【文章标题】: peid逆向记录
【文章作者】: layper
【作者邮箱】: layper2002@yahoo.com.cn
【作者主页】: www.sy135.com
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用PEID加载入EXE文件,过程如下:
打开文件:
00439DFE FF15 88D34700 call dword ptr ds:[<&comdlg32.GetOpenFileNameA>] ;
comdlg32.GetOpenFileNameA
0012F458 0012F460 /pOpenFileName = 0012F460
创建线程:
00448F5C FF15 F0D04700 call dword ptr ds:[<&kernel32.CreateThrea>;
kernel32.CreateThread
0012F4A0 00000000 |pSecurity = NULL
0012F4A4 00000000 |StackSize = 0
0012F4A8 00444EB0 |ThreadFunction = PEiD.00444EB0
0012F4AC 00468ACC |pThreadParm = PEiD.00468ACC
0012F4B0 00000000 |CreationFlags = 0
0012F4B4 00468A0C /pThreadId = PEiD.00468A0C
拖放文件作初始化:
0043B720 FF15 20D24700 call dword ptr ds:[<&shell32.DragAcceptFi>;
shell32.DragAcceptFiles
0012F498 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F49C 00000000 /Accept = FALSE
设置控件文本:
0043B776 FF15 64D34700 call dword ptr ds:[<&user32.SetWindowText>;
USER32.SetWindowTextA
0012F498 00050452 |hWnd = 00050452 ('退出(&X)',class='Button',parent=003503AE)
0012F49C 004077C8 /Text = "中止"
设置对话框项目的文本:
00449210 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E8 |ControlID = 3E8 (1000.)
0012F60C 00468B00 /Text = "D:/我的程序/Project1.exe"
打开文件:
004384BD FF15 FCD14700 call dword ptr ds:[<&kernel32.CreateFileA>; kernel32.CreateFileA
0140FF38 00468B00 |FileName = "D:/我的程序/Project1.exe"
0140FF3C 80000000 |Access = GENERIC_READ
0140FF40 00000001 |ShareMode = FILE_SHARE_READ
0140FF44 00000000 |pSecurity = NULL
0140FF48 00000003 |Mode = OPEN_EXISTING
0140FF4C 00000080 |Attributes = NORMAL
0140FF50 00000000 /hTemplateFile = NULL
得到文件大小:
004384CE FF15 ECD14700 call dword ptr ds:[<&kernel32.GetFileSize>; kernel32.GetFileSize
0140FF4C 000001EC |hFile = 000001EC (window)
0140FF50 00000000 /pFileSizeHigh = NULL
创建一个新的文件映射对象:
004384E4 FF15 F0D14700 call dword ptr ds:[<&kernel32.CreateFileM>;
kernel32.CreateFileMappingA
0140FF3C 000001EC |hFile = 000001EC (window)
0140FF40 00000000 |pSecurity = NULL
0140FF44 00000002 |Protection = PAGE_READONLY
0140FF48 00000000 |MaximumSizeHigh = 0
0140FF4C 00000000 |MaximumSizeLow = 0
0140FF50 00000000 /MapName = NULL
映射到当前应用程序的地址空间:
004384F9 FF15 F4D14700 call dword ptr ds:[<&kernel32.MapViewOfFi>;
kernel32.MapViewOfFile
0140FF40 00000110 |hMapObject = 00000110 (window)
0140FF44 00000004 |AccessMode = FILE_MAP_READ
0140FF48 00000000 |OffsetHigh = 0
0140FF4C 00000000 |OffsetLow = 0
0140FF50 00000000 /MapSize = 0
设置文本:
00449210 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000404 |ControlID = 404 (1028.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000405 |ControlID = 405 (1029.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000408 |ControlID = 408 (1032.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000409 |ControlID = 409 (1033.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000406 |ControlID = 406 (1030.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000407 |ControlID = 407 (1031.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000404 |ControlID = 404 (1028.)
0012F60C 0140FF20 /Text = "00063014"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000405 |ControlID = 405 (1029.)
0012F60C 0140FF20 /Text = "00062414"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000408 |ControlID = 408 (1032.)
0012F60C 0140FF20 /Text = "2.25"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000406 |ControlID = 406 (1030.)
0012F60C 0140FF08 /Text = "CODE"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000407 |ControlID = 407 (1031.)
0012F60C 0140FF20 /Text = "55,8B,EC,83"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000409 |ControlID = 409 (1033.)
0012F60C 0140FF20 /Text = "Win32 GUI"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E9 |ControlID = 3E9 (1001.)
0012F60C 004078D8 /Text = "正在扫描..."
进行实际的内存分配工作:
0045AD22 FF15 84D14700 call dword ptr ds:[<&kernel32.HeapAlloc>] ;
ntdll.RtlAllocateHeap
0140F8E8 003E0000 |hHeap = 003E0000
0140F8EC 00000000 |Flags = 0
0140F8F0 00000020 /HeapSize = 20 (32.)
0043B720 FF15 20D24700 call dword ptr ds:[<&shell32.DragAcceptFi>;
shell32.DragAcceptFiles
0012F5F0 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F5F4 00000001 /Accept = TRUE
设置窗口文本:
0043B776 FF15 64D34700 call dword ptr ds:[<&user32.SetWindowText>;
USER32.SetWindowTextA
0012F5F0 00050452 |hWnd = 00050452 ('中止',class='Button',parent=003503AE)
0012F5F4 004077D0 /Text = "退出"
设置文本:
00449237 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E9 |ControlID = 3E9 (1001.)
