分类: WINDOWS

2009-10-07 11:45:59

对星际setup.exe进行逆向,没有复杂算法,没有复杂结构体和类.非常简单.
直接从main开始:

;-----------------------------------------------------------------------
; 00401000: entry point, WinMain-style (stdcall, four dword args -> retn 10)
;   [ebp+8]   = hInstance          [ebp+14]  = nCmdShow
;   [ebp-4]   = hWnd               [ebp-104] = 0x100-byte message text buffer
;   [ebp-204] = 0x100-byte current-directory buffer (0xFF requested)
;   [ebp-208] = result of 0040137E [ebp-20C] = probe file handle
;   [ebp-228] = MSG for the message loop ([ebp-220] = msg.wParam)
; Returns eax = 0 on every early exit, msg.wParam after the loop.
;-----------------------------------------------------------------------
00401000 /$ 55 push ebp
00401001 |. 8BEC mov ebp, esp
00401003 |. 81EC 28020000 sub esp, 228 ; 0x228 bytes of locals (layout in the header above)
00401009 |. 6A 00 push 0 ; /Title = NULL
0040100B |. A1 30604000 mov eax, dword ptr [406030] ; |
00401010 |. 50 push eax ; |Class => "RZR1911REGSETUP"
00401011 |. FF15 F0504000 call dword ptr [<&USER32.FindWindowA>>; \FindWindowA
00401017 |. 8945 FC mov dword ptr [ebp-4], eax
0040101A |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; any window of class RZR1911REGSETUP already open? (single-instance check by class name only)
0040101E |. 74 2B je short 0040104B ; NULL = not running yet -> 0040104B; otherwise fall through
---------------------------------------------------------------------; an instance is already running: bring its window forward and exit
00401020 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00401023 |. 51 push ecx ; /hWnd
00401024 |. FF15 F4504000 call dword ptr [<&USER32.IsIconic>] ; \IsIconic
0040102A |. 85C0 test eax, eax ; is the existing window minimized?
0040102C |. 74 0C je short 0040103A
0040102E |. 6A 09 push 9 ; /ShowState = SW_RESTORE
00401030 |. 8B55 FC mov edx, dword ptr [ebp-4] ; |
00401033 |. 52 push edx ; |hWnd
00401034 |. FF15 F8504000 call dword ptr [<&USER32.ShowWindow>] ; \ShowWindow restore the minimized window
0040103A |> 8B45 FC mov eax, dword ptr [ebp-4]
0040103D |. 50 push eax ; /hWnd
0040103E |. FF15 FC504000 call dword ptr [<&USER32.SetForegroun>; \SetForegroundWindow bring it to the foreground
00401044 |. 33C0 xor eax, eax ; return 0
00401046 |. E9 41010000 jmp 0040118C ; exit the program
---------------------------------------------------------------------; check that setup.exe is being run from the game directory
0040104B |> 6A 00 push 0 ; /hTemplateFile = NULL
0040104D |. 68 80000000 push 80 ; |Attributes = NORMAL
00401052 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401054 |. 6A 00 push 0 ; |pSecurity = NULL
00401056 |. 6A 00 push 0 ; |ShareMode = 0
00401058 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040105D |. 8B0D 38604000 mov ecx, dword ptr [406038] ; |setup.00406078
00401063 |. 51 push ecx ; |FileName => "STARCRAFT.EXE"
00401064 |. FF15 10504000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
0040106A |. 8985 F4FDFFFF mov dword ptr [ebp-20C], eax ; open STARCRAFT.EXE (relative name, so it must be in the current directory)
00401070 |. 83BD F4FDFFFF>cmp dword ptr [ebp-20C], -1 ; INVALID_HANDLE_VALUE: file not found, i.e. not in the game directory
00401077 |. 75 39 jnz short 004010B2 ; opened OK -> continue; otherwise show the error box below
00401079 |. 8B15 3C604000 mov edx, dword ptr [40603C] ; setup.00406088
0040107F |. 52 push edx ; /<%s> => "Starcraft: Brood War"
00401080 |. 68 34614000 push 00406134 ; |Format = "You must run SETUP from the directory where",LF,"%s has been installed."
