各位大牛,小弟是新手,目前正在折腾某即时通讯软件,现在已经通过od找出了发送消息的call如下
; ---------------------------------------------------------------------------
; sub_004733E0 — thin wrapper around WS2_32.send
;   int __thiscall send_wrapper(this, data, len, flags)
; In:   ecx = this, [ecx+34] = SOCKET
;       [esp+4] = data, [esp+8] = len, [esp+C] = flags (at entry)
; Out:  eax = whatever send() returns (bytes sent, or SOCKET_ERROR)
; Clob: eax, ecx, edx, flags
; The arguments are passed straight through: nothing here reads, checks or
; transforms the buffer, so its contents are fixed before this call is reached.
; retn 0C: the callee pops the three stack arguments (stdcall-style thiscall).
; ---------------------------------------------------------------------------
004733E0 . 8B4424 0C mov eax, dword ptr [esp+C] ; eax = flags  (arg3)
004733E4 . 8B5424 08 mov edx, dword ptr [esp+8] ; edx = len    (arg2)
004733E8 . 8B49 34 mov ecx, dword ptr [ecx+34] ; ecx = this->socket
004733EB . 50 push eax ; /Flags
004733EC . 8B4424 08 mov eax, dword ptr [esp+8] ; | eax = data (arg1; [esp+8] because the push above shifted esp by 4)
004733F0 . 52 push edx ; |DataSize
004733F1 . 50 push eax ; |Data
004733F2 . 51 push ecx ; |Socket
004733F3 . FF15 28FB7200 call dword ptr [<&WS2_32.#19>] ; \send(socket, data, len, flags)
004733F9 . C2 0C00 retn 0C ; eax = send() result; pop 3 dword args
跟踪到上一层后,感觉好像不能继续往上找了,程序就在这段代码里面循环等待。这样的话,问题就是这个call的参数中的 Data 究竟是如何组成的,小弟没办法找到;这个data里面应该包含了接收方的用户名和加密后的消息。
00474949 . C745 0C 00000>mov dword ptr [ebp+C], 0
00474950 > C74424 20 FFF>mov dword ptr [esp+20], -1
00474958 . 8D86 A0000000 lea eax, dword ptr [esi+A0]
0047495E . 50 push eax ; /pCriticalSection
0047495F . FF15 28E37200 call dword ptr [<&KERNEL32.LeaveCriti>; \LeaveCriticalSection
00474965 . 85DB test ebx, ebx
00474967 . 0F84 A8000000 je 00474A15
0047496D . 8B53 04 mov edx, dword ptr [ebx+4]
00474970 . 8B46 5C mov eax, dword ptr [esi+5C]
00474973 . 8B40 10 mov eax, dword ptr [eax+10]
00474976 . 6A 00 push 0
00474978 . 8D4E 5C lea ecx, dword ptr [esi+5C]
0047497B . 52 push edx
0047497C . 8B53 08 mov edx, dword ptr [ebx+8]
0047497F . 52 push edx
00474980 . FFD0 call eax
00474982 . 8BF8 mov edi, eax
00474984 . 85FF test edi, edi
data的内容如下,共252字节,到 AB AB AB AB 前面为止
017B7990 8F 01 01 00 00 00 10 63 6E 74 61 6F 62 61 6F 68 ?...cntaobaoh
017B79A0 65 6C 6C 6F 6B 69 74 74 79 6D 61 6E 5F 32 30 30 ellokittyman_200
017B79B0 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8...............
017B79C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
017B79D0 00 00 00 00 00 00 00 01 01 2B 00 00 00 00 1B 86 .......+....
017B79E0 00 00 00 A8 5B 66 87 B9 FD 01 4C 8E F8 83 D7 D0 ...╗f嚬?L庿冏
017B79F0 AE A7 4E 46 E0 1B 94 B1 84 AD 63 E8 8A 20 B8 8D NF?敱劖c鑺 笉
017B7A00 C7 4D 73 F0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E 荕s?液嶫dA?液
017B7A10 4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E JdA?液嶫dA?液
017B7A20 4A 64 41 B0 5B 66 87 B9 FD 01 4C 8E 94 62 55 94 JdA癧f嚬?L帞bU
017B7A30 57 92 85 3D 83 F8 86 8F 0B CD 6D 1B 05 D2 BA 8E W拝=凐啅蚼液
017B7A40 4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E JdA?液嶫dA?液
017B7A50 4A 64 41 B0 05 D2 BA 8E 4A 64 41 B0 05 D2 BA 8E JdA?液嶫dA?液
017B7A60 4A 64 41 B0 F7 BB FE 10 05 0C C0 61 26 86 A5 E4 JdA镑箕.繿&啣
017B7A70 3E 4B 51 1B A3 A5 9F 66 33 C1 16 1A 78 57 F2 F0 >KQ%焒3?xW蝠
017B7A80 7C 12 6B 8C 15 66 11 3C 9A C2 7D A4 AB AB AB AB |k?f<毬}か
小弟想知道,有什么办法可以找到生成data的这段代码,或者其他方法得知data是怎么组成的,以下是调用call eax的整段代码,请各位大哥不吝赐教,谢谢了
; ---------------------------------------------------------------------------
; sub_00474880 — send-queue worker loop
;   int __cdecl worker(obj)            ; one stack argument, returns eax = 0
; While obj->state ([esi+28]) == 3: take the front item off a queue under a
; critical section, hand its buffer to a virtual send method, retry partial
; sends, notify a window via PostMessageA, destroy the item, repeat.