0012F60C 00AA1BA8 /Text = "Borland Delphi 6.0 - 7.0"
解除对一个文件映射对象的映射:
0043843C FF15 F8D14700 call dword ptr ds:[<&kernel32.UnmapViewOf>;
kernel32.UnmapViewOfFile
0140FF5C 01110000 /BaseAddress = 01110000
到这里之后,PEID界面变成:
文件:D:/我的程序/Project1.exe
入口点:00063014 EP段:CODE
文件偏移:00062414 首字节:55,8B,EC,83
连接器版本:2.25 子系统:Win32 GUI
查壳:Borland Delphi 6.0 - 7.0
用OD看清楚它的流程,IDA看他的数据点判断的关键点
.text:004341D0 sub_4341D0 proc near ; CODE XREF: sub_44A740+15B p
.text:004341D0 ; sub_44A740+1A3 p ...
.text:004341D0
.text:004341D0 arg_0 = dword ptr 8
.text:004341D0 arg_4 = dword ptr 0Ch
.text:004341D0 arg_8 = dword ptr 10h
.text:004341D0
.text:004341D0 push ebx
.text:004341D1 mov ebx, [esp+arg_0]
.text:004341D5 push esi
.text:004341D6 mov esi, [esp+4+arg_8]
.text:004341DA push edi
.text:004341DB mov edi, [esp+8+arg_4]
.text:004341DF push esi
.text:004341E0 push edi
.text:004341E1 push ebx
.text:004341E2 call sub_433930 ;跟进
;---------------------------------------------------------------------------
sub_433930:
.text:00433930 sub_433930 proc near ; CODE XREF: sub_4341D0+12 p
.text:00433930 ; .text:00434232 p ...
.text:00433930
.text:00433930 arg_0 = dword ptr 8
.text:00433930 arg_4 = dword ptr 0Ch
.text:00433930
.text:00433930 push ebp
.text:00433931 mov ebp, [esp+arg_0] ;堆栈 ss:[0140FEEC]=00468CE0
.text:00433935 mov eax, [ebp+20h] ;ss:[00468D00]=00000220,eax=000000B5
.text:00433938 test eax, eax
.text:0043393A jnz short loc_433940 ;跳走
.text:0043393C xor al, al
.text:0043393E pop ebp
.text:0043393F retn
.text:00433940 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00433940
.text:00433940 loc_433940: ; CODE XREF: sub_433930+A j到这里
.text:00433940 mov edx, [esp+arg_4] ;edx=ss:[0140FEF0]=0140FF90
.text:00433944 mov eax, [edx+0Ch] ;堆栈 ds:[0140FF9C]=00F200B0, (ASCII
"PE"),eax=00000220文件头PE出来了
.text:00433947 movzx eax, word ptr [eax+6] ;得到文件节数目,ds:[00F200B6]=0003
.text:0043394B lea ecx, [eax+eax*4] ;ecx=文件节的数目*5=F
.text:0043394E mov eax, [edx+18h] ;堆栈 ds:[0140FFA8]=00F201A8, (ASCII
".def")
.text:00433951 lea ecx, [eax+ecx*8-28h] ;ecx=00F201F8 ASCII ".def"
.text:00433955 mov eax, [ecx+10h] ;ds:[00F20208]=00000200,eax=00F201A8,
(ASCII ".def")
.text:00433958 push esi ;esi=000000B5
.text:00433959 cmp eax, [ecx+8] ;注意比较ds:[00F20200]
=00000208,eax=00000200
.text:0043395C jnz short loc_4339D5 ;跳走
.text:0043395E mov esi, [ecx+14h]
.text:00433961 shr eax, 1
.text:00433963 add eax, esi
.text:00433965 mov esi, [edx+4]
.text:00433968 lea ecx, [eax+12h]
.text:0043396B cmp ecx, esi
.text:0043396D ja short loc_4339D5
.text:0043396F lea esi, [eax+20h]
.text:00433972 cmp eax, esi
.text:00433974 jnb short loc_433999
.text:00433976 mov ecx, [edx]
.text:00433978
.text:00433978 loc_433978: ; CODE XREF: sub_433930+67 j
.text:00433978 cmp word ptr [ecx+eax], 6890h
.text:0043397E jnz short loc_433994
.text:00433980 cmp dword ptr [ecx+eax+6], 36FF6467h
.text:00433988 jnz short loc_433994
.text:0043398A cmp dword ptr [ecx+eax+0Ch], 26896467h
.text:00433992 jz short loc_4339BF
.text:00433994
.text:00433994 loc_433994: ; CODE XREF: sub_433930+4E j
.text:00433994 ; sub_433930+58 j
.text:00433994 inc eax
.text:00433995 cmp eax, esi
.text:00433997 jb short loc_433978
.text:00433999
.text:00433999 loc_433999: ; CODE XREF: sub_433930+44 j
.text:00433999 mov edx, [edx]
.text:0043399B mov eax, [ebp+20h]
.text:0043399E cmp word ptr [edx+eax-2], 0E0FFh
.text:004339A5 jnz short loc_4339D5
.text:004339A7 push 1Fh
.text:004339A9 push offset aEpprot0_3Feuer ; "EPProt 0.3 -> FEUERRADER/AHTeam"
.text:004339AE lea ecx, [ebp+4]
.text:004339B1 call sub_430CD0
.text:004339B6 pop esi
.text:004339B7 mov byte ptr [ebp+0], 1
.text:004339BB mov al, 1
.text:004339BD pop ebp
.text:004339BE retn
.text:004339BF ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004339BF
.text:004339BF loc_4339BF: ; CODE XREF: sub_433930+62 j
.text:004339BF push offset aDotfixFakesign ; "DotFix FakeSigner 2.2 -> GPcH
Soft"
.text:004339C4 lea ecx, [ebp+4]
.text:004339C7 call sub_431FA0
.text:004339CC pop esi
.text:004339CD mov byte ptr [ebp+0], 1
.text:004339D1 mov al, 1
.text:004339D3 pop ebp
.text:004339D4 retn
.text:004339D5 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004339D5
.text:004339D5 loc_4339D5: ; CODE XREF: sub_433930+2C j跳到这里
.text:004339D5 ; sub_433930+3D j ...
