-
-
[求助]能帮忙看下这里哪个是函数起遍历磁盘用的
-
发表于: 2009-5-8 10:54
-
[QUOTE][/QUOTE]反编译一款木马
他会替换目标游戏的主程序,
但是它怎么知道游戏的主程序路径的我想是通过遍历磁盘吧
004013F6 - FF25 C0104000 jmp dword ptr [4010C0] ; MSVBVM60.__vbaExceptHandler
004013FC - FF25 D8104000 jmp dword ptr [4010D8] ; MSVBVM60.__vbaFPException
00401402 - FF25 68104000 jmp dword ptr [401068] ; MSVBVM60._adj_fdiv_m16i
00401408 - FF25 58104000 jmp dword ptr [401058] ; MSVBVM60._adj_fdiv_m32
0040140E - FF25 18114000 jmp dword ptr [401118] ; MSVBVM60._adj_fdiv_m32i
00401414 - FF25 2C104000 jmp dword ptr [40102C] ; MSVBVM60._adj_fdiv_m64
0040141A - FF25 30114000 jmp dword ptr [401130] ; MSVBVM60._adj_fdiv_r
00401420 - FF25 70104000 jmp dword ptr [401070] ; MSVBVM60._adj_fdivr_m16i
00401426 - FF25 28114000 jmp dword ptr [401128] ; MSVBVM60._adj_fdivr_m32
0040142C - FF25 1C114000 jmp dword ptr [40111C] ; MSVBVM60._adj_fdivr_m32i
00401432 - FF25 D0104000 jmp dword ptr [4010D0] ; MSVBVM60._adj_fdivr_m64
00401438 - FF25 A4104000 jmp dword ptr [4010A4] ; MSVBVM60._adj_fpatan
0040143E - FF25 CC104000 jmp dword ptr [4010CC] ; MSVBVM60._adj_fprem
00401444 - FF25 38104000 jmp dword ptr [401038] ; MSVBVM60._adj_fprem1
0040144A - FF25 08104000 jmp dword ptr [401008] ; MSVBVM60._adj_fptan
00401450 - FF25 58114000 jmp dword ptr [401158] ; MSVBVM60._CIatan
00401456 - FF25 04104000 jmp dword ptr [401004] ; MSVBVM60._CIcos
0040145C - FF25 70114000 jmp dword ptr [401170] ; MSVBVM60._CIexp
00401462 - FF25 F8104000 jmp dword ptr [4010F8] ; MSVBVM60._CIlog
00401468 - FF25 7C104000 jmp dword ptr [40107C] ; MSVBVM60._CIsin
0040146E - FF25 B8104000 jmp dword ptr [4010B8] ; MSVBVM60._CIsqrt
00401474 - FF25 68114000 jmp dword ptr [401168] ; MSVBVM60._CItan
0040147A - FF25 64114000 jmp dword ptr [401164] ; MSVBVM60._allmul
00401480 - FF25 9C104000 jmp dword ptr [40109C] ; MSVBVM60.DllFunctionCall
00401486 - FF25 28104000 jmp dword ptr [401028] ; MSVBVM60.__vbaPut3
0040148C - FF25 98104000 jmp dword ptr [401098] ; MSVBVM60.__vbaPutOwner3
00401492 - FF25 14114000 jmp dword ptr [401114] ; MSVBVM60.rtcFreeFile
00401498 - FF25 10114000 jmp dword ptr [401110] ; MSVBVM60.__vbaVar2Vec
0040149E - FF25 14104000 jmp dword ptr [401014] ; MSVBVM60.__vbaAryMove
004014A4 - FF25 54104000 jmp dword ptr [401054] ; MSVBVM60.__vbaNameFile
004014AA - FF25 C8104000 jmp dword ptr [4010C8] ; MSVBVM60.rtcReplace
004014B0 - FF25 24104000 jmp dword ptr [401024] ; MSVBVM60.__vbaEnd
004014B6 - FF25 6C104000 jmp dword ptr [40106C] ; MSVBVM60.__vbaObjSetAddref
004014BC - FF25 B4104000 jmp dword ptr [4010B4] ; MSVBVM60.rtcShell
004014C2 - FF25 C4104000 jmp dword ptr [4010C4] ; MSVBVM60.__vbaPrintFile
004014C8 - FF25 90104000 jmp dword ptr [401090] ; MSVBVM60.__vbaStrCmp
004014CE - FF25 64104000 jmp dword ptr [401064] ; MSVBVM60.__vbaOnError
004014D4 - FF25 20104000 jmp dword ptr [401020] ; MSVBVM60.__vbaFreeVarList
004014DA - FF25 30104000 jmp dword ptr [401030] ; MSVBVM60.__vbaFreeObjList
004014E0 - FF25 78114000 jmp dword ptr [401178] ; MSVBVM60.__vbaFreeStr
004014E6 - FF25 D4104000 jmp dword ptr [4010D4] ; MSVBVM60.rtcVarBstrFromAnsi
004014EC - FF25 EC104000 jmp dword ptr [4010EC] ; MSVBVM60.__vbaVarCat
004014F2 - FF25 E4104000 jmp dword ptr [4010E4] ; MSVBVM60.__vbaStrVarVal
004014F8 - FF25 60104000 jmp dword ptr [401060] ; MSVBVM60.__vbaObjSet
004014FE - FF25 84104000 jmp dword ptr [401084] ; MSVBVM60.__vbaFileClose
00401504 - FF25 E8104000 jmp dword ptr [4010E8] ; MSVBVM60.__vbaGetOwner4
0040150A - FF25 4C114000 jmp dword ptr [40114C] ; MSVBVM60.__vbaFpI4
00401510 - FF25 0C114000 jmp dword ptr [40110C] ; MSVBVM60.rtcFileLength
