【反蓝屏】轻羽网络验证的蓝屏处理
; 客户端.00403565 — the "blue screen" routine of the 轻羽 network-verification client, as an
; OllyDbg dump (address | opcode bytes | mnemonic). All ";" comments below were added in review.
;
; NOTE(review): the bracketed memory operands were lost when the listing was extracted, e.g.
; "8945 FC" decodes to mov [ebp-4],eax and "8B5D F8" to mov ebx,[ebp-8]. Recover operands from the
; hex column, not from the mnemonic text. Frame: 0x14 bytes; [ebp-4] and [ebp-8] hold two heap
; blocks, [ebp-C] and [ebp-10] are reused as esp guard / element pointer / output cell.
;
; Helper roles are inferred from how they are used here, not from symbols — confirm in the binary:
;   00407FF3  size on the stack in, pointer out                -> allocator
;   00407FF9  that pointer back in at the end                  -> matching free
;   00407FFF  reached with 1 (index check failed) or 6 (esp moved across a call) -> runtime error
;   00408005  index in eax, arguments on the stack             -> DLL-call dispatcher; the esp
;             snapshot / compare around every call is its stack-balance check
;   004014C6  ebx = array in, element count in ecx out         -> array bounds helper
;
; Shape of the routine: allocate a 12-byte block A and a 4-element dword array B; call #2 with
; (0x13, 1, 0, &out), which is consistent with RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE=19, TRUE,
; FALSE, &was_enabled); call #3 with ("Session Manager", A); fill B; then call #5 with
; (0xC000021A, 4, 1, B, 6, &response) — the argument list of NtRaiseHardError(ErrorStatus,
; NumberOfParameters, UnicodeStringParameterMask, Parameters, ValidResponseOptions, Response)
; with STATUS_SYSTEM_PROCESS_TERMINATED and response option 6 (OptionShutdownSystem), presumably
; what raises the bug check. Neither privilege adjustment nor the hard-error call has its return
; value checked; on a token without SeShutdownPrivilege the outcome is not shown here — verify.
; For analysts: the "Session Manager" string can be hidden, but the immediates 0x13, 0xC000021A
; and the response option 6 pushed below are the stable signature of this routine.
00403565/$55 push ebp00403566|.8BEC mov ebp,esp ; two instructions fused by extraction: push ebp / mov ebp,esp
00403568|.81EC 14000000 sub esp,0x14 ; five dword locals
0040356E|.68 0C000000 push 0xC ; block A: 12 bytes
00403573|.E8 7B4A0000 call 客户端.00407FF3 ; allocator (inferred)
00403578|.83C4 04 add esp,0x4
0040357B|.8945 FC mov ,eax ; [ebp-4] = block A
0040357E|.8BD8 mov ebx,eax
00403580|.C703 00000000 mov dword ptr ds:,0x0 ; zero A[0..2] (C703 / C743 04 / C743 08)
00403586|.C743 04 00000>mov dword ptr ds:,0x0
0040358D|.C743 08 00000>mov dword ptr ds:,0x0
00403594|.68 18000000 push 0x18 ; block B: 24 bytes = 8-byte header + 4 dword elements
00403599|.E8 554A0000 call 客户端.00407FF3
0040359E|.83C4 04 add esp,0x4
004035A1|.8945 F8 mov ,eax ; [ebp-8] = block B
004035A4|.8BF8 mov edi,eax
004035A6|.BE 95884900 mov esi,客户端.00498895 ; 0x10 bytes past the "Session Manager" string at 00498885
004035AB|.AD lods dword ptr ds: ; copy 8 bytes of template into B (array header, presumably)
004035AC|.AB stos dword ptr es:
004035AD|.AD lods dword ptr ds:
004035AE|.AB stos dword ptr es:
004035AF|.33C0 xor eax,eax
004035B1|.B9 04000000 mov ecx,0x4
