[原創逆向]Telock98加密過程分析(上)

看雪資料發表於2004-06-24

Telock98加密過程分析(上)

作者:lordor
Mail:lordor2#hotmail.com
來自:NukeGroup
網站:www.digitalnuke.com
逆向物件:Telock98

不知大家有沒有興趣研究PE加殼技術,我沒編寫過加殼器,但想了解,所以逆向了一下Telock的加殼過程。
在看本文前,最好了解一下pe32的格式。如果大家有什麼好的想法,Please let me know.

我們開始:
看一下加密過程用到什麼call,定位createfilea函式,來到如下:


00404A85  PUSH 180                                            ; |Message = LB_ADDSTRING
00404A8A  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404A90  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404A95  PUSH dumped_.00410B61                               ; /FileName = "C:\Documents and Settings\lordor\桌面\TELock098

\WinPE V1.0.exe.bak"
00404A9A  CALL <JMP.&kernel32.GetFileAttributesA>             ; \GetFileAttributesA  ==>檔案屬性
00404A9F  CMP EAX,-1
00404AA2  JE SHORT dumped_.00404AD8
00404AA4  AND EAX,1
00404AA7  JE SHORT dumped_.00404AD8
00404AA9  PUSH 24                                             ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
00404AAB  PUSH dumped_.0040B0B1                               ; |Title = "確認"
00404AB0  PUSH dumped_.0040AF18                               ; |Text = "檔案被防寫。您仍要加鎖嗎?"
00404AB5  PUSH DWORD PTR DS:[40EF28]                          ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
00404ABB  CALL <JMP.&user32.MessageBoxA>                      ; \MessageBoxA
00404AC0  CMP EAX,6
00404AC3  JNZ dumped_.0040568F
00404AC9  PUSH 80                                             ; /FileAttributes = NORMAL
00404ACE  PUSH dumped_.00410B61                               ; |FileName = "C:\Documents and Settings\lordor\桌面\TELock098

\WinPE V1.0.exe.bak"
00404AD3  CALL <JMP.&kernel32.SetFileAttributesA>             ; \SetFileAttributesA  ==>設定檔案屬性
00404AD8  XOR EAX,EAX
00404ADA  PUSH EAX                                            ; /hTemplateFile => NULL
00404ADB  PUSH 80                                             ; |Attributes = NORMAL
00404AE0  PUSH 3                                              ; |Mode = OPEN_EXISTING
00404AE2  PUSH EAX                                            ; |pSecurity => NULL
00404AE3  PUSH EAX                                            ; |ShareMode => 0
00404AE4  PUSH C0000000                                       ; |Access = GENERIC_READ|GENERIC_WRITE
00404AE9  PUSH dumped_.00410B61                               ; |FileName = "C:\Documents and Settings\lordor\桌面\TELock098

