3 楼
; --- caller-side dongle check (excerpt from post #3). The function containing this code starts
;     before this excerpt and the argument pushes of the first call are cut off above.
;     chemlib.00447950 is the dongle request wrapper: cdecl, 9 dword args (hence add esp,24),
;     returns ax = 0 on success and a non-zero status on failure.
0402B00 . 52 push edx ; |Arg1   ; selector word for the first (cut-off) request
00402B01 . E8 4A4E0400 call chemlib.00447950 ; \chemlib.00447950   ; first dongle request
00402B06 . 83C4 24 add esp,24   ; pop the 9 args
00402B09 . 66:85C0 test ax,ax   ; ax == 0 -> ok
00402B0C . 0F85 AF0100>jnz chemlib.00402CC1   ; non-zero -> error path at 402CC1
; Second request: selector 5, [533E90] = 0x10, [533E92] = 7, results expected at [533E98..].
; Post #3 reads this as "read 7 dongle bytes starting at offset 0x10".
00402B12 . 66:C705 643>mov word ptr ds:[533E64],5   ; Arg1 (selector) is loaded from here below
00402B1B . 66:C705 903>mov word ptr ds:[533E90],10   ; Arg5 points here (start offset per post #3)
00402B24 . 66:C705 923>mov word ptr ds:[533E92],7   ; Arg6 points here (byte count per post #3)
; Args 2..9 are POINTERS into the 533Exx data area; 00447950 copies them verbatim into the
; request it hands to the driver, and the checks below read [533E98..] afterwards, so the
; driver apparently writes its results back through these user-mode pointers (confirm in driver).
00402B2D . 68 983E5300 push chemlib.00533E98 ; /Arg9 = 00533E98   ; receive buffer for the bytes read
00402B32 . 68 963E5300 push chemlib.00533E96 ; |Arg8 = 00533E96
00402B37 . 68 943E5300 push chemlib.00533E94 ; |Arg7 = 00533E94
00402B3C . 68 923E5300 push chemlib.00533E92 ; |Arg6 = 00533E92 ASCII "O@"   ; (OllyDbg's ASCII guess is just the current memory contents)
00402B41 . 68 903E5300 push chemlib.00533E90 ; |Arg5 = 00533E90
00402B46 . 68 8C3E5300 push chemlib.00533E8C ; |Arg4 = 00533E8C
00402B4B . 68 883E5300 push chemlib.00533E88 ; |Arg3 = 00533E88
00402B50 . 68 663E5300 push chemlib.00533E66 ; |Arg2 = 00533E66
00402B55 . 66:8B0D 643>mov cx,word ptr ds:[533E64] ; |   ; only cx is loaded; the callee reads only the low word (di)
00402B5C . 51 push ecx ; |Arg1
00402B5D . E8 EE4D0400 call chemlib.00447950 ; \chemlib.00447950 // post #3: read 7 dongle bytes starting at 0x10
00402B62 . 83C4 24 add esp,24
00402B65 . 66:85C0 test ax,ax // ax == 0 means success
00402B68 . 0F85 240100>jnz chemlib.00402C92 // taken = read failed -> error path
; The 7 returned bytes are compared one by one against constants baked into the binary
; ('2','0','3','2','1','8' = 32,30,33,32,31,38). Security note: the "secret" the dongle must
; return therefore lives in plain text in the client, and each compare is a single patchable jnz.
00402B6E . 803D 983E53>cmp byte ptr ds:[533E98],32   ; byte 0 == '2' ?