; Register roles inside the loop:
;   esi = obj (arg1)                 ebp = &obj->queue  ([esi+D0])
;   ebx = current item, 0 = none     edi = bytes sent so far, later PostMessage lParam
; obj fields touched here: +28 state, +34/+38/+3C counters/timestamps,
;   +58 HWND, +5C embedded sender object (vtable slot +10 is the send method),
;   +A0 CRITICAL_SECTION, +D0 queue {+4 map, +8 mapsize, +C offset, +10 size}.
; item layout: +0 vtable, +4 length, +8 data pointer.
; NOTE(review): the queue arithmetic below (offset/4 block index, offset&3
;   element index, map wrap-around, offset reset at mapsize*4) matches MSVC
;   std::deque<T*> front()/pop_front() — inferred from the pattern, confirm.
; NOTE(review): stack slot roles ([esp+18] local, [esp+20] EH trylevel,
;   [esp+28] arg1 slot reused as scratch / error code) are derived from the
;   prologue push count; re-check if the listing is re-taken from another build.
; ---------------------------------------------------------------------------
00474880 . 6A FF push -1 ; SEH frame: initial trylevel = -1
00474882 . 68 48B37000 push 0070B348 ; exception handler / scope table for this frame
00474887 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; previous SEH registration
0047488D . 50 push eax
0047488E . 51 push ecx ; reserves one dword local (holds &cs later)
0047488F . 53 push ebx ; save callee-saved registers
00474890 . 55 push ebp
00474891 . 56 push esi
00474892 . 57 push edi
00474893 . A1 64A07F00 mov eax, dword ptr [7FA064] ; looks like the MSVC frame cookie (global ^ esp) — inferred;
00474898 . 33C4 xor eax, esp ;   no cookie check appears before retn in this listing
0047489A . 50 push eax
0047489B . 8D4424 18 lea eax, dword ptr [esp+18] ; install this frame's EH registration record
0047489F . 64:A3 0000000>mov dword ptr fs:[0], eax
004748A5 . 8B7424 28 mov esi, dword ptr [esp+28] ; esi = arg1 (obj)
004748A9 . 8B46 28 mov eax, dword ptr [esi+28] ; obj->state
004748AC . 83F8 03 cmp eax, 3
004748AF . 8DAE D0000000 lea ebp, dword ptr [esi+D0] ; ebp = &obj->queue
004748B5 . 0F85 86010000 jnz 00474A41 ; state != 3: skip the loop, go to the state==4 check
004748BB . EB 03 jmp short 004748C0
004748BD 8D49 00 lea ecx, dword ptr [ecx] ; unreachable alignment filler
004748C0 > 8D86 A0000000 lea eax, dword ptr [esi+A0] ; --- loop top: &obj->cs
004748C6 . 50 push eax ; /pCriticalSection
004748C7 . 33DB xor ebx, ebx ; | ebx = 0 (no item yet)
004748C9 . 894424 18 mov dword ptr [esp+18], eax ; | stash &cs in the local slot (presumably for the unwind handler)
004748CD . FF15 24E37200 call dword ptr [<&KERNEL32.EnterCriti>; \EnterCriticalSection
004748D3 . 895C24 20 mov dword ptr [esp+20], ebx ; trylevel = 0 while the lock is held
004748D7 . 8B45 10 mov eax, dword ptr [ebp+10] ; queue.size
004748DA . 3BC3 cmp eax, ebx
004748DC . 74 72 je short 00474950 ; empty: unlock with ebx = 0
004748DE . 8B5D 0C mov ebx, dword ptr [ebp+C] ; queue.offset (index of the front element)
004748E1 . 03C3 add eax, ebx ; offset + size
004748E3 . 3BD8 cmp ebx, eax
004748E5 . 76 06 jbe short 004748ED ; unsigned overflow check on the index range
004748E7 . FF15 4CF77200 call dword ptr [<&MSVCR80._invalid_pa>; MSVCR80._invalid_parameter_noinfo
004748ED > 8B4D 10 mov ecx, dword ptr [ebp+10]
004748F0 . 034D 0C add ecx, dword ptr [ebp+C] ; ecx = offset + size (end index)
004748F3 . 8BFB mov edi, ebx
004748F5 . 8BC3 mov eax, ebx
