特点如下:
1) 试用次数记录在 0 号物理驱动器的第 62 扇区,即使重装系统也不会被覆盖
2) 启动进程为 A.exe,伪装进程为 B.exe,实际运行的代码在 C.dat 中,B 与 C 同名
A ---> 读取 C,在内存中解密 [C 其实是一个加了 UPX 壳的 exe]
---> 创建 B,挂起,得到B的主线程环境
|
|_> 在 B 的地址空间中写入 C,随后修改 B 的主线程环境,使 EIP 指向 C 的入口
|_> 启动 B 的主线程(实际上是运行 C)
===============================================================================
Part 1 : rsRSWBSW.exe
===============================================================================
00401DA0 /$ 81EC CC020000 sub esp, 2CC ; 加载 "RSWBSW.dat\FGHIJKLMNOP"
00401DA6 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401DAB |. 33C4 xor eax, esp
00401DAD |. 898424 C80200>mov dword ptr [esp+2C8], eax
00401DB4 |. 56 push esi
00401DB5 |. 57 push edi
00401DB6 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401DBB |. 8D8424 D00100>lea eax, dword ptr [esp+1D0] ; |
00401DC2 |. 50 push eax ; |PathBuffer
00401DC3 |. 6A 00 push 0 ; |hModule = NULL
00401DC5 |. C74424 18 000>mov dword ptr [esp+18], 0 ; |
00401DCD |. FF15 10904000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401DD3 |. 8D8C24 CC0100>lea ecx, dword ptr [esp+1CC]
00401DDA |. 6A 5C push 5C
00401DDC |. 51 push ecx
00401DDD |. E8 AA080000 call 0040268C
00401DE2 |. 8DBC24 D40100>lea edi, dword ptr [esp+1D4]
00401DE9 |. 83C4 08 add esp, 8
00401DEC |. C640 01 00 mov byte ptr [eax+1], 0
00401DF0 |. 83C7 FF add edi, -1
00401DF3 |> 8A47 01 /mov al, byte ptr [edi+1]
00401DF6 |. 83C7 01 |add edi, 1
00401DF9 |. 84C0 |test al, al
00401DFB |.^ 75 F6 \jnz short 00401DF3
00401DFD |. B9 05000000 mov ecx, 5
00401E02 |. BE EC944000 mov esi, 004094EC ; ASCII "RSWBSW.dat\FGHIJKLMNOP"
00401E07 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401E09 |. 66:A5 movs word ptr es:[edi], word ptr [esi>
00401E0B |. 8D9424 CC0100>lea edx, dword ptr [esp+1CC]
00401E12 |. 6A 5C push 5C
00401E14 |. 52 push edx
00401E15 |. A4 movs byte ptr es:[edi], byte ptr [esi>
00401E16 |. E8 71080000 call 0040268C
00401E1B |. 83C4 08 add esp, 8 ; 加载 RSWBSW.dat\FGHIJKLMNOP
00401E1E |. 6A 00 push 0 ; /hTemplateFile = NULL
00401E20 |. 6A 01 push 1 ; |Attributes = READONLY
00401E22 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401E24 |. 6A 00 push 0 ; |pSecurity = NULL
00401E26 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401E28 |. C600 00 mov byte ptr [eax], 0 ; |
00401E2B |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401E30 |. 8D8424 E40100>lea eax, dword ptr [esp+1E4] ; |
00401E37 |. 50 push eax ; |FileName
00401E38 |. FF15 48904000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00401E3E |. 8BF0 mov esi, eax
00401E40 |. 83FE FF cmp esi, -1
00401E43 |. 0F84 F4020000 je 0040213D
00401E49 |. 53 push ebx
00401E4A |. 55 push ebp
00401E4B |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00401E4F |. 51 push ecx ; /pFileSizeHigh
00401E50 |. 56 push esi ; |hFile
00401E51 |. FF15 44904000 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00401E57 |. 8BE8 mov ebp, eax
00401E59 |. 55 push ebp
00401E5A |. E8 9E080000 call 004026FD
00401E5F |. 55 push ebp
00401E60 |. 8BF8 mov edi, eax
00401E62 |. 6A 00 push 0
00401E64 |. 57 push edi
00401E65 |. 897C24 20 mov dword ptr [esp+20], edi
00401E69 |. E8 62060000 call 004024D0
00401E6E |. 83C4 10 add esp, 10
00401E71 |. 6A 00 push 0 ; /pOverlapped = NULL
00401E73 |. 8D5424 18 lea edx, dword ptr [esp+18] ; |
00401E77 |. 52 push edx ; |pBytesRead
00401E78 |. 55 push ebp ; |BytesToRead
00401E79 |. 57 push edi ; |Buffer
00401E7A |. 56 push esi ; |hFile
00401E7B |. FF15 40904000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00401E81 |. 56 push esi ; /hObject
00401E82 |. FF15 3C904000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
构造解密数据:
00401E88 |. B0 09 mov al, 9
00401E8A |. B1 02 mov cl, 2
00401E8C |. B2 08 mov dl, 8
00401E8E |. B3 07 mov bl, 7
00401E90 |. 888424 540100>mov byte ptr [esp+154], al
00401E97 |. C68424 550100>mov byte ptr [esp+155], 1
00401E9F |. 889424 560100>mov byte ptr [esp+156], dl
00401EA6 |. 888424 570100>mov byte ptr [esp+157], al
00401EAD |. C68424 580100>mov byte ptr [esp+158], 0
00401EB5 |. 888C24 590100>mov byte ptr [esp+159], cl
00401EBC |. 889C24 5A0100>mov byte ptr [esp+15A], bl
00401EC3 |. 888424 5B0100>mov byte ptr [esp+15B], al
00401ECA |. 888C24 5C0100>mov byte ptr [esp+15C], cl
00401ED1 |. 889424 5D0100>mov byte ptr [esp+15D], dl
00401ED8 |. C68424 5E0100>mov byte ptr [esp+15E], 4
00401EE0 |. C68424 5F0100>mov byte ptr [esp+15F], 5
00401EE8 |. 888C24 600100>mov byte ptr [esp+160], cl
00401EEF |. 889C24 610100>mov byte ptr [esp+161], bl
00401EF6 |. 888424 620100>mov byte ptr [esp+162], al
00401EFD |. C68424 630100>mov byte ptr [esp+163], 6
00401F05 |. 889424 640100>mov byte ptr [esp+164], dl
00401F0C |. 888424 650100>mov byte ptr [esp+165], al
00401F13 |. 889C24 660100>mov byte ptr [esp+166], bl
00401F1A |. 888C24 670100>mov byte ptr [esp+167], cl
00401F21 |. 889424 680100>mov byte ptr [esp+168], dl
00401F28 |. 888424 690100>mov byte ptr [esp+169], al
00401F2F |. C68424 6A0100>mov byte ptr [esp+16A], 1
00401F37 |. 889424 6B0100>mov byte ptr [esp+16B], dl
00401F3E |. 888424 6C0100>mov byte ptr [esp+16C], al
00401F45 |. C68424 6D0100>mov byte ptr [esp+16D], 1
00401F4D |. 888C24 6E0100>mov byte ptr [esp+16E], cl
00401F54 |. 889C24 6F0100>mov byte ptr [esp+16F], bl
00401F5B |. 888424 700100>mov byte ptr [esp+170], al
00401F62 |. C68424 710100>mov byte ptr [esp+171], 1
00401F6A |. 889424 720100>mov byte ptr [esp+172], dl
00401F71 |. 888424 730100>mov byte ptr [esp+173], al
00401F78 |. 888C24 740100>mov byte ptr [esp+174], cl
00401F7F |. 888C24 750100>mov byte ptr [esp+175], cl
00401F86 |. C68424 760100>mov byte ptr [esp+176], 5
00401F8E |. 888424 770100>mov byte ptr [esp+177], al
00401F95 |. 888C24 780100>mov byte ptr [esp+178], cl
00401F9C |. C68424 790100>mov byte ptr [esp+179], 6
00401FA4 |. C68424 7A0100>mov byte ptr [esp+17A], 4
00401FAC |. C68424 7B0100>mov byte ptr [esp+17B], 5
00401FB4 |. 888C24 7C0100>mov byte ptr [esp+17C], cl
00401FBB |. 889C24 7D0100>mov byte ptr [esp+17D], bl
00401FC2 |. 888424 7E0100>mov byte ptr [esp+17E], al
00401FC9 |. C68424 7F0100>mov byte ptr [esp+17F], 6
00401FD1 |. 889424 800100>mov byte ptr [esp+180], dl
00401FD8 |. 888424 810100>mov byte ptr [esp+181], al
00401FDF |. 889C24 820100>mov byte ptr [esp+182], bl
00401FE6 |. 888C24 830100>mov byte ptr [esp+183], cl
00401FED |. 889424 840100>mov byte ptr [esp+184], dl
00401FF4 |. 888424 850100>mov byte ptr [esp+185], al
00401FFB |. C68424 860100>mov byte ptr [esp+186], 1
00402003 |. 889424 870100>mov byte ptr [esp+187], dl
0040200A |. 33C0 xor eax, eax
0040200C |. 85ED test ebp, ebp
0040200E |. 889424 880100>mov byte ptr [esp+188], dl
00402015 |. C68424 890100>mov byte ptr [esp+189], 1
0040201D |. 888C24 8A0100>mov byte ptr [esp+18A], cl
00402024 |. 889C24 8B0100>mov byte ptr [esp+18B], bl
0040202B |. 898424 8C0100>mov dword ptr [esp+18C], eax
00402032 |. 898424 900100>mov dword ptr [esp+190], eax
解密数据:
0012FDB4 09 01 08 09 00 02 07 09 02 08 04 05 02 07 09 06 .....
0012FDC4 08 09 07 02 08 09 01 08 09 01 02 07 09 01 08 09 .....
0012FDD4 02 02 05 09 02 06 04 05 02 07 09 06 08 09 07 02 ...
0012FDE4 08 09 01 08 08 01 02 07 00 00 00 00 00 00 00 00 .........
解密过程:
00402039 |. 76 65 jbe short 004020A0
0040203B |. 8D45 FF lea eax, dword ptr [ebp-1] ; 获取 文件长度
0040203E |. C1E8 06 shr eax, 6 ; 64字节块个数
00402041 |. 83C0 01 add eax, 1
00402044 |. 8BDF mov ebx, edi
00402046 |. 894424 18 mov dword ptr [esp+18], eax
0040204A |. 8D9B 00000000 lea ebx, dword ptr [ebx] ; 解密 RSWBSW.dat\FGHIJKLMNOP
00402050 |> 8D8424 540100>/lea eax, dword ptr [esp+154]
00402057 |. B9 10000000 |mov ecx, 10
0040205C |. 8BF3 |mov esi, ebx
0040205E |. 8DBC24 940100>|lea edi, dword ptr [esp+194]
00402065 |. 50 |push eax
00402066 |. F3:A5 |rep movs dword ptr es:[edi], dword >
00402068 |. E8 93EFFFFF |call 00401000
0040206D |. 8D8C24 980100>|lea ecx, dword ptr [esp+198]
00402074 |. 6A 01 |push 1
00402076 |. 51 |push ecx
00402077 |. 8BD1 |mov edx, ecx
00402079 |. 52 |push edx
0040207A |. E8 51F3FFFF |call 004013D0
0040207F |. 8BFB |mov edi, ebx
00402081 |. 83C4 10 |add esp, 10
00402084 |. B9 10000000 |mov ecx, 10
00402089 |. 8DB424 940100>|lea esi, dword ptr [esp+194]
00402090 |. 83C3 40 |add ebx, 40
00402093 |. 836C24 18 01 |sub dword ptr [esp+18], 1
00402098 |. F3:A5 |rep movs dword ptr es:[edi], dword >; RSWBSW.dat N 字节解密完成
0040209A |.^ 75 B4 \jnz short 00402050
0040209C |. 8B7C24 10 mov edi, dword ptr [esp+10] ; 解密完成!
