本帖最后由 珈蓝夜雨 于 2014-6-8 02:45 编辑
[牢骚]
第一次写分析文章,太坑了写N久,一般都是录教程的,不知道最近网盘抽啥疯,不让分享了,然后尝试写文章……写懵我了。写的不好,不要打我
[CM下载地址]
http://www.52pojie.cn/forum.php? ... y%3Ddateline&page=1
典型的易语言自带的花指令,用ESP定律脱掉一层
[Asm] 纯文本查看 复制代码 004C102C > F8 clc
004C102D 73 1C jnb short 1_(1).004C104B
004C102F 394F BB cmp dword ptr ds:[edi-0x45],ecx
004C1032 5C pop esp ; kernel32.7C816037
004C1033 FA cli
004C1034 0FB313 btr dword ptr ds:[ebx],edx ; ntdll.KiFastSystemCallRet
004C1037 3D 54FD237E cmp eax,0x7E23FD54
004C103C 75 2C jnz short 1_(1).004C106A
004C103E 2802 sub byte ptr ds:[edx],al
此CM为易语言编写,采用的是易语言拖拽验证
易语言的文件拖拽首先得注册拖拽组件。一般是在启动窗口创建完毕后在注册的。可以下易语言断点跟入查看
易语言查找按钮事件,一般都是输入FF55FC5F5E二进制找到代码处,查找时能找到两处代码,第一处为平常我们使用的按钮事件,还有一处是不常用的,目前我只发现这个拖拽会调用这个CALL
下好断点后,拖拽文件进入窗体,进入CALL中,代码为以下代码,此代码为易语言花指令扰乱后的代码,虽然先开始脱掉了一层易语言的花指令,但是代码中还残留有花指令,需要单独用易语言花指令清除器清理掉花指令代码
[Asm] 纯文本查看 复制代码 00401224 55 push ebp
00401225 8BEC mov ebp,esp
00401227 EB 01 jmp short 1_(2).0040122A
00401229 82F9 72 cmp cl,0x72
0040122C 010F add dword ptr ds:[edi],ecx
0040122E E8 22FFFFFF call 1_(2).00401155
00401233 EB 01 jmp short 1_(2).00401236
00401235 ^ 78 E8 js short 1_(2).0040121F
00401237 0000 add byte ptr ds:[eax],al
00401239 0000 add byte ptr ds:[eax],al
0040123B 830424 06 add dword ptr ss:[esp],0x6
0040123F C3 retn
清除花指令插件作用是将无用的代码用NOP指令替换,花指令清除后代码:
[Asm] 纯文本查看 复制代码 00401224 55 push ebp
00401225 8BEC mov ebp,esp
00401227 90 nop
00401228 90 nop
00401229 90 nop
0040122A 90 nop
0040122B 90 nop
0040122C 90 nop
0040122D 90 nop
0040122E E8 22FFFFFF call 1_(2).00401155
00401233 90 nop
00401234 90 nop
00401235 90 nop
00401236 90 nop
00401237 90 nop
00401238 90 nop
00401239 90 nop
0040123A 90 nop
0040123B 90 nop
0040123C 90 nop
0040123D 90 nop
0040123E 90 nop
0040123F 90 nop
00401240 90 nop
00401241 90 nop
00401242 90 nop
00401243 90 nop
00401244 90 nop
00401245 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8]
00401248 8B03 mov eax,dword ptr ds:[ebx]
0040124A 85C0 test eax,eax
0040124C 74 15 je short 1_(2).00401263
0040124E 50 push eax
0040124F 8BD8 mov ebx,eax
00401251 E8 63FFFFFF call 1_(2).004011B9
00401256 40 inc eax
00401257 50 push eax
00401258 E8 845E0000 call 1_(2).004070E1
0040125D 59 pop ecx ; 1_(2).0041F77B
0040125E 5E pop esi ; 1_(2).0041F77B
0040125F 8BF8 mov edi,eax
00401261 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00401263 50 push eax
00401264 90 nop
00401265 90 nop
00401266 90 nop
00401267 90 nop
00401268 8B1D F06E4A00 mov ebx,dword ptr ds:[0x4A6EF0]
0040126E 85DB test ebx,ebx
00401270 74 09 je short 1_(2).0040127B
00401272 53 push ebx
00401273 E8 635E0000 call 1_(2).004070DB
00401278 83C4 04 add esp,0x4
0040127B 58 pop eax ; 1_(2).0041F77B
0040127C A3 F06E4A00 mov dword ptr ds:[0x4A6EF0],eax
00401281 90 nop
00401282 90 nop
00401283 90 nop
00401284 90 nop
00401285 90 nop
00401286 90 nop
00401287 90 nop
00401288 6A 00 push 0x0
0040128A 90 nop
0040128B 90 nop
0040128C 90 nop
0040128D 90 nop
0040128E 90 nop
0040128F 90 nop
00401290 90 nop
00401291 90 nop
00401292 90 nop
00401293 90 nop
00401294 90 nop