00402B75 . 0F85 E80000>jnz chemlib.00402C63 // post #3 asked whether 402C63 is the error path; post #4 confirms it is
00402B7B . 803D 9A3E53>cmp byte ptr ds:[533E9A],30 // post #3: "the 7 bytes land here, but one compare seems missing" -- the [533E99] line was lost when the listing was pasted (see post #4)
00402B82 . 0F85 DB0000>jnz chemlib.00402C63
00402B88 . 803D 9B3E53>cmp byte ptr ds:[533E9B],33   ; '3'
00402B8F . 0F85 CE0000>jnz chemlib.00402C63
00402B95 . 803D 9C3E53>cmp byte ptr ds:[533E9C],32   ; '2'
00402B9C . 0F85 C10000>jnz chemlib.00402C63
00402BA2 . 803D 9D3E53>cmp byte ptr ds:[533E9D],31   ; '1'
00402BA9 . 0F85 B40000>jnz chemlib.00402C63
00402BAF . 803D 9E3E53>cmp byte ptr ds:[533E9E],38   ; '8'
00402BB6 . 0F85 A70000>jnz chemlib.00402C63
; Third request: selector 0xC, [533E90] = 8, [533E92] = 0 (post #3: "query the attribute of
; module 8"; after the call the code expects [533E92] == 1, see 00402C0E).
00402BBC . 66:C705 643>mov word ptr ds:[533E64],0C
00402BC5 . 66:C705 903>mov word ptr ds:[533E90],8
00402BCE . 66:C705 923>mov word ptr ds:[533E92],0
00402BD7 . 68 983E5300 push chemlib.00533E98 ; /Arg9 = 00533E98
00402BDC . 68 963E5300 push chemlib.00533E96 ; |Arg8 = 00533E96
00402BE1 . 68 943E5300 push chemlib.00533E94 ; |Arg7 = 00533E94
00402BE6 . 68 923E5300 push chemlib.00533E92 ; |Arg6 = 00533E92 ASCII "O@"
00402BEB . 68 903E5300 push chemlib.00533E90 ; |Arg5 = 00533E90
00402BF0 . 68 8C3E5300 push chemlib.00533E8C ; |Arg4 = 00533E8C
00402BF5 . 68 883E5300 push chemlib.00533E88 ; |Arg3 = 00533E88
00402BFA . 68 663E5300 push chemlib.00533E66 ; |Arg2 = 00533E66
00402BFF . 66:A1 643E5>mov ax,word ptr ds:[533E64]   ; the following "push eax" (at 00402C05) was omitted from the paste; the call follows at 00402C06
以上有跳转的地方都要改跳,否则会弹出“没有狗”的对话框——程序仍可以用,但有功能限制。自己看啦,不一一标了!
.....................省去一段...................................
; --- continuation of the caller-side check after the third request (excerpt; the enclosing
;     function continues past the end of this listing) ---
00402C06 . E8 454D0400 call chemlib.00447950 ; \chemlib.00447950// post #3: query the attribute of module 8
00402C0B . 83C4 24 add esp,24
; Note: the return value in ax is NOT tested here; the decision is made purely on what the
; driver wrote into the Arg6 buffer [533E92] (initialised to 0 before the call).
00402C0E . 66:833D 923>cmp word ptr ds:[533E92],1 // post #3: is module 8's attribute valid (== 1)?
00402C16 . 75 15 jnz short chemlib.00402C2D // not 1 -> "no dongle" dialog below
00402C18 . 8B95 D4FEFF>mov edx,dword ptr ss:[ebp-12C]   ; edx = object kept in [ebp-12C] (presumably the form/app object; also passed to 4CCEAC below)
00402C1E . C782 700400>mov dword ptr ds:[edx+470],1   ; obj+0x470 = 1 -- presumably the "dongle present" flag the rest of the program consults (confirm)
00402C28 . E9 C1000000 jmp chemlib.00402CEE   ; success -> continue normally
00402C2D > 6A 04 push 4   ; MB_YESNO
00402C2F . 68 10F85000 push chemlib.0050F810   ; caption
00402C34 . 68 DEF75000 push chemlib.0050F7DE   ; text (the "no dongle" message described in post #3)
00402C39 . 8B85 D4FEFF>mov eax,dword ptr ss:[ebp-12C]   ; object passed in eax
00402C3F . E8 68A20C00 call chemlib.004CCEAC   ; returns the owner window handle for the message box
00402C44 . 50 push eax ; |hOwner
00402C45 . E8 D2BF1000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00402C4A . 83F8 07 cmp eax,7   ; IDNO ?
