.77E18172
00CD1B0C E8 7FB30000 call 00CDCE90
00CD1B11 83C4 0C add esp,0C
00CD1B14 0FB795 1CD5FFFF movzx edx,word ptr ss:[ebp-2AE4]
00CD1B1B 85D2 test edx,edx ; ntdll.77FB2340
00CD1B1D 74 70 je short 00CD1B8F
00CD1B1F 8D8D CCD9FFFF lea ecx,dword ptr ss:[ebp-2634]
00CD1B25 E8 E63CFDFF call 00CA5810
00CD1B2A 8985 08C5FFFF mov dword ptr ss:[ebp-3AF8],eax ; kernel32.77E10000
00CD1B30 6A 00 push 0
00CD1B32 0FB785 1CD5FFFF movzx eax,word ptr ss:[ebp-2AE4]
00CD1B39 50 push eax ; kernel32.77E10000
00CD1B3A 8D8D 18CDFFFF lea ecx,dword ptr ss:[ebp-32E8]
00CD1B40 51 push ecx ; kernel32.77E18172
00CD1B41 8B95 08C5FFFF mov edx,dword ptr ss:[ebp-3AF8]
00CD1B47 52 push edx ; ntdll.77FB2340
00CD1B48 E8 A3A80000 call 00CDC3F0
00CD1B4D 83C4 10 add esp,10
00CD1B50 0FB685 18CDFFFF movzx eax,byte ptr ss:[ebp-32E8]
00CD1B57 3D FF000000 cmp eax,0FF
00CD1B5C 75 10 jnz short 00CD1B6E
00CD1B5E 66:8B8D 19CDFFFF mov cx,word ptr ss:[ebp-32E7]
00CD1B65 66:898D 0CC5FFFF mov word ptr ss:[ebp-3AF4],cx
00CD1B6C EB 21 jmp short 00CD1B8F
00CD1B6E 0FBE95 18CDFFFF movsx edx,byte ptr ss:[ebp-32E8]
00CD1B75 85D2 test edx,edx ; ntdll.77FB2340
00CD1B77 74 16 je short 00CD1B8F
00CD1B79 8D85 18CDFFFF lea eax,dword ptr ss:[ebp-32E8]
00CD1B7F 50 push eax ; kernel32.77E10000
00CD1B80 8D8D 10C5FFFF lea ecx,dword ptr ss:[ebp-3AF0]
00CD1B86 51 push ecx ; kernel32.77E18172
00CD1B87 E8 84B50000 call 00CDD110
00CD1B8C 83C4 08 add esp,8
00CD1B8F C785 14CDFFFF 0000>mov dword ptr ss:[ebp-32EC],0
00CD1B99 0FB795 0CC5FFFF movzx edx,word ptr ss:[ebp-3AF4]
00CD1BA0 85D2 test edx,edx ; ntdll.77FB2340
00CD1BA2 74 6E je short 00CD1C12
00CD1BA4 83BD 48D7FFFF 00 cmp dword ptr ss:[ebp-28B8],0
00CD1BAB 74 51 je short 00CD1BFE
00CD1BAD 8B85 48D7FFFF mov eax,dword ptr ss:[ebp-28B8]
00CD1BB3 8985 04C5FFFF mov dword ptr ss:[ebp-3AFC],eax ; kernel32.77E10000
00CD1BB9 EB 0F jmp short 00CD1BCA
00CD1BBB 8B8D 04C5FFFF mov ecx,dword ptr ss:[ebp-3AFC]
00CD1BC1 83C1 0C add ecx,0C
00CD1BC4 898D 04C5FFFF mov dword ptr ss:[ebp-3AFC],ecx ; kernel32.77E18172
00CD1BCA 8B95 04C5FFFF mov edx,dword ptr ss:[ebp-3AFC]
00CD1BD0 837A 08 00 cmp dword ptr ds:[edx+8],0
00CD1BD4 74 28 je short 00CD1BFE
00CD1BD6 0FB785 0CC5FFFF movzx eax,word ptr ss:[ebp-3AF4]
00CD1BDD 8B8D 04C5FFFF mov ecx,dword ptr ss:[ebp-3AFC]
00CD1BE3 0FB751 04 movzx edx,word ptr ds:[ecx+4]
00CD1BE7 3BC2 cmp eax,edx ; ntdll.77FB2340
00CD1BE9 75 11 jnz short 00CD1BFC
00CD1BEB 8B85 04C5FFFF mov eax,dword ptr ss:[ebp-3AFC]
