Here is my humble write-up.
Load the target in OD:
```
00428F6D L> BE 88014000 mov esi,L.00400188
00428F72 AD lods dword ptr ds:[esi]
00428F73 8BF8 mov edi,eax
00428F75 95 xchg eax,ebp
00428F76 AD lods dword ptr ds:[esi]
00428F77 91 xchg eax,ecx
```
Analysing the code is not very troublesome, but there is no need to step through it slowly either; I have summarised it. Simply press Ctrl+S and search for the command sequence:

```
push esi
xchg eax,edi
```

which brings you to the following code:
```
00429117 - 0F84 BBDFFDFF je L.004070D8
0042911D 56 push esi
0042911E 97 xchg eax,edi
0042911F FF53 FC call dword ptr ds:[ebx-4]
00429122 95 xchg eax,ebp
00429123 AC lods byte ptr ds:[esi]
```
The je immediately above carries the OEP: copy the OEP, then F4 to run to it:
```
004070D8 55 db 55 ; CHAR 'U'
004070D9 8B db 8B
004070DA EC db EC
004070DB 83 db 83
004070DC C4 db C4
004070DD F0 db F0
004070DE B8 db B8
004070DF 68704000 dd L.00407068
004070E3 E8 db E8
004070E4 5C db 5C ; CHAR '\'
```
What we see here is the typical pattern. Dump it with LordPE, then run the dump to see whether there is any problem; presumably there is a self-check. Let's look at that self-check.
Load the dump in OD:
```
004070D8 d> $ 55 push ebp
004070D9 . 8BEC mov ebp,esp
004070DB . 83C4 F0 add esp,-10
004070DE . B8 68704000 mov eax,dumped_.00407068
004070E3 . E8 5CCDFFFF call dumped_.00403E44
004070E8 . E8 B3E9FFFF call dumped_.00405AA0
004070ED . E8 EAC3FFFF call dumped_.004034DC
```
Follow the call dumped_.00405AA0:
```
00405AA0 /$ 55 push ebp
00405AA1 |. 8BEC mov ebp,esp
00405AA3 |. B9 0C000000 mov ecx,0C
00405AA8 |> 6A 00 /push 0
00405AAA |. 6A 00 |push 0
00405AAC |. 49 |dec ecx
00405AAD |.^ 75 F9 \jnz short dumped_.00405AA8
00405AAF |. 51 push ecx
00405AB0 |. 53 push ebx
```
Put the cursor on 00405AB0 and press F4 to run past the `jnz short` at 00405AAD. You will then see the following:
```
00405AC6 |> /E8 51120000 /call dumped_.00406D1C
00405ACB |. |A1 04814000 |mov eax,dword ptr ds:[408104]
00405AD0 |. |8B00 |mov eax,dword ptr ds:[eax]
00405AD2 |. |E8 6DDEFFFF |call dumped_.00403944
00405AD7 |. |50 |push eax ; /MapName
00405AD8 |. |68 FB100100 |push 110FB ; |MaximumSizeLow = 110FB
00405ADD |. |6A 00 |push 0 ; |MaximumSizeHigh = 0
00405ADF |. |6A 04 |push 4 ; |Protection = PAGE_READWRITE
00405AE1 |. |6A 00 |push 0 ; |pSecurity = NULL
00405AE3 |. |6A FF |push -1 ; |hFile = FFFFFFFF
00405AE5 |. |E8 46E4FFFF |call <jmp.&kernel32.CreateFileMa>; \CreateFileMappingA
00405AEA |. |A3 CC974000 |mov dword ptr ds:[4097CC],eax
00405AEF |. |6A 00 |push 0 ; /MapSize = 0
00405AF1 |. |6A 00 |push 0 ; |OffsetLow = 0
00405AF3 |. |6A 00 |push 0 ; |OffsetHigh = 0
00405AF5 |. |6A 06 |push 6 ; |AccessMode = 6
00405AF7 |. |A1 CC974000 |mov eax,dword ptr ds:[4097CC] ; |
00405AFC |. |50 |push eax ; |hMapObject => NULL
00405AFD |. |E8 36E5FFFF |call <jmp.&kernel32.MapViewOfFil>; \MapViewOfFile
```
Heh. Step into the call at 00405AC6 and look at the following:
```
00406D55 . 6A 00 push 0 ; /pFileSizeHigh = NULL
00406D57 . 56 push esi ; |hFile
00406D58 . E8 53D2FFFF call <jmp.&kernel32.GetFileSize> ; \GetFileSize
00406D5D . 8945 FC mov dword ptr ss:[ebp-4],eax
00406D60 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00406D63 . E8 20B7FFFF call dumped_.00402488
00406D68 . 8BD8 mov ebx,eax
00406D6A . 6A 00 push 0 ; /pOverlapped = NULL
00406D6C . 8D45 FC lea eax,dword ptr ss:[ebp-4] ; |
00406D6F . 50 push eax ; |pBytesRead
00406D70 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00406D73 . 50 push eax ; |BytesToRead
00406D74 . 53 push ebx ; |Buffer
00406D75 . 56 push esi ; |hFile
00406D76 . E8 D5D2FFFF call <jmp.&kernel32.ReadFile> ; \ReadFile
00406D9D .^\75 EF jnz short dumped_.00406D8E
00406D9F > 8B55 FC mov edx,dword ptr ss:[ebp-4]
00406DA2 . 8BC3 mov eax,ebx
00406DA4 . E8 FFB6FFFF call dumped_.004024A8
00406DA9 . 56 push esi ; /hObject
00406DAA . E8 61D1FFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00406DAF . 817D F8 80000000 cmp dword ptr ss:[ebp-8],80
00406DB6 . 74 11 je short dumped_.00406DC9
00406DB8 > 6A 00 push 0 ; /ExitCode = 0
00406DBA . E8 99D1FFFF call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00406DBF .^\E9 73FFFFFF jmp dumped_.00406D37
00406DC4 . E8 13C7FFFF call dumped_.004034DC
```
The trojan performs its self-check through the code above. Removing the self-check is simple too: change the `je short` at 00406DB6 to `jmp short`, then save the modified file as an exe and you are done.
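The last step, turning the `je short` at 00406DB6 into `jmp short`, can also be applied to the dumped file outside the debugger. The Python script below is an added example, not code from the original post: it maps the virtual address to a raw file offset through the PE section table, checks that the byte there really is 0x74 (je short) before touching it, and rewrites it to 0xEB (jmp short) while keeping the rel8 displacement. The image base 0x00400000 and the constructed minimal PE32 that stands in for the dump are assumptions.

```python
import struct

IMAGE_BASE = 0x00400000         # assumed image base of the dumped EXE
SELF_CHECK_JE_VA = 0x00406DB6   # address of the "je short" (74 11) in the listing above

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Translate an RVA to a raw file offset using the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", pe, table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def patch_je_to_jmp(pe: bytes, va: int, image_base: int = IMAGE_BASE) -> bytes:
    """Rewrite 'je short rel8' (74 xx) at va into 'jmp short rel8' (EB xx); rel8 is kept."""
    off = rva_to_offset(pe, va - image_base)
    if pe[off] != 0x74:
        raise ValueError(f"expected 0x74 (je short) at offset {off:#x}, found {pe[off]:#x}")
    return pe[:off] + b"\xEB" + pe[off + 1:]

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (one .text section) standing in for the dumped EXE."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew))
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, PE32 optional header size, EXE flags
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)     # ImageBase
    hdr += opt
    # IMAGE_SECTION_HEADER: .text, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x8000, 0x1000, 0x8000, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x400 + 0x8000)
    image[:len(hdr)] = hdr
    # cmp dword ptr [ebp-8],80 ; je short +11  -- the self-check from the listing above
    off = 0x400 + (SELF_CHECK_JE_VA - IMAGE_BASE - 0x1000)
    image[off - 7:off + 2] = bytes.fromhex("817DF880000000" "7411")
    return bytes(image)

if __name__ == "__main__":
    sample = build_sample_pe()
    patched = patch_je_to_jmp(sample, SELF_CHECK_JE_VA)
    off = rva_to_offset(sample, SELF_CHECK_JE_VA - IMAGE_BASE)
    print(f"offset {off:#x}: {sample[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

On the real dump, read the file into `pe`, call `patch_je_to_jmp`, and write the returned bytes to a new file; the byte check guards against patching the wrong place if the dump's section layout differs from what you expect.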