请朋友指点一下，我找的可疑点是否对？如果不对，应该在哪，又该怎么修改？
004A5316 /7F 29 jg short Stock.004A5341 ; 下断,必需跳到期限(jmp)
004A5318 |B8 E4C74B00 mov eax,Stock.004BC7E4
004A531D |BA 3C6C4A00 mov edx,Stock.004A6C3C ; 到期日:未知
004A5322 |E8 A1F6F5FF call Stock.004049C8
004A5327 |A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8]
004A532C |8B80 64050000 mov eax,dword ptr ds:[eax+564]
004A5332 |BA 546C4A00 mov edx,Stock.004A6C54 ; 到期:未知
004A5337 |E8 849EFAFF call Stock.0044F1C0
004A533C |E9 8C000000 jmp Stock.004A53CD
004A5341 \DB05 DC604F00 fild dword ptr ds:[4F60DC] ; ds:[004F60DC]=00000000 (十进制 0.)
004A5347 83C4 F8 add esp,-8 ; esp=012CFC9C
004A534A DD1C24 fstp qword ptr ss:[esp] ; st=0.0
004A534D 9B wait
004A534E 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210] ; 堆栈地址=012CFD90 eax=00000000
004A5354 E8 EF09FFFF call Stock.00495D48 (跟进 )
004A5359 8B8D F0FDFFFF mov ecx,dword ptr ss:[ebp-210] ; 堆栈 ss:[012CFD90]=00C5DCE8, (ASCII "1899-12-30")
004A535F B8 E4C74B00 mov eax,Stock.004BC7E4 ; eax=00000000
004A5364 BA 686C4A00 mov edx,Stock.004A6C68 ; edx=00c5c010
004A5369 E8 12F9F5FF call Stock.00404C80
004A536E DB05 DC604F00 fild dword ptr ds:[4F60DC] ; ds:[004F60DC]=00000000 (十进制 0.)
004A5374 83C4 F8 add esp,-8
004A5377 DD1C24 fstp qword ptr ss:[esp]
004A537A 9B wait
004A537B 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218] ; 堆栈地址=012CFD88 eax=00c5dce8 (ASCII "1899-12-30")
004A5381 E8 B60AFFFF call Stock.00495E3C ; 99-12-30 (跟进)
004A5386 8B8D E8FDFFFF mov ecx,dword ptr ss:[ebp-218] ; 堆栈 ss:[012CFD88]=00C5DD18, (ASCII "99-12-30")
004A538C 8D85 ECFDFFFF lea eax,dword ptr ss:[ebp-214]
004A5392 BA 7C6C4A00 mov edx,Stock.004A6C7C ; 到期:
004A5397 E8 E4F8F5FF call Stock.00404C80
004A539C 8B95 ECFDFFFF mov edx,dword ptr ss:[ebp-214] ; 堆栈 ss:[012CFD8C]=00C3FE18 EDX=00C3FE1D (ASCII "99-12-30"
004A53A2 A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8] ; ds:[004BBAC8]=00C14050 EAX=00C5DD18( ASCII "99-12-30")
004A53A7 8B80 64050000 mov eax,dword ptr ds:[eax+564]
004A53AD E8 0E9EFAFF call Stock.0044F1C0
004A53B2 A1 DC604F00 mov eax,dword ptr ds:[4F60DC]
004A53B7 50 push eax
004A53B8 B9 8C6C4A00 mov ecx,Stock.004A6C8C ; 临亮
004A53BD 8B15 1CC84B00 mov edx,dword ptr ds:[4BC81C]
004A53C3 B8 02000080 mov eax,80000002
004A53C8 E8 7705FFFF call Stock.00495944
004A53CD A1 C8BA4B00 mov eax,dword ptr ds:[4BBAC8]
004A53D2 8B80 40030000 mov eax,dword ptr ds:[eax+340]
004A53D8 05 80000000 add eax,80
004A53DD 8B15 E4C74B00 mov edx,dword ptr ds:[4BC7E4]
004A53E3 E8 E0F5F5FF call Stock.004049C8
(跟进)call Stock.00495D48
;-----------------------------------------------------------------------
; Stock.00495D48 — as captured in the OllyDbg trace above.
; Frame:  ebp-based; 9 zero-initialised dwords of locals (ebp-24 .. ebp-1);
;         two dword stack arguments at [ebp+8]/[ebp+C], removed by `retn 8`.
