[Old post] [Help] Please help me find the key point; I'm new, so please help out 0.00 snowflakes
Posted: 2009-2-15 11:34 2476
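Can anyone see where the key point in this code is? If you understand it, please help explain.
It seems that 00481DB5 is where it starts connecting to the game, and what comes before it is the cheat tool's verification! What needs to be changed so that it connects directly to the game server without verification?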
00481DB5 FF53 78 CALL DWORD PTR DS:[EBX+78] ; // account server
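I tested it and it has 2 outcomes:
1: In the pane below, DS:[00FD67F8]=004D2290 is where it starts connecting to the cheat tool's verification; one more pass and DS:[00FD6318]=004ECE14 is where it goes to connect to the game server.
2: DS:[00FB4AC8]=004D2290, and the cheat tool window shows "Not registered".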
00481BDA E8 49FEFFFF CALL 00481A28 ; network - game verification
00481BDF 84C0 TEST AL,AL
00481BE1 75 63 JNZ SHORT 00481C46 ; 00481C46
00481BE3 8D53 38 LEA EDX,DWORD PTR DS:[EBX+38]
00481BE6 8B43 34 MOV EAX,DWORD PTR DS:[EBX+34]
00481BE9 E8 72FEFFFF CALL 00481A60 ; 00481A60
00481BEE 84C0 TEST AL,AL
00481BF0 75 5F JNZ SHORT 00481C51 ; 00481C51
00481BF2 C70424 FFFFFFFF MOV DWORD PTR SS:[ESP],-1
00481BF9 66:837B 6A 00 CMP WORD PTR DS:[EBX+6A],0
00481BFE 74 0E JE SHORT 00481C0E ; 00481C0E
00481C00 54 PUSH ESP
00481C01 B9 E41D4800 MOV ECX,481DE4 ; Failed to resolve host domain name
00481C06 8BD3 MOV EDX,EBX
00481C08 8B43 6C MOV EAX,DWORD PTR DS:[EBX+6C]
00481C0B FF53 68 CALL DWORD PTR DS:[EBX+68]
00481C0E 833C24 00 CMP DWORD PTR SS:[ESP],0
00481C12 0F84 BC010000 JE 00481DD4 ; 00481DD4
00481C18 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; 复件_mai.004FA170
00481C1B 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00481C1F C64424 08 00 MOV BYTE PTR SS:[ESP+8],0
00481C24 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00481C28 50 PUSH EAX
00481C29 6A 00 PUSH 0
00481C2B B9 001E4800 MOV ECX,481E00 ; Failed to resolve host domain name, error code: %d
00481C30 B2 01 MOV DL,1
00481C32 A1 0C0D4800 MOV EAX,DWORD PTR DS:[480D0C]
00481C37 E8 70BEF8FF CALL 0040DAAC ; 0040DAAC
00481C3C E8 3F2FF8FF CALL 00404B80 ; 00404B80
00481C41 E9 8E010000 JMP 00481DD4 ; 00481DD4
00481C46 8D43 38 LEA EAX,DWORD PTR DS:[EBX+38]
00481C49 8B53 34 MOV EDX,DWORD PTR DS:[EBX+34]
00481C4C E8 3B35F8FF CALL 0040518C ; 0040518C
00481C51 8B43 40 MOV EAX,DWORD PTR DS:[EBX+40]
00481C54 E8 CFFDFFFF CALL 00481A28 ; 00481A28
00481C59 84C0 TEST AL,AL
00481C5B 75 5C JNZ SHORT 00481CB9 ; 00481CB9
00481C5D 8D53 44 LEA EDX,DWORD PTR DS:[EBX+44]
00481C60 8B43 40 MOV EAX,DWORD PTR DS:[EBX+40]
00481C63 E8 F8FDFFFF CALL 00481A60 ; 00481A60
00481C68 84C0 TEST AL,AL
00481C6A 75 58 JNZ SHORT 00481CC4 ; 00481CC4
00481C6C 66:837B 6A 00 CMP WORD PTR DS:[EBX+6A],0
00481C71 74 0E JE SHORT 00481C81 ; 00481C81
00481C73 54 PUSH ESP
00481C74 B9 241E4800 MOV ECX,481E24 ; Failed to resolve proxy domain name
00481C79 8BD3 MOV EDX,EBX
00481C7B 8B43 6C MOV EAX,DWORD PTR DS:[EBX+6C]
00481C7E FF53 68 CALL DWORD PTR DS:[EBX+68]
00481C81 833C24 00 CMP DWORD PTR SS:[ESP],0
00481C85 0F84 49010000 JE 00481DD4 ; 00481DD4
00481C8B 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; 复件_mai.004FA170
00481C8E 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00481C92 C64424 08 00 MOV BYTE PTR SS:[ESP+8],0
00481C97 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00481C9B 50 PUSH EAX
00481C9C 6A 00 PUSH 0
00481C9E B9 401E4800 MOV ECX,481E40 ; Failed to resolve proxy domain name, error code: %d
00481CA3 B2 01 MOV DL,1
00481CA5 A1 0C0D4800 MOV EAX,DWORD PTR DS:[480D0C]
00481CAA E8 FDBDF8FF CALL 0040DAAC ; 0040DAAC
00481CAF E8 CC2EF8FF CALL 00404B80 ; 00404B80
00481CB4 E9 1B010000 JMP 00481DD4 ; 00481DD4
00481CB9 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
00481CBC 8B53 40 MOV EDX,DWORD PTR DS:[EBX+40]
00481CBF E8 C834F8FF CALL 0040518C ; 0040518C
00481CC4 6A 00 PUSH 0
00481CC6 6A 01 PUSH 1
00481CC8 6A 02 PUSH 2
00481CCA E8 05F0FFFF CALL 00480CD4 ; <JMP.&WS2_32.socket>
00481CCF 8BF0 MOV ESI,EAX
00481CD1 89B3 A0000000 MOV DWORD PTR DS:[EBX+A0],ESI
00481CD7 46 INC ESI
00481CD8 75 55 JNZ SHORT 00481D2F ; 00481D2F
00481CDA E8 15F0FFFF CALL 00480CF4 ; <JMP.&WS2_32.WSAGetLastError>
00481CDF 890424 MOV DWORD PTR SS:[ESP],EAX
00481CE2 66:837B 6A 00 CMP WORD PTR DS:[EBX+6A],0
00481CE7 74 0E JE SHORT 00481CF7 ; 00481CF7
00481CE9 54 PUSH ESP
00481CEA B9 641E4800 MOV ECX,481E64 ; Socket error occurred while creating the socket
00481CEF 8BD3 MOV EDX,EBX
00481CF1 8B43 6C MOV EAX,DWORD PTR DS:[EBX+6C]
00481CF4 FF53 68 CALL DWORD PTR DS:[EBX+68]
00481CF7 833C24 00 CMP DWORD PTR SS:[ESP],0
00481CFB 0F84 D3000000 JE 00481DD4 ; 00481DD4
00481D01 8B0424 MOV EAX,DWORD PTR SS:[ESP] ; 复件_mai.004FA170
00481D04 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00481D08 C64424 08 00 MOV BYTE PTR SS:[ESP+8],0
00481D0D 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00481D11 50 PUSH EAX
00481D12 6A 00 PUSH 0
00481D14 B9 881E4800 MOV ECX,481E88 ; Socket error occurred while creating the socket, error code: %d
00481D19 B2 01 MOV DL,1
00481D1B A1 0C0D4800 MOV EAX,DWORD PTR DS:[480D0C]
00481D20 E8 87BDF8FF CALL 0040DAAC ; 0040DAAC
00481D25 E8 562EF8FF CALL 00404B80 ; 00404B80
00481D2A E9 A5000000 JMP 00481DD4 ; 00481DD4
00481D2F C643 30 01 MOV BYTE PTR DS:[EBX+30],1
00481D33 6A 33 PUSH 33
00481D35 68 01040000 PUSH 401
00481D3A 8B43 5C MOV EAX,DWORD PTR DS:[EBX+5C]
00481D3D 50 PUSH EAX
00481D3E 8B83 A0000000 MOV EAX,DWORD PTR DS:[EBX+A0]
00481D44 50 PUSH EAX
00481D45 E8 A2EFFFFF CALL 00480CEC ; <JMP.&WS2_32.WSAAsyncSelect>
00481D4A 66:C783 3202000>MOV WORD PTR DS:[EBX+232],2
00481D53 0FB643 54 MOVZX EAX,BYTE PTR DS:[EBX+54]
00481D57 2C 01 SUB AL,1
00481D59 72 29 JB SHORT 00481D84 ; 00481D84
00481D5B 75 4C JNZ SHORT 00481DA9 ; 00481DA9
00481D5D 0FB743 48 MOVZX EAX,WORD PTR DS:[EBX+48]
00481D61 50 PUSH EAX
00481D62 E8 45EFFFFF CALL 00480CAC ; <JMP.&WS2_32.htons>
00481D67 66:8983 3402000>MOV WORD PTR DS:[EBX+234],AX
00481D6E 8B43 44 MOV EAX,DWORD PTR DS:[EBX+44]
00481D71 E8 5238F8FF CALL 004055C8 ; 004055C8
00481D76 50 PUSH EAX
00481D77 E8 38EFFFFF CALL 00480CB4 ; <JMP.&WS2_32.inet_addr>
00481D7C 8983 36020000 MOV DWORD PTR DS:[EBX+236],EAX
00481D82 EB 25 JMP SHORT 00481DA9 ; 00481DA9
00481D84 0FB743 3C MOVZX EAX,WORD PTR DS:[EBX+3C]
00481D88 50 PUSH EAX
00481D89 E8 1EEFFFFF CALL 00480CAC ; <JMP.&WS2_32.htons>
00481D8E 66:8983 3402000>MOV WORD PTR DS:[EBX+234],AX
00481D95 8B43 38 MOV EAX,DWORD PTR DS:[EBX+38]
00481D98 E8 2B38F8FF CALL 004055C8 ; 004055C8
00481D9D 50 PUSH EAX
00481D9E E8 11EFFFFF CALL 00480CB4 ; <JMP.&WS2_32.inet_addr>
00481DA3 8983 36020000 MOV DWORD PTR DS:[EBX+236],EAX
00481DA9 66:837B 7A 00 CMP WORD PTR DS:[EBX+7A],0
00481DAE 74 08 JE SHORT 00481DB8 ; 00481DB8
00481DB0 8BD3 MOV EDX,EBX
00481DB2 8B43 7C MOV EAX,DWORD PTR DS:[EBX+7C]
00481DB5 FF53 78 CALL DWORD PTR DS:[EBX+78] ; // account server
00481DB8 8BC3 MOV EAX,EBX
00481DBA E8 D9100000 CALL 00482E98 ; 00482E98
00481DBF 6A 10 PUSH 10
00481DC1 8D83 32020000 LEA EAX,DWORD PTR DS:[EBX+232]
00481DC7 50 PUSH EAX
00481DC8 8B83 A0000000 MOV EAX,DWORD PTR DS:[EBX+A0]
00481DCE 50 PUSH EAX
00481DCF E8 D0EEFFFF CALL 00480CA4 ; <JMP.&WS2_32.connect>
00481DD4 83C4 0C ADD ESP,0C
00481DD7 5E POP ESI ; 复件_mai.004FA170
00481DD8 5B POP EBX ; 复件_mai.004FA170
00481DD9 C3 RET