00417000 90 NOP
00417001 > 60 PUSHAD ; save all GPRs; the matching POPAD is at 012F7415 (00417415 at the original base), just before control goes to the OEP
00417002 E8 03000000 CALL 00_aspac.0041700A ; call/pop trick: pushes the return address 00417007 and lands on the POP EBP at 0041700A; the byte at 00417007 is junk (anti-disassembly)
00417007 90 NOP
00417008 EB 04 JMP SHORT 00_aspac.0041700E
0041700A 5D POP EBP ; EBP = 00417007, the return address pushed by the CALL at 00417002 (stack is balanced again)
0041700B 45 INC EBP ; EBP = 00417008
0041700C 55 PUSH EBP ; push 00417008 ...
0041700D C3 RETN ; ... and RETN to it: execution continues at the JMP SHORT at 00417008; the RETN never goes back to the CALL site
0041700E E8 01000000 CALL 00_aspac.00417014 ; pushes 00417013 and jumps into the middle of the next instruction (see below)
00417013 EB 5D JMP SHORT 00_aspac.00417072 ; never executed as a JMP: the CALL above targets its second byte, 5D = POP EBP, so EBP = 00417013. Every SS:[EBP+disp] reference below is relative to this delta base (00417013 at image base 00400000, 012F7013 in the rebased trace further down)
// initialisation: compute the image base and resolve the kernel32 APIs the stub needs
00417015 BB EDFFFFFF MOV EBX,-0x13 ; ebx = -0x13
0041701A 03DD ADD EBX,EBP ; ebx = 00417013 - 0x13 = 00417000 (start of the stub)
0041701C 81EB 00700100 SUB EBX,0x17000 ; ebx = 00400000: image base (the stub lives at RVA 0x17000)
00417022 83BD 88040000 0>CMP DWORD PTR SS:[EBP+0x488],0x0 ; already initialised? ZF is consumed by the JNZ two lines down (the MOV in between does not touch flags)
00417029 899D 88040000 MOV DWORD PTR SS:[EBP+0x488],EBX ; save the image base; [EBP+0x488] feeds every RVA->VA conversion below
0041702F 0F85 CB030000 JNZ 00_aspac.00417400 ; [EBP+0x488] was already non-zero: skip unpacking and go to the OEP-dispatch tail (012F7400 in the rebased trace) — presumably the re-entry path; confirm
00417035 8D85 94040000 LEA EAX,DWORD PTR SS:[EBP+0x494] ; EAX -> string at 004174A7 (not shown in this dump; the author's note says it names kernel32)
0041703B 50 PUSH EAX
0041703C FF95 A90F0000 CALL DWORD PTR SS:[EBP+0xFA9] ; GetModuleHandleA (the same slot is called with "USER32.dll" at 012F7281) -> kernel32 base
00417042 8985 8C040000 MOV DWORD PTR SS:[EBP+0x48C],EAX ; save kernel32 base at [EBP+0x48C]; compared at 012F7320 to special-case kernel32 ordinal imports
00417048 8BF0 MOV ESI,EAX ; ESI = kernel32 base
0041704A 8D7D 51 LEA EDI,DWORD PTR SS:[EBP+0x51] ; EDI -> API name table at 00417064 (the bytes right after the JMP EAX below, which OllyDbg shows as garbage instructions)
0041704D 57 PUSH EDI ; lpProcName: at this point the entry still starts with its ASCII name
0041704E 56 PUSH ESI ; hModule = kernel32
0041704F FF95 A50F0000 CALL DWORD PTR SS:[EBP+0xFA5] ; GetProcAddress
00417055 AB STOS DWORD PTR ES:[EDI] ; overwrite the first 4 bytes of the name with the resolved address (STOSD stores all 4 bytes of EAX, not 2); EDI += 4
00417056 B0 00 MOV AL,0x0
00417058 AE SCAS BYTE PTR ES:[EDI] ; skip the rest of the name, stopping just past its NUL
00417059 ^ 75 FD JNZ SHORT 00_aspac.00417058 ; not NUL yet: keep scanning
0041705B 3807 CMP BYTE PTR DS:[EDI],AL ; a second NUL marks the end of the table
0041705D ^ 75 EE JNZ SHORT 00_aspac.0041704D ; otherwise resolve the next entry in place
0041705F 8D45 7A LEA EAX,DWORD PTR SS:[EBP+0x7A] ; 0041708D: start of the decompression code
00417062 FFE0 JMP EAX ; jump over the table data that follows
; --- data, not code: the API name table resolved in place by the loop above; OllyDbg decodes it as instructions.
; --- After patching, each entry is [4-byte function address][remaining name bytes]\0, and an extra \0 ends the table.
; --- [EBP+0x51] = 00417064 VirtualAlloc (called at 004170BE/004170DF), [EBP+0x5E] = 00417071 VirtualFree (004171A5),
; --- [EBP+0x6A] = 0041707D VirtualProtect (012F73F1). The addresses below are from the author's session.
