00438450 55 PUSH EBP
00438451 8BEC MOV EBP,ESP
00438453 83EC 0C SUB ESP,0xC
// The first call is observed to take no parameters, and its return value in EAX is never used afterwards, so the call has no parameters and no return value,
// i.e. in C terms void fun(void). Step into it to look. (See Note 1 - CALL 004383A0)
00438456 E8 45FFFFFF CALL 02.004383A0 ; initializes the function addresses
0043845B A1 40804300 MOV EAX,DWORD PTR DS:[0x438040] ; get the image base
00438460 0305 44804300 ADD EAX,DWORD PTR DS:[0x438044] ; add the RVA of the code section
// Guess: the preceding function probably initializes this data.
00438466 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
00438469 C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0
00438470 8D4D FC LEA ECX,DWORD PTR SS:[EBP-0x4]
00438473 51 PUSH ECX
00438474 6A 40 PUSH 0x40
00438476 8B15 4C804300 MOV EDX,DWORD PTR DS:[0x43804C]
// modifies the protection of the code section base
0043847C 52 PUSH EDX
0043847D 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-0x8]
00438480 50 PUSH EAX
// Here we see a VirtualProtect call, which suggests the stub is about to change page protection; the few lines above are presumably its parameters.
00438481 FF15 C0924300 CALL DWORD PTR DS:[0x4392C0] ; DS:[004392C0]=764750AB (kernel32.VirtualProtect)
00438487 E8 04FEFFFF CALL 02.00438290
0043848C 8D4D FC LEA ECX,DWORD PTR SS:[EBP-0x4]
0043848F 51 PUSH ECX
00438490 8B55 FC MOV EDX,DWORD PTR SS:[EBP-0x4]
00438493 52 PUSH EDX
00438494 A1 4C804300 MOV EAX,DWORD PTR DS:[0x43804C]
00438499 50 PUSH EAX
0043849A 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-0x8]
0043849D 51 PUSH ECX
// Surprisingly there is a second VirtualProtect; this one should restore the page protection.
// Because the first VirtualProtect makes the code section writable, watch it, then step over it to find where the code gets modified.
// The call 00438290 sitting between these two VirtualProtect calls is probably what modifies the code; step into it. (See Note 2 - call 00438290)
0043849E FF15 C0924300 CALL DWORD PTR DS:[0x4392C0] ; DS:[004392C0]=764750AB (kernel32.VirtualProtect)
// here is the MessageBox
004384A4 6A 04 PUSH 0x4
004384A6 68 2C814300 PUSH 02.0043812C ; ASCII "Hello 15PB"
004384AB 68 38814300 PUSH 02.00438138 ; ASCII "Welcome to free the packer, is running the main program?"
004384B0 6A 00 PUSH 0x0
004384B2 FF15 BC924300 CALL DWORD PTR DS:[0x4392BC] ; user32.MessageBoxA
004384B8 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
004384BB 837D F4 06 CMP DWORD PTR SS:[EBP-0xC],0x6 ; check whether the return value is Yes
004384BF 75 0B JNZ SHORT 02.004384CC
// here the MessageBox handling ends
004384C1 E8 1A000000 CALL 02.004384E0
// The next instruction jumps to the OEP (see Note 3 - OEP figure); but on reaching it we find the IAT has been encrypted (see Note 4 - IAT encryption figure).
// The encryption may well happen in the call 004384E0 just before the jump, so step into it. (See Note 5 - CALL 004384E0)
004384C6 - FF25 3C804300 JMP DWORD PTR DS:[0x43803C] ; OEP entry
004384CC 6A 00 PUSH 0x0
004384CE FF15 B8924300 CALL DWORD PTR DS:[0x4392B8] ; kernel32.ExitProcess
004384D4 8BE5 MOV ESP,EBP
004384D6 5D POP EBP
004384D7 C3 RETN
Note 1 - CALL 004383A0
// Inside this function we find operations on the FS segment register. FS is generally used to reach the thread's TEB and the PEB; through the PEB's module list the kernel32 base address can be obtained, and other modules as well if needed. Given this understanding of the PEB and FS, this code is most likely locating the kernel32 base address. Looking further down, the familiar function names appear. This matches the earlier guess, made while stepping through, that this function initializes the function addresses.
004383A0 55 PUSH EBP
004383A1 8BEC MOV EBP,ESP
004383A3 51 PUSH ECX
004383A4 56 PUSH ESI
004383A5 C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0
004383AC 50 PUSH EAX
004383AD 64:A1 30000000 MOV EAX,DWORD PTR FS:[0x30] ; get the PEB
004383B3 8B40 0C MOV EAX,DWORD PTR DS:[EAX+0xC]
004383B6 8B40 1C MOV EAX,DWORD PTR DS:[EAX+0x1C]
004383B9 8B00 MOV EAX,DWORD PTR DS:[EAX]
004383BB 8B00 MOV EAX,DWORD PTR DS:[EAX]
004383BD 8B40 08 MOV EAX,DWORD PTR DS:[EAX+0x8]
004383C0 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
004383C3 58 POP EAX
004383C4 8B75 FC MOV ESI,DWORD PTR SS:[EBP-0x4]
004383C7 E8 F4FEFFFF CALL 02.004382C0
004383CC 68 C4804300 PUSH 02.004380C4 ; ASCII "LoadLibraryA"
004383D1 56 PUSH ESI
004383D2 A3 CC924300 MOV DWORD PTR DS:[0x4392CC],EAX
004383D7 FFD0 CALL EAX
004383D9 68 D4804300 PUSH 02.004380D4 ; ASCII "GetModuleHandleA"
004383DE 56 PUSH ESI
004383DF A3 C8924300 MOV DWORD PTR DS:[0x4392C8],EAX
004383E4 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC]
004383EA 68 E8804300 PUSH 02.004380E8 ; ASCII "VirtualProtect"
004383EF 56 PUSH ESI
004383F0 A3 C4924300 MOV DWORD PTR DS:[0x4392C4],EAX
004383F5 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC]
004383FB 68 F8804300 PUSH 02.004380F8 ; ASCII "user32.dll"
00438400 A3 C0924300 MOV DWORD PTR DS:[0x4392C0],EAX
00438405 FF15 C8924300 CALL DWORD PTR DS:[0x4392C8]
0043840B 68 04814300 PUSH 02.00438104 ; ASCII "MessageBoxA"
00438410 50 PUSH EAX
00438411 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC]
00438417 68 10814300 PUSH 02.00438110 ; ASCII "ExitProcess"
0043841C 56 PUSH ESI
0043841D A3 BC924300 MOV DWORD PTR DS:[0x4392BC],EAX
00438422 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC]
00438428 68 1C814300 PUSH 02.0043811C ; ASCII "VirtualAlloc"
0043842D 56 PUSH ESI
0043842E A3 B8924300 MOV DWORD PTR DS:[0x4392B8],EAX
00438433 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC]
00438439 A3 B4924300 MOV DWORD PTR DS:[0x4392B4],EAX
0043843E 5E POP ESI
0043843F 8BE5 MOV ESP,EBP
00438441 5D POP EBP
00438442 C3 RETN
Finally, at
00438439 A3 B4924300 MOV DWORD PTR DS:[0x4392B4],EAX
following this address in the data window, the initialized function addresses are found.
Note 2 - call 00438290
// There is one obvious line of XOR code; this call is clearly the decryption routine for the code section.
00438290 8B0D 44804300 MOV ECX,DWORD PTR DS:[0x438044] ; get the code section RVA
00438296 33C0 XOR EAX,EAX
00438298 030D 40804300 ADD ECX,DWORD PTR DS:[0x438040] ; code section base = code section RVA + image base
0043829E 3905 4C804300 CMP DWORD PTR DS:[0x43804C],EAX ; code section length
004382A4 76 17 JBE SHORT 02.004382BD
004382A6 EB 08 JMP SHORT 02.004382B0
004382A8 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
004382AF 90 NOP
004382B0 8034 08 15 XOR BYTE PTR DS:[EAX+ECX],0x15 ; code section base + offset, XOR the code byte
004382B4 40 INC EAX
004382B5 3B05 4C804300 CMP EAX,DWORD PTR DS:[0x43804C]
004382BB ^72 F3 JB SHORT 02.004382B0
004382BD C3 RETN
Note 3 - OEP (figure)
Note 4 - IAT encryption (figure)
Note 5 - CALL 004384E0
// IAT filling: the function address has to be obtained first, so set a breakpoint on GetProcAddress, find it, then trace and analyze it. We find one line of code that XORs its return value and then saves that value in a local variable; right after that it allocates a block of memory, copies a previously prepared block from a local buffer plus the just-encrypted value into it, and then fills that allocated address into the IAT entry.
004385B9 FF15 CC924300 CALL DWORD PTR DS:[0x4392CC] ; kernel32.GetProcAddress
004385BF 6A 40 PUSH 0x40
004385C1 68 00300000 PUSH 0x3000
004385C6 6A 20 PUSH 0x20
004385C8 35 15151515 XOR EAX,0x15151515 ; modify (encrypt) the IAT function address
004385CD 6A 00 PUSH 0x0
004385CF 8945 DB MOV DWORD PTR SS:[EBP-0x25],EAX ; save the encrypted IAT function address
004385D2 FF15 B4924300 CALL DWORD PTR DS:[0x4392B4] ; kernel32.VirtualAlloc
004385D8 F30F6F45 D0 MOVDQU XMM0,DQWORD PTR SS:[EBP-0x30] ; move 64 bits of data into XMM0
004385DD 8B55 CC MOV EDX,DWORD PTR SS:[EBP-0x34]
004385E0 F30F7F00 MOVDQU DQWORD PTR DS:[EAX],XMM0 ; copy into the allocated space
004385E4 F30F6F45 E0 MOVDQU XMM0,DQWORD PTR SS:[EBP-0x20]
004385E9 F30F7F40 10 MOVDQU DQWORD PTR DS:[EAX+0x10],XMM0
004385EE 8907 MOV DWORD PTR DS:[EDI],EAX ; fill the IAT entry with the allocated address
004385F0 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+0x4]
004385F3 83C6 04 ADD ESI,0x4
004385F6 8BFE MOV EDI,ESI
004385F8 85C9 TEST ECX,ECX
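The two XOR transformations found above, the byte-wise XOR 0x15 over the code section in Note 2 (call 00438290) and the XOR 0x15151515 applied to each GetProcAddress result in Note 5 (CALL 004384E0), re-implemented in Python as an offline helper for analyzing a memory dump. This is an added example, not the packer's or the author's code. The keys, the three stub globals ([0x438040] image base, [0x438044] code RVA, [0x43804C] code size) and the VirtualProtect address 764750AB come from the listing; the image base, code RVA and code bytes in the sample are constructed, and the assumption that the dump is a flat buffer starting at dump_base is mine.

```python
# Added analysis helper (not the packer's code): undo the two XOR steps seen in the listing.
# Keys and global layout are from the disassembly; the sample dump below is constructed.

CODE_KEY = 0x15          # byte key of the loop at 004382B0: XOR BYTE PTR [EAX+ECX],0x15
IAT_KEY = 0x15151515     # dword key applied to the GetProcAddress result at 004385C8


def decrypt_code_section(dump: bytes, dump_base: int, image_base: int,
                         code_rva: int, code_size: int, key: int = CODE_KEY) -> bytes:
    """Apply the stub's byte XOR over the code section of a dump.

    dump       - raw bytes of a module/process dump that starts at address dump_base
    image_base - what the stub reads from [0x438040]
    code_rva   - what the stub reads from [0x438044]
    code_size  - what the stub reads from [0x43804C]
    XOR is its own inverse, so one call both packs and unpacks.
    """
    start = image_base + code_rva - dump_base
    if start < 0 or start + code_size > len(dump):
        raise ValueError("code section lies outside the dump")
    section = bytearray(dump[start:start + code_size])
    for i in range(code_size):          # mirrors the INC EAX / CMP EAX,[0x43804C] / JB loop
        section[i] ^= key
    return bytes(section)


def decode_iat_value(encrypted: int, key: int = IAT_KEY) -> int:
    """Undo the XOR the stub applies to a resolved API address before saving it."""
    return (encrypted ^ key) & 0xFFFFFFFF


def count_prologues(code: bytes) -> int:
    """Sanity check for a decryption attempt: count PUSH EBP; MOV EBP,ESP (55 8B EC).
    Correctly decrypted x86 code usually contains many; XOR-scrambled code almost none."""
    return code.count(b"\x55\x8b\xec")


# --- constructed sample, not taken from the page ---
IMAGE_BASE = 0x400000
CODE_RVA = 0x1000
PLAIN_CODE = (b"\x55\x8b\xec\x83\xec\x0c" * 4   # four small function prologues
              + b"\x8b\xe5\x5d\xc3")            # mov esp,ebp; pop ebp; retn
CODE_SIZE = len(PLAIN_CODE)

# Fake dump: zeroed header up to the code RVA, then the code section "packed" with XOR 0x15.
PACKED_DUMP = b"\x00" * CODE_RVA + bytes(b ^ CODE_KEY for b in PLAIN_CODE)


def demo():
    """Returns (recovered code, prologues before, prologues after, decoded IAT value)."""
    recovered = decrypt_code_section(PACKED_DUMP, IMAGE_BASE, IMAGE_BASE, CODE_RVA, CODE_SIZE)
    # The VirtualProtect address OllyDbg showed, as the stub would store it after its XOR.
    stored = 0x764750AB ^ IAT_KEY
    return (recovered,
            count_prologues(PACKED_DUMP[CODE_RVA:]),
            count_prologues(recovered),
            decode_iat_value(stored))


if __name__ == "__main__":
    recovered, before, after, api = demo()
    print(f"prologues before decryption: {before}, after: {after}")
    print(f"decoded IAT value: {api:#010x}")
```

Note that the IAT entries themselves never hold the XORed address: the stub copies 32 bytes (two MOVDQU pairs) plus the XORed value into a VirtualAlloc'd block and stores that block's address in the IAT, so each import points at a small per-function stub. Decoding the dword only tells you which API a stub resolves to; the IAT still has to be rebuilt from those stubs before the dump is importable.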