[Original] Analysis of 固盾.金钥匙 (Goldkey) Internet Cafe IC Card Billing Management Expert
Posted: 2007-4-24 14:04

This is fairly old stuff; I looked into it in 2005 and did not succeed. But this system really is well designed: the software and the hardware cooperate to do the job. The software can be forcibly bypassed, but if the hardware receives the wrong data, my guess is that it shorts the power switch and powers the machine off directly. Ruthless. I don't know whether anyone else has studied it. Unless you crack the software system without disturbing the check data sent to the card reader, which might just work. For everyone's reference; criticism and corrections are welcome.
zzhzihui@tom.com
Beijing Yonghua Hexun Information Technology Co., Ltd. (北京雍华和讯信息技术有限公司): 固盾.金钥匙 Internet Cafe IC Card Billing Management Expert

This is a new management system, and it really is impressive.
Its executables were found to be:
MONITOR.EXE	presumably the client monitoring program
CMonitor.exe	
SetMonitor.exe	presumably the settings program
Report.dll
If either of the first two executables is forcibly terminated, the computer shuts down a few minutes later.
Now let's look at the description on its home page:
1. System components:
IC card PR billing device: installed on every PC in the cafe; it controls users' self-service use of the machine and automatic billing.
IC card issuing and management program: installed on the cafe's cash register
Network monitoring program: installed on the cafe's management server; implements the various management functions of the automatic billing system.
2. System requirements:
Client PC hardware and software requirements:
    One free COM port	//so the billing device is attached to a COM port
    The motherboard must have a power or reset header	//so the IC card billing device also has a gadget for controlling shutdown: it wires itself in parallel with the motherboard's power button, and if it detects an anomaly it sends a signal that shorts the power button for a moment, and Windows XP shuts down. (So could we fiddle with the "when I press the power button" option in Advanced Power Management?)
    One free 3-inch or 5-inch floppy drive bay //used to mount the card reader
Configuration notes:
IC card billing controller: one set installed per PC. Its control scheme: the PC only runs normally while a valid IC card is inserted, otherwise the computer is locked; a running computer automatically deducts credit from the IC card through the IC billing device, which is how automatic billing is achieved.
====
I tried it on my own machine, without a card reader of course; it showed an error and shut down all the same. That has to be a software shutdown; I watched the task manager while it was shutting down, and it seemed to be using RUNDLL32 to shut down.
But disassembling MONITOR.EXE and CMONITOR.EXE shows that both call ExitWindowsEx to shut down.
★ The shutdown code in MONITOR.EXE
* Possible StringData Ref from Code Obj ->"Windows NT"
                                  |
:004561FB B8E0624500              mov eax, 004562E0
:00456200 E88FDEFAFF              call 00404094
:00456205 48                      dec eax
:00456206 0F8591000000            jne 0045629D	;taking this jump is game over, so it must never be taken
:0045620C 33C0                    xor eax, eax
:0045620E 8945F8                  mov dword ptr [ebp-08], eax
:00456211 8D45FC                  lea eax, dword ptr [ebp-04]
:00456214 50                      push eax
:00456215 6A28                    push 00000028

* Reference To: kernel32.GetCurrentProcess, Ord:0000h

...............
* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
                                  |
:00456275 E87203FBFF              Call 004065EC

* Reference To: kernel32.GetLastError, Ord:0000h
                                  |
:0045627A E8B504FBFF              Call 00406734
:0045627F 84C0                    test al, al
:00456281 7532                    jne 004562B5  ;this one must jump, otherwise shutdown
:00456283 85DB                    test ebx, ebx
:00456285 740B                    je 00456292	;jump and it's over, don't jump and it's over too
:00456287 6A00                    push 00000000
:00456289 6A06                    push 00000006

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:0045628B E8E409FBFF              Call 00406C74
:00456290 EB23                    jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456285(C)
|
:00456292 6A00                    push 00000000
:00456294 6A0D                    push 0000000D

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00456296 E8D909FBFF              Call 00406C74
:0045629B EB18                    jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456206(C)
|
:0045629D 85DB                    test ebx, ebx
:0045629F 740B                    je 004562AC	;over either way
:004562A1 6A00                    push 00000000
:004562A3 6A06                    push 00000006

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:004562A5 E8CA09FBFF              Call 00406C74
:004562AA EB09                    jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045629F(C)
|
:004562AC 6A00                    push 00000000
:004562AE 6A0D                    push 0000000D

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:004562B0 E8BF09FBFF              Call 00406C74

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00456224(C), :0045623D(C), :00456251(C), :00456281(C), :00456290(U)
|:0045629B(U), :004562AA(U)
|
:004562B5 33C0                    xor eax, eax
:004562B7 5A                      pop edx
:004562B8 59                      pop ecx
:004562B9 59                      pop ecx
:004562BA 648910                  mov dword ptr fs:[eax], edx
:004562BD 68D2624500              push 004562D2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

String references:
Files it may access: MMonitor1.exe, MReport1.exe, Mreport_pr1.sys, Report_pr.dll
TMReport.dll,advfile.dat,Monitor1.exe,MReport_pr1.dll,Treport_pr.sys
conerrlog.dat

* Possible StringData Ref from Code Obj ->"w.bat"
                                  |
:00494F00 687C4F4900              push 00494F7C

* Reference To: kernel32.WinExec, Ord:0000h	;probably the thing that deletes closecomput.dat.


★ The code in CMONITOR.EXE is very similar to MONITOR.exe.
* Possible StringData Ref from Code Obj ->"Windows NT"
                                  |
:00455CB3 B8985D4500              mov eax, 00455D98
:00455CB8 E8D7E3FAFF              call 00404094
:00455CBD 48                      dec eax
:00455CBE 0F8591000000            jne 00455D55	;never take this jump; jump and it's over
:00455CC4 33C0                    xor eax, eax
:00455CC6 8945F8                  mov dword ptr [ebp-08], eax
:00455CC9 8D45FC                  lea eax, dword ptr [ebp-04]
:00455CCC 50                      push eax
:00455CCD 6A28                    push 00000028

* Reference To: kernel32.GetCurrentProcess, Ord:0000h
................
* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
                                  |
:00455D2D E8BA08FBFF              Call 004065EC

* Reference To: kernel32.GetLastError, Ord:0000h
                                  |
:00455D32 E8E509FBFF              Call 0040671C
:00455D37 84C0                    test al, al
:00455D39 7532                    jne 00455D6D	;must jump
:00455D3B 85DB                    test ebx, ebx
:00455D3D 740B                    je 00455D4A
:00455D3F 6A00                    push 00000000
:00455D41 6A06                    push 00000006

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00455D43 E8140FFBFF              Call 00406C5C
:00455D48 EB23                    jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D3D(C)
|
:00455D4A 6A00                    push 00000000
:00455D4C 6A0D                    push 0000000D

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00455D4E E8090FFBFF              Call 00406C5C
:00455D53 EB18                    jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CBE(C)
|
:00455D55 85DB                    test ebx, ebx
:00455D57 740B                    je 00455D64
:00455D59 6A00                    push 00000000
:00455D5B 6A06                    push 00000006

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00455D5D E8FA0EFBFF              Call 00406C5C
:00455D62 EB09                    jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D57(C)
|
:00455D64 6A00                    push 00000000
:00455D66 6A0D                    push 0000000D

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00455D68 E8EF0EFBFF              Call 00406C5C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455CDC(C), :00455CF5(C), :00455D09(C), :00455D39(C), :00455D48(U)
|:00455D53(U), :00455D62(U)
|
:00455D6D 33C0                    xor eax, eax
:00455D6F 5A                      pop edx
:00455D70 59                      pop ecx
:00455D71 59                      pop ecx
:00455D72 648910                  mov dword ptr fs:[eax], edx
:00455D75 688A5D4500              push 00455D8A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D88(U)

Also, MONITOR.EXE uses ShellExecuteA to run CMONITOR.EXE and SETMONITOR.EXE, and to open one of its own websites.
In CMONITOR.EXE the same function is called only twice: to open CMONITOR.EXE and to open its own website.
When the program is running normally only MONITOR.EXE stays resident, so CMONITOR seems to be there purely to do damage, but given how large it is, I doubt it is that simple.

According to its string references, it accesses the files displayinfo.dll and secudll.dll in the system directory,
and also madvfile.dat, mmadvfile.dat, vcltest3.dll

Registry access:
* Possible StringData Ref from Code Obj ->"\Software\Microsoft\Windows\CurrentVersion\Sof"
                                        ->"tInt"
                                  |
:00491288 BA28134900              mov edx, 00491328
Key names:
* Possible StringData Ref from Code Obj ->"_MicrosoftDefCap"
* Possible StringData Ref from Code Obj ->"aq)_#1htj["
....
* Possible StringData Ref from Code Obj ->"server数据解密错误计数:" ;so there really is server-side checking as well
* Possible StringData Ref from Code Obj ->"校验server通讯码失败计数:"
                                  |
:0049488F 68484B4900              push 00494B48


★ REPORT.DLL
Wow, you don't know until you look: this DLL is a big deal. It appears to be the interface; all the COM port reads and writes are done by it. It even contains shutdown code, so let's look at that first:
First location:
:10005B61 85C0                    test eax, eax
:10005B63 7407                    je 10005B6C	;this must never jump
:10005B65 E8BEFFFFFF              call 10005B28
:10005B6A EB0A                    jmp 10005B76

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B63(C)
|
:10005B6C 6A00                    push 00000000
:10005B6E 6A0D                    push 0000000D

* Reference To: USER32.ExitWindowsEx, Ord:00D3h
                                  |
:10005B70 FF1558640310            Call dword ptr [10036458]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B6A(U)
|
:10005B76 5D                      pop ebp
:10005B77 C3                      ret

Second location:
* Possible StringData Ref from Data Obj ->"SeShutdownPrivilege"
                                  |
:10005B2D 6820DD0310              push 1003DD20
:10005B32 E86BFFFFFF              call 10005AA2
:10005B37 83C408                  add esp, 00000008
:10005B3A 85C0                    test eax, eax
:10005B3C 7419                    je 10005B57	;this one must jump
:10005B3E 6A00                    push 00000000
:10005B40 6A0D                    push 0000000D

* Reference To: USER32.ExitWindowsEx, Ord:00D3h
                                  |
:10005B42 FF1558640310            Call dword ptr [10036458]
:10005B48 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"SeShutdownPrivilege"
                                  |
:10005B4A 6834DD0310              push 1003DD34
:10005B4F E84EFFFFFF              call 10005AA2
:10005B54 83C408                  add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B3C(C)
|
:10005B57 5D                      pop ebp
:10005B58 C3                      ret
---
Now for the other information obtained from the string references:
* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h
                                  |
:1000403B FF15CC610310            Call dword ptr [100361CC]
:10004041 8B45F0                  mov eax, dword ptr [ebp-10]
:10004044 0504020000              add eax, 00000204
:10004049 50                      push eax

* Possible StringData Ref from Data Obj ->"%s\csmddsly0.sys"	;the system directory also holds the files csmddsly0.sys and dslycsmd0.exe
                                  |
:1000404A 68B0DB0310              push 1003DBB0
:1000404F 8B4DF0                  mov ecx, dword ptr [ebp-10]
:10004052 81C104010000            add ecx, 00000104
:10004058 51                      push ecx
:10004059 E832C80100              call 10020890
:1000405E 83C40C                  add esp, 0000000C
:10004061 8B55F0                  mov edx, dword ptr [ebp-10]
:10004064 81C204020000            add edx, 00000204
:1000406A 52                      push edx

* Possible StringData Ref from Data Obj ->"%s\dslycsmd0.exe"
....
* Possible StringData Ref from Data Obj ->"D:\傅宏毅-接口\dll\seclib\mwicpk_cx.c"	;so the author's name is 傅宏毅
....
* Possible StringData Ref from Data Obj ->"/dev/urandom"	;this is probably the COM card reader device name, perhaps used for debugging.
....
* Possible StringData Ref from Data Obj ->"\\.\lockkey"		;this is the device it actually accesses.
                                  |
:100089DC 68A8DE0310              push 1003DEA8

* Reference To: KERNEL32.CreateFileA, Ord:0034h
....
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\gold"
                                        ->"key"		;where the program stores its information in the registry
                                  |
:1000F0E3 685CE20310              push 1003E25C
:1000F0E8 6802000080              push 80000002

* Reference To: ADVAPI32.RegCreateKeyA, Ord:015Eh
advhdl,advfile
.....
Also the registry key
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\System Control"
                                  |
:10005FCA 6870DD0310              push 1003DD70
:10005FCF 6802000080              push 80000002
:10005FD4 8D4DF0                  lea ecx, dword ptr [ebp-10]
:10005FD7 E8C4690000              call 1000C9A0

* Possible StringData Ref from Data Obj ->"Files"
                                  |
:10005FDC 6894DD0310              push 1003DD94

.....
* Possible StringData Ref from Data Obj ->"advfile.bmp"
Files that should exist: advfile.exe .bmp .gif .html .jpg .scr .swf .txt
.....
* Possible StringData Ref from Data Obj ->"madvfile.dat"  ;this file
                                  |
:100011EE 6800D10310              push 1003D100
....
The program also accesses CMONITOR.EXE, KERNAL32.EXE, KERNEL32.EXE, KERNEL32.DLL, MSTASK.EXE
MU.EXE,REALPLAY.EXE,REPORT_PR.SYS,RUNFILE.EXE,SCRSERVER.SC
==========================
MONITOR.EXE
00493C8E  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
00493C91  |.  8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
00493C94  |.  BA 5C3D4900   MOV EDX,MONITOR.00493D5C                 ;  ASCII "70"
00493C99  |.  E8 22FFF6FF   CALL MONITOR.00403BC0
00493C9E  |.  8B83 48030000 MOV EAX,DWORD PTR DS:[EBX+348]
00493CA4  |.  80B8 88020000>CMP BYTE PTR DS:[EAX+288],0
00493CAB  |.  74 79         JE SHORT MONITOR.00493D26	;JMP IT!!
00493CAD  |.  B8 683D4900   MOV EAX,MONITOR.00493D68                 ;  ASCII "CloseComput.dat"
00493CB2  |.  E8 B14AF7FF   CALL MONITOR.00408768
00493CB7  |.  84C0          TEST AL,AL
00493CB9  |.  74 36         JE SHORT MONITOR.00493CF1
00493CBB  |.  33F6          XOR ESI,ESI


report.dll
0147899A    51              PUSH ECX
0147899B    E8 B9A4FFFF     CALL Report.01472E59
014789A0    83C4 08         ADD ESP,8
014789A3    33D2            XOR EDX,EDX
014789A5    8A15 A0FC4B01   MOV DL,BYTE PTR DS:[14BFCA0]
014789AB    85D2            TEST EDX,EDX
014789AD    74 14           JE SHORT Report.014789C3	;JMP: opens report_pr.sys
014789AF    C745 FC FFFFFFF>MOV DWORD PTR SS:[EBP-4],-1
014789B6    8D4D F0         LEA ECX,DWORD PTR SS:[EBP-10]
014789B9    E8 A28FFFFF     CALL Report.01471960
014789BE    E9 5D020000     JMP Report.01478C20
014789C3    C705 A4FC4B01 0>MOV DWORD PTR DS:[14BFCA4],0
014789CD    6A 00           PUSH 0
014789CF    68 00000040     PUSH 40000000
014789D4    6A 03           PUSH 3
014789D6    6A 00           PUSH 0
014789D8    6A 00           PUSH 0
014789DA    6A 00           PUSH 0
014789DC    68 A8DE4A01     PUSH Report.014ADEA8                     ; ASCII "\\.\lockkey"
014789E1    FF15 F0624A01   CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileA
014789E7    A3 606A4B01     MOV DWORD PTR DS:[14B6A60],EAX
014789EC    833D 606A4B01 F>CMP DWORD PTR DS:[14B6A60],-1
014789F3    0F85 A4000000   JNZ Report.01478A9D	;jmp: shows the message
014789F9    E8 00CCFFFF     CALL Report.014755FE
014789FE    85C0            TEST EAX,EAX
01478A00    75 0C           JNZ SHORT Report.01478A0E
01478A02    C605 707A4B01 0>MOV BYTE PTR DS:[14B7A70],1
01478A09    E9 8F000000     JMP Report.01478A9D
01478A0E    E8 1BCCFFFF     CALL Report.0147562E	;operates on the sys
01478A13    833D D4FC4B01 0>CMP DWORD PTR DS:[14BFCD4],0
===============
Report_pr.sys
Its file properties reveal that it is one of the components bundled with Compuware's SoftICE, one of the examples in DriverStudio: *NT KeyboardFilter. It is a driver, but here it has not only keyboardclass (keyboard) but also point class (mouse), so this driver must be there to lock the keyboard and pointer (mouse) devices. If this file is deleted, the keyboard/mouse restriction should be gone. But I don't know whether there is also a check for the driver failing to load.

Now the operations on this sys in report.dll:
* Referenced by a CALL at Addresses:
|:10008A0E   , :10008A2D   , :10008A43   
|
:1000562E 55                      push ebp
:1000562F 8BEC                    mov ebp, esp
:10005631 81EC08010000            sub esp, 00000108
:10005637 E8C2FFFFFF              call 100055FE
:1000563C A3D0FC0410              mov dword ptr [1004FCD0], eax
:10005641 833DD0FC041000          cmp dword ptr [1004FCD0], 00000000
:10005648 0F84BD000000            je 1000570B
:1000564E 6804010000              push 00000104
:10005653 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:10005659 50                      push eax
:1000565A 6A00                    push 00000000

* Reference To: KERNEL32.GetModuleHandleA, Ord:0126h
                                  |
:1000565C FF15CC620310            Call dword ptr [100362CC]
:10005662 50                      push eax

* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
                                  |
:10005663 FF15D0620310            Call dword ptr [100362D0]
:10005669 85C0                    test eax, eax
:1000566B 7507                    jne 10005674
:1000566D 33C0                    xor eax, eax
:1000566F E9A6000000              jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000566B(C)
|
:10005674 6A5C                    push 0000005C
:10005676 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:1000567C 51                      push ecx
:1000567D E81EBB0100              call 100211A0
:10005682 83C408                  add esp, 00000008
:10005685 8945FC                  mov dword ptr [ebp-04], eax
:10005688 837DFC00                cmp dword ptr [ebp-04], 00000000
:1000568C 7409                    je 10005697
:1000568E 8B55FC                  mov edx, dword ptr [ebp-04]
:10005691 C6420100                mov [edx+01], 00
:10005695 EB04                    jmp 1000569B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000568C(C)
|
:10005697 33C0                    xor eax, eax
:10005699 EB7F                    jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005695(U)
|

* Possible StringData Ref from Data Obj ->"report_pr.sys"	;starts opening the device driver
                                  |
:1000569B 68D4DC0310              push 1003DCD4
:100056A0 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:100056A6 50                      push eax
:100056A7 E804B10100              call 100207B0
:100056AC 83C408                  add esp, 00000008
:100056AF 68D8FC0410              push 1004FCD8
:100056B4 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:100056BA 51                      push ecx

* Possible StringData Ref from Data Obj ->"hycontrol"
                                  |
:100056BB 68E4DC0310              push 1003DCE4
:100056C0 E825E0FFFF              call 100036EA
:100056C5 83C40C                  add esp, 0000000C
:100056C8 85C0                    test eax, eax
:100056CA 753F                    jne 1000570B

* Possible StringData Ref from Data Obj ->"hycontrol"
                                  |
:100056CC 68F0DC0310              push 1003DCF0
:100056D1 E85BDFFFFF              call 10003631
:100056D6 83C404                  add esp, 00000004
:100056D9 68D8FC0410              push 1004FCD8
:100056DE 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:100056E4 52                      push edx

* Possible StringData Ref from Data Obj ->"hycontrol"
                                  |
:100056E5 68FCDC0310              push 1003DCFC
:100056EA E88BDFFFFF              call 1000367A
:100056EF 83C40C                  add esp, 0000000C
:100056F2 85C0                    test eax, eax
:100056F4 7411                    je 10005707
:100056F6 C705D4FC041001000000    mov dword ptr [1004FCD4], 00000001
:10005700 B801000000              mov eax, 00000001
:10005705 EB13                    jmp 1000571A	;reaching here means the operation succeeded

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100056F4(C)
|
:10005707 33C0                    xor eax, eax
:10005709 EB0F                    jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10005648(C), :100056CA(C)
|
:1000570B C705D4FC041001000000    mov dword ptr [1004FCD4], 00000001 ;so 104fcd4 should be the failure flag
:10005715 B801000000              mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000566F(U), :10005699(U), :10005705(U), :10005709(U)
|
:1000571A 8BE5                    mov esp, ebp
:1000571C 5D                      pop ebp
:1000571D C3                      ret

The file REPORT_PR.SYS cannot be deleted; otherwise it reports "system damaged" and then shuts down.
========
Things tried:
1.>
scrprotect->power management
Patch %systemdir%/Cmonitor.exe
:00455CBE 0F8591000000            jne 00455D55	;no jmp,jmp shutdown
:00455CC4 33C0                    xor eax, eax
...
:00455D39 7532                    jne 00455D6D	;must jmp,no jmp shut
:00455D3B 85DB                    test ebx, ebx
Monitor.exe & Report.dll are currently in memory, so the original module files can't be modified, but WinHex -> memedit can be used to patch them.
winhex->memedit->report.dll
:10005B3A 85C0                    test eax, eax
:10005B3C 7419                    je 10005B57	;must jmp
:10005B3E 6A00                    push 00000000
...
:10005B61 85C0                    test eax, eax
:10005B63 7407                    je 10005B6C	;no jmp
monitor.exe
:00456206 0F8591000000            jne 0045629D	;no jmp
:0045620C 33C0                    xor eax, eax
.....
:00456281 7532                    jne 004562B5  ;must jmp
:00456283 85DB                    test ebx, ebx
2.>
Back up report_pr.sys, then delete it (the keyboard and pointer locker).
=========
14:12 2005-3-10
nwusbd.dll,xcapi.dll
=============
Look at this piece of code in monitor.exe. Vicious! Does it have to re-download its own files from the server every time? Nasty!!! That makes patching the files useless.
:00492CF9 000000                  BYTE  3 DUP(0)
:00492CFC 55                      push ebp
:00492CFD 8BEC                    mov ebp, esp
:00492CFF 33C9                    xor ecx, ecx
:00492D01 51                      push ecx
:00492D02 51                      push ecx
:00492D03 51                      push ecx
:00492D04 51                      push ecx
:00492D05 51                      push ecx
:00492D06 51                      push ecx
:00492D07 51                      push ecx
:00492D08 53                      push ebx
:00492D09 56                      push esi
:00492D0A 57                      push edi
:00492D0B 8BFA                    mov edi, edx
:00492D0D 8BF0                    mov esi, eax
:00492D0F 33C0                    xor eax, eax
:00492D11 55                      push ebp
:00492D12 68182F4900              push 00492F18
:00492D17 64FF30                  push dword ptr fs:[eax]
:00492D1A 648920                  mov dword ptr fs:[eax], esp
:00492D1D B8FF000000              mov eax, 000000FF
:00492D22 E8D5F9F6FF              call 004026FC
:00492D27 8BD8                    mov ebx, eax
:00492D29 8BC3                    mov eax, ebx
:00492D2B 33C9                    xor ecx, ecx
:00492D2D BAFF000000              mov edx, 000000FF
:00492D32 E8DDFDF6FF              call 00402B14
:00492D37 68FF000000              push 000000FF
:00492D3C 53                      push ebx

* Reference To: kernel32.GetSystemDirectoryA, Ord:0000h
                                  |
:00492D3D E8223AF7FF              Call 00406764
:00492D42 817F04DF040000          cmp dword ptr [edi+04], 000004DF
:00492D49 0F8568010000            jne 00492EB7
:00492D4F E8546AF7FF              call 004097A8
:00492D54 83C4F8                  add esp, FFFFFFF8
:00492D57 DD1C24                  fstp qword ptr [esp]
:00492D5A 9B                      wait
:00492D5B 8D55F8                  lea edx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"yyyy-MM-dd hh:mm:ss"
                                  |
:00492D5E B8302F4900              mov eax, 00492F30
:00492D63 E83C76F7FF              call 0040A3A4
:00492D68 8B4DF8                  mov ecx, dword ptr [ebp-08]
:00492D6B 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"文件接收成功。时间:"
                                  |
:00492D6E BA4C2F4900              mov edx, 00492F4C
:00492D73 E87C10F7FF              call 00403DF4
:00492D78 8B4DFC                  mov ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"ConnErrLog.dat"
                                  |
:00492D7B BA6C2F4900              mov edx, 00492F6C
:00492D80 8BC6                    mov eax, esi
:00492D82 E8E9C1FFFF              call 0048EF70
:00492D87 A1E8F94900              mov eax, dword ptr [0049F9E8]
:00492D8C E88B00F7FF              call 00402E1C
:00492D91 C605D4F9490001          mov byte ptr [0049F9D4], 01
:00492D98 33C0                    xor eax, eax
:00492D9A A3E8F94900              mov dword ptr [0049F9E8], eax
:00492D9F 8D45F4                  lea eax, dword ptr [ebp-0C]
:00492DA2 8BD3                    mov edx, ebx
:00492DA4 E8370FF7FF              call 00403CE0
:00492DA9 8D45F4                  lea eax, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"\Monitor1.exe"	;temporary monitor program file
                                  |
:00492DAC BA842F4900              mov edx, 00492F84
:00492DB1 E8FA0FF7FF              call 00403DB0
:00492DB6 8B55F4                  mov edx, dword ptr [ebp-0C]
:00492DB9 8BC6                    mov eax, esi
:00492DBB E8D0030000              call 00493190
:00492DC0 84C0                    test al, al
:00492DC2 0F84C3000000            je 00492E8B
:00492DC8 8D45F0                  lea eax, dword ptr [ebp-10]
:00492DCB 8BD3                    mov edx, ebx
:00492DCD E80E0FF7FF              call 00403CE0
:00492DD2 8D45F0                  lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"\Report1.dll"	;temporary interface dll
                                  |
:00492DD5 BA9C2F4900              mov edx, 00492F9C
:00492DDA E8D10FF7FF              call 00403DB0
:00492DDF 8B55F0                  mov edx, dword ptr [ebp-10]
:00492DE2 8BC6                    mov eax, esi
:00492DE4 E8A7030000              call 00493190
:00492DE9 84C0                    test al, al
:00492DEB 0F849A000000            je 00492E8B
:00492DF1 8D45EC                  lea eax, dword ptr [ebp-14]
:00492DF4 8BD3                    mov edx, ebx
:00492DF6 E8E50EF7FF              call 00403CE0
:00492DFB 8D45EC                  lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"\AdvFile.Dat"	;the full-screen image shown while the machine is locked
                                  |
:00492DFE BAB42F4900              mov edx, 00492FB4
:00492E03 E8A80FF7FF              call 00403DB0
:00492E08 8B55EC                  mov edx, dword ptr [ebp-14]
:00492E0B 8BC6                    mov eax, esi
:00492E0D E87E030000              call 00493190
:00492E12 84C0                    test al, al
:00492E14 7475                    je 00492E8B
:00492E16 8BC6                    mov eax, esi
:00492E18 E827FBFFFF              call 00492944
:00492E1D 84C0                    test al, al
:00492E1F 0F8592000000            jne 00492EB7
:00492E25 E87E69F7FF              call 004097A8
:00492E2A 83C4F8                  add esp, FFFFFFF8
:00492E2D DD1C24                  fstp qword ptr [esp]
:00492E30 9B                      wait
:00492E31 8D55E4                  lea edx, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"yyyy-MM-dd hh:mm:ss"
                                  |
:00492E34 B8302F4900              mov eax, 00492F30
:00492E39 E86675F7FF              call 0040A3A4
:00492E3E 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:00492E41 8D45E8                  lea eax, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->"启动SetMonitor.exe 失败。重新下载 "
                                        ->"Monitor.exe。 时间:"
                                  |
:00492E44 BACC2F4900              mov edx, 00492FCC
:00492E49 E8A60FF7FF              call 00403DF4
:00492E4E 8B4DE8                  mov ecx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->"ConnErrLog.dat"
                                  |
:00492E51 BA6C2F4900              mov edx, 00492F6C
:00492E56 8BC6                    mov eax, esi
:00492E58 E813C1FFFF              call 0048EF70
:00492E5D A1ECF94900              mov eax, dword ptr [0049F9EC]
:00492E62 50                      push eax
:00492E63 68D2070000              push 000007D2
:00492E68 66A1A0F84900            mov ax, word ptr [0049F8A0]
:00492E6E 50                      push eax
:00492E6F 8BC6                    mov eax, esi
:00492E71 E8361AFBFF              call 004448AC
:00492E76 8BC8                    mov ecx, eax
:00492E78 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"TWSocket岪"
                                  |
:00492E7A A1DCD64800              mov eax, dword ptr [0048D6DC]
:00492E7F E814B5FFFF              call 0048E398
:00492E84 A3E8F94900              mov dword ptr [0049F9E8], eax
:00492E89 EB2C                    jmp 00492EB7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492DC2(C), :00492DEB(C), :00492E14(C)
|
:00492E8B A1ECF94900              mov eax, dword ptr [0049F9EC]
:00492E90 50                      push eax
:00492E91 68D2070000              push 000007D2
:00492E96 66A1A0F84900            mov ax, word ptr [0049F8A0]
:00492E9C 50                      push eax
:00492E9D 8BC6                    mov eax, esi
:00492E9F E8081AFBFF              call 004448AC
:00492EA4 8BC8                    mov ecx, eax
:00492EA6 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"TWSocket岪"
                                  |
:00492EA8 A1DCD64800              mov eax, dword ptr [0048D6DC]
:00492EAD E8E6B4FFFF              call 0048E398
:00492EB2 A3E8F94900              mov dword ptr [0049F9E8], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492D49(C), :00492E1F(C), :00492E89(U)
|
:00492EB7 817F04E0040000          cmp dword ptr [edi+04], 000004E0
:00492EBE 753D                    jne 00492EFD
:00492EC0 A1E8F94900              mov eax, dword ptr [0049F9E8]
:00492EC5 E852FFF6FF              call 00402E1C
:00492ECA 33C0                    xor eax, eax
:00492ECC A3E8F94900              mov dword ptr [0049F9E8], eax
:00492ED1 A1ECF94900              mov eax, dword ptr [0049F9EC]
:00492ED6 50                      push eax
:00492ED7 68D2070000              push 000007D2
:00492EDC 66A1A0F84900            mov ax, word ptr [0049F8A0]
:00492EE2 50                      push eax
:00492EE3 8BC6                    mov eax, esi
:00492EE5 E8C219FBFF              call 004448AC
:00492EEA 8BC8                    mov ecx, eax
:00492EEC B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"TWSocket岪"
                                  |
:00492EEE A1DCD64800              mov eax, dword ptr [0048D6DC]
:00492EF3 E8A0B4FFFF              call 0048E398
:00492EF8 A3E8F94900              mov dword ptr [0049F9E8], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492EBE(C)
|
:00492EFD 33C0                    xor eax, eax
:00492EFF 5A                      pop edx
:00492F00 59                      pop ecx
:00492F01 59                      pop ecx
:00492F02 648910                  mov dword ptr fs:[eax], edx
:00492F05 681F2F4900              push 00492F1F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492F1D(U)
|
:00492F0A 8D45E4                  lea eax, dword ptr [ebp-1C]
:00492F0D BA07000000              mov edx, 00000007
:00492F12 E8350CF7FF              call 00403B4C
:00492F17 C3                      ret
===========
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497A18(C)
|
:00497A8E FFD0                    call eax
:00497A90 84C0                    test al, al
:00497A92 7532                    jne 00497AC6	;jmp
:00497A94 6A00                    push 00000000
:00497A96 6A01                    push 00000001
:00497A98 A150D74900              mov eax, dword ptr [0049D750]
:00497A9D 8B00                    mov eax, dword ptr [eax]
:00497A9F 33C9                    xor ecx, ecx

* Possible StringData Ref from Code Obj ->"没有检测到系统板卡,请确定是否安装板卡或驱动程?
                                        ->"虬沧笆欠裾罚?
                                  |
:00497AA1 BA507B4900              mov edx, 00497B50
:00497AA6 E88584FBFF              call 0044FF30
:00497AAB 6A01                    push 00000001
:00497AAD 6A01                    push 00000001
:00497AAF 6809070000              push 00000709
:00497AB4 A154D54900              mov eax, dword ptr [0049D554]
:00497AB9 8B00                    mov eax, dword ptr [eax]
:00497ABB E8ECCDFAFF              call 004448AC

------------
:00493C9E 8B8348030000            mov eax, dword ptr [ebx+00000348]
:00493CA4 80B88802000000          cmp byte ptr [eax+00000288], 00
:00493CAB 7479                    je 00493D26	;jmp

* Possible StringData Ref from Code Obj ->"CloseComput.dat"
                                  |
:00493CAD B8683D4900              mov eax, 00493D68
:00493CB2 E8B14AF7FF              call 00408768
:00493CB7 84C0                    test al, al
:00493CB9 7436                    je 00493CF1
:00493CBB 33F6                    xor esi, esi
:00493CBD EB06                    jmp 00493CC5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CD1(C)
|
:00493CBF 46                      inc esi
:00493CC0 83FE64                  cmp esi, 00000064
:00493CC3 7D0E                    jge 00493CD3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CBD(U)
|

* Possible StringData Ref from Code Obj ->"CloseComput.dat"
                                  |
:00493CC5 B8683D4900              mov eax, 00493D68
:00493CCA E8A94AF7FF              call 00408778
:00493CCF 84C0                    test al, al
:00493CD1 74EC                    je 00493CBF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CC3(C)
|

* Possible StringData Ref from Code Obj ->"计费器工作异常,系统无数30秒之内关机!"

=========
cmonitor.exe
:00497924 84C0                    test al, al
:00497926 0F8406010000            je 00497A32
:0049792C 80BB8802000000          cmp byte ptr [ebx+00000288], 00
:00497933 0F8452010000            je 00497A8B
:00497939 6A03                    push 00000003
:0049793B 6A01                    push 00000001
:0049793D A1ECB64900              mov eax, dword ptr [0049B6EC]
:00497942 8B00                    mov eax, dword ptr [eax]
:00497944 33C9                    xor ecx, ecx

* Possible StringData Ref from Code Obj ->"收不到计费器信息系统将关闭,系统重新启动!"
                                  |
:00497946 BAC47A4900              mov edx, 00497AC4
:0049794B E8C480FBFF              call 0044FA14
:00497950 A1F4B44900              mov eax, dword ptr [0049B4F4]
:00497955 8B00                    mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"收不到计费器信息系统将关闭,系统重新启动!"
                                  |
:00497957 B9C47A4900              mov ecx, 00497AC4

* Possible StringData Ref from Code Obj ->"CloseCommput.txt"
                                  |
:0049795C BAF87A4900              mov edx, 00497AF8
:00497961 E83A61FFFF              call 0048DAA0
:00497966 8D55FC                  lea edx, dword ptr [ebp-04]
:00497969 B846000000              mov eax, 00000046
:0049796E E8ED0BF7FF              call 00408560
:00497973 33D2                    xor edx, edx
:00497975 8B83F0000000            mov eax, dword ptr [ebx+000000F0]
:0049797B E884C4FFFF              call 00493E04

* Possible StringData Ref from Code Obj ->"close  goldkey monitor"
                                  |
:00497980 680C7B4900              push 00497B0C
:00497985 6AFF                    push FFFFFFFF
:00497987 6801001F00              push 001F0001

* Reference To: kernel32.OpenMutexA, Ord:0000h
====

21:20 2005-5-16
Trying again, with a game trainer:
★ Monitor.exe (in system)
00456206 0F8591000000            jne 0045629D	;nop
00456281 7532                    jne 004562B5	;j

456206 word 37008	(decimal, i.e. 9090H, which is NOP)
456208 word 37008
45620a word 37008
456281 byte 235	(decimal, i.e. EBH, which is jmp)

★ CMonitor.exe
00455CBE 0F8591000000            jne 00455D55	;nop
00455D39 7532                    jne 00455D6D	;j
★ REPORT.dll
10005B63 7407                    je 10005B6C	;nop
10005B3C 7419                    je 10005B57	;j

14f5b63 word 37008
14f5b3c byte 235

==========
8:24 2005-6-22
It looks like it really is unbreakable: if it finds that the check data sent by the host is wrong, it probably shorts the power-supply wires for n seconds, and an ordinary machine is finished after 4 seconds. Short of opening the case, that is.
It also checks over the network.
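To make the listings above easier to check, here is an added helper of my own (not code from the post or from the product): it parses W32Dasm-style listing lines, recomputes each relative jump/call target from the raw opcode bytes so the targets printed in the listing can be verified, and decodes the uFlags value pushed before each ExitWindowsEx call (0x6 and 0xD above) into its winuser.h flag names. The embedded sample is a constructed, trimmed excerpt of the MONITOR.EXE lines quoted in the post.

```python
import re

# ExitWindowsEx uFlags bits (winuser.h); EWX_LOGOFF is the all-zero value.
EWX_FLAG_NAMES = {
    0x1: "EWX_SHUTDOWN",
    0x2: "EWX_REBOOT",
    0x4: "EWX_FORCE",
    0x8: "EWX_POWEROFF",
}

# One W32Dasm code line: ":ADDRESS  OPCODEBYTES  mnemonic operands [;comment]"
CODE_LINE = re.compile(
    r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*(?:;.*)?$"
)
IMM32 = re.compile(r"[0-9A-Fa-f]{8}")

# Constructed sample: a trimmed excerpt of the MONITOR.EXE listing quoted in
# the post; the last line is the backward jump from the CloseComput.dat loop.
SAMPLE_LISTING = """\
:00456206 0F8591000000            jne 0045629D
:00456281 7532                    jne 004562B5  ;comment text is ignored
:00456283 85DB                    test ebx, ebx
:00456285 740B                    je 00456292
:00456287 6A00                    push 00000000
:00456289 6A06                    push 00000006

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:0045628B E8E409FBFF              Call 00406C74
:00456290 EB23                    jmp 004562B5
:00456292 6A00                    push 00000000
:00456294 6A0D                    push 0000000D

* Reference To: user32.ExitWindowsEx, Ord:0000h
                                  |
:00456296 E8D909FBFF              Call 00406C74
:00493CD1 74EC                    je 00493CBF
"""


def ewx_flags(value):
    """Name the bits of an ExitWindowsEx uFlags value (0xD -> SHUTDOWN|FORCE|POWEROFF)."""
    if value == 0:
        return ["EWX_LOGOFF"]
    names = [name for bit, name in sorted(EWX_FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(EWX_FLAG_NAMES)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names


def branch_target(addr, code):
    """Recompute the destination of a relative jump or call from its bytes.

    rel8 forms: jcc short (70..7F) and jmp short (EB), 2 bytes long.
    rel32 forms: jcc near (0F 80..8F, 6 bytes), jmp near (E9) and call (E8),
    5 bytes long.  The displacement is relative to the *next* instruction.
    Returns None for any other opcode.
    """
    op = code[0]
    if (0x70 <= op <= 0x7F or op == 0xEB) and len(code) >= 2:
        return (addr + 2 + int.from_bytes(code[1:2], "little", signed=True)) & 0xFFFFFFFF
    if op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:
        return (addr + 6 + int.from_bytes(code[2:6], "little", signed=True)) & 0xFFFFFFFF
    if op in (0xE8, 0xE9) and len(code) >= 5:
        return (addr + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFFFFFF
    return None


def analyse_listing(text):
    """Return (branches, shutdown_calls) for a W32Dasm listing.

    branches: (addr, mnemonic, target_in_listing, target_from_bytes)
    shutdown_calls: (call_addr, uFlags, flag_names, dwReason) for every call
    that follows a "* Reference To: ...ExitWindowsEx" line.
    """
    branches, shutdown_calls = [], []
    pushes = []          # immediate pushes since the last call, oldest first
    pending_api = None   # API named by the most recent "* Reference To:" line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* Reference To:"):
            pending_api = line.split("Reference To:", 1)[1].split(",")[0].strip()
            continue
        m = CODE_LINE.match(line)
        if not m:
            continue
        addr, code = int(m.group(1), 16), bytes.fromhex(m.group(2))
        mnem, operand = m.group(3).lower(), m.group(4)
        if mnem == "push" and IMM32.fullmatch(operand):
            pushes.append(int(operand, 16))
        target = branch_target(addr, code)
        if target is not None and IMM32.fullmatch(operand):
            branches.append((addr, mnem, int(operand, 16), target))
        if mnem == "call":
            if pending_api and pending_api.lower().endswith("exitwindowsex") and len(pushes) >= 2:
                # stdcall pushes arguments right to left: dwReason first, uFlags last
                uflags, dwreason = pushes[-1], pushes[-2]
                shutdown_calls.append((addr, uflags, ewx_flags(uflags), dwreason))
            pending_api, pushes = None, []
    return branches, shutdown_calls


if __name__ == "__main__":
    found_branches, found_calls = analyse_listing(SAMPLE_LISTING)
    for addr, mnem, listed, decoded in found_branches:
        status = "ok" if listed == decoded else "MISMATCH"
        print(f"{addr:08X} {mnem:<5} listing={listed:08X} decoded={decoded:08X} {status}")
    for addr, uflags, names, reason in found_calls:
        print(f"{addr:08X} ExitWindowsEx(uFlags=0x{uflags:X} [{'|'.join(names)}], dwReason={reason})")
```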

Latest replies (1)
This software is really strong!
2007-4-24 14:56