00CD1BF1 8B48 08 mov ecx,dword ptr ds:[eax+8]
00CD1BF4 898D 14CDFFFF mov dword ptr ss:[ebp-32EC],ecx ; kernel32.77E18172
00CD1BFA EB 02 jmp short 00CD1BFE
00CD1BFC ^ EB BD jmp short 00CD1BBB
00CD1BFE 8B95 60D7FFFF mov edx,dword ptr ss:[ebp-28A0]
00CD1C04 83C2 01 add edx,1
00CD1C07 8995 60D7FFFF mov dword ptr ss:[ebp-28A0],edx ; ntdll.77FB2340
00CD1C0D E9 DA000000 jmp 00CD1CEC
00CD1C12 0FBE85 10C5FFFF movsx eax,byte ptr ss:[ebp-3AF0]
00CD1C19 85C0 test eax,eax ; kernel32.77E10000
00CD1C1B 0F84 8D000000 je 00CD1CAE
00CD1C21 83BD 48D7FFFF 00 cmp dword ptr ss:[ebp-28B8],0
00CD1C28 74 73 je short 00CD1C9D
00CD1C2A 8B8D 48D7FFFF mov ecx,dword ptr ss:[ebp-28B8]
00CD1C30 898D 00C5FFFF mov dword ptr ss:[ebp-3B00],ecx ; kernel32.77E18172
00CD1C36 EB 0F jmp short 00CD1C47
00CD1C38 8B95 00C5FFFF mov edx,dword ptr ss:[ebp-3B00]
00CD1C3E 83C2 0C add edx,0C
00CD1C41 8995 00C5FFFF mov dword ptr ss:[ebp-3B00],edx ; ntdll.77FB2340
00CD1C47 8B85 00C5FFFF mov eax,dword ptr ss:[ebp-3B00]
00CD1C4D 8378 08 00 cmp dword ptr ds:[eax+8],0
00CD1C51 74 4A je short 00CD1C9D
00CD1C53 68 00010000 push 100
00CD1C58 8D8D 00C4FFFF lea ecx,dword ptr ss:[ebp-3C00]
00CD1C5E 51 push ecx ; kernel32.77E18172
00CD1C5F 8B95 00C5FFFF mov edx,dword ptr ss:[ebp-3B00]
00CD1C65 8B02 mov eax,dword ptr ds:[edx] ; ntdll.77FB2360
00CD1C67 50 push eax ; kernel32.77E10000
00CD1C68 E8 E3AC0000 call 00CDC950
00CD1C6D 83C4 0C add esp,0C
00CD1C70 8D8D 00C4FFFF lea ecx,dword ptr ss:[ebp-3C00]
00CD1C76 51 push ecx ; kernel32.77E18172
00CD1C77 8D95 10C5FFFF lea edx,dword ptr ss:[ebp-3AF0]
00CD1C7D 52 push edx ; ntdll.77FB2340
00CD1C7E E8 56ED0000 call 00CE09D9
00CD1C83 83C4 08 add esp,8
00CD1C86 85C0 test eax,eax ; kernel32.77E10000
00CD1C88 75 11 jnz short 00CD1C9B
00CD1C8A 8B85 00C5FFFF mov eax,dword ptr ss:[ebp-3B00]
00CD1C90 8B48 08 mov ecx,dword ptr ds:[eax+8]
00CD1C93 898D 14CDFFFF mov dword ptr ss:[ebp-32EC],ecx ; kernel32.77E18172
00CD1C99 EB 02 jmp short 00CD1C9D
00CD1C9B ^ EB 9B jmp short 00CD1C38
00CD1C9D 8B95 60D7FFFF mov edx,dword ptr ss:[ebp-28A0]
00CD1CA3 83C2 01 add edx,1
00CD1CA6 8995 60D7FFFF mov dword ptr ss:[ebp-28A0],edx ; ntdll.77FB2340
00CD1CAC EB 3E jmp short 00CD1CEC
00CD1CAE 68 00010000 push 100
00CD1CB3 8D8D 58DAFFFF lea ecx,dword ptr ss:[ebp-25A8]
00CD1CB9 E8 F286FCFF call 00C9A3B0
00CD1CBE 0FB6C0 movzx eax,al
00CD1CC1 99 cdq
00CD1CC2 B9 14000000 mov ecx,14
00CD1CC7 F7F9 idiv ecx ; kernel32.77E18172
00CD1CC9 8B85 50DAFFFF mov eax,dword ptr ss:[ebp-25B0]
