叙述得不是很清楚,因为口齿不伶俐,请各位老师谅解。
这是我断下的,不知道是不是正确的。问题是:
1] JMP 003F38A4 '这里跳到003F38A4,是不是就可以让程序跳过打开网址这一步?
2] jmp 003F39FC '自己设了个跳走,不知道是不是对的。这里是不是有个判断?因为程序第一次运行会跳到这个http://chion.ys168.com
网址,以后再次运行或重装这个程序也不会再跳到这个网址,想知道是怎么回事。如果有判断和验证,那在什么地方?
请前辈们赐教. 有附件
003F3864 |. /75 65 jnz short 003F38CB
003F3866 |. |B3 01 mov bl, 1
003F3868 |. |EB 61 jmp short 003F38CB
003F386A |> /68 F4010000 /push 1F4 ; /Timeout = 500. ms
003F386F |. |E8 587EFFFF |call <jmp.&kernel32.Sleep> ; \Sleep
JMP 003F38A4 '这里跳到003F38A4,是不是就可以让程序跳过这个打开网址?.
003F3874 |. |8D55 FC |lea edx, dword ptr [ebp-4]
003F3877 |. |B8 4C393F00 |mov eax, 003F394C ; ASCII "chion.ys168.com"
003F387C |. |E8 7BFDFFFF |call 003F35FC
003F3881 |. |84C0 |test al, al
003F3883 |. |74 3C |je short 003F38C1
003F3885 |. |6A 01 |push 1 ; /IsShown = 1
003F3887 |. |6A 00 |push 0 ; |DefDir = NULL
003F3889 |. |6A 00 |push 0 ; |Parameters = NULL
003F388B |. |68 5C393F00 |push 003F395C ; |FileName = "http://chion.ys168.com"
003F3890 |. |68 74393F00 |push 003F3974 ; |Operation = "open"
003F3895 |. |6A 00 |push 0 ; |hWnd = NULL
003F3897 |. |E8 1C89FFFF |call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
003F389C |. |E8 AF4DFFFF |call 003E8650
003F38A1 |. |83C4 F8 |add esp, -8
003F38A4 |. |DD1C24 |fstp qword ptr [esp]
003F38A7 |. |9B |wait
003F38A8 |. |8D45 EC |lea eax, dword ptr [ebp-14]
003F38AB |. |E8 E059FFFF |call 003E9290
003F38B0 |. |8B4D EC |mov ecx, dword ptr [ebp-14]
003F38B3 |. |BA 3C393F00 |mov edx, 003F393C ; ASCII "tday"
003F38B8 |. |8BC6 |mov eax, esi
003F38BA |. |E8 31F4FFFF |call 003F2CF0
003F38BF |. |EB 0E |jmp short 003F38CF
003F38C1 |> |68 E8030000 |push 3E8 ; /Timeout = 1000. ms
003F38C6 |. |E8 017EFFFF |call <jmp.&kernel32.Sleep> ; \Sleep
003F38CB |> |84DB test bl, bl
003F38CD |.^\74 9B \je short 003F386A
003F38CF |> 8BC6 mov eax, esi
003F38D1 |. E8 EAF1FFFF call 003F2AC0
003F38D6 |. 8BC6 mov eax, esi
003F38D8 |. E8 E7F8FEFF call 003E31C4
003F38DD |. 33C0 xor eax, eax
003F38DF |. 5A pop edx
003F38E0 |. 59 pop ecx
003F38E1 |. 59 pop ecx
003F38E2 |. 64:8910 mov dword ptr fs:[eax], edx
003F38E5 |. 68 07393F00 push 003F3907
003F38EA |> 8D45 EC lea eax, dword ptr [ebp-14]
003F38ED |. E8 4204FFFF call 003E3D34
003F38F2 |. 8D45 F8 lea eax, dword ptr [ebp-8]
003F38F5 |. BA 02000000 mov edx, 2
003F38FA |. E8 5904FFFF call 003E3D58
003F38FF \. C3 retn
003F3900 .^ E9 A7FDFEFF jmp 003E36AC
003F3905 .^ EB E3 jmp short 003F38EA
003F3907 . 5E pop esi
003F3908 . 5B pop ebx
003F3909 . 8BE5 mov esp, ebp
003F390B . 5D pop ebp
003F390C . C3 retn
003F390D 00 db 00
003F390E 00 db 00
003F390F 00 db 00
003F3910 . FFFFFFFF dd FFFFFFFF
003F3914 . 16000000 dd 00000016
003F3918 . 5C 53 6F 66 7>ascii "\Software\Titan "
003F3928 . 44 65 73 69 6>ascii "Design",0
003F392F 00 db 00
003F3930 . 0000803F dd float 1.000000