00401085 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
0040108B |. 50 push eax ; |s
0040108C |. FF15 00514000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA fixed format + fixed argument, fits in the 0x100-byte buffer
00401092 |. 83C4 0C add esp, 0C ; wsprintfA is cdecl: caller pops the 3 args
00401095 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401097 |. 68 78614000 push 00406178 ; |Title = "RAZOR 1911 Registry Setup"
0040109C |. 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104] ; |
004010A2 |. 51 push ecx ; |Text
004010A3 |. 6A 00 push 0 ; |hOwner = NULL
004010A5 |. FF15 04514000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
004010AB |. 33C0 xor eax, eax ; error box shown; return 0
004010AD |. E9 DA000000 jmp 0040118C ; exit the program
004010B2 |> 8B95 F4FDFFFF mov edx, dword ptr [ebp-20C]
004010B8 |. 52 push edx ; /hObject
004010B9 |. FF15 14504000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle close the probe handle
---------------------------------------------------------------------; register the window class, create the window, write the registry
004010BF |. 6A 65 push 65 ; resource id 0x65 (icon/menu id consumed by 00401192)
004010C1 |. 8B45 08 mov eax, dword ptr [ebp+8]
004010C4 |. 50 push eax ; hInstance
004010C5 |. E8 C8000000 call 00401192 ; load resources and register the window class (cdecl)
004010CA |. 83C4 08 add esp, 8
004010CD |. 85C0 test eax, eax ; ATOM == 0 -> RegisterClassExA failed
004010CF |. 75 07 jnz short 004010D8
004010D1 |. 33C0 xor eax, eax
004010D3 |. E9 B4000000 jmp 0040118C ; exit with 0
004010D8 |> 8B4D 14 mov ecx, dword ptr [ebp+14]
004010DB |. 51 push ecx ; nCmdShow (passed, but 00401246 never reads it)
004010DC |. 8B55 08 mov edx, dword ptr [ebp+8]
004010DF |. 52 push edx ; hInstance
004010E0 |. E8 61010000 call 00401246 ; create the main window (never shown: no WS_VISIBLE, no ShowWindow here)
004010E5 |. 83C4 08 add esp, 8
004010E8 |. 8945 FC mov dword ptr [ebp-4], eax
004010EB |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; CreateWindowExA returned NULL?
004010EF |. 75 07 jnz short 004010F8
004010F1 |. 33C0 xor eax, eax
004010F3 |. E9 94000000 jmp 0040118C ; exit with 0
004010F8 |> 8D85 FCFDFFFF lea eax, dword ptr [ebp-204]
004010FE |. 50 push eax ; /Buffer
004010FF |. 68 FF000000 push 0FF ; |BufSize = FF (255.)
00401104 |. FF15 80504000 call dword ptr [<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA return value is not checked; the buffer is used regardless
0040110A |. 8D8D FCFDFFFF lea ecx, dword ptr [ebp-204]
00401110 |. 51 push ecx ; current directory = install path
00401111 |. 8B55 FC mov edx, dword ptr [ebp-4]
00401114 |. 52 push edx ; hWnd
00401115 |. E8 64020000 call 0040137E ; write the registry entries (under HKLM) for this path
0040111A |. 83C4 08 add esp, 8
0040111D |. 8985 F8FDFFFF mov dword ptr [ebp-208], eax
00401123 |. 83BD F8FDFFFF>cmp dword ptr [ebp-208], 1 ; 1 = success; any other value silently skips the success box (no error reported)
0040112A |. 75 14 jnz short 00401140
0040112C |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040112E |. 68 94614000 push 00406194 ; |Title = "RAZOR 1911 Registry Setup"
00401133 |. 68 B0614000 push 004061B0 ; |Text = "Registry setup has been successfully completed!"
