幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略

发表于: 2004-5-1 18:14 37594

幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略

forgot

2004-5-1 18:14

37594

[part 1]
                           幻影之旅
                                             by forgot/uS

                             转载保持完整:D

00420000 > /EB 20           jmp     short Try.00420022
00420002   |0000            add     byte ptr ds:[eax], al
00420004   |40              inc     eax
00420005   |0000            add     byte ptr ds:[eax], al
00420007   |0040 00         add     byte ptr ds:[eax], al
0042000A   |0000            add     byte ptr ds:[eax], al
0042000C   |0000            add     byte ptr ds:[eax], al
0042000E   |0000            add     byte ptr ds:[eax], al
00420010   |0000            add     byte ptr ds:[eax], al
00420012   |0200            add     al, byte ptr ds:[eax]
00420014   |0B00            or      eax, dword ptr ds:[eax]
00420016   |0000            add     byte ptr ds:[eax], al
00420018   |0230            add     dh, byte ptr ds:[eax]
0042001A   |0000            add     byte ptr ds:[eax], al
0042001C   |0000            add     byte ptr ds:[eax], al
0042001E   |0000            add     byte ptr ds:[eax], al
00420020   |0000            add     byte ptr ds:[eax], al
00420022   \9C              pushfd                                   ; 保存标志
00420023    55              push    ebp                              ; 保存寄存器
00420024    57              push    edi
00420025    56              push    esi
00420026    52              push    edx
00420027    51              push    ecx
00420028    53              push    ebx
00420029    9C              pushfd
0042002A    E8 00000000     call    Try.0042002F                     ; 取delta
0042002F    5D              pop     ebp
00420030    81ED FC584000   sub     ebp, Try.004058FC

00420040    50              push    eax                              ; 保存eax

00420058    8B85 F1344200   mov     eax, dword ptr ss:[ebp+4234F1]
00420063    83F8 00         cmp     eax, 0                           ; DLL 重入?
0042007D    0F85 33030000   jnz     Try.004203B6                     ; 第二次进入,无需解压缩,直接跳去执行

0042008D    B8 C7D70100     mov     eax, 1D7C7
00420097    83C0 10         add     eax, 10                          ; 计算所需长度

0042009F    6A 04           push    4
004200A1    68 00100000     push    1000
004200A6    50              push    eax                              ; 所需长度
004200A7    6A 00           push    0
004200A9    FF95 B93D4200   call    dword ptr ss:[ebp+423DB9]        ; 分配内存, VirtualAlloc

004200DC    8BF0            mov     esi, eax                         ; esi -> 分配的内存
00420110    8D9D 835C4000   lea     ebx, dword ptr ss:[ebp+405C83]   ; ebx -> 被压缩的数据

0042011B    50              push    eax                              ; 目的地
0042011C    53              push    ebx                              ; 数据来源
0042011D    E8 15010000     call    Try.00420237                     ; APLib解码, depack

00420127    83C4 08         add     esp, 8                           ; 平衡堆栈

00420134    56              push    esi                              ; 保存内存首地址

0042013A    8BC8            mov     ecx, eax                         ; 数据长度
00420141    8DBD 835C4000   lea     edi, dword ptr ss:[ebp+405C83]   ; 目的地
0042014C    F3:A4           rep     movsb                            ; 传送数据

0042017B    5E              pop     esi                              ; 恢复内存首地址

004201D6    68 00800000     push    8000
004201DB    6A 00           push    0
004201DD    56              push    esi
004201DE    FF95 B53D4200   call    dword ptr ss:[ebp+423DB5]        ; 释放申请的内存, VirtualFree
; * forgot : 干吗不在内存里执行……成了固定地址, 让偶们有机会.哈

00420216    E9 9B010000     jmp     Try.004203B6                     ; 跳向解压缩后的数据

004203B6    90              nop
004203CD    58              pop     eax                              ; 恢复上边保存的eax

004203D3    EB 43           jmp     short Try.00420418               ; 下边放的是一些函数名与其DLL名,跳过他们

---------------------------------------------------------------------------
004203D5  6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 53 6C 65  kernel32.dll.Sle
004203E5  65 70 00 47 65 74 54 69 63 6B 43 6F 75 6E 74 00  ep.GetTickCount.
004203F5  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00420405  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00420415  00 00 00                                         ...
---------------------------------------------------------------------------
; * forgot: 这一段真无聊

00420418    60              pushad                                   ; 保存寄存器
00420419    83BD CA5C4000 0>cmp     dword ptr ss:[ebp+405CCA], 0     ; Sleep 地址
00420420    75 2C           jnz     short Try.0042044E               ; 非零表示已经取得, 不再执行这一段
00420422    8D85 A25C4000   lea     eax, dword ptr ss:[ebp+405CA2]   ; eax -> "kernel32.dll"
00420428    50              push    eax                              ; push FileName
00420429    FF95 C13D4200   call    dword ptr ss:[ebp+423DC1]        ; 载入动态链接库, LoadLibraryA
0042042F    8DB5 AF5C4000   lea     esi, dword ptr ss:[ebp+405CAF]   ; esi -> "Sleep"
00420435    56              push    esi                              ; ProcNameOrOrdinal = "Sleep"
00420436    50              push    eax                              ; hModule = 77E40000 (kernel32)
00420437    FF95 C53D4200   call    dword ptr ss:[ebp+423DC5]        ; 取Sleep地址, GetProcAddress
0042043D    8985 CA5C4000   mov     dword ptr ss:[ebp+405CCA], eax   ; 存入Sleep地址, 隐式链接
00420443    68 F4010000     push    1F4                              ; 500 ms
00420448    FF95 CA5C4000   call    dword ptr ss:[ebp+405CCA]        ; 调用 Sleep 延时
0042044E    61              popad                                    ; 恢复寄存器

00420498    8985 F5344200   mov     dword ptr ss:[ebp+4234F5], eax   ; 这是啥玩艺?十里香-_-;;

004204A8    BE 5C344200     mov     esi, Try.0042345C                ; esi -> 指向一个OSVERSIONINFO结构
004204B2    03F5            add     esi, ebp

; * D.Boy真奇怪, lea esi, 0042345C[ebp] 不行吗?很多都这么写,请大虾们不吝赐教.

004204E1    C706 94000000   mov     dword ptr ds:[esi], 94h          ; sizeof OSVERSIONINFO

004204EC    56              push    esi
004204ED    FF95 BD3D4200   call    dword ptr ss:[ebp+423DBD]        ; 取系统版本.GetVersionExA

004204F8    837E 10 02      cmp     dword ptr ds:[esi+10], 2         ; Windows 98 系列? 这里有个if...else...endif结构
004204FC    75 13           jnz     short Try.00420511

00420503    C685 F0344200 0>mov     byte ptr ss:[ebp+4234F0], 1      ; 设置 NT 标记

0042050F   /EB 39           jmp     short Try.0042054A

00420511    90              nop
00420516    C685 F0344200 0>mov     byte ptr ss:[ebp+4234F0], 0      ; 清零 NT 标记

0042054A    90              nop
00420559    8D85 CF5C4000   lea     eax, dword ptr ss:[ebp+405CCF]   ; eax -> 上边的一小段Buffer,就是刚才放 Sleep 等的地方

004205A9    80BD F0344200 0>cmp     byte ptr ss:[ebp+4234F0], 1      ; 某个标记
004205B0    0F85 114C0000   jnz     Try.004251C7

004205D2    E8 D40D0000     call    Try.004213AB                     ; 取函数地址
                {
                004213AB    90              nop
                004213D8    60              pushad

                004213DE    BB 04714000     mov     ebx, Try.00407104
                004213E8    03DD            add     ebx, ebp
                ; * forgot : 又来了-_-;;

                00421433    807B 08 00      cmp     byte ptr ds:[ebx+8], 0           ; "ntdll.dll"存在?
                00421464   /0F84 5D030000   je      Try.004217C7                     ; 跳过

                0042149C    8BC3            mov     eax, ebx                         ; eax = ebx
                004214CB    83C0 08         add     eax, 8                           ; eax -> "ntdll.dll"

                004214D3    50              push    eax
                004214D4    FF95 C13D4200   call    dword ptr ss:[ebp+423DC1]        ; kernel32.LoadLibraryA
                ; * 载入"NTDLL.DLL"动态链接库, 我觉得是Bug,应该先GetModuleHandleA才对:),有些默认都映射了.

                00421507    8985 FC704000   mov     dword ptr ss:[ebp+4070FC], eax   ; 写入 NTDLL 基地址

                0042153A    83F8 00         cmp     eax, 0                           ; 获得 NTDLL 模块了?
                0042153D    75 46           jnz     short Try.00421585               ; Good...走人

                00421544    C785 00714000 0>mov     dword ptr ss:[ebp+407100], 0     ; 设置失败标记
                00421553    E9 6F020000     jmp     Try.004217C7

                00421585    90              nop

                004215A1    8B33            mov     esi, dword ptr ds:[ebx]          ; Try.00407150
                004215A8    8B7B 04         mov     edi, dword ptr ds:[ebx+4]        ; Try.0040719F
                004215B0    03F5            add     esi, ebp                         ; 指向 dll函数名表
                004215B7    03FD            add     edi, ebp                         ; 指向函数地址表

                004215EC    803E 00         cmp     byte ptr ds:[esi], 0
                004215EF    75 58           jnz     short Try.00421649               ; 处理完了吗?

                004215F6    83C3 08         add     ebx, 8

                004215FE    803B 00         cmp     byte ptr ds:[ebx], 0             ; NULL?
                00421601    74 1F           je      short Try.00421622

                0042161A    43              inc     ebx
                00421620    EB DC           jmp     short Try.004215FE

                00421622    90              nop

                0042167B    56              push    esi                              ; 函数名
                0042167C    FFB5 FC704000   push    dword ptr ss:[ebp+4070FC]        ; NTDLL
                00421682    FF95 C53D4200   call    dword ptr ss:[ebp+423DC5]        ; kernel32.GetProcAddress

                0042169F    83F8 00         cmp     eax, 0
                004216A2    75 30           jnz     short Try.004216D4

                004216A9    C785 00714000 0>mov     dword ptr ss:[ebp+407100], 0
                004216CA   /E9 F8000000     jmp     Try.004217C7

                00421701    8907            mov     dword ptr ds:[edi], eax          ; 写入地址

                00421730    83C7 04         add     edi, 4                           ; 下一个地址

                0042173D    803E 00         cmp     byte ptr ds:[esi], 0             ; NULL?
                00421740    74 31           je      short Try.00421773

                00421759    46              inc     esi

                00421771    EB CA           jmp     short Try.0042173D

                0042178A    46              inc     esi                              ; 上边到达NULL,这里跳过NULL

                004217B8    E9 18FEFFFF     jmp     Try.004215D5                     ; 循环处理 -> 004215EC

                ; * 所有要处理的函数:
                ---------------------------------------------------------------------------
                00421883  52 74 6C 49 6E 69 74 55 6E 69 63 6F 64 65 53 74  RtlInitUnicodeSt
                00421893  72 69 6E 67 00 5A 77 4F 70 65 6E 53 65 63 74 69  ring.ZwOpenSecti
                004218A3  6F 6E 00 5A 77 55 6E 6D 61 70 56 69 65 77 4F 66  on.ZwUnmapViewOf
                004218B3  53 65 63 74 69 6F 6E 00 5A 77 4D 61 70 56 69 65  Section.ZwMapVie
                004218C3  77 4F 66 53 65 63 74 69 6F 6E 00 00 00 00 00 F8  wOfSection.....
                004218D3  41 F9 77 00 00 00 00 00 00 00 00 00 00 00 00 00  A?.............
                004218E3  00 00 00 52 65 6C 65 61 73 65 4D 75 74 65 78 00  ...ReleaseMutex.
                004218F3  43 72 65 61 74 65 4D 75 74 65 78 41 00 44 65 6C  CreateMutexA.Del
                00421903  65 74 65 46 69 6C 65 41 00 44 65 76 69 63 65 49  eteFileA.DeviceI
                00421913  6F 43 6F 6E 74 72 6F 6C 00 47 65 74 4C 61 73 74  oControl.GetLast
                00421923  45 72 72 6F 72 00 47 65 74 53 79 73 74 65 6D 44  Error.GetSystemD
                00421933  69 72 65 63 74 6F 72 79 41 00 43 72 65 61 74 65  irectoryA.Create
                00421943  46 69 6C 65 41 00 57 72 69 74 65 46 69 6C 65 00  FileA.WriteFile.
                00421953  43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 00 00  CloseHandle.....
                00421963  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                00421973  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                00421983  00 00 00 00 00 00 00 00 53 74 61 72 74 53 65 72  ........StartSer
                00421993  76 69 63 65 41 00 44 65 6C 65 74 65 53 65 72 76  viceA.DeleteServ
                004219A3  69 63 65 00 4F 70 65 6E 53 43 4D 61 6E 61 67 65  ice.OpenSCManage
                004219B3  72 41 00 43 72 65 61 74 65 53 65 72 76 69 63 65  rA.CreateService
                004219C3  41 00 4F 70 65 6E 53 65 72 76 69 63 65 41 00 43  A.OpenServiceA.C
                004219D3  6F 6E 74 72 6F 6C 53 65 72 76 69 63 65 00 43 6C  ontrolService.Cl
                004219E3  6F 73 65 53 65 72 76 69 63 65 48 61 6E 64 6C 65  oseServiceHandle
                004219F3  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                00421A03  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                00421A13  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                00421A23  00                                               .
                ---------------------------------------------------------------------------

                0042167B    56              push    esi
                0042167C    FFB5 FC704000   push    dword ptr ss:[ebp+4070FC]
                00421682    FF95 C53D4200   call    dword ptr ss:[ebp+423DC5]        ; kernel32.GetProcAddress, 最后一个函数

                0042169F    83F8 00         cmp     eax, 0                           ; 失败?
                004216A2    75 30           jnz     short Try.004216D4

                004216A9    C785 00714000 0>mov     dword ptr ss:[ebp+407100], 0     ; 失败标记
                004216CA   /E9 F8000000     jmp     Try.004217C7

                00421701    8907            mov     dword ptr ds:[edi], eax          ; 写入地址
                00421730    83C7 04         add     edi, 4

                0042173D    803E 00         cmp     byte ptr ds:[esi], 0
                00421740    74 31           je      short Try.00421773

                00421759    46              inc     esi

                00421771  ^\EB CA           jmp     short Try.0042173D               ; 循环到遇到NULL

                0042178A    46              inc     esi                              ; 跳过NULL,指向下一个函数

                ; * forgot :一大堆取函数地址,不说了
                004217CC    61              popad                                    ; 终于结束了

                004217E4    8B85 00714000   mov     eax, dword ptr ss:[ebp+407100]   ; 设置返回值
                00421801    C3              ret
                }

004205E1    8D85 2E6C4000   lea     eax, dword ptr ss:[ebp+406C2E]               ; 告诉我们要干坏事了;-), 互斥体名称
---------------------------------------------------------------------------
00421361  4C 6F 61 64 69 6E 67 44 42 50 45 00 00 00 00 00  LoadingDBPE.....
00421371  43 64 73 79 73 00 5C 5C 2E 5C 44 62 70 65 44 65  Cdsys.\\.\DbpeDe
00421381  76 69 63 65 30 00 00 00 00 00 00 00 00 00 00 00  vice0...........
00421391  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004213A1  00 00 00 00 00 00 00 00 00 00                    ..........
---------------------------------------------------------------------------
00420614    50              push    eax
00420615    6A 01           push    1
00420617    6A 00           push    0
00420619    FF95 34724000   call    dword ptr ss:[ebp+407234]        ; 呵呵,创建互斥体,kernel32.CreateMutexA
00420636    83F8 00         cmp     eax, 0
00420666   /0F84 CB490000   je      Try.00425037                     ; 大概装载过了,跳过装载吧

0042069E    8985 2A6C4000   mov     dword ptr ss:[ebp+406C2A], eax   ; 保存互斥体

004206E8    FF95 40724000   call    dword ptr ss:[ebp+407240]        ; ntdll.RtlGetLastWin32Error

00420705    3D B7000000     cmp     eax, 0B7                         ; 忘记是啥了
0042070A    0F85 9B000000   jnz     Try.004207AB

0042073D    FFB5 2A6C4000   push    dword ptr ss:[ebp+406C2A]
00420743    FF95 50724000   call    dword ptr ss:[ebp+407250]        ; 我没到这里,猜想是CloseHandle

0042074E    C785 2A6C4000 0>mov     dword ptr ss:[ebp+406C2A], 0     ; 互斥体清零

00420785    B8 00000000     mov     eax, 0                           ; 返回 FALSE

0042078F   /E9 A3480000     jmp     Try.00425037

004207AB    90              nop
004207B5    83BD 706C4000 0>cmp     dword ptr ss:[ebp+406C70], 0
004207BC    75 5C           jnz     short Try.0042081A

