特点如下:
1) 试用次数记录在 0 号物理驱动器第 62 扇区,即使 重装系统,也不会被覆盖
2) 启动进程 A.exe,伪装进程 B.exe,实际进程 C.dat, B 和 C 同名
A ---> 读取 C,在内存中解密[ C 其实是个 加UPX壳 的 exe]
---> 创建 B,挂起,得到B的主线程环境
|
|_> 在 B 的空间里,写入 C,随后,修改 B 的主线程环境,使得 EIP 为 C 的入口
|_> 启动 B 的主线程(实际上是运行 C)
===============================================================================
Part 1 : rsRSWBSW.exe
===============================================================================
00401DA0 /$ 81EC CC020000 sub esp, 2CC ; 加载 "RSWBSW.dat\FGHIJKLMNOP"
00401DA6 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401DAB |. 33C4 xor eax, esp
00401DAD |. 898424 C80200>mov dword ptr [esp+2C8], eax
00401DB4 |. 56 push esi
00401DB5 |. 57 push edi
00401DB6 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401DBB |. 8D8424 D00100>lea eax, dword ptr [esp+1D0] ; |
00401DC2 |. 50 push eax ; |PathBuffer
00401DC3 |. 6A 00 push 0 ; |hModule = NULL
00401DC5 |. C74424 18 000>mov dword ptr [esp+18], 0 ; |
00401DCD |. FF15 10904000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401DD3 |. 8D8C24 CC0100>lea ecx, dword ptr [esp+1CC]
00401DDA |. 6A 5C push 5C
00401DDC |. 51 push ecx
00401DDD |. E8 AA080000 call 0040268C
00401DE2 |. 8DBC24 D40100>lea edi, dword ptr [esp+1D4]
00401DE9 |. 83C4 08 add esp, 8
00401DEC |. C640 01 00 mov byte ptr [eax+1], 0
00401DF0 |. 83C7 FF add edi, -1
00401DF3 |> 8A47 01 /mov al, byte ptr [edi+1]
00401DF6 |. 83C7 01 |add edi, 1
00401DF9 |. 84C0 |test al, al
00401DFB |.^ 75 F6 \jnz short 00401DF3
00401DFD |. B9 05000000 mov ecx, 5
00401E02 |. BE EC944000 mov esi, 004094EC ; ASCII "RSWBSW.dat\FGHIJKLMNOP"
00401E07 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401E09 |. 66:A5 movs word ptr es:[edi], word ptr [esi>
00401E0B |. 8D9424 CC0100>lea edx, dword ptr [esp+1CC]
00401E12 |. 6A 5C push 5C
00401E14 |. 52 push edx
00401E15 |. A4 movs byte ptr es:[edi], byte ptr [esi>
00401E16 |. E8 71080000 call 0040268C
00401E1B |. 83C4 08 add esp, 8 ; 加载 RSWBSW.dat\FGHIJKLMNOP
00401E1E |. 6A 00 push 0 ; /hTemplateFile = NULL
00401E20 |. 6A 01 push 1 ; |Attributes = READONLY
00401E22 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401E24 |. 6A 00 push 0 ; |pSecurity = NULL
00401E26 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401E28 |. C600 00 mov byte ptr [eax], 0 ; |
00401E2B |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401E30 |. 8D8424 E40100>lea eax, dword ptr [esp+1E4] ; |
00401E37 |. 50 push eax ; |FileName
00401E38 |. FF15 48904000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00401E3E |. 8BF0 mov esi, eax
00401E40 |. 83FE FF cmp esi, -1
00401E43 |. 0F84 F4020000 je 0040213D
00401E49 |. 53 push ebx
00401E4A |. 55 push ebp
00401E4B |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00401E4F |. 51 push ecx ; /pFileSizeHigh
00401E50 |. 56 push esi ; |hFile
00401E51 |. FF15 44904000 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00401E57 |. 8BE8 mov ebp, eax
00401E59 |. 55 push ebp
00401E5A |. E8 9E080000 call 004026FD
00401E5F |. 55 push ebp
00401E60 |. 8BF8 mov edi, eax
00401E62 |. 6A 00 push 0
00401E64 |. 57 push edi
00401E65 |. 897C24 20 mov dword ptr [esp+20], edi
00401E69 |. E8 62060000 call 004024D0
00401E6E |. 83C4 10 add esp, 10
00401E71 |. 6A 00 push 0 ; /pOverlapped = NULL
00401E73 |. 8D5424 18 lea edx, dword ptr [esp+18] ; |
00401E77 |. 52 push edx ; |pBytesRead
00401E78 |. 55 push ebp ; |BytesToRead
00401E79 |. 57 push edi ; |Buffer
00401E7A |. 56 push esi ; |hFile
00401E7B |. FF15 40904000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00401E81 |. 56 push esi ; /hObject
00401E82 |. FF15 3C904000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
构造解密数据:
00401E88 |. B0 09 mov al, 9
00401E8A |. B1 02 mov cl, 2
00401E8C |. B2 08 mov dl, 8
00401E8E |. B3 07 mov bl, 7
00401E90 |. 888424 540100>mov byte ptr [esp+154], al
00401E97 |. C68424 550100>mov byte ptr [esp+155], 1
00401E9F |. 889424 560100>mov byte ptr [esp+156], dl
00401EA6 |. 888424 570100>mov byte ptr [esp+157], al
00401EAD |. C68424 580100>mov byte ptr [esp+158], 0
00401EB5 |. 888C24 590100>mov byte ptr [esp+159], cl
00401EBC |. 889C24 5A0100>mov byte ptr [esp+15A], bl
00401EC3 |. 888424 5B0100>mov byte ptr [esp+15B], al
00401ECA |. 888C24 5C0100>mov byte ptr [esp+15C], cl
00401ED1 |. 889424 5D0100>mov byte ptr [esp+15D], dl
00401ED8 |. C68424 5E0100>mov byte ptr [esp+15E], 4
00401EE0 |. C68424 5F0100>mov byte ptr [esp+15F], 5
00401EE8 |. 888C24 600100>mov byte ptr [esp+160], cl
00401EEF |. 889C24 610100>mov byte ptr [esp+161], bl
00401EF6 |. 888424 620100>mov byte ptr [esp+162], al
00401EFD |. C68424 630100>mov byte ptr [esp+163], 6
00401F05 |. 889424 640100>mov byte ptr [esp+164], dl
00401F0C |. 888424 650100>mov byte ptr [esp+165], al
00401F13 |. 889C24 660100>mov byte ptr [esp+166], bl
00401F1A |. 888C24 670100>mov byte ptr [esp+167], cl
00401F21 |. 889424 680100>mov byte ptr [esp+168], dl
00401F28 |. 888424 690100>mov byte ptr [esp+169], al
00401F2F |. C68424 6A0100>mov byte ptr [esp+16A], 1
00401F37 |. 889424 6B0100>mov byte ptr [esp+16B], dl
00401F3E |. 888424 6C0100>mov byte ptr [esp+16C], al
00401F45 |. C68424 6D0100>mov byte ptr [esp+16D], 1
00401F4D |. 888C24 6E0100>mov byte ptr [esp+16E], cl
00401F54 |. 889C24 6F0100>mov byte ptr [esp+16F], bl
00401F5B |. 888424 700100>mov byte ptr [esp+170], al
00401F62 |. C68424 710100>mov byte ptr [esp+171], 1
00401F6A |. 889424 720100>mov byte ptr [esp+172], dl
00401F71 |. 888424 730100>mov byte ptr [esp+173], al
00401F78 |. 888C24 740100>mov byte ptr [esp+174], cl
00401F7F |. 888C24 750100>mov byte ptr [esp+175], cl
00401F86 |. C68424 760100>mov byte ptr [esp+176], 5
00401F8E |. 888424 770100>mov byte ptr [esp+177], al
00401F95 |. 888C24 780100>mov byte ptr [esp+178], cl
00401F9C |. C68424 790100>mov byte ptr [esp+179], 6
00401FA4 |. C68424 7A0100>mov byte ptr [esp+17A], 4
00401FAC |. C68424 7B0100>mov byte ptr [esp+17B], 5
00401FB4 |. 888C24 7C0100>mov byte ptr [esp+17C], cl
00401FBB |. 889C24 7D0100>mov byte ptr [esp+17D], bl
00401FC2 |. 888424 7E0100>mov byte ptr [esp+17E], al
00401FC9 |. C68424 7F0100>mov byte ptr [esp+17F], 6
00401FD1 |. 889424 800100>mov byte ptr [esp+180], dl
00401FD8 |. 888424 810100>mov byte ptr [esp+181], al
00401FDF |. 889C24 820100>mov byte ptr [esp+182], bl
00401FE6 |. 888C24 830100>mov byte ptr [esp+183], cl
00401FED |. 889424 840100>mov byte ptr [esp+184], dl
00401FF4 |. 888424 850100>mov byte ptr [esp+185], al
00401FFB |. C68424 860100>mov byte ptr [esp+186], 1
00402003 |. 889424 870100>mov byte ptr [esp+187], dl
0040200A |. 33C0 xor eax, eax
0040200C |. 85ED test ebp, ebp
0040200E |. 889424 880100>mov byte ptr [esp+188], dl
00402015 |. C68424 890100>mov byte ptr [esp+189], 1
0040201D |. 888C24 8A0100>mov byte ptr [esp+18A], cl
00402024 |. 889C24 8B0100>mov byte ptr [esp+18B], bl
0040202B |. 898424 8C0100>mov dword ptr [esp+18C], eax
00402032 |. 898424 900100>mov dword ptr [esp+190], eax
解密数据:
0012FDB4 09 01 08 09 00 02 07 09 02 08 04 05 02 07 09 06 .....
0012FDC4 08 09 07 02 08 09 01 08 09 01 02 07 09 01 08 09 .....
0012FDD4 02 02 05 09 02 06 04 05 02 07 09 06 08 09 07 02 ...
0012FDE4 08 09 01 08 08 01 02 07 00 00 00 00 00 00 00 00 .........
解密过程:
00402039 |. 76 65 jbe short 004020A0
0040203B |. 8D45 FF lea eax, dword ptr [ebp-1] ; 获取 文件长度
0040203E |. C1E8 06 shr eax, 6 ; 64字节块个数
00402041 |. 83C0 01 add eax, 1
00402044 |. 8BDF mov ebx, edi
00402046 |. 894424 18 mov dword ptr [esp+18], eax
0040204A |. 8D9B 00000000 lea ebx, dword ptr [ebx] ; 解密 RSWBSW.dat\FGHIJKLMNOP
00402050 |> 8D8424 540100>/lea eax, dword ptr [esp+154]
00402057 |. B9 10000000 |mov ecx, 10
0040205C |. 8BF3 |mov esi, ebx
0040205E |. 8DBC24 940100>|lea edi, dword ptr [esp+194]
00402065 |. 50 |push eax
00402066 |. F3:A5 |rep movs dword ptr es:[edi], dword >
00402068 |. E8 93EFFFFF |call 00401000
0040206D |. 8D8C24 980100>|lea ecx, dword ptr [esp+198]
00402074 |. 6A 01 |push 1
00402076 |. 51 |push ecx
00402077 |. 8BD1 |mov edx, ecx
00402079 |. 52 |push edx
0040207A |. E8 51F3FFFF |call 004013D0
0040207F |. 8BFB |mov edi, ebx
00402081 |. 83C4 10 |add esp, 10
00402084 |. B9 10000000 |mov ecx, 10
00402089 |. 8DB424 940100>|lea esi, dword ptr [esp+194]
00402090 |. 83C3 40 |add ebx, 40
00402093 |. 836C24 18 01 |sub dword ptr [esp+18], 1
00402098 |. F3:A5 |rep movs dword ptr es:[edi], dword >; RSWBSW.dat N 字节解密完成
0040209A |.^ 75 B4 \jnz short 00402050
0040209C |. 8B7C24 10 mov edi, dword ptr [esp+10] ; 解密完成!
