ximo 发表于 2008-10-25 23:33

对文件夹加密狗的简单逆向及分析

由于同学使用了文件夹加密狗,而今天又忘记了自己的密码,让我帮忙给解出来,没办法,我不会,只能自己逆向分析了文件夹加密狗这个软件了,因此也有了此文。
下面开始吧!

首先定位加密以及解密的按钮事件

PEiD查壳发现,此文件是C++写的,于是,查找所有命令,然后输入sub eax,0a,定位到按钮代码处。
具体的过程请看帖子:
http://www.52pojie.cn/read.php?tid-10308.html
这里不再详细的讲解

下面开始分析加密的过程:

输入密码,点击按钮,进入的事件处理函数如下(函数内根据 this+A0 标志分支:为0时调用0040B6F0走加密,否则走下面的密码校验与解密路径):


0040AB80 .64:A1 00000000 mov eax,dword ptr fs: ; button handler (author's note); ecx = this (thiscall); SEH frame setup
0040AB86 .6A FFpush -1
0040AB88 .68 380D4300push DirWatch.00430D38
0040AB8D .50 push eax
0040AB8E .64:8925 00000000 mov dword ptr fs:,esp
0040AB95 .83EC 08sub esp,8
0040AB98 .53 push ebx
0040AB99 .55 push ebp
0040AB9A .56 push esi
0040AB9B .8BF1 mov esi,ecx ; esi = this
0040AB9D .57 push edi
0040AB9E .33DB xor ebx,ebx ; ebx = 0 for the rest of the function
0040ABA0 .33C0 xor eax,eax
0040ABA2 .8DBE 8C000000lea edi,dword ptr ds: ; edi = this+8C: 16-byte password buffer inside the object
0040ABA8 >881C07 mov byte ptr ds:,bl ; zero this+8C[eax] ...
0040ABAB .8898 14124400mov byte ptr ds:,bl ; ... and the global 16-byte buffer 00441214[eax]
0040ABB1 .40 inc eax
0040ABB2 .83F8 10cmp eax,10
0040ABB5 .^ 7C F1jl short DirWatch.0040ABA8 ; 16 iterations
0040ABB7 .8DAE 9C000000lea ebp,dword ptr ds: ; ebp = this+9C: presumably the CString holding the target folder path - confirm
0040ABBD .68 E0EA4300push DirWatch.0043EAE0;ASCII "\DirRecyclers"
0040ABC2 .8D4424 14lea eax,dword ptr ss:
0040ABC6 .55 push ebp
0040ABC7 .50 push eax
0040ABC8 .E8 29D40100call DirWatch.00427FF6 ; [esp+14] = <folder> + "\DirRecyclers" (string concat helper)
0040ABCD .8B86 A0000000mov eax,dword ptr ds: ; this+A0: mode flag
0040ABD3 .895C24 20mov dword ptr ss:,ebx
0040ABD7 .3BC3 cmp eax,ebx ; encrypt or decrypt? zero = encrypt, non-zero = decrypt
0040ABD9 .75 0Cjnz short DirWatch.0040ABE7 ; decrypt -> password check below
0040ABDB .8BCE mov ecx,esi
0040ABDD .E8 0E0B0000call DirWatch.0040B6F0 ; encrypt path (listed separately below)
0040ABE2 .E9 50010000jmp DirWatch.0040AD37
0040ABE7 >6A 01push 1
0040ABE9 .8BCE mov ecx,esi
0040ABEB .E8 4ABD0100call DirWatch.0042693A ; F7 into here: start of the DECRYPT path (the original note said "encryption"; the this+A0 test above says otherwise)
0040ABF0 .85C0 test eax,eax
0040ABF2 .0F84 3F010000je DirWatch.0040AD37 ; returned 0 -> leave
0040ABF8 .8B8E F4000000mov ecx,dword ptr ds: ; ecx = this+F4: the password typed for decryption
0040ABFE .8B41 F8mov eax,dword ptr ds: ; eax = [ecx-8]: its length (looks like the MFC CString length field - confirm)
0040AC01 .8BC8 mov ecx,eax
0040AC03 .83F8 01cmp eax,1 ; clamp the length: < 1 becomes 2, so an empty password still makes the loop below copy 2 bytes from the empty string
0040AC06 .890D 24124400mov dword ptr ds:,ecx ; global 00441224 = password length
0040AC0C .7D 07jge short DirWatch.0040AC15
0040AC0E .B9 02000000mov ecx,2
0040AC13 .EB 0Ajmp short DirWatch.0040AC1F
0040AC15 >83F8 10cmp eax,10 ; > 16 becomes 16: only the first 16 bytes of a password are ever used
0040AC18 .7E 0Bjle short DirWatch.0040AC25
0040AC1A .B9 10000000mov ecx,10
0040AC1F >890D 24124400mov dword ptr ds:,ecx
0040AC25 >33C0 xor eax,eax
0040AC27 .3BCB cmp ecx,ebx
0040AC29 .7E 1Djle short DirWatch.0040AC48
0040AC2B >8B96 F4000000mov edx,dword ptr ds: ; edx = password string
0040AC31 .40 inc eax
0040AC32 .8A4C02 FFmov cl,byte ptr ds: ; cl = password[eax-1], one byte per iteration
0040AC36 .884C07 FFmov byte ptr ds:,cl ; this+8C[eax-1] = cl
0040AC3A .8888 13124400mov byte ptr ds:,cl ; 00441214[eax-1] = cl: plaintext copy in a global buffer
0040AC40 .3B05 24124400cmp eax,dword ptr ds:
0040AC46 .^ 7C E3jl short DirWatch.0040AC2B
0040AC48 >57 push edi ; second arg: the password buffer
0040AC49 .51 push ecx
0040AC4A .8BCC mov ecx,esp
0040AC4C .896424 1Cmov dword ptr ss:,esp
0040AC50 .55 push ebp
0040AC51 .E8 80CE0100call DirWatch.00427AD6 ; build a temporary copy of the folder path on the stack (first arg)
0040AC56 .E8 05C3FFFFcall DirWatch.00406F60 ; KEY: the password check, F7 into it (author's note)
0040AC5B .83C4 08add esp,8
0040AC5E .3BC3 cmp eax,ebx ; eax == 0 -> wrong password
0040AC60 .0F84 D1000000je DirWatch.0040AD37 ; the whole accept/reject decision is this single conditional jump
0040AC66 .51 push ecx
0040AC67 .8BCC mov ecx,esp
0040AC69 .896424 18mov dword ptr ss:,esp
0040AC6D .55 push ebp
0040AC6E .E8 63CE0100call DirWatch.00427AD6
0040AC73 .E8 B8BCFFFFcall DirWatch.00406930 ; restores the folder ("get it out, then remove" - author's note; body not shown)
0040AC78 .8B4424 14mov eax,dword ptr ss: ; "<folder>\DirRecyclers" built above
0040AC7C .83C4 04add esp,4
0040AC7F .50 push eax; /Path
0040AC80 .FF15 F0224300call dword ptr ds:[<&KERNEL32.RemoveDirectoryA>]; \RemoveDirectoryA ; delete the marker directory
0040AC86 .85C0 test eax,eax
0040AC88 .0F84 9C000000je DirWatch.0040AD2A ; RemoveDirectoryA failed -> close (author: "all decrypted, jump to the end")
0040AC8E .C786 A4000000 0100>mov dword ptr ds:,1 ; this+A4 = 1
0040AC98 .51 push ecx
0040AC99 .891D 80EA4300mov dword ptr ds:,ebx ; clear 0043EA80, 00441210, this+B0, this+B4, 00441228
0040AC9F .891D 10124400mov dword ptr ds:,ebx
0040ACA5 .899E B0000000mov dword ptr ds:,ebx
0040ACAB .8BCC mov ecx,esp
0040ACAD .896424 18mov dword ptr ss:,esp
0040ACB1 .899E B4000000mov dword ptr ds:,ebx
0040ACB7 .55 push ebp
0040ACB8 .891D 28124400mov dword ptr ds:,ebx
0040ACBE .E8 13CE0100call DirWatch.00427AD6
0040ACC3 .8BCE mov ecx,esi ; |
0040ACC5 .E8 E60E0000call DirWatch.0040BBB0; \DirWatch.0040BBB0 ; receives a copy of the folder path; purpose not shown here
0040ACCA .8B0D 84EA4300mov ecx,dword ptr ds:
0040ACD0 .8B96 D4000000mov edx,dword ptr ds: ; this+D4: target window handle
0040ACD6 .51 push ecx; /lParam => 1
0040ACD7 .53 push ebx; |wParam
0040ACD8 .68 06040000push 406; |Message = WM_USER+6
0040ACDD .52 push edx; |hWnd
0040ACDE .FF15 48244300call dword ptr ds:[<&USER32.SendMessageA>]; \SendMessageA ; notify the window: WM_USER+6, lParam = [0043EA84]
0040ACE4 .53 push ebx
0040ACE5 .6A 01push 1
0040ACE7 .8BCE mov ecx,esi
0040ACE9 .E8 E3C50100call DirWatch.004272D1 ; controls 1 and 3EB: presumably GetDlgItem(id)->EnableWindow(FALSE) - confirm
0040ACEE .8BC8 mov ecx,eax
0040ACF0 .E8 0FC80100call DirWatch.00427504
0040ACF5 .53 push ebx
0040ACF6 .68 EB030000push 3EB
0040ACFB .8BCE mov ecx,esi
0040ACFD .E8 CFC50100call DirWatch.004272D1
0040AD02 .8BC8 mov ecx,eax
0040AD04 .E8 FBC70100call DirWatch.00427504
0040AD09 .8B46 1Cmov eax,dword ptr ds: ; this+1C: presumably the dialog's m_hWnd - confirm
0040AD0C .53 push ebx; /Timerproc
0040AD0D .68 E8030000push 3E8; |Timeout = 1000. ms
0040AD12 .6A 01push 1; |TimerID = 1
0040AD14 .50 push eax; |hWnd
0040AD15 .FF15 8C244300call dword ptr ds:[<&USER32.SetTimer>]; \SetTimer ; 1-second timer, id 1
0040AD1B .8B0D 0C124400mov ecx,dword ptr ds: ; event handle kept in global 0044120C
0040AD21 .51 push ecx; /hEvent => 00000048 (window)
0040AD22 .FF15 80224300call dword ptr ds:[<&KERNEL32.SetEvent>]; \SetEvent ; wakes whatever waits on the event (not shown here)
0040AD28 .EB 0Djmp short DirWatch.0040AD37
0040AD2A >8BCE mov ecx,esi
0040AD2C .899E A4000000mov dword ptr ds:,ebx ; this+A4 = 0
0040AD32 .E8 05990100call DirWatch.0042463C
0040AD37 >8D4C24 10lea ecx,dword ptr ss: ; common exit: destroy the temporary path string, unwind SEH, restore registers
0040AD3B .C74424 20 FFFFFFFF mov dword ptr ss:,-1
0040AD43 .E8 19D00100call DirWatch.00427D61
0040AD48 .8B4C24 18mov ecx,dword ptr ss:
0040AD4C .5F pop edi
0040AD4D .5E pop esi
0040AD4E .5D pop ebp
0040AD4F .64:890D 00000000 mov dword ptr fs:,ecx
0040AD56 .5B pop ebx
0040AD57 .83C4 14add esp,14
0040AD5A .C3 retn


F7跟进加密CALL,继续分析:


