- UID
- 69258
注册时间2010-7-21
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
发表于 2010-12-30 15:55:29
|
显示全部楼层
- 好猥琐,不断创建线程
- 00401740 /$ A1 5C564200 mov eax,dword ptr ds:[0x42565C]
- 00401745 |. 85C0 test eax,eax ; 线程创建
- 00401747 75 18 jnz short First_Cr.00401761
- 00401749 |. 68 5C564200 push First_Cr.0042565C ; /pThreadId = First_Cr.0042565C
- 0040174E |. 6A 00 push 0x0 ; |CreationFlags = 0
- 00401750 |. 6A 00 push 0x0 ; |pThreadParm = NULL
- 00401752 |. 68 40164000 push First_Cr.00401640 ; |ThreadFunction = First_Cr.00401640
- 00401757 |. 6A 00 push 0x0 ; |StackSize = 0
- 00401759 |. 6A 00 push 0x0 ; |pSecurity = NULL
- 0040175B |. FF15 14524100 call dword ptr ds:[<&KERNEL32.CreateThread>] ; \CreateThread
- 00401761 \> C3 retn
- 线程函数
- 00401640 /. 55 push ebp ; 创建一个新线程
- 00401641 |. 8BEC mov ebp,esp
- 00401643 |. 6A FF push -0x1
- 00401645 |. 68 68554100 push First_Cr.00415568
- 0040164A |. 68 44274000 push First_Cr.00402744 ; SE 处理程序安装
- 0040164F |. 64:A1 0000000>mov eax,dword ptr fs:[0]
- 00401655 |. 50 push eax
- 00401656 |. 64:8925 00000>mov dword ptr fs:[0],esp
- 0040165D |. 83EC 14 sub esp,0x14
- 00401660 |. 53 push ebx
- 00401661 |. 56 push esi
- 00401662 |. 57 push edi
- 00401663 |. 8965 E8 mov [local.6],esp
- 00401666 |. 33F6 xor esi,esi
- 00401668 |. 8975 FC mov [local.1],esi
- 0040166B |. 6A 50 push 0x50 ; /Timeout = 80. ms
- 0040166D |. FF15 18524100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
- 00401673 |. 8975 E4 mov [local.7],esi
- 00401676 |. 56 push esi
- 00401677 |. E8 E10F0000 call First_Cr.0040265D
- 0040167C |. 50 push eax
- 0040167D |. E8 AC0F0000 call First_Cr.0040262E
- 00401682 |. 83C4 08 add esp,0x8
- 00401685 |. E8 B10F0000 call First_Cr.0040263B
- 0040168A |. 99 cdq
- 0040168B |. B9 E8030000 mov ecx,0x3E8
- 00401690 |. F7F9 idiv ecx
- 00401692 |. 8955 E0 mov [local.8],edx
- 00401695 |. 8D34D5 000000>lea esi,dword ptr ds:[edx*8]
- 0040169C |. 2BF2 sub esi,edx
- 0040169E |. D1E6 shl esi,1
- 004016A0 |. 8D9E A81F4200 lea ebx,dword ptr ds:[esi+0x421FA8]
- 004016A6 |. 8BFB mov edi,ebx
- 004016A8 |. 83C9 FF or ecx,-0x1
- 004016AB |. 33C0 xor eax,eax
- 004016AD |. F2:AE repne scas byte ptr es:[edi]
- 004016AF |. F7D1 not ecx
- 004016B1 |. 49 dec ecx
- 004016B2 |. 83F9 0C cmp ecx,0xC
- 004016B5 |. 75 35 jnz short First_Cr.004016EC
- 004016B7 |> 8945 DC /mov [local.9],eax
- 004016BA |. 83F8 0B |cmp eax,0xB
- 004016BD |. 7F 0A |jg short First_Cr.004016C9
- 004016BF |. 0FBE1403 |movsx edx,byte ptr ds:[ebx+eax]
- 004016C3 |. 0155 E4 |add [local.7],edx
- 004016C6 |. 40 |inc eax
- 004016C7 |.^ EB EE \jmp short First_Cr.004016B7
- 004016C9 |> 817D E4 A8030>cmp [local.7],0x3A8
- 004016D0 |. 75 1A jnz short First_Cr.004016EC
- 004016D2 |. 8D86 AE1F4200 lea eax,dword ptr ds:[esi+0x421FAE]
- 004016D8 |. 50 push eax
- 004016D9 |. E8 12FFFFFF call First_Cr.004015F0
- 004016DE |. 68 A8030000 push 0x3A8
- 004016E3 |. 53 push ebx
- 004016E4 |. E8 F7FDFFFF call First_Cr.004014E0
- 004016E9 |. 83C4 0C add esp,0xC
- 004016EC |> C745 FC FFFFF>mov [local.1],-0x1
- 004016F3 |. C705 5C564200>mov dword ptr ds:[0x42565C],0x0
- 004016FD |. 8B4D F0 mov ecx,[local.4]
- 00401700 |. 64:890D 00000>mov dword ptr fs:[0],ecx
- 00401707 |. 5F pop edi
