bywg 4.25a 破解笔记-软件逆向-看雪论坛-安全社区|非营利性质技术交流社区

bywg 4.25a 破解笔记

发表于: 2005-12-14 09:49 5033

bywg 4.25a 破解笔记

jskew

2005-12-14 09:49

5033

0040FDA5  |.  59          POP ECX
0040FDA6  \.  C3          RETN
0040FDA7    EA          DB EA
0040FDA8    5C          DB 5C                                  ;  CHAR '\'
0040FDA9    E4          DB E4
0040FDAA    01          DB 01
0040FDAB    55          DB 55                                  ;  CHAR 'U'
0040FDAC    05          DB 05
0040FDAD    F4          DB F4
0040FDAE    05          DB 05
0040FDAF    EB          DB EB
0040FDB0    03          DB 03
0040FDB1    9F          DB 9F
0040FDB2    F1          DB F1
0040FDB3    33          DB 33                                  ;  CHAR '3'
0040FDB4    64          DB 64                                  ;  CHAR 'd'
0040FDB5 .  96          XCHG EAX,ESI
0040FDB6 .  64:A1 0000000>MOV EAX,FS:[0]
0040FDBC .  50          PUSH EAX

0012FFB4 00413494  Entry address
0012FFB8 00430290  PYCQ.00430290
0012FFBC FFFFFFFF
0012FFC0 0012FFF0
0012FFC4 77E8893D  RETURN to KERNEL32.77E8893D

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 00430290
PUSH 00413494
MOV EAX,FS:[0]

0040FDA7    55                PUSH EBP
0040FDA8    8BEC                MOV EBP,ESP
0040FDAA    6A FF             PUSH -1
0040FDAC    68 90024300       PUSH 430290
0040FDB1    68 94344100       PUSH 413494                            ;  Entry address
0040FDB6    64:A1 00000000    MOV EAX,FS:[0]

iat
0040FDCD .  FF15 A4C24200       CALL [42C2A4]
42C000

00915BA3             60                   PUSHAD
00915BA4             66:B8 1200          MOV AX,12
00915BA8             B1 04                MOV CL,4
00915BAA          ^ E9 82D6FFFF          JMP 00913231
00915BAF             60                   PUSHAD
00915BB0             66:B8 1300          MOV AX,13
00915BB4             B1 04                MOV CL,4
00915BB6          ^ E9 76D6FFFF          JMP 00913231
00915BBB             60                   PUSHAD
00915BBC             66:B8 1400          MOV AX,14
00915BC0             B1 04                MOV CL,4
00915BC2          ^ E9 6AD6FFFF          JMP 00913231
00915BC7             60                   PUSHAD
00915BC8             66:B8 1500          MOV AX,15
00915BCC             B1 04                MOV CL,4
00915BCE          ^ E9 5ED6FFFF          JMP 00913231

004B44D0             C2 0800             RETN 8
004B44D3             55                   PUSH EBP
004B44D4             8BEC                MOV EBP,ESP
004B44D6             9C                   PUSHFD
004B44D7             F0:FF0D B1434B00    LOCK DEC DWORD PTR [4B43B1]             ; LOCK prefix
004B44DE             9D                   POPFD
004B44DF             - E9 F4BC9C77          JMP 77E801D8                            ; KERNEL32.77E801D8

779cbcf4+004B44DF+5=77E801D8
77E801D8-(x)=iat

;解码
004B4572 8130 F5212FDA XOR DWORD PTR [EAX],DA2F21F5
004B4578 F8             CLC
004B4579 73 06          JNB SHORT 004B4581                      ; 004B4581
004B457B F9             STC
004B457C 07             POP ES                                  ; Modification of segment register
004B457D A3 981DA4C0    MOV [C0A41D98],EAX
004B4582 0821          OR [ECX],AH
004B4584 8028 A2       SUB BYTE PTR [EAX],0A2
004B4587 8128 39098C35 SUB DWORD PTR [EAX],358C0939
004B458D 8130 9A77271E XOR DWORD PTR [EAX],1E27779A
004B4593 83C0 04       ADD EAX,4
004B4596 C1C7 94       ROL EDI,94                            ; Shift constant out of range 1..31
004B4599 83EE 04       SUB ESI,4
004B459C  ^ 0F85 D0FFFFFF JNZ 004B4572                            ; 004B4572
004B45A2 61             POPAD

004B4090  - 66:EB 04       JMP SHORT 00004097
004B4093 DEB1 657E8A06 FIDIV WORD PTR [ECX+68A7E65]
004B4099 EB 01          JMP SHORT 004B409C                      ; 004B409C
004B409B 6A EB          PUSH -15
004B409D 0218          ADD BL,[EAX]
004B409F 66:3C C2       CMP AL,0C2
004B40A2 EB 04          JMP SHORT 004B40A8                      ; 004B40A8
004B40A4 D0144F       RCL BYTE PTR [EDI+ECX*2],1
004B40A7 C00F 84       ROR BYTE PTR [EDI],84                   ; Shift constant out of range 1..31
004B40AA 9A 000000EB 033>CALL FAR 3103:EB000000                ; Far call
004B40B1 F8             CLC
004B40B2 0D 3CC3EB04    OR EAX,4EBC33C
004B40B7 EA BC68780F 848>JMP FAR 8784:0F7868BC                   ; Far jump
004B40BE 0000          ADD [EAX],AL
004B40C0 00EB          ADD BL,CH
004B40C2 010D EB03B163 ADD [63B103EB],ECX
004B40C8 66:3C CD       CMP AL,0CD
004B40CB EB 02          JMP SHORT 004B40CF                      ; 004B40CF
004B40CD C10A 74       ROR DWORD PTR [EDX],74                ; Shift constant out of range 1..31
004B40D0  ^ 77 EB          JA SHORT 004B40BD                      ; 004B40BD
004B40D2 02F6          ADD DH,DH
004B40D4 A5             MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]

;检查api函数机器码
004B40D5 56             PUSH ESI
004B40D6 FF53 40       CALL [EBX+40]
004B40D9 EB 02          JMP SHORT 004B40DD                      ; 004B40DD

004B40DB C59A 83F8FFEB LDS EBX,[EDX+EBFFF883]                ; Modification of segment register
004B40E1 0314C8       ADD EDX,[EAX+ECX*8]
004B40E4 C40F          LES ECX,[EDI]                         ; Modification of segment register
004B40E6 8471 01       TEST [ECX+1],DH
004B40E9 0000          ADD [EAX],AL
004B40EB EB 01          JMP SHORT 004B40EE                      ; 004B40EE
004B40ED A2 F7C20006    MOV [600C2F7],AL
004B40F2 0000          ADD [EAX],AL
004B40F4 EB 01          JMP SHORT 004B40F7                      ; 004B40F7
004B40F6 EA 754FEB03 676>JMP FAR 6D67:03EB4F75                   ; Far jump
;不能识别的机器码
004B40EE F7C2 00060000 TEST EDX,600
004B40F7 /75 4F          JNZ SHORT 004B4148                      ; 004B4148

004B40FD 1AEB          SBB CH,BL
004B40FF 0105 8BC8EB02 ADD [2EBC88B],EAX
004B4105 D05A 8B       RCR BYTE PTR [EDX-75],1
004B4108 D7             XLAT BYTE PTR [EBX+AL]
004B4109 EB 03          JMP SHORT 004B410E                      ; 004B410E
004B410B 04 42          ADD AL,42
004B410D 1BF3          SBB ESI,EBX

;复制api函数机器码
004B410E             F3:A4                REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>

004B410F A4             MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
004B4110 EB 01          JMP SHORT 004B4113                      ; 004B4113
004B4112 F7EB          IMUL EBX
004B4114 02A9 1AEB03D5 ADD CH,[ECX+D503EB1A]
004B411A E4 CF          IN AL,0CF                               ; I/O command
004B411C 803A CC       CMP BYTE PTR [EDX],0CC
004B411F EB 01          JMP SHORT 004B4122                      ; 004B4122
004B4121 73 0F          JNB SHORT 004B4132                      ; 004B4132
004B4123 84B1 010000EB TEST [ECX+EB000001],DH
004B4129 0284A1 EB02D01D ADD AL,[ECX+1DD002EB]
004B4130 EB 01          JMP SHORT 004B4133                      ; 004B4133
004B4132 B1 EB          MOV CL,0EB
004B4134 028C52 FF0C24EB ADD CL,[EDX+EDX*2+EB240CFF]
004B413B 013E          ADD [ESI],EDI
004B413D  ^ 0F85 4EFFFFFF JNZ 004B4091                            ; 004B4091

