Aspack壳代码分析


; ASPack entry stub (x86-32; OllyDbg listing of the packed image loaded at 0x00400000, stub section at 0x00417000).
; The CALL/POP pairs below exist only to put the stub's own address in EBP; from 00417014 on every
; stub variable is addressed as [EBP+disp] with EBP = 0x00417013 (see 00417015..0041701C for the check).
00417000    90              NOP
00417001 >  60              PUSHAD                                   ; save all registers; the matching POPAD at 012F7415 restores them before control reaches the OEP
00417002    E8 03000000     CALL 00_aspac.0041700A                   ; pushes the return address 0x00417007: the stub's way of learning where it is loaded
00417007    90              NOP                                      ; skipped: the RETN below lands on 00417008
00417008    EB 04           JMP SHORT 00_aspac.0041700E
0041700A    5D              POP EBP                                  ; EBP = 0x00417007 (return address pushed by the CALL above)
0041700B    45              INC EBP                                  ; EBP = 0x00417008
0041700C    55              PUSH EBP                                 ; push 0x00417008 ...
0041700D    C3              RETN                                     ; ... and "return" to it: an obfuscated jump to the JMP SHORT at 00417008
0041700E    E8 01000000     CALL 00_aspac.00417014                   ; pushes 0x00417013; the byte 5D at 00417014 is POP EBP, so EBP = 0x00417013 from here on
00417013    EB 5D           JMP SHORT 00_aspac.00417072              ; bogus decode: the disassembler started one byte early; the real instruction is the POP EBP at 00417014
 
//初始化
; --- Initialisation: compute the module base and resolve the kernel32 APIs the stub needs. EBP = 0x00417013. ---
00417015    BB EDFFFFFF     MOV EBX,-0x13                           ; EBX = -0x13
0041701A    03DD            ADD EBX,EBP                             ; EBX = 0x00417013 - 0x13 = 0x00417000 (start of the stub)
0041701C    81EB 00700100   SUB EBX,0x17000                         ; EBX = 0x00400000: module base (the stub's RVA 0x17000 is hard-coded by the packer)
00417022    83BD 88040000 0>CMP DWORD PTR SS:[EBP+0x488],0x0        ; base already stored, i.e. has the stub run before?
00417029    899D 88040000   MOV DWORD PTR SS:[EBP+0x488],EBX        ; [EBP+0x488] = module base (MOV leaves the flags of the CMP intact)
0041702F    0F85 CB030000   JNZ 00_aspac.00417400                   ; second run: skip unpacking and go straight to the OEP handling at 00417400
00417035    8D85 94040000   LEA EAX,DWORD PTR SS:[EBP+0x494]        ; EAX -> string at 0x004174A7 (presumably "kernel32.dll"; its bytes are not in this dump)
0041703B    50              PUSH EAX                                ; lpModuleName
0041703C    FF95 A90F0000   CALL DWORD PTR SS:[EBP+0xFA9]           ; GetModuleHandleA (see the annotation at 012F7281) -> kernel32 base
00417042    8985 8C040000   MOV DWORD PTR SS:[EBP+0x48C],EAX         ; [EBP+0x48C] = kernel32 base (used again at 012F731A to special-case kernel32 ordinals)
00417048    8BF0            MOV ESI,EAX                             ; ESI = kernel32 base, hModule for the GetProcAddress loop
0041704A    8D7D 51         LEA EDI,DWORD PTR SS:[EBP+0x51]         ; EDI -> name table at 0x00417064: NUL-separated API names, double NUL at the end (shown as garbage code at 00417064..0041708C)
0041704D    57              PUSH EDI                                 ; lpProcName = current name; EDI is also where the result is written
0041704E    56              PUSH ESI                                 ; hModule = kernel32
0041704F    FF95 A50F0000   CALL DWORD PTR SS:[EBP+0xFA5]           ; GetProcAddress
00417055    AB              STOS DWORD PTR ES:[EDI]                 ; store the 4-byte address over the first four characters of the name (EDI += 4); the name becomes a call slot, e.g. [EBP+0x51] = VirtualAlloc
00417056    B0 00           MOV AL,0x0
00417058    AE              SCAS BYTE PTR ES:[EDI]                   ; skip the rest of the name up to and including its NUL
00417059  ^ 75 FD           JNZ SHORT 00_aspac.00417058             ; not NUL yet: keep scanning
0041705B    3807            CMP BYTE PTR DS:[EDI],AL                ; a second NUL right after the name = end of the table
0041705D  ^ 75 EE           JNZ SHORT 00_aspac.0041704D             ; otherwise resolve the next name
0041705F    8D45 7A         LEA EAX,DWORD PTR SS:[EBP+0x7A]         ; EAX = 0x0041708D: start of the decompression code
00417062    FFE0            JMP EAX                                 ; jump over the data below
; --- 00417064..0041708C is data, not code: the API table after resolution. Each entry is
; <4-byte function address><remainder of the original name>\0; the disassembler shows it as junk instructions. ---
