; Caller excerpt (OllyDbg dump, Mir3 client, Intel syntax, 32-bit).
; Delphi-style register calling convention: eax = 1st arg, edx = 2nd arg, ecx = 3rd arg.
; The function prologue (push ebp / mov ebp,esp) lies above this excerpt and the
; epilogue is cut off after 0050BB27, so the frame layout below is partly inferred.
; Purpose as far as visible: if the task object carries a non-zero command/ID string at
; [obj+0x80], and at most once per second, copy/transform that string and hand it to
; the dispatcher at Mir3.0051E390 together with two global objects.
0050BA9F 6A 00 push 0x0 ; two zeroed slots - presumably the string locals [ebp-4]/[ebp-8] used below (verify against the prologue)
0050BAA1 6A 00 push 0x0
0050BAA3 53 push ebx ; save callee-saved ebx (observed 028EB860)
0050BAA4 56 push esi ; save callee-saved esi (observed 101 / 12FBA0)
0050BAA5 8BF2 mov esi,edx ; esi = 2nd arg, task object pointer (observed 00C10F60)
0050BAA7 8BD8 mov ebx,eax ; ebx = 1st arg (observed 02DEB5E0)
0050BAA9 33C0 xor eax,eax ; eax = 0 so fs:[eax] below is fs:[0], the SEH chain head
0050BAAB 55 push ebp ; saved frame pointer for the handler (observed 12FB8C)
0050BAAC 68 3EBB5000 push Mir3.0050BB3E ; handler address - Delphi-style try/finally frame
0050BAB1 64:FF30 push dword ptr fs:[eax] ; link previous SEH record
0050BAB4 64:8920 mov dword ptr fs:[eax],esp ; install this record as chain head (observed 01D72F10 / 12FDF4)
0050BAB7 8B06 mov eax,dword ptr ds:[esi] ; eax = *esi (esi=00C10F60 -> 12FBA0); NOTE: eax is not checked for NULL before the next deref
0050BAB9 83B8 80000000 0>cmp dword ptr ds:[eax+0x80],0x0 ; [eax+0x80] = task ID / command string (c10f60+80 = 2b6dd40)
0050BAC0 74 61 je XMir3.0050BB23 ; nothing to dispatch -> skip straight to the epilogue
0050BAC2 8B5B 0C mov ebx,dword ptr ds:[ebx+0xC] ; ebx = object at [ebx+0xC] (02DEB5E0+C -> 1D69530), holds the throttle timestamp
0050BAC5 E8 52BDEFFF call Mir3.0040781C ; thunk to kernel32.GetTickCount (per poster's annotation); eax = now, in ms
0050BACA 8B93 F8000000 mov edx,dword ptr ds:[ebx+0xF8] ; edx = tick of the last dispatch (0 = never)
0050BAD0 85D2 test edx,edx
0050BAD2 74 0C je XMir3.0050BAE0 ; first dispatch: no throttle
0050BAD4 8BC8 mov ecx,eax
0050BAD6 2BCA sub ecx,edx ; elapsed = now - last (unsigned, survives tick wrap-around)
0050BAD8 81F9 E8030000 cmp ecx,0x3E8 ; 0x3E8 = 1000 ms
0050BADE 76 43 jbe XMir3.0050BB23 ; elapsed <= 1 s -> rate-limited, skip (unsigned compare, as it should be for a duration)
0050BAE0 8983 F8000000 mov dword ptr ds:[ebx+0xF8],eax ; last = now (19F818B8 = 01D69530+F8)
0050BAE6 8D45 FC lea eax,dword ptr ss:[ebp-0x4] ; eax = &local string [ebp-4]
0050BAE9 8B16 mov edx,dword ptr ds:[esi]
0050BAEB 8B92 80000000 mov edx,dword ptr ds:[edx+0x80] ; edx = the option/task ID string (c114b0+80) - same field tested above
0050BAF1 E8 B295EFFF call Mir3.004050A8 ; string-assign helper (presumably the RTL LStrAsg): [ebp-4] := edx
0050BAF6 8D55 F8 lea edx,dword ptr ss:[ebp-0x8] ; edx = &result string [ebp-8]
0050BAF9 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0050BAFC E8 6F24F0FF call Mir3.0040DF70 ; [ebp-8] := f([ebp-4]); the transform is not visible here (Trim-like? verify)
0050BB01 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
0050BB04 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0050BB07 E8 9C95EFFF call Mir3.004050A8 ; [ebp-4] := [ebp-8] (same assign helper)