.text:004339D5 pop esi
.text:004339D6 xor al, al
.text:004339D8 pop ebp
.text:004339D9 retn
.text:004339D9 sub_433930 endp
;------------------------------------------------------------------------------
.text:004341E7 add esp, 0Ch
.text:004341EA test al, al
.text:004341EC jnz short loc_4341FD ;不跳
.text:004341EE push esi
.text:004341EF push edi
.text:004341F0 push ebx ;ebx=00468CE0 (PEiD.00468CE0)
.text:004341F1 call sub_4339E0 ;跟进
;--------------------------------4439e0--------------------------------------------------
.text:004339E0 sub_4339E0 proc near ; CODE XREF: sub_4341D0+21 p
.text:004339E0 ; .text:00434241 p ...
.text:004339E0
.text:004339E0 var_28 = dword ptr -28h
.text:004339E0 var_C = dword ptr -0Ch
.text:004339E0 var_4 = dword ptr -4
.text:004339E0 arg_0 = dword ptr 4
.text:004339E0 arg_4 = dword ptr 8
.text:004339E0 arg_8 = dword ptr 0Ch
.text:004339E0
.text:004339E0 mov eax, large fs:0
.text:004339E6 mov edx, [esp+arg_4]
.text:004339EA push 0FFFFFFFFh
.text:004339EC push offset loc_464308
.text:004339F1 push eax
.text:004339F2 mov large fs:0, esp
.text:004339F9 mov eax, [edx+0Ch] ;堆栈 ds:[0140FF9C]=00F200B0, (ASCII "PE")
.text:004339FC movzx eax, word ptr [eax+6] ;ds:[00F200B6]=0003,eax=00F200B0,
(ASCII "PE")
.text:00433A00 mov ecx, [edx+18h] ;堆栈 ds:[0140FFA8]=00F201A8, (ASCII
".def")
ecx=00F201F8, (ASCII ".def")
.text:00433A03 sub eax, 2 ;eax=1
.text:00433A06 sub esp, 1Ch ;esp=0140FEDC-1c=0140FEC0
.text:00433A09 lea eax, [eax+eax*4] ;eax=5
.text:00433A0C lea eax, [ecx+eax*8] ;地址=00F201D0, (ASCII ".def")
eax=00000005
.text:00433A0F mov ecx, [eax+10h] ;ds:[00F201E0]=00000200,ecx=00F201A8,
(ASCII ".def")
.text:00433A12 push esi
.text:00433A13 cmp ecx, [eax+8] ;ds:[00F201D8]=0000019E
ecx=00000200
.text:00433A16 jnz short loc_433A4E ;跳走
.text:00433A18 cmp ecx, 5000h
.text:00433A1E jnz short loc_433A4E
.text:00433A20 mov ecx, [eax+38h]
.text:00433A23 add eax, 28h
.text:00433A26 test ecx, ecx
.text:00433A28 jnz short loc_433A4E
.text:00433A2A cmp dword ptr [eax+8], 1000h
.text:00433A31 jnz short loc_433A4E
.text:00433A33 mov ecx, [edx+4]
.text:00433A36 sub eax, 28h
.text:00433A39 mov eax, [eax+14h]
.text:00433A3C dec ecx
.text:00433A3D cmp ecx, eax
.text:00433A3F jbe short loc_433A4E
.text:00433A41 mov edx, [edx]
.text:00433A43
.text:00433A43 loc_433A43: ; CODE XREF: sub_4339E0+6C j
.text:00433A43 cmp byte ptr [edx+ecx], 0
.text:00433A47 jnz short loc_433A60
.text:00433A49 dec ecx
.text:00433A4A cmp ecx, eax
.text:00433A4C ja short loc_433A43
.text:00433A4E
.text:00433A4E loc_433A4E: ; CODE XREF: sub_4339E0+36 j跳到这里
.text:00433A4E ; sub_4339E0+3E j ...
