幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
强烈抗议 fly 改帖,要求赔偿精神损失!:D
谁来试试脱我?
7119EAA4 $ 55 push ebp 7119EAA5 . 8BEC mov ebp, esp 7119EAA7 . 83C4 D8 add esp, -28 7119EAAA . 53 push ebx 7119EAAB . 56 push esi 7119EAAC . 33D2 xor edx, edx 7119EAAE . 8955 D8 mov dword ptr ss:[ebp-28], edx 7119EAB1 . 8955 F8 mov dword ptr ss:[ebp-8], edx 7119EAB4 . 8945 FC mov dword ptr ss:[ebp-4], eax 7119EAB7 . 33C0 xor eax, eax 7119EAB9 . 55 push ebp 7119EABA . 68 A4ED1971 push V0000000.7119EDA4 7119EABF . 64:FF30 push dword ptr fs:[eax] 7119EAC2 . 64:8920 mov dword ptr fs:[eax], esp 7119EAC5 . 33F6 xor esi, esi 7119EAC7 > 8BC6 mov eax, esi 7119EAC9 . 83E8 01 sub eax, 1 ; Switch (cases 0..2) 7119EACC . 72 07 jb short V0000000.7119EAD5 7119EACE . 74 19 je short V0000000.7119EAE9 7119EAD0 . 48 dec eax 7119EAD1 . 74 2A je short V0000000.7119EAFD 7119EAD3 . EB 3A jmp short V0000000.7119EB0F 7119EAD5 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 0 of switch 7119EAC9 7119EAD8 . BA 16000000 mov edx, 16 7119EADD . B8 27000000 mov eax, 27 7119EAE2 . E8 85EDFFFF call V0000000.7119D86C 7119EAE7 . EB 26 jmp short V0000000.7119EB0F 7119EAE9 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 1 of switch 7119EAC9 7119EAEC . BA 16000000 mov edx, 16 7119EAF1 . B8 3D000000 mov eax, 3D 7119EAF6 . E8 71EDFFFF call V0000000.7119D86C 7119EAFB . EB 12 jmp short V0000000.7119EB0F 7119EAFD > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 2 of switch 7119EAC9 7119EB00 . BA 0B000000 mov edx, 0B 7119EB05 . B8 53000000 mov eax, 53 7119EB0A . E8 5DEDFFFF call V0000000.7119D86C 7119EB0F > 8B45 F8 mov eax, dword ptr ss:[ebp-8] ; Default case of switch 7119EAC9 7119EB12 . E8 2162F8FF call V0000000.71124D38 7119EB17 . 50 push eax ; /Title 7119EB18 . 6A 00 push 0 ; |Class = 0 7119EB1A . E8 6989F8FF call <jmp.&user32.FindWindowA> ; \FindWindowA 7119EB1F . 8BD8 mov ebx, eax 7119EB21 . EB 0C jmp short V0000000.7119EB2F 7119EB23 > 6A 00 push 0 ; /lParam = 0 7119EB25 . 6A 00 push 0 ; |wParam = 0 7119EB27 . 6A 10 push 10 ; |Message = WM_CLOSE 7119EB29 . 53 push ebx ; |hWnd 7119EB2A . 
E8 998BF8FF call <jmp.&user32.PostMessageA> ; \PostMessageA 7119EB2F > 53 push ebx ; /hWnd 7119EB30 . E8 0B8BF8FF call <jmp.&user32.IsWindow> ; \IsWindow 7119EB35 . 85C0 test eax, eax 7119EB37 .^ 75 EA jnz short V0000000.7119EB23 7119EB39 . 46 inc esi 7119EB3A . 83FE 03 cmp esi, 3 7119EB3D .^ 75 88 jnz short V0000000.7119EAC7 7119EB3F . 33F6 xor esi, esi 7119EB41 > 8BC6 mov eax, esi 7119EB43 . 83E8 01 sub eax, 1 ; Switch (cases 0..1) 7119EB46 . 72 04 jb short V0000000.7119EB4C 7119EB48 . 74 16 je short V0000000.7119EB60 7119EB4A . EB 26 jmp short V0000000.7119EB72 7119EB4C > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 0 of switch 7119EB43 7119EB4F . BA 04000000 mov edx, 4 7119EB54 . B8 F7000000 mov eax, 0F7 7119EB59 . E8 0EEDFFFF call V0000000.7119D86C 7119EB5E . EB 12 jmp short V0000000.7119EB72 7119EB60 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 1 of switch 7119EB43 7119EB63 . BA 07000000 mov edx, 7 7119EB68 . B8 F0000000 mov eax, 0F0 7119EB6D . E8 FAECFFFF call V0000000.7119D86C 7119EB72 > 6A 00 push 0 ; Default case of switch 7119EB43 7119EB74 . 8B45 F8 mov eax, dword ptr ss:[ebp-8] 7119EB77 . E8 BC61F8FF call V0000000.71124D38 7119EB7C . 50 push eax ; |Class 7119EB7D . E8 0689F8FF call <jmp.&user32.FindWindowA> ; \FindWindowA 7119EB82 . 8BD8 mov ebx, eax 7119EB84 . EB 0C jmp short V0000000.7119EB92 7119EB86 > 6A 00 push 0 ; /lParam = 0 7119EB88 . 6A 00 push 0 ; |wParam = 0 7119EB8A . 6A 10 push 10 ; |Message = WM_CLOSE 7119EB8C . 53 push ebx ; |hWnd 7119EB8D . E8 368BF8FF call <jmp.&user32.PostMessageA> ; \PostMessageA 7119EB92 > 53 push ebx ; /hWnd 7119EB93 . E8 A88AF8FF call <jmp.&user32.IsWindow> ; \IsWindow 7119EB98 . 85C0 test eax, eax 7119EB9A .^ 75 EA jnz short V0000000.7119EB86 7119EB9C . 46 inc esi 7119EB9D . 83FE 02 cmp esi, 2 7119EBA0 .^ 75 9F jnz short V0000000.7119EB41 7119EBA2 . 33F6 xor esi, esi 7119EBA4 > 8D45 F8 lea eax, dword ptr ss:[ebp-8] 7119EBA7 . E8 DC5CF8FF call V0000000.71124888 7119EBAC . 8BC6 mov eax, esi 7119EBAE . 
83F8 09 cmp eax, 9 ; Switch (cases 0..9) 7119EBB1 . 0F87 FE000000 ja V0000000.7119ECB5 7119EBB7 . FF2485 BEEB19>jmp dword ptr ds:[eax*4+7119EBBE] 7119EBBE . E6EB1971 dd V0000000.7119EBE6 ; Switch table used at 7119EBB7 7119EBC2 . FDEB1971 dd V0000000.7119EBFD 7119EBC6 . 14EC1971 dd V0000000.7119EC14 7119EBCA . 2BEC1971 dd V0000000.7119EC2B 7119EBCE . 3FEC1971 dd V0000000.7119EC3F 7119EBD2 . 53EC1971 dd V0000000.7119EC53 7119EBD6 . 67EC1971 dd V0000000.7119EC67 7119EBDA . 7BEC1971 dd V0000000.7119EC7B 7119EBDE . 8FEC1971 dd V0000000.7119EC8F 7119EBE2 . A3EC1971 dd V0000000.7119ECA3 7119EBE6 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 0 of switch 7119EBAE 7119EBE9 . BA 03000000 mov edx, 3 7119EBEE . B8 27000000 mov eax, 27 7119EBF3 . E8 74ECFFFF call V0000000.7119D86C 7119EBF8 . E9 B8000000 jmp V0000000.7119ECB5 7119EBFD > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 1 of switch 7119EBAE 7119EC00 . BA 07000000 mov edx, 7 7119EC05 . B8 27000000 mov eax, 27 7119EC0A . E8 5DECFFFF call V0000000.7119D86C 7119EC0F . E9 A1000000 jmp V0000000.7119ECB5 7119EC14 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 2 of switch 7119EBAE 7119EC17 . BA 03000000 mov edx, 3 7119EC1C . B8 3D000000 mov eax, 3D 7119EC21 . E8 46ECFFFF call V0000000.7119D86C 7119EC26 . E9 8A000000 jmp V0000000.7119ECB5 7119EC2B > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 3 of switch 7119EBAE 7119EC2E . BA 07000000 mov edx, 7 7119EC33 . B8 3D000000 mov eax, 3D 7119EC38 . E8 2FECFFFF call V0000000.7119D86C 7119EC3D . EB 76 jmp short V0000000.7119ECB5 7119EC3F > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 4 of switch 7119EBAE 7119EC42 . BA 04000000 mov edx, 4 7119EC47 . B8 5E000000 mov eax, 5E 7119EC4C . E8 1BECFFFF call V0000000.7119D86C 7119EC51 . EB 62 jmp short V0000000.7119ECB5 7119EC53 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 5 of switch 7119EBAE 7119EC56 . BA 05000000 mov edx, 5 7119EC5B . B8 62000000 mov eax, 62 7119EC60 . E8 07ECFFFF call V0000000.7119D86C 7119EC65 . 
EB 4E jmp short V0000000.7119ECB5 7119EC67 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 6 of switch 7119EBAE 7119EC6A . BA 06000000 mov edx, 6 7119EC6F . B8 67000000 mov eax, 67 7119EC74 . E8 F3EBFFFF call V0000000.7119D86C 7119EC79 . EB 3A jmp short V0000000.7119ECB5 7119EC7B > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 7 of switch 7119EBAE 7119EC7E . BA 08000000 mov edx, 8 7119EC83 . B8 6D000000 mov eax, 6D 7119EC88 . E8 DFEBFFFF call V0000000.7119D86C 7119EC8D . EB 26 jmp short V0000000.7119ECB5 7119EC8F > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 8 of switch 7119EBAE 7119EC92 . BA 08000000 mov edx, 8 7119EC97 . B8 80000000 mov eax, 80 7119EC9C . E8 CBEBFFFF call V0000000.7119D86C 7119ECA1 . EB 12 jmp short V0000000.7119ECB5 7119ECA3 > 8D4D F8 lea ecx, dword ptr ss:[ebp-8] ; Case 9 of switch 7119EBAE 7119ECA6 . BA 06000000 mov edx, 6 7119ECAB . B8 88000000 mov eax, 88 7119ECB0 . E8 B7EBFFFF call V0000000.7119D86C 7119ECB5 > 6A 00 push 0 ; Default case of switch 7119EBAE 7119ECB7 . 68 80000000 push 80 7119ECBC . 6A 03 push 3 7119ECBE . 6A 00 push 0 7119ECC0 . 6A 03 push 3 7119ECC2 . 68 000000C0 push C0000000 7119ECC7 . 8D45 D8 lea eax, dword ptr ss:[ebp-28] 7119ECCA . 8B4D F8 mov ecx, dword ptr ss:[ebp-8] 7119ECCD . BA BCED1971 mov edx, V0000000.7119EDBC ; ASCII "\\.\" 7119ECD2 . E8 B55EF8FF call V0000000.71124B8C 7119ECD7 . 8B45 D8 mov eax, dword ptr ss:[ebp-28] 7119ECDA . E8 5960F8FF call V0000000.71124D38 7119ECDF . 50 push eax ; |FileName 7119ECE0 . E8 2B81F8FF call <jmp.&kernel32.CreateFileA> ; \CreateFileA 7119ECE5 . 8BD8 mov ebx, eax 7119ECE7 . 83FB FF cmp ebx, -1 7119ECEA . 74 0D je short V0000000.7119ECF9 7119ECEC . C605 62161C71>mov byte ptr ds:[711C1662], 1 7119ECF3 . 53 push ebx ; /hObject 7119ECF4 . E8 F780F8FF call <jmp.&kernel32.CloseHandle> ; \CloseHandle 7119ECF9 > 46 inc esi 7119ECFA . 83FE 0A cmp esi, 0A 7119ECFD .^ 0F85 A1FEFFFF jnz V0000000.7119EBA4 7119ED03 . A1 E4EA1B71 mov eax, dword ptr ds:[711BEAE4] 7119ED08 . 