003F3934 . FFFFFFFF dd FFFFFFFF
003F3938 . 04000000 dd 00000004
003F393C . 74 64 61 79 0>ascii "tday",0
003F3941 00 db 00
003F3942 00 db 00
003F3943 00 db 00
003F3944 . FFFFFFFF dd FFFFFFFF
003F3948 . 0F000000 dd 0000000F
003F394C . 63 68 69 6F 6>ascii "chion.ys168.com",0
003F395C . 68 74 74 70 3>ascii "http://chion.ys1"
003F396C . 36 38 2E 63 6>ascii "68.com",0
003F3973 00 db 00
003F3974 . 6F 70 65 6E 0>ascii "open",0
003F3979 00 db 00
003F397A 00 db 00
003F397B 00 db 00
jmp 003F39FC '自己设了个跳走,不知道是不是对的。这里是不是有个判断?因为程序第一次运行会跳到这个http://chion.ys168.com网址,以后再次运行或重装这个程序也不会再跳到这个网址,想知道是怎么回事。如果有判断和验证,那在什么地方?
; 003F397C: reserves one stack slot (reused below as the OpenMutexA handle and then
; as CreateThread's pThreadId), asks 003F3788 whether to probe the named mutex,
; optionally calls 003F2EE8 / 003E5BEC, and finally starts a thread at 003F37D0.
; The calling conventions of 003F3788, 003F2F18, 003F2EE8 and 003E5BEC are not
; visible in this listing.
003F397C >/$ 51 push ecx ; reserve a 4-byte slot at [esp]
003F397D |. E8 06FEFFFF call 003F3788 ; result in al
003F3982 |. 84C0 test al, al
003F3984 |. 75 28 jnz short 003F39AE ; nonzero -> skip the mutex probe
估计下面有个判断ture,false,具体关键在哪呢?
003F3986 |. 68 E4393F00 push 003F39E4 ; /MutexName = "http://chion.ys168.com"
003F398B |. 6A 00 push 0 ; |Inheritable = FALSE
003F398D |. 68 01001F00 push 1F0001 ; |Access = 1F0001 (MUTEX_ALL_ACCESS)
003F3992 |. E8 3523FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA ; eax = handle, or 0 on failure
003F3997 |. 890424 mov dword ptr [esp], eax ; keep the handle in the reserved slot
003F399A |. 833C24 00 cmp dword ptr [esp], 0
003F399E |. 76 0E jbe short 003F39AE ; unsigned <= 0 is just == 0: no handle -> skip
003F39A0 |. E8 73F5FFFF call 003F2F18 ; reached only when OpenMutexA succeeded
003F39A5 |. 8B0424 mov eax, dword ptr [esp]
003F39A8 |. 50 push eax ; /hObject
003F39A9 |. E8 1622FFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
003F39AE |> BA 043A3F00 mov edx, 003F3A04 ; ASCII "MAINUI.EXE"
003F39B3 |. A1 8C583F00 mov eax, dword ptr [3F588C] ; global at 3F588C (contents not shown here)
003F39B8 |. E8 2BF5FFFF call 003F2EE8 ; eax = global, edx = "MAINUI.EXE"; result in al
003F39BD |. 84C0 test al, al
003F39BF |. 74 0E je short 003F39CF ; zero -> skip the 003E5BEC call
003F39C1 |. 68 E4393F00 push 003F39E4 ; ASCII "http://chion.ys168.com" (same string as the mutex name)
003F39C6 |. 6A 00 push 0
003F39C8 |. 6A 00 push 0
003F39CA |. E8 1D22FFFF call 003E5BEC ; three stack args: URL pushed first, then 0, 0
003F39CF |> 54 push esp ; /pThreadId -> the slot reserved by push ecx
003F39D0 |. 6A 00 push 0 ; |CreationFlags = 0
003F39D2 |. 6A 00 push 0 ; |pThreadParm = NULL
003F39D4 |. 68 D0373F00 push 003F37D0 ; |ThreadFunction = libui.003F37D0
