• ExeIco V2.0
  • ±ê Ì⣺ͼ±ê¸ü»»Æ÷(ExeIco) V2.0Ëã·¨Êּǡ¡
  • ×÷ ÕߣºÀîåÐÒ£
  • ʱ ¼ä£º2003/07/26 03:58pm
  • Á´ ½Ó£ºhttp://bbs.pediy.com

ͼ±ê¸ü»»Æ÷(ExeIco) V2.0Ëã·¨ÊÖ¼Ç

»úÆ÷Â룺WZUT-CWZA-FELM-OPQR-EI20
¼Ù  Â룺1234-5678-90ab-cdef-hijk
Õæ  Â룺QEGO-GKKO-SOIA-SYMO-****

Ö÷ÎļþExeIco.exe£¬ASPack 2.001 -> Alexey SolodovnikovµÄ¿Ç£¬C++±à³Ì¡£×Ô¶¯ÍѿǺóÎÞ·¨ÔËÐС£¿´À´ÎÒÖ»ÓÐÓÃtrwÀ²¡£^_^

0187:0040C288 8D55FC           LEA      EDX,[EBP-04]    
0187:0040C28B FF32             PUSH     DWORD [EDX]    //¼ÙÂëѹջ
0187:0040C28D E812070000       CALL     0040C9A4     //Ëã·¨call£¬¸ú½ø
0187:0040C292 59               POP      ECX
0187:0040C293 8B0D88DD4A00     MOV      ECX,[004ADD88]
0187:0040C299 8B11             MOV      EDX,[ECX]
0187:0040C29B 888285030000     MOV      [EDX+0385],AL
0187:0040C2A1 FF4DD4           DEC      DWORD [EBP-2C]
0187:0040C2A4 8D45FC           LEA      EAX,[EBP-04]
0187:0040C2A7 BA02000000       MOV      EDX,02
0187:0040C2AC E8BF230800       CALL     0048E670
0187:0040C2B1 A188DD4A00       MOV      EAX,[004ADD88]
0187:0040C2B6 8B08             MOV      ECX,[EAX]
0187:0040C2B8 80B98503000000   CMP      BYTE [ECX+0385],00
0187:0040C2BF 0F846A010000     JZ       NEAR 0040C42F     //ÏÂr fl zÌáʾע²á³É¹¦¡£
0187:0040C2C5 66C745C81400     MOV      WORD [EBP-38],14

***************************************************************

¸ú½ø0040C28D E812070000       CALL     0040C9A4 ´Ëcall£º

* Referenced by a CALL at Addresses:
|:0040C28D   , :0040D00D  
|
:0040C9A4 55                      push ebp
:0040C9A5 8BEC                    mov ebp, esp
:0040C9A7 81C42CFFFFFF            add esp, FFFFFF2C
:0040C9AD 56                      push esi
:0040C9AE 57                      push edi
:0040C9AF B8EC6D4A00              mov eax, 004A6DEC
:0040C9B4 E84B6C0700              call 00483604
:0040C9B9 C745F801000000          mov [ebp-08], 00000001
:0040C9C0 8D5508                  lea edx, dword ptr [ebp+08]     //È¡¼ÙÂëËÍedx
:0040C9C3 8D4508                  lea eax, dword ptr [ebp+08]
:0040C9C6 E8D91B0800              call 0048E5A4
:0040C9CB FF45F8                  inc [ebp-08]
:0040C9CE 66C745EC0800            mov [ebp-14], 0008
:0040C9D4 C645DB00                mov [ebp-25], 00
:0040C9D8 837D0800                cmp dword ptr [ebp+08], 00000000    //±È½Ï×¢²áÂëÊÇ·ñÊäÈë¡£
:0040C9DC 7408                    je 0040C9E6     //ûÓÐÔòover
:0040C9DE 8B5508                  mov edx, dword ptr [ebp+08]   //ecx=¼ÙÂë
:0040C9E1 8B4AFC                  mov ecx, dword ptr [edx-04]     //ecx=¼ÙÂëµÄλÊý0x18h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C973(C)
|
:0040C9E4 EB02                    jmp 0040C9E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C9DC(C)
|
:0040C9E6 33C9                    xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C9E4(U)
|
:0040C9E8 83F918                  cmp ecx, 00000018      //±È½Ï×¢²áÂëÊÇ·ñ24λ
:0040C9EB 0F8590000000            jne 0040CA81      //²»µÈÔòover

