Spy Emergency 2005
http://www.download.com/Spy-Emergency-2005/3000-8022_4-10450742.html?tag=lst-0-1
Spy Emergency 2005 is antispyware software that quickly and
securely removes spyware and other Internet infections, including
spyware, adware, malware, home-page hijackers, remote administration
tools, dialers, and keyloggers.
Version 2.0.310 adds Spanish translation.
无壳食之有味(呵呵,没出息)
搜索字符参考就可以找到这里了,很敏感的提示
00410DA3 . >call SpyEmerg.004115F0 ; [xp-sp2-x002]
00410DA8 . >sub esp, 0C
00410DAB . >test eax, eax ; |
00410DAD . >mov dword ptr ss:[esp+14], esp ; |
00410DB1 . >jnz short SpyEmerg.00410DE8 ; | 这个判断让我不得不看上面的call [xp-sp2-x002]
00410DB3 . >mov ecx, esp ; |
00410DB5 . >push SpyEmerg.004B9D78 ; |/Arg4 = 004B9D78 ASCII "Invalid serial number! Please enter correct
00410DBA . >push SpyEmerg.004B9D68 ; ||Arg3 = 004B9D68 ASCII "DL_N_101_261"
00410DBF . >push SpyEmerg.004B8940 ; ||Arg2 = 004B8940 ASCII "Language"
00410DC4 . >push ecx ; ||Arg1
00410DC5 . >lea ecx, dword ptr ds:[esi+650] ; ||
00410DCB . >call SpyEmerg.004026A0 ; |\SpyEmerg.004026A0
00410DD0 . >lea ecx, dword ptr ss:[esp+44] ; |
00410DD4 . >call SpyEmerg.00410FC0 ; \SpyEmerg.00410FC0
00410DD9 . >mov byte ptr ss:[esp+344], 5
00410DE1 . >push 0BE
00410DE6 . >jmp short SpyEmerg.00410E1B
00410DE8 > >mov edx, esp ; |
00410DEA . >push SpyEmerg.004B9D20 ; |/Arg4 = 004B9D20 ASCII "Your version of Spy Emergency 2004 has been
00410DEF . >push SpyEmerg.004B9D0C ; ||Arg3 = 004B9D0C ASCII "DL_N_101_262"
00410DF4 . >push SpyEmerg.004B8940 ; ||Arg2 = 004B8940 ASCII "Language"
00410DF9 . >push edx ; ||Arg1
00410DFA . >lea ecx, dword ptr ds:[esi+650] ; ||
00410E00 . >call SpyEmerg.004026A0 ; |\SpyEmerg.004026A0
00410E05 . >lea ecx, dword ptr ss:[esp+44] ; |
00410E09 . >call SpyEmerg.00410FC0 ; \SpyEmerg.00410FC0
00410E0E . >mov byte ptr ss:[esp+344], 6
00410E16 . >push 0C7
00410E1B > >lea ecx, dword ptr ss:[esp+3C]
===== [xp-sp2-x002]===================
004115F0 $ >push ebp
004115F1 . >mov ebp, esp
004115F3 . >push -1
004115F5 . >push SpyEmerg.004B0368 ; SE handler installation
004115FA . >mov eax, dword ptr fs:[0]
00411600 . >push eax
00411601 . >mov dword ptr fs:[0], esp
00411608 . >sub esp, 68
0041160B . >push ebx
0041160C . >push esi
0041160D . >push edi
0041160E . >mov esi, ecx
00411610 . >mov dword ptr ss:[ebp-10], esp
00411613 . >mov dword ptr ss:[ebp-14], esi
00411616 . >mov dword ptr ss:[ebp-4], 0
0041161D . >lea eax, dword ptr ss:[ebp-34]
00411620 . >push eax ; /Arg1
00411621 . >mov byte ptr ss:[ebp-4], 3 ; |
00411625 . >call SpyEmerg.0040E470 ; \SpyEmerg.0040E470
0041162A . >push SpyEmerg.004B9EE4 ; ASCII "\Infiltration\SpyEmergency.pfa"
0041162F . >lea ecx, dword ptr ss:[ebp-34]
00411632 . >mov byte ptr ss:[ebp-4], 4
00411636 . >call SpyEmerg.00442BF0
0041163B . >lea ecx, dword ptr ss:[ebp-28]
0041163E . >call SpyEmerg.00401BB0
00411643 . >mov eax, dword ptr ss:[ebp-30]
00411646 . >test eax, eax
00411648 . >mov byte ptr ss:[ebp-4], 5
0041164C . >jnz short SpyEmerg.00411653
0041164E . >mov eax, SpyEmerg.004B8630
00411653 > >push eax ; /Arg1
00411654 . >lea ecx, dword ptr ss:[ebp-28] ; |
00411657 . >call SpyEmerg.00401D40 ; \SpyEmerg.00401D40
0041165C . >or edi, FFFFFFFF
0041165F . >push edi
00411660 . >push SpyEmerg.004B9EC0 ; ASCII "select * from infiltration_serial;"
00411665 . >lea ecx, dword ptr ss:[ebp-4C]
00411668 . >call SpyEmerg.00442D80
0041166D . >mov eax, dword ptr ss:[ebp-48]
00411670 . >test eax, eax
00411672 . >mov byte ptr ss:[ebp-4], 6
00411676 . >jnz short SpyEmerg.0041167D
00411678 . >mov eax, SpyEmerg.004B8630
0041167D > >push eax
0041167E . >lea ecx, dword ptr ss:[ebp-74]
00411681 . >push ecx
00411682 . >lea ecx, dword ptr ss:[ebp-28]
00411685 . >call SpyEmerg.004021B0