8338 02 cmp dword ptr ds:[eax], 2 7119ED0B . 75 67 jnz short V0000000.7119ED74 7119ED0D . 68 3F000F00 push 0F003F 7119ED12 . 6A 00 push 0 7119ED14 . 6A 00 push 0 7119ED16 . E8 49DAFDFF call <jmp.&advapi32.OpenSCManagerA> 7119ED1B . 8BD8 mov ebx, eax 7119ED1D . 85DB test ebx, ebx 7119ED1F . 76 53 jbe short V0000000.7119ED74 7119ED21 . 8D4D F8 lea ecx, dword ptr ss:[ebp-8] 7119ED24 . BA 05000000 mov edx, 5 7119ED29 . B8 62000000 mov eax, 62 7119ED2E . E8 39EBFFFF call V0000000.7119D86C 7119ED33 . 68 FF010F00 push 0F01FF 7119ED38 . 8B45 F8 mov eax, dword ptr ss:[ebp-8] 7119ED3B . E8 F85FF8FF call V0000000.71124D38 7119ED40 . 50 push eax 7119ED41 . 53 push ebx 7119ED42 . E8 35DAFDFF call <jmp.&advapi32.OpenServiceA> 7119ED47 . 8BF0 mov esi, eax 7119ED49 . 85F6 test esi, esi 7119ED4B . 76 21 jbe short V0000000.7119ED6E 7119ED4D . 8D45 DC lea eax, dword ptr ss:[ebp-24] 7119ED50 . 50 push eax 7119ED51 . 56 push esi 7119ED52 . E8 3DDAFDFF call <jmp.&advapi32.QueryServiceStatus> 7119ED57 . 85C0 test eax, eax 7119ED59 . 74 0D je short V0000000.7119ED68 7119ED5B . 837D E0 01 cmp dword ptr ss:[ebp-20], 1 7119ED5F . 74 07 je short V0000000.7119ED68 7119ED61 . C605 62161C71>mov byte ptr ds:[711C1662], 1 7119ED68 > 56 push esi 7119ED69 . E8 EED9FDFF call <jmp.&advapi32.CloseServiceHandle> 7119ED6E > 53 push ebx 7119ED6F . E8 E8D9FDFF call <jmp.&advapi32.CloseServiceHandle> 7119ED74 > 74 03 je short V0000000.7119ED79 7119ED76 . 75 01 jnz short V0000000.7119ED79 7119ED78 E8 db E8 7119ED79 > 50 push eax 7119ED7A . 8B4424 44 mov eax, dword ptr ss:[esp+44] 7119ED7E . 0345 FC add eax, dword ptr ss:[ebp-4] 7119ED81 . 894424 44 mov dword ptr ss:[esp+44], eax 7119ED85 . 58 pop eax 7119ED86 . 33C0 xor eax, eax 7119ED88 . 5A pop edx 7119ED89 . 59 pop ecx 7119ED8A . 59 pop ecx 7119ED8B . 64:8910 mov dword ptr fs:[eax], edx 7119ED8E . 68 ABED1971 push V0000000.7119EDAB 7119ED93 > 8D45 D8 lea eax, dword ptr ss:[ebp-28] 7119ED96 . E8 ED5AF8FF call V0000000.71124888 7119ED9B . 
8D45 F8 lea eax, dword ptr ss:[ebp-8] 7119ED9E . E8 E55AF8FF call V0000000.71124888 7119EDA3 . C3 retn 7119EDA4 .^ E9 FB53F8FF jmp V0000000.711241A4 7119EDA9 .^ EB E8 jmp short V0000000.7119ED93 7119EDAB . 5E pop esi 7119EDAC . 5B pop ebx 7119EDAD . 8BE5 mov esp, ebp 7119EDAF . 5D pop ebp 7119EDB0 . C3 retn |
谁来试试脱我?
真恐怖,OD(OllyDbg)还没 Load 就挂了……
传家宝 2.24 新版加的什么壳呀?
Hying's PEArmor
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 5] 003B073A E8 4A2A0000 call 003B3189 ; 进去观光 003B31A5 B8 01000000 mov eax, 1 003B31D7 83BD 9ED24100 0>cmp dword ptr ss:[ebp+41D29E], 0 003B31E3 /0F84 C6120000 je 003B44AF ; 不需要注册?跳吧========〉下边在极度困倦下走了弯路 003B31F3 8D85 DD5C4000 lea eax, dword ptr ss:[ebp+405CDD]; ?? 003B3209 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 0 003B3210 /75 54 jnz short 003B3266; 不知道是啥,我这里没跳 003B3217 E8 A51D0000 call 003B4FC1; ? 003B3249 3C 01 cmp al, 1 003B324B 74 14 je short 003B3261 003B3270 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 2 003B3277 75 66 jnz short 003B32DF 003B32FB 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 1 003B3302 75 37 jnz short 003B333B 003B3345 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 3 003B334C 75 26 jnz short 003B3374 003B33A6 E8 17270000 call 003B5AC2 003B5B06 60 pushad 003B5B0C C785 EAD24100 0>mov dword ptr ss:[ebp+41D2EA], 0 003B5B32 BB CCD24100 mov ebx, 41D2CC 003B5B3C 03DD add ebx, ebp ; buffer 003B5B43 B9 AAD24100 mov ecx, 41D2AA 003B5B4D 03CD add ecx, ebp ; subkey ; 猜想是读注册标记 003B5B54 53 push ebx 003B5B55 68 1F000200 push 2001F 003B5B5A 6A 00 push 0 003B5B5C 51 push ecx 003B5B5D 68 00000080 push 80000000 003B5B62 FF95 D2CF4100 call dword ptr ss:[ebp+41CFD2] ; advapi32.RegOpenKeyExA 0012FF68 003B5B68 /CALL to RegOpenKeyExA from 003B5B62 0012FF6C 80000000 |hKey = HKEY_CLASSES_ROOT 0012FF70 003B79DD |Subkey = "wrifile\shell\open\command\config" 0012FF74 00000000 |Reserved = 0 0012FF78 0002001F |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000 0012FF7C 003B79FF \pHandle = 003B79FF 003B5B9A 83F8 00 cmp eax, 0 003B5B9D 0F84 2A010000 je 003B5CCD ; JUMP 003B5D09 BE A6D24100 mov esi, 41D2A6 003B5D13 03F5 add esi, ebp 003B5D1A BF A2D24100 mov edi, 41D2A2 003B5D24 03FD add edi, ebp 003B5D30 B8 FECF4100 mov eax, 41CFFE 003B5D3A 03C5 add eax, ebp 003B5D53 BB DCD24100 mov ebx, 41D2DC 003B5D85 03DD add ebx, ebp ; 用这么多regs,气势逼人~~~ 003B5D8C 8B8D CCD24100 mov ecx, dword ptr ss:[ebp+41D2CC] ; Reg的句柄 003B5D97 
56 push esi 003B5D98 50 push eax 003B5D99 57 push edi 003B5D9A 6A 00 push 0 003B5D9C 53 push ebx ; 好奇怪的名字,大概是自动计算的 003B5D9D 51 push ecx 003B5D9E FF95 DECF4100 call dword ptr ss:[ebp+41CFDE] ; advapi32.RegQueryValueExA 0012FF64 003B5DA4 /CALL to RegQueryValueExA from 003B5D9E 0012FF68 0000006A |hKey = 6A 0012FF6C 003B7A0F |ValueName = ""9B,"",80,"",8B,"",80,"?,80,"?,80,"",84,"",81,"" 0012FF70 00000000 |Reserved = NULL 0012FF74 003B79D5 |pValueType = 003B79D5 0012FF78 003B7731 |Buffer = 003B7731 0012FF7C 003B79D9 \pBufSize = 003B79D9 ; *** 如果做的DBPE Cleaner,大概就是清理HKEY_CLASSES_ROOT\wrifile\shell\open\command\config\所有子项目 003B5DC0 66:3D 0000 cmp ax, 0 003B5DC9 /0F85 EE020000 jnz 003B60BD ; 做注册部分 003B60C2 8B85 CCD24100 mov eax, dword ptr ss:[ebp+41D2CC] 003B60CD 50 push eax 003B60CE FF95 DACF4100 call dword ptr ss:[ebp+41CFDA] ; advapi32.RegCloseKey 003B6106 61 popad 003B611E 8B85 EAD24100 mov eax, dword ptr ss:[ebp+41D2EA] 003B6129 C3 ret 003B33CC 8B85 7CD24100 mov eax, dword ptr ss:[ebp+41D27C] 003B33FF BB 8CD24100 mov ebx, 41D28C 003B341B 03DD add ebx, ebp 003B3422 B9 27354200 mov ecx, 423527 003B343E 03CD add ecx, ebp 003B3445 50 push eax 003B3446 53 push ebx 003B3447 51 push ecx 003B3448 FF95 64CF4100 call dword ptr ss:[ebp+41CF64] ; user32.wsprintfA 0012FF64 0000006A 0012FF94 003B344E /CALL to wsprintfA from 003B3448 0012FF98 003BDC5A |s = 003BDC5A 0012FF9C 003B79BF |Format = "%08lX" 0012FFA0 06781F8B \<%08lX> = 6781F8B 003B3453 83C4 0C add esp, 0C ; 平衡堆栈 ; ecx -> ------------------------------------------------------------------- 003BDC5D 38 31 46 38 42 00 00 00 81F8B... ------------------------------------------------------------------- 003B3488 BE 0AD04100 mov esi, 41D00A 003B34A4 03F5 add esi, ebp --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ 