00CD1CCF 8B8C95 F8D9FFFF mov ecx,dword ptr ss:[ebp+edx*4-2608]
00CD1CD6 8908 mov dword ptr ds:[eax],ecx ; kernel32.77E18172
00CD1CD8 8B95 50DAFFFF mov edx,dword ptr ss:[ebp-25B0]
00CD1CDE 83C2 04 add edx,4
00CD1CE1 8995 50DAFFFF mov dword ptr ss:[ebp-25B0],edx ; ntdll.77FB2340
00CD1CE7 E9 72010000 jmp 00CD1E5E
00CD1CEC 83BD 14CDFFFF 00 cmp dword ptr ss:[ebp-32EC],0
00CD1CF3 75 44 jnz short 00CD1D39
00CD1CF5 0FB785 0CC5FFFF movzx eax,word ptr ss:[ebp-3AF4]
00CD1CFC 85C0 test eax,eax ; kernel32.77E10000
00CD1CFE 74 0F je short 00CD1D0F
00CD1D00 0FB78D 0CC5FFFF movzx ecx,word ptr ss:[ebp-3AF4]
00CD1D07 898D C8ACFFFF mov dword ptr ss:[ebp+FFFFACC8],ecx ; kernel32.77E18172
00CD1D0D EB 0C jmp short 00CD1D1B
00CD1D0F 8D95 10C5FFFF lea edx,dword ptr ss:[ebp-3AF0]
00CD1D15 8995 C8ACFFFF mov dword ptr ss:[ebp+FFFFACC8],edx ; ntdll.77FB2340
00CD1D1B 6A 01 push 1
00CD1D1D 8B85 C8ACFFFF mov eax,dword ptr ss:[ebp+FFFFACC8]
00CD1D23 50 push eax ; kernel32.77E10000
00CD1D24 8B8D 4CD7FFFF mov ecx,dword ptr ss:[ebp-28B4]
00CD1D2A 51 push ecx ; kernel32.77E18172
00CD1D2B E8 905AFEFF call 00CB77C0
00CD1D30 83C4 0C add esp,0C
00CD1D33 8985 14CDFFFF mov dword ptr ss:[ebp-32EC],eax ; kernel32.77E10000
00CD1D39 83BD 14CDFFFF 00 cmp dword ptr ss:[ebp-32EC],0
00CD1D40 75 44 jnz short 00CD1D86
00CD1D42 0FB795 0CC5FFFF movzx edx,word ptr ss:[ebp-3AF4]
00CD1D49 85D2 test edx,edx ; ntdll.77FB2340
00CD1D4B 74 0F je short 00CD1D5C
00CD1D4D 0FB785 0CC5FFFF movzx eax,word ptr ss:[ebp-3AF4]
00CD1D54 8985 C4ACFFFF mov dword ptr ss:[ebp+FFFFACC4],eax ; kernel32.77E10000
00CD1D5A EB 0C jmp short 00CD1D68
00CD1D5C 8D8D 10C5FFFF lea ecx,dword ptr ss:[ebp-3AF0]
00CD1D62 898D C4ACFFFF mov dword ptr ss:[ebp+FFFFACC4],ecx ; kernel32.77E18172
00CD1D68 6A 00 push 0
00CD1D6A 8B95 C4ACFFFF mov edx,dword ptr ss:[ebp+FFFFACC4]
00CD1D70 52 push edx ; ntdll.77FB2340
00CD1D71 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
00CD1D77 50 push eax ; kernel32.77E10000
00CD1D78 E8 435AFEFF call 00CB77C0
00CD1D7D 83C4 0C add esp,0C
00CD1D80 8985 14CDFFFF mov dword ptr ss:[ebp-32EC],eax ; kernel32.77E10000
00CD1D86 83BD 14CDFFFF 00 cmp dword ptr ss:[ebp-32EC],0
00CD1D8D 0F85 9B000000 jnz 00CD1E2E
00CD1D93 0FB78D 0CC5FFFF movzx ecx,word ptr ss:[ebp-3AF4]
00CD1D9A 85C9 test ecx,ecx ; kernel32.77E18172
00CD1D9C 74 55 je short 00CD1DF3
00CD1D9E FF15 0433CF00 call dword ptr ds:[CF3304] ; ntdll.RtlGetLastWin32Error
00CD1DA4 83F8 32 cmp eax,32