004020A0 |> 85FF test edi, edi
004020A2 |. 0F84 93000000 je 0040213B
注: 解密完成后,可以将解密后的数据保存为 .exe 文件。创建进程 RSWBSW.exe\K0123456789,并挂起:
00401A30 /$ 81EC 70010000 sub esp, 170
00401A36 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401A3B |. 33C4 xor eax, esp
00401A3D |. 898424 6C0100>mov dword ptr [esp+16C], eax
00401A44 |. 8B8424 7C0100>mov eax, dword ptr [esp+17C]
00401A4B |. 53 push ebx
00401A4C |. 8B9C24 7C0100>mov ebx, dword ptr [esp+17C]
00401A53 |. 55 push ebp
00401A54 |. 8BAC24 7C0100>mov ebp, dword ptr [esp+17C]
00401A5B |. 56 push esi
00401A5C |. 57 push edi
00401A5D |. 6A 40 push 40
00401A5F |. 8D4C24 3C lea ecx, dword ptr [esp+3C]
00401A63 |. 6A 00 push 0
00401A65 |. 51 push ecx
00401A66 |. 894424 1C mov dword ptr [esp+1C], eax
00401A6A |. C74424 40 000>mov dword ptr [esp+40], 0
00401A72 |. E8 590A0000 call 004024D0
00401A77 |. 83C4 0C add esp, 0C
00401A7A |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401A7F |. 8D5424 7C lea edx, dword ptr [esp+7C] ; |
00401A83 |. 52 push edx ; |PathBuffer
00401A84 |. 6A 00 push 0 ; |hModule = NULL
00401A86 |. FF15 10904000 call dword ptr [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
00401A8C |. 8D4424 78 lea eax, dword ptr [esp+78]
00401A90 |. 6A 5C push 5C
00401A92 |. 50 push eax
00401A93 |. E8 F40B0000 call 0040268C
00401A98 |. 8DBC24 800000>lea edi, dword ptr [esp+80]
00401A9F |. 83C4 08 add esp, 8
00401AA2 |. C640 01 00 mov byte ptr [eax+1], 0
00401AA6 |. 83C7 FF add edi, -1
00401AA9 |. 8DA424 000000>lea esp, dword ptr [esp]
00401AB0 |> 8A47 01 /mov al, byte ptr [edi+1]
00401AB3 |. 83C7 01 |add edi, 1
00401AB6 |. 84C0 |test al, al
00401AB8 |.^ 75 F6 \jnz short 00401AB0
00401ABA |. B9 05000000 mov ecx, 5
00401ABF |. BE B0944000 mov esi, 004094B0 ; ASCII "RSWBSW.exe\K0123456789"
00401AC4 |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00401AC6 |. 66:A5 movs word ptr es:[edi], word ptr [esi]
00401AC8 |. 8D4C24 78 lea ecx, dword ptr [esp+78]
00401ACC |. 6A 5C push 5C
00401ACE |. 51 push ecx
00401ACF |. A4 movs byte ptr es:[edi], byte ptr [esi]
00401AD0 |. E8 B70B0000 call 0040268C
00401AD5 |. 83C4 08 add esp, 8
00401AD8 |. 55 push ebp ; /pProcessInfo
00401AD9 |. 8D5424 38 lea edx, dword ptr [esp+38] ; |
00401ADD |. 52 push edx ; |pStartupInfo
00401ADE |. 6A 00 push 0 ; |CurrentDir = NULL
00401AE0 |. 6A 00 push 0 ; |pEnvironment = NULL
00401AE2 |. 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
00401AE4 |. 6A 00 push 0 ; |InheritHandles = FALSE
00401AE6 |. 6A 00 push 0 ; |pThreadSecurity = NULL
00401AE8 |. C600 00 mov byte ptr [eax], 0 ; |
00401AEB |. 6A 00 push 0 ; |pProcessSecurity = NULL
00401AED |. 8D8424 980000>lea eax, dword ptr [esp+98] ; |
00401AF4 |. 50 push eax ; |CommandLine
00401AF5 |. 6A 00 push 0 ; |ModuleFileName = NULL
00401AF7 |. FF15 0C904000 call dword ptr [<&KERNEL32.CreateProcessA>] ; \CreateProcessA
00401AFD |. 85C0 test eax, eax
00401AFF |. 74 7B je short 00401B7C
00401B01 |. C703 07000100 mov dword ptr [ebx], 10007
00401B07 |. 8B4D 04 mov ecx, dword ptr [ebp+4]
00401B0A |. 53 push ebx ; /pContext
00401B0B |. 51 push ecx ; |hThread
00401B0C |. FF15 08904000 call dword ptr [<&KERNEL32.GetThreadContext>] ; \GetThreadContext
00401B12 |. 8B83 A4000000 mov eax, dword ptr [ebx+A4]
00401B18 |. 8B7C24 10 mov edi, dword ptr [esp+10]
00401B1C |. 8B4D 00 mov ecx, dword ptr [ebp]
00401B1F |. 8D5424 14 lea edx, dword ptr [esp+14]
00401B23 |. 52 push edx ; /pBytesRead
00401B24 |. 6A 04 push 4 ; |BytesToRead = 4
00401B26 |. 57 push edi ; |Buffer
00401B27 |. 83C0 08 add eax, 8 ; |
00401B2A |. 50 push eax ; |pBaseAddress
00401B2B |. 51 push ecx ; |hProcess
00401B2C |. FF15 04904000 call dword ptr [<&KERNEL32.ReadProcessMemory>] ; \ReadProcessMemory
00401B32 |. 8B37 mov esi, dword ptr [edi]
00401B34 |. 8B45 00 mov eax, dword ptr [ebp]
00401B37 |. 8B1D 00904000 mov ebx, dword ptr [<&KERNEL32.VirtualQueryEx>] ; kernel32.VirtualQueryEx
00401B3D |. 6A 1C push 1C ; /BufSize = 1C (28.)
00401B3F |. 8D5424 1C lea edx, dword ptr [esp+1C] ; |
00401B43 |. 52 push edx ; |Buffer
00401B44 |. 56 push esi ; |Address
00401B45 |. 50 push eax ; |hProcess
00401B46 |. FFD3 call ebx ; \VirtualQueryEx
00401B48 |. 85C0 test eax, eax
00401B4A |. 74 24 je short 00401B70
00401B4C |. 8D6424 00 lea esp, dword ptr [esp]
00401B50 |> 817C24 28 000>/cmp dword ptr [esp+28], 10000
00401B58 |. 74 16 |je short 00401B70
00401B5A |. 037424 24 |add esi, dword ptr [esp+24]
00401B5E |. 8B55 00 |mov edx, dword ptr [ebp]
00401B61 |. 6A 1C |push 1C
00401B63 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
00401B67 |. 51 |push ecx
00401B68 |. 56 |push esi
00401B69 |. 52 |push edx
00401B6A |. FFD3 |call ebx
00401B6C |. 85C0 |test eax, eax
00401B6E |.^ 75 E0 \jnz short 00401B50
00401B70 |> 2B37 sub esi, dword ptr [edi]
00401B72 |. B8 01000000 mov eax, 1
00401B77 |. 8977 04 mov dword ptr [edi+4], esi
00401B7A |. EB 02 jmp short 00401B7E
00401B7C |> 33C0 xor eax, eax
00401B7E |> 8B8C24 7C0100>mov ecx, dword ptr [esp+17C]
00401B85 |. 5F pop edi
00401B86 |. 5E pop esi
00401B87 |. 5D pop ebp
00401B88 |. 5B pop ebx
00401B89 |. 33CC xor ecx, esp
00401B8B |. E8 D70B0000 call 00402767
00401B90 |. 81C4 70010000 add esp, 170
00401B96 \. C3 retn
将解密后的 EXE 写入所创建的进程,覆盖其原映像,然后启动之:
00401BA0 /$ 81EC F4020000 sub esp, 2F4
00401BA6 |. A1 4CC04000 mov eax, dword ptr [40C04C]
00401BAB |. 33C4 xor eax, esp
00401BAD |. 898424 F00200>mov dword ptr [esp+2F0], eax
00401BB4 |. 8B8424 F80200>mov eax, dword ptr [esp+2F8]
00401BBB |. 55 push ebp
00401BBC |. 8BAC24 0C0300>mov ebp, dword ptr [esp+30C]
00401BC3 |. 56 push esi
00401BC4 |. 8BB424 080300>mov esi, dword ptr [esp+308]
00401BCB |. 8D4C24 20 lea ecx, dword ptr [esp+20]
00401BCF |. 51 push ecx
00401BD0 |. 8D5424 30 lea edx, dword ptr [esp+30]
00401BD4 |. 894424 10 mov dword ptr [esp+10], eax
00401BD8 |. 52 push edx
00401BD9 |. 8D4424 18 lea eax, dword ptr [esp+18]
00401BDD |. 50 push eax
00401BDE |. E8 4DFEFFFF call 00401A30
00401BE3 |. 83C4 0C add esp, 0C
00401BE6 |. 85C0 test eax, eax
00401BE8 |. 0F84 9A010000 je 00401D88
00401BEE |. 8B4424 20 mov eax, dword ptr [esp+20]
00401BF2 |. 3946 1C cmp dword ptr [esi+1C], eax
00401BF5 |. 53 push ebx
00401BF6 |. 8B9C24 180300>mov ebx, dword ptr [esp+318]
00401BFD |. 57 push edi
00401BFE |. 8B3D 34904000 mov edi, dword ptr [<&KERNEL32.VirtualAllocEx>; kernel32.VirtualAllocEx
00401C04 |. C74424 10 000>mov dword ptr [esp+10], 0
00401C0C |. 75 22 jnz short 00401C30
00401C0E |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
00401C12 |. 3BD9 cmp ebx, ecx
00401C14 |. 77 1A ja short 00401C30
00401C16 |. 8D5424 30 lea edx, dword ptr [esp+30]
00401C1A |. 52 push edx ; /pOldProtect
00401C1B |. 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00401C1D |. 51 push ecx ; |Size
00401C1E |. 50 push eax ; |Address
00401C1F |. 894424 20 mov dword ptr [esp+20], eax ; |
00401C23 |. 8B4424 28 mov eax, dword ptr [esp+28] ; |
00401C27 |. 50 push eax ; |hProcess
00401C28 |. FF15 30904000 call dword ptr [<&KERNEL32.VirtualProtectEx>] ; \VirtualProtectEx
00401C2E |. EB 3E jmp short 00401C6E
00401C30 |> 68 D4944000 push 004094D4 ; /ProcNameOrOrdinal = "ZwUnmapViewOfSection"
00401C35 |. 68 C8944000 push 004094C8 ; |/pModule = "ntdll.dll"
00401C3A |. FF15 2C904000 call dword ptr [<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA
00401C40 |. 50 push eax ; |hModule
00401C41 |. FF15 28904000 call dword ptr [<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00401C47 |. 8B4C24 28 mov ecx, dword ptr [esp+28]
00401C4B |. 8B5424 18 mov edx, dword ptr [esp+18]
00401C4F |. 51 push ecx
00401C50 |. 52 push edx
00401C51 |. FFD0 call eax
00401C53 |. 85C0 test eax, eax
00401C55 |. 75 17 jnz short 00401C6E
00401C57 |. 8B46 1C mov eax, dword ptr [esi+1C]
00401C5A |. 8B4C24 18 mov ecx, dword ptr [esp+18]
00401C5E |. 6A 40 push 40
00401C60 |. 68 00300000 push 3000
00401C65 |. 53 push ebx
00401C66 |. 50 push eax
00401C67 |. 51 push ecx
00401C68 |. FFD7 call edi
00401C6A |. 894424 10 mov dword ptr [esp+10], eax
00401C6E |> 837C24 10 00 cmp dword ptr [esp+10], 0
