00430678 8B85 70B6FFFF mov eax, dword ptr [ebp+FFFFB670]
0043067E 83C0 40 add eax, 40
00430681 E8 DA090000 call 00431060
00430686 50 push eax
00430687 FF15 CC535300 call dword ptr [<&kernel32.GetFileTim>; // kernel32.GetFileTime
0043068D 8B95 70B6FFFF mov edx, dword ptr [ebp+FFFFB670]
00430693 83C2 50 add edx, 50
00430696 52 push edx
00430697 8D85 3CFFFFFF lea eax, dword ptr [ebp-C4]
0043069D 50 push eax
0043069E FF15 C8535300 call dword ptr [<&kernel32.FileTimeTo>; //kernel32.FileTimeToSystemTime
004306A4 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
004306AA 66:C741 5E 0000 mov word ptr [ecx+5E], 0
004306B0 8B95 70B6FFFF mov edx, dword ptr [ebp+FFFFB670]
004306B6 66:C742 54 0000 mov word ptr [edx+54], 0
004306BC 6A 02 push 2
004306BE 6A FF push -1
004306C0 6A F4 push -0C
004306C2 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
004306C8 83C1 40 add ecx, 40
004306CB 8B85 70B6FFFF mov eax, dword ptr [ebp+FFFFB670]
004306D1 8B50 40 mov edx, dword ptr [eax+40]
004306D4 FF52 28 call dword ptr [edx+28]
004306D7 83C0 0C add eax, 0C
004306DA 8945 B0 mov dword ptr [ebp-50], eax
004306DD 6A 0C push 0C
004306DF 8D45 BC lea eax, dword ptr [ebp-44]
004306E2 50 push eax
004306E3 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
004306E9 83C1 40 add ecx, 40
004306EC 8B95 70B6FFFF mov edx, dword ptr [ebp+FFFFB670]
004306F2 8B42 40 mov eax, dword ptr [edx+40]
004306F5 FF50 34 call dword ptr [eax+34]
004306F8 8B4D C4 mov ecx, dword ptr [ebp-3C]
004306FB 890D 30D25800 mov dword ptr [58D230], ecx
00430701 813D 30D25800 3>cmp dword ptr [58D230], 35363439
0043070B 75 06 jnz short 00430713
0043070D 8B55 BC mov edx, dword ptr [ebp-44]
00430710 8955 B0 mov dword ptr [ebp-50], edx
00430713 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
00430719 83C1 40 add ecx, 40
0043071C E8 CFFDFDFF call 004104F0
00430721 6A 00 push 0
00430723 6A 00 push 0
00430725 68 80000000 push 80
0043072A 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
00430730 83C1 40 add ecx, 40
00430733 8B85 70B6FFFF mov eax, dword ptr [ebp+FFFFB670]
00430739 8B50 40 mov edx, dword ptr [eax+40]
0043073C FF52 28 call dword ptr [edx+28]
0043073F 6A 10 push 10
00430741 68 F4D15800 push 0058D1F4
00430746 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
0043074C 83C1 40 add ecx, 40
0043074F 8B85 70B6FFFF mov eax, dword ptr [ebp+FFFFB670]
00430755 8B50 40 mov edx, dword ptr [eax+40]
00430758 FF52 34 call dword ptr [edx+34]
0043075B 8B45 B0 mov eax, dword ptr [ebp-50]
0043075E 2D 90000000 sub eax, 90
00430763 8945 B8 mov dword ptr [ebp-48], eax
00430766 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
0043076C 51 push ecx
0043076D E8 9EAA0900 call 004CB210
00430772 83C4 04 add esp, 4
00430775 817D B8 0004000>cmp dword ptr [ebp-48], 400
0043077C 76 26 jbe short 004307A4
0043077E 68 00040000 push 400
00430783 8D95 DCB6FFFF lea edx, dword ptr [ebp+FFFFB6DC]
00430789 52 push edx
0043078A 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
00430790 83C1 40 add ecx, 40
00430793 8B85 70B6FFFF mov eax, dword ptr [ebp+FFFFB670]
00430799 8B50 40 mov edx, dword ptr [eax+40]
0043079C FF52 34 call dword ptr [edx+34]
0043079F 8945 B4 mov dword ptr [ebp-4C], eax
004307A2 EB 23 jmp short 004307C7
004307A4 8B45 B8 mov eax, dword ptr [ebp-48]
004307A7 50 push eax
004307A8 8D8D DCB6FFFF lea ecx, dword ptr [ebp+FFFFB6DC]
004307AE 51 push ecx
004307AF 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670]
004307B5 83C1 40 add ecx, 40
