程序的自删除
最近一直调试一个软件但是一直没有解决:这个软件是调用 bat 实现自删除的!试了很多的办法可是都行不通!
希望大家提出意见!谢谢!!
软件的地址:http://www.skycn.com/soft/24459.html
期待听到你的建议!!谢谢!!
[ 本帖最后由 xinldy 于 2008-8-25 10:00 编辑 ]
OD 载入,搜索字符串找到 "$$a$$.bat",来到段首,发现有二十二处调用,将这些 CALL 上面的条件跳转改掉即可。
不知道是我的电脑有问题还是什么原因,我来到了 $$a$$.bat 段首处,可是没有发现有什么跳转!
;-----------------------------------------------------------------------
; sub_004BAE7C — self-delete routine (22 call sites, listed under 004BC414..004BC47D)
; Win32 x86, Intel syntax, OllyDbg listing. The [ebp-xx] memory operands were
; lost in extraction; the displacements in the comments below are decoded
; from the opcode bytes shown on each line.
;
; What the visible code does:
;   1. Builds "<own dir>\$$a$$.bat" (string at 004BB0F8) and writes a batch
;      script into it:   :try / del "<exe>" / if exist "<exe>" goto try /
;                        del %0 / cls / exit
;   2. Runs it with CreateProcessA: STARTUPINFO.dwFlags = 1 (STARTF_USESHOWWINDOW),
;      wShowWindow = 0 (SW_HIDE), dwCreationFlags = 0x40 (IDLE_PRIORITY_CLASS).
;   3. If CreateProcessA succeeded, closes both returned handles and calls
;      00475E74 through a global object (presumably application shutdown —
;      not in this listing, verify).
; The "goto try" loop keeps the hidden cmd.exe spinning until the image file
; is no longer locked, i.e. until this process has exited; then the batch
; deletes itself with "del %0". Classic anti-forensic self-delete.
;
; NOTE(review): the batch path passed as lpCommandLine is built without any
; quoting and lpApplicationName is NULL; if the directory contains spaces
; this is the usual unquoted-command-line lookup issue (CreateProcess tries
; each space-separated prefix as an executable first) — confirm on a real path.
; NOTE(review): a single-point neutralisation is to patch the first byte of
; this routine (55 -> C3, retn) instead of NOP-ing the 22 callers; that only
; works if callers pass no stack arguments, so confirm at one call site.
;
; Runtime helpers (0040337C, 0040AD58, 0040558C, 00403724, 004034C0, 004030B4,
; 00405A24, 00403DB4, 00405608, 004BADF0, 004038A4, 00403A0C, 00405704,
; 00405298, 00405274, 00475E74) are not in this listing; their roles below
; are inferred from their arguments and marked "presumably".
;-----------------------------------------------------------------------
004BAE7C/$55 push ebp ; entry — standard frame
004BAE7D|.8BEC mov ebp, esp
004BAE7F|.81C4 BCFDFFFF add esp, -244 ; 0x244 bytes of locals
; Zero the nine local string slots ([ebp-0x23C], -0x240, -0x244, -0x230, -0x234,
; -0x238, -0x228, -0x22C, -4) so the cleanup at 004BB0CA can free them safely
; (presumably managed long strings — verify against the runtime).
004BAE85|.33C0 xor eax, eax
004BAE87|.8985 C4FDFFFF mov dword ptr , eax ; [ebp-0x23C] = 0
004BAE8D|.8985 C0FDFFFF mov dword ptr , eax ; [ebp-0x240] = 0
004BAE93|.8985 BCFDFFFF mov dword ptr , eax ; [ebp-0x244] = 0
004BAE99|.8985 D0FDFFFF mov dword ptr , eax ; [ebp-0x230] = 0
004BAE9F|.8985 CCFDFFFF mov dword ptr , eax ; [ebp-0x234] = 0
004BAEA5|.8985 C8FDFFFF mov dword ptr , eax ; [ebp-0x238] = 0
004BAEAB|.8985 D8FDFFFF mov dword ptr , eax ; [ebp-0x228] = 0
004BAEB1|.8985 D4FDFFFF mov dword ptr , eax ; [ebp-0x22C] = 0
004BAEB7|.8945 FC mov dword ptr , eax ; [ebp-4] = 0 (batch file path)
; Install an exception frame: push ebp / handler / old fs:[0]; fs:[0] = esp.