004020A0 |> 85FF test edi, edi
004020A2 |. 0F84 93000000 je 0040213B
注: 解密完成后,可以将解密后的数据 保存为 .exe 文件 创建进程 RSWBSW.exe\K0123456789,并挂起:
00401A30 /$ 81EC 70010000 sub esp, 170
00401A36 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401A3B |. 33C4 xor eax, esp
00401A3D |. 898424 6C0100>mov dword ptr [esp+16C], eax
00401A44 |. 8B8424 7C0100>mov eax, dword ptr [esp+17C]
00401A4B |. 53 push ebx
00401A4C |. 8B9C24 7C0100>mov ebx, dword ptr [esp+17C]
00401A53 |. 55 push ebp
00401A54 |. 8BAC24 7C0100>mov ebp, dword ptr [esp+17C]
00401A5B |. 56 push esi
00401A5C |. 57 push edi
00401A5D |. 6A 40 push 40
00401A5F |. 8D4C24 3C lea ecx, dword ptr [esp+3C]
00401A63 |. 6A 00 push 0
00401A65 |. 51 push ecx
00401A66 |. 894424 1C mov dword ptr [esp+1C], eax
00401A6A |. C74424 40 000>mov dword ptr [esp+40], 0
00401A72 |. E8 590A0000 call 004024D0
00401A77 |. 83C4 0C add esp, 0C
00401A7A |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401A7F |. 8D5424 7C lea edx, dword ptr [esp+7C] ; |
00401A83 |. 52 push edx ; |PathBuffer
00401A84 |. 6A 00 push 0 ; |hModule = NULL
00401A86 |. FF15 10904000 call dword ptr [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
00401A8C |. 8D4424 78 lea eax, dword ptr [esp+78]
00401A90 |. 6A 5C push 5C
00401A92 |. 50 push eax
00401A93 |. E8 F40B0000 call 0040268C
00401A98 |. 8DBC24 800000>lea edi, dword ptr [esp+80]
00401A9F |. 83C4 08 add esp, 8
00401AA2 |. C640 01 00 mov byte ptr [eax+1], 0
00401AA6 |. 83C7 FF add edi, -1
00401AA9 |. 8DA424 000000>lea esp, dword ptr [esp]
00401AB0 |> 8A47 01 /mov al, byte ptr [edi+1]
00401AB3 |. 83C7 01 |add edi, 1
00401AB6 |. 84C0 |test al, al
00401AB8 |.^ 75 F6 \jnz short 00401AB0
00401ABA |. B9 05000000 mov ecx, 5
00401ABF |. BE B0944000 mov esi, 004094B0 ; ASCII "RSWBSW.exe\K0123456789"
00401AC4 |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00401AC6 |. 66:A5 movs word ptr es:[edi], word ptr [esi]
00401AC8 |. 8D4C24 78 lea ecx, dword ptr [esp+78]
00401ACC |. 6A 5C push 5C
00401ACE |. 51 push ecx
00401ACF |. A4 movs byte ptr es:[edi], byte ptr [esi]
00401AD0 |. E8 B70B0000 call 0040268C
00401AD5 |. 83C4 08 add esp, 8
00401AD8 |. 55 push ebp ; /pProcessInfo
00401AD9 |. 8D5424 38 lea edx, dword ptr [esp+38] ; |
00401ADD |. 52 push edx ; |pStartupInfo
00401ADE |. 6A 00 push 0 ; |CurrentDir = NULL
00401AE0 |. 6A 00 push 0 ; |pEnvironment = NULL
00401AE2 |. 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
00401AE4 |. 6A 00 push 0 ; |InheritHandles = FALSE
00401AE6 |. 6A 00 push 0 ; |pThreadSecurity = NULL
00401AE8 |. C600 00 mov byte ptr [eax], 0 ; |
00401AEB |. 6A 00 push 0 ; |pProcessSecurity = NULL
00401AED |. 8D8424 980000>lea eax, dword ptr [esp+98] ; |
00401AF4 |. 50 push eax ; |CommandLine
00401AF5 |. 6A 00 push 0 ; |ModuleFileName = NULL
00401AF7 |. FF15 0C904000 call dword ptr [<&KERNEL32.CreateProcessA>] ; \CreateProcessA
00401AFD |. 85C0 test eax, eax
00401AFF |. 74 7B je short 00401B7C
00401B01 |. C703 07000100 mov dword ptr [ebx], 10007
00401B07 |. 8B4D 04 mov ecx, dword ptr [ebp+4]
00401B0A |. 53 push ebx ; /pContext
00401B0B |. 51 push ecx ; |hThread
00401B0C |. FF15 08904000 call dword ptr [<&KERNEL32.GetThreadContext>] ; \GetThreadContext
00401B12 |. 8B83 A4000000 mov eax, dword ptr [ebx+A4]
00401B18 |. 8B7C24 10 mov edi, dword ptr [esp+10]
00401B1C |. 8B4D 00 mov ecx, dword ptr [ebp]
00401B1F |. 8D5424 14 lea edx, dword ptr [esp+14]
00401B23 |. 52 push edx ; /pBytesRead
00401B24 |. 6A 04 push 4 ; |BytesToRead = 4
00401B26 |. 57 push edi ; |Buffer
00401B27 |. 83C0 08 add eax, 8 ; |
00401B2A |. 50 push eax ; |pBaseAddress
00401B2B |. 51 push ecx ; |hProcess
00401B2C |. FF15 04904000 call dword ptr [<&KERNEL32.ReadProcessMemory>] ; \ReadProcessMemory
00401B32 |. 8B37 mov esi, dword ptr [edi]
00401B34 |. 8B45 00 mov eax, dword ptr [ebp]
00401B37 |. 8B1D 00904000 mov ebx, dword ptr [<&KERNEL32.VirtualQueryEx>] ; kernel32.VirtualQueryEx
00401B3D |. 6A 1C push 1C ; /BufSize = 1C (28.)
00401B3F |. 8D5424 1C lea edx, dword ptr [esp+1C] ; |
00401B43 |. 52 push edx ; |Buffer
00401B44 |. 56 push esi ; |Address
00401B45 |. 50 push eax ; |hProcess
00401B46 |. FFD3 call ebx ; \VirtualQueryEx
00401B48 |. 85C0 test eax, eax
00401B4A |. 74 24 je short 00401B70
00401B4C |. 8D6424 00 lea esp, dword ptr [esp]
00401B50 |> 817C24 28 000>/cmp dword ptr [esp+28], 10000
00401B58 |. 74 16 |je short 00401B70
00401B5A |. 037424 24 |add esi, dword ptr [esp+24]
00401B5E |. 8B55 00 |mov edx, dword ptr [ebp]
00401B61 |. 6A 1C |push 1C
00401B63 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
00401B67 |. 51 |push ecx
00401B68 |. 56 |push esi
00401B69 |. 52 |push edx
00401B6A |. FFD3 |call ebx
00401B6C |. 85C0 |test eax, eax
00401B6E |.^ 75 E0 \jnz short 00401B50
00401B70 |> 2B37 sub esi, dword ptr [edi]
00401B72 |. B8 01000000 mov eax, 1
00401B77 |. 8977 04 mov dword ptr [edi+4], esi
00401B7A |. EB 02 jmp short 00401B7E
00401B7C |> 33C0 xor eax, eax
00401B7E |> 8B8C24 7C0100>mov ecx, dword ptr [esp+17C]
00401B85 |. 5F pop edi
00401B86 |. 5E pop esi
00401B87 |. 5D pop ebp
00401B88 |. 5B pop ebx
00401B89 |. 33CC xor ecx, esp
00401B8B |. E8 D70B0000 call 00402767
00401B90 |. 81C4 70010000 add esp, 170
00401B96 \. C3 retn
用解密后的 EXE 覆盖写入 创建的进程,替换并 启动之:
00401BA0 /$ 81EC F4020000 sub esp, 2F4
00401BA6 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401BAB |. 33C4 xor eax, esp
00401BAD |. 898424 F00200>mov dword ptr [esp+2F0], eax
00401BB4 |. 8B8424 F80200>mov eax, dword ptr [esp+2F8]
00401BBB |. 55 push ebp
00401BBC |. 8BAC24 0C0300>mov ebp, dword ptr [esp+30C]
00401BC3 |. 56 push esi
00401BC4 |. 8BB424 080300>mov esi, dword ptr [esp+308]
00401BCB |. 8D4C24 20 lea ecx, dword ptr [esp+20]
00401BCF |. 51 push ecx
00401BD0 |. 8D5424 30 lea edx, dword ptr [esp+30]
00401BD4 |. 894424 10 mov dword ptr [esp+10], eax
00401BD8 |. 52 push edx
00401BD9 |. 8D4424 18 lea eax, dword ptr [esp+18]
00401BDD |. 50 push eax
00401BDE |. E8 4DFEFFFF call 00401A30
00401BE3 |. 83C4 0C add esp, 0C
00401BE6 |. 85C0 test eax, eax
00401BE8 |. 0F84 9A010000 je 00401D88
00401BEE |. 8B4424 20 mov eax, dword ptr [esp+20]
00401BF2 |. 3946 1C cmp dword ptr [esi+1C], eax
00401BF5 |. 53 push ebx
00401BF6 |. 8B9C24 180300>mov ebx, dword ptr [esp+318]
00401BFD |. 57 push edi
00401BFE |. 8B3D 34904000 mov edi, dword ptr [<&KERNEL32.VirtualAllocEx>; kernel32.VirtualAllocEx
00401C04 |. C74424 10 000>mov dword ptr [esp+10], 0
00401C0C |. 75 22 jnz short 00401C30
00401C0E |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
00401C12 |. 3BD9 cmp ebx, ecx
00401C14 |. 77 1A ja short 00401C30
00401C16 |. 8D5424 30 lea edx, dword ptr [esp+30]
00401C1A |. 52 push edx ; /pOldProtect
00401C1B |. 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00401C1D |. 51 push ecx ; |Size
00401C1E |. 50 push eax ; |Address
00401C1F |. 894424 20 mov dword ptr [esp+20], eax ; |
00401C23 |. 8B4424 28 mov eax, dword ptr [esp+28] ; |
00401C27 |. 50 push eax ; |hProcess
00401C28 |. FF15 30904000 call dword ptr [<&KERNEL32.VirtualProtectEx>] ; \VirtualProtectEx
00401C2E |. EB 3E jmp short 00401C6E
00401C30 |> 68 D4944000 push 004094D4 ; /ProcNameOrOrdinal = "ZwUnmapViewOfSection"
00401C35 |. 68 C8944000 push 004094C8 ; |/pModule = "ntdll.dll"
00401C3A |. FF15 2C904000 call dword ptr [<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA
00401C40 |. 50 push eax ; |hModule
00401C41 |. FF15 28904000 call dword ptr [<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00401C47 |. 8B4C24 28 mov ecx, dword ptr [esp+28]
00401C4B |. 8B5424 18 mov edx, dword ptr [esp+18]
00401C4F |. 51 push ecx
00401C50 |. 52 push edx
00401C51 |. FFD0 call eax
00401C53 |. 85C0 test eax, eax
00401C55 |. 75 17 jnz short 00401C6E
00401C57 |. 8B46 1C mov eax, dword ptr [esi+1C]
00401C5A |. 8B4C24 18 mov ecx, dword ptr [esp+18]
00401C5E |. 6A 40 push 40
00401C60 |. 68 00300000 push 3000
00401C65 |. 53 push ebx
00401C66 |. 50 push eax
00401C67 |. 51 push ecx
00401C68 |. FFD7 call edi
00401C6A |. 894424 10 mov dword ptr [esp+10], eax
00401C6E |> 837C24 10 00 cmp dword ptr [esp+10], 0
