[求助]烦请各位高手看一下，这是个什么函数-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]烦请各位高手看一下，这是个什么函数 0.00雪花

发表于: 2009-10-2 17:43 3821

[旧帖] [求助]烦请各位高手看一下，这是个什么函数 0.00雪花

liumingabc 活跃值

2009-10-2 17:43

3821

text:10001120                jz    short loc_10001165
.text:10001122                push ecx
.text:10001123                pop    ecx
.text:10001124                mov    ecx, [ebp-20h]  ; //相当V5
.text:10001127                movzx edx, byte ptr [ecx+88h] ; //相当于136
.text:1000112E                push edx
.text:1000112F                mov    eax, [ebp-20h]
.text:10001132                add    eax, 48h       ; //相当于72
.text:10001135                push eax
.text:10001136                mov    ecx, [ebp-20h]
.text:10001139                mov    edx, [ecx+4] ; //相当于4
.text:1000113C                push edx
.text:1000113D                call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime

以下对应的C
if ( !lstrcmpA(lpString1, "Sleep") )
  {
*(_BYTE *)(v5 + 136) = 10;
unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
*(_DWORD *)(v5 + 72) = 1565917067;
*(_BYTE *)(v5 + 76) = -23;
*(_DWORD *)(v5 + 77) = a4 - (*(_DWORD *)(v5 + 4) + 4) - 5;
*(_BYTE *)(v5 + 81) = -112;
*(_BYTE *)(v5 + 18) = -23;
*(_DWORD *)(v5 + 19) = *(_DWORD *)(v5 + 4) - (v5 + 8) - 5;
unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
return 1;
  }
unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));

UNKNOWN_LIBNAME_1,神呀请给个答案吧

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・0

免费・0

支持

最新回复 (10)
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 2 楼请各位高手看一下吧 2009-10-3 13:10 0
loqich 雪币： 962 活跃值： (1681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 642 粉丝 0 关注私信	loqich 3 楼看起来好像是memcpy 2009-10-3 15:43 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 4 楼 to loqich 谢谢你的关注，我试一下，VC看能不能出现这个结果 2009-10-3 16:30 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 5 楼我试一下，IDA，能够看出MEMCPY text:004017C3 mov edx, [ebp+var_10] .text:004017C6 mov [ebp+var_4], edx .text:004017C9 push 4 .text:004017CB lea eax, [ebp+var_4] .text:004017CE push eax .text:004017CF lea ecx, [ebp+var_8] .text:004017D2 push ecx .text:004017D3 call memcpy 2009-10-3 17:05 0
loqich 雪币： 962 活跃值： (1681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 642 粉丝 0 关注私信	loqich 6 楼不一定能识别的.我经常遇到识别不了~~ 这里应该是hook 的代码.我怎么看都像是memcpy 保存数据要不.你把unknown_libname_1处的汇编贴一下看看 2009-10-3 20:21 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 7 楼 .text:10003F30 unknown_libname_1 proc near ; CODE XREF: .text:1000113Dp .text:10003F30 ; sub_10001170+5Dp ... .text:10003F30 .text:10003F30 arg_0 = dword ptr 8 .text:10003F30 arg_4 = dword ptr 0Ch .text:10003F30 arg_8 = dword ptr 10h .text:10003F30 .text:10003F30 push ebp .text:10003F31 mov ebp, esp .text:10003F33 push edi .text:10003F34 push esi .text:10003F35 mov esi, [ebp+arg_4] .text:10003F38 mov ecx, [ebp+arg_8] .text:10003F3B mov edi, [ebp+arg_0] .text:10003F3E mov eax, ecx .text:10003F40 mov edx, ecx .text:10003F42 add eax, esi .text:10003F44 cmp edi, esi .text:10003F46 jbe short unknown_libname_2 ; Microsoft VisualC 2-8/net runtime .text:10003F48 cmp edi, eax .text:10003F4A jb unknown_libname_22 ; Microsoft VisualC 2-8/net runtime .text:10003F50 .text:10003F50 unknown_libname_2: ; CODE XREF: unknown_libname_1+16j .text:10003F50 cmp ecx, 100h ; Microsoft VisualC 2-8/net runtime .text:10003F56 jb short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F58 cmp dword_10011460, 0 .text:10003F5F jz short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F61 push edi .text:10003F62 push esi .text:10003F63 and edi, 0Fh .text:10003F66 and esi, 0Fh .text:10003F69 cmp edi, esi .text:10003F6B pop esi .text:10003F6C pop edi .text:10003F6D jnz short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F6F pop esi .text:10003F70 pop edi .text:10003F71 pop ebp .text:10003F72 jmp unknown_libname_45 ; Microsoft VisualC 2-8/net runtime .text:10003F77 ; --------------------------------------------------------------------------- .text:10003F77 .text:10003F77 unknown_libname_3: ; CODE XREF: unknown_libname_1+26j .text:10003F77 ; unknown_libname_1+2Fj ... .text:10003F77 test edi, 3 ; Microsoft VisualC 2-8/net runtime .text:10003F7D jnz short unknown_libname_4 ; Microsoft VisualC 2-8/net runtime .text:10003F7F shr ecx, 2 .text:10003F82 and edx, 3 .text:10003F85 cmp ecx, 8 .text:10003F88 jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:10003F8A rep movsd .text:10003F8C jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10003F8C ; --------------------------------------------------------------------------- .text:10003F93 align 4 .text:10003F94 .text:10003F94 unknown_libname_4: ; CODE XREF: unknown_libname_1+4Dj .text:10003F94 mov eax, edi ; Microsoft VisualC 2-8/net runtime .text:10003F96 mov edx, 3 .text:10003F9B sub ecx, 4 .text:10003F9E jb short unknown_libname_5 ; Microsoft VisualC 2-8/net runtime .text:10003FA0 and eax, 3 .text:10003FA3 add ecx, eax .text:10003FA5 jmp dword ptr ds:(unknown_libname_6+4)[eax4] ; Microsoft VisualC 2-8/net runtime .text:10003FAC ; --------------------------------------------------------------------------- .text:10003FAC .text:10003FAC unknown_libname_5: ; CODE XREF: unknown_libname_1+6Ej .text:10003FAC jmp dword ptr ds:unknown_libname_18[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10003FAC ; --------------------------------------------------------------------------- .text:10003FB3 align 4 .text:10003FB4 .text:10003FB4 unknown_libname_6: ; CODE XREF: unknown_libname_1+58j .text:10003FB4 ; unknown_libname_1+B6j ... .text:10003FB4 jmp ds:off_10004038[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10003FB4 ; --------------------------------------------------------------------------- .text:10003FBB align 4 .text:10003FBC dd offset unknown_libname_7 ; Microsoft VisualC 2-8/net runtime .text:10003FC0 dd offset unknown_libname_8 ; Microsoft VisualC 2-8/net runtime .text:10003FC4 dd offset unknown_libname_9 ; Microsoft VisualC 2-8/net runtime .text:10003FC8 ; --------------------------------------------------------------------------- .text:10003FC8 .text:10003FC8 unknown_libname_7: ; DATA XREF: unknown_libname_1+8Co .text:10003FC8 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:10003FCA mov al, [esi] .text:10003FCC mov [edi], al .text:10003FCE mov al, [esi+1] .text:10003FD1 mov [edi+1], al .text:10003FD4 mov al, [esi+2] .text:10003FD7 shr ecx, 2 .text:10003FDA mov [edi+2], al .text:10003FDD add esi, 3 .text:10003FE0 add edi, 3 .text:10003FE3 cmp ecx, 8 .text:10003FE6 jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:10003FE8 rep movsd .text:10003FEA jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10003FEA ; --------------------------------------------------------------------------- .text:10003FF1 align 4 .text:10003FF4 .text:10003FF4 