--------------------------------------------------------------------------- 003B34BD BF 2CFA4100 mov edi, 41FA2C 003B34EF 03FD add edi, ebp 003B34F6 B9 16000000 mov ecx, 16 003B3500 F3:A4 rep movsb ; 传送...不明飞行物 003B3534 BE 27354200 mov esi, 423527 003B353E 03F5 add esi, ebp 003B3545 BF 42FA4100 mov edi, 41FA42 003B354F 03FD add edi, ebp 003B3556 B9 0A000000 mov ecx, 0A 003B3588 F3:A4 rep movsb 003B3599 E8 A1140000 call 003B4A3F ; 传送某种非0的数据 003B4A5B 8DB5 78D04100 lea esi, dword ptr ss:[ebp+41D078] 003B4A8E 8DBD 0AD04100 lea edi, dword ptr ss:[ebp+41D00A] 003B4AD8 8A07 mov al, byte ptr ds:[edi] 003B4AF1 8806 mov byte ptr ds:[esi], al 003B4AF8 47 inc edi 003B4AFE 46 inc esi 003B4B2C 3C 00 cmp al, 0 003B4B2E ^\0F85 77FFFFFF jnz 003B4AAB 003B4B8E 4E dec esi 003B4B94 8DBD 27354200 lea edi, dword ptr ss:[ebp+423527] --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ --------------------------------------------------------------------------- 003B4BDE 8A07 mov al, byte ptr ds:[edi] 003B4BF7 8806 mov byte ptr ds:[esi], al 003B4BFE 47 inc edi 003B4C16 46 inc esi 003B4C2E 3C 00 cmp al, 0 003B4C30 ^\0F85 7BFFFFFF jnz 003B4BB1 003B4C3B 8806 mov byte ptr ds:[esi], al 003B4C6F 8D9D 02D34100 lea ebx, dword ptr ss:[ebp+41D302] 003B4C7A 8D85 78D04100 lea eax, dword ptr ss:[ebp+41D078] 003B4C85 8BF5 mov esi, ebp 003B4CB4 60 pushad 003B4CBA 53 push ebx 003B4CBB 50 push eax 003B4CBC E8 0C810000 call 003BCDCD ; 奇怪的算法解码出奇怪的信息 003B4CC6 61 popad ; 这里的代码把一堆东西拷来拷去,我没耐心也没兴致看算法,不做解说了。 003B4CF9 8DB5 02D34100 lea esi, dword ptr ss:[ebp+41D302] 003B4D04 8B06 mov eax, dword ptr ds:[esi] 003B4D0B 3385 9ED24100 xor eax, dword ptr ss:[ebp+41D29E] 003B4D16 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4D4E 8B46 04 mov eax, dword ptr ds:[esi+4] 003B4D56 3385 9AD24100 xor eax, dword ptr ss:[ebp+41D29A] 003B4D61 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4D71 8DBD 20D04100 lea edi, dword ptr 
ss:[ebp+41D020] 003B4D7C 8DB5 F6D24100 lea esi, dword ptr ss:[ebp+41D2F6] 003B4DDC 8B07 mov eax, dword ptr ds:[edi] 003B4DE3 8906 mov dword ptr ds:[esi], eax 003B4DEA 8B47 04 mov eax, dword ptr ds:[edi+4] 003B4DF2 8946 04 mov dword ptr ds:[esi+4], eax 003B4E0C E8 1B1A0000 call 003B682C ; 从代码给我的印象来看,像是检查非法字符 003B4E28 3B85 EED24100 cmp eax, dword ptr ss:[ebp+41D2EE] 003B4E45 /0F85 D7000000 jnz 003B4F22 003B4F39 B8 00000000 mov eax, 0 003B4F43 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4F76 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4F93 C3 ret 003B35CB 83F8 01 cmp eax, 1 003B35D3 /0F84 D60E0000 je 003B44AF 003B3622 8D85 DE5C4000 lea eax, dword ptr ss:[ebp+405CDE] 003B3660 E8 AF330000 call 003B6A14 003B6A58 60 pushad 003B6A5E 8D85 8FC74100 lea eax, dword ptr ss:[ebp+41C78F] 003B6A69 6A 00 push 0 003B6A6B 6A 20 push 20 003B6A6D 6A 03 push 3 003B6A6F 6A 00 push 0 003B6A71 6A 00 push 0 003B6A73 68 00000080 push 80000000 003B6A78 50 push eax 003B6A79 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF60 003B6A7F /CALL to CreateFileA from 003B6A79 0012FF64 003B6EC2 |FileName = "regdial.dat" 0012FF68 80000000 |Access = GENERIC_READ 0012FF6C 00000000 |ShareMode = 0 0012FF70 00000000 |pSecurity = NULL 0012FF74 00000003 |Mode = OPEN_EXISTING 0012FF78 00000020 |Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL ; 搞注册界面库,我们到沙罗双树园啦;-) 003B6A84 83F8 FF cmp eax, -1 003B6A87 /74 2D je short 003B6AB6 ; 读取失败?我们给他行行好,翻转ZF不跳 003B6AA0 50 push eax 003B6AA1 FF95 E3CE4100 call dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B6AAC /E9 14030000 jmp 003B6DC5 003B6DDC 61 popad 003B6DE2 B8 01000000 mov eax, 1 003B6DFE C3 ret 003B36A9 8D85 DF5C4000 lea eax, dword ptr ss:[ebp+405CDF] ; 无聊!!! 
003B36E7 B8 87C74100 mov eax, 41C787 003B3703 03C5 add eax, ebp 003B370A E8 6F460000 call 003B7D7E ; 用来得到2个注册功能的窗口函数ShowTryWindow & GetRegister 003B7DAB 60 pushad 003B7DB1 8BD8 mov ebx, eax 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; nj 003B7DED 8BC3 mov eax, ebx 003B7DF4 83C0 08 add eax, 8 003B7DFC 50 push eax 003B7DFC 50 push eax 003B7DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 0012FF78 003B7E03 /CALL to LoadLibraryA from 003B7DFD 0012FF7C 003B6EC2 \FileName = "regdial.dat" ; 考,居然是lib 003B7E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax 003B7E13 83F8 00 cmp eax, 0 003B7E16 /75 46 jnz short 003B7E5E ; 翻转ZF 003B7EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041C863 003B7EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] ; Try.0041C881 003B7ED5 03F5 add esi, ebp 003B7EDC 03FD add edi, ebp ; 看名字也知道是要干啥 --------------------------------------------------------------------------- 003B6F96 53 68 6F 77 54 72 79 57 69 6E 64 6F 77 00 47 65 ShowTryWindow.Ge 003B6FA6 74 52 65 67 69 73 74 65 72 00 00 00 00 00 00 00 tRegister....... --------------------------------------------------------------------------- 003B7EFF 803E 00 cmp byte ptr ds:[esi], 0 003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了? 
为了好看,完成后代码下放 003B7FD0 56 push esi 003B7FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B7FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 0012FF74 003B7FDD /CALL to GetProcAddress from 003B7FD7 0012FF78 00000000 |hModule = NULL ; 我从中作梗 0012FF7C 003B6F96 \ProcNameOrOrdinal = "ShowTryWindow" 003B7FE2 83F8 00 cmp eax, 0 003B7FE5 /75 30 jnz short 003B8017 ; 翻转ZF,j 003B8038 8907 mov dword ptr ds:[edi], eax 003B8051 83C7 04 add edi, 4 ; 指向GetRegister 003B805E 803E 00 cmp byte ptr ds:[esi], 0 003B8061 /74 0D je short 003B8070 003B8068 46 inc esi 003B806E ^\EB EE jmp short 003B805E 003B809D 46 inc esi 003B80CB ^\E9 2AFEFFFF jmp 003B7EFA -------------------------------------------------------------------------- ; 完成以后的代码,接003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了? 为了好看,完成后代码下放 003B7F35 83C3 08 add ebx, 8 ; 移动指针 003B7F65 803B 00 cmp byte ptr ds:[ebx], 0 003B7F68 /74 1F je short 003B7F89 003B7F81 43 inc ebx 003B7F87 ^\EB DC jmp short 003B7F65 003B7FB6 43 inc ebx 003B7FBC ^\E9 FCFDFFFF jmp 003B7DBD; 回去〉〉〉 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; 结束,j 003B80F1 61 popad 003B80F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] 003B8102 C3 ret 003B373C B8 FFFFFFFF mov eax, -1 003B3746 83BD 81C84100 0>cmp dword ptr ss:[ebp+41C881], 0 003B3752 /0F84 570D0000 je 003B44AF; nj 003B376F 83BD 85C84100 0>cmp dword ptr ss:[ebp+41C885], 0 003B37A3 /0F84 060D0000 je 003B44AF; 还是nj 003B37D7 E8 060D0000 call 003B44E2 003B44E7 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B44F2 68 C8000000 push 0C8 003B44F7 50 push eax ; buffer 003B44F8 FF95 BBCE4100 call dword ptr ss:[ebp+41CEBB] ; kernel32.GetWindowsDirectoryA 0012FF94 003B44FE /CALL to GetWindowsDirectoryA from 003B44F8 0012FF98 003B47F4 |Buffer = 003B47F4 0012FF9C 000000C8 \BufSize = C8 (200.) 