00401C73 |. 75 62 jnz short 00401CD7
00401C75 |. 83BE 88000000>cmp dword ptr [esi+88], 0
00401C7C |. 0F84 F7000000 je 00401D79
00401C82 |. 83BE 8C000000>cmp dword ptr [esi+8C], 0
00401C89 |. 0F84 EA000000 je 00401D79
00401C8F |. 8B5424 18 mov edx, dword ptr [esp+18]
00401C93 |. 6A 40 push 40
00401C95 |. 68 00300000 push 3000
00401C9A |. 53 push ebx
00401C9B |. 6A 00 push 0
00401C9D |. 52 push edx
00401C9E |. FFD7 call edi
00401CA0 |. 85C0 test eax, eax
00401CA2 |. 894424 10 mov dword ptr [esp+10], eax
00401CA6 |. 0F84 CD000000 je 00401D79
00401CAC |. 8B8C24 0C0300>mov ecx, dword ptr [esp+30C]
00401CB3 |. 8B5424 14 mov edx, dword ptr [esp+14]
00401CB7 |. 50 push eax
00401CB8 |. 8B8424 180300>mov eax, dword ptr [esp+318]
00401CBF |. 55 push ebp
00401CC0 |. 50 push eax
00401CC1 |. 56 push esi
00401CC2 |. 51 push ecx
00401CC3 |. 52 push edx
00401CC4 |. E8 E7FCFFFF call 004019B0
00401CC9 |. 83C4 18 add esp, 18
00401CCC |. 837C24 10 00 cmp dword ptr [esp+10], 0
00401CD1 |. 0F84 A2000000 je 00401D79
00401CD7 |> 8B9424 D80000>mov edx, dword ptr [esp+D8]
00401CDE |. 8B3D 24904000 mov edi, dword ptr [<&KERNEL32.WriteProcessMe>; kernel32.WriteProcessMemory
00401CE4 |. 8D4424 30 lea eax, dword ptr [esp+30]
00401CE8 |. 50 push eax ; /pBytesWritten
00401CE9 |. 8B4424 1C mov eax, dword ptr [esp+1C] ; |
00401CED |. 6A 04 push 4 ; |BytesToWrite = 4
00401CEF |. 8D4C24 18 lea ecx, dword ptr [esp+18] ; |
00401CF3 |. 51 push ecx ; |Buffer
00401CF4 |. 83C2 08 add edx, 8 ; |
00401CF7 |. 52 push edx ; |Address
00401CF8 |. 50 push eax ; |hProcess
00401CF9 |. FFD7 call edi ; \WriteProcessMemory
00401CFB |. 8B4C24 14 mov ecx, dword ptr [esp+14]
00401CFF |. 8B51 3C mov edx, dword ptr [ecx+3C]
00401D02 |. 8B4424 10 mov eax, dword ptr [esp+10]
00401D06 |. 6A 00 push 0 ; /pBytesWritten = NULL
00401D08 |. 53 push ebx ; |BytesToWrite
00401D09 |. 89442A 34 mov dword ptr [edx+ebp+34], eax ; |
00401D0D |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; |
00401D11 |. 8B5424 20 mov edx, dword ptr [esp+20] ; |
00401D15 |. 55 push ebp ; |Buffer
00401D16 |. 51 push ecx ; |Address
00401D17 |. 52 push edx ; |hProcess
00401D18 |. FFD7 call edi ; \WriteProcessMemory
00401D1A |. 85C0 test eax, eax
00401D1C |. 74 52 je short 00401D70
00401D1E |. 8B4424 10 mov eax, dword ptr [esp+10]
00401D22 |. 3B4424 28 cmp eax, dword ptr [esp+28]
00401D26 |. C74424 34 070>mov dword ptr [esp+34], 10007
00401D2E |. 75 0F jnz short 00401D3F
00401D30 |. 8B46 10 mov eax, dword ptr [esi+10]
00401D33 |. 0346 1C add eax, dword ptr [esi+1C]
00401D36 |. 898424 E40000>mov dword ptr [esp+E4], eax ; 计算 EXE入口地址
00401D3D |. EB 0C jmp short 00401D4B
00401D3F |> 8B4E 10 mov ecx, dword ptr [esi+10]
00401D42 |. 03C8 add ecx, eax
00401D44 |. 898C24 E40000>mov dword ptr [esp+E4], ecx
00401D4B |> 8B4424 1C mov eax, dword ptr [esp+1C]
00401D4F |. 8D5424 34 lea edx, dword ptr [esp+34]
00401D53 |. 52 push edx ; /pContext
00401D54 |. 50 push eax ; |hThread
00401D55 |. FF15 20904000 call dword ptr [<&KERNEL32.SetThreadContext>] ; \SetThreadContext
00401D5B |. 6A 00 push 0 ; /hThread = NULL
00401D5D |. FF15 1C904000 call dword ptr [<&KERNEL32.SuspendThread>] ; \SuspendThread
00401D63 |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
00401D67 |. 51 push ecx ; /hThread
00401D68 |. FF15 18904000 call dword ptr [<&KERNEL32.ResumeThread>] ; \ResumeThread
00401D6E |. EB 16 jmp short 00401D86
00401D70 |> 8B5424 18 mov edx, dword ptr [esp+18]
00401D74 |. 6A 00 push 0
00401D76 |. 52 push edx
00401D77 |. EB 07 jmp short 00401D80
00401D79 |> 8B4424 18 mov eax, dword ptr [esp+18]
00401D7D |. 6A 00 push 0 ; /ExitCode = 0
00401D7F |. 50 push eax ; |hProcess
00401D80 |> FF15 14904000 call dword ptr [<&KERNEL32.TerminateProcess>] ; \TerminateProcess
00401D86 |> 5F pop edi
00401D87 |. 5B pop ebx
00401D88 |> 8B8C24 F80200>mov ecx, dword ptr [esp+2F8]
00401D8F |. 5E pop esi
00401D90 |. 5D pop ebp
00401D91 |. 33CC xor ecx, esp
00401D93 |. E8 CF090000 call 00402767
00401D98 |. 81C4 F4020000 add esp, 2F4
00401D9E \. C3 retn
===============================================================================
Part 2 : RSWBSW.exe\K0123456789
===============================================================================
启动 rsRSWBSW.exe
004B270F |. FF75 CC push dword ptr [ebp-34]
004B2712 |. 68 D8274B00 push 004B27D8 ; rs
004B2717 |. 68 E4274B00 push 004B27E4 ; rswbsw.exe
004B271C |. 8D45 D0 lea eax, dword ptr [ebp-30]
004B271F |. BA 03000000 mov edx, 3
004B2724 |. E8 7322F5FF call 0040499C
004B2729 |. 8B45 D0 mov eax, dword ptr [ebp-30]
004B272C |. E8 AB23F5FF call 00404ADC
004B2731 |. 50 push eax ; |FileName
004B2732 |. 68 F0274B00 push 004B27F0 ; |open
004B2737 |. 6A 00 push 0 ; |hWnd = NULL
004B2739 |. E8 56FDF7FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
004B273E |. A1 10494B00 mov eax, dword ptr [4B4910]
004B2743 |. 8B00 mov eax, dword ptr [eax]
004B2745 |. E8 A6DDFBFF call 004704F0 ; 结束自己
004B274A |. 33C0 xor eax, eax
004B274C |. 5A pop edx
004B274D |. 59 pop ecx
004B274E |. 59 pop ecx
004B274F |. 64:8910 mov dword ptr fs:[eax], edx
004B2752 |. 68 6C274B00 push 004B276C
004B2757 |> 8D45 C8 lea eax, dword ptr [ebp-38]
004B275A |. BA 0D000000 mov edx, 0D
004B275F |. E8 DC1EF5FF call 00404640
004B2764 \. C3 retn
004B2765 .^ E9 8E18F5FF jmp 00403FF8
004B276A .^ EB EB jmp short 004B2757
004B276C . 5F pop edi
004B276D . 5E pop esi
004B276E . 8BE5 mov esp, ebp
004B2770 . 5D pop ebp
004B2771 . C3 retn
结束自己:
004704F0 /$ E8 8FDDF9FF call 0040E284
004704F5 |. 84C0 test al, al
004704F7 |. 74 07 je short 00470500
004704F9 |. 6A 00 push 0 ; /ExitCode = 0
004704FB |. E8 E070F9FF call <jmp.&user32.PostQuitMessage> ; \PostQuitMessage
00470500 \> C3 retn
===============================================================================
Part 3 : RSWBSW.dat 解密后是 exe,加壳
===============================================================================
壳入口:
00DE9001 > 60 pushad
00DE9002 E8 03000000 call 00DE900A
00DE9007 - E9 EB045D45 jmp 463B94F7
00DE900C 55 push ebp
00DE900D C3 retn
00DE900E E8 01000000 call 00DE9014
00DE9013 EB 5D jmp short 00DE9072
00DE9015 BB EDFFFFFF mov ebx, -13
00DE901A 03DD add ebx, ebp
00DE901C 81EB 00909E00 sub ebx, 009E9000
00DE9022 83BD 22040000 0>cmp dword ptr [ebp+422], 0
00DE9029 899D 22040000 mov dword ptr [ebp+422], ebx
00DE902F 0F85 65030000 jnz 00DE939A
00DE9035 8D85 2E040000 lea eax, dword ptr [ebp+42E]
00DE903B 50 push eax
00DE903C FF95 4D0F0000 call dword ptr [ebp+F4D]
00DE9042 8985 26040000 mov dword ptr [ebp+426], eax
00DE9048 8BF8 mov edi, eax
00DE904A 8D5D 5E lea ebx, dword ptr [ebp+5E]
00DE904D 53 push ebx
00DE904E 50 push eax
00DE904F FF95 490F0000 call dword ptr [ebp+F49]
00DE9055 8985 4D050000 mov dword ptr [ebp+54D], eax
00DE905B 8D5D 6B lea ebx, dword ptr [ebp+6B]
00DE905E 53 push ebx
00DE905F 57 push edi
00DE9060 FF95 490F0000 call dword ptr [ebp+F49]
00DE9066 8985 51050000 mov dword ptr [ebp+551], eax
00DE906C 8D45 77 lea eax, dword ptr [ebp+77]
00DE906F FFE0 jmp eax
00DE9071 56 push esi
00DE9072 6972 74 75616C4>imul esi, dword ptr [edx+74], 416C6175
00DE9079 6C ins byte ptr es:[edi], dx
00DE907A 6C ins byte ptr es:[edi], dx
00DE907B 6F outs dx, dword ptr es:[edi]
00DE907C 6300 arpl word ptr [eax], ax
00DE907E 56 push esi
00DE907F 6972 74 75616C4>imul esi, dword ptr [edx+74], 466C6175
00DE9086 72 65 jb short 00DE90ED
00DE9088 65:008B 9D31050>add byte ptr gs:[ebx+5319D], cl
00DE908F 000B add byte ptr [ebx], cl
00DE9091 DB ??? ; 未知命令
00DE9092 74 0A je short 00DE909E
00DE9094 8B03 mov eax, dword ptr [ebx]
00DE9096 8785 35050000 xchg dword ptr [ebp+535], eax
00DE909C 8903 mov dword ptr [ebx], eax
00DE909E 8DB5 69050000 lea esi, dword ptr [ebp+569]
00DE90A4 833E 00 cmp dword ptr [esi], 0
00DE90A7 0F84 21010000 je 00DE91CE
00DE90AD 6A 04 push 4
00DE90AF 68 00100000 push 1000
00DE90B4 68 00180000 push 1800
00DE90B9 6A 00 push 0
00DE90BB FF95 4D050000 call dword ptr [ebp+54D]
00DE90C1 8985 56010000 mov dword ptr [ebp+156], eax
00DE90C7 8B46 04 mov eax, dword ptr [esi+4]