unknown_libname_8: ; DATA XREF: unknown_libname_1+90o .text:10003FF4 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:10003FF6 mov al, [esi] .text:10003FF8 mov [edi], al .text:10003FFA mov al, [esi+1] .text:10003FFD shr ecx, 2 .text:10004000 mov [edi+1], al .text:10004003 add esi, 2 .text:10004006 add edi, 2 .text:10004009 cmp ecx, 8 .text:1000400C jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:1000400E rep movsd .text:10004010 jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004010 ; --------------------------------------------------------------------------- .text:10004017 align 4 .text:10004018 .text:10004018 unknown_libname_9: ; DATA XREF: unknown_libname_1+94o .text:10004018 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:1000401A mov al, [esi] .text:1000401C mov [edi], al .text:1000401E add esi, 1 .text:10004021 shr ecx, 2 .text:10004024 add edi, 1 .text:10004027 cmp ecx, 8 .text:1000402A jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:1000402C rep movsd .text:1000402E jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000402E ; --------------------------------------------------------------------------- .text:10004035 align 4 .text:10004038 off_10004038 dd offset unknown_libname_17 .text:10004038 ; DATA XREF: unknown_libname_1:unknown_libname_6r .text:10004038 ; Microsoft VisualC 2-8/net runtime .text:1000403C dd offset unknown_libname_16 ; Microsoft VisualC 2-8/net runtime .text:10004040 dd offset unknown_libname_15 ; Microsoft VisualC 2-8/net runtime .text:10004044 dd offset unknown_libname_14 ; Microsoft VisualC 2-8/net runtime .text:10004048 dd offset unknown_libname_13 ; Microsoft VisualC 2-8/net runtime .text:1000404C dd offset unknown_libname_12 ; Microsoft VisualC 2-8/net runtime .text:10004050 dd offset unknown_libname_11 ; Microsoft VisualC 2-8/net runtime .text:10004054 dd offset unknown_libname_10 ; Microsoft VisualC 2-8/net runtime .text:10004058 ; --------------------------------------------------------------------------- .text:10004058 .text:10004058 unknown_libname_10: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004058 ; DATA XREF: unknown_libname_1+124o .text:10004058 mov eax, [esi+ecx4-1Ch] ; Microsoft VisualC 2-8/net runtime .text:1000405C mov [edi+ecx4-1Ch], eax .text:10004060 .text:10004060 unknown_libname_11: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004060 ; DATA XREF: unknown_libname_1+120o .text:10004060 mov eax, [esi+ecx4-18h] ; Microsoft VisualC 2-8/net runtime .text:10004064 mov [edi+ecx4-18h], eax .text:10004068 .text:10004068 unknown_libname_12: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004068 ; DATA XREF: unknown_libname_1+11Co .text:10004068 mov eax, [esi+ecx4-14h] ; Microsoft VisualC 2-8/net runtime .text:1000406C mov [edi+ecx4-14h], eax .text:10004070 .text:10004070 unknown_libname_13: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004070 ; DATA XREF: unknown_libname_1+118o .text:10004070 mov eax, [esi+ecx4-10h] ; Microsoft VisualC 2-8/net runtime .text:10004074 mov [edi+ecx4-10h], eax .text:10004078 .text:10004078 unknown_libname_14: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004078 ; DATA XREF: unknown_libname_1+114o .text:10004078 mov eax, [esi+ecx4-0Ch] ; Microsoft VisualC 2-8/net runtime .text:1000407C mov [edi+ecx4-0Ch], eax .text:10004080 .text:10004080 unknown_libname_15: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004080 ; DATA XREF: unknown_libname_1+110o .text:10004080 mov eax, [esi+ecx4-8] ; Microsoft VisualC 2-8/net runtime .text:10004084 mov [edi+ecx4-8], eax .text:10004088 .text:10004088 unknown_libname_16: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004088 ; DATA XREF: unknown_libname_1+10Co .text:10004088 mov eax, [esi+ecx4-4] ; Microsoft VisualC 2-8/net runtime .text:1000408C mov [edi+ecx4-4], eax .text:10004090 lea eax, ds:0[ecx4] .text:10004097 add esi, eax .text:10004099 add edi, eax .text:1000409B .text:1000409B unknown_libname_17: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:1000409B ; DATA XREF: unknown_libname_1:off_10004038o .text:1000409B jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000409B ; --------------------------------------------------------------------------- .text:100040A2 align 4 .text:100040A4 off_100040A4 dd offset unknown_libname_18 .text:100040A4 ; DATA XREF: unknown_libname_1+5Cr .text:100040A4 ; unknown_libname_1+BAr ... .text:100040A4 ; Microsoft VisualC 2-8/net runtime .text:100040A8 dd offset unknown_libname_19 ; Microsoft VisualC 2-8/net runtime .text:100040AC dd offset unknown_libname_20 ; Microsoft VisualC 2-8/net runtime .text:100040B0 dd offset unknown_libname_21 ; Microsoft VisualC 2-8/net runtime .text:100040B4 ; --------------------------------------------------------------------------- .text:100040B4 .text:100040B4 unknown_libname_18: ; CODE XREF: unknown_libname_1+5Cj .text:100040B4 ; unknown_libname_1+BAj ... .text:100040B4 mov eax, [ebp+arg_0] ; Microsoft VisualC 2-8/net runtime .text:100040B7 pop esi .text:100040B8 pop edi .text:100040B9 leave .text:100040BA retn .text:100040BA ; --------------------------------------------------------------------------- .text:100040BB align 4 .text:100040BC .text:100040BC unknown_libname_19: ; CODE XREF: unknown_libname_1+5Cj .text:100040BC ; unknown_libname_1+BAj ... .text:100040BC mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040BE mov [edi], al .text:100040C0 mov eax, [ebp+arg_0] .text:100040C3 pop esi .text:100040C4 pop edi .text:100040C5 leave .text:100040C6 retn .text:100040C6 ; --------------------------------------------------------------------------- .text:100040C7 align 4 .text:100040C8 .text:100040C8 unknown_libname_20: ; CODE XREF: unknown_libname_1+5Cj .text:100040C8 ; unknown_libname_1+BAj ... .text:100040C8 mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040CA mov [edi], al .text:100040CC mov al, [esi+1] .text:100040CF mov [edi+1], al .text:100040D2 mov eax, [ebp+arg_0] .text:100040D5 pop esi .text:100040D6 pop edi .text:100040D7 leave .text:100040D8 retn .text:100040D8 ; --------------------------------------------------------------------------- .text:100040D9 align 4 .text:100040DC .text:100040DC unknown_libname_21: ; CODE XREF: unknown_libname_1+5Cj .text:100040DC ; unknown_libname_1+BAj ... .text:100040DC mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040DE mov [edi], al .text:100040E0 mov al, [esi+1] .text:100040E3 mov [edi+1], al .text:100040E6 mov al, [esi+2] .text:100040E9 mov [edi+2], al .text:100040EC mov eax, [ebp+arg_0] .text:100040EF pop esi .text:100040F0 pop edi .text:100040F1 leave .text:100040F2 retn .text:100040F2 ; --------------------------------------------------------------------------- .text:100040F3 align 4 .text:100040F4 .text:100040F4 unknown_libname_22: ; CODE XREF: unknown_libname_1+1Aj .text:100040F4 lea esi, [ecx+esi-4] ; Microsoft VisualC 2-8/net runtime .text:100040F8 lea edi, [ecx+edi-4] .text:100040FC test edi, 3 .text:10004102 jnz short unknown_libname_24 ; Microsoft VisualC 2-8/net runtime .text:10004104 shr ecx, 2 .text:10004107 and edx, 3 .text:1000410A cmp ecx, 8 .text:1000410D jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:1000410F std .text:10004110 rep movsd .text:10004112 cld .text:10004113 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004113 ; --------------------------------------------------------------------------- .text:1000411A align 4 .text:1000411C .text:1000411C unknown_libname_23: ; CODE XREF: unknown_libname_1+1DDj .text:1000411C ; unknown_libname_1+238j ... .text:1000411C neg ecx ; Microsoft VisualC 2-8/net runtime .text:1000411E jmp ds:off_100041F0[ecx4] ; Microsoft VisualC 2-8/net runtime .text:1000411E ; --------------------------------------------------------------------------- .text:10004125 align 4 .text:10004128 .text:10004128 unknown_libname_24: ; CODE XREF: unknown_libname_1+1D2j .text:10004128 mov eax, edi ; Microsoft VisualC 2-8/net runtime .text:1000412A mov edx, 3 .text:1000412F cmp ecx, 4 .text:10004132 jb short unknown_libname_25 ; Microsoft VisualC 2-8/net runtime .text:10004134 and eax, 3 .text:10004137 sub ecx, eax .text:10004139 jmp dword ptr ds:(unknown_libname_25+4)[eax4] ; Microsoft VisualC 2-8/net runtime .text:10004140 ; --------------------------------------------------------------------------- .text:10004140 .text:10004140 unknown_libname_25: ; CODE XREF: unknown_libname_1+202j .text:10004140 ; DATA XREF: unknown_libname_1+209r .text:10004140 jmp ds:off_10004240[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10004140 ; --------------------------------------------------------------------------- .text:10004147 align 4 .text:10004148 dd offset unknown_libname_26 ; Microsoft VisualC 2-8/net runtime .text:1000414C dd offset unknown_libname_27 ; Microsoft VisualC 2-8/net runtime .text:10004150 dd offset unknown_libname_28 ; Microsoft VisualC 2-8/net runtime .text:10004154 ; --------------------------------------------------------------------------- .text:10004154 .text:10004154 unknown_libname_26: ; DATA XREF: unknown_libname_1+218o .text:10004154 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:10004157 and edx, ecx .text:10004159 mov [edi+3], al .text:1000415C sub esi, 1 .text:1000415F shr ecx, 2 .text:10004162 sub edi, 1 .text:10004165 cmp ecx, 8 .text:10004168 jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:1000416A std .text:1000416B rep movsd .text:1000416D cld .text:1000416E jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000416E ; --------------------------------------------------------------------------- .text:10004175 align 4 .text:10004178 .text:10004178 unknown_libname_27: ; DATA XREF: unknown_libname_1+21Co .text:10004178 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000417B and edx, ecx .text:1000417D mov [edi+3], al .text:10004180 mov al, [esi+2] .text:10004183 shr ecx, 2 .text:10004186 mov [edi+2], al .text:10004189 sub esi, 2 .text:1000418C sub edi, 2 .text:1000418F cmp ecx, 8 .text:10004192 jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:10004194 std .text:10004195 rep movsd .text:10004197 cld .text:10004198 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004198 ; --------------------------------------------------------------------------- .text:1000419F align 10h .text:100041A0 .text:100041A0 unknown_libname_28: ; DATA XREF: unknown_libname_1+220o .text:100041A0 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:100041A3 and edx, ecx .text:100041A5 mov [edi+3], al .text:100041A8 mov al, [esi+2] .text:100041AB mov [edi+2], al .text:100041AE mov al, [esi+1] .text:100041B1 shr ecx, 2 .text:100041B4 mov [edi+1], al .text:100041B7 sub esi, 3 .text:100041BA sub edi, 3 .text:100041BD cmp ecx, 8 .text:100041C0 jb unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:100041C6 std .text:100041C7 rep movsd .text:100041C9 cld .text:100041CA jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:100041CA ; --------------------------------------------------------------------------- .text:100041D1 align 4 .text:100041D4 dd offset unknown_libname_29 ; Microsoft VisualC 2-8/net runtime .text:100041D8 dd offset unknown_libname_30 ; Microsoft VisualC 2-8/net runtime .text:100041DC dd offset unknown_libname_31 ; Microsoft VisualC 2-8/net runtime .text:100041E0 dd offset unknown_libname_32 ; Microsoft VisualC 2-8/net runtime .text:100041E4 dd offset unknown_libname_33 ; Microsoft VisualC 2-8/net runtime .text:100041E8 dd offset unknown_libname_34 ; Microsoft VisualC 2-8/net runtime .text:100041EC dd offset unknown_libname_35 ; Microsoft VisualC 2-8/net runtime .text:100041F0 off_100041F0 dd offset unknown_libname_36 .text:100041F0 ; DATA XREF: unknown_libname_1+1EEr .text:100041F0 ; Microsoft VisualC 2-8/net runtime .text:100041F4 ; --------------------------------------------------------------------------- .text:100041F4 .text:100041F4 unknown_libname_29: ; DATA XREF: unknown_libname_1+2A4o .text:100041F4 mov eax, [esi+ecx4+1Ch] ; Microsoft VisualC 2-8/net runtime .text:100041F8 mov [edi+ecx4+1Ch], eax .text:100041FC .text:100041FC unknown_libname_30: ; DATA XREF: unknown_libname_1+2A8o .text:100041FC mov eax, [esi+ecx4+18h] ; Microsoft VisualC 2-8/net runtime .text:10004200 mov [edi+ecx4+18h], eax .text:10004204 .text:10004204 unknown_libname_31: ; DATA XREF: unknown_libname_1+2ACo .text:10004204 mov eax, [esi+ecx4+14h] ; Microsoft VisualC 2-8/net runtime .text:10004208 mov [edi+ecx4+14h], eax .text:1000420C .text:1000420C unknown_libname_32: ; DATA XREF: unknown_libname_1+2B0o .text:1000420C mov eax, [esi+ecx4+10h] ; Microsoft VisualC 2-8/net runtime .text:10004210 mov [edi+ecx4+10h], eax .text:10004214 .text:10004214 unknown_libname_33: ; DATA XREF: unknown_libname_1+2B4o .text:10004214 mov eax, [esi+ecx4+0Ch] ; Microsoft VisualC 2-8/net runtime .text:10004218 mov [edi+ecx4+0Ch], eax .text:1000421C .text:1000421C unknown_libname_34: ; DATA XREF: unknown_libname_1+2B8o .text:1000421C mov eax, [esi+ecx4+8] ; Microsoft VisualC 2-8/net runtime .text:10004220 mov [edi+ecx4+8], eax .text:10004224 .text:10004224 unknown_libname_35: ; DATA XREF: unknown_libname_1+2BCo .text:10004224 mov eax, [esi+ecx4+4] ; Microsoft VisualC 2-8/net runtime .text:10004228 mov [edi+ecx4+4], eax .text:1000422C lea eax, ds:0[ecx4] .text:10004233 add esi, eax .text:10004235 add edi, eax .text:10004237 .text:10004237 unknown_libname_36: ; CODE XREF: unknown_libname_1+1EEj .text:10004237 ; DATA XREF: unknown_libname_1:off_100041F0o .text:10004237 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004237 ; --------------------------------------------------------------------------- .text:1000423E