Opens Blog

整理一下亂七八糟的筆記，應該是上兩個月的事吧，接著上回。就當帶帶你們這些還不會的入個門吧！上次偶寫了一篇，這次就不寫那麼詳細了（沒有看過第一篇的，可以在偶的 BLOG 中找找）。

上回逆向的 WOW 木馬，用戶信息（收信地址）是經過加密後以附加數據的方式添加到文件的尾端。這次要說的 WOW 木馬不同於上一次：它把用戶信息直接寫到文件內。如何定位？其實相對來說是件很簡單的問題。很明顯這是預留的空位（見截圖，本文未附），再用十六進制編輯軟件打開查找。用 OD 跟蹤發現：粉紅色圈著的是要讀取的長度，選擇了的是經過加密後的用戶信息，紅色圈的數據是驗證數據的合法性。

從下面的匯編碼可以看出大致流程：call 004070A8 驗證數據，接著 test eax, eax，原本 00406061 處的 je 決定是繼續往下走還是掉進 push 0 / call ExitProcess 直接退出；偶把這個 je 改成 jmp 只是為了在除錯器中跳過這個檢查繼續跟蹤，並不是「修復」。通過之後程式會組出檔名，條件性地呼叫 DeleteFileA，然後用 LoadLibraryA 載入一個模組（第一個檔名載入失敗時改試第二個）。注意：LoadLibraryA 會執行被載入模組的 DllMain，也就是說繼續往下跟蹤等於讓木馬的下一階段真的跑起來，整個分析務必在隔離的虛擬機中進行。

貼上 OD 中的匯編碼：

0040604A . 8D45 F0 lea eax, dword ptr [ebp-10]
0040604D . BA DC624000 mov edx, 004062DC
00406052 . E8 4DD6FFFF call 004036A4
00406057 . 8B45 F0 mov eax, dword ptr [ebp-10]
0040605A . E8 49100000 call 004070A8 ; 验证数据的合法性
0040605F . 85C0 test eax, eax
00406061 . EB 11 jmp short 00406074 ; 这里原本是je偶现在改为jmp
00406063 . 6A 00 push 0 ; /ExitCode = 0
00406065 . E8 26DFFFFF call ; \ExitProcess
0040606A .^ E9 FBFEFFFF jmp 00405F6A
0040606F . E8 A8D4FFFF call 0040351C
00406074 > 8B03 mov eax, dword ptr [ebx]
00406076 . 33D2 xor edx, edx
00406078 . 8990 15110000 mov dword ptr [eax+1115], edx
0040607E . 8D55 CC lea edx, dword ptr [ebp-34]
00406081 . B8 04654000 mov eax, 00406504 ; ASCII "潇?
00406086 . E8 1DEBFFFF call 00404BA8
0040608B . FF75 CC push dword ptr [ebp-34]
0040608E . A1 D8804000 mov eax, dword ptr [4080D8]
00406093 . FF30 push dword ptr [eax]
00406095 . 8D55 C8 lea edx, dword ptr [ebp-38]
00406098 . B8 10654000 mov eax, 00406510 ; ASCII "?祆"
0040609D . E8 06EBFFFF call 00404BA8
004060A2 . FF75 C8 push dword ptr [ebp-38]
004060A5 . 8D45 F8 lea eax, dword ptr [ebp-8]
004060A8 . BA 03000000 mov edx, 3
004060AD . E8 92D7FFFF call 00403844
004060B2 . 8D45 C4 lea eax, dword ptr [ebp-3C]
004060B5 . E8 7EEFFFFF call 00405038
004060BA . 8B55 C4 mov edx, dword ptr [ebp-3C]
004060BD . 8D45 F4 lea eax, dword ptr [ebp-C]
004060C0 . 8B4D F8 mov ecx, dword ptr [ebp-8]
004060C3 . E8 08D7FFFF call 004037D0
004060C8 . 8B45 F4 mov eax, dword ptr [ebp-C]
004060CB . E8 F8E1FFFF call 004042C8
004060D0 . 84C0 test al, al
004060D2 . 74 0E je short 004060E2
004060D4 . 8B45 F4 mov eax, dword ptr [ebp-C]
004060D7 . E8 A8D8FFFF call 00403984
004060DC . 50 push eax ; /FileName
004060DD . E8 A6DEFFFF call ; \DeleteFileA
004060E2 > 6A 01 push 1
004060E4 . 8D55 C0 lea edx, dword ptr [ebp-40]
004060E7 . B8 20654000 mov eax, 00406520 ; ASCII "潇毂"
004060EC . E8 B7EAFFFF call 00404BA8
004060F1 . 8B45 C0 mov eax, dword ptr [ebp-40]
004060F4 . 50 push eax
004060F5 . 8D55 BC lea edx, dword ptr [ebp-44]
004060F8 . B8 04654000 mov eax, 00406504 ; ASCII "潇?
004060FD . E8 A6EAFFFF call 00404BA8
00406102 . 8B45 BC mov eax, dword ptr [ebp-44]
00406105 . 8B4D F4 mov ecx, dword ptr [ebp-C]
00406108 . 5A pop edx
00406109 . E8 3AE9FFFF call 00404A48
0040610E . 8B45 F8 mov eax, dword ptr [ebp-8]
00406111 . E8 6ED8FFFF call 00403984
00406116 . 50 push eax ; /FileName
00406117 . E8 14DFFFFF call ; \LoadLibraryA
0040611C . 8BF0 mov esi, eax
0040611E . 85F6 test esi, esi
00406120 . 75 10 jnz short 00406132
00406122 . 8B45 F4 mov eax, dword ptr [ebp-C]
00406125 . E8 5AD8FFFF call 00403984
0040612A . 50 push eax ; /FileName
0040612B . E8 00DFFFFF call ; \LoadLibraryA
00406130 . 8BF0 mov esi, eax
00406132 > 85F6 test esi, esi
00406134 . 0F84 53010000 je 0040628D
0040613A . 8D55 B8 lea edx, dword ptr [ebp-48]
0040613D . B8 30654000 mov eax, 00406530
00406142 . E8 61EAFFFF call 00404BA8
00406147 . 8B45 B8 mov eax, dword