²ÊƱ̽Ë÷ÕßÖ®ÉñͶÊÖ R2001.10.18
ÏÂÔصØÖ·£ºhttp://www.probersoft.com/ ÇëÏÈÏÂÔØËüµÄѧϰ°æºÍÉý¼¶°æÈ»ºó°²×°¼´¿É
±£»¤ÀàÐÍ£ºÓûúÆ÷ÂëÀ´Ëã×¢²áÂ룬ÿ´Î½øÈ붼Ìáʾע²á£¬Î´×¢²á¹¦ÄÜÓÐÏÞÖÆ¡£
×î½üÏÂÔØÁ˼¸¸ö²ÊƱÈí¼þÀ´Í棬¿ÉÊǺü¸¸ö¶¼ÕÒ²»µ½Æƽ⣬ֻºÃ×Ô¼º¶¯ÊÖÀ²¡£Õâ¸öÈí¼þͦ½Æ»«µÄ£¬ËüÓÃÁËASPack v2.11¼Ó¿Ç£¬Õâ¸öºÃ°ìÓÃCaspr¾ÍÄܸãµà£¬Ö»²»¹ýÍÑÁ˿ǺóËüÒ»ÔËÐоͰÑ×Ô¼ºÉ¾³ýÁË£¬µ«»¹ÊÇÄÜÓÃW32DasmÀ´·´»ã±àµÄ¡£¸Õ¿ªÊ¼´ÖÂÔ¸úÁËһϣ¬Ëü²¢²»ÊÇÕû¸ö×¢²áÂëÃ÷Âë¶Ô±ÈµÄ£¬ÂíÉÏÏëµ½ËüÓÃÁËʲô¸´ÔÓµÄËã·¨£¬×Ðϸ¿´Ò»ÏÂÔÀ´Ëü²¢²»¸´ÔÓ£¬¿´¿´ÎÒÏÂÃæµÄ¹ý³Ì°É¡£ÁíÍâÒ»¸ö½Ð²ÊƱÍõ5.01±ê×¼°æµÄÊÇVBµÄ£¬¸ãµÃÎÒÍ·¶¼Í´À²£¬ÎÒµÄϵͳÊÇWindows
MEµÄSmartCheckÓò»ÁË£¬ÆøËÀÎÒÀ²£¬ÓÃTrw2000¸úµÃÔÎͷתÏò¡£
ÏÈ°ÑËü·´»ã±àÕÒµ½ÏÂÃæµÄ³ö´íÐÅÏ¢
--Step 1-----------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00564D3C(C) <---´ÓÕâÀïÌø¹ýÀ´µÄ£¬ÍùÉÏÕÒ
|
:005651D7 6A30
push 00000030
* Possible StringData Ref from Data Obj ->"ÌáʾÐÅÏ¢"
|
:005651D9 6879158300 push 00831579
* Possible StringData Ref from Data Obj ->"×¢²áʧ°Ü!"