004B40D5 56             PUSH ESI
004B40D6 FF53 40       CALL [EBX+40]                         ; PYCQ.004B2739
004B40D9 EB 02          JMP SHORT 004B40DD                      ; 004B40DD

004B40F7 /75 4F          JNZ SHORT 004B4148                      ; 004B4148

;取api地址
004B25F2 8B0490       MOV EAX,[EAX+EDX*4]
004B25F5 03C3          ADD EAX,EBX
004B25F7 8B55 F8       MOV EDX,[EBP-8]                         ; KERNEL32.77EB4220
004B25FA 3BC2          CMP EAX,EDX
004B25FC 72 71          JB SHORT 004B266F                      ; 004B266F
004B25FE 0355 F4       ADD EDX,[EBP-C]
004B2601 3BC2          CMP EAX,EDX
004B2603 73 6A          JNB SHORT 004B266F                      ; 004B266F

004B2599 8B0483       MOV EAX,[EBX+EAX*4]
004B259C 03C1          ADD EAX,ECX
004B259E EB 57          JMP SHORT 004B25F7                      ; 004B25F7

004B266F 64:67:8F06 0000 POP DWORD PTR FS:[0]                   ; 0012FFB0
004B2675 83C4 04       ADD ESP,4

hook
004B2675          83C4 04       ADD ESP,4

004B691D          60             PUSHAD
004B691E          B8 00C04200    MOV EAX,42C000
004B6923          B9 99090000    MOV ECX,999
004B6928          51             PUSH ECX

0012FD74 004B6933  RETURN to PYCQ.004B6933

0012FD3C 00913364  RETURN to 00913364

0012FD78 0042C000  PYCQ.0042C000

60 B8 00 C0 42 00 B9 99 09 00 00 51 83 38 00 74 14 50 8B 30 FF D6 BC 78 FD 12 00 90 90 90 90 8B
3C 24 89 07 58 83 C0 04 59 E2 E0 61 EB FE 90 90

004B691D          60             PUSHAD
004B691E          B8 00C04200    MOV EAX,42C000
004B6923          B9 99090000    MOV ECX,999
004B6928          51             PUSH ECX
004B6929          8338 00       CMP DWORD PTR [EAX],0
004B692C          74 14          JE SHORT 004B6942                      ; 004B6942
004B692E          50             PUSH EAX
004B692F          8B30          MOV ESI,[EAX]
004B6931          FFD6          CALL ESI
004B6933          BC 78FD1200    MOV ESP,12FD78
004B6938          90             NOP
004B6939          90             NOP
004B693A          90             NOP
004B693B          90             NOP
004B693C          8B3C24       MOV EDI,[ESP]
004B693F          8907          MOV [EDI],EAX
004B6941          58             POP EAX
004B6942          83C0 04       ADD EAX,4
004B6945          59             POP ECX
004B6946       ^ E2 E0          LOOPD SHORT 004B6928                   ; 004B6928
004B6948          61             POPAD
004B6949       - EB FE          JMP SHORT 004B6949                      ; 004B6949
004B694B          90             NOP
004B694C          90             NOP

EB 2E 63 6F 64 65 20 62 79 20 6A 73 6B 65 77 20 30 35 2E 31 31 2E 30 37 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 90 B8 00 C0 42 00 B9 99 09 00 00 51 83 38 00 74 17
50 89 25 20 10 40 00 8B 30 FF D6 8B 25 20 10 40 00 8B 3C 24 89 07 58 83 C0 04 59 E2 DD 90 90 EB
FE

00401047    64:FF35 00000>PUSH DWORD PTR FS:[0]
0040104E    5B          POP EBX
0040104F    891D 24104000 MOV [401024],EBX

00401030    B8 00C04200 MOV EAX,42C000
00401035    B9 99090000 MOV ECX,999
0040103A    51          PUSH ECX
0040103B    8338 00    CMP DWORD PTR [EAX],0
0040103E    74 17       JE SHORT 00401057                      ;  00401057
00401040    50          PUSH EAX
00401041    8925 20104000 MOV [401020],ESP
00401047    8B30       MOV ESI,[EAX]
00401049    FFD6       CALL ESI
0040104B    8B25 20104000 MOV ESP,[401020]
00401051    8B3C24       MOV EDI,[ESP]
00401054    8907       MOV [EDI],EAX
00401056    58          POP EAX
00401057    83C0 04    ADD EAX,4
0040105A    59          POP ECX
0040105B ^ E2 DD       LOOPD SHORT 0040103A                   ;  0040103A
0040105D    90          NOP
0040105E    90          NOP
0040105F - EB FE       JMP SHORT 0040105F                      ;  0040105F

00401000    /EB 2E       JMP SHORT 00401030                      ;  00401030
00401002    |636F 64    ARPL [EDI+64],BP
00401005    |65:2062 79 AND GS:[EDX+79],AH
00401009    |206A 73    AND [EDX+73],CH
0040100C    |6B65 77 20 IMUL ESP,[EBP+77],20
00401010    |3035 2E31312E XOR [2E31312E],DH
00401016    |3037       XOR [EDI],DH
00401018    |0000       ADD [EAX],AL
0040101A    |0000       ADD [EAX],AL
0040101C    |0000       ADD [EAX],AL
0040101E    |0000       ADD [EAX],AL
00401020    |34 F0       XOR AL,0F0
00401022    |1200       ADC AL,[EAX]
00401024    |0000       ADD [EAX],AL
00401026    |0000       ADD [EAX],AL
00401028    |0000       ADD [EAX],AL
0040102A    |0000       ADD [EAX],AL
0040102C    |0000       ADD [EAX],AL
0040102E    |90          NOP
0040102F    |90          NOP
00401030    \64:FF35 00000>PUSH DWORD PTR FS:[0]
00401037    58          POP EAX
00401038    A3 24104000 MOV [401024],EAX
0040103D    B8 00C04200 MOV EAX,42C000
00401042    B9 99090000 MOV ECX,999
00401047    51          PUSH ECX
00401048    8338 00    CMP DWORD PTR [EAX],0
0040104B    74 24       JE SHORT 00401071                      ;  00401071
0040104D    50          PUSH EAX
0040104E    8925 20104000 MOV [401020],ESP
00401054    8B30       MOV ESI,[EAX]
00401056    FFD6       CALL ESI
00401058    FF35 24104000 PUSH DWORD PTR [401024]
0040105E    64:8F05 00000>POP DWORD PTR FS:[0]
00401065    8B25 20104000 MOV ESP,[401020]
0040106B    8B3C24       MOV EDI,[ESP]
0040106E    8907       MOV [EDI],EAX
00401070    58          POP EAX
00401071    83C0 04    ADD EAX,4
00401074    59          POP ECX
00401075 ^ E2 D0       LOOPD SHORT 00401047                   ;  00401047
00401077    90          NOP
00401078    90          NOP
00401079 - EB FE       JMP SHORT 00401079                      ;  00401079

EB 2E 63 6F 64 65 20 62 79 20 6A 73 6B 65 77 20 30 35 2E 31 31 2E 30 37 00 00 00 00 00 00 00 00
34 F0 12 00 00 00 00 00 00 00 00 00 00 00 90 90 64 FF 35 00 00 00 00 58 A3 24 10 40 00 B8 00 C0
42 00 B9 99 09 00 00 51 83 38 00 74 24 50 89 25 20 10 40 00 8B 30 FF D6 FF 35 24 10 40 00 64 8F
05 00 00 00 00 8B 25 20 10 40 00 8B 3C 24 89 07 58 83 C0 04 59 E2 D0 90 90 EB FE 90 90 90 90 90

0002C0D8 ;GetCurrentProcess
0002C110 ;GetCommandLineA
0002C1D4 ;GetModuleFileNameA
0002C280 ;lstrlenA
0002C2A4 ;GetVersion

00414DE0 .  FF35 E8804400 PUSH DWORD PTR [4480E8]                ; /pModule = "?
00414DE6 .  FF15 98C24200 CALL [42C298]                         ; \GetModuleHandleA

