韩国奇迹1.04 main跳NP去弹网页汇编
第一处
OD查找二进制字串83C40425FF00000085C0755568
00602712 . FF15 78347C00 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
00602718 > E8 73F9FFFF call 00602090
0060271D . 85C0 test eax, eax
0060271F . 75 20 jnz short 00602741
00602721 . C785 48F2FFFF>mov dword ptr [ebp-DB8], 0
0060272B . 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
00602731 . E8 0A180000 call 00603F40
00602736 . 8B85 48F2FFFF mov eax, dword ptr [ebp-DB8]
0060273C . E9 FA160000 jmp 00603E3B
00602741 > 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
00602747 . 51 push ecx
00602748 . E8 A35B1700 call 007782F0
0060274D . 83C4 04 add esp, 4
00602750 . 25 FF000000 and eax, 0FF
00602755 . 85C0 test eax, eax
00602757 . 75 55 jnz short 006027AE //这里无条件给它跳了改75=EB
00602757 . EB 55 jmp short 006027AE
00602759 . 68 ECFF7F00 push 007FFFEC ; /Arg2 = 007FFFEC
0060275E . 68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
00602763 . E8 49DF0B00 call 006C06B1 ; \main1_04.006C06B1
00602768 . 83C4 08 add esp, 8
0060276B . 68 FCF97F00 push 007FF9FC ; ASCII "mu.exe"
00602770 . 8D95 14FEFFFF lea edx, dword ptr [ebp-1EC]
00602776 . 52 push edx
00602777 . E8 84BD1900 call 0079E500
0060277C . 83C4 08 add esp, 8
0060277F . 6A 05 push 5 ; /ShowState = SW_SHOW
00602781 . 8D85 14FEFFFF lea eax, dword ptr [ebp-1EC] ; |
00602787 . 50 push eax ; |CmdLine
00602788 . FF15 B0317C00 call dword ptr [<&KERNEL32.WinExec>] ; \WinExec
0060278E . C785 44F2FFFF>mov dword ptr [ebp-DBC], 0
00602798 . 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
0060279E . E8 9D170000 call 00603F40
第二处到第八处
OD查找二进制字串85C0753268
00602A08 |. /E9 2E140000 jmp 00603E3B
00602A0D |> |68 6C008000 push 0080006C ; ASCII "Data\Enc1.dat"
00602A12 |. |B9 6864F807 mov ecx, 07F86468
00602A17 |. |E8 A4111800 call 00783BC0
00602A1C |. |68 7C008000 push 0080007C ; ASCII "Data\Dec2.dat"
00602A21 |. |B9 B064F807 mov ecx, 07F864B0
00602A26 |. |E8 D5111800 call 00783C00
00602A2B |. |68 8C008000 push 0080008C ; /Arg2 = 0080008C ASCII "> To read config.ini.",CR,LF,""
00602A30 |. |68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
00602A35 |. |E8 77DC0B00 call 006C06B1 ; \main104.006C06B1
00602A3A |. |83C4 08 add esp, 8
00602A3D |. |E8 96EEFFFF call 006018D8
00602A42 |. |85C0 test eax, eax
00602A44 |. |75 32 jnz short 00602A78 //这里给它灭了,无条件过了它 75=EB
00602A44 |. |EB 32 jmp short 00602A78
00602A46 |. |68 A4008000 push 008000A4 ; /Arg2 = 008000A4 ASCII "config.ini read error",CR,LF,""
00602A4B |. |68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
00602A50 |. |E8 5CDC0B00 call 006C06B1 ; \main104.006C06B1
00602A55 |. |83C4 08 add esp, 8
00602A58 |. |C785 3CF2FFFF>mov dword ptr [ebp-DC4], 0
00602A62 |. |8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
00602A68 |. |E8 D3140000 call 00603F40
00602A6D |. |8B85 3CF2FFFF mov eax, dword ptr [ebp-DC4]
00602A73 |. |E9 C3130000 jmp 00603E3B
00602A78 |> |6A 01 push 1
00602A7A |. |E8 1BB61900 call 0079E09A
00602A7F |. |83C4 04 add esp, 4
00602A82 |. |8985 34F2FFFF mov dword ptr [ebp-DCC], eax
00602A88 |. |83BD 34F2FFFF>cmp dword ptr [ebp-DCC], 0
00602A8F |. |74 19 je short 00602AAA //这里给它灭了,无条件过了它 74=EB
00602A8F |. |74 19 jmp short 00602AAA
00602A91 |. A1 F8F97F00 mov eax, dword ptr [7FF9F8]
00602A96 |. 50 push eax ; /Arg1 => 007FFA10 ASCII "Mu"
00602A97 |. 8B8D 34F2FFFF mov ecx, dword ptr [ebp-DCC] ; |
00602A9D |. E8 3E200000 call 00604AE0 ; \main104.00604AE0
00602AA2 |. 8985 68F1FFFF mov dword ptr [ebp-E98], eax
00602AA8 |. EB 0A jmp short 00602AB4
00602AAA |> C785 68F1FFFF>mov dword ptr [ebp-E98], 0