00DE90CA 05 0E010000 add eax, 10E
00DE90CF 6A 04 push 4
00DE90D1 68 00100000 push 1000
00DE90D6 50 push eax
00DE90D7 6A 00 push 0
00DE90D9 FF95 4D050000 call dword ptr [ebp+54D]
00DE90DF 8985 52010000 mov dword ptr [ebp+152], eax
00DE90E5 56 push esi
00DE90E6 8B1E mov ebx, dword ptr [esi]
00DE90E8 039D 22040000 add ebx, dword ptr [ebp+422]
00DE90EE FFB5 56010000 push dword ptr [ebp+156]
00DE90F4 FF76 04 push dword ptr [esi+4]
00DE90F7 50 push eax
00DE90F8 53 push ebx
00DE90F9 E8 6E050000 call 00DE966C
00DE90FE B3 00 mov bl, 0
00DE9100 80FB 00 cmp bl, 0
00DE9103 75 5E jnz short 00DE9163
00DE9105 FE85 EC000000 inc byte ptr [ebp+EC]
00DE910B 8B3E mov edi, dword ptr [esi]
00DE910D 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9113 FF37 push dword ptr [edi]
00DE9115 C607 C3 mov byte ptr [edi], 0C3
00DE9118 FFD7 call edi
00DE911A 8F07 pop dword ptr [edi]
00DE911C 50 push eax
00DE911D 51 push ecx
00DE911E 56 push esi
00DE911F 53 push ebx
00DE9120 8BC8 mov ecx, eax
00DE9122 83E9 06 sub ecx, 6
00DE9125 8BB5 52010000 mov esi, dword ptr [ebp+152]
00DE912B 33DB xor ebx, ebx
00DE912D 0BC9 or ecx, ecx
00DE912F 74 2E je short 00DE915F
00DE9131 78 2C js short 00DE915F
00DE9133 AC lods byte ptr [esi]
00DE9134 3C E8 cmp al, 0E8
00DE9136 74 0A je short 00DE9142
00DE9138 EB 00 jmp short 00DE913A
00DE913A 3C E9 cmp al, 0E9
00DE913C 74 04 je short 00DE9142
00DE913E 43 inc ebx
00DE913F 49 dec ecx
00DE9140 ^ EB EB jmp short 00DE912D
00DE9142 8B06 mov eax, dword ptr [esi]
00DE9144 EB 0A jmp short 00DE9150
00DE9146 803E 00 cmp byte ptr [esi], 0
00DE9149 ^ 75 F3 jnz short 00DE913E
00DE914B 24 00 and al, 0
00DE914D C1C0 18 rol eax, 18
00DE9150 2BC3 sub eax, ebx
00DE9152 8906 mov dword ptr [esi], eax
00DE9154 83C3 05 add ebx, 5
00DE9157 83C6 04 add esi, 4
00DE915A 83E9 05 sub ecx, 5
00DE915D ^ EB CE jmp short 00DE912D
00DE915F 5B pop ebx
00DE9160 5E pop esi
00DE9161 59 pop ecx
00DE9162 58 pop eax
00DE9163 EB 08 jmp short 00DE916D
00DE9165 0000 add byte ptr [eax], al
00DE9167 0000 add byte ptr [eax], al
00DE9169 0000 add byte ptr [eax], al
00DE916B 0000 add byte ptr [eax], al
00DE916D 8BC8 mov ecx, eax
00DE916F 8B3E mov edi, dword ptr [esi]
00DE9171 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9177 8BB5 52010000 mov esi, dword ptr [ebp+152]
00DE917D C1F9 02 sar ecx, 2
00DE9180 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00DE9182 8BC8 mov ecx, eax
00DE9184 83E1 03 and ecx, 3
00DE9187 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00DE9189 5E pop esi
00DE918A 68 00800000 push 8000
00DE918F 6A 00 push 0
00DE9191 FFB5 52010000 push dword ptr [ebp+152]
00DE9197 FF95 51050000 call dword ptr [ebp+551]
00DE919D 83C6 08 add esi, 8
00DE91A0 833E 00 cmp dword ptr [esi], 0
00DE91A3 ^ 0F85 1EFFFFFF jnz 00DE90C7
00DE91A9 68 00800000 push 8000
00DE91AE 6A 00 push 0
00DE91B0 FFB5 56010000 push dword ptr [ebp+156]
00DE91B6 FF95 51050000 call dword ptr [ebp+551]
00DE91BC 8B9D 31050000 mov ebx, dword ptr [ebp+531]
00DE91C2 0BDB or ebx, ebx
00DE91C4 74 08 je short 00DE91CE
00DE91C6 8B03 mov eax, dword ptr [ebx]
00DE91C8 8785 35050000 xchg dword ptr [ebp+535], eax
00DE91CE 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE91D4 8B85 2D050000 mov eax, dword ptr [ebp+52D]
00DE91DA 2BD0 sub edx, eax
00DE91DC 74 79 je short 00DE9257
00DE91DE 8BC2 mov eax, edx
00DE91E0 C1E8 10 shr eax, 10
00DE91E3 33DB xor ebx, ebx
00DE91E5 8BB5 39050000 mov esi, dword ptr [ebp+539]
00DE91EB 03B5 22040000 add esi, dword ptr [ebp+422]
00DE91F1 833E 00 cmp dword ptr [esi], 0
00DE91F4 74 61 je short 00DE9257
00DE91F6 8B4E 04 mov ecx, dword ptr [esi+4]
00DE91F9 83E9 08 sub ecx, 8
00DE91FC D1E9 shr ecx, 1
00DE91FE 8B3E mov edi, dword ptr [esi]
00DE9200 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9206 83C6 08 add esi, 8
00DE9209 66:8B1E mov bx, word ptr [esi]
00DE920C C1EB 0C shr ebx, 0C
00DE920F 83FB 01 cmp ebx, 1
00DE9212 74 0C je short 00DE9220
00DE9214 83FB 02 cmp ebx, 2
00DE9217 74 16 je short 00DE922F
00DE9219 83FB 03 cmp ebx, 3
00DE921C 74 20 je short 00DE923E
00DE921E EB 2C jmp short 00DE924C
00DE9220 66:8B1E mov bx, word ptr [esi]
00DE9223 81E3 FF0F0000 and ebx, 0FFF
00DE9229 66:01041F add word ptr [edi+ebx], ax
00DE922D EB 1D jmp short 00DE924C
00DE922F 66:8B1E mov bx, word ptr [esi]
00DE9232 81E3 FF0F0000 and ebx, 0FFF
00DE9238 66:01141F add word ptr [edi+ebx], dx
00DE923C EB 0E jmp short 00DE924C
00DE923E 66:8B1E mov bx, word ptr [esi]
00DE9241 81E3 FF0F0000 and ebx, 0FFF
00DE9247 01141F add dword ptr [edi+ebx], edx
00DE924A EB 00 jmp short 00DE924C
00DE924C 66:830E FF or word ptr [esi], 0FFFF
00DE9250 83C6 02 add esi, 2
00DE9253 ^ E2 B4 loopd short 00DE9209
00DE9255 ^ EB 9A jmp short 00DE91F1
00DE9257 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE925D 8BB5 41050000 mov esi, dword ptr [ebp+541]
00DE9263 0BF6 or esi, esi
00DE9265 74 11 je short 00DE9278
00DE9267 03F2 add esi, edx
00DE9269 AD lods dword ptr [esi]
00DE926A 0BC0 or eax, eax
00DE926C 74 0A je short 00DE9278
00DE926E 03C2 add eax, edx
00DE9270 8BF8 mov edi, eax
00DE9272 66:AD lods word ptr [esi]
00DE9274 66:AB stos word ptr es:[edi]
00DE9276 ^ EB F1 jmp short 00DE9269
00DE9278 BE 00504800 mov esi, 00485000
00DE927D 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE9283 03F2 add esi, edx
00DE9285 8B46 0C mov eax, dword ptr [esi+C]
00DE9288 85C0 test eax, eax
00DE928A 0F84 0A010000 je 00DE939A
00DE9290 03C2 add eax, edx
00DE9292 8BD8 mov ebx, eax
00DE9294 50 push eax
00DE9295 FF95 4D0F0000 call dword ptr [ebp+F4D]
00DE929B 85C0 test eax, eax
00DE929D 75 07 jnz short 00DE92A6
00DE929F 53 push ebx
00DE92A0 FF95 510F0000 call dword ptr [ebp+F51]
00DE92A6 8985 45050000 mov dword ptr [ebp+545], eax
00DE92AC C785 49050000 0>mov dword ptr [ebp+549], 0
00DE92B6 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE92BC 8B06 mov eax, dword ptr [esi]
00DE92BE 85C0 test eax, eax
00DE92C0 75 03 jnz short 00DE92C5
00DE92C2 8B46 10 mov eax, dword ptr [esi+10]
00DE92C5 03C2 add eax, edx
00DE92C7 0385 49050000 add eax, dword ptr [ebp+549]
00DE92CD 8B18 mov ebx, dword ptr [eax]
00DE92CF 8B7E 10 mov edi, dword ptr [esi+10]
00DE92D2 03FA add edi, edx
00DE92D4 03BD 49050000 add edi, dword ptr [ebp+549]
00DE92DA 85DB test ebx, ebx
00DE92DC 0F84 A2000000 je 00DE9384
00DE92E2 F7C3 00000080 test ebx, 80000000
00DE92E8 75 04 jnz short 00DE92EE
00DE92EA 03DA add ebx, edx
00DE92EC 43 inc ebx
00DE92ED 43 inc ebx
00DE92EE 53 push ebx
00DE92EF 81E3 FFFFFF7F and ebx, 7FFFFFFF
00DE92F5 53 push ebx
00DE92F6 FFB5 45050000 push dword ptr [ebp+545]
00DE92FC FF95 490F0000 call dword ptr [ebp+F49]
00DE9302 85C0 test eax, eax
00DE9304 5B pop ebx
00DE9305 75 6F jnz short 00DE9376
00DE9307 F7C3 00000080 test ebx, 80000000
00DE930D 75 19 jnz short 00DE9328
00DE930F 57 push edi
00DE9310 8B46 0C mov eax, dword ptr [esi+C]
00DE9313 0385 22040000 add eax, dword ptr [ebp+422]
00DE9319 50 push eax
00DE931A 53 push ebx
00DE931B 8D85 75040000 lea eax, dword ptr [ebp+475]
00DE9321 50 push eax
00DE9322 57 push edi
00DE9323 E9 98000000 jmp 00DE93C0
00DE9328 81E3 FFFFFF7F and ebx, 7FFFFFFF
00DE932E 8B85 26040000 mov eax, dword ptr [ebp+426]
00DE9334 3985 45050000 cmp dword ptr [ebp+545], eax
00DE933A 75 24 jnz short 00DE9360
00DE933C 57 push edi
00DE933D 8BD3 mov edx, ebx
00DE933F 4A dec edx
00DE9340 C1E2 02 shl edx, 2
00DE9343 8B9D 45050000 mov ebx, dword ptr [ebp+545]
00DE9349 8B7B 3C mov edi, dword ptr [ebx+3C]
00DE934C 8B7C3B 78 mov edi, dword ptr [ebx+edi+78]
00DE9350 035C3B 1C add ebx, dword ptr [ebx+edi+1C]
00DE9354 8B0413 mov eax, dword ptr [ebx+edx]
00DE9357 0385 45050000 add eax, dword ptr [ebp+545]
00DE935D 5F pop edi
00DE935E EB 16 jmp short 00DE9376
00DE9360 57 push edi
00DE9361 8B46 0C mov eax, dword ptr [esi+C]
00DE9364 0385 22040000 add eax, dword ptr [ebp+422]
00DE936A 50 push eax
00DE936B 53 push ebx
00DE936C 8D85 C6040000 lea eax, dword ptr [ebp+4C6]
00DE9372 50 push eax
00DE9373 57 push edi
00DE9374 EB 4A jmp short 00DE93C0
00DE9376 8907 mov dword ptr [edi], eax
00DE9378 8385 49050000 0>add dword ptr [ebp+549], 4