1 0002C108 kernel32.dll 013F GetModuleHandleA
1 0002C11C kernel32.dll 013F GetModuleHandleA
1 0002C120 kernel32.dll 013F GetModuleHandleA
1 0002C1B8 kernel32.dll 013F GetModuleHandleA
1 0002C200 kernel32.dll 013F GetModuleHandleA
1 0002C208 kernel32.dll 013F GetModuleHandleA
1 0002C214 kernel32.dll 013F GetModuleHandleA
1 0002C28C kernel32.dll 013F GetModuleHandleA
1 0002C294 kernel32.dll 013F GetModuleHandleA
1 0002C298 kernel32.dll 013F GetModuleHandleA

CALL [42C108] null;
00418904 $- FF25 08C14200 JMP [42C108]
;RtlUnwind

CALL [42C11C] ;HeapReAlloc
CALL [42C120] ;RtlSizeHeap
CALL [42C1B8] ;GetModuleHandleA
CALL [42C200] ;EnterCriticalSection
CALL [42C208] ;LeaveCriticalSection
CALL [42C214] ;DeleteCriticalSection
CALL [42C28C]null
004188F2 $- FF25 8CC24200 JMP [42C28C]
;RtlZeroMemory

CALL [42C294] ;HeapFree
CALL [42C298] ;HeapAlloc

oep
0040FDA7    55                PUSH EBP

00403911 .  51          PUSH ECX
00403912 .  FFD7       CALL EDI
00403914 >  FF15 84C54200 CALL [42C584]
0040391A .  6A 00       PUSH 0                                  ; /hWnd = NULL

;逻辑炸弹
00406CF5    CC          INT3

;410
00402349 . /E9 B2DC0500 JMP 00460000                                              ;  00460000

0040233E .  8BB424 B40200>MOV ESI,[ESP+2B4]
00402345 .  8D4C24 28    LEA ECX,[ESP+28]
00402349 .  E9 B2DC0500 JMP 00460000                                              ;  00460000

00460000 > \60          PUSHAD
00460001 .  8BF9       MOV EDI,ECX
00460003 .  B9 80000000 MOV ECX,80
00460008 .  BE 15004600 MOV ESI,460015                                              ;  ASCII "\淖 72"
0046000D .  F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
0046000F .  61          POPAD
00460010 .^ E9 0C27FAFF JMP 00402721                                              ;  00402721

00402721 >  66:8B5424 3A  MOV DX,[ESP+3A]
00402726 . |8B4424 36    MOV EAX,[ESP+36]
0040272A . |6A 01       PUSH 1
0040272C . |8D8F 88010000 LEA ECX,[EDI+188]
00402732 . |66:8915 5C8C4>MOV [438C5C],DX
00402739 . |A3 F88A4300 MOV [438AF8],EAX
0040273E . |E8 58D80100 CALL 0041FF9B                                              ;  0041FF9B

60 8B F9 B9 80 00 00 00 BE 15 00 46 00 F3 A4 61 E9 BD 2F FA FF 5C C4 57 20 37 32 00 00 01 20 CA
67 40 CC 7F 00 00 01 1F A0 DB 86 12 B2 39 C6 0F 4D 63 7F CC 9D 38 52 81 9E D8 C6 24 D8 BD AF F1
6D 61 75 74 6F 2E 73 65 61 72 63 68 2E 6D 73 6E 2E 63 6F 6D 00 E8 69 CD 77 B9 69 00 77 6A 03 00
00 CF FD CD 77 60 79 16 00 24 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 70 00 00 00 FF FF FF
FF FF FF FF FF 9A B9 42 00 E0 FD 43 00 F8 E7 12 00 BE B9 42 00 60 8B F9 B9 80 00 00 00 BE AA 00
46 00 F3 A4 61 E9 B7 29 FA FF EF 27 0B 20 83 34 00 00 01 20 6C 34 02 00 1F FB 01 00 00 00 7F 00
00 01 20 A0 00 5E 2C 55 8E 6B F7 57 D3 D5 7F 02 3B EC 84 30 61 6F 0A F0 6E 8A FB 75 08 B5 F1 4C
DB 18 39 16 10 8D 3D 6A 19 7A 4C F7 3C 2F A7 C2 45 44 90 0B AF 74 B7 3A C5 C2 CF 37 7E 9B 29 AE
5E FC 5A DD 54 87 94 AF 44 C5 BC F2 7D F0 50 7A 9F C4 16 7A 02 51 50 7A F6 FF 16 7A B2 00 00 00
9C 1E F7 1B 1A 60 A8 C7 3A 62 00 00 00 00 00 00

004029EE    8D4C24 2C    LEA ECX,[ESP+2C]
004029F2    E9 09D60500    JMP 00460000                            ;  00460000

8D 4C 24 2C E9 09 D6 05

;410
004029E1 .  8BBC24 A40100>MOV EDI,[ESP+1A4]
004029E8 .  33ED       XOR EBP,EBP
004029EA .  8D4C24 1C    LEA ECX,[ESP+1C]
004029EE .  8B1D D8A14200 MOV EBX,[42A1D8]                                           ;  KERNEL32.GlobalAlloc
004029F4 .  E9 9CD60500 JMP 00460095                                              ;  00460095

00460095 > \60          PUSHAD
00460096 .  8BF9       MOV EDI,ECX
00460098 .  B9 80000000 MOV ECX,80
0046009D .  BE AA004600 MOV ESI,4600AA
004600A2 .  F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
004600A4 .  61          POPAD
004600A5 .^ E9 B729FAFF JMP 00402A61                                              ;  00402A61

00402A61 >  F64424 24 01  TEST BYTE PTR [ESP+24],1
00402A66 . |8A4424 25    MOV AL,[ESP+25]
00402A6A . |0F84 DB010000 JE 00402C4B                                                 ;  00402C4B
00402A70 . |A8 01       TEST AL,1
00402A72 . |74 29       JE SHORT 00402A9D                                           ;  00402A9D
00402A74 . |66:8B4C24 2A  MOV CX,[ESP+2A]

;425a
00403291 .  8BBC24 A40100>MOV EDI,[ESP+1A4]
00403298 .  33ED       XOR EBP,EBP
0040329A .  55          PUSH EBP                               ; /Flags => 0
0040329B .  8D4C24 20    LEA ECX,[ESP+20]                      ; |
0040329F .  68 80000000 PUSH 80                               ; |BufSize = 80 (128.)
004032A4 .  51          PUSH ECX                               ; |Buffer
004032A5 .  57          PUSH EDI                               ; |Socket
004032A6 .  E8 69420000 CALL 00407514                         ; \recv

0040329A    8D4C24 1C       LEA ECX,[ESP+1C]
0040329E    8B1D D0C14200 MOV EBX,[42C1D0]                      ;  KERNEL32.GlobalAlloc
004032A4    E9 ECCD0500    JMP 00460095                            ;  00460095

8D 4C 24 1C 8B 1D D0 C1 42 00 E9 EC CD 05 00 90 90

004600A5 ^\E9 6732FAFF    JMP 00403311                            ;  00403311

0012F22C 0012F254  |Arg1 = 0012F254
0012F230 00000080  |Arg2 = 00000080
0012F234 00204090  \Arg3 = 00204090

7A 0C 5B 0C 37 31 00 00 01 40 C0 A8 01 ED 31 A0 80 00 00 00 |CA 67 40 CD |56 A1| 00 6E 08 63 8C AD
02 86 32 BA 32 55 52 93 20 73 4D 91 74 4F B0 1C B7 49 2B A5 9D C2 78 4F F4 3F 02 43 62 3A 30 7A
1C D3 2F D9 1E 72 B5 83 A0 34 E4 4F 41 AD F9 16 34 99 6F F7 30 2E CF 02 78 63 A3 19 B8 A9 D4 2B
23 68 22 A0 79 7A C0 94 3F 7A 5D 01 79 7A A9 AF 3F 7A AF 00 00 00 7F 51 69 73 31 0C 6C 44 E6 7B