\WinPE V1.0.exe.bak"
00404AEE  CALL <JMP.&kernel32.CreateFileA>                    ; \CreateFileA
00404AF3  MOV DWORD PTR DS:[40EFF0],EAX
00404AF8  CMP EAX,-1
00404AFB  JNZ SHORT dumped_.00404B35
00404AFD  PUSH dumped_.0040AC83                               ; /lParam = 40AC83
00404B02  PUSH 0                                              ; |wParam = 0
00404B04  PUSH 180                                            ; |Message = LB_ADDSTRING
00404B09  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404B0F  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404B14  JMP dumped_.0040568F
00404B19  PUSH dumped_.0040AEB6                               ; /lParam = 40AEB6
00404B1E  PUSH 0                                              ; |wParam = 0
00404B20  PUSH 180                                            ; |Message = LB_ADDSTRING
00404B25  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404B2B  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404B30  JMP dumped_.0040568F
00404B35  PUSH 0                                              ; /pFileSizeHigh = NULL
00404B37  PUSH DWORD PTR DS:[40EFF0]                          ; |hFile = 000000A4 (window)
00404B3D  CALL <JMP.&kernel32.GetFileSize>                    ; \GetFileSize
00404B42  TEST EAX,EAX
00404B44  JG SHORT dumped_.00404B6D
00404B46  PUSH dumped_.0040ACB1                               ; /lParam = 40ACB1
00404B4B  PUSH 0                                              ; |wParam = 0
00404B4D  PUSH 180                                            ; |Message = LB_ADDSTRING
00404B52  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404B58  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404B5D  PUSH DWORD PTR DS:[40EFF0]                          ; /hObject = 000000A4 (window)
00404B63  CALL <JMP.&kernel32.CloseHandle>                    ; \CloseHandle
00404B68  JMP dumped_.0040568F
00404B6D  MOV DWORD PTR DS:[40F028],EAX
00404B72  MOV DWORD PTR DS:[40F02C],EAX
00404B77  CALL dumped_.00404864                               ;  據取得的檔案大小,再加0x1000大小進行分配記憶體
00404B7C  JE SHORT dumped_.00404B97
00404B7E  PUSH dumped_.0040ACDC                               ; /lParam = 40ACDC
00404B83  PUSH 0                                              ; |wParam = 0
00404B85  PUSH 180                                            ; |Message = LB_ADDSTRING
00404B8A  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404B90  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404B95  JMP SHORT dumped_.00404B5D
00404B97  CALL dumped_.0040483A                               ;  把檔案讀入記憶體
00404B9C  JE SHORT dumped_.00404BF4
00404B9E  PUSH dumped_.0040AD0E                               ; /lParam = 40AD0E
00404BA3  PUSH 0                                              ; |wParam = 0
00404BA5  PUSH 180                                            ; |Message = LB_ADDSTRING
00404BAA  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404BB0  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404BB5  CALL dumped_.0040488E
00404BBA  PUSH 0                                              ; /lParam = 0
00404BBC  PUSH DWORD PTR DS:[40EFE8]                          ; |wParam = C503D0
00404BC2  PUSH 170                                            ; |Message = STM_SETICON
00404BC7  PUSH DWORD PTR DS:[40EF98]                          ; |hWnd = 9D03EE
00404BCD  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404BD2  CMP BYTE PTR DS:[40F0AD],0
00404BD9  JNZ SHORT dumped_.00404B5D
00404BDB  PUSH 0                                              ; /lParam = 0
00404BDD  PUSH 0                                              ; |wParam = 0
00404BDF  PUSH 402                                            ; |Message = WM_USER+2
00404BE4  PUSH DWORD PTR DS:[40EFC8]                          ; |hWnd = 29038E
