[求助]帮忙分析这段代码 Rockey
发表于: 2008-10-21 14:47 2887
初学破解，不知道从何下手，代码如下，请高手指点。
;-----------------------------------------------------------------------
; sub_425360 -- dongle driver access entry (x86-32, Intel syntax, OllyDbg dump)
; Convention: cdecl (plain retn; the caller removes the 9 arguments).
; Stack offsets below are relative to esp AFTER the four register pushes:
;   arg1 [esp+290] : function code; only its low WORD is used (kept in si)
;   arg2..arg9 [esp+294 .. esp+2B0] : eight dwords, copied verbatim into a
;                                     local 9-dword block at [esp+20 .. esp+40]
; Return value is the 16-bit ax only (every return path writes ax, never eax):
;   8      arg1 == 0
;   0FFFF  OpenSCManagerA, StartServiceA, the re-open of the device, or
;          DeviceIoControl failed
;   2      rockeynt.sys not found in the current directory (NT) / VxD not
;          loadable (9x)
;   else   the word at [esp+12]: zeroed at entry, used as the 2-byte ioctl
;          output buffer, so the driver decides the value
; Global [47CE18] : cached device handle (0 = not opened yet); no locking is
;                   visible in this listing.
; Locals : [esp+12] status word, [esp+14] "ROCKEYNT" (service + display name),
;          [esp+44] bytes-returned, [esp+48] 0x28-byte ioctl input, [esp+70]
;          SERVICE_STATUS, [esp+8C] system-dir path, [esp+18C] current-dir path
; Regs   : ebx = hSCManager, ebp = hService (also reused as a temp fn pointer),
;          edi = CreateFileA, si = function code
; Shape matches the Rockey4 SDK's Rockey(function, ...) entry -- TODO confirm.
; NOTE(review): when the device is absent on NT, this routine copies
;   rockeynt.sys from the *current directory* into <system dir>\drivers and
;   registers it as an auto-start kernel driver; CopyFileA's result and the
;   CreateServiceA handle are neither checked nor closed. Whoever can write
;   the CWD therefore decides which driver binary reaches the kernel -- record
;   this when auditing the host program.
;-----------------------------------------------------------------------
00425360 /$ 81EC 7C020000 sub esp, 27C ; 636-byte frame
00425366 |. B9 78CE4700 mov ecx, 0047CE78 ; ASCII "ROCKEYNT" -- copied byte-exact into the local at edx below
0042536B |. 66:C74424 02 >mov word ptr [esp+2], 0 ; status word := 0
00425372 |. 8D5424 04 lea edx, dword ptr [esp+4] ; edx = local name buffer
; save callee-saved ebx/esi/edi/ebp; the compiler interleaved the 9-byte string copy
00425376 |. 53 push ebx
00425377 |. 56 push esi
00425378 |. 8B01 mov eax, dword ptr [ecx] ; "ROCK"
0042537A |. 57 push edi
0042537B |. 8B59 04 mov ebx, dword ptr [ecx+4] ; "EYNT"
0042537E |. 55 push ebp
0042537F |. 8902 mov dword ptr [edx], eax
00425381 |. 66:8BB424 900>mov si, word ptr [esp+290] ; si = low word of arg1 (function code)
00425389 |. 8A49 08 mov cl, byte ptr [ecx+8] ; terminating NUL
0042538C |. 66:85F6 test si, si ; flags survive the two stores below
0042538F |. 895A 04 mov dword ptr [edx+4], ebx
00425392 |. 884A 08 mov byte ptr [edx+8], cl ; local "ROCKEYNT\0" complete
00425395 |. 75 0F jnz short 004253A6 ; function code given -> continue
00425397 |. 66:B8 0800 mov ax, 8 ; return 8: function code was 0
; common epilogue shape (repeated at every return below): restore regs, drop frame
0042539B |. 5D pop ebp
0042539C |. 5F pop edi
0042539D |. 5E pop esi
0042539E |. 5B pop ebx
0042539F |. 81C4 7C020000 add esp, 27C
004253A5 |. C3 retn
004253A6 |> 833D 18CE4700>cmp dword ptr [47CE18], 0 ; device handle already cached?
004253AD |. 0F85 4F020000 jnz 00425602 ; yes -> straight to the ioctl
004253B3 |. FF15 1C434600 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion -- picks the NT or 9x driver model
; the six trailing CreateFileA arguments are pushed before the OS branch; each path adds its own file name
004253B9 |. 6A 00 push 0 ; /hTemplateFile = NULL
004253BB |. 3D 00000080 cmp eax, 80000000 ; | high bit set => Win9x; the pushes below do not touch flags
004253C0 |. 68 80000000 push 80 ; |Attributes = NORMAL
004253C5 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004253C7 |. 6A 00 push 0 ; |pSecurity = NULL
004253C9 |. 6A 00 push 0 ; |ShareMode = 0
004253CB |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004253D0 |. 0F83 D0010000 jnb 004255A6 ; | -> Win9x / VxD path
; --- NT path: open the driver's device object ---
004253D6 |. 68 68CE4700 push 0047CE68 ; |FileName = "\\.\ROCKEYNT"
004253DB |. 8B3D 80434600 mov edi, dword ptr [<&KERNEL32.Creat>; |kernel32.CreateFileA (edi kept for the later re-open)
004253E1 |. FFD7 call edi ; \CreateFileA
004253E3 |. A3 18CE4700 mov dword ptr [47CE18], eax ; cache the handle (stored even when it is -1)
004253E8 |. 83F8 FF cmp eax, -1 ; INVALID_HANDLE_VALUE?