00CD1DA7 75 0C jnz short 00CD1DB5
00CD1DA9 C785 14CDFFFF B077>mov dword ptr ss:[ebp-32EC],0CB77B0
00CD1DB3 EB 3C jmp short 00CD1DF1
00CD1DB5 8B55 08 mov edx,dword ptr ss:[ebp+8]
00CD1DB8 8B02 mov eax,dword ptr ds:[edx] ; ntdll.77FB2360
00CD1DBA C700 03000000 mov dword ptr ds:[eax],3
00CD1DC0 FF15 0433CF00 call dword ptr ds:[CF3304] ; ntdll.RtlGetLastWin32Error
00CD1DC6 50 push eax ; kernel32.77E10000
00CD1DC7 0FB78D 0CC5FFFF movzx ecx,word ptr ss:[ebp-3AF4]
00CD1DCE 51 push ecx ; kernel32.77E18172
00CD1DCF 8B95 3CD6FFFF mov edx,dword ptr ss:[ebp-29C4]
00CD1DD5 52 push edx ; ntdll.77FB2340
00CD1DD6 68 F066CF00 push 0CF66F0 ; ASCII "File ""%s"", ordinal %d (error %d)"
00CD1DDB 8B45 08 mov eax,dword ptr ss:[ebp+8]
00CD1DDE 8B48 04 mov ecx,dword ptr ds:[eax+4]
00CD1DE1 51 push ecx ; kernel32.77E18172
00CD1DE2 E8 F7B10000 call 00CDCFDE
00CD1DE7 83C4 14 add esp,14
00CD1DEA 33C0 xor eax,eax ; kernel32.77E10000
00CD1DEC E9 4D0C0000 jmp 00CD2A3E
00CD1DF1 EB 3B jmp short 00CD1E2E
00CD1DF3 8B55 08 mov edx,dword ptr ss:[ebp+8]
00CD1DF6 8B02 mov eax,dword ptr ds:[edx] ; ntdll.77FB2360
00CD1DF8 C700 03000000 mov dword ptr ds:[eax],3
00CD1DFE FF15 0433CF00 call dword ptr ds:[CF3304] ; ntdll.RtlGetLastWin32Error
00CD1E04 50 push eax ; kernel32.77E10000
00CD1E05 8D8D 10C5FFFF lea ecx,dword ptr ss:[ebp-3AF0]
00CD1E0B 51 push ecx ; kernel32.77E18172
00CD1E0C 8B95 3CD6FFFF mov edx,dword ptr ss:[ebp-29C4]
00CD1E12 52 push edx ; ntdll.77FB2340
00CD1E13 68 CC66CF00 push 0CF66CC ; ASCII "File ""%s"", function ""%s"" (error
%d)"
00CD1E18 8B45 08 mov eax,dword ptr ss:[ebp+8]
00CD1E1B 8B48 04 mov ecx,dword ptr ds:[eax+4]
00CD1E1E 51 push ecx ; kernel32.77E18172
00CD1E1F E8 BAB10000 call 00CDCFDE
00CD1E24 83C4 14 add esp,14
00CD1E27 33C0 xor eax,eax ; kernel32.77E10000
00CD1E29 E9 100C0000 jmp 00CD2A3E
00CD1E2E 8B95 50DAFFFF mov edx,dword ptr ss:[ebp-25B0]
00CD1E34 3B95 68DAFFFF cmp edx,dword ptr ss:[ebp-2598]
00CD1E3A 73 1D jnb short 00CD1E59
00CD1E3C 8B85 50DAFFFF mov eax,dword ptr ss:[ebp-25B0]
00CD1E42 8B8D 14CDFFFF mov ecx,dword ptr ss:[ebp-32EC]
00CD1E48 8908 mov dword ptr ds:[eax],ecx ; kernel32.77E18172
00CD1E4A 8B95 50DAFFFF mov edx,dword ptr ss:[ebp-25B0]
00CD1E50 83C2 04 add edx,4
00CD1E53 8995 50DAFFFF mov dword ptr ss:[ebp-25B0],edx ; ntdll.77FB2340
00CD1E59 ^ E9 2FFCFFFF jmp 00CD1A8D
00CD1E5E FF15 4033CF00 call dword ptr ds:[CF3340] ; kernel32.GetTickCount
00CD1E64 2B85 50D7FFFF sub eax,dword ptr ss:[ebp-28B0]