00404BEA  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404BEF  JMP dumped_.00404B5D
00404BF4  MOV EDI,DWORD PTR DS:[40F014]
00404BFA  PUSH dumped_.00410B61                               ; /lParam = 410B61
00404BFF  PUSH 0                                              ; |wParam = 0
00404C01  PUSH 180                                            ; |Message = LB_ADDSTRING
00404C06  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404C0C  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404C11  PUSH dumped_.00409FE7                               ; /lParam = 409FE7
00404C16  PUSH 0                                              ; |wParam = 0
00404C18  PUSH 180                                            ; |Message = LB_ADDSTRING
00404C1D  PUSH DWORD PTR DS:[40EFA8]                          ; |hWnd = 7B0392
00404C23  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404C28  PUSH 0                                              ; /lParam = 0
00404C2A  PUSH 64                                             ; |wParam = 64
00404C2C  PUSH 402                                            ; |Message = WM_USER+2
00404C31  PUSH DWORD PTR DS:[40EFC8]                          ; |hWnd = 29038E
00404C37  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404C3C  PUSH 0                                              ; /lParam = 0
00404C3E  PUSH DWORD PTR DS:[40EFE4]                          ; |wParam = 4A03F4
00404C44  PUSH 170                                            ; |Message = STM_SETICON
00404C49  PUSH DWORD PTR DS:[40EF98]                          ; |hWnd = 9D03EE
00404C4F  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404C54  PUSH 0                                              ; /lParam = 0
00404C56  PUSH 0                                              ; |wParam = 0
00404C58  PUSH 0F0                                            ; |Message = BM_GETCHECK
00404C5D  PUSH DWORD PTR DS:[40EF4C]                          ; |hWnd = 5E02DE
00404C63  CALL <JMP.&user32.SendMessageA>                     ; \SendMessageA
00404C68  CMP EAX,1
00404C6B  JE SHORT dumped_.00404C72
00404C6D  CALL dumped_.00406465                               ;  備份
00404C72  PUSH EDI                                            ; /Arg1 = 00D50000
00404C73  CALL dumped_.00405905                               ; \是否加密判斷,請看下面分析
00404C78  JB dumped_.00404BB5
00404C7E  PUSH dumped_.00409FE7                                    ; /lParam = 409FE7
00404C83  PUSH 0                                                   ; |wParam = 0
00404C85  PUSH 180                                                 ; |Message = LB_ADDSTRING
00404C8A  PUSH DWORD PTR DS:[40EFA8]                               ; |hWnd = 7B0392
00404C90  CALL <JMP.&user32.SendMessageA>                          ; \SendMessageA
00404C95  MOV EAX,DWORD PTR DS:[EDI+3C]
00404C98  MOV DWORD PTR SS:[EBP-10],EAX
00404C9B  ADD EDI,EAX
00404C9D  MOV DWORD PTR SS:[EBP-18],EDI
00404CA0  MOV EAX,DWORD PTR DS:[EDI+3C]
00404CA3  CMP EAX,200
00404CA8  JE SHORT dumped_.00404CF5
00404CAA  PUSHAD
00404CAB  PUSH EAX                                                 ; /<%.4lX>
00404CAC  PUSH dumped_.0040AF77                                    ; |Format = "已調整檔案佇列: %.4lXh -> 0200h"
00404CB1  PUSH dumped_.00410D2D                                    ; |s = dumped_.00410D2D
00404CB6  CALL <JMP.&user32.wsprintfA>                             ; \wsprintfA
00404CBB  ADD ESP,0C
00404CBE  PUSH dumped_.00410D2D                                    ; /lParam = 410D2D
00404CC3  PUSH 0                                                   ; |wParam = 0
00404CC5  PUSH 180                                                 ; |Message = LB_ADDSTRING
00404CCA  PUSH DWORD PTR DS:[40EFA8]                               ; |hWnd = 7B0392
00404CD0  CALL <JMP.&user32.SendMessageA>                          ; \SendMessageA