|
:005651DE 6898158300 push 00831598
:005651E3 8B8574FFFFFF mov eax, dword
ptr [ebp+FFFFFF74]
:005651E9 E822282400 call 007A7A10
:005651EE 50
push eax
* Reference To: USER32.MessageBoxA, Ord:0000h
--Step 2-----------------------------------------------------------------------------------------
:00564D35 E83AB9FBFF call 00520674
:00564D3A 85C0
test eax, eax
:00564D3C 0F8495040000 je 005651D7
<---²»ÄÜÌø£¬¾µä±È½Ï£¬½øÈëÉÏÃæµÄCall¿´¿´
~~~~~~~~
ÏÂÃæ¾ÍÊÇ×¢²áÂëµÄ±È½ÏºËÐÄ£¬ËüÊÇÒ»¸öÒ»¸ö×¢²áÂë·Ö¿ª±È½ÏµÄ
--Step 3-----------------------------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:005228D1 , :00522954 , :005233AD , :00523430 , :00564B11
|:00564D35 , :00564D47
|
:00520674 55
push ebp
:00520675 8BEC
mov ebp, esp
:00520677 83C4D0
add esp, FFFFFFD0
:0052067A 53
push ebx
:0052067B 56
push esi
:0052067C 57
push edi
:0052067D 8955D4
mov dword ptr [ebp-2C], edx <--d edxÀïÃæÊÇʲô£¿ÓпÉÒÉŶ
:00520680 8945FC
mov dword ptr [ebp-04], eax <--d eaxÀïÃæÊÇÎÒÊäÈëµÄ×¢²áÂë
:00520683 B820DF8100 mov eax,
0081DF20
:00520688 E867932C00 call 007E99F4
:0052068D C745F401000000 mov [ebp-0C], 00000001
:00520694 8D55FC
lea edx, dword ptr [ebp-04]
:00520697 8D45FC
lea eax, dword ptr [ebp-04]
:0052069A E89D3F2D00 call 007F463C
:0052069F FF45F4
inc [ebp-0C]
:005206A2 66C745E80800 mov [ebp-18],
0008
:005206A8 C745D001000000 mov [ebp-30], 00000001
:005206AF 66C745E81400 mov [ebp-18],
0014
:005206B5 66C745E81400 mov [ebp-18],
0014
:005206BB 8B45D4
mov eax, dword ptr [ebp-2C]
:005206BE 33DB
xor ebx, ebx
:005206C0 8BF8
mov edi, eax
:005206C2 EB3E
jmp 00520702 <---Ìø×ßÀ²£¬ÏÈÍùÏ¿´
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520714(C)
|
:005206C4 8D7301
lea esi, dword ptr [ebx+01]
:005206C7 56
push esi
:005206C8 8D45FC
lea eax, dword ptr [ebp-04]
:005206CB 50
push eax
:005206CC E8AF3E2D00 call 007F4580
:005206D1 83C408
add esp, 00000008
:005206D4 8D45FC
lea eax, dword ptr [ebp-04]
:005206D7 E874432D00 call 007F4A50
<---ÕâÁ½¸öCall¶¼²»Óøú½øÈ¥
:005206DC 8B45D4
mov eax, dword ptr [ebp-2C]
:005206DF 8B0F
mov ecx, dword ptr [edi] <---d edi¿´¿´ÓÖÊǸղÅÄÇ¿ÉÒɵÄÊý¾Ý ecx=00000036
ÕâÀïÓ¦¸ÃÊÇÓÃÎҵĻúÆ÷ÂëËã³öÀ´µÄÊý¾Ý±í£¬¾¹ýÔËËãµÃ³öÕæµÄ×¢²áÂ룬µ«ËüÊÇÔõôËã³öÀ´ÎÒ¾ÍûȥÑо¿
0030:02BB668C 36 00 00 00 29 00 00 00-21 00 00 00 20 00 00 00 6...)...!... ...
0030:02BB669C 0D 00 00 00 09 00 00 00-06 00 00 00 FA FF FF FF ............?ÿÿ
0030:02BB66AC F1 FF FF FF E5 FF FF FF-E7 FF FF FF DA FF FF FF ?ÿÿ?ÿÿ?ÿÿ?ÿÿ
0030:02BB66BC D7 FF FF FF CB FF FF FF-BD FF FF FF BB FF FF FF ?ÿÿ?ÿÿ?ÿÿ?ÿÿ
0030:02BB66CC B9 FF FF FF AB FF FF FF-A9 FF FF FF 95 FF FF FF ?ÿÿ?ÿÿ?ÿÿ?ÿÿ
0030:02BB66DC 97 FF FF FF 8B FF FF FF-80 FF FF FF 81 FF FF FF ?ÿÿ?ÿÿ€ÿÿÿ?ÿÿ
0030:02BB66EC 0F 27 00 00 0F 27 00 00-0F 27 00 00 0F 27 00 00 .'...'...'...'..