003B4503 33C0 xor eax, eax 003B451C B9 C8000000 mov ecx, 0C8 003B4526 8DBD C1A04100 lea edi, dword ptr ss:[ebp+41A0C1] 003B4531 F2:AE repne scas byte ptr es:[edi] ; 复制目录 003B4538 C647 FF 5C mov byte ptr ds:[edi-1], 5C ; \ 003B4541 C707 75736572 mov dword ptr ds:[edi], 72657375 ; user 003B455E C747 04 2E64617>mov dword ptr ds:[edi+4], 7461642E ; .dat 003B4592 C647 08 00 mov byte ptr ds:[edi+8], 0 003B45C4 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B45CF 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B45DA 53 push ebx 003B45DB 50 push eax 003B45DC FF95 B7CE4100 call dword ptr ss:[ebp+41CEB7] ; kernel32.FindFirstFileA 003B45F9 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B462C 8D43 14 lea eax, dword ptr ds:[ebx+14] 003B4646 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] 003B4679 53 push ebx 003B467A 50 push eax 003B467B FF95 B3CE4100 call dword ptr ss:[ebp+41CEB3] ; kernel32.FileTimeToSystemTime 0012FF94 003B4681 /CALL to FileTimeToSystemTime from 003B467B 0012FF98 003B4908 |pFileTime = 003B4908 0012FF9C 003B4A2F \pSystemTime = 003B4A2F 003B469D 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] ; 计算一个sum 003B46A8 33C0 xor eax, eax 003B46AF 33D2 xor edx, edx 003B46CD 66:8B03 mov ax, word ptr ds:[ebx] 003B46E7 B9 6D010000 mov ecx, 16D 003B46F1 F7E1 mul ecx 003B470A 8985 80D24100 mov dword ptr ss:[ebp+41D280], eax 003B4742 33C0 xor eax, eax 003B475B 66:8B43 02 mov ax, word ptr ds:[ebx+2] 003B4764 B9 1E000000 mov ecx, 1E 003B476E F7E1 mul ecx 003B4775 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47AD 66:8B43 06 mov ax, word ptr ds:[ebx+6] 003B47B6 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47EE C3 ret ; 班师回朝 003B380E C785 88D24100 0>mov dword ptr ss:[ebp+41D288], 0 003B381D C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 0 003B3836 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 1 003B383D /0F85 10010000 jnz 003B3953 ; nj 003B3848 FFB5 FECF4100 push dword ptr ss:[ebp+41CFFE] 003B384E 8F85 42344200 pop dword ptr ss:[ebp+423442] 
003B3859 FFB5 E41D4200 push dword ptr ss:[ebp+421DE4] 003B385F 8F85 46344200 pop dword ptr ss:[ebp+423446] 003B387C 8B9D E41D4200 mov ebx, dword ptr ss:[ebp+421DE4] 003B3899 399D FECF4100 cmp dword ptr ss:[ebp+41CFFE], ebx 003B389F /0F83 95000000 jnb 003B393A ; j 003B393F C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 1 003B3974 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 2 003B397B /0F85 E0000000 jnz 003B3A61 ; j 003B3A98 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 3 003B3A9F 0F85 C3000000 jnz 003B3B68 003B3B9F 33C0 xor eax, eax 003B3BA6 83BD 88D24100 0>cmp dword ptr ss:[ebp+41D288], 1 003B3BAD 74 0D je short 003B3BBC 003B3BAF 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3BB6 0F85 F5000000 jnz 003B3CB1 003B3BD3 8D85 081E4200 lea eax, dword ptr ss:[ebp+421E08] ; caption 003B3BDE 8D9D 261E4200 lea ebx, dword ptr ss:[ebp+421E26] ; http... 003B3BE9 8D8D 441E4200 lea ecx, dword ptr ss:[ebp+421E44] ; message ; 此时发现这两个牛插手了…… ---------------------------------------------------------------------------- 003BC777 20 45 6E 63 72 79 70 74 Encrypt 003BC787 65 64 20 62 79 20 7A 65 72 30 21 00 00 00 00 00 ed by zer0!..... 003BC797 00 00 00 00 00 00 63 6F 64 65 5F 69 6E 6A 65 63 ......code_injec 003BC7A7 74 00 00 00 00 00 00 00 00 t........ 
---------------------------------------------------------------------------- 003B3C1C 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3C27 FFB5 81C84100 push dword ptr ss:[ebp+41C881] 003B3C2D 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3C38 51 push ecx 003B3C39 53 push ebx 003B3C3A 50 push eax 003B3C3B FFB5 46344200 push dword ptr ss:[ebp+423446] 003B3C41 FFB5 42344200 push dword ptr ss:[ebp+423442] 003B3C47 E8 39810000 call 003BBD85 ; int3调用,都nop 003B3C7E 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3D22 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3D29 74 09 je short 003B3D34 003B3D2B 83F8 02 cmp eax, 2 003B3D2E 0F85 C0040000 jnz 003B41F4 003B3D66 8D85 FD344200 lea eax, dword ptr ss:[ebp+4234FD] 003B3D99 8D9D 13354200 lea ebx, dword ptr ss:[ebp+423513] 003B3DA4 8D8D 27354200 lea ecx, dword ptr ss:[ebp+423527] ; 003BDC5A 30 36 37 38 31 46 38 42 06781F8B 003B3DAF 8D95 38204200 lea edx, dword ptr ss:[ebp+422038] 003B3DF9 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3E2C FFB5 85C84100 push dword ptr ss:[ebp+41C885] 003B3E32 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3E4F 52 push edx 003B3E50 51 push ecx 003B3E51 53 push ebx 003B3E52 50 push eax 003B3E53 E8 2D7F0000 call 003BBD85; 还是他,nop 003B3E74 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3E91 83F8 02 cmp eax, 2 003B3E99 B8 00000000 mov eax, 0 003B3EA3 /0F84 C4040000 je 003B436D 003B3EDB B9 2A000000 mov ecx, 2A 003B3EE5 BF 0AD04100 mov edi, 41D00A 003B3EEF 03FD add edi, ebp 003B3F08 BE FD344200 mov esi, 4234FD 003B3F3A 03F5 add esi, ebp 003B3F41 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] .................. |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 4] 003AF6B3 90 nop 003AF6B8 8BC5 mov eax, ebp 003AF6BA E8 00000000 call 003AF6BF 003AF6BF 5D pop ebp 003AF6C0 81ED 8C4F4100 sub ebp, 414F8C 003AF6DD 50 push eax 003AF70B 53 push ebx 003AF711 B8 534E5552 mov eax, 52554E53 003AF743 8D9D 71504100 lea ebx, dword ptr ss:[ebp+415071] ; 通过int3调用地址 003AF760 CC int3 ; 改中断 003AF766 5B pop ebx 003AF794 58 pop eax 003AF79A /E9 DF000000 jmp 003AF87E ; 走人 ----------------------------------------------------- ; 9x的处理 003AF7A9 8DB5 4E344200 lea esi, dword ptr ss:[ebp+42344E] 003AF7B4 0F010E sidt fword ptr ds:[esi] 003AF7E4 8B76 02 mov esi, dword ptr ds:[esi+2] 003AF803 8D85 5C3A4200 lea eax, dword ptr ss:[ebp+423A5C] 003AF836 66:8946 18 mov word ptr ds:[esi+18], ax 003AF83F C1E8 10 shr eax, 10 003AF847 66:8946 1E mov word ptr ds:[esi+1E], ax 003AF850 C3 retn ----------------------------------------------------- 003AF8DD 8985 3FD64100 mov dword ptr ss:[ebp+41D63F], eax 003AF8E8 C785 43D64100 C>mov dword ptr ss:[ebp+41D643], 4058CD 003AF8F7 0185 43D64100 add dword ptr ss:[ebp+41D643], eax ; 修正base 003AF92A 899D F5344200 mov dword ptr ss:[ebp+4234F5], ebx 003AF951 BF CD584000 mov edi, 4058CD 003AF95B 03F8 add edi, eax ; 还是修正base 003AF962 B9 7DDB0100 mov ecx, 1DB7D ; 长度 003AF96C 32C0 xor al, al 003AF973 F3:AA rep stosb ; 擦除外壳区段里的东西(我们在内存里!) 
003AF991 8D85 D45C4000 lea eax, dword ptr ss:[ebp+405CD4] 003AF9F6 60 pushad ; 看到这个肯定要干坏事 003AFA0E B8 534E5552 mov eax, 52554E53 003AFA18 BB C0534100 mov ebx, 4153C0 003AFA22 03DD add ebx, ebp 003AFA29 CC int3 ; F4到这里 ; 我这里 int3的处理是:3be18f --------------------------------------------------- 003BE194 3D 534E5552 cmp eax, 52554E53 003BE199 75 74 jnz short 003BE20F 003BE1B2 FFD3 call ebx 003BE1E1 CF iretd --------------------------------------------------- ; 可见是通过int3执行ebx, ebx似乎是通过向量反跟踪 003AFA2F 66:3D 0000 cmp ax, 0 ; 再F4到这里 003AFA38 61 popad 003AFA55 9C pushfd ; 害怕 ZF 出事, 看来一定有鬼:) 003AFA5B BB 8AD34100 mov ebx, 41D38A 003AFA77 03DD add ebx, ebp 003AFA7E 9D popfd 003AFE1F 83BD 47D64100 0>cmp dword ptr ss:[ebp+41D647], 0 003AFE26 0F84 CA000000 je 003AFEF6 003AFF12 83BD 041E4200 0>cmp dword ptr ss:[ebp+421E04], 1 003AFF19 0F84 9D000000 je 003AFFBC 003AFFEE 8D85 D55C4000 lea eax, dword ptr ss:[ebp+405CD5] 003B0031 83BD 001E4200 0>cmp dword ptr ss:[ebp+421E00], 1 003B0038 0F85 9F000000 jnz 003B00DD 003B0043 8DB5 5C344200 lea esi, dword ptr ss:[ebp+42345C] ; 开始用GetVersionExA获得的版本 003B004E 837E 10 02 cmp dword ptr ds:[esi+10], 2 003B0052 /75 31 jnz short 003B0085 ; 不是9x? 003B0059 837E 04 04 cmp dword ptr ds:[esi+4], 4 003B005D 77 0F ja short 003B006E ; 不是未知? 那就是NT 003B00B2 89AD 8A204200 mov dword ptr ss:[ebp+42208A], ebp 003B00BD 8D9D 88204200 lea ebx, dword ptr ss:[ebp+422088] ; 怕~~~~ --------------------------------------------------------------------------- 003B7ABD 20 20 20 45 72 72 6F 72 20 28 33 29 3A 20 44 65 Error (3): De 003B7ACD 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7ADD 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AED 72 6F 72 20 28 34 29 3A 20 46 69 6C 65 20 43 52 ror (4): File CR 003B7AFD 43 20 45 72 72 6F 72 2C 20 20 20 41 62 6F 72 74 C Error, Abort 003B7B0D 21 00 !. 