...(待續)....


-------------------------------------------------
00404C73  CALL dumped_.00405905:

00405905  ENTER 4,0
00405909  PUSHAD
0040590A  AND DWORD PTR SS:[EBP-4],0
0040590E  AND DWORD PTR DS:[40F020],0
00405915  AND DWORD PTR DS:[40F024],0
0040591C  MOV EDI,DWORD PTR SS:[EBP+8]             ;  對映記憶體的地址
0040591F  CMP WORD PTR DS:[EDI],5A4D               ;  是dos格式嗎
00405924  JE SHORT dumped_.00405935
00405926  PUSH dumped_.0040B404                    ; /Arg1 = 0040B404
0040592B  CALL dumped_.00405D08                    ; \dumped_.00405D08
00405930  JMP dumped_.00405CEE
00405935  MOV EAX,DWORD PTR DS:[EDI+3C]
00405938  CMP EAX,DWORD PTR DS:[40F028]            ;  是否到檔案尾
0040593E  JL SHORT dumped_.00405942
00405940  JMP SHORT dumped_.00405926
00405942  ADD EDI,EAX                              ;  加基址,定位到pe頭
00405944  CMP DWORD PTR DS:[EDI],4550              ;  是否為pe檔案
0040594A  JE SHORT dumped_.0040594E
0040594C  JMP SHORT dumped_.00405926
0040594E  CMP DWORD PTR DS:[EDI+3C],200            ;  檔案對齊是否為200
00405955  JGE SHORT dumped_.00405966
00405957  PUSH dumped_.0040B606                    ; /Arg1 = 0040B606
0040595C  CALL dumped_.00405D08                    ; \dumped_.00405D08
00405961  JMP dumped_.00405CEE
00405966  TEST DWORD PTR DS:[EDI+F4],100000        ;  pe頭+f4處,此為保留值,看是否為100000,加密標誌
00405970  JE SHORT dumped_.004059A8
00405972  PUSH dumped_.0040B57C                    ; /Arg1 = 0040B57C
00405977  CALL dumped_.00405D08                    ; \dumped_.00405D08
0040597C  PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
0040597E  PUSH dumped_.0040B297                    ; |Title = "確認"
00405983  PUSH dumped_.0040B29F                    ; |Text = "該檔案似乎已被壓縮或加密。
您真要繼續嗎?"
00405988  PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
0040598E  CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00405993  CMP EAX,6
00405996  JNZ dumped_.00405CEE
0040599C  MOV DWORD PTR DS:[EDI+F4],0
004059A6  JMP SHORT dumped_.004059F6
004059A8  TEST DWORD PTR DS:[EDI+F4],200000        ;  PE頭+0xf4處是否為200000,是則出錯,這個就是telock的加密標誌
004059B2  JE SHORT dumped_.004059C3
004059B4  PUSH dumped_.0040B555                    ; /Arg1 = 0040B555
004059B9  CALL dumped_.00405D08                    ; \dumped_.00405D08
004059BE  JMP dumped_.00405CEE
004059C3  CMP DWORD PTR DS:[EDI+F4],0              ;  是否為0,未加密
004059CA  JE SHORT dumped_.004059F6
004059CC  PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
004059CE  PUSH dumped_.0040B297                    ; |Title = "確認"
004059D3  PUSH dumped_.0040B29F                    ; |Text = "該檔案似乎已被壓縮或加密。
您真要繼續嗎?"
004059D8  PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
004059DE  CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
004059E3  CMP EAX,6
004059E6  JNZ dumped_.00405CEE
004059EC  MOV DWORD PTR DS:[EDI+F4],0
004059F6  CMP DWORD PTR DS:[EDI+9C],0              ;  certificate table size是否為0
004059FD  JE SHORT dumped_.00405A0E
004059FF  PUSH dumped_.0040B483                    ; /Arg1 = 0040B483
00405A04  CALL dumped_.00405D08                    ; \dumped_.00405D08
00405A09  JMP dumped_.00405CEE
