UnpackMe_002 By breezer(jdpack 壳脱壳分析:aPLib 解压 → 回写代码段 → 重建 IAT → 经栈上跳板跳转 OEP)

Eddy 发布于 2009-11-24 16:35 分类: 加密解密

jdpack:0040B000 ; Packer entry point (EP). This is NOT the OEP: the original entry point is
jdpack:0040B000 ; the hard-coded 401240h reached at the very end of the stub (0040A2DF).
jdpack:0040B000                 pusha                   ; save all GP registers; no matching popa for this pusha is visible anywhere in this listing
.jdpack:0040B001                 call    Jmp_Confused    ; near call used as a disguised jmp: the return address it pushes (0040B006) is never returned to

jdpack:0040B028 ; push/retn pair = obfuscated "jmp ShellCode"; defeats naive call/jmp tracing.
jdpack:0040B028 Jmp_Confused    proc near               ; CODE XREF: EntryPoint+1p
.jdpack:0040B028                 push    offset ShellCode ; fake return address = target of the disguised jump
.jdpack:0040B02D                 retn                    ; "returns" into ShellCode; the real return address from the call stays on the stack


seg006:0040A0FF ; Unpacking stub (presumably the ShellCode target pushed at 0040B028 - confirm).
seg006:0040A0FF ; Resolves GlobalAlloc at run time, allocates the decompression buffer and then
seg006:0040A0FF ; falls straight through into aPLib_Depack below (there is no call).
seg006:0040A0FF                 pusha                   ; saved state is restored by the popa at 0040A299
seg006:0040A100                 push    offset s_Kernel32_dll ; "KERNEL32.DLL"
seg006:0040A105                 mov     eax, offset GetModuleHandleA
seg006:0040A10A                 call    dword ptr [eax] ; eax = GetModuleHandleA("KERNEL32.DLL"), called through the stub's own import pointer
seg006:0040A10A
seg006:0040A10C                 push    offset s_Globalalloc ; "GlobalAlloc" (lpProcName)
seg006:0040A111                 push    eax             ; hModule = kernel32
seg006:0040A112                 mov     eax, offset GetProcAddress
seg006:0040A117                 call    dword ptr [eax] ; eax = GetProcAddress(kernel32, "GlobalAlloc"); GetModuleHandleA/GetProcAddress/LoadLibraryA are the only import pointers the stub dereferences directly in this listing
seg006:0040A117
seg006:0040A119                 push    1A00h           ; dwBytes = 0x1A00 (size of the decoded code, matches the copy-back loop at 0040A1C7)
seg006:0040A11E                 push    40h             ; uFlags = GMEM_ZEROINIT (GMEM_FIXED is 0, so the return value is a usable pointer)
seg006:0040A120                 call    eax ; GlobalAlloc (IDA's "GetProcAddress" annotation is stale) ; eax = scratch buffer for the decoded code. No NULL check: an allocation failure would make edi = 0 below and the depacker would write to address 0
seg006:0040A120
seg006:0040A122                 mov     ds:hModule, eax ; misnamed by IDA: this is the GlobalAlloc buffer pointer, handed to GlobalFree at 0040A297
seg006:0040A128                 mov     edi, eax        ; depack arg 1: destination = the 0x1A00-byte buffer
seg006:0040A12A                 mov     esi, offset dword_401000 ; depack arg 2: source = packed stream at 401000h (the program's own code area; the decoded code is copied back over it at 0040A1CC)
seg006:0040A12F
seg006:0040A12F ; =============== S U B R O U T I N E =======================================
seg006:0040A12F
seg006:0040A12F
seg006:0040A12F ; aPLib "depack" decompressor, inlined (entered by fall-through from 0040A12A,
seg006:0040A12F ; not by call). The instruction sequence matches the reference aPLib assembly
seg006:0040A12F ; decoder (getbit / getgamma helpers, 32000 offset threshold, 7Fh/ah>=5 cases).
seg006:0040A12F ;   esi = packed input, edi = output, dl = tag bit buffer (80h = sentinel),
seg006:0040A12F ;   ebx = previous item was a literal (2) or a match (1), ebp = last match offset.
