[求助]程序修改一闪就消失-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]程序修改一闪就消失 0.00雪花

发表于: 2012-11-7 21:16 1221

[旧帖] [求助]程序修改一闪就消失 0.00雪花

suntan

2012-11-7 21:16

1221

我用PEID检测显示的是Microsoft Visual C++ 8 *，可是载入OD后就来到下面代码了：
0075AFA5 > $  E8 9E050000 call 123.0075B548                      ;  (Initial CPU selection)
0075AFAA .^ E9 36FDFFFF jmp 123.0075ACE5
0075AFAF    CC          int3
0075AFB0 $- FF25 34027700 jmp dword ptr ds:[<&MSVCR90._CIcos>]    ;  MSVCR90._CIcos
0075AFB6 $- FF25 38027700 jmp dword ptr ds:[<&MSVCR90._CIsin>]    ;  MSVCR90._CIsin
0075AFBC $- FF25 3C027700 jmp dword ptr ds:[<&MSVCR90._CIsqrt>] ;  MSVCR90._CIsqrt
0075AFC2 $- FF25 40027700 jmp dword ptr ds:[<&MSVCR90._CIatan2>] ;  MSVCR90._CIatan2
0075AFC8 $- FF25 44027700 jmp dword ptr ds:[<&MSVCR90._CItan>]    ;  MSVCR90._CItan
0075AFCE $- FF25 48027700 jmp dword ptr ds:[<&MSVCR90._CIatan>] ;  MSVCR90._CIatan
0075AFD4 $- FF25 4C027700 jmp dword ptr ds:[<&MSVCR90._CIacos>] ;  MSVCR90._CIacos
0075AFDA $- FF25 50027700 jmp dword ptr ds:[<&MSVCR90._CIasin>] ;  MSVCR90._CIasin
0075AFE0  /$  53          push ebx
0075AFE1  |.  56          push esi
0075AFE2  |.  8B4424 18    mov eax,dword ptr ss:[esp+18]
0075AFE6  |.  0BC0       or eax,eax
0075AFE8  |.  75 18       jnz short 123.0075B002
0075AFEA  |.  8B4C24 14    mov ecx,dword ptr ss:[esp+14]
0075AFEE  |.  8B4424 10    mov eax,dword ptr ss:[esp+10]
0075AFF2  |.  33D2       xor edx,edx
0075AFF4  |.  F7F1       div ecx
0075AFF6  |.  8BD8       mov ebx,eax
0075AFF8  |.  8B4424 0C    mov eax,dword ptr ss:[esp+C]
0075AFFC  |.  F7F1       div ecx
0075AFFE  |.  8BD3       mov edx,ebx
0075B000  |.  EB 41       jmp short 123.0075B043
0075B002  |>  8BC8       mov ecx,eax
0075B004  |.  8B5C24 14    mov ebx,dword ptr ss:[esp+14]
0075B008  |.  8B5424 10    mov edx,dword ptr ss:[esp+10]
0075B00C  |.  8B4424 0C    mov eax,dword ptr ss:[esp+C]
0075B010  |>  D1E9       /shr ecx,1
0075B012  |.  D1DB       |rcr ebx,1
0075B014  |.  D1EA       |shr edx,1
0075B016  |.  D1D8       |rcr eax,1
0075B018  |.  0BC9       |or ecx,ecx
0075B01A  |.^ 75 F4       \jnz short 123.0075B010
0075B01C  |.  F7F3       div ebx
0075B01E  |.  8BF0       mov esi,eax
0075B020  |.  F76424 18    mul dword ptr ss:[esp+18]
0075B024  |.  8BC8       mov ecx,eax
0075B026  |.  8B4424 14    mov eax,dword ptr ss:[esp+14]
0075B02A  |.  F7E6       mul esi
0075B02C  |.  03D1       add edx,ecx
0075B02E  |.  72 0E       jb short 123.0075B03E
0075B030  |.  3B5424 10    cmp edx,dword ptr ss:[esp+10]
0075B034  |.  77 08       ja short 123.0075B03E
0075B036  |.  72 07       jb short 123.0075B03F
0075B038  |.  3B4424 0C    cmp eax,dword ptr ss:[esp+C]
0075B03C  |.  76 01       jbe short 123.0075B03F
0075B03E  |>  4E          dec esi
0075B03F  |>  33D2       xor edx,edx
0075B041  |.  8BC6       mov eax,esi
0075B043  |>  5E          pop esi
0075B044  |.  5B          pop ebx
0075B045  \.  C2 1000    retn 10

