[旧帖] [讨论]剛入行請哪位前輩帶我入門 bp send 0.00雪花
发表于: 2008-3-22 11:54 2946
請諸位先進 提攜
載入某Online game
因為此 Game 一直在送包，所以不知如何追加密 call，送包間距極短。
（下面第一段 dump 是載入後 OllyDbg 停在的程式入口點：呼叫 GetVersionExA、GetModuleHandleA，再檢查 MZ／PE 標頭，屬 CRT 啟動碼，與送包無關，直接下斷往下跑即可。）
0080F728 > $ 6A 60 push 60 <<< 停留在這
0080F72A . 68 E0928D00 push 008D92E0
0080F72F . E8 DC500000 call 00814810
0080F734 . BF 94000000 mov edi, 94
0080F739 . 8BC7 mov eax, edi
0080F73B . E8 F0E5FFFF call 0080DD30
0080F740 . 8965 E8 mov dword ptr [ebp-18], esp
0080F743 . 8BF4 mov esi, esp
0080F745 . 893E mov dword ptr [esi], edi
0080F747 . 56 push esi ; /pVersionInformation
0080F748 . FF15 08518700 call dword ptr [<&KERNEL32.GetVersion>; \GetVersionExA
0080F74E . 8B4E 10 mov ecx, dword ptr [esi+10]
0080F751 . 890D CCF8B002 mov dword ptr [2B0F8CC], ecx
0080F757 . 8B46 04 mov eax, dword ptr [esi+4]
0080F75A . A3 D8F8B002 mov dword ptr [2B0F8D8], eax
0080F75F . 8B56 08 mov edx, dword ptr [esi+8]
0080F762 . 8915 DCF8B002 mov dword ptr [2B0F8DC], edx
0080F768 . 8B76 0C mov esi, dword ptr [esi+C]
0080F76B . 81E6 FF7F0000 and esi, 7FFF
0080F771 . 8935 D0F8B002 mov dword ptr [2B0F8D0], esi
0080F777 . 83F9 02 cmp ecx, 2
0080F77A . 74 0C je short 0080F788
0080F77C . 81CE 00800000 or esi, 8000
0080F782 . 8935 D0F8B002 mov dword ptr [2B0F8D0], esi
0080F788 > C1E0 08 shl eax, 8
0080F78B . 03C2 add eax, edx
0080F78D . A3 D4F8B002 mov dword ptr [2B0F8D4], eax
0080F792 . 33F6 xor esi, esi
0080F794 . 56 push esi ; /pModule => NULL
0080F795 . 8B3D 70518700 mov edi, dword ptr [<&KERNEL32.GetMo>; |kernel32.GetModuleHandleA
0080F79B . FFD7 call edi ; \GetModuleHandleA
0080F79D . 66:8138 4D5A cmp word ptr [eax], 5A4D
0080F7A2 . 75 1F jnz short 0080F7C3
0080F7A4 . 8B48 3C mov ecx, dword ptr [eax+3C]
0080F7A7 . 03C8 add ecx, eax
0080F7A9 . 8139 50450000 cmp dword ptr [ecx], 4550
0080F7AF . 75 12 jnz short 0080F7C3
0080F7B1 . 0FB741 18 movzx eax, word ptr [ecx+18]
0080F7B5 . 3D 0B010000 cmp eax, 10B
0080F7BA . 74 1F je short 0080F7DB
0080F7BC . 3D 0B020000 cmp eax, 20B
0080F7C1 . 74 05 je short 0080F7C8
0080F7C3 > 8975 E4 mov dword ptr [ebp-1C], esi
0080F7C6 . EB 27 jmp short 0080F7EF
0080F7C8 > 83B9 84000000>cmp dword ptr [ecx+84], 0E
0080F7CF .^ 76 F2 jbe short 0080F7C3
0080F7D1 . 33C0 xor eax, eax
bp send 下斷
按 F9
（注意：下面第一次停在 7C812A5B，是緊接在 call ntdll.RtlRaiseException 之後，也就是 mss32 丟出的例外被 OllyDbg 攔下，並不是 send 的中斷點。此時按 Shift+F9 把例外交回程式（或在 Options→Debugging→Exceptions 勾選忽略），再繼續才會真正停在 71A1428A 的 send。）
7C812A4E F3:A5 rep movs dword ptr es:[edi], dword p>
7C812A50 5F pop edi
7C812A51 8D45 B0 lea eax, dword ptr [ebp-50]
7C812A54 50 push eax
7C812A55 FF15 0815807C call dword ptr [<&ntdll.RtlRaiseExcep>; ntdll.RtlRaiseException
7C812A5B 5E pop esi ; mss32.2112E8F0 << 停在這
7C812A5C C9 leave
7C812A5D C2 1000 retn 10
7C812A60 85FF test edi, edi
7C812A62 ^ 0F8E 3693FFFF jle 7C80BD9E
7C812A68 8B55 FC mov edx, dword ptr [ebp-4]
7C812A6B 8955 0C mov dword ptr [ebp+C], edx
7C812A6E 0FB716 movzx edx, word ptr [esi]
7C812A71 8B7D F8 mov edi, dword ptr [ebp-8]
7C812A74 8A143A mov dl, byte ptr [edx+edi]
7C812A77 8811 mov byte ptr [ecx], dl
7C812A79 8B78 0C mov edi, dword ptr [eax+C]
7C812A7C 0FB6D2 movzx edx, dl
7C812A7F 66:8B1457 mov dx, word ptr [edi+edx*2]
7C812A83 66:3B16 cmp dx, word ptr [esi]
7C812A86 0F85 99890300 jnz 7C84B425
7C812A8C 8B50 08 mov edx, dword ptr [eax+8]
7C812A8F 66:8B5A 04 mov bx, word ptr [edx+4]
7C812A93 3819 cmp byte ptr [ecx], bl
7C812A95 0F84 97890300 je 7C84B432
7C812A9B 46 inc esi
7C812A9C 46 inc esi
7C812A9D 41 inc ecx
7C812A9E FF4D 0C dec dword ptr [ebp+C]
7C812AA1 ^ 75 CB jnz short 7C812A6E
7C812AA3 ^ E9 F692FFFF jmp 7C80BD9E