.text:00433A4E pop esi
.text:00433A4F xor al, al
.text:00433A51 mov ecx, [esp+28h+var_C]
.text:00433A55 mov large fs:0, ecx
.text:00433A5C add esp, 28h
.text:00433A5F retn ;返回004341F6
.text:00433A60 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00433A60
.text:00433A60 loc_433A60: ; CODE XREF: sub_4339E0+67 j
.text:00433A60 cmp byte ptr [edx+ecx], 0C3h
.text:00433A64 jnz short loc_433A4E
.text:00433A66 push offset aMslrh0_32aEmad ; "[MSLRH] 0.32a -> emadicius [ "
.text:00433A6B lea ecx, [esp+30h+var_28]
.text:00433A6F call sub_430DC0
.text:00433A74 mov eax, [esp+2Ch+arg_8]
.text:00433A78 lea edx, [eax+eax*2]
.text:00433A7B mov eax, ds:dword_4037E0[edx*4]
.text:00433A82 push eax
.text:00433A83 lea ecx, [esp+30h+var_28]
.text:00433A87 mov [esp+30h+var_4], 0
.text:00433A8F call sub_431FD0
.text:00433A94 push 2
.text:00433A96 push offset asc_406CD0 ; " ]"
.text:00433A9B lea ecx, [esp+34h+var_28]
.text:00433A9F call sub_431E90
.text:00433AA4 mov esi, [esp+2Ch+arg_0]
.text:00433AA8 push 0FFFFFFFFh
.text:00433AAA push 0
.text:00433AAC lea ecx, [esp+34h+var_28]
.text:00433AB0 push ecx
.text:00433AB1 lea ecx, [esi+4]
.text:00433AB4 call sub_430BE0
.text:00433AB9 lea ecx, [esp+2Ch+var_28]
.text:00433ABD mov byte ptr [esi], 1
.text:00433AC0 call sub_43C7B0
.text:00433AC5 mov ecx, [esp+2Ch+var_C]
.text:00433AC9 pop esi
.text:00433ACA mov al, 1
.text:00433ACC mov large fs:0, ecx
.text:00433AD3 add esp, 28h
.text:00433AD6 retn
.text:00433AD6 sub_4339E0 endp
;----------------------------------------------------------------------------------------------
.text:004341F6 add esp, 0Ch ;返回这里
.text:004341F9 test al, al
.text:004341FB jz short loc_434203 ;跳走
.text:004341FD
.text:004341FD loc_4341FD: ; CODE XREF: sub_4341D0+1C j
.text:004341FD pop edi
.text:004341FE pop esi
.text:004341FF mov al, 1
.text:00434201 pop ebx
.text:00434202 retn
.text:00434203 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00434203
.text:00434203 loc_434203: ; CODE XREF: sub_4341D0+2B j 跳到这里
.text:00434203 push esi
.text:00434204 push edi
.text:00434205 push ebx
.text:00434206 call sub_433AE0
.text:0043420B add esp, 0Ch
.text:0043420E pop edi
.text:0043420F test al, al
.text:00434211 pop esi
.text:00434212 setnz al ;条件为假
.text:00434215 pop ebx
.text:00434216 retn
.text:00434216 sub_4341D0 endp
有点乱,先分析到这里,分析特征码的思路还没有完全明了,原本想利用它的函数调用顺序来分析出特征码的调
用处,但不成功,观察一下,PEID有可能利用异常来转入特征码比较处.所以我就搜索文本发现很多诸如ASCII
"Armadillo 1.75a -> Silicon Realms Toolworks"壳的名称,我就利用回溯法往回找,大致了解他用
cmp eax,[特征码片段] 来搜索出壳的名称.
不知对不对,敬请指点.
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年06月06日 12:33:32
+++++++++++++++++++++++++++++++++++++++++++++++++++
NBW:好快的刀,你继续分析。大家支持你!
贴一点我前几天看的:
//获得入口处的特征
00E1FEE8 00E1FF20 ASCII "60,BE,00,10"
0042D8A0 8D5424 30 lea edx,dword ptr ss:[esp+30]
0042D8A4 68 A42F4000 push PEiD.00402FA4 ; ASCII "%02X,%02X,%02X,%02X"
0042D8A9 52 push edx
0042D8AA FFD3 call ebx
//获得子系统
0042D925 33C0 xor eax,eax
0042D927 66:8B42 44 mov ax,word ptr ds:[edx+44]
0042D92B 48 dec eax
0042D92C 83F8 06 cmp eax,6
0042D92F 77 3E ja short PEiD.0042D96F
0042D931 FF2485 CCD94200 jmp dword ptr ds:[eax*4+42D9CC]
//搜索特征?
0043D5C5 52 push edx
0043D5C6 50 push eax
0043D5C7 53 push ebx
0043D5C8 51 push ecx
0043D5C9 8BCF mov ecx,edi
0043D5CB E8 50FFFFFF call PEiD.0043D520
//获得壳名称
0043B890 50 push eax //PackerNo
0043B891 53 push ebx
0043B892 8D1440 lea edx,dword ptr ds:[eax+eax*2]
0043B895 8B4424 34 mov eax,dword ptr ss:[esp+34]
0043B899 50 push eax
0043B89A FF1495 643B4000 call dword ptr ds:[edx*4+403B64]
他比较特征码的时候可能是个递归,这个一定要注意,不要死跟下去,第一次到那个函数的时候分析参数,好像是这个函数:
0043D5C5 52 push edx
0043D5C6 50 push eax
0043D5C7 53 push ebx
0043D5C8 51 push ecx
0043D5C9 8BCF mov ecx,edi
0043D5CB E8 50FFFFFF call PEiD.0043D520
这里是pedi v0.92
我跟的是pedi v0.94,特征码确实有点象递归,受教了.0.94版跟0.92有所区别了.我的功力还不够,老大分析看看,呵呵.
