首先声明本人菜鸟,经营一家小网吧,赖以糊口。最近顾客经常反映浏览器各种问题,游戏在首次打开的时候有时会莫名其妙地弹出各种广告,有时候是强制安装很多杀软。鉴于此,估计是无盘或者收费软件在作祟。本着求真的目的跟踪了下收费软件加载的EXE,发现个有趣的东西:
010A0D40 http://media.sunlike.cn/js/eae0fd5f19cf2188f54e
软件会从这个地址加载JS,然后调用*聚合的广告地址,
EAX=010A0C00 (BArggjne.010A0C00), ASCII "(function() {if (!document.body) return setTimeout(arguments.callee, 50);var e = document.createElement
("script");e.type = "text/javascript",e.text = '_guanggao_pub= "eae0fd5f19cf2188f54e";',e.text += '_guanggao_sl
好明显的广告字样,客服别再逼着我截屏了。真没耐性等你的广告加载
经过一系列的获取浏览器的动作后,在下面的地方开始加载com控件
; Routine at 01065C80 (OllyDbg listing). Given a parent window handle in EDI (set by the
; caller; not shown in this listing), it looks for an embedded IE browser child window and
; turns that window into a COM object via WM_HTML_GETOBJECT + oleacc!ObjectFromLresult,
; then walks three more COM calls to reach a final interface pointer.
; Returns that interface pointer in EAX on success, 0 on every failure path.
; Triage markers visible in this routine: the strings "OLEACC.DLL", "WM_HTML_GETOBJECT"
; and "ObjectFromLresult" referenced from a process that is not the browser itself.
; Stack slots used below:
;   [EBP-1C] child window handle written by the EnumChildWindows callback
;   [EBP-24] result slot handed to SendMessageTimeoutA (pResult)
;   [EBP-18] object returned by ObjectFromLresult
;   [EBP-14] / [EBP-10] intermediate interface pointers
;   [EBP-20] final interface pointer (the return value)
;   [EBP-28] saved OLEACC.DLL module handle
01065C80 /$ 55 PUSH EBP
01065C81 |. 8BEC MOV EBP,ESP
; [EBP-4] starts at -1 and is rewritten (1, 3, 5) further down; together with the handler
; pushed next this looks like a compiler-generated exception-state index - TODO confirm.
01065C83 |. 6A FF PUSH -1
01065C85 |. 68 5E530901 PUSH 0109535E
01065C8A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
01065C90 |. 50 PUSH EAX
01065C91 |. 83EC 1C SUB ESP,1C
01065C94 |. 53 PUSH EBX
01065C95 |. 56 PUSH ESI
; Global at 10AB4CC XORed with EBP and pushed: presumably the stack security cookie - TODO confirm.
01065C96 |. A1 CCB40A01 MOV EAX,DWORD PTR DS:[10AB4CC]
01065C9B |. 33C5 XOR EAX,EBP
01065C9D |. 50 PUSH EAX
; Install the new exception-registration record (previous FS:[0] + handler) located at EBP-C.
01065C9E |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
01065CA1 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
; ESI = 0; it serves as the NULL/0 constant for arguments and comparisons until 01065DA1.
01065CA7 |. 33F6 XOR ESI,ESI ; BArggjne.010AE1D8
; CoInitialize(NULL)
01065CA9 |. 56 PUSH ESI
01065CAA |. FF15 9CB20901 CALL DWORD PTR DS:[<&ole32.CoInitiali>; ole32.CoInitialize
; EBX = LoadLibraryA("OLEACC.DLL"); the handle is also saved in [EBP-28].
01065CB0 |. 68 9C0B0A01 PUSH 010A0B9C ; /OLEACC.DLL
01065CB5 |. FF15 58B10901 CALL DWORD PTR DS:[<&KERNEL32.LoadLib>; \LoadLibraryA
01065CBB |. 8BD8 MOV EBX,EAX
01065CBD |. 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
; Result slot [EBP-20] is cleared before any work is done.
01065CC0 |. 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
; Library failed to load -> skip FreeLibrary, go straight to CoUninitialize and return 0.
01065CC3 |. 3BDE CMP EBX,ESI
01065CC5 |. 0F84 4E010000 JE 01065E19
; Parent window handle (EDI) is NULL -> free the library and return 0.
01065CCB |. 3BFE CMP EDI,ESI
01065CCD |. 0F84 3F010000 JE 01065E12
; EnumChildWindows(EDI, 01065E40, &[EBP-1C]); the slot is zeroed first so that "still 0"
; afterwards means the callback never stored a window handle.
01065CD3 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
01065CD6 |. 50 PUSH EAX ; /lParam
01065CD7 |. 68 405E0601 PUSH 01065E40 ; |Callback = BArggjne.01065E40
01065CDC |. 57 PUSH EDI ; |hParent
01065CDD |. 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI ; |
01065CE0 |. FF15 6CB20901 CALL DWORD PTR DS:[<&USER32.EnumChild>; \EnumChildWindows
; No matching child window found -> cleanup and return 0.
01065CE6 |. 3975 E4 CMP DWORD PTR SS:[EBP-1C],ESI
01065CE9 |. 0F84 23010000 JE 01065E12
01065CEF |. 8975 E8 MOV DWORD PTR SS:[EBP-18],ESI
01065CF2 |. C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
; EAX = RegisterWindowMessageA("WM_HTML_GETOBJECT"): the registered message id sent below.
01065CF9 |. 68 A80B0A01 PUSH 010A0BA8 ; /WM_HTML_GETOBJECT
01065CFE |. FF15 54B20901 CALL DWORD PTR DS:[<&USER32.RegisterW>; \RegisterWindowMessageA
; SendMessageTimeoutA(hWnd=[EBP-1C], msg=EAX, 0, 0, flags=2, timeout=1000 ms, pResult=&[EBP-24]).
; NOTE(review): the return value of this call is never tested and [EBP-24] is not
; initialised anywhere in this routine, so on a timeout the value passed on to
; ObjectFromLresult is whatever was left in that slot.
01065D04 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
01065D07 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
01065D0A |. 51 PUSH ECX ; /pResult
01065D0B |. 68 E8030000 PUSH 3E8 ; |Timeout = 1000. ms
01065D10 |. 6A 02 PUSH 2 ; |Flags = SMTO_NORMAL|SMTO_ABORTIFHUNG
01065D12 |. 56 PUSH ESI ; |lParam
01065D13 |. 56 PUSH ESI ; |wParam
01065D14 |. 50 PUSH EAX ; |Message
01065D15 |. 52 PUSH EDX ; |hWnd
01065D16 |. FF15 44B20901 CALL DWORD PTR DS:[<&USER32.SendMessa>; \SendMessageTimeoutA
; EAX = GetProcAddress(hModule=EBX, "ObjectFromLresult"); NULL -> cleanup at 01065DFC.
01065D1C |. 68 BC0B0A01 PUSH 010A0BBC ; /ObjectFromLresult
01065D21 |. 53 PUSH EBX ; |hModule
01065D22 |. FF15 50B00901 CALL DWORD PTR DS:[<&KERNEL32.GetProc>; \GetProcAddress
01065D28 |. 3BC6 CMP EAX,ESI
01065D2A |. 0F84 CC000000 JE 01065DFC
; Call through the resolved pointer with four arguments, pushed last-to-first:
; ([EBP-24], 0109B35C, 0, &[EBP-18]). With ObjectFromLresult's documented signature that is
; (lResult, riid, wParam, ppvObject). The IID bytes stored at 0109B35C are not shown on this page.
01065D30 |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
01065D33 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
01065D36 |. 51 PUSH ECX
01065D37 |. 56 PUSH ESI
01065D38 |. 68 5CB30901 PUSH 0109B35C
01065D3D |. 52 PUSH EDX
01065D3E |. FFD0 CALL EAX
; Negative result (failed HRESULT) -> cleanup at 01065DFC.
01065D40 |. 3BC6 CMP EAX,ESI
01065D42 |. 0F8C B4000000 JL 01065DFC
01065D48 |. 8975 EC MOV DWORD PTR SS:[EBP-14],ESI
; BL is reused as a constant 3 from here on, clobbering the low byte of the module handle in
; EBX; the failure path reloads EBX from [EBP-28] before FreeLibrary.
01065D4B |. B3 03 MOV BL,3
01065D4D |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
01065D50 |. 8975 F0 MOV DWORD PTR SS:[EBP-10],ESI
01065D53 |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
; Virtual call #1: method at vtable offset 0x1B0 of the object in [EBP-18], one out-pointer
; argument (&[EBP-14]).
; NOTE(review): if 0109B35C is IID_IHTMLDocument2 this slot is worth checking against
; get_parentWindow - confirm against the IID bytes and the interface layout.
01065D57 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
01065D5A |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
01065D5C |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
01065D5F |. 52 PUSH EDX
01065D60 |. 50 PUSH EAX
01065D61 |. 8B81 B0010000 MOV EAX,DWORD PTR DS:[ECX+1B0]
01065D67 |. FFD0 CALL EAX
01065D69 |. 3BC6 CMP EAX,ESI
01065D6B |. 7C 73 JL SHORT 01065DE0
; Virtual call #2: vtable slot 0 (QueryInterface by COM convention) on [EBP-14], asking for
; the IID at 0109B36C; result goes to [EBP-10].
01065D6D |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
01065D70 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
01065D72 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
01065D75 |. 52 PUSH EDX
01065D76 |. 68 6CB30901 PUSH 0109B36C
01065D7B |. 50 PUSH EAX
01065D7C |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
01065D7E |. FFD0 CALL EAX
01065D80 |. 3BC6 CMP EAX,ESI
01065D82 |. 7C 5C JL SHORT 01065DE0
; Virtual call #3: vtable offset 0xC (first method after the three IUnknown slots) on
; [EBP-10], with two GUID pointers (0109B33C, 0109B34C) and an out-pointer &[EBP-20].
; NOTE(review): the argument shape matches IServiceProvider::QueryService(guidService, riid,
; ppv) - presumably that; verify the three GUIDs in the data section.
01065D84 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
01065D87 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
01065D89 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
01065D8C |. 52 PUSH EDX
01065D8D |. 68 4CB30901 PUSH 0109B34C
01065D92 |. 68 3CB30901 PUSH 0109B33C
01065D97 |. 50 PUSH EAX
01065D98 |. 8B41 0C MOV EAX,DWORD PTR DS:[ECX+C]
01065D9B |. FFD0 CALL EAX
01065D9D |. 3BC6 CMP EAX,ESI
01065D9F |. 7C 3F JL SHORT 01065DE0
; Success path: ESI = final interface pointer; 01064B00 is called on the addresses of the
; three intermediate pointers (presumably a smart-pointer release helper - TODO confirm).
; Note that this path returns without FreeLibrary or CoUninitialize, unlike the failure paths.
01065DA1 |. 8B75 E0 MOV ESI,DWORD PTR SS:[EBP-20]
01065DA4 |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
01065DA7 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
01065DAA |. 51 PUSH ECX
01065DAB |. E8 50EDFFFF CALL 01064B00
01065DB0 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
01065DB4 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
01065DB7 |. 52 PUSH EDX
01065DB8 |. E8 43EDFFFF CALL 01064B00
01065DBD |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
01065DC4 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
01065DC7 |. 50 PUSH EAX
01065DC8 |. E8 33EDFFFF CALL 01064B00
; Return the interface pointer; restore the previous FS:[0] record and saved registers.
01065DCD |. 8BC6 MOV EAX,ESI
01065DCF |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
01065DD2 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
01065DD9 |. 59 POP ECX
01065DDA |. 5E POP ESI
01065DDB |. 5B POP EBX
01065DDC |. 8BE5 MOV ESP,EBP
01065DDE |. 5D POP EBP
01065DDF |. C3 RETN
; Failure after virtual call #1/#2/#3: run 01064B00 on [EBP-10] and [EBP-14], then reload
; EBX with the module handle saved in [EBP-28].
01065DE0 |> 885D FC MOV BYTE PTR SS:[EBP-4],BL
01065DE3 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
01065DE6 |. 51 PUSH ECX
01065DE7 |. E8 14EDFFFF CALL 01064B00
01065DEC |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
01065DF0 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
01065DF3 |. 52 PUSH EDX
01065DF4 |. E8 07EDFFFF CALL 01064B00
01065DF9 |. 8B5D D8 MOV EBX,DWORD PTR SS:[EBP-28]
; Common failure tail: if [EBP-18] holds an object, call its vtable slot at offset 8
; (Release by COM convention).
01065DFC |> C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
01065E03 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
01065E06 |. 3BC6 CMP EAX,ESI
01065E08 |. 74 08 JE SHORT 01065E12
01065E0A |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
01065E0C |. 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
01065E0F |. 50 PUSH EAX
01065E10 |. FFD2 CALL EDX
; FreeLibrary(OLEACC.DLL handle), CoUninitialize(), return 0.
01065E12 |> 53 PUSH EBX ; /hLibModule
01065E13 |. FF15 9CB00901 CALL DWORD PTR DS:[<&KERNEL32.FreeLib>; \FreeLibrary
01065E19 |> FF15 98B20901 CALL DWORD PTR DS:[<&ole32.CoUninitia>; ole32.CoUninitialize
01065E1F |. 33C0 XOR EAX,EAX
01065E21 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
01065E24 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
01065E2B |. 59 POP ECX
01065E2C |. 5E POP ESI
01065E2D |. 5B POP EBX
01065E2E |. 8BE5 MOV ESP,EBP
01065E30 |. 5D POP EBP
01065E31 \. C3 RETN
============================
其中传给EnumChildWindows的回调函数(地址01065E40)如下
=============================================窗口过程回调函数==================
; Callback at 01065E40, passed to EnumChildWindows by the routine at 01065C80.
; Arguments: [EBP+8] = child window handle, [EBP+C] = lParam (pointer to the caller's
; result slot). It reads the window's class name and compares it with
; "Internet Explorer_Server".
; Returns 0 after storing the handle through lParam when the name matches (a zero return
; stops the enumeration), 1 otherwise (enumeration continues). RETN 8 = two stdcall arguments.
01065E40 /. 55 PUSH EBP
01065E41 |. 8BEC MOV EBP,ESP
; 0x68 bytes of locals: class-name buffer at [EBP-68], cookie value at [EBP-4].
01065E43 |. 83EC 68 SUB ESP,68
; Global at 10AB4CC XORed with EBP and stored at [EBP-4]: presumably the stack security
; cookie, verified by the calls to 0107C75C before each return - TODO confirm.
01065E46 |. A1 CCB40A01 MOV EAX,DWORD PTR DS:[10AB4CC]
01065E4B |. 33C5 XOR EAX,EBP
01065E4D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
01065E50 |. 56 PUSH ESI
; ESI = window handle argument, EDI = lParam argument.
01065E51 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
01065E54 |. 57 PUSH EDI
01065E55 |. 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
; GetClassNameA(hWnd, buffer at [EBP-68], 100): the count equals the space between EBP-68
; and the cookie slot at EBP-4.
01065E58 |. 6A 64 PUSH 64 ; /Count = 64 (100.)
01065E5A |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68] ; |
01065E5D |. 50 PUSH EAX ; |Buffer
01065E5E |. 56 PUSH ESI ; |hWnd
01065E5F |. FF15 48B20901 CALL DWORD PTR DS:[<&USER32.GetClassN>; \GetClassNameA
; First comparison: 01080BA1(buffer, "Internet Explorer_Server"), caller-cleaned (ADD ESP,8).
; A zero result jumps to the match path. NOTE(review): presumably a string-compare helper;
; its exact semantics are not visible on this page.
01065E65 |. 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
01065E68 |. 68 D00B0A01 PUSH 010A0BD0 ; Internet Explorer_Server
01065E6D |. 51 PUSH ECX
01065E6E |. E8 2EAD0100 CALL 01080BA1
01065E73 |. 83C4 08 ADD ESP,8
01065E76 |. 85C0 TEST EAX,EAX
01065E78 |. 74 48 JE SHORT 01065EC2
; Second comparison: inline byte-wise compare of the buffer against the same string,
; two characters per loop iteration, stopping at the first difference or at the NUL.
01065E7A |. B9 D00B0A01 MOV ECX,010A0BD0 ; Internet Explorer_Server
01065E7F |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
01065E82 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
01065E84 |. 3A11 |CMP DL,BYTE PTR DS:[ECX]
01065E86 |. 75 1A |JNZ SHORT 01065EA2
01065E88 |. 84D2 |TEST DL,DL
01065E8A |. 74 12 |JE SHORT 01065E9E
01065E8C |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1]
01065E8F |. 3A51 01 |CMP DL,BYTE PTR DS:[ECX+1]
01065E92 |. 75 0E |JNZ SHORT 01065EA2
01065E94 |. 83C0 02 |ADD EAX,2
01065E97 |. 83C1 02 |ADD ECX,2
01065E9A |. 84D2 |TEST DL,DL
01065E9C |.^ 75 E4 \JNZ SHORT 01065E82
; Strings equal -> EAX = 0.
01065E9E |> 33C0 XOR EAX,EAX
01065EA0 |. EB 05 JMP SHORT 01065EA7
; Strings differ -> the SBB pair turns the carry flag of the failing CMP into -1 or 1.
01065EA2 |> 1BC0 SBB EAX,EAX
01065EA4 |. 83D8 FF SBB EAX,-1
01065EA7 |> 85C0 TEST EAX,EAX
01065EA9 |. 74 17 JE SHORT 01065EC2
; No match: return 1 so EnumChildWindows moves on to the next child window.
01065EAB |. 5F POP EDI
01065EAC |. B8 01000000 MOV EAX,1
01065EB1 |. 5E POP ESI
01065EB2 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
01065EB5 |. 33CD XOR ECX,EBP
01065EB7 |. E8 A0680100 CALL 0107C75C
01065EBC |. 8BE5 MOV ESP,EBP
01065EBE |. 5D POP EBP
01065EBF |. C2 0800 RETN 8
; Match: write the window handle through lParam (*EDI = ESI) and return 0.
01065EC2 |> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
01065EC5 |. 8937 MOV DWORD PTR DS:[EDI],ESI
01065EC7 |. 5F POP EDI
01065EC8 |. 33CD XOR ECX,EBP
01065ECA |. 33C0 XOR EAX,EAX
01065ECC |. 5E POP ESI
01065ECD |. E8 8A680100 CALL 0107C75C
01065ED2 |. 8BE5 MOV ESP,EBP
01065ED4 |. 5D POP EBP
01065ED5 \. C2 0800 RETN 8
==============================
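可以很明显地看出是在查找IE控件的窗口类:回调先用GetClassNameA取出子窗口的类名,再与"Internet Explorer_Server"比较,相同时把该窗口句柄写回lParam指向的变量并返回0结束枚举,不同则返回1继续枚举。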
跟踪时写的伪代码如下,
// Author's trace notes: C-like pseudo-code mixed with pasted debugger lines; not compilable as written.
// Summarises the routine at 01065C80: initialise COM, load OLEACC.DLL, find the IE child
// window, then ask that window for its object with WM_HTML_GETOBJECT and convert the
// reply with ObjectFromLresult.
char * szDll="OLEACC.DLL";
CoInitialize(NULL);
HMoudule=LoadLibraryA(szDll);
// HwndPop is the parent window handle the disassembly receives in EDI.
if(HMoudule!=NULL&&HwndPop!=NULL)
{
EnumChildWindows(HwndPop,callbackproc,06F9FB34) ;//find the IE control's window here; 06F9FB34 is the run-time value of the lParam pointer the callback writes the handle to
RegisterWindowMessageA(WM_HTML_GETOBJECT);//the disassembly passes the name as the string "WM_HTML_GETOBJECT"; the returned id is the message sent below (0XC1A4 in this trace)
// SendMessageTimeoutA arguments as shown by the debugger, top to bottom:
// pResult, timeout (ms), flags, lParam, wParam, message, hWnd.
// NOTE(review): hWnd is listed as NULL here, while the disassembly pushes the handle the
// callback stored in [EBP-1C] - confirm against the live trace.
01065D0A |. 51 PUSH ECX ; /06F9FB2C
|1000
|SMTO_NORMAL|SMTO_ABORTIFHUNG
|0
|0
|MSG(0XC1A4)
|NULL
\SendMessageTimeoutA //send the message to the window; the message id is MSG(0XC1A4)
==============
01065D1C |. 68 BC0B0A01 PUSH 010A0BBC ; /010A0BBC=010A0BBC (ASCII "ObjectFromLresult")
01065D21 |. 53 PUSH EBX ; |73D90000
01065D22 |. FF15 50B00901 CALL DWORD PTR DS:[<&KERNEL32.GetProc>; \GetProcAddress //resolve the function's address
================
// Call through the resolved pointer: ([EBP-24] = SendMessageTimeoutA result, IID at 0109B35C,
// 0, &[EBP-18] = receives the object).
01065D30 |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
01065D33 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
01065D36 |. 51 PUSH ECX
01065D37 |. 56 PUSH ESI
01065D38 |. 68 5CB30901 PUSH 0109B35C
01065D3D |. 52 PUSH EDX
01065D3E |. FFD0 CALL EAX ; EAX=73D9540D (oleacc.ObjectFromLresult)
======================调用oleacc.ObjectFromLresult
}
真希望能给我尽快从后台去除掉。如果这家收费软件的技术也上这个论坛的话,请记得
给我去掉!!
给我去掉!
给我去掉!
我的电脑,注意!这是我的电脑,无论你要做啥,最起码得征得主人的同意吧?客服还牛的要命,这样的软件公司怎么活下来的!!!
另外顺网的无盘越来越差劲了。竟然会后台加载虚拟机,然后伺机给USB设备安装APP。挣钱要有个度啊。。。。