AHpack 0.1 -> FEUERRADER 的简单分析
【破文标题】AHpack 0.1 -> FEUERRADER 的简单分析【破文作者】yangbing1990
【作者邮箱】[email protected]
【破解工具】OD,LoadPE
【破解平台】WinXP
【软件名称】试验小程序
【保护方式】AHpack 0.1
【破解声明】照葫芦画瓢 --!
------------------------------------------------------------------------
【破解过程】
004040FF >60 pushad
00404100 68 54404000 push AHpack_0.00404054 ; ASCII "KERNEL32.DLL"
00404105 B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA>
0040410A FF10 call near dword ptr ds:[eax] ; //eax=GetModuleHandle("Kernel32.dll");
0040410C 68 B3404000 push AHpack_0.004040B3 ; //获得 Kernel32.dll 模块句柄
00404111 50 push eax
00404112 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
00404117 FF10 call near dword ptr ds:[eax] ; //eax=GetProcAddress(eax,"GlobalAlloc");
00404119 68 00080000 push 800 ; //获得 GlobalAlloc 函数地址
0040411E 6A 40 push 40
00404120 FFD0 call near eax ; //eax=GlobalAlloc(GMEM_ZEROINIT,0x800);
00404122 8905 CA404000 mov dword ptr ds:[4040CA], eax ; //申请内存空间，保存在 4040CA
00404128 89C7 mov edi, eax
0040412A BE 00104000 mov esi, AHpack_0.00401000
0040412F 60 pushad ; ----解压函数----
00404130 FC cld
00404131 B2 80 mov dl, 80
00404133 31DB xor ebx, ebx
00404135 A4 movs byte ptr es:[edi], byte ptr ds:[esi]
00404136 B3 02 mov bl, 2
00404138 E8 6D000000 call AHpack_0.004041AA
0040413D^ 73 F6 jnb short AHpack_0.00404135
0040413F 31C9 xor ecx, ecx
00404141 E8 64000000 call AHpack_0.004041AA
00404146 73 1C jnb short AHpack_0.00404164
00404148 31C0 xor eax, eax
0040414A E8 5B000000 call AHpack_0.004041AA
0040414F 73 23 jnb short AHpack_0.00404174
00404151 B3 02 mov bl, 2
00404153 41 inc ecx
00404154 B0 10 mov al, 10
00404156 E8 4F000000 call AHpack_0.004041AA
0040415B 10C0 adc al, al
0040415D^ 73 F7 jnb short AHpack_0.00404156
0040415F 75 3F jnz short AHpack_0.004041A0
00404161 AA stos byte ptr es:[edi]
00404162^ EB D4 jmp short AHpack_0.00404138
00404164 E8 4D000000 call AHpack_0.004041B6
00404169 29D9 sub ecx, ebx
0040416B 75 10 jnz short AHpack_0.0040417D
0040416D E8 42000000 call AHpack_0.004041B4
00404172 EB 28 jmp short AHpack_0.0040419C
00404174 AC lods byte ptr ds:[esi]
00404175 D1E8 shr eax, 1
00404177 74 4D je short AHpack_0.004041C6
00404179 11C9 adc ecx, ecx
0040417B EB 1C jmp short AHpack_0.00404199
0040417D 91 xchg eax, ecx
0040417E 48 dec eax
0040417F C1E0 08 shl eax, 8
00404182 AC lods byte ptr ds:[esi]
00404183 E8 2C000000 call AHpack_0.004041B4
00404188 3D 007D0000 cmp eax, 7D00
0040418D 73 0A jnb short AHpack_0.00404199
0040418F 80FC 05 cmp ah, 5
00404192 73 06 jnb short AHpack_0.0040419A
00404194 83F8 7F cmp eax, 7F
00404197 77 02 ja short AHpack_0.0040419B
00404199 41 inc ecx
0040419A 41 inc ecx
0040419B 95 xchg eax, ebp
0040419C 89E8 mov eax, ebp
0040419E B3 01 mov bl, 1
004041A0 56 push esi
004041A1 89FE mov esi, edi
004041A3 29C6 sub esi, eax
004041A5 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
004041A7 5E pop esi
004041A8^ EB 8E jmp short AHpack_0.00404138
004041AA 00D2 add dl, dl
004041AC 75 05 jnz short AHpack_0.004041B3
004041AE 8A16 mov dl, byte ptr ds:[esi]
004041B0 46 inc esi
004041B1 10D2 adc dl, dl
004041B3 C3 retn
004041B4 31C9 xor ecx, ecx
004041B6 41 inc ecx
004041B7 E8 EEFFFFFF call AHpack_0.004041AA
004041BC 11C9 adc ecx, ecx
004041BE E8 E7FFFFFF call AHpack_0.004041AA
004041C3^ 72 F2 jb short AHpack_0.004041B7
004041C5 C3 retn
004041C6 61 popad ; ---解压函数---
004041C7 B9 FC070000 mov ecx, 7FC ; //解压数据的大小
