- UID
- 44482
注册时间2008-2-7
阅读权限40
最后登录1970-1-1
独步武林
 
该用户从未签到
|
壳版本: Nspack3.7.Cracked.exe
工具: IDA, OD
外壳shell简单分析
外壳第一部分:
1.申请堆空间
2.处理shell第二部分,并拷贝到堆空间
3.执行完shell第二部分后循环处理E8
4.填写IAT
5.恢复内存属性
6.跳转到OEP
外壳第二部分:
解压数据并拷贝到原地址
外壳shell分析:- .nsp1:0040A219 pushf ; (1)
- .nsp1:0040A21A pusha
- .nsp1:0040A21B call $+5
- .nsp1:0040A220 pop ebp
- .nsp1:0040A221 sub ebp, 7 ; 获得当前(1)处地址
- .nsp1:0040A224 lea ecx, [ebp-19Dh]
- .nsp1:0040A22A cmp byte ptr [ecx], 1 ; 标记位
- .nsp1:0040A22D jz loc_40A475
- .nsp1:0040A233 mov byte ptr [ecx], 1 ; 标记位置1
- .nsp1:0040A236 mov eax, ebp
- .nsp1:0040A238 sub eax, [ebp-209h] ; [ebp-209] 存放当前 OEP RVA
- .nsp1:0040A23E mov [ebp-209h], eax ; image base
- .nsp1:0040A244 add [ebp-1D9h], eax ; image base + code seg RVA
- .nsp1:0040A24A lea esi, [ebp-195h]
- .nsp1:0040A250 add [esi], eax ; image base + code seg RVA
- .nsp1:0040A252 push ebp ; 保存ebp(加壳后程序入口点)
- .nsp1:0040A253 push esi ; 保存esi(DWORD指针,指向未加壳程序代码段内存偏移)
- .nsp1:0040A254 push 40h ; 参数(PAGE_EXECUTE_READWRITE 0x40)
- .nsp1:0040A256 push 1000h ; 参数(MEM_COMMIT 0x1000 )
- .nsp1:0040A25B push 1000h ; 参数(dwSize)
- .nsp1:0040A260 push 0 ; 起始地址,为0则系统自动分配
- .nsp1:0040A262 call dword ptr [ebp-171h] ; CALL kernel32.VirtualAlloc
- .nsp1:0040A268 test eax, eax ; 是否申请成功
- .nsp1:0040A26A jz loc_40A5D9
- .nsp1:0040A270 mov [ebp-1E1h], eax ; 保存申请的堆空间首地址
- .nsp1:0040A276 call $+5
- .nsp1:0040A27B pop ebx
- .nsp1:0040A27C mov ecx, 367h
- .nsp1:0040A281 add ebx, ecx
- .nsp1:0040A283 push eax ; 目的,申请的堆空间
- .nsp1:0040A284 push ebx ; 源数据,shell第二部分代码
- .nsp1:0040A285 call __ShellDecode ; 把shell第二部分代码修正并拷贝到堆空间
- .nsp1:0040A28A pop esi
- .nsp1:0040A28B pop ebp
- .nsp1:0040A28C mov esi, [esi] ; [esi] 00401000
- .nsp1:0040A28E mov edi, ebp ; 加壳后OEP内存偏移
- .nsp1:0040A290 add edi, [ebp-219h] ; [ebp-219] 取得偏移 906h
- .nsp1:0040A296 mov ebx, edi
- .nsp1:0040A298 cmp dword ptr [edi], 0
- .nsp1:0040A29B jnz short loc_40A2A7
- .nsp1:0040A29D add edi, 4
- .nsp1:0040A2A0 mov ecx, 0
- .nsp1:0040A2A5 jmp short loc_40A2BD
- .nsp1:0040A2A7 ; ---------------------------------------------------------------------------
- .nsp1:0040A2A7
- .nsp1:0040A2A7 loc_40A2A7: ; CODE XREF: start+82�j
- .nsp1:0040A2A7 mov ecx, 1
- .nsp1:0040A2AC add edi, [ebx]
- .nsp1:0040A2AE add ebx, 4
- .nsp1:0040A2B1
- .nsp1:0040A2B1 loc_40A2B1: ; CODE XREF: start+CF�j
- .nsp1:0040A2B1 cmp dword ptr [ebx], 0
- .nsp1:0040A2B4 jz short loc_40A2EA
- .nsp1:0040A2B6 add [ebx], edx
- .nsp1:0040A2B8 mov esi, [ebx]
- .nsp1:0040A2BA add edi, [ebx+4]
- .nsp1:0040A2BD
- .nsp1:0040A2BD loc_40A2BD: ; CODE XREF: start+8C�j
- .nsp1:0040A2BD push edi
- .nsp1:0040A2BE push ecx
- .nsp1:0040A2BF push ebx
- .nsp1:0040A2C0 push dword ptr [ebp-16Dh] ; VirtualFree
- .nsp1:0040A2C6 push dword ptr [ebp-171h] ; [EBP-171] kernel32.VirtualAlloc
- .nsp1:0040A2CC mov edx, esi
