[求助]即时通讯软件消息加密方法的查找-经典问答-看雪-安全社区|安全招聘|kanxue.com

[求助]即时通讯软件消息加密方法的查找

发表于: 2008-12-31 11:01 3641

[求助]即时通讯软件消息加密方法的查找

uncooldog

2008-12-31 11:01

3641

各位大牛，小弟是新手，目前正在折腾某即时通讯软件，现在已经通过od找出了发送消息的call如下

004733E0 .  8B4424 0C    mov    eax, dword ptr [esp+C]
004733E4 .  8B5424 08    mov    edx, dword ptr [esp+8]
004733E8 .  8B49 34    mov    ecx, dword ptr [ecx+34]
004733EB .  50          push eax                            ; /Flags
004733EC .  8B4424 08    mov    eax, dword ptr [esp+8]          ; |
004733F0 .  52          push edx                            ; |DataSize
004733F1 .  50          push eax                            ; |Data
004733F2 .  51          push ecx                            ; |Socket
004733F3 .  FF15 28FB7200 call dword ptr [<&WS2_32.#19>]       ; \send
004733F9 .  C2 0C00    retn 0C

跟踪到上一层后，感觉好像不能继续往上找了，就在这段代码里面循环等待了，这样的话问题就是这个call里面的参数中的 Data 究竟是如何组成的小弟没办法找到，这个data里面应该包含了接收方的用户名和加密后的消息

00474949 .  C745 0C 00000>mov    dword ptr [ebp+C], 0
00474950 >  C74424 20 FFF>mov    dword ptr [esp+20], -1
00474958 .  8D86 A0000000 lea    eax, dword ptr [esi+A0]
0047495E .  50          push eax                            ; /pCriticalSection
0047495F .  FF15 28E37200 call dword ptr [<&KERNEL32.LeaveCriti>; \LeaveCriticalSection
00474965 .  85DB       test ebx, ebx
00474967 .  0F84 A8000000 je    00474A15
0047496D .  8B53 04    mov    edx, dword ptr [ebx+4]
00474970 .  8B46 5C    mov    eax, dword ptr [esi+5C]
00474973 .  8B40 10    mov    eax, dword ptr [eax+10]
00474976 .  6A 00       push 0
00474978 .  8D4E 5C    lea    ecx, dword ptr [esi+5C]
0047497B .  52          push edx
0047497C .  8B53 08    mov    edx, dword ptr [ebx+8]
0047497F .  52          push edx
00474980 .  FFD0       call eax
00474982 .  8BF8       mov    edi, eax
00474984 .  85FF       test edi, edi

data的内容如下，252个，到AB AB AB AB 前面为止

017B7990  8F 01 01 00 00 00 10 63 6E 74 61 6F 62 61 6F 68  ?...cntaobaoh
017B79A0  65 6C 6C 6F 6B 69 74 74 79 6D 61 6E 5F 32 30 30  ellokittyman_200
017B79B0  38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  8...............
017B79C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
017B79D0  00 00 00 00 00 00 00 01 01 2B 00 00 00 00 1B 86  .......+....
017B79E0  00 00 00 A8 5B 66 87 B9 FD 01 4C 8E F8 83 D7 D0  ...╗f嚬?L庿冏
017B79F0  AE A7 4E 46 E0 1B 94 B1 84 AD 63 E8 8A 20 B8 8D  NF?敱劖c鑺笉
017B7A00  C7 4D 73 F0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E  荕s?液嶫dA?液
017B7A10  4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E  JdA?液嶫dA?液
017B7A20  4A 64 41 B0 5B 66 87 B9 FD 01 4C 8E 94 62 55 94  JdA癧f嚬?L帞bU
017B7A30  57 92 85 3D 83 F8 86 8F 0B CD 6D 1B 05 D2 BA 8E  W拝=凐啅蚼液
017B7A40  4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E  JdA?液嶫dA?液
017B7A50  4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E  JdA?液嶫dA?液
017B7A60  4A 64 41 B0 F7 BB FE 10 05 0C C0 61 26 86 A5 E4  JdA镑箕.繿&啣
017B7A70  3E 4B 51 1B A3 A5 9F 66 33 C1 16 1A 78 57 F2 F0  >KQ％焒3?xW蝠
017B7A80  7C 12 6B 8C 15 66 11 3C 9A C2 7D A4 AB AB AB AB  |k?f<毬}か