【文章作者】: layper
【作者邮箱】: layper2002@yahoo.com.cn
【作者主页】: www.sy135.com
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用PEID加载入EXE文件,过程如下:
打开文件:
00439DFE FF15 88D34700 call dword ptr ds:[<&comdlg32.GetOpenFileNameA>] ;
comdlg32.GetOpenFileNameA
0012F458 0012F460 /pOpenFileName = 0012F460
创建线程:
00448F5C FF15 F0D04700 call dword ptr ds:[<&kernel32.CreateThrea>;
kernel32.CreateThread
0012F4A0 00000000 |pSecurity = NULL
0012F4A4 00000000 |StackSize = 0
0012F4A8 00444EB0 |ThreadFunction = PEiD.00444EB0
0012F4AC 00468ACC |pThreadParm = PEiD.00468ACC
0012F4B0 00000000 |CreationFlags = 0
0012F4B4 00468A0C /pThreadId = PEiD.00468A0C
拖放文件作初始化:
0043B720 FF15 20D24700 call dword ptr ds:[<&shell32.DragAcceptFi>;
shell32.DragAcceptFiles
0012F498 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F49C 00000000 /Accept = FALSE
设置控件文本:
0043B776 FF15 64D34700 call dword ptr ds:[<&user32.SetWindowText>;
USER32.SetWindowTextA
0012F498 00050452 |hWnd = 00050452 ('退出(&X)',class='Button',parent=003503AE)
0012F49C 004077C8 /Text = "中止"
设置对话框项目的文本:
00449210 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E8 |ControlID = 3E8 (1000.)
0012F60C 00468B00 /Text = "D:/我的程序/Project1.exe"
打开文件:
004384BD FF15 FCD14700 call dword ptr ds:[<&kernel32.CreateFileA>; kernel32.CreateFileA
0140FF38 00468B00 |FileName = "D:/我的程序/Project1.exe"
0140FF3C 80000000 |Access = GENERIC_READ
0140FF40 00000001 |ShareMode = FILE_SHARE_READ
0140FF44 00000000 |pSecurity = NULL
0140FF48 00000003 |Mode = OPEN_EXISTING
0140FF4C 00000080 |Attributes = NORMAL
0140FF50 00000000 /hTemplateFile = NULL
得到文件大小:
004384CE FF15 ECD14700 call dword ptr ds:[<&kernel32.GetFileSize>; kernel32.GetFileSize
0140FF4C 000001EC |hFile = 000001EC (window)
0140FF50 00000000 /pFileSizeHigh = NULL
创建一个新的文件映射对象:
004384E4 FF15 F0D14700 call dword ptr ds:[<&kernel32.CreateFileM>;
kernel32.CreateFileMappingA
0140FF3C 000001EC |hFile = 000001EC (window)
0140FF40 00000000 |pSecurity = NULL
0140FF44 00000002 |Protection = PAGE_READONLY
0140FF48 00000000 |MaximumSizeHigh = 0
0140FF4C 00000000 |MaximumSizeLow = 0
0140FF50 00000000 /MapName = NULL
映射到当前应用程序的地址空间:
004384F9 FF15 F4D14700 call dword ptr ds:[<&kernel32.MapViewOfFi>;
kernel32.MapViewOfFile
0140FF40 00000110 |hMapObject = 00000110 (window)
0140FF44 00000004 |AccessMode = FILE_MAP_READ
0140FF48 00000000 |OffsetHigh = 0
0140FF4C 00000000 |OffsetLow = 0
0140FF50 00000000 /MapSize = 0
设置文本:
00449210 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000404 |ControlID = 404 (1028.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000405 |ControlID = 405 (1029.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000408 |ControlID = 408 (1032.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000409 |ControlID = 409 (1033.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000406 |ControlID = 406 (1030.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000407 |ControlID = 407 (1031.)
0012F60C 00407323 /Text = ""
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000404 |ControlID = 404 (1028.)
0012F60C 0140FF20 /Text = "00063014"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000405 |ControlID = 405 (1029.)
0012F60C 0140FF20 /Text = "00062414"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000408 |ControlID = 408 (1032.)
0012F60C 0140FF20 /Text = "2.25"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000406 |ControlID = 406 (1030.)
0012F60C 0140FF08 /Text = "CODE"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000407 |ControlID = 407 (1031.)
0012F60C 0140FF20 /Text = "55,8B,EC,83"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 00000409 |ControlID = 409 (1033.)
0012F60C 0140FF20 /Text = "Win32 GUI"
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E9 |ControlID = 3E9 (1001.)
0012F60C 004078D8 /Text = "正在扫描..."
进行实际的内存分配工作:
0045AD22 FF15 84D14700 call dword ptr ds:[<&kernel32.HeapAlloc>] ;
ntdll.RtlAllocateHeap
0140F8E8 003E0000 |hHeap = 003E0000
0140F8EC 00000000 |Flags = 0
0140F8F0 00000020 /HeapSize = 20 (32.)
0043B720 FF15 20D24700 call dword ptr ds:[<&shell32.DragAcceptFi>;
shell32.DragAcceptFiles
0012F5F0 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F5F4 00000001 /Accept = TRUE
设置窗口文本:
0043B776 FF15 64D34700 call dword ptr ds:[<&user32.SetWindowText>;
USER32.SetWindowTextA
0012F5F0 00050452 |hWnd = 00050452 ('中止',class='Button',parent=003503AE)
0012F5F4 004077D0 /Text = "退出"
设置文本:
00449237 FF15 50D34700 call dword ptr ds:[<&user32.SetDlgItemTex>;
USER32.SetDlgItemTextA
0012F604 003503AE |hWnd = 003503AE ('PEiD v0.94',class='#32770')
0012F608 000003E9 |ControlID = 3E9 (1001.)