00402C4D . 0F85 9B0000>jnz chemlib.00402CEE   ; anything but "No" rejoins the normal path (post #3: program runs with restricted functionality)
00402C53 . 8B85 D4FEFF>mov eax,dword ptr ss:[ebp-12C]   ; "No" branch -- continues beyond this excerpt
4 楼
谢谢3楼兄弟的分析,402C63 确实是出错的地方。另外在复制时不小心把一些数据遮住了,因此少了一个字节(00)——就是对 533E99 的那一行比较。经你的提示,我今天又分析了一下,大概知道了一点:由于我这软件是从别的机器上直接把安装好的文件夹复制过来的,所以首先在找狗的驱动时就会找不到(rockeynt.sys 并没有在这个安装文件夹中),然后分段读狗的模块也会出错。是这样的意思吗,3楼兄弟?下面是读狗的 call,若兄弟有时间的话,帮我详细地说明一下过程;自己一个人看了半天,有些还不明白,希望得到兄弟的一些指点,谢了!
;-----------------------------------------------------------------------
; chemlib.00447950 -- ROCKEY dongle request wrapper
; Convention: cdecl, 9 dword args (every caller does add esp,24 afterwards).
; In:   [ebp+8]           request selector; only the low word (di) is used,
;                         and 0 is rejected with ax = 8
;       [ebp+C]..[ebp+28] eight dwords copied verbatim into the request
;                         (the caller in post #3 passes pointers into 533Exx)
; Out:  ax = 0 on success, otherwise a non-zero status:
;       0FFFF  SCM open, service start, device open or DeviceIoControl failed
;       2      no driver file to install (NT) / VxD load failed (9x)
;       8      selector was 0
;       any other value is whatever the driver writes into the 2-byte
;       output buffer [ebp-6]
; Globals: [52B854] cached device handle (0 = not opened yet)
;          [52B85C..52B864] 9 bytes copied to [ebp-10..ebp-8] and used as
;          service name / display name (string contents not visible here)
; First-call side effects (only while [52B854] == 0): opens \\.\ROCKEYNT;
;       if that fails, installs system32\drivers\rockeynt.sys as an
;       auto-start kernel driver service and starts it; on Win9x loads
;       rockey9x.vxd instead.
; Review notes (all visible in the listing below):
;  * 00447A5D..00447AE4: when the driver is not in system32\drivers it is
;    CopyFileA'd from the process's CURRENT DIRECTORY and registered with
;    CreateServiceA. There is no origin/signature check and neither the
;    CopyFileA nor the CreateServiceA result is tested, so whoever can
;    place a rockeynt.sys in that directory decides which kernel driver
;    gets loaded.
;  * 0044798E: the cached handle is compared with 0, not with -1. A failed
;    open stores FFFFFFFF in [52B854] (004479C9), so every later call skips
;    the setup and hands INVALID_HANDLE_VALUE to DeviceIoControl (OllyDbg
;    shows "hDevice => FFFFFFFF" at 00447C29) and reports 0FFFF; the dongle
;    is never retried without a restart.
;  * The request sent to the driver carries raw user-mode pointers (Args
;    2..9) and the callers read through them afterwards, so the driver
;    apparently dereferences user pointers -- confirm in the driver.
;  * The caller in post #3 only tests ax and compares returned bytes with
;    constants in the binary; nothing here is hard for a patcher to fake.
