【Title】: A look inside 虚拟分区魔术师 (Virtual Partition Magician)
【Author】: 小娃崽[DFCG]
【Author e-mail】: wanzailuan@yahoo.com.cn
【Author homepage】: none
【Software】: 虚拟分区魔术师 (Virtual Partition Magician)
【Size】: 404 KB
【Download】: http://www.skycn.com/soft/15987.html
【Packer】: ASPack
【Protection】: feature limitation (trial restriction)
【Language】: Delphi
【Tools】: DeDe, OllyDbg
【Platform】: Windows XP SP2
【Author's note】: Done purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
I downloaded this program from Skycn today intending to practise analysing a registration algorithm, but DeDe could not find a handler for any registration button. The feature limitation is easy to remove, but fearing the author might have left a hidden trap, I decided to look at how the virtual partition is actually implemented. It turned out to be very easy to analyse.
* Possible String Reference to: '殍 ??_^[?]?
|
004B1A83 68EB214B00 push $004B21EB
***** TRY
|
004B1A88 64FF30 push dword ptr fs:[eax]
004B1A8B 648920 mov fs:[eax], esp
* Reference to TfrmVirtualDrive instance
|
004B1A8E A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B1A93 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B1A95 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B1A9B 8B802C020000 mov eax, [eax+$022C]
* Reference to: ComCtrls.TTreeNodes.GetCount(TTreeNodes):Integer;
|
004B1AA1 E8CADFFBFF call 0046FA70
// get the item count of the ListView; jl is taken only when the count is below 3, so 3 or more entries triggers the registration prompt
004B1AA6 83F803 cmp eax, +$03
004B1AA9 7C4C jl 004B1AF7
=======================================================================
(omitted)
=======================================================================
004B1AF7 8D9520FEFFFF lea edx, [ebp+$FFFFFE20]
// count < 3 jumps here
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1AFD 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1B03 E81CCFF8FF call 0043EA24
// get the virtual drive letter typed into Edit1
004B1B08 8B8520FEFFFF mov eax, [ebp+$FFFFFE20]
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004B1B0E E8ED31F5FF call 00404D00
// as the name says, converts the string to a PAnsiChar
004B1B13 50 push eax
// push it as the argument
* Reference to: ?GetDriveTypeA()
|
004B1B14 E88F53F5FF call 00406EA8
// get the drive type
004B1B19 83F802 cmp eax, +$02
// is it DRIVE_REMOVABLE (2)?
004B1B1C 752B jnz 004B1B49
// if not, jump; otherwise report that the drive letter already exists
...... (some code omitted)
004B1B49 8D951CFEFFFF lea edx, [ebp+$FFFFFE1C]
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1B4F 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1B55 E8CACEF8FF call 0043EA24
004B1B5A 8B851CFEFFFF mov eax, [ebp+$FFFFFE1C]
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004B1B60 E89B31F5FF call 00404D00
004B1B65 50 push eax
* Reference to: ?GetDriveTypeA()
|
004B1B66 E83D53F5FF call 00406EA8
004B1B6B 83F804 cmp eax, +$04
// is it DRIVE_REMOTE (4)?
004B1B6E 752B jnz 004B1B9B
// if not, jump; otherwise report that the drive letter already exists
...... (some code omitted)
004B1B9B 8D9518FEFFFF lea edx, [ebp+$FFFFFE18]
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1BA1 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1BA7 E878CEF8FF call 0043EA24
004B1BAC 8B8518FEFFFF mov eax, [ebp+$FFFFFE18]
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004B1BB2 E84931F5FF call 00404D00
004B1BB7 50 push eax
* Reference to: ?GetDriveTypeA()
|
004B1BB8 E8EB52F5FF call 00406EA8
004B1BBD 83F805 cmp eax, +$05
// is it DRIVE_CDROM (5)?
004B1BC0 752B jnz 004B1BED
// if not, jump; otherwise report that the drive letter already exists
...... (some code omitted)
004B1BED 8D9514FEFFFF lea edx, [ebp+$FFFFFE14]
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1BF3 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1BF9 E826CEF8FF call 0043EA24
004B1BFE 8B8514FEFFFF mov eax, [ebp+$FFFFFE14]
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004B1C04 E8F730F5FF call 00404D00
004B1C09 50 push eax
* Reference to: ?GetDriveTypeA()
|
004B1C0A E89952F5FF call 00406EA8
004B1C0F 83F806 cmp eax, +$06
// is it DRIVE_RAMDISK (6)?
004B1C12 752B jnz 004B1C3F
// if not, jump; otherwise report that the drive letter already exists
...... (some code omitted)
**********************************************************************************
At this point the author's checks look redundant. Looking up GetDriveTypeA: if the specified root does not exist it returns 1 (DRIVE_NO_ROOT_DIR, "no volume is mounted at the specified path"), so a single comparison of the return value with 1 is enough to decide whether the drive letter we want to create is already taken, instead of testing every drive type in turn. One caveat for anyone writing that check: 0 (DRIVE_UNKNOWN) means the type could not be determined, not that the letter is free, so the comparison must be against 1 specifically, and the argument should be a root path with a trailing backslash such as "H:\".
**********************************************************************************
...... (some code omitted)
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
* Reference to field TsuiCheckBox.OFFS_0260
|
004B1D21 80B86002000000 cmp byte ptr [eax+$0260], $00
// checks whether the "encrypt" box is ticked
004B1D28 0F85A4000000 jnz 004B1DD2
004B1D2E 33DB xor ebx, ebx
004B1D30 8D8508FEFFFF lea eax, [ebp+$FFFFFE08]
* Reference to control TfrmCreateDrive.DriveComboBox1 : TDriveComboBox
|
004B1D36 8B9630030000 mov edx, [esi+$0330]
// edx <- DriveComboBox1
* Reference to field TDriveComboBox.Drive : Char
|
004B1D3C 8A9294020000 mov dl, byte ptr [edx+$0294]
// dl <- DriveComboBox1.Drive (the source drive letter)
* Reference to: System.@LStrFromChar(String;String;Char);
|
004B1D42 E8E92CF5FF call 00404A30
004B1D47 FFB508FEFFFF push dword ptr [ebp+$FFFFFE08]
* Possible String Reference to: ':\Disk'
|
004B1D4D 68DC224B00 push $004B22DC
004B1D52 8D9504FEFFFF lea edx, [ebp+$FFFFFE04]
004B1D58 8BC3 mov eax, ebx
* Reference to: Unit_00407DD8.Proc_00408F0C
|
004B1D5A E8AD71F5FF call 00408F0C
// Proc_00408F0C takes the counter in ebx (passed in eax) and returns its string form in [ebp+$FFFFFE04]; this is the number appended to 'Disk'
004B1D5F FFB504FEFFFF push dword ptr [ebp+$FFFFFE04]
* Possible String Reference to: '.{00021401-0000-0000-C000-000000000
| 046}'
|
004B1D65 68EC224B00 push $004B22EC
004B1D6A 8D45FC lea eax, [ebp-$04]
004B1D6D BA04000000 mov edx, $00000004
* Reference to: System.Proc_00404BC8
|
004B1D72 E8512EF5FF call 00404BC8
// this call concatenates 4 parts (edx = 4) into [ebp-$04]: DriveComboBox1.Drive + ':\Disk' + <counter> + '.{00021401-0000-0000-C000-000000000046}'
004B1D77 EB48 jmp 004B1DC1
////////////////////////////// 004B1D79--004B1DCB is a loop ////////////////////////////////////////////////////
004B1D79 43 inc ebx
004B1D7A 8D8500FEFFFF lea eax, [ebp+$FFFFFE00]
* Reference to control TfrmCreateDrive.DriveComboBox1 : TDriveComboBox
|
004B1D80 8B9630030000 mov edx, [esi+$0330]
// edx <- DriveComboBox1
* Reference to field TDriveComboBox.Drive : Char
|
004B1D86 8A9294020000 mov dl, byte ptr [edx+$0294]
// dl <- DriveComboBox1.Drive
* Reference to: System.@LStrFromChar(String;String;Char);
|
004B1D8C E89F2CF5FF call 00404A30
004B1D91 FFB500FEFFFF push dword ptr [ebp+$FFFFFE00]
* Possible String Reference to: ':\Disk'
|
004B1D97 68DC224B00 push $004B22DC
004B1D9C 8D95FCFDFFFF lea edx, [ebp+$FFFFFDFC]
004B1DA2 8BC3 mov eax, ebx
* Reference to: Unit_00407DD8.Proc_00408F0C
|
004B1DA4 E86371F5FF call 00408F0C
004B1DA9 FFB5FCFDFFFF push dword ptr [ebp+$FFFFFDFC]
* Possible String Reference to: '.{00021401-0000-0000-C000-000000000
| 046}'
|
004B1DAF 68EC224B00 push $004B22EC
004B1DB4 8D45FC lea eax, [ebp-$04]
004B1DB7 BA04000000 mov edx, $00000004
* Reference to: System.Proc_00404BC8
|
004B1DBC E8072EF5FF call 00404BC8
// this call returns '<source drive>:\Disk0.{00021401-0000-0000-C000-000000000046}'
// e.g. F:\Disk0.{00021401-0000-0000-C000-000000000046}
(jump target from 004B1D77)
004B1DC1 8B45FC mov eax, [ebp-$04]
* Reference to: FileCtrl.DirectoryExists(AnsiString):Boolean;
|
004B1DC4 E807D9FFFF call 004AF6D0 // tests whether the directory exists
004B1DC9 84C0 test al, al
004B1DCB 75AC jnz 004B1D79
////////////////////////////// 004B1D79--004B1DCB is a loop ////////////////////////////////////////////////////
This loop tests whether the directory '<source drive>:\Disk.{00021401-0000-0000-C000-000000000046}' exists and, if it does, tries Disk0, Disk1 and so on until it finds a name that is not taken.
004B1DCD E9A9000000 jmp 004B1E7B
// jump once the check is done
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ code path when "encrypt" is selected @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
004B1DD2 33DB xor ebx, ebx
004B1DD4 8D85F8FDFFFF lea eax, [ebp+$FFFFFDF8]
* Reference to control TfrmCreateDrive.DriveComboBox1 : TDriveComboBox
|
004B1DDA 8B9630030000 mov edx, [esi+$0330]
* Reference to field TDriveComboBox.Drive : Char
|
004B1DE0 8A9294020000 mov dl, byte ptr [edx+$0294]
* Reference to: System.@LStrFromChar(String;String;Char);
|
004B1DE6 E8452CF5FF call 00404A30
004B1DEB FFB5F8FDFFFF push dword ptr [ebp+$FFFFFDF8]
* Possible String Reference to: ':\Recycled\VDSys.{00021401-0000-000
| 0-C000-000000000046}\'
|
004B1DF1 681C234B00 push $004B231C
* Possible String Reference to: 'Disk'
|
004B1DF6 6860234B00 push $004B2360
004B1DFB 8D95F4FDFFFF lea edx, [ebp+$FFFFFDF4]
004B1E01 8BC3 mov eax, ebx
* Reference to: Unit_00407DD8.Proc_00408F0C
|
004B1E03 E80471F5FF call 00408F0C
004B1E08 FFB5F4FDFFFF push dword ptr [ebp+$FFFFFDF4]
* Possible String Reference to: '.{00021401-0000-0000-C000-000000000
| 046}'
|
004B1E0E 68EC224B00 push $004B22EC
004B1E13 8D45FC lea eax, [ebp-$04]
004B1E16 BA05000000 mov edx, $00000005
* Reference to: System.Proc_00404BC8
|
004B1E1B E8A82DF5FF call 00404BC8
004B1E20 EB4D jmp 004B1E6F
/////////////////////////////////////////////// 004B1E22--004B1E79 is also a loop //////////////////////////
004B1E22 43 inc ebx
004B1E23 8D85F0FDFFFF lea eax, [ebp+$FFFFFDF0]
* Reference to control TfrmCreateDrive.DriveComboBox1 : TDriveComboBox
|
004B1E29 8B9630030000 mov edx, [esi+$0330]
* Reference to field TDriveComboBox.Drive : Char
|
004B1E2F 8A9294020000 mov dl, byte ptr [edx+$0294]
* Reference to: System.@LStrFromChar(String;String;Char);
|
004B1E35 E8F62BF5FF call 00404A30
004B1E3A FFB5F0FDFFFF push dword ptr [ebp+$FFFFFDF0]
* Possible String Reference to: ':\Recycled\VDSys.{00021401-0000-000
| 0-C000-000000000046}\'
|
004B1E40 681C234B00 push $004B231C
* Possible String Reference to: 'Disk'
|
004B1E45 6860234B00 push $004B2360
004B1E4A 8D95ECFDFFFF lea edx, [ebp+$FFFFFDEC]
004B1E50 8BC3 mov eax, ebx
* Reference to: Unit_00407DD8.Proc_00408F0C
|
004B1E52 E8B570F5FF call 00408F0C
004B1E57 FFB5ECFDFFFF push dword ptr [ebp+$FFFFFDEC]
* Possible String Reference to: '.{00021401-0000-0000-C000-000000000
| 046}'
|
004B1E5D 68EC224B00 push $004B22EC
004B1E62 8D45FC lea eax, [ebp-$04]
004B1E65 BA05000000 mov edx, $00000005
* Reference to: System.Proc_00404BC8
|
004B1E6A E8592DF5FF call 00404BC8
004B1E6F 8B45FC mov eax, [ebp-$04]
* Reference to: FileCtrl.DirectoryExists(AnsiString):Boolean;
|
004B1E72 E859D8FFFF call 004AF6D0
004B1E77 84C0 test al, al
004B1E79 75A7 jnz 004B1E22
/////////////////////////////////////////////// 004B1E22--004B1E79 is also a loop //////////////////////////
// "Encrypted" and plain differ only in where the directory is created. The encrypted variant concatenates 5 parts (edx = 5 at 004B1E16): drive letter + ':\Recycled\VDSys.{00021401-0000-0000-C000-000000000046}\' + 'Disk' + <counter> + '.{00021401-0000-0000-C000-000000000046}', i.e. <source drive>:\Recycled\VDSys.{00021401-0000-0000-C000-000000000046}\Disk<n>.{00021401-0000-0000-C000-000000000046}, with the same Disk, Disk0, Disk1 progression. Nothing is encrypted: {00021401-0000-0000-C000-000000000046} is the ShellLink CLSID, and a folder name carrying that suffix only changes how Explorer displays it; the command line or any other tool reads the contents as-is.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
// jumps to here
004B1E7B 8B45FC mov eax, [ebp-$04]
* Reference to: FileCtrl.DirectoryExists(AnsiString):Boolean;
|
004B1E7E E855D8FFFF call 004AF6D8
// tedious: another directory check? Note the target is 004AF6D8, eight bytes past the DirectoryExists routine at 004AF6D0 used in the loops, so DeDe's label may just be the nearest known symbol and this may be a neighbouring FileCtrl routine rather than a repeat of the existence test.
004B1E83 8D95E8FDFFFF lea edx, [ebp+$FFFFFDE8]
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1E89 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1E8F E890CBF8FF call 0043EA24
// get the virtual drive letter
004B1E94 8B85E8FDFFFF mov eax, [ebp+$FFFFFDE8]
004B1E9A 8D4DF8 lea ecx, [ebp-$08]
004B1E9D BA01000000 mov edx, $00000001
* Reference to: Clipbrd.Proc_00438440
|
004B1EA2 E89965F8FF call 00438440
004B1EA7 6A00 push $00
* Possible String Reference to: 'subst '
|
004B1EA9 6870234B00 push $004B2370
004B1EAE FF75F8 push dword ptr [ebp-$08]
* Possible String Reference to: ': '
|
004B1EB1 6880234B00 push $004B2380
004B1EB6 FF75FC push dword ptr [ebp-$04]
//[ebp-$04]=F:\Disk.{00021401-0000-0000-C000-000000000046}
004B1EB9 8D85E4FDFFFF lea eax, [ebp+$FFFFFDE4]
004B1EBF BA04000000 mov edx, $00000004
* Reference to: System.Proc_00404BC8
|
004B1EC4 E8FF2CF5FF call 00404BC8
// concatenates the 4 parts: 'subst ' + <virtual letter> + ': ' + <directory>
004B1EC9 8B85E4FDFFFF mov eax, [ebp+$FFFFFDE4]
// result in eax, i.e. "subst H: F:\Disk1.{00021401-0000-0000-C000-000000000046}"
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004B1ECF E82C2EF5FF call 00404D00
// convert to PAnsiChar
004B1ED4 50 push eax
* Reference to: ?WinExec()
|
004B1ED5 E83651F5FF call 00407010
// WinExec("subst H: F:\Disk1.{00021401-0000-0000-C000-000000000046}", 0)   (the 0 is SW_HIDE, so no console window appears)
// so the "virtual partition" finally shows its true face: it is nothing more than the standard subst command mapping a drive letter to a directory
To summarise (F stands for the source drive letter):
1. Get the item count of the ListView; if there are already 3 or more entries, prompt for registration (cmp eax, 3 / jl).
2. Check whether the virtual drive letter already exists; if it does, tell the user.
3. If "encrypt" is not selected, run WinExec("subst <virtual>: <source>:\Disk.{00021401-0000-0000-C000-000000000046}", 0);
   if it is selected, run WinExec("subst <virtual>: <source>:\Recycled\VDSys.{00021401-0000-0000-C000-000000000046}\Disk.{00021401-0000-0000-C000-000000000046}", 0).
The first use of a source drive gives Disk, the second Disk0, the third Disk1, and so on; the encrypted variant numbers its directories the same way.
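The three steps above as a Python reimplementation. This is an added example, not code from the program or from the original post: it models the drive-letter check, the Disk/Disk0/Disk1 search and the `subst` command line the handler hands to WinExec. The numbering order (Disk first, then Disk0, Disk1, ...) follows the author's description and is an assumption, since the listing only shows the counter in ebx starting at 0 and Proc_00408F0C is unresolved; `get_drive_type` and the injectable `isdir` predicate are illustration helpers that do not exist in the binary.

```python
import ntpath
import os

# Return values of GetDriveType (winbase.h), in numeric order.
(DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED,
 DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK) = range(7)

# CLSID_ShellLink: a folder named "<name>.{CLSID}" is rendered by Explorer as
# that shell object, which is all the "hiding" the program does.
CLSID_SUFFIX = ".{00021401-0000-0000-C000-000000000046}"


def drive_letter_is_free(drive_type):
    """The author's shortcut: only DRIVE_NO_ROOT_DIR (1) means no volume is
    mounted at the root, so one comparison replaces the binary's chain of
    cmp 2 / cmp 4 / cmp 5 / cmp 6.  DRIVE_UNKNOWN (0) is *not* 'free'."""
    return drive_type == DRIVE_NO_ROOT_DIR


def get_drive_type(root):
    """Hypothetical helper (Windows only): GetDriveTypeW on a root like 'H:\\'."""
    import ctypes
    return ctypes.windll.kernel32.GetDriveTypeW(root)


def container_candidates(source_letter, encrypted):
    """Directory names the handler tries, in order.  Assumption: the progression
    Disk, Disk0, Disk1, ... is the author's description; the listing only shows
    the counter in ebx starting at 0."""
    root = source_letter.upper() + ":\\"
    if encrypted:
        root = ntpath.join(root, "Recycled", "VDSys" + CLSID_SUFFIX)
    suffix, n = "", 0
    while True:
        yield ntpath.join(root, "Disk" + suffix + CLSID_SUFFIX)
        suffix, n = str(n), n + 1


def next_free_container(source_letter, encrypted, isdir=os.path.isdir):
    """The DirectoryExists loop at 004B1D79/004B1E22: first name not yet present.
    `isdir` is injectable so the search can be exercised without a real drive."""
    for candidate in container_candidates(source_letter, encrypted):
        if not isdir(candidate):
            return candidate


def build_subst_command(virtual_letter, container):
    """The string handed to WinExec: 'subst ' + letter + ': ' + directory."""
    if len(virtual_letter) != 1 or not virtual_letter.isalpha():
        raise ValueError("virtual drive must be a single letter")
    return "subst %s: %s" % (virtual_letter.upper(), container)


def plan_mapping(virtual_letter, virtual_drive_type, source_letter, encrypted,
                 isdir=os.path.isdir):
    """Steps 2 and 3 of the handler: refuse an existing letter, pick the next
    container name, and return the subst command line (not executed here)."""
    if not drive_letter_is_free(virtual_drive_type):
        raise ValueError("drive %s: already exists" % virtual_letter.upper())
    container = next_free_container(source_letter, encrypted, isdir)
    return build_subst_command(virtual_letter, container)
```

On Windows, `plan_mapping('H', get_drive_type('H:\\'), 'F', False)` returns exactly the string the binary passes to WinExec; running it through subprocess would reproduce the mapping, with the 0 in the original call being SW_HIDE. Nothing in this flow encrypts anything: the "encrypted" variant only moves the container under Recycled\VDSys.{CLSID}, so the mapped data stays readable on the source drive by path.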
Continuing...
* Reference to TfrmVirtualDrive instance
|
004B1EDA A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B1EDF 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B1EE1 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B1EE7 8B802C020000 mov eax, [eax+$022C]
* Reference to: ComCtrls.THeaderSections.Add(THeaderSections):THeaderSection;
|
004B1EED E822DBFBFF call 0046FA14
004B1EF2 8BF8 mov edi, eax
004B1EF4 8D95E0FDFFFF lea edx, [ebp+$FFFFFDE0]
* Reference to control TfrmCreateDrive.Edit1 : TsuiEdit
|
004B1EFA 8B860C030000 mov eax, [esi+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004B1F00 E81FCBF8FF call 0043EA24
// get the virtual drive letter
004B1F05 8B95E0FDFFFF mov edx, [ebp+$FFFFFDE0]
004B1F0B 8BC7 mov eax, edi
* Reference to: ComCtrls.TListItem.SetCaption(TListItem;AnsiString);
|
004B1F0D E8A2D5FBFF call 0046F4B4
004B1F12 8D85D8FDFFFF lea eax, [ebp+$FFFFFDD8]
* Reference to control TfrmCreateDrive.DriveComboBox1 : TDriveComboBox
|
004B1F18 8B9630030000 mov edx, [esi+$0330]
// edx <- DriveComboBox1
* Reference to field TDriveComboBox.Drive : Char
|
004B1F1E 8A9294020000 mov dl, byte ptr [edx+$0294]
// dl <- DriveComboBox1.Drive
* Reference to: System.@LStrFromChar(String;String;Char);
|
004B1F24 E8072BF5FF call 00404A30
004B1F29 FFB5D8FDFFFF push dword ptr [ebp+$FFFFFDD8]
* Possible String Reference to: ':\Disk'
|
004B1F2F 68DC224B00 push $004B22DC
004B1F34 8D95D4FDFFFF lea edx, [ebp+$FFFFFDD4]
004B1F3A 8BC3 mov eax, ebx
* Reference to: Unit_00407DD8.Proc_00408F0C
|
004B1F3C E8CB6FF5FF call 00408F0C
004B1F41 FFB5D4FDFFFF push dword ptr [ebp+$FFFFFDD4]
004B1F47 8D85DCFDFFFF lea eax, [ebp+$FFFFFDDC]
004B1F4D BA03000000 mov edx, $00000003
* Reference to: System.Proc_00404BC8
|
004B1F52 E8712CF5FF call 00404BC8
// returns <source drive> + ':\Disk' + <counter> (only 3 parts, edx = 3: the CLSID suffix is not shown in the list)
004B1F57 8B95DCFDFFFF mov edx, [ebp+$FFFFFDDC]
// edx <- '<source drive>:\Disk<n>'
004B1F5D 8B4708 mov eax, [edi+$08]
004B1F60 8B08 mov ecx, [eax]
004B1F62 FF5138 call dword ptr [ecx+$38]
// [edi+$08] is the new item's SubItems; vmt slot $38 appears to be TStrings.Add (DeDe's TsuiCheckBox label is a guess): subitem "mapped path"
* Reference to control TfrmCreateDrive.Check2 : TsuiCheckBox
|
004B1F65 8B863C030000 mov eax, [esi+$033C]
* Reference to field TsuiCheckBox.OFFS_0260
|
004B1F6B 80B86002000001 cmp byte ptr [eax+$0260], $01
// was the "encrypt" box (Check2) ticked?
004B1F72 750F jnz 004B1F83
004B1F74 8B4708 mov eax, [edi+$08]
* Possible String Reference to: '☆'
|
004B1F77 BA8C234B00 mov edx, $004B238C
// if selected, the column shows '☆'
004B1F7C 8B08 mov ecx, [eax]
* Possible reference to virtual method TsuiCheckBox.OFFS_38
|
004B1F7E FF5138 call dword ptr [ecx+$38]
004B1F81 EB0D jmp 004B1F90
004B1F83 8B4708 mov eax, [edi+$08]
* Possible String Reference to: '无'
|
004B1F86 BA98234B00 mov edx, $004B2398
// if not encrypted, it shows '无' (none)
004B1F8B 8B08 mov ecx, [eax]
* Possible reference to virtual method TsuiCheckBox.OFFS_38
|
004B1F8D FF5138 call dword ptr [ecx+$38]
// subitem "current status"
004B1F90 8B4708 mov eax, [edi+$08]
* Possible String Reference to: '已打开'
|
004B1F93 BAA4234B00 mov edx, $004B23A4
004B1F98 8B08 mov ecx, [eax]
* Possible reference to virtual method TsuiCheckBox.OFFS_38
|
004B1F9A FF5138 call dword ptr [ecx+$38]
// subitem "autoload"
004B1F9D 8B4708 mov eax, [edi+$08]
* Possible String Reference to: '是'
|
004B1FA0 BAB4234B00 mov edx, $004B23B4
004B1FA5 8B08 mov ecx, [eax]
* Possible reference to virtual method TsuiCheckBox.OFFS_38
|
004B1FA7 FF5138 call dword ptr [ecx+$38]
004B1FAA 8D85D0FDFFFF lea eax, [ebp+$FFFFFDD0]
* Reference to: VirtualDrive.Proc_004B3CB4
|
004B1FB0 E8FF1C0000 call 004B3CB4
004B1FB5 8D85D0FDFFFF lea eax, [ebp+$FFFFFDD0]
* Possible String Reference to: '\Disk.VxD'
|
004B1FBB BAC0234B00 mov edx, $004B23C0
* Reference to: System.@LStrCat;
|
004B1FC0 E84B2BF5FF call 00404B10
004B1FC5 8B95D0FDFFFF mov edx, [ebp+$FFFFFDD0]
004B1FCB 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
To summarise: this fills a row of the ListView, | Virtual partition | Mapped path | Encryption | Current status | Autoload |. Because the mapped-path column is built from only three parts (drive, ':\Disk', counter), neither the CLSID suffix nor the Recycled\VDSys container of the encrypted variant is ever displayed to the user.
Go on...
* Reference to: System.@Assign(TTextRec;TTextRec;String):Integer;
|
004B1FD1 E8EA0EF5FF call 00402EC0
// AssignFile: associate Disk.VxD (in the program's own directory, built at 004B3CB4 + '\Disk.VxD') with a TextFile record
004B1FD6 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@RewritText(TTextRec;TTextRec):Integer;
|
004B1FDC E87B0CF5FF call 00402C5C
// Rewrite: create the file, or truncate it if it exists, for writing
* Reference to: System.Proc_004028A4
|
004B1FE1 E8BE08F5FF call 004028A4
* Reference to TfrmVirtualDrive instance
|
004B1FE6 A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B1FEB 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B1FED 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B1FF3 8B802C020000 mov eax, [eax+$022C]
* Reference to: ComCtrls.TTreeNodes.GetCount(TTreeNodes):Integer;
|
004B1FF9 E872DAFBFF call 0046FA70
004B1FFE 48 dec eax
004B1FFF 85C0 test eax, eax
004B2001 0F8C52010000 jl 004B2159
004B2007 40 inc eax
004B2008 8945F0 mov [ebp-$10], eax
004B200B 33DB xor ebx, ebx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ loop over the ListItems, writing each row to Disk.VxD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Reference to TfrmVirtualDrive instance
|
004B200D A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B2012 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B2014 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B201A 8B802C020000 mov eax, [eax+$022C]
004B2020 8BD3 mov edx, ebx
* Reference to: ComCtrls.TListItems.GetItem(TListItems;Integer):TListItem;
|
004B2022 E879DAFBFF call 0046FAA0
// get item ebx; [eax+$24] is its Caption, the "virtual partition" column
004B2027 8B5024 mov edx, [eax+$24]
004B202A 8D45F4 lea eax, [ebp-$0C]
* Reference to: System.@LStrLAsg(void;void;void;void);
|
004B202D E8B628F5FF call 004048E8
// LStrLAsg copies the caption string into [ebp-$0C]
004B2032 8B55F4 mov edx, [ebp-$0C]
004B2035 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Write0Bool(TTextRec;TTextRec;Boolean):Pointer;
|
004B203B E8DC2EF5FF call 00404F1C
* Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
|
004B2040 E8E314F5FF call 00403528
// WriteLn: write the "virtual partition" column as one line
* Reference to: System.Proc_004028A4
|
004B2045 E85A08F5FF call 004028A4
* Reference to TfrmVirtualDrive instance
|
004B204A A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B204F 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B2051 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B2057 8B802C020000 mov eax, [eax+$022C]
004B205D 8BD3 mov edx, ebx
* Reference to: ComCtrls.TListItems.GetItem(TListItems;Integer):TListItem;
|
004B205F E83CDAFBFF call 0046FAA0
// item ebx again; SubItems[0] via vmt slot $0C with index edx = 0: the "mapped path" column
004B2064 8B4008 mov eax, [eax+$08]
004B2067 8D4DF4 lea ecx, [ebp-$0C]
004B206A 33D2 xor edx, edx
004B206C 8B38 mov edi, [eax]
004B206E FF570C call dword ptr [edi+$0C]
004B2071 8B55F4 mov edx, [ebp-$0C]
004B2074 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Write0Bool(TTextRec;TTextRec;Boolean):Pointer;
|
004B207A E89D2EF5FF call 00404F1C
* Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
|
004B207F E8A414F5FF call 00403528
// WriteLn
* Reference to: System.Proc_004028A4
|
004B2084 E81B08F5FF call 004028A4
* Reference to TfrmVirtualDrive instance
|
004B2089 A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B208E 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B2090 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B2096 8B802C020000 mov eax, [eax+$022C]
004B209C 8BD3 mov edx, ebx
* Reference to: ComCtrls.TListItems.GetItem(TListItems;Integer):TListItem;
|
004B209E E8FDD9FBFF call 0046FAA0
// SubItems[1] (edx = 1): the "encryption" column
004B20A3 8B4008 mov eax, [eax+$08]
004B20A6 8D4DF4 lea ecx, [ebp-$0C]
004B20A9 BA01000000 mov edx, $00000001
004B20AE 8B38 mov edi, [eax]
004B20B0 FF570C call dword ptr [edi+$0C]
004B20B3 8B55F4 mov edx, [ebp-$0C]
004B20B6 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Write0Bool(TTextRec;TTextRec;Boolean):Pointer;
|
004B20BC E85B2EF5FF call 00404F1C
* Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
|
004B20C1 E86214F5FF call 00403528
// WriteLn
* Reference to: System.Proc_004028A4
|
004B20C6 E8D907F5FF call 004028A4
* Reference to TfrmVirtualDrive instance
|
004B20CB A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B20D0 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B20D2 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B20D8 8B802C020000 mov eax, [eax+$022C]
004B20DE 8BD3 mov edx, ebx
* Reference to: ComCtrls.TListItems.GetItem(TListItems;Integer):TListItem;
|
004B20E0 E8BBD9FBFF call 0046FAA0
// SubItems[2] (edx = 2): the "current status" column
004B20E5 8B4008 mov eax, [eax+$08]
004B20E8 8D4DF4 lea ecx, [ebp-$0C]
004B20EB BA02000000 mov edx, $00000002
004B20F0 8B38 mov edi, [eax]
004B20F2 FF570C call dword ptr [edi+$0C]
004B20F5 8B55F4 mov edx, [ebp-$0C]
004B20F8 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Write0Bool(TTextRec;TTextRec;Boolean):Pointer;
|
004B20FE E8192EF5FF call 00404F1C
* Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
|
004B2103 E82014F5FF call 00403528
// WriteLn
* Reference to: System.Proc_004028A4
|
004B2108 E89707F5FF call 004028A4
* Reference to TfrmVirtualDrive instance
|
004B210D A1E87A4B00 mov eax, dword ptr [$004B7AE8]
004B2112 8B00 mov eax, [eax]
* Reference to control TfrmVirtualDrive.ListView1 : TsuiListView
|
004B2114 8B8034030000 mov eax, [eax+$0334]
* Reference to field TsuiListView.OFFS_022C
|
004B211A 8B802C020000 mov eax, [eax+$022C]
004B2120 8BD3 mov edx, ebx
* Reference to: ComCtrls.TListItems.GetItem(TListItems;Integer):TListItem;
|
004B2122 E879D9FBFF call 0046FAA0
// SubItems[3] (edx = 3): the "autoload" column
004B2127 8B4008 mov eax, [eax+$08]
004B212A 8D4DF4 lea ecx, [ebp-$0C]
004B212D BA03000000 mov edx, $00000003
004B2132 8B38 mov edi, [eax]
004B2134 FF570C call dword ptr [edi+$0C]
004B2137 8B55F4 mov edx, [ebp-$0C]
004B213A 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Write0Bool(TTextRec;TTextRec;Boolean):Pointer;
|
004B2140 E8D72DF5FF call 00404F1C
* Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
|
004B2145 E8DE13F5FF call 00403528
// WriteLn
* Reference to: System.Proc_004028A4
|
004B214A E85507F5FF call 004028A4
004B214F 43 inc ebx
004B2150 FF4DF0 dec dword ptr [ebp-$10]
004B2153 0F85B4FEFFFF jnz 004B200D
// loop while items remain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ loop over the ListItems, writing each row to Disk.VxD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
004B2159 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
* Reference to: System.@Close(TTextRec;TTextRec):Integer;
|
004B215F E8240EF5FF call 00402F88
// CloseFile
To summarise: the program writes every row, | Virtual partition | Mapped path | Encryption | Current status | Autoload |, to Disk.VxD in its own directory, one field per WriteLn; open the file in Notepad and you will see it. The program presumably reads this file at start-up to fill the ListView. Since the file is plain text and the mapped directories are ordinary directories on the source drive, everything the program "protects" can be read with any tool that knows the path.
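An added parser for the Disk.VxD layout just described (five lines per entry, in list-view column order); this is example code, not part of the program. The sample content is constructed, the GBK encoding in `load_disk_vxd` is an assumption about Delphi AnsiString output on a Chinese Windows system, and reconstructing the real container path from the displayed '<source>:\Disk<n>' form relies on the concatenations shown at 004B1F52 (no CLSID suffix in the list) and 004B1D72/004B1E1B (the actual directory names). That the program replays subst for rows marked '是' at start-up is the author's guess, so `startup_commands` is labelled as such; `removal_commands` uses the "subst X: /d" form the author looked up.

```python
import ntpath

CLSID_SUFFIX = ".{00021401-0000-0000-C000-000000000046}"  # CLSID_ShellLink
FIELDS = ("drive", "mapped_path", "protection", "status", "autoload")

# Constructed sample: what the WriteLn loop emits for two list-view rows
# (virtual letter, displayed path, encryption mark, status, autoload).
SAMPLE_DISK_VXD = (
    "H\n" "F:\\Disk\n" "无\n" "已打开\n" "是\n"
    "I\n" "F:\\Disk0\n" "☆\n" "已打开\n" "否\n"
)


def parse_disk_vxd(text):
    """Split the file into records: one field per line, len(FIELDS) lines per row."""
    lines = text.splitlines()
    if len(lines) % len(FIELDS):
        raise ValueError("truncated Disk.VxD: %d lines" % len(lines))
    records = []
    for i in range(0, len(lines), len(FIELDS)):
        rec = dict(zip(FIELDS, lines[i:i + len(FIELDS)]))
        rec["encrypted"] = rec["protection"] == "☆"   # '无' means no protection
        records.append(rec)
    return records


def load_disk_vxd(path, encoding="gbk"):
    """Read the file as the Delphi RTL wrote it: ANSI text (assumed GBK here)."""
    with open(path, "r", encoding=encoding) as fh:
        return parse_disk_vxd(fh.read())


def container_path(rec):
    """Directory really mapped by subst.  The list view shows only '<src>:\\Disk<n>';
    the on-disk name carries the CLSID suffix and, for 'encrypted' rows, sits under
    <src>:\\Recycled\\VDSys.{CLSID}\\ (assumption: mirrors the concatenations in
    the create handler)."""
    drive, rest = ntpath.splitdrive(rec["mapped_path"])        # 'F:', '\\Disk0'
    name = rest.lstrip("\\") + CLSID_SUFFIX
    if rec["encrypted"]:
        return ntpath.join(drive + "\\", "Recycled", "VDSys" + CLSID_SUFFIX, name)
    return ntpath.join(drive + "\\", name)


def startup_commands(records):
    """subst lines that recreate the mappings (subst is per session and does not
    survive a reboot); assumption: the program replays them for rows whose
    autoload field is '是'."""
    return ["subst %s: %s" % (r["drive"], container_path(r))
            for r in records if r["autoload"] == "是"]


def removal_commands(records):
    """'subst X: /d' for every row, the teardown the author identified."""
    return ["subst %s: /d" % r["drive"] for r in records]
```

Running `parse_disk_vxd(SAMPLE_DISK_VXD)` and `container_path` on each record shows the security point directly: the "encrypted" row resolves to an ordinary directory under Recycled\VDSys.{CLSID}, and `load_disk_vxd` on a real installation gives an attacker the full list of mapped directories without touching the GUI.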
--------------------------------------------------------------------------------
【Lessons learned】
After a whole day of analysis my eyes are tired. At this point, if you can program, you could write your own Virtual Partition Magician; the code has been analysed almost completely.
What I think is still missing is the code for the "Current status" and "Autoload" columns when they are set to "no".
Deleting a partition is easy: looking up the subst command shows it is done with "subst <letter>: /d".
The clean-up then consists of removing the matching entry from Disk.VxD and deleting the directory, e.g. <source drive>:\Disk1.{00021401-0000-0000-C000-000000000046}.
--------------------------------------------------------------------------------
【Copyright】: Originally written for the 看雪 (PEDIY) forum; please credit the author and keep the article intact when reposting. Thank you!
2006年12月06日 15:55:47