ZeTa gave me the server side of 韩天一's 天堂木马 (the "Paradise" trojan), said he had been infected by it, and asked me to take it apart.
Here is my humble attempt.
Load it in OD (OllyDbg); it stops at the following code:
00428F6D L> BE 88014000 mov esi,L.00400188
00428F72 AD lods dword ptr ds:[esi]
00428F73 8BF8 mov edi,eax
00428F75 95 xchg eax,ebp
00428F76 AD lods dword ptr ds:[esi]
00428F77 91 xchg eax,ecx
The code is not hard to analyze, but there is no need to step through it slowly either.
I have summarized the pattern WinUpack follows for locating the OEP:
just press CTRL+S and search for the command sequence
push esi
xchg eax,edi
which lands at the following code:
00429117 - 0F84 BBDFFDFF je L.004070D8
0042911D 56 push esi
0042911E 97 xchg eax,edi
0042911F FF53 FC call dword ptr ds:[ebx-4]
00429122 95 xchg eax,ebp
00429123 AC lods byte ptr ds:[esi]
See the je L.004070D8 immediately above it?
The value after the je is the OEP. Simple, isn't it?
Copy the OEP, CTRL+G to jump to the OEP,
F4 to run to the OEP:
004070D8 55 db 55 ; CHAR 'U'
004070D9 8B db 8B
004070DA EC db EC
004070DB 83 db 83
004070DC C4 db C4
004070DD F0 db F0
004070DE B8 db B8
004070DF 68704000 dd L.00407068
004070E3 E8 db E8
004070E4 5C db 5C ; CHAR '\'
Everything shown is data, but that does not matter: CTRL+A to analyze the code.
A typical Borland Delphi 6.0 - 7.0 entry point.
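As an added example (not part of the original post), a small Python scanner that applies the rule above: it looks for the 56 97 pair (push esi / xchg eax,edi) sitting directly after a 0F 84 je rel32 and decodes the jump target. It runs over a constructed buffer holding the stub bytes from the listing; the base VA of that buffer is an assumption.

```python
import struct

# Constructed sample: the WinUpack stub bytes from the listing above
# (je 004070D8 / push esi / xchg eax,edi / call [ebx-4] / xchg eax,ebp / lodsb),
# preceded by filler that also contains a stray 56 97 without a je in front of it.
SAMPLE_VA = 0x00429100                      # assumed VA of SAMPLE[0]
SAMPLE = (
    b"\x90" * 0x10 + b"\x56\x97" + b"\x90" * 5   # filler (0x17 bytes) with a decoy
    + b"\x0f\x84\xbb\xdf\xfd\xff"           # 00429117  je 004070D8
    + b"\x56\x97"                           # 0042911D  push esi ; xchg eax,edi
    + b"\xff\x53\xfc"                       # 0042911F  call dword ptr [ebx-4]
    + b"\x95\xac"                           # 00429122  xchg eax,ebp ; lodsb
)

# Signature: je rel32 (0F 84 xx xx xx xx) immediately followed by push esi (56)
# and xchg eax,edi (97). rel32 is relative to the end of the 6-byte je.
JE_REL32 = b"\x0f\x84"
PUSH_ESI_XCHG_EAX_EDI = b"\x56\x97"


def find_winupack_oep(code: bytes, base_va: int):
    """Return a list of (je_va, target_va) for every match of the signature."""
    hits = []
    pos = 0
    while True:
        pos = code.find(PUSH_ESI_XCHG_EAX_EDI, pos)
        if pos < 0:
            break
        je_off = pos - 6
        # Only accept the pair when a je rel32 sits directly in front of it
        if je_off >= 0 and code[je_off:je_off + 2] == JE_REL32:
            rel32 = struct.unpack("<i", code[je_off + 2:je_off + 6])[0]
            je_va = base_va + je_off
            hits.append((je_va, je_va + 6 + rel32))   # target = next-instruction VA + rel32
        pos += 1
    return hits


if __name__ == "__main__":
    for je_va, oep in find_winupack_oep(SAMPLE, SAMPLE_VA):
        print(f"je at {je_va:08X} -> OEP candidate {oep:08X}")
```

Run over a real dump, pass the VA of the section start as base_va so the computed targets are module addresses rather than file offsets.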
004070D8 d> $ 55 push ebp
004070D9 . 8BEC mov ebp,esp
004070DB . 83C4 F0 add esp,-10
004070DE . B8 68704000 mov eax,dumped_.00407068
004070E3 . E8 5CCDFFFF call dumped_.00403E44
004070E8 . E8 B3E9FFFF call dumped_.00405AA0
004070ED . E8 EAC3FFFF call dumped_.004034DC
Follow the call dumped_.00405AA0:
00405AA0 /$ 55 push ebp
00405AA1 |. 8BEC mov ebp,esp
00405AA3 |. B9 0C000000 mov ecx,0C
00405AA8 |> 6A 00 /push 0
00405AAA |. 6A 00 |push 0
00405AAC |. 49 |dec ecx
00405AAD |.^ 75 F9 \jnz short dumped_.00405AA8
00405AAF |. 51 push ecx
00405AB0 |. 53 push ebx
Put the cursor on 00405AB0 and
F4 to step past the loop at 00405AAD |.^ 75 F9 \jnz short dumped_.00405AA8.
Below it we see:
00405AC6 |> /E8 51120000 /call dumped_.00406D1C
00405ACB |. |A1 04814000 |mov eax,dword ptr ds:[408104]
00405AD0 |. |8B00 |mov eax,dword ptr ds:[eax]
00405AD2 |. |E8 6DDEFFFF |call dumped_.00403944
00405AD7 |. |50 |push eax ; /MapName
00405AD8 |. |68 FB100100 |push 110FB ; |MaximumSizeLow = 110FB
00405ADD |. |6A 00 |push 0 ; |MaximumSizeHigh = 0
00405ADF |. |6A 04 |push 4 ; |Protection = PAGE_READWRITE
00405AE1 |. |6A 00 |push 0 ; |pSecurity = NULL
00405AE3 |. |6A FF |push -1 ; |hFile = FFFFFFFF
00405AE5 |. |E8 46E4FFFF |call
00405AEA |. |A3 CC974000 |mov dword ptr ds:[4097CC],eax
00405AEF |. |6A 00 |push 0 ; /MapSize = 0
00405AF1 |. |6A 00 |push 0 ; |OffsetLow = 0
00405AF3 |. |6A 00 |push 0 ; |OffsetHigh = 0
00405AF5 |. |6A 06 |push 6 ; |AccessMode = 6
00405AF7 |. |A1 CC974000 |mov eax,dword ptr ds:[4097CC] ; |
00405AFC |. |50 |push eax ; |hMapObject => NULL
00405AFD |. |E8 36E5FFFF |call
Heh, the trojan is opening itself, getting ready to operate on it.
Follow the call 00406D1C at 00405AC6
and look at the code below:
00406D55 . 6A 00 push 0 ; /pFileSizeHigh = NULL
00406D57 . 56 push esi ; |hFile
00406D58 . E8 53D2FFFF call
00406D5D . 8945 FC mov dword ptr ss:[ebp-4],eax
00406D60 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00406D63 . E8 20B7FFFF call dumped_.00402488
00406D68 . 8BD8 mov ebx,eax
00406D6A . 6A 00 push 0 ; /pOverlapped = NULL
00406D6C . 8D45 FC lea eax,dword ptr ss:[ebp-4] ; |
00406D6F . 50 push eax ; |pBytesRead
00406D70 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00406D73 . 50 push eax ; |BytesToRead
00406D74 . 53 push ebx ; |Buffer
00406D75 . 56 push esi ; |hFile
00406D76 . E8 D5D2FFFF call
00406D9D .^\75 EF jnz short dumped_.00406D8E
00406D9F > 8B55 FC mov edx,dword ptr ss:[ebp-4]
00406DA2 . 8BC3 mov eax,ebx
00406DA4 . E8 FFB6FFFF call dumped_.004024A8
00406DA9 . 56 push esi ; /hObject
00406DAA . E8 61D1FFFF call
00406DAF . 817D F8 80000000 cmp dword ptr ss:[ebp-8],80
00406DB6 . 74 11 je short dumped_.00406DC9
00406DB8 > 6A 00 push 0 ; /ExitCode = 0
00406DBA . E8 99D1FFFF call
00406DBF .^\E9 73FFFFFF jmp dumped_.00406D37
00406DC4 . E8 13C7FFFF call dumped_.004034DC
Through the code above the trojan verifies its own size; if the size does not match the preset value, it calls ExitProcess.
Removing the self-check is just as simple:
change the je short 00406DC9 at 00406DB6 into an unconditional jump and it's done:
jmp short 00406DC9
After the change, save it as an exe and you're good.