;-----------------------------------------------------------------------
00447950 /$ 55 push ebp
00447951 |. 8BEC mov ebp,esp
00447953 |. 81C4 88FDFFFF add esp,-278   ; 0x278 bytes of locals: two 256-byte path buffers, request, packet, status
00447959 |. 8B05 5CB85200 mov eax,dword ptr ds:[52B85C]   ; copy 9 bytes [52B85C..52B864] -> [ebp-10..ebp-8] (service name)
0044795F |. 53 push ebx   ; callee-saved
00447960 |. 56 push esi
00447961 |. 57 push edi
00447962 |. 8B7D 08 mov edi,dword ptr ss:[ebp+8]   ; edi = Arg1 (request selector)
00447965 |. 66:C745 FA 0000 mov word ptr ss:[ebp-6],0   ; status word = 0 (success); doubles as the 2-byte IOCTL output buffer
0044796B |. 8945 F0 mov dword ptr ss:[ebp-10],eax
0044796E |. 8B05 60B85200 mov eax,dword ptr ds:[52B860]
00447974 |. 66:85FF test di,di   ; selector 0 is invalid
00447977 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
0044797A |. 8A05 64B85200 mov al,byte ptr ds:[52B864]
00447980 |. 8845 F8 mov byte ptr ss:[ebp-8],al   ; 9th byte of the name (presumably the NUL terminator)
00447983 |. 75 09 jnz short chemlib.0044798E
00447985 |. 66:B8 0800 mov ax,8   ; return 8: bad selector
00447989 |. E9 AF020000 jmp chemlib.00447C3D
0044798E |> 833D 54B85200 00 cmp dword ptr ds:[52B854],0   ; device already opened? (-1 from a failed open also passes this test)
00447995 |. 0F85 2C020000 jnz chemlib.00447BC7   ; yes -> build and send the request
0044799B |. E8 686B0C00 call <jmp.&KERNEL32.GetVersion>
004479A0 |. 3D 00000080 cmp eax,80000000
004479A5 |. 0F83 B3010000 jnb chemlib.00447B5E   ; high bit set = Win9x/ME -> VxD path
; --- NT path: try the device of an already-running driver ---
004479AB |. 6A 00 push 0 ; /hTemplateFile = NULL
004479AD |. 68 80000000 push 80 ; |Attributes = NORMAL
004479B2 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004479B4 |. 6A 00 push 0 ; |pSecurity = NULL
004479B6 |. 6A 00 push 0 ; |ShareMode = 0
004479B8 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004479BD |. 68 65B85200 push chemlib.0052B865 ; |FileName = "\\.\ROCKEYNT"
004479C2 |. E8 276A0C00 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA
004479C7 |. 8BD8 mov ebx,eax
004479C9 |. 891D 54B85200 mov dword ptr ds:[52B854],ebx   ; cache the handle -- even when it is -1
004479CF |. 83FB FF cmp ebx,-1
004479D2 |. 0F85 EF010000 jnz chemlib.00447BC7   ; opened -> send the request
; --- device missing: install / (re)start the kernel driver service ---
004479D8 |. 68 3F000F00 push 0F003F   ; SC_MANAGER_ALL_ACCESS (needs administrative rights)
004479DD |. 6A 00 push 0
004479DF |. 6A 00 push 0
004479E1 |. E8 C6690C00 call <jmp.&ADVAPI32.OpenSCManagerA>
004479E6 |. 8BD8 mov ebx,eax   ; ebx = hSCM
004479E8 |. 85DB test ebx,ebx
004479EA |. 75 09 jnz short chemlib.004479F5
004479EC |. 66:B8 FFFF mov ax,0FFFF   ; SCM not reachable -> 0FFFF
004479F0 |. E9 48020000 jmp chemlib.00447C3D
004479F5 |> 68 00010000 push 100 ; /BufSize = 100 (256.)
004479FA |. 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178] ; |   ; [ebp-178] = system directory path buffer
00447A00 |. 52 push edx ; |Buffer
00447A01 |. E8 DE6A0C00 call <jmp.&KERNEL32.GetSystemDirecto>; \GetSystemDirectoryA
00447A06 |. 68 72B85200 push chemlib.0052B872 ; /Arg2 = 0052B872 ASCII "\drivers\rockeynt.sys"
00447A0B |. 8D8D 88FEFFFF lea ecx,dword ptr ss:[ebp-178] ; |
00447A11 |. 51 push ecx ; |Arg1
00447A12 |. E8 75B20B00 call chemlib.00502C8C ; \chemlib.00502C8C   ; presumably strcat(sysdir, "\drivers\rockeynt.sys") -- not verified
00447A17 |. 83C4 08 add esp,8
00447A1A |. 6A 00 push 0
00447A1C |. 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-178]
00447A22 |. 50 push eax
00447A23 |. E8 B8C60B00 call chemlib.005040E0   ; presumably _access(path, 0): returns -1 when the file is missing -- not verified
00447A28 |. 83C4 08 add esp,8
00447A2B |. 40 inc eax   ; eax == -1 ?
