
peid逆向记录(不完全)

peid逆向记录(不完全)

【文章标题】: peid逆向记录(不完全)
【文章作者】: layper
【作者邮箱】: layper2002@yahoo.com.cn
【作者主页】: www.sy135.com
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
    用PEID加载入EXE文件,过程如下:
    
    打开文件:
    00439DFE    FF15 88D34700    call dword ptr ds:[<&comdlg32.GetOpenFileNameA>]   ; comdlg32.GetOpenFileNameA
    
    0012F458   0012F460     /pOpenFileName = 0012F460
    
    创建线程:
    00448F5C    FF15 F0D04700    call dword ptr ds:[<&kernel32.CreateThrea>;   ; kernel32.CreateThread
    
    0012F4A0   00000000     |pSecurity = NULL
    0012F4A4   00000000     |StackSize = 0
    0012F4A8   00444EB0     |ThreadFunction = PEiD.00444EB0
    0012F4AC   00468ACC     |pThreadParm = PEiD.00468ACC
    0012F4B0   00000000     |CreationFlags = 0
    0012F4B4   00468A0C     /pThreadId = PEiD.00468A0C
    
    拖放文件作初始化(扫描期间先关闭拖放,Accept = FALSE;扫描结束后再重新打开):
    0043B720    FF15 20D24700    call dword ptr ds:[<&shell32.DragAcceptFi>;   ; shell32.DragAcceptFiles
    
    0012F498   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F49C   00000000     /Accept = FALSE
    
    设置控件文本:
    0043B776    FF15 64D34700    call dword ptr ds:[<&user32.SetWindowText>;   ; USER32.SetWindowTextA
    
    0012F498   00050452     |hWnd = 00050452 ('退出(&X)',class='Button',parent=003503AE)
    0012F49C   004077C8     /Text = "中止"
    
    设置对话框项目的文本:
    00449210    FF15 50D34700    call dword ptr ds:[<&user32.SetDlgItemTex>;   ; USER32.SetDlgItemTextA
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   000003E8     |ControlID = 3E8 (1000.)
    0012F60C   00468B00     /Text = "D:/我的程序/Project1.exe"
    
    打开文件(注意是只读打开:Access = GENERIC_READ、Mode = OPEN_EXISTING,后面的映射也是 PAGE_READONLY / FILE_MAP_READ,所以被分析的样本不会被改写):
    004384BD    FF15 FCD14700    call dword ptr ds:[<&kernel32.CreateFileA>; kernel32.CreateFileA
    
    0140FF38   00468B00     |FileName = "D:/我的程序/Project1.exe"
    0140FF3C   80000000     |Access = GENERIC_READ
    0140FF40   00000001     |ShareMode = FILE_SHARE_READ
    0140FF44   00000000     |pSecurity = NULL
    0140FF48   00000003     |Mode = OPEN_EXISTING
    0140FF4C   00000080     |Attributes = NORMAL
    0140FF50   00000000     /hTemplateFile = NULL
    
    得到文件大小(pFileSizeHigh = NULL,只取低 32 位,超过 4GB 的文件会被截断;对 32 位工具来说可以接受):
    004384CE    FF15 ECD14700    call dword ptr ds:[<&kernel32.GetFileSize>; kernel32.GetFileSize
    
    0140FF4C   000001EC     |hFile = 000001EC (window)
    0140FF50   00000000     /pFileSizeHigh = NULL
    
    创建一个新的文件映射对象:
    004384E4    FF15 F0D14700    call dword ptr ds:[<&kernel32.CreateFileM>;   ; kernel32.CreateFileMappingA
    
    0140FF3C   000001EC     |hFile = 000001EC (window)
    0140FF40   00000000     |pSecurity = NULL
    0140FF44   00000002     |Protection = PAGE_READONLY
    0140FF48   00000000     |MaximumSizeHigh = 0
    0140FF4C   00000000     |MaximumSizeLow = 0
    0140FF50   00000000     /MapName = NULL
    
    映射到当前应用程序的地址空间(MapSize = 0 表示映射整个文件,之后的特征码比较都直接在这块映射内存上进行):
    004384F9    FF15 F4D14700    call dword ptr ds:[<&kernel32.MapViewOfFi>;   ; kernel32.MapViewOfFile
    