00602AB4 |> 8B8D 68F1FFFF mov ecx, dword ptr [ebp-E98]
00602ABA |. 898D 38F2FFFF mov dword ptr [ebp-DC8], ecx
00602AC0 |. 8B95 38F2FFFF mov edx, dword ptr [ebp-DC8]
00602AC6 |. 8915 28E8F707 mov dword ptr [7F7E828], edx
00602ACC |. E8 1FBA0B00 call 006BE4F0
00602AD1 |. 25 FF000000 and eax, 0FF
00602AD6 |. 85C0 test eax, eax
00602AD8 |. /0F85 89000000 jnz 00602B67 //干掉它让它跳过去00602B67改成
00602AD8 . /E9 8A000000 jmp 00602B67
00602ADD |90 nop //多了字节nop了它
00602ADE |. |68 BC008000 push 008000BC ; /Arg2 = 008000BC ASCII "gg init error",CR,LF,""
00602AE3 |. |68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
00602AE8 |. |E8 C4DB0B00 call 006C06B1 ; \main104.006C06B1
00602AED |. |83C4 08 add esp, 8
00602AF0 |. |E8 AFCFFFFF call 005FFAA4
00602AF5 |. |833D 28E8F707>cmp dword ptr [7F7E828], 0
00602AFC |. |74 49 je short 00602B47
00602AFE |. |A1 28E8F707 mov eax, dword ptr [7F7E828]
00602B03 |. |8985 2CF2FFFF mov dword ptr [ebp-DD4], eax
00602B09 |. |8B8D 2CF2FFFF mov ecx, dword ptr [ebp-DD4]
00602B0F |. |898D 30F2FFFF mov dword ptr [ebp-DD0], ecx
00602B15 |. |83BD 30F2FFFF>cmp dword ptr [ebp-DD0], 0
00602B1C |. |74 15 je short 00602B33
00602B1E |. |6A 01 push 1 ; /Arg1 = 00000001
00602B20 |. |8B8D 30F2FFFF mov ecx, dword ptr [ebp-DD0] ; |
00602B26 |. |E8 C5130000 call 00603EF0 ; \main104.00603EF0
00602B2B |. |8985 64F1FFFF mov dword ptr [ebp-E9C], eax
00602B31 |. |EB 0A jmp short 00602B3D
00602B33 |> |C785 64F1FFFF>mov dword ptr [ebp-E9C], 0
00602B3D |> |C705 28E8F707>mov dword ptr [7F7E828], 0
00602B47 |> |C785 28F2FFFF>mov dword ptr [ebp-DD8], 0
00602B51 |. |8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
00602B57 |. |E8 E4130000 call 00603F40
00602B5C |. |8B85 28F2FFFF mov eax, dword ptr [ebp-DD8]
00602B62 |. |E9 D4120000 jmp 00603E3B
00602B67 |> \68 CC008000 push 008000CC ; /Arg2 = 008000CC ASCII "> gg init success.",CR,LF,""
00602B6C |. 68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
00602B71 |. E8 3BDB0B00 call 006C06B1 ; \main104.006C06B1
00602B76 |. 83C4 08 add esp, 8
00602B79 |. B9 10E4F707 mov ecx, 07F7E410
00602B7E |. E8 BCDD0B00 call 006C093F
第九处
OD查找二进制字串83C40484DB7447B9
0062E2B6 |. /74 1C je short 0062E2D4
0062E2B8 |. |8A48 FF mov cl, byte ptr [eax-1]
0062E2BB |. |48 dec eax
0062E2BC |. |84C9 test cl, cl
0062E2BE |. |74 0B je short 0062E2CB
0062E2C0 |. |80F9 FF cmp cl, 0FF
0062E2C3 |. |74 06 je short 0062E2CB
0062E2C5 |. |FEC9 dec cl
0062E2C7 |. |8808 mov byte ptr [eax], cl
0062E2C9 |. |EB 09 jmp short 0062E2D4
0062E2CB |> |50 push eax
0062E2CC |. |E8 CF131600 call 0078F6A0
0062E2D1 |. |83C4 04 add esp, 4
0062E2D4 |> \84DB test bl, bl
0062E2D6 |. 74 47 je short 0062E31F //这里给它干掉跳了它74=EB
0062E2D6 . /EB 47 jmp short 0062E31F
0062E2D8 |. B9 E022F807 mov ecx, 07F822E0
0062E2DD |. E8 2E110300 call 0065F410
0062E2E2 |. 8D9424 8C0900>lea edx, dword ptr [esp+98C]
0062E2E9 |. 52 push edx ; /Arg3
0062E2EA |. 68 64108000 push 00801064 ; |Arg2 = 00801064 ASCII "> ResourceGuard Error!!(%s)",CR,LF,""
0062E2EF |. 68 10E4F707 push 07F7E410 ; |Arg1 = 07F7E410
0062E2F4 |. E8 B8230900 call 006C06B1 ; \main104.006C06B1
0062E2F9 |. 83C4 0C add esp, 0C
0062E2FC |. 8D4C24 54 lea ecx, dword ptr [esp+54]
0062E300 |. C74424 4C 585>mov dword ptr [esp+4C], 007C5D58
0062E308 |. C78424 981B00>mov dword ptr [esp+1B98], -1
0062E313 |. E8 E8D91400 call 0077BD00
0062E318 |. 33C0 xor eax, eax
0062E31A |. E9 C5020000 jmp 0062E5E4
0062E31F |> 8B0D 18E8F707 mov ecx, dword ptr [7F7E818]
0062E325 |. E8 72B3E2FF call 0045969C
0062E32A |. 8D4424 38 lea eax, dword ptr [esp+38]
0062E32E |. 8D4C24 30 lea ecx, dword ptr [esp+30]