00401295 68 01000000 push 0x1
0040129A 6A FF push -0x1
0040129C 6A 05 push 0x5
0040129E 68 13000116 push 0x16010013
004012A3 68 01000152 push 0x52010001
004012A8 E8 4C5E0000 call 1_(2).004070F9
004012AD 83C4 18 add esp,0x18
004012B0 90 nop
004012B1 90 nop
004012B2 90 nop
004012B3 90 nop
004012B4 90 nop
004012B5 90 nop
004012B6 90 nop
004012B7 6A 00 push 0x0
004012B9 90 nop
004012BA 90 nop
004012BB 90 nop
004012BC 90 nop
004012BD 90 nop
004012BE 90 nop
004012BF 90 nop
004012C0 90 nop
004012C1 90 nop
004012C2 90 nop
004012C3 90 nop
004012C4 68 00000000 push 0x0
004012C9 6A FF push -0x1
004012CB 6A 06 push 0x6
004012CD 68 13000116 push 0x16010013
004012D2 68 01000152 push 0x52010001
004012D7 E8 1D5E0000 call 1_(2).004070F9
004012DC 83C4 18 add esp,0x18
004012DF 90 nop
004012E0 90 nop
004012E1 90 nop
004012E2 90 nop
004012E3 90 nop
004012E4 90 nop
004012E5 6A 00 push 0x0
004012E7 90 nop
004012E8 90 nop
004012E9 90 nop
004012EA 90 nop
004012EB 68 01000000 push 0x1
004012F0 6A FF push -0x1
004012F2 6A 0C push 0xC
004012F4 68 13000116 push 0x16010013
004012F9 68 01000152 push 0x52010001
004012FE E8 F65D0000 call 1_(2).004070F9
00401303 83C4 18 add esp,0x18
00401306 90 nop
00401307 90 nop
00401308 90 nop
00401309 90 nop
0040130A 90 nop
0040130B 90 nop
0040130C 90 nop
0040130D 90 nop
0040130E 90 nop
0040130F 90 nop
00401310 90 nop
00401311 90 nop
00401312 90 nop
00401313 90 nop
00401314 6A 00 push 0x0
00401316 90 nop
00401317 90 nop
00401318 90 nop
00401319 68 01000000 push 0x1
0040131E 6A FF push -0x1
00401320 6A 05 push 0x5
00401322 68 14000116 push 0x16010014
00401327 68 01000152 push 0x52010001
0040132C E8 C85D0000 call 1_(2).004070F9
00401331 83C4 18 add esp,0x18
00401334 90 nop
00401335 90 nop
00401336 90 nop
00401337 90 nop
00401338 90 nop
00401339 90 nop
0040133A 90 nop
0040133B E8 B6000000 call 1_(2).004013F6////////关键CALL
00401340 90 nop
00401341 90 nop
00401342 90 nop
00401343 90 nop
00401344 90 nop
00401345 90 nop
00401346 90 nop
00401347 90 nop
00401348 90 nop
00401349 90 nop
0040134A 90 nop
0040134B 90 nop
0040134C 90 nop
0040134D 90 nop
0040134E E8 1AFEFFFF call 1_(2).0040116D
00401353 8BE5 mov esp,ebp
00401355 5D pop ebp ; 1_(2).0041F77B
00401356 C2 0400 retn 0x4
可以看到此段代码是没有跳转判断拖拽的文件是否是成功的文件。也就是说,判断成功的代码是在这段代码中的某一个CALL中。一个一个call跟进看下
0040133B E8 B6000000 call 1_(2).004013F6
进入call 004013F6中可以看到这个call中的代码很长,并且有字符串“硬件码”,“注册信息”等字符串信息,可以基本判断这是一个关键的一个call,因为牵扯到算法,当算法计算完毕后,后面一般都是紧跟着判断的代码。在这段代码中可以发现有俩个跳转是实现的判断代码
[Asm] 纯文本查看 复制代码 00401958 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
0040195C 0F84 BA030000 je 1_(2).00401D1C
00401962 90 nop
00401963 90 nop
00401964 90 nop
00401965 90 nop
00401966 90 nop
00401967 90 nop
00401968 90 nop
00401969 90 nop
0040196A 68 01030080 push 0x80000301
0040196F 6A 00 push 0x0
00401971 90 nop
00401972 90 nop
00401973 90 nop
00401974 FF35 006F4A00 push dword ptr ds:[0x4A6F00]
0040197A 68 01000000 push 0x1
0040197F BB C0814000 mov ebx,1_(2).004081C0
00401984 E8 6A570000 call 1_(2).004070F3
00401989 83C4 10 add esp,0x10
