ÄúÏÖÔÚµÄλÖ㺠IT¼¼ÊõÎĵµÖÐÐÄ >> Îĵµ×ÊÔ´ >> °²È«¼¼Êõ >> ¼ÓÃܽâÃÜ >> ÎĵµÕýÎÄ
Magic Utilities 2003 脱壳手记 下
作者：未知 文章来源：互联网 点击数： 更新时间：2007-7-14 15:39:54
   上面001B:0056B372处又被花，纠正一下：
   :a 56b372
   001B:0056B372 nop
   001B:0056B373
   ：
   得到：
/* Author's patch: the byte at 0056B372 was overwritten with NOP (the `a 56b372` above);
   the original byte is not shown on this page. */
001B:0056B372  90                  NOP
001B:0056B373  6800400000          PUSH      00004000
/* This is the real target of the jz at 001B:0056B2FD. */
001B:0056B378  6A00                PUSH      00
001B:0056B37A  57                  PUSH      EDI
/* Three values (0x4000, 0, EDI) pushed, then a call through a slot in the packer's data area.
   Every [EBP+0040xxxx] reference below goes through the same base, so EBP presumably holds the
   stub's relocation/delta base; which API this slot points to cannot be told from this listing. */
001B:0056B37B  FF9545974000        CALL      [EBP+00409745]
/* EDI = start of the buffer to post-process: a base pointer plus an offset, both read from packer data. */
001B:0056B381  8BBD3C964000        MOV       EDI,[EBP+0040963C]
001B:0056B387  03BDE6904000        ADD       EDI,[EBP+004090E6]
/* ECX = byte count for that buffer (the loop below decrements it once per byte advanced). */
001B:0056B38D  8B8D40964000        MOV       ECX,[EBP+00409640]
/* Save start and length; they are popped again at 0056B414 for the checksum pass. */
001B:0056B393  51                  PUSH      ECX
001B:0056B394  57                  PUSH      EDI
/* Loop state: EDX = running delta for the FF 25 case, EBX = current offset from the buffer
   start (kept in step with EDI), ESI = bytes to advance on the next iteration. All start at 0. */
001B:0056B395  33D2                XOR       EDX,EDX
001B:0056B397  33DB                XOR       EBX,EBX
001B:0056B399  33F6                XOR       ESI,ESI
/* Main loop. This looks like the inverse of a relative-address transform (the "E8/E9 filter"
   packers apply to CALL/JMP operands before compression): walk the buffer byte by byte and
   rewrite the operand of every E8/E9, 0F 8x and FF 25 instruction found.
   Entered with ESI = length of the instruction matched on the previous pass (0 the first time). */
001B:0056B39B  03FE                ADD       EDI,ESI
001B:0056B39D  03DE                ADD       EBX,ESI
/* ECX counts down; leave when it hits 0 or goes negative (JS catches the case where one of
   the SUB ECX,n paths below consumed past the end). */
001B:0056B39F  49                  DEC       ECX
001B:0056B3A0  7472                JZ        0056B414
001B:0056B3A2  7870                JS        0056B414
/* AL = byte at EDI, AH = the byte after it. */
001B:0056B3A4  668B07              MOV       AX,[EDI]
/* AL - 0xE8 of 0 or 1 means the opcode was E8 (CALL rel32) or E9 (JMP rel32). */
001B:0056B3A7  2CE8                SUB       AL,E8
001B:0056B3A9  3C01                CMP       AL,01
001B:0056B3AB  7638                JBE       0056B3E5
/* AX == 0x2517 after the subtraction means the original bytes were FF 25 (JMP dword ptr [imm32]). */
001B:0056B3AD  663D1725            CMP       AX,2517
001B:0056B3B1  7451                JZ        0056B404
/* AL == 0x27 means the opcode byte was 0x0F; with AH in 80..8F that is a Jcc rel32. */
001B:0056B3B3  3C27                CMP       AL,27
001B:0056B3B5  750A                JNZ       0056B3C1
001B:0056B3B7  80FC80              CMP       AH,80
001B:0056B3BA  7205                JB        0056B3C1
001B:0056B3BC  80FC8F              CMP       AH,8F
001B:0056B3BF  7605                JBE       0056B3C6
/* No match: step one byte and re-enter at the DEC ECX. */