00417064 F4 HLT ; bytes F4 05 48 76 = 764805F4: resolved VirtualAlloc, overwrote "Virt" of "VirtualAlloc"
00417065 05 48767561 ADD EAX,0x61757648 ; ... 75 61 = "ua"
0041706A 6C INS BYTE PTR ES:[EDI],DX ; 6C 41 6C 6C 6F 63 00 = "lAlloc\0"
0041706B 41 INC ECX
0041706C 6C INS BYTE PTR ES:[EDI],DX
0041706D 6C INS BYTE PTR ES:[EDI],DX
0041706E 6F OUTS DX,DWORD PTR DS:[ESI]
0041706F 6300 ARPL WORD PTR DS:[EAX],AX ; "c\0" ends the first entry
00417071 35 0D487675 XOR EAX,0x7576480D ; 35 0D 48 76 = 76480D35: resolved VirtualFree (entry [EBP+0x5E]); 75 = "u"
00417076 61 POPAD ; 61 6C 46 72 65 65 00 = "alFree\0"
00417077 6C INS BYTE PTR ES:[EDI],DX
00417078 46 INC ESI
00417079 72 65 JB SHORT 00_aspac.004170E0
0041707B 65:00AB 5047767>ADD BYTE PTR GS:[EBX+0x75764750],CH ; 65 00 = "e\0"; then AB 50 47 76 = 764750AB at 0041707D: resolved VirtualProtect (entry [EBP+0x6A]); 75 = "u"
00417082 61 POPAD ; 61 6C 50 72 6F 74 65 63 74 00 00 = "alProtect\0\0"
00417083 6C INS BYTE PTR ES:[EDI],DX
00417084 50 PUSH EAX
00417085 72 6F JB SHORT 00_aspac.004170F6
00417087 74 65 JE SHORT 00_aspac.004170EE
00417089 637400 00 ARPL WORD PTR DS:[EAX+EAX],SI ; "ct\0\0": the double NUL ends the table; code resumes at 0041708D
// decompression: for every packed section, inflate it into a fresh buffer, undo the E8/E9 call filter (first section only), copy it back over the section, free the buffer
0041708D 8B9D 95050000 MOV EBX,DWORD PTR SS:[EBP+0x595] ; [EBP+0x595] (004175A8) holds a pointer or 0; it is 0 in this dump
00417093 0BDB OR EBX,EBX
00417095 74 0A JE SHORT 00_aspac.004170A1 ; 0: nothing to swap
00417097 8B03 MOV EAX,DWORD PTR DS:[EBX]
00417099 8785 99050000 XCHG DWORD PTR SS:[EBP+0x599],EAX ; swap *EBX with the dword saved at [EBP+0x599] ...
0041709F 8903 MOV DWORD PTR DS:[EBX],EAX ; ... (swapped back at 004171B4 once decompression is finished)
004170A1 8DB5 C5050000 LEA ESI,DWORD PTR SS:[EBP+0x5C5] ; ESI -> packed-section table at 004175D8: 0xC-byte entries {RVA, size, ...}, terminated by RVA 0
004170A7 833E 00 CMP DWORD PTR DS:[ESI],0x0
004170AA 0F84 0A010000 JE 00_aspac.004171BA ; empty table: skip
004170B0 6A 04 PUSH 0x4 ; flProtect = PAGE_READWRITE
004170B2 68 00100000 PUSH 0x1000 ; flAllocationType = MEM_COMMIT
004170B7 68 00180000 PUSH 0x1800 ; dwSize = 0x1800
004170BC 6A 00 PUSH 0x0 ; lpAddress = NULL
004170BE FF55 51 CALL DWORD PTR SS:[EBP+0x51] ; VirtualAlloc: scratch buffer for the decompressor
004170C1 8985 48010000 MOV DWORD PTR SS:[EBP+0x148],EAX ; save the scratch buffer at [EBP+0x148] (freed at 004171A5)
004170C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+0x4] ; loop head (re-entered from 00417192 per entry): EAX = section size
004170CA 05 0E010000 ADD EAX,0x10E ; output buffer size = section size + 0x10E
004170CF 0F84 B7000000 JE 00_aspac.0041718C ; ZF from the ADD: result 0 -> skip this entry
004170D5 6A 04 PUSH 0x4 ; PAGE_READWRITE
004170D7 68 00100000 PUSH 0x1000 ; MEM_COMMIT
004170DC 50 PUSH EAX ; dwSize = section size + 0x10E
004170DD 6A 00 PUSH 0x0 ; lpAddress = NULL
004170DF FF55 51 CALL DWORD PTR SS:[EBP+0x51] ; VirtualAlloc: output buffer for the unpacked section
004170E2 8985 44010000 MOV DWORD PTR SS:[EBP+0x144],EAX ; save the output buffer at [EBP+0x144]
004170E8 56 PUSH ESI ; keep the table pointer across the decompressor (POP ESI at 0041717B)
004170E9 8B1E MOV EBX,DWORD PTR DS:[ESI] ; EBX = section RVA (1000 for the first entry)