00447A2C |. 74 2F je short chemlib.00447A5D   ; driver not in system32\drivers -> fetch it from the current directory
; driver file present: stop and delete any existing service so it can be re-created below
00447A2E |. 68 FF010F00 push 0F01FF   ; SERVICE_ALL_ACCESS
00447A33 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]   ; service name
00447A36 |. 52 push edx
00447A37 |. 53 push ebx
00447A38 |. E8 75690C00 call <jmp.&ADVAPI32.OpenServiceA>
00447A3D |. 8BF0 mov esi,eax   ; esi = hService
00447A3F |. 85F6 test esi,esi
00447A41 |. 74 77 je short chemlib.00447ABA   ; not registered yet -> create it
00447A43 |. 8D45 88 lea eax,dword ptr ss:[ebp-78]   ; SERVICE_STATUS out buffer
00447A46 |. 50 push eax
00447A47 |. 6A 01 push 1   ; SERVICE_CONTROL_STOP
00447A49 |. 56 push esi
00447A4A |. E8 4B690C00 call <jmp.&ADVAPI32.ControlService>
00447A4F |. 56 push esi
00447A50 |. E8 51690C00 call <jmp.&ADVAPI32.DeleteService>
00447A55 |. 56 push esi
00447A56 |. E8 39690C00 call <jmp.&ADVAPI32.CloseServiceHand>
00447A5B |. EB 5D jmp short chemlib.00447ABA
; driver file missing: look for rockeynt.sys next to the program and copy it into system32\drivers
00447A5D |> 8D95 88FDFFFF lea edx,dword ptr ss:[ebp-278]   ; [ebp-278] = current directory path buffer
00447A63 |. 52 push edx ; /Buffer
00447A64 |. 68 00010000 push 100 ; |BufSize = 100 (256.)
00447A69 |. E8 FE690C00 call <jmp.&KERNEL32.GetCurrentDirect>; \GetCurrentDirectoryA
00447A6E |. 68 88B85200 push chemlib.0052B888 ; /Arg2 = 0052B888 ASCII "\rockeynt.sys"
00447A73 |. 8D8D 88FDFFFF lea ecx,dword ptr ss:[ebp-278] ; |
00447A79 |. 51 push ecx ; |Arg1
00447A7A |. E8 0DB20B00 call chemlib.00502C8C ; \chemlib.00502C8C   ; presumably strcat(cwd, "\rockeynt.sys")
00447A7F |. 83C4 08 add esp,8
00447A82 |. 6A 00 push 0
00447A84 |. 8D85 88FDFFFF lea eax,dword ptr ss:[ebp-278]
00447A8A |. 50 push eax
00447A8B |. E8 50C60B00 call chemlib.005040E0   ; presumably _access(cwd\rockeynt.sys, 0)
00447A90 |. 83C4 08 add esp,8
00447A93 |. 40 inc eax
00447A94 |. 75 0F jnz short chemlib.00447AA5   ; file exists -> copy it
00447A96 |. 53 push ebx
00447A97 |. E8 F8680C00 call <jmp.&ADVAPI32.CloseServiceHand>
00447A9C |. 66:B8 0200 mov ax,2   ; return 2: no driver file anywhere (post #4's situation: folder copied without rockeynt.sys)
00447AA0 |. E9 98010000 jmp chemlib.00447C3D
00447AA5 |> 6A 00 push 0 ; /FailIfExists = FALSE   ; overwrites whatever is in system32\drivers
00447AA7 |. 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178] ; |
00447AAD |. 52 push edx ; |NewFileName
00447AAE |. 8D8D 88FDFFFF lea ecx,dword ptr ss:[ebp-278] ; |
00447AB4 |. 51 push ecx ; |ExistingFileName
00447AB5 |. E8 22690C00 call <jmp.&KERNEL32.CopyFileA> ; \CopyFileA   ; result ignored; file taken from the current directory unchecked