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・17

免费・10

支持

最新回复 (66) 1 2 3 ▶
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 2 楼 [part 2] 004207D5 8D85 E15C4000 lea eax, dword ptr ss:[ebp+405CE1] 004207EB E8 34120000 call Try.00421A24 00421A68 60 pushad 00421A80 B8 92764000 mov eax, Try.00407692 00421A9C 03C5 add eax, ebp ; buffer 00421AA3 8BF0 mov esi, eax 00421AAA 68 C8000000 push MAX_PATH 00421AAF 50 push eax 00421AB0 FF95 44724000 call dword ptr ss:[ebp+407244] ; kernel32.GetSystemDirectoryA 00421ABB 90 nop 00421AC0 8A06 mov al, byte ptr ds:[esi] 00421AC7 46 inc esi 00421ADF 3C 00 cmp al, 0 00421B0E ^\75 AB jnz short Try.00421ABB 00421B15 C646 FF 5C mov byte ptr ds:[esi-1], 5C ; 目录后边加个"\" 00421B1E C706 63646364 mov dword ptr ds:[esi], 64636463 ; cdcd 00421B29 C746 04 2E73797>mov dword ptr ds:[esi+4], 7379732E ; .sys 00421B5D C746 08 0000000>mov dword ptr ds:[esi+8], 0 ; NULL, 铺张浪费,byte就足够了 ; 我这里的文件名 --------------------------------------------------------------------------- 00421DB9 ** 3A 5C 57 :\W 00421DC9 49 4E 44 4F 57 53 5C 53 79 73 74 65 6D 33 32 5C INDOWS\System32\ 00421DD9 63 64 63 64 2E 73 79 73 cdcd.sys --------------------------------------------------------------------------- 00421B92 B8 86764000 mov eax, Try.00407686 00421B9C 03C5 add eax, ebp 00421BCB BB 92764000 mov ebx, Try.00407692 00421BFD 03DD add ebx, ebp 00421C2C 6A 00 push 0 00421C2E 6A 20 push 20 00421C30 6A 04 push 4 00421C32 6A 00 push 0 00421C34 6A 02 push 2 00421C36 68 00000040 push 40000000 00421C3B 53 push ebx 00421C3C FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA ; 参数,清晰一些:) --------------------------------------------------------------- 0012FF60 00421C42 /CALL to CreateFileA from Try.00421C3C 0012FF64 00421DC5 \|FileName = "E:\WINDOWS\System32\cdcd.sys" 0012FF68 40000000 \|Access = GENERIC_WRITE 0012FF6C 00000002 \|ShareMode = FILE_SHARE_WRITE 0012FF70 00000000 \|pSecurity = NULL 0012FF74 00000004 \|Mode = OPEN_ALWAYS 0012FF78 00000020 \|Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL --------------------------------------------------------------- 00421C4C 83F8 FF cmp eax, -1 00421C54 /0F84 32010000 je Try.00421D8C ; 坏事了... 00421C76 8985 8A764000 mov dword ptr ss:[ebp+40768A], eax ; 保存句柄 00421CC0 B9 8C310000 mov ecx, 318C ; 驱动文件长度 00421CCA B8 8E764000 mov eax, Try.0040768E 00421CE6 03C5 add eax, ebp ; WriteFile返回结构,名字忘了 00421CED BB 5A774000 mov ebx, Try.0040775A 00421D09 03DD add ebx, ebp ; 可爱的驱动程序 00421D10 6A 00 push 0 00421D12 50 push eax 00421D13 51 push ecx 00421D14 53 push ebx 00421D15 FFB5 8A764000 push dword ptr ss:[ebp+40768A] ; hWnd 00421D1B FF95 4C724000 call dword ptr ss:[ebp+40724C] ; kernel32.WriteFile ; 写出驱动,如果想把这个东西拷贝出来研究要关闭程序,它独占了文件 0012FF68 00421D21 /CALL to WriteFile* from Try.00421D1B 0012FF6C 00000024 \|hFile = 00000024 0012FF70 00421E8D \|Buffer = Try.00421E8D 0012FF74 0000318C \|nBytesToWrite = 318C (12684.) 0012FF78 00421DC1 \|pBytesWritten = Try.00421DC1 0012FF7C 00000000 \pOverlapped = NULL 00421D3D FFB5 8A764000 push dword ptr ss:[ebp+40768A] 00421D43 FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF78 00421D49 /CALL to CloseHandle from Try.00421D43 0012FF7C 00000024 \hObject = 00000024 00421D76 61 popad 00421D7C B8 01000000 mov eax, TRUE ; 收工 00421D86 C3 ret ; 回家 00421D8C 90 nop 00421D91 61 popad 00421D7C B8 01000000 mov eax, FALSE 00421D86 C3 ret 00420807 83F8 00 cmp eax, FALSE ; 失败? 0042080F /0F84 22480000 je Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex,释放互斥体 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle,关闭互斥体句柄 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 0F85 4C010000 jnz Try.004251BD ; ..............我没走这条线,不跟了 0042085E 8D85 E25C4000 lea eax, dword ptr ss:[ebp+405CE2] 00420874 E8 7F060000 call Try.00420EF8 ----------------------------- 以后不跟那么多线了,受不了 00420F2A 68 3F000F00 push 0F003F 00420F2F 6A 00 push 0 00420F31 6A 00 push 0 00420F33 FF95 CD724000 call dword ptr ss:[ebp+4072CD] ; advapi32.OpenSCManagerA 00420F50 83F8 00 cmp eax, 0 00420F58 /0F84 8F030000 je Try.004212ED 00420F75 8985 3A6C4000 mov dword ptr ss:[ebp+406C3A], eax 00420F85 B8 3E6C4000 mov eax, Try.00406C3E 00420FA1 03C5 add eax, ebp 00420FBA 68 FF010F00 push 0F01FF 00420FBF 50 push eax 00420FC0 FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 00420FC6 FF95 D5724000 call dword ptr ss:[ebp+4072D5] ; advapi32.OpenServiceA 00420FD1 83F8 00 cmp eax, 0 00420FD4 0F85 97000000 jnz Try.00421071 ; Jump 0042109E 83F8 00 cmp eax, 0 004210A6 /0F84 41020000 je Try.004212ED 004210B1 8985 586C4000 mov dword ptr ss:[ebp+406C58], eax 004210C1 6A 00 push 0 004210C3 6A 00 push 0 004210C5 FFB5 586C4000 push dword ptr ss:[ebp+406C58] 004210CB FF95 C5724000 call dword ptr ss:[ebp+4072C5] ; advapi32.StartServiceA ; 启动服务,不好玩^^,我这里服务开启,所以产生了ERROR_SERVICE_ALREADY_RUNNING (00000420) 004210E4 FF95 40724000 call dword ptr ss:[ebp+407240] ; ntdll.RtlGetLastWin32Error 00421101 3D E5030000 cmp eax, 3E5 00421106 /0F84 DD000000 je Try.004211E9 00421123 3D 20040000 cmp eax, 420 00421128 /0F84 B6000000 je Try.004211E4 ; GoGoGo,否则Game Over就不好玩了 0042120A B8 446C4000 mov eax, Try.00406C44 00421226 03C5 add eax, ebp ; Oh God save me!!! --------------------------------------------------------------------------- 00421377 5C 5C 2E 5C 44 62 70 65 44 65 76 69 63 65 30 00 \\.\DbpeDevice0. --------------------------------------------------------------------------- 0042123F 6A 00 push 0 00421241 6A 00 push 0 00421243 6A 03 push 3 00421245 6A 00 push 0 00421247 6A 01 push 1 00421249 68 000000C0 push C0000000 0042124E 50 push eax 0042124F FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA 0012FF7C 0012FFE0 0012FF80 00421255 /CALL to CreateFileA from Try.0042124F 0012FF84 00421377 \|FileName = "\\.\DbpeDevice0" 0012FF88 C0000000 \|Access = GENERIC_READ\|GENERIC_WRITE 0012FF8C 00000001 \|ShareMode = FILE_SHARE_READ 0012FF90 00000000 \|pSecurity = NULL 0012FF94 00000003 \|Mode = OPEN_EXISTING 0012FF98 00000000 \|Attributes = 0 0012FF9C 00000000 \hTemplateFile = NULL ; 调查一下服务:) 0042126C 83F8 FF cmp eax, -1 00421274 /74 77 je short Try.004212ED ; 没启动走人,加载错误 0042127B 8985 546C4000 mov dword ptr ss:[ebp+406C54], eax; save handle 004212AE B8 01000000 mov eax, TRUE 004212B8 8985 706C4000 mov dword ptr ss:[ebp+406C70], eax 004212D5 C3 ret ; 回去了 004208A6 83F8 00 cmp eax, 0 ; over? 004208AE /0F84 83470000 je Try.00425037 ; over 004208C3 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 004208FF B8 5C3A4200 mov eax, Try.00423A5C 00420909 03C5 add eax, ebp ; forgot: 老是这个,我$@%@%@^%@$^ 00420922 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420932 B8 746C4000 mov eax, Try.00406C74 0042093C 03C5 add eax, ebp 0042096B 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 0042097B B8 5C6C4000 mov eax, Try.00406C5C 00420985 03C5 add eax, ebp 0042098C 6A 00 push 0 0042098E 6A 00 push 0 00420990 6A 00 push 0 00420992 6A 00 push 0 00420994 6A 0C push 0C 00420996 50 push eax 00420997 6A 04 push 4 00420999 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 0042099F FF95 3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 004209A5 /CALL to DeviceIoControl from Try.0042099F 0012FF84 0000004C \|hDevice = 0000004C 0012FF88 00000004 \|IoControlCode = 4 0012FF8C 0042138F \|InBuffer = Try.0042138F 0012FF90 0000000C \|InBufferSize = C (12.) 0012FF94 00000000 \|OutBuffer = NULL 0012FF98 00000000 \|OutBufferSize = 0 0012FF9C 00000000 \|pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL 00420A55 B8 00000000 mov eax, 0 00420A5F 81BD 746C4000 8>cmp dword ptr ss:[ebp+406C74], FFFF8888 00420A6E /0F84 C3450000 je Try.00425037 ; 好像是Over 00420AB8 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 00420AF4 B8 5C3A4200 mov eax, Try.00423A5C 00420AFE 03C5 add eax, ebp 00420B17 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420B61 B8 746C4000 mov eax, Try.00406C74 00420B6B 03C5 add eax, ebp 00420B9A 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 00420BBC C785 746C4000 0>mov dword ptr ss:[ebp+406C74], 0 00420BE2 B8 5C6C4000 mov eax, Try.00406C5C 00420BEC 03C5 add eax, ebp 00420BF3 6A 00 push 0 00420BF5 6A 00 push 0 00420BF7 6A 00 push 0 00420BF9 6A 00 push 0 00420BFB 6A 0C push 0C 00420BFD 50 push eax 00420BFE 6A 01 push 1 00420C00 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 00420C06 FF95 3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 00420C0C /CALL to DeviceIoControl from Try.00420C06 0012FF84 0000004C \|hDevice = 0000004C 0012FF88 00000001 \|IoControlCode = 1 0012FF8C 0042138F \|InBuffer = Try.0042138F 0012FF90 0000000C \|InBufferSize = C (12.) 0012FF94 00000000 \|OutBuffer = NULL 0012FF98 00000000 \|OutBufferSize = 0 0012FF9C 00000000 \|pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL ; 中断向量被xxx了,不敢用int3乱动阿!用F4走,或者在Debug里设置用hardware breakpoint进行step,否则**自己想象吧 ; ************************************************************ ; 千万小心 ; ************************************************************ 00420C0C 90 nop ; F4 00420D07 8B85 746C4000 mov eax, dword ptr ss:[ebp+406C74] 00420D3A 83F8 00 cmp eax, 0 00420D42 /0F84 EF420000 je Try.00425037 ; over 00420D7A 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00420D86 C1E8 10 shr eax, 10 00420D8E 66:8985 5634420>mov word ptr ss:[ebp+423456], ax 00420DC7 B8 01000000 mov eax, 1 00420DD1 8985 6C6C4000 mov dword ptr ss:[ebp+406C6C], eax 00420E09 50 push eax 00420E0F B8 92764000 mov eax, Try.00407692 00420E2B 03C5 add eax, ebp ; 对驱动进行惨无人道的毁尸灭迹…… 00420E5A 50 push eax ; Try.00421DC5 00420E5B FF95 38724000 call dword ptr ss:[ebp+407238] ; kernel32.DeleteFileA 0012FF98 00420E61 /CALL to DeleteFileA from Try.00420E5B 0012FF9C 00421DC5 \FileName = "E:\WINDOWS\System32\cdcd.sys" 00420E66 58 pop eax 00420E6C /E9 C6410000 jmp Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex 0012FF98 00425044 /CALL to ReleaseMutex from Try.0042503E 0012FF9C 00000020 \hMutex = 00000020 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF98 00425050 /CALL to CloseHandle** from Try.0042504A 0012FF9C 00000020 \hObject = 00000020 ; 没人性，互斥体也惨遭毒手…… 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 0F85 4C010000 jnz Try.004251BD ; Go 004251C2 /E9 39010000 jmp Try.00425300 ; 花絮：跳过的这段代码还真惹眼：） ---------------------------------------------------------------- 004251CC FA cli 004251D2 BE 4E344200 mov esi, Try.0042344E 004251DC 03F5 add esi, ebp 004251E3 0F010E sidt fword ptr ds:[esi] 004251EB 8B76 02 mov esi, dword ptr ds:[esi+2] 0042520A 66:8B46 18 mov ax, word ptr ds:[esi+18] 00425213 66:8B5E 1E mov bx, word ptr ds:[esi+1E] 00425244 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00425250 66:899D 5634420>mov word ptr ss:[ebp+423456], bx 00425289 B8 5C3A4200 mov eax, Try.00423A5C 00425293 03C5 add eax, ebp 004252AC 66:8946 18 mov word ptr ds:[esi+18], ax 004252B5 C1E8 10 shr eax, 10 004252E5 66:8946 1E mov word ptr ds:[esi+1E], ax ; 好在我不是9x....哈 ---------------------------------------------------------------- 2004-5-1 18:14 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 3 楼 [part 3] ; **************************************************************** ; 当当当~~~~~ 醒醒啦！！！ ; ************************************************************** 0042532D 8D85 D05C4000 lea eax, dword ptr ss:[ebp+405CD0] ; 没弄明白，也许是参数 00425334 B0 94 mov al, 94 ; 后边用来xor的key 00425336 E8 00000000 call Try.0042533B 0042533B 5E pop esi ; 取这条信令地址 0042533C 81C6 A6000000 add esi, 0A6 ; 加上这段解密代码的长度，指向下一部分，进行SMC解密 00425347 B9 68010000 mov ecx, 168h ; 解码长度 00425356 8A26 mov ah, byte ptr ds:[esi] ; 读取一个字节 0042535D 32E0 xor ah, al 00425376 F6D4 not ah 0042538F 8826 mov byte ptr ds:[esi], ah ; 解密后存回去 004253A8 46 inc esi ; 下一个字节 004253AE 49 dec ecx ; 计数器-- 004253B4 83F9 00 cmp ecx, 0 004253B7 ^\75 98 jnz short Try.00425351 ; 循环直到都解密完成 ; 精彩片断！！！！！！！！！！ 004253BE FEC8 dec al ; 换一个key 004253C5 BB 4F434E55 mov ebx, 554E434F ; 不清楚，自己猜吧 0042540E B9 68010000 mov ecx, 168 ; 这一块长度 0042542A 8A240E mov ah, byte ptr ds:[esi+ecx] ; 读取一个字节 00425444 88240E mov byte ptr ds:[esi+ecx], ah ; 再写进去，什么名堂？ 0042545E CC int 3 ; 别乱动，int 3解码 0042545F /E9 E5000000 jmp Try.00425549 ; 按 F4 ，int3的向量处理好解码了，过去看看 ; 跳过的好像是下一次int3的向量,俺可不敢进去胡闹 00425464 \|3D 534E5552 cmp eax, 52554E53 00425469 \|75 24 jnz short Try.0042548F 00425482 FFD3 call ebx 00425489 CF iretd 00425576 B9 68010000 mov ecx, 168 ; TMD,没完没了了 00425592 8A240E mov ah, byte ptr ds:[esi+ecx] 004255AC 88240E mov byte ptr ds:[esi+ecx], ah 004255C6 CC int3 004255C7 E9 E5000000 jmp Try.004256B1 ; F4 004256DE B9 68010000 mov ecx, 168 ; KAO.... 004256FA 8A240E mov ah, byte ptr ds:[esi+ecx] 00425714 88240E mov byte ptr ds:[esi+ecx], ah 0042572E CC int3 0042572F E9 E5000000 jmp Try.00425819 00425846 B9 68010000 mov ecx, 168 ; …… 00425862 8A240E mov ah, byte ptr ds:[esi+ecx] 0042587C 88240E mov byte ptr ds:[esi+ecx], ah 00425896 CC int3 00425897 E9 E5000000 jmp Try.00425981 004259AE B9 68010000 mov ecx, 168 ; my heart will go on 004259CA 8A240E mov ah, byte ptr ds:[esi+ecx] 004259E4 88240E mov byte ptr ds:[esi+ecx], ah 004259FE CC int3 004259FF /E9 E5000000 jmp Try.00425AE9 00425B16 B9 68010000 mov ecx, 168 ; 没完没了 00425B32 8A240E mov ah, byte ptr ds:[esi+ecx] 00425B4C 88240E mov byte ptr ds:[esi+ecx], ah 00425B66 CC int3 00425B67 E9 E5000000 jmp Try.00425C51 00425C7E B9 68010000 mov ecx, 168 ; 不见不散 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF /E9 E5000000 jmp Try.00425DB9 00425C7E B9 68010000 mov ecx, 168 ; 有话好好说 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF E9 E5000000 jmp Try.00425DB9 00425DE6 B9 68010000 mov ecx, 168 ; 声声慢…… 00425E02 8A240E mov ah, byte ptr ds:[esi+ecx] 00425E1C 88240E mov byte ptr ds:[esi+ecx], ah 00425E36 CC int3 00425E37 E9 E5000000 jmp Try.00425F21 00425F4E B9 68010000 mov ecx, 168 00425F6A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425F84 88240E mov byte ptr ds:[esi+ecx], ah 00425F9E CC int3 00425F9F E9 E5000000 jmp Try.00426089 004260B6 B9 68010000 mov ecx, 168 004260D2 8A240E mov ah, byte ptr ds:[esi+ecx] 004260EC 88240E mov byte ptr ds:[esi+ecx], ah 00426106 CC int3 00426107 E9 E5000000 jmp Try.004261F1 0042621E B9 68010000 mov ecx, 168 0042623A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426254 88240E mov byte ptr ds:[esi+ecx], ah 0042626E CC int3 0042626F E9 E5000000 jmp Try.00426359 00426386 B9 68010000 mov ecx, 168 004263A2 8A240E mov ah, byte ptr ds:[esi+ecx] 004263BC 88240E mov byte ptr ds:[esi+ecx], ah 004263D6 CC int3 004263D7 E9 E5000000 jmp Try.004264C1 004264EE B9 68010000 mov ecx, 168 0042650A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426524 88240E mov byte ptr ds:[esi+ecx], ah 0042653E CC int3 0042653F E9 E5000000 jmp Try.00426629 00426656 B9 68010000 mov ecx, 168 00426672 8A240E mov ah, byte ptr ds:[esi+ecx] 0042668C 88240E mov byte ptr ds:[esi+ecx], ah 004266A6 CC int3 004266A7 E9 E5000000 jmp Try.00426791 004267BE B9 68010000 mov ecx, 168 004267DA 8A240E mov ah, byte ptr ds:[esi+ecx] 004267F4 88240E mov byte ptr ds:[esi+ecx], ah 0042680E CC int3 0042680F E9 E5000000 jmp Try.004268F9 00426926 B9 68010000 mov ecx, 168 00426942 8A240E mov ah, byte ptr ds:[esi+ecx] 0042695C 88240E mov byte ptr ds:[esi+ecx], ah 00426976 CC int3 00426977 E9 E5000000 jmp Try.00426A61 00426A8E B9 68010000 mov ecx, 168 00426AAA 8A240E mov ah, byte ptr ds:[esi+ecx] 00426AC4 88240E mov byte ptr ds:[esi+ecx], ah 00426ADE CC int3 00426ADF E9 E5000000 jmp Try.00426BC9 00426BF6 B9 68010000 mov ecx, 168 00426C12 8A240E mov ah, byte ptr ds:[esi+ecx] 00426C2C 88240E mov byte ptr ds:[esi+ecx], ah 00426C46 CC int3 00426C47 E9 E5000000 jmp Try.00426D31 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426EC6 B9 68010000 mov ecx, 168 00426EE2 8A240E mov ah, byte ptr ds:[esi+ecx] 00426EFC 88240E mov byte ptr ds:[esi+ecx], ah 00426F16 CC int3 00426F17 E9 E5000000 jmp Try.00427001 0042702E B9 68010000 mov ecx, 168 0042704A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427064 88240E mov byte ptr ds:[esi+ecx], ah 0042707E CC int3 0042707F E9 E5000000 jmp Try.00427169 00427196 B9 68010000 mov ecx, 168 004271B2 8A240E mov ah, byte ptr ds:[esi+ecx] 004271CC 88240E mov byte ptr ds:[esi+ecx], ah 004271E6 CC int3 004271E7 E9 E5000000 jmp Try.004272D1 004272FE B9 68010000 mov ecx, 168 0042731A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427334 88240E mov byte ptr ds:[esi+ecx], ah 0042734E CC int3 0042734F E9 E5000000 jmp Try.00427439 -============================================================- ; 晕倒了快，拿个处理看看，调剂~~~ 00429D84 3D 534E5552 cmp eax, 52554E53 00429D89 75 24 jnz short Try.00429DAF 00429DA2 FFD3 call ebx 00429DA9 CF iretd 00429DAF 81FB 4F434E55 cmp ebx, 554E434F 00429DB5 0F85 AD000000 jnz Try.00429E68 00429DBB 8A26 mov ah, byte ptr ds:[esi] 00429DC2 32E0 xor ah, al 00429DDB F6D4 not ah 00429DE2 8826 mov byte ptr ds:[esi], ah 00429DE9 46 inc esi 00429DEF 49 dec ecx 00429DF5 83F9 00 cmp ecx, 0 00429DF8 ^ 75 C1 jnz short Try.00429DBB 00429DFF FEC8 dec al 00429E06 8DBD 4E344200 lea edi, dword ptr ss:[ebp+42344E] 00429E11 0F010F sidt fword ptr ds:[edi] 00429E19 8B7F 02 mov edi, dword ptr ds:[edi+2] 00429E1C 8B1C24 mov ebx, dword ptr ss:[esp] 00429E24 803B E9 cmp byte ptr ds:[ebx], 0E9 00429E27 75 05 jnz short Try.00429E2E 00429E29 83C3 05 add ebx, 5 00429E2C EB 03 jmp short Try.00429E31 00429E2E 83C3 02 add ebx, 2 00429E36 66:895F 18 mov word ptr ds:[edi+18], bx 00429E3F C1EB 10 shr ebx, 10 00429E47 66:895F 1E mov word ptr ds:[edi+1E], bx 00429E50 BB 55010000 mov ebx, 155 00429E5A 0F23FB mov dr7, ebx ; Privileged command 00429E62 BB 4F434E55 mov ebx, 554E434F 00429E67 CF iretd 00429E68 CF iretd -============================================================- 0042CB96 B9 68010000 mov ecx, 168 0042CBB2 8A240E mov ah, byte ptr ds:[esi+ecx] 0042CBCC 88240E mov byte ptr ds:[esi+ecx], ah 0042CBE6 CC int3 0042CBE7 E9 E5000000 jmp Try.0042CCD1 0042EFF9 E8 00000000 call Try.0042EFFE 0042EFFE 5D pop ebp 0042EFFF 81ED CB484100 sub ebp, Try.004148CB ; 长征过去……再来取delta 0042F005 58 pop eax 0042F038 80E4 01 and ah, 1 0042F052 32C0 xor al, al 0042F081 66:3185 2DD6410>xor word ptr ss:[ebp+41D62D], ax 0042F0BF 8D85 D15C4000 lea eax, dword ptr ss:[ebp+405CD1] 0042F0FE BE 944B4100 mov esi, Try.00414B94 0042F130 03F5 add esi, ebp 0042F149 B9 B6E80000 mov ecx, 0E8B6 0042F158 03F1 add esi, ecx 0042F187 4E dec esi 0042F1B5 BB 01000000 mov ebx, 1 ; 又解码 0042F1C4 8A06 mov al, byte ptr ds:[esi] 0042F1F3 3246 01 xor al, byte ptr ds:[esi+1] 0042F1FB 32C3 xor al, bl 0042F219 3285 02AC4000 xor al, byte ptr ss:[ebp+40AC02] 0042F251 8806 mov byte ptr ds:[esi], al 0042F258 4E dec esi 0042F25E 43 inc ebx 0042F264 49 dec ecx 0042F26A 83F9 00 cmp ecx, 0 0042F26D ^\0F85 4CFFFFFF jnz Try.0042F1BF 0042F278 66:81BD 944B410>cmp word ptr ss:[ebp+414B94], 9090 0042F2AE - 75 FE jnz short Try.0042F2AE ; 搞怪？ 0042F2C9 8B85 F1344200 mov eax, dword ptr ss:[ebp+4234F1] 0042F2CF 83F8 00 cmp eax, 0 0042F2D2 B9 7DDB0100 mov ecx, 1DB7D 0042F2D7 0F85 E0020000 jnz Try.0042F5BD 0042F2DD E8 00000000 call Try.0042F2E2 0042F2E2 5A pop edx 0042F310 2B95 F4D54100 sub edx, dword ptr ss:[ebp+41D5F4] 0042F31B 81EA E2F20000 sub edx, 0F2E2 0042F326 8995 DCD34100 mov dword ptr ss:[ebp+41D3DC], edx 0042F3B3 8D85 D25C4000 lea eax, dword ptr ss:[ebp+405CD2] 0042F458 B8 87CC4100 mov eax, Try.0041CC87 0042F462 03C5 add eax, ebp ; eax -> IID 0042F469 E8 10890000 call Try.00437D7E ; 取函数地址 00437DAB 60 pushad ---------------------------------------------------------------------- 00437DB1 8BD8 mov ebx, eax ; ************************************************************** ; 大循环开始 00437DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 00437DCB /0F84 1B030000 je Try.004380EC ; over 00437DED 8BC3 mov eax, ebx 00437DF4 83C0 08 add eax, 8 00437DFC 50 push eax 00437DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 00437E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存 hModule 00437E13 83F8 00 cmp eax, 0 ; faint 00437E16 /75 46 jnz short Try.00437E5E ; JUMP 00437E1D C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed.... 00437E54 /E9 93020000 jmp Try.004380EC ; Game Over 00437EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041CCD4 00437EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] 00437ED5 03F5 add esi, ebp ; 修正地址 00437EDC 03FD add edi, ebp 00437EFF 803E 00 cmp byte ptr ds:[esi], 0 ; 表处理完了？ 00437F02 0F85 BE000000 jnz Try.00437FC6 ;没有就处理 -> * 00437F35 83C3 08 add ebx, 8 ; ebx 指向下一个DLL名称 00437F65 803B 00 cmp byte ptr ds:[ebx], 0 00437F68 74 1F je short Try.00437F89 00437F81 43 inc ebx 00437F87 ^\EB DC jmp short Try.00437F65 00437FB6 43 inc ebx ; Try.004373CE 00437FBC ^\E9 FCFDFFFF jmp Try.00437DBD ; 大循环结束 ; **************************************************************** ;: 00437FD0 56 push esi 00437FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 00437FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress,取地址 00437FE2 83F8 00 cmp eax, 0 00437FE5 75 30 jnz short Try.00438017 ; GO 00437FEC C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed again .......... 00438038 8907 mov dword ptr ds:[edi], eax ; 写入函数地址 00438051 83C7 04 add edi, 4 ; 下一个Thunk ; 使 esi 指向下一个函数名 0043805E /803E 00 cmp byte ptr ds:[esi], 0 00438061 \| 74 0D je short Try.00438070 00438068 \| 46 inc esi 0043806E \EB EE jmp short Try.0043805E 0043809D 46 inc esi ; skip NULL 004380CB ^\E9 2AFEFFFF jmp Try.00437EFA 004380F1 61 popad 004380F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] ; 返回标志 00438102 C3 ret ---------------------------------------------------------------------- 0042F473 BB 3AD34100 mov ebx, Try.0041D33A 0042F47D 03DD add ebx, ebp ; 出错信息 0042F484 66:3D 0000 cmp ax, 0 0042F48D /0F84 3D2B0000 je Try.00431FD0 ; 某个错误 0042F4C5 B9 60E50100 mov ecx, 1E560 0042F4E1 83C1 20 add ecx, 20 0042F516 6A 00 push 0 0042F518 51 push ecx 0042F519 6A 00 push 0 0042F51B 6A 04 push 4 0042F51D 6A 00 push 0 0042F51F 6A FF push -1 0042F521 FF95 C3CE4100 call dword ptr ss:[ebp+41CEC3] ; kernel32.CreateFileMappingA 0012FF8C 0042F527 /CALL to CreateFileMappingA from Try.0042F521 0012FF90 FFFFFFFF \|hFile = FFFFFFFF 0012FF94 00000000 \|pSecurity = NULL 0012FF98 00000004 \|Protection = PAGE_READWRITE 0012FF9C 00000000 \|MaximumSizeHigh = 0 0012FFA0 0001E580 \|MaximumSizeLow = 1E580 0012FFA4 00000000 \MapName = NULL 0042F52C 6A 00 push 0 0042F52E 6A 00 push 0 0042F530 6A 00 push 0 0042F532 6A 02 push 2 0042F534 50 push eax 0042F535 FF95 BFCE4100 call dword ptr ss:[ebp+41CEBF] ; kernel32.MapViewOfFile 0012FF90 0042F53B /CALL to MapViewOfFile* from Try.0042F535 0012FF94 00000060 \|hMapObject = 00000060 (window) 0012FF98 00000002 \|AccessMode = FILE_MAP_WRITE 0012FF9C 00000000 \|OffsetHigh = 0 0012FFA0 00000000 \|OffsetLow = 0 0012FFA4 00000000 \MapSize = 0 ; map it... 0042F557 8985 F1344200 mov dword ptr ss:[ebp+4234F1], eax ; 保存 0042F574 B9 60E50100 mov ecx, 1E560 0042F5C2 8BD0 mov edx, eax 0042F5C9 8BF8 mov edi, eax ; 要解一部分loader代码到内存 0042F5D0 BE CD584000 mov esi, Try.004058CD 0042F5DA 03F5 add esi, ebp ; 未还原数据 0042F5F3 F3:A4 rep movsb 0042F5FF 8D85 D35C4000 lea eax, dword ptr ss:[ebp+405CD3] 0042F615 B8 804F4100 mov eax, Try.00414F80 0042F61F 2D CD584000 sub eax, Try.004058CD 0042F629 03C2 add eax, edx 0042F642 8B9D F5344200 mov ebx, dword ptr ss:[ebp+4234F5] 0042F64D 50 push eax 0042F67B C3 ret ; funy jump... 0042F67B C3 ret ; 二步瞬移~~~ ==> 003AF6B3 本代码的着色效果由xTiNt自动完成下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar 2004-5-1 18:15 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼 [part 4] 003AF6B3 90 nop 003AF6B8 8BC5 mov eax, ebp 003AF6BA E8 00000000 call 003AF6BF 003AF6BF 5D pop ebp 003AF6C0 81ED 8C4F4100 sub ebp, 414F8C 003AF6DD 50 push eax 003AF70B 53 push ebx 003AF711 B8 534E5552 mov eax, 52554E53 003AF743 8D9D 71504100 lea ebx, dword ptr ss:[ebp+415071] ; 通过int3调用地址 003AF760 CC int3 ; 改中断 003AF766 5B pop ebx 003AF794 58 pop eax 003AF79A /E9 DF000000 jmp 003AF87E ; 走人 ----------------------------------------------------- ; 9x的处理 003AF7A9 8DB5 4E344200 lea esi, dword ptr ss:[ebp+42344E] 003AF7B4 0F010E sidt fword ptr ds:[esi] 003AF7E4 8B76 02 mov esi, dword ptr ds:[esi+2] 003AF803 8D85 5C3A4200 lea eax, dword ptr ss:[ebp+423A5C] 003AF836 66:8946 18 mov word ptr ds:[esi+18], ax 003AF83F C1E8 10 shr eax, 10 003AF847 66:8946 1E mov word ptr ds:[esi+1E], ax 003AF850 C3 retn ----------------------------------------------------- 003AF8DD 8985 3FD64100 mov dword ptr ss:[ebp+41D63F], eax 003AF8E8 C785 43D64100 C>mov dword ptr ss:[ebp+41D643], 4058CD 003AF8F7 0185 43D64100 add dword ptr ss:[ebp+41D643], eax ; 修正base 003AF92A 899D F5344200 mov dword ptr ss:[ebp+4234F5], ebx 003AF951 BF CD584000 mov edi, 4058CD 003AF95B 03F8 add edi, eax ; 还是修正base 003AF962 B9 7DDB0100 mov ecx, 1DB7D ; 长度 003AF96C 32C0 xor al, al 003AF973 F3:AA rep stosb ; 擦除外壳区段里的东西(我们在内存里!) 003AF991 8D85 D45C4000 lea eax, dword ptr ss:[ebp+405CD4] 003AF9F6 60 pushad ; 看到这个肯定要干坏事 003AFA0E B8 534E5552 mov eax, 52554E53 003AFA18 BB C0534100 mov ebx, 4153C0 003AFA22 03DD add ebx, ebp 003AFA29 CC int3 ; F4到这里 ; 我这里 int3的处理是：3be18f --------------------------------------------------- 003BE194 3D 534E5552 cmp eax, 52554E53 003BE199 75 74 jnz short 003BE20F 003BE1B2 FFD3 call ebx 003BE1E1 CF iretd --------------------------------------------------- ; 可见是通过int3执行ebx, ebx似乎是通过向量反跟踪 003AFA2F 66:3D 0000 cmp ax, 0 ; 再F4到这里 003AFA38 61 popad 003AFA55 9C pushfd ; 害怕 ZF 出事, 看来一定有鬼：） 003AFA5B BB 8AD34100 mov ebx, 41D38A 003AFA77 03DD add ebx, ebp 003AFA7E 9D popfd 003AFE1F 83BD 47D64100 0>cmp dword ptr ss:[ebp+41D647], 0 003AFE26 0F84 CA000000 je 003AFEF6 003AFF12 83BD 041E4200 0>cmp dword ptr ss:[ebp+421E04], 1 003AFF19 0F84 9D000000 je 003AFFBC 003AFFEE 8D85 D55C4000 lea eax, dword ptr ss:[ebp+405CD5] 003B0031 83BD 001E4200 0>cmp dword ptr ss:[ebp+421E00], 1 003B0038 0F85 9F000000 jnz 003B00DD 003B0043 8DB5 5C344200 lea esi, dword ptr ss:[ebp+42345C] ; 开始用GetVersionExA获得的版本 003B004E 837E 10 02 cmp dword ptr ds:[esi+10], 2 003B0052 /75 31 jnz short 003B0085 ; 不是9x? 003B0059 837E 04 04 cmp dword ptr ds:[esi+4], 4 003B005D 77 0F ja short 003B006E ; 不是未知？那就是NT 003B00B2 89AD 8A204200 mov dword ptr ss:[ebp+42208A], ebp 003B00BD 8D9D 88204200 lea ebx, dword ptr ss:[ebp+422088] ; 怕~~~~ --------------------------------------------------------------------------- 003B7ABD 20 20 20 45 72 72 6F 72 20 28 33 29 3A 20 44 65 Error (3): De 003B7ACD 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7ADD 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AED 72 6F 72 20 28 34 29 3A 20 46 69 6C 65 20 43 52 ror (4): File CR 003B7AFD 43 20 45 72 72 6F 72 2C 20 20 20 41 62 6F 72 74 C Error, Abort 003B7B0D 21 00 !. --------------------------------------------------------------------------- ; 反跟踪定时器,不好玩,干掉他===>how?