ximo
Posted on 2008-10-25 23:33
A classmate of mine uses Folder Encryption Dog (文件夹加密狗) and today he forgot his password, so he asked me to recover it. I had no way to do that, so the only option was to reverse the program myself, and that is how this post came about.
Let's get started.
First, locate the button events for Encrypt and Decrypt.
A PEiD packer scan shows the file is unpacked C++, so I searched all commands for sub eax,0a, which lands on the button-handler code.
The detailed procedure is in this post and is not repeated here:
http://www.52pojie.cn/read.php?tid-10308.html
Now, on to the analysis of the encryption process.
Enter a password and click Encrypt; the code is as follows:

0040AB80 . 64:A1 00000000  mov eax,dword ptr fs:[0]
0040AB86 . 6A FF  push -1
0040AB88 . 68 380D4300  push DirWatch.00430D38
0040AB8D . 50  push eax
0040AB8E . 64:8925 00000000  mov dword ptr fs:[0],esp
0040AB95 . 83EC 08  sub esp,8
0040AB98 . 53  push ebx
0040AB99 . 55  push ebp
0040AB9A . 56  push esi
0040AB9B . 8BF1  mov esi,ecx
0040AB9D . 57  push edi
0040AB9E . 33DB  xor ebx,ebx
0040ABA0 . 33C0  xor eax,eax
0040ABA2 . 8DBE 8C000000  lea edi,dword ptr ds:[esi+8C]
0040ABA8 > 881C07  mov byte ptr ds:[edi+eax],bl
0040ABAB . 8898 14124400  mov byte ptr ds:[eax+441214],bl
0040ABB1 . 40  inc eax
0040ABB2 . 83F8 10  cmp eax,10
0040ABB5 .^ 7C F1  jl short DirWatch.0040ABA8
0040ABB7 . 8DAE 9C000000  lea ebp,dword ptr ds:[esi+9C]
0040ABBD . 68 E0EA4300  push DirWatch.0043EAE0  ; ASCII "\DirRecyclers"
0040ABC2 . 8D4424 14  lea eax,dword ptr ss:[esp+14]
0040ABC6 . 55  push ebp
0040ABC7 . 50  push eax
0040ABC8 . E8 29D40100  call DirWatch.00427FF6
0040ABCD . 8B86 A0000000  mov eax,dword ptr ds:[esi+A0]
0040ABD3 . 895C24 20  mov dword ptr ss:[esp+20],ebx
0040ABD7 . 3BC3  cmp eax,ebx  ; decides encrypt vs. decrypt; jumps when decrypting
0040ABD9 . 75 0C  jnz short DirWatch.0040ABE7
0040ABDB . 8BCE  mov ecx,esi
0040ABDD . E8 0E0B0000  call DirWatch.0040B6F0
0040ABE2 . E9 50010000  jmp DirWatch.0040AD37
0040ABE7 > 6A 01  push 1
0040ABE9 . 8BCE  mov ecx,esi
0040ABEB . E8 4ABD0100  call DirWatch.0042693A  ; F7 in, encryption starts here
0040ABF0 . 85C0  test eax,eax
0040ABF2 . 0F84 3F010000  je DirWatch.0040AD37
0040ABF8 . 8B8E F4000000  mov ecx,dword ptr ds:[esi+F4]  ; decryption password into ECX
0040ABFE . 8B41 F8  mov eax,dword ptr ds:[ecx-8]  ; its length into EAX
0040AC01 . 8BC8  mov ecx,eax  ; and into ECX
0040AC03 . 83F8 01  cmp eax,1  ; compare with 1
0040AC06 . 890D 24124400  mov dword ptr ds:[441224],ecx
0040AC0C . 7D 07  jge short DirWatch.0040AC15
0040AC0E . B9 02000000  mov ecx,2
0040AC13 . EB 0A  jmp short DirWatch.0040AC1F
0040AC15 > 83F8 10  cmp eax,10  ; compare with 16
0040AC18 . 7E 0B  jle short DirWatch.0040AC25
0040AC1A . B9 10000000  mov ecx,10
0040AC1F > 890D 24124400  mov dword ptr ds:[441224],ecx
0040AC25 > 33C0  xor eax,eax
0040AC27 . 3BCB  cmp ecx,ebx
0040AC29 . 7E 1D  jle short DirWatch.0040AC48
0040AC2B > 8B96 F4000000  mov edx,dword ptr ds:[esi+F4]
0040AC31 . 40  inc eax
0040AC32 . 8A4C02 FF  mov cl,byte ptr ds:[edx+eax-1]  ; fetch the decryption password byte by byte
0040AC36 . 884C07 FF  mov byte ptr ds:[edi+eax-1],cl
0040AC3A . 8888 13124400  mov byte ptr ds:[eax+441213],cl
0040AC40 . 3B05 24124400  cmp eax,dword ptr ds:[441224]
0040AC46 .^ 7C E3  jl short DirWatch.0040AC2B
0040AC48 > 57  push edi
0040AC49 . 51  push ecx
0040AC4A . 8BCC  mov ecx,esp
0040AC4C . 896424 1C  mov dword ptr ss:[esp+1C],esp
0040AC50 . 55  push ebp
0040AC51 . E8 80CE0100  call DirWatch.00427AD6
0040AC56 . E8 05C3FFFF  call DirWatch.00406F60  ; the key check of whether the password is correct, F7 in
0040AC5B . 83C4 08  add esp,8
0040AC5E . 3BC3  cmp eax,ebx
0040AC60 . 0F84 D1000000  je DirWatch.0040AD37
0040AC66 . 51  push ecx
0040AC67 . 8BCC  mov ecx,esp
0040AC69 . 896424 18  mov dword ptr ss:[esp+18],esp
0040AC6D . 55  push ebp
0040AC6E . E8 63CE0100  call DirWatch.00427AD6
0040AC73 . E8 B8BCFFFF  call DirWatch.00406930  ; step back out, then remove it!
0040AC78 . 8B4424 14  mov eax,dword ptr ss:[esp+14]
0040AC7C . 83C4 04  add esp,4
0040AC7F . 50  push eax  ; /Path
0040AC80 . FF15 F0224300  call dword ptr ds:[<&KERNEL32.RemoveDirectoryA>]  ; \RemoveDirectoryA
0040AC86 . 85C0  test eax,eax
0040AC88 . 0F84 9C000000  je DirWatch.0040AD2A  ; everything decrypted, jump to the end
0040AC8E . C786 A4000000 0100>  mov dword ptr ds:[esi+A4],1
0040AC98 . 51  push ecx
0040AC99 . 891D 80EA4300  mov dword ptr ds:[43EA80],ebx
0040AC9F . 891D 10124400  mov dword ptr ds:[441210],ebx
0040ACA5 . 899E B0000000  mov dword ptr ds:[esi+B0],ebx
0040ACAB . 8BCC  mov ecx,esp
0040ACAD . 896424 18  mov dword ptr ss:[esp+18],esp
0040ACB1 . 899E B4000000  mov dword ptr ds:[esi+B4],ebx
0040ACB7 . 55  push ebp
0040ACB8 . 891D 28124400  mov dword ptr ds:[441228],ebx
0040ACBE . E8 13CE0100  call DirWatch.00427AD6
0040ACC3 . 8BCE  mov ecx,esi  ; |
0040ACC5 . E8 E60E0000  call DirWatch.0040BBB0  ; \DirWatch.0040BBB0
0040ACCA . 8B0D 84EA4300  mov ecx,dword ptr ds:[43EA84]
0040ACD0 . 8B96 D4000000  mov edx,dword ptr ds:[esi+D4]
0040ACD6 . 51  push ecx  ; /lParam => 1
0040ACD7 . 53  push ebx  ; |wParam
0040ACD8 . 68 06040000  push 406  ; |Message = WM_USER+6
0040ACDD . 52  push edx  ; |hWnd
0040ACDE . FF15 48244300  call dword ptr ds:[<&USER32.SendMessageA>]  ; \SendMessageA
0040ACE4 . 53  push ebx
0040ACE5 . 6A 01  push 1
0040ACE7 . 8BCE  mov ecx,esi
0040ACE9 . E8 E3C50100  call DirWatch.004272D1
0040ACEE . 8BC8  mov ecx,eax
0040ACF0 . E8 0FC80100  call DirWatch.00427504
0040ACF5 . 53  push ebx
0040ACF6 . 68 EB030000  push 3EB
0040ACFB . 8BCE  mov ecx,esi
0040ACFD . E8 CFC50100  call DirWatch.004272D1
0040AD02 . 8BC8  mov ecx,eax
0040AD04 . E8 FBC70100  call DirWatch.00427504
0040AD09 . 8B46 1C  mov eax,dword ptr ds:[esi+1C]
0040AD0C . 53  push ebx  ; /Timerproc
0040AD0D . 68 E8030000  push 3E8  ; |Timeout = 1000. ms
0040AD12 . 6A 01  push 1  ; |TimerID = 1
0040AD14 . 50  push eax  ; |hWnd
0040AD15 . FF15 8C244300  call dword ptr ds:[<&USER32.SetTimer>]  ; \SetTimer
0040AD1B . 8B0D 0C124400  mov ecx,dword ptr ds:[44120C]
0040AD21 . 51  push ecx  ; /hEvent => 00000048 (window)
0040AD22 . FF15 80224300  call dword ptr ds:[<&KERNEL32.SetEvent>]  ; \SetEvent
0040AD28 . EB 0D  jmp short DirWatch.0040AD37
0040AD2A > 8BCE  mov ecx,esi
0040AD2C . 899E A4000000  mov dword ptr ds:[esi+A4],ebx
0040AD32 . E8 05990100  call DirWatch.0042463C
0040AD37 > 8D4C24 10  lea ecx,dword ptr ss:[esp+10]
0040AD3B . C74424 20 FFFFFFFF  mov dword ptr ss:[esp+20],-1
0040AD43 . E8 19D00100  call DirWatch.00427D61
0040AD48 . 8B4C24 18  mov ecx,dword ptr ss:[esp+18]
0040AD4C . 5F  pop edi
0040AD4D . 5E  pop esi
0040AD4E . 5D  pop ebp
0040AD4F . 64:890D 00000000  mov dword ptr fs:[0],ecx
0040AD56 . 5B  pop ebx
0040AD57 . 83C4 14  add esp,14
0040AD5A . C3  retn
F7 into the encryption CALL and continue the analysis:

0040B6F0 /$ 64:A1 00000000  mov eax,dword ptr fs:[0]
0040B6F6 |. 6A FF  push -1
0040B6F8 |. 68 200F4300  push DirWatch.00430F20
0040B6FD |. 50  push eax
0040B6FE |. 64:8925 00000000  mov dword ptr fs:[0],esp
0040B705 |. 83EC 14  sub esp,14
0040B708 |. 53  push ebx
0040B709 |. 55  push ebp
0040B70A |. 56  push esi
0040B70B |. 8BF1  mov esi,ecx
0040B70D |. 57  push edi
0040B70E |. 33DB  xor ebx,ebx
0040B710 |. 33C0  xor eax,eax
0040B712 |. 8DBE 8C000000  lea edi,dword ptr ds:[esi+8C]
0040B718 |> 881C07  /mov byte ptr ds:[edi+eax],bl
0040B71B |. 8898 14124400  |mov byte ptr ds:[eax+441214],bl
0040B721 |. 40  |inc eax
0040B722 |. 83F8 10  |cmp eax,10
0040B725 |.^ 7C F1  \jl short DirWatch.0040B718
0040B727 |. 8DAE 9C000000  lea ebp,dword ptr ds:[esi+9C]
0040B72D |. 68 E0EA4300  push DirWatch.0043EAE0  ; ASCII "\DirRecyclers"
0040B732 |. 8D4424 18  lea eax,dword ptr ss:[esp+18]
0040B736 |. 55  push ebp
0040B737 |. 50  push eax
0040B738 |. C705 80EA4300 0100>  mov dword ptr ds:[43EA80],1
0040B742 |. E8 AFC80100  call DirWatch.00427FF6
0040B747 |. 8B0D ECED4300  mov ecx,dword ptr ds:[43EDEC]  ; DirWatch.0043EE00
0040B74D |. 895C24 2C  mov dword ptr ss:[esp+2C],ebx
0040B751 |. 894C24 10  mov dword ptr ss:[esp+10],ecx
0040B755 |. 8B86 A8000000  mov eax,dword ptr ds:[esi+A8]
0040B75B |. C64424 2C 01  mov byte ptr ss:[esp+2C],1
0040B760 |. 3BC3  cmp eax,ebx
0040B762 |. 75 0C  jnz short DirWatch.0040B770
0040B764 |. 53  push ebx
0040B765 |. 53  push ebx
0040B766 |. 68 64EC4300  push DirWatch.0043EC64
0040B76B |. E9 5F020000  jmp DirWatch.0040B9CF
0040B770 |> 6A 01  push 1
0040B772 |. 8BCE  mov ecx,esi
0040B774 |. E8 C1B10100  call DirWatch.0042693A
0040B779 |. 85C0  test eax,eax
0040B77B |. 0F84 55020000  je DirWatch.0040B9D6
0040B781 |. 8B86 F8000000  mov eax,dword ptr ds:[esi+F8]  ; the password entered the second time
0040B787 |. 8B8E F4000000  mov ecx,dword ptr ds:[esi+F4]  ; the password entered the first time
0040B78D |. 50  push eax  ; /Arg2
0040B78E |. 51  push ecx  ; |Arg1
0040B78F |. E8 F7890000  call DirWatch.0041418B  ; \compare them
0040B794 |. 83C4 08  add esp,8
0040B797 |. 85C0  test eax,eax  ; returns 0 if equal, 1 if not
0040B799 |. 0F85 29020000  jnz DirWatch.0040B9C8  ; not equal: jump to the error
0040B79F |. 8B96 F4000000  mov edx,dword ptr ds:[esi+F4]
0040B7A5 |. 8B42 F8  mov eax,dword ptr ds:[edx-8]
0040B7A8 |. 8BC8  mov ecx,eax  ; password length into ECX
0040B7AA |. 83F8 03  cmp eax,3  ; compare the password length; shorter than 3 jumps to the error
0040B7AD |. 890D 24124400  mov dword ptr ds:[441224],ecx
0040B7B3 |. 7D 0C  jge short DirWatch.0040B7C1
0040B7B5 |. 53  push ebx
0040B7B6 |. 53  push ebx
0040B7B7 |. 68 4CEC4300  push DirWatch.0043EC4C
0040B7BC |. E9 0E020000  jmp DirWatch.0040B9CF
0040B7C1 |> 83F8 10  cmp eax,10  ; compare the length with 16; greater jumps to the error
0040B7C4 |. 7E 0B  jle short DirWatch.0040B7D1
0040B7C6 |. B9 10000000  mov ecx,10
0040B7CB |. 890D 24124400  mov dword ptr ds:[441224],ecx
0040B7D1 |> 33C0  xor eax,eax
0040B7D3 |. 3BCB  cmp ecx,ebx
0040B7D5 |. 7E 1D  jle short DirWatch.0040B7F4
0040B7D7 |> 8B8E F4000000  /mov ecx,dword ptr ds:[esi+F4]  ; password pointer into ECX
0040B7DD |. 40  |inc eax  ; EAX++
0040B7DE |. 8A4C01 FF  |mov cl,byte ptr ds:[ecx+eax-1]  ; fetch the password byte by byte into CL
0040B7E2 |. 884C07 FF  |mov byte ptr ds:[edi+eax-1],cl
0040B7E6 |. 8888 13124400  |mov byte ptr ds:[eax+441213],cl  ; store it at [441213+EAX]
0040B7EC |. 3B05 24124400  |cmp eax,dword ptr ds:[441224]
0040B7F2 |.^ 7C E3  \jl short DirWatch.0040B7D7
0040B7F4 |> 399E A4000000  cmp dword ptr ds:[esi+A4],ebx
0040B7FA |. 75 4D  jnz short DirWatch.0040B849
0040B7FC |. 57  push edi
0040B7FD |. 51  push ecx
0040B7FE |. 8BCC  mov ecx,esp
0040B800 |. 896424 24  mov dword ptr ss:[esp+24],esp
0040B804 |. 55  push ebp
0040B805 |. E8 CCC20100  call DirWatch.00427AD6
0040B80A |. E8 C1BAFFFF  call DirWatch.004072D0  ; the key encryption routine, F7 in
0040B80F |. 83C4 08  add esp,8
0040B812 |. 3BC3  cmp eax,ebx
0040B814 |. 74 27  je short DirWatch.0040B83D
0040B816 |. 51  push ecx
0040B817 |. 8BCC  mov ecx,esp
0040B819 |. 896424 20  mov dword ptr ss:[esp+20],esp
0040B81D |. 55  push ebp
0040B81E |. E8 B3C20100  call DirWatch.00427AD6
0040B823 |. E8 38AAFFFF  call DirWatch.00406260
0040B828 |. 83C4 04  add esp,4
0040B82B |. 3BC3  cmp eax,ebx  ; encryption succeeded
0040B82D |. 75 0E  jnz short DirWatch.0040B83D  ; then jump and close Folder Encryption Dog
0040B82F |. 53  push ebx
0040B830 |. 53  push ebx
0040B831 |. 68 40EC4300  push DirWatch.0043EC40
0040B836 |. 8BCE  mov ecx,esi
0040B838 |. E8 A1A90100  call DirWatch.004261DE
0040B83D |> 8BCE  mov ecx,esi
0040B83F |. E8 F88D0100  call DirWatch.0042463C
0040B844 |. E9 8D010000  jmp DirWatch.0040B9D6
0040B849 |> 51  push ecx
0040B84A |. 891D 10124400  mov dword ptr ds:[441210],ebx
0040B850 |. 899E B0000000  mov dword ptr ds:[esi+B0],ebx
0040B856 |. 8BCC  mov ecx,esp
0040B858 |. 896424 20  mov dword ptr ss:[esp+20],esp
0040B85C |. 899E B4000000  mov dword ptr ds:[esi+B4],ebx
0040B862 |. 55  push ebp
0040B863 |. 891D 28124400  mov dword ptr ds:[441228],ebx
0040B869 |. E8 68C20100  call DirWatch.00427AD6
0040B86E |. 8BCE  mov ecx,esi  ; |
0040B870 |. E8 3B030000  call DirWatch.0040BBB0  ; \DirWatch.0040BBB0
0040B875 |. DD86 B0000000  fld qword ptr ds:[esi+B0]
0040B87B |. DC0D 28314300  fmul qword ptr ds:[433128]
0040B881 |. E8 268B0000  call DirWatch.004143AC
0040B886 |. 8BF8  mov edi,eax
0040B888 |. 897C24 1C  mov dword ptr ss:[esp+1C],edi
0040B88C |. DB4424 1C  fild dword ptr ss:[esp+1C]
0040B890 |. DC0D 20314300  fmul qword ptr ds:[433120]
0040B896 |. E8 118B0000  call DirWatch.004143AC
0040B89B |. 83FF 32  cmp edi,32
0040B89E |. 8BC8  mov ecx,eax
0040B8A0 |. 7E 50  jle short DirWatch.0040B8F2
0040B8A2 |. 99  cdq
0040B8A3 |. BD 3C000000  mov ebp,3C
0040B8A8 |. F7FD  idiv ebp
0040B8AA |. B8 89888888  mov eax,88888889
0040B8AF |. 52  push edx
0040B8B0 |. F7E9  imul ecx
0040B8B2 |. 03D1  add edx,ecx
0040B8B4 |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
0040B8B8 |. C1FA 05  sar edx,5
0040B8BB |. 8BC2  mov eax,edx
0040B8BD |. C1E8 1F  shr eax,1F
0040B8C0 |. 03D0  add edx,eax
0040B8C2 |. 52  push edx
0040B8C3 |. 57  push edi
0040B8C4 |. 68 F0EB4300  push DirWatch.0043EBF0
0040B8C9 |. 51  push ecx
0040B8CA |. E8 F4700100  call DirWatch.004229C3
0040B8CF |. 8B5424 24  mov edx,dword ptr ss:[esp+24]
0040B8D3 |. 83C4 14  add esp,14
0040B8D6 |. 8BCE  mov ecx,esi
0040B8D8 |. 6A 04  push 4
0040B8DA |. 53  push ebx
0040B8DB |. 52  push edx
0040B8DC |. E8 FDA80100  call DirWatch.004261DE
0040B8E1 |. 83F8 07  cmp eax,7
0040B8E4 |. 75 0C  jnz short DirWatch.0040B8F2
0040B8E6 |. 8BCE  mov ecx,esi
0040B8E8 |. E8 4F8D0100  call DirWatch.0042463C
0040B8ED |. E9 E4000000  jmp DirWatch.0040B9D6
0040B8F2 |> A1 84EA4300  mov eax,dword ptr ds:[43EA84]
0040B8F7 |. 8B8E D4000000  mov ecx,dword ptr ds:[esi+D4]
0040B8FD |. 50  push eax  ; /lParam => 1
0040B8FE |. 53  push ebx  ; |wParam
0040B8FF |. 68 06040000  push 406  ; |Message = WM_USER+6
0040B904 |. 51  push ecx  ; |hWnd
0040B905 |. FF15 48244300  call dword ptr ds:[<&USER32.SendMessageA>]  ; \SendMessageA
0040B90B |. 8B5424 14  mov edx,dword ptr ss:[esp+14]
0040B90F |. 53  push ebx  ; /pSecurity
0040B910 |. 52  push edx  ; |Path
0040B911 |. FF15 C0224300  call dword ptr ds:[<&KERNEL32.CreateDirectoryA>]  ; \CreateDirectoryA
0040B917 |. 68 68E94300  push DirWatch.0043E968  ; ASCII "attrib +h +s "
0040B91C |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
0040B920 |. E8 AAC40100  call DirWatch.00427DCF
0040B925 |. 8D4424 14  lea eax,dword ptr ss:[esp+14]
0040B929 |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
0040B92D |. 50  push eax
0040B92E |. 8D5424 20  lea edx,dword ptr ss:[esp+20]
0040B932 |. 51  push ecx
0040B933 |. 52  push edx
0040B934 |. C64424 38 02  mov byte ptr ss:[esp+38],2
0040B939 |. E8 52C60100  call DirWatch.00427F90
0040B93E |. 50  push eax
0040B93F |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
0040B943 |. C64424 30 03  mov byte ptr ss:[esp+30],3
0040B948 |. E8 4DC50100  call DirWatch.00427E9A
0040B94D |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
0040B951 |. C64424 2C 02  mov byte ptr ss:[esp+2C],2
0040B956 |. E8 06C40100  call DirWatch.00427D61
0040B95B |. 51  push ecx
0040B95C |. 8D4424 1C  lea eax,dword ptr ss:[esp+1C]
0040B960 |. 8BCC  mov ecx,esp
0040B962 |. 896424 24  mov dword ptr ss:[esp+24],esp
0040B966 |. 50  push eax
0040B967 |. E8 6AC10100  call DirWatch.00427AD6
0040B96C |. E8 6F9EFFFF  call DirWatch.004057E0
0040B971 |. 83C4 04  add esp,4
0040B974 |. 8BCE  mov ecx,esi
0040B976 |. 53  push ebx
0040B977 |. 6A 01  push 1
0040B979 |. E8 53B90100  call DirWatch.004272D1
0040B97E |. 8BC8  mov ecx,eax
0040B980 |. E8 7FBB0100  call DirWatch.00427504
0040B985 |. 53  push ebx
0040B986 |. 68 EB030000  push 3EB
0040B98B |. 8BCE  mov ecx,esi
0040B98D |. E8 3FB90100  call DirWatch.004272D1
0040B992 |. 8BC8  mov ecx,eax
0040B994 |. E8 6BBB0100  call DirWatch.00427504
0040B999 |. 8B4E 1C  mov ecx,dword ptr ds:[esi+1C]
0040B99C |. 53  push ebx  ; /Timerproc
0040B99D |. 68 E8030000  push 3E8  ; |Timeout = 1000. ms
0040B9A2 |. 6A 01  push 1  ; |TimerID = 1
0040B9A4 |. 51  push ecx  ; |hWnd
0040B9A5 |. FF15 8C244300  call dword ptr ds:[<&USER32.SetTimer>]  ; \SetTimer
0040B9AB |. 8B15 0C124400  mov edx,dword ptr ds:[44120C]
0040B9B1 |. 52  push edx  ; /hEvent => 00000048 (window)
0040B9B2 |. FF15 80224300  call dword ptr ds:[<&KERNEL32.SetEvent>]  ; \SetEvent
0040B9B8 |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
0040B9BC |. C64424 2C 01  mov byte ptr ss:[esp+2C],1
0040B9C1 |. E8 9BC30100  call DirWatch.00427D61
0040B9C6 |. EB 0E  jmp short DirWatch.0040B9D6
0040B9C8 |> 53  push ebx
0040B9C9 |. 53  push ebx
0040B9CA |. 68 DCEB4300  push DirWatch.0043EBDC
0040B9CF |> 8BCE  mov ecx,esi
0040B9D1 |. E8 08A80100  call DirWatch.004261DE
0040B9D6 |> 8D4C24 10  lea ecx,dword ptr ss:[esp+10]
0040B9DA |. 885C24 2C  mov byte ptr ss:[esp+2C],bl
0040B9DE |. E8 7EC30100  call DirWatch.00427D61
0040B9E3 |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
0040B9E7 |. C74424 2C FFFFFFFF  mov dword ptr ss:[esp+2C],-1
0040B9EF |. E8 6DC30100  call DirWatch.00427D61
0040B9F4 |. 8B4C24 24  mov ecx,dword ptr ss:[esp+24]
0040B9F8 |. 5F  pop edi
0040B9F9 |. 5E  pop esi
0040B9FA |. 5D  pop ebp
0040B9FB |. 64:890D 00000000  mov dword ptr fs:[0],ecx
0040BA02 |. 5B  pop ebx
0040BA03 |. 83C4 20  add esp,20
0040BA06 \. C3  retn
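The password handling visible in the two listings above (the decrypt branch of the button handler at 0040ABF8..0040AC46 and the entry checks in 0040B6F0 at 0040B781..0040B7F2), rendered in Python as an added example; this is not code from the post or from the program. The function and exception names are my own; the constants (a 16-byte buffer, the 2/3/16 bounds, compare-the-two-entries-first) are read off the disassembly, and treating memory past the end of the entry as zero bytes is an assumption.

```python
"""Model of DirWatch's password pre-processing as recovered from the listings.
Added example, not the program's code. Function names are mine."""

BUF_SIZE = 0x10  # the loop at 0040ABA8 / 0040B718 zeroes 16 bytes at [esi+8C] and 441214


class PasswordError(ValueError):
    """Raised where the program shows its error box (strings at 0043EC4C / 0043EBDC)."""


def clamp_decrypt_length(n: int) -> int:
    """0040AC03..0040AC1F: cmp eax,1 / jge, then cmp eax,10 / jle.
    An empty entry is widened to 2, anything over 16 is cut to 16, else unchanged."""
    if n < 1:
        return 2
    if n > BUF_SIZE:
        return BUF_SIZE
    return n


def copy_password(password: bytes, n: int) -> bytes:
    """The byte loop (0040AC2B..0040AC46 and 0040B7D7..0040B7F2): n bytes are
    copied into the zeroed 16-byte buffer. When n exceeds the entry (only the
    empty-entry case) the copy runs past the CString; that memory is modelled
    here as zero bytes, which is an assumption."""
    buf = bytearray(BUF_SIZE)
    for i in range(n):
        buf[i] = password[i] if i < len(password) else 0
    return bytes(buf)


def decrypt_path_prepare(password: bytes) -> bytes:
    """Decrypt branch: no length rejection at all, only the clamp and the copy;
    the real check happens later in the call at 0040AC56."""
    return copy_password(password, clamp_decrypt_length(len(password)))


def encrypt_path_prepare(first: bytes, second: bytes) -> bytes:
    """Encrypt routine 0040B6F0: both entries must match, the length must be at
    least 3, and lengths over 16 are silently truncated to 16 rather than rejected."""
    if first != second:          # 0040B78F..0040B799 -> error text 0043EBDC
        raise PasswordError("the two entries differ")
    n = len(first)
    if n < 3:                    # 0040B7AA..0040B7BC -> error text 0043EC4C
        raise PasswordError("password shorter than 3 characters")
    if n > BUF_SIZE:             # 0040B7C1..0040B7CB: mov ecx,10
        n = BUF_SIZE
    return copy_password(first, n)


def effective_password(password: bytes) -> bytes:
    """Only the first 16 bytes ever reach the buffer, so any two passwords that
    agree on those bytes are interchangeable for a later decrypt."""
    return password[:BUF_SIZE]


if __name__ == "__main__":
    print(decrypt_path_prepare(b"abc"))
    print(encrypt_path_prepare(b"q" * 20, b"q" * 20))
```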
Keep following the encryption CALL and continue the analysis:

004072D0 /$ 6A FF  push -1
004072D2 |. 68 F5074300  push DirWatch.004307F5  ; SE handler installation
004072D7 |. 64:A1 00000000  mov eax,dword ptr fs:[0]
004072DD |. 50  push eax
004072DE |. 64:8925 00000000  mov dword ptr fs:[0],esp
004072E5 |. 81EC CC020000  sub esp,2CC
004072EB |. 53  push ebx
004072EC |. A1 ECED4300  mov eax,dword ptr ds:[43EDEC]
004072F1 |. C78424 D8020000 00>  mov dword ptr ss:[esp+2D8],0
004072FC |. 894424 04  mov dword ptr ss:[esp+4],eax
00407300 |. 894424 0C  mov dword ptr ss:[esp+C],eax
00407304 |. 894424 08  mov dword ptr ss:[esp+8],eax
00407308 |. 8D8424 C8000000  lea eax,dword ptr ss:[esp+C8]
0040730F |. 68 04010000  push 104  ; /BufSize = 104 (260.)
00407314 |. 50  push eax  ; |Buffer
00407315 |. C68424 E0020000 03  mov byte ptr ss:[esp+2E0],3  ; |
0040731D |. FF15 98224300  call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>  ; \get the Windows system directory
00407323 |. 8D8C24 CC010000  lea ecx,dword ptr ss:[esp+1CC]
0040732A |. 68 04010000  push 104  ; /BufSize = 104 (260.)
0040732F |. 51  push ecx  ; |Buffer
00407330 |. FF15 9C224300  call dword ptr ds:[<&KERNEL32.GetWindowsDirectory>  ; \get the full path of the Windows directory
00407336 |. 8D9424 C8000000  lea edx,dword ptr ss:[esp+C8]
0040733D |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00407341 |. 52  push edx
00407342 |. E8 A30B0200  call DirWatch.00427EEA
00407347 |. 8D8424 CC010000  lea eax,dword ptr ss:[esp+1CC]
0040734E |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
00407352 |. 50  push eax
00407353 |. E8 920B0200  call DirWatch.00427EEA
00407358 |. 8B4C24 08  mov ecx,dword ptr ss:[esp+8]
0040735C |. 8B9424 E0020000  mov edx,dword ptr ss:[esp+2E0]
00407363 |. 51  push ecx  ; /Arg2
00407364 |. 52  push edx  ; |Arg1
00407365 |. E8 21CE0000  call DirWatch.0041418B  ; \DirWatch.0041418B
0040736A |. 83C4 08  add esp,8
0040736D |. 85C0  test eax,eax
0040736F |. 0F84 71030000  je DirWatch.004076E6
00407375 |. 8B4424 0C  mov eax,dword ptr ss:[esp+C]
00407379 |. 8B8C24 E0020000  mov ecx,dword ptr ss:[esp+2E0]
00407380 |. 50  push eax  ; /Arg2
00407381 |. 51  push ecx  ; |Arg1
00407382 |. E8 04CE0000  call DirWatch.0041418B  ; \DirWatch.0041418B
00407387 |. 83C4 08  add esp,8
0040738A |. 85C0  test eax,eax
0040738C |. 0F84 54030000  je DirWatch.004076E6
00407392 |. 8B9424 E0020000  mov edx,dword ptr ss:[esp+2E0]
00407399 |. 8B42 F8  mov eax,dword ptr ds:[edx-8]
0040739C |. 83F8 04  cmp eax,4
0040739F |. 7D 0E  jge short DirWatch.004073AF
004073A1 |. 6A 00  push 0
004073A3 |. 6A 00  push 0
004073A5 |. 68 D4E64300  push DirWatch.0043E6D4
004073AA |. E9 40030000  jmp DirWatch.004076EF
004073AF |> 8D8424 E0020000  lea eax,dword ptr ss:[esp+2E0]
004073B6 |. 68 20E64300  push DirWatch.0043E620  ; ASCII "\DirRecycler"
004073BB |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
004073BF |. 50  push eax
004073C0 |. 51  push ecx
004073C1 |. E8 300C0200  call DirWatch.00427FF6
004073C6 |. 50  push eax
004073C7 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
004073CB |. C68424 DC020000 04  mov byte ptr ss:[esp+2DC],4
004073D3 |. E8 C20A0200  call DirWatch.00427E9A
004073D8 |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
004073DC |. C68424 D8020000 03  mov byte ptr ss:[esp+2D8],3
004073E4 |. E8 78090200  call DirWatch.00427D61
004073E9 |. 8B5424 04  mov edx,dword ptr ss:[esp+4]
004073ED |. 6A 00  push 0  ; /pSecurity = NULL
004073EF |. 52  push edx  ; |Path
004073F0 |. FF15 C0224300  call dword ptr ds:[<&KERNEL32.CreateDirectoryA>]  ; \create a new directory
004073F6 |. 85C0  test eax,eax  ; check whether it is already encrypted
004073F8 |. 75 13  jnz short DirWatch.0040740D  ; not yet encrypted: jump
004073FA |. 50  push eax  ; /Style
004073FB |. 50  push eax  ; |Title
004073FC |. 68 C0E64300  push DirWatch.0043E6C0  ; |Text = "文件夹已被移动加密!"
00407401 |. 50  push eax  ; |hOwner
00407402 |. FF15 C8244300  call dword ptr ds:[<&USER32.MessageBoxA>]  ; \MessageBoxA
00407408 |. E9 E7020000  jmp DirWatch.004076F4
0040740D |> 68 60E64300  push DirWatch.0043E660  ; ASCII "\{djp2006}.mem"
00407412 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
00407416 |. E8 220D0200  call DirWatch.0042813D
0040741B |. 8B8424 E4020000  mov eax,dword ptr ss:[esp+2E4]  ; password into EAX
00407422 |. 50  push eax
00407423 |. E8 68E6FFFF  call DirWatch.00405A90
00407428 |. 8B0D 34654300  mov ecx,dword ptr ds:[436534]
0040742E |. 8B5424 08  mov edx,dword ptr ss:[esp+8]
00407432 |. 83C4 04  add esp,4
00407435 |. 6A 01  push 1
00407437 |. 51  push ecx
00407438 |. 6A 40  push 40
0040743A |. 52  push edx
0040743B |. 8D8C24 80000000  lea ecx,dword ptr ss:[esp+80]
00407442 |. E8 9D5D0100  call DirWatch.0041D1E4  ; create the {djp2006}.mem file
00407447 |. 8B4424 70  mov eax,dword ptr ss:[esp+70]
0040744B |. B3 06  mov bl,6
0040744D |. C68424 D8020000 05  mov byte ptr ss:[esp+2D8],5
00407455 |. 8B48 04  mov ecx,dword ptr ds:[eax+4]
00407458 |. 845C0C 78  test byte ptr ss:[esp+ecx+78],bl
0040745C |. 74 28  je short DirWatch.00407486
0040745E |. 8D4C24 70  lea ecx,dword ptr ss:[esp+70]
00407462 |. E8 83670100  call DirWatch.0041DBEA
00407467 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]
0040746B |. C68424 D8020000 03  mov byte ptr ss:[esp+2D8],3
00407473 |. E8 235E0100  call DirWatch.0041D29B
00407478 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]
0040747C |. E8 BF5C0100  call DirWatch.0041D140
00407481 |. E9 6E020000  jmp DirWatch.004076F4
00407486 |> 8B15 88104400  mov edx,dword ptr ds:[441088]
0040748C |. 68 BCE64300  push DirWatch.0043E6BC
00407491 |. 52  push edx  ; /Arg1 => 00000000
00407492 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]  ; |
00407496 |. E8 33680100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
0040749B |. 8BC8  mov ecx,eax
0040749D |. E8 5E5F0100  call DirWatch.0041D400
004074A2 |. A1 8C104400  mov eax,dword ptr ds:[44108C]
004074A7 |. 68 BCE64300  push DirWatch.0043E6BC
004074AC |. 50  push eax  ; /Arg1 => 00000000
004074AD |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]  ; |
004074B1 |. E8 18680100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004074B6 |. 8BC8  mov ecx,eax
004074B8 |. E8 435F0100  call DirWatch.0041D400
004074BD |. 8B0D 90104400  mov ecx,dword ptr ds:[441090]
004074C3 |. 68 BCE64300  push DirWatch.0043E6BC
004074C8 |. 51  push ecx  ; /Arg1 => 00000000
004074C9 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]  ; |
004074CD |. E8 FC670100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004074D2 |. 8BC8  mov ecx,eax
004074D4 |. E8 275F0100  call DirWatch.0041D400
004074D9 |. 8B15 94104400  mov edx,dword ptr ds:[441094]
004074DF |. 68 BCE64300  push DirWatch.0043E6BC
004074E4 |. 52  push edx  ; /Arg1 => 00000000
004074E5 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]  ; |
004074E9 |. E8 E0670100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004074EE |. 8BC8  mov ecx,eax
004074F0 |. E8 0B5F0100  call DirWatch.0041D400
004074F5 |. 8D4C24 70  lea ecx,dword ptr ss:[esp+70]
004074F9 |. E8 EC660100  call DirWatch.0041DBEA
004074FE |. 8B4424 04  mov eax,dword ptr ss:[esp+4]
00407502 |. 6A 02  push 2  ; /file attribute = hidden
00407504 |. 50  push eax  ; |FileName
00407505 |. FF15 C8224300  call dword ptr ds:[<&KERNEL32.SetFileAttributesA>>  ; \set the file attributes
0040750B |. 8D8C24 E0020000  lea ecx,dword ptr ss:[esp+2E0]  ; write the data into that file
00407512 |. 68 A0E64300  push DirWatch.0043E6A0  ; ASCII "\DirRecycler\Dir800621.ini"
00407517 |. 8D5424 14  lea edx,dword ptr ss:[esp+14]
0040751B |. 51  push ecx
0040751C |. 52  push edx
0040751D |. E8 D40A0200  call DirWatch.00427FF6
00407522 |. A1 34654300  mov eax,dword ptr ds:[436534]
00407527 |. 8B4C24 10  mov ecx,dword ptr ss:[esp+10]
0040752B |. 6A 01  push 1
0040752D |. 50  push eax
0040752E |. 6A 02  push 2
00407530 |. 51  push ecx
00407531 |. 8D4C24 28  lea ecx,dword ptr ss:[esp+28]
00407535 |. 889C24 E8020000  mov byte ptr ss:[esp+2E8],bl
0040753C |. E8 A35C0100  call DirWatch.0041D1E4  ; create the Dir800621.ini file
00407541 |. 8B5424 18  mov edx,dword ptr ss:[esp+18]
00407545 |. C68424 D8020000 07  mov byte ptr ss:[esp+2D8],7
0040754D |. 8B42 04  mov eax,dword ptr ds:[edx+4]
00407550 |. 845C04 20  test byte ptr ss:[esp+eax+20],bl
00407554 |. 0F85 DA000000  jnz DirWatch.00407634
0040755A |. 8B0D B0E84300  mov ecx,dword ptr ds:[43E8B0]
00407560 |. 68 BCE64300  push DirWatch.0043E6BC
00407565 |. 81F1 FF030000  xor ecx,3FF
0040756B |. 51  push ecx  ; /Arg1
0040756C |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]  ; |
00407570 |. E8 59670100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
00407575 |. 8BC8  mov ecx,eax
00407577 |. E8 845E0100  call DirWatch.0041D400
0040757C |. 8B15 D4114400  mov edx,dword ptr ds:[4411D4]
00407582 |. 68 BCE64300  push DirWatch.0043E6BC
00407587 |. 83F2 07  xor edx,7
0040758A |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
0040758E |. 52  push edx  ; /Arg1
0040758F |. E8 3A670100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
00407594 |. 8BC8  mov ecx,eax
00407596 |. E8 655E0100  call DirWatch.0041D400
0040759B |. A1 D8114400  mov eax,dword ptr ds:[4411D8]
004075A0 |. 68 BCE64300  push DirWatch.0043E6BC
004075A5 |. 83F0 1F  xor eax,1F
004075A8 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
004075AC |. 50  push eax  ; /Arg1
004075AD |. E8 1C670100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004075B2 |. 8BC8  mov ecx,eax
004075B4 |. E8 475E0100  call DirWatch.0041D400
004075B9 |. 8B0D DC114400  mov ecx,dword ptr ds:[4411DC]
004075BF |. 68 BCE64300  push DirWatch.0043E6BC
004075C4 |. 83F1 0F  xor ecx,0F
004075C7 |. 51  push ecx  ; /Arg1
004075C8 |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]  ; |
004075CC |. E8 FD660100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004075D1 |. 8BC8  mov ecx,eax
004075D3 |. E8 285E0100  call DirWatch.0041D400
004075D8 |. 8B15 E0114400  mov edx,dword ptr ds:[4411E0]
004075DE |. 68 BCE64300  push DirWatch.0043E6BC
004075E3 |. 83F2 3F  xor edx,3F
004075E6 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
004075EA |. 52  push edx  ; /Arg1
004075EB |. E8 DE660100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
004075F0 |. 8BC8  mov ecx,eax
004075F2 |. E8 095E0100  call DirWatch.0041D400
004075F7 |. A1 E4114400  mov eax,dword ptr ds:[4411E4]
004075FC |. 68 BCE64300  push DirWatch.0043E6BC
00407601 |. 83F0 3F  xor eax,3F
00407604 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
00407608 |. 50  push eax  ; /Arg1
00407609 |. E8 C0660100  call DirWatch.0041DCCE  ; \DirWatch.0041DCCE
0040760E |. 8BC8  mov ecx,eax
00407610 |. E8 EB5D0100  call DirWatch.0041D400
00407615 |. 8B0D E8114400  mov ecx,dword ptr ds:[4411E8]
0040761B |. 68 BCE64300  push DirWatch.0043E6BC
00407620 |. 83F1 1F  xor ecx,1F
00407623 |. 51  push ecx  ; /Arg1
00407624 |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]  ; |
00407628 |. E8 F0650100  call DirWatch.0041DC1D  ; \DirWatch.0041DC1D
0040762D |. 8B C8  mov ecx,eax
0040762F |. E8 CC5D0100  call DirWatch.0041D400
00407634 |> 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
00407638 |. E8 AD650100  call DirWatch.0041DBEA  ; write the data into the Dir800621.ini file
0040763D |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]
00407641 |. 889C24 D8020000  mov byte ptr ss:[esp+2D8],bl
00407648 |. E8 4E5C0100  call DirWatch.0041D29B
0040764D |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]
00407651 |. E8 EA5A0100  call DirWatch.0041D140
00407656 |. 8D4C24 10  lea ecx,dword ptr ss:[esp+10]
0040765A |. C68424 D8020000 05  mov byte ptr ss:[esp+2D8],5
00407662 |. E8 FA060200  call DirWatch.00427D61
00407667 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]
0040766B |. C68424 D8020000 03  mov byte ptr ss:[esp+2D8],3
00407673 |. E8 235C0100  call DirWatch.0041D29B
00407678 |. 8D4C24 78  lea ecx,dword ptr ss:[esp+78]
0040767C |. E8 BF5A0100  call DirWatch.0041D140
00407681 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
00407685 |. C68424 D8020000 02  mov byte ptr ss:[esp+2D8],2
0040768D |. E8 CF060200  call DirWatch.00427D61
00407692 |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00407696 |. C68424 D8020000 01  mov byte ptr ss:[esp+2D8],1
0040769E |. E8 BE060200  call DirWatch.00427D61
004076A3 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
004076A7 |. C68424 D8020000 00  mov byte ptr ss:[esp+2D8],0
004076AF |. E8 AD060200  call DirWatch.00427D61
004076B4 |. 8D8C24 E0020000  lea ecx,dword ptr ss:[esp+2E0]
004076BB |. C78424 D8020000 FF>  mov dword ptr ss:[esp+2D8],-1
004076C6 |. E8 96060200  call DirWatch.00427D61
004076CB |. B8 01000000  mov eax,1
004076D0 |. 5B  pop ebx
004076D1 |. 8B8C24 CC020000  mov ecx,dword ptr ss:[esp+2CC]
004076D8 |. 64:890D 00000000  mov dword ptr fs:[0],ecx
004076DF |. 81C4 D8020000  add esp,2D8
004076E5 |. C3  retn  ; return to where encryption continues
004076E6 |> 6A 00  push 0  ; /Arg3 = 00000000
004076E8 |. 6A 00  push 0  ; |Arg2 = 00000000
004076EA |. 68 8CE64300  push DirWatch.0043E68C  ; |Arg1 = 0043E68C
004076EF |> E8 3A410200  call DirWatch.0042B82E  ; \DirWatch.0042B82E
004076F4 |> 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
004076F8 |. C68424 D8020000 02  mov byte ptr ss:[esp+2D8],2
00407700 |. E8 5C060200  call DirWatch.00427D61
00407705 |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00407709 |. C68424 D8020000 01  mov byte ptr ss:[esp+2D8],1
00407711 |. E8 4B060200  call DirWatch.00427D61
00407716 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
0040771A |. C68424 D8020000 00  mov byte ptr ss:[esp+2D8],0
00407722 |. E8 3A060200  call DirWatch.00427D61
00407727 |. 8D8C24 E0020000  lea ecx,dword ptr ss:[esp+2E0]
0040772E |. C78424 D8020000 FF>  mov dword ptr ss:[esp+2D8],-1
00407739 |. E8 23060200  call DirWatch.00427D61
0040773E |. 8B8C24 D0020000  mov ecx,dword ptr ss:[esp+2D0]
00407745 |. 33C0  xor eax,eax
00407747 |. 5B  pop ebx
00407748 |. 64:890D 00000000  mov dword ptr fs:[0],ecx
0040774F |. 81C4 D8020000  add esp,2D8
00407755 \. C3  retn
The procedure above stores some of the entered password information in two files, Dir800621.ini and {djp2006}.mem.
The actual encryption routine and the meaning of the stored data are not analyzed in detail here, because this post only covers the encrypt/decrypt flow and its principle; that data is not particularly important. Readers who are interested can analyze it themselves, heh.
Back to where encryption continues:

0040B80F |. 83C4 08  add esp,8
0040B812 |. 3BC3  cmp eax,ebx
0040B814 |. 74 27  je short DirWatch.0040B83D
0040B816 |. 51  push ecx
0040B817 |. 8BCC  mov ecx,esp
0040B819 |. 896424 20  mov dword ptr ss:[esp+20],esp
0040B81D |. 55  push ebp
0040B81E |. E8 B3C20100  call DirWatch.00427AD6
0040B823 |. E8 38AAFFFF  call DirWatch.00406260  ; still a key routine, F7 in again
0040B828 |. 83C4 04  add esp,4
0040B82B |. 3BC3  cmp eax,ebx  ; encryption succeeded
0040B82D |. 75 0E  jnz short DirWatch.0040B83D  ; then jump and close Folder Encryption Dog
0040B82F |. 53  push ebx
0040B830 |. 53  push ebx
0040B831 |. 68 40EC4300  push DirWatch.0043EC40
0040B836 |. 8BCE  mov ecx,esi
F7 in once more:

00406260 /$ 6A FF  push -1
00406262 |. 68 72064300  push DirWatch.00430672  ; SE handler installation
00406267 |. 64:A1 00000000  mov eax,dword ptr fs:[0]
0040626D |. 50  push eax
0040626E |. 64:8925 00000000  mov dword ptr fs:[0],esp
00406275 |. 81EC 90000000  sub esp,90
0040627B |. 53  push ebx
0040627C |. A1 ECED4300  mov eax,dword ptr ds:[43EDEC]
00406281 |. C78424 9C000000 00>  mov dword ptr ss:[esp+9C],0
0040628C |. 894424 0C  mov dword ptr ss:[esp+C],eax
00406290 |. 894424 20  mov dword ptr ss:[esp+20],eax
00406294 |. 894424 24  mov dword ptr ss:[esp+24],eax
00406298 |. 8D8424 A4000000  lea eax,dword ptr ss:[esp+A4]
0040629F |. 68 20E64300  push DirWatch.0043E620  ; ASCII "\DirRecycler"
004062A4 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
004062A8 |. 50  push eax
004062A9 |. 51  push ecx
004062AA |. C68424 A8000000 03  mov byte ptr ss:[esp+A8],3
004062B2 |. E8 3F1D0200  call DirWatch.00427FF6
004062B7 |. 50  push eax
004062B8 |. 8D4C24 10  lea ecx,dword ptr ss:[esp+10]
004062BC |. C68424 A0000000 04  mov byte ptr ss:[esp+A0],4
004062C4 |. E8 D11B0200  call DirWatch.00427E9A
004062C9 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
004062CD |. C68424 9C000000 03  mov byte ptr ss:[esp+9C],3
004062D5 |. E8 871A0200  call DirWatch.00427D61
004062DA |. A1 ECED4300  mov eax,dword ptr ds:[43EDEC]
004062DF |. 894424 14  mov dword ptr ss:[esp+14],eax
004062E3 |. 894424 08  mov dword ptr ss:[esp+8],eax
004062E7 |. 68 1CE64300  push DirWatch.0043E61C
004062EC |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
004062F0 |. C68424 A0000000 06  mov byte ptr ss:[esp+A0],6
004062F8 |. E8 ED1B0200  call DirWatch.00427EEA
004062FD |. 8D5424 0C  lea edx,dword ptr ss:[esp+C]
00406301 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
00406305 |. 52  push edx
00406306 |. E8 591E0200  call DirWatch.00428164
0040630B |. 68 1CE64300  push DirWatch.0043E61C
00406310 |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00406314 |. E8 241E0200  call DirWatch.0042813D
00406319 |. 8D4424 08  lea eax,dword ptr ss:[esp+8]
0040631D |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
00406321 |. 50  push eax
00406322 |. 68 04E64300  push DirWatch.0043E604  ; ASCII "cmd /c attrib +h +s "
00406327 |. 51  push ecx
00406328 |. E8 3D1D0200  call DirWatch.0042806A  ; set the folder's attributes
0040632D |. 50  push eax  ; H = hidden
0040632E |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]  ; S = system file attribute
00406332 |. C68424 A0000000 07  mov byte ptr ss:[esp+A0],7
0040633A |. E8 5B1B0200  call DirWatch.00427E9A
0040633F |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
00406343 |. C68424 9C000000 06  mov byte ptr ss:[esp+9C],6
0040634B |. E8 111A0200  call DirWatch.00427D61
00406350 |. 51  push ecx
00406351 |. 8D5424 18  lea edx,dword ptr ss:[esp+18]
00406355 |. 8BCC  mov ecx,esp
00406357 |. 896424 08  mov dword ptr ss:[esp+8],esp
0040635B |. 52  push edx
0040635C |. E8 75170200  call DirWatch.00427AD6
00406361 |. E8 7AF4FFFF  call DirWatch.004057E0  ; run the command above, disguising the folder as a system folder
00406366 |. 83C4 04  add esp,4
00406369 |. 8D4424 0C  lea eax,dword ptr ss:[esp+C]
0040636D |. 8D4C24 34  lea ecx,dword ptr ss:[esp+34]
00406371 |. 50  push eax
00406372 |. E8 5F170200  call DirWatch.00427AD6
00406377 |. 68 FCE54300  push DirWatch.0043E5FC  ; ASCII "\nul"
0040637C |. 8D4C24 38  lea ecx,dword ptr ss:[esp+38]  ; name of the new folder to create
00406380 |. C68424 A0000000 08  mov byte ptr ss:[esp+A0],8
00406388 |. E8 B01D0200  call DirWatch.0042813D
0040638D |. A1 ECED4300  mov eax,dword ptr ds:[43EDEC]
00406392 |. 894424 30  mov dword ptr ss:[esp+30],eax
00406396 |. 894424 18  mov dword ptr ss:[esp+18],eax
0040639A |. 68 ECE54300  push DirWatch.0043E5EC  ; ASCII "cmd /c mkdir "
0040639F |. 8D4C24 34  lea ecx,dword ptr ss:[esp+34]  ; create the new folder with the mkdir command
004063A3 |. C68424 A0000000 0A  mov byte ptr ss:[esp+A0],0A
004063AB |. E8 3A1B0200  call DirWatch.00427EEA
004063B0 |. 8D4C24 34  lea ecx,dword ptr ss:[esp+34]
004063B4 |. 51  push ecx
004063B5 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
004063B9 |. E8 DC1A0200  call DirWatch.00427E9A
004063BE |. 8D5424 18  lea edx,dword ptr ss:[esp+18]
004063C2 |. 8D4424 04  lea eax,dword ptr ss:[esp+4]
004063C6 |. 52  push edx
004063C7 |. 68 1CE64300  push DirWatch.0043E61C
004063CC |. 50  push eax
004063CD |. E8 981C0200  call DirWatch.0042806A
004063D2 |. 50  push eax
004063D3 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
004063D7 |. C68424 A0000000 0B  mov byte ptr ss:[esp+A0],0B
004063DF |. E8 B61A0200  call DirWatch.00427E9A
004063E4 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
004063E8 |. C68424 9C000000 0A  mov byte ptr ss:[esp+9C],0A
004063F0 |. E8 6C190200  call DirWatch.00427D61
004063F5 |. 68 1CE64300  push DirWatch.0043E61C
004063FA |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
004063FE |. E8 3A1D0200  call DirWatch.0042813D
00406403 |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
00406407 |. 51  push ecx
00406408 |. 8D4C24 34  lea ecx,dword ptr ss:[esp+34]
0040640C |. E8 531D0200  call DirWatch.00428164
00406411 |. 51  push ecx
00406412 |. 8D5424 34  lea edx,dword ptr ss:[esp+34]
00406416 |. 8BCC  mov ecx,esp
00406418 |. 896424 08  mov dword ptr ss:[esp+8],esp
0040641C |. 52  push edx
0040641D |. E8 B4160200  call DirWatch.00427AD6
00406422 |. E8 B9F3FFFF  call DirWatch.004057E0  ; run the command above; the NUL folder is created
00406427 |. 83C4 04  add esp,4
0040642A |. 8D4424 0C  lea eax,dword ptr ss:[esp+C]
0040642E |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
00406432 |. 50  push eax
00406433 |. E8 9E160200  call DirWatch.00427AD6
00406438 |. 68 74104400  push DirWatch.00441074
0040643D |. 8D4C24 20  lea ecx,dword ptr ss:[esp+20]
00406441 |. C68424 A0000000 0C  mov byte ptr ss:[esp+A0],0C
00406449 |. E8 161D0200  call DirWatch.00428164
0040644E |. A1 ECED4300  mov eax,dword ptr ds:[43EDEC]
00406453 |. 894424 2C  mov dword ptr ss:[esp+2C],eax
00406457 |. 894424 10  mov dword ptr ss:[esp+10],eax
0040645B |. B3 0E  mov bl,0E
0040645D |. 68 ECE54300  push DirWatch.0043E5EC  ; ASCII "cmd /c mkdir "
00406462 |. 8D4C24 30  lea ecx,dword ptr ss:[esp+30]  ; keep creating
00406466 |. 889C24 A0000000  mov byte ptr ss:[esp+A0],bl
0040646D |. E8 781A0200  call DirWatch.00427EEA
00406472 |. 8D4C24 1C  lea ecx,dword ptr ss:[esp+1C]
00406476 |. 51  push ecx
00406477 |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
0040647B |. E8 1A1A0200  call DirWatch.00427E9A
00406480 |. 8D5424 10  lea edx,dword ptr ss:[esp+10]
00406484 |. 8D4424 04  lea eax,dword ptr ss:[esp+4]
00406488 |. 52  push edx
00406489 |. 68 1CE64300  push DirWatch.0043E61C
0040648E |. 50  push eax
0040648F |. E8 D61B0200  call DirWatch.0042806A
00406494 |. 50  push eax
00406495 |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
00406499 |. C68424 A0000000 0F  mov byte ptr ss:[esp+A0],0F
004064A1 |. E8 F4190200  call DirWatch.00427E9A
004064A6 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
004064AA |. 889C24 9C000000  mov byte ptr ss:[esp+9C],bl
004064B1 |. E8 AB180200  call DirWatch.00427D61
004064B6 |. 68 1CE64300  push DirWatch.0043E61C
004064BB |. 8D4C24 14  lea ecx,dword ptr ss:[esp+14]
004064BF |. E8 791C0200  call DirWatch.0042813D
004064C4 |. 8D4C24 10  lea ecx,dword ptr ss:[esp+10]
004064C8 |. 51  push ecx
004064C9 |. 8D4C24 30  lea ecx,dword ptr ss:[esp+30]
004064CD |. E8 921C0200  call DirWatch.00428164
004064D2 |. 51  push ecx
004064D3 |. 8D5424 30  lea edx,dword ptr ss:[esp+30]
004064D7 |. 8BCC  mov ecx,esp
004064D9 |. 896424 08  mov dword ptr ss:[esp+8],esp
004064DD |. 52  push edx
004064DE |. E8 F3150200  call DirWatch.00427AD6
004064E3 |. E8 F8F2FFFF  call DirWatch.004057E0  ; run the command above; the "system." folder is created
004064E8 |. 83C4 04  add esp,4
004064EB |. 8D4424 1C  lea eax,dword ptr ss:[esp+1C]
004064EF |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
004064F3 |. 68 1CE14300  push DirWatch.0043E11C  ; ASCII "\dogtmpdir"
004064F8 |. 50  push eax
004064F9 |. 51  push ecx
004064FA |. E8 F71A0200  call DirWatch.00427FF6
004064FF |. 50  push eax
00406500 |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00406504 |. C68424 A0000000 10  mov byte ptr ss:[esp+A0],10
0040650C |. E8 89190200  call DirWatch.00427E9A
00406511 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
00406515 |. 889C24 9C000000  mov byte ptr ss:[esp+9C],bl
0040651C |. E8 40180200  call DirWatch.00427D61
00406521 |. 8D5424 08  lea edx,dword ptr ss:[esp+8]
00406525 |. 8D4424 04  lea eax,dword ptr ss:[esp+4]
00406529 |. 52  push edx
0040652A |. 68 1CE64300  push DirWatch.0043E61C
0040652F |. 50  push eax
00406530 |. E8 351B0200  call DirWatch.0042806A
00406535 |. 50  push eax
00406536 |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
0040653A |. C68424 A0000000 11  mov byte ptr ss:[esp+A0],11
00406542 |. E8 53190200  call DirWatch.00427E9A
00406547 |. 8D4C24 04  lea ecx,dword ptr ss:[esp+4]
0040654B |. 889C24 9C000000  mov byte ptr ss:[esp+9C],bl
00406552 |. E8 0A180200  call DirWatch.00427D61
00406557 |. 68 1CE64300  push DirWatch.0043E61C
0040655C |. 8D4C24 0C  lea ecx,dword ptr ss:[esp+C]
00406560 |. E8 D81B0200  call DirWatch.0042813D
00406565 |. 68 ECE54300  push DirWatch.0043E5EC  ; ASCII "cmd /c mkdir "
0040656A |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]  ; keep creating
0040656E |. E8 77190200  call DirWatch.00427EEA
00406573 |. 8D4C24 08  lea ecx,dword ptr ss:[esp+8]
00406577 |. 51  push ecx
00406578 |. 8D4C24 18  lea ecx,dword ptr ss:[esp+18]
0040657C |. E8 E31B0200  call DirWatch.00428164
00406581 |. 51  push ecx
00406582 |. 8D5424 18  lea edx,dword ptr ss:[esp+18]
00406586 |. 8BCC  mov ecx,esp
00406588 |. 896424 08  mov dword ptr ss:[esp+8],esp
0040658C |. 52  push edx
0040658D |. E8 44150200  call DirWatch.00427AD6
00406592 |. E8 49F2FFFF  call DirWatch.004057E0
00406597 |. 83C4 04  add esp,4
0040659A |. 8D4424 0C  lea eax,dword ptr ss:[esp+C]
0040659E |. 8D4C24 28  lea ecx,dword ptr ss:[esp+28]
004065A2 |. 68 74104400  push DirWatch.00441074
004065A7 |. 50  push eax
004065A8 |. 51  push ecx
004065A9 |. E8 E2190200  call DirWatch.00427F90
004065AE |. 68 1CE14300  push DirWatch.0043E11C  ; ASCII "\dogtmpdir"
004065B3 |. 8D4C24 2C  lea ecx,dword ptr ss:[esp+2C]
004065B7 |. C68424 A0000000 12  mov byte ptr ss:[esp+A0],12
004065BF |. E8 791B0200  call DirWatch.0042813D
004065C4 |. A1 D0114400  mov eax,dword ptr ds:[4411D0]
004065C9 |. 85C0  test eax,eax
004065CB |. 75 3F  jnz short DirWatch.0040660C
004065CD |. 51  push ecx
004065CE |. 8D5424 2C  lea edx,dword ptr ss:[esp+2C]
004065D2 |. 8BCC  mov ecx,esp
004065D4 |. 896424 08  mov dword ptr ss:[esp+8],esp
004065D8 |. 52  push edx
004065D9 |. E8 F8140200  call DirWatch.00427AD6
004065DE |. 51  push ecx
004065DF |. 8D8424 AC000000  lea eax,dword ptr ss:[esp+AC]
004065E6 |. 8BCC  mov ecx,esp
004065E8 |. 896424 40  mov dword ptr ss:[esp+40],esp
004065EC |. 50  push eax
004065ED |. C68424 A8000000 13  mov byte ptr ss:[esp+A8],13
004065F5 |. E8 DC140200  call DirWatch.00427AD6
004065FA |. C68424 A4000000 12  mov byte ptr ss:[esp+A4],12
00406602 |. E8 D9F5FFFF  call DirWatch.00405BE0  ; puts all the files to be encrypted into the "system." (trailing-dot) folder
00406607 |. 83C4 08  add esp,8
0040660A |. EB 3F  jmp short DirWatch.0040664B
0040660C |> 6A 00  push 0
0040660E |. 51  push ecx
0040660F |. 8D5424 30  lea edx,dword ptr ss:[esp+30]
00406613 |. 8BCC  mov ecx,esp
00406615 |. 896424 40  mov dword ptr ss:[esp+40],esp
00406619 |. 52  push edx
0040661A |. E8 B7140200  call DirWatch.00427AD6
0040661F |. 51  push
ecx00406620|.8D8424 B0000000lea eax,dword ptr ss:[esp+B0]00406627|.8BCC mov ecx,esp00406629|.896424 10mov dword ptr ss:[esp+10],esp0040662D|.50 push eax0040662E|.C68424 AC000000 14 mov byte ptr ss:[esp+AC],1400406636|.E8 9B140200call DirWatch.00427AD60040663B|.C68424 A8000000 12 mov byte ptr ss:[esp+A8],1200406643|.E8 D8F7FFFFcall DirWatch.00405E2000406648|.83C4 0Cadd esp,0C0040664B|>85C0 test eax,eax0040664D|.0F84 BC010000je DirWatch.0040680F00406653|.68 E4E54300push DirWatch.0043E5E4;ASCII "CLSID="00406658|.8D4C24 28lea ecx,dword ptr ss:[esp+28]0040665C|.E8 89180200call DirWatch.00427EEA00406661|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]00406665|.68 34E14300push DirWatch.0043E134;ASCII "\desktop.ini"0040666A|.8D5424 08lea edx,dword ptr ss:[esp+8];所要创建的新的文件名0040666E|.51 push ecx0040666F|.52 push edx00406670|.E8 81190200call DirWatch.00427FF600406675|.50 push eax00406676|.8D4C24 24lea ecx,dword ptr ss:[esp+24]0040667A|.C68424 A0000000 15 mov byte ptr ss:[esp+A0],1500406682|.E8 13180200call DirWatch.00427E9A00406687|.8D4C24 04lea ecx,dword ptr ss:[esp+4]0040668B|.C68424 9C000000 12 mov byte ptr ss:[esp+9C],1200406693|.E8 C9160200call DirWatch.00427D6100406698|.A1 34654300mov eax,dword ptr ds:[436534]0040669D|.8B4C24 20mov ecx,dword ptr ss:[esp+20]004066A1|.6A 01push 1004066A3|.50 push eax004066A4|.6A 02push 2004066A6|.51 push ecx004066A7|.8D4C24 4Clea ecx,dword ptr ss:[esp+4C]004066AB|.E8 346B0100call DirWatch.0041D1E4004066B0|.68 BCE54300push DirWatch.0043E5BC;ASCII "{645FF040-5081-101B-9F08-00AA002F954E}"004066B5|.8D4C24 28lea ecx,dword ptr ss:[esp+28]004066B9|.C68424 A0000000 16 mov byte ptr ss:[esp+A0],16004066C1|.E8 771A0200call DirWatch.0042813D004066C6|.68 A8E54300push DirWatch.0043E5A8;ASCII "[.ShellClassInfo]"004066CB|.8D4C24 40lea ecx,dword ptr ss:[esp+40]004066CF|.E8 2C6D0100call DirWatch.0041D400;成功创建desktop.ini004066D4|.8B5424 24mov edx,dword ptr ss:[esp+24] ;CLSID号放EDX004066D8|.8D4C24 3Clea ecx,dword ptr ss:[esp+3C]004066DC|.52 push edx004066DD|.E8 
1E6D0100call DirWatch.0041D400004066E2|.8D4C24 3Clea ecx,dword ptr ss:[esp+3C]004066E6|.E8 FF740100call DirWatch.0041DBEA;把数据全放到了ini文件里004066EB|.8B4424 20mov eax,dword ptr ss:[esp+20]004066EF|.6A 01push 1; /属性为只读004066F1|.50 push eax; |FileName004066F2|.FF15 C8224300call dword ptr ds:[<&KERNEL32.SetFileAttributesA>>; \设置文件属性004066F8|.8D4C24 44lea ecx,dword ptr ss:[esp+44] ;创建1个desktop.ini文件004066FC|.C68424 9C000000 12 mov byte ptr ss:[esp+9C],12 ;成功执行,把文件夹伪装成回收站的样子00406704|.E8 926B0100call DirWatch.0041D29B;并把里面的文件全隐藏起来00406709|.8D4C24 44lea ecx,dword ptr ss:[esp+44]0040670D|.E8 2E6A0100call DirWatch.0041D14000406712|.8D4C24 28lea ecx,dword ptr ss:[esp+28]00406716|.889C24 9C000000mov byte ptr ss:[esp+9C],bl0040671D|.E8 3F160200call DirWatch.00427D6100406722|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00406726|.C68424 9C000000 0D mov byte ptr ss:[esp+9C],0D0040672E|.E8 2E160200call DirWatch.00427D6100406733|.8D4C24 2Clea ecx,dword ptr ss:[esp+2C]00406737|.C68424 9C000000 0C mov byte ptr ss:[esp+9C],0C0040673F|.E8 1D160200call DirWatch.00427D6100406744|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406748|.C68424 9C000000 0A mov byte ptr ss:[esp+9C],0A00406750|.E8 0C160200call DirWatch.00427D6100406755|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406759|.C68424 9C000000 09 mov byte ptr ss:[esp+9C],900406761|.E8 FB150200call DirWatch.00427D6100406766|.8D4C24 30lea ecx,dword ptr ss:[esp+30]0040676A|.C68424 9C000000 08 mov byte ptr ss:[esp+9C],800406772|.E8 EA150200call DirWatch.00427D6100406777|.8D4C24 34lea ecx,dword ptr ss:[esp+34]0040677B|.C68424 9C000000 06 mov byte ptr ss:[esp+9C],600406783|.E8 D9150200call DirWatch.00427D6100406788|.8D4C24 08lea ecx,dword ptr ss:[esp+8]0040678C|.C68424 9C000000 05 mov byte ptr ss:[esp+9C],500406794|.E8 C8150200call DirWatch.00427D6100406799|.8D4C24 14lea ecx,dword ptr ss:[esp+14]0040679D|.C68424 9C000000 03 mov byte ptr ss:[esp+9C],3004067A5|.E8 B7150200call DirWatch.00427D61004067AA|.8D4C24 24lea ecx,dword ptr ss:[esp+24]004067AE|.C68424 
9C000000 02 mov byte ptr ss:[esp+9C],2004067B6|.E8 A6150200call DirWatch.00427D61004067BB|.8D4C24 20lea ecx,dword ptr ss:[esp+20]004067BF|.C68424 9C000000 01 mov byte ptr ss:[esp+9C],1004067C7|.E8 95150200call DirWatch.00427D61004067CC|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]004067D0|.C68424 9C000000 00 mov byte ptr ss:[esp+9C],0004067D8|.E8 84150200call DirWatch.00427D61004067DD|.8D8C24 A4000000lea ecx,dword ptr ss:[esp+A4]004067E4|.C78424 9C000000 FF>mov dword ptr ss:[esp+9C],-1004067EF|.E8 6D150200call DirWatch.00427D61004067F4|.B8 01000000mov eax,1004067F9|.8B8C24 94000000mov ecx,dword ptr ss:[esp+94]00406800|.64:890D 00000000 mov dword ptr fs:[0],ecx00406807|.5B pop ebx00406808|.81C4 9C000000add esp,9C0040680E|.C3 retn
The process above creates two folders: nul, and the special folder system. (a name the system does not normally accept).
It then moves the files to be encrypted into the system. folder.
Next it creates a desktop.ini file that disguises this folder as the Recycle Bin.
That is the end of the encryption process.
To summarise, the encryption process and the idea behind it are fairly simple:
Inside the folder to be encrypted, 文件夹加密狗 (Folder Encryption Dog) first creates a folder named DirRecycler, sets it to system and hidden, and finally disguises it as the Recycle Bin, so under normal circumstances we cannot see this folder at all. If we untick "Hide protected operating system files", the folder becomes visible, and what we see is an icon that looks like the Recycle Bin. Opening it shows that DirRecycler contains two folders and three files: the folders nul and system., and the files Dir800621.ini, desktop.ini and {djp2006}.mem. Dir800621.ini and {djp2006}.mem store the password and the encryption information, while desktop.ini holds the attribute information that disguises DirRecycler as the Recycle Bin. So as soon as desktop.ini is deleted, the DirRecycler folder's icon changes from the Recycle Bin icon back to an ordinary folder icon.
system. cannot normally be created, nor can it be opened, and the files we want to encrypt are stored inside it. As for the nul folder, it can usually be opened; I have not yet found out what it is for, so if you know, please tell me.
Now on to the decryption process:
输入解密的密码,点解密按纽,来到关键代码处:0040AB80 .64:A1 00000000 mov eax,dword ptr fs:[0]0040AB86 .6A FFpush -10040AB88 .68 380D4300push DirWatch.00430D380040AB8D .50 push eax0040AB8E .64:8925 00000000 mov dword ptr fs:[0],esp0040AB95 .83EC 08sub esp,80040AB98 .53 push ebx0040AB99 .55 push ebp0040AB9A .56 push esi0040AB9B .8BF1 mov esi,ecx0040AB9D .57 push edi0040AB9E .33DB xor ebx,ebx0040ABA0 .33C0 xor eax,eax0040ABA2 .8DBE 8C000000lea edi,dword ptr ds:[esi+8C]0040ABA8 >881C07 mov byte ptr ds:[edi+eax],bl0040ABAB .8898 14124400mov byte ptr ds:[eax+441214],bl0040ABB1 .40 inc eax0040ABB2 .83F8 10cmp eax,100040ABB5 .^ 7C F1jl short DirWatch.0040ABA80040ABB7 .8DAE 9C000000lea ebp,dword ptr ds:[esi+9C]0040ABBD .68 E0EA4300push DirWatch.0043EAE0;ASCII "\DirRecyclers"0040ABC2 .8D4424 14lea eax,dword ptr ss:[esp+14]0040ABC6 .55 push ebp0040ABC7 .50 push eax0040ABC8 .E8 29D40100call DirWatch.00427FF60040ABCD .8B86 A0000000mov eax,dword ptr ds:[esi+A0]0040ABD3 .895C24 20mov dword ptr ss:[esp+20],ebx0040ABD7 .3BC3 cmp eax,ebx ;判断加密还是解密,解密则跳0040ABD9 .75 0Cjnz short DirWatch.0040ABE70040ABDB .8BCE mov ecx,esi0040ABDD .E8 0E0B0000call DirWatch.0040B6F00040ABE2 .E9 50010000jmp DirWatch.0040AD370040ABE7 >6A 01push 10040ABE9 .8BCE mov ecx,esi0040ABEB .E8 4ABD0100call DirWatch.0042693A0040ABF0 .85C0 test eax,eax0040ABF2 .0F84 3F010000je DirWatch.0040AD370040ABF8 .8B8E F4000000mov ecx,dword ptr ds:[esi+F4] ;解密的密码放ECX0040ABFE .8B41 F8mov eax,dword ptr ds:[ecx-8];位数当EAX0040AC01 .8BC8 mov ecx,eax ;放ECX0040AC03 .83F8 01cmp eax,1 ;和1比较0040AC06 .890D 24124400mov dword ptr ds:[441224],ecx0040AC0C .7D 07jge short DirWatch.0040AC150040AC0E .B9 02000000mov ecx,20040AC13 .EB 0Ajmp short DirWatch.0040AC1F0040AC15 >83F8 10cmp eax,10;和16比较0040AC18 .7E 0Bjle short DirWatch.0040AC250040AC1A .B9 10000000mov ecx,100040AC1F >890D 24124400mov dword ptr ds:[441224],ecx0040AC25 >33C0 xor eax,eax0040AC27 .3BCB cmp ecx,ebx0040AC29 .7E 1Djle short DirWatch.0040AC480040AC2B >8B96 F4000000mov edx,dword ptr ds:[esi+F4]0040AC31 
.40 inc eax0040AC32 .8A4C02 FFmov cl,byte ptr ds:[edx+eax-1];逐位取解密的密码0040AC36 .884C07 FFmov byte ptr ds:[edi+eax-1],cl0040AC3A .8888 13124400mov byte ptr ds:[eax+441213],cl0040AC40 .3B05 24124400cmp eax,dword ptr ds:[441224]0040AC46 .^ 7C E3jl short DirWatch.0040AC2B0040AC48 >57 push edi0040AC49 .51 push ecx0040AC4A .8BCC mov ecx,esp0040AC4C .896424 1Cmov dword ptr ss:[esp+1C],esp0040AC50 .55 push ebp0040AC51 .E8 80CE0100call DirWatch.00427AD60040AC56 .E8 05C3FFFFcall DirWatch.00406F60;判断密码是否正确的关键,F7进0040AC5B .83C4 08add esp,80040AC5E .3BC3 cmp eax,ebx0040AC60 .0F84 D1000000je DirWatch.0040AD370040AC66 .51 push ecx0040AC67 .8BCC mov ecx,esp0040AC69 .896424 18mov dword ptr ss:[esp+18],esp0040AC6D .55 push ebp0040AC6E .E8 63CE0100call DirWatch.00427AD60040AC73 .E8 B8BCFFFFcall DirWatch.00406930;解密加密的文件的重要CALL,F7!0040AC78 .8B4424 14mov eax,dword ptr ss:[esp+14]0040AC7C .83C4 04add esp,40040AC7F .50 push eax; /Path
进入解密关键代码:00406930/$6A FFpush -100406932|.68 38074300push DirWatch.00430738;SE 句柄安装00406937|.64:A1 00000000 mov eax,dword ptr fs:[0]0040693D|.50 push eax0040693E|.64:8925 00000000 mov dword ptr fs:[0],esp00406945|.83EC 3Csub esp,3C00406948|.53 push ebx00406949|.55 push ebp0040694A|.56 push esi0040694B|.57 push edi0040694C|.A1 ECED4300mov eax,dword ptr ds:[43EDEC]00406951|.C74424 54 00000000 mov dword ptr ss:[esp+54],000406959|.894424 10mov dword ptr ss:[esp+10],eax0040695D|.8D4C24 5Clea ecx,dword ptr ss:[esp+5C]00406961|.68 44E14300push DirWatch.0043E14400406966|.8D5424 44lea edx,dword ptr ss:[esp+44]0040696A|.51 push ecx0040696B|.52 push edx0040696C|.C64424 60 01 mov byte ptr ss:[esp+60],100406971|.E8 80160200call DirWatch.00427FF600406976|.50 push eax00406977|.8D4C24 14lea ecx,dword ptr ss:[esp+14]0040697B|.C64424 58 02 mov byte ptr ss:[esp+58],200406980|.E8 15150200call DirWatch.00427E9A00406985|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406989|.C64424 54 01 mov byte ptr ss:[esp+54],10040698E|.E8 CE130200call DirWatch.00427D6100406993|.68 A0104400push DirWatch.004410A000406998|.8D4C24 14lea ecx,dword ptr ss:[esp+14]0040699C|.E8 C3170200call DirWatch.00428164004069A1|.8D4424 10lea eax,dword ptr ss:[esp+10]004069A5|.B9 98104400mov ecx,DirWatch.00441098004069AA|.50 push eax004069AB|.E8 EA140200call DirWatch.00427E9A004069B0|.8D4C24 10lea ecx,dword ptr ss:[esp+10]004069B4|.68 74104400push DirWatch.00441074004069B9|.8D5424 30lea edx,dword ptr ss:[esp+30]004069BD|.51 push ecx004069BE|.52 push edx004069BF|.E8 CC150200call DirWatch.00427F90004069C4|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"004069C9|.8D4C24 30lea ecx,dword ptr ss:[esp+30]004069CD|.C64424 58 03 mov byte ptr ss:[esp+58],3004069D2|.E8 66170200call DirWatch.0042813D004069D7|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir "004069DC|.8D4C24 3Clea ecx,dword ptr ss:[esp+3C] ;用rmdir文件删除文件004069E0|.E8 EA130200call DirWatch.00427DCF004069E5|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir 
"004069EA|.8D4C24 38lea ecx,dword ptr ss:[esp+38] ;用rmdir文件删除文件004069EE|.C64424 58 04 mov byte ptr ss:[esp+58],4004069F3|.E8 D7130200call DirWatch.00427DCF004069F8|.8D4424 10lea eax,dword ptr ss:[esp+10]004069FC|.68 FCE54300push DirWatch.0043E5FC;ASCII "\nul"00406A01|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406A05|.50 push eax00406A06|.51 push ecx00406A07|.C64424 60 05 mov byte ptr ss:[esp+60],500406A0C|.E8 E5150200call DirWatch.00427FF600406A11|.A1 ECED4300mov eax,dword ptr ds:[43EDEC]00406A16|.894424 28mov dword ptr ss:[esp+28],eax00406A1A|.894424 1Cmov dword ptr ss:[esp+1C],eax00406A1E|.68 40E64300push DirWatch.0043E640;ASCII "cmd /c rmdir "00406A23|.8D4C24 2Clea ecx,dword ptr ss:[esp+2C] ;用rmdir文件删除文件00406A27|.C64424 58 08 mov byte ptr ss:[esp+58],800406A2C|.E8 B9140200call DirWatch.00427EEA00406A31|.8D5424 3Clea edx,dword ptr ss:[esp+3C]00406A35|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406A39|.52 push edx00406A3A|.E8 5B140200call DirWatch.00427E9A00406A3F|.8D4424 1Clea eax,dword ptr ss:[esp+1C]00406A43|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406A47|.50 push eax00406A48|.68 1CE64300push DirWatch.0043E61C00406A4D|.51 push ecx00406A4E|.E8 17160200call DirWatch.0042806A00406A53|.C64424 54 09 mov byte ptr ss:[esp+54],900406A58|.50 push eax00406A59|.8D4C24 20lea ecx,dword ptr ss:[esp+20]00406A5D|.E8 38140200call DirWatch.00427E9A00406A62|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406A66|.C64424 54 08 mov byte ptr ss:[esp+54],800406A6B|.E8 F1120200call DirWatch.00427D6100406A70|.68 1CE64300push DirWatch.0043E61C00406A75|.8D4C24 20lea ecx,dword ptr ss:[esp+20]00406A79|.E8 BF160200call DirWatch.0042813D00406A7E|.8D5424 1Clea edx,dword ptr ss:[esp+1C]00406A82|.8D4C24 28lea ecx,dword ptr ss:[esp+28]00406A86|.52 push edx00406A87|.E8 D8160200call DirWatch.0042816400406A8C|.A1 ECED4300mov eax,dword ptr ds:[43EDEC]00406A91|.894424 18mov dword ptr ss:[esp+18],eax00406A95|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"00406A9A|.8D4C24 44lea ecx,dword ptr 
ss:[esp+44]00406A9E|.B3 0Amov bl,0A00406AA0|.68 74104400push DirWatch.0044107400406AA5|.51 push ecx00406AA6|.885C24 60mov byte ptr ss:[esp+60],bl00406AAA|.E8 47150200call DirWatch.00427FF600406AAF|.50 push eax00406AB0|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406AB4|.C64424 58 0B mov byte ptr ss:[esp+58],0B00406AB9|.E8 DC130200call DirWatch.00427E9A00406ABE|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406AC2|.885C24 54mov byte ptr ss:[esp+54],bl00406AC6|.E8 96120200call DirWatch.00427D6100406ACB|.8D5424 18lea edx,dword ptr ss:[esp+18]00406ACF|.8D4424 10lea eax,dword ptr ss:[esp+10]00406AD3|.52 push edx00406AD4|.8D4C24 44lea ecx,dword ptr ss:[esp+44]00406AD8|.50 push eax00406AD9|.51 push ecx00406ADA|.E8 B1140200call DirWatch.00427F9000406ADF|.50 push eax00406AE0|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406AE4|.C64424 58 0C mov byte ptr ss:[esp+58],0C00406AE9|.E8 AC130200call DirWatch.00427E9A00406AEE|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406AF2|.885C24 54mov byte ptr ss:[esp+54],bl00406AF6|.E8 66120200call DirWatch.00427D6100406AFB|.8D5424 18lea edx,dword ptr ss:[esp+18]00406AFF|.8D4424 40lea eax,dword ptr ss:[esp+40]00406B03|.52 push edx00406B04|.68 1CE64300push DirWatch.0043E61C00406B09|.50 push eax00406B0A|.E8 5B150200call DirWatch.0042806A00406B0F|.50 push eax00406B10|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406B14|.C64424 58 0D mov byte ptr ss:[esp+58],0D00406B19|.E8 7C130200call DirWatch.00427E9A00406B1E|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406B22|.885C24 54mov byte ptr ss:[esp+54],bl00406B26|.E8 36120200call DirWatch.00427D6100406B2B|.68 1CE64300push DirWatch.0043E61C00406B30|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406B34|.E8 04160200call DirWatch.0042813D00406B39|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406B3D|.51 push ecx00406B3E|.8D4C24 3Clea ecx,dword ptr ss:[esp+3C]00406B42|.E8 1D160200call DirWatch.0042816400406B47|.8B15 ECED4300mov edx,dword ptr ds:[43EDEC] ;DirWatch.0043EE0000406B4D|.895424 14mov dword ptr ss:[esp+14],edx00406B51|.68 74104400push 
DirWatch.0044107400406B56|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406B5A|.C64424 58 0E mov byte ptr ss:[esp+58],0E00406B5F|.E8 36130200call DirWatch.00427E9A00406B64|.8D4424 14lea eax,dword ptr ss:[esp+14]00406B68|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00406B6C|.50 push eax00406B6D|.8D5424 44lea edx,dword ptr ss:[esp+44]00406B71|.51 push ecx00406B72|.52 push edx00406B73|.E8 18140200call DirWatch.00427F9000406B78|.50 push eax00406B79|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406B7D|.C64424 58 0F mov byte ptr ss:[esp+58],0F00406B82|.E8 13130200call DirWatch.00427E9A00406B87|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406B8B|.C64424 54 0E mov byte ptr ss:[esp+54],0E00406B90|.E8 CC110200call DirWatch.00427D6100406B95|.8D4424 14lea eax,dword ptr ss:[esp+14]00406B99|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406B9D|.50 push eax00406B9E|.68 1CE64300push DirWatch.0043E61C00406BA3|.51 push ecx00406BA4|.E8 C1140200call DirWatch.0042806A00406BA9|.50 push eax00406BAA|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406BAE|.C64424 58 10 mov byte ptr ss:[esp+58],1000406BB3|.E8 E2120200call DirWatch.00427E9A00406BB8|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406BBC|.C64424 54 0E mov byte ptr ss:[esp+54],0E00406BC1|.E8 9B110200call DirWatch.00427D6100406BC6|.68 1CE64300push DirWatch.0043E61C00406BCB|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406BCF|.E8 69150200call DirWatch.0042813D00406BD4|.8D5424 14lea edx,dword ptr ss:[esp+14]00406BD8|.8D4C24 34lea ecx,dword ptr ss:[esp+34]00406BDC|.52 push edx00406BDD|.E8 82150200call DirWatch.0042816400406BE2|.68 34E14300push DirWatch.0043E134;ASCII "\desktop.ini"00406BE7|.B9 98104400mov ecx,DirWatch.0044109800406BEC|.E8 4C150200call DirWatch.0042813D00406BF1|.8D4424 5Clea eax,dword ptr ss:[esp+5C]00406BF5|.68 44E14300push DirWatch.0043E14400406BFA|.8D4C24 28lea ecx,dword ptr ss:[esp+28]00406BFE|.50 push eax00406BFF|.51 push ecx00406C00|.E8 F1130200call DirWatch.00427FF600406C05|.68 A0104400push DirWatch.004410A000406C0A|.8D4C24 28lea ecx,dword ptr 
ss:[esp+28]00406C0E|.C64424 58 11 mov byte ptr ss:[esp+58],1100406C13|.E8 4C150200call DirWatch.0042816400406C18|.68 30E64300push DirWatch.0043E630;ASCII "\Dir800621.ini"00406C1D|.8D4C24 28lea ecx,dword ptr ss:[esp+28]00406C21|.E8 17150200call DirWatch.0042813D00406C26|.8D5424 10lea edx,dword ptr ss:[esp+10]00406C2A|.68 1CE14300push DirWatch.0043E11C;ASCII "\dogtmpdir"00406C2F|.8D4424 34lea eax,dword ptr ss:[esp+34]00406C33|.52 push edx00406C34|.50 push eax00406C35|.E8 BC130200call DirWatch.00427FF600406C3A|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00406C3E|.68 74104400push DirWatch.0044107400406C43|.8D5424 24lea edx,dword ptr ss:[esp+24]00406C47|.51 push ecx00406C48|.52 push edx00406C49|.C64424 60 12 mov byte ptr ss:[esp+60],1200406C4E|.E8 3D130200call DirWatch.00427F9000406C53|.8B4424 30mov eax,dword ptr ss:[esp+30]00406C57|.8B3D F0224300mov edi,dword ptr ds:[<&KERNEL32.RemoveDirectoryA>;删除指定目录00406C5D|.50 push eax; /Path00406C5E|.C64424 58 13 mov byte ptr ss:[esp+58],13 ; |目录名00406C63|.FFD7 call edi; \RemoveDirectoryA00406C65|.FF15 A0224300call dword ptr ds:[<&KERNEL32.GetLastError>]; [GetLastError00406C6B|.8B2D C8224300mov ebp,dword ptr ds:[<&KERNEL32.SetFileAttribute>;设置文件属性00406C71|.8B35 CC224300mov esi,dword ptr ds:[<&KERNEL32.DeleteFileA>];删除文件00406C77|.83F8 02cmp eax,200406C7A|.74 56je short DirWatch.00406CD200406C7C|.8B4C24 20mov ecx,dword ptr ss:[esp+20]00406C80|.8B5424 30mov edx,dword ptr ss:[esp+30]00406C84|.51 push ecx00406C85|.52 push edx00406C86|.E8 65EEFFFFcall DirWatch.00405AF000406C8B|.83C4 08add esp,800406C8E|.8D4424 10lea eax,dword ptr ss:[esp+10]00406C92|.8D4C24 40lea ecx,dword ptr ss:[esp+40]00406C96|.68 28E14300push DirWatch.0043E128;ASCII "\djp.txt"00406C9B|.50 push eax00406C9C|.51 push ecx00406C9D|.E8 54130200call DirWatch.00427FF600406CA2|.50 push eax00406CA3|.8D4C24 24lea ecx,dword ptr ss:[esp+24]00406CA7|.C64424 58 14 mov byte ptr ss:[esp+58],1400406CAC|.E8 E9110200call DirWatch.00427E9A00406CB1|.8D4C24 40lea ecx,dword ptr 
ss:[esp+40]00406CB5|.C64424 54 13 mov byte ptr ss:[esp+54],1300406CBA|.E8 A2100200call DirWatch.00427D6100406CBF|.8B5424 20mov edx,dword ptr ss:[esp+20]00406CC3|.68 80000000push 80 ; /FileAttributes = NORMAL00406CC8|.52 push edx; |FileName00406CC9|.FFD5 call ebp; \SetFileAttributesA00406CCB|.8B4424 20mov eax,dword ptr ss:[esp+20]00406CCF|.50 push eax; /FileName00406CD0|.FFD6 call esi; \DeleteFileA00406CD2|>A1 D0114400mov eax,dword ptr ds:[4411D0]00406CD7|.85C0 test eax,eax00406CD9|.75 36jnz short DirWatch.00406D1100406CDB|.51 push ecx00406CDC|.8D5424 60lea edx,dword ptr ss:[esp+60]00406CE0|.8BCC mov ecx,esp00406CE2|.896424 48mov dword ptr ss:[esp+48],esp00406CE6|.52 push edx00406CE7|.E8 EA0D0200call DirWatch.00427AD600406CEC|.51 push ecx00406CED|.8D4424 34lea eax,dword ptr ss:[esp+34]00406CF1|.8BCC mov ecx,esp00406CF3|.896424 50mov dword ptr ss:[esp+50],esp00406CF7|.50 push eax00406CF8|.C64424 60 15 mov byte ptr ss:[esp+60],1500406CFD|.E8 D40D0200call DirWatch.00427AD600406D02|.C64424 5C 13 mov byte ptr ss:[esp+5C],1300406D07|.E8 D4EEFFFFcall DirWatch.00405BE0;解出文件的关键,F7进00406D0C|.83C4 08add esp,800406D0F|.EB 36jmp short DirWatch.00406D4700406D11|>6A 00push 000406D13|.51 push ecx00406D14|.8D5424 64lea edx,dword ptr ss:[esp+64]00406D18|.8BCC mov ecx,esp00406D1A|.896424 50mov dword ptr ss:[esp+50],esp00406D1E|.52 push edx00406D1F|.E8 B20D0200call DirWatch.00427AD600406D24|.51 push ecx00406D25|.8D4424 38lea eax,dword ptr ss:[esp+38]00406D29|.8BCC mov ecx,esp00406D2B|.896424 50mov dword ptr ss:[esp+50],esp00406D2F|.50 push eax00406D30|.C64424 64 16 mov byte ptr ss:[esp+64],1600406D35|.E8 9C0D0200call DirWatch.00427AD600406D3A|.C64424 60 13 mov byte ptr ss:[esp+60],1300406D3F|.E8 DCF0FFFFcall DirWatch.00405E2000406D44|.83C4 0Cadd esp,0C00406D47|>85C0 test eax,eax00406D49|.0F84 40010000je DirWatch.00406E8F00406D4F|.8B0D 9C104400mov ecx,dword ptr ds:[44109C]00406D55|.51 push ecx00406D56|.FFD6 call esi00406D58|.8B15 98104400mov edx,dword ptr ds:[441098] 
;DirWatch.0043EE0000406D5E|.68 80000000push 8000406D63|.52 push edx00406D64|.FFD5 call ebp00406D66|.A1 98104400mov eax,dword ptr ds:[441098]00406D6B|.50 push eax00406D6C|.FFD6 call esi00406D6E|.8B4C24 24mov ecx,dword ptr ss:[esp+24]00406D72|.51 push ecx00406D73|.FFD6 call esi00406D75|.51 push ecx00406D76|.8D5424 3Clea edx,dword ptr ss:[esp+3C]00406D7A|.8BCC mov ecx,esp00406D7C|.896424 4Cmov dword ptr ss:[esp+4C],esp00406D80|.52 push edx00406D81|.E8 500D0200call DirWatch.00427AD600406D86|.E8 55EAFFFFcall DirWatch.004057E0;恢复主文件夹原有的属性和图标00406D8B|.8D4424 38lea eax,dword ptr ss:[esp+38]00406D8F|.8BCC mov ecx,esp00406D91|.896424 4Cmov dword ptr ss:[esp+4C],esp00406D95|.50 push eax00406D96|.E8 3B0D0200call DirWatch.00427AD600406D9B|.E8 40EAFFFFcall DirWatch.004057E0;nul文件夹恢复00406DA0|.8D5424 2Clea edx,dword ptr ss:[esp+2C]00406DA4|.8BCC mov ecx,esp00406DA6|.896424 4Cmov dword ptr ss:[esp+4C],esp00406DAA|.52 push edx00406DAB|.E8 260D0200call DirWatch.00427AD600406DB0|.E8 2BEAFFFFcall DirWatch.004057E0;成功删除nul文件夹00406DB5|.8B4424 14mov eax,dword ptr ss:[esp+14]00406DB9|.83C4 04add esp,400406DBC|.50 push eax00406DBD|.FFD7 call edi00406DBF|.8D4C24 20lea ecx,dword ptr ss:[esp+20]00406DC3|.C64424 54 12 mov byte ptr ss:[esp+54],1200406DC8|.E8 940F0200call DirWatch.00427D61;成功删除DirRecycler文件夹00406DCD|.8D4C24 30lea ecx,dword ptr ss:[esp+30]00406DD1|.C64424 54 11 mov byte ptr ss:[esp+54],1100406DD6|.E8 860F0200call DirWatch.00427D6100406DDB|.8D4C24 24lea ecx,dword ptr ss:[esp+24]00406DDF|.C64424 54 0E mov byte ptr ss:[esp+54],0E00406DE4|.E8 780F0200call DirWatch.00427D6100406DE9|.8D4C24 14lea ecx,dword ptr ss:[esp+14]00406DED|.885C24 54mov byte ptr ss:[esp+54],bl00406DF1|.E8 6B0F0200call DirWatch.00427D6100406DF6|.8D4C24 18lea ecx,dword ptr ss:[esp+18]00406DFA|.C64424 54 08 mov byte ptr ss:[esp+54],800406DFF|.E8 5D0F0200call DirWatch.00427D6100406E04|.8D4C24 1Clea ecx,dword ptr ss:[esp+1C]00406E08|.C64424 54 07 mov byte ptr ss:[esp+54],700406E0D|.E8 4F0F0200call 
DirWatch.00427D6100406E12|.8D4C24 28lea ecx,dword ptr ss:[esp+28]00406E16|.C64424 54 06 mov byte ptr ss:[esp+54],600406E1B|.E8 410F0200call DirWatch.00427D6100406E20|.8D4C24 3Clea ecx,dword ptr ss:[esp+3C]00406E24|.C64424 54 05 mov byte ptr ss:[esp+54],500406E29|.E8 330F0200call DirWatch.00427D6100406E2E|.8D4C24 34lea ecx,dword ptr ss:[esp+34]00406E32|.C64424 54 04 mov byte ptr ss:[esp+54],400406E37|.E8 250F0200call DirWatch.00427D6100406E3C|.8D4C24 38lea ecx,dword ptr ss:[esp+38]00406E40|.C64424 54 03 mov byte ptr ss:[esp+54],300406E45|.E8 170F0200call DirWatch.00427D6100406E4A|.8D4C24 2Clea ecx,dword ptr ss:[esp+2C]00406E4E|.C64424 54 01 mov byte ptr ss:[esp+54],100406E53|.E8 090F0200call DirWatch.00427D6100406E58|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00406E5C|.C64424 54 00 mov byte ptr ss:[esp+54],000406E61|.E8 FB0E0200call DirWatch.00427D6100406E66|.8D4C24 5Clea ecx,dword ptr ss:[esp+5C]00406E6A|.C74424 54 FFFFFFFF mov dword ptr ss:[esp+54],-100406E72|.E8 EA0E0200call DirWatch.00427D6100406E77|.B8 01000000mov eax,100406E7C|.8B4C24 4Cmov ecx,dword ptr ss:[esp+4C]00406E80|.64:890D 00000000 mov dword ptr fs:[0],ecx00406E87|.5F pop edi00406E88|.5E pop esi00406E89|.5D pop ebp00406E8A|.5B pop ebx00406E8B|.83C4 48add esp,4800406E8E|.C3 retn
继续进关键:00405BE0/$6A FFpush -100405BE2|.68 F1044300push DirWatch.004304F1;SE 句柄安装00405BE7|.64:A1 00000000 mov eax,dword ptr fs:[0]00405BED|.50 push eax00405BEE|.64:8925 00000000 mov dword ptr fs:[0],esp00405BF5|.81EC 4C010000sub esp,14C00405BFB|.53 push ebx00405BFC|.56 push esi00405BFD|.C78424 5C010000 00>mov dword ptr ss:[esp+15C],000405C08|.A1 ECED4300mov eax,dword ptr ds:[43EDEC]00405C0D|.894424 0Cmov dword ptr ss:[esp+C],eax00405C11|.894424 08mov dword ptr ss:[esp+8],eax00405C15|.8D8424 64010000lea eax,dword ptr ss:[esp+164]00405C1C|.68 44E14300push DirWatch.0043E14400405C21|.8D4C24 14lea ecx,dword ptr ss:[esp+14]00405C25|.B3 03mov bl,300405C27|.50 push eax00405C28|.51 push ecx00405C29|.889C24 68010000mov byte ptr ss:[esp+168],bl00405C30|.E8 C1230200call DirWatch.00427FF600405C35|.50 push eax00405C36|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]00405C3A|.C68424 60010000 04 mov byte ptr ss:[esp+160],400405C42|.E8 53220200call DirWatch.00427E9A00405C47|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00405C4B|.889C24 5C010000mov byte ptr ss:[esp+15C],bl00405C52|.E8 0A210200call DirWatch.00427D6100405C57|.8D5424 08lea edx,dword ptr ss:[esp+8]00405C5B|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]00405C5F|.52 push edx00405C60|.E8 35220200call DirWatch.00427E9A00405C65|.68 90E14300push DirWatch.0043E190;ASCII "\*"00405C6A|.8D8C24 68010000lea ecx,dword ptr ss:[esp+168];所有文件00405C71|.E8 C7240200call DirWatch.0042813D00405C76|.8B8C24 64010000mov ecx,dword ptr ss:[esp+164]00405C7D|.8D4424 14lea eax,dword ptr ss:[esp+14]00405C81|.50 push eax; /pFindFileData00405C82|.51 push ecx; |FileName00405C83|.FF15 D4224300call dword ptr ds:[<&KERNEL32.FindFirstFileA>]; \查找第一个文件00405C89|.8BF0 mov esi,eax00405C8B|.83FE FFcmp esi,-100405C8E|.75 69jnz short DirWatch.00405CF900405C90|.50 push eax; /hSearch00405C91|.FF15 E0224300call dword ptr ds:[<&KERNEL32.FindClose>] ; \FindClose00405C97|.8D4C24 08lea ecx,dword ptr ss:[esp+8]00405C9B|.C68424 5C010000 02 mov byte ptr ss:[esp+15C],200405CA3|.E8 B9200200call 
DirWatch.00427D6100405CA8|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]00405CAC|.C68424 5C010000 01 mov byte ptr ss:[esp+15C],100405CB4|.E8 A8200200call DirWatch.00427D6100405CB9|.8D8C24 64010000lea ecx,dword ptr ss:[esp+164]00405CC0|.C68424 5C010000 00 mov byte ptr ss:[esp+15C],000405CC8|.E8 94200200call DirWatch.00427D6100405CCD|.8D8C24 68010000lea ecx,dword ptr ss:[esp+168]00405CD4|.89B424 5C010000mov dword ptr ss:[esp+15C],esi00405CDB|.E8 81200200call DirWatch.00427D6100405CE0|.5E pop esi00405CE1|.33C0 xor eax,eax00405CE3|.5B pop ebx00405CE4|.8B8C24 4C010000mov ecx,dword ptr ss:[esp+14C]00405CEB|.64:890D 00000000 mov dword ptr fs:[0],ecx00405CF2|.81C4 58010000add esp,15800405CF8|.C3 retn00405CF9|>8B1D DC224300mov ebx,dword ptr ds:[<&KERNEL32.FindNextFileA>];继续查找文件00405CFF|.57 push edi;删除指定目录00405D00|.8B3D D8224300mov edi,dword ptr ds:[<&KERNEL32.lstrcmpA>] ;比较字符串00405D06|>8D5424 44/lea edx,dword ptr ss:[esp+44];循环处理,把文件给解出来00405D0A|.68 8CE14300|push DirWatch.0043E18C00405D0F|.52 |push edx00405D10|.FFD7 |call edi00405D12|.85C0 |test eax,eax00405D14|.74 76|je short DirWatch.00405D8C00405D16|.8D4424 44|lea eax,dword ptr ss:[esp+44]00405D1A|.68 88E14300|push DirWatch.0043E188 ;ASCII ".."00405D1F|.50 |push eax00405D20|.FFD7 |call edi00405D22|.85C0 |test eax,eax00405D24|.74 66|je short DirWatch.00405D8C00405D26|.8D4C24 44|lea ecx,dword ptr ss:[esp+44]00405D2A|.51 |push ecx00405D2B|.8D4C24 10|lea ecx,dword ptr ss:[esp+10]00405D2F|.E8 09240200|call DirWatch.0042813D00405D34|.8B5424 0C|mov edx,dword ptr ss:[esp+C]00405D38|.A1 C8114400|mov eax,dword ptr ds:[4411C8]00405D3D|.52 |push edx ; /Arg200405D3E|.50 |push eax ; |Arg1 => 00A5826000405D3F|.E8 47E40000|call DirWatch.0041418B ; \DirWatch.0041418B00405D44|.83C4 08|add esp,800405D47|.85C0 |test eax,eax00405D49|.74 2C|je short DirWatch.00405D7700405D4B|.8D4424 44|lea eax,dword ptr ss:[esp+44]00405D4F|.68 9CE54300|push DirWatch.0043E59C ;ASCII "DirRecycler"00405D54|.50 |push eax00405D55|.FFD7 |call edi00405D57|.85C0 |test 
eax,eax00405D59|.74 1C|je short DirWatch.00405D7700405D5B|.8B8C24 6C010000|mov ecx,dword ptr ss:[esp+16C]00405D62|.8B5424 0C|mov edx,dword ptr ss:[esp+C]00405D66|.51 |push ecx00405D67|.52 |push edx00405D68|.E8 83FDFFFF|call DirWatch.00405AF000405D6D|.83C4 08|add esp,800405D70|.8D4424 10|lea eax,dword ptr ss:[esp+10]00405D74|.50 |push eax00405D75|.EB 05|jmp short DirWatch.00405D7C00405D77|>8D4C24 10|lea ecx,dword ptr ss:[esp+10]00405D7B|.51 |push ecx00405D7C|>8D4C24 10|lea ecx,dword ptr ss:[esp+10]00405D80|.E8 15210200|call DirWatch.00427E9A00405D85|.8D5424 18|lea edx,dword ptr ss:[esp+18]00405D89|.52 |push edx00405D8A|.EB 05|jmp short DirWatch.00405D9100405D8C|>8D4424 18|lea eax,dword ptr ss:[esp+18]00405D90|.50 |push eax00405D91|>56 |push esi00405D92|.FFD3 |call ebx00405D94|.F7D8 |neg eax00405D96|.1BC0 |sbb eax,eax00405D98|.40 |inc eax00405D99|.85C0 |test eax,eax00405D9B|.^ 0F84 65FFFFFF\je DirWatch.00405D0600405DA1|.56 push esi; /解完后,跳出00405DA2|.FF15 E0224300call dword ptr ds:[<&KERNEL32.FindClose>] ; \FindClose00405DA8|.8D4C24 0Clea ecx,dword ptr ss:[esp+C]00405DAC|.C68424 60010000 02 mov byte ptr ss:[esp+160],200405DB4|.E8 A81F0200call DirWatch.00427D6100405DB9|.8D4C24 10lea ecx,dword ptr ss:[esp+10]00405DBD|.C68424 60010000 01 mov byte ptr ss:[esp+160],100405DC5|.E8 971F0200call DirWatch.00427D6100405DCA|.8D8C24 68010000lea ecx,dword ptr ss:[esp+168]00405DD1|.C68424 60010000 00 mov byte ptr ss:[esp+160],000405DD9|.E8 831F0200call DirWatch.00427D6100405DDE|.8D8C24 6C010000lea ecx,dword ptr ss:[esp+16C]00405DE5|.C78424 60010000 FF>mov dword ptr ss:[esp+160],-100405DF0|.E8 6C1F0200call DirWatch.00427D6100405DF5|.8B8C24 58010000mov ecx,dword ptr ss:[esp+158]00405DFC|.5F pop edi00405DFD|.5E pop esi00405DFE|.B8 01000000mov eax,100405E03|.5B pop ebx00405E04|.64:890D 00000000 mov dword ptr fs:[0],ecx00405E0B|.81C4 58010000add esp,15800405E11\.C3 retn
OK, the procedure above pulls all of the encrypted files back out of the system. folder and deletes the information files and folders created during encryption.
Likewise, to summarise:
First delete the desktop.ini file to turn the folder back into an ordinary folder, then delete the other two information files, then extract the encrypted files from the system. folder, then delete the system. and nul folders, and finally delete the DirRecycler folder to restore everything to its original state!
From the encryption and decryption processes above, we can create "encrypted" files by hand ourselves, and we can also recover files encrypted by 文件夹加密狗 without knowing the password:
(1) Encryption:
Create a folder called jiami. yourself, but note that the system actually stores the name as jiami.. while displaying it as jiami.
This cannot be created the normal way; it must be created with a DOS command,
如:MD c:\jiami..\
Then put the files to be encrypted inside. They cannot be accessed the normal way either; a DOS command is needed as well:
copy c:\ximo.exe c:\jiami..\\
This copies the file ximo.exe from the C: drive into the jiami.. folder.
With that, the file counts as "encrypted".
(2) Decrypting files encrypted by 文件夹加密狗:
Following the analysis above, the three steps below suffice (suppose the encrypted folder is C:\ximo):
1) Delete the desktop.ini file: del c:\ximo\DirRecycler\desktop.ini
2) Change the attributes of the newly created encrypted folder DirRecycler: attrib c:\ximo\DirRecycler -h -s
3) Create the system. folder by hand (there is already one dot, and the name the system actually recognises has two, so three dots in total are needed):
md c:\ximo\DirRecycler\system...\
OK, now you can go into the system.. folder yourself and access it.
Copy the files inside out, then delete the useless leftovers; since they normally cannot be deleted, a DOS command is needed again:
rd c:\irRecycler\system..\ /s
OK, and with that the decryption is complete.
This article is for study and analysis only; please forgive any shortcomings.
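Since the "encryption" above is only obscurity (a hidden DirRecycler folder dressed up as the Recycle Bin, with the real files under names Explorer cannot open), the traces are easy to detect. The scanner below is an added example for this write-up, not code from the original post or from the tool: it walks a directory tree and flags a DirRecycler folder, a desktop.ini carrying the Recycle Bin CLSID, and subfolders with a reserved device name (nul) or a trailing dot (system.). The reason codes, function names and the constructed sample tree are my own; the sample is built on a non-Windows filesystem, where such names are ordinary, so it runs anywhere.

```python
import configparser
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CLSID the tool writes into desktop.ini (the string seen in the disassembly).
# It is the Recycle Bin class id, so Explorer draws the folder as a Recycle Bin.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Windows reserved device names. A directory with such a base name can only be
# created or removed through cmd.exe and cannot be opened from Explorer.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Folder the tool creates inside the protected folder (name from the write-up).
MARKER_DIR = "DirRecycler"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str  # reason code, see scan_tree()


def is_reserved_device_name(name: str) -> bool:
    """'nul', 'NUL.' and 'com1.txt' all resolve to a device name on Windows."""
    return name.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES


def has_trailing_dot(name: str) -> bool:
    """Win32 strips trailing dots, so a stored name such as 'system..' is not
    reachable through normal path handling; that is how the files are hidden."""
    return name not in (".", "..") and name.endswith(".")


def desktop_ini_clsid(ini_path: str) -> Optional[str]:
    """Return the CLSID under [.ShellClassInfo] of a desktop.ini, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(ini_path, encoding="utf-8")  # missing file is just skipped
    except (configparser.Error, UnicodeDecodeError):
        return None  # not an ini file at all
    if not parser.has_section(".ShellClassInfo"):
        return None
    clsid = parser.get(".ShellClassInfo", "CLSID", fallback=None)
    return clsid.strip().upper() if clsid else None


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report the traces described in the analysis. Reason codes:
    dirrecycler-marker, recycle-bin-clsid, reserved-device-name, trailing-dot-name."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if d == MARKER_DIR:
                findings.append(Finding(full, "dirrecycler-marker"))
            if is_reserved_device_name(d):
                findings.append(Finding(full, "reserved-device-name"))
            if has_trailing_dot(d):
                findings.append(Finding(full, "trailing-dot-name"))
        for f in filenames:
            if f.lower() != "desktop.ini":
                continue
            # The Recycle Bin CLSID on an ordinary folder is the disguise itself;
            # a desktop.ini that only sets an icon is normal and is not reported.
            if desktop_ini_clsid(os.path.join(dirpath, f)) == RECYCLE_BIN_CLSID:
                findings.append(Finding(dirpath, "recycle-bin-clsid"))
    return findings


def build_sample_tree(base: str) -> None:
    """Constructed sample mirroring the layout the disassembly produces."""
    hidden = os.path.join(base, "ximo", MARKER_DIR)
    os.makedirs(os.path.join(hidden, "nul"))
    # The tool runs 'cmd /c mkdir ...\system.\'; per the write-up the name the
    # file system actually stores carries one more dot than is displayed.
    os.makedirs(os.path.join(hidden, "system.."))
    with open(os.path.join(hidden, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write(f"[.ShellClassInfo]\nCLSID={RECYCLE_BIN_CLSID}\n")
    for name in ("Dir800621.ini", "{djp2006}.mem"):
        open(os.path.join(hidden, name), "w").close()
    clean = os.path.join(base, "docs")  # harmless folder with an icon-only ini
    os.makedirs(clean)
    with open(os.path.join(clean, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it, return (relpath, reason)."""
    base = tempfile.mkdtemp(prefix="dirrecycler-scan-")
    build_sample_tree(base)
    return sorted(
        (os.path.relpath(f.path, base).replace(os.sep, "/"), f.reason)
        for f in scan_tree(base)
    )


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:22} {path}")
```

On a real Windows share the same walk would additionally want the hidden+system attribute bits checked, which this portable version deliberately leaves out.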
---ximo[LCG]