0041168A . >mov byte ptr ss:[ebp-4], 7
0041168E . >mov bl, 8
00411690 > >lea ecx, dword ptr ss:[ebp-74]
00411693 . >call SpyEmerg.00402010
00411698 . >test al, al
0041169A . >jnz SpyEmerg.00411721
004116A0 . >push SpyEmerg.004B8630
004116A5 . >push 1
004116A7 . >lea ecx, dword ptr ss:[ebp-74]
004116AA . >call SpyEmerg.00402330
004116AF . >push edi
004116B0 . >push eax
004116B1 . >lea ecx, dword ptr ss:[ebp-40]
004116B4 . >call SpyEmerg.00442D80
004116B9 . >lea edx, dword ptr ss:[ebp+20]
004116BC . >push edx
004116BD . >lea ecx, dword ptr ss:[ebp-40]
004116C0 . >mov byte ptr ss:[ebp-4], bl
004116C3 . >call SpyEmerg.004421A0
004116C8 . >test eax, eax
004116CA . >je short SpyEmerg.00411708
004116CC . >lea ecx, dword ptr ss:[ebp-40]
004116CF . >mov byte ptr ss:[ebp-4], 7
004116D3 . >call SpyEmerg.00442110
004116D8 . >lea ecx, dword ptr ss:[ebp-74]
004116DB . >mov byte ptr ss:[ebp-4], 6
004116DF . >call SpyEmerg.00401ED0
004116E4 . >lea ecx, dword ptr ss:[ebp-4C]
004116E7 . >mov byte ptr ss:[ebp-4], 5
004116EB . >call SpyEmerg.00442110
004116F0 . >lea ecx, dword ptr ss:[ebp-28]
004116F3 . >mov byte ptr ss:[ebp-4], 4
004116F7 . >call SpyEmerg.00401D10
004116FC . >mov byte ptr ss:[ebp-4], 3
00411700 . >lea ecx, dword ptr ss:[ebp-34]
00411703 . >jmp SpyEmerg.0041197C
00411708 > >lea ecx, dword ptr ss:[ebp-74]
0041170B . >call SpyEmerg.00402020
00411710 . >lea ecx, dword ptr ss:[ebp-40]
00411713 . >mov byte ptr ss:[ebp-4], 7
00411717 . >call SpyEmerg.00442110
0041171C .^ >jmp SpyEmerg.00411690
00411721 > >lea ecx, dword ptr ss:[ebp-28]
00411724 . >call SpyEmerg.00401BD0
00411729 . >lea ecx, dword ptr ss:[ebp-74]
0041172C . >mov byte ptr ss:[ebp-4], 6
00411730 . >call SpyEmerg.00401ED0
00411735 . >lea ecx, dword ptr ss:[ebp-4C]
00411738 . >mov byte ptr ss:[ebp-4], 5
0041173C . >call SpyEmerg.00442110
00411741 . >lea ecx, dword ptr ss:[ebp-28]
00411744 . >mov byte ptr ss:[ebp-4], 4
00411748 . >call SpyEmerg.00401D10
0041174D . >lea ecx, dword ptr ss:[ebp-34]
00411750 . >mov byte ptr ss:[ebp-4], 3
00411754 . >call SpyEmerg.00442110
00411759 . >jmp short SpyEmerg.00411767
0041175B . >mov eax, SpyEmerg.00411761
00411760 . >ret
00411761 . >mov esi, dword ptr ss:[ebp-14]
00411764 . >or edi, FFFFFFFF
00411767 > >sub esp, 0C
0041176A . >lea eax, dword ptr ss:[ebp+14]
0041176D . >mov ecx, esp
0041176F . >mov dword ptr ss:[ebp-14], esp
00411772 . >push eax
00411773 . >mov dword ptr ss:[ebp-4], 2
0041177A . >call SpyEmerg.004420E0
0041177F . >sub esp, 0C
00411782 . >lea edx, dword ptr ss:[ebp+8]
00411785 . >mov ecx, esp
00411787 . >mov dword ptr ss:[ebp-18], esp
0041178A . >push edx
0041178B . >mov byte ptr ss:[ebp-4], 0A
0041178F . >call SpyEmerg.004420E0
00411794 . >lea eax, dword ptr ss:[ebp-58]
00411797 . >push eax
00411798 . >mov byte ptr ss:[ebp-4], 2
0041179C . >call SpyEmerg.004324A0 ; [xp-sp2-x006]
004117A1 . >add esp, 1C
004117A4 . >lea ecx, dword ptr ss:[ebp+20]
004117A7 . >push ecx
004117A8 . >mov bl, 0B
004117AA . >lea ecx, dword ptr ss:[ebp-58]
004117AD . >mov byte ptr ss:[ebp-4], bl
004117B0 . >call SpyEmerg.004421A0 ; [xp-sp2-x004]
004117B5 . >test eax, eax
004117B7 . >je SpyEmerg.00411975 这个call跳得很远,足以引起注意,如果不跳走,
004117BD . >sub esp, 0C 下面即是将用户信息写入注册表
004117C0 . >lea edx, dword ptr ss:[ebp+8] 所以我们一定要看上面的call啦,当然是看[xp-sp2-x004]
004117C3 . >mov ecx, esp
004117C5 . >mov dword ptr ss:[ebp-18], esp
004117C8 . >push edx
004117C9 . >call SpyEmerg.004420E0
004117CE . >sub esp, 0C
004117D1 . >mov ecx, esp
004117D3 . >mov dword ptr ss:[ebp-14], esp
004117D6 . >push edi
004117D7 . >push SpyEmerg.004B9EAC ; ASCII "RegisteredUserName"
004117DC . >mov byte ptr ss:[ebp-4], 0C
004117E0 . >call SpyEmerg.00442D80
004117E5 . >mov ecx, esi ; |