0040B6F0/$64:A1 00000000 mov eax,dword ptr fs: ; encrypt handler, ecx = this (thiscall); SEH frame setup
0040B6F6|.6A FFpush -1
0040B6F8|.68 200F4300push DirWatch.00430F20
0040B6FD|.50 push eax
0040B6FE|.64:8925 00000000 mov dword ptr fs:,esp
0040B705|.83EC 14sub esp,14
0040B708|.53 push ebx
0040B709|.55 push ebp
0040B70A|.56 push esi
0040B70B|.8BF1 mov esi,ecx ; esi = this
0040B70D|.57 push edi
0040B70E|.33DB xor ebx,ebx ; ebx = 0 throughout
0040B710|.33C0 xor eax,eax
0040B712|.8DBE 8C000000lea edi,dword ptr ds: ; edi = this+8C: 16-byte password buffer
0040B718|>881C07 /mov byte ptr ds:,bl ; zero this+8C[eax] and the global buffer 00441214[eax]
0040B71B|.8898 14124400|mov byte ptr ds:,bl
0040B721|.40 |inc eax
0040B722|.83F8 10|cmp eax,10
0040B725|.^ 7C F1\jl short DirWatch.0040B718 ; 16 iterations
0040B727|.8DAE 9C000000lea ebp,dword ptr ds: ; ebp = this+9C: presumably the folder path CString - confirm
0040B72D|.68 E0EA4300push DirWatch.0043EAE0;ASCII "\DirRecyclers"
0040B732|.8D4424 18lea eax,dword ptr ss:
0040B736|.55 push ebp
0040B737|.50 push eax
0040B738|.C705 80EA4300 0100>mov dword ptr ds:,1 ; global 0043EA80 = 1
0040B742|.E8 AFC80100call DirWatch.00427FF6 ; [esp+18] = <folder> + "\DirRecyclers"
0040B747|.8B0D ECED4300mov ecx,dword ptr ds: ;DirWatch.0043EE00 ; presumably empty-string data used to initialise a stack CString - confirm
0040B74D|.895C24 2Cmov dword ptr ss:,ebx
0040B751|.894C24 10mov dword ptr ss:,ecx
0040B755|.8B86 A8000000mov eax,dword ptr ds: ; this+A8
0040B75B|.C64424 2C 01 mov byte ptr ss:,1
0040B760|.3BC3 cmp eax,ebx
0040B762|.75 0Cjnz short DirWatch.0040B770
0040B764|.53 push ebx ; this+A8 == 0: show message 0043EC64 and leave
0040B765|.53 push ebx
0040B766|.68 64EC4300push DirWatch.0043EC64
0040B76B|.E9 5F020000jmp DirWatch.0040B9CF
0040B770|>6A 01push 1
0040B772|.8BCE mov ecx,esi
0040B774|.E8 C1B10100call DirWatch.0042693A ; same call the decrypt handler makes before reading the password fields
0040B779|.85C0 test eax,eax
0040B77B|.0F84 55020000je DirWatch.0040B9D6
0040B781|.8B86 F8000000mov eax,dword ptr ds: ; this+F8: password entered the second time (confirmation)
0040B787|.8B8E F4000000mov ecx,dword ptr ds: ; this+F4: password entered the first time
0040B78D|.50 push eax; /Arg2
0040B78E|.51 push ecx; |Arg1
0040B78F|.E8 F7890000call DirWatch.0041418B; \compare the two strings
0040B794|.83C4 08add esp,8
0040B797|.85C0 test eax,eax ; returns 0 when equal, non-zero otherwise (author's note; strcmp-like)
0040B799|.0F85 29020000jnz DirWatch.0040B9C8 ; mismatch -> error message
0040B79F|.8B96 F4000000mov edx,dword ptr ds:
0040B7A5|.8B42 F8mov eax,dword ptr ds: ; eax = [edx-8]: password length
0040B7A8|.8BC8 mov ecx,eax
0040B7AA|.83F8 03cmp eax,3 ; fewer than 3 characters -> error
0040B7AD|.890D 24124400mov dword ptr ds:,ecx ; global 00441224 = length
0040B7B3|.7D 0Cjge short DirWatch.0040B7C1
0040B7B5|.53 push ebx
0040B7B6|.53 push ebx
0040B7B7|.68 4CEC4300push DirWatch.0043EC4C
0040B7BC|.E9 0E020000jmp DirWatch.0040B9CF
0040B7C1|>83F8 10cmp eax,10 ; more than 16 -> silently truncated to 16 (NOT an error, contrary to the original note)
0040B7C4|.7E 0Bjle short DirWatch.0040B7D1
0040B7C6|.B9 10000000mov ecx,10
0040B7CB|.890D 24124400mov dword ptr ds:,ecx
0040B7D1|>33C0 xor eax,eax
0040B7D3|.3BCB cmp ecx,ebx
0040B7D5|.7E 1Djle short DirWatch.0040B7F4
0040B7D7|>8B8E F4000000/mov ecx,dword ptr ds: ; ecx = password string (ecx, not eax as the original note said)
0040B7DD|.40 |inc eax ; eax++
0040B7DE|.8A4C01 FF|mov cl,byte ptr ds: ; cl = password[eax-1]
0040B7E2|.884C07 FF|mov byte ptr ds:,cl ; this+8C[eax-1] = cl
0040B7E6|.8888 13124400|mov byte ptr ds:,cl ; 00441214[eax-1] = cl: plaintext password kept in a global buffer
0040B7EC|.3B05 24124400|cmp eax,dword ptr ds:
0040B7F2|.^ 7C E3\jl short DirWatch.0040B7D7
0040B7F4|>399E A4000000cmp dword ptr ds:,ebx ; this+A4 == 0 ?
0040B7FA|.75 4Djnz short DirWatch.0040B849 ; non-zero -> the estimate/confirmation branch at 0040B849
0040B7FC|.57 push edi ; second arg: password buffer
0040B7FD|.51 push ecx
0040B7FE|.8BCC mov ecx,esp
0040B800|.896424 24mov dword ptr ss:,esp
0040B804|.55 push ebp
0040B805|.E8 CCC20100call DirWatch.00427AD6 ; first arg: temporary copy of the folder path
0040B80A|.E8 C1BAFFFFcall DirWatch.004072D0 ; KEY: writes the "encryption" files (listed below), F7 into it
0040B80F|.83C4 08add esp,8
0040B812|.3BC3 cmp eax,ebx
0040B814|.74 27je short DirWatch.0040B83D ; returned 0 -> skip the hide step
0040B816|.51 push ecx
0040B817|.8BCC mov ecx,esp
0040B819|.896424 20mov dword ptr ss:,esp
0040B81D|.55 push ebp
0040B81E|.E8 B3C20100call DirWatch.00427AD6
0040B823|.E8 38AAFFFFcall DirWatch.00406260 ; hides the folder (attrib / mkdir commands, listed further below)
0040B828|.83C4 04add esp,4
0040B82B|.3BC3 cmp eax,ebx ; non-zero = success
0040B82D|.75 0Ejnz short DirWatch.0040B83D ; -> close the dialog
0040B82F|.53 push ebx
0040B830|.53 push ebx
0040B831|.68 40EC4300push DirWatch.0043EC40 ; failure message
0040B836|.8BCE mov ecx,esi
0040B838|.E8 A1A90100call DirWatch.004261DE
0040B83D|>8BCE mov ecx,esi
0040B83F|.E8 F88D0100call DirWatch.0042463C
0040B844|.E9 8D010000jmp DirWatch.0040B9D6
0040B849|>51 push ecx ; taken when this+A4 != 0 (note: this branch never calls 004072D0)
0040B84A|.891D 10124400mov dword ptr ds:,ebx ; clear 00441210, this+B0, this+B4, 00441228
0040B850|.899E B0000000mov dword ptr ds:,ebx
0040B856|.8BCC mov ecx,esp
0040B858|.896424 20mov dword ptr ss:,esp
0040B85C|.899E B4000000mov dword ptr ds:,ebx
0040B862|.55 push ebp
0040B863|.891D 28124400mov dword ptr ds:,ebx
0040B869|.E8 68C20100call DirWatch.00427AD6
0040B86E|.8BCE mov ecx,esi ; |
0040B870|.E8 3B030000call DirWatch.0040BBB0; \DirWatch.0040BBB0 ; presumably fills this+B0, which is read as a double right below - confirm
0040B875|.DD86 B0000000fld qword ptr ds: ; st0 = double at this+B0
0040B87B|.DC0D 28314300fmul qword ptr ds: ; * constant at 00433128
0040B881|.E8 268B0000call DirWatch.004143AC ; double -> int (looks like the CRT _ftol helper)
0040B886|.8BF8 mov edi,eax ; edi = first estimate
0040B888|.897C24 1Cmov dword ptr ss:,edi
0040B88C|.DB4424 1Cfild dword ptr ss:
0040B890|.DC0D 20314300fmul qword ptr ds: ; * constant at 00433120
0040B896|.E8 118B0000call DirWatch.004143AC ; eax = second estimate
0040B89B|.83FF 32cmp edi,32 ; first estimate <= 50 -> no confirmation asked
0040B89E|.8BC8 mov ecx,eax
0040B8A0|.7E 50jle short DirWatch.0040B8F2
0040B8A2|.99 cdq ; edx:eax = second estimate, sign-extended
0040B8A3|.BD 3C000000mov ebp,3C
0040B8A8|.F7FD idiv ebp ; eax = value / 60, edx = value % 60
0040B8AA|.B8 89888888mov eax,88888889 ; value / 60 again via multiply-by-reciprocal (0x88888889, >>5)
0040B8AF|.52 push edx ; arg: value % 60
0040B8B0|.F7E9 imul ecx
0040B8B2|.03D1 add edx,ecx
0040B8B4|.8D4C24 14lea ecx,dword ptr ss: ; stack string at [esp+14] receives the formatted text
0040B8B8|.C1FA 05sar edx,5
0040B8BB|.8BC2 mov eax,edx
0040B8BD|.C1E8 1Fshr eax,1F
0040B8C0|.03D0 add edx,eax ; round toward zero for negative values
0040B8C2|.52 push edx ; arg: value / 60
0040B8C3|.57 push edi ; arg: first estimate
0040B8C4|.68 F0EB4300push DirWatch.0043EBF0 ; format string
0040B8C9|.51 push ecx
0040B8CA|.E8 F4700100call DirWatch.004229C3 ; sprintf-like formatting (five stack args, cleaned up below)
0040B8CF|.8B5424 24mov edx,dword ptr ss:
0040B8D3|.83C4 14add esp,14
0040B8D6|.8BCE mov ecx,esi
0040B8D8|.6A 04push 4 ; 4 = MB_YESNO
0040B8DA|.53 push ebx
0040B8DB|.52 push edx
0040B8DC|.E8 FDA80100call DirWatch.004261DE ; confirmation box; looks like CWnd::MessageBox(text, NULL, MB_YESNO) - confirm
0040B8E1|.83F8 07cmp eax,7 ; 7 = IDNO
0040B8E4|.75 0Cjnz short DirWatch.0040B8F2
0040B8E6|.8BCE mov ecx,esi
0040B8E8|.E8 4F8D0100call DirWatch.0042463C ; user declined: close and leave
0040B8ED|.E9 E4000000jmp DirWatch.0040B9D6
0040B8F2|>A1 84EA4300mov eax,dword ptr ds:
0040B8F7|.8B8E D4000000mov ecx,dword ptr ds: ; this+D4: target window handle
0040B8FD|.50 push eax; /lParam => 1
0040B8FE|.53 push ebx; |wParam
0040B8FF|.68 06040000push 406; |Message = WM_USER+6
0040B904|.51 push ecx; |hWnd
0040B905|.FF15 48244300call dword ptr ds:[<&USER32.SendMessageA>]; \SendMessageA
0040B90B|.8B5424 14mov edx,dword ptr ss: ; "<folder>\DirRecyclers"
0040B90F|.53 push ebx; /pSecurity
0040B910|.52 push edx; |Path
0040B911|.FF15 C0224300call dword ptr ds:[<&KERNEL32.CreateDirectoryA>]; \CreateDirectoryA ; return value is not checked
0040B917|.68 68E94300push DirWatch.0043E968;ASCII "attrib +h +s " ; build "attrib +h +s " + <path>: the folder is hidden via attributes only
0040B91C|.8D4C24 1Clea ecx,dword ptr ss:
0040B920|.E8 AAC40100call DirWatch.00427DCF
0040B925|.8D4424 14lea eax,dword ptr ss:
0040B929|.8D4C24 18lea ecx,dword ptr ss:
0040B92D|.50 push eax
0040B92E|.8D5424 20lea edx,dword ptr ss:
0040B932|.51 push ecx
0040B933|.52 push edx
0040B934|.C64424 38 02 mov byte ptr ss:,2
0040B939|.E8 52C60100call DirWatch.00427F90 ; string concatenation; the path is appended without quoting
0040B93E|.50 push eax
0040B93F|.8D4C24 1Clea ecx,dword ptr ss:
0040B943|.C64424 30 03 mov byte ptr ss:,3
0040B948|.E8 4DC50100call DirWatch.00427E9A
0040B94D|.8D4C24 1Clea ecx,dword ptr ss:
0040B951|.C64424 2C 02 mov byte ptr ss:,2
0040B956|.E8 06C40100call DirWatch.00427D61 ; destroy the temporary
0040B95B|.51 push ecx
0040B95C|.8D4424 1Clea eax,dword ptr ss:
0040B960|.8BCC mov ecx,esp
0040B962|.896424 24mov dword ptr ss:,esp
0040B966|.50 push eax
0040B967|.E8 6AC10100call DirWatch.00427AD6
0040B96C|.E8 6F9EFFFFcall DirWatch.004057E0 ; runs the command line (author: "executes the command"); if it goes through cmd.exe, a folder name containing cmd metacharacters is passed as-is - confirm what 004057E0 does
0040B971|.83C4 04add esp,4
0040B974|.8BCE mov ecx,esi
0040B976|.53 push ebx
0040B977|.6A 01push 1
0040B979|.E8 53B90100call DirWatch.004272D1 ; controls 1 and 3EB: presumably GetDlgItem(id)->EnableWindow(FALSE) - confirm
0040B97E|.8BC8 mov ecx,eax
0040B980|.E8 7FBB0100call DirWatch.00427504
0040B985|.53 push ebx
0040B986|.68 EB030000push 3EB
0040B98B|.8BCE mov ecx,esi
0040B98D|.E8 3FB90100call DirWatch.004272D1
0040B992|.8BC8 mov ecx,eax
0040B994|.E8 6BBB0100call DirWatch.00427504
0040B999|.8B4E 1Cmov ecx,dword ptr ds: ; this+1C: presumably the dialog's m_hWnd - confirm
0040B99C|.53 push ebx; /Timerproc
0040B99D|.68 E8030000push 3E8; |Timeout = 1000. ms
0040B9A2|.6A 01push 1; |TimerID = 1
0040B9A4|.51 push ecx; |hWnd
0040B9A5|.FF15 8C244300call dword ptr ds:[<&USER32.SetTimer>]; \SetTimer
0040B9AB|.8B15 0C124400mov edx,dword ptr ds: ; event handle kept in global 0044120C
0040B9B1|.52 push edx; /hEvent => 00000048 (window)
0040B9B2|.FF15 80224300call dword ptr ds:[<&KERNEL32.SetEvent>]; \SetEvent ; same wake-up as in the decrypt handler
0040B9B8|.8D4C24 18lea ecx,dword ptr ss:
0040B9BC|.C64424 2C 01 mov byte ptr ss:,1
0040B9C1|.E8 9BC30100call DirWatch.00427D61
0040B9C6|.EB 0Ejmp short DirWatch.0040B9D6
0040B9C8|>53 push ebx ; passwords differ: message 0043EBDC
0040B9C9|.53 push ebx
0040B9CA|.68 DCEB4300push DirWatch.0043EBDC
0040B9CF|>8BCE mov ecx,esi
0040B9D1|.E8 08A80100call DirWatch.004261DE ; message box (text, 0, 0)
0040B9D6|>8D4C24 10lea ecx,dword ptr ss: ; common exit: destroy temporaries, unwind SEH, restore registers
0040B9DA|.885C24 2Cmov byte ptr ss:,bl
0040B9DE|.E8 7EC30100call DirWatch.00427D61
0040B9E3|.8D4C24 14lea ecx,dword ptr ss:
0040B9E7|.C74424 2C FFFFFFFF mov dword ptr ss:,-1
0040B9EF|.E8 6DC30100call DirWatch.00427D61
0040B9F4|.8B4C24 24mov ecx,dword ptr ss:
0040B9F8|.5F pop edi
0040B9F9|.5E pop esi
0040B9FA|.5D pop ebp
0040B9FB|.64:890D 00000000 mov dword ptr fs:,ecx
0040BA02|.5B pop ebx
0040BA03|.83C4 20add esp,20
0040BA06\.C3 retn





继续跟进加密CALL,接着分析:


004072D0/$6A FFpush -1 ; "encrypt" worker: args [esp+2E0] = folder path (CString), [esp+2E4] = password buffer; returns 1 on success, 0 otherwise
004072D2|.68 F5074300push DirWatch.004307F5;SEH handler install
004072D7|.64:A1 00000000 mov eax,dword ptr fs:
004072DD|.50 push eax
004072DE|.64:8925 00000000 mov dword ptr fs:,esp
004072E5|.81EC CC020000sub esp,2CC
004072EB|.53 push ebx
004072EC|.A1 ECED4300mov eax,dword ptr ds: ; 0043EDEC: presumably empty-string data used to initialise three stack CStrings - confirm
004072F1|.C78424 D8020000 00>mov dword ptr ss:,0
004072FC|.894424 04mov dword ptr ss:,eax
00407300|.894424 0Cmov dword ptr ss:,eax
00407304|.894424 08mov dword ptr ss:,eax
00407308|.8D8424 C8000000lea eax,dword ptr ss:
0040730F|.68 04010000push 104; /BufSize = 104 (260.)
00407314|.50 push eax; |Buffer
00407315|.C68424 E0020000 03 mov byte ptr ss:,3 ; |
0040731D|.FF15 98224300call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>; \GetSystemDirectoryA: the system directory
00407323|.8D8C24 CC010000lea ecx,dword ptr ss:
0040732A|.68 04010000push 104; /BufSize = 104 (260.)
0040732F|.51 push ecx; |Buffer
00407330|.FF15 9C224300call dword ptr ds:[<&KERNEL32.GetWindowsDirectory>; \GetWindowsDirectory: the Windows directory (not the system directory, as the original note said)
00407336|.8D9424 C8000000lea edx,dword ptr ss:
0040733D|.8D4C24 0Clea ecx,dword ptr ss:
00407341|.52 push edx
00407342|.E8 A30B0200call DirWatch.00427EEA ; [esp+C] = system dir
00407347|.8D8424 CC010000lea eax,dword ptr ss:
0040734E|.8D4C24 08lea ecx,dword ptr ss:
00407352|.50 push eax
00407353|.E8 920B0200call DirWatch.00427EEA ; [esp+8] = Windows dir
00407358|.8B4C24 08mov ecx,dword ptr ss:
0040735C|.8B9424 E0020000mov edx,dword ptr ss:
00407363|.51 push ecx; /Arg2
00407364|.52 push edx; |Arg1
00407365|.E8 21CE0000call DirWatch.0041418B; \string compare: target folder vs Windows dir
0040736A|.83C4 08add esp,8
0040736D|.85C0 test eax,eax
0040736F|.0F84 71030000je DirWatch.004076E6 ; equal -> refuse with message 0043E68C
00407375|.8B4424 0Cmov eax,dword ptr ss:
00407379|.8B8C24 E0020000mov ecx,dword ptr ss:
00407380|.50 push eax; /Arg2
00407381|.51 push ecx; |Arg1
00407382|.E8 04CE0000call DirWatch.0041418B; \string compare: target folder vs system dir
00407387|.83C4 08add esp,8
0040738A|.85C0 test eax,eax
0040738C|.0F84 54030000je DirWatch.004076E6 ; equal -> refuse; both checks are exact-match compares, sub-folders of those directories are not caught
00407392|.8B9424 E0020000mov edx,dword ptr ss:
00407399|.8B42 F8mov eax,dword ptr ds: ; path length ([ptr-8])
0040739C|.83F8 04cmp eax,4 ; path shorter than 4 characters -> refuse with message 0043E6D4
0040739F|.7D 0Ejge short DirWatch.004073AF
004073A1|.6A 00push 0
004073A3|.6A 00push 0
004073A5|.68 D4E64300push DirWatch.0043E6D4
004073AA|.E9 40030000jmp DirWatch.004076EF
004073AF|>8D8424 E0020000lea eax,dword ptr ss:
004073B6|.68 20E64300push DirWatch.0043E620;ASCII "\DirRecycler"
004073BB|.8D4C24 18lea ecx,dword ptr ss:
004073BF|.50 push eax
004073C0|.51 push ecx
004073C1|.E8 300C0200call DirWatch.00427FF6 ; [esp+4] = <folder> + "\DirRecycler"
004073C6|.50 push eax
004073C7|.8D4C24 08lea ecx,dword ptr ss:
004073CB|.C68424 DC020000 04 mov byte ptr ss:,4
004073D3|.E8 C20A0200call DirWatch.00427E9A
004073D8|.8D4C24 14lea ecx,dword ptr ss:
004073DC|.C68424 D8020000 03 mov byte ptr ss:,3
004073E4|.E8 78090200call DirWatch.00427D61
004073E9|.8B5424 04mov edx,dword ptr ss:
004073ED|.6A 00push 0; /pSecurity = NULL
004073EF|.52 push edx; |Path
004073F0|.FF15 C0224300call dword ptr ds:[<&KERNEL32.CreateDirectoryA>]; \CreateDirectoryA: create <folder>\DirRecycler
004073F6|.85C0 test eax,eax ; any failure is taken to mean "already encrypted": the DirRecycler sub-directory is the only marker, GetLastError is not consulted
004073F8|.75 13jnz short DirWatch.0040740D ; created -> continue
004073FA|.50 push eax; /Style
004073FB|.50 push eax; |Title
004073FC|.68 C0E64300push DirWatch.0043E6C0; |Text = "文件夹已被移动加密!" ; "the folder has already been move-encrypted!"
00407401|.50 push eax; |hOwner
00407402|.FF15 C8244300call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
00407408|.E9 E7020000jmp DirWatch.004076F4 ; -> return 0
0040740D|>68 60E64300push DirWatch.0043E660;ASCII "\{djp2006}.mem"
00407412|.8D4C24 08lea ecx,dword ptr ss:
00407416|.E8 220D0200call DirWatch.0042813D ; [esp+4] += "\{djp2006}.mem"
0040741B|.8B8424 E4020000mov eax,dword ptr ss: ; eax = password buffer (second argument)
00407422|.50 push eax
00407423|.E8 68E6FFFFcall DirWatch.00405A90 ; takes only the password; presumably fills the globals written out below - body not shown, confirm
00407428|.8B0D 34654300mov ecx,dword ptr ds:
0040742E|.8B5424 08mov edx,dword ptr ss:
00407432|.83C4 04add esp,4
00407435|.6A 01push 1
00407437|.51 push ecx
00407438|.6A 40push 40
0040743A|.52 push edx
0040743B|.8D8C24 80000000lea ecx,dword ptr ss:
00407442|.E8 9D5D0100call DirWatch.0041D1E4 ; open/create {djp2006}.mem (looks like an ofstream constructor: path, mode 40h, [00436534], 1 - confirm)
00407447|.8B4424 70mov eax,dword ptr ss:
0040744B|.B3 06mov bl,6 ; bl = 6: mask tested on the stream state after each open (the 6 also serves as an SEH state number below)
0040744D|.C68424 D8020000 05 mov byte ptr ss:,5
00407455|.8B48 04mov ecx,dword ptr ds:
00407458|.845C0C 78test byte ptr ss:,bl ; looks like the iostream failbit|badbit check - confirm
0040745C|.74 28je short DirWatch.00407486 ; open succeeded
0040745E|.8D4C24 70lea ecx,dword ptr ss: ; open failed: close/destroy the stream and return 0
00407462|.E8 83670100call DirWatch.0041DBEA
00407467|.8D4C24 78lea ecx,dword ptr ss:
0040746B|.C68424 D8020000 03 mov byte ptr ss:,3
00407473|.E8 235E0100call DirWatch.0041D29B
00407478|.8D4C24 78lea ecx,dword ptr ss:
0040747C|.E8 BF5C0100call DirWatch.0041D140
00407481|.E9 6E020000jmp DirWatch.004076F4
00407486|>8B15 88104400mov edx,dword ptr ds: ; write globals 00441088/8C/90/94 to the .mem file unmodified, each followed by the separator string 0043E6BC
0040748C|.68 BCE64300push DirWatch.0043E6BC
00407491|.52 push edx; /Arg1 => 00000000
00407492|.8D4C24 78lea ecx,dword ptr ss: ; |
00407496|.E8 33680100call DirWatch.0041DCCE; \DirWatch.0041DCCE ; stream << value ...
0040749B|.8BC8 mov ecx,eax
0040749D|.E8 5E5F0100call DirWatch.0041D400 ; ... << separator
004074A2|.A1 8C104400mov eax,dword ptr ds:
004074A7|.68 BCE64300push DirWatch.0043E6BC
004074AC|.50 push eax; /Arg1 => 00000000
004074AD|.8D4C24 78lea ecx,dword ptr ss: ; |
004074B1|.E8 18680100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004074B6|.8BC8 mov ecx,eax
004074B8|.E8 435F0100call DirWatch.0041D400
004074BD|.8B0D 90104400mov ecx,dword ptr ds:
004074C3|.68 BCE64300push DirWatch.0043E6BC
004074C8|.51 push ecx; /Arg1 => 00000000
004074C9|.8D4C24 78lea ecx,dword ptr ss: ; |
004074CD|.E8 FC670100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004074D2|.8BC8 mov ecx,eax
004074D4|.E8 275F0100call DirWatch.0041D400
004074D9|.8B15 94104400mov edx,dword ptr ds:
004074DF|.68 BCE64300push DirWatch.0043E6BC
004074E4|.52 push edx; /Arg1 => 00000000
004074E5|.8D4C24 78lea ecx,dword ptr ss: ; |
004074E9|.E8 E0670100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004074EE|.8BC8 mov ecx,eax
004074F0|.E8 0B5F0100call DirWatch.0041D400
004074F5|.8D4C24 70lea ecx,dword ptr ss:
004074F9|.E8 EC660100call DirWatch.0041DBEA ; close the .mem file
004074FE|.8B4424 04mov eax,dword ptr ss:
00407502|.6A 02push 2; /2 = FILE_ATTRIBUTE_HIDDEN
00407504|.50 push eax; |FileName
00407505|.FF15 C8224300call dword ptr ds:[<&KERNEL32.SetFileAttributesA>>; \SetFileAttributesA: hide the .mem file
0040750B|.8D8C24 E0020000lea ecx,dword ptr ss: ; now the .ini file
00407512|.68 A0E64300push DirWatch.0043E6A0;ASCII "\DirRecycler\Dir800621.ini"
00407517|.8D5424 14lea edx,dword ptr ss:
0040751B|.51 push ecx
0040751C|.52 push edx
0040751D|.E8 D40A0200call DirWatch.00427FF6 ; [esp+10] = <folder> + "\DirRecycler\Dir800621.ini"
00407522|.A1 34654300mov eax,dword ptr ds:
00407527|.8B4C24 10mov ecx,dword ptr ss:
0040752B|.6A 01push 1
0040752D|.50 push eax
0040752E|.6A 02push 2
00407530|.51 push ecx
00407531|.8D4C24 28lea ecx,dword ptr ss:
00407535|.889C24 E8020000mov byte ptr ss:,bl
0040753C|.E8 A35C0100call DirWatch.0041D1E4 ; open/create Dir800621.ini (same constructor, mode 2)
00407541|.8B5424 18mov edx,dword ptr ss:
00407545|.C68424 D8020000 07 mov byte ptr ss:,7
0040754D|.8B42 04mov eax,dword ptr ds:
00407550|.845C04 20test byte ptr ss:,bl
00407554|.0F85 DA000000jnz DirWatch.00407634 ; open failed -> skip the writes, but the function still returns 1 below
0040755A|.8B0D B0E84300mov ecx,dword ptr ds: ; seven values, each XOR'd with a FIXED constant before being written: 0043E8B0^3FF, 004411D4^7, 004411D8^1F, 004411DC^0F, 004411E0^3F, 004411E4^3F, 004411E8^1F
00407560|.68 BCE64300push DirWatch.0043E6BC
00407565|.81F1 FF030000xor ecx,3FF ; fixed-key XOR is obfuscation, not encryption: anyone holding the file reverses it with the same constants
0040756B|.51 push ecx; /Arg1
0040756C|.8D4C24 20lea ecx,dword ptr ss: ; |
00407570|.E8 59670100call DirWatch.0041DCCE; \DirWatch.0041DCCE
00407575|.8BC8 mov ecx,eax
00407577|.E8 845E0100call DirWatch.0041D400
0040757C|.8B15 D4114400mov edx,dword ptr ds:
00407582|.68 BCE64300push DirWatch.0043E6BC
00407587|.83F2 07xor edx,7
0040758A|.8D4C24 1Clea ecx,dword ptr ss:
0040758E|.52 push edx; /Arg1
0040758F|.E8 3A670100call DirWatch.0041DCCE; \DirWatch.0041DCCE
00407594|.8BC8 mov ecx,eax
00407596|.E8 655E0100call DirWatch.0041D400
0040759B|.A1 D8114400mov eax,dword ptr ds:
004075A0|.68 BCE64300push DirWatch.0043E6BC
004075A5|.83F0 1Fxor eax,1F
004075A8|.8D4C24 1Clea ecx,dword ptr ss:
004075AC|.50 push eax; /Arg1
004075AD|.E8 1C670100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004075B2|.8BC8 mov ecx,eax
004075B4|.E8 475E0100call DirWatch.0041D400
004075B9|.8B0D DC114400mov ecx,dword ptr ds:
004075BF|.68 BCE64300push DirWatch.0043E6BC
004075C4|.83F1 0Fxor ecx,0F
004075C7|.51 push ecx; /Arg1
004075C8|.8D4C24 20lea ecx,dword ptr ss: ; |
004075CC|.E8 FD660100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004075D1|.8BC8 mov ecx,eax
004075D3|.E8 285E0100call DirWatch.0041D400
004075D8|.8B15 E0114400mov edx,dword ptr ds:
004075DE|.68 BCE64300push DirWatch.0043E6BC
004075E3|.83F2 3Fxor edx,3F
004075E6|.8D4C24 1Clea ecx,dword ptr ss:
004075EA|.52 push edx; /Arg1
004075EB|.E8 DE660100call DirWatch.0041DCCE; \DirWatch.0041DCCE
004075F0|.8BC8 mov ecx,eax
004075F2|.E8 095E0100call DirWatch.0041D400
004075F7|.A1 E4114400mov eax,dword ptr ds:
004075FC|.68 BCE64300push DirWatch.0043E6BC
00407601|.83F0 3Fxor eax,3F
00407604|.8D4C24 1Clea ecx,dword ptr ss:
00407608|.50 push eax; /Arg1
00407609|.E8 C0660100call DirWatch.0041DCCE; \DirWatch.0041DCCE
0040760E|.8BC8 mov ecx,eax
00407610|.E8 EB5D0100call DirWatch.0041D400
00407615|.8B0D E8114400mov ecx,dword ptr ds:
0040761B|.68 BCE64300push DirWatch.0043E6BC
00407620|.83F1 1Fxor ecx,1F
00407623|.51 push ecx; /Arg1
00407624|.8D4C24 20lea ecx,dword ptr ss: ; |
00407628|.E8 F0650100call DirWatch.0041DC1D; \DirWatch.0041DC1D ; last value goes through a different routine (0041DC1D, not 0041DCCE)
0040762D|.8BC8 mov ecx,eax
0040762F|.E8 CC5D0100call DirWatch.0041D400
00407634|>8D4C24 18lea ecx,dword ptr ss:
00407638|.E8 AD650100call DirWatch.0041DBEA ; close Dir800621.ini (author: "write the data into Dir800621.ini")
0040763D|.8D4C24 20lea ecx,dword ptr ss:
00407641|.889C24 D8020000mov byte ptr ss:,bl
00407648|.E8 4E5C0100call DirWatch.0041D29B
0040764D|.8D4C24 20lea ecx,dword ptr ss:
00407651|.E8 EA5A0100call DirWatch.0041D140
00407656|.8D4C24 10lea ecx,dword ptr ss: ; destroy temporaries (stream objects and CStrings)
0040765A|.C68424 D8020000 05 mov byte ptr ss:,5
00407662|.E8 FA060200call DirWatch.00427D61
00407667|.8D4C24 78lea ecx,dword ptr ss:
0040766B|.C68424 D8020000 03 mov byte ptr ss:,3
00407673|.E8 235C0100call DirWatch.0041D29B
00407678|.8D4C24 78lea ecx,dword ptr ss:
0040767C|.E8 BF5A0100call DirWatch.0041D140
00407681|.8D4C24 08lea ecx,dword ptr ss:
00407685|.C68424 D8020000 02 mov byte ptr ss:,2
0040768D|.E8 CF060200call DirWatch.00427D61
00407692|.8D4C24 0Clea ecx,dword ptr ss:
00407696|.C68424 D8020000 01 mov byte ptr ss:,1
0040769E|.E8 BE060200call DirWatch.00427D61
004076A3|.8D4C24 04lea ecx,dword ptr ss:
004076A7|.C68424 D8020000 00 mov byte ptr ss:,0
004076AF|.E8 AD060200call DirWatch.00427D61
004076B4|.8D8C24 E0020000lea ecx,dword ptr ss:
004076BB|.C78424 D8020000 FF>mov dword ptr ss:,-1
004076C6|.E8 96060200call DirWatch.00427D61
004076CB|.B8 01000000mov eax,1 ; success: return 1. Nothing inside the folder was touched by this routine; it only created a sub-directory and two small files
004076D0|.5B pop ebx
004076D1|.8B8C24 CC020000mov ecx,dword ptr ss:
004076D8|.64:890D 00000000 mov dword ptr fs:,ecx
004076DF|.81C4 D8020000add esp,2D8
004076E5|.C3 retn ; back to the caller at 0040B80F
004076E6|>6A 00push 0; /Arg3 = 00000000
004076E8|.6A 00push 0; |Arg2 = 00000000
004076EA|.68 8CE64300push DirWatch.0043E68C; |Arg1 = 0043E68C ; error text for the Windows/system-directory case
004076EF|>E8 3A410200call DirWatch.0042B82E; \DirWatch.0042B82E ; message box (text, 0, 0)
004076F4|>8D4C24 08lea ecx,dword ptr ss: ; failure exit: destroy temporaries and return 0
004076F8|.C68424 D8020000 02 mov byte ptr ss:,2
00407700|.E8 5C060200call DirWatch.00427D61
00407705|.8D4C24 0Clea ecx,dword ptr ss:
00407709|.C68424 D8020000 01 mov byte ptr ss:,1
00407711|.E8 4B060200call DirWatch.00427D61
00407716|.8D4C24 04lea ecx,dword ptr ss:
0040771A|.C68424 D8020000 00 mov byte ptr ss:,0
00407722|.E8 3A060200call DirWatch.00427D61
00407727|.8D8C24 E0020000lea ecx,dword ptr ss:
0040772E|.C78424 D8020000 FF>mov dword ptr ss:,-1
00407739|.E8 23060200call DirWatch.00427D61
0040773E|.8B8C24 D0020000mov ecx,dword ptr ss:
00407745|.33C0 xor eax,eax ; return 0
00407747|.5B pop ebx
00407748|.64:890D 00000000 mov dword ptr fs:,ecx
0040774F|.81C4 D8020000add esp,2D8
00407755\.C3 retn