00CD1E6A 8B8D 60D7FFFF mov ecx,dword ptr ss:[ebp-28A0]
00CD1E70 6BC9 32 imul ecx,ecx,32 ; kernel32.77E18172
00CD1E73 81C1 D0070000 add ecx,7D0
00CD1E79 3BC1 cmp eax,ecx ; kernel32.77E18172
00CD1E7B 76 07 jbe short 00CD1E84
00CD1E7D C685 CBD9FFFF 01 mov byte ptr ss:[ebp-2635],1
00CD1E84 83BD DCD9FFFF 00 cmp dword ptr ss:[ebp-2624],0
00CD1E8B 0F85 92000000 jnz 00CD1F23
00CD1E91 0FB695 57D7FFFF movzx edx,byte ptr ss:[ebp-28A9]
00CD1E98 85D2 test edx,edx ; ntdll.77FB2340
00CD1E9A 0F84 83000000 je 00CD1F23
00CD1EA0 6A 00 push 0
00CD1EA2 8B85 58D7FFFF mov eax,dword ptr ss:[ebp-28A8]
00CD1EA8 C1E0 02 shl eax,2
00CD1EAB 50 push eax ; kernel32.77E10000
00CD1EAC 8B8D 74DAFFFF mov ecx,dword ptr ss:[ebp-258C]
00CD1EB2 038D 38D6FFFF add ecx,dword ptr ss:[ebp-29C8]
00CD1EB8 51 push ecx ; kernel32.77E18172
00CD1EB9 E8 E21B0000 call 00CD3AA0
00CD1EBE 83C4 0C add esp,0C
00CD1EC1 8B95 58D7FFFF mov edx,dword ptr ss:[ebp-28A8]
00CD1EC7 C1E2 02 shl edx,2
00CD1ECA 52 push edx ; ntdll.77FB2340
00CD1ECB 8B85 84DBFFFF mov eax,dword ptr ss:[ebp-247C]
00CD1ED1 50 push eax ; kernel32.77E10000
00CD1ED2 8B8D 74DAFFFF mov ecx,dword ptr ss:[ebp-258C]
00CD1ED8 038D 38D6FFFF add ecx,dword ptr ss:[ebp-29C8]
00CD1EDE 51 push ecx ; kernel32.77E18172
00CD1EDF E8 6CAB0000 call 00CDCA50
00CD1EE4 83C4 0C add esp,0C
00CD1EE7 6A 01 push 1
00CD1EE9 8B95 58D7FFFF mov edx,dword ptr ss:[ebp-28A8]
00CD1EEF C1E2 02 shl edx,2
00CD1EF2 52 push edx ; ntdll.77FB2340
00CD1EF3 8B85 74DAFFFF mov eax,dword ptr ss:[ebp-258C]
00CD1EF9 0385 38D6FFFF add eax,dword ptr ss:[ebp-29C8]
00CD1EFF 50 push eax ; kernel32.77E10000
00CD1F00 E8 9B1B0000 call 00CD3AA0
00CD1F05 83C4 0C add esp,0C
00CD1F08 8B8D 84DBFFFF mov ecx,dword ptr ss:[ebp-247C]
00CD1F0E 898D A0AEFFFF mov dword ptr ss:[ebp+FFFFAEA0],ecx ; kernel32.77E18172
00CD1F14 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0]
00CD1F1A 52 push edx ; ntdll.77FB2340
00CD1F1B E8 44B40000 call 00CDD364
00CD1F20 83C4 04 add esp,4
00CD1F23 ^ E9 91F6FFFF jmp 00CD15B9
00CD1F28 8B85 88DBFFFF mov eax,dword ptr ss:[ebp-2478]
//在此设置断点即可解密至此,解密IAT告一段落。
---------------------------------------------------------------------------------------------------
二、OEP:飞向光明之巅
BP GetCurrentThreadId [ESP]<10000000
Shift+F9运行复制内容到剪贴板代码:
77E119F7 k> 64:A1 18000000 mov eax,dword ptr fs:[18]
//断在这里取消该断点 F8
77E119FD 8B40 24 mov eax,dword ptr ds:[eax+24]
77E11A00 C3 retn复制内容到剪贴板代码:
00CB735C 50 push eax
00CB735D 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00CB7360 51 push ecx ; kernel32.77E1673A