7C812AA8 8B4D 10 mov ecx, dword ptr [ebp+10]
7C812AAB E8 2478FFFF call 7C80A2D4
再按下 F9
71A14285 90 nop
71A14286 90 nop
71A14287 90 nop
71A14288 90 nop
71A14289 90 nop
71A1428A > 8BFF mov edi, edi << 停在 send 下斷的地方
71A1428C 55 push ebp
71A1428D 8BEC mov ebp, esp
71A1428F 83EC 10 sub esp, 10
71A14292 56 push esi
71A14293 57 push edi
71A14294 33FF xor edi, edi
71A14296 813D 2840A271 4>cmp dword ptr [71A24028], 71A19448
71A142A0 0F84 AD730000 je 71A1B653
71A142A6 8D45 F8 lea eax, dword ptr [ebp-8]
71A142A9 50 push eax
71A142AA E8 12520000 call 71A194C1
71A142AF 3BC7 cmp eax, edi
71A142B1 8945 FC mov dword ptr [ebp-4], eax
71A142B4 0F85 D9730000 jnz 71A1B693
71A142BA FF75 08 push dword ptr [ebp+8]
71A142BD E8 7FE8FFFF call 71A12B41
71A142C2 8BF0 mov esi, eax
71A142C4 3BF7 cmp esi, edi
71A142C6 0F84 C0730000 je 71A1B68C
71A142CC 8B45 10 mov eax, dword ptr [ebp+10]
71A142CF 53 push ebx
71A142D0 8D4D FC lea ecx, dword ptr [ebp-4]
71A142D3 51 push ecx
71A142D4 FF75 F8 push dword ptr [ebp-8]
71A142D7 8D4D 08 lea ecx, dword ptr [ebp+8]
71A142DA 57 push edi
71A142DB 57 push edi
71A142DC FF75 14 push dword ptr [ebp+14]
71A142DF 8945 F0 mov dword ptr [ebp-10], eax
71A142E2 8B45 0C mov eax, dword ptr [ebp+C]
0012FD4C 006D0C63 /CALL to send from Onlin.006D0C5D
0012FD50 0000029C |Socket = 29C
0012FD54 0AB778C0 |Data = 0AB778C0
0012FD58 00000019 |DataSize = 19 (25.)
0012FD5C 00000004 \Flags = MSG_DONTROUTE
0012FD60 00000000
0012FD64 08BAE6F8
0012FD68 00000000
按下 ctrl + f9（執行到返回，回到呼叫 send 之後的 006D0C63）
（這一段就是要找的加密位置：006D0BEA／006D0BF1 先把原始資料（來源 [esp+30]，長度 [esp+34]）rep movs 複製到 [ebp+4]；006D0C02 call 006D1CB0 以 (ebp+4, [esp+34], 0080DE48 的回傳值) 為參數，回傳 al 為 0 時印出 "Encode failed!"（008BDE50），所以 006D1CB0 就是 encode／加密函式；在 006D0C02 下斷，[ebp+4] 即為加密前的明文。[ebp] 存的是 006D1C90 回傳值 +4，看起來像長度／標頭欄位，需再確認。最後 send 的 DataSize 是 [esp+18]−ebp，即編碼後的實際長度。）
006D0B93 |. 56 push esi
006D0B94 |. 57 push edi
006D0B95 |. 0F86 A1010000 jbe 006D0D3C
006D0B9B |. 83F8 FF cmp eax, -1
006D0B9E |. 0F84 98010000 je 006D0D3C
006D0BA4 |. 896C24 14 mov dword ptr [esp+14], ebp
006D0BA8 |. 896C24 18 mov dword ptr [esp+18], ebp
006D0BAC |. 896C24 1C mov dword ptr [esp+1C], ebp
006D0BB0 |. 8B7C24 34 mov edi, dword ptr [esp+34]
006D0BB4 |. 57 push edi
006D0BB5 |. 896C24 2C mov dword ptr [esp+2C], ebp
006D0BB9 |. E8 D2100000 call 006D1C90
006D0BBE |. 83C4 04 add esp, 4
006D0BC1 |. 8D70 04 lea esi, dword ptr [eax+4]
006D0BC4 |. 55 push ebp
006D0BC5 |. 56 push esi
006D0BC6 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
006D0BCA |. 894424 3C mov dword ptr [esp+3C], eax
006D0BCE |. E8 7D7BE5FF call 00528750
006D0BD3 |. 8B6C24 14 mov ebp, dword ptr [esp+14]
006D0BD7 |. 8BCF mov ecx, edi
006D0BD9 |. 8D45 04 lea eax, dword ptr [ebp+4]
006D0BDC |. 8BF8 mov edi, eax
006D0BDE |. 8BC1 mov eax, ecx
006D0BE0 |. 8975 00 mov dword ptr [ebp], esi
006D0BE3 |. 8B7424 30 mov esi, dword ptr [esp+30]
006D0BE7 |. C1E9 02 shr ecx, 2
006D0BEA |. F3:A5 rep movs dword ptr es:[edi], dword p>
006D0BEC |. 8BC8 mov ecx, eax
006D0BEE |. 83E1 03 and ecx, 3
006D0BF1 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
006D0BF3 |. E8 50D21300 call 0080DE48
006D0BF8 |. 8B4C24 34 mov ecx, dword ptr [esp+34]
006D0BFC |. 50 push eax
006D0BFD |. 51 push ecx
006D0BFE |. 8D45 04 lea eax, dword ptr [ebp+4]
006D0C01 |. 50 push eax
006D0C02 |. E8 A9100000 call 006D1CB0
006D0C07 |. 83C4 0C add esp, 0C
006D0C0A |. 84C0 test al, al
006D0C0C |. 75 41 jnz short 006D0C4F
006D0C0E |. 83EC 1C sub esp, 1C
006D0C11 |. 8BCC mov ecx, esp
006D0C13 |. 896424 50 mov dword ptr [esp+50], esp
006D0C17 |. 68 50DE8B00 push 008BDE50 ; ASCII "Encode failed!"