; In:     eax = pointer, saved in ebx and handed to the final call at
;         00495DF5 (in the caller's trace the dword at that address ends up
;         pointing at the text "1899-12-30").
; SEH:    a registration record is pushed at 00495D5D..00495D66 (handler
;         Stock.00495E15) and unlinked at 00495DFA..00495DFF; the `retn` at
;         00495E14 transfers to the address pushed at 00495E02
;         (Stock.00495E1C), which is the real epilogue.
; All values quoted below are taken verbatim from the trace; what the
; callees do internally is not visible here and is described by effect only.
;-----------------------------------------------------------------------
00495D48 55 push ebp
00495D49 8BEC mov ebp,esp
00495D4B B9 04000000 mov ecx,4 ; ecx=00000003
; 4 iterations x 2 pushes = 8 zero dwords, plus one more below (ecx is 0
; after the loop): 36 bytes of zeroed locals.
00495D50 6A 00 push 0
00495D52 6A 00 push 0
00495D54 49 dec ecx ; ecx=00000004
00495D55 ^ 75 F9 jnz short Stock.00495D50 ; T (jump taken)
00495D57 51 push ecx ; ecx=0000000 (9th zero dword, [ebp-24])
00495D58 53 push ebx ; preserve ebx
00495D59 8BD8 mov ebx,eax ; ebx = incoming eax (destination pointer)
00495D5B 33C0 xor eax,eax
; SEH frame: push saved ebp, handler address and the previous fs:[0];
; then fs:[0] = esp.
00495D5D 55 push ebp
00495D5E 68 155E4900 push Stock.00495E15
00495D63 64:FF30 push dword ptr fs:[eax]
00495D66 64:8920 mov dword ptr fs:[eax],esp
; Forward the two stack arguments plus three word-sized output slots to
; 0040B210. Trace afterwards: [ebp-2]=076B, [ebp-4]=000C, [ebp-6]=001E
; (see the movzx loads at 00495D80 / 00495D94 / 00495DC5).
00495D69 FF75 0C push dword ptr ss:[ebp+C] ; stack ss:[012CFC98]=00000000
00495D6C FF75 08 push dword ptr ss:[ebp+8]
00495D6F 8D4D FA lea ecx,dword ptr ss:[ebp-6] ; ecx=00000000
00495D72 8D55 FC lea edx,dword ptr ss:[ebp-4]
00495D75 8D45 FE lea eax,dword ptr ss:[ebp-2]
00495D78 E8 9354F7FF call Stock.0040B210
; 00409190 is called three times with eax = one of the words above and
; edx = address of a dword local; each time that local afterwards holds
; the decimal text of the word (076B -> "1899", 000C -> "12", 001E -> "30").
00495D7D 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; edx=00000000
00495D80 0FB745 FE movzx eax,word ptr ss:[ebp-2] ; stack ss:[012CFC8A]=076B(1899) eax=000000000 — poster's suspect point: reads the year value
00495D84 E8 0734F7FF call Stock.00409190 ; (poster's note) does this CALL compute the year? If it is the genuine version it computes the correct year; if the account is not valid the year is 1899. Step into A below.
00495D89 FF75 F4 push dword ptr ss:[ebp-C] ; stack ss:[012CFC80]=00C5DD30, (ASCII "1899") — piece 1
00495D8C 68 2C5E4900 push Stock.00495E2C ; "-" — piece 2
00495D91 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00495D94 0FB745 FC movzx eax,word ptr ss:[ebp-4] ; stack ss:[012CFC88]=000C eax=012cf80
00495D98 E8 F333F7FF call Stock.00409190
; 00404C80 with edx="0", ecx="12", eax=&[ebp-14]: the trace shows
; [ebp-14]="012" afterwards. The following 00495AC0 call (eax="012",
; dl=2, ecx=&[ebp-10]) leaves [ebp-10]="12". Exact rules of the two
; helpers are not visible here; only the observed effect is recorded.
00495D9D 8B4D E8 mov ecx,dword ptr ss:[ebp-18] ; stack ss:[012CFC74]=00C55278, (ASCII "12")
00495DA0 8D45 EC lea eax,dword ptr ss:[ebp-14]
00495DA3 BA 385E4900 mov edx,Stock.00495E38 ; "0"
00495DA8 E8 D3EEF6FF call Stock.00404C80
00495DAD 8B45 EC mov eax,dword ptr ss:[ebp-14] ; stack ss:[012CFC78]=00C55438, (ASCII "012")
00495DB0 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00495DB3 B2 02 mov dl,2 ; dl=39 ('9')
00495DB5 E8 06FDFFFF call Stock.00495AC0
00495DBA FF75 F0 push dword ptr ss:[ebp-10] ; stack ss:[012CFC7C]=00C55288, (ASCII "12") — piece 3
00495DBD 68 2C5E4900 push Stock.00495E2C ; "-" — piece 4
; Same 00409190 / 00404C80 / 00495AC0 sequence for the third word.