7A 0C 5B 0C 37 31 00 00 01 40 C0 A8 01 ED 31 A0 80 00 00 00 7F 00 00 01 20 A0 00 6E 08 63 8C AD
02 86 32 BA 32 55 52 93 20 73 4D 91 74 4F B0 1C B7 49 2B A5 9D C2 78 4F F4 3F 02 43 62 3A 30 7A
1C D3 2F D9 1E 72 B5 83 A0 34 E4 4F 41 AD F9 16 34 99 6F F7 30 2E CF 02 78 63 A3 19 B8 A9 D4 2B
23 68 22 A0 79 7A C0 94 3F 7A 5D 01 79 7A A9 AF 3F 7A AF 00 00 00 7F 51 69 73 31 0C 6C 44 E6 7B

00402607    6A 01       PUSH 1                                  ; [GetTickCount
00402609    6A 00       PUSH 0
0040260B    68 65040000 PUSH 465
00402610    FF76 1C    PUSH DWORD PTR [ESI+1C]
00402613    FF15 14C54200 CALL [42C514]                         ;  USER32.SendMessageA
00402619    EB 30       JMP SHORT 0040264B                      ;  0040264B

6A 01 6A 00 68 65 04 00 00 FF 76 1C FF 15 14 C5 42 00 EB 30

004027D1    6A 01       PUSH 1
004027D3    6A 00       PUSH 0
004027D5    68 66040000 PUSH 466
004027DA    FF76 1C    PUSH DWORD PTR [ESI+1C]
004027DD    FF15 14C54200 CALL [42C514]                         ;  USER32.SendMessageA
004027E3    EB 29       JMP SHORT 0040280E                      ;  0040280E
004027E5    90          NOP

6A 01 6A 00 68 66 04 00 00 FF 76 1C FF 15 14 C5 42 00 EB 29 90

/////////////////////////////////////////////////
dll

00780000 E8 03000000    CALL 00780008

00792000
12000

oep
100100C1 54                   PUSH ESP
100100C2 8BEC                MOV EBP,ESP
100100C4 68 32080410          PUSH 10040832
100100C9 64:FF35 00000000    PUSH DWORD PTR FS:[0]
100100D0 64:8925 00000000    MOV FS:[0],ESP
100100D7 837D 0C 01          CMP DWORD PTR [EBP+C],1

iat
10055000

007905B5             /E9 55030000    JMP 0079090F
007905BA             |90             NOP

0006F964 00789987  /CALL to lstrcmpA
0006F968 00790FA7  |String1 = "LoadLibraryA"
0006F96C 007910C9  \String2 = "TrackPopupMenu"

;直接执行api函数
00790441             - FFE0          JMP EAX                               ; KERNEL32.lstrcmpA

;跳过特殊函数
0078998A             /EB 0B          JMP SHORT 00789997

0078A44C                52             PUSH EDX

0078998A             /E9 BD0A0000    JMP 0078A44C

Run trace, selected line
Back=41.
Thread=Main
Address=007905A8
Command=MOV EDI,[ESP+24]
Modified registers=EDI=007D0006

Run trace, selected line
Back=39.
Thread=Main
Address=007905A8
Command=MOV EDI,[ESP+24]
Modified registers=EDI=007D016E

my code
10053082    6A 01       PUSH 1

10001000          E8 00000000 CALL 10001005                         ;  10001005
10001005          5B          POP EBX
10001006          EB 09       JMP SHORT 10001011                      ; /Protocol
10001008    |.  6A 01       PUSH 1                                  ; |Type = SOCK_STREAM
1000100A    |.  6A 02       PUSH 2                                  ; |Family = AF_INET
1000100C    |.  E8 0F200500 CALL 10053020                         ; \socket
10001011          81EB 05100010 SUB EBX,10001005
10001017          8BC3       MOV EAX,EBX
10001019          05 82300510 ADD EAX,10053082
1000101E          FFE0       JMP EAX

E8 00 00 00 00 5B EB 09 6A 01 6A 02 E8 0F 20 05 00 81 EB 05 10 00 10 8B C3 05 82 30 05 10 FF E0

10001121          E8 00000000 CALL 10001126                         ;  10001126
10001126          5B          POP EBX
10001127          81EB 26110010 SUB EBX,10001126
1000112D          EB 0C       JMP SHORT 1000113B                      ;  1000113B
1000112F          D141 05    ROL DWORD PTR [ECX+5],1
10001132    |?  10FF       ADC BH,BH
10001134    |?  75 0C       JNZ SHORT 10001142                      ;  10001142
10001136    |.  E8 D91E0500 CALL 10053014                         ; \recv
1000113B          8BC3       MOV EAX,EBX
1000113D          05 A0300510 ADD EAX,100530A0
10001142          FFE0       JMP EAX

E8 00 00 00 00 5B 81 EB 26 11 00 10 EB 0C D1 41 05 10 FF 75 0C E8 D9 1E 05 00 8B C3 05 A0 30 05
10 FF E0 00 00 00 68 D1 41 05 10 E8 7E 02 00 00

10053082 .  6A 01          PUSH 1
10053084 .  6A 00          PUSH 0
10053086 .  68 02050000    PUSH 502
1005308B .  FF7424 10       PUSH DWORD PTR [ESP+10]
1005308F .  B8 2E2E0510    MOV EAX,10052E2E                      ;  Entry address
10053094 .  03C3             ADD EAX,EBX
10053096 .  FFD0             CALL EAX
10053098 .  81C3 62100010    ADD EBX,10001062
1005309E .  FFE3             JMP EBX
100530A0 .  B9 38000000    MOV ECX,38
100530A5 .  8BF3             MOV ESI,EBX
100530A7 .  81C6 B8300510    ADD ESI,100530B8
100530AD >  8136 24698724    XOR DWORD PTR [ESI],24876924
100530B3 .  83C6 04          ADD ESI,4
100530B6 .^ E2 F5          LOOPD SHORT 100530AD                   ;  100530AD
100530B8 .  B9 A0000000    MOV ECX,0A0
100530BD .  8BF3             MOV ESI,EBX
100530BF    81C6 F7300510    ADD ESI,100530F7
100530C5 .  8BFB             MOV EDI,EBX
100530C7 .  81C7 D1410510    ADD EDI,100541D1
100530CD .  F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI>
100530CF .  C683 C1620510 01  MOV BYTE PTR [EBX+100562C1],1
100530D6 .  6A 00          PUSH 0
100530D8 .  6A 01          PUSH 1
100530DA .  68 01050000    PUSH 501
100530DF .  FF75 08          PUSH DWORD PTR [EBP+8]
100530E2 .  8BC3             MOV EAX,EBX
100530E4 .  05 162E0510    ADD EAX,10052E16                      ;  Entry address
100530E9    FFD0       CALL EAX
100530EB    90          NOP
100530EC    90          NOP
100530ED    90          NOP
100530EE    8BC3       MOV EAX,EBX
100530F0    05 98310510    ADD EAX,10053198
100530F5 .  FFE0             JMP EAX
...
10053198    B9 38000000 MOV ECX,38
1005319D    8BF3       MOV ESI,EBX
1005319F    81C6 B8300510 ADD ESI,100530B8
100531A5    8136 24698724 XOR DWORD PTR [ESI],24876924
100531AB    83C6 04    ADD ESI,4
100531AE ^ E2 F5       LOOPD SHORT 100531A5                   ;  100531A5
100531B0    33C0       XOR EAX,EAX
100531B2    81C3 B2110010 ADD EBX,100011B2
100531B8    FFE3       JMP EBX

