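游侠NETSHOW Forum

Title: Newbie asking for help: can anyone make sense of these packed 37EXE files

Author: 清清风风    Time: 2008-5-27 12:27:17     Title: Newbie asking for help: can anyone make sense of these packed 37EXE files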

E:\游戏\SANGO7\dbghelp.dll        ::        Microsoft Visual C++ 5.0
E:\游戏\SANGO7\SANGO7.BIN        ::        UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
E:\游戏\SANGO7\SG7.dll        ::        Microsoft Visual C++ v7.1 DLL
E:\游戏\SANGO7\SG7.exe        ::        UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
E:\游戏\SANGO7\unins000.exe        ::        Borland Delphi 2.0 [Overlay]

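I don't understand any of this; it's what a scan with peit produced, and the things at the end seem to be packers
Apparently you can use some PE tool to remove them
Can someone take a look~!

This is the EXE file after unpacking; I'm putting it up first and waiting for an assembly expert to modify it!
Download link: http://www.namipan.com/d/30f953b ... 270e2d206b3a9587600

[ This post was last edited by 清清风风 at 2008-5-28 13:31 ]
Author: 清清风风    Time: 2008-5-27 13:46:24

I found an unpacking program, upxsheel
It seems to have more or less removed the packer, and the SG7.exe file has become 7.63M?
I don't know how to modify it from here
Author: kane.hu    Time: 2008-5-27 14:04:45     Title: Reply to #2 清清风风's post

Sitting and waiting for a ready-made one! Even just news would be good!!
Showing my support
Author: 清清风风    Time: 2008-5-27 14:11:48

It seems I've managed to get into the EXE file, but it's all damned code in there that I can't understand
So frustrating~!
Author: 清清风风    Time: 2008-5-27 14:37:35

Posting a piece of code first for everyone to study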
反汇编文件: E:\游戏\SANGO7\SG7.exe
Code Offset = 00000400, Code Size = 00064A00
Data Offset = 00073000, Data Size = 00002A00

Number of Objects = 0004 (dec), Imagebase = 00400000h

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 00064A00 Flags: 60000020
   Object02: .rdata   RVA: 00066000 Offset: 00064E00 Size: 0000E200 Flags: 40000040
   Object03: .data    RVA: 00075000 Offset: 00073000 Size: 00002A00 Flags: C0000040
   Object04: .rsrc    RVA: 0008E000 Offset: 00075A00 Size: 00002A00 Flags: 40000040


+++++++++++++++++++  菜单信息 +++++++++++++++++++++++++

Number of Menus =    1 (decimal)


MenuID_00A6

      Context1 {Popup}
           ,俓-[P]  [ID=00A7h]
            {Popup}
                     [ID=00A8h]

+++++++++++++++++ 对话框信息 ++++++++++++++++++++++++++

Number of Dialogs =    1 (decimal)

Name: DialogID_03E8, # of Controls=000, Caption:"", ClassName:""

+++++++++++++++++++ 输入函数 ++++++++++++++++++++++++++++
Number of Imported Modules =   13 (decimal)

   Import Module 001: KERNEL32.DLL
   Import Module 002: ADVAPI32.dll
   Import Module 003: COMCTL32.dll
   Import Module 004: comdlg32.dll
   Import Module 005: GDI32.dll
   Import Module 006: MPR.dll
   Import Module 007: ole32.dll
   Import Module 008: OLEAUT32.dll
   Import Module 009: SHELL32.dll
   Import Module 010: USER32.dll
   Import Module 011: VERSION.dll
   Import Module 012: WINMM.dll
   Import Module 013: WSOCK32.dll

+++++++++++++++++++ 输入函数表 ++++++++++++++++++++++++++

   Import Module 001: KERNEL32.DLL

Addr:0007231E hint(0000) Name: CopyFileW
Addr:0007232A hint(0000) Name: GetLastError
Addr:00072338 hint(0000) Name: CreateDirectoryW
Addr:0007234A hint(0000) Name: RemoveDirectoryW
Addr:0007235C hint(0000) Name: TerminateProcess
Addr:0007236E hint(0000) Name: WaitForSingleObject
Addr:00072384 hint(0000) Name: SetSystemPowerState
Addr:0007239A hint(0000) Name: SetFileTime
Addr:000723A8 hint(0000) Name: FindResourceW
Addr:000723B8 hint(0000) Name: GetFileAttributesW
Addr:000723CC hint(0000) Name: LoadResource
Addr:000723DA hint(0000) Name: FindFirstFileW
Addr:000723EA hint(0000) Name: LockResource
Addr:000723F8 hint(0000) Name: FindClose
Addr:00072404 hint(0000) Name: SizeofResource
Addr:00072414 hint(0000) Name: EnumResourceNamesW
Addr:00072428 hint(0000) Name: DeleteFileW
Addr:00072436 hint(0000) Name: FindNextFileW
Addr:00072446 hint(0000) Name: lstrcmpiW
Addr:00072452 hint(0000) Name: MoveFileW
Addr:0007245E hint(0000) Name: OutputDebugStringW
Addr:00072472 hint(0000) Name: GetLocalTime
Addr:00072480 hint(0000) Name: MultiByteToWideChar
Addr:00072496 hint(0000) Name: WideCharToMultiByte
Addr:000724AC hint(0000) Name: GetModuleHandleA
Addr:000724BE hint(0000) Name: CompareStringW
Addr:000724CE hint(0000) Name: InterlockedIncrement
Addr:000724E4 hint(0000) Name: InterlockedDecrement
Addr:000724FA hint(0000) Name: GetTempPathW
Addr:00072508 hint(0000) Name: GetTempFileNameW
Addr:0007251A hint(0000) Name: FormatMessageW
Addr:0007252A hint(0000) Name: GetExitCodeProcess
Addr:0007253E hint(0000) Name: DeviceIoControl
Addr:00072550 hint(0000) Name: GetPrivateProfileStringW
Addr:0007256A hint(0000) Name: WritePrivateProfileStringW
Addr:00072586 hint(0000) Name: GetPrivateProfileSectionW
Addr:000725A2 hint(0000) Name: WritePrivateProfileSectionW
Addr:000725C0 hint(0000) Name: SetFileAttributesW
Addr:000725D4 hint(0000) Name: GetPrivateProfileSectionNamesW
Addr:000725F4 hint(0000) Name: GetShortPathNameW
Addr:00072608 hint(0000) Name: FileTimeToLocalFileTime
Addr:00072622 hint(0000) Name: FileTimeToSystemTime
Addr:00072638 hint(0000) Name: SystemTimeToFileTime
Addr:0007264E hint(0000) Name: LocalFileTimeToFileTime
Addr:00072668 hint(0000) Name: GetDriveTypeW
Addr:00072678 hint(0000) Name: SetErrorMode
Addr:00072686 hint(0000) Name: GetDiskFreeSpaceW
Addr:0007269A hint(0000) Name: GetVolumeInformationW
Addr:000726B2 hint(0000) Name: SetVolumeLabelW
Addr:000726C4 hint(0000) Name: CreateFileW
Addr:000726D2 hint(0000) Name: GlobalLock
Addr:000726DE hint(0000) Name: GlobalUnlock
Addr:000726EC hint(0000) Name: GlobalAlloc
Addr:000726FA hint(0000) Name: SetProcessWorkingSetSize
Addr:00072714 hint(0000) Name: GlobalMemoryStatus
Addr:00072728 hint(0000) Name: Beep
Addr:0007272E hint(0000) Name: GetFileSize
Addr:0007273C hint(0000) Name: GetEnvironmentVariableW
Addr:00072756 hint(0000) Name: SetEnvironmentVariableW
Addr:00072770 hint(0000) Name: GetCurrentProcessId
Addr:00072786 hint(0000) Name: GetComputerNameW
Addr:00072798 hint(0000) Name: GetWindowsDirectoryW
Addr:000727AE hint(0000) Name: GetSystemDirectoryW
Addr:000727C4 hint(0000) Name: GetProcessIoCounters
Addr:000727DA hint(0000) Name: CreatePipe
Addr:000727E6 hint(0000) Name: DuplicateHandle
Addr:000727F8 hint(0000) Name: GetStdHandle
Addr:00072806 hint(0000) Name: CreateProcessW
Addr:00072816 hint(0000) Name: SetPriorityClass
Addr:00072828 hint(0000) Name: LoadLibraryW
Addr:00072836 hint(0000) Name: WriteFile
Addr:00072842 hint(0000) Name: GetFileType
Addr:00072850 hint(0000) Name: PeekNamedPipe
Addr:00072860 hint(0000) Name: SetLastError
Addr:0007286E hint(0000) Name: LoadLibraryExW
Addr:0007287E hint(0000) Name: GlobalFindAtomW
Addr:00072890 hint(0000) Name: ResumeThread
Addr:0007289E hint(0000) Name: GetSystemTimeAsFileTime
Addr:000728B8 hint(0000) Name: CreateThread
Addr:000728C6 hint(0000) Name: ExitThread
Addr:000728D2 hint(0000) Name: HeapFree
Addr:000728DC hint(0000) Name: HeapAlloc
Addr:000728E8 hint(0000) Name: ExitProcess
Addr:000728F6 hint(0000) Name: GetACP
Addr:000728FE hint(0000) Name: GetOEMCP
Addr:00072908 hint(0000) Name: IsValidCodePage
Addr:0007291A hint(0000) Name: TlsGetValue
Addr:00072928 hint(0000) Name: TlsAlloc
Addr:00072932 hint(0000) Name: TlsSetValue
Addr:00072940 hint(0000) Name: TlsFree
Addr:0007294A hint(0000) Name: UnhandledExceptionFilter
Addr:00072964 hint(0000) Name: SetUnhandledExceptionFilter
Addr:00072982 hint(0000) Name: RaiseException
Addr:00072992 hint(0000) Name: GetModuleFileNameA
Addr:000729A6 hint(0000) Name: DeleteCriticalSection
Addr:000729BE hint(0000) Name: InitializeCriticalSection
Addr:000729DA hint(0000) Name: HeapSize
Addr:000729E4 hint(0000) Name: VirtualFree
Addr:000729F2 hint(0000) Name: VirtualAlloc
Addr:00072A00 hint(0000) Name: HeapReAlloc
Addr:00072A0E hint(0000) Name: HeapDestroy
Addr:00072A1C hint(0000) Name: HeapCreate
Addr:00072A28 hint(0000) Name: SetFilePointer
Addr:00072A38 hint(0000) Name: ReadFile
Addr:00072A42 hint(0000) Name: ReadProcessMemory
Addr:00072A56 hint(0000) Name: WriteProcessMemory
Addr:00072A6A hint(0000) Name: MapViewOfFile
Addr:00072A7A hint(0000) Name: CreateFileMappingW
Addr:00072A8E hint(0000) Name: OpenProcess
Addr:00072A9C hint(0000) Name: UnmapViewOfFile
Addr:00072AAE hint(0000) Name: CloseHandle
Addr:00072ABC hint(0000) Name: QueryPerformanceFrequency
Addr:00072AD8 hint(0000) Name: QueryPerformanceCounter
Addr:00072AF2 hint(0000) Name: GetModuleHandleW
Addr:00072B04 hint(0000) Name: GetSystemInfo
Addr:00072B14 hint(0000) Name: GetCurrentProcess
Addr:00072B28 hint(0000) Name: GetVersionExW
Addr:00072B38 hint(0000) Name: GetCurrentThreadId
Addr:00072B4C hint(0000) Name: Sleep
Addr:00072B54 hint(0000) Name: GetProcAddress
Addr:00072B64 hint(0000) Name: LoadLibraryA
Addr:00072B72 hint(0000) Name: RtlUnwind
Addr:00072B7E hint(0000) Name: GetConsoleCP
Addr:00072B8C hint(0000) Name: GetConsoleMode
Addr:00072B9C hint(0000) Name: FreeLibrary
Addr:00072BAA hint(0000) Name: GetModuleFileNameW
Addr:00072BBE hint(0000) Name: GetFullPathNameW
Addr:00072BD0 hint(0000) Name: SetCurrentDirectoryW
Addr:00072BE6 hint(0000) Name: GetCurrentDirectoryW
Addr:00072BFC hint(0000) Name: EnterCriticalSection
Addr:00072C12 hint(0000) Name: LeaveCriticalSection
Addr:00072C28 hint(0000) Name: GetVersionExA
Addr:00072C38 hint(0000) Name: GetProcessHeap
Addr:00072C48 hint(0000) Name: GetStartupInfoW
Addr:00072C5A hint(0000) Name: SetHandleCount
Addr:00072C6A hint(0000) Name: GetStartupInfoA
Addr:00072C7C hint(0000) Name: SetStdHandle
Addr:00072C8A hint(0000) Name: GetCPInfo
Addr:00072C96 hint(0000) Name: FlushFileBuffers
Addr:00072CA8 hint(0000) Name: LCMapStringA
Addr:00072CB6 hint(0000) Name: LCMapStringW
Addr:00072CC4 hint(0000) Name: GetTimeZoneInformation
Addr:00072CDC hint(0000) Name: FreeEnvironmentStringsA
Addr:00072CF6 hint(0000) Name: GetEnvironmentStrings
Addr:00072D0E hint(0000) Name: FreeEnvironmentStringsW
Addr:00072D28 hint(0000) Name: GetEnvironmentStringsW
Addr:00072D40 hint(0000) Name: GetCommandLineA
Addr:00072D52 hint(0000) Name: GetCommandLineW
Addr:00072D64 hint(0000) Name: GetTickCount
Addr:00072D72 hint(0000) Name: GetStringTypeA
Addr:00072D82 hint(0000) Name: GetStringTypeW
Addr:00072D92 hint(0000) Name: GetLocaleInfoA
Addr:00072DA2 hint(0000) Name: WriteConsoleA
Addr:00072DB2 hint(0000) Name: GetConsoleOutputCP
Addr:00072DC6 hint(0000) Name: WriteConsoleW
Addr:00072DD6 hint(0000) Name: CreateFileA
Addr:00072DE4 hint(0000) Name: SetEndOfFile
Addr:00072DF2 hint(0000) Name: CompareStringA
Addr:00072E02 hint(0000) Name: GlobalFree
Addr:00072E0E hint(0000) Name: SetEnvironmentVariableA

   Import Module 002: ADVAPI32.dll

Addr:00072E28 hint(0000) Name: RegEnumValueW
Addr:00072E38 hint(0000) Name: RegDeleteValueW
Addr:00072E4A hint(0000) Name: RegDeleteKeyW
Addr:00072E5A hint(0000) Name: RegSetValueExW
Addr:00072E6A hint(0000) Name: RegCreateKeyExW
Addr:00072E7C hint(0000) Name: GetUserNameW
Addr:00072E8A hint(0000) Name: RegConnectRegistryW
Addr:00072EA0 hint(0000) Name: RegEnumKeyExW
Addr:00072EB0 hint(0000) Name: AdjustTokenPrivileges
Addr:00072EC8 hint(0000) Name: LookupPrivilegeValueW
Addr:00072EE0 hint(0000) Name: OpenProcessToken
Addr:00072EF2 hint(0000) Name: CloseServiceHandle
Addr:00072F06 hint(0000) Name: UnlockServiceDatabase
Addr:00072F1E hint(0000) Name: LockServiceDatabase
Addr:00072F34 hint(0000) Name: OpenSCManagerW
Addr:00072F44 hint(0000) Name: RegCloseKey
Addr:00072F52 hint(0000) Name: RegQueryValueExW
Addr:00072F64 hint(0000) Name: RegOpenKeyExW

   Import Module 003: COMCTL32.dll

Addr:00072F74 hint(0000) Name: ImageList_BeginDrag
Addr:00072F8A hint(0000) Name: ImageList_SetDragCursorImage
Addr:00072FA8 hint(0000) Name: ImageList_EndDrag
Addr:00072FBC hint(0000) Name: ImageList_DragLeave
Addr:00072FD2 hint(0000) Name: ImageList_DragMove
Addr:00072FE6 hint(0000) Name: ImageList_DragEnter
Addr:00072FFC hint(0000) Name: ImageList_Destroy
Addr:00073010 hint(0000) Name: ImageList_ReplaceIcon
Addr:00073028 hint(0000) Name: ImageList_Create
Addr:0007303A hint(0000) Name: InitCommonControlsEx
Addr:00073050 hint(0000) Name: ImageList_Remove

   Import Module 004: comdlg32.dll

Addr:00073062 hint(0000) Name: GetSaveFileNameW
Addr:00073074 hint(0000) Name: GetOpenFileNameW

   Import Module 005: GDI32.dll

Addr:00073086 hint(0000) Name: ExtCreatePen
Addr:00073094 hint(0000) Name: StrokeAndFillPath
Addr:000730A8 hint(0000) Name: StrokePath
Addr:000730B4 hint(0000) Name: EndPath
Addr:000730BE hint(0000) Name: SetPixel
Addr:000730C8 hint(0000) Name: CloseFigure
Addr:000730D6 hint(0000) Name: SetBkColor
Addr:000730E2 hint(0000) Name: CreatePen
Addr:000730EE hint(0000) Name: CreateSolidBrush
Addr:00073100 hint(0000) Name: SetTextColor
Addr:0007310E hint(0000) Name: GetObjectW
Addr:0007311A hint(0000) Name: PolyBezierTo
Addr:00073128 hint(0000) Name: SetViewportOrgEx
Addr:0007313A hint(0000) Name: Rectangle
Addr:00073146 hint(0000) Name: BeginPath
Addr:00073152 hint(0000) Name: PolyDraw
Addr:0007315C hint(0000) Name: Ellipse
Addr:00073166 hint(0000) Name: MoveToEx
Addr:00073170 hint(0000) Name: AngleArc
Addr:0007317A hint(0000) Name: LineTo
Addr:00073182 hint(0000) Name: SetBkMode
Addr:0007318E hint(0000) Name: RoundRect
Addr:0007319A hint(0000) Name: CreateCompatibleBitmap
Addr:000731B2 hint(0000) Name: GetPixel
Addr:000731BC hint(0000) Name: DeleteDC
Addr:000731C6 hint(0000) Name: GetDIBits
Addr:000731D2 hint(0000) Name: BitBlt
Addr:000731DA hint(0000) Name: SelectObject
Addr:000731E8 hint(0000) Name: CreateDIBSection
Addr:000731FA hint(0000) Name: CreateCompatibleDC
Addr:0007320E hint(0000) Name: CreateFontW
Addr:0007321C hint(0000) Name: GetDeviceCaps
Addr:0007322C hint(0000) Name: GetTextFaceW
Addr:0007323A hint(0000) Name: GetStockObject
Addr:0007324A hint(0000) Name: CreateDCW
Addr:00073256 hint(0000) Name: GetTextExtentPoint32W
Addr:0007326E hint(0000) Name: DeleteObject

   Import Module 006: MPR.dll

Addr:0007327C hint(0000) Name: WNetUseConnectionW
Addr:00073290 hint(0000) Name: WNetGetConnectionW
Addr:000732A4 hint(0000) Name: WNetAddConnection2W
Addr:000732BA hint(0000) Name: WNetCancelConnection2W

   Import Module 007: ole32.dll

Addr:000732D2 hint(0000) Name: OleSetMenuDescriptor
Addr:000732E8 hint(0000) Name: MkParseDisplayName
Addr:000732FC hint(0000) Name: OleSetContainedObject
Addr:00073314 hint(0000) Name: CoCreateInstance
Addr:00073326 hint(0000) Name: CoInitialize
Addr:00073334 hint(0000) Name: CoUninitialize
Addr:00073344 hint(0000) Name: CreateStreamOnHGlobal
Addr:0007335C hint(0000) Name: CoInitializeSecurity
Addr:00073372 hint(0000) Name: CoCreateInstanceEx
Addr:00073386 hint(0000) Name: CoSetProxyBlanket
Addr:0007339A hint(0000) Name: StringFromCLSID
Addr:000733AC hint(0000) Name: OleUninitialize
Addr:000733BE hint(0000) Name: CoTaskMemAlloc
Addr:000733CE hint(0000) Name: CoTaskMemFree
Addr:000733DE hint(0000) Name: IIDFromString
Addr:000733EE hint(0000) Name: StringFromIID
Addr:000733FE hint(0000) Name: CLSIDFromString
Addr:00073410 hint(0000) Name: OleInitialize
Addr:00073420 hint(0000) Name: CreateBindCtx
Addr:00073430 hint(0000) Name: CLSIDFromProgID

   Import Module 008: OLEAUT32.dll

Addr:800000A2 hint(00A2) Name: CLSIDFromProgID
Addr:80000026 hint(0026) Name: CLSIDFromProgID
Addr:80000027 hint(0027) Name: CLSIDFromProgID
Addr:80000025 hint(0025) Name: CLSIDFromProgID
Addr:80000029 hint(0029) Name: CLSIDFromProgID
Addr:80000002 hint(0002) Name: CLSIDFromProgID
Addr:800001A2 hint(01A2) Name: CLSIDFromProgID
Addr:80000018 hint(0018) Name: CLSIDFromProgID
Addr:80000017 hint(0017) Name: CLSIDFromProgID
Addr:800000D8 hint(00D8) Name: CLSIDFromProgID
Addr:800000B9 hint(00B9) Name: CLSIDFromProgID
Addr:80000008 hint(0008) Name: CLSIDFromProgID
Addr:80000009 hint(0009) Name: CLSIDFromProgID
Addr:8000000A hint(000A) Name: CLSIDFromProgID
Addr:80000023 hint(0023) Name: CLSIDFromProgID

   Import Module 009: SHELL32.dll

Addr:00073442 hint(0000) Name: DragQueryPoint
Addr:00073452 hint(0000) Name: ShellExecuteExW
Addr:00073464 hint(0000) Name: DragQueryFileW
Addr:00073474 hint(0000) Name: SHBrowseForFolderW
Addr:00073488 hint(0000) Name: SHGetPathFromIDListW
Addr:0007349E hint(0000) Name: SHGetDesktopFolder
Addr:000734B2 hint(0000) Name: SHGetMalloc
Addr:000734C0 hint(0000) Name: SHFileOperationW
Addr:000734D2 hint(0000) Name: ExtractIconExW
Addr:000734E2 hint(0000) Name: Shell_NotifyIconW
Addr:000734F6 hint(0000) Name: ShellExecuteW
Addr:00073506 hint(0000) Name: DragFinish

   Import Module 010: USER32.dll
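Author: kane.hu    Time: 2008-5-27 14:46:24     Title: Reply to #5 清清风风's post

These all seem to be links to the media platform!!!!
Take a look at what comes further down!
Author: 清清风风    Time: 2008-5-27 15:03:24

It's too long, so I can only put up a small section; take a look at this first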
+++++++++++++++++++++++++ 汇编代码列表+++++++++++++++++++
//************************ 代码开始 .text ***************
Program Entry Point = 0045372D (E:\游戏\SANGO7\SG7.exe File Offset:000B852D)


:00401000 B9E8A74800              mov ecx, 0048A7E8
:00401005 E8ADD20000              call 0040E2B7
:0040100A 33C0                    xor eax, eax
:0040100C A3F8854700              mov dword ptr [004785F8], eax
:00401011 A3F4854700              mov dword ptr [004785F4], eax
:00401016 A3E0854700              mov dword ptr [004785E0], eax
:0040101B A3DC854700              mov dword ptr [004785DC], eax
:00401020 A3D8854700              mov dword ptr [004785D8], eax
:00401025 A3F0854700              mov dword ptr [004785F0], eax
:0040102A A3EC854700              mov dword ptr [004785EC], eax
:0040102F A3E8854700              mov dword ptr [004785E8], eax
:00401034 A3E4854700              mov dword ptr [004785E4], eax
:00401039 A2BE854700              mov byte ptr [004785BE], al
:0040103E A2FEA94800              mov byte ptr [0048A9FE], al
:00401043 A2E4A74800              mov byte ptr [0048A7E4], al
:00401048 A2C0854700              mov byte ptr [004785C0], al
:0040104D A2BD854700              mov byte ptr [004785BD], al
:00401052 A2BC854700              mov byte ptr [004785BC], al
:00401057 A2BB854700              mov byte ptr [004785BB], al
:0040105C A2BA854700              mov byte ptr [004785BA], al
:00401061 A2B9854700              mov byte ptr [004785B9], al
:00401066 A2B8854700              mov byte ptr [004785B8], al
:0040106B A3D4A74800              mov dword ptr [0048A7D4], eax
:00401070 C705E0A7480003000000    mov dword ptr [0048A7E0], 00000003
:0040107A C605BF85470001          mov byte ptr [004785BF], 01
:00401081 B8D0A74800              mov eax, 0048A7D0
:00401086 C3                      ret



* Referenced by a CALL at Address:
|:004019FA   
|
:00401087 55                      push ebp
:00401088 8BEC                    mov ebp, esp
:0040108A 81EC28040000            sub esp, 00000428
:00401090 57                      push edi
:00401091 8D85E4FDFFFF            lea eax, dword ptr [ebp+FFFFFDE4]
:00401097 50                      push eax
:00401098 BF04010000              mov edi, 00000104
:0040109D 57                      push edi
:0040109E C645FE00                mov [ebp-02], 00
:004010A2 C645FF00                mov [ebp-01], 00

* Reference To: KERNEL32.GetCurrentDirectoryW, Ord:0000h
                                  |
:004010A6 FF1514634600            Call dword ptr [00466314]
:004010AC FF7508                  push [ebp+08]
:004010AF E845030000              call 004013F9
:004010B4 E8D5D10000              call 0040E28E
:004010B9 85C0                    test eax, eax
:004010BB 7419                    je 004010D6
:004010BD 6A10                    push 00000010
:004010BF 6886AD4600              push 0046AD86
:004010C4 6888AD4600              push 0046AD88
:004010C9 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:0000h
                                  |
:004010CB FF1550664600            Call dword ptr [00466650]
:004010D1 E9DA010000              jmp 004012B0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010BB(C)
|
:004010D6 833DE0A7480000          cmp dword ptr [0048A7E0], 00000000
:004010DD 53                      push ebx
:004010DE 56                      push esi
:004010DF BBF4A74800              mov ebx, 0048A7F4
:004010E4 7520                    jne 00401106
:004010E6 6AFF                    push FFFFFFFF
:004010E8 FF35E8A74800            push dword ptr [0048A7E8]
:004010EE BE98C84800              mov esi, 0048C898
:004010F3 6A01                    push 00000001
:004010F5 E8CE530000              call 004064C8
:004010FA A0BC854700              mov al, byte ptr [004785BC]
:004010FF A29AC84800              mov byte ptr [0048C89A], al
:00401104 EB4E                    jmp 00401154

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010E4(C)
|
:00401106 8D45FE                  lea eax, dword ptr [ebp-02]
:00401109 50                      push eax
:0040110A 68E0A74800              push 0048A7E0
:0040110F 8BF3                    mov esi, ebx
:00401111 B898C84800              mov eax, 0048C898
:00401116 E8075A0000              call 00406B22
:0040111B 84C0                    test al, al
:0040111D 750F                    jne 0040112E
:0040111F C705D485470001000000    mov dword ptr [004785D4], 00000001
:00401129 E973010000              jmp 004012A1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040111D(C)
|
:0040112E A098C84800              mov al, byte ptr [0048C898]
:00401133 A2E4A74800              mov byte ptr [0048A7E4], al
:00401138 A099C84800              mov al, byte ptr [0048C899]
:0040113D 68DCA74800              push 0048A7DC
:00401142 8845FF                  mov byte ptr [ebp-01], al
:00401145 8D85D8FBFFFF            lea eax, dword ptr [ebp+FFFFFBD8]
:0040114B 50                      push eax
:0040114C 57                      push edi
:0040114D 53                      push ebx

* Reference To: KERNEL32.GetFullPathNameW, Ord:0000h
                                  |
:0040114E FF150C634600            Call dword ptr [0046630C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401104(U)
|
:00401154 FF35E0A74800            push dword ptr [0048A7E0]
:0040115A 53                      push ebx
:0040115B E86B810100              call 004192CB
:00401160 85C0                    test eax, eax
:00401162 7426                    je 0040118A
:00401164 BF98C84800              mov edi, 0048C898
:00401169 E826550000              call 00406694
:0040116E 8D85E4FDFFFF            lea eax, dword ptr [ebp+FFFFFDE4]
:00401174 50                      push eax

* Reference To: KERNEL32.SetCurrentDirectoryW, Ord:0000h
                                  |
:00401175 FF1510634600            Call dword ptr [00466310]
:0040117B C705D485470001000000    mov dword ptr [004785D4], 00000001
:00401185 E924010000              jmp 004012AE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401162(C)
|
:0040118A 807DFF01                cmp byte ptr [ebp-01], 01
:0040118E 0F85A8000000            jne 0040123C
:00401194 803DB5A7480001          cmp byte ptr [0048A7B5], 01
:0040119B 0F859B000000            jne 0040123C
:004011A1 E8D2C70000              call 0040D978
:004011A6 84C0                    test al, al
:004011A8 0F858E000000            jne 0040123C
:004011AE 57                      push edi
:004011AF 8D85D8FBFFFF            lea eax, dword ptr [ebp+FFFFFBD8]
:004011B5 50                      push eax
:004011B6 6A00                    push 00000000

* Reference To: KERNEL32.GetModuleFileNameW, Ord:0000h
                                  |
:004011B8 FF1508634600            Call dword ptr [00466308]
:004011BE 807DFE00                cmp byte ptr [ebp-02], 00
:004011C2 7451                    je 00401215
:004011C4 BFF0AD4600              mov edi, 0046ADF0
:004011C9 57                      push edi
:004011CA 8D75F0                  lea esi, dword ptr [ebp-10]
:004011CD E811D10000              call 0040E2E3
:004011D2 53                      push ebx
:004011D3 8BC6                    mov eax, esi
:004011D5 E804D30000              call 0040E4DE
:004011DA 57                      push edi
:004011DB 8BC6                    mov eax, esi
:004011DD E8FCD20000              call 0040E4DE
:004011E2 6A01                    push 00000001
:004011E4 8D85E4FDFFFF            lea eax, dword ptr [ebp+FFFFFDE4]
:004011EA 50                      push eax
:004011EB FF75F0                  push [ebp-10]
:004011EE 8D85D8FBFFFF            lea eax, dword ptr [ebp+FFFFFBD8]
:004011F4 50                      push eax
:004011F5 68F4AD4600              push 0046ADF4

* Reference To: USER32.GetForegroundWindow, Ord:0000h
                                  |
:004011FA FF15F4654600            Call dword ptr [004665F4]
:00401200 50                      push eax

* Reference To: SHELL32.ShellExecuteW, Ord:0000h
                                  |
:00401201 FF1514644600            Call dword ptr [00466414]
:00401207 FF75F0                  push [ebp-10]
:0040120A E837D10400              call 0044E346
:0040120F 59                      pop ecx
:00401210 E982000000              jmp 00401297

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011C2(C)
|
:00401215 6A01                    push 00000001
:00401217 8D85E4FDFFFF            lea eax, dword ptr [ebp+FFFFFDE4]
:0040121D 50                      push eax
:0040121E FF7508                  push [ebp+08]
:00401221 8D85D8FBFFFF            lea eax, dword ptr [ebp+FFFFFBD8]
:00401227 50                      push eax
:00401228 68F4AD4600              push 0046ADF4

* Reference To: USER32.GetForegroundWindow, Ord:0000h
                                  |
:0040122D FF15F4654600            Call dword ptr [004665F4]
:00401233 50                      push eax

* Reference To: SHELL32.ShellExecuteW, Ord:0000h
                                  |
:00401234 FF1514644600            Call dword ptr [00466414]
:0040123A EB5B                    jmp 00401297

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040118E(C), :0040119B(C), :004011A8(C)
|
:0040123C E874000000              call 004012B5
:00401241 E842010000              call 00401388
:00401246 803DE4A7480000          cmp byte ptr [0048A7E4], 00
:0040124D 750A                    jne 00401259
:0040124F BF40B24800              mov edi, 0048B240
:00401254 E8D68C0000              call 00409F2F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040124D(C)
|
:00401259 6A01                    push 00000001
:0040125B B800AA4800              mov eax, 0048AA00
:00401260 E8C8810100              call 0041942D
:00401265 803DE4A7480000          cmp byte ptr [0048A7E4], 00
:0040126C 7529                    jne 00401297
:0040126E BF64C04800              mov edi, 0048C064

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401295(C)
|
:00401273 8B37                    mov esi, dword ptr [edi]
:00401275 85F6                    test esi, esi
:00401277 7413                    je 0040128C
:00401279 FF7608                  push [esi+08]
:0040127C E8C5D00400              call 0044E346
:00401281 56                      push esi
:00401282 E8BFD00400              call 0044E346
:00401287 832700                  and dword ptr [edi], 00000000
:0040128A 59                      pop ecx
:0040128B 59                      pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401277(C)
|
:0040128C 83C704                  add edi, 00000004
:0040128F 81FF80C84800            cmp edi, 0048C880
:00401295 7CDC                    jl 00401273

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401210(U), :0040123A(U), :0040126C(C)
|
:00401297 BF98C84800              mov edi, 0048C898
:0040129C E8F3530000              call 00406694

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401129(U)
|
:004012A1 8D85E4FDFFFF            lea eax, dword ptr [ebp+FFFFFDE4]
:004012A7 50                      push eax

* Reference To: KERNEL32.SetCurrentDirectoryW, Ord:0000h
                                  |
:004012A8 FF1510634600            Call dword ptr [00466310]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401185(U)
|
:004012AE 5E                      pop esi
:004012AF 5B                      pop ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010D1(U)
|
:004012B0 5F                      pop edi
:004012B1 C9                      leave
:004012B2 C20400                  ret 0004



* Referenced by a CALL at Address:
|:0040123C   
|
:004012B5 55                      push ebp
:004012B6 8BEC                    mov ebp, esp
:004012B8 83EC34                  sub esp, 00000034
:004012BB 53                      push ebx
:004012BC 56                      push esi
:004012BD 57                      push edi
:004012BE 6A0F                    push 0000000F

* Reference To: USER32.GetSysColorBrush, Ord:0000h
                                  |
:004012C0 FF15F0654600            Call dword ptr [004665F0]
:004012C6 68007F0000              push 00007F00
:004012CB 33DB                    xor ebx, ebx
:004012CD 53                      push ebx
:004012CE 8BF8                    mov edi, eax

* Reference To: USER32.LoadCursorW, Ord:0000h
                                  |
:004012D0 FF15EC654600            Call dword ptr [004665EC]

* Reference To: USER32.LoadIconW, Ord:0000h
                                  |
:004012D6 8B35E8654600            mov esi, dword ptr [004665E8]

* Possible Reference to String Resource ID=00161: ""If" ?舺        "
                                  |
:004012DC 68A1000000              push 000000A1
:004012E1 FF3500864700            push dword ptr [00478600]
:004012E7 8945FC                  mov dword ptr [ebp-04], eax
:004012EA FFD6                    call esi

* Possible Reference to String Resource ID=00164: "
龏"
                                  |
:004012EC 68A4000000              push 000000A4
:004012F1 FF3500864700            push dword ptr [00478600]
:004012F7 A3D0A74800              mov dword ptr [0048A7D0], eax
:004012FC FFD6                    call esi
:004012FE 381DB1A74800            cmp byte ptr [0048A7B1], bl
:00401304 A3D8A74800              mov dword ptr [0048A7D8], eax
:00401309 750D                    jne 00401318
:0040130B 381DBFA74800            cmp byte ptr [0048A7BF], bl
:00401311 7505                    jne 00401318
:00401313 6A04                    push 00000004
:00401315 58                      pop eax
:00401316 EB03                    jmp 0040131B
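Author: 长风吹云    Time: 2008-5-27 18:46:49     Title: Reply to #7 清清风风's post

Keep it up, this looks very promising!!
Author: starcat2    Time: 2008-5-27 19:17:34

VC5.0~
Delphi2.0~~

Just looking at the assembly still makes my head spin a bit~~~~
Author: 清清风风    Time: 2008-5-27 19:49:08

If anyone knows assembly, or can give me a tutorial, either is fine
I have time now and can study it
Right now I'm facing a pile of code with no idea where to start...

[ This post was last edited by 清清风风 at 2008-5-27 19:51 ]
Author: starcat2    Time: 2008-5-27 20:05:42

I know a little~~~ but teaching you is impossible~~~~

If you don't understand how a computer works, telling you more would be pointless~
Author: 清清风风    Time: 2008-5-27 20:09:12

Then do you have time to take a look at this EXE's program code?
If you can, please help us modify it, many thanks!!
Author: gaoqi143    Time: 2008-5-27 20:38:11

Very good, I completely don't understand it~~~~~~~

Sitting and waiting for results~~~~~~~~~~~·
Author: starcat2    Time: 2008-5-27 20:39:01

I only know a little assembly; to read a program I'd need another 2 years of training~
Author: 清清风风    Time: 2008-5-27 20:42:15

I'm fainting, then all we can do is sit and wait for results..

Author: margay    Time: 2008-5-28 00:28:09

...Haven't you noticed that everyone is waiting on you, 清风?! Keep going...
As a total newbie, I am very seriously passing by...
Author: 长风吹云    Time: 2008-5-28 13:07:17

清清风风, at least you got the code out,

As for actually understanding it, that really is a highly technical problem!!

Assembly is the hardest of all languages, because it is close to the hardware!!

I can only support you in spirit,

I suggest you package up the code and release it; maybe some expert will take a look!!
Author: 清清风风    Time: 2008-5-28 13:20:05

I'll upload the exe file then~! I've found that the code comes out different with every disassembler I switch to~!
Author: 长风吹云    Time: 2008-5-28 13:43:51     Title: Reply to #18 清清风风's post

Ah, could it be that the packer wasn't removed completely!!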
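
A check for the question raised in post #19, as an added example that is not part of the original thread: it parses the object table from the disassembler listing in post #5 and looks for UPX section names, writable-and-executable sections, and the section holding the entry point given in post #7. The function names and the second, packed-style listing are constructed for illustration; section extents use the listed raw sizes because the listing does not show virtual sizes.

```python
import re

# Section characteristic bits from the PE/COFF specification.
FLAG_NAMES = [
    (0x00000020, "CODE"),
    (0x00000040, "INITIALIZED_DATA"),
    (0x00000080, "UNINITIALIZED_DATA"),
    (0x20000000, "EXECUTE"),
    (0x40000000, "READ"),
    (0x80000000, "WRITE"),
]
MEM_EXECUTE = 0x20000000
MEM_WRITE = 0x80000000

OBJECT_RE = re.compile(
    r"Object\d+:\s+(?P<name>\S+)\s+RVA:\s+(?P<rva>[0-9A-Fa-f]{8})\s+"
    r"Offset:\s+(?P<off>[0-9A-Fa-f]{8})\s+Size:\s+(?P<size>[0-9A-Fa-f]{8})\s+"
    r"Flags:\s+(?P<flags>[0-9A-Fa-f]{8})"
)

# Object lines, image base and entry point as posted in the thread for SG7.exe.
POSTED_LISTING = """
   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 00064A00 Flags: 60000020
   Object02: .rdata   RVA: 00066000 Offset: 00064E00 Size: 0000E200 Flags: 40000040
   Object03: .data    RVA: 00075000 Offset: 00073000 Size: 00002A00 Flags: C0000040
   Object04: .rsrc    RVA: 0008E000 Offset: 00075A00 Size: 00002A00 Flags: 40000040
"""
POSTED_IMAGEBASE = 0x00400000
POSTED_ENTRY_VA = 0x0045372D

# Constructed listing (not from the thread) in the layout a UPX-packed file
# typically shows: UPX0/UPX1 sections that are both writable and executable.
PACKED_LISTING = """
   Object01: UPX0     RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000080
   Object02: UPX1     RVA: 00090000 Offset: 00000400 Size: 00030000 Flags: E0000040
   Object03: .rsrc    RVA: 000C0000 Offset: 00030400 Size: 00002A00 Flags: C0000040
"""


def decode_flags(flags):
    """Return the names of the characteristic bits set in a section's flags."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def parse_objects(listing):
    """Parse 'ObjectNN: name RVA: .. Offset: .. Size: .. Flags: ..' lines."""
    return [
        {
            "name": m.group("name"),
            "rva": int(m.group("rva"), 16),
            "offset": int(m.group("off"), 16),
            "size": int(m.group("size"), 16),
            "flags": int(m.group("flags"), 16),
        }
        for m in OBJECT_RE.finditer(listing)
    ]


def section_containing(sections, rva):
    """Find the section whose listed extent covers the given RVA."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + s["size"]:
            return s
    return None


def triage(listing, imagebase, entry_va):
    """Report layout markers that suggest a packer stub is still present."""
    sections = parse_objects(listing)
    wx = MEM_WRITE | MEM_EXECUTE
    entry = section_containing(sections, entry_va - imagebase)
    # A normal entry point sits in a section that is executable but not writable.
    entry_ok = (
        entry is not None
        and bool(entry["flags"] & MEM_EXECUTE)
        and not (entry["flags"] & MEM_WRITE)
    )
    report = {
        "sections": [(s["name"], decode_flags(s["flags"])) for s in sections],
        "packer_names": [s["name"] for s in sections
                         if s["name"].upper().startswith("UPX")],
        "write_exec": [s["name"] for s in sections if (s["flags"] & wx) == wx],
        "entry_section": entry["name"] if entry else None,
        # File data past this offset belongs to no section (an overlay).
        "raw_end": max((s["offset"] + s["size"] for s in sections), default=0),
    }
    report["looks_packed"] = bool(
        report["packer_names"] or report["write_exec"] or not entry_ok
    )
    return report


if __name__ == "__main__":
    for label, args in (
        ("posted", (POSTED_LISTING, POSTED_IMAGEBASE, POSTED_ENTRY_VA)),
        ("constructed packed", (PACKED_LISTING, 0x00400000, 0x004BF000)),
    ):
        print(label, triage(*args))
```

A clean result only rules out the layout markers checked here; it says nothing about whether the rest of the image was rebuilt correctly.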
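Author: starcat2    Time: 2008-5-28 17:59:08

Originally posted by 长风吹云 at 2008-5-28 13:07
清清风风, at least you got the code out,

As for actually understanding it, that really is a highly technical problem!!

Assembly is the hardest of all languages, because it is close to the hardware!!

I can only support you in spirit,

I suggest you package up the code and release it; maybe some expert will take a look!! ...

Kid~ assembly is the hardest?
You're showing that you're an outsider!
The hardest is binary machine code!!!

I can still understand a bit of assembly, but with binary machine code I'm completely lost
Author: kane.hu    Time: 2008-5-28 18:08:05     Title: Reply to #20 starcat2's post

Then you go ahead and read it first! When it comes to the binary code, we'll all guess together! Many hands make light work!
Binary? I think I learned it N-to-the-N years ago! But by now I've basically forgotten all of it!
[oh-ho-ho]
Author: 长风吹云    Time: 2008-5-28 20:43:51     Title: Reply to #20 starcat2's post

You're right, I really am a complete outsider!!

So, like the fox, I'm hoping some expert will give us a ready-made one!!

Would some expert please look into it!!

Welcome to 游侠NETSHOW Forum (https://game.ali213.net/) Powered by Discuz! X2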