00401C73 |. 75 62 jnz short 00401CD7
00401C75 |. 83BE 88000000>cmp dword ptr [esi+88], 0
00401C7C |. 0F84 F7000000 je 00401D79
00401C82 |. 83BE 8C000000>cmp dword ptr [esi+8C], 0
00401C89 |. 0F84 EA000000 je 00401D79
00401C8F |. 8B5424 18 mov edx, dword ptr [esp+18]
00401C93 |. 6A 40 push 40
00401C95 |. 68 00300000 push 3000
00401C9A |. 53 push ebx
00401C9B |. 6A 00 push 0
00401C9D |. 52 push edx
00401C9E |. FFD7 call edi
00401CA0 |. 85C0 test eax, eax
00401CA2 |. 894424 10 mov dword ptr [esp+10], eax
00401CA6 |. 0F84 CD000000 je 00401D79
00401CAC |. 8B8C24 0C0300>mov ecx, dword ptr [esp+30C]
00401CB3 |. 8B5424 14 mov edx, dword ptr [esp+14]
00401CB7 |. 50 push eax
00401CB8 |. 8B8424 180300>mov eax, dword ptr [esp+318]
00401CBF |. 55 push ebp
00401CC0 |. 50 push eax
00401CC1 |. 56 push esi
00401CC2 |. 51 push ecx
00401CC3 |. 52 push edx
00401CC4 |. E8 E7FCFFFF call 004019B0
00401CC9 |. 83C4 18 add esp, 18
00401CCC |. 837C24 10 00 cmp dword ptr [esp+10], 0
00401CD1 |. 0F84 A2000000 je 00401D79
00401CD7 |> 8B9424 D80000>mov edx, dword ptr [esp+D8]
00401CDE |. 8B3D 24904000 mov edi, dword ptr [<&KERNEL32.WriteProcessMe>; kernel32.WriteProcessMemory
00401CE4 |. 8D4424 30 lea eax, dword ptr [esp+30]
00401CE8 |. 50 push eax ; /pBytesWritten
00401CE9 |. 8B4424 1C mov eax, dword ptr [esp+1C] ; |
00401CED |. 6A 04 push 4 ; |BytesToWrite = 4
00401CEF |. 8D4C24 18 lea ecx, dword ptr [esp+18] ; |
00401CF3 |. 51 push ecx ; |Buffer
00401CF4 |. 83C2 08 add edx, 8 ; |
00401CF7 |. 52 push edx ; |Address
00401CF8 |. 50 push eax ; |hProcess
00401CF9 |. FFD7 call edi ; \WriteProcessMemory
00401CFB |. 8B4C24 14 mov ecx, dword ptr [esp+14]
00401CFF |. 8B51 3C mov edx, dword ptr [ecx+3C]
00401D02 |. 8B4424 10 mov eax, dword ptr [esp+10]
00401D06 |. 6A 00 push 0 ; /pBytesWritten = NULL
00401D08 |. 53 push ebx ; |BytesToWrite
00401D09 |. 89442A 34 mov dword ptr [edx+ebp+34], eax ; |
00401D0D |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; |
00401D11 |. 8B5424 20 mov edx, dword ptr [esp+20] ; |
00401D15 |. 55 push ebp ; |Buffer
00401D16 |. 51 push ecx ; |Address
00401D17 |. 52 push edx ; |hProcess
00401D18 |. FFD7 call edi ; \WriteProcessMemory
00401D1A |. 85C0 test eax, eax
00401D1C |. 74 52 je short 00401D70
00401D1E |. 8B4424 10 mov eax, dword ptr [esp+10]
00401D22 |. 3B4424 28 cmp eax, dword ptr [esp+28]
00401D26 |. C74424 34 070>mov dword ptr [esp+34], 10007
00401D2E |. 75 0F jnz short 00401D3F
00401D30 |. 8B46 10 mov eax, dword ptr [esi+10]
00401D33 |. 0346 1C add eax, dword ptr [esi+1C]
00401D36 |. 898424 E40000>mov dword ptr [esp+E4], eax ; 计算 EXE入口地址
00401D3D |. EB 0C jmp short 00401D4B
00401D3F |> 8B4E 10 mov ecx, dword ptr [esi+10]
00401D42 |. 03C8 add ecx, eax
00401D44 |. 898C24 E40000>mov dword ptr [esp+E4], ecx
00401D4B |> 8B4424 1C mov eax, dword ptr [esp+1C]
00401D4F |. 8D5424 34 lea edx, dword ptr [esp+34]
00401D53 |. 52 push edx ; /pContext
00401D54 |. 50 push eax ; |hThread
00401D55 |. FF15 20904000 call dword ptr [<&KERNEL32.SetThreadContext>] ; \SetThreadContext
00401D5B |. 6A 00 push 0 ; /hThread = NULL
00401D5D |. FF15 1C904000 call dword ptr [<&KERNEL32.SuspendThread>] ; \SuspendThread
00401D63 |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
00401D67 |. 51 push ecx ; /hThread
00401D68 |. FF15 18904000 call dword ptr [<&KERNEL32.ResumeThread>] ; \ResumeThread
00401D6E |. EB 16 jmp short 00401D86
00401D70 |> 8B5424 18 mov edx, dword ptr [esp+18]
00401D74 |. 6A 00 push 0
00401D76 |. 52 push edx
00401D77 |. EB 07 jmp short 00401D80
00401D79 |> 8B4424 18 mov eax, dword ptr [esp+18]
00401D7D |. 6A 00 push 0 ; /ExitCode = 0
00401D7F |. 50 push eax ; |hProcess
00401D80 |> FF15 14904000 call dword ptr [<&KERNEL32.TerminateProcess>] ; \TerminateProcess
00401D86 |> 5F pop edi
00401D87 |. 5B pop ebx
00401D88 |> 8B8C24 F80200>mov ecx, dword ptr [esp+2F8]
00401D8F |. 5E pop esi
00401D90 |. 5D pop ebp
00401D91 |. 33CC xor ecx, esp
00401D93 |. E8 CF090000 call 00402767
00401D98 |. 81C4 F4020000 add esp, 2F4
00401D9E \. C3 retn
===============================================================================
Part 2 : RSWBSW.exe\K0123456789
===============================================================================
启动 rsRSWBSW.exe
004B270F |. FF75 CC push dword ptr [ebp-34]
004B2712 |. 68 D8274B00 push 004B27D8 ; rs
004B2717 |. 68 E4274B00 push 004B27E4 ; rswbsw.exe
004B271C |. 8D45 D0 lea eax, dword ptr [ebp-30]
004B271F |. BA 03000000 mov edx, 3
004B2724 |. E8 7322F5FF call 0040499C
004B2729 |. 8B45 D0 mov eax, dword ptr [ebp-30]
004B272C |. E8 AB23F5FF call 00404ADC
004B2731 |. 50 push eax ; |FileName
004B2732 |. 68 F0274B00 push 004B27F0 ; |open
004B2737 |. 6A 00 push 0 ; |hWnd = NULL
004B2739 |. E8 56FDF7FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
004B273E |. A1 10494B00 mov eax, dword ptr [4B4910]
004B2743 |. 8B00 mov eax, dword ptr [eax]
004B2745 |. E8 A6DDFBFF call 004704F0 ; 结束自己
004B274A |. 33C0 xor eax, eax
004B274C |. 5A pop edx
004B274D |. 59 pop ecx
004B274E |. 59 pop ecx
004B274F |. 64:8910 mov dword ptr fs:[eax], edx
004B2752 |. 68 6C274B00 push 004B276C
004B2757 |> 8D45 C8 lea eax, dword ptr [ebp-38]
004B275A |. BA 0D000000 mov edx, 0D
004B275F |. E8 DC1EF5FF call 00404640
004B2764 \. C3 retn
004B2765 .^ E9 8E18F5FF jmp 00403FF8
004B276A .^ EB EB jmp short 004B2757
004B276C . 5F pop edi
004B276D . 5E pop esi
004B276E . 8BE5 mov esp, ebp
004B2770 . 5D pop ebp
004B2771 . C3 retn
结束自己:
004704F0 /$ E8 8FDDF9FF call 0040E284
004704F5 |. 84C0 test al, al
004704F7 |. 74 07 je short 00470500
004704F9 |. 6A 00 push 0 ; /ExitCode = 0
004704FB |. E8 E070F9FF call <jmp.&user32.PostQuitMessage> ; \PostQuitMessage
00470500 \> C3 retn
===============================================================================
Part 3 : RSWBSW.dat 解密后是一个加了壳的 exe
===============================================================================
壳入口:
00DE9001 > 60 pushad
00DE9002 E8 03000000 call 00DE900A
00DE9007 - E9 EB045D45 jmp 463B94F7
00DE900C 55 push ebp
00DE900D C3 retn
00DE900E E8 01000000 call 00DE9014
00DE9013 EB 5D jmp short 00DE9072
00DE9015 BB EDFFFFFF mov ebx, -13
00DE901A 03DD add ebx, ebp
00DE901C 81EB 00909E00 sub ebx, 009E9000
00DE9022 83BD 22040000 0>cmp dword ptr [ebp+422], 0
00DE9029 899D 22040000 mov dword ptr [ebp+422], ebx
00DE902F 0F85 65030000 jnz 00DE939A
00DE9035 8D85 2E040000 lea eax, dword ptr [ebp+42E]
00DE903B 50 push eax
00DE903C FF95 4D0F0000 call dword ptr [ebp+F4D]
00DE9042 8985 26040000 mov dword ptr [ebp+426], eax
00DE9048 8BF8 mov edi, eax
00DE904A 8D5D 5E lea ebx, dword ptr [ebp+5E]
00DE904D 53 push ebx
00DE904E 50 push eax
00DE904F FF95 490F0000 call dword ptr [ebp+F49]
00DE9055 8985 4D050000 mov dword ptr [ebp+54D], eax
00DE905B 8D5D 6B lea ebx, dword ptr [ebp+6B]
00DE905E 53 push ebx
00DE905F 57 push edi
00DE9060 FF95 490F0000 call dword ptr [ebp+F49]
00DE9066 8985 51050000 mov dword ptr [ebp+551], eax
00DE906C 8D45 77 lea eax, dword ptr [ebp+77]
00DE906F FFE0 jmp eax
00DE9071 56 push esi
00DE9072 6972 74 75616C4>imul esi, dword ptr [edx+74], 416C6175
00DE9079 6C ins byte ptr es:[edi], dx
00DE907A 6C ins byte ptr es:[edi], dx
00DE907B 6F outs dx, dword ptr es:[edi]
00DE907C 6300 arpl word ptr [eax], ax
00DE907E 56 push esi
00DE907F 6972 74 75616C4>imul esi, dword ptr [edx+74], 466C6175
00DE9086 72 65 jb short 00DE90ED
00DE9088 65:008B 9D31050>add byte ptr gs:[ebx+5319D], cl
00DE908F 000B add byte ptr [ebx], cl
00DE9091 DB ??? ; 未知命令
00DE9092 74 0A je short 00DE909E
00DE9094 8B03 mov eax, dword ptr [ebx]
00DE9096 8785 35050000 xchg dword ptr [ebp+535], eax
00DE909C 8903 mov dword ptr [ebx], eax
00DE909E 8DB5 69050000 lea esi, dword ptr [ebp+569]
00DE90A4 833E 00 cmp dword ptr [esi], 0
00DE90A7 0F84 21010000 je 00DE91CE
00DE90AD 6A 04 push 4
00DE90AF 68 00100000 push 1000
00DE90B4 68 00180000 push 1800
00DE90B9 6A 00 push 0
00DE90BB FF95 4D050000 call dword ptr [ebp+54D]
00DE90C1 8985 56010000 mov dword ptr [ebp+156], eax
00DE90C7 8B46 04 mov eax, dword ptr [esi+4]
00DE90CA 05 0E010000 add eax, 10E
00DE90CF 6A 04 push 4