003F39D9 |. 6A 00 push 0 ; |StackSize = 0
003F39DB |. 6A 00 push 0 ; |pSecurity = NULL
003F39DD |. E8 2A22FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread ; eax = thread handle, not closed here
003F39E2 |. 5A pop edx ; drop the slot; eax still holds CreateThread's result
003F39E3 \. C3 retn
003F39E4 . 68 74 74 70 3>ascii "http://chion.ys1"
003F39F4 . 36 38 2E 63 6>ascii "68.com",0
003F39FB 00 db 00
003F39FC . FFFFFFFF dd FFFFFFFF
003F3A00 . 0A000000 dd 0000000A
003F3A04 . 4D 41 49 4E 5>ascii "MAINUI.EXE",0
003F3A0F 00 db 00
; 003F3A10: increments the counter at [3F5890] inside an exception frame and, only
; when the increment lands on zero, calls 003E3D34 with eax = 003F588C. Listed in the
; table at 003F3B64 next to 003F3A4C, which undoes the increment.
003F3A10 . 55 push ebp
003F3A11 . 8BEC mov ebp, esp
003F3A13 . 33C0 xor eax, eax ; eax = 0 -> fs:[0], the exception-frame chain head
003F3A15 . 55 push ebp
003F3A16 . 68 413A3F00 push 003F3A41 ; handler stub for this frame (jumps to 003E36AC)
003F3A1B . 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0]
003F3A1E . 64:8920 mov dword ptr fs:[eax], esp ; link the new frame in
003F3A21 . FF05 90583F00 inc dword ptr [3F5890] ; ZF set only if the counter became 0
003F3A27 . 75 0A jnz short 003F3A33
003F3A29 . B8 8C583F00 mov eax, 003F588C ; address of the global read at 003F39B3
003F3A2E . E8 0103FFFF call 003E3D34 ; same helper as at 003F38ED, which passes a stack local in eax
003F3A33 > 33C0 xor eax, eax
003F3A35 . 5A pop edx ; edx = saved fs:[0]
003F3A36 . 59 pop ecx ; discard handler stub address
003F3A37 . 59 pop ecx ; discard saved ebp
003F3A38 . 64:8910 mov dword ptr fs:[eax], edx ; unlink the frame
003F3A3B . 68 483A3F00 push 003F3A48
003F3A40 > C3 retn ; RET used as a jump to 003F3A48
003F3A41 .^ E9 66FCFEFF jmp 003E36AC ; handler stub; 003F3A46 is reachable only if 003E36AC transfers control back here
003F3A46 .^ EB F8 jmp short 003F3A40
003F3A48 > 5D pop ebp
003F3A49 . C3 retn
003F3A4A 8BC0 mov eax, eax
; 003F3A4C: undoes the increment done at 003F3A21; paired with 003F3A10 in the table at 003F3B60/003F3B64.
003F3A4C . 832D 90583F00>sub dword ptr [3F5890], 1
003F3A53 . C3 retn
; 003F3A54: returns al = 0 on the normal path and al = 1 only if the CloseHandle call
; below raised an exception that the frame installed here caught. The argument
; 99999998 is a constant, not a handle obtained anywhere, so the call exists for that
; side effect alone: with a debugger attached Windows reports an invalid handle passed
; to CloseHandle as an exception, where without one the call simply fails. This reads
; as a debugger-presence probe — NOTE(review): inferred from the code shape; confirm
; what 003E3580 does with the exception. Callers: 003F3BAA and the loop at 003F3A94.