001B:0056B3C1  47                  INC       EDI
001B:0056B3C2  43                  INC       EBX
001B:0056B3C3  EBDA                JMP       0056B39F
/* 0056B3C5 is never executed: the only way in is the JBE to 0056B3C6 above, which lands on the
   8B 47 02 (MOV EAX,[EDI+02]). The leading B8 is a stray byte that makes the linear disassembly
   show a bogus MOV EAX,9002478B. The NOP runs that follow (here and after 0056B3E5) look like
   junk already patched out, presumably in the first part of this write-up; they do not change the logic. */
001B:0056B3C5  B88B470290          MOV       EAX,9002478B
001B:0056B3CA  90                  NOP
001B:0056B3CB  90                  NOP
001B:0056B3CC  90                  NOP
001B:0056B3CD  90                  NOP
001B:0056B3CE  90                  NOP
001B:0056B3CF  90                  NOP
001B:0056B3D0  90                  NOP
001B:0056B3D1  90                  NOP
001B:0056B3D2  90                  NOP
001B:0056B3D3  90                  NOP
001B:0056B3D4  90                  NOP
001B:0056B3D5  90                  NOP
/* Jcc rel32 case: the dword at [EDI+2] gets the instruction's own offset (EBX) subtracted,
   then the 6-byte instruction is skipped (ESI=6 is added to EDI/EBX at 0056B39B; SUB ECX,5
   plus the DEC at 0056B39F takes 6 off the count). */
001B:0056B3D6  2BC3                SUB       EAX,EBX
001B:0056B3D8  894702              MOV       [EDI+02],EAX
001B:0056B3DB  BE06000000          MOV       ESI,00000006
001B:0056B3E0  83E905              SUB       ECX,05
001B:0056B3E3  EBB6                JMP       0056B39B
/* E8/E9 case: same fix-up on the dword at [EDI+1]; instruction length 5. */
001B:0056B3E5  8B4701              MOV       EAX,[EDI+01]
001B:0056B3E8  90                  NOP
001B:0056B3E9  90                  NOP
001B:0056B3EA  90                  NOP
001B:0056B3EB  90                  NOP
001B:0056B3EC  90                  NOP
001B:0056B3ED  90                  NOP
001B:0056B3EE  90                  NOP
001B:0056B3EF  90                  NOP
001B:0056B3F0  90                  NOP
001B:0056B3F1  90                  NOP
001B:0056B3F2  90                  NOP
001B:0056B3F3  90                  NOP
001B:0056B3F4  90                  NOP
001B:0056B3F5  2BC3                SUB       EAX,EBX
001B:0056B3F7  894701              MOV       [EDI+01],EAX
001B:0056B3FA  BE05000000          MOV       ESI,00000005
001B:0056B3FF  83E904              SUB       ECX,04
001B:0056B402  EB97                JMP       0056B39B
/* FF 25 case: the dword at [EDI+2] is delta-coded. EDX starts at 0 and drops by 4 after each
   hit, so the k-th JMP [imm32] found gets 4*k added back. The step is 8 bytes (SUB ECX,8 /
   INC ECX / DEC ECX nets -8); why 8 rather than the 6-byte instruction length is not visible
   here — presumably a 2-byte pad after each thunk. */
001B:0056B404  295702              SUB       [EDI+02],EDX
001B:0056B407  BE08000000          MOV       ESI,00000008
001B:0056B40C  83EA04              SUB       EDX,04
001B:0056B40F  2BCE                SUB       ECX,ESI
001B:0056B411  41                  INC       ECX
001B:0056B412  EB87                JMP       0056B39B
/* Transform loop finished. Recover the buffer start (EDI) and length (ECX) pushed at
   0056B393/0056B394 and run an integrity check over the decoded bytes. */
001B:0056B414  5F                  POP       EDI
/* Author's note: reached this point directly with `g 56b414`. */
001B:0056B415  59                  POP       ECX
001B:0056B416  33C0                XOR       EAX,EAX
/* Empty buffer, or fewer than 4 bytes: the checksum stays 0. */
001B:0056B418  85C9                TEST      ECX,ECX