004170EB 039D 88040000 ADD EBX,DWORD PTR SS:[EBP+0x488] ; EBX = section VA
004170F1 FFB5 48010000 PUSH DWORD PTR SS:[EBP+0x148] ; arg4: scratch buffer (0x1800 bytes)
004170F7 FF76 04 PUSH DWORD PTR DS:[ESI+0x4] ; arg3: section size (0A000 for the code section)
004170FA 50 PUSH EAX ; arg2: output buffer
004170FB 53 PUSH EBX ; arg1: packed section VA (00401000)
004170FC E8 C7050000 CALL 00_aspac.004176C8 ; decompress(src VA, dst buffer, size, scratch); body not in this dump. EAX is used as the unpacked byte count below (00417112 and the real code at 0041715F) — confirm against the routine
00417101 B3 01 MOV BL,0x1 ; self-modified: the immediate at 00417102 is 00 on disk and is set to 01 by the INC at 00417108 (the dump shows the patched value)
00417103 80FB 00 CMP BL,0x0
00417106 75 4D JNZ SHORT 00_aspac.00417155 ; already 1: the E8/E9 fix-up pass has run once (first section only); skip it
00417108 FE85 EF000000 INC BYTE PTR SS:[EBP+0xEF] ; EBP+0xEF = 00417102: patch the MOV BL immediate from 0 to 1 (a write into the stub's own code; the section must be writable)
0041710E 50 PUSH EAX
0041710F 51 PUSH ECX
00417110 56 PUSH ESI
00417111 53 PUSH EBX
00417112 8BC8 MOV ECX,EAX ; ECX = unpacked length ...
00417114 83E9 05 SUB ECX,0x5 ; ... minus 5: bytes that could still start a 5-byte E8/E9 rel32 instruction
00417117 8BB5 44010000 MOV ESI,DWORD PTR SS:[EBP+0x144] ; ESI = output buffer (the unpacked code, including the OEP)
0041711D 33DB XOR EBX,EBX ; EBX = byte offset of the current position within the section
0041711F 0BC9 OR ECX,ECX ; loop head
00417121 74 2E JE SHORT 00_aspac.00417151 ; nothing left
00417123 78 2C JS SHORT 00_aspac.00417151 ; went negative: done
00417125 AC LODS BYTE PTR DS:[ESI] ; AL = next byte of the unpacked code
00417126 3C E8 CMP AL,0xE8 ; CALL rel32?
00417128 74 0A JE SHORT 00_aspac.00417134
0041712A EB 00 JMP SHORT 00_aspac.0041712C ; 2-byte no-op (EB 00)
0041712C 3C E9 CMP AL,0xE9 ; JMP rel32?
0041712E 74 04 JE SHORT 00_aspac.00417134
00417130 43 INC EBX ; plain byte: offset++
00417131 49 DEC ECX ; remaining--
00417132 ^ EB EB JMP SHORT 00_aspac.0041711F ; scan the whole section; every filtered CALL/JMP gets its rel32 restored
00417134 8B06 MOV EAX,DWORD PTR DS:[ESI] ; E8/E9 found: EAX = the 4 stored bytes after the opcode
00417136 EB 00 JMP SHORT 00_aspac.00417138 ; 2-byte no-op
00417138 803E 05 CMP BYTE PTR DS:[ESI],0x5 ; only displacements stored with a leading 05 marker byte were transformed by the packer ...
0041713B ^ 75 F3 JNZ SHORT 00_aspac.00417130 ; ... anything else is left alone; resume scanning at the next byte
0041713D 24 00 AND AL,0x0 ; drop the 05 marker
0041713F C1C0 18 ROL EAX,0x18 ; rotate by 24: EAX = the remaining 3 bytes as a 24-bit value (the packer's position-independent form of the displacement)
00417142 2BC3 SUB EAX,EBX ; back to a rel32: subtract this instruction's offset (EBX)
00417144 8906 MOV DWORD PTR DS:[ESI],EAX ; write the rel32 back after the opcode
00417146 83C3 05 ADD EBX,0x5 ; offset += 5 (opcode + rel32)
00417149 83C6 04 ADD ESI,0x4 ; skip the rel32 just written
0041714C 83E9 05 SUB ECX,0x5 ; remaining -= 5
0041714F ^ EB CE JMP SHORT 00_aspac.0041711F ; back to the loop head
00417151 5B POP EBX
00417152 5E POP ESI
00417153 59 POP ECX
00417154 58 POP EAX ; EAX = unpacked length again