- 00401708 |. 5E pop esi
- 00401709 |. 5B pop ebx
- 0040170A |. 8BE5 mov esp,ebp
- 0040170C |. 5D pop ebp
- 0040170D \. C2 0400 retn 0x4
- 00401710 . B8 01000000 mov eax,0x1
- 00401715 . C3 retn
- 00401716 . 8B65 E8 mov esp,dword ptr ss:[ebp-0x18]
- 00401719 . C705 5C564200>mov dword ptr ds:[0x42565C],0x0
- 00401723 . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
- 0040172A . 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10]
- 0040172D . 64:890D 00000>mov dword ptr fs:[0],ecx
- 00401734 . 5F pop edi
- 00401735 . 5E pop esi
- 00401736 . 5B pop ebx
- 00401737 . 8BE5 mov esp,ebp
- 00401739 . 5D pop ebp
- 0040173A . C2 0400 retn 0x4
- //注册按钮处的核心代码
- 00401770 . 53 push ebx
- 00401771 . 56 push esi ; First_Cr.004154E0
- 00401772 . 57 push edi
- 00401773 . 8BD9 mov ebx,ecx
- 00401775 . 6A 01 push 0x1
- 00401777 . E8 96E80000 call First_Cr.00410012
- 0040177C . 8B43 5C mov eax,dword ptr ds:[ebx+0x5C]
- 0040177F . 8378 F8 0C cmp dword ptr ds:[eax-0x8],0xC ; 注册码的个数要等于0XC
- 00401783 0F85 C1000000 jnz First_Cr.0040184A ; (Initial CPU selection)
- 00401789 . BA 88D14100 mov edx,First_Cr.0041D188 ;
- 0040178E > BF A0A04100 mov edi,First_Cr.0041A0A0 ; 我能更猥琐,呵呵, 直接 把failed 改成 OK!
- 00401793 . 83C9 FF or ecx,-0x1
- 00401796 . 33C0 xor eax,eax
- 00401798 . F2:AE repne scas byte ptr es:[edi]
- 0040179A . F7D1 not ecx
- 0040179C . 2BF9 sub edi,ecx
- 0040179E . 8BC1 mov eax,ecx
- 004017A0 . 8BF7 mov esi,edi
- 004017A2 . 8BFA mov edi,edx
- 004017A4 . 83C2 14 add edx,0x14
- 004017A7 . C1E9 02 shr ecx,0x2
- 004017AA . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
- 004017AC . 8BC8 mov ecx,eax
- 004017AE . 83E1 03 and ecx,0x3
- 004017B1 . 81FA 941F4200 cmp edx,First_Cr.00421F94
- 004017B7 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
- 004017B9 .^ 7E D3 jle short First_Cr.0040178E
- 004017BB . BA A81F4200 mov edx,First_Cr.00421FA8 ; 123
- 004017C0 > 8B7B 5C mov edi,dword ptr ds:[ebx+0x5C]
- 004017C3 . 83C9 FF or ecx,-0x1
- 004017C6 . 33C0 xor eax,eax
- 004017C8 . F2:AE repne scas byte ptr es:[edi]
- 004017CA . F7D1 not ecx
- 004017CC . 2BF9 sub edi,ecx
- 004017CE . 8BC1 mov eax,ecx
- 004017D0 . 8BF7 mov esi,edi
- 004017D2 . 8BFA mov edi,edx
- 004017D4 . 83C2 0E add edx,0xE
- 004017D7 . C1E9 02 shr ecx,0x2
- 004017DA . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
- 004017DC . 8BC8 mov ecx,eax
- 004017DE . 83E1 03 and ecx,0x3
- 004017E1 . 81FA 4A564200 cmp edx,First_Cr.0042564A
- 004017E7 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
- 004017E9 .^ 7E D5 jle short First_Cr.004017C0
- 004017EB . E8 50FFFFFF call First_Cr.00401740
- 004017F0 . 8B35 10524100 mov esi,dword ptr ds:[<&KERNEL32.GetTickCount>] ; kernel32.GetTickCount
- 004017F6 . FFD6 call esi ; [GetTickCount
- 004017F8 . 68 D0070000 push 0x7D0 ; /Timeout = 2000. ms
- 004017FD . 8BF8 mov edi,eax ; |
- 004017FF . FF15 18524100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
- 00401805 . FFD6 call esi ; [GetTickCount
- 00401807 . 2BC7 sub eax,edi
- 00401809 . 3D 34080000 cmp eax,0x834 ;一个检测时间的反调试,比较2次时间差是否大于0x834ms ,如果大于,就直接return
- 0040180E . 77 3A ja short First_Cr.0040184A
- 00401810 . 33C0 xor eax,eax
- 00401812 . B9 88D14100 mov ecx,First_Cr.0041D188 ; 我能更猥琐,呵呵, 直接 把failed 改成 OK!