    0140FF40   00000110     |hMapObject = 00000110 (window)
    0140FF44   00000004     |AccessMode = FILE_MAP_READ
    0140FF48   00000000     |OffsetHigh = 0
    0140FF4C   00000000     |OffsetLow = 0
    0140FF50   00000000     /MapSize = 0
    
    设置文本:
    00449210    FF15 50D34700    call dword ptr ds:[<&user32.SetDlgItemTex>;   ; USER32.SetDlgItemTextA
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000404     |ControlID = 404 (1028.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000405     |ControlID = 405 (1029.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000408     |ControlID = 408 (1032.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000409     |ControlID = 409 (1033.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000406     |ControlID = 406 (1030.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000407     |ControlID = 407 (1031.)
    0012F60C   00407323     /Text = ""
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000404     |ControlID = 404 (1028.)
    0012F60C   0140FF20     /Text = "00063014"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000405     |ControlID = 405 (1029.)
    0012F60C   0140FF20     /Text = "00062414"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000408     |ControlID = 408 (1032.)
    0012F60C   0140FF20     /Text = "2.25"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000406     |ControlID = 406 (1030.)
    0012F60C   0140FF08     /Text = "CODE"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000407     |ControlID = 407 (1031.)
    0012F60C   0140FF20     /Text = "55,8B,EC,83"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   00000409     |ControlID = 409 (1033.)
    0012F60C   0140FF20     /Text = "Win32 GUI"
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   000003E9     |ControlID = 3E9 (1001.)
    0012F60C   004078D8     /Text = "正在扫描..."
    
    进行实际的内存分配工作:
    0045AD22    FF15 84D14700    call dword ptr ds:[<&kernel32.HeapAlloc>] ;   ; ntdll.RtlAllocateHeap
    
    0140F8E8   003E0000     |hHeap = 003E0000
    0140F8EC   00000000     |Flags = 0
    0140F8F0   00000020     /HeapSize = 20 (32.)
    
    0043B720    FF15 20D24700    call dword ptr ds:[<&shell32.DragAcceptFi>;   ; shell32.DragAcceptFiles
    
    0012F5F0   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F5F4   00000001     /Accept = TRUE
    
    设置窗口文本:
    0043B776    FF15 64D34700    call dword ptr ds:[<&user32.SetWindowText>;   ; USER32.SetWindowTextA
    
    0012F5F0   00050452     |hWnd = 00050452 ('中止',class='Button',parent=003503AE)
    0012F5F4   004077D0     /Text = "退出"
    
    设置文本:
    00449237    FF15 50D34700    call dword ptr ds:[<&user32.SetDlgItemTex>;   ; USER32.SetDlgItemTextA
    
    0012F604   003503AE     |hWnd = 003503AE ('PEiD v0.94',class='#32770')
    0012F608   000003E9     |ControlID = 3E9 (1001.)
    0012F60C   00AA1BA8     /Text = "Borland Delphi 6.0 - 7.0"
    
    解除对一个文件映射对象的映射:
    0043843C    FF15 F8D14700    call dword ptr ds:[<&kernel32.UnmapViewOf>;   ; kernel32.UnmapViewOfFile
    
    0140FF5C   01110000     /BaseAddress = 01110000
    
    到这里之后,PEID界面变成:
    
    文件:D:/我的程序/Project1.exe
    入口点:00063014    EP段:CODE  
    文件偏移:00062414        首字节:55,8B,EC,83
    连接器版本:2.25          子系统:Win32 GUI
    查壳:Borland Delphi 6.0 - 7.0
    