00417155 EB 08 JMP SHORT 00_aspac.0041715F ; skip the 8 bytes below
00417157 0000 ADD BYTE PTR DS:[EAX],AL ; 00417157-0041715E: bytes skipped by the JMP above, not code (OllyDbg decodes them anyway)
00417159 2000 AND BYTE PTR DS:[EAX],AL
0041715B 0000 ADD BYTE PTR DS:[EAX],AL
0041715D 1F POP DS
0041715E 008B C88B3E03 ADD BYTE PTR DS:[EBX+0x33E8BC8],CL ; mis-aligned decode. From the real entry point 0041715F the bytes read: 8B C8 = MOV ECX,EAX (byte count); 8B 3E = MOV EDI,[ESI] (section RVA); 03 BD 88 04 00 00 = ADD EDI,[EBP+0x488] (EDI = section VA)
00417164 BD 88040000 MOV EBP,0x488 ; tail of that ADD EDI,[EBP+0x488]; EBP is NOT overwritten
00417169 8BB5 44010000 MOV ESI,DWORD PTR SS:[EBP+0x144] ; ESI = output buffer (3E0000 in the author's session)
0041716F C1F9 02 SAR ECX,0x2 ; dword count
00417172 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; copy the unpacked bytes over the packed section at its VA
00417174 8BC8 MOV ECX,EAX
00417176 83E1 03 AND ECX,0x3 ; trailing 0-3 bytes
00417179 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041717B 5E POP ESI ; ESI = table entry again
0041717C 68 00800000 PUSH 0x8000 ; dwFreeType = MEM_RELEASE
00417181 6A 00 PUSH 0x0 ; dwSize = 0
00417183 FFB5 44010000 PUSH DWORD PTR SS:[EBP+0x144] ; lpAddress = output buffer
00417189 FF55 5E CALL DWORD PTR SS:[EBP+0x5E] ; VirtualFree
0041718C 83C6 0C ADD ESI,0xC ; next table entry
0041718F 833E 00 CMP DWORD PTR DS:[ESI],0x0
00417192 ^ 0F85 2FFFFFFF JNZ 00_aspac.004170C7 ; RVA != 0: unpack the next section
00417198 68 00800000 PUSH 0x8000 ; MEM_RELEASE
0041719D 6A 00 PUSH 0x0
0041719F FFB5 48010000 PUSH DWORD PTR SS:[EBP+0x148] ; scratch buffer (1F0000 in the author's session)
004171A5 FF55 5E CALL DWORD PTR SS:[EBP+0x5E] ; VirtualFree
004171A8 8B9D 95050000 MOV EBX,DWORD PTR SS:[EBP+0x595] ; SS:[004175A8]=00000000 — the same pointer checked at 0041708D
004171AE 0BDB OR EBX,EBX ; EBX=0 here, ...
004171B0 74 08 JE SHORT 00_aspac.004171BA ; ... so the swap-back below is skipped
004171B2 8B03 MOV EAX,DWORD PTR DS:[EBX]
004171B4 8785 99050000 XCHG DWORD PTR SS:[EBP+0x599],EAX ; undo the swap from 00417099 (only [EBP+0x599] is updated; *EBX is not written back here)
; --- relocation (first trace: the module is at its preferred base 00400000, the delta is 0 and the loop is skipped; the 012F7xxx trace below shows a run where it executes)
004171BA 8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488] ; EDX = actual image base
004171C0 8B85 91050000 MOV EAX,DWORD PTR SS:[EBP+0x591] ; EAX = base the image expects (presumably the original ImageBase, stored by the packer)
004171C6 2BD0 SUB EDX,EAX ; EDX = relocation delta
004171C8 74 79 JE SHORT 00_aspac.00417243 ; loaded at the expected base: nothing to relocate, go to the import table
004171CA 8BC2 MOV EAX,EDX
004171CC C1E8 10 SHR EAX,0x10 ; AX = high word of the delta (for type-1 HIGH entries)
004171CF 33DB XOR EBX,EBX
004171D1 8BB5 9D050000 MOV ESI,DWORD PTR SS:[EBP+0x59D] ; relocation directory RVA (stored by the packer)
004171D7 03B5 88040000 ADD ESI,DWORD PTR SS:[EBP+0x488] ; ESI -> first IMAGE_BASE_RELOCATION block
004171DD 833E 00 CMP DWORD PTR DS:[ESI],0x0 ; block VirtualAddress == 0 ends the table
004171E0 74 61 JE SHORT 00_aspac.00417243
004171E2 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+0x4] ; SizeOfBlock
004171E5 83E9 08 SUB ECX,0x8 ; minus the 8-byte block header ...
