手机qq游戏双倍积分卡大厅升级游戏积分胜率如何变高

手机QQ游戏大厅斗地主刷分【防城实验高中吧】_百度贴吧
手机QQ游戏大厅斗地主刷分收藏
看到别人几万十几万分,胜率比珠穆朗玛峰还高,觉得有鬼,后来自己试过后才懂……昨晚用手机刷斗地主的分,一个小时就飙了1000分!胜率飙到了51%!我靠!原来十几万分是这么来的!
不能这么说,并不是只有多开器存在的…
QQGame浅析系列-多开大厅刷分你也可以
标 题:QQGame浅析系列-多开大厅刷分你也可以
作 者:singsing
时 间:08-04-17 11:57 链 接:
QQGame浅析系列(1)--多开大厅刷分你也可以
本系列仅供学习交流使用,非法使用者,后果自负。
最近闲来无聊就陪朋友一起打打牌,是QQ游戏斗地主游戏,我们通常在一个桌(Table)打牌,这样配合胜率会高一点。有一次他正在和别人打牌,四人已满,我就不能和他一起打了,就随便点了一下发现能进得此桌,原来游戏提供了“旁观”的功能,不过是当时才知道的。于是我就一个个地“旁观”别人的牌,将牌符告诉我的朋友,他果然“运筹帷幄,决胜千里”,呵呵……
于是想到了一个“坏点子”:自己开两个号打牌,一个用来旁观,另一个用来打牌,岂不是很容易就取胜?当我兴冲冲地准备“作祟”时,发现QQGame并不能同时运行两个实例,所以我上述的想法就暂时不能实现了。要想实现,就要突破这一关,于是抱着试试看的心理分析一下“QQGame不能同时运行两个实例”的原理。
程序实现只能运行一个实例的原理通常是使用互斥元,临界区,信号量等机制.
于是就OD载入,下断:
bp CreateMutexA
F9运行,中断,再次F9......若干次后会看到堆栈提示:
0013FE90&&&100118DF&&/CALL&到&CreateMutexA&来自&Utility.
0013FE94&&&&&|pSecurity&=&NULL
0013FE98&&&&&|InitialOwner&=&TRUE
0013FE9C&&&00F88700&&\MutexName&=&&QQGame_Mutex03/01/2003&
MutexName为“QQGame_Mutex03/01/2003”的就是我们所关心的。
如果知道了这一点,那么要想绕过“QQGame不能同时运行两个实例”就很简单了,我这里采用的是不破坏原程序完整性的方法,现介绍如下:
MutexName为“QQGame_Mutex03/01/2003”的串存放在一个叫做MainLogi.dll的文件中,在游戏安装目录下的Logic文件夹里。如果每次运行游戏程序时MutexName与上次的都不相同,不就可以绕过了吗?也就是每次运行程序前偷偷地改变MainLogi.dll文件中的MutexName。具体实现见代码及分析:
{ Launcher that patches the single-instance mutex name inside MainLogi.dll
  and then starts QQGame.exe, so that a second client can run beside the
  first one.
  NOTE(review): this listing is a garbled forum paste. The `uses` and `var`
  keywords, every `begin`, several one-statement lines and a few type names
  were lost in extraction, and `&` stands for lost whitespace/markup. The
  comments below describe only what the surviving statements do; nothing has
  been reconstructed. }
program&QQgameS&
{ uses clause -- the keyword itself is missing from the paste }
&&windows,dialogs,sysutils,classes,graphics,shellapi&,&
{ var section -- the keyword itself is missing; `reg` and `i`, which the
  main body uses, are not declared in the visible lines }
strPath:string;&        // game install directory, read from the registry
strFileName:string;&    // full path of Logic\MainLogi.dll
strNewFile:string;&     // backup name (MainLogi.dll0..2) the original file is renamed to
strGameFile:string;&    // full path of QQGame.exe
strMutex:string;&       // mutex name being probed; its last character is incremented
hMutex:DWORD;&          // handle returned by the CreateMutex probe
hFile:DWORD;&           // handle returned by CreateFile on MainLogi.dll
dwBytesOfRW:C&          // bytes-written out-parameter of WriteFile (type truncated; presumably Cardinal -- TODO confirm)
buffer:BYTE;&           // the single byte written into the DLL
DstFile:TFileS&         // only used by the commented-out TFileStream variant (type truncated)
hwnd:DWORD;&            // not referenced anywhere in the visible code
{$r&QQgameSpy.RES}&
{ Renames a file through the shell (SHFileOperation with FO_RENAME), with no
  confirmation dialog and no progress UI (FOF_NOCONFIRMATION + FOF_SILENT).