    用 OD 看清楚它的流程,用 IDA 看它判断数据的关键点(下面 sub_4341D0 依次调用三个特征检查函数,任一命中即返回):
.text:004341D0 sub_4341D0      proc near               ; CODE XREF: sub_44A740+15Bp
.text:004341D0                                         ; sub_44A740+1A3p ...
.text:004341D0
.text:004341D0 ; Driver: calls sub_433930, sub_4339E0 and sub_433AE0 in turn with the
.text:004341D0 ; same three arguments and returns al = 1 on the first hit, 0 otherwise.
.text:004341D0 ; arg_0 -> result record (byte at +0 = identified flag, string at +4 = name)
.text:004341D0 ; arg_4 -> parsed-PE record (base, bound, NT headers, section table)
.text:004341D0 ; arg_8 =  index consumed by sub_4339E0 (exact meaning not shown here)
.text:004341D0 ; The listing of this routine is interrupted below by the callee listings
.text:004341D0 ; and resumes at .text:004341E7.
.text:004341D0 arg_0           = dword ptr  8
.text:004341D0 arg_4           = dword ptr  0Ch
.text:004341D0 arg_8           = dword ptr  10h
.text:004341D0
.text:004341D0                 push    ebx
.text:004341D1                 mov     ebx, [esp+arg_0]   ; ebx -> result record
.text:004341D5                 push    esi
.text:004341D6                 mov     esi, [esp+4+arg_8] ; esi = arg_8
.text:004341DA                 push    edi
.text:004341DB                 mov     edi, [esp+8+arg_4] ; edi -> parsed-PE record
.text:004341DF                 push    esi
.text:004341E0                 push    edi
.text:004341E1                 push    ebx
.text:004341E2                 call    sub_433930   ; first checker (EPProt / DotFix FakeSigner) -- listed below; al = hit?