seg006:0040A12F ; No bounds checks at all: neither edi against the end of the 0x1A00-byte
seg006:0040A12F ; buffer nor (edi - offset) against its start is validated, so a malformed
seg006:0040A12F ; stream reads/writes outside the heap allocation. Tolerable here only because
seg006:0040A12F ; the stream is embedded in the binary; do not reuse this routine on untrusted data.
seg006:0040A12F aPLib_Depack    proc near
seg006:0040A12F
seg006:0040A12F ; FUNCTION CHUNK AT seg006:0040A1C6 SIZE 0000010B BYTES
seg006:0040A12F ; FUNCTION CHUNK AT seg006:0040A2D8 SIZE 00000008 BYTES
seg006:0040A12F
seg006:0040A12F                 pusha                   ; restored by the popa at Depack_Exit (0040A1C6)
seg006:0040A130                 cld                     ; movsb/stosb/lodsb move forward
seg006:0040A131                 mov     dl, 80h         ; empty bit buffer holding only the sentinel: the first getbit shifts it out and fetches a byte
seg006:0040A133                 xor     ebx, ebx
seg006:0040A133
seg006:0040A135
seg006:0040A135 loc_40A135:                             ; CODE XREF: aPLib_Depack+Ej
seg006:0040A135                 movsb                   ; tag bit 0 (and, unconditionally, the very first byte): copy one literal byte
seg006:0040A136                 mov     bl, 2           ; remember "last item was a literal"; biases the next match's offset code (sub ecx, ebx below)
seg006:0040A136
seg006:0040A138
seg006:0040A138 loc_40A138:                             ; CODE XREF: aPLib_Depack+33j
seg006:0040A138                                         ; aPLib_Depack+79j
seg006:0040A138                 call    sub_40A1AA      ; getbit -> CF
seg006:0040A138
seg006:0040A13D                 jnb     short loc_40A135 ; tag 0   : literal
seg006:0040A13D
seg006:0040A13F                 xor     ecx, ecx
seg006:0040A141                 call    sub_40A1AA      ; getbit
seg006:0040A141
seg006:0040A146                 jnb     short loc_40A164 ; tag 10  : match with gamma-coded offset and length
seg006:0040A146
seg006:0040A148                 xor     eax, eax
seg006:0040A14A                 call    sub_40A1AA      ; getbit
seg006:0040A14A
seg006:0040A14F                 jnb     short loc_40A174 ; tag 110 : short match, one byte = 7-bit offset + 1-bit length
seg006:0040A14F
seg006:0040A151                 mov     bl, 2           ; tag 111 : single byte from a 4-bit offset (treated like a literal for the state)
seg006:0040A153                 inc     ecx             ; length = 1
seg006:0040A154                 mov     al, 10h         ; al collects 4 bits; the 10h marker bit falling into CF ends the loop
seg006:0040A154
seg006:0040A156
seg006:0040A156 loc_40A156:                             ; CODE XREF: aPLib_Depack+2Ej
seg006:0040A156                 call    sub_40A1AA
seg006:0040A156
seg006:0040A15B                 adc     al, al
seg006:0040A15D                 jnb     short loc_40A156 ; keep shifting until the marker bit is out
seg006:0040A15D
seg006:0040A15F                 jnz     short loc_40A1A0 ; offset 1..15: copy one byte from edi - eax
seg006:0040A15F
seg006:0040A161                 stosb                   ; offset 0 means "emit a zero byte" (al == 0 here)
seg006:0040A162                 jmp     short loc_40A138
seg006:0040A162
seg006:0040A164 ; ---------------------------------------------------------------------------
seg006:0040A164
seg006:0040A164 loc_40A164:                             ; CODE XREF: aPLib_Depack+17j
seg006:0040A164                 call    sub_40A1B6      ; getgamma without clearing ecx (ecx is already 0): high part of the offset
seg006:0040A164
seg006:0040A169                 sub     ecx, ebx        ; subtract 2 after a literal / 1 after a match
seg006:0040A16B                 jnz     short loc_40A17D
seg006:0040A16B
seg006:0040A16D                 call    sub_40A1B4      ; result 0: reuse the previous offset (ebp); ecx = gamma-coded length
seg006:0040A16D
seg006:0040A172                 jmp     short loc_40A19C
seg006:0040A172