00401138 |. 6A 00 push 0 ; |hOwner = NULL
0040113A |. FF15 04514000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA registry written: show the success box
00401140 |> 6A 00 push 0 ; /lParam = 0
00401142 |. 6A 00 push 0 ; |wParam = 0
00401144 |. 68 41E10000 push 0E141 ; |Message = MSG(E141)
00401149 |. 8B45 FC mov eax, dword ptr [ebp-4] ; |
0040114C |. 50 push eax ; |hWnd
0040114D |. FF15 C8504000 call dword ptr [<&USER32.PostMessageA>; \PostMessageA queue the app-defined 0E141 message (WndProc destroys the window on it)
---------------------------------------------------------------------; message loop, runs until GetMessageA returns 0
00401153 |> 6A 00 /push 0 ; /MsgFilterMax = 0
00401155 |. 6A 00 |push 0 ; |MsgFilterMin = 0
00401157 |. 6A 00 |push 0 ; |hWnd = NULL
00401159 |. 8D8D D8FDFFFF |lea ecx, dword ptr [ebp-228] ; |
0040115F |. 51 |push ecx ; |pMsg
00401160 |. FF15 C4504000 |call dword ptr [<&USER32.GetMessageA>; \GetMessageA
00401166 |. 85C0 |test eax, eax ; only 0 (WM_QUIT) leaves the loop; a -1 error return is treated like a message
00401168 |. 74 1C |je short 00401186
0040116A |. 8D95 D8FDFFFF |lea edx, dword ptr [ebp-228]
00401170 |. 52 |push edx ; /pMsg
00401171 |. FF15 C0504000 |call dword ptr [<&USER32.TranslateMe>; \TranslateMessage
00401177 |. 8D85 D8FDFFFF |lea eax, dword ptr [ebp-228]
0040117D |. 50 |push eax ; /pMsg
0040117E |. FF15 BC504000 |call dword ptr [<&USER32.DispatchMes>; \DispatchMessageA
00401184 |.^ EB CD \jmp short 00401153
---------------------------------------------------------------------; end of main: tear down the frame
00401186 |> 8B85 E0FDFFFF mov eax, dword ptr [ebp-220] ; return msg.wParam (the WM_QUIT exit code)
0040118C |> 8BE5 mov esp, ebp ; common exit; eax already holds the return value
0040118E |. 5D pop ebp
0040118F \. C2 1000 retn 10 ; stdcall: pops the four dword args

看一下
004010C5  call    00401192
004010E0  call    00401246
00401115  call    0040137E
这三个函数具体做了些什么
004010C5  call    00401192 函数:

;-----------------------------------------------------------------------
; 00401192: ATOM register_class(HINSTANCE hInst, int resId)   (cdecl)
;   [ebp+8]  = hInstance, [ebp+C] = resource id (main passes 0x65)
;   [ebp-30] = WNDCLASSEXA (0x30 bytes), filled field by field below
; None of the LoadIcon/LoadCursor/LoadImage results are checked; a NULL
; handle is stored in the struct as-is.
; Returns eax = ATOM (0 on failure); main tests it.