00CB7361 E8 0A000000 call 00CB7370
00CB7366 83C4 0C add esp,0C
00CB7369 8BE5 mov esp,ebp
00CB736B 5D pop ebp
00CB736C C3 retn复制内容到剪贴板代码:
00CD56C6 6A 00 push 0
00CD56C8 E8 F38DFEFF call 00CBE4C0
00CD56CD 83C4 04 add esp,4
00CD56D0 B9 8804D000 mov ecx,0D00488
00CD56D5 E8 D658FCFF call 00C9AFB0
00CD56DA 0FB6D0 movzx edx,al
00CD56DD 85D2 test edx,edx
00CD56DF 74 0C je short 00CD56ED
00CD56E1 6A 01 push 1
00CD56E3 B9 8804D000 mov ecx,0D00488
00CD56E8 E8 633BFDFF call 00CA9250
00CD56ED C705 38C7CF00 586B>mov dword ptr ds:[CFC738],0CF6B58
00CD56F7 B9 80CCD000 mov ecx,0D0CC80
00CD56FC E8 3F730000 call 00CDCA40
00CD5701 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00CD5708 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00CD570B 50 push eax
00CD570C 68 E057CD00 push 0CD57E0
00CD5711 FF15 4401D000 call dword ptr ds:[D00144]
00CD5717 83C4 08 add esp,8
00CD571A 8B0D EC0AD000 mov ecx,dword ptr ds:[D00AEC] ; fraps2.00400000
00CD5720 894D E4 mov dword ptr ss:[ebp-1C],ecx
00CD5723 BA 02000000 mov edx,2
00CD5728 C1E2 02 shl edx,2
00CD572B A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD5730 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD5736 8B35 D40AD000 mov esi,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD573C 8B76 7C mov esi,dword ptr ds:[esi+7C]
00CD573F 3331 xor esi,dword ptr ds:[ecx]
00CD5741 333410 xor esi,dword ptr ds:[eax+edx]
00CD5744 0375 E4 add esi,dword ptr ss:[ebp-1C] ; fraps2.004B8CD0
00CD5747 8975 F4 mov dword ptr ss:[ebp-C],esi
00CD574A 8B55 08 mov edx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD574D 833A 00 cmp dword ptr ds:[edx],0
00CD5750 75 3D jnz short 00CD578F
00CD5752 A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD5757 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD575D 8B50 4C mov edx,dword ptr ds:[eax+4C]
00CD5760 3311 xor edx,dword ptr ds:[ecx]
00CD5762 A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD5767 3350 0C xor edx,dword ptr ds:[eax+C]
00CD576A 8955 E0 mov dword ptr ss:[ebp-20],edx
00CD576D 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD5770 8B51 18 mov edx,dword ptr ds:[ecx+18]
00CD5773 52 push edx
00CD5774 8B45 08 mov eax,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD5777 8B48 14 mov ecx,dword ptr ds:[eax+14]
00CD577A 51 push ecx
00CD577B 8B55 08 mov edx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD577E 8B42 10 mov eax,dword ptr ds:[edx+10]
00CD5781 50 push eax
