这么久只看没发帖。今天求助一下。本人新手
-
发表于:
2010-7-7 11:02
分析这个登录函数时,为什么找不到明文密码呢?
它是先保存到文件中再发送的吗?请帮忙分析一下。
; ---------------------------------------------------------------------------
; asktao.005CF140 - login routine as posted (OllyDbg listing, 32-bit x86,
; imports from MSVCR80 / MSVCP80).
; ESI keeps the incoming ECX for the whole routine (presumably the dialog
; object's `this` pointer - confirm against the caller).
; Visible flow:
;   1. delete "userdata/<name>/friend.ini"
;   2. read the IpEdit, PasswordEdit and LockEdit texts through 0041F0D0
;      using the "GETTEXT_CM" string
;   3. pass server address and account to 0047C550 together with INI paths
;   4. hand the PasswordEdit text to 004070D0, which fills a 0x100-byte
;      stack buffer; that buffer (not the edit-control pointer) is what the
;      "password=%s" argument of 00554440 receives. Whether 004070D0 copies
;      or transforms the text cannot be told from this listing.
; NOTE(review): no instruction shown here clears that stack buffer before
; RETN, and the sprintf at 005CF197 has no length bound.
; ---------------------------------------------------------------------------
; Prologue: register an exception frame on FS:[0] (handler 00730C6B) and
; reserve 0x348 bytes of locals.
005CF140 /$ 6A FF PUSH -1
005CF142 |. 68 6B0C7300 PUSH asktao.00730C6B
005CF147 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
005CF14D |. 50 PUSH EAX
005CF14E |. 81EC 48030000 SUB ESP,348
; Value at 8548B4 XOR ESP is stored at ESP+344 and checked again before RETN
; (see 005CF4DC) - consistent with an MSVC /GS stack cookie.
005CF154 |. A1 B4488500 MOV EAX,DWORD PTR DS:[8548B4]
005CF159 |. 33C4 XOR EAX,ESP
005CF15B |. 898424 440300>MOV DWORD PTR SS:[ESP+344],EAX
005CF162 |. 53 PUSH EBX
005CF163 |. 55 PUSH EBP
005CF164 |. 56 PUSH ESI
005CF165 |. 57 PUSH EDI
005CF166 |. A1 B4488500 MOV EAX,DWORD PTR DS:[8548B4]
005CF16B |. 33C4 XOR EAX,ESP
005CF16D |. 50 PUSH EAX
005CF16E |. 8D8424 5C0300>LEA EAX,DWORD PTR SS:[ESP+35C]
005CF175 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
005CF17B |. 8BF1 MOV ESI,ECX
; sprintf(path, "userdata/%s/friend.ini", <std::string at ESI+2CC>) followed
; by remove(path).
; NOTE(review): sprintf is unbounded; nothing visible limits the length of
; the string at ESI+2CC before it is written into the stack buffer.
005CF17D |. 8D8E CC020000 LEA ECX,DWORD PTR DS:[ESI+2CC]
005CF183 |. FF15 78F37500 CALL DWORD PTR DS:[<&MSVCP80.?c_str@?$ba>; MSVCP80.?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
005CF189 |. 50 PUSH EAX ; /<%s>
005CF18A |. 8D8424 5C0100>LEA EAX,DWORD PTR SS:[ESP+15C] ; |
005CF191 |. 68 08757900 PUSH asktao.00797508 ; |format = "userdata/%s/friend.ini"
005CF196 |. 50 PUSH EAX ; |s
005CF197 |. FF15 9CF47500 CALL DWORD PTR DS:[<&MSVCR80.sprintf>] ; \sprintf
005CF19D |. 8D8C24 640100>LEA ECX,DWORD PTR SS:[ESP+164]
005CF1A4 |. 51 PUSH ECX ; /path
005CF1A5 |. FF15 00F57500 CALL DWORD PTR DS:[<&MSVCR80.remove>] ; \remove
; If [ESI+2F4] is null, or ([ESI+2F8] - [ESI+2F4]) divided by a constant is
; zero, fall into the check at 005CF1D5. The IMUL/ADD/SAR/SHR sequence is the
; usual compiler form of signed division by a constant (works out to 28 -
; TODO confirm); presumably an element count of a container.
