[part 2]
004207D5 8D85 E15C4000 lea eax , dword ptr ss :[ebp +405CE1]
004207EB E8 34120000 call Try.00421A24
00421A68 60 pushad
00421A80 B8 92764000 mov eax , Try.00407692
00421A9C 03C5 add eax , ebp ; buffer
00421AA3 8BF0 mov esi , eax
00421AAA 68 C8000000 push MAX_PATH
00421AAF 50 push eax
00421AB0 FF95 44724000 call dword ptr ss :[ebp +407244] ; kernel32.GetSystemDirectoryA
00421ABB 90 nop
00421AC0 8A06 mov al , byte ptr ds :[esi ]
00421AC7 46 inc esi
00421ADF 3C 00 cmp al , 0
00421B0E ^\75 AB jnz short Try.00421ABB
00421B15 C646 FF 5C mov byte ptr ds :[esi -1], 5C ; 目录后边加个"\"
00421B1E C706 63646364 mov dword ptr ds :[esi ], 64636463 ; cdcd
00421B29 C746 04 2E73797>mov dword ptr ds :[esi +4], 7379732E ; .sys
00421B5D C746 08 0000000>mov dword ptr ds :[esi +8], 0 ; NULL, 铺张浪费,byte就足够了
; 我这里的文件名
---------------------------------------------------------------------------
00421DB9 ** 3A 5C 57 *:\W
00421DC9 49 4E 44 4F 57 53 5C 53 79 73 74 65 6D 33 32 5C INDOWS\System32\
00421DD9 63 64 63 64 2E 73 79 73 cdcd.sys
---------------------------------------------------------------------------
00421B92 B8 86764000 mov eax , Try.00407686
00421B9C 03C5 add eax , ebp
00421BCB BB 92764000 mov ebx , Try.00407692
00421BFD 03DD add ebx , ebp
00421C2C 6A 00 push 0
00421C2E 6A 20 push 20
00421C30 6A 04 push 4
00421C32 6A 00 push 0
00421C34 6A 02 push 2
00421C36 68 00000040 push 40000000
00421C3B 53 push ebx
00421C3C FF95 48724000 call dword ptr ss :[ebp +407248] ; kernel32.CreateFileA
; 参数,清晰一些:)
---------------------------------------------------------------
0012FF60 00421C42 /CALL to CreateFileA from Try.00421C3C
0012FF64 00421DC5 |FileName = "E:\WINDOWS\System32\cdcd.sys"
0012FF68 40000000 |Access = GENERIC_WRITE
0012FF6C 00000002 |ShareMode = FILE_SHARE_WRITE
0012FF70 00000000 |pSecurity = NULL
0012FF74 00000004 |Mode = OPEN_ALWAYS
0012FF78 00000020 |Attributes = ARCHIVE
0012FF7C 00000000 \hTemplateFile = NULL
---------------------------------------------------------------
00421C4C 83F8 FF cmp eax , -1
00421C54 /0F84 32010000 je Try.00421D8C ; 坏事了...
00421C76 8985 8A764000 mov dword ptr ss :[ebp +40768A], eax ; 保存句柄
00421CC0 B9 8C310000 mov ecx , 318C ; 驱动文件长度
00421CCA B8 8E764000 mov eax , Try.0040768E
00421CE6 03C5 add eax , ebp ; WriteFile's lpNumberOfBytesWritten output DWORD (shown as pBytesWritten = Try.00421DC1 in the stack dump below)
00421CED BB 5A774000 mov ebx , Try.0040775A
00421D09 03DD add ebx , ebp ; 可爱的驱动程序
00421D10 6A 00 push 0
00421D12 50 push eax
00421D13 51 push ecx
00421D14 53 push ebx
00421D15 FFB5 8A764000 push dword ptr ss :[ebp +40768A] ; hFile — the handle saved at 00421C76 (the stack dump below shows hFile = 00000024)
00421D1B FF95 4C724000 call dword ptr ss :[ebp +40724C] ; kernel32.WriteFile
; 写出驱动,如果想把这个东西拷贝出来研究要关闭程序,它独占了文件 — The file is E:\WINDOWS\System32\cdcd.sys, 0x318C bytes, opened GENERIC_WRITE/OPEN_ALWAYS; it is deleted again at 00420E5B once the device has been opened, so a file-create or service-start event for that path is the durable trace, not the file itself.
0012FF68 00421D21 /CALL to WriteFile from Try.00421D1B
0012FF6C 00000024 |hFile = 00000024
0012FF70 00421E8D |Buffer = Try.00421E8D
0012FF74 0000318C |nBytesToWrite = 318C (12684.)
0012FF78 00421DC1 |pBytesWritten = Try.00421DC1
0012FF7C 00000000 \pOverlapped = NULL
00421D3D FFB5 8A764000 push dword ptr ss :[ebp +40768A]
00421D43 FF95 50724000 call dword ptr ss :[ebp +407250] ; kernel32.CloseHandle
0012FF78 00421D49 /CALL to CloseHandle from Try.00421D43
0012FF7C 00000024 \hObject = 00000024
00421D76 61 popad
00421D7C B8 01000000 mov eax , TRUE ; 收工
00421D86 C3 ret ; 回家
00421D8C 90 nop
00421D91 61 popad
00421D7C B8 01000000 mov eax , FALSE ; NOTE: address and bytes repeat 00421D7C above (B8 01000000 encodes mov eax,1); the failure path reached from 00421D8C presumably stores 0 — looks like a mis-pasted line in the transcript
00421D86 C3 ret
00420807 83F8 00 cmp eax , FALSE ; 失败?
0042080F /0F84 22480000 je Try.00425037
00425037 50 push eax
00425038 FFB5 2A6C4000 push dword ptr ss :[ebp +406C2A]
0042503E FF95 30724000 call dword ptr ss :[ebp +407230] ; kernel32.ReleaseMutex,释放互斥体
00425044 FFB5 2A6C4000 push dword ptr ss :[ebp +406C2A]
0042504A FF95 50724000 call dword ptr ss :[ebp +407250] ; kernel32.CloseHandle,关闭互斥体句柄
00425050 58 pop eax
00425068 83F8 00 cmp eax , 0
0042506B 0F85 4C010000 jnz Try.004251BD
; ..............我没走这条线,不跟了
0042085E 8D85 E25C4000 lea eax , dword ptr ss :[ebp +405CE2]
00420874 E8 7F060000 call Try.00420EF8
-----------------------------
以后不跟那么多线了,受不了
00420F2A 68 3F000F00 push 0F003F
00420F2F 6A 00 push 0
00420F31 6A 00 push 0
00420F33 FF95 CD724000 call dword ptr ss :[ebp +4072CD] ; advapi32.OpenSCManagerA
00420F50 83F8 00 cmp eax , 0
00420F58 /0F84 8F030000 je Try.004212ED
00420F75 8985 3A6C4000 mov dword ptr ss :[ebp +406C3A], eax
00420F85 B8 3E6C4000 mov eax , Try.00406C3E
00420FA1 03C5 add eax , ebp
00420FBA 68 FF010F00 push 0F01FF
00420FBF 50 push eax
00420FC0 FFB5 3A6C4000 push dword ptr ss :[ebp +406C3A]
00420FC6 FF95 D5724000 call dword ptr ss :[ebp +4072D5] ; advapi32.OpenServiceA
00420FD1 83F8 00 cmp eax , 0
00420FD4 0F85 97000000 jnz Try.00421071 ; Jump
0042109E 83F8 00 cmp eax , 0
004210A6 /0F84 41020000 je Try.004212ED
004210B1 8985 586C4000 mov dword ptr ss :[ebp +406C58], eax
004210C1 6A 00 push 0
004210C3 6A 00 push 0
004210C5 FFB5 586C4000 push dword ptr ss :[ebp +406C58]
004210CB FF95 C5724000 call dword ptr ss :[ebp +4072C5] ; advapi32.StartServiceA
; 启动服务,不好玩^^,我这里服务开启,所以产生了ERROR_SERVICE_ALREADY_RUNNING (00000420)
004210E4 FF95 40724000 call dword ptr ss :[ebp +407240] ; ntdll.RtlGetLastWin32Error
00421101 3D E5030000 cmp eax , 3E5
00421106 /0F84 DD000000 je Try.004211E9
00421123 3D 20040000 cmp eax , 420
00421128 /0F84 B6000000 je Try.004211E4 ; GoGoGo,否则Game Over就不好玩了
0042120A B8 446C4000 mov eax , Try.00406C44
00421226 03C5 add eax , ebp
; Oh God save me!!!
---------------------------------------------------------------------------
00421377 5C 5C 2E 5C 44 62 70 65 44 65 76 69 63 65 30 00 \\.\DbpeDevice0.
---------------------------------------------------------------------------
0042123F 6A 00 push 0
00421241 6A 00 push 0
00421243 6A 03 push 3
00421245 6A 00 push 0
00421247 6A 01 push 1
00421249 68 000000C0 push C0000000
0042124E 50 push eax
0042124F FF95 48724000 call dword ptr ss :[ebp +407248] ; kernel32.CreateFileA
0012FF7C 0012FFE0
0012FF80 00421255 /CALL to CreateFileA from Try.0042124F
0012FF84 00421377 |FileName = "\\.\DbpeDevice0"
0012FF88 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FF8C 00000001 |ShareMode = FILE_SHARE_READ
0012FF90 00000000 |pSecurity = NULL
0012FF94 00000003 |Mode = OPEN_EXISTING
0012FF98 00000000 |Attributes = 0
0012FF9C 00000000 \hTemplateFile = NULL
; 调查一下服务:)
0042126C 83F8 FF cmp eax , -1
00421274 /74 77 je short Try.004212ED ; 没启动走人,加载错误
0042127B 8985 546C4000 mov dword ptr ss :[ebp +406C54], eax ; save handle
004212AE B8 01000000 mov eax , TRUE
004212B8 8985 706C4000 mov dword ptr ss :[ebp +406C70], eax
004212D5 C3 ret ; 回去了
004208A6 83F8 00 cmp eax , 0 ; over?
004208AE /0F84 83470000 je Try.00425037 ; over
004208C3 C785 5C6C4000 0>mov dword ptr ss :[ebp +406C5C], 3
004208FF B8 5C3A4200 mov eax , Try.00423A5C
00420909 03C5 add eax , ebp
; forgot: 老是这个,我$@%@%@^%@$^
00420922 8985 606C4000 mov dword ptr ss :[ebp +406C60], eax ; Try.0043E18F
00420932 B8 746C4000 mov eax , Try.00406C74
0042093C 03C5 add eax , ebp
0042096B 8985 646C4000 mov dword ptr ss :[ebp +406C64], eax ; Try.004213A7
0042097B B8 5C6C4000 mov eax , Try.00406C5C
00420985 03C5 add eax , ebp
0042098C 6A 00 push 0
0042098E 6A 00 push 0
00420990 6A 00 push 0
00420992 6A 00 push 0
00420994 6A 0C push 0C
00420996 50 push eax
00420997 6A 04 push 4
00420999 FFB5 546C4000 push dword ptr ss :[ebp +406C54]
0042099F FF95 3C724000 call dword ptr ss :[ebp +40723C] ; kernel32.DeviceIoControl
0012FF80 004209A5 /CALL to DeviceIoControl from Try.0042099F
0012FF84 0000004C |hDevice = 0000004C
0012FF88 00000004 |IoControlCode = 4
0012FF8C 0042138F |InBuffer = Try.0042138F
0012FF90 0000000C |InBufferSize = C (12.)
0012FF94 00000000 |OutBuffer = NULL
0012FF98 00000000 |OutBufferSize = 0
0012FF9C 00000000 |pBytesReturned = NULL
0012FFA0 00000000 \pOverlapped = NULL
00420A55 B8 00000000 mov eax , 0
00420A5F 81BD 746C4000 8>cmp dword ptr ss :[ebp +406C74], FFFF8888
00420A6E /0F84 C3450000 je Try.00425037 ; 好像是Over
00420AB8 C785 5C6C4000 0>mov dword ptr ss :[ebp +406C5C], 3
00420AF4 B8 5C3A4200 mov eax , Try.00423A5C
00420AFE 03C5 add eax , ebp
00420B17 8985 606C4000 mov dword ptr ss :[ebp +406C60], eax ; Try.0043E18F
00420B61 B8 746C4000 mov eax , Try.00406C74
00420B6B 03C5 add eax , ebp
00420B9A 8985 646C4000 mov dword ptr ss :[ebp +406C64], eax ; Try.004213A7
00420BBC C785 746C4000 0>mov dword ptr ss :[ebp +406C74], 0
00420BE2 B8 5C6C4000 mov eax , Try.00406C5C
00420BEC 03C5 add eax , ebp
00420BF3 6A 00 push 0
00420BF5 6A 00 push 0
00420BF7 6A 00 push 0
00420BF9 6A 00 push 0
00420BFB 6A 0C push 0C
00420BFD 50 push eax
00420BFE 6A 01 push 1
00420C00 FFB5 546C4000 push dword ptr ss :[ebp +406C54]
00420C06 FF95 3C724000 call dword ptr ss :[ebp +40723C] ; kernel32.DeviceIoControl
0012FF80 00420C0C /CALL to DeviceIoControl from Try.00420C06
0012FF84 0000004C |hDevice = 0000004C
0012FF88 00000001 |IoControlCode = 1
0012FF8C 0042138F |InBuffer = Try.0042138F
0012FF90 0000000C |InBufferSize = C (12.)
0012FF94 00000000 |OutBuffer = NULL
0012FF98 00000000 |OutBufferSize = 0
0012FF9C 00000000 |pBytesReturned = NULL
0012FFA0 00000000 \pOverlapped = NULL
; 中断向量被xxx了,不敢用int3乱动阿!用F4走,或者在Debug里设置用hardware breakpoint进行step,否则****自己想象吧
; ****************************************************************
; 千 万 小 心
; ****************************************************************
00420C0C 90 nop ; F4
00420D07 8B85 746C4000 mov eax , dword ptr ss :[ebp +406C74]
00420D3A 83F8 00 cmp eax , 0
00420D42 /0F84 EF420000 je Try.00425037 ; over
00420D7A 66:8985 5434420>mov word ptr ss :[ebp +423454], ax
00420D86 C1E8 10 shr eax , 10
00420D8E 66:8985 5634420>mov word ptr ss :[ebp +423456], ax
00420DC7 B8 01000000 mov eax , 1
00420DD1 8985 6C6C4000 mov dword ptr ss :[ebp +406C6C], eax
00420E09 50 push eax
00420E0F B8 92764000 mov eax , Try.00407692
00420E2B 03C5 add eax , ebp
; 对驱动进行惨无人道的毁尸灭迹……
00420E5A 50 push eax ; Try.00421DC5
00420E5B FF95 38724000 call dword ptr ss :[ebp +407238] ; kernel32.DeleteFileA
0012FF98 00420E61 /CALL to DeleteFileA from Try.00420E5B
0012FF9C 00421DC5 \FileName = "E:\WINDOWS\System32\cdcd.sys"
00420E66 58 pop eax
00420E6C /E9 C6410000 jmp Try.00425037
00425037 50 push eax
00425038 FFB5 2A6C4000 push dword ptr ss :[ebp +406C2A]
0042503E FF95 30724000 call dword ptr ss :[ebp +407230] ; kernel32.ReleaseMutex
0012FF98 00425044 /CALL to ReleaseMutex from Try.0042503E
0012FF9C 00000020 \hMutex = 00000020
00425044 FFB5 2A6C4000 push dword ptr ss :[ebp +406C2A]
0042504A FF95 50724000 call dword ptr ss :[ebp +407250] ; kernel32.CloseHandle
0012FF98 00425050 /CALL to CloseHandle from Try.0042504A
0012FF9C 00000020 \hObject = 00000020
; 没人性,互斥体也惨遭毒手……
00425050 58 pop eax
00425068 83F8 00 cmp eax , 0
0042506B 0F85 4C010000 jnz Try.004251BD ; Go
004251C2 /E9 39010000 jmp Try.00425300
; 花絮:跳过的这段代码还真惹眼:)
----------------------------------------------------------------
004251CC FA cli
004251D2 BE 4E344200 mov esi , Try.0042344E
004251DC 03F5 add esi , ebp
004251E3 0F010E sidt fword ptr ds :[esi ]
004251EB 8B76 02 mov esi , dword ptr ds :[esi +2]
0042520A 66:8B46 18 mov ax , word ptr ds :[esi +18]
00425213 66:8B5E 1E mov bx , word ptr ds :[esi +1E]
00425244 66:8985 5434420>mov word ptr ss :[ebp +423454], ax
00425250 66:899D 5634420>mov word ptr ss :[ebp +423456], bx
00425289 B8 5C3A4200 mov eax , Try.00423A5C
00425293 03C5 add eax , ebp
004252AC 66:8946 18 mov word ptr ds :[esi +18], ax
004252B5 C1E8 10 shr eax , 10
004252E5 66:8946 1E mov word ptr ds :[esi +1E], ax
; 好在我不是9x....哈 — This skipped block writes the IDT directly after sidt: +0x18/+0x1E are the low/high offset words of gate 3 (int 3), so it repoints int 3 at Try.00423A5C+ebp. That only works where ring-3 code may write the IDT (Win9x); on NT the same job appears to be done by the driver through the IOCTL 4 call above, whose 12-byte InBuffer was filled with {3, Try.0043E18F, Try.004213A7} at 004208C3/00420922/0042096B.