;---------------------------------------------------------------------------
sub_433930:
.text:00433930 sub_433930      proc near               ; CODE XREF: sub_4341D0+12p
.text:00433930                                         ; .text:00434232p ...
.text:00433930
.text:00433930 ; Signature check for "DotFix FakeSigner 2.2" and "EPProt 0.3".
.text:00433930 ; arg_0 -> result record: byte +0 is set to 1 on a hit, the string object
.text:00433930 ;          at +4 receives the packer name, dword +20h is an offset into the
.text:00433930 ;          file image (meaning not shown here; observed value 220h).
.text:00433930 ; arg_4 -> parsed-PE record: +0 = base of the file image (raw file offsets
.text:00433930 ;          are added to it), +4 = upper bound used for range checks
.text:00433930 ;          (presumably the file size -- TODO confirm), +0Ch -> IMAGE_NT_HEADERS
.text:00433930 ;          ("PE"), +18h -> first IMAGE_SECTION_HEADER.
.text:00433930 ; Returns al = 1 on a match, 0 otherwise. Clobbers eax, ecx, edx; preserves
.text:00433930 ; ebx, esi, edi, ebp.
.text:00433930 arg_0           = dword ptr  8
.text:00433930 arg_4           = dword ptr  0Ch
.text:00433930
.text:00433930                 push    ebp
.text:00433931                 mov     ebp, [esp+arg_0] ; ebp -> result record (observed ss:[0140FEEC]=00468CE0)
.text:00433935                 mov     eax, [ebp+20h]   ; offset to probe later (observed ss:[00468D00]=220h)
.text:00433938                 test    eax, eax
.text:0043393A                 jnz     short loc_433940 ; taken in the traced run
.text:0043393C                 xor     al, al           ; no offset -> no match
.text:0043393E                 pop     ebp
.text:0043393F                 retn
.text:00433940 ; ---------------------------------------------------------------------------
.text:00433940
.text:00433940 loc_433940:                             ; CODE XREF: sub_433930+Aj (reached here)
.text:00433940                 mov     edx, [esp+arg_4] ; edx -> parsed-PE record (observed ss:[0140FEF0]=0140FF90)
.text:00433944                 mov     eax, [edx+0Ch]   ; eax -> IMAGE_NT_HEADERS (observed ds:[0140FF9C]=00F200B0, "PE")
.text:00433947                 movzx   eax, word ptr [eax+6] ; NumberOfSections (observed ds:[00F200B6]=3)
.text:0043394B                 lea     ecx, [eax+eax*4]  ; ecx = NumberOfSections*5 (x8 below = x28h, one section header)
.text:0043394E                 mov     eax, [edx+18h]   ; eax -> section table (observed ds:[0140FFA8]=00F201A8, ".def")
.text:00433951                 lea     ecx, [eax+ecx*8-28h] ; ecx -> LAST section header (observed 00F201F8)
.text:00433955                 mov     eax, [ecx+10h]   ; SizeOfRawData of the last section (observed 200h)
.text:00433958                 push    esi               ; (esi observed 0B5h)
.text:00433959                 cmp     eax, [ecx+8] ; must equal VirtualSize (observed 208h vs 200h -> mismatch)
.text:0043395C                 jnz     short loc_4339D5 ; taken in the traced run -> no match
.text:0043395E                 mov     esi, [ecx+14h]   ; PointerToRawData of the last section
.text:00433961                 shr     eax, 1           ; SizeOfRawData / 2
.text:00433963                 add     eax, esi         ; eax = file offset of the middle of the last section
.text:00433965                 mov     esi, [edx+4]     ; upper bound (presumably file size -- TODO confirm)
.text:00433968                 lea     ecx, [eax+12h]
.text:0043396B                 cmp     ecx, esi
.text:0043396D                 ja      short loc_4339D5 ; bail if start+12h lies past the bound
.text:0043396F                 lea     esi, [eax+20h]   ; scan window: 20h start positions
.text:00433972                 cmp     eax, esi
.text:00433974                 jnb     short loc_433999 ; only on arithmetic wraparound
.text:00433976                 mov     ecx, [edx]       ; ecx = base of the file image
.text:00433978
.text:00433978 loc_433978:                             ; CODE XREF: sub_433930+67j
.text:00433978 ; NOTE(review): the range check above only guarantees start+12h <= bound,
.text:00433978 ; but the last iteration reads up to start+1Fh+0Ch+3 = start+2Eh, so the
.text:00433978 ; tail of the window can lie past [edx+4] (over-read of the mapped view).
.text:00433978                 cmp     word ptr [ecx+eax], 6890h  ; bytes 90 68: nop / push imm32
.text:0043397E                 jnz     short loc_433994
.text:00433980                 cmp     dword ptr [ecx+eax+6], 36FF6467h  ; bytes 67 64 FF 36: looks like push dword ptr fs:[disp16]
.text:00433988                 jnz     short loc_433994
