Posted on 2009-2-4 22:57:38
This thing has a lot of checks; I didn't analyze it carefully...
I just poked at it a bit; whether that solves it or not, reply and we'll see.
It's just a few jumps.
Set a breakpoint on the dialog box, then traced back from it,
and found a few places where the original program doesn't jump but the renamed program does.
0040D6E4 /$ B8 8CA44600 mov eax, ultra1.0046A48C
0040D6E9 |. E8 DE680200 call ultra1.00433FCC
0040D6EE |. 83EC 10 sub esp, 10
0040D6F1 |. 53 push ebx
0040D6F2 |. 33DB xor ebx, ebx
0040D6F4 |. 53 push ebx
0040D6F5 |. 6A 20 push 20
0040D6F7 |. 53 push ebx
0040D6F8 |. 8D4D E4 lea ecx, dword ptr ss:[ebp-1C]
0040D6FB |. E8 C44AFFFF call ultra1.004021C4
0040D700 |. FF35 68704900 push dword ptr ds:[497068]
0040D706 |. 8D4D E4 lea ecx, dword ptr ss:[ebp-1C]
0040D709 |. 895D FC mov dword ptr ss:[ebp-4], ebx
0040D70C |. E8 B4000000 call ultra1.0040D7C5
0040D711 |. 395D 08 cmp dword ptr ss:[ebp+8], ebx
0040D714 |. 74 2E je short ultra1.0040D744
0040D716 |. FF75 08 push dword ptr ss:[ebp+8]
0040D719 |. FF35 68704900 push dword ptr ds:[497068]
0040D71F |. E8 4AF6FFFF call ultra1.0040CD6E
0040D724 |. 59 pop ecx
0040D725 |. 50 push eax
0040D726 |. E8 D5FA0200 call ultra1.0043D200
0040D72B |. 59 pop ecx
0040D72C |. 85C0 test eax, eax
0040D72E |. 59 pop ecx
0040D72F |. 74 13 je short ultra1.0040D744 ; after the rename this doesn't jump, so just change it to JMP
0040D731 |. 53 push ebx
0040D732 |. 53 push ebx
0040D733 |. 68 1C794800 push ultra1.0048791C ; ASCII "This program's name has been changed; please rename the program to its original name."
0040D738 |. E8 7D5C0400 call ultra1.004533BA
0040D73D |. 6A 02 push 2
0040D73F |. E8 73810200 call ultra1.004358B7
0040D744 |> A1 B0784800 mov eax, dword ptr ds:[4878B0]
0040D749 |. 8B4D E4 mov ecx, dword ptr ss:[ebp-1C]
0040D74C |. 56 push esi
0040D74D |. 57 push edi
0040D74E |. 8B78 04 mov edi, dword ptr ds:[eax+4]
0040D751 |. 8B45 E8 mov eax, dword ptr ss:[ebp-18]
0040D754 |. 2BC1 sub eax, ecx
0040D756 |. 3BF8 cmp edi, eax
0040D758 |. 73 26 jnb short ultra1.0040D780
0040D75A |. 2BC7 sub eax, edi
0040D75C |. 6A FF push -1
0040D75E |. 83E8 08 sub eax, 8
0040D761 |. 50 push eax
0040D762 |. 8D440F 08 lea eax, dword ptr ds:[edi+ecx+8]
0040D766 |. 50 push eax
0040D767 |. E8 E260FFFF call ultra1.0040384E
0040D76C |. 6A FF push -1
0040D76E |. 57 push edi
0040D76F |. FF75 E4 push dword ptr ss:[ebp-1C]
0040D772 |. 8BF0 mov esi, eax
0040D774 |. E8 D560FFFF call ultra1.0040384E
0040D779 |. 83C4 18 add esp, 18
0040D77C |. 03F0 add esi, eax
0040D77E |. EB 02 jmp short ultra1.0040D782
0040D780 |> 33F6 xor esi, esi
0040D782 |> A1 B0784800 mov eax, dword ptr ds:[4878B0]
0040D787 |. 8935 443C4900 mov dword ptr ds:[493C44], esi
0040D78D |. 5F pop edi
0040D78E |. 3B30 cmp esi, dword ptr ds:[eax]
0040D790 |. 5E pop esi
0040D791 |. 74 13 je short ultra1.0040D7A6 ; after the modification this doesn't jump, so just JMP
0040D793 |. 53 push ebx
0040D794 |. 53 push ebx
0040D795 |. 68 C4784800 push ultra1.004878C4 ; ASCII "This program has been altered, possibly by a virus; program execution will stop now."
0040D79A |. E8 1B5C0400 call ultra1.004533BA
0040D79F |. 6A 03 push 3
0040D7A1 |. E8 11810200 call ultra1.004358B7
0040D7A6 |> 834D FC FF or dword ptr ss:[ebp-4], FFFFFFFF
0040D7AA |. 395D E4 cmp dword ptr ss:[ebp-1C], ebx
0040D7AD |. 74 09 je short ultra1.0040D7B8 ; here even the unmodified file doesn't jump; regardless, to be safe I changed the binary code directly to 74 00, so even if it jumps it only lands at 0040D7AF
0040D7AF |. FF75 E4 push dword ptr ss:[ebp-1C]
0040D7B2 |. E8 E5E60300 call ultra1.0044BE9C
0040D7B7 |. 59 pop ecx
0040D7B8 |> 8B4D F4 mov ecx, dword ptr ss:[ebp-C]
0040D7BB |. 5B pop ebx
0040D7BC |. 64:890D 00000000 mov dword ptr fs:[0], ecx
0040D7C3 |. C9 leave
0040D7C4 \. C3 retn
I'm a newbie too, so there's no help for it; I didn't know how to write this up, so I just jotted it down. Have a look for yourself; I hope it helps!!!!!!
[ This post was last edited by neptunesoft on 2009-2-4 23:17 ]
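As an added example (not the poster's code and not code from the program in the listing), here is a C reconstruction of the integrity check performed by the second block, 0040D744 to 0040D791: it assumes that ultra1.0040384E is a CRC-32 seeded with its third argument (the -1 pushed before each call) and that the record reached through [4878B0] holds {expected checksum, file offset of the record}. The file bytes on either side of the 8-byte record are checksummed separately, the two results are added, and one compare against the stored value decides whether the "altered, possibly by a virus" path is taken.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record the listing reads through [4878B0] (layout assumed from the code):
 * dword 0 = expected checksum ([eax]), dword 1 = the record's own file offset ([eax+4]). */
typedef struct { uint32_t stored; uint32_t offset; } check_record;
/* Stand-in for ultra1.0040384E, assumed to be a CRC-32 seeded with its third
 * argument (pushed as -1 in the listing); the real routine is not on the page. */
static uint32_t crc32_seeded(const uint8_t *p, size_t n, uint32_t seed)
{
    uint32_t c = seed;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* 0040D744..0040D77C: checksum the bytes after the record, then the bytes before it, and
 * add the two (esi = crc(after) + crc(before)); the 8-byte record itself is skipped.
 * An out-of-range offset yields 0 (the jnb path to 0040D780). */
uint32_t image_sum(const uint8_t *buf, size_t len, uint32_t off)
{
    if (off >= len || len - off < 8) return 0;   /* second test is an added guard */
    uint32_t after  = crc32_seeded(buf + off + 8, len - off - 8, 0xFFFFFFFFu);
    uint32_t before = crc32_seeded(buf, off, 0xFFFFFFFFu);
    return after + before;
}
/* The compare at 0040D78E: 1 = je taken, image accepted; 0 = fall through to the
 * "altered, possibly by a virus" box and exit(3). */
int image_unaltered(const uint8_t *buf, size_t len, uint32_t off)
{
    check_record rec;
    if (off >= len || len - off < sizeof rec) return 0;
    memcpy(&rec, buf + off, sizeof rec);
    return image_sum(buf, len, off) == rec.stored;
}
/* Constructed 64-byte sample image with the record at offset 16. Returns 1 only if the
 * sealed image passes and a one-byte change on either side of the record is rejected. */
int self_check_demo(void)
{
    uint8_t img[64];
    for (int i = 0; i < 64; i++) img[i] = (uint8_t)(i * 7 + 3);
    check_record rec = { image_sum(img, sizeof img, 16), 16 };   /* build-time "seal", not on the page */
    memcpy(img + 16, &rec, sizeof rec);
    int clean = image_unaltered(img, sizeof img, 16);
    img[40] ^= 1; int after_bad  = !image_unaltered(img, sizeof img, 16); img[40] ^= 1;
    img[3]  ^= 1; int before_bad = !image_unaltered(img, sizeof img, 16);
    return clean && after_bad && before_bad;
}
```

The whole decision rests on the single je at 0040D791, which is exactly why the listing shows it being neutralised with one byte; a check meant to survive that needs its result consumed by later code rather than only branched on once.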