- 00401817 > 8039 66 cmp byte ptr ds:[ecx],0x66
- 0040181A . 75 32 jnz short First_Cr.0040184E ;比较地址 0x0041d188处的第一个字节是不是 0x66 [f,也就是failed的第一字符] ,如果不是就弹出提示窗口,可能是成功把。
- 0040181C . 83C1 14 add ecx,0x14
- 0040181F . 40 inc eax
- 00401820 . 81F9 941F4200 cmp ecx,First_Cr.00421F94
- 00401826 .^ 7E EF jle short First_Cr.00401817
- 00401828 . 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
- 0040182A . 68 C0A04100 push First_Cr.0041A0C0 ; |提示
- 0040182F . 68 88D14100 push First_Cr.0041D188 ; |failed
- 00401834 . 6A 00 push 0x0 ; |hOwner = NULL
- 00401836 . FF15 90534100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
- 0040183C . B9 AC0D0000 mov ecx,0xDAC
- 00401841 . 33C0 xor eax,eax
- 00401843 . BF A81F4200 mov edi,First_Cr.00421FA8 ; 123
- 00401848 . F3:AB rep stos dword ptr es:[edi]
- 0040184A > 5F pop edi
- 0040184B . 5E pop esi
- 0040184C . 5B pop ebx
- 0040184D . C3 retn
- 0040184E > 8D0480 lea eax,dword ptr ds:[eax+eax*4]
- 00401851 . 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
- 00401853 . 68 C0A04100 push First_Cr.0041A0C0 ; |提示
- 00401858 . 8D1C85 88D141>lea ebx,dword ptr ds:[eax*4+0x41D188] ; |
- 0040185F . 53 push ebx ; |Text
- 00401860 . 6A 00 push 0x0 ; |hOwner = NULL
- 00401862 . FF15 90534100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
- 00401868 . B9 AC0D0000 mov ecx,0xDAC
- 0040186D . 33C0 xor eax,eax
- 0040186F . BF A81F4200 mov edi,First_Cr.00421FA8 ; 123
- 00401874 . F3:AB rep stos dword ptr es:[edi]
- 00401876 . BF A0A04100 mov edi,First_Cr.0041A0A0 ; failed
- 0040187B . 83C9 FF or ecx,-0x1
- 0040187E . F2:AE repne scas byte ptr es:[edi]
- 00401880 . F7D1 not ecx
- 00401882 . 2BF9 sub edi,ecx
- 00401884 . 8BD1 mov edx,ecx
- 00401886 . 8BF7 mov esi,edi
- 00401888 . 8BFB mov edi,ebx
- 0040188A . C1E9 02 shr ecx,0x2
- 0040188D . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
- 0040188F . 8BCA mov ecx,edx
- 00401891 . 83E1 03 and ecx,0x3
- 00401894 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
- 00401896 . 5F pop edi
- 00401897 . 5E pop esi
- 00401898 . 5B pop ebx
- 00401899 . C3 retn
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
[复制链接]
IP卡
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2010-6-4 12:25:56
发表于 2010-6-4 12:27:43
发表于 2010-6-4 12:31:15
发表于 2010-7-31 14:51:56