004117E7 . >mov byte ptr ss:[ebp-4], bl ; |
004117EA . >call SpyEmerg.004119C0 ; \SpyEmerg.004119C0
=======[xp-sp2-x004]=============================================================
004421A0 /$ 8>mov eax, dword ptr ss:[esp+4]
004421A4 |. 3>cmp eax, ecx
004421A6 |. 7>je short SpyEmerg.004421C9
004421A8 |. 8>mov ecx, dword ptr ds:[ecx+4]
004421AB |. 8>test ecx, ecx
004421AD |. 7>je short SpyEmerg.004421C4
004421AF |. 8>mov eax, dword ptr ds:[eax+4]
004421B2 |. 8>test eax, eax
004421B4 |. 7>je short SpyEmerg.004421C4
004421B6 |. 5>push eax
004421B7 |. 5>push ecx
004421B8 |. E>call SpyEmerg.0049E689
004421BD |. 8>add esp, 8
004421C0 |. 8>test eax, eax ==1==
004421C2 |. 7>je short SpyEmerg.004421C9
004421C4 |> 3>xor eax, eax ==2==
004421C6 |. C>ret 4
004421C9 |> B>mov eax, 1 ==3== 三步曲,最常见的标志位设置,说明信息已经处理完毕
004421CE \. C>ret 4 所以我们要看此同一层的上一个call [xp-sp2-x006]
=======[xp-sp2-x006]================================================================
004324A0 /$ 6>push -1
004324A2 |. 6>push SpyEmerg.004B4CD0 ; SE handler installation
004324A7 |. 6>mov eax, dword ptr fs:[0]
004324AD |. 5>push eax
004324AE |. 6>mov dword ptr fs:[0], esp
004324B5 |. 8>sub esp, 0E8
004324BB |. 5>push esi
004324BC |. C>mov dword ptr ss:[esp+20], 0
004324C4 |. 6>push 38
004324C6 |. 8>lea eax, dword ptr ss:[esp+104]
004324CD |. 5>push eax
004324CE |. 8>lea ecx, dword ptr ss:[esp+AC]
004324D5 |. 5>push ecx
004324D6 |. C>mov dword ptr ss:[esp+100], 2
004324E1 |. E>call SpyEmerg.00432420
004324E6 |. 6>push 62
004324E8 |. 5>push eax
004324E9 |. 8>lea edx, dword ptr ss:[esp+88]
004324F0 |. 5>push edx
004324F1 |. C>mov byte ptr ss:[esp+10C], 3
004324F9 |. E>call SpyEmerg.00432420
004324FE |. 6>push 33
00432500 |. 5>push eax
00432501 |. 8>lea eax, dword ptr ss:[esp+AC]
00432508 |. 5>push eax
00432509 |. C>mov byte ptr ss:[esp+118], 4
00432511 |. E>call SpyEmerg.00432420
00432516 |. 6>push 7A
00432518 |. 5>push eax
00432519 |. 8>lea ecx, dword ptr ss:[esp+E8]
00432520 |. 5>push ecx
00432521 |. C>mov byte ptr ss:[esp+124], 5
00432529 |. E>call SpyEmerg.00432420
0043252E |. 6>push 6F
00432530 |. 5>push eax
00432531 |. 8>lea edx, dword ptr ss:[esp+68]
00432535 |. 5>push edx
00432536 |. C>mov byte ptr ss:[esp+130], 6
0043253E |. E>call SpyEmerg.00432420
00432543 |. 8>add esp, 3C
00432546 |. 8>lea ecx, dword ptr ss:[esp+BC]
0043254D |. C>mov byte ptr ss:[esp+F4], 0B
00432555 |. E>call SpyEmerg.00442110
0043255A |. 8>lea ecx, dword ptr ss:[esp+8C]
00432561 |. C>mov byte ptr ss:[esp+F4], 0A
00432569 |. E>call SpyEmerg.00442110
0043256E |. 8>lea ecx, dword ptr ss:[esp+74]
00432572 |. C>mov byte ptr ss:[esp+F4], 9
0043257A |. E>call SpyEmerg.00442110
0043257F |. 8>lea ecx, dword ptr ss:[esp+A4]
00432586 |. C>mov byte ptr ss:[esp+F4], 8
0043258E |. E>call SpyEmerg.00442110
00432593 |. 8>mov eax, dword ptr ss:[esp+34]
/////////////停在这里看堆栈//////////////////////////////////////
//Stack ss:[0011A138]=00D2AEEC, (ASCII "HUNTER-BOY8b3zo")
//eax=00000001
//////////////////////////////////////////////////////////////
00432597 |. 8>test eax, eax 用户名+8b3zo
00432599 |. 7>je short SpyEmerg.004325A0
0043259B |. 8>mov ecx, dword ptr ds:[eax-8]
0043259E |. E>jmp short SpyEmerg.004325A7
004325A0 |> 3>xor ecx, ecx
004325A2 |. B>mov eax, SpyEmerg.004B8630
004325A7 |> 6>push 0 ; /Arg4 = 00000000
004325A9 |. 6>push SpyEmerg.004B8630 ; |Arg3 = 004B8630
004325AE |. 5>push ecx ; |Arg2
004325AF |. 5>push eax ; |Arg1
004325B0 |. E>call SpyEmerg.00432040 ; \SpyEmerg.00432040 [xp-sp2-x008]
004325B5 |. 8>mov eax, dword ptr ss:[esp+44] 通过字典对字符串处理,看[xp-sp2-x008]
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A138]=00D2AEEC 地址
//eax=0000000F 长度
//转存中跟随,获得
//00D2AEEC C6 F6 5C 7A 9A 68 5B D6 E4 5C EB 5B 96 8F 8C 00 砌\z歨[咒\隱枏?