004253EB |. 0F85 11020000 jnz 00425602 ; device opened -> ioctl
; device absent: (re)install the kernel-mode driver service
004253F1 |. 68 3F000F00 push 0F003F ; SC_MANAGER_ALL_ACCESS
004253F6 |. 6A 00 push 0 ; lpDatabaseName = NULL
004253F8 |. 6A 00 push 0 ; lpMachineName = NULL
004253FA |. FF15 40404600 call dword ptr [<&ADVAPI32.OpenSCMana>; ADVAPI32.OpenSCManagerA
00425400 |. 8BD8 mov ebx, eax ; ebx = hSCManager
00425402 |. 85DB test ebx, ebx
00425404 |. 75 0F jnz short 00425415
00425406 |. 66:B8 FFFF mov ax, 0FFFF ; return 0FFFF: SCM not reachable (typically needs admin rights)
0042540A |. 5D pop ebp
0042540B |. 5F pop edi
0042540C |. 5E pop esi
0042540D |. 5B pop ebx
0042540E |. 81C4 7C020000 add esp, 27C
00425414 |. C3 retn
; build "<system dir>\drivers\rockeynt.sys" in [esp+8C]
00425415 |> 8D8424 8C0000>lea eax, dword ptr [esp+8C]
0042541C |. 68 00010000 push 100 ; /BufSize = 100 (256.)
00425421 |. 50 push eax ; |Buffer
00425422 |. 8B2D 20434600 mov ebp, dword ptr [<&KERNEL32.GetSy>; |kernel32.GetSystemDirectoryA
00425428 |. FFD5 call ebp ; \GetSystemDirectoryA
0042542A |. 8D8C24 8C0000>lea ecx, dword ptr [esp+8C]
00425431 |. 68 50CE4700 push 0047CE50 ; ASCII "\drivers\rockeynt.sys"
00425436 |. 51 push ecx
00425437 |. E8 24FDFFFF call 00425160 ; sub_425160(buf, suffix): cdecl, 2 args -- presumably a strcat-like append, verify at 00425160
0042543C |. 8D8424 940000>lea eax, dword ptr [esp+94] ; same buffer, addressed before the 8 arg bytes are dropped
00425443 |. 83C4 08 add esp, 8
00425446 |. 8B2D F4434600 mov ebp, dword ptr [<&KERNEL32.GetFi>; kernel32.GetFileAttributesA (ebp reused as a fn pointer)
0042544C |. 50 push eax ; /FileName
0042544D |. FFD5 call ebp ; \GetFileAttributesA
0042544F |. 83F8 FF cmp eax, -1 ; INVALID_FILE_ATTRIBUTES?
00425452 |. 74 39 je short 0042548D ; driver file not installed -> fetch it from the current directory
; driver file present: stop and delete any existing ROCKEYNT service, then re-create it below
00425454 |. 8D4424 14 lea eax, dword ptr [esp+14] ; "ROCKEYNT"
00425458 |. 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS
0042545D |. 50 push eax ; ServiceName
0042545E |. 53 push ebx ; hSCManager
0042545F |. FF15 18404600 call dword ptr [<&ADVAPI32.OpenServic>; ADVAPI32.OpenServiceA
00425465 |. 8BE8 mov ebp, eax ; ebp = hService
00425467 |. 85ED test ebp, ebp
00425469 |. 0F84 85000000 je 004254F4 ; no such service -> create it
0042546F |. 8D4424 70 lea eax, dword ptr [esp+70] ; SERVICE_STATUS out-buffer
00425473 |. 50 push eax
00425474 |. 6A 01 push 1 ; SERVICE_CONTROL_STOP
00425476 |. 55 push ebp
00425477 |. FF15 44404600 call dword ptr [<&ADVAPI32.ControlSer>; ADVAPI32.ControlService -- result ignored
0042547D |. 55 push ebp
0042547E |. FF15 48404600 call dword ptr [<&ADVAPI32.DeleteServ>; ADVAPI32.DeleteService -- result ignored
00425484 |. 55 push ebp
00425485 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle
0042548B |. EB 67 jmp short 004254F4
; driver file missing: build "<current dir>\rockeynt.sys" in [esp+18C]
0042548D |> 8D8424 8C0100>lea eax, dword ptr [esp+18C]
00425494 |. 50 push eax ; /Buffer
00425495 |. 68 00010000 push 100 ; |BufSize = 100 (256.)
0042549A |. FF15 94434600 call dword ptr [<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA
004254A0 |. 8D8C24 8C0100>lea ecx, dword ptr [esp+18C]
004254A7 |. 68 40CE4700 push 0047CE40 ; ASCII "\rockeynt.sys"
004254AC |. 51 push ecx
004254AD |. E8 AEFCFFFF call 00425160 ; same append helper as above
004254B2 |. 8D8C24 940100>lea ecx, dword ptr [esp+194] ; same buffer, addressed before the 8 arg bytes are dropped
004254B9 |. 83C4 08 add esp, 8
004254BC |. 51 push ecx
004254BD |. FFD5 call ebp ; ebp is still GetFileAttributesA
004254BF |. 83F8 FF cmp eax, -1
004254C2 |. 75 16 jnz short 004254DA ; found -> copy it into the system directory
004254C4 |. 53 push ebx
004254C5 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hSCManager)
004254CB |. 66:B8 0200 mov ax, 2 ; return 2: no rockeynt.sys available to install
004254CF |. 5D pop ebp
004254D0 |. 5F pop edi
004254D1 |. 5E pop esi
004254D2 |. 5B pop ebx
004254D3 |. 81C4 7C020000 add esp, 27C
004254D9 |. C3 retn
; CopyFileA(<cwd>\rockeynt.sys -> <system dir>\drivers\rockeynt.sys); the return value is ignored
; NOTE(review): the source is whatever rockeynt.sys sits in the current directory; no
;   signature or path validation is visible here before it is registered as a kernel driver
004254DA |> 8D8424 8C0000>lea eax, dword ptr [esp+8C]