seg006:0040A174 ; ---------------------------------------------------------------------------
seg006:0040A174
seg006:0040A174 loc_40A174:                             ; CODE XREF: aPLib_Depack+20j
seg006:0040A174                 lodsb                   ; short-match byte
seg006:0040A175                 shr     eax, 1          ; eax = 7-bit offset, CF = low bit
seg006:0040A177                 jz      short Depack_Exit ; a zero 7-bit offset is the end-of-stream marker
seg006:0040A177
seg006:0040A179                 adc     ecx, ecx        ; ecx = 0 or 1; the two incs below make the length 2 or 3
seg006:0040A17B                 jmp     short loc_40A199
seg006:0040A17B
seg006:0040A17D ; ---------------------------------------------------------------------------
seg006:0040A17D
seg006:0040A17D loc_40A17D:                             ; CODE XREF: aPLib_Depack+3Cj
seg006:0040A17D                 xchg    eax, ecx        ; eax = high part of the offset
seg006:0040A17E                 dec     eax
seg006:0040A17F                 shl     eax, 8
seg006:0040A182                 lodsb                   ; offset = (high - 1) * 256 + next byte
seg006:0040A183                 call    sub_40A1B4      ; ecx = gamma-coded length
seg006:0040A183
seg006:0040A188                 cmp     eax, 7D00h      ; length correction by offset: >= 32000 -> +2
seg006:0040A18D                 jnb     short loc_40A199
seg006:0040A18D
seg006:0040A18F                 cmp     ah, 5           ; >= 1280 -> +1
seg006:0040A192                 jnb     short loc_40A19A
seg006:0040A192
seg006:0040A194                 cmp     eax, 7Fh        ; 128..1279 -> +0; <= 127 falls through -> +2
seg006:0040A197                 ja      short loc_40A19B
seg006:0040A197
seg006:0040A199
seg006:0040A199 loc_40A199:                             ; CODE XREF: aPLib_Depack+4Cj
seg006:0040A199                                         ; aPLib_Depack+5Ej
seg006:0040A199                 inc     ecx
seg006:0040A199
seg006:0040A19A
seg006:0040A19A loc_40A19A:                             ; CODE XREF: aPLib_Depack+63j
seg006:0040A19A                 inc     ecx
seg006:0040A19A
seg006:0040A19B
seg006:0040A19B loc_40A19B:                             ; CODE XREF: aPLib_Depack+68j
seg006:0040A19B                 xchg    eax, ebp        ; ebp = new last offset
seg006:0040A19B
seg006:0040A19C
seg006:0040A19C loc_40A19C:                             ; CODE XREF: aPLib_Depack+43j
seg006:0040A19C                 mov     eax, ebp        ; eax = match offset
seg006:0040A19E                 mov     bl, 1           ; remember "last item was a match"
seg006:0040A19E
seg006:0040A1A0
seg006:0040A1A0 loc_40A1A0:                             ; CODE XREF: aPLib_Depack+30j
seg006:0040A1A0                 push    esi
seg006:0040A1A1                 mov     esi, edi
seg006:0040A1A3                 sub     esi, eax        ; source = edi - offset; byte-wise copy so overlapping (run-length) matches work
seg006:0040A1A5                 rep movsb               ; unchecked: neither the source address nor the destination end is validated
seg006:0040A1A7                 pop     esi
seg006:0040A1A8                 jmp     short loc_40A138
seg006:0040A1A8
seg006:0040A1A8 aPLib_Depack    endp
seg006:0040A1A8
seg006:0040A1AA
seg006:0040A1AA ; =============== S U B R O U T I N E =======================================
seg006:0040A1AA
seg006:0040A1AA
seg006:0040A1AA sub_40A1AA      proc near               ; CODE XREF: aPLib_Depack:loc_40A138p
seg006:0040A1AA                                         ; aPLib_Depack+12p
seg006:0040A1AA                                         ; aPLib_Depack+1Bp
seg006:0040A1AA                                         ; aPLib_Depack:loc_40A156p
seg006:0040A1AA                                         ; sub_40A1B6:loc_40A1B7p
seg006:0040A1AA                                         ; sub_40A1B6+8p
seg006:0040A1AA ; aPLib getbit: returns the next tag bit in CF. dl is the bit buffer; the 1 bit
seg006:0040A1AA ; shifted in by adc is a sentinel marking how many buffered bits remain.
