; Annotated OllyDbg listing (32-bit x86, Intel syntax). This is a debugger dump,
; not assembler source: columns are address / opcode bytes / mnemonic.
; What the visible code does, in order:
;   004149AB  save ebp and ecx, reserve eight dword slots, spill eax..edi into them
;   004149DF  find the PE image base by scanning page-down from EIP for 'MZ'
;   004149F8  walk e_lfanew -> IMAGE_NT_HEADERS -> the first two IMAGE_SECTION_HEADERs
;   00414A44  call 00414ABE for section 1 (SizeOfRawData-0x200) then section 0 (SizeOfRawData-0x600)
;   00414A63  restore the registers and unwind the frame by hand
;   00414ABE  for each 2-byte pair in the range, first byte ^= second byte (in place)
; Hazards visible in the listing are noted inline: the 'MZ' scan has no lower bound,
; the 16-bit length split is only right when both halves of the count are even,
; the dec/jnz loop has no zero check, the in-place writes need writable section
; pages, and the epilogue falls through into sixteen zero bytes.
004149AB 55 push ebp                                  ; frame entry; this ebp is read back at 00414A97
004149AC 89E5 mov ebp, esp
004149AE 51 push ecx                                  ; original ecx; re-read at 004149B9 and 00414AAA
004149AF B9 08000000 mov ecx, 0x8                     ; eight iterations ...
004149B4 6A 00 push 0x0                               ; ... push eight zero dwords = 0x20 bytes of save slots
004149B6 49 dec ecx
004149B7 ^ 75 FB jnz short 004149B4
004149B9 8B4C24 20 mov ecx, dword ptr [esp+0x20]      ; ecx = the ecx pushed at 004149AE (just above the 8 slots)
004149BD 8944E4 1C mov dword ptr [esp+0x1C], eax      ; hand-rolled pushad into the slots: eax
004149C1 895CE4 18 mov dword ptr [esp+0x18], ebx      ; ebx
004149C5 894CE4 14 mov dword ptr [esp+0x14], ecx      ; ecx (the restored original)
004149C9 8954E4 10 mov dword ptr [esp+0x10], edx      ; edx
004149CD 8964E4 0C mov dword ptr [esp+0xC], esp       ; esp as it is after the eight pushes
004149D1 896CE4 08 mov dword ptr [esp+0x8], ebp       ; ebp (already equal to the frame esp)
004149D5 8974E4 04 mov dword ptr [esp+0x4], esi       ; esi
004149D9 893CE4 mov dword ptr [esp], edi              ; edi
004149DC 90 nop
004149DD 90 nop
004149DE 90 nop
004149DF E8 00000000 call 004149E4                    ; call the next instruction: pushes EIP (004149E4)
004149E4 58 pop eax                                   ; eax = own address (get-EIP idiom)
004149E5 25 00F0FFFF and eax, -0x1000                 ; round down to the containing 4 KiB page
004149EA 66:8138 4D5A cmp word ptr [eax], 0x5A4D      ; 'MZ' at the page start?
004149EF 74 07 je short 004149F8                      ; yes: eax = image base
004149F1 2D 00100000 sub eax, 0x1000                  ; no: step back one page
004149F6 ^ EB F2 jmp short 004149EA                   ; NOTE: no lower bound; an unmapped page below the image faults here
004149F8 50 push eax                                  ; [esp] = image base
004149F9 8BD8 mov ebx, eax
004149FB 83C3 3C add ebx, 0x3C                        ; &e_lfanew
004149FE 8B1B mov ebx, dword ptr [ebx]                ; e_lfanew
00414A00 03D8 add ebx, eax                            ; ebx = IMAGE_NT_HEADERS
00414A02 53 push ebx                                  ; [esp] = NT headers, [esp+4] = base
00414A03 83C3 14 add ebx, 0x14                        ; &FileHeader.SizeOfOptionalHeader (NT+0x14)
00414A06 33D2 xor edx, edx
00414A08 66:8B13 mov dx, word ptr [ebx]               ; dx = SizeOfOptionalHeader
00414A0B 52 push edx                                  ; [esp] = SizeOfOptionalHeader, [esp+4] = NT, [esp+8] = base
00414A0C 8B5424 04 mov edx, dword ptr [esp+0x4]       ; edx = NT headers
00414A10 83C2 18 add edx, 0x18                        ; + offset of OptionalHeader
00414A13 031424 add edx, dword ptr [esp]              ; + SizeOfOptionalHeader = IMAGE_SECTION_HEADER[0]