006D0C1C |. E8 5F3FD3FF call 00404B80
006D0C21 |. 8B13 mov edx, dword ptr [ebx]
006D0C23 |. 6A 00 push 0
006D0C25 |. 6A 01 push 1
006D0C27 |. 8BCB mov ecx, ebx
006D0C29 |. FF92 90000000 call dword ptr [edx+90]
006D0C2F |. 55 push ebp
006D0C30 |. E8 35BE1300 call 0080CA6A
006D0C35 |. 83C4 04 add esp, 4
006D0C38 |. 33C0 xor eax, eax
006D0C3A |. 8B4C24 20 mov ecx, dword ptr [esp+20]
006D0C3E |. 64:890D 00000>mov dword ptr fs:[0], ecx
006D0C45 |. 5F pop edi
006D0C46 |. 5E pop esi
006D0C47 |. 5D pop ebp
006D0C48 |. 5B pop ebx
006D0C49 |. 83C4 1C add esp, 1C
006D0C4C |. C2 0800 retn 8
006D0C4F |> 8B7424 18 mov esi, dword ptr [esp+18]
006D0C53 |. 8B43 30 mov eax, dword ptr [ebx+30]
006D0C56 |. 6A 04 push 4 ; /Flags = MSG_DONTROUTE
006D0C58 |. 2BF5 sub esi, ebp ; |
006D0C5A |. 56 push esi ; |DataSize
006D0C5B |. 55 push ebp ; |Data
006D0C5C |. 50 push eax ; |Socket
006D0C5D |. FF15 B4538700 call dword ptr [<&WS2_32.#19>] ; \send
006D0C63 |. 83F8 FF cmp eax, -1 <<<<<<<<停在這
006D0C66 |. 0F85 91000000 jnz 006D0CFD
006D0C6C |. FF15 04548700 call dword ptr [<&WS2_32.#111>] ; [WSAGetLastError
006D0C72 |. 8BF8 mov edi, eax
006D0C74 |. 81FF E5030000 cmp edi, 3E5
006D0C7A |. 74 6E je short 006D0CEA
006D0C7C |. 81FF 33270000 cmp edi, 2733
006D0C82 |. 74 66 je short 006D0CEA
006D0C84 |. 8B0B mov ecx, dword ptr [ebx]
006D0C86 |. 68 30DE8B00 push 008BDE30 ; ASCII "Socket Client:WSASend fialed!"
006D0C8B |. 6A 01 push 1
006D0C8D |. 53 push ebx
006D0C8E |. FF91 D8000000 call dword ptr [ecx+D8]
006D0C94 |. 83EC 10 sub esp, 10
006D0C97 |. 8BCC mov ecx, esp
006D0C99 |. 896424 50 mov dword ptr [esp+50], esp
006D0C9D |. 68 6C568700 push 0087566C
006D0CA2 |. E8 D93ED3FF call 00404B80
006D0CA7 |. 8B13 mov edx, dword ptr [ebx]
006D0CA9 |. 57 push edi
006D0CAA |. 6A 06 push 6
006D0CAC |. 8BCB mov ecx, ebx
006D0CAE |. FF92 90000000 call dword ptr [edx+90]
006D0CB4 |. 8B43 30 mov eax, dword ptr [ebx+30]
006D0CB7 |. 83F8 FF cmp eax, -1
006D0CBA |. 74 07 je short 006D0CC3
006D0CBC |. 50 push eax ; /Socket
006D0CBD |. FF15 18548700 call dword ptr [<&WS2_32.#3>] ; \closesocket
006D0CC3 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
006D0CC7 |. C743 30 FFFFF>mov dword ptr [ebx+30], -1
006D0CCE |. E8 EDAAD4FF call 0041B7C0
006D0CD3 |. 33C0 xor eax, eax
006D0CD5 |. 8B4C24 20 mov ecx, dword ptr [esp+20]
006D0CD9 |. 64:890D 00000>mov dword ptr fs:[0], ecx
006D0CE0 |. 5F pop edi
再 CTRL + F9（回到上一層呼叫者 006CC110 內的 006CC18F）
（006CC110 是組包的地方：先把 [esi+50] 加一並寫進緩衝區，呼叫 006C1E30 後以 (緩衝區指標 [esp+C], 長度 [esp+18]) 呼叫 006D0B70，也就是上面那段做 encode 再 send 的函式。[esi+50] 看起來像封包序號，需再確認。）
006CC10B CC int3
006CC10C CC int3
006CC10D CC int3
006CC10E CC int3
006CC10F CC int3
006CC110 /$ 6A FF push -1
006CC112 |. 68 58D38500 push 0085D358 ; SE handler installation
006CC117 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
006CC11D |. 50 push eax
006CC11E |. 64:8925 00000>mov dword ptr fs:[0], esp
006CC125 |. 83EC 14 sub esp, 14
006CC128 |. 56 push esi
006CC129 |. 57 push edi
006CC12A |. 33FF xor edi, edi
006CC12C |. 8BF1 mov esi, ecx
006CC12E |. 897C24 0C mov dword ptr [esp+C], edi
006CC132 |. 897C24 10 mov dword ptr [esp+10], edi
006CC136 |. 897C24 14 mov dword ptr [esp+14], edi
006CC13A |. 897C24 18 mov dword ptr [esp+18], edi
006CC13E |. 8B4E 50 mov ecx, dword ptr [esi+50]
006CC141 |. 41 inc ecx
006CC142 |. 57 push edi
006CC143 |. 894E 50 mov dword ptr [esi+50], ecx
006CC146 |. 6A 04 push 4
006CC148 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
006CC14C |. 897C24 2C mov dword ptr [esp+2C], edi
006CC150 |. E8 FBC5E5FF call 00528750
006CC155 |. 8B46 50 mov eax, dword ptr [esi+50]
006CC158 |. 8B4C24 0C mov ecx, dword ptr [esp+C]