- .nsp1:0040A2CE mov ecx, edi
- .nsp1:0040A2D0 mov eax, [ebp-1E1h] ; VirtualAlloc返回的首地址
- .nsp1:0040A2D6 add eax, 5AAh
- .nsp1:0040A2DB call eax ; __Shell_Decode_Data 数据解压并拷贝到原虚拟地址
- .nsp1:0040A2DD pop ebx
- .nsp1:0040A2DE pop ecx
- .nsp1:0040A2DF pop edi
- .nsp1:0040A2E0 cmp ecx, 0
- .nsp1:0040A2E3 jz short loc_40A2EA
- .nsp1:0040A2E5 add ebx, 8
- .nsp1:0040A2E8 jmp short loc_40A2B1
- .nsp1:0040A2EA ; ---------------------------------------------------------------------------
- .nsp1:0040A2EA
- .nsp1:0040A2EA loc_40A2EA: ; CODE XREF: start+9B�j
- .nsp1:0040A2EA ; start+CA�j
- .nsp1:0040A2EA push 8000h
- .nsp1:0040A2EF push 0
- .nsp1:0040A2F1 push dword ptr [ebp-1E1h]
- .nsp1:0040A2F7 call dword ptr [ebp-16Dh] ; kernel32.VirtualFree
- .nsp1:0040A2FD lea esi, [ebp-1D9h]
- .nsp1:0040A303 mov ecx, [esi+8]
- .nsp1:0040A306 lea edx, [esi+10h]
- .nsp1:0040A309 mov esi, [esi]
- .nsp1:0040A30B mov edi, esi
- .nsp1:0040A30D cmp ecx, 0 ; 循环处理near call(ecx循环次数)
- .nsp1:0040A310 jz short loc_40A351
- .nsp1:0040A312
- .nsp1:0040A312 loc_40A312: ; CODE XREF: start+100�j
- .nsp1:0040A312 ; start+10E�j
- .nsp1:0040A312 mov al, [edi] ; 处理开始
- .nsp1:0040A314 inc edi
- .nsp1:0040A315 sub al, 0E8h ; E8是near call的机器码
- .nsp1:0040A317
- .nsp1:0040A317 loc_40A317: ; CODE XREF: start+136�j
- .nsp1:0040A317 cmp al, 1
- .nsp1:0040A319 ja short loc_40A312 ; 大于1跳过
- .nsp1:0040A31B mov eax, [edi]
- .nsp1:0040A31D cmp byte ptr [edx+1], 0
- .nsp1:0040A321 jz short loc_40A337 ; 是near call则跳去处理
- .nsp1:0040A323 mov bl, [edx]
- .nsp1:0040A325 cmp [edi], bl
- .nsp1:0040A327 jnz short loc_40A312
- .nsp1:0040A329 mov bl, [edi+4]
- .nsp1:0040A32C shr ax, 8
- .nsp1:0040A330 rol eax, 10h
- .nsp1:0040A333 xchg al, ah
- .nsp1:0040A335 jmp short loc_40A341
- .nsp1:0040A337 ; ---------------------------------------------------------------------------
- .nsp1:0040A337
- .nsp1:0040A337 loc_40A337: ; CODE XREF: start+108�j
- .nsp1:0040A337 mov bl, [edi+4]
- .nsp1:0040A33A xchg al, ah
- .nsp1:0040A33C rol eax, 10h
- .nsp1:0040A33F xchg al, ah
- .nsp1:0040A341
- .nsp1:0040A341 loc_40A341: ; CODE XREF: start+11C�j
- .nsp1:0040A341 sub eax, edi
- .nsp1:0040A343 add eax, esi
- .nsp1:0040A345 mov [edi], eax
- .nsp1:0040A347 add edi, 5
- .nsp1:0040A34A sub bl, 0E8h
- .nsp1:0040A34D mov eax, ebx
- .nsp1:0040A34F loop loc_40A317 ; near call处理结束
- .nsp1:0040A351
- .nsp1:0040A351 loc_40A351: ; CODE XREF: start+F7�j
- .nsp1:0040A351 call __Fill_IAT_Table ; 填IAT表
- .nsp1:0040A356 lea ecx, [ebp-1C5h]
- .nsp1:0040A35C mov eax, [ecx+8]
- .nsp1:0040A35F cmp eax, 0
- .nsp1:0040A362 jz loc_40A3E9
- .nsp1:0040A368 mov esi, edx
- .nsp1:0040A36A sub esi, [ecx+10h]
- .nsp1:0040A36D jz short loc_40A3E9
- .nsp1:0040A36F mov [ecx+10h], esi
- .nsp1:0040A372 lea esi, [ebp-195h]
- .nsp1:0040A378 mov esi, [esi]