004BAEBA|.33C0 xor eax, eax ; eax = 0, so fs:[eax] below is fs:[0]
004BAEBC|.55 push ebp
004BAEBD|.68 E3B04B00 push 004BB0E3 ; handler address (cleanup block at 004BB0CA is reached from there — verify)
004BAEC2|.64:FF30 push dword ptr fs: ; save previous fs:[0]
004BAEC5|.64:8920 mov dword ptr fs:, esp ; fs:[0] = this frame
; --- build the batch file name: "<dir of own exe>" + "$$a$$.bat" -> [ebp-4]
004BAEC8|.8D95 D4FDFFFF lea edx, dword ptr ; edx = &[ebp-0x22C] (out string)
004BAECE|.33C0 xor eax, eax ; index 0
004BAED0|.E8 A784F4FF call 0040337C ; presumably ParamStr-style: own executable path -> [ebp-0x22C]
004BAED5|.8B85 D4FDFFFF mov eax, dword ptr ; eax = [ebp-0x22C]
004BAEDB|.8D95 D8FDFFFF lea edx, dword ptr ; edx = &[ebp-0x228]
004BAEE1|.E8 72FEF4FF call 0040AD58 ; presumably directory part of that path -> [ebp-0x228]
004BAEE6|.8B95 D8FDFFFF mov edx, dword ptr ; edx = directory
004BAEEC|.8D45 FC lea eax, dword ptr ; eax = &[ebp-4] (destination)
004BAEEF|.B9 F8B04B00 mov ecx, 004BB0F8 ;$$a$$.bat ; ecx = fixed batch file name
004BAEF4|.E8 93A6F4FF call 0040558C ; presumably concat: [ebp-4] = dir + "$$a$$.bat" (no quoting added)
; --- open it for writing; file variable at [ebp-0x1D0]
004BAEF9|.8B55 FC mov edx, dword ptr ; edx = batch path
004BAEFC|.8D85 30FEFFFF lea eax, dword ptr ; eax = &[ebp-0x1D0] (file var)
004BAF02|.E8 1D88F4FF call 00403724 ; presumably bind file var to the name (AssignFile-style)
004BAF07|.8D85 30FEFFFF lea eax, dword ptr
004BAF0D|.E8 AE85F4FF call 004034C0 ; presumably create/truncate for writing (Rewrite-style)
004BAF12|.E8 9D81F4FF call 004030B4 ; presumably I/O result check (repeated after each file op)
; --- line 1: ":try"   (the write triple below repeats for every line)
004BAF17|.BA 0CB14B00 mov edx, 004BB10C ;:try
004BAF1C|.8D85 30FEFFFF lea eax, dword ptr ; eax = &file var
004BAF22|.E8 FDAAF4FF call 00405A24 ; presumably write string
004BAF27|.E8 888EF4FF call 00403DB4 ; presumably end line / flush
004BAF2C|.E8 8381F4FF call 004030B4 ; I/O check
; --- line 2: del "<exe>"   (3 parts concatenated into [ebp-0x230])
004BAF31|.68 1CB14B00 push 004BB11C ;ASCII "del """ ; part 1
004BAF36|.8D95 C8FDFFFF lea edx, dword ptr ; edx = &[ebp-0x238]
004BAF3C|.33C0 xor eax, eax
004BAF3E|.E8 3984F4FF call 0040337C ; own executable path -> [ebp-0x238]
004BAF43|.8B85 C8FDFFFF mov eax, dword ptr
004BAF49|.8D95 CCFDFFFF lea edx, dword ptr ; edx = &[ebp-0x234]
004BAF4F|.E8 9CFEFFFF call 004BADF0 ; local helper on the path (not in listing) -> [ebp-0x234]
004BAF54|.FFB5 CCFDFFFF push dword ptr ; part 2: the exe path
004BAF5A|.68 2CB14B00 push 004BB12C ; part 3: string at 004BB12C, reused below — presumably the closing quote
004BAF5F|.8D85 D0FDFFFF lea eax, dword ptr ; eax = &[ebp-0x230] (destination)
