|
 | 作者: yongmin [yongmin]
 论坛用户 |
登录 |
| 【文章标题】: 某网络嗅探类软件去广告分析 【文章作者】: goodcode 【软件名称】: xxxx 【下载地址】: 自己搜索下载 【加壳方式】: 无壳 【编写语言】: delphi 7 【使用工具】: dede+od 【操作平台】: winxpsp2 【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教! -------------------------------------------------------------------------------- 【软件介绍】 xxxx是一款使用WinPcap开发包的嗅探器,经过数据包的智能分析过滤,快速找到你所需要的网络信息。 软件智能化程度高,使用方便快捷。 【详细过程】 首先用Peid查壳, 程序并没有加壳是delphi编写得. 用dede打开程序并分析, 分析得过程中我们就要猜测广告是通过什么方式被设置或下载得. 分析完成后我们首先来看看主窗体中得窗体资源很快可以发现用来播放广告得组件是TWBS1. 代码如下: object pnl3: TPanel Left = 244 Top = 0 Width = 470 Height = 60 Color = clWhite TabOrder = 0 object TWBS1: TWebBrowser Left = -11 Top = -17 Width = 580 Height = 193 TabOrder = 0 ControlData = { 4C000000F23B0000F21300000000000000000000000000000000000000000000 000000004C000000000000000000000001000000E0D057007335CF11AE690800 2B2E126208000000000000004C0000000114020000000000C000000000000046 8000000000000000000000000000000000000000000000000000000000000000 00000000000000000100000000000000000000000000000000000000} end end 懂delphi得朋友可能很快就会想到这个组件通常是通过Navigate或Navigate2来设置url来显示网页的. 如 procedure Navigate(const URL: WideString); overload; 我们猜测Navigate可能是在主窗体的OnCreate或者某个TTimer组件的OnTimer中调用所以来到dede中 选择过程页,接着选择Unit1既主窗体的单元找到FormCreate过程对应与OnCreate事件. 代码如下: 00505F34 55 push ebp 00505F35 8BEC mov ebp, esp 00505F37 6A00 push $00 00505F39 6A00 push $00 00505F3B 6A00 push $00 00505F3D 53 push ebx 00505F3E 56 push esi 00505F3F 8BD8 mov ebx, eax 00505F41 33C0 xor eax, eax 00505F43 55 push ebp * Possible String Reference to: '�k囡�腚^[��]? | 00505F44 68AC605000 push $005060AC ***** TRY | 00505F49 64FF30 push dword ptr fs:[eax] 00505F4C 648920 mov fs:[eax], esp 00505F4F A124175100 mov eax, dword ptr [$00511724] 00505F54 8B00 mov eax, [eax] 00505F56 8B9340020000 mov edx, [ebx+$0240] * Reference to: Chart.TCustomChart.SetTitle(TCustomChart;TChartTitle); | or: Chart.TCustomChart.SetFoot(TCustomChart;TChartTitle); | or: Chart.TCustomChart.SetBackWall(TCustomChart;TChartWall); | or: Chart.TCustomChart.SetLeftWall(TCustomChart;TChartWall); | or: Chart.TCustomChart.SetBottomWall(TCustomChart;TChartWall); | or: ComCtrls.TCustomTreeView.SetTreeNodes(TCustomTreeView;TTreeNodes); | 00505F5C E8630CF8FF call 00486BC4 00505F61 BAC0605000 mov edx, $005060C0 * Reference to control TWBS1 : N.A. | 00505F66 8B830C040000 mov eax, [ebx+$040C] * Reference to : TWebBrowser._PROC_0048FEB4() | 00505F6C E8439FF8FF call 0048FEB4 00505F71 C6052C3E510000 mov byte ptr [$00513E2C], $00 * Possible String Reference to: 'setting.ini' | 00505F78 B808615000 mov eax, $00506108 * Reference to: SysUtils.FileExists(AnsiString):Boolean; | 00505F7D E8F233F0FF call 00409374 00505F82 84C0 test al, al 00505F84 7520 jnz 00505FA6 00505F86 66A114615000 mov ax, word ptr [$00506114] 00505F8C 50 push eax 00505F8D 6A00 push $00 00505F8F B101 mov cl, $01 00505F91 BA20615000 mov edx, $00506120 * Reference to control bsSkinMessage1 : N.A. | 00505F96 8B8398030000 mov eax, [ebx+$0398] | 00505F9C E8170DFFFF call 004F6CB8 00505FA1 E9EB000000 jmp 00506091 00505FA6 8D55F8 lea edx, [ebp-$08] 00505FA9 A124175100 mov eax, dword ptr [$00511724] 00505FAE 8B00 mov eax, [eax] * Reference to: DdeMan.TDdeMgr.GetExeName(TDdeMgr):AnsiString; | or: Forms.TApplication.GetExeName(TApplication):AnsiString; | 00505FB0 E8CB16F8FF call 00487680 00505FB5 8B45F8 mov eax, [ebp-$08] 00505FB8 8D55FC lea edx, [ebp-$04] * Reference to: SysUtils.ExtractFileDir(AnsiString):AnsiString; | 00505FBB E88435F0FF call 00409544 00505FC0 8D45FC lea eax, [ebp-$04] * Possible String Reference to: '\SETTING.INI' | 00505FC3 BA44615000 mov edx, $00506144 * Reference to: System.