seg006:0040A1AA ; Clobbers dl, flags and (on refill) esi; no end-of-stream check on esi.
seg006:0040A1AA                 add     dl, dl          ; shift the next bit into CF
seg006:0040A1AC                 jnz     short locret_40A1B3 ; bits left in the buffer
seg006:0040A1AC
seg006:0040A1AE                 mov     dl, [esi]       ; only the sentinel was left (CF = 1): fetch a new byte
seg006:0040A1B0                 inc     esi
seg006:0040A1B1                 adc     dl, dl          ; top bit of the new byte -> CF, sentinel 1 -> bit 0
seg006:0040A1B1
seg006:0040A1B3
seg006:0040A1B3 locret_40A1B3:                          ; CODE XREF: sub_40A1AA+2j
seg006:0040A1B3                 retn
seg006:0040A1B3
seg006:0040A1B3 sub_40A1AA      endp
seg006:0040A1B3
seg006:0040A1B4
seg006:0040A1B4 ; =============== S U B R O U T I N E =======================================
seg006:0040A1B4
seg006:0040A1B4
seg006:0040A1B4 sub_40A1B4      proc near               ; CODE XREF: aPLib_Depack+3Ep
seg006:0040A1B4                                         ; aPLib_Depack+54p
seg006:0040A1B4 ; aPLib getgamma entry: clears ecx and falls through into sub_40A1B6 (there is
seg006:0040A1B4 ; no retn here; IDA split one routine in two). Result is returned in ecx.
seg006:0040A1B4                 xor     ecx, ecx
seg006:0040A1B4
seg006:0040A1B4 sub_40A1B4      endp
seg006:0040A1B4
seg006:0040A1B6
seg006:0040A1B6 ; =============== S U B R O U T I N E =======================================
seg006:0040A1B6
seg006:0040A1B6
seg006:0040A1B6 sub_40A1B6      proc near               ; CODE XREF: aPLib_Depack:loc_40A164p
seg006:0040A1B6 ; aPLib getgamma body (also reached by fall-through from sub_40A1B4): gamma-style
seg006:0040A1B6 ; variable-length decoder. Starts from ecx = 1 (callers pass ecx = 0), then per
seg006:0040A1B6 ; pair of tag bits shifts the first into ecx and continues while the second is 1.
seg006:0040A1B6 ; Unbounded: nothing limits the bit count, so ecx can wrap on a malformed stream
seg006:0040A1B6 ; and feed an arbitrary length to rep movsb. Result in ecx; clobbers dl/esi/flags.
seg006:0040A1B6                 inc     ecx
seg006:0040A1B6
seg006:0040A1B7
seg006:0040A1B7 loc_40A1B7:                             ; CODE XREF: sub_40A1B6+Dj
seg006:0040A1B7                 call    sub_40A1AA      ; data bit
seg006:0040A1B7
seg006:0040A1BC                 adc     ecx, ecx
seg006:0040A1BE                 call    sub_40A1AA      ; continuation bit
seg006:0040A1BE
seg006:0040A1C3                 jb      short loc_40A1B7
seg006:0040A1C3
seg006:0040A1C5                 retn
seg006:0040A1C5
seg006:0040A1C5 sub_40A1B6      endp
seg006:0040A1C5
seg006:0040A1C6 ; ---------------------------------------------------------------------------
seg006:0040A1C6 ; START OF FUNCTION CHUNK FOR aPLib_Depack
seg006:0040A1C6
seg006:0040A1C6 Depack_Exit:                            ; CODE XREF: aPLib_Depack+48j
seg006:0040A1C6 ; Decompression finished (end-of-stream marker seen at 0040A177). From here on:
seg006:0040A1C6 ; copy the decoded code back over 401000h, rebuild the IAT, free the buffer,
seg006:0040A1C6 ; then transfer to the OEP through a 2-byte trampoline placed on the stack.