00417064    F4              HLT                                      ; F4 05 48 76 = 0x764805F4, slot [EBP+0x51]: VirtualAlloc (called at 004170BE / 004170DF)
00417065    05 48767561     ADD EAX,0x61757648                       ; ... then 75 61 = "ua" of "ualAlloc"; the overwritten prefix was presumably "Virt"
0041706A    6C              INS BYTE PTR ES:[EDI],DX                 ; "l"
0041706B    41              INC ECX                                  ; "A"
0041706C    6C              INS BYTE PTR ES:[EDI],DX                 ; "l"
0041706D    6C              INS BYTE PTR ES:[EDI],DX                 ; "l"
0041706E    6F              OUTS DX,DWORD PTR DS:[ESI]               ; "o"
0041706F    6300            ARPL WORD PTR DS:[EAX],AX                ; "c" NUL
00417071    35 0D487675     XOR EAX,0x7576480D                       ; 35 0D 48 76 = 0x76480D35, slot [EBP+0x5E]: VirtualFree (called at 00417189 / 004171A5); then "u"
00417076    61              POPAD                                    ; "a"
00417077    6C              INS BYTE PTR ES:[EDI],DX                 ; "l"
00417078    46              INC ESI                                  ; "F"
00417079    72 65           JB SHORT 00_aspac.004170E0               ; "re"
0041707B    65:00AB 5047767>ADD BYTE PTR GS:[EBX+0x75764750],CH      ; "e" NUL, then AB 50 47 76 = 0x764750AB, slot [EBP+0x6A]: VirtualProtect (called at 012F73F1 / 012F73FC); then "u"
00417082    61              POPAD                                    ; "a"
00417083    6C              INS BYTE PTR ES:[EDI],DX                 ; "l"
00417084    50              PUSH EAX                                 ; "P"
00417085    72 6F           JB SHORT 00_aspac.004170F6               ; "ro"
00417087    74 65           JE SHORT 00_aspac.004170EE               ; "te"
00417089    637400 00       ARPL WORD PTR DS:[EAX+EAX],SI            ; "ct" NUL NUL: the double NUL ends the table; 0041708D is code again

//开始解压
; --- Per-section decompression. [EBP+0x488] = module base. ESI walks a table at [EBP+0x5C5] (0x004175D8)
; of 12-byte entries {RVA, packed size, ?} terminated by RVA 0. APIs are called through the slots
; resolved above: [EBP+0x51] VirtualAlloc, [EBP+0x5E] VirtualFree. ---
0041708D    8B9D 95050000   MOV EBX,DWORD PTR SS:[EBP+0x595]        ; [0x004175A8]: optional pointer; 0 in this run
00417093    0BDB            OR EBX,EBX
00417095    74 0A           JE SHORT 00_aspac.004170A1              ; none: skip
00417097    8B03            MOV EAX,DWORD PTR DS:[EBX]
00417099    8785 99050000   XCHG DWORD PTR SS:[EBP+0x599],EAX       ; swap *EBX with the dword saved at [EBP+0x599] (swapped back at 004171B4)
0041709F    8903            MOV DWORD PTR DS:[EBX],EAX
004170A1    8DB5 C5050000   LEA ESI,DWORD PTR SS:[EBP+0x5C5]         ; ESI -> first section entry
004170A7    833E 00         CMP DWORD PTR DS:[ESI],0x0              ; RVA 0: empty table
004170AA    0F84 0A010000   JE 00_aspac.004171BA                     ; nothing to decompress
004170B0    6A 04           PUSH 0x4                                ; flProtect = PAGE_READWRITE
004170B2    68 00100000     PUSH 0x1000                             ; flAllocationType = MEM_COMMIT
004170B7    68 00180000     PUSH 0x1800                             ; dwSize = 0x1800
004170BC    6A 00           PUSH 0x0                                ; lpAddress = NULL
004170BE    FF55 51         CALL DWORD PTR SS:[EBP+0x51]             ; VirtualAlloc: work buffer for the decompressor
004170C1    8985 48010000   MOV DWORD PTR SS:[EBP+0x148],EAX         ; [EBP+0x148] = work buffer (the return value is not checked for NULL)
004170C7    8B46 04         MOV EAX,DWORD PTR DS:[ESI+0x4]          ; loop head (re-entered from 00417192): EAX = packed size of this section
004170CA    05 0E010000     ADD EAX,0x10E                           ; output buffer = packed size + 0x10E bytes of slack
004170CF    0F84 B7000000   JE 00_aspac.0041718C                     ; only taken if the sum wraps to 0 (goes straight to the next entry)
004170D5    6A 04           PUSH 0x4                                ; PAGE_READWRITE
004170D7    68 00100000     PUSH 0x1000                             ; MEM_COMMIT
004170DC    50              PUSH EAX                                ; dwSize = packed size + 0x10E
004170DD    6A 00           PUSH 0x0                                ; lpAddress = NULL
004170DF    FF55 51         CALL DWORD PTR SS:[EBP+0x51]             ; VirtualAlloc: output buffer for this section
004170E2    8985 44010000   MOV DWORD PTR SS:[EBP+0x144],EAX         ; [EBP+0x144] = output buffer (again no NULL check)
004170E8    56              PUSH ESI                                 ; keep the section-entry pointer; popped again at 0041717B
004170E9    8B1E            MOV EBX,DWORD PTR DS:[ESI]               ; EBX = section RVA (0x1000 here)
004170EB    039D 88040000   ADD EBX,DWORD PTR SS:[EBP+0x488]         ; EBX = section VA