* Possible StringData Ref from Data Obj ->"1z1h+2a0n-0g8y*9a1n|"
                                 |
:0040C9F1 BEC1684A00              mov esi, 004A68C1      //ÃÜÂë±íѹջ
:0040C9F6 8D7D84                  lea edi, dword ptr [ebp-7C]
:0040C9F9 B905000000              mov ecx, 00000005
:0040C9FE F3                      repz
:0040C9FF A5                      movsd
:0040CA00 A4                      movsb

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C996(C)
|
:0040CA01 837D0800                cmp dword ptr [ebp+08], 00000000     //ÔٴαȽÏ×¢²áÂëÊäÈëÁËûÓÐ
:0040CA05 7405                    je 0040CA0C      //ûÓÐÔòover
:0040CA07 8B4508                  mov eax, dword ptr [ebp+08]     //eax=¼ÙÂë
:0040CA0A EB05                    jmp 0040CA11

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CA05(C)
|
:0040CA0C B84D694A00              mov eax, 004A694D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CA0A(U)
|
:0040CA11 50                      push eax     //¼ÙÂëѹջ
:0040CA12 8D559C                  lea edx, dword ptr [ebp-64]
:0040CA15 52                      push edx
:0040CA16 E845690700              call 00483360
:0040CA1B 83C408                  add esp, 00000008
:0040CA1E C645DB01                mov [ebp-25], 01
:0040CA22 33C9                    xor ecx, ecx      //ecxÇåÁã
:0040CA24 894DD4                  mov dword ptr [ebp-2C], ecx    //[ebp-2c]ÖÃ0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CA7F(C)
|
:0040CA27 8B45D4                  mov eax, dword ptr [ebp-2C]     //eax=0
:0040CA2A 40                      inc eax     //eax¼Ó1
:0040CA2B B905000000              mov ecx, 00000005     //ecx=5
:0040CA30 99                      cdq
:0040CA31 F7F9                    idiv ecx
:0040CA33 85D2                    test edx, edx
:0040CA35 7441                    je 0040CA78     //µ±eax¿ÉÒÔ±»5Õû³ýµÄʱºòÔòÌø£¬Ò²¾ÍÊÇ×Ö·û¡°-¡±²»ÔÚ×¢²áÂë¼ÆËãÖ®ÄÚ¡£
:0040CA37 8B45D4                  mov eax, dword ptr [ebp-2C]    //eax=[ebp-2c]
:0040CA3A 8A9028384B00            mov dl, byte ptr [eax+004B3828]     //ÒÀ´ÎÈ¡»úÆ÷Âë×Ö·û(³ý×Ö·û¡°-¡±ÒÔÍâ)µÄhexÖµËÍdl:57,5A,55,54,43¡£¡£¡£¡£(ÂÔ)
:0040CA40 8B4DD4                  mov ecx, dword ptr [ebp-2C]     //ecx=[ebp-2c]
:0040CA43 32540D84                xor dl, byte ptr [ebp+ecx-7C]     //dlºÍ±íÖжÔӦλÊýµÄ×Ö·ûÒì»ò£¬Èç57 xor 31£¬43 xor 32£¬¡£¡£¡£¡£¡£(ÂÔ)

¡ó¡ó¡ó¡ô¡ô¡ôÏÂÃæÊÇÄÚ´æÖеÄ×Ö·û±í¡ó¡ó¡ó¡ô¡ô¡ô
¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù
018F:004A68C1 31 7A 31 68 2B 32 61 30-6E 2D 30 67 38 79 2A 39 1z1h+2a0n-0g8y*9
018F:004A68D1 61 31 6E 7C 00 31 7A 31-68 2B 32 61 30 6E 2D 30 a1n|.1z1h+2a0n-0
018F:004A68E1 67 38 79 2A 39 61 31 6E-7C 00 00 FF FF FF FF 53 g8y*9a1n|..ÿÿÿ
¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù¡ù