0040198C 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040198F 90 nop
00401990 90 nop
00401991 90 nop
00401992 90 nop
00401993 90 nop
00401994 90 nop
00401995 90 nop
00401996 90 nop
00401997 90 nop
00401998 90 nop
00401999 90 nop
0040199A 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0040199D 90 nop
0040199E 90 nop
0040199F 90 nop
004019A0 50 push eax
004019A1 90 nop
004019A2 90 nop
004019A3 90 nop
004019A4 FF35 F86E4A00 push dword ptr ds:[0x4A6EF8]
004019AA E8 AAF9FFFF call 1_(2).00401359
004019AF 83C4 08 add esp,0x8
004019B2 83F8 00 cmp eax,0x0
004019B5 B8 00000000 mov eax,0x0
004019BA 0F94C0 sete al
004019BD 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004019C0 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
004019C3 85DB test ebx,ebx
004019C5 74 09 je short 1_(2).004019D0
004019C7 53 push ebx
004019C8 E8 0E570000 call 1_(2).004070DB
004019CD 83C4 04 add esp,0x4
004019D0 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
004019D4 0F84 B6000000 je 1_(2).00401A90
004019DA 90 nop
004019DB 90 nop
004019DC 90 nop
004019DD 90 nop
004019DE 90 nop
004019DF 90 nop
004019E0 90 nop
004019E1 6A 00 push 0x0
004019E3 90 nop
004019E4 90 nop
004019E5 90 nop
004019E6 90 nop
004019E7 68 01000000 push 0x1
004019EC 6A FF push -0x1
004019EE 6A 05 push 0x5
004019F0 68 13000116 push 0x16010013
004019F5 68 01000152 push 0x52010001
004019FA E8 FA560000 call 1_(2).004070F9
004019FF 83C4 18 add esp,0x18
00401A02 90 nop
00401A03 90 nop
00401A04 90 nop
00401A05 90 nop
00401A06 90 nop
00401A07 90 nop
00401A08 90 nop
00401A09 6A 00 push 0x0
00401A0B 90 nop
00401A0C 90 nop
00401A0D 90 nop
00401A0E 90 nop
00401A0F 68 01000000 push 0x1
00401A14 6A FF push -0x1
00401A16 6A 06 push 0x6
00401A18 68 13000116 push 0x16010013
00401A1D 68 01000152 push 0x52010001
00401A22 E8 D2560000 call 1_(2).004070F9
00401A27 83C4 18 add esp,0x18
00401A2A 90 nop
00401A2B 90 nop
00401A2C 90 nop
00401A2D 90 nop
00401A2E 90 nop
00401A2F 90 nop
00401A30 90 nop
00401A31 6A 00 push 0x0
00401A33 90 nop
00401A34 90 nop
00401A35 90 nop
00401A36 68 00000000 push 0x0
00401A3B 6A FF push -0x1
00401A3D 6A 0C push 0xC
00401A3F 68 13000116 push 0x16010013
00401A44 68 01000152 push 0x52010001
00401A49 E8 AB560000 call 1_(2).004070F9
00401A4E 83C4 18 add esp,0x18
00401A51 90 nop
00401A52 90 nop
00401A53 90 nop
00401A54 90 nop
00401A55 90 nop
00401A56 90 nop
00401A57 90 nop
00401A58 90 nop
00401A59 68 01030080 push 0x80000301
00401A5E 6A 00 push 0x0
00401A60 90 nop
00401A61 90 nop
00401A62 90 nop
00401A63 68 B80B0000 push 0xBB8
00401A68 68 01000000 push 0x1
00401A6D B8 02000000 mov eax,0x2
00401A72 BB B0FF4400 mov ebx,1_(2).0044FFB0
00401A77 E8 83560000 call 1_(2).004070FF
00401A7C 83C4 10 add esp,0x10
00401A7F 90 nop
00401A80 90 nop
00401A81 90 nop
00401A82 90 nop
00401A83 90 nop
00401A84 90 nop
00401A85 90 nop
00401A86 E8 DF440000 call 1_(2).00405F6A
00401A8B E9 87020000 jmp 1_(2).00401D17
00401A90 90 nop
将实现的跳转NOP后,让程序跑起来就成功了
具体算法就不贴出来了,第一次写这分析文章太坑了
| 
发表于 2014-6-8 02:45
发表于 2014-6-8 03:01
给力!珈蓝夜雨