001B:0056B41A  743B                JZ        0056B457
001B:0056B41C  8BF7                MOV       ESI,EDI
001B:0056B41E  33C0                XOR       EAX,EAX
001B:0056B420  83F904              CMP       ECX,04
001B:0056B423  7232                JB        0056B457
/* 87 DB (XCHG EBX,EBX) is a 2-byte no-op; the five here are padding or patched-out junk. */
001B:0056B425  87DB                XCHG      EBX,EBX
001B:0056B427  87DB                XCHG      EBX,EBX
001B:0056B429  87DB                XCHG      EBX,EBX
001B:0056B42B  87DB                XCHG      EBX,EBX
001B:0056B42D  87DB                XCHG      EBX,EBX
/* Per dword d: EAX += d; EAX ^= (rol(d,1) + 1). The SHL pushes bit 31 into CF and ADC adds it
   back in together with the constant 1. */
001B:0056B42F  8B1E                MOV       EBX,[ESI]
001B:0056B431  03C3                ADD       EAX,EBX
001B:0056B433  D1E3                SHL       EBX,1
001B:0056B435  83D301              ADC       EBX,01
001B:0056B438  33C3                XOR       EAX,EBX
001B:0056B43A  83C604              ADD       ESI,04
001B:0056B43D  83E904              SUB       ECX,04
001B:0056B440  7415                JZ        0056B457
001B:0056B442  83F904              CMP       ECX,04
001B:0056B445  73E8                JAE       0056B42F
/* 1..3 bytes left: back ESI up by (4 - ECX) so the last dword overlaps the previous one and
   ends exactly at the buffer end, then process it as a full dword. */
001B:0056B447  BA04000000          MOV       EDX,00000004
001B:0056B44C  2BD1                SUB       EDX,ECX
001B:0056B44E  2BF2                SUB       ESI,EDX
001B:0056B450  B904000000          MOV       ECX,00000004
001B:0056B455  EBD8                JMP       0056B42F
/* Compare with the expected value kept in packer data. Equal: continue at 0056B4AC, the first
   instruction after the two message strings that follow. Not equal: jump back to 0056B2B3,
   outside this listing — given the strings below, presumably the "corrupt executable" path. */
001B:0056B457  3B8567974000        CMP       EAX,[EBP+00409767]
/* Author's note: reached this point directly with `g 56b457`. */
001B:0056B45D  744D                JZ        0056B4AC
/* Note the target of this jz. */
001B:0056B45F  E94FFEFFFF          JMP       0056B2B3
/* Not code. Bytes 0056B464..0056B4AB are two NUL-terminated ASCII strings that SoftICE has
   disassembled linearly: "This executable is corrupt! Please obtain a new copy." followed by
   "Checksum Failure!". Nothing executes them: the JZ at 0056B45D lands on 0056B4AC, the E8 at
   the very end of the last line of this listing. */
001B:0056B464  54                  PUSH      ESP
001B:0056B465  6869732065          PUSH      65207369
001B:0056B46A  7865                JS        0056B4D1
001B:0056B46C  637574              ARPL      [EBP+74],SI
001B:0056B46F  61                  POPAD
001B:0056B470  626C6520            BOUND     EBP,[EBP+20]
001B:0056B474  697320636F7272      IMUL      ESI,[EBX+20],72726F63
001B:0056B47B  7570                JNZ       0056B4ED
001B:0056B47D  7421                JZ        0056B4A0
001B:0056B47F  20506C              AND       [EAX+6C],DL
001B:0056B482  6561                POPAD
001B:0056B484  7365                JAE       0056B4EB
001B:0056B486  206F62              AND       [EDI+62],CH
001B:0056B489  7461                JZ        0056B4EC
001B:0056B48B  696E2061206E65      IMUL      EBP,[ESI+20],656E2061
001B:0056B492  7720                JA        0056B4B4
001B:0056B494  636F70              ARPL      [EDI+70],BP
001B:0056B497  792E                JNS       0056B4C7
001B:0056B499  004368              ADD       [EBX+68],AL