003F3A54 $ 55 push ebp
003F3A55 . 8BEC mov ebp, esp
003F3A57 . 53 push ebx ; bl carries the result across the frame
003F3A58 . 56 push esi
003F3A59 . 57 push edi
003F3A5A . 33C0 xor eax, eax ; eax = 0 -> fs:[0]
003F3A5C . 55 push ebp
003F3A5D . 68 7E3A3F00 push 003F3A7E ; handler stub; jumps to 003E3580, unlike the 003E36AC frames at 003F3A10 / 003F3AA8
003F3A62 . 64:FF30 push dword ptr fs:[eax]
003F3A65 . 64:8920 mov dword ptr fs:[eax], esp ; frame live from here to 003F3A79
003F3A68 . 68 98999999 push 99999998 ; /hObject = 99999998 ; constant, not a real handle
003F3A6D . E8 5221FFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle ; return value ignored
003F3A72 . 33DB xor ebx, ebx ; no exception -> result 0
003F3A74 . 33C0 xor eax, eax
003F3A76 . 5A pop edx
003F3A77 . 59 pop ecx
003F3A78 . 59 pop ecx
003F3A79 . 64:8910 mov dword ptr fs:[eax], edx ; unlink the frame
003F3A7C . EB 0C jmp short 003F3A8A
003F3A7E .^ E9 FDFAFEFF jmp 003E3580 ; handler stub
003F3A83 . B3 01 mov bl, 1 ; reached only if 003E3580 dispatches here; result 1
003F3A85 . E8 D6FCFEFF call 003E3760
003F3A8A > 8BC3 mov eax, ebx ; al = 0 or 1
003F3A8C . 5F pop edi
003F3A8D . 5E pop esi
003F3A8E . 5B pop ebx
003F3A8F . 5D pop ebp
003F3A90 . C3 retn
003F3A91 8D40 00 lea eax, dword ptr [eax]
; 003F3A94: thread body started at 003F3BFA. Calls 003F3A54 every 500 ms forever;
; the result in al is never tested, and the retn at 003F3AA5 is unreachable.
003F3A94 > E8 BBFFFFFF call 003F3A54 ; result in al, ignored
003F3A99 . 68 F4010000 push 1F4 ; /Timeout = 500. ms
003F3A9E . E8 297CFFFF call <jmp.&kernel32.Sleep> ; \Sleep
003F3AA3 .^ EB EF jmp short 003F3A94 ; unconditional -> infinite loop
003F3AA5 . C3 retn ; unreachable
003F3AA6 8BC0 mov eax, eax
; 003F3AA8: installs an exception frame and unlinks it again with nothing in between;
; same frame shape as 003F3A10. Its address is stored at 003F3B6C.