00DE90D1 68 00100000 push 1000
00DE90D6 50 push eax
00DE90D7 6A 00 push 0
00DE90D9 FF95 4D050000 call dword ptr [ebp+54D]
00DE90DF 8985 52010000 mov dword ptr [ebp+152], eax
00DE90E5 56 push esi
00DE90E6 8B1E mov ebx, dword ptr [esi]
00DE90E8 039D 22040000 add ebx, dword ptr [ebp+422]
00DE90EE FFB5 56010000 push dword ptr [ebp+156]
00DE90F4 FF76 04 push dword ptr [esi+4]
00DE90F7 50 push eax
00DE90F8 53 push ebx
00DE90F9 E8 6E050000 call 00DE966C
00DE90FE B3 00 mov bl, 0
00DE9100 80FB 00 cmp bl, 0
00DE9103 75 5E jnz short 00DE9163
00DE9105 FE85 EC000000 inc byte ptr [ebp+EC]
00DE910B 8B3E mov edi, dword ptr [esi]
00DE910D 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9113 FF37 push dword ptr [edi]
00DE9115 C607 C3 mov byte ptr [edi], 0C3
00DE9118 FFD7 call edi
00DE911A 8F07 pop dword ptr [edi]
00DE911C 50 push eax
00DE911D 51 push ecx
00DE911E 56 push esi
00DE911F 53 push ebx
00DE9120 8BC8 mov ecx, eax
00DE9122 83E9 06 sub ecx, 6
00DE9125 8BB5 52010000 mov esi, dword ptr [ebp+152]
00DE912B 33DB xor ebx, ebx
00DE912D 0BC9 or ecx, ecx
00DE912F 74 2E je short 00DE915F
00DE9131 78 2C js short 00DE915F
00DE9133 AC lods byte ptr [esi]
00DE9134 3C E8 cmp al, 0E8
00DE9136 74 0A je short 00DE9142
00DE9138 EB 00 jmp short 00DE913A
00DE913A 3C E9 cmp al, 0E9
00DE913C 74 04 je short 00DE9142
00DE913E 43 inc ebx
00DE913F 49 dec ecx
00DE9140 ^ EB EB jmp short 00DE912D
00DE9142 8B06 mov eax, dword ptr [esi]
00DE9144 EB 0A jmp short 00DE9150
00DE9146 803E 00 cmp byte ptr [esi], 0
00DE9149 ^ 75 F3 jnz short 00DE913E
00DE914B 24 00 and al, 0
00DE914D C1C0 18 rol eax, 18
00DE9150 2BC3 sub eax, ebx
00DE9152 8906 mov dword ptr [esi], eax
00DE9154 83C3 05 add ebx, 5
00DE9157 83C6 04 add esi, 4
00DE915A 83E9 05 sub ecx, 5
00DE915D ^ EB CE jmp short 00DE912D
00DE915F 5B pop ebx
00DE9160 5E pop esi
00DE9161 59 pop ecx
00DE9162 58 pop eax
00DE9163 EB 08 jmp short 00DE916D
00DE9165 0000 add byte ptr [eax], al
00DE9167 0000 add byte ptr [eax], al
00DE9169 0000 add byte ptr [eax], al
00DE916B 0000 add byte ptr [eax], al
00DE916D 8BC8 mov ecx, eax
00DE916F 8B3E mov edi, dword ptr [esi]
00DE9171 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9177 8BB5 52010000 mov esi, dword ptr [ebp+152]
00DE917D C1F9 02 sar ecx, 2
00DE9180 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00DE9182 8BC8 mov ecx, eax
00DE9184 83E1 03 and ecx, 3
00DE9187 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00DE9189 5E pop esi
00DE918A 68 00800000 push 8000
00DE918F 6A 00 push 0
00DE9191 FFB5 52010000 push dword ptr [ebp+152]
00DE9197 FF95 51050000 call dword ptr [ebp+551]
00DE919D 83C6 08 add esi, 8
00DE91A0 833E 00 cmp dword ptr [esi], 0
00DE91A3 ^ 0F85 1EFFFFFF jnz 00DE90C7
00DE91A9 68 00800000 push 8000
00DE91AE 6A 00 push 0
00DE91B0 FFB5 56010000 push dword ptr [ebp+156]
00DE91B6 FF95 51050000 call dword ptr [ebp+551]
00DE91BC 8B9D 31050000 mov ebx, dword ptr [ebp+531]
00DE91C2 0BDB or ebx, ebx
00DE91C4 74 08 je short 00DE91CE
00DE91C6 8B03 mov eax, dword ptr [ebx]
00DE91C8 8785 35050000 xchg dword ptr [ebp+535], eax
00DE91CE 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE91D4 8B85 2D050000 mov eax, dword ptr [ebp+52D]
00DE91DA 2BD0 sub edx, eax
00DE91DC 74 79 je short 00DE9257
00DE91DE 8BC2 mov eax, edx
00DE91E0 C1E8 10 shr eax, 10
00DE91E3 33DB xor ebx, ebx
00DE91E5 8BB5 39050000 mov esi, dword ptr [ebp+539]
00DE91EB 03B5 22040000 add esi, dword ptr [ebp+422]
00DE91F1 833E 00 cmp dword ptr [esi], 0
00DE91F4 74 61 je short 00DE9257
00DE91F6 8B4E 04 mov ecx, dword ptr [esi+4]
00DE91F9 83E9 08 sub ecx, 8
00DE91FC D1E9 shr ecx, 1
00DE91FE 8B3E mov edi, dword ptr [esi]
00DE9200 03BD 22040000 add edi, dword ptr [ebp+422]
00DE9206 83C6 08 add esi, 8
00DE9209 66:8B1E mov bx, word ptr [esi]
00DE920C C1EB 0C shr ebx, 0C
00DE920F 83FB 01 cmp ebx, 1
00DE9212 74 0C je short 00DE9220
00DE9214 83FB 02 cmp ebx, 2
00DE9217 74 16 je short 00DE922F
00DE9219 83FB 03 cmp ebx, 3
00DE921C 74 20 je short 00DE923E
00DE921E EB 2C jmp short 00DE924C
00DE9220 66:8B1E mov bx, word ptr [esi]
00DE9223 81E3 FF0F0000 and ebx, 0FFF
00DE9229 66:01041F add word ptr [edi+ebx], ax
00DE922D EB 1D jmp short 00DE924C
00DE922F 66:8B1E mov bx, word ptr [esi]
00DE9232 81E3 FF0F0000 and ebx, 0FFF
00DE9238 66:01141F add word ptr [edi+ebx], dx
00DE923C EB 0E jmp short 00DE924C
00DE923E 66:8B1E mov bx, word ptr [esi]
00DE9241 81E3 FF0F0000 and ebx, 0FFF
00DE9247 01141F add dword ptr [edi+ebx], edx
00DE924A EB 00 jmp short 00DE924C
00DE924C 66:830E FF or word ptr [esi], 0FFFF
00DE9250 83C6 02 add esi, 2
00DE9253 ^ E2 B4 loopd short 00DE9209
00DE9255 ^ EB 9A jmp short 00DE91F1
00DE9257 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE925D 8BB5 41050000 mov esi, dword ptr [ebp+541]
00DE9263 0BF6 or esi, esi
00DE9265 74 11 je short 00DE9278
00DE9267 03F2 add esi, edx
00DE9269 AD lods dword ptr [esi]
00DE926A 0BC0 or eax, eax
00DE926C 74 0A je short 00DE9278
00DE926E 03C2 add eax, edx
00DE9270 8BF8 mov edi, eax
00DE9272 66:AD lods word ptr [esi]
00DE9274 66:AB stos word ptr es:[edi]
00DE9276 ^ EB F1 jmp short 00DE9269
00DE9278 BE 00504800 mov esi, 00485000
00DE927D 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE9283 03F2 add esi, edx
00DE9285 8B46 0C mov eax, dword ptr [esi+C]
00DE9288 85C0 test eax, eax
00DE928A 0F84 0A010000 je 00DE939A
00DE9290 03C2 add eax, edx
00DE9292 8BD8 mov ebx, eax
00DE9294 50 push eax
00DE9295 FF95 4D0F0000 call dword ptr [ebp+F4D]
00DE929B 85C0 test eax, eax
00DE929D 75 07 jnz short 00DE92A6
00DE929F 53 push ebx
00DE92A0 FF95 510F0000 call dword ptr [ebp+F51]
00DE92A6 8985 45050000 mov dword ptr [ebp+545], eax
00DE92AC C785 49050000 0>mov dword ptr [ebp+549], 0
00DE92B6 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE92BC 8B06 mov eax, dword ptr [esi]
00DE92BE 85C0 test eax, eax
00DE92C0 75 03 jnz short 00DE92C5
00DE92C2 8B46 10 mov eax, dword ptr [esi+10]
00DE92C5 03C2 add eax, edx
00DE92C7 0385 49050000 add eax, dword ptr [ebp+549]
00DE92CD 8B18 mov ebx, dword ptr [eax]
00DE92CF 8B7E 10 mov edi, dword ptr [esi+10]
00DE92D2 03FA add edi, edx
00DE92D4 03BD 49050000 add edi, dword ptr [ebp+549]
00DE92DA 85DB test ebx, ebx
00DE92DC 0F84 A2000000 je 00DE9384
00DE92E2 F7C3 00000080 test ebx, 80000000
00DE92E8 75 04 jnz short 00DE92EE
00DE92EA 03DA add ebx, edx
00DE92EC 43 inc ebx
00DE92ED 43 inc ebx
00DE92EE 53 push ebx
00DE92EF 81E3 FFFFFF7F and ebx, 7FFFFFFF
00DE92F5 53 push ebx
00DE92F6 FFB5 45050000 push dword ptr [ebp+545]
00DE92FC FF95 490F0000 call dword ptr [ebp+F49]
00DE9302 85C0 test eax, eax
00DE9304 5B pop ebx
00DE9305 75 6F jnz short 00DE9376
00DE9307 F7C3 00000080 test ebx, 80000000
00DE930D 75 19 jnz short 00DE9328
00DE930F 57 push edi
00DE9310 8B46 0C mov eax, dword ptr [esi+C]
00DE9313 0385 22040000 add eax, dword ptr [ebp+422]
00DE9319 50 push eax
00DE931A 53 push ebx
00DE931B 8D85 75040000 lea eax, dword ptr [ebp+475]
00DE9321 50 push eax
00DE9322 57 push edi
00DE9323 E9 98000000 jmp 00DE93C0
00DE9328 81E3 FFFFFF7F and ebx, 7FFFFFFF
00DE932E 8B85 26040000 mov eax, dword ptr [ebp+426]
00DE9334 3985 45050000 cmp dword ptr [ebp+545], eax
00DE933A 75 24 jnz short 00DE9360
00DE933C 57 push edi
00DE933D 8BD3 mov edx, ebx
00DE933F 4A dec edx
00DE9340 C1E2 02 shl edx, 2
00DE9343 8B9D 45050000 mov ebx, dword ptr [ebp+545]
00DE9349 8B7B 3C mov edi, dword ptr [ebx+3C]
00DE934C 8B7C3B 78 mov edi, dword ptr [ebx+edi+78]
00DE9350 035C3B 1C add ebx, dword ptr [ebx+edi+1C]
00DE9354 8B0413 mov eax, dword ptr [ebx+edx]
00DE9357 0385 45050000 add eax, dword ptr [ebp+545]
00DE935D 5F pop edi
00DE935E EB 16 jmp short 00DE9376
00DE9360 57 push edi
00DE9361 8B46 0C mov eax, dword ptr [esi+C]
00DE9364 0385 22040000 add eax, dword ptr [ebp+422]
00DE936A 50 push eax
00DE936B 53 push ebx
00DE936C 8D85 C6040000 lea eax, dword ptr [ebp+4C6]
00DE9372 50 push eax
00DE9373 57 push edi
00DE9374 EB 4A jmp short 00DE93C0
00DE9376 8907 mov dword ptr [edi], eax
00DE9378 8385 49050000 0>add dword ptr [ebp+549], 4
00DE937F ^ E9 32FFFFFF jmp 00DE92B6
00DE9384 8906 mov dword ptr [esi], eax
