我是用户
Posted on 2013-7-17 16:27
【Software name】: RiskManager
【Author's email】: 2714608453@qq.com
【Download】: http://www.paconsulting.net.au/uploads/setup.exe
【Language】: Delphi
【Tools used】: OD
【Platform】: XP SP2
【Author's statement】: Just out of interest, no other purpose. Please correct any mistakes!
1. Packer check
See Figure 1:
It is Delphi, no doubt about it.
2. Analysis
Step 1:
This program has a 14-day trial period. The 14 days are determined from the creation and modification times of the following three files.
See Figure 2:
So we only need to delete these three files and the usage time is counted afresh, so the program can be used for free.
Step 2:
To skip the time dialog, only one registration flag needs to be modified; whether expired or not, clicking the Try button after the time dialog checks this flag.
Step 3:
Dual-process protection: the main program RiskManager.exe creates RiskManager_xshld4.exe with CreateProcessA and then attaches itself to it as a debugger. The code of RiskManager_xshld4 is incomplete and raises exceptions at run time; RiskManager.exe receives and handles each exception, for example by writing the correct code bytes into it, and then hands execution back to it.
3. Concrete analysis
The code that checks the creation and modification times looks like this:
0047A46F . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-0xCC]
0047A475 . BA FADB9A00 mov edx,RiskMana.009ADBFA
0047A47A . E8 BD9AF8FF call <RiskMana.@@LStrFromPCharLen>
0047A47F . 8D85 E4DDF9FF lea eax,dword ptr ss:[ebp-0x6221C]
0047A485 . E8 06D4FDFF call RiskMana.00457890
0047A48A . FFB5 E4DDF9FF push dword ptr ss:[ebp-0x6221C]
0047A490 . 68 84DA4700 push RiskMana.0047DA84 ; \
0047A495 . FF75 CC push dword ptr ss:[ebp-0x34]
0047A498 . 8D85 ECDDF9FF lea eax,dword ptr ss:[ebp-0x62214]
0047A49E . BA 03000000 mov edx,0x3
0047A4A3 . E8 B09BF8FF call <RiskMana.concat?>
0047A4A8 . 8B85 ECDDF9FF mov eax,dword ptr ss:[ebp-0x62214]
0047A4AE . E8 F9E6F8FF call <RiskMana.@FileAge (get file creation time)>
0047A4B3 . 84C0 test al,al
0047A4B5 . 0F84 A9000000 je RiskMana.0047A564
At this point eax=00EEBA64, (ASCII "C:\Documents and Settings\All Users\Documents\{36c8a1524f83f4dd9c0876c205fb2f73}\RISKMANAGER.LIC")
If it has expired, the following code is entered:
0047A8A3 . 803D 0FDE9A00>cmp byte ptr ds:[0x9ADE0F],0x1 ; value 1 means expired
0047A8AA . 75 6C jnz short RiskMana.0047A918
0047A8AC . A1 3C3D4800 mov eax,dword ptr ds:[0x483D3C]
0047A8B1 . E8 6694F8FF call RiskMana.00403D1C
0047A8B6 . 6A 00 push 0x0 ; /pPreviousCount = NULL
0047A8B8 . 6A 01 push 0x1 ; |ReleaseCount = 0x1
0047A8BA . A1 E8009B00 mov eax,dword ptr ds:[<hSemaphore>] ; |
0047A8BF . 50 push eax ; |hSemaphore = 00000001
0047A8C0 . E8 C7C4F8FF call <RiskMana.ReleaseSemaphore> ; \ReleaseSemaphore
0047A8C5 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0047A8C8 . E8 A3A7FFFF call <RiskMana.show_expired_dialog>
0047A8CD . A1 3C3D4800 mov eax,dword ptr ds:[0x483D3C]
0047A8D2 . 8B00 mov eax,dword ptr ds:[eax]
0047A8D4 . BA 04DE4700 mov edx,<RiskMana.aRegistered_5> ; REGISTERED
0047A8D9 . E8 CA97F8FF call <RiskMana.@@LStrCmp> ; check whether it is the registered flag
0047A8DE . 75 0C jnz short RiskMana.0047A8EC
0047A8E0 . C685 0FFFFFFF>mov byte ptr ss:[ebp-0xF1],0x1 ; registered flag
0047A8E7 . E9 20240000 jmp RiskMana.0047CD0C
Set a breakpoint at 0047A8CD; clicking Try breaks there. NOP out 0047A8DE so that the flag gets assigned.
mov byte ptr ss:[ebp-0xF1],0x1 is our flag.
If it has not expired, the code is as follows:
00474D71 . FF92 CC000000 call dword ptr ds:[edx+0xCC]
00474D77 . E9 97000000 jmp RiskMana.00474E13
00474D7C > 837D C4 00 cmp dword ptr ss:[ebp-0x3C],0x0
00474D80 . 0F8F 8D000000 jg RiskMana.00474E13
00474D86 . 833D 74019B00>cmp dword ptr ds:[0x9B0174],0x0
00474D8D . 0F8F 80000000 jg RiskMana.00474E13
00474D93 . 803D 22E19A00>cmp byte ptr ds:[0x9AE122],0x1
00474D9A . 75 15 jnz short RiskMana.00474DB1
00474D9C . 837D C4 00 cmp dword ptr ss:[ebp-0x3C],0x0
00474DA0 . 75 0F jnz short RiskMana.00474DB1
00474DA2 . A1 4C3C4800 mov eax,dword ptr ds:[0x483C4C]
00474DA7 . 8B00 mov eax,dword ptr ds:[eax]
00474DA9 . 8B10 mov edx,dword ptr ds:[eax]
00474DAB . FF92 CC000000 call dword ptr ds:[edx+0xCC] ; show dialog, not expired
00474DB1 > 803D 09019B00>cmp byte ptr ds:[0x9B0109],0x1 ; value 1 keeps the original dialog
00474DB8 . 75 0F jnz short RiskMana.00474DC9
00474DBA . A1 4C3C4800 mov eax,dword ptr ds:[0x483C4C]
00474DBF . 8B00 mov eax,dword ptr ds:[eax]
00474DC1 . 8B10 mov edx,dword ptr ds:[eax]
00474DC3 . FF92 CC000000 call dword ptr ds:[edx+0xCC]
00474DC9 > 833D A6FF9A00>cmp dword ptr ds:[0x9AFFA6],0x0
00474DD0 . 7E 41 jle short RiskMana.00474E13
If you want to patch it directly without the dialog appearing, the code is as follows:
0047A433 > \833D 23E19A00>cmp dword ptr ds:[0x9AE123],0x3
0047A43A . 75 07 jnz short RiskMana.0047A443
0047A43C . C605 F8009B00>mov byte ptr ds:[0x9B00F8],0x1
0047A443 > 833D 23E19A00>cmp dword ptr ds:[0x9AE123],0x4
0047A44A . 75 16 jnz short RiskMana.0047A462
0047A44C . C685 0FFFFFFF>mov byte ptr ss:[ebp-0xF1],0x1
0047A453 . C705 23E19A00>mov dword ptr ds:[0x9AE123],0x1
0047A45D . E9 AA280000 jmp RiskMana.0047CD0C
0047A462 > 833D A2FE9A00>cmp dword ptr ds:[0x9AFEA2],0x1
0047A469 . 0F84 F5000000 je RiskMana.0047A564
0047A46F . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-0xCC]
0047A475 . BA FADB9A00 mov edx,RiskMana.009ADBFA
0047A47A . E8 BD9AF8FF call <RiskMana.@@LStrFromPCharLen>
0047A47F . 8D85 E4DDF9FF lea eax,dword ptr ss:[ebp-0x6221C]
NOP out the jnz at 0047A44A . /75 16 jnz short RiskMana.0047A462.
This is only a brief analysis. This code section is very long and tedious, and I traced it for a long time. It is in Form.Show; in fact the checks on the creation time and the writing of registration information take a very long code section, interspersed with MD5 and SHA1 algorithms. Interested readers can trace it themselves.
4. About the dual process
After all the above checks succeed, it begins to create the process. The code is as follows:
00476CFE . 50 push eax ; |CommandLine = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00476CFF . 6A 00 push 0x0 ; |ModuleFileName = NULL
00476D01 . E8 36FEF8FF call <RiskMana.CreateProcessA> ; \CreateProcessA
00476D06 > 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
00476D0C . A3 D0DA9A00 mov dword ptr ds:[0x9ADAD0],eax
00476D11 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90]
00476D17 . A3 F4009B00 mov dword ptr ds:[0x9B00F4],eax
00476D1C . 6A 01 push 0x1 ; /Level = SLE_ERROR
00476D1E . E8 B107F9FF call <RiskMana.SetDebugErrorLevel> ; \SetDebugErrorLevel
00476D23 . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
00476D29 . 33D2 xor edx,edx
00476D2B . 52 push edx
00476D2C . 50 push eax
00476D2D . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
00476D33 . E8 B01CF9FF call <RiskMana.to_decimal> ; convert the newly created process ID to decimal
00476D38 . 8B95 20E2F9FF mov edx,dword ptr ss:[ebp-0x61DE0]
00476D3E . 8B0D 3C3D4800 mov ecx,dword ptr ds:[0x483D3C] ; RiskMana.00484888
00476D44 . 8B09 mov ecx,dword ptr ds:[ecx]
00476D46 . B8 C4009B00 mov eax,RiskMana.009B00C4
00476D4B . E8 94D2F8FF call <RiskMana.@@LStrCat3>
00476D50 . A1 C4009B00 mov eax,dword ptr ds:[0x9B00C4]
00476D55 . E8 02D4F8FF call <RiskMana.@@LStrToPChar>
00476D5A . 50 push eax ; /MutexName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00476D5B . 6A 01 push 0x1 ; |InitialOwner = TRUE
00476D5D . 6A 00 push 0x0 ; |pSecurity = NULL
00476D5F . E8 D0FDF8FF call <RiskMana.CreateMutexA> ; \CreateMutexA
00476D64 . A3 C0009B00 mov dword ptr ds:[<hMutex>],eax ; create mutex object
00476D69 . 6A 40 push 0x40
00476D6B . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00476D6E . 8B48 2C mov ecx,dword ptr ds:[eax+0x2C]
00476D71 . B2 01 mov dl,0x1
00476D73 . A1 8CF34000 mov eax,dword ptr ds:[0x40F38C] ; 伢@
00476D78 . E8 3BB8F9FF call <RiskMana.unknown_libname_205>
00476D7D . 8945 E0 mov dword ptr ss:[ebp-0x20],eax
00476D80 . 8D95 D0FEFFFF lea edx,dword ptr ss:[ebp-0x130]
00476D86 . B9 40000000 mov ecx,0x40
00476D8B . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476D8E . 8B18 mov ebx,dword ptr ds:[eax]
00476D90 . FF53 04 call dword ptr ds:[ebx+0x4]
00476D93 . 33C9 xor ecx,ecx
00476D95 . 8B95 0CFFFFFF mov edx,dword ptr ss:[ebp-0xF4]
00476D9B . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476D9E . 8B18 mov ebx,dword ptr ds:[eax]
00476DA0 . FF53 0C call dword ptr ds:[ebx+0xC]
00476DA3 . 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
00476DA6 . B9 04000000 mov ecx,0x4
00476DAB . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476DAE . 8B18 mov ebx,dword ptr ds:[eax]
00476DB0 . FF53 04 call dword ptr ds:[ebx+0x4]
00476DB3 . 8D95 BCFEFFFF lea edx,dword ptr ss:[ebp-0x144]
00476DB9 . B9 14000000 mov ecx,0x14
00476DBE . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476DC1 . 8B18 mov ebx,dword ptr ds:[eax]
00476DC3 . FF53 04 call dword ptr ds:[ebx+0x4]
00476DC6 . 8D95 34E3F9FF lea edx,dword ptr ss:[ebp-0x61CCC]
00476DCC . B9 28000000 mov ecx,0x28
00476DD1 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476DD4 . 8B18 mov ebx,dword ptr ds:[eax]
00476DD6 . FF53 04 call dword ptr ds:[ebx+0x4]
00476DD9 . 8D95 5CE3F9FF lea edx,dword ptr ss:[ebp-0x61CA4]
00476DDF . B9 601B0600 mov ecx,0x61B60
00476DE4 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476DE7 . 8B18 mov ebx,dword ptr ds:[eax]
00476DE9 . FF53 04 call dword ptr ds:[ebx+0x4]
00476DEC . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00476DEF . 8D0480 lea eax,dword ptr ds:[eax+eax*4]
00476DF2 . 8B84C5 20E4F9>mov eax,dword ptr ss:[ebp+eax*8-0x61BE0]
00476DF9 . A3 BC009B00 mov dword ptr ds:[0x9B00BC],eax
00476DFE . 8D95 F4E2F9FF lea edx,dword ptr ss:[ebp-0x61D0C]
00476E04 . B9 40000000 mov ecx,0x40
00476E09 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476E0C . 8B18 mov ebx,dword ptr ds:[eax]
00476E0E . FF53 04 call dword ptr ds:[ebx+0x4]
00476E11 . 33C9 xor ecx,ecx
00476E13 . 8B95 0CFFFFFF mov edx,dword ptr ss:[ebp-0xF4]
00476E19 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476E1C . 8B18 mov ebx,dword ptr ds:[eax]
00476E1E . FF53 0C call dword ptr ds:[ebx+0xC]
00476E21 . BA 40BE9400 mov edx,RiskMana.0094BE40
00476E26 . B9 781B0600 mov ecx,0x61B78
00476E2B . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476E2E . 8B18 mov ebx,dword ptr ds:[eax]
00476E30 . FF53 04 call dword ptr ds:[ebx+0x4]
00476E33 . A1 68BE9400 mov eax,dword ptr ds:[0x94BE68]
00476E38 . A3 B8D99A00 mov dword ptr ds:[0x9AD9B8],eax
00476E3D . A1 74BE9400 mov eax,dword ptr ds:[0x94BE74]
00476E42 . A3 C8DA9A00 mov dword ptr ds:[0x9ADAC8],eax
00476E47 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; RiskMana.00403842
00476E4A . E8 A9C2F8FF call RiskMana.004030F8
00476E4F . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90]
00476E55 . A3 3CBE9400 mov dword ptr ds:[0x94BE3C],eax
00476E5A . A1 C8DA9A00 mov eax,dword ptr ds:[0x9ADAC8]
00476E5F . 0305 BC009B00 add eax,dword ptr ds:[0x9B00BC]
00476E65 . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
00476E68 . 803D D8DA9A00>cmp byte ptr ds:[0x9ADAD8],0x1
00476E6F . 75 0E jnz short RiskMana.00476E7F
00476E71 . A1 C8DA9A00 mov eax,dword ptr ds:[0x9ADAC8]
00476E76 . 0305 B8D99A00 add eax,dword ptr ds:[0x9AD9B8]
00476E7C . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
00476E7F > 8B15 E83C4800 mov edx,dword ptr ds:[0x483CE8] ; tHH
00476E85 . 8B12 mov edx,dword ptr ds:[edx]
00476E87 . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
00476E8D . B9 C0754700 mov ecx,<RiskMana.aLicense_4> ; license
00476E92 . E8 4DD1F8FF call <RiskMana.@@LStrCat3>
00476E97 . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
00476E9D . E8 0A1DF9FF call <RiskMana.@FileAge (get file creation time)>
00476EA2 . 84C0 test al,al
00476EA4 . 74 23 je short RiskMana.00476EC9
00476EA6 . 8B15 E83C4800 mov edx,dword ptr ds:[0x483CE8] ; tHH
00476EAC . 8B12 mov edx,dword ptr ds:[edx]
00476EAE . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
00476EB4 . B9 C0754700 mov ecx,<RiskMana.aLicense_4> ; license
00476EB9 . E8 26D1F8FF call <RiskMana.@@LStrCat3>
00476EBE . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
00476EC4 . E8 BF1EF9FF call <RiskMana.delete_file>
00476EC9 > 8B15 E83C4800 mov edx,dword ptr ds:[0x483CE8] ; tHH
00476ECF . 8B12 mov edx,dword ptr ds:[edx]
00476ED1 . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
00476ED7 . B9 D0754700 mov ecx,<RiskMana.aVlicense_0> ; vlicense
00476EDC . E8 03D1F8FF call <RiskMana.@@LStrCat3>
00476EE1 . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
00476EE7 . E8 C01CF9FF call <RiskMana.@FileAge (get file creation time)>
00476EEC . 84C0 test al,al
00476EEE . 74 23 je short RiskMana.00476F13
00476EF0 . 8B15 E83C4800 mov edx,dword ptr ds:[0x483CE8] ; tHH
00476EF6 . 8B12 mov edx,dword ptr ds:[edx]
00476EF8 . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
00476EFE . B9 D0754700 mov ecx,<RiskMana.aVlicense_0> ; vlicense
00476F03 . E8 DCD0F8FF call <RiskMana.@@LStrCat3>
00476F08 . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
00476F0E . E8 751EF9FF call <RiskMana.delete_file>
00476F13 > 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00476F16 . 50 push eax ; /pOldProtect = 00ED5064
00476F17 . 6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00476F19 . A1 D4DA9A00 mov eax,dword ptr ds:[<dwSize>] ; |
00476F1E . 50 push eax ; |Size = ED5064 (15552612.)
00476F1F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; |RiskMana.00400000
00476F22 . 50 push eax ; |Address = 00ED5064
00476F23 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00476F29 . 50 push eax ; |hProcess = 00ED5064
00476F2A . E8 EDFEF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
00476F2F . A1 6C3E4800 mov eax,dword ptr ds:[0x483E6C]
00476F34 . C600 00 mov byte ptr ds:[eax],0x0
00476F37 > C645 FB 00 mov byte ptr ss:[ebp-0x5],0x0
00476F3B . A1 6C3E4800 mov eax,dword ptr ds:[0x483E6C]
00476F40 . 8038 00 cmp byte ptr ds:[eax],0x0
00476F43 . 75 0E jnz short RiskMana.00476F53
00476F45 . 6A FF push -0x1 ; /Timeout = INFINITE
00476F47 . 8D85 10FFFFFF lea eax,dword ptr ss:[ebp-0xF0] ; |
00476F4D . 50 push eax ; |pDebugEvent = 00ED5064
00476F4E . E8 D9FEF8FF call <RiskMana.WaitForDebugEvent> ; \WaitForDebugEvent
00476F53 > A1 6C3E4800 mov eax,dword ptr ds:[0x483E6C]
00476F58 . 8038 01 cmp byte ptr ds:[eax],0x1
00476F5B . 75 0E jnz short RiskMana.00476F6B
00476F5D . 6A 64 push 0x64 ; /Timeout = 100. ms
00476F5F . 8D85 10FFFFFF lea eax,dword ptr ss:[ebp-0xF0] ; |
00476F65 . 50 push eax ; |pDebugEvent = 00ED5064
00476F66 . E8 C1FEF8FF call <RiskMana.WaitForDebugEvent> ; \WaitForDebugEvent
00476F6B > 8B85 10FFFFFF mov eax,dword ptr ss:[ebp-0xF0]
00476F71 . 48 dec eax ; Switch (cases 1..5)
00476F72 . 0F84 87000000 je RiskMana.00476FFF
00476F78 . 83E8 02 sub eax,0x2
00476F7B . 74 0E je short RiskMana.00476F8B
00476F7D . 83E8 02 sub eax,0x2
00476F80 . 0F84 E1030000 je RiskMana.00477367
00476F86 . E9 0B050000 jmp RiskMana.00477496
00476F8B > 837D DC 00 cmp dword ptr ss:[ebp-0x24],0x0 ; Case 3 of switch 00476F71
00476F8F . 0F85 01050000 jnz RiskMana.00477496
00476F95 . C745 DC 01000>mov dword ptr ss:[ebp-0x24],0x1
00476F9C . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
00476FA2 . 50 push eax ; /ProcessId = 0xED5064
00476FA3 . E8 ACFBF8FF call <RiskMana.DebugActiveProcess> ; \DebugActiveProcess
00476FA8 . F7D8 neg eax ; attach itself as the debugger
00476FAA . 1BC0 sbb eax,eax
00476FAC . F7D8 neg eax
00476FAE . 8845 FA mov byte ptr ss:[ebp-0x6],al
00476FB1 . 803D D8DA9A00>cmp byte ptr ds:[0x9ADAD8],0x0 ; 1
00476FB8 . 0F85 D8040000 jnz RiskMana.00477496
00476FBE . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00476FC4 . 50 push eax ; /hThread = 00ED5064
00476FC5 . E8 32FEF8FF call <RiskMana.SuspendThread> ; \SuspendThread
00476FCA . 8D45 EC lea eax,dword ptr ss:[ebp-0x14] ; suspend thread execution
00476FCD . 50 push eax ; /pBytesWritten = 00ED5064
00476FCE . A1 D4DA9A00 mov eax,dword ptr ds:[<dwSize>] ; |
00476FD3 . 50 push eax ; |BytesToWrite = ED5064 (15552612.)
00476FD4 . 68 E04B4800 push RiskMana.00484BE0 ; |Buffer = RiskMana.00484BE0
00476FD9 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; |RiskMana.00400000
00476FDC . 50 push eax ; |Address = 0xED5064
00476FDD . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00476FE3 . 50 push eax ; |hProcess = 00ED5064
00476FE4 . E8 63FEF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
00476FE9 . E8 D25FF9FF call <RiskMana.unknown_libname_186> ; write data
00476FEE . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00476FF4 . 50 push eax ; /hThread = 00ED5064
00476FF5 . E8 9AFDF8FF call <RiskMana.ResumeThread> ; \ResumeThread
00476FFA . E9 97040000 jmp RiskMana.00477496 ; resume thread
00476FFF > 8B85 1CFFFFFF mov eax,dword ptr ss:[ebp-0xE4] ; Case 1 of switch 00476F71
00477005 . 2D 03000080 sub eax,0x80000003
0047700A . 0F85 4E030000 jnz RiskMana.0047735E
00477010 . 6A 7B push 0x7B ; /Key = VK_F12
00477012 . E8 ED01F9FF call <RiskMana.GetAsyncKeyState> ; \GetAsyncKeyState
00477017 . 66:85C0 test ax,ax
0047701A . 0F8C C4020000 jl RiskMana.004772E4
00477020 . FF05 CC009B00 inc dword ptr ds:[0x9B00CC]
00477026 . 833D CC009B00>cmp dword ptr ds:[0x9B00CC],0x1
0047702D . 0F8E B1020000 jle RiskMana.004772E4
00477033 . C705 CC009B00>mov dword ptr ds:[0x9B00CC],0x2
0047703D . 803D 30BE9400>cmp byte ptr ds:[0x94BE30],0x1
00477044 . 0F85 97000000 jnz RiskMana.004770E1
0047704A . C605 30BE9400>mov byte ptr ds:[0x94BE30],0x0
00477051 . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00477057 . 50 push eax ; /hThread = 00ED5064
00477058 . E8 9FFDF8FF call <RiskMana.SuspendThread> ; \SuspendThread
0047705D . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00477060 . 50 push eax ; /pOldProtect = 00ED5064
00477061 . 6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00477063 . 68 00100000 push 0x1000 ; |Size = 1000 (4096.)
00477068 . A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
0047706D . 50 push eax ; |Address = 00ED5064
0047706E . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477074 . 50 push eax ; |hProcess = 00ED5064
00477075 . E8 A2FDF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
0047707A . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0047707D . 50 push eax ; /pBytesWritten = 00ED5064
0047707E . A1 34BE9400 mov eax,dword ptr ds:[<nSize>] ; |
00477083 . 50 push eax ; |BytesToWrite = ED5064 (15552612.)
00477084 . 68 A8AA9400 push RiskMana.0094AAA8 ; |Buffer = RiskMana.0094AAA8
00477089 . A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
0047708E . 50 push eax ; |Address = 0xED5064
0047708F . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477095 . 50 push eax ; |hProcess = 00ED5064
00477096 . E8 B1FDF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
0047709B . E8 205FF9FF call <RiskMana.unknown_libname_186>
004770A0 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; RiskMana.00402486
004770A3 . 50 push eax ; /RegionSize = 0xED5064
004770A4 . A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
004770A9 . 50 push eax ; |RegionBase = 00ED5064
004770AA . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
004770B0 . 50 push eax ; |hProcess = 00ED5064
004770B1 . E8 0EFBF8FF call <RiskMana.FlushInstructionCache> ; \FlushInstructionCache
004770B6 . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
004770B9 . 50 push eax ; /pOldProtect = 00ED5064
004770BA . 8B45 CC mov eax,dword ptr ss:[ebp-0x34] ; |
004770BD . 50 push eax ; |NewProtect = PAGE_READWRITE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|MEM_COMMIT|MEM_DECOMMIT|MEM_FREE|MEM_MAPPED|SEC_FILE|680000
004770BE . 68 00100000 push 0x1000 ; |Size = 1000 (4096.)
004770C3 . A1 38BE9400 mov eax,dword ptr ds:[<lpAddress>] ; |
004770C8 . 50 push eax ; |Address = 00ED5064
004770C9 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
004770CF . 50 push eax ; |hProcess = 00ED5064
004770D0 . E8 47FDF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
004770D5 . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
004770DB . 50 push eax ; /hThread = 00ED5064
004770DC . E8 B3FCF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004770E1 > C785 28E2F9FF>mov dword ptr ss:[ebp-0x61DD8],0x10001
004770EB . 8D85 28E2F9FF lea eax,dword ptr ss:[ebp-0x61DD8]
004770F1 . 50 push eax ; /pContext = 00ED5064
004770F2 . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C] ; |
004770F8 . 50 push eax ; |hThread = 00ED5064
004770F9 . E8 8EFBF8FF call <RiskMana.GetThreadContext> ; \GetThreadContext
004770FE . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
00477104 . 50 push eax ; /hThread = 00ED5064
00477105 . E8 F2FCF8FF call <RiskMana.SuspendThread> ; \SuspendThread
0047710A . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
0047710D . 50 push eax ; /pOldProtect = 00ED5064
0047710E . 6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00477110 . 68 00100000 push 0x1000 ; |Size = 1000 (4096.)
00477115 . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
0047711B . 48 dec eax ; |
0047711C . 50 push eax ; |Address = 00ED5064
0047711D . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477123 . 50 push eax ; |hProcess = 00ED5064
00477124 . E8 F3FCF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
00477129 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
0047712C . 50 push eax ; /pBytesRead = 00ED5064
0047712D . 68 00100000 push 0x1000 ; |BytesToRead = 1000 (4096.)
00477132 . 68 20979400 push RiskMana.00949720 ; |Buffer = RiskMana.00949720
00477137 . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
0047713D . 48 dec eax ; |
0047713E . 50 push eax ; |pBaseAddress = 0xED5064
0047713F . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477145 . 50 push eax ; |hProcess = 00ED5064
00477146 . E8 31FCF8FF call <RiskMana.ReadProcessMemory> ; \ReadProcessMemory
0047714B . E8 705EF9FF call <RiskMana.unknown_libname_186>
00477150 . 68 34BE9400 push offset <RiskMana.nSize> ; /pBytesRead = offset <RiskMana.nSize>
00477155 . 68 00100000 push 0x1000 ; |BytesToRead = 1000 (4096.)
0047715A . 68 A8AA9400 push RiskMana.0094AAA8 ; |Buffer = RiskMana.0094AAA8
0047715F . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
00477165 . 48 dec eax ; |
00477166 . 50 push eax ; |pBaseAddress = 0xED5064
00477167 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
0047716D . 50 push eax ; |hProcess = 00ED5064
0047716E . E8 09FCF8FF call <RiskMana.ReadProcessMemory> ; \ReadProcessMemory
00477173 . E8 485EF9FF call <RiskMana.unknown_libname_186>
00477178 . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20]
0047717E . 48 dec eax
0047717F . A3 38BE9400 mov dword ptr ds:[<lpAddress>],eax
00477184 . 803D 20979400>cmp byte ptr ds:[0x949720],0xCC
0047718B . 75 15 jnz short RiskMana.004771A2
0047718D . 803D 21979400>cmp byte ptr ds:[0x949721],0x3
00477194 . 74 0C je short RiskMana.004771A2
00477196 . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
0047719C . 50 push eax ; /hThread = 00ED5064
0047719D . E8 F2FBF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004771A2 > 803D 20979400>cmp byte ptr ds:[0x949720],0xCC
004771A9 . 0F85 35010000 jnz RiskMana.004772E4
004771AF . 803D 21979400>cmp byte ptr ds:[0x949721],0x3
004771B6 . 0F85 28010000 jnz RiskMana.004772E4
004771BC . 803D 22979400>cmp byte ptr ds:[0x949722],0xD6
004771C3 . 0F85 1B010000 jnz RiskMana.004772E4
004771C9 . 803D 23979400>cmp byte ptr ds:[0x949723],0xD7
004771D0 . 0F85 0E010000 jnz RiskMana.004772E4
004771D6 . C745 D8 06000>mov dword ptr ss:[ebp-0x28],0x6
004771DD > 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; RiskMana.00402485
004771E0 . 80B8 1F979400>cmp byte ptr ds:[eax+0x94971F],0xEB
004771E7 . 75 24 jnz short RiskMana.0047720D
004771E9 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; RiskMana.00402485
004771EC . 80B8 20979400>cmp byte ptr ds:[eax+0x949720],0x3
004771F3 . 75 18 jnz short RiskMana.0047720D
004771F5 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; RiskMana.00402485
004771F8 . 80B8 21979400>cmp byte ptr ds:[eax+0x949721],0xD6
004771FF . 75 0C jnz short RiskMana.0047720D
00477201 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; RiskMana.00402485
00477204 . 80B8 22979400>cmp byte ptr ds:[eax+0x949722],0xD7
0047720B . 74 0C je short RiskMana.00477219
0047720D > FF45 D8 inc dword ptr ss:[ebp-0x28] ; RiskMana.00402485
00477210 . 817D D8 01100>cmp dword ptr ss:[ebp-0x28],0x1001
00477217 .^ 75 C4 jnz short RiskMana.004771DD
00477219 > C605 20979400>mov byte ptr ds:[0x949720],0xEB
00477220 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; RiskMana.00402485
00477223 . 48 dec eax
00477224 . 83E8 06 sub eax,0x6
00477227 . 7C 30 jl short RiskMana.00477259
00477229 . 40 inc eax
0047722A . 8945 C8 mov dword ptr ss:[ebp-0x38],eax
0047722D . C745 D4 06000>mov dword ptr ss:[ebp-0x2C],0x6
00477234 > 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
00477237 . 0FB680 1F9794>movzx eax,byte ptr ds:[eax+0x94971F]
0047723E . 8945 D0 mov dword ptr ss:[ebp-0x30],eax
00477241 . 8375 D0 02 xor dword ptr ss:[ebp-0x30],0x2
00477245 . 8A45 D0 mov al,byte ptr ss:[ebp-0x30]
00477248 . 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
0047724B . 8882 1F979400 mov byte ptr ds:[edx+0x94971F],al
00477251 . FF45 D4 inc dword ptr ss:[ebp-0x2C]
00477254 . FF4D C8 dec dword ptr ss:[ebp-0x38]
00477257 .^ 75 DB jnz short RiskMana.00477234
00477259 > 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0047725C . 50 push eax ; /pBytesWritten = 00ED5064
0047725D . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; |
00477260 . 50 push eax ; |BytesToWrite = ED5064 (15552612.)
00477261 . 68 20979400 push RiskMana.00949720 ; |Buffer = RiskMana.00949720
00477266 . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
0047726C . 48 dec eax ; |
0047726D . 50 push eax ; |Address = 0xED5064
0047726E . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477274 . 50 push eax ; |hProcess = 00ED5064
00477275 . E8 D2FBF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
0047727A . E8 415DF9FF call <RiskMana.unknown_libname_186>
0047727F . FF8D E0E2F9FF dec dword ptr ss:[ebp-0x61D20]
00477285 . 8D85 28E2F9FF lea eax,dword ptr ss:[ebp-0x61DD8]
0047728B . 50 push eax ; /pContext = 00ED5064
0047728C . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C] ; |
00477292 . 50 push eax ; |hThread = 00ED5064
00477293 . E8 44FBF8FF call <RiskMana.SetThreadContext> ; \SetThreadContext
00477298 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; RiskMana.00402486
0047729B . 50 push eax ; /RegionSize = 0xED5064
0047729C . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
004772A2 . 48 dec eax ; |
004772A3 . 50 push eax ; |RegionBase = 00ED5064
004772A4 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
004772AA . 50 push eax ; |hProcess = 00ED5064
004772AB . E8 14F9F8FF call <RiskMana.FlushInstructionCache> ; \FlushInstructionCache
004772B0 . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
004772B3 . 50 push eax ; /pOldProtect = 00ED5064
004772B4 . 8B45 CC mov eax,dword ptr ss:[ebp-0x34] ; |
004772B7 . 50 push eax ; |NewProtect = PAGE_READWRITE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|MEM_COMMIT|MEM_DECOMMIT|MEM_FREE|MEM_MAPPED|SEC_FILE|680000
004772B8 . 68 00100000 push 0x1000 ; |Size = 1000 (4096.)
004772BD . 8B85 E0E2F9FF mov eax,dword ptr ss:[ebp-0x61D20] ; |
004772C3 . 48 dec eax ; |
004772C4 . 50 push eax ; |Address = 00ED5064
004772C5 . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
004772CB . 50 push eax ; |hProcess = 00ED5064
004772CC . E8 4BFBF8FF call <RiskMana.VirtualProtectEx> ; \VirtualProtectEx
004772D1 . 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
004772D7 . 50 push eax ; /hThread = 00ED5064
004772D8 . E8 B7FAF8FF call <RiskMana.ResumeThread> ; \ResumeThread
004772DD . C605 30BE9400>mov byte ptr ds:[0x94BE30],0x1
004772E4 > 803D D8DA9A00>cmp byte ptr ds:[0x9ADAD8],0x1
004772EB . 75 20 jnz short RiskMana.0047730D
004772ED . 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004772F0 . 50 push eax ; /pBytesWritten = 00ED5064
004772F1 . 6A 04 push 0x4 ; |BytesToWrite = 0x4
004772F3 . 68 E04B4800 push RiskMana.00484BE0 ; |Buffer = RiskMana.00484BE0
004772F8 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; |RiskMana.00400000
004772FB . 50 push eax ; |Address = 0xED5064
004772FC . 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-0x90] ; |
00477302 . 50 push eax ; |hProcess = 00ED5064
00477303 . E8 44FBF8FF call <RiskMana.WriteProcessMemory> ; \WriteProcessMemory
00477308 . E8 B35CF9FF call <RiskMana.unknown_libname_186>
0047730D > 833D CC009B00>cmp dword ptr ds:[0x9B00CC],0x1
00477314 . 75 09 jnz short RiskMana.0047731F
00477316 . 803D F8009B00>cmp byte ptr ds:[0x9B00F8],0x0
0047731D . 75 04 jnz short RiskMana.00477323
0047731F > 33C0 xor eax,eax
00477321 . EB 02 jmp short RiskMana.00477325
00477323 > B0 01 mov al,0x1
00477325 > 84C0 test al,al
00477327 . 75 15 jnz short RiskMana.0047733E
00477329 . A1 D84B4800 mov eax,dword ptr ds:[0x484BD8]
0047732E . 8B80 C4020000 mov eax,dword ptr ds:[eax+0x2C4]
00477334 . BA B80B0000 mov edx,0xBB8
00477339 . E8 1A26FEFF call <RiskMana.@THTMLTableAttributes@Set>
0047733E > 803D F8009B00>cmp byte ptr ds:[0x9B00F8],0x1
00477345 . 75 17 jnz short RiskMana.0047735E
00477347 . A1 D84B4800 mov eax,dword ptr ds:[0x484BD8]
0047734C . 8078 47 01 cmp byte ptr ds:[eax+0x47],0x1
00477350 . 75 0C jnz short RiskMana.0047735E
00477352 . 33D2 xor edx,edx
00477354 . A1 D84B4800 mov eax,dword ptr ds:[0x484BD8]
00477359 . E8 DE9BFCFF call RiskMana.00440F3C
0047735E > C645 FB 01 mov byte ptr ss:[ebp-0x5],0x1
00477362 . E9 2F010000 jmp RiskMana.00477496
00477367 > 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-0xEC] ; Case 5 of switch 00476F71
0047736D . 3B85 78FFFFFF cmp eax,dword ptr ss:[ebp-0x88]
00477373 . 0F85 1D010000 jnz RiskMana.00477496
00477379 . A1 7C019B00 mov eax,dword ptr ds:[<lpNewFileName>]
0047737E . E8 11C5FFFF call RiskMana.00473894
00477383 . 84C0 test al,al
00477385 . 0F84 D1000000 je RiskMana.0047745C
0047738B . 33C0 xor eax,eax
0047738D . 55 push ebp
0047738E . 68 52744700 push RiskMana.00477452
00477393 . 64:FF30 push dword ptr fs:[eax]
00477396 . 64:8920 mov dword ptr fs:[eax],esp
00477399 . 6A 00 push 0x0
0047739B . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
004773A1 . B9 E4754700 mov ecx,RiskMana.004775E4 ; \netctrl.ini
004773A6 . 8B15 7C019B00 mov edx,dword ptr ds:[<lpNewFileName>]
004773AC . E8 33CCF8FF call <RiskMana.@@LStrCat3>
004773B1 . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
004773B7 . E8 A0CDF8FF call <RiskMana.@@LStrToPChar>
004773BC . 50 push eax
004773BD . 8B15 243F4800 mov edx,dword ptr ds:[0x483F24] ; RiskMana.004848A0
004773C3 . 8B12 mov edx,dword ptr ds:[edx]
004773C5 . 8D85 1CE2F9FF lea eax,dword ptr ss:[ebp-0x61DE4]
004773CB . B9 E4754700 mov ecx,RiskMana.004775E4 ; \netctrl.ini
004773D0 . E8 0FCCF8FF call <RiskMana.@@LStrCat3>
004773D5 . 8B85 1CE2F9FF mov eax,dword ptr ss:[ebp-0x61DE4]
004773DB . E8 7CCDF8FF call <RiskMana.@@LStrToPChar>
004773E0 . 50 push eax ; |ExistingFileName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
004773E1 . E8 36F7F8FF call <RiskMana.CopyFileA> ; \CopyFileA
004773E6 . 6A 00 push 0x0
004773E8 . FF35 7C019B00 push dword ptr ds:[<lpNewFileName>]
004773EE . 68 FC754700 push RiskMana.004775FC ; \
004773F3 . FF35 80019B00 push dword ptr ds:[0x9B0180] ; T项
004773F9 . 8D85 20E2F9FF lea eax,dword ptr ss:[ebp-0x61DE0]
004773FF . BA 03000000 mov edx,0x3
00477404 . E8 4FCCF8FF call <RiskMana.concat?>
00477409 . 8B85 20E2F9FF mov eax,dword ptr ss:[ebp-0x61DE0]
0047740F . E8 48CDF8FF call <RiskMana.@@LStrToPChar>
00477414 . 50 push eax
00477415 . A1 243F4800 mov eax,dword ptr ds:[0x483F24]
0047741A . FF30 push dword ptr ds:[eax]
0047741C . 68 FC754700 push RiskMana.004775FC ; \
00477421 . FF35 80019B00 push dword ptr ds:[0x9B0180] ; T项
00477427 . 8D85 1CE2F9FF lea eax,dword ptr ss:[ebp-0x61DE4]
0047742D . BA 03000000 mov edx,0x3
00477432 . E8 21CCF8FF call <RiskMana.concat?>
00477437 . 8B85 1CE2F9FF mov eax,dword ptr ss:[ebp-0x61DE4]
0047743D . E8 1ACDF8FF call <RiskMana.@@LStrToPChar>
00477442 . 50 push eax ; |ExistingFileName = "E:\JBL Risk Manager\RiskManager_xshld4.exe "
00477443 . E8 D4F6F8FF call <RiskMana.CopyFileA> ; \CopyFileA
00477448 . 33C0 xor eax,eax
0047744A . 5A pop edx
0047744B . 59 pop ecx
0047744C . 59 pop ecx
0047744D . 64:8910 mov dword ptr fs:[eax],edx
00477450 . EB 0A jmp short RiskMana.0047745C
00477452 .^ E9 F9C0F8FF jmp RiskMana.00403550
00477457 . E8 A4C3F8FF call <RiskMana.@@DoneExcept>
0047745C > A1 6C3E4800 mov eax,dword ptr ds:[0x483E6C]
00477461 . C600 01 mov byte ptr ds:[eax],0x1
00477464 . 833D C0009B00>cmp dword ptr ds:[<hMutex>],0x0
0047746B . 76 0B jbe short RiskMana.00477478
0047746D . A1 C0009B00 mov eax,dword ptr ds:[<hMutex>]
00477472 . 50 push eax ; /hMutex = 00ED5064
00477473 . E8 0CF9F8FF call <RiskMana.ReleaseMutex> ; \ReleaseMutex
00477478 > 803D F8009B00>cmp byte ptr ds:[0x9B00F8],0x1
0047747F . 75 15 jnz short RiskMana.00477496
00477481 . A1 D84B4800 mov eax,dword ptr ds:[0x484BD8]
00477486 . 8B80 C4020000 mov eax,dword ptr ds:[eax+0x2C4]
0047748C . BA 64000000 mov edx,0x64
00477491 . E8 C224FEFF call <RiskMana.@THTMLTableAttributes@Set>
00477496 > 807D FB 00 cmp byte ptr ss:[ebp-0x5],0x0 ; Default case of switch 00476F71
0047749A . 74 50 je short RiskMana.004774EC
0047749C . 81BD 1CFFFFFF>cmp dword ptr ss:[ebp-0xE4],0x80000003
004774A6 . 75 22 jnz short RiskMana.004774CA
004774A8 . 68 02000100 push 0x10002 ; /ContinueStatus = DBG_CONTINUE
004774AD . 8B85 18FFFFFF mov eax,dword ptr ss:[ebp-0xE8] ; |
004774B3 . 50 push eax ; |ThreadId = 0xED5064
004774B4 . 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-0xEC] ; |
004774BA . 50 push eax ; |ProcessId = 0xED5064
004774BB . E8 54F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
004774C0 . E8 FB5AF9FF call <RiskMana.unknown_libname_186>
004774C5 .^ E9 6DFAFFFF jmp RiskMana.00476F37
004774CA > 68 01000180 push 0x80010001 ; /ContinueStatus = DBG_EXCEPTION_NOT_HANDLED
004774CF . 8B85 18FFFFFF mov eax,dword ptr ss:[ebp-0xE8] ; |
004774D5 . 50 push eax ; |ThreadId = 0xED5064
004774D6 . 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-0xEC] ; |
004774DC . 50 push eax ; |ProcessId = 0xED5064
004774DD . E8 32F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
004774E2 . E8 D95AF9FF call <RiskMana.unknown_libname_186>
004774E7 .^ E9 4BFAFFFF jmp RiskMana.00476F37
004774EC > 68 02000100 push 0x10002 ; /ContinueStatus = DBG_CONTINUE
004774F1 . 8B85 18FFFFFF mov eax,dword ptr ss:[ebp-0xE8] ; |
004774F7 . 50 push eax ; |ThreadId = 0xED5064
004774F8 . 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-0xEC] ; |
004774FE . 50 push eax ; |ProcessId = 0xED5064
004774FF . E8 10F6F8FF call <RiskMana.ContinueDebugEvent> ; \ContinueDebugEvent
00477504 . E8 B75AF9FF call <RiskMana.unknown_libname_186> ; return
00477509 .^ E9 29FAFFFF jmp RiskMana.00476F37
0047750E . 33C0 xor eax,eax
00477510 . 5A pop edx
00477511 . 59 pop ecx
00477512 . 59 pop ecx
00477513 . 64:8910 mov dword ptr fs:[eax],edx
00477516 .^ E9 05C1F8FF jmp RiskMana.00403620
The flow is roughly as follows:
First the process is created with CreateProcessA, then a mutex object is created with CreateMutexA, then VirtualProtectEx is used to make the child's code section writable, and then DebugActiveProcess attaches itself as the debugger. When the child faults, the parent receives the exception with WaitForDebugEvent and handles it accordingly.
For example, the following two handlers use WriteProcessMemory to write data from the parent into the child:
00476FE4 writes data 1 into the child
Data address 1
Child 00401000+01C5E10=5C6E10
Parent 00484BE0+01C5E10=64A9F0
00477BE7 writes data 2 into the child
Child 005C6CF8+08=5C6D00
Parent 00484BE0+08=484BE8
So extracting the child process on its own takes a fair amount of work.
Finally, this program was provided by @wjl, thanks!
PS: the modified program must be renamed back to the original name, otherwise it will report an error.
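The breakpoint case of the debug loop (the listing from 0047703D to 004772DD) is where the parent actually repairs the child's code, and the post summarises it only as "writes the correct code bytes into it". As an added example, not code from the post or from RiskManager, here is that handler redone in portable C over a byte array that stands in for the child's address space, so it runs without Windows: ReadProcessMemory and WriteProcessMemory become memcpy, and the Eip the parent would set with SetThreadContext is the return value. The marker bytes CC 03 D6 D7 / EB 03 D6 D7 and the XOR key 2 come from the byte compares at 004771A2 to 004771D0 and the loops at 004771DD and 00477234; that [ebp-0x61D20] is CONTEXT.Eip (offset 0xB8 in an x86 CONTEXT, with ContextFlags 0x10001 = CONTEXT_CONTROL at 004770E1) is my reading of the listing; the function and field names, the filler byte 0x90 and the sample code bytes are my own. The F12 check at 00477010 (the handler is skipped while F12 is held) is left out.

```c
/* Added example, not RiskManager's code: the parent's int3 handler
 * (listing 0047703D-004772DD) over a byte array standing in for the child. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 0x1000

/* Parent-side state: flag 0x94BE30, saved page 0x94AAA8, lpAddress, and the
 * breakpoint counter 0x9B00CC.  Exactly one block is decrypted at a time. */
typedef struct {
    int     seen;          /* breakpoints seen; the first (attach) is ignored */
    int     active;        /* a block is currently decrypted in the child     */
    size_t  addr;          /* child address of that block (its int3 byte)     */
    size_t  saved_len;
    uint8_t saved[PAGE];   /* the page as read, i.e. still encrypted          */
} protector_state;

/* Block layout from the compares at 004771A2..004771D0 and the loop at
 * 004771DD: start marker, one filler byte, payload XOR 2, end marker.  With
 * the CC replaced both markers are "jmp short +3" over D6 D7 and the filler. */
static const uint8_t START_MARK[4] = {0xCC, 0x03, 0xD6, 0xD7};
static const uint8_t END_MARK[4]   = {0xEB, 0x03, 0xD6, 0xD7};

/* In-place transform of one page.  -1: page[0..3] is no start marker.
 * Otherwise the end-marker index; if none is found the original XORs to the
 * end of the page and so does this (returns len). */
int decrypt_block(uint8_t *page, size_t len)
{
    size_t i, end = len;
    if (len < 4 || memcmp(page, START_MARK, 4) != 0)
        return -1;
    for (i = 6; i + 2 < len; i++)              /* 004771DD: scan from index 5 */
        if (memcmp(page + i - 1, END_MARK, 4) == 0) { end = i - 1; break; }
    page[0] = 0xEB;                            /* 00477219: int3 -> jmp short */
    for (i = 5; i < end; i++)                  /* 00477234: payload bytes     */
        page[i] ^= 0x02;
    return (int)end;
}

/* One EXCEPTION_BREAKPOINT; eip is the address after the CC.  Returns the
 * Eip to resume at, or 0 when the breakpoint is left alone.  [ebp-0x61D20]
 * is CONTEXT.Eip (offset 0xB8, ContextFlags 0x10001), hence eip - 1. */
size_t on_breakpoint(protector_state *st, uint8_t *mem, size_t mem_len, size_t eip)
{
    uint8_t page[PAGE];
    size_t base, n;

    if (st->seen++ == 0 || eip == 0 || eip - 1 >= mem_len)
        return 0;                              /* 00477020: first bp skipped  */
    base = eip - 1;
    n = mem_len - base < PAGE ? mem_len - base : PAGE;

    if (st->active) {                          /* 0047703D: put the previous  */
        memcpy(mem + st->addr, st->saved, st->saved_len); /* block back     */
        st->active = 0;
    }
    memcpy(page, mem + base, n);               /* 00477146: working copy      */
    memcpy(st->saved, mem + base, n);          /* 0047716E: pristine copy     */
    st->saved_len = n;
    st->addr = base;                           /* 0047717F: lpAddress         */

    if (decrypt_block(page, n) < 0)
        return 0;                              /* ordinary int3, not a marker */
    memcpy(mem + base, page, n);               /* 00477275: WriteProcessMemory*/
    st->active = 1;                            /* 004772DD                    */
    return base;                               /* 0047727F: Eip - 1           */
}

/* Demo helper: build a block in the layout above.  The real build tool is
 * not on the page; the filler value 0x90 is an assumption. */
size_t make_block(uint8_t *out, const uint8_t *code, size_t code_len)
{
    size_t k = 0, j;
    memcpy(out, START_MARK, 4); k = 4;
    out[k++] = 0x90;
    for (j = 0; j < code_len; j++)
        out[k++] = code[j] ^ 0x02;
    memcpy(out + k, END_MARK, 4); k += 4;
    out[k++] = 0x90;
    return k;
}

int main(void)
{
    /* constructed child image: two protected blocks and one plain int3 */
    static uint8_t mem[2 * PAGE];
    static const uint8_t code[] = {0x31, 0xC0, 0x40, 0xC3}; /* xor eax,eax; inc eax; ret */
    protector_state st = {0};
    size_t j, eip, n = make_block(mem + 0x100, code, sizeof code);
    make_block(mem + 0x200, code, sizeof code);
    mem[0x10] = 0xCC;

    on_breakpoint(&st, mem, sizeof mem, 0x11);             /* attach bp: ignored */
    eip = on_breakpoint(&st, mem, sizeof mem, 0x101);
    printf("resume at %#zx:", eip);
    for (j = 0; j < n; j++) printf(" %02X", mem[0x100 + j]);
    eip = on_breakpoint(&st, mem, sizeof mem, 0x201);      /* block 1 re-encrypted */
    printf("\nresume at %#zx, block 1 byte 5 back to %02X\n", eip, mem[0x105]);
    return 0;
}
```

Two properties of the scheme follow directly from the listing and are reproduced here. First, the parent restores the previously decrypted page (0047703D to 004770E1) before it decrypts the next block, so a memory dump of the child at any instant contains at most one block in the clear; rebuilding the child's image means driving every marker through this handler (or replaying it offline as above) and keeping each decrypted page, which is the work the post refers to. Second, the end-marker scan runs over the still-encrypted bytes, so a payload whose XOR-2 form happens to contain EB 03 D6 D7 ends its block early, and a block with no end marker within the page is XORed to the end of the page.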