004170F1    FFB5 48010000   PUSH DWORD PTR SS:[EBP+0x148]           ; arg4: 0x1800-byte work buffer
004170F7    FF76 04         PUSH DWORD PTR DS:[ESI+0x4]             ; arg3: packed size (0xA000 here)
004170FA    50              PUSH EAX                                 ; arg2: output buffer
004170FB    53              PUSH EBX                                 ; arg1: packed data at the section VA (0x00401000)
004170FC    E8 C7050000     CALL 00_aspac.004176C8                   ; decompress(src, dst, size, work); body not in this dump. EAX afterwards is used as the number of output bytes (see the REP MOVS below)
00417101    B3 01           MOV BL,0x1                              ; the immediate at 00417102 is self-modified: 0 on the first pass, 1 after 00417108 has run
00417103    80FB 00         CMP BL,0x0
00417106    75 4D           JNZ SHORT 00_aspac.00417155             ; later sections: skip the E8/E9 fix-up
00417108    FE85 EF000000   INC BYTE PTR SS:[EBP+0xEF]               ; [0x00417102] 0 -> 1: self-modifying code that turns the MOV BL above into MOV BL,1 so the fix-up runs once only (the stub section must be writable for this)
0041710E    50              PUSH EAX                                 ; preserve EAX (output length), ECX, ESI (section entry), EBX (section VA)
0041710F    51              PUSH ECX
00417110    56              PUSH ESI
00417111    53              PUSH EBX                                
00417112    8BC8            MOV ECX,EAX                              ; ECX = bytes left to scan
00417114    83E9 05         SUB ECX,0x5                              ; a CALL/JMP rel32 is 5 bytes; stop before the tail
00417117    8BB5 44010000   MOV ESI,DWORD PTR SS:[EBP+0x144]         ; ESI -> decompressed bytes (the original code section, still in the output buffer)
0041711D    33DB            XOR EBX,EBX                              ; EBX = offset of the current byte within the section
0041711F    0BC9            OR ECX,ECX                               ; loop head
00417121    74 2E           JE SHORT 00_aspac.00417151               ; no bytes left
00417123    78 2C           JS SHORT 00_aspac.00417151               ; negative (section shorter than 5 bytes)
00417125    AC              LODS BYTE PTR DS:[ESI]                   ; AL = next byte
00417126    3C E8           CMP AL,0xE8                             ; CALL rel32 opcode?
00417128    74 0A           JE SHORT 00_aspac.00417134
0041712A    EB 00           JMP SHORT 00_aspac.0041712C             ; EB 00: jumps to the next instruction (junk)
0041712C    3C E9           CMP AL,0xE9                             ; JMP rel32 opcode?
0041712E    74 04           JE SHORT 00_aspac.00417134
00417130    43              INC EBX                                  ; ordinary byte: advance by one
00417131    49              DEC ECX
00417132  ^ EB EB           JMP SHORT 00_aspac.0041711F             ; the packer stored CALL/JMP targets as absolute offsets; this flat byte scan converts them back to rel32 (any E8/E9 byte followed by 05 is treated as an instruction)

00417134    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; E8/E9 found: load the 4 operand bytes
00417136    EB 00           JMP SHORT 00_aspac.00417138             ; EB 00: junk
00417138    803E 05         CMP BYTE PTR DS:[ESI],0x5               ; first operand byte must be the packer's 0x05 marker
0041713B  ^ 75 F3           JNZ SHORT 00_aspac.00417130             ; otherwise treat the E8/E9 as a plain byte
0041713D    24 00           AND AL,0x0                               ; drop the marker byte
0041713F    C1C0 18         ROL EAX,0x18                            ; = ROR 8: the three bytes after the marker, as a little-endian 24-bit value, become the absolute target offset
00417142    2BC3            SUB EAX,EBX                              ; absolute offset -> relative to this instruction's own offset
00417144    8906            MOV DWORD PTR DS:[ESI],EAX               ; write the restored rel32 operand in place
00417146    83C3 05         ADD EBX,0x5                              ; skip opcode + 4 operand bytes
00417149    83C6 04         ADD ESI,0x4
0041714C    83E9 05         SUB ECX,0x5
0041714F  ^ EB CE           JMP SHORT 00_aspac.0041711F             ; back to the loop head
00417151    5B              POP EBX                                  ; restore EBX, ESI, ECX, EAX
00417152    5E              POP ESI
00417153    59              POP ECX
00417154    58              POP EAX
00417155    EB 08           JMP SHORT 00_aspac.0041715F             ; target lies inside the misdecoded bytes below: the listing from 00417157 to 00417168 is out of sync
00417157    0000            ADD BYTE PTR DS:[EAX],AL                 ; 00417157..0041715E: 8 bytes (00 00 20 00 00 00 1F 00) that are never executed
00417159    2000            AND BYTE PTR DS:[EAX],AL
0041715B    0000            ADD BYTE PTR DS:[EAX],AL