seg006:0040A1C6                 popa                    ; restore the registers saved at 0040A12F; eax is the GlobalAlloc buffer again
seg006:0040A1C7                 mov     ecx, 19FCh
seg006:0040A1C7
seg006:0040A1CC
seg006:0040A1CC loc_40A1CC:                             ; CODE XREF: aPLib_Depack+A6j
seg006:0040A1CC                 mov     ebx, [eax+ecx]  ; copy-back: one dword per iteration at byte offset ecx (stride 1, overlapping stores)
seg006:0040A1CF                 mov     dword_401000[ecx], ebx ; writes bytes 1..19FFh of 401000h - the code area must be writable; offset 0 is never copied (the body runs last with ecx = 1)
seg006:0040A1D5                 loop    loc_40A1CC      ; apparently harmless: aPLib stores the first output byte raw (movsb at 0040A135) and the packed stream already lives at 401000h - confirm
seg006:0040A1D5
seg006:0040A1D7                 nop
seg006:0040A1D8                 nop
seg006:0040A1D9                 mov     edx, 400000h    ; hard-coded image base: no relocation handling is visible, so the stub assumes the image is mapped at 400000h
seg006:0040A1DE                 mov     esi, 4000h      ; RVA of the import descriptor table
seg006:0040A1E3                 add     esi, edx        ; esi = &IMAGE_IMPORT_DESCRIPTOR[0] (404000h)
seg006:0040A1E3
seg006:0040A1E5
seg006:0040A1E5 LoadLibrary:                            ; CODE XREF: aPLib_Depack+143j
seg006:0040A1E5                 mov     eax, [esi+0Ch]  ; descriptor.Name (RVA of the DLL name), not the INT; a zero RVA terminates the table
seg006:0040A1E8                 test    eax, eax
seg006:0040A1EA                 jz      LoaderFinish
seg006:0040A1EA
seg006:0040A1F0                 add     eax, edx        ; VA of the DLL name
seg006:0040A1F2                 mov     ebx, eax
seg006:0040A1F4                 push    eax
seg006:0040A1F5                 mov     eax, offset GetModuleHandleA
seg006:0040A1FA                 call    dword ptr [eax] ; GetModuleHandleA(name): reuse the module if it is already loaded
seg006:0040A1FA
seg006:0040A1FC                 test    eax, eax
seg006:0040A1FE                 jnz     short loc_40A208
seg006:0040A1FE
seg006:0040A200                 push    ebx
seg006:0040A201                 mov     eax, offset LoadLibraryA
seg006:0040A206                 call    dword ptr [eax] ; otherwise LoadLibraryA(name). The result is not checked: a missing DLL leaves a NULL handle and the thunk loop below still runs with it
seg006:0040A206
seg006:0040A208
seg006:0040A208 loc_40A208:                             ; CODE XREF: aPLib_Depack+CFj
seg006:0040A208                 mov     ds:dword_40A0CE, eax ; current module handle (stub state is kept in its own section, which therefore has to be writable as well as executable)
seg006:0040A20E                 mov     ds:dword_40A0D2, 0 ; byte offset into this descriptor's thunk arrays
seg006:0040A20E
seg006:0040A218
seg006:0040A218 loc_40A218:                             ; CODE XREF: aPLib_Depack+139j
seg006:0040A218                 mov     edx, 400000h    ; reload the base: edx is caller-clobbered across the API calls above
seg006:0040A21D                 mov     eax, [esi]      ; descriptor.OriginalFirstThunk (INT RVA)
seg006:0040A21F                 test    eax, eax
seg006:0040A221                 jnz     short GetAPIName
seg006:0040A221
seg006:0040A223                 mov     eax, [esi+10h]  ; no INT: read the names from the IAT itself (descriptor.FirstThunk)
seg006:0040A223
seg006:0040A226
seg006:0040A226 GetAPIName:                             ; CODE XREF: aPLib_Depack+F2j
seg006:0040A226                 add     eax, edx
seg006:0040A228                 add     eax, ds:dword_40A0D2 ; eax = &INT[i]