006CC15C |. 8B5424 18 mov edx, dword ptr [esp+18]
006CC160 |. 89040A mov dword ptr [edx+ecx], eax
006CC163 |. 8B4424 30 mov eax, dword ptr [esp+30]
006CC167 |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
006CC16B |. 50 push eax
006CC16C |. 51 push ecx
006CC16D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
006CC171 |. C74424 20 040>mov dword ptr [esp+20], 4
006CC179 |. E8 B25CFFFF call 006C1E30
006CC17E |. 8B5424 18 mov edx, dword ptr [esp+18]
006CC182 |. 8B4424 0C mov eax, dword ptr [esp+C]
006CC186 |. 52 push edx
006CC187 |. 50 push eax
006CC188 |. 8BCE mov ecx, esi
006CC18A |. E8 E1490000 call 006D0B70
006CC18F |. 8BF0 mov esi, eax <<<<<停留在這
006CC191 |. 8B4424 0C mov eax, dword ptr [esp+C]
006CC195 |. 3BC7 cmp eax, edi
006CC197 |. 74 09 je short 006CC1A2
006CC199 |. 50 push eax
006CC19A |. E8 CB081400 call 0080CA6A
006CC19F |. 83C4 04 add esp, 4
006CC1A2 |> 8B4C24 1C mov ecx, dword ptr [esp+1C]
006CC1A6 |. 5F pop edi
006CC1A7 |. 8BC6 mov eax, esi
006CC1A9 |. 5E pop esi
006CC1AA |. 64:890D 00000>mov dword ptr fs:[0], ecx
006CC1B1 |. 83C4 20 add esp, 20
006CC1B4 \. C2 0800 retn 8
006CC1B7 CC int3
006CC1B8 CC int3
006CC1B9 CC int3
006CC1BA CC int3
006CC1BB CC int3
006CC1BC CC int3
006CC1BD CC int3
006CC1BE CC int3
006CC1BF CC int3
006CC1C0 /$ 6A FF push -1
006CC1C2 |. 68 38D38500 push 0085D338 ; SE handler installation
006CC1C7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
006CC1CD |. 50 push eax
006CC1CE |. 64:8925 00000>mov dword ptr fs:[0], esp
006CC1D5 |. 83EC 20 sub esp, 20
006CC1D8 |. 53 push ebx
006CC1D9 |. 55 push ebp
006CC1DA |. 56 push esi
006CC1DB |. 8BF1 mov esi, ecx
006CC1DD |. 8D8E 58010000 lea ecx, dword ptr [esi+158]
006CC1E3 |. 57 push edi
006CC1E4 |. 894C24 14 mov dword ptr [esp+14], ecx
006CC1E8 |. E8 83031400 call 0080C570
006CC1ED |. C64424 18 01 mov byte ptr [esp+18], 1
006CC1F2 |. 8A86 60010000 mov al, byte ptr [esi+160]
006CC1F8 |. 33ED xor ebp, ebp
006CC1FA |. 84C0 test al, al
006CC1FC |. 896C24 38 mov dword ptr [esp+38], ebp
006CC200 |. 0F84 D5000000 je 006CC2DB
006CC206 |. 8B06 mov eax, dword ptr [esi]
006CC208 |. 8BCE mov ecx, esi
006CC20A |. FF50 04 call dword ptr [eax+4]
006CC20D |. D95C24 10 fstp dword ptr [esp+10]
006CC211 |. 896C24 20 mov dword ptr [esp+20], ebp
006CC215 |. 896C24 24 mov dword ptr [esp+24], ebp
006CC219 |. 896C24 28 mov dword ptr [esp+28], ebp
006CC21D |. 896C24 2C mov dword ptr [esp+2C], ebp
006CC221 |. 55 push ebp
006CC222 |. 6A 01 push 1
006CC224 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
006CC228 |. C64424 40 01 mov byte ptr [esp+40], 1
006CC22D |. E8 1EC5E5FF call 00528750
006CC232 |. 8B7C24 20 mov edi, dword ptr [esp+20]
006CC236 |. 3BFD cmp edi, ebp
006CC238 |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
006CC23C |. C60439 03 mov byte ptr [ecx+edi], 3
006CC240 |. C74424 2C 010>mov dword ptr [esp+2C], 1
006CC248 |. 74 0D je short 006CC257
006CC24A |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006CC24E |. 8BC1 mov eax, ecx
006CC250 |. 2BC7 sub eax, edi
006CC252 |. 83F8 05 cmp eax, 5
006CC255 |. 73 14 jnb short 006CC26B
006CC257 |> 55 push ebp
006CC258 |. 6A 05 push 5
006CC25A |. 8D4C24 24 lea ecx, dword ptr [esp+24]
006CC25E |. E8 EDC4E5FF call 00528750
006CC263 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006CC267 |. 8B7C24 20 mov edi, dword ptr [esp+20]
006CC26B |> 3BFD cmp edi, ebp
006CC26D |. 8B4424 2C mov eax, dword ptr [esp+2C]
006CC271 |. 8B96 64010000 mov edx, dword ptr [esi+164]
006CC277 |. 891438 mov dword ptr [eax+edi], edx
006CC27A |. C74424 2C 050>mov dword ptr [esp+2C], 5
006CC282 |. 74 09 je short 006CC28D
006CC284 |. 8BC1 mov eax, ecx
