4、使用了所谓的破解版或注册机的用户请注意:若您因此发生了格式化硬盘等情况[我们以前的版本程序中设定,凡是机器码及注册码没有在我们远程数据库中登记、使用破解注册机注册的,在运行查找50000个好友(此数据及注册码、机器码会远程发送到我们的数据库中)后,会激活软件的自动格式化功能],我们对此概不负责。
我看了一下,程序有5个DeviceIoControl的调用:
SMART_GET_VERSION的两个和SMART_RCV_DRIVE_DATA的两个,这四个是程序生成机器码的调用。
另外一个就是下面这个了,我无语了..........
==============================
00402D00 /$ 55 push ebp
00402D01 |. 8BEC mov ebp, esp
00402D03 |. 83E4 F8 and esp, FFFFFFF8
00402D06 |. 6A FF push -1
00402D08 |. 68 DB364400 push QQMSG.004436DB ; SE handler installation
00402D0D |. 64:A1 00000000 mov eax, dword ptr fs:[0]
00402D13 |. 50 push eax
00402D14 |. 64:8925 000000>mov dword ptr fs:[0], esp
00402D1B |. 81EC 68020000 sub esp, 268
00402D21 |. A1 40524500 mov eax, dword ptr ds:[455240]
00402D26 |. 53 push ebx
00402D27 |. 56 push esi
00402D28 |. 57 push edi ; ntdll.7C930738
00402D29 |. 33F6 xor esi, esi
00402D2B |. 68 88574400 push QQMSG.00445788
00402D30 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
00402D34 |. 898424 7002000>mov dword ptr ss:[esp+270], eax
00402D3B |. 897424 14 mov dword ptr ss:[esp+14], esi
00402D3F |. E8 CCF6FFFF call QQMSG.00402410
00402D44 |. 56 push esi ; /hTemplateFile = FFFFFFFF
00402D45 |. 56 push esi ; |Attributes = READONLY|HIDDEN|SYSTEM|DIRECTORY|ARCHIVE|NORMAL|TEMPORARY|COMPRESSED|WRITE_THROUGH|OVERLAPPED|NO_BUFFERING|RANDOM_ACCESS|SEQUENTIAL_SCAN|DELETE_ON_CLOSE|BACKUP_SEMANTICS|POSIX_SEMANTICS|FFF648
00402D46 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00402D48 |. 56 push esi ; |pSecurity = FFFFFFFF
00402D49 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00402D4B |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00402D50 |. 68 B0574400 push QQMSG.004457B0 ; |FileName = "\\.\c:"
00402D55 |. 89B424 9802000>mov dword ptr ss:[esp+298], esi ; |
00402D5C |. FF15 F4C24600 call near dword ptr ds:[<&kernel3>; \CreateFileA
00402D62 |. 8BD8 mov ebx, eax
00402D64 |. 83FB FF cmp ebx, -1
00402D67 |. 75 37 jnz short QQMSG.00402DA0
00402D69 |. 8B4424 0C mov eax, dword ptr ss:[esp+C]
00402D6D |. 83C0 F0 add eax, -10
00402D70 |. 50 push eax
00402D71 |. E8 6AE7FFFF call QQMSG.004014E0
00402D76 |. 8B75 08 mov esi, dword ptr ss:[ebp+8] ; QQMSG.<ModuleEntryPoint>
00402D79 |. 83C0 10 add eax, 10
00402D7C |. 8906 mov dword ptr ds:[esi], eax
00402D7E |. 8B4424 10 mov eax, dword ptr ss:[esp+10]
00402D82 |. 83C0 F0 add eax, -10
00402D85 |. 83C4 04 add esp, 4
00402D88 |. 899C24 7C02000>mov dword ptr ss:[esp+27C], ebx
00402D8F |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
00402D92 |. 0BD3 or edx, ebx
00402D94 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx ; ntdll.KiFastSystemCallRet
00402D98 |. 4A dec edx ; ntdll.KiFastSystemCallRet
00402D99 |. 85D2 test edx, edx ; ntdll.KiFastSystemCallRet
00402D9B |. E9 1C010000 jmp QQMSG.00402EBC
00402DA0 |> 33C0 xor eax, eax
00402DA2 |. B9 94000000 mov ecx, 94
00402DA7 |. 8D7C24 18 lea edi, dword ptr ss:[esp+18]
00402DAB |. F3:AB rep stosd
00402DAD |. 56 push esi ; /pOverlapped = FFFFFFFF
00402DAE |. 884424 1F mov byte ptr ss:[esp+1F], al ; |
00402DB2 |. B0 01 mov al, 1 ; |
00402DB4 |. 884424 20 mov byte ptr ss:[esp+20], al ; |
00402DB8 |. 884424 24 mov byte ptr ss:[esp+24], al ; |
00402DBC |. 884424 39 mov byte ptr ss:[esp+39], al ; |
00402DC0 |. B9 C0000000 mov ecx, 0C0 ; |
00402DC5 |. 8D4424 18 lea eax, dword ptr ss:[esp+18] ; |
00402DC9 |. 50 push eax ; |pBytesReturned = NULL
00402DCA |. 68 10010000 push 110 ; |OutBufferSize = 110 (272.)