----------------------------------------------------------------
能力值:
(RANK:1060 )
3 楼
[part 3]
; ******************************************************************
; 当当当~~~~~ 醒醒啦!!!
; ******************************************************************
0042532D 8D85 D05C4000
lea eax ,
dword ptr ss :[
ebp +405CD0]
; 没弄明白,也许是参数
00425334 B0 94
mov al , 94
; 后边用来xor的key
00425336 E8 00000000
call Try.0042533B
0042533B 5E
pop esi ; 取这条信令地址
0042533C 81C6 A6000000
add esi , 0A6
; 加上这段解密代码的长度,指向下一部分,进行SMC解密
00425347 B9 68010000
mov ecx , 168h
; 解码长度
00425356 8A26
mov ah ,
byte ptr ds :[
esi ]
; 读取一个字节
0042535D 32E0
xor ah ,
al
00425376 F6D4
not ah
0042538F 8826
mov byte ptr ds :[
esi ],
ah ; 解密后存回去
004253A8 46
inc esi ; 下一个字节
004253AE 49
dec ecx ; 计数器--
004253B4 83F9 00
cmp ecx , 0
004253B7 ^\75 98
jnz short Try.00425351
; 循环直到都解密完成
; 精彩片断!!!!!!!!!!
004253BE FEC8
dec al ; 换一个key
004253C5 BB 4F434E55
mov ebx , 554E434F
; magic tag: 0x554E434F is ASCII "UNCO" read big-endian (bytes 'OCNU' in memory). The int 3 handler dumped below at 00429DAF compares ebx with it before running its decrypt loop, just as 0x52554E53 ("RUNS") in eax selects the `call ebx` path at 00429D84.
0042540E B9 68010000
mov ecx , 168
; 这一块长度
0042542A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
; 读取一个字节
00425444 88240E
mov byte ptr ds :[
esi +
ecx ],
ah ; 再写进去,什么名堂?
0042545E CC
int 3
; 别乱动,int 3解码
0042545F /E9 E5000000
jmp Try.00425549
; 按 F4 ,int3的向量处理好解码了,过去看看
; 跳过的好像是下一次int3的向量,俺可不敢进去胡闹 — The handler dumped below at 00429E1C–00429E47 does exactly that: it takes the return EIP from [esp], skips 5 bytes if that byte is E9 (the jmp) else 2, and writes the result into IDT gate 3, so every int 3 re-targets the vector at the code hidden behind the following jmp.
00425464 |3D 534E5552
cmp eax , 52554E53
00425469 |75 24
jnz short Try.0042548F
00425482 FFD3
call ebx
00425489 CF
iretd
00425576 B9 68010000
mov ecx , 168
; TMD,没完没了了
00425592 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004255AC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
004255C6 CC int3
004255C7 E9 E5000000
jmp Try.004256B1
; F4
004256DE B9 68010000
mov ecx , 168
; KAO....
004256FA 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425714 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042572E CC int3
0042572F E9 E5000000
jmp Try.00425819
00425846 B9 68010000
mov ecx , 168
; ……
00425862 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
0042587C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425896 CC int3
00425897 E9 E5000000
jmp Try.00425981
004259AE B9 68010000
mov ecx , 168
; my heart will go on
004259CA 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004259E4 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
004259FE CC int3
004259FF /E9 E5000000
jmp Try.00425AE9
00425B16 B9 68010000
mov ecx , 168
; 没完没了
00425B32 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425B4C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425B66 CC int3
00425B67 E9 E5000000
jmp Try.00425C51
00425C7E B9 68010000
mov ecx , 168
; 不见不散
00425C9A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425CB4 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425CCE CC int3
00425CCF /E9 E5000000
jmp Try.00425DB9
00425C7E B9 68010000 ; NOTE: same address as the block just above (00425C7E) — looks like a duplicated paste in the transcript
mov ecx , 168
; 有话好好说
00425C9A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425CB4 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425CCE CC int3
00425CCF E9 E5000000
jmp Try.00425DB9
00425DE6 B9 68010000
mov ecx , 168
; 声声慢……
00425E02 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425E1C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425E36 CC int3
00425E37 E9 E5000000
jmp Try.00425F21
00425F4E B9 68010000
mov ecx , 168
00425F6A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00425F84 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00425F9E CC int3
00425F9F E9 E5000000
jmp Try.00426089
004260B6 B9 68010000
mov ecx , 168
004260D2 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004260EC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426106 CC int3
00426107 E9 E5000000
jmp Try.004261F1
0042621E B9 68010000
mov ecx , 168
0042623A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426254 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042626E CC int3
0042626F E9 E5000000
jmp Try.00426359
00426386 B9 68010000
mov ecx , 168
004263A2 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004263BC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
004263D6 CC int3
004263D7 E9 E5000000
jmp Try.004264C1
004264EE B9 68010000
mov ecx , 168
0042650A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426524 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042653E CC int3
0042653F E9 E5000000
jmp Try.00426629
00426656 B9 68010000
mov ecx , 168
00426672 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
0042668C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
004266A6 CC int3
004266A7 E9 E5000000
jmp Try.00426791
004267BE B9 68010000
mov ecx , 168
004267DA 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004267F4 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042680E CC int3
0042680F E9 E5000000
jmp Try.004268F9
00426926 B9 68010000
mov ecx , 168
00426942 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
0042695C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426976 CC int3
00426977 E9 E5000000
jmp Try.00426A61
00426A8E B9 68010000
mov ecx , 168
00426AAA 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426AC4 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426ADE CC int3
00426ADF E9 E5000000
jmp Try.00426BC9
00426BF6 B9 68010000
mov ecx , 168
00426C12 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426C2C 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426C46 CC int3
00426C47 E9 E5000000
jmp Try.00426D31
00426D5E B9 68010000
mov ecx , 168
00426D7A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426D94 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426DAE CC int3
00426DAF E9 E5000000
jmp Try.00426E99
00426D5E B9 68010000 ; NOTE: same address as the block just above (00426D5E) — looks like a duplicated paste in the transcript
mov ecx , 168
00426D7A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426D94 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426DAE CC int3
00426DAF E9 E5000000
jmp Try.00426E99
00426EC6 B9 68010000
mov ecx , 168
00426EE2 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00426EFC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
00426F16 CC int3
00426F17 E9 E5000000
jmp Try.00427001
0042702E B9 68010000
mov ecx , 168
0042704A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00427064 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042707E CC int3
0042707F E9 E5000000
jmp Try.00427169
00427196 B9 68010000
mov ecx , 168
004271B2 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
004271CC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
004271E6 CC int3
004271E7 E9 E5000000
jmp Try.004272D1
004272FE B9 68010000
mov ecx , 168
0042731A 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
00427334 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042734E CC int3
0042734F E9 E5000000
jmp Try.00427439
-============================================================-
; 晕倒了快,拿个处理看看,调剂~~~
00429D84 3D 534E5552
cmp eax , 52554E53
00429D89 75 24
jnz short Try.00429DAF
00429DA2 FFD3
call ebx
00429DA9 CF
iretd
00429DAF 81FB 4F434E55
cmp ebx , 554E434F
00429DB5 0F85 AD000000
jnz Try.00429E68
00429DBB 8A26
mov ah ,
byte ptr ds :[
esi ]
00429DC2 32E0
xor ah ,
al
00429DDB F6D4
not ah
00429DE2 8826
mov byte ptr ds :[
esi ],
ah
00429DE9 46
inc esi
00429DEF 49
dec ecx
00429DF5 83F9 00
cmp ecx , 0
00429DF8 ^ 75 C1
jnz short Try.00429DBB
00429DFF FEC8
dec al
00429E06 8DBD 4E344200
lea edi ,
dword ptr ss :[
ebp +42344E]
00429E11 0F010F
sidt fword
ptr ds :[
edi ]
00429E19 8B7F 02
mov edi ,
dword ptr ds :[
edi +2]
00429E1C 8B1C24
mov ebx ,
dword ptr ss :[
esp ]
00429E24 803B E9
cmp byte ptr ds :[
ebx ], 0E9
00429E27 75 05
jnz short Try.00429E2E
00429E29 83C3 05
add ebx , 5
00429E2C EB 03
jmp short Try.00429E31
00429E2E 83C3 02
add ebx , 2
00429E36 66:895F 18
mov word ptr ds :[
edi +18],
bx
00429E3F C1EB 10
shr ebx , 10
00429E47 66:895F 1E
mov word ptr ds :[
edi +1E],
bx
00429E50 BB 55010000
mov ebx , 155
00429E5A 0F23FB
mov dr7 ,
ebx ; privileged (ring 0 only) — it can run here because this is inside the hooked int 3 handler. 0x155 sets L0–L3 (bits 0,2,4,6) and LE (bit 8) with all R/W and LEN fields 0, i.e. DR0–DR3 become enabled execute breakpoints at whatever addresses they currently hold; assume the intent is to disturb a debugger's hardware breakpoints.
00429E62 BB 4F434E55
mov ebx , 554E434F
00429E67 CF
iretd
00429E68 CF
iretd
-============================================================-
0042CB96 B9 68010000
mov ecx , 168
0042CBB2 8A240E
mov ah ,
byte ptr ds :[
esi +
ecx ]
0042CBCC 88240E
mov byte ptr ds :[
esi +
ecx ],
ah
0042CBE6 CC int3
0042CBE7 E9 E5000000
jmp Try.0042CCD1
0042EFF9 E8 00000000
call Try.0042EFFE
0042EFFE 5D
pop ebp
0042EFFF 81ED CB484100
sub ebp , Try.004148CB
; 长征过去……再来取delta
0042F005 58
pop eax
0042F038 80E4 01
and ah , 1
0042F052 32C0
xor al ,
al
0042F081 66:3185 2DD6410>
xor word ptr ss :[
ebp +41D62D],
ax
0042F0BF 8D85 D15C4000
lea eax ,
dword ptr ss :[
ebp +405CD1]
0042F0FE BE 944B4100
mov esi , Try.00414B94
0042F130 03F5
add esi ,
ebp
0042F149 B9 B6E80000
mov ecx , 0E8B6
0042F158 03F1
add esi ,
ecx
0042F187 4E
dec esi
0042F1B5 BB 01000000
mov ebx , 1
; 又解码
0042F1C4 8A06
mov al ,
byte ptr ds :[
esi ]
0042F1F3 3246 01
xor al ,
byte ptr ds :[
esi +1]
0042F1FB 32C3
xor al ,
bl
0042F219 3285 02AC4000
xor al ,
byte ptr ss :[
ebp +40AC02]
0042F251 8806
mov byte ptr ds :[
esi ],
al
0042F258 4E
dec esi
0042F25E 43
inc ebx
0042F264 49
dec ecx
0042F26A 83F9 00
cmp ecx , 0
0042F26D ^\0F85 4CFFFFFF
jnz Try.0042F1BF
0042F278 66:81BD 944B410>
cmp word ptr ss :[
ebp +414B94], 9090
0042F2AE - 75 FE
jnz short Try.0042F2AE
; 搞怪?
0042F2C9 8B85 F1344200
mov eax ,
dword ptr ss :[
ebp +4234F1]
0042F2CF 83F8 00
cmp eax , 0
0042F2D2 B9 7DDB0100
mov ecx , 1DB7D
0042F2D7 0F85 E0020000
jnz Try.0042F5BD
0042F2DD E8 00000000
call Try.0042F2E2
0042F2E2 5A
pop edx
0042F310 2B95 F4D54100
sub edx ,
dword ptr ss :[
ebp +41D5F4]
0042F31B 81EA E2F20000
sub edx , 0F2E2
0042F326 8995 DCD34100
mov dword ptr ss :[
ebp +41D3DC],
edx
0042F3B3 8D85 D25C4000
lea eax ,
dword ptr ss :[
ebp +405CD2]
0042F458 B8 87CC4100
mov eax , Try.0041CC87
0042F462 03C5
add eax ,
ebp ; eax -> IID
0042F469 E8 10890000
call Try.00437D7E
; 取函数地址
00437DAB 60
pushad
----------------------------------------------------------------------
00437DB1 8BD8
mov ebx ,
eax
; ******************************************************************
; 大循环开始
00437DC2 807B 08 00
cmp byte ptr ds :[
ebx +8], 0
00437DCB /0F84 1B030000
je Try.004380EC
; over
00437DED 8BC3
mov eax ,
ebx
00437DF4 83C0 08
add eax , 8
00437DFC 50
push eax
00437DFD FF95 C13D4200
call dword ptr ss :[
ebp +423DC1]
; kernel32.LoadLibraryA
00437E08 8985 7FCC4100
mov dword ptr ss :[
ebp +41CC7F],
eax ; 保存 hModule
00437E13 83F8 00
cmp eax , 0
; faint
00437E16 /75 46
jnz short Try.00437E5E
; JUMP
00437E1D C785 83CC4100 0>
mov dword ptr ss :[
ebp +41CC83], 0
; failed....
00437E54 /E9 93020000
jmp Try.004380EC
; Game Over
00437EA2 8B33
mov esi ,
dword ptr ds :[
ebx ]
; Try.0041CCD4
00437EBB 8B7B 04
mov edi ,
dword ptr ds :[
ebx +4]
00437ED5 03F5
add esi ,
ebp ; 修正地址
00437EDC 03FD
add edi ,
ebp
00437EFF 803E 00
cmp byte ptr ds :[
esi ], 0
; 表处理完了?