00CD5782 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00CD5785 2B4D E0 sub ecx,dword ptr ss:[ebp-20] ; fraps2.00489CF0
00CD5788 FFD1 call ecx
00CD578A 8945 FC mov dword ptr ss:[ebp-4],eax
00CD578D EB 45 jmp short 00CD57D4
00CD578F 8B55 08 mov edx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD5792 833A 01 cmp dword ptr ds:[edx],1
00CD5795 75 3D jnz short 00CD57D4
00CD5797 A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD579C 8B0D D40AD000 mov ecx,dword ptr ds:[D00AD4] ; fraps2.004B1368
00CD57A2 8B50 4C mov edx,dword ptr ds:[eax+4C]
00CD57A5 3311 xor edx,dword ptr ds:[ecx]
00CD57A7 A1 D40AD000 mov eax,dword ptr ds:[D00AD4]
00CD57AC 3350 0C xor edx,dword ptr ds:[eax+C]
00CD57AF 8955 DC mov dword ptr ss:[ebp-24],edx
00CD57B2 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD57B5 8B51 04 mov edx,dword ptr ds:[ecx+4]
00CD57B8 52 push edx
00CD57B9 8B45 08 mov eax,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD57BC 8B48 08 mov ecx,dword ptr ds:[eax+8]
00CD57BF 51 push ecx
00CD57C0 6A 00 push 0
00CD57C2 8B55 08 mov edx,dword ptr ss:[ebp+8] ; fraps2.004B7E48
00CD57C5 8B42 0C mov eax,dword ptr ds:[edx+C]
00CD57C8 50 push eax
00CD57C9 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00CD57CC 2B4D DC sub ecx,dword ptr ss:[ebp-24]
00CD57CF FFD1 call ecx
//前辈的经验告诉我们这里就是OEP->F7跟进复制内容到剪贴板代码:
0040FCDA E8 37470000 call 00414416 ; fraps2.00414416
//OEP!光明之巅
0040FCDF ^ E9 16FEFFFF jmp 0040FAFA ; fraps2.0040FAFA-复制内容到剪贴板代码:
00414416 55 push ebp ; (Initial CPU selection)
00414417 8BEC mov ebp,esp
00414419 83EC 10 sub esp,10
0041441C A1 60F24300 mov eax,dword ptr ds:[43F260]
00414421 8365 F8 00 and dword ptr ss:[ebp-8],0
00414425 8365 FC 00 and dword ptr ss:[ebp-4],0
00414429 - E9 2A804101 jmp 0182C458
0041442E 91 xchg eax,ecx ; fraps2.0040FCDA
0041442F 91 xchg eax,ecx ; fraps2.0040FCDA
00414430 3BC7 cmp eax,edi
00414432 - E9 38804101 jmp 0182C46F
00414437 74 0D je short 00414446 ; fraps2.00414446
00414439 85C3 test ebx,eax ; fraps2.00400000
0041443B 74 09 je short 00414446 ; fraps2.00414446
0041443D - E9 3D804101 jmp 0182C47F
00414442 97 xchg eax,edi
00414443 97 xchg eax,edi
00414444 EB 60 jmp short 004144A6 ; fraps2.004144A6
00414446 56 push esi
00414447 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0041444A 50 push eax ; fraps2.00400000
0041444B FF15 AC4AE300 call dword ptr ds:[E34AAC] ; kernel32.GetSystemTimeAsFileTime
00414451 8B75 FC mov esi,dword ptr ss:[ebp-4]