- .nsp1:0040A37A lea ebx, [esi-4]
- .nsp1:0040A37D mov eax, [ecx]
- .nsp1:0040A37F cmp eax, 1
- .nsp1:0040A382 jz short loc_40A38E
- .nsp1:0040A384 mov edi, edx
- .nsp1:0040A386 add edi, [ecx+8]
- .nsp1:0040A389 mov ecx, [ecx+10h]
- .nsp1:0040A38C jmp short loc_40A396
- .nsp1:0040A38E ; ---------------------------------------------------------------------------
- .nsp1:0040A38E
- .nsp1:0040A38E loc_40A38E: ; CODE XREF: start+169�j
- .nsp1:0040A38E mov edi, esi
- .nsp1:0040A390 add edi, [ecx+8]
- .nsp1:0040A393 mov ecx, [ecx+10h]
- .nsp1:0040A396
- .nsp1:0040A396 loc_40A396: ; CODE XREF: start+173�j
- .nsp1:0040A396 ; start+18E�j
- .nsp1:0040A396 xor eax, eax
- .nsp1:0040A398 mov al, [edi]
- .nsp1:0040A39A inc edi
- .nsp1:0040A39B or eax, eax
- .nsp1:0040A39D jz short loc_40A3BF
- .nsp1:0040A39F cmp al, 0EFh
- .nsp1:0040A3A1 ja short loc_40A3A9
- .nsp1:0040A3A3
- .nsp1:0040A3A3 loc_40A3A3: ; CODE XREF: start+19D�j
- .nsp1:0040A3A3 ; start+1A4�j
- .nsp1:0040A3A3 add ebx, eax
- .nsp1:0040A3A5 add [ebx], ecx
- .nsp1:0040A3A7 jmp short loc_40A396
- .nsp1:0040A3A9 ; ---------------------------------------------------------------------------
- .nsp1:0040A3A9
- .nsp1:0040A3A9 loc_40A3A9: ; CODE XREF: start+188�j
- .nsp1:0040A3A9 and al, 0Fh
- .nsp1:0040A3AB shl eax, 10h
- .nsp1:0040A3AE mov ax, [edi]
- .nsp1:0040A3B1 add edi, 2
- .nsp1:0040A3B4 or eax, eax
- .nsp1:0040A3B6 jnz short loc_40A3A3
- .nsp1:0040A3B8 mov eax, [edi]
- .nsp1:0040A3BA add edi, 4
- .nsp1:0040A3BD jmp short loc_40A3A3
- .nsp1:0040A3BF ; ---------------------------------------------------------------------------
- .nsp1:0040A3BF
- .nsp1:0040A3BF loc_40A3BF: ; CODE XREF: start+184�j
- .nsp1:0040A3BF xor ebx, ebx
- .nsp1:0040A3C1 xchg edi, esi
- .nsp1:0040A3C3 mov eax, [esi]
- .nsp1:0040A3C5 cmp eax, 0
- .nsp1:0040A3C8 jz short loc_40A3E9
- .nsp1:0040A3CA
- .nsp1:0040A3CA loc_40A3CA: ; CODE XREF: start+1BC�j
- .nsp1:0040A3CA lodsd
- .nsp1:0040A3CB or eax, eax
- .nsp1:0040A3CD jz short loc_40A3D7
- .nsp1:0040A3CF add ebx, eax
- .nsp1:0040A3D1 add [edi+ebx], cx
- .nsp1:0040A3D5 jmp short loc_40A3CA
- .nsp1:0040A3D7 ; ---------------------------------------------------------------------------
- .nsp1:0040A3D7
- .nsp1:0040A3D7 loc_40A3D7: ; CODE XREF: start+1B4�j
- .nsp1:0040A3D7 xor ebx, ebx
- .nsp1:0040A3D9 shr ecx, 10h
- .nsp1:0040A3DC
- .nsp1:0040A3DC loc_40A3DC: ; CODE XREF: start+1CE�j
- .nsp1:0040A3DC lodsd
- .nsp1:0040A3DD or eax, eax
- .nsp1:0040A3DF jz short loc_40A3E9
- .nsp1:0040A3E1 add ebx, eax
- .nsp1:0040A3E3 add [edi+ebx], cx
- .nsp1:0040A3E7 jmp short loc_40A3DC
- .nsp1:0040A3E9 ; ---------------------------------------------------------------------------
- .nsp1:0040A3E9
- .nsp1:0040A3E9 loc_40A3E9: ; CODE XREF: start+149�j
- .nsp1:0040A3E9 ; start+154�j ...
