[Old post] Help: program loaded in OD exits after running
Posted on: 2010-12-23 11:00
After loading the program in OD and running it with F9, it exits on its own.
PEiD shows no packer: Microsoft Visual C++ 6.0.
Could an expert please take a look?
The program entry code is as follows:
00491B11 >/$ 55 PUSH EBP
00491B12 |. 8BEC MOV EBP,ESP
00491B14 |. 6A FF PUSH -1
00491B16 |. 68 70776700 PUSH 试试看.00677770
00491B1B |. 68 5C424900 PUSH 试试看.0049425C ; SE 处理程序安装
00491B20 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00491B26 |. 50 PUSH EAX
00491B27 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00491B2E |. 83EC 58 SUB ESP,58
00491B31 |. 53 PUSH EBX
00491B32 |. 56 PUSH ESI
00491B33 |. 57 PUSH EDI
00491B34 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00491B37 |. FF15 54234B00 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
00491B3D |. 33D2 XOR EDX,EDX
00491B3F |. 8AD4 MOV DL,AH
00491B41 |. 8915 A0D56A00 MOV DWORD PTR DS:[6AD5A0],EDX
00491B47 |. 8BC8 MOV ECX,EAX
00491B49 |. 81E1 FF000000 AND ECX,0FF
00491B4F |. 890D 9CD56A00 MOV DWORD PTR DS:[6AD59C],ECX
00491B55 |. C1E1 08 SHL ECX,8
00491B58 |. 03CA ADD ECX,EDX
00491B5A |. 890D 98D56A00 MOV DWORD PTR DS:[6AD598],ECX
00491B60 |. C1E8 10 SHR EAX,10
00491B63 |. A3 94D56A00 MOV DWORD PTR DS:[6AD594],EAX
00491B68 |. 6A 01 PUSH 1
00491B6A |. E8 E74A0000 CALL 试试看.00496656
Searching for EXIT in the KERNEL32 module gives the following:
00452C5E . 50 PUSH EAX ; /hWnd
00452C5F . FF15 EC234B00 CALL DWORD PTR DS:[<&USER32.IsWindow>] ; \IsWindow
00452C65 . 85C0 TEST EAX,EAX
00452C67 . 74 15 JE SHORT 试试看.00452C7E
00452C69 . 8B86 F0030000 MOV EAX,DWORD PTR DS:[ESI+3F0]
00452C6F . 6A 00 PUSH 0 ; /lParam = 0
00452C71 . 57 PUSH EDI ; |wParam
00452C72 . 68 E7830000 PUSH 83E7 ; |Message = MSG(83E7)
00452C77 . 50 PUSH EAX ; |hWnd
00452C78 . FF15 E0234B00 CALL DWORD PTR DS:[<&USER32.SendMessageA>; \SendMessageA
00452C7E > 8B86 28040000 MOV EAX,DWORD PTR DS:[ESI+428]
00452C84 . 85C0 TEST EAX,EAX
00452C86 . 0F85 12030000 JNZ 试试看.00452F9E
00452C8C . 57 PUSH EDI ; /ExitCode
00452C8D . FF15 74224B00 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
00452C93 . 5F POP EDI
00452C94 . 5E POP ESI
00452C95 . 5B POP EBX
00452C96 . 8BE5 MOV ESP,EBP
00452C98 . 5D POP EBP
00452C99 . C2 0400 RETN 4
00452C9C > 8BCE MOV ECX,ESI
****************************************************
0045A68E CC INT3
0045A68F CC INT3
0045A690 /$ 55 PUSH EBP
0045A691 |. 8BEC MOV EBP,ESP
0045A693 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0045A696 |. 50 PUSH EAX
0045A697 |. B9 98C96900 MOV ECX,试试看.0069C998
0045A69C |. E8 7F85FFFF CALL 试试看.00452C20
0045A6A1 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0045A6A4 |. 51 PUSH ECX ; /ExitCode
0045A6A5 \. FF15 74224B00 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
0045A6AB . 5D POP EBP
0045A6AC . C3 RETN
0045A6AD CC INT3
0045A6AE CC INT3
****************************************
00491C3D \. C3 RETN
00491C3E /$ 833D 68D56A00>CMP DWORD PTR DS:[6AD568],1
00491C45 |. 75 05 JNZ SHORT 试试看.00491C4C
00491C47 |. E8 674A0000 CALL 试试看.004966B3
00491C4C |> FF7424 04 PUSH DWORD PTR SS:[ESP+4]
00491C50 |. E8 974A0000 CALL 试试看.004966EC
00491C55 |. 59 POP ECX
00491C56 |. 68 FF000000 PUSH 0FF ; /ExitCode = FF
00491C5B \. FF15 74224B00 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
00491C61 . C3 RETN
00491C62 . E8 13000000 CALL 试试看.00491C7A
00491C67 . E8 234C0000 CALL 试试看.0049688F
00491C6C . A3 70D56A00 MOV DWORD PTR DS:[6AD570],EAX
00491C71 . E8 C94B0000 CALL 试试看.0049683F
00491C76 . DBE2 FCLEX
00491C78 . C3 RETN
*********************************
0049502C |. 5F POP EDI
0049502D |. C3 RETN
0049502E |> FF7424 08 PUSH DWORD PTR SS:[ESP+8] ; /ExitCode
00495032 |. 893D D0D56A00 MOV DWORD PTR DS:[6AD5D0],EDI ; |
00495038 \. FF15 74224B00 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
0049503E . 5F POP EDI
0049503F . C3 RETN
00495040 /$ 6A 0D PUSH 0D
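Editor's note on the entry stub quoted above: the block from 00491B37 to 00491B63 (the call to kernel32.GetVersion followed by the shifts and masks into DS:[6AD5A0], DS:[6AD59C], DS:[6AD598] and DS:[6AD594]) is the standard Visual C++ 6.0 CRT startup splitting the GetVersion result into its global version variables, not application code, so it is not where the exit originates. The C example below is added here and is not code from the post or from the analysed program; it replays that exact instruction sequence on a constructed input so the four stored values can be read back and checked. The CRT variable names in the comments are my identification, and the sample value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* The four globals the entry stub writes. The CRT names in the comments
 * (_winminor, _winmajor, _winver, _osver) are the editor's identification
 * of what those addresses hold, not labels taken from the listing. */
typedef struct {
    uint32_t winminor; /* DS:[6AD5A0] <- EDX = AH               (_winminor) */
    uint32_t winmajor; /* DS:[6AD59C] <- ECX = EAX & 0FF        (_winmajor) */
    uint32_t winver;   /* DS:[6AD598] <- (major << 8) + minor   (_winver)   */
    uint32_t osver;    /* DS:[6AD594] <- EAX >> 10h             (_osver)    */
} crt_version_t;

/* Replays 00491B3D..00491B63 on a value shaped like GetVersion()'s return:
 * low byte = major version, next byte = minor version, high word = build
 * number (with the platform bit in bit 31). */
crt_version_t decode_getversion(uint32_t eax)
{
    crt_version_t v;
    uint32_t edx = (eax >> 8) & 0xFF;   /* XOR EDX,EDX ; MOV DL,AH        */
    v.winminor = edx;                   /* MOV [6AD5A0],EDX               */
    uint32_t ecx = eax & 0xFF;          /* MOV ECX,EAX ; AND ECX,0FF      */
    v.winmajor = ecx;                   /* MOV [6AD59C],ECX               */
    ecx = (ecx << 8) + edx;             /* SHL ECX,8 ; ADD ECX,EDX        */
    v.winver = ecx;                     /* MOV [6AD598],ECX               */
    v.osver = eax >> 16;                /* SHR EAX,10 ; MOV [6AD594],EAX  */
    return v;
}

int main(void)
{
    /* Constructed sample: the value GetVersion() returns on Windows XP
     * (version 5.1, build 2600 = 0A28h), i.e. 0A280105h. */
    uint32_t sample = 0x0A280105u;
    crt_version_t v = decode_getversion(sample);
    printf("major=%u minor=%u winver=0x%04X build=%u\n",
           v.winmajor, v.winminor, v.winver, v.osver);
    return 0;
}
```

Reading the four globals in the dump window after the CALL at 00491B37 and comparing them with this decoding confirms the stub ran normally; the real exit is reached later, through the ExitProcess call sites the poster already located.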