004254E1 |. 6A 00 push 0 ; /FailIfExists = FALSE
004254E3 |. 8D8C24 900100>lea ecx, dword ptr [esp+190] ; | <cwd> path ([esp+18C] before the push)
004254EA |. 50 push eax ; |NewFileName
004254EB |. 51 push ecx ; |ExistingFileName
004254EC |. 8B2D D8434600 mov ebp, dword ptr [<&KERNEL32.CopyF>; |kernel32.CopyFileA
004254F2 |. FFD5 call ebp ; \CopyFileA
; CreateServiceA("ROCKEYNT", SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, BinaryPath = <system dir>\drivers\rockeynt.sys)
; the returned SC_HANDLE is neither checked nor closed (handle leak); the service is re-opened by name instead
004254F4 |> 8D8424 8C0000>lea eax, dword ptr [esp+8C] ; BinaryPathName
004254FB |. 6A 00 push 0 ; /Password = NULL
004254FD |. 6A 00 push 0 ; |ServiceStartName = NULL
004254FF |. 6A 00 push 0 ; |pDependencies = NULL
00425501 |. 6A 00 push 0 ; |pTagId = NULL
00425503 |. 6A 00 push 0 ; |LoadOrderGroup = NULL
00425505 |. 8D4C24 28 lea ecx, dword ptr [esp+28] ; | "ROCKEYNT" ([esp+14] before the 5 pushes)
00425509 |. 50 push eax ; |BinaryPathName
0042550A |. 6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
0042550C |. 6A 02 push 2 ; |StartType = SERVICE_AUTO_START
0042550E |. 6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER
00425510 |. 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
00425515 |. 51 push ecx ; |DisplayName
00425516 |. 8D4C24 40 lea ecx, dword ptr [esp+40] ; | "ROCKEYNT" ([esp+14] before the 11 pushes)
0042551A |. 51 push ecx ; |ServiceName
0042551B |. 53 push ebx ; |hManager
0042551C |. FF15 4C404600 call dword ptr [<&ADVAPI32.CreateServ>; \CreateServiceA -- eax overwritten below without a check
; re-open the service by name (covers both the just-created and the pre-existing case)
00425522 |. 8D4C24 14 lea ecx, dword ptr [esp+14] ; "ROCKEYNT"
00425526 |. 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS
0042552B |. 51 push ecx ; ServiceName
0042552C |. 53 push ebx ; hSCManager
0042552D |. FF15 18404600 call dword ptr [<&ADVAPI32.OpenServic>; ADVAPI32.OpenServiceA
00425533 |. 8BE8 mov ebp, eax ; ebp = hService -- NOT checked for NULL before use
00425535 |. 6A 00 push 0 ; lpServiceArgVectors = NULL
00425537 |. 6A 00 push 0 ; dwNumServiceArgs = 0
00425539 |. 55 push ebp
0042553A |. FF15 14404600 call dword ptr [<&ADVAPI32.StartServi>; ADVAPI32.StartServiceA
00425540 |. 85C0 test eax, eax
00425542 |. 75 07 jnz short 0042554B
00425544 |. 66:C74424 12 >mov word ptr [esp+12], 0FFFF ; start failed -> status := 0FFFF (handles are still closed below)
0042554B |> 55 push ebp
0042554C |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hService)
00425552 |. 53 push ebx
00425553 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hSCManager)
00425559 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms -- fixed wait, presumably for the driver to create its device object
0042555E |. FF15 C8434600 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
; second attempt to open \\.\ROCKEYNT with the same seven arguments as above (edi = CreateFileA)
00425564 |. 6A 00 push 0 ; hTemplateFile = NULL
00425566 |. 68 80000000 push 80 ; FILE_ATTRIBUTE_NORMAL
0042556B |. 6A 03 push 3 ; OPEN_EXISTING
0042556D |. 6A 00 push 0 ; pSecurity = NULL
0042556F |. 6A 00 push 0 ; ShareMode = 0
00425571 |. 68 000000C0 push C0000000 ; GENERIC_READ|GENERIC_WRITE
00425576 |. 68 68CE4700 push 0047CE68 ; ASCII "\\.\ROCKEYNT"
0042557B |. FFD7 call edi ; CreateFileA
0042557D |. A3 18CE4700 mov dword ptr [47CE18], eax ; re-cache the handle
00425582 |. 83F8 FF cmp eax, -1
00425585 |. 75 07 jnz short 0042558E
00425587 |. 66:C74424 12 >mov word ptr [esp+12], 0FFFF ; still no device -> status := 0FFFF
0042558E |> 66:837C24 12 >cmp word ptr [esp+12], 0
00425594 |. 74 6C je short 00425602 ; status still 0 -> proceed to the ioctl
00425596 |. 66:8B4424 12 mov ax, word ptr [esp+12] ; return the failure status (0FFFF)
0042559B |. 5D pop ebp
0042559C |. 5F pop edi
0042559D |. 5E pop esi
0042559E |. 5B pop ebx
0042559F |. 81C4 7C020000 add esp, 27C
004255A5 |. C3 retn
; --- Win9x path: open the VxD's device name ---
004255A6 |> 68 30CE4700 push 0047CE30 ; |FileName = "\\.\ROCKEY9X"
004255AB |. 8B3D 80434600 mov edi, dword ptr [<&KERNEL32.Creat>; |kernel32.CreateFileA
004255B1 |. FFD7 call edi ; \CreateFileA
004255B3 |. A3 18CE4700 mov dword ptr [47CE18], eax
004255B8 |. 83F8 FF cmp eax, -1
004255BB |. 75 45 jnz short 00425602 ; opened -> ioctl
; not loaded yet: CreateFileA on "\\.\rockey9x.vxd" with CREATE_NEW + DELETE_ON_CLOSE
