资源段自动加密
江民对资源段的查杀比较严格，因此需要对资源段做特殊处理。

关键字：
004C55E1 5C 52 55 4E 45 78 65 4D 65 6D 55 6E 69 74 00 54 \RUNExeMemUnit.T
004C55F1 50 46 30 0D 54 4D 61 69 6E 46 6F 72 6D 56 65 72 PF0.TMainFormVer2
004A2238 > 55 push ebp004A2239 89E5 mov ebp, esp004A223B 51 push ecx004A223C B9 08000000 mov ecx, 0x8004A2241 6A 00 push 0x0004A2243 49 dec ecx004A2244 ^ 75 FB jnz short 004A2241004A2246 8B4C24 20 mov ecx, dword ptr [esp+0x20]004A224A 8944E4 1C mov dword ptr [esp+0x1C], eax004A224E 895CE4 18 mov dword ptr [esp+0x18], ebx004A2252 894CE4 14 mov dword ptr [esp+0x14], ecx004A2256 8954E4 10 mov dword ptr [esp+0x10], edx004A225A 8964E4 0C mov dword ptr [esp+0xC], esp004A225E 896CE4 08 mov dword ptr [esp+0x8], ebp004A2262 8974E4 04 mov dword ptr [esp+0x4], esi004A2266 893CE4 mov dword ptr [esp], edi004A2269 90 nop004A226A 90 nop004A226B 90 nop004A226C 90 nop004A226D 90 nop004A226E E8 00000000 call 004A2273004A2273 58 pop eax004A2274 25 00F0FFFF and eax, -0x1000004A2279 66:8138 4D5A cmp word ptr [eax], 0x5A4D004A227E 74 07 je short 004A2287004A2280 2D 00100000 sub eax, 0x1000004A2285 ^ EB F2 jmp short 004A2279004A2287 50 push eax ; push004A2288 8BD8 mov ebx, eax004A228A 83C3 3C add ebx, 0x3C004A228D 8B1B mov ebx, dword ptr [ebx]004A228F 03D8 add ebx, eax ; pe address004A2291 8BD3 mov edx, ebx ; ebx edx004A2293 33C9 xor ecx, ecx004A2295 66:8B4B 06 mov cx, word ptr [ebx+0x6] ; cx num004A2299 33C0 xor eax, eax004A229B 66:8B43 14 mov ax, word ptr [ebx+0x14] ; pe daxiao004A229F 83C3 18 add ebx, 0x18004A22A2 03D8 add ebx, eax ; qu duan004A22A4 90 nop004A22A5 49 dec ecx ; 28004A22A6 83C3 28 add ebx, 0x28004A22A9 49 dec ecx004A22AA ^ 75 FA jnz short 004A22A6004A22AC 90 nop004A22AD 83C3 0C add ebx, 0xC ; rva004A22B0 8B1B mov ebx, dword ptr [ebx] ; rva004A22B2 031C24 add ebx, dword ptr [esp] ; zi yuan duan address004A22B5 53 push ebx ; push004A22B6 90 nop004A22B7 90 nop004A22B8 90 nop004A22B9 90 nop004A22BA 90 nop004A22BB 90 nop004A22BC 90 nop ; next search004A22BD 803B 5C cmp byte ptr [ebx], 0x5C004A22C0 74 03 je short 004A22C5004A22C2 43 inc ebx004A22C3 ^ EB F8 jmp short 004A22BD004A22C5 807B 01 52 cmp byte ptr [ebx+0x1], 0x52004A22C9 74 03 je short 004A22CE004A22CB 43 inc 
ebx004A22CC ^ EB EF jmp short 004A22BD004A22CE 807B 02 55 cmp byte ptr [ebx+0x2], 0x55004A22D2 74 03 je short 004A22D7004A22D4 43 inc ebx004A22D5 ^ EB E6 jmp short 004A22BD004A22D7 807B 03 4E cmp byte ptr [ebx+0x3], 0x4E004A22DB 74 03 je short 004A22E0004A22DD 43 inc ebx004A22DE ^ EB DD jmp short 004A22BD004A22E0 807B 04 45 cmp byte ptr [ebx+0x4], 0x45004A22E4 74 03 je short 004A22E9004A22E6 43 inc ebx004A22E7 ^ EB D4 jmp short 004A22BD004A22E9 90 nop ; zhe ebx004A22EA 83EB 05 sub ebx, 0x5004A22ED B9 10060000 mov ecx, 0x610004A22F2 8033 A7 xor byte ptr [ebx], 0xA7004A22F5 4B dec ebx004A22F6 49 dec ecx004A22F7 ^ 75 F9 jnz short 004A22F2 ; 加密盲搜索之后的资源数据004A22F9 90 nop004A22FA 90 nop004A22FB 90 nop004A22FC 90 nop004A22FD 90 nop004A22FE 803B 54 cmp byte ptr [ebx], 0x54004A2301 74 03 je short 004A2306004A2303 43 inc