The Art of Reversing by Ap0x - Tutoriali.org
004010CB  |.  83E9 01         SUB ECX,1
004010CE  |.  43              INC EBX
004010CF  |.  83F9 00         CMP ECX,0
004010D2  |.^ 75 F4           JNZ SHORT unpackme.004010C8
004010D4  |.  8BD8            MOV EBX,EAX
004010D6  |.  B9 54010000     MOV ECX,154
004010DB  |>  8033 11         XOR BYTE PTR DS:[EBX],11
004010DE  |.  83E9 01         SUB ECX,1
004010E1  |.  43              INC EBX
004010E2  |.  83F9 00         CMP ECX,0
004010E5  |.^ 75 F4           JNZ SHORT unpackme.004010DB
004010E7  |.  58              POP EAX
004010E8  \.  C3              RET
As we can see, the address 00401007 is placed in EBX and 7F bytes starting at that address are XORed with 7h; after that, 154h bytes starting at address 004010F5 are XORed with 11h. Since there is no need to step through all of these loops, we will press CTRL + F9, which executes this CALL and returns us to the address that follows once the RET instruction has run:
004010B5  |.  50              PUSH EAX                      ; unpackme.004010F5
004010B6  |.  E8 7EFFFFFF     CALL unpackme.00401039
004010BB  |.  58              POP EAX
004010BC  \.  C3              RET
As we can see, this took us to the second CALL inside the outer CALL. Now we will use F7 to step into this second CALL as well:
00401007  .  /EB 27          JMP SHORT unpackme.00401030
00401009  .  |43 72 43 20 6> ASCII "CrC of this file"
00401019  .  |20 68 61 73 2> ASCII " has been modifi"
00401029  .  |65 64 20 21 2> ASCII "ed !!!",0
00401030  >  \EB 07          JMP SHORT unpackme.00401039
00401032  .   45 72 72 6F 7> ASCII "Error:",0
00401039  $   50             PUSH EAX                      ; unpackme.004010F5
0040103A  .   8BD8           MOV EBX,EAX
0040103C  .   B9 54010000    MOV ECX,154
00401041  .   BA 00000000    MOV EDX,0
00401046  >   0313           ADD EDX,DWORD PTR DS:[EBX]
00401048  .   83E9 01        SUB ECX,1
0040104B  .   43             INC EBX
0040104C  .   83F9 00        CMP ECX,0
0040104F  .^  75 F5          JNZ SHORT unpackme.00401046
00401051  .   B8 4A124000    MOV EAX,unpackme.0040124A
00401056  .   BE 80124000    MOV ESI,unpackme.00401280
0040105B  .   50             PUSH EAX
0040105C  .   56             PUSH ESI
0040105D  .   E8 28000000    CALL unpackme.0040108A
00401062  .   81FA B08DEB31  CMP EDX,31EB8DB0
00401068  .   74 19          JE SHORT unpackme.00401083
0040106A  .   6A 30          PUSH 30
0040106C  .   68 32104000    PUSH 00401032                 ; ASCII "Error:"
00401071  .   68 09104000    PUSH 00401009                 ; ASCII "CrC of this file has been modified !!!"
00401076  .   6A 00          PUSH 0
00401078  .   E8 E5010000    CALL unpackme.00401262
0040107D  .   50             PUSH EAX
0040107E  .   E8 F1010000    CALL unpackme.00401274
00401083  >   E9 96010000    JMP unpackme.0040121E
00401088  .   58             POP EAX
00401089  .   C3             RET
This is a somewhat longer CALL, but I have split it into sections so that you can follow what happens here more easily. We will go through the analysis by the color-coded sections. The green part consists only of the messages that are shown if we have modified this file, and since we have not done that, we will not worry about it.
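To make the two loops concrete, the following is an added re-implementation of what the listings above do: the two XOR decode passes from the first CALL, then the checksum loop from the second CALL, which adds a DWORD at every byte offset of the 154h-byte window and compares the 32-bit result with 31EB8DB0. This is example code written for this page, not the book's or the unpackme's own code; the addresses, counts, keys and the constant are read from the listings, while the image buffer and its base address are constructed stand-ins, so the real file's pass/fail result is not reproduced here.

```python
import struct

MASK32 = 0xFFFFFFFF

# Values taken from the listings: (start address, byte count, XOR key)
XOR_PASSES = [(0x00401007, 0x7F, 0x07), (0x004010F5, 0x154, 0x11)]
# Checksum window and the constant it is compared with (CMP EDX,31EB8DB0)
CHECK_START, CHECK_COUNT, EXPECTED = 0x004010F5, 0x154, 0x31EB8DB0


def xor_decode(image, base, addr, count, key):
    """The XOR BYTE PTR DS:[EBX],key / INC EBX loop, applied in place to
    `image`, a bytearray assumed to be mapped at address `base`."""
    off = addr - base
    if off < 0 or off + count > len(image):
        raise ValueError("XOR window runs past the image")
    for i in range(off, off + count):
        image[i] ^= key


def sliding_sum(image, base, addr, count):
    """The ADD EDX,DWORD PTR DS:[EBX] / INC EBX loop. EBX advances one byte
    per iteration, so consecutive DWORD reads overlap by three bytes and
    the last read reaches 3 bytes past the counted range. EDX wraps at 32 bits."""
    off = addr - base
    if off < 0 or off + count + 3 > len(image):
        raise ValueError("checksum window runs past the image")
    total = 0
    for i in range(off, off + count):
        total = (total + struct.unpack_from("<I", image, i)[0]) & MASK32
    return total


def run_self_check(image, base):
    """First CALL (both XOR passes), then second CALL (sum and compare).
    Returns (passed, computed_sum) so a mismatch can be inspected."""
    for addr, count, key in XOR_PASSES:
        xor_decode(image, base, addr, count, key)
    total = sliding_sum(image, base, CHECK_START, CHECK_COUNT)
    return total == EXPECTED, total


if __name__ == "__main__":
    # Constructed stand-in for the unpackme's image: 0x400 zero bytes at 00401000
    passed, total = run_self_check(bytearray(0x400), 0x00401000)
    print(f"sum=0x{total:08X} expected=0x{EXPECTED:08X} passed={passed}")
```

Note that the checksum runs over the bytes after the XOR pass, so the constant only matches the decoded contents; the XOR pass at 00401007 ends at 00401086 and does not overlap the window starting at 004010F5.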
The Art of Reversing by Ap0x Page 252 of 293