seg006:0040A22E                 mov     ebx, [eax]      ; ebx = thunk: 0, ordinal | 80000000h, or RVA of IMAGE_IMPORT_BY_NAME
seg006:0040A230                 mov     edi, [esi+10h]
seg006:0040A233                 add     edi, edx
seg006:0040A235                 add     edi, ds:dword_40A0D2 ; edi = &IAT[i]
seg006:0040A23B                 test    ebx, ebx
seg006:0040A23D                 jz      short loc_40A26A ; end of this DLL's thunks
seg006:0040A23D
seg006:0040A23F                 test    ebx, 80000000h  ; IMAGE_ORDINAL_FLAG32: import by ordinal
seg006:0040A245                 jnz     short GetAPIAddress
seg006:0040A245
seg006:0040A247                 add     ebx, edx        ; by name: VA of IMAGE_IMPORT_BY_NAME
seg006:0040A249                 inc     ebx
seg006:0040A24A                 inc     ebx             ; +2 skips the Hint word -> pointer to the ASCII name
seg006:0040A24A
seg006:0040A24B
seg006:0040A24B GetAPIAddress:                          ; CODE XREF: aPLib_Depack+116j
seg006:0040A24B                 and     ebx, 0FFFFFFFh  ; clears the ordinal flag (HIWORD 0 -> GetProcAddress treats it as an ordinal); effectively a no-op for name pointers only because the image sits below 10000000h
seg006:0040A251                 push    ebx             ; lpProcName (name pointer or ordinal)
seg006:0040A252                 push    ds:dword_40A0CE ; hModule
seg006:0040A258                 mov     eax, offset GetProcAddress
seg006:0040A25D                 call    dword ptr [eax]
seg006:0040A25D
seg006:0040A25F                 mov     [edi], eax      ; write the IAT slot; stored unconditionally, so an unresolved import silently becomes a NULL entry
seg006:0040A261                 add     ds:dword_40A0D2, 4 ; next thunk
seg006:0040A268                 jmp     short loc_40A218
seg006:0040A268
seg006:0040A26A ; ---------------------------------------------------------------------------
seg006:0040A26A
seg006:0040A26A loc_40A26A:                             ; CODE XREF: aPLib_Depack+10Ej
seg006:0040A26A                 add     esi, 14h        ; sizeof(IMAGE_IMPORT_DESCRIPTOR): next DLL
seg006:0040A26D                 mov     edx, 400000h
seg006:0040A272                 jmp     LoadLibrary
seg006:0040A272
seg006:0040A277 ; ---------------------------------------------------------------------------
seg006:0040A277
seg006:0040A277 LoaderFinish:                           ; CODE XREF: aPLib_Depack+BBj
seg006:0040A277                 push    offset s_Kernel32_dll ; IAT rebuilt and code decoded; now release the scratch buffer
seg006:0040A27C                 mov     eax, offset GetModuleHandleA
seg006:0040A281                 call    dword ptr [eax] ; eax = kernel32 handle
seg006:0040A281
seg006:0040A283                 push    offset s_Globalfree ; "GlobalFree" (lpProcName)
seg006:0040A288                 push    eax             ; hModule = kernel32 (IDA's "lpProcName" label was on the wrong push)
seg006:0040A289                 mov     eax, offset GetProcAddress
seg006:0040A28E                 call    dword ptr [eax] ; eax = GlobalFree
seg006:0040A28E
seg006:0040A290                 mov     edx, ds:hModule ; the GlobalAlloc buffer from 0040A122 (misnamed by IDA)
seg006:0040A296                 push    edx             ; hMem
seg006:0040A297                 call    eax ; GlobalFree (IDA's "GetProcAddress" annotation is stale): frees the decompression buffer
seg006:0040A297
seg006:0040A299                 popa                    ; restore the registers saved at 0040A0FF (the free already happened above)
seg006:0040A29A                 mov     eax, 401240h ; <suspicious> ; OEP, hard-coded
seg006:0040A29F                 mov     edx, 0EAh       ; 1
seg006:0040A2A4                 mov     ecx, 0E015h     ; 2
seg006:0040A2A9                 add     ecx, edx        ; 0EAh + 0E015h = 0E0FFh
