
Gray Pigeon Terminator (灰鸽子终结者): reverse-analysis code listing

Published: 2011-04-29 20:37:44  Author: 知识屋

Homepage: http://riusksk.blogbus.com

Code:
VxV0:00401000 ; +-------------------------------------------------------------------------+
VxV0:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
VxV0:00401000 ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
VxV0:00401000 ; | Licensed to Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
VxV0:00401000 ; +-------------------------------------------------------------------------+
VxV0:00401000 ;
VxV0:00401000 ; Input MD5 : FC1B4495CD1276A293C69AA7993D1405
VxV0:00401000
VxV0:00401000 ; File Name : C:\Documents and Settings\Administrator\桌面\灰鸽子终结者2007.exe
VxV0:00401000 ; Format : Portable executable for 80386 (PE)
VxV0:00401000 ; Imagebase : 400000
VxV0:00401000 ; Section 1. (virtual address 00001000)
VxV0:00401000 ; Virtual size : 0000B000 ( 45056.)
VxV0:00401000 ; Section size in file : 0000B000 ( 45056.)
VxV0:00401000 ; Offset to raw data for section: 00001000
VxV0:00401000 ; Flags E0000060: Text Data Executable Readable Writable
VxV0:00401000 ; Alignment : default
VxV0:00401000 ; OS type : MS Windows
VxV0:00401000 ; Application type: Executable 32bit
VxV0:00401000
VxV0:00401000 include uni.inc ; see unicode subdir of ida for info on unicode
VxV0:00401000
VxV0:00401000 .686p
VxV0:00401000 .mmx
VxV0:00401000 .model flat
VxV0:00401000
VxV0:00401000 ; ===========================================================================
VxV0:00401000
VxV0:00401000 ; Segment type: Pure code
VxV0:00401000 ; Segment permissions: Read/Write/Execute
VxV0:00401000 VxV0 segment para public 'CODE' use32
VxV0:00401000 assume cs:VxV0
VxV0:00401000 ;org 401000h
VxV0:00401000 assume es:nothing, ss:nothing, ds:VxV0, fs:nothing, gs:nothing
VxV0:00401000
VxV0:00401000 ; =============== S U B R O U T I N E =======================================
VxV0:00401000
VxV0:00401000
VxV0:00401000 ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
VxV0:00401000 _WinMain@16 proc near ; CODE XREF: start+C9p
VxV0:00401000 ; DATA XREF: VxV1:0040DA3Co
VxV0:00401000
VxV0:00401000 Msg = tagMSG ptr -4Ch
VxV0:00401000 var_30 = WNDCLASSEXA ptr -30h
VxV0:00401000 hInstance = dword ptr 4
VxV0:00401000 hPrevInstance = dword ptr 8
VxV0:00401000 lpCmdLine = dword ptr 0Ch
VxV0:00401000 nCmdShow = dword ptr 10h
VxV0:00401000
VxV0:00401000 sub esp, 4Ch
VxV0:00401003 push ebx
VxV0:00401004 push esi
VxV0:00401005 mov esi, [esp+54h+hInstance]
VxV0:00401009 push edi
VxV0:0040100A mov edi, LoadIconA
VxV0:00401010 xor ebx, ebx
VxV0:00401012 push offset IconName ; "ICO"
VxV0:00401017 push esi ; hInstance
VxV0:00401018 mov [esp+60h+var_30.cbSize], 30h
VxV0:00401020 mov [esp+60h+var_30.style], ebx
VxV0:00401024 mov [esp+60h+var_30.lpfnWndProc], offset sub_401130
VxV0:0040102C mov [esp+60h+var_30.cbClsExtra], ebx
VxV0:00401030 mov [esp+60h+var_30.cbWndExtra], ebx
VxV0:00401034 mov [esp+60h+var_30.hInstance], esi
VxV0:00401038 call edi ; LoadIconA
VxV0:0040103A push 7F00h ; lpCursorName
VxV0:0040103F push ebx ; hInstance
VxV0:00401040 mov [esp+60h+var_30.hIcon], eax
VxV0:00401044 call LoadCursorA
VxV0:0040104A push offset IconName ; "ICO"
VxV0:0040104F push esi ; hInstance
VxV0:00401050 mov [esp+60h+var_30.hCursor], eax
VxV0:00401054 mov [esp+60h+var_30.hbrBackground], 10h
VxV0:0040105C mov [esp+60h+var_30.lpszMenuName], ebx
VxV0:00401060 mov [esp+60h+var_30.lpszClassName], offset ClassName ; "VxV"
VxV0:00401068 call edi ; LoadIconA
VxV0:0040106A mov [esp+58h+var_30.hIconSm], eax
VxV0:0040106E lea eax, [esp+58h+var_30]
VxV0:00401072 push eax ; WNDCLASSEXA *
VxV0:00401073 call RegisterClassExA
VxV0:00401079 mov edi, GetSystemMetrics
VxV0:0040107F push ebx ; lpParam
VxV0:00401080 push esi ; hInstance
VxV0:00401081 push ebx ; hMenu
VxV0:00401082 push ebx ; hWndParent
VxV0:00401083 push 0FAh ; nHeight
VxV0:00401088 push 190h ; nWidth
VxV0:0040108D push 1 ; nIndex
VxV0:0040108F call edi ; GetSystemMetrics
VxV0:00401091 sub eax, 0FAh
VxV0:00401096 cdq
VxV0:00401097 sub eax, edx
VxV0:00401099 sar eax, 1
VxV0:0040109B push eax ; Y
VxV0:0040109C push ebx ; nIndex
VxV0:0040109D call edi ; GetSystemMetrics
VxV0:0040109F sub eax, 190h
VxV0:004010A4 cdq
VxV0:004010A5 sub eax, edx
VxV0:004010A7 sar eax, 1
VxV0:004010A9 push eax ; X
VxV0:004010AA push 80C80000h ; dwStyle
VxV0:004010AF push offset WindowName ; "灰鸽子终结者 2007"
VxV0:004010B4 push offset ClassName ; "VxV"
VxV0:004010B9 push ebx ; dwExStyle
VxV0:004010BA call CreateWindowExA
VxV0:004010C0 mov edi, eax
VxV0:004010C2 mov hInstance, esi
VxV0:004010C8 mov ecx, [esp+58h+nCmdShow]
VxV0:004010CC push ecx ; nCmdShow
VxV0:004010CD push edi ; hWnd
VxV0:004010CE call ShowWindow
VxV0:004010D4 push edi ; hWnd
VxV0:004010D5 call UpdateWindow
VxV0:004010DB mov esi, GetMessageA
VxV0:004010E1 push ebx ; wMsgFilterMax
VxV0:004010E2 push ebx ; wMsgFilterMin
VxV0:004010E3 lea edx, [esp+60h+Msg]
VxV0:004010E7 push ebx ; hWnd
VxV0:004010E8 push edx ; lpMsg
VxV0:004010E9 call esi ; GetMessageA
VxV0:004010EB test eax, eax
VxV0:004010ED jz short loc_401122
VxV0:004010EF mov edi, TranslateMessage
VxV0:004010F5 push ebp
VxV0:004010F6 mov ebp, DispatchMessageA
VxV0:004010FC
VxV0:004010FC loc_4010FC: ; CODE XREF: WinMain(x,x,x,x)+116j
VxV0:004010FC lea eax, [esp+5Ch+Msg]
VxV0:00401100 push eax ; lpMsg
VxV0:00401101 call edi ; TranslateMessage
VxV0:00401103 lea ecx, [esp+5Ch+Msg]
VxV0:00401107 push ecx ; lpMsg
VxV0:00401108 call ebp ; DispatchMessageA
VxV0:0040110A push ebx ; wMsgFilterMax
VxV0:0040110B push ebx ; wMsgFilterMin
VxV0:0040110C lea edx, [esp+64h+Msg]
VxV0:00401110 push ebx ; hWnd
VxV0:00401111 push edx ; lpMsg
VxV0:00401112 call esi ; GetMessageA
VxV0:00401114 test eax, eax
VxV0:00401116 jnz short loc_4010FC
VxV0:00401118 pop ebp
VxV0:00401119 pop edi
VxV0:0040111A pop esi
VxV0:0040111B pop ebx
VxV0:0040111C add esp, 4Ch
VxV0:0040111F retn 10h
VxV0:00401122 ; ---------------------------------------------------------------------------
VxV0:00401122
VxV0:00401122 loc_401122: ; CODE XREF: WinMain(x,x,x,x)+EDj
VxV0:00401122 pop edi
VxV0:00401123 pop esi
VxV0:00401124 xor eax, eax
VxV0:00401126 pop ebx
VxV0:00401127 add esp, 4Ch
VxV0:0040112A retn 10h
VxV0:0040112A _WinMain@16 endp
VxV0:0040112A
VxV0:0040112A ; ---------------------------------------------------------------------------
VxV0:0040112D align 10h
VxV0:00401130
VxV0:00401130 ; =============== S U B R O U T I N E =======================================
VxV0:00401130
VxV0:00401130
VxV0:00401130 sub_401130 proc near ; DATA XREF: WinMain(x,x,x,x)+24o
VxV0:00401130
VxV0:00401130 hWndParent = dword ptr 4
VxV0:00401130 Msg = dword ptr 8
VxV0:00401130 wParam = dword ptr 0Ch
VxV0:00401130 lParam = dword ptr 10h
VxV0:00401130
VxV0:00401130 mov ecx, [esp+Msg]
VxV0:00401134 push esi
VxV0:00401135 mov eax, ecx
VxV0:00401137 dec eax
VxV0:00401138 jz loc_4011E2
VxV0:0040113E dec eax
VxV0:0040113F jz loc_4011D4
VxV0:00401145 sub eax, 10Fh
VxV0:0040114A jz short loc_401166
VxV0:0040114C mov eax, [esp+4+lParam]
VxV0:00401150 mov edx, [esp+4+wParam]
VxV0:00401154 push eax ; lParam
VxV0:00401155 mov eax, [esp+8+hWndParent]
VxV0:00401159 push edx ; wParam
VxV0:0040115A push ecx ; Msg
VxV0:0040115B push eax ; hWnd
VxV0:0040115C call DefWindowProcA
VxV0:00401162 pop esi
VxV0:00401163 retn 10h
VxV0:00401166 ; ---------------------------------------------------------------------------
VxV0:00401166
VxV0:00401166 loc_401166: ; CODE XREF: sub_401130+1Aj
VxV0:00401166 mov eax, [esp+4+wParam]
VxV0:0040116A dec eax
VxV0:0040116B jz short loc_40118E
VxV0:0040116D dec eax
VxV0:0040116E jnz loc_401270
VxV0:00401174 push 40h ; uType
VxV0:00401176 push offset asc_407290 ; "关于"
VxV0:0040117B push offset asc_40708C ; "n"
VxV0:00401180 push 0 ; hWnd
VxV0:00401182 call MessageBoxA
VxV0:00401188 xor eax, eax
VxV0:0040118A pop esi
VxV0:0040118B retn 10h
VxV0:0040118E ; ---------------------------------------------------------------------------
VxV0:0040118E
VxV0:0040118E loc_40118E: ; CODE XREF: sub_401130+3Bj
VxV0:0040118E mov ecx, hWnd
VxV0:00401194 mov esi, SendMessageA
VxV0:0040119A push 0 ; lParam
VxV0:0040119C push 0 ; wParam
VxV0:0040119E push 0Ch ; Msg
VxV0:004011A0 push ecx ; hWnd
VxV0:004011A1 mov byte_409800, 0
VxV0:004011A8 call esi ; SendMessageA
VxV0:004011AA call sub_401280
VxV0:004011AF mov al, byte_409800
VxV0:004011B4 test al, al
VxV0:004011B6 jnz loc_401270
VxV0:004011BC mov edx, hWnd
VxV0:004011C2 push offset aVI ; "\r\n\r\n\r\n\r\n\r\n\t没 有 发 现 灰 鸽 子"
VxV0:004011C7 push 0 ; wParam
VxV0:004011C9 push 0Ch ; Msg
VxV0:004011CB push edx ; hWnd
VxV0:004011CC call esi ; SendMessageA
VxV0:004011CE xor eax, eax
VxV0:004011D0 pop esi
VxV0:004011D1 retn 10h
VxV0:004011D4 ; ---------------------------------------------------------------------------
VxV0:004011D4
VxV0:004011D4 loc_4011D4: ; CODE XREF: sub_401130+Fj
VxV0:004011D4 push 0 ; nExitCode
VxV0:004011D6 call PostQuitMessage
VxV0:004011DC xor eax, eax
VxV0:004011DE pop esi
VxV0:004011DF retn 10h
VxV0:004011E2 ; ---------------------------------------------------------------------------
VxV0:004011E2
VxV0:004011E2 loc_4011E2: ; CODE XREF: sub_401130+8j
VxV0:004011E2 mov eax, hInstance
VxV0:004011E7 mov esi, [esp+4+hWndParent]
VxV0:004011EB push edi
VxV0:004011EC push 0 ; lpParam
VxV0:004011EE push eax ; hInstance
VxV0:004011EF push 1 ; hMenu
VxV0:004011F1 push esi ; hWndParent
VxV0:004011F2 mov edi, CreateWindowExA
VxV0:004011F8 push 1Ch ; nHeight
VxV0:004011FA push 64h ; nWidth
VxV0:004011FC push 0Ah ; Y
VxV0:004011FE push 118h ; X
VxV0:00401203 push 50000000h ; dwStyle
VxV0:00401208 push offset aIS ; "扫描"
VxV0:0040120D push offset aButton ; "BUTTON"
VxV0:00401212 push 0 ; dwExStyle
VxV0:00401214 call edi ; CreateWindowExA
VxV0:00401216 mov ecx, hInstance
VxV0:0040121C push 0 ; lpParam
VxV0:0040121E push ecx ; hInstance
VxV0:0040121F push 2 ; hMenu
VxV0:00401221 push esi ; hWndParent
VxV0:00401222 push 1Ch ; nHeight
VxV0:00401224 push 64h ; nWidth
VxV0:00401226 push 32h ; Y
VxV0:00401228 push 118h ; X
VxV0:0040122D push 50000000h ; dwStyle
VxV0:00401232 push offset asc_407054 ; "关于"
VxV0:00401237 push offset aButton ; "BUTTON"
VxV0:0040123C push 0 ; dwExStyle
VxV0:0040123E call edi ; CreateWindowExA
VxV0:00401240 mov edx, hInstance
VxV0:00401246 push 0 ; lpParam
VxV0:00401248 push edx ; hInstance
VxV0:00401249 push 0 ; hMenu
VxV0:0040124B push esi ; hWndParent
VxV0:0040124C push 0C8h ; nHeight
VxV0:00401251 push 0FAh ; nWidth
VxV0:00401256 push 0Ah ; Y
VxV0:00401258 push 0Ah ; X
VxV0:0040125A push 50000804h ; dwStyle
VxV0:0040125F push 0 ; lpWindowName
VxV0:00401261 push offset aEdit ; "EDIT"
VxV0:00401266 push 0 ; dwExStyle
VxV0:00401268 call edi ; CreateWindowExA
VxV0:0040126A mov hWnd, eax
VxV0:0040126F pop edi
VxV0:00401270
VxV0:00401270 loc_401270: ; CODE XREF: sub_401130+3Ej
VxV0:00401270 ; sub_401130+86j
VxV0:00401270 xor eax, eax
VxV0:00401272 pop esi
VxV0:00401273 retn 10h
VxV0:00401273 sub_401130 endp
VxV0:00401273
VxV0:00401273 ; ---------------------------------------------------------------------------
VxV0:00401276 align 10h
VxV0:00401280
VxV0:00401280 ; =============== S U B R O U T I N E =======================================
VxV0:00401280
VxV0:00401280
VxV0:00401280 sub_401280 proc near ; CODE XREF: sub_401130+7Ap
VxV0:00401280
VxV0:00401280 hKey = dword ptr -27F4h
VxV0:00401280 ServicesReturned= dword ptr -27F0h
VxV0:00401280 cSubKeys = dword ptr -27ECh
VxV0:00401280 var_27E8 = dword ptr -27E8h
VxV0:00401280 cchName = dword ptr -27E4h
VxV0:00401280 pcbBytesNeeded = dword ptr -27E0h
VxV0:00401280 lParam = byte ptr -27DCh
VxV0:00401280 SubKey = byte ptr -26DCh
VxV0:00401280 ServiceName = byte ptr -25DCh
VxV0:00401280 Buffer = byte ptr -24DCh
VxV0:00401280 Services = _ENUM_SERVICE_STATUSA ptr -23DCh
VxV0:00401280
VxV0:00401280 mov eax, 27F4h
VxV0:00401285 call __alloca_probe
VxV0:0040128A push esi
VxV0:0040128B push edi
VxV0:0040128C push 0F003Fh ; dwDesiredAccess
VxV0:00401291 xor edi, edi
VxV0:00401293 push offset DatabaseName ; "ServicesActive"
VxV0:00401298 push edi ; lpMachineName
VxV0:00401299 call OpenSCManagerA
VxV0:0040129F mov esi, eax
VxV0:004012A1 lea eax, [esp+27FCh+ServicesReturned]
VxV0:004012A5 push edi ; lpResumeHandle
VxV0:004012A6 lea ecx, [esp+2800h+pcbBytesNeeded]
VxV0:004012AA push eax ; lpServicesReturned
VxV0:004012AB push ecx ; pcbBytesNeeded
VxV0:004012AC lea edx, [esp+2808h+Services]
VxV0:004012B3 push 23DCh ; cbBufSize
VxV0:004012B8 push edx ; lpServices
VxV0:004012B9 push 3 ; dwServiceState
VxV0:004012BB push 30h ; dwServiceType
VxV0:004012BD push esi ; hSCManager
VxV0:004012BE mov [esp+281Ch+pcbBytesNeeded], edi
VxV0:004012C2 mov [esp+281Ch+ServicesReturned], edi
VxV0:004012C6 call EnumServicesStatusA
VxV0:004012CC push esi ; hSCObject
VxV0:004012CD call CloseServiceHandle
VxV0:004012D3 lea eax, [esp+27FCh+hKey]
VxV0:004012D7 mov [esp+27FCh+hKey], edi
VxV0:004012DB push eax ; phkResult
VxV0:004012DC push 0F003Fh ; samDesired
VxV0:004012E1 push edi ; ulOptions
VxV0:004012E2 push offset SubKey ; "SYSTEM\CurrentControlSet\Services"
VxV0:004012E7 push 80000002h ; hKey
VxV0:004012EC call RegOpenKeyExA
VxV0:004012F2 push edi ; lpftLastWriteTime
VxV0:004012F3 push edi ; lpcbSecurityDescriptor
VxV0:004012F4 mov edx, [esp+2804h+hKey]
VxV0:004012F8 push edi ; lpcbMaxValueLen
VxV0:004012F9 push edi ; lpcbMaxValueNameLen
VxV0:004012FA push edi ; lpcValues
VxV0:004012FB push edi ; lpcbMaxClassLen
VxV0:004012FC lea ecx, [esp+2814h+cSubKeys]
VxV0:00401300 push edi ; lpcbMaxSubKeyLen
VxV0:00401301 push ecx ; lpcSubKeys
VxV0:00401302 push edi ; lpReserved
VxV0:00401303 push edi ; lpcchClass
VxV0:00401304 push edi ; lpClass
VxV0:00401305 push edx ; hKey
VxV0:00401306 mov [esp+282Ch+cSubKeys], edi
VxV0:0040130A call RegQueryInfoKeyA
VxV0:00401310 mov ecx, [esp+27FCh+cSubKeys]
VxV0:00401314 xor eax, eax
VxV0:00401316 test ecx, edi
VxV0:00401318 mov [esp+27FCh+var_27E8], eax
VxV0:0040131C jle loc_401770
VxV0:00401322 push ebx
VxV0:00401323 mov ebx, MessageBoxA
VxV0:00401329 push ebp
VxV0:0040132A mov ebp, SendMessageA
VxV0:00401330 jmp short loc_401334
VxV0:00401332 ; ---------------------------------------------------------------------------
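The scan routine sub_401280 above consults two sources before the listing is cut off: it opens the Service Control Manager (OpenSCManagerA with the "ServicesActive" database and SC_MANAGER_ALL_ACCESS, 0F003Fh) and enumerates Win32 services (EnumServicesStatusA with dwServiceType 30h = SERVICE_WIN32 and dwServiceState 3 = SERVICE_STATE_ALL), then opens HKLM\SYSTEM\CurrentControlSet\Services (80000002h = HKEY_LOCAL_MACHINE) and reads its subkey count with RegQueryInfoKeyA. The following PowerShell script is an added example, not the tool's own code, that performs the same two enumerations from a defender's side and lists Win32 service keys that the SCM does not report, a standard triage cross-check; it assumes an elevated session on a Windows host, and the Type bit mask used to filter drivers out of the registry view is the documented SERVICE_WIN32 value, not something taken from the listing.

```powershell
# Added example (not part of the original listing): cross-check the two sources
# that sub_401280 consults, the Service Control Manager and the registry key
# HKLM\SYSTEM\CurrentControlSet\Services. Run in an elevated PowerShell session.

# 1. Services as reported by the SCM (the same view EnumServicesStatusA gives
#    the tool for SERVICE_WIN32 / SERVICE_STATE_ALL).
$scmServices = Get-Service -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

# 2. Service entries as recorded in the registry (the subkeys RegQueryInfoKeyA
#    counts in the listing).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$regEntries  = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue

Write-Host ("SCM reports {0} services; registry key has {1} subkeys" -f `
    $scmServices.Count, $regEntries.Count)

# Keep only registry entries whose Type has a SERVICE_WIN32 bit set
# (0x10 own process, 0x20 shared process). Kernel and file-system drivers
# (Type 1 and 2) are never returned by a SERVICE_WIN32 enumeration, so they
# are excluded before comparing the two views.
$regWin32 = foreach ($entry in $regEntries) {
    $props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $props.Type -and ($props.Type -band 0x30)) {
        [pscustomobject]@{
            Name      = $entry.PSChildName
            Type      = $props.Type
            Start     = $props.Start
            ImagePath = $props.ImagePath
        }
    }
}

# 3. Win32 service keys the SCM enumeration does not report. Benign causes
#    exist (services marked for deletion, per-user service templates), so
#    the output is triage material to be inspected, not a verdict.
$unreported = $regWin32 | Where-Object { $scmServices -notcontains $_.Name }
$unreported | Sort-Object Name | Format-Table Name, Type, Start, ImagePath -AutoSize
```

Comparing the registry view against the SCM view is only a first pass: a service that is present in both but points at an unexpected ImagePath still deserves a look, so the ImagePath column is kept in the output for exactly that reason.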