; (looks like the Win9x dynamic VxD-load call -- confirm against the 9x DDK)
004255BD |. 6A 00 push 0 ; /hTemplateFile = NULL
004255BF |. 68 00000004 push 4000000 ; |Attributes = DELETE_ON_CLOSE
004255C4 |. 6A 01 push 1 ; |Mode = CREATE_NEW
004255C6 |. 6A 00 push 0 ; |pSecurity = NULL
004255C8 |. 6A 00 push 0 ; |ShareMode = 0
004255CA |. 6A 00 push 0 ; |Access = 0
004255CC |. 68 1CCE4700 push 0047CE1C ; |FileName = "\\.\rockey9x.vxd"
004255D1 |. FFD7 call edi ; \CreateFileA
004255D3 |. A3 18CE4700 mov dword ptr [47CE18], eax
004255D8 |. 83F8 FF cmp eax, -1
004255DB |. 75 25 jnz short 00425602 ; loaded -> ioctl
004255DD |. FF15 70434600 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004255E3 |. 83F8 32 cmp eax, 32 ; 0x32 = 50 = ERROR_NOT_SUPPORTED
004255E6 |. 75 0B jnz short 004255F3
004255E8 |. 68 30CE4700 push 0047CE30 ; /FileName = "\\.\ROCKEY9X"
004255ED |. FF15 E8434600 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA -- result ignored
004255F3 |> 66:B8 0200 mov ax, 2 ; return 2: 9x driver unavailable
004255F7 |. 5D pop ebp
004255F8 |. 5F pop edi
004255F9 |. 5E pop esi
004255FA |. 5B pop ebx
004255FB |. 81C4 7C020000 add esp, 27C
00425601 |. C3 retn
; --- common ioctl path (esp is back at the post-push base on every entry) ---
; copy the nine arguments into the local block: blk[0] = function code, blk[1..8] = arg2..arg9
00425602 |> 8B8C24 940200>mov ecx, dword ptr [esp+294] ; arg2
00425609 |. 8B9424 980200>mov edx, dword ptr [esp+298] ; arg3
00425610 |. 894C24 24 mov dword ptr [esp+24], ecx ; blk[1] = arg2
00425614 |. 895424 28 mov dword ptr [esp+28], edx ; blk[2] = arg3
00425618 |. 8B8C24 A00200>mov ecx, dword ptr [esp+2A0] ; arg5
0042561F |. 8B9424 A40200>mov edx, dword ptr [esp+2A4] ; arg6
00425626 |. 894C24 30 mov dword ptr [esp+30], ecx ; blk[4] = arg5
0042562A |. 895424 34 mov dword ptr [esp+34], edx ; blk[5] = arg6
0042562E |. 0FB7C6 movzx eax, si ; zero-extend the function code
00425631 |. 8B8C24 AC0200>mov ecx, dword ptr [esp+2AC] ; arg8
00425638 |. 894424 20 mov dword ptr [esp+20], eax ; blk[0] = function code
0042563C |. 8B8424 9C0200>mov eax, dword ptr [esp+29C] ; arg4
00425643 |. 8B9424 B00200>mov edx, dword ptr [esp+2B0] ; arg9
0042564A |. 894424 2C mov dword ptr [esp+2C], eax ; blk[3] = arg4
0042564E |. 894C24 3C mov dword ptr [esp+3C], ecx ; blk[7] = arg8
00425652 |. 8B8424 A80200>mov eax, dword ptr [esp+2A8] ; arg7
00425659 |. 8D4C24 20 lea ecx, dword ptr [esp+20] ; &blk
0042565D |. 894424 38 mov dword ptr [esp+38], eax ; blk[6] = arg7
00425661 |. 895424 40 mov dword ptr [esp+40], edx ; blk[8] = arg9
00425665 |. 8D4424 48 lea eax, dword ptr [esp+48] ; &inbuf (0x28 bytes)
00425669 |. 50 push eax
0042566A |. 51 push ecx
0042566B |. E8 20FBFFFF call 00425190 ; sub_425190(&blk, &inbuf): cdecl -- presumably packs/encodes the block for the driver, verify at 00425190
00425670 |. 8D4C24 4C lea ecx, dword ptr [esp+4C] ; &bytesReturned ([esp+44] once the 8 arg bytes are dropped)
00425674 |. 8D5424 1A lea edx, dword ptr [esp+1A] ; &status word ([esp+12]) doubles as the 2-byte output buffer
00425678 |. 8D4424 50 lea eax, dword ptr [esp+50] ; &inbuf ([esp+48])
0042567C |. 83C4 08 add esp, 8
0042567F |. 6A 00 push 0 ; /pOverlapped = NULL
00425681 |. 51 push ecx ; |pBytesReturned
00425682 |. 6A 02 push 2 ; |OutBufferSize = 2
00425684 |. 8B0D 18CE4700 mov ecx, dword ptr [47CE18] ; | cached device handle
0042568A |. 52 push edx ; |OutBuffer
0042568B |. 6A 28 push 28 ; |InBufferSize = 28 (40.)
0042568D |. 50 push eax ; |InBuffer
0042568E |. 68 00E410A4 push A410E400 ; |IoControlCode = A410E400
00425693 |. 51 push ecx ; |hDevice => NULL -- static guess; at run time this is the handle from [47CE18]
00425694 |. FF15 24434600 call dword ptr [<&KERNEL32.DeviceIoCo>; \DeviceIoControl
0042569A |. 85C0 test eax, eax
0042569C |. 75 0F jnz short 004256AD
0042569E |. 66:B8 FFFF mov ax, 0FFFF ; return 0FFFF: ioctl failed
004256A2 |. 5D pop ebp
004256A3 |. 5F pop edi
004256A4 |. 5E pop esi
004256A5 |. 5B pop ebx
004256A6 |. 81C4 7C020000 add esp, 27C
004256AC |. C3 retn
004256AD |> 66:8B4424 12 mov ax, word ptr [esp+12] ; return the status word the driver wrote into the output buffer
004256B2 |. 5D pop ebp
004256B3 |. 5F pop edi
004256B4 |. 5E pop esi
004256B5 |. 5B pop ebx
004256B6 |. 81C4 7C020000 add esp, 27C
004256BC \. C3 retn
;-----------------------------------------------------------------------
; sub_425360 -- dongle driver access entry (x86-32, Intel syntax, OllyDbg dump)
; Convention: cdecl (plain retn; the caller removes the 9 arguments).