seg006:0040A2AB                 xchg    ecx, edx        ; edx = 0E0FFh
seg006:0040A2AD                 xor     ebx, ebx
seg006:0040A2AF                 nop
seg006:0040A2B0                 add     ebx, eax        ; ebx = OEP
seg006:0040A2B2                 nop
seg006:0040A2B3                 xor     eax, eax
seg006:0040A2B5                 nop
seg006:0040A2B6                 add     eax, edx        ; eax = 0E0FFh
seg006:0040A2B8                 nop
seg006:0040A2B9                 push    eax             ; 3
seg006:0040A2B9                                         ; 1-3 put the dword 0000E0FFh on the stack, i.e. the bytes FF E0 = "jmp eax" (not "E0 15" as the original note said). This is executed from the stack at 0040A2DF, so it needs an executable stack and faults under DEP/NX
seg006:0040A2BA                 xor     eax, eax
seg006:0040A2BC                 add     eax, ebx        ; eax = OEP
seg006:0040A2BE                 xor     ecx, ecx
seg006:0040A2C0                 add     ecx, esp        ; ecx = address of the "jmp eax" bytes on the stack
seg006:0040A2C2                 xor     edx, edx
seg006:0040A2C4                 add     edx, eax
seg006:0040A2C6                 xor     edx, 20h        ; edx = OEP ^ 20h = 401260h, the loop bound
seg006:0040A2C9                 xor     eax, eax
seg006:0040A2C9
seg006:0040A2CB
seg006:0040A2CB loc_40A2CB:                             ; CODE XREF: aPLib_Depack+1AAj
seg006:0040A2CB                 cmp     eax, edx        ; busy loop: count eax from 0 up to 401260h (~4.2M iterations) - a delay / anti-trace measure, not a computation
seg006:0040A2CD                 jz      short loc_40A2DB
seg006:0040A2CD
seg006:0040A2CF                 jmp     short loc_40A2D8 ; jumps over the junk bytes below
seg006:0040A2CF
seg006:0040A2CF ; END OF FUNCTION CHUNK FOR aPLib_Depack
seg006:0040A2CF ; ---------------------------------------------------------------------------
seg006:0040A2D1                 db 0C3h ; retn - junk never reached on the real path; it only confuses linear-sweep disassembly
seg006:0040A2D2                 db 0EBh ; jmp short
seg006:0040A2D3                 db    4
seg006:0040A2D4                 db 0C3h ; retn
seg006:0040A2D5                 db 0EBh ; jmp short
seg006:0040A2D6                 db    1
seg006:0040A2D7                 db 0C3h ; retn
seg006:0040A2D8 ; ---------------------------------------------------------------------------
seg006:0040A2D8 ; START OF FUNCTION CHUNK FOR aPLib_Depack
seg006:0040A2D8
seg006:0040A2D8 loc_40A2D8:                             ; CODE XREF: aPLib_Depack+1A0j
seg006:0040A2D8                 inc     eax
seg006:0040A2D9                 jmp     short loc_40A2CB
seg006:0040A2D9
seg006:0040A2DB ; ---------------------------------------------------------------------------
seg006:0040A2DB
seg006:0040A2DB loc_40A2DB:                             ; CODE XREF: aPLib_Depack+19Ej
seg006:0040A2DB                 xor     eax, 20h        ; eax = 401260h ^ 20h = 401240h = OEP
seg006:0040A2DE                 push    ecx             ; "return" into the jmp-eax bytes on the stack, which then jump to the OEP
seg006:0040A2DF                 retn                    ; per this listing the stack at the OEP still holds the jmp-eax dword, the return address pushed at 0040B001 and the 32 bytes pushed at 0040B000
seg006:0040A2DF
seg006:0040A2DF ; END OF FUNCTION CHUNK FOR aPLib_Depack
seg006:0040A2DF ; ---------------------------------------------------------------------------
 

试炼文件(UnpackMe 样本,为加壳的 Win32 可执行文件;请在隔离、断网的虚拟机中调试分析,不要直接在工作机上运行):http://d.namipan.com/d/8ea5087126102fc3d82624657855d243a026b012273d0000

原帖地址:http://bbs.unpack.cn/viewthread.php?tid=34504&highlight=%2Bbreezer

原文地址:http://www.rrgod.com/decryption/140.html
