[求助]微狗分析求助-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]微狗分析求助 0.00雪花

发表于: 2013-2-5 20:08 1556

[旧帖] [求助]微狗分析求助 0.00雪花

wclandbb

2013-2-5 20:08

1556

00401760 > $  55          push ebp
00401761 .  8BEC          mov ebp,esp
00401763 .  6A FF       push -0x1
00401765 .  68 B8204000 push 复件_(2).004020B8
0040176A .  68 60194000 push <jmp.&MSVCRT._except_handler3>             ;  SE 处理程序安装
0040176F .  64:A1 00000000 mov eax,dword ptr fs:[0]
00401775 .  50          push eax
00401776 .  64:8925 000000>mov dword ptr fs:[0],esp
0040177D .  83C4 98       add esp,-0x68
00401780 .  53          push ebx
00401781 .  56          push esi
00401782 .  57          push edi
00401783 .  8965 E8       mov dword ptr ss:[ebp-0x18],esp
00401786 .  C745 FC 000000>mov dword ptr ss:[ebp-0x4],0x0
0040178D .  6A 02       push 0x2
0040178F .  FF15 48204000  call dword ptr ds:[<&MSVCRT.__set_app_type>]    ;  MSVCRT.__set_app_type
00401795 .  83C4 04       add esp,0x4
00401798 .  C705 F4354000 >mov dword ptr ds:[0x4035F4],-0x1
004017A2 .  C705 F8354000 >mov dword ptr ds:[0x4035F8],-0x1
004017AC .  FF15 4C204000  call dword ptr ds:[<&MSVCRT.__p__fmode>]       ;  MSVCRT.__p__fmode
004017B2 .  8B0D A4314000  mov ecx,dword ptr ds:[0x4031A4]
004017B8 .  8908          mov dword ptr ds:[eax],ecx
004017BA .  FF15 5C204000  call dword ptr ds:[<&MSVCRT.__p__commode>]       ;  MSVCRT.__p__commode
004017C0 .  8B15 A0314000  mov edx,dword ptr ds:[0x4031A0]
004017C6 .  8910          mov dword ptr ds:[eax],edx
004017C8 .  A1 50204000 mov eax,dword ptr ds:[<&MSVCRT._adjust_fdiv>]
004017CD .  8B08          mov ecx,dword ptr ds:[eax]
004017CF .  890D FC354000  mov dword ptr ds:[0x4035FC],ecx
004017D5 .  E8 76010000 call 复件_(2).00401950
004017DA .  A1 80304000 mov eax,dword ptr ds:[0x403080]
004017DF .  85C0          test eax,eax
004017E1 .  75 0E       jnz X复件_(2).004017F1
004017E3 .  68 40194000 push 复件_(2).00401940
004017E8 .  FF15 60204000  call dword ptr ds:[<&MSVCRT.__setusermatherr>] ;  MSVCRT.__setusermatherr
004017EE .  83C4 04       add esp,0x4
004017F1 >  E8 2A010000 call 复件_(2).00401920
004017F6 .  68 0C304000 push 复件_(2).0040300C
004017FB .  68 08304000 push 复件_(2).00403008
00401800 .  E8 11010000 call <jmp.&MSVCRT._initterm>
00401805 .  83C4 08       add esp,0x8
00401808 .  8B15 9C314000  mov edx,dword ptr ds:[0x40319C]
0040180E .  8955 94       mov dword ptr ss:[ebp-0x6C],edx
00401811 .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
00401814 .  50          push eax
00401815 .  8B0D 98314000  mov ecx,dword ptr ds:[0x403198]
0040181B .  51          push ecx
0040181C .  8D55 9C       lea edx,dword ptr ss:[ebp-0x64]
0040181F .  52          push edx
00401820 .  8D45 90       lea eax,dword ptr ss:[ebp-0x70]
00401823 .  50          push eax
00401824 .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
00401827 .  51          push ecx
00401828 .  FF15 68204000  call dword ptr ds:[<&MSVCRT.__getmainargs>]    ;  MSVCRT.__getmainargs
0040182E .  83C4 14       add esp,0x14
00401831 .  68 04304000 push 复件_(2).00403004
00401836 .  68 00304000 push 复件_(2).00403000
0040183B .  E8 D6000000 call <jmp.&MSVCRT._initterm>
00401840 .  83C4 08       add esp,0x8
00401843 .  FF15 6C204000  call dword ptr ds:[<&MSVCRT.__p__acmdln>]       ;  MSVCRT.__p__acmdln
00401849 .  8B30          mov esi,dword ptr ds:[eax]
0040184B .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
0040184E .  803E 22       cmp byte ptr ds:[esi],0x22
00401851 .  0F85 A8000000  jnz 复件_(2).004018FF
00401857 >  46          inc esi
00401858 .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
0040185B .  8A06          mov al,byte ptr ds:[esi]
0040185D .  84C0          test al,al
0040185F .  74 04       je X复件_(2).00401865
00401861 .  3C 22       cmp al,0x22
00401863 .^ 75 F2       jnz X复件_(2).00401857
00401865 >  803E 22       cmp byte ptr ds:[esi],0x22
00401868 .  75 04       jnz X复件_(2).0040186E
0040186A .  46          inc esi
0040186B .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
0040186E >  8A06          mov al,byte ptr ds:[esi]
00401870 .  84C0          test al,al
00401872 .  74 0A       je X复件_(2).0040187E
00401874 .  3C 20       cmp al,0x20
00401876 .  77 06       ja X复件_(2).0040187E
00401878 .  46          inc esi
00401879 .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
0040187C .^ EB F0       jmp X复件_(2).0040186E
0040187E >  C745 D0 000000>mov dword ptr ss:[ebp-0x30],0x0
00401885 .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
00401888 .  52          push edx                                        ; /pStartupinfo
00401889 .  FF15 10204000  call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA
0040188F .  F645 D0 01    test byte ptr ss:[ebp-0x30],0x1
00401893 .  74 0A       je X复件_(2).0040189F
00401895 .  8B45 D4       mov eax,dword ptr ss:[ebp-0x2C]