006CC286 |. 2BC7 sub eax, edi
006CC288 |. 83F8 09 cmp eax, 9
006CC28B |. 73 14 jnb short 006CC2A1
006CC28D |> 55 push ebp
006CC28E |. 6A 09 push 9
載入某Online game
因為此 Game 一直在送包，所以不知如何追加密 call，送包間距極短。
（下面第一段 dump 是載入後 OllyDbg 停在的程式入口點：呼叫 GetVersionExA、GetModuleHandleA，再檢查 MZ／PE 標頭，屬 CRT 啟動碼，與送包無關，直接下斷往下跑即可。）
0080F728 > $ 6A 60 push 60 <<< 停留在這
0080F72A . 68 E0928D00 push 008D92E0
0080F72F . E8 DC500000 call 00814810
0080F734 . BF 94000000 mov edi, 94
0080F739 . 8BC7 mov eax, edi
0080F73B . E8 F0E5FFFF call 0080DD30
0080F740 . 8965 E8 mov dword ptr [ebp-18], esp
0080F743 . 8BF4 mov esi, esp
0080F745 . 893E mov dword ptr [esi], edi
0080F747 . 56 push esi ; /pVersionInformation
0080F748 . FF15 08518700 call dword ptr [<&KERNEL32.GetVersion>; \GetVersionExA
0080F74E . 8B4E 10 mov ecx, dword ptr [esi+10]
0080F751 . 890D CCF8B002 mov dword ptr [2B0F8CC], ecx
0080F757 . 8B46 04 mov eax, dword ptr [esi+4]
0080F75A . A3 D8F8B002 mov dword ptr [2B0F8D8], eax
0080F75F . 8B56 08 mov edx, dword ptr [esi+8]
0080F762 . 8915 DCF8B002 mov dword ptr [2B0F8DC], edx
0080F768 . 8B76 0C mov esi, dword ptr [esi+C]
0080F76B . 81E6 FF7F0000 and esi, 7FFF
0080F771 . 8935 D0F8B002 mov dword ptr [2B0F8D0], esi
0080F777 . 83F9 02 cmp ecx, 2
0080F77A . 74 0C je short 0080F788
0080F77C . 81CE 00800000 or esi, 8000
0080F782 . 8935 D0F8B002 mov dword ptr [2B0F8D0], esi
0080F788 > C1E0 08 shl eax, 8
0080F78B . 03C2 add eax, edx
0080F78D . A3 D4F8B002 mov dword ptr [2B0F8D4], eax
0080F792 . 33F6 xor esi, esi
0080F794 . 56 push esi ; /pModule => NULL
0080F795 . 8B3D 70518700 mov edi, dword ptr [<&KERNEL32.GetMo>; |kernel32.GetModuleHandleA
0080F79B . FFD7 call edi ; \GetModuleHandleA
0080F79D . 66:8138 4D5A cmp word ptr [eax], 5A4D
0080F7A2 . 75 1F jnz short 0080F7C3
0080F7A4 . 8B48 3C mov ecx, dword ptr [eax+3C]
0080F7A7 . 03C8 add ecx, eax
0080F7A9 . 8139 50450000 cmp dword ptr [ecx], 4550
0080F7AF . 75 12 jnz short 0080F7C3
0080F7B1 . 0FB741 18 movzx eax, word ptr [ecx+18]
0080F7B5 . 3D 0B010000 cmp eax, 10B
0080F7BA . 74 1F je short 0080F7DB
0080F7BC . 3D 0B020000 cmp eax, 20B
0080F7C1 . 74 05 je short 0080F7C8
0080F7C3 > 8975 E4 mov dword ptr [ebp-1C], esi
0080F7C6 . EB 27 jmp short 0080F7EF
0080F7C8 > 83B9 84000000>cmp dword ptr [ecx+84], 0E
0080F7CF .^ 76 F2 jbe short 0080F7C3
0080F7D1 . 33C0 xor eax, eax
bp send 下斷
按 F9
（注意：下面第一次停在 7C812A5B，是緊接在 call ntdll.RtlRaiseException 之後，也就是 mss32 丟出的例外被 OllyDbg 攔下，並不是 send 的中斷點。此時按 Shift+F9 把例外交回程式（或在 Options→Debugging→Exceptions 勾選忽略），再繼續才會真正停在 71A1428A 的 send。）
7C812A4E F3:A5 rep movs dword ptr es:[edi], dword p>
7C812A50 5F pop edi
7C812A51 8D45 B0 lea eax, dword ptr [ebp-50]
7C812A54 50 push eax
7C812A55 FF15 0815807C call dword ptr [<&ntdll.RtlRaiseExcep>; ntdll.RtlRaiseException
7C812A5B 5E pop esi ; mss32.2112E8F0 << 停在這
7C812A5C C9 leave
7C812A5D C2 1000 retn 10
7C812A60 85FF test edi, edi
7C812A62 ^ 0F8E 3693FFFF jle 7C80BD9E
7C812A68 8B55 FC mov edx, dword ptr [ebp-4]
7C812A6B 8955 0C mov dword ptr [ebp+C], edx
7C812A6E 0FB716 movzx edx, word ptr [esi]
7C812A71 8B7D F8 mov edi, dword ptr [ebp-8]
7C812A74 8A143A mov dl, byte ptr [edx+edi]
7C812A77 8811 mov byte ptr [ecx], dl
7C812A79 8B78 0C mov edi, dword ptr [eax+C]
7C812A7C 0FB6D2 movzx edx, dl
7C812A7F 66:8B1457 mov dx, word ptr [edi+edx*2]
7C812A83 66:3B16 cmp dx, word ptr [esi]
7C812A86 0F85 99890300 jnz 7C84B425
7C812A8C 8B50 08 mov edx, dword ptr [eax+8]
7C812A8F 66:8B5A 04 mov bx, word ptr [edx+4]
7C812A93 3819 cmp byte ptr [ecx], bl
7C812A95 0F84 97890300 je 7C84B432
7C812A9B 46 inc esi
7C812A9C 46 inc esi
7C812A9D 41 inc ecx
7C812A9E FF4D 0C dec dword ptr [ebp+C]
7C812AA1 ^ 75 CB jnz short 7C812A6E
