The registration info is saved in the registry:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Internet Download Manager]
"AdvIntDriverEnabled2"=dword:00000001
"FName"="GG"
"LName"="LHY"
"Email"="[email protected]"
"Serial"="22279-222Q7-222QJ-222QA"
```
To be continued...............
20140509.1137
Rebooted; the nag window pops up...
Searched all commands for CMP ECX,17, found the start of each function and set breakpoints on all of them. After running, it broke at:
```
004435F0 |. 8D7D 80          LEA EDI,DWORD PTR SS:[EBP-80]      ; (ASCII "22279-222Q7-222QJ-222QA")
004435F3 |. 83C9 FF          OR ECX,FFFFFFFF
004435F6 |. 33C0             XOR EAX,EAX
004435F8 |. F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
004435FA |. F7D1             NOT ECX
004435FC |. 49               DEC ECX
004435FD |. 83F9 17          CMP ECX,17
00443600 |. 75 1C            JNZ SHORT IDMan---.0044361E
00443602 |. 807D 85 2D       CMP BYTE PTR SS:[EBP-7B],2D
00443606 |. 75 16            JNZ SHORT IDMan---.0044361E
00443608 |. 807D 8B 2D       CMP BYTE PTR SS:[EBP-75],2D
0044360C |. 75 10            JNZ SHORT IDMan---.0044361E
0044360E |. 807D 91 2D       CMP BYTE PTR SS:[EBP-6F],2D
00443612 |. 75 0A            JNZ SHORT IDMan---.0044361E
00443614 |. C705 A43E6900 0> MOV DWORD PTR DS:[693EA4],0        ; local global??? seems not to matter much
(part of the code omitted...)
00443E64 |. E8 17F90A00      CALL IDMan---.004F3780
00443E69 |. B8 03000000      MOV EAX,3                          ; this should be changed to MOV EAX,0 !!!!!
00443E6E |. 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
00443E71 |. 64:890D 0000000> MOV DWORD PTR FS:[0],ECX
00443E78 |. 5F               POP EDI
00443E79 |. 5E               POP ESI
00443E7A |. 5B               POP EBX
00443E7B |. 8BE5             MOV ESP,EBP
00443E7D |. 5D               POP EBP
00443E7E |. C3               RETN
```

Because further down you see:
```
00443F7D |. 49               DEC ECX
00443F7E |. 83F9 17          CMP ECX,17
00443F81 |. 75 57            JNZ SHORT IDMan---.00443FDA
00443F83 |. 807D 85 2D       CMP BYTE PTR SS:[EBP-7B],2D
00443F87 |. 75 51            JNZ SHORT IDMan---.00443FDA
00443F89 |. 807D 8B 2D       CMP BYTE PTR SS:[EBP-75],2D
00443F8D |. 75 4B            JNZ SHORT IDMan---.00443FDA
00443F8F |. 807D 91 2D       CMP BYTE PTR SS:[EBP-6F],2D
00443F93 |. 75 45            JNZ SHORT IDMan---.00443FDA
00443F95 |. A1 84E86B00      MOV EAX,DWORD PTR DS:[6BE884]
(part of the code omitted)
00443FC7 |. 33C0             XOR EAX,EAX                        ; EAX = 0 !!!
00443FC9 |. 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
00443FCC |. 64:890D 0000000> MOV DWORD PTR FS:[0],ECX
00443FD3 |. 5F               POP EDI
00443FD4 |. 5E               POP ESI
00443FD5 |. 5B               POP EBX
00443FD6 |. 8BE5             MOV ESP,EBP
00443FD8 |. 5D               POP EBP
00443FD9 |. C3               RETN
```

Summary: change MOV EAX,3 at 00443E69 to MOV EAX,0 !!!!!
Launched the program with the modification saved; it still pops up... So, same old method again: search for CMP ECX,17, find the function start and set a breakpoint.
It broke at:
```
0044C150 /$ 55               PUSH EBP                           ; 2!!!!!
0044C151 |. 8BEC             MOV EBP,ESP
0044C153 |. 6A FF            PUSH -1
(part of the code omitted..)
0044C824 |> /C745 E0 0400000> MOV DWORD PTR SS:[EBP-20],4
0044C82B |. |E9 B5010000     JMP IDMan---.0044C9E5
0044C830 |> |8A45 90         MOV AL,BYTE PTR SS:[EBP-70]        ; the saved serial!
0044C833 |. |84C0            TEST AL,AL
0044C835 |. |74 47           JE SHORT IDMan---.0044C87E
(part of the code omitted.. again those few strings being compared against the serial~~~)
0044C97E |> \85C0            TEST EAX,EAX
0044C980 |. /75 5A           JNZ SHORT IDMan---.0044C9DC
0044C982 |. 8DBD 4CFFFFFF    LEA EDI,DWORD PTR SS:[EBP-B4]
0044C988 |. 83C9 FF          OR ECX,FFFFFFFF
0044C98B |. F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
0044C98D |. F7D1             NOT ECX
0044C98F |. 49               DEC ECX
0044C990 |.^ 0F84 8EFEFFFF   JE IDMan---.0044C824
0044C996 |. 8D7D 90          LEA EDI,DWORD PTR SS:[EBP-70]
0044C999 |. 83C9 FF          OR ECX,FFFFFFFF
0044C99C |. F2:AE            REPNE SCAS BYTE PTR ES:[EDI]
0044C99E |. F7D1             NOT ECX
0044C9A0 |. 49               DEC ECX
0044C9A1 |. 83F9 17          CMP ECX,17
0044C9A4 |.^ 0F85 7AFEFFFF   JNZ IDMan---.0044C824
0044C9AA |. 8A4D 95          MOV CL,BYTE PTR SS:[EBP-6B]
0044C9AD |. B0 2D            MOV AL,2D
0044C9AF |. 3AC8             CMP CL,AL
0044C9B1 |.^ 0F85 6DFEFFFF   JNZ IDMan---.0044C824
0044C9B7 |. 3845 9B          CMP BYTE PTR SS:[EBP-65],AL
0044C9BA |.^ 0F85 64FEFFFF   JNZ IDMan---.0044C824
0044C9C0 |. 3845 A1          CMP BYTE PTR SS:[EBP-5F],AL
0044C9C3 |.^ 0F85 5BFEFFFF   JNZ IDMan---.0044C824
0044C9C9 |. 33C0             XOR EAX,EAX                        ; guessing that zeroing EAX is the right choice~~~~
0044C9CB |. 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
0044C9CE |. 64:890D 0000000> MOV DWORD PTR FS:[0],ECX
0044C9D5 |. 5F               POP EDI
0044C9D6 |. 5E               POP ESI
0044C9D7 |. 5B               POP EBX
0044C9D8 |. 8BE5             MOV ESP,EBP
0044C9DA |. 5D               POP EBP
0044C9DB |. C3               RETN
0044C9DC |> 895D E0          MOV DWORD PTR SS:[EBP-20],EBX      ; careful from here on!!!
0044C9DF ^  75 04            JE SHORT IDMan---.0044C9E5         ; try skipping SetTimer? or jump to 0044CA52?
0044C9E1 |> 85C0             TEST EAX,EAX
0044C9E3 |. 74 6D            JE SHORT IDMan---.0044CA52
0044C9E5 |> 6A 00            PUSH 0                             ; below this there is SetTimer, and also ExitProcess
0044C9E7 |. E8 8FBD1600      CALL IDMan---.005B877B
0044C9EC |. 50               PUSH EAX
0044C9ED |. E8 DBCB1600      CALL IDMan---.005B95CD
0044C9F2 |. 83C4 08          ADD ESP,8
0044C9F5 |. E8 E0CB1600      CALL IDMan---.005B95DA
0044C9FA |. 8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
0044C9FD |. DB45 EC          FILD DWORD PTR SS:[EBP-14]
0044CA00 |. DC0D 98C56000    FMUL QWORD PTR DS:[60C598]
0044CA06 |. E8 FDA91600      CALL IDMan---.005B7408
0044CA0B |. 8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
0044CA0E |. BE E8030000      MOV ESI,3E8
0044CA13 |. 8B1D 98176000    MOV EBX,DWORD PTR DS:[<&USER32.SetT>; USER32.SetTimer
0044CA19 |. 2BF0             SUB ESI,EAX
0044CA1B |. 8B4F 1C          MOV ECX,DWORD PTR DS:[EDI+1C]
0044CA1E |. 6A 00            PUSH 0                             ; /Timerproc = NULL
0044CA20 |. 8D86 204E0000    LEA EAX,DWORD PTR DS:[ESI+4E20]    ; |
0044CA26 |. C787 24020000 B> MOV DWORD PTR DS:[EDI+224],88B8    ; |
0044CA30 |. 50               PUSH EAX                           ; |Timeout
0044CA31 |. 6A 01            PUSH 1                             ; |TimerID = 1
0044CA33 |. 51               PUSH ECX                           ; |hWnd
0044CA34 |. FFD3             CALL EBX                           ; \SetTimer
0044CA36 |. 8A87 FC010000    MOV AL,BYTE PTR DS:[EDI+1FC]
0044CA3C |. 84C0             TEST AL,AL
0044CA3E |. 75 26            JNZ SHORT IDMan---.0044CA66
0044CA40 |. 8B57 1C          MOV EDX,DWORD PTR DS:[EDI+1C]
0044CA43 |. 6A 00            PUSH 0                             ; /Timerproc = NULL
0044CA45 |. 56               PUSH ESI                           ; |Timeout
0044CA46 |. 6A 6F            PUSH 6F                            ; |TimerID = 6F (111.)
0044CA48 |. 52               PUSH EDX                           ; |hWnd
0044CA49 |. C687 FC010000 0> MOV BYTE PTR DS:[EDI+1FC],1        ; |
0044CA50 |. FFD3             CALL EBX                           ; \SetTimer
0044CA52 |> 8B45 E0          MOV EAX,DWORD PTR SS:[EBP-20]
0044CA55 |. 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
0044CA58 |. 64:890D 0000000> MOV DWORD PTR FS:[0],ECX
0044CA5F |. 5F               POP EDI
0044CA60 |. 5E               POP ESI
0044CA61 |. 5B               POP EBX
0044CA62 |. 8BE5             MOV ESP,EBP
0044CA64 |. 5D               POP EBP
0044CA65 |. C3               RETN
0044CA66 |> 6A 00            PUSH 0                             ; /ExitCode = 0
0044CA68 \. FF15 74146000    CALL DWORD PTR DS:[<&KERNEL32.ExitP>; \ExitProcess
```

Summary: change 0044C9DF to JMP SHORT IDMan.0044C9C9 ; try skipping SetTimer?
OK...
It looks like there are still CMP ECX,17 instructions that never got hit. I guess there are more verification pop-ups.....
To be continued...........................
Haha, the 3rd spot finally showed itself... so it was this one!
Going back to post it!
Thanks to brother 奔腾450 for the friendly testing!
2014.05.10 12.25
Today, not long after turning on the computer, the pop-up finally appeared... haha
So, loaded it into OD once again.....
While it was running, I noticed the saved serial keeps having "heart-to-hearts" with the fixed string "506938841"~~~~, so I set breakpoints at every location where that string appears..
When clicking Check for Updates, the problem happens here:
```
00450921   50               push eax
00450922   51               push ecx
00450923   8D55 0C          lea edx,dword ptr ss:[ebp+0xC]
00450926   68 7C546900      push IDMan.0069547C                ; "%%s" /ch %ld /w %I64d
0045092B   52               push edx
0045092C   C645 FC 0D       mov byte ptr ss:[ebp-0x4],0xD
00450930   E8 53BA1700      call IDMan.005CC388
00450935   8BBB E8120000    mov edi,dword ptr ds:[ebx+0x12E8]
0045093B   83C4 14          add esp,0x14
0045093E   47               inc edi
0045093F   33C0             xor eax,eax
00450941   89BB E8120000    mov dword ptr ds:[ebx+0x12E8],edi
00450947   8985 68FFFFFF    mov dword ptr ss:[ebp-0x98],eax
0045094D   89B5 70FFFFFF    mov dword ptr ss:[ebp-0x90],esi
00450953   66:89B5 6CFFFFF> mov word ptr ss:[ebp-0x94],si
0045095A   8B4D D4          mov ecx,dword ptr ss:[ebp-0x2C]
```

(Unfortunately I didn't record where the first half broke at the time!) Until:
```
00450A75   56               push esi
00450A76   56               push esi
00450A77   6A 30            push 0x30
00450A79   6A 01            push 0x1
00450A7B   56               push esi
00450A7C   56               push esi
00450A7D   50               push eax
00450A7E   56               push esi
00450A7F   FF15 78146000    call dword ptr ds:[<&KERNEL32.CreatePro>; KERNEL32.CreateProcessW
00450A85   3BC6             cmp eax,esi                        ; pop-up appears~~~
00450A87   74 18            je short IDMan.00450AA1
00450A89   8B95 38FEFFFF    mov edx,dword ptr ss:[ebp-0x1C8]
00450A8F   8B35 AC146000    mov esi,dword ptr ds:[<&KERNEL32.CloseH>; KERNEL32.CloseHandle
```

At
```
00450882   FF15 AC126000    call dword ptr ds:[<&KERNEL32.GetFileAt>; KERNEL32.GetFileAttributesW
00450888   83F8 FF          cmp eax,-0x1
```

Looking at the stack, it seems to be checking whether the file "IDMGrHlp.exe" exists in the install folder...
So I searched upward and saw:
```
00450746   85F6             test esi,esi
00450748   0F84 28010000    je IDMan.00450876
0045074E   B8 94546900      mov eax,IDMan.00695494             ; IDMGrHlp.exe
00450753   85C0             test eax,eax
00450755   0F84 1B010000    je IDMan.00450876
0045075B   33C0             xor eax,eax
0045075D   8D8D 50FFFFFF    lea ecx,dword ptr ss:[ebp-0xB0]
00450763   50               push eax
00450764   52               push edx
00450765   8985 50FFFFFF    mov dword ptr ss:[ebp-0xB0],eax
0045076B   8985 58FFFFFF    mov dword ptr ss:[ebp-0xA8],eax
00450771   66:8985 54FFFFFF mov word ptr ss:[ebp-0xAC],ax
00450778   E8 1321FBFF      call IDMan.00402890
0045077D   56               push esi
0045077E   8D8D 40FFFFFF    lea ecx,dword ptr ss:[ebp-0xC0]
00450784   C645 FC 0A       mov byte ptr ss:[ebp-0x4],0xA
00450788   E8 B3CFFBFF      call IDMan.0040D740
0045078D   68 94546900      push IDMan.00695494                ; IDMGrHlp.exe
00450792   8D8D 78FFFFFF    lea ecx,dword ptr ss:[ebp-0x88]
```

Tying this to the line just above the earlier pop-up:
```
00450A7F   FF15 78146000    call dword ptr ds:[<&KERNEL32.CreatePro>; KERNEL32.CreateProcessW
```

I guess this "IDMGrHlp.exe" is secretly up to no good!!!
So I looked around for something that could skip this "CreateProcessW".
Very nice, found one line:

```
0045088B  /0F84 2B020000    je IDMan.00450ABC                  ; ???
```

Change it to:

```
0045088B  /E9 2C020000      jmp IDMan.00450ABC                 ;
```

In theory this forcibly skips the CreateProcess.........., heh~~~
Later I'll also NOP out this JE and compare~~~ see what the test results are~~~
So far, no pop-up. Attaching the KO'd program; hope everyone helps test it....... Thanks!
⊙﹏⊙b sweat, it says the attachment exceeds the server's size limit... forget it, I'll throw it in the PDG group
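As an added example (not code from the original post, and not the product's own code): the serial-layout check that the three listings above implement at 004435FD, 00443F7E and 0044C9A1, written out in C so the idiom is readable. Everything in it is taken from the listing: the buffer sits at [EBP-80] (or [EBP-70] in the third listing), the byte compares against 2D ('-') hit [EBP-7B], [EBP-75] and [EBP-6F] (or [EBP-6B], [EBP-65], [EBP-5F]), which are indexes 5, 11 and 17 in both cases, and the length compare is CMP ECX,17 (0x17 = 23). The OR ECX,-1 / XOR EAX,EAX / REPNE SCASB / NOT ECX / DEC ECX sequence is the compiler's inline strlen and is reproduced step by step. The first sample input is the serial from the post's registry dump; the other two are constructed malformed variants. Note what this does and does not tell you: it is only a layout gate, and the listings show the actual verdict being set elsewhere (MOV EAX,3 versus XOR EAX,EAX), so a string passing this function has not been validated in any way.

```c
/* Reconstruction of the serial-layout check seen at 004435FD, 00443F7E
 * and 0044C9A1 in the IDMan listings. Added example; offsets and constants
 * come from the listing, the helper/function names are my own. */
#include <stddef.h>
#include <stdio.h>

#define SERIAL_LEN 0x17   /* CMP ECX,17  -> exact length 23 */
#define SEPARATOR  0x2D   /* CMP BYTE PTR ...,2D  -> '-' */

/* OR ECX,FFFFFFFF / XOR EAX,EAX / REPNE SCAS BYTE PTR ES:[EDI] / NOT ECX / DEC ECX.
 * REPNE SCASB scans for AL (0) and decrements ECX once per byte scanned,
 * including the terminating NUL; NOT turns the count-down into a count,
 * DEC drops the NUL. The result is strlen(). */
static size_t repne_scasb_strlen(const char *s)
{
    unsigned int ecx = 0xFFFFFFFFu;   /* OR ECX,FFFFFFFF */
    const char *edi = s;              /* LEA EDI,[buffer] */
    do {
        ecx--;                        /* one REPNE iteration */
    } while (*edi++ != '\0');         /* stop when [EDI] == AL (0) */
    ecx = ~ecx;                       /* NOT ECX */
    ecx--;                            /* DEC ECX */
    return ecx;
}

/* Mirror of 004435FD..00443612 and 0044C9A1..0044C9C3:
 * length must be exactly 23 and bytes 5, 11 and 17 must be '-'.
 * Returns 1 on the fall-through path (towards XOR EAX,EAX),
 * 0 on any JNZ to 0044361E / 0044C824. */
int serial_layout_ok(const char *serial)
{
    /* [EBP-7B],[EBP-75],[EBP-6F] relative to the buffer at [EBP-80]:
     * 0x80-0x7B = 5, 0x80-0x75 = 11, 0x80-0x6F = 17 */
    static const size_t dash_at[] = { 5, 11, 17 };
    size_t i;

    if (repne_scasb_strlen(serial) != SERIAL_LEN)   /* CMP ECX,17 / JNZ */
        return 0;
    for (i = 0; i < sizeof dash_at / sizeof dash_at[0]; i++)
        if ((unsigned char)serial[dash_at[i]] != SEPARATOR) /* CMP BYTE PTR,2D / JNZ */
            return 0;
    return 1;
}

int main(void)
{
    /* First entry is the serial from the post's registry dump; the other
     * two are constructed malformed variants (sample input, not from the page). */
    const char *samples[] = {
        "22279-222Q7-222QJ-222QA",  /* 23 chars, dashes at 5/11/17 -> layout_ok=1 */
        "22279-222Q7-222QJ-222Q",   /* 22 chars, fails CMP ECX,17 -> layout_ok=0 */
        "22279x222Q7-222QJ-222QA",  /* 23 chars, index 5 is not '-' -> layout_ok=0 */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s len=%2zu layout_ok=%d\n", samples[i],
               repne_scasb_strlen(samples[i]), serial_layout_ok(samples[i]));
    return 0;
}
```

When you are hunting these checks in a debugger, the useful takeaway is the shape: any `OR ECX,-1 / REPNE SCASB / NOT ECX / DEC ECX / CMP ECX,imm` run followed by a few `CMP BYTE PTR [EBP-xx],2D` compares is a strlen plus fixed-position separator check, and the immediates (0x17 and the frame offsets) tell you the expected length and group layout without single-stepping.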