004748F7 . 83E0 03 and eax, 3 ; eax = offset & 3  (element within a 4-entry block)
004748FA . C1EF 02 shr edi, 2 ; edi = offset >> 2 (block index)
004748FD . 3BD9 cmp ebx, ecx
004748FF . 894424 28 mov dword ptr [esp+28], eax ; spill eax into the (now unused) arg1 slot
00474903 . 72 0A jb short 0047490F ; offset < end: index in range
00474905 . FF15 4CF77200 call dword ptr [<&MSVCR80._invalid_pa>; MSVCR80._invalid_parameter_noinfo
0047490B . 8B4424 28 mov eax, dword ptr [esp+28] ; reload eax (clobbered by the call)
0047490F > 8B4D 08 mov ecx, dword ptr [ebp+8] ; queue.mapsize
00474912 . 3BCF cmp ecx, edi
00474914 . 77 02 ja short 00474918
00474916 . 2BF9 sub edi, ecx ; wrap the block index around the circular map
00474918 > 8B55 04 mov edx, dword ptr [ebp+4] ; queue.map
0047491B . 8B0CBA mov ecx, dword ptr [edx+edi*4] ; block pointer
0047491E . 8B1C81 mov ebx, dword ptr [ecx+eax*4] ; ebx = front item pointer
00474921 . 8B45 10 mov eax, dword ptr [ebp+10] ; --- pop_front: size
00474924 . 85C0 test eax, eax
00474926 . 74 28 je short 00474950
00474928 . 8B55 08 mov edx, dword ptr [ebp+8] ; mapsize
0047492B . 8345 0C 01 add dword ptr [ebp+C], 1 ; offset++
0047492F . 8B4D 0C mov ecx, dword ptr [ebp+C]
00474932 . 03D2 add edx, edx
00474934 . 03D2 add edx, edx ; edx = mapsize * 4 = total element capacity
00474936 . 3BD1 cmp edx, ecx
00474938 . 77 07 ja short 00474941
0047493A . C745 0C 00000>mov dword ptr [ebp+C], 0 ; offset reached capacity: wrap to 0
00474941 > 83C0 FF add eax, -1 ; size--
00474944 . 8945 10 mov dword ptr [ebp+10], eax
00474947 . 75 07 jnz short 00474950
00474949 . C745 0C 00000>mov dword ptr [ebp+C], 0 ; queue now empty: reset offset
00474950 > C74424 20 FFF>mov dword ptr [esp+20], -1 ; trylevel = -1: leaving the locked region
00474958 . 8D86 A0000000 lea eax, dword ptr [esi+A0]
0047495E . 50 push eax ; /pCriticalSection
0047495F . FF15 28E37200 call dword ptr [<&KERNEL32.LeaveCriti>; \LeaveCriticalSection
00474965 . 85DB test ebx, ebx
00474967 . 0F84 A8000000 je 00474A15 ; no item: sleep 100 ms and re-check state
0047496D . 8B53 04 mov edx, dword ptr [ebx+4] ; item->length
00474970 . 8B46 5C mov eax, dword ptr [esi+5C] ; vtable of the embedded object at obj+5C
00474973 . 8B40 10 mov eax, dword ptr [eax+10] ; virtual slot 4 = send method
00474976 . 6A 00 push 0 ; flags = 0
00474978 . 8D4E 5C lea ecx, dword ptr [esi+5C] ; this = &obj->sender
0047497B . 52 push edx ; length
0047497C . 8B53 08 mov edx, dword ptr [ebx+8] ; item->data
0047497F . 52 push edx
00474980 . FFD0 call eax ; thiscall sender->send(data, length, 0); argument shape matches sub_004733E0 — inferred
00474982 . 8BF8 mov edi, eax ; edi = bytes sent (or SOCKET_ERROR)
00474984 . 85FF test edi, edi
00474986 . C74424 28 000>mov dword ptr [esp+28], 0 ; error code = 0
0047498E . 7E 3D jle short 004749CD ; nothing sent / error: skip the retry loop
00474990 > 3B7B 04 cmp edi, dword ptr [ebx+4] ; --- retry loop: while sent < length
00474993 . 7D 38 jge short 004749CD ; whole item sent
00474995 . 6A 64 push 64 ; /Timeout = 100. ms
00474997 . FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
0047499D . 8B43 04 mov eax, dword ptr [ebx+4]
004749A0 . 8B56 5C mov edx, dword ptr [esi+5C]
004749A3 . 8B52 10 mov edx, dword ptr [edx+10] ; same send method
004749A6 . 2BC7 sub eax, edi ; remaining = length - sent
004749A8 . 6A 00 push 0
004749AA . 50 push eax
004749AB . 8B43 08 mov eax, dword ptr [ebx+8]
