Accidentally cracked a ROCKEY6 dongle
Posted: 2006-3-19 15:16
--------------------------------------------------------------------------------
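Had nothing to do today, so I tried cracking a dongle. I found a piece of software; I won't say its name.
PEiD shows it is not packed and was built with Borland Delphi 6.0 - 7.0.
Load it in OllyDbg (OD):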
004F6104 <ModuleE> $55 PUSH EBP
004F6105 .8BEC MOV EBP,ESP
004F6107 .83C4 F0 ADD ESP,-10
004F610A .B8 545C4F00 MOV EAX,addlal.004F5C54
004F610F .E8 7C0EF1FF CALL addlal.00406F90
004F6114 .6A 00 PUSH 0 ; /Title = NULL
004F6116 .68 64614F00 PUSH addlal.004F6164 ; |Class = "Camera_Digital"
004F611B .E8 4C16F1FF CALL <JMP.&user32.FindWindowA> ; \FindWindowA
004F6120 .85C0 TEST EAX,EAX
004F6122 .74 08 JE SHORT addlal.004F612C
004F6124 .50 PUSH EAX ; /hWnd
004F6125 .E8 0A15F1FF CALL <JMP.&user32.BringWindowToTop> ; \BringWindowToTop
004F612A .EB 30 JMP SHORT addlal.004F615C
004F612C >A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004F6131 .8B00 MOV EAX,DWORD PTR DS:
004F6133 .E8 FCC4F6FF CALL addlal.00462634
004F6138 .8B0D 849F4F00 MOV ECX,DWORD PTR DS: ;addlal.004FD22C
004F613E .A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004F6143 .8B00 MOV EAX,DWORD PTR DS:
004F6145 .8B15 80454F00 MOV EDX,DWORD PTR DS: ;addlal.004F45CC
004F614B .E8 FCC4F6FF CALL addlal.0046264C
004F6150 .A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004F6155 .8B00 MOV EAX,DWORD PTR DS:
004F6157 .E8 70C5F6FF CALL addlal.004626CC
004F615C >E8 13E5F0FF CALL addlal.00404674
004F6161 .0000 ADD BYTE PTR DS:,AL
004F6163 .0043 61 ADD BYTE PTR DS:,AL
004F6166 .6D INS DWORD PTR ES:,DX ;I/O command
004F6167 .65:72 61 JB SHORT addlal.004F61CB ;superfluous prefix
004F616A .5F POP EDI
004F616B .44 INC ESP
004F616C .6967 69 74616>IMUL ESP,DWORD PTR DS:,addlal.00>
After that, when the software opens it reports that the dongle cannot be found.
77E13387 M>55 PUSH EBP
77E13388 8BEC MOV EBP,ESP
77E1338A 51 PUSH ECX
77E1338B 833D 583BE477 0>CMP DWORD PTR DS:,0
77E13392 74 29 JE SHORT user32.77E133BD
77E13394 64:A1 18000000MOV EAX,DWORD PTR FS:
77E1339A 8B40 24 MOV EAX,DWORD PTR DS:
77E1339D 8945 FC MOV DWORD PTR SS:,EAX
77E133A0 B8 00000000 MOV EAX,0
77E133A5 B9 2835E477 MOV ECX,user32.77E43528
77E133AA 8B55 FC MOV EDX,DWORD PTR SS:
77E133AD F0:0FB111 LOCK CMPXCHG DWORD PTR DS:,EDX ; LOCK prefix
77E133B1 85C0 TEST EAX,EAX
77E133B3 75 08 JNZ SHORT user32.77E133BD
77E133B5 8B45 04 MOV EAX,DWORD PTR SS:
77E133B8 A3 2435E477 MOV DWORD PTR DS:,EAX
77E133BD 6A 00 PUSH 0
77E133BF FF75 14 PUSH DWORD PTR SS:
77E133C2 FF75 10 PUSH DWORD PTR SS:
77E133C5 FF75 0C PUSH DWORD PTR SS:
77E133C8 FF75 08 PUSH DWORD PTR SS:
77E133CB E8 C70D0000 CALL user32.MessageBoxExA
77E133D0 C9 LEAVE
77E133D1 C2 1000 RET 10
Once it breaks, remove the breakpoint,
return,
and we arrive here:
0046285C /$55 PUSH EBP
0046285D |.8BEC MOV EBP,ESP
0046285F |.83C4 AC ADD ESP,-54
00462862 |.53 PUSH EBX
00462863 |.56 PUSH ESI
00462864 |.57 PUSH EDI
00462865 |.8BF9 MOV EDI,ECX
00462867 |.8BF2 MOV ESI,EDX
00462869 |.8945 FC MOV DWORD PTR SS:,EAX
0046286C |.8B5D 08 MOV EBX,DWORD PTR SS:
0046286F |.E8 084FFAFF CALL <JMP.&user32.GetActiveWindow> ; [GetActiveWindow
00462874 |.8945 F4 MOV DWORD PTR SS:,EAX
00462877 |.6A 02 PUSH 2
00462879 |.8B45 F4 MOV EAX,DWORD PTR SS:
0046287C |.50 PUSH EAX
0046287D |.A1 A09C4F00 MOV EAX,DWORD PTR DS:
00462882 |.8B00 MOV EAX,DWORD PTR DS:
00462884 |.FFD0 CALL EAX
00462886 |.8945 EC MOV DWORD PTR SS:,EAX
00462889 |.6A 02 PUSH 2
0046288B |.8B45 FC MOV EAX,DWORD PTR SS:
0046288E |.8B40 30 MOV EAX,DWORD PTR DS:
00462891 |.50 PUSH EAX
00462892 |.A1 A09C4F00 MOV EAX,DWORD PTR DS:
00462897 |.8B00 MOV EAX,DWORD PTR DS:
00462899 |.FFD0 CALL EAX
0046289B |.8945 E8 MOV DWORD PTR SS:,EAX
0046289E |.8B45 EC MOV EAX,DWORD PTR SS:
004628A1 |.3B45 E8 CMP EAX,DWORD PTR SS:
004628A4 |.74 60 JE SHORT addlal.00462906
004628A6 |.C745 BC 28000>MOV DWORD PTR SS:,28
004628AD |.8D45 BC LEA EAX,DWORD PTR SS:
004628B0 |.50 PUSH EAX
004628B1 |.8B45 EC MOV EAX,DWORD PTR SS:
004628B4 |.50 PUSH EAX
004628B5 |.A1 049B4F00 MOV EAX,DWORD PTR DS:
004628BA |.8B00 MOV EAX,DWORD PTR DS:
004628BC |.FFD0 CALL EAX
004628BE |.8D45 AC LEA EAX,DWORD PTR SS:
004628C1 |.50 PUSH EAX ; /pRect
004628C2 |.8B45 FC MOV EAX,DWORD PTR SS: ; |
004628C5 |.8B40 30 MOV EAX,DWORD PTR DS: ; |
004628C8 |.50 PUSH EAX ; |hWnd
004628C9 |.E8 FE4FFAFF CALL <JMP.&user32.GetWindowRect> ; \GetWindowRect
004628CE |.6A 1D PUSH 1D
004628D0 |.6A 00 PUSH 0
004628D2 |.6A 00 PUSH 0
004628D4 |.8B4D CC MOV ECX,DWORD PTR SS:
004628D7 |.8B55 C4 MOV EDX,DWORD PTR SS:
004628DA |.2BCA SUB ECX,EDX
004628DC |.D1F9 SAR ECX,1
004628DE |.79 03 JNS SHORT addlal.004628E3
004628E0 |.83D1 00 ADC ECX,0
004628E3 |>03CA ADD ECX,EDX
004628E5 |.51 PUSH ECX
004628E6 |.8B55 C8 MOV EDX,DWORD PTR SS:
004628E9 |.8B45 C0 MOV EAX,DWORD PTR SS:
004628EC |.2BD0 SUB EDX,EAX
004628EE |.D1FA SAR EDX,1
004628F0 |.79 03 JNS SHORT addlal.004628F5
004628F2 |.83D2 00 ADC EDX,0
004628F5 |>03D0 ADD EDX,EAX ; |
004628F7 |.52 PUSH EDX ; |X
004628F8 |.6A 00 PUSH 0 ; |InsertAfter = HWND_TOP
004628FA |.8B45 FC MOV EAX,DWORD PTR SS: ; |
004628FD |.8B40 30 MOV EAX,DWORD PTR DS: ; |
00462900 |.50 PUSH EAX ; |hWnd
00462901 |.E8 C651FAFF CALL <JMP.&user32.SetWindowPos> ; \SetWindowPos
00462906 |>33C0 XOR EAX,EAX
00462908 |.E8 DF6DFFFF CALL addlal.004596EC
0046290D |.8945 F0 MOV DWORD PTR SS:,EAX
00462910 |.E8 F36CFFFF CALL addlal.00459608
00462915 |.8945 E4 MOV DWORD PTR SS:,EAX
00462918 |.8B45 FC MOV EAX,DWORD PTR SS:
0046291B |.E8 08EFFFFF CALL addlal.00461828
00462920 |.84C0 TEST AL,AL
00462922 |.74 06 JE SHORT addlal.0046292A
00462924 |.81CB 00001000 OR EBX,100000
0046292A |>33C9 XOR ECX,ECX
0046292C |.55 PUSH EBP
0046292D |.68 B1294600 PUSH addlal.004629B1
00462932 |.64:FF31 PUSH DWORD PTR FS:
00462935 |.64:8921 MOV DWORD PTR FS:,ESP
00462938 |.53 PUSH EBX ; /Style
00462939 |.57 PUSH EDI ; |Title
0046293A |.56 PUSH ESI ; |Text
0046293B |.8B45 FC MOV EAX,DWORD PTR SS: ; |
0046293E |.8B40 30 MOV EAX,DWORD PTR DS: ; |
00462941 |.50 PUSH EAX ; |hOwner
00462942 |.E8 5D50FAFF CALL <JMP.&user32.MessageBoxA> ;
00462947 |.8945 F8 MOV DWORD PTR SS:,EAX // returned to here
-------------------------------------------------------------------------------------------------------------------------------
A lookup shows that 0046285C is reached from: Local Calls from 00462A59, 004B42B4, 004BAEF3, 004BDACF, 004DDDFB, 004DEF15, 004EC9CF, 004F4B92, 004F4C6C, 004F4CEF
Tracing 004F4B92:
004F4B43 .55 PUSH EBP
004F4B44 .68 C54E4F00 PUSH addlal.004F4EC5
004F4B49 .64:FF30 PUSH DWORD PTR FS:
004F4B4C .64:8920 MOV DWORD PTR FS:,ESP
004F4B4F .33C0 XOR EAX,EAX
004F4B51 .55 PUSH EBP
004F4B52 .68 B34B4F00 PUSH addlal.004F4BB3
004F4B57 .64:FF30 PUSH DWORD PTR FS:
004F4B5A .64:8920 MOV DWORD PTR FS:,ESP
004F4B5D .8D55 FE LEA EDX,DWORD PTR SS:
004F4B60 .B0 01 MOV AL,1
004F4B62 .E8 21B8FBFF CALL addlal.004B0388 \\ dongle call; let's step in and take a look
004F4B67 .84C0 TEST AL,AL
004F4B69 .75 3E JNZ SHORT addlal.004F4BA9 \\ without the dongle it does not jump, so we make it jump
004F4B6B .6A 10 PUSH 10
004F4B6D .8D55 F8 LEA EDX,DWORD PTR SS:
004F4B70 .A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004F4B75 .8B00 MOV EAX,DWORD PTR DS:
004F4B77 .E8 08D7F6FF CALL addlal.00462284
004F4B7C .8B45 F8 MOV EAX,DWORD PTR SS:
004F4B7F .E8 1401F1FF CALL addlal.00404C98
004F4B84 .8BC8 MOV ECX,EAX
004F4B86 .BA D44E4F00 MOV EDX,addlal.004F4ED4
004F4B8B .A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004F4B90 .8B00 MOV EAX,DWORD PTR DS:
004F4B92 .E8 C5DCF6FF CALL addlal.0046285C
004F4B97 .E8 D8FAF0FF CALL addlal.00404674
004F4B9C .33C0 XOR EAX,EAX
004F4B9E .5A POP EDX
004F4B9F .59 POP ECX
===================================================================
Dongle-reading part
004B0388 /$53 PUSH EBX
004B0389 |.56 PUSH ESI
004B038A |.57 PUSH EDI
004B038B |.55 PUSH EBP
004B038C |.81C4 ECFCFFFF ADD ESP,-314
004B0392 |.895424 04 MOV DWORD PTR SS:,EDX
004B0396 |.880424 MOV BYTE PTR SS:,AL
004B0399 |.C64424 08 00MOV BYTE PTR SS:,0
004B039E |.68 C8054B00 PUSH addlal.004B05C8 ; /FileName = "Dic32R.dll"
004B03A3 |.E8 0C6FF5FF CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
004B03A8 |.8BF0 MOV ESI,EAX
004B03AA |.85F6 TEST ESI,ESI
004B03AC |.0F84 07020000 JE addlal.004B05B9
004B03B2 |.68 D4054B00 PUSH addlal.004B05D4 ; /ProcNameOrOrdinal = "DIC_Find"
004B03B7 |.56 PUSH ESI ; |hModule
004B03B8 |.E8 276EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03BD |.8B15 0CA14F00 MOV EDX,DWORD PTR DS: ;addlal.004FBCEC
004B03C3 |.8902 MOV DWORD PTR DS:,EAX
004B03C5 |.68 E0054B00 PUSH addlal.004B05E0 ; /ProcNameOrOrdinal = "DIC_Open"
004B03CA |.56 PUSH ESI ; |hModule
004B03CB |.E8 146EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03D0 |.8B15 C49A4F00 MOV EDX,DWORD PTR DS: ;addlal.004FBCF0
004B03D6 |.8902 MOV DWORD PTR DS:,EAX
004B03D8 |.68 EC054B00 PUSH addlal.004B05EC ; /ProcNameOrOrdinal = "DIC_Close"
004B03DD |.56 PUSH ESI ; |hModule
004B03DE |.E8 016EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03E3 |.8B15 289D4F00 MOV EDX,DWORD PTR DS: ;addlal.004FBCF4
004B03E9 |.8902 MOV DWORD PTR DS:,EAX
004B03EB |.68 F8054B00 PUSH addlal.004B05F8 ; /ProcNameOrOrdinal = "DIC_Set"
004B03F0 |.56 PUSH ESI ; |hModule
004B03F1 |.E8 EE6DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03F6 |.8B15 149D4F00 MOV EDX,DWORD PTR DS: ;addlal.004FBD00
004B03FC |.8902 MOV DWORD PTR DS:,EAX
004B03FE |.68 00064B00 PUSH addlal.004B0600 ; /ProcNameOrOrdinal = "DIC_Command"
004B0403 |.56 PUSH ESI ; |hModule
004B0404 |.E8 DB6DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B0409 |.8B15 249C4F00 MOV EDX,DWORD PTR DS: ;addlal.004FBCF8
004B040F |.8902 MOV DWORD PTR DS:,EAX
004B0411 |.68 0C064B00 PUSH addlal.004B060C ; /ProcNameOrOrdinal = "DIC_Get"
004B0416 |.56 PUSH ESI ; |hModule
004B0417 |.E8 C86DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B041C |.8B15 78A14F00 MOV EDX,DWORD PTR DS: ;addlal.004FBCFC
004B0422 |.8902 MOV DWORD PTR DS:,EAX
004B0424 |.A1 0CA14F00 MOV EAX,DWORD PTR DS:
004B0429 |.8B00 MOV EAX,DWORD PTR DS:
004B042B |.FFD0 CALL EAX
004B042D |.894424 0C MOV DWORD PTR SS:,EAX
004B0431 |.837C24 0C 00CMP DWORD PTR SS:,0
004B0436 |.0F8E 7D010000 JLE addlal.004B05B9
004B043C |.8B5C24 0C MOV EBX,DWORD PTR SS:
004B0440 |.4B DEC EBX
004B0441 |.85DB TEST EBX,EBX
004B0443 |.7C 19 JL SHORT addlal.004B045E
004B0445 |.43 INC EBX
004B0446 |.33FF XOR EDI,EDI
004B0448 |>6A 00 /PUSH 0
004B044A |.57 |PUSH EDI
004B044B |.A1 C49A4F00 |MOV EAX,DWORD PTR DS:
004B0450 |.8B00 |MOV EAX,DWORD PTR DS:
004B0452 |.FFD0 |CALL EAX
004B0454 |.8BE8 |MOV EBP,EAX
004B0456 |.85ED |TEST EBP,EBP
004B0458 |.73 04 |JNB SHORT addlal.004B045E
004B045A |.47 |INC EDI
004B045B |.4B |DEC EBX
004B045C |.^ 75 EA \JNZ SHORT addlal.004B0448
004B045E |>3B7C24 0C CMP EDI,DWORD PTR SS:
004B0462 |.0F84 51010000 JE addlal.004B05B9
004B0468 |.54 PUSH ESP
004B0469 |.6A 00 PUSH 0
004B046B |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B0470 |.8B00 MOV EAX,DWORD PTR DS:
004B0472 |.83C8 01 OR EAX,1
004B0475 |.50 PUSH EAX
004B0476 |.6A 00 PUSH 0
004B0478 |.8D8424 230200>LEA EAX,DWORD PTR SS:
004B047F |.50 PUSH EAX
004B0480 |.A1 149D4F00 MOV EAX,DWORD PTR DS:
004B0485 |.8B00 MOV EAX,DWORD PTR DS:
004B0487 |.FFD0 CALL EAX
004B0489 |.8D8424 130200>LEA EAX,DWORD PTR SS:
004B0490 |.50 PUSH EAX
004B0491 |.68 22650000 PUSH 6522
004B0496 |.6A 14 PUSH 14
004B0498 |.A1 9C9F4F00 MOV EAX,DWORD PTR DS:
004B049D |.8B00 MOV EAX,DWORD PTR DS:
004B049F |.50 PUSH EAX
004B04A0 |.8D4424 22 LEA EAX,DWORD PTR SS:
004B04A4 |.50 PUSH EAX
004B04A5 |.A1 149D4F00 MOV EAX,DWORD PTR DS:
004B04AA |.8B00 MOV EAX,DWORD PTR DS:
004B04AC |.FFD0 CALL EAX
004B04AE |.8D4424 12 LEA EAX,DWORD PTR SS:
004B04B2 |.50 PUSH EAX
004B04B3 |.A1 F09E4F00 MOV EAX,DWORD PTR DS:
004B04B8 |.8B00 MOV EAX,DWORD PTR DS:
004B04BA |.50 PUSH EAX
004B04BB |.55 PUSH EBP
004B04BC |.A1 249C4F00 MOV EAX,DWORD PTR DS:
004B04C1 |.8B00 MOV EAX,DWORD PTR DS:
004B04C3 |.FFD0 CALL EAX
004B04C5 |.85C0 TEST EAX,EAX
004B04C7 |.0F85 EC000000 JNZ addlal.004B05B9
004B04CD |.8D8424 130200>LEA EAX,DWORD PTR SS:
004B04D4 |.50 PUSH EAX
004B04D5 |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B04DA |.8B00 MOV EAX,DWORD PTR DS:
004B04DC |.50 PUSH EAX
004B04DD |.A1 9C9F4F00 MOV EAX,DWORD PTR DS:
004B04E2 |.8B00 MOV EAX,DWORD PTR DS:
004B04E4 |.50 PUSH EAX
004B04E5 |.8D4424 1E LEA EAX,DWORD PTR SS:
004B04E9 |.50 PUSH EAX
004B04EA |.A1 78A14F00 MOV EAX,DWORD PTR DS:
004B04EF |.8B00 MOV EAX,DWORD PTR DS:
004B04F1 |.FFD0 CALL EAX
004B04F3 |.8D4424 10 LEA EAX,DWORD PTR SS:
004B04F7 |.50 PUSH EAX
004B04F8 |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B04FD |.8B00 MOV EAX,DWORD PTR DS:
004B04FF |.83C8 01 OR EAX,1
004B0502 |.50 PUSH EAX
004B0503 |.6A 02 PUSH 2
004B0505 |.8D8424 1F0200>LEA EAX,DWORD PTR SS:
004B050C |.50 PUSH EAX
004B050D |.A1 78A14F00 MOV EAX,DWORD PTR DS:
004B0512 |.8B00 MOV EAX,DWORD PTR DS:
004B0514 |.FFD0 CALL EAX
004B0516 |.8D4424 11 LEA EAX,DWORD PTR SS:
004B051A |.50 PUSH EAX
004B051B |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B0520 |.8B00 MOV EAX,DWORD PTR DS:
004B0522 |.83C8 01 OR EAX,1
004B0525 |.50 PUSH EAX
004B0526 |.6A 03 PUSH 3
004B0528 |.8D8424 1F0200>LEA EAX,DWORD PTR SS:
004B052F |.50 PUSH EAX
004B0530 |.A1 78A14F00 MOV EAX,DWORD PTR DS:
004B0535 |.8B00 MOV EAX,DWORD PTR DS:
004B0537 |.FFD0 CALL EAX
004B0539 |.8A4424 10 MOV AL,BYTE PTR SS:
004B053D |.324424 11 XOR AL,BYTE PTR SS:
004B0541 |.24 FF AND AL,0FF
004B0543 |.25 FF000000 AND EAX,0FF
004B0548 |.8B5424 04 MOV EDX,DWORD PTR SS:
004B054C |.66:8902 MOV WORD PTR DS:,AX
004B054F |.8D4424 10 LEA EAX,DWORD PTR SS:
004B0553 |.50 PUSH EAX
004B0554 |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B0559 |.8B00 MOV EAX,DWORD PTR DS:
004B055B |.83C8 01 OR EAX,1
004B055E |.50 PUSH EAX
004B055F |.6A 06 PUSH 6
004B0561 |.8D8424 1F0200>LEA EAX,DWORD PTR SS:
004B0568 |.50 PUSH EAX
004B0569 |.A1 78A14F00 MOV EAX,DWORD PTR DS:
004B056E |.8B00 MOV EAX,DWORD PTR DS:
004B0570 |.FFD0 CALL EAX
004B0572 |.8D4424 11 LEA EAX,DWORD PTR SS:
004B0576 |.50 PUSH EAX
004B0577 |.A1 64994F00 MOV EAX,DWORD PTR DS:
004B057C |.8B00 MOV EAX,DWORD PTR DS:
004B057E |.83C8 01 OR EAX,1
004B0581 |.50 PUSH EAX
004B0582 |.6A 07 PUSH 7
004B0584 |.8D8424 1F0200>LEA EAX,DWORD PTR SS:
004B058B |.50 PUSH EAX
004B058C |.A1 78A14F00 MOV EAX,DWORD PTR DS:
004B0591 |.8B00 MOV EAX,DWORD PTR DS:
004B0593 |.FFD0 CALL EAX
004B0595 |.8A4424 10 MOV AL,BYTE PTR SS:
004B0599 |.324424 11 XOR AL,BYTE PTR SS:
004B059D |.24 FF AND AL,0FF
004B059F |.25 FF000000 AND EAX,0FF
004B05A4 |.C1E0 08 SHL EAX,8
004B05A7 |.8B5424 04 MOV EDX,DWORD PTR SS:
004B05AB |.66:0902 OR WORD PTR DS:,AX
004B05AE |.56 PUSH ESI ; /hLibModule
004B05AF |.E8 906BF5FF CALL <JMP.&kernel32.FreeLibrary> ; \FreeLibrary
004B05B4 |.C64424 08 01MOV BYTE PTR SS:,1
004B05B9 |>8A4424 08 MOV AL,BYTE PTR SS:
004B05BD |.81C4 14030000 ADD ESP,314
004B05C3 |.5D POP EBP
004B05C4 |.5F POP EDI
004B05C5 |.5E POP ESI
004B05C6 |.5B POP EBX
004B05C7 \.C3 RET
==========================================================================
Tracing 004EC9CF
Same thing:
004EC98E|.55 PUSH EBP
004EC98F|.68 7ED04E00 PUSH addlal.004ED07E
004EC994|.64:FF30 PUSH DWORD PTR FS:
004EC997|.64:8920 MOV DWORD PTR FS:,ESP
004EC99A|.8D55 F6 LEA EDX,DWORD PTR SS:
004EC99D|.B0 01 MOV AL,1
004EC99F|.E8 E439FCFF CALL addlal.004B0388 // read the dongle
004EC9A4|.84C0 TEST AL,AL
004EC9A6|.75 42 JNZ SHORT addlal.004EC9EA // make it jump
004EC9A8|.6A 10 PUSH 10
004EC9AA|.8D55 F0 LEA EDX,DWORD PTR SS:
004EC9AD|.A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004EC9B2|.8B00 MOV EAX,DWORD PTR DS:
004EC9B4|.E8 CB58F7FF CALL addlal.00462284
004EC9B9|.8B45 F0 MOV EAX,DWORD PTR SS:
004EC9BC|.E8 D782F1FF CALL addlal.00404C98
004EC9C1|.8BC8 MOV ECX,EAX
004EC9C3|.BA 8CD04E00 MOV EDX,addlal.004ED08C
004EC9C8|.A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004EC9CD|.8B00 MOV EAX,DWORD PTR DS:
004EC9CF|.E8 885EF7FF CALL addlal.0046285C
004EC9D4|.A1 5C9E4F00 MOV EAX,DWORD PTR DS:
004EC9D9|.8B00 MOV EAX,DWORD PTR DS:
004EC9DB|.E8 D85DF7FF CALL addlal.004627B8
004EC9E0|.E8 8F7CF1FF CALL addlal.00404674
004EC9E5|.E9 7E060000 JMP addlal.004ED068
004EC9EA|>8B83 F0020000 MOV EAX,DWORD PTR DS:
004EC9F0|.8B50 48 MOV EDX,DWORD PTR DS:
004EC9F3|.8BC3 MOV EAX,EBX
004EC9F5|.E8 3655F5FF CALL addlal.00441F30
004EC9FA|.8B83 F0020000 MOV EAX,DWORD PTR DS:
004ECA00|.8B50 4C MOV EDX,DWORD PTR DS:
004ECA03|.8BC3 MOV EAX,EBX
004ECA05|.E8 4A55F5FF CALL addlal.00441F54
004ECA0A|.33D2 XOR EDX,EDX
004ECA0C|.8B83 78030000 MOV EAX,DWORD PTR DS:
004ECA12|.E8 CD54F5FF CALL addlal.00441EE4
004ECA17|.BA 3B000000 MOV EDX,3B
004ECA1C|.8B83 78030000 MOV EAX,DWORD PTR DS:
004ECA22|.E8 E154F5FF CALL addlal.00441F08
004ECA27|.8B83 7C030000 MOV EAX,DWORD PTR DS:
004ECA2D|.8B50 48 MOV EDX,DWORD PTR DS:
004ECA30|.8B83 78030000 MOV EAX,DWORD PTR DS:
004ECA36|.E8 F554F5FF CALL addlal.00441F30
004ECA3B|.8B83 7C030000 MOV EAX,DWORD PTR DS:
004ECA41|.8B50 4C MOV EDX,DWORD PTR DS:
004ECA44|.8B83 78030000 MOV EAX,DWORD PTR DS:
004ECA4A|.E8 0555F5FF CALL addlal.00441F54
004ECA4F|.B2 03 MOV DL,3
004ECA51|.8BC3 MOV EAX,EBX
004ECA53|.E8 94FFF6FF CALL addlal.0045C9EC
004ECA58|.68 84C64E00 PUSH addlal.004EC684
004ECA5D|.6A FC PUSH -4
004ECA5F|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECA65|.E8 C6C3F5FF CALL addlal.00448E30
004ECA6A|.50 PUSH EAX ; |hWnd
004ECA6B|.E8 4CB0F1FF CALL <JMP.&user32.SetWindowLongA> ; \SetWindowLongA
004ECA70|.A3 28D24F00 MOV DWORD PTR DS:,EAX
004ECA75|.BA 66030000 MOV EDX,366
004ECA7A|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECA80|.E8 5F54F5FF CALL addlal.00441EE4
004ECA85|.BA 4E000000 MOV EDX,4E
004ECA8A|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECA90|.E8 7354F5FF CALL addlal.00441F08
004ECA95|.BA 98000000 MOV EDX,98
004ECA9A|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECAA0|.E8 8B54F5FF CALL addlal.00441F30
004ECAA5|.BA 20020000 MOV EDX,220
004ECAAA|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECAB0|.E8 9F54F5FF CALL addlal.00441F54
004ECAB5|.8B83 D4030000 MOV EAX,DWORD PTR DS:
004ECABB|.E8 780CF8FF CALL addlal.0046D738
004ECAC0|.A1 18994F00 MOV EAX,DWORD PTR DS:
004ECAC5|.8338 00 CMP DWORD PTR DS:,0
004ECAC8|.74 19 JE SHORT addlal.004ECAE3
004ECACA|.8B15 18994F00 MOV EDX,DWORD PTR DS: ;addlal.004F90F8
004ECAD0|.8B12 MOV EDX,DWORD PTR DS:
004ECAD2|.8B83 F4030000 MOV EAX,DWORD PTR DS:
004ECAD8|.8B80 68010000 MOV EAX,DWORD PTR DS:
004ECADE|.8B08 MOV ECX,DWORD PTR DS:
004ECAE0|.FF51 08 CALL DWORD PTR DS:
004ECAE3|>B2 05 MOV DL,5
004ECAE5|.8B83 F8020000 MOV EAX,DWORD PTR DS:
004ECAEB|.E8 9851F5FF CALL addlal.00441C88
004ECAF0|.B2 01 MOV DL,1
004ECAF2|.A1 10B34100 MOV EAX,DWORD PTR DS:
004ECAF7|.E8 EC6DF1FF CALL addlal.004038E8
004ECAFC|.8983 24040000 MOV DWORD PTR DS:,EAX
004ECB02|.B2 01 MOV DL,1
004ECB04|.A1 10B34100 MOV EAX,DWORD PTR DS:
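Saved OK; the software now runs.
I don't know how this dongle could be so simple;
a couple of steps and it runs, I really don't understand. Learning from this, good tutorial; share some of the dog meat~ What tool do you use to beat the dog (dongle): a stick, a knife, or a gun!! Haha!!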
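The listings above show a check whose whole result is one flag in AL tested by one conditional jump, while the word the read routine computes from the dongle is not needed afterwards. As an added example (not code from the post, the application, or the ROCKEY SDK), the C simulation below contrasts that design with one where the token's response is the key for data the feature needs; the token, its secret, the mixer and every function name are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 4  /* all constants below are constructed for this sketch */
static const uint32_t TOKEN_SECRET = 0x5EC2E7A1u;  /* exists only inside the token */
static const uint32_t CHALLENGE    = 0x00C0FFEEu;
static const uint32_t TABLE[N]     = {10, 20, 30, 40}; /* data the feature needs */

/* Toy 32-bit mixer standing in for the token's on-board algorithm (not a cipher). */
static uint32_t mix32(uint32_t x) {
    x ^= x >> 16; x *= 0x7FEB352Du;
    x ^= x >> 15; x *= 0x846CA68Bu;
    return x ^ (x >> 16);
}

/* Simulated token call: 1 and a response when plugged in, 0 otherwise. */
static int token_transform(int present, uint32_t challenge, uint32_t *resp) {
    if (!present) return 0;
    *resp = mix32(challenge ^ TOKEN_SECRET);
    return 1;
}

/* Vendor build step for the bound variant: ship TABLE masked by the response. */
static void provision(uint32_t blob[N]) {
    uint32_t r = 0;
    token_transform(1, CHALLENGE, &r);
    for (uint32_t i = 0; i < N; i++) blob[i] = TABLE[i] ^ mix32(r + i + 1);
}

/* Weak: the plaintext ships in the binary and a single flag decides. */
static int weak_load(int present, int forced, uint32_t out[N]) {
    uint32_t r = 0;
    if (!token_transform(present, CHALLENGE, &r) && !forced) return 0;
    memcpy(out, TABLE, sizeof TABLE);
    return 1;
}

/* Bound: the response is the key, so a forced branch unmasks with r == 0. */
static int bound_load(int present, int forced, const uint32_t blob[N], uint32_t out[N]) {
    uint32_t r = 0;
    if (!token_transform(present, CHALLENGE, &r) && !forced) return 0;
    for (uint32_t i = 0; i < N; i++) out[i] = blob[i] ^ mix32(r + i + 1);
    return 1;
}

/* 1 if the feature gets the correct table; forced models the altered jump. */
int scenario(int bound, int present, int forced) {
    uint32_t blob[N], out[N] = {0};
    provision(blob);
    int ran = bound ? bound_load(present, forced, blob, out)
                    : weak_load(present, forced, out);
    return ran && memcmp(out, TABLE, sizeof TABLE) == 0;
}

int main(void) {
    printf("%d %d %d\n", scenario(0, 0, 1), scenario(1, 1, 0), scenario(1, 0, 1));
    return 0;
}
```

In a real bound build the plaintext table would exist only on the vendor's build machine; it sits in this file so the sketch can verify its own result.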