00405A0E  CMP DWORD PTR DS:[EDI+8],4F434550        ;  比較Timedatestamp,是否為2012年
00405A15  JNZ SHORT dumped_.00405A37
00405A17  PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
00405A19  PUSH dumped_.0040B297                    ; |Title = "確認"
00405A1E  PUSH dumped_.0040B384                    ; |Text = "該檔案已被其他工具加密或壓縮。
您真要繼續嗎?(不推薦)"
00405A23  PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
00405A29  CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00405A2E  CMP EAX,6
00405A31  JNZ dumped_.00405CEE
00405A37  MOVZX EDX,WORD PTR DS:[EDI+14]           ;  可選頭大小
00405A3B  ADD EDX,18                               ;  加Filehead
00405A3E  LEA ESI,DWORD PTR DS:[EDI+EDX]           ;  定位到節表啦
00405A41  MOV EAX,DWORD PTR DS:[EDI+28]            ;  入口地址
00405A44  TEST EAX,EAX
00405A46  JE SHORT dumped_.00405A93
00405A48  CMP EAX,DWORD PTR DS:[ESI+C]             ;  esi+c為節表的起始roffset
00405A4B  JGE SHORT dumped_.00405A93
00405A4D  PUSH dumped_.0040B41E                    ; /Arg1 = 0040B41E
00405A52  CALL dumped_.00405D08                    ; \dumped_.00405D08
00405A57  JMP dumped_.00405CEE
00405A5C  CMP DWORD PTR SS:[EBP-4],0
00405A60  JNZ dumped_.00405B93
00405A66  PUSH ECX
00405A67  PUSH EDX
00405A68  PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
00405A6A  PUSH dumped_.0040B297                    ; |Title = "確認"
00405A6F  PUSH dumped_.0040B384                    ; |Text = "該檔案已被其他工具加密或壓縮。
您真要繼續嗎?(不推薦)"
00405A74  PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
00405A7A  CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00405A7F  POP EDX
00405A80  POP ECX
00405A81  CMP EAX,6
00405A84  JNZ dumped_.00405CEE
00405A8A  OR DWORD PTR SS:[EBP-4],1
00405A8E  JMP dumped_.00405B93
00405A93  CMP EAX,DWORD PTR DS:[ESI+34]            ;  與下一節的記憶體偏移比較,這裡是判斷入口點是否在第一個節中
00405A96  JBE SHORT dumped_.00405AB8
00405A98  PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
00405A9A  PUSH dumped_.0040B297                    ; |Title = "確認"
00405A9F  PUSH dumped_.0040B2F5                    ; |Text = "該檔案的入口點大於區段 2 的 RVA。原因可能是該檔案
已被加密或壓縮。您真要繼續嗎?"
00405AA4  PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00340288 ('tElock v0.98',class='tEWinClass')
00405AAA  CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00405AAF  CMP EAX,6
00405AB2  JNZ dumped_.00405CEE
00405AB8  MOVZX ECX,WORD PTR DS:[EDI+6]            ;  節表的個數
00405ABC  XOR EBX,EBX
00405ABE  CMP DWORD PTR DS:[ESI],7073612E
00405AC4  JE SHORT dumped_.00405A5C                ;  節表名字是:.asp嗎,以下判斷節表名字,看是否加過密
00405AC6  CMP DWORD PTR DS:[ESI],30585055          ;  是upx0?
00405ACC  JE SHORT dumped_.00405A5C
00405ACE  CMP DWORD PTR DS:[ESI],21585055          ;  upx!  ?
00405AD4  JE SHORT dumped_.00405A5C
00405AD6  CMP DWORD PTR DS:[ESI],6C6B702E          ;  .pkl
00405ADC  JE dumped_.00405A5C
00405AE2  CMP DWORD PTR DS:[ESI],7268732E          ;  .shr
00405AE8  JE dumped_.00405A5C
00405AEE  CMP DWORD PTR DS:[ESI],5057572E          ;  .wwp
00405AF4  JE dumped_.00405A5C
00405AFA  CMP DWORD PTR DS:[ESI],7972432E          ;  .cry
00405B00  JE dumped_.00405A5C
00405B06  CMP DWORD PTR DS:[ESI],7268732E          ;  .shr