005CF1AB |. 8B86 F4020000 MOV EAX,DWORD PTR DS:[ESI+2F4]
005CF1B1 |. 83C4 10 ADD ESP,10
005CF1B4 |. 85C0 TEST EAX,EAX
005CF1B6 |. 74 1D JE SHORT asktao.005CF1D5
005CF1B8 |. 8B8E F8020000 MOV ECX,DWORD PTR DS:[ESI+2F8]
005CF1BE |. 2BC8 SUB ECX,EAX
005CF1C0 |. B8 93244992 MOV EAX,92492493
005CF1C5 |. F7E9 IMUL ECX
005CF1C7 |. 03D1 ADD EDX,ECX
005CF1C9 |. C1FA 04 SAR EDX,4
005CF1CC |. 8BC2 MOV EAX,EDX
005CF1CE |. C1E8 1F SHR EAX,1F
005CF1D1 |. 03C2 ADD EAX,EDX
005CF1D3 |. 75 2C JNZ SHORT asktao.005CF201
; 0046D6E0 returns a flag; when it is zero a std::string is built on the
; stack from the text at 007974FC and passed to 00502070 (presumably a
; message display), then the routine leaves through the epilogue.
005CF1D5 |> E8 06E5E9FF CALL asktao.0046D6E0
005CF1DA |. 85C0 TEST EAX,EAX
005CF1DC |. 75 23 JNZ SHORT asktao.005CF201
005CF1DE |. 50 PUSH EAX
005CF1DF |. 50 PUSH EAX
005CF1E0 |. 83EC 1C SUB ESP,1C
005CF1E3 |. 8BCC MOV ECX,ESP
005CF1E5 |. 896424 38 MOV DWORD PTR SS:[ESP+38],ESP
005CF1E9 |. 68 FC747900 PUSH asktao.007974FC
005CF1EE |. FF15 88F37500 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_>; MSVCP80.??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
005CF1F4 |. E8 772EF3FF CALL asktao.00502070
005CF1F9 |. 83C4 24 ADD ESP,24
005CF1FC |. E9 C8020000 JMP asktao.005CF4C9
; GetTickCount() is converted to floating point (the constant at 7604D4 is
; added when the value has its sign bit set), scaled by the constant at
; 812EF4, truncated (control word OR 0C00) and the low dword is stored in
; [ESI+368]. Interleaved with that, five arguments are pushed for 005038D0,
; including "SoftKeyBoardDlg" and "CLEANUP_CM".
005CF201 |> FF15 E0F27500 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
005CF207 |. 85C0 TEST EAX,EAX
005CF209 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
005CF20D |. DB4424 14 FILD DWORD PTR SS:[ESP+14]
005CF211 |. 7D 06 JGE SHORT asktao.005CF219
005CF213 |. D805 D4047600 FADD DWORD PTR DS:[7604D4]
005CF219 |> D80D F42E8100 FMUL DWORD PTR DS:[812EF4]
005CF21F |. 6A 00 PUSH 0
005CF221 |. D97C24 22 FSTCW WORD PTR SS:[ESP+22]
005CF225 |. 6A 00 PUSH 0
005CF227 |. 0FB74424 26 MOVZX EAX,WORD PTR SS:[ESP+26]
005CF22C |. 0D 000C0000 OR EAX,0C00
005CF231 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
005CF235 |. 68 10127600 PUSH asktao.00761210 ; ASCII "CLEANUP_CM"
005CF23A |. 6A 00 PUSH 0
005CF23C |. D96C24 24 FLDCW WORD PTR SS:[ESP+24]
005CF240 |. 68 A05B7700 PUSH asktao.00775BA0 ; ASCII "SoftKeyBoardDlg"
005CF245 |. DF7C24 28 FISTP QWORD PTR SS:[ESP+28]
005CF249 |. 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
005CF24D |. 898E 68030000 MOV DWORD PTR DS:[ESI+368],ECX
005CF253 |. D96C24 32 FLDCW WORD PTR SS:[ESP+32]
005CF257 |. E8 7446F3FF CALL asktao.005038D0
005CF25C |. 83C4 14 ADD ESP,14
; EDI = result of 005CD860; it is later used as the account string (written
; under "Account", length-checked, and passed as the "account=%s" argument).