004171E8 D1E9 SHR ECX,1 ; ... / 2 = number of 16-bit entries
004171EA 8B3E MOV EDI,DWORD PTR DS:[ESI] ; page RVA
004171EC 03BD 88040000 ADD EDI,DWORD PTR SS:[EBP+0x488] ; EDI = page VA
004171F2 83C6 08 ADD ESI,0x8 ; ESI -> first entry
004171F5 66:8B1E MOV BX,WORD PTR DS:[ESI] ; entry = type:4 | offset:12
004171F8 C1EB 0C SHR EBX,0xC ; EBX = type
004171FB 83FB 01 CMP EBX,0x1 ; 1 = IMAGE_REL_BASED_HIGH
004171FE 74 0C JE SHORT 00_aspac.0041720C
00417200 83FB 02 CMP EBX,0x2 ; 2 = IMAGE_REL_BASED_LOW
00417203 74 16 JE SHORT 00_aspac.0041721B
00417205 83FB 03 CMP EBX,0x3 ; 3 = IMAGE_REL_BASED_HIGHLOW
00417208 74 20 JE SHORT 00_aspac.0041722A
0041720A EB 2C JMP SHORT 00_aspac.00417238 ; any other type (including 0 = ABSOLUTE padding) is ignored
0041720C 66:8B1E MOV BX,WORD PTR DS:[ESI]
0041720F 81E3 FF0F0000 AND EBX,0xFFF ; offset within the page
00417215 66:01041F ADD WORD PTR DS:[EDI+EBX],AX ; HIGH: add the delta's high word
00417219 EB 1D JMP SHORT 00_aspac.00417238
0041721B 66:8B1E MOV BX,WORD PTR DS:[ESI]
0041721E 81E3 FF0F0000 AND EBX,0xFFF
00417224 66:01141F ADD WORD PTR DS:[EDI+EBX],DX ; LOW: add the delta's low word
00417228 EB 0E JMP SHORT 00_aspac.00417238
0041722A 66:8B1E MOV BX,WORD PTR DS:[ESI]
0041722D 81E3 FF0F0000 AND EBX,0xFFF
00417233 01141F ADD DWORD PTR DS:[EDI+EBX],EDX ; HIGHLOW: add the full 32-bit delta
00417236 EB 00 JMP SHORT 00_aspac.00417238 ; 2-byte no-op
00417238 66:830E FF OR WORD PTR DS:[ESI],0xFFFF ; overwrite the processed entry with FFFF: the in-memory relocation table is destroyed after use, so a memory dump cannot be rebased without rebuilding it
0041723C 83C6 02 ADD ESI,0x2 ; next entry
0041723F ^ E2 B4 LOOPD SHORT 00_aspac.004171F5 ; ECX entries per block
00417241 ^ EB 9A JMP SHORT 00_aspac.004171DD ; next block
// relocation, second trace: the same loop recorded in another session where the module was rebased to 012E0000 (stub at 012F7000, EBP = 012F7013); the concrete values below come from that run. The first three lines still belong to the import-table code at the original base (they repeat at 012F7243).
00417243 8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488] ; 00400000
00417249 8BB5 A5050000 MOV ESI,DWORD PTR SS:[EBP+0x5A5] ; SS:[004175B8]=00000000
0041724F 0BF6 OR ESI,ESI ; zero?
012F71C8 /74 79 JE SHORT 00_aspac.012F7243 ; delta == 0: no relocation needed, skip to the import table; otherwise fall through
012F71CA |8BC2 MOV EAX,EDX
012F71CC |C1E8 10 SHR EAX,0x10 ; AX = high word of the delta
012F71CF |33DB XOR EBX,EBX
012F71D1 |8BB5 9D050000 MOV ESI,DWORD PTR SS:[EBP+0x59D] ; relocation directory RVA = 00016000
012F71D7 |03B5 88040000 ADD ESI,DWORD PTR SS:[EBP+0x488] ; + base 012E0000 -> relocation table at 012F6000
012F71DD |833E 00 CMP DWORD PTR DS:[ESI],0x0 ; block VirtualAddress (the author counted 10 blocks); 0 ends the table
012F71E0 |74 61 JE SHORT 00_aspac.012F7243
012F71E2 |8B4E 04 MOV ECX,DWORD PTR DS:[ESI+0x4] ; SizeOfBlock = E4
012F71E5 |83E9 08 SUB ECX,0x8 ; - 8 = DC
012F71E8 |D1E9 SHR ECX,1 ; / 2 = 6E entries
012F71EA |8B3E MOV EDI,DWORD PTR DS:[ESI] ; page RVA
012F71EC |03BD 88040000 ADD EDI,DWORD PTR SS:[EBP+0x488] ; EDI = page VA 012E1000
012F71F2 |83C6 08 ADD ESI,0x8 ; ESI -> first entry, 012F6008
012F71F5 |66:8B1E MOV BX,WORD PTR DS:[ESI] ; entry DS:[012F6008]=3006 (type 3, offset 006)
012F71F8 |C1EB 0C SHR EBX,0xC ; keep the type: 3
012F71FB |83FB 01 CMP EBX,0x1 ; type 1 = HIGH?
012F71FE |74 0C JE SHORT 00_aspac.012F720C
012F7200 |83FB 02 CMP EBX,0x2 ; type 2 = LOW?
012F7203 |74 16 JE SHORT 00_aspac.012F721B
012F7205 |83FB 03 CMP EBX,0x3 ; type 3 = HIGHLOW?