0012F60C 00AA1BA8 /Text = "Borland Delphi 6.0 - 7.0"
解除对一个文件映射对象的映射:
0043843C FF15 F8D14700 call dword ptr ds:[<&kernel32.UnmapViewOf>;
kernel32.UnmapViewOfFile
0140FF5C 01110000 /BaseAddress = 01110000
到这里之后,PEID界面变成:
文件:D:/我的程序/Project1.exe
入口点:00063014 EP段:CODE
文件偏移:00062414 首字节:55,8B,EC,83
连接器版本:2.25 子系统:Win32 GUI
查壳:Borland Delphi 6.0 - 7.0
用OD看清楚它的流程,IDA看他的数据点判断的关键点
.text:004341D0 sub_4341D0 proc near ; CODE XREF: sub_44A740+15B p
.text:004341D0 ; sub_44A740+1A3 p ...
.text:004341D0
.text:004341D0 arg_0 = dword ptr 8
.text:004341D0 arg_4 = dword ptr 0Ch
.text:004341D0 arg_8 = dword ptr 10h
.text:004341D0
.text:004341D0 push ebx
.text:004341D1 mov ebx, [esp+arg_0]
.text:004341D5 push esi
.text:004341D6 mov esi, [esp+4+arg_8]
.text:004341DA push edi
.text:004341DB mov edi, [esp+8+arg_4]
.text:004341DF push esi
.text:004341E0 push edi
.text:004341E1 push ebx
.text:004341E2 call sub_433930 ;跟进
;---------------------------------------------------------------------------
sub_433930:
.text:00433930 sub_433930 proc near ; CODE XREF: sub_4341D0+12 p
.text:00433930 ; .text:00434232 p ...
.text:00433930
.text:00433930 arg_0 = dword ptr 8
.text:00433930 arg_4 = dword ptr 0Ch
.text:00433930
.text:00433930 push ebp
.text:00433931 mov ebp, [esp+arg_0] ;堆栈 ss:[0140FEEC]=00468CE0
.text:00433935 mov eax, [ebp+20h] ;ss:[00468D00]=00000220,eax=000000B5
.text:00433938 test eax, eax
.text:0043393A jnz short loc_433940 ;跳走
.text:0043393C xor al, al
.text:0043393E pop ebp
.text:0043393F retn
.text:00433940 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00433940
.text:00433940 loc_433940: ; CODE XREF: sub_433930+A j到这里
.text:00433940 mov edx, [esp+arg_4] ;edx=ss:[0140FEF0]=0140FF90
.text:00433944 mov eax, [edx+0Ch] ;堆栈 ds:[0140FF9C]=00F200B0, (ASCII
"PE"),eax=00000220文件头PE出来了
.text:00433947 movzx eax, word ptr [eax+6] ;得到文件节数目,ds:[00F200B6]=0003
.text:0043394B lea ecx, [eax+eax*4] ;ecx=文件节的数目*5=F
.text:0043394E mov eax, [edx+18h] ;堆栈 ds:[0140FFA8]=00F201A8, (ASCII
".def")
.text:00433951 lea ecx, [eax+ecx*8-28h] ;ecx=00F201F8 ASCII ".def"
.text:00433955 mov eax, [ecx+10h] ;ds:[00F20208]=00000200,eax=00F201A8,
(ASCII ".def")
.text:00433958 push esi ;esi=000000B5
.text:00433959 cmp eax, [ecx+8] ;注意比较ds:[00F20200]
=00000208,eax=00000200
.text:0043395C jnz short loc_4339D5 ;跳走
.text:0043395E mov esi, [ecx+14h]
.text:00433961 shr eax, 1
.text:00433963 add eax, esi
.text:00433965 mov esi, [edx+4]
.text:00433968 lea ecx, [eax+12h]
.text:0043396B cmp ecx, esi
.text:0043396D ja short loc_4339D5
.text:0043396F lea esi, [eax+20h]
.text:00433972 cmp eax, esi
.text:00433974 jnb short loc_433999
.text:00433976 mov ecx, [edx]
.text:00433978
.text:00433978 loc_433978: ; CODE XREF: sub_433930+67 j
.text:00433978 cmp word ptr [ecx+eax], 6890h
.text:0043397E jnz short loc_433994
.text:00433980 cmp dword ptr [ecx+eax+6], 36FF6467h
.text:00433988 jnz short loc_433994
.text:0043398A cmp dword ptr [ecx+eax+0Ch], 26896467h
.text:00433992 jz short loc_4339BF
.text:00433994
.text:00433994 loc_433994: ; CODE XREF: sub_433930+4E j
.text:00433994 ; sub_433930+58 j
.text:00433994 inc eax
.text:00433995 cmp eax, esi
.text:00433997 jb short loc_433978
.text:00433999
.text:00433999 loc_433999: ; CODE XREF: sub_433930+44 j
.text:00433999 mov edx, [edx]
.text:0043399B mov eax, [ebp+20h]
.text:0043399E cmp word ptr [edx+eax-2], 0E0FFh
.text:004339A5 jnz short loc_4339D5
.text:004339A7 push 1Fh
.text:004339A9 push offset aEpprot0_3Feuer ; "EPProt 0.3 -> FEUERRADER/AHTeam"
.text:004339AE lea ecx, [ebp+4]
.text:004339B1 call sub_430CD0
.text:004339B6 pop esi
.text:004339B7 mov byte ptr [ebp+0], 1
.text:004339BB mov al, 1
.text:004339BD pop ebp
.text:004339BE retn
.text:004339BF ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004339BF
.text:004339BF loc_4339BF: ; CODE XREF: sub_433930+62 j
.text:004339BF push offset aDotfixFakesign ; "DotFix FakeSigner 2.2 -> GPcH
Soft"
.text:004339C4 lea ecx, [ebp+4]
.text:004339C7 call sub_431FA0
.text:004339CC pop esi
.text:004339CD mov byte ptr [ebp+0], 1
.text:004339D1 mov al, 1
.text:004339D3 pop ebp
.text:004339D4 retn
.text:004339D5 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:004339D5
.text:004339D5 loc_4339D5: ; CODE XREF: sub_433930+2C j跳到这里
.text:004339D5 ; sub_433930+3D j ...
