004015CC . C68424 BC0900>mov byte ptr [esp+9BC], 1
004015D4 . E8 29A30900 call <jmp.&MFC42.#3874> ; 取假码
004015D9 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
004015DD . 51 push ecx
004015DE . 8D8D A0010000 lea ecx, dword ptr [ebp+1A0]
004015E4 . E8 19A30900 call <jmp.&MFC42.#3874> ; 取用户名
004015E9 . 8B5424 18 mov edx, dword ptr [esp+18]
004015ED . 8B42 F8 mov eax, dword ptr [edx-8]
004015F0 . 85C0 test eax, eax ; 检查假码长度
004015F2 . 0F84 0B030000 je 00401903
004015F8 . 8B4424 1C mov eax, dword ptr [esp+1C]
004015FC . 8B48 F8 mov ecx, dword ptr [eax-8]
004015FF . 85C9 test ecx, ecx
00401601 . 0F84 FC020000 je 00401903 ; 检查用户名长度
00401607 . 8D4C24 10 lea ecx, dword ptr [esp+10]
0040160B . E8 C2A20900 call <jmp.&MFC42.#540>
00401610 . 66:8B0D 54005>mov cx, word ptr [550054]
00401617 . 33C0 xor eax, eax
00401619 . 66:894C24 2C mov word ptr [esp+2C], cx
0040161E . B9 40000000 mov ecx, 40
00401623 . 8D7C24 2E lea edi, dword ptr [esp+2E]
00401627 . 8D5424 2C lea edx, dword ptr [esp+2C]
0040162B . F3:AB rep stos dword ptr es:[edi]
0040162D . 68 04010000 push 104 ; /BufSize = 104 (260.)
00401632 . BB 02000000 mov ebx, 2 ; |
00401637 . 52 push edx ; |PathBuffer
00401638 . 6A 00 push 0 ; |hModule = NULL
0040163A . 889C24 C40900>mov byte ptr [esp+9C4], bl ; |
00401641 . 66:AB stos word ptr es:[edi] ; |
00401643 . FF15 1CC25000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401649 . 8D4424 2C lea eax, dword ptr [esp+2C]
0040164D . 8D4C24 10 lea ecx, dword ptr [esp+10]
00401651 . 50 push eax
00401652 . E8 75A20900 call <jmp.&MFC42.#860>
00401657 . 83CF FF or edi, FFFFFFFF
0040165A . 8D4C24 10 lea ecx, dword ptr [esp+10]
0040165E . 57 push edi
0040165F . E8 62A20900 call <jmp.&MFC42.#5572>
00401664 . 6A 5C push 5C
00401666 . 8D4C24 14 lea ecx, dword ptr [esp+14]
0040166A . E8 51A20900 call <jmp.&MFC42.#5683>
0040166F . 8D4C24 28 lea ecx, dword ptr [esp+28]
00401673 . 50 push eax
00401674 . 51 push ecx
00401675 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00401679 . E8 3CA20900 call <jmp.&MFC42.#4129>
0040167E . 50 push eax
0040167F . 8D4C24 14 lea ecx, dword ptr [esp+14]
00401683 . C68424 BC0900>mov byte ptr [esp+9BC], 3
0040168B . E8 24A20900 call <jmp.&MFC42.#858>
00401690 . 8D4C24 28 lea ecx, dword ptr [esp+28]
00401694 . 889C24 B80900>mov byte ptr [esp+9B8], bl
0040169B . E8 0EA20900 call <jmp.&MFC42.#800>
004016A0 . 8D4C24 20 lea ecx, dword ptr [esp+20]
004016A4 . E8 29A20900 call <jmp.&MFC42.#540>
004016A9 . 8D4C24 24 lea ecx, dword ptr [esp+24]
004016AD . C68424 B80900>mov byte ptr [esp+9B8], 4
004016B5 . E8 18A20900 call <jmp.&MFC42.#540>
004016BA . 8D5424 20 lea edx, dword ptr [esp+20]
004016BE . 8BCE mov ecx, esi
004016C0 . 52 push edx
004016C1 . C68424 BC0900>mov byte ptr [esp+9BC], 5
004016C9 . E8 34A20900 call <jmp.&MFC42.#3874>
004016CE . 8D4424 20 lea eax, dword ptr [esp+20]
004016D2 . 8D4C24 24 lea ecx, dword ptr [esp+24]
004016D6 . 50 push eax
004016D7 . E8 D8A10900 call <jmp.&MFC42.#858> ; 关键call
004016DC . 8D4C24 28 lea ecx, dword ptr [esp+28]
004016E0 . 6A 0A push 0A
004016E2 . 51 push ecx
004016E3 . 8D4C24 28 lea ecx, dword ptr [esp+28]
004016E7 . E8 10A20900 call <jmp.&MFC42.#4277>
004016EC . 8B00 mov eax, dword ptr [eax]
004016EE . BE 24D35300 mov esi, 0053D324 ; ASCII "CCRM"
004016F3 > 8A10 mov dl, byte ptr [eax]
004016F5 . 8ACA mov cl, dl
004016F7 . 3A16 cmp dl, byte ptr [esi]
004016F9 75 1A jnz short 00401715
004016FB . 84C9 test cl, cl
004016FD 74 12 je short 00401711
004016FF . 8A50 01 mov dl, byte ptr [eax+1]
00401702 . 8ACA mov cl, dl
00401704 . 3A56 01 cmp dl, byte ptr [esi+1]
00401707 75 0C jnz short 00401715
00401709 . 03C3 add eax, ebx
0040170B . 03F3 add esi, ebx
0040170D . 84C9 test cl, cl
0040170F .^ 75 E2 jnz short 004016F3
00401711 > 33C0 xor eax, eax
00401713 . EB 04 jmp short 00401719
00401715 > 1BC0 sbb eax, eax
00401717 . 1BC7 sbb eax, edi
00401719 > 85C0 test eax, eax
0040171B . 8D4C24 28 lea ecx, dword ptr [esp+28]
0040171F . 0F944424 17 sete byte ptr [esp+17]
00401724 . E8 85A10900 call <jmp.&MFC42.#800>
00401729 . 8A4424 17 mov al, byte ptr [esp+17]
0040172D . 84C0 test al, al
0040172F . 74 30 je short 00401761
00401731 . 6A 40 push 40
00401733 . 68 18D35300 push 0053D318
00401738 . 68 DCD15300 push 0053D1DC
0040173D . 8BCD mov ecx, ebp
0040173F . E8 B2A10900 call <jmp.&MFC42.#4224>
00401744 . 6A 03 push 3 ; /IsShown = 3
00401746 . 6A 00 push 0 ; |DefDir = NULL
00401748 . 6A 00 push 0 ; |Parameters = NULL
0040174A . 68 B0D15300 push 0053D1B0 ; |FileName = "http://www.powerrsoft.com/rm/userlogin.asp"
0040174F . 68 A8D15300 push 0053D1A8 ; |Operation = "open"
00401754 . 6A 00 push 0 ; |hWnd = NULL
00401756 . FF15 5CCA5000 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
0040175C . E9 56010000 jmp 004018B7
00401761 > 6A 41 push 41
00401763 . 68 18D35300 push 0053D318
00401768 . 68 08D15300 push 0053D108
0040176D . 8BCD mov ecx, ebp
0040176F . E8 82A10900 call <jmp.&MFC42.#4224> ; 注册失败