0041715D    1F              POP DS
0041715E    008B C88B3E03   ADD BYTE PTR DS:[EBX+0x33E8BC8],CL       ; from 0041715F the bytes 8B C8 / 8B 3E / 03 BD 88040000 decode as MOV ECX,EAX / MOV EDI,[ESI] / ADD EDI,[EBP+0x488]: ECX = output length, EDI = section VA (base + RVA from the entry)
00417164    BD 88040000     MOV EBP,0x488                            ; bogus: these are the last bytes of that ADD EDI,[EBP+0x488]; EBP is not modified
00417169    8BB5 44010000   MOV ESI,DWORD PTR SS:[EBP+0x144]                 ; ESI = output buffer (0x003E0000 in this run)
0041716F    C1F9 02         SAR ECX,0x2                                     ; dword count
00417172    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]   ; copy the decompressed section over its place in the image
00417174    8BC8            MOV ECX,EAX
00417176    83E1 03         AND ECX,0x3                                     ; remaining 0..3 bytes
00417179    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041717B    5E              POP ESI                                          ; ESI = section entry again (pushed at 004170E8)
0041717C    68 00800000     PUSH 0x8000                                      ; dwFreeType = MEM_RELEASE
00417181    6A 00           PUSH 0x0                                         ; dwSize = 0
00417183    FFB5 44010000   PUSH DWORD PTR SS:[EBP+0x144]                    ; lpAddress = output buffer
00417189    FF55 5E         CALL DWORD PTR SS:[EBP+0x5E]                     ; VirtualFree
0041718C    83C6 0C         ADD ESI,0xC                                      ; next 12-byte entry
0041718F    833E 00         CMP DWORD PTR DS:[ESI],0x0                       ; RVA 0 ends the table
00417192  ^ 0F85 2FFFFFFF   JNZ 00_aspac.004170C7                             ; next section (the 0x1800 work buffer is reused; only the output buffer is re-allocated)

; --- Clean-up after the section loop, then base relocation. In this run the image sits at its
; preferred base, so the delta is 0 and the relocation loop is skipped (a second trace where it
; actually runs follows at 012F71C8). ---
00417198    68 00800000     PUSH 0x8000                                      ; MEM_RELEASE
0041719D    6A 00           PUSH 0x0
0041719F    FFB5 48010000   PUSH DWORD PTR SS:[EBP+0x148]                     ; work buffer (0x001F0000 here)
004171A5    FF55 5E         CALL DWORD PTR SS:[EBP+0x5E]                     ; VirtualFree
004171A8    8B9D 95050000   MOV EBX,DWORD PTR SS:[EBP+0x595]                 ; [0x004175A8] = 0 here (same optional pointer as at 0041708D)
004171AE    0BDB            OR EBX,EBX                                       ; EBX = 0
004171B0    74 08           JE SHORT 00_aspac.004171BA                       ; taken
004171B2    8B03            MOV EAX,DWORD PTR DS:[EBX]
004171B4    8785 99050000   XCHG DWORD PTR SS:[EBP+0x599],EAX                ; undo the exchange made at 00417099
004171BA    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]                 ; EDX = actual load base
004171C0    8B85 91050000   MOV EAX,DWORD PTR SS:[EBP+0x591]                 ; EAX = presumably the preferred ImageBase stored by the packer (0x00400000 here; the value itself is not in this dump)
004171C6    2BD0            SUB EDX,EAX                                       ; EDX = relocation delta
004171C8    74 79           JE SHORT 00_aspac.00417243                       ; delta 0: no relocation needed; taken in this run
004171CA    8BC2            MOV EAX,EDX
004171CC    C1E8 10         SHR EAX,0x10                                     ; AX = high 16 bits of the delta (for IMAGE_REL_BASED_HIGH entries)
004171CF    33DB            XOR EBX,EBX
004171D1    8BB5 9D050000   MOV ESI,DWORD PTR SS:[EBP+0x59D]                 ; RVA of the relocation directory
004171D7    03B5 88040000   ADD ESI,DWORD PTR SS:[EBP+0x488]                 ; ESI -> first IMAGE_BASE_RELOCATION block
004171DD    833E 00         CMP DWORD PTR DS:[ESI],0x0                       ; block loop head: VirtualAddress 0 ends the table
004171E0    74 61           JE SHORT 00_aspac.00417243
004171E2    8B4E 04         MOV ECX,DWORD PTR DS:[ESI+0x4]                   ; SizeOfBlock
004171E5    83E9 08         SUB ECX,0x8                                      ; minus the 8-byte block header
004171E8    D1E9            SHR ECX,1                                        ; ECX = number of 16-bit entries; not validated: a block with SizeOfBlock 8 gives ECX = 0, which LOOPD below treats as 2^32 iterations
004171EA    8B3E            MOV EDI,DWORD PTR DS:[ESI]                       ; page RVA
004171EC    03BD 88040000   ADD EDI,DWORD PTR SS:[EBP+0x488]                 ; EDI = page VA
004171F2    83C6 08         ADD ESI,0x8                                      ; ESI -> first entry
004171F5    66:8B1E         MOV BX,WORD PTR DS:[ESI]                         ; entry loop head: entry = type:4 | offset:12 (EBX's upper 16 bits are 0 here)