.text:004339D5 pop esi
.text:004339D6 xor al, al
.text:004339D8 pop ebp
.text:004339D9 retn
.text:004339D9 sub_433930 endp
;------------------------------------------------------------------------------
.text:004341E7 add esp, 0Ch
.text:004341EA test al, al
.text:004341EC jnz short loc_4341FD ;不跳
.text:004341EE push esi
.text:004341EF push edi
.text:004341F0 push ebx ;ebx=00468CE0 (PEiD.00468CE0)
.text:004341F1 call sub_4339E0 ;跟进
;--------------------------------4439e0--------------------------------------------------
.text:004339E0 sub_4339E0 proc near ; CODE XREF: sub_4341D0+21 p
.text:004339E0 ; .text:00434241 p ...
.text:004339E0
.text:004339E0 var_28 = dword ptr -28h
.text:004339E0 var_C = dword ptr -0Ch
.text:004339E0 var_4 = dword ptr -4
.text:004339E0 arg_0 = dword ptr 4
.text:004339E0 arg_4 = dword ptr 8
.text:004339E0 arg_8 = dword ptr 0Ch
.text:004339E0
.text:004339E0 mov eax, large fs:0
.text:004339E6 mov edx, [esp+arg_4]
.text:004339EA push 0FFFFFFFFh
.text:004339EC push offset loc_464308
.text:004339F1 push eax
.text:004339F2 mov large fs:0, esp
.text:004339F9 mov eax, [edx+0Ch] ;堆栈 ds:[0140FF9C]=00F200B0, (ASCII "PE")
.text:004339FC movzx eax, word ptr [eax+6] ;ds:[00F200B6]=0003,eax=00F200B0,
(ASCII "PE")
.text:00433A00 mov ecx, [edx+18h] ;堆栈 ds:[0140FFA8]=00F201A8, (ASCII
".def")
ecx=00F201F8, (ASCII ".def")
.text:00433A03 sub eax, 2 ;eax=1
.text:00433A06 sub esp, 1Ch ;esp=0140FEDC-1c=0140FEC0
.text:00433A09 lea eax, [eax+eax*4] ;eax=5
.text:00433A0C lea eax, [ecx+eax*8] ;地址=00F201D0, (ASCII ".def")
eax=00000005
.text:00433A0F mov ecx, [eax+10h] ;ds:[00F201E0]=00000200,ecx=00F201A8,
(ASCII ".def")
.text:00433A12 push esi
.text:00433A13 cmp ecx, [eax+8] ;ds:[00F201D8]=0000019E
ecx=00000200
.text:00433A16 jnz short loc_433A4E ;跳走
.text:00433A18 cmp ecx, 5000h
.text:00433A1E jnz short loc_433A4E
.text:00433A20 mov ecx, [eax+38h]
.text:00433A23 add eax, 28h
.text:00433A26 test ecx, ecx
.text:00433A28 jnz short loc_433A4E
.text:00433A2A cmp dword ptr [eax+8], 1000h
.text:00433A31 jnz short loc_433A4E
.text:00433A33 mov ecx, [edx+4]
.text:00433A36 sub eax, 28h
.text:00433A39 mov eax, [eax+14h]
.text:00433A3C dec ecx
.text:00433A3D cmp ecx, eax
.text:00433A3F jbe short loc_433A4E
.text:00433A41 mov edx, [edx]
.text:00433A43
.text:00433A43 loc_433A43: ; CODE XREF: sub_4339E0+6C j
.text:00433A43 cmp byte ptr [edx+ecx], 0
.text:00433A47 jnz short loc_433A60
.text:00433A49 dec ecx
.text:00433A4A cmp ecx, eax
.text:00433A4C ja short loc_433A43
.text:00433A4E
.text:00433A4E loc_433A4E: ; CODE XREF: sub_4339E0+36 j跳到这里
.text:00433A4E ; sub_4339E0+3E j ...