004035B6|.F3:AB rep stos dword ptr es: ; zero the 4 elements
004035B8|.8965 F4 mov ,esp ; [ebp-C] = esp guard for the dispatcher call
004035BB|.B8 00000000 mov eax,0x0
004035C0|.8945 F0 mov ,eax ; [ebp-10] = 0, output cell
004035C3|.8D45 F0 lea eax, ; &[ebp-10]
004035C6|.50 push eax ; arg4 = &out
004035C7|.68 00000000 push 0x0 ; arg3 = 0
004035CC|.68 01000000 push 0x1 ; arg2 = 1
004035D1|.68 13000000 push 0x13 ; arg1 = 19 (= SE_SHUTDOWN_PRIVILEGE if this is RtlAdjustPrivilege)
004035D6|.B8 02000000 mov eax,0x2 ; dispatcher index 2
004035DB|.E8 254A0000 call 客户端.00408005 ; return value never checked
004035E0|.3965 F4 cmp ,esp ; stack-balance check
004035E3|.74 0D je X客户端.004035F2
004035E5|.68 06000000 push 0x6 ; runtime error 6, then falls through regardless
004035EA|.E8 104A0000 call 客户端.00407FFF
004035EF|.83C4 04 add esp,0x4
004035F2|>8965 F4 mov ,esp ; new esp guard
004035F5|.68 85884900 push 客户端.00498885 ;Session Manager — arg2, ANSI string (15 chars + NUL = 16 bytes)
004035FA|.FF75 FC push ; arg1 = block A
004035FD|.B8 03000000 mov eax,0x3 ; dispatcher index 3
00403602|.E8 FE490000 call 客户端.00408005 ; result in eax is not stored
00403607|.3965 F4 cmp ,esp
0040360A|.74 0D je X客户端.00403619
0040360C|.68 06000000 push 0x6
00403611|.E8 E9490000 call 客户端.00407FFF
00403616|.83C4 04 add esp,0x4
00403619|>8B5D F8 mov ebx, ; ebx = block B
0040361C|.E8 A5DEFFFF call 客户端.004014C6 ; bounds helper: ecx = element count (inferred)
00403621|.B8 00000000 mov eax,0x0 ; index 0
00403626|.3BC1 cmp eax,ecx ; index < count, else runtime error 1
00403628|.7C 0D jl X客户端.00403637
0040362A|.68 01000000 push 0x1
0040362F|.E8 CB490000 call 客户端.00407FFF
00403634|.83C4 04 add esp,0x4
00403637|>C1E0 02 shl eax,0x2 ; element address = ebx + index*4
0040363A|.03D8 add ebx,eax
0040363C|.895D F4 mov ,ebx ; [ebp-C] = &B[0]
0040363F|.8965 F0 mov ,esp ; esp guard
00403642|.68 00000000 push 0x0 ; arg3 = 0
00403647|.FF75 FC push ; arg2 = block A
0040364A|.FF75 FC push ; arg1 = block A
0040364D|.B8 04000000 mov eax,0x4 ; dispatcher index 4
00403652|.E8 AE490000 call 客户端.00408005
00403657|.3965 F0 cmp ,esp
0040365A|.74 0D je X客户端.00403669
0040365C|.68 06000000 push 0x6
00403661|.E8 99490000 call 客户端.00407FFF
00403666|.83C4 04 add esp,0x4
00403669|>8B5D F4 mov ebx, ; ebx = &B[0]
0040366C|.8903 mov dword ptr ds:,eax ; B[0] = return value of call #4
0040366E|.8B5D F8 mov ebx, ; ebx = block B
00403671|.E8 50DEFFFF call 客户端.004014C6
00403676|.B8 01000000 mov eax,0x1 ; index 1
0040367B|.3BC1 cmp eax,ecx
0040367D|.7C 0D jl X客户端.0040368C
0040367F|.68 01000000 push 0x1
00403684|.E8 76490000 call 客户端.00407FFF
00403689|.83C4 04 add esp,0x4
0040368C|>C1E0 02 shl eax,0x2
0040368F|.03D8 add ebx,eax
00403691|.895D F4 mov ,ebx ; [ebp-C] = &B[1]
00403694|.8B5D FC mov ebx, ; ebx = block A
00403697|.895D F0 mov ,ebx
0040369A|.8B5D F0 mov ebx,
0040369D|.8B03 mov eax,dword ptr ds: ; eax = A[0], first dword of block A
0040369F|.8B5D F4 mov ebx,
004036A2|.8903 mov dword ptr ds:,eax ; B[1] = A[0]
004036A4|.8B5D F8 mov ebx,
004036A7|.E8 1ADEFFFF call 客户端.004014C6
004036AC|.B8 02000000 mov eax,0x2 ; index 2
004036B1|.3BC1 cmp eax,ecx
004036B3|.7C 0D jl X客户端.004036C2
004036B5|.68 01000000 push 0x1
004036BA|.E8 40490000 call 客户端.00407FFF
004036BF|.83C4 04 add esp,0x4
004036C2|>C1E0 02 shl eax,0x2
004036C5|.03D8 add ebx,eax