//C6F65C7A9A685BD6E45CEB5B968F8C (hex) (00是终结符)
//////////////////////////////////////////////////////////////
004325B9 |. 8>add esp, 10
004325BC |. 8>test eax, eax
004325BE |. 7>jnz short SpyEmerg.004325C5
004325C0 |. B>mov eax, SpyEmerg.004B8630
004325C5 |> 6>push -1
004325C7 |. 5>push eax
004325C8 |. E>call SpyEmerg.00403410 ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string C6F65C7A9A685BD6E45CEB5B968F8C
//md5 hash 3ce3e64f4ef7f65d023666760273e0b9
////////////////////////////////////////////////////////////////////
004325CD |. 8>add esp, 4
004325D0 |. 5>push eax
004325D1 |. 8>lea ecx, dword ptr ss:[esp+70]
004325D5 |. E>call SpyEmerg.00442D80
004325DA |. 6>push 63
004325DC |. 8>lea eax, dword ptr ss:[esp+110]
004325E3 |. 5>push eax
004325E4 |. 8>lea ecx, dword ptr ss:[esp+B8]
004325EB |. 5>push ecx
004325EC |. C>mov byte ptr ss:[esp+100], 0C
004325F4 |. E>call SpyEmerg.00432420
004325F9 |. 6>push 36
004325FB |. 5>push eax
004325FC |. 8>lea edx, dword ptr ss:[esp+AC]
00432603 |. 5>push edx
00432604 |. C>mov byte ptr ss:[esp+10C], 0D
0043260C |. E>call SpyEmerg.00432420
00432611 |. 6>push 65
00432613 |. 5>push eax
00432614 |. 8>lea eax, dword ptr ss:[esp+A0]
0043261B |. 5>push eax
0043261C |. C>mov byte ptr ss:[esp+118], 0E
00432624 |. E>call SpyEmerg.00432420
00432629 |. 6>push 74
0043262B |. 5>push eax
0043262C |. 8>lea ecx, dword ptr ss:[esp+100]
00432633 |. 5>push ecx
00432634 |. C>mov byte ptr ss:[esp+124], 0F
0043263C |. E>call SpyEmerg.00432420
00432641 |. 6>push 65
00432643 |. 5>push eax
00432644 |. 8>lea edx, dword ptr ss:[esp+5C]
00432648 |. 5>push edx
00432649 |. C>mov byte ptr ss:[esp+130], 10
00432651 |. E>call SpyEmerg.00432420
00432656 |. 8>add esp, 3C
00432659 |. 8>lea ecx, dword ptr ss:[esp+D4]
00432660 |. C>mov byte ptr ss:[esp+F4], 15
00432668 |. E>call SpyEmerg.00442110
0043266D |. 8>lea ecx, dword ptr ss:[esp+80]
00432674 |. C>mov byte ptr ss:[esp+F4], 14
0043267C |. E>call SpyEmerg.00442110
00432681 |. 8>lea ecx, dword ptr ss:[esp+98]
00432688 |. C>mov byte ptr ss:[esp+F4], 13
00432690 |. E>call SpyEmerg.00442110
00432695 |. 8>lea ecx, dword ptr ss:[esp+B0]
0043269C |. C>mov byte ptr ss:[esp+F4], 12
004326A4 |. E>call SpyEmerg.00442110
004326A9 |. 8>mov eax, dword ptr ss:[esp+28]
/////////////停在这里看堆栈//////////////////////////////////////
//Stack ss:[0011A12C]=00D355D4, (ASCII "draw.dragon@msn.comc6ete")
//eax=00000001
//////////////////////////////////////////////////////////////////
004326AD |. 8>test eax, eax 邮件地址+c6ete
004326AF |. 7>je short SpyEmerg.004326B6
004326B1 |. 8>mov ecx, dword ptr ds:[eax-8]
004326B4 |. E>jmp short SpyEmerg.004326BD
004326B6 |> 3>xor ecx, ecx
004326B8 |. B>mov eax, SpyEmerg.004B8630
004326BD |> 6>push 0 ; /Arg4 = 00000000
004326BF |. 6>push SpyEmerg.004B8630 ; |Arg3 = 004B8630
004326C4 |. 5>push ecx ; |Arg2
004326C5 |. 5>push eax ; |Arg1
004326C6 |. E>call SpyEmerg.00432040 ; \SpyEmerg.00432040 [xp-sp2-x008]
004326CB |. 8>mov eax, dword ptr ss:[esp+38] 通过字典对字符串处理,看[xp-sp2-x008]
/////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A12C]=00D355D4 地址
//eax=00000018 长度
//转存中跟随,获得
//00D355D4 EA D1 73 59 F1 5E 04 F5 CC 6A BD 79 C8 86 8D 71 暄sY馸跆j統葐峲
//00D355E4 B8 85 E6 D3 25 EB F5 E1 00 竻嬗%膈?瓠?瓠
//EAD17359F15E04F5CC6ABD79C8868D71B885E6D325EBF5E1 (hex) (00是终结符)
/////////////////////////////////////////////////////////////////
004326CF |. 8>add esp, 10
004326D2 |. 8>test eax, eax
004326D4 |. 7>jnz short SpyEmerg.004326DB
004326D6 |. B>mov eax, SpyEmerg.004B8630
004326DB |> 6>push -1
004326DD |. 5>push eax
004326DE |. E>call SpyEmerg.00403410 ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string EAD17359F15E04F5CC6ABD79C8868D71B885E6D325EBF5E1
//md5 hash 05861f2f698e5125a8c5fca2dc6532d2
////////////////////////////////////////////////////////////////
004326E3 |. 8>add esp, 4
004326E6 |. 5>push eax
004326E7 |. 8>lea ecx, dword ptr ss:[esp+44]
004326EB |. E>call SpyEmerg.00442D80
004326F0 |. 6>push -1