align 10h .text:10004240 off_10004240 dd offset unknown_libname_37 .text:10004240 ; DATA XREF: unknown_libname_1+1E3r .text:10004240 ; unknown_libname_1:unknown_libname_25r ... .text:10004240 ; Microsoft VisualC 2-8/net runtime .text:10004244 dd offset unknown_libname_38 ; Microsoft VisualC 2-8/net runtime .text:10004248 dd offset unknown_libname_39 ; Microsoft VisualC 2-8/net runtime .text:1000424C dd offset unknown_libname_40 ; Microsoft VisualC 2-8/net runtime .text:10004250 ; --------------------------------------------------------------------------- .text:10004250 .text:10004250 unknown_libname_37: ; CODE XREF: unknown_libname_1+1E3j .text:10004250 ; unknown_libname_1:unknown_libname_25j ... .text:10004250 mov eax, [ebp+arg_0] ; Microsoft VisualC 2-8/net runtime .text:10004253 pop esi .text:10004254 pop edi .text:10004255 leave .text:10004256 retn .text:10004256 ; --------------------------------------------------------------------------- .text:10004257 align 4 .text:10004258 .text:10004258 unknown_libname_38: ; CODE XREF: unknown_libname_1+1E3j .text:10004258 ; unknown_libname_1:unknown_libname_25j ... .text:10004258 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000425B mov [edi+3], al .text:1000425E mov eax, [ebp+arg_0] .text:10004261 pop esi .text:10004262 pop edi .text:10004263 leave .text:10004264 retn .text:10004264 ; --------------------------------------------------------------------------- .text:10004265 align 4 .text:10004268 .text:10004268 unknown_libname_39: ; CODE XREF: unknown_libname_1+1E3j .text:10004268 ; unknown_libname_1:unknown_libname_25j ... .text:10004268 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000426B mov [edi+3], al .text:1000426E mov al, [esi+2] .text:10004271 mov [edi+2], al .text:10004274 mov eax, [ebp+arg_0] .text:10004277 pop esi .text:10004278 pop edi .text:10004279 leave .text:1000427A retn .text:1000427A ; --------------------------------------------------------------------------- .text:1000427B align 4 .text:1000427C .text:1000427C unknown_libname_40: ; CODE XREF: unknown_libname_1+1E3j .text:1000427C ; unknown_libname_1:unknown_libname_25j ... .text:1000427C mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000427F mov [edi+3], al .text:10004282 mov al, [esi+2] .text:10004285 mov [edi+2], al .text:10004288 mov al, [esi+1] .text:1000428B mov [edi+1], al .text:1000428E mov eax, [ebp+arg_0] .text:10004291 pop esi .text:10004292 pop edi .text:10004293 leave .text:10004294 retn .text:10004294 unknown_libname_1 endp 2009-10-4 13:35 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 8 楼 text:10005FBB unknown_libname_45 proc near ; CODE XREF: unknown_libname_1+42j .text:10005FBB ; unknown_libname_45+AFp ... .text:10005FBB .text:10005FBB var_1C = dword ptr -1Ch .text:10005FBB var_18 = dword ptr -18h .text:10005FBB var_14 = dword ptr -14h .text:10005FBB var_10 = dword ptr -10h .text:10005FBB var_C = dword ptr -0Ch .text:10005FBB var_8 = dword ptr -8 .text:10005FBB var_4 = dword ptr -4 .text:10005FBB arg_0 = dword ptr 8 .text:10005FBB arg_4 = dword ptr 0Ch .text:10005FBB arg_8 = dword ptr 10h .text:10005FBB .text:10005FBB push ebp .text:10005FBC mov ebp, esp .text:10005FBE sub esp, 1Ch .text:10005FC1 mov [ebp+var_C], edi .text:10005FC4 mov [ebp+var_8], esi .text:10005FC7 mov [ebp+var_4], ebx .text:10005FCA mov ebx, [ebp+arg_4] .text:10005FCD mov eax, ebx .text:10005FCF cdq .text:10005FD0 mov ecx, eax .text:10005FD2 mov eax, [ebp+arg_0] .text:10005FD5 xor ecx, edx .text:10005FD7 sub ecx, edx .text:10005FD9 and ecx, 0Fh .text:10005FDC xor ecx, edx .text:10005FDE sub ecx, edx .text:10005FE0 cdq .text:10005FE1 mov edi, eax .text:10005FE3 xor edi, edx .text:10005FE5 sub edi, edx .text:10005FE7 and edi, 0Fh .text:10005FEA xor edi, edx .text:10005FEC sub edi, edx .text:10005FEE mov edx, ecx .text:10005FF0 or edx, edi .text:10005FF2 jnz short unknown_libname_47 ; Microsoft VisualC 2-8/net runtime .text:10005FF4 mov esi, [ebp+arg_8] .text:10005FF7 mov ecx, esi .text:10005FF9 and ecx, 7Fh .text:10005FFC mov [ebp+var_18], ecx .text:10005FFF cmp esi, ecx .text:10006001 jz short unknown_libname_46 ; Microsoft VisualC 2-8/net runtime .text:10006003 sub esi, ecx .text:10006005 push esi .text:10006006 push ebx .text:10006007 push eax .text:10006008 call _fastcopy_I .text:1000600D add esp, 0Ch .text:10006010 mov eax, [ebp+arg_0] .text:10006013 mov ecx, [ebp+var_18] .text:10006016 .text:10006016 unknown_libname_46: ; CODE XREF: unknown_libname_45+46j .text:10006016 test ecx, ecx ; Microsoft VisualC 2-8/net runtime .text:10006018 jz short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:1000601A mov ebx, [ebp+arg_8] .text:1000601D mov edx, [ebp+arg_4] .text:10006020 add edx, ebx .text:10006022 sub edx, ecx .text:10006024 mov [ebp+var_14], edx .text:10006027 add ebx, eax .text:10006029 sub ebx, ecx .text:1000602B mov [ebp+var_10], ebx .text:1000602E mov esi, [ebp+var_14] .text:10006031 mov edi, [ebp+var_10] .text:10006034 mov ecx, [ebp+var_18] .text:10006037 rep movsb .text:10006039 mov eax, [ebp+arg_0] .text:1000603C jmp short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:1000603E ; --------------------------------------------------------------------------- .text:1000603E .text:1000603E unknown_libname_47: ; CODE XREF: unknown_libname_45+37j .text:1000603E cmp ecx, edi ; Microsoft VisualC 2-8/net runtime .text:10006040 jnz short unknown_libname_48 ; Microsoft VisualC 2-8/net runtime .text:10006042 neg ecx .text:10006044 add ecx, 10h .text:10006047 mov [ebp+var_1C], ecx .text:1000604A mov esi, [ebp+arg_4] .text:1000604D mov edi, [ebp+arg_0] .text:10006050 mov ecx, [ebp+var_1C] .text:10006053 rep movsb .text:10006055 mov ecx, [ebp+arg_0] .text:10006058 add ecx, [ebp+var_1C] .text:1000605B mov edx, [ebp+arg_4] .text:1000605E add edx, [ebp+var_1C] .text:10006061 mov eax, [ebp+arg_8] .text:10006064 sub eax, [ebp+var_1C] .text:10006067 push eax .text:10006068 push edx .text:10006069 push ecx .text:1000606A call unknown_libname_45 ; Microsoft VisualC 2-8/net runtime .text:1000606F add esp, 0Ch .text:10006072 mov eax, [ebp+arg_0] .text:10006075 jmp short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:10006077 ; --------------------------------------------------------------------------- .text:10006077 .text:10006077 unknown_libname_48: ; CODE XREF: unknown_libname_45+85j .text:10006077 mov esi, [ebp+arg_4] ; Microsoft VisualC 2-8/net runtime .text:1000607A mov edi, [ebp+arg_0] .text:1000607D mov ecx, [ebp+arg_8] .text:10006080 mov edx, ecx .text:10006082 shr ecx, 2 .text:10006085 rep movsd .text:10006087 mov ecx, edx .text:10006089 and ecx, 3 .text:1000608C rep movsb .text:1000608E mov eax, [ebp+arg_0] .text:10006091 .text:10006091 unknown_libname_49: ; CODE XREF: unknown_libname_45+5Dj .text:10006091 ; unknown_libname_45+81j ... .text:10006091 mov ebx, [ebp+var_4] ; Microsoft VisualC 2-8/net runtime .text:10006094 mov esi, [ebp+var_8] .text:10006097 mov edi, [ebp+var_C] .text:1000609A mov esp, ebp .text:1000609C pop ebp .text:1000609D retn .text:1000609D unknown_libname_45 endp 2009-10-4 13:41 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 9 楼能不能发一个能产生UNKNOWN——LIBNAME例子，非常感谢！ 2009-10-4 13:54 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 10 楼唉，还是要靠自己呀！多么想有人交流一下。 2009-10-5 12:08 0
