TA的每日心情 | 开心
2017-10-25 13:07 |
|---|
签到天数: 15 天 [LV.4]偶尔看看III
|
发表于 2009-10-13 12:02:30
|
显示全部楼层
思路 注册框出现 会弹出网站
所以我们下bp ShellExecuteA这个断点
7D611200 s> 8BFF mov edi,edi ; 1.004E4D30 这里断下
7D611202 55 push ebp
7D611203 8BEC mov ebp,esp
7D611205 83EC 3C sub esp,3C
7D611208 8B45 08 mov eax,dword ptr ss:[ebp+8]
看堆栈
0012F7B0 004E91BF /CALL 到 ShellExecuteA 来自 1.004E91BA 右键-反汇编跟随 不要用alt+f9不能返回程序空间
0012F7B4 002D076A |hWnd = 002D076A ('私人保险箱(登录窗口)',class='TfrmSafeBox',parent=004905F2)
0012F7B8 004E92C0 |Operation = "Open"
0012F7BC 004E9288 |FileName = "http://www.sharebank.com.cn/soft/softbuy.php?soid=10816"
0012F7C0 004E9284 |Parameters = ""
0012F7C4 004E9284 |DefDir = ""
0012F7C8 00000001 \IsShown = 1
0012F7CC 0012F9E0 指针到下一个 SEH 记录
0012F7D0 004E91EC SE 句柄
来到这004E911E |. E8 C19EF1FF call 1.00402FE4
004E9123 |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
004E9129 |. E8 529CF1FF call 1.00402D80
004E912E |. E8 E597F1FF call 1.00402918
004E9133 |. BA 44934E00 mov edx,1.004E9344 ; ASCII "15" 次数
004E9138 |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
004E913E |. E8 59C2F1FF call 1.0040539C
004E9143 |. E8 68A8F1FF call 1.004039B0
004E9148 |. E8 CB97F1FF call 1.00402918
004E914D |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
004E9153 |. E8 08A0F1FF call 1.00403160
004E9158 |. E8 BB97F1FF call 1.00402918
004E915D |. EB 60 jmp short 1.004E91BF
004E915F |> 33D2 xor edx,edx
004E9161 |. 8B86 2C030000 mov eax,dword ptr ds:[esi+32C]
004E9167 |. 8B08 mov ecx,dword ptr ds:[eax]
004E9169 |. FF51 64 call dword ptr ds:[ecx+64]
004E916C |. B2 01 mov dl,1
004E916E |. 8B86 6C030000 mov eax,dword ptr ds:[esi+36C]
004E9174 |. E8 C3EEF5FF call 1.0044803C
004E9179 |. BA 58924E00 mov edx,1.004E9258
004E917E |. 8B86 74030000 mov eax,dword ptr ds:[esi+374]
004E9184 |. E8 C3EFF5FF call 1.0044814C
004E9189 |. BA 48924E00 mov edx,1.004E9248
004E918E |. 8B86 78030000 mov eax,dword ptr ds:[esi+378]
004E9194 |. E8 FB1DFBFF call 1.0049AF94
004E9199 |. 6A 01 push 1
004E919B |. 68 84924E00 push 1.004E9284
004E91A0 |. 68 84924E00 push 1.004E9284
004E91A5 |. 68 88924E00 push 1.004E9288 ; ASCII "http://www.sharebank.com.cn/soft/softbuy.php?soid=10816"
004E91AA |. 68 C0924E00 push 1.004E92C0 ; ASCII "Open"
004E91AF |. A1 68DE4E00 mov eax,dword ptr ds:[4EDE68]
004E91B4 |. E8 6F56F6FF call 1.0044E828 ; ? 提示注册框并弹出网站
004E91B9 |. 50 push eax ; |hWnd
004E91BA |. E8 C9F4F4FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
004E91BF |> 8BC3 mov eax,ebx 来这里
004E91C1 |. E8 7EADF1FF call 1.00403F44
004E91C6 |> 33C0 xor eax,eax
004E91C8 |. 5A pop edx
我们在程序头下F2
发现 Local Call from 004E754A 这个CALL调用这个段程序 我们在跟随
004E7522 > \8D85 14FCFFFF lea eax,dword ptr ss:[ebp-3EC]
004E7528 . E8 23ECFFFF call 1.004E6150
004E752D . 8D85 14FCFFFF lea eax,dword ptr ss:[ebp-3EC]
004E7533 . BA 907A4E00 mov edx,1.004E7A90 ; ASCII "\SafLst2.dll"
004E7538 . E8 53DAF1FF call 1.00404F90
004E753D . 8B85 14FCFFFF mov eax,dword ptr ss:[ebp-3EC]
004E7543 . E8 5425F2FF call 1.00409A9C
004E7548 > 8BC3 mov eax,ebx
004E754A E8 59180000 call 1.004E8DA8 来到这个CAll 直接NOP 注册框消失
004E754F . B2 01 mov dl,1
004E7551 . A1 C8B24600 mov eax,dword ptr ds:[46B2C8]
004E7556 . E8 6D3EF8FF call 1.0046B3C8
004E755B . 8BF0 mov esi,eax
004E755D . BA 00000080 mov edx,80000000
总结 网站广告 出卖这个程序 做广告不容易啊 |
|
楼主: 2005ljb
IP卡
发表于 2009-10-11 09:56:32
显身卡
发表于 2009-10-11 17:02:48
楼主
发表于 2009-10-13 20:56:28