00DE9386 8946 0C mov dword ptr [esi+C], eax
00DE9389 8946 10 mov dword ptr [esi+10], eax
00DE938C 83C6 14 add esi, 14
00DE938F 8B95 22040000 mov edx, dword ptr [ebp+422]
00DE9395 ^ E9 EBFEFFFF jmp 00DE9285
00DE939A B8 94594600 mov eax, 00465994
00DE939F 50 push eax
00DE93A0 0385 22040000 add eax, dword ptr [ebp+422]
00DE93A6 59 pop ecx
00DE93A7 0BC9 or ecx, ecx
00DE93A9 8985 A8030000 mov dword ptr [ebp+3A8], eax
壳出口:
00DE93AF 61 popad
00DE93B0 75 08 jnz short 00DE93BA
00DE93B2 B8 01000000 mov eax, 1
00DE93B7 C2 0C00 retn 0C
00DE93BA 68 00000000 push 0 !!!!! 这里,未脱壳,地址 = 0
00DE93BF C3 retn
壳代码运行过后:
00DE93AF 61 popad
00DE93B0 75 08 jnz short 00DE93BA
00DE93B2 B8 01000000 mov eax, 1
00DE93B7 C2 0C00 retn 0C
00DE93BA 68 94598600 push 00865994 !!!!! 这里,脱壳后,地址 = 00865994 OEP
00DE93BF C3 retn
读硬盘数据: 试用次数
0071C10E 6A 00 push 0
0071C110 6A 00 push 0
0071C112 6A 03 push 3
0071C114 6A 00 push 0
0071C116 6A 03 push 3
0071C118 68 000000C0 push C0000000
0071C11D 68 44C17100 push 0071C144 ; ASCII "\\.\PHYSICALDRIVE0"
0071C122 E8 99B9CEFF call 00407AC0 ; jmp 到 kernel32.CreateFileA
0071C127 8946 04 mov dword ptr [esi+4], eax
0071C12A 8BC6 mov eax, esi
0071C12C 84DB test bl, bl
0071C12E 74 0F je short 0071C13F
0071C130 E8 2785CEFF call 0040465C
0071C135 64:8F05 0000000>pop dword ptr fs:[0]
0071C13C 83C4 0C add esp, 0C
0071C13F 8BC6 mov eax, esi
0071C141 5E pop esi
0071C142 5B pop ebx
0071C143 C3 retn
0071C144 5C pop esp
0071C145 5C pop esp
0071C146 2E:5C pop esp
0071C148 50 push eax
0071C149 48 dec eax
0071C14A 59 pop ecx
0071C14B 53 push ebx
0071C14C 49 dec ecx
0071C14D 43 inc ebx
0071C14E 41 inc ecx
0071C14F 4C dec esp
0071C150 44 inc esp
0071C151 52 push edx
0071C152 49 dec ecx
0071C153 56 push esi
0071C154 45 inc ebp
0071C155 3000 xor byte ptr [eax], al
0071C157 0053 56 add byte ptr [ebx+56], dl
0071C15A E8 0D85CEFF call 0040466C
0071C15F 8BDA mov ebx, edx
0071C161 8BF0 mov esi, eax
0071C163 8B46 04 mov eax, dword ptr [esi+4]
0071C166 83F8 FF cmp eax, -1
0071C169 74 06 je short 0071C171
0071C16B 50 push eax
0071C16C E8 27B9CEFF call 00407A98 ; jmp 到 kernel32.CloseHandle
0071C171 8BD3 mov edx, ebx
0071C173 80E2 FC and dl, 0FC
0071C176 8BC6 mov eax, esi
0071C178 E8 1381CEFF call 00404290
0071C17D 84DB test bl, bl
0071C17F 7E 07 jle short 0071C188
0071C181 8BC6 mov eax, esi
0071C183 E8 CC84CEFF call 00404654
0071C188 5E pop esi
0071C189 5B pop ebx
0071C18A C3 retn
偏移 7C00h = 62 x 512,即 第 62 扇区
0071C19A 6A 00 push 0
0071C19C 6A 00 push 0
0071C19E 68 007C0000 push 7C00
0071C1A3 8B43 04 mov eax, dword ptr [ebx+4]
0071C1A6 50 push eax
0071C1A7 E8 2CBCCEFF call 00407DD8 ; jmp 到 kernel32.SetFilePointer
0071C1AC 6A 00 push 0
0071C1AE 8D4424 04 lea eax, dword ptr [esp+4]
0071C1B2 50 push eax
0071C1B3 68 00020000 push 200
0071C1B8 8D43 08 lea eax, dword ptr [ebx+8]
0071C1BB 50 push eax
0071C1BC 8B43 04 mov eax, dword ptr [ebx+4]
0071C1BF 50 push eax
0071C1C0 E8 D3BBCEFF call 00407D98 ; jmp 到 kernel32.ReadFile 连读 4次左右
0071C1C5 85C0 test eax, eax
0071C1C7 0F84 35010000 je 0071C302
0071C1CD 8D53 08 lea edx, dword ptr [ebx+8]
---------------
02E73998 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E739F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73A98 52 53 57 42 00 1C 00 00 00 00 00 00 00 00 00 00 RSWB........... !!!!!!!!!磁盘扇区数据: 1E = 30次 1C = 28次
02E73AA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02E73AD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
---------------
0071C1D0 B9 FF010000 mov ecx, 1FF
0071C1D5 8BC3 mov eax, ebx
0071C1D7 E8 30010000 call 0071C30C
0071C1DC 8A83 08010000 mov al, byte ptr [ebx+108]
0071C1E2 8806 mov byte ptr [esi], al
0071C1E4 8A83 09010000 mov al, byte ptr [ebx+109]
0071C1EA 8846 01 mov byte ptr [esi+1], al
0071C1ED 8A83 0A010000 mov al, byte ptr [ebx+10A]
0071C1F3 8846 02 mov byte ptr [esi+2], al
0071C1F6 8A83 0B010000 mov al, byte ptr [ebx+10B]
0071C1FC 8846 03 mov byte ptr [esi+3], al
0071C1FF 8A83 0D010000 mov al, byte ptr [ebx+10D]
0071C205 8846 04 mov byte ptr [esi+4], al
0071C208 8A83 0E010000 mov al, byte ptr [ebx+10E]
0071C20E 8846 05 mov byte ptr [esi+5], al
0071C211 8A83 0F010000 mov al, byte ptr [ebx+10F]
0071C217 8846 06 mov byte ptr [esi+6], al
0071C21A 8A83 10010000 mov al, byte ptr [ebx+110]
0071C220 8846 07 mov byte ptr [esi+7], al
0071C223 8A83 11010000 mov al, byte ptr [ebx+111]
0071C229 8846 08 mov byte ptr [esi+8], al
0071C22C 8A83 12010000 mov al, byte ptr [ebx+112]
0071C232 8846 09 mov byte ptr [esi+9], al
0071C235 8A83 13010000 mov al, byte ptr [ebx+113]
0071C23B 8846 0A mov byte ptr [esi+A], al
0071C23E 8A83 14010000 mov al, byte ptr [ebx+114]
0071C244 8846 0B mov byte ptr [esi+B], al
0071C247 8A83 15010000 mov al, byte ptr [ebx+115]
0071C24D 8846 0C mov byte ptr [esi+C], al
0071C250 8A83 16010000 mov al, byte ptr [ebx+116]
0071C256 8846 0D mov byte ptr [esi+D], al
0071C259 8A83 23010000 mov al, byte ptr [ebx+123]
0071C25F 8846 0E mov byte ptr [esi+E], al
0071C262 8A83 24010000 mov al, byte ptr [ebx+124]
0071C268 8846 0F mov byte ptr [esi+F], al
0071C26B 8A83 25010000 mov al, byte ptr [ebx+125]
0071C271 8846 10 mov byte ptr [esi+10], al
0071C274 8A83 26010000 mov al, byte ptr [ebx+126]
0071C27A 8846 11 mov byte ptr [esi+11], al
0071C27D 8A83 27010000 mov al, byte ptr [ebx+127]
0071C283 8846 12 mov byte ptr [esi+12], al
0071C286 8A83 28010000 mov al, byte ptr [ebx+128]
0071C28C 8846 13 mov byte ptr [esi+13], al
0071C28F 8A83 29010000 mov al, byte ptr [ebx+129]
0071C295 8846 14 mov byte ptr [esi+14], al
0071C298 8A83 2A010000 mov al, byte ptr [ebx+12A]
0071C29E 8846 15 mov byte ptr [esi+15], al
0071C2A1 8A83 2B010000 mov al, byte ptr [ebx+12B]
0071C2A7 8846 16 mov byte ptr [esi+16], al
0071C2AA 8A83 2C010000 mov al, byte ptr [ebx+12C]
0071C2B0 8846 17 mov byte ptr [esi+17], al
0071C2B3 8A83 2D010000 mov al, byte ptr [ebx+12D]
0071C2B9 8846 18 mov byte ptr [esi+18], al
0071C2BC 8A83 2E010000 mov al, byte ptr [ebx+12E]
0071C2C2 8846 19 mov byte ptr [esi+19], al
0071C2C5 8A83 2F010000 mov al, byte ptr [ebx+12F]
0071C2CB 8846 1A mov byte ptr [esi+1A], al
0071C2CE 8A83 30010000 mov al, byte ptr [ebx+130]
0071C2D4 8846 1B mov byte ptr [esi+1B], al
0071C2D7 8A83 31010000 mov al, byte ptr [ebx+131]
0071C2DD 8846 1C mov byte ptr [esi+1C], al
0071C2E0 8A83 32010000 mov al, byte ptr [ebx+132]
0071C2E6 8846 1D mov byte ptr [esi+1D], al
0071C2E9 8A83 33010000 mov al, byte ptr [ebx+133]
0071C2EF 8846 1E mov byte ptr [esi+1E], al
0071C2F2 8A83 34010000 mov al, byte ptr [ebx+134]
0071C2F8 8846 1F mov byte ptr [esi+1F], al
0071C2FB B9 08000000 mov ecx, 8
0071C300 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0071C302 83C4 24 add esp, 24
0071C305 5F pop edi
0071C306 5E pop esi
0071C307 5B pop ebx
0071C308 C3 retn
0048A3BE 试用 命令入口
关键代码段
007EA861 E8 4600F3FF call 0071A8AC
007EA866 83F8 1E cmp eax, 1E !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 和 30次 比较
007EA869 7E 05 jle short 007EA870
007EA86B B8 1E000000 mov eax, 1E
007EA870 48 dec eax
007EA871 E8 9200F3FF call 0071A908
007EA876 C783 4C020000 0>mov dword ptr [ebx+24C], 1
007EA880 5B pop ebx
007EA881 C3 retn
007EA882 C783 4C020000 0>mov dword ptr [ebx+24C], 2
007EA88C 5B pop ebx
007EA88D C3 retn
007EA88E 8BC0 mov eax, eax
007EA890 55 push ebp
007EA891 8BEC mov ebp, esp
007EA893 33C9 xor ecx, ecx
次数比较,以便决定显示 提示 信息窗口
007E8BF0 /EB 07 jmp short 007E8BF9
007E8BF2 |E8 B51CF3FF call 0071A8AC !!!!!!!!!!获取 已经使用的次数 EAX
007E8BF7 |8BF0 mov esi, eax
007E8BF9 \85F6 test esi, esi
007E8BFB 7E 05 jle short 007E8C02
007E8BFD 83FE 1E cmp esi, 1E
007E8C00 7E 04 jle short 007E8C06
007E8C02 33C0 xor eax, eax
007E8C04 EB 02 jmp short 007E8C08
007E8C06 B0 01 mov al, 1
007E8C08 8883 98030000 mov byte ptr [ebx+398], al
007E8C0E 85F6 test esi, esi
007E8C10 7E 05 jle short 007E8C17
007E8C12 83FE 1E cmp esi, 1E !!!!!!!!!!!!!! 搜索此指令,修改 最大次数
007E8C15 7E 4D jle short 007E8C64
007E8C17 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C1D 8B40 68 mov eax, dword ptr [eax+68]
007E8C20 BA FF000000 mov edx, 0FF
007E8C25 E8 9E62C4FF call 0042EEC8
007E8C2A 68 1C8E7E00 push 007E8E1C ; ASCII "???"