这个程序是不是还有壳啊？入口怎么这么怪异？还有0075AFAA .^ E9 36FDFFFF jmp 123.0075ACE5
这一句跳转到下面的代码：
0075ACE5 > /6A 58       push 58
0075ACE7 . |68 80E97A00 push 123.007AE980
0075ACEC . |E8 AF050000 call 123.0075B2A0
0075ACF1 . |33DB       xor ebx,ebx
0075ACF3 . |895D E4    mov dword ptr ss:[ebp-1C],ebx
0075ACF6 . |895D FC    mov dword ptr ss:[ebp-4],ebx
0075ACF9 . |8D45 98    lea eax,dword ptr ss:[ebp-68]
0075ACFC . |50          push eax                               ; /pStartupinfo
0075ACFD . |FF15 00017700 call dword ptr ds:[<&KERNEL32.GetStartup>; \GetStartupInfoA
0075AD03 . |C745 FC FEFFF>mov dword ptr ss:[ebp-4],-2
0075AD0A . |C745 FC 01000>mov dword ptr ss:[ebp-4],1
0075AD11 . |64:A1 1800000>mov eax,dword ptr fs:[18]
0075AD17 . |8B70 04    mov esi,dword ptr ds:[eax+4]
0075AD1A . |BF E0128600 mov edi,123.008612E0
0075AD1F > |6A 00       push 0                                  ; /Arg3 = 00000000
0075AD21 . |56          push esi                               ; |Arg2
0075AD22 . |57          push edi                               ; |Arg1
0075AD23 . |FF15 04017700 call dword ptr ds:[<&KERNEL32.Interlocke>; \InterlockedCompareExchange
0075AD29 . |85C0       test eax,eax
0075AD2B . |74 18       je short 123.0075AD45
0075AD2D . |3BC6       cmp eax,esi
0075AD2F . |75 07       jnz short 123.0075AD38
0075AD31 . |33F6       xor esi,esi
0075AD33 . |46          inc esi
0075AD34 . |8BDE       mov ebx,esi
0075AD36 . |EB 10       jmp short 123.0075AD48
0075AD38 > |68 E8030000 push 3E8                               ; /Timeout = 1000. ms
0075AD3D . |FF15 BC017700 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
0075AD43 .^|EB DA       jmp short 123.0075AD1F
0075AD45 > |33F6       xor esi,esi
0075AD47 . |46          inc esi
0075AD48 > |A1 DC128600 mov eax,dword ptr ds:[8612DC]
0075AD4D . |3BC6       cmp eax,esi
0075AD4F . |75 0A       jnz short 123.0075AD5B
0075AD51 . |6A 1F       push 1F
0075AD53 . |E8 0A060000 call <jmp.&MSVCR90._amsg_exit>
0075AD58 . |59          pop ecx
0075AD59 . |EB 2F       jmp short 123.0075AD8A
0075AD5B > |A1 DC128600 mov eax,dword ptr ds:[8612DC]
0075AD60 . |85C0       test eax,eax
0075AD62 . |75 20       jnz short 123.0075AD84
0075AD64 . |8935 DC128600 mov dword ptr ds:[8612DC],esi
0075AD6A . |68 E0177700 push 123.007717E0
0075AD6F . |68 D0177700 push 123.007717D0
0075AD74 . |E8 9B070000 call <jmp.&MSVCR90._initterm_e>
0075AD79 . |59          pop ecx
0075AD7A . |59          pop ecx
0075AD7B . |85C0       test eax,eax
0075AD7D . |74 0B       je short 123.0075AD8A
0075AD7F . |E9 2E010000 jmp 123.0075AEB2
0075AD84 > |8935 900F8600 mov dword ptr ds:[860F90],esi
0075AD8A > |A1 DC128600 mov eax,dword ptr ds:[8612DC]
0075AD8F . |3BC6       cmp eax,esi
0075AD91 . |75 1B       jnz short 123.0075ADAE
0075AD93 . |68 CC177700 push 123.007717CC
