谁能帮我讲讲，如QQ显IP的反向工程是怎样做到的！-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
arrot 雪币： 206 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 3 粉丝 1 关注私信	arrot 2 楼我也想知道哎！！！！！！！！！！！！！ 2004-4-28 20:30 0
nbw 雪币： 339 活跃值： (1510) 能力值： ( LV13，RANK：970 ) 在线值：发帖 141 回帖 2842 粉丝 23 关注私信	nbw 24 3 楼在精华4或者5里有 2004-4-28 20:48 0
nzinzi 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 33 粉丝 1 关注私信	nzinzi 4 楼这个是木子版本DLL原代码` 正常DIY一般就是在EXE扩展段添加汇编代码DLL修改注意重定位表，还是挂靠DLL实现，需要数据需要实际跟踪~ ;@echo off ;goto compile ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; ; QQ_Plugins.dll 源代码 ; ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: .586 .model flat, stdcall option casemap :none ; case sensitive ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; I N C L U D E F I L E S ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: include \masm32\include\ws2_32.inc include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\comctl32.inc includelib \masm32\lib\comctl32.lib includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\ws2_32.lib includelib .\tooltips.lib includelib .\libc.lib ;从vc6中拷贝过来,如果你要用vc7重新编译tooltips则这三个文件应该要替换 includelib .\oldnames.lib ; includelib .\uuid.lib ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; D A T A ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: .data dwIp dd 0 dwPort dd 0 dwVer dd 0 dwHWND dd 0 dwGetAddress dd 0 dwhLib dd 0 dwhICON dd 0 version dd 38Ch,offset szV1230B3 ,389h,offset szV1230B2 ,336h,offset szV0825B2 ,335h,offset szV0825B dd 334h,offset szV0825D ,321h,offset szV0630C ,320h,offset szV0630B ,2ECH,offset szV0510 dd 2eah,offset szV0305B ,2e9h,offset szV0305 ,2dfh,offset szV0125 ,2deh,offset szV0105 dd 2ddh,offset szV1220 ,2dbh,offset szV1205 ,38dh,offset szV1230 ,3a1h,offset szV2003P dd 3a3h,offset szV2003P ,3A6h,offset szV2003P ,3E9h,offset szV2003P ,3ebh,offset szV2003P dd 3edh,offset szV2003P ,3f5h,offset szV2003P ,3F9h,offset szV2003B ,401h,offset szV2003B dd 402h,offset szV2003B ,403h,offset szV2003B ,404h,offset szV2003B ,405h,offset szV20030805 dd 405h,offset szV20030805 ,453h,offset szV20031105 ,44dh,offset szV20030925,000h,offset szMYIM dd 463h,offset szV2003IIIB2,451h,offset szV2003IIB ,461h,offset szV2003IIIB1 dd 475h,offset szV2003IIIB4,465h,offset szV2003IIIB3,477h,offset szV2003IIIB4 dd 479h,offset szV2003III0115,47bh,offset szV2003III0117,454h,offset szV2003II0925E dd 476h,offset szVTM0116 ,47Fh,offset szV2003III dd -1,-1 ;如果要添加新的版本进来就在dd -1,-1这一行之前 ;按照上面的格式填写好 ;比如:2003III正式版就是47Fh,offset szV2003III ;然后在后面再加上szV2003III db "【2003III正式版】",0这样一行,注意不要重复 szV1230 db "【1230】" ,0 szV1230B3 db "【1230B3】",0 szV1230B2 db "【1230B2】",0 szV0825B2 db "【0825】" ,0 szV0825B db "【0825B1】",0 szV0825D db "【0825D2】",0 szV0630C db "【0630C】" ,0 szV0630B db "【0630B】" ,0 szV0510 db "【0510】" ,0 szV0305B db "【0305B】" ,0 szV0305 db "【0305】" ,0 szV0125 db "【0125】" ,0 szV0105 db "【0105】" ,0 szV1220 db "【1220】" ,0 szV1205 db "【1205】" ,0 szV20031105 db "【2003II正式版】",0 szV2003IIB db "【2003IIBeta版】",0 szV2003IIIB2 db "【2003IIIBeta2版】",0 szV2003IIIB1 db "【2003IIIBeta1版】",0 szV2003IIIB4 db "【2003IIIBeta4版】",0 szV2003IIIB3 db "【2003IIIBeta3版】",0 szV2003III0115 db "【2003IIIB0115】",0 szV2003III0117 db "【2003IIIB0117】",0 szV20030925 db "【2003II0925测试版】",0 szV2003II0925E db "【2003II0925英文版】",0 szV2003P db "【2003预览版】",0 szV2003B db "【2003测试版】",0 szV20030805 db "【2003版】",0 szMYIM db "【MYIM】",0 szVTM0116 db "【TM1.0 0116版】",0 szV2003III db "【2003III正式版】",0 dwV dd 0 szRecentip db "dwIP",0,"dwRecentIP",0 szRecentport db "wPort",0,"wRecentPort",0 szProcotol db "wProcotol",0 szLibName db "ipsearcher.dll",0 