Analysis of Shellcode in a cracked program

Source: Internet
Author: User

Just out of interest; experts can pass this by.
Silent Sister sent over a piece of software that had been cracked the SMC way, so I studied the shellcode used in the SMC.

//////////////////////////////////////////////////////////////////////////////////////////////////

Execution process:
1. First get the kernel32 imagebase, parse it as a PE and locate its export table.
2. Then retrieve the address of GetProcAddress and use it to obtain the specified APIs.
3. Crack the software by hooking those APIs.


Analysis Code:

Find the kernel32 imagebase by scanning downwards, one page at a time, for an "MZ" header:

    00400380               pushad                               ; save the register environment
    00400381  8B4424       mov eax, dword ptr [esp+0x44]
    00400385  0000FFFF     and eax, 0xffff0000
    0040038A  66:8138 4D5A cmp word ptr [eax], 0x5a4d           ; check for "MZ"
    0040038F               je short 00400398                    ; if equal, the kernel32 imagebase has been found
    00400391  2D 00100000  sub eax, 0x1000                      ; 4K page alignment in memory: step towards the head of kernel32.dll
    00400396  ^EB F2       jmp short 0040038A                   ; loop until the kernel32 imagebase is found

Get a pointer to the slot that stores kernel32_imagebase:

    00400398               push eax                             ; eax == kernel32_imagebase
    00400399  E8 C2000000  call 00400460                        ; pushes 0x0040039E
    0040039E               pop ecx
    0040039F               pop eax

    00400460  E8 F5FFFFFF  call 0040045A
    00400465  0000         add byte ptr [eax], al               ; data, not code
    0040045A               pop eax
    0040045B  870424       xchg dword ptr [esp], eax
    0040045E               push eax
    0040045F  C3           retn

Stack layout on entry to 0040045A:

    $ ==>  00400465  __call_ret_eip  -> eax
    $+4    0040039E  _call_ret_eip
    $+8    7C800000  kernel32_imagebase

Stack layout on return:

    $ ==>  0040039E  _call_ret_eip
    $+4    00400465  __call_ret_eip
    $+8    7C800000  kernel32.7C800000

Conclusion: the whole sequence amounts to mov ecx, 00400465 (pKernel32_imagebase); the rest can be ignored.

Use the fixed offsets of the PE structure to compute the export table of kernel32.dll, in preparation for retrieving the WinAPIs:

    004003A0  8BD8         mov ebx, eax                         ; ebx == kernel32_imagebase (saved)
    004003A2  8B48 3C      mov ecx, dword ptr [eax+0x3c]        ; ecx == e_lfanew (offset)
    004003A5  03C8         add ecx, eax                         ; ecx == kernel32_image_nt_header
    004003A7  8B51         mov edx, dword ptr [ecx+0x78]        ; edx == kernel32_export_table (offset)
    004003AA  03D0         add edx, eax                         ; edx == kernel32_exporttable_va

Same positioning trick as above; it amounts to mov ecx, 00400465:

    004003AC               push eax
    004003AD               call 00400460
    004003B2               pop ecx
    004003B3               pop eax
    004003B4  83C1         add ecx, 0x8                         ; ecx == pNewEipAddr (0040046D)
    004003B7               push eax                             ; kernel32_imagebase
    004003B8               push ecx                             ; ecx == pNewEipAddr
    004003B9  E8 9C000000  call 0040045A

    0040045A               pop eax
    0040045B  870424       xchg dword ptr [esp], eax
    0040045E               push eax
    0040045F  C3           retn

The interesting part is the add ecx, 0x8 at 004003B4, which I had not noticed before: &pKernel32 + 8 (0040046D) is where the next part of the shellcode continues, so execution resumes there:

    0040046D               pop ecx
    0040046E               pop eax                              ; eax == kernel32_imagebase
    0040046F  8B4A         mov ecx, dword ptr [edx+0x20]        ; ecx == kernel32_exporttable_addrofnames (offset)
    00400472               push edx                             ; edx == kernel32_exporttable_va
    00400473  03C1         add eax, ecx                         ; eax == kernel32_exporttable_addrofnames
    00400475               push ebx                             ; ebx == kernel32_imagebase (saved)
    00400476  33DB         xor ebx, ebx
    00400478  EB           jmp short 0040047E
    0040047A  83C0         add eax, 0x4                         ; advance the pointer to the next API name
    0040047D               inc ebx                              ; counter
    0040047E  8B0C24       mov ecx, dword ptr [esp]             ; ecx == kernel32_imagebase
    00400481  8B10         mov edx, dword ptr [eax]             ; API offset
    00400483  03D1         add edx, ecx                         ; edx == API addr
    00400485  8BFA         mov edi, edx                         ; save API addr
    00400487  33C9         xor ecx, ecx
    00400489               push eax                             ; kernel32_exporttable_addrofnames (saved)
    0040048A  33C0         xor eax, eax
    0040048C               inc ecx                              ; counter (API name length)
    0040048D  AE           scas byte ptr es:[edi]
    0040048E  ^75 FC       jnz short 0040048C
    00400490               dec ecx
    00400491  E8 28FFFFFF  call 004003BE
    004003BE  E8 97000000  call 0040045A
    004003C3               inc edi                              ; not real code: from here on it is string data

The bytes from 004003C3 to 0040040E disassemble as nonsense because they are the ASCII table of API names used by the shellcode:

    004003C3  "GetProcAddress"
    004003D3  "VirtualProtect"
    004003E3  "MapViewOfFile"
    004003F3  "CreateFile"
    00400403  "VirtualAlloc"

Now acquiring GetProcAddress. The call 004003BE leaves the address of the string on the stack and returns to 00400496:

    00400496  5E           pop esi                              ; esi == "GetProcAddress"
    00400497               pop eax                              ; eax == kernel32_exporttable_addrofnames
    00400498  8BFA         mov edi, edx                         ; the API name currently being traversed
    0040049A  F3:A6        repe cmps byte ptr es:[edi], byte ptr [esi] ; compare for a match
    0040049C  ^75 DC       jnz short 0040047A                   ; mismatch: start the next round
    0040049E               pop eax                              ; eax == kernel32_imagebase
    0040049F  870424       xchg dword ptr [esp], eax            ; swap with kernel32_export_table_va
    004004A2               nop
    004004A3  83C0 1C      add eax, 0x1C                        ; eax == kernel32_exporttable_addroffunc (offset)
    004004A6  8B00         mov eax, dword ptr [eax]             ; eax == kernel32_exporttable_addroffunc
    004004A8               push eax
    004004A9  8B4C24       mov ecx, dword ptr [esp+0x4]         ; ecx == kernel32_imagebase
    004004AD  8BFF         mov edi, edi
    004004AF               pop eax
    004004B0  03C1         add eax, ecx                         ; eax == kernel32_exporttable_addroffunc (VA)
    004004B2  8B0498       mov eax, dword ptr [eax+ebx*4]       ; index the table with the counter to get the API offset
    004004B5  03C1         add eax, ecx                         ; API address
    004004B7               push eax                             ; push API addr
    004004B8  E8 A3FFFFFF  call 00400460                        ; execute

Next, look up VirtualProtect through GetProcAddress:

    004004C8               pop ecx
    004004C9               pop eax
    004004CA  83C1         add ecx, 0x10                        ; next entry of the API-name table defined above (VirtualProtect)
    004004CD               push ecx
    004004CE  8BD0         mov edx, eax
    004004D0  E8 8BFFFFFF  call 00400460
    004004D5               pop ecx
    004004D6               pop eax
    004004D7               push eax                             ; push lpProcName
    004004D8  FF31         push dword ptr [ecx]                 ; hModule
    004004DA  FFD2         call edx                             ; edx == GetProcAddress
    004004DC               push eax                             ; address of the API (VirtualProtect)
    004004DD  E8 4EFEFFFF  call 00400330

    00400330  8BF8         mov edi, eax
    00400332               pop eax
    00400333               push esp
    00400334  6A           push 0x40                            ; VirtualProtect parameter: PAGE_EXECUTE_READWRITE
    00400336  00010000     push 0x100                           ; VirtualProtect parameter: size
    0040033B  E8 F3000000  call 00400433

    00400436  0000         add byte ptr [eax], al               ; data, not code
    00400438  D4 1A        aam 0x1A                             ; VirtualProtectEx addr
    0040043A  807C95 B9    cmp byte ptr [ebp+edx*4-0x47], 0x80  ; MapViewOfFile addr
    0040043F  7C xx        jl short 00400441

    00400350  8B4424       mov eax, dword ptr [esp+0x8]
    00400354  8901         mov dword ptr [ecx], eax             ; save kernel32_imagebase
    00400356  8959         mov dword ptr [ecx+0x4], ebx         ; save GetProcAddress
    00400359  E8 D5000000  call 00400433
    0040035E               pop ecx
    0040035F  C3           retn

    00400580               pop ecx
    00400581               pop eax
    00400582  50           push eax                             ; push lpProcName (MapViewOfFile)
    00400583  FF31         push dword ptr [ecx]                 ; hModule
    00400585  FF51         call dword ptr [ecx+0x4]             ; kernel32.GetProcAddress

Save the first five bytes of the API (this should be the preparation for entering the hook):

    004005B8               pop ecx
    004005B9               pop eax
    004005BA  83C1         add ecx, 0x14
    004005BD  8B10         mov edx, dword ptr [eax]
    004005BF  66:8B58 04   mov bx, word ptr [eax+0x4]
    004005C3  8911         mov dword ptr [ecx], edx
    004005C5  66:8959      mov word ptr [ecx+0x4], bx
    004005C9  C3           retn

Hook operation:

    00400606  59           pop ecx
    00400607               pop eax
    00400608  C600         mov byte ptr [eax], 0x68             ; push imm32
    0040060B  8948         mov dword ptr [eax+0x1], ecx         ; hook address
    0040060E  C640         mov byte ptr [eax+0x5], 0xc3         ; retn
    00400612  C3           retn

Restore the environment:

    00400598               popad
    00400599  830424       add dword ptr [esp], 0x7
    0040059D  C3           retn

CreateFile after hooking:

    7C801A28 > 8F074000    push 0x40078f                        ; ASCII "PQ?"
    7C801A2D   C3          retn

MapViewOfFile after hooking:

    7C80B995 > 38064000    push 0x400638
    7C80B99A   C3          retn
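As an added example (not code from the original post), the following Python walks a PE export table the way the shellcode does and flags the page's push imm32 / retn inline hook on a function prologue. It runs on a constructed flat image, not a real kernel32; the export names, layout and the ZwFoo stub are made up. The shellcode indexes AddressOfFunctions with its name counter (ebx) and never reads AddressOfNameOrdinals, so the example resolves both ways to show where that shortcut can return the wrong function.

```python
import struct

# PE32 offsets walked by the shellcode above: e_lfanew, the export DataDirectory RVA relative
# to the NT header (+0x78), and the IMAGE_EXPORT_DIRECTORY fields (NumberOfNames, the three tables).
E_LFANEW, EXPORT_DIR = 0x3C, 0x78
NUM_NAMES, ADDR_FUNCS, ADDR_NAMES, ADDR_ORDS = 0x18, 0x1C, 0x20, 0x24

def u32(img, off): return struct.unpack_from("<I", img, off)[0]
def u16(img, off): return struct.unpack_from("<H", img, off)[0]

def export_tables(img):
    """Return (NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals) as RVAs."""
    exp = u32(img, u32(img, E_LFANEW) + EXPORT_DIR)
    return tuple(u32(img, exp + o) for o in (NUM_NAMES, ADDR_FUNCS, ADDR_NAMES, ADDR_ORDS))

def resolve(img, name, via_ordinals=True):
    """Resolve an export name to its RVA. via_ordinals=False reproduces the shellcode's shortcut:
    it indexes AddressOfFunctions with the *name* index (ebx) and skips AddressOfNameOrdinals."""
    n, funcs, names, ords = export_tables(img)
    for i in range(n):
        p = u32(img, names + 4 * i)
        if img[p:img.index(b"\0", p)] == name:
            idx = u16(img, ords + 2 * i) if via_ordinals else i
            return u32(img, funcs + 4 * idx)
    return None

def trampoline_target(img, rva):
    """Detect the page's inline hook `push imm32; retn` (68 xx xx xx xx C3) at rva; return its target."""
    return u32(img, rva + 1) if img[rva] == 0x68 and img[rva + 5] == 0xC3 else None

def build_image():
    """Constructed flat image (not a real DLL): a sorted name table whose ordinals are NOT in name order."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"; struct.pack_into("<I", img, E_LFANEW, 0x80); img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + EXPORT_DIR, 0x200)            # export directory at RVA 0x200
    names = [b"GetProcAddress", b"VirtualProtect", b"ZwFoo"]          # AddressOfNames order
    ords = [1, 2, 0]                                                   # AddressOfNameOrdinals
    funcs = [0x500, 0x510, 0x520]                                      # AddressOfFunctions (by ordinal)
    struct.pack_into("<IIII", img, 0x200 + NUM_NAMES, len(names), 0x300, 0x340, 0x380)
    for i, (nm, od, fn) in enumerate(zip(names, ords, funcs)):
        struct.pack_into("<I", img, 0x300 + 4 * i, fn)
        struct.pack_into("<I", img, 0x340 + 4 * i, 0x400 + 0x20 * i)
        struct.pack_into("<H", img, 0x380 + 2 * i, od)
        img[0x400 + 0x20 * i:0x400 + 0x20 * i + len(nm)] = nm
        img[fn:fn + 5] = b"\x8b\xff\x55\x8b\xec"                       # normal mov edi,edi prologue
    # GetProcAddress (ordinal 1 -> 0x510) carries a 6-byte hook like the page's CreateFile patch.
    img[0x510:0x516] = b"\x68" + struct.pack("<I", 0x0040078F) + b"\xc3"
    return bytes(img)
```

On a real module the same check is done by reading the first six bytes of each export and comparing them with the on-disk copy; a push/retn pair where a prologue should be is the signature of this hook.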

Patch code (just a quick follow-up; I estimate this is not all of it, I only followed the next hook, the CreateFile part; not tested):

1. At 004391C9:
       jmp     patchaddr
   patchaddr:
       call    patchfun (00400810)
       ; restore the original flow:
       mov     ecx, esi
       jmp     004391CB

2. Original:
   0043B45E  |.  8B07           mov     eax, dword ptr [edi]
   0043B460  |.                 dec     eax                     ; switch (cases 1..C)
   0043B461  |.  83F8 0B        cmp     eax, 0xb
   0043B464  |.  0F87 95020000  ja      0043B6FF
   Patched:
   0043B45E  |.  33C0           xor     eax, eax
   0043B460  |.                 inc     eax                     ; switch (cases 1..C)
   0043B461  |.  83F8 0B        cmp     eax, 0xb
   0043B464  |.  0F87 95020000  ja      0043B6FF

3. Original:
   00443830   .  6A FF          push    -0x1
   Patched:
   00443830   .  C3             retn
   00443831   ?                 nop

  
