有一个DLL文件有三小时时间限制。时间一到,就自动退出程序,现在已经把那个dll文件脱好壳了。请问一下有哪位有空的大大能说明一下呢。http://ceety.gbaopan.com/files/8513e7a0b8df454aa3576fe69b060118.gbp 文件在这边。哪位大大能帮个忙。
10001000 >/$ 55 push ebp
10001001 |. 8BEC mov ebp, esp
10001003 |. 837D 0C 01 cmp dword ptr [ebp+C], 1
10001007 |. 75 09 jnz short 10001012
10001009 |. B8 01000000 mov eax, 1
1000100E |. C9 leave
1000100F |. C2 0C00 retn 0C
10001012 |> 837D 0C 00 cmp dword ptr [ebp+C], 0
10001016 |. 75 38 jnz short 10001050
10001018 |. 833D 04300010>cmp dword ptr [10003004], 0
1000101F |. 74 06 je short 10001027
10001021 |. FF15 04300010 call dword ptr [10003004]
10001027 |> 833D 08300010>cmp dword ptr [10003008], 0
1000102E |. 74 0C je short 1000103C
10001030 |. FF35 00300010 push dword ptr [10003000]
10001036 |. FF15 08300010 call dword ptr [10003008]
1000103C |> 833D 0C300010>cmp dword ptr [1000300C], 0
10001043 |. 74 0B je short 10001050
10001045 |. FF35 0C300010 push dword ptr [1000300C] ; /hLibModule = NULL
1000104B |. E8 78020000 call <jmp.&KERNEL32.FreeLibrary> ; \FreeLibrary
10001050 |> C9 leave
10001051 \. C2 0C00 retn 0C
10001054 10 db 10
10001055 . 325486 83 xor dl, byte ptr [esi+eax*4-7D]
10001059 . 3D 10300010 cmp eax, 10003010
1000105E . 0075 07 add byte ptr [ebp+7], dh
10001061 . 60 pushad
10001062 . E8 09000000 call 10001070
10001067 . 61 popad
10001068 . 0305 10300010 add eax, dword ptr [10003010]
1000106E . FFE0 jmp eax
10001070 /$ 55 push ebp
10001071 |. 8BEC mov ebp, esp
10001073 |. 81C4 F4FEFFFF add esp, -10C
10001079 |. E9 BE000000 jmp 1000113C
1000107E |. 52 75 6E 73 2>ascii "Runs.dll",0
10001087 | 00 db 00
10001088 |. 52 75 6E 73 2>ascii "Runs.dll",0
10001091 | 00 db 00
10001092 |. 47 65 74 4E 6>ascii "GetNewSock",0
1000109D |. 73 6F 66 74 7>ascii "software\Y_GUA",0
100010AC |. 5C 45 5C 49 6>ascii "\E\Install",0
100010B7 |. 50 61 74 68 0>ascii "Path",0
100010BC |. 4E 6F 74 20 6>ascii "Not found the ke"
100010CC |. 72 6E 65 6C 2>ascii "rnel library or "
100010DC |. 74 68 65 20 6>ascii "the kernel libra"
100010EC |. 72 79 20 69 7>ascii "ry is invalid!",0
100010FB |. 45 72 72 6F 7>ascii "Error",0
10001101 |. 6B 65 72 6E 6>ascii "kernel library o"
10001111 |. 66 20 74 68 6>ascii "f this edition d"
10001121 |. 6F 65 73 20 6>ascii "oes not support "
10001131 |. 44 4C 4C 21 0>ascii "DLL!",0
10001136 |. 45 72 72 6F 7>ascii "Error",0
1000113C |> 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
10001142 |. 50 push eax
10001143 |. E8 A0010000 call 100012E8
10001148 |. 68 7E100010 push 1000107E ; /StringToAdd = "Runs.dll"
1000114D |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
10001153 |. 50 push eax ; |ConcatString
10001154 |. E8 81010000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
10001159 |. 50 push eax ; /FileName
1000115A |. E8 75010000 call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
1000115F |. 85C0 test eax, eax
10001161 |. 0F85 A2000000 jnz 10001209
10001167 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
1000116D |. 50 push eax ; /pHandle
1000116E |. 68 19000200 push 20019 ; |Access = KEY_READ
10001173 |. 6A 00 push 0 ; |Reserved = 0
10001175 |. 68 9D100010 push 1000109D ; |Subkey = "software\Y_GUA"
1000117A |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
1000117F |. E8 92010000 call <jmp.&ADVAPI32.RegOpenKeyExA> ; \RegOpenKeyExA
10001184 |. 83F8 00 cmp eax, 0
10001187 |. 0F85 E1000000 jnz 1000126E
1000118D |. C785 F4FEFFFF>mov dword ptr [ebp-10C], 103
10001197 |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
1000119D |. 50 push eax ; /pBufSize
1000119E |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
100011A4 |. 50 push eax ; |Buffer
100011A5 |. 6A 00 push 0 ; |pValueType = NULL
100011A7 |. 6A 00 push 0 ; |Reserved = NULL
100011A9 |. 68 B7100010 push 100010B7 ; |ValueName = "Path"
100011AE |. FFB5 F8FEFFFF push dword ptr [ebp-108] ; |hKey
100011B4 |. E8 63010000 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
100011B9 |. 50 push eax
100011BA |. FFB5 F8FEFFFF push dword ptr [ebp-108] ; /hKey
100011C0 |. E8 4B010000 call <jmp.&ADVAPI32.RegCloseKey> ; \RegCloseKey
100011C5 |. 58 pop eax
100011C6 |. 83F8 00 cmp eax, 0
100011C9 |. 0F85 9F000000 jnz 1000126E
100011CF |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
100011D5 |. 50 push eax ; /String
100011D6 |. E8 05010000 call <jmp.&KERNEL32.lstrlenA> ; \lstrlenA
100011DB |. 8D9D FCFEFFFF lea ebx, dword ptr [ebp-104]