; register the driver as an auto-start kernel service and start it
00447ABA |> 6A 00 push 0 ; /Password = NULL
00447ABC |. 6A 00 push 0 ; |ServiceStartName = NULL
00447ABE |. 6A 00 push 0 ; |pDependencies = NULL
00447AC0 |. 6A 00 push 0 ; |pTagId = NULL
00447AC2 |. 6A 00 push 0 ; |LoadOrderGroup = NULL
00447AC4 |. 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-178] ; |   ; system32\drivers\rockeynt.sys
00447ACA |. 50 push eax ; |BinaryPathName
00447ACB |. 6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
00447ACD |. 6A 02 push 2 ; |StartType = SERVICE_AUTO_START
00447ACF |. 6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER
00447AD1 |. 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
00447AD6 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10] ; |
00447AD9 |. 52 push edx ; |DisplayName
00447ADA |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; |
00447ADD |. 51 push ecx ; |ServiceName
00447ADE |. 53 push ebx ; |hManager
00447ADF |. E8 BC680C00 call <jmp.&ADVAPI32.CreateServiceA> ; \CreateServiceA   ; returned handle / failure not checked
00447AE4 |. 68 FF010F00 push 0F01FF
00447AE9 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00447AEC |. 50 push eax
00447AED |. 53 push ebx
00447AEE |. E8 BF680C00 call <jmp.&ADVAPI32.OpenServiceA>
00447AF3 |. 8BF0 mov esi,eax
00447AF5 |. 6A 00 push 0
00447AF7 |. 6A 00 push 0
00447AF9 |. 56 push esi
00447AFA |. E8 CB680C00 call <jmp.&ADVAPI32.StartServiceA>
00447AFF |. 85C0 test eax,eax
00447B01 |. 75 06 jnz short chemlib.00447B09
00447B03 |. 66:C745 FA FFFF mov word ptr ss:[ebp-6],0FFFF   ; start failed -> status 0FFFF
00447B09 |> 56 push esi
00447B0A |. E8 85680C00 call <jmp.&ADVAPI32.CloseServiceHand>
00447B0F |. 53 push ebx
00447B10 |. E8 7F680C00 call <jmp.&ADVAPI32.CloseServiceHand>
00447B15 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms   ; give the driver a second to create its device
00447B1A |. E8 D36A0C00 call <jmp.&KERNEL32.Sleep> ; \Sleep
00447B1F |. 6A 00 push 0 ; /hTemplateFile = NULL
00447B21 |. 68 80000000 push 80 ; |Attributes = NORMAL
00447B26 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00447B28 |. 6A 00 push 0 ; |pSecurity = NULL
00447B2A |. 6A 00 push 0 ; |ShareMode = 0
00447B2C |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00447B31 |. 68 96B85200 push chemlib.0052B896 ; |FileName = "\\.\ROCKEYNT"
00447B36 |. E8 B3680C00 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA   ; second attempt after the service start
00447B3B |. 8BD8 mov ebx,eax
00447B3D |. 891D 54B85200 mov dword ptr ds:[52B854],ebx
00447B43 |. 83FB FF cmp ebx,-1
00447B46 |. 75 06 jnz short chemlib.00447B4E
00447B48 |. 66:C745 FA FFFF mov word ptr ss:[ebp-6],0FFFF   ; still no device -> 0FFFF
00447B4E |> 66:837D FA 00 cmp word ptr ss:[ebp-6],0