- .nsp1:0040A3E9 lea esi, [ebp-209h]
- .nsp1:0040A3EF mov edx, [esi]
- .nsp1:0040A3F1 lea esi, [ebp-1ADh]
- .nsp1:0040A3F7 mov al, [esi]
- .nsp1:0040A3F9 cmp al, 1
- .nsp1:0040A3FB jnz short loc_40A43C
- .nsp1:0040A3FD add edx, [esi+4]
- .nsp1:0040A400 push esi
- .nsp1:0040A401 push edx
- .nsp1:0040A402 push esi
- .nsp1:0040A403 push 4
- .nsp1:0040A405 push 100h
- .nsp1:0040A40A push edx
- .nsp1:0040A40B call dword ptr [ebp-175h] ; kernel32.VirtualProtect
- .nsp1:0040A411 pop edi
- .nsp1:0040A412 pop esi
- .nsp1:0040A413 cmp eax, 1
- .nsp1:0040A416 jnz loc_40A5D9
- .nsp1:0040A41C add esi, 8
- .nsp1:0040A41F mov ecx, 8
- .nsp1:0040A424 rep movsb
- .nsp1:0040A426 sub esi, 0Ch
- .nsp1:0040A429 sub edi, 8
- .nsp1:0040A42C push esi
- .nsp1:0040A42D push dword ptr [esi-4]
- .nsp1:0040A430 push 100h
- .nsp1:0040A435 push edi
- .nsp1:0040A436 call dword ptr [ebp-175h] ; kernel32.VirtualProtect
- .nsp1:0040A43C
- .nsp1:0040A43C loc_40A43C: ; CODE XREF: start+1E2�j
- .nsp1:0040A43C push ebp
- .nsp1:0040A43D pop ebx
- .nsp1:0040A43E sub ebx, 21h
- .nsp1:0040A444 xor ecx, ecx
- .nsp1:0040A446 mov cl, [ebx]
- .nsp1:0040A448 cmp cl, 0 ; 循环还原属性(cl存放循环次数)
- .nsp1:0040A44B jz short loc_40A475
- .nsp1:0040A44D inc ebx ; 原程序 代码块 和 数据块 属性还原
- .nsp1:0040A44E lea esi, [ebp-209h]
- .nsp1:0040A454 mov edx, [esi]
- .nsp1:0040A456
- .nsp1:0040A456 loc_40A456: ; CODE XREF: start+25A�j
- .nsp1:0040A456 push esi
- .nsp1:0040A457 push ecx
- .nsp1:0040A458 push ebx
- .nsp1:0040A459 push edx
- .nsp1:0040A45A push esi
- .nsp1:0040A45B push dword ptr [ebx]
- .nsp1:0040A45D push dword ptr [ebx+4]
- .nsp1:0040A460 mov eax, [ebx+8]
- .nsp1:0040A463 add eax, edx
- .nsp1:0040A465 push eax
- .nsp1:0040A466 call dword ptr [ebp-175h] ; kernel32.VirtualProtect
- .nsp1:0040A46C pop edx
- .nsp1:0040A46D pop ebx
- .nsp1:0040A46E pop ecx
- .nsp1:0040A46F pop esi
- .nsp1:0040A470 add ebx, 0Ch
- .nsp1:0040A473 loop loc_40A456
- .nsp1:0040A475
- .nsp1:0040A475 loc_40A475: ; CODE XREF: start+14�j
- .nsp1:0040A475 ; start+232�j
- .nsp1:0040A475 mov eax, 0
- .nsp1:0040A47A cmp eax, 0
- .nsp1:0040A47D jz short loc_40A489
- .nsp1:0040A47F popa
- .nsp1:0040A480 popf
- .nsp1:0040A481 mov eax, 1
- .nsp1:0040A486 retn 0Ch
- .nsp1:0040A489 ; ---------------------------------------------------------------------------
- .nsp1:0040A489
- .nsp1:0040A489 loc_40A489: ; CODE XREF: start+264�j
- .nsp1:0040A489 popa
- .nsp1:0040A48A popf
- .nsp1:0040A48B jmp near ptr dword_401000 ; jmp to OEP
- .nsp1:0040A48B start endp
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2009-8-3 21:35:11
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-8-7 20:57:37
楼主
发表于 2015-8-15 21:00:59