00A328B0 /> \55 push ebp ;注册事件段首
00A328B1 |. 8BEC mov ebp,esp
00A328B3 |. 6A FF push -0x1
00A328B5 |. 68 A04EA300 push ZCDLOG.00A34EA0 ; SE 处理程序安装
00A328BA |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00A328C0 |. 50 push eax
00A328C1 |. 64:8925 00000>mov dword ptr fs:[0],esp
00A328C8 |. 81EC 44020000 sub esp,0x244
00A328CE |. 53 push ebx
00A328CF |. 56 push esi
00A328D0 |. 57 push edi
00A328D1 |. 51 push ecx
00A328D2 |. 8DBD B0FDFFFF lea edi,[local.148]
00A328D8 |. B9 91000000 mov ecx,0x91
00A328DD |. B8 CCCCCCCC mov eax,0xCCCCCCCC
00A328E2 |. F3:AB rep stos dword ptr es:[edi]
00A328E4 |. 59 pop ecx
00A328E5 |. 894D F0 mov [local.4],ecx
00A328E8 |. 68 F0550000 push 0x55F0
00A328ED |. 8B4D F0 mov ecx,[local.4]
00A328F0 |. E8 7B100000 call <jmp.&MFC42D.#2435>
00A328F5 |. 8945 EC mov [local.5],eax
00A328F8 |. B9 07000000 mov ecx,0x7
00A328FD |. BE 4463A400 mov esi,ZCDLOG.00A46344 ; ASCII "EFXSR3H8DE5U3FGY4AC1ND8F5KL"
00A32902 |. 8D7D 88 lea edi,[local.30]
00A32905 |. F3:A5 rep movs dword ptr es:[edi],dword pt>
00A32907 |. B9 12000000 mov ecx,0x12
00A3290C |. 33C0 xor eax,eax
00A3290E |. 8D7D A4 lea edi,[local.23]
00A32911 |. F3:AB rep stos dword ptr es:[edi]
00A32913 |. 6A 64 push 0x64
00A32915 |. 8D85 24FFFFFF lea eax,[local.55]
00A3291B |. 50 push eax
00A3291C |. 8B4D EC mov ecx,[local.5]
00A3291F |. E8 46100000 call <jmp.&MFC42D.#3173>
00A32924 |. 8D4D 88 lea ecx,[local.30]
00A32927 |. 51 push ecx ; /s
00A32928 |. E8 A9100000 call <jmp.&MSVCRTD.strlen> ; \strlen
00A3292D |. 83C4 04 add esp,0x4
00A32930 |. 8985 1CFFFFFF mov [local.57],eax
00A32936 |. EB 0F jmp short ZCDLOG.00A32947
00A32938 |> 8B95 1CFFFFFF /mov edx,[local.57]
00A3293E |. 83EA 01 |sub edx,0x1
00A32941 |. 8995 1CFFFFFF |mov [local.57],edx
00A32947 |> 83BD 1CFFFFFF> cmp [local.57],0x0
00A3294E |. 7C 16 |jl short ZCDLOG.00A32966
00A32950 |. 8B85 1CFFFFFF |mov eax,[local.57]
00A32956 |. 8B8D 1CFFFFFF |mov ecx,[local.57]
00A3295C |. 8A540D 88 |mov dl,byte ptr ss:[ebp+ecx-0x78]
00A32960 |. 885405 8E |mov byte ptr ss:[ebp+eax-0x72],dl
00A32964 |.^ EB D2 \jmp short ZCDLOG.00A32938
00A32966 |> C785 1CFFFFFF>mov [local.57],0x0
00A32970 |. EB 0F jmp short ZCDLOG.00A32981
00A32972 |> 8B85 1CFFFFFF /mov eax,[local.57] ;取机器码前6位(A)
00A32978 |. 83C0 01 |add eax,0x1
00A3297B |. 8985 1CFFFFFF |mov [local.57],eax
00A32981 |> 83BD 1CFFFFFF> cmp [local.57],0x5
00A32988 |. 7F 19 |jg short ZCDLOG.00A329A3
00A3298A |. 8B8D 1CFFFFFF |mov ecx,[local.57]
00A32990 |. 8B95 1CFFFFFF |mov edx,[local.57]
00A32996 |. 8A8415 24FFFF>|mov al,byte ptr ss:[ebp+edx-0xDC]
00A3299D |. 88440D 88 |mov byte ptr ss:[ebp+ecx-0x78],al
00A329A1 |.^ EB CF \jmp short ZCDLOG.00A32972