0075AD98 . |68 80167700 push 123.00771680
0075AD9D . |E8 6C070000 call <jmp.&MSVCR90._initterm>
0075ADA2 . |59          pop ecx
0075ADA3 . |59          pop ecx
0075ADA4 . |C705 DC128600>mov dword ptr ds:[8612DC],2
0075ADAE > |85DB       test ebx,ebx
0075ADB0 . |75 08       jnz short 123.0075ADBA
0075ADB2 . |53          push ebx                               ; /NewValue
0075ADB3 . |57          push edi                               ; |pTarget
0075ADB4 . |FF15 08017700 call dword ptr ds:[<&KERNEL32.Interlocke>; \InterlockedExchange
0075ADBA > |833D E8128600>cmp dword ptr ds:[8612E8],0
0075ADC1 . |74 1B       je short 123.0075ADDE
0075ADC3 . |68 E8128600 push 123.008612E8
0075ADC8 . |E8 83060000 call 123.0075B450
0075ADCD . |59          pop ecx
0075ADCE . |85C0       test eax,eax
0075ADD0 . |74 0C       je short 123.0075ADDE
0075ADD2 . |6A 00       push 0
0075ADD4 . |6A 02       push 2
0075ADD6 . |6A 00       push 0
0075ADD8 . |FF15 E8128600 call dword ptr ds:[8612E8]
0075ADDE > |A1 94027700 mov eax,dword ptr ds:[<&MSVCR90._acmdln>>
0075ADE3 . |8B30       mov esi,dword ptr ds:[eax]
0075ADE5 > |8975 E0    mov dword ptr ss:[ebp-20],esi
0075ADE8 . |8A06       mov al,byte ptr ds:[esi]
0075ADEA . |3C 20       cmp al,20
0075ADEC . |77 4C       ja short 123.0075AE3A
0075ADEE . |84C0       test al,al
0075ADF0 . |74 06       je short 123.0075ADF8
0075ADF2 . |837D E4 00 cmp dword ptr ss:[ebp-1C],0
0075ADF6 . |75 42       jnz short 123.0075AE3A
0075ADF8 > |8A06       mov al,byte ptr ds:[esi]
0075ADFA . |84C0       test al,al
0075ADFC . |74 0A       je short 123.0075AE08
0075ADFE . |3C 20       cmp al,20
0075AE00 . |77 06       ja short 123.0075AE08
0075AE02 . |46          inc esi
0075AE03 . |8975 E0    mov dword ptr ss:[ebp-20],esi
0075AE06 .^|EB F0       jmp short 123.0075ADF8
0075AE08 > |F645 C4 01 test byte ptr ss:[ebp-3C],1
0075AE0C . |74 06       je short 123.0075AE14
0075AE0E . |0FB745 C8    movzx eax,word ptr ss:[ebp-38]
0075AE12 . |EB 03       jmp short 123.0075AE17
0075AE14 > |6A 0A       push 0A
0075AE16 . |58          pop eax
0075AE17 > |50          push eax
0075AE18 . |56          push esi
0075AE19 . |6A 00       push 0
0075AE1B . |68 00004000 push 123.00400000
0075AE20 . |E8 3D080000 call 123.0075B662
0075AE25 . |A3 8C0F8600 mov dword ptr ds:[860F8C],eax
0075AE2A . |833D 800F8600>cmp dword ptr ds:[860F80],0
0075AE31 . |75 5B       jnz short 123.0075AE8E
0075AE33 . |50          push eax                               ; /status
0075AE34 . |FF15 14027700 call dword ptr ds:[<&MSVCR90.exit>]    ; \exit
0075AE3A > |3C 22       cmp al,22
0075AE3C . |75 0B       jnz short 123.0075AE49
0075AE3E . |33C9       xor ecx,ecx
0075AE40 . |394D E4    cmp dword ptr ss:[ebp-1C],ecx
0075AE43 . |0F94C1       sete cl
0075AE46 . |894D E4    mov dword ptr ss:[ebp-1C],ecx