0050BB0C 8B15 F0325800 mov edx,dword ptr ds:[0x5832F0] ; edx = global pointer (Mir3.005A07D0)
0050BB12 8B12 mov edx,dword ptr ds:[edx] ; edx = *global (5A07D0) -> 2nd arg of 0051E390
0050BB14 A1 24365800 mov eax,dword ptr ds:[0x583624] ; eax = another global pointer
0050BB19 8B00 mov eax,dword ptr ds:[eax] ; eax = *global (CA6E90) -> 1st arg of 0051E390
0050BB1B 8B4D FC mov ecx,dword ptr ss:[ebp-0x4];ecx = the "@_..." command string -> 3rd arg. It is a Delphi AnsiString (length dword at [ptr-4], see the callee), not a raw C string
0050BB1E E8 6D280100 call Mir3.0051E390 ; dispatch(eax=obj1, edx=obj2, ecx=str) - callee listed below
0050BB23 33C0 xor eax,eax ; common exit: start of the SEH frame teardown
0050BB25 5A pop edx ; previous SEH record (written back to fs:[0] in code past this excerpt)
0050BB26 59 pop ecx
0050BB27 59 pop ecx ; listing cut here - the rest of the epilogue is not shown
被调用的 CALL（Mir3.0051E390）
; Mir3.0051E390 - command-string dispatcher (OllyDbg dump, Intel syntax, 32-bit).
; Delphi-style register args: eax = obj1, edx = obj2, ecx = command string (AnsiString:
; the dword at [ptr-4] is the length, as the inline Length() below relies on).
; Visible behaviour: bail out if Length < 2; otherwise compare a prefix of the string
; against known commands ("@_automove", "@_url", ...) and call the matching handler with
; the remainder of the string. The function continues past 0051E44D (cut off here).
0051E390 55 push ebp ; (poster's observation: esp+20=2)
0051E391 8BEC mov ebp,esp ; frame pointer (esp-4 -> ebp = 12FB68)
0051E393 51 push ecx ; [ebp-4] = the string arg (poster: option ID @task105)
0051E394 B9 06000000 mov ecx,0x6 ; 6 iterations x 2 pushes = 12 zeroed dwords of locals, [ebp-8]..[ebp-0x34]
0051E399 6A 00 push 0x0 ; string locals must start as nil so the finally-handler can release them safely
0051E39B 6A 00 push 0x0
0051E39D 49 dec ecx
0051E39E ^ 75 F9 jnz XMir3.0051E399
0051E3A0 874D FC xchg dword ptr ss:[ebp-0x4],ecx ; ecx is 0 after the loop: [ebp-4] := 0, ecx := the string arg again
0051E3A3 53 push ebx ; save ebx (observed 1D68530) at [ebp-0x38]
0051E3A4 56 push esi ; save esi (observed C10F60, the task base) at [ebp-0x3C]
0051E3A5 894D FC mov dword ptr ss:[ebp-0x4],ecx ; [ebp-4] = string arg, now treated as an initialised string local
0051E3A8 8BDA mov ebx,edx ; ebx = obj2 (observed 038268F0)
0051E3AA 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0051E3AD E8 DE70EEFF call Mir3.00405490 ; string helper on the arg - presumably the RTL AddRef, i.e. it touches the header before the data (confirm)
0051E3B2 33C0 xor eax,eax ; eax = 0 -> fs:[0]
0051E3B4 55 push ebp ; saved frame pointer for the handler (observed 12FB68)
0051E3B5 68 F1E55100 push Mir3.0051E5F1 ; handler address
0051E3BA 64:FF30 push dword ptr fs:[eax] ; link previous SEH record
0051E3BD 64:8920 mov dword ptr fs:[eax],esp ; install this record as chain head
0051E3C0 8B75 FC mov esi,dword ptr ss:[ebp-0x4] ; esi = string
0051E3C3 8BC6 mov eax,esi
0051E3C5 85C0 test eax,eax
0051E3C7 74 05 je XMir3.0051E3CE ; nil string -> Length = 0
0051E3C9 83E8 04 sub eax,0x4
0051E3CC 8B00 mov eax,dword ptr ds:[eax] ; eax = Length(s): the dword stored 4 bytes before the data
0051E3CE 83F8 02 cmp eax,0x2
0051E3D1 0F8C CB010000 jl Mir3.0051E5A2 ; Length < 2 -> bail out. A plain C-string pointer here reads whatever precedes the buffer as the length
0051E3D7 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