看下边 003B00C8 53 push ebx 003B00C9 68 F4010000 push 1F4 003B00CE 6A 00 push 0 003B00D0 6A 00 push 0 003B00D2 FF95 68CF4100 call dword ptr ss:[ebp+41CF68] ; user32.SetTimer ---> F7进入 77D19160 > B8 1E120000 mov eax, 121E ; 修改为retn 10了事 77D19165 BA 0003FE7F mov edx, 7FFE0300 77D1916A FFD2 call edx 77D1916C C2 1000 retn 10 0012FF94 003B00D8 /CALL to SetTimer from 003B00D2 0012FF98 00000000 \|hWnd = NULL 0012FF9C 00000000 \|TimerID = 0 0012FFA0 000001F4 \|Timeout = 500. ms 0012FFA4 003BC7BB \Timerproc = 003BC7BB ;干坏事,发生mov eax, [eax](eax==0)异常有兴趣可以研究一下 ; 恢复刚才的 SetTimer 代码...小心至上 003B0142 8D85 D65C4000 lea eax, dword ptr ss:[ebp+405CD6] ; 无聊 ; ============================================================================== ; A n t i - D u m p i n g ; ; 我只知道是Anti-Dumping,原理大概是修改ImageSize,有兴趣自己研究吧. ; ============================================================================== 003B016A 64:67:A1 3000 mov eax, dword ptr fs:[30] 003B0174 85C0 test eax, eax 003B01A3 78 78 js short 003B021D ; else...根据系统不同决定 003B01C1 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01DB 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01F5 C740 20 0010000 mov dword ptr ds:[eax+20], 1000 003B0201 E9 9E000000 jmp 003B02A4 ; anti_dump_over 003B022C 6A 00 push 0 003B022E FF95 F7CE4100 call dword ptr ss:[ebp+41CEF7] ; GetModuleHandleA 003B023E 85D2 test edx, edx 003B0245 79 5D jns short 003B02A4 ; anti_dump_over 003B024C 837A 08 FF cmp dword ptr ds:[edx+8], -1 003B0267 75 3B jnz short 003B02A4 ; anti_dump_over 003B026E 8B52 04 mov edx, dword ptr ds:[edx+4] 003B028D C742 50 0010000>mov dword ptr ds:[edx+50], 1000 003B0299 66:C742 06 1010 mov word ptr ds:[edx+6], 1010 ; 没见过:P,NumberOfSections? ; ============================================================================== 003B02DB 8D85 D75C4000 lea eax, dword ptr ss:[ebp+405CD7]; 错误消息 ; ============================================================================== ; M e l t I C E ; ; 地球人都知道 ; ============================================================================== 003B0303 BE 26CC4100 mov esi, 41CC26 003B031F 03F5 add esi, ebp ; esi -> 指向 MeltICE 驱动表 ; 不幸儿童: --------------------------------------------------------------------------- 003B7359 5C 5C 2E 5C 62 77 32 6B 00 5C 5C 2E 5C 53 55 50 \\.\bw2k.\\.\SUP 003B7369 45 52 42 50 4D 00 5C 5C 2E 5C 49 43 45 44 55 4D ERBPM.\\.\ICEDUM 003B7379 50 00 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E P.\\.\REGVXD.\\. 003B7389 5C 4E 54 49 43 45 00 5C 5C 2E 5C 53 49 57 56 49 \NTICE.\\.\SIWVI 003B7399 44 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 46 D.\\.\SICE.\\.\F 003B73A9 49 4C 45 56 58 44 00 ILEVXD. --------------------------------------------------------------------------- 003B037C FFB5 DBCE4100 push dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B0382 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] ; kernel32.CreateFileA ; 无聊的倒腾~~~ 003B03CC 6A 00 push 0 003B03CE 6A 00 push 0 003B03D0 6A 00 push 0 003B03D2 6A 00 push 0 003B03D4 6A 00 push 0 003B03D6 6A 00 push 0 003B03D8 56 push esi 003B03D9 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF88 003B03DF /CALL to CreateFileA from 003B03D9 0012FF8C 003B7359 \|FileName = "\\.\theif" ; -_-;; 0012FF90 00000000 \|Access = 0 0012FF94 00000000 \|ShareMode = 0 0012FF98 00000000 \|pSecurity = NULL 0012FF9C 00000000 \|Mode = 0 0012FFA0 00000000 \|Attributes = 0 0012FFA4 00000000 \hTemplateFile = NULL 003B03E9 83F8 FF cmp eax, -1 003B03F1 /0F85 8E000000 jnz 003B0485 ; 事情不好办啦^_^ ; 循环使esi指向下一个名称 003B041D / 46 inc esi 003B0423 \| 803E 00 cmp byte ptr ds:[esi], 0 003B042B \ 75 EB jnz short 003B0418 ; ===> 003B041D 003B0432 46 inc esi ; Skip NULL char 003B044A 803E 00 cmp byte ptr ds:[esi], 0 ; 表示用完了吗? 003B047A ^\0F85 E5FEFFFF jnz 003B0365 ; 没完?接着来…… ; ============================================================================== 003B04DF 8D9D 5FD34100 lea ebx, dword ptr ss:[ebp+41D35F] ; 我又怕了 --------------------------------------------------------------------------- 003B7A92 20 20 20 45 72 72 6F 72 20 28 32 29 3A 20 44 65 Error (2): De 003B7AA2 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7AB2 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AC2 72 6F 72 20 28 33 29 3A 20 44 65 62 75 67 67 65 ror (3): Debugge 003B7AD2 72 20 64 65 74 65 63 74 69 6F 6E 20 2C 20 41 62 r detection , Ab 003B7AE2 6F 72 74 21 20 00 ort! . --------------------------------------------------------------------------- 003B04FC 83F8 FF cmp eax, -1 003B0504 /0F85 C61A0000 jnz 003B1FD0 ; 送你去取经 ; ============================================================================== ; Ch e c k s u m - C h e c k i n g ; ; 外星人也都知道,但是算法叫什么我不清楚(脸红) ; ============================================================================== 003B055D 8B85 18D64100 mov eax, dword ptr ss:[ebp+41D618] ; 我想是CRC protection flag 003B0568 83F8 00 cmp eax, 0 003B056B /74 51 je short 003B05BE ; 我这里JUMP 003B05F5 8BBD FCD54100 mov edi, dword ptr ss:[ebp+41D5FC] ; 好像是资源段 003B0628 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase 003B0633 8B8D 00D64100 mov ecx, dword ptr ss:[ebp+41D600] ; size 003B063E 83F9 00 cmp ecx, 0 003B0641 0F84 C5000000 je 003B070C ; Nothing? 003B064C 33C0 xor eax, eax 003B0665 33DB xor ebx, ebx 003B066C 33D2 xor edx, edx 003B068A /8A1F mov bl, byte ptr ds:[edi] ; get a byte 003B0691 \| 32D9 xor bl, cl 003B0698 \| 03C3 add eax, ebx 003B069F \| 47 inc edi 003B06A5 \| 49 dec ecx 003B06BD \| 83F9 00 cmp ecx, 0 003B06C0 ^\75 C3 jnz short 003B0685 ; 计算校验和 003B06C7 8D9D B5D34100 lea ebx, dword ptr ss:[ebp+41D3B5] --------------------------------------------------------------------------- 003B7AE8 20 20 20 45 72 72 6F 72 20 28 34 29 3A 20 46 69 Error (4): Fi 003B7AF8 6C 65 20 43 52 43 20 45 72 72 6F 72 2C 20 20 20 le CRC Error, 003B7B08 41 62 6F 72 74 21 00 Abort!. --------------------------------------------------------------------------- 003B06E4 3985 04D64100 cmp dword ptr ss:[ebp+41D604], eax ; 比较校验和 003B06EF /0F85 DB180000 jnz 003B1FD0 ; 你敢跳？ ; ============================================================================== 本代码的着色效果由xTiNt自动完成下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar 2004-5-1 18:16 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 5 楼 [part 5] 003B073A E8 4A2A0000 call 003B3189 ; 进去观光 003B31A5 B8 01000000 mov eax, 1 003B31D7 83BD 9ED24100 0>cmp dword ptr ss:[ebp+41D29E], 0 003B31E3 /0F84 C6120000 je 003B44AF ; 不需要注册？跳吧========〉下边在极度困倦下走了弯路 003B31F3 8D85 DD5C4000 lea eax, dword ptr ss:[ebp+405CDD]; ?? 003B3209 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 0 003B3210 /75 54 jnz short 003B3266; 不知道是啥,我这里没跳 003B3217 E8 A51D0000 call 003B4FC1; ? 003B3249 3C 01 cmp al, 1 003B324B 74 14 je short 003B3261 003B3270 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 2 003B3277 75 66 jnz short 003B32DF 003B32FB 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 1 003B3302 75 37 jnz short 003B333B 003B3345 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 3 003B334C 75 26 jnz short 003B3374 003B33A6 E8 17270000 call 003B5AC2 003B5B06 60 pushad 003B5B0C C785 EAD24100 0>mov dword ptr ss:[ebp+41D2EA], 0 003B5B32 BB CCD24100 mov ebx, 41D2CC 003B5B3C 03DD add ebx, ebp ; buffer 003B5B43 B9 AAD24100 mov ecx, 41D2AA 003B5B4D 03CD add ecx, ebp ; subkey ; 猜想是读注册标记 003B5B54 53 push ebx 003B5B55 68 1F000200 push 2001F 003B5B5A 6A 00 push 0 003B5B5C 51 push ecx 003B5B5D 68 00000080 push 80000000 003B5B62 FF95 D2CF4100 call dword ptr ss:[ebp+41CFD2] ; advapi32.RegOpenKeyExA 0012FF68 003B5B68 /CALL to RegOpenKeyExA from 003B5B62 0012FF6C 80000000 \|hKey = HKEY_CLASSES_ROOT 0012FF70 003B79DD \|Subkey = "wrifile\shell\open\command\config" 0012FF74 00000000 \|Reserved = 0 0012FF78 0002001F \|Access = KEY_QUERY_VALUE\|KEY_SET_VALUE\|KEY_CREATE_SUB_KEY\|KEY_ENUMERATE_SUB_KEYS\|KEY_NOTIFY\|20000 0012FF7C 003B79FF \pHandle = 003B79FF 003B5B9A 83F8 00 cmp eax, 0 003B5B9D 0F84 2A010000 je 003B5CCD ; JUMP 003B5D09 BE A6D24100 mov esi, 41D2A6 003B5D13 03F5 add esi, ebp 003B5D1A BF A2D24100 mov edi, 41D2A2 003B5D24 03FD add edi, ebp 003B5D30 B8 FECF4100 mov eax, 41CFFE 003B5D3A 03C5 add eax, ebp 003B5D53 BB DCD24100 mov ebx, 41D2DC 003B5D85 03DD add ebx, ebp ; 用这么多regs，气势逼人~~~ 003B5D8C 8B8D CCD24100 mov ecx, dword ptr ss:[ebp+41D2CC] ; Reg的句柄 003B5D97 56 push esi 003B5D98 50 push eax 003B5D99 57 push edi 003B5D9A 6A 00 push 0 003B5D9C 53 push ebx ; 好奇怪的名字，大概是自动计算的 003B5D9D 51 push ecx 003B5D9E FF95 DECF4100 call dword ptr ss:[ebp+41CFDE] ; advapi32.RegQueryValueExA 0012FF64 003B5DA4 /CALL to RegQueryValueExA from 003B5D9E 0012FF68 0000006A \|hKey = 6A 0012FF6C 003B7A0F \|ValueName = ""9B,"",80,"",8B,"",80,"?,80,"?,80,"",84,"",81,"" 0012FF70 00000000 \|Reserved = NULL 0012FF74 003B79D5 \|pValueType = 003B79D5 0012FF78 003B7731 \|Buffer = 003B7731 0012FF7C 003B79D9 \pBufSize = 003B79D9 ; * 如果做的DBPE Cleaner，大概就是清理HKEY_CLASSES_ROOT\wrifile\shell\open\command\config\所有子项目 003B5DC0 66:3D 0000 cmp ax, 0 003B5DC9 /0F85 EE020000 jnz 003B60BD ; 做注册部分 003B60C2 8B85 CCD24100 mov eax, dword ptr ss:[ebp+41D2CC] 003B60CD 50 push eax 003B60CE FF95 DACF4100 call dword ptr ss:[ebp+41CFDA] ; advapi32.RegCloseKey 003B6106 61 popad 003B611E 8B85 EAD24100 mov eax, dword ptr ss:[ebp+41D2EA] 003B6129 C3 ret 003B33CC 8B85 7CD24100 mov eax, dword ptr ss:[ebp+41D27C] 003B33FF BB 8CD24100 mov ebx, 41D28C 003B341B 03DD add ebx, ebp 003B3422 B9 27354200 mov ecx, 423527 003B343E 03CD add ecx, ebp 003B3445 50 push eax 003B3446 53 push ebx 003B3447 51 push ecx 003B3448 FF95 64CF4100 call dword ptr ss:[ebp+41CF64] ; user32.wsprintfA 0012FF64 0000006A 0012FF94 003B344E /CALL to wsprintfA from 003B3448 0012FF98 003BDC5A \|s = 003BDC5A 0012FF9C 003B79BF \|Format = "%08lX" 0012FFA0 06781F8B \<%08lX> = 6781F8B 003B3453 83C4 0C add esp, 0C ; 平衡堆栈 ; ecx -> ------------------------------------------------------------------- 003BDC5D 38 31 46 38 42 00 00 00 81F8B... ------------------------------------------------------------------- 003B3488 BE 0AD04100 mov esi, 41D00A 003B34A4 03F5 add esi, ebp --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ --------------------------------------------------------------------------- 003B34BD BF 2CFA4100 mov edi, 41FA2C 003B34EF 03FD add edi, ebp 003B34F6 B9 16000000 mov ecx, 16 003B3500 F3:A4 rep movsb ; 传送...不明飞行物 003B3534 BE 27354200 mov esi, 423527 003B353E 03F5 add esi, ebp 003B3545 BF 42FA4100 mov edi, 41FA42 003B354F 03FD add edi, ebp 003B3556 B9 0A000000 mov ecx, 0A 003B3588 F3:A4 rep movsb 003B3599 E8 A1140000 call 003B4A3F ; 传送某种非0的数据 003B4A5B 8DB5 78D04100 lea esi, dword ptr ss:[ebp+41D078] 003B4A8E 8DBD 0AD04100 lea edi, dword ptr ss:[ebp+41D00A] 003B4AD8 8A07 mov al, byte ptr ds:[edi] 003B4AF1 8806 mov byte ptr ds:[esi], al 003B4AF8 47 inc edi 003B4AFE 46 inc esi 003B4B2C 3C 00 cmp al, 0 003B4B2E ^\0F85 77FFFFFF jnz 003B4AAB 003B4B8E 4E dec esi 003B4B94 8DBD 27354200 lea edi, dword ptr ss:[ebp+423527] --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ --------------------------------------------------------------------------- 003B4BDE 8A07 mov al, byte ptr ds:[edi] 003B4BF7 8806 mov byte ptr ds:[esi], al 003B4BFE 47 inc edi 003B4C16 46 inc esi 003B4C2E 3C 00 cmp al, 0 003B4C30 ^\0F85 7BFFFFFF jnz 003B4BB1 003B4C3B 8806 mov byte ptr ds:[esi], al 003B4C6F 8D9D 02D34100 lea ebx, dword ptr ss:[ebp+41D302] 003B4C7A 8D85 78D04100 lea eax, dword ptr ss:[ebp+41D078] 003B4C85 8BF5 mov esi, ebp 003B4CB4 60 pushad 003B4CBA 53 push ebx 003B4CBB 50 push eax 003B4CBC E8 0C810000 call 003BCDCD ; 奇怪的算法解码出奇怪的信息 003B4CC6 61 popad ; 这里的代码把一堆东西拷来拷去，我没耐心也没兴致看算法，不做解说了。 003B4CF9 8DB5 02D34100 lea esi, dword ptr ss:[ebp+41D302] 003B4D04 8B06 mov eax, dword ptr ds:[esi] 003B4D0B 3385 9ED24100 xor eax, dword ptr ss:[ebp+41D29E] 003B4D16 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4D4E 8B46 04 mov eax, dword ptr ds:[esi+4] 003B4D56 3385 9AD24100 xor eax, dword ptr ss:[ebp+41D29A] 003B4D61 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4D71 8DBD 20D04100 lea edi, dword ptr ss:[ebp+41D020] 003B4D7C 8DB5 F6D24100 lea esi, dword ptr ss:[ebp+41D2F6] 003B4DDC 8B07 mov eax, dword ptr ds:[edi] 003B4DE3 8906 mov dword ptr ds:[esi], eax 003B4DEA 8B47 04 mov eax, dword ptr ds:[edi+4] 003B4DF2 8946 04 mov dword ptr ds:[esi+4], eax 003B4E0C E8 1B1A0000 call 003B682C ; 从代码给我的印象来看，像是检查非法字符 003B4E28 3B85 EED24100 cmp eax, dword ptr ss:[ebp+41D2EE] 003B4E45 /0F85 D7000000 jnz 003B4F22 003B4F39 B8 00000000 mov eax, 0 003B4F43 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4F76 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4F93 C3 ret 003B35CB 83F8 01 cmp eax, 1 003B35D3 /0F84 D60E0000 je 003B44AF 003B3622 8D85 DE5C4000 lea eax, dword ptr ss:[ebp+405CDE] 003B3660 E8 AF330000 call 003B6A14 003B6A58 60 pushad 003B6A5E 8D85 8FC74100 lea eax, dword ptr ss:[ebp+41C78F] 003B6A69 6A 00 push 0 003B6A6B 6A 20 push 20 003B6A6D 6A 03 push 3 003B6A6F 6A 00 push 0 003B6A71 6A 00 push 0 003B6A73 68 00000080 push 80000000 003B6A78 50 push eax 003B6A79 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF60 003B6A7F /CALL to CreateFileA from 003B6A79 0012FF64 003B6EC2 \|FileName = "regdial.dat" 0012FF68 80000000 \|Access = GENERIC_READ 0012FF6C 00000000 \|ShareMode = 0 0012FF70 00000000 \|pSecurity = NULL 0012FF74 00000003 \|Mode = OPEN_EXISTING 0012FF78 00000020 \|Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL ; 搞注册界面库，我们到沙罗双树园啦;-) 003B6A84 83F8 FF cmp eax, -1 003B6A87 /74 2D je short 003B6AB6 ; 读取失败？我们给他行行好，翻转ZF不跳 003B6AA0 50 push eax 003B6AA1 FF95 E3CE4100 call dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B6AAC /E9 14030000 jmp 003B6DC5 003B6DDC 61 popad 003B6DE2 B8 01000000 mov eax, 1 003B6DFE C3 ret 003B36A9 8D85 DF5C4000 lea eax, dword ptr ss:[ebp+405CDF] ; 无聊！！！ 003B36E7 B8 87C74100 mov eax, 41C787 003B3703 03C5 add eax, ebp 003B370A E8 6F460000 call 003B7D7E ; 用来得到2个注册功能的窗口函数ShowTryWindow & GetRegister 003B7DAB 60 pushad 003B7DB1 8BD8 mov ebx, eax 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; nj 003B7DED 8BC3 mov eax, ebx 003B7DF4 83C0 08 add eax, 8 003B7DFC 50 push eax 003B7DFC 50 push eax 003B7DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 0012FF78 003B7E03 /CALL to LoadLibraryA from 003B7DFD 0012FF7C 003B6EC2 \FileName = "regdial.dat" ; 考，居然是lib 003B7E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax 003B7E13 83F8 00 cmp eax, 0 003B7E16 /75 46 jnz short 003B7E5E ; 翻转ZF 003B7EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041C863 003B7EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] ; Try.0041C881 003B7ED5 03F5 add esi, ebp 003B7EDC 03FD add edi, ebp ; 看名字也知道是要干啥 --------------------------------------------------------------------------- 003B6F96 53 68 6F 77 54 72 79 57 69 6E 64 6F 77 00 47 65 ShowTryWindow.Ge 003B6FA6 74 52 65 67 69 73 74 65 72 00 00 00 00 00 00 00 tRegister....... --------------------------------------------------------------------------- 003B7EFF 803E 00 cmp byte ptr ds:[esi], 0 003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了？为了好看，完成后代码下放 003B7FD0 56 push esi 003B7FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B7FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 0012FF74 003B7FDD /CALL to GetProcAddress from 003B7FD7 0012FF78 00000000 \|hModule = NULL ; 我从中作梗 0012FF7C 003B6F96 \ProcNameOrOrdinal = "ShowTryWindow" 003B7FE2 83F8 00 cmp eax, 0 003B7FE5 /75 30 jnz short 003B8017 ; 翻转ZF,j 003B8038 8907 mov dword ptr ds:[edi], eax 003B8051 83C7 04 add edi, 4 ; 指向GetRegister 003B805E 803E 00 cmp byte ptr ds:[esi], 0 003B8061 /74 0D je short 003B8070 003B8068 46 inc esi 003B806E ^\EB EE jmp short 003B805E 003B809D 46 inc esi 003B80CB ^\E9 2AFEFFFF jmp 003B7EFA -------------------------------------------------------------------------- ; 完成以后的代码，接003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了？为了好看，完成后代码下放 003B7F35 83C3 08 add ebx, 8 ; 移动指针 003B7F65 803B 00 cmp byte ptr ds:[ebx], 0 003B7F68 /74 1F je short 003B7F89 003B7F81 43 inc ebx 003B7F87 ^\EB DC jmp short 003B7F65 003B7FB6 43 inc ebx 003B7FBC ^\E9 FCFDFFFF jmp 003B7DBD; 回去〉〉〉 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; 结束,j 003B80F1 61 popad 003B80F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] 003B8102 C3 ret 003B373C B8 FFFFFFFF mov eax, -1 003B3746 83BD 81C84100 0>cmp dword ptr ss:[ebp+41C881], 0 003B3752 /0F84 570D0000 je 003B44AF; nj 003B376F 83BD 85C84100 0>cmp dword ptr ss:[ebp+41C885], 0 003B37A3 /0F84 060D0000 je 003B44AF; 还是nj 003B37D7 E8 060D0000 call 003B44E2 003B44E7 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B44F2 68 C8000000 push 0C8 003B44F7 50 push eax ; buffer 003B44F8 FF95 BBCE4100 call dword ptr ss:[ebp+41CEBB] ; kernel32.GetWindowsDirectoryA 0012FF94 003B44FE /CALL to GetWindowsDirectoryA from 003B44F8 0012FF98 003B47F4 \|Buffer = 003B47F4 0012FF9C 000000C8 \BufSize = C8 (200.) 003B4503 33C0 xor eax, eax 003B451C B9 C8000000 mov ecx, 0C8 003B4526 8DBD C1A04100 lea edi, dword ptr ss:[ebp+41A0C1] 003B4531 F2:AE repne scas byte ptr es:[edi] ; 复制目录 003B4538 C647 FF 5C mov byte ptr ds:[edi-1], 5C ; \ 003B4541 C707 75736572 mov dword ptr ds:[edi], 72657375 ; user 003B455E C747 04 2E64617>mov dword ptr ds:[edi+4], 7461642E ; .dat 003B4592 C647 08 00 mov byte ptr ds:[edi+8], 0 003B45C4 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B45CF 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B45DA 53 push ebx 003B45DB 50 push eax 003B45DC FF95 B7CE4100 call dword ptr ss:[ebp+41CEB7] ; kernel32.FindFirstFileA 003B45F9 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B462C 8D43 14 lea eax, dword ptr ds:[ebx+14] 003B4646 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] 003B4679 53 push ebx 003B467A 50 push eax 003B467B FF95 B3CE4100 call dword ptr ss:[ebp+41CEB3] ; kernel32.FileTimeToSystemTime 0012FF94 003B4681 /CALL to FileTimeToSystemTime** from 003B467B 0012FF98 003B4908 \|pFileTime = 003B4908 0012FF9C 003B4A2F \pSystemTime = 003B4A2F 003B469D 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] ; 计算一个sum 003B46A8 33C0 xor eax, eax 003B46AF 33D2 xor edx, edx 003B46CD 66:8B03 mov ax, word ptr ds:[ebx] 003B46E7 B9 6D010000 mov ecx, 16D 003B46F1 F7E1 mul ecx 003B470A 8985 80D24100 mov dword ptr ss:[ebp+41D280], eax 003B4742 33C0 xor eax, eax 003B475B 66:8B43 02 mov ax, word ptr ds:[ebx+2] 003B4764 B9 1E000000 mov ecx, 1E 003B476E F7E1 mul ecx 003B4775 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47AD 66:8B43 06 mov ax, word ptr ds:[ebx+6] 003B47B6 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47EE C3 ret ; 班师回朝 003B380E C785 88D24100 0>mov dword ptr ss:[ebp+41D288], 0 003B381D C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 0 003B3836 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 1 003B383D /0F85 10010000 jnz 003B3953 ; nj 003B3848 FFB5 FECF4100 push dword ptr ss:[ebp+41CFFE] 003B384E 8F85 42344200 pop dword ptr ss:[ebp+423442] 003B3859 FFB5 E41D4200 push dword ptr ss:[ebp+421DE4] 003B385F 8F85 46344200 pop dword ptr ss:[ebp+423446] 003B387C 8B9D E41D4200 mov ebx, dword ptr ss:[ebp+421DE4] 003B3899 399D FECF4100 cmp dword ptr ss:[ebp+41CFFE], ebx 003B389F /0F83 95000000 jnb 003B393A ; j 003B393F C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 1 003B3974 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 2 003B397B /0F85 E0000000 jnz 003B3A61 ; j 003B3A98 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 3 003B3A9F 0F85 C3000000 jnz 003B3B68 003B3B9F 33C0 xor eax, eax 003B3BA6 83BD 88D24100 0>cmp dword ptr ss:[ebp+41D288], 1 003B3BAD 74 0D je short 003B3BBC 003B3BAF 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3BB6 0F85 F5000000 jnz 003B3CB1 003B3BD3 8D85 081E4200 lea eax, dword ptr ss:[ebp+421E08] ; caption 003B3BDE 8D9D 261E4200 lea ebx, dword ptr ss:[ebp+421E26] ; http... 003B3BE9 8D8D 441E4200 lea ecx, dword ptr ss:[ebp+421E44] ; message ; 此时发现这两个牛插手了…… ---------------------------------------------------------------------------- 003BC777 20 45 6E 63 72 79 70 74 Encrypt 003BC787 65 64 20 62 79 20 7A 65 72 30 21 00 00 00 00 00 ed by zer0!..... 003BC797 00 00 00 00 00 00 63 6F 64 65 5F 69 6E 6A 65 63 ......code_injec 003BC7A7 74 00 00 00 00 00 00 00 00 t........ ---------------------------------------------------------------------------- 003B3C1C 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3C27 FFB5 81C84100 push dword ptr ss:[ebp+41C881] 003B3C2D 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3C38 51 push ecx 003B3C39 53 push ebx 003B3C3A 50 push eax 003B3C3B FFB5 46344200 push dword ptr ss:[ebp+423446] 003B3C41 FFB5 42344200 push dword ptr ss:[ebp+423442] 003B3C47 E8 39810000 call 003BBD85 ; int3调用，都nop 003B3C7E 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3D22 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3D29 74 09 je short 003B3D34 003B3D2B 83F8 02 cmp eax, 2 003B3D2E 0F85 C0040000 jnz 003B41F4 003B3D66 8D85 FD344200 lea eax, dword ptr ss:[ebp+4234FD] 003B3D99 8D9D 13354200 lea ebx, dword ptr ss:[ebp+423513] 003B3DA4 8D8D 27354200 lea ecx, dword ptr ss:[ebp+423527] ; 003BDC5A 30 36 37 38 31 46 38 42 06781F8B 003B3DAF 8D95 38204200 lea edx, dword ptr ss:[ebp+422038] 003B3DF9 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3E2C FFB5 85C84100 push dword ptr ss:[ebp+41C885] 003B3E32 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3E4F 52 push edx 003B3E50 51 push ecx 003B3E51 53 push ebx 003B3E52 50 push eax 003B3E53 E8 2D7F0000 call 003BBD85; 还是他，nop 003B3E74 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3E91 83F8 02 cmp eax, 2 003B3E99 B8 00000000 mov eax, 0 003B3EA3 /0F84 C4040000 je 003B436D 003B3EDB B9 2A000000 mov ecx, 2A 003B3EE5 BF 0AD04100 mov edi, 41D00A 003B3EEF 03FD add edi, ebp 003B3F08 BE FD344200 mov esi, 4234FD 003B3F3A 03F5 add esi, ebp 003B3F41 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] .................. 2004-5-1 18:16 0
csjwaman 雪币： 319 活跃值： (2439) 能力值： ( LV12，RANK：980 ) 在线值：发帖 74 回帖 883 粉丝 10 关注私信	csjwaman 24 6 楼头都看晕。不过还是顶！！！ 2004-5-1 18:59 0
simonzh2000 雪币： 398 活跃值： (1078) 能力值： ( LV9，RANK：970 ) 在线值：发帖 36 回帖 466 粉丝 6 关注私信	simonzh2000 24 7 楼程序在哪里下载? forgot 给一个了. 2004-5-1 19:01 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 8 楼 GOOD 2004-5-1 19:19 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 9 楼试验程序。:D 2004-5-1 19:36 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 10 楼强烈抗议 fly 改帖，要求赔偿精神损失！:D 2004-5-1 20:28 0
china 雪币： 3638 活跃值： (4197) 能力值： (RANK：215 ) 在线值：发帖 72 回帖 1984 粉丝 9 关注私信	china 5 11 楼老大，把整个文章弄个包包传来吧。便于收藏整理，谢谢先。 2004-5-1 22:49 0
doskey 雪币： 329 活跃值： (343) 能力值： ( LV10，RANK：170 ) 在线值：发帖 36 回帖 462 粉丝 4 关注私信	doskey 4 12 楼好文！收藏 2004-5-1 23:23 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 13 楼 [part 6 ](区段处理) ; ========================================================================================= ; 返回到 Ch e c k s u m - C h e c k i n g 之后的位置 ; 有个稍微快一点的方法解决注册 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B073A E8 4A2A0000 call 003B3189 ; nop掉然后置eax =1即可 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B076C 66:3D 0100 cmp ax, 1 003B0775 /0F84 E9000000 je 003B0864 ; j,否则Over 003B087B 8D85 D85C4000 lea eax, dword ptr ss:[ebp+405CD8] 003B08F8 BE E4D34100 mov esi, 41D3E4 003B0902 03F5 add esi, ebp ; esi -> 块表 ; esi: ;----------------------- 003B7B17 00001000 ; VOffset 003B7B1B 00006000 ; RSize 003B7B1F 0000F342 ; VSize 003B7B23 E0000021 ; Flags 003B7B27 00017000 ; 一样.... 003B7B2B 00001000 003B7B2F 00000FB8 003B7B33 C0000041 ;----------------------- 003B090E 833E 00 cmp dword ptr ds:[esi], 0 ; 区块解码结束了? 003B0916 /0F84 7E060000 je 003B0F9A ; 结束就走人 003B0921 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B092C 031E add ebx, dword ptr ds:[esi] ; ebx -> 指向一个Section 003B0945 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; ecx -> Size 003B0952 83F9 00 cmp ecx, 0 003B0955 /75 4E jnz short 003B09A5 ; 长度非零,处理---> (((((((((((((((((((((((((((((((((((((((((((((((((((( ; 跳过处理大小为零的Section 003B096E 83C6 10 add esi, 10 003B0976 ^\EB 91 jmp short 003B0909 )))))))))))))))))))))))))))))))))))))))))))))))))))) 003B09EE D1E9 shr ecx, 1 ; ecx /2 003B09F5 66:8B85 2DD6410>mov ax, word ptr ss:[ebp+41D62D] 003B0A01 66:35 2111 xor ax, 1121 003B0A37 66:C1C8 02 ror ax, 2 003B0A40 66:05 1A00 add ax, 1A 003B0A49 66:05 A100 add ax, 0A1 ; 计算key 003B0A84 66:3103 xor word ptr ds:[ebx], ax 003B0A8C 66:48 dec ax 003B0A93 43 inc ebx ; 指向下一byte 003B0A99 43 inc ebx ; 移动指针 003B0AC7 49 dec ecx 003B0ACD 83F9 00 cmp ecx, 0 003B0AD0 ^\75 AD jnz short 003B0A7F ; 循环解码 003B0B09 8B46 0C mov eax, dword ptr ds:[esi+C] ; flag 003B0B11 83E0 01 and eax, 1 ; 隐藏着什么标记呢? 003B0B30 83BD F81D4200 0>cmp dword ptr ss:[ebp+421DF8], 1 003B0B37 /0F85 60030000 jnz 003B0E9D ; 不知道,nj 003B0B6A 83F8 01 cmp eax, 1 003B0B6D 0F85 25030000 jnz 003B0E98; 还是不知道,nj,$$#@%@#$ 003B0C18 60 pushad 003B0C23 8B46 04 mov eax, dword ptr ds:[esi+4]; RSize 003B0C2B 83F8 00 cmp eax, 0 003B0C33 /0F84 03020000 je 003B0E3C ; RSize==0就不分配空间了 003B0C43 8B46 08 mov eax, dword ptr ds:[esi+8] ;VSize 003B0C73 6A 04 push 4 003B0C75 68 00100000 push 1000 003B0C7A 50 push eax 003B0C7B 6A 00 push 0 003B0C7D FF95 13CF4100 call dword ptr ss:[ebp+41CF13] ; 分配空间存放Section 0012FF74 003B0C83 /CALL to VirtualAlloc from 003B0C7D 0012FF78 00000000 \|Address = NULL 0012FF7C 0000F342 \|Size = F342 (62274.) 0012FF80 00001000 \|AllocationType = MEM_COMMIT 0012FF84 00000004 \Protect = PAGE_READWRITE 003B0CC7 8985 E0D34100 mov dword ptr ss:[ebp+41D3E0], eax ; 得到的空间 003B0CFF 56 push esi ; 保存 Section Table Pointer 003B0D32 8B1E mov ebx, dword ptr ds:[esi] ; ebx -> VOffset 003B0D39 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase, 得到VA 003B0D44 50 push eax 003B0D45 53 push ebx 003B0D46 E8 AE620000 call 003B6FF9 ; aplib_depack_asm.解压缩到刚才VirtualAlloc得到的空间 003B0D50 83C4 08 add esp, 8 ; 平衡堆栈，大概用的不是stdcall 003B0D5D 8BC8 mov ecx, eax ; 解压出来的长度 003B0D64 8B3E mov edi, dword ptr ds:[esi] ; edi -> VOffset 003B0D93 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase, Get VA ; 要把解压得代码传送回去了 003B0DC6 8BB5 E0D34100 mov esi, dword ptr ss:[ebp+41D3E0]; 解压缩后的数据 003B0DE3 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] ; copy all 003B0DEF 5E pop esi ; 恢复 Section Table Pointer ; 这里有点无聊。根本没有修改esi也没用用它，最后都popad 003B0E0C 8B85 E0D34100 mov eax, dword ptr ss:[ebp+41D3E0] ; 申请到的地址 003B0E29 68 00800000 push 8000 003B0E2E 6A 00 push 0 003B0E30 50 push eax 003B0E31 FF95 17CF4100 call dword ptr ss:[ebp+41CF17] ; kernel32.VirtualFree ; 满门抄斩……55555555 003B0E53 61 popad ; -------- 修正页面访问权限 ---------- 003B0EAC 60 pushad 003B0EB2 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B0ECF 031E add ebx, dword ptr ds:[esi] ; 块表 VA 003B0EE8 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; 长度 003B0EF5 B8 74894100 mov eax, 418974 003B0EFF 03C5 add eax, ebp ; buffer for VirtualProtect 003B0F2E 50 push eax 003B0F2F 6A 04 push 4 003B0F31 51 push ecx 003B0F32 53 push ebx 003B0F33 FF95 27CF4100 call dword ptr ss:[ebp+41CF27] ; kernel32.VirtualProtect 0012FF74 003B0F39 /CALL to VirtualProtect from 003B0F33 0012FF78 00401000 \|Address = Try.00401000 0012FF7C 00006000 \|Size = 6000 (24576.) 0012FF80 00000004 \|NewProtect = PAGE_READWRITE 0012FF84 003B30A7 \pOldProtect = 003B30A7 003B0F3E 61 popad ; -------------- 移动指针，到下一个Section ------------------ 003B0F83 83C6 10 add esi, 10 003B0F8B ^\E9 79F9FFFF jmp 003B0909 ; 循环直到所有Sections都还原 ; ------------------------------------ ; 循环完成到这里，这里其实可以Dump了： 003B0F9A 90 nop 003B0FAE 8D85 D95C4000 lea eax, dword ptr ss:[ebp+405CD9] ; 这东西很无聊，碰到好几次，猜不出来，大概是buffer :D :D 2004-5-1 23:33 0