.text:0043398A                 cmp     dword ptr [ecx+eax+0Ch], 26896467h ; bytes 67 64 89 26: looks like mov fs:[disp16], esp (SEH install)
.text:00433992                 jz      short loc_4339BF ; all three matched -> DotFix FakeSigner
.text:00433994
.text:00433994 loc_433994:                             ; CODE XREF: sub_433930+4Ej
.text:00433994                                         ; sub_433930+58j
.text:00433994                 inc     eax              ; next start position
.text:00433995                 cmp     eax, esi
.text:00433997                 jb      short loc_433978
.text:00433999
.text:00433999 loc_433999:                             ; CODE XREF: sub_433930+44j
.text:00433999                 mov     edx, [edx]       ; base of the file image
.text:0043399B                 mov     eax, [ebp+20h]   ; the offset tested at entry
.text:0043399E ; NOTE(review): [ebp+20h]-2 is dereferenced without any check against
.text:0043399E ; [edx+4] in this routine; confirm the caller validates that offset.
.text:0043399E                 cmp     word ptr [edx+eax-2], 0E0FFh ; bytes FF E0: jmp eax
.text:004339A5                 jnz     short loc_4339D5
.text:004339A7                 push    1Fh              ; length of the name string (31 chars)
.text:004339A9                 push    offset aEpprot0_3Feuer ; "EPProt 0.3 -> FEUERRADER/AHTeam"
.text:004339AE                 lea     ecx, [ebp+4]     ; this -> name string in the result record
.text:004339B1                 call    sub_430CD0       ; presumably assign(name, len) -- body not shown
.text:004339B6                 pop     esi
.text:004339B7                 mov     byte ptr [ebp+0], 1 ; mark the result as identified
.text:004339BB                 mov     al, 1
.text:004339BD                 pop     ebp
.text:004339BE                 retn
.text:004339BF ; ---------------------------------------------------------------------------
.text:004339BF
.text:004339BF loc_4339BF:                             ; CODE XREF: sub_433930+62j
.text:004339BF                 push    offset aDotfixFakesign ; "DotFix FakeSigner 2.2 -> GPcH Soft"
.text:004339C4                 lea     ecx, [ebp+4]     ; this -> name string in the result record
.text:004339C7                 call    sub_431FA0       ; presumably assign(name) -- body not shown
.text:004339CC                 pop     esi
.text:004339CD                 mov     byte ptr [ebp+0], 1 ; mark the result as identified
.text:004339D1                 mov     al, 1
.text:004339D3                 pop     ebp
.text:004339D4                 retn
.text:004339D5 ; ---------------------------------------------------------------------------
.text:004339D5
.text:004339D5 loc_4339D5:                             ; CODE XREF: sub_433930+2Cj (reached here in the traced run)
.text:004339D5                                         ; sub_433930+3Dj ...
.text:004339D5                 pop     esi
.text:004339D6                 xor     al, al           ; no match
.text:004339D8                 pop     ebp
.text:004339D9                 retn
.text:004339D9 sub_433930      endp
;------------------------------------------------------------------------------
.text:004341E7                 add     esp, 0Ch   ; sub_4341D0 resumes here: drop the 3 pushed args
.text:004341EA                 test    al, al
.text:004341EC                 jnz     short loc_4341FD  ; hit -> return 1 (not taken in the traced run)
.text:004341EE                 push    esi
.text:004341EF                 push    edi
.text:004341F0                 push    ebx ; ebx -> result record (observed 00468CE0, PEiD.00468CE0)
.text:004341F1                 call    sub_4339E0 ; second checker ([MSLRH]) -- listed below
;--------------------------------sub_4339E0--------------------------------------------------
.text:004339E0 sub_4339E0      proc near               ; CODE XREF: sub_4341D0+21p
.text:004339E0                                         ; .text:00434241p ...
.text:004339E0
.text:004339E0 ; Signature check for "[MSLRH] 0.32a". Installs an SEH frame, inspects the
.text:004339E0 ; last two section headers, then walks backwards from the end of the file
.text:004339E0 ; over zero bytes and requires the first non-zero byte to be C3 (ret).
.text:004339E0 ; arg_0 -> result record (byte +0 = identified flag, string object at +4)
.text:004339E0 ; arg_4 -> parsed-PE record (+0 base of file image, +4 bound -- presumably
.text:004339E0 ;          file size, +0Ch -> IMAGE_NT_HEADERS, +18h -> section table)
.text:004339E0 ; arg_8 =  index into the 12-byte-stride table at dword_4037E0 whose string
.text:004339E0 ;          is spliced into the reported name.