--------------------------------------------------------------------------- ; 反跟踪定时器,不好玩,干掉他===>how?看下边 003B00C8 53 push ebx 003B00C9 68 F4010000 push 1F4 003B00CE 6A 00 push 0 003B00D0 6A 00 push 0 003B00D2 FF95 68CF4100 call dword ptr ss:[ebp+41CF68] ; user32.SetTimer ---> F7进入 77D19160 > B8 1E120000 mov eax, 121E ; 修改为retn 10了事 77D19165 BA 0003FE7F mov edx, 7FFE0300 77D1916A FFD2 call edx 77D1916C C2 1000 retn 10 0012FF94 003B00D8 /CALL to SetTimer from 003B00D2 0012FF98 00000000 |hWnd = NULL 0012FF9C 00000000 |TimerID = 0 0012FFA0 000001F4 |Timeout = 500. ms 0012FFA4 003BC7BB \Timerproc = 003BC7BB ;干坏事,发生mov eax, [eax](eax==0)异常有兴趣可以研究一下 ; 恢复刚才的 SetTimer 代码...小心至上 003B0142 8D85 D65C4000 lea eax, dword ptr ss:[ebp+405CD6] ; 无聊 ; ============================================================================== ; A n t i - D u m p i n g ; ; 我只知道是Anti-Dumping,原理大概是修改ImageSize,有兴趣自己研究吧. ; ============================================================================== 003B016A 64:67:A1 3000 mov eax, dword ptr fs:[30] 003B0174 85C0 test eax, eax 003B01A3 78 78 js short 003B021D ; else...根据系统不同决定 003B01C1 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01DB 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01F5 C740 20 0010000 mov dword ptr ds:[eax+20], 1000 003B0201 E9 9E000000 jmp 003B02A4 ; anti_dump_over 003B022C 6A 00 push 0 003B022E FF95 F7CE4100 call dword ptr ss:[ebp+41CEF7] ; GetModuleHandleA 003B023E 85D2 test edx, edx 003B0245 79 5D jns short 003B02A4 ; anti_dump_over 003B024C 837A 08 FF cmp dword ptr ds:[edx+8], -1 003B0267 75 3B jnz short 003B02A4 ; anti_dump_over 003B026E 8B52 04 mov edx, dword ptr ds:[edx+4] 003B028D C742 50 0010000>mov dword ptr ds:[edx+50], 1000 003B0299 66:C742 06 1010 mov word ptr ds:[edx+6], 1010 ; 没见过:P,NumberOfSections? 
; ============================================================================== 003B02DB 8D85 D75C4000 lea eax, dword ptr ss:[ebp+405CD7]; 错误消息 ; ============================================================================== ; M e l t I C E ; ; 地球人都知道 ; ============================================================================== 003B0303 BE 26CC4100 mov esi, 41CC26 003B031F 03F5 add esi, ebp ; esi -> 指向 MeltICE 驱动表 ; 不幸儿童: --------------------------------------------------------------------------- 003B7359 5C 5C 2E 5C 62 77 32 6B 00 5C 5C 2E 5C 53 55 50 \\.\bw2k.\\.\SUP 003B7369 45 52 42 50 4D 00 5C 5C 2E 5C 49 43 45 44 55 4D ERBPM.\\.\ICEDUM 003B7379 50 00 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E P.\\.\REGVXD.\\. 003B7389 5C 4E 54 49 43 45 00 5C 5C 2E 5C 53 49 57 56 49 \NTICE.\\.\SIWVI 003B7399 44 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 46 D.\\.\SICE.\\.\F 003B73A9 49 4C 45 56 58 44 00 ILEVXD. --------------------------------------------------------------------------- 003B037C FFB5 DBCE4100 push dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B0382 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] ; kernel32.CreateFileA ; 无聊的倒腾~~~ 003B03CC 6A 00 push 0 003B03CE 6A 00 push 0 003B03D0 6A 00 push 0 003B03D2 6A 00 push 0 003B03D4 6A 00 push 0 003B03D6 6A 00 push 0 003B03D8 56 push esi 003B03D9 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF88 003B03DF /CALL to CreateFileA from 003B03D9 0012FF8C 003B7359 |FileName = "\\.\theif" ; -_-;; 0012FF90 00000000 |Access = 0 0012FF94 00000000 |ShareMode = 0 0012FF98 00000000 |pSecurity = NULL 0012FF9C 00000000 |Mode = 0 0012FFA0 00000000 |Attributes = 0 0012FFA4 00000000 \hTemplateFile = NULL 003B03E9 83F8 FF cmp eax, -1 003B03F1 /0F85 8E000000 jnz 003B0485 ; 事情不好办啦^_^ ; 循环使esi指向下一个名称 003B041D / 46 inc esi 003B0423 | 803E 00 cmp byte ptr ds:[esi], 0 003B042B \ 75 EB jnz short 003B0418 ; ===> 003B041D 003B0432 46 inc esi ; Skip NULL char 003B044A 803E 00 cmp byte ptr ds:[esi], 0 ; 表示用完了吗? 
003B047A ^\0F85 E5FEFFFF jnz 003B0365 ; 没完?接着来…… ; ============================================================================== 003B04DF 8D9D 5FD34100 lea ebx, dword ptr ss:[ebp+41D35F] ; 我又怕了 --------------------------------------------------------------------------- 003B7A92 20 20 20 45 72 72 6F 72 20 28 32 29 3A 20 44 65 Error (2): De 003B7AA2 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7AB2 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AC2 72 6F 72 20 28 33 29 3A 20 44 65 62 75 67 67 65 ror (3): Debugge 003B7AD2 72 20 64 65 74 65 63 74 69 6F 6E 20 2C 20 41 62 r detection , Ab 003B7AE2 6F 72 74 21 20 00 ort! . --------------------------------------------------------------------------- 003B04FC 83F8 FF cmp eax, -1 003B0504 /0F85 C61A0000 jnz 003B1FD0 ; 送你去取经 ; ============================================================================== ; Ch e c k s u m - C h e c k i n g ; ; 外星人也都知道,但是算法叫什么我不清楚(脸红) ; ============================================================================== 003B055D 8B85 18D64100 mov eax, dword ptr ss:[ebp+41D618] ; 我想是CRC protection flag 003B0568 83F8 00 cmp eax, 0 003B056B /74 51 je short 003B05BE ; 我这里JUMP 003B05F5 8BBD FCD54100 mov edi, dword ptr ss:[ebp+41D5FC] ; 好像是资源段 003B0628 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase 003B0633 8B8D 00D64100 mov ecx, dword ptr ss:[ebp+41D600] ; size 003B063E 83F9 00 cmp ecx, 0 003B0641 0F84 C5000000 je 003B070C ; Nothing? 
003B064C 33C0 xor eax, eax 003B0665 33DB xor ebx, ebx 003B066C 33D2 xor edx, edx 003B068A /8A1F mov bl, byte ptr ds:[edi] ; get a byte 003B0691 | 32D9 xor bl, cl 003B0698 | 03C3 add eax, ebx 003B069F | 47 inc edi 003B06A5 | 49 dec ecx 003B06BD | 83F9 00 cmp ecx, 0 003B06C0 ^\75 C3 jnz short 003B0685 ; 计算校验和——并不是 CRC:每个字节与剩余计数的低字节 cl 异或后累加进 eax,和 [ebp+41D604] 里存的值比较,不等就跳到出错处理 003B1FD0;改过文件想绕过去,要么把 [ebp+41D618] 的标志清零(上面那条 je 就跳过了),要么把存的校验和换成自己算出来的 003B06C7 8D9D B5D34100 lea ebx, dword ptr ss:[ebp+41D3B5] --------------------------------------------------------------------------- 003B7AE8 20 20 20 45 72 72 6F 72 20 28 34 29 3A 20 46 69 Error (4): Fi 003B7AF8 6C 65 20 43 52 43 20 45 72 72 6F 72 2C 20 20 20 le CRC Error, 003B7B08 41 62 6F 72 74 21 00 Abort!. --------------------------------------------------------------------------- 003B06E4 3985 04D64100 cmp dword ptr ss:[ebp+41D604], eax ; 比较校验和 003B06EF /0F85 DB180000 jnz 003B1FD0 ; 你敢跳? ; ============================================================================== 本代码的着色效果由xTiNt自动完成 下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar |
|
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 3] ; ****************************************************************** ; 当当当~~~~~ 醒醒啦!!! ; ****************************************************************** 0042532D 8D85 D05C4000 lea eax, dword ptr ss:[ebp+405CD0] ; 没弄明白,也许是参数 00425334 B0 94 mov al, 94 ; 后边用来xor的key 00425336 E8 00000000 call Try.0042533B 0042533B 5E pop esi ; 取这条指令地址 0042533C 81C6 A6000000 add esi, 0A6 ; 加上这段解密代码的长度,指向下一部分,进行SMC解密 00425347 B9 68010000 mov ecx, 168h ; 解码长度 00425356 8A26 mov ah, byte ptr ds:[esi] ; 读取一个字节 0042535D 32E0 xor ah, al 00425376 F6D4 not ah 0042538F 8826 mov byte ptr ds:[esi], ah ; 解密后存回去 004253A8 46 inc esi ; 下一个字节 004253AE 49 dec ecx ; 计数器-- 004253B4 83F9 00 cmp ecx, 0 004253B7 ^\75 98 jnz short Try.00425351 ; 循环直到都解密完成 ; 精彩片断!!!!!!!!!! 004253BE FEC8 dec al ; 换一个key 004253C5 BB 4F434E55 mov ebx, 554E434F ; 554E434F 就是 ASCII "OCNU"(小端);后面 00429DAF 的 int3 处理例程拿它和 eax 里的 "SNUR"(52554E53)当暗号:eax 对就 call ebx,ebx 对才解密,都不对直接 iretd 什么也不做 0042540E B9 68010000 mov ecx, 168 ; 这一块长度 0042542A 8A240E mov ah, byte ptr ds:[esi+ecx] ; 读取一个字节 00425444 88240E mov byte ptr ds:[esi+ecx], ah ; 读了又原样写回,看起来只是碰一下那段代码页,真正的解密在 int3 处理例程里做 0042545E CC int 3 ; 别乱动:这个 CC 是故意陷进壳自己的 int3 处理例程(part 2 通过驱动装进 IDT 第 3 项的那个),例程解密接下来的 168h 字节,再把 IDT[3] 指向下一个 stub 后 iretd 回来 0042545F /E9 E5000000 jmp Try.00425549 ; 按 F4 ,int3的向量处理好解码了,过去看看 ; 跳过的好像是下一次int3的向量,俺可不敢进去胡闹 00425464 |3D 534E5552 cmp eax, 52554E53 00425469 |75 24 jnz short Try.0042548F 00425482 FFD3 call ebx 00425489 CF iretd 00425576 B9 68010000 mov ecx, 168 ; TMD,没完没了了 00425592 8A240E mov ah, byte ptr ds:[esi+ecx] 004255AC 88240E mov byte ptr ds:[esi+ecx], ah 004255C6 CC int3 004255C7 E9 E5000000 jmp Try.004256B1 ; F4 004256DE B9 68010000 mov ecx, 168 ; KAO.... 