橡皮泥雪币： 209 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 87 粉丝 1 关注私信	橡皮泥 14 楼而且又详细，的确不错，希望多多发这种！好有收藏价值！ 2004-5-2 01:47 0
simonzh2000 雪币： 398 活跃值： (1078) 能力值： ( LV9，RANK：970 ) 在线值：发帖 36 回帖 466 粉丝 6 关注私信	simonzh2000 24 15 楼 Linson 你再加个图标. 2004-5-2 07:56 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 16 楼 [part 7]输入表处理 ; ********************************************************************************* ; 阿赖耶识 ―― 输入表处理觉醒 ; ******************************************************************************* 003B0FC4 E8 34140000 call 003B23FD ; 当然要进去了 003B242F 60 pushad 003B2474 FF95 1BCF4100 call dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24A8 8985 20FA4100 mov dword ptr ss:[ebp+41FA20], eax ; save process Id 003B24B3 8B85 1BCF4100 mov eax, dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24D0 8985 24FA4100 mov dword ptr ss:[ebp+41FA24], eax ; kernel32.GetCurrentProcessId ; 不知道搞什么名堂 003B2508 B8 B8FA4100 mov eax, 41FAB8 003B2512 03C5 add eax, ebp 003B2519 8985 ACDC4100 mov dword ptr ss:[ebp+41DCAC], eax 003B254C 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] ; Import Table RVA ------------------- 0041F023 78750000 0041F027 00000000 0041F02B 00000000 0041F02F 82750000 0041F033 7D910000 0041F037 25350000 ............ ------------------- 003B2557 83FB 00 cmp ebx, 0 ; 没有import么？ 003B2587 /0F84 1F0A0000 je 003B2FAC ; 当然有，不跳 003B25D1 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase,得到IT VA ; ebx -> IID(s) 003B25E6 8B43 0C mov eax, dword ptr ds:[ebx+C] ;pointer to DLL asciz name 003B25EE 83F8 00 cmp eax, 0 003B25F6 /0F84 B0090000 je 003B2FAC ; Game Over? 003B2601 53 push ebx ; Try.0041F023 003B262F 51 push ecx 003B2647 52 push edx 003B2648 33D2 xor edx, edx 003B264F B9 20000000 mov ecx, 20 003B2654 33DB xor ebx, ebx ; Try.0041F023 003B2656 D1F8 sar eax, 1 003B265D 0F92C3 setb bl 003B2660 D3E3 shl ebx, cl 003B2667 03D3 add edx, ebx 003B2669 ^\E2 E9 loopd short 003B2654 ; DLL Name 的RVA解码,结果在edx输出 003B266B 8BC2 mov eax, edx ; eax = edx = dll name rva 003B2684 5A pop edx 003B2685 59 pop ecx 003B268B 5B pop ebx 003B2696 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase = VA 003B26C9 8BF0 mov esi, eax 003B26D5 C685 78894100 0>mov byte ptr ss:[ebp+418978], 0 ; -------------- 是否是特殊 DLL, 包括 Windows Kernel32 & User32, 与 VB 的MSVB ------------------------ 003B2709 50 push eax 003B270F 8B00 mov eax, dword ptr ds:[eax]; 取dll name开头4个字节 003B2716 25 DFDFDFDF and eax, DFDFDFDF; 转换为大写 003B2720 3D 4B45524E cmp eax, 4E52454B ; KERN 003B2725 74 07 je short 003B272E 003B2727 3D 55534552 cmp eax, 52455355 ; USER 003B272C 75 11 jnz short 003B273F 003B2733 C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B2744 58 pop eax 003B2777 50 push eax ; Try.00415C82 003B277D 8B00 mov eax, dword ptr ds:[eax] 003B2784 25 DFDFDFDF and eax, DFDFDFDF 003B278E 3D 4D535642 cmp eax, 4256534D ; MSVB** 003B2793 75 11 jnz short 003B27A6 003B279A C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B27D3 58 pop eax ; Try.00415C82 ; 为何不一起判断? D.boy大概写到这里喝多了:0 ; ---------------------------------------------------------------------------------------------------- 003B27DE 50 push eax 003B27DF FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA ; 载入dll 003B27EA 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存dll module base 003B2822 33C0 xor eax, eax 003B2851 8703 xchg dword ptr ds:[ebx], eax ; 清掉IID的OriginalFirstThunk,然后把它读到eax ; 如果改为mov eax, dword ptr [ebx]可以避免...我偷懒,不改了,下面也是这样 003B2858 53 push ebx 003B2886 51 push ecx 003B289E 52 push edx 003B289F 33D2 xor edx, edx 003B28A6 B9 20000000 mov ecx, 20 003B28AB 33DB xor ebx, ebx 003B28AD D1F8 sar eax, 1 003B28B4 0F92C3 setb bl 003B28B7 D3E3 shl ebx, cl 003B28BE 03D3 add edx, ebx 003B28C0 ^\E2 E9 loopd short 003B28AB 003B28C2 8BC2 mov eax, edx 003B28DB 5A pop edx 003B28DC 59 pop ecx 003B28E2 5B pop ebx 003B28E8 8BF0 mov esi, eax ; OriginalFirstThunk解码 -> esi 003B292E 33C0 xor eax, eax 003B295D 8743 10 xchg dword ptr ds:[ebx+10], eax ; eax -> FirstThunk, & erase rva 003B2965 53 push ebx 003B2993 51 push ecx 003B29AB 52 push edx 003B29AC 33D2 xor edx, edx 003B29B3 B9 20000000 mov ecx, 20 003B29B8 33DB xor ebx, ebx 003B29BA D1F8 sar eax, 1 003B29C1 0F92C3 setb bl 003B29C4 D3E3 shl ebx, cl 003B29CB 03D3 add edx, ebx 003B29CD ^\E2 E9 loopd short 003B29B8 003B29CF 8BC2 mov eax, edx 003B29E8 5A pop edx 003B29E9 59 pop ecx 003B29EF 5B pop ebx 003B29F5 8BF8 mov edi, eax ; FirstThunk解码 -> edi 003B2A01 83FE 00 cmp esi, 0 ; OriginalFirstThunk不能用? 003B2A04 /75 34 jnz short 003B2A3A; 能就走 003B2A33 8BF7 mov esi, edi ; 它不行就使用第二个表 FirstThunk 003B2A67 03B5 DCD34100 add esi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA 003B2A72 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA ; offset to function name ( and hint) 003B2A99 8B06 mov eax, dword ptr ds:[esi]; 要do hint... 003B2AA0 83F8 00 cmp eax, 0 003B2AA3 /75 29 jnz short 003B2ACE ; 未完? 003B2ABC 83C3 14 add ebx, 14 003B2AC4 ^\E9 13FBFFFF jmp 003B25DC ; 下一个IID 003B2B00 807E 03 80 cmp byte ptr ds:[esi+3], 80 ; is imported by ordinal? 003B2B04 75 6C jnz short 003B2B72 ; ord... 003B2B0B 33C0 xor eax, eax 003B2B12 66:8706 xchg word ptr ds:[esi], ax 003B2B42 50 push eax 003B2B43 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2B49 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] 003B2B54 8BC8 mov ecx, eax 003B2B6D /E9 84000000 jmp 003B2BF6 ; str... 003B2B77 33C0 xor eax, eax 003B2B7E 8706 xchg dword ptr ds:[esi], eax 003B2B85 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase,这句话打过无数次了,累!!! 003B2BA2 83C0 02 add eax, 2 ; 跳过hint值(sizeof word == 2) 003B2BD2 50 push eax 003B2BD3 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2BD9 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 003B2C00 80BD 78894100 0>cmp byte ptr ss:[ebp+418978], 1 ; 特殊函数? 003B2C07 /0F85 87020000 jnz 003B2E94 ; magic jump...改为jmp吧,省得心烦 ; --------------------------- 加密输入表 ---------------------------------------- ; 具体不说了,跟到这里有点筋疲力尽了 003B2C3F 60 pushad 003B2C45 8BF8 mov edi, eax 003B2C63 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2C6E 3D F4010000 cmp eax, 1F4 003B2C73 /75 1A jnz short 003B2C8F 003B2C7A 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2C85 /E9 C9010000 jmp 003B2E53 003B2CC1 B9 04000000 mov ecx, 4 003B2CCB 33D2 xor edx, edx 003B2CD2 F7E1 mul ecx 003B2CD9 BE B1DC4100 mov esi, 41DCB1 003B2CE3 03F5 add esi, ebp 003B2CFC 33BD 20FA4100 xor edi, dword ptr ss:[ebp+41FA20] 003B2D07 893C06 mov dword ptr ds:[esi+eax], edi 003B2D26 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2D31 B9 0B000000 mov ecx, 0B 003B2D3B 33D2 xor edx, edx 003B2D42 F7E1 mul ecx 003B2D49 BF 85E44100 mov edi, 41E485 003B2D7B 03FD add edi, ebp 003B2DAA 03F8 add edi, eax 003B2DB6 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2DEE BE A6DC4100 mov esi, 41DCA6 003B2DF8 03F5 add esi, ebp 003B2E27 B9 0B000000 mov ecx, 0B 003B2E31 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] 003B2E38 FF85 A7DC4100 inc dword ptr ss:[ebp+41DCA7] ; 计数器,被加密的应该是push count...push address...ret 003B2E43 8BBD 70894100 mov edi, dword ptr ss:[ebp+418970] 003B2E6A 61 popad 003B2E70 8B8D 70894100 mov ecx, dword ptr ss:[ebp+418970] 003B2E92 /EB 1E jmp short 003B2EB2 ; ----------------------------------------------------------------------------- 003B2EAB 8BC8 mov ecx, eax ; NETAPI32.Netbios ; 函数地址 003B2ECE 39BD 33D64100 cmp dword ptr ss:[ebp+41D633], edi 003B2ED4 76 10 jbe short 003B2EE6 ; 不知道,没跳 003B2EDB 89BD 33D64100 mov dword ptr ss:[ebp+41D633], edi 003B2EEB 39BD 2FD64100 cmp dword ptr ss:[ebp+41D62F], edi 003B2EF1 73 10 jnb short 003B2F03; 不知道,还是没跳 003B2EF8 89BD 2FD64100 mov dword ptr ss:[ebp+41D62F], edi 003B2F24 890F mov dword ptr ds:[edi], ecx ; 填充IAT 003B2F3D 83C6 04 add esi, 4 003B2F45 83C7 04 add edi, 4 ; 移动Thunk指针 003B2F4D ^\E9 42FBFFFF jmp 003B2A94; 循环--- ; --------------------------------------------------------------------------------------------------- ; 从老上边的003B25F6 /0F84 B0090000 je 003B2FAC出来,完成patch iat 003B2FB1 E8 16000000 call 003B2FCC ; 取User32.GetClassNameA...居然专门弄个call... 003B2FBB 61 popad ; 解放了 003B2FC1 C3 ret 2004-5-2 10:30 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 17 楼最初由 simonzh2000 发布 Linson 你再加个图标. 我加你QQ了.你怎么不通过啊? 2004-5-2 10:43 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 18 楼 [part 8]:D ; --------------------------- 不明飞行物 ----------------------------------- 003B0FD3 8D85 DA5C4000 lea eax, dword ptr ss:[ebp+405CDA] 003B1011 E8 96200000 call 003B30AC ; 没看懂 ; ************************************************************************* ; 处理调用表 & 跳转表 ( 还原指针 ) ; ************************************************************************* 003B105F 8D85 DB5C4000 lea eax, dword ptr ss:[ebp+405CDB] ; fly 写的文章里提到，但没有说为什么，这里详细说明一下 ; ---------------call dword ptr ds:[xxxxxxxx]，其中xxxxxxxx是80xxxxxxxx---------------- 003B108C 60 pushad 003B10A4 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B10AF 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; 还是Imagebase 003B110F BE E4D34100 mov esi, 41D3E4 ; 块表 003B1119 03F5 add esi, ebp 003B1120 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B112B 031E add ebx, dword ptr ds:[esi] ; ebx -> a section,应该是代码段 003B1132 8BFB mov edi, ebx ; Try.00401000 003B1139 8B4E 08 mov ecx, dword ptr ds:[esi+8] ; VSize 003B1141 83F9 00 cmp ecx, 0 003B115B /0F84 93050000 je 003B16F4 ; 0?不玩了 003B1178 D1E9 shr ecx, 1 ; ecx/2 003B11A7 49 dec ecx 003B11AD 66:B8 FF15 mov ax, 15FF ; call dword ptr ds:[xxxxxxxx] 003B11CD BE 31354200 mov esi, 423531 003B11FF 03F5 add esi, ebp 003B124A F2:66:AF repne scas word ptr es:[edi] ; 寻找call dword ptr ds:[xxxxxxxx] ; forgot:如果没有就……不好玩了，看Ding Boy怎么收场 ; edi -> xxxxxxxx,而不是call dword ptr 003B1264 8B1F mov ebx, dword ptr ds:[edi]; 要call的地址->Ebx 003B127D 81E3 00000080 and ebx, 80000000 ; 取高位 003B129A 81FB 00000080 cmp ebx, 80000000 ; 是80xxxxxxx的形势？ 003B12A0 /0F85 13010000 jnz 003B13B9 ; 不是算了 003B12AB 8B1F mov ebx, dword ptr ds:[edi]; 加密过的指针 003B12B2 81E3 FFFFFF7F and ebx, 7FFFFFFF ; 去掉31st bit,还原指针 003B12BD 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] 003B12C3 0F82 C3000000 jb 003B138C ; 判断地址范围 003B12CE 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B12D4 /0F87 AD000000 ja 003B1387 003B12DF 833E FF cmp dword ptr ds:[esi], -1 ; ??? 003B130F /0F84 DF030000 je 003B16F4 003B131A 8B1B mov ebx, dword ptr ds:[ebx] ; 把指针指向的内容读出来 003B1321 891E mov dword ptr ds:[esi], ebx ; 写到esi 003B1350 8937 mov dword ptr ds:[edi], esi ; 地址重定位,nop掉,下同 003B1357 83C6 04 add esi, 4 ; 移动指针 003B13BE 83F9 00 cmp ecx, 0 003B13C1 ^ 0F85 56FEFFFF jnz 003B121D ; 循环直到所有都搞定 ; ----------------------- jmp dword ptr ds:[xxxxxxxx]---------------------------------- ; 方法如出一辙，不多解释 003B140B 56 push esi;剩下的buffer 003B1416 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B1449 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1459 BE E4D34100 mov esi, 41D3E4 003B148B 03F5 add esi, ebp 003B1492 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B149D 031E add ebx, dword ptr ds:[esi] 003B14A4 8BFB mov edi, ebx ; Try.00401000 003B14AB 8B4E 08 mov ecx, dword ptr ds:[esi+8] 003B14C5 D1E9 shr ecx, 1 003B14DE 49 dec ecx 003B150C 66:B8 FF25 mov ax, 25FF ; jmp dword ptr ds:[xxxxxxxx] 003B151A 5E pop esi 003B152A F2:66:AF repne scas word ptr es:[edi] 003B1532 8B1F mov ebx, dword ptr ds:[edi] 003B1539 81E3 00000080 and ebx, 80000000 003B1556 81FB 00000080 cmp ebx, 80000000 003B155C /0F85 5B010000 jnz 003B16BD 003B158F 8B1F mov ebx, dword ptr ds:[edi] 003B15BE 81E3 FFFFFF7F and ebx, 7FFFFFFF 003B15F1 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] ; Try.00411000 003B15F7 /0F82 A9000000 jb 003B16A6 003B1614 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B161A /77 5D ja short 003B1679 003B1621 833E FF cmp dword ptr ds:[esi], -1 003B1629 /0F84 C5000000 je 003B16F4 003B1634 8B1B mov ebx, dword ptr ds:[ebx] 003B163B 891E mov dword ptr ds:[esi], ebx 003B166A 8937 mov dword ptr ds:[edi], esi 003B166A 8937 mov dword ptr ds:[edi], esi 003B16D4 83F9 00 cmp ecx, 0 003B16D7 ^ 0F85 48FEFFFF jnz 003B1525 ; 循环处理所有 003B170B 61 popad ; 文革结束啦:D 2004-5-2 10:55 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 19 楼最初由 forgot 发布你在线怎么不回话?:D 被我抓到了~~ 刚睡醒,头晕...... 昨晚要我跟的东西我忘记了!看[圣斗士]睡着了. :D 2004-5-2 11:03 0
baron 雪币： 194 活跃值： (25) 能力值： ( LV3，RANK：30 ) 在线值：发帖 1 回帖 58 粉丝 1 关注私信	baron 20 楼的确不错，看了头晕 2004-5-2 11:19 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 21 楼 [最后的战役]:) ; ------------------------------------------------------最后的战役 003B174E 8B85 DBCE4100 mov eax, dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B1759 8985 A0FA4100 mov dword ptr ss:[ebp+41FAA0], eax ; kernel32.CreateFileA 003B177B 8B85 CFCE4100 mov eax, dword ptr ss:[ebp+41CECF] ; kernel32.ReadFile 003B1786 8985 A4FA4100 mov dword ptr ss:[ebp+41FAA4], eax ; kernel32.ReadFile 003B1796 8B85 DFCE4100 mov eax, dword ptr ss:[ebp+41CEDF] ; kernel32.WriteFile 003B17A1 8985 A8FA4100 mov dword ptr ss:[ebp+41FAA8], eax ; kernel32.WriteFile 003B17D9 8B85 CBCE4100 mov eax, dword ptr ss:[ebp+41CECB] ; kernel32.SetFilePointer 003B17F6 8985 ACFA4100 mov dword ptr ss:[ebp+41FAAC], eax ; kernel32.SetFilePointer 003B182E 8B85 E3CE4100 mov eax, dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B184B 8985 B0FA4100 mov dword ptr ss:[ebp+41FAB0], eax ; kernel32.CloseHandle 003B1895 8B85 EFCE4100 mov eax, dword ptr ss:[ebp+41CEEF] ; kernel32.DeleteFileA 003B18A0 8985 B4FA4100 mov dword ptr ss:[ebp+41FAB4], eax ; kernel32.DeleteFileA 003B18F4 8D85 DC5C4000 lea eax, dword ptr ss:[ebp+405CDC] ; 最后来个int3,还原中断向量 003B1949 60 pushad 003B194F B8 534E5552 mov eax, 52554E53 003B1959 BB 0ECA4100 mov ebx, 41CA0E 003B1975 03DD add ebx, ebp 003B197C CC int3; 收尾 003B1982 61 popad 003B198D 80BD F0344200 0>cmp byte ptr ss:[ebp+4234F0], 1 ; NT? 释放驱动，我们用来夺取ring0的嘛 003B1994 /0F85 93010000 jnz 003B1B2D 003B19C7 8D85 E35C4000 lea eax, dword ptr ss:[ebp+405CE3]; 垃圾 003B1A37 FFB5 546C4000 push dword ptr ss:[ebp+406C54] ; 驱动句柄 003B1A3D FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 003B1A89 FFB5 586C4000 push dword ptr ss:[ebp+406C58] ; 服务 003B1A8F FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle 003B1AEF FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 003B1AF5 FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle ; 解密OEP~~~ 003B1B5F 8B85 F8D54100 mov eax, dword ptr ss:[ebp+41D5F8] 003B1B81 53 push ebx ; Try.00418000 003B1BAF 51 push ecx ; advapi32.77DA214E 003B1BC7 52 push edx 003B1BC8 33D2 xor edx, edx 003B1BCF B9 20000000 mov ecx, 20 003B1BD4 33DB xor ebx, ebx ; Try.00418000 003B1BD6 D1F8 sar eax, 1 003B1BDD 0F92C3 setb bl 003B1BE0 D3E3 shl ebx, cl 003B1BE7 03D3 add edx, ebx 003B1BE9 ^\E2 E9 loopd short 003B1BD4 003B1BEB 8BC2 mov eax, edx 003B1C04 5A pop edx 003B1C05 59 pop ecx 003B1C0B 5B pop ebx ; Try.00418000 003B1C43 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1C76 03C3 add eax, ebx ; Try.00400000 ; now eax is 0040E2FD, the OEP :),可以直接Dump修正...我们走完吧 003B1C7D 8985 3BD64100 mov dword ptr ss:[ebp+41D63B], eax ; Try.0040E2FD 003B1CD1 80BD 24D64100 0>cmp byte ptr ss:[ebp+41D624], 1 003B1CD8 0F85 04010000 jnz 003B1DE2 ; 跳了，不知道跳过什么冬冬 003B1DF9 /E9 C4000000 jmp 003B1EC2 003B1EE3 8D85 E45C4000 lea eax, dword ptr ss:[ebp+405CE4] 003B1F0B C785 55384200 0>mov dword ptr ss:[ebp+423855], 0 003B1F1A 8BC5 mov eax, ebp 003B1F21 5B pop ebx 003B1F22 59 pop ecx 003B1F23 5A pop edx 003B1F24 5E pop esi 003B1F25 5F pop edi 003B1F26 5D pop ebp 003B1F3E 9D popfd 003B1F6D FFB0 3BD64100 push dword ptr ds:[eax+41D63B] 003B1F78 C780 3BD64100 0>mov dword ptr ds:[eax+41D63B], 0 003B1FAF /E9 CE620000 jmp 003B8282 003B8287 56 push esi ; ntdll.77F57D70 003B82B5 51 push ecx 003B82BB BE CD584000 mov esi, 4058CD 003B82C5 03F0 add esi, eax 003B82CC B9 82820100 mov ecx, 18282 003B8330 C606 00 mov byte ptr ds:[esi], 0 ; erase the loader 003B8338 46 inc esi 003B833E 49 dec ecx 003B8356 83F9 00 cmp ecx, 0 003B8359 ^ 75 A8 jnz short 003B8303 003B839F 59 pop ecx ; 0012FFB0 003B83B7 5E pop esi 003B83CF /E9 81390000 jmp 003BBD55 003BBD55 60 pushad 003BBD56 8BF0 mov esi, eax 003BBD58 B8 4A344200 mov eax, 42344A 003BBD5D 03C6 add eax, esi 003BBD5F BB 59384200 mov ebx, 423859 003BBD64 03DE add ebx, esi 003BBD66 803B 00 cmp byte ptr ds:[ebx], 0 003BBD69 74 0C je short 003BBD77 003BBD6B 6A 00 push 0 003BBD6D 50 push eax 003BBD6E 53 push ebx 003BBD6F 6A 00 push 0 003BBD71 FF96 55384200 call dword ptr ds:[esi+423855] 003BBD77 61 popad 003BBD78 58 pop eax 003BBD79 83F8 FF cmp eax, -1 003BBD7C 75 05 jnz short 003BBD83 003BBD7E 33C0 xor eax, eax 003BBD80 C2 0C00 retn 0C 003BBD83 FFE0 jmp eax ; 飞向光明之巅！！！ 0040E2FD 55 push ebp ; Dump & Fix Dump .优化一下即可 0040E2FE 8BEC mov ebp, esp 0040E300 6A FF push -1 0040E302 68 F83A4100 push Try.00413AF8 0040E307 68 84E44000 push Try.0040E484 ; jmp to msvcrt._except_handler3 0040E30C 64:A1 00000000 mov eax, dword ptr fs:[0] ......... ; 这是IAT,ImportRec可以全部找到,因为修改了Magic Jump,所以都有效。 OEP: 0000E2FD IATRVA: 00011000 IATSize: 000003B8 FThunk: 00011000 NbFunc: 00000005 1 00011000 advapi32.dll 01CD RegCreateKeyExA 1 00011004 advapi32.dll 01E2 RegOpenKeyExA 1 00011008 advapi32.dll 01D9 RegEnumValueA 1 0001100C advapi32.dll 01F9 RegSetValueExA 1 00011010 advapi32.dll 01C9 RegCloseKey FThunk: 00011018 NbFunc: 00000003 1 00011018 gdi32.dll 0196 GetObjectA 1 0001101C gdi32.dll 002E CreateCompatibleDC 1 00011020 gdi32.dll 0013 BitBlt FThunk: 00011028 NbFunc: 00000017 1 00011028 kernel32.dll 0385 WriteFile 1 0001102C kernel32.dll 0374 WaitForSingleObject 1 00011030 kernel32.dll 0185 GetOverlappedResult 1 00011034 kernel32.dll 004A CreateEventA 1 00011038 kernel32.dll 0030 CloseHandle 1 0001103C kernel32.dll 004E CreateFileA 1 00011040 kernel32.dll 0162 GetLastError 1 00011044 kernel32.dll 00AF EscapeCommFunction 1 00011048 kernel32.dll 0101 GetCommState 1 0001104C kernel32.dll 0284 PurgeComm 1 00011050 kernel32.dll 02CB SetCommMask 1 00011054 kernel32.dll 02CC SetCommState 1 00011058 kernel32.dll 02CD SetCommTimeouts 1 0001105C kernel32.dll 0334 SetupComm 1 00011060 kernel32.dll 0084 DeviceIoControl 1 00011064 kernel32.dll 01D5 GetVersionExA 1 00011068 kernel32.dll 016D GetModuleFileNameA 1 0001106C kernel32.dll 016F GetModuleHandleA 1 00011070 kernel32.dll 01D7 GetVolumeInformationA 1 00011074 kernel32.dll 01B5 GetSystemTime 1 00011078 kernel32.dll 01A6 GetStartupInfoA 1 0001107C kernel32.dll 002E ClearCommError 1 00011080 kernel32.dll 029D ReadFile FThunk: 00011088 NbFunc: 0000009D 1 00011088 mfc42.dll 0BA9 1 0001108C mfc42.dll 0BA6 1 00011090 mfc42.dll 13C9 1 00011094 mfc42.dll 06BF 1 00011098 mfc42.dll 148D 1 0001109C mfc42.dll 098E 1 000110A0 mfc42.dll 084C 1 000110A4 mfc42.dll 1479 1 000110A8 mfc42.dll 0BA6 1 000110AC mfc42.dll 0BA6 1 000110B0 mfc42.dll 0BA6 1 000110B4 mfc42.dll 06F0 1 000110B8 mfc42.dll 0C40 1 000110BC mfc42.dll 0807 1 000110C0 mfc42.dll 18E8 1 000110C4 mfc42.dll 0C09 1 000110C8 mfc42.dll 0BA0 1 000110CC mfc42.dll 0EF6 1 000110D0 mfc42.dll 0EF1 1 000110D4 mfc42.dll 0EF1 1 000110D8 mfc42.dll 0BA6 1 000110DC mfc42.dll 0FF0 1 000110E0 mfc42.dll 1213 1 000110E4 mfc42.dll 1149 1 000110E8 mfc42.dll 0E0D 1 000110EC mfc42.dll 0144 1 000110F0 mfc42.dll 0281 1 000110F4 mfc42.dll 108A 1 000110F8 mfc42.dll 0CBE 1 000110FC mfc42.dll 08F1 1 00011100 mfc42.dll 1021 1 00011104 mfc42.dll 03AB 1 00011108 mfc42.dll 0B02 1 0001110C mfc42.dll 0A36 1 00011110 mfc42.dll 0490 1 00011114 mfc42.dll 0219 1 00011118 mfc42.dll 0486 1 0001111C mfc42.dll 03AD 1 00011120 mfc42.dll 1613 1 00011124 mfc42.dll 0C37 1 00011128 mfc42.dll 0E20 1 0001112C mfc42.dll 0299 1 00011130 mfc42.dll 07BB 1 00011134 mfc42.dll 18F1 1 00011138 mfc42.dll 1442 1 0001113C mfc42.dll 015E 1 00011140 mfc42.dll 0162 1 00011144 mfc42.dll 04B0 1 00011148 mfc42.dll 18BE 1 0001114C mfc42.dll 16E0 1 00011150 mfc42.dll 0A52 1 00011154 mfc42.dll 175D 1 00011158 mfc42.dll 0C14 1 0001115C mfc42.dll 1542 1 00011160 mfc42.dll 1837 1 00011164 mfc42.dll 1A7A 1 00011168 mfc42.dll 188B 1 0001116C mfc42.dll 19F8 1 00011170 mfc42.dll 0942 1 00011174 mfc42.dll 12E5 1 00011178 mfc42.dll 10B2 1 0001117C mfc42.dll 18E7 1 00011180 mfc42.dll 1186 1 00011184 mfc42.dll 1159 1 00011188 mfc42.dll 0A58 1 0001118C mfc42.dll 1663 1 00011190 mfc42.dll 0F52 1 00011194 mfc42.dll 0441 1 00011198 mfc42.dll 144F 1 0001119C mfc42.dll 095C 1 000111A0 mfc42.dll 0D12 1 000111A4 mfc42.dll 14B4 1 000111A8 mfc42.dll 14B6 1 000111AC mfc42.dll 0AA5 1 000111B0 mfc42.dll 0FEF 1 000111B4 mfc42.dll 125A 1 000111B8 mfc42.dll 14BB 1 000111BC mfc42.dll 14A9 1 000111C0 mfc42.dll 1652 1 000111C4 mfc42.dll 120E 1 000111C8 mfc42.dll 1148 1 000111CC mfc42.dll 0E9A 1 000111D0 mfc42.dll 0231 1 000111D4 mfc42.dll 032F 1 000111D8 mfc42.dll 035C 1 000111DC mfc42.dll 0A3D 1 000111E0 mfc42.dll 046E 1 000111E4 mfc42.dll 096B 1 000111E8 mfc42.dll 0BA6 1 000111EC mfc42.dll 06F0 1 000111F0 mfc42.dll 112C 1 000111F4 mfc42.dll 14AA 1 000111F8 mfc42.dll 0D4A 1 000111FC mfc42.dll 0DF6 1 00011200 mfc42.dll 047A 1 00011204 mfc42.dll 0237 1 00011208 mfc42.dll 08FB 1 0001120C mfc42.dll 08FE 1 00011210 mfc42.dll 06F7 1 00011214 mfc42.dll 1040 1 00011218 mfc42.dll 0B2F 1 0001121C mfc42.dll 094B 1 00011220 mfc42.dll 0DF3 1 00011224 mfc42.dll 0E2A 1 00011228 mfc42.dll 096E 1 0001122C mfc42.dll 02F3 1 00011230 mfc42.dll 01D6 1 00011234 mfc42.dll 0280 1 00011238 mfc42.dll 1699 1 0001123C mfc42.dll 0668 1 00011240 mfc42.dll 0143 1 00011244 mfc42.dll 0669 1 00011248 mfc42.dll 0B2B 1 0001124C mfc42.dll 0A5C 1 00011250 mfc42.dll 1631 1 00011254 mfc42.dll 0685 1 00011258 mfc42.dll 0CF6 1 0001125C mfc42.dll 10B5 1 00011260 mfc42.dll 168D 1 00011264 mfc42.dll 039E 1 00011268 mfc42.dll 021C 1 0001126C mfc42.dll 0E4F 1 00011270 mfc42.dll 19AB 1 00011274 mfc42.dll 074F 1 00011278 mfc42.dll 0337 1 0001127C mfc42.dll 0339 1 00011280 mfc42.dll 0320 1 00011284 mfc42.dll 0ED6 1 00011288 mfc42.dll 14A0 1 0001128C mfc42.dll 1101 1 00011290 mfc42.dll 18E6 1 00011294 mfc42.dll 142B 1 00011298 mfc42.dll 0951 1 0001129C mfc42.dll 1479 1 000112A0 mfc42.dll 1137 1 000112A4 mfc42.dll 06EF 1 000112A8 mfc42.dll 0EF1 1 000112AC mfc42.dll 17A4 1 000112B0 mfc42.dll 09D2 1 000112B4 mfc42.dll 1266 1 000112B8 mfc42.dll 0A18 1 000112BC mfc42.dll 12F5 1 000112C0 mfc42.dll 1118 1 000112C4 mfc42.dll 1479 1 000112C8 mfc42.dll 184F 1 000112CC mfc42.dll 10B6 1 000112D0 mfc42.dll 164E 1 000112D4 mfc42.dll 035A 1 000112D8 mfc42.dll 039A 1 000112DC mfc42.dll 0217 1 000112E0 mfc42.dll 106C 1 000112E4 mfc42.dll 09FA 1 000112E8 mfc42.dll 09D0 1 000112EC mfc42.dll 0B67 1 000112F0 mfc42.dll 1241 1 000112F4 mfc42.dll 0261 1 000112F8 mfc42.dll 0628 FThunk: 00011300 NbFunc: 0000001E 1 00011300 msvcrt.dll 00EE _except_handler3 1 00011304 msvcrt.dll 009A __set_app_type 1 00011308 msvcrt.dll 0087 __p__fmode 1 0001130C msvcrt.dll 0082 __p__commode 1 00011310 msvcrt.dll 00B7 _adjust_fdiv 1 00011314 msvcrt.dll 009C __setusermatherr 1 00011318 msvcrt.dll 013B _initterm 1 0001131C msvcrt.dll 006F __getmainargs 1 00011320 msvcrt.dll 00A9 _acmdln 1 00011324 msvcrt.dll 0290 exit 1 00011328 msvcrt.dll 0050 _XcptFilter 1 0001132C msvcrt.dll 00F7 _exit 1 00011330 msvcrt.dll 01B4 _onexit 1 00011334 msvcrt.dll 006C __dllonexit 1 00011338 msvcrt.dll 0284 atoi 1 0001133C msvcrt.dll 018C _mbsicmp 1 00011340 msvcrt.dll 02FB srand 1 00011344 msvcrt.dll 02ED rand 1 00011348 msvcrt.dll 02D8 malloc 1 0001134C msvcrt.dll 02A5 free 1 00011350 msvcrt.dll 00D7 _controlfp 1 00011354 msvcrt.dll 0317 time 1 00011358 msvcrt.dll 0307 strncmp 1 0001135C msvcrt.dll 0160 _itoa 1 00011360 msvcrt.dll 0054 __CxxFrameHandler 1 00011364 msvcrt.dll 0186 _mbscmp 1 00011368 msvcrt.dll 02F9 sprintf 1 0001136C msvcrt.dll 030A strrchr 1 00011370 msvcrt.dll 0308 strncpy 1 00011374 msvcrt.dll 01DE _setmbcp FThunk: 0001137C NbFunc: 00000001 1 0001137C netapi32.dll 0100 Netbios FThunk: 00011384 NbFunc: 0000000C 1 00011384 user32.dll 010D GetDC 1 00011388 user32.dll 01B6 LoadBitmapA 1 0001138C user32.dll 01A7 IsIconic 1 00011390 user32.dll 0009 AppendMenuA 1 00011394 user32.dll 0100 GetClientRect 1 00011398 user32.dll 00B7 DrawIcon 1 0001139C user32.dll 015D GetSystemMenu 1 000113A0 user32.dll 015E GetSystemMetrics 1 000113A4 user32.dll 0194 InvalidateRect 1 000113A8 user32.dll 01BC LoadIconA 1 000113AC user32.dll 00C5 EnableWindow 1 000113B0 user32.dll 023C SendMessageA 2004-5-2 11:25 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 22 楼最初由 forgot 发布有没有冥王完结篇？我昨天睡的也太晚了，头昏。跟完了上来。不知道啊!我还没有看最后一张碟是什么呢1 你要的东西! 003B073A E8 4A2A0000 CALL 003B3189 //CALL----> 003B31A5 B8 01000000 MOV EAX, 1 003B31D7 83BD 9ED24100 0>CMP DWORD PTR [EBP+41D29E], 0 003B31E3 /0F84 C6120000 JE 003B44AF //JMP就跳过注册选项了! 003B44DC C3 RETN //返回到另外一个地方.注意了哦... 003B44DC C3 RETN //再返回 2004-5-2 12:07 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 23 楼全部贴完. 2004-5-2 12:24 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 24 楼在5楼贴上part 5 2004-5-2 12:47 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 25 楼 13楼贴上part 6. 下一步到IAT了,呵呵. 2004-5-2 14:40 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