@LStrCat; | 00505FC8 E897EAEFFF call 00404A64 00505FCD 8B4DFC mov ecx, [ebp-$04] 00505FD0 B201 mov dl, $01 00505FD2 A1705B4300 mov eax, dword ptr [$00435B70] * Reference to: AxCtrls.TOleStream.Create(TOleStream;boolean;IStream); | or: HelpIntfs.THelpViewerNode.Create(THelpViewerNode;boolean;ICustomHelpViewer); | or: IniFiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString); | or: SysUtils.Exception.Create(Exception;boolean;AnsiString); | 00505FD7 E844FCF2FF call 00435C20 00505FDC 8BF0 mov esi, eax 00505FDE 89B390040000 mov [ebx+$0490], esi 00505FE4 685C615000 push $0050615C 00505FE9 8D45F4 lea eax, [ebp-$0C] 00505FEC 50 push eax * Possible String Reference to: 'title' | 00505FED B97C615000 mov ecx, $0050617C * Possible String Reference to: 'system' | 00505FF2 BA8C615000 mov edx, $0050618C 00505FF7 8BC6 mov eax, esi 00505FF9 8B30 mov esi, [eax] 00505FFB FF16 call dword ptr [esi] 00505FFD 8B55F4 mov edx, [ebp-$0C] 00506000 8BC3 mov eax, ebx * Reference to: Controls.TControl.SetText(TControl;TCaption); | 00506002 E8C913F6FF call 004673D0 00506007 B201 mov dl, $01 * Reference to control btn3 : N.A. | 00506009 8B83EC030000 mov eax, [ebx+$03EC] 0050600F 8B08 mov ecx, [eax] 00506011 FF5164 call dword ptr [ecx+$64] 00506014 C6839804000000 mov byte ptr [ebx+$0498], $00 0050601B 33D2 xor edx, edx * Reference to control bsSkinNotebook1 : N.A. | 0050601D 8B83BC030000 mov eax, [ebx+$03BC] * Reference to : TbsPageAccess._PROC_004C5988() | 00506023 E860F9FBFF call 004C5988 00506028 803D483E510000 cmp byte ptr [$00513E48], $00 0050602F 752B jnz 0050605C 00506031 6A01 push $01 * Possible String Reference to: 'autoRun' | 00506033 B99C615000 mov ecx, $0050619C * Possible String Reference to: 'system' | 00506038 BA8C615000 mov edx, $0050618C 0050603D 8B8390040000 mov eax, [ebx+$0490] 00506043 8B30 mov esi, [eax] 00506045 FF5610 call dword ptr [esi+$10] 00506048 84C0 test al, al 0050604A 7410 jz 0050605C 0050604C BAB80B0000 mov edx, $00000BB8 * Reference to control tmr2 : N.A. | 00506051 8B834C030000 mov eax, [ebx+$034C] * Reference to: ExtCtrls.TTimer.SetInterval(TTimer;Cardinal); | or: IBDatabase.TIBTimer.SetInterval(TIBTimer;Cardinal); | 00506057 E8F4E2F2FF call 00434350 0050605C 8D83A8040000 lea eax, [ebx+$04A8] * Reference to: System.@LStrClr(void;void); | 00506062 E835E7EFFF call 0040479C 00506067 8D83AC040000 lea eax, [ebx+$04AC] * Reference to: System.@LStrClr(void;void); | 0050606D E82AE7EFFF call 0040479C 00506072 33C0 xor eax, eax 00506074 8983B4040000 mov [ebx+$04B4], eax 0050607A 33C0 xor eax, eax 0050607C 8983B8040000 mov [ebx+$04B8], eax 00506082 33C0 xor eax, eax 00506084 8983BC040000 mov [ebx+$04BC], eax 0050608A C605353E510000 mov byte ptr [$00513E35], $00 00506091 33C0 xor eax, eax 00506093 5A pop edx 00506094 59 pop ecx 00506095 59 pop ecx 00506096 648910 mov fs:[eax], edx ****** FINALLY | * Possible String Reference to: '^[��]? | 00506099 68B3605000 push $005060B3 0050609E 8D45F4 lea eax, [ebp-$0C] 005060A1 BA03000000 mov edx, $00000003 * Reference to: System.@LStrArrayClr(void;void;Integer); | 005060A6 E815E7EFFF call 004047C0 005060AB C3 ret * Reference to: System.@HandleFinally; | 005060AC E96BE0EFFF jmp 0040411C 005060B1 EBEB jmp 0050609E ****** END | 005060B3 5E pop esi 005060B4 5B pop ebx 005060B5 8BE5 mov esp, ebp 005060B7 5D pop ebp 005060B8 C3 ret 看完上面代码很多朋友可能已经发现了关键位置在这里 00505F61 BAC0605000 mov edx, $005060C0 * Reference to control TWBS1 : N.A. | 00505F66 8B830C040000 mov eax, [ebx+$040C] * Reference to : TWebBrowser._PROC_0048FEB4() 它就是设置广告的地方了只要nop掉软件的广告就去掉了 这个call的参数为 edx: 要设置的url eax: self指针(TWebBrowser类的) TWebBrowser._PROC_0048FEB4()可能就是Navigate. 补丁后运行程序, 程序不在显示广告去除完成. -------------------------------------------------------------------------------- 【经验总结】 多借助分析工具给出的提示可以让我们事半功倍. -------------------------------------------------------------------------------- 【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢! |
| 地主 发表时间: 07-01-14 22:50 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 编程破解
标题: [转帖]某网络嗅探类软件去广告分析