;-----------------------------------------------------------------------
00401192 /$ 55 push ebp
00401193 |. 8BEC mov ebp, esp
00401195 |. 83EC 30 sub esp, 30 ; WNDCLASSEXA at [ebp-30]; its fields are set below
00401198 |. C745 D0 30000>mov dword ptr [ebp-30], 30 ; /cbSize = sizeof(WNDCLASSEXA)
0040119F |. C745 D4 0B000>mov dword ptr [ebp-2C], 0B ; |style = CS_VREDRAW|CS_HREDRAW|CS_DBLCLKS
004011A6 |. C745 D8 91124>mov dword ptr [ebp-28], 00401291 ; |lpfnWndProc = the window procedure analysed below
004011AD |. C745 DC 00000>mov dword ptr [ebp-24], 0 ; |cbClsExtra
004011B4 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; |cbWndExtra
004011BB |. 8B45 08 mov eax, dword ptr [ebp+8]
004011BE |. 8945 E4 mov dword ptr [ebp-1C], eax ; |hInstance
004011C1 |. 8B4D 0C mov ecx, dword ptr [ebp+C]
004011C4 |. 81E1 FFFF0000 and ecx, 0FFFF ; MAKEINTRESOURCE(LOWORD(resId))
004011CA |. 51 push ecx ; /RsrcName
004011CB |. 8B55 08 mov edx, dword ptr [ebp+8] ; |
004011CE |. 52 push edx ; |hInst
004011CF |. FF15 DC504000 call dword ptr [<&USER32.LoadIconA>] ; \LoadIconA load the icon resource
004011D5 |. 8945 E8 mov dword ptr [ebp-18], eax ; |hIcon
004011D8 |. 68 007F0000 push 7F00 ; /RsrcName = IDC_ARROW
004011DD |. 6A 00 push 0 ; |hInst = NULL
004011DF |. FF15 E0504000 call dword ptr [<&USER32.LoadCursorA>>; \LoadCursorA load the system arrow cursor
004011E5 |. 8945 EC mov dword ptr [ebp-14], eax ; |hCursor
004011E8 |. C745 F0 06000>mov dword ptr [ebp-10], 6 ; |hbrBackground = COLOR_WINDOW+1
004011EF |. 8B45 0C mov eax, dword ptr [ebp+C]
004011F2 |. 25 FFFF0000 and eax, 0FFFF
004011F7 |. 8945 F4 mov dword ptr [ebp-C], eax ; |lpszMenuName = MAKEINTRESOURCE(LOWORD(resId))
004011FA |. 8B0D 30604000 mov ecx, dword ptr [406030] ; setup.0040604C
00401200 |. 894D F8 mov dword ptr [ebp-8], ecx ; | lpszClassName = "RZR1911REGSETUP" (the class name main's FindWindowA single-instance check looks for)
00401203 |. 68 00800000 push 8000 ; /Options = LR_SHARED
00401208 |. 6A 32 push 32 ; |/Index = SM_CYSMICON
0040120A |. FF15 E4504000 call dword ptr [<&USER32.GetSystemMet>; |\GetSystemMetrics
00401210 |. 50 push eax ; |Height
00401211 |. 6A 31 push 31 ; |/Index = SM_CXSMICON
00401213 |. FF15 E4504000 call dword ptr [<&USER32.GetSystemMet>; |\GetSystemMetrics
00401219 |. 50 push eax ; |Width
0040121A |. 6A 01 push 1 ; |Type = IMAGE_ICON
0040121C |. 8B55 0C mov edx, dword ptr [ebp+C] ; |
0040121F |. 81E2 FFFF0000 and edx, 0FFFF ; |
00401225 |. 52 push edx ; |ResourceName
00401226 |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
00401229 |. 50 push eax ; |hInst
0040122A |. FF15 E8504000 call dword ptr [<&USER32.LoadImageA>] ; \LoadImageA load the same icon at the system small-icon size
00401230 |. 8945 FC mov dword ptr [ebp-4], eax ; |hIconSm
00401233 |. 8D4D D0 lea ecx, dword ptr [ebp-30]
00401236 |. 51 push ecx ; /pWndClassEx
00401237 |. FF15 EC504000 call dword ptr [<&USER32.RegisterClas>; \RegisterClassExA
0040123D |. 25 FFFF0000 and eax, 0FFFF ; register the class; keep only the 16-bit ATOM (0 = failure)
00401242 |. 8BE5 mov esp, ebp
00401244 |. 5D pop ebp
00401245 \. C3 retn ; cdecl: the caller removes the two args


004010E0  call    00401246 函数:

;-----------------------------------------------------------------------
; 00401246: HWND create_main_window(HINSTANCE hInst, int unused)   (cdecl)
;   [ebp+8] = hInstance; the second arg (main passes nCmdShow) is never read
;   [ebp-4] = HWND
; Returns eax = HWND, or 0 if CreateWindowExA failed.