forgot

155

发帖

3771

回帖

1060

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (66) 1 2 3 ▶
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 2 楼 [part 2] 004207D5 8D85 E15C4000 lea eax, dword ptr ss:[ebp+405CE1] 004207EB E8 34120000 call Try.00421A24 00421A68 60 pushad 00421A80 B8 92764000 mov eax, Try.00407692 00421A9C 03C5 add eax, ebp ; buffer 00421AA3 8BF0 mov esi, eax 00421AAA 68 C8000000 push MAX_PATH 00421AAF 50 push eax 00421AB0 FF95 44724000 call dword ptr ss:[ebp+407244] ; kernel32.GetSystemDirectoryA 00421ABB 90 nop 00421AC0 8A06 mov al, byte ptr ds:[esi] 00421AC7 46 inc esi 00421ADF 3C 00 cmp al, 0 00421B0E ^\75 AB jnz short Try.00421ABB 00421B15 C646 FF 5C mov byte ptr ds:[esi-1], 5C ; 目录后边加个"\" 00421B1E C706 63646364 mov dword ptr ds:[esi], 64636463 ; cdcd 00421B29 C746 04 2E73797>mov dword ptr ds:[esi+4], 7379732E ; .sys 00421B5D C746 08 0000000>mov dword ptr ds:[esi+8], 0 ; NULL, 铺张浪费,byte就足够了 ; 我这里的文件名 --------------------------------------------------------------------------- 00421DB9 ** 3A 5C 57 :\W 00421DC9 49 4E 44 4F 57 53 5C 53 79 73 74 65 6D 33 32 5C INDOWS\System32\ 00421DD9 63 64 63 64 2E 73 79 73 cdcd.sys --------------------------------------------------------------------------- 00421B92 B8 86764000 mov eax, Try.00407686 00421B9C 03C5 add eax, ebp 00421BCB BB 92764000 mov ebx, Try.00407692 00421BFD 03DD add ebx, ebp 00421C2C 6A 00 push 0 00421C2E 6A 20 push 20 00421C30 6A 04 push 4 00421C32 6A 00 push 0 00421C34 6A 02 push 2 00421C36 68 00000040 push 40000000 00421C3B 53 push ebx 00421C3C FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA ; 参数,清晰一些:) --------------------------------------------------------------- 0012FF60 00421C42 /CALL to CreateFileA from Try.00421C3C 0012FF64 00421DC5 \|FileName = "E:\WINDOWS\System32\cdcd.sys" 0012FF68 40000000 \|Access = GENERIC_WRITE 0012FF6C 00000002 \|ShareMode = FILE_SHARE_WRITE 0012FF70 00000000 \|pSecurity = NULL 0012FF74 00000004 \|Mode = OPEN_ALWAYS 0012FF78 00000020 \|Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL --------------------------------------------------------------- 00421C4C 83F8 FF cmp eax, -1 00421C54 /0F84 32010000 je Try.00421D8C ; 坏事了... 00421C76 8985 8A764000 mov dword ptr ss:[ebp+40768A], eax ; 保存句柄 00421CC0 B9 8C310000 mov ecx, 318C ; 驱动文件长度 00421CCA B8 8E764000 mov eax, Try.0040768E 00421CE6 03C5 add eax, ebp ; WriteFile返回结构,名字忘了 00421CED BB 5A774000 mov ebx, Try.0040775A 00421D09 03DD add ebx, ebp ; 可爱的驱动程序 00421D10 6A 00 push 0 00421D12 50 push eax 00421D13 51 push ecx 00421D14 53 push ebx 00421D15 FFB5 8A764000 push dword ptr ss:[ebp+40768A] ; hWnd 00421D1B FF95 4C724000 call dword ptr ss:[ebp+40724C] ; kernel32.WriteFile ; 写出驱动,如果想把这个东西拷贝出来研究要关闭程序,它独占了文件 0012FF68 00421D21 /CALL to WriteFile* from Try.00421D1B 0012FF6C 00000024 \|hFile = 00000024 0012FF70 00421E8D \|Buffer = Try.00421E8D 0012FF74 0000318C \|nBytesToWrite = 318C (12684.) 0012FF78 00421DC1 \|pBytesWritten = Try.00421DC1 0012FF7C 00000000 \pOverlapped = NULL 00421D3D FFB5 8A764000 push dword ptr ss:[ebp+40768A] 00421D43 FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF78 00421D49 /CALL to CloseHandle from Try.00421D43 0012FF7C 00000024 \hObject = 00000024 00421D76 61 popad 00421D7C B8 01000000 mov eax, TRUE ; 收工 00421D86 C3 ret ; 回家 00421D8C 90 nop 00421D91 61 popad 00421D7C B8 01000000 mov eax, FALSE 00421D86 C3 ret 00420807 83F8 00 cmp eax, FALSE ; 失败? 0042080F /0F84 22480000 je Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex,释放互斥体 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle,关闭互斥体句柄 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 0F85 4C010000 jnz Try.004251BD ; ..............我没走这条线,不跟了 0042085E 8D85 E25C4000 lea eax, dword ptr ss:[ebp+405CE2] 00420874 E8 7F060000 call Try.00420EF8 ----------------------------- 以后不跟那么多线了,受不了 00420F2A 68 3F000F00 push 0F003F 00420F2F 6A 00 push 0 00420F31 6A 00 push 0 00420F33 FF95 CD724000 call dword ptr ss:[ebp+4072CD] ; advapi32.OpenSCManagerA 00420F50 83F8 00 cmp eax, 0 00420F58 /0F84 8F030000 je Try.004212ED 00420F75 8985 3A6C4000 mov dword ptr ss:[ebp+406C3A], eax 00420F85 B8 3E6C4000 mov eax, Try.00406C3E 00420FA1 03C5 add eax, ebp 00420FBA 68 FF010F00 push 0F01FF 00420FBF 50 push eax 00420FC0 FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 00420FC6 FF95 D5724000 call dword ptr ss:[ebp+4072D5] ; advapi32.OpenServiceA 00420FD1 83F8 00 cmp eax, 0 00420FD4 0F85 97000000 jnz Try.00421071 ; Jump 0042109E 83F8 00 cmp eax, 0 004210A6 /0F84 41020000 je Try.004212ED 004210B1 8985 586C4000 mov dword ptr ss:[ebp+406C58], eax 004210C1 6A 00 push 0 004210C3 6A 00 push 0 004210C5 FFB5 586C4000 push dword ptr ss:[ebp+406C58] 004210CB FF95 C5724000 call dword ptr ss:[ebp+4072C5] ; advapi32.StartServiceA ; 启动服务,不好玩^^,我这里服务开启,所以产生了ERROR_SERVICE_ALREADY_RUNNING (00000420) 004210E4 FF95 40724000 call dword ptr ss:[ebp+407240] ; ntdll.RtlGetLastWin32Error 00421101 3D E5030000 cmp eax, 3E5 00421106 /0F84 DD000000 je Try.004211E9 00421123 3D 20040000 cmp eax, 420 00421128 /0F84 B6000000 je Try.004211E4 ; GoGoGo,否则Game Over就不好玩了 0042120A B8 446C4000 mov eax, Try.00406C44 00421226 03C5 add eax, ebp ; Oh God save me!!! --------------------------------------------------------------------------- 00421377 5C 5C 2E 5C 44 62 70 65 44 65 76 69 63 65 30 00 \\.\DbpeDevice0. --------------------------------------------------------------------------- 0042123F 6A 00 push 0 00421241 6A 00 push 0 00421243 6A 03 push 3 00421245 6A 00 push 0 00421247 6A 01 push 1 00421249 68 000000C0 push C0000000 0042124E 50 push eax 0042124F FF95 48724000 call dword ptr ss:[ebp+407248] ; kernel32.CreateFileA 0012FF7C 0012FFE0 0012FF80 00421255 /CALL to CreateFileA from Try.0042124F 0012FF84 00421377 \|FileName = "\\.\DbpeDevice0" 0012FF88 C0000000 \|Access = GENERIC_READ\|GENERIC_WRITE 0012FF8C 00000001 \|ShareMode = FILE_SHARE_READ 0012FF90 00000000 \|pSecurity = NULL 0012FF94 00000003 \|Mode = OPEN_EXISTING 0012FF98 00000000 \|Attributes = 0 0012FF9C 00000000 \hTemplateFile = NULL ; 调查一下服务:) 0042126C 83F8 FF cmp eax, -1 00421274 /74 77 je short Try.004212ED ; 没启动走人,加载错误 0042127B 8985 546C4000 mov dword ptr ss:[ebp+406C54], eax; save handle 004212AE B8 01000000 mov eax, TRUE 004212B8 8985 706C4000 mov dword ptr ss:[ebp+406C70], eax 004212D5 C3 ret ; 回去了 004208A6 83F8 00 cmp eax, 0 ; over? 004208AE /0F84 83470000 je Try.00425037 ; over 004208C3 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 004208FF B8 5C3A4200 mov eax, Try.00423A5C 00420909 03C5 add eax, ebp ; forgot: 老是这个,我$@%@%@^%@$^ 00420922 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420932 B8 746C4000 mov eax, Try.00406C74 0042093C 03C5 add eax, ebp 0042096B 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 0042097B B8 5C6C4000 mov eax, Try.00406C5C 00420985 03C5 add eax, ebp 0042098C 6A 00 push 0 0042098E 6A 00 push 0 00420990 6A 00 push 0 00420992 6A 00 push 0 00420994 6A 0C push 0C 00420996 50 push eax 00420997 6A 04 push 4 00420999 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 0042099F FF95 3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 004209A5 /CALL to DeviceIoControl from Try.0042099F 0012FF84 0000004C \|hDevice = 0000004C 0012FF88 00000004 \|IoControlCode = 4 0012FF8C 0042138F \|InBuffer = Try.0042138F 0012FF90 0000000C \|InBufferSize = C (12.) 0012FF94 00000000 \|OutBuffer = NULL 0012FF98 00000000 \|OutBufferSize = 0 0012FF9C 00000000 \|pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL 00420A55 B8 00000000 mov eax, 0 00420A5F 81BD 746C4000 8>cmp dword ptr ss:[ebp+406C74], FFFF8888 00420A6E /0F84 C3450000 je Try.00425037 ; 好像是Over 00420AB8 C785 5C6C4000 0>mov dword ptr ss:[ebp+406C5C], 3 00420AF4 B8 5C3A4200 mov eax, Try.00423A5C 00420AFE 03C5 add eax, ebp 00420B17 8985 606C4000 mov dword ptr ss:[ebp+406C60], eax ; Try.0043E18F 00420B61 B8 746C4000 mov eax, Try.00406C74 00420B6B 03C5 add eax, ebp 00420B9A 8985 646C4000 mov dword ptr ss:[ebp+406C64], eax ; Try.004213A7 00420BBC C785 746C4000 0>mov dword ptr ss:[ebp+406C74], 0 00420BE2 B8 5C6C4000 mov eax, Try.00406C5C 00420BEC 03C5 add eax, ebp 00420BF3 6A 00 push 0 00420BF5 6A 00 push 0 00420BF7 6A 00 push 0 00420BF9 6A 00 push 0 00420BFB 6A 0C push 0C 00420BFD 50 push eax 00420BFE 6A 01 push 1 00420C00 FFB5 546C4000 push dword ptr ss:[ebp+406C54] 00420C06 FF95 3C724000 call dword ptr ss:[ebp+40723C] ; kernel32.DeviceIoControl 0012FF80 00420C0C /CALL to DeviceIoControl from Try.00420C06 0012FF84 0000004C \|hDevice = 0000004C 0012FF88 00000001 \|IoControlCode = 1 0012FF8C 0042138F \|InBuffer = Try.0042138F 0012FF90 0000000C \|InBufferSize = C (12.) 0012FF94 00000000 \|OutBuffer = NULL 0012FF98 00000000 \|OutBufferSize = 0 0012FF9C 00000000 \|pBytesReturned = NULL 0012FFA0 00000000 \pOverlapped = NULL ; 中断向量被xxx了,不敢用int3乱动阿!用F4走,或者在Debug里设置用hardware breakpoint进行step,否则**自己想象吧 ; ************************************************************ ; 千万小心 ; ************************************************************ 00420C0C 90 nop ; F4 00420D07 8B85 746C4000 mov eax, dword ptr ss:[ebp+406C74] 00420D3A 83F8 00 cmp eax, 0 00420D42 /0F84 EF420000 je Try.00425037 ; over 00420D7A 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00420D86 C1E8 10 shr eax, 10 00420D8E 66:8985 5634420>mov word ptr ss:[ebp+423456], ax 00420DC7 B8 01000000 mov eax, 1 00420DD1 8985 6C6C4000 mov dword ptr ss:[ebp+406C6C], eax 00420E09 50 push eax 00420E0F B8 92764000 mov eax, Try.00407692 00420E2B 03C5 add eax, ebp ; 对驱动进行惨无人道的毁尸灭迹…… 00420E5A 50 push eax ; Try.00421DC5 00420E5B FF95 38724000 call dword ptr ss:[ebp+407238] ; kernel32.DeleteFileA 0012FF98 00420E61 /CALL to DeleteFileA from Try.00420E5B 0012FF9C 00421DC5 \FileName = "E:\WINDOWS\System32\cdcd.sys" 00420E66 58 pop eax 00420E6C /E9 C6410000 jmp Try.00425037 00425037 50 push eax 00425038 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042503E FF95 30724000 call dword ptr ss:[ebp+407230] ; kernel32.ReleaseMutex 0012FF98 00425044 /CALL to ReleaseMutex from Try.0042503E 0012FF9C 00000020 \hMutex = 00000020 00425044 FFB5 2A6C4000 push dword ptr ss:[ebp+406C2A] 0042504A FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 0012FF98 00425050 /CALL to CloseHandle** from Try.0042504A 0012FF9C 00000020 \hObject = 00000020 ; 没人性，互斥体也惨遭毒手…… 00425050 58 pop eax 00425068 83F8 00 cmp eax, 0 0042506B 0F85 4C010000 jnz Try.004251BD ; Go 004251C2 /E9 39010000 jmp Try.00425300 ; 花絮：跳过的这段代码还真惹眼：） ---------------------------------------------------------------- 004251CC FA cli 004251D2 BE 4E344200 mov esi, Try.0042344E 004251DC 03F5 add esi, ebp 004251E3 0F010E sidt fword ptr ds:[esi] 004251EB 8B76 02 mov esi, dword ptr ds:[esi+2] 0042520A 66:8B46 18 mov ax, word ptr ds:[esi+18] 00425213 66:8B5E 1E mov bx, word ptr ds:[esi+1E] 00425244 66:8985 5434420>mov word ptr ss:[ebp+423454], ax 00425250 66:899D 5634420>mov word ptr ss:[ebp+423456], bx 00425289 B8 5C3A4200 mov eax, Try.00423A5C 00425293 03C5 add eax, ebp 004252AC 66:8946 18 mov word ptr ds:[esi+18], ax 004252B5 C1E8 10 shr eax, 10 004252E5 66:8946 1E mov word ptr ds:[esi+1E], ax ; 好在我不是9x....哈 ---------------------------------------------------------------- 2004-5-1 18:14 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 3 楼 [part 3] ; **************************************************************** ; 当当当~~~~~ 醒醒啦！！！ ; ************************************************************** 0042532D 8D85 D05C4000 lea eax, dword ptr ss:[ebp+405CD0] ; 没弄明白，也许是参数 00425334 B0 94 mov al, 94 ; 后边用来xor的key 00425336 E8 00000000 call Try.0042533B 0042533B 5E pop esi ; 取这条信令地址 0042533C 81C6 A6000000 add esi, 0A6 ; 加上这段解密代码的长度，指向下一部分，进行SMC解密 00425347 B9 68010000 mov ecx, 168h ; 解码长度 00425356 8A26 mov ah, byte ptr ds:[esi] ; 读取一个字节 0042535D 32E0 xor ah, al 00425376 F6D4 not ah 0042538F 8826 mov byte ptr ds:[esi], ah ; 解密后存回去 004253A8 46 inc esi ; 下一个字节 004253AE 49 dec ecx ; 计数器-- 004253B4 83F9 00 cmp ecx, 0 004253B7 ^\75 98 jnz short Try.00425351 ; 循环直到都解密完成 ; 精彩片断！！！！！！！！！！ 004253BE FEC8 dec al ; 换一个key 004253C5 BB 4F434E55 mov ebx, 554E434F ; 不清楚，自己猜吧 0042540E B9 68010000 mov ecx, 168 ; 这一块长度 0042542A 8A240E mov ah, byte ptr ds:[esi+ecx] ; 读取一个字节 00425444 88240E mov byte ptr ds:[esi+ecx], ah ; 再写进去，什么名堂？ 0042545E CC int 3 ; 别乱动，int 3解码 0042545F /E9 E5000000 jmp Try.00425549 ; 按 F4 ，int3的向量处理好解码了，过去看看 ; 跳过的好像是下一次int3的向量,俺可不敢进去胡闹 00425464 \|3D 534E5552 cmp eax, 52554E53 00425469 \|75 24 jnz short Try.0042548F 00425482 FFD3 call ebx 00425489 CF iretd 00425576 B9 68010000 mov ecx, 168 ; TMD,没完没了了 00425592 8A240E mov ah, byte ptr ds:[esi+ecx] 004255AC 88240E mov byte ptr ds:[esi+ecx], ah 004255C6 CC int3 004255C7 E9 E5000000 jmp Try.004256B1 ; F4 004256DE B9 68010000 mov ecx, 168 ; KAO.... 004256FA 8A240E mov ah, byte ptr ds:[esi+ecx] 00425714 88240E mov byte ptr ds:[esi+ecx], ah 0042572E CC int3 0042572F E9 E5000000 jmp Try.00425819 00425846 B9 68010000 mov ecx, 168 ; …… 00425862 8A240E mov ah, byte ptr ds:[esi+ecx] 0042587C 88240E mov byte ptr ds:[esi+ecx], ah 00425896 CC int3 00425897 E9 E5000000 jmp Try.00425981 004259AE B9 68010000 mov ecx, 168 ; my heart will go on 004259CA 8A240E mov ah, byte ptr ds:[esi+ecx] 004259E4 88240E mov byte ptr ds:[esi+ecx], ah 004259FE CC int3 004259FF /E9 E5000000 jmp Try.00425AE9 00425B16 B9 68010000 mov ecx, 168 ; 没完没了 00425B32 8A240E mov ah, byte ptr ds:[esi+ecx] 00425B4C 88240E mov byte ptr ds:[esi+ecx], ah 00425B66 CC int3 00425B67 E9 E5000000 jmp Try.00425C51 00425C7E B9 68010000 mov ecx, 168 ; 不见不散 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF /E9 E5000000 jmp Try.00425DB9 00425C7E B9 68010000 mov ecx, 168 ; 有话好好说 00425C9A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425CB4 88240E mov byte ptr ds:[esi+ecx], ah 00425CCE CC int3 00425CCF E9 E5000000 jmp Try.00425DB9 00425DE6 B9 68010000 mov ecx, 168 ; 声声慢…… 00425E02 8A240E mov ah, byte ptr ds:[esi+ecx] 00425E1C 88240E mov byte ptr ds:[esi+ecx], ah 00425E36 CC int3 00425E37 E9 E5000000 jmp Try.00425F21 00425F4E B9 68010000 mov ecx, 168 00425F6A 8A240E mov ah, byte ptr ds:[esi+ecx] 00425F84 88240E mov byte ptr ds:[esi+ecx], ah 00425F9E CC int3 00425F9F E9 E5000000 jmp Try.00426089 004260B6 B9 68010000 mov ecx, 168 004260D2 8A240E mov ah, byte ptr ds:[esi+ecx] 004260EC 88240E mov byte ptr ds:[esi+ecx], ah 00426106 CC int3 00426107 E9 E5000000 jmp Try.004261F1 0042621E B9 68010000 mov ecx, 168 0042623A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426254 88240E mov byte ptr ds:[esi+ecx], ah 0042626E CC int3 0042626F E9 E5000000 jmp Try.00426359 00426386 B9 68010000 mov ecx, 168 004263A2 8A240E mov ah, byte ptr ds:[esi+ecx] 004263BC 88240E mov byte ptr ds:[esi+ecx], ah 004263D6 CC int3 004263D7 E9 E5000000 jmp Try.004264C1 004264EE B9 68010000 mov ecx, 168 0042650A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426524 88240E mov byte ptr ds:[esi+ecx], ah 0042653E CC int3 0042653F E9 E5000000 jmp Try.00426629 00426656 B9 68010000 mov ecx, 168 00426672 8A240E mov ah, byte ptr ds:[esi+ecx] 0042668C 88240E mov byte ptr ds:[esi+ecx], ah 004266A6 CC int3 004266A7 E9 E5000000 jmp Try.00426791 004267BE B9 68010000 mov ecx, 168 004267DA 8A240E mov ah, byte ptr ds:[esi+ecx] 004267F4 88240E mov byte ptr ds:[esi+ecx], ah 0042680E CC int3 0042680F E9 E5000000 jmp Try.004268F9 00426926 B9 68010000 mov ecx, 168 00426942 8A240E mov ah, byte ptr ds:[esi+ecx] 0042695C 88240E mov byte ptr ds:[esi+ecx], ah 00426976 CC int3 00426977 E9 E5000000 jmp Try.00426A61 00426A8E B9 68010000 mov ecx, 168 00426AAA 8A240E mov ah, byte ptr ds:[esi+ecx] 00426AC4 88240E mov byte ptr ds:[esi+ecx], ah 00426ADE CC int3 00426ADF E9 E5000000 jmp Try.00426BC9 00426BF6 B9 68010000 mov ecx, 168 00426C12 8A240E mov ah, byte ptr ds:[esi+ecx] 00426C2C 88240E mov byte ptr ds:[esi+ecx], ah 00426C46 CC int3 00426C47 E9 E5000000 jmp Try.00426D31 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426D5E B9 68010000 mov ecx, 168 00426D7A 8A240E mov ah, byte ptr ds:[esi+ecx] 00426D94 88240E mov byte ptr ds:[esi+ecx], ah 00426DAE CC int3 00426DAF E9 E5000000 jmp Try.00426E99 00426EC6 B9 68010000 mov ecx, 168 00426EE2 8A240E mov ah, byte ptr ds:[esi+ecx] 00426EFC 88240E mov byte ptr ds:[esi+ecx], ah 00426F16 CC int3 00426F17 E9 E5000000 jmp Try.00427001 0042702E B9 68010000 mov ecx, 168 0042704A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427064 88240E mov byte ptr ds:[esi+ecx], ah 0042707E CC int3 0042707F E9 E5000000 jmp Try.00427169 00427196 B9 68010000 mov ecx, 168 004271B2 8A240E mov ah, byte ptr ds:[esi+ecx] 004271CC 88240E mov byte ptr ds:[esi+ecx], ah 004271E6 CC int3 004271E7 E9 E5000000 jmp Try.004272D1 004272FE B9 68010000 mov ecx, 168 0042731A 8A240E mov ah, byte ptr ds:[esi+ecx] 00427334 88240E mov byte ptr ds:[esi+ecx], ah 0042734E CC int3 0042734F E9 E5000000 jmp Try.00427439 -============================================================- ; 晕倒了快，拿个处理看看，调剂~~~ 00429D84 3D 534E5552 cmp eax, 52554E53 00429D89 75 24 jnz short Try.00429DAF 00429DA2 FFD3 call ebx 00429DA9 CF iretd 00429DAF 81FB 4F434E55 cmp ebx, 554E434F 00429DB5 0F85 AD000000 jnz Try.00429E68 00429DBB 8A26 mov ah, byte ptr ds:[esi] 00429DC2 32E0 xor ah, al 00429DDB F6D4 not ah 00429DE2 8826 mov byte ptr ds:[esi], ah 00429DE9 46 inc esi 00429DEF 49 dec ecx 00429DF5 83F9 00 cmp ecx, 0 00429DF8 ^ 75 C1 jnz short Try.00429DBB 00429DFF FEC8 dec al 00429E06 8DBD 4E344200 lea edi, dword ptr ss:[ebp+42344E] 00429E11 0F010F sidt fword ptr ds:[edi] 00429E19 8B7F 02 mov edi, dword ptr ds:[edi+2] 00429E1C 8B1C24 mov ebx, dword ptr ss:[esp] 00429E24 803B E9 cmp byte ptr ds:[ebx], 0E9 00429E27 75 05 jnz short Try.00429E2E 00429E29 83C3 05 add ebx, 5 00429E2C EB 03 jmp short Try.00429E31 00429E2E 83C3 02 add ebx, 2 00429E36 66:895F 18 mov word ptr ds:[edi+18], bx 00429E3F C1EB 10 shr ebx, 10 00429E47 66:895F 1E mov word ptr ds:[edi+1E], bx 00429E50 BB 55010000 mov ebx, 155 00429E5A 0F23FB mov dr7, ebx ; Privileged command 00429E62 BB 4F434E55 mov ebx, 554E434F 00429E67 CF iretd 00429E68 CF iretd -============================================================- 0042CB96 B9 68010000 mov ecx, 168 0042CBB2 8A240E mov ah, byte ptr ds:[esi+ecx] 0042CBCC 88240E mov byte ptr ds:[esi+ecx], ah 0042CBE6 CC int3 0042CBE7 E9 E5000000 jmp Try.0042CCD1 0042EFF9 E8 00000000 call Try.0042EFFE 0042EFFE 5D pop ebp 0042EFFF 81ED CB484100 sub ebp, Try.004148CB ; 长征过去……再来取delta 0042F005 58 pop eax 0042F038 80E4 01 and ah, 1 0042F052 32C0 xor al, al 0042F081 66:3185 2DD6410>xor word ptr ss:[ebp+41D62D], ax 0042F0BF 8D85 D15C4000 lea eax, dword ptr ss:[ebp+405CD1] 0042F0FE BE 944B4100 mov esi, Try.00414B94 0042F130 03F5 add esi, ebp 0042F149 B9 B6E80000 mov ecx, 0E8B6 0042F158 03F1 add esi, ecx 0042F187 4E dec esi 0042F1B5 BB 01000000 mov ebx, 1 ; 又解码 0042F1C4 8A06 mov al, byte ptr ds:[esi] 0042F1F3 3246 01 xor al, byte ptr ds:[esi+1] 0042F1FB 32C3 xor al, bl 0042F219 3285 02AC4000 xor al, byte ptr ss:[ebp+40AC02] 0042F251 8806 mov byte ptr ds:[esi], al 0042F258 4E dec esi 0042F25E 43 inc ebx 0042F264 49 dec ecx 0042F26A 83F9 00 cmp ecx, 0 0042F26D ^\0F85 4CFFFFFF jnz Try.0042F1BF 0042F278 66:81BD 944B410>cmp word ptr ss:[ebp+414B94], 9090 0042F2AE - 75 FE jnz short Try.0042F2AE ; 搞怪？ 