首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
1
[原创] 元气桌面逆向分析
发表于: 2025-3-30 13:37 1848

[原创] 元气桌面逆向分析

白云精灵 活跃值
2025-3-30 13:37
1848

在这里插入图片描述

破解入口点为PostMessageW函数
技术点为API,PostMessage断点。
断点有两个,一个为PostmessageA,另一个为PostMessageW
断点功能为弹出窗口,我是从PostMessageW为入口点破解成功的。
PostMessageW的汇编代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
76AAF680 | 8BFF                   | mov edi,edi                       |
76AAF682 | 55                     | push ebp                          |
76AAF683 | 8BEC                   | mov ebp,esp                       |
76AAF685 | 53                     | push ebx                          |
76AAF686 | 8B5D 08                | mov ebx,dword ptr ss:[ebp+8]      |
76AAF689 | 57                     | push edi                          | edi:L"不支持此接口\r\n"
76AAF68A | 8B7D 0C                | mov edi,dword ptr ss:[ebp+C]      |
76AAF68D | 8BC7                   | mov eax,edi                       | edi:L"不支持此接口\r\n"
76AAF68F | 2D 45010000            | sub eax,145                       |
76AAF694 | 74 4C                  | je user32.76AAF6E2                |
76AAF696 | 83E8 48                | sub eax,48                        |
76AAF699 | 74 47                  | je user32.76AAF6E2                |
76AAF69B | 2D A6000000            | sub eax,A6                        |
76AAF6A0 | 75 3B                  | jne user32.76AAF6DD               |
76AAF6A2 | 56                     | push esi                          |
76AAF6A3 | 64:8B35 18000000       | mov esi,dword ptr fs:[18]         |
76AAF6AA | 50                     | push eax                          |
76AAF6AB | 53                     | push ebx                          |
76AAF6AC | FF15 64DBB476          | call dword ptr ds:[<NtUserQueryWi |
76AAF6B2 | 3B46 20                | cmp eax,dword ptr ds:[esi+20]     |
76AAF6B5 | 5E                     | pop esi                           |
76AAF6B6 | 74 20                  | je user32.76AAF6D8                |
76AAF6B8 | 8B45 10                | mov eax,dword ptr ss:[ebp+10]     |
76AAF6BB | 50                     | push eax                          |
76AAF6BC | 50                     | push eax                          |
76AAF6BD | FF15 F8D2B476          | call dword ptr ds:[<GlobalSize>]  |
76AAF6C3 | 50                     | push eax                          |
76AAF6C4 | 6A 49                  | push 49                           |
76AAF6C6 | 53                     | push ebx                          |
76AAF6C7 | E8 24480000            | call <user32.SendMessageW>        |
76AAF6CC | 8BC8                   | mov ecx,eax                       |
76AAF6CE | 85C9                   | test ecx,ecx                      |
76AAF6D0 | 75 23                  | jne user32.76AAF6F5               |
76AAF6D2 | 5F                     | pop edi                           | edi:L"不支持此接口\r\n"
76AAF6D3 | 5B                     | pop ebx                           |
76AAF6D4 | 5D                     | pop ebp                           |
76AAF6D5 | C2 1000                | ret 10                            |

下断点F9运行跟踪,
跟踪堆栈返回到汇编代码。
0019F8DC 00458D18 返回到 kwallpaper.sub_458C70+A8 自 ???