;-----------------------------------------------------------------------
00401246 /$ 55 push ebp ; very simple: creates one window and nothing else
00401247 |. 8BEC mov ebp, esp ; the style lacks WS_VISIBLE and main never calls ShowWindow on it, so the window stays hidden
00401249 |. 51 push ecx ; reserve one dword local ([ebp-4])
0040124A |. 6A 00 push 0 ; /lParam = NULL
0040124C |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0040124F |. 50 push eax ; |hInst
00401250 |. 6A 00 push 0 ; |hMenu = NULL
00401252 |. 6A 00 push 0 ; |hParent = NULL
00401254 |. 6A 00 push 0 ; |Height = 0
00401256 |. 68 00000080 push 80000000 ; |Width = 80000000 (-2147483648.) = CW_USEDEFAULT
0040125B |. 6A 00 push 0 ; |Y = 0
0040125D |. 68 00000080 push 80000000 ; |X = 80000000 (-2147483648.) = CW_USEDEFAULT
00401262 |. 68 0000CF00 push 0CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION (= WS_OVERLAPPEDWINDOW, no WS_VISIBLE)
00401267 |. 8B0D 34604000 mov ecx, dword ptr [406034] ; |setup.0040605C
0040126D |. 51 push ecx ; |WindowName => "RAZOR 1911 Registry Setup"
0040126E |. 8B15 30604000 mov edx, dword ptr [406030] ; |setup.0040604C
00401274 |. 52 push edx ; |Class => "RZR1911REGSETUP"
00401275 |. 6A 00 push 0 ; |ExtStyle = 0
00401277 |. FF15 D8504000 call dword ptr [<&USER32.CreateWindow>; \CreateWindowExA create the window
0040127D |. 8945 FC mov dword ptr [ebp-4], eax
00401280 |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; NULL on failure
00401284 |. 75 04 jnz short 0040128A
00401286 |. 33C0 xor eax, eax ; return 0
00401288 |. EB 03 jmp short 0040128D
0040128A |> 8B45 FC mov eax, dword ptr [ebp-4] ; return the HWND
0040128D |> 8BE5 mov esp, ebp
0040128F |. 5D pop ebp
00401290 \. C3 retn ; cdecl

00401115  call    0040137E 函数:

;-----------------------------------------------------------------------
; 0040137E: int write_registry(HWND hWnd, const char *installDir)   (cdecl)
;   [ebp+8]   = hWnd (unused in the part shown), [ebp+C] = install directory (main's current directory)
;   [ebp-10C] = HKEY, [ebp-108] = 0x104-byte (MAX_PATH) path buffer, [ebp-4] = 2-byte REG_BINARY value
; Creates HKLM\Software\Blizzard Entertainment\Starcraft and writes values under it,
; so it needs write access to HKLM (an administrator token).
; Only RegCreateKeyA's result is checked; every RegSetValueExA return value is ignored.
; The listing is truncated by the author after RegCloseKey; the epilogue at 0040190B
; and the remaining return paths are not shown. Returns 0 if the key cannot be created.