004256FA 8A240E mov ah, byte ptr ds:[esi+ecx] 00425714 88240E mov byte ptr ds:[esi+ecx], ah 0042572E CC int3 0042572F E9 E5000000 jmp Try.00425819 00425846 B9 68010000 mov ecx, 168 ; …… 00425862 8A240E mov ah, byte ptr ds:[esi+ecx] 0042587C 88240E mov byte ptr ds:[esi+ecx], ah 00425896 CC int3 00425897 E9 E5000000 jmp Try.00425981 004259AE B9 68010000 mov ecx, 168 ; my heart will go on 004259CA 8A240E mov ah, byte ptr ds:[esi+ecx] 004259E4 88240E mov byte ptr ds:[esi+ecx], ah 004259FE CC int3 004259FF /E9 E5000000 jmp Try.00425AE9 00425B16 B9 68010000 mov ecx, 168 ; 没完没了 00425B32 8A240E mov ah, byte ptr ds:[esi+ecx] 00425B4C 88240E mov byte ptr ds:[esi+ecx], ah 00425B66 CC int3 00425B67 E9 E5000000 jmp Try.00425C51 00425C7E B9 68010000 mov ecx, 168 ; 不见不散 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF /E9 E5000000 jmp Try.00425DB9 00425C7E B9 68010000 mov ecx, 168 ; 有话好好说 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF E9 E5000000 jmp Try.00425DB9 00425DE6 B9 68010000 mov ecx, 168 ; 声声慢…… 00425E02 8A240E mov ah, byte ptr ds:[esi+ecx] 00425E1C 88240E mov byte ptr ds:[esi+ecx], ah 00425E36 CC int3 00425E37 E9 E5000000 jmp Try.00425F21 00425F4E B9 68010000 mov ecx, 168 00425F6A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425F84 88240E mov byte ptr ds:[esi+ecx], ah 00425F9E CC int3 00425F9F E9 E5000000 jmp Try.00426089 004260B6 B9 68010000 mov ecx, 168 004260D2 8A240E mov ah, byte ptr ds:[esi+ecx] 004260EC 88240E mov byte ptr ds:[esi+ecx], ah 00426106 CC int3 00426107 E9 E5000000 jmp Try.004261F1 0042621E B9 68010000 mov ecx, 168 0042623A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426254 88240E mov byte ptr ds:[esi+ecx], ah 0042626E CC int3 0042626F E9 E5000000 jmp Try.00426359 00426386 B9 68010000 mov ecx, 168 004263A2 8A240E mov ah, byte ptr ds:[esi+ecx] 004263BC 88240E mov byte ptr ds:[esi+ecx], ah 004263D6 CC int3 004263D7 E9 E5000000 
jmp Try.004264C1 004264EE B9 68010000 mov ecx, 168 0042650A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426524 88240E mov byte ptr ds:[esi+ecx], ah 0042653E CC int3 0042653F E9 E5000000 jmp Try.00426629 00426656 B9 68010000 mov ecx, 168 00426672 8A240E mov ah, byte ptr ds:[esi+ecx] 0042668C 88240E mov byte ptr ds:[esi+ecx], ah 004266A6 CC int3 004266A7 E9 E5000000 jmp Try.00426791 004267BE B9 68010000 mov ecx, 168 004267DA 8A240E mov ah, byte ptr ds:[esi+ecx] 004267F4 88240E mov byte ptr ds:[esi+ecx], ah 0042680E CC int3 0042680F E9 E5000000 jmp Try.004268F9 00426926 B9 68010000 mov ecx, 168 00426942 8A240E mov ah, byte ptr ds:[esi+ecx] 0042695C 88240E mov byte ptr ds:[esi+ecx], ah 00426976 CC int3 00426977 E9 E5000000 jmp Try.00426A61 00426A8E B9 68010000 mov ecx, 168 00426AAA 8A240E mov ah, byte ptr ds:[esi+ecx] 00426AC4 88240E mov byte ptr ds:[esi+ecx], ah 00426ADE CC int3 00426ADF E9 E5000000 jmp Try.00426BC9 00426BF6 B9 68010000 mov ecx, 168 00426C12 8A240E mov ah, byte ptr ds:[esi+ecx] 00426C2C 88240E mov byte ptr ds:[esi+ecx], ah 00426C46 CC int3 00426C47 E9 E5000000 jmp Try.00426D31 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426EC6 B9 68010000 mov ecx, 168 00426EE2 8A240E mov ah, byte ptr ds:[esi+ecx] 00426EFC 88240E mov byte ptr ds:[esi+ecx], ah 00426F16 CC int3 00426F17 E9 E5000000 jmp Try.00427001 0042702E B9 68010000 mov ecx, 168 0042704A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427064 88240E mov byte ptr ds:[esi+ecx], ah 0042707E CC int3 0042707F E9 E5000000 jmp Try.00427169 00427196 B9 68010000 mov ecx, 168 004271B2 8A240E mov ah, byte ptr ds:[esi+ecx] 004271CC 88240E mov byte ptr ds:[esi+ecx], ah 004271E6 CC int3 004271E7 E9 E5000000 jmp 
Try.004272D1 004272FE B9 68010000 mov ecx, 168 0042731A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427334 88240E mov byte ptr ds:[esi+ecx], ah 0042734E CC int3 0042734F E9 E5000000 jmp Try.00427439 -============================================================- ; 晕倒了快,拿个处理看看,调剂~~~ 00429D84 3D 534E5552 cmp eax, 52554E53 00429D89 75 24 jnz short Try.00429DAF 00429DA2 FFD3 call ebx 00429DA9 CF iretd 00429DAF 81FB 4F434E55 cmp ebx, 554E434F 00429DB5 0F85 AD000000 jnz Try.00429E68 00429DBB 8A26 mov ah, byte ptr ds:[esi] 00429DC2 32E0 xor ah, al 00429DDB F6D4 not ah 00429DE2 8826 mov byte ptr ds:[esi], ah 00429DE9 46 inc esi 00429DEF 49 dec ecx 00429DF5 83F9 00 cmp ecx, 0 00429DF8 ^ 75 C1 jnz short Try.00429DBB 00429DFF FEC8 dec al 00429E06 8DBD 4E344200 lea edi, dword ptr ss:[ebp+42344E] 00429E11 0F010F sidt fword ptr ds:[edi] 00429E19 8B7F 02 mov edi, dword ptr ds:[edi+2] 00429E1C 8B1C24 mov ebx, dword ptr ss:[esp] 00429E24 803B E9 cmp byte ptr ds:[ebx], 0E9 00429E27 75 05 jnz short Try.00429E2E 00429E29 83C3 05 add ebx, 5 00429E2C EB 03 jmp short Try.00429E31 00429E2E 83C3 02 add ebx, 2 00429E36 66:895F 18 mov word ptr ds:[edi+18], bx 00429E3F C1EB 10 shr ebx, 10 00429E47 66:895F 1E mov word ptr ds:[edi+1E], bx 00429E50 BB 55010000 mov ebx, 155 00429E5A 0F23FB mov dr7, ebx ; Privileged command 00429E62 BB 4F434E55 mov ebx, 554E434F 00429E67 CF iretd 00429E68 CF iretd -============================================================- 0042CB96 B9 68010000 mov ecx, 168 0042CBB2 8A240E mov ah, byte ptr ds:[esi+ecx] 0042CBCC 88240E mov byte ptr ds:[esi+ecx], ah 0042CBE6 CC int3 0042CBE7 E9 E5000000 jmp Try.0042CCD1 0042EFF9 E8 00000000 call Try.0042EFFE 0042EFFE 5D pop ebp 0042EFFF 81ED CB484100 sub ebp, Try.004148CB ; 长征过去……再来取delta 0042F005 58 pop eax 0042F038 80E4 01 and ah, 1 0042F052 32C0 xor al, al 0042F081 66:3185 2DD6410>xor word ptr ss:[ebp+41D62D], ax 0042F0BF 8D85 D15C4000 lea eax, dword ptr ss:[ebp+405CD1] 0042F0FE BE 944B4100 mov esi, Try.00414B94 0042F130 03F5 add 
esi, ebp 0042F149 B9 B6E80000 mov ecx, 0E8B6 0042F158 03F1 add esi, ecx 0042F187 4E dec esi 0042F1B5 BB 01000000 mov ebx, 1 ; 又解码:从区域末尾往前链式解密,每个字节与后一个(已解密的)字节、计数器 bl 和 [ebp+40AC02] 的密钥字节异或 0042F1C4 8A06 mov al, byte ptr ds:[esi] 0042F1F3 3246 01 xor al, byte ptr ds:[esi+1] 0042F1FB 32C3 xor al, bl 0042F219 3285 02AC4000 xor al, byte ptr ss:[ebp+40AC02] 0042F251 8806 mov byte ptr ds:[esi], al 0042F258 4E dec esi 0042F25E 43 inc ebx 0042F264 49 dec ecx 0042F26A 83F9 00 cmp ecx, 0 0042F26D ^\0F85 4CFFFFFF jnz Try.0042F1BF 0042F278 66:81BD 944B410>cmp word ptr ss:[ebp+414B94], 9090 0042F2AE - 75 FE jnz short Try.0042F2AE ; 75 FE 是跳到自己:解密出来的第一个字不是 9090(两个 nop)就原地死循环——不报错的完整性校验,密钥或解密区域被改过,进程就静静挂在这里 0042F2C9 8B85 F1344200 mov eax, dword ptr ss:[ebp+4234F1] 0042F2CF 83F8 00 cmp eax, 0 0042F2D2 B9 7DDB0100 mov ecx, 1DB7D 0042F2D7 0F85 E0020000 jnz Try.0042F5BD 0042F2DD E8 00000000 call Try.0042F2E2 0042F2E2 5A pop edx 0042F310 2B95 F4D54100 sub edx, dword ptr ss:[ebp+41D5F4] 0042F31B 81EA E2F20000 sub edx, 0F2E2 0042F326 8995 DCD34100 mov dword ptr ss:[ebp+41D3DC], edx 0042F3B3 8D85 D25C4000 lea eax, dword ptr ss:[ebp+405CD2] 0042F458 B8 87CC4100 mov eax, Try.0041CC87 0042F462 03C5 add eax, ebp ; eax -> IID 0042F469 E8 10890000 call Try.00437D7E ; 取函数地址 00437DAB 60 pushad ---------------------------------------------------------------------- 00437DB1 8BD8 mov ebx, eax ; ****************************************************************** ; 大循环开始 00437DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 00437DCB /0F84 1B030000 je Try.004380EC ; over 00437DED 8BC3 mov eax, ebx 00437DF4 83C0 08 add eax, 8 00437DFC 50 push eax 00437DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 00437E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存 hModule 00437E13 83F8 00 cmp eax, 0 ; faint 00437E16 /75 46 jnz short Try.00437E5E ; JUMP 00437E1D C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed.... 