00405B0C  JE dumped_.00405A5C
00405B12  CMP DWORD PTR DS:[ESI],5057572E          ;  .wwp
00405B18  JE dumped_.00405A5C
00405B1E  CMP DWORD PTR DS:[ESI],31636570          ;  pec1
00405B24  JE dumped_.00405A5C
00405B2A  CMP DWORD PTR DS:[ESI],48534550          ;  pesh
00405B30  JE dumped_.00405A5C
00405B36  CMP DWORD PTR DS:[ESI],4F4C4550          ;  pelo
00405B3C  JE dumped_.00405A5C
00405B42  CMP DWORD PTR DS:[ESI],464A422E          ;  .BJF
00405B48  JE dumped_.00405A5C
00405B4E  CMP DWORD PTR DS:[ESI],6369662E          ;  .fic
00405B54  JE dumped_.00405A5C
00405B5A  CMP DWORD PTR DS:[ESI],41504550          ;  PEPA
00405B60  JE dumped_.00405A5C
00405B66  CMP DWORD PTR DS:[ESI],41746942          ;  BitA
00405B6C  JE dumped_.00405A5C
00405B72  CMP DWORD PTR DS:[ESI],6F656E2E          ;  .neo
00405B78  JE dumped_.00405A5C
00405B7E  CMP DWORD PTR DS:[ESI],30455354          ;  TSE0
00405B84  JE dumped_.00405A5C
00405B8A  CMP DWORD PTR DS:[ESI],0                 ;  節表名字是0嗎
00405B8D  JE dumped_.00405A5C
00405B93  MOV EAX,DWORD PTR DS:[ESI+10]            ;  節在檔案中大小 Rsize
00405B96  CMP DWORD PTR DS:[ESI+8],EAX             ;  與記憶體中的大小比較 Vsize
00405B99  JGE SHORT dumped_.00405B9E
00405B9B  |>MOV DWORD PTR DS:[ESI+8],EAX             ;  改成與檔案的大小一樣
00405B9E  |>MOV EAX,DWORD PTR DS:[ESI+C]             ;  檔案偏移
00405BA1  |>ADD EAX,DWORD PTR DS:[ESI+10]            ;  加上檔案中節的大小
00405BA4  |>CMP EAX,DWORD PTR DS:[EDI+50]            ;  比較sizeofimage
00405BA7  |>JLE SHORT dumped_.00405BB8
00405BA9  PUSH dumped_.0040B4BC                    ; /Arg1 = 0040B4BC
00405BAE  CALL dumped_.00405D08                    ; \dumped_.00405D08
00405BB3  JMP dumped_.00405CEE
00405BB8  MOV EAX,DWORD PTR DS:[ESI+14]            ;  檔案偏移
00405BBB  TEST EAX,EAX
00405BBD  JE SHORT dumped_.00405BD8
00405BBF  ADD EAX,DWORD PTR DS:[ESI+10]            ;  加上Rsize
00405BC2  CMP EBX,EAX
00405BC4  JGE SHORT dumped_.00405BD8
00405BC6  PUSH ECX
00405BC7  MOV ECX,DWORD PTR DS:[EDI+3C]            ;  檔案對齊
00405BCA  XOR EDX,EDX
00405BCC  DIV ECX
00405BCE  TEST EDX,EDX
00405BD0  JE SHORT dumped_.00405BD3
00405BD2  INC EAX
00405BD3  MUL ECX
00405BD5  POP ECX
00405BD6  MOV EBX,EAX
00405BD8  ADD ESI,28                               ;  下一節
00405BDB  DEC ECX
00405BDC  JG dumped_.00405ABE
00405BE2  |>CMP EBX,DWORD PTR DS:[40F028]
00405BE8  |>JNB dumped_.00405CCC
00405BEE  |>PUSH 0                                   ; /lParam = 0
00405BF0  |>PUSH 0                                   ; |wParam = 0
00405BF2  |>PUSH 0F0                                 ; |Message = BM_GETCHECK
00405BF7  |>PUSH DWORD PTR DS:[40EF48]               ; |hWnd = 1027E
00405BFD  |>CALL <JMP.&user32.SendMessageA>          ; \SendMessageA
00405C02  |>CMP EAX,1
00405C05  |>JNZ SHORT dumped_.00405C45
00405C07  |>SUB EBX,DWORD PTR DS:[40F028]
00405C0D  |>/NEG EBX
00405C0F  |>\JS SHORT dumped_.00405C0D
00405C11  |>PUSH EBX                                 ; /<%d>
00405C12  |>PUSH dumped_.0040AF50                    ; |Format = "已找到檔案重複佔位段,截去了 %d 位元組。"
00405C17  |>PUSH dumped_.00410D2D                    ; |s = dumped_.00410D2D