100011E1 |. 03D8 add ebx, eax
100011E3 |. 4B dec ebx
100011E4 |. 803B 5C cmp byte ptr [ebx], 5C
100011E7 |. 74 05 je short 100011EE
100011E9 |. 66:C703 5C00 mov word ptr [ebx], 5C
100011EE |> 68 88100010 push 10001088 ; /StringToAdd = "Runs.dll"
100011F3 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
100011F9 |. 50 push eax ; |ConcatString
100011FA |. E8 DB000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
100011FF |. 50 push eax ; /FileName
10001200 |. E8 CF000000 call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
10001205 |. 85C0 test eax, eax
10001207 |. 74 65 je short 1000126E
10001209 |> A3 0C300010 mov dword ptr [1000300C], eax
1000120E |. 68 92100010 push 10001092 ; /ProcNameOrOrdinal = "GetNewSock"
10001213 |. 50 push eax ; |hModule
10001214 |. E8 B5000000 call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
10001219 |. 85C0 test eax, eax
1000121B |. 74 46 je short 10001263
1000121D |. 50 push eax
1000121E |. 68 EA030000 push 3EA
10001223 |. FFD0 call eax
10001225 |. 5A pop edx
10001226 |. 85C0 test eax, eax
10001228 |. 74 39 je short 10001263
1000122A |. A3 08300010 mov dword ptr [10003008], eax
1000122F |. 68 EB030000 push 3EB
10001234 |. BB 00300010 mov ebx, 10003000
10001239 |. FFD2 call edx
1000123B |. 85C0 test eax, eax
1000123D |. 74 24 je short 10001263
1000123F |. 8915 00300010 mov dword ptr [10003000], edx
10001245 |. E8 00000000 call 1000124A
1000124A |$ 810424 B63D00>add dword ptr [esp], 3DB6
10001251 |. FFD0 call eax
10001253 |. A3 04300010 mov dword ptr [10003004], eax
10001258 |. 83EC 04 sub esp, 4
1000125B |. 8F05 10300010 pop dword ptr [10003010]
10001261 |. C9 leave
10001262 |. C3 retn
10001263 |> FF35 0C300010 push dword ptr [1000300C] ; /hLibModule = NULL
10001269 |. E8 5A000000 call <jmp.&KERNEL32.FreeLibrary> ; \FreeLibrary
1000126E |> C705 0C300010>mov dword ptr [1000300C], 0
10001278 |. C705 00300010>mov dword ptr [10003000], -1
10001282 |. C705 10300010>mov dword ptr [10003010], 0
1000128C |. C705 04300010>mov dword ptr [10003004], 0
10001296 |. C705 08300010>mov dword ptr [10003008], 0
100012A0 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
100012A2 |. 68 36110010 push 10001136 ; |Title = "Error"
100012A7 |. 68 BC100010 push 100010BC ; |Text = "Not found the kernel library or the kernel library is invalid!"
100012AC |. 6A 00 push 0 ; |hOwner = NULL
100012AE |. E8 09000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
100012B3 |. 6A FF push -1 ; /ExitCode = FFFFFFFF
100012B5 \. E8 08000000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
100012BA . C9 leave
100012BB . C3 retn
100012BC $- FF25 30200010 jmp dword ptr [<&USER32.MessageBoxA>>; USER32.MessageBoxA
100012C2 .- FF25 1C200010 jmp dword ptr [<&KERNEL32.ExitProces>; kernel32.ExitProcess
100012C8 $- FF25 10200010 jmp dword ptr [<&KERNEL32.FreeLibrar>; kernel32.FreeLibrary
100012CE $- FF25 24200010 jmp dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
100012D4 $- FF25 20200010 jmp dword ptr [<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
100012DA $- FF25 14200010 jmp dword ptr [<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
100012E0 $- FF25 28200010 jmp dword ptr [<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
100012E6 CC int3
100012E7 CC int3
100012E8 /$ 55 push ebp
100012E9 |. 8BEC mov ebp, esp
100012EB |. 68 80000000 push 80 ; /BufSize = 80 (128.)
100012F0 |. FF75 08 push dword ptr [ebp+8] ; |PathBuffer
100012F3 |. 6A 00 push 0 ; |hModule = NULL
100012F5 |. E8 28000000 call <jmp.&KERNEL32.GetModuleFileName>; \GetModuleFileNameA
100012FA |. 8B4D 08 mov ecx, dword ptr [ebp+8]
100012FD |. 8D4C08 FA lea ecx, dword ptr [eax+ecx-6]
10001301 |> 8A01 mov al, byte ptr [ecx]
10001303 |. 49 dec ecx
10001304 |. 3C 5C cmp al, 5C
10001306 |.^ 75 F9 jnz short 10001301
10001308 |. C641 02 00 mov byte ptr [ecx+2], 0
1000130C |. C9 leave
1000130D \. C2 0400 retn 4
10001310 $- FF25 04200010 jmp dword ptr [<&ADVAPI32.RegCloseKe>; ADVAPI32.RegCloseKey
10001316 $- FF25 08200010 jmp dword ptr [<&ADVAPI32.RegOpenKey>; ADVAPI32.RegOpenKeyExA
1000131C $- FF25 00200010 jmp dword ptr [<&ADVAPI32.RegQueryVa>; ADVAPI32.RegQueryValueExA
10001322 $- FF25 18200010 jmp dword ptr [<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
10001328 00 db 00
10001329 00 db 00
1000132A 00 db 00
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)