004036C7|.895D F4 mov ,ebx ; [ebp-C] = &B[2]
004036CA|.8B5D F8 mov ebx,
004036CD|.E8 F4DDFFFF call 客户端.004014C6
004036D2|.B8 00000000 mov eax,0x0 ; index 0 again
004036D7|.3BC1 cmp eax,ecx
004036D9|.7C 0D jl X客户端.004036E8
004036DB|.68 01000000 push 0x1
004036E0|.E8 1A490000 call 客户端.00407FFF
004036E5|.83C4 04 add esp,0x4
004036E8|>C1E0 02 shl eax,0x2
004036EB|.03D8 add ebx,eax
004036ED|.895D F0 mov ,ebx ; [ebp-10] = &B[0]
004036F0|.8B5D F0 mov ebx,
004036F3|.8B03 mov eax,dword ptr ds: ; eax = B[0]
004036F5|.8B5D F4 mov ebx,
004036F8|.8903 mov dword ptr ds:,eax ; B[2] = B[0]
004036FA|.8B5D F8 mov ebx,
004036FD|.E8 C4DDFFFF call 客户端.004014C6
00403702|.B8 03000000 mov eax,0x3 ; index 3
00403707|.3BC1 cmp eax,ecx
00403709|.7C 0D jl X客户端.00403718
0040370B|.68 01000000 push 0x1
00403710|.E8 EA480000 call 客户端.00407FFF
00403715|.83C4 04 add esp,0x4
00403718|>C1E0 02 shl eax,0x2
0040371B|.03D8 add ebx,eax
0040371D|.895D F4 mov ,ebx ; [ebp-C] = &B[3]
00403720|.8B5D F8 mov ebx,
00403723|.E8 9EDDFFFF call 客户端.004014C6
00403728|.B8 00000000 mov eax,0x0
0040372D|.3BC1 cmp eax,ecx
0040372F|.7C 0D jl X客户端.0040373E
00403731|.68 01000000 push 0x1
00403736|.E8 C4480000 call 客户端.00407FFF
0040373B|.83C4 04 add esp,0x4
0040373E|>C1E0 02 shl eax,0x2
00403741|.03D8 add ebx,eax
00403743|.895D F0 mov ,ebx ; [ebp-10] = &B[0]
00403746|.8B5D F0 mov ebx,
00403749|.8B03 mov eax,dword ptr ds: ; eax = B[0]
0040374B|.8B5D F4 mov ebx,
0040374E|.8903 mov dword ptr ds:,eax ; B[3] = B[0]; B is now {r4, A[0], r4, r4}
00403750|.8965 F4 mov ,esp ; esp guard
00403753|.B8 00000000 mov eax,0x0
00403758|.8945 F0 mov ,eax ; [ebp-10] = 0, response cell
0040375B|.8D45 F0 lea eax,
0040375E|.50 push eax ; arg6 = &response
0040375F|.68 06000000 push 0x6 ; arg5 = 6 (OptionShutdownSystem if this is NtRaiseHardError)
00403764|.8B5D F8 mov ebx,
00403767|.E8 5ADDFFFF call 客户端.004014C6 ; ebx after this is passed as the parameter array — presumably the element base past the 8-byte header
0040376C|.53 push ebx ; arg4 = parameters (B)
0040376D|.68 01000000 push 0x1 ; arg3 = 1, unicode-string parameter mask
00403772|.68 04000000 push 0x4 ; arg2 = 4 parameters
00403777|.68 1A0200C0 push 0xC000021A ; arg1 = STATUS_SYSTEM_PROCESS_TERMINATED
0040377C|.B8 05000000 mov eax,0x5 ; dispatcher index 5
00403781|.E8 7F480000 call 客户端.00408005 ; return value unchecked
00403786|.3965 F4 cmp ,esp
00403789|.74 0D je X客户端.00403798
0040378B|.68 06000000 push 0x6
00403790|.E8 6A480000 call 客户端.00407FFF
00403795|.83C4 04 add esp,0x4
00403798|>8B5D FC mov ebx, ; release block A
0040379B|.53 push ebx
0040379C|.E8 58480000 call 客户端.00407FF9 ; free (inferred from the allocator pairing)
004037A1|.83C4 04 add esp,0x4
004037A4|.8B5D F8 mov ebx, ; release block B
004037A7|.53 push ebx
004037A8|.E8 4C480000 call 客户端.00407FF9
004037AD|.83C4 04 add esp,0x4
004037B0|.8BE5 mov esp,ebp
004037B2|.5D pop ebp
004037B3\.C3 retn ; plain retn, no caller arguments popped — a retn written at 00403565 exits the same way
以上是整个蓝屏的代码段，没有 VM，大家可以随意抓特征码定位。
最简单的做法：在字符串没有被 VM 的情况下，搜索 ASCII 码 “Session Manager”，找到引用它的函数（上面的 00403565），在函数段首写一个 retn，即可完美过蓝屏。如果字符串被隐藏了，也可以用代码里的立即数来定位：push 0x13、push 0xC000021A、push 0x6 这组常量是这段代码的稳定特征。
膜拜大神，谢谢分享。 飘零其实也是调用这个函数（Session Manager），我想知道被 VM 了怎么搞定。 膜拜。。。 小菜想请教下：如果飘零蓝屏被 VM 了，有什么简单或者很有效的方法去掉吗？提前膜拜 Qs 师傅。 QS 大 V5，膜拜 K 大。