Knowledge sharing, resource sharing, material sharing

[Release date] 2001-02-27
[Issue] No. 29
[Website] http://programhunter.myetang.com
[Copyright notice] Program Hunter (程式猎人)

This magazine is edited, produced and published by Program Hunter. It may be freely reproduced, distributed and circulated. No individual or group may modify the magazine's appearance or content without my authorization. The right of interpretation belongs to Program Hunter.

[Editor's note]

{~._.~}
( Y )
()~*~()
(_)-(_)
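
With everyone's support this magazine will get better and better. I hope you will all keep supporting it, and I will do my best to serve you. For friends who enjoy cracking there is now some truly astonishing good news: the well-known online figure Kanxue (看雪) is going to publish a book on how to learn cracking, based on his own experience and the material he has collected. Once the book is out, everyone really must read it (if you have the money it will of course be in your hands; and if you don't?!). Don't take this as an advertisement for him; I say it only so that everyone can learn more, and I get nothing at all out of it.
Today's issue presents articles by netizen TAE!, another person who quietly works hard for the development of the cracking scene. If our scene had a few more people like this, then... what would it look like?

[Contents]

[Cracking notes]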
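Target software: SkyNet Firewall (天网防火墙) Personal Edition 2.0 (beta)
Protection: serial number
Cracking method: brute-force patching
Cracker: TAE!
Notes: A registration code for this software can be obtained free of charge from its website, but for the sake of practice I decided to crack it anyway; after all, it can only do me good and no harm.
First I ran it and found that at startup it asks you to enter a registration name and a registration code.
After clicking Cancel it runs normally, with no functional restrictions.
I first tried to find its registration code with TRW, but my skills are too weak and I could not crack it that way.
So I thought of another approach: disassemble it with W32dasm! I chose String data references and searched and searched...
Guess what I found?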
* Referenced by a CALL at Address:
|:00403CD4
|
:00405F1C 55 push ebp
:00405F1D 8BEC mov ebp, esp
:00405F1F 83C4B4 add esp, FFFFFFB4
:00405F22 53 push ebx
:00405F23 56 push esi
:00405F24 57 push edi
:00405F25 8BD8 mov ebx, eax
:00405F27 8D75B4 lea esi, dword ptr [ebp-4C]
:00405F2A B8580A4C00 mov eax, 004C0A58
:00405F2F E80C8B0900 call 0049EA40
:00405F34 66C746100800 mov [esi+10], 0008
:00405F3A 33D2 xor edx, edx
:00405F3C 33C9 xor ecx, ecx
:00405F3E 8955FC mov dword ptr [ebp-04], edx
:00405F41 BA2DFD4B00 mov edx, 004BFD2D
:00405F46 FF461C inc [esi+1C]
:00405F49 8D45EC lea eax, dword ptr [ebp-14]
:00405F4C 66C746101400 mov [esi+10], 0014
:00405F52 66C746102000 mov [esi+10], 0020
:00405F58 894DF8 mov dword ptr [ebp-08], ecx
:00405F5B FF461C inc [esi+1C]
:00405F5E 66C746101400 mov [esi+10], 0014
:00405F64 66C746102C00 mov [esi+10], 002C
:00405F6A E8F5680B00 call 004BC864
:00405F6F FF461C inc [esi+1C]
:00405F72 8D55E8 lea edx, dword ptr [ebp-18]
:00405F75 8B08 mov ecx, dword ptr [eax]
:00405F77 33C0 xor eax, eax
:00405F79 51 push ecx
:00405F7A 8945E8 mov dword ptr [ebp-18], eax
:00405F7D 52 push edx
* Possible StringData Ref from Data Obj ->"UserName"*********
|
:00405F7E BA24FD4B00 mov edx, 004BFD24
:00405F83 FF461C inc [esi+1C]
:00405F86 8D45F0 lea eax, dword ptr [ebp-10]
:00405F89 E8D6680B00 call 004BC864
:00405F8E FF461C inc [esi+1C]
* Possible StringData Ref from Data Obj ->"Register"*********
|
:00405F91 BA1BFD4B00 mov edx, 004BFD1B
:00405F96 8B08 mov ecx, dword ptr [eax]
:00405F98 8D45F4 lea eax, dword ptr [ebp-0C]
:00405F9B 51 push ecx
:00405F9C E8C3680B00 call 004BC864
:00405FA1 FF461C inc [esi+1C]
:00405FA4 8B10 mov edx, dword ptr [eax]
:00405FA6 8B8300030000 mov eax, dword ptr [ebx+00000300]
:00405FAC 59 pop ecx
:00405FAD 8B38 mov edi, dword ptr [eax]
:00405FAF FF17 call dword ptr [edi]
:00405FB1 8D55E8 lea edx, dword ptr [ebp-18]
:00405FB4 8D45FC lea eax, dword ptr [ebp-04]
:00405FB7 E8F4690B00 call 004BC9B0
:00405FBC FF4E1C dec [esi+1C]
:00405FBF 8D45E8 lea eax, dword ptr [ebp-18]
:00405FC2 BA02000000 mov edx, 00000002
:00405FC7 E8B4690B00 call 004BC980
:00405FCC FF4E1C dec [esi+1C]
:00405FCF 8D45EC lea eax, dword ptr [ebp-14]
:00405FD2 BA02000000 mov edx, 00000002
:00405FD7 E8A4690B00 call 004BC980
:00405FDC FF4E1C dec [esi+1C]
:00405FDF 8D45F0 lea eax, dword ptr [ebp-10]
:00405FE2 BA02000000 mov edx, 00000002
:00405FE7 E894690B00 call 004BC980
:00405FEC FF4E1C dec [esi+1C]
:00405FEF 8D45F4 lea eax, dword ptr [ebp-0C]
:00405FF2 BA02000000 mov edx, 00000002
:00405FF7 E884690B00 call 004BC980
:00405FFC 66C746103800 mov [esi+10], 0038
:00406002 BA43FD4B00 mov edx, 004BFD43
:00406007 8D45DC lea eax, dword ptr [ebp-24]
:0040600A E855680B00 call 004BC864
:0040600F FF461C inc [esi+1C]
:00406012 8D55D8 lea edx, dword ptr [ebp-28]
:00406015 8B08 mov ecx, dword ptr [eax]
:00406017 33C0 xor eax, eax
:00406019 51 push ecx
:0040601A 8945D8 mov dword ptr [ebp-28], eax
:0040601D 52 push edx
* Possible StringData Ref from Data Obj ->"RegisterKey"*********
|
:0040601E BA37FD4B00 mov edx, 004BFD37
:00406023 FF461C inc [esi+1C]
:00406026 8D45E0 lea eax, dword ptr [ebp-20]
:00406029 E836680B00 call 004BC864
:0040602E FF461C inc [esi+1C]
* Possible StringData Ref from Data Obj ->"Register"*********
|
:00406031 BA2EFD4B00 mov edx, 004BFD2E
:00406036 8B08 mov ecx, dword ptr [eax]
:00406038 8D45E4 lea eax, dword ptr [ebp-1C]
:0040603B 51 push ecx
:0040603C E823680B00 call 004BC864
:00406041 FF461C inc [esi+1C]
:00406044 8B10 mov edx, dword ptr [eax]
:00406046 8B8300030000 mov eax, dword ptr [ebx+00000300]
:0040604C 59 pop ecx
:0040604D 8B38 mov edi, dword ptr [eax]
:0040604F FF17 call dword ptr [edi]
:00406051 8D55D8 lea edx, dword ptr [ebp-28]
:00406054 8D45F8 lea eax, dword ptr [ebp-08]
:00406057 E854690B00 call 004BC9B0
:0040605C FF4E1C dec [esi+1C]
:0040605F 8D45D8 lea eax, dword ptr [ebp-28]
:00406062 BA02000000 mov edx, 00000002
:00406067 E814690B00 call 004BC980
:0040606C FF4E1C dec [esi+1C]
:0040606F 8D45DC lea eax, dword ptr [ebp-24]
:00406072 BA02000000 mov edx, 00000002
:00406077 E804690B00 call 004BC980
:0040607C FF4E1C dec [esi+1C]
:0040607F 8D45E0 lea eax, dword ptr [ebp-20]
:00406082 BA02000000 mov edx, 00000002
:00406087 E8F4680B00 call 004BC980
:0040608C FF4E1C dec [esi+1C]
:0040608F 8D45E4 lea eax, dword ptr [ebp-1C]
:00406092 BA02000000 mov edx, 00000002
:00406097 E8E4680B00 call 004BC980
:0040609C 8B4DF8 mov ecx, dword ptr [ebp-08]
:0040609F 8B55FC mov edx, dword ptr [ebp-04]
:004060A2 8BC3 mov eax, ebx
:004060A4 E85FFCFFFF call 00405D08
:004060A9 888305030000 mov byte ptr [ebx+00000305], al
:004060AF BA02000000 mov edx, 00000002
:004060B4 8A8305030000 mov al, byte ptr [ebx+00000305]
:004060BA 50 push eax
:004060BB 8D45F8 lea eax, dword ptr [ebp-08]
:004060BE FF4E1C dec [esi+1C]
:004060C1 E8BA680B00 call 004BC980
:004060C6 FF4E1C dec [esi+1C]
:004060C9 8D45FC lea eax, dword ptr [ebp-04]
:004060CC BA02000000 mov edx, 00000002
:004060D1 E8AA680B00 call 004BC980
:004060D6 58 pop eax
:004060D7 8B16 mov edx, dword ptr [esi]
:004060D9 64891500000000 mov dword ptr fs:[00000000], edx
:004060E0 5F pop edi
:004060E1 5E pop esi
:004060E2 5B pop ebx
:004060E3 8BE5 mov esp, ebp
:004060E5 5D pop ebp
:004060E6 C3 ret
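Oh~, I can see the god of victory beckoning to me!
These are clearly the marker strings under which registration information is stored in a file (can I call them that?).
What, you don't follow? Let me give an example!
Some software keeps its registration information in a file, usually <program name>.ini or <program name>.dat, for example WinZip Self-Extract 2.2.
Once you have registered, SkyNet Firewall's .ini file, that is its configuration file, should contain the following entries:
[register]
username=your registration name
registerkey=your registration code
Think about it: every time the software starts it reads the .ini to see whether these entries exist; if they do, it checks whether the registration name and your registration code match;
if the entries are not found, it concludes straight away that you have not registered and pops up the prompt!
So we can start from here. Looking upward, we see that it is called from 00403CD4.
So I went there:
Sure enough, the registration information is kept in the SNFW.INI file!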
* Possible StringData Ref from Data Obj ->"SNFW.INI"
|
:00403C50 BA2BFB4B00 mov edx, 004BFB2B
:00403C55 8D45F0 lea eax, dword ptr [ebp-10]
:00403C58 E8078C0B00 call 004BC864
:00403C5D FF45D4 inc [ebp-2C]
:00403C60 33C0 xor eax, eax
:00403C62 8945EC mov dword ptr [ebp-14], eax
:00403C65 8D55F0 lea edx, dword ptr [ebp-10]
:00403C68 FF45D4 inc [ebp-2C]
:00403C6B 8D4DEC lea ecx, dword ptr [ebp-14]
:00403C6E 58 pop eax
:00403C6F E8648D0B00 call 004BC9D8
:00403C74 8D4DEC lea ecx, dword ptr [ebp-14]
:00403C77 8B09 mov ecx, dword ptr [ecx]
:00403C79 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"Ø·C"
|
:00403C7B A110B14300 mov eax, dword ptr [0043B110]
:00403C80 E83B010000 call 00403DC0
:00403C85 898300030000 mov dword ptr [ebx+00000300], eax
:00403C8B FF4DD4 dec [ebp-2C]
:00403C8E 8D45EC lea eax, dword ptr [ebp-14]
:00403C91 BA02000000 mov edx, 00000002
:00403C96 E8E58C0B00 call 004BC980
:00403C9B FF4DD4 dec [ebp-2C]
:00403C9E 8D45F0 lea eax, dword ptr [ebp-10]
:00403CA1 BA02000000 mov edx, 00000002
:00403CA6 E8D58C0B00 call 004BC980
:00403CAB FF4DD4 dec [ebp-2C]
:00403CAE 8D45F4 lea eax, dword ptr [ebp-0C]
:00403CB1 BA02000000 mov edx, 00000002
:00403CB6 E8C58C0B00 call 004BC980
:00403CBB FF4DD4 dec [ebp-2C]
:00403CBE 8D45F8 lea eax, dword ptr [ebp-08]
:00403CC1 BA02000000 mov edx, 00000002
:00403CC6 E8B58C0B00 call 004BC980
:00403CCB C6830503000000 mov byte ptr [ebx+00000305], 00
:00403CD2 8BC3 mov eax, ebx
:00403CD4 E843220000 call 00405F1C \<------ arrived here
:00403CD9 84C0 test al, al - Hey! This looks very familiar.
:00403CDB 7541 jne 00403D1E /
:00403CDD 33C9 xor ecx, ecx
:00403CDF B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"@F"
|
:00403CE1 A1DC304C00 mov eax, dword ptr [004C30DC]
:00403CE6 E8D1700000 call 0040ADBC
:00403CEB 8BF8 mov edi, eax
:00403CED 8BC7 mov eax, edi
:00403CEF 8B10 mov edx, dword ptr [eax]
:00403CF1 FF92D8000000 call dword ptr [edx+000000D8]
:00403CF7 8BF7 mov esi, edi
:00403CF9 8975E4 mov dword ptr [ebp-1C], esi
:00403CFC 85F6 test esi, esi
:00403CFE 741E je 00403D1E
:00403D00 8B06 mov eax, dword ptr [esi]
:00403D02 8945E8 mov dword ptr [ebp-18], eax
:00403D05 66C745C82C00 mov [ebp-38], 002C
:00403D0B BA03000000 mov edx, 00000003
:00403D10 8B45E4 mov eax, dword ptr [ebp-1C]
:00403D13 8B08 mov ecx, dword ptr [eax]
:00403D15 FF51FC call [ecx-04]
:00403D18 66C745C82000 mov [ebp-38], 0020
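Try changing :00403CDB jne 00403D1E
to :00403CDB je 00403D1E
that is, change 7541
to 7441
Run it. Mm! Very good, that annoying registration prompt no longer appears.
This should be my first cracking tutorial. Sigh! I finally appreciate how hard all of you veterans work; writing this stuff really does take time. And I typed it all with a pinyin input method!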

My (TAE!'s) second cracking tutorial
Target software: The Cleaner 3.2 BUILD 3205
Protection: serial number
Cracking method: brute-force patching
Download: http://www.moosoft.com
About the software: The Cleaner searches your hard drive and cleans it of all known
Trojans. Using a unique patent-pending technology, The Cleaner
compares each file against a list of all known Trojans. You
can scan your entire system or just one file. The program
also allows you to periodically update your Trojan database
file to keep it current with the latest research. If you're
going to expose your system to the dangers of the internet,
keep it clean with The Cleaner!
Earlier versions of this software, such as 3.1, were easy to crack, but I never managed to work out the registration code for version 3.2. While tracing,
I found that two registration codes from version 3.1 appear in memory, but they cannot be used in this version.
Brute-force patching, however, is very simple. First check with fileinfo what "clothes" it is wearing. Oh, it turns out to be UPX0.9?
Load the program with TRW, trace it, and unpack it.
A question, by the way:
:XXXX:XXXXXXXX PUSH EAX <----- Why, when I use TRW's makepe command on this line, does it say:
........ Rebuild Import Table error!
After unpacking, disassemble it and search the string data. The registration code of the earlier version, 3310-EEC2-21D0-0C82, turns up, so
double-click it and the following code appears.
* Referenced by a CALL at Addresses:
|:00495B11 , :004A98CD , :004AD6B2
|
:004B252C 55 push ebp
:004B252D 8BEC mov ebp, esp
:004B252F 81C4F0FDFFFF add esp, FFFFFDF0
:004B2535 53 push ebx
:004B2536 56 push esi
:004B2537 57 push edi
:004B2538 33D2 xor edx, edx
:004B253A 8995F4FDFFFF mov dword ptr [ebp+FFFFFDF4], edx
:004B2540 8995F0FDFFFF mov dword ptr [ebp+FFFFFDF0], edx
:004B2546 8955FC mov dword ptr [ebp-04], edx
:004B2549 8955F8 mov dword ptr [ebp-08], edx
:004B254C 8BF8 mov edi, eax
:004B254E B908000000 mov ecx, 00000008
:004B2553 8D8508FEFFFF lea eax, dword ptr [ebp+FFFFFE08]
* Possible StringData Ref from Data Obj ->"
String?@"
|
:004B2559 8B15AC104000 mov edx, dword ptr [004010AC]
:004B255F E8441DF5FF call 004042A8
:004B2564 33C0 xor eax, eax
:004B2566 55 push ebp
:004B2567 68F1284B00 push 004B28F1
:004B256C 64FF30 push dword ptr fs:[eax]
:004B256F 648920 mov dword ptr fs:[eax], esp
:004B2572 33C0 xor eax, eax
:004B2574 55 push ebp
:004B2575 68A4284B00 push 004B28A4
:004B257A 64FF30 push dword ptr fs:[eax]
:004B257D 648920 mov dword ptr fs:[eax], esp
:004B2580 8B9750530000 mov edx, dword ptr [edi+00005350]
:004B2586 8D45FC lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Data Obj ->"ibu.dll"
|
:004B2589 B90C294B00 mov ecx, 004B290C
:004B258E E8F517F5FF call 00403D88
:004B2593 8D8770B35101 lea eax, dword ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2599 BA1C294B00 mov edx, 004B291C
:004B259E E87115F5FF call 00403B14
:004B25A3 8D8774B35101 lea eax, dword ptr [edi+0151B374]
:004B25A9 E81215F5FF call 00403AC0
:004B25AE 8B45FC mov eax, dword ptr [ebp-04]
:004B25B1 E89E55F5FF call 00407B54
:004B25B6 84C0 test al, al
:004B25B8 0F84BA020000 je 004B2878
:004B25BE 8B55FC mov edx, dword ptr [ebp-04]
:004B25C1 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B25C7 E8562CF5FF call 00405222
:004B25CC 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B25D2 E8502FF5FF call 00405527
:004B25D7 8D9770B35101 lea edx, dword ptr [edi+0151B370]
:004B25DD 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B25E3 E8101BF5FF call 004040F8
:004B25E8 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B25EE E8D12EF5FF call 004054C4
:004B25F3 8D55F8 lea edx, dword ptr [ebp-08]
:004B25F6 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B25FC E8F71AF5FF call 004040F8
:004B2601 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B2607 E8B82EF5FF call 004054C4
:004B260C 8D8528FEFFFF lea eax, dword ptr [ebp+FFFFFE28]
:004B2612 E8112DF5FF call 00405328
:004B2617 8D8774B35101 lea eax, dword ptr [edi+0151B374]
:004B261D 8B55F8 mov edx, dword ptr [ebp-08]
:004B2620 E8EF14F5FF call 00403B14
:004B2625 8B45F8 mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->"3310-EEC2-21D0-0C82"***
|
:004B2628 BA3C294B00 mov edx, 004B293C
:004B262D E81A18F5FF call 00403E4C
:004B2632 740F je 004B2643
:004B2634 8B45F8 mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->"27F9-996A-BBBA-793E"***
|
:004B2637 BA58294B00 mov edx, 004B2958
:004B263C E80B18F5FF call 00403E4C
:004B2641 752A jne 004B266D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2632(C)
|
:004B2643 8D8770B35101 lea eax, dword ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2649 BA1C294B00 mov edx, 004B291C
:004B264E E8C114F5FF call 00403B14
:004B2653 8D8774B35101 lea eax, dword ptr [edi+0151B374]
:004B2659 E86214F5FF call 00403AC0
:004B265E 33DB xor ebx, ebx
:004B2660 33C0 xor eax, eax
:004B2662 5A pop edx
:004B2663 59 pop ecx
:004B2664 59 pop ecx
:004B2665 648910 mov dword ptr fs:[eax], edx
:004B2668 E943020000 jmp 004B28B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B2641(C)
|
:004B266D 8B45F8 mov eax, dword ptr [ebp-08]
:004B2670 E8C716F5FF call 00403D3C
:004B2675 83F813 cmp eax, 00000013
:004B2678 742A je 004B26A4
:004B267A 8D8770B35101 lea eax, dword ptr [edi+0151B370]
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004B2680 BA1C294B00 mov edx, 004B291C
:004B2685 E88A14F5FF call 00403B14
:004B268A 8D8774B35101 lea eax, dword ptr [edi+0151B374]
:004B2690 E82B14F5FF call 00403AC0
:004B2695 33DB xor ebx, ebx
:004B2697 33C0 xor eax, eax
:004B2699 5A pop edx
:004B269A 59 pop ecx
:004B269B 59 pop ecx
:004B269C 648910 mov dword ptr fs:[eax], edx
:004B269F E90C020000 jmp 004B28B0
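You can see at a glance that it is called from three places. Analysis shows that the first Call is the one made when registration data is entered, the second is unknown, and the third is the check at program startup
of whether you are already registered, so I went here: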
* Possible StringData Ref from Data Obj ->"Windows Directory: "
|
:004AD69A BA2CDE4A00 mov edx, 004ADE2C
:004AD69F E8E466F5FF call 00403D88
:004AD6A4 8B8574FFFFFF mov eax, dword ptr [ebp+FFFFFF74]
:004AD6AA E849F1FDFF call 0048C7F8
:004AD6AF 8B45FC mov eax, dword ptr [ebp-04]
:004AD6B2 E8754E0000 call 004B252C \ <----- arrived here
:004AD6B7 84C0 test al, al - Looks very familiar!
:004AD6B9 754C jne 004AD707 / try changing this to je
:004AD6BB 8B45FC mov eax, dword ptr [ebp-04]
:004AD6BE 0570B35101 add eax, 0151B370
* Possible StringData Ref from Data Obj ->"Unregistered Shareware"
|
:004AD6C3 BA48DE4A00 mov edx, 004ADE48
:004AD6C8 E84764F5FF call 00403B14
:004AD6CD 8B0DF06F4B00 mov ecx, dword ptr [004B6FF0]
:004AD6D3 A1B86F4B00 mov eax, dword ptr [004B6FB8]
:004AD6D8 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Data Obj ->"Äî@"
|
:004AD6DA 8B15548D4900 mov edx, dword ptr [00498D54]
:004AD6E0 E85F37F8FF call 00430E44
:004AD6E5 A1F06F4B00 mov eax, dword ptr [004B6FF0]
:004AD6EA 8B00 mov eax, dword ptr [eax]
:004AD6EC E8DB18F8FF call 0042EFCC
:004AD6F1 83F802 cmp eax, 00000002
:004AD6F4 7511 jne 004AD707
:004AD6F6 A1B86F4B00 mov eax, dword ptr [004B6FB8]
:004AD6FB 8B00 mov eax, dword ptr [eax]
:004AD6FD E88238F8FF call 00430F84
:004AD702 E951060000 jmp 004ADD58
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AD6B9(C), :004AD6F4(C)
|
* Possible StringData Ref from Data Obj ->"Load Database"
|
:004AD707 B868DE4A00 mov eax, 004ADE68
:004AD70C E8E7F0FDFF call 0048C7F8
:004AD711 8B45FC mov eax, dword ptr [ebp-04]
:004AD714 80B86053000000 cmp byte ptr [eax+00005360], 00
:004AD71B 7417 je 004AD734
:004AD71D A12C6F4B00 mov eax, dword ptr [004B6F2C]
:004AD722 8B00 mov eax, dword ptr [eax]
:004AD724 8B80E4010000 mov eax, dword ptr [eax+000001E4]
* Possible StringData Ref from Data Obj ->"Loading database..."
|
:004AD72A BA80DE4A00 mov edx, 004ADE80
:004AD72F E88C57F9FF call 00442EC0
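Change :004AD6B9 754C jne 004AD707
to: 744C je 004ad707
Run it: registration indeed succeeds, and the registration prompt no longer appears.

Brute-force patching, round three: Button Studio 1.41
Target software: Button Studio 1.41
Protection: KeyFile
Cracking method: brute-force patching (why is it patching every time, do you have violent tendencies?!@#@&^&$#)
Cracker: TAE!
About the software: a tool for making all kinds of attractive buttons; it is small and easy to use, and the buttons it produces look great.
Download: www.interkodex.com
First let me state that I am mentally healthy, optimistic and positive, and have absolutely no violent tendencies; it is only because my skills are lacking that patching is all I can do :)
This software has nowhere to enter a registration code, so I guessed it might be protected by a KeyFile. So I ran Filemon
and then Button Studio, and found that it reads the file buttonstudio.rg. My guess was that this file is the KeyFile.
I created a buttonstudio.rg file and ran the software. Strange: no response, it would not run!! I had guessed right: the program must check
the KeyFile when it runs, but the file I created is certainly not a real KeyFile (obviously!), so the program noticed and refused to
run.
Run TRW 1.23 (BTW: why does CTRL+N sometimes fail to bring it up?), set the breakpoint bpx CreateFileA, and run
the program. It breaks; enter D EAX to look, then press F5 to continue. It breaks again; be sure to check the value of EAX each time. After pressing
F5 about 6 times in this way, the program has started reading the buttonstudio.rg file; enter Pmodule to return to Button Studio's
own code.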
* Reference To: kernel32.CreateFileA, Ord:0000h
|
:0040636B E8B0AEFFFF Call 00401220
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406395(U)
|
:00406370 83F8FF cmp eax, FFFFFFFF //back here.
:00406373 7429 je 0040639E
:00406375 8903 mov dword ptr [ebx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063AF(U)
|
:00406377 5F pop edi
:00406378 5E pop esi
:00406379 5B pop ebx
:0040637A C3 ret
Shortly afterwards execution reaches this point:
* Possible StringData Ref from Code Obj ->"buttonstudio.rg"
|
:004B3196 684C344B00 push 004B344C
:004B319B 8D852CFDFFFF lea eax, dword ptr [ebp+FFFFFD2C]
:004B31A1 BA03000000 mov edx, 00000003
:004B31A6 E8590FF5FF call 00404104
:004B31AB 8B952CFDFFFF mov edx, dword ptr [ebp+FFFFFD2C]
:004B31B1 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B31B7 E8F22CF5FF call 00405EAE
:004B31BC BA01000000 mov edx, 00000001
:004B31C1 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B31C7 E80532F5FF call 004063D1
:004B31CC 6A00 push 00000000
:004B31CE 8D55F0 lea edx, dword ptr [ebp-10]
:004B31D1 B901000000 mov ecx, 00000001
:004B31D6 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B31DC E86F2DF5FF call 00405F50
:004B31E1 B8FF000000 mov eax, 000000FF
:004B31E6 2B45F0 sub eax, dword ptr [ebp-10]
:004B31E9 8945EC mov dword ptr [ebp-14], eax
:004B31EC 8B75EC mov esi, dword ptr [ebp-14]
:004B31EF 85F6 test esi, esi
:004B31F1 7E49 jle 004B323C
:004B31F3 C745FC01000000 mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B323A(C)
|
:004B31FA 6A00 push 00000000 //
:004B31FC 8D55F0 lea edx, dword ptr [ebp-10] .
:004B31FF B901000000 mov ecx, 00000001 .
:004B3204 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54] .
:004B320A E8412DF5FF call 00405F50 .
:004B320F B8FF000000 mov eax, 000000FF .
:004B3214 2B45F0 sub eax, dword ptr [ebp-10] .this is a loop; it appears to read the ASCII from the file
:004B3217 8945F0 mov dword ptr [ebp-10], eax .and run an encoding computation on it; I couldn't be bothered to look.
:004B321A 8D8520FDFFFF lea eax, dword ptr [ebp+FFFFFD20] .
:004B3220 8B55F0 mov edx, dword ptr [ebp-10] .
:004B3223 E8440DF5FF call 00403F6C .
:004B3228 8B9520FDFFFF mov edx, dword ptr [ebp+FFFFFD20] .
:004B322E 8D45F8 lea eax, dword ptr [ebp-08] .
:004B3231 E8160EF5FF call 0040404C .
:004B3236 FF45FC inc [ebp-04] .
:004B3239 4E dec esi .
:004B323A 75BE jne 004B31FA //
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B31F1(C)
|
:004B323C 8B75EC mov esi, dword ptr [ebp-14] //put the cursor here, press F7, and continue running downward
:004B323F 85F6 test esi, esi
:004B3241 7E40 jle 004B3283
:004B3243 C745FC01000000 mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3281(C)
|
:004B324A 6A00 push 00000000
:004B324C 8D55F0 lea edx, dword ptr [ebp-10]
:004B324F B901000000 mov ecx, 00000001
:004B3254 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B325A E8F12CF5FF call 00405F50
:004B325F 8B45F8 mov eax, dword ptr [ebp-08]
:004B3262 8B55FC mov edx, dword ptr [ebp-04]
:004B3265 8A4410FF mov al, byte ptr [eax+edx-01]
:004B3269 34FF xor al, FF
:004B326B 25FF000000 and eax, 000000FF
:004B3270 0345FC add eax, dword ptr [ebp-04]
:004B3273 3B45F0 cmp eax, dword ptr [ebp-10] //pause here: a comparison! Unfortunately the values are encoded
:004B3276 7405 je 004B327D //the jump here must be taken; there is one more place below
:004B3278 E88B09F5FF call 00403C08 //if execution reaches here the program exits
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3276(C)
|
:004B327D FF45FC inc [ebp-04]
:004B3280 4E dec esi
:004B3281 75C7 jne 004B324A //back up again.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3241(C)
|
:004B3283 6A00 push 00000000
:004B3285 8D55F0 lea edx, dword ptr [ebp-10]
:004B3288 B901000000 mov ecx, 00000001
:004B328D 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B3293 E8B82CF5FF call 00405F50
:004B3298 8B45F8 mov eax, dword ptr [ebp-08]
:004B329B E8A40DF5FF call 00404044
:004B32A0 3B45F0 cmp eax, dword ptr [ebp-10] //another comparison
:004B32A3 7405 je 004B32AA //must jump!
:004B32A5 E85E09F5FF call 00403C08 //go in here and it's all over!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B32A3(C)
|
:004B32AA 8D8554FDFFFF lea eax, dword ptr [ebp+FFFFFD54]
:004B32B0 E8632DF5FF call 00406018
:004B32B5 B8849C4D00 mov eax, 004D9C84
:004B32BA 8B55F8 mov edx, dword ptr [ebp-08]
:004B32BD E8560BF5FF call 00403E18
:004B32C2 33C0 xor eax, eax
:004B32C4 A3809C4D00 mov dword ptr [004D9C80], eax
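Change the two jumps above to Jmp and try running it: no more nag. Look at About: that annoying "Not registered" has become
"Registered to:" followed by garbage, because the ASCII in the KeyFile I created is wrong, so what is displayed here is garbage. Either way, the crack
succeeded!
This is a really good place where I can learn a lot together with everyone. Unfortunately school is about to start; I am in my third year of secondary technical school this year and about to graduate,
so I won't have as much time for cracking. How miserable! Sigh! And then there is this month's phone bill... either way I won't escape a scolding from my mother.
Appendix:
Brief notes on cracking tKC Tutor Viewer 2000 v1.7
Surely everyone here knows this program written by tKC? What? You don't?! Good grief, cough... cough.. let me catch my breath.
Then you must at least know who tKC is? This is a tutorial viewer he wrote. It is quite well made, but one thing bothers me:
on my monitor part of it is not visible, so I wanted to change the window size and localize it into Chinese, to make it even better! (Are you advertising?!)
FileInfo shows it is packed with Aspack2.11. That is easy: bring out TRW, unpack it manually, then try running it. Damn, it has a self-check! Just watch me
deal with you.
But no matter which breakpoints I used I could not catch it, so I had to resort to the most painful method: load it in TRW and trace step by step. I won't write out the details.
All you need is:
search for 84db74388d4df8
change to EB
and that's it! (Easy to say; at the time it took me a very long time!)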
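
Seen from the defender's side, the edits described above (jne changed to je at 00403CDB, je changed to jmp at 004B3276) are single-byte changes that a comparison against a known-good copy exposes immediately. The following is an added example, not part of the original articles: it diffs a reference image against a suspect one and labels inverted or neutralized short conditional jumps. Function names are hypothetical, the sample bytes are copied from the listings above, and the classification is a byte-level heuristic that does not disassemble.

```python
import hashlib

SHORT_JCC = range(0x70, 0x80)  # opcodes 70..7F: short conditional jumps (rel8)
SHORT_JMP = 0xEB               # short unconditional jump (rel8)


def classify_change(old: int, new: int) -> str:
    """Label a single changed byte. Heuristic: no instruction decoding is done."""
    # Jcc opcodes come in pairs that differ only in bit 0 (74 je / 75 jne).
    if old in SHORT_JCC and new in SHORT_JCC and (old ^ new) == 1:
        return "condition inverted"
    if old in SHORT_JCC and new == SHORT_JMP:
        return "made unconditional"
    return "other"


def diff_report(reference: bytes, suspect: bytes, base: int = 0):
    """Return (address, old, new, label) for every byte that differs."""
    if len(reference) != len(suspect):
        raise ValueError("size mismatch: image was rebuilt, not patched in place")
    return [(base + i, a, b, classify_change(a, b))
            for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]


def is_tampered(reference_sha256: str, suspect: bytes) -> bool:
    """Cheap first check: does the suspect image still match the known-good hash?"""
    return hashlib.sha256(suspect).hexdigest() != reference_sha256


def _patched(data: bytes, index: int, value: int) -> bytes:
    """Build a constructed 'suspect' sample by changing one byte."""
    out = bytearray(data)
    out[index] = value
    return bytes(out)


# Bytes at 00403CD4..00403CE0 from the first listing (call / test al,al / jne ...).
STARTUP_BASE = 0x00403CD4
REF_STARTUP = bytes.fromhex("E843220000 84C0 7541 33C9 B201")
PATCHED_STARTUP = _patched(REF_STARTUP, 7, 0x74)      # 7541 -> 7441
REF_STARTUP_SHA256 = hashlib.sha256(REF_STARTUP).hexdigest()

# Bytes at 004B3273..004B327C from the key-file check (cmp / je / call).
KEYFILE_BASE = 0x004B3273
REF_KEYFILE = bytes.fromhex("3B45F0 7405 E88B09F5FF")
PATCHED_KEYFILE = _patched(REF_KEYFILE, 3, SHORT_JMP)  # je -> jmp

if __name__ == "__main__":
    for base, ref, sus in ((STARTUP_BASE, REF_STARTUP, PATCHED_STARTUP),
                           (KEYFILE_BASE, REF_KEYFILE, PATCHED_KEYFILE)):
        for addr, old, new, label in diff_report(ref, sus, base):
            print(f"{addr:08X}: {old:02X} -> {new:02X}  {label}")
```

In practice the reference hash and image would come from the vendor's signed release rather than from the installed copy.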

[Magazine mailboxes]

Submissions: discoveredit@china.com
Q&A: discoveranswer@china.com
Moderator: programhunter@china.com