00DE937F ^ E9 32FFFFFF jmp 00DE92B6
00DE9384 8906 mov dword ptr [esi], eax
00DE9386 8946 0C mov dword ptr [esi+C], eax
00DE9389 8946 10 mov dword ptr [esi+10], eax
00DE938C 83C6 14 add esi, 14
00DE938F 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE9395 ^ E9 EBFEFFFF jmp 00DE9285
00DE939A B8 94594600 mov eax, 00465994
00DE939F 50 push eax
00DE93A0 0385 22040000 add eax, dword ptr [ebp+422]
00DE93A6 59 pop ecx
00DE93A7 0BC9 or ecx, ecx
00DE93A9 8985 A8030000 mov dword ptr [ebp+3A8], eax
壳出口:
00DE93AF 61 popad
00DE93B0 75 08 jnz short 00DE93BA
00DE93B2 B8 01000000 mov eax, 1
00DE93B7 C2 0C00 retn 0C
00DE93BA 68 00000000 push 0 !!!!! 这里,未脱壳,地址 = 0
00DE93BF C3 retn
壳代码运行过后:
00DE93AF 61 popad
00DE93B0 75 08 jnz short 00DE93BA
00DE93B2 B8 01000000 mov eax, 1
00DE93B7 C2 0C00 retn 0C
00DE93BA 68 94598600 push 00865994 !!!!! 这里,脱壳后,地址 = 00865994 OEP
00DE93BF C3 retn
读硬盘数据: 试用次数
0071C10E 6A 00 push 0
0071C110 6A 00 push 0
0071C112 6A 03 push 3
0071C114 6A 00 push 0
0071C116 6A 03 push 3
0071C118 68 000000C0 push C0000000
0071C11D 68 44C17100 push 0071C144 ; ASCII "\\.\PHYSICALDRIVE0"
0071C122 E8 99B9CEFF call 00407AC0 ; jmp 到 kernel32.CreateFileA
0071C127 8946 04 mov dword ptr [esi+4], eax
0071C12A 8BC6 mov eax, esi
0071C12C 84DB test bl, bl
0071C12E 74 0F je short 0071C13F
0071C130 E8 2785CEFF call 0040465C
0071C135 64:8F05 0000000>pop dword ptr fs:[0]
0071C13C 83C4 0C add esp, 0C
0071C13F 8BC6 mov eax, esi
0071C141 5E pop esi
0071C142 5B pop ebx
0071C143 C3 retn
0071C144 5C pop esp
0071C145 5C pop esp
0071C146 2E:5C pop esp
0071C148 50 push eax
0071C149 48 dec eax
0071C14A 59 pop ecx
0071C14B 53 push ebx
0071C14C 49 dec ecx
0071C14D 43 inc ebx
0071C14E 41 inc ecx
0071C14F 4C dec esp
0071C150 44 inc esp
0071C151 52 push edx
0071C152 49 dec ecx
0071C153 56 push esi
0071C154 45 inc ebp
0071C155 3000 xor byte ptr [eax], al
0071C157 0053 56 add byte ptr [ebx+56], dl
0071C15A E8 0D85CEFF call 0040466C
0071C15F 8BDA mov ebx, edx
0071C161 8BF0 mov esi, eax
0071C163 8B46 04 mov eax, dword ptr [esi+4]
0071C166 83F8 FF cmp eax, -1
0071C169 74 06 je short 0071C171
0071C16B 50 push eax
0071C16C E8 27B9CEFF call 00407A98 ; jmp 到 kernel32.CloseHandle
0071C171 8BD3 mov edx, ebx
0071C173 80E2 FC and dl, 0FC
0071C176 8BC6 mov eax, esi
0071C178 E8 1381CEFF call 00404290
0071C17D 84DB test bl, bl
0071C17F 7E 07 jle short 0071C188
0071C181 8BC6 mov eax, esi
0071C183 E8 CC84CEFF call 00404654
0071C188 5E pop esi
0071C189 5B pop ebx
0071C18A C3 retn
偏移 7C00h = 62 x 512,即 第 62 扇区
0071C19A 6A 00 push 0
0071C19C 6A 00 push 0
0071C19E 68 007C0000 push 7C00
0071C1A3 8B43 04 mov eax, dword ptr [ebx+4]
0071C1A6 50 push eax
0071C1A7 E8 2CBCCEFF call 00407DD8 ; jmp 到 kernel32.SetFilePointer
0071C1AC 6A 00 push 0
0071C1AE 8D4424 04 lea eax, dword ptr [esp+4]
0071C1B2 50 push eax
0071C1B3 68 00020000 push 200
0071C1B8 8D43 08 lea eax, dword ptr [ebx+8]
0071C1BB 50 push eax
0071C1BC 8B43 04 mov eax, dword ptr [ebx+4]
0071C1BF 50 push eax
0071C1C0 E8 D3BBCEFF call 00407D98 ; jmp 到 kernel32.ReadFile 连读 4次左右
0071C1C5 85C0 test eax, eax
0071C1C7 0F84 35010000 je 0071C302
0071C1CD 8D53 08 lea edx, dword ptr [ebx+8]
---------------
02E73998 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A98 52 53 57 42 00 1C 00 00 00 00 00 00 00 00 00 00 RSWB........... !!!!!!!!!磁盘扇区数据: 1E = 30次 1C = 28次
02E73AA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
---------------
0071C1D0 B9 FF010000 mov ecx, 1FF
0071C1D5 8BC3 mov eax, ebx
0071C1D7 E8 30010000 call 0071C30C
0071C1DC 8A83 08010000 mov al, byte ptr [ebx+108]
0071C1E2 8806 mov byte ptr [esi], al
0071C1E4 8A83 09010000 mov al, byte ptr [ebx+109]
0071C1EA 8846 01 mov byte ptr [esi+1], al
0071C1ED 8A83 0A010000 mov al, byte ptr [ebx+10A]
0071C1F3 8846 02 mov byte ptr [esi+2], al
0071C1F6 8A83 0B010000 mov al, byte ptr [ebx+10B]
0071C1FC 8846 03 mov byte ptr [esi+3], al
0071C1FF 8A83 0D010000 mov al, byte ptr [ebx+10D]
0071C205 8846 04 mov byte ptr [esi+4], al
0071C208 8A83 0E010000 mov al, byte ptr [ebx+10E]
0071C20E 8846 05 mov byte ptr [esi+5], al
0071C211 8A83 0F010000 mov al, byte ptr [ebx+10F]
0071C217 8846 06 mov byte ptr [esi+6], al
0071C21A 8A83 10010000 mov al, byte ptr [ebx+110]
0071C220 8846 07 mov byte ptr [esi+7], al
0071C223 8A83 11010000 mov al, byte ptr [ebx+111]
0071C229 8846 08 mov byte ptr [esi+8], al
0071C22C 8A83 12010000 mov al, byte ptr [ebx+112]
0071C232 8846 09 mov byte ptr [esi+9], al
0071C235 8A83 13010000 mov al, byte ptr [ebx+113]
0071C23B 8846 0A mov byte ptr [esi+A], al
0071C23E 8A83 14010000 mov al, byte ptr [ebx+114]
0071C244 8846 0B mov byte ptr [esi+B], al
0071C247 8A83 15010000 mov al, byte ptr [ebx+115]
0071C24D 8846 0C mov byte ptr [esi+C], al
0071C250 8A83 16010000 mov al, byte ptr [ebx+116]
0071C256 8846 0D mov byte ptr [esi+D], al
0071C259 8A83 23010000 mov al, byte ptr [ebx+123]
0071C25F 8846 0E mov byte ptr [esi+E], al
0071C262 8A83 24010000 mov al, byte ptr [ebx+124]
0071C268 8846 0F mov byte ptr [esi+F], al
0071C26B 8A83 25010000 mov al, byte ptr [ebx+125]
0071C271 8846 10 mov byte ptr [esi+10], al
0071C274 8A83 26010000 mov al, byte ptr [ebx+126]
0071C27A 8846 11 mov byte ptr [esi+11], al
0071C27D 8A83 27010000 mov al, byte ptr [ebx+127]
0071C283 8846 12 mov byte ptr [esi+12], al
0071C286 8A83 28010000 mov al, byte ptr [ebx+128]
0071C28C 8846 13 mov byte ptr [esi+13], al
0071C28F 8A83 29010000 mov al, byte ptr [ebx+129]
0071C295 8846 14 mov byte ptr [esi+14], al
0071C298 8A83 2A010000 mov al, byte ptr [ebx+12A]
0071C29E 8846 15 mov byte ptr [esi+15], al
0071C2A1 8A83 2B010000 mov al, byte ptr [ebx+12B]
0071C2A7 8846 16 mov byte ptr [esi+16], al
0071C2AA 8A83 2C010000 mov al, byte ptr [ebx+12C]
0071C2B0 8846 17 mov byte ptr [esi+17], al
0071C2B3 8A83 2D010000 mov al, byte ptr [ebx+12D]
0071C2B9 8846 18 mov byte ptr [esi+18], al
0071C2BC 8A83 2E010000 mov al, byte ptr [ebx+12E]
0071C2C2 8846 19 mov byte ptr [esi+19], al
0071C2C5 8A83 2F010000 mov al, byte ptr [ebx+12F]
0071C2CB 8846 1A mov byte ptr [esi+1A], al
0071C2CE 8A83 30010000 mov al, byte ptr [ebx+130]
0071C2D4 8846 1B mov byte ptr [esi+1B], al
0071C2D7 8A83 31010000 mov al, byte ptr [ebx+131]
0071C2DD 8846 1C mov byte ptr [esi+1C], al
0071C2E0 8A83 32010000 mov al, byte ptr [ebx+132]
0071C2E6 8846 1D mov byte ptr [esi+1D], al
0071C2E9 8A83 33010000 mov al, byte ptr [ebx+133]
0071C2EF 8846 1E mov byte ptr [esi+1E], al
0071C2F2 8A83 34010000 mov al, byte ptr [ebx+134]
0071C2F8 8846 1F mov byte ptr [esi+1F], al
0071C2FB B9 08000000 mov ecx, 8
0071C300 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0071C302 83C4 24 add esp, 24
0071C305 5F pop edi
0071C306 5E pop esi
0071C307 5B pop ebx
0071C308 C3 retn
0048A3BE 试用 命令入口
关键代码段
007EA861 E8 4600F3FF call 0071A8AC
007EA866 83F8 1E cmp eax, 1E !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 和 30次 比较
007EA869 7E 05 jle short 007EA870
007EA86B B8 1E000000 mov eax, 1E
007EA870 48 dec eax
007EA871 E8 9200F3FF call 0071A908
007EA876 C783 4C020000 0>mov dword ptr [ebx+24C], 1
007EA880 5B pop ebx
007EA881 C3 retn
007EA882 C783 4C020000 0>mov dword ptr [ebx+24C], 2
007EA88C 5B pop ebx
007EA88D C3 retn
007EA88E 8BC0 mov eax, eax
007EA890 55 push ebp
007EA891 8BEC mov ebp, esp
007EA893 33C9 xor ecx, ecx
次数比较,以便决定显示 提示 信息窗口
007E8BF0 /EB 07 jmp short 007E8BF9
007E8BF2 |E8 B51CF3FF call 0071A8AC !!!!!!!!!!获取 已经使用的次数 EAX
007E8BF7 |8BF0 mov esi, eax
007E8BF9 \85F6 test esi, esi
007E8BFB 7E 05 jle short 007E8C02
007E8BFD 83FE 1E cmp esi, 1E
007E8C00 7E 04 jle short 007E8C06
007E8C02 33C0 xor eax, eax
007E8C04 EB 02 jmp short 007E8C08
007E8C06 B0 01 mov al, 1
007E8C08 8883 98030000 mov byte ptr [ebx+398], al
007E8C0E 85F6 test esi, esi
007E8C10 7E 05 jle short 007E8C17
007E8C12 83FE 1E cmp esi, 1E !!!!!!!!!!!!!! 搜索此指令,修改 最大次数
007E8C15 7E 4D jle short 007E8C64
007E8C17 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C1D 8B40 68 mov eax, dword ptr [eax+68]
007E8C20 BA FF000000 mov edx, 0FF
007E8C25 E8 9E62C4FF call 0042EEC8
007E8C2A 68 1C8E7E00 push 007E8E1C ; ASCII "???"
