Reverse Analysis Ahpack

Source: Internet
Author: User

It has been a month and a half since I started learning reverse engineering this summer; tonight I looked at a compression packer.

In fact a packer like this can be stripped in seconds with the ESP trick. The reason I analysed it anyway is that I wanted to know what the so-called IAT repair actually does, and what the whole flow of a compression packer looks like from start to finish. I think the most fun part of learning reversing is satisfying your own curiosity, as long as you have enough energy.

I did not go through the aPLib part (it was marked in gray), because analysing an algorithm like this at my current level burns the brain too much.

Actually, I think the author must originally have put the aPLib part in a function of its own; the way it appears here should be the result of compiler optimization.

004040FF PUSHAD
00404100 54404000 PUSH ahpack.00404054 ; ASCII "KERNEL32.DLL"
00404105 B8 48404000 MOV EAX,<&kernel32.GetModuleHandleA>
0040410A FF10 CALL DWORD PTR DS:[EAX] ; get the kernel32 base address
0040410C B3404000 PUSH ahpack.004040B3 ; ASCII "GlobalAlloc"
00404111 PUSH EAX
00404112 B8 44404000 MOV EAX,<&kernel32.GetProcAddress>
00404117 FF10 CALL DWORD PTR DS:[EAX] ; get GlobalAlloc from kernel32
00404119 00080000 PUSH 800
0040411E 6A 40 PUSH 40 ; GPTR
00404120 FFD0 CALL EAX ; allocate 0x800 bytes for the unpacked data
00404122 8905 CA404000 MOV DWORD PTR DS:[4040CA],EAX ; save the buffer address
00404128 89C7 MOV EDI,EAX ; EDI = destination (the new buffer)
0040412A BE 00104000 MOV ESI,ahpack.00401000 ; ESI = source (the packed data)
0040412F PUSHAD ; aPLib decompression starts here
00404130 FC CLD
00404131 B2 MOV DL,80 ; tag byte with only the sentinel bit set: first getbit loads a real byte
00404133 31DB XOR EBX,EBX
00404135 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy a literal byte
00404136 B3 MOV BL,2 ; BL = 2 after a literal
00404138 E8 6D000000 CALL ahpack.004041AA ; read one tag bit
0040413D ^ F6 JNB SHORT ahpack.00404135 ; bit 0: another literal
0040413F 31C9 XOR ECX,ECX
00404141 E8 64000000 CALL ahpack.004041AA
00404146 1C JNB SHORT ahpack.00404164 ; bits 10: offset/length pair
00404148 31C0 XOR EAX,EAX
0040414A E8 5B000000 CALL ahpack.004041AA
0040414F JNB SHORT ahpack.00404174 ; bits 110: short block with a one-byte offset
00404151 B3 MOV BL,2 ; bits 111: single byte, a 4-bit offset follows
00404153 INC ECX
00404154 B0 MOV AL,10
00404156 E8 4F000000 CALL ahpack.004041AA
0040415B 10C0 ADC AL,AL
0040415D ^ F7 JNB SHORT ahpack.00404156 ; shift in bits until the 0x10 marker falls out (4 bits)
0040415F 3F JNZ SHORT ahpack.004041A0 ; non-zero offset: copy one byte from there
00404161 AA STOS BYTE PTR ES:[EDI] ; offset 0: emit a zero byte
00404162 ^ EB D4 JMP SHORT ahpack.00404138
00404164 E8 4D000000 CALL ahpack.004041B6 ; gamma-coded high part of the offset
00404169 29D9 SUB ECX,EBX
0040416B JNZ SHORT ahpack.0040417D
0040416D E8 42000000 CALL ahpack.004041B4 ; result 0: reuse the last offset, read a new length
00404172 EB JMP SHORT ahpack.0040419C
00404174 AC LODS BYTE PTR DS:[ESI]
00404175 D1E8 SHR EAX,1 ; offset = byte >> 1, the low bit goes to CF
00404177 4D JE SHORT ahpack.004041C6 ; offset 0 marks the end of the stream
00404179 11C9 ADC ECX,ECX ; length = (byte & 1) + 2 after the two INCs below
0040417B EB 1C JMP SHORT ahpack.00404199
0040417D XCHG EAX,ECX
0040417E DEC EAX
0040417F C1E0 SHL EAX,8
00404182 AC LODS BYTE PTR DS:[ESI] ; low byte of the offset
00404183 E8 2C000000 CALL ahpack.004041B4 ; gamma-coded length
00404188 3D 007D0000 CMP EAX,7D00
0040418D 0A JNB SHORT ahpack.00404199 ; offset >= 0x7D00: length += 2
0040418F 80FC CMP AH,5
00404192 JNB SHORT ahpack.0040419A ; offset >= 0x500: length += 1
00404194 83F8 7F CMP EAX,7F
00404197 JA SHORT ahpack.0040419B ; offset <= 0x7F: length += 2
00404199 INC ECX
0040419A INC ECX
0040419B XCHG EAX,EBP ; remember this offset in EBP
0040419C 89E8 MOV EAX,EBP
0040419E B3 MOV BL,1 ; BL = 1 after a match
004041A0 PUSH ESI
004041A1 89FE MOV ESI,EDI
004041A3 29C6 SUB ESI,EAX ; source = destination - offset
004041A5 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy ECX bytes, overlap allowed
004041A7 5E POP ESI
004041A8 ^ EB 8E JMP SHORT ahpack.00404138
004041AA 00D2 ADD DL,DL ; getbit: shift the tag byte, the bit lands in CF
004041AC JNZ SHORT ahpack.004041B3
004041AE 8A16 MOV DL,BYTE PTR DS:[ESI] ; tag byte exhausted: load the next one
004041B0 INC ESI
004041B1 10D2 ADC DL,DL ; shift in the sentinel bit, CF = top bit of the new byte
004041B3 C3 RETN
004041B4 31C9 XOR ECX,ECX ; getgamma
004041B6 INC ECX
004041B7 E8 EEFFFFFF CALL ahpack.004041AA
004041BC 11C9 ADC ECX,ECX ; shift in a value bit
004041BE E8 E7FFFFFF CALL ahpack.004041AA
004041C3 ^ F2 JB SHORT ahpack.004041B7 ; continue bit set: keep going
004041C5 C3 RETN
004041C6 POPAD ; aPLib done; the unpacked data sits in the buffer allocated at 00404120
004041C7 B9 FC070000 MOV ECX,7FC
004041CC 8B1C08 MOV EBX,DWORD PTR DS:[EAX+ECX]
004041CF 8999 00104000 MOV DWORD PTR DS:[ECX+401000],EBX
004041D5 ^ E2 F5 LOOPD SHORT ahpack.004041CC ; the buffer allocated at 00404120 holds the unpacked data; copy it back to 00401000, the OEP region
004041D7 NOP ; IAT repair starts below; hehe, is the 90 90 here deliberate, to mark the split?
004041D8 NOP
004041D9 BA 00004000 MOV EDX,ahpack.00400000 ; EDX = image base
004041DE BE 70200000 MOV ESI,2070 ; RVA of the import directory
004041E3 01D6 ADD ESI,EDX ; ESI walks the IMAGE_IMPORT_DESCRIPTOR array; it now points at the first descriptor
004041E5 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; EAX = RVA of the name of the DLL to repair
004041E8 85C0 TEST EAX,EAX
004041EA 0F84 87000000 JE ahpack.00404277 ; Name is 0: all repairs done, jump out
004041F0 01D0 ADD EAX,EDX
004041F2 89C3 MOV EBX,EAX
004041F4 PUSH EAX
004041F5 B8 48404000 MOV EAX,<&kernel32.GetModuleHandleA>
004041FA FF10 CALL DWORD PTR DS:[EAX] ; get the base address of the DLL to repair
004041FC 85C0 TEST EAX,EAX
004041FE JNZ SHORT ahpack.00404208 ; if GetModuleHandleA failed, load the DLL with LoadLibraryA
00404200 PUSH EBX
00404201 B8 4C404000 MOV EAX,<&kernel32.LoadLibraryA>
00404206 FF10 CALL DWORD PTR DS:[EAX]
00404208 8905 CE404000 MOV DWORD PTR DS:[4040CE],EAX ; save the base address of the DLL being repaired at 4040CE
0040420E C705 D2404000 00000000 MOV DWORD PTR DS:[4040D2],0 ; 4040D2 counts the repairs done for this DLL; [4040D2]/4 = number of functions fixed
00404218 BA 00004000 MOV EDX,ahpack.00400000
0040421D 8B06 MOV EAX,DWORD PTR DS:[ESI] ; OriginalFirstThunk
0040421F 85C0 TEST EAX,EAX
00404221 JNZ SHORT ahpack.00404226
00404223 8B46 MOV EAX,DWORD PTR DS:[ESI+10] ; OriginalFirstThunk is 0: use FirstThunk instead
00404226 01D0 ADD EAX,EDX ; image base plus the thunk RVA
00404228 0305 D2404000 ADD EAX,DWORD PTR DS:[4040D2] ; plus the repair count
0040422E 8B18 MOV EBX,DWORD PTR DS:[EAX] ; EBX = thunk entry, the RVA of the IMAGE_IMPORT_BY_NAME
00404230 8B7E MOV EDI,DWORD PTR DS:[ESI+10] ; FirstThunk, i.e. the IAT slot to write
00404233 01D7 ADD EDI,EDX
00404235 033D D2404000 ADD EDI,DWORD PTR DS:[4040D2]
0040423B 85DB TEST EBX,EBX
0040423D 2B JE SHORT ahpack.0040426A ; thunk entry is 0: this DLL is fully repaired, jump
0040423F F7C3 00000080 TEST EBX,80000000 ; high bit set: import by ordinal rather than by name
00404245 JNZ SHORT ahpack.0040424B
00404247 01D3 ADD EBX,EDX
00404249 INC EBX ; the first field (Hint) is one WORD, so two INCs reach IMAGE_IMPORT_BY_NAME.Name
0040424A INC EBX
0040424B 81E3 FFFFFF0F AND EBX,0FFFFFFF ; clear the top 4 bits (an ordinal entry 8000xxxx becomes the bare ordinal)
00404251 PUSH EBX ; name (or ordinal) of the function to repair
00404252 FF35 CE404000 PUSH DWORD PTR DS:[4040CE] ; base of the DLL the function lives in
00404258 B8 44404000 MOV EAX,<&kernel32.GetProcAddress>
0040425D FF10 CALL DWORD PTR DS:[EAX] ; GetProcAddress returns the correct address
0040425F 8907 MOV DWORD PTR DS:[EDI],EAX ; write it into the IAT
00404261 8305 D2404000 04 ADD DWORD PTR DS:[4040D2],4 ; repair count + 1 entry
00404268 ^ EB AE JMP SHORT ahpack.00404218 ; back up to repair the next function
0040426A 83C6 ADD ESI,14 ; 0x14 = sizeof(IMAGE_IMPORT_DESCRIPTOR), move on to the next DLL
0040426D BA 00004000 MOV EDX,ahpack.00400000 ; redundant, EDX already holds the image base
00404272 ^ E9 6EFFFFFF JMP ahpack.004041E5 ; back up to repair the next DLL
00404277 54404000 PUSH ahpack.00404054 ; ASCII "KERNEL32.DLL"
0040427C B8 48404000 MOV EAX,<&kernel32.GetModuleHandleA>
00404281 FF10 CALL DWORD PTR DS:[EAX] ; get the kernel32 base address
00404283 BF404000 PUSH ahpack.004040BF ; ASCII "GlobalFree"
00404288 PUSH EAX
00404289 B8 44404000 MOV EAX,<&kernel32.GetProcAddress>
0040428E FF10 CALL DWORD PTR DS:[EAX] ; get GlobalFree from kernel32
00404290 8B15 CA404000 MOV EDX,DWORD PTR DS:[4040CA]
00404296 PUSH EDX
00404297 FFD0 CALL EAX ; free the buffer allocated earlier
00404299 POPAD
0040429A BA 00104000 MOV EDX,ahpack.00401000
0040429F FFE2 JMP EDX ; jump to the OEP
004042A1 NOP
004042A2 C3 RETN
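The aPLib routine at 00404130-004041C5 is short enough to re-implement, which is what an analyst does when they want to unpack a sample statically instead of letting the stub run. The decoder below is an added example, not code from the original post or from the packer; it is reconstructed instruction by instruction from the listing above (getbit = 004041AA, getgamma = 004041B4/004041B6, the four code kinds selected by the tag bits 0 / 10 / 110 / 111, and the length adjustments at 00404188-0040419A). The two input streams in the tests were constructed by hand to exercise a literal run, an offset/length pair, a single-byte match and the end marker. The only behaviour that is not in the stub is the bounds check on the match offset: the stub would simply read outside the buffer on a corrupt stream.

```python
def ap_depack(src: bytes) -> bytes:
    """Decompress an aPLib stream, mirroring the ahpack stub at 00404130-004041C5."""
    out = bytearray()
    pos = 0           # ESI: read position in the packed data
    tag = 0x80        # DL:  tag byte, only the sentinel bit set at start
    lwm = 2           # BL:  2 after a literal, 1 after a match
    last_off = 0      # EBP: offset of the previous match

    def getbit() -> int:
        # 004041AA: ADD DL,DL; when DL becomes 0 the byte is exhausted,
        # load the next one and shift the sentinel in with ADC DL,DL.
        nonlocal tag, pos
        carry = tag >> 7
        tag = (tag << 1) & 0xFF
        if tag == 0:
            b = src[pos]
            pos += 1
            tag = ((b << 1) | carry) & 0xFF   # carry here is the old sentinel
            carry = b >> 7
        return carry

    def getgamma() -> int:
        # 004041B4: value starts at 1; each round shifts in one value bit,
        # then a continue bit decides whether another round follows.
        v = 1
        while True:
            v = (v << 1) | getbit()
            if not getbit():
                return v

    def copy(off: int, length: int) -> None:
        # 004041A0: REP MOVSB from EDI-off; byte-wise so overlap works.
        if off == 0 or off > len(out):
            raise ValueError(f"bad match offset {off} at output size {len(out)}")
        for _ in range(length):
            out.append(out[-off])

    out.append(src[pos])                    # 00404135: first byte is always a literal
    pos += 1
    while True:
        if not getbit():                    # tag bit 0: literal
            out.append(src[pos])
            pos += 1
            lwm = 2
        elif not getbit():                  # tag bits 10: offset/length pair
            g = getgamma() - lwm            # 00404169: SUB ECX,EBX
            if g == 0:                      # reuse last offset, new length
                off = last_off
                length = getgamma()
            else:
                off = ((g - 1) << 8) | src[pos]
                pos += 1
                length = getgamma()
                if off >= 0x7D00:
                    length += 2
                elif off >= 0x500:
                    length += 1
                elif off <= 0x7F:
                    length += 2
                last_off = off
            lwm = 1
            copy(off, length)
        elif not getbit():                  # tag bits 110: short block
            b = src[pos]
            pos += 1
            off = b >> 1
            if off == 0:                    # 00404177: end of stream
                return bytes(out)
            length = (b & 1) + 2
            last_off = off
            lwm = 1
            copy(off, length)
        else:                               # tag bits 111: single byte, 4-bit offset
            lwm = 2
            off = 0
            for _ in range(4):
                off = (off << 1) | getbit()
            if off:
                copy(off, 1)
            else:
                out.append(0)               # 00404161: STOSB of AL == 0


# Constructed streams (not taken from any sample):
# 'A', tag 0x2B, 'B', 'C', offset byte 0x03, tag 0x30, end byte 0x00
SAMPLE_PAIR = bytes([0x41, 0x2B, 0x42, 0x43, 0x03, 0x30, 0x00])
# same prefix, then a single-byte match at offset 2 before the end marker
SAMPLE_SINGLE = bytes([0x41, 0x2B, 0x42, 0x43, 0x03, 0x39, 0x60, 0x00])

if __name__ == "__main__":
    print(ap_depack(SAMPLE_PAIR))    # b'ABCABCABCAB'
    print(ap_depack(SAMPLE_SINGLE))  # b'ABCABCABCABA'
```

Feeding the 0x800-byte region the stub reads from 00401000 into ap_depack reproduces what the stub leaves in the GlobalAlloc buffer, without executing the sample; the raise on a bad offset is the difference between a parser you can run on untrusted input and the stub's unchecked REP MOVSB.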
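The IAT repair loop at 004041D9-00404272 is the part the post set out to understand, and it is easiest to see as a small program rather than as a jump graph. The code below is an added example, not part of the original post: it lays out a constructed flat image (RVA == offset, import directory at the stub's 0x2070) and then walks it exactly the way the stub does (Name at +0xC terminates the descriptor array, OriginalFirstThunk with a fallback to FirstThunk, the 0x80000000 ordinal flag masked with 0x0FFFFFFF, the Hint word skipped before the name, and the resolved address written to FirstThunk + count). The DLL names, function names, ordinals and addresses in FAKE_MODULES are made up and stand in for GetModuleHandleA/LoadLibraryA/GetProcAddress, so the example runs anywhere.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMPORT_DESCRIPTOR_SIZE = 0x14      # the stub's ADD ESI,14
IMPORT_DIR_RVA = 0x2070            # the stub's MOV ESI,2070

# Constructed stand-in for the loader: DLL name -> (fake base, {name or ordinal: fake address}).
FAKE_MODULES = {
    "KERNEL32.DLL": (0x7C800000, {"GlobalAlloc": 0x7C809D00, "GlobalFree": 0x7C809E10}),
    "USER32.DLL":   (0x7E410000, {"MessageBoxA": 0x7E4507EA, 0x1A0: 0x7E4601F0}),
}


def build_image(imports):
    """Construct a flat image whose IMAGE_IMPORT_DESCRIPTOR array sits at IMPORT_DIR_RVA.

    imports: list of (dll name, [function name or int ordinal, ...]).
    FirstThunk is written as a copy of OriginalFirstThunk, i.e. unresolved."""
    img = bytearray(0x3000)
    cursor = IMPORT_DIR_RVA + IMPORT_DESCRIPTOR_SIZE * (len(imports) + 1)  # past the null descriptor

    def put(data, align=1):
        nonlocal cursor
        cursor = (cursor + align - 1) & ~(align - 1)
        rva = cursor
        img[rva:rva + len(data)] = data
        cursor += len(data)
        return rva

    for i, (dll, funcs) in enumerate(imports):
        name_rva = put(dll.encode() + b"\0")
        thunks = []
        for f in funcs:
            if isinstance(f, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | f)              # import by ordinal
            else:                                                    # IMAGE_IMPORT_BY_NAME: Hint, Name
                thunks.append(put(struct.pack("<H", 0) + f.encode() + b"\0"))
        thunk_bytes = struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        oft_rva = put(thunk_bytes, align=4)
        ft_rva = put(thunk_bytes, align=4)
        desc = IMPORT_DIR_RVA + i * IMPORT_DESCRIPTOR_SIZE
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        struct.pack_into("<IIIII", img, desc, oft_rva, 0, 0, name_rva, ft_rva)
    return img


def cstring(img, rva):
    return bytes(img[rva:img.index(b"\0", rva)])


def fix_iat(img, modules=FAKE_MODULES):
    """Resolve every import the way the stub does and patch FirstThunk in place."""
    fixes = []
    desc = IMPORT_DIR_RVA                                  # ESI
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                                  # 004041EA: end of descriptors
            break
        dll = cstring(img, name_rva).decode()
        base, exports = modules[dll]                       # GetModuleHandleA / LoadLibraryA
        lookup = oft if oft else ft                        # 00404221: OFT, else FirstThunk
        count = 0                                          # [4040D2], +4 per entry
        while True:
            entry = struct.unpack_from("<I", img, lookup + count)[0]
            if entry == 0:                                 # 0040423D: this DLL is done
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                ident = entry & 0x0FFFFFFF                 # 0040424B: bare ordinal
            else:
                ident = cstring(img, entry + 2).decode()   # 00404249: skip the Hint word
            addr = exports[ident]                          # GetProcAddress
            struct.pack_into("<I", img, ft + count, addr)  # 0040425F: write the IAT slot
            fixes.append((dll, ident, addr))
            count += 4
        desc += IMPORT_DESCRIPTOR_SIZE                     # 0040426A: next DLL
    return fixes


def read_iat(img, index):
    """Return the DWORDs in FirstThunk of descriptor `index`, up to the zero terminator."""
    desc = IMPORT_DIR_RVA + index * IMPORT_DESCRIPTOR_SIZE
    ft = struct.unpack_from("<I", img, desc + 16)[0]
    vals = []
    while True:
        v = struct.unpack_from("<I", img, ft + 4 * len(vals))[0]
        if v == 0:
            return vals
        vals.append(v)


def demo():
    img = build_image([("KERNEL32.DLL", ["GlobalAlloc", "GlobalFree"]),
                       ("USER32.DLL", ["MessageBoxA", 0x1A0])])
    fixes = fix_iat(img)
    return img, fixes


if __name__ == "__main__":
    image, done = demo()
    for dll, ident, addr in done:
        print(f"{dll:13} {ident!s:12} -> {addr:#010x}")
    print([hex(v) for v in read_iat(image, 1)])
```

Because the stub keeps OriginalFirstThunk intact and only overwrites FirstThunk, the same walk run over a memory dump taken at the OEP gives an import table that can be written straight back into the dump; the loader then redoes exactly this resolution at start-up, which is why the ESP trick plus a dump works on this packer.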

qq1454322323