004BAF65|.BA 03000000 mov edx, 3 ; 3 parts
004BAF6A|.E8 99A6F4FF call 00405608 ; presumably concat N strings
004BAF6F|.8B95 D0FDFFFF mov edx, dword ptr ; edx = 'del "<exe>"'
004BAF75|.8D85 30FEFFFF lea eax, dword ptr
004BAF7B|.E8 A4AAF4FF call 00405A24 ; write
004BAF80|.E8 2F8EF4FF call 00403DB4 ; end line
004BAF85|.E8 2A81F4FF call 004030B4 ; I/O check
; --- line 3: if exist "<exe>" goto try   (4 parts into [ebp-0x23C]) — busy-loops until the exe is gone
004BAF8A|.68 38B14B00 push 004BB138 ;ASCII "if exist """ ; part 1
004BAF8F|.8D95 BCFDFFFF lea edx, dword ptr ; edx = &[ebp-0x244]
004BAF95|.33C0 xor eax, eax
004BAF97|.E8 E083F4FF call 0040337C ; own executable path -> [ebp-0x244]
004BAF9C|.8B85 BCFDFFFF mov eax, dword ptr
004BAFA2|.8D95 C0FDFFFF lea edx, dword ptr ; edx = &[ebp-0x240]
004BAFA8|.E8 43FEFFFF call 004BADF0 ; same helper as at 004BAF4F -> [ebp-0x240]
004BAFAD|.FFB5 C0FDFFFF push dword ptr ; part 2: the exe path
004BAFB3|.68 2CB14B00 push 004BB12C ; part 3: closing quote (presumably)
004BAFB8|.68 4CB14B00 push 004BB14C ;ASCII " goto try" ; part 4
004BAFBD|.8D85 C4FDFFFF lea eax, dword ptr ; eax = &[ebp-0x23C] (destination)
004BAFC3|.BA 04000000 mov edx, 4 ; 4 parts
004BAFC8|.E8 3BA6F4FF call 00405608 ; concat
004BAFCD|.8B95 C4FDFFFF mov edx, dword ptr
004BAFD3|.8D85 30FEFFFF lea eax, dword ptr
004BAFD9|.E8 46AAF4FF call 00405A24 ; write
004BAFDE|.E8 D18DF4FF call 00403DB4 ; end line
004BAFE3|.E8 CC80F4FF call 004030B4 ; I/O check
; --- line 4: "del %0" — the batch removes itself afterwards
004BAFE8|.BA 60B14B00 mov edx, 004BB160 ;ASCII "del %0"
004BAFED|.8D85 30FEFFFF lea eax, dword ptr
004BAFF3|.E8 2CAAF4FF call 00405A24
004BAFF8|.E8 B78DF4FF call 00403DB4
004BAFFD|.E8 B280F4FF call 004030B4
; --- line 5: "cls"
004BB002|.BA 70B14B00 mov edx, 004BB170 ;ASCII "cls"
004BB007|.8D85 30FEFFFF lea eax, dword ptr
004BB00D|.E8 12AAF4FF call 00405A24
004BB012|.E8 9D8DF4FF call 00403DB4
004BB017|.E8 9880F4FF call 004030B4
; --- line 6: "exit"
004BB01C|.BA 7CB14B00 mov edx, 004BB17C ;ASCII "exit"
004BB021|.8D85 30FEFFFF lea eax, dword ptr
004BB027|.E8 F8A9F4FF call 00405A24
004BB02C|.E8 838DF4FF call 00403DB4
004BB031|.E8 7E80F4FF call 004030B4
; --- close the batch file
004BB036|.8D85 30FEFFFF lea eax, dword ptr ; eax = &file var
004BB03C|.E8 6388F4FF call 004038A4 ; presumably close file
004BB041|.E8 6E80F4FF call 004030B4 ; I/O check
; --- STARTUPINFO at [ebp-0x224]: zero 0x44 bytes (= sizeof STARTUPINFOA)
004BB046|.8D85 DCFDFFFF lea eax, dword ptr ; eax = &[ebp-0x224]
004BB04C|.33C9 xor ecx, ecx ; fill value 0
004BB04E|.BA 44000000 mov edx, 44 ; 0x44 bytes
004BB053|.E8 B489F4FF call 00403A0C ; presumably FillChar-style memset
004BB058|.C785 08FEFFFF>mov dword ptr , 1 ; [ebp-0x1F8] = si.dwFlags (+0x2C) = STARTF_USESHOWWINDOW