004171F8    C1EB 0C         SHR EBX,0xC                                      ; EBX = type
004171FB    83FB 01         CMP EBX,0x1                                      ; 1 = IMAGE_REL_BASED_HIGH
004171FE    74 0C           JE SHORT 00_aspac.0041720C
00417200    83FB 02         CMP EBX,0x2                                      ; 2 = IMAGE_REL_BASED_LOW
00417203    74 16           JE SHORT 00_aspac.0041721B
00417205    83FB 03         CMP EBX,0x3                                      ; 3 = IMAGE_REL_BASED_HIGHLOW
00417208    74 20           JE SHORT 00_aspac.0041722A
0041720A    EB 2C           JMP SHORT 00_aspac.00417238                      ; other types (incl. 0 = ABSOLUTE padding): ignored
0041720C    66:8B1E         MOV BX,WORD PTR DS:[ESI]                         ; HIGH
0041720F    81E3 FF0F0000   AND EBX,0xFFF                                    ; offset within the page
00417215    66:01041F       ADD WORD PTR DS:[EDI+EBX],AX                     ; add the high half of the delta
00417219    EB 1D           JMP SHORT 00_aspac.00417238
0041721B    66:8B1E         MOV BX,WORD PTR DS:[ESI]                         ; LOW
0041721E    81E3 FF0F0000   AND EBX,0xFFF
00417224    66:01141F       ADD WORD PTR DS:[EDI+EBX],DX                     ; add the low half of the delta
00417228    EB 0E           JMP SHORT 00_aspac.00417238
0041722A    66:8B1E         MOV BX,WORD PTR DS:[ESI]                         ; HIGHLOW
0041722D    81E3 FF0F0000   AND EBX,0xFFF
00417233    01141F          ADD DWORD PTR DS:[EDI+EBX],EDX                   ; add the full delta to the 32-bit pointer
00417236    EB 00           JMP SHORT 00_aspac.00417238                      ; EB 00: junk
00417238    66:830E FF      OR WORD PTR DS:[ESI],0xFFFF                      ; overwrite the entry just used with 0xFFFF: the in-memory .reloc is destroyed after use, so a dump of the running process cannot be relocated again
0041723C    83C6 02         ADD ESI,0x2                                      ; next entry
0041723F  ^ E2 B4           LOOPD SHORT 00_aspac.004171F5                    ; ECX--, loop while != 0
00417241  ^ EB 9A           JMP SHORT 00_aspac.004171DD                      ; next block

//重定位
; --- 00417243: where the relocation loop exits (reached directly in the run above, delta 0). ---
00417243    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]                 ; EDX = base (0x00400000)
00417249    8BB5 A5050000   MOV ESI,DWORD PTR SS:[EBP+0x5A5]                 ; [0x004175B8] = 0: optional patch list, see 012F7249 below
0041724F    0BF6            OR ESI,ESI                                       ; zero?
; --- Second trace of the same relocation code from a run in which the image was loaded at 0x012E0000
; (stub at 0x012F7000, EBP = 0x012F7013). Delta = 0x012E0000 - 0x00400000 = 0x00EE0000, so the loop runs. ---
012F71C8   /74 79           JE SHORT 00_aspac.012F7243               ; flags from SUB EDX,EAX at 012F71C6: delta 0 = no relocation; not taken here
012F71CA   |8BC2            MOV EAX,EDX                             ; EAX = delta
012F71CC   |C1E8 10         SHR EAX,0x10                            ; AX = 0x00EE (high half of the delta)
012F71CF   |33DB            XOR EBX,EBX                             
012F71D1   |8BB5 9D050000   MOV ESI,DWORD PTR SS:[EBP+0x59D]         ; relocation directory RVA = 0x00016000
012F71D7   |03B5 88040000   ADD ESI,DWORD PTR SS:[EBP+0x488]         ; ESI = 0x012F6000: first IMAGE_BASE_RELOCATION block
012F71DD   |833E 00         CMP DWORD PTR DS:[ESI],0x0               ; block loop head: [ESI] = page RVA (0x1000 here); 0 ends the table
012F71E0   |74 61           JE SHORT 00_aspac.012F7243
012F71E2   |8B4E 04         MOV ECX,DWORD PTR DS:[ESI+0x4]           ; SizeOfBlock = 0xE4
012F71E5   |83E9 08         SUB ECX,0x8                             ; 0xDC
012F71E8   |D1E9            SHR ECX,1                               ; ECX = 0x6E entries (no check for 0: LOOPD with ECX = 0 would iterate 2^32 times)
012F71EA   |8B3E            MOV EDI,DWORD PTR DS:[ESI]               ; page RVA
012F71EC   |03BD 88040000   ADD EDI,DWORD PTR SS:[EBP+0x488]         ; EDI = page VA 0x012E1000
012F71F2   |83C6 08         ADD ESI,0x8                             ; ESI = 0x012F6008: first entry
012F71F5   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; entry loop head: BX = type:4 | offset:12, [0x012F6008] = 0x3006
012F71F8   |C1EB 0C         SHR EBX,0xC                             ; type = 3
012F71FB   |83FB 01         CMP EBX,0x1                             ; IMAGE_REL_BASED_HIGH?
012F71FE   |74 0C           JE SHORT 00_aspac.012F720C
012F7200   |83FB 02         CMP EBX,0x2                             ; IMAGE_REL_BASED_LOW?
012F7203   |74 16           JE SHORT 00_aspac.012F721B
012F7205   |83FB 03         CMP EBX,0x3                             ; IMAGE_REL_BASED_HIGHLOW?