.text:004339E0 ; Returns al = 1 on a match, 0 otherwise.
.text:004339E0 var_28          = dword ptr -28h        ; temporary string object
.text:004339E0 var_C           = dword ptr -0Ch        ; saved previous fs:0
.text:004339E0 var_4           = dword ptr -4          ; SEH unwind state
.text:004339E0 arg_0           = dword ptr  4
.text:004339E0 arg_4           = dword ptr  8
.text:004339E0 arg_8           = dword ptr  0Ch
.text:004339E0
.text:004339E0                 mov     eax, large fs:0  ; --- SEH frame: previous handler
.text:004339E6                 mov     edx, [esp+arg_4] ; edx -> parsed-PE record
.text:004339EA                 push    0FFFFFFFFh       ; unwind state -1
.text:004339EC                 push    offset loc_464308 ; exception handler
.text:004339F1                 push    eax
.text:004339F2                 mov     large fs:0, esp  ; frame installed
.text:004339F9                 mov     eax, [edx+0Ch]  ; eax -> IMAGE_NT_HEADERS (observed ds:[0140FF9C]=00F200B0, "PE")
.text:004339FC                 movzx   eax, word ptr [eax+6] ; NumberOfSections (observed ds:[00F200B6]=3)
.text:00433A00                 mov     ecx, [edx+18h] ; ecx -> section table (observed ds:[0140FFA8]=00F201A8, ".def")
.text:00433A03                 sub     eax, 2 ; index of the SECOND-TO-LAST section (observed 1)
.text:00433A06                 sub     esp, 1Ch ; locals (esp observed 0140FEDC-1Ch = 0140FEC0)
.text:00433A09                 lea     eax, [eax+eax*4]  ; *5 (observed 5); *8 below = *28h
.text:00433A0C                 lea     eax, [ecx+eax*8] ; eax -> second-to-last section header (observed 00F201D0)
.text:00433A0C ; NOTE(review): there is no check that NumberOfSections >= 2. With 0 or 1
.text:00433A0C ; sections the subtraction wraps and eax points before the section table,
.text:00433A0C ; so the compares below read outside it; the SEH frame above may be what
.text:00433A0C ; absorbs the resulting fault -- not confirmed from this listing.
.text:00433A0F                 mov     ecx, [eax+10h] ; SizeOfRawData (observed ds:[00F201E0]=200h)
.text:00433A12                 push    esi
.text:00433A13                 cmp     ecx, [eax+8] ; must equal VirtualSize (observed ds:[00F201D8]=19Eh vs 200h -> mismatch)
.text:00433A16                 jnz     short loc_433A4E ; taken in the traced run
.text:00433A18                 cmp     ecx, 5000h       ; ...and be exactly 5000h
.text:00433A1E                 jnz     short loc_433A4E
.text:00433A20                 mov     ecx, [eax+38h]   ; SizeOfRawData of the NEXT (last) section (+28h+10h)
.text:00433A23                 add     eax, 28h         ; eax -> last section header
.text:00433A26                 test    ecx, ecx
.text:00433A28                 jnz     short loc_433A4E ; last section must carry no raw data
.text:00433A2A                 cmp     dword ptr [eax+8], 1000h ; ...and have VirtualSize 1000h
.text:00433A31                 jnz     short loc_433A4E
.text:00433A33                 mov     ecx, [edx+4]     ; bound (presumably file size -- TODO confirm)
.text:00433A36                 sub     eax, 28h         ; back to the second-to-last section
.text:00433A39                 mov     eax, [eax+14h]   ; its PointerToRawData
.text:00433A3C                 dec     ecx              ; ecx = index of the last byte of the image
.text:00433A3D                 cmp     ecx, eax
.text:00433A3F                 jbe     short loc_433A4E ; section start must lie below that byte
.text:00433A41                 mov     edx, [edx]       ; base of the file image
.text:00433A43
.text:00433A43 loc_433A43:                             ; CODE XREF: sub_4339E0+6Cj
.text:00433A43                 cmp     byte ptr [edx+ecx], 0 ; skip trailing zero bytes backwards
.text:00433A47                 jnz     short loc_433A60
.text:00433A49                 dec     ecx
.text:00433A4A                 cmp     ecx, eax
.text:00433A4C                 ja      short loc_433A43 ; stop at the section start -> falls into no-match
.text:00433A4E
.text:00433A4E loc_433A4E:                             ; CODE XREF: sub_4339E0+36j (reached here in the traced run)
.text:00433A4E                                         ; sub_4339E0+3Ej ...
.text:00433A4E                 pop     esi
.text:00433A4F                 xor     al, al           ; no match
.text:00433A51                 mov     ecx, [esp+28h+var_C]
.text:00433A55                 mov     large fs:0, ecx  ; restore previous SEH handler
.text:00433A5C                 add     esp, 28h
.text:00433A5F                 retn                  ; returns to 004341F6
.text:00433A60 ; ---------------------------------------------------------------------------