004326F2 |. 6>push SpyEmerg.004B8630
004326F7 |. 8>lea ecx, dword ptr ss:[esp+18]
004326FB |. C>mov byte ptr ss:[esp+FC], 16
00432703 |. E>call SpyEmerg.00442D80
00432708 |. 6>push 36CEC ; /Arg1 = 00036CEC
0043270D |. 8>lea ecx, dword ptr ss:[esp+14] ; |
00432711 |. C>mov byte ptr ss:[esp+F8], 17 ; |
00432719 |. E>call SpyEmerg.00443090 ; \SpyEmerg.00443090
0043271E |. 6>push 1F6 ; /Arg1 = 000001F6
00432723 |. 8>lea ecx, dword ptr ss:[esp+14] ; |
00432727 |. E>call SpyEmerg.00443090 ; \SpyEmerg.00443090
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A118]=00D6B144, (ASCII "224492502")
//eax=0011A114
//对push进去的两个值做运算,这样应该就是一个固定值了吧
//运算 循环除A将余数连接"224492"+"502"
//////////////////////////////////////////////////////////////
0043272C |. 8>mov eax, dword ptr ss:[esp+14]
00432730 |. 8>test eax, eax
00432732 |. 7>je short SpyEmerg.00432739
00432734 |. 8>mov ecx, dword ptr ds:[eax-8]
00432737 |. E>jmp short SpyEmerg.00432740
00432739 |> 3>xor ecx, ecx
0043273B |. B>mov eax, SpyEmerg.004B8630
00432740 |> 6>push 0 ; /Arg4 = 00000000
00432742 |. 6>push SpyEmerg.004B8630 ; |Arg3 = 004B8630
00432747 |. 5>push ecx ; |Arg2
00432748 |. 5>push eax ; |Arg1
00432749 |. E>call SpyEmerg.00432040 ; \SpyEmerg.00432040 [xp-sp2-x008]
0043274E |. 8>mov eax, dword ptr ss:[esp+24] 通过字典对字符串处理,看[xp-sp2-x008]
/////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A118]=00D6B144
//eax=00000009
//00D6B144 BC 91 26 1A E6 08 43 A4 99 00 紤&?C..瓠
//BC91261AE60843A499 (hex)
//////////////////////////////////////////////////////////////////
00432752 |. 8>add esp, 10
00432755 |. 8>test eax, eax
00432757 |. 7>jnz short SpyEmerg.0043275E
00432759 |. B>mov eax, SpyEmerg.004B8630
0043275E |> 6>push -1
00432760 |. 5>push eax
00432761 |. E>call SpyEmerg.00403410 ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
//hex string BC91261AE60843A499
//md5 hash 87b5a586aa0d78fbb23c5d48a4fce316
//////////////////////////////////////////////////////////////////
00432766 |. 8>add esp, 4
00432769 |. 5>push eax
0043276A |. 8>lea ecx, dword ptr ss:[esp+50]
0043276E |. E>call SpyEmerg.00442D80
00432773 |. 8>sub esp, 0C
00432776 |. 8>lea eax, dword ptr ss:[esp+54]
0043277A |. 8>mov ecx, esp
0043277C |. 8>mov dword ptr ss:[esp+64], esp
00432780 |. 5>push eax
00432781 |. C>mov byte ptr ss:[esp+104], 18
00432789 |. E>call SpyEmerg.004420E0
0043278E |. 6>push SpyEmerg.004B8FE8
00432793 |. 8>sub esp, 0C
00432796 |. 8>mov dword ptr ss:[esp+38], esp
0043279A |. 8>mov esi, esp
0043279C |. 8>sub esp, 0C
0043279F |. 8>lea edx, dword ptr ss:[esp+64]
004327A3 |. 8>mov ecx, esp
004327A5 |. 8>mov dword ptr ss:[esp+44], esp
004327A9 |. 5>push edx
004327AA |. C>mov byte ptr ss:[esp+120], 19
004327B2 |. E>call SpyEmerg.004420E0
004327B7 |. 6>push SpyEmerg.004B8FE8
004327BC |. 8>sub esp, 0C
004327BF |. 8>lea eax, dword ptr ss:[esp+A0]
004327C6 |. 8>mov ecx, esp
004327C8 |. 8>mov dword ptr ss:[esp+8C], esp
004327CF |. 5>push eax
004327D0 |. C>mov byte ptr ss:[esp+130], 1A
004327D8 |. E>call SpyEmerg.004420E0
004327DD |. 8>lea ecx, dword ptr ss:[esp+118]
004327E4 |. 5>push ecx
004327E5 |. E>call SpyEmerg.0040D1F0
004327EA |. 8>add esp, 14
004327ED |. 5>push eax
004327EE |. 5>push esi
004327EF |. C>mov byte ptr ss:[esp+124], 1C
004327F7 |. E>call SpyEmerg.0040D160
004327FC |. 8>lea edx, dword ptr ss:[esp+F8]
00432803 |. 8>add esp, 14
00432806 |. 5>push edx
00432807 |. E>call SpyEmerg.0040D1F0
0043280C |. 8>add esp, 14
0043280F |. 5>push eax
00432810 |. 8>lea eax, dword ptr ss:[esp+14]
00432814 |. 5>push eax
00432815 |. C>mov byte ptr ss:[esp+108], 1F
0043281D |. E>call SpyEmerg.0040D160
00432822 |. 8>add esp, 14
00432825 |. 8>lea ecx, dword ptr ss:[esp+C8]
0043282C |. C>mov byte ptr ss:[esp+F4], 22
00432834 |. E>call SpyEmerg.00442110
00432839 |. 8>lea ecx, dword ptr ss:[esp+E0]
00432840 |. C>mov byte ptr ss:[esp+F4], 21
00432848 |. E>call SpyEmerg.00442110
0043284D |. 8>mov eax, dword ptr ss:[esp+8]
//////////////停在这里看堆栈////////////////////////////////////