  The author relies on this because a DLL already loaded by the game cannot
  be deleted but can still be renamed (see the explanation after the listing).
  The signature is garbled in the paste; the call site passes
  (0, old name, new name), so the parameters are presumably a window handle
  plus lpOrgName and lpNewName as PAnsiChar, returning Boolean -- TODO confirm.
  Returns True when SHFileOperation reports 0. The value assigned in the
  except branch was lost in extraction (presumably False). }
function&&&RenameFile(hdl:THlpOrgName,lpNewName:PAnsichar):&
&&&&&&&&shf:TSHFILEOPSTRUCT;&                         // local SHFILEOPSTRUCT (var/begin keywords missing)
&&&&&&&&try&
&&&&&&&&&&FillChar(shf,SizeOf(shf),0);&                // zero the struct before filling the fields used
&&&&&&&&&&shf.Wnd&&&&&&&:=&                            // assigned value lost in extraction
&&&&&&&&&&shf.wFunc&&&&&:=FO_RENAME;&
&&&&&&&&&&shf.pFrom&&&&&:=lpOrgN&                      // lpOrgName (truncated)
&&&&&&&&&&shf.pTo&&&&&&&:=lpNewN&                      // lpNewName (truncated)
&&&&&&&&&&shf.fFlags&&&&:=FOF_NOCONFIRMATION+FOF_SILENT;&   // no prompts, no UI
&&&&&&&&&&Result:=(0=SHFileOperation(shf));&&&&       // 0 from the shell means success
&&&&&&&&except&
&&&&&&&&&&&&&&&&Result:=&                              // presumably False (lost in extraction)
&&&&&&&&end;&
{ main program starts here }&
{ NOTE(review): the program's `begin` and several one-statement lines (the
  bare `&&&&` lines below, presumably `exit;` / `break;`) were lost in
  extraction; `&` stands for lost whitespace. Flow as the surviving
  statements show it: locate the game via the registry, pick a mutex name
  that no running instance holds, rename the loaded DLL, copy it back under
  its original name, overwrite one byte of the copy, then launch the game.
  As the author's closing remark concedes, this stops working the moment the
  program verifies its own files: the "protection" lives in a writable DLL
  with no integrity check, which is the actual weakness on display here. }
&&&&&&&&reg:=&TRegistry.C&                          // TRegistry.Create (truncated)
&&&&&&&&reg.RootKey:=HKEY_CURRENT_USER;&
&&&&&&&&// Install directory is read from HKCU\Software\Tencent\QQGame\SYS\GameDirectory.
&&&&&&&&if&reg.OpenKeyReadOnly('\Software\Tencent\QQGame\SYS')=&false&then&
&&&&&&&&&&&&&&&&&                                   // statement lost (presumably exit)
&&&&&&&&strPath:=reg.ReadString('GameDirectory');&
&&&&&&&&//showmessage(strPath);&
&&&&&&&&reg.CloseK&                                 // reg.CloseKey (truncated)
&&&&&&&&reg.F&                                      // reg.Free (truncated)
&&&&&&&&strFileName:=strPath+'Logic\MainLogi.dll';&
&&&&&&&&// Probe up to four candidate names (...2000 to ...2003, one per seat at a
&&&&&&&&// table). CreateMutex on an existing name succeeds but sets
&&&&&&&&// ERROR_ALREADY_EXISTS; the first name that does NOT already exist is kept.