0075AE49 > |0FB6C0       movzx eax,al
0075AE4C . |50          push eax                               ; /c
0075AE4D . |FF15 90027700 call dword ptr ds:[<&MSVCR90._ismbblead>>; \_ismbblead
0075AE53 . |59          pop ecx
0075AE54 . |85C0       test eax,eax
0075AE56 . |74 04       je short 123.0075AE5C
0075AE58 . |46          inc esi
0075AE59 . |8975 E0    mov dword ptr ss:[ebp-20],esi
0075AE5C > |46          inc esi
0075AE5D .^|EB 86       jmp short 123.0075ADE5
0075AE5F . |8B45 EC    mov eax,dword ptr ss:[ebp-14]
0075AE62 . |8B08       mov ecx,dword ptr ds:[eax]
0075AE64 . |8B09       mov ecx,dword ptr ds:[ecx]
0075AE66 . |894D DC    mov dword ptr ss:[ebp-24],ecx
0075AE69 . |50          push eax
0075AE6A . |51          push ecx
0075AE6B . |E8 44050000 call <jmp.&MSVCR90._XcptFilter>
0075AE70 . |59          pop ecx
0075AE71 . |59          pop ecx
0075AE72 . |C3          retn
0075AE73 . |8B65 E8    mov esp,dword ptr ss:[ebp-18]
0075AE76 . |8B45 DC    mov eax,dword ptr ss:[ebp-24]
0075AE79 . |A3 8C0F8600 mov dword ptr ds:[860F8C],eax
0075AE7E . |833D 800F8600>cmp dword ptr ds:[860F80],0
0075AE85 . |75 07       jnz short 123.0075AE8E
0075AE87 . |50          push eax                               ; /status
0075AE88 . |FF15 88027700 call dword ptr ds:[<&MSVCR90._exit>]    ; \_exit
0075AE8E > |833D 900F8600>cmp dword ptr ds:[860F90],0
0075AE95 . |75 06       jnz short 123.0075AE9D
0075AE97 . |FF15 84027700 call dword ptr ds:[<&MSVCR90._cexit>] ;  MSVCR90._cexit
0075AE9D > |C745 FC FEFFF>mov dword ptr ss:[ebp-4],-2
0075AEA4 . |A1 8C0F8600 mov eax,dword ptr ds:[860F8C]
0075AEA9 . |EB 13       jmp short 123.0075AEBE
0075AEAB . |33C0       xor eax,eax
0075AEAD . |40          inc eax
0075AEAE . |C3          retn
0075AEAF . |8B65 E8    mov esp,dword ptr ss:[ebp-18]
0075AEB2 > |C745 FC FEFFF>mov dword ptr ss:[ebp-4],-2
0075AEB9 . |B8 FF000000 mov eax,0FF
0075AEBE > |E8 22040000 call 123.0075B2E5
0075AEC3 . |C3          retn
0075AEC4 . |B8 4D5A0000 mov eax,5A4D
0075AEC9 . |66:3905 00004>cmp word ptr ds:[400000],ax
0075AED0 . |74 04       je short 123.0075AED6
0075AED2 > |33C0       xor eax,eax
0075AED4 . |EB 4D       jmp short 123.0075AF23
0075AED6 > |A1 3C004000 mov eax,dword ptr ds:[40003C]
0075AEDB . |8D80 00004000 lea eax,dword ptr ds:[eax+400000]
0075AEE1 . |8138 50450000 cmp dword ptr ds:[eax],4550
0075AEE7 .^|75 E9       jnz short 123.0075AED2
0075AEE9 . |0FB748 18    movzx ecx,word ptr ds:[eax+18]
0075AEED . |81F9 0B010000 cmp ecx,10B
0075AEF3 . |74 1B       je short 123.0075AF10
0075AEF5 . |81F9 0B020000 cmp ecx,20B
0075AEFB .^|75 D5       jnz short 123.0075AED2
0075AEFD . |83B8 84000000>cmp dword ptr ds:[eax+84],0E
0075AF04 .^|76 CC       jbe short 123.0075AED2
0075AF06 . |33C9       xor ecx,ecx