7C812AA3 ^ E9 F692FFFF jmp 7C80BD9E
7C812AA8 8B4D 10 mov ecx, dword ptr [ebp+10]
7C812AAB E8 2478FFFF call 7C80A2D4
再按下 F9
71A14285 90 nop
71A14286 90 nop
71A14287 90 nop
71A14288 90 nop
71A14289 90 nop
71A1428A > 8BFF mov edi, edi << 停在 send 下斷的地方
71A1428C 55 push ebp
71A1428D 8BEC mov ebp, esp
71A1428F 83EC 10 sub esp, 10
71A14292 56 push esi
71A14293 57 push edi
71A14294 33FF xor edi, edi
71A14296 813D 2840A271 4>cmp dword ptr [71A24028], 71A19448
71A142A0 0F84 AD730000 je 71A1B653
71A142A6 8D45 F8 lea eax, dword ptr [ebp-8]
71A142A9 50 push eax
71A142AA E8 12520000 call 71A194C1
71A142AF 3BC7 cmp eax, edi
71A142B1 8945 FC mov dword ptr [ebp-4], eax
71A142B4 0F85 D9730000 jnz 71A1B693
71A142BA FF75 08 push dword ptr [ebp+8]
71A142BD E8 7FE8FFFF call 71A12B41
71A142C2 8BF0 mov esi, eax
71A142C4 3BF7 cmp esi, edi
71A142C6 0F84 C0730000 je 71A1B68C
71A142CC 8B45 10 mov eax, dword ptr [ebp+10]
71A142CF 53 push ebx
71A142D0 8D4D FC lea ecx, dword ptr [ebp-4]
71A142D3 51 push ecx
71A142D4 FF75 F8 push dword ptr [ebp-8]
71A142D7 8D4D 08 lea ecx, dword ptr [ebp+8]
71A142DA 57 push edi
71A142DB 57 push edi
71A142DC FF75 14 push dword ptr [ebp+14]
71A142DF 8945 F0 mov dword ptr [ebp-10], eax
71A142E2 8B45 0C mov eax, dword ptr [ebp+C]
0012FD4C 006D0C63 /CALL to send from Onlin.006D0C5D
0012FD50 0000029C |Socket = 29C
0012FD54 0AB778C0 |Data = 0AB778C0
0012FD58 00000019 |DataSize = 19 (25.)
0012FD5C 00000004 \Flags = MSG_DONTROUTE
0012FD60 00000000
0012FD64 08BAE6F8
0012FD68 00000000
按下 ctrl + f9（執行到返回，回到呼叫 send 之後的 006D0C63）
（這一段就是要找的加密位置：006D0BEA／006D0BF1 先把原始資料（來源 [esp+30]，長度 [esp+34]）rep movs 複製到 [ebp+4]；006D0C02 call 006D1CB0 以 (ebp+4, [esp+34], 0080DE48 的回傳值) 為參數，回傳 al 為 0 時印出 "Encode failed!"（008BDE50），所以 006D1CB0 就是 encode／加密函式；在 006D0C02 下斷，[ebp+4] 即為加密前的明文。[ebp] 存的是 006D1C90 回傳值 +4，看起來像長度／標頭欄位，需再確認。最後 send 的 DataSize 是 [esp+18]−ebp，即編碼後的實際長度。）
006D0B93 |. 56 push esi
006D0B94 |. 57 push edi
006D0B95 |. 0F86 A1010000 jbe 006D0D3C
006D0B9B |. 83F8 FF cmp eax, -1
006D0B9E |. 0F84 98010000 je 006D0D3C
006D0BA4 |. 896C24 14 mov dword ptr [esp+14], ebp
006D0BA8 |. 896C24 18 mov dword ptr [esp+18], ebp
006D0BAC |. 896C24 1C mov dword ptr [esp+1C], ebp
006D0BB0 |. 8B7C24 34 mov edi, dword ptr [esp+34]
006D0BB4 |. 57 push edi
006D0BB5 |. 896C24 2C mov dword ptr [esp+2C], ebp
006D0BB9 |. E8 D2100000 call 006D1C90
006D0BBE |. 83C4 04 add esp, 4
006D0BC1 |. 8D70 04 lea esi, dword ptr [eax+4]
006D0BC4 |. 55 push ebp
006D0BC5 |. 56 push esi
006D0BC6 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
006D0BCA |. 894424 3C mov dword ptr [esp+3C], eax
006D0BCE |. E8 7D7BE5FF call 00528750
006D0BD3 |. 8B6C24 14 mov ebp, dword ptr [esp+14]
006D0BD7 |. 8BCF mov ecx, edi
006D0BD9 |. 8D45 04 lea eax, dword ptr [ebp+4]
006D0BDC |. 8BF8 mov edi, eax
006D0BDE |. 8BC1 mov eax, ecx
006D0BE0 |. 8975 00 mov dword ptr [ebp], esi
006D0BE3 |. 8B7424 30 mov esi, dword ptr [esp+30]
006D0BE7 |. C1E9 02 shr ecx, 2
006D0BEA |. F3:A5 rep movs dword ptr es:[edi], dword p>
006D0BEC |. 8BC8 mov ecx, eax
006D0BEE |. 83E1 03 and ecx, 3
006D0BF1 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
006D0BF3 |. E8 50D21300 call 0080DE48
006D0BF8 |. 8B4C24 34 mov ecx, dword ptr [esp+34]
006D0BFC |. 50 push eax
006D0BFD |. 51 push ecx
006D0BFE |. 8D45 04 lea eax, dword ptr [ebp+4]
006D0C01 |. 50 push eax
006D0C02 |. E8 A9100000 call 006D1CB0
006D0C07 |. 83C4 0C add esp, 0C
006D0C0A |. 84C0 test al, al
006D0C0C |. 75 41 jnz short 006D0C4F
006D0C0E |. 83EC 1C sub esp, 1C
006D0C11 |. 8BCC mov ecx, esp
006D0C13 |. 896424 50 mov dword ptr [esp+50], esp
006D0C17 |. 68 50DE8B00 push 008BDE50 ; ASCII "Encode failed!"