;-----------------------------------------------------------------------
0040137E /$ 55 push ebp
0040137F |. 8BEC mov ebp, esp
00401381 |. 81EC 0C010000 sub esp, 10C ; HKEY + MAX_PATH buffer + one dword
00401387 |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
0040138D |. 50 push eax ; /pHandle
0040138E |. 8B0D 40604000 mov ecx, dword ptr [406040] ; |setup.004060A0
00401394 |. 51 push ecx ; |Subkey => "Software\Blizzard Entertainment\Starcraft"
00401395 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040139A |. FF15 04504000 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyA
004013A0 |. 85C0 test eax, eax
004013A2 |. 74 07 je short 004013AB ; ERROR_SUCCESS -> continue; otherwise return 0
004013A4 |. 33C0 xor eax, eax
004013A6 |. E9 60050000 jmp 0040190B ; function epilogue (outside the shown listing)
004013AB |> 8B55 0C mov edx, dword ptr [ebp+C]
004013AE |. 52 push edx ; installDir
004013AF |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
004013B5 |. 50 push eax ; destination buffer
004013B6 |. E8 55050000 call 00401910 ; copy installDir into [ebp-108] (helper not shown; looks like strcpy, no length argument is passed)
004013BB |. 83C4 08 add esp, 8
004013BE |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
004013C4 |. 51 push ecx ; /Path
004013C5 |. FF15 B0504000 call dword ptr [<&SHLWAPI.PathRemoveB>; \PathRemoveBackslashA strip a trailing backslash
004013CB |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
004013D1 |. 52 push edx
004013D2 |. E8 29060000 call 00401A00 ; path length (helper not shown; behaves like strlen)
004013D7 |. 83C4 04 add esp, 4
004013DA |. 83C0 01 add eax, 1 ; length + NUL; set InstallPath = install directory (e.g. E:\starcraft)
004013DD |. 50 push eax ; /BufSize
004013DE |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
004013E4 |. 50 push eax ; |Buffer
004013E5 |. 6A 01 push 1 ; |ValueType = REG_SZ
004013E7 |. 6A 00 push 0 ; |Reserved = 0
004013E9 |. 68 E0614000 push 004061E0 ; |ValueName = "InstallPath"
004013EE |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; |
004013F4 |. 51 push ecx ; |hKey
004013F5 |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
004013FB |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
00401401 |. 52 push edx
00401402 |. E8 F9050000 call 00401A00
00401407 |. 83C4 04 add esp, 4
0040140A |. 83C0 01 add eax, 1 ; set StarEdit = same directory (e.g. E:\starcraft)
0040140D |. 50 push eax ; /BufSize
0040140E |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
00401414 |. 50 push eax ; |Buffer
00401415 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401417 |. 6A 00 push 0 ; |Reserved = 0
00401419 |. 68 EC614000 push 004061EC ; |ValueName = "StarEdit"
0040141E |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; |
00401424 |. 51 push ecx ; |hKey
00401425 |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
0040142B |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
00401431 |. 52 push edx
00401432 |. E8 4F2D0000 call 00404186 ; upper-case the whole path in place (helper not shown)
00401437 |. 83C4 04 add esp, 4
0040143A |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401440 |. 50 push eax
00401441 |. E8 BA050000 call 00401A00
00401446 |. 83C4 04 add esp, 4
00401449 |. 83C0 01 add eax, 1 ; set StarCD = upper-cased directory (e.g. E:\STARCRAFT)
0040144C |. 50 push eax ; /BufSize
0040144D |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108] ; |
00401453 |. 51 push ecx ; |Buffer
00401454 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401456 |. 6A 00 push 0 ; |Reserved = 0
00401458 |. 68 F8614000 push 004061F8 ; |ValueName = "StarCD"
0040145D |. 8B95 F4FEFFFF mov edx, dword ptr [ebp-10C] ; |
00401463 |. 52 push edx ; |hKey
00401464 |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
0040146A |. 68 00624000 push 00406200 ; ASCII "\Starcraft.exe"
0040146F |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401475 |. 50 push eax