00437F02 0F85 BE000000
jnz Try.00437FC6
;没有就处理 -> ***
00437F35 83C3 08
add ebx , 8
; ebx 指向下一个DLL名称
00437F65 803B 00
cmp byte ptr ds :[
ebx ], 0
00437F68 74 1F
je short Try.00437F89
00437F81 43
inc ebx
00437F87 ^\EB DC
jmp short Try.00437F65
00437FB6 43
inc ebx ; Try.004373CE
00437FBC ^\E9 FCFDFFFF
jmp Try.00437DBD
; 大循环结束
; ******************************************************************
;***:
00437FD0 56
push esi
00437FD1 FFB5 7FCC4100
push dword ptr ss :[
ebp +41CC7F]
00437FD7 FF95 C53D4200
call dword ptr ss :[
ebp +423DC5]
; kernel32.GetProcAddress,取地址
00437FE2 83F8 00
cmp eax , 0
00437FE5 75 30
jnz short Try.00438017
; GO
00437FEC C785 83CC4100 0>
mov dword ptr ss :[
ebp +41CC83], 0
; failed again
..........
00438038 8907
mov dword ptr ds :[
edi ],
eax ; 写入函数地址
00438051 83C7 04
add edi , 4
; 下一个Thunk
; 使 esi 指向下一个函数名
0043805E /803E 00
cmp byte ptr ds :[
esi ], 0
00438061 | 74 0D
je short Try.00438070
00438068 | 46
inc esi
0043806E \EB EE
jmp short Try.0043805E
0043809D 46
inc esi ; skip NULL
004380CB ^\E9 2AFEFFFF
jmp Try.00437EFA
004380F1 61
popad
004380F7 8B85 83CC4100
mov eax ,
dword ptr ss :[
ebp +41CC83]
; 返回标志
00438102 C3
ret
----------------------------------------------------------------------
0042F473 BB 3AD34100
mov ebx , Try.0041D33A
0042F47D 03DD
add ebx ,
ebp ; 出错信息
0042F484 66:3D 0000
cmp ax , 0
0042F48D /0F84 3D2B0000
je Try.00431FD0
; 某个错误
0042F4C5 B9 60E50100
mov ecx , 1E560
0042F4E1 83C1 20
add ecx , 20
0042F516 6A 00
push 0
0042F518 51
push ecx
0042F519 6A 00
push 0
0042F51B 6A 04
push 4
0042F51D 6A 00
push 0
0042F51F 6A FF
push -1
0042F521 FF95 C3CE4100
call dword ptr ss :[
ebp +41CEC3]
; kernel32.CreateFileMappingA
0012FF8C 0042F527 /CALL to CreateFileMappingA from Try.0042F521
0012FF90 FFFFFFFF |hFile = FFFFFFFF
0012FF94 00000000 |pSecurity = NULL
0012FF98 00000004 |Protection = PAGE_READWRITE
0012FF9C 00000000 |MaximumSizeHigh = 0
0012FFA0 0001E580 |MaximumSizeLow = 1E580
0012FFA4 00000000 \MapName = NULL
0042F52C 6A 00
push 0
0042F52E 6A 00
push 0
0042F530 6A 00
push 0
0042F532 6A 02
push 2
0042F534 50
push eax
0042F535 FF95 BFCE4100
call dword ptr ss :[
ebp +41CEBF]
; kernel32.MapViewOfFile
0012FF90 0042F53B /CALL to MapViewOfFile from Try.0042F535
0012FF94 00000060 |hMapObject = 00000060 (window)
0012FF98 00000002 |AccessMode = FILE_MAP_WRITE
0012FF9C 00000000 |OffsetHigh = 0
0012FFA0 00000000 |OffsetLow = 0
0012FFA4 00000000 \MapSize = 0
; map it...
0042F557 8985 F1344200
mov dword ptr ss :[
ebp +4234F1],
eax ; 保存
0042F574 B9 60E50100
mov ecx , 1E560
0042F5C2 8BD0
mov edx ,
eax
0042F5C9 8BF8
mov edi ,
eax ; 要解一部分loader代码到内存
0042F5D0 BE CD584000
mov esi , Try.004058CD
0042F5DA 03F5
add esi ,
ebp ; 未还原数据
0042F5F3 F3:A4
rep movsb
0042F5FF 8D85 D35C4000
lea eax ,
dword ptr ss :[
ebp +405CD3]
0042F615 B8 804F4100
mov eax , Try.00414F80
0042F61F 2D CD584000
sub eax , Try.004058CD
0042F629 03C2
add eax ,
edx
0042F642 8B9D F5344200
mov ebx ,
dword ptr ss :[
ebp +4234F5]
0042F64D 50
push eax
0042F67B C3
ret ; funy jump...
0042F67B C3
ret ; 二步瞬移~~~ ==> 003AF6B3
[part 4]
003AF6B3 90
nop
003AF6B8 8BC5
mov eax ,
ebp
003AF6BA E8 00000000
call 003AF6BF
003AF6BF 5D
pop ebp
003AF6C0 81ED 8C4F4100
sub ebp , 414F8C
003AF6DD 50
push eax
003AF70B 53
push ebx
003AF711 B8 534E5552
mov eax , 52554E53
003AF743 8D9D 71504100
lea ebx ,
dword ptr ss :[
ebp +415071]
; 通过int3调用地址
003AF760 CC int3
; 改中断
003AF766 5B
pop ebx
003AF794 58
pop eax
003AF79A /E9 DF000000
jmp 003AF87E
; 走人 -----------------------------------------------------
; 9x的处理
003AF7A9 8DB5 4E344200
lea esi ,
dword ptr ss :[
ebp +42344E]
003AF7B4 0F010E
sidt fword
ptr ds :[
esi ]
003AF7E4 8B76 02
mov esi ,
dword ptr ds :[
esi +2]
003AF803 8D85 5C3A4200
lea eax ,
dword ptr ss :[
ebp +423A5C]
003AF836 66:8946 18
mov word ptr ds :[
esi +18],
ax
003AF83F C1E8 10
shr eax , 10
003AF847 66:8946 1E
mov word ptr ds :[
esi +1E],
ax
003AF850 C3
retn
-----------------------------------------------------
003AF8DD 8985 3FD64100
mov dword ptr ss :[
ebp +41D63F],
eax
003AF8E8 C785 43D64100 C>
mov dword ptr ss :[
ebp +41D643], 4058CD
003AF8F7 0185 43D64100
add dword ptr ss :[
ebp +41D643],
eax ; 修正base
003AF92A 899D F5344200
mov dword ptr ss :[
ebp +4234F5],
ebx
003AF951 BF CD584000
mov edi , 4058CD
003AF95B 03F8
add edi ,
eax ; 还是修正base
003AF962 B9 7DDB0100
mov ecx , 1DB7D
; 长度
003AF96C 32C0
xor al ,
al
003AF973 F3:AA
rep stosb ; 擦除外壳区段里的东西(我们在内存里!)
003AF991 8D85 D45C4000
lea eax ,
dword ptr ss :[
ebp +405CD4]
003AF9F6 60
pushad ; 看到这个肯定要干坏事
003AFA0E B8 534E5552
mov eax , 52554E53
003AFA18 BB C0534100
mov ebx , 4153C0
003AFA22 03DD
add ebx ,
ebp
003AFA29 CC int3
; F4到这里
; 我这里 int3的处理是:3be18f
---------------------------------------------------
003BE194 3D 534E5552
cmp eax , 52554E53
003BE199 75 74
jnz short 003BE20F
003BE1B2 FFD3
call ebx
003BE1E1 CF
iretd
---------------------------------------------------
; 可见是通过int3执行ebx, ebx似乎是通过向量反跟踪 — Concretely: `int 3` with eax = 0x52554E53 ("RUNS") makes the hooked handler `call ebx` and iretd, so the packer's own routines run from inside its int 3 handler (on NT apparently the one the driver installed in part 2). That is presumably why the author warns against planting int3 breakpoints: the gate no longer belongs to the debugger.
003AFA2F 66:3D 0000
cmp ax , 0
; 再F4到这里
003AFA38 61
popad
003AFA55 9C
pushfd ; 害怕 ZF 出事, 看来一定有鬼:)
003AFA5B BB 8AD34100
mov ebx , 41D38A
003AFA77 03DD
add ebx ,
ebp
003AFA7E 9D
popfd
003AFE1F 83BD 47D64100 0>
cmp dword ptr ss :[
ebp +41D647], 0
003AFE26 0F84 CA000000
je 003AFEF6
003AFF12 83BD 041E4200 0>
cmp dword ptr ss :[
ebp +421E04], 1
003AFF19 0F84 9D000000
je 003AFFBC
003AFFEE 8D85 D55C4000
lea eax ,
dword ptr ss :[
ebp +405CD5]
003B0031 83BD 001E4200 0>
cmp dword ptr ss :[
ebp +421E00], 1
003B0038 0F85 9F000000
jnz 003B00DD
003B0043 8DB5 5C344200
lea esi ,
dword ptr ss :[
ebp +42345C]
; 开始用GetVersionExA获得的版本
003B004E 837E 10 02
cmp dword ptr ds :[
esi +10], 2
003B0052 /75 31
jnz short 003B0085
; 不是9x? — +0x10 is OSVERSIONINFOA.dwPlatformId; 2 = VER_PLATFORM_WIN32_NT, so this is the NT-vs-9x split
003B0059 837E 04 04
cmp dword ptr ds :[
esi +4], 4
003B005D 77 0F
ja short 003B006E
; 不是未知? 那就是NT (+4 is dwMajorVersion; ja → major > 4, i.e. Windows 2000 or later)
003B00B2 89AD 8A204200
mov dword ptr ss :[
ebp +42208A],
ebp
003B00BD 8D9D 88204200
lea ebx ,
dword ptr ss :[
ebp +422088]
; 怕~~~~
---------------------------------------------------------------------------
003B7ABD 20 20 20 45 72 72 6F 72 20 28 33 29 3A 20 44 65 Error (3): De
003B7ACD 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection
003B7ADD 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er
003B7AED 72 6F 72 20 28 34 29 3A 20 46 69 6C 65 20 43 52 ror (4): File CR
003B7AFD 43 20 45 72 72 6F 72 2C 20 20 20 41 62 6F 72 74 C Error, Abort
003B7B0D 21 00 !.
---------------------------------------------------------------------------
; 反跟踪定时器,不好玩,干掉他===>how?看下边
003B00C8 53
push ebx
003B00C9 68 F4010000
push 1F4
003B00CE 6A 00
push 0
003B00D0 6A 00
push 0
003B00D2 FF95 68CF4100
call dword ptr ss :[
ebp +41CF68]
; user32.SetTimer
---> F7
进入
77D19160 > B8 1E120000
mov eax , 121E
; 修改为retn 10了事
77D19165 BA 0003FE7F
mov edx , 7FFE0300
77D1916A FFD2
call edx
77D1916C C2 1000
retn 10
0012FF94 003B00D8 /CALL to SetTimer from 003B00D2
0012FF98 00000000 |hWnd = NULL
0012FF9C 00000000 |TimerID = 0
0012FFA0 000001F4 |Timeout = 500. ms
0012FFA4 003BC7BB \Timerproc = 003BC7BB
;干坏事,发生mov eax, [eax](eax==0)异常有兴趣可以研究一下
; 恢复刚才的 SetTimer 代码...小心至上
003B0142 8D85 D65C4000
lea eax ,
dword ptr ss :[
ebp +405CD6]
; 无聊
; ==============================================================================
; A n t i - D u m p i n g
;
; 我只知道是Anti-Dumping,原理大概是修改ImageSize,有兴趣自己研究吧. The offsets match that: fs:[30] is the PEB, +0xC its Ldr, the next +0xC the first InLoadOrderModuleList entry, and +0x20 in that LDR_DATA_TABLE_ENTRY is SizeOfImage, which gets set to 0x1000; the other branch (after GetModuleHandleA) appears to patch the PE headers in memory instead.
; ==============================================================================
003B016A 64:67:A1 3000
mov eax ,
dword ptr fs :[30]
003B0174 85C0
test eax ,
eax
003B01A3 78 78
js short 003B021D
; else...根据系统不同决定
003B01C1 8B40 0C
mov eax ,
dword ptr ds :[
eax +C]
003B01DB 8B40 0C
mov eax ,
dword ptr ds :[
eax +C]
003B01F5 C740 20 0010000
mov dword ptr ds :[
eax +20], 1000
003B0201 E9 9E000000
jmp 003B02A4
; anti_dump_over
003B022C 6A 00
push 0
003B022E FF95 F7CE4100
call dword ptr ss :[
ebp +41CEF7]
; GetModuleHandleA
003B023E 85D2
test edx ,
edx
003B0245 79 5D
jns short 003B02A4
; anti_dump_over
003B024C 837A 08 FF
cmp dword ptr ds :[
edx +8], -1
003B0267 75 3B
jnz short 003B02A4
; anti_dump_over
003B026E 8B52 04
mov edx ,
dword ptr ds :[
edx +4]
003B028D C742 50 0010000>
mov dword ptr ds :[
edx +50], 1000
003B0299 66:C742 06 1010
mov word ptr ds :[
edx +6], 1010
; 没见过:P,NumberOfSections? — yes: if edx points at the in-memory IMAGE_NT_HEADERS, +6 is FileHeader.NumberOfSections and +0x50 is OptionalHeader.SizeOfImage, so both are clobbered (0x1010 sections, 0x1000 bytes) to confuse tools that walk the headers
; ==============================================================================
003B02DB 8D85 D75C4000
lea eax ,
dword ptr ss :[
ebp +405CD7]
; 错误消息
; ==============================================================================
; M e l t I C E
;
; 地球人都知道
; ==============================================================================
003B0303 BE 26CC4100
mov esi , 41CC26
003B031F 03F5
add esi ,
ebp ; esi -> 指向 MeltICE 驱动表
; 不幸儿童:
---------------------------------------------------------------------------
003B7359 5C 5C 2E 5C 62 77 32 6B 00 5C 5C 2E 5C 53 55 50 \\.\bw2k.\\.\SUP
003B7369 45 52 42 50 4D 00 5C 5C 2E 5C 49 43 45 44 55 4D ERBPM.\\.\ICEDUM
003B7379 50 00 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E P.\\.\REGVXD.\\.
003B7389 5C 4E 54 49 43 45 00 5C 5C 2E 5C 53 49 57 56 49 \NTICE.\\.\SIWVI
003B7399 44 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 46 D.\\.\SICE.\\.\F
003B73A9 49 4C 45 56 58 44 00 ILEVXD.
---------------------------------------------------------------------------
003B037C FFB5 DBCE4100
push dword ptr ss :[
ebp +41CEDB]
; kernel32.CreateFileA
003B0382 8F85 F9344200
pop dword ptr ss :[
ebp +4234F9]
; kernel32.CreateFileA
; 无聊的倒腾~~~
003B03CC 6A 00
push 0
003B03CE 6A 00
push 0
003B03D0 6A 00
push 0
003B03D2 6A 00
push 0
003B03D4 6A 00
push 0
003B03D6 6A 00
push 0
003B03D8 56
push esi
003B03D9 FF95 DBCE4100
call dword ptr ss :[
ebp +41CEDB]
; kernel32.CreateFileA
0012FF88 003B03DF /CALL to CreateFileA from 003B03D9
0012FF8C 003B7359 |FileName =
"\\.\theif" ; -_-;;
0012FF90 00000000 |Access = 0
0012FF94 00000000 |ShareMode = 0
0012FF98 00000000 |pSecurity = NULL
0012FF9C 00000000 |Mode = 0
0012FFA0 00000000 |Attributes = 0
0012FFA4 00000000 \hTemplateFile = NULL
003B03E9 83F8 FF
cmp eax , -1
003B03F1 /0F85 8E000000
jnz 003B0485
; 事情不好办啦^_^
; 循环使esi指向下一个名称
003B041D / 46
inc esi
003B0423 | 803E 00
cmp byte ptr ds :[
esi ], 0
003B042B \ 75 EB
jnz short 003B0418
; ===> 003B041D
003B0432 46
inc esi ; Skip NULL char
003B044A 803E 00
cmp byte ptr ds :[
esi ], 0
; 表示用完了吗?