小弟想知道，有什么办法可以找到生成data的这段代码，或者其他方法得知data是怎么组成的，以下是调用call eax的整段代码，请各位大哥不吝赐教，谢谢了

00474880 .  6A FF       push -1
00474882 .  68 48B37000 push 0070B348
00474887 .  64:A1 0000000>mov    eax, dword ptr fs:[0]
0047488D .  50          push eax
0047488E .  51          push ecx
0047488F .  53          push ebx
00474890 .  55          push ebp
00474891 .  56          push esi
00474892 .  57          push edi
00474893 .  A1 64A07F00 mov    eax, dword ptr [7FA064]
00474898 .  33C4       xor    eax, esp
0047489A .  50          push eax
0047489B .  8D4424 18    lea    eax, dword ptr [esp+18]
0047489F .  64:A3 0000000>mov    dword ptr fs:[0], eax
004748A5 .  8B7424 28    mov    esi, dword ptr [esp+28]
004748A9 .  8B46 28    mov    eax, dword ptr [esi+28]
004748AC .  83F8 03    cmp    eax, 3
004748AF .  8DAE D0000000 lea    ebp, dword ptr [esi+D0]
004748B5 .  0F85 86010000 jnz    00474A41
004748BB .  EB 03       jmp    short 004748C0
004748BD    8D49 00    lea    ecx, dword ptr [ecx]
004748C0 >  8D86 A0000000 lea    eax, dword ptr [esi+A0]
004748C6 .  50          push eax                            ; /pCriticalSection
004748C7 .  33DB       xor    ebx, ebx                      ; |
004748C9 .  894424 18    mov    dword ptr [esp+18], eax       ; |
004748CD .  FF15 24E37200 call dword ptr [<&KERNEL32.EnterCriti>; \EnterCriticalSection
004748D3 .  895C24 20    mov    dword ptr [esp+20], ebx
004748D7 .  8B45 10    mov    eax, dword ptr [ebp+10]
004748DA .  3BC3       cmp    eax, ebx
004748DC .  74 72       je    short 00474950
004748DE .  8B5D 0C    mov    ebx, dword ptr [ebp+C]
004748E1 .  03C3       add    eax, ebx
004748E3 .  3BD8       cmp    ebx, eax
004748E5 .  76 06       jbe    short 004748ED
004748E7 .  FF15 4CF77200 call dword ptr [<&MSVCR80._invalid_pa>;  MSVCR80._invalid_parameter_noinfo
004748ED >  8B4D 10    mov    ecx, dword ptr [ebp+10]
004748F0 .  034D 0C    add    ecx, dword ptr [ebp+C]
004748F3 .  8BFB       mov    edi, ebx
004748F5 .  8BC3       mov    eax, ebx
004748F7 .  83E0 03    and    eax, 3
004748FA .  C1EF 02    shr    edi, 2
004748FD .  3BD9       cmp    ebx, ecx
004748FF .  894424 28    mov    dword ptr [esp+28], eax
00474903 .  72 0A       jb    short 0047490F
00474905 .  FF15 4CF77200 call dword ptr [<&MSVCR80._invalid_pa>;  MSVCR80._invalid_parameter_noinfo
0047490B .  8B4424 28    mov    eax, dword ptr [esp+28]
0047490F >  8B4D 08    mov    ecx, dword ptr [ebp+8]
00474912 .  3BCF       cmp    ecx, edi
00474914 .  77 02       ja    short 00474918
00474916 .  2BF9       sub    edi, ecx
00474918 >  8B55 04    mov    edx, dword ptr [ebp+4]
0047491B .  8B0CBA       mov    ecx, dword ptr [edx+edi*4]
0047491E .  8B1C81       mov    ebx, dword ptr [ecx+eax*4]
00474921 .  8B45 10    mov    eax, dword ptr [ebp+10]
00474924 .  85C0       test eax, eax
00474926 .  74 28       je    short 00474950
00474928 .  8B55 08    mov    edx, dword ptr [ebp+8]
0047492B .  8345 0C 01 add    dword ptr [ebp+C], 1
0047492F .  8B4D 0C    mov    ecx, dword ptr [ebp+C]
00474932 .  03D2       add    edx, edx
00474934 .  03D2       add    edx, edx
00474936 .  3BD1       cmp    edx, ecx
00474938 .  77 07       ja    short 00474941
0047493A .  C745 0C 00000>mov    dword ptr [ebp+C], 0
00474941 >  83C0 FF    add    eax, -1
00474944 .  8945 10    mov    dword ptr [ebp+10], eax
00474947 .  75 07       jnz    short 00474950
00474949 .  C745 0C 00000>mov    dword ptr [ebp+C], 0
00474950 >  C74424 20 FFF>mov    dword ptr [esp+20], -1
00474958 .  8D86 A0000000 lea    eax, dword ptr [esi+A0]
0047495E .  50          push eax                            ; /pCriticalSection
0047495F .  FF15 28E37200 call dword ptr [<&KERNEL32.LeaveCriti>; \LeaveCriticalSection
00474965 .  85DB       test ebx, ebx
00474967 .  0F84 A8000000 je    00474A15
0047496D .  8B53 04    mov    edx, dword ptr [ebx+4]
00474970 .  8B46 5C    mov    eax, dword ptr [esi+5C]
00474973 .  8B40 10    mov    eax, dword ptr [eax+10]
00474976 .  6A 00       push 0
00474978 .  8D4E 5C    lea    ecx, dword ptr [esi+5C]
0047497B .  52          push edx
0047497C .  8B53 08    mov    edx, dword ptr [ebx+8]
