[旧帖] 网络验证(期限)分析 0.00雪花
发表于: 2007-12-29 10:55 2275
请朋友指点一下:我找的可疑点是否正确?如果不对,应该在哪里,又该怎么修改?
; Excerpt from the caller in Stock (004A5316-004A53E3) as dumped from the debugger;
; the function begins before and continues after these lines.
; The jg at 004A5316 selects between two paths that rejoin at 004A53CD:
;   fall-through (004A5318): uses the two "unknown" strings;
;   taken (004A5341): turns the dword at [4F60DC] into date strings via 00495D48 / 00495E3C.
; The comparison that sets the flags for the jg is not part of this excerpt.
; In the recorded run [4F60DC] is 0 and the formatted text is "1899-12-30"; that matches a
; day-count date type whose zero is 1899-12-30 (e.g. Delphi/OLE TDateTime) - presumed, confirm.
004A5316 /7F 29 jg short Stock.004A5341 ; breakpoint set here; poster's note: must jump to the expiry-date branch (jmp)
004A5318 |B8 E4C74B00 mov eax,Stock.004BC7E4
004A531D |BA 3C6C4A00 mov edx,Stock.004A6C3C ; "到期日:未知" ("Expiry date: unknown")
004A5322 |E8 A1F6F5FF call Stock.004049C8 ; presumably assigns the string in edx to the global at 004BC7E4 - confirm
004A5327 |A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8]
004A532C |8B80 64050000 mov eax,dword ptr ds:[eax+564]
004A5332 |BA 546C4A00 mov edx,Stock.004A6C54 ; "到期:未知" ("Expires: unknown")
004A5337 |E8 849EFAFF call Stock.0044F1C0 ; presumably sets the text of the object at [[4BBAC8]+564] - confirm
004A533C |E9 8C000000 jmp Stock.004A53CD ; skip the date-formatting path
004A5341 \DB05 DC604F00 fild dword ptr ds:[4F60DC] ; ds:[004F60DC]=00000000 (decimal 0.)
004A5347 83C4 F8 add esp,-8 ; esp=012CFC9C (reserves 8 bytes for the argument)
004A534A DD1C24 fstp qword ptr ss:[esp] ; st=0.0 (value passed on the stack as an 8-byte double; callee ends with retn 8)
004A534D 9B wait
004A534E 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210] ; stack address=012CFD90 eax=00000000 (eax = slot that receives the result string)
004A5354 E8 EF09FFFF call Stock.00495D48 (跟进 ) ; 跟进 = "step into"; the callee body is listed further down
004A5359 8B8D F0FDFFFF mov ecx,dword ptr ss:[ebp-210] ; stack ss:[012CFD90]=00C5DCE8, (ASCII "1899-12-30")
004A535F B8 E4C74B00 mov eax,Stock.004BC7E4 ; eax=00000000
004A5364 BA 686C4A00 mov edx,Stock.004A6C68 ; edx=00c5c010
004A5369 E8 12F9F5FF call Stock.00404C80 ; presumably stores edx + ecx into the string at eax (same helper yields "0"+"12" -> "012" in 00495D48)
004A536E DB05 DC604F00 fild dword ptr ds:[4F60DC] ; ds:[004F60DC]=00000000 (decimal 0.)
004A5374 83C4 F8 add esp,-8
004A5377 DD1C24 fstp qword ptr ss:[esp] ; same 8-byte argument, passed a second time
004A537A 9B wait
004A537B 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218] ; stack address=012CFD88 eax=00c5dce8 (ASCII "1899-12-30")
004A5381 E8 B60AFFFF call Stock.00495E3C ; 99-12-30 (step into)
004A5386 8B8D E8FDFFFF mov ecx,dword ptr ss:[ebp-218] ; stack ss:[012CFD88]=00C5DD18, (ASCII "99-12-30")
004A538C 8D85 ECFDFFFF lea eax,dword ptr ss:[ebp-214]
004A5392 BA 7C6C4A00 mov edx,Stock.004A6C7C ; "到期:" ("Expires:")
004A5397 E8 E4F8F5FF call Stock.00404C80
004A539C 8B95 ECFDFFFF mov edx,dword ptr ss:[ebp-214] ; stack ss:[012CFD8C]=00C3FE18 EDX=00C3FE1D (ASCII "99-12-30")
004A53A2 A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8] ; ds:[004BBAC8]=00C14050 EAX=00C5DD18( ASCII "99-12-30")
004A53A7 8B80 64050000 mov eax,dword ptr ds:[eax+564]
004A53AD E8 0E9EFAFF call Stock.0044F1C0 ; same call as on the fall-through path, now with the "Expires:" + date text
004A53B2 A1 DC604F00 mov eax,dword ptr ds:[4F60DC]
004A53B7 50 push eax ; the raw dword from [4F60DC] goes on the stack as an argument
004A53B8 B9 8C6C4A00 mov ecx,Stock.004A6C8C ; 临亮 (text as rendered by the debugger)
004A53BD 8B15 1CC84B00 mov edx,dword ptr ds:[4BC81C]
004A53C3 B8 02000080 mov eax,80000002
004A53C8 E8 7705FFFF call Stock.00495944
; Both paths continue here.