0075AF08 . |3988 F8000000 cmp dword ptr ds:[eax+F8],ecx
0075AF0E . |EB 0E       jmp short 123.0075AF1E
0075AF10 > |8378 74 0E cmp dword ptr ds:[eax+74],0E
0075AF14 .^|76 BC       jbe short 123.0075AED2
0075AF16 . |33C9       xor ecx,ecx
0075AF18 . |3988 E8000000 cmp dword ptr ds:[eax+E8],ecx
0075AF1E > |0F95C1       setne cl
0075AF21 . |8BC1       mov eax,ecx
0075AF23 > |6A 02       push 2
0075AF25 . |A3 800F8600 mov dword ptr ds:[860F80],eax
0075AF2A . |FF15 B4027700 call dword ptr ds:[<&MSVCR90.__set_app_t>;  MSVCR90.__set_app_type
0075AF30 . |6A FF       push -1
0075AF32 . |FF15 68027700 call dword ptr ds:[<&MSVCR90._encode_poi>;  MSVCR90._encode_pointer
0075AF38 . |59          pop ecx
0075AF39 . |59          pop ecx
0075AF3A . |A3 EC128600 mov dword ptr ds:[8612EC],eax
0075AF3F . |A3 F0128600 mov dword ptr ds:[8612F0],eax
0075AF44 . |FF15 B0027700 call dword ptr ds:[<&MSVCR90.__p__fmode>>;  MSVCR90.__p__fmode
0075AF4A . |8B0D CC128600 mov ecx,dword ptr ds:[8612CC]
0075AF50 . |8908       mov dword ptr ds:[eax],ecx
0075AF52 . |FF15 AC027700 call dword ptr ds:[<&MSVCR90.__p__commod>;  MSVCR90.__p__commode
0075AF58 . |8B0D C8128600 mov ecx,dword ptr ds:[8612C8]
0075AF5E . |8908       mov dword ptr ds:[eax],ecx
0075AF60 . |A1 A8027700 mov eax,dword ptr ds:[<&MSVCR90._adjust_>
0075AF65 . |8B00       mov eax,dword ptr ds:[eax]
0075AF67 . |A3 D8128600 mov dword ptr ds:[8612D8],eax
0075AF6C . |E8 F7030000 call 123.0075B368
0075AF71 . |E8 CF050000 call 123.0075B545
0075AF76 . |833D CC8C7B00>cmp dword ptr ds:[7B8CCC],0
0075AF7D . |75 0C       jnz short 123.0075AF8B
0075AF7F . |68 45B57500 push 123.0075B545                      ;  入口地址
0075AF84 . |FF15 A4027700 call dword ptr ds:[<&MSVCR90.__setuserma>;  MSVCR90.__setusermatherr
0075AF8A . |59          pop ecx
0075AF8B > |E8 8A050000 call 123.0075B51A
0075AF90 . |833D C88C7B00>cmp dword ptr ds:[7B8CC8],-1
0075AF97 . |75 09       jnz short 123.0075AFA2
0075AF99 . |6A FF       push -1
0075AF9B . |FF15 A0027700 call dword ptr ds:[<&MSVCR90._configthre>;  MSVCR90._configthreadlocale
0075AFA1 . |59          pop ecx
0075AFA2 > |33C0       xor eax,eax
0075AFA4 . |C3          retn
0075AFA5 > $ |E8 9E050000 call 123.0075B548                      ;  (Initial CPU selection)
0075AFAA .^\E9 36FDFFFF jmp 123.0075ACE5

求高人帮忙分析分析，这段代码实现的什么？还有我随便改一处代码保存后，运行程序后只是闪一下程序的欢迎界面就没了，但是在任务管理器中还有程序进程，这是怎么回事啊？

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (1)
l理雪币： 9 活跃值： (57) 能力值： (RANK：10 ) 在线值：发帖 92 回帖 289 粉丝 0 关注私信	l理 2 楼你程序不发上来，谁帮你啊 2012-11-7 22:26 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

suntan

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
l理雪币： 9 活跃值： (57) 能力值： (RANK：10 ) 在线值：发帖 92 回帖 289 粉丝 0 关注私信	l理 2 楼你程序不发上来，谁帮你啊 2012-11-7 22:26 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复