00405C1C  |>CALL <JMP.&user32.wsprintfA>             ; \wsprintfA
00405C21  |>ADD ESP,0C
00405C24  |>PUSH dumped_.00410D2D                    ; /lParam = 410D2D
00405C29  |>PUSH 0                                   ; |wParam = 0
00405C2B  |>PUSH 180                                 ; |Message = LB_ADDSTRING
00405C30  |>PUSH DWORD PTR DS:[40EFA8]               ; |hWnd = 102A4
00405C36  |>CALL <JMP.&user32.SendMessageA>          ; \SendMessageA
00405C3B  |>CALL dumped_.004067EB
00405C40  |>JMP dumped_.00405CCC
00405C45  |>MOV EAX,EBX
00405C47  |>XOR EDX,EDX
00405C49  |>MOV ECX,DWORD PTR DS:[EDI+38]
00405C4C  |>DIV ECX
00405C4E  |>TEST EDX,EDX
00405C50  |>JE SHORT dumped_.00405C53
00405C52  |>INC EAX
00405C53  |>MUL ECX
00405C55  |>CMP EAX,DWORD PTR DS:[40F028]
00405C5B  |>JNZ SHORT dumped_.00405C79
00405C5D  |>PUSH 24                                  ; /Style = MB_YESNO|MB_ICONQUESTION|MB_APPLMODAL
00405C5F  |>PUSH dumped_.0040B28F                    ; |Title = "確認"
00405C64  |>PUSH dumped_.0040B1C0                    ; |Text = "已檢測到重複佔位段 - 大小匹配檔案的物理結尾與
下一個佇列邊界之間的差距。原因可能是使用了一
個邊界連結器且在大多數情況下能被截去...
您要刪除該重複佔位段嗎?"
00405C69  |>PUSH DWORD PTR DS:[40EF28]               ; |hOwner = 00030262 ('tElock v0.98',class='tEWinClass')
00405C6F  |>CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00405C74  |>CMP EAX,6
00405C77  |>JE SHORT dumped_.00405CCC
00405C79  |>MOV ESI,EBX
00405C7B  |>SUB EBX,DWORD PTR DS:[40F028]
00405C81  |>/NEG EBX
00405C83  |>\JS SHORT dumped_.00405C81
00405C85  |>MOV DWORD PTR DS:[40F024],EBX
00405C8B  |>PUSH 4                                   ; /Protect = PAGE_READWRITE
00405C8D  |>PUSH 1000                                ; |AllocationType = MEM_COMMIT
00405C92  |>PUSH EBX                                 ; |Size
00405C93  |>PUSH 0                                   ; |Address = NULL
00405C95  |>CALL <JMP.&kernel32.VirtualAlloc>        ; \VirtualAlloc
00405C9A  |>TEST EAX,EAX
00405C9C  |>JNZ SHORT dumped_.00405CAA
00405C9E  |>PUSH dumped_.0040B4BC                    ; /Arg1 = 0040B4BC
00405CA3  |>CALL dumped_.00405D08                    ; \dumped_.00405D08
00405CA8  |>JMP SHORT dumped_.00405CEE
00405CAA  |>MOV DWORD PTR DS:[40F020],EAX
00405CAF  |>MOV EDI,EAX
00405CB1  |>MOV ECX,DWORD PTR DS:[40F024]
00405CB7  |>ADD ESI,DWORD PTR DS:[40F014]
00405CBD  |>MOV EAX,ECX
00405CBF  |>AND EAX,3
00405CC2  |>SHR ECX,2
00405CC5  |>CLD
00405CC6  |>REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00405CC8  |>MOV ECX,EAX
00405CCA  |>REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00405CCC  |>PUSH dumped_.0040B5EF                    ; /lParam = 40B5EF
00405CD1  |>PUSH 0                                   ; |wParam = 0
00405CD3  |>PUSH 180                                 ; |Message = LB_ADDSTRING
00405CD8  |>PUSH DWORD PTR DS:[40EFA8]               ; |hWnd = 102A4
00405CDE  |>CALL <JMP.&user32.SendMessageA>          ; \SendMessageA
00405CE3  |>CALL dumped_.004067EB
00405CE8  |>POPAD
00405CE9  |>CLC
00405CEA  |>LEAVE
00405CEB  |>RETN 4
----------------------------------------------

總結:這是Telock加密的第一部分,判斷是否加密等,為後面進一步加密作準備。

By lordor  6.24

相關文章