00447B53 |. 74 72 je short chemlib.00447BC7   ; setup ok -> send the request
00447B55 |. 66:8B45 FA mov ax,word ptr ss:[ebp-6]   ; return the setup error
00447B59 |. E9 DF000000 jmp chemlib.00447C3D
; --- Win9x/ME path ---
00447B5E |> 6A 00 push 0 ; /hTemplateFile = NULL
00447B60 |. 68 80000000 push 80 ; |Attributes = NORMAL
00447B65 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00447B67 |. 6A 00 push 0 ; |pSecurity = NULL
00447B69 |. 6A 00 push 0 ; |ShareMode = 0
00447B6B |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00447B70 |. 68 A3B85200 push chemlib.0052B8A3 ; |FileName = "\\.\ROCKEY9X"
00447B75 |. E8 74680C00 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA   ; device of an already-loaded VxD
00447B7A |. 8BD8 mov ebx,eax
00447B7C |. 891D 54B85200 mov dword ptr ds:[52B854],ebx
00447B82 |. 83FB FF cmp ebx,-1
00447B85 |. 75 40 jnz short chemlib.00447BC7
00447B87 |. 6A 00 push 0 ; /hTemplateFile = NULL
00447B89 |. 68 00000004 push 4000000 ; |Attributes = DELETE_ON_CLOSE
00447B8E |. 6A 01 push 1 ; |Mode = CREATE_NEW
00447B90 |. 6A 00 push 0 ; |pSecurity = NULL
00447B92 |. 6A 00 push 0 ; |ShareMode = 0
00447B94 |. 6A 00 push 0 ; |Access = 0
00447B96 |. 68 B0B85200 push chemlib.0052B8B0 ; |FileName = "\\.\rockey9x.vxd"
00447B9B |. E8 4E680C00 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA   ; CreateFile on \\.\name.vxd is the Win9x idiom for dynamically loading a VxD
00447BA0 |. 8BD8 mov ebx,eax
00447BA2 |. 891D 54B85200 mov dword ptr ds:[52B854],ebx
00447BA8 |. 83FB FF cmp ebx,-1
00447BAB |. 75 1A jnz short chemlib.00447BC7
00447BAD |. E8 F0680C00 call <jmp.&KERNEL32.GetLastError> ; [GetLastError
00447BB2 |. 83F8 32 cmp eax,32   ; 0x32 = ERROR_NOT_SUPPORTED (50)
00447BB5 |. 75 0A jnz short chemlib.00447BC1
00447BB7 |. 68 C1B85200 push chemlib.0052B8C1 ; /FileName = "\\.\ROCKEY9X"
00447BBC |. E8 45680C00 call <jmp.&KERNEL32.DeleteFileA> ; \DeleteFileA   ; appears to be the matching "unload VxD" idiom
00447BC1 |> 66:B8 0200 mov ax,2   ; return 2: VxD could not be loaded
00447BC5 |. EB 76 jmp short chemlib.00447C3D
; --- build the request: [ebp-34] = selector (zero-extended di), [ebp-30..ebp-14] = Arg2..Arg9 (9 dwords) ---
00447BC7 |> 0FB7D7 movzx edx,di
00447BCA |. 8955 CC mov dword ptr ss:[ebp-34],edx
00447BCD |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
00447BD0 |. 894D D0 mov dword ptr ss:[ebp-30],ecx
00447BD3 |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
00447BD6 |. 8945 D4 mov dword ptr ss:[ebp-2C],eax
00447BD9 |. 8B55 14 mov edx,dword ptr ss:[ebp+14]
00447BDC |. 8955 D8 mov dword ptr ss:[ebp-28],edx
00447BDF |. 8B4D 18 mov ecx,dword ptr ss:[ebp+18]
00447BE2 |. 894D DC mov dword ptr ss:[ebp-24],ecx
00447BE5 |. 8B45 1C mov eax,dword ptr ss:[ebp+1C]
00447BE8 |. 8945 E0 mov dword ptr ss:[ebp-20],eax