003F3AA8 . 55 push ebp
003F3AA9 . 8BEC mov ebp, esp
003F3AAB . 33C0 xor eax, eax ; eax = 0 -> fs:[0]
003F3AAD . 55 push ebp
003F3AAE . 68 C73A3F00 push 003F3AC7 ; handler stub (jumps to 003E36AC)
003F3AB3 . 64:FF30 push dword ptr fs:[eax]
003F3AB6 . 64:8920 mov dword ptr fs:[eax], esp ; link the frame in
003F3AB9 . 33C0 xor eax, eax
003F3ABB . 5A pop edx
003F3ABC . 59 pop ecx
003F3ABD . 59 pop ecx
003F3ABE . 64:8910 mov dword ptr fs:[eax], edx ; unlink the frame
003F3AC1 . 68 CE3A3F00 push 003F3ACE
003F3AC6 > C3 retn ; RET used as a jump to 003F3ACE
003F3AC7 .^ E9 E0FBFEFF jmp 003E36AC ; handler stub
003F3ACC .^ EB F8 jmp short 003F3AC6
003F3ACE > 5D pop ebp
003F3ACF . C3 retn
003F3AD0 13 db 13
003F3AD1 00 db 00
003F3AD2 00 db 00
003F3AD3 00 db 00
003F3AD4 . D83A3F00 dd libui.003F3AD8
003F3AD8 . 545B3E00 dd libui.003E5B54
003F3ADC . 245B3E00 dd libui.003E5B24
003F3AE0 . 98583E00 dd libui.003E5898
003F3AE4 . 44583E00 dd libui.003E5844
003F3AE8 . 8C5B3E00 dd libui.003E5B8C
003F3AEC . 5C5B3E00 dd libui.003E5B5C
003F3AF0 . 7C5D3E00 dd libui.003E5D7C
003F3AF4 . 4C5D3E00 dd libui.003E5D4C
003F3AF8 . 94603E00 dd libui.003E6094
003F3AFC . 64603E00 dd libui.003E6064
003F3B00 . E0C03E00 dd libui.003EC0E0
003F3B04 . 60BF3E00 dd libui.003EBF60
003F3B08 . 28C23E00 dd libui.003EC228
003F3B0C . F8C13E00 dd libui.003EC1F8
003F3B10 . ACF33E00 dd libui.003EF3AC
003F3B14 . 7CF33E00 dd libui.003EF37C
003F3B18 . 28CA3E00 dd libui.003ECA28
003F3B1C . F8C93E00 dd libui.003EC9F8
003F3B20 . 9CF13E00 dd libui.003EF19C
003F3B24 . 24F13E00 dd libui.003EF124
003F3B28 . F0F23E00 dd libui.003EF2F0
003F3B2C . C0F23E00 dd libui.003EF2C0
003F3B30 . 74F33E00 dd libui.003EF374
003F3B34 . 24F33E00 dd libui.003EF324
003F3B38 . F4273F00 dd libui.003F27F4
003F3B3C . 44273F00 dd libui.003F2744
003F3B40 . E8283F00 dd libui.003F28E8
003F3B44 . A0283F00 dd libui.003F28A0
003F3B48 . E02E3F00 dd libui.003F2EE0
003F3B4C . 982E3F00 dd libui.003F2E98
003F3B50 . F0C13E00 dd libui.003EC1F0
003F3B54 . C0C13E00 dd libui.003EC1C0
003F3B58 . B0C13E00 dd libui.003EC1B0
003F3B5C . 80C13E00 dd libui.003EC180
003F3B60 . 4C3A3F00 dd libui.003F3A4C
003F3B64 . 103A3F00 dd libui.003F3A10
003F3B68 00 db 00
003F3B69 00 db 00
003F3B6A 00 db 00
003F3B6B 00 db 00
003F3B6C . A83A3F00 dd libui.003F3AA8
; 003F3B70: fills the global buffer at 003F58A0 with the host executable's path, then,
; unless 003F3A54 returns nonzero, derives three string locals from that buffer,
; passes the last one together with the global [3F458C] to 003E3D88, and starts the
; polling thread 003F3A94 (thread id written to 003F589C). Local cleanup runs at
; 003F3C0C; the retn at 003F3C19 continues at 003F3C21, which is outside this listing.