012F7208   |74 20           JE SHORT 00_aspac.012F722A               ; taken for 0x3006
012F720A   |EB 2C           JMP SHORT 00_aspac.012F7238              ; other types ignored
012F720C   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; HIGH
012F720F   |81E3 FF0F0000   AND EBX,0xFFF
012F7215   |66:01041F       ADD WORD PTR DS:[EDI+EBX],AX
012F7219   |EB 1D           JMP SHORT 00_aspac.012F7238
012F721B   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; LOW
012F721E   |81E3 FF0F0000   AND EBX,0xFFF
012F7224   |66:01141F       ADD WORD PTR DS:[EDI+EBX],DX
012F7228   |EB 0E           JMP SHORT 00_aspac.012F7238
012F722A   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; HIGHLOW: reload the entry
012F722D   |81E3 FF0F0000   AND EBX,0xFFF                           ; 0x3006 & 0xFFF = 0x006: offset within the page
    去除类型,去除3重定位代码
012F7233   |01141F          ADD DWORD PTR DS:[EDI+EBX],EDX           ; add the delta to the pointer at page VA + 6, e.g. 0x0040B0F4 + 0x00EE0000 = 0x012EB0F4
012F7236   |EB 00           JMP SHORT 00_aspac.012F7238              ; EB 00: junk
012F7238   |66:830E FF      OR WORD PTR DS:[ESI],0xFFFF             ; the entry 0x3006 at [0x012F6008] becomes 0xFFFF: the used relocation entry is wiped (anti-dump)
012F723C   |83C6 02         ADD ESI,0x2                             ; next entry
012F723F  ^|E2 B4           LOOPD SHORT 00_aspac.012F71F5            ; ECX--, continue while entries remain

//导入表

012F7241  ^|EB 9A           JMP SHORT 00_aspac.012F71DD              ; next relocation block
; --- Import resolution. EBP = 0x012F7013, base = 0x012E0000. Walks the IMAGE_IMPORT_DESCRIPTOR array
; at the hard-coded RVA 0xF0B4, loads each DLL and fills its IAT through [EBP+0xFA5] = GetProcAddress. ---
012F7243   \8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; EDX = base
012F7249    8BB5 A5050000   MOV ESI,DWORD PTR SS:[EBP+0x5A5]         ; [0x012F75B8] = 0: optional patch list (RVA)
012F724F    0BF6            OR ESI,ESI                               ; zero?
012F7251   /74 11           JE SHORT 00_aspac.012F7264               ; no list: go to the imports (taken here)
012F7253   |03F2            ADD ESI,EDX                              ; ESI -> list of {dword RVA, word value}; RVA 0 terminates
012F7255   |AD              LODS DWORD PTR DS:[ESI]                  ; EAX = target RVA
012F7256   |0BC0            OR EAX,EAX
012F7258   |74 0A           JE SHORT 00_aspac.012F7264
012F725A   |03C2            ADD EAX,EDX
012F725C   |8BF8            MOV EDI,EAX                              ; EDI = target VA
012F725E   |66:AD           LODS WORD PTR DS:[ESI]
012F7260   |66:AB           STOS WORD PTR ES:[EDI]                   ; write the 16-bit value into the image
012F7262  ^|EB F1           JMP SHORT 00_aspac.012F7255
012F7264   \BE B4F00000     MOV ESI,0xF0B4                           ; RVA of the import directory (hard-coded by the packer)
012F7269    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; EDX = base
012F726F    03F2            ADD ESI,EDX                             ; ESI -> IMAGE_IMPORT_DESCRIPTOR (0x012EF0B4)
012F7271    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]           ; DLL loop head (re-entered from 012F7384): EAX = Name RVA (0xF20A)
012F7274    85C0            TEST EAX,EAX
012F7276    0F84 0D010000   JE 00_aspac.012F7389                     ; Name 0: last descriptor
012F727C    03C2            ADD EAX,EDX                             ; EAX = DLL name VA
012F727E    8BD8            MOV EBX,EAX                             ; EBX = 0x012EF20A "USER32.dll", kept for LoadLibraryA
012F7280    50              PUSH EAX
012F7281    FF95 A90F0000   CALL DWORD PTR SS:[EBP+0xFA9]           ; GetModuleHandleA(name)
012F7287    85C0            TEST EAX,EAX
012F7289    75 07           JNZ SHORT 00_aspac.012F7292              ; already mapped
012F728B    53              PUSH EBX
012F728C    FF95 AD0F0000   CALL DWORD PTR SS:[EBP+0xFAD]           ; LoadLibraryA(name); a NULL result is not checked and would be passed on as hModule
012F7292    8985 A9050000   MOV DWORD PTR SS:[EBP+0x5A9],EAX         ; [EBP+0x5A9] = hModule (0x75EA0000, user32 here)
012F7298    C785 AD050000 0>MOV DWORD PTR SS:[EBP+0x5AD],0x0         ; [EBP+0x5AD] = byte offset of the current thunk / IAT slot
012F72A2    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; function loop head (re-entered from 012F736E): EDX = base
012F72A8    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; OriginalFirstThunk RVA (0xF1E0)
012F72AA    85C0            TEST EAX,EAX
012F72AC    75 03           JNZ SHORT 00_aspac.012F72B1
012F72AE    8B46 10         MOV EAX,DWORD PTR DS:[ESI+0x10]          ; no INT: use FirstThunk instead
012F72B1    03C2            ADD EAX,EDX                             ; EAX = thunk array VA
012F72B3    0385 AD050000   ADD EAX,DWORD PTR SS:[EBP+0x5AD]         ; + offset of the current entry
012F72B9    8B18            MOV EBX,DWORD PTR DS:[EAX]               ; EBX = IMAGE_THUNK_DATA: RVA of an IMAGE_IMPORT_BY_NAME, or an ordinal with bit 31 set
012F72BB    8B7E 10         MOV EDI,DWORD PTR DS:[ESI+0x10]         ; FirstThunk RVA (0xB0F0)
012F72BE    03FA            ADD EDI,EDX                             ; IAT VA (0x012EB0F0)
012F72C0    03BD AD050000   ADD EDI,DWORD PTR SS:[EBP+0x5AD]         ; EDI -> IAT slot for this entry
012F72C6    85DB            TEST EBX,EBX                             ; thunk 0 = end of this DLL's list
012F72C8    0F84 A5000000   JE 00_aspac.012F7373
012F72CE    F7C3 00000080   TEST EBX,0x80000000                     ; IMAGE_ORDINAL_FLAG32 set = import by ordinal
012F72D4    75 04           JNZ SHORT 00_aspac.012F72DA
012F72D6    03DA            ADD EBX,EDX                             ; by name: EBX -> IMAGE_IMPORT_BY_NAME (0x012EF1FE)
012F72D8    43              INC EBX                                  ; +2: skip the 16-bit Hint ...