; Stack offsets below are relative to esp AFTER the four register pushes:
;   arg1 [esp+290] : function code; only its low WORD is used (kept in si)
;   arg2..arg9 [esp+294 .. esp+2B0] : eight dwords, copied verbatim into a
;                                     local 9-dword block at [esp+20 .. esp+40]
; Return value is the 16-bit ax only (every return path writes ax, never eax):
;   8      arg1 == 0
;   0FFFF  OpenSCManagerA, StartServiceA, the re-open of the device, or
;          DeviceIoControl failed
;   2      rockeynt.sys not found in the current directory (NT) / VxD not
;          loadable (9x)
;   else   the word at [esp+12]: zeroed at entry, used as the 2-byte ioctl
;          output buffer, so the driver decides the value
; Global [47CE18] : cached device handle (0 = not opened yet); no locking is
;                   visible in this listing.
; Locals : [esp+12] status word, [esp+14] "ROCKEYNT" (service + display name),
;          [esp+44] bytes-returned, [esp+48] 0x28-byte ioctl input, [esp+70]
;          SERVICE_STATUS, [esp+8C] system-dir path, [esp+18C] current-dir path
; Regs   : ebx = hSCManager, ebp = hService (also reused as a temp fn pointer),
;          edi = CreateFileA, si = function code
; Shape matches the Rockey4 SDK's Rockey(function, ...) entry -- TODO confirm.
; NOTE(review): when the device is absent on NT, this routine copies
;   rockeynt.sys from the *current directory* into <system dir>\drivers and
;   registers it as an auto-start kernel driver; CopyFileA's result and the
;   CreateServiceA handle are neither checked nor closed. Whoever can write
;   the CWD therefore decides which driver binary reaches the kernel -- record
;   this when auditing the host program.
;-----------------------------------------------------------------------
00425360 /$ 81EC 7C020000 sub esp, 27C ; 636-byte frame
00425366 |. B9 78CE4700 mov ecx, 0047CE78 ; ASCII "ROCKEYNT" -- copied byte-exact into the local at edx below
0042536B |. 66:C74424 02 >mov word ptr [esp+2], 0 ; status word := 0
00425372 |. 8D5424 04 lea edx, dword ptr [esp+4] ; edx = local name buffer
; save callee-saved ebx/esi/edi/ebp; the compiler interleaved the 9-byte string copy
00425376 |. 53 push ebx
00425377 |. 56 push esi
00425378 |. 8B01 mov eax, dword ptr [ecx] ; "ROCK"
0042537A |. 57 push edi
0042537B |. 8B59 04 mov ebx, dword ptr [ecx+4] ; "EYNT"
0042537E |. 55 push ebp
0042537F |. 8902 mov dword ptr [edx], eax
00425381 |. 66:8BB424 900>mov si, word ptr [esp+290] ; si = low word of arg1 (function code)
00425389 |. 8A49 08 mov cl, byte ptr [ecx+8] ; terminating NUL
0042538C |. 66:85F6 test si, si ; flags survive the two stores below
0042538F |. 895A 04 mov dword ptr [edx+4], ebx
00425392 |. 884A 08 mov byte ptr [edx+8], cl ; local "ROCKEYNT\0" complete
00425395 |. 75 0F jnz short 004253A6 ; function code given -> continue
00425397 |. 66:B8 0800 mov ax, 8 ; return 8: function code was 0
; common epilogue shape (repeated at every return below): restore regs, drop frame
0042539B |. 5D pop ebp
0042539C |. 5F pop edi
0042539D |. 5E pop esi
0042539E |. 5B pop ebx
0042539F |. 81C4 7C020000 add esp, 27C
004253A5 |. C3 retn
004253A6 |> 833D 18CE4700>cmp dword ptr [47CE18], 0 ; device handle already cached?
004253AD |. 0F85 4F020000 jnz 00425602 ; yes -> straight to the ioctl
004253B3 |. FF15 1C434600 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion -- picks the NT or 9x driver model
; the six trailing CreateFileA arguments are pushed before the OS branch; each path adds its own file name
004253B9 |. 6A 00 push 0 ; /hTemplateFile = NULL
004253BB |. 3D 00000080 cmp eax, 80000000 ; | high bit set => Win9x; the pushes below do not touch flags
004253C0 |. 68 80000000 push 80 ; |Attributes = NORMAL
004253C5 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004253C7 |. 6A 00 push 0 ; |pSecurity = NULL
004253C9 |. 6A 00 push 0 ; |ShareMode = 0
004253CB |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004253D0 |. 0F83 D0010000 jnb 004255A6 ; | -> Win9x / VxD path
; --- NT path: open the driver's device object ---
004253D6 |. 68 68CE4700 push 0047CE68 ; |FileName = "\\.\ROCKEYNT"
004253DB |. 8B3D 80434600 mov edi, dword ptr [<&KERNEL32.Creat>; |kernel32.CreateFileA (edi kept for the later re-open)
004253E1 |. FFD7 call edi ; \CreateFileA
004253E3 |. A3 18CE4700 mov dword ptr [47CE18], eax ; cache the handle (stored even when it is -1)
004253E8 |. 83F8 FF cmp eax, -1 ; INVALID_HANDLE_VALUE?