00414A16 52 push edx                                  ; [esp] = sect0 hdr, [esp+4] = SizeOpt, [esp+8] = NT, [esp+0xC] = base
00414A17 83C2 0C add edx, 0xC                         ; &sect0.VirtualAddress
00414A1A 8B1A mov ebx, dword ptr [edx]
00414A1C 035C24 0C add ebx, dword ptr [esp+0xC]       ; + base = VA of section 0
00414A20 53 push ebx                                  ; [esp] = sect0 VA
00414A21 8B5424 04 mov edx, dword ptr [esp+0x4]       ; edx = sect0 hdr
00414A25 83C2 10 add edx, 0x10                        ; &sect0.SizeOfRawData
00414A28 8B1A mov ebx, dword ptr [edx]
00414A2A 53 push ebx                                  ; [esp] = sect0 SizeOfRawData
00414A2B 8B5424 08 mov edx, dword ptr [esp+0x8]       ; edx = sect0 hdr again
00414A2F 83C2 28 add edx, 0x28                        ; + sizeof(IMAGE_SECTION_HEADER) = sect1 hdr
00414A32 83C2 0C add edx, 0xC                         ; &sect1.VirtualAddress
00414A35 8B1A mov ebx, dword ptr [edx]
00414A37 035C24 14 add ebx, dword ptr [esp+0x14]      ; + base = VA of section 1
00414A3B 53 push ebx                                  ; [esp] = sect1 VA
00414A3C 83C2 04 add edx, 0x4                         ; &sect1.SizeOfRawData
00414A3F 8B1A mov ebx, dword ptr [edx]
00414A41 53 push ebx                                  ; [esp] = sect1 SizeOfRawData
00414A42 90 nop
00414A43 90 nop
00414A44 59 pop ecx ; ecx = sect1 SizeOfRawData (author: the encrypted code part)
00414A45 81E9 00020000 sub ecx, 0x200                 ; the last 0x200 bytes of section 1 are left untouched; the reason is not visible here
00414A4B 5E pop esi ; esi = sect1 VA (author: these three instructions must be kept)
00414A4C E8 6D000000 call 00414ABE ; XOR pass over section 1 (esi = start VA, ecx = byte count)
00414A51 90 nop
00414A52 90 nop
00414A53 90 nop
00414A54 59 pop ecx                                   ; ecx = sect0 SizeOfRawData
00414A55 81E9 00060000 sub ecx, 0x600                 ; the last 0x600 bytes of section 0 are left untouched
00414A5B 5E pop esi ; esi = sect0 VA (author: these three instructions must be kept)
00414A5C E8 5D000000 call 00414ABE ; XOR pass over section 0
00414A61 90 nop ; author: the above is the part that encrypts the code and data sections
00414A62 90 nop
00414A63 58 pop eax                                   ; discard sect0 hdr,
00414A64 58 pop eax                                   ;   SizeOfOptionalHeader,
00414A65 58 pop eax                                   ;   NT headers,
00414A66 58 pop eax                                   ;   image base: esp is back at the eight save slots
00414A67 8B44E4 1C mov eax, dword ptr [esp+0x1C]      ; hand-rolled popad from the slots
00414A6B 8B5CE4 18 mov ebx, dword ptr [esp+0x18]
00414A6F 8B4CE4 14 mov ecx, dword ptr [esp+0x14]
00414A73 8B54E4 10 mov edx, dword ptr [esp+0x10]
00414A77 8B64E4 0C mov esp, dword ptr [esp+0xC]       ; pushes and pops above balance, so the saved esp equals the current one
00414A7B 8B6CE4 08 mov ebp, dword ptr [esp+0x8]
00414A7F 8B74E4 04 mov esi, dword ptr [esp+0x4]
00414A83 8B3CE4 mov edi, dword ptr [esp]
00414A86 B9 00020000 mov ecx, 0x200                   ; ecx = (0x200 << 6) >> 12 = 8, an obfuscated constant
00414A8B C1E1 06 shl ecx, 0x6
00414A8E C1E9 0C shr ecx, 0xC
00414A91 83EC FC sub esp, -0x4                        ; esp += 4, eight times: drop the eight save slots
00414A94 49 dec ecx
00414A95 ^ 75 FA jnz short 00414A91
00414A97 8B6C24 04 mov ebp, dword ptr [esp+0x4]       ; ebp = the ebp pushed at 004149AB ([esp] is the pushed ecx)
00414A9B B9 00020000 mov ecx, 0x200                   ; ecx = 8 again (overwrites the ecx restored at 00414A6F)
00414AA0 C1E1 06 shl ecx, 0x6
00414AA3 C1E9 0C shr ecx, 0xC
00414AA6 44 inc esp                                   ; esp += 8 one byte at a time: skip the pushed ecx and ebp
00414AA7 49 dec ecx
00414AA8 ^ 75 FC jnz short 00414AA6