007E8C2F 8D45 F0 lea eax, dword ptr [ebp-10]
007E8C32 50 push eax
007E8C33 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C38 B9 288E7E00 mov ecx, 007E8E28 ; ASCII "testhint1"
007E8C3D 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C43 8B30 mov esi, dword ptr [eax]
007E8C45 FF16 call dword ptr [esi]
007E8C47 8B55 F0 mov edx, dword ptr [ebp-10]
007E8C4A 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C50 E8 E301CAFF call 00488E38
007E8C55 33D2 xor edx, edx
007E8C57 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8C5D 8B08 mov ecx, dword ptr [eax]
007E8C5F FF51 64 call dword ptr [ecx+64]
007E8C62 EB 65 jmp short 007E8CC9
007E8C64 83FE 1E cmp esi, 1E
007E8C67 7F 60 jg short 007E8CC9
007E8C69 BA FF000000 mov edx, 0FF
007E8C6E 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C74 E8 2F03CAFF call 00488FA8
007E8C79 8D45 EC lea eax, dword ptr [ebp-14]
007E8C7C 50 push eax
007E8C7D 68 3C8E7E00 push 007E8E3C ; ASCII "%d"
007E8C82 8D45 E8 lea eax, dword ptr [ebp-18]
007E8C85 50 push eax
007E8C86 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C8B B9 488E7E00 mov ecx, 007E8E48 ; ASCII "TestHint"
007E8C90 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C96 8B38 mov edi, dword ptr [eax]
007E8C98 FF17 call dword ptr [edi]
007E8C9A 8B45 E8 mov eax, dword ptr [ebp-18]
007E8C9D 8975 E0 mov dword ptr [ebp-20], esi
007E8CA0 C645 E4 00 mov byte ptr [ebp-1C], 0
007E8CA4 8D55 E0 lea edx, dword ptr [ebp-20]
007E8CA7 33C9 xor ecx, ecx
007E8CA9 E8 0E4BC2FF call 0040D7BC
007E8CAE 8B55 EC mov edx, dword ptr [ebp-14]
007E8CB1 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8CB7 E8 7C01CAFF call 00488E38
007E8CBC B2 01 mov dl, 1
007E8CBE 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8CC4 8B08 mov ecx, dword ptr [eax]
007E8CC6 FF51 64 call dword ptr [ecx+64]
007E8CC9 33D2 xor edx, edx
007E8CCB 8B83 34030000 mov eax, dword ptr [ebx+334]
007E8CD1 8B08 mov ecx, dword ptr [eax]
007E8CD3 FF51 64 call dword ptr [ecx+64]
007E8CD6 8BC3 mov eax, ebx
007E8CD8 E8 2F1E0000 call 007EAB0C
007E8CDD 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8CE3 C780 14020000 0>mov dword ptr [eax+214], 2
007E8CED 33C0 xor eax, eax
007E8CEF 5A pop edx
007E8CF0 59 pop ecx
007E8CF1 59 pop ecx
007E8CF2 64:8910 mov dword ptr fs:[eax], edx
007E8CF5 68 1F8D7E00 push 007E8D1F
007E8CFA 8D45 E8 lea eax, dword ptr [ebp-18]
007E8CFD BA 04000000 mov edx, 4
007E8D02 E8 0DC4C1FF call 00405114
007E8D07 8D45 F8 lea eax, dword ptr [ebp-8]
007E8D0A E8 E1C3C1FF call 004050F0
007E8D0F 8D45 FC lea eax, dword ptr [ebp-4]
007E8D12 E8 D9C3C1FF call 004050F0
007E8D17 C3 retn
007E8D18 ^ E9 17BDC1FF jmp 00404A34
007E8D1D ^ EB DB jmp short 007E8CFA
007E8D1F 5F pop edi
007E8D20 5E pop esi
007E8D21 5B pop ebx
007E8D22 8BE5 mov esp, ebp
007E8D24 5D pop ebp
007E8D25 C3 retn
007E8D26 0000 add byte ptr [eax], al
007E8D28 72 00 jb short 007E8D2A
007E8D2A 0000 add byte ptr [eax], al
007E8D2C 68 00740074 push 74007400
007E8D31 0070 00 add byte ptr [eax], dh
007E8D34 3A00 cmp al, byte ptr [eax]
007E8D36 2F das
007E8D37 002F add byte ptr [edi], ch
007E8D39 0077 00 add byte ptr [edi], dh
007E8D3C 77 00 ja short 007E8D3E
007E8D3E 77 00 ja short 007E8D40
007E8D40 2E:0072 00 add byte ptr cs:[edx], dh
007E8D44 65:007400 75 add byte ptr gs:[eax+eax+75], dh
007E8D49 0072 00 add byte ptr [edx], dh
007E8D4C 6E outs dx, byte ptr es:[edi]
007E8D4D 0073 00 add byte ptr [ebx], dh
007E8D50 74 00 je short 007E8D52
007E8D52 61 popad
007E8D53 0072 00 add byte ptr [edx], dh
007E8D56 2E:0063 00 add byte ptr cs:[ebx], ah
007E8D5A 6F outs dx, dword ptr es:[edi]
007E8D5B 006D 00 add byte ptr [ebp], ch
007E8D5E 2F das
007E8D5F 0070 00 add byte ptr [eax], dh
007E8D62 72 00 jb short 007E8D64
007E8D64 6F outs dx, dword ptr es:[edi]
007E8D65 006400 72 add byte ptr [eax+eax+72], ah
007E8D69 0065 00 add byte ptr [ebp], ah
007E8D6C 67:0065 00 add byte ptr [di], ah
007E8D70 64:0069 00 add byte ptr fs:[ecx], ch
007E8D74 74 00 je short 007E8D76
007E8D76 2F das
007E8D77 0043 00 add byte ptr [ebx], al
007E8D7A 6C ins byte ptr es:[edi], dx
007E8D7B 0069 00 add byte ptr [ecx], ch
007E8D7E 65:006E 00 add byte ptr gs:[esi], ch
007E8D82 74 00 je short 007E8D84
007E8D84 52 push edx
007E8D85 0065 00 add byte ptr [ebp], ah
007E8D88 67:0069 00 add byte ptr [bx+di], ch
007E8D8C 73 00 jnb short 007E8D8E
007E8D8E 74 00 je short 007E8D90
007E8D90 65:0072 00 add byte ptr gs:[edx], dh
007E8D94 2E:0061 00 add byte ptr cs:[ecx], ah
007E8D98 73 00 jnb short 007E8D9A
007E8D9A 70 00 jo short 007E8D9C
007E8D9C 78 00 js short 007E8D9E
完整地 校验使用次数的 函数
--------------------------
007E8AA8 55 push ebp
007E8AA9 8BEC mov ebp, esp
007E8AAB 33C9 xor ecx, ecx
007E8AAD 51 push ecx
007E8AAE 51 push ecx
007E8AAF 51 push ecx
007E8AB0 51 push ecx
007E8AB1 51 push ecx
007E8AB2 51 push ecx
007E8AB3 51 push ecx
007E8AB4 51 push ecx
007E8AB5 53 push ebx
007E8AB6 56 push esi
007E8AB7 57 push edi
007E8AB8 8BD8 mov ebx, eax
007E8ABA 33C0 xor eax, eax
007E8ABC 55 push ebp
007E8ABD 68 188D7E00 push 007E8D18
007E8AC2 64:FF30 push dword ptr fs:[eax]
007E8AC5 64:8920 mov dword ptr fs:[eax], esp
007E8AC8 A1 D0DD8700 mov eax, dword ptr [87DDD0]
007E8ACD 8B00 mov eax, dword ptr [eax]
007E8ACF 8998 DC000000 mov dword ptr [eax+DC], ebx
007E8AD5 C780 D8000000 4>mov dword ptr [eax+D8], 007E8A4C
007E8ADF BA 2C8D7E00 mov edx, 007E8D2C ; UNICODE "http://www.returnstar.com/prodregedit/ClientRegister.aspx"
007E8AE4 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
007E8AEA E8 8999FFFF call 007E2478
007E8AEF A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8AF4 8B00 mov eax, dword ptr [eax]
007E8AF6 8B10 mov edx, dword ptr [eax]
007E8AF8 FF52 08 call dword ptr [edx+8]
007E8AFB A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B00 8B00 mov eax, dword ptr [eax]
007E8B02 8B40 04 mov eax, dword ptr [eax+4]
007E8B05 3D 04040000 cmp eax, 404
007E8B0A 74 0D je short 007E8B19
007E8B0C 8B15 B4DB8700 mov edx, dword ptr [87DBB4] ; solo.00883D9C
007E8B12 3D 04080000 cmp eax, 804
007E8B17 75 0D jnz short 007E8B26
007E8B19 BA 09000000 mov edx, 9
007E8B1E 8B43 68 mov eax, dword ptr [ebx+68]
007E8B21 E8 4266C4FF call 0042F168
007E8B26 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B2B 8B00 mov eax, dword ptr [eax]
007E8B2D 8BD3 mov edx, ebx
007E8B2F 8B08 mov ecx, dword ptr [eax]
007E8B31 FF51 14 call dword ptr [ecx+14]
007E8B34 8D45 FC lea eax, dword ptr [ebp-4]
007E8B37 50 push eax
007E8B38 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B3D 8B00 mov eax, dword ptr [eax]
007E8B3F B9 A88D7E00 mov ecx, 007E8DA8 ; ASCII "softname"
007E8B44 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8B49 E8 F225E4FF call 0062B140
007E8B4E 8B55 FC mov edx, dword ptr [ebp-4]
007E8B51 A1 D0DD8700 mov eax, dword ptr [87DDD0]
007E8B56 8B00 mov eax, dword ptr [eax]
007E8B58 E8 9321CCFF call 004AACF0
007E8B5D 8D55 F8 lea edx, dword ptr [ebp-8]
007E8B60 8B83 54030000 mov eax, dword ptr [ebx+354]
007E8B66 E8 9D02CAFF call 00488E08
007E8B6B 8B55 F8 mov edx, dword ptr [ebp-8]
007E8B6E 8D83 88030000 lea eax, dword ptr [ebx+388]
007E8B74 E8 CBC5C1FF call 00405144
007E8B79 A1 B4DB8700 mov eax, dword ptr [87DBB4]
007E8B7E 8B00 mov eax, dword ptr [eax]
007E8B80 8B48 0C mov ecx, dword ptr [eax+C]
007E8B83 B2 01 mov dl, 1
007E8B85 A1 60F04400 mov eax, dword ptr [44F060]
007E8B8A E8 8165C6FF call 0044F110
007E8B8F 8BF0 mov esi, eax
007E8B91 89B3 78030000 mov dword ptr [ebx+378], esi
007E8B97 68 D08D7E00 push 007E8DD0 ; ASCII "quit"
007E8B9C 8D45 F4 lea eax, dword ptr [ebp-C]
007E8B9F 50 push eax
007E8BA0 B9 E08D7E00 mov ecx, 007E8DE0 ; ASCII "btnQuit"
007E8BA5 8B53 08 mov edx, dword ptr [ebx+8]
007E8BA8 8BC6 mov eax, esi
007E8BAA 8B30 mov esi, dword ptr [eax]
007E8BAC FF16 call dword ptr [esi]
007E8BAE 8B55 F4 mov edx, dword ptr [ebp-C]
007E8BB1 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8BB7 E8 7C02CAFF call 00488E38
007E8BBC 33C0 xor eax, eax
007E8BBE 8983 84030000 mov dword ptr [ebx+384], eax
007E8BC4 A1 04DC8700 mov eax, dword ptr [87DC04]
007E8BC9 8B00 mov eax, dword ptr [eax]
007E8BCB 8078 24 00 cmp byte ptr [eax+24], 0 !!!!!!!!!!!!!!!!! 是否注册过期? 不等于0,过期
007E8BCF 74 21 je short 007E8BF2
007E8BD1 68 E88D7E00 push 007E8DE8 ; ASCII "TRS_EBoardService"
007E8BD6 68 FC8D7E00 push 007E8DFC ; ASCII "TfrmRS_EBoard_Service"
007E8BDB E8 F0F8C1FF call 004084D0 ; jmp 到 user32.FindWindowA
007E8BE0 8983 94030000 mov dword ptr [ebx+394], eax
007E8BE6 A1 04DC8700 mov eax, dword ptr [87DC04]
007E8BEB 8B00 mov eax, dword ptr [eax]
007E8BED 8B70 28 mov esi, dword ptr [eax+28]
007E8BF0 EB 07 jmp short 007E8BF9
007E8BF2 E8 B51CF3FF call 0071A8AC
007E8BF7 8BF0 mov esi, eax
007E8BF9 85F6 test esi, esi
007E8BFB 7E 05 jle short 007E8C02
007E8BFD 83FE 1E cmp esi, 1E
007E8C00 7E 04 jle short 007E8C06
007E8C02 33C0 xor eax, eax
007E8C04 EB 02 jmp short 007E8C08
007E8C06 B0 01 mov al, 1
007E8C08 8883 98030000 mov byte ptr [ebx+398], al
007E8C0E 85F6 test esi, esi
007E8C10 7E 05 jle short 007E8C17
007E8C12 83FE 1E cmp esi, 1E
007E8C15 7E 4D jle short 007E8C64
007E8C17 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C1D 8B40 68 mov eax, dword ptr [eax+68]
007E8C20 BA FF000000 mov edx, 0FF
007E8C25 E8 9E62C4FF call 0042EEC8
007E8C2A 68 1C8E7E00 push 007E8E1C ; ASCII "???"