:005206E1 0375FC
add esi, dword ptr [ebp-04]
:005206E4 4E
dec esi
<---esiÊǼÙ×¢²áÂëµÄµØÖ·
:005206E5 8B80D0000000 mov eax, dword
ptr [eax+000000D0] <--Õâ¸öºÜºÜÖØÒª eax=FFFFFFF8
:005206EB 0FAFC3
imul eax, ebx <---ebxÊǼÆÊýÆ÷
:005206EE 0FBE16
movsx edx, byte ptr [esi] <---¼Ù×¢²áÂëµÄµÄµÚһλ
:005206F1 2BC8
sub ecx, eax <---ÓÃecxºÍeaxÏà¼õ¾ÍµÃ³öÕæ×¢²áÂëµÄµÄµÚһ룬ÕâÀï
µ±Ëãµ½µÚ5.10.15.20λµÄʱºòecx¶¼ÊÇ2D¼´ÊÇ'-'
ËùÒÔ×¢²áÂëµÄÐÎʽÊÇxxxx-xxxx-xxxx-xxxx-xxxx
:005206F3 3BD1
cmp edx, ecx <---ÓбȽÏÁË£¬ÓÃÎҵļÙ×¢²áÂëµÄµÄµÚһλºÍ¸Õ²ÅÔË
ËãµÄ½á¹û±È½Ï£¬ÎÒÕâÀïÊÇËã³öµÄ½á¹ûÊÇ36£¬¼´ÊÇ
Êý×Ö6¡£
:005206F5 7407
je 005206FE <---ÏàµÈ¾ÍÍùÏÂÌø£¬ÕâÀï¿ÉÒÔ¸ÄΪjne²¢ÔÚ´ËÉè¶Ïµãÿ
´ÎÔËÐе½´Ëʱ¿´ecxµÄÖµ¾ÍÄÜ¿´µ½ËùÓеÄ×¢²áÂë¡£
ÁíÍâÓиöÎÊÌ⣬ÎÒÃÇÔõô֪µÀ×¢²áÂëµÄ¸öÊý¾¿¾¹
¼¸¸öÄØ¡¢ÇëÍùÏ¿´¡£
:005206F7 33D2
xor edx, edx
:005206F9 8955D0
mov dword ptr [ebp-30], edx
:005206FC EB18
jmp 00520716
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005206F5(C)
|
:005206FE 43
inc ebx <---¼ÆÊýÆ÷¼ÓÒ»
:005206FF 83C704
add edi, 00000004 <---ediÖ¸Ïò¿ÉÒÉÊý¾ÝµÄÏÂËÄλ29£¬ÓÃÀ´ÔËËãÏÂһλע²áÂë
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005206C2(U)
|
:00520702 837DFC00 cmp
dword ptr [ebp-04], 00000000
:00520706 7408
je 00520710 <--Õâ¸öÖ»ÊǼì²éµØÖ·£¬²»»áÌø×ßµÄ
:00520708 8B4DFC
mov ecx, dword ptr [ebp-04] <--¼Ù×¢²áÂëµÄµØÖ·
:0052070B 8B41FC
mov eax, dword ptr [ecx-04] <--¼Ù×¢²áÂëµÄ¸öÊý
:0052070E EB02
jmp 00520712
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520706(C)
|
:00520710 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052070E(U)
|
:00520712 3BD8
cmp ebx, eax <---ebxÊǼÆÊýÆ÷£¬×¢²áÂëÊÇÒ»¸öÒ»¸ö±È½ÏµÄ
:00520714 7CAE
jl 005206C4 <---ÍùÉÏÌøÀ²
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005206FC(U)
|
:00520716 837DD001 cmp
dword ptr [ebp-30], 00000001
:0052071A 7539
jne 00520755
:0052071C 837DFC00 cmp
dword ptr [ebp-04], 00000000
:00520720 7408
je 0052072A <---Èç¹û×¢²áÂëÕýÈ·µÄ»°ÕâÁ½¸ö±È½Ï¶¼²»»áÌøµÄ£¬¼ÇסÕâÁ½¸ö´íÎóµÄ³ö¿ÚµØÖ·
:00520722 8B55FC
mov edx, dword ptr [ebp-04]
:00520725 8B42FC
mov eax, dword ptr [edx-04]
:00520728 EB02