004A53CD A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8]
004A53D2 8B80 40030000 mov eax,dword ptr ds:[eax+340]
004A53D8 05 80000000 add eax,80
004A53DD 8B15 E4C74B00 mov edx,dword ptr ds:[4BC7E4]
004A53E3 E8 E0F5F5FF call Stock.004049C8
(跟进)call Stock.00495D48
; Stock.00495D48 - builds the "YYYY-MM-DD" text for the 8-byte value passed on the stack.
; In:   eax = address of the slot that receives the result (kept in ebx)
;       [ebp+8]/[ebp+C] = the 8-byte argument pushed by the caller
; Out:  result written through ebx; the callee removes the 8 argument bytes (retn 8)
; The recorded run shows year "1899", month "12", day "30" joined with "-" separators.
; Helper roles named below are inferred from the register/stack snapshots the poster
; recorded next to each call; confirm them against the helpers themselves.
00495D48 55 push ebp
00495D49 8BEC mov ebp,esp
00495D4B B9 04000000 mov ecx,4 ; ecx=00000003
; 4 iterations x 2 pushes = 8 zeroed dwords for locals (ebp-4 .. ebp-20)
00495D50 6A 00 push 0
00495D52 6A 00 push 0
00495D54 49 dec ecx ; ecx=00000004
00495D55 ^ 75 F9 jnz short Stock.00495D50 ; T
00495D57 51 push ecx ; ecx=0000000 (one more zeroed slot at ebp-24)
00495D58 53 push ebx
00495D59 8BD8 mov ebx,eax ; ebx = address of the output slot
00495D5B 33C0 xor eax,eax
; Link a new exception registration record at fs:[0]; its handler entry is 00495E15.
00495D5D 55 push ebp
00495D5E 68 155E4900 push Stock.00495E15
00495D63 64:FF30 push dword ptr fs:[eax]
00495D66 64:8920 mov dword ptr fs:[eax],esp
; Pass the 8-byte argument on, plus the addresses of three word-sized locals.
; After the call the snapshots show [ebp-2]=076B (1899), [ebp-4]=000C, [ebp-6]=001E,
; i.e. year, month and day.
00495D69 FF75 0C push dword ptr ss:[ebp+C] ; stack ss:[012CFC98]=00000000
00495D6C FF75 08 push dword ptr ss:[ebp+8]
00495D6F 8D4D FA lea ecx,dword ptr ss:[ebp-6] ; ecx=00000000
00495D72 8D55 FC lea edx,dword ptr ss:[ebp-4]
00495D75 8D45 FE lea eax,dword ptr ss:[ebp-2]
00495D78 E8 9354F7FF call Stock.0040B210
00495D7D 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; edx=00000000
00495D80 0FB745 FE movzx eax,word ptr ss:[ebp-2] ; stack ss:[012CFC8A]=076B(1899) eax=000000000 poster's note: suspected point, reads the year value
00495D84 E8 0734F7FF call Stock.00409190 ; integer in eax -> decimal string stored through edx (snapshot: "1899")
00495D89 FF75 F4 push dword ptr ss:[ebp-C] ; stack ss:[012CFC80]=00C5DD30, (ASCII "1899")
00495D8C 68 2C5E4900 push Stock.00495E2C ; -
00495D91 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00495D94 0FB745 FC movzx eax,word ptr ss:[ebp-4] ; stack ss:[012CFC88]=000C eax=012cf80
00495D98 E8 F333F7FF call Stock.00409190
00495D9D 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; stack ss:[012CFC74]=00C55278, (ASCII "12")
00495DA0 8D45 EC lea eax,dword ptr ss:[ebp-14]
00495DA3 BA 385E4900 mov edx,Stock.00495E38 ; 0
00495DA8 E8 D3EEF6FF call Stock.00404C80 ; "0" + "12" -> "012" per the next snapshot
00495DAD 8B45 EC mov eax,dword ptr ss:[ebp-14] ; stack ss:[012CFC78]=00C55438, (ASCII "012")
00495DB0 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00495DB3 B2 02 mov dl,2 ; dl=39 ('9')