6A 01 6A 00 68 02 05 00 00 FF 74 24 10 B8 2E 2E 05 10 03 C3 FF D0 81 C3 62 10 00 10 FF E3 B9 38
00 00 00 8B F3 81 C6 B8 30 05 10 81 36 24 69 87 24 83 C6 04 E2 F5 9D C9 87 24 24 E2 74 A5 E2 9E
B7 21 34 E2 7C A5 E3 B8 C6 21 34 9A 23 E2 A7 A8 E5 21 34 68 ED 24 4E 68 EF 25 21 69 87 DB 51 61
0C E7 21 7F A9 21 34 96 57 B4 B4 F9 0C E7 21 F1 B6 21 34 96 67 3C 0E C4 8A 08 64 69 87 25 35 61
88 24 9F DF 54 89 EE D0 54 E7 66 30 3F 8C F2 93 3E 80 9A B6 A6 24 1B E6 B3 4F 99 89 D8 5F DD DD
96 30 8D 5F 82 F5 8E DC 17 5E AE E4 42 7E 6C 5A DA F8 2A BF 85 1C 38 FD 1F 91 74 6F B6 41 B3 BD
59 28 E5 BF B7 B9 DB C7 3D 03 AD CD 98 2F 9F 8E 9A 63 28 95 FB CF 29 C5 75 CD 29 3D 2E C8 29 09
F8 CC 29 D9 9B CE 29 21 47 CF 29 3D F4 CF 29 71 AD 89 29 C7 87 24 24 69 87 24 24 69 87 58 AC 6B
87 24 24 69 87 AC 3C 2A 87 AC C3 7B 87 74 C1 7B 87 CD EC 2B 87 B4 B9 38 00 00 00 8B F3 81 C6 B8
30 05 10 81 36 24 69 87 24 83 C6 04 E2 F5 33 C0 81 C3 B2 11 00 10 FF E3 00 00 00 00 00 00 00 00

recv
18 2A AD 0D 2C 40 00 00 01 11 08 0F 00 BB B6 D3 AD CA B9 D3 C3 42 59 B8 A8 D6 FA B9 A4 BE DF 21
00 3F 8F 34 6B BD E0 5F 7B F9 B4 11 14 A9 36 05 D1 AA B5 90 7A 8A 8D C5 5A 48 33 5D DC 0E D6 02
38 1C 94 98 B5 50 06 31 65 97 D4 DE 0C C1 D6 30 9D FF AE BA 27 89 A4 1F 0B BB E7 1D 47 0C FC 7C
EB 0D AC F2 E9 0D 54 A9 EC 0D 60 7F E8 0D B0 1C EA 0D 48 C0 EB 0D 54 73 EB 0D 18 2A AD 0D AE 00
00 00 00 00 00 00 00 00 7C 88 02 00 00 00 00 00 88 18 43 00 88 E7 12 00 50 E5 12 00 E9 C8 42 00

//////////////
crack pycq.dll

;s MOV AX,[EAX+6]
;检查pycq.dll节数
10010AAC  |> \C605 CD610510>MOV BYTE PTR [100561CD],1
10010AB3  |.  A1 24400510 MOV EAX,[10054024]
10010AB8  |.  0340 3C    ADD EAX,[EAX+3C]
10010ABB  |.  66:8B40 06 MOV AX,[EAX+6]
10010ABF  |.  66:83F8 07 CMP AX,7
10010AC3  |.  75 07       JNZ SHORT 10010ACC                      ;  10010ACC
10010AC5  |.  C605 CD610510>MOV BYTE PTR [100561CD],0
10010ACC  |>  0FB685 F4FEFF>MOVZX EAX,BYTE PTR [EBP-10C]

10010AC3    90          NOP
10010AC4    90          NOP

;s CMP AX,??(oep)
;检查pycq.dll的oep
1002C0DC  |.  8D05 709B7F10  LEA EAX,[107F9B70]
1002C0E2  |.  8B80 B4A485FF  MOV EAX,[EAX+FF85A4B4]
1002C0E8  |>  66:8B80 F10000>MOV AX,[EAX+F1]
1002C0EF  |.  66:3D 5F08    CMP AX,85F ;00085FC2
1002C0F3  |.  74 0B       JE SHORT 1002C100                      ;  1002C100
1002C0F5  |.  66:C705 8B6105>MOV WORD PTR [1005618B],1
1002C0FE  |.  EB 09       JMP SHORT 1002C109                      ;  1002C109
1002C100  |>  66:C705 8B6105>MOV WORD PTR [1005618B],0
1002C109  |>  E8 D46D0200 CALL 10052EE2                         ; [GetTickCount

1002C0F3    /EB 0B       JMP SHORT 1002C100                      ;  1002C100

100000F0 C1000100 DD 000100C1       ;  AddressOfEntryPoint = 100C1
new oep = 0008D001

;s CMP ECX,190
;检查pycq.exe pe头1
1003C8B6  |> \803D C3620510 >CMP BYTE PTR [100562C3],0
1003C8BD  |.  75 13       JNZ SHORT 1003C8D2                      ;  1003C8D2
1003C8BF  |.  3D 7F140000 CMP EAX,147F
1003C8C4  |.  74 1D       JE SHORT 1003C8E3                      ;  1003C8E3
1003C8C6  |.  812D 24400510 >SUB DWORD PTR [10054024],10000          ;  UNICODE "=::=::\"
1003C8D0  |.  EB 11       JMP SHORT 1003C8E3                      ;  1003C8E3
1003C8D2  |>  3D C2150000 CMP EAX,15C2
1003C8D7  |.  74 0A       JE SHORT 1003C8E3                      ;  1003C8E3
1003C8D9  |.  812D 24400510 >SUB DWORD PTR [10054024],10000          ;  UNICODE "=::=::\"
1003C8E3  |>  C9          LEAVE

1003C8BD    /EB 24       JMP SHORT 1003C8E3                      ;  1003C8E3

new pe head = 00001B48
;s CMP ECX,190
;检查pycq.exe pe头2
1002B216    803D C3620510 >CMP BYTE PTR [100562C3],0
1002B21D    75 26       JNZ SHORT 1002B245                      ;  1002B245
1002B21F    81FB 7F140000  CMP EBX,147F

1002B21D    EB 4A       JMP SHORT 1002B269                      ;  1002B269

;s CMP ECX,190
;检查pycq.exe pe头3
100309A0    803D C3620510 >CMP BYTE PTR [100562C3],0
100309A7    75 24       JNZ SHORT 100309CD                      ;  100309CD
100309A9    81FB 498C0000  CMP EBX,8C49

100309A7    EB 46       JMP SHORT 100309EF                      ;  100309EF
new pe head = 00001B48 xor 9836 = 0000837E
/////////
;teb
Names in PYCQ, item 17
Address=10055104
Type=Import  (Known)
Name=kernel32.CreateToolhelp32Snapshot

10040801  |> \803D 23600510>CMP BYTE PTR [10056023],3
10040808    75 05       JNZ SHORT 1004080F                      ;  1004080F
1004080A  |.  E8 F66CFCFF CALL 10007505                         ;  10007505
;CreateToolhelp32Snapshot TH32CS_SNAPMODULE
1004080F  |>  EB 10       JMP SHORT 10040821                      ;  10040821

10040808    /EB 05       JMP SHORT 1004080F                      ;  1004080F

//////
;CreateDialogParamA
0012FD9C  |034A04BB  RETURN to pycq.034A04BB from <JMP.&user32.CreateDialogParamA>
0012FDA0  |03460000  pycq.03460000
0012FDA4  |000003EB
0012FDA8  |001C0D0A
0012FDAC  |034AA62F  pycq.034AA62F
0012FDB0  |03460000  pycq.03460000
0012FDB4  |00000000
0012FDB8  |00000001
0012FDBC  |00000000
0012FDC0  |00000000
0012FDC4  |034A0310  pycq.034A0310
0012FDC8  |00000104
0012FDCC  |00000000
0012FDD0  |00000000
0012FDD4  ]0012FDF4
0012FDD8  |034A032A  RETURN to pycq.034A032A from pycq.034A045F

;recv date xor
10052CBD .  833D 48600510 00          CMP DWORD PTR [10056048],0
10052CC4 .  74 1E                   JE SHORT 10052CE4                      ;  10052CE4
10052CC6 .  A1 48600510             MOV EAX,[10056048]
10052CCB .  3B05 60110610             CMP EAX,[10061160]
10052CD1 .  74 05                   JE SHORT 10052CD8                      ;  10052CD8

10052CD1    /EB 05             JMP SHORT 10052CD8                      ;  10052CD8

/////////
03 E1 2E 20 44 41 00 00 01 4C 1C 0A 00 BB B6 D3 AD CA B9 D3 C3 62 79 77 67 20 76 34 2E 31 30 B1
BE B5 D8 C6 C6 BD E2 B0 E6 B1 BE 2E 20 43 72 61 63 6B 65 64 20 62 79 20 D0 A1 C8 AB 20 32 30 30
35 2D 37 2D 31 31 20 2E 2E 2E 2E 2E 00 00 00 00 00 00 00 00 8D B0 BA 27 B6 97 96 0D D8 88 E7 B7
68 20 B7 39 6A 20 4F 62 6F 20 7B B4 6B 20 AB D7 69 20 53 0B 68 20 4F B8 68 20 03 E1 2E 20 0F 27