0047497F .  52          push edx
00474980 .  FFD0       call eax
00474982 .  8BF8       mov    edi, eax
00474984 .  85FF       test edi, edi
00474986 .  C74424 28 000>mov    dword ptr [esp+28], 0
0047498E .  7E 3D       jle    short 004749CD
00474990 >  3B7B 04    cmp    edi, dword ptr [ebx+4]
00474993 .  7D 38       jge    short 004749CD
00474995 .  6A 64       push 64                            ; /Timeout = 100. ms
00474997 .  FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
0047499D .  8B43 04    mov    eax, dword ptr [ebx+4]
004749A0 .  8B56 5C    mov    edx, dword ptr [esi+5C]
004749A3 .  8B52 10    mov    edx, dword ptr [edx+10]
004749A6 .  2BC7       sub    eax, edi
004749A8 .  6A 00       push 0
004749AA .  50          push eax
004749AB .  8B43 08    mov    eax, dword ptr [ebx+8]
004749AE .  8D4E 5C    lea    ecx, dword ptr [esi+5C]
004749B1 .  03C7       add    eax, edi
004749B3 .  50          push eax
004749B4 .  FFD2       call edx
004749B6 .  83F8 FF    cmp    eax, -1
004749B9 .  74 08       je    short 004749C3
004749BB .  03F8       add    edi, eax
004749BD .  85C0       test eax, eax
004749BF .^ 7F CF       jg    short 00474990
004749C1 .  EB 0A       jmp    short 004749CD
004749C3 >  FF15 40FB7200 call dword ptr [<&WS2_32.#111>]    ; [WSAGetLastError
004749C9 .  894424 28    mov    dword ptr [esp+28], eax
004749CD >  6A 0F       push 0F                            ; /Timeout = 15. ms
004749CF .  FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
004749D5 .  2B7B 04    sub    edi, dword ptr [ebx+4]
004749D8 .  8B46 58    mov    eax, dword ptr [esi+58]
004749DB .  F7DF       neg    edi
004749DD .  1BFF       sbb    edi, edi
004749DF .  237C24 28    and    edi, dword ptr [esp+28]
004749E3 .  57          push edi                            ; /lParam
004749E4 .  56          push esi                            ; |wParam
004749E5 .  68 E9070000 push 7E9                            ; |Message = MSG(7E9)
004749EA .  50          push eax                            ; |hWnd
004749EB .  FF15 40FA7200 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
004749F1 .  8B13       mov    edx, dword ptr [ebx]
004749F3 .  8B02       mov    eax, dword ptr [edx]
004749F5 .  6A 01       push 1
004749F7 .  8BCB       mov    ecx, ebx
004749F9 .  FFD0       call eax
004749FB .  C746 34 00000>mov    dword ptr [esi+34], 0
00474A02 .  FF15 F4E27200 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
00474A08 .  8946 38    mov    dword ptr [esi+38], eax
00474A0B .  05 50C30000 add    eax, 0C350
00474A10 .  8946 3C    mov    dword ptr [esi+3C], eax
00474A13 .  EB 08       jmp    short 00474A1D
00474A15 >  6A 64       push 64                            ; /Timeout = 100. ms
00474A17 .  FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00474A1D >  E8 AE010000 call 00474BD0
00474A22 .  85C0       test eax, eax
00474A24 .  75 11       jnz    short 00474A37
00474A26 .  8B4E 58    mov    ecx, dword ptr [esi+58]
00474A29 .  50          push eax                            ; /lParam
00474A2A .  56          push esi                            ; |wParam
00474A2B .  68 EB070000 push 7EB                            ; |Message = MSG(7EB)
00474A30 .  51          push ecx                            ; |hWnd
00474A31 .  FF15 40FA7200 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
00474A37 >  837E 28 03 cmp    dword ptr [esi+28], 3
00474A3B .^ 0F84 7FFEFFFF je    004748C0
00474A41 >  837E 28 04 cmp    dword ptr [esi+28], 4
00474A45 .  75 0E       jnz    short 00474A55
00474A47 .  8D86 A0000000 lea    eax, dword ptr [esi+A0]
00474A4D .  50          push eax
00474A4E .  55          push ebp
00474A4F .  56          push esi
00474A50 .  E8 1B000000 call 00474A70
00474A55 >  33C0       xor    eax, eax
00474A57 .  8B4C24 18    mov    ecx, dword ptr [esp+18]
00474A5B .  64:890D 00000>mov    dword ptr fs:[0], ecx
00474A62 .  59          pop    ecx
00474A63 .  5F          pop    edi
00474A64 .  5E          pop    esi
00474A65 .  5D          pop    ebp
00474A66 .  5B          pop    ebx
00474A67 .  83C4 10    add    esp, 10
00474A6A .  C3          retn