00495DB5 E8 06FDFFFF call Stock.00495AC0 ; "012" with dl=2 -> "12"; presumably keeps the last two characters (zero padding)
00495DBA FF75 F0 push dword ptr ss:[ebp-10] ; stack ss:[012CFC7C]=00C55288, (ASCII "12")
00495DBD 68 2C5E4900 push Stock.00495E2C ; -
00495DC2 8D55 DC lea edx,dword ptr ss:[ebp-24]
00495DC5 0FB745 FA movzx eax,word ptr ss:[ebp-6] ; stack ss:[012CFC86]=001E
00495DC9 E8 C233F7FF call Stock.00409190
00495DCE 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; stack ss:[012CFC68]=00C55418, (ASCII "30")
00495DD1 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00495DD4 BA 385E4900 mov edx,Stock.00495E38 ; 0
00495DD9 E8 A2EEF6FF call Stock.00404C80
00495DDE 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00495DE1 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00495DE4 B2 02 mov dl,2
00495DE6 E8 D5FCFFFF call Stock.00495AC0
00495DEB FF75 E4 push dword ptr ss:[ebp-1C]
; Five strings are now on the stack (year, "-", month, "-", day); edx=5 matches that count.
00495DEE 8BC3 mov eax,ebx
00495DF0 BA 05000000 mov edx,5
00495DF5 E8 FAEEF6FF call Stock.00404CF4 ; presumably joins the five pushed strings into the slot at ebx - confirm
; Normal exit: unlink the exception record, then run the shared cleanup at 00495E07.
00495DFA 33C0 xor eax,eax
00495DFC 5A pop edx
00495DFD 59 pop ecx
00495DFE 59 pop ecx
00495DFF 64:8910 mov dword ptr fs:[eax],edx
00495E02 68 1C5E4900 push Stock.00495E1C ; address the retn at 00495E14 will continue at
00495E07 8D45 DC lea eax,dword ptr ss:[ebp-24]
00495E0A BA 07000000 mov edx,7
00495E0F E8 84EBF6FF call Stock.00404998 ; called with the 7 local slots ebp-24 .. ebp-C; presumably releases the temporary strings
00495E14 C3 retn
; Exception path: entry registered at 00495D5E; afterwards re-enters the cleanup above.
00495E15 ^\E9 DAE4F6FF jmp Stock.004042F4
00495E1A ^ EB EB jmp short Stock.00495E07
00495E1C 5B pop ebx
00495E1D 8BE5 mov esp,ebp
00495E1F 5D pop ebp
00495E20 C2 0800 retn 8
(跟进)call Stock.00495E3C
; Stock.00495E3C - same construction as 00495D48, followed by a final step that shortens
; the text: the recorded run goes from "1899-12-30" to "99-12-30".
; In:   eax = address of the slot that receives the result (kept in ebx)
;       [ebp+8]/[ebp+C] = the 8-byte argument pushed by the caller
; Out:  the caller reads "99-12-30" from its result slot; the callee removes the
;       8 argument bytes (retn 8)
; Helper roles named below are inferred from the poster's snapshots; confirm them
; against the helpers themselves.
00495E3C 55 push ebp
00495E3D 8BEC mov ebp,esp
00495E3F B9 05000000 mov ecx,5
; 5 iterations x 2 pushes = 10 zeroed dwords for locals (ebp-4 .. ebp-28)
00495E44 6A 00 push 0
00495E46 6A 00 push 0
00495E48 49 dec ecx
00495E49 ^ 75 F9 jnz short Stock.00495E44
00495E4B 53 push ebx
00495E4C 8BD8 mov ebx,eax ; ebx = address of the output slot
00495E4E 33C0 xor eax,eax
; Link a new exception registration record at fs:[0]; its handler entry is 00495F1C.
00495E50 55 push ebp
00495E51 68 1C5F4900 push Stock.00495F1C
00495E56 64:FF30 push dword ptr fs:[eax]
00495E59 64:8920 mov dword ptr fs:[eax],esp
; Pass the 8-byte argument on, plus the addresses of three word-sized locals
; (year at ebp-2 per the snapshot below; month and day presumably at ebp-4 / ebp-6).