001B:0056B49C  65636B73            ARPL      GS:[EBX+73],BP
001B:0056B4A0  756D                JNZ       0056B50F
001B:0056B4A2  204661              AND       [ESI+61],AL
001B:0056B4A5  696C7572652100E8    IMUL      EBP,[ESI*2+EBP+72],E8002165
______________________________________________________________________
   001B:0056B4a5的指令又被花了，改正它：
   :a 56b4a5
   001B:0056B4A5 nop
   001B:0056B4A6
   ：
   得到：
/* Author's patch: the NOP at 0056B4A5 replaced the 'i' of "Failure!" — this is still string
   data (the bytes 6C 75 72 65 21 00 = "lure!\0" follow it), not a junk instruction, so the
   patch was unnecessary; it only mangles the text of that message. */
001B:0056B4A5  90                  NOP
001B:0056B4A6  6C                  INSB
001B:0056B4A7  7572                JNZ       0056B51B
001B:0056B4A9  652100              AND       GS:[EAX],EAX
/* Real code resumes here: target of the JZ at 0056B45D when the checksum matched. */
001B:0056B4AC  E8A1010000          CALL      0056B652
001B:0056B4B1  E8A3000000          CALL      0056B559
/* The JAE tests flags left by the callee (0056B559 is not shown). Taken: 0056B523, which ends
   in the transfer to the OEP. Not taken: the message/exit sequence that follows. */
001B:0056B4B6  736B                JAE       0056B523
001B:0056B4B8  E856020000          CALL      0056B713
/* Fall-through from the JAE at 0056B4B6. A pointer into packer data and EAX (result of the
   previous call) are pushed, then a call through [EBP+0040973D] — the shape of a
   GetProcAddress(module, name) lookup, though neither name is visible here. */
001B:0056B4BD  8D9D1B974000        LEA       EBX,[EBP+0040971B]
001B:0056B4C3  53                  PUSH      EBX
001B:0056B4C4  50                  PUSH      EAX
001B:0056B4C5  FF953D974000        CALL      [EBP+0040973D]
/* Push a second data pointer, then pick one of two further pointers into ECX depending on
   whether the dword at [EBP+0040972D] equals 1. */
001B:0056B4CB  8D9D6B974000        LEA       EBX,[EBP+0040976B]
001B:0056B4D1  53                  PUSH      EBX
001B:0056B4D2  83BD2D97400001      CMP       DWORD PTR [EBP+0040972D],01
001B:0056B4D9  7408                JZ        0056B4E3
001B:0056B4DB  8D8DB2964000        LEA       ECX,[EBP+004096B2]
001B:0056B4E1  EB06                JMP       0056B4E9
001B:0056B4E3  8D8D6E964000        LEA       ECX,[EBP+0040966E]
/* Call the looked-up function with (EBX, ECX, EDX, EDI) pushed on top of the EBX from 0056B4D1. */
001B:0056B4E9  8B9525974000        MOV       EDX,[EBP+00409725]
001B:0056B4EF  8BBD29974000        MOV       EDI,[EBP+00409729]
001B:0056B4F5  57                  PUSH      EDI
001B:0056B4F6  52                  PUSH      EDX
001B:0056B4F7  51                  PUSH      ECX
001B:0056B4F8  53                  PUSH      EBX
001B:0056B4F9  FFD0                CALL      EAX
/* Second lookup through [EBP+0040973D]. The POP EBX pairs with the PUSH at 0056B4D1 only if
   the CALL EAX above cleaned its own four arguments — TODO confirm. */
001B:0056B4FB  8D9D0F974000        LEA       EBX,[EBP+0040970F]
001B:0056B501  53                  PUSH      EBX
001B:0056B502  FFB538964000        PUSH      DWORD PTR [EBP+00409638]
001B:0056B508  FF953D974000        CALL      [EBP+0040973D]
001B:0056B50E  5B                  POP       EBX
/* Four arguments (0, EBX, ECX, 0x10): consistent with a message-box style call
   (hwnd, text, caption, flags) — verify against the resolved name before relying on it. */
001B:0056B50F  8D8D58964000        LEA       ECX,[EBP+00409658]
001B:0056B515  6A10                PUSH      10
001B:0056B517  51                  PUSH      ECX