00437E54 /E9 93020000 jmp Try.004380EC ; Game Over 00437EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041CCD4 00437EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] 00437ED5 03F5 add esi, ebp ; 修正地址 00437EDC 03FD add edi, ebp 00437EFF 803E 00 cmp byte ptr ds:[esi], 0 ; 表处理完了? 00437F02 0F85 BE000000 jnz Try.00437FC6 ;没有就处理 -> *** 00437F35 83C3 08 add ebx, 8 ; ebx 指向下一个DLL名称 00437F65 803B 00 cmp byte ptr ds:[ebx], 0 00437F68 74 1F je short Try.00437F89 00437F81 43 inc ebx 00437F87 ^\EB DC jmp short Try.00437F65 00437FB6 43 inc ebx ; Try.004373CE 00437FBC ^\E9 FCFDFFFF jmp Try.00437DBD ; 大循环结束 ; ****************************************************************** ;***: 00437FD0 56 push esi 00437FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 00437FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress,取地址 00437FE2 83F8 00 cmp eax, 0 00437FE5 75 30 jnz short Try.00438017 ; GO 00437FEC C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed again .......... 00438038 8907 mov dword ptr ds:[edi], eax ; 写入函数地址 00438051 83C7 04 add edi, 4 ; 下一个Thunk ; 使 esi 指向下一个函数名 0043805E /803E 00 cmp byte ptr ds:[esi], 0 00438061 | 74 0D je short Try.00438070 00438068 | 46 inc esi 0043806E \EB EE jmp short Try.0043805E 0043809D 46 inc esi ; skip NULL 004380CB ^\E9 2AFEFFFF jmp Try.00437EFA 004380F1 61 popad 004380F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] ; 返回标志 00438102 C3 ret ---------------------------------------------------------------------- 0042F473 BB 3AD34100 mov ebx, Try.0041D33A 0042F47D 03DD add ebx, ebp ; 出错信息 0042F484 66:3D 0000 cmp ax, 0 0042F48D /0F84 3D2B0000 je Try.00431FD0 ; 某个错误 0042F4C5 B9 60E50100 mov ecx, 1E560 0042F4E1 83C1 20 add ecx, 20 0042F516 6A 00 push 0 0042F518 51 push ecx 0042F519 6A 00 push 0 0042F51B 6A 04 push 4 0042F51D 6A 00 push 0 0042F51F 6A FF push -1 0042F521 FF95 C3CE4100 call dword ptr ss:[ebp+41CEC3] ; kernel32.CreateFileMappingA 0012FF8C 0042F527 /CALL to CreateFileMappingA from Try.0042F521 0012FF90 FFFFFFFF |hFile = 
FFFFFFFF 0012FF94 00000000 |pSecurity = NULL 0012FF98 00000004 |Protection = PAGE_READWRITE 0012FF9C 00000000 |MaximumSizeHigh = 0 0012FFA0 0001E580 |MaximumSizeLow = 1E580 0012FFA4 00000000 \MapName = NULL 0042F52C 6A 00 push 0 0042F52E 6A 00 push 0 0042F530 6A 00 push 0 0042F532 6A 02 push 2 0042F534 50 push eax 0042F535 FF95 BFCE4100 call dword ptr ss:[ebp+41CEBF] ; kernel32.MapViewOfFile 0012FF90 0042F53B /CALL to MapViewOfFile from Try.0042F535 0012FF94 00000060 |hMapObject = 00000060 (window) 0012FF98 00000002 |AccessMode = FILE_MAP_WRITE 0012FF9C 00000000 |OffsetHigh = 0 0012FFA0 00000000 |OffsetLow = 0 0012FFA4 00000000 \MapSize = 0 ; map it... hFile=-1 表示这是一块页面文件支持的匿名映射(1E580 字节,可读写),不属于任何文件也不属于主模块镜像 0042F557 8985 F1344200 mov dword ptr ss:[ebp+4234F1], eax ; 保存 0042F574 B9 60E50100 mov ecx, 1E560 0042F5C2 8BD0 mov edx, eax 0042F5C9 8BF8 mov edi, eax ; 要解一部分loader代码到内存 0042F5D0 BE CD584000 mov esi, Try.004058CD 0042F5DA 03F5 add esi, ebp ; 未还原数据 0042F5F3 F3:A4 rep movsb 0042F5FF 8D85 D35C4000 lea eax, dword ptr ss:[ebp+405CD3] 0042F615 B8 804F4100 mov eax, Try.00414F80 0042F61F 2D CD584000 sub eax, Try.004058CD 0042F629 03C2 add eax, edx 0042F642 8B9D F5344200 mov ebx, dword ptr ss:[ebp+4234F5] 0042F64D 50 push eax 0042F67B C3 ret ; funy jump... push eax/ret 就是 jmp 到映射区里的 (00414F80-004058CD)+映射基址 0042F67B C3 ret ; 二步瞬移~~~ ==> 003AF6B3;前面 part 里看到的 003Bxxxx 地址全在这块匿名映射里,所以只 dump 主模块是拿不到这段 loader 的,要连这块区域一起 dump 本代码的着色效果由xTiNt自动完成 下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar |
|
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 2] 004207D5 8D85 E15C4000 lea eax, dword ptr ss:[ebp+405CE1] 004207EB E8 34120000 call Try.00421A24 00421A68 60 pushad 00421A80 B8 92764000 mov eax, Try.00407692 00421A9C 03C5 add eax, ebp ; buffer 00421AA3 8BF0 mov esi, eax 00421AAA 68 C8000000 push MAX_PATH 00421AAF 50 push eax 00421AB0 FF95 44724000 call dword ptr ss:[ebp+407244] ; kernel32.GetSystemDirectoryA 00421ABB 90 nop 00421AC0 8A06 mov al, byte ptr ds:[esi] 00421AC7 46 inc esi 00421ADF 3C 00 cmp al, 0 00421B0E ^\75 AB jnz short Try.00421ABB 00421B15 C646 FF 5C mov byte ptr ds:[esi-1], 5C ; 目录后边加个"\" 00421B1E C706 63646364 mov dword ptr ds:[esi], 64636463 ; cdcd 00421B29 C746 04 2E73797>mov dword ptr ds:[esi+4], 7379732E ; .sys 00421B5D C746 08 0000000>mov dword ptr ds:[esi+8], 0 ; NULL, 铺张浪费,byte就足够了 ; 我这里的文件名 --------------------------------------------------------------------------- 00421DB9 ** 3A 5C 57 *:\W 00421DC9 49 4E 44 4F 57 53 5C 53 79 73 74 65 6D 33 32 5C INDOWS\System32\ 00421DD9 63 64 63 64 2E 73 79 73 cdcd.sys --------------------------------------------------------------------------- 00421B92 B8 86764000 mov eax, Try.00407686 00421B9C 03C5 add eax, ebp 00421BCB BB 92764000 mov ebx, Try.00407692 00421BFD 03DD add ebx, ebp 00421C2C 6A 00 push 0 00421C2E 6A 20 push 20 00421C30 6A 04 push 4 00421C32 6A 00 push 0 00421C34 6A 02 push 2 00421C36 68 00000040 push 40000000 00421C3B 53 push ebx 00421C3C FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA ; 参数,清晰一些:) --------------------------------------------------------------- 0012FF60 00421C42 /CALL to CreateFileA from Try.00421C3C 0012FF64 00421DC5 |FileName = "E:\WINDOWS\System32\cdcd.sys" 0012FF68 40000000 |Access = GENERIC_WRITE 0012FF6C 00000002 |ShareMode = FILE_SHARE_WRITE 0012FF70 00000000 |pSecurity = NULL 0012FF74 00000004 |Mode = OPEN_ALWAYS 0012FF78 00000020 |Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL --------------------------------------------------------------- 00421C4C 83F8 FF cmp eax, -1 
00421C54 /0F84 32010000 je Try.00421D8C ; 坏事了... 00421C76 8985 8A764000 mov dword ptr ss:[ebp+40768A], eax ; 保存句柄 00421CC0 B9 8C310000 mov ecx, 318C ; 驱动文件长度 00421CCA B8 8E764000 mov eax, Try.0040768E 00421CE6 03C5 add eax, ebp ; WriteFile 的 lpNumberOfBytesWritten 输出参数(下面参数窗里的 pBytesWritten) 00421CED BB 5A774000 mov ebx, Try.0040775A 00421D09 03DD add ebx, ebp ; 可爱的驱动程序(整个 .sys 就明文躺在壳的数据里) 00421D10 6A 00 push 0 00421D12 50 push eax 00421D13 51 push ecx 00421D14 53 push ebx 00421D15 FFB5 8A764000 push dword ptr ss:[ebp+40768A] ; hFile(刚才保存的文件句柄,不是 hWnd) 00421D1B FF95 4C724000 call dword ptr ss:[ebp+40724C] ; kernel32.WriteFile ; 写出驱动. 句柄紧接着就 CloseHandle 了,驱动加载完以后壳还会 DeleteFileA 把 cdcd.sys 删掉(见后面),想拿来研究要么在 WriteFile 之后、删除之前把文件复制走,要么直接从内存 Try.00421E8D 起 dump 318C 字节 0012FF68 00421D21 /CALL to WriteFile from Try.00421D1B 0012FF6C 00000024 |hFile = 00000024 0012FF70 00421E8D |Buffer = Try.00421E8D 0012FF74 0000318C |nBytesToWrite = 318C (12684.) 0012FF78 00421DC1 |pBytesWritten = Try.00421DC1 0012FF7C 00000000 \pOverlapped = NULL 00421D3D FFB5 8A764000 push dword ptr ss:[ebp+40768A] 00421D43 FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF78 00421D49 /CALL to CloseHandle from Try.00421D43 0012FF7C 00000024 \hObject = 00000024 00421D76 61 popad 00421D7C B8 01000000 mov eax, TRUE ; 收工 00421D86 C3 ret ; 回家 00421D8C 90 nop 00421D91 61 popad 00421D7C B8 01000000 mov eax, FALSE 00421D86 C3 ret 00420807 83F8 00 cmp eax, FALSE ; 失败? 