如下为关键点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
00458C70 | 55                     | push ebp                          |
00458C71 | 8BEC                   | mov ebp,esp                       |
00458C73 | 81EC 20020000          | sub esp,220                       |
00458C79 | A1 30536D00            | mov eax,dword ptr ds:[6D5330]     |
00458C7E | 33C5                   | xor eax,ebp                       |
00458C80 | 8945 F8                | mov dword ptr ss:[ebp-8],eax      |
00458C83 | 53                     | push ebx                          | ebx:PostMessageW
00458C84 | 56                     | push esi                          | esi:&"\tLE"
00458C85 | 8BF1                   | mov esi,ecx                       | esi:&"\tLE", ecx:sub_458DA3+21
00458C87 | 57                     | push edi                          |
00458C88 | 89B5 E8FDFFFF          | mov dword ptr ss:[ebp-218],esi    | [ebp-218]:&"\tLE"
00458C8E | E8 A3AFFFFF            | call <kwallpaper.sub_453C36>      |
00458C93 | 3945 08                | cmp dword ptr ss:[ebp+8],eax      |
00458C96 | 8B1D 30CA6200          | mov ebx,dword ptr ds:[<PostMessag | ebx:PostMessageW
00458C9C | 90                     | nop                               |
00458C9D | 90                     | nop                               |
00458C9E | 90                     | nop                               |
00458C9F | 90                     | nop                               |
00458CA0 | 90                     | nop                               |
00458CA1 | 90                     | nop                               |
00458CA2 | 33FF                   | xor edi,edi                       |
00458CA4 | 68 06020000            | push 206                          |
00458CA9 | 8D85 EEFDFFFF          | lea eax,dword ptr ss:[ebp-212]    |
00458CAF | 57                     | push edi                          |
00458CB0 | 50                     | push eax                          |
00458CB1 | 66:89BD ECFDFFFF       | mov word ptr ss:[ebp-214],di      |
00458CB8 | E8 65CD0E00            | call <JMP.&memset>                |
00458CBD | 83C4 0C                | add esp,C                         |
00458CC0 | 68 04010000            | push 104                          |
00458CC5 | 8D85 ECFDFFFF          | lea eax,dword ptr ss:[ebp-214]    |
00458CCB | 50                     | push eax                          |
00458CCC | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458CCF | FF15 8CC26200          | call dword ptr ds:[<GlobalGetAtom |
00458CD5 | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458CD8 | FF15 90C26200          | call dword ptr ds:[<GlobalDeleteA |
00458CDE | 8D85 ECFDFFFF          | lea eax,dword ptr ss:[ebp-214]    |
00458CE4 | 85C0                   | test eax,eax                      |
00458CE6 | 89BD E4FDFFFF          | mov dword ptr ss:[ebp-21C],edi    |
00458CEC | 74 0E                  | je kwallpaper.458CFC              |
00458CEE | 50                     | push eax                          |
00458CEF | 8DBD E4FDFFFF          | lea edi,dword ptr ss:[ebp-21C]    |
00458CF5 | E8 A9000000            | call <kwallpaper.sub_458DA3>      |
00458CFA | EB 02                  | jmp kwallpaper.458CFE             |
00458CFC | 33C0                   | xor eax,eax                       |
00458CFE | 85C0                   | test eax,eax                      |
00458D00 | 90                     | nop                               |
00458D01 | 90                     | nop                               |
00458D02 | E8 49AFFFFF            | call <kwallpaper.sub_453C50>      |
00458D07 | 8BBD E4FDFFFF          | mov edi,dword ptr ss:[ebp-21C]    |
00458D0D | 6A 00                  | push 0                            |
00458D0F | 57                     | push edi                          |
00458D10 | 50                     | push eax                          |
00458D11 | 68 FFFF0000            | push FFFF                         |
00458D16 | FFD3                   | call ebx                          | ebx:PostMessageW