005CF25F |. 8BCE MOV ECX,ESI
005CF261 |. E8 FAE5FFFF CALL asktao.005CD860
; EBX = result of 0041F0D0 called with "IpEdit" and "GETTEXT_CM".
005CF266 |. 6A 00 PUSH 0
005CF268 |. 6A 00 PUSH 0
005CF26A |. 68 1C277600 PUSH asktao.0076271C ; ASCII "GETTEXT_CM"
005CF26F |. 68 848A7700 PUSH asktao.00778A84 ; ASCII "IpEdit"
005CF274 |. 8BCE MOV ECX,ESI
005CF276 |. 8BF8 MOV EDI,EAX
005CF278 |. E8 53FEE4FF CALL asktao.0041F0D0
; 0047C3D0 is called once per INI path; 0047C550 then receives
; ("USER", "Address", EBX, "data/Login.ini") and
; ("USER", "Account", EDI, "data/Config.ini") - presumably INI writes of the
; server address and account name (TODO confirm). The password text is not
; among these arguments.
005CF27D |. 68 D0F17600 PUSH asktao.0076F1D0 ; ASCII "data/Login.ini"
005CF282 |. 8BD8 MOV EBX,EAX
005CF284 |. E8 47D1EAFF CALL asktao.0047C3D0
005CF289 |. 68 A0417600 PUSH asktao.007641A0 ; ASCII "data/Config.ini"
005CF28E |. E8 3DD1EAFF CALL asktao.0047C3D0
005CF293 |. 68 D0F17600 PUSH asktao.0076F1D0 ; ASCII "data/Login.ini"
005CF298 |. 53 PUSH EBX
005CF299 |. 68 88C77600 PUSH asktao.0076C788 ; ASCII "Address"
005CF29E |. 68 90417600 PUSH asktao.00764190 ; ASCII "USER"
005CF2A3 |. E8 A8D2EAFF CALL asktao.0047C550
005CF2A8 |. 68 A0417600 PUSH asktao.007641A0 ; ASCII "data/Config.ini"
005CF2AD |. 57 PUSH EDI
005CF2AE |. 68 3CC17800 PUSH asktao.0078C13C ; ASCII "Account"
005CF2B3 |. 68 90417600 PUSH asktao.00764190 ; ASCII "USER"
005CF2B8 |. E8 93D2EAFF CALL asktao.0047C550
; Inline strlen of the account string in EDI; a non-empty account continues
; at 005CF2FE.
005CF2BD |. 8BC7 MOV EAX,EDI
005CF2BF |. 83C4 28 ADD ESP,28
005CF2C2 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
005CF2C5 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
005CF2C7 |. 83C0 01 |ADD EAX,1
005CF2CA |. 84C9 |TEST CL,CL
005CF2CC |.^ 75 F7 \JNZ SHORT asktao.005CF2C5
005CF2CE |. 2BC2 SUB EAX,EDX
005CF2D0 |. 75 2C JNZ SHORT asktao.005CF2FE
; Empty account: same pattern as at 005CF1D5, with the text at 007974E8.
005CF2D2 |. E8 09E4E9FF CALL asktao.0046D6E0
005CF2D7 |. 85C0 TEST EAX,EAX
005CF2D9 |. 75 23 JNZ SHORT asktao.005CF2FE
005CF2DB |. 50 PUSH EAX
005CF2DC |. 50 PUSH EAX
005CF2DD |. 83EC 1C SUB ESP,1C
005CF2E0 |. 8BCC MOV ECX,ESP
005CF2E2 |. 896424 38 MOV DWORD PTR SS:[ESP+38],ESP
005CF2E6 |. 68 E8747900 PUSH asktao.007974E8
005CF2EB |. FF15 88F37500 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_>; MSVCP80.??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
005CF2F1 |. E8 7A2DF3FF CALL asktao.00502070
005CF2F6 |. 83C4 24 ADD ESP,24
005CF2F9 |. E9 CB010000 JMP asktao.005CF4C9
005CF2FE |> 57 PUSH EDI ; /Arg1
005CF2FF |. 8BCE MOV ECX,ESI ; |
005CF301 |. E8 6AF5FFFF CALL asktao.005CE870 ; \asktao.005CE870
005CF306 |. 8BCE MOV ECX,ESI
005CF308 |. E8 E3DCFFFF CALL asktao.005CCFF0
; EBP = result of 0041F0D0 called with "PasswordEdit" and "GETTEXT_CM"; the
; loop below treats it as a NUL-terminated string (inline strlen).