jmp 0052072C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520720(C)
|
:0052072A 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520728(U)
|
:0052072C 66C745E81400 mov [ebp-18],
0014
:00520732 8B55D4
mov edx, dword ptr [ebp-2C]
:00520735 83F834
cmp eax, 00000034 <--eaxÊÇÎÒÊäÈëµÄ×¢²áÂëµÄ¸öÊý£¬²»ÄÜ´óÓÚ52¸ö
:00520738 8D1482
lea edx, dword ptr [edx+4*eax] <--edxÖ¸ÏòÊý¾Ý±íµÄµØÖ·
:0052073B 7D18
jge 00520755
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520753(C)
|
:0052073D 813A0F270000 cmp dword ptr
[edx], 0000270F
:00520743 7407
je 0052074C <--±È½Ï£¬ÕâÀïÒ»¶¨ÒªÌø£¬»¹¼ÇµÃÏÂÃæµÄ´íÎóµØÖ·Âð£¿
¿´¿´Êý¾Ý±í£¬¿´À´0000270FÊǽáÊø±êÖ¾¡£ËãÁËËãÇ°Ãæ
µÄÊý¾ÝÒ»¹²ÄÜËã³ö24λע²áÂë³öÀ´£¬ËùÒԵóöÁËÉÏÃæ
×¢²áÂëµÄÐÎʽ¡£
:00520745 33C0
xor eax, eax
:00520747 8945D0
mov dword ptr [ebp-30], eax
:0052074A EB09
jmp 00520755
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00520743(C)
|
:0052074C 40
inc eax
:0052074D 83C204
add edx, 00000004
:00520750 83F834
cmp eax, 00000034
:00520753 7CE8
jl 0052073D
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0052071A(C), :0052073B(C), :0052074A(U)
|
:00520755 66C745E80800 mov [ebp-18],
0008
:0052075B 8B45D0
mov eax, dword ptr [ebp-30]
:0052075E BA02000000 mov edx,
00000002
:00520763 50
push eax
:00520764 8D45FC
lea eax, dword ptr [ebp-04]
:00520767 FF4DF4
dec [ebp-0C]
:0052076A E8E9402D00 call 007F4858
:0052076F 58
pop eax
:00520770 8B55D8
mov edx, dword ptr [ebp-28]
:00520773 64891500000000 mov dword ptr fs:[00000000],
edx
:0052077A 5F
pop edi
:0052077B 5E
pop esi
:0052077C 5B
pop ebx
:0052077D 8BE5
mov esp, ebp
:0052077F 5D
pop ebp
:00520780 C3
ret
--End--------------------------------------------------------------------------------------------
×ܽáһϣºÈí¼þ×¢²áʱ²úÉúÒ»¸öΨһµÄ»úÆ÷Â룬ȻºóÓûúÆ÷ÂëËã³öÒ»¸öÊý¾Ý±í£¬ÔÙÓÃÒ»¸ö¹Ì¶¨µÄÊýFFFFFFF8ÒÀ´ÎºÍÊý¾Ý±íÖеÄÊýÏà¼õµÃ³öÕýÈ·µÄ×¢²áÂ룬¾ÍÕâô¼òµ¥¡£ÕýÈ·µÄ×¢²áÂëÊDZ£´æÔÚÈí¼þ°²×°Ä¿Â¼µÄsupercp.iniÀïµÄ¡£
3:58 2001-11-7
- ±ê Ì⣺²ÊƱ̽Ë÷ÕßÖ®ÉñͶÊÖ R2001.10.18Æƽâ~~~~~×£¸÷λºÃÔË (10ǧ×Ö)
- ×÷ ÕߣºSam.com
- ʱ ¼ä£º2001-11-7 5:54:12
- Á´ ½Ó£ºhttp://bbs.pediy.com