0042F2C9 8B85 F1344200 mov eax, dword ptr ss:[ebp+4234F1] 0042F2CF 83F8 00 cmp eax, 0 0042F2D2 B9 7DDB0100 mov ecx, 1DB7D 0042F2D7 0F85 E0020000 jnz Try.0042F5BD 0042F2DD E8 00000000 call Try.0042F2E2 0042F2E2 5A pop edx 0042F310 2B95 F4D54100 sub edx, dword ptr ss:[ebp+41D5F4] 0042F31B 81EA E2F20000 sub edx, 0F2E2 0042F326 8995 DCD34100 mov dword ptr ss:[ebp+41D3DC], edx 0042F3B3 8D85 D25C4000 lea eax, dword ptr ss:[ebp+405CD2] 0042F458 B8 87CC4100 mov eax, Try.0041CC87 0042F462 03C5 add eax, ebp ; eax -> IID 0042F469 E8 10890000 call Try.00437D7E ; 取函数地址 00437DAB 60 pushad ---------------------------------------------------------------------- 00437DB1 8BD8 mov ebx, eax ; ************************************************************** ; 大循环开始 00437DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 00437DCB /0F84 1B030000 je Try.004380EC ; over 00437DED 8BC3 mov eax, ebx 00437DF4 83C0 08 add eax, 8 00437DFC 50 push eax 00437DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 00437E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存 hModule 00437E13 83F8 00 cmp eax, 0 ; faint 00437E16 /75 46 jnz short Try.00437E5E ; JUMP 00437E1D C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed.... 00437E54 /E9 93020000 jmp Try.004380EC ; Game Over 00437EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041CCD4 00437EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] 00437ED5 03F5 add esi, ebp ; 修正地址 00437EDC 03FD add edi, ebp 00437EFF 803E 00 cmp byte ptr ds:[esi], 0 ; 表处理完了？ 00437F02 0F85 BE000000 jnz Try.00437FC6 ;没有就处理 -> * 00437F35 83C3 08 add ebx, 8 ; ebx 指向下一个DLL名称 00437F65 803B 00 cmp byte ptr ds:[ebx], 0 00437F68 74 1F je short Try.00437F89 00437F81 43 inc ebx 00437F87 ^\EB DC jmp short Try.00437F65 00437FB6 43 inc ebx ; Try.004373CE 00437FBC ^\E9 FCFDFFFF jmp Try.00437DBD ; 大循环结束 ; **************************************************************** ;: 00437FD0 56 push esi 00437FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 00437FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress,取地址 00437FE2 83F8 00 cmp eax, 0 00437FE5 75 30 jnz short Try.00438017 ; GO 00437FEC C785 83CC4100 0>mov dword ptr ss:[ebp+41CC83], 0 ; failed again .......... 00438038 8907 mov dword ptr ds:[edi], eax ; 写入函数地址 00438051 83C7 04 add edi, 4 ; 下一个Thunk ; 使 esi 指向下一个函数名 0043805E /803E 00 cmp byte ptr ds:[esi], 0 00438061 \| 74 0D je short Try.00438070 00438068 \| 46 inc esi 0043806E \EB EE jmp short Try.0043805E 0043809D 46 inc esi ; skip NULL 004380CB ^\E9 2AFEFFFF jmp Try.00437EFA 004380F1 61 popad 004380F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] ; 返回标志 00438102 C3 ret ---------------------------------------------------------------------- 0042F473 BB 3AD34100 mov ebx, Try.0041D33A 0042F47D 03DD add ebx, ebp ; 出错信息 0042F484 66:3D 0000 cmp ax, 0 0042F48D /0F84 3D2B0000 je Try.00431FD0 ; 某个错误 0042F4C5 B9 60E50100 mov ecx, 1E560 0042F4E1 83C1 20 add ecx, 20 0042F516 6A 00 push 0 0042F518 51 push ecx 0042F519 6A 00 push 0 0042F51B 6A 04 push 4 0042F51D 6A 00 push 0 0042F51F 6A FF push -1 0042F521 FF95 C3CE4100 call dword ptr ss:[ebp+41CEC3] ; kernel32.CreateFileMappingA 0012FF8C 0042F527 /CALL to CreateFileMappingA from Try.0042F521 0012FF90 FFFFFFFF \|hFile = FFFFFFFF 0012FF94 00000000 \|pSecurity = NULL 0012FF98 00000004 \|Protection = PAGE_READWRITE 0012FF9C 00000000 \|MaximumSizeHigh = 0 0012FFA0 0001E580 \|MaximumSizeLow = 1E580 0012FFA4 00000000 \MapName = NULL 0042F52C 6A 00 push 0 0042F52E 6A 00 push 0 0042F530 6A 00 push 0 0042F532 6A 02 push 2 0042F534 50 push eax 0042F535 FF95 BFCE4100 call dword ptr ss:[ebp+41CEBF] ; kernel32.MapViewOfFile 0012FF90 0042F53B /CALL to MapViewOfFile* from Try.0042F535 0012FF94 00000060 \|hMapObject = 00000060 (window) 0012FF98 00000002 \|AccessMode = FILE_MAP_WRITE 0012FF9C 00000000 \|OffsetHigh = 0 0012FFA0 00000000 \|OffsetLow = 0 0012FFA4 00000000 \MapSize = 0 ; map it... 0042F557 8985 F1344200 mov dword ptr ss:[ebp+4234F1], eax ; 保存 0042F574 B9 60E50100 mov ecx, 1E560 0042F5C2 8BD0 mov edx, eax 0042F5C9 8BF8 mov edi, eax ; 要解一部分loader代码到内存 0042F5D0 BE CD584000 mov esi, Try.004058CD 0042F5DA 03F5 add esi, ebp ; 未还原数据 0042F5F3 F3:A4 rep movsb 0042F5FF 8D85 D35C4000 lea eax, dword ptr ss:[ebp+405CD3] 0042F615 B8 804F4100 mov eax, Try.00414F80 0042F61F 2D CD584000 sub eax, Try.004058CD 0042F629 03C2 add eax, edx 0042F642 8B9D F5344200 mov ebx, dword ptr ss:[ebp+4234F5] 0042F64D 50 push eax 0042F67B C3 ret ; funy jump... 0042F67B C3 ret ; 二步瞬移~~~ ==> 003AF6B3 本代码的着色效果由xTiNt自动完成下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar 2004-5-1 18:15 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 4 楼 [part 4] 003AF6B3 90 nop 003AF6B8 8BC5 mov eax, ebp 003AF6BA E8 00000000 call 003AF6BF 003AF6BF 5D pop ebp 003AF6C0 81ED 8C4F4100 sub ebp, 414F8C 003AF6DD 50 push eax 003AF70B 53 push ebx 003AF711 B8 534E5552 mov eax, 52554E53 003AF743 8D9D 71504100 lea ebx, dword ptr ss:[ebp+415071] ; 通过int3调用地址 003AF760 CC int3 ; 改中断 003AF766 5B pop ebx 003AF794 58 pop eax 003AF79A /E9 DF000000 jmp 003AF87E ; 走人 ----------------------------------------------------- ; 9x的处理 003AF7A9 8DB5 4E344200 lea esi, dword ptr ss:[ebp+42344E] 003AF7B4 0F010E sidt fword ptr ds:[esi] 003AF7E4 8B76 02 mov esi, dword ptr ds:[esi+2] 003AF803 8D85 5C3A4200 lea eax, dword ptr ss:[ebp+423A5C] 003AF836 66:8946 18 mov word ptr ds:[esi+18], ax 003AF83F C1E8 10 shr eax, 10 003AF847 66:8946 1E mov word ptr ds:[esi+1E], ax 003AF850 C3 retn ----------------------------------------------------- 003AF8DD 8985 3FD64100 mov dword ptr ss:[ebp+41D63F], eax 003AF8E8 C785 43D64100 C>mov dword ptr ss:[ebp+41D643], 4058CD 003AF8F7 0185 43D64100 add dword ptr ss:[ebp+41D643], eax ; 修正base 003AF92A 899D F5344200 mov dword ptr ss:[ebp+4234F5], ebx 003AF951 BF CD584000 mov edi, 4058CD 003AF95B 03F8 add edi, eax ; 还是修正base 003AF962 B9 7DDB0100 mov ecx, 1DB7D ; 长度 003AF96C 32C0 xor al, al 003AF973 F3:AA rep stosb ; 擦除外壳区段里的东西(我们在内存里!) 003AF991 8D85 D45C4000 lea eax, dword ptr ss:[ebp+405CD4] 003AF9F6 60 pushad ; 看到这个肯定要干坏事 003AFA0E B8 534E5552 mov eax, 52554E53 003AFA18 BB C0534100 mov ebx, 4153C0 003AFA22 03DD add ebx, ebp 003AFA29 CC int3 ; F4到这里 ; 我这里 int3的处理是：3be18f --------------------------------------------------- 003BE194 3D 534E5552 cmp eax, 52554E53 003BE199 75 74 jnz short 003BE20F 003BE1B2 FFD3 call ebx 003BE1E1 CF iretd --------------------------------------------------- ; 可见是通过int3执行ebx, ebx似乎是通过向量反跟踪 003AFA2F 66:3D 0000 cmp ax, 0 ; 再F4到这里 003AFA38 61 popad 003AFA55 9C pushfd ; 害怕 ZF 出事, 看来一定有鬼：） 003AFA5B BB 8AD34100 mov ebx, 41D38A 003AFA77 03DD add ebx, ebp 003AFA7E 9D popfd 003AFE1F 83BD 47D64100 0>cmp dword ptr ss:[ebp+41D647], 0 003AFE26 0F84 CA000000 je 003AFEF6 003AFF12 83BD 041E4200 0>cmp dword ptr ss:[ebp+421E04], 1 003AFF19 0F84 9D000000 je 003AFFBC 003AFFEE 8D85 D55C4000 lea eax, dword ptr ss:[ebp+405CD5] 003B0031 83BD 001E4200 0>cmp dword ptr ss:[ebp+421E00], 1 003B0038 0F85 9F000000 jnz 003B00DD 003B0043 8DB5 5C344200 lea esi, dword ptr ss:[ebp+42345C] ; 开始用GetVersionExA获得的版本 003B004E 837E 10 02 cmp dword ptr ds:[esi+10], 2 003B0052 /75 31 jnz short 003B0085 ; 不是9x? 003B0059 837E 04 04 cmp dword ptr ds:[esi+4], 4 003B005D 77 0F ja short 003B006E ; 不是未知？那就是NT 003B00B2 89AD 8A204200 mov dword ptr ss:[ebp+42208A], ebp 003B00BD 8D9D 88204200 lea ebx, dword ptr ss:[ebp+422088] ; 怕~~~~ --------------------------------------------------------------------------- 003B7ABD 20 20 20 45 72 72 6F 72 20 28 33 29 3A 20 44 65 Error (3): De 003B7ACD 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7ADD 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AED 72 6F 72 20 28 34 29 3A 20 46 69 6C 65 20 43 52 ror (4): File CR 003B7AFD 43 20 45 72 72 6F 72 2C 20 20 20 41 62 6F 72 74 C Error, Abort 003B7B0D 21 00 !. --------------------------------------------------------------------------- ; 反跟踪定时器,不好玩,干掉他===>how?看下边 003B00C8 53 push ebx 003B00C9 68 F4010000 push 1F4 003B00CE 6A 00 push 0 003B00D0 6A 00 push 0 003B00D2 FF95 68CF4100 call dword ptr ss:[ebp+41CF68] ; user32.SetTimer ---> F7进入 77D19160 > B8 1E120000 mov eax, 121E ; 修改为retn 10了事 77D19165 BA 0003FE7F mov edx, 7FFE0300 77D1916A FFD2 call edx 77D1916C C2 1000 retn 10 0012FF94 003B00D8 /CALL to SetTimer from 003B00D2 0012FF98 00000000 \|hWnd = NULL 0012FF9C 00000000 \|TimerID = 0 0012FFA0 000001F4 \|Timeout = 500. ms 0012FFA4 003BC7BB \Timerproc = 003BC7BB ;干坏事,发生mov eax, [eax](eax==0)异常有兴趣可以研究一下 ; 恢复刚才的 SetTimer 代码...小心至上 003B0142 8D85 D65C4000 lea eax, dword ptr ss:[ebp+405CD6] ; 无聊 ; ============================================================================== ; A n t i - D u m p i n g ; ; 我只知道是Anti-Dumping,原理大概是修改ImageSize,有兴趣自己研究吧. ; ============================================================================== 003B016A 64:67:A1 3000 mov eax, dword ptr fs:[30] 003B0174 85C0 test eax, eax 003B01A3 78 78 js short 003B021D ; else...根据系统不同决定 003B01C1 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01DB 8B40 0C mov eax, dword ptr ds:[eax+C] 003B01F5 C740 20 0010000 mov dword ptr ds:[eax+20], 1000 003B0201 E9 9E000000 jmp 003B02A4 ; anti_dump_over 003B022C 6A 00 push 0 003B022E FF95 F7CE4100 call dword ptr ss:[ebp+41CEF7] ; GetModuleHandleA 003B023E 85D2 test edx, edx 003B0245 79 5D jns short 003B02A4 ; anti_dump_over 003B024C 837A 08 FF cmp dword ptr ds:[edx+8], -1 003B0267 75 3B jnz short 003B02A4 ; anti_dump_over 003B026E 8B52 04 mov edx, dword ptr ds:[edx+4] 003B028D C742 50 0010000>mov dword ptr ds:[edx+50], 1000 003B0299 66:C742 06 1010 mov word ptr ds:[edx+6], 1010 ; 没见过:P,NumberOfSections? ; ============================================================================== 003B02DB 8D85 D75C4000 lea eax, dword ptr ss:[ebp+405CD7]; 错误消息 ; ============================================================================== ; M e l t I C E ; ; 地球人都知道 ; ============================================================================== 003B0303 BE 26CC4100 mov esi, 41CC26 003B031F 03F5 add esi, ebp ; esi -> 指向 MeltICE 驱动表 ; 不幸儿童: --------------------------------------------------------------------------- 003B7359 5C 5C 2E 5C 62 77 32 6B 00 5C 5C 2E 5C 53 55 50 \\.\bw2k.\\.\SUP 003B7369 45 52 42 50 4D 00 5C 5C 2E 5C 49 43 45 44 55 4D ERBPM.\\.\ICEDUM 003B7379 50 00 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E P.\\.\REGVXD.\\. 003B7389 5C 4E 54 49 43 45 00 5C 5C 2E 5C 53 49 57 56 49 \NTICE.\\.\SIWVI 003B7399 44 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 46 D.\\.\SICE.\\.\F 003B73A9 49 4C 45 56 58 44 00 ILEVXD. --------------------------------------------------------------------------- 003B037C FFB5 DBCE4100 push dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B0382 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] ; kernel32.CreateFileA ; 无聊的倒腾~~~ 003B03CC 6A 00 push 0 003B03CE 6A 00 push 0 003B03D0 6A 00 push 0 003B03D2 6A 00 push 0 003B03D4 6A 00 push 0 003B03D6 6A 00 push 0 003B03D8 56 push esi 003B03D9 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF88 003B03DF /CALL to CreateFileA from 003B03D9 0012FF8C 003B7359 \|FileName = "\\.\theif" ; -_-;; 0012FF90 00000000 \|Access = 0 0012FF94 00000000 \|ShareMode = 0 0012FF98 00000000 \|pSecurity = NULL 0012FF9C 00000000 \|Mode = 0 0012FFA0 00000000 \|Attributes = 0 0012FFA4 00000000 \hTemplateFile = NULL 003B03E9 83F8 FF cmp eax, -1 003B03F1 /0F85 8E000000 jnz 003B0485 ; 事情不好办啦^_^ ; 循环使esi指向下一个名称 003B041D / 46 inc esi 003B0423 \| 803E 00 cmp byte ptr ds:[esi], 0 003B042B \ 75 EB jnz short 003B0418 ; ===> 003B041D 003B0432 46 inc esi ; Skip NULL char 003B044A 803E 00 cmp byte ptr ds:[esi], 0 ; 表示用完了吗? 003B047A ^\0F85 E5FEFFFF jnz 003B0365 ; 没完?接着来…… ; ============================================================================== 003B04DF 8D9D 5FD34100 lea ebx, dword ptr ss:[ebp+41D35F] ; 我又怕了 --------------------------------------------------------------------------- 003B7A92 20 20 20 45 72 72 6F 72 20 28 32 29 3A 20 44 65 Error (2): De 003B7AA2 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection 003B7AB2 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er 003B7AC2 72 6F 72 20 28 33 29 3A 20 44 65 62 75 67 67 65 ror (3): Debugge 003B7AD2 72 20 64 65 74 65 63 74 69 6F 6E 20 2C 20 41 62 r detection , Ab 003B7AE2 6F 72 74 21 20 00 ort! . --------------------------------------------------------------------------- 003B04FC 83F8 FF cmp eax, -1 003B0504 /0F85 C61A0000 jnz 003B1FD0 ; 送你去取经 ; ============================================================================== ; Ch e c k s u m - C h e c k i n g ; ; 外星人也都知道,但是算法叫什么我不清楚(脸红) ; ============================================================================== 003B055D 8B85 18D64100 mov eax, dword ptr ss:[ebp+41D618] ; 我想是CRC protection flag 003B0568 83F8 00 cmp eax, 0 003B056B /74 51 je short 003B05BE ; 我这里JUMP 003B05F5 8BBD FCD54100 mov edi, dword ptr ss:[ebp+41D5FC] ; 好像是资源段 003B0628 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase 003B0633 8B8D 00D64100 mov ecx, dword ptr ss:[ebp+41D600] ; size 003B063E 83F9 00 cmp ecx, 0 003B0641 0F84 C5000000 je 003B070C ; Nothing? 003B064C 33C0 xor eax, eax 003B0665 33DB xor ebx, ebx 003B066C 33D2 xor edx, edx 003B068A /8A1F mov bl, byte ptr ds:[edi] ; get a byte 003B0691 \| 32D9 xor bl, cl 003B0698 \| 03C3 add eax, ebx 003B069F \| 47 inc edi 003B06A5 \| 49 dec ecx 003B06BD \| 83F9 00 cmp ecx, 0 003B06C0 ^\75 C3 jnz short 003B0685 ; 计算校验和 003B06C7 8D9D B5D34100 lea ebx, dword ptr ss:[ebp+41D3B5] --------------------------------------------------------------------------- 003B7AE8 20 20 20 45 72 72 6F 72 20 28 34 29 3A 20 46 69 Error (4): Fi 003B7AF8 6C 65 20 43 52 43 20 45 72 72 6F 72 2C 20 20 20 le CRC Error, 003B7B08 41 62 6F 72 74 21 00 Abort!. --------------------------------------------------------------------------- 003B06E4 3985 04D64100 cmp dword ptr ss:[ebp+41D604], eax ; 比较校验和 003B06EF /0F85 DB180000 jnz 003B1FD0 ; 你敢跳？ ; ============================================================================== 本代码的着色效果由xTiNt自动完成下载xTiNt http://211.90.75.84/web/kanaun/download/xTiNt.rar 2004-5-1 18:16 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 5 楼 [part 5] 003B073A E8 4A2A0000 call 003B3189 ; 进去观光 003B31A5 B8 01000000 mov eax, 1 003B31D7 83BD 9ED24100 0>cmp dword ptr ss:[ebp+41D29E], 0 003B31E3 /0F84 C6120000 je 003B44AF ; 不需要注册？跳吧========〉下边在极度困倦下走了弯路 003B31F3 8D85 DD5C4000 lea eax, dword ptr ss:[ebp+405CDD]; ?? 003B3209 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 0 003B3210 /75 54 jnz short 003B3266; 不知道是啥,我这里没跳 003B3217 E8 A51D0000 call 003B4FC1; ? 003B3249 3C 01 cmp al, 1 003B324B 74 14 je short 003B3261 003B3270 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 2 003B3277 75 66 jnz short 003B32DF 003B32FB 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 1 003B3302 75 37 jnz short 003B333B 003B3345 83BD FC1D4200 0>cmp dword ptr ss:[ebp+421DFC], 3 003B334C 75 26 jnz short 003B3374 003B33A6 E8 17270000 call 003B5AC2 003B5B06 60 pushad 003B5B0C C785 EAD24100 0>mov dword ptr ss:[ebp+41D2EA], 0 003B5B32 BB CCD24100 mov ebx, 41D2CC 003B5B3C 03DD add ebx, ebp ; buffer 003B5B43 B9 AAD24100 mov ecx, 41D2AA 003B5B4D 03CD add ecx, ebp ; subkey ; 猜想是读注册标记 003B5B54 53 push ebx 003B5B55 68 1F000200 push 2001F 003B5B5A 6A 00 push 0 003B5B5C 51 push ecx 003B5B5D 68 00000080 push 80000000 003B5B62 FF95 D2CF4100 call dword ptr ss:[ebp+41CFD2] ; advapi32.RegOpenKeyExA 0012FF68 003B5B68 /CALL to RegOpenKeyExA from 003B5B62 0012FF6C 80000000 \|hKey = HKEY_CLASSES_ROOT 0012FF70 003B79DD \|Subkey = "wrifile\shell\open\command\config" 0012FF74 00000000 \|Reserved = 0 0012FF78 0002001F \|Access = KEY_QUERY_VALUE\|KEY_SET_VALUE\|KEY_CREATE_SUB_KEY\|KEY_ENUMERATE_SUB_KEYS\|KEY_NOTIFY\|20000 0012FF7C 003B79FF \pHandle = 003B79FF 003B5B9A 83F8 00 cmp eax, 0 003B5B9D 0F84 2A010000 je 003B5CCD ; JUMP 003B5D09 BE A6D24100 mov esi, 41D2A6 003B5D13 03F5 add esi, ebp 003B5D1A BF A2D24100 mov edi, 41D2A2 003B5D24 03FD add edi, ebp 003B5D30 B8 FECF4100 mov eax, 41CFFE 003B5D3A 03C5 add eax, ebp 003B5D53 BB DCD24100 mov ebx, 41D2DC 003B5D85 03DD add ebx, ebp ; 用这么多regs，气势逼人~~~ 003B5D8C 8B8D CCD24100 mov ecx, dword ptr ss:[ebp+41D2CC] ; Reg的句柄 003B5D97 56 push esi 003B5D98 50 push eax 003B5D99 57 push edi 003B5D9A 6A 00 push 0 003B5D9C 53 push ebx ; 好奇怪的名字，大概是自动计算的 003B5D9D 51 push ecx 003B5D9E FF95 DECF4100 call dword ptr ss:[ebp+41CFDE] ; advapi32.RegQueryValueExA 0012FF64 003B5DA4 /CALL to RegQueryValueExA from 003B5D9E 0012FF68 0000006A \|hKey = 6A 0012FF6C 003B7A0F \|ValueName = ""9B,"",80,"",8B,"",80,"?,80,"?,80,"",84,"",81,"" 0012FF70 00000000 \|Reserved = NULL 0012FF74 003B79D5 \|pValueType = 003B79D5 0012FF78 003B7731 \|Buffer = 003B7731 0012FF7C 003B79D9 \pBufSize = 003B79D9 ; * 如果做的DBPE Cleaner，大概就是清理HKEY_CLASSES_ROOT\wrifile\shell\open\command\config\所有子项目 003B5DC0 66:3D 0000 cmp ax, 0 003B5DC9 /0F85 EE020000 jnz 003B60BD ; 做注册部分 003B60C2 8B85 CCD24100 mov eax, dword ptr ss:[ebp+41D2CC] 003B60CD 50 push eax 003B60CE FF95 DACF4100 call dword ptr ss:[ebp+41CFDA] ; advapi32.RegCloseKey 003B6106 61 popad 003B611E 8B85 EAD24100 mov eax, dword ptr ss:[ebp+41D2EA] 003B6129 C3 ret 003B33CC 8B85 7CD24100 mov eax, dword ptr ss:[ebp+41D27C] 003B33FF BB 8CD24100 mov ebx, 41D28C 003B341B 03DD add ebx, ebp 003B3422 B9 27354200 mov ecx, 423527 003B343E 03CD add ecx, ebp 003B3445 50 push eax 003B3446 53 push ebx 003B3447 51 push ecx 003B3448 FF95 64CF4100 call dword ptr ss:[ebp+41CF64] ; user32.wsprintfA 0012FF64 0000006A 0012FF94 003B344E /CALL to wsprintfA from 003B3448 0012FF98 003BDC5A \|s = 003BDC5A 0012FF9C 003B79BF \|Format = "%08lX" 0012FFA0 06781F8B \<%08lX> = 6781F8B 003B3453 83C4 0C add esp, 0C ; 平衡堆栈 ; ecx -> ------------------------------------------------------------------- 003BDC5D 38 31 46 38 42 00 00 00 81F8B... ------------------------------------------------------------------- 003B3488 BE 0AD04100 mov esi, 41D00A 003B34A4 03F5 add esi, ebp --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ --------------------------------------------------------------------------- 003B34BD BF 2CFA4100 mov edi, 41FA2C 003B34EF 03FD add edi, ebp 003B34F6 B9 16000000 mov ecx, 16 003B3500 F3:A4 rep movsb ; 传送...不明飞行物 003B3534 BE 27354200 mov esi, 423527 003B353E 03F5 add esi, ebp 003B3545 BF 42FA4100 mov edi, 41FA42 003B354F 03FD add edi, ebp 003B3556 B9 0A000000 mov ecx, 0A 003B3588 F3:A4 rep movsb 003B3599 E8 A1140000 call 003B4A3F ; 传送某种非0的数据 003B4A5B 8DB5 78D04100 lea esi, dword ptr ss:[ebp+41D078] 003B4A8E 8DBD 0AD04100 lea edi, dword ptr ss:[ebp+41D00A] 003B4AD8 8A07 mov al, byte ptr ds:[edi] 003B4AF1 8806 mov byte ptr ds:[esi], al 003B4AF8 47 inc edi 003B4AFE 46 inc esi 003B4B2C 3C 00 cmp al, 0 003B4B2E ^\0F85 77FFFFFF jnz 003B4AAB 003B4B8E 4E dec esi 003B4B94 8DBD 27354200 lea edi, dword ptr ss:[ebp+423527] --------------------------------------------------------------------------- 003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........ --------------------------------------------------------------------------- 003B4BDE 8A07 mov al, byte ptr ds:[edi] 003B4BF7 8806 mov byte ptr ds:[esi], al 003B4BFE 47 inc edi 003B4C16 46 inc esi 003B4C2E 3C 00 cmp al, 0 003B4C30 ^\0F85 7BFFFFFF jnz 003B4BB1 003B4C3B 8806 mov byte ptr ds:[esi], al 003B4C6F 8D9D 02D34100 lea ebx, dword ptr ss:[ebp+41D302] 003B4C7A 8D85 78D04100 lea eax, dword ptr ss:[ebp+41D078] 003B4C85 8BF5 mov esi, ebp 003B4CB4 60 pushad 003B4CBA 53 push ebx 003B4CBB 50 push eax 003B4CBC E8 0C810000 call 003BCDCD ; 奇怪的算法解码出奇怪的信息 003B4CC6 61 popad ; 这里的代码把一堆东西拷来拷去，我没耐心也没兴致看算法，不做解说了。 003B4CF9 8DB5 02D34100 lea esi, dword ptr ss:[ebp+41D302] 003B4D04 8B06 mov eax, dword ptr ds:[esi] 003B4D0B 3385 9ED24100 xor eax, dword ptr ss:[ebp+41D29E] 003B4D16 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4D4E 8B46 04 mov eax, dword ptr ds:[esi+4] 003B4D56 3385 9AD24100 xor eax, dword ptr ss:[ebp+41D29A] 003B4D61 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4D71 8DBD 20D04100 lea edi, dword ptr ss:[ebp+41D020] 003B4D7C 8DB5 F6D24100 lea esi, dword ptr ss:[ebp+41D2F6] 003B4DDC 8B07 mov eax, dword ptr ds:[edi] 003B4DE3 8906 mov dword ptr ds:[esi], eax 003B4DEA 8B47 04 mov eax, dword ptr ds:[edi+4] 003B4DF2 8946 04 mov dword ptr ds:[esi+4], eax 003B4E0C E8 1B1A0000 call 003B682C ; 从代码给我的印象来看，像是检查非法字符 003B4E28 3B85 EED24100 cmp eax, dword ptr ss:[ebp+41D2EE] 003B4E45 /0F85 D7000000 jnz 003B4F22 003B4F39 B8 00000000 mov eax, 0 003B4F43 8985 F2D24100 mov dword ptr ss:[ebp+41D2F2], eax 003B4F76 8985 EED24100 mov dword ptr ss:[ebp+41D2EE], eax 003B4F93 C3 ret 003B35CB 83F8 01 cmp eax, 1 003B35D3 /0F84 D60E0000 je 003B44AF 003B3622 8D85 DE5C4000 lea eax, dword ptr ss:[ebp+405CDE] 003B3660 E8 AF330000 call 003B6A14 003B6A58 60 pushad 003B6A5E 8D85 8FC74100 lea eax, dword ptr ss:[ebp+41C78F] 003B6A69 6A 00 push 0 003B6A6B 6A 20 push 20 003B6A6D 6A 03 push 3 003B6A6F 6A 00 push 0 003B6A71 6A 00 push 0 003B6A73 68 00000080 push 80000000 003B6A78 50 push eax 003B6A79 FF95 DBCE4100 call dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 0012FF60 003B6A7F /CALL to CreateFileA from 003B6A79 0012FF64 003B6EC2 \|FileName = "regdial.dat" 0012FF68 80000000 \|Access = GENERIC_READ 0012FF6C 00000000 \|ShareMode = 0 0012FF70 00000000 \|pSecurity = NULL 0012FF74 00000003 \|Mode = OPEN_EXISTING 0012FF78 00000020 \|Attributes = ARCHIVE 0012FF7C 00000000 \hTemplateFile = NULL ; 搞注册界面库，我们到沙罗双树园啦;-) 003B6A84 83F8 FF cmp eax, -1 003B6A87 /74 2D je short 003B6AB6 ; 读取失败？