004253EB |. 0F85 11020000 jnz 00425602 ; device opened -> ioctl
; device absent: (re)install the kernel-mode driver service
004253F1 |. 68 3F000F00 push 0F003F ; SC_MANAGER_ALL_ACCESS
004253F6 |. 6A 00 push 0 ; lpDatabaseName = NULL
004253F8 |. 6A 00 push 0 ; lpMachineName = NULL
004253FA |. FF15 40404600 call dword ptr [<&ADVAPI32.OpenSCMana>; ADVAPI32.OpenSCManagerA
00425400 |. 8BD8 mov ebx, eax ; ebx = hSCManager
00425402 |. 85DB test ebx, ebx
00425404 |. 75 0F jnz short 00425415
00425406 |. 66:B8 FFFF mov ax, 0FFFF ; return 0FFFF: SCM not reachable (typically needs admin rights)
0042540A |. 5D pop ebp
0042540B |. 5F pop edi
0042540C |. 5E pop esi
0042540D |. 5B pop ebx
0042540E |. 81C4 7C020000 add esp, 27C
00425414 |. C3 retn
; build "<system dir>\drivers\rockeynt.sys" in [esp+8C]
00425415 |> 8D8424 8C0000>lea eax, dword ptr [esp+8C]
0042541C |. 68 00010000 push 100 ; /BufSize = 100 (256.)
00425421 |. 50 push eax ; |Buffer
00425422 |. 8B2D 20434600 mov ebp, dword ptr [<&KERNEL32.GetSy>; |kernel32.GetSystemDirectoryA
00425428 |. FFD5 call ebp ; \GetSystemDirectoryA
0042542A |. 8D8C24 8C0000>lea ecx, dword ptr [esp+8C]
00425431 |. 68 50CE4700 push 0047CE50 ; ASCII "\drivers\rockeynt.sys"
00425436 |. 51 push ecx
00425437 |. E8 24FDFFFF call 00425160 ; sub_425160(buf, suffix): cdecl, 2 args -- presumably a strcat-like append, verify at 00425160
0042543C |. 8D8424 940000>lea eax, dword ptr [esp+94] ; same buffer, addressed before the 8 arg bytes are dropped
00425443 |. 83C4 08 add esp, 8
00425446 |. 8B2D F4434600 mov ebp, dword ptr [<&KERNEL32.GetFi>; kernel32.GetFileAttributesA (ebp reused as a fn pointer)
0042544C |. 50 push eax ; /FileName
0042544D |. FFD5 call ebp ; \GetFileAttributesA
0042544F |. 83F8 FF cmp eax, -1 ; INVALID_FILE_ATTRIBUTES?
00425452 |. 74 39 je short 0042548D ; driver file not installed -> fetch it from the current directory
; driver file present: stop and delete any existing ROCKEYNT service, then re-create it below
00425454 |. 8D4424 14 lea eax, dword ptr [esp+14] ; "ROCKEYNT"
00425458 |. 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS
0042545D |. 50 push eax ; ServiceName
0042545E |. 53 push ebx ; hSCManager
0042545F |. FF15 18404600 call dword ptr [<&ADVAPI32.OpenServic>; ADVAPI32.OpenServiceA
00425465 |. 8BE8 mov ebp, eax ; ebp = hService
00425467 |. 85ED test ebp, ebp
00425469 |. 0F84 85000000 je 004254F4 ; no such service -> create it
0042546F |. 8D4424 70 lea eax, dword ptr [esp+70] ; SERVICE_STATUS out-buffer
00425473 |. 50 push eax
00425474 |. 6A 01 push 1 ; SERVICE_CONTROL_STOP
00425476 |. 55 push ebp
00425477 |. FF15 44404600 call dword ptr [<&ADVAPI32.ControlSer>; ADVAPI32.ControlService -- result ignored
0042547D |. 55 push ebp
0042547E |. FF15 48404600 call dword ptr [<&ADVAPI32.DeleteServ>; ADVAPI32.DeleteService -- result ignored
00425484 |. 55 push ebp
00425485 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle
0042548B |. EB 67 jmp short 004254F4
; driver file missing: build "<current dir>\rockeynt.sys" in [esp+18C]
0042548D |> 8D8424 8C0100>lea eax, dword ptr [esp+18C]
00425494 |. 50 push eax ; /Buffer
00425495 |. 68 00010000 push 100 ; |BufSize = 100 (256.)
0042549A |. FF15 94434600 call dword ptr [<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA
004254A0 |. 8D8C24 8C0100>lea ecx, dword ptr [esp+18C]
004254A7 |. 68 40CE4700 push 0047CE40 ; ASCII "\rockeynt.sys"
004254AC |. 51 push ecx
004254AD |. E8 AEFCFFFF call 00425160 ; same append helper as above
004254B2 |. 8D8C24 940100>lea ecx, dword ptr [esp+194] ; same buffer, addressed before the 8 arg bytes are dropped
004254B9 |. 83C4 08 add esp, 8
004254BC |. 51 push ecx
004254BD |. FFD5 call ebp ; ebp is still GetFileAttributesA
004254BF |. 83F8 FF cmp eax, -1
004254C2 |. 75 16 jnz short 004254DA ; found -> copy it into the system directory
004254C4 |. 53 push ebx
004254C5 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hSCManager)
004254CB |. 66:B8 0200 mov ax, 2 ; return 2: no rockeynt.sys available to install
004254CF |. 5D pop ebp
004254D0 |. 5F pop edi
004254D1 |. 5E pop esi
004254D2 |. 5B pop ebx
004254D3 |. 81C4 7C020000 add esp, 27C
004254D9 |. C3 retn
; CopyFileA(<cwd>\rockeynt.sys -> <system dir>\drivers\rockeynt.sys); the return value is ignored
; NOTE(review): the source is whatever rockeynt.sys sits in the current directory; no
;   signature or path validation is visible here before it is registered as a kernel driver