18 2A AD 0D 2C 40 00 00 01 |11 08 0F 00| BB B6 D3 AD CA B9 D3 C3 42 59 B8 A8 D6 FA B9 A4 BE DF 21
00 3F 8F 34 6B BD E0 5F 7B F9 B4 11 14 A9 36 05 D1 AA B5 90 7A 8A 8D C5 5A 48 33 5D DC 0E D6 02
38 1C 94 98 B5 50 06 31 65 97 D4 DE 0C C1 D6 30 9D FF AE BA 27 89 A4 1F 0B BB E7 1D 47 0C |FC 7C
EB 0D AC F2 E9 0D 54 A9 EC 0D 60 7F E8 0D B0 1C EA 0D 48 C0 EB 0D 54 73 EB 0D 18 2A AD 0D AE 00
00 00 00 00 00 00 00 00 7C 88 02 00 00 00 00 00 88 18 43 00 88 E7 12 00 50 E5 12 00 E9 C8 42 00

0348FCE3 8B5E 1C       MOV EBX,[ESI+1C]
DS:[034B424B]=0DAD2A18
EBX=0077F658
034B422F

00000050                                           FC 7C
00000060 EB 0D AC F2 E9 0D 54 A9  EC 0D 60 7F E8 0D B0 1C
00000070 EA 0D 48 C0 EB 0D 54 73  EB 0D 18 2A AD 0D

0348FCDE B9 07000000    MOV ECX,7
0348FCE3 8B5E 1C       MOV EBX,[ESI+1C]
0348FCE6 8B06          /MOV EAX,[ESI]
0348FCE8 33C3          |XOR EAX,EBX
0348FCEA 8907          |MOV [EDI],EAX
0348FCEC 49             |DEC ECX
0348FCED 83C6 04       |ADD ESI,4
0348FCF0 83C7 04       |ADD EDI,4
0348FCF3 0BC9          |OR ECX,ECX
0348FCF5  ^ 75 EF          \JNZ SHORT 0348FCE6                   ; 0348FCE6

034A072E A1 59614B03    MOV EAX,[34B6159]
034A0733 0305 59424B03 ADD EAX,[34B4259]
034A0739 A3 18134C03    MOV [34C1318],EAX
034A073E C605 88414B03 0>MOV BYTE PTR [34B4188],1
034A0745 803D C2624B03 0>CMP BYTE PTR [34B62C2],0
034A074C 74 1A          JE SHORT 034A0768                      ; 034A0768

DS:[034B4259]=0002887C

Offset    0  1  2  3  4  5  6  7 8  9  A  B  C  D  E  F

00000070                                           AE 00
00000080 00 00 00 00 00 00 00 00  7C 88 02 00 00 00 00 00
00000090 88 18 43 00 88 E7 12 00  50 E5 12 00 E9 C8 42 00

;打印欢迎信息
034A078E 803D DE414B03 0>CMP BYTE PTR [34B41DE],0
034A0795 74 78          JE SHORT 034A080F                      ; 034A080F
034A0797 68 0000FF00    PUSH 0FF0000
034A079C 68 FFFFFF00    PUSH 0FFFFFF
034A07A1 68 DE414B03    PUSH 34B41DE
034A07A6 E8 0CC1FEFF    CALL 0348C8B7                         ; 0348C8B7

;剩余次数
034B422F  FC 7C EB 0D AC F2 E9 0D 54 A9 EC 0D 60 7F E8 0D  ??.蜷.T╈.`.?
034B423F  B0 1C EA 0D 48 C0 EB 0D 54 73 EB 0D 18 2A AD 0D  ..?H离.Ts?.*..
034B424F  AE 00 00 00 00 00 00 00 00 00 7C 88 02 00 00 00  ?........|.....
AE=174

;recv data xor
034B41DA  11 08 0F 00 00 A3 C2 A3 D9 B8 A8 D6 FA B9 A4 BE  .....ＢＹ..助?
DS:[034B41DA]=000F0811
EAX=0000004E

;欢迎使用bywg v4.25a本地破解版本,Cracked by 小全 2005-11-8 ...
182AAD0D2C4000000111080F00BBB6D3ADCAB9D3C3627977672076342E323561B1BEB5D8C6C6BDE2B0E6B1BE2C437261636B656420627920D0A1C8AB20323030352D31312D38202E2E2E00DE0CC1D6309DFFAEBA2789A41F0BBBE71D470CFC7CEB0DACF2E90D54A9EC0D607FE80DB01CEA0D48C0EB0D5473EB0D182AAD0D0F2700000000000000007C880200000000008818430088E7120050E51200E9C84200

xor after
3C 0E C4 8A 08 64 69 87 25 35 61 88 24 9F DF 54 89 EE D0 54 E7 46 10 F0 43 04 1F B3 0A 16 5C E6
95 9A DC 5F E2 E2 D4 65 94 C2 D8 39 08 67 1B E6 47 4F 0C E3 04 46 10 A7 F4 85 A1 2C 04 16 59 B7
11 09 58 B6 09 1C 49 A9 0A 0A 69 59 28 E5 BF B7 B9 DB C7 3D 03 AD CD 98 2F 9F 8E 9A 63 28 95 FB
CF 29 C5 75 CD 29 3D 2E C8 29 09 F8 CC 29 D9 9B CE 29 21 47 CF 29 3D F4 CF 29 71 AD 89 29 66 A0
24 24 69 87 24 24 69 87 58 AC 6B 87 24 24 69 87 AC 3C 2A 87 AC C3 7B 87 74 C1 7B 87 CD EC 2B 87

100530F7  3C 0E C4 8A 08 64 69 87 25 35 61 88 24 9F DF 54  <.?.di.%5a.$?T

送给:
热血传奇28区乾坤
阳光¤柠檬草
祝她开心每一天
2005.11.08

///////////////////////////////
crack pycq.exe
;s PUSH 4A
;检查pycq.dll节数1
0040443F .  8B4C24 64    MOV ECX,[ESP+64]
00404443 .  33C0       XOR EAX,EAX
00404445 .  66:8B440C 2E  MOV AX,[ESP+ECX+2E]
0040444A .  8B0D 90B44300 MOV ECX,[43B490]
00404450 .  3BC1       CMP EAX,ECX
00404452 .  75 39       JNZ SHORT 0040448D                      ;  0040448D

00404452    90          NOP
00404453    90          NOP

;s PUSH 4A
;检查pycq.dll节数2
00404894 .  8B4424 5C    MOV EAX,[ESP+5C]
00404898 .  33D2       XOR EDX,EDX
0040489A .  66:8B5404 26  MOV DX,[ESP+EAX+26]
0040489F .  A1 90B44300 MOV EAX,[43B490]
004048A4 .  3BD0       CMP EDX,EAX
004048A6 .  75 26       JNZ SHORT 004048CE                      ;  004048CE

004048A6    90          NOP
004048A7    90          NOP

;s PUSH 65
;检查图片
00402339 .  6A 02       PUSH 2                                  ; /ResourceType = RT_BITMAP
0040233B .  6A 65       PUSH 65                               ; |ResourceName = 65
0040233D .  8B48 68    MOV ECX,[EAX+68]                      ; |
00402340 .  51          PUSH ECX                               ; |hModule
00402341 .  FF15 B4C14200 CALL [42C1B4]                         ; \FindResourceA

00405BF0  |> /03048E       /ADD EAX,[ESI+ECX*4]
00405BF3  |. |41          |INC ECX
00405BF4  |. |81F9 409C0000 |CMP ECX,9C40
00405BFA  |.^\76 F4       \JBE SHORT 00405BF0                   ;  00405BF0
00405BFC  |.  EB 05       JMP SHORT 00405C03                      ;  00405C03
00405BFE  |.  54 49 4D 45 0>ASCII "TIME",0
00405C03  |>  8D0D FE5B4000 LEA ECX,[405BFE]
00405C09  |.  2D D82A515A SUB EAX,5A512AD8
00405C0E  |>  0BC0       OR EAX,EAX
00405C10  |.  74 11       JE SHORT 00405C23                      ;  00405C23

eax=C3CE85D1
00405C09    2D D185CEC3    SUB EAX,C3CE85D1

2005-11-9 23:59

Call stack of main thread
Address Stack    Procedure / arguments                Called from                Frame
0012FCA4 034953D9 pycq.0348CFDA                      pycq.034953D4                0012FCA0
0012FDCC 0047AA1B pycq.03494EFB                      m1r.0047AA16                0012FDC8
0012FE3C 00460D31 ? m1r.0047A6C4                      m1r.00460D2C                0012FE38