&&&&&&&&// The comparison operator on the GetLastError line was lost in
&&&&&&&&// extraction (presumably `<>`).
&&&&&&&&strMutex:='QQGame_Mutex03/01/2000';&
&&&&&&&&for&i:=0&to&3&do&begin&
&&&&&&&&&&&&&&&&hMutex:=CreateMutex(nil,false,pchar(strMutex));&
&&&&&&&&&&&&&&&&if&hMutex=0&then&
&&&&&&&&&&&&&&&&&&&&&&&&&                           // statement lost (presumably exit)
&&&&&&&&&&&&&&&&if&GetLastError&&ERROR_ALREADY_EXISTS&then&
&&&&&&&&&&&&&&&&&&&&&&&&&                           // statement lost (presumably break)
&&&&&&&&&&&&&&&&Inc(&strMutex[Length(strMutex)]&);&   // '0' -> '1' -> '2' -> '3'
&&&&&&&&end;&
&&&&&&&&//showmessage(strMutex);&
&&&&&&&&// Only the last character differs between the candidate names; that is
&&&&&&&&// the single byte patched into the DLL further down.
&&&&&&&&buffer:=BYTE(strMutex[Length(strMutex)]);&
&&&&&&&&if&hMutex=0&then&
&&&&&&&&&&&&&&&&&                                   // statement lost (presumably exit)
&&&&&&&&CloseHandle(hMutex);&                       // release the probe so the game can create that name itself
&&&&&&&&// Earlier TFileStream version of the same one-byte patch, left commented out.
&&&&&&&&//DstFile:=TFileStream.Create(strFileName,fmOpenReadWrite);&
&&&&&&&&//DstFile.Seek($581C1,FILE_BEGIN);&
&&&&&&&&//DstFile.WriteBuffer(buffer,sizeof(buffer));&
&&&&&&&&// Remove stale backups MainLogi.dll0..2 from earlier runs; DeleteFile's result is ignored.
&&&&&&&&for&i:=0&to&2&do&begin&
&&&&&&&&&&&&&&&&strNewFile:=strFileName+inttostr(i);&
&&&&&&&&&&&&&&&&DeleteFile(strNewFile);&
&&&&&&&&end;&
&&&&&&&&// Pick the first backup name that is still free.
&&&&&&&&for&i:=0&to&2&do&begin&
&&&&&&&&&&&&&&&&strNewFile:=strFileName+inttostr(i);&
&&&&&&&&&&&&&&&&if&FileExists(strNewFile)=false&then&
&&&&&&&&&&&&&&&&&&&&&&&&&                           // statement lost (presumably break)
&&&&&&&&end;&
&&&&&&&&// A DLL mapped by a running instance cannot be deleted but can be renamed,
&&&&&&&&// so rename it away and copy it back under the original name
&&&&&&&&// (CopyFile's last argument = fail if the target exists). Neither result is checked.
&&&&&&&&RenameFile(0,pchar(strFileName),pchar(strNewFile));&
&&&&&&&&CopyFile(pchar(strNewFile),pchar(strFileName),true);&
&&&&&&&&// Overwrite the last character of the mutex-name string inside the fresh copy.
&&&&&&&&// $581C1 is a file offset hard-coded for one particular build of MainLogi.dll;
&&&&&&&&// the author reports the method stopped working after a game update.
&&&&&&&&hFile:=CreateFile(pchar(strFileName),GENERIC_WRITE&or&GENERIC_READ,FILE_SHARE_WRITE&or&FILE_SHARE_READ,&
&&&&&&&&&&&&&&&&&&&&&&&&nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);&
&&&&&&&&if&hFile=INVALID_HANDLE_VALUE&then&
&&&&&&&&&&&&&&&&&                                   // statement lost (presumably exit)
&&&&&&&&SetFilePointer(hFile,$581C1,nil,FILE_BEGIN);&
&&&&&&&&WriteFile(hFile,buffer,sizeof(buffer),dwBytesOfRW,nil);&
&&&&&&&&CloseHandle(hFile);&
&&&&&&&&// Finally start the game; it reads the patched name from the copy.