szFuncName db "_GetAddress",0 szOffline db "无法取得对方IP，消息将通过服务器中转",0dh,0ah,"请注意保护个人隐私",0 szFormat1 db "%s %s",0dh,0ah,"%s:%u","%s",0 szFormat2 db "%s %s",0dh,0ah,"%s:%u","<未知版本:%04X>",0 szBuffer dw 50 dup(0) CreateMyTooltip PROTO :DWORD,:DWORD ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; C O D E ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: .code LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD .if reason == DLL_PROCESS_ATTACH invoke LoadLibrary,ADDR szLibName mov dwhLib,eax cmp eax,0 jz failed invoke GetProcAddress,eax,ADDR szFuncName mov dwGetAddress,eax failed: mov eax,1 ret .elseif reason == DLL_PROCESS_DETACH cmp dwhLib,0 jnz free ret free: invoke FreeLibrary,dwhLib .endif ret LibMain Endp SetIP proc pushad ;=================取得IP地址==================; mov eax,dword ptr [ebp-10h] push offset dwIp push offset szRecentip push eax mov ecx, [eax] call dword ptr [ecx+34h] ;=================取得端口号==================; mov eax,dword ptr [ebp-10h] push offset dwPort push offset szRecentport push eax mov ecx, [eax] call dword ptr [ecx+30h] ;=================取得版本号==================; mov eax,dword ptr [ebp-10h] push offset dwVer push offset szProcotol push eax mov ecx, [eax] call dword ptr [ecx+30h] mov ecx,[dwVer] cmp ecx,03f0h jb not2003 cmp ecx,03ffh ja not2003 push offset szV2003B pop [dwV] jmp formatit not2003: pushad mov ebx,offset version-8 loop11: add ebx,8 mov edx,[ebx] cmp edx,-1 jz unknownver cmp ecx,edx jnz loop11 unknownver: push [ebx+4] pop [dwV] popad ;=================形成字符串==================; formatit: mov eax,dword ptr [dwIp] .if eax==0 invoke lstrcpyA,addr szBuffer,addr szOffline .else mov edx,eax push edx invoke inet_ntoa,eax pop edx movzx ebx,word ptr [dwPort] mov ecx,[dwV] cmp ecx,-1 jz weizhibanben push ecx push ebx push eax push eax call dwGetAddress add esp,004 push dword ptr [eax+4] push dword ptr [eax] push offset szFormat1 push offset szBuffer call wsprintfA add esp,01ch jmp okok weizhibanben: push [dwVer] push ebx push eax push eax call dwGetAddress add esp,004 push dword ptr [eax+4] push dword ptr [eax] push offset szFormat2 push offset szBuffer call wsprintfA add esp,01ch okok: .endif mov eax,dword ptr [ebp-24h] push 151 push eax call GetDlgItem ; mov [dwHWND],eax push offset szBuffer push eax call SetWindowTextA mov eax,dword ptr [ebp-24h] push 755 push eax call GetDlgItem ; mov [dwhICON],eax push offset szBuffer push eax call CreateMyTooltip popad jmp SetForegroundWindow ret SetIP endp End LibMain ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ; ;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :compile if exist QQ_plugins.obj del QQ_plugins.obj if exist QQ_plugins.dll del QQ_plugins.dll \masm32\bin\ml /c /coff QQ_plugins.bat \masm32\bin\Link /SUBSYSTEM:native /DLL /DEF:QQ_plugins.def QQ_plugins.obj /merge:.rdata=.data /merge:.data=.text /section:.text,RWE /IGNORE:4078 dir QQ_plugins.* pause 2004-4-28 22:53 0
poppig 雪币： 193 活跃值： (1389) 能力值： ( LV6，RANK：90 ) 在线值：发帖 23 回帖 157 粉丝 1 关注私信	poppig 2 5 楼以前写的QQ显示的拦截广告是CreateFileA断点，但是具体到显示IP的位置则写的不是很详细！如何得到显示IP的位置的呢？？ 2004-4-29 16:18 0
Coffeetea9 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 15 粉丝 1 关注私信	Coffeetea9 6 楼搂上的~ 能不能把源文件放上来让我我下载~ 这个论坛对代码支持不好的说......... :D :D :D 2004-4-29 17:25 0
littlepotato 雪币： 1 活跃值： (344) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 158 粉丝 1 关注私信	littlepotato 7 楼代码加上code 标签就可以了 2004-5-11 11:53 0
lelfei 雪币： 6051 活跃值： (1441) 能力值： ( LV15，RANK：1473 ) 在线值：发帖 67 回帖 537 粉丝 16 关注私信	lelfei 23 8 楼好东东!!! 感谢了!有空慢慢看...... 2004-5-11 13:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