005CF30D |. 6A 00 PUSH 0
005CF30F |. 6A 00 PUSH 0
005CF311 |. 68 1C277600 PUSH asktao.0076271C ; ASCII "GETTEXT_CM"
005CF316 |. 68 70E17600 PUSH asktao.0076E170 ; ASCII "PasswordEdit"
005CF31B |. 8BCE MOV ECX,ESI
005CF31D |. E8 AEFDE4FF CALL asktao.0041F0D0
005CF322 |. 8BE8 MOV EBP,EAX
005CF324 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
005CF327 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
005CF329 |. 83C0 01 |ADD EAX,1
005CF32C |. 84C9 |TEST CL,CL
005CF32E |.^ 75 F7 \JNZ SHORT asktao.005CF327
005CF330 |. 2BC2 SUB EAX,EDX
005CF332 |. 75 52 JNZ SHORT asktao.005CF386
; Empty password field: message from 007974D8 via 00502070; then, if the
; string object at ESI+34C reports a size above zero, 005CD900 and 005CD610
; are called before leaving. Note the import resolved here is the wchar_t
; basic_string size().
005CF334 |. E8 A7E3E9FF CALL asktao.0046D6E0
005CF339 |. 85C0 TEST EAX,EAX
005CF33B |. 75 49 JNZ SHORT asktao.005CF386
005CF33D |. 50 PUSH EAX
005CF33E |. 50 PUSH EAX
005CF33F |. 83EC 1C SUB ESP,1C
005CF342 |. 8BCC MOV ECX,ESP
005CF344 |. 896424 38 MOV DWORD PTR SS:[ESP+38],ESP
005CF348 |. 68 D8747900 PUSH asktao.007974D8
005CF34D |. FF15 88F37500 CALL DWORD PTR DS:[<&MSVCP80.??0?$basic_>; MSVCP80.??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
005CF353 |. E8 182DF3FF CALL asktao.00502070
005CF358 |. 83C4 24 ADD ESP,24
005CF35B |. 8D8E 4C030000 LEA ECX,DWORD PTR DS:[ESI+34C]
005CF361 |. FF15 D0F37500 CALL DWORD PTR DS:[<&MSVCP80.?size@?$bas>; MSVCP80.?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
005CF367 |. 85C0 TEST EAX,EAX
005CF369 |. 0F8E 5A010000 JLE asktao.005CF4C9
005CF36F |. 8BCE MOV ECX,ESI
005CF371 |. E8 8AE5FFFF CALL asktao.005CD900
005CF376 |. 6A 00 PUSH 0
005CF378 |. 6A 00 PUSH 0
005CF37A |. 8BCE MOV ECX,ESI
005CF37C |. E8 8FE2FFFF CALL asktao.005CD610
005CF381 |. E9 43010000 JMP asktao.005CF4C9
; Non-empty password: fetch the "LockEdit" text (pointer saved in a stack
; slot for the later "lock = %s" argument).
005CF386 |> 6A 00 PUSH 0
005CF388 |. 6A 00 PUSH 0
005CF38A |. 68 1C277600 PUSH asktao.0076271C ; ASCII "GETTEXT_CM"
005CF38F |. 68 706F7900 PUSH asktao.00796F70 ; ASCII "LockEdit"
005CF394 |. 8BCE MOV ECX,ESI
005CF396 |. E8 35FDE4FF CALL asktao.0041F0D0
; Global std::string at 0085E3A8 = account (EDI); global std::string at
; 0085E3C4 = IpEdit text (EBX).
005CF39B |. 57 PUSH EDI
005CF39C |. B9 A8E38500 MOV ECX,asktao.0085E3A8
005CF3A1 |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
005CF3A5 |. FF15 80F37500 CALL DWORD PTR DS:[<&MSVCP80.??4?$basic_>; MSVCP80.??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
005CF3AB |. 53 PUSH EBX
005CF3AC |. B9 C4E38500 MOV ECX,asktao.0085E3C4
005CF3B1 |. FF15 80F37500 CALL DWORD PTR DS:[<&MSVCP80.??4?$basic_>; MSVCP80.??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
005CF3B7 |. C786 AC020000>MOV DWORD PTR DS:[ESI+2AC],1
; Leave early when the dword at 85D454 is non-zero (meaning not visible here).
