[ What is PESpin? ]

- A protector and compressor for Windows file formats (EXE, DLL), written in pure assembly
- Distributed at http://pespin.w.interia.pl
- Judging from the .pl domain extension, it appears to have been made by a Polish developer
- Can pack not only the code section but also the data and resource sections
- Usable on Windows XP/Vista/7
- Supports both 32-bit and 64-bit
- 100% free (donations accepted)

[ download ]

32-bit
http://pespin.w.interia.pl/pespin132.rar

64-bit
http://pespin.w.interia.pl/pespin_v12_x64.rar


[ Today's example program ]

===========================================================================

#include <windows.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	MessageBox(HWND_DESKTOP, "Hello Win32", "", MB_OK);
	return 0;
}


===========================================================================

 
[ PESpin interface (as of v1.32) ]


- Run screen


- Interface summary
	[Menu]
	- File -> Open : Opens the file to pack.
	- File -> Exit : Exit

	[Tabs]
	- PE Spin tab : 
	- Settings : Selects the various packing options.

	[Buttons]
	- Protect File button : Starts packing. A file must be selected first.
	- Open File button : Opens the file to pack. 
	- Exit button : Exit 


[ Basic packing test ]

- Open the example program, then click the Protect File button




[ Checking the result ]

- Size comparison

Before : 36846 Bytes
After  : 32768 Bytes


- PEiD result comparison




- PEView result comparison




[ Starting manual unpacking (with OllyDbg) ]

- Opening the file

The following warning message appears. (-> OK)



This is because the Entry Point specified in the PE header lies outside the CODE section range, which is also specified in the PE header; this is a typical characteristic of packed binaries.



Clever Olly also tells us that the file is compressed. (-> Yes) 




- Checking for anti-debugging

Press F9 (run); if the example program's "Hello Win32" message box appears, there is no anti-debugging.

Hooray
(Depending on OllyDbg's settings, Access violation, division by zero, or Privileged instruction exceptions may or may not appear along the way. If they do, press Shift+F9 to ignore them.)




[ Manual unpacking: first method ]

Open the packed file and press F8 once to execute the jmp instruction located at the entry point.



Then the pushad instruction appears,



This pushad backs up all the current registers onto the stack.

The instruction paired with pushad is popad, which restores the backed-up registers.

Many packers execute pushad before running their own code, 

so as not to disturb the flow of the original program.

So they do pushad first like this, and once the packer's work is done, they do popad again.

The first unpacking method makes use of this characteristic.

Press F8 once more to execute pushad, and set a breakpoint on one of the values 

this instruction pushed onto the stack.

This works because, at the moment popad runs after unpacking has finished, this breakpoint will be hit.



Note
	- Since you cannot set a BP in the stack window, go to the same address as the stack address in the dump window and set the BP there
		- You can press Ctrl+G in the dump window, 
		- or, since the current stack address equals the ESP register, right-click ESP and choose Follow in Dump.
		- Right-clicking in the stack window also shows a Follow in Dump option, but it moves to the value rather than the address, so don't use it

	- In the dump window you can only set memory BPs or hardware BPs.
	- As in the picture, set Hardware, on access. The size does not matter.
	- The reason not to use a memory BP is that a memory BP sets the breakpoint on the entire memory region.
	- You could also go to that address in the CPU window and set a software BP, but we don't, because a software BP 
	   can only detect code execution. 
		- What we want to detect now is not execution of that address but a data access to it.

Now press F9 to run.

If various exceptions occur as they did the first time, again press Shift+F9 to ignore them.

At some point the hardware BP is hit, just before the NOT EDX instruction executes, as shown below.



If you press the ↑ key at this point, as expected, the POPAD instruction is visible.
That is, the hardware BP was hit right after the POPAD instruction executed.



With other packers, after POPAD it goes straight to the Original Entry Point (the original entry point before packing).

But PESpin does some other things first; if you look at the code closely, most of it is pointless.

====================================================================================
0040ACB4   61               POPAD
0040ACB5   F7D2             NOT EDX
0040ACB7   39C2             CMP EDX,EAX
0040ACB9   F7C0 74E7F921    TEST EAX,21F9E774
0040ACBF   0FACC2 48        SHRD EDX,EAX,48                      
0040ACC3   0FBDC8           BSR ECX,EAX
0040ACC6   C7C2 2431C7CD    MOV EDX,CDC73124
0040ACCC   85C0             TEST EAX,EAX
0040ACCE   0FBAEA 31        BTS EDX,31
0040ACD2   F7D2             NOT EDX
0040ACD4   F7C1 25C4A65C    TEST ECX,5CA6C425
0040ACDA   3BD0             CMP EDX,EAX
0040ACDC   0FABC2           BTS EDX,EAX


=====================================================================================

And if you keep following these..

you arrive at a place with strange values like these. 