&&&&&&&&strGameFile:=strPath+'QQGame.exe';&
&&&&&&&&//showmessage(strGameFile);&
&&&&&&&&ShellExecute(0,'Open',pchar(strGameFile),nil,nil,SW_SHOWNORMAL);&
解释:当程序运行时通过注册表查询QQGame的安装目录,进而获取MainLogi.dll文件的完整文件名。由于QQ游戏一般来说每桌最多不超过四人,所以每次运行前首先查看MutexName为:
'QQGame_Mutex03/01/2000';
'QQGame_Mutex03/01/2001';
'QQGame_Mutex03/01/2002';
'QQGame_Mutex03/01/2000';
的互斥元是否存在,如果遇到有不存在的,说明可以以此互斥元名运行QQ游戏,就将原MainLogi.dll文件改为其他名字,复制一份MainLogi.dll文件并更换其中的MutexName,最后ShellExecute QQ游戏,这样当QQ游戏运行检测时就会使用我们更改过的MutexName,由于我们事先已经检测过这个MutexName还没有被使用,当然可以成功运行了。
这里你可能很诧异:MainLogi.dll文件被游戏加载过一次,下次还能被改名吗?我试过了,删除此文件不可以,但是可以对其重命名。上面声明的RenameFile就是实现更改文件名功能的。
运行后,可以开N个大厅,于是乎狂玩了一下午,很快刷到了600多分,胜负率高达60%以上啊!不过也就是当时一会的劲头,再后来就没有玩过了,现在将此方法公布给大家分享一下,希望玩得愉快!
说明:在我欲发此贴时,QQGame有所更新,使用上述方法不行了,如果不给出一个新的解决方法,总感觉不甚完美,于是重新又跟了一次。思路如下:
如果已有一个登录窗体在运行了,那么再运行一个实例就会给那个已运行的实例一个焦点,让用户知道“你已经运行啦”,然后退出。
bp FindWindowA
bp FindWindowExA
F9运行,中断一个,看堆栈提示:
0013FE7C&&&&&/CALL&到&FindWindowExA&来自&Utility.1001199D
0013FE80&&&&&|hParent&=&NULL
0013FE84&&&&&|hAfterWnd&=&NULL
0013FE88&&&01069BD0&&|Class&=&&QQGame_MainFrame&
0013FE8C&&&&&\Title&=&NULL
返回到调用的过程:
《Utility领空》
1001199D&&&&FF15&&&&call&&&&dword&ptr&[&&USER32.FindWindowEx&;&USER32.FindWindowExA
&&&&8BF8&&&&&&&&&&&&mov&&&&&edi,&eax
&&&&57&&&&&&&&&&&&&&push&&&&edi
100119A6&&&&FF15&&&&call&&&&dword&ptr&[&&USER32.IsWindow&]&&&;&USER32.IsWindow
100119AC&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
100119AE&&&&74&0E&&&&&&&&&&&je&&&&&&short&100119BE
&&&&53&&&&&&&&&&&&&&push&&&&ebx
&&&&53&&&&&&&&&&&&&&push&&&&ebx
&&&&FF76&50&&&&&&&&&push&&&&dword&ptr&[esi+50]
&&&&57&&&&&&&&&&&&&&push&&&&edi
&&&&FF15&7C920110&&&call&&&&dword&ptr&[&&USER32.PostMessageA&;&USER32.PostMessageA
100119BC&&&&EB&10&&&&&&&&&&&jmp&&&&&short&100119CE
100119BE&&&&83C6&14&&&&&&&&&add&&&&&esi,&14
&&&&68&1CE70110&&&&&push&&&&1001E71C
&&&&56&&&&&&&&&&&&&&push&&&&esi
&&&&E8&4A4FFFFF&&&&&call&&&&
100119CC&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
100119CD&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