012F7208 |74 20 JE SHORT 00_aspac.012F722A ; taken for this entry
012F720A |EB 2C JMP SHORT 00_aspac.012F7238
012F720C |66:8B1E MOV BX,WORD PTR DS:[ESI]
012F720F |81E3 FF0F0000 AND EBX,0xFFF
012F7215 |66:01041F ADD WORD PTR DS:[EDI+EBX],AX
012F7219 |EB 1D JMP SHORT 00_aspac.012F7238
012F721B |66:8B1E MOV BX,WORD PTR DS:[ESI]
012F721E |81E3 FF0F0000 AND EBX,0xFFF
012F7224 |66:01141F ADD WORD PTR DS:[EDI+EBX],DX
012F7228 |EB 0E JMP SHORT 00_aspac.012F7238
012F722A |66:8B1E MOV BX,WORD PTR DS:[ESI] ; re-read the entry
012F722D |81E3 FF0F0000 AND EBX,0xFFF ; 3006 AND 0xFFF = 006: drop the type nibble, keep the page offset
; (continuation of the author's note on the line above: strip the type, then apply the type-3 fix-up)
012F7233 |01141F ADD DWORD PTR DS:[EDI+EBX],EDX ; apply the delta, e.g. 0040B0F4 becomes 012E0BF4
012F7236 |EB 00 JMP SHORT 00_aspac.012F7238
012F7238 |66:830E FF OR WORD PTR DS:[ESI],0xFFFF ; clobber the entry just processed (was DS:[012F6008]=3006): the in-memory relocation table is unusable afterwards
012F723C |83C6 02 ADD ESI,0x2 ; ESI += 2: next entry, back to the type read
012F723F ^|E2 B4 LOOPD SHORT 00_aspac.012F71F5 ; until ECX entries are done, then fall through to the next block
// import table (the JMP on the next line is still the back-edge of the relocation loop; the import code starts at 012F7243)
012F7241 ^|EB 9A JMP SHORT 00_aspac.012F71DD ; next relocation block
012F7243 \8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488] ; EDX = image base (00400000 in the first session)
012F7249 8BB5 A5050000 MOV ESI,DWORD PTR SS:[EBP+0x5A5] ; SS:[004175B8]=00000000: RVA of an optional {RVA, WORD} patch list
012F724F 0BF6 OR ESI,ESI ; zero?
012F7251 /74 11 JE SHORT 00_aspac.012F7264 ; no patch list (the case in this dump)
012F7253 |03F2 ADD ESI,EDX ; ESI = list VA
012F7255 |AD LODS DWORD PTR DS:[ESI] ; EAX = target RVA ...
012F7256 |0BC0 OR EAX,EAX
012F7258 |74 0A JE SHORT 00_aspac.012F7264 ; ... 0 ends the list
012F725A |03C2 ADD EAX,EDX
012F725C |8BF8 MOV EDI,EAX ; EDI = target VA
012F725E |66:AD LODS WORD PTR DS:[ESI] ; read one WORD from the list ...
012F7260 |66:AB STOS WORD PTR ES:[EDI] ; ... and store it at the target
012F7262 ^|EB F1 JMP SHORT 00_aspac.012F7255
012F7264 \BE B4F00000 MOV ESI,0xF0B4 ; import directory RVA, hard-coded by the packer
012F7269 8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488] ; EDX = image base
012F726F 03F2 ADD ESI,EDX ; ESI -> first IMAGE_IMPORT_DESCRIPTOR at 012EF0B4
012F7271 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC] ; descriptor.Name (RVA of the DLL name) = 0000F20A
012F7274 85C0 TEST EAX,EAX
012F7276 0F84 0D010000 JE 00_aspac.012F7389 ; Name == 0: end of the import table
012F727C 03C2 ADD EAX,EDX ; name VA
012F727E 8BD8 MOV EBX,EAX ; EAX=012EF20A "USER32.dll"
012F7280 50 PUSH EAX
012F7281 FF95 A90F0000 CALL DWORD PTR SS:[EBP+0xFA9] ; GetModuleHandleA(name)
012F7287 85C0 TEST EAX,EAX
012F7289 75 07 JNZ SHORT 00_aspac.012F7292 ; already loaded
012F728B 53 PUSH EBX
012F728C FF95 AD0F0000 CALL DWORD PTR SS:[EBP+0xFAD] ; LoadLibraryA(name) otherwise
012F7292 8985 A9050000 MOV DWORD PTR SS:[EBP+0x5A9],EAX ; save hModule: EAX=75EA0000 (user32)
012F7298 C785 AD050000 0>MOV DWORD PTR SS:[EBP+0x5AD],0x0 ; [EBP+0x5AD] = thunk index * 4, reset for each DLL
012F72A2 8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488] ; per-import loop head: EDX = image base
012F72A8 8B06 MOV EAX,DWORD PTR DS:[ESI] ; descriptor.OriginalFirstThunk (INT RVA) = 0000F1E0
012F72AA 85C0 TEST EAX,EAX
012F72AC 75 03 JNZ SHORT 00_aspac.012F72B1
012F72AE 8B46 10 MOV EAX,DWORD PTR DS:[ESI+0x10] ; no INT: use FirstThunk (the IAT itself) instead
012F72B1 03C2 ADD EAX,EDX ; thunk array VA
012F72B3 0385 AD050000 ADD EAX,DWORD PTR SS:[EBP+0x5AD] ; + current index * 4
012F72B9 8B18 MOV EBX,DWORD PTR DS:[EAX] ; EBX = INT entry: RVA of an IMAGE_IMPORT_BY_NAME, or an ordinal with bit 31 set
012F72BB 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+0x10] ; descriptor.FirstThunk = 0000B0F0
012F72BE 03FA ADD EDI,EDX ; IAT VA = 012EB0F0
012F72C0 03BD AD050000 ADD EDI,DWORD PTR SS:[EBP+0x5AD] ; EDI -> IAT slot to fill
012F72C6 85DB TEST EBX,EBX ; INT entry 0: this DLL is done
012F72C8 0F84 A5000000 JE 00_aspac.012F7373
012F72CE F7C3 00000080 TEST EBX,0x80000000 ; bit 31 set = import by ordinal (IMAGE_ORDINAL_FLAG32); clear = import by name
012F72D4 75 04 JNZ SHORT 00_aspac.012F72DA
012F72D6 03DA ADD EBX,EDX ; by name: EBX -> IMAGE_IMPORT_BY_NAME = INT[i] + base (012EF1FE)
012F72D8 43 INC EBX ; +2 (adds, does not subtract): ...