005CF3C1 |. 833D 54D48500>CMP DWORD PTR DS:[85D454],0
005CF3C8 |. 0F85 FB000000 JNZ asktao.005CF4C9
; Zero a 0x100-byte stack buffer: first byte by MOV, remaining 0xFF by memset.
005CF3CE |. 68 FF000000 PUSH 0FF ; /n = FF (255.)
005CF3D3 |. 8D5424 5D LEA EDX,DWORD PTR SS:[ESP+5D] ; |
005CF3D7 |. 6A 00 PUSH 0 ; |c = 00
005CF3D9 |. 52 PUSH EDX ; |s
005CF3DA |. C64424 64 00 MOV BYTE PTR SS:[ESP+64],0 ; |
005CF3DF |. E8 B8281400 CALL <JMP.&MSVCR80.memset> ; \memset
005CF3E4 |. 83C4 0C ADD ESP,0C
; 004070D0(buffer, 0x100, EBP): the PasswordEdit text goes in, the zeroed
; buffer is the destination. From this point the routine uses the buffer,
; not EBP. What 004070D0 does to the text is not visible in this listing -
; it has to be read separately.
005CF3E7 |. 55 PUSH EBP
005CF3E8 |. 68 00010000 PUSH 100
005CF3ED |. 8D4424 60 LEA EAX,DWORD PTR SS:[ESP+60]
005CF3F1 |. 50 PUSH EAX
005CF3F2 |. E8 D97CE3FF CALL asktao.004070D0
; A local object is set up by 0057B0D0(0, 0x100), handed to Communicate.#23,
; and queried with ("mac1", 0076061D) through 0057A920; the result is
; formatted as "0000%s" into a second 0x100-byte buffer by 00407200.
; presumably a machine identifier - TODO confirm.
005CF3F7 |. 68 00010000 PUSH 100
005CF3FC |. 6A 00 PUSH 0
005CF3FE |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
005CF402 |. E8 C9BCFAFF CALL asktao.0057B0D0
005CF407 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
005CF40B |. 51 PUSH ECX
005CF40C |. C78424 680300>MOV DWORD PTR SS:[ESP+368],0
005CF417 |. E8 96261400 CALL <JMP.&Communicate.#23>
005CF41C |. 68 1D067600 PUSH asktao.0076061D ; /Arg2 = 0076061D
005CF421 |. 68 F0727900 PUSH asktao.007972F0 ; |Arg1 = 007972F0 ASCII "mac1"
005CF426 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
005CF42A |. E8 F1B4FAFF CALL asktao.0057A920 ; \asktao.0057A920
005CF42F |. 50 PUSH EAX
005CF430 |. 68 E8727900 PUSH asktao.007972E8 ; ASCII "0000%s"
005CF435 |. 8D9424 600200>LEA EDX,DWORD PTR SS:[ESP+260]
005CF43C |. 68 00010000 PUSH 100
005CF441 |. 52 PUSH EDX
005CF442 |. E8 B97DE3FF CALL asktao.00407200
005CF447 |. 83C4 10 ADD ESP,10
; Eight arguments for 00554440, pushed right to left:
;   2350, format, account (EDI), password (buffer filled by 004070D0),
;   id ("0000%s" buffer), data (0076061D), lock (LockEdit text),
;   dist (std::string at ESI+2CC).
; NOTE(review): whether 00554440 builds a network command or writes a log
; line is not visible here; if it logs, the "password=%s" field would put
; credential material into the log - confirm.
005CF44A |. 8D8E CC020000 LEA ECX,DWORD PTR DS:[ESI+2CC]
005CF450 |. FF15 78F37500 CALL DWORD PTR DS:[<&MSVCP80.?c_str@?$ba>; MSVCP80.?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
005CF456 |. 50 PUSH EAX
005CF457 |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
005CF45B |. 50 PUSH EAX
005CF45C |. 68 1D067600 PUSH asktao.0076061D
005CF461 |. 8D8C24 640200>LEA ECX,DWORD PTR SS:[ESP+264]
005CF468 |. 51 PUSH ECX
005CF469 |. 8D5424 68 LEA EDX,DWORD PTR SS:[ESP+68]
005CF46D |. 52 PUSH EDX
005CF46E |. 57 PUSH EDI
005CF46F |. 68 98747900 PUSH asktao.00797498 ; ASCII "account=%s, password=%s, id=%s, data = %s, lock = %s, dist=%s"
005CF474 |. 68 50230000 PUSH 2350
005CF479 |. E8 C24FF8FF CALL asktao.00554440
; 004A98A0 on the object at [858730] receives the account (EDI) and the same
; password-derived buffer (ESP+58).