004254DA |> 8D8424 8C0000>lea eax, dword ptr [esp+8C]
004254E1 |. 6A 00 push 0 ; /FailIfExists = FALSE
004254E3 |. 8D8C24 900100>lea ecx, dword ptr [esp+190] ; | <cwd> path ([esp+18C] before the push)
004254EA |. 50 push eax ; |NewFileName
004254EB |. 51 push ecx ; |ExistingFileName
004254EC |. 8B2D D8434600 mov ebp, dword ptr [<&KERNEL32.CopyF>; |kernel32.CopyFileA
004254F2 |. FFD5 call ebp ; \CopyFileA
; CreateServiceA("ROCKEYNT", SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, BinaryPath = <system dir>\drivers\rockeynt.sys)
; the returned SC_HANDLE is neither checked nor closed (handle leak); the service is re-opened by name instead
004254F4 |> 8D8424 8C0000>lea eax, dword ptr [esp+8C] ; BinaryPathName
004254FB |. 6A 00 push 0 ; /Password = NULL
004254FD |. 6A 00 push 0 ; |ServiceStartName = NULL
004254FF |. 6A 00 push 0 ; |pDependencies = NULL
00425501 |. 6A 00 push 0 ; |pTagId = NULL
00425503 |. 6A 00 push 0 ; |LoadOrderGroup = NULL
00425505 |. 8D4C24 28 lea ecx, dword ptr [esp+28] ; | "ROCKEYNT" ([esp+14] before the 5 pushes)
00425509 |. 50 push eax ; |BinaryPathName
0042550A |. 6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
0042550C |. 6A 02 push 2 ; |StartType = SERVICE_AUTO_START
0042550E |. 6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER
00425510 |. 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
00425515 |. 51 push ecx ; |DisplayName
00425516 |. 8D4C24 40 lea ecx, dword ptr [esp+40] ; | "ROCKEYNT" ([esp+14] before the 11 pushes)
0042551A |. 51 push ecx ; |ServiceName
0042551B |. 53 push ebx ; |hManager
0042551C |. FF15 4C404600 call dword ptr [<&ADVAPI32.CreateServ>; \CreateServiceA -- eax overwritten below without a check
; re-open the service by name (covers both the just-created and the pre-existing case)
00425522 |. 8D4C24 14 lea ecx, dword ptr [esp+14] ; "ROCKEYNT"
00425526 |. 68 FF010F00 push 0F01FF ; SERVICE_ALL_ACCESS
0042552B |. 51 push ecx ; ServiceName
0042552C |. 53 push ebx ; hSCManager
0042552D |. FF15 18404600 call dword ptr [<&ADVAPI32.OpenServic>; ADVAPI32.OpenServiceA
00425533 |. 8BE8 mov ebp, eax ; ebp = hService -- NOT checked for NULL before use
00425535 |. 6A 00 push 0 ; lpServiceArgVectors = NULL
00425537 |. 6A 00 push 0 ; dwNumServiceArgs = 0
00425539 |. 55 push ebp
0042553A |. FF15 14404600 call dword ptr [<&ADVAPI32.StartServi>; ADVAPI32.StartServiceA
00425540 |. 85C0 test eax, eax
00425542 |. 75 07 jnz short 0042554B
00425544 |. 66:C74424 12 >mov word ptr [esp+12], 0FFFF ; start failed -> status := 0FFFF (handles are still closed below)
0042554B |> 55 push ebp
0042554C |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hService)
00425552 |. 53 push ebx
00425553 |. FF15 10404600 call dword ptr [<&ADVAPI32.CloseServi>; ADVAPI32.CloseServiceHandle (hSCManager)
00425559 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms -- fixed wait, presumably for the driver to create its device object
0042555E |. FF15 C8434600 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
; second attempt to open \\.\ROCKEYNT with the same seven arguments as above (edi = CreateFileA)
00425564 |. 6A 00 push 0 ; hTemplateFile = NULL
00425566 |. 68 80000000 push 80 ; FILE_ATTRIBUTE_NORMAL
0042556B |. 6A 03 push 3 ; OPEN_EXISTING
0042556D |. 6A 00 push 0 ; pSecurity = NULL
0042556F |. 6A 00 push 0 ; ShareMode = 0
00425571 |. 68 000000C0 push C0000000 ; GENERIC_READ|GENERIC_WRITE
00425576 |. 68 68CE4700 push 0047CE68 ; ASCII "\\.\ROCKEYNT"
0042557B |. FFD7 call edi ; CreateFileA
0042557D |. A3 18CE4700 mov dword ptr [47CE18], eax ; re-cache the handle
00425582 |. 83F8 FF cmp eax, -1
00425585 |. 75 07 jnz short 0042558E
00425587 |. 66:C74424 12 >mov word ptr [esp+12], 0FFFF ; still no device -> status := 0FFFF
0042558E |> 66:837C24 12 >cmp word ptr [esp+12], 0
00425594 |. 74 6C je short 00425602 ; status still 0 -> proceed to the ioctl
00425596 |. 66:8B4424 12 mov ax, word ptr [esp+12] ; return the failure status (0FFFF)
0042559B |. 5D pop ebp
0042559C |. 5F pop edi
0042559D |. 5E pop esi
0042559E |. 5B pop ebx
0042559F |. 81C4 7C020000 add esp, 27C
004255A5 |. C3 retn
; --- Win9x path: open the VxD's device name ---
004255A6 |> 68 30CE4700 push 0047CE30 ; |FileName = "\\.\ROCKEY9X"
004255AB |. 8B3D 80434600 mov edi, dword ptr [<&KERNEL32.Creat>; |kernel32.CreateFileA
004255B1 |. FFD7 call edi ; \CreateFileA
004255B3 |. A3 18CE4700 mov dword ptr [47CE18], eax
004255B8 |. 83F8 FF cmp eax, -1