003B047A ^\0F85 E5FEFFFF
jnz 003B0365
; 没完?接着来……
; ==============================================================================
003B04DF 8D9D 5FD34100
lea ebx ,
dword ptr ss :[
ebp +41D35F]
; 我又怕了
---------------------------------------------------------------------------
003B7A92 20 20 20 45 72 72 6F 72 20 28 32 29 3A 20 44 65 Error (2): De
003B7AA2 62 75 67 67 65 72 20 64 65 74 65 63 74 69 6F 6E bugger detection
003B7AB2 20 2C 20 41 62 6F 72 74 21 20 00 20 20 20 45 72 , Abort! . Er
003B7AC2 72 6F 72 20 28 33 29 3A 20 44 65 62 75 67 67 65 ror (3): Debugge
003B7AD2 72 20 64 65 74 65 63 74 69 6F 6E 20 2C 20 41 62 r detection , Ab
003B7AE2 6F 72 74 21 20 00 ort! .
---------------------------------------------------------------------------
003B04FC 83F8 FF cmp eax , -1
003B0504 /0F85 C61A0000 jnz 003B1FD0 ; 送你去取经
; ==============================================================================
; Ch e c k s u m - C h e c k i n g
;
; 外星人也都知道,但是算法叫什么我不清楚(脸红)
; ==============================================================================
003B055D 8B85 18D64100 mov eax , dword ptr ss :[ebp +41D618] ; 我想是CRC protection flag
003B0568 83F8 00 cmp eax , 0
003B056B /74 51 je short 003B05BE ; 我这里JUMP
003B05F5 8BBD FCD54100 mov edi , dword ptr ss :[ebp +41D5FC] ; 好像是资源段
003B0628 03BD DCD34100 add edi , dword ptr ss :[ebp +41D3DC] ; +ImageBase
003B0633 8B8D 00D64100 mov ecx , dword ptr ss :[ebp +41D600] ; size
003B063E 83F9 00 cmp ecx , 0
003B0641 0F84 C5000000 je 003B070C ; Nothing?
003B064C 33C0 xor eax , eax
003B0665 33DB xor ebx , ebx
003B066C 33D2 xor edx , edx
003B068A /8A1F mov bl , byte ptr ds :[edi ] ; get a byte
003B0691 | 32D9 xor bl , cl
003B0698 | 03C3 add eax , ebx
003B069F | 47 inc edi
003B06A5 | 49 dec ecx
003B06BD | 83F9 00 cmp ecx , 0
003B06C0 ^\75 C3 jnz short 003B0685
; 计算校验和
003B06C7 8D9D B5D34100 lea ebx , dword ptr ss :[ebp +41D3B5]
---------------------------------------------------------------------------
003B7AE8 20 20 20 45 72 72 6F 72 20 28 34 29 3A 20 46 69 Error (4): Fi
003B7AF8 6C 65 20 43 52 43 20 45 72 72 6F 72 2C 20 20 20 le CRC Error,
003B7B08 41 62 6F 72 74 21 00 Abort!.
---------------------------------------------------------------------------
003B06E4 3985 04D64100 cmp dword ptr ss :[ebp +41D604], eax ; 比较校验和
003B06EF /0F85 DB180000 jnz 003B1FD0 ; 你敢跳?
; ==============================================================================
[part 5]
003B073A E8 4A2A0000 call 003B3189 ; 进去观光
003B31A5 B8 01000000 mov eax , 1
003B31D7 83BD 9ED24100 0>cmp dword ptr ss :[ebp +41D29E], 0
003B31E3 /0F84 C6120000 je 003B44AF ; 不需要注册?跳吧========〉下边在极度困倦下走了弯路
003B31F3 8D85 DD5C4000 lea eax , dword ptr ss :[ebp +405CDD]; ??
003B3209 83BD FC1D4200 0>cmp dword ptr ss :[ebp +421DFC], 0
003B3210 /75 54 jnz short 003B3266; 不知道是啥,我这里没跳
003B3217 E8 A51D0000 call 003B4FC1; ?
003B3249 3C 01 cmp al , 1
003B324B 74 14 je short 003B3261
003B3270 83BD FC1D4200 0>cmp dword ptr ss :[ebp +421DFC], 2
003B3277 75 66 jnz short 003B32DF
003B32FB 83BD FC1D4200 0>cmp dword ptr ss :[ebp +421DFC], 1
003B3302 75 37 jnz short 003B333B
003B3345 83BD FC1D4200 0>cmp dword ptr ss :[ebp +421DFC], 3
003B334C 75 26 jnz short 003B3374
003B33A6 E8 17270000 call 003B5AC2
003B5B06 60 pushad
003B5B0C C785 EAD24100 0>mov dword ptr ss :[ebp +41D2EA], 0
003B5B32 BB CCD24100 mov ebx , 41D2CC
003B5B3C 03DD add ebx , ebp ; buffer
003B5B43 B9 AAD24100 mov ecx , 41D2AA
003B5B4D 03CD add ecx , ebp ; subkey
; 猜想是读注册标记
003B5B54 53 push ebx
003B5B55 68 1F000200 push 2001F
003B5B5A 6A 00 push 0
003B5B5C 51 push ecx
003B5B5D 68 00000080 push 80000000
003B5B62 FF95 D2CF4100 call dword ptr ss :[ebp +41CFD2] ; advapi32.RegOpenKeyExA
0012FF68 003B5B68 /CALL to RegOpenKeyExA from 003B5B62
0012FF6C 80000000 |hKey = HKEY_CLASSES_ROOT
0012FF70 003B79DD |Subkey = "wrifile\shell\open\command\config"
0012FF74 00000000 |Reserved = 0
0012FF78 0002001F |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0012FF7C 003B79FF \pHandle = 003B79FF
003B5B9A 83F8 00 cmp eax , 0
003B5B9D 0F84 2A010000 je 003B5CCD ; JUMP
003B5D09 BE A6D24100 mov esi , 41D2A6
003B5D13 03F5 add esi , ebp
003B5D1A BF A2D24100 mov edi , 41D2A2
003B5D24 03FD add edi , ebp
003B5D30 B8 FECF4100 mov eax , 41CFFE
003B5D3A 03C5 add eax , ebp
003B5D53 BB DCD24100 mov ebx , 41D2DC
003B5D85 03DD add ebx , ebp
; 用这么多regs,气势逼人~~~
003B5D8C 8B8D CCD24100 mov ecx , dword ptr ss :[ebp +41D2CC] ; Reg的句柄
003B5D97 56 push esi
003B5D98 50 push eax
003B5D99 57 push edi
003B5D9A 6A 00 push 0
003B5D9C 53 push ebx ; 好奇怪的名字,大概是自动计算的
003B5D9D 51 push ecx
003B5D9E FF95 DECF4100 call dword ptr ss :[ebp +41CFDE] ; advapi32.RegQueryValueExA
0012FF64 003B5DA4 /CALL to RegQueryValueExA from 003B5D9E
0012FF68 0000006A |hKey = 6A
0012FF6C 003B7A0F |ValueName = "" 9B,"" ,80,"" ,8B,"" ,80,"?,80," ?,80,"" ,84,"" ,81,""
0012FF70 00000000 |Reserved = NULL
0012FF74 003B79D5 |pValueType = 003B79D5
0012FF78 003B7731 |Buffer = 003B7731
0012FF7C 003B79D9 \pBufSize = 003B79D9
; *** 如果做DBPE Cleaner,大概就是清理HKEY_CLASSES_ROOT\wrifile\shell\open\command\config\下的所有子项目
003B5DC0 66:3D 0000 cmp ax , 0
003B5DC9 /0F85 EE020000 jnz 003B60BD ; 做注册部分
003B60C2 8B85 CCD24100 mov eax , dword ptr ss :[ebp +41D2CC]
003B60CD 50 push eax
003B60CE FF95 DACF4100 call dword ptr ss :[ebp +41CFDA] ; advapi32.RegCloseKey
003B6106 61 popad
003B611E 8B85 EAD24100 mov eax , dword ptr ss :[ebp +41D2EA]
003B6129 C3 ret
003B33CC 8B85 7CD24100 mov eax , dword ptr ss :[ebp +41D27C]
003B33FF BB 8CD24100 mov ebx , 41D28C
003B341B 03DD add ebx , ebp
003B3422 B9 27354200 mov ecx , 423527
003B343E 03CD add ecx , ebp
003B3445 50 push eax
003B3446 53 push ebx
003B3447 51 push ecx
003B3448 FF95 64CF4100 call dword ptr ss :[ebp +41CF64] ; user32.wsprintfA
0012FF64 0000006A
0012FF94 003B344E /CALL to wsprintfA from 003B3448
0012FF98 003BDC5A |s = 003BDC5A
0012FF9C 003B79BF |Format = "%08lX"
0012FFA0 06781F8B \<%08lX> = 6781F8B
003B3453 83C4 0C add esp , 0C ; 平衡堆栈
; ecx ->
-------------------------------------------------------------------
003BDC5D 38 31 46 38 42 00 00 00 81F8B...
-------------------------------------------------------------------
003B3488 BE 0AD04100 mov esi , 41D00A
003B34A4 03F5 add esi , ebp
---------------------------------------------------------------------------
003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........
---------------------------------------------------------------------------
003B34BD BF 2CFA4100 mov edi , 41FA2C
003B34EF 03FD add edi , ebp
003B34F6 B9 16000000 mov ecx , 16
003B3500 F3:A4 rep movsb ; 传送...不明飞行物
003B3534 BE 27354200 mov esi , 423527
003B353E 03F5 add esi , ebp
003B3545 BF 42FA4100 mov edi , 41FA42
003B354F 03FD add edi , ebp
003B3556 B9 0A000000 mov ecx , 0A
003B3588 F3:A4 rep movsb
003B3599 E8 A1140000 call 003B4A3F
; 传送某种非0的数据
003B4A5B 8DB5 78D04100 lea esi , dword ptr ss :[ebp +41D078]
003B4A8E 8DBD 0AD04100 lea edi , dword ptr ss :[ebp +41D00A]
003B4AD8 8A07 mov al , byte ptr ds :[edi ]
003B4AF1 8806 mov byte ptr ds :[esi ], al
003B4AF8 47 inc edi
003B4AFE 46 inc esi
003B4B2C 3C 00 cmp al , 0
003B4B2E ^\0F85 77FFFFFF jnz 003B4AAB
003B4B8E 4E dec esi
003B4B94 8DBD 27354200 lea edi , dword ptr ss :[ebp +423527]
---------------------------------------------------------------------------
003BDC5A 30 36 37 38 31 46 38 42 00 00 00 00 00 00 00 00 06781F8B........
---------------------------------------------------------------------------
003B4BDE 8A07 mov al , byte ptr ds :[edi ]
003B4BF7 8806 mov byte ptr ds :[esi ], al
003B4BFE 47 inc edi
003B4C16 46 inc esi
003B4C2E 3C 00 cmp al , 0
003B4C30 ^\0F85 7BFFFFFF jnz 003B4BB1
003B4C3B 8806 mov byte ptr ds :[esi ], al
003B4C6F 8D9D 02D34100 lea ebx , dword ptr ss :[ebp +41D302]
003B4C7A 8D85 78D04100 lea eax , dword ptr ss :[ebp +41D078]
003B4C85 8BF5 mov esi , ebp
003B4CB4 60 pushad
003B4CBA 53 push ebx
003B4CBB 50 push eax
003B4CBC E8 0C810000 call 003BCDCD ; 奇怪的算法解码出奇怪的信息
003B4CC6 61 popad
; 这里的代码把一堆东西拷来拷去,我没耐心也没兴致看算法,不做解说了。
003B4CF9 8DB5 02D34100 lea esi , dword ptr ss :[ebp +41D302]
003B4D04 8B06 mov eax , dword ptr ds :[esi ]
003B4D0B 3385 9ED24100 xor eax , dword ptr ss :[ebp +41D29E]
003B4D16 8985 EED24100 mov dword ptr ss :[ebp +41D2EE], eax
003B4D4E 8B46 04 mov eax , dword ptr ds :[esi +4]
003B4D56 3385 9AD24100 xor eax , dword ptr ss :[ebp +41D29A]
003B4D61 8985 F2D24100 mov dword ptr ss :[ebp +41D2F2], eax
003B4D71 8DBD 20D04100 lea edi , dword ptr ss :[ebp +41D020]
003B4D7C 8DB5 F6D24100 lea esi , dword ptr ss :[ebp +41D2F6]
003B4DDC 8B07 mov eax , dword ptr ds :[edi ]
003B4DE3 8906 mov dword ptr ds :[esi ], eax
003B4DEA 8B47 04 mov eax , dword ptr ds :[edi +4]
003B4DF2 8946 04 mov dword ptr ds :[esi +4], eax
003B4E0C E8 1B1A0000 call 003B682C ; 从代码给我的印象来看,像是检查非法字符
003B4E28 3B85 EED24100 cmp eax , dword ptr ss :[ebp +41D2EE]
003B4E45 /0F85 D7000000 jnz 003B4F22
003B4F39 B8 00000000 mov eax , 0
003B4F43 8985 F2D24100 mov dword ptr ss :[ebp +41D2F2], eax
003B4F76 8985 EED24100 mov dword ptr ss :[ebp +41D2EE], eax
003B4F93 C3 ret
003B35CB 83F8 01 cmp eax , 1
003B35D3 /0F84 D60E0000 je 003B44AF
003B3622 8D85 DE5C4000 lea eax , dword ptr ss :[ebp +405CDE]
003B3660 E8 AF330000 call 003B6A14
003B6A58 60 pushad
003B6A5E 8D85 8FC74100 lea eax , dword ptr ss :[ebp +41C78F]
003B6A69 6A 00 push 0
003B6A6B 6A 20 push 20
003B6A6D 6A 03 push 3
003B6A6F 6A 00 push 0
003B6A71 6A 00 push 0
003B6A73 68 00000080 push 80000000
003B6A78 50 push eax
003B6A79 FF95 DBCE4100 call dword ptr ss :[ebp +41CEDB] ; kernel32.CreateFileA
0012FF60 003B6A7F /CALL to CreateFileA from 003B6A79
0012FF64 003B6EC2 |FileName = "regdial.dat"
0012FF68 80000000 |Access = GENERIC_READ
0012FF6C 00000000 |ShareMode = 0
0012FF70 00000000 |pSecurity = NULL
0012FF74 00000003 |Mode = OPEN_EXISTING
0012FF78 00000020 |Attributes = ARCHIVE
0012FF7C 00000000 \hTemplateFile = NULL
; 搞注册界面库,我们到沙罗双树园啦;-)
003B6A84 83F8 FF cmp eax , -1
003B6A87 /74 2D je short 003B6AB6 ; 读取失败?我们给他行行好,翻转ZF不跳
003B6AA0 50 push eax
003B6AA1 FF95 E3CE4100 call dword ptr ss :[ebp +41CEE3] ; kernel32.CloseHandle
003B6AAC /E9 14030000 jmp 003B6DC5
003B6DDC 61 popad
003B6DE2 B8 01000000 mov eax , 1
003B6DFE C3 ret
003B36A9 8D85 DF5C4000 lea eax , dword ptr ss :[ebp +405CDF] ; 无聊!!!