007E8C2F 8D45 F0 lea eax, dword ptr [ebp-10]
007E8C32 50 push eax
007E8C33 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C38 B9 288E7E00 mov ecx, 007E8E28 ; ASCII "testhint1"
007E8C3D 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C43 8B30 mov esi, dword ptr [eax]
007E8C45 FF16 call dword ptr [esi]
007E8C47 8B55 F0 mov edx, dword ptr [ebp-10]
007E8C4A 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C50 E8 E301CAFF call 00488E38
007E8C55 33D2 xor edx, edx
007E8C57 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8C5D 8B08 mov ecx, dword ptr [eax]
007E8C5F FF51 64 call dword ptr [ecx+64]
007E8C62 EB 65 jmp short 007E8CC9
007E8C64 83FE 1E cmp esi, 1E
007E8C67 7F 60 jg short 007E8CC9
007E8C69 BA FF000000 mov edx, 0FF
007E8C6E 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C74 E8 2F03CAFF call 00488FA8
007E8C79 8D45 EC lea eax, dword ptr [ebp-14]
007E8C7C 50 push eax
007E8C7D 68 3C8E7E00 push 007E8E3C ; ASCII "%d"
007E8C82 8D45 E8 lea eax, dword ptr [ebp-18]
007E8C85 50 push eax
007E8C86 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C8B B9 488E7E00 mov ecx, 007E8E48 ; ASCII "TestHint"
007E8C90 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C96 8B38 mov edi, dword ptr [eax]
007E8C98 FF17 call dword ptr [edi]
007E8C9A 8B45 E8 mov eax, dword ptr [ebp-18]
007E8C9D 8975 E0 mov dword ptr [ebp-20], esi
007E8CA0 C645 E4 00 mov byte ptr [ebp-1C], 0
007E8CA4 8D55 E0 lea edx, dword ptr [ebp-20]
007E8CA7 33C9 xor ecx, ecx
007E8CA9 E8 0E4BC2FF call 0040D7BC
007E8CAE 8B55 EC mov edx, dword ptr [ebp-14]
007E8CB1 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8CB7 E8 7C01CAFF call 00488E38
007E8CBC B2 01 mov dl, 1
007E8CBE 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8CC4 8B08 mov ecx, dword ptr [eax]
007E8CC6 FF51 64 call dword ptr [ecx+64]
007E8CC9 33D2 xor edx, edx
007E8CCB 8B83 34030000 mov eax, dword ptr [ebx+334]
007E8CD1 8B08 mov ecx, dword ptr [eax]
007E8CD3 FF51 64 call dword ptr [ecx+64]
007E8CD6 8BC3 mov eax, ebx
007E8CD8 E8 2F1E0000 call 007EAB0C
007E8CDD 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8CE3 C780 14020000 0>mov dword ptr [eax+214], 2
007E8CED 33C0 xor eax, eax
007E8CEF 5A pop edx
007E8CF0 59 pop ecx
007E8CF1 59 pop ecx
007E8CF2 64:8910 mov dword ptr fs:[eax], edx
007E8CF5 68 1F8D7E00 push 007E8D1F
007E8CFA 8D45 E8 lea eax, dword ptr [ebp-18]
007E8CFD BA 04000000 mov edx, 4
007E8D02 E8 0DC4C1FF call 00405114
007E8D07 8D45 F8 lea eax, dword ptr [ebp-8]
007E8D0A E8 E1C3C1FF call 004050F0
007E8D0F 8D45 FC lea eax, dword ptr [ebp-4]
007E8D12 E8 D9C3C1FF call 004050F0
007E8D17 C3 retn
007E8D18 ^ E9 17BDC1FF jmp 00404A34
007E8D1D ^ EB DB jmp short 007E8CFA
007E8D1F 5F pop edi
007E8D20 5E pop esi
007E8D21 5B pop ebx
007E8D22 8BE5 mov esp, ebp
007E8D24 5D pop ebp
007E8D25 C3 retn
007E8D26 0000 add byte ptr [eax], al
007E8D28 72 00 jb short 007E8D2A
007E8D2A 0000 add byte ptr [eax], al
007E8D2C 68 00740074 push 74007400
007E8D31 0070 00 add byte ptr [eax], dh
007E8D34 3A00 cmp al, byte ptr [eax]
007E8D36 2F das
007E8D37 002F add byte ptr [edi], ch
007E8D39 0077 00 add byte ptr [edi], dh
007E8D3C 77 00 ja short 007E8D3E
007E8D3E 77 00 ja short 007E8D40
007E8D40 2E:0072 00 add byte ptr cs:[edx], dh
007E8D44 65:007400 75 add byte ptr gs:[eax+eax+75], dh
007E8D49 0072 00 add byte ptr [edx], dh
007E8D4C 6E outs dx, byte ptr es:[edi]
007E8D4D 0073 00 add byte ptr [ebx], dh
007E8D50 74 00 je short 007E8D52
007E8D52 61 popad
007E8D53 0072 00 add byte ptr [edx], dh
007E8D56 2E:0063 00 add byte ptr cs:[ebx], ah
007E8D5A 6F outs dx, dword ptr es:[edi]
007E8D5B 006D 00 add byte ptr [ebp], ch
007E8D5E 2F das
007E8D5F 0070 00 add byte ptr [eax], dh
007E8D62 72 00 jb short 007E8D64
007E8D64 6F outs dx, dword ptr es:[edi]
007E8D65 006400 72 add byte ptr [eax+eax+72], ah
007E8D69 0065 00 add byte ptr [ebp], ah
007E8D6C 67:0065 00 add byte ptr [di], ah
007E8D70 64:0069 00 add byte ptr fs:[ecx], ch
007E8D74 74 00 je short 007E8D76
007E8D76 2F das
007E8D77 0043 00 add byte ptr [ebx], al
007E8D7A 6C ins byte ptr es:[edi], dx
007E8D7B 0069 00 add byte ptr [ecx], ch
007E8D7E 65:006E 00 add byte ptr gs:[esi], ch
007E8D82 74 00 je short 007E8D84
007E8D84 52 push edx
007E8D85 0065 00 add byte ptr [ebp], ah
007E8D88 67:0069 00 add byte ptr [bx+di], ch
007E8D8C 73 00 jnb short 007E8D8E
007E8D8E 74 00 je short 007E8D90
007E8D90 65:0072 00 add byte ptr gs:[edx], dh
007E8D94 2E:0061 00 add byte ptr cs:[ecx], ah
007E8D98 73 00 jnb short 007E8D9A
007E8D9A 70 00 jo short 007E8D9C
007E8D9C 78 00 js short 007E8D9E
完整地 校验使用次数的 函数
--------------------------
007E8AA8 55 push ebp
007E8AA9 8BEC mov ebp, esp
007E8AAB 33C9 xor ecx, ecx
007E8AAD 51 push ecx
007E8AAE 51 push ecx
007E8AAF 51 push ecx
007E8AB0 51 push ecx
007E8AB1 51 push ecx
007E8AB2 51 push ecx
007E8AB3 51 push ecx
007E8AB4 51 push ecx
007E8AB5 53 push ebx
007E8AB6 56 push esi
007E8AB7 57 push edi
007E8AB8 8BD8 mov ebx, eax
007E8ABA 33C0 xor eax, eax
007E8ABC 55 push ebp
007E8ABD 68 188D7E00 push 007E8D18
007E8AC2 64:FF30 push dword ptr fs:[eax]
007E8AC5 64:8920 mov dword ptr fs:[eax], esp
007E8AC8 A1 D0DD8700 mov eax, dword ptr [87DDD0]
007E8ACD 8B00 mov eax, dword ptr [eax]
007E8ACF 8998 DC000000 mov dword ptr [eax+DC], ebx
007E8AD5 C780 D8000000 4>mov dword ptr [eax+D8], 007E8A4C
007E8ADF BA 2C8D7E00 mov edx, 007E8D2C ; UNICODE "http://www.returnstar.com/prodregedit/ClientRegister.aspx"
007E8AE4 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
007E8AEA E8 8999FFFF call 007E2478
007E8AEF A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8AF4 8B00 mov eax, dword ptr [eax]
007E8AF6 8B10 mov edx, dword ptr [eax]
007E8AF8 FF52 08 call dword ptr [edx+8]
007E8AFB A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B00 8B00 mov eax, dword ptr [eax]
007E8B02 8B40 04 mov eax, dword ptr [eax+4]
007E8B05 3D 04040000 cmp eax, 404
007E8B0A 74 0D je short 007E8B19
007E8B0C 8B15 B4DB8700 mov edx, dword ptr [87DBB4] ; solo.00883D9C
007E8B12 3D 04080000 cmp eax, 804
007E8B17 75 0D jnz short 007E8B26
007E8B19 BA 09000000 mov edx, 9
007E8B1E 8B43 68 mov eax, dword ptr [ebx+68]
007E8B21 E8 4266C4FF call 0042F168
007E8B26 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B2B 8B00 mov eax, dword ptr [eax]
007E8B2D 8BD3 mov edx, ebx
007E8B2F 8B08 mov ecx, dword ptr [eax]
007E8B31 FF51 14 call dword ptr [ecx+14]
007E8B34 8D45 FC lea eax, dword ptr [ebp-4]
007E8B37 50 push eax
007E8B38 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B3D 8B00 mov eax, dword ptr [eax]
007E8B3F B9 A88D7E00 mov ecx, 007E8DA8 ; ASCII "softname"
007E8B44 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8B49 E8 F225E4FF call 0062B140
007E8B4E 8B55 FC mov edx, dword ptr [ebp-4]
007E8B51 A1 D0DD8700 mov eax, dword ptr [87DDD0]
007E8B56 8B00 mov eax, dword ptr [eax]
007E8B58 E8 9321CCFF call 004AACF0
007E8B5D 8D55 F8 lea edx, dword ptr [ebp-8]
007E8B60 8B83 54030000 mov eax, dword ptr [ebx+354]
007E8B66 E8 9D02CAFF call 00488E08
007E8B6B 8B55 F8 mov edx, dword ptr [ebp-8]
007E8B6E 8D83 88030000 lea eax, dword ptr [ebx+388]
007E8B74 E8 CBC5C1FF call 00405144
007E8B79 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B7E 8B00 mov eax, dword ptr [eax]
007E8B80 8B48 0C mov ecx, dword ptr [eax+C]
007E8B83 B2 01 mov dl, 1
007E8B85 A1 60F04400 mov eax, dword ptr [44F060]