004749AE . 8D4E 5C lea ecx, dword ptr [esi+5C]
004749B1 . 03C7 add eax, edi ; data + sent
004749B3 . 50 push eax
004749B4 . FFD2 call edx ; sender->send(data + sent, remaining, 0)
004749B6 . 83F8 FF cmp eax, -1
004749B9 . 74 08 je short 004749C3 ; SOCKET_ERROR
004749BB . 03F8 add edi, eax ; sent += ret
004749BD . 85C0 test eax, eax
004749BF .^ 7F CF jg short 00474990 ; progress made: keep sending
004749C1 . EB 0A jmp short 004749CD ; ret == 0: give up on this item
004749C3 > FF15 40FB7200 call dword ptr [<&WS2_32.#111>] ; [WSAGetLastError
004749C9 . 894424 28 mov dword ptr [esp+28], eax ; remember the error code
004749CD > 6A 0F push 0F ; /Timeout = 15. ms
004749CF . FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
004749D5 . 2B7B 04 sub edi, dword ptr [ebx+4] ; edi = sent - length
004749D8 . 8B46 58 mov eax, dword ptr [esi+58] ; obj->hwnd
004749DB . F7DF neg edi
004749DD . 1BFF sbb edi, edi ; edi = (sent != length) ? -1 : 0
004749DF . 237C24 28 and edi, dword ptr [esp+28] ; lParam = error code if incomplete, else 0
004749E3 . 57 push edi ; /lParam
004749E4 . 56 push esi ; |wParam = obj
004749E5 . 68 E9070000 push 7E9 ; |Message = MSG(7E9)  (meaning not visible here)
004749EA . 50 push eax ; |hWnd
004749EB . FF15 40FA7200 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
004749F1 . 8B13 mov edx, dword ptr [ebx] ; item vtable
004749F3 . 8B02 mov eax, dword ptr [edx] ; slot 0
004749F5 . 6A 01 push 1
004749F7 . 8BCB mov ecx, ebx
004749F9 . FFD0 call eax ; item->vtbl[0](1): looks like the MSVC scalar deleting destructor (delete item) — inferred
004749FB . C746 34 00000>mov dword ptr [esi+34], 0
00474A02 . FF15 F4E27200 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount
00474A08 . 8946 38 mov dword ptr [esi+38], eax ; obj+38 = now
00474A0B . 05 50C30000 add eax, 0C350 ; + 50000 ms
00474A10 . 8946 3C mov dword ptr [esi+3C], eax ; obj+3C = now + 50 s (deadline, presumably)
00474A13 . EB 08 jmp short 00474A1D
00474A15 > 6A 64 push 64 ; /Timeout = 100. ms   (idle: queue was empty)
00474A17 . FF15 B4E17200 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00474A1D > E8 AE010000 call 00474BD0 ; helper not shown; only zero/non-zero result is used
00474A22 . 85C0 test eax, eax
00474A24 . 75 11 jnz short 00474A37
00474A26 . 8B4E 58 mov ecx, dword ptr [esi+58]
00474A29 . 50 push eax ; /lParam = 0 (eax is zero here)
00474A2A . 56 push esi ; |wParam = obj
00474A2B . 68 EB070000 push 7EB ; |Message = MSG(7EB)
00474A30 . 51 push ecx ; |hWnd
00474A31 . FF15 40FA7200 call dword ptr [<&USER32.PostMessageA>; \PostMessageA
00474A37 > 837E 28 03 cmp dword ptr [esi+28], 3
00474A3B .^ 0F84 7FFEFFFF je 004748C0 ; loop while state == 3
00474A41 > 837E 28 04 cmp dword ptr [esi+28], 4
00474A45 . 75 0E jnz short 00474A55
00474A47 . 8D86 A0000000 lea eax, dword ptr [esi+A0]
00474A4D . 50 push eax ; &obj->cs
00474A4E . 55 push ebp ; &obj->queue
00474A4F . 56 push esi ; obj
00474A50 . E8 1B000000 call 00474A70 ; state 4: cleanup helper (not shown)
00474A55 > 33C0 xor eax, eax ; return 0
00474A57 . 8B4C24 18 mov ecx, dword ptr [esp+18]
00474A5B . 64:890D 00000>mov dword ptr fs:[0], ecx ; restore previous SEH registration
00474A62 . 59 pop ecx ; discard the cookie slot
00474A63 . 5F pop edi
00474A64 . 5E pop esi
00474A65 . 5D pop ebp
00474A66 . 5B pop ebx
00474A67 . 83C4 10 add esp, 10 ; drop local, saved fs:[0], handler, trylevel
00474A6A . C3 retn ; cdecl: caller removes the argument