003B36E7 B8 87C74100 mov eax , 41C787
003B3703 03C5 add eax , ebp
003B370A E8 6F460000 call 003B7D7E
; 用来得到2个注册功能的窗口函数ShowTryWindow & GetRegister
003B7DAB 60 pushad
003B7DB1 8BD8 mov ebx , eax
003B7DC2 807B 08 00 cmp byte ptr ds :[ebx +8], 0
003B7DCB /0F84 1B030000 je 003B80EC ; nj
003B7DED 8BC3 mov eax , ebx
003B7DF4 83C0 08 add eax , 8
003B7DFC 50 push eax
003B7DFC 50 push eax
003B7DFD FF95 C13D4200 call dword ptr ss :[ebp +423DC1] ; kernel32.LoadLibraryA
0012FF78 003B7E03 /CALL to LoadLibraryA from 003B7DFD
0012FF7C 003B6EC2 \FileName = "regdial.dat"
; 考,居然是lib
003B7E08 8985 7FCC4100 mov dword ptr ss :[ebp +41CC7F], eax
003B7E13 83F8 00 cmp eax , 0
003B7E16 /75 46 jnz short 003B7E5E ; 翻转ZF
003B7EA2 8B33 mov esi , dword ptr ds :[ebx ] ; Try.0041C863
003B7EBB 8B7B 04 mov edi , dword ptr ds :[ebx +4] ; Try.0041C881
003B7ED5 03F5 add esi , ebp
003B7EDC 03FD add edi , ebp
; 看名字也知道是要干啥
---------------------------------------------------------------------------
003B6F96 53 68 6F 77 54 72 79 57 69 6E 64 6F 77 00 47 65 ShowTryWindow.Ge
003B6FA6 74 52 65 67 69 73 74 65 72 00 00 00 00 00 00 00 tRegister.......
---------------------------------------------------------------------------
003B7EFF 803E 00 cmp byte ptr ds :[esi ], 0
003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了? 为了好看,完成后代码下放
003B7FD0 56 push esi
003B7FD1 FFB5 7FCC4100 push dword ptr ss :[ebp +41CC7F]
003B7FD7 FF95 C53D4200 call dword ptr ss :[ebp +423DC5] ; kernel32.GetProcAddress
0012FF74 003B7FDD /CALL to GetProcAddress from 003B7FD7
0012FF78 00000000 |hModule = NULL ; 我从中作梗
0012FF7C 003B6F96 \ProcNameOrOrdinal = "ShowTryWindow"
003B7FE2 83F8 00 cmp eax , 0
003B7FE5 /75 30 jnz short 003B8017 ; 翻转ZF,j
003B8038 8907 mov dword ptr ds :[edi ], eax
003B8051 83C7 04 add edi , 4
; 指向GetRegister
003B805E 803E 00 cmp byte ptr ds :[esi ], 0
003B8061 /74 0D je short 003B8070
003B8068 46 inc esi
003B806E ^\EB EE jmp short 003B805E
003B809D 46 inc esi
003B80CB ^\E9 2AFEFFFF jmp 003B7EFA
--------------------------------------------------------------------------
; 完成以后的代码,接003B7F02 0F85 BE000000 jnz 003B7FC6 ; 2个都得到了? 为了好看,完成后代码下放
003B7F35 83C3 08 add ebx , 8
; 移动指针
003B7F65 803B 00 cmp byte ptr ds :[ebx ], 0
003B7F68 /74 1F je short 003B7F89
003B7F81 43 inc ebx
003B7F87 ^\EB DC jmp short 003B7F65
003B7FB6 43 inc ebx
003B7FBC ^\E9 FCFDFFFF jmp 003B7DBD; 回去〉〉〉
003B7DC2 807B 08 00 cmp byte ptr ds :[ebx +8], 0
003B7DCB /0F84 1B030000 je 003B80EC ; 结束,j
003B80F1 61 popad
003B80F7 8B85 83CC4100 mov eax , dword ptr ss :[ebp +41CC83]
003B8102 C3 ret
003B373C B8 FFFFFFFF mov eax , -1
003B3746 83BD 81C84100 0>cmp dword ptr ss :[ebp +41C881], 0
003B3752 /0F84 570D0000 je 003B44AF; nj
003B376F 83BD 85C84100 0>cmp dword ptr ss :[ebp +41C885], 0
003B37A3 /0F84 060D0000 je 003B44AF; 还是nj
003B37D7 E8 060D0000 call 003B44E2
003B44E7 8D85 C1A04100 lea eax , dword ptr ss :[ebp +41A0C1]
003B44F2 68 C8000000 push 0C8
003B44F7 50 push eax ; buffer
003B44F8 FF95 BBCE4100 call dword ptr ss :[ebp +41CEBB] ; kernel32.GetWindowsDirectoryA
0012FF94 003B44FE /CALL to GetWindowsDirectoryA from 003B44F8
0012FF98 003B47F4 |Buffer = 003B47F4
0012FF9C 000000C8 \BufSize = C8 (200.)
003B4503 33C0 xor eax , eax
003B451C B9 C8000000 mov ecx , 0C8
003B4526 8DBD C1A04100 lea edi , dword ptr ss :[ebp +41A0C1]
003B4531 F2:AE repne scas byte ptr es :[edi ] ; 复制目录
003B4538 C647 FF 5C mov byte ptr ds :[edi -1], 5C ; \
003B4541 C707 75736572 mov dword ptr ds :[edi ], 72657375 ; user
003B455E C747 04 2E64617>mov dword ptr ds :[edi +4], 7461642E ; .dat
003B4592 C647 08 00 mov byte ptr ds :[edi +8], 0
003B45C4 8D85 C1A04100 lea eax , dword ptr ss :[ebp +41A0C1]
003B45CF 8D9D C1A14100 lea ebx , dword ptr ss :[ebp +41A1C1]
003B45DA 53 push ebx
003B45DB 50 push eax
003B45DC FF95 B7CE4100 call dword ptr ss :[ebp +41CEB7] ; kernel32.FindFirstFileA
003B45F9 8D9D C1A14100 lea ebx , dword ptr ss :[ebp +41A1C1]
003B462C 8D43 14 lea eax , dword ptr ds :[ebx +14]
003B4646 8D9D FCA24100 lea ebx , dword ptr ss :[ebp +41A2FC]
003B4679 53 push ebx
003B467A 50 push eax
003B467B FF95 B3CE4100 call dword ptr ss :[ebp +41CEB3] ; kernel32.FileTimeToSystemTime
0012FF94 003B4681 /CALL to FileTimeToSystemTime from 003B467B
0012FF98 003B4908 |pFileTime = 003B4908
0012FF9C 003B4A2F \pSystemTime = 003B4A2F
003B469D 8D9D FCA24100 lea ebx , dword ptr ss :[ebp +41A2FC]
; 计算一个sum
003B46A8 33C0 xor eax , eax
003B46AF 33D2 xor edx , edx
003B46CD 66:8B03 mov ax , word ptr ds :[ebx ]
003B46E7 B9 6D010000 mov ecx , 16D
003B46F1 F7E1 mul ecx
003B470A 8985 80D24100 mov dword ptr ss :[ebp +41D280], eax
003B4742 33C0 xor eax , eax
003B475B 66:8B43 02 mov ax , word ptr ds :[ebx +2]
003B4764 B9 1E000000 mov ecx , 1E
003B476E F7E1 mul ecx
003B4775 0185 80D24100 add dword ptr ss :[ebp +41D280], eax
003B47AD 66:8B43 06 mov ax , word ptr ds :[ebx +6]
003B47B6 0185 80D24100 add dword ptr ss :[ebp +41D280], eax
003B47EE C3 ret ; 班师回朝
003B380E C785 88D24100 0>mov dword ptr ss :[ebp +41D288], 0
003B381D C785 84D24100 0>mov dword ptr ss :[ebp +41D284], 0
003B3836 83BD F01D4200 0>cmp dword ptr ss :[ebp +421DF0], 1
003B383D /0F85 10010000 jnz 003B3953 ; nj
003B3848 FFB5 FECF4100 push dword ptr ss :[ebp +41CFFE]
003B384E 8F85 42344200 pop dword ptr ss :[ebp +423442]
003B3859 FFB5 E41D4200 push dword ptr ss :[ebp +421DE4]
003B385F 8F85 46344200 pop dword ptr ss :[ebp +423446]
003B387C 8B9D E41D4200 mov ebx , dword ptr ss :[ebp +421DE4]
003B3899 399D FECF4100 cmp dword ptr ss :[ebp +41CFFE], ebx
003B389F /0F83 95000000 jnb 003B393A ; j
003B393F C785 84D24100 0>mov dword ptr ss :[ebp +41D284], 1
003B3974 83BD F01D4200 0>cmp dword ptr ss :[ebp +421DF0], 2
003B397B /0F85 E0000000 jnz 003B3A61 ; j
003B3A98 83BD F01D4200 0>cmp dword ptr ss :[ebp +421DF0], 3
003B3A9F 0F85 C3000000 jnz 003B3B68
003B3B9F 33C0 xor eax , eax
003B3BA6 83BD 88D24100 0>cmp dword ptr ss :[ebp +41D288], 1
003B3BAD 74 0D je short 003B3BBC
003B3BAF 83BD 84D24100 0>cmp dword ptr ss :[ebp +41D284], 1
003B3BB6 0F85 F5000000 jnz 003B3CB1
003B3BD3 8D85 081E4200 lea eax , dword ptr ss :[ebp +421E08] ; caption
003B3BDE 8D9D 261E4200 lea ebx , dword ptr ss :[ebp +421E26] ; http...
003B3BE9 8D8D 441E4200 lea ecx , dword ptr ss :[ebp +421E44] ; message
; 此时发现这两个牛插手了……
----------------------------------------------------------------------------
003BC777 20 45 6E 63 72 79 70 74 Encrypt
003BC787 65 64 20 62 79 20 7A 65 72 30 21 00 00 00 00 00 ed by zer0!.....
003BC797 00 00 00 00 00 00 63 6F 64 65 5F 69 6E 6A 65 63 ......code_injec
003BC7A7 74 00 00 00 00 00 00 00 00 t........
----------------------------------------------------------------------------
003B3C1C 89A5 74894100 mov dword ptr ss :[ebp +418974], esp
003B3C27 FFB5 81C84100 push dword ptr ss :[ebp +41C881]
003B3C2D 8F85 F9344200 pop dword ptr ss :[ebp +4234F9]
003B3C38 51 push ecx
003B3C39 53 push ebx
003B3C3A 50 push eax
003B3C3B FFB5 46344200 push dword ptr ss :[ebp +423446]
003B3C41 FFB5 42344200 push dword ptr ss :[ebp +423442]
003B3C47 E8 39810000 call 003BBD85 ; int3调用,都nop
003B3C7E 8BA5 74894100 mov esp , dword ptr ss :[ebp +418974]
003B3D22 83BD 84D24100 0>cmp dword ptr ss :[ebp +41D284], 1
003B3D29 74 09 je short 003B3D34
003B3D2B 83F8 02 cmp eax , 2
003B3D2E 0F85 C0040000 jnz 003B41F4
003B3D66 8D85 FD344200 lea eax , dword ptr ss :[ebp +4234FD]
003B3D99 8D9D 13354200 lea ebx , dword ptr ss :[ebp +423513]
003B3DA4 8D8D 27354200 lea ecx , dword ptr ss :[ebp +423527]
; 003BDC5A 30 36 37 38 31 46 38 42 06781F8B
003B3DAF 8D95 38204200 lea edx , dword ptr ss :[ebp +422038]
003B3DF9 89A5 74894100 mov dword ptr ss :[ebp +418974], esp
003B3E2C FFB5 85C84100 push dword ptr ss :[ebp +41C885]
003B3E32 8F85 F9344200 pop dword ptr ss :[ebp +4234F9]
003B3E4F 52 push edx
003B3E50 51 push ecx
003B3E51 53 push ebx
003B3E52 50 push eax
003B3E53 E8 2D7F0000 call 003BBD85; 还是他,nop
003B3E74 8BA5 74894100 mov esp , dword ptr ss :[ebp +418974]
003B3E91 83F8 02 cmp eax , 2
003B3E99 B8 00000000 mov eax , 0
003B3EA3 /0F84 C4040000 je 003B436D
003B3EDB B9 2A000000 mov ecx , 2A
003B3EE5 BF 0AD04100 mov edi , 41D00A
003B3EEF 03FD add edi , ebp
003B3F08 BE FD344200 mov esi , 4234FD
003B3F3A 03F5 add esi , ebp
003B3F41 F3:A4 rep movs byte ptr es :[edi ], byte ptr ds :[esi ] ..................
头都看晕。不过还是顶!!!
程序在哪里下载?
forgot 给一个了.
GOOD
试验程序。:D
强烈抗议 fly 改帖,要求赔偿精神损失!:D
老大,把整个文章弄个包包传来吧。便于收藏整理,谢谢先。
好文!收藏
[part 6](区段处理)
; =========================================================================================
; 返回到 Ch e c k s u m - C h e c k i n g 之后的位置
; 有个稍微快一点的方法解决注册
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
003B073A E8 4A2A0000 call 003B3189 ; nop掉然后置eax =1即可
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
003B076C 66:3D 0100 cmp ax , 1
003B0775 /0F84 E9000000 je 003B0864 ; j,否则Over
003B087B 8D85 D85C4000 lea eax , dword ptr ss :[ebp +405CD8]
003B08F8 BE E4D34100 mov esi , 41D3E4
003B0902 03F5 add esi , ebp ; esi -> 块表
; esi:
;-----------------------
003B7B17 00001000 ; VOffset
003B7B1B 00006000 ; RSize
003B7B1F 0000F342 ; VSize
003B7B23 E0000021 ; Flags
003B7B27 00017000 ; 一样....
003B7B2B 00001000
003B7B2F 00000FB8
003B7B33 C0000041
;-----------------------
003B090E 833E 00 cmp dword ptr ds :[esi ], 0 ; 区块解码结束了?
003B0916 /0F84 7E060000 je 003B0F9A ; 结束就走人
003B0921 8B9D DCD34100 mov ebx , dword ptr ss :[ebp +41D3DC] ; ImageBase
003B092C 031E add ebx , dword ptr ds :[esi ] ; ebx -> 指向一个Section
003B0945 8B4E 04 mov ecx , dword ptr ds :[esi +4] ; ecx -> Size
003B0952 83F9 00 cmp ecx , 0
003B0955 /75 4E jnz short 003B09A5 ; 长度非零,处理--->
((((((((((((((((((((((((((((((((((((((((((((((((((((
; 跳过处理大小为零的Section
003B096E 83C6 10 add esi , 10
003B0976 ^\EB 91 jmp short 003B0909
))))))))))))))))))))))))))))))))))))))))))))))))))))
003B09EE D1E9 shr ecx , 1 ; ecx /2
003B09F5 66:8B85 2DD6410>mov ax , word ptr ss :[ebp +41D62D]
003B0A01 66:35 2111 xor ax , 1121
003B0A37 66:C1C8 02 ror ax , 2
003B0A40 66:05 1A00 add ax , 1A
003B0A49 66:05 A100 add ax , 0A1
; 计算key
003B0A84 66:3103 xor word ptr ds :[ebx ], ax
003B0A8C 66:48 dec ax
003B0A93 43 inc ebx ; 指向下一byte
003B0A99 43 inc ebx ; 移动指针
003B0AC7 49 dec ecx
003B0ACD 83F9 00 cmp ecx , 0
003B0AD0 ^\75 AD jnz short 003B0A7F
; 循环解码
003B0B09 8B46 0C mov eax , dword ptr ds :[esi +C] ; flag
003B0B11 83E0 01 and eax , 1 ; 隐藏着什么标记呢?