vyse 雪币： 200 活跃值： (35) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	vyse 11 楼用OD分析下？ 2009-10-5 13:00 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

liumingabc

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (10)
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 2 楼请各位高手看一下吧 2009-10-3 13:10 0
loqich 雪币： 962 活跃值： (1681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 642 粉丝 0 关注私信	loqich 3 楼看起来好像是memcpy 2009-10-3 15:43 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 4 楼 to loqich 谢谢你的关注，我试一下，VC看能不能出现这个结果 2009-10-3 16:30 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 5 楼我试一下，IDA，能够看出MEMCPY text:004017C3 mov edx, [ebp+var_10] .text:004017C6 mov [ebp+var_4], edx .text:004017C9 push 4 .text:004017CB lea eax, [ebp+var_4] .text:004017CE push eax .text:004017CF lea ecx, [ebp+var_8] .text:004017D2 push ecx .text:004017D3 call memcpy 2009-10-3 17:05 0
loqich 雪币： 962 活跃值： (1681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 642 粉丝 0 关注私信	loqich 6 楼不一定能识别的.我经常遇到识别不了~~ 这里应该是hook 的代码.我怎么看都像是memcpy 保存数据要不.你把unknown_libname_1处的汇编贴一下看看 2009-10-3 20:21 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 7 楼 .text:10003F30 unknown_libname_1 proc near ; CODE XREF: .text:1000113Dp .text:10003F30 ; sub_10001170+5Dp ... .text:10003F30 .text:10003F30 arg_0 = dword ptr 8 .text:10003F30 arg_4 = dword ptr 0Ch .text:10003F30 arg_8 = dword ptr 10h .text:10003F30 .text:10003F30 push ebp .text:10003F31 mov ebp, esp .text:10003F33 push edi .text:10003F34 push esi .text:10003F35 mov esi, [ebp+arg_4] .text:10003F38 mov ecx, [ebp+arg_8] .text:10003F3B mov edi, [ebp+arg_0] .text:10003F3E mov eax, ecx .text:10003F40 mov edx, ecx .text:10003F42 add eax, esi .text:10003F44 cmp edi, esi .text:10003F46 jbe short unknown_libname_2 ; Microsoft VisualC 2-8/net runtime .text:10003F48 cmp edi, eax .text:10003F4A jb unknown_libname_22 ; Microsoft VisualC 2-8/net runtime .text:10003F50 .text:10003F50 unknown_libname_2: ; CODE XREF: unknown_libname_1+16j .text:10003F50 cmp ecx, 100h ; Microsoft VisualC 2-8/net runtime .text:10003F56 jb short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F58 cmp dword_10011460, 0 .text:10003F5F jz short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F61 push edi .text:10003F62 push esi .text:10003F63 and edi, 0Fh .text:10003F66 and esi, 0Fh .text:10003F69 cmp edi, esi .text:10003F6B pop esi .text:10003F6C pop edi .text:10003F6D jnz short unknown_libname_3 ; Microsoft VisualC 2-8/net runtime .text:10003F6F pop esi .text:10003F70 pop edi .text:10003F71 pop ebp .text:10003F72 jmp unknown_libname_45 ; Microsoft VisualC 2-8/net runtime .text:10003F77 ; --------------------------------------------------------------------------- .text:10003F77 .text:10003F77 unknown_libname_3: ; CODE XREF: unknown_libname_1+26j .text:10003F77 ; unknown_libname_1+2Fj ... .text:10003F77 test edi, 3 ; Microsoft VisualC 2-8/net runtime .text:10003F7D jnz short unknown_libname_4 ; Microsoft VisualC 2-8/net runtime .text:10003F7F shr ecx, 2 .text:10003F82 and edx, 3 .text:10003F85 cmp ecx, 8 .text:10003F88 jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:10003F8A rep movsd .text:10003F8C jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10003F8C ; --------------------------------------------------------------------------- .text:10003F93 align 4 .text:10003F94 .text:10003F94 unknown_libname_4: ; CODE XREF: unknown_libname_1+4Dj .text:10003F94 mov eax, edi ; Microsoft VisualC 2-8/net runtime .text:10003F96 mov edx, 3 .text:10003F9B sub ecx, 4 .text:10003F9E jb short unknown_libname_5 ; Microsoft VisualC 2-8/net runtime .text:10003FA0 and eax, 3 .text:10003FA3 add ecx, eax .text:10003FA5 jmp dword ptr ds:(unknown_libname_6+4)[eax4] ; Microsoft VisualC 2-8/net runtime .text:10003FAC ; --------------------------------------------------------------------------- .text:10003FAC .text:10003FAC unknown_libname_5: ; CODE XREF: unknown_libname_1+6Ej .text:10003FAC jmp dword ptr ds:unknown_libname_18[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10003FAC ; --------------------------------------------------------------------------- .text:10003FB3 align 4 .text:10003FB4 .text:10003FB4 unknown_libname_6: ; CODE XREF: unknown_libname_1+58j .text:10003FB4 ; unknown_libname_1+B6j ... .text:10003FB4 jmp ds:off_10004038[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10003FB4 ; --------------------------------------------------------------------------- .text:10003FBB align 4 .text:10003FBC dd offset unknown_libname_7 ; Microsoft VisualC 2-8/net runtime .text:10003FC0 dd offset unknown_libname_8 ; Microsoft VisualC 2-8/net runtime .text:10003FC4 dd offset unknown_libname_9 ; Microsoft VisualC 2-8/net runtime .text:10003FC8 ; --------------------------------------------------------------------------- .text:10003FC8 .text:10003FC8 unknown_libname_7: ; DATA XREF: unknown_libname_1+8Co .text:10003FC8 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:10003FCA mov al, [esi] .text:10003FCC mov [edi], al .text:10003FCE mov al, [esi+1] .text:10003FD1 mov [edi+1], al .text:10003FD4 mov al, [esi+2] .text:10003FD7 shr ecx, 2 .text:10003FDA mov [edi+2], al .text:10003FDD add esi, 3 .text:10003FE0 add edi, 3 .text:10003FE3 cmp ecx, 8 .text:10003FE6 jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:10003FE8 rep movsd .text:10003FEA jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10003FEA ; --------------------------------------------------------------------------- .text:10003FF1 align 4 .text:10003FF4 .text:10003FF4 unknown_libname_8: ; DATA XREF: unknown_libname_1+90o .text:10003FF4 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:10003FF6 mov al, [esi] .text:10003FF8 mov [edi], al .text:10003FFA mov al, [esi+1] .text:10003FFD shr ecx, 2 .text:10004000 mov [edi+1], al .text:10004003 add esi, 2 .text:10004006 add edi, 2 .text:10004009 cmp ecx, 8 .text:1000400C jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:1000400E rep movsd .text:10004010 jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004010 ; --------------------------------------------------------------------------- .text:10004017 align 4 .text:10004018 .text:10004018 unknown_libname_9: ; DATA XREF: unknown_libname_1+94o .text:10004018 and edx, ecx ; Microsoft VisualC 2-8/net runtime .text:1000401A