 • 标 题：PEDIY 之 我自己的FlashGet 面向初学者
  • 作 者：RoBa
  • 时 间：004-07-19,15:18
  • 链 接：http://bbs.pediy.com

PEDIY 之 我自己的FlashGet   面向初学者

FlashGet地球人都知道吧，偶可是从以前的JetCar一直用过来的。看它的宣传中颇为自豪的是对下载来的文件的管理功能，可以分成软件、游戏、音乐之类来安排。可是偶还是用得不太爽，像偶这样每天DOWN一堆乱七八糟东东的，几个月就能累积起几百个文件，不少珍贵或是超大的东东是绝对舍不得先删了等需要时再下的。于是乎在七八百个压缩包中寻找三天前下载的一份资料就成了我的必修课，痛苦啊~~~~~
×î½üºö·¢ÆæÏ룬FLASHGETµÄÎļþ¹ÜÀíÖ»ÊǼòµ¥µÄ°ÑÎļþ·Ö³ÉÁ˼¸À࣬ҪÊÇ°ÑÎļþ°´ÏÂÔصÄÈÕÆÚÀ´·Ö±ð·ÅÈ벻ͬµÄÎļþ¼Ð£¬Æñ²»ÊÇÊ®·Ö·½±ã£¿ÕýºÃ½è´ËÁ·Á·Å¼µÄReversing Engineer¡£
先确定大概的方向，FLASHGET有一个预先指定的下载目录，默认时为C:\downloads，如果下载时不加改变就会保存到这里，我们的目标就是根据不同的日期自动改变这个下载目录。
这个设定在什么地方呢，自己找找吧，INI文件里没有，注册表里~~~~找到乐！是HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Download default，里面有个"path"键值就是了。（我的FLASHGET版本为1.60，新版不知有没有变化）
怎么修改呢，我想的方法是在软件启动时从注册表读取信息之前把用系统日期表示的默认下载目录写进注册表中。先用C语言写个，看你的编程功力啦：

代码:
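/*
 * F - overwrite FlashGet's default download directory with one that
 * carries today's date, so each day's downloads land in their own folder.
 *
 * Writes the REG_SZ value "path" under
 *   HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Download default
 * with "D:\downloads\" followed by the locale's short date
 * (the author's machine produced "D:\downloads\04-7-19").
 *
 * No parameters, no return value. Any API failure returns early without
 * touching the value; in particular RegSetValueEx is no longer reached
 * with an unset hKey when RegCreateKeyEx fails.
 */
void F() {
    char path[30] = "D:\\downloads\\";   /* remaining bytes are zero padding */
    char date[10] = {0};
    DWORD dw;                             /* key disposition; not used further */
    HKEY hKey;

    /* Locale 0 and DATE_SHORTDATE, as in the original. The separator inside
       the date comes from the locale ('-' in the author's "04-7-19").
       NOTE(review): a locale whose short date uses '/' would turn the suffix
       into nested path components — confirm on the target machine. */
    if (GetDateFormat(0, DATE_SHORTDATE, NULL, NULL, date, sizeof(date)) == 0)
        return;

    /* prefix + date + NUL must fit; with these buffer sizes it always does,
       but the check keeps the strcat safe if either size is changed later */
    if (strlen(path) + strlen(date) + 1 > sizeof(path))
        return;
    strcat(path, date);

    /* Use the symbolic KEY_ALL_ACCESS: the macro masks off SYNCHRONIZE
       (0x00100000), so it evaluates to 0x000F003F, not the 0x001F003F
       obtained by simply adding up the KEY_* bits. */
    if (RegCreateKeyEx(HKEY_USERS,
                       ".DEFAULT\\Software\\JetCar\\JetCar\\Download default",
                       0, 0, REG_OPTION_VOLATILE, KEY_ALL_ACCESS, NULL,
                       &hKey, &dw) != ERROR_SUCCESS)
        return;

    /* cbData is the string plus its terminator. The original stored the
       whole 30-byte buffer (string + zero padding); the hand-patched
       listing further down pushes 0x30 = 48, which stores 48 bytes
       starting at the string, well past its terminator. */
    RegSetValueEx(hKey, "path", 0, REG_SZ, (const BYTE *)path,
                  (DWORD)(strlen(path) + 1));
    RegCloseKey(hKey);
}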

就把这个函数插进程序刚启动时就行了。呵呵~~~，往人家的程序写代码可不是那么简单的，先做一点准备工作，把需要的常量查出来（偶最讨厌这个！）
HKEY_USERS=80000003
DATE_SHORTDATE=1
REG_OPTION_VOLATILE=1
KEY_ALL_ACCESS=1F003F （这个是根据下面一堆值加出来的）
REG_SZ=1

/* Registry access-right bits as defined in winnt.h; each is a single flag
   and they are OR-ed together below. */
#define KEY_QUERY_VALUE         (0x0001)
#define KEY_SET_VALUE           (0x0002)
#define KEY_CREATE_SUB_KEY      (0x0004)
#define KEY_ENUMERATE_SUB_KEYS  (0x0008)
#define KEY_NOTIFY              (0x0010)
#define KEY_CREATE_LINK         (0x0020)

/* The standard rights; this value includes SYNCHRONIZE (0x00100000). */
#define STANDARD_RIGHTS_ALL              (0x001F0000L)

/* Note the trailing "& (~SYNCHRONIZE)": it clears bit 0x00100000, so the
   macro evaluates to 0x000F003F, not the 0x001F003F obtained by merely
   adding up the bits above. When hand-encoding the push for RegCreateKeyEx
   this is the value to use. */
#define KEY_ALL_ACCESS          ((STANDARD_RIGHTS_ALL        |\
                                  KEY_QUERY_VALUE            |\
                                  KEY_SET_VALUE              |\
                                  KEY_CREATE_SUB_KEY         |\
                                  KEY_ENUMERATE_SUB_KEYS     |\
                                  KEY_NOTIFY                 |\
                                  KEY_CREATE_LINK)            \
                                  &                           \
                                 (~SYNCHRONIZE))

找这个有什么用呢？在我们平时编程时候，不管用VC或是DELPHI还是MASM什么，都会包含一个有大量的常量定义的“头文件”，免去了记忆各种参数值的麻烦，可是现在我们几乎是用机器码写程序，你总不能在HIEW里写上PUSH REG_SZ吧（或许有高人能给HIEW扩充一下也说不定）。
³£Á¿¼ÇºÃûÓУ¬×¼±¸¹¤×÷»¹Ã»ÍêÄØ£¬ÕÒÕÒÎÒÃÇÓõ½µÄº¯ÊýµÄµØÖ·£¬ÓÃLordPE¾ÍºÜºÃ£¬¼ÇµÃÑ¡ÉÏÄǸöView always FirstThunk¡£ÆäÖÐGetDateFormatÕâ¸öº¯ÊýûÓУ¬ÓÃLordPE¼ÓÈëÒ²ºÜ·½±ãµÄ£¬ÔÚKERNEL32.DLLÀïÃæ¡£

GetDateFormat  [54001E]
RegCreateKeyEx  [4DC020]
RegSetValueEx  [4DC040]
RegCloseKey  [4DC028]
lstrcat    [4DC370]

好了，开始写代码了。我们在程序入口点处就强行跳转到后面的大片空白处写我们的代码：

原来的代码：
代码:
//******************** Program Entry Point ******** :0049DDF1 55                      push ebp :0049DDF2 8BEC                    mov ebp, esp :0049DDF4 6AFF                    push FFFFFFFF :0049DDF6 68A8AA4E00              push 004EAAA8 :0049DDFB 68DC214A00              push 004A21DC :0049DE00 64A100000000            mov eax, dword ptr fs:[00000000] :0049DE06 50                      push eax :0049DE07 64892500000000          mov dword ptr fs:[00000000], esp /////////////////////////////////////////////////////////// :004DBC38 B8C0055000              mov eax, 005005C0 :004DBC3D E999F8FBFF              jmp 0049B4DB :004DBC42 00000000000000000000    BYTE 10 DUP(0) :004DBC4C 00000000000000000000    BYTE 10 DUP(0) :004DBC56 00000000000000000000    BYTE 10 DUP(0) :004DBC60 00000000000000000000    BYTE 10 DUP(0) :004DBC6A 00000000000000000000    BYTE 10 DUP(0) :004DBC74 00000000000000000000    BYTE 10 DUP(0) :004DBC7E 00000000000000000000    BYTE 10 DUP(0) ÏÂÃæÊÇÔÚHIEWÀïÃæÑ¡EDITģʽʱӦÊäÈëµÄÐÎʽ£¬Òª×¢ÒâµÄµØ·½Ò»¿´¾ÍÃ÷°×ÁË£¬ÊäÈëÍêÒÔºó°´F9 Updateºó»áÓÐËù±ä»¯£¬ÕâÒ»µãÇë×¢Òâ¡£ 000DBC42: 6A0A                         push        00A 000DBC44: 6800BE4D00                   push        0004DBE00 ;" M?" 000DBC49: 6A00                         push        000 000DBC4B: 6A00                         push        000 000DBC4D: 6A01                         push        001 000DBC4F: 6A00                         push        000 000DBC51: FF151E005400                 call        d,[0054001E] 000DBC57: 680BBE4D00                   push        0004DBE0B ;" M?" 000DBC5C: 6810BE4D00                   push        0004DBE10 ;" M?" 000DBC61: 6A00                         push        000 000DBC63: 683F001F00                   push        0001F003F ;"  ?" 000DBC68: 6A01                         push        001 000DBC6A: 6A00                         push        000 000DBC6C: 6A00                         push        000 000DBC6E: 6896805000                   push        000508096 ;" P€? 
000DBC73: 6803000080                   push        080000003 ;"€  " 000DBC78: FF1520C04D00                 call        d,[004DC020] 000DBC7E: 6800BE4D00                   push        0004DBE00 ;" M?" 000DBC83: 68C7805000                   push        0005080C7 ;" P€? 000DBC88: FF1570C34D00                 call        d,[004DC370] 000DBC8E: 6A30                         push        030 000DBC90: 68C7805000                   push        0005080C7 ;" P€? 000DBC95: 6A01                         push        001 000DBC97: 6A00                         push        000 000DBC99: 6891805000                   push        000508091 ;" P€? 000DBC9E: FF3510BE4D00                 push        d,[004DBE10] 000DBCA4: FF1540C04D00                 call        d,[004DC040] 000DBCAA: FF3510BE4D00                 push        d,[004DBE10] 000DBCB0: FF1528C04D00                 call        d,[004DC028] 000DBCB6: 55                           push        ebp 000DBCB7: 8BEC                         mov         ebp,esp 000DBCB9: 6AFF                         push        0FF 000DBCBB: E93621FCFF                   jmp         00009DDF6 000DBCC0: 0000                         add         [eax],al 000DBCC2: 0000                         add         [eax],al ÏÂÃæÊÇÔÚW32DASMÀïµÄÑù×Ó£¬¼ÓÁË×¢ÊÍ£º //******************** Program Entry Point ******** :0049DDF1 E94CDE0300              jmp 004DBC42    ;Ìøµ½ºóÃæ * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004DBCBB(U) | :0049DDF6 68A8AA4E00              push 004EAAA8 :0049DDFB 68DC214A00              push 004A21DC :0049DE00 64A100000000            mov eax, dword ptr fs:[00000000] :0049DE06 50                      push eax :0049DE07 64892500000000          mov dword ptr fs:[00000000], esp /////////////////////////////////////////////////////////// :004DBC38 B8C0055000              mov eax, 005005C0 :004DBC3D E999F8FBFF              jmp 0049B4DB * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0049DDF1(U) | :004DBC42 
6A0A                    push 0000000A  ;»º³åÇøµÄ³¤¶È :004DBC44 6800BE4D00              push 004DBE00 ;·µ»ØµÄÈÕÆÚ×Ö´®µÄµØÖ· :004DBC49 6A00                    push 00000000 :004DBC4B 6A00                    push 00000000 :004DBC4D 6A01                    push 00000001 ;DATE_SHORTDATE,¶ÌÈÕÆÚ :004DBC4F 6A00                    push 00000000 :004DBC51 FF151E005400            call dword ptr [0054001E]  ;GetDateFormat :004DBC57 680BBE4D00              push 004DBE0B  ;·µ»ØÖµµÄµØÖ·,ûÓà :004DBC5C 6810BE4D00              push 004DBE10 ;hKeyµÄµØÖ·,ÖØÒª :004DBC61 6A00                    push 00000000 :004DBC63 683F001F00              push 001F003F ;KEY_ALL_ACCESS :004DBC68 6A01                    push 00000001 ;REG_OPTION_VOLATILE :004DBC6A 6A00                    push 00000000 :004DBC6C 6A00                    push 00000000 * Possible StringData Ref from Data Obj ->".DEFAULT\Software\JetCar\JetCar\Download "                                         ->"default"                                   | :004DBC6E 6896805000              push 00508096  ;´ò¿ªµÄ×Ó¼ü,×¢ÒâÏÈÔÚ[508096]ÕâÀïдºÃ :004DBC73 6803000080              push 80000003  ;HKEY_USERS :004DBC78 FF1520C04D00            call dword ptr [004DC020]  ;RegCreateKeyEx :004DBC7E 6800BE4D00              push 004DBE00  ;Ç°ÃæµÃµ½µÄϵͳÈÕÆÚ * Possible StringData Ref from Data Obj ->"D:\downloads\"                                   | :004DBC83 68C7805000              push 005080C7 ;Òª±£´æµÄÎļþ¼Ð,ÊÂÏÈдºÃ :004DBC88 FF1570C34D00            call dword ptr [004DC370]  ;lstrcat,×éºÏÆðÀ´ :004DBC8E 6A30                    push 00000030  ;»º³åÇø³¤¶È * Possible StringData Ref from Data Obj ->"D:\downloads\"                                   | :004DBC90 68C7805000              push 005080C7  ;×éºÏºóµÄÍêÕûĿ¼ :004DBC95 6A01                    push 00000001  ;REG_SZ :004DBC97 6A00                    push 00000000 * Possible StringData Ref from Data Obj ->"path"                                   | :004DBC99 6891805000              push 00508091  
;¼üÖµ,ÊÂÏÈдºÃ :004DBC9E FF3510BE4D00            push dword ptr [004DBE10]  ;hKey :004DBCA4 FF1540C04D00            call dword ptr [004DC040]  ;RegSetValueEx :004DBCAA FF3510BE4D00            push dword ptr [004DBE10]  ;hKey :004DBCB0 FF1528C04D00            call dword ptr [004DC028]  ;RegCloseKey :004DBCB6 55                      push ebp :004DBCB7 8BEC                    mov ebp, esp :004DBCB9 6AFF                    push FFFFFFFF  ;Ô­À´µÄ¿ªÍ·²¿·Ö :004DBCBB E93621FCFF              jmp 0049DDF6  ;·µ»Øච:004DBCC0 00000000000000000000    BYTE 10 DUP(0) :004DBCCA 00000000000000000000    BYTE 10 DUP(0)

写好了，运行一下，哈哈，默认目录自动改变成了D:\downloads\04-7-19这种形式,从此清清楚楚了.