003F3B70 >/$ 55 push ebp
003F3B71 |. 8BEC mov ebp, esp
003F3B73 |. 83C4 B8 add esp, -48 ; 0x48 bytes of locals
003F3B76 |. 33C0 xor eax, eax
003F3B78 |. 8945 C0 mov dword ptr [ebp-40], eax ; three locals zeroed before the frame is installed
003F3B7B |. 8945 BC mov dword ptr [ebp-44], eax
003F3B7E |. 8945 B8 mov dword ptr [ebp-48], eax
003F3B81 |. B8 D03A3F00 mov eax, 003F3AD0 ; table at 003F3AD0 (dd 13 followed by address pairs)
003F3B86 |. E8 511FFFFF call 003E5ADC
003F3B8B |. 33C0 xor eax, eax ; eax = 0 -> fs:[0]
003F3B8D |. 55 push ebp
003F3B8E |. 68 1A3C3F00 push 003F3C1A ; handler stub (jumps to 003E36AC); cleanup re-enters at 003F3C0C
003F3B93 |. 64:FF30 push dword ptr fs:[eax]
003F3B96 |. 64:8920 mov dword ptr fs:[eax], esp ; link the frame in
003F3B99 |. 68 04010000 push 104 ; /BufSize = 104 (260.) = MAX_PATH
003F3B9E |. 68 A0583F00 push 003F58A0 ; |PathBuffer = libui.003F58A0 (global buffer)
003F3BA3 |. 6A 00 push 0 ; |hModule = NULL -> path of the process executable, not of this DLL
003F3BA5 |. E8 DA20FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA ; returned length not checked
003F3BAA |. E8 A5FEFFFF call 003F3A54 ; al = 1 only if the CloseHandle probe inside 003F3A54 raised
003F3BAF |. 84C0 test al, al
003F3BB1 |. 75 4C jnz short 003F3BFF ; nonzero -> skip everything below; no thread is started
003F3BB3 |. 8D45 B8 lea eax, dword ptr [ebp-48] ; destination local
003F3BB6 |. BA A0583F00 mov edx, 003F58A0 ; source = the path buffer
003F3BBB |. B9 05010000 mov ecx, 105 ; 261, one more than the 104 passed to GetModuleFileNameA; 003E3FA4's contract is not visible
003F3BC0 |. E8 DF03FFFF call 003E3FA4
003F3BC5 |. 8B45 B8 mov eax, dword ptr [ebp-48]
003F3BC8 |. 8D55 BC lea edx, dword ptr [ebp-44]
003F3BCB |. E8 B037FFFF call 003E7380 ; [ebp-48] -> [ebp-44]
003F3BD0 |. 8B45 BC mov eax, dword ptr [ebp-44]
003F3BD3 |. 8D55 C0 lea edx, dword ptr [ebp-40]
003F3BD6 |. E8 D530FFFF call 003E6CB0 ; [ebp-44] -> [ebp-40]
003F3BDB |. 8B55 C0 mov edx, dword ptr [ebp-40]
003F3BDE |. A1 8C453F00 mov eax, dword ptr [3F458C] ; global at 3F458C (contents not shown here)
003F3BE3 |. E8 A001FFFF call 003E3D88 ; eax = global, edx = [ebp-40]
003F3BE8 |. 68 9C583F00 push 003F589C ; /pThreadId = libui.003F589C
003F3BED |. 6A 00 push 0 ; |CreationFlags = 0
003F3BEF |. 6A 00 push 0 ; |pThreadParm = NULL
003F3BF1 |. 68 943A3F00 push 003F3A94 ; |ThreadFunction = libui.003F3A94 (the 500 ms polling loop)
003F3BF6 |. 6A 00 push 0 ; |StackSize = 0
003F3BF8 |. 6A 00 push 0 ; |pSecurity = NULL
003F3BFA |. E8 0D20FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread ; handle in eax is overwritten at 003F3BFF and never closed
003F3BFF |> 33C0 xor eax, eax
003F3C01 |. 5A pop edx
003F3C02 |. 59 pop ecx
003F3C03 |. 59 pop ecx
003F3C04 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink the frame
003F3C07 |. 68 213C3F00 push 003F3C21 ; continuation address after cleanup (not in this listing)
003F3C0C |> 8D45 B8 lea eax, dword ptr [ebp-48]
003F3C0F |. BA 03000000 mov edx, 3 ; presumably a count: three locals from [ebp-48]; 003F38FA calls the same helper with edx = 2
003F3C14 |. E8 3F01FFFF call 003E3D58
003F3C19 \. C3 retn ; RET used as a jump to 003F3C21
003F3C1A .^ E9 8DFAFEFF jmp 003E36AC ; handler stub
003F3C1F .^ EB EB jmp short 003F3C0C ; back into the cleanup path