001B:0056B518  53                  PUSH      EBX
001B:0056B519  6A00                PUSH      00
001B:0056B51B  FFD0                CALL      EAX
/* Tail-jump through a packer data slot: no return address is pushed, so the stub does not
   expect control back — presumably a process-exit routine. */
001B:0056B51D  FFA549974000        JMP       [EBP+00409749]
/* Success path (JAE from 0056B4B6). 0xC3 is the RET opcode: if the byte at [EBP+00409F6B]
   already is a RET the call below is skipped. What lives at that address is not visible here. */
001B:0056B523  80BD6B9F4000C3      CMP       BYTE PTR [EBP+00409F6B],C3
001B:0056B52A  7422                JZ        0056B54E
/* Otherwise call 0056C03A with ([EBP+00409739], [EBP+0040973D], EDX, 0x40); a non-zero
   result goes back to 0056B2EB, outside this listing. */
001B:0056B52C  8D956BA14000        LEA       EDX,[EBP+0040A16B]
001B:0056B532  6A40                PUSH      40
001B:0056B534  52                  PUSH      EDX
001B:0056B535  FFB53D974000        PUSH      DWORD PTR [EBP+0040973D]
001B:0056B53B  FFB539974000        PUSH      DWORD PTR [EBP+00409739]
001B:0056B541  E8F40A0000          CALL      0056C03A
001B:0056B546  85C0                TEST      EAX,EAX
001B:0056B548  0F859DFDFFFF        JNZ       0056B2EB
/* Restore registers and flags — presumably matching a PUSHAD/PUSHFD in the part of the stub
   not shown — so the original program starts with its own register state. */
001B:0056B54E  61                  POPAD
001B:0056B54F  9D                  POPFD
/* Telltale instructions: the PUSH imm32 / RET 4 pair is the stub's transfer to the OEP. */
001B:0056B550  50                  PUSH      EAX
001B:0056B551  689C124500          PUSH      0045129C
/* This is the original entry point. RET 4 pops 0045129C into EIP and then discards the slot
   from PUSH EAX, so the stack is balanced on arrival at the OEP. */
001B:0056B556  C20400              RET       0004
   在这里用a eip
           jmp eip
   挂起程序，然后到Peditor中dump full。

___________________________________________________________________

   下面的工作就是定位输入表了。

   用Ultraedit打开dump下来的程序，搜索kernel,位于pec1块的搜索结果如下(事实上，在pec1 section
中有不止一处的kernel,但是其他位置的kernel都不能找到相应的IID->Name)：

000950b0h: 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 ; tEnvironmentVari
000950c0h: 61 62 6C 65 41 00 4B 45 52 4E 45 4C 33 32 2E 64 ; ableA.KERNEL32.d  
000950d0h: 6C 6C 00 00 00 00 47 65 74 4D 65 6E 75 49 74 65 ; ll....GetMenuIte
000950e0h: 6D 49 6E 66 6F 41 00 00 00 00 53 65 74 52 65 63 ; mInfoA....SetRec
000950f0h: 74 00 00 00 44 72 61 77 45 64 67 65 00 00 00 00 ; t...DrawEdge....
00095100h: 46 69 6C 6C 52 65 63 74 00 00 00 00 43 6F 70 79 ; FillRect....Copy
00095110h: 52 65 63 74 00 00 00 00 47 65 74 53 79 73 43 6F ; Rect....GetSysCo
00095120h: 6C 6F 72 00 00 00 53 79 73 74 65 6D 50 61 72 61 ; lor...SystemPara
00095130h: 6D 65 74 65 72 73 49 6E 66 6F 41 00 00 00 44 65 ; metersInfoA...De                                              
   再通过这个地址反推IID的location，向上找到的IID数组如下：

00093ea0h: 60 46 09 00 00 00 00 00 00 00 00 00 0E 47 09 00 ; `F...........G..          
00093eb0h: 94 06 08 00 68 43 09 00 00 00 00 00 00 00 00 00 ; ?..hC..........
00093ec0h: 80 47 09 00 9C 03 08 00 3C 41 09 00 00 00 00 00 ; €G..?..<A......                                              

   这样就得到了输入表的地址：00093ea0。
   最后用PeditorD打开dump下来的文件，填入OEP:0005129C(RVA)
                                         Import Table:00093EA0

   运行一下，成功！
  
后记：脱壳中遇到一些不太明白的地方，希望大侠能解答一下：
    1.我在载入源程序前把所有的section的characteristics都改成E0000020也不能使Softice在入口点处中断，不知是什么原因。
    2.Peditor dump下来的文件是磁盘文件还是内存映象？其IAT是否已被填充为API的入口地址？
    3.我手工脱壳以后的文件反汇编没有参考字符串，而用Pe_Scan脱壳后却有字符串。不知如何才能做到。
