灰鸽子---你还敢玩么!

今天心情不错,因为今天院长派了一个非常PL的师姐给我们上课,呵呵,我们要好好学习这门课!!

闲话不说了,鸽子大家没有人不知道把,大家都在玩,可是你注意到他的安全性么,他会出卖你的哦,把你好不容易攒的小鸡鸡都归别人所有哦!想知道他是怎么出卖你的就请看下文把!

话说我正和师姐聊天(我保证是.再谈论学习的事情),我的一个群里有个牛X的人说谁帮忙测试马,我正巧没有事就下载下来看看咯,一个Upack 0.3.9 beta2s -> Dwing加壳的下载器大小16.3K ,脱壳后修复后大小120K用Borland Delphi 6.0 - 7.0编写,非常常规的下载器,改时间,创建批处理删除自己,创建autorun.inf在每个驱动器下,修改Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun,并且调用IE下载鸽子

该鸽子加了eXPressor 1.3.0 -> CGSoftLabs

这个壳前面加了好多的花和异常,用IDA分析到0050691E

x_cod:00506919                    jmp        loc_5067B8
.ex_cod:00506919
.ex_cod:0050691E ; ---------------------------------------------------------------------------
.ex_cod:0050691E
.ex_cod:0050691E loc_50691E:                                ; CODE XREF: start+18F j
.ex_cod:0050691E                    push       8000h              ; dwFreeType
.ex_cod:00506923                    push       0                  ; dwSize

OD加载跳.过,00506B42      |.^\E9 F5FDFFFF        \JMP        boot.0050693C
00506B47      |>     A1 88605000        MOV        EAX, DWORD PTR DS:[506088]

和00506CB0      |.     894D CC            |MOV        [LOCAL.13], ECX
00506CB3      |.^ E9 BBFEFFFF        \JMP        boot.00506B73
00506CB8      |>     A1 08755000        MOV        EAX, DWORD PTR DS:[507508]

2个大循环,F8往下看eXPressor结束,到00401000

00506CFF      |.     5D                 POP        EBP                         ;     0012FED0
00506D00      |.- FFE0               JMP        EAX                          ;跳到OEP到00401000
005.06D02      |>     5F                 POP        EDI                              ;     0012FED0

往下走会见到异常跳到

004C4D13        B8 C12E0100          MOV        EAX, 12EC1
004C4D18        BA 00004000          MOV        EDX, boot.00400000         ; ASCII "MZP"
004C4D1D        03C2                 ADD        EAX, EDX
004C4D1F      - FFE0                 JMP        EAX                                     ;跳到00412EC1

00412.EC1        50                   PUSH       EAX
00412EC2        58                   POP        EAX                                              ; 0012FED0
00412EC3        6A 20                PUSH       20
00412EC5        6A E0                PUSH       -20
00412EC7        41                   INC        ECX
00412EC8        49                   DEC        ECX
00412EC9        0F82 2F1F0600        JB         boot.00474DFE                   ;花啊
00412ECF        0F83 291F0600        JNB        boot.00474DFE

跳啊跳

004A21B9        55                   PUSH       EBP
004A21BA        8BEC                 MOV        EBP, ESP
004A21BC        53                   PUSH       EBX                                              ; boot.00413734
004A21BD        56                   PUSH       ESI                                              ; ntdll.7C9305C8
004A21BE        57                   PUSH       EDI
004A21BF        BB 00504000          MOV        EBX, boot.00405000
004A21C4        66:2E:F705 342040>TEST       WORD P.TR CS:[402034], 4
004A21CE        0F85 98000000        JNZ        boot.004A226C
004A21D4        B8 481E4A00          MOV        EAX, boot.004A1E48
004A21D9        FFD0                 CALL       EAX                                    ;004A1E48  

F7往下走发现有一个壳开始了!