我们给他行行好，翻转ZF不跳 003B6AA0 50 push eax 003B6AA1 FF95 E3CE4100 call dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B6AAC /E9 14030000 jmp 003B6DC5 003B6DDC 61 popad 003B6DE2 B8 01000000 mov eax, 1 003B6DFE C3 ret 003B36A9 8D85 DF5C4000 lea eax, dword ptr ss:[ebp+405CDF] ; 无聊！！！ 003B36E7 B8 87C74100 mov eax, 41C787 003B3703 03C5 add eax, ebp 003B370A E8 6F460000 call 003B7D7E ; 用来得到2个注册功能的窗口函数ShowTryWindow & GetRegister 003B7DAB 60 pushad 003B7DB1 8BD8 mov ebx, eax 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; nj 003B7DED 8BC3 mov eax, ebx 003B7DF4 83C0 08 add eax, 8 003B7DFC 50 push eax 003B7DFC 50 push eax 003B7DFD FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA 0012FF78 003B7E03 /CALL to LoadLibraryA from 003B7DFD 0012FF7C 003B6EC2 \FileName = "regdial.dat" ; 考，居然是lib 003B7E08 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax 003B7E13 83F8 00 cmp eax, 0 003B7E16 /75 46 jnz short 003B7E5E ; 翻转ZF 003B7EA2 8B33 mov esi, dword ptr ds:[ebx] ; Try.0041C863 003B7EBB 8B7B 04 mov edi, dword ptr ds:[ebx+4] ; Try.0041C881 003B7ED5 03F5 add esi, ebp 003B7EDC 03FD add edi, ebp ; 看名字也知道是要干啥 --------------------------------------------------------------------------- 003B6F96 53 68 6F 77 54 72 79 57 69 6E 64 6F 77 00 47 65 ShowTryWindow.Ge 003B6FA6 74 52 65 67 69 73 74 65 72 00 00 00 00 00 00 00 tRegister....... --------------------------------------------------------------------------- 003B7EFF 803E 00 cmp byte ptr ds:[esi], 0 003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了？为了好看，完成后代码下放 003B7FD0 56 push esi 003B7FD1 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B7FD7 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 0012FF74 003B7FDD /CALL to GetProcAddress from 003B7FD7 0012FF78 00000000 \|hModule = NULL ; 我从中作梗 0012FF7C 003B6F96 \ProcNameOrOrdinal = "ShowTryWindow" 003B7FE2 83F8 00 cmp eax, 0 003B7FE5 /75 30 jnz short 003B8017 ; 翻转ZF,j 003B8038 8907 mov dword ptr ds:[edi], eax 003B8051 83C7 04 add edi, 4 ; 指向GetRegister 003B805E 803E 00 cmp byte ptr ds:[esi], 0 003B8061 /74 0D je short 003B8070 003B8068 46 inc esi 003B806E ^\EB EE jmp short 003B805E 003B809D 46 inc esi 003B80CB ^\E9 2AFEFFFF jmp 003B7EFA -------------------------------------------------------------------------- ; 完成以后的代码，接003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了？为了好看，完成后代码下放 003B7F35 83C3 08 add ebx, 8 ; 移动指针 003B7F65 803B 00 cmp byte ptr ds:[ebx], 0 003B7F68 /74 1F je short 003B7F89 003B7F81 43 inc ebx 003B7F87 ^\EB DC jmp short 003B7F65 003B7FB6 43 inc ebx 003B7FBC ^\E9 FCFDFFFF jmp 003B7DBD; 回去〉〉〉 003B7DC2 807B 08 00 cmp byte ptr ds:[ebx+8], 0 003B7DCB /0F84 1B030000 je 003B80EC ; 结束,j 003B80F1 61 popad 003B80F7 8B85 83CC4100 mov eax, dword ptr ss:[ebp+41CC83] 003B8102 C3 ret 003B373C B8 FFFFFFFF mov eax, -1 003B3746 83BD 81C84100 0>cmp dword ptr ss:[ebp+41C881], 0 003B3752 /0F84 570D0000 je 003B44AF; nj 003B376F 83BD 85C84100 0>cmp dword ptr ss:[ebp+41C885], 0 003B37A3 /0F84 060D0000 je 003B44AF; 还是nj 003B37D7 E8 060D0000 call 003B44E2 003B44E7 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B44F2 68 C8000000 push 0C8 003B44F7 50 push eax ; buffer 003B44F8 FF95 BBCE4100 call dword ptr ss:[ebp+41CEBB] ; kernel32.GetWindowsDirectoryA 0012FF94 003B44FE /CALL to GetWindowsDirectoryA from 003B44F8 0012FF98 003B47F4 \|Buffer = 003B47F4 0012FF9C 000000C8 \BufSize = C8 (200.) 003B4503 33C0 xor eax, eax 003B451C B9 C8000000 mov ecx, 0C8 003B4526 8DBD C1A04100 lea edi, dword ptr ss:[ebp+41A0C1] 003B4531 F2:AE repne scas byte ptr es:[edi] ; 复制目录 003B4538 C647 FF 5C mov byte ptr ds:[edi-1], 5C ; \ 003B4541 C707 75736572 mov dword ptr ds:[edi], 72657375 ; user 003B455E C747 04 2E64617>mov dword ptr ds:[edi+4], 7461642E ; .dat 003B4592 C647 08 00 mov byte ptr ds:[edi+8], 0 003B45C4 8D85 C1A04100 lea eax, dword ptr ss:[ebp+41A0C1] 003B45CF 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B45DA 53 push ebx 003B45DB 50 push eax 003B45DC FF95 B7CE4100 call dword ptr ss:[ebp+41CEB7] ; kernel32.FindFirstFileA 003B45F9 8D9D C1A14100 lea ebx, dword ptr ss:[ebp+41A1C1] 003B462C 8D43 14 lea eax, dword ptr ds:[ebx+14] 003B4646 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] 003B4679 53 push ebx 003B467A 50 push eax 003B467B FF95 B3CE4100 call dword ptr ss:[ebp+41CEB3] ; kernel32.FileTimeToSystemTime 0012FF94 003B4681 /CALL to FileTimeToSystemTime** from 003B467B 0012FF98 003B4908 \|pFileTime = 003B4908 0012FF9C 003B4A2F \pSystemTime = 003B4A2F 003B469D 8D9D FCA24100 lea ebx, dword ptr ss:[ebp+41A2FC] ; 计算一个sum 003B46A8 33C0 xor eax, eax 003B46AF 33D2 xor edx, edx 003B46CD 66:8B03 mov ax, word ptr ds:[ebx] 003B46E7 B9 6D010000 mov ecx, 16D 003B46F1 F7E1 mul ecx 003B470A 8985 80D24100 mov dword ptr ss:[ebp+41D280], eax 003B4742 33C0 xor eax, eax 003B475B 66:8B43 02 mov ax, word ptr ds:[ebx+2] 003B4764 B9 1E000000 mov ecx, 1E 003B476E F7E1 mul ecx 003B4775 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47AD 66:8B43 06 mov ax, word ptr ds:[ebx+6] 003B47B6 0185 80D24100 add dword ptr ss:[ebp+41D280], eax 003B47EE C3 ret ; 班师回朝 003B380E C785 88D24100 0>mov dword ptr ss:[ebp+41D288], 0 003B381D C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 0 003B3836 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 1 003B383D /0F85 10010000 jnz 003B3953 ; nj 003B3848 FFB5 FECF4100 push dword ptr ss:[ebp+41CFFE] 003B384E 8F85 42344200 pop dword ptr ss:[ebp+423442] 003B3859 FFB5 E41D4200 push dword ptr ss:[ebp+421DE4] 003B385F 8F85 46344200 pop dword ptr ss:[ebp+423446] 003B387C 8B9D E41D4200 mov ebx, dword ptr ss:[ebp+421DE4] 003B3899 399D FECF4100 cmp dword ptr ss:[ebp+41CFFE], ebx 003B389F /0F83 95000000 jnb 003B393A ; j 003B393F C785 84D24100 0>mov dword ptr ss:[ebp+41D284], 1 003B3974 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 2 003B397B /0F85 E0000000 jnz 003B3A61 ; j 003B3A98 83BD F01D4200 0>cmp dword ptr ss:[ebp+421DF0], 3 003B3A9F 0F85 C3000000 jnz 003B3B68 003B3B9F 33C0 xor eax, eax 003B3BA6 83BD 88D24100 0>cmp dword ptr ss:[ebp+41D288], 1 003B3BAD 74 0D je short 003B3BBC 003B3BAF 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3BB6 0F85 F5000000 jnz 003B3CB1 003B3BD3 8D85 081E4200 lea eax, dword ptr ss:[ebp+421E08] ; caption 003B3BDE 8D9D 261E4200 lea ebx, dword ptr ss:[ebp+421E26] ; http... 003B3BE9 8D8D 441E4200 lea ecx, dword ptr ss:[ebp+421E44] ; message ; 此时发现这两个牛插手了…… ---------------------------------------------------------------------------- 003BC777 20 45 6E 63 72 79 70 74 Encrypt 003BC787 65 64 20 62 79 20 7A 65 72 30 21 00 00 00 00 00 ed by zer0!..... 003BC797 00 00 00 00 00 00 63 6F 64 65 5F 69 6E 6A 65 63 ......code_injec 003BC7A7 74 00 00 00 00 00 00 00 00 t........ ---------------------------------------------------------------------------- 003B3C1C 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3C27 FFB5 81C84100 push dword ptr ss:[ebp+41C881] 003B3C2D 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3C38 51 push ecx 003B3C39 53 push ebx 003B3C3A 50 push eax 003B3C3B FFB5 46344200 push dword ptr ss:[ebp+423446] 003B3C41 FFB5 42344200 push dword ptr ss:[ebp+423442] 003B3C47 E8 39810000 call 003BBD85 ; int3调用，都nop 003B3C7E 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3D22 83BD 84D24100 0>cmp dword ptr ss:[ebp+41D284], 1 003B3D29 74 09 je short 003B3D34 003B3D2B 83F8 02 cmp eax, 2 003B3D2E 0F85 C0040000 jnz 003B41F4 003B3D66 8D85 FD344200 lea eax, dword ptr ss:[ebp+4234FD] 003B3D99 8D9D 13354200 lea ebx, dword ptr ss:[ebp+423513] 003B3DA4 8D8D 27354200 lea ecx, dword ptr ss:[ebp+423527] ; 003BDC5A 30 36 37 38 31 46 38 42 06781F8B 003B3DAF 8D95 38204200 lea edx, dword ptr ss:[ebp+422038] 003B3DF9 89A5 74894100 mov dword ptr ss:[ebp+418974], esp 003B3E2C FFB5 85C84100 push dword ptr ss:[ebp+41C885] 003B3E32 8F85 F9344200 pop dword ptr ss:[ebp+4234F9] 003B3E4F 52 push edx 003B3E50 51 push ecx 003B3E51 53 push ebx 003B3E52 50 push eax 003B3E53 E8 2D7F0000 call 003BBD85; 还是他，nop 003B3E74 8BA5 74894100 mov esp, dword ptr ss:[ebp+418974] 003B3E91 83F8 02 cmp eax, 2 003B3E99 B8 00000000 mov eax, 0 003B3EA3 /0F84 C4040000 je 003B436D 003B3EDB B9 2A000000 mov ecx, 2A 003B3EE5 BF 0AD04100 mov edi, 41D00A 003B3EEF 03FD add edi, ebp 003B3F08 BE FD344200 mov esi, 4234FD 003B3F3A 03F5 add esi, ebp 003B3F41 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] .................. 2004-5-1 18:16 0
csjwaman 雪币： 319 活跃值： (2439) 能力值： ( LV12，RANK：980 ) 在线值：发帖 74 回帖 883 粉丝 10 关注私信	csjwaman 24 6 楼头都看晕。不过还是顶！！！ 2004-5-1 18:59 0
simonzh2000 雪币： 398 活跃值： (1078) 能力值： ( LV9，RANK：970 ) 在线值：发帖 36 回帖 466 粉丝 6 关注私信	simonzh2000 24 7 楼程序在哪里下载? forgot 给一个了. 2004-5-1 19:01 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 8 楼 GOOD 2004-5-1 19:19 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 9 楼试验程序。:D 2004-5-1 19:36 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 10 楼强烈抗议 fly 改帖，要求赔偿精神损失！:D 2004-5-1 20:28 0
china 雪币： 3638 活跃值： (4197) 能力值： (RANK：215 ) 在线值：发帖 72 回帖 1984 粉丝 9 关注私信	china 5 11 楼老大，把整个文章弄个包包传来吧。便于收藏整理，谢谢先。 2004-5-1 22:49 0
doskey 雪币： 329 活跃值： (343) 能力值： ( LV10，RANK：170 ) 在线值：发帖 36 回帖 462 粉丝 4 关注私信	doskey 4 12 楼好文！收藏 2004-5-1 23:23 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 13 楼 [part 6 ](区段处理) ; ========================================================================================= ; 返回到 Ch e c k s u m - C h e c k i n g 之后的位置 ; 有个稍微快一点的方法解决注册 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B073A E8 4A2A0000 call 003B3189 ; nop掉然后置eax =1即可 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B076C 66:3D 0100 cmp ax, 1 003B0775 /0F84 E9000000 je 003B0864 ; j,否则Over 003B087B 8D85 D85C4000 lea eax, dword ptr ss:[ebp+405CD8] 003B08F8 BE E4D34100 mov esi, 41D3E4 003B0902 03F5 add esi, ebp ; esi -> 块表 ; esi: ;----------------------- 003B7B17 00001000 ; VOffset 003B7B1B 00006000 ; RSize 003B7B1F 0000F342 ; VSize 003B7B23 E0000021 ; Flags 003B7B27 00017000 ; 一样.... 003B7B2B 00001000 003B7B2F 00000FB8 003B7B33 C0000041 ;----------------------- 003B090E 833E 00 cmp dword ptr ds:[esi], 0 ; 区块解码结束了? 003B0916 /0F84 7E060000 je 003B0F9A ; 结束就走人 003B0921 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B092C 031E add ebx, dword ptr ds:[esi] ; ebx -> 指向一个Section 003B0945 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; ecx -> Size 003B0952 83F9 00 cmp ecx, 0 003B0955 /75 4E jnz short 003B09A5 ; 长度非零,处理---> (((((((((((((((((((((((((((((((((((((((((((((((((((( ; 跳过处理大小为零的Section 003B096E 83C6 10 add esi, 10 003B0976 ^\EB 91 jmp short 003B0909 )))))))))))))))))))))))))))))))))))))))))))))))))))) 003B09EE D1E9 shr ecx, 1 ; ecx /2 003B09F5 66:8B85 2DD6410>mov ax, word ptr ss:[ebp+41D62D] 003B0A01 66:35 2111 xor ax, 1121 003B0A37 66:C1C8 02 ror ax, 2 003B0A40 66:05 1A00 add ax, 1A 003B0A49 66:05 A100 add ax, 0A1 ; 计算key 003B0A84 66:3103 xor word ptr ds:[ebx], ax 003B0A8C 66:48 dec ax 003B0A93 43 inc ebx ; 指向下一byte 003B0A99 43 inc ebx ; 移动指针 003B0AC7 49 dec ecx 003B0ACD 83F9 00 cmp ecx, 0 003B0AD0 ^\75 AD jnz short 003B0A7F ; 循环解码 003B0B09 8B46 0C mov eax, dword ptr ds:[esi+C] ; flag 003B0B11 83E0 01 and eax, 1 ; 隐藏着什么标记呢? 003B0B30 83BD F81D4200 0>cmp dword ptr ss:[ebp+421DF8], 1 003B0B37 /0F85 60030000 jnz 003B0E9D ; 不知道,nj 003B0B6A 83F8 01 cmp eax, 1 003B0B6D 0F85 25030000 jnz 003B0E98; 还是不知道,nj,$$#@%@#$ 003B0C18 60 pushad 003B0C23 8B46 04 mov eax, dword ptr ds:[esi+4]; RSize 003B0C2B 83F8 00 cmp eax, 0 003B0C33 /0F84 03020000 je 003B0E3C ; RSize==0就不分配空间了 003B0C43 8B46 08 mov eax, dword ptr ds:[esi+8] ;VSize 003B0C73 6A 04 push 4 003B0C75 68 00100000 push 1000 003B0C7A 50 push eax 003B0C7B 6A 00 push 0 003B0C7D FF95 13CF4100 call dword ptr ss:[ebp+41CF13] ; 分配空间存放Section 0012FF74 003B0C83 /CALL to VirtualAlloc from 003B0C7D 0012FF78 00000000 \|Address = NULL 0012FF7C 0000F342 \|Size = F342 (62274.) 0012FF80 00001000 \|AllocationType = MEM_COMMIT 0012FF84 00000004 \Protect = PAGE_READWRITE 003B0CC7 8985 E0D34100 mov dword ptr ss:[ebp+41D3E0], eax ; 得到的空间 003B0CFF 56 push esi ; 保存 Section Table Pointer 003B0D32 8B1E mov ebx, dword ptr ds:[esi] ; ebx -> VOffset 003B0D39 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase, 得到VA 003B0D44 50 push eax 003B0D45 53 push ebx 003B0D46 E8 AE620000 call 003B6FF9 ; aplib_depack_asm.解压缩到刚才VirtualAlloc得到的空间 003B0D50 83C4 08 add esp, 8 ; 平衡堆栈，大概用的不是stdcall 003B0D5D 8BC8 mov ecx, eax ; 解压出来的长度 003B0D64 8B3E mov edi, dword ptr ds:[esi] ; edi -> VOffset 003B0D93 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase, Get VA ; 要把解压得代码传送回去了 003B0DC6 8BB5 E0D34100 mov esi, dword ptr ss:[ebp+41D3E0]; 解压缩后的数据 003B0DE3 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] ; copy all 003B0DEF 5E pop esi ; 恢复 Section Table Pointer ; 这里有点无聊。根本没有修改esi也没用用它，最后都popad 003B0E0C 8B85 E0D34100 mov eax, dword ptr ss:[ebp+41D3E0] ; 申请到的地址 003B0E29 68 00800000 push 8000 003B0E2E 6A 00 push 0 003B0E30 50 push eax 003B0E31 FF95 17CF4100 call dword ptr ss:[ebp+41CF17] ; kernel32.VirtualFree ; 满门抄斩……55555555 003B0E53 61 popad ; -------- 修正页面访问权限 ---------- 003B0EAC 60 pushad 003B0EB2 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B0ECF 031E add ebx, dword ptr ds:[esi] ; 块表 VA 003B0EE8 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; 长度 003B0EF5 B8 74894100 mov eax, 418974 003B0EFF 03C5 add eax, ebp ; buffer for VirtualProtect 003B0F2E 50 push eax 003B0F2F 6A 04 push 4 003B0F31 51 push ecx 003B0F32 53 push ebx 003B0F33 FF95 27CF4100 call dword ptr ss:[ebp+41CF27] ; kernel32.VirtualProtect 0012FF74 003B0F39 /CALL to VirtualProtect from 003B0F33 0012FF78 00401000 \|Address = Try.00401000 0012FF7C 00006000 \|Size = 6000 (24576.) 0012FF80 00000004 \|NewProtect = PAGE_READWRITE 0012FF84 003B30A7 \pOldProtect = 003B30A7 003B0F3E 61 popad ; -------------- 移动指针，到下一个Section ------------------ 003B0F83 83C6 10 add esi, 10 003B0F8B ^\E9 79F9FFFF jmp 003B0909 ; 循环直到所有Sections都还原 ; ------------------------------------ ; 循环完成到这里，这里其实可以Dump了： 003B0F9A 90 nop 003B0FAE 8D85 D95C4000 lea eax, dword ptr ss:[ebp+405CD9] ; 这东西很无聊，碰到好几次，猜不出来，大概是buffer :D :D 2004-5-1 23:33 0
橡皮泥雪币： 209 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 87 粉丝 1 关注私信	橡皮泥 14 楼而且又详细，的确不错，希望多多发这种！好有收藏价值！ 2004-5-2 01:47 0
simonzh2000 雪币： 398 活跃值： (1078) 能力值： ( LV9，RANK：970 ) 在线值：发帖 36 回帖 466 粉丝 6 关注私信	simonzh2000 24 15 楼 Linson 你再加个图标. 2004-5-2 07:56 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 16 楼 [part 7]输入表处理 ; ********************************************************************************* ; 阿赖耶识 ―― 输入表处理觉醒 ; ******************************************************************************* 003B0FC4 E8 34140000 call 003B23FD ; 当然要进去了 003B242F 60 pushad 003B2474 FF95 1BCF4100 call dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24A8 8985 20FA4100 mov dword ptr ss:[ebp+41FA20], eax ; save process Id 003B24B3 8B85 1BCF4100 mov eax, dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24D0 8985 24FA4100 mov dword ptr ss:[ebp+41FA24], eax ; kernel32.GetCurrentProcessId ; 不知道搞什么名堂 003B2508 B8 B8FA4100 mov eax, 41FAB8 003B2512 03C5 add eax, ebp 003B2519 8985 ACDC4100 mov dword ptr ss:[ebp+41DCAC], eax 003B254C 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] ; Import Table RVA ------------------- 0041F023 78750000 0041F027 00000000 0041F02B 00000000 0041F02F 82750000 0041F033 7D910000 0041F037 25350000 ............ ------------------- 003B2557 83FB 00 cmp ebx, 0 ; 没有import么？ 003B2587 /0F84 1F0A0000 je 003B2FAC ; 当然有，不跳 003B25D1 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase,得到IT VA ; ebx -> IID(s) 003B25E6 8B43 0C mov eax, dword ptr ds:[ebx+C] ;pointer to DLL asciz name 003B25EE 83F8 00 cmp eax, 0 003B25F6 /0F84 B0090000 je 003B2FAC ; Game Over? 003B2601 53 push ebx ; Try.0041F023 003B262F 51 push ecx 003B2647 52 push edx 003B2648 33D2 xor edx, edx 003B264F B9 20000000 mov ecx, 20 003B2654 33DB xor ebx, ebx ; Try.0041F023 003B2656 D1F8 sar eax, 1 003B265D 0F92C3 setb bl 003B2660 D3E3 shl ebx, cl 003B2667 03D3 add edx, ebx 003B2669 ^\E2 E9 loopd short 003B2654 ; DLL Name 的RVA解码,结果在edx输出 003B266B 8BC2 mov eax, edx ; eax = edx = dll name rva 003B2684 5A pop edx 003B2685 59 pop ecx 003B268B 5B pop ebx 003B2696 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase = VA 003B26C9 8BF0 mov esi, eax 003B26D5 C685 78894100 0>mov byte ptr ss:[ebp+418978], 0 ; -------------- 是否是特殊 DLL, 包括 Windows Kernel32 & User32, 与 VB 的MSVB ------------------------ 003B2709 50 push eax 003B270F 8B00 mov eax, dword ptr ds:[eax]; 取dll name开头4个字节 003B2716 25 DFDFDFDF and eax, DFDFDFDF; 转换为大写 003B2720 3D 4B45524E cmp eax, 4E52454B ; KERN 003B2725 74 07 je short 003B272E 003B2727 3D 55534552 cmp eax, 52455355 ; USER 003B272C 75 11 jnz short 003B273F 003B2733 C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B2744 58 pop eax 003B2777 50 push eax ; Try.00415C82 003B277D 8B00 mov eax, dword ptr ds:[eax] 003B2784 25 DFDFDFDF and eax, DFDFDFDF 003B278E 3D 4D535642 cmp eax, 4256534D ; MSVB** 003B2793 75 11 jnz short 003B27A6 003B279A C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B27D3 58 pop eax ; Try.00415C82 ; 为何不一起判断? D.boy大概写到这里喝多了:0 ; ---------------------------------------------------------------------------------------------------- 003B27DE 50 push eax 003B27DF FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA ; 载入dll 003B27EA 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存dll module base 003B2822 33C0 xor eax, eax 003B2851 8703 xchg dword ptr ds:[ebx], eax ; 清掉IID的OriginalFirstThunk,然后把它读到eax ; 如果改为mov eax, dword ptr [ebx]可以避免...我偷懒,不改了,下面也是这样 003B2858 53 push ebx 003B2886 51 push ecx 003B289E 52 push edx 003B289F 33D2 xor edx, edx 003B28A6 B9 20000000 mov ecx, 20 003B28AB 33DB xor ebx, ebx 003B28AD D1F8 sar eax, 1 003B28B4 0F92C3 setb bl 003B28B7 D3E3 shl ebx, cl 003B28BE 03D3 add edx, ebx 003B28C0 ^\E2 E9 loopd short 003B28AB 003B28C2 8BC2 mov eax, edx 003B28DB 5A pop edx 003B28DC 59 pop ecx 003B28E2 5B pop ebx 003B28E8 8BF0 mov esi, eax ; OriginalFirstThunk解码 -> esi 003B292E 33C0 xor eax, eax 003B295D 8743 10 xchg dword ptr ds:[ebx+10], eax ; eax -> FirstThunk, & erase rva 003B2965 53 push ebx 003B2993 51 push ecx 003B29AB 52 push edx 003B29AC 33D2 xor edx, edx 003B29B3 B9 20000000 mov ecx, 20 003B29B8 33DB xor ebx, ebx 003B29BA D1F8 sar eax, 1 003B29C1 0F92C3 setb bl 003B29C4 D3E3 shl ebx, cl 003B29CB 03D3 add edx, ebx 003B29CD ^\E2 E9 loopd short 003B29B8 003B29CF 8BC2 mov eax, edx 003B29E8 5A pop edx 003B29E9 59 pop ecx 003B29EF 5B pop ebx 003B29F5 8BF8 mov edi, eax ; FirstThunk解码 -> edi 003B2A01 83FE 00 cmp esi, 0 ; OriginalFirstThunk不能用? 003B2A04 /75 34 jnz short 003B2A3A; 能就走 003B2A33 8BF7 mov esi, edi ; 它不行就使用第二个表 FirstThunk 003B2A67 03B5 DCD34100 add esi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA 003B2A72 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA ; offset to function name ( and hint) 003B2A99 8B06 mov eax, dword ptr ds:[esi]; 要do hint... 003B2AA0 83F8 00 cmp eax, 0 003B2AA3 /75 29 jnz short 003B2ACE ; 未完? 003B2ABC 83C3 14 add ebx, 14 003B2AC4 ^\E9 13FBFFFF jmp 003B25DC ; 下一个IID 003B2B00 807E 03 80 cmp byte ptr ds:[esi+3], 80 ; is imported by ordinal? 