This post was last edited by 当红小生 on 2011-3-2 15:59
First, a screenshot.
Yesterday while online I got hit by P2P终结者 (P2POver). Sigh. Had no choice but to fight back (thought about it... forget it). I'll just get evil with P2POver myself instead (don't feel like installing an ARP firewall or the like)~
Downloaded P2POver 4.1.8.0, the latest version.
Ran it to see where it could be poked at. On launch it actually wants to change my browser homepage. What the hell. Let's cripple that.
Time for the big gun: OD takes the stage!
Approach:
Changing the homepage must involve the registry, so look for registry-operating APIs. Sure enough there are some. Break on all of them regardless, then search the strings for Main (that's where it has to write).
00407ADF /$ B8 BC255700 mov eax,p2pover.005725BC // here: RET 4
00407AE4 |. E8 336D0200 call p2pover.0042E81C
00407AE9 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00407AEC |. 8365 FC 00 and dword ptr ss:[ebp-4],0
00407AF0 |. 8378 F8 00 cmp dword ptr ds:[eax-8],0
00407AF4 |. 75 0F jnz short p2pover.00407B05
00407AF6 |. 83C1 04 add ecx,4
00407AF9 |. 51 push ecx
00407AFA |. 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
00407AFD |. E8 27521400 call p2pover.0054CD29
00407B02 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00407B05 |> 8B48 F8 mov ecx,dword ptr ds:[eax-8]
00407B08 |. 6A 02 push 2
00407B0A |. 51 push ecx
00407B0B |. 50 push eax
00407B0C |. 6A 01 push 1
00407B0E |. 68 C4855C00 push p2pover.005C85C4 ; ASCII "Start Page"
00407B13 |. 68 98855C00 push p2pover.005C8598 ; ASCII "Software\Microsoft\Internet Explorer\Main\"
00407B18 |. FF15 C0455800 call dword ptr ds:[<&SHLWAPI.SHRegSetUSValue>; SHLWAPI.SHRegSetUSValueA
00407B1E |. 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00407B22 |. 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
00407B25 |. E8 C6501400 call p2pover.0054CBF0
00407B2A |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00407B2D |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00407B34 |. C9 leave
00407B35 \. C2 0400 retn 4
The SHRegSetUSValueA breakpoint I planted earlier did the trick; add the key operation point and it can't escape!!
Plenty of ways to patch it; just ret 4 right at 00407ADF. Mind the stack balance!
Ran it, clicked the "Elevate administrator" button, no response. Tragic. Probably writes it back. Keep going, fuck it.
Figured something must keep reading this Main location to check whether the homepage was changed; the other possibility is a timer or loop that keeps writing it back. Started looking for timers, too many of them, gave up; just look at the key operations instead. Later found that thing right next to the key spot!
00407B38 /$ B8 E7255700 mov eax,p2pover.005725E7
00407B3D |. E8 DA6C0200 call p2pover.0042E81C
00407B42 |. 81EC 10040000 sub esp,410
00407B48 |. 53 push ebx
00407B49 |. 56 push esi
00407B4A |. 57 push edi
00407B4B |. 6A 01 push 1
00407B4D |. 5E pop esi
00407B4E |. 33DB xor ebx,ebx
00407B50 |. 6A 7F push 7F
00407B52 |. 33C0 xor eax,eax
00407B54 |. 59 pop ecx
00407B55 |. 8DBD E5FDFFFF lea edi,dword ptr ss:[ebp-21B]
00407B5B |. 889D E4FDFFFF mov byte ptr ss:[ebp-21C],bl
00407B61 |. 6A 7F push 7F
00407B63 |. F3:AB rep stos dword ptr es:[edi]
00407B65 |. 66:AB stos word ptr es:[edi]
00407B67 |. AA stos byte ptr es:[edi]
00407B68 |. 59 pop ecx
00407B69 |. 33C0 xor eax,eax
00407B6B |. 8DBD E5FBFFFF lea edi,dword ptr ss:[ebp-41B]
00407B71 |. 889D E4FBFFFF mov byte ptr ss:[ebp-41C],bl
00407B77 |. F3:AB rep stos dword ptr es:[edi]
00407B79 |. 66:AB stos word ptr es:[edi]
00407B7B |. 68 908D5D00 push p2pover.005D8D90
00407B80 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00407B83 |. 895D E8 mov dword ptr ss:[ebp-18],ebx
00407B86 |. 8975 EC mov dword ptr ss:[ebp-14],esi
00407B89 |. C745 E4 00020000 mov dword ptr ss:[ebp-1C],200
00407B90 |. AA stos byte ptr es:[edi]
00407B91 |. E8 C8501400 call p2pover.0054CC5E
00407B96 |. 8D85 E4FBFFFF lea eax,dword ptr ss:[ebp-41C]
00407B9C |. 68 FF010000 push 1FF
00407BA1 |. 50 push eax
00407BA2 |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00407BA5 |. 53 push ebx
00407BA6 |. 50 push eax
00407BA7 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
00407BAD |. 8975 FC mov dword ptr ss:[ebp-4],esi
00407BB0 |. 50 push eax
00407BB1 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00407BB4 |. 50 push eax
00407BB5 |. 68 C4855C00 push p2pover.005C85C4 ; ASCII "Start Page"
00407BBA |. 68 98855C00 push p2pover.005C8598 ; ASCII "Software\Microsoft\Internet Explorer\Main\"
00407BBF |. FF15 BC455800 call dword ptr ds:[<&SHLWAPI.SHRegGetUSValue>; SHLWAPI.SHRegGetUSValueA
00407BC5 |. 85C0 test eax,eax
00407BC7 |. 75 0F jnz short p2pover.00407BD8
00407BC9 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
00407BCF |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00407BD2 |. 50 push eax
00407BD3 |. E8 A1511400 call p2pover.0054CD79
00407BD8 |> 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00407BDB |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00407BDE |. 50 push eax
00407BDF |. E8 814D1400 call p2pover.0054C965
00407BE4 |. 8975 E8 mov dword ptr ss:[ebp-18],esi
00407BE7 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00407BEA |. 885D FC mov byte ptr ss:[ebp-4],bl
00407BED |. E8 FE4F1400 call p2pover.0054CBF0
00407BF2 |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00407BF5 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00407BF8 |. 5F pop edi
00407BF9 |. 5E pop esi
00407BFA |. 5B pop ebx
00407BFB |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00407C02 |. C9 leave
00407C03 \. C2 0400 retn 4
This is the key spot. Found that returning at the function entry doesn't work; keep backtracking for the key place.
004099EB /$ 56 push esi
004099EC |. B9 E0905D00 mov ecx,p2pover.005D90E0
004099F1 |. 33F6 xor esi,esi
004099F3 |. E8 0EE2FFFF call p2pover.00407C06
004099F8 |. 85C0 test eax,eax
004099FA 74 03 je short p2pover.004099FF // NOP this
004099FC |. 6A 20 push 20
004099FE |. 5E pop esi
004099FF |. 8BC6 mov eax,esi
00409A01 |. 5E pop esi
00409A02 \. C3 retn
Back in this layer. This one is interesting: eax gets its value from esi, and esi is controlled by that push 20. The author probably obfuscated it.
Kill that jump and try it... ah~ the door opened! Perfect!
Opened it to use it, and there's an ad bar. Fuck it! No packet capture (would need to find a tool for that! sweat!!)
Looked at the strings and saw a good thing:
00409F64 . 6A 50 push 50 ; /Arg3 = 00000050
00409F66 . 68 347E5C00 push p2pover.005C7E34 ; |Arg2 = 005C7E34 ASCII "height"
00409F6B . 68 34885C00 push p2pover.005C8834 ; |Arg1 = 005C8834 ASCII "sponsor"
00409F70 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38] ; |
00409F73 . E8 EB88FFFF call p2pover.00402863 ; \p2pover.00402863
sponsor, in that foreign tongue, means 赞助 (sponsorship).
00409F78 . 50 push eax // is this the ad bar's width or height? change to push ebx
00409F79 . 50 push eax // change to push ebx
00409F7A . 53 push ebx
00409F7B . 8BCE mov ecx,esi
00409F7D . E8 26021500 call p2pover.0055A1A8
Traced it; those few parameters are the key (width or height). Set the parameters to 0 and it's OK.
Thought there wasn't enough room for code and a jump would be a hassle. Sigh, what to do? Pressed a key too fast and noticed push ebx is push 0. Damn, that's a good thing, secretly delighted!! Heh heh!
You're it, don't run! Change both to push ebx, save and try! The ad bar is gone too, the interface looks so clean!
When I closed it, it pulled a sneaky move, caught by my monitoring software!
It secretly runs adbrowser.exe, that damned thing. Get rid of it.
Break on the process-launch APIs and at close time you see the key spot.
This is the ad part; I harmonized the interface. To go further you can keep harmonizing here!
00409A77 B8 182A5700 mov eax,4.00572A18 // change this to ret
00409A7C E8 9B4D0200 call 4.0042E81C
00409A81 |. 81EC 14010000 sub esp,114
00409A87 |. A1 C0975C00 mov eax,dword ptr ds:[5C97C0]
00409A8C |. 53 push ebx
00409A8D |. 56 push esi
00409A8E |. 57 push edi
00409A8F |. 8BF1 mov esi,ecx
00409A91 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
00409A94 |. 8365 FC 00 and dword ptr ss:[ebp-4],0
00409A98 |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00409A9B |. E8 ED89FFFF call 4.0040248D
00409AA0 |. 80A5 E0FEFFFF 00 and byte ptr ss:[ebp-120],0
00409AA7 |. 6A 3F push 3F
00409AA9 |. 59 pop ecx
00409AAA |. 33C0 xor eax,eax
00409AAC |. 8DBD E1FEFFFF lea edi,dword ptr ss:[ebp-11F]
00409AB2 |. 68 1C815C00 push 4.005C811C ; ASCII "pvt.dat"
00409AB7 |. F3:AB rep stos dword ptr es:[edi]
00409AB9 |. FF35 EC945D00 push dword ptr ds:[5D94EC]
00409ABF |. C645 FC 01 mov byte ptr ss:[ebp-4],1
00409AC3 |. 66:AB stos word ptr es:[edi]
00409AC5 |. AA stos byte ptr es:[edi]
00409AC6 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00409AC9 |. 68 547E5C00 push 4.005C7E54 ; ASCII "%s%s"
00409ACE |. 50 push eax
00409ACF |. E8 0E001400 call 4.00549AE2
00409AD4 |. 83C4 10 add esp,10
00409AD7 |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00409ADA |. 6A 01 push 1
00409ADC |. FF75 F0 push dword ptr ss:[ebp-10]
00409ADF |. E8 128AFFFF call 4.004024F6
00409AE4 |. 68 30750000 push 7530 ; /Arg3 = 00007530
00409AE9 |. 68 A0805C00 push 4.005C80A0 ; |Arg2 = 005C80A0 ASCII "delay"
00409AEE |. 68 A0875C00 push 4.005C87A0 ; |Arg1 = 005C87A0 ASCII "today"
00409AF3 |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; |
00409AF6 |. E8 688DFFFF call 4.00402863 ; \4.00402863
00409AFB |. 8986 7C050000 mov dword ptr ds:[esi+57C],eax
00409B01 |. BB FF000000 mov ebx,0FF
00409B06 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B0C |. 53 push ebx ; /Arg5 => 000000FF
00409B0D |. 50 push eax ; |Arg4
00409B0E |. BF 4C7E5C00 mov edi,4.005C7E4C ; |ASCII "url"
00409B13 |. 68 74875C00 push 4.005C8774 ; |Arg3 = 005C8774 ASCII "http://www.netsoft2005.com/cfg/40/today.dat"
00409B18 |. 57 push edi ; |Arg2 => 005C7E4C ASCII "url"
00409B19 |. 68 A0875C00 push 4.005C87A0 ; |Arg1 = 005C87A0 ASCII "today"
00409B1E |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; |
00409B21 |. E8 F18CFFFF call 4.00402817 ; \4.00402817
00409B26 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B2C |. 8D8E 80050000 lea ecx,dword ptr ds:[esi+580]
00409B32 |. 50 push eax
00409B33 |. E8 41321400 call 4.0054CD79
00409B38 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B3E |. 53 push ebx ; /Arg5 => 000000FF
00409B3F |. 50 push eax ; |Arg4
00409B40 |. 68 48875C00 push 4.005C8748 ; |Arg3 = 005C8748 ASCII "http://www.netsoft2005.com/cfg/40/quit.dat"
00409B45 |. 57 push edi ; |Arg2 => 005C7E4C ASCII "url"
00409B46 |. 68 40875C00 push 4.005C8740 ; |Arg1 = 005C8740 ASCII "quit"
00409B4B |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; |
00409B4E |. E8 C48CFFFF call 4.00402817 ; \4.00402817
00409B53 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B59 |. 8D8E 84050000 lea ecx,dword ptr ds:[esi+584]
00409B5F |. 50 push eax
00409B60 |. E8 14321400 call 4.0054CD79
00409B65 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B6B |. 53 push ebx ; /Arg5 => 000000FF
00409B6C |. 50 push eax ; |Arg4
00409B6D |. 68 28875C00 push 4.005C8728 ; |Arg3 = 005C8728 ASCII "http://www.moxia.net/"
00409B72 |. 57 push edi ; |Arg2 => 005C7E4C ASCII "url"
00409B73 |. 68 1C875C00 push 4.005C871C ; |Arg1 = 005C871C ASCII "homepage"
00409B78 |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; |
00409B7B |. E8 978CFFFF call 4.00402817 ; \4.00402817
00409B80 |. 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00409B86 |. 8D8E 88050000 lea ecx,dword ptr ds:[esi+588]
00409B8C |. 50 push eax
00409B8D |. E8 E7311400 call 4.0054CD79
00409B92 |. 8065 FC 00 and byte ptr ss:[ebp-4],0
00409B96 |. 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00409B99 |. E8 1F89FFFF call 4.004024BD
00409B9E |. 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00409BA2 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00409BA5 |. E8 46301400 call 4.0054CBF0
00409BAA |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00409BAD |. 5F pop edi
00409BAE |. 5E pop esi
00409BAF |. 5B pop ebx
00409BB0 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00409BB7 |. C9 leave
00409BB8 \. C3 retn
0040A4C7 /$ B8 BC2A5700 mov eax,3.00572ABC // just return here!
0040A4CC |. E8 4B430200 call 3.0042E81C
0040A4D1 |. 51 push ecx
0040A4D2 |. 66:813D F0945D00 0408 cmp word ptr ds:[5D94F0],804
0040A4DB |. 75 45 jnz short 3.0040A522
0040A4DD |. A1 C0975C00 mov eax,dword ptr ds:[5C97C0]
0040A4E2 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
0040A4E5 |. FFB1 84050000 push dword ptr ds:[ecx+584]
0040A4EB |. 8365 FC 00 and dword ptr ss:[ebp-4],0
0040A4EF |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040A4F2 |. 68 84865C00 push 3.005C8684 ; ASCII "adbrowser.exe"
0040A4F7 |. FF35 EC945D00 push dword ptr ds:[5D94EC]
0040A4FD |. 68 5C885C00 push 3.005C885C ; ASCII "%s%s "%s""
0040A502 |. 50 push eax
0040A503 |. E8 DAF51300 call 3.00549AE2
0040A508 |. 83C4 14 add esp,14
0040A50B |. 6A 05 push 5 ; /ShowState = SW_SHOW
0040A50D |. FF75 F0 push dword ptr ss:[ebp-10] ; |CmdLine
0040A510 |. FF15 CC445800 call dword ptr ds:[<&KERNEL32.WinExec>] ; \WinExec
0040A516 |. 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
0040A51A |. 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0040A51D |. E8 CE261400 call 3.0054CBF0
0040A522 |> 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0040A525 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0040A52C |. C9 leave
0040A52D \. C3 retn
This is where the mischief is; just RET at the function entry.
Let the harmonizing rain down harder!
Writing this up is tiring! Finally done! Wrapping up! What are you waiting for, plus points please!!! Haha~
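From the defender's side, the two behaviours found above (a process repeatedly re-writing the IE Start Page value, and the same process spawning adbrowser.exe at exit) are easy to spot in endpoint telemetry. The following is an added example, not code from the original post or from the P2POver author; it runs over a constructed list of Sysmon-style events (Event 13 = registry value set, Event 1 = process create) and assumes that simplified dict schema, the 60-second window and the threshold of 3 writes.

```python
"""Flag Start Page re-write loops and the adbrowser.exe spawn described in the post.
The event list below is constructed for this example, not real telemetry."""
from collections import defaultdict

# Registry path and value name taken from the disassembly listing above.
START_PAGE = r"Software\Microsoft\Internet Explorer\Main\Start Page"
REWRITE_WINDOW = 60.0     # seconds (assumption for this example)
REWRITE_THRESHOLD = 3     # writes by one image inside the window (assumption)

SP = r"HKU\S-1-5-21-1\Software\Microsoft\Internet Explorer\Main\Start Page"
SAMPLE_EVENTS = [  # constructed Sysmon-like events: id 13 = registry set, id 1 = process create
    {"id": 13, "t": 0.0,   "image": r"C:\tools\p2pover.exe", "target": SP},
    {"id": 13, "t": 5.0,   "image": r"C:\tools\p2pover.exe", "target": SP},
    {"id": 13, "t": 10.0,  "image": r"C:\tools\p2pover.exe", "target": SP},
    {"id": 13, "t": 12.0,  "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "target": SP},
    {"id": 1,  "t": 300.0, "image": r"C:\tools\adbrowser.exe", "parent": r"C:\tools\p2pover.exe"},
]


def find_rewrite_loops(events, window=REWRITE_WINDOW, threshold=REWRITE_THRESHOLD):
    """Return the set of images that set Start Page `threshold` or more times
    within any `window`-second span (the write-back loop the post describes)."""
    writes = defaultdict(list)
    for e in events:
        if e["id"] == 13 and e["target"].endswith(START_PAGE):
            writes[e["image"]].append(e["t"])
    hits = set()
    for image, times in writes.items():
        times.sort()
        # Sliding window: any `threshold` consecutive writes inside `window` seconds.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(image)
                break
    return hits


def find_child_launch(events, child_name="adbrowser.exe"):
    """Return (parent, child) pairs where some process launched the named binary."""
    return {(e["parent"], e["image"]) for e in events
            if e["id"] == 1 and e["image"].lower().endswith("\\" + child_name)}
```

A single write by iexplore.exe (the user changing the homepage legitimately) does not trip the loop detector; only the repeated writer is reported.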