004C2000        60                   PUSHAD
004C2001        B9 02000000          MOV        ECX, 2
004C2006        FC                   CLD
004C2007        E8 00000000          CALL       boot.004C200C
004C200C        5D                   POP        EBP                                              ; 0012FED0
004C200D        81ED 83174000        SUB        EBP, boot.00401783
004C2013        8DB5 CE174000        LEA        ESI, DWORD PTR SS:[EBP+4017CE]
004C2019        51                   PUSH       ECX
004C201A        AD                   LODS       DWORD PTR DS:[ESI]
004C201B        8BC8                 MOV        ECX, EAX
004C201D        AD                   LODS       DWORD PTR DS:[ESI]
004C201E        8BF8                 MOV        EDI, EAX
004C2020        56                   PUSH       ESI                                              ; ntdll.7C9305C8
004C2021        8BF7                 MOV        ESI, EDI
004C2023        AC                   LODS       BYTE PTR DS:[ESI]
004C2024        C0C8 03              ROR        AL, 3
004C2027        34 FF                XOR        AL, 0FF
004C2029        AA                   STOS       BYTE PTR ES:[EDI]
004C202A      ^ E2 F7                LOOPD      SHORT boot.004C2023
004C202C        5E                   POP        ESI                                              ; 0012FED0
004C202D        59                   POP        ECX                                              ; 0012FED0
004C202E        8D85 90174000        LEA        EAX, DWORD PTR SS:[EBP+401790]
004C2034        49                   DEC        ECX
004C2035        E3 02                JECXZ      SHORT boot.004C2039
004C2037      - FFE0                 JMP        EAX
004C2039        B9 05000000          MOV        ECX, 5

看下面

0049C802        68 E07E4A00          PUSH       boot.004A7EE0                ; ASCII "??
0049C807        BA B8CC4900          MOV        EDX, boot.0049CCB8        ; ASCII "REKCAH"
0049C80C        B9 02000000          MOV        ECX, 2
0049C811        B8 0A000000          MOV        EAX, 0A
0049C816        E8 A90D0000          CALL       boot.0049D5C4
0049C81B        84C0                 TEST       AL, AL
0049C81D        0F84 4C040000        JE         boot.0049CC6F
0049C823        B2 01                MOV        DL, 1
0049C825        A1 E8364100          MOV        EAX, DWORD PTR DS:[4136E8]
0049C82A        E8 4D73F6FF          CALL       boot.00403B7C
0049C82F        8945 F8              MOV        DWORD PTR SS:[EBP-8], EAX
0049C832        8D4D F4              LEA        ECX, DWORD PTR SS:[EBP-C]
0049C835        BA C8CC4900          MOV        EDX, boot.0049CCC8                ; ASCII "20050101"
0049C83A        A1 E07E4A00          MOV        EAX, DWORD PTR DS:[4A7EE0]
0049C83F        E8 80ECFBFF          CALL       boot.0045B4C4
0049C844        8B55 F4              MOV        EDX, DWORD PTR SS:[EBP-C]
0049C847        8B45 F8              MOV        EAX, DWORD PTR SS:[EBP-8]
0049C84A        8B08                 MOV        ECX, DWORD PTR DS:[EAX]
0049C84C        FF51 2C              CALL       DWORD PTR DS:[ECX+2C]
0049C84F        8D4D F0              LEA        ECX, DWORD PTR SS:[EBP-10]
0049C852        BA 01000000          MOV        EDX, 1
0049C857        8B45 F8              MOV        EAX, DWORD PTR SS:[EBP-8]
0049C85A        8B18                 MOV        EBX, DWORD PTR DS:[EAX]
0049C85C        FF53 0C              CALL       DWORD PTR DS:[EBX+C]                ; boot.00417850
0049C85F        8B55 F0              MOV        EDX, DWORD PTR SS:[EBP-10]        ;域名
0049C862        B8 147F4A00          MOV        EAX, boot.004A7F14
0049C867        E8 8481F6FF          CALL       boot.004049F0
0049C86C        8D4D EC              LEA        ECX, DWORD PTR SS:[EBP-14]
0049C86F        BA 02000000          MOV        EDX, 2
0049C874        8B45 F8              MOV        EAX, DWORD PTR SS:[EBP-8]         ;张号
0049C877        8B18                 MOV        EBX, DWORD PTR DS:[EAX]
0049C879        FF53 0C              CALL       DWORD PTR DS:[EBX+C]                ; boot.00417850
0049C87C        8B55 EC              MOV        EDX, DWORD PTR SS:[EBP-14]        ;密码
0049C87F        B8 187F4A00          MOV        EAX, boot.004A7F18

别的我就不多说什么了。