00401476 |. E8 A5040000 call 00401920 ; append "\Starcraft.exe" -> e.g. E:\STARCRAFT\Starcraft.exe (helper not shown; looks like strcat). NOTE(review): the buffer is 0x104 bytes and the directory may be up to 254 chars, so no bound is visible here; confirm the helper checks length
0040147B |. 83C4 08 add esp, 8
0040147E |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
00401484 |. 51 push ecx
00401485 |. E8 76050000 call 00401A00
0040148A |. 83C4 04 add esp, 4
0040148D |. 83C0 01 add eax, 1 ; set Program = full exe path (e.g. E:\STARCRAFT\Starcraft.exe)
00401490 |. 50 push eax ; /BufSize
00401491 |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108] ; |
00401497 |. 52 push edx ; |Buffer
00401498 |. 6A 01 push 1 ; |ValueType = REG_SZ
0040149A |. 6A 00 push 0 ; |Reserved = 0
0040149C |. 68 10624000 push 00406210 ; |ValueName = "Program"
004014A1 |. 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C] ; |
004014A7 |. 50 push eax ; |hKey
004014A8 |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
004014AE |. 68 18624000 push 00406218 ; string constant (contents not shown; the values written below imply "y")
004014B3 |. 8D8D F8FEFFFF lea ecx, dword ptr [ebp-108]
004014B9 |. 51 push ecx
004014BA |. E8 51040000 call 00401910 ; copy it into [ebp-108]
004014BF |. 83C4 08 add esp, 8
004014C2 |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
004014C8 |. 52 push edx
004014C9 |. E8 32050000 call 00401A00
004014CE |. 83C4 04 add esp, 4
004014D1 |. 83C0 01 add eax, 1 ; set Retail = y
004014D4 |. 50 push eax ; /BufSize
004014D5 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
004014DB |. 50 push eax ; |Buffer
004014DC |. 6A 01 push 1 ; |ValueType = REG_SZ
004014DE |. 6A 00 push 0 ; |Reserved = 0
004014E0 |. 68 1C624000 push 0040621C ; |ValueName = "Retail"
004014E5 |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; |
004014EB |. 51 push ecx ; |hKey
004014EC |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
004014F2 |. 8D95 F8FEFFFF lea edx, dword ptr [ebp-108]
004014F8 |. 52 push edx
004014F9 |. E8 02050000 call 00401A00
004014FE |. 83C4 04 add esp, 4
00401501 |. 83C0 01 add eax, 1 ; set Brood War = y (buffer unchanged since the previous write)
00401504 |. 50 push eax ; /BufSize
00401505 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
0040150B |. 50 push eax ; |Buffer
0040150C |. 6A 01 push 1 ; |ValueType = REG_SZ
0040150E |. 6A 00 push 0 ; |Reserved = 0
00401510 |. 68 24624000 push 00406224 ; |ValueName = "Brood War"
00401515 |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; |
0040151B |. 51 push ecx ; |hKey
0040151C |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
00401522 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; set Recent Maps = 00 00 (two zero bytes)
00401529 |. 6A 02 push 2 ; /BufSize = 2
0040152B |. 8D55 FC lea edx, dword ptr [ebp-4] ; |
0040152E |. 52 push edx ; |Buffer
0040152F |. 6A 03 push 3 ; |ValueType = REG_BINARY
00401531 |. 6A 00 push 0 ; |Reserved = 0
00401533 |. 68 30624000 push 00406230 ; |ValueName = "Recent Maps"
00401538 |. 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C] ; |
0040153E |. 50 push eax ; |hKey
0040153F |. FF15 00504000 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA (result ignored)
00401545 |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; close the registry key
0040154B |. 51 push ecx ; /hKey = 00000098 (window)
0040154C |. FF15 08504000 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
... ...
后面的代码与此类似,都是一些注册表操作


再看一下窗体消息处理函数 00401291:

;-----------------------------------------------------------------------
; 00401291: LRESULT WndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
;   stdcall (retn 10); registered as lpfnWndProc by 00401192
;   [ebp+8] = hWnd, [ebp+C] = msg, [ebp+10] = wParam, [ebp+14] = lParam, [ebp-4] = copy of msg
; Handles WM_DESTROY (2), WM_COMMAND (0x111) and the app-defined 0E141 message
; that main posts; everything else goes to DefWindowProcA.