004041CC 8B1C08 mov ebx, dword ptr ds:[eax+ecx]
004041CF 8999 00104000 mov dword ptr ds:[ecx+401000], ebx
004041D5^ E2 F5 loopd short AHpack_0.004041CC ; //将解压后的数据由后向前拷贝到 401000
004041D7 90 nop
004041D8 90 nop
004041D9 BA 00004000 mov edx, AHpack_0.00400000 ; //基址
004041DE BE 70200000 mov esi, 2070 ; //输入表地址 也是第一个DLL的ORG保存的地址的RVA
004041E3 01D6 add esi, edx ; //获得VA
004041E5 8B46 0C mov eax, dword ptr ds:[esi+C] ; //获得DllName的RVA
004041E8 85C0 test eax, eax
004041EA 0F84 87000000 je AHpack_0.00404277 ; //判断DLLName是否为空(为空说明所有DLL都遍历了)
004041F0 01D0 add eax, edx ; //获得DllName的VA
004041F2 89C3 mov ebx, eax
004041F4 50 push eax
004041F5 B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA> ; //eax=GetModuleHandle(DllName);
004041FA FF10 call near dword ptr ds:[eax] ; //获得DllName的模块句柄
004041FC 85C0 test eax, eax
004041FE 75 08 jnz short AHpack_0.00404208 ; //判断句柄是否获得成功
00404200 53 push ebx
00404201 B8 4C404000 mov eax, <&KERNEL32.LoadLibraryA> ; //失败就用 LoadLibrary 再次获取
00404206 FF10 call near dword ptr ds:[eax]
00404208 8905 CE404000 mov dword ptr ds:[4040CE], eax ; //DllName的模块句柄保存在 4040CE
0040420E C705 D2404000 00000000 mov dword ptr ds:[4040D2], 0 ; //4040D2(偏移值 大小DWORD 即 =4*循环次数(从0开始)) 清零
00404218 BA 00004000 mov edx, AHpack_0.00400000 ; //基址
0040421D 8B06 mov eax, dword ptr ds:[esi] ; //获得ORG的RVA
0040421F 85C0 test eax, eax
00404221 75 03 jnz short AHpack_0.00404226 ; //判断ORG 是否为零
00404223 8B46 10 mov eax, dword ptr ds:[esi+10] ; //如果为零 则取 FirstThunk
00404226 01D0 add eax, edx ; //获得 VA
00404228 0305 D2404000 add eax, dword ptr ds:[4040D2]
0040422E 8B18 mov ebx, dword ptr ds:[eax] ; //获得 函数名RVA
00404230 8B7E 10 mov edi, dword ptr ds:[esi+10] ; //获得FirstThunk
00404233 01D7 add edi, edx ; //获得 FirstThunk的VA
00404235 033D D2404000 add edi, dword ptr ds:[4040D2]
0040423B 85DB test ebx, ebx
0040423D 74 2B je short AHpack_0.0040426A ; //判断保存函数名的地址的 RVA是否为空 如果为空说明这个DLL的函数都遍历完了
0040423F F7C3 00000080 test ebx, 80000000
00404245 75 04 jnz short AHpack_0.0040424B ; //判断是以序号方式还是函数名方式
00404247 01D3 add ebx, edx ; //获得VA
00404249 43 inc ebx
0040424A 43 inc ebx ; //去了 开头序号
0040424B 81E3 FFFFFF0F and ebx, 0FFFFFFF
00404251 53 push ebx ; //函数名
00404252 FF35 CE404000 push dword ptr ds:[4040CE] ; //当前DLL的模块句柄
00404258 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
0040425D FF10 call near dword ptr ds:[eax] ; //获得函数 地址
0040425F 8907 mov dword ptr ds:[edi], eax ; //用函数地址填充 FirstThunk
00404261 8305 D2404000 04 add dword ptr ds:[4040D2], 4
00404268^ EB AE jmp short AHpack_0.00404218 ; //循环 取函数地址填充 FirstThunk
0040426A 83C6 14 add esi, 14 ; //获得 下一个dll保存ORG的地址的RVA
0040426D BA 00004000 mov edx, AHpack_0.00400000 ; //基址
00404272^ E9 6EFFFFFF jmp AHpack_0.004041E5 ; //循环 遍历DLL
00404277 68 54404000 push AHpack_0.00404054 ; ASCII "KERNEL32.DLL"
0040427C B8 48404000 mov eax, <&KERNEL32.GetModuleHandleA>
00404281 FF10 call near dword ptr ds:[eax] ; //获得 "Kernel32.dll"的模块句柄
00404283 68 BF404000 push AHpack_0.004040BF ; ASCII "GlobalFree"
00404288 50 push eax
00404289 B8 44404000 mov eax, <&KERNEL32.GetProcAddress>
0040428E FF10 call near dword ptr ds:[eax] ; //获得 GlobalFree 函数地址
00404290 8B15 CA404000 mov edx, dword ptr ds:[4040CA]
00404296 52 push edx
00404297 FFD0 call near eax ; //释放 申请空间
00404299 61 popad ; //还原 寄存器
0040429A BA 00104000 mov edx, AHpack_0.00401000 ; //OEP
0040429F FFE2 jmp near edx ; //
004042A1 90 nop
004042A2 C3 retn
最后膜拜YAYA兽 附上程序 你把aspack分析一下吧/:018 收到 现在就去/:001