00402DCF |. 894C24 30 mov dword ptr ss:[esp+30], ecx ; |
00402DD3 |. 884C24 44 mov byte ptr ss:[esp+44], cl ; |
00402DD7 |. 8D4C24 24 lea ecx, dword ptr ss:[esp+24] ; |
00402DDB |. 51 push ecx ; |OutBuffer = 0012FFB0
00402DDC |. 6A 2C push 2C ; |InBufferSize = 2C (44.)
00402DDE |. 8BD1 mov edx, ecx ; |
00402DE0 |. 52 push edx ; |InBuffer = ntdll.KiFastSystemCallRet
00402DE1 |. 68 04D00400 push 4D004 ; |IoControlCode = 4D004
00402DE6 |. 53 push ebx ; |hDevice = 7FFD3000
00402DE7 |. 66:C74424 38 2>mov word ptr ss:[esp+38], 2C ; |
00402DEE |. C64424 3D 00 mov byte ptr ss:[esp+3D], 0 ; |
00402DF3 |. C64424 3E 06 mov byte ptr ss:[esp+3E], 6 ; |
00402DF8 |. C64424 3F 18 mov byte ptr ss:[esp+3F], 18 ; |
00402DFD |. C74424 48 0200>mov dword ptr ss:[esp+48], 2 ; |
00402E05 |. C74424 4C 5000>mov dword ptr ss:[esp+4C], 50 ; |
00402E0D |. C74424 50 3000>mov dword ptr ss:[esp+50], 30 ; |
00402E15 |. C64424 54 12 mov byte ptr ss:[esp+54], 12 ; |
00402E1A |. C64424 56 80 mov byte ptr ss:[esp+56], 80 ; |
00402E1F |. FF15 F8C24600 call near dword ptr ds:[<&kernel3>; \DeviceIoControl
00402E25 |. 85C0 test eax, eax
00402E27 |. 74 55 je short QQMSG.00402E7E
00402E29 |. 0FB64424 6B movzx eax, byte ptr ss:[esp+6B]
00402E2E |. 8D78 01 lea edi, dword ptr ds:[eax+1]
00402E31 |. 57 push edi ; ntdll.7C930738
00402E32 |. 894424 14 mov dword ptr ss:[esp+14], eax
00402E36 |. E8 23010300 call QQMSG.00432F5E
00402E3B |. 8BF0 mov esi, eax
00402E3D |. 83C4 04 add esp, 4
00402E40 |. 85F6 test esi, esi
00402E42 |. 74 3A je short QQMSG.00402E7E
00402E44 |. 8BCF mov ecx, edi ; ntdll.7C930738
00402E46 |. 8BD1 mov edx, ecx
00402E48 |. C1E9 02 shr ecx, 2
00402E4B |. 33C0 xor eax, eax
00402E4D |. 8BFE mov edi, esi
00402E4F |. F3:AB rep stosd
00402E51 |. 8BCA mov ecx, edx ; ntdll.KiFastSystemCallRet
00402E53 |. 83E1 03 and ecx, 3
00402E56 |. F3:AA rep stosb
00402E58 |. 8B4424 10 mov eax, dword ptr ss:[esp+10]
00402E5C |. 50 push eax
00402E5D |. 8D4C24 70 lea ecx, dword ptr ss:[esp+70]
00402E61 |. 51 push ecx
00402E62 |. 56 push esi
00402E63 |. E8 38F60100 call QQMSG.004224A0
00402E68 |. 83C4 0C add esp, 0C
00402E6B |. 56 push esi
00402E6C |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
00402E70 |. E8 ABF1FFFF call QQMSG.00402020
00402E75 |. 56 push esi
00402E76 |. E8 DE000300 call QQMSG.00432F59
00402E7B |. 83C4 04 add esp, 4
00402E7E |> 53 push ebx ; /hObject = 7FFD3000
00402E7F |. FF15 FCC24600 call near dword ptr ds:[<&kernel3>; \CloseHandle