00401516 - FF25 24114000 jmp dword ptr [401124] ; MSVBVM60.__vbaFreeStrList
0040151C - FF25 00114000 jmp dword ptr [401100] ; MSVBVM60.__vbaFileOpen
00401522 - FF25 44104000 jmp dword ptr [401044] ; MSVBVM60.__vbaStrCat
00401528 - FF25 60114000 jmp dword ptr [401160] ; MSVBVM60.rtcRightCharVar
0040152E - FF25 38114000 jmp dword ptr [401138] ; MSVBVM60.__vbaVarTstNe
00401534 - FF25 74114000 jmp dword ptr [401174] ; MSVBVM60.__vbaFreeObj
0040153A - FF25 50104000 jmp dword ptr [401050] ; MSVBVM60.__vbaHresultCheckObj
00401540 - FF25 08114000 jmp dword ptr [401108] ; MSVBVM60.__vbaNew2
00401546 - FF25 FC104000 jmp dword ptr [4010FC] ; MSVBVM60.__vbaErrorOverflow
0040154C - FF25 5C104000 jmp dword ptr [40105C] ; MSVBVM60.__vbaAryDestruct
00401552 - FF25 20114000 jmp dword ptr [401120] ; MSVBVM60.__vbaStrCopy
00401558 - FF25 10104000 jmp dword ptr [401010] ; MSVBVM60.__vbaFreeVar
0040155E - FF25 E0104000 jmp dword ptr [4010E0] ; MSVBVM60.rtcStrConvVar2
00401564 - FF25 1C104000 jmp dword ptr [40101C] ; MSVBVM60.__vbaStrVarMove
0040156A - FF25 5C114000 jmp dword ptr [40115C] ; MSVBVM60.__vbaStrMove
00401570 - FF25 6C114000 jmp dword ptr [40116C] ; MSVBVM60.__vbaAryUnlock
00401576 - FF25 8C104000 jmp dword ptr [40108C] ; MSVBVM60.__vbaGenerateBoundsError
0040157C - FF25 40114000 jmp dword ptr [401140] ; MSVBVM60.__vbaAryLock
00401582 - FF25 A8104000 jmp dword ptr [4010A8] ; MSVBVM60.__vbaRedim
00401588 - FF25 4C104000 jmp dword ptr [40104C] ; MSVBVM60.__vbaSetSystemError
0040158E - FF25 F4104000 jmp dword ptr [4010F4] ; MSVBVM60.rtcBstrFromAnsi
00401594 - FF25 2C114000 jmp dword ptr [40112C] ; MSVBVM60.__vbaPowerR8
0040159A - FF25 54114000 jmp dword ptr [401154] ; MSVBVM60.__vbaR8IntI2
004015A0 - FF25 0C104000 jmp dword ptr [40100C] ; MSVBVM60.rtcLog
004015A6 - FF25 18104000 jmp dword ptr [401018] ; MSVBVM60.__vbaLenBstr
004015AC - FF25 A0104000 jmp dword ptr [4010A0] ; MSVBVM60.__vbaRedimPreserve
004015B2 - FF25 34104000 jmp dword ptr [401034] ; MSVBVM60.rtcAnsiValueBstr
004015B8 - FF25 48104000 jmp dword ptr [401048] ; MSVBVM60.__vbaLsetFixstr
004015BE - FF25 78104000 jmp dword ptr [401078] ; MSVBVM60.__vbaStrFixstr
004015C4 - FF25 04114000 jmp dword ptr [401104] ; MSVBVM60.__vbaInStr
004015CA - FF25 48114000 jmp dword ptr [401148] ; MSVBVM60.rtcLeftCharBstr
004015D0 - FF25 74104000 jmp dword ptr [401074] ; MSVBVM60.rtcDoEvents
004015D6 - FF25 40104000 jmp dword ptr [401040] ; MSVBVM60.__vbaRecAnsiToUni
004015DC - FF25 44114000 jmp dword ptr [401144] ; MSVBVM60.__vbaStrToAnsi
004015E2 - FF25 AC104000 jmp dword ptr [4010AC] ; MSVBVM60.__vbaRecUniToAnsi
004015E8 - FF25 94104000 jmp dword ptr [401094] ; MSVBVM60.__vbaVarTstEq
004015EE - FF25 50114000 jmp dword ptr [401150] ; MSVBVM60.rtcLeftCharVar
004015F4 - FF25 3C104000 jmp dword ptr [40103C] ; MSVBVM60.rtcLowerCaseVar
004015FA - FF25 DC104000 jmp dword ptr [4010DC] ; MSVBVM60.__vbaInStrVar
00401600 - FF25 F0104000 jmp dword ptr [4010F0] ; MSVBVM60.__vbaI2Var
00401606 - FF25 00104000 jmp dword ptr [401000] ; MSVBVM60.rtcSaveSetting
0040160C - FF25 3C114000 jmp dword ptr [40113C] ; MSVBVM60.rtcGetSetting
00401612 - FF25 BC104000 jmp dword ptr [4010BC] ; MSVBVM60.EVENT_SINK_QueryInterface
00401618 - FF25 88104000 jmp dword ptr [401088] ; MSVBVM60.EVENT_SINK_AddRef
0040161E - FF25 B0104000 jmp dword ptr [4010B0] ; MSVBVM60.EVENT_SINK_Release
00401624 - FF25 34114000 jmp dword ptr [401134] ; MSVBVM60.ThunRTMain
这里是它调用的vb函数
这里哪个是起遍历磁盘用的?
附件为脱壳后的东东谁帮分析下
|
|
|---|---|
|
|
 ,如果是猜测的话,我猜测是从注册表里读取路径...
|
|
|
|
|
|
|