0042080F /0F84 22480000 je Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex,释放互斥体 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle,关闭互斥体句柄 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 0F85 4C010000 jnz Try.004251BD ; ..............我没走这条线,不跟了 0042085E 8D85 E25C4000 lea eax, dword ptr ss:[ebp+405CE2] 00420874 E8 7F060000 call Try.00420EF8 ----------------------------- 以后不跟那么多线了,受不了 00420F2A 68 3F000F00 push 0F003F ; SC_MANAGER_ALL_ACCESS——往下装驱动、起服务这一套通常要管理员权限,普通用户跑到这里就会失败 00420F2F 6A 00 push 0 00420F31 6A 00 push 0 00420F33 FF95 CD724000 call dword ptr ss:[ebp+4072CD] ; advapi32.OpenSCManagerA 00420F50 83F8 00 cmp eax, 0 00420F58 /0F84 8F030000 je Try.004212ED 00420F75 8985 3A6C4000 mov dword ptr ss:[ebp+406C3A], eax 00420F85 B8 3E6C4000 mov eax, Try.00406C3E 00420FA1 03C5 add eax, ebp 00420FBA 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS 00420FBF 50 push eax 00420FC0 FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 00420FC6 FF95 D5724000 call dword ptr ss:[ebp+4072D5] ; advapi32.OpenServiceA 00420FD1 83F8 00 cmp eax, 0 00420FD4 0F85 97000000 jnz Try.00421071 ; Jump(服务已存在就直接用;不存在走的那段这里没贴,推测是 CreateServiceA) 0042109E 83F8 00 cmp eax, 0 004210A6 /0F84 41020000 je Try.004212ED 004210B1 8985 586C4000 mov dword ptr ss:[ebp+406C58], eax 004210C1 6A 00 push 0 004210C3 6A 00 push 0 004210C5 FFB5 586C4000 push dword ptr ss:[ebp+406C58] 004210CB FF95 C5724000 call dword ptr ss:[ebp+4072C5] ; advapi32.StartServiceA ; 启动服务,不好玩^^,我这里服务开启,所以产生了ERROR_SERVICE_ALREADY_RUNNING (00000420) 004210E4 FF95 40724000 call dword ptr ss:[ebp+407240] ; ntdll.RtlGetLastWin32Error 00421101 3D E5030000 cmp eax, 3E5 ; ERROR_IO_PENDING (997) 00421106 /0F84 DD000000 je Try.004211E9 00421123 3D 20040000 cmp eax, 420 ; ERROR_SERVICE_ALREADY_RUNNING (1056) 00421128 /0F84 B6000000 je Try.004211E4 ; GoGoGo,否则Game Over就不好玩了 0042120A B8 446C4000 mov eax, Try.00406C44 00421226 03C5 add eax, ebp ; Oh God save me!!! 
--------------------------------------------------------------------------- 00421377 5C 5C 2E 5C 44 62 70 65 44 65 76 69 63 65 30 00 \\.\DbpeDevice0. --------------------------------------------------------------------------- 0042123F 6A 00 push 0 00421241 6A 00 push 0 00421243 6A 03 push 3 00421245 6A 00 push 0 00421247 6A 01 push 1 00421249 68 000000C0 push C0000000 0042124E 50 push eax 0042124F FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA 0012FF7C 0012FFE0 0012FF80 00421255 /CALL to CreateFileA from Try.0042124F 0012FF84 00421377 |FileName = "\\.\DbpeDevice0" 0012FF88 C0000000 |Access = GENERIC_READ|GENERIC_WRITE 0012FF8C 00000001 |ShareMode = FILE_SHARE_READ 0012FF90 00000000 |pSecurity = NULL 0012FF94 00000003 |Mode = OPEN_EXISTING 0012FF98 00000000 |Attributes = 0 0012FF9C 00000000 \hTemplateFile = NULL ; 调查一下服务:) 0042126C 83F8 FF cmp eax, -1 00421274 /74 77 je short Try.004212ED ; 没启动走人,加载错误 0042127B 8985 546C4000 mov dword ptr ss:[ebp+406C54], eax; save handle 004212AE B8 01000000 mov eax, TRUE 004212B8 8985 706C4000 mov dword ptr ss:[ebp+406C70], eax 004212D5 C3 ret ; 回去了 004208A6 83F8 00 cmp eax, 0 ; over? 
004208AE /0F84 83470000 je Try.00425037 ; over 004208C3 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 004208FF B8 5C3A4200 mov eax, Try.00423A5C 00420909 03C5 add eax, ebp ; forgot: 老是这个,我$@%@%@^%@$^ 00420922 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420932 B8 746C4000 mov eax, Try.00406C74 0042093C 03C5 add eax, ebp 0042096B 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 0042097B B8 5C6C4000 mov eax, Try.00406C5C 00420985 03C5 add eax, ebp 0042098C 6A 00 push 0 0042098E 6A 00 push 0 00420990 6A 00 push 0 00420992 6A 00 push 0 00420994 6A 0C push 0C 00420996 50 push eax 00420997 6A 04 push 4 00420999 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 0042099F FF95 3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 004209A5 /CALL to DeviceIoControl from Try.0042099F 0012FF84 0000004C |hDevice = 0000004C 0012FF88 00000004 |IoControlCode = 4 0012FF8C 0042138F |InBuffer = Try.0042138F 0012FF90 0000000C |InBufferSize = C (12.) 0012FF94 00000000 |OutBuffer = NULL 0012FF98 00000000 |OutBufferSize = 0 0012FF9C 00000000 |pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL 00420A55 B8 00000000 mov eax, 0 00420A5F 81BD 746C4000 8>cmp dword ptr ss:[ebp+406C74], FFFF8888 00420A6E /0F84 C3450000 je Try.00425037 ; 好像是Over 00420AB8 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 00420AF4 B8 5C3A4200 mov eax, Try.00423A5C 00420AFE 03C5 add eax, ebp 00420B17 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420B61 B8 746C4000 mov eax, Try.00406C74 00420B6B 03C5 add eax, ebp 00420B9A 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 00420BBC C785 746C4000 0>mov dword ptr ss:[ebp+406C74], 0 00420BE2 B8 5C6C4000 mov eax, Try.00406C5C 00420BEC 03C5 add eax, ebp 00420BF3 6A 00 push 0 00420BF5 6A 00 push 0 00420BF7 6A 00 push 0 00420BF9 6A 00 push 0 00420BFB 6A 0C push 0C 00420BFD 50 push eax 00420BFE 6A 01 push 1 00420C00 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 00420C06 FF95 
3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 00420C0C /CALL to DeviceIoControl from Try.00420C06 0012FF84 0000004C |hDevice = 0000004C 0012FF88 00000001 |IoControlCode = 1 0012FF8C 0042138F |InBuffer = Try.0042138F 0012FF90 0000000C |InBufferSize = C (12.) 0012FF94 00000000 |OutBuffer = NULL 0012FF98 00000000 |OutBufferSize = 0 0012FF9C 00000000 |pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL ; 中断向量被改掉了:传给驱动的 12 字节结构是 {3, 00423A5C+ebp 处的处理例程, 输出槽 [ebp+406C74]}(见上面的填充),推测 IOCTL 1 让驱动把 IDT 第 3 项(int3)指向壳自己的例程,旧向量回填到 [ebp+406C74](下面又被拆成两个 word 存到 [ebp+423454/423456]). 从这以后调试器写进去的 CC 软件断点都会被壳的例程接管而不是回到调试器,所以不敢用int3乱动阿!用F4走,或者在Debug里设置用hardware breakpoint进行step,否则****自己想象吧 ; **************************************************************** ; 千 万 小 心 ; **************************************************************** 00420C0C 90 nop ; F4 00420D07 8B85 746C4000 mov eax, dword ptr ss:[ebp+406C74] 00420D3A 83F8 00 cmp eax, 0 00420D42 /0F84 EF420000 je Try.00425037 ; over 00420D7A 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00420D86 C1E8 10 shr eax, 10 00420D8E 66:8985 5634420>mov word ptr ss:[ebp+423456], ax 00420DC7 B8 01000000 mov eax, 1 00420DD1 8985 6C6C4000 mov dword ptr ss:[ebp+406C6C], eax 00420E09 50 push eax 00420E0F B8 92764000 mov eax, Try.00407692 00420E2B 03C5 add eax, ebp ; 对驱动进行惨无人道的毁尸灭迹……驱动一加载进内核就把磁盘上的 cdcd.sys 删掉,盘上不留痕迹;要拿驱动文件研究,得在前面 WriteFile 之后这里之前复制,或者直接从内存 Try.00421E8D 起 dump 318C 字节 00420E5A 50 push eax ; Try.00421DC5 00420E5B FF95 38724000 call dword ptr ss:[ebp+407238] ; kernel32.DeleteFileA 0012FF98 00420E61 /CALL to DeleteFileA from Try.00420E5B 0012FF9C 00421DC5 \FileName = "E:\WINDOWS\System32\cdcd.sys" 00420E66 58 pop eax 00420E6C /E9 C6410000 jmp Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex 0012FF98 00425044 /CALL to ReleaseMutex from Try.0042503E 0012FF9C 00000020 \hMutex = 00000020 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF98 00425050 /CALL to CloseHandle from Try.0042504A 0012FF9C 00000020 \hObject = 00000020 ; 没人性,互斥体也惨遭毒手…… 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 
0F85 4C010000 jnz Try.004251BD ; Go 004251C2 /E9 39010000 jmp Try.00425300 ; 花絮:跳过的这段代码就是不走驱动、直接改 IDT 的版本——cli 后 sidt 取 IDT 基址([esi+2]),IDT 每项 8 字节,+18/+1E 正好是第 3 项(int3)offset 的低/高 16 位:先把旧向量存到 [ebp+423454/423456],再填上 00423A5C+ebp 的处理例程,和上面 DeviceIoControl 那条线做的是同一件事. cli 和写 IDT 在 NT 下 ring3 做不了,所以这条路只在 9x 上走得通 ---------------------------------------------------------------- 004251CC FA cli 004251D2 BE 4E344200 mov esi, Try.0042344E 004251DC 03F5 add esi, ebp 004251E3 0F010E sidt fword ptr ds:[esi] 004251EB 8B76 02 mov esi, dword ptr ds:[esi+2] 0042520A 66:8B46 18 mov ax, word ptr ds:[esi+18] 00425213 66:8B5E 1E mov bx, word ptr ds:[esi+1E] 00425244 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00425250 66:899D 5634420>mov word ptr ss:[ebp+423456], bx 00425289 B8 5C3A4200 mov eax, Try.00423A5C 00425293 03C5 add eax, ebp 004252AC 66:8946 18 mov word ptr ds:[esi+18], ax 004252B5 C1E8 10 shr eax, 10 004252E5 66:8946 1E mov word ptr ds:[esi+1E], ax ; 好在我不是9x....哈 ---------------------------------------------------------------- |