00495E5C FF75 0C push dword ptr ss:[ebp+C]
00495E5F FF75 08 push dword ptr ss:[ebp+8]
00495E62 8D4D FA lea ecx,dword ptr ss:[ebp-6]
00495E65 8D55 FC lea edx,dword ptr ss:[ebp-4]
00495E68 8D45 FE lea eax,dword ptr ss:[ebp-2]
00495E6B E8 A053F7FF call Stock.0040B210
00495E70 53 push ebx ; output address pushed early; presumably the stack argument of the call at 00495EFC - confirm
00495E71 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00495E74 0FB745 FE movzx eax,word ptr ss:[ebp-2] ; stack ss:[012CFC8A]=076B(1899) poster's note: suspected point, reads the year value
00495E78 E8 1333F7FF call Stock.00409190 ; integer in eax -> decimal string stored through edx (snapshot: "1899")
00495E7D FF75 F0 push dword ptr ss:[ebp-10] ; stack ss:[012CFC7C]=00C5DDC0, (ASCII "1899")
00495E80 68 345F4900 push Stock.00495F34 ; -
00495E85 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00495E88 0FB745 FC movzx eax,word ptr ss:[ebp-4]
00495E8C E8 FF32F7FF call Stock.00409190
00495E91 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
00495E94 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00495E97 BA 405F4900 mov edx,Stock.00495F40 ; 0
00495E9C E8 DFEDF6FF call Stock.00404C80 ; presumably "0" + month digits
00495EA1 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00495EA4 8D4D EC lea ecx,dword ptr ss:[ebp-14]
00495EA7 B2 02 mov dl,2
00495EA9 E8 12FCFFFF call Stock.00495AC0 ; presumably keeps the last two characters (zero padding)
00495EAE FF75 EC push dword ptr ss:[ebp-14]
00495EB1 68 345F4900 push Stock.00495F34 ; -
00495EB6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00495EB9 0FB745 FA movzx eax,word ptr ss:[ebp-6]
00495EBD E8 CE32F7FF call Stock.00409190
00495EC2 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
00495EC5 8D45 DC lea eax,dword ptr ss:[ebp-24]
00495EC8 BA 405F4900 mov edx,Stock.00495F40 ; 0
00495ECD E8 AEEDF6FF call Stock.00404C80
00495ED2 8B45 DC mov eax,dword ptr ss:[ebp-24]
00495ED5 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00495ED8 B2 02 mov dl,2
00495EDA E8 E1FBFFFF call Stock.00495AC0
00495EDF FF75 E0 push dword ptr ss:[ebp-20]
; Five strings are now on the stack (year, "-", month, "-", day); they are joined into
; the local at ebp-C rather than directly into the caller's slot.
00495EE2 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00495EE5 BA 05000000 mov edx,5
00495EEA E8 05EEF6FF call Stock.00404CF4
00495EEF 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; stack ss:[012CFC80]=00C5D1C0, (ASCII "1899-12-30")
00495EF2 B9 08000000 mov ecx,8
00495EF7 BA 03000000 mov edx,3
00495EFC E8 93EFF6FF call Stock.00404E94 ; edx=3, ecx=8: presumably copies 8 characters from position 3, giving "99-12-30"
; Normal exit: unlink the exception record, then run the shared cleanup at 00495F0E.
00495F01 33C0 xor eax,eax
00495F03 5A pop edx
00495F04 59 pop ecx
00495F05 59 pop ecx
00495F06 64:8910 mov dword ptr fs:[eax],edx
00495F09 68 235F4900 push Stock.00495F23 ; address the retn at 00495F1B will continue at
00495F0E 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00495F11 BA 08000000 mov edx,8
00495F16 E8 7DEAF6FF call Stock.00404998 ; called with the 8 local slots ebp-28 .. ebp-C; presumably releases the temporary strings
00495F1B C3 retn
; Exception path: entry registered at 00495E51; afterwards re-enters the cleanup above.
00495F1C ^ E9 D3E3F6FF jmp Stock.004042F4
00495F21 ^ EB EB jmp short Stock.00495F0E
00495F23 5B pop ebx
00495F24 8BE5 mov esp,ebp
00495F26 5D pop ebp
00495F27 C2 0800 retn 8