00495DC2 8D55 DC lea edx,dword ptr ss:[ebp-24]
00495DC5 0FB745 FA movzx eax,word ptr ss:[ebp-6] ; stack ss:[012CFC86]=001E
00495DC9 E8 C233F7FF call Stock.00409190
00495DCE 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; stack ss:[012CFC68]=00C55418, (ASCII "30")
00495DD1 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00495DD4 BA 385E4900 mov edx,Stock.00495E38 ; "0"
00495DD9 E8 A2EEF6FF call Stock.00404C80
00495DDE 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00495DE1 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00495DE4 B2 02 mov dl,2
00495DE6 E8 D5FCFFFF call Stock.00495AC0
00495DEB FF75 E4 push dword ptr ss:[ebp-1C] ; piece 5
; Five pieces are on the stack; 00404CF4 is called with eax = ebx (the
; caller's destination) and edx = 5, matching the five pushes.
00495DEE 8BC3 mov eax,ebx
00495DF0 BA 05000000 mov edx,5
00495DF5 E8 FAEEF6FF call Stock.00404CF4
; Unlink the SEH record installed at 00495D5D: pop the saved fs:[0] into
; edx, discard the handler address and saved ebp, restore fs:[0].
00495DFA 33C0 xor eax,eax
00495DFC 5A pop edx
00495DFD 59 pop ecx
00495DFE 59 pop ecx
00495DFF 64:8910 mov dword ptr fs:[eax],edx
; Push the continuation address, call 00404998 over the 7 consecutive
; dword locals from [ebp-24] to [ebp-C] (edx = 7; presumably releases
; them), then `retn` into Stock.00495E1C.
00495E02 68 1C5E4900 push Stock.00495E1C
00495E07 8D45 DC lea eax,dword ptr ss:[ebp-24]
00495E0A BA 07000000 mov edx,7
00495E0F E8 84EBF6FF call Stock.00404998
00495E14 C3 retn
; Exception path: the registered handler jumps to Stock.004042F4;
; 00495E1A re-enters the cleanup sequence above.
00495E15 ^\E9 DAE4F6FF jmp Stock.004042F4
00495E1A ^ EB EB jmp short Stock.00495E07
; Real epilogue: restore ebx, drop the frame, pop the two dword arguments.
00495E1C 5B pop ebx
00495E1D 8BE5 mov esp,ebp
00495E1F 5D pop ebp
00495E20 C2 0800 retn 8
A:
;-----------------------------------------------------------------------
; Stock.00409190 (labelled "A" above) — as captured in OllyDbg.
; In:    eax = value (the caller passes a zero-extended word),
;        edx = address of a dword local that receives the result.
; Observed effect in the caller's trace: that local afterwards holds the
;        decimal text of eax (076B -> "1899", 000C -> "12", 001E -> "30").
; Uses a 16-byte stack scratch area ([esi-10 .. esi)); what 00409144 and
;        00404A64 each do on their own is not visible here.
; Modifies eax, ecx, edx; esi is preserved by push/pop.
;-----------------------------------------------------------------------
00409190 /$ 56 PUSH ESI ; Stock.004BBACC
00409191 |. 89E6 MOV ESI,ESP ; esi = top (end) of the scratch area
00409193 |. 83EC 10 SUB ESP,10 ; 16-byte scratch area below esi
00409196 |. 31C9 XOR ECX,ECX
00409198 |. 52 PUSH EDX ; keep the destination pointer across the first call
00409199 |. 31D2 XOR EDX,EDX
0040919B |. E8 A4FFFFFF CALL YjStock.00409144 ; eax = value, ecx = edx = 0
004091A0 |. 89F2 MOV EDX,ESI ; edx = end of scratch area
004091A2 |. 58 POP EAX ; eax = destination pointer (the saved edx)
004091A3 |. E8 BCB8FFFF CALL YjStock.00404A64
004091A8 |. 83C4 10 ADD ESP,10 ; release scratch area
004091AB |. 5E POP ESI
004091AC \. C3 RETN
请高手指点指点。谢谢