00458D18 | E8 33AFFFFF            | call <kwallpaper.sub_453C50>      |
00458D1D | 8365 10 00             | and dword ptr ss:[ebp+10],0       |
00458D21 | 8945 08                | mov dword ptr ss:[ebp+8],eax      |
00458D24 | 897D 0C                | mov dword ptr ss:[ebp+C],edi      |
00458D27 | 837D 0C 02             | cmp dword ptr ss:[ebp+C],2        |
00458D2B | 90                     | nop                               |
00458D2C | 90                     | nop                               |
00458D2D | E8 8D440300            | call <kwallpaper.sub_48D1BF>      |
00458D32 | 68 2C996700            | push kwallpaper.67992C            | 67992C:"wp_userinfo_refresh_after_vip_s"
00458D37 | 33D2                   | xor edx,edx                       |
00458D39 | 68 4C996700            | push kwallpaper.67994C            | 67994C:"wp_userinfo"
00458D3E | 42                     | inc edx                           |
00458D3F | 8BC8                   | mov ecx,eax                       | ecx:sub_458DA3+21
00458D41 | E8 FF410300            | call <kwallpaper.sub_48CF45>      |
00458D46 | 69C0 E8030000          | imul eax,eax,3E8                  |
00458D4C | 33D2                   | xor edx,edx                       |
00458D4E | 52                     | push edx                          |
00458D4F | B9 99A14500            | mov ecx,<kwallpaper.sub_45A199>   | ecx:sub_458DA3+21, 45A199:"Q3腋櫋E"
00458D54 | 51                     | push ecx                          | ecx:sub_458DA3+21
00458D55 | 50                     | push eax                          |
00458D56 | 8B85 E8FDFFFF          | mov eax,dword ptr ss:[ebp-218]    | [ebp-218]:&"\tLE"
00458D5C | 83C6 68                | add esi,68                        | esi:&"\tLE"
00458D5F | E8 4B1A0000            | call <kwallpaper.sub_45A7AF>      |
00458D64 | 8BB5 E8FDFFFF          | mov esi,dword ptr ss:[ebp-218]    | [ebp-218]:&"\tLE"
00458D6A | EB 13                  | jmp kwallpaper.458D7F             |
00458D6C | E8 ABAEFFFF            | call <kwallpaper.sub_453C1C>      |
00458D71 | 3945 08                | cmp dword ptr ss:[ebp+8],eax      |
00458D74 | 75 09                  | jne kwallpaper.458D7F             |
00458D76 | 6A 01                  | push 1                            |
00458D78 | 8BFE                   | mov edi,esi                       | esi:&"\tLE"
00458D7A | E8 D1110000            | call <kwallpaper.sub_459F50>      |
00458D7F | FF75 10                | push dword ptr ss:[ebp+10]        |
00458D82 | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458D85 | FF75 08                | push dword ptr ss:[ebp+8]         |
00458D88 | FFB6 98000000          | push dword ptr ds:[esi+98]        | esi+98:public: class std::_Init_locks & __thiscall std::_Init_locks::operator=(class std::_Init_locks const &)+1A5F15
00458D8E | FFD3                   | call ebx                          | ebx:PostMessageW
00458D90 | 8B4D F8                | mov ecx,dword ptr ss:[ebp-8]      | ecx:sub_458DA3+21
00458D93 | 5F                     | pop edi                           |
00458D94 | 5E                     | pop esi                           | esi:&"\tLE"
00458D95 | 33CD                   | xor ecx,ebp                       | ecx:sub_458DA3+21
00458D97 | 33C0                   | xor eax,eax                       |
00458D99 | 5B                     | pop ebx                           | ebx:PostMessageW
00458D9A | E8 55CC0E00            | call kwallpaper.5459F4            |
00458D9F | C9                     | leave                             |
00458DA0 | C2 0C00                | ret C                             |

由于call在复用代码,我只能修改关键跳转,
此处为所有PostMessageW的关键点,
修改后即可破解成功。

下载地址:

链接:https://pan.baidu.com/s/1vJWpDywOei6oBejLYEXJiA?pwd=ztqw
提取码:ztqw 复制这段内容后打开百度网盘手机App,操作更方便哦


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
赞赏记录
参与人
雪币
留言
时间
mb_zhynsmev
+1
期待更多优质内容的分享,论坛有你更精彩!
2025-3-31 08:32
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册
我已同意 《看雪服务条款》 《看雪课程免责声明》 《看雪隐私政策》