003B0B30 83BD F81D4200 0>cmp dword ptr ss :[ebp +421DF8], 1
003B0B37 /0F85 60030000 jnz 003B0E9D ; 不知道,nj
003B0B6A 83F8 01 cmp eax , 1
003B0B6D 0F85 25030000 jnz 003B0E98; 还是不知道,nj,$$#@%@#$
003B0C18 60 pushad
003B0C23 8B46 04 mov eax , dword ptr ds :[esi +4]; RSize
003B0C2B 83F8 00 cmp eax , 0
003B0C33 /0F84 03020000 je 003B0E3C ; RSize==0就不分配空间了
003B0C43 8B46 08 mov eax , dword ptr ds :[esi +8] ;VSize
003B0C73 6A 04 push 4
003B0C75 68 00100000 push 1000
003B0C7A 50 push eax
003B0C7B 6A 00 push 0
003B0C7D FF95 13CF4100 call dword ptr ss :[ebp +41CF13] ; 分配空间存放Section
0012FF74 003B0C83 /CALL to VirtualAlloc from 003B0C7D
0012FF78 00000000 |Address = NULL
0012FF7C 0000F342 |Size = F342 (62274.)
0012FF80 00001000 |AllocationType = MEM_COMMIT
0012FF84 00000004 \Protect = PAGE_READWRITE
003B0CC7 8985 E0D34100 mov dword ptr ss :[ebp +41D3E0], eax ; 得到的空间
003B0CFF 56 push esi ; 保存 Section Table Pointer
003B0D32 8B1E mov ebx , dword ptr ds :[esi ] ; ebx -> VOffset
003B0D39 039D DCD34100 add ebx , dword ptr ss :[ebp +41D3DC] ; +ImageBase, 得到VA
003B0D44 50 push eax
003B0D45 53 push ebx
003B0D46 E8 AE620000 call 003B6FF9 ; aplib_depack_asm.解压缩到刚才VirtualAlloc得到的空间
003B0D50 83C4 08 add esp , 8 ; 平衡堆栈,大概用的不是stdcall
003B0D5D 8BC8 mov ecx , eax ; 解压出来的长度
003B0D64 8B3E mov edi , dword ptr ds :[esi ] ; edi -> VOffset
003B0D93 03BD DCD34100 add edi , dword ptr ss :[ebp +41D3DC] ; +ImageBase, Get VA
; 要把解压得代码传送回去了
003B0DC6 8BB5 E0D34100 mov esi , dword ptr ss :[ebp +41D3E0]; 解压缩后的数据
003B0DE3 F3:A4 rep movs byte ptr es :[edi ], byte ptr ds :[esi ] ; copy all
003B0DEF 5E pop esi ; 恢复 Section Table Pointer
; 这里有点无聊。根本没有修改esi也没有用它,最后都popad
003B0E0C 8B85 E0D34100 mov eax , dword ptr ss :[ebp +41D3E0] ; 申请到的地址
003B0E29 68 00800000 push 8000
003B0E2E 6A 00 push 0
003B0E30 50 push eax
003B0E31 FF95 17CF4100 call dword ptr ss :[ebp +41CF17] ; kernel32.VirtualFree
; 满门抄斩……55555555
003B0E53 61 popad
; -------- 修正页面访问权限 ----------
003B0EAC 60 pushad
003B0EB2 8B9D DCD34100 mov ebx , dword ptr ss :[ebp +41D3DC] ; ImageBase
003B0ECF 031E add ebx , dword ptr ds :[esi ] ; 块表 VA
003B0EE8 8B4E 04 mov ecx , dword ptr ds :[esi +4] ; 长度
003B0EF5 B8 74894100 mov eax , 418974
003B0EFF 03C5 add eax , ebp ; buffer for VirtualProtect
003B0F2E 50 push eax
003B0F2F 6A 04 push 4
003B0F31 51 push ecx
003B0F32 53 push ebx
003B0F33 FF95 27CF4100 call dword ptr ss :[ebp +41CF27] ; kernel32.VirtualProtect
0012FF74 003B0F39 /CALL to VirtualProtect from 003B0F33
0012FF78 00401000 |Address = Try.00401000
0012FF7C 00006000 |Size = 6000 (24576.)
0012FF80 00000004 |NewProtect = PAGE_READWRITE
0012FF84 003B30A7 \pOldProtect = 003B30A7
003B0F3E 61 popad
; -------------- 移动指针,到下一个Section ------------------
003B0F83 83C6 10 add esi , 10
003B0F8B ^\E9 79F9FFFF jmp 003B0909 ; 循环直到所有Sections都还原
; ------------------------------------
; 循环完成到这里,这里其实可以Dump了:
003B0F9A 90 nop
003B0FAE 8D85 D95C4000 lea eax , dword ptr ss :[ebp +405CD9] ; 这东西很无聊,碰到好几次,猜不出来,大概是buffer
:D :D
而且又详细,的确不错,希望多多发这种!好有收藏价值!
Linson 你再加个图标.
[part 7]输入表处理
; ***********************************************************************************
; 阿 赖 耶 识 ―― 输 入 表 处 理 觉 醒
; ***********************************************************************************
003B0FC4 E8 34140000 call 003B23FD ; 当然要进去了
003B242F 60 pushad
003B2474 FF95 1BCF4100 call dword ptr ss :[ebp +41CF1B] ; kernel32.GetCurrentProcessId
003B24A8 8985 20FA4100 mov dword ptr ss :[ebp +41FA20], eax ; save process Id
003B24B3 8B85 1BCF4100 mov eax , dword ptr ss :[ebp +41CF1B] ; kernel32.GetCurrentProcessId
003B24D0 8985 24FA4100 mov dword ptr ss :[ebp +41FA24], eax ; kernel32.GetCurrentProcessId
; 不知道搞什么名堂
003B2508 B8 B8FA4100 mov eax , 41FAB8
003B2512 03C5 add eax , ebp
003B2519 8985 ACDC4100 mov dword ptr ss :[ebp +41DCAC], eax
003B254C 8B9D 08D64100 mov ebx , dword ptr ss :[ebp +41D608] ; Import Table RVA
-------------------
0041F023 78750000
0041F027 00000000
0041F02B 00000000
0041F02F 82750000
0041F033 7D910000
0041F037 25350000
............
-------------------
003B2557 83FB 00 cmp ebx , 0 ; 没有import么?
003B2587 /0F84 1F0A0000 je 003B2FAC ; 当然有,不跳
003B25D1 039D DCD34100 add ebx , dword ptr ss :[ebp +41D3DC] ; +ImageBase,得到IT VA
; ebx -> IID(s)
003B25E6 8B43 0C mov eax , dword ptr ds :[ebx +C] ;pointer to DLL asciz name
003B25EE 83F8 00 cmp eax , 0
003B25F6 /0F84 B0090000 je 003B2FAC ; Game Over?
003B2601 53 push ebx ; Try.0041F023
003B262F 51 push ecx
003B2647 52 push edx
003B2648 33D2 xor edx , edx
003B264F B9 20000000 mov ecx , 20
003B2654 33DB xor ebx , ebx ; Try.0041F023
003B2656 D1F8 sar eax , 1
003B265D 0F92C3 setb bl
003B2660 D3E3 shl ebx , cl
003B2667 03D3 add edx , ebx
003B2669 ^\E2 E9 loopd short 003B2654
; DLL Name 的RVA解码,结果在edx输出
003B266B 8BC2 mov eax , edx ; eax = edx = dll name rva
003B2684 5A pop edx
003B2685 59 pop ecx
003B268B 5B pop ebx
003B2696 0385 DCD34100 add eax , dword ptr ss :[ebp +41D3DC] ; +ImageBase = VA
003B26C9 8BF0 mov esi , eax
003B26D5 C685 78894100 0>mov byte ptr ss :[ebp +418978], 0
; -------------- 是否是特殊 DLL, 包括 Windows Kernel32 & User32, 与 VB 的MSVB ------------------------
003B2709 50 push eax
003B270F 8B00 mov eax , dword ptr ds :[eax ]; 取dll name开头4个字节
003B2716 25 DFDFDFDF and eax , DFDFDFDF; 转换为大写
003B2720 3D 4B45524E cmp eax , 4E52454B ; KERN****
003B2725 74 07 je short 003B272E
003B2727 3D 55534552 cmp eax , 52455355 ; USER****
003B272C 75 11 jnz short 003B273F
003B2733 C685 78894100 0>mov byte ptr ss :[ebp +418978], 1 ; 特殊dll标记
003B2744 58 pop eax
003B2777 50 push eax ; Try.00415C82
003B277D 8B00 mov eax , dword ptr ds :[eax ]
003B2784 25 DFDFDFDF and eax , DFDFDFDF
003B278E 3D 4D535642 cmp eax , 4256534D ; MSVB****
003B2793 75 11 jnz short 003B27A6
003B279A C685 78894100 0>mov byte ptr ss :[ebp +418978], 1 ; 特殊dll标记
003B27D3 58 pop eax ; Try.00415C82
; 为何不一起判断? D.boy大概写到这里喝多了:0
; ----------------------------------------------------------------------------------------------------
003B27DE 50 push eax
003B27DF FF95 C13D4200 call dword ptr ss :[ebp +423DC1] ; kernel32.LoadLibraryA
; 载入dll
003B27EA 8985 7FCC4100 mov dword ptr ss :[ebp +41CC7F], eax ; 保存dll module base
003B2822 33C0 xor eax , eax
003B2851 8703 xchg dword ptr ds :[ebx ], eax ; 清掉IID的OriginalFirstThunk,然后把它读到eax
; 如果改为mov eax, dword ptr [ebx]可以避免...我偷懒,不改了,下面也是这样
003B2858 53 push ebx
003B2886 51 push ecx
003B289E 52 push edx
003B289F 33D2 xor edx , edx
003B28A6 B9 20000000 mov ecx , 20
003B28AB 33DB xor ebx , ebx
003B28AD D1F8 sar eax , 1
003B28B4 0F92C3 setb bl
003B28B7 D3E3 shl ebx , cl
003B28BE 03D3 add edx , ebx
003B28C0 ^\E2 E9 loopd short 003B28AB
003B28C2 8BC2 mov eax , edx
003B28DB 5A pop edx
003B28DC 59 pop ecx
003B28E2 5B pop ebx
003B28E8 8BF0 mov esi , eax
; OriginalFirstThunk解码 -> esi
003B292E 33C0 xor eax , eax
003B295D 8743 10 xchg dword ptr ds :[ebx +10], eax ; eax -> FirstThunk, & erase rva
003B2965 53 push ebx
003B2993 51 push ecx
003B29AB 52 push edx
003B29AC 33D2 xor edx , edx
003B29B3 B9 20000000 mov ecx , 20
003B29B8 33DB xor ebx , ebx
003B29BA D1F8 sar eax , 1
003B29C1 0F92C3 setb bl
003B29C4 D3E3 shl ebx , cl
003B29CB 03D3 add edx , ebx
003B29CD ^\E2 E9 loopd short 003B29B8
003B29CF 8BC2 mov eax , edx
003B29E8 5A pop edx
003B29E9 59 pop ecx
003B29EF 5B pop ebx
003B29F5 8BF8 mov edi , eax
; FirstThunk解码 -> edi
003B2A01 83FE 00 cmp esi , 0 ; OriginalFirstThunk不能用?
003B2A04 /75 34 jnz short 003B2A3A; 能就走
003B2A33 8BF7 mov esi , edi ; 它不行就使用第二个表 FirstThunk
003B2A67 03B5 DCD34100 add esi , dword ptr ss :[ebp +41D3DC] ; +ImageBase,Get VA
003B2A72 03BD DCD34100 add edi , dword ptr ss :[ebp +41D3DC] ; +ImageBase,Get VA
; offset to function name ( and hint)
003B2A99 8B06 mov eax , dword ptr ds :[esi ]; 要do hint...
003B2AA0 83F8 00 cmp eax , 0
003B2AA3 /75 29 jnz short 003B2ACE ; 未完?
003B2ABC 83C3 14 add ebx , 14
003B2AC4 ^\E9 13FBFFFF jmp 003B25DC ; 下一个IID
003B2B00 807E 03 80 cmp byte ptr ds :[esi +3], 80 ; is imported by ordinal?
003B2B04 75 6C jnz short 003B2B72
; ord...
003B2B0B 33C0 xor eax , eax
003B2B12 66:8706 xchg word ptr ds :[esi ], ax
003B2B42 50 push eax
003B2B43 FFB5 7FCC4100 push dword ptr ss :[ebp +41CC7F]
003B2B49 FF95 C53D4200 call dword ptr ss :[ebp +423DC5]
003B2B54 8BC8 mov ecx , eax
003B2B6D /E9 84000000 jmp 003B2BF6
; str...
003B2B77 33C0 xor eax , eax
003B2B7E 8706 xchg dword ptr ds :[esi ], eax
003B2B85 0385 DCD34100 add eax , dword ptr ss :[ebp +41D3DC] ; +ImageBase,这句话打过无数次了,累!!!
003B2BA2 83C0 02 add eax , 2 ; 跳过hint值(sizeof word == 2)
003B2BD2 50 push eax
003B2BD3 FFB5 7FCC4100 push dword ptr ss :[ebp +41CC7F]
003B2BD9 FF95 C53D4200 call dword ptr ss :[ebp +423DC5] ; kernel32.GetProcAddress
003B2C00 80BD 78894100 0>cmp byte ptr ss :[ebp +418978], 1 ; 特殊函数?