0348CFDA 55             PUSH EBP
0348CFDB 8BEC          MOV EBP,ESP
0348CFDD 56             PUSH ESI
0348CFDE 57             PUSH EDI
0348CFDF 837D 0C 04    CMP DWORD PTR [EBP+C],4
0348CFE3 73 2F          JNB SHORT 0348D014                      ; 0348D014
0348CFE5 8B0D 18134C03 MOV ECX,[34C1318]
0348CFEB 8B45 0C       MOV EAX,[EBP+C]
0348CFEE 8D1440       LEA EDX,[EAX+EAX*2]
0348CFF1 8D0490       LEA EAX,[EAX+EDX*4]
0348CFF4 8D0481       LEA EAX,[ECX+EAX*4]
0348CFF7 8D70 01       LEA ESI,[EAX+1]
0348CFFA 0FB608       MOVZX ECX,BYTE PTR [EAX] ;???
0348CFFD 0BC9          OR ECX,ECX
0348CFFF 74 0E          JE SHORT 0348D00F                      ; 0348D00F

DS:[0002887C]=???
ECX=0002887C

1004072E .  A1 59610510 MOV EAX,[10056159]
10040733 .  0305 59420510 ADD EAX,[10054259]
10040739 .  A3 18130610 MOV [10061318],EAX

033A0739 A3 18133C03    MOV [33C1318],EAX

ad message
78 FB CD 19 FA 34 00 00 01 61 CA 67 43 B4 |CA 67 40 CD 56 A1| DB 85 5A CB F4 3F 02 43 FF 67 D7 D1
12 33 6A A3 D8 C6 24 D8 50 19 8B 26 61 75 74 6F 2E 73 65 61 72 63 68 2E 6D 73 6E 2E 63 6F 6D 00
00 E5 12 00 C8 C4 C3 BF C8 D5 D7 EE D0 C2 B4 AB C6 E6 CB BD B7 FE BF AA BB FA D4 A4 B8 E6 00 00
07 00 00 00 28 0E 44 00 14 0F 44 00 01 00 00 00 70 18 43 00 88 E7 12 00 50 E5 12 00 E9 C8 42 00

CA 67 43 B4 CA 67

78 FB CD 19 FA 34 00 00 01 61 CA 67 43 B4 CA 67
40 CD 56 A1 DB 85 5A CB F4 3F 02 43 FF 67 D7 D1

send2
004031F1 > \66:3D 1000 CMP AX,10
004031F5 .  0F85 8C000000 JNZ 00403287                            ;  00403287
004031FB .  8D8424 9C0000>LEA EAX,[ESP+9C]
00403202 .  68 04010000 PUSH 104                               ; /BufSize = 104 (260.)
00403207 .  50          PUSH EAX                               ; |PathBuffer

00404310  /$  55          PUSH EBP
00404311  |.  8BEC       MOV EBP,ESP
00404313  |.  81EC 80000000 SUB ESP,80
00404319  |.  53          PUSH EBX
0040431A  |.  56          PUSH ESI
0040431B  |.  8B75 08    MOV ESI,[EBP+8]
0040431E  |.  8D45 80    LEA EAX,[EBP-80]
00404321  |.  57          PUSH EDI

00403221 .  E8 B4410000 CALL 004073DA                         ; \pycq.004073DA
00403226 .  83F8 FF    CMP EAX,-1
00403229 .  A3 704C4400 MOV [444C70],EAX
0040322E    75 36       JNZ SHORT 00403266                      ;  00403266
00403230    8B9424 A40100>MOV EDX,[ESP+1A4]

eax=43023FF4

00403226    B8 F43F0243    MOV EAX,43023FF4
0040322B    A3 704C4400    MOV [444C70],EAX
00403230    EB 34          JMP SHORT 00403266                      ;  00403266
00403232    90             NOP

B8 F4 3F 02 43 A3 70 4C 44 00 EB 34 90 90 90 90

1002CFE5  |.  8B0D 18130610 MOV ECX,[10061318]

10040725 > \833D 59420510>CMP DWORD PTR [10054259],0
1004072C .  74 3A       JE SHORT 10040768                      ;  10040768
1004072E .  A1 59610510 MOV EAX,[10056159] ;0
10040733 .  0305 59420510 ADD EAX,[10054259] ;2887C
10040739 .  A3 18130610 MOV [10061318],EAX
1004073E .  C605 88410510>MOV BYTE PTR [10054188],1

LEA EDX,[EAX+EAX*2]
LEA EAX,[EAX+EDX*4]
LEA EAX,[ECX+EAX*4]
LEA ESI,[EAX+1]

MOV AL,[EAX]
CMP AL,7D

0357CFE3 /73 2F          JNB SHORT 0357D014                      ; 0357D014
0357CFE5 |8B0D 18135B03 MOV ECX,[35B1318]                      ; m1r.004F8000
0357CFEB |8B45 0C       MOV EAX,[EBP+C]
0357CFEE |8D1440       LEA EDX,[EAX+EAX*2]
0357CFF1 |8D0490       LEA EAX,[EAX+EDX*4]
0357CFF4 |8D0481       LEA EAX,[ECX+EAX*4]
0357CFF7 |8D70 01       LEA ESI,[EAX+1]
0357CFFA |0FB608       MOVZX ECX,BYTE PTR [EAX]

10053177  24 24 69 87 24 24 69 87 24 24 69 87 24 24 69 87  $$i.$$i.$$i.$$i.

new
DD 83 17 1F 94 3D 00 00 01 CF 03 13 00 00 A3 C2 A3 D9 B8 A8 D6 FA B9 A4 BE DF CA A3 D3 E0 B4 CE
CA FD A3 BA 31 36 35 00 D4 68 89 80 8B 99 61 32 7D F3 CE D5 A3 9F 42 14 4A DA 0F 21 08 B9 07 4C
F3 63 7D 89 72 6B F0 D8 56 44 62 5A 35 BB 11 89 5A 80 34 C6 D6 1B 37 14 17 40 A9 4A C2 56 39 D5
51 1F 69 5B 53 1F 91 00 56 1F A5 D6 52 1F 75 B5 50 1F 8D 69 51 1F 91 DA 51 1F DD 83 17 1F A5 00
00 00 00 00 00 00 00 00 7C 88 02 00 00 00 00 00 88 18 43 00 88 E7 12 00 50 E5 12 00 E9 C8 42 00

old
18 2A AD 0D 2C 40 00 00 01 |11 08 0F 00| BB B6 D3 AD CA B9 D3 C3 42 59 B8 A8 D6 FA B9 A4 BE DF 21
00 3F 8F 34 6B BD E0 5F 7B F9 B4 11 14 A9 36 05 D1 AA B5 90 7A 8A 8D C5 5A 48 33 5D DC 0E D6 02
38 1C 94 98 B5 50 06 31 65 97 D4 DE 0C C1 D6 30 9D FF AE BA 27 89 A4 1F 0B BB E7 1D 47 0C |FC 7C
EB 0D AC F2 E9 0D 54 A9 EC 0D 60 7F E8 0D B0 1C EA 0D 48 C0 EB 0D 54 73 EB 0D 18 2A AD 0D AE 00
00 00 00 00 00 00 00 00 7C 88 02 00 00 00 00 00 88 18 43 00 88 E7 12 00 50 E5 12 00 E9 C8 42 00

1002CFEB                8B45 0C          MOV EAX,[EBP+C]                         ;  PYCQ.10000000
1002CFEE                8D1440          LEA EDX,[EAX+EAX*2]
1002CFF1             .  8D0490          LEA EAX,[EAX+EDX*4]
1002CFF4             .  8D0481          LEA EAX,[ECX+EAX*4]
1002CFF7             .  8D70 01          LEA ESI,[EAX+1]

1002CFEB                /E9 CA610200    JMP 100531BA                            ;  <mycode>
1002CFF0                |90             NOP
1002CFF1             . |8D0490          LEA EAX,[EAX+EDX*4]
1002CFF4             . |8D0481          LEA EAX,[ECX+EAX*4]