//Stack ss:[0011A10C]=00D070BC, (ASCII "3ce3e64f4ef7f65d023666760273e0b9-05861f2f698e5125a8c5fca2dc6532d2
//-87b5a586aa0d78fbb23c5d48a4fce316")
//eax=00000001 将三个hash值联起来作为text string
/////////////////////////////////////////////////////////////////
00432851 |. 8>test eax, eax
00432853 |. 7>jnz short SpyEmerg.0043285A
00432855 |. B>mov eax, SpyEmerg.004B8630
0043285A |> 6>push -1
0043285C |. 5>push eax
0043285D |. E>call SpyEmerg.00403410 ; [xp-sp2-x00A] MD5运算(标准)
//////////////停在这里看堆栈////////////////////////////////////
// text string 3ce3e64f4ef7f65d023666760273e0b9-05861f2f698e5125a8c5fca2dc6532d2-87b5a586aa0d78fbb23c5d48a4fce316
// md5 hash f9c67d47ef264d325acda0f89f8a118b
/////////////////////////////////////////////////////////////////////////
00432862 |. 8>add esp, 4
00432865 |. 5>push eax
00432866 |. 8>lea ecx, dword ptr ss:[esp+64]
0043286A |. E>call SpyEmerg.00442D80
0043286F |. 8>lea ecx, dword ptr ss:[esp+5C]
00432873 |. 5>push ecx
00432874 |. 8>lea ecx, dword ptr ss:[esp+8]
00432878 |. C>mov byte ptr ss:[esp+F8], 23
00432880 |. E>call SpyEmerg.00442210
00432885 |. 8>mov eax, dword ptr ss:[esp+8]
00432889 |. 8>test eax, eax
0043288B |. 7>je short SpyEmerg.004328DB
0043288D |. 8>mov ecx, dword ptr ds:[eax-8]
00432890 |. 8>cmp ecx, 8
00432893 |. 7>jl short SpyEmerg.004328A7
00432895 |. 6>push 7
00432897 |. 8>lea ecx, dword ptr ss:[esp+8]
0043289B |. E>call SpyEmerg.00441FD0
004328A0 |. C>mov byte ptr ds:[eax], 2D
004328A3 |. 8>mov eax, dword ptr ss:[esp+8]
004328A7 |> 8>test eax, eax
004328A9 |. 7>je short SpyEmerg.004328DB
004328AB |. 8>cmp dword ptr ds:[eax-8], 10
004328AF |. 7>jl short SpyEmerg.004328C3
004328B1 |. 6>push 0F
004328B3 |. 8>lea ecx, dword ptr ss:[esp+8]
004328B7 |. E>call SpyEmerg.00441FD0
004328BC |. C>mov byte ptr ds:[eax], 2D
004328BF |. 8>mov eax, dword ptr ss:[esp+8]
004328C3 |> 8>test eax, eax
004328C5 |. 7>je short SpyEmerg.004328DB
004328C7 |. 8>cmp dword ptr ds:[eax-8], 18
004328CB |. 7>jl short SpyEmerg.004328DB
004328CD |. 6>push 17
004328CF |. 8>lea ecx, dword ptr ss:[esp+8]
004328D3 |. E>call SpyEmerg.00441FD0
004328D8 |. C>mov byte ptr ds:[eax], 2D
004328DB |> 8>lea ecx, dword ptr ss:[esp+4]
004328DF |. E>call SpyEmerg.00442750
004328E4 |. 8>mov esi, dword ptr ss:[esp+FC]
004328EB |. 8>lea edx, dword ptr ss:[esp+4]
004328EF |. 5>push edx
004328F0 |. 8>mov ecx, esi
//////////////停在这里看堆栈////////////////////////////////////
//F9C67D4-EF264D3-5ACDA0F-9F8A118B
//将hash值转大写,每7位用"-"替换下一个字符
//Serial key! enjoy it !
///////////////////////////////////////////////////////////////
004328F2 |. E>call SpyEmerg.004420E0
004328F7 |. 8>lea ecx, dword ptr ss:[esp+5C]
004328FB |. C>mov dword ptr ss:[esp+20], 1
00432903 |. C>mov byte ptr ss:[esp+F4], 21
0043290B |. E>call SpyEmerg.00442110
00432910 |. 8>lea ecx, dword ptr ss:[esp+4]
00432914 |. C>mov byte ptr ss:[esp+F4], 18
0043291C |. E>call SpyEmerg.00442110
00432921 |. 8>lea ecx, dword ptr ss:[esp+48]
00432925 |. C>mov byte ptr ss:[esp+F4], 17
0043292D |. E>call SpyEmerg.00442110
00432932 |. 8>lea ecx, dword ptr ss:[esp+10]
00432936 |. C>mov byte ptr ss:[esp+F4], 16
0043293E |. E>call SpyEmerg.00442110
00432943 |. 8>lea ecx, dword ptr ss:[esp+3C]
00432947 |. C>mov byte ptr ss:[esp+F4], 12
0043294F |. E>call SpyEmerg.00442110
00432954 |. 8>lea ecx, dword ptr ss:[esp+24]
00432958 |. C>mov byte ptr ss:[esp+F4], 0C
00432960 |. E>call SpyEmerg.00442110
00432965 |. 8>lea ecx, dword ptr ss:[esp+68]
00432969 |. C>mov byte ptr ss:[esp+F4], 8
00432971 |. E>call SpyEmerg.00442110
00432976 |. 8>lea ecx, dword ptr ss:[esp+30]
0043297A |. C>mov byte ptr ss:[esp+F4], 2
00432982 |. E>call SpyEmerg.00442110
00432987 |. 8>lea ecx, dword ptr ss:[esp+100]
0043298E |. C>mov byte ptr ss:[esp+F4], 1
00432996 |. E>call SpyEmerg.00442110
0043299B |. 8>lea ecx, dword ptr ss:[esp+10C]
004329A2 |. C>mov byte ptr ss:[esp+F4], 0
004329AA |. E>call SpyEmerg.00442110
004329AF |. 8>mov ecx, dword ptr ss:[esp+EC]
004329B6 |. 8>mov eax, esi