上面的过程并没有对文件夹里的内容做任何处理:它只是在 <文件夹>\DirRecycler 下建立了两个隐藏的小文件 {djp2006}.mem 和 Dir800621.ini,把若干全局变量写进去(写入 .ini 之前分别与固定常量 3FF、7、1F、0F、3F、3F、1F 异或一次),作者推测这些就是密码信息。
这些数据具体对应什么不再展开,本文只分析加密与解密的流程和原理。需要指出的是:与固定常量异或是可逆的混淆而不是加密,拿到这两个文件的人用同样的常量再异或一次即可还原;从已贴出的代码看,阻止用户访问文件夹靠的是后面 attrib +h +s 设置的隐藏/系统属性以及用 mkdir 建出的 nul 目录,而不是对数据的加密。有兴趣的朋友可以自己去分析下,呵呵。

返回到继续加密处:


0040B80F|.83C4 08add esp,8
0040B812|.3BC3 cmp eax,ebx
0040B814|.74 27je short DirWatch.0040B83D
0040B816|.51 push ecx
0040B817|.8BCC mov ecx,esp
0040B819|.896424 20mov dword ptr ss:,esp
0040B81D|.55 push ebp
0040B81E|.E8 B3C20100call DirWatch.00427AD6
0040B823|.E8 38AAFFFFcall DirWatch.00406260;还是关键,接着F7
0040B828|.83C4 04add esp,4
0040B82B|.3BC3 cmp eax,ebx ;加密成功
0040B82D|.75 0Ejnz short DirWatch.0040B83D ;则跳,关闭文件夹加密狗
0040B82F|.53 push ebx
0040B830|.53 push ebx
0040B831|.68 40EC4300push DirWatch.0043EC40
0040B836|.8BCE mov ecx,esi


再次F7进入00406260(负责隐藏文件夹的部分):