005CF47E |. 8B0D 30878500 MOV ECX,DWORD PTR DS:[858730]
005CF484 |. 83C4 20 ADD ESP,20
005CF487 |. 8D4424 58 LEA EAX,DWORD PTR SS:[ESP+58]
005CF48B |. 50 PUSH EAX ; /Arg2
005CF48C |. 57 PUSH EDI ; |Arg1
005CF48D |. E8 0EA4EDFF CALL asktao.004A98A0 ; \asktao.004A98A0
; Optional object at [859818]: when non-null, two of its methods receive the
; account string.
005CF492 |. 8B0D 18988500 MOV ECX,DWORD PTR DS:[859818]
005CF498 |. 85C9 TEST ECX,ECX
005CF49A |. 74 12 JE SHORT asktao.005CF4AE
005CF49C |. 57 PUSH EDI ; /Arg1
005CF49D |. E8 BE49F6FF CALL asktao.00533E60 ; \asktao.00533E60
005CF4A2 |. 8B0D 18988500 MOV ECX,DWORD PTR DS:[859818]
005CF4A8 |. 57 PUSH EDI ; /Arg1
005CF4A9 |. E8 1249F6FF CALL asktao.00533DC0 ; \asktao.00533DC0
005CF4AE |> 8BCE MOV ECX,ESI
005CF4B0 |. E8 2BD9FFFF CALL asktao.005CCDE0
; 0057B030 is called on the local object set up by 0057B0D0 (presumably its
; destructor); the frame's state slot is set to -1 first.
005CF4B5 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
005CF4B9 |. C78424 640300>MOV DWORD PTR SS:[ESP+364],-1
005CF4C4 |. E8 67BBFAFF CALL asktao.0057B030
; Common exit: restore FS:[0], pop saved registers, reload the value stored
; at ESP+344, XOR it with ESP and pass it to 00711AC4 (stack-cookie check),
; then release the frame.
; NOTE(review): the buffer at ESP+58 is left as-is on the stack when the
; routine returns.
005CF4C9 |> 8B8C24 5C0300>MOV ECX,DWORD PTR SS:[ESP+35C]
005CF4D0 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
005CF4D7 |. 59 POP ECX
005CF4D8 |. 5F POP EDI
005CF4D9 |. 5E POP ESI
005CF4DA |. 5D POP EBP
005CF4DB |. 5B POP EBX
005CF4DC |. 8B8C24 440300>MOV ECX,DWORD PTR SS:[ESP+344]
005CF4E3 |. 33CC XOR ECX,ESP
005CF4E5 |. E8 DA251400 CALL asktao.00711AC4
005CF4EA |. 81C4 54030000 ADD ESP,354
005CF4F0 \. C3 RETN
上面 PUSH(压栈)的几个字符串是什么意思?这是一种什么样的处理?
例如这里:
; Call site excerpt from the listing above: four stack arguments plus
; ECX = ESI for 0041F0D0 - two zero dwords, the string "GETTEXT_CM" and the
; string "PasswordEdit".
; The two strings read like a command name and a control name; presumably
; the routine asks the named control for its text (TODO confirm by reading
; 0041F0D0). In the full listing the returned EAX is copied to EBP and then
; scanned as a NUL-terminated string.
005CF30D |. 6A 00 PUSH 0
005CF30F |. 6A 00 PUSH 0
005CF311 |. 68 1C277600 PUSH asktao.0076271C ; ASCII "GETTEXT_CM"
005CF316 |. 68 70E17600 PUSH asktao.0076E170 ; ASCII "PasswordEdit"
005CF31B |. 8BCE MOV ECX,ESI
005CF31D |. E8 AEFDE4FF CALL asktao.0041F0D0