007E8C2F 8D45 F0 lea eax, dword ptr [ebp-10]
007E8C32 50 push eax
007E8C33 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C38 B9 288E7E00 mov ecx, 007E8E28 ; ASCII "testhint1"
007E8C3D 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C43 8B30 mov esi, dword ptr [eax]
007E8C45 FF16 call dword ptr [esi]
007E8C47 8B55 F0 mov edx, dword ptr [ebp-10]
007E8C4A 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C50 E8 E301CAFF call 00488E38
007E8C55 33D2 xor edx, edx
007E8C57 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8C5D 8B08 mov ecx, dword ptr [eax]
007E8C5F FF51 64 call dword ptr [ecx+64]
007E8C62 EB 65 jmp short 007E8CC9
007E8C64 83FE 1E cmp esi, 1E
007E8C67 7F 60 jg short 007E8CC9
007E8C69 BA FF000000 mov edx, 0FF
007E8C6E 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8C74 E8 2F03CAFF call 00488FA8
007E8C79 8D45 EC lea eax, dword ptr [ebp-14]
007E8C7C 50 push eax
007E8C7D 68 3C8E7E00 push 007E8E3C ; ASCII "%d"
007E8C82 8D45 E8 lea eax, dword ptr [ebp-18]
007E8C85 50 push eax
007E8C86 BA BC8D7E00 mov edx, 007E8DBC ; ASCII "frmMainHint"
007E8C8B B9 488E7E00 mov ecx, 007E8E48 ; ASCII "TestHint"
007E8C90 8B83 78030000 mov eax, dword ptr [ebx+378]
007E8C96 8B38 mov edi, dword ptr [eax]
007E8C98 FF17 call dword ptr [edi]
007E8C9A 8B45 E8 mov eax, dword ptr [ebp-18]
007E8C9D 8975 E0 mov dword ptr [ebp-20], esi
007E8CA0 C645 E4 00 mov byte ptr [ebp-1C], 0
007E8CA4 8D55 E0 lea edx, dword ptr [ebp-20]
007E8CA7 33C9 xor ecx, ecx
007E8CA9 E8 0E4BC2FF call 0040D7BC
007E8CAE 8B55 EC mov edx, dword ptr [ebp-14]
007E8CB1 8B83 48030000 mov eax, dword ptr [ebx+348]
007E8CB7 E8 7C01CAFF call 00488E38
007E8CBC B2 01 mov dl, 1
007E8CBE 8B83 38030000 mov eax, dword ptr [ebx+338]
007E8CC4 8B08 mov ecx, dword ptr [eax]
007E8CC6 FF51 64 call dword ptr [ecx+64]
007E8CC9 33D2 xor edx, edx
007E8CCB 8B83 34030000 mov eax, dword ptr [ebx+334]
007E8CD1 8B08 mov ecx, dword ptr [eax]
007E8CD3 FF51 64 call dword ptr [ecx+64]
007E8CD6 8BC3 mov eax, ebx
007E8CD8 E8 2F1E0000 call 007EAB0C
007E8CDD 8B83 3C030000 mov eax, dword ptr [ebx+33C]
007E8CE3 C780 14020000 0>mov dword ptr [eax+214], 2
007E8CED 33C0 xor eax, eax
007E8CEF 5A pop edx
007E8CF0 59 pop ecx
007E8CF1 59 pop ecx
007E8CF2 64:8910 mov dword ptr fs:[eax], edx
007E8CF5 68 1F8D7E00 push 007E8D1F
007E8CFA 8D45 E8 lea eax, dword ptr [ebp-18]
007E8CFD BA 04000000 mov edx, 4
007E8D02 E8 0DC4C1FF call 00405114
007E8D07 8D45 F8 lea eax, dword ptr [ebp-8]
007E8D0A E8 E1C3C1FF call 004050F0
007E8D0F 8D45 FC lea eax, dword ptr [ebp-4]
007E8D12 E8 D9C3C1FF call 004050F0
007E8D17 C3 retn
007E8D18 ^ E9 17BDC1FF jmp 00404A34
007E8D1D ^ EB DB jmp short 007E8CFA
007E8D1F 5F pop edi
007E8D20 5E pop esi
007E8D21 5B pop ebx
007E8D22 8BE5 mov esp, ebp
007E8D24 5D pop ebp
007E8D25 C3 retn
======================
004A374C 53 push ebx
004A374D 56 push esi
004A374E 8BD8 mov ebx, eax
004A3750 80BB 34020000 00 cmp byte ptr [ebx+234], 0
004A3757 75 0A jnz short 004A3763
004A3759 8BC3 mov eax, ebx
004A375B 8B10 mov edx, dword ptr [eax]
004A375D FF92 D4000000 call dword ptr [edx+D4]
004A3763 F683 F4020000 20 test byte ptr [ebx+2F4], 20
004A376A 74 12 je short 004A377E
004A376C 8BC3 mov eax, ebx
004A376E 66:BE B3FF mov si, 0FFB3
004A3772 E8 250DF6FF call 0040449C
004A3777 80A3 F4020000 DF and byte ptr [ebx+2F4], 0DF
004A377E 5E pop esi
004A377F 5B pop ebx
004A3780 C3 retn
注册窗口 窗口调用入口:
004A3A4C 55 push ebp
004A3A4D 8BEC mov ebp, esp
004A3A4F 51 push ecx
004A3A50 53 push ebx
004A3A51 56 push esi
004A3A52 57 push edi
004A3A53 8945 FC mov dword ptr [ebp-4], eax
004A3A56 8B45 FC mov eax, dword ptr [ebp-4]
004A3A59 66:83B8 D202000>cmp word ptr [eax+2D2], 0
004A3A61 74 49 je short 004A3AAC
004A3A63 33C0 xor eax, eax
004A3A65 55 push ebp
004A3A66 68 8D3A4A00 push 004A3A8D
004A3A6B 64:FF30 push dword ptr fs:[eax]
004A3A6E 64:8920 mov dword ptr fs:[eax], esp
004A3A71 8B5D FC mov ebx, dword ptr [ebp-4]
004A3A74 8B55 FC mov edx, dword ptr [ebp-4]
004A3A77 8B83 D4020000 mov eax, dword ptr [ebx+2D4]
004A3A7D FF93 D0020000 call dword ptr [ebx+2D0] !!!!!!! 根据 EBX 值调用不同窗口
004A3A83 33C0 xor eax, eax
004A3A85 5A pop edx
004A3A86 59 pop ecx
004A3A87 59 pop ecx
004A3A88 64:8910 mov dword ptr fs:[eax], edx
004A3A8B EB 1F jmp short 004A3AAC
004A3A8D ^ E9 EE0CF6FF jmp 00404780
004A3A92 8B45 FC mov eax, dword ptr [ebp-4]
004A3A95 66:BE ADFF mov si, 0FFAD
004A3A99 E8 FE09F6FF call 0040449C
004A3A9E 84C0 test al, al
004A3AA0 75 05 jnz short 004A3AA7
004A3AA2 E8 ED0FF6FF call 00404A94
004A3AA7 E8 3C10F6FF call 00404AE8
004A3AAC 8B45 FC mov eax, dword ptr [ebp-4]
004A3AAF F680 F4020000 0>test byte ptr [eax+2F4], 2
004A3AB6 74 0A je short 004A3AC2
004A3AB8 B2 01 mov dl, 1
004A3ABA 8B45 FC mov eax, dword ptr [ebp-4]
004A3ABD E8 42090000 call 004A4404
004A3AC2 5F pop edi
004A3AC3 5E pop esi
004A3AC4 5B pop ebx
004A3AC5 59 pop ecx
004A3AC6 5D pop ebp
004A3AC7 C3 retn
004A372B 8B45 FC mov eax, dword ptr [ebp-4]
004A372E 807D FB 00 cmp byte ptr [ebp-5], 0
004A3732 74 0F je short 004A3743
004A3734 E8 230FF6FF call 0040465C
004A3739 64:8F05 00000000 pop dword ptr fs:[0]
004A3740 83C4 0C add esp, 0C
004A3743 8B45 FC mov eax, dword ptr [ebp-4]
004A3746 5B pop ebx
004A3747 8BE5 mov esp, ebp
004A3749 5D pop ebp
004A374A C3 retn
*******************************************************************************
[ 很重要 ] 如下处修改,可以不显示 提示 注册窗口,完美爆破!
