Software: AspApp Golden 3.0 (Chinese name: asp加密锁3.0企业版, "ASP Encryption Lock 3.0 Enterprise Edition") (I wanted to attach it, but my forum permissions are insufficient; the software can be downloaded on your own)
Protection: packer + anti-debugging (there may be other protections as well)
Packer: ASPack 2.12
Description: Encrypts and compresses websites built with IIS + ASP (Active Server Pages). The encrypted application still runs under IIS, but others can no longer read the ASP script source directly, thoroughly protecting the fruits of your hard work and your intellectual property.
The encrypted code looks like this:
<%@ Language="VBSCRIPT" %>
<% 'AspApp Golden - Enterprise (V3.0.0.0)
On Error Resume Next
Set MyAspAppG = Server.CreateObject("AspAppGX.AspDecoder")
If Not IsObject(MyAspAppG) Then
Response.Write "请先运行Setup_Ent.exe并注册组件!" ' (the message says: run Setup_Ent.exe first and register the component; setup_ent.exe is equivalent to regsvr32.exe aspappG.dll)
Response.End
End If
MyAspAppG.Tag = "ZY3BywXyuYlp=|X1o"
MyAspAppG.Crc64 = "415r1a|mED;_*AH1HO|@Ppp"
MyAspAppG.Crc32 = "S8ZnhxVfWCV9/B/Y7N4KFClA3fHjAk2dJMBIzwcyHzk="
MyAspAppG.AddCode "jvPFkUtIhuV11sFGCHGKm/+TdNnAqPe3hlINvF3XVuR9TgKHmBxZTFt/JwJJA6gdzXLtgjfj1m4tUoil"
MyAspAppG.AddCode "L/zmqixl9I5+Yo/J61C18UEoyBPKLxlFxtYqqvfPQ7c16oe8Gh5ENl6gF5Snz1IvK72zN4/K8EJyrYsn"
MyAspAppG.AddCode "LQZ+Y0omo3aWUxeqII3+17mycWbajZLKaejTRQO+u9GBnI2emn9UkWCh9nP8G/roDtwsIcbsFLfFKahC"
MyAspAppG.AddCode "fesyREg2R+cXYfaDwzFZNcjkwIU1gASGTmEk4fyMVzMdlyhZ8/jFWgEfpvwbdcrknMtezxX7zTfGiqtM"
MyAspAppG.AddCode "JCiaWalJcLn4Of6Dudkn21gWedShsQXkh4AS/Mau9VLsU48ZYWcnjBgbWDlPGpOEfdHR466Qs6BbN3Vx"
MyAspAppG.AddCode "0s8r8RJX7+yznlqCaJpvFglgNHedXLW82mFgcfNQ/7lUb2D1V4POgd8xwvdnIy8qx2/EwWj3LdCm5LST"
MyAspAppG.AddCode "G/LiX8VfJrihCAZkyV0JbEgE8Y5qdlZK36wPZglLKIZaVOh19U5XnQeSCGKKnMnP/dK5EE8oOOgxD5U5"
MyAspAppG.AddCode "1/ka+h4Q207ED3mx9vYQzr1eTSRa1uSStKxXt0crMdJ6Rksj8VrBO7WAiU5eGN6wK/9Bqg=="
MyAspAppG.Execute
Set MyAspAppG = nothing
%>
Tested: for the same ASP source, the data after MyAspAppG.Crc32 is identical after every encryption, while the other three items, MyAspAppG.Tag, MyAspAppG.Crc64 and MyAspAppG.RegCode, differ every time.
To use the encrypted code under IIS, a component must be registered: aspappG.dll (setup_ent.exe is equivalent to regsvr32.exe aspappG.dll).
Goal: find out its encryption algorithm (according to the software's homepage it uses a high-strength algorithm).
Disclaimer: I am the greenest of newbies, with no assembly background; the only programming language I've learned is a smattering of QBASIC. During the analysis I had no expert to consult and relied entirely on my enthusiasm for software protection and cracking. What follows are the notes I wrote over the past month while analysing this software; if anything is wrong, please correct me. Perhaps aspappG.dll contains the decryption code, but I don't know how to analyse a DLL, so I had to give up on that.
Analysis process:
With the packed file loaded in OD, stepping into it just exits, which means the software has anti-debugging; this is easily handled with an OD plugin (I forget the plugin's name).
First I thought of unpacking AspAppEncoder.exe. PEiD shows the packer as ASPack 2.12 -> Alexey Solodovnikov. The unpacked file exits as soon as it runs, so I assumed the file has a CRC check. Loading the unpacked file in OD and stepping with F8 brings us to 005016B5, as follows:
005016B5 |. E8 3292F0FF call 0040A8EC ; get the file size
005016BA |. 81FE D8FC0800 cmp esi, 8FCD8 ; here ESI = 001B1600, i.e. decimal 1775104, exactly the file size, compared against 8FCD8,
005016C0 |. 7E 05 jle short 005016C7 ; since the unpacked file is larger, this jump is not taken
005016C2 E8 3D34F0FF call 00404B04
Exits the program.
Increasing the 8FCD8 value gets past this point.
Stepping further to 00501702:
00501702 |. 84C0 test al, al ;here al=00, so the jump is not taken and the next step is as above: a CALL to 00404B04 and the program exits. I compared this with the packed original program: when it reaches this point al=01 (visible in the info pane). I don't know how to make al=01 here,
00501704 |. 75 05 jnz short 0050170B ;the only option is to patch here, changing jnz to jmp, an unconditional jump.
00501706 |. E8 F933F0FF call 00404B04
After patching, continue stepping to here.
00501733 |. E8 6C3CF6FF call 004653A4 ;this call opens that NAG window. I don't know why, but stepping on until execution terminates, the window shows no text or anything at all. My view: by the way a packer works, once the program is fully running the code in memory is the restored real code. Since my goal was to let the program load completely, click Start Encryption and find the encryption method, I didn't pursue the unpacking any further. (Unpacking failed.)
All of the analysis below was done in OD on the packed program.
Load the original program in OD and press F9 to let it run. Once it has fully loaded, the code stops at the following location:
0050164B 56 push esi
0050164C 57 push edi
0050164D 33C0 xor eax, eax
0050164F 8945 E8 mov dword ptr [ebp-18], eax
00501652 8945 EC mov dword ptr [ebp-14], eax
00501655 B8 94115000 mov eax, 00501194
0050165A E8 C15AF0FF call 00407120
0050165F 8B3D B0C15100 mov edi, dword ptr [51C1B0] ; AspAppEn.0051FE58
00501665 33C0 xor eax, eax
00501667 55 push ebp
00501668 68 53175000 push 00501753
0050166D 64:FF30 push dword ptr fs:[eax]
00501670 64:8920 mov dword ptr fs:[eax], esp
00501673 8B07 mov eax, dword ptr [edi]
00501675 E8 923CF6FF call 0046530C
0050167A E8 5DF7FFFF call 00500DDC
0050167F 84C0 test al, al
00501681 74 07 je short 0050168A
00501683 8B07 mov eax, dword ptr [edi]
00501685 E8 063EF6FF call 00465490
0050168A 8D55 EC lea edx, dword ptr [ebp-14]
0050168D 8B07 mov eax, dword ptr [edi]
0050168F E8 E842F6FF call 0046597C
00501694 8B45 EC mov eax, dword ptr [ebp-14]
00501697 BA 40000000 mov edx, 40
0050169C E8 2791F0FF call 0040A7C8
005016A1 8BD8 mov ebx, eax
005016A3 B9 02000000 mov ecx, 2
In OD, right-click -> Search for -> All referenced text strings, and find
Address=004FEBC5 Disassembly=mov eax, 004FEFC8 Text string=ASCII "hh:nn:ss"" 开始加密..."""
Double-click to go to the disassembly window, as follows:
004FEBC5 B8 C8EF4F00 mov eax, 004FEFC8 ; ASCII "hh:nn:ss"" 开始加密..."""
004FEBCA E8 0DE4F0FF call 0040CFDC
004FEBCF 8B4D D8 mov ecx, dword ptr [ebp-28]
004FEBD2 B2 01 mov dl, 1
004FEBD4 8B45 F0 mov eax, dword ptr [ebp-10]
004FEBD7 E8 84C9FFFF call 004FB560
004FEBDC A1 B0C15100 mov eax, dword ptr [51C1B0]
004FEBE1 8B00 mov eax, dword ptr [eax]
004FEBE3 E8 1066F6FF call 004651F8
Press F2 at line 004FEBC5 to set a breakpoint, then switch to the aspapp program window (hereafter "the target program") and click Start Encryption; it automatically jumps back to OD and stops at my breakpoint. Step with F8. After repeatedly reloading the program and setting and removing breakpoints, the last time I set a breakpoint at 004FD469, and the program reached the following location:
004FD469 E8 EEA1F8FF call 0048765C ; obtains CRC32, the same every time
004FD46E 8B95 94FDFFFF mov edx, dword ptr [ebp-26C]
004FD474 8B45 F4 mov eax, dword ptr [ebp-C]
004FD477 E8 7078F0FF call 00404CEC
004FD47C 33C0 xor eax, eax
004FD47E 5A pop edx
004FD47F 59 pop ecx
004FD480 59 pop ecx
004FD481 64:8910 mov dword ptr fs:[eax], edx
Press F8 once to reach
004FD46E 8B95 94FDFFFF mov edx, dword ptr [ebp-26C]
At this point the info pane shows:
Stack ss:[0012F804]=00FD4668, (ASCII "S8ZnhxVfWCV9/B/Y7N4KFClA3fHjAk2dJMBIzwcyHzk=") Remember this value: SS=00FD4668.
edx=00000000
S8ZnhxVfWCV9/B/Y7N4KFClA3fHjAk2dJMBIzwcyHzk= is exactly the data after "MyAspAppG.Crc32 =" in the ciphertext.
Step further (F8) to here:
004FD49E E8 9160F0FF call 00403534
004FD4A3 8BF0 mov esi, eax
004FD4A5 8D8D DCFDFFFF lea ecx, dword ptr [ebp-224]
004FD4AB 8B45 14 mov eax, dword ptr [ebp+14]
004FD4AE 8B40 F0 mov eax, dword ptr [eax-10]
004FD4B1 BA 10000000 mov edx, 10
Press F8 twice to reach
004FD4A5 8D8D DCFDFFFF lea ecx, dword ptr [ebp-224]
At this point the info pane shows:
Stack address=0012F84C, (ASCII 14,"wdqT/c7B0p(B?0DecEs6") This is MyAspAppG.Crc64, but not complete.
ecx=00F8C5B0
Step further, to here
004FD4BB 8D95 DCFDFFFF lea edx, dword ptr [ebp-224]
004FD4C1 8B45 F8 mov eax, dword ptr [ebp-8]
004FD4C4 E8 2B7AF0FF call 00404EF4
004FD4C9 8BDE mov ebx, esi
004FD4CB 53 push ebx
At this point the info pane shows:
Stack address=0012F84C, (ASCII 10,"82|e?Wv_(K!m4!aZ") This is MyAspAppG.Tag, but missing the first letter (I don't know why)
edx=00FD3340
Step further, to here
004FD4E6 8B95 90FDFFFF mov edx, dword ptr [ebp-270]
004FD4EC 8B45 0C mov eax, dword ptr [ebp+C]
004FD4EF E8 F877F0FF call 00404CEC
004FD4F4 53 push ebx
004FD4F5 8D85 8CFDFFFF lea eax, dword ptr [ebp-274]
004FD4FB 50 push eax
At this point the info pane shows:
Stack ss:[0012F800]=00F24D48, (ASCII "2aDcyjdIzeko8pda4ilpvRK2J20QERbAk3+LKu0EbPdN/ls1y+4JgREHQx29abeXJUSOLOwKJqsIod7wh14H/Vomv5L56jrKB/y6dxEEw8K6HPVm6l9hMUrwo48HfNtldf586s/7hMffYC7lc5yalmihblOxmHGTyrpdjqmwmCuRXvm6jLLOdfx5yVJzXwD/Is6FNngQHWKggH6XkcsEsTO78clCAJjPvAxj9j1l68nZ7".)
edx=00EC72E8, (ASCII 69,"f StrComp(AspApp_MC_MC, ""346CA61E"", 0) <> 0 then",CR,LF,"Response.write ""<p><center><Font size = 4 color=#FF0000")
The ASCII after "Stack" is exactly the data inside "MyAspAppG.AddCode". Remember this value: SS=00F24D48.
Press F9 to let the program finish; the resulting ciphertext is as follows:
MyAspAppG.Tag = "Z82|e?Wv_(K!m4!aZ"
MyAspAppG.Crc64 = "V49wdqT/c7B0p(B?0DecEs6"
MyAspAppG.Crc32 = "S8ZnhxVfWCV9/B/Y7N4KFClA3fHjAk2dJMBIzwcyHzk=" (the same as above, as you can see)
MyAspAppG.AddCode "2aDcyjdIzeko8pda4ilpvRK2J20QERbAk3+LKu0EbPdN/ls1y+4JgREHQx29abeXJUSOLOwKJqsIod7w"
MyAspAppG.AddCode "h14H/Vomv5L56jrKB/y6dxEEw8K6HPVm6l9hMUrwo48HfNtldf586s/7hMffYC7lc5yalmihblOxmHGT"
MyAspAppG.AddCode "yrpdjqmwmCuRXvm6jLLOdfx5yVJzXwD/Is6FNngQHWKggH6XkcsEsTO78clCAJjPvAxj9j1l68nZ71oW"
MyAspAppG.AddCode "nJmX74qD63kftpkooo4hDzc6yqYGT62ZlOKEhGtjt7nGivcYBzs7BSCA8DQGo/iCyR8aaPV5HUafZjQw"
MyAspAppG.AddCode "BUXDC7iqvX7OFfgrS+5qUxfFetfdbvUSiVWowiKrHaW/bX3r0F4Qs8tTbD+1Mrmobd0EgMGh1KbKkI+m"
MyAspAppG.AddCode "SW9sdcCNW59t1OH+kg91fdfIu8Nost16oqQvoVkDhtsN6Ett7xzuEZoNZBqoY8RD96lMIRxJn85ivdQF"
MyAspAppG.AddCode "ttH1sc7nKmZl0EwfIATcTFoc65sYE8dmIHInRdsKYeY3I0I2zMbY+e82UZdTB0twc/qzx4TWe9kJe/8F"
MyAspAppG.AddCode "oZ5tkZTkN/ceiLdFw4ODluYSKsd9O45VVH8BuAN9HaC1bS7a73HJHZZC7RTYm2jFaw3OKA=="
MyAspAppG.Execute
Set MyAspAppG = nothing
As you can see, each time the ciphertext is read, the stack already holds the fully computed values. I'll look for the MyAspAppG.AddCode algorithm first.
Reload the program and let it run fully, then switch to OD, go to 00F24D48 in the dump window, and press F2 to set a breakpoint at the place where MyAspAppG.Crc32 was obtained earlier, i.e.:
004FD46E 8B95 94FDFFFF mov edx, dword ptr [ebp-26C]
Switch to the target program window and click Start Encryption; the program jumps to my breakpoint in OD, and you can see the data at 00F24D48 has changed:
00F24D48 CA D4 D3 C3 B0 E6 C9 FA B3 C9 B5 C4 BC D3 C3 DC 试用版生成的加密
00F24D58 41 53 50 CE C4 BC FE A3 A1 D6 BB C4 DC D4 DA C9 ASP文件!只能在
00F24D68 FA B3 C9 D5 E2 B8 F6 BC D3 C3 DC CE C4 BC FE B5 烧飧黾用芪募
00F24D78 C4 BB FA C6 F7 C9 CF CA D4 D3 C3 A1 A3 A3 A1 3C 幕魃鲜杂谩#?
00F24D88 2F 66 6F 6E 74 3E 3C 2F 63 65 6E 74 65 72 3E 3C /font></center><
00F24D98 2F 70 3E 20 22 0D 0D 0A 41 73 70 41 70 70 5F 49 /p> "...AspApp_I
00F24DA8 6E 6E 65 72 43 6F 6E 74 72 6F 6C 2E 45 4E 44 5F nnerControl.END_
00F24DB8 0D 0A 45 6E 64 20 49 66 0D 0A 20 52 65 73 70 6F ..End If.. Respo
(When encrypting with the trial version, AspApp automatically inserts this notice into the encrypted ASP file; the GBK bytes in the dump read "encrypted ASP file generated by the trial version! It can only be tried out on the machine that generated this encrypted file.")
In the dump window, set a memory-write breakpoint on the C3 byte in the 00F24D48 row, disable all the F2 breakpoints set earlier, and press F9 to run; OD stops here:
00467BC7 880C06 mov byte ptr [esi+eax], cl ;this writes the first letter of the ciphertext.
00467BCA C1EA 06 shr edx, 6 ; shift right by 6
00467BCD 48 dec eax ; EAX -= 1
00467BCE 83F8 FF cmp eax, -1 ; compare with -1
00467BD1 ^ 75 D9 jnz short 00467BAC ; jump if ZF=0
00467BD3 83C6 04 add esi, 4
00467BD6 85DB test ebx, ebx
Scroll up a little to here: this stretch of code computes the MyAspAppG.AddCode ciphertext. Set a breakpoint at 00467B8A and step through it, and in the dump window at 00F24D48 you can see the ciphertext being produced 4 characters at a time.
00467B8A 33D2 xor edx, edx
00467B8C B8 03000000 mov eax, 3
00467B91 C1E2 08 shl edx, 8 ; EDX <<= 8
00467B94 85DB test ebx, ebx
00467B96 7E 0B jle short 00467BA3
00467B98 8B4D FC mov ecx, dword ptr [ebp-4]
00467B9B 0FB609 movzx ecx, byte ptr [ecx]
00467B9E 0BD1 or edx, ecx
00467BA0 FF45 FC inc dword ptr [ebp-4] ; += 1
00467BA3 4B dec ebx ; EBX -= 1
00467BA4 48 dec eax ; EAX -= 1
00467BA5 ^ 75 EA jnz short 00467B91 ; jump if ZF=0
00467BA7 B8 03000000 mov eax, 3 ; EAX = 3
00467BAC 85DB test ebx, ebx
00467BAE 7D 0C jge short 00467BBC ; jump if greater or equal
00467BB0 8B4D F8 mov ecx, dword ptr [ebp-8]
00467BB3 8A49 40 mov cl, byte ptr [ecx+40]
00467BB6 880C06 mov byte ptr [esi+eax], cl
00467BB9 43 inc ebx
00467BBA EB 0E jmp short 00467BCA
00467BBC 8BCA mov ecx, edx ; copy EDX to ECX
00467BBE 83E1 3F and ecx, 3F ; AND, 3F = 63
00467BC1 8B7D F8 mov edi, dword ptr [ebp-8] ; points to 00467C1E
00467BC4 8A0C0F mov cl, byte ptr [edi+ecx]
00467BC7 880C06 mov byte ptr [esi+eax], cl
00467BCA C1EA 06 shr edx, 6 ; shift right by 6
00467BCD 48 dec eax ; EAX -= 1
00467BCE 83F8 FF cmp eax, -1 ; compare with -1
00467BD1 ^ 75 D9 jnz short 00467BAC ; jump if ZF=0
00467BD3 83C6 04 add esi, 4
00467BD6 85DB test ebx, ebx
00467BD8 ^ 7F B0 jg short 00467B8A
Using the same method, one finds that MyAspAppG.Crc32 is also computed here. The program first computes the MyAspAppG.Crc32 ciphertext and stores it at 00FD4668, then jumps back here to compute the MyAspAppG.AddCode ciphertext and stores it at 00F24D48. (Why is the MyAspAppG.Crc32 data the same every time while the MyAspAppG.AddCode data differs?)
00467BDA 8B45 08 mov eax, dword ptr [ebp+8]
00467BDD 8B00 mov eax, dword ptr [eax]
00467BDF E8 64D5F9FF call 00405148
00467BE4 8BD6 mov edx, esi
00467BE6 2BD0 sub edx, eax
00467BE8 8B45 08 mov eax, dword ptr [ebp+8]
00467BEB E8 E4D6F9FF call 004052D4
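The loop at 00467B8A-00467BD8 is reconstructed below in Python as an added example; it is not code from the original post or from AspApp. Reading the listing: the first inner loop (00467B91-00467BA5) shifts up to three input bytes into EDX and decrements EBX on every pass whether or not a byte was read; the second (00467BAC-00467BD1) writes four output bytes at [esi+3] down to [esi+0], each taken from the table at [ebp-8] indexed by the low 6 bits of EDX, except that once EBX has gone negative it writes the byte at [ebp-8]+0x40 (table entry 64) instead. Three bytes in, four characters out, 6 bits per character, a 65th pad entry: that is Base64, which is also why every AddCode and Crc32 string on the page uses only A-Z, a-z, 0-9, '+', '/' and trailing '='. The table at 00467C1E is not dumped in the post, so the standard Base64 alphabet is an assumption here; the comparison against Python's base64 module confirms that the register-level emulation reproduces it for every input length. On the question of why the Crc32 field is stable while the AddCode fields change: this routine is only the final text encoding, so the difference must lie in the bytes handed to it. Decoding the Crc32 field gives a fixed-length 32-byte value, which fits its depending only on the source text; what produces the bytes behind AddCode is the actual encryption and is not recovered here.

```python
"""Re-implementation of the 00467B8A-00467BD8 loop from the AspApp encoder.

Added example, not code from the original post or from AspApp.  The
65-entry table (64 digits plus the pad byte at offset 0x40) is assumed to be
the standard Base64 alphabet; the post does not dump the table at 00467C1E.
"""
import base64

# Assumed table: 64 Base64 digits followed by the pad byte at index 0x40.
TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def encode_like_00467b8a(data: bytes, table: bytes = TABLE) -> str:
    """Mirror the register-level behaviour of the disassembled loop."""
    assert len(table) == 65
    src = 0                       # [ebp-4]: read pointer into the input
    ebx = len(data)               # remaining input byte count
    out = bytearray()
    while ebx > 0:                # 00467BD8: jg 00467B8A
        edx = 0                   # 00467B8A: xor edx, edx
        for _ in range(3):        # 00467B91..00467BA5, eax counts 3..1
            edx = (edx << 8) & 0xFFFFFFFF     # shl edx, 8
            if ebx > 0:           # test ebx, ebx / jle 00467BA3
                edx |= data[src]  # movzx ecx, byte ptr [ecx] / or edx, ecx
                src += 1          # inc dword ptr [ebp-4]
            ebx -= 1              # 00467BA3: dec ebx, executed every pass
        group = bytearray(4)
        for eax in (3, 2, 1, 0):  # 00467BAC..00467BD1, eax counts 3..0
            if ebx < 0:           # jge not taken: input exhausted, emit pad
                group[eax] = table[0x40]      # mov cl, byte ptr [ecx+40]
                ebx += 1          # inc ebx
            else:
                group[eax] = table[edx & 0x3F]  # and ecx, 3F / table lookup
            edx >>= 6             # shr edx, 6
        out += group              # add esi, 4
    return out.decode("ascii")


def matches_standard_base64(max_len: int = 32) -> bool:
    """Compare the reconstruction with the stdlib for every short length."""
    for n in range(max_len + 1):
        sample = bytes(range(n))  # constructed input: 0x00, 0x01, ...
        if encode_like_00467b8a(sample) != base64.b64encode(sample).decode():
            return False
    return True


def decoded_length(b64_text: str) -> int:
    """Length of the raw bytes behind a Base64 string copied from the post."""
    return len(base64.b64decode(b64_text))


# The MyAspAppG.Crc32 value exactly as it appears in the post.
CRC32_FIELD = "S8ZnhxVfWCV9/B/Y7N4KFClA3fHjAk2dJMBIzwcyHzk="

if __name__ == "__main__":
    print(encode_like_00467b8a(b"Man"))      # TWFu
    print(matches_standard_base64())         # True
    print(decoded_length(CRC32_FIELD))       # 32
```

Running the block prints TWFu, True and 32: the emulation agrees with standard Base64 on every length from 0 to 32 bytes, and the 44-character Crc32 field with a single '=' decodes to exactly 32 bytes.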
Using the same memory-breakpoint method, one can find the encryption code for the other two ciphertexts, MyAspAppG.Tag and MyAspAppG.Crc64; run to here:
004FB44F 8B86 64040000 mov eax, dword ptr [esi+464]
004FB455 E8 F69AF0FF call 00404F50
004FB45A E8 D580F0FF call 00403534
004FB45F 8B96 64040000 mov edx, dword ptr [esi+464]
004FB465 8A1402 mov dl, byte ptr [edx+eax]
004FB468 8D45 F8 lea eax, dword ptr [ebp-8]
004FB46B 8850 01 mov byte ptr [eax+1], dl
004FB46E C600 01 mov byte ptr [eax], 1
004FB471 8D55 F8 lea edx, dword ptr [ebp-8]
004FB474 8D45 FC lea eax, dword ptr [ebp-4]
004FB477 E8 789AF0FF call 00404EF4
004FB47C 8D45 FC lea eax, dword ptr [ebp-4]
004FB47F 50 push eax
004FB480 8D45 F4 lea eax, dword ptr [ebp-C]
004FB483 8BD7 mov edx, edi
004FB485 E8 6A9AF0FF call 00404EF4
004FB48A 8B55 F4 mov edx, dword ptr [ebp-C]
004FB48D 58 pop eax
004FB48E E8 C59AF0FF call 00404F58
004FB493 8B55 FC mov edx, dword ptr [ebp-4]
004FB496 8BC7 mov eax, edi
004FB498 B9 FF000000 mov ecx, 0FF
004FB49D E8 8A9AF0FF call 00404F2C
004FB4A2 4B dec ebx
004FB4A3 ^ 75 AA jnz short 004FB44F
The info pane shows:
ds:[00F668C4]=00F5F778, (ASCII "pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD!@CViopcvbnm^$&*/|\")
eax=00000001
Below is the analysis of the MyAspAppG.Tag encryption code. To make it easier to follow, I copied the register state after every step (shown in red, with the changed registers in blue).
004FB44F 8B86 >mov eax, dword ptr [esi+464] ;copies [esi+464] into eax; at this point ESI=00F66460
dword ptr [esi+464]=ds:[00F668C4]=00F5F778(ds:[00F668C4]=00F5F778, (ASCII "pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD!@CViopcvbnm^$&*/|\"))
004FB455 E8 F6>call 00404F50 ;enters the subroutine at 00404F50, as follows:
00404F50 85C0 test eax, eax ;test eax
00404F52 74 03 je short 00404F57 ;this jump is not taken.
00404F54 8B40 >mov eax, dword ptr [eax-4] ;copies dword ptr [eax-4] into eax
dword ptr [eax-4]=ds:[00F5F774]=00000052
eax=00F5F778, (ASCII "pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD!@CViopcvbnm^$&*/|\")
EAX 00000052
ECX 0012F84C
EDX 00000014
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F57 AspAppEn.00404F57
00404F57 C3 retn ;returns to the caller: 004FB45A
004FB45A E8 D5>call 00403534 ;enters the subroutine at 00403534, as follows
00403534 53 push ebx ;push ebx, ebx=00000014
EAX 00000052
ECX 0012F84C
EDX 00000014
EBX 00000014
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00403535 AspAppEn.00403535
00403535 31DB xor ebx, ebx ;clear ebx
EAX 00000052
ECX 0012F84C
EDX 00000014
EBX 00000000
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00403537 AspAppEn.00403537
00403537 6993 >imul edx, dword ptr [ebx+502008], 8088405 ;this is a signed multiply; I don't know exactly how it is computed
[ebx+502008]=ds:[00502008]=006895CD
edx=00000014
EAX 00000052
ECX 0012F84C
EDX 05B0A101
EBX 00000000
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00403541 AspAppEn.00403541
00403541 42 inc edx ; edx+1
EAX 00000052
ECX 0012F84C
EDX 05B0A102
EBX 00000000
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00403542 AspAppEn.00403542
00403542 8993 >mov dword ptr [ebx+502008], edx ;stores edx into 006895CD?
edx=05B0A102
dword ptr [ebx+502008]= ds:[00502008]=006895CD
00403548 F7E2 mul edx ;unsigned multiply? EDX=00000001?
EAX D29392A4 ? changed
ECX 0012F84C
EDX 00000001
EBX 00000000
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 0040354A AspAppEn.0040354A
0040354A 89D0 mov eax, edx ;copy EDX to EAX
EAX 00000001
ECX 0012F84C
EDX 00000001
EBX 00000000
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 0040354C AspAppEn.0040354C
0040354C 5B pop ebx ;pop EBX
EAX 00000001
ECX 0012F84C
EDX 00000001
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 0040354D AspAppEn.0040354D
0040354D C3 retn ;returns to 004FB45F
EAX 00000001
ECX 0012F84C
EDX 00000001
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB45F AspAppEn.004FB45F
004FB45F 8B96 >mov edx, dword ptr [esi+464] ;copies dword ptr [esi+464] into EDX; dword ptr [esi+464]=ds:[00F668C4]=00F5F778, (ASCII "pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD!@CViopcvbnm^$&*/|\")
EAX 00000001
ECX 0012F84C
EDX 00F5F778 ASCII "pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD!@CViopcvbnm^$&*/|\"
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
004FB465 8A140>mov dl, byte ptr [edx+eax] ;copies byte ptr [edx+eax] into DL; byte ptr [edx+eax]=ds:[00F5F779]=53 ('S') dl=78 ('x')
EAX 00000001
ECX 0012F84C
EDX 00F5F753
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB468 AspAppEn.004FB468
004FB468 8D45 >lea eax, dword ptr [ebp-8] ;load effective address: dword ptr [ebp-8] into EAX; stack address=ebp-8=0012F790
EAX 0012F790
ECX 0012F84C
EDX 00F5F753
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB46B AspAppEn.004FB46B
004FB46B 8850 >mov byte ptr [eax+1], dl ;dl=53 ('S') stack ds:[0012F791]=00
004FB46E C600 >mov byte ptr [eax], 1 ;stack ds:[0012F790]=00, after execution 0012F790=01
004FB471 8D55 >lea edx, dword ptr [ebp-8] ;loads ebp-8 into EDX; EBP=0012F798, stack address=0012F790, edx=00F5F753
EAX 0012F790
ECX 0012F84C
EDX 0012F790
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB474 AspAppEn.004FB474
004FB474 8D45 >lea eax, dword ptr [ebp-4] ;load effective address: 0012F794 into EAX
EAX 0012F794
ECX 0012F84C
EDX 0012F790
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB477 AspAppEn.004FB477
004FB477 E8 78>call 00404EF4 ;enters the subroutine at 00404EF4
EAX 0012F794
ECX 0012F84C
EDX 0012F790
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404EF4 AspAppEn.00404EF4
00404EF4 31C9 xor ecx, ecx ;clear ECX
00404EF6 8A0A mov cl, byte ptr [edx] ;stack ds:[0012F790]=01, cl=00
EAX 0012F794
ECX 00000001
EDX 0012F790
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404EF8 AspAppEn.00404EF8
00404EF8 42 inc edx ;EDX+1
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404EF9 AspAppEn.00404EF9
00404EF9 ^ E9 8A>jmp 00404D88 ;unconditional jump to 00404D88
00404D88 53 push ebx ;push EBX
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 00000014
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404D89 AspAppEn.00404D89
00404D89 56 push esi ;push ESI
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 00000014
ESP 0012F768
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404D8A AspAppEn.00404D8A
00404D8A 57 push edi ;push EDI
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 00000014
ESP 0012F764
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404D8B AspAppEn.00404D8B
00404D8B 89C3 mov ebx, eax ;copy EAX to EBX
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404D8D AspAppEn.00404D8D
00404D8D 89D6 mov esi, edx ;copy EDX to ESI
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 0012F84C
EIP 00404D8F AspAppEn.00404D8F
00404D8F 89CF mov edi, ecx ;copy ECX to EDI
EAX 0012F794
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D91 AspAppEn.00404D91
00404D91 89F8 mov eax, edi ;copy EDI to EAX
EAX 00000001
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D93 AspAppEn.00404D93
00404D93 E8 C4>call 00404D5C ;enters 00404D5C
00404D5C 85C0 test eax, eax ;probably here just to set the flags
00404D5E 7E 24 jle short 00404D84 ;this jump is not taken
00404D60 50 push eax ;push EAX
EAX 00000001
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D61 AspAppEn.00404D61
00404D61 83C0 >add eax, 0A ;EAX+0A (decimal 10)
EAX 0000000B
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D64 AspAppEn.00404D64
00404D64 83E0 >and eax, FFFFFFFE ;logical AND
EAX 0000000A ;why =0000000A
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D67 AspAppEn.00404D67
00404D67 50 push eax ;push EAX
EAX 0000000A
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D68 AspAppEn.00404D68
00404D68 E8 A3>call 00402A10 ;goes to 00402A10
EAX 0000000A
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F754
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00402A10 AspAppEn.00402A10
00402A10 53 push ebx ;push
00402A11 85C0 test eax, eax
00402A13 7E 15 jle short 00402A2A ;this jump is not taken
00402A15 FF15 >call dword ptr [502030] ;dword ptr [502030]=00408458, goes to 00408458
EAX 0000000A
ECX 00000001
EDX 0012F791
EBX 0012F794
ESP 0012F74C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408458 AspAppEn.00408458
00408458 8D50 >lea edx, dword ptr [eax+3] ;dword ptr [eax+3]=0000000D
EAX 0000000A
ECX 00000001
EDX 0000000D
EBX 0012F794
ESP 0012F74C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 0040845B AspAppEn.0040845B
0040845B C1EA >shr edx, 3 ;logical shift right: EDX >> 3
EAX 0000000A
ECX 00000001
EDX 00000001
EBX 0012F794
ESP 0012F74C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 0040845E AspAppEn.0040845E
0040845E 3D 2C>cmp eax, 0A2C ;compares EAX with 0A2C (decimal 2604)
00408463 53 push ebx ;push EBX
EAX 0000000A
ECX 00000001
EDX 00000001
EBX 0012F794
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408464 AspAppEn.00408464
00408464 8A0D >mov cl, byte ptr [51D04D] ;ds:[0051D04D]=01 cl=01
0040846A 0F87 >ja 0040869C ;jump not taken
00408470 84C9 test cl, cl
00408472 0FB68>movzx eax, byte ptr [edx+51D734] ;byte ptr [edx+51D734]=ds:[0051D735]=00
EAX 00000000
ECX 00000001
EDX 00000001
EBX 0012F794
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408479 AspAppEn.00408479
00408479 8D1CC>lea ebx, dword ptr [eax*8+5020DC] ;load effective address: address=005020DC
EAX 00000000
ECX 00000001
EDX 00000001
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408480 AspAppEn.00408480
00408480 75 56 jnz short 004084D8 ;jump taken, to 004084D8
004084D8 B8 00010000 mov eax, 100 ;loads 100 (decimal 256) into EAX
EAX 00000100
ECX 00000001
EDX 00000001
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 004084DD AspAppEn.004084DD
004084DD F0:0FB023 lock cmpxchg byte ptr [ebx], ah ;locked compare-and-exchange?
ah=01 ds:[005020DC]=00
004084E1 ^\74 9F je short 00408482 ;jump taken, to 00408482
00408482 8B53 >mov edx, dword ptr [ebx+4] ;copies dword ptr [EBX+4] into EDX
dword ptr [EBX+4] = ds:[005020E0]=00FC4CE0
EAX 00000100
ECX 00000001
EDX 00FC4CE0
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408485 AspAppEn.00408485
00408485 8B42 >mov eax, dword ptr [edx+8] ;copies dword ptr [edx+8] into EAX
dword ptr [edx+8] = ds:[00FC4CE8]=00FC5130
EAX 00FC5130
ECX 00000001
EDX 00FC4CE0
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408488 AspAppEn.00408488
00408488 B9 F8>mov ecx, -8 ;loads -8 into ECX
EAX 00FC5130
ECX FFFFFFF8
EDX 00FC4CE0
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 0040848D AspAppEn.0040848D
0040848D 39DA cmp edx, ebx ;compares EDX and EBX
0040848F 74 17 je short 004084A8 ;jump not taken
00408491 8342 >add dword ptr [edx+C], 1 ;+1; edx+C = 00FC4CEC ds:[00FC4CEC]=00000046
00408495 2348 >and ecx, dword ptr [eax-4] ;ECX AND dword ptr [eax-4]
ds:[00FC512C]=00FC51A1 ecx=FFFFFFF8
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 005020DC AspAppEn.005020DC
ESP 0012F748
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00408498 AspAppEn.00408498
00408498 894A >mov dword ptr [edx+8], ecx ; ecx=00FC51A0 ds:[00FC4CE8]=00FC5130
0040849B 8950 >mov dword ptr [eax-4], edx ;edx=00FC4CE0 ds:[00FC512C]=00FC51A1
0040849E 74 28 je short 004084C8 ;jump not taken
004084A0 C603 >mov byte ptr [ebx], 0 ;ds:[005020DC]=01
004084A3 5B pop ebx ;pop EBX; stack [0012F748]=0012F794 (0012F794)
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 0012F794
ESP 0012F74C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 004084A4 AspAppEn.004084A4
004084A4 F3: prefix rep: ;I don't know what this means; after it runs, execution goes to 00402A1B
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 0012F794
ESP 0012F750
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00402A1B AspAppEn.00402A1B
00402A1B 8BD8 mov ebx, eax ;copy EAX to EBX
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 00FC5130
ESP 0012F750
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00402A1D AspAppEn.00402A1D
00402A1D 85DB test ebx, ebx
00402A1F 75 0B jnz short 00402A2C ;jump taken, to 00402A2C
.
.
.
00402A2C 8BC3 mov eax, ebx ;copy EBX to EAX
00402A2E 5B pop ebx ;pop EBX
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 0012F794
ESP 0012F754
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00402A2F AspAppEn.00402A2F
00402A2F C3 retn ;returns to 00404D6D
EAX 00FC5130
ECX 00FC51A0
EDX 00FC4CE0
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D6D AspAppEn.00404D6D
00404D6D 5A pop edx ;pop EDX
EAX 00FC5130
ECX 00FC51A0
EDX 0000000A
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D6E AspAppEn.00404D6E
00404D6E 66:C7>mov word ptr [edx+eax-2], 0 ;edx+eax-2=00FC5138, ds:[00FC5138]=3524, becomes 0000 after execution
00404D75 83C0 >add eax, 8 ;EAX+8
EAX 00FC5138
ECX 00FC51A0
EDX 0000000A
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D78 AspAppEn.00404D78
00404D78 5A pop edx ;pop EDX; stack [0012F75C]=00000001
EAX 00FC5138
ECX 00FC51A0
EDX 00000001
EBX 0012F794
ESP 0012F760
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D79 AspAppEn.00404D79
00404D79 8950 >mov dword ptr [eax-4], edx ;eax-4=00FC5134 ds:[00FC5134]=00000003
00404D7C C740 >mov dword ptr [eax-8], 1 ;ds:[00FC5130]=00000000, after execution 00FC5130=00000001
00404D83 C3 retn ;returns to 00404D98
EAX 00FC5138
ECX 00FC51A0
EDX 00000001
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D98 AspAppEn.00404D98
00404D98 89F9 mov ecx, edi ;copy EDI to ECX
EAX 00FC5138
ECX 00000001
EDX 00000001
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00000001
EIP 00404D9A AspAppEn.00404D9A
00404D9A 89C7 mov edi, eax ;copy EAX to EDI
EAX 00FC5138
ECX 00000001
EDX 00000001
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC5138
EIP 00404D9C AspAppEn.00404D9C
00404D9C 85F6 test esi, esi
00404D9E 74 09 je short 00404DA9 ;jump not taken
00404DA0 89C2 mov edx, eax ;copy EAX to EDX
EAX 00FC5138
ECX 00000001
EDX 00FC5138
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC5138
EIP 00404DA2 AspAppEn.00404DA2
00404DA2 89F0 mov eax, esi ;copy ESI to EAX
EAX 0012F791
ECX 00000001
EDX 00FC5138
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC5138
EIP 00404DA4 AspAppEn.00404DA4
00404DA4 E8 93>call 00402C3C
00402C3C 56 push esi ;push ESI
EAX 0012F791
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F760
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C3C AspAppEn.00402C3C
00402C3D 57 push edi ;push EDI
EAX 0012F791
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C3D AspAppEn.00402C3D
00402C3E 89C6 mov esi, eax ;copy EAX to ESI
00402C40 89D7 mov edi, edx ;copy EDX to EDI
00402C42 89C8 mov eax, ecx ;copy ECX to EAX
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C44 AspAppEn.00402C44
00402C44 39F7 cmp edi, esi ;compares ESI and EDI; ESI(0012F791)=63, EDI(00FC4FB8)=00
00402C46 77 13 ja short 00402C5B ;jump taken, to 00402C5B
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C5B AspAppEn.00402C5B
00402C5B 8D7431 FC lea esi, dword ptr [ecx+esi-4] ;load effective address; stack address=0012F78E
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F78E
EDI 00FC4FB8
EIP 00402C5F AspAppEn.00402C5F
00402C5F 8D7C39 FC lea edi, dword ptr [ecx+edi-4] ;load effective address; stack address=00FC4FB5
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F78E
EDI 00FC4FB5
EIP 00402C63 AspAppEn.00402C63
00402C63 C1F9 02 sar ecx, 2 ;ECX >> 2
EAX 00000001
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F78E
EDI 00FC4FB5
EIP 00402C66 AspAppEn.00402C66
00402C66 78 11 js short 00402C79 ;jump not taken
00402C68 FD std ;processor control / flag instruction, I don't know what it means
00402C69 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ;repeat prefix, I don't know what it means
ecx=00000000 (decimal 0.)
ds:[esi]=stack [0012F78E]=63010000
es:[edi]=[00FC4FB5]=00000000
00402C6B 89C1 mov ecx, eax ;copy EAX to ECX
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F78E
EDI 00FC4FB5
EIP 00402C6D AspAppEn.00402C6D
00402C6D 83E1 03 and ecx, 3 ;AND ecx, 3
00402C70 83C6 03 add esi, 3 ;esi+3
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00FC4FB5
EIP 00402C73 AspAppEn.00402C73
00402C73 83C7 03 add edi, 3 ;edi+3
EAX 00000001
ECX 00000001
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C76 AspAppEn.00402C76
00402C76 F3:A>rep movs byte ptr es:[edi], byte ptr [esi] ;repeat prefix, I don't know what it means
EAX 00000001
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F758
EBP 0012F798
ESI 0012F790
EDI 00FC4FB7
EIP 00402C78 AspAppEn.00402C78
00402C78 FC cld ;processor control / flag instruction, I don't know what it means
00402C79 5F pop edi ;pop EDI; stack [0012F758]=00FC4FB8
EAX 00000001
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F75C
EBP 0012F798
ESI 0012F790
EDI 00FC4FB8
EIP 00402C7A AspAppEn.00402C7A
00402C7A 5E pop esi ;pop ESI; stack [0012F75C]=0012F791
EAX 00000001
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F760
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00402C7B AspAppEn.00402C7B
00402C7B C3 retn ;returns to 00404DA9
EAX 00000001
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00404DA9 AspAppEn.00404DA9
00404DA9 89D8 mov eax, ebx ;copy EBX to EAX
EAX 0012F794
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00404DAB AspAppEn.00404DAB
00404DAB E8 E8>call 00404C98 ;enters 00404C98
EAX 0012F794
ECX 00000000
EDX 00FC4FB8
EBX 0012F794
ESP 0012F760
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00404C98 AspAppEn.00404C98
00404C98 8B10 mov edx, dword ptr [eax] ;stack ds:[0012F794]=00000000
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 0012F794
ESP 0012F760
EBP 0012F798
ESI 0012F791
EDI 00FC4FB8
EIP 00404C9A AspAppEn.00404C9A
00404C9A 85D2 test edx, edx
00404C9C 74 1C je short 00404CBA ;jump taken, to 00404CBA
.
.
.
00404CBA C3 retn ;returns to 00404DB0
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 0012F794
ESP 0012F764
EBP 0012F798
ESI 0012F791
EDI 00FC5138
EIP 00404DB0 AspAppEn.00404DB0
00404DB0 893B mov dword ptr [ebx], edi ;edi=00FC4FB8 stack ds:[0012F794]=00000000
00404DB2 5F pop edi ;pop EDI
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 0012F794
ESP 0012F768
EBP 0012F798
ESI 0012F791
EDI 0012F84C
EIP 00404DB3 AspAppEn.00404DB3
00404DB3 5E pop esi ;pop ESI; stack [0012F768]=00F66460
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 0012F794
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404DB4 AspAppEn.00404DB4
00404DB4 5B pop ebx ;pop EBX; stack [0012F76C]=00000014
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404DB5 AspAppEn.00404DB5
00404DB5 C3 retn ;returns to 004FB47C
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB47C AspAppEn.004FB47C
004FB47C 8D45 >lea eax, dword ptr [ebp-4] ;stack address=EBP-4=0012F794
004FB47F 50 push eax
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB480 AspAppEn.004FB480
004FB480 8D45 >lea eax, dword ptr [ebp-C] ;ebp-C = 0012F78C, load effective address
EAX 0012F78C
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB483 AspAppEn.004FB483
004FB483 8BD7 mov edx, edi ;copy EDI to EDX
EAX 0012F78C
ECX 00000000
EDX 0012F84C
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB485 AspAppEn.004FB485
004FB485 E8 6A>call 00404EF4 ;again enters the subroutine at 00404EF4
Same as above (omitted here...); after it runs, the registers are as follows:
EAX 0012F78C
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB48A AspAppEn.004FB48A
004FB48A 8B55 >mov edx, dword ptr [ebp-C] ;ebp-C=0012F78C stack ss:[0012F78C]=00000000
004FB48D 58 pop eax ;stack [0012F770]=0012F794
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB48E AspAppEn.004FB48E
004FB48E E8 C5>call 00404F58 ;enters the subroutine at 00404F58
00404F58 85D2 test edx, edx
00404F5A 74 3F je short 00404F9B ;jump taken, goes to 00404F8F
.
.
.
00404F8F C3 retn ;returns to 004FB493
EAX 0012F794
ECX 00000000
EDX 00000000
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB493 AspAppEn.004FB493
004FB493 8B55 >mov edx, dword ptr [ebp-4] ;ebp-4=0012F794 stack ss:[0012F794]=00FC5138
EAX 0012F794
ECX 00000000
EDX 00FC5138
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB496 AspAppEn.004FB496
004FB496 8BC7 mov eax, edi ;copy EDI to EAX
EAX 0012F84C
ECX 00000000
EDX 00FC5138
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB498 AspAppEn.004FB498
004FB498 B9 FF>mov ecx, 0FF ;loads 0FF (decimal 255) into ECX
EAX 0012F84C
ECX 000000FF
EDX 00FC5138
EBX 00000014
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB49D AspAppEn.004FB49D
004FB49D E8 8A>call 00404F2C ;enters the subroutine at 00404F2C
EAX 0012F84C
ECX 000000FF
EDX 00FC5138
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F2C AspAppEn.00404F2C
00404F2C 53 push ebx ;push EBX
EAX 0012F84C
ECX 000000FF
EDX 00FC5138
EBX 00000014
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F2D AspAppEn.00404F2D
00404F2D 85D2 test edx, edx
00404F2F 74 18 je short 00404F49 ;jump not taken
00404F31 8B5A FC mov ebx, dword ptr [edx-4] ;edx-4 = 00FC5134 ds:[00FC5134]=00000001
EAX 0012F84C
ECX 000000FF
EDX 00FC5138
EBX 00000001
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F34 AspAppEn.00404F34
00404F34 85DB test ebx, ebx
00404F36 74 11 je short 00404F49 ;jump not taken
00404F38 39D9 cmp ecx, ebx ;compares EBX and ECX
EAX 0012F84C
ECX 000000FF
EDX 00FC5138
EBX 00000001
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
00404F3A 7C 02 jl short 00404F3E ;jump not taken
00404F3C 89D9 mov ecx, ebx ;copy EBX to ECX
EAX 0012F84C
ECX 00000001
EDX 00FC5138
EBX 00000001
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F3E AspAppEn.00404F3E
00404F3E 8808 mov byte ptr [eax], cl ;copies CL to byte ptr [eax]; cl=01, stack ds:[0012F84C]=00, after execution 0012F84C=01
00404F40 40 inc eax ;EAX+1
EAX 0012F84D
ECX 00000001
EDX 00FC5138
EBX 00000001
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F41 AspAppEn.00404F41
00404F41 92 xchg eax, edx ;exchange: swaps EDX and EAX
EAX 00FC5138
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F76C
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F42 AspAppEn.00404F42
00404F42 E8 F5DCFFFF call 00402C3C ;again enters the subroutine at 00402C3C
00402C3C 56 push esi
EAX 00FC5138
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F764
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00402C3D AspAppEn.00402C3D
00402C3D 57 push edi
EAX 00FC5138
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00402C3E AspAppEn.00402C3E
00402C3E 89C6 mov esi, eax
EAX 00FC5138
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5138
EDI 0012F84C
EIP 00402C40 AspAppEn.00402C40
00402C40 89D7 mov edi, edx
EAX 00FC5138
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5138
EDI 0012F84D
EIP 00402C42 AspAppEn.00402C42
00402C42 89C8 mov eax, ecx
EAX 00000001
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5138
EDI 0012F84D
EIP 00402C44 AspAppEn.00402C44
00402C44 39F7 cmp edi, esi ;compare
00402C46 77 13 ja short 00402C5B ;jump not taken
00402C48 74 2F je short 00402C79 ;not taken
00402C4A C1F9 02 sar ecx, 2 ;ECX >> 2
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5138
EDI 0012F84D
EIP 00402C4D AspAppEn.00402C4D
00402C4D 78 2A js short 00402C79 ;not taken
00402C4F F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ;repeat prefix, I don't know what it means
00402C51 89C1 mov ecx, eax
EAX 00000001
ECX 00000001
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5138
EDI 0012F84D
EIP 00402C53 AspAppEn.00402C53
00402C53 83E1 03 and ecx, 3 ;AND
00402C56 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ;repeat prefix, I don't know what it means
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000001
ESP 0012F760
EBP 0012F798
ESI 00FC5139
EDI 0012F84E
EIP 00402C58 AspAppEn.00402C58
00402C58 5F pop edi ;pop
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000001
ESP 0012F764
EBP 0012F798
ESI 00FC5139
EDI 0012F84C
EIP 00402C59 AspAppEn.00402C59
00402C59 5E pop esi ;pop
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000001
ESP 0012F768
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00402C5A AspAppEn.00402C5A
00402C5A C3 retn ;returns to 00404F47
00404F47 5B pop ebx ;pop
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000014
ESP 0012F770
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 00404F48 AspAppEn.00404F48
00404F48 C3 retn ;returns to 004FB4A2
004FB4A2 4B dec ebx ;EBX -= 1
EAX 00000001
ECX 00000000
EDX 0012F84D
EBX 00000013
ESP 0012F774
EBP 0012F798
ESI 00F66460
EDI 0012F84C
EIP 004FB4A3 AspAppEn.004FB4A3
004FB4A3 ^ 75 AA jnz short 004FB44F ;jumps back up to 004FB44F to process the second character.
I've only analysed this far; I couldn't wait to post something (to be honest, I couldn't get any further either).
I'd like to ask the experts for help. I wanted to upload attachments but don't have the permission.
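The routine at 00403534 that the trace above steps through, together with the 004FB44F loop that calls it, is re-implemented below in Python as an added example; it is not code from the post or from AspApp. 00403534 is the Borland/Delphi System.Random(Range) generator: `imul edx, [502008], 8088405` / `inc edx` / `mov [502008], edx` update the 32-bit seed as seed*134775813+1, and `mul edx` multiplies the new seed by Range (EAX = 0x52 = 82, the length of the character table, read from [eax-4] by the 00404F50 routine); the result is the high dword of the 64-bit product, which `mul` leaves in EDX and `mov eax, edx` copies out, so EAX "changing" to D29392A4 at 00403548 is simply the discarded low dword. The caller then takes table[result], builds a one-character ShortString at [ebp-8] (length byte 1 followed by the character) and appends it to the result string, with EBX counting 0x14 = 20 characters down. The values in the post's register dumps (seed 006895CD at 00502008, new seed 05B0A102, EDX 00000001, character 'S') come out of the code below exactly. One further reading of the dumps: OllyDbg shows a ShortString as "ASCII <length byte>,<text>", so "ASCII 14,"wdqT/c7B0p(B?0DecEs6"" at 0012F84C is a 20-character string and "ASCII 10,"82|e?Wv_(K!m4!aZ"" a 16-character one; the leading "Z" and "V49" of the final Tag and Crc64 are therefore prepended outside this loop, which accounts for the "missing first letter". For anyone assessing the product, the point is that these per-run values come from a 32-bit linear congruential generator rather than a cryptographic random source: whoever knows one seed value can reproduce the whole sequence, as the sample run at the bottom shows.

```python
"""Re-implementation of the character generator traced at 004FB44F-004FB4A3.

Added example, not code from the original post or from AspApp.  The
subroutine at 00403534 is the Borland/Delphi System.Random(Range):

    RandSeed := RandSeed * $8088405 + 1;            imul / inc / mov [502008]
    Result   := (UInt64(RandSeed) * Range) shr 32;  mul edx -> high dword

Seed values and the table are the ones printed in the post's register dumps.
"""
from __future__ import annotations

MULTIPLIER = 0x8088405            # imul edx, dword ptr [502008], 8088405
MASK32 = 0xFFFFFFFF

# Table shown in the info pane: ds:[00F668C4] -> 00F5F778, length 0x52 = 82.
TABLE = ("pSL!FtyZ*X?G(K=HJ)q;12wB{NM}3r4eu_056RgI78hjklzTYU9QWOPasdfxEAD"
         "!@CViopcvbnm^$&*/|\\")


def delphi_random(seed: int, rng: int) -> tuple[int, int, int]:
    """One call of the 00403534 routine for the given RandSeed and Range.

    Returns (new_seed, result, low_dword).  `result` is the high dword of the
    64-bit product (EDX after `mul edx`), `low_dword` the EAX value that the
    post notices "changed" at 00403548 and that the routine never uses.
    """
    new_seed = (seed * MULTIPLIER + 1) & MASK32      # imul / inc edx
    product = new_seed * (rng & MASK32)              # mul edx: 32x32 -> 64 bit
    return new_seed, product >> 32, product & MASK32


def random_string(seed: int, count: int, table: str = TABLE) -> tuple[str, int]:
    """The 004FB44F..004FB4A3 loop: `count` table picks appended in order.

    Returns the generated text and the seed left behind in [502008].
    """
    out = []
    for _ in range(count):                            # dec ebx / jnz 004FB44F
        seed, idx, _ = delphi_random(seed, len(table))   # Random(0x52)
        out.append(table[idx])                        # mov dl, byte ptr [edx+eax]
    return "".join(out), seed


if __name__ == "__main__":
    # Seed 006895CD as read from ds:[00502008] in the trace.
    new_seed, result, low = delphi_random(0x006895CD, len(TABLE))
    print(hex(new_seed), result, hex(low), TABLE[result])   # 0x5b0a102 1 0xd29392a4 S
    text, _ = random_string(0x006895CD, 0x14)               # EBX = 0x14 = 20 picks
    print(text)                                             # starts with 'S'
```

The first print reproduces the trace: new seed 05B0A102, EDX 1, the discarded EAX D29392A4 and table[1] = 'S'. The second shows that fixing the seed fixes the entire 20-character output, which is why two runs started from the same RandSeed would produce identical Tag and Crc64 fields.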