007E8B8A E8 8165C6FF call 0044F110
007E8B8F 8BF0 mov esi, eax
007E8B91 89B3 78030000 mov dword ptr [ebx+378], esi
007E8B97 68 D08D7E00 push 007E8DD0 ; ASCII "quit"
007E8B9C 8D45 F4 lea eax, dword ptr [ebp-C]
007E8B9F 50 push eax
007E8BA0 B9 E08D7E00 mov ecx, 007E8DE0 ; ASCII "btnQuit"
007E8BA5 8B53 08 mov edx, dword ptr [ebx+8]
007E8BA8 8BC6 mov eax, esi
007E8BAA 8B30 mov esi, dword ptr [eax]
007E8BAC FF16 call dword ptr [esi]
007E8BAE 8B55 F4 mov edx, dword ptr [ebp-C]
007E8BB1 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8BB7 E8 7C02CAFF call 00488E38
007E8BBC 33C0 xor eax, eax
007E8BBE 8983 84030000 mov dword ptr [ebx+384], eax
007E8BC4 A1 04DC8700 mov eax, dword ptr [87DC04]
007E8BC9 8B00 mov eax, dword ptr [eax]
007E8BCB 8078 24 00 cmp byte ptr [eax+24], 0 !!!!!!!!!!!!!!!!! 是否注册过期? 不等于0,过期
007E8BCF 74 21 je short 007E8BF2
007E8BD1 68 E88D7E00 push 007E8DE8 ; ASCII "TRS_EBoardService"
007E8BD6 68 FC8D7E00 push 007E8DFC ; ASCII "TfrmRS_EBoard_Service"
007E8BDB E8 F0F8C1FF call 004084D0 ; jmp 到 user32.FindWindowA
007E8BE0 8983 94030000 mov dword ptr [ebx+394], eax
007E8BE6 A1 04DC8700 mov eax, dword ptr [87DC04]
007E8BEB 8B00 mov eax, dword ptr [eax]
007E8BED 8B70 28 mov esi, dword ptr [eax+28]
007E8BF0 EB 07 jmp short 007E8BF9
007E8BF2 E8 B51CF3FF call 0071A8AC
007E8BF7 8BF0 mov esi, eax
007E8BF9 85F6 test esi, esi
007E8BFB 7E 05 jle short 007E8C02
007E8BFD 83FE 1E cmp esi, 1E
007E8C00 7E 04 jle short 007E8C06
007E8C02 33C0 xor eax, eax
007E8C04 EB 02 jmp short 007E8C08
007E8C06 B0 01 mov al, 1
007E8C08 8883 98030000 mov byte ptr [ebx+398], al
007E8C0E 85F6 test esi, esi
007E8C10 7E 05 jle short 007E8C17
007E8C12 83FE 1E cmp esi, 1E
007E8C15 7E 4D jle short 007E8C64
007E8C17 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C1D 8B40 68 mov eax, dword ptr [eax+68]
007E8C20 BA FF000000 mov edx, 0FF
007E8C25 E8 9E62C4FF call 0042EEC8
007E8C2A 68 1C8E7E00 push 007E8E1C ; ASCII "???"
007E8C2F 8D45 F0 lea eax, dword ptr [ebp-10]
007E8C32 50 push eax
007E8C33 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C38 B9 288E7E00 mov ecx, 007E8E28 ; ASCII "testhint1"
007E8C3D 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C43 8B30 mov esi, dword ptr [eax]
007E8C45 FF16 call dword ptr [esi]
007E8C47 8B55 F0 mov edx, dword ptr [ebp-10]
007E8C4A 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C50 E8 E301CAFF call 00488E38
007E8C55 33D2 xor edx, edx
007E8C57 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8C5D 8B08 mov ecx, dword ptr [eax]
007E8C5F FF51 64 call dword ptr [ecx+64]
007E8C62 EB 65 jmp short 007E8CC9
007E8C64 83FE 1E cmp esi, 1E
007E8C67 7F 60 jg short 007E8CC9
007E8C69 BA FF000000 mov edx, 0FF
007E8C6E 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C74 E8 2F03CAFF call 00488FA8
007E8C79 8D45 EC lea eax, dword ptr [ebp-14]
007E8C7C 50 push eax
007E8C7D 68 3C8E7E00 push 007E8E3C ; ASCII "%d"
007E8C82 8D45 E8 lea eax, dword ptr [ebp-18]
007E8C85 50 push eax
007E8C86 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C8B B9 488E7E00 mov ecx, 007E8E48 ; ASCII "TestHint"
007E8C90 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C96 8B38 mov edi, dword ptr [eax]
007E8C98 FF17 call dword ptr [edi]
007E8C9A 8B45 E8 mov eax, dword ptr [ebp-18]
007E8C9D 8975 E0 mov dword ptr [ebp-20], esi
007E8CA0 C645 E4 00 mov byte ptr [ebp-1C], 0
007E8CA4 8D55 E0 lea edx, dword ptr [ebp-20]
007E8CA7 33C9 xor ecx, ecx
007E8CA9 E8 0E4BC2FF call 0040D7BC
007E8CAE 8B55 EC mov edx, dword ptr [ebp-14]
007E8CB1 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8CB7 E8 7C01CAFF call 00488E38
007E8CBC B2 01 mov dl, 1
007E8CBE 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8CC4 8B08 mov ecx, dword ptr [eax]
007E8CC6 FF51 64 call dword ptr [ecx+64]
007E8CC9 33D2 xor edx, edx
007E8CCB 8B83 34030000 mov eax, dword ptr [ebx+334]
007E8CD1 8B08 mov ecx, dword ptr [eax]
007E8CD3 FF51 64 call dword ptr [ecx+64]
007E8CD6 8BC3 mov eax, ebx
007E8CD8 E8 2F1E0000 call 007EAB0C
007E8CDD 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8CE3 C780 14020000 0>mov dword ptr [eax+214], 2
007E8CED 33C0 xor eax, eax
007E8CEF 5A pop edx
007E8CF0 59 pop ecx
007E8CF1 59 pop ecx
007E8CF2 64:8910 mov dword ptr fs:[eax], edx
007E8CF5 68 1F8D7E00 push 007E8D1F
007E8CFA 8D45 E8 lea eax, dword ptr [ebp-18]
007E8CFD BA 04000000 mov edx, 4
007E8D02 E8 0DC4C1FF call 00405114
007E8D07 8D45 F8 lea eax, dword ptr [ebp-8]
007E8D0A E8 E1C3C1FF call 004050F0
007E8D0F 8D45 FC lea eax, dword ptr [ebp-4]
007E8D12 E8 D9C3C1FF call 004050F0
007E8D17 C3 retn
007E8D18 ^ E9 17BDC1FF jmp 00404A34
007E8D1D ^ EB DB jmp short 007E8CFA
007E8D1F 5F pop edi
007E8D20 5E pop esi
007E8D21 5B pop ebx
007E8D22 8BE5 mov esp, ebp
007E8D24 5D pop ebp
007E8D25 C3 retn
======================
004A374C 53 push ebx
004A374D 56 push esi
004A374E 8BD8 mov ebx, eax
004A3750 80BB 34020000 00 cmp byte ptr [ebx+234], 0
004A3757 75 0A jnz short 004A3763
004A3759 8BC3 mov eax, ebx
004A375B 8B10 mov edx, dword ptr [eax]
004A375D FF92 D4000000 call dword ptr [edx+D4]
004A3763 F683 F4020000 20 test byte ptr [ebx+2F4], 20
004A376A 74 12 je short 004A377E
004A376C 8BC3 mov eax, ebx
004A376E 66:BE B3FF mov si, 0FFB3
004A3772 E8 250DF6FF call 0040449C
004A3777 80A3 F4020000 DF and byte ptr [ebx+2F4], 0DF
004A377E 5E pop esi
004A377F 5B pop ebx
004A3780 C3 retn 注册窗口 窗口调用入口:
004A3A4C 55 push ebp
004A3A4D 8BEC mov ebp, esp
004A3A4F 51 push ecx
004A3A50 53 push ebx
004A3A51 56 push esi
004A3A52 57 push edi
004A3A53 8945 FC mov dword ptr [ebp-4], eax
004A3A56 8B45 FC mov eax, dword ptr [ebp-4]
004A3A59 66:83B8 D202000>cmp word ptr [eax+2D2], 0
004A3A61 74 49 je short 004A3AAC
004A3A63 33C0 xor eax, eax
004A3A65 55 push ebp
004A3A66 68 8D3A4A00 push 004A3A8D
004A3A6B 64:FF30 push dword ptr fs:[eax]
004A3A6E 64:8920 mov dword ptr fs:[eax], esp
004A3A71 8B5D FC mov ebx, dword ptr [ebp-4]
004A3A74 8B55 FC mov edx, dword ptr [ebp-4]
004A3A77 8B83 D4020000 mov eax, dword ptr [ebx+2D4]
004A3A7D FF93 D0020000 call dword ptr [ebx+2D0] !!!!!!! 根据 EBX 值调用不同窗口
004A3A83 33C0 xor eax, eax
004A3A85 5A pop edx
004A3A86 59 pop ecx
004A3A87 59 pop ecx
004A3A88 64:8910 mov dword ptr fs:[eax], edx
004A3A8B EB 1F jmp short 004A3AAC
004A3A8D ^ E9 EE0CF6FF jmp 00404780
004A3A92 8B45 FC mov eax, dword ptr [ebp-4]
004A3A95 66:BE ADFF mov si, 0FFAD
004A3A99 E8 FE09F6FF call 0040449C
004A3A9E 84C0 test al, al
004A3AA0 75 05 jnz short 004A3AA7
004A3AA2 E8 ED0FF6FF call 00404A94
004A3AA7 E8 3C10F6FF call 00404AE8
004A3AAC 8B45 FC mov eax, dword ptr [ebp-4]
004A3AAF F680 F4020000 0>test byte ptr [eax+2F4], 2
004A3AB6 74 0A je short 004A3AC2
004A3AB8 B2 01 mov dl, 1
004A3ABA 8B45 FC mov eax, dword ptr [ebp-4]
004A3ABD E8 42090000 call 004A4404
004A3AC2 5F pop edi
004A3AC3 5E pop esi
004A3AC4 5B pop ebx
004A3AC5 59 pop ecx
004A3AC6 5D pop ebp
004A3AC7 C3 retn
004A372B 8B45 FC mov eax, dword ptr [ebp-4]
004A372E 807D FB 00 cmp byte ptr [ebp-5], 0
004A3732 74 0F je short 004A3743
004A3734 E8 230FF6FF call 0040465C
004A3739 64:8F05 00000000 pop dword ptr fs:[0]
004A3740 83C4 0C add esp, 0C
004A3743 8B45 FC mov eax, dword ptr [ebp-4]
004A3746 5B pop ebx
004A3747 8BE5 mov esp, ebp
004A3749 5D pop ebp
004A374A C3 retn
*******************************************************************************
[ 很重要 ] 如下处修改,可以不显示 提示 注册窗口,完美爆破!