012F72D9 43 INC EBX ; ... skip the Hint WORD so EBX points at the function name string
012F72DA 53 PUSH EBX ; keep the raw value for the failure path below
012F72DB 81E3 FFFFFF7F AND EBX,0x7FFFFFFF ; clear the ordinal flag (no effect on a name pointer)
012F72E1 53 PUSH EBX ; lpProcName: name pointer or ordinal
012F72E2 FFB5 A9050000 PUSH DWORD PTR SS:[EBP+0x5A9] ; hModule: SS:[012F75BC]=75EA0000 (user32)
012F72E8 FF95 A50F0000 CALL DWORD PTR SS:[EBP+0xFA5] ; SS:[012F7FB8]=76481837 (kernel32.GetProcAddress)
012F72EE 85C0 TEST EAX,EAX ; EAX = function address (75ED555C in the author's run) or 0
012F72F0 5B POP EBX ; restore the raw INT value (POP leaves the flags alone)
012F72F1 75 72 JNZ SHORT 00_aspac.012F7365 ; resolved: store it
012F72F3 F7C3 00000080 TEST EBX,0x80000000 ; GetProcAddress failed: was it an ordinal import?
012F72F9 75 19 JNZ SHORT 00_aspac.012F7314
012F72FB 57 PUSH EDI ; by-name failure: hand off to the fallback at 012F7426 (only its first instruction is in this dump)
012F72FC 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
012F72FF 0385 88040000 ADD EAX,DWORD PTR SS:[EBP+0x488] ; DLL name VA
012F7305 50 PUSH EAX
012F7306 53 PUSH EBX ; function name pointer
012F7307 8D85 DB040000 LEA EAX,DWORD PTR SS:[EBP+0x4DB] ; stub-local data at 012F74EE (not shown; purpose unknown)
012F730D 50 PUSH EAX
012F730E 57 PUSH EDI ; IAT slot
012F730F E9 12010000 JMP 00_aspac.012F7426
012F7314 81E3 FFFFFF7F AND EBX,0x7FFFFFFF ; EBX = ordinal
012F731A 8B85 8C040000 MOV EAX,DWORD PTR SS:[EBP+0x48C] ; kernel32 base
012F7320 3985 A9050000 CMP DWORD PTR SS:[EBP+0x5A9],EAX ; is the DLL kernel32 itself?
012F7326 75 24 JNZ SHORT 00_aspac.012F734C
012F7328 57 PUSH EDI ; kernel32 ordinal that GetProcAddress refused: read the export table by hand
012F7329 8BD3 MOV EDX,EBX
012F732B 4A DEC EDX ; index = ordinal - 1 (the export directory's Base is taken to be 1)
012F732C C1E2 02 SHL EDX,0x2 ; * sizeof(DWORD)
012F732F 8B9D A9050000 MOV EBX,DWORD PTR SS:[EBP+0x5A9] ; EBX = kernel32 base
012F7335 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+0x3C] ; e_lfanew
012F7338 8B7C3B 78 MOV EDI,DWORD PTR DS:[EBX+EDI+0x78] ; DataDirectory[EXPORT].VirtualAddress (PE32 header offset 0x78)
012F733C 035C3B 1C ADD EBX,DWORD PTR DS:[EBX+EDI+0x1C] ; EBX = base + IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
012F7340 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX] ; function RVA
012F7343 0385 A9050000 ADD EAX,DWORD PTR SS:[EBP+0x5A9] ; + base = function VA (no check for a forwarder entry)
012F7349 5F POP EDI
012F734A EB 19 JMP SHORT 00_aspac.012F7365
012F734C 57 PUSH EDI ; ordinal failure in another DLL: same fallback as above, with [EBP+0x52C]
012F734D 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
012F7350 0385 88040000 ADD EAX,DWORD PTR SS:[EBP+0x488] ; DLL name VA
012F7356 50 PUSH EAX
012F7357 53 PUSH EBX ; ordinal
012F7358 8D85 2C050000 LEA EAX,DWORD PTR SS:[EBP+0x52C] ; stub-local data at 012F753F (not shown)
012F735E 50 PUSH EAX
012F735F 57 PUSH EDI
012F7360 E9 C1000000 JMP 00_aspac.012F7426
012F7365 8907 MOV DWORD PTR DS:[EDI],EAX ; write the resolved address into the IAT slot
012F7367 8385 AD050000 0>ADD DWORD PTR SS:[EBP+0x5AD],0x4 ; next thunk
012F736E ^ E9 2FFFFFFF JMP 00_aspac.012F72A2 ; next function of the same DLL
012F7373 8906 MOV DWORD PTR DS:[ESI],EAX ; DLL finished. EAX still holds the VA of the terminating INT entry (from 012F72B3), so these three stores ...