00406260/$6A FFpush -1
00406262|.68 72064300push DirWatch.00430672;SE 句柄安装
00406267|.64:A1 00000000 mov eax,dword ptr fs:
0040626D|.50 push eax
0040626E|.64:8925 00000000 mov dword ptr fs:,esp
00406275|.81EC 90000000sub esp,90
0040627B|.53 push ebx
0040627C|.A1 ECED4300mov eax,dword ptr ds:
00406281|.C78424 9C000000 00>mov dword ptr ss:,0
0040628C|.894424 0Cmov dword ptr ss:,eax
00406290|.894424 20mov dword ptr ss:,eax
00406294|.894424 24mov dword ptr ss:,eax
00406298|.8D8424 A4000000lea eax,dword ptr ss:
0040629F|.68 20E64300push DirWatch.0043E620;ASCII "\DirRecycler"
004062A4|.8D4C24 08lea ecx,dword ptr ss:
004062A8|.50 push eax
004062A9|.51 push ecx
004062AA|.C68424 A8000000 03 mov byte ptr ss:,3
004062B2|.E8 3F1D0200call DirWatch.00427FF6
004062B7|.50 push eax
004062B8|.8D4C24 10lea ecx,dword ptr ss:
004062BC|.C68424 A0000000 04 mov byte ptr ss:,4
004062C4|.E8 D11B0200call DirWatch.00427E9A
004062C9|.8D4C24 04lea ecx,dword ptr ss:
004062CD|.C68424 9C000000 03 mov byte ptr ss:,3
004062D5|.E8 871A0200call DirWatch.00427D61
004062DA|.A1 ECED4300mov eax,dword ptr ds:
004062DF|.894424 14mov dword ptr ss:,eax
004062E3|.894424 08mov dword ptr ss:,eax
004062E7|.68 1CE64300push DirWatch.0043E61C
004062EC|.8D4C24 0Clea ecx,dword ptr ss:
004062F0|.C68424 A0000000 06 mov byte ptr ss:,6
004062F8|.E8 ED1B0200call DirWatch.00427EEA
004062FD|.8D5424 0Clea edx,dword ptr ss:
00406301|.8D4C24 08lea ecx,dword ptr ss:
00406305|.52 push edx
00406306|.E8 591E0200call DirWatch.00428164
0040630B|.68 1CE64300push DirWatch.0043E61C
00406310|.8D4C24 0Clea ecx,dword ptr ss:
00406314|.E8 241E0200call DirWatch.0042813D
00406319|.8D4424 08lea eax,dword ptr ss:
0040631D|.8D4C24 04lea ecx,dword ptr ss:
00406321|.50 push eax
00406322|.68 04E64300push DirWatch.0043E604;ASCII "cmd /c attrib +h +s "
00406327|.51 push ecx
00406328|.E8 3D1D0200call DirWatch.0042806A;设置文件夹的属性
0040632D|.50 push eax;-H为隐藏
0040632E|.8D4C24 18lea ecx,dword ptr ss: ;-S为系统文件属性
00406332|.C68424 A0000000 07 mov byte ptr ss:,7
0040633A|.E8 5B1B0200call DirWatch.00427E9A
0040633F|.8D4C24 04lea ecx,dword ptr ss:
00406343|.C68424 9C000000 06 mov byte ptr ss:,6
0040634B|.E8 111A0200call DirWatch.00427D61
00406350|.51 push ecx
00406351|.8D5424 18lea edx,dword ptr ss:
00406355|.8BCC mov ecx,esp
00406357|.896424 08mov dword ptr ss:,esp
0040635B|.52 push edx
0040635C|.E8 75170200call DirWatch.00427AD6
00406361|.E8 7AF4FFFFcall DirWatch.004057E0;执行上述命令,伪装成系统文件夹
00406366|.83C4 04add esp,4
00406369|.8D4424 0Clea eax,dword ptr ss:
0040636D|.8D4C24 34lea ecx,dword ptr ss:
00406371|.50 push eax
00406372|.E8 5F170200call DirWatch.00427AD6
00406377|.68 FCE54300push DirWatch.0043E5FC;ASCII "\nul\"
0040637C|.8D4C24 38lea ecx,dword ptr ss: ;所要创建的新的文件夹名
00406380|.C68424 A0000000 08 mov byte ptr ss:,8
00406388|.E8 B01D0200call DirWatch.0042813D
0040638D|.A1 ECED4300mov eax,dword ptr ds:
00406392|.894424 30mov dword ptr ss:,eax
00406396|.894424 18mov dword ptr ss:,eax
0040639A|.68 ECE54300push DirWatch.0043E5EC;ASCII "cmd /c mkdir "
0040639F|.8D4C24 34lea ecx,dword ptr ss: ;用mkdir命令创建新的文件夹
004063A3|.C68424 A0000000 0A mov byte ptr ss:,0A
004063AB|.E8 3A1B0200call DirWatch.00427EEA
004063B0|.8D4C24 34lea ecx,dword ptr ss:
004063B4|.51 push ecx
004063B5|.8D4C24 1Clea ecx,dword ptr ss:
004063B9|.E8 DC1A0200call DirWatch.00427E9A
004063BE|.8D5424 18lea edx,dword ptr ss:
004063C2|.8D4424 04lea eax,dword ptr ss:
004063C6|.52 push edx
004063C7|.68 1CE64300push DirWatch.0043E61C
004063CC|.50 push eax
004063CD|.E8 981C0200call DirWatch.0042806A
004063D2|.50 push eax
004063D3|.8D4C24 1Clea ecx,dword ptr ss:
004063D7|.C68424 A0000000 0B mov byte ptr ss:,0B
004063DF|.E8 B61A0200call DirWatch.00427E9A
004063E4|.8D4C24 04lea ecx,dword ptr ss:
004063E8|.C68424 9C000000 0A mov byte ptr ss:,0A
004063F0|.E8 6C190200call DirWatch.00427D61
004063F5|.68 1CE64300push DirWatch.0043E61C
004063FA|.8D4C24 1Clea ecx,dword ptr ss:
004063FE|.E8 3A1D0200call DirWatch.0042813D
00406403|.8D4C24 18lea ecx,dword ptr ss:
00406407|.51 push ecx
00406408|.8D4C24 34lea ecx,dword ptr ss:
0040640C|.E8 531D0200call DirWatch.00428164
00406411|.51 push ecx
00406412|.8D5424 34lea edx,dword ptr ss:
00406416|.8BCC mov ecx,esp
00406418|.896424 08mov dword ptr ss:,esp
0040641C|.52 push edx
0040641D|.E8 B4160200call DirWatch.00427AD6
00406422|.E8 B9F3FFFFcall DirWatch.004057E0;执行上述命令,创建NUL文件夹成功
00406427|.83C4 04add esp,4
0040642A|.8D4424 0Clea eax,dword ptr ss:
0040642E|.8D4C24 1Clea ecx,dword ptr ss:
00406432|.50 push eax
00406433|.E8 9E160200call DirWatch.00427AD6
00406438|.68 74104400push DirWatch.00441074
0040643D|.8D4C24 20lea ecx,dword ptr ss:
00406441|.C68424 A0000000 0C mov byte ptr ss:,0C
00406449|.E8 161D0200call DirWatch.00428164
0040644E|.A1 ECED4300mov eax,dword ptr ds:
00406453|.894424 2Cmov dword ptr ss:,eax
00406457|.894424 10mov dword ptr ss:,eax
0040645B|.B3 0Emov bl,0E
0040645D|.68 ECE54300push DirWatch.0043E5EC;ASCII "cmd /c mkdir "
00406462|.8D4C24 30lea ecx,dword ptr ss: ;继续创建
00406466|.889C24 A0000000mov byte ptr ss:,bl
0040646D|.E8 781A0200call DirWatch.00427EEA
00406472|.8D4C24 1Clea ecx,dword ptr ss:
00406476|.51 push ecx
00406477|.8D4C24 14lea ecx,dword ptr ss:
0040647B|.E8 1A1A0200call DirWatch.00427E9A
00406480|.8D5424 10lea edx,dword ptr ss:
00406484|.8D4424 04lea eax,dword ptr ss:
00406488|.52 push edx
00406489|.68 1CE64300push DirWatch.0043E61C
0040648E|.50 push eax
0040648F|.E8 D61B0200call DirWatch.0042806A
00406494|.50 push eax
00406495|.8D4C24 14lea ecx,dword ptr ss:
00406499|.C68424 A0000000 0F mov byte ptr ss:,0F
004064A1|.E8 F4190200call DirWatch.00427E9A
004064A6|.8D4C24 04lea ecx,dword ptr ss:
004064AA|.889C24 9C000000mov byte ptr ss:,bl
004064B1|.E8 AB180200call DirWatch.00427D61
004064B6|.68 1CE64300push DirWatch.0043E61C
004064BB|.8D4C24 14lea ecx,dword ptr ss:
004064BF|.E8 791C0200call DirWatch.0042813D
004064C4|.8D4C24 10lea ecx,dword ptr ss:
004064C8|.51 push ecx
004064C9|.8D4C24 30lea ecx,dword ptr ss:
004064CD|.E8 921C0200call DirWatch.00428164
004064D2|.51 push ecx
004064D3|.8D5424 30lea edx,dword ptr ss:
004064D7|.8BCC mov ecx,esp
004064D9|.896424 08mov dword ptr ss:,esp
004064DD|.52 push edx
004064DE|.E8 F3150200call DirWatch.00427AD6
004064E3|.E8 F8F2FFFFcall DirWatch.004057E0;执行上述命令,创建system.文件夹成功
004064E8|.83C4 04add esp,4
004064EB|.8D4424 1Clea eax,dword ptr ss:
004064EF|.8D4C24 04lea ecx,dword ptr ss:
004064F3|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"
004064F8|.50 push eax
004064F9|.51 push ecx
004064FA|.E8 F71A0200call DirWatch.00427FF6
004064FF|.50 push eax
00406500|.8D4C24 0Clea ecx,dword ptr ss:
00406504|.C68424 A0000000 10 mov byte ptr ss:,10
0040650C|.E8 89190200call DirWatch.00427E9A
00406511|.8D4C24 04lea ecx,dword ptr ss:
00406515|.889C24 9C000000mov byte ptr ss:,bl
0040651C|.E8 40180200call DirWatch.00427D61
00406521|.8D5424 08lea edx,dword ptr ss:
00406525|.8D4424 04lea eax,dword ptr ss:
00406529|.52 push edx
0040652A|.68 1CE64300push DirWatch.0043E61C
0040652F|.50 push eax
00406530|.E8 351B0200call DirWatch.0042806A
00406535|.50 push eax
00406536|.8D4C24 0Clea ecx,dword ptr ss:
0040653A|.C68424 A0000000 11 mov byte ptr ss:,11
00406542|.E8 53190200call DirWatch.00427E9A
00406547|.8D4C24 04lea ecx,dword ptr ss:
0040654B|.889C24 9C000000mov byte ptr ss:,bl
00406552|.E8 0A180200call DirWatch.00427D61
00406557|.68 1CE64300push DirWatch.0043E61C
0040655C|.8D4C24 0Clea ecx,dword ptr ss:
00406560|.E8 D81B0200call DirWatch.0042813D
00406565|.68 ECE54300push DirWatch.0043E5EC;ASCII "cmd /c mkdir "
0040656A|.8D4C24 18lea ecx,dword ptr ss: ;继续创建
0040656E|.E8 77190200call DirWatch.00427EEA
00406573|.8D4C24 08lea ecx,dword ptr ss:
00406577|.51 push ecx
00406578|.8D4C24 18lea ecx,dword ptr ss:
0040657C|.E8 E31B0200call DirWatch.00428164
00406581|.51 push ecx
00406582|.8D5424 18lea edx,dword ptr ss:
00406586|.8BCC mov ecx,esp
00406588|.896424 08mov dword ptr ss:,esp
0040658C|.52 push edx
0040658D|.E8 44150200call DirWatch.00427AD6
00406592|.E8 49F2FFFFcall DirWatch.004057E0
00406597|.83C4 04add esp,4
0040659A|.8D4424 0Clea eax,dword ptr ss:
0040659E|.8D4C24 28lea ecx,dword ptr ss:
004065A2|.68 74104400push DirWatch.00441074
004065A7|.50 push eax
004065A8|.51 push ecx
004065A9|.E8 E2190200call DirWatch.00427F90
004065AE|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"
004065B3|.8D4C24 2Clea ecx,dword ptr ss:
004065B7|.C68424 A0000000 12 mov byte ptr ss:,12
004065BF|.E8 791B0200call DirWatch.0042813D
004065C4|.A1 D0114400mov eax,dword ptr ds:
004065C9|.85C0 test eax,eax
004065CB|.75 3Fjnz short DirWatch.0040660C
004065CD|.51 push ecx
004065CE|.8D5424 2Clea edx,dword ptr ss:
004065D2|.8BCC mov ecx,esp
004065D4|.896424 08mov dword ptr ss:,esp
004065D8|.52 push edx
004065D9|.E8 F8140200call DirWatch.00427AD6
004065DE|.51 push ecx
004065DF|.8D8424 AC000000lea eax,dword ptr ss:
004065E6|.8BCC mov ecx,esp
004065E8|.896424 40mov dword ptr ss:,esp
004065EC|.50 push eax
004065ED|.C68424 A8000000 13 mov byte ptr ss:,13
004065F5|.E8 DC140200call DirWatch.00427AD6
004065FA|.C68424 A4000000 12 mov byte ptr ss:,12
00406602|.E8 D9F5FFFFcall DirWatch.00405BE0;把所要加密的文件全放在了system.点的文件夹里
00406607|.83C4 08add esp,8
0040660A|.EB 3Fjmp short DirWatch.0040664B
0040660C|>6A 00push 0
0040660E|.51 push ecx
0040660F|.8D5424 30lea edx,dword ptr ss:
00406613|.8BCC mov ecx,esp
00406615|.896424 40mov dword ptr ss:,esp
00406619|.52 push edx
0040661A|.E8 B7140200call DirWatch.00427AD6
0040661F|.51 push ecx
00406620|.8D8424 B0000000lea eax,dword ptr ss:
00406627|.8BCC mov ecx,esp
00406629|.896424 10mov dword ptr ss:,esp
0040662D|.50 push eax
0040662E|.C68424 AC000000 14 mov byte ptr ss:,14
00406636|.E8 9B140200call DirWatch.00427AD6
0040663B|.C68424 A8000000 12 mov byte ptr ss:,12
00406643|.E8 D8F7FFFFcall DirWatch.00405E20
00406648|.83C4 0Cadd esp,0C
0040664B|>85C0 test eax,eax
0040664D|.0F84 BC010000je DirWatch.0040680F
00406653|.68 E4E54300push DirWatch.0043E5E4;ASCII "CLSID="
00406658|.8D4C24 28lea ecx,dword ptr ss:
0040665C|.E8 89180200call DirWatch.00427EEA
00406661|.8D4C24 0Clea ecx,dword ptr ss:
00406665|.68 34E14300push DirWatch.0043E134;ASCII "\desktop.ini"
0040666A|.8D5424 08lea edx,dword ptr ss:;所要创建的新的文件名
0040666E|.51 push ecx
0040666F|.52 push edx
00406670|.E8 81190200call DirWatch.00427FF6
00406675|.50 push eax
00406676|.8D4C24 24lea ecx,dword ptr ss:
0040667A|.C68424 A0000000 15 mov byte ptr ss:,15
00406682|.E8 13180200call DirWatch.00427E9A
00406687|.8D4C24 04lea ecx,dword ptr ss:
0040668B|.C68424 9C000000 12 mov byte ptr ss:,12
00406693|.E8 C9160200call DirWatch.00427D61
00406698|.A1 34654300mov eax,dword ptr ds:
0040669D|.8B4C24 20mov ecx,dword ptr ss:
004066A1|.6A 01push 1
004066A3|.50 push eax
004066A4|.6A 02push 2
004066A6|.51 push ecx
004066A7|.8D4C24 4Clea ecx,dword ptr ss:
004066AB|.E8 346B0100call DirWatch.0041D1E4
004066B0|.68 BCE54300push DirWatch.0043E5BC;ASCII "{645FF040-5081-101B-9F08-00AA002F954E}"
004066B5|.8D4C24 28lea ecx,dword ptr ss:
004066B9|.C68424 A0000000 16 mov byte ptr ss:,16
004066C1|.E8 771A0200call DirWatch.0042813D
004066C6|.68 A8E54300push DirWatch.0043E5A8;ASCII "[.ShellClassInfo]
"
004066CB|.8D4C24 40lea ecx,dword ptr ss:
004066CF|.E8 2C6D0100call DirWatch.0041D400;成功创建desktop.ini
004066D4|.8B5424 24mov edx,dword ptr ss: ;CLSID号放EDX
004066D8|.8D4C24 3Clea ecx,dword ptr ss:
004066DC|.52 push edx
004066DD|.E8 1E6D0100call DirWatch.0041D400
004066E2|.8D4C24 3Clea ecx,dword ptr ss:
004066E6|.E8 FF740100call DirWatch.0041DBEA;把数据全放到了ini文件里
004066EB|.8B4424 20mov eax,dword ptr ss:
004066EF|.6A 01push 1; /属性为只读
004066F1|.50 push eax; |FileName
004066F2|.FF15 C8224300call dword ptr ds:[<&KERNEL32.SetFileAttributesA>>; \设置文件属性
004066F8|.8D4C24 44lea ecx,dword ptr ss: ;创建1个desktop.ini文件
004066FC|.C68424 9C000000 12 mov byte ptr ss:,12 ;成功执行,把文件夹伪装成回收站的样子
00406704|.E8 926B0100call DirWatch.0041D29B;并把里面的文件全隐藏起来
00406709|.8D4C24 44lea ecx,dword ptr ss:
0040670D|.E8 2E6A0100call DirWatch.0041D140
00406712|.8D4C24 28lea ecx,dword ptr ss:
00406716|.889C24 9C000000mov byte ptr ss:,bl
0040671D|.E8 3F160200call DirWatch.00427D61
00406722|.8D4C24 10lea ecx,dword ptr ss:
00406726|.C68424 9C000000 0D mov byte ptr ss:,0D
0040672E|.E8 2E160200call DirWatch.00427D61
00406733|.8D4C24 2Clea ecx,dword ptr ss:
00406737|.C68424 9C000000 0C mov byte ptr ss:,0C
0040673F|.E8 1D160200call DirWatch.00427D61
00406744|.8D4C24 1Clea ecx,dword ptr ss:
00406748|.C68424 9C000000 0A mov byte ptr ss:,0A
00406750|.E8 0C160200call DirWatch.00427D61
00406755|.8D4C24 18lea ecx,dword ptr ss:
00406759|.C68424 9C000000 09 mov byte ptr ss:,9
00406761|.E8 FB150200call DirWatch.00427D61
00406766|.8D4C24 30lea ecx,dword ptr ss:
0040676A|.C68424 9C000000 08 mov byte ptr ss:,8
00406772|.E8 EA150200call DirWatch.00427D61
00406777|.8D4C24 34lea ecx,dword ptr ss:
0040677B|.C68424 9C000000 06 mov byte ptr ss:,6
00406783|.E8 D9150200call DirWatch.00427D61
00406788|.8D4C24 08lea ecx,dword ptr ss:
0040678C|.C68424 9C000000 05 mov byte ptr ss:,5
00406794|.E8 C8150200call DirWatch.00427D61
00406799|.8D4C24 14lea ecx,dword ptr ss:
0040679D|.C68424 9C000000 03 mov byte ptr ss:,3
004067A5|.E8 B7150200call DirWatch.00427D61
004067AA|.8D4C24 24lea ecx,dword ptr ss:
004067AE|.C68424 9C000000 02 mov byte ptr ss:,2
004067B6|.E8 A6150200call DirWatch.00427D61
004067BB|.8D4C24 20lea ecx,dword ptr ss:
004067BF|.C68424 9C000000 01 mov byte ptr ss:,1
004067C7|.E8 95150200call DirWatch.00427D61
004067CC|.8D4C24 0Clea ecx,dword ptr ss:
004067D0|.C68424 9C000000 00 mov byte ptr ss:,0
004067D8|.E8 84150200call DirWatch.00427D61
004067DD|.8D8C24 A4000000lea ecx,dword ptr ss:
004067E4|.C78424 9C000000 FF>mov dword ptr ss:,-1
004067EF|.E8 6D150200call DirWatch.00427D61
004067F4|.B8 01000000mov eax,1
004067F9|.8B8C24 94000000mov ecx,dword ptr ss:
00406800|.64:890D 00000000 mov dword ptr fs:,ecx
00406807|.5B pop ebx
00406808|.81C4 9C000000add esp,9C
0040680E|.C3 retn



上述的过程是,创建了2个文件夹,nul和特殊的文件夹system.(因为这样的命名系统是不会接受的)
然后把所要加密的文件放进了system.文件夹里面
接着又创建了desktop.ini文件,把此文件夹伪装成回收站

加密过程到此结束。

总结一下,其加密的过程和原理还是比较简单的:

文件夹加密狗在要加密的文件夹里先建立了一个名字为DirRecycler的文件夹,然后把此文件夹设置成系统文件并给隐藏了起来,最后把它伪装成回收站,因此,正常情况下我们是看不见这个文件夹的,我们把隐藏系统重要文件前的勾去掉,可以看到这个文件夹,而看见的就是一个回收站的样子的图标。点进去可以发现,DirRecycler文件夹里面有2个文件夹和3个文件,分别为nul,system.两个文件夹,和Dir800621.ini,desktop.ini,{djp2006}.mem三个文件。Dir800621.ini和{djp2006}.mem是保存重要的密码和加密信息的,而desktop.ini文件是把DirRecycler文件夹伪装成回收站的文件的属性信息。因此,我们只要把desktop.ini给删除,DirRecycler文件夹的图标就会从回收站的图标变成普通文件夹的图标了。
system.在普通情况下是创建不了的,而且也是点不进去的,而我们的所要加密的文件,就会保存在这个文件夹里面。至于nul文件夹,一般情况是可以进去的,具体的作用暂时没发现,知道的请告诉我。

下面进入解密过程:

输入解密的密码,点解密按纽,来到关键代码处:


0040AB80 .64:A1 00000000 mov eax,dword ptr fs:
0040AB86 .6A FFpush -1
0040AB88 .68 380D4300push DirWatch.00430D38
0040AB8D .50 push eax
0040AB8E .64:8925 00000000 mov dword ptr fs:,esp
0040AB95 .83EC 08sub esp,8
0040AB98 .53 push ebx
0040AB99 .55 push ebp
0040AB9A .56 push esi
0040AB9B .8BF1 mov esi,ecx
0040AB9D .57 push edi
0040AB9E .33DB xor ebx,ebx
0040ABA0 .33C0 xor eax,eax
0040ABA2 .8DBE 8C000000lea edi,dword ptr ds:
0040ABA8 >881C07 mov byte ptr ds:,bl
0040ABAB .8898 14124400mov byte ptr ds:,bl
0040ABB1 .40 inc eax
0040ABB2 .83F8 10cmp eax,10
0040ABB5 .^ 7C F1jl short DirWatch.0040ABA8
0040ABB7 .8DAE 9C000000lea ebp,dword ptr ds:
0040ABBD .68 E0EA4300push DirWatch.0043EAE0;ASCII "\DirRecyclers"
0040ABC2 .8D4424 14lea eax,dword ptr ss:
0040ABC6 .55 push ebp
0040ABC7 .50 push eax
0040ABC8 .E8 29D40100call DirWatch.00427FF6
0040ABCD .8B86 A0000000mov eax,dword ptr ds:
0040ABD3 .895C24 20mov dword ptr ss:,ebx
0040ABD7 .3BC3 cmp eax,ebx ;判断加密还是解密,解密则跳
0040ABD9 .75 0Cjnz short DirWatch.0040ABE7
0040ABDB .8BCE mov ecx,esi
0040ABDD .E8 0E0B0000call DirWatch.0040B6F0
0040ABE2 .E9 50010000jmp DirWatch.0040AD37
0040ABE7 >6A 01push 1
0040ABE9 .8BCE mov ecx,esi
0040ABEB .E8 4ABD0100call DirWatch.0042693A
0040ABF0 .85C0 test eax,eax
0040ABF2 .0F84 3F010000je DirWatch.0040AD37
0040ABF8 .8B8E F4000000mov ecx,dword ptr ds: ;解密的密码放ECX
0040ABFE .8B41 F8mov eax,dword ptr ds:;位数当EAX
0040AC01 .8BC8 mov ecx,eax ;放ECX
0040AC03 .83F8 01cmp eax,1 ;和1比较
0040AC06 .890D 24124400mov dword ptr ds:,ecx
0040AC0C .7D 07jge short DirWatch.0040AC15
0040AC0E .B9 02000000mov ecx,2
0040AC13 .EB 0Ajmp short DirWatch.0040AC1F
0040AC15 >83F8 10cmp eax,10;和16比较
0040AC18 .7E 0Bjle short DirWatch.0040AC25
0040AC1A .B9 10000000mov ecx,10
0040AC1F >890D 24124400mov dword ptr ds:,ecx
0040AC25 >33C0 xor eax,eax
0040AC27 .3BCB cmp ecx,ebx
0040AC29 .7E 1Djle short DirWatch.0040AC48
0040AC2B >8B96 F4000000mov edx,dword ptr ds:
0040AC31 .40 inc eax
0040AC32 .8A4C02 FFmov cl,byte ptr ds:;逐位取解密的密码
0040AC36 .884C07 FFmov byte ptr ds:,cl
0040AC3A .8888 13124400mov byte ptr ds:,cl
0040AC40 .3B05 24124400cmp eax,dword ptr ds:
0040AC46 .^ 7C E3jl short DirWatch.0040AC2B
0040AC48 >57 push edi
0040AC49 .51 push ecx
0040AC4A .8BCC mov ecx,esp
0040AC4C .896424 1Cmov dword ptr ss:,esp
0040AC50 .55 push ebp
0040AC51 .E8 80CE0100call DirWatch.00427AD6
0040AC56 .E8 05C3FFFFcall DirWatch.00406F60;判断密码是否正确的关键,F7进
0040AC5B .83C4 08add esp,8
0040AC5E .3BC3 cmp eax,ebx
0040AC60 .0F84 D1000000je DirWatch.0040AD37
0040AC66 .51 push ecx
0040AC67 .8BCC mov ecx,esp
0040AC69 .896424 18mov dword ptr ss:,esp
0040AC6D .55 push ebp
0040AC6E .E8 63CE0100call DirWatch.00427AD6
0040AC73 .E8 B8BCFFFFcall DirWatch.00406930;解密加密的文件的重要CALL,F7!
0040AC78 .8B4424 14mov eax,dword ptr ss:
0040AC7C .83C4 04add esp,4
0040AC7F .50 push eax; /Path




进入解密关键代码:



; ---------------------------------------------------------------------------
; 00406930 — "decrypt"/restore routine reached from the unlock button handler.
; What the visible strings and imports establish: it builds paths under the
; folder it was handed (via the string helpers at 0042813D/00427FF6/00427E9A/
; 00428164/00427D61 — their bodies are not shown, roles inferred from usage),
; issues "cmd /c rmdir" command lines, deletes desktop.ini, Dir800621.ini and
; djp.txt, calls 00405BE0/00405E20 (presumably the routine that moves the hidden
; files back out), then removes the nul, dogtmpdir and DirRecycler directories
; with RemoveDirectoryA. On the path shown it returns eax = 1; the je at
; 00406D49 leaves to 00406E8F, which is past the end of this listing.
; No cryptographic operation appears anywhere in this routine: "decryption"
; is only the undoing of the hide-and-disguise steps done at encryption time.
; ---------------------------------------------------------------------------
00406930/$6A FFpush -1 ; SEH frame: unwind state -1, handler, previous fs:[0]
00406932|.68 38074300push DirWatch.00430738;SEH handler install
00406937|.64:A1 00000000 mov eax,dword ptr fs:
0040693D|.50 push eax
0040693E|.64:8925 00000000 mov dword ptr fs:,esp
00406945|.83EC 3Csub esp,3C ; locals (string temporaries live here)
00406948|.53 push ebx
00406949|.55 push ebp
0040694A|.56 push esi
0040694B|.57 push edi ; callee-saved registers preserved
0040694C|.A1 ECED4300mov eax,dword ptr ds: ; global used to initialise every string temp (presumably an empty-string object)
00406951|.C74424 54 00000000 mov dword ptr ss:,0
00406959|.894424 10mov dword ptr ss:,eax
0040695D|.8D4C24 5Clea ecx,dword ptr ss:
00406961|.68 44E14300push DirWatch.0043E144
00406966|.8D5424 44lea edx,dword ptr ss:
0040696A|.51 push ecx
0040696B|.52 push edx
0040696C|.C64424 60 01 mov byte ptr ss:,1 ; EH state byte — presumably the unwind level, bumped after each temp is constructed
00406971|.E8 80160200call DirWatch.00427FF6 ; used throughout as "path + literal" concatenation (by usage; body not shown)
00406976|.50 push eax
00406977|.8D4C24 14lea ecx,dword ptr ss:
0040697B|.C64424 58 02 mov byte ptr ss:,2
00406980|.E8 15150200call DirWatch.00427E9A ; assign result into another string slot (by usage)
00406985|.8D4C24 40lea ecx,dword ptr ss:
00406989|.C64424 54 01 mov byte ptr ss:,1
0040698E|.E8 CE130200call DirWatch.00427D61 ; string destructor / release (by usage: called once per temp before retn)
00406993|.68 A0104400push DirWatch.004410A0
00406998|.8D4C24 14lea ecx,dword ptr ss:
0040699C|.E8 C3170200call DirWatch.00428164
004069A1|.8D4424 10lea eax,dword ptr ss:
004069A5|.B9 98104400mov ecx,DirWatch.00441098 ; global string object at 00441098 (also targeted at 00406BE7)
004069AA|.50 push eax
004069AB|.E8 EA140200call DirWatch.00427E9A
004069B0|.8D4C24 10lea ecx,dword ptr ss:
004069B4|.68 74104400push DirWatch.00441074
004069B9|.8D5424 30lea edx,dword ptr ss:
004069BD|.51 push ecx
004069BE|.52 push edx
004069BF|.E8 CC150200call DirWatch.00427F90
004069C4|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"
004069C9|.8D4C24 30lea ecx,dword ptr ss:
004069CD|.C64424 58 03 mov byte ptr ss:,3
004069D2|.E8 66170200call DirWatch.0042813D ; append literal to string (by usage)
004069D7|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir "
004069DC|.8D4C24 3Clea ecx,dword ptr ss: ;builds a "cmd /c rmdir <path>" command line — directories are removed by shelling out, not via the API
004069E0|.E8 EA130200call DirWatch.00427DCF
004069E5|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir "
004069EA|.8D4C24 38lea ecx,dword ptr ss: ;second rmdir command line
004069EE|.C64424 58 04 mov byte ptr ss:,4
004069F3|.E8 D7130200call DirWatch.00427DCF
004069F8|.8D4424 10lea eax,dword ptr ss:
004069FC|.68 FCE54300push DirWatch.0043E5FC;ASCII "\nul\" ; reserved device name used as a folder name — only reachable through cmd, which is why rmdir is shelled out
00406A01|.8D4C24 40lea ecx,dword ptr ss:
00406A05|.50 push eax
00406A06|.51 push ecx
00406A07|.C64424 60 05 mov byte ptr ss:,5
00406A0C|.E8 E5150200call DirWatch.00427FF6
00406A11|.A1 ECED4300mov eax,dword ptr ds:
00406A16|.894424 28mov dword ptr ss:,eax
00406A1A|.894424 1Cmov dword ptr ss:,eax
00406A1E|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir "
00406A23|.8D4C24 2Clea ecx,dword ptr ss: ;third rmdir command line
00406A27|.C64424 58 08 mov byte ptr ss:,8
00406A2C|.E8 B9140200call DirWatch.00427EEA
00406A31|.8D5424 3Clea edx,dword ptr ss:
00406A35|.8D4C24 1Clea ecx,dword ptr ss:
00406A39|.52 push edx
00406A3A|.E8 5B140200call DirWatch.00427E9A
00406A3F|.8D4424 1Clea eax,dword ptr ss:
00406A43|.8D4C24 40lea ecx,dword ptr ss:
00406A47|.50 push eax
00406A48|.68 1CE64300push DirWatch.0043E61C ; literal at 0043E61C not shown in this dump (used as a separator/quote around paths, judging by position)
00406A4D|.51 push ecx
00406A4E|.E8 17160200call DirWatch.0042806A
00406A53|.C64424 54 09 mov byte ptr ss:,9
00406A58|.50 push eax
00406A59|.8D4C24 20lea ecx,dword ptr ss:
00406A5D|.E8 38140200call DirWatch.00427E9A
00406A62|.8D4C24 40lea ecx,dword ptr ss:
00406A66|.C64424 54 08 mov byte ptr ss:,8
00406A6B|.E8 F1120200call DirWatch.00427D61
00406A70|.68 1CE64300push DirWatch.0043E61C
00406A75|.8D4C24 20lea ecx,dword ptr ss:
00406A79|.E8 BF160200call DirWatch.0042813D
00406A7E|.8D5424 1Clea edx,dword ptr ss:
00406A82|.8D4C24 28lea ecx,dword ptr ss:
00406A86|.52 push edx
00406A87|.E8 D8160200call DirWatch.00428164
00406A8C|.A1 ECED4300mov eax,dword ptr ds:
00406A91|.894424 18mov dword ptr ss:,eax
00406A95|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"
00406A9A|.8D4C24 44lea ecx,dword ptr ss:
00406A9E|.B3 0Amov bl,0A ; bl = EH state value 0A, reused for several stores below
00406AA0|.68 74104400push DirWatch.00441074
00406AA5|.51 push ecx
00406AA6|.885C24 60mov byte ptr ss:,bl
00406AAA|.E8 47150200call DirWatch.00427FF6
00406AAF|.50 push eax
00406AB0|.8D4C24 1Clea ecx,dword ptr ss:
00406AB4|.C64424 58 0B mov byte ptr ss:,0B
00406AB9|.E8 DC130200call DirWatch.00427E9A
00406ABE|.8D4C24 40lea ecx,dword ptr ss:
00406AC2|.885C24 54mov byte ptr ss:,bl
00406AC6|.E8 96120200call DirWatch.00427D61
00406ACB|.8D5424 18lea edx,dword ptr ss:
00406ACF|.8D4424 10lea eax,dword ptr ss:
00406AD3|.52 push edx
00406AD4|.8D4C24 44lea ecx,dword ptr ss:
00406AD8|.50 push eax
00406AD9|.51 push ecx
00406ADA|.E8 B1140200call DirWatch.00427F90
00406ADF|.50 push eax
00406AE0|.8D4C24 1Clea ecx,dword ptr ss:
00406AE4|.C64424 58 0C mov byte ptr ss:,0C
00406AE9|.E8 AC130200call DirWatch.00427E9A
00406AEE|.8D4C24 40lea ecx,dword ptr ss:
00406AF2|.885C24 54mov byte ptr ss:,bl
00406AF6|.E8 66120200call DirWatch.00427D61
00406AFB|.8D5424 18lea edx,dword ptr ss:
00406AFF|.8D4424 40lea eax,dword ptr ss:
00406B03|.52 push edx
00406B04|.68 1CE64300push DirWatch.0043E61C
00406B09|.50 push eax
00406B0A|.E8 5B150200call DirWatch.0042806A
00406B0F|.50 push eax
00406B10|.8D4C24 1Clea ecx,dword ptr ss:
00406B14|.C64424 58 0D mov byte ptr ss:,0D
00406B19|.E8 7C130200call DirWatch.00427E9A
00406B1E|.8D4C24 40lea ecx,dword ptr ss:
00406B22|.885C24 54mov byte ptr ss:,bl
00406B26|.E8 36120200call DirWatch.00427D61
00406B2B|.68 1CE64300push DirWatch.0043E61C
00406B30|.8D4C24 1Clea ecx,dword ptr ss:
00406B34|.E8 04160200call DirWatch.0042813D
00406B39|.8D4C24 18lea ecx,dword ptr ss:
00406B3D|.51 push ecx
00406B3E|.8D4C24 3Clea ecx,dword ptr ss:
00406B42|.E8 1D160200call DirWatch.00428164
00406B47|.8B15 ECED4300mov edx,dword ptr ds: ;DirWatch.0043EE00
00406B4D|.895424 14mov dword ptr ss:,edx
00406B51|.68 74104400push DirWatch.00441074
00406B56|.8D4C24 18lea ecx,dword ptr ss:
00406B5A|.C64424 58 0E mov byte ptr ss:,0E
00406B5F|.E8 36130200call DirWatch.00427E9A
00406B64|.8D4424 14lea eax,dword ptr ss:
00406B68|.8D4C24 10lea ecx,dword ptr ss:
00406B6C|.50 push eax
00406B6D|.8D5424 44lea edx,dword ptr ss:
00406B71|.51 push ecx
00406B72|.52 push edx
00406B73|.E8 18140200call DirWatch.00427F90
00406B78|.50 push eax
00406B79|.8D4C24 18lea ecx,dword ptr ss:
00406B7D|.C64424 58 0F mov byte ptr ss:,0F
00406B82|.E8 13130200call DirWatch.00427E9A
00406B87|.8D4C24 40lea ecx,dword ptr ss:
00406B8B|.C64424 54 0E mov byte ptr ss:,0E
00406B90|.E8 CC110200call DirWatch.00427D61
00406B95|.8D4424 14lea eax,dword ptr ss:
00406B99|.8D4C24 40lea ecx,dword ptr ss:
00406B9D|.50 push eax
00406B9E|.68 1CE64300push DirWatch.0043E61C
00406BA3|.51 push ecx
00406BA4|.E8 C1140200call DirWatch.0042806A
00406BA9|.50 push eax
00406BAA|.8D4C24 18lea ecx,dword ptr ss:
00406BAE|.C64424 58 10 mov byte ptr ss:,10
00406BB3|.E8 E2120200call DirWatch.00427E9A
00406BB8|.8D4C24 40lea ecx,dword ptr ss:
00406BBC|.C64424 54 0E mov byte ptr ss:,0E
00406BC1|.E8 9B110200call DirWatch.00427D61
00406BC6|.68 1CE64300push DirWatch.0043E61C
00406BCB|.8D4C24 18lea ecx,dword ptr ss:
00406BCF|.E8 69150200call DirWatch.0042813D
00406BD4|.8D5424 14lea edx,dword ptr ss:
00406BD8|.8D4C24 34lea ecx,dword ptr ss:
00406BDC|.52 push edx
00406BDD|.E8 82150200call DirWatch.00428164
00406BE2|.68 34E14300push DirWatch.0043E134;ASCII "\desktop.ini" ; the file that carries the recycle-bin CLSID disguise
00406BE7|.B9 98104400mov ecx,DirWatch.00441098
00406BEC|.E8 4C150200call DirWatch.0042813D
00406BF1|.8D4424 5Clea eax,dword ptr ss:
00406BF5|.68 44E14300push DirWatch.0043E144
00406BFA|.8D4C24 28lea ecx,dword ptr ss:
00406BFE|.50 push eax
00406BFF|.51 push ecx
00406C00|.E8 F1130200call DirWatch.00427FF6
00406C05|.68 A0104400push DirWatch.004410A0
00406C0A|.8D4C24 28lea ecx,dword ptr ss:
00406C0E|.C64424 58 11 mov byte ptr ss:,11
00406C13|.E8 4C150200call DirWatch.00428164
00406C18|.68 30E64300push DirWatch.0043E630;ASCII "\Dir800621.ini" ; per the write-up, one of the two files holding the password/encryption info
00406C1D|.8D4C24 28lea ecx,dword ptr ss:
00406C21|.E8 17150200call DirWatch.0042813D
00406C26|.8D5424 10lea edx,dword ptr ss:
00406C2A|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"
00406C2F|.8D4424 34lea eax,dword ptr ss:
00406C33|.52 push edx
00406C34|.50 push eax
00406C35|.E8 BC130200call DirWatch.00427FF6
00406C3A|.8D4C24 10lea ecx,dword ptr ss:
00406C3E|.68 74104400push DirWatch.00441074
00406C43|.8D5424 24lea edx,dword ptr ss:
00406C47|.51 push ecx
00406C48|.52 push edx
00406C49|.C64424 60 12 mov byte ptr ss:,12
00406C4E|.E8 3D130200call DirWatch.00427F90
00406C53|.8B4424 30mov eax,dword ptr ss:
00406C57|.8B3D F0224300mov edi,dword ptr ds:[<&KERNEL32.RemoveDirectoryA>;edi = RemoveDirectoryA (kept live for the later calls through edi)
00406C5D|.50 push eax; /Path
00406C5E|.C64424 58 13 mov byte ptr ss:,13 ; |directory name
00406C63|.FFD7 call edi; \RemoveDirectoryA
00406C65|.FF15 A0224300call dword ptr ds:[<&KERNEL32.GetLastError>]; [GetLastError
00406C6B|.8B2D C8224300mov ebp,dword ptr ds:[<&KERNEL32.SetFileAttribute>;ebp = SetFileAttributesA
00406C71|.8B35 CC224300mov esi,dword ptr ds:[<&KERNEL32.DeleteFileA>];esi = DeleteFileA
00406C77|.83F8 02cmp eax,2 ; 2 = ERROR_FILE_NOT_FOUND: directory already gone, skip the cleanup block
00406C7A|.74 56je short DirWatch.00406CD2
00406C7C|.8B4C24 20mov ecx,dword ptr ss:
00406C80|.8B5424 30mov edx,dword ptr ss:
00406C84|.51 push ecx
00406C85|.52 push edx
00406C86|.E8 65EEFFFFcall DirWatch.00405AF0 ; two-path helper (also used by 00405BE0 per file); presumably a move/copy — body not shown
00406C8B|.83C4 08add esp,8
00406C8E|.8D4424 10lea eax,dword ptr ss:
00406C92|.8D4C24 40lea ecx,dword ptr ss:
00406C96|.68 28E14300push DirWatch.0043E128;ASCII "\djp.txt"
00406C9B|.50 push eax
00406C9C|.51 push ecx
00406C9D|.E8 54130200call DirWatch.00427FF6
00406CA2|.50 push eax
00406CA3|.8D4C24 24lea ecx,dword ptr ss:
00406CA7|.C64424 58 14 mov byte ptr ss:,14
00406CAC|.E8 E9110200call DirWatch.00427E9A
00406CB1|.8D4C24 40lea ecx,dword ptr ss:
00406CB5|.C64424 54 13 mov byte ptr ss:,13
00406CBA|.E8 A2100200call DirWatch.00427D61
00406CBF|.8B5424 20mov edx,dword ptr ss:
00406CC3|.68 80000000push 80 ; /FileAttributes = NORMAL — presumably clears read-only/hidden/system so the DeleteFileA below succeeds
00406CC8|.52 push edx; |FileName
00406CC9|.FFD5 call ebp; \SetFileAttributesA
00406CCB|.8B4424 20mov eax,dword ptr ss:
00406CCF|.50 push eax; /FileName
00406CD0|.FFD6 call esi; \DeleteFileA
00406CD2|>A1 D0114400mov eax,dword ptr ds: ; global flag selects between the two-arg (00405BE0) and three-arg (00405E20) variants
00406CD7|.85C0 test eax,eax
00406CD9|.75 36jnz short DirWatch.00406D11
00406CDB|.51 push ecx
00406CDC|.8D5424 60lea edx,dword ptr ss:
00406CE0|.8BCC mov ecx,esp
00406CE2|.896424 48mov dword ptr ss:,esp
00406CE6|.52 push edx
00406CE7|.E8 EA0D0200call DirWatch.00427AD6 ; copy-construct a string argument in place on the stack (by usage)
00406CEC|.51 push ecx
00406CED|.8D4424 34lea eax,dword ptr ss:
00406CF1|.8BCC mov ecx,esp
00406CF3|.896424 50mov dword ptr ss:,esp
00406CF7|.50 push eax
00406CF8|.C64424 60 15 mov byte ptr ss:,15
00406CFD|.E8 D40D0200call DirWatch.00427AD6
00406D02|.C64424 5C 13 mov byte ptr ss:,13
00406D07|.E8 D4EEFFFFcall DirWatch.00405BE0;key call that brings the files back out; step into it (F7)
00406D0C|.83C4 08add esp,8
00406D0F|.EB 36jmp short DirWatch.00406D47
00406D11|>6A 00push 0
00406D13|.51 push ecx
00406D14|.8D5424 64lea edx,dword ptr ss:
00406D18|.8BCC mov ecx,esp
00406D1A|.896424 50mov dword ptr ss:,esp
00406D1E|.52 push edx
00406D1F|.E8 B20D0200call DirWatch.00427AD6
00406D24|.51 push ecx
00406D25|.8D4424 38lea eax,dword ptr ss:
00406D29|.8BCC mov ecx,esp
00406D2B|.896424 50mov dword ptr ss:,esp
00406D2F|.50 push eax
00406D30|.C64424 64 16 mov byte ptr ss:,16
00406D35|.E8 9C0D0200call DirWatch.00427AD6
00406D3A|.C64424 60 13 mov byte ptr ss:,13
00406D3F|.E8 DCF0FFFFcall DirWatch.00405E20 ; alternate variant (body not shown)
00406D44|.83C4 0Cadd esp,0C
00406D47|>85C0 test eax,eax
00406D49|.0F84 40010000je DirWatch.00406E8F ; failure path leaves to 00406E8F, beyond this listing
00406D4F|.8B0D 9C104400mov ecx,dword ptr ds: ; path held in global at 0044109C
00406D55|.51 push ecx
00406D56|.FFD6 call esi ; DeleteFileA
00406D58|.8B15 98104400mov edx,dword ptr ds: ;DirWatch.0043EE00
00406D5E|.68 80000000push 80 ; FILE_ATTRIBUTE_NORMAL before deleting (same pattern as 00406CC3)
00406D63|.52 push edx
00406D64|.FFD5 call ebp ; SetFileAttributesA
00406D66|.A1 98104400mov eax,dword ptr ds:
00406D6B|.50 push eax
00406D6C|.FFD6 call esi ; DeleteFileA
00406D6E|.8B4C24 24mov ecx,dword ptr ss:
00406D72|.51 push ecx
00406D73|.FFD6 call esi ; DeleteFileA
00406D75|.51 push ecx
00406D76|.8D5424 3Clea edx,dword ptr ss:
00406D7A|.8BCC mov ecx,esp
00406D7C|.896424 4Cmov dword ptr ss:,esp
00406D80|.52 push edx
00406D81|.E8 500D0200call DirWatch.00427AD6
00406D86|.E8 55EAFFFFcall DirWatch.004057E0;runs the command line built above (same helper the encrypt path used for "cmd /c mkdir") — restores the main folder's original attributes and icon
00406D8B|.8D4424 38lea eax,dword ptr ss:
00406D8F|.8BCC mov ecx,esp
00406D91|.896424 4Cmov dword ptr ss:,esp
00406D95|.50 push eax
00406D96|.E8 3B0D0200call DirWatch.00427AD6
00406D9B|.E8 40EAFFFFcall DirWatch.004057E0;nul folder restored
00406DA0|.8D5424 2Clea edx,dword ptr ss:
00406DA4|.8BCC mov ecx,esp
00406DA6|.896424 4Cmov dword ptr ss:,esp
00406DAA|.52 push edx
00406DAB|.E8 260D0200call DirWatch.00427AD6
00406DB0|.E8 2BEAFFFFcall DirWatch.004057E0;nul folder removed
00406DB5|.8B4424 14mov eax,dword ptr ss:
00406DB9|.83C4 04add esp,4
00406DBC|.50 push eax
00406DBD|.FFD7 call edi ; RemoveDirectoryA on the DirRecycler path
00406DBF|.8D4C24 20lea ecx,dword ptr ss:
00406DC3|.C64424 54 12 mov byte ptr ss:,12 ; from here on: tear down every string temp in reverse construction order
00406DC8|.E8 940F0200call DirWatch.00427D61;DirRecycler folder removed
00406DCD|.8D4C24 30lea ecx,dword ptr ss:
00406DD1|.C64424 54 11 mov byte ptr ss:,11
00406DD6|.E8 860F0200call DirWatch.00427D61
00406DDB|.8D4C24 24lea ecx,dword ptr ss:
00406DDF|.C64424 54 0E mov byte ptr ss:,0E
00406DE4|.E8 780F0200call DirWatch.00427D61
00406DE9|.8D4C24 14lea ecx,dword ptr ss:
00406DED|.885C24 54mov byte ptr ss:,bl
00406DF1|.E8 6B0F0200call DirWatch.00427D61
00406DF6|.8D4C24 18lea ecx,dword ptr ss:
00406DFA|.C64424 54 08 mov byte ptr ss:,8
00406DFF|.E8 5D0F0200call DirWatch.00427D61
00406E04|.8D4C24 1Clea ecx,dword ptr ss:
00406E08|.C64424 54 07 mov byte ptr ss:,7
00406E0D|.E8 4F0F0200call DirWatch.00427D61
00406E12|.8D4C24 28lea ecx,dword ptr ss:
00406E16|.C64424 54 06 mov byte ptr ss:,6
00406E1B|.E8 410F0200call DirWatch.00427D61
00406E20|.8D4C24 3Clea ecx,dword ptr ss:
00406E24|.C64424 54 05 mov byte ptr ss:,5
00406E29|.E8 330F0200call DirWatch.00427D61
00406E2E|.8D4C24 34lea ecx,dword ptr ss:
00406E32|.C64424 54 04 mov byte ptr ss:,4
00406E37|.E8 250F0200call DirWatch.00427D61
00406E3C|.8D4C24 38lea ecx,dword ptr ss:
00406E40|.C64424 54 03 mov byte ptr ss:,3
00406E45|.E8 170F0200call DirWatch.00427D61
00406E4A|.8D4C24 2Clea ecx,dword ptr ss:
00406E4E|.C64424 54 01 mov byte ptr ss:,1
00406E53|.E8 090F0200call DirWatch.00427D61
00406E58|.8D4C24 10lea ecx,dword ptr ss:
00406E5C|.C64424 54 00 mov byte ptr ss:,0
00406E61|.E8 FB0E0200call DirWatch.00427D61
00406E66|.8D4C24 5Clea ecx,dword ptr ss:
00406E6A|.C74424 54 FFFFFFFF mov dword ptr ss:,-1 ; EH state back to -1: no live temps
00406E72|.E8 EA0E0200call DirWatch.00427D61
00406E77|.B8 01000000mov eax,1 ; return value: success
00406E7C|.8B4C24 4Cmov ecx,dword ptr ss:
00406E80|.64:890D 00000000 mov dword ptr fs:,ecx ; unlink SEH frame
00406E87|.5F pop edi
00406E88|.5E pop esi
00406E89|.5D pop ebp
00406E8A|.5B pop ebx
00406E8B|.83C4 48add esp,48
00406E8E|.C3 retn