*******************************************************************************
00865BC3 A1 04DC8700 mov eax, dword ptr [87DC04]
00865BC8 8B00 mov eax, dword ptr [eax]
00865BCA 8078 24 00 cmp byte ptr [eax+24], 0 ********** set to 1 => 8078 24 01
00865BCE 74 28 je short 00865BF8
00865BD0 A1 04DC8700 mov eax, dword ptr [87DC04]
00865BD5 8B00 mov eax, dword ptr [eax]
00865BD7 8078 25 00 cmp byte ptr [eax+25], 0 ********** set to 1 => 8078 25 01
00865BDB 74 77 je short 00865C54
00865BDD B8 20448800 mov eax, 00884420
00865BE2 E8 518CC9FF call 004FE838
00865BE7 84C0 test al, al
00865BE9 74 69 je short 00865C54 ********** or jnz => 75 69
00865BEB A1 04DC8700 mov eax, dword ptr [87DC04]
00865BF0 8B00 mov eax, dword ptr [eax]
00865BF2 C640 08 01 mov byte ptr [eax+8], 1
00865BF6 EB 5C jmp short 00865C54
00865BF8 B8 FC438800 mov eax, 008843FC
00865BFD 33C9 xor ecx, ecx
00865BFF BA 1E000000 mov edx, 1E
00865C04 E8 B3DAB9FF call 004036BC 如下处修改,也可以不显示 提示 注册窗口
断点 = 00865C09
00865C09 6A 1E push 1E
00865C0B 68 FC438800 push 008843FC
00865C10 68 C8648600 push 008664C8 ; ASCII "RSWBSN"
00865C15 68 D0648600 push 008664D0 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RSWB"
00865C1A 68 02000080 push 80000002
00865C1F E8 D049EBFF call 0071A5F4 ; jmp 到 rslockvc.RSLock_GetDataMM
00865C24 68 FC438800 push 008843FC
00865C29 E8 563AC9FF call 004F9684 ; jmp 到 rslockvc.RSLock_YZZCM
00865C2E 84C0 test al, al ***************************=> Set AL = 1
00865C30 75 09 jnz short 00865C3B
00865C32 E8 354DEBFF call 0071A96C
00865C37 84C0 test al, al
00865C39 74 19 je short 00865C54
00865C3B B8 20448800 mov eax, 00884420
00865C40 E8 F38BC9FF call 004FE838
00865C45 84C0 test al, al ***************************=> Set AL = 1
00865C47 74 0B je short 00865C54
00865C49 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C4E 8B00 mov eax, dword ptr [eax]
00865C50 C640 08 01 mov byte ptr [eax+8], 1
00865C54 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C59 8B00 mov eax, dword ptr [eax]
00865C5B 83C0 20 add eax, 20
00865C5E 8B15 20448800 mov edx, dword ptr [884420]
00865C64 E8 DBF4B9FF call 00405144
00865C69 B8 10658600 mov eax, 00866510 ; ASCII "ReSent.exe"
00865C6E E8 C16AC9FF call 004FC734
00865C73 84C0 test al, al
00865C75 74 2D je short 00865CA4
00865C77 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C7C 8B00 mov eax, dword ptr [eax]
00865C7E 8078 24 00 cmp byte ptr [eax+24], 0
00865C82 75 20 jnz short 00865CA4
另: 启动 自动更新检查 WBCUpdate.exe
007F0071 |> \6A 00 push 0
007F0073 |. 6A 00 push 0
007F0075 |. 68 D0037F00 push 007F03D0 ; rscheckupdate
007F007A |. A1 04DC8700 mov eax, dword ptr [87DC04]
007F007F |. 8B00 mov eax, dword ptr [eax]
007F0081 |. 8B50 04 mov edx, dword ptr [eax+4]
007F0084 |. 8D45 9C lea eax, dword ptr [ebp-64]
007F0087 |. B9 E8037F00 mov ecx, 007F03E8 ; wbcupdate.exe
007F008C |. E8 7B53C1FF call 0040540C
007F0091 |. 8B45 9C mov eax, dword ptr [ebp-64]
007F0094 |. E8 2755C1FF call 004055C0
007F0099 |. 50 push eax
007F009A |. 68 F8037F00 push 007F03F8 ; open
007F009F |. 8BC3 mov eax, ebx
007F00A1 |. E8 6AF6C9FF call 0048F710
007F00A6 |. 50 push eax ; |hWnd
007F00A7 |. E8 C0CBC4FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
007F00AC |> 6A 00 push 0 ; /lParam = 0
007F00AE |. 6A 02 push 2 ; |wParam = 2
007F00B0 |. 8B83 E00A0000 mov eax, dword ptr [ebx+AE0] ; |
007F00B6 |. 50 push eax ; |Message
007F00B7 |. 68 FFFF0000 push 0FFFF ; |hWnd = HWND_BROADCAST
007F00BC |. E8 FF86C1FF call <jmp.&user32.PostMessageA> ; \PostMessageA
另: 启动 自动更新 WBUpdate.exe
008008E1 > \6A 05 push 5
008008E3 . 6A 00 push 0
008008E5 . 68 84098000 push 00800984 ; rsupdate
008008EA . A1 04DC8700 mov eax, dword ptr [87DC04]
008008EF . 8B00 mov eax, dword ptr [eax]
008008F1 . 8B50 04 mov edx, dword ptr [eax+4]
008008F4 . 8D45 F8 lea eax, dword ptr [ebp-8]
008008F7 . B9 98098000 mov ecx, 00800998 ; wbupdate.exe
008008FC . E8 0B4BC0FF call 0040540C
00800901 . 8B45 F8 mov eax, dword ptr [ebp-8]
00800904 . E8 B74CC0FF call 004055C0
00800909 . 50 push eax
0080090A . 68 A8098000 push 008009A8 ; open
0080090F . 8B45 FC mov eax, dword ptr [ebp-4]
00800912 . E8 F9EDC8FF call 0048F710
00800917 . 50 push eax ; |hWnd
00800918 . E8 4FC3C3FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
0080091D > 33C0 xor eax, eax
0080091F . 5A pop edx
00800920 . 59 pop ecx
00800921 . 59 pop ecx
00800922 . 64:8910 mov dword ptr fs:[eax], edx
00800925 . 68 3A098000 push 0080093A
0080092A > 8D45 F8 lea eax, dword ptr [ebp-8]
0080092D . E8 BE47C0FF call 004050F0
00800932 . C3 retn
===============================================================================
总结陈述:
1) rsRSWBSW.exe :
加载 RSWBSW.dat,解密; 启动 RSWBSW.exe 进程并挂起;
将解密后的 RSWBSW.dat(实质是加 UPX 壳的 exe 文件)写入 RSWBSW.exe 进程空间,替
换掉 RSWBSW.exe 的内容,随后,启动替换后的 RSWBSW.exe 主线程
2) RSWBSW.dat :
被解密后,可以从 rsRSWBSW.exe 进程中复制出来,另存为一个 exe文件,比如 ppx.exe,
随后,UPX脱壳,然后修改指令,爆破
3) RSWBSW.exe :
启动 rsRSWBSW.exe,完成 1) 2) 动作,随后自己退出
4) 试用次数写在 0号物理驱动器第 62 扇区[ 512字节/扇区 x 62 = 7C00h ]偏移 100h
处,格式是 52 53 57 42 00 1C => R S W B . .
===============================================================================
延伸阅读: 傀儡进程——Exe注入[转贴,谢谢作者]
#include "stdafx.h"
#include <windows.h>
typedef long NTSTATUS;
typedef NTSTATUS (__stdcall *pfnZwUnmapViewOfSection)(
IN HANDLE ProcessHandle,
IN LPVOID BaseAddress
);
BOOL CreateIEProcess();
PROCESS_INFORMATION pi = {0};
DWORD GetCurModuleSize(DWORD dwModuleBase);
DWORD GetRemoteProcessImageBase(DWORD dwPEB);
DWORD GetNewEntryPoint();
void TestFunc();
//////////////////////////////////////////////////////////////////////////
pfnZwUnmapViewOfSection ZwUnmapViewOfSection;
int _tmain(int argc, _TCHAR* argv[])
{
ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(
GetModuleHandleA("ntdll.dll"),"ZwUnmapViewOfSection");
printf("ZwUnmapViewOfSection : 0x%08X.\n",ZwUnmapViewOfSection);
if ( !ZwUnmapViewOfSection )
{
printf("Get ZwUnmapViewOfSection Error.\n");
goto __exit;
}
if ( !CreateIEProcess() )
{
goto __exit;
}
printf("TargetProcessId : %d.\n",pi.dwProcessId);
HMODULE hModuleBase = GetModuleHandleA(NULL);
printf("hModuleBase : 0x%08X.\n",hModuleBase);
DWORD dwImageSize = GetCurModuleSize((DWORD)hModuleBase);
printf("ModuleSize : 0x%08X\n",dwImageSize);
CONTEXT ThreadCxt;
ThreadCxt.ContextFlags = CONTEXT_FULL;
GetThreadContext(pi.hThread,&ThreadCxt);
printf("Target PEB Addr : 0x%08X.\n",ThreadCxt.Ebx);
DWORD dwRemoteImageBase = GetRemoteProcessImageBase(ThreadCxt.Ebx);
printf("RemoteImageBase : 0x%08X.\n",dwRemoteImageBase);
ZwUnmapViewOfSection(pi.hProcess,(LPVOID)dwRemoteImageBase);
LPVOID lpAlloAddr = VirtualAllocEx(
pi.hProcess,
hModuleBase,
dwImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if ( lpAlloAddr )
{
printf("Alloc Remote Addr OK.\n");
}
else
{
printf("Alloc Remote Addr Error.\n");
}
WriteProcessMemory(
pi.hProcess,hModuleBase,
hModuleBase,dwImageSize,NULL );
printf("Write Image data OK.\n");
ThreadCxt.ContextFlags = CONTEXT_FULL;
ThreadCxt.Eax = GetNewEntryPoint();
SetThreadContext(pi.hThread,&ThreadCxt);
ResumeThread(pi.hThread);
printf("finished.\n");
__exit:
//TerminateProcess(pi.hProcess,0);
system("pause");
return 0;
}
BOOL CreateIEProcess()
{
wchar_t wszIePath[] = L"C:\\Program Files\\Internet Explorer\\iexplore.exe";
STARTUPINFO si = {0};
si.cb = sizeof(si);
BOOL bRet;
bRet = CreateProcessW(
NULL,wszIePath,
NULL,NULL,FALSE,CREATE_SUSPENDED,
NULL,NULL,
&si,&pi );
if ( bRet )
printf("Create IE Ok.\n");
else
printf("Create IE error.\n");
return bRet;
}
DWORD GetCurModuleSize(DWORD dwModuleBase)
{
PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)dwModuleBase;
PIMAGE_NT_HEADERS pNtHdr = (PIMAGE_NT_HEADERS)(dwModuleBase + pDosHdr->e_lfanew);
return pNtHdr->OptionalHeader.SizeOfImage;
}
DWORD GetRemoteProcessImageBase(DWORD dwPEB)
{
DWORD dwBaseRet;
ReadProcessMemory(pi.hProcess,(LPVOID)(dwPEB+8),&dwBaseRet,sizeof(DWORD),NULL);
return dwBaseRet;
/*
lkd> dt_peb
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 SpareBits : Pos 1, 7 Bits
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
*/
}
DWORD GetNewEntryPoint()
{
return (DWORD)TestFunc;
}
void TestFunc()
{
MessageBoxA(0,"Injected OK","123",0);
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)