arrot

雪币： 206

活跃值： (40)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

3

粉丝

1

关注

私信

arrot: 2 楼

我也想知道哎！！！！！！！！！！！！！

2004-4-28 20:30

0

nbw

雪币： 339

活跃值： (1510)

能力值：

( LV13，RANK：970 )

在线值：

发帖

141

回帖

2842

粉丝

23

关注

私信

nbw 24: 3 楼

在精华4或者5里有

2004-4-28 20:48

0

nzinzi

雪币： 201

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

33

粉丝

1

关注

私信

nzinzi: 4 楼

这个是木子版本DLL原代码`
正常DIY一般就是在EXE扩展段添加汇编代码DLL修改注意重定位表，还是挂靠DLL实现，需要数据需要实际跟踪~

;@echo off
;goto compile

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;  QQ_Plugins.dll 源代码
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.586
.model flat, stdcall
option casemap :none ; case sensitive
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                               I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\ws2_32.inc
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ws2_32.lib

includelib .\tooltips.lib
includelib .\libc.lib       ;从vc6中拷贝过来,如果你要用vc7重新编译tooltips则这三个文件应该要替换
includelib .\oldnames.lib    ;
includelib .\uuid.lib
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     D A T A
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.data
dwIp          dd  0
dwPort       dd  0
dwVer          dd  0
dwHWND       dd  0
dwGetAddress dd  0
dwhLib       dd  0
dwhICON       dd  0
version       dd  38Ch,offset szV1230B3 ,389h,offset szV1230B2 ,336h,offset szV0825B2  ,335h,offset szV0825B
            dd  334h,offset szV0825D ,321h,offset szV0630C ,320h,offset szV0630B ,2ECH,offset szV0510
            dd  2eah,offset szV0305B ,2e9h,offset szV0305    ,2dfh,offset szV0125 ,2deh,offset szV0105
            dd  2ddh,offset szV1220    ,2dbh,offset szV1205    ,38dh,offset szV1230 ,3a1h,offset szV2003P
            dd  3a3h,offset szV2003P ,3A6h,offset szV2003P ,3E9h,offset szV2003P ,3ebh,offset szV2003P
            dd  3edh,offset szV2003P ,3f5h,offset szV2003P ,3F9h,offset szV2003B ,401h,offset szV2003B
            dd  402h,offset szV2003B ,403h,offset szV2003B ,404h,offset szV2003B ,405h,offset szV20030805
            dd  405h,offset szV20030805 ,453h,offset szV20031105 ,44dh,offset szV20030925,000h,offset szMYIM
            dd  463h,offset szV2003IIIB2,451h,offset szV2003IIB  ,461h,offset szV2003IIIB1
            dd  475h,offset szV2003IIIB4,465h,offset szV2003IIIB3,477h,offset szV2003IIIB4
            dd  479h,offset szV2003III0115,47bh,offset szV2003III0117,454h,offset szV2003II0925E
            dd  476h,offset szVTM0116 ,47Fh,offset szV2003III

         dd  -1,-1
;如果要添加新的版本进来就在dd -1,-1这一行之前
;按照上面的格式填写好
;比如:2003III正式版就是47Fh,offset szV2003III
;然后在后面再加上szV2003III db  "【2003III正式版】",0这样一行,注意不要重复
szV1230       db  "【1230】"  ,0
szV1230B3    db  "【1230B3】",0
szV1230B2    db  "【1230B2】",0
szV0825B2    db  "【0825】"  ,0
szV0825B       db  "【0825B1】",0
szV0825D       db  "【0825D2】",0
szV0630C       db  "【0630C】" ,0
szV0630B       db  "【0630B】" ,0
szV0510       db  "【0510】"  ,0
szV0305B       db  "【0305B】" ,0
szV0305       db  "【0305】"  ,0
szV0125       db  "【0125】"  ,0
szV0105       db  "【0105】"  ,0
szV1220       db  "【1220】"  ,0
szV1205       db  "【1205】"  ,0
szV20031105    db  "【2003II正式版】",0
szV2003IIB    db  "【2003IIBeta版】",0
szV2003IIIB2 db  "【2003IIIBeta2版】",0
szV2003IIIB1 db  "【2003IIIBeta1版】",0
szV2003IIIB4 db  "【2003IIIBeta4版】",0
szV2003IIIB3 db  "【2003IIIBeta3版】",0
szV2003III0115  db  "【2003IIIB0115】",0
szV2003III0117  db  "【2003IIIB0117】",0
szV20030925    db  "【2003II0925测试版】",0
szV2003II0925E  db  "【2003II0925英文版】",0
szV2003P       db  "【2003预览版】",0
szV2003B       db  "【2003测试版】",0
szV20030805    db  "【2003版】",0
szMYIM       db  "【MYIM】",0
szVTM0116    db  "【TM1.0 0116版】",0
szV2003III    db  "【2003III正式版】",0
dwV          dd  0
szRecentip    db  "dwIP",0,"dwRecentIP",0
szRecentport db  "wPort",0,"wRecentPort",0
szProcotol    db  "wProcotol",0
szLibName    db  "ipsearcher.dll",0
szFuncName    db  "_GetAddress",0
szOffline    db  "无法取得对方IP，消息将通过服务器中转",0dh,0ah,"请注意保护个人隐私",0
szFormat1    db  "%s %s",0dh,0ah,"%s:%u","%s",0
szFormat2    db  "%s %s",0dh,0ah,"%s:%u","<未知版本:%04X>",0
szBuffer       dw  50 dup(0)
CreateMyTooltip PROTO :DWORD,:DWORD