When strange values like these appear in the CPU window, it is usually because OllyDbg failed to analyze the code.

In that case, remove Olly's analysis. (right-click -> Analysis -> Remove analysis from module)

Then the proper code appears.



Now if you look at this code carefully..

you can tell it is the startup code that calls WinMain()!



However, since PESpin has deleted all symbol information, you have to recognize it as the startup code by its pattern rather than by function names.
You learn this naturally after seeing the startup code several times, or you can suspect "might this be the startup code?"
and compare it against a real startup code.

The following is a typical startup code.

==================================================================================================================
00401020 >/$ 55                     PUSH EBP
00401021  |. 8BEC                   MOV EBP,ESP
00401023  |. 6A FF                  PUSH -1
00401025  |. 68 A8504000            PUSH TEST2.004050A8
0040102A  |. 68 EC1C4000            PUSH TEST2.00401CEC                                 ;  SE handler installation
0040102F  |. 64:A1 00000000         MOV EAX,DWORD PTR FS:[0]
00401035  |. 50                     PUSH EAX
00401036  |. 64:8925 00000000       MOV DWORD PTR FS:[0],ESP
0040103D  |. 83EC 58                SUB ESP,58
00401040  |. 53                     PUSH EBX
00401041  |. 56                     PUSH ESI
00401042  |. 57                     PUSH EDI
00401043  |. 8965 E8                MOV DWORD PTR SS:[EBP-18],ESP
00401046  |. FF15 14504000          CALL DWORD PTR DS:[<&KERNEL32.GetVersion>]          ;  kernel32.GetVersion
0040104C  |. 33D2                   XOR EDX,EDX
0040104E  |. 8AD4                   MOV DL,AH
00401050  |. 8915 E4844000          MOV DWORD PTR DS:[4084E4],EDX
00401056  |. 8BC8                   MOV ECX,EAX
00401058  |. 81E1 FF000000          AND ECX,0FF
0040105E  |. 890D E0844000          MOV DWORD PTR DS:[4084E0],ECX
00401064  |. C1E1 08                SHL ECX,8
00401067  |. 03CA                   ADD ECX,EDX
00401069  |. 890D DC844000          MOV DWORD PTR DS:[4084DC],ECX
0040106F  |. C1E8 10                SHR EAX,10
00401072  |. A3 D8844000            MOV DWORD PTR DS:[4084D8],EAX
00401077  |. 33F6                   XOR ESI,ESI
00401079  |. 56                     PUSH ESI
0040107A  |. E8 160B0000            CALL TEST2.00401B95
0040107F  |. 59                     POP ECX
00401080  |. 85C0                   TEST EAX,EAX
00401082  |. 75 08                  JNZ SHORT TEST2.0040108C
00401084  |. 6A 1C                  PUSH 1C
00401086  |. E8 B0000000            CALL TEST2.0040113B
0040108B  |. 59                     POP ECX
0040108C  |> 8975 FC                MOV DWORD PTR SS:[EBP-4],ESI
0040108F  |. E8 E1070000            CALL TEST2.00401875
00401094  |. FF15 10504000          CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineA>]     ; [GetCommandLineA
0040109A  |. A3 D8894000            MOV DWORD PTR DS:[4089D8],EAX
0040109F  |. E8 9F060000            CALL TEST2.00401743
004010A4  |. A3 C0844000            MOV DWORD PTR DS:[4084C0],EAX
004010A9  |. E8 48040000            CALL TEST2.004014F6
004010AE  |. E8 8A030000            CALL TEST2.0040143D
004010B3  |. E8 A7000000            CALL TEST2.0040115F
004010B8  |. 8975 D0                MOV DWORD PTR SS:[EBP-30],ESI
004010BB  |. 8D45 A4                LEA EAX,DWORD PTR SS:[EBP-5C]
004010BE  |. 50                     PUSH EAX                                            ; /pStartupinfo
004010BF  |. FF15 0C504000          CALL DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>]     ; \GetStartupInfoA
004010C5  |. E8 1B030000            CALL TEST2.004013E5
004010CA  |. 8945 9C                MOV DWORD PTR SS:[EBP-64],EAX
004010CD  |. F645 D0 01             TEST BYTE PTR SS:[EBP-30],1
004010D1  |. 74 06                  JE SHORT TEST2.004010D9
004010D3  |. 0FB745 D4              MOVZX EAX,WORD PTR SS:[EBP-2C]
004010D7  |. EB 03                  JMP SHORT TEST2.004010DC
004010D9  |> 6A 0A                  PUSH 0A
004010DB  |. 58                     POP EAX
004010DC  |> 50                     PUSH EAX
004010DD  |. FF75 9C                PUSH DWORD PTR SS:[EBP-64]
004010E0  |. 56                     PUSH ESI
004010E1  |. 56                     PUSH ESI                                            ; /pModule
004010E2  |. FF15 08504000          CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]    ; \GetModuleHandleA
004010E8  |. 50                     PUSH EAX
004010E9  |. E8 12FFFFFF            CALL TEST2.00401000					; this is WinMain()
004010EE  |. 8945 A0                MOV DWORD PTR SS:[EBP-60],EAX
004010F1  |. 50                     PUSH EAX
004010F2  |. E8 95000000            CALL TEST2.0040118C
004010F7  |. 8B45 EC                MOV EAX,DWORD PTR SS:[EBP-14]
004010FA  |. 8B08                   MOV ECX,DWORD PTR DS:[EAX]
004010FC  |. 8B09                   MOV ECX,DWORD PTR DS:[ECX]
004010FE  |. 894D 98                MOV DWORD PTR SS:[EBP-68],ECX
00401101  |. 50                     PUSH EAX
00401102  |. 51                     PUSH ECX
00401103  |. E8 59010000            CALL TEST2.00401261
00401108  |. 59                     POP ECX
00401109  |. 59                     POP ECX
0040110A  \. C3                     RETN
==============================================================================================================

