Simple encrypted shellcode analysis

00438450    55              PUSH EBP
00438451    8BEC            MOV EBP,ESP
00438453    83EC 0C         SUB ESP,0xC
// The first call takes no parameters (nothing is pushed before it) and its return value in EAX is never used,
// so it is a call with no parameters and no return value, i.e. void fun(void) in C. Step into it to look. (See Note 1: CALL 004383A0)
00438456    E8 45FFFFFF     CALL 02.004383A0                         ; initialization function
0043845B    A1 40804300     MOV EAX,DWORD PTR DS:[0x438040]          ; get the image base
00438460    0305 44804300   ADD EAX,DWORD PTR DS:[0x438044]          ; add the RVA of the code section
// Guess: the function called above should have initialized this data beforehand.
00438466    8945 F8         MOV DWORD PTR SS:[EBP-0x8],EAX
00438469    C745 FC 0000000>MOV DWORD PTR SS:[EBP-0x4],0x0
00438470    8D4D FC         LEA ECX,DWORD PTR SS:[EBP-0x4]
00438473    51              PUSH ECX                                 ; lpflOldProtect
00438474    6A 40           PUSH 0x40                                ; PAGE_EXECUTE_READWRITE
00438476    8B15 4C804300   MOV EDX,DWORD PTR DS:[0x43804C]
// size of the code region whose protection is being changed
0043847C    52              PUSH EDX                                 ; dwSize
0043847D    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-0x8]
00438480    50              PUSH EAX                                 ; lpAddress = code base
// Here we see a VirtualProtect call, which suggests it wants to change the page protection; the few lines above are its parameters.
00438481    FF15 C0924300   CALL DWORD PTR DS:[0x4392C0]             ; DS:[004392C0]=764750AB (kernel32.VirtualProtect)
00438487    E8 04FEFFFF     CALL 02.00438290
0043848C    8D4D FC         LEA ECX,DWORD PTR SS:[EBP-0x4]
0043848F    51              PUSH ECX
00438490    8B55 FC         MOV EDX,DWORD PTR SS:[EBP-0x4]           ; the old protection saved by the first call
00438493    52              PUSH EDX
00438494    A1 4C804300     MOV EAX,DWORD PTR DS:[0x43804C]
00438499    50              PUSH EAX
0043849A    8B4D F8         MOV ECX,DWORD PTR SS:[EBP-0x8]
0043849D    51              PUSH ECX
// Unexpectedly there is a second VirtualProtect; this should be restoring the page protection.
// Since the first VirtualProtect made the code base writable, watch that region, step over the call in between, and see that the code has been modified.
// The call to 00438290 between the two VirtualProtects is probably what modifies the code; step into it. (See Note 2: CALL 00438290)
0043849E    FF15 C0924300   CALL DWORD PTR DS:[0x4392C0]             ; DS:[004392C0]=764750AB (kernel32.VirtualProtect)
// here is the MessageBox
004384A4    6A 04           PUSH 0x4                                 ; MB_YESNO
004384A6    68 2C814300     PUSH 02.0043812C                         ; ASCII "Hello 15PB"
004384AB    68 38814300     PUSH 02.00438138                         ; ASCII "Welcome to free the packer, is running the main program?"
004384B0    6A 00           PUSH 0x0
004384B2    FF15 BC924300   CALL DWORD PTR DS:[0x4392BC]             ; user32.MessageBoxA
004384B8    8945 F4         MOV DWORD PTR SS:[EBP-0xC],EAX
004384BB    837D F4 06      CMP DWORD PTR SS:[EBP-0xC],0x6           ; check whether the return value is IDYES (6)
004384BF    75 0B           JNZ SHORT 02.004384CC
// here is the end of the MessageBox
004384C1    E8 1A000000     CALL 02.004384E0
// From here it jumps to the OEP (see Note 3: OEP figure); however, at this point the IAT was found to be encrypted (see Note 4: IAT encryption figure),
// so the encryption is probably done in the preceding call 004384E0. Step into it. (See Note 5: CALL 004384E0)
004384C6  - FF25 3C804300   JMP DWORD PTR DS:[0x43803C]              ; OEP entry
004384CC    6A 00           PUSH 0x0
004384CE    FF15 B8924300   CALL DWORD PTR DS:[0x4392B8]             ; kernel32.ExitProcess
004384D4    8BE5            MOV ESP,EBP
004384D6    5D              POP EBP
004384D7    C3              RETN

Note 1: CALL 004383A0

// This function was found to use the FS segment register. FS generally gives access to the thread's TEB and PEB structures,
// and through the PEB's module list the kernel32 base address can be obtained. Knowing that about the PEB and FS,
// this code is mostly obtaining the kernel32 base address. Looking further down you will see familiar function names.
// This matches what we guessed earlier while stepping through: this is the initialization function.
004383A0    55              PUSH EBP
004383A1    8BEC            MOV EBP,ESP
004383A3    51              PUSH ECX
004383A4    56              PUSH ESI
004383A5    C745 FC 0000000>MOV DWORD PTR SS:[EBP-0x4],0x0
004383AC    50              PUSH EAX
004383AD    64:A1 30000000  MOV EAX,DWORD PTR FS:[0x30]              ; get the PEB
004383B3    8B40 0C         MOV EAX,DWORD PTR DS:[EAX+0xC]           ; PEB->Ldr
004383B6    8B40 1C         MOV EAX,DWORD PTR DS:[EAX+0x1C]          ; Ldr->InInitializationOrderModuleList.Flink
004383B9    8B00            MOV EAX,DWORD PTR DS:[EAX]               ; next list entry
004383BB    8B00            MOV EAX,DWORD PTR DS:[EAX]               ; next list entry
004383BD    8B40 08         MOV EAX,DWORD PTR DS:[EAX+0x8]           ; DllBase of that entry (kernel32 on this system)
004383C0    8945 FC         MOV DWORD PTR SS:[EBP-0x4],EAX
004383C3    58              POP EAX
004383C4    8B75 FC         MOV ESI,DWORD PTR SS:[EBP-0x4]           ; ESI = kernel32 base
004383C7    E8 F4FEFFFF     CALL 02.004382C0                         ; returns the GetProcAddress address (labelled kernel32.GetProcAddress at 004385B9)
004383CC    68 C4804300     PUSH 02.004380C4                         ; ASCII "LoadLibraryA"
004383D1    56              PUSH ESI
004383D2    A3 CC924300     MOV DWORD PTR DS:[0x4392CC],EAX          ; [0x4392CC] = GetProcAddress
004383D7    FFD0            CALL EAX
004383D9    68 D4804300     PUSH 02.004380D4                         ; ASCII "GetModuleHandleA"
004383DE    56              PUSH ESI
004383DF    A3 C8924300     MOV DWORD PTR DS:[0x4392C8],EAX          ; [0x4392C8] = LoadLibraryA
004383E4    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]
004383EA    68 E8804300     PUSH 02.004380E8                         ; ASCII "VirtualProtect"
004383EF    56              PUSH ESI
004383F0    A3 C4924300     MOV DWORD PTR DS:[0x4392C4],EAX          ; [0x4392C4] = GetModuleHandleA
004383F5    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]
004383FB    68 F8804300     PUSH 02.004380F8                         ; ASCII "user32.dll"
00438400    A3 C0924300     MOV DWORD PTR DS:[0x4392C0],EAX          ; [0x4392C0] = VirtualProtect
00438405    FF15 C8924300   CALL DWORD PTR DS:[0x4392C8]             ; LoadLibraryA("user32.dll")
0043840B    68 04814300     PUSH 02.00438104                         ; ASCII "MessageBoxA"
00438410    50              PUSH EAX                                 ; user32 base
00438411    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]
00438417    68 10814300     PUSH 02.00438110                         ; ASCII "ExitProcess"
0043841C    56              PUSH ESI
0043841D    A3 BC924300     MOV DWORD PTR DS:[0x4392BC],EAX          ; [0x4392BC] = MessageBoxA
00438422    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]
00438428    68 1C814300     PUSH 02.0043811C                         ; ASCII "VirtualAlloc"
0043842D    56              PUSH ESI
0043842E    A3 B8924300     MOV DWORD PTR DS:[0x4392B8],EAX          ; [0x4392B8] = ExitProcess
00438433    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]
00438439    A3 B4924300     MOV DWORD PTR DS:[0x4392B4],EAX          ; [0x4392B4] = VirtualAlloc
0043843E    5E              POP ESI
0043843F    8BE5            MOV ESP,EBP
00438441    5D              POP EBP
00438442    C3              RETN

Finally:

00438439    A3 B4924300     MOV DWORD PTR DS:[0x4392B4],EAX

Follow this address in the data window and you can see the table of function addresses that was just initialized.

[image omitted]

Note 2: CALL 00438290

// There is an obvious XOR in this call, so it is clearly the routine that decrypts the code section.
00438290    8B0D 44804300   MOV ECX,DWORD PTR DS:[0x438044]          ; get the code section RVA
00438296    33C0            XOR EAX,EAX
00438298    030D 40804300   ADD ECX,DWORD PTR DS:[0x438040]          ; code base = image base + code section RVA
0043829E    3905 4C804300   CMP DWORD PTR DS:[0x43804C],EAX          ; code section length
004382A4    76 17           JBE SHORT 02.004382BD
004382A6    EB 08           JMP SHORT 02.004382B0
004382A8    8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
004382AF    90              NOP
004382B0    8034 08 15      XOR BYTE PTR DS:[EAX+ECX],0x15           ; XOR each code byte at base + offset with 0x15
004382B4    40              INC EAX
004382B5    3B05 4C804300   CMP EAX,DWORD PTR DS:[0x43804C]
004382BB  ^ 72 F3           JB SHORT 02.004382B0
004382BD    C3              RETN
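The loop above XORs every byte of the code section with 0x15 between two VirtualProtect calls. As an added example (not from the original post), the script below models that routine statically on a constructed toy image and goes one step beyond the listing: when the key byte is not visible, it recovers it by known plaintext, since the first bytes of the section have to decrypt to an expected function prologue. The header layout, the image base / RVA values and the sample code bytes are assumptions for this example, not values from the packed binary.

```python
# Added example (not from the original post): a static model of the packer's
# code-section decryption loop at 00438290 plus a known-plaintext key recovery.
# The toy image layout below is constructed for this example; its three header
# fields stand in for the globals the loader reads from 0x438040 (image base),
# 0x438044 (code section RVA) and 0x43804C (code section length). The sample
# code bytes and the image base / RVA values are assumptions.
import struct
from typing import List, Optional, Tuple

IMAGE_BASE = 0x00400000   # assumed stand-in for the value at [0x438040]
CODE_RVA = 0x1000         # assumed stand-in for the value at [0x438044]
KEY = 0x15                # the one-byte XOR key visible at 004382B0
HEADER_FMT = "<III"       # image base, code RVA, code length (toy layout)
HEADER_SIZE = struct.calcsize(HEADER_FMT)

# Constructed "plaintext" code: PUSH EBP / MOV EBP,ESP / SUB ESP,0xC / XOR EAX,EAX / POP EBP / RETN
PLAIN_CODE = bytes.fromhex("558bec83ec0c33c05dc3")


def xor_section(buf: bytearray, offset: int, length: int, key: int) -> None:
    """Mirror of the loop at 004382B0-004382BB: XOR every byte in
    buf[offset:offset+length] with the one-byte key, in place.
    XOR is its own inverse, so the same routine packs and unpacks."""
    for i in range(length):
        buf[offset + i] ^= key


def build_image() -> bytearray:
    """Construct a toy packed image: header followed by the encrypted code section."""
    code = bytearray(PLAIN_CODE)
    xor_section(code, 0, len(code), KEY)   # stored encrypted, as in the packed file
    return bytearray(struct.pack(HEADER_FMT, IMAGE_BASE, CODE_RVA, len(code))) + code


def read_header(image: bytes) -> Tuple[int, int, int]:
    """Return (image_base, code_rva, code_length) as the loader reads them."""
    return struct.unpack_from(HEADER_FMT, image, 0)


def encrypted_code(image: bytes) -> bytes:
    """The code section as stored in the toy image (still XOR-encoded)."""
    _, _, length = read_header(image)
    return bytes(image[HEADER_SIZE:HEADER_SIZE + length])


def decrypt_image(image: bytearray, key: int = KEY) -> bytes:
    """Run the decryption loop over the code section in place and return the plaintext."""
    _, _, length = read_header(image)
    xor_section(image, HEADER_SIZE, length, key)
    return bytes(image[HEADER_SIZE:HEADER_SIZE + length])


def recover_key(enc: bytes, known_prefix: bytes = b"\x55\x8b\xec") -> Optional[int]:
    """Known-plaintext recovery for a single-byte XOR key: the key must map the
    first bytes of the section onto an expected prologue (here PUSH EBP / MOV EBP,ESP).
    Returns the key when exactly one candidate fits, otherwise None."""
    candidates: List[int] = [
        k for k in range(256)
        if bytes(b ^ k for b in enc[:len(known_prefix)]) == known_prefix
    ]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    img = build_image()
    key = recover_key(encrypted_code(img))
    print("recovered key: 0x%02x" % key)
    print("decrypted:", decrypt_image(img, key).hex())
```

The known-plaintext step is what makes this useful beyond this one sample: a single-byte key leaves only 256 candidates, and three bytes of expected prologue are enough to pin it down, so the same idea works on any packer that uses this loop with a different constant.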

Note 3: OEP figure

[image omitted]

Note 4: IAT encryption figure

[image omitted]

Note 5: CALL 004384E0

// IAT filling: the function address has to be obtained first, so set a breakpoint on GetProcAddress, find it, then trace and analyze it. One line of code XORs its return value and then saves that value in a local variable; right after, a block of memory is allocated, a prepared chunk of content from the local buffer plus the just-encrypted value is copied into it, and that block's address is then written into the IAT entry.
004385B9    FF15 CC924300   CALL DWORD PTR DS:[0x4392CC]             ; kernel32.GetProcAddress
004385BF    6A 40           PUSH 0x40                                ; PAGE_EXECUTE_READWRITE
004385C1    68 00300000     PUSH 0x3000                              ; MEM_COMMIT | MEM_RESERVE
004385C6    6A 20           PUSH 0x20                                ; dwSize = 32 bytes
004385C8    35 15151515     XOR EAX,0x15151515                       ; encrypt the resolved IAT function address
004385CD    6A 00           PUSH 0x0                                 ; lpAddress = NULL
004385CF    8945 DB         MOV DWORD PTR SS:[EBP-0x25],EAX          ; save the encrypted IAT function address
004385D2    FF15 B4924300   CALL DWORD PTR DS:[0x4392B4]             ; kernel32.VirtualAlloc
004385D8    F30F6F45 D0     MOVDQU XMM0,DQWORD PTR SS:[EBP-0x30]     ; load 16 bytes (DQWORD) of the prepared data into XMM0
004385DD    8B55 CC         MOV EDX,DWORD PTR SS:[EBP-0x34]
004385E0    F30F7F00        MOVDQU DQWORD PTR DS:[EAX],XMM0          ; write it into the newly allocated block
004385E4    F30F6F45 E0     MOVDQU XMM0,DQWORD PTR SS:[EBP-0x20]
004385E9    F30F7F40 10     MOVDQU DQWORD PTR DS:[EAX+0x10],XMM0     ; second 16 bytes
004385EE    8907            MOV DWORD PTR DS:[EDI],EAX               ; store the block's address in the IAT entry
004385F0    8B4E 04         MOV ECX,DWORD PTR DS:[ESI+0x4]
004385F3    83C6 04         ADD ESI,0x4
004385F6    8BFE            MOV EDI,ESI
004385F8    85C9            TEST ECX,ECX

[image omitted]
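Notes 1, 2 and 5 each show a short, distinctive opcode sequence (the FS:[0x30] PEB walk, the XOR BYTE PTR [EAX+ECX] loop, and XOR EAX,imm32 applied to the GetProcAddress result). As an added example (not part of the original post), the scanner below searches a byte buffer for those sequences and reads both XOR keys straight out of the instruction immediates, so an analyst can flag this loader and recover its constants from the file without tracing. The byte patterns come from the listings on this page; SAMPLE, the function names and the surrounding filler bytes are constructed for the example.

```python
# Added example (not part of the original post): a small static scanner that looks for
# the opcode sequences this loader uses and reads the XOR keys out of the instruction
# immediates. Byte patterns are taken from the listing:
#   64 A1 30 00 00 00 8B 40 0C 8B 40 1C   MOV EAX,FS:[0x30] / PEB->Ldr / InInitializationOrderModuleList (004383AD)
#   80 34 08 kk 40 3B 05                  XOR BYTE PTR [EAX+ECX],kk / INC EAX / CMP EAX,[...]               (004382B0)
#   6A 20 35 kk kk kk kk 6A 00            PUSH 0x20 / XOR EAX,imm32 / PUSH 0x0                               (004385C6)
# SAMPLE is a constructed buffer built from those bytes with filler around them; the
# context bytes are kept in each pattern to reduce false positives on ordinary code.
import re
import struct
from typing import Dict, List

PATTERNS = {
    "peb_walk":      re.compile(rb"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c", re.DOTALL),
    "xor_byte_loop": re.compile(rb"\x80\x34\x08(.)\x40\x3b\x05", re.DOTALL),
    "xor_eax_imm32": re.compile(rb"\x6a\x20\x35(.{4})\x6a\x00", re.DOTALL),
}


def scan(buf: bytes) -> Dict[str, List[dict]]:
    """Return every hit per pattern with its offset and, where the pattern
    captures an immediate, the XOR key decoded from it."""
    hits: Dict[str, List[dict]] = {name: [] for name in PATTERNS}
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hit = {"offset": m.start()}
            if name == "xor_byte_loop":
                hit["key"] = m.group(1)[0]                       # one-byte key
            elif name == "xor_eax_imm32":
                hit["offset"] = m.start() + 2                     # offset of the XOR opcode itself
                hit["key"] = struct.unpack("<I", m.group(1))[0]   # little-endian imm32
            hits[name].append(hit)
    return hits


def decrypt_iat_entry(stored: int, key: int) -> int:
    """Undo the XOR EAX,imm32 applied to a resolved function pointer at 004385C8."""
    return (stored ^ key) & 0xFFFFFFFF


def verdict(hits: Dict[str, List[dict]]) -> bool:
    """True when all three loader characteristics are present in one buffer."""
    return all(hits[name] for name in PATTERNS)


# Constructed sample: filler + PEB walk + filler + decrypt loop + filler + IAT XOR.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("64a1300000008b400c8b401c8b008b008b4008")
    + b"\xcc" * 5
    + bytes.fromhex("80340815403b054c80430072f3c3")
    + b"\x00" * 7
    + bytes.fromhex("6a2035151515156a008945db")
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for name, entries in found.items():
        for e in entries:
            print(name, {k: (hex(v) if k == "key" else v) for k, v in e.items()})
    print("loader signature present:", verdict(found))
```

Run it on a dumped section or the whole file; the one-byte key feeds a decryptor for the code section, and the imm32 key feeds decrypt_iat_entry to turn the stored values back into real function pointers when rebuilding the IAT.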

Source: www.cnblogs.com/ltyandy/p/11289565.html