012F72D9    43              INC EBX                                  ; ... so EBX -> the function name string
012F72DA    53              PUSH EBX                                 ; keep EBX (name VA, or the raw ordinal thunk) across the call
012F72DB    81E3 FFFFFF7F   AND EBX,0x7FFFFFFF                      ; strip the ordinal flag (no effect on a name pointer)
012F72E1    53              PUSH EBX                                 ; lpProcName = name or ordinal
012F72E2    FFB5 A9050000   PUSH DWORD PTR SS:[EBP+0x5A9]           ; hModule (0x75EA0000)
012F72E8    FF95 A50F0000   CALL DWORD PTR SS:[EBP+0xFA5]           ; GetProcAddress (0x76481837)
012F72EE    85C0            TEST EAX,EAX                             ; resolved? (0x75ED555C here)
012F72F0    5B              POP EBX
012F72F1    75 72           JNZ SHORT 00_aspac.012F7365              ; yes: write it into the IAT
012F72F3    F7C3 00000080   TEST EBX,0x80000000                     ; unresolved: by ordinal?
012F72F9    75 19           JNZ SHORT 00_aspac.012F7314
012F72FB    57              PUSH EDI                                 ; unresolved name import: push EDI, DLL name VA, function name VA, a pointer to [EBP+0x4DB], EDI ...
012F72FC    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]
012F72FF    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]
012F7305    50              PUSH EAX
012F7306    53              PUSH EBX
012F7307    8D85 DB040000   LEA EAX,DWORD PTR SS:[EBP+0x4DB]
012F730D    50              PUSH EAX
012F730E    57              PUSH EDI
012F730F    E9 12010000     JMP 00_aspac.012F7426                    ; ... and jump to the failure handler at 012F7426 (its body is not in this dump)
012F7314    81E3 FFFFFF7F   AND EBX,0x7FFFFFFF                      ; unresolved ordinal import: EBX = ordinal
012F731A    8B85 8C040000   MOV EAX,DWORD PTR SS:[EBP+0x48C]         ; kernel32 base
012F7320    3985 A9050000   CMP DWORD PTR SS:[EBP+0x5A9],EAX         ; only kernel32 ordinals get the manual export-table lookup below
012F7326    75 24           JNZ SHORT 00_aspac.012F734C
012F7328    57              PUSH EDI
012F7329    8BD3            MOV EDX,EBX
012F732B    4A              DEC EDX
012F732C    C1E2 02         SHL EDX,0x2                             ; EDX = (ordinal - 1) * 4: index into AddressOfFunctions, assuming the export directory's Base is 1
012F732F    8B9D A9050000   MOV EBX,DWORD PTR SS:[EBP+0x5A9]         ; EBX = kernel32 base
012F7335    8B7B 3C         MOV EDI,DWORD PTR DS:[EBX+0x3C]         ; e_lfanew
012F7338    8B7C3B 78       MOV EDI,DWORD PTR DS:[EBX+EDI+0x78]      ; IMAGE_NT_HEADERS + 0x78 = export DataDirectory.VirtualAddress (PE32 layout)
012F733C    035C3B 1C       ADD EBX,DWORD PTR DS:[EBX+EDI+0x1C]      ; + IMAGE_EXPORT_DIRECTORY.AddressOfFunctions -> function RVA table
012F7340    8B0413          MOV EAX,DWORD PTR DS:[EBX+EDX]           ; function RVA (no bounds check against NumberOfFunctions, no forwarder handling)
012F7343    0385 A9050000   ADD EAX,DWORD PTR SS:[EBP+0x5A9]         ; VA
012F7349    5F              POP EDI
012F734A    EB 19           JMP SHORT 00_aspac.012F7365              ; store it
012F734C    57              PUSH EDI                                 ; unresolved ordinal in another DLL: same argument block as above but with [EBP+0x52C] ...