003B2B04 75 6C jnz short 003B2B72 ; ord... 003B2B0B 33C0 xor eax, eax 003B2B12 66:8706 xchg word ptr ds:[esi], ax 003B2B42 50 push eax 003B2B43 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2B49 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] 003B2B54 8BC8 mov ecx, eax 003B2B6D /E9 84000000 jmp 003B2BF6 ; str... 003B2B77 33C0 xor eax, eax 003B2B7E 8706 xchg dword ptr ds:[esi], eax 003B2B85 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase,这句话打过无数次了,累!!! 003B2BA2 83C0 02 add eax, 2 ; 跳过hint值(sizeof word == 2) 003B2BD2 50 push eax 003B2BD3 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2BD9 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 003B2C00 80BD 78894100 0>cmp byte ptr ss:[ebp+418978], 1 ; 特殊函数? 003B2C07 /0F85 87020000 jnz 003B2E94 ; magic jump...改为jmp吧,省得心烦 ; --------------------------- 加密输入表 ---------------------------------------- ; 具体不说了,跟到这里有点筋疲力尽了 003B2C3F 60 pushad 003B2C45 8BF8 mov edi, eax 003B2C63 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2C6E 3D F4010000 cmp eax, 1F4 003B2C73 /75 1A jnz short 003B2C8F 003B2C7A 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2C85 /E9 C9010000 jmp 003B2E53 003B2CC1 B9 04000000 mov ecx, 4 003B2CCB 33D2 xor edx, edx 003B2CD2 F7E1 mul ecx 003B2CD9 BE B1DC4100 mov esi, 41DCB1 003B2CE3 03F5 add esi, ebp 003B2CFC 33BD 20FA4100 xor edi, dword ptr ss:[ebp+41FA20] 003B2D07 893C06 mov dword ptr ds:[esi+eax], edi 003B2D26 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2D31 B9 0B000000 mov ecx, 0B 003B2D3B 33D2 xor edx, edx 003B2D42 F7E1 mul ecx 003B2D49 BF 85E44100 mov edi, 41E485 003B2D7B 03FD add edi, ebp 003B2DAA 03F8 add edi, eax 003B2DB6 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2DEE BE A6DC4100 mov esi, 41DCA6 003B2DF8 03F5 add esi, ebp 003B2E27 B9 0B000000 mov ecx, 0B 003B2E31 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] 003B2E38 FF85 A7DC4100 inc dword ptr ss:[ebp+41DCA7] ; 计数器,被加密的应该是push count...push address...ret 003B2E43 8BBD 70894100 mov edi, dword ptr ss:[ebp+418970] 003B2E6A 61 popad 003B2E70 8B8D 70894100 mov ecx, dword ptr ss:[ebp+418970] 003B2E92 /EB 1E jmp short 003B2EB2 ; ----------------------------------------------------------------------------- 003B2EAB 8BC8 mov ecx, eax ; NETAPI32.Netbios ; 函数地址 003B2ECE 39BD 33D64100 cmp dword ptr ss:[ebp+41D633], edi 003B2ED4 76 10 jbe short 003B2EE6 ; 不知道,没跳 003B2EDB 89BD 33D64100 mov dword ptr ss:[ebp+41D633], edi 003B2EEB 39BD 2FD64100 cmp dword ptr ss:[ebp+41D62F], edi 003B2EF1 73 10 jnb short 003B2F03; 不知道,还是没跳 003B2EF8 89BD 2FD64100 mov dword ptr ss:[ebp+41D62F], edi 003B2F24 890F mov dword ptr ds:[edi], ecx ; 填充IAT 003B2F3D 83C6 04 add esi, 4 003B2F45 83C7 04 add edi, 4 ; 移动Thunk指针 003B2F4D ^\E9 42FBFFFF jmp 003B2A94; 循环--- ; --------------------------------------------------------------------------------------------------- ; 从老上边的003B25F6 /0F84 B0090000 je 003B2FAC出来,完成patch iat 003B2FB1 E8 16000000 call 003B2FCC ; 取User32.GetClassNameA...居然专门弄个call... 003B2FBB 61 popad ; 解放了 003B2FC1 C3 ret 2004-5-2 10:30 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 17 楼最初由 simonzh2000 发布 Linson 你再加个图标. 我加你QQ了.你怎么不通过啊? 2004-5-2 10:43 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 18 楼 [part 8]:D ; --------------------------- 不明飞行物 ----------------------------------- 003B0FD3 8D85 DA5C4000 lea eax, dword ptr ss:[ebp+405CDA] 003B1011 E8 96200000 call 003B30AC ; 没看懂 ; ************************************************************************* ; 处理调用表 & 跳转表 ( 还原指针 ) ; ************************************************************************* 003B105F 8D85 DB5C4000 lea eax, dword ptr ss:[ebp+405CDB] ; fly 写的文章里提到，但没有说为什么，这里详细说明一下 ; ---------------call dword ptr ds:[xxxxxxxx]，其中xxxxxxxx是80xxxxxxxx---------------- 003B108C 60 pushad 003B10A4 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B10AF 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; 还是Imagebase 003B110F BE E4D34100 mov esi, 41D3E4 ; 块表 003B1119 03F5 add esi, ebp 003B1120 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B112B 031E add ebx, dword ptr ds:[esi] ; ebx -> a section,应该是代码段 003B1132 8BFB mov edi, ebx ; Try.00401000 003B1139 8B4E 08 mov ecx, dword ptr ds:[esi+8] ; VSize 003B1141 83F9 00 cmp ecx, 0 003B115B /0F84 93050000 je 003B16F4 ; 0?不玩了 003B1178 D1E9 shr ecx, 1 ; ecx/2 003B11A7 49 dec ecx 003B11AD 66:B8 FF15 mov ax, 15FF ; call dword ptr ds:[xxxxxxxx] 003B11CD BE 31354200 mov esi, 423531 003B11FF 03F5 add esi, ebp 003B124A F2:66:AF repne scas word ptr es:[edi] ; 寻找call dword ptr ds:[xxxxxxxx] ; forgot:如果没有就……不好玩了，看Ding Boy怎么收场 ; edi -> xxxxxxxx,而不是call dword ptr 003B1264 8B1F mov ebx, dword ptr ds:[edi]; 要call的地址->Ebx 003B127D 81E3 00000080 and ebx, 80000000 ; 取高位 003B129A 81FB 00000080 cmp ebx, 80000000 ; 是80xxxxxxx的形势？ 003B12A0 /0F85 13010000 jnz 003B13B9 ; 不是算了 003B12AB 8B1F mov ebx, dword ptr ds:[edi]; 加密过的指针 003B12B2 81E3 FFFFFF7F and ebx, 7FFFFFFF ; 去掉31st bit,还原指针 003B12BD 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] 003B12C3 0F82 C3000000 jb 003B138C ; 判断地址范围 003B12CE 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B12D4 /0F87 AD000000 ja 003B1387 003B12DF 833E FF cmp dword ptr ds:[esi], -1 ; ??? 003B130F /0F84 DF030000 je 003B16F4 003B131A 8B1B mov ebx, dword ptr ds:[ebx] ; 把指针指向的内容读出来 003B1321 891E mov dword ptr ds:[esi], ebx ; 写到esi 003B1350 8937 mov dword ptr ds:[edi], esi ; 地址重定位,nop掉,下同 003B1357 83C6 04 add esi, 4 ; 移动指针 003B13BE 83F9 00 cmp ecx, 0 003B13C1 ^ 0F85 56FEFFFF jnz 003B121D ; 循环直到所有都搞定 ; ----------------------- jmp dword ptr ds:[xxxxxxxx]---------------------------------- ; 方法如出一辙，不多解释 003B140B 56 push esi;剩下的buffer 003B1416 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B1449 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1459 BE E4D34100 mov esi, 41D3E4 003B148B 03F5 add esi, ebp 003B1492 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B149D 031E add ebx, dword ptr ds:[esi] 003B14A4 8BFB mov edi, ebx ; Try.00401000 003B14AB 8B4E 08 mov ecx, dword ptr ds:[esi+8] 003B14C5 D1E9 shr ecx, 1 003B14DE 49 dec ecx 003B150C 66:B8 FF25 mov ax, 25FF ; jmp dword ptr ds:[xxxxxxxx] 003B151A 5E pop esi 003B152A F2:66:AF repne scas word ptr es:[edi] 003B1532 8B1F mov ebx, dword ptr ds:[edi] 003B1539 81E3 00000080 and ebx, 80000000 003B1556 81FB 00000080 cmp ebx, 80000000 003B155C /0F85 5B010000 jnz 003B16BD 003B158F 8B1F mov ebx, dword ptr ds:[edi] 003B15BE 81E3 FFFFFF7F and ebx, 7FFFFFFF 003B15F1 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] ; Try.00411000 003B15F7 /0F82 A9000000 jb 003B16A6 003B1614 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B161A /77 5D ja short 003B1679 003B1621 833E FF cmp dword ptr ds:[esi], -1 003B1629 /0F84 C5000000 je 003B16F4 003B1634 8B1B mov ebx, dword ptr ds:[ebx] 003B163B 891E mov dword ptr ds:[esi], ebx 003B166A 8937 mov dword ptr ds:[edi], esi 003B166A 8937 mov dword ptr ds:[edi], esi 003B16D4 83F9 00 cmp ecx, 0 003B16D7 ^ 0F85 48FEFFFF jnz 003B1525 ; 循环处理所有 003B170B 61 popad ; 文革结束啦:D 2004-5-2 10:55 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 19 楼最初由 forgot 发布你在线怎么不回话?:D 被我抓到了~~ 刚睡醒,头晕...... 昨晚要我跟的东西我忘记了!看[圣斗士]睡着了. :D 2004-5-2 11:03 0
baron 雪币： 194 活跃值： (25) 能力值： ( LV3，RANK：30 ) 在线值：发帖 1 回帖 58 粉丝 1 关注私信	baron 20 楼的确不错，看了头晕 2004-5-2 11:19 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 21 楼 [最后的战役]:) ; ------------------------------------------------------最后的战役 003B174E 8B85 DBCE4100 mov eax, dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B1759 8985 A0FA4100 mov dword ptr ss:[ebp+41FAA0], eax ; kernel32.CreateFileA 003B177B 8B85 CFCE4100 mov eax, dword ptr ss:[ebp+41CECF] ; kernel32.ReadFile 003B1786 8985 A4FA4100 mov dword ptr ss:[ebp+41FAA4], eax ; kernel32.ReadFile 003B1796 8B85 DFCE4100 mov eax, dword ptr ss:[ebp+41CEDF] ; kernel32.WriteFile 003B17A1 8985 A8FA4100 mov dword ptr ss:[ebp+41FAA8], eax ; kernel32.WriteFile 003B17D9 8B85 CBCE4100 mov eax, dword ptr ss:[ebp+41CECB] ; kernel32.SetFilePointer 003B17F6 8985 ACFA4100 mov dword ptr ss:[ebp+41FAAC], eax ; kernel32.SetFilePointer 003B182E 8B85 E3CE4100 mov eax, dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B184B 8985 B0FA4100 mov dword ptr ss:[ebp+41FAB0], eax ; kernel32.CloseHandle 003B1895 8B85 EFCE4100 mov eax, dword ptr ss:[ebp+41CEEF] ; kernel32.DeleteFileA 003B18A0 8985 B4FA4100 mov dword ptr ss:[ebp+41FAB4], eax ; kernel32.DeleteFileA 003B18F4 8D85 DC5C4000 lea eax, dword ptr ss:[ebp+405CDC] ; 最后来个int3,还原中断向量 003B1949 60 pushad 003B194F B8 534E5552 mov eax, 52554E53 003B1959 BB 0ECA4100 mov ebx, 41CA0E 003B1975 03DD add ebx, ebp 003B197C CC int3; 收尾 003B1982 61 popad 003B198D 80BD F0344200 0>cmp byte ptr ss:[ebp+4234F0], 1 ; NT? 释放驱动，我们用来夺取ring0的嘛 003B1994 /0F85 93010000 jnz 003B1B2D 003B19C7 8D85 E35C4000 lea eax, dword ptr ss:[ebp+405CE3]; 垃圾 003B1A37 FFB5 546C4000 push dword ptr ss:[ebp+406C54] ; 驱动句柄 003B1A3D FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 003B1A89 FFB5 586C4000 push dword ptr ss:[ebp+406C58] ; 服务 003B1A8F FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle 003B1AEF FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 003B1AF5 FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle ; 解密OEP~~~ 003B1B5F 8B85 F8D54100 mov eax, dword ptr ss:[ebp+41D5F8] 003B1B81 53 push ebx ; Try.00418000 003B1BAF 51 push ecx ; advapi32.77DA214E 003B1BC7 52 push edx 003B1BC8 33D2 xor edx, edx 003B1BCF B9 20000000 mov ecx, 20 003B1BD4 33DB xor ebx, ebx ; Try.00418000 003B1BD6 D1F8 sar eax, 1 003B1BDD 0F92C3 setb bl 003B1BE0 D3E3 shl ebx, cl 003B1BE7 03D3 add edx, ebx 003B1BE9 ^\E2 E9 loopd short 003B1BD4 003B1BEB 8BC2 mov eax, edx 003B1C04 5A pop edx 003B1C05 59 pop ecx 003B1C0B 5B pop ebx ; Try.00418000 003B1C43 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1C76 03C3 add eax, ebx ; Try.00400000 ; now eax is 0040E2FD, the OEP :),可以直接Dump修正...我们走完吧 003B1C7D 8985 3BD64100 mov dword ptr ss:[ebp+41D63B], eax ; Try.0040E2FD 003B1CD1 80BD 24D64100 0>cmp byte ptr ss:[ebp+41D624], 1 003B1CD8 0F85 04010000 jnz 003B1DE2 ; 跳了，不知道跳过什么冬冬 003B1DF9 /E9 C4000000 jmp 003B1EC2 003B1EE3 8D85 E45C4000 lea eax, dword ptr ss:[ebp+405CE4] 003B1F0B C785 55384200 0>mov dword ptr ss:[ebp+423855], 0 003B1F1A 8BC5 mov eax, ebp 003B1F21 5B pop ebx 003B1F22 59 pop ecx 003B1F23 5A pop edx 003B1F24 5E pop esi 003B1F25 5F pop edi 003B1F26 5D pop ebp 003B1F3E 9D popfd 003B1F6D FFB0 3BD64100 push dword ptr ds:[eax+41D63B] 003B1F78 C780 3BD64100 0>mov dword ptr ds:[eax+41D63B], 0 003B1FAF /E9 CE620000 jmp 003B8282 003B8287 56 push esi ; ntdll.77F57D70 003B82B5 51 push ecx 003B82BB BE CD584000 mov esi, 4058CD 003B82C5 03F0 add esi, eax 003B82CC B9 82820100 mov ecx, 18282 003B8330 C606 00 mov byte ptr ds:[esi], 0 ; erase the loader 003B8338 46 inc esi 003B833E 49 dec ecx 003B8356 83F9 00 cmp ecx, 0 003B8359 ^ 75 A8 jnz short 003B8303 003B839F 59 pop ecx ; 0012FFB0 003B83B7 5E pop esi 003B83CF /E9 81390000 jmp 003BBD55 003BBD55 60 pushad 003BBD56 8BF0 mov esi, eax 003BBD58 B8 4A344200 mov eax, 42344A 003BBD5D 03C6 add eax, esi 003BBD5F BB 59384200 mov ebx, 423859 003BBD64 03DE add ebx, esi 003BBD66 803B 00 cmp byte ptr ds:[ebx], 0 003BBD69 74 0C je short 003BBD77 003BBD6B 6A 00 push 0 003BBD6D 50 push eax 003BBD6E 53 push ebx 003BBD6F 6A 00 push 0 003BBD71 FF96 55384200 call dword ptr ds:[esi+423855] 003BBD77 61 popad 003BBD78 58 pop eax 003BBD79 83F8 FF cmp eax, -1 003BBD7C 75 05 jnz short 003BBD83 003BBD7E 33C0 xor eax, eax 003BBD80 C2 0C00 retn 0C 003BBD83 FFE0 jmp eax ; 飞向光明之巅！！！ 0040E2FD 55 push ebp ; Dump & Fix Dump .优化一下即可 0040E2FE 8BEC mov ebp, esp 0040E300 6A FF push -1 0040E302 68 F83A4100 push Try.00413AF8 0040E307 68 84E44000 push Try.0040E484 ; jmp to msvcrt._except_handler3 0040E30C 64:A1 00000000 mov eax, dword ptr fs:[0] ......... ; 这是IAT,ImportRec可以全部找到,因为修改了Magic Jump,所以都有效。 OEP: 0000E2FD IATRVA: 00011000 IATSize: 000003B8 FThunk: 00011000 NbFunc: 00000005 1 00011000 advapi32.dll 01CD RegCreateKeyExA 1 00011004 advapi32.dll 01E2 RegOpenKeyExA 1 00011008 advapi32.dll 01D9 RegEnumValueA 1 0001100C advapi32.dll 01F9 RegSetValueExA 1 00011010 advapi32.dll 01C9 RegCloseKey FThunk: 00011018 NbFunc: 00000003 1 00011018 gdi32.dll 0196 GetObjectA 1 0001101C gdi32.dll 002E CreateCompatibleDC 1 00011020 gdi32.dll 0013 BitBlt FThunk: 00011028 NbFunc: 00000017 1 00011028 kernel32.dll 0385 WriteFile 1 0001102C kernel32.dll 0374 WaitForSingleObject 1 00011030 kernel32.dll 0185 GetOverlappedResult 1 00011034 kernel32.dll 004A CreateEventA 1 00011038 kernel32.dll 0030 CloseHandle 1 0001103C kernel32.dll 004E CreateFileA 1 00011040 kernel32.dll 0162 GetLastError 1 00011044 kernel32.dll 00AF EscapeCommFunction 1 00011048 kernel32.dll 0101 GetCommState 1 0001104C kernel32.dll 0284 PurgeComm 1 00011050 kernel32.dll 02CB SetCommMask 1 00011054 kernel32.dll 02CC SetCommState 1 00011058 kernel32.dll 02CD SetCommTimeouts 1 0001105C kernel32.dll 0334 SetupComm 1 00011060 kernel32.dll 0084 DeviceIoControl 1 00011064 kernel32.dll 01D5 GetVersionExA 1 00011068 kernel32.dll 016D GetModuleFileNameA 1 0001106C kernel32.dll 016F GetModuleHandleA 1 00011070 kernel32.dll 01D7 GetVolumeInformationA 1 00011074 kernel32.dll 01B5 GetSystemTime 1 00011078 kernel32.dll 01A6 GetStartupInfoA 1 0001107C kernel32.dll 002E ClearCommError 1 00011080 kernel32.dll 029D ReadFile FThunk: 00011088 NbFunc: 0000009D 1 00011088 mfc42.dll 0BA9 1 0001108C mfc42.dll 0BA6 1 00011090 mfc42.dll 13C9 1 00011094 mfc42.dll 06BF 1 00011098 mfc42.dll 148D 1 0001109C mfc42.dll 098E 1 000110A0 mfc42.dll 084C 1 000110A4 mfc42.dll 1479 1 000110A8 mfc42.dll 0BA6 1 000110AC mfc42.dll 0BA6 1 000110B0 mfc42.dll 0BA6 1 000110B4 mfc42.dll 06F0 1 000110B8 mfc42.dll 0C40 1 000110BC mfc42.dll 0807 1 000110C0 mfc42.dll 18E8 1 000110C4 mfc42.dll 0C09 1 000110C8 mfc42.dll 0BA0 1 000110CC mfc42.dll 0EF6 1 000110D0 mfc42.dll 0EF1 1 000110D4 mfc42.dll 0EF1 1 000110D8 mfc42.dll 0BA6 1 000110DC mfc42.dll 0FF0 1 000110E0 mfc42.dll 1213 1 000110E4 mfc42.dll 1149 1 000110E8 mfc42.dll 0E0D 1 000110EC mfc42.dll 0144 1 000110F0 mfc42.dll 0281 1 000110F4 mfc42.dll 108A 1 000110F8 mfc42.dll 0CBE 1 000110FC mfc42.dll 08F1 1 00011100 mfc42.dll 1021 1 00011104 mfc42.dll 03AB 1 00011108 mfc42.dll 0B02 1 0001110C mfc42.dll 0A36 1 00011110 mfc42.dll 0490 1 00011114 mfc42.dll 0219 1 00011118 mfc42.dll 0486 1 0001111C mfc42.dll 03AD 1 00011120 mfc42.dll 1613 1 00011124 mfc42.dll 0C37 1 00011128 mfc42.dll 0E20 1 0001112C mfc42.dll 0299 1 00011130 mfc42.dll 07BB 1 00011134 mfc42.dll 18F1 1 00011138 mfc42.dll 1442 1 0001113C mfc42.dll 015E 1 00011140 mfc42.dll 0162 1 00011144 mfc42.dll 04B0 1 00011148 mfc42.dll 18BE 1 0001114C mfc42.dll 16E0 1 00011150 mfc42.dll 0A52 1 00011154 mfc42.dll 175D 1 00011158 mfc42.dll 0C14 1 0001115C mfc42.dll 1542 1 00011160 mfc42.dll 1837 1 00011164 mfc42.dll 1A7A 1 00011168 mfc42.dll 188B 1 0001116C mfc42.dll 19F8 1 00011170 mfc42.dll 0942 1 00011174 mfc42.dll 12E5 1 00011178 mfc42.dll 10B2 1 0001117C mfc42.dll 18E7 1 00011180 mfc42.dll 1186 1 00011184 mfc42.dll 1159 1 00011188 mfc42.dll 0A58 1 0001118C mfc42.dll 1663 1 00011190 mfc42.dll 0F52 1 00011194 mfc42.dll 0441 1 00011198 mfc42.dll 144F 1 0001119C mfc42.dll 095C 1 000111A0 mfc42.dll 0D12 1 000111A4 mfc42.dll 14B4 1 000111A8 mfc42.dll 14B6 1 000111AC mfc42.dll 0AA5 1 000111B0 mfc42.dll 0FEF 1 000111B4 mfc42.dll 125A 1 000111B8 mfc42.dll 14BB 1 000111BC mfc42.dll 14A9 1 000111C0 mfc42.dll 1652 1 000111C4 mfc42.dll 120E 1 000111C8 mfc42.dll 1148 1 000111CC mfc42.dll 0E9A 1 000111D0 mfc42.dll 0231 1 000111D4 mfc42.dll 032F 1 000111D8 mfc42.dll 035C 1 000111DC mfc42.dll 0A3D 1 000111E0 mfc42.dll 046E 1 000111E4 mfc42.dll 096B 1 000111E8 mfc42.dll 0BA6 1 000111EC mfc42.dll 06F0 1 000111F0 mfc42.dll 112C 1 000111F4 mfc42.dll 14AA 1 000111F8 mfc42.dll 0D4A 1 000111FC mfc42.dll 0DF6 1 00011200 mfc42.dll 047A 1 00011204 mfc42.dll 0237 1 00011208 mfc42.dll 08FB 1 0001120C mfc42.dll 08FE 1 00011210 mfc42.dll 06F7 1 00011214 mfc42.dll 1040 1 00011218 mfc42.dll 0B2F 1 0001121C mfc42.dll 094B 1 00011220 mfc42.dll 0DF3 1 00011224 mfc42.dll 0E2A 1 00011228 mfc42.dll 096E 1 0001122C mfc42.dll 02F3 1 00011230 mfc42.dll 01D6 1 00011234 mfc42.dll 0280 1 00011238 mfc42.dll 1699 1 0001123C mfc42.dll 0668 1 00011240 mfc42.dll 0143 1 00011244 mfc42.dll 0669 1 00011248 mfc42.dll 0B2B 1 0001124C mfc42.dll 0A5C 1 00011250 mfc42.dll 1631 1 00011254 mfc42.dll 0685 1 00011258 mfc42.dll 0CF6 1 0001125C mfc42.dll 10B5 1 00011260 mfc42.dll 168D 1 00011264 mfc42.dll 039E 1 00011268 mfc42.dll 021C 1 0001126C mfc42.dll 0E4F 1 00011270 mfc42.dll 19AB 1 00011274 mfc42.dll 074F 1 00011278 mfc42.dll 0337 1 0001127C mfc42.dll 0339 1 00011280 mfc42.dll 0320 1 00011284 mfc42.dll 0ED6 1 00011288 mfc42.dll 14A0 1 0001128C mfc42.dll 1101 1 00011290 mfc42.dll 18E6 1 00011294 mfc42.dll 142B 1 00011298 mfc42.dll 0951 1 0001129C mfc42.dll 1479 1 000112A0 mfc42.dll 1137 1 000112A4 mfc42.dll 06EF 1 000112A8 mfc42.dll 0EF1 1 000112AC mfc42.dll 17A4 1 000112B0 mfc42.dll 09D2 1 000112B4 mfc42.dll 1266 1 000112B8 mfc42.dll 0A18 1 000112BC mfc42.dll 12F5 1 000112C0 mfc42.dll 1118 1 000112C4 mfc42.dll 1479 1 000112C8 mfc42.dll 184F 1 000112CC mfc42.dll 10B6 1 000112D0 mfc42.dll 164E 1 000112D4 mfc42.dll 035A 1 000112D8 mfc42.dll 039A 1 000112DC mfc42.dll 0217 1 000112E0 mfc42.dll 106C 1 000112E4 mfc42.dll 09FA 1 000112E8 mfc42.dll 09D0 1 000112EC mfc42.dll 0B67 1 000112F0 mfc42.dll 1241 1 000112F4 mfc42.dll 0261 1 000112F8 mfc42.dll 0628 FThunk: 00011300 NbFunc: 0000001E 1 00011300 msvcrt.dll 00EE _except_handler3 1 00011304 msvcrt.dll 009A __set_app_type 1 00011308 msvcrt.dll 0087 __p__fmode 1 0001130C msvcrt.dll 0082 __p__commode 1 00011310 msvcrt.dll 00B7 _adjust_fdiv 1 00011314 msvcrt.dll 009C __setusermatherr 1 00011318 msvcrt.dll 013B _initterm 1 0001131C msvcrt.dll 006F __getmainargs 1 00011320 msvcrt.dll 00A9 _acmdln 1 00011324 msvcrt.dll 0290 exit 1 00011328 msvcrt.dll 0050 _XcptFilter 1 0001132C msvcrt.dll 00F7 _exit 1 00011330 msvcrt.dll 01B4 _onexit 1 00011334 msvcrt.dll 006C __dllonexit 1 00011338 msvcrt.dll 0284 atoi 1 0001133C msvcrt.dll 018C _mbsicmp 1 00011340 msvcrt.dll 02FB srand 1 00011344 msvcrt.dll 02ED rand 1 00011348 msvcrt.dll 02D8 malloc 1 0001134C msvcrt.dll 02A5 free 1 00011350 msvcrt.dll 00D7 _controlfp 1 00011354 msvcrt.dll 0317 time 1 00011358 msvcrt.dll 0307 strncmp 1 0001135C msvcrt.dll 0160 _itoa 1 00011360 msvcrt.dll 0054 __CxxFrameHandler 1 00011364 msvcrt.dll 0186 _mbscmp 1 00011368 msvcrt.dll 02F9 sprintf 1 0001136C msvcrt.dll 030A strrchr 1 00011370 msvcrt.dll 0308 strncpy 1 00011374 msvcrt.dll 01DE _setmbcp FThunk: 0001137C NbFunc: 00000001 1 0001137C netapi32.dll 0100 Netbios FThunk: 00011384 NbFunc: 0000000C 1 00011384 user32.dll 010D GetDC 1 00011388 user32.dll 01B6 LoadBitmapA 1 0001138C user32.dll 01A7 IsIconic 1 00011390 user32.dll 0009 AppendMenuA 1 00011394 user32.dll 0100 GetClientRect 1 00011398 user32.dll 00B7 DrawIcon 1 0001139C user32.dll 015D GetSystemMenu 1 000113A0 user32.dll 015E GetSystemMetrics 1 000113A4 user32.dll 0194 InvalidateRect 1 000113A8 user32.dll 01BC LoadIconA 1 000113AC user32.dll 00C5 EnableWindow 1 000113B0 user32.dll 023C SendMessageA 2004-5-2 11:25 0
辉仔Yock 雪币： 228 活跃值： (165) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 109 粉丝 1 关注私信	辉仔Yock 22 楼最初由 forgot 发布有没有冥王完结篇？我昨天睡的也太晚了，头昏。跟完了上来。不知道啊!我还没有看最后一张碟是什么呢1 你要的东西! 003B073A E8 4A2A0000 CALL 003B3189 //CALL----> 003B31A5 B8 01000000 MOV EAX, 1 003B31D7 83BD 9ED24100 0>CMP DWORD PTR [EBP+41D29E], 0 003B31E3 /0F84 C6120000 JE 003B44AF //JMP就跳过注册选项了! 003B44DC C3 RETN //返回到另外一个地方.注意了哦... 003B44DC C3 RETN //再返回 2004-5-2 12:07 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 23 楼全部贴完. 2004-5-2 12:24 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 24 楼在5楼贴上part 5 2004-5-2 12:47 0
forgot 雪币： 6075 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3771 粉丝 15 关注私信	forgot 26 25 楼 13楼贴上part 6. 下一步到IAT了,呵呵. 2004-5-2 14:40 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复