00A329A3 |> 8D4D 88 lea ecx,[local.30]
00A329A6 |. 51 push ecx ; /s
00A329A7 |. E8 2A100000 call <jmp.&MSVCRTD.strlen> ; \strlen
00A329AC |. 83C4 04 add esp,0x4
00A329AF |. 8985 18FFFFFF mov [local.58],eax
00A329B5 |. C785 1CFFFFFF>mov [local.57],0x0
00A329BF |. EB 0F jmp short ZCDLOG.00A329D0 ;从机器码第7位开始取7位(B)
00A329C1 |> 8B95 1CFFFFFF /mov edx,[local.57]
00A329C7 |. 83C2 01 |add edx,0x1
00A329CA |. 8995 1CFFFFFF |mov [local.57],edx
00A329D0 |> 83BD 1CFFFFFF> cmp [local.57],0x6
00A329D7 |. 7F 1F |jg short ZCDLOG.00A329F8
00A329D9 |. 8B85 18FFFFFF |mov eax,[local.58]
00A329DF |. 0385 1CFFFFFF |add eax,[local.57]
00A329E5 |. 8B8D 1CFFFFFF |mov ecx,[local.57] ;A+"EFXSR3H8DE5U3FGY4AC1ND8F5KL"+B
00A329EB |. 8A940D 2AFFFF>|mov dl,byte ptr ss:[ebp+ecx-0xD6]
00A329F2 |. 885405 88 |mov byte ptr ss:[ebp+eax-0x78],dl
00A329F6 |.^ EB C9 \jmp short ZCDLOG.00A329C1
00A329F8 |> C785 20FFFFFF>mov [local.56],0x0
00A32A02 |. C785 1CFFFFFF>mov [local.57],0x0
00A32A0C |. EB 0F jmp short ZCDLOG.00A32A1D
00A32A0E |> 8B85 1CFFFFFF /mov eax,[local.57]
00A32A14 |. 83C0 01 |add eax,0x1
00A32A17 |. 8985 1CFFFFFF |mov [local.57],eax
00A32A1D |> 8D4D 88 lea ecx,[local.30]
00A32A20 |. 51 |push ecx ; /s
00A32A21 |. E8 B00F0000 |call <jmp.&MSVCRTD.strlen> ; \strlen
00A32A26 |. 83C4 04 |add esp,0x4
00A32A29 |. 83E8 01 |sub eax,0x1
00A32A2C |. 3985 1CFFFFFF |cmp [local.57],eax
00A32A32 |. 77 35 |ja short ZCDLOG.00A32A69
00A32A34 |. 8B95 20FFFFFF |mov edx,[local.56]
00A32A3A |. 81EA 41621C4A |sub edx,0x4A1C6241 ;EDX - 0x4A1C6241
00A32A40 |. 8995 20FFFFFF |mov [local.56],edx
00A32A46 |. 8B85 1CFFFFFF |mov eax,[local.57]
00A32A4C |. 0FBE4C05 88 |movsx ecx,byte ptr ss:[ebp+eax-0x78] ;取ASCII
00A32A51 |. B8 5A040000 |mov eax,0x45A
00A32A56 |. 99 |cdq
00A32A57 |. F7F9 |idiv ecx ;0x45A\ASCII
00A32A59 |. 8B85 20FFFFFF |mov eax,[local.56]
00A32A5F |. 2BC2 |sub eax,edx ;EAX - 0x45A Mod ASCII
00A32A61 |. 8985 20FFFFFF |mov [local.56],eax
00A32A67 |.^ EB A5 \jmp short ZCDLOG.00A32A0E
00A32A69 |> 8D8D 14FFFFFF lea ecx,[local.59]
00A32A6F |. E8 5A0E0000 call <jmp.&MFC42D.#492>
00A32A74 |. C745 FC 00000>mov [local.1],0x0
00A32A7B |. 8D8D 10FFFFFF lea ecx,[local.60]
00A32A81 |. E8 480E0000 call <jmp.&MFC42D.#492>
00A32A86 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00A32A8A |. 8B8D 20FFFFFF mov ecx,[local.56]
00A32A90 |. 51 push ecx
00A32A91 |. 68 EC64A400 push ZCDLOG.00A464EC ; ASCII "%x"
00A32A96 |. 8D95 14FFFFFF lea edx,[local.59]
00A32A9C |. 52 push edx
00A32A9D |. E8 C20E0000 call <jmp.&MFC42D.#2168>
00A32AA2 |. 83C4 0C add esp,0xC
00A32AA5 |. 8D85 14FFFFFF lea eax,[local.59]
00A32AAB |. 50 push eax
00A32AAC |. 68 A860A400 push ZCDLOG.00A460A8 ; ASCII "HDCDUSB"