00401898 .  25 FFFF0000 and eax,0xFFFF
0040189D .  EB 05       jmp X复件_(2).004018A4
0040189F >  B8 0A000000 mov eax,0xA
004018A4 >  50          push eax
004018A5 .  56          push esi
004018A6 .  6A 00       push 0x0
004018A8 .  6A 00       push 0x0                                        ; /pModule = NULL
004018AA .  FF15 14204000  call dword ptr ds:[<&KERNEL32.GetModuleHandleA>]  ; \GetModuleHandleA
004018B0 .  50          push eax
004018B1 .  E8 B8FBFFFF call 复件_(2).0040146E
004018B6 .  8945 98       mov dword ptr ss:[ebp-0x68],eax
004018B9 .  50          push eax                                        ; /status
004018BA .  FF15 70204000  call dword ptr ds:[<&MSVCRT.exit>]             ; \exit
004018C0 .  EB 22       jmp X复件_(2).004018E4
004018C2 .  8B45 EC       mov eax,dword ptr ss:[ebp-0x14]
004018C5 .  8B08          mov ecx,dword ptr ds:[eax]
004018C7 .  8B09          mov ecx,dword ptr ds:[ecx]
004018C9 .  894D 88       mov dword ptr ss:[ebp-0x78],ecx
004018CC .  50          push eax
004018CD .  51          push ecx
004018CE .  E8 3D000000 call <jmp.&MSVCRT._XcptFilter>
004018D3 .  83C4 08       add esp,0x8
004018D6 .  C3          retn
004018D7 .  8B65 E8       mov esp,dword ptr ss:[ebp-0x18]
004018DA .  8B55 88       mov edx,dword ptr ss:[ebp-0x78]
004018DD .  52          push edx                                        ; /status
004018DE .  FF15 78204000  call dword ptr ds:[<&MSVCRT._exit>]             ; \_exit
004018E4 >  83C4 04       add esp,0x4
004018E7 .  C745 FC FFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
004018EE .  8B4D F0       mov ecx,dword ptr ss:[ebp-0x10]
004018F1 .  64:890D 000000>mov dword ptr fs:[0],ecx
004018F8 .  5F          pop edi
004018F9 .  5E          pop esi
004018FA .  5B          pop ebx
004018FB .  8BE5          mov esp,ebp
004018FD .  5D          pop ebp
004018FE .  C3          retn
004018FF >  803E 20       cmp byte ptr ds:[esi],0x20
00401902 .^ 0F86 66FFFFFF  jbe 复件_(2).0040186E
00401908 .  46          inc esi
00401909 .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
0040190C .^ EB F1       jmp X复件_(2).004018FF
0040190E    90          nop
0040190F    90          nop
00401910 $- FF25 74204000  jmp dword ptr ds:[<&MSVCRT._XcptFilter>]       ;  MSVCRT._XcptFilter
00401916 $- FF25 64204000  jmp dword ptr ds:[<&MSVCRT._initterm>]          ;  MSVCRT._initterm
0040191C    CC          int3
0040191D    CC          int3
0040191E    CC          int3
0040191F    CC          int3
00401920  /$  68 00000300 push 0x30000                                     ; /CWmask = 30000
00401925  |.  68 00000100 push 0x10000                                     ; |CWnew = 10000
0040192A  |.  E8 37000000 call <jmp.&MSVCRT._controlfp>                   ; \_controlfp
0040192F  |.  83C4 08       add esp,0x8
00401932  \.  C3          retn
00401933    90          nop
00401934    90          nop
00401935    90          nop
00401936    90          nop
00401937    90          nop
00401938    90          nop
00401939    90          nop
0040193A    90          nop
0040193B    90          nop
0040193C    90          nop
0040193D    90          nop
0040193E    90          nop
0040193F    90          nop
00401940 .  33C0          xor eax,eax
00401942 .  C3          retn
00401943    90          nop
00401944    90          nop
00401945    90          nop
00401946    90          nop
00401947    90          nop
00401948    90          nop
00401949    90          nop
0040194A    90          nop
0040194B    90          nop
0040194C    90          nop
0040194D    90          nop
0040194E    90          nop
0040194F    90          nop
00401950 $  C3          retn
00401951    90          nop
00401952    90          nop
00401953    90          nop
00401954    90          nop
00401955    90          nop
00401956    90          nop
00401957    90          nop
00401958    90          nop
00401959    90          nop
0040195A    90          nop
0040195B    90          nop
0040195C    90          nop
0040195D    90          nop
0040195E    90          nop
0040195F    90          nop
00401960 $- FF25 9C204000  jmp dword ptr ds:[<&MSVCRT._except_handler3>]    ;  MSVCRT._except_handler3; 结构异常处理程序
00401966 $- FF25 54204000  jmp dword ptr ds:[<&MSVCRT._controlfp>]          ;  MSVCRT._controlfp
0040196C    00          db 00
0040196D    00          db 00
0040196E    00          db 00

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
wclandbb 雪币： 44 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 13 粉丝 0 关注私信	wclandbb 2 楼这段检测狗的步骤怎么跳过，求高手指导，检测未加壳 2013-2-5 20:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wclandbb

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
wclandbb 雪币： 44 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 13 粉丝 0 关注私信	wclandbb 2 楼这段检测狗的步骤怎么跳过，求高手指导，检测未加壳 2013-2-5 20:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复