ebx004A2304 ^ EB F8 jmp short 004A22FE004A2306 807B 01 50 cmp byte ptr [ebx+0x1], 0x50004A230A 74 03 je short 004A230F004A230C 43 inc ebx004A230D ^ EB EF jmp short 004A22FE004A230F 807B 02 46 cmp byte ptr [ebx+0x2], 0x46004A2313 74 03 je short 004A2318004A2315 43 inc ebx004A2316 ^ EB E6 jmp short 004A22FE004A2318 807B 03 30 cmp byte ptr [ebx+0x3], 0x30004A231C 74 03 je short 004A2321004A231E 43 inc ebx004A231F ^ EB DD jmp short 004A22FE004A2321 807B 04 0D cmp byte ptr [ebx+0x4], 0xD004A2325 74 03 je short 004A232A004A2327 43 inc ebx004A2328 ^ EB D4 jmp short 004A22FE004A232A 807B 05 54 cmp byte ptr [ebx+0x5], 0x54004A232E 74 03 je short 004A2333004A2330 43 inc ebx004A2331 ^ EB CB jmp short 004A22FE004A2333 90 nop004A2334 90 nop004A2335 83C3 13 add ebx, 0x13 ; start004A2338 B9 B0020000 mov ecx, 0x2B0004A233D 8033 9A xor byte ptr [ebx], 0x9A004A2340 43 inc ebx004A2341 49 dec ecx004A2342 ^ 75 F9 jnz short 004A233D004A2344 90 nop004A2345 58 pop eax004A2346 58 pop eax004A2347 90 nop004A2348 8B44E4 1C mov eax, dword ptr [esp+0x1C]004A234C 8B5CE4 18 mov ebx, dword ptr [esp+0x18]004A2350 8B4CE4 14 mov ecx, dword ptr [esp+0x14]004A2354 8B54E4 10 mov edx, dword ptr 
[esp+0x10]004A2358 8B64E4 0C mov esp, dword ptr [esp+0xC]004A235C 8B6CE4 08 mov ebp, dword ptr [esp+0x8]004A2360 8B74E4 04 mov esi, dword ptr [esp+0x4]004A2364 8B3CE4 mov edi, dword ptr [esp]004A2367 B9 00020000 mov ecx, 0x200004A236C C1E1 06 shl ecx, 0x6004A236F C1E9 0C shr ecx, 0xC004A2372 83EC FC sub esp, -0x4004A2375 49 dec ecx004A2376 ^ 75 FA jnz short 004A2372004A2378 8B6C24 04 mov ebp, dword ptr [esp+0x4]004A237C B9 00020000 mov ecx, 0x200004A2381 C1E1 06 shl ecx, 0x6004A2384 C1E9 0C shr ecx, 0xC004A2387 44 inc esp004A2388 49 dec ecx004A2389 ^ 75 FC jnz short 004A2387004A238B 8B4C24 F8 mov ecx, dword ptr [esp-0x8]004A238F E8 00000000 call 004A2394004A2394 812C24 4C050000 sub dword ptr [esp], 0x54C 0x54C是新入口点和原来入口点的距离004A239B C3 retn============== 二进制:55 89 E5 51 B9 08 00 00 00 6A 00 49 75 FB 8B 4C 24 20 89 44 E4 1C 89 5C E4 18 89 4C E4 14 89 54 E4 10 89 64 E4 0C 89 6C E4 08 89 74 E4 04 89 3C E4 90 90 90 90 90 E8 00 00 00 00 58 25 00 F0 FF FF 66 81 38 4D 5A 74 07 2D 00 10 00 00 EB F2 50 8B D8 83 C3 3C 8B 1B 03 D8 8B D3 33 C9 66 8B 4B 06 33 C0 66 8B 43 14 83 C3 18 03 D8 90 49 83 C3 28 49 75 FA 90 83 C3 0C 8B 1B 03 1C 24 53 90 90 90 90 90 90 90 80 3B 5C 74 03 43 EB F8 80 7B 01 52 74 03 43 EB EF 80 7B 02 55 74 03 43 EB E6 80 7B 03 4E 74 03 43 EB DD 80 7B 04 45 74 03 43 EB D4 90 83 EB 05 B9 10 06 00 00 80 33 A7 4B 49 75F9 90 90 90 90 90 80 3B 54 74 03 43 EB F8 80 7B 01 50 74 03 43 EB EF 80 7B 02 46 74 03 43 EB E6 80 7B 03 30 74 03 43 EB DD 80 7B 04 0D 74 03 43 EB D4 80 7B 05 54 74 03 43 EB CB 90 90 83 C3 13 B9 B0 02 00 00 80 33 9A 43 49 75 F9 90 58 58 90 8B 44 E4 1C 8B 5C E4 18 8B 4C E4 14 8B 54 E4 10 8B 64 E4 0C 8B 6C E4 08 8B 74 E4 04 8B 3C E4 B9 00 02 00 00 C1 E1 06 C1 E9 0C 83 EC FC 49 75 FA 8B 6C 24 04 B9 00 02 00 00 C1 E1 06 C1 E9 0C 44 49 75 FC 8B 4C 24 F8 E8 00 00 00 00 81 2C 24 4C 05 00 00 C3