003B2C07 /0F85 87020000 jnz 003B2E94 ; magic jump...改为jmp吧,省得心烦
; --------------------------- 加密输入表 ----------------------------------------
; 具体不说了,跟到这里有点筋疲力尽了
003B2C3F 60 pushad
003B2C45 8BF8 mov edi , eax
003B2C63 8B85 A7DC4100 mov eax , dword ptr ss :[ebp +41DCA7]
003B2C6E 3D F4010000 cmp eax , 1F4
003B2C73 /75 1A jnz short 003B2C8F
003B2C7A 89BD 70894100 mov dword ptr ss :[ebp +418970], edi
003B2C85 /E9 C9010000 jmp 003B2E53
003B2CC1 B9 04000000 mov ecx , 4
003B2CCB 33D2 xor edx , edx
003B2CD2 F7E1 mul ecx
003B2CD9 BE B1DC4100 mov esi , 41DCB1
003B2CE3 03F5 add esi , ebp
003B2CFC 33BD 20FA4100 xor edi , dword ptr ss :[ebp +41FA20]
003B2D07 893C06 mov dword ptr ds :[esi +eax ], edi
003B2D26 8B85 A7DC4100 mov eax , dword ptr ss :[ebp +41DCA7]
003B2D31 B9 0B000000 mov ecx , 0B
003B2D3B 33D2 xor edx , edx
003B2D42 F7E1 mul ecx
003B2D49 BF 85E44100 mov edi , 41E485
003B2D7B 03FD add edi , ebp
003B2DAA 03F8 add edi , eax
003B2DB6 89BD 70894100 mov dword ptr ss :[ebp +418970], edi
003B2DEE BE A6DC4100 mov esi , 41DCA6
003B2DF8 03F5 add esi , ebp
003B2E27 B9 0B000000 mov ecx , 0B
003B2E31 F3:A4 rep movs byte ptr es :[edi ], byte ptr ds :[esi ]
003B2E38 FF85 A7DC4100 inc dword ptr ss :[ebp +41DCA7] ; 计数器,被加密的应该是push count...push address...ret
003B2E43 8BBD 70894100 mov edi , dword ptr ss :[ebp +418970]
003B2E6A 61 popad
003B2E70 8B8D 70894100 mov ecx , dword ptr ss :[ebp +418970]
003B2E92 /EB 1E jmp short 003B2EB2
; -----------------------------------------------------------------------------
003B2EAB 8BC8 mov ecx , eax ; NETAPI32.Netbios
; 函数地址
003B2ECE 39BD 33D64100 cmp dword ptr ss :[ebp +41D633], edi
003B2ED4 76 10 jbe short 003B2EE6 ; 不知道,没跳
003B2EDB 89BD 33D64100 mov dword ptr ss :[ebp +41D633], edi
003B2EEB 39BD 2FD64100 cmp dword ptr ss :[ebp +41D62F], edi
003B2EF1 73 10 jnb short 003B2F03; 不知道,还是没跳
003B2EF8 89BD 2FD64100 mov dword ptr ss :[ebp +41D62F], edi
003B2F24 890F mov dword ptr ds :[edi ], ecx ; 填充IAT
003B2F3D 83C6 04 add esi , 4
003B2F45 83C7 04 add edi , 4
; 移动Thunk指针
003B2F4D ^\E9 42FBFFFF jmp 003B2A94; 循环---
; ---------------------------------------------------------------------------------------------------
; 从老上边的003B25F6 /0F84 B0090000 je 003B2FAC出来,完成patch iat
003B2FB1 E8 16000000 call 003B2FCC ; 取User32.GetClassNameA...居然专门弄个call...
003B2FBB 61 popad ; 解放了
003B2FC1 C3 ret
最初由 simonzh2000 发布 Linson 你再加个图标.
我加你QQ了.你怎么不通过啊?
[part 8]:D
; --------------------------- 不明飞行物 -----------------------------------
003B0FD3 8D85 DA5C4000 lea eax , dword ptr ss :[ebp +405CDA]
003B1011 E8 96200000 call 003B30AC ; purpose not worked out in this trace (author)
; ***************************************************************************
; Process the call table & jump table (restore the pointers)
; ***************************************************************************
003B105F 8D85 DB5C4000 lea eax , dword ptr ss :[ebp +405CDB]
; mentioned in fly's article, but without saying why; explained in detail here
; --------------- call dword ptr ds:[xxxxxxxx], where xxxxxxxx has the form 80xxxxxx (bit 31 set as a tag) ----------------
003B108C 60 pushad
003B10A4 8B9D 08D64100 mov ebx , dword ptr ss :[ebp +41D608]
003B10AF 039D DCD34100 add ebx , dword ptr ss :[ebp +41D3DC] ; still the image base
003B110F BE E4D34100 mov esi , 41D3E4 ; section table (ebp-relative)
003B1119 03F5 add esi , ebp
003B1120 8B9D DCD34100 mov ebx , dword ptr ss :[ebp +41D3DC] ; Try.00400000 -- image base
003B112B 031E add ebx , dword ptr ds :[esi ] ; + section RVA from the table entry
; ebx -> a section, presumably the code section
003B1132 8BFB mov edi , ebx ; Try.00401000 -- scan pointer
003B1139 8B4E 08 mov ecx , dword ptr ds :[esi +8] ; VSize -- section VirtualSize from the table entry
003B1141 83F9 00 cmp ecx , 0
003B115B /0F84 93050000 je 003B16F4 ; empty section: bail out
003B1178 D1E9 shr ecx , 1 ; ecx = VSize / 2 = number of 16-bit words to scan
003B11A7 49 dec ecx
003B11AD 66:B8 FF15 mov ax , 15FF ; bytes FF 15 in memory = opcode of "call dword ptr ds:[xxxxxxxx]"
003B11CD BE 31354200 mov esi , 423531 ; esi = packer-side table that receives the resolved pointers
003B11FF 03F5 add esi , ebp
003B124A F2:66:AF repne scas word ptr es :[edi ] ; scan the section for the FF 15 opcode word
; forgot: if none is found ... it gets awkward; let's see how Ding Boy wraps that up
; edi -> xxxxxxxx (the word after the match), not the "call dword ptr" itself
003B1264 8B1F mov ebx , dword ptr ds :[edi ]; the address to be called -> ebx
003B127D 81E3 00000080 and ebx , 80000000 ; isolate bit 31
003B129A 81FB 00000080 cmp ebx , 80000000 ; is it an 80xxxxxx-style (tagged) pointer?
003B12A0 /0F85 13010000 jnz 003B13B9 ; not tagged: skip it
003B12AB 8B1F mov ebx , dword ptr ds :[edi ]; the tagged (encoded) pointer
003B12B2 81E3 FFFFFF7F and ebx , 7FFFFFFF ; clear bit 31 to recover the real pointer
003B12BD 3B9D 33D64100 cmp ebx , dword ptr ss :[ebp +41D633] ; lower bound = lowest IAT slot recorded during import resolution
003B12C3 0F82 C3000000 jb 003B138C ; range check: pointer below the IAT -> skip
003B12CE 3B9D 2FD64100 cmp ebx , dword ptr ss :[ebp +41D62F] ; Try.0041F01B -- upper bound of the IAT range
003B12D4 /0F87 AD000000 ja 003B1387 ; pointer above the IAT -> skip
003B12DF 833E FF cmp dword ptr ds :[esi ], -1 ; -1 looks like an end-of-table sentinel -> give up (tentative)
003B130F /0F84 DF030000 je 003B16F4
003B131A 8B1B mov ebx , dword ptr ds :[ebx ] ; read what the pointer points to: the resolved API address in the IAT slot
003B1321 891E mov dword ptr ds :[esi ], ebx
; store it in the packer's own table at esi
003B1350 8937 mov dword ptr ds :[edi ], esi ; redirect the call operand to the packer's table entry instead of the IAT slot; for unpacking, nop this out so the original IAT reference stays (same below)
003B1357 83C6 04 add esi , 4 ; advance the table pointer
003B13BE 83F9 00 cmp ecx , 0
003B13C1 ^ 0F85 56FEFFFF jnz 003B121D ; loop until the whole section has been scanned
; ----------------------- jmp dword ptr ds:[xxxxxxxx] ----------------------------------
; identical method, not re-explained
003B140B 56 push esi ; save the remaining table pointer
003B1416 8B9D 08D64100 mov ebx , dword ptr ss :[ebp +41D608]
003B1449 039D DCD34100 add ebx , dword ptr ss :[ebp +41D3DC] ; Try.00400000
003B1459 BE E4D34100 mov esi , 41D3E4 ; section table again
003B148B 03F5 add esi , ebp
003B1492 8B9D DCD34100 mov ebx , dword ptr ss :[ebp +41D3DC] ; Try.00400000
003B149D 031E add ebx , dword ptr ds :[esi ]
003B14A4 8BFB mov edi , ebx ; Try.00401000
003B14AB 8B4E 08 mov ecx , dword ptr ds :[esi +8] ; VSize
003B14C5 D1E9 shr ecx , 1 ; words to scan
003B14DE 49 dec ecx
003B150C 66:B8 FF25 mov ax , 25FF ; bytes FF 25 = opcode of "jmp dword ptr ds:[xxxxxxxx]"
003B151A 5E pop esi ; restore the table pointer saved at 003B140B
003B152A F2:66:AF repne scas word ptr es :[edi ] ; scan for FF 25
003B1532 8B1F mov ebx , dword ptr ds :[edi ] ; operand of the matched jmp
003B1539 81E3 00000080 and ebx , 80000000
003B1556 81FB 00000080 cmp ebx , 80000000 ; tagged?
003B155C /0F85 5B010000 jnz 003B16BD ; no: skip
003B158F 8B1F mov ebx , dword ptr ds :[edi ]
003B15BE 81E3 FFFFFF7F and ebx , 7FFFFFFF ; strip the tag bit
003B15F1 3B9D 33D64100 cmp ebx , dword ptr ss :[ebp +41D633] ; Try.00411000 -- lower bound
003B15F7 /0F82 A9000000 jb 003B16A6
003B1614 3B9D 2FD64100 cmp ebx , dword ptr ss :[ebp +41D62F] ; Try.0041F01B -- upper bound
003B161A /77 5D ja short 003B1679
003B1621 833E FF cmp dword ptr ds :[esi ], -1 ; sentinel check as above
003B1629 /0F84 C5000000 je 003B16F4
003B1634 8B1B mov ebx , dword ptr ds :[ebx ] ; resolved API address from the IAT slot
003B163B 891E mov dword ptr ds :[esi ], ebx ; into the packer's table
003B166A 8937 mov dword ptr ds :[edi ], esi ; redirect the jmp operand (nop out when unpacking)
003B166A 8937 mov dword ptr ds :[edi ], esi ; (duplicated line in the dump)
003B16D4 83F9 00 cmp ecx , 0
003B16D7 ^ 0F85 48FEFFFF jnz 003B1525 ; loop over the whole section
003B170B 61 popad ; the purge is over :D
最初由 forgot 发布 你在线怎么不回话?:D 被我抓到了~~
刚睡醒,头晕......
昨晚要我跟的东西我忘记了!看[圣斗士]睡着了. :D
的确不错,看了头晕
[最后的战役]:)
; ------------------------------------------------------ The final battle
; copy the resolved kernel32 file-API pointers into the table at ebp+41FAA0..41FAB4
003B174E 8B85 DBCE4100 mov eax , dword ptr ss :[ebp +41CEDB] ; kernel32.CreateFileA
003B1759 8985 A0FA4100 mov dword ptr ss :[ebp +41FAA0], eax ; kernel32.CreateFileA
003B177B 8B85 CFCE4100 mov eax , dword ptr ss :[ebp +41CECF] ; kernel32.ReadFile
003B1786 8985 A4FA4100 mov dword ptr ss :[ebp +41FAA4], eax ; kernel32.ReadFile
003B1796 8B85 DFCE4100 mov eax , dword ptr ss :[ebp +41CEDF] ; kernel32.WriteFile
003B17A1 8985 A8FA4100 mov dword ptr ss :[ebp +41FAA8], eax ; kernel32.WriteFile
003B17D9 8B85 CBCE4100 mov eax , dword ptr ss :[ebp +41CECB] ; kernel32.SetFilePointer
003B17F6 8985 ACFA4100 mov dword ptr ss :[ebp +41FAAC], eax ; kernel32.SetFilePointer
003B182E 8B85 E3CE4100 mov eax , dword ptr ss :[ebp +41CEE3] ; kernel32.CloseHandle
003B184B 8985 B0FA4100 mov dword ptr ss :[ebp +41FAB0], eax ; kernel32.CloseHandle
003B1895 8B85 EFCE4100 mov eax , dword ptr ss :[ebp +41CEEF] ; kernel32.DeleteFileA
003B18A0 8985 B4FA4100 mov dword ptr ss :[ebp +41FAB4], eax ; kernel32.DeleteFileA
003B18F4 8D85 DC5C4000 lea eax , dword ptr ss :[ebp +405CDC]
; one last int3 -- according to the author it restores the interrupt vector (the handler the driver installed)
003B1949 60 pushad
003B194F B8 534E5552 mov eax , 52554E53 ; magic value; the bytes in memory read 'S','N','U','R' -- presumably checked by the int3 handler, verify
003B1959 BB 0ECA4100 mov ebx , 41CA0E
003B1975 03DD add ebx , ebp ; ebx = ebp-relative data block handed to the handler
003B197C CC int3; wrap-up: trap into the handler installed by the ring0 component
003B1982 61 popad 003B198D 80BD F0344200 0>cmp byte ptr ss :[ebp +4234F0], 1 ; running on NT? then release the driver that was dropped earlier (used to obtain ring0); the driver write, service creation and these handle closes are the loud, observable part of this packer
003B1994 /0F85 93010000 jnz 003B1B2D
003B19C7 8D85 E35C4000 lea eax , dword ptr ss :[ebp +405CE3]; junk
003B1A37 FFB5 546C4000 push dword ptr ss :[ebp +406C54] ; driver handle
003B1A3D FF95 50724000 call dword ptr ss :[ebp +407250] ; kernel32.CloseHandle
003B1A89 FFB5 586C4000 push dword ptr ss :[ebp +406C58] ; service handle
003B1A8F FF95 DD724000 call dword ptr ss :[ebp +4072DD] ; advapi32.CloseServiceHandle
003B1AEF FFB5 3A6C4000 push dword ptr ss :[ebp +406C3A] ; second service-manager handle
003B1AF5 FF95 DD724000 call dword ptr ss :[ebp +4072DD] ; advapi32.CloseServiceHandle
; decrypt the OEP
003B1B5F 8B85 F8D54100 mov eax , dword ptr ss :[ebp +41D5F8] ; eax = encoded OEP RVA
003B1B81 53 push ebx ; Try.00418000 -- preserve ebx/ecx/edx around the bit loop
003B1BAF 51 push ecx ; advapi32.77DA214E
003B1BC7 52 push edx
003B1BC8 33D2 xor edx , edx ; edx accumulates the decoded value
003B1BCF B9 20000000 mov ecx , 20 ; 32 iterations, cl doubles as the shift count
003B1BD4 33DB xor ebx , ebx ; Try.00418000
003B1BD6 D1F8 sar eax , 1 ; shift the next bit of eax out into CF
003B1BDD 0F92C3 setb bl ; bl = that bit
003B1BE0 D3E3 shl ebx , cl ; place it at bit position cl (count is masked to 5 bits, so the first pass with cl=20h shifts by 0)
003B1BE7 03D3 add edx , ebx ; i.e. a bit permutation of eax: bit 0 stays, bit k moves to 32-k
003B1BE9 ^\E2 E9 loopd short 003B1BD4
003B1BEB 8BC2 mov eax , edx ; eax = OEP RVA
003B1C04 5A pop edx
003B1C05 59 pop ecx
003B1C0B 5B pop ebx ; Try.00418000
003B1C43 8B9D DCD34100 mov ebx , dword ptr ss :[ebp +41D3DC] ; Try.00400000 -- image base
003B1C76 03C3 add eax , ebx ; Try.00400000 -- eax = image base + RVA
; now eax is 0040E2FD, the OEP :) -- one could dump and fix right here; let's walk it to the end
003B1C7D 8985 3BD64100 mov dword ptr ss :[ebp +41D63B], eax ; Try.0040E2FD -- stash the OEP
003B1CD1 80BD 24D64100 0>cmp byte ptr ss :[ebp +41D624], 1
003B1CD8 0F85 04010000 jnz 003B1DE2 ; taken; unclear what is skipped
003B1DF9 /E9 C4000000 jmp 003B1EC2
003B1EE3 8D85 E45C4000 lea eax , dword ptr ss :[ebp +405CE4]
003B1F0B C785 55384200 0>mov dword ptr ss :[ebp +423855], 0 ; zero the function pointer that 003BBD71 calls through
003B1F1A 8BC5 mov eax , ebp ; eax = loader delta, survives the register restore below
003B1F21 5B pop ebx
003B1F22 59 pop ecx
003B1F23 5A pop edx
003B1F24 5E pop esi
003B1F25 5F pop edi
003B1F26 5D pop ebp ; caller's ebp is back; loader data is addressed via eax from here on
003B1F3E 9D popfd 003B1F6D FFB0 3BD64100 push dword ptr ds :[eax +41D63B] ; push the stashed OEP (popped again at 003BBD78)
003B1F78 C780 3BD64100 0>mov dword ptr ds :[eax +41D63B], 0 ; and wipe the stored copy so it cannot be read from a later dump
003B1FAF /E9 CE620000 jmp 003B8282
003B8287 56 push esi ; ntdll.77F57D70
003B82B5 51 push ecx
003B82BB BE CD584000 mov esi , 4058CD ; start of the loader region (eax-relative)
003B82C5 03F0 add esi , eax
003B82CC B9 82820100 mov ecx , 18282 ; byte count to wipe
003B8330 C606 00 mov byte ptr ds :[esi ], 0 ; erase the loader -- zero 18282h bytes of its own code/data; a memory dump must be taken before this loop runs
003B8338 46 inc esi
003B833E 49 dec ecx
003B8356 83F9 00 cmp ecx , 0
003B8359 ^ 75 A8 jnz short 003B8303
003B839F 59 pop ecx ; 0012FFB0
003B83B7 5E pop esi
003B83CF /E9 81390000 jmp 003BBD55
003BBD55 60 pushad
003BBD56 8BF0 mov esi , eax ; esi = loader delta
003BBD58 B8 4A344200 mov eax , 42344A
003BBD5D 03C6 add eax , esi ; eax -> loader data at +42344A
003BBD5F BB 59384200 mov ebx , 423859
003BBD64 03DE add ebx , esi ; ebx -> loader data at +423859
003BBD66 803B 00 cmp byte ptr ds :[ebx ], 0 ; empty? then skip the call
003BBD69 74 0C je short 003BBD77
003BBD6B 6A 00 push 0
003BBD6D 50 push eax
003BBD6E 53 push ebx
003BBD6F 6A 00 push 0
003BBD71 FF96 55384200 call dword ptr ds :[esi +423855] ; 4-arg call through the pointer zeroed at 003B1F0B; the (0, buf, buf, 0) shape resembles a MessageBoxA-style call -- unconfirmed
003BBD77 61 popad
003BBD78 58 pop eax ; eax = the OEP pushed at 003B1F6D
003BBD79 83F8 FF cmp eax , -1 ; -1 = no entry point
003BBD7C 75 05 jnz short 003BBD83
003BBD7E 33C0 xor eax , eax ; return 0 to the caller with three stack args discarded
003BBD80 C2 0C00 retn 0C
003BBD83 FFE0 jmp eax ; off to the OEP!!!