012F734D    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]
012F7350    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]
012F7356    50              PUSH EAX
012F7357    53              PUSH EBX
012F7358    8D85 2C050000   LEA EAX,DWORD PTR SS:[EBP+0x52C]
012F735E    50              PUSH EAX
012F735F    57              PUSH EDI
012F7360    E9 C1000000     JMP 00_aspac.012F7426                    ; ... then the failure handler
012F7365    8907            MOV DWORD PTR DS:[EDI],EAX               ; write the resolved address into the IAT slot
012F7367    8385 AD050000 0>ADD DWORD PTR SS:[EBP+0x5AD],0x4         ; next thunk / IAT slot
012F736E  ^ E9 2FFFFFFF     JMP 00_aspac.012F72A2                   ; next function of this DLL
012F7373    8906            MOV DWORD PTR DS:[ESI],EAX               ; end of this DLL: EAX still holds the address of the terminating thunk, so OriginalFirstThunk ...
012F7375    8946 0C         MOV DWORD PTR DS:[ESI+0xC],EAX           ; ... Name ...
012F7378    8946 10         MOV DWORD PTR DS:[ESI+0x10],EAX          ; ... and FirstThunk are overwritten with that junk: the descriptor is destroyed after use, so a dumped image has no usable import directory
012F737B    83C6 14         ADD ESI,0x14                             ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
012F737E    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]
012F7384  ^ E9 E8FEFFFF     JMP 00_aspac.012F7271                    ; next DLL
012F7389    8BB5 88040000   MOV ESI,DWORD PTR SS:[EBP+0x488]         ; all imports done: ESI = base
012F738F    8B7E 3C         MOV EDI,DWORD PTR DS:[ESI+0x3C]          ; e_lfanew
012F7392    03FE            ADD EDI,ESI                              ; EDI -> IMAGE_NT_HEADERS; the code from 012F7394 to 012F73E6 (section-header walk) is missing from this dump


//修改区段内存属性

; --- Restore section protections and transfer to the OEP. The loop head (012F73B7..012F73E6) is not in this dump;
; from the code below EDI -> IMAGE_SECTION_HEADER, ESI -> a table of saved dword pairs, ECX = loop counter, [EBP+0x6A] = VirtualProtect. ---
012F73E7    FF77 08         PUSH DWORD PTR DS:[EDI+0x8]              ; dwSize = section VirtualSize (the two earlier VirtualProtect arguments are pushed outside this dump)
012F73EA    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]         ; EAX = base + (presumably the section VirtualAddress loaded above)
012F73F0    50              PUSH EAX                                 ; lpAddress
012F73F1    FF55 6A         CALL DWORD PTR SS:[EBP+0x6A]             ; VirtualProtect: set the section's final protection
012F73F4    59              POP ECX                                  ; restore the loop counter
012F73F5    AD              LODS DWORD PTR DS:[ESI]                  ; skip one dword
012F73F6    AD              LODS DWORD PTR DS:[ESI]                  ; EAX = second dword of the pair
012F73F7    8947 24         MOV DWORD PTR DS:[EDI+0x24],EAX          ; write it as IMAGE_SECTION_HEADER.Characteristics (offset 0x24): presumably the original flags saved by the packer, restored in the in-memory header
012F73FA  ^ E2 BB           LOOPD SHORT 00_aspac.012F73B7            ; next section
012F73FC    FF55 6A         CALL DWORD PTR SS:[EBP+0x6A]             ; VirtualProtect for the PE header (arguments pushed before this dump starts)
012F73FF    59              POP ECX
012F7400    B8 D2110000     MOV EAX,0x11D2                           ; OEP RVA, hard-coded by the packer; also the entry of the "already unpacked" path taken at 0041702F
012F7405    50              PUSH EAX
012F7406    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]         ; EAX = OEP VA (0x012F11D2 in this run; 0x004011D2 at the preferred base)
012F740C    59              POP ECX                                  ; ECX = OEP RVA
012F740D    0BC9            OR ECX,ECX                               ; ZF = (RVA == 0)
012F740F    8985 0E040000   MOV DWORD PTR SS:[EBP+0x40E],EAX         ; [0x012F7421] = imm32 of the PUSH at 012F7420: patches PUSH 0x0 into PUSH <OEP VA> (self-modifying; the listing shows the pre-patch bytes)
012F7415    61              POPAD                                    ; restore the registers saved by PUSHAD at entry (POPAD does not touch the flags)
012F7416    75 08           JNZ SHORT 00_aspac.012F7420              ; OEP RVA non-zero: go to it
012F7418    B8 01000000     MOV EAX,0x1                              ; no entry point: return TRUE ...
012F741D    C2 0C00         RETN 0xC                                 ; ... popping 3 dword arguments, i.e. a DllMain(hinst, reason, reserved)-style return
012F7420    68 00000000     PUSH 0x0                                 ; patched to PUSH <OEP VA> by the MOV above ...
012F7425    C3              RETN                                     ; ... RETN then jumps to the OEP with the original registers: the end of the stub and the point at which to dump the process and rebuild the IAT
012F7426    8B85 8C040000   MOV EAX,DWORD PTR SS:[EBP+0x48C]         ; start of the import-failure handler reached from 012F730F / 012F7360 (EAX = kernel32 base); the rest is not in this dump







