Accidentally cracked a ROCKEY6 dongle
Posted: 2006-3-19 15:16
--------------------------------------------------------------------------------
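I had nothing to do today, so I tried cracking a dongle. I found a piece of software; I won't say what it is called.
PEiD shows no packer; it was developed with Borland Delphi 6.0 - 7.0.
Load it in OD: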
004F6104 <ModuleE> $ 55 PUSH EBP
004F6105 . 8BEC MOV EBP,ESP
004F6107 . 83C4 F0 ADD ESP,-10
004F610A . B8 545C4F00 MOV EAX,addlal.004F5C54
004F610F . E8 7C0EF1FF CALL addlal.00406F90
004F6114 . 6A 00 PUSH 0 ; /Title = NULL
004F6116 . 68 64614F00 PUSH addlal.004F6164 ; |Class = "Camera_Digital"
004F611B . E8 4C16F1FF CALL <JMP.&user32.FindWindowA> ; \FindWindowA
004F6120 . 85C0 TEST EAX,EAX
004F6122 . 74 08 JE SHORT addlal.004F612C
004F6124 . 50 PUSH EAX ; /hWnd
004F6125 . E8 0A15F1FF CALL <JMP.&user32.BringWindowToTop> ; \BringWindowToTop
004F612A . EB 30 JMP SHORT addlal.004F615C
004F612C > A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004F6131 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004F6133 . E8 FCC4F6FF CALL addlal.00462634
004F6138 . 8B0D 849F4F00 MOV ECX,DWORD PTR DS:[4F9F84] ; addlal.004FD22C
004F613E . A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004F6143 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004F6145 . 8B15 80454F00 MOV EDX,DWORD PTR DS:[4F4580] ; addlal.004F45CC
004F614B . E8 FCC4F6FF CALL addlal.0046264C
004F6150 . A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004F6155 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004F6157 . E8 70C5F6FF CALL addlal.004626CC
004F615C > E8 13E5F0FF CALL addlal.00404674
004F6161 . 0000 ADD BYTE PTR DS:[EAX],AL
004F6163 . 0043 61 ADD BYTE PTR DS:[EBX+61],AL
004F6166 . 6D INS DWORD PTR ES:[EDI],DX ; I/O command
004F6167 . 65:72 61 JB SHORT addlal.004F61CB ; superfluous prefix
004F616A . 5F POP EDI
004F616B . 44 INC ESP
004F616C . 6967 69 74616>IMUL ESP,DWORD PTR DS:[EDI+69],addlal.00>
After the software opens, it reports that the dongle cannot be found.
77E13387 M> 55 PUSH EBP
77E13388 8BEC MOV EBP,ESP
77E1338A 51 PUSH ECX
77E1338B 833D 583BE477 0>CMP DWORD PTR DS:[77E43B58],0
77E13392 74 29 JE SHORT user32.77E133BD
77E13394 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E1339A 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
77E1339D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
77E133A0 B8 00000000 MOV EAX,0
77E133A5 B9 2835E477 MOV ECX,user32.77E43528
77E133AA 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
77E133AD F0:0FB111 LOCK CMPXCHG DWORD PTR DS:[ECX],EDX ; LOCK prefix
77E133B1 85C0 TEST EAX,EAX
77E133B3 75 08 JNZ SHORT user32.77E133BD
77E133B5 8B45 04 MOV EAX,DWORD PTR SS:[EBP+4]
77E133B8 A3 2435E477 MOV DWORD PTR DS:[77E43524],EAX
77E133BD 6A 00 PUSH 0
77E133BF FF75 14 PUSH DWORD PTR SS:[EBP+14]
77E133C2 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77E133C5 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77E133C8 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77E133CB E8 C70D0000 CALL user32.MessageBoxExA
77E133D0 C9 LEAVE
77E133D1 C2 1000 RET 10
After it breaks, remove the breakpoint.
Return.
We arrive here:
0046285C /$ 55 PUSH EBP
0046285D |. 8BEC MOV EBP,ESP
0046285F |. 83C4 AC ADD ESP,-54
00462862 |. 53 PUSH EBX
00462863 |. 56 PUSH ESI
00462864 |. 57 PUSH EDI
00462865 |. 8BF9 MOV EDI,ECX
00462867 |. 8BF2 MOV ESI,EDX
00462869 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0046286C |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0046286F |. E8 084FFAFF CALL <JMP.&user32.GetActiveWindow> ; [GetActiveWindow
00462874 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00462877 |. 6A 02 PUSH 2
00462879 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0046287C |. 50 PUSH EAX
0046287D |. A1 A09C4F00 MOV EAX,DWORD PTR DS:[4F9CA0]
00462882 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00462884 |. FFD0 CALL EAX
00462886 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00462889 |. 6A 02 PUSH 2
0046288B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046288E |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
00462891 |. 50 PUSH EAX
00462892 |. A1 A09C4F00 MOV EAX,DWORD PTR DS:[4F9CA0]
00462897 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00462899 |. FFD0 CALL EAX
0046289B |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0046289E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004628A1 |. 3B45 E8 CMP EAX,DWORD PTR SS:[EBP-18]
004628A4 |. 74 60 JE SHORT addlal.00462906
004628A6 |. C745 BC 28000>MOV DWORD PTR SS:[EBP-44],28
004628AD |. 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004628B0 |. 50 PUSH EAX
004628B1 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004628B4 |. 50 PUSH EAX
004628B5 |. A1 049B4F00 MOV EAX,DWORD PTR DS:[4F9B04]
004628BA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004628BC |. FFD0 CALL EAX
004628BE |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004628C1 |. 50 PUSH EAX ; /pRect
004628C2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004628C5 |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
004628C8 |. 50 PUSH EAX ; |hWnd
004628C9 |. E8 FE4FFAFF CALL <JMP.&user32.GetWindowRect> ; \GetWindowRect
004628CE |. 6A 1D PUSH 1D
004628D0 |. 6A 00 PUSH 0
004628D2 |. 6A 00 PUSH 0
004628D4 |. 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34]
004628D7 |. 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
004628DA |. 2BCA SUB ECX,EDX
004628DC |. D1F9 SAR ECX,1
004628DE |. 79 03 JNS SHORT addlal.004628E3
004628E0 |. 83D1 00 ADC ECX,0
004628E3 |> 03CA ADD ECX,EDX
004628E5 |. 51 PUSH ECX
004628E6 |. 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
004628E9 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004628EC |. 2BD0 SUB EDX,EAX
004628EE |. D1FA SAR EDX,1
004628F0 |. 79 03 JNS SHORT addlal.004628F5
004628F2 |. 83D2 00 ADC EDX,0
004628F5 |> 03D0 ADD EDX,EAX ; |
004628F7 |. 52 PUSH EDX ; |X
004628F8 |. 6A 00 PUSH 0 ; |InsertAfter = HWND_TOP
004628FA |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004628FD |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
00462900 |. 50 PUSH EAX ; |hWnd
00462901 |. E8 C651FAFF CALL <JMP.&user32.SetWindowPos> ; \SetWindowPos
00462906 |> 33C0 XOR EAX,EAX
00462908 |. E8 DF6DFFFF CALL addlal.004596EC
0046290D |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00462910 |. E8 F36CFFFF CALL addlal.00459608
00462915 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00462918 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046291B |. E8 08EFFFFF CALL addlal.00461828
00462920 |. 84C0 TEST AL,AL
00462922 |. 74 06 JE SHORT addlal.0046292A
00462924 |. 81CB 00001000 OR EBX,100000
0046292A |> 33C9 XOR ECX,ECX
0046292C |. 55 PUSH EBP
0046292D |. 68 B1294600 PUSH addlal.004629B1
00462932 |. 64:FF31 PUSH DWORD PTR FS:[ECX]
00462935 |. 64:8921 MOV DWORD PTR FS:[ECX],ESP
00462938 |. 53 PUSH EBX ; /Style
00462939 |. 57 PUSH EDI ; |Title
0046293A |. 56 PUSH ESI ; |Text
0046293B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
0046293E |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; |
00462941 |. 50 PUSH EAX ; |hOwner
00462942 |. E8 5D50FAFF CALL <JMP.&user32.MessageBoxA> ;
00462947 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX // returned to here
-------------------------------------------------------------------------------------------------------------------------------
A lookup shows the callers of 0046285c: Local Calls from 00462A59, 004B42B4, 004BAEF3, 004BDACF, 004DDDFB, 004DEF15, 004EC9CF, 004F4B92, 004F4C6C, 004F4CEF
Trace 004F4B92
004F4B43 . 55 PUSH EBP
004F4B44 . 68 C54E4F00 PUSH addlal.004F4EC5
004F4B49 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004F4B4C . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004F4B4F . 33C0 XOR EAX,EAX
004F4B51 . 55 PUSH EBP
004F4B52 . 68 B34B4F00 PUSH addlal.004F4BB3
004F4B57 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004F4B5A . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004F4B5D . 8D55 FE LEA EDX,DWORD PTR SS:[EBP-2]
004F4B60 . B0 01 MOV AL,1
004F4B62 . E8 21B8FBFF CALL addlal.004B0388 \\ dongle call; let's step in and take a look
004F4B67 . 84C0 TEST AL,AL
004F4B69 . 75 3E JNZ SHORT addlal.004F4BA9 \\ without a dongle it does not jump, so we make it jump
004F4B6B . 6A 10 PUSH 10
004F4B6D . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004F4B70 . A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004F4B75 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004F4B77 . E8 08D7F6FF CALL addlal.00462284
004F4B7C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004F4B7F . E8 1401F1FF CALL addlal.00404C98
004F4B84 . 8BC8 MOV ECX,EAX
004F4B86 . BA D44E4F00 MOV EDX,addlal.004F4ED4
004F4B8B . A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004F4B90 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004F4B92 . E8 C5DCF6FF CALL addlal.0046285C
004F4B97 . E8 D8FAF0FF CALL addlal.00404674
004F4B9C . 33C0 XOR EAX,EAX
004F4B9E . 5A POP EDX
004F4B9F . 59 POP ECX
===================================================================
The dongle-reading part
004B0388 /$ 53 PUSH EBX
004B0389 |. 56 PUSH ESI
004B038A |. 57 PUSH EDI
004B038B |. 55 PUSH EBP
004B038C |. 81C4 ECFCFFFF ADD ESP,-314
004B0392 |. 895424 04 MOV DWORD PTR SS:[ESP+4],EDX
004B0396 |. 880424 MOV BYTE PTR SS:[ESP],AL
004B0399 |. C64424 08 00 MOV BYTE PTR SS:[ESP+8],0
004B039E |. 68 C8054B00 PUSH addlal.004B05C8 ; /FileName = "Dic32R.dll"
004B03A3 |. E8 0C6FF5FF CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
004B03A8 |. 8BF0 MOV ESI,EAX
004B03AA |. 85F6 TEST ESI,ESI
004B03AC |. 0F84 07020000 JE addlal.004B05B9
004B03B2 |. 68 D4054B00 PUSH addlal.004B05D4 ; /ProcNameOrOrdinal = "DIC_Find"
004B03B7 |. 56 PUSH ESI ; |hModule
004B03B8 |. E8 276EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03BD |. 8B15 0CA14F00 MOV EDX,DWORD PTR DS:[4FA10C] ; addlal.004FBCEC
004B03C3 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B03C5 |. 68 E0054B00 PUSH addlal.004B05E0 ; /ProcNameOrOrdinal = "DIC_Open"
004B03CA |. 56 PUSH ESI ; |hModule
004B03CB |. E8 146EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03D0 |. 8B15 C49A4F00 MOV EDX,DWORD PTR DS:[4F9AC4] ; addlal.004FBCF0
004B03D6 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B03D8 |. 68 EC054B00 PUSH addlal.004B05EC ; /ProcNameOrOrdinal = "DIC_Close"
004B03DD |. 56 PUSH ESI ; |hModule
004B03DE |. E8 016EF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03E3 |. 8B15 289D4F00 MOV EDX,DWORD PTR DS:[4F9D28] ; addlal.004FBCF4
004B03E9 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B03EB |. 68 F8054B00 PUSH addlal.004B05F8 ; /ProcNameOrOrdinal = "DIC_Set"
004B03F0 |. 56 PUSH ESI ; |hModule
004B03F1 |. E8 EE6DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B03F6 |. 8B15 149D4F00 MOV EDX,DWORD PTR DS:[4F9D14] ; addlal.004FBD00
004B03FC |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B03FE |. 68 00064B00 PUSH addlal.004B0600 ; /ProcNameOrOrdinal = "DIC_Command"
004B0403 |. 56 PUSH ESI ; |hModule
004B0404 |. E8 DB6DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B0409 |. 8B15 249C4F00 MOV EDX,DWORD PTR DS:[4F9C24] ; addlal.004FBCF8
004B040F |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B0411 |. 68 0C064B00 PUSH addlal.004B060C ; /ProcNameOrOrdinal = "DIC_Get"
004B0416 |. 56 PUSH ESI ; |hModule
004B0417 |. E8 C86DF5FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004B041C |. 8B15 78A14F00 MOV EDX,DWORD PTR DS:[4FA178] ; addlal.004FBCFC
004B0422 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004B0424 |. A1 0CA14F00 MOV EAX,DWORD PTR DS:[4FA10C]
004B0429 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B042B |. FFD0 CALL EAX
004B042D |. 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
004B0431 |. 837C24 0C 00 CMP DWORD PTR SS:[ESP+C],0
004B0436 |. 0F8E 7D010000 JLE addlal.004B05B9
004B043C |. 8B5C24 0C MOV EBX,DWORD PTR SS:[ESP+C]
004B0440 |. 4B DEC EBX
004B0441 |. 85DB TEST EBX,EBX
004B0443 |. 7C 19 JL SHORT addlal.004B045E
004B0445 |. 43 INC EBX
004B0446 |. 33FF XOR EDI,EDI
004B0448 |> 6A 00 /PUSH 0
004B044A |. 57 |PUSH EDI
004B044B |. A1 C49A4F00 |MOV EAX,DWORD PTR DS:[4F9AC4]
004B0450 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004B0452 |. FFD0 |CALL EAX
004B0454 |. 8BE8 |MOV EBP,EAX
004B0456 |. 85ED |TEST EBP,EBP
004B0458 |. 73 04 |JNB SHORT addlal.004B045E
004B045A |. 47 |INC EDI
004B045B |. 4B |DEC EBX
004B045C |.^ 75 EA \JNZ SHORT addlal.004B0448
004B045E |> 3B7C24 0C CMP EDI,DWORD PTR SS:[ESP+C]
004B0462 |. 0F84 51010000 JE addlal.004B05B9
004B0468 |. 54 PUSH ESP
004B0469 |. 6A 00 PUSH 0
004B046B |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B0470 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0472 |. 83C8 01 OR EAX,1
004B0475 |. 50 PUSH EAX
004B0476 |. 6A 00 PUSH 0
004B0478 |. 8D8424 230200>LEA EAX,DWORD PTR SS:[ESP+223]
004B047F |. 50 PUSH EAX
004B0480 |. A1 149D4F00 MOV EAX,DWORD PTR DS:[4F9D14]
004B0485 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0487 |. FFD0 CALL EAX
004B0489 |. 8D8424 130200>LEA EAX,DWORD PTR SS:[ESP+213]
004B0490 |. 50 PUSH EAX
004B0491 |. 68 22650000 PUSH 6522
004B0496 |. 6A 14 PUSH 14
004B0498 |. A1 9C9F4F00 MOV EAX,DWORD PTR DS:[4F9F9C]
004B049D |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B049F |. 50 PUSH EAX
004B04A0 |. 8D4424 22 LEA EAX,DWORD PTR SS:[ESP+22]
004B04A4 |. 50 PUSH EAX
004B04A5 |. A1 149D4F00 MOV EAX,DWORD PTR DS:[4F9D14]
004B04AA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04AC |. FFD0 CALL EAX
004B04AE |. 8D4424 12 LEA EAX,DWORD PTR SS:[ESP+12]
004B04B2 |. 50 PUSH EAX
004B04B3 |. A1 F09E4F00 MOV EAX,DWORD PTR DS:[4F9EF0]
004B04B8 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04BA |. 50 PUSH EAX
004B04BB |. 55 PUSH EBP
004B04BC |. A1 249C4F00 MOV EAX,DWORD PTR DS:[4F9C24]
004B04C1 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04C3 |. FFD0 CALL EAX
004B04C5 |. 85C0 TEST EAX,EAX
004B04C7 |. 0F85 EC000000 JNZ addlal.004B05B9
004B04CD |. 8D8424 130200>LEA EAX,DWORD PTR SS:[ESP+213]
004B04D4 |. 50 PUSH EAX
004B04D5 |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B04DA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04DC |. 50 PUSH EAX
004B04DD |. A1 9C9F4F00 MOV EAX,DWORD PTR DS:[4F9F9C]
004B04E2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04E4 |. 50 PUSH EAX
004B04E5 |. 8D4424 1E LEA EAX,DWORD PTR SS:[ESP+1E]
004B04E9 |. 50 PUSH EAX
004B04EA |. A1 78A14F00 MOV EAX,DWORD PTR DS:[4FA178]
004B04EF |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04F1 |. FFD0 CALL EAX
004B04F3 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004B04F7 |. 50 PUSH EAX
004B04F8 |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B04FD |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B04FF |. 83C8 01 OR EAX,1
004B0502 |. 50 PUSH EAX
004B0503 |. 6A 02 PUSH 2
004B0505 |. 8D8424 1F0200>LEA EAX,DWORD PTR SS:[ESP+21F]
004B050C |. 50 PUSH EAX
004B050D |. A1 78A14F00 MOV EAX,DWORD PTR DS:[4FA178]
004B0512 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0514 |. FFD0 CALL EAX
004B0516 |. 8D4424 11 LEA EAX,DWORD PTR SS:[ESP+11]
004B051A |. 50 PUSH EAX
004B051B |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B0520 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0522 |. 83C8 01 OR EAX,1
004B0525 |. 50 PUSH EAX
004B0526 |. 6A 03 PUSH 3
004B0528 |. 8D8424 1F0200>LEA EAX,DWORD PTR SS:[ESP+21F]
004B052F |. 50 PUSH EAX
004B0530 |. A1 78A14F00 MOV EAX,DWORD PTR DS:[4FA178]
004B0535 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0537 |. FFD0 CALL EAX
004B0539 |. 8A4424 10 MOV AL,BYTE PTR SS:[ESP+10]
004B053D |. 324424 11 XOR AL,BYTE PTR SS:[ESP+11]
004B0541 |. 24 FF AND AL,0FF
004B0543 |. 25 FF000000 AND EAX,0FF
004B0548 |. 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
004B054C |. 66:8902 MOV WORD PTR DS:[EDX],AX
004B054F |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004B0553 |. 50 PUSH EAX
004B0554 |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B0559 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B055B |. 83C8 01 OR EAX,1
004B055E |. 50 PUSH EAX
004B055F |. 6A 06 PUSH 6
004B0561 |. 8D8424 1F0200>LEA EAX,DWORD PTR SS:[ESP+21F]
004B0568 |. 50 PUSH EAX
004B0569 |. A1 78A14F00 MOV EAX,DWORD PTR DS:[4FA178]
004B056E |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0570 |. FFD0 CALL EAX
004B0572 |. 8D4424 11 LEA EAX,DWORD PTR SS:[ESP+11]
004B0576 |. 50 PUSH EAX
004B0577 |. A1 64994F00 MOV EAX,DWORD PTR DS:[4F9964]
004B057C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B057E |. 83C8 01 OR EAX,1
004B0581 |. 50 PUSH EAX
004B0582 |. 6A 07 PUSH 7
004B0584 |. 8D8424 1F0200>LEA EAX,DWORD PTR SS:[ESP+21F]
004B058B |. 50 PUSH EAX
004B058C |. A1 78A14F00 MOV EAX,DWORD PTR DS:[4FA178]
004B0591 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0593 |. FFD0 CALL EAX
004B0595 |. 8A4424 10 MOV AL,BYTE PTR SS:[ESP+10]
004B0599 |. 324424 11 XOR AL,BYTE PTR SS:[ESP+11]
004B059D |. 24 FF AND AL,0FF
004B059F |. 25 FF000000 AND EAX,0FF
004B05A4 |. C1E0 08 SHL EAX,8
004B05A7 |. 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
004B05AB |. 66:0902 OR WORD PTR DS:[EDX],AX
004B05AE |. 56 PUSH ESI ; /hLibModule
004B05AF |. E8 906BF5FF CALL <JMP.&kernel32.FreeLibrary> ; \FreeLibrary
004B05B4 |. C64424 08 01 MOV BYTE PTR SS:[ESP+8],1
004B05B9 |> 8A4424 08 MOV AL,BYTE PTR SS:[ESP+8]
004B05BD |. 81C4 14030000 ADD ESP,314
004B05C3 |. 5D POP EBP
004B05C4 |. 5F POP EDI
004B05C5 |. 5E POP ESI
004B05C6 |. 5B POP EBX
004B05C7 \. C3 RET
==========================================================================
Trace 004EC9CF
Same thing
004EC98E |. 55 PUSH EBP
004EC98F |. 68 7ED04E00 PUSH addlal.004ED07E
004EC994 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004EC997 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004EC99A |. 8D55 F6 LEA EDX,DWORD PTR SS:[EBP-A]
004EC99D |. B0 01 MOV AL,1
004EC99F |. E8 E439FCFF CALL addlal.004B0388 // read the dongle
004EC9A4 |. 84C0 TEST AL,AL
004EC9A6 |. 75 42 JNZ SHORT addlal.004EC9EA // make it jump
004EC9A8 |. 6A 10 PUSH 10
004EC9AA |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004EC9AD |. A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004EC9B2 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EC9B4 |. E8 CB58F7FF CALL addlal.00462284
004EC9B9 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004EC9BC |. E8 D782F1FF CALL addlal.00404C98
004EC9C1 |. 8BC8 MOV ECX,EAX
004EC9C3 |. BA 8CD04E00 MOV EDX,addlal.004ED08C
004EC9C8 |. A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004EC9CD |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EC9CF |. E8 885EF7FF CALL addlal.0046285C
004EC9D4 |. A1 5C9E4F00 MOV EAX,DWORD PTR DS:[4F9E5C]
004EC9D9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EC9DB |. E8 D85DF7FF CALL addlal.004627B8
004EC9E0 |. E8 8F7CF1FF CALL addlal.00404674
004EC9E5 |. E9 7E060000 JMP addlal.004ED068
004EC9EA |> 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004EC9F0 |. 8B50 48 MOV EDX,DWORD PTR DS:[EAX+48]
004EC9F3 |. 8BC3 MOV EAX,EBX
004EC9F5 |. E8 3655F5FF CALL addlal.00441F30
004EC9FA |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004ECA00 |. 8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
004ECA03 |. 8BC3 MOV EAX,EBX
004ECA05 |. E8 4A55F5FF CALL addlal.00441F54
004ECA0A |. 33D2 XOR EDX,EDX
004ECA0C |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004ECA12 |. E8 CD54F5FF CALL addlal.00441EE4
004ECA17 |. BA 3B000000 MOV EDX,3B
004ECA1C |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004ECA22 |. E8 E154F5FF CALL addlal.00441F08
004ECA27 |. 8B83 7C030000 MOV EAX,DWORD PTR DS:[EBX+37C]
004ECA2D |. 8B50 48 MOV EDX,DWORD PTR DS:[EAX+48]
004ECA30 |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004ECA36 |. E8 F554F5FF CALL addlal.00441F30
004ECA3B |. 8B83 7C030000 MOV EAX,DWORD PTR DS:[EBX+37C]
004ECA41 |. 8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
004ECA44 |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004ECA4A |. E8 0555F5FF CALL addlal.00441F54
004ECA4F |. B2 03 MOV DL,3
004ECA51 |. 8BC3 MOV EAX,EBX
004ECA53 |. E8 94FFF6FF CALL addlal.0045C9EC
004ECA58 |. 68 84C64E00 PUSH addlal.004EC684
004ECA5D |. 6A FC PUSH -4
004ECA5F |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECA65 |. E8 C6C3F5FF CALL addlal.00448E30
004ECA6A |. 50 PUSH EAX ; |hWnd
004ECA6B |. E8 4CB0F1FF CALL <JMP.&user32.SetWindowLongA> ; \SetWindowLongA
004ECA70 |. A3 28D24F00 MOV DWORD PTR DS:[4FD228],EAX
004ECA75 |. BA 66030000 MOV EDX,366
004ECA7A |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECA80 |. E8 5F54F5FF CALL addlal.00441EE4
004ECA85 |. BA 4E000000 MOV EDX,4E
004ECA8A |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECA90 |. E8 7354F5FF CALL addlal.00441F08
004ECA95 |. BA 98000000 MOV EDX,98
004ECA9A |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECAA0 |. E8 8B54F5FF CALL addlal.00441F30
004ECAA5 |. BA 20020000 MOV EDX,220
004ECAAA |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECAB0 |. E8 9F54F5FF CALL addlal.00441F54
004ECAB5 |. 8B83 D4030000 MOV EAX,DWORD PTR DS:[EBX+3D4]
004ECABB |. E8 780CF8FF CALL addlal.0046D738
004ECAC0 |. A1 18994F00 MOV EAX,DWORD PTR DS:[4F9918]
004ECAC5 |. 8338 00 CMP DWORD PTR DS:[EAX],0
004ECAC8 |. 74 19 JE SHORT addlal.004ECAE3
004ECACA |. 8B15 18994F00 MOV EDX,DWORD PTR DS:[4F9918] ; addlal.004F90F8
004ECAD0 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
004ECAD2 |. 8B83 F4030000 MOV EAX,DWORD PTR DS:[EBX+3F4]
004ECAD8 |. 8B80 68010000 MOV EAX,DWORD PTR DS:[EAX+168]
004ECADE |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004ECAE0 |. FF51 08 CALL DWORD PTR DS:[ECX+8]
004ECAE3 |> B2 05 MOV DL,5
004ECAE5 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004ECAEB |. E8 9851F5FF CALL addlal.00441C88
004ECAF0 |. B2 01 MOV DL,1
004ECAF2 |. A1 10B34100 MOV EAX,DWORD PTR DS:[41B310]
004ECAF7 |. E8 EC6DF1FF CALL addlal.004038E8
004ECAFC |. 8983 24040000 MOV DWORD PTR DS:[EBX+424],EAX
004ECB02 |. B2 01 MOV DL,1
004ECB04 |. A1 10B34100 MOV EAX,DWORD PTR DS:[41B310]
Saved, OK; the software can run now.
I don't know how this dongle could be so simple.
Two steps and it runs; I really don't understand it.
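For defenders, the listings show why this protection was so thin: the routine at 004B0388 derives a 16-bit word from the dongle, but both callers only test the flag in AL. The sketch below is an added example, not part of the original post and not the vendor's code; the simulated dongle, byte values, table, LCG keystream and checksum are constructed assumptions. It contrasts that flag-only gate with one that consumes the word as key material.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins: a simulated dongle (r[] = four bytes read back),
   a sealed data blob, and sample values. None of this is from the target. */
typedef struct { int present; uint8_t r[4]; } fake_dongle;
typedef struct { uint8_t data[16]; uint32_t tag; } blob;
static const fake_dongle PRESENT = {1, {0x12, 0x34, 0x56, 0x78}}, ABSENT = {0, {0}};
static const uint8_t TABLE[16] = "calibration-v1!";

/* Same shape as 004B0388: a flag in the return value, plus a 16-bit word
   packed from two XORed byte pairs and written through the pointer. */
int read_dongle(const fake_dongle *d, uint16_t *word) {
    if (!d->present) return 0;
    *word = (uint16_t)((d->r[0] ^ d->r[1]) | ((d->r[2] ^ d->r[3]) << 8));
    return 1;
}

/* Toy keystream (16-bit LCG) and checksum: illustration only, not crypto. */
void mask(uint8_t *buf, size_t n, uint16_t s) {
    for (size_t i = 0; i < n; i++) {
        s = (uint16_t)(s * 25173u + 13849u);
        buf[i] ^= (uint8_t)(s >> 8);
    }
}
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Build-time step: ship the table masked under the dongle word. */
blob seal(const uint8_t plain[16], uint16_t word) {
    blob b = { {0}, fnv1a(plain, 16) };
    memcpy(b.data, plain, 16);
    mask(b.data, 16, word);
    return b;
}

/* Weak gate: one flag decides; `tampered` models an altered branch. */
int gate_boolean(const fake_dongle *d, int tampered) {
    uint16_t w = 0;
    return read_dongle(d, &w) || tampered;
}

/* Bound gate: the word is key material. If the flag check is skipped, w is
   still wrong, so out[] is garbage whatever happens to the tag comparison. */
int gate_bound(const fake_dongle *d, int tampered, const blob *b, uint8_t *out) {
    uint16_t w = 0;
    if (!(read_dongle(d, &w) || tampered)) return 0;
    memcpy(out, b->data, 16);
    mask(out, 16, w);
    return fnv1a(out, 16) == b->tag;
}

/* bit0: weak gate passes tampered; bit1/bit2: table recovered without/with dongle */
int demo(void) {
    uint16_t w = 0; uint8_t out[16];
    read_dongle(&PRESENT, &w);
    blob b = seal(TABLE, w);
    int r = gate_boolean(&ABSENT, 1);
    r |= (gate_bound(&ABSENT, 1, &b, out) && !memcmp(out, TABLE, 16)) << 1;
    r |= (gate_bound(&PRESENT, 0, &b, out) && !memcmp(out, TABLE, 16)) << 2;
    return r;
}
int main(void) { return demo() == 5 ? 0 : 1; }
```

A 16-bit word is far too small for real key material; the example only shows the structure, in which the program needs the dongle's answer as data rather than as a yes/no.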