;-----------------------------------------------------------------------
00401291 /. 55 push ebp
00401292 |. 8BEC mov ebp, esp
00401294 |. 51 push ecx ; reserve one dword local ([ebp-4])
00401295 |. 8B45 0C mov eax, dword ptr [ebp+C]
00401298 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = msg
0040129B |. 837D FC 02 cmp dword ptr [ebp-4], 2 ; WM_DESTROY
0040129F |. 74 44 je short 004012E5
004012A1 |. 817D FC 11010>cmp dword ptr [ebp-4], 111 ; WM_COMMAND
004012A8 |. 74 0B je short 004012B5
004012AA |. 817D FC 41E10>cmp dword ptr [ebp-4], 0E141 ; app-defined 0E141 message (posted by main after the registry work)
004012B1 |. 74 42 je short 004012F5
004012B3 |. EB 51 jmp short 00401306 ; anything else: default handling
004012B5 |> 8B4D 10 mov ecx, dword ptr [ebp+10] ; WM_COMMAND
004012B8 |. C1E9 10 shr ecx, 10 ; HIWORD(wParam) = notification code
004012BB |. 81E1 FFFF0000 and ecx, 0FFFF
004012C1 |. 81E1 FFFF0000 and ecx, 0FFFF ; redundant second mask (compiler artifact)
004012C7 |. 51 push ecx
004012C8 |. 8B55 14 mov edx, dword ptr [ebp+14]
004012CB |. 52 push edx ; lParam
004012CC |. 8B45 10 mov eax, dword ptr [ebp+10]
004012CF |. 25 FFFF0000 and eax, 0FFFF ; LOWORD(wParam) = command id
004012D4 |. 50 push eax
004012D5 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004012D8 |. 51 push ecx ; hWnd
004012D9 |. E8 44000000 call 00401322 ; 00401322(hWnd, LOWORD(wParam), lParam, HIWORD(wParam)) - not shown
004012DE |. 83C4 10 add esp, 10 ; cdecl, four args
004012E1 |. 33C0 xor eax, eax ; return 0
004012E3 |. EB 37 jmp short 0040131C
004012E5 |> 8B55 08 mov edx, dword ptr [ebp+8] ; WM_DESTROY
004012E8 |. 52 push edx ; hWnd
004012E9 |. E8 83000000 call 00401371 ; 00401371(hWnd) - not shown; presumably posts WM_QUIT so main's loop ends - TODO confirm
004012EE |. 83C4 04 add esp, 4
004012F1 |. 33C0 xor eax, eax ; return 0
004012F3 |. EB 27 jmp short 0040131C
004012F5 |> 8B45 08 mov eax, dword ptr [ebp+8] ; 0E141: destroy the window outright (DestroyWindow sends WM_DESTROY, handled above), which ends the program
004012F8 |. 50 push eax ; /hWnd
004012F9 |. FF15 D0504000 call dword ptr [<&USER32.DestroyWindo>; \DestroyWindow
004012FF |. B8 01000000 mov eax, 1 ; return 1
00401304 |. EB 16 jmp short 0040131C
00401306 |> 8B4D 14 mov ecx, dword ptr [ebp+14] ; default: forward to DefWindowProcA
00401309 |. 51 push ecx ; /lParam
0040130A |. 8B55 10 mov edx, dword ptr [ebp+10] ; |
0040130D |. 52 push edx ; |wParam
0040130E |. 8B45 0C mov eax, dword ptr [ebp+C] ; |
00401311 |. 50 push eax ; |Message
00401312 |. 8B4D 08 mov ecx, dword ptr [ebp+8] ; |
00401315 |. 51 push ecx ; |hWnd
00401316 |. FF15 D4504000 call dword ptr [<&USER32.DefWindowPro>; \DefWindowProcA
0040131C |> 8BE5 mov esp, ebp ; common exit; eax holds the LRESULT
0040131E |. 5D pop ebp
0040131F \. C2 1000 retn 10 ; stdcall: pops the four dword args


在窗体消息处理函数中,实际起主要作用的是0E141消息
完成大致分析后setup.exe工作流程为:
启动程序->检测是否重复执行->创建一个看不见的窗体->进行注册,设置大量注册表信息->弹出对话框,显示setup完成->发送0E141消息销毁窗体->程序结束
