Analysis of the "CSDN Points-Free Downloader"


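At first I thought a backdoor in CSDN had been exposed or something like that; downloading without points would mean privilege bypass and everything that comes with it. Only later did I see this thread: http://topic.csdn.net/u/20111021/14/1fc7f1d7-2cd5-49e1-9750-530e99f90129.html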


On to the main topic:


1. PEiD identifies it as Microsoft Visual C++ 6.0

2. String search:

超级字串参考
地址 反汇编 文本字串
00401092 push 13222453.00407AA8 开始执行程序执,共6步,目前执行第1步...
004010BB push 13222453.00407AA0 错误
004010C0 push 13222453.00407A90 请输入资源ID!
004010F5 mov edi,13222453.004079D8 GET /csdn_action2.php?act=reg HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\nHost: www.itziy.com\r\n\r\n
0040112D push 13222453.004079C8 www.itziy.com
00401140 push 13222453.00407AA0 错误
00401145 push 13222453.00407984 发送下载请求后程序发生错误,可能是您的网络有问题或者服务器繁忙!
0040116A push 13222453.00407978 Location:
0040117F push 13222453.00407AA0 错误
00401184 push 13222453.0040793C 您的网络状态不稳定,下载请求发送失败,请稍后重试!error:1
004011A2 push 13222453.0040791C 程序执行第1步操作完成,共6步...
004011BA push 13222453.00407918
00401242 mov edi,13222453.004078F0 GET /ajax/accounthandler.ashx?t=reg&un=
004012A3 mov edi,13222453.004078E0 &pwd=wrr717&em=
00401303 mov edi,13222453.00407860 @nepwk.com&ct=%u5317%u4EAC&sex=%u7537&job=CTO&hy=%u79FB%u52A8%u4E0E%u624B%u673A%u5E94%u7528&jy=%u5B66%u751F&cd=4bb9e HTTP/1.1\r\n
00401332 mov edi,13222453.0040783C x-requested-with: XMLHttpRequest\r\n
0040135E mov edi,13222453.00407804 Referer: http://passport.csdn.net/account/register\r\n
0040138D mov edi,13222453.004077D0 Content-Type: application/x-www-form-urlencoded\r\n
004013BC mov edi,13222453.004077AC Accept-Encoding: gzip, deflate\r\n
004013EE mov edi,13222453.00407734 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\n
0040141A mov edi,13222453.00407718 Host: passport.csdn.net\r\n
00401449 mov edi,13222453.004076E4 Cookie: pp_vc=ZUOc76Ah2sA9PwJB%2bXwoug%3d%3d\r\n\r\n
00401481 push 13222453.004076D0 passport.csdn.net
00401494 push 13222453.00407AA0 错误
00401499 push 13222453.004076A0 发送下载请求后程序发生错误,可能是你网络问题!
004014BE push 13222453.00407698 false
004014D2 push 13222453.00407AA0 错误
004014D7 push 13222453.00407624 对不起,您的IP已经被封,请断开宽带,过会儿重先链接改变外网IP!\n如果更换IP还是不可以请上www.itziy.com看是否有更新!
004014FB push 13222453.00407604 程序执行第2步操作完成,共6步...
00401537 mov edi,13222453.004075DC GET /ajax/accounthandler.ashx?t=act&un=
00401591 mov edi,13222453.004075D0 HTTP/1.1\r\n
004015C0 mov edi,13222453.0040783C x-requested-with: XMLHttpRequest\r\n
004015F2 mov edi,13222453.0040759C Referer: http://passport.csdn.net/account/active\r\n
00401621 mov edi,13222453.004077D0 Content-Type: application/x-www-form-urlencoded\r\n
0040164D mov edi,13222453.00407734 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\n
0040167C mov edi,13222453.00407718 Host: passport.csdn.net\r\n
004016AB mov edi,13222453.00407590 Cookie: UN=
00401708 mov edi,13222453.00407564 ; pp_vc=ZUOc76Ah2sA9PwJB%2bXwoug%3d%3d\r\n\r\n
00401740 push 13222453.004076D0 passport.csdn.net
00401753 push 13222453.00407AA0 错误
00401758 push 13222453.00407524 发送下载请求后程序发生错误,最大可能是您的网络不稳定等问题!
004017A2 mov edi,13222453.004074FC GET /csdn_action2.php?act=chk&e_addr=
00401805 mov edi,13222453.004074F0 &e_cookie=
0040185E mov edi,13222453.00407458 HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\nHost: www.itziy.com\r\n\r\n
0040189D push 13222453.004079C8 www.itziy.com
004018B0 push 13222453.00407AA0 错误
004018B5 push 13222453.00407984 发送下载请求后程序发生错误,可能是您的网络有问题或者服务器繁忙!
004018DA push 13222453.00407978 Location:
004018EF push 13222453.00407AA0 错误
004018F4 push 13222453.0040741C 您的网络状态不稳定,下载请求发送失败,请稍后重试!error:2
00401912 push 13222453.004073FC 程序执行第3步操作完成,共6步...
00401926 push 13222453.00407918
0040198A mov edi,13222453.004073F4 GET
004019EE mov edi,13222453.004075D0 HTTP/1.1\r\n
00401A1D mov edi,13222453.00407734 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\n
00401A4C mov edi,13222453.004073D8 Host: passport.csdn.net\r\n\r\n
00401A84 push 13222453.004076D0 passport.csdn.net
00401A99 push 13222453.004073B8 程序执行4步操作完成,共6步...
00401AD5 mov edi,13222453.00407390 GET /ajax/accounthandler.ashx?t=log&u=
00401B2F mov edi,13222453.0040734C &p=wrr717&c=&remember=0&f=http%3A//passport.csdn.net/account/login
00401B5E mov edi,13222453.004075D0 HTTP/1.1\r\n
00401B90 mov edi,13222453.0040783C x-requested-with: XMLHttpRequest\r\n
00401BBF mov edi,13222453.00407304 Referer: http://passport.csdn.net/account/loginbox?callback=logined\r\n
00401BEB mov edi,13222453.004077D0 Content-Type: application/x-www-form-urlencoded\r\n
00401C1A mov edi,13222453.00407734 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\n
00401C49 mov edi,13222453.004073D8 Host: passport.csdn.net\r\n\r\n
00401C81 push 13222453.004076D0 passport.csdn.net
00401CA7 mov edi,13222453.00407590 Cookie: UN=
00401D08 mov edi,13222453.004072F8 ; UserName=
00401D65 mov edi,13222453.004072EC ; UserInfo=
00401D92 push 13222453.004072D4 Set-Cookie: UserInfo=
00401DA9 push 13222453.00407AA0 错误
00401DAE push 13222453.004072A4 对不起,服务器繁忙,请稍候重试!error:no active
00401DCC push 13222453.00407284 程序执行第5步操作完成,共6步...
00401DE0 push 13222453.00407280 =
00401E83 mov edi,13222453.00407264 download.csdn.net/source/
00401EF5 push 13222453.00407978 Location:
00401F08 push 13222453.00407AA0 错误
00401F0D push 13222453.00407224 您的网络状态不稳定,下载请求发送失败,请稍后重试!error:2_2
00401F2B push 13222453.00407918
00401F72 mov edi,13222453.00407208 download.csdn.net/download
00401FDA push 13222453.004071E8 /index.php/source/do_download
00401FFC push 13222453.00407AA0 错误
00402001 push 13222453.004071AC 您的网络状态不稳定,下载请求发送失败,请稍后重试!error:3
0040206C mov edi,13222453.004071A4 POST
004020CD mov edi,13222453.004075D0 HTTP/1.1\r\n
004020FC mov edi,13222453.00407178 Referer: http://download.csdn.net/download/
00402126 push 13222453.0040716C do_download
004021BA mov edi,13222453.00407168 /
00402214 mov edi,13222453.00407164 \r\n
00402243 mov edi,13222453.00407734 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\n
00402275 mov edi,13222453.004077D0 Content-Type: application/x-www-form-urlencoded\r\n
004022A4 mov edi,13222453.00407148 Host: download.csdn.net\r\n
004022D0 mov edi,13222453.00407134 Content-Length: 5\r\n
00402330 mov edi,13222453.0040712C \r\n\r\n
0040235F mov edi,13222453.00407124 ds=dx
00402397 push 13222453.00407110 download.csdn.net
004023AA push 13222453.00407AA0 错误
004023AF push 13222453.004070F0 发送下载请求后程序发生错误!
004023D4 push 13222453.00407978 Location:
004023E7 push 13222453.00407AA0 错误
004023EC push 13222453.004070C0 对不起,服务器繁忙,过会儿重试!error:no cookie
004023F3 push 13222453.00407918
00402499 push 13222453.00407098 程序执行第6步操作完成,程序执行完成.
004024BB push 13222453.00407090 open
004024CA push 13222453.00407080 获取地址成功
004024CF push 13222453.00407048 下载地址已经复制到剪切板,请打开浏览器黏贴即可下载!
004024E6 push 13222453.00407044 1
004024F3 push 13222453.00407030 程序处于默认状态...
0040279E mov edi,13222453.004073F4 GET
00402807 mov edi,13222453.004075D0 HTTP/1.1\r\n
0040283B mov edi,13222453.00407B04 HOST:
00402898 mov edi,13222453.00407AEC \r\nConnection: Close\r\n\r\n
00402910 push 13222453.00407AD8 source/do_download/
0040292D push 13222453.00407AD0 [CSDN]
00402A8F push ebp (Initial CPU selection)
004035D9 push 13222453.0040612C __MSVCRT_HEAP_SELECT
00403618 push 13222453.00406114 __GLOBAL_HEAP_SELECTED
004039B6 push 13222453.00406418 <program name unknown>
004039F8 push 13222453.00406414 ...
00403A0C push 13222453.004063F8 Runtime Error!\n\nProgram:
00403A2A push 13222453.004063F4 \n\n
00403A52 push 13222453.004063CC Microsoft Visual C++ Runtime Library
00404F46 mov esi,13222453.00407D50 P}@
00404F46 mov esi,13222453.00407D50 P}@
00404F46 mov esi,13222453.00407D50 P}@
00404FA2 mov eax,13222453.00407D50 P}@
00404FA2 mov eax,13222453.00407D50 P}@
00404FA2 mov eax,13222453.00407D50 P}@
00405199 mov edx,13222453.00407D50 P}@
00405199 mov edx,13222453.00407D50 P}@
00405199 mov edx,13222453.00407D50 P}@
0040530C mov eax,13222453.00407D50 P}@
0040530C mov eax,13222453.00407D50 P}@
0040530C mov eax,13222453.00407D50 P}@
0040556A push 13222453.00406460 user32.dll
00405581 push 13222453.00406454 MessageBoxA
00405592 push 13222453.00406444 GetActiveWindow
0040559A push 13222453.00406430 GetLastActivePopup


Well, there is no need to analyze the packets; even the order of the steps is written out neatly.
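The step order can be read straight out of the listing, as the following added example shows (it is not part of the original post): a small triage parser that groups the request templates and hosts under the progress marker that follows them. The sample lines are copied from the listing above; the function and variable names are assumptions made for this example.

```python
import re

# Excerpt copied from the string-reference listing on this page.
DUMP = r"""
004010F5 mov edi,13222453.004079D8 GET /csdn_action2.php?act=reg HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET4.0E; .NET4.0C)\r\nHost: www.itziy.com\r\n\r\n
004011A2 push 13222453.0040791C 程序执行第1步操作完成,共6步...
00401242 mov edi,13222453.004078F0 GET /ajax/accounthandler.ashx?t=reg&un=
0040141A mov edi,13222453.00407718 Host: passport.csdn.net\r\n
004014FB push 13222453.00407604 程序执行第2步操作完成,共6步...
00401537 mov edi,13222453.004075DC GET /ajax/accounthandler.ashx?t=act&un=
0040167C mov edi,13222453.00407718 Host: passport.csdn.net\r\n
004017A2 mov edi,13222453.004074FC GET /csdn_action2.php?act=chk&e_addr=
0040189D push 13222453.004079C8 www.itziy.com
00401912 push 13222453.004073FC 程序执行第3步操作完成,共6步...
00401A4C mov edi,13222453.004073D8 Host: passport.csdn.net\r\n\r\n
00401A99 push 13222453.004073B8 程序执行4步操作完成,共6步...
"""

# address, instruction (mnemonic + operand), referenced string
LINE = re.compile(r"^([0-9A-F]{8}) (\w+ \S+) ?(.*)$")
# Progress markers; the step-4 string in the binary lacks the "第" prefix.
STEP_DONE = re.compile(r"程序执行第?(\d)步操作完成")
REQUEST = re.compile(r"^(GET|POST) (/\S*)")
# Either a Host: header inside a template or a string that is only a hostname.
HOST = re.compile(r"Host: ([\w.-]+)|^([\w-]+(?:\.[\w-]+)+)$", re.ASCII)

def steps_from_dump(dump):
    """Group request paths and hosts under the step marker that follows them."""
    steps, requests, hosts = {}, [], set()
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        text = m.group(3)
        done = STEP_DONE.search(text)
        if done:
            steps[int(done.group(1))] = {"requests": requests, "hosts": sorted(hosts)}
            requests, hosts = [], set()
            continue
        req = REQUEST.match(text)
        if req:
            requests.append(req.group(2))
        for header_host, bare_host in HOST.findall(text):
            hosts.add(header_host or bare_host)
    return steps  # strings after the last marker are not assigned to a step

if __name__ == "__main__":
    for number, info in sorted(steps_from_dump(DUMP).items()):
        print(number, info["hosts"], info["requests"])
```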