004329B8 |. 6>mov dword ptr fs:[0], ecx
004329BF |. 5>pop esi
004329C0 |. 8>add esp, 0F4
004329C6 \. C>ret
========[xp-sp2-x008]=============================================================================
00432040 /$ 5>push ebp
00432041 |. 8>mov ebp, esp
00432043 |. 8>and esp, FFFFFFF8
00432046 |. 8>sub esp, 214
0043204C |. B>mov al, 41
0043204E |. 5>push ebx
0043204F |. A>mov byte ptr ds:[4E0FA0], al
00432054 |. A>mov byte ptr ds:[4E0FA1], al
00432059 |. B>mov al, 31
0043205B |. 5>push esi
0043205C |. A>mov byte ptr ds:[4E0FA5], al
00432061 |. A>mov byte ptr ds:[4E0FA8], al
00432066 |. 5>push edi
00432067 |. C>mov byte ptr ds:[4E0FA2], 37
0043206E |. C>mov byte ptr ds:[4E0FA3], 39
00432075 |. C>mov byte ptr ds:[4E0FA4], 65
0043207C |. C>mov byte ptr ds:[4E0FA6], 30
00432083 |. C>mov byte ptr ds:[4E0FA7], 64
0043208A |. C>mov byte ptr ds:[4E0FA9], 35
00432091 |. C>mov byte ptr ds:[4E0FAA], 6C
00432098 |. C>mov byte ptr ds:[4E0FAB], 36
0043209F |. C>mov byte ptr ds:[4E0FAC], 6F
004320A6 |. C>mov byte ptr ds:[4E0FAD], 32
004320AD |. C>mov byte ptr ds:[4E0FAE], 74
004320B4 |. C>mov byte ptr ds:[4E0FAF], 38
004320BB |. 3>xor eax, eax ;
004320BD |. 8>lea ecx, dword ptr ds:[ecx]
004320C0 |> 8>/mov cl, byte ptr ds:[eax+4E0FA0]
004320C6 |. 8>|xor cl, 0A4
004320C9 |. 8>|mov byte ptr ds:[eax+4E0F90], cl ;
004320CF |. 4>|inc eax
004320D0 |. 8>|cmp eax, 10
004320D3 |.^ 7>\jb short SpyEmerg.004320C0
004320D5 |. 3>xor eax, eax ;
004320D7 |. B>mov ecx, 40
004320DC |. 8>lea edi, dword ptr ss:[esp+10]
004320E0 |. F>rep stosd
004320E2 |. A>stosb
004320E3 |. 3>xor eax, eax
004320E5 |. B>mov ecx, 40
004320EA |. 8>lea edi, dword ptr ss:[esp+118]
004320F1 |. F>rep stosd
004320F3 |. A>stosb
004320F4 |. 3>xor eax, eax
004320F6 |> 8>/mov byte ptr ss:[esp+eax+10], al
004320FA |. 4>|inc eax
004320FB |. 3>|cmp eax, 100
00432100 |.^ 7>\jb short SpyEmerg.004320F6
00432102 |. 8>mov edi, dword ptr ss:[ebp+14]
00432105 |. 3>xor eax, eax
00432107 |. 3>xor ecx, ecx
00432109 |. 8>test edi, edi
0043210B |. 7>je short SpyEmerg.00432130
0043210D |. 8>mov esi, dword ptr ss:[ebp+10]
00432110 |> 3>/cmp eax, edi
00432112 |. 7>|jnz short SpyEmerg.00432116
00432114 |. 3>|xor eax, eax
00432116 |> 8>|mov dl, byte ptr ds:[eax+esi]
00432119 |. 4>|inc eax
0043211A |. 8>|mov byte ptr ss:[esp+ecx+118], dl
00432121 |. 4>|inc ecx
00432122 |. 8>|cmp ecx, 100
00432128 |.^ 7>\jb short SpyEmerg.00432110
0043212A |. E>jmp short SpyEmerg.0043214E
0043212C | 8>lea esp, dword ptr ss:[esp]
00432130 |> 8>/cmp eax, 10
00432133 |. 7>|jnz short SpyEmerg.00432137
00432135 |. 3>|xor eax, eax
00432137 |> 8>|mov dl, byte ptr ds:[eax+4E0F90]
0043213D |. 4>|inc eax
0043213E |. 8>|mov byte ptr ss:[esp+ecx+118], dl
00432145 |. 4>|inc ecx
00432146 |. 8>|cmp ecx, 100
0043214C |.^ 7>\jb short SpyEmerg.00432130
0043214E |> 3>xor esi, esi
00432150 |. 3>xor eax, eax
00432152 |> 8>/mov cl, byte ptr ss:[esp+eax+10]
00432156 |. 3>|xor edx, edx
00432158 |. 8>|mov dl, byte ptr ss:[esp+eax+118]
0043215F |. 3>|xor ebx, ebx
00432161 |. 8>|mov bl, cl
00432163 |. 8>|add eax, 4
00432166 |. 0>|add ebx, esi
00432168 |. 0>|add edx, ebx
0043216A |. 8>|and edx, 0FF
00432170 |. 8>|mov esi, edx
00432172 |. 8>|mov dl, byte ptr ss:[esp+esi+10]
00432176 |. 8>|mov byte ptr ss:[esp+eax+C], dl
0043217A |. 8>|mov byte ptr ss:[esp+esi+10], cl
0043217E |. 8>|mov cl, byte ptr ss:[esp+eax+D]
00432182 |. 3>|xor edx, edx
00432184 |. 8>|mov dl, byte ptr ss:[esp+eax+115]
0043218B |. 3>|xor ebx, ebx
0043218D |. 8>|mov bl, cl
0043218F |. 0>|add ebx, esi
00432191 |. 0>|add edx, ebx
00432193 |. 8>|and edx, 0FF
00432199 |. 8>|mov esi, edx
0043219B |. 8>|mov dl, byte ptr ss:[esp+esi+10]
0043219F |. 8>|mov byte ptr ss:[esp+eax+D], dl
004321A3 |. 8>|mov byte ptr ss:[esp+esi+10], cl
004321A7 |. 8>|mov cl, byte ptr ss:[esp+eax+E]
004321AB |. 3>|xor edx, edx
004321AD |. 8>|mov dl, byte ptr ss:[esp+eax+116]
004321B4 |. 3>|xor ebx, ebx
004321B6 |. 8>|mov bl, cl
004321B8 |. 0>|add ebx, esi
