[Original] Analysis of 固盾.金钥匙网吧IC卡经营收费管理专家 (Gudun Golden Key Internet café IC-card billing management expert)
Posted on: 2007-4-24 14:04
This is fairly old stuff; I looked into it back in 2005 and did not succeed. But this system really is well designed: the software and the hardware complete the job together. The software can be forced past, but if the hardware receives the wrong data it probably shorts the power switch and shuts the machine down outright. Ruthless. I don't know whether any fellow hacker has also studied it; unless you patch out the software system without corrupting the check data sent to the card reader, which might perhaps work. For your reference; criticism and corrections welcome.
zzhzihui@tom.com
Beijing Yonghua Hexun Information Technology Co., Ltd. (北京雍华和讯信息技术有限公司), 固盾.金钥匙网吧IC卡经营收费管理专家. This is a new management system, and it really is impressive.

Its executable files are found to be:
MONITOR.EXE (guessing this is the client monitoring program)
CMonitor.exe
SetMonitor.exe (guessing this is the setup program)
Report.dll
If either of the first two executables is force-closed, the computer shuts down a few minutes later.

Now let's look at the description on its homepage:

1. System components:
IC-card PR billing unit: installed on every PC in the café; it controls the user's free use of the machine and automatic billing.
IC-card issuing management program: installed on the café's cashier machine.
Network monitoring program: installed on the café's management server, implementing the various management functions of the automatic billing system.

2. System requirements:
Client PC hardware/software requirements:
One spare COM port // so the billing unit is connected via the COM port
The PC motherboard must have a power or reset header // so the IC-card billing unit also has something that controls shutdown, i.e. it is wired in parallel with the motherboard's power button; if it detects an anomaly it sends a signal that briefly shorts the power button, and Windows XP shuts down. (So could we tamper with the "when I press the power button" option in advanced power management?)
One spare 3.5" or 5.25" drive bay // for installing the card reader

Configuration notes:
IC-card billing controller: one set installed per PC. Its control method: only when a valid IC card is inserted can the PC run normally, otherwise the computer is locked; a running computer automatically deducts the balance on the IC card through the IC billing unit, thereby achieving automatic billing.

====
I tried it on my own machine, without a card reader of course; it displayed an error and shut down all the same. This must be a software shutdown. I watched Task Manager during the shutdown and it seemed to use RUNDLL32 to shut down. But disassembling MONITOR.EXE and CMONITOR.EXE shows they both call ExitWindowsExA to shut down.

★ MONITOR.EXE shutdown code

* Possible StringData Ref from Code Obj ->"Windows NT"
|
:004561FB B8E0624500        mov eax, 004562E0
:00456200 E88FDEFAFF        call 00404094
:00456205 48                dec eax
:00456206 0F8591000000      jne 0045629D      ; jump away and you're done for, so never take this jump
:0045620C 33C0              xor eax, eax
:0045620E 8945F8            mov dword ptr [ebp-08], eax
:00456211 8D45FC            lea eax, dword ptr [ebp-04]
:00456214 50                push eax
:00456215 6A28              push 00000028
* Reference To: kernel32.GetCurrentProcess, Ord:0000h
...............
* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
|
:00456275 E87203FBFF        Call 004065EC
* Reference To: kernel32.GetLastError, Ord:0000h
|
:0045627A E8B504FBFF        Call 00406734
:0045627F 84C0              test al, al
:00456281 7532              jne 004562B5      ; must jump here, otherwise shutdown
:00456283 85DB              test ebx, ebx
:00456285 740B              je 00456292       ; jump and you're done for; don't jump and you're done for too
:00456287 6A00              push 00000000
:00456289 6A06              push 00000006
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:0045628B E8E409FBFF        Call 00406C74
:00456290 EB23              jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456285(C)
|
:00456292 6A00              push 00000000
:00456294 6A0D              push 0000000D
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00456296 E8D909FBFF        Call 00406C74
:0045629B EB18              jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00456206(C)
|
:0045629D 85DB              test ebx, ebx
:0045629F 740B              je 004562AC       ; done for whether you jump or not
:004562A1 6A00              push 00000000
:004562A3 6A06              push 00000006
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:004562A5 E8CA09FBFF        Call 00406C74
:004562AA EB09              jmp 004562B5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045629F(C)
|
:004562AC 6A00              push 00000000
:004562AE 6A0D              push 0000000D
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:004562B0 E8BF09FBFF        Call 00406C74

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00456224(C), :0045623D(C), :00456251(C), :00456281(C), :00456290(U)
|:0045629B(U), :004562AA(U)
|
:004562B5 33C0              xor eax, eax
:004562B7 5A                pop edx
:004562B8 59                pop ecx
:004562B9 59                pop ecx
:004562BA 648910            mov dword ptr fs:[eax], edx
:004562BD 68D2624500        push 004562D2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:

Looking at the string references, files possibly accessed: MMonitor1.exe, MReport1.exe, Mreport_pr1.sys, Report_pr.dll, TMReport.dll, advfile.dat, Monitor1.exe, MReport_pr1.dll, Treport_pr.sys, conerrlog.dat

* Possible StringData Ref from Code Obj ->"w.bat"
|
:00494F00 687C4F4900        push 00494F7C
* Reference To: kernel32.WinExec, Ord:0000h
; probably the thing that deletes closecomput.dat.

★ CMONITOR.EXE's code is very similar to MONITOR.exe's.

* Possible StringData Ref from Code Obj ->"Windows NT"
|
:00455CB3 B8985D4500        mov eax, 00455D98
:00455CB8 E8D7E3FAFF        call 00404094
:00455CBD 48                dec eax
:00455CBE 0F8591000000      jne 00455D55      ; never take this jump; jump and you're done for
:00455CC4 33C0              xor eax, eax
:00455CC6 8945F8            mov dword ptr [ebp-08], eax
:00455CC9 8D45FC            lea eax, dword ptr [ebp-04]
:00455CCC 50                push eax
:00455CCD 6A28              push 00000028
* Reference To: kernel32.GetCurrentProcess, Ord:0000h
................
* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
|
:00455D2D E8BA08FBFF        Call 004065EC
* Reference To: kernel32.GetLastError, Ord:0000h
|
:00455D32 E8E509FBFF        Call 0040671C
:00455D37 84C0              test al, al
:00455D39 7532              jne 00455D6D      ; must jump
:00455D3B 85DB              test ebx, ebx
:00455D3D 740B              je 00455D4A
:00455D3F 6A00              push 00000000
:00455D41 6A06              push 00000006
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00455D43 E8140FFBFF        Call 00406C5C
:00455D48 EB23              jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D3D(C)
|
:00455D4A 6A00              push 00000000
:00455D4C 6A0D              push 0000000D
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00455D4E E8090FFBFF        Call 00406C5C
:00455D53 EB18              jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CBE(C)
|
:00455D55 85DB              test ebx, ebx
:00455D57 740B              je 00455D64
:00455D59 6A00              push 00000000
:00455D5B 6A06              push 00000006
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00455D5D E8FA0EFBFF        Call 00406C5C
:00455D62 EB09              jmp 00455D6D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D57(C)
|
:00455D64 6A00              push 00000000
:00455D66 6A0D              push 0000000D
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00455D68 E8EF0EFBFF        Call 00406C5C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455CDC(C), :00455CF5(C), :00455D09(C), :00455D39(C), :00455D48(U)
|:00455D53(U), :00455D62(U)
|
:00455D6D 33C0              xor eax, eax
:00455D6F 5A                pop edx
:00455D70 59                pop ecx
:00455D71 59                pop ecx
:00455D72 648910            mov dword ptr fs:[eax], edx
:00455D75 688A5D4500        push 00455D8A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455D88(U)

Also, MONITOR.EXE uses ShellExecuteA to run CMONITOR.EXE and SETMONITOR.EXE, and to open a website of its own. Of the same function calls, CMONITOR.EXE has only two: opening CMONITOR.EXE and its own website. When the program runs normally only MONITOR.EXE stays resident, so CMONITOR seems to exist purely to do damage, but given how big it is, I'm afraid it isn't that simple.

From its string references, it accesses the files displayinfo.dll and secudll.dll in the system directory, plus madvfile.dat, mmadvfile.dat and vcltest3.dll.

Registry access:
* Possible StringData Ref from Code Obj ->"\Software\Microsoft\Windows\CurrentVersion\Sof"
                                        ->"tInt"
|
:00491288 BA28134900        mov edx, 00491328
Value names:
* Possible StringData Ref from Code Obj ->"_MicrosoftDefCap"
* Possible StringData Ref from Code Obj ->"aq)_#1htj["
....
* Possible StringData Ref from Code Obj ->"server数据解密错误计数:"     ; looks like there really is a server check too
* Possible StringData Ref from Code Obj ->"校验server通讯码失败计数:"
|
:0049488F 68484B4900        push 00494B48

★ REPORT.DLL
Good grief, you don't know until you look: this DLL is a big deal. It looks like it is the interface; reading and writing the COM port is all done by it. It even has shutdown code. Let's look at that first:

First location:
:10005B61 85C0              test eax, eax
:10005B63 7407              je 10005B6C       ; absolutely must not jump here
:10005B65 E8BEFFFFFF        call 10005B28
:10005B6A EB0A              jmp 10005B76

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B63(C)
|
:10005B6C 6A00              push 00000000
:10005B6E 6A0D              push 0000000D
* Reference To: USER32.ExitWindowsEx, Ord:00D3h
|
:10005B70 FF1558640310      Call dword ptr [10036458]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B6A(U)
|
:10005B76 5D                pop ebp
:10005B77 C3                ret

Second location:
* Possible StringData Ref from Data Obj ->"SeShutdownPrivilege"
|
:10005B2D 6820DD0310        push 1003DD20
:10005B32 E86BFFFFFF        call 10005AA2
:10005B37 83C408            add esp, 00000008
:10005B3A 85C0              test eax, eax
:10005B3C 7419              je 10005B57       ; must jump
:10005B3E 6A00              push 00000000
:10005B40 6A0D              push 0000000D
* Reference To: USER32.ExitWindowsEx, Ord:00D3h
|
:10005B42 FF1558640310      Call dword ptr [10036458]
:10005B48 6A00              push 00000000
* Possible StringData Ref from Data Obj ->"SeShutdownPrivilege"
|
:10005B4A 6834DD0310        push 1003DD34
:10005B4F E84EFFFFFF        call 10005AA2
:10005B54 83C408            add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005B3C(C)
|
:10005B57 5D                pop ebp
:10005B58 C3                ret

---
Now let's look at the other information obtained from the string references:
* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h
|
:1000403B FF15CC610310      Call dword ptr [100361CC]
:10004041 8B45F0            mov eax, dword ptr [ebp-10]
:10004044 0504020000        add eax, 00000204
:10004049 50                push eax
* Possible StringData Ref from Data Obj ->"%s\csmddsly0.sys"     ; the system directory also has the files csmddsly0.sys and dslycsmd0.exe
|
:1000404A 68B0DB0310        push 1003DBB0
:1000404F 8B4DF0            mov ecx, dword ptr [ebp-10]
:10004052 81C104010000      add ecx, 00000104
:10004058 51                push ecx
:10004059 E832C80100        call 10020890
:1000405E 83C40C            add esp, 0000000C
:10004061 8B55F0            mov edx, dword ptr [ebp-10]
:10004064 81C204020000      add edx, 00000204
:1000406A 52                push edx
* Possible StringData Ref from Data Obj ->"%s\dslycsmd0.exe"
....
* Possible StringData Ref from Data Obj ->"D:\傅宏毅-接口\dll\seclib\mwicpk_cx.c"     ; so the author is named 傅宏毅
....
* Possible StringData Ref from Data Obj ->"/dev/urandom"     ; this should be the COM card-reader device name, perhaps used for debugging.
....
* Possible StringData Ref from Data Obj ->"\\.\lockkey"     ; this is the device actually accessed.
|
:100089DC 68A8DE0310        push 1003DEA8
* Reference To: KERNEL32.CreateFileA, Ord:0034h
....
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\gold"
                                        ->"key"     ; where the program stores its information in the registry
|
:1000F0E3 685CE20310        push 1003E25C
:1000F0E8 6802000080        push 80000002
* Reference To: ADVAPI32.RegCreateKeyA, Ord:015Eh
advhdl, advfile
.....
Also the registry:
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\System Control"
|
:10005FCA 6870DD0310        push 1003DD70
:10005FCF 6802000080        push 80000002
:10005FD4 8D4DF0            lea ecx, dword ptr [ebp-10]
:10005FD7 E8C4690000        call 1000C9A0
* Possible StringData Ref from Data Obj ->"Files"
|
:10005FDC 6894DD0310        push 1003DD94
.....
* Possible StringData Ref from Data Obj ->"advfile.bmp"
There should be files: advfile.exe .bmp .gif .html .jpg .scr .swf .txt
.....
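Every shutdown site above (in MONITOR.EXE, CMONITOR.EXE and REPORT.DLL) has the same shape: two immediate pushes followed by a call through the ExitWindowsEx import. The parser below is an added example, not code from this post or from the product: it walks a W32Dasm-style listing, finds those call sites, and decodes the uFlags argument with the EWX_* bit values from the Windows SDK header winuser.h; the sample listing is constructed from the post's own MONITOR.EXE and REPORT.DLL fragments, reflowed one instruction per line.

```python
import re
from dataclasses import dataclass

# EWX_* bits as defined in the Windows SDK header winuser.h.
EWX_BITS = ((0x01, "EWX_SHUTDOWN"), (0x02, "EWX_REBOOT"), (0x04, "EWX_FORCE"),
            (0x08, "EWX_POWEROFF"), (0x10, "EWX_FORCEIFHUNG"))
# ":ADDRESS OPCODEBYTES mnemonic operands ; comment"  and  "* Reference To: api, Ord:..."
INSTR_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+\s+(\w+)\s*(.*)$")
API_REF_RE = re.compile(r"\*\s*Reference To:\s*([\w.]+)")

@dataclass(frozen=True)
class ShutdownSite:
    address: str       # address of the call instruction
    uflags: int        # first argument, i.e. the last value pushed
    dwreason: object   # second argument, None when not an immediate
    flag_names: tuple  # uFlags decoded into EWX_* names

def decode_ewx(value):
    """Expand uFlags into EWX_* names; a plain 0 is EWX_LOGOFF."""
    if value == 0:
        return ("EWX_LOGOFF",)
    names = [name for bit, name in EWX_BITS if value & bit]
    leftover = value & ~sum(bit for bit, _ in EWX_BITS)
    if leftover:
        names.append(f"0x{leftover:X}")  # bits this table does not know
    return tuple(names)

def find_exitwindowsex_sites(listing):
    """stdcall pushes right to left: the last push before the call is uFlags."""
    sites, pushes, pending_api = [], [], None
    for raw in listing.splitlines():
        line = raw.strip()
        ref = API_REF_RE.search(line)
        if ref:
            pending_api = ref.group(1)   # import the next call will hit
            continue
        m = INSTR_RE.match(line)
        if not m:
            continue                     # "|" separators, xrefs, string refs
        addr, mnem, ops = m.groups()
        ops = ops.split(";", 1)[0].strip()
        if mnem.lower() == "push":
            try:
                pushes.append(int(ops, 16))
            except ValueError:
                pushes.append(None)      # register or memory operand
            continue
        if (mnem.lower() == "call" and pending_api
                and pending_api.lower().endswith("exitwindowsex")
                and len(pushes) >= 2 and pushes[-1] is not None):
            sites.append(ShutdownSite(addr.upper(), pushes[-1], pushes[-2],
                                      decode_ewx(pushes[-1])))
        pushes, pending_api = [], None   # any other instruction ends the sequence
    return sites

def summarize(listing):
    return [f"{s.address}: ExitWindowsEx({'|'.join(s.flag_names)}, {s.dwreason})"
            for s in find_exitwindowsex_sites(listing)]

# Constructed sample: MONITOR.EXE and REPORT.DLL fragments quoted in the post.
SAMPLE_LISTING = """\
:00456287 6A00          push 00000000
:00456289 6A06          push 00000006
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:0045628B E8E409FBFF    Call 00406C74
:00456292 6A00          push 00000000
:00456294 6A0D          push 0000000D
* Reference To: user32.ExitWindowsEx, Ord:0000h
|
:00456296 E8D909FBFF    Call 00406C74
:10005B2D 6820DD0310    push 1003DD20
:10005B32 E86BFFFFFF    call 10005AA2
:10005B3C 7419          je 10005B57 ; must jump
:10005B3E 6A00          push 00000000
:10005B40 6A0D          push 0000000D
* Reference To: USER32.ExitWindowsEx, Ord:00D3h
|
:10005B42 FF1558640310  Call dword ptr [10036458]
"""
```

Run on the sample it reports that the 0x6 sites are forced reboots (EWX_REBOOT|EWX_FORCE) and the 0xD sites are forced power-offs (EWX_SHUTDOWN|EWX_FORCE|EWX_POWEROFF), which the listing alone does not make obvious.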
* Possible StringData Ref from Data Obj ->"madvfile.dat"     ; this file
|
:100011EE 6800D10310        push 1003D100
....
The program also accesses CMONITOR.EXE, KERNAL32.EXE, KERNEL32.EXE, KERNEL32.DLL, MSTASK.EXE, MU.EXE, REALPLAY.EXE, REPORT_PR.SYS, RUNFILE.EXE, SCRSERVER.SC

==========================
MONITOR.EXE
00493C8E  |. 64:8920          MOV DWORD PTR FS:[EAX],ESP
00493C91  |. 8D45 FC          LEA EAX,DWORD PTR SS:[EBP-4]
00493C94  |. BA 5C3D4900      MOV EDX,MONITOR.00493D5C             ; ASCII "70"
00493C99  |. E8 22FFF6FF      CALL MONITOR.00403BC0
00493C9E  |. 8B83 48030000    MOV EAX,DWORD PTR DS:[EBX+348]
00493CA4  |. 80B8 88020000>   CMP BYTE PTR DS:[EAX+288],0
00493CAB  |. 74 79            JE SHORT MONITOR.00493D26            ; JMP IT!!
00493CAD  |. B8 683D4900      MOV EAX,MONITOR.00493D68             ; ASCII "CloseComput.dat"
00493CB2  |. E8 B14AF7FF      CALL MONITOR.00408768
00493CB7  |. 84C0             TEST AL,AL
00493CB9  |. 74 36            JE SHORT MONITOR.00493CF1
00493CBB  |. 33F6             XOR ESI,ESI

report.dll
0147899A  51                 PUSH ECX
0147899B  E8 B9A4FFFF        CALL Report.01472E59
014789A0  83C4 08            ADD ESP,8
014789A3  33D2               XOR EDX,EDX
014789A5  8A15 A0FC4B01      MOV DL,BYTE PTR DS:[14BFCA0]
014789AB  85D2               TEST EDX,EDX
014789AD  74 14              JE SHORT Report.014789C3             ; JMP opens report_pr.sys
014789AF  C745 FC FFFFFFF>   MOV DWORD PTR SS:[EBP-4],-1
014789B6  8D4D F0            LEA ECX,DWORD PTR SS:[EBP-10]
014789B9  E8 A28FFFFF        CALL Report.01471960
014789BE  E9 5D020000        JMP Report.01478C20
014789C3  C705 A4FC4B01 0>   MOV DWORD PTR DS:[14BFCA4],0
014789CD  6A 00              PUSH 0
014789CF  68 00000040        PUSH 40000000
014789D4  6A 03              PUSH 3
014789D6  6A 00              PUSH 0
014789D8  6A 00              PUSH 0
014789DA  6A 00              PUSH 0
014789DC  68 A8DE4A01        PUSH Report.014ADEA8                 ; ASCII "\\.\lockkey"
014789E1  FF15 F0624A01      CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileA
014789E7  A3 606A4B01        MOV DWORD PTR DS:[14B6A60],EAX
014789EC  833D 606A4B01 F>   CMP DWORD PTR DS:[14B6A60],-1
014789F3  0F85 A4000000      JNZ Report.01478A9D                  ; jmp shows the message
014789F9  E8 00CCFFFF        CALL Report.014755FE
014789FE  85C0               TEST EAX,EAX
01478A00  75 0C              JNZ SHORT Report.01478A0E
01478A02  C605 707A4B01 0>   MOV BYTE PTR DS:[14B7A70],1
01478A09  E9 8F000000        JMP Report.01478A9D
01478A0E  E8 1BCCFFFF        CALL Report.0147562E                 ; operates on the sys
01478A13  833D D4FC4B01 0>   CMP DWORD PTR DS:[14BFCD4],0

===============
Report_pr.sys
Its properties reveal that this is one of the components shipped with Compuware's SoftICE, an example from DriverStudio: *NT KeyboardFilter. It is a driver, but here there is not only keyboardclass (keyboard) but also pointer class (mouse), so this driver must be used to lock the keyboard and pointer (mouse) devices. If this file is deleted, the keyboard/mouse restriction should be blocked. But I don't know whether there is also a check for driver load failure.

Let's look at the operations on this sys in report.dll:

* Referenced by a CALL at Addresses:
|:10008A0E , :10008A2D , :10008A43
|
:1000562E 55                push ebp
:1000562F 8BEC              mov ebp, esp
:10005631 81EC08010000      sub esp, 00000108
:10005637 E8C2FFFFFF        call 100055FE
:1000563C A3D0FC0410        mov dword ptr [1004FCD0], eax
:10005641 833DD0FC041000    cmp dword ptr [1004FCD0], 00000000
:10005648 0F84BD000000      je 1000570B
:1000564E 6804010000        push 00000104
:10005653 8D85F8FEFFFF      lea eax, dword ptr [ebp+FFFFFEF8]
:10005659 50                push eax
:1000565A 6A00              push 00000000
* Reference To: KERNEL32.GetModuleHandleA, Ord:0126h
|
:1000565C FF15CC620310      Call dword ptr [100362CC]
:10005662 50                push eax
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:10005663 FF15D0620310      Call dword ptr [100362D0]
:10005669 85C0              test eax, eax
:1000566B 7507              jne 10005674
:1000566D 33C0              xor eax, eax
:1000566F E9A6000000        jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000566B(C)
|
:10005674 6A5C              push 0000005C
:10005676 8D8DF8FEFFFF      lea ecx, dword ptr [ebp+FFFFFEF8]
:1000567C 51                push ecx
:1000567D E81EBB0100        call 100211A0
:10005682 83C408            add esp, 00000008
:10005685 8945FC            mov dword ptr [ebp-04], eax
:10005688 837DFC00          cmp dword ptr [ebp-04], 00000000
:1000568C 7409              je 10005697
:1000568E 8B55FC            mov edx, dword ptr [ebp-04]
:10005691 C6420100          mov [edx+01], 00
:10005695 EB04              jmp 1000569B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000568C(C)
|
:10005697 33C0              xor eax, eax
:10005699 EB7F              jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005695(U)
|
* Possible StringData Ref from Data Obj ->"report_pr.sys"
; start opening the device driver
|
:1000569B 68D4DC0310        push 1003DCD4
:100056A0 8D85F8FEFFFF      lea eax, dword ptr [ebp+FFFFFEF8]
:100056A6 50                push eax
:100056A7 E804B10100        call 100207B0
:100056AC 83C408            add esp, 00000008
:100056AF 68D8FC0410        push 1004FCD8
:100056B4 8D8DF8FEFFFF      lea ecx, dword ptr [ebp+FFFFFEF8]
:100056BA 51                push ecx
* Possible StringData Ref from Data Obj ->"hycontrol"
|
:100056BB 68E4DC0310        push 1003DCE4
:100056C0 E825E0FFFF        call 100036EA
:100056C5 83C40C            add esp, 0000000C
:100056C8 85C0              test eax, eax
:100056CA 753F              jne 1000570B
* Possible StringData Ref from Data Obj ->"hycontrol"
|
:100056CC 68F0DC0310        push 1003DCF0
:100056D1 E85BDFFFFF        call 10003631
:100056D6 83C404            add esp, 00000004
:100056D9 68D8FC0410        push 1004FCD8
:100056DE 8D95F8FEFFFF      lea edx, dword ptr [ebp+FFFFFEF8]
:100056E4 52                push edx
* Possible StringData Ref from Data Obj ->"hycontrol"
|
:100056E5 68FCDC0310        push 1003DCFC
:100056EA E88BDFFFFF        call 1000367A
:100056EF 83C40C            add esp, 0000000C
:100056F2 85C0              test eax, eax
:100056F4 7411              je 10005707
:100056F6 C705D4FC041001000000  mov dword ptr [1004FCD4], 00000001
:10005700 B801000000        mov eax, 00000001
:10005705 EB13              jmp 1000571A      ; up to here the operation succeeded

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100056F4(C)
|
:10005707 33C0              xor eax, eax
:10005709 EB0F              jmp 1000571A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10005648(C), :100056CA(C)
|
:1000570B C705D4FC041001000000  mov dword ptr [1004FCD4], 00000001   ; looks like 104fcd4 should be the failure flag
:10005715 B801000000        mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000566F(U), :10005699(U), :10005705(U), :10005709(U)
|
:1000571A 8BE5              mov esp, ebp
:1000571C 5D                pop ebp
:1000571D C3                ret

The file REPORT_PR.SYS cannot be deleted, otherwise it reports "system damaged" and then shuts down.

========
Approaches tried:
1.> scrprotect->power management
Patch %systemdir%/Cmonitor.exe
:00455CBE 0F8591000000      jne 00455D55      ; no jmp; jmp = shutdown
:00455CC4 33C0              xor eax, eax
...
:00455D39 7532              jne 00455D6D      ; must jmp; no jmp = shutdown
:00455D3B 85DB              test ebx, ebx
Monitor.exe and Report.dll are currently in memory, so the original module files can't be modified, but winhex->memedit can be used to patch them.
winhex->memedit->report.dll
:10005B3A 85C0              test eax, eax
:10005B3C 7419              je 10005B57       ; must jmp
:10005B3E 6A00              push 00000000
...
:10005B61 85C0              test eax, eax
:10005B63 7407              je 10005B6C       ; no jmp
monitor.exe
:00456206 0F8591000000      jne 0045629D      ; no jmp
:0045620C 33C0              xor eax, eax
.....
:00456281 7532              jne 004562B5      ; must jmp
:00456283 85DB              test ebx, ebx
2.> Back up report_pr.sys, then delete it (the keyboard and pointer locker).

=========
14:12 2005-3-10
nwusbd.dll, xcapi.dll

=============
Let's look at this code in monitor.exe. Vicious! Does it re-download its own files from the server every time? Nasty!!! That way patching the files is no use at all.

:00492CF9 000000            BYTE 3 DUP(0)
:00492CFC 55                push ebp
:00492CFD 8BEC              mov ebp, esp
:00492CFF 33C9              xor ecx, ecx
:00492D01 51                push ecx
:00492D02 51                push ecx
:00492D03 51                push ecx
:00492D04 51                push ecx
:00492D05 51                push ecx
:00492D06 51                push ecx
:00492D07 51                push ecx
:00492D08 53                push ebx
:00492D09 56                push esi
:00492D0A 57                push edi
:00492D0B 8BFA              mov edi, edx
:00492D0D 8BF0              mov esi, eax
:00492D0F 33C0              xor eax, eax
:00492D11 55                push ebp
:00492D12 68182F4900        push 00492F18
:00492D17 64FF30            push dword ptr fs:[eax]
:00492D1A 648920            mov dword ptr fs:[eax], esp
:00492D1D B8FF000000        mov eax, 000000FF
:00492D22 E8D5F9F6FF        call 004026FC
:00492D27 8BD8              mov ebx, eax
:00492D29 8BC3              mov eax, ebx
:00492D2B 33C9              xor ecx, ecx
:00492D2D BAFF000000        mov edx, 000000FF
:00492D32 E8DDFDF6FF        call 00402B14
:00492D37 68FF000000        push 000000FF
:00492D3C 53                push ebx
* Reference To: kernel32.GetSystemDirectoryA, Ord:0000h
|
:00492D3D E8223AF7FF        Call 00406764
:00492D42 817F04DF040000    cmp dword ptr [edi+04], 000004DF
:00492D49 0F8568010000      jne 00492EB7
:00492D4F E8546AF7FF        call 004097A8
:00492D54 83C4F8            add esp, FFFFFFF8
:00492D57 DD1C24            fstp qword ptr [esp]
:00492D5A 9B                wait
:00492D5B 8D55F8            lea edx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"yyyy-MM-dd hh:mm:ss"
|
:00492D5E B8302F4900        mov eax, 00492F30
:00492D63 E83C76F7FF        call 0040A3A4
:00492D68 8B4DF8            mov ecx, dword ptr [ebp-08]
:00492D6B 8D45FC            lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"文件接收成功。时间:"
|
:00492D6E BA4C2F4900        mov edx, 00492F4C
:00492D73 E87C10F7FF        call 00403DF4
:00492D78 8B4DFC            mov ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"ConnErrLog.dat"
|
:00492D7B BA6C2F4900        mov edx, 00492F6C
:00492D80 8BC6              mov eax, esi
:00492D82 E8E9C1FFFF        call 0048EF70
:00492D87 A1E8F94900        mov eax, dword ptr [0049F9E8]
:00492D8C E88B00F7FF        call 00402E1C
:00492D91 C605D4F9490001    mov byte ptr [0049F9D4], 01
:00492D98 33C0              xor eax, eax
:00492D9A A3E8F94900        mov dword ptr [0049F9E8], eax
:00492D9F 8D45F4            lea eax, dword ptr [ebp-0C]
:00492DA2 8BD3              mov edx, ebx
:00492DA4 E8370FF7FF        call 00403CE0
:00492DA9 8D45F4            lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"\Monitor1.exe"     ; temporary monitor program file
|
:00492DAC BA842F4900        mov edx, 00492F84
:00492DB1 E8FA0FF7FF        call 00403DB0
:00492DB6 8B55F4            mov edx, dword ptr [ebp-0C]
:00492DB9 8BC6              mov eax, esi
:00492DBB E8D0030000        call 00493190
:00492DC0 84C0              test al, al
:00492DC2 0F84C3000000      je 00492E8B
:00492DC8 8D45F0            lea eax, dword ptr [ebp-10]
:00492DCB 8BD3              mov edx, ebx
:00492DCD E80E0FF7FF        call 00403CE0
:00492DD2 8D45F0            lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"\Report1.dll"     ; temporary interface dll
|
:00492DD5 BA9C2F4900        mov edx, 00492F9C
:00492DDA E8D10FF7FF        call 00403DB0
:00492DDF 8B55F0            mov edx, dword ptr [ebp-10]
:00492DE2 8BC6              mov eax, esi
:00492DE4 E8A7030000        call 00493190
:00492DE9 84C0              test al, al
:00492DEB 0F849A000000      je 00492E8B
:00492DF1 8D45EC            lea eax, dword ptr [ebp-14]
:00492DF4 8BD3              mov edx, ebx
:00492DF6 E8E50EF7FF        call 00403CE0
:00492DFB 8D45EC            lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"\AdvFile.Dat"     ; full-screen image shown while the machine is locked
|
:00492DFE BAB42F4900        mov edx, 00492FB4
:00492E03 E8A80FF7FF        call 00403DB0
:00492E08 8B55EC            mov edx, dword ptr [ebp-14]
:00492E0B 8BC6              mov eax, esi
:00492E0D E87E030000        call 00493190
:00492E12 84C0              test al, al
:00492E14 7475              je 00492E8B
:00492E16 8BC6              mov eax, esi
:00492E18 E827FBFFFF        call 00492944
:00492E1D 84C0              test al, al
:00492E1F 0F8592000000      jne 00492EB7
:00492E25 E87E69F7FF        call 004097A8
:00492E2A 83C4F8            add esp, FFFFFFF8
:00492E2D DD1C24            fstp qword ptr [esp]
:00492E30 9B                wait
:00492E31 8D55E4            lea edx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"yyyy-MM-dd hh:mm:ss"
|
:00492E34 B8302F4900        mov eax, 00492F30
:00492E39 E86675F7FF        call 0040A3A4
:00492E3E 8B4DE4            mov ecx, dword ptr [ebp-1C]
:00492E41 8D45E8            lea eax, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"启动SetMonitor.exe 失败。重新下载 "
                                        ->"Monitor.exe。 时间:"
|
:00492E44 BACC2F4900        mov edx, 00492FCC
:00492E49 E8A60FF7FF        call 00403DF4
:00492E4E 8B4DE8            mov ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"ConnErrLog.dat"
|
:00492E51 BA6C2F4900        mov edx, 00492F6C
:00492E56 8BC6              mov eax, esi
:00492E58 E813C1FFFF        call 0048EF70
:00492E5D A1ECF94900        mov eax, dword ptr [0049F9EC]
:00492E62 50                push eax
:00492E63 68D2070000        push 000007D2
:00492E68 66A1A0F84900      mov ax, word ptr [0049F8A0]
:00492E6E 50                push eax
:00492E6F 8BC6              mov eax, esi
:00492E71 E8361AFBFF        call 004448AC
:00492E76 8BC8              mov ecx, eax
:00492E78 B201              mov dl, 01
* Possible StringData Ref from Code Obj ->"TWSocket岪"
|
:00492E7A A1DCD64800        mov eax, dword ptr [0048D6DC]
:00492E7F E814B5FFFF        call 0048E398
:00492E84 A3E8F94900        mov dword ptr [0049F9E8], eax
:00492E89 EB2C              jmp 00492EB7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492DC2(C), :00492DEB(C), :00492E14(C)
|
:00492E8B A1ECF94900        mov eax, dword ptr [0049F9EC]
:00492E90 50                push eax
:00492E91 68D2070000        push 000007D2
:00492E96 66A1A0F84900      mov ax, word ptr [0049F8A0]
:00492E9C 50                push eax
:00492E9D 8BC6              mov eax, esi
:00492E9F E8081AFBFF        call 004448AC
:00492EA4 8BC8              mov ecx, eax
:00492EA6 B201              mov dl, 01
* Possible StringData Ref from Code Obj ->"TWSocket岪"
|
:00492EA8 A1DCD64800        mov eax, dword ptr [0048D6DC]
:00492EAD E8E6B4FFFF        call 0048E398
:00492EB2 A3E8F94900        mov dword ptr [0049F9E8], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492D49(C), :00492E1F(C), :00492E89(U)
|
:00492EB7 817F04E0040000    cmp dword ptr [edi+04], 000004E0
:00492EBE 753D              jne 00492EFD
:00492EC0 A1E8F94900        mov eax, dword ptr [0049F9E8]
:00492EC5 E852FFF6FF        call 00402E1C
:00492ECA 33C0              xor eax, eax
:00492ECC A3E8F94900        mov dword ptr [0049F9E8], eax
:00492ED1 A1ECF94900        mov eax, dword ptr [0049F9EC]
:00492ED6 50                push eax
:00492ED7 68D2070000        push 000007D2
:00492EDC 66A1A0F84900      mov ax, word ptr [0049F8A0]
:00492EE2 50                push eax
:00492EE3 8BC6              mov eax, esi
:00492EE5 E8C219FBFF        call 004448AC
:00492EEA 8BC8              mov ecx, eax
:00492EEC B201              mov dl, 01
* Possible StringData Ref from Code Obj ->"TWSocket岪"
|
:00492EEE A1DCD64800        mov eax, dword ptr [0048D6DC]
:00492EF3 E8A0B4FFFF        call 0048E398
:00492EF8 A3E8F94900        mov dword ptr [0049F9E8], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492EBE(C)
|
:00492EFD 33C0              xor eax, eax
:00492EFF 5A                pop edx
:00492F00 59                pop ecx
:00492F01 59                pop ecx
:00492F02 648910            mov dword ptr fs:[eax], edx
:00492F05 681F2F4900        push 00492F1F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00492F1D(U)
|
:00492F0A 8D45E4            lea eax, dword ptr [ebp-1C]
:00492F0D BA07000000        mov edx, 00000007
:00492F12 E8350CF7FF        call 00403B4C
:00492F17 C3                ret

===========
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497A18(C)
|
:00497A8E FFD0              call eax
:00497A90 84C0              test al, al
:00497A92 7532              jne 00497AC6      ; jmp
:00497A94 6A00              push 00000000
:00497A96 6A01              push 00000001
:00497A98 A150D74900        mov eax, dword ptr [0049D750]
:00497A9D 8B00              mov eax, dword ptr [eax]
:00497A9F 33C9              xor ecx, ecx
* Possible StringData Ref from Code Obj ->"没有检测到系统板卡,请确定是否安装板卡或驱动程?
                                        ->"虬沧笆欠裾罚?
|
:00497AA1 BA507B4900        mov edx, 00497B50
:00497AA6 E88584FBFF        call 0044FF30
:00497AAB 6A01              push 00000001
:00497AAD 6A01              push 00000001
:00497AAF 6809070000        push 00000709
:00497AB4 A154D54900        mov eax, dword ptr [0049D554]
:00497AB9 8B00              mov eax, dword ptr [eax]
:00497ABB E8ECCDFAFF        call 004448AC

------------
:00493C9E 8B8348030000      mov eax, dword ptr [ebx+00000348]
:00493CA4 80B88802000000    cmp byte ptr [eax+00000288], 00
:00493CAB 7479              je 00493D26       ; jmp
* Possible StringData Ref from Code Obj ->"CloseComput.dat"
|
:00493CAD B8683D4900        mov eax, 00493D68
:00493CB2 E8B14AF7FF        call 00408768
:00493CB7 84C0              test al, al
:00493CB9 7436              je 00493CF1
:00493CBB 33F6              xor esi, esi
:00493CBD EB06              jmp 00493CC5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CD1(C)
|
:00493CBF 46                inc esi
:00493CC0 83FE64            cmp esi, 00000064
:00493CC3 7D0E              jge 00493CD3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CBD(U)
|
* Possible StringData Ref from Code Obj ->"CloseComput.dat"
|
:00493CC5 B8683D4900        mov eax, 00493D68
:00493CCA E8A94AF7FF        call 00408778
:00493CCF 84C0              test al, al
:00493CD1 74EC              je 00493CBF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493CC3(C)
|
* Possible StringData Ref from Code Obj ->"计费器工作异常,系统无数30秒之内关机!"

=========
cmonitor.exe
:00497924 84C0              test al, al
:00497926 0F8406010000      je 00497A32
:0049792C 80BB8802000000    cmp byte ptr [ebx+00000288], 00
:00497933 0F8452010000      je 00497A8B
:00497939 6A03              push 00000003
:0049793B 6A01              push 00000001
:0049793D A1ECB64900        mov eax, dword ptr [0049B6EC]
:00497942 8B00              mov eax, dword ptr [eax]
:00497944 33C9              xor ecx, ecx
* Possible StringData Ref from Code Obj ->"收不到计费器信息系统将关闭,系统重新启动!"
|
:00497946 BAC47A4900        mov edx, 00497AC4
:0049794B E8C480FBFF        call 0044FA14
:00497950 A1F4B44900        mov eax, dword ptr [0049B4F4]
:00497955 8B00              mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"收不到计费器信息系统将关闭,系统重新启动!"
|
:00497957 B9C47A4900        mov ecx, 00497AC4
* Possible StringData Ref from Code Obj ->"CloseCommput.txt"
|
:0049795C BAF87A4900        mov edx, 00497AF8
:00497961 E83A61FFFF        call 0048DAA0
:00497966 8D55FC            lea edx, dword ptr [ebp-04]
:00497969 B846000000        mov eax, 00000046
:0049796E E8ED0BF7FF        call 00408560
:00497973 33D2              xor edx, edx
:00497975 8B83F0000000      mov eax, dword ptr [ebx+000000F0]
:0049797B E884C4FFFF        call 00493E04
* Possible StringData Ref from Code Obj ->"close goldkey monitor"
|
:00497980 680C7B4900        push 00497B0C
:00497985 6AFF              push FFFFFFFF
:00497987 6801001F00        push 001F0001
* Reference To: kernel32.OpenMutexA, Ord:0000h

====
21:20 2005-5-16
Trying again, with a game trainer:
★ Monitor.exe (in system)
00456206 0F8591000000      jne 0045629D      ; nop
00456281 7532              jne 004562B5      ; j
456206 word 37008 (decimal, meaning 9090H, i.e. NOP)
456208 word 37008
45620a word 37008
456281 byte 235 (decimal, meaning EBH, i.e. jmp)
★ CMonitor.exe
00455CBE 0F8591000000      jne 00455D55      ; nop
00455D39 7532              jne 00455D6D      ; j
★ REPORT.dll
10005B63 7407              je 10005B6C       ; nop
10005B3C 7419              je 10005B57       ; j
14f5b63 word 37008
14f5b3c byte 235

==========
8:24 2005-6-22
It looks like it really is indestructible. Probably, if it finds that the check data sent by the host is wrong, it shorts the power wire for n seconds; on an ordinary machine 4 seconds and it's over, short of opening the case. On top of that it also checks over the network.