00414AAA 8B4C24 F8 mov ecx, dword ptr [esp-0x8]       ; ecx = the ecx pushed at 004149AE; esp now sits at the return slot
00414AAE 0000 add byte ptr [eax], al                  ; sixteen zero bytes follow with no ret/jmp before them:
00414AB0 0000 add byte ptr [eax], al                  ;   execution falls through and each one writes to [eax]
00414AB2 0000 add byte ptr [eax], al                  ;   NOTE(review): looks like a slot reserved for a later-patched
00414AB4 0000 add byte ptr [eax], al                  ;   transfer to the original entry point -- confirm
00414AB6 0000 add byte ptr [eax], al
00414AB8 0000 add byte ptr [eax], al
00414ABA 0000 add byte ptr [eax], al
00414ABC 0000 add byte ptr [eax], al
00414ABE 90 nop                                       ; ---- XOR routine. In: esi = start VA, ecx = byte count. Clobbers eax, ebx, ecx, edx, esi ----
00414ABF 90 nop
00414AC0 8BC9 mov ecx, ecx ; no-op; ecx (the byte count) comes from the caller
00414AC2 40 inc eax                                   ; these three are dead: eax is zeroed right after
00414AC3 40 inc eax
00414AC4 40 inc eax
00414AC5 33C0 xor eax, eax ; zero eax
00414AC7 33D2 xor edx, edx                            ; dx must be 0 before a 16-bit div (dx:ax / bx)
00414AC9 33DB xor ebx, ebx
00414ACB 51 push ecx                                  ; [esp] = byte count
00414ACC 66:8B0424 mov ax, word ptr [esp]             ; ax = low word of the count
00414AD0 66:BB 0200 mov bx, 0x2 ; divisor 2: the loop below consumes two bytes per iteration (author: the key is the data here)
00414AD4 66:F7F3 div bx                               ; ax = low/2, dx = low%2
00414AD7 50 push eax                                  ; [esp] = low/2, [esp+4] = count
00414AD8 66:8B4424 06 mov ax, word ptr [esp+0x6]      ; ax = high word of the count
00414ADD 66:F7F3 div bx                               ; dx is NOT re-cleared: divides (low%2):high, so an odd count yields ax = 0x8000 + high/2
00414AE0 C1E0 10 shl eax, 0x10                        ; (high/2) << 16 ...
00414AE3 030424 add eax, dword ptr [esp]              ; ... + low/2; equals count/2 only when both 16-bit halves of the count are even
00414AE6 8BC8 mov ecx, eax
00414AE8 58 pop eax
00414AE9 58 pop eax ; ecx now holds the pair count (author's wording: the length)
00414AEA 8A46 01 mov al, byte ptr [esi+0x1]           ; key = second byte of the pair
00414AED 3006 xor byte ptr [esi], al                  ; first byte ^= second byte, in place: the section pages must be writable
00414AEF 46 inc esi
00414AF0 46 inc esi                                   ; advance to the next pair
00414AF1 49 dec ecx
00414AF2 ^ 75 F6 jnz short 00414AEA                   ; NOTE: ecx == 0 on entry wraps to 0xFFFFFFFF iterations
00414AF4 C3 retn
00414AF5 90 nop
00414AF6 90 nop
二进制:55 89 E5 51 B9 08 00 00 00 6A 00 49 75 FB 8B 4C 24 20 89 44 E4 1C 89 5C E4 18 89 4C E4 14 89 54 E4 10 89 64 E4 0C 89 6C E4 08 89 74 E4 04 89 3C E4 90 90 90 E8 00 00 00 00 58 25 00 F0 FF FF 66 81 38 4D 5A 74 07 2D 00 10 00 00 EB F2 50 8B D8 83 C3 3C 8B 1B 03 D8 53 83 C3 14 33 D2 66 8B 13 52 8B 54 24 04 83 C2 18 03 14 24 52 83 C2 0C 8B 1A 03 5C 24 0C 53 8B 54 24 04 83 C2 10 8B 1A 53 8B 54 24 08 83 C2 28 83 C2 0C 8B 1A 03 5C 24 14 53 83 C2 04 8B 1A 53 90 90 59 81 E9 00 02 00 00 5E E8 6D 00 00 00 90 90 90 59 81 E9 00 06 00 00 5E E8 5D 00 00 00 90 90 58 58 58 58 8B 44 E4 1C
8B 5C E4 18 8B 4C E4 14 8B 54 E4 10 8B 64 E4 0C 8B 6C E4 08 8B 74 E4 04 8B 3C E4 B9 00 02 00 00 C1 E1 06 C1 E9 0C 83 EC FC 49 75 FA 8B 6C 24 04 B9 00 02 00 00 C1 E1 06 C1 E9 0C 44 49 75 FC 8B 4C 24 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 90 8B C9 40 40 40 33 C0 33 D2 33 DB 51 66 8B 04 24 66 BB 02 00 66 F7 F3 50 66 8B 44 24 06 66 F7 F3 C1 E0 10 03 04 24 8B C8 58 58 8A 46 01 30 06 46 46 49 75 F6 C3 90 90
本文转自文东会博客51CTO博客,原文链接http://blog.51cto.com/hackerwang/1251314如需转载请自行联系原作者