00A32AB1 |. 8D8D 04FEFFFF lea ecx,[local.127]
00A32AB7 |. E8 A20E0000 call <jmp.&MFC42D.#487>
00A32ABC |. 8985 FCFDFFFF mov [local.129],eax
00A32AC2 |. 8B8D FCFDFFFF mov ecx,[local.129]
00A32AC8 |. 898D F8FDFFFF mov [local.130],ecx
00A32ACE |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00A32AD2 |. 8B95 F8FDFFFF mov edx,[local.130]
00A32AD8 |. 52 push edx
00A32AD9 |. 8D85 00FEFFFF lea eax,[local.128]
00A32ADF |. 50 push eax
00A32AE0 |. E8 730E0000 call <jmp.&MFC42D.#899>
00A32AE5 |. 8985 F4FDFFFF mov [local.131],eax
00A32AEB |. 8B8D F4FDFFFF mov ecx,[local.131]
00A32AF1 |. 898D F0FDFFFF mov [local.132],ecx
00A32AF7 |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00A32AFB |. 8B95 F0FDFFFF mov edx,[local.132]
00A32B01 |. 52 push edx
00A32B02 |. 8D8D 14FFFFFF lea ecx,[local.59]
00A32B08 |. E8 450E0000 call <jmp.&MFC42D.#734>
00A32B0D |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00A32B11 |. 8D8D 00FEFFFF lea ecx,[local.128]
00A32B17 |. E8 9A0D0000 call <jmp.&MFC42D.#684>
00A32B1C |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00A32B20 |. 8D8D 04FEFFFF lea ecx,[local.127]
00A32B26 |. E8 8B0D0000 call <jmp.&MFC42D.#684>
00A32B2B |. 8D8D 14FFFFFF lea ecx,[local.59]
00A32B31 |. E8 160E0000 call <jmp.&MFC42D.#3483>
00A32B36 |. 8D85 10FFFFFF lea eax,[local.60]
00A32B3C |. 50 push eax
00A32B3D |. 68 F1550000 push 0x55F1
00A32B42 |. 8B4D F0 mov ecx,[local.4]
00A32B45 |. E8 260E0000 call <jmp.&MFC42D.#2435>
00A32B4A |. 8BC8 mov ecx,eax
00A32B4C |. E8 F50D0000 call <jmp.&MFC42D.#3174>
00A32B51 |. 8D8D 14FFFFFF lea ecx,[local.59]
00A32B57 |. 51 push ecx
00A32B58 |. 8D95 10FFFFFF lea edx,[local.60]
00A32B5E |. 52 push edx
00A32B5F |. E8 DC0D0000 call <jmp.&MFC42D.#812>
00A32B64 |. 25 FF000000 and eax,0xFF
00A32B69 |. 85C0 test eax,eax
00A32B6B |. 0F84 DD040000 je ZCDLOG.00A3304E ;关键跳
00A32B71 |. C685 10FEFFFF>mov byte ptr ss:[ebp-0x1F0],0x0
00A32B78 |. B9 3F000000 mov ecx,0x3F
00A32B7D |. 33C0 xor eax,eax
00A32B7F |. 8DBD 11FEFFFF lea edi,dword ptr ss:[ebp-0x1EF]
00A32B85 |. F3:AB rep stos dword ptr es:[edi]
00A32B87 |. 66:AB stos word ptr es:[edi]
00A32B89 |. 8BF4 mov esi,esp
00A32B8B |. 8D85 10FEFFFF lea eax,[local.124]
00A32B91 |. 50 push eax ; /s
00A32B92 |. FF15 8886A400 call dword ptr ds:[<&MSVCRTD.atoi>] ; \atoi
00A32B98 |. 83C4 04 add esp,0x4
00A32B9B |. 3BF4 cmp esi,esp
00A32B9D |. E8 040E0000 call <jmp.&MSVCRTD._chkesp>
00A32BA2 |. 8985 08FEFFFF mov [local.126],eax
00A32BA8 |. 83BD 08FEFFFF>cmp [local.126],0x0
00A32BAF |. 0F85 80040000 jnz ZCDLOG.00A33035
00A32BB5 |. 8BF4 mov esi,esp
00A32BB7 |. 8D8D 0CFEFFFF lea ecx,[local.125]
......
...... ;写注册表部分
......
00A330A4 \. C3 retn
[复制链接]
发表于 2011-5-15 00:30