004BB062|.66:C785 0CFEF>mov word ptr , 0 ; [ebp-0x1F4] = si.wShowWindow (+0x30) = SW_HIDE: batch window hidden
; --- CreateProcessA(NULL, bat_path, 0, 0, FALSE, 0x40, NULL, NULL, &si, &pi)
004BB06B|.8D85 20FEFFFF lea eax, dword ptr ; eax = &[ebp-0x1E0] (PROCESS_INFORMATION)
004BB071|.50 push eax ; lpProcessInformation
004BB072|.8D85 DCFDFFFF lea eax, dword ptr ; eax = &STARTUPINFO
004BB078|.50 push eax ; lpStartupInfo
004BB079|.6A 00 push 0 ; lpCurrentDirectory = NULL
004BB07B|.6A 00 push 0 ; lpEnvironment = NULL
004BB07D|.6A 40 push 40 ; dwCreationFlags = 0x40 = IDLE_PRIORITY_CLASS (not CREATE_NO_WINDOW; hiding relies on SW_HIDE)
004BB07F|.6A 00 push 0 ; bInheritHandles = FALSE
004BB081|.6A 00 push 0 ; lpThreadAttributes = NULL
004BB083|.6A 00 push 0 ; lpProcessAttributes = NULL
004BB085|.8B45 FC mov eax, dword ptr ; eax = [ebp-4] (batch path, unquoted)
004BB088|.E8 77A6F4FF call 00405704 ; presumably string -> PChar
004BB08D|.50 push eax ; |CommandLine ; lpCommandLine = "<dir>\$$a$$.bat"
004BB08E|.6A 00 push 0 ; |ModuleFileName = NULL ; lpApplicationName = NULL -> name resolved from the command line
004BB090|.E8 A7C9F4FF call <jmp.&kernel32.CreateProcessA> ; \CreateProcessA
004BB095|.85C0 test eax, eax
004BB097|.74 24 je short 004BB0BD ; launch failed: skip handle close and shutdown call
004BB099|.8B85 24FEFFFF mov eax, dword ptr ; eax = [ebp-0x1DC] = pi.hThread
004BB09F|.50 push eax ; /hObject
004BB0A0|.E8 4FC9F4FF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004BB0A5|.8B85 20FEFFFF mov eax, dword ptr ; eax = [ebp-0x1E0] = pi.hProcess
004BB0AB|.50 push eax ; /hObject
004BB0AC|.E8 43C9F4FF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004BB0B1|.A1 74054D00 mov eax, dword ptr ; eax = [004D0574] (global object pointer)
004BB0B6|.8B00 mov eax, dword ptr ; eax = *eax
004BB0B8|.E8 B7ADFBFF call 00475E74 ; presumably application shutdown so the exe unlocks — verify
; --- unwind the exception frame and run cleanup
004BB0BD|>33C0 xor eax, eax
004BB0BF|.5A pop edx ; edx = saved previous fs:[0]
004BB0C0|.59 pop ecx ; discard handler address
004BB0C1|.59 pop ecx ; discard saved ebp
004BB0C2|.64:8910 mov dword ptr fs:, edx ; restore fs:[0]
004BB0C5|.68 EAB04B00 push 004BB0EA ; continuation after cleanup; the retn below returns there
004BB0CA|>8D85 BCFDFFFF lea eax, dword ptr ; eax = &[ebp-0x244]
004BB0D0|.BA 08000000 mov edx, 8 ; 8 consecutive string locals
004BB0D5|.E8 BEA1F4FF call 00405298 ; presumably free those 8 strings
004BB0DA|.8D45 FC lea eax, dword ptr ; eax = &[ebp-4]
004BB0DD|.E8 92A1F4FF call 00405274 ; presumably free the batch path string
004BB0E2\.C3 retn ; -> 004BB0EA (pushed above); real epilogue not in listing
[ 本帖最后由 xinldy 于 2008-7-17 10:03 编辑 ]
分析一下就会看到调用地址了。
功力不够,还得继续学习才行!!