mov al, [esi] .text:1000401C mov [edi], al .text:1000401E add esi, 1 .text:10004021 shr ecx, 2 .text:10004024 add edi, 1 .text:10004027 cmp ecx, 8 .text:1000402A jb short unknown_libname_6 ; Microsoft VisualC 2-8/net runtime .text:1000402C rep movsd .text:1000402E jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000402E ; --------------------------------------------------------------------------- .text:10004035 align 4 .text:10004038 off_10004038 dd offset unknown_libname_17 .text:10004038 ; DATA XREF: unknown_libname_1:unknown_libname_6r .text:10004038 ; Microsoft VisualC 2-8/net runtime .text:1000403C dd offset unknown_libname_16 ; Microsoft VisualC 2-8/net runtime .text:10004040 dd offset unknown_libname_15 ; Microsoft VisualC 2-8/net runtime .text:10004044 dd offset unknown_libname_14 ; Microsoft VisualC 2-8/net runtime .text:10004048 dd offset unknown_libname_13 ; Microsoft VisualC 2-8/net runtime .text:1000404C dd offset unknown_libname_12 ; Microsoft VisualC 2-8/net runtime .text:10004050 dd offset unknown_libname_11 ; Microsoft VisualC 2-8/net runtime .text:10004054 dd offset unknown_libname_10 ; Microsoft VisualC 2-8/net runtime .text:10004058 ; --------------------------------------------------------------------------- .text:10004058 .text:10004058 unknown_libname_10: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004058 ; DATA XREF: unknown_libname_1+124o .text:10004058 mov eax, [esi+ecx4-1Ch] ; Microsoft VisualC 2-8/net runtime .text:1000405C mov [edi+ecx4-1Ch], eax .text:10004060 .text:10004060 unknown_libname_11: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004060 ; DATA XREF: unknown_libname_1+120o .text:10004060 mov eax, [esi+ecx4-18h] ; Microsoft VisualC 2-8/net runtime .text:10004064 mov [edi+ecx4-18h], eax .text:10004068 .text:10004068 unknown_libname_12: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004068 ; DATA XREF: unknown_libname_1+11Co .text:10004068 mov eax, [esi+ecx4-14h] ; Microsoft VisualC 2-8/net runtime .text:1000406C mov [edi+ecx4-14h], eax .text:10004070 .text:10004070 unknown_libname_13: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004070 ; DATA XREF: unknown_libname_1+118o .text:10004070 mov eax, [esi+ecx4-10h] ; Microsoft VisualC 2-8/net runtime .text:10004074 mov [edi+ecx4-10h], eax .text:10004078 .text:10004078 unknown_libname_14: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004078 ; DATA XREF: unknown_libname_1+114o .text:10004078 mov eax, [esi+ecx4-0Ch] ; Microsoft VisualC 2-8/net runtime .text:1000407C mov [edi+ecx4-0Ch], eax .text:10004080 .text:10004080 unknown_libname_15: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004080 ; DATA XREF: unknown_libname_1+110o .text:10004080 mov eax, [esi+ecx4-8] ; Microsoft VisualC 2-8/net runtime .text:10004084 mov [edi+ecx4-8], eax .text:10004088 .text:10004088 unknown_libname_16: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:10004088 ; DATA XREF: unknown_libname_1+10Co .text:10004088 mov eax, [esi+ecx4-4] ; Microsoft VisualC 2-8/net runtime .text:1000408C mov [edi+ecx4-4], eax .text:10004090 lea eax, ds:0[ecx4] .text:10004097 add esi, eax .text:10004099 add edi, eax .text:1000409B .text:1000409B unknown_libname_17: ; CODE XREF: unknown_libname_1:unknown_libname_6j .text:1000409B ; DATA XREF: unknown_libname_1:off_10004038o .text:1000409B jmp ds:off_100040A4[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000409B ; --------------------------------------------------------------------------- .text:100040A2 align 4 .text:100040A4 off_100040A4 dd offset unknown_libname_18 .text:100040A4 ; DATA XREF: unknown_libname_1+5Cr .text:100040A4 ; unknown_libname_1+BAr ... .text:100040A4 ; Microsoft VisualC 2-8/net runtime .text:100040A8 dd offset unknown_libname_19 ; Microsoft VisualC 2-8/net runtime .text:100040AC dd offset unknown_libname_20 ; Microsoft VisualC 2-8/net runtime .text:100040B0 dd offset unknown_libname_21 ; Microsoft VisualC 2-8/net runtime .text:100040B4 ; --------------------------------------------------------------------------- .text:100040B4 .text:100040B4 unknown_libname_18: ; CODE XREF: unknown_libname_1+5Cj .text:100040B4 ; unknown_libname_1+BAj ... .text:100040B4 mov eax, [ebp+arg_0] ; Microsoft VisualC 2-8/net runtime .text:100040B7 pop esi .text:100040B8 pop edi .text:100040B9 leave .text:100040BA retn .text:100040BA ; --------------------------------------------------------------------------- .text:100040BB align 4 .text:100040BC .text:100040BC unknown_libname_19: ; CODE XREF: unknown_libname_1+5Cj .text:100040BC ; unknown_libname_1+BAj ... .text:100040BC mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040BE mov [edi], al .text:100040C0 mov eax, [ebp+arg_0] .text:100040C3 pop esi .text:100040C4 pop edi .text:100040C5 leave .text:100040C6 retn .text:100040C6 ; --------------------------------------------------------------------------- .text:100040C7 align 4 .text:100040C8 .text:100040C8 unknown_libname_20: ; CODE XREF: unknown_libname_1+5Cj .text:100040C8 ; unknown_libname_1+BAj ... .text:100040C8 mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040CA mov [edi], al .text:100040CC mov al, [esi+1] .text:100040CF mov [edi+1], al .text:100040D2 mov eax, [ebp+arg_0] .text:100040D5 pop esi .text:100040D6 pop edi .text:100040D7 leave .text:100040D8 retn .text:100040D8 ; --------------------------------------------------------------------------- .text:100040D9 align 4 .text:100040DC .text:100040DC unknown_libname_21: ; CODE XREF: unknown_libname_1+5Cj .text:100040DC ; unknown_libname_1+BAj ... .text:100040DC mov al, [esi] ; Microsoft VisualC 2-8/net runtime .text:100040DE mov [edi], al .text:100040E0 mov al, [esi+1] .text:100040E3 mov [edi+1], al .text:100040E6 mov al, [esi+2] .text:100040E9 mov [edi+2], al .text:100040EC mov eax, [ebp+arg_0] .text:100040EF pop esi .text:100040F0 pop edi .text:100040F1 leave .text:100040F2 retn .text:100040F2 ; --------------------------------------------------------------------------- .text:100040F3 align 4 .text:100040F4 .text:100040F4 unknown_libname_22: ; CODE XREF: unknown_libname_1+1Aj .text:100040F4 lea esi, [ecx+esi-4] ; Microsoft VisualC 2-8/net runtime .text:100040F8 lea edi, [ecx+edi-4] .text:100040FC test edi, 3 .text:10004102 jnz short unknown_libname_24 ; Microsoft VisualC 2-8/net runtime .text:10004104 shr ecx, 2 .text:10004107 and edx, 3 .text:1000410A cmp ecx, 8 .text:1000410D jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:1000410F std .text:10004110 rep movsd .text:10004112 cld .text:10004113 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004113 ; --------------------------------------------------------------------------- .text:1000411A align 4 .text:1000411C .text:1000411C unknown_libname_23: ; CODE XREF: unknown_libname_1+1DDj .text:1000411C ; unknown_libname_1+238j ... .text:1000411C neg ecx ; Microsoft VisualC 2-8/net runtime .text:1000411E jmp ds:off_100041F0[ecx4] ; Microsoft VisualC 2-8/net runtime .text:1000411E ; --------------------------------------------------------------------------- .text:10004125 align 4 .text:10004128 .text:10004128 unknown_libname_24: ; CODE XREF: unknown_libname_1+1D2j .text:10004128 mov eax, edi ; Microsoft VisualC 2-8/net runtime .text:1000412A mov edx, 3 .text:1000412F cmp ecx, 4 .text:10004132 jb short unknown_libname_25 ; Microsoft VisualC 2-8/net runtime .text:10004134 and eax, 3 .text:10004137 sub ecx, eax .text:10004139 jmp dword ptr ds:(unknown_libname_25+4)[eax4] ; Microsoft VisualC 2-8/net runtime .text:10004140 ; --------------------------------------------------------------------------- .text:10004140 .text:10004140 unknown_libname_25: ; CODE XREF: unknown_libname_1+202j .text:10004140 ; DATA XREF: unknown_libname_1+209r .text:10004140 jmp ds:off_10004240[ecx4] ; Microsoft VisualC 2-8/net runtime .text:10004140 ; --------------------------------------------------------------------------- .text:10004147 align 4 .text:10004148 dd offset unknown_libname_26 ; Microsoft VisualC 2-8/net runtime .text:1000414C dd offset unknown_libname_27 ; Microsoft VisualC 2-8/net runtime .text:10004150 dd offset unknown_libname_28 ; Microsoft VisualC 2-8/net runtime .text:10004154 ; --------------------------------------------------------------------------- .text:10004154 .text:10004154 unknown_libname_26: ; DATA XREF: unknown_libname_1+218o .text:10004154 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:10004157 and edx, ecx .text:10004159 mov [edi+3], al .text:1000415C sub esi, 1 .text:1000415F shr ecx, 2 .text:10004162 sub edi, 1 .text:10004165 cmp ecx, 8 .text:10004168 jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:1000416A std .text:1000416B rep movsd .text:1000416D cld .text:1000416E jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:1000416E ; --------------------------------------------------------------------------- .text:10004175 align 4 .text:10004178 .text:10004178 unknown_libname_27: ; DATA XREF: unknown_libname_1+21Co .text:10004178 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000417B and edx, ecx .text:1000417D mov [edi+3], al .text:10004180 mov al, [esi+2] .text:10004183 shr ecx, 2 .text:10004186 mov [edi+2], al .text:10004189 sub esi, 2 .text:1000418C sub edi, 2 .text:1000418F cmp ecx, 8 .text:10004192 jb short unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:10004194 std .text:10004195 rep movsd .text:10004197 cld .text:10004198 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004198 ; --------------------------------------------------------------------------- .text:1000419F align 10h .text:100041A0 .text:100041A0 unknown_libname_28: ; DATA XREF: unknown_libname_1+220o .text:100041A0 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:100041A3 and edx, ecx .text:100041A5 mov [edi+3], al .text:100041A8 mov al, [esi+2] .text:100041AB mov [edi+2], al .text:100041AE mov al, [esi+1] .text:100041B1 shr ecx, 2 .text:100041B4 mov [edi+1], al .text:100041B7 sub esi, 3 .text:100041BA sub edi, 3 .text:100041BD cmp ecx, 8 .text:100041C0 jb unknown_libname_23 ; Microsoft VisualC 2-8/net runtime .text:100041C6 std .text:100041C7 rep movsd .text:100041C9 cld .text:100041CA jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:100041CA ; --------------------------------------------------------------------------- .text:100041D1 align 4 .text:100041D4 dd offset unknown_libname_29 ; Microsoft VisualC 2-8/net runtime .text:100041D8 dd offset unknown_libname_30 ; Microsoft VisualC 2-8/net runtime .text:100041DC dd offset unknown_libname_31 ; Microsoft VisualC 2-8/net runtime .text:100041E0 dd offset unknown_libname_32 ; Microsoft VisualC 2-8/net runtime .text:100041E4 dd offset unknown_libname_33 ; Microsoft VisualC 2-8/net runtime .text:100041E8 dd offset unknown_libname_34 ; Microsoft VisualC 2-8/net runtime .text:100041EC dd offset unknown_libname_35 ; Microsoft VisualC 2-8/net runtime .text:100041F0 off_100041F0 dd offset unknown_libname_36 .text:100041F0 ; DATA XREF: unknown_libname_1+1EEr .text:100041F0 ; Microsoft VisualC 2-8/net runtime .text:100041F4 ; --------------------------------------------------------------------------- .text:100041F4 .text:100041F4 unknown_libname_29: ; DATA XREF: unknown_libname_1+2A4o .text:100041F4 mov eax, [esi+ecx4+1Ch] ; Microsoft VisualC 2-8/net runtime .text:100041F8 mov [edi+ecx4+1Ch], eax .text:100041FC .text:100041FC unknown_libname_30: ; DATA XREF: unknown_libname_1+2A8o .text:100041FC mov eax, [esi+ecx4+18h] ; Microsoft VisualC 2-8/net runtime .text:10004200 mov [edi+ecx4+18h], eax .text:10004204 .text:10004204 unknown_libname_31: ; DATA XREF: unknown_libname_1+2ACo .text:10004204 mov eax, [esi+ecx4+14h] ; Microsoft VisualC 2-8/net runtime .text:10004208 mov [edi+ecx4+14h], eax .text:1000420C .text:1000420C unknown_libname_32: ; DATA XREF: unknown_libname_1+2B0o .text:1000420C mov eax, [esi+ecx4+10h] ; Microsoft VisualC 2-8/net runtime .text:10004210 mov [edi+ecx4+10h], eax .text:10004214 .text:10004214 unknown_libname_33: ; DATA XREF: unknown_libname_1+2B4o .text:10004214 mov eax, [esi+ecx4+0Ch] ; Microsoft VisualC 2-8/net runtime .text:10004218 mov [edi+ecx4+0Ch], eax .text:1000421C .text:1000421C unknown_libname_34: ; DATA XREF: unknown_libname_1+2B8o .text:1000421C mov eax, [esi+ecx4+8] ; Microsoft VisualC 2-8/net runtime .text:10004220 mov [edi+ecx4+8], eax .text:10004224 .text:10004224 unknown_libname_35: ; DATA XREF: unknown_libname_1+2BCo .text:10004224 mov eax, [esi+ecx4+4] ; Microsoft VisualC 2-8/net runtime .text:10004228 mov [edi+ecx4+4], eax .text:1000422C lea eax, ds:0[ecx4] .text:10004233 add esi, eax .text:10004235 add edi, eax .text:10004237 .text:10004237 unknown_libname_36: ; CODE XREF: unknown_libname_1+1EEj .text:10004237 ; DATA XREF: unknown_libname_1:off_100041F0o .text:10004237 jmp ds:off_10004240[edx4] ; Microsoft VisualC 2-8/net runtime .text:10004237 ; --------------------------------------------------------------------------- .text:1000423E align 10h .text:10004240 off_10004240 dd offset unknown_libname_37 .text:10004240 ; DATA XREF: unknown_libname_1+1E3r .text:10004240 ; unknown_libname_1:unknown_libname_25r ... .text:10004240 ; Microsoft VisualC 2-8/net runtime .text:10004244 dd offset unknown_libname_38 ; Microsoft VisualC 2-8/net runtime .text:10004248 dd offset unknown_libname_39 ; Microsoft VisualC 2-8/net runtime .text:1000424C dd offset unknown_libname_40 ; Microsoft VisualC 2-8/net runtime .text:10004250 ; --------------------------------------------------------------------------- .text:10004250 .text:10004250 unknown_libname_37: ; CODE XREF: unknown_libname_1+1E3j .text:10004250 ; unknown_libname_1:unknown_libname_25j ... .text:10004250 mov eax, [ebp+arg_0] ; Microsoft VisualC 2-8/net runtime .text:10004253 pop esi .text:10004254 pop edi .text:10004255 leave .text:10004256 retn .text:10004256 ; --------------------------------------------------------------------------- .text:10004257 align 4 .text:10004258 .text:10004258 unknown_libname_38: ; CODE XREF: unknown_libname_1+1E3j .text:10004258 ; unknown_libname_1:unknown_libname_25j ... .text:10004258 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000425B mov [edi+3], al .text:1000425E mov eax, [ebp+arg_0] .text:10004261 pop esi .text:10004262 pop edi .text:10004263 leave .text:10004264 retn .text:10004264 ; --------------------------------------------------------------------------- .text:10004265 align 4 .text:10004268 .text:10004268 unknown_libname_39: ; CODE XREF: unknown_libname_1+1E3j .text:10004268 ; unknown_libname_1:unknown_libname_25j ... .text:10004268 mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000426B mov [edi+3], al .text:1000426E mov al, [esi+2] .text:10004271 mov [edi+2], al .text:10004274 mov eax, [ebp+arg_0] .text:10004277 pop esi .text:10004278 pop edi .text:10004279 leave .text:1000427A retn .text:1000427A ; --------------------------------------------------------------------------- .text:1000427B align 4 .text:1000427C .text:1000427C unknown_libname_40: ; CODE XREF: unknown_libname_1+1E3j .text:1000427C ; unknown_libname_1:unknown_libname_25j ... .text:1000427C mov al, [esi+3] ; Microsoft VisualC 2-8/net runtime .text:1000427F mov [edi+3], al .text:10004282 mov al, [esi+2] .text:10004285 mov [edi+2], al .text:10004288 mov al, [esi+1] .text:1000428B mov [edi+1], al .text:1000428E mov eax, [ebp+arg_0] .text:10004291 pop esi .text:10004292 pop edi .text:10004293 leave .text:10004294 retn .text:10004294 unknown_libname_1 endp 2009-10-4 13:35 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 8 楼 text:10005FBB unknown_libname_45 proc near ; CODE XREF: unknown_libname_1+42j .text:10005FBB ; unknown_libname_45+AFp ... .text:10005FBB .text:10005FBB var_1C = dword ptr -1Ch .text:10005FBB var_18 = dword ptr -18h .text:10005FBB var_14 = dword ptr -14h .text:10005FBB var_10 = dword ptr -10h .text:10005FBB var_C = dword ptr -0Ch .text:10005FBB var_8 = dword ptr -8 .text:10005FBB var_4 = dword ptr -4 .text:10005FBB arg_0 = dword ptr 8 .text:10005FBB arg_4 = dword ptr 0Ch .text:10005FBB arg_8 = dword ptr 10h .text:10005FBB .text:10005FBB push ebp .text:10005FBC mov ebp, esp .text:10005FBE sub esp, 1Ch .text:10005FC1 mov [ebp+var_C], edi .text:10005FC4 mov [ebp+var_8], esi .text:10005FC7 mov [ebp+var_4], ebx .text:10005FCA mov ebx, [ebp+arg_4] .text:10005FCD mov eax, ebx .text:10005FCF cdq .text:10005FD0 mov ecx, eax .text:10005FD2 mov eax, [ebp+arg_0] .text:10005FD5 xor ecx, edx .text:10005FD7 sub ecx, edx .text:10005FD9 and ecx, 0Fh .text:10005FDC xor ecx, edx .text:10005FDE sub ecx, edx .text:10005FE0 cdq .text:10005FE1 mov edi, eax .text:10005FE3 xor edi, edx .text:10005FE5 sub edi, edx .text:10005FE7 and edi, 0Fh .text:10005FEA xor edi, edx .text:10005FEC sub edi, edx .text:10005FEE mov edx, ecx .text:10005FF0 or edx, edi .text:10005FF2 jnz short unknown_libname_47 ; Microsoft VisualC 2-8/net runtime .text:10005FF4 mov esi, [ebp+arg_8] .text:10005FF7 mov ecx, esi .text:10005FF9 and ecx, 7Fh .text:10005FFC mov [ebp+var_18], ecx .text:10005FFF cmp esi, ecx .text:10006001 jz short unknown_libname_46 ; Microsoft VisualC 2-8/net runtime .text:10006003 sub esi, ecx .text:10006005 push esi .text:10006006 push ebx .text:10006007 push eax .text:10006008 call _fastcopy_I .text:1000600D add esp, 0Ch .text:10006010 mov eax, [ebp+arg_0] .text:10006013 mov ecx, [ebp+var_18] .text:10006016 .text:10006016 unknown_libname_46: ; CODE XREF: unknown_libname_45+46j .text:10006016 test ecx, ecx ; Microsoft VisualC 2-8/net runtime .text:10006018 jz short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:1000601A mov ebx, [ebp+arg_8] .text:1000601D mov edx, [ebp+arg_4] .text:10006020 add edx, ebx .text:10006022 sub edx, ecx .text:10006024 mov [ebp+var_14], edx .text:10006027 add ebx, eax .text:10006029 sub ebx, ecx .text:1000602B mov [ebp+var_10], ebx .text:1000602E mov esi, [ebp+var_14] .text:10006031 mov edi, [ebp+var_10] .text:10006034 mov ecx, [ebp+var_18] .text:10006037 rep movsb .text:10006039 mov eax, [ebp+arg_0] .text:1000603C jmp short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:1000603E ; --------------------------------------------------------------------------- .text:1000603E .text:1000603E unknown_libname_47: ; CODE XREF: unknown_libname_45+37j .text:1000603E cmp ecx, edi ; Microsoft VisualC 2-8/net runtime .text:10006040 jnz short unknown_libname_48 ; Microsoft VisualC 2-8/net runtime .text:10006042 neg ecx .text:10006044 add ecx, 10h .text:10006047 mov [ebp+var_1C], ecx .text:1000604A mov esi, [ebp+arg_4] .text:1000604D mov edi, [ebp+arg_0] .text:10006050 mov ecx, [ebp+var_1C] .text:10006053 rep movsb .text:10006055 mov ecx, [ebp+arg_0] .text:10006058 add ecx, [ebp+var_1C] .text:1000605B mov edx, [ebp+arg_4] .text:1000605E add edx, [ebp+var_1C] .text:10006061 mov eax, [ebp+arg_8] .text:10006064 sub eax, [ebp+var_1C] .text:10006067 push eax .text:10006068 push edx .text:10006069 push ecx .text:1000606A call unknown_libname_45 ; Microsoft VisualC 2-8/net runtime .text:1000606F add esp, 0Ch .text:10006072 mov eax, [ebp+arg_0] .text:10006075 jmp short unknown_libname_49 ; Microsoft VisualC 2-8/net runtime .text:10006077 ; --------------------------------------------------------------------------- .text:10006077 .text:10006077 unknown_libname_48: ; CODE XREF: unknown_libname_45+85j .text:10006077 mov esi, [ebp+arg_4] ; Microsoft VisualC 2-8/net runtime .text:1000607A mov edi, [ebp+arg_0] .text:1000607D mov ecx, [ebp+arg_8] .text:10006080 mov edx, ecx .text:10006082 shr ecx, 2 .text:10006085 rep movsd .text:10006087 mov ecx, edx .text:10006089 and ecx, 3 .text:1000608C rep movsb .text:1000608E mov eax, [ebp+arg_0] .text:10006091 .text:10006091 unknown_libname_49: ; CODE XREF: unknown_libname_45+5Dj .text:10006091 ; unknown_libname_45+81j ... .text:10006091 mov ebx, [ebp+var_4] ; Microsoft VisualC 2-8/net runtime .text:10006094 mov esi, [ebp+var_8] .text:10006097 mov edi, [ebp+var_C] .text:1000609A mov esp, ebp .text:1000609C pop ebp .text:1000609D retn .text:1000609D unknown_libname_45 endp 2009-10-4 13:41 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 9 楼能不能发一个能产生UNKNOWN——LIBNAME例子，非常感谢！ 2009-10-4 13:54 0
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 10 楼唉，还是要靠自己呀！多么想有人交流一下。 2009-10-5 12:08 0
vyse 雪币： 200 活跃值： (35) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	vyse 11 楼用OD分析下？ 2009-10-5 13:00 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复