0040E2FD 55 push ebp ; Dump & fix the dump here; a little clean-up is all that is needed
0040E2FE 8BEC mov ebp , esp
0040E300 6A FF push -1 ; start of the usual MSVC CRT entry: SEH frame setup
0040E302 68 F83A4100 push Try.00413AF8
0040E307 68 84E44000 push Try.0040E484 ; jmp to msvcrt._except_handler3
0040E30C 64:A1 00000000 mov eax , dword ptr fs :[0]
.........
; This is the IAT. ImportREC can find all of it: because the Magic Jump was patched, every entry is valid.
OEP: 0000E2FD IATRVA: 00011000 IATSize: 000003B8
FThunk: 00011000 NbFunc: 00000005
1 00011000 advapi32.dll 01CD RegCreateKeyExA
1 00011004 advapi32.dll 01E2 RegOpenKeyExA
1 00011008 advapi32.dll 01D9 RegEnumValueA
1 0001100C advapi32.dll 01F9 RegSetValueExA
1 00011010 advapi32.dll 01C9 RegCloseKey
FThunk: 00011018 NbFunc: 00000003
1 00011018 gdi32.dll 0196 GetObjectA
1 0001101C gdi32.dll 002E CreateCompatibleDC
1 00011020 gdi32.dll 0013 BitBlt
FThunk: 00011028 NbFunc: 00000017
1 00011028 kernel32.dll 0385 WriteFile
1 0001102C kernel32.dll 0374 WaitForSingleObject
1 00011030 kernel32.dll 0185 GetOverlappedResult
1 00011034 kernel32.dll 004A CreateEventA
1 00011038 kernel32.dll 0030 CloseHandle
1 0001103C kernel32.dll 004E CreateFileA
1 00011040 kernel32.dll 0162 GetLastError
1 00011044 kernel32.dll 00AF EscapeCommFunction
1 00011048 kernel32.dll 0101 GetCommState
1 0001104C kernel32.dll 0284 PurgeComm
1 00011050 kernel32.dll 02CB SetCommMask
1 00011054 kernel32.dll 02CC SetCommState
1 00011058 kernel32.dll 02CD SetCommTimeouts
1 0001105C kernel32.dll 0334 SetupComm
1 00011060 kernel32.dll 0084 DeviceIoControl
1 00011064 kernel32.dll 01D5 GetVersionExA
1 00011068 kernel32.dll 016D GetModuleFileNameA
1 0001106C kernel32.dll 016F GetModuleHandleA
1 00011070 kernel32.dll 01D7 GetVolumeInformationA
1 00011074 kernel32.dll 01B5 GetSystemTime
1 00011078 kernel32.dll 01A6 GetStartupInfoA
1 0001107C kernel32.dll 002E ClearCommError
1 00011080 kernel32.dll 029D ReadFile
FThunk: 00011088 NbFunc: 0000009D
1 00011088 mfc42.dll 0BA9
1 0001108C mfc42.dll 0BA6
1 00011090 mfc42.dll 13C9
1 00011094 mfc42.dll 06BF
1 00011098 mfc42.dll 148D
1 0001109C mfc42.dll 098E
1 000110A0 mfc42.dll 084C
1 000110A4 mfc42.dll 1479
1 000110A8 mfc42.dll 0BA6
1 000110AC mfc42.dll 0BA6
1 000110B0 mfc42.dll 0BA6
1 000110B4 mfc42.dll 06F0
1 000110B8 mfc42.dll 0C40
1 000110BC mfc42.dll 0807
1 000110C0 mfc42.dll 18E8
1 000110C4 mfc42.dll 0C09
1 000110C8 mfc42.dll 0BA0
1 000110CC mfc42.dll 0EF6
1 000110D0 mfc42.dll 0EF1
1 000110D4 mfc42.dll 0EF1
1 000110D8 mfc42.dll 0BA6
1 000110DC mfc42.dll 0FF0
1 000110E0 mfc42.dll 1213
1 000110E4 mfc42.dll 1149
1 000110E8 mfc42.dll 0E0D
1 000110EC mfc42.dll 0144
1 000110F0 mfc42.dll 0281
1 000110F4 mfc42.dll 108A
1 000110F8 mfc42.dll 0CBE
1 000110FC mfc42.dll 08F1
1 00011100 mfc42.dll 1021
1 00011104 mfc42.dll 03AB
1 00011108 mfc42.dll 0B02
1 0001110C mfc42.dll 0A36
1 00011110 mfc42.dll 0490
1 00011114 mfc42.dll 0219
1 00011118 mfc42.dll 0486
1 0001111C mfc42.dll 03AD
1 00011120 mfc42.dll 1613
1 00011124 mfc42.dll 0C37
1 00011128 mfc42.dll 0E20
1 0001112C mfc42.dll 0299
1 00011130 mfc42.dll 07BB
1 00011134 mfc42.dll 18F1
1 00011138 mfc42.dll 1442
1 0001113C mfc42.dll 015E
1 00011140 mfc42.dll 0162
1 00011144 mfc42.dll 04B0
1 00011148 mfc42.dll 18BE
1 0001114C mfc42.dll 16E0
1 00011150 mfc42.dll 0A52
1 00011154 mfc42.dll 175D
1 00011158 mfc42.dll 0C14
1 0001115C mfc42.dll 1542
1 00011160 mfc42.dll 1837
1 00011164 mfc42.dll 1A7A
1 00011168 mfc42.dll 188B
1 0001116C mfc42.dll 19F8
1 00011170 mfc42.dll 0942
1 00011174 mfc42.dll 12E5
1 00011178 mfc42.dll 10B2
1 0001117C mfc42.dll 18E7
1 00011180 mfc42.dll 1186
1 00011184 mfc42.dll 1159
1 00011188 mfc42.dll 0A58
1 0001118C mfc42.dll 1663
1 00011190 mfc42.dll 0F52
1 00011194 mfc42.dll 0441
1 00011198 mfc42.dll 144F
1 0001119C mfc42.dll 095C
1 000111A0 mfc42.dll 0D12
1 000111A4 mfc42.dll 14B4
1 000111A8 mfc42.dll 14B6
1 000111AC mfc42.dll 0AA5
1 000111B0 mfc42.dll 0FEF
1 000111B4 mfc42.dll 125A
1 000111B8 mfc42.dll 14BB
1 000111BC mfc42.dll 14A9
1 000111C0 mfc42.dll 1652
1 000111C4 mfc42.dll 120E
1 000111C8 mfc42.dll 1148
1 000111CC mfc42.dll 0E9A
1 000111D0 mfc42.dll 0231
1 000111D4 mfc42.dll 032F
1 000111D8 mfc42.dll 035C
1 000111DC mfc42.dll 0A3D
1 000111E0 mfc42.dll 046E
1 000111E4 mfc42.dll 096B
1 000111E8 mfc42.dll 0BA6
1 000111EC mfc42.dll 06F0
1 000111F0 mfc42.dll 112C
1 000111F4 mfc42.dll 14AA
1 000111F8 mfc42.dll 0D4A
1 000111FC mfc42.dll 0DF6
1 00011200 mfc42.dll 047A
1 00011204 mfc42.dll 0237
1 00011208 mfc42.dll 08FB
1 0001120C mfc42.dll 08FE
1 00011210 mfc42.dll 06F7
1 00011214 mfc42.dll 1040
1 00011218 mfc42.dll 0B2F
1 0001121C mfc42.dll 094B
1 00011220 mfc42.dll 0DF3
1 00011224 mfc42.dll 0E2A
1 00011228 mfc42.dll 096E
1 0001122C mfc42.dll 02F3
1 00011230 mfc42.dll 01D6
1 00011234 mfc42.dll 0280
1 00011238 mfc42.dll 1699
1 0001123C mfc42.dll 0668
1 00011240 mfc42.dll 0143
1 00011244 mfc42.dll 0669
1 00011248 mfc42.dll 0B2B
1 0001124C mfc42.dll 0A5C
1 00011250 mfc42.dll 1631
1 00011254 mfc42.dll 0685
1 00011258 mfc42.dll 0CF6
1 0001125C mfc42.dll 10B5
1 00011260 mfc42.dll 168D
1 00011264 mfc42.dll 039E
1 00011268 mfc42.dll 021C
1 0001126C mfc42.dll 0E4F
1 00011270 mfc42.dll 19AB
1 00011274 mfc42.dll 074F
1 00011278 mfc42.dll 0337
1 0001127C mfc42.dll 0339
1 00011280 mfc42.dll 0320
1 00011284 mfc42.dll 0ED6
1 00011288 mfc42.dll 14A0
1 0001128C mfc42.dll 1101
1 00011290 mfc42.dll 18E6
1 00011294 mfc42.dll 142B
1 00011298 mfc42.dll 0951
1 0001129C mfc42.dll 1479
1 000112A0 mfc42.dll 1137
1 000112A4 mfc42.dll 06EF
1 000112A8 mfc42.dll 0EF1
1 000112AC mfc42.dll 17A4
1 000112B0 mfc42.dll 09D2
1 000112B4 mfc42.dll 1266
1 000112B8 mfc42.dll 0A18
1 000112BC mfc42.dll 12F5
1 000112C0 mfc42.dll 1118
1 000112C4 mfc42.dll 1479
1 000112C8 mfc42.dll 184F
1 000112CC mfc42.dll 10B6
1 000112D0 mfc42.dll 164E
1 000112D4 mfc42.dll 035A
1 000112D8 mfc42.dll 039A
1 000112DC mfc42.dll 0217
1 000112E0 mfc42.dll 106C
1 000112E4 mfc42.dll 09FA
1 000112E8 mfc42.dll 09D0
1 000112EC mfc42.dll 0B67
1 000112F0 mfc42.dll 1241
1 000112F4 mfc42.dll 0261
1 000112F8 mfc42.dll 0628
FThunk: 00011300 NbFunc: 0000001E
1 00011300 msvcrt.dll 00EE _except_handler3
1 00011304 msvcrt.dll 009A __set_app_type
1 00011308 msvcrt.dll 0087 __p__fmode
1 0001130C msvcrt.dll 0082 __p__commode
1 00011310 msvcrt.dll 00B7 _adjust_fdiv
1 00011314 msvcrt.dll 009C __setusermatherr
1 00011318 msvcrt.dll 013B _initterm
1 0001131C msvcrt.dll 006F __getmainargs
1 00011320 msvcrt.dll 00A9 _acmdln
1 00011324 msvcrt.dll 0290 exit
1 00011328 msvcrt.dll 0050 _XcptFilter
1 0001132C msvcrt.dll 00F7 _exit
1 00011330 msvcrt.dll 01B4 _onexit
1 00011334 msvcrt.dll 006C __dllonexit
1 00011338 msvcrt.dll 0284 atoi
1 0001133C msvcrt.dll 018C _mbsicmp
1 00011340 msvcrt.dll 02FB srand
1 00011344 msvcrt.dll 02ED rand
1 00011348 msvcrt.dll 02D8 malloc
1 0001134C msvcrt.dll 02A5 free
1 00011350 msvcrt.dll 00D7 _controlfp
1 00011354 msvcrt.dll 0317 time
1 00011358 msvcrt.dll 0307 strncmp
1 0001135C msvcrt.dll 0160 _itoa
1 00011360 msvcrt.dll 0054 __CxxFrameHandler
1 00011364 msvcrt.dll 0186 _mbscmp
1 00011368 msvcrt.dll 02F9 sprintf
1 0001136C msvcrt.dll 030A strrchr
1 00011370 msvcrt.dll 0308 strncpy
1 00011374 msvcrt.dll 01DE _setmbcp
FThunk: 0001137C NbFunc: 00000001
1 0001137C netapi32.dll 0100 Netbios
FThunk: 00011384 NbFunc: 0000000C
1 00011384 user32.dll 010D GetDC
1 00011388 user32.dll 01B6 LoadBitmapA
1 0001138C user32.dll 01A7 IsIconic
1 00011390 user32.dll 0009 AppendMenuA
1 00011394 user32.dll 0100 GetClientRect
1 00011398 user32.dll 00B7 DrawIcon
1 0001139C user32.dll 015D GetSystemMenu
1 000113A0 user32.dll 015E GetSystemMetrics
1 000113A4 user32.dll 0194 InvalidateRect
1 000113A8 user32.dll 01BC LoadIconA
1 000113AC user32.dll 00C5 EnableWindow
1 000113B0 user32.dll 023C SendMessageA
最初由 forgot 发布 有没有冥王完结篇? 我昨天睡的也太晚了,头昏。 跟完了上来。
不知道啊!我还没有看最后一张碟是什么呢!
你要的东西!
003B073A E8 4A2A0000 CALL 003B3189
// inside the CALL:
003B31A5 B8 01000000 MOV EAX, 1
003B31D7 83BD 9ED24100 0>CMP DWORD PTR [EBP+41D29E], 0
003B31E3 /0F84 C6120000 JE 003B44AF
// the jump skips the registration option!
003B44DC C3 RETN
// returns to a different place -- watch this...
003B44DC C3 RETN
// returns again (same address repeated in the dump)
全部贴完.
在5楼贴上part 5
13楼贴上part 6.
下一步到IAT了,呵呵.