鼠标选中 004BAE7C/$55 push ebp,
可以看到下面显示本地调用来自 004BB25F, 004BB30E, 004BB36E, 004BB3EC, 004BB43A, 004BB46C, 004BB5F4, 004BB678, 004BB6A4, 004BB6F4, 004BB7C2, 004BB8E6, 004BB985, 004BB9DE, 004BBA54, 004BBA98, 004BBDFD, 004BBE1A, 004BBFBF, 004BC10B, 004BC257, 004BC3A7
这就是2楼说的22处调用
从004BB25F的调用再查上个调用来自 004BC419
004BC40C .44 69 45 2E 6>ASCII "DiE.exe",0
004BC414 E8 E3F8FFFF CALL AloudKin.004BBCFC
004BC419 E8 66EDFFFF CALL AloudKin.004BB184
004BC41E E8 ADEEFFFF CALL AloudKin.004BB2D0
004BC423 E8 08EFFFFF CALL AloudKin.004BB330
004BC428 E8 AFEFFFFF CALL AloudKin.004BB3DC
004BC42D E8 6EF0FFFF CALL AloudKin.004BB4A0
004BC432 E8 15F0FFFF CALL AloudKin.004BB44C
004BC437 E8 C4EFFFFF CALL AloudKin.004BB400
004BC43C E8 CBF2FFFF CALL AloudKin.004BB70C
004BC441 E8 22F2FFFF CALL AloudKin.004BB668
004BC446 E8 E5F3FFFF CALL AloudKin.004BB830
004BC44B E8 44F2FFFF CALL AloudKin.004BB694
004BC450 E8 8FF2FFFF CALL AloudKin.004BB6E4
004BC455 E8 FAF4FFFF CALL AloudKin.004BB954
004BC45A E8 4DF5FFFF CALL AloudKin.004BB9AC
004BC45F E8 A0F5FFFF CALL AloudKin.004BBA04
004BC464 E8 13F6FFFF CALL AloudKin.004BBA7C
004BC469 E8 1AEFFFFF CALL AloudKin.004BB388
004BC46E E8 09FDFFFF CALL AloudKin.004BC17C
004BC473 E8 B8FBFFFF CALL AloudKin.004BC030
004BC478 E8 67FAFFFF CALL AloudKin.004BBEE4
004BC47D E8 4AFEFFFF CALL AloudKin.004BC2CC
把那几个连续的 CALL 都 nop 掉,就可以去掉程序的自删除。问题已经解决,谢谢大家的指教!!!
注意:004BC414~004BC47D 这 22 个 CALL 调用的是 22 个不同的子程序,而 004BAE7C 的 22 个调用点看来正好分别落在这些子程序里;把它们全部 nop 掉,等于把这些子程序里的其它逻辑(很可能包括触发自删除的判断)也一并去掉了。只想去掉自删除本身的话,可以只改各调用点上方的条件跳转,或者只改 004BAE7C 入口的一个字节(55 -> C3 retn,前提是调用方不通过栈传参,需在调用点确认)。
我是通过不断向上走的办法找到关键位置的,谢谢苍茫提供的我不曾注意的方法!