.text:00433A4E pop esi
.text:00433A4F xor al, al
.text:00433A51 mov ecx, [esp+28h+var_C]
.text:00433A55 mov large fs:0, ecx
.text:00433A5C add esp, 28h
.text:00433A5F retn ;返回004341F6
.text:00433A60 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00433A60
.text:00433A60 loc_433A60: ; CODE XREF: sub_4339E0+67 j
.text:00433A60 cmp byte ptr [edx+ecx], 0C3h
.text:00433A64 jnz short loc_433A4E
.text:00433A66 push offset aMslrh0_32aEmad ; "[MSLRH] 0.32a -> emadicius [ "
.text:00433A6B lea ecx, [esp+30h+var_28]
.text:00433A6F call sub_430DC0
.text:00433A74 mov eax, [esp+2Ch+arg_8]
.text:00433A78 lea edx, [eax+eax*2]
.text:00433A7B mov eax, ds:dword_4037E0[edx*4]
.text:00433A82 push eax
.text:00433A83 lea ecx, [esp+30h+var_28]
.text:00433A87 mov [esp+30h+var_4], 0
.text:00433A8F call sub_431FD0
.text:00433A94 push 2
.text:00433A96 push offset asc_406CD0 ; " ]"
.text:00433A9B lea ecx, [esp+34h+var_28]
.text:00433A9F call sub_431E90
.text:00433AA4 mov esi, [esp+2Ch+arg_0]
.text:00433AA8 push 0FFFFFFFFh
.text:00433AAA push 0
.text:00433AAC lea ecx, [esp+34h+var_28]
.text:00433AB0 push ecx
.text:00433AB1 lea ecx, [esi+4]
.text:00433AB4 call sub_430BE0
.text:00433AB9 lea ecx, [esp+2Ch+var_28]
.text:00433ABD mov byte ptr [esi], 1
.text:00433AC0 call sub_43C7B0
.text:00433AC5 mov ecx, [esp+2Ch+var_C]
.text:00433AC9 pop esi
.text:00433ACA mov al, 1
.text:00433ACC mov large fs:0, ecx
.text:00433AD3 add esp, 28h
.text:00433AD6 retn
.text:00433AD6 sub_4339E0 endp
;----------------------------------------------------------------------------------------------
.text:004341F6 add esp, 0Ch ;返回这里
.text:004341F9 test al, al
.text:004341FB jz short loc_434203 ;跳走
.text:004341FD
.text:004341FD loc_4341FD: ; CODE XREF: sub_4341D0+1C j
.text:004341FD pop edi
.text:004341FE pop esi
.text:004341FF mov al, 1
.text:00434201 pop ebx
.text:00434202 retn
.text:00434203 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:00434203
.text:00434203 loc_434203: ; CODE XREF: sub_4341D0+2B j 跳到这里
.text:00434203 push esi
.text:00434204 push edi
.text:00434205 push ebx
.text:00434206 call sub_433AE0
.text:0043420B add esp, 0Ch
.text:0043420E pop edi
.text:0043420F test al, al
.text:00434211 pop esi
.text:00434212 setnz al ;条件为假
.text:00434215 pop ebx
.text:00434216 retn
.text:00434216 sub_4341D0 endp
有点乱,先分析到这里,分析特征码的思路还没有完全明了,原本想利用它的函数调用顺序来分析出特征码的调
用处,但不成功,观察一下,PEID有可能利用异常来转入特征码比较处.所以我就搜索文本发现很多诸如ASCII
"Armadillo 1.75a -> Silicon Realms Toolworks"壳的名称,我就利用回溯法往回找,大致了解他用
cmp eax,[特征码片段] 来搜索出壳的名称.
不知对不对,敬请指点.
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年06月06日 12:33:32
+++++++++++++++++++++++++++++++++++++++++++++++++++
NBW:好快的刀,你继续分析。大家支持你!
贴一点我前几天看的:
//获得入口处的特征
00E1FEE8 00E1FF20 ASCII "60,BE,00,10"
0042D8A0 8D5424 30 lea edx,dword ptr ss:[esp+30]
0042D8A4 68 A42F4000 push PEiD.00402FA4 ; ASCII "%02X,%02X,%02X,%02X"
0042D8A9 52 push edx
0042D8AA FFD3 call ebx
//获得子系统
0042D925 33C0 xor eax,eax
0042D927 66:8B42 44 mov ax,word ptr ds:[edx+44]
0042D92B 48 dec eax
0042D92C 83F8 06 cmp eax,6
0042D92F 77 3E ja short PEiD.0042D96F
0042D931 FF2485 CCD94200 jmp dword ptr ds:[eax*4+42D9CC]
//搜索特征?
0043D5C5 52 push edx
0043D5C6 50 push eax
0043D5C7 53 push ebx
0043D5C8 51 push ecx
0043D5C9 8BCF mov ecx,edi
0043D5CB E8 50FFFFFF call PEiD.0043D520
//获得壳名称
0043B890 50 push eax //PackerNo
0043B891 53 push ebx
0043B892 8D1440 lea edx,dword ptr ds:[eax+eax*2]
0043B895 8B4424 34 mov eax,dword ptr ss:[esp+34]
0043B899 50 push eax
0043B89A FF1495 643B4000 call dword ptr ds:[edx*4+403B64]
他比较特征码的时候可能是个递归,这个一定要注意,不要死跟下去,第一次到那个函数的时候分析参数,好像是这个函数:
0043D5C5 52 push edx
0043D5C6 50 push eax
0043D5C7 53 push ebx
0043D5C8 51 push ecx
0043D5C9 8BCF mov ecx,edi
0043D5CB E8 50FFFFFF call PEiD.0043D520
这里是pedi v0.92
我跟的是pedi v0.94,特征码确实有点象递归,受教了.0.94版跟0.92有所区别了.我的功力还不够,老大分析看看,呵呵.
扫一扫
1861
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