012F7375 8946 0C MOV DWORD PTR DS:[ESI+0xC],EAX ; ... overwrite OriginalFirstThunk, Name and FirstThunk of the descriptor with a bogus value:
012F7378 8946 10 MOV DWORD PTR DS:[ESI+0x10],EAX ; ... the import directory is wrecked after use, so a memory dump needs its imports rebuilt from the filled IAT
012F737B 83C6 14 ADD ESI,0x14 ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
012F737E 8B95 88040000 MOV EDX,DWORD PTR SS:[EBP+0x488]
012F7384 ^ E9 E8FEFFFF JMP 00_aspac.012F7271 ; next DLL
012F7389 8BB5 88040000 MOV ESI,DWORD PTR SS:[EBP+0x488] ; all imports done: ESI = image base
012F738F 8B7E 3C MOV EDI,DWORD PTR DS:[ESI+0x3C] ; e_lfanew
012F7392 03FE ADD EDI,ESI ; EDI -> IMAGE_NT_HEADERS (what follows, up to 012F73E6, is not in this dump)
// restore section memory protection, then transfer to the OEP. Lines 012F7394-012F73E6 (loop set-up, the head at 012F73B7 targeted by the LOOPD below, and the first two VirtualProtect arguments) are missing from this dump.
012F73E7 FF77 08 PUSH DWORD PTR DS:[EDI+0x8] ; dwSize = IMAGE_SECTION_HEADER.VirtualSize (EDI appears to walk the section headers — confirm from the missing lines)
012F73EA 0385 88040000 ADD EAX,DWORD PTR SS:[EBP+0x488] ; lpAddress = section RVA + base (EAX was loaded before the visible part)
012F73F0 50 PUSH EAX
012F73F1 FF55 6A CALL DWORD PTR SS:[EBP+0x6A] ; VirtualProtect(section VA, VirtualSize, <flNewProtect>, <lpflOldProtect>) — the last two arguments were pushed outside the dump
012F73F4 59 POP ECX ; presumably restores the loop counter pushed outside the dump
012F73F5 AD LODS DWORD PTR DS:[ESI] ; ESI walks a table of dword pairs (not shown): skip the first dword ...
012F73F6 AD LODS DWORD PTR DS:[ESI] ; ... and take the second
012F73F7 8947 24 MOV DWORD PTR DS:[EDI+0x24],EAX ; write it into the section header's Characteristics (offset 0x24) — presumably the original flags saved by the packer; confirm
012F73FA ^ E2 BB LOOPD SHORT 00_aspac.012F73B7 ; next section header
012F73FC FF55 6A CALL DWORD PTR SS:[EBP+0x6A] ; VirtualProtect on the PE header (arguments pushed outside the dump)
012F73FF 59 POP ECX
012F7400 B8 D2110000 MOV EAX,0x11D2 ; original entry point RVA, hard-coded by the packer (this is also where the JNZ at 0041702F lands)
012F7405 50 PUSH EAX
012F7406 0385 88040000 ADD EAX,DWORD PTR SS:[EBP+0x488] ; EAX = OEP VA
012F740C 59 POP ECX ; ECX = OEP RVA
012F740D 0BC9 OR ECX,ECX ; ZF = (OEP RVA == 0); POPAD does not touch the flags, so the JNZ below still sees it
012F740F 8985 0E040000 MOV DWORD PTR SS:[EBP+0x40E],EAX ; EBP+0x40E = 012F7421: patch the OEP VA into the immediate of the PUSH below (the dump still shows the pre-patch 00000000)
012F7415 61 POPAD ; restore the registers saved by the PUSHAD at entry
012F7416 75 08 JNZ SHORT 00_aspac.012F7420 ; OEP RVA != 0: go there
012F7418 B8 01000000 MOV EAX,0x1 ; no entry point: return TRUE ...
012F741D C2 0C00 RETN 0xC ; ... from a 3-argument (DllMain-style) entry — presumably the DLL-without-entry-point case; confirm
012F7420 68 00000000 PUSH 0x0 ; immediate patched to the OEP VA at 012F740F ...
012F7425 C3 RETN ; ... so this RETN transfers control to the original entry point (base 012E0000 + 11D2 in the rebased run)
012F7426 8B85 8C040000 MOV EAX,DWORD PTR SS:[EBP+0x48C] ; start of the GetProcAddress-failure fallback (reached from 012F730F/012F7360): EAX = kernel32 base. The rest of the routine is not in this dump.