0051E3DA 50 push eax ; result -> [ebp-0x20]
0051E3DB B9 0A000000 mov ecx,0xA ; count = 10
0051E3E0 BA 01000000 mov edx,0x1 ; start = 1
0051E3E5 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0051E3E8 E8 1B71EEFF call Mir3.00405508 ; [ebp-0x20] := Copy(s, 1, 10) - consistent with the 10-char literal compared next
0051E3ED 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
0051E3F0 BA 08E65100 mov edx,Mir3.0051E608 ; ASCII "@_automove"
0051E3F5 E8 1AFBEEFF call Mir3.0040DF14 ; string compare helper, boolean result in al
0051E3FA 84C0 test al,al
0051E3FC 74 31 je XMir3.0051E42F ; al == 0 (presumably "not equal") -> try the next prefix
0051E3FE 8BDE mov ebx,esi
0051E400 85DB test ebx,ebx
0051E402 74 05 je XMir3.0051E409
0051E404 83EB 04 sub ebx,0x4
0051E407 8B1B mov ebx,dword ptr ds:[ebx] ; ebx = Length(s) (same inline pattern as above)
0051E409 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
0051E40C 50 push eax ; result -> [ebp-0x24]
0051E40D 8BCB mov ecx,ebx
0051E40F 83E9 0A sub ecx,0xA
0051E412 83E9 02 sub ecx,0x2 ; count = Length - 12
0051E415 BA 0C000000 mov edx,0xC ; start = 12: skips the 10-char prefix plus one separator char; the count stops one char short of the end
0051E41A 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0051E41D E8 E670EEFF call Mir3.00405508 ; [ebp-0x24] := Copy(s, 12, Length-12) - the payload after "@_automove"
0051E422 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
0051E425 E8 6AFDFFFF call Mir3.0051E194 ; automove handler(eax = payload)
0051E42A E9 9A010000 jmp Mir3.0051E5C9 ; done -> common exit
0051E42F 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0051E432 50 push eax ; result -> [ebp-0x28]
0051E433 B9 05000000 mov ecx,0x5 ; count = 5
0051E438 BA 01000000 mov edx,0x1 ; start = 1
0051E43D 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
0051E440 E8 C370EEFF call Mir3.00405508 ; [ebp-0x28] := Copy(s, 1, 5)
0051E445 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
0051E448 BA 1CE65100 mov edx,Mir3.0051E61C ; ASCII "@_url"
0051E44D E8 C2FAEEFF call Mir3.0040DF14 ; compare with "@_url"; the branch on al and the remaining prefixes are cut off here
我在这里用 CE 给字符串指定了一个地址，代码如下：
; Poster's CE-injected call of Mir3.0051E390, annotated against the original call site above.
; The original site first executes mov edx,dword ptr ds:[0x5832F0]; that load is missing here,
; so edx is dereferenced with whatever it held at the injection point (unless it was omitted from the paste).
mov edx,dword ptr ds:[edx] ; 5A07D0 - only valid if edx already holds [0x5832F0]
mov eax,dword ptr ds:[0x583624]
mov eax,dword ptr ds:[eax] ; CA6E90 - obj1, as in the original
; The original reads the string from its own stack frame. In a code cave ebp is the hooked
; function's frame, so [ebp-4] is not the CE-assigned string; load that address directly.
; The callee treats ecx as a Delphi AnsiString: it reads the length dword at [addr-4] and bails
; out when it is < 2, so a bare text buffer without that header silently does nothing (and
; Mir3.00405490 presumably touches the header as well - confirm before relying on it).
mov ecx,dword ptr ss:[ebp-0x4];the original comment: "this is the string CALL address"
; Also: 0051E390 only acts on strings whose prefix matches a known command ("@_automove", "@_url", ...);
; an unrecognised prefix reaches no handler and produces no visible effect.
call 0051E390
xor eax,eax
这段 CALL 还是没反应，请大家帮忙分析一下，谢谢。