00414454 3375 F8 xor esi,dword ptr ss:[ebp-8] ; fraps2.00473AA0
00414457 FF15 584FE300 call dword ptr ds:[E34F58] ; kernel32.GetCurrentProcessId
0041445D 33F0 xor esi,eax ; fraps2.00400000选择0041444B->右键->Follow->Momery Address
上下搜索下IAT基址和大小,整理得:
OEP:0040FCDA
IAT Rva:00E34A74
IAT Size:560 (呆会使用ArmInline修复会使用到)
----------------------------------------------------------------------------------------------------
三.Code Splicing和Import Table Elimination的修复
1.Code Splicing的修复
现在该ArmInline登场了,fly大侠曾在《Armadillo加壳版本号和保护方式的简单判断方法》说过:“Code Splicing和Import Table
Elimination需要你去看。ArmInline修复这些很方便,虽然有些bug”
我是菜鸟,我没发现这里这里有Code Splicing。使用ArmInline的默认数据进行代码拼接。
拼接代码起点:2490000
拼接代码长度:10000
----------------
2147个拼接已修复
修补成功
----------------
2.Import Table Elimination的修复
查看ArmInline的默认修复数据.
--------------------
现有IAT的基:E34A74
现有IAT的大小:3BC
IAT的新基:451000
--------------------
比较下我们上面手工获取的数据,发现IAT的大小有问题。手工修改下ArmInline的IAT大小为560。
点击 变基IAT
--------------------
758个dll调用
204个函数来自8个DLL
758个dll调用已重定象
修补成功
--------------------
现在运行LordPE修正ImageSize后完全Dump这个进程。得到dumped.exe
-------------------------------------------------------------------------------------
四.脱壳后PE的修复和优化
-------------------------------
运行ImportREC,把OEP改为0000FCDA,点IAT AutoSearch、Get Import,可以得到整齐的输入表。
---------------------
OEP:0000FCDA
RVA:00051000
SIZE:00000350
---------------------
修复跨平台问题,用ImportREC修正如下
--------------------
ntdll.dll RtlFreeHeap -> kernel32.dll HeapFree
ntdll.dll RtlGetLastWin32Error -> kernel32.dll GetLastError
ntdll.dll RtlSetLastWin32Error -> kernel32.dll SetLastError
--------------------
OK NOW!
为了让程序更加美观点,我就不直接添加区段。Winhex打开dumped.exe,找到一片空白天空。复制内容到剪贴板代码:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0001F190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0001F1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0001F1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0001F1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................在ImportREC的New Import Infos,填写
---------------
RVA:0001F1A0
Size:00000F6C[ImportREC自动获取]
---------------
Fix Dump后,运行良好.
把脱壳后的文件载入 OD,Alt+M 打开内存映射窗口,从 00401000 到 00551000 这 8 个段全部下 F2 断点。
然后 Shift+F9 直到程序完全运行后再次Alt+M看看哪几个断点已经不存在了,剩下还有断点的这几个段就是无用区段了。
这里分别是:.adata .data1 .pdata
LordPE删除上面几个区段后重建下 PE 就可以了!
优化后程序大小为:1.87MB
----------------------------------------------------------------------
五.写在最后
对壳倒没什么可说的,需要有更扎实的基础才能继续完成对它的分析!感谢machenglin老师的耐心指导!!!
附件地址:http://momery.0wei.com/attachment/1192696531_0.rar
|
