[Title]: A newbie cracks a cheat tool -- Part (1)
[Author]: Xiao San
[Author e-mail]: 75967489@qq.com
[Author QQ]: 75967489
[Software]: Zhongtian, trial version
[Download]: http://www.5201000n.cn
[Packer]: none
[Protection]: not encrypted
[Language]: C++
[Platform]: XP
[Description]: QQ mass-messaging tool
[Author's note]: Just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed walkthrough]
Xiao Lai here, not much of a cracker; this crack of a QQ mass-messaging tool is offered to newbies like me. Don't go spamming me with junk messages!! First let's look at what the tool does. This is a trial version, and the trial can only send one message:
-------------------------------------------------
您现在使用的是 [中天QQ群发王]演示版,软件支持好友群发,群群发,多QQ同时群发等!欲购买正式版者请联系 QQ:895966146!
(You are using the demo version of [Zhongtian QQ Mass Sender]; the software supports mass-sending to friends, to groups, from multiple QQ accounts at once, etc.! To buy the full version contact QQ:895966146!)
-------------------------------------------------
The full version costs 980 yuan. Xiao Lai has no money, so the only option is to patch it. Xiao Lai absolutely supports genuine software, so instead let's add a feature to the tool: have it read the message to send from a text file and overwrite the demo message with it.
Open it in OD (OllyDbg) and set a breakpoint on sendto.
0040638B . /75 36 jnz short 004063C3
0040638D . |8B15 C4EE4900 mov edx, dword ptr [49EEC4]
00406393 . |52 push edx
00406394 . |6A 00 push 0
00406396 . |E8 C5800000 call 0040E460
0040639B . |A1 C4EE4900 mov eax, dword ptr [49EEC4]
004063A0 . |8B0D 988C4B00 mov ecx, dword ptr [4B8C98]
004063A6 . |83C4 08 add esp, 8
004063A9 . |C1E0 04 shl eax, 4
004063AC . |05 78404C00 add eax, 004C4078
004063B1 . |6A 10 push 10 ; /ToLength = 10 (16.)
004063B3 . |50 push eax ; |pTo
004063B4 . |6A 00 push 0 ; |Flags = 0
004063B6 . |6A 24 push 24 ; |DataSize = 24 (36.)
004063B8 . |68 6C6F4C00 push 004C6F6C ; |Data = 2008-02-.004C6F6C
004063BD . |51 push ecx ; |Socket => 0
004063BE . |E8 3D880000 call <jmp.&WS2_32.sendto> ; \sendto
004063C3 > \E8 F81B0000 call 00407FC0 ; the demo message is built in here, step into it
004063C8 . 8B15 C4EE4900 mov edx, dword ptr [49EEC4]
004063CE . A1 446F4C00 mov eax, dword ptr [4C6F44]
004063D3 . 8B0D 988C4B00 mov ecx, dword ptr [4B8C98]
004063D9 . 6A 10 push 10 ; /ToLength = 10 (16.)
004063DB . C1E2 04 shl edx, 4 ; |
004063DE . 81C2 78404C00 add edx, 004C4078 ; |
004063E4 . 52 push edx ; |pTo
004063E5 . 6A 00 push 0 ; |Flags = 0
004063E7 . 50 push eax ; |DataSize => 0
004063E8 . 68 44474C00 push 004C4744 ; |Data = 2008-02-.004C4744
004063ED . 51 push ecx ; |Socket => 0
004063EE . E8 0D880000 call <jmp.&WS2_32.sendto> ; \sendto
004063F3 . A1 C4464C00 mov eax, dword ptr [4C46C4]
004063F8 . 8D5424 10 lea edx, dword ptr [esp+10]
004063FC . 40 inc eax
004063FD . 50 push eax
004063FE . 68 24414100 push 00414124 ; ASCII "%d"
00406403 . 52 push edx
00406404 . A3 C4464C00 mov dword ptr [4C46C4], eax
00406409 . FFD3 call ebx
004063C3 > \E8 F81B0000 call 00407FC0 ; step into
00408022 |. 884424 30 mov byte ptr [esp+30], al ; what follows is the message the demo version sends
00408026 |. 884424 31 mov byte ptr [esp+31], al
0040802A |. 884424 32 mov byte ptr [esp+32], al
0040802E |. 884424 33 mov byte ptr [esp+33], al
00408032 |. 884424 34 mov byte ptr [esp+34], al
00408036 |. 884424 35 mov byte ptr [esp+35], al
0040803A |. 884424 36 mov byte ptr [esp+36], al
0040803E |. 884424 37 mov byte ptr [esp+37], al
00408042 |. 884424 38 mov byte ptr [esp+38], al
00408046 |. 884424 39 mov byte ptr [esp+39], al
0040804A |. 884424 3A mov byte ptr [esp+3A], al
0040804E |. 884424 3B mov byte ptr [esp+3B], al
00408052 |. 884424 3C mov byte ptr [esp+3C], al
00408056 |. 884424 3D mov byte ptr [esp+3D], al
0040805A |. 884424 3E mov byte ptr [esp+3E], al
0040805E |. 884424 3F mov byte ptr [esp+3F], al
00408062 |. 884424 40 mov byte ptr [esp+40], al
00408066 |. 884424 41 mov byte ptr [esp+41], al
0040806A |. 884424 42 mov byte ptr [esp+42], al
0040806E |. 884424 43 mov byte ptr [esp+43], al
00408072 |. 884424 44 mov byte ptr [esp+44], al
00408076 |. 884424 45 mov byte ptr [esp+45], al
0040807A |. 884424 46 mov byte ptr [esp+46], al
0040807E |. 884424 47 mov byte ptr [esp+47], al
00408082 |. 884424 48 mov byte ptr [esp+48], al
00408086 |. 884424 49 mov byte ptr [esp+49], al
0040808A |. 884424 4A mov byte ptr [esp+4A], al
0040808E |. 884424 4B mov byte ptr [esp+4B], al
00408092 |. 884424 4C mov byte ptr [esp+4C], al
00408096 |. 884424 4D mov byte ptr [esp+4D], al
0040809A |. 884424 4E mov byte ptr [esp+4E], al
0040809E |. 884424 4F mov byte ptr [esp+4F], al
004080A2 |. 884424 50 mov byte ptr [esp+50], al
004080A6 |. 884424 51 mov byte ptr [esp+51], al
004080AA |. 884424 52 mov byte ptr [esp+52], al
004080AE |. 884424 53 mov byte ptr [esp+53], al
004080B2 |. 884424 54 mov byte ptr [esp+54], al
004080B6 |. 884424 55 mov byte ptr [esp+55], al
004080BA |. 884424 56 mov byte ptr [esp+56], al
004080BE |. 884424 57 mov byte ptr [esp+57], al
004080C2 |. 884424 58 mov byte ptr [esp+58], al
004080C6 |. 884424 59 mov byte ptr [esp+59], al
004080CA |. 884424 5A mov byte ptr [esp+5A], al
004080CE |. 884424 5B mov byte ptr [esp+5B], al
004080D2 |. 884424 5C mov byte ptr [esp+5C], al
004080D6 |. 884424 5D mov byte ptr [esp+5D], al
004080DA |. 884424 5E mov byte ptr [esp+5E], al
004080DE |. 884424 5F mov byte ptr [esp+5F], al
004080E2 |. 884424 60 mov byte ptr [esp+60], al
004080E6 |. C64424 61 0D mov byte ptr [esp+61], 0D
004080EB |. C64424 62 0A mov byte ptr [esp+62], 0A
004080F0 |. 885424 63 mov byte ptr [esp+63], dl
004080F4 |. C64424 64 FA mov byte ptr [esp+64], 0FA
004080F9 |. C64424 65 CF mov byte ptr [esp+65], 0CF
004080FE |. C64424 66 D6 mov byte ptr [esp+66], 0D6
00408103 |. C64424 67 D4 mov byte ptr [esp+67], 0D4
00408108 |. C64424 68 DA mov byte ptr [esp+68], 0DA
0040810D |. B3 C8 mov bl, 0C8
0040810F |. 885424 6E mov byte ptr [esp+6E], dl
00408113 |. 885C24 79 mov byte ptr [esp+79], bl
00408117 |. 889C24 870000>mov byte ptr [esp+87], bl
0040811E |. 889C24 930000>mov byte ptr [esp+93], bl
00408125 |. 889C24 990000>mov byte ptr [esp+99], bl
0040812C |. 889C24 9B0000>mov byte ptr [esp+9B], bl
00408133 |. 889C24 A90000>mov byte ptr [esp+A9], bl
0040813A |. 889C24 AE0000>mov byte ptr [esp+AE], bl
00408141 |. B2 BA mov dl, 0BA
00408143 |. B3 A1 mov bl, 0A1
00408145 |. C64424 69 CA mov byte ptr [esp+69], 0CA
0040814A |. C64424 6A B9 mov byte ptr [esp+6A], 0B9
0040814F |. C64424 6B D3 mov byte ptr [esp+6B], 0D3
00408154 |. C64424 6C C3 mov byte ptr [esp+6C], 0C3
00408159 |. C64424 6D B5 mov byte ptr [esp+6D], 0B5
0040815E |. C64424 6F CA mov byte ptr [esp+6F], 0CA
00408163 |. C64424 70 C7 mov byte ptr [esp+70], 0C7
00408168 |. C64424 71 20 mov byte ptr [esp+71], 20
0040816D |. C64424 72 5B mov byte ptr [esp+72], 5B
00408172 C64424 73 D6 mov byte ptr [esp+73], 0D6
00408177 C64424 74 D0 mov byte ptr [esp+74], 0D0
0040817C C64424 75 CC mov byte ptr [esp+75], 0CC
00408181 C64424 76 EC mov byte ptr [esp+76], 0EC
00408186 |. C64424 77 51 mov byte ptr [esp+77], 51
0040818B |. C64424 78 51 mov byte ptr [esp+78], 51
00408190 |. 885424 7A mov byte ptr [esp+7A], dl
00408194 |. C64424 7B B7 mov byte ptr [esp+7B], 0B7
00408199 |. C64424 7C A2 mov byte ptr [esp+7C], 0A2
0040819E |. C64424 7D CD mov byte ptr [esp+7D], 0CD
004081A3 |. C64424 7E F5 mov byte ptr [esp+7E], 0F5
004081A8 |. C64424 7F 5D mov byte ptr [esp+7F], 5D
004081AD |. C68424 800000>mov byte ptr [esp+80], 0D1
004081B5 |. C68424 810000>mov byte ptr [esp+81], 0DD
004081BD |. C68424 820000>mov byte ptr [esp+82], 0CA
004081C5 |. C68424 830000>mov byte ptr [esp+83], 0BE
004081CD |. C68424 840000>mov byte ptr [esp+84], 0B0
004081D5 |. C68424 850000>mov byte ptr [esp+85], 0E6
004081DD |. C68424 860000>mov byte ptr [esp+86], 2C
004081E5 |. C68424 880000>mov byte ptr [esp+88], 0ED
004081ED |. C68424 890000>mov byte ptr [esp+89], 0BC
004081F5 |. C68424 8A0000>mov byte ptr [esp+8A], 0FE
004081FD |. C68424 8B0000>mov byte ptr [esp+8B], 0D6
00408205 |. C68424 8C0000>mov byte ptr [esp+8C], 0A7
0040820D |. C68424 8D0000>mov byte ptr [esp+8D], 0B3
00408215 |. C68424 8E0000>mov byte ptr [esp+8E], 0D6
0040821D |. 889424 8F0000>mov byte ptr [esp+8F], dl
00408224 |. C68424 900000>mov byte ptr [esp+90], 0C3
0040822C |. C68424 910000>mov byte ptr [esp+91], 0D3
00408234 |. C68424 920000>mov byte ptr [esp+92], 0D1
0040823C |. 889424 940000>mov byte ptr [esp+94], dl
00408243 |. C68424 950000>mov byte ptr [esp+95], 0B7
0040824B |. C68424 960000>mov byte ptr [esp+96], 0A2
00408253 |. C68424 970000>mov byte ptr [esp+97], 0A3
0040825B |. C68424 980000>mov byte ptr [esp+98], 0AC
00408263 |. 889424 9A0000>mov byte ptr [esp+9A], dl
0040826A |. 889424 9C0000>mov byte ptr [esp+9C], dl
00408271 |. C68424 9D0000>mov byte ptr [esp+9D], 0B7
00408279 |. C68424 9E0000>mov byte ptr [esp+9E], 0A2
00408281 |. C68424 9F0000>mov byte ptr [esp+9F], 0A3
00408289 |. C68424 A00000>mov byte ptr [esp+A0], 0AC
00408291 |. C68424 A10000>mov byte ptr [esp+A1], 0B6
00408299 |. C68424 A20000>mov byte ptr [esp+A2], 0E0
004082A1 |. C68424 A30000>mov byte ptr [esp+A3], 51
004082A9 |. C68424 A40000>mov byte ptr [esp+A4], 51
004082B1 |. C68424 A50000>mov byte ptr [esp+A5], 0CD
004082B9 |. C68424 A60000>mov byte ptr [esp+A6], 0AC
004082C1 |. C68424 A70000>mov byte ptr [esp+A7], 0CA
004082C9 |. C68424 A80000>mov byte ptr [esp+A8], 0B1
004082D1 |. 889424 AA0000>mov byte ptr [esp+AA], dl
004082D8 |. C68424 AB0000>mov byte ptr [esp+AB], 0B7
004082E0 |. C68424 AC0000>mov byte ptr [esp+AC], 0A2
004082E8 |. C68424 AD0000>mov byte ptr [esp+AD], 0B5
004082F0 |. C68424 AF0000>mov byte ptr [esp+AF], 0A3
004082F8 |. 889C24 B00000>mov byte ptr [esp+B0], bl
004082FF |. C68424 B10000>mov byte ptr [esp+B1], 0D3
00408307 |. C68424 B20000>mov byte ptr [esp+B2], 0FB
0040830F |. C68424 B30000>mov byte ptr [esp+B3], 0B9
00408317 |. 889424 B40000>mov byte ptr [esp+B4], dl
0040831E |. C68424 B50000>mov byte ptr [esp+B5], 0C2
00408326 |. C68424 B60000>mov byte ptr [esp+B6], 0F2
0040832E |. B2 D5 mov dl, 0D5
00408330 |. C68424 B80000>mov byte ptr [esp+B8], 0FD
00408338 |. 889424 B70000>mov byte ptr [esp+B7], dl
0040833F |. 889424 BD0000>mov byte ptr [esp+BD], dl
00408346 |. B2 39 mov dl, 39
00408348 |. C68424 B90000>mov byte ptr [esp+B9], 0CA
00408350 |. 889424 CA0000>mov byte ptr [esp+CA], dl
00408357 |. 889424 CC0000>mov byte ptr [esp+CC], dl
0040835E |. B2 36 mov dl, 36
00408360 |. C68424 BA0000>mov byte ptr [esp+BA], 0BD
00408368 |. C68424 BB0000>mov byte ptr [esp+BB], 0B0
00408370 |. C68424 BC0000>mov byte ptr [esp+BC], 0E6
00408378 |. C68424 BE0000>mov byte ptr [esp+BE], 0DF
00408380 |. C68424 BF0000>mov byte ptr [esp+BF], 0C7
00408388 |. C68424 C00000>mov byte ptr [esp+C0], 0EB
00408390 |. C68424 C10000>mov byte ptr [esp+C1], 0C1
00408398 |. C68424 C20000>mov byte ptr [esp+C2], 0AA
004083A0 |. C68424 C30000>mov byte ptr [esp+C3], 0CF
004083A8 |. C68424 C40000>mov byte ptr [esp+C4], 0B5
004083B0 |. C68424 C50000>mov byte ptr [esp+C5], 20
004083B8 |. C68424 C60000>mov byte ptr [esp+C6], 51
004083C0 |. C68424 C70000>mov byte ptr [esp+C7], 51
004083C8 |. C68424 C80000>mov byte ptr [esp+C8], 3A
004083D0 C68424 C90000>mov byte ptr [esp+C9], 38
004083D8 |. C68424 CB0000>mov byte ptr [esp+CB], 35
004083E0 |. 889424 CD0000>mov byte ptr [esp+CD], dl
004083E7 |. 889424 CE0000>mov byte ptr [esp+CE], dl
004083EE |. C68424 CF0000>mov byte ptr [esp+CF], 31
004083F6 |. C68424 D00000>mov byte ptr [esp+D0], 34
004083FE 889424 D10000>mov byte ptr [esp+D1], dl
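Rather than reading those byte stores by eye, the text can be recovered mechanically. The script below is an added example (not code from the post): it replays the `mov byte ptr [esp+XX], ...` stores of an OllyDbg listing into a buffer, tracks the 8-bit register loads (`mov dl, 0BA`) the listing uses as sources, and decodes the result as GBK. The excerpt it parses is constructed from the listing above; GBK is assumed as the program's code page, and the `regs` parameter is a seed for registers loaded before an excerpt begins (such as `dl` at the start of the listing).

```python
# Added example (not from the post): replay the byte-at-a-time stores of an
# OllyDbg listing into a buffer and decode it as GBK, so the demo text can be
# read from the disassembly alone without running the program.
import re

STORE = re.compile(r"mov byte ptr \[esp\+([0-9A-Fa-f]+)\], (\w+)")
LOAD8 = re.compile(r"mov ([abcd][lh]), ([0-9A-Fa-f]+)$")
REGS8 = {"al", "bl", "cl", "dl", "ah", "bh", "ch", "dh"}

def replay_stores(listing, regs=None):
    """Return (lowest offset, bytes); `regs` seeds 8-bit registers set before the excerpt."""
    regs = dict(regs or {})
    mem = {}
    for line in listing.splitlines():
        m = LOAD8.search(line.strip())
        if m:  # e.g. "mov dl, 0BA": remember the value for later register stores
            regs[m.group(1)] = int(m.group(2), 16)
            continue
        m = STORE.search(line)
        if m:
            off, src = int(m.group(1), 16), m.group(2)
            # a register with no known value stores '?' so the gap stays visible
            mem[off] = regs.get(src, ord("?")) if src in REGS8 else int(src, 16)
    if not mem:
        return 0, b""
    lo, hi = min(mem), max(mem)
    return lo, bytes(mem.get(i, ord("?")) for i in range(lo, hi + 1))

def decode_stack_string(listing, regs=None):
    # Chinese Windows software of that era uses GBK; undecodable bytes become U+FFFD
    return replay_stores(listing, regs)[1].decode("gbk", errors="replace")

# Constructed excerpt of the listing quoted in the post (stores to esp+71..esp+7C).
SAMPLE = """\
0040810D |. B3 C8 mov bl, 0C8
00408113 |. 885C24 79 mov byte ptr [esp+79], bl
00408141 |. B2 BA mov dl, 0BA
00408168 |. C64424 71 20 mov byte ptr [esp+71], 20
0040816D |. C64424 72 5B mov byte ptr [esp+72], 5B
00408172 C64424 73 D6 mov byte ptr [esp+73], 0D6
00408177 C64424 74 D0 mov byte ptr [esp+74], 0D0
0040817C C64424 75 CC mov byte ptr [esp+75], 0CC
00408181 C64424 76 EC mov byte ptr [esp+76], 0EC
00408186 |. C64424 77 51 mov byte ptr [esp+77], 51
0040818B |. C64424 78 51 mov byte ptr [esp+78], 51
00408190 |. 885424 7A mov byte ptr [esp+7A], dl
00408194 |. C64424 7B B7 mov byte ptr [esp+7B], 0B7
00408199 |. C64424 7C A2 mov byte ptr [esp+7C], 0A2
"""
```

Running `decode_stack_string(SAMPLE)` yields the fragment " [中天QQ群发" of the demo message quoted at the top of the post, and feeding it the whole listing (with `dl` seeded to 0xC4) recovers the full text.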
Now we know where the message is, so let's change it.
Xiao Lai is pretty green, so I first wrote a file-reading routine in VC6.0, opened it in OD to look at the generated code, and then added that code to the tool.
The code is as follows (a fragment inside an MFC function; the include, the handle check and CloseHandle are added here):
#include <afx.h>   // CString plus the Win32 file API
CString str = "aa";
BOOL success;
DWORD numRead;
char s[200];       // not NUL-terminated after ReadFile; numRead holds the byte count
HANDLE fileHandle = CreateFile("hts.txt", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (fileHandle != INVALID_HANDLE_VALUE) {   // CreateFile returns INVALID_HANDLE_VALUE (not NULL) on failure
    DWORD pos = SetFilePointer(fileHandle, 0, 0, FILE_BEGIN);   // returns the new position, not a BOOL
    success = ReadFile(fileHandle, s, 200, &numRead, NULL);
    CloseHandle(fileHandle);
}
Compile it, then open it in OD:
00403550 /> \55 push ebp
00403551 |. 8BEC mov ebp, esp
00403553 |. 81EC 1C010000 sub esp, 11C
00403559 |. 53 push ebx
0040355A |. 56 push esi
0040355B |. 57 push edi
0040355C |. 51 push ecx
0040355D |. 8DBD E4FEFFFF lea edi, dword ptr [ebp-11C]
00403563 |. B9 47000000 mov ecx, 47
00403568 |. B8 CCCCCCCC mov eax, CCCCCCCC
0040356D |. F3:AB rep stos dword ptr es:[edi]
0040356F |. 59 pop ecx
00403570 |. 894D FC mov dword ptr [ebp-4], ecx
00403573 |. 68 1C804100 push 0041801C ; ASCII "aa"
00403578 |. 8D4D F8 lea ecx, dword ptr [ebp-8]
0040357B |. E8 FADDFFFF call <jmp.&MFC42D.#487>
00403580 |. 8BF4 mov esi, esp
00403582 |. 6A 00 push 0 ; /hTemplateFile = NULL
00403584 |. 68 80000000 push 80 ; |Attributes = NORMAL
00403589 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040358B |. 6A 00 push 0 ; |pSecurity = NULL
0040358D |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
0040358F |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00403594 |. 68 48864100 push 00418648 ; |FileName = "hts.txt"
00403599 |. FF15 3CA54100 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
0040359F |. 3BF4 cmp esi, esp
004035A1 |. E8 581F0000 call <jmp.&MSVCRTD._chkesp>
004035A6 |. 8985 24FFFFFF mov dword ptr [ebp-DC], eax
004035AC |. 8BF4 mov esi, esp
004035AE |. 6A 00 push 0 ; /Origin = FILE_BEGIN
004035B0 |. 6A 00 push 0 ; |pOffsetHi = NULL
004035B2 |. 6A 00 push 0 ; |OffsetLo = 0
004035B4 |. 8B85 24FFFFFF mov eax, dword ptr [ebp-DC] ; |
004035BA |. 50 push eax ; |hFile
004035BB |. FF15 50A54100 call dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
004035C1 |. 3BF4 cmp esi, esp
004035C3 |. E8 361F0000 call <jmp.&MSVCRTD._chkesp>
004035C8 |. 8945 F4 mov dword ptr [ebp-C], eax
004035CB |. 8BF4 mov esi, esp
004035CD |. 6A 00 push 0 ; /pOverlapped = NULL
004035CF |. 8D4D F0 lea ecx, dword ptr [ebp-10] ; |
004035D2 |. 51 push ecx ; |pBytesRead
004035D3 |. 68 C8000000 push 0C8 ; |BytesToRead = C8 (200.)
004035D8 |. 8D95 28FFFFFF lea edx, dword ptr [ebp-D8] ; |
004035DE |. 52 push edx ; |Buffer
004035DF |. 8B85 24FFFFFF mov eax, dword ptr [ebp-DC] ; |
004035E5 |. 50 push eax ; |hFile
004035E6 |. FF15 4CA54100 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
Then copy this code and paste it into the tool.
Open the tool in OD, find a clean area, go to 00412937 and paste it there; to make the paste easier I modified the code a little:
00412937 > \50 push eax
00412938 . 51 push ecx
00412939 . 52 push edx
0041293A . 54 push esp
0041293B . 6A 00 push 0 ; /hTemplateFile = NULL
0041293D . 68 80000000 push 80 ; |Attributes = NORMAL
00412942 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
00412944 . 6A 00 push 0 ; |pSecurity = NULL
00412946 . 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00412948 . 68 00000080 push 80000000 ; |Access = GENERIC_READ
0041294D . 68 B0494100 push 004149B0 ; |FileName = "g:\hts.txt" the file to read; go to 004149B0
00412952 . FF15 10304100 call dword ptr [<&kernel32.CreateFile>; \CreateFileA
00412958 . 6A 00 push 0 ; /pOverlapped = NULL
0041295A . 8D8C24 50020000 lea ecx, dword ptr [esp+250] ; |
00412961 . 51 push ecx ; |pBytesRead
00412962 . 68 C8000000 push 0C8 ; |BytesToRead = C8 (200.)
00412967 . 8D5424 50 lea edx, dword ptr [esp+50] ; |
0041296B . 52 push edx ; |Buffer
0041296C . 50 push eax ; |hFile
0041296D . FF15 4414E94A call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00412973 . 5C pop esp
00412974 . 5A pop edx
00412975 . 59 pop ecx
00412976 . 58 pop eax
00412977 .^ E9 895AFFFF jmp 00408405
In the data window press Ctrl+G, go to 004149B0, and change the data there to the path of the file to read, "g:\hts.txt".
Then at 004083FE change the code to:
004083FE . /E9 34A50000 jmp 00412937
00408403 |90 nop
00408404 |90 nop
The code changes are done; dump it out (don't tell me you don't know how to dump). That adds a new feature to the QQ mass-messaging tool: write the message you want to send in g:\hts.txt. In part (2) Xiao Lai will analyse QQ's communication protocol! It's New Year, so best wishes to everyone!!!
--------------------------------------------------------------------------------
[Copyright notice]: This article was originally posted on the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
2008-02-08 14:32:17