As you can see, the pattern when WinMain() is called is as follows.

004010D9  |> 6A 0A                  PUSH 0A
004010DB  |. 58                     POP EAX
004010DC  |> 50                     PUSH EAX
004010DD  |. FF75 9C                PUSH DWORD PTR SS:[EBP-64]
004010E0  |. 56                     PUSH ESI
004010E1  |. 56                     PUSH ESI                                            ; /pModule
004010E2  |. FF15 08504000          CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]    ; \GetModuleHandleA
004010E8  |. 50                     PUSH EAX
004010E9  |. E8 12FFFFFF            CALL TEST2.00401000                                 ; this is WinMain()

Now, back in the OllyDbg session we were analyzing, keep pressing F8 until the same pattern appears..

Found it!



Finally, if you step into (F7) the code corresponding to WinMain(), a jmp appears once,



and following it, the WinMain() function appears.



This completes manual unpacking using the first method.

However..

why did PESpin put those strange instructions after POPAD?

First, starting from the point where the startup code was found, let's move the cursor upward to find its beginning.

Huh.. the upper part of the startup code that should be there is filled with 0000.



This odd phenomenon is caused by a technique called Stolen Bytes. 

The Stolen Bytes technique means cutting out part of the original code so that the packer secretly executes it separately. 

The place where the original code should be is filled with meaningless values such as 0000.

Why would it do such a strange thing?

It is to prevent a reverser who has completed unpacking from dumping the memory.

Even if you dump it, the beginning of the startup code is missing, so the dump would malfunction.

So where did the missing stolen bytes go?

They were secretly hidden in between the meaningless, strange instructions we briefly saw earlier.

==========================================================================================================

0040ACB4   61               POPAD
0040ACB5   F7D2             NOT EDX
0040ACB7   39C2             CMP EDX,EAX
0040ACB9   F7C0 74E7F921    TEST EAX,21F9E774
0040ACBF   0FACC2 48        SHRD EDX,EAX,48                          ; Shift constant out of range 1..31
0040ACC3   0FBDC8           BSR ECX,EAX
0040ACC6   C7C2 2431C7CD    MOV EDX,CDC73124
0040ACCC   85C0             TEST EAX,EAX
0040ACCE   0FBAEA 31        BTS EDX,31
0040ACD2   F7D2             NOT EDX
0040ACD4   F7C1 25C4A65C    TEST ECX,5CA6C425
0040ACDA   3BD0             CMP EDX,EAX
0040ACDC   0FABC2           BTS EDX,EAX
0040ACDF   55               PUSH EBP			 	<- here!!
0040ACE0   EB 01            JMP SHORT hello_wi.0040ACE3
0040ACE2   AD               LODS DWORD PTR DS:[ESI]
0040ACE3   8BEC             MOV EBP,ESP			<- here!!
0040ACE5   EB 01            JMP SHORT hello_wi.0040ACE8
0040ACE7   A2 6AFFEB01      MOV BYTE PTR DS:[1EBFF6A],AL
0040ACEC   3F               AAS

===========================================================================================================

To dump a binary whose bytes have been stolen like this, you have to manually restore the region filled with 0000.
Since finding the original code among the meaningless instructions takes a long time, the method used is to take a sample of a normal 
startup code and restore the region from it.