<mycode> 100531BA       E8 00000000    CALL 100531BF                         ;  100531BF
100531BF                59             POP ECX
100531C0                81E9 BF310510    SUB ECX,100531BF
100531C6                81C1 F1CF0210    ADD ECX,1002CFF1
100531CC                51             PUSH ECX
100531CD                B9 00804F00    MOV ECX,4F8000
100531D2                8B45 0C          MOV EAX,[EBP+C]
100531D5                8D1440          LEA EDX,[EAX+EAX*2]
100531D8                C3             RETN

E8 00 00 00 00 59 81 E9 BF 31 05 10 81 C1 F1 CF 02 10 51 B9 00 80 4F 00 8B 45 0C 8D 14 40 C3 00

1002D025  |. /73 49          JNB SHORT 1002D070                      ;  1002D070
<hook tab>|. |8B45 10       MOV EAX,[EBP+10]
1002D02A  |. |8B0D 18130610 MOV ECX,[10061318]
1002D030  |. |8D1440          LEA EDX,[EAX+EAX*2]
1002D033  |. |8D0490          LEA EAX,[EAX+EDX*4]
1002D036  |. |0FB75481 30    MOVZX EDX,WORD PTR [ECX+EAX*4+30]
1002D03B  |. |0FB74481 32    MOVZX EAX,WORD PTR [ECX+EAX*4+32]

1002D030    /E9 A4610200 JMP 100531D9                            ;  100531D9
1002D035    |90          NOP
1002D036 . |0FB75481 30 MOVZX EDX,WORD PTR [ECX+EAX*4+30]

100531D9    E8 00000000    CALL 100531DE                         ;  100531DE
100531DE    59             POP ECX
100531DF    81E9 DE310510 SUB ECX,100531DE
100531E5    81C1 36D00210 ADD ECX,1002D036
100531EB    51             PUSH ECX
100531EC    B9 00804F00    MOV ECX,4F8000
100531F1    8D1440          LEA EDX,[EAX+EAX*2]
100531F4    8D0490          LEA EAX,[EAX+EDX*4]
100531F7    C3             RETN

E8 00 00 00 00 59 81 E9 DE 31 05 10 81 C1 36 D0 02 10 51 B9 00 80 4F 00 8D 14 40 8D 04 90 C3 00

0348EDF7 56             PUSH ESI
0348EDF8 57             PUSH EDI
0348EDF9 803D AF6F4B03 0>CMP BYTE PTR [34B6FAF],0
0348EE00 74 2E          JE SHORT 0348EE30                      ; 0348EE30
0348EE02 8B35 18134C03 MOV ESI,[34C1318] ;!!!
0348EE08 803E 00       CMP BYTE PTR [ESI],0
0348EE0B 74 23          JE SHORT 0348EE30                      ; 0348EE30
0348EE0D 66:8B46 30    MOV AX,[ESI+30]
0348EE11 46             INC ESI
0348EE12 8D3D B06F4B03 LEA EDI,[34B6FB0]
0348EE18 0FB60F       MOVZX ECX,BYTE PTR [EDI]
0348EE1B 47             INC EDI
0348EE1C FC             CLD
0348EE1D F3:A6          REPE CMPS BYTE PTR ES:[EDI],BYTE PTR [ES>
0348EE1F 75 0F          JNZ SHORT 0348EE30                      ; 0348EE30
0348EE21 66:83F8 64    CMP AX,64
0348EE25 72 04          JB SHORT 0348EE2B                      ; 0348EE2B
0348EE27 32C0          XOR AL,AL
0348EE29 EB 02          JMP SHORT 0348EE2D                      ; 0348EE2D
0348EE2B 0C FF          OR AL,0FF
0348EE2D 5F             POP EDI
0348EE2E 5E             POP ESI
0348EE2F C3             RETN

0348CFE5 B9 00804F00    MOV ECX,4F8000

0348D075 8A83 41744B03 MOV AL,[EBX+34B7441]
0348D07B 3C 02          CMP AL,2
0348D07D 0F85 50010000 JNZ 0348D1D3                            ; 0348D1D3
0348D083 E8 6F1D0000    CALL 0348EDF7                         ; 比较手位置
0348D088 0AC0          OR AL,AL
0348D08A 0F84 AB000000 JE 0348D13B                            ; 0348D13B
0348D090 A1 18134C03    MOV EAX,[34C1318]
0348D095 8078 0F 19    CMP BYTE PTR [EAX+F],19
0348D099 74 0E          JE SHORT 0348D0A9                      ; 0348D0A9
0348D09B 8038 00       CMP BYTE PTR [EAX],0
0348D09E 74 09          JE SHORT 0348D0A9                      ; 0348D0A9
0348D0A0 FF70 2C       PUSH DWORD PTR [EAX+2C]
0348D0A3 8F05 FF614B03 POP DWORD PTR [34B61FF]
0348D0A9 0FB605 D5714B03 MOVZX EAX,BYTE PTR [34B71D5]
0348D0B0 50             PUSH EAX
0348D0B1 E8 0D660100    CALL 034A36C3                         ; 比较毒位置
0348D0B6 83F8 FF       CMP EAX,-1
0348D0B9 74 45          JE SHORT 0348D100                      ; 0348D100
0348D0BB 803D D5714B03 0>CMP BYTE PTR [34B71D5],0
0348D0C2 75 09          JNZ SHORT 0348D0CD                      ; 0348D0CD
0348D0C4 C605 79614B03 0>MOV BYTE PTR [34B6179],0
0348D0CB EB 07          JMP SHORT 0348D0D4                      ; 0348D0D4
0348D0CD C605 79614B03 0>MOV BYTE PTR [34B6179],1
0348D0D4 803D 88414B03 0>CMP BYTE PTR [34B4188],0
0348D0DB 74 16          JE SHORT 0348D0F3                      ; 0348D0F3
0348D0DD 803D D7714B03 0>CMP BYTE PTR [34B71D7],0
0348D0E4 75 0D          JNZ SHORT 0348D0F3                      ; 0348D0F3
0348D0E6 50             PUSH EAX
0348D0E7 6A 09          PUSH 9
0348D0E9 E8 0C640100    CALL 034A34FA                         ; 034A34FA
0348D0EE E9 9C010000    JMP 0348D28F                            ; 0348D28F
0348D0F3 50             PUSH EAX
0348D0F4 6A 05          PUSH 5
0348D0F6 E8 FF630100    CALL 034A34FA                         ; 034A34FA
0348D0FB E9 8F010000    JMP 0348D28F                            ; 0348D28F

10040725 > \833D 59420510>CMP DWORD PTR [10054259],0
1004072C .  74 3A       JE SHORT 10040768                      ;  10040768
1004072E .  A1 59610510 MOV EAX,[10056159]
10040733 .  0305 59420510 ADD EAX,[10054259]
10040739 .  A3 18130610 MOV [10061318],EAX
1004073E .  C605 88410510>MOV BYTE PTR [10054188],1
10040745 .  803D C2620510>CMP BYTE PTR [100562C2],0

1004072C    /74 3A       JE SHORT 10040768                      ;  10040768

1004072C    /74 10       JE SHORT 1004073E                      ;  1004073E

[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・0

免费・0

支持

最新回复 (3)
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 9 关注私信	wynney 24 2 楼不知所云。。。 2005-12-14 09:53 0
南蛮妈妈雪币： 233 活跃值： (130) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 472 粉丝 0 关注私信	南蛮妈妈 3 3 楼好像没贴完整啊 2005-12-14 10:01 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 4 楼完整了，这个注释是最多，破解了前几个版本，这次都是记录重点地方，多余的错误的分析过程很少 2005-12-14 10:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

jskew

发帖

352

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 9 关注私信	wynney 24 2 楼不知所云。。。 2005-12-14 09:53 0
南蛮妈妈雪币： 233 活跃值： (130) 能力值： ( LV8，RANK：130 ) 在线值：发帖 6 回帖 472 粉丝 0 关注私信	南蛮妈妈 3 3 楼好像没贴完整啊 2005-12-14 10:01 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 4 楼完整了，这个注释是最多，破解了前几个版本，这次都是记录重点地方，多余的错误的分析过程很少 2005-12-14 10:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复