免杀记录
PE头地址+PE大小 +20代码段的大小00401004 B8 00014000 mov eax,服务端程.00400100
00401009 05 E0000000 add eax,0E0
0040100E 83C0 20 add eax,20
00401011 8B00 mov eax,dword ptr ds:
00401013 05 00004000 add eax,服务端程.00400000
二进制:B8 00 01 40 00 05 E0 00 00 00 83 C0 20 8B 00 05 00 00 40 00
---------------------------------------------------------------------------
PE头地址+PE大小 +24代码段的起始位置
00401004 B8 00014000 mov eax,服务端程.00400100
00401009 05 E0000000 add eax,0E0
0040100E 83C0 24 add eax,24
00401011 8B00 mov eax,dword ptr ds:
00401013 05 00004000 add eax,服务端程.00400000
二进制: B8 00 01 40 00 05 E0 00 00 00 83 C0 24 8B 00 05 00 00 40 00
--------------------------------------------------------------------------
RVA + 映像基址 ====在OD中地址
---------------------------------------------------------------------------
判断字符串长度
004A1ED4BE 8C304A00mov esi,004A308C
004A1ED98BFEmov edi,esi
004A1EDBAEscas byte ptres:
004A1EDC^ 75 FDjnz 004A1EDB
004A1EDE2BFEsub edi,esi
004A1EE04Fdec edi
二进制:BF 94 30 4A 00 8B F7 AE 75 FD 2B FE 4F
004A1E48 >BF 94304A00mov edi,004A3094
004A1E4D83E1 00and ecx,0
004A1E50F7D1not ecx
004A1E52F2:AErepne scas byte ptres:
004A1E54F7D1not ecx
004A1E5649dec ecx
004A1E48 >33C9xor ecx,ecx
004A1E4AF7D1not ecx
004A1E4CBF 94304A00movedi,Server.004A3094
004A1E51F2:AErepne scas byte ptres:
004A1E53F7D1not ecx
004A1E5549dec ecx
二进制:33 C9 F7 D1 BF94 30 4A 00 F2 AE F7 D1 49
---------------------------------------------------------------------------
标记位确定
004A1E56BB 00104000mov ebx,Server.00401000 更改指向
004A1E5B813B 52554E45cmp dword ptrds:,454E5552 内存数值与标志位比较
004A1E6174 03je shortServer.004A1E66 跳转第二个循环
004A1E6343inc ebx
004A1E64^ EB F5jmp shortServer.004A1E5B 继续比较
004A1E66817B 04 78654D65cmp dword ptrds:,654D6578 验证标志位
004A1E6D74 03je short Server.004A1E72 跳出
004A1E6F43inc ebx
004A1E70^ EB E9jmp shortServer.004A1E5B
二进制:BB 00 10 40 00 81 3B 52 55 4E 45 74 03 43 EB F5 81 7B 04 78 65 4D 65 7403 43 EB E9
---------------------------------------------------------------------------
自定位
0040C14F E8 00000000 call 服务端程.0040C154 压栈
0040C154 58 pop eax 弹栈
0040C155 83E8 05 sub eax,5 定位起始位
0040C158 83C0 16 add eax,16
0040C15B FFE0 jmp eax
二进制:E8 00 00 00 00 58 83 E8 05 83 C0 16 FF E0
-----------------------------------------------------------------------------------------------自动查找映像基址
原理:利用的是代码段的自定位技术进行MZ定位
004A1E48 S>E8 00000000 call Server.004A1E4D
004A1E4D 5B pop ebx
004A1E4E 81E3 00F0FFFF and ebx,FFFFF000
004A1E54 66:813B 4D5A cmp word ptr ds:,5A4D
004A1E59 74 08 je short Server.004A1E63
004A1E5B 81EB 00100000 sub ebx,1000
004A1E61 ^ EB F1 jmp short Server.004A1E54
二进制:E8 00 00 00 005B 81 E3 00 F0 FF FF 66 81 3B 4D 5A 74 08 81 EB 00 10 00 00 EB F1
---------------------------------------------------------------------------
二进制计算除法
004142B9B9 90A80200movecx, 0x2A890;ecx代表大小
004142BE33C0xoreax, eax
004142C033D2xoredx, edx
004142C233DBxorebx, ebx
004142C451push ecx
004142C566:8B0424movax, word ptr
004142C966:BB 0200movbx, 0x2
004142CD66:F7F3divbx
004142D050pusheax
004142D166:8B4424 06movax, word ptr
004142D666:F7F3divbx
004142D9C1E0 10shleax, 0x10
004142DC030424addeax, dword ptr
004142DF8BC8movecx, eax
004142E158popeax
004142E258popeax
二进制:B9 90 A8 02 00 33C0 33 D2 33 DB 51 66 8B 04 24 66 BB 02 00 66 F7 F3 50 66 8B 44 24 06 66 F7 F3 C1 E0 10 03 04 248B C8 58 58
页:
[1]