006D0C1C |. E8 5F3FD3FF call 00404B80
006D0C21 |. 8B13 mov edx, dword ptr [ebx]
006D0C23 |. 6A 00 push 0
006D0C25 |. 6A 01 push 1
006D0C27 |. 8BCB mov ecx, ebx
006D0C29 |. FF92 90000000 call dword ptr [edx+90]
006D0C2F |. 55 push ebp
006D0C30 |. E8 35BE1300 call 0080CA6A
006D0C35 |. 83C4 04 add esp, 4
006D0C38 |. 33C0 xor eax, eax
006D0C3A |. 8B4C24 20 mov ecx, dword ptr [esp+20]
006D0C3E |. 64:890D 00000>mov dword ptr fs:[0], ecx
006D0C45 |. 5F pop edi
006D0C46 |. 5E pop esi
006D0C47 |. 5D pop ebp
006D0C48 |. 5B pop ebx
006D0C49 |. 83C4 1C add esp, 1C
006D0C4C |. C2 0800 retn 8
006D0C4F |> 8B7424 18 mov esi, dword ptr [esp+18]
006D0C53 |. 8B43 30 mov eax, dword ptr [ebx+30]
006D0C56 |. 6A 04 push 4 ; /Flags = MSG_DONTROUTE
006D0C58 |. 2BF5 sub esi, ebp ; |
006D0C5A |. 56 push esi ; |DataSize
006D0C5B |. 55 push ebp ; |Data
006D0C5C |. 50 push eax ; |Socket
006D0C5D |. FF15 B4538700 call dword ptr [<&WS2_32.#19>] ; \send
006D0C63 |. 83F8 FF cmp eax, -1 <<<<<<<<停在這
006D0C66 |. 0F85 91000000 jnz 006D0CFD
006D0C6C |. FF15 04548700 call dword ptr [<&WS2_32.#111>] ; [WSAGetLastError
006D0C72 |. 8BF8 mov edi, eax
006D0C74 |. 81FF E5030000 cmp edi, 3E5
006D0C7A |. 74 6E je short 006D0CEA
006D0C7C |. 81FF 33270000 cmp edi, 2733
006D0C82 |. 74 66 je short 006D0CEA
006D0C84 |. 8B0B mov ecx, dword ptr [ebx]
006D0C86 |. 68 30DE8B00 push 008BDE30 ; ASCII "Socket Client:WSASend fialed!"
006D0C8B |. 6A 01 push 1
006D0C8D |. 53 push ebx
006D0C8E |. FF91 D8000000 call dword ptr [ecx+D8]
006D0C94 |. 83EC 10 sub esp, 10
006D0C97 |. 8BCC mov ecx, esp
006D0C99 |. 896424 50 mov dword ptr [esp+50], esp
006D0C9D |. 68 6C568700 push 0087566C
006D0CA2 |. E8 D93ED3FF call 00404B80
006D0CA7 |. 8B13 mov edx, dword ptr [ebx]
006D0CA9 |. 57 push edi
006D0CAA |. 6A 06 push 6
006D0CAC |. 8BCB mov ecx, ebx
006D0CAE |. FF92 90000000 call dword ptr [edx+90]
006D0CB4 |. 8B43 30 mov eax, dword ptr [ebx+30]
006D0CB7 |. 83F8 FF cmp eax, -1
006D0CBA |. 74 07 je short 006D0CC3
006D0CBC |. 50 push eax ; /Socket
006D0CBD |. FF15 18548700 call dword ptr [<&WS2_32.#3>] ; \closesocket
006D0CC3 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
006D0CC7 |. C743 30 FFFFF>mov dword ptr [ebx+30], -1
006D0CCE |. E8 EDAAD4FF call 0041B7C0
006D0CD3 |. 33C0 xor eax, eax
006D0CD5 |. 8B4C24 20 mov ecx, dword ptr [esp+20]
006D0CD9 |. 64:890D 00000>mov dword ptr fs:[0], ecx
006D0CE0 |. 5F pop edi
再 CTRL + F9（回到上一層呼叫者 006CC110 內的 006CC18F）
（006CC110 是組包的地方：先把 [esi+50] 加一並寫進緩衝區，呼叫 006C1E30 後以 (緩衝區指標 [esp+C], 長度 [esp+18]) 呼叫 006D0B70，也就是上面那段做 encode 再 send 的函式。[esi+50] 看起來像封包序號，需再確認。）
006CC10B CC int3
006CC10C CC int3
006CC10D CC int3
006CC10E CC int3
006CC10F CC int3
006CC110 /$ 6A FF push -1
006CC112 |. 68 58D38500 push 0085D358 ; SE handler installation
006CC117 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
006CC11D |. 50 push eax
006CC11E |. 64:8925 00000>mov dword ptr fs:[0], esp
006CC125 |. 83EC 14 sub esp, 14
006CC128 |. 56 push esi
006CC129 |. 57 push edi
006CC12A |. 33FF xor edi, edi
006CC12C |. 8BF1 mov esi, ecx
006CC12E |. 897C24 0C mov dword ptr [esp+C], edi
006CC132 |. 897C24 10 mov dword ptr [esp+10], edi
006CC136 |. 897C24 14 mov dword ptr [esp+14], edi
006CC13A |. 897C24 18 mov dword ptr [esp+18], edi
006CC13E |. 8B4E 50 mov ecx, dword ptr [esi+50]
006CC141 |. 41 inc ecx
006CC142 |. 57 push edi
006CC143 |. 894E 50 mov dword ptr [esi+50], ecx
006CC146 |. 6A 04 push 4
006CC148 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
006CC14C |. 897C24 2C mov dword ptr [esp+2C], edi
006CC150 |. E8 FBC5E5FF call 00528750
006CC155 |. 8B46 50 mov eax, dword ptr [esi+50]
006CC158 |. 8B4C24 0C mov ecx, dword ptr [esp+C]
006CC15C |. 8B5424 18 mov edx, dword ptr [esp+18]