004307B8 8B95 70B6FFFF mov edx, dword ptr [ebp+FFFFB670]
004307BE 8B42 40 mov eax, dword ptr [edx+40]
004307C1 FF50 34 call dword ptr [eax+34]
004307C4 8945 B4 mov dword ptr [ebp-4C], eax
004307C7 8B4D B8 mov ecx, dword ptr [ebp-48]
004307CA 2B4D B4 sub ecx, dword ptr [ebp-4C]
004307CD 894D B8 mov dword ptr [ebp-48], ecx
004307D0 8B55 B4 mov edx, dword ptr [ebp-4C]
004307D3 52 push edx
004307D4 8D85 DCB6FFFF lea eax, dword ptr [ebp+FFFFB6DC]
004307DA 50 push eax
004307DB 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC]
004307E1 51 push ecx
004307E2 E8 49A60900 call 004CAE30
004307E7 83C4 0C add esp, 0C
004307EA 817D B4 0004000>cmp dword ptr [ebp-4C], 400
004307F1 ^ 74 82 je short 00430775
004307F3 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
004307F9 52 push edx
004307FA 68 04D25800 push 0058D204
004307FF E8 CCA80900 call 004CB0D0
00430804 83C4 08 add esp, 8
00430807 C785 D0B6FFFF 0>mov dword ptr [ebp+FFFFB6D0], 0
00430811 EB 0F jmp short 00430822
00430813 8B85 D0B6FFFF mov eax, dword ptr [ebp+FFFFB6D0]
00430819 83C0 01 add eax, 1
0043081C 8985 D0B6FFFF mov dword ptr [ebp+FFFFB6D0], eax
00430822 83BD D0B6FFFF 1>cmp dword ptr [ebp+FFFFB6D0], 10
00430829 7D 3E jge short 00430869 //大于等与则跳(关键跳)
0043082B 8B8D D0B6FFFF mov ecx, dword ptr [ebp+FFFFB6D0]
00430831 0FB691 F4D15800 movzx edx, byte ptr [ecx+58D1F4]
00430838 8B85 D0B6FFFF mov eax, dword ptr [ebp+FFFFB6D0]
0043083E 0FB688 04D25800 movzx ecx, byte ptr [eax+58D204]
00430845 3BD1 cmp edx, ecx
00430847 74 1E je short 00430867
00430849 64:8B0D 0400000>mov ecx, dword ptr fs:[4]
00430850 83E9 04 sub ecx, 4
00430853 8BFC mov edi, esp
00430855 8BE1 mov esp, ecx
00430857 2BCF sub ecx, edi
00430859 FC cld
0043085A F3:AA rep stos byte ptr es:[edi]
0043085C 33ED xor ebp, ebp
0043085E 8BF5 mov esi, ebp
00430860 8BFD mov edi, ebp
00430862 ^ E9 29FDFFFF jmp 00430590 //
00430867 ^ EB AA jmp short 00430813 //这两个无条件跳则挂掉
00430869 8B8D 70B6FFFF mov ecx, dword ptr [ebp+FFFFB670] //jge跳到此处
0043086F 83C1 40 add ecx, 40
00430872 E8 79FCFDFF call 004104F0
// Author's note: "both jmps land here". In the visible listing only 00430862 (`jmp 00430590`) lands here directly;
// 00430867 loops back to 00430813, so this path is reached after the byte compare at 00430845 finds a mismatch.
// Failure path of what appears to be a self-integrity check: show a modal MessageBoxA, then terminate the process.
// The caller has already replaced esp (mov esp, ecx at 00430855) and zeroed ebp/esi/edi, so there is no usable frame here -
// the code uses only pushes and two imported stdcall APIs. Arguments are pushed right-to-left:
// MessageBoxA(hWnd = 0, lpText, lpCaption, uType = 0), then ExitProcess(0).
00430590 6A 00 push 0  ; uType = 0 (MB_OK)
00430592 68 E8455600 push 005645E8 ; ASCII "Virus Alert"  ; lpCaption
00430597 68 C0455600 push 005645C0 ; ASCII "Application was modified by a virus
!!!"  ; lpText (ASCII string continued from the previous line)
0043059C 6A 00 push 0  ; hWnd = NULL (no owner window)
0043059E FF15 34565300 call dword ptr [<&USER32.MessageBoxA>>; USER32.MessageBoxA  ; modal: returns only after the user dismisses the box
004305A4 6A 00 push 0  ; uExitCode = 0
004305A6 FF15 58535300 call dword ptr [<&kernel32.ExitProces>; kernel32.ExitProcess  ; does not return
004305AC CC int3  ; filler after the no-return call; not expected to execute
004305AD CC int3
004305AE CC int3
004305AF CC int3
保存之后运行还有问题,我也想过用其他方式搞,但功底不够,没有成功,找不到程序将原来的程序修改时间值保存在哪里
找到了直接修改可能会更好一些,高手帮看看
附件发不上来,加qq 22318837 或留email小弟发过去