PEDIY: My Own FlashGet (for beginners)
Everyone on the planet knows FlashGet, right? I have been using it since the days when it was still called JetCar. Its publicity is rather proud of how it manages downloaded files: you can sort them into categories such as software, games and music. Still, I never found that entirely comfortable. Someone like me who downloads a pile of random stuff every day accumulates several hundred files within a few months, and many of them are precious or simply huge, things I would never delete and re-download later when needed. So digging through seven or eight hundred archives for a document I downloaded three days ago became a regular chore for me. Painful~~~~~
Recently I had a sudden idea: FlashGet's file management merely splits files into a few categories. If files were instead put into different folders according to their download date, wouldn't that be far more convenient? And it is a good chance to practise my reverse engineering.
First, settle on the general direction. FlashGet has a preset download directory, C:\downloads by default; if you don't change it when downloading, files are saved there. Our goal is to change this download directory automatically according to the date.
Where is this setting stored? Go and look for it yourself: it's not in the INI file; in the registry~~~~ found it! It's HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Download default, and the "path" value inside that key is the one we want. (My FlashGet version is 1.60; I don't know whether this has changed in newer versions.)
How do we modify it? The method I came up with: when the program starts, before it reads its settings from the registry, write a default download directory built from the system date into the registry. Let's write it in C first; let's see your programming skills:
Code:
#include <windows.h>
#include <string.h>

/* Writes "D:\downloads\<today's short date>" into FlashGet's "path" value. */
void F()
{
    char path[64] = "D:\\downloads\\";   /* room for the prefix plus the date string */
    char date[16] = {0};
    DWORD dw;
    HKEY hKey;

    /* Short date in the current user's format, e.g. 04-7-19; locale 0 as in the listing below */
    GetDateFormat(0, DATE_SHORTDATE, NULL, NULL, date, sizeof(date));
    if (RegCreateKeyEx(HKEY_USERS, ".DEFAULT\\Software\\JetCar\\JetCar\\Download default", 0, NULL,
                       REG_OPTION_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dw) != ERROR_SUCCESS)
        return;
    strcat(path, date);
    /* cbData is the string length plus the terminating NUL, not the buffer size */
    RegSetValueEx(hKey, "path", 0, REG_SZ, (const BYTE *)path, (DWORD)strlen(path) + 1);
    RegCloseKey(hKey);
}
Just insert this function at the point where the program has only just started, and that's it. Hehe~~~, but writing code into somebody else's program isn't that simple. First some preparation: look up the constants we need (the thing I hate most!)
HKEY_USERS=80000003
DATE_SHORTDATE=1
REG_OPTION_VOLATILE=1
KEY_ALL_ACCESS=1F003F (this one is obtained by adding up the values below)
REG_SZ=1
#define KEY_QUERY_VALUE (0x0001)
#define KEY_SET_VALUE (0x0002)
#define KEY_CREATE_SUB_KEY (0x0004)
#define KEY_ENUMERATE_SUB_KEYS (0x0008)
#define KEY_NOTIFY (0x0010)
#define KEY_CREATE_LINK (0x0020)
#define STANDARD_RIGHTS_ALL (0x001F0000L)
#define KEY_ALL_ACCESS ((STANDARD_RIGHTS_ALL |\
KEY_QUERY_VALUE |\
KEY_SET_VALUE |\
KEY_CREATE_SUB_KEY |\
KEY_ENUMERATE_SUB_KEYS |\
KEY_NOTIFY |\
KEY_CREATE_LINK) \
& \
(~SYNCHRONIZE))
What is the point of looking these up? When we program normally, whether in VC, Delphi or MASM, we include a "header file" containing a large number of constant definitions, which saves us from memorising the values of all the parameters. But now we are practically writing the program in machine code, and you can hardly type PUSH REG_SZ into HIEW (perhaps some expert could extend HIEW to allow it, who knows).
Got the constants memorised? The preparation isn't over yet: next find the addresses of the functions we use. LordPE does this nicely; remember to tick "View always FirstThunk". GetDateFormat is not among the imports, but adding it with LordPE is easy too; it lives in KERNEL32.DLL.
GetDateFormat [54001E]
RegCreateKeyEx [4DC020]
RegSetValueEx [4DC040]
RegCloseKey [4DC028]
lstrcat [4DC370]
OK, let's start writing the code. At the program entry point we force a jump to the large blank area further on in the file and write our code there:
The original code:
Code:
//******************** Program Entry Point ********
:0049DDF1 55                      push ebp
:0049DDF2 8BEC                    mov ebp, esp
:0049DDF4 6AFF                    push FFFFFFFF
:0049DDF6 68A8AA4E00              push 004EAAA8
:0049DDFB 68DC214A00              push 004A21DC
:0049DE00 64A100000000            mov eax, dword ptr fs:[00000000]
:0049DE06 50                      push eax
:0049DE07 64892500000000          mov dword ptr fs:[00000000], esp
///////////////////////////////////////////////////////////
:004DBC38 B8C0055000              mov eax, 005005C0
:004DBC3D E999F8FBFF              jmp 0049B4DB
:004DBC42 00000000000000000000    BYTE 10 DUP(0)
:004DBC4C 00000000000000000000    BYTE 10 DUP(0)
:004DBC56 00000000000000000000    BYTE 10 DUP(0)
:004DBC60 00000000000000000000    BYTE 10 DUP(0)
:004DBC6A 00000000000000000000    BYTE 10 DUP(0)
:004DBC74 00000000000000000000    BYTE 10 DUP(0)
:004DBC7E 00000000000000000000    BYTE 10 DUP(0)

Below is the form you should type in HIEW's EDIT mode; the points to watch are obvious at a glance. Note that after you finish typing and press F9 (Update) the display changes somewhat.

000DBC42: 6A0A            push 00A
000DBC44: 6800BE4D00      push 0004DBE00
000DBC49: 6A00            push 000
000DBC4B: 6A00            push 000
000DBC4D: 6A01            push 001
000DBC4F: 6A00            push 000
000DBC51: FF151E005400    call d,[0054001E]
000DBC57: 680BBE4D00      push 0004DBE0B
000DBC5C: 6810BE4D00      push 0004DBE10
000DBC61: 6A00            push 000
000DBC63: 683F001F00      push 0001F003F
000DBC68: 6A01            push 001
000DBC6A: 6A00            push 000
000DBC6C: 6A00            push 000
000DBC6E: 6896805000      push 000508096
000DBC73: 6803000080      push 080000003
000DBC78: FF1520C04D00    call d,[004DC020]
000DBC7E: 6800BE4D00      push 0004DBE00
000DBC83: 68C7805000      push 0005080C7
000DBC88: FF1570C34D00    call d,[004DC370]
000DBC8E: 6A30            push 030
000DBC90: 68C7805000      push 0005080C7
000DBC95: 6A01            push 001
000DBC97: 6A00            push 000
000DBC99: 6891805000      push 000508091
000DBC9E: FF3510BE4D00    push d,[004DBE10]
000DBCA4: FF1540C04D00    call d,[004DC040]
000DBCAA: FF3510BE4D00    push d,[004DBE10]
000DBCB0: FF1528C04D00    call d,[004DC028]
000DBCB6: 55              push ebp
000DBCB7: 8BEC            mov ebp,esp
000DBCB9: 6AFF            push 0FF
000DBCBB: E93621FCFF      jmp 00009DDF6
000DBCC0: 0000            add [eax],al
000DBCC2: 0000            add [eax],al

Below is how it looks in W32DASM, with comments added:

//******************** Program Entry Point ********
:0049DDF1 E94CDE0300              jmp 004DBC42                      ;jump to the cave

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DBCBB(U)
|
:0049DDF6 68A8AA4E00              push 004EAAA8
:0049DDFB 68DC214A00              push 004A21DC
:0049DE00 64A100000000            mov eax, dword ptr fs:[00000000]
:0049DE06 50                      push eax
:0049DE07 64892500000000          mov dword ptr fs:[00000000], esp
///////////////////////////////////////////////////////////
:004DBC38 B8C0055000              mov eax, 005005C0
:004DBC3D E999F8FBFF              jmp 0049B4DB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049DDF1(U)
|
:004DBC42 6A0A                    push 0000000A                     ;buffer length
:004DBC44 6800BE4D00              push 004DBE00                     ;address of the returned date string
:004DBC49 6A00                    push 00000000
:004DBC4B 6A00                    push 00000000
:004DBC4D 6A01                    push 00000001                     ;DATE_SHORTDATE, short date
:004DBC4F 6A00                    push 00000000
:004DBC51 FF151E005400            call dword ptr [0054001E]         ;GetDateFormat
:004DBC57 680BBE4D00              push 004DBE0B                     ;address for the disposition value, unused
:004DBC5C 6810BE4D00              push 004DBE10                     ;address of hKey, important
:004DBC61 6A00                    push 00000000
:004DBC63 683F001F00              push 001F003F                     ;KEY_ALL_ACCESS
:004DBC68 6A01                    push 00000001                     ;REG_OPTION_VOLATILE
:004DBC6A 6A00                    push 00000000
:004DBC6C 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->".DEFAULT\Software\JetCar\JetCar\Download "
                                        ->"default"
|
:004DBC6E 6896805000              push 00508096                     ;subkey to open; write the string at [508096] beforehand
:004DBC73 6803000080              push 80000003                     ;HKEY_USERS
:004DBC78 FF1520C04D00            call dword ptr [004DC020]         ;RegCreateKeyEx
:004DBC7E 6800BE4D00              push 004DBE00                     ;the system date obtained above

* Possible StringData Ref from Data Obj ->"D:\downloads\"
|
:004DBC83 68C7805000              push 005080C7                     ;the folder to save into, written beforehand
:004DBC88 FF1570C34D00            call dword ptr [004DC370]         ;lstrcat, join the two
:004DBC8E 6A30                    push 00000030                     ;buffer length

* Possible StringData Ref from Data Obj ->"D:\downloads\"
|
:004DBC90 68C7805000              push 005080C7                     ;the complete directory after joining
:004DBC95 6A01                    push 00000001                     ;REG_SZ
:004DBC97 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"path"
|
:004DBC99 6891805000              push 00508091                     ;value name, written beforehand
:004DBC9E FF3510BE4D00            push dword ptr [004DBE10]         ;hKey
:004DBCA4 FF1540C04D00            call dword ptr [004DC040]         ;RegSetValueEx
:004DBCAA FF3510BE4D00            push dword ptr [004DBE10]         ;hKey
:004DBCB0 FF1528C04D00            call dword ptr [004DC028]         ;RegCloseKey
:004DBCB6 55                      push ebp
:004DBCB7 8BEC                    mov ebp, esp
:004DBCB9 6AFF                    push FFFFFFFF                     ;the original opening instructions
:004DBCBB E93621FCFF              jmp 0049DDF6                      ;and back we go
:004DBCC0 00000000000000000000    BYTE 10 DUP(0)
:004DBCCA 00000000000000000000    BYTE 10 DUP(0)
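Hand-typing machine code in HIEW is where mistakes creep in: an argument pushed in the wrong order, a jmp displacement computed from the wrong base, or a constant that does not match the header. The following Python script is an added example (not code from the original post) that encodes the handful of instructions the patch uses, assembles the cave from the API calls and the addresses in the listings above, and lets you compare the result byte for byte with what was typed. It assumes an image base of 0x400000 with the file offset equal to the RVA for this section (which is what VA 004DBC42 versus HIEW offset 000DBC42 shows), and it uses the winnt.h value SYNCHRONIZE = 0x00100000, which the post does not list; because the macro ends in `& (~SYNCHRONIZE)`, evaluating it as printed gives 0x0F003F, while the patch pushes the plain sum 0x1F003F, and the script computes both so the difference is visible. Arguments given as `("mem", addr)` become `push dword ptr [addr]`, everything else `push imm`.

```python
# Added example: tiny encoder for the instructions used in the FlashGet patch.
import struct

# Assumption: image base 0x400000 and file offset == RVA for this section.
IMAGE_BASE = 0x400000
# Assumption (winnt.h): SYNCHRONIZE is not listed in the post.
SYNCHRONIZE = 0x00100000

# Addresses and constants exactly as they appear in the post's listings.
IAT_GetDateFormat, IAT_RegCreateKeyEx = 0x54001E, 0x4DC020
IAT_RegSetValueEx, IAT_RegCloseKey, IAT_lstrcat = 0x4DC040, 0x4DC028, 0x4DC370
DATE_BUF, DISP_BUF, HKEY_SLOT = 0x4DBE00, 0x4DBE0B, 0x4DBE10     # scratch data after the code
SUBKEY_STR, VALUE_NAME_STR, DIR_STR = 0x508096, 0x508091, 0x5080C7  # strings written beforehand
HKEY_USERS, DATE_SHORTDATE, REG_OPTION_VOLATILE, REG_SZ = 0x80000003, 1, 1, 1
ENTRY, CAVE, RESUME = 0x49DDF1, 0x4DBC42, 0x49DDF6


def key_all_access(apply_synchronize_mask=True):
    """Evaluate the KEY_ALL_ACCESS macro from the #define list in the post."""
    bits = 0x001F0000 | 0x01 | 0x02 | 0x04 | 0x08 | 0x10 | 0x20
    return bits & ~SYNCHRONIZE if apply_synchronize_mask else bits


def push_imm(value):
    """push imm: 6A ib when the value fits a sign-extended byte, otherwise 68 id."""
    if value > 0x7FFFFFFF:          # treat e.g. 0xFFFFFFFF as -1
        value -= 1 << 32
    if -128 <= value <= 127:
        return b"\x6A" + struct.pack("<b", value)
    return b"\x68" + struct.pack("<I", value & 0xFFFFFFFF)


def push_mem32(addr):
    """push dword ptr [addr]: FF 35 disp32."""
    return b"\xFF\x35" + struct.pack("<I", addr)


def call_mem32(addr):
    """call dword ptr [addr] through an import table slot: FF 15 disp32."""
    return b"\xFF\x15" + struct.pack("<I", addr)


def jmp_rel32(at, target):
    """jmp rel32: E9 plus the displacement measured from the end of this 5-byte jmp."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def stdcall(args, iat_slot):
    """Push the arguments right-to-left, then call through the IAT slot."""
    code = b""
    for a in reversed(args):
        code += push_mem32(a[1]) if isinstance(a, tuple) else push_imm(a)
    return code + call_mem32(iat_slot)


def assemble_cave():
    """The code written at CAVE, in the order the post's listing shows it."""
    code = b""
    # GetDateFormat(0, DATE_SHORTDATE, NULL, NULL, DATE_BUF, 10)
    code += stdcall([0, DATE_SHORTDATE, 0, 0, DATE_BUF, 10], IAT_GetDateFormat)
    # RegCreateKeyEx(HKEY_USERS, subkey, 0, NULL, VOLATILE, 0x1F003F, NULL, &hKey, &disp)
    code += stdcall([HKEY_USERS, SUBKEY_STR, 0, 0, REG_OPTION_VOLATILE,
                     key_all_access(apply_synchronize_mask=False), 0, HKEY_SLOT, DISP_BUF],
                    IAT_RegCreateKeyEx)
    # lstrcat(DIR_STR, DATE_BUF): no length check, so the data after "D:\downloads\"
    # must have at least the 10 bytes GetDateFormat was told it may write.
    code += stdcall([DIR_STR, DATE_BUF], IAT_lstrcat)
    # RegSetValueEx(hKey, "path", 0, REG_SZ, DIR_STR, 0x30)
    code += stdcall([("mem", HKEY_SLOT), VALUE_NAME_STR, 0, REG_SZ, DIR_STR, 0x30],
                    IAT_RegSetValueEx)
    # RegCloseKey(hKey)
    code += stdcall([("mem", HKEY_SLOT)], IAT_RegCloseKey)
    # Replay the five entry-point bytes the hook overwrote, then jump back.
    code += b"\x55" + b"\x8B\xEC" + push_imm(0xFFFFFFFF)
    code += jmp_rel32(CAVE + len(code), RESUME)
    return code


def assemble_entry_hook():
    """The 5-byte jmp that replaces push ebp / mov ebp,esp / push -1 at the entry point."""
    return jmp_rel32(ENTRY, CAVE)


def va_to_file_offset(va):
    """Where HIEW's file-offset view shows a given virtual address (see assumption above)."""
    return va - IMAGE_BASE


if __name__ == "__main__":
    print("entry hook :", assemble_entry_hook().hex().upper())
    print("cave bytes :", assemble_cave().hex().upper())
    print("cave length:", hex(len(assemble_cave())))
    print("KEY_ALL_ACCESS as summed: %#x, as the macro evaluates: %#x"
          % (key_all_access(False), key_all_access()))
```

The entry hook assembles to E94CDE0300 and the cave occupies 0x7E bytes ending in E93621FCFF, matching both listings; the checks a practitioner gets for free here are that every call pushes the right number of arguments, that the two jmp displacements are measured from the end of the jmp rather than its start, and that the bytes overwritten at the entry point are replayed before control returns to 0049DDF6.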
Done. Run it and, haha, the default directory changes automatically to the form D:\downloads\04-7-19. Everything is neat and clear from now on.