00447BEB |. 8B55 20 mov edx,dword ptr ss:[ebp+20]
00447BEE |. 8955 E4 mov dword ptr ss:[ebp-1C],edx
00447BF1 |. 8D55 A4 lea edx,dword ptr ss:[ebp-5C]   ; edx = 40-byte packet buffer [ebp-5C..ebp-34)
00447BF4 |. 8B4D 24 mov ecx,dword ptr ss:[ebp+24]
00447BF7 |. 894D E8 mov dword ptr ss:[ebp-18],ecx
00447BFA |. 8D4D CC lea ecx,dword ptr ss:[ebp-34]   ; ecx = raw request
00447BFD |. 8B45 28 mov eax,dword ptr ss:[ebp+28]
00447C00 |. 8945 EC mov dword ptr ss:[ebp-14],eax
00447C03 |. 52 push edx ; /Arg2   ; out: packet
00447C04 |. 51 push ecx ; |Arg1   ; in: request
00447C05 |. E8 26FBFFFF call chemlib.00447730 ; \chemlib.00447730   ; presumably packs/encodes the request into the IOCTL input -- not shown here
00447C0A |. 83C4 08 add esp,8
00447C0D |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00447C10 |. 8D55 FA lea edx,dword ptr ss:[ebp-6]
00447C13 |. 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00447C16 |. 6A 00 push 0 ; /pOverlapped = NULL
00447C18 |. 50 push eax ; |pBytesReturned
00447C19 |. 6A 02 push 2 ; |OutBufferSize = 2   ; driver writes its status word into [ebp-6]
00447C1B |. 52 push edx ; |OutBuffer
00447C1C |. 6A 28 push 28 ; |InBufferSize = 28 (40.)
00447C1E |. 51 push ecx ; |InBuffer
00447C1F |. A1 54B85200 mov eax,dword ptr ds:[52B854] ; |   ; cached handle (may be -1, see header note)
00447C24 |. 68 00E410A4 push A410E400 ; |IoControlCode = A410E400   ; = CTL_CODE(0xA410, 0x900, METHOD_BUFFERED, FILE_READ_ACCESS|FILE_WRITE_ACCESS)
00447C29 |. 50 push eax ; |hDevice => FFFFFFFF
00447C2A |. E8 DD670C00 call <jmp.&KERNEL32.DeviceIoControl> ; \DeviceIoControl
00447C2F |. 85C0 test eax,eax
00447C31 |. 75 06 jnz short chemlib.00447C39
00447C33 |. 66:B8 FFFF mov ax,0FFFF   ; I/O failed -> 0FFFF
00447C37 |. EB 04 jmp short chemlib.00447C3D
00447C39 |> 66:8B45 FA mov ax,word ptr ss:[ebp-6]   ; ax = driver status word (0 = success)
00447C3D |> 5F pop edi   ; common exit: ax already holds the result
00447C3E |. 5E pop esi
00447C3F |. 5B pop ebx
00447C40 |. 8BE5 mov esp,ebp
00447C42 |. 5D pop ebp
00447C43 \. C3 retn
5 楼
; --- tail of chemlib.00447950 quoted again by post #5 (same bytes as in post #4's listing) ---
00447C2F |. 85C0 test eax,eax   ; DeviceIoControl succeeded?
00447C31 |. 75 06 jnz short chemlib.00447C39
00447C33 |. 66:B8 FFFF mov ax,0FFFF   ; I/O failed -> 0FFFF
00447C37 |. EB 04 jmp short chemlib.00447C3D
00447C39 |> 66:8B45 FA mov ax,word ptr ss:[ebp-6]   ; ax = driver status word; 0 = success per post #3
00447C3D |> 5F pop edi   ; common exit
00447C3E |. 5E pop esi
00447C3F |. 5B pop ebx
00447C40 |. 8BE5 mov esp,ebp
00447C42 |. 5D pop ebp
00447C43 \. C3 retn
这里 ax 返回 0 即为有狗(3 楼注释“返回0成功”),也就解决了读狗的问题。
00447C39 |> 66:8B45 FA mov ax,word ptr ss:[ebp-6]
程序后面还有一些比较(3 楼列出的那几处 cmp),让这个 call 直接返回正确的值即可;都是现成的比较,比较好搞的。