004321BA |. 0>|add edx, ebx
004321BC |. 8>|and edx, 0FF
004321C2 |. 8>|mov esi, edx
004321C4 |. 8>|mov dl, byte ptr ss:[esp+esi+10]
004321C8 |. 8>|mov byte ptr ss:[esp+eax+E], dl
004321CC |. 8>|mov byte ptr ss:[esp+esi+10], cl
004321D0 |. 8>|mov cl, byte ptr ss:[esp+eax+F]
004321D4 |. 3>|xor edx, edx
004321D6 |. 8>|mov dl, byte ptr ss:[esp+eax+117]
004321DD |. 3>|xor ebx, ebx
004321DF |. 8>|mov bl, cl
004321E1 |. 0>|add ebx, esi
004321E3 |. 0>|add edx, ebx
004321E5 |. 8>|and edx, 0FF
004321EB |. 3>|cmp eax, 100
004321F0 |. 8>|mov esi, edx
004321F2 |. 8>|mov dl, byte ptr ss:[esp+esi+10]
004321F6 |. 8>|mov byte ptr ss:[esp+eax+F], dl
004321FA |. 8>|mov byte ptr ss:[esp+esi+10], cl
004321FE |.^ 0>\jb SpyEmerg.00432152
00432204 |. 8>mov ecx, dword ptr ss:[ebp+C]
////////////////////////////////////////////////////////////////////
//生成字典,应该是固定的吧
//00119ED8 19 CB 60 C1 C5 5F 67 C0 5D 70 0D 4E 3D E0 58 69
//00119EE8 9B 15 06 55 F0 5A D2 1E 0B 3B E2 F2 2F 77 44 6B
//00119EF8 AC BB 05 84 37 F1 6A 22 87 EA B8 99 8D 53 51 76
//00119F08 20 2E 66 DB 79 9A 75 6F 28 42 E1 93 CF 31 40 F5
//00119F18 A2 36 FA 3F D5 88 41 C3 4F 18 68 ED 5C 03 08 61
//00119F28 D6 91 BC FE E8 34 17 7F C2 97 04 A6 BD 57 81 89
//00119F38 0E 7C 13 62 AF A0 39 F9 8A B5 B7 B4 EB EE F4 48
//00119F48 82 7B 95 09 6E 86 CD 1F DC 71 E6 83 D4 AD 8E 07
//00119F58 B0 B1 F6 DE 52 59 3A 3C 6D 92 0A CE 49 74 54 C8
//00119F68 94 2C 32 AE 33 BA FC FD 78 1C E3 2D 29 AA 56 5E
//00119F78 D8 27 96 A8 4A 16 BE 64 B2 26 25 02 D7 5B 43 23
//00119F88 12 6C 30 1D A5 73 F3 21 98 01 24 BF C9 EC CA DD
//00119F98 A1 C4 50 14 E5 8B 8C 4D 4C 10 F7 B3 A9 7A E9 FB
//00119FA8 CC B9 9C 72 E7 2B 7D D3 3E 47 11 A4 AB 2A DA 9E
//00119FB8 80 A7 D0 F8 65 46 63 0C 1A D1 B6 00 EF 35 FF 0F
//00119FC8 7E E4 8F 38 90 45 C6 85 1B A3 DF D9 9D C7 9F 4B
//00119FD8 00 EE 92 7C C8 6A 94 7C E5 E5 93 9D C1 95 94 C0
/////////////////////////////////////////////////////////////
00432207 |. 3>xor edi, edi
00432209 |. 3>xor esi, esi
0043220B |. 3>xor eax, eax
0043220D |. 8>test ecx, ecx
0043220F |. 7>jbe short SpyEmerg.0043225B
00432211 |. 8>mov edx, dword ptr ss:[ebp+8]
00432214 |> 3>/xor ebx, ebx
00432216 |. 4>|inc esi
00432217 |. 8>|and esi, 0FF
0043221D |. 8>|mov cl, byte ptr ss:[esp+esi+10]
00432221 |. 8>|mov bl, cl
00432223 |. 0>|add ebx, edi
00432225 |. 8>|and ebx, 0FF
0043222B |. 8>|mov edi, ebx
0043222D |. 8>|mov bl, byte ptr ss:[esp+edi+10]
00432231 |. 8>|mov byte ptr ss:[esp+esi+10], bl
00432235 |. 3>|xor ebx, ebx
00432237 |. 8>|mov byte ptr ss:[esp+edi+10], cl
0043223B |. 8>|mov bl, byte ptr ss:[esp+esi+10]
0043223F |. 0>|add ebx, ecx
00432241 |. 8>|and ebx, 0FF
00432247 |. 8>|mov cl, byte ptr ss:[esp+ebx+10]
0043224B |. 8>|mov bl, byte ptr ds:[eax+edx]
0043224E |. 3>|xor bl, cl
00432250 |. 8>|mov ecx, dword ptr ss:[ebp+C]
00432253 |. 8>|mov byte ptr ds:[eax+edx], bl
00432256 |. 4>|inc eax
00432257 |. 3>|cmp eax, ecx
00432259 |.^ 7>\jb short SpyEmerg.00432214
/////////////////////////////////////////////////////////////
//通过字典和目标字符串做xor运算
//for (int i = 0; i < cs.length; i++)
// {
// hs1 = (map.key[i + 1] + hs1) & 0xFF;
// hs2 = (map.key[hs1] + map.key[i + 1]) & 0xFF;
// int tmp = map.key[i + 1];
// map.key[i + 1] = map.key[hs1];
// map.key[hs1 & 0xFF] = tmp;
// hs3 = map.key[hs2] ^ cs[i];
// }
////////////////////////////////////////////////////////////
0043225B |> 5>pop edi
0043225C |. 5>pop esi
0043225D |. 5>pop ebx
0043225E |. 8>mov esp, ebp
00432260 |. 5>pop ebp
00432261 \. C>ret
/////////////////////////////////////////////////////////////////////////////
Serial key = case(md5_text("md5_hex(dict(name+8b3zo))-md5_hex(dict(email+c6ete))-md5_hex(dict(224492502))"))
Build: 2.0.310.0
Name: HUNTER-BOY
Email: draw.dragon@msn.com
Serial key: F9C67D4-EF264D3-5ACDA0F-9F8A118B
附件中是一点java代码,由于自己的水平很菜,main时只能获得待md5的hex string 和 text string
的md5 hash,我自己是用论坛提供的HashCalc.exe获得hex string 的 md5 hash的,另外没有写字典的生成过程,
只是将字典直接拷贝进来了。工作太忙,好久没有写东西了,动手了才发现自己要学习的东西是多么的多呀
附件:java_code.rar