继续进关键:


; ---------------------------------------------------------------------------
; 00405BE0 — directory walk that brings the hidden files back out.
; Grounded in the listing: appends "\*" to the source path, enumerates it with
; FindFirstFileA/FindNextFileA, skips the "." / ".." entries (lstrcmpA against
; 0043E18C — string not shown, presumably "." — and ".."), and for each entry
; that passes the 0041418B check and is not named "DirRecycler" calls the
; two-path helper 00405AF0 (presumably the move; body not shown).
; Returns eax = 0 when FindFirstFileA fails (INVALID_HANDLE_VALUE), else 1.
; Arguments (two stack slots, read as ss:[esp+0x164]/[esp+0x16C] after the
; prologue) are the source and destination path strings — inferred from the
; caller at 00406D07, not provable here.
; ---------------------------------------------------------------------------
00405BE0/$6A FFpush -1 ; SEH frame setup
00405BE2|.68 F1044300push DirWatch.004304F1;SEH handler install
00405BE7|.64:A1 00000000 mov eax,dword ptr fs:
00405BED|.50 push eax
00405BEE|.64:8925 00000000 mov dword ptr fs:,esp
00405BF5|.81EC 4C010000sub esp,14C ; large frame: holds the WIN32_FIND_DATA (0x140 bytes) plus string temps
00405BFB|.53 push ebx
00405BFC|.56 push esi
00405BFD|.C78424 5C010000 00>mov dword ptr ss:,0 ; EH state 0
00405C08|.A1 ECED4300mov eax,dword ptr ds:
00405C0D|.894424 0Cmov dword ptr ss:,eax
00405C11|.894424 08mov dword ptr ss:,eax
00405C15|.8D8424 64010000lea eax,dword ptr ss:
00405C1C|.68 44E14300push DirWatch.0043E144
00405C21|.8D4C24 14lea ecx,dword ptr ss:
00405C25|.B3 03mov bl,3 ; bl = EH state value 3 (reused below)
00405C27|.50 push eax
00405C28|.51 push ecx
00405C29|.889C24 68010000mov byte ptr ss:,bl
00405C30|.E8 C1230200call DirWatch.00427FF6 ; path concat helper (by usage)
00405C35|.50 push eax
00405C36|.8D4C24 0Clea ecx,dword ptr ss:
00405C3A|.C68424 60010000 04 mov byte ptr ss:,4
00405C42|.E8 53220200call DirWatch.00427E9A
00405C47|.8D4C24 10lea ecx,dword ptr ss:
00405C4B|.889C24 5C010000mov byte ptr ss:,bl
00405C52|.E8 0A210200call DirWatch.00427D61 ; release temp
00405C57|.8D5424 08lea edx,dword ptr ss:
00405C5B|.8D4C24 0Clea ecx,dword ptr ss:
00405C5F|.52 push edx
00405C60|.E8 35220200call DirWatch.00427E9A
00405C65|.68 90E14300push DirWatch.0043E190;ASCII "\*"
00405C6A|.8D8C24 68010000lea ecx,dword ptr ss:;search pattern = <source dir>\* : every entry
00405C71|.E8 C7240200call DirWatch.0042813D
00405C76|.8B8C24 64010000mov ecx,dword ptr ss:
00405C7D|.8D4424 14lea eax,dword ptr ss:
00405C81|.50 push eax; /pFindFileData
00405C82|.51 push ecx; |FileName
00405C83|.FF15 D4224300call dword ptr ds:[<&KERNEL32.FindFirstFileA>]; \find first entry
00405C89|.8BF0 mov esi,eax ; esi = search handle
00405C8B|.83FE FFcmp esi,-1 ; INVALID_HANDLE_VALUE ?
00405C8E|.75 69jnz short DirWatch.00405CF9
00405C90|.50 push eax; /hSearch — note: FindClose is called on the invalid handle here
00405C91|.FF15 E0224300call dword ptr ds:[<&KERNEL32.FindClose>] ; \FindClose
00405C97|.8D4C24 08lea ecx,dword ptr ss:
00405C9B|.C68424 5C010000 02 mov byte ptr ss:,2 ; failure path: destroy temps in reverse order
00405CA3|.E8 B9200200call DirWatch.00427D61
00405CA8|.8D4C24 0Clea ecx,dword ptr ss:
00405CAC|.C68424 5C010000 01 mov byte ptr ss:,1
00405CB4|.E8 A8200200call DirWatch.00427D61
00405CB9|.8D8C24 64010000lea ecx,dword ptr ss:
00405CC0|.C68424 5C010000 00 mov byte ptr ss:,0
00405CC8|.E8 94200200call DirWatch.00427D61
00405CCD|.8D8C24 68010000lea ecx,dword ptr ss:
00405CD4|.89B424 5C010000mov dword ptr ss:,esi ; esi == -1 here, so this writes EH state -1
00405CDB|.E8 81200200call DirWatch.00427D61
00405CE0|.5E pop esi
00405CE1|.33C0 xor eax,eax ; return 0: enumeration could not start
00405CE3|.5B pop ebx
00405CE4|.8B8C24 4C010000mov ecx,dword ptr ss:
00405CEB|.64:890D 00000000 mov dword ptr fs:,ecx ; unlink SEH frame
00405CF2|.81C4 58010000add esp,158
00405CF8|.C3 retn
00405CF9|>8B1D DC224300mov ebx,dword ptr ds:[<&KERNEL32.FindNextFileA>];ebx = FindNextFileA
00405CFF|.57 push edi ; save edi (used as the lstrcmpA pointer below)
00405D00|.8B3D D8224300mov edi,dword ptr ds:[<&KERNEL32.lstrcmpA>] ;edi = lstrcmpA
00405D06|>8D5424 44/lea edx,dword ptr ss:;loop head: edx -> cFileName inside the find data; one entry per iteration
00405D0A|.68 8CE14300|push DirWatch.0043E18C ; literal not shown in this dump — presumably "." given the ".." test that follows
00405D0F|.52 |push edx
00405D10|.FFD7 |call edi ; lstrcmpA(cFileName, 0043E18C)
00405D12|.85C0 |test eax,eax
00405D14|.74 76|je short DirWatch.00405D8C ; equal -> skip entry
00405D16|.8D4424 44|lea eax,dword ptr ss:
00405D1A|.68 88E14300|push DirWatch.0043E188 ;ASCII ".."
00405D1F|.50 |push eax
00405D20|.FFD7 |call edi
00405D22|.85C0 |test eax,eax
00405D24|.74 66|je short DirWatch.00405D8C ; ".." -> skip entry
00405D26|.8D4C24 44|lea ecx,dword ptr ss:
00405D2A|.51 |push ecx
00405D2B|.8D4C24 10|lea ecx,dword ptr ss:
00405D2F|.E8 09240200|call DirWatch.0042813D ; build <source dir>\<cFileName>
00405D34|.8B5424 0C|mov edx,dword ptr ss:
00405D38|.A1 C8114400|mov eax,dword ptr ds: ; global at 004411C8 — first argument to the filter below
00405D3D|.52 |push edx ; /Arg2
00405D3E|.50 |push eax ; |Arg1 => 00A58260
00405D3F|.E8 47E40000|call DirWatch.0041418B ; \filter on the built path (body not shown); zero result -> skip the move
00405D44|.83C4 08|add esp,8
00405D47|.85C0 |test eax,eax
00405D49|.74 2C|je short DirWatch.00405D77
00405D4B|.8D4424 44|lea eax,dword ptr ss:
00405D4F|.68 9CE54300|push DirWatch.0043E59C ;ASCII "DirRecycler" ; the tool's own container folder is never moved
00405D54|.50 |push eax
00405D55|.FFD7 |call edi
00405D57|.85C0 |test eax,eax
00405D59|.74 1C|je short DirWatch.00405D77
00405D5B|.8B8C24 6C010000|mov ecx,dword ptr ss:
00405D62|.8B5424 0C|mov edx,dword ptr ss:
00405D66|.51 |push ecx
00405D67|.52 |push edx
00405D68|.E8 83FDFFFF|call DirWatch.00405AF0 ; two-path helper: presumably moves this entry to the destination (body not shown)
00405D6D|.83C4 08|add esp,8
00405D70|.8D4424 10|lea eax,dword ptr ss:
00405D74|.50 |push eax
00405D75|.EB 05|jmp short DirWatch.00405D7C
00405D77|>8D4C24 10|lea ecx,dword ptr ss:
00405D7B|.51 |push ecx
00405D7C|>8D4C24 10|lea ecx,dword ptr ss:
00405D80|.E8 15210200|call DirWatch.00427E9A ; reset the per-entry path temp
00405D85|.8D5424 18|lea edx,dword ptr ss:
00405D89|.52 |push edx
00405D8A|.EB 05|jmp short DirWatch.00405D91
00405D8C|>8D4424 18|lea eax,dword ptr ss: ; skipped entries join here: eax -> find data
00405D90|.50 |push eax
00405D91|>56 |push esi ; hSearch
00405D92|.FFD3 |call ebx ; FindNextFileA(hSearch, &findData)
00405D94|.F7D8 |neg eax
00405D96|.1BC0 |sbb eax,eax
00405D98|.40 |inc eax ; neg/sbb/inc: eax = (FindNextFileA result == 0) ? 1 : 0
00405D99|.85C0 |test eax,eax
00405D9B|.^ 0F84 65FFFFFF\je DirWatch.00405D06 ; loop while FindNextFileA returned nonzero
00405DA1|.56 push esi; /enumeration exhausted: close the search handle
00405DA2|.FF15 E0224300call dword ptr ds:[<&KERNEL32.FindClose>] ; \FindClose
00405DA8|.8D4C24 0Clea ecx,dword ptr ss: ; destroy temps in reverse order
00405DAC|.C68424 60010000 02 mov byte ptr ss:,2
00405DB4|.E8 A81F0200call DirWatch.00427D61
00405DB9|.8D4C24 10lea ecx,dword ptr ss:
00405DBD|.C68424 60010000 01 mov byte ptr ss:,1
00405DC5|.E8 971F0200call DirWatch.00427D61
00405DCA|.8D8C24 68010000lea ecx,dword ptr ss:
00405DD1|.C68424 60010000 00 mov byte ptr ss:,0
00405DD9|.E8 831F0200call DirWatch.00427D61
00405DDE|.8D8C24 6C010000lea ecx,dword ptr ss:
00405DE5|.C78424 60010000 FF>mov dword ptr ss:,-1 ; EH state -1: no live temps
00405DF0|.E8 6C1F0200call DirWatch.00427D61
00405DF5|.8B8C24 58010000mov ecx,dword ptr ss:
00405DFC|.5F pop edi
00405DFD|.5E pop esi
00405DFE|.B8 01000000mov eax,1 ; return 1: walk completed
00405E03|.5B pop ebx
00405E04|.64:890D 00000000 mov dword ptr fs:,ecx ; unlink SEH frame
00405E0B|.81C4 58010000add esp,158
00405E11\.C3 retn



OK,上面的过程就是把所有被加密的文件从system.文件夹里解出来,并且删除在加密过程中所创建的一些信息文件和文件夹

同样来总结一下:

先删除desktop.ini文件,把文件还原成普通的文件夹,接着删除其他2个保存信息的文件,然后把加密的文件从system.夹里给解出来,再删除system. 和nul文件夹,最后删除DirRecycler文件夹恢复原来的样子!



根据上面的加密与解密过程,我们自己完全可以手动来创建加密的文件,并且能在不知道密码的情况下,把被文件夹加密狗加密的文件给解出来;

(1),加密:

自己创建个jiami.文件夹,但要知道,系统中,实际的名为jiami..文件夹,而显示的为jiami.
但是,一般的创建是创建不了的,必须DOS命令来创建
如:MD c:\jiami..\

然后把所要加密的文件给放进去,当然普通方式也是访问不了的,也必须用DOS命令

copy c:\ximo.exe c:\jiami..\\
就是把C盘下的ximo.exe文件给复制进了jiami..文件夹

这样,文件就算是被“加密”了

(2)解密被文件夹加密狗加密的文件:

按照上面的分析,可以按下面3个步骤(比如加密文件为C:\ximo)

1) 删除desktop.ini文件, del c:\ximo\DirRecycler\desktop.ini
2) 修改新创建的加密文件夹DirRecycler属性,attrib c:\ximo\DirRecycler -h -s
3) 手动创建 system.文件夹(由于本来有1个.而系统所认的实际名为2个.因此一共有3个.)
md c:\ximo\DirRecycler\system...\

OK,下面可以自己进入 system..的文件夹里访问了

把里面的文件给复制出来,下面就删除那些无用的文件,由于一般情况下是删不了的,也必须用DOS命令

rd c:\ximo\DirRecycler\system..\ /s

OK,这样算是完美解密了


本文仅为学习分析之用,有不妥之处,尽请谅解。

---ximo

小生我怕怕 发表于 2008-10-25 23:35

支持超兄的大作!
期待dll重定位的讲解!

unpack 发表于 2008-10-25 23:38

很长啊看得头都晕了啊 很牛的超神一说

zapline 发表于 2008-10-25 23:55

很好啊!

都分析清楚了

zzage 发表于 2008-10-26 11:04

~~
超神写代码,发我一份啊~~

niliu 发表于 2008-10-26 11:07

神超.!顶. 我顶.

wesley 发表于 2008-10-26 11:37

我顶死你。。。。。楼上的牛比JJ大小是吧看谁顶的远

史路比 发表于 2008-10-26 13:21

好长吖!!
顶了
(*^__^*)...嘻嘻

shaopeng 发表于 2008-10-28 17:34

好长呀,
没耐心看。

bearwinnie 发表于 2008-10-28 22:15

仔细看了~分析得好棒啊~ 不知谁说过一句话,“加密文件都可以通过一个软件简单嗅探到的,由此可见加密水平之一般”