:0040CA47 0FBEC2                  movsx eax, dl     //Òì»òºóµÄÖµËÍeax
:0040CA4A 8945D0                  mov dword ptr [ebp-30], eax
:0040CA4D 8B45D0                  mov eax, dword ptr [ebp-30]    
:0040CA50 99                      cdq      //edxÇåÁã
:0040CA51 33C2                    xor eax, edx     //eaxºÍ0Òì»ò
:0040CA53 2BC2                    sub eax, edx     //eax=eax-0
:0040CA55 69C0F00A0000            imul eax, 00000AF0      //eax=eax *0xAF0h
:0040CA5B B91A000000              mov ecx, 0000001A      //ecx=1A
:0040CA60 99                      cdq  
:0040CA61 F7F9                    idiv ecx      //eax ³ýÒÔ ecx
:0040CA63 83C241                  add edx, 00000041     //edx=ÓàÊý
+0x41h£¬ËûµÄ×Ö·ûÐÎʽ¾ÍÊÇÿһλµÄ×¢²áÂë
:0040CA66 8B45D4                  mov eax, dword ptr [ebp-2C]
:0040CA69 0FBE4C059C              movsx ecx, byte ptr [ebp+eax-64]    //ÒÀ´ÎÈ¡¶ÔÓ¦»úÆ÷ÂëλÖõļÙÂë×Ö·ûµÄhexÖµËÍecx
:0040CA6E 3BD1                    cmp edx, ecx     //¹Ø¼ü±È½Ï
:0040CA70 7406                    je 0040CA78      //ÏàµÈÔòÌø£¬ÓÐһλ²»µÈÔòover
:0040CA72 C645DB00                mov [ebp-25], 00
:0040CA76 EB09                    jmp 0040CA81

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CA35(C), :0040CA70(C)
|
:0040CA78 FF45D4                  inc [ebp-2C]    //¼ÆÊýÆ÷[ebp-2C]¼Ó1
:0040CA7B 837DD414                cmp dword ptr [ebp-2C], 00000014
:0040CA7F 7CA6                    jl 0040CA27     //±È½Ï20´Î£¬Ò²¾ÍÊÇÖ»Òª±È½Ï×¢²áÂëµÄÇ°20(d)룬ºó4λÊÇÈÎÒâÊý×Ö»ò×Öĸ¡£

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040C9EB(C), :0040CA76(U)
|
:0040CA81 837D0800                cmp dword ptr [ebp+08], 00000000
:0040CA85 7408                    je 0040CA8F
:0040CA87 8B5508                  mov edx, dword ptr [ebp+08]
:0040CA8A 8B42FC                  mov eax, dword ptr [edx-04]
:0040CA8D EB02                    jmp 0040CA91

Ëã·¨×ܽ᣺
×¢²áÂë×ܹ²Îª24(d)룬¸ñʽΪxxxx-xxxx-xxxx-xxxx-xxxxµÄÐÎʽ£¬ÆäÖÐ×îºóËÄλΪÈÎÒâ×Ö·û¡£
»úÆ÷ÂëÇ°20(d)λÿһ¸ö×Ö·û(³ý×Ö·û¡°-¡±ÒÔÍâ)µÄhexÖµºÍÃÜÂë±í¡°1z1h+2a0n-0g8y*9a1n|¡±ÖжÔÓ¦µÄλÖÃ×Ö·ûµÄhexÖµÒì»ò£¬µÃµ½µÄÖµ³ËÒÔ0xAF0h£¬Ôٴεõ½µÄÖµ³ýÒÔ0x1AhµÄÓàÊý¼ÓÉÏ0x41h£¬Õâ¸öÖµ¶ÔÓ¦µÄ×Ö·û¾ÍÊÇÕâһλÉϵÄ×¢²áÂë¡£

     
                                                  ÀîåÐÒ£[cschina]
                                                     2003.07.25