004255BB |. 75 45 jnz short 00425602 ; opened -> ioctl
; not loaded yet: CreateFileA on "\\.\rockey9x.vxd" with CREATE_NEW + DELETE_ON_CLOSE
; (looks like the Win9x dynamic VxD-load call -- confirm against the 9x DDK)
004255BD |. 6A 00 push 0 ; /hTemplateFile = NULL
004255BF |. 68 00000004 push 4000000 ; |Attributes = DELETE_ON_CLOSE
004255C4 |. 6A 01 push 1 ; |Mode = CREATE_NEW
004255C6 |. 6A 00 push 0 ; |pSecurity = NULL
004255C8 |. 6A 00 push 0 ; |ShareMode = 0
004255CA |. 6A 00 push 0 ; |Access = 0
004255CC |. 68 1CCE4700 push 0047CE1C ; |FileName = "\\.\rockey9x.vxd"
004255D1 |. FFD7 call edi ; \CreateFileA
004255D3 |. A3 18CE4700 mov dword ptr [47CE18], eax
004255D8 |. 83F8 FF cmp eax, -1
004255DB |. 75 25 jnz short 00425602 ; loaded -> ioctl
004255DD |. FF15 70434600 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004255E3 |. 83F8 32 cmp eax, 32 ; 0x32 = 50 = ERROR_NOT_SUPPORTED
004255E6 |. 75 0B jnz short 004255F3
004255E8 |. 68 30CE4700 push 0047CE30 ; /FileName = "\\.\ROCKEY9X"
004255ED |. FF15 E8434600 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA -- result ignored
004255F3 |> 66:B8 0200 mov ax, 2 ; return 2: 9x driver unavailable
004255F7 |. 5D pop ebp
004255F8 |. 5F pop edi
004255F9 |. 5E pop esi
004255FA |. 5B pop ebx
004255FB |. 81C4 7C020000 add esp, 27C
00425601 |. C3 retn
; --- common ioctl path (esp is back at the post-push base on every entry) ---
; copy the nine arguments into the local block: blk[0] = function code, blk[1..8] = arg2..arg9
00425602 |> 8B8C24 940200>mov ecx, dword ptr [esp+294] ; arg2
00425609 |. 8B9424 980200>mov edx, dword ptr [esp+298] ; arg3
00425610 |. 894C24 24 mov dword ptr [esp+24], ecx ; blk[1] = arg2
00425614 |. 895424 28 mov dword ptr [esp+28], edx ; blk[2] = arg3
00425618 |. 8B8C24 A00200>mov ecx, dword ptr [esp+2A0] ; arg5
0042561F |. 8B9424 A40200>mov edx, dword ptr [esp+2A4] ; arg6
00425626 |. 894C24 30 mov dword ptr [esp+30], ecx ; blk[4] = arg5
0042562A |. 895424 34 mov dword ptr [esp+34], edx ; blk[5] = arg6
0042562E |. 0FB7C6 movzx eax, si ; zero-extend the function code
00425631 |. 8B8C24 AC0200>mov ecx, dword ptr [esp+2AC] ; arg8
00425638 |. 894424 20 mov dword ptr [esp+20], eax ; blk[0] = function code
0042563C |. 8B8424 9C0200>mov eax, dword ptr [esp+29C] ; arg4
00425643 |. 8B9424 B00200>mov edx, dword ptr [esp+2B0] ; arg9
0042564A |. 894424 2C mov dword ptr [esp+2C], eax ; blk[3] = arg4
0042564E |. 894C24 3C mov dword ptr [esp+3C], ecx ; blk[7] = arg8
00425652 |. 8B8424 A80200>mov eax, dword ptr [esp+2A8] ; arg7
00425659 |. 8D4C24 20 lea ecx, dword ptr [esp+20] ; &blk
0042565D |. 894424 38 mov dword ptr [esp+38], eax ; blk[6] = arg7
00425661 |. 895424 40 mov dword ptr [esp+40], edx ; blk[8] = arg9
00425665 |. 8D4424 48 lea eax, dword ptr [esp+48] ; &inbuf (0x28 bytes)
00425669 |. 50 push eax
0042566A |. 51 push ecx
0042566B |. E8 20FBFFFF call 00425190 ; sub_425190(&blk, &inbuf): cdecl -- presumably packs/encodes the block for the driver, verify at 00425190
00425670 |. 8D4C24 4C lea ecx, dword ptr [esp+4C] ; &bytesReturned ([esp+44] once the 8 arg bytes are dropped)
00425674 |. 8D5424 1A lea edx, dword ptr [esp+1A] ; &status word ([esp+12]) doubles as the 2-byte output buffer
00425678 |. 8D4424 50 lea eax, dword ptr [esp+50] ; &inbuf ([esp+48])
0042567C |. 83C4 08 add esp, 8
0042567F |. 6A 00 push 0 ; /pOverlapped = NULL
00425681 |. 51 push ecx ; |pBytesReturned
00425682 |. 6A 02 push 2 ; |OutBufferSize = 2
00425684 |. 8B0D 18CE4700 mov ecx, dword ptr [47CE18] ; | cached device handle
0042568A |. 52 push edx ; |OutBuffer
0042568B |. 6A 28 push 28 ; |InBufferSize = 28 (40.)
0042568D |. 50 push eax ; |InBuffer
0042568E |. 68 00E410A4 push A410E400 ; |IoControlCode = A410E400
00425693 |. 51 push ecx ; |hDevice => NULL -- static guess; at run time this is the handle from [47CE18]
00425694 |. FF15 24434600 call dword ptr [<&KERNEL32.DeviceIoCo>; \DeviceIoControl
0042569A |. 85C0 test eax, eax
0042569C |. 75 0F jnz short 004256AD
0042569E |. 66:B8 FFFF mov ax, 0FFFF ; return 0FFFF: ioctl failed
004256A2 |. 5D pop ebp
004256A3 |. 5F pop edi
004256A4 |. 5E pop esi
004256A5 |. 5B pop ebx
004256A6 |. 81C4 7C020000 add esp, 27C
004256AC |. C3 retn
004256AD |> 66:8B4424 12 mov ax, word ptr [esp+12] ; return the status word the driver wrote into the output buffer
004256B2 |. 5D pop ebp
004256B3 |. 5F pop edi
004256B4 |. 5E pop esi
004256B5 |. 5B pop ebx
004256B6 |. 81C4 7C020000 add esp, 27C
004256BC \. C3 retn