006CC160 |. 89040A mov dword ptr [edx+ecx], eax
006CC163 |. 8B4424 30 mov eax, dword ptr [esp+30]
006CC167 |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
006CC16B |. 50 push eax
006CC16C |. 51 push ecx
006CC16D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
006CC171 |. C74424 20 040>mov dword ptr [esp+20], 4
006CC179 |. E8 B25CFFFF call 006C1E30
006CC17E |. 8B5424 18 mov edx, dword ptr [esp+18]
006CC182 |. 8B4424 0C mov eax, dword ptr [esp+C]
006CC186 |. 52 push edx
006CC187 |. 50 push eax
006CC188 |. 8BCE mov ecx, esi
006CC18A |. E8 E1490000 call 006D0B70
006CC18F |. 8BF0 mov esi, eax <<<<<停留在這
006CC191 |. 8B4424 0C mov eax, dword ptr [esp+C]
006CC195 |. 3BC7 cmp eax, edi
006CC197 |. 74 09 je short 006CC1A2
006CC199 |. 50 push eax
006CC19A |. E8 CB081400 call 0080CA6A
006CC19F |. 83C4 04 add esp, 4
006CC1A2 |> 8B4C24 1C mov ecx, dword ptr [esp+1C]
006CC1A6 |. 5F pop edi
006CC1A7 |. 8BC6 mov eax, esi
006CC1A9 |. 5E pop esi
006CC1AA |. 64:890D 00000>mov dword ptr fs:[0], ecx
006CC1B1 |. 83C4 20 add esp, 20
006CC1B4 \. C2 0800 retn 8
006CC1B7 CC int3
006CC1B8 CC int3
006CC1B9 CC int3
006CC1BA CC int3
006CC1BB CC int3
006CC1BC CC int3
006CC1BD CC int3
006CC1BE CC int3
006CC1BF CC int3
006CC1C0 /$ 6A FF push -1
006CC1C2 |. 68 38D38500 push 0085D338 ; SE handler installation
006CC1C7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
006CC1CD |. 50 push eax
006CC1CE |. 64:8925 00000>mov dword ptr fs:[0], esp
006CC1D5 |. 83EC 20 sub esp, 20
006CC1D8 |. 53 push ebx
006CC1D9 |. 55 push ebp
006CC1DA |. 56 push esi
006CC1DB |. 8BF1 mov esi, ecx
006CC1DD |. 8D8E 58010000 lea ecx, dword ptr [esi+158]
006CC1E3 |. 57 push edi
006CC1E4 |. 894C24 14 mov dword ptr [esp+14], ecx
006CC1E8 |. E8 83031400 call 0080C570
006CC1ED |. C64424 18 01 mov byte ptr [esp+18], 1
006CC1F2 |. 8A86 60010000 mov al, byte ptr [esi+160]
006CC1F8 |. 33ED xor ebp, ebp
006CC1FA |. 84C0 test al, al
006CC1FC |. 896C24 38 mov dword ptr [esp+38], ebp
006CC200 |. 0F84 D5000000 je 006CC2DB
006CC206 |. 8B06 mov eax, dword ptr [esi]
006CC208 |. 8BCE mov ecx, esi
006CC20A |. FF50 04 call dword ptr [eax+4]
006CC20D |. D95C24 10 fstp dword ptr [esp+10]
006CC211 |. 896C24 20 mov dword ptr [esp+20], ebp
006CC215 |. 896C24 24 mov dword ptr [esp+24], ebp
006CC219 |. 896C24 28 mov dword ptr [esp+28], ebp
006CC21D |. 896C24 2C mov dword ptr [esp+2C], ebp
006CC221 |. 55 push ebp
006CC222 |. 6A 01 push 1
006CC224 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
006CC228 |. C64424 40 01 mov byte ptr [esp+40], 1
006CC22D |. E8 1EC5E5FF call 00528750
006CC232 |. 8B7C24 20 mov edi, dword ptr [esp+20]
006CC236 |. 3BFD cmp edi, ebp
006CC238 |. 8B4C24 2C mov ecx, dword ptr [esp+2C]
006CC23C |. C60439 03 mov byte ptr [ecx+edi], 3
006CC240 |. C74424 2C 010>mov dword ptr [esp+2C], 1
006CC248 |. 74 0D je short 006CC257
006CC24A |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006CC24E |. 8BC1 mov eax, ecx
006CC250 |. 2BC7 sub eax, edi
006CC252 |. 83F8 05 cmp eax, 5
006CC255 |. 73 14 jnb short 006CC26B
006CC257 |> 55 push ebp
006CC258 |. 6A 05 push 5
006CC25A |. 8D4C24 24 lea ecx, dword ptr [esp+24]
006CC25E |. E8 EDC4E5FF call 00528750
006CC263 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006CC267 |. 8B7C24 20 mov edi, dword ptr [esp+20]
006CC26B |> 3BFD cmp edi, ebp
006CC26D |. 8B4424 2C mov eax, dword ptr [esp+2C]
006CC271 |. 8B96 64010000 mov edx, dword ptr [esi+164]
006CC277 |. 891438 mov dword ptr [eax+edi], edx
006CC27A |. C74424 2C 050>mov dword ptr [esp+2C], 5
006CC282 |. 74 09 je short 006CC28D
006CC284 |. 8BC1 mov eax, ecx
006CC286 |. 2BC7 sub eax, edi
006CC288 |. 83F8 09 cmp eax, 9
006CC28B |. 73 14 jnb short 006CC2A1
006CC28D |> 55 push ebp
006CC28E |. 6A 09 push 9