*******************************************************************************
00865BC3 A1 04DC8700 mov eax, dword ptr [87DC04]
00865BC8 8B00 mov eax, dword ptr [eax]
00865BCA 8078 24 00 cmp byte ptr [eax+24], 0 ********** set to 1 => 8078 24 01
00865BCE 74 28 je short 00865BF8
00865BD0 A1 04DC8700 mov eax, dword ptr [87DC04]
00865BD5 8B00 mov eax, dword ptr [eax]
00865BD7 8078 25 00 cmp byte ptr [eax+25], 0 ********** set to 1 => 8078 25 01
00865BDB 74 77 je short 00865C54
00865BDD B8 20448800 mov eax, 00884420
00865BE2 E8 518CC9FF call 004FE838
00865BE7 84C0 test al, al
00865BE9 74 69 je short 00865C54 ********** or jnz => 75 69
00865BEB A1 04DC8700 mov eax, dword ptr [87DC04]
00865BF0 8B00 mov eax, dword ptr [eax]
00865BF2 C640 08 01 mov byte ptr [eax+8], 1
00865BF6 EB 5C jmp short 00865C54
00865BF8 B8 FC438800 mov eax, 008843FC
00865BFD 33C9 xor ecx, ecx
00865BFF BA 1E000000 mov edx, 1E
00865C04 E8 B3DAB9FF call 004036BC 如下处修改,也可以不显示 提示 注册窗口
断点 = 00865C09
00865C09 6A 1E push 1E
00865C0B 68 FC438800 push 008843FC
00865C10 68 C8648600 push 008664C8 ; ASCII "RSWBSN"
00865C15 68 D0648600 push 008664D0 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RSWB"
00865C1A 68 02000080 push 80000002
00865C1F E8 D049EBFF call 0071A5F4 ; jmp 到 rslockvc.RSLock_GetDataMM
00865C24 68 FC438800 push 008843FC
00865C29 E8 563AC9FF call 004F9684 ; jmp 到 rslockvc.RSLock_YZZCM
00865C2E 84C0 test al, al ***************************=> Set AL = 1
00865C30 75 09 jnz short 00865C3B
00865C32 E8 354DEBFF call 0071A96C
00865C37 84C0 test al, al
00865C39 74 19 je short 00865C54
00865C3B B8 20448800 mov eax, 00884420
00865C40 E8 F38BC9FF call 004FE838
00865C45 84C0 test al, al ***************************=> Set AL = 1
00865C47 74 0B je short 00865C54
00865C49 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C4E 8B00 mov eax, dword ptr [eax]
00865C50 C640 08 01 mov byte ptr [eax+8], 1
00865C54 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C59 8B00 mov eax, dword ptr [eax]
00865C5B 83C0 20 add eax, 20
00865C5E 8B15 20448800 mov edx, dword ptr [884420]
00865C64 E8 DBF4B9FF call 00405144
00865C69 B8 10658600 mov eax, 00866510 ; ASCII "ReSent.exe"
00865C6E E8 C16AC9FF call 004FC734
00865C73 84C0 test al, al
00865C75 74 2D je short 00865CA4
00865C77 A1 04DC8700 mov eax, dword ptr [87DC04]
00865C7C 8B00 mov eax, dword ptr [eax]
00865C7E 8078 24 00 cmp byte ptr [eax+24], 0
00865C82 75 20 jnz short 00865CA4
另: 启动 自动更新检查 WBCUpdate.exe
007F0071 |> \6A 00 push 0
007F0073 |. 6A 00 push 0
007F0075 |. 68 D0037F00 push 007F03D0 ; rscheckupdate
007F007A |. A1 04DC8700 mov eax, dword ptr [87DC04]
007F007F |. 8B00 mov eax, dword ptr [eax]
007F0081 |. 8B50 04 mov edx, dword ptr [eax+4]
007F0084 |. 8D45 9C lea eax, dword ptr [ebp-64]
007F0087 |. B9 E8037F00 mov ecx, 007F03E8 ; wbcupdate.exe
007F008C |. E8 7B53C1FF call 0040540C
007F0091 |. 8B45 9C mov eax, dword ptr [ebp-64]
007F0094 |. E8 2755C1FF call 004055C0
007F0099 |. 50 push eax
007F009A |. 68 F8037F00 push 007F03F8 ; open
007F009F |. 8BC3 mov eax, ebx
007F00A1 |. E8 6AF6C9FF call 0048F710
007F00A6 |. 50 push eax ; |hWnd
007F00A7 |. E8 C0CBC4FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
007F00AC |> 6A 00 push 0 ; /lParam = 0
007F00AE |. 6A 02 push 2 ; |wParam = 2
007F00B0 |. 8B83 E00A0000 mov eax, dword ptr [ebx+AE0] ; |
007F00B6 |. 50 push eax ; |Message
007F00B7 |. 68 FFFF0000 push 0FFFF ; |hWnd = HWND_BROADCAST
007F00BC |. E8 FF86C1FF call <jmp.&user32.PostMessageA> ; \PostMessageA
另: 启动 自动更新 WBUpdate.exe
008008E1 > \6A 05 push 5
008008E3 . 6A 00 push 0
008008E5 . 68 84098000 push 00800984 ; rsupdate
008008EA . A1 04DC8700 mov eax, dword ptr [87DC04]
008008EF . 8B00 mov eax, dword ptr [eax]
008008F1 . 8B50 04 mov edx, dword ptr [eax+4]
008008F4 . 8D45 F8 lea eax, dword ptr [ebp-8]
008008F7 . B9 98098000 mov ecx, 00800998 ; wbupdate.exe
008008FC . E8 0B4BC0FF call 0040540C
00800901 . 8B45 F8 mov eax, dword ptr [ebp-8]
00800904 . E8 B74CC0FF call 004055C0
00800909 . 50 push eax
0080090A . 68 A8098000 push 008009A8 ; open
0080090F . 8B45 FC mov eax, dword ptr [ebp-4]
00800912 . E8 F9EDC8FF call 0048F710
00800917 . 50 push eax ; |hWnd
00800918 . E8 4FC3C3FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
0080091D > 33C0 xor eax, eax
0080091F . 5A pop edx
00800920 . 59 pop ecx
00800921 . 59 pop ecx
00800922 . 64:8910 mov dword ptr fs:[eax], edx
00800925 . 68 3A098000 push 0080093A
0080092A > 8D45 F8 lea eax, dword ptr [ebp-8]
0080092D . E8 BE47C0FF call 004050F0
00800932 . C3 retn
===============================================================================
总结陈述:
1) rsRSWBSW.exe :
加载 RSWBSW.dat,解密; 启动 RSWBSW.exe 进程并挂起;
将解密后的 RSWBSW.dat(实质是加 UPX 壳的 exe 文件)写入 RSWBSW.exe 进程空间,替换掉 RSWBSW.exe 的内容,随后,启动替换后的 RSWBSW.exe 主线程
2) RSWBSW.dat :
被解密后,可以从 rsRSWBSW.exe 进程中复制出来,另存为一个 exe文件,比如 ppx.exe,随后,UPX脱壳,然后修改指令,爆破
3) RSWBSW.exe :
启动 rsRSWBSW.exe,完成 1) 2) 动作,随后自己退出
4) 试用次数写在 0号物理驱动器第 62 扇区[ 512字节/扇区 x 62 = 7C00h ]偏移 100h 处,格式是 52 53 57 42 00 1C => R S W B . .
===============================================================================
延伸阅读: 傀儡进程——Exe注入[转贴,谢谢作者]
#include "stdafx.h"
#include <windows.h>
typedef long NTSTATUS;
// Prototype of ntdll!ZwUnmapViewOfSection; it is not in the import table but is
// resolved by name at run time in _tmain (a classic sign of an injector).
typedef NTSTATUS (__stdcall *pfnZwUnmapViewOfSection)(
IN HANDLE ProcessHandle,
IN LPVOID BaseAddress
);
BOOL CreateIEProcess();
// Handles/ids of the suspended target process. Written by CreateIEProcess, read by
// _tmain and GetRemoteProcessImageBase; zero until the target has been created.
PROCESS_INFORMATION pi = {0};
DWORD GetCurModuleSize(DWORD dwModuleBase);
DWORD GetRemoteProcessImageBase(DWORD dwPEB);
DWORD GetNewEntryPoint();
void TestFunc();
//////////////////////////////////////////////////////////////////////////
// Filled by GetProcAddress in _tmain; NULL if the export could not be found.
pfnZwUnmapViewOfSection ZwUnmapViewOfSection;
// Demonstration of the "puppet process" / process-hollowing technique the article
// describes above: a target process is created suspended, its original image is
// unmapped, a copy of this program's own in-memory image is written in its place at
// the same base address, and the initial thread is redirected to TestFunc.
// For detection, the observable call sequence on one foreign process is
// CreateProcess(CREATE_SUSPENDED) -> ZwUnmapViewOfSection ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> SetThreadContext
// -> ResumeThread, after which the mapped image no longer matches the file on disk.
// Returns 0 unconditionally; failures only print a message and jump to __exit.
// NOTE(review): `__exit` is a reserved identifier (double underscore), and compiled
// as C++ the `goto __exit` jumps over initialised declarations (hModuleBase,
// dwImageSize, dwRemoteImageBase, lpAlloAddr), which MSVC rejects (C2362) -- the
// posted listing was presumably built as C or edited; confirm before relying on it.
int _tmain(int argc, _TCHAR* argv[])
{
// Resolve the undocumented ntdll export by name; NULL means it is unavailable.
ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(
GetModuleHandleA("ntdll.dll"),"ZwUnmapViewOfSection");
// NOTE(review): %08X with a pointer argument is a format/argument mismatch (also
// for hModuleBase below); %p is the matching specifier.
printf("ZwUnmapViewOfSection : 0x%08X.\n",ZwUnmapViewOfSection);
if ( !ZwUnmapViewOfSection )
{
printf("Get ZwUnmapViewOfSection Error.\n");
goto __exit;
}
// Create the suspended target; on failure the global pi stays zeroed and we bail out.
if ( !CreateIEProcess() )
{
goto __exit;
}
printf("TargetProcessId : %d.\n",pi.dwProcessId);
// Base address and SizeOfImage of *this* executable: the payload written into the
// target is our own already-loaded image (see the WriteProcessMemory call below).
HMODULE hModuleBase = GetModuleHandleA(NULL);
printf("hModuleBase : 0x%08X.\n",hModuleBase);
DWORD dwImageSize = GetCurModuleSize((DWORD)hModuleBase);
printf("ModuleSize : 0x%08X\n",dwImageSize);
// Initial-thread context of the suspended target. The return value is not checked,
// so if the call fails ThreadCxt.Ebx below is an uninitialised value.
CONTEXT ThreadCxt;
ThreadCxt.ContextFlags = CONTEXT_FULL;
GetThreadContext(pi.hThread,&ThreadCxt);
// The code relies on Ebx of a not-yet-started 32-bit thread holding the PEB address
// (loader convention; the same convention lets Eax carry the entry point below).
printf("Target PEB Addr : 0x%08X.\n",ThreadCxt.Ebx);
DWORD dwRemoteImageBase = GetRemoteProcessImageBase(ThreadCxt.Ebx);
printf("RemoteImageBase : 0x%08X.\n",dwRemoteImageBase);
// Unmap the target's original executable image; the NTSTATUS result is ignored.
ZwUnmapViewOfSection(pi.hProcess,(LPVOID)dwRemoteImageBase);
// Reserve+commit RWX memory in the target at our own base address, so the copied
// image needs no relocation. RWX private memory in another process is itself a
// strong detection signal.
LPVOID lpAlloAddr = VirtualAllocEx(
pi.hProcess,
hModuleBase,
dwImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if ( lpAlloAddr )
{
printf("Alloc Remote Addr OK.\n");
}
else
{
// NOTE(review): allocation failure is only reported; execution continues and the
// WriteProcessMemory below targets memory that was never allocated.
printf("Alloc Remote Addr Error.\n");
}
// Copy dwImageSize bytes starting at our module base into the target at the same
// address. Since this is the loaded image rather than the file, it presumably
// assumes the DLLs our import table points to sit at the same addresses in the
// target -- TODO confirm. The "OK" message is printed whether or not the write
// succeeded (return value unchecked).
WriteProcessMemory(
pi.hProcess,hModuleBase,
hModuleBase,dwImageSize,NULL );
printf("Write Image data OK.\n");
// Redirect the initial thread: Eax is treated as the address the loader will jump
// to once the thread is resumed; the rest of the context is left as read above.
ThreadCxt.ContextFlags = CONTEXT_FULL;
ThreadCxt.Eax = GetNewEntryPoint();
SetThreadContext(pi.hThread,&ThreadCxt);
ResumeThread(pi.hThread);
printf("finished.\n");
__exit:
//TerminateProcess(pi.hProcess,0);
system("pause");
return 0;
}
// Start Internet Explorer from a hard-coded path with its initial thread suspended and
// store the handles in the global pi. Returns the BOOL from CreateProcessW.
// The resulting process carries IE's image path and name but (after _tmain) none of
// IE's code, so a defender should compare the mapped image with the on-disk file
// rather than trusting the path in the process list.
// NOTE(review): STARTUPINFO resolves to STARTUPINFOW only when UNICODE is defined;
// otherwise this CreateProcessW call does not type-check. The command line is a
// writable wchar_t array rather than a string literal because CreateProcessW may
// modify its second argument.
BOOL CreateIEProcess()
{
wchar_t wszIePath[] = L"C:\\Program Files\\Internet Explorer\\iexplore.exe";
STARTUPINFO si = {0};
si.cb = sizeof(si);
BOOL bRet;
// CREATE_SUSPENDED: the process exists and its image is mapped, but no instruction
// has run yet, which is the window the injector uses.
bRet = CreateProcessW(
NULL,wszIePath,
NULL,NULL,FALSE,CREATE_SUSPENDED,
NULL,NULL,
&si,&pi );
if ( bRet )
printf("Create IE Ok.\n");
else
printf("Create IE error.\n");
return bRet;
}
// Walk the in-memory PE headers of a loaded module (DOS header -> e_lfanew -> NT
// headers) and return OptionalHeader.SizeOfImage, i.e. the number of bytes the
// mapped image spans. dwModuleBase must be the base of a mapped PE image; nothing
// here validates the MZ/PE signatures, so a bad base dereferences arbitrary memory.
DWORD GetCurModuleSize(DWORD dwModuleBase)
{
PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)dwModuleBase;
PIMAGE_NT_HEADERS pNtHdr = (PIMAGE_NT_HEADERS)(dwModuleBase + pDosHdr->e_lfanew);
return pNtHdr->OptionalHeader.SizeOfImage;
}
// Read the 32-bit ImageBaseAddress field (PEB offset 0x8, per the windbg dump kept
// below) out of the target process's PEB, using the global pi.hProcess.
// The ReadProcessMemory result is ignored, so on failure dwBaseRet is returned
// uninitialised and the caller goes on to unmap whatever address that happens to be.
DWORD GetRemoteProcessImageBase(DWORD dwPEB)
{
DWORD dwBaseRet;
ReadProcessMemory(pi.hProcess,(LPVOID)(dwPEB+8),&dwBaseRet,sizeof(DWORD),NULL);
return dwBaseRet;
/*
lkd> dt_peb
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 SpareBits : Pos 1, 7 Bits
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
*/
}
// Address written into the target thread's Eax by _tmain. Because the image is copied
// to the same base address in the target, this function pointer is valid there too.
DWORD GetNewEntryPoint()
{
return (DWORD)TestFunc;
}
// Payload that runs inside the hollowed target in place of its original entry point;
// it only shows a message box to prove the redirection worked. Presumably kept to a
// single Win32 call because no CRT initialisation has run in the target -- confirm.
void TestFunc()
{
MessageBoxA(0,"Injected OK","123",0);
}