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
   .if reason == DLL_PROCESS_ATTACH
         invoke LoadLibrary,ADDR szLibName
         mov dwhLib,eax
         cmp eax,0
         jz  failed
         invoke GetProcAddress,eax,ADDR szFuncName
         mov dwGetAddress,eax
failed:
         mov eax,1
         ret
   .elseif reason == DLL_PROCESS_DETACH
         cmp dwhLib,0
         jnz free
         ret

free:
         invoke FreeLibrary,dwhLib
   .endif
         ret
LibMain Endp

SetIP proc
               pushad
               ;=================取得IP地址==================;
               mov    eax,dword ptr [ebp-10h]
               push offset dwIp
               push offset szRecentip
               push eax
               mov    ecx, [eax]
               call dword ptr [ecx+34h]

               ;=================取得端口号==================;
               mov    eax,dword ptr [ebp-10h]
               push offset dwPort
               push offset szRecentport
               push eax
               mov    ecx, [eax]
               call dword ptr [ecx+30h]

               ;=================取得版本号==================;
               mov    eax,dword ptr [ebp-10h]
               push offset dwVer
               push offset szProcotol
               push eax
               mov    ecx, [eax]
               call dword ptr [ecx+30h]
               mov    ecx,[dwVer]
               cmp    ecx,03f0h
               jb    not2003
               cmp    ecx,03ffh
               ja    not2003

               push offset szV2003B
               pop    [dwV]
               jmp    formatit
not2003:
               pushad
               mov    ebx,offset version-8
loop11:
               add    ebx,8
               mov    edx,[ebx]
               cmp    edx,-1
               jz    unknownver
               cmp    ecx,edx
               jnz    loop11
unknownver:
               push [ebx+4]
               pop    [dwV]
               popad
               ;=================形成字符串==================;
formatit:
               mov    eax,dword ptr [dwIp]
   .if  eax==0
               invoke  lstrcpyA,addr szBuffer,addr szOffline
   .else
               mov    edx,eax
               push edx

               invoke  inet_ntoa,eax
               pop    edx
               movzx ebx,word ptr [dwPort]
               mov    ecx,[dwV]
               cmp    ecx,-1
               jz    weizhibanben
               push ecx
               push ebx
               push eax
               push eax
               call dwGetAddress
               add    esp,004
               push dword ptr [eax+4]
               push dword ptr [eax]
               push offset szFormat1
               push offset szBuffer
               call wsprintfA
               add    esp,01ch
               jmp    okok
weizhibanben:
               push [dwVer]
               push ebx
               push eax

               push eax
               call dwGetAddress
               add    esp,004
               push dword ptr [eax+4]
               push dword ptr [eax]

               push offset szFormat2
               push offset szBuffer
               call wsprintfA
               add    esp,01ch

okok:

   .endif

            mov eax,dword ptr [ebp-24h]
            push 151
            push eax
            call GetDlgItem
            ;  mov [dwHWND],eax
            push offset szBuffer
            push eax
            call SetWindowTextA

            mov eax,dword ptr [ebp-24h]
            push 755
push eax
            call GetDlgItem
            ; mov [dwhICON],eax
            push offset szBuffer
            push eax
            call CreateMyTooltip

            popad
jmp SetForegroundWindow
            ret
SetIP endp

End LibMain
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:compile
if exist QQ_plugins.obj del QQ_plugins.obj
if exist QQ_plugins.dll del QQ_plugins.dll

\masm32\bin\ml /c /coff QQ_plugins.bat
\masm32\bin\Link /SUBSYSTEM:native /DLL /DEF:QQ_plugins.def QQ_plugins.obj  /merge:.rdata=.data /merge:.data=.text  /section:.text,RWE /IGNORE:4078
dir QQ_plugins.*
pause

2004-4-28 22:53

0