.text:00433A60
.text:00433A60 loc_433A60:                             ; CODE XREF: sub_4339E0+67j
.text:00433A60                 cmp     byte ptr [edx+ecx], 0C3h ; last non-zero byte must be C3 (ret)
.text:00433A64                 jnz     short loc_433A4E
.text:00433A66                 push    offset aMslrh0_32aEmad ; "[MSLRH] 0.32a -> emadicius [ "
.text:00433A6B                 lea     ecx, [esp+30h+var_28] ; this -> temporary string (local)
.text:00433A6F                 call    sub_430DC0       ; presumably construct from C string -- body not shown
.text:00433A74                 mov     eax, [esp+2Ch+arg_8]
.text:00433A78                 lea     edx, [eax+eax*2] ; arg_8 * 3
.text:00433A7B                 mov     eax, ds:dword_4037E0[edx*4] ; table entry at arg_8 * 0Ch
.text:00433A82                 push    eax
.text:00433A83                 lea     ecx, [esp+30h+var_28]
.text:00433A87                 mov     [esp+30h+var_4], 0 ; unwind state 0: temp string now live
.text:00433A8F                 call    sub_431FD0       ; presumably append table string -- body not shown
.text:00433A94                 push    2                ; length of " ]"
.text:00433A96                 push    offset asc_406CD0 ; " ]"
.text:00433A9B                 lea     ecx, [esp+34h+var_28]
.text:00433A9F                 call    sub_431E90       ; presumably append(str, len) -- body not shown
.text:00433AA4                 mov     esi, [esp+2Ch+arg_0] ; esi -> result record
.text:00433AA8                 push    0FFFFFFFFh
.text:00433AAA                 push    0
.text:00433AAC                 lea     ecx, [esp+34h+var_28]
.text:00433AB0                 push    ecx
.text:00433AB1                 lea     ecx, [esi+4]     ; this -> name string in the result record
.text:00433AB4                 call    sub_430BE0       ; presumably assign(temp, 0, -1) -- body not shown
.text:00433AB9                 lea     ecx, [esp+2Ch+var_28]
.text:00433ABD                 mov     byte ptr [esi], 1 ; mark the result as identified
.text:00433AC0                 call    sub_43C7B0       ; presumably destroy temp string -- body not shown
.text:00433AC5                 mov     ecx, [esp+2Ch+var_C]
.text:00433AC9                 pop     esi
.text:00433ACA                 mov     al, 1
.text:00433ACC                 mov     large fs:0, ecx  ; restore previous SEH handler
.text:00433AD3                 add     esp, 28h
.text:00433AD6                 retn
.text:00433AD6 sub_4339E0      endp
;----------------------------------------------------------------------------------------------
.text:004341F6                 add     esp, 0Ch   ; sub_4341D0 resumes here: drop the 3 pushed args
.text:004341F9                 test    al, al
.text:004341FB                 jz      short loc_434203  ; no hit -> third checker (taken in the traced run)
.text:004341FD
.text:004341FD loc_4341FD:                             ; CODE XREF: sub_4341D0+1Cj
.text:004341FD                 pop     edi
.text:004341FE                 pop     esi
.text:004341FF                 mov     al, 1             ; identified
.text:00434201                 pop     ebx
.text:00434202                 retn
.text:00434203 ; ---------------------------------------------------------------------------
.text:00434203
.text:00434203 loc_434203:                             ; CODE XREF: sub_4341D0+2Bj (reached here)
.text:00434203                 push    esi
.text:00434204                 push    edi
.text:00434205                 push    ebx
.text:00434206                 call    sub_433AE0        ; third checker -- body not shown on this page
.text:0043420B                 add     esp, 0Ch
.text:0043420E                 pop     edi
.text:0043420F                 test    al, al
.text:00434211                 pop     esi
.text:00434212                 setnz   al          ; al = (sub_433AE0 returned non-zero); 0 in the traced run
.text:00434215                 pop     ebx
.text:00434216                 retn
.text:00434216 sub_4341D0      endp
  有点乱,先分析到这里。分析特征码的思路还没有完全明了:原本想利用它的函数调用顺序来分析出特征码的调用处,但不成功;观察一下,PEiD 有可能利用异常来转入特征码比较处(上面 sub_4339E0 开头确实先安装了一个 SEH 帧)。所以我就搜索文本,发现很多诸如 ASCII "Armadillo 1.75a -> Silicon Realms Toolworks" 之类的壳名称,再利用回溯法往回找,大致了解它是用 cmp eax,[特征码片段] 这类硬编码比较来搜索出壳的名称。
  另外需要注意:从上面的反汇编看,这类判断只是对节表字段和固定偏移处的字节做简单匹配(例如最后一节 VirtualSize 是否等于 SizeOfRawData、文件末尾第一个非零字节是否为 C3、某个窗口内有没有 90 68 .. 67 64 FF 36 这样的字节串),壳作者很容易改动或伪造——签名表里本身就有一个 "DotFix FakeSigner" 的条目。因此对来历不明的样本,PEiD 的识别结果只能作为参考,不能当作可信的分类依据。
  不知对不对,敬请指点.
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                       2006年06月06日 12:33:32

 