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (3)
北极狐狸雪币： 2368 活跃值： (81) 能力值： (RANK：300 ) 在线值：发帖 46 回帖 1342 粉丝 0 关注私信	北极狐狸 7 2 楼分析的不错，继续努力.要相到，正巧和你分析同一个软件的娃们不多...所以自己就更加努力了.... 2008-12-31 12:58 0
uncooldog 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 5 粉丝 0 关注私信	uncooldog 3 楼版主的鼓励让我大受鼓舞啊要是有更深层次一点的鼓励就好了 2008-12-31 13:26 0
zheng郑雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 42 粉丝 0 关注私信	zheng郑 4 楼这个消息内容采用转为乱码保护 2008-12-31 16:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

uncooldog

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
北极狐狸雪币： 2368 活跃值： (81) 能力值： (RANK：300 ) 在线值：发帖 46 回帖 1342 粉丝 0 关注私信	北极狐狸 7 2 楼分析的不错，继续努力.要相到，正巧和你分析同一个软件的娃们不多...所以自己就更加努力了.... 2008-12-31 12:58 0
uncooldog 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 5 粉丝 0 关注私信	uncooldog 3 楼版主的鼓励让我大受鼓舞啊要是有更深层次一点的鼓励就好了 2008-12-31 13:26 0
zheng郑雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 42 粉丝 0 关注私信	zheng郑 4 楼这个消息内容采用转为乱码保护 2008-12-31 16:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复