100119CE&&&&5F&&&&&&&&&&&&&&pop&&&&&edi
100119CF&&&&5E&&&&&&&&&&&&&&pop&&&&&esi
&&&&5B&&&&&&&&&&&&&&pop&&&&&ebx
&&&&C3&&&&&&&&&&&&&&retn
执行流程是这样的,检测是否已有窗体运行了,如果有找到它,给它发个消息(这个消息估计就是让那个窗体拥有焦点的)然后退出。
我们由此过程再次返回,发现是
&&&&E8&&&&&&call&&&&1001198C
调用的上述过程,前后浏览一下代码:
《Utility领空》
&&&&55&&&&&&&&&&&&&&push&&&&ebp
&&&&8BEC&&&&&&&&&&&&mov&&&&&ebp,&esp
&&&&51&&&&&&&&&&&&&&push&&&&ecx
1001184A&&&&8B45&18&&&&&&&&&mov&&&&&eax,&dword&ptr&[ebp+18]
1001184D&&&&8365&FC&00&&&&&&and&&&&&dword&ptr&[ebp-4],&0
&&&&53&&&&&&&&&&&&&&push&&&&ebx
&&&&56&&&&&&&&&&&&&&push&&&&esi
&&&&8BF1&&&&&&&&&&&&mov&&&&&esi,&ecx
&&&&57&&&&&&&&&&&&&&push&&&&edi
&&&&BB&&&&&&mov&&&&&ebx,&100
1001185B&&&&8946&54&&&&&&&&&mov&&&&&dword&ptr&[esi+54],&eax
1001185E&&&&8B45&14&&&&&&&&&mov&&&&&eax,&dword&ptr&[ebp+14]
&&&&8DBE&&&&lea&&&&&edi,&dword&ptr&[esi+158]
&&&&8946&50&&&&&&&&&mov&&&&&dword&ptr&[esi+50],&eax
1001186A&&&&85FF&&&&&&&&&&&&test&&&&edi,&edi
1001186C&&&&74&21&&&&&&&&&&&je&&&&&&short&1001188F
1001186E&&&&837D&10&00&&&&&&cmp&&&&&dword&ptr&[ebp+10],&0
&&&&74&1B&&&&&&&&&&&je&&&&&&short&1001188F
&&&&53&&&&&&&&&&&&&&push&&&&ebx
&&&&8D4E&45&&&&&&&&&lea&&&&&ecx,&dword&ptr&[esi+45]
&&&&FF75&10&&&&&&&&&push&&&&dword&ptr&[ebp+10]
1001187B&&&&E8&&&&&&call&&&&10011D96
&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
&&&&74&0B&&&&&&&&&&&je&&&&&&short&1001188F
&&&&FF75&10&&&&&&&&&push&&&&dword&ptr&[ebp+10]
&&&&57&&&&&&&&&&&&&&push&&&&edi
&&&&E8&&&&&&call&&&&&jmp.&MSVCRT.strcpy&
1001188D&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
1001188E&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
1001188F&&&&8D7E&58&&&&&&&&&lea&&&&&edi,&dword&ptr&[esi+58]
&&&&85FF&&&&&&&&&&&&test&&&&edi,&edi
&&&&74&21&&&&&&&&&&&je&&&&&&short&
&&&&837D&0C&00&&&&&&cmp&&&&&dword&ptr&[ebp+C],&0
1001189A&&&&74&1B&&&&&&&&&&&je&&&&&&short&
1001189C&&&&53&&&&&&&&&&&&&&push&&&&ebx
1001189D&&&&8D4E&45&&&&&&&&&lea&&&&&ecx,&dword&ptr&[esi+45]
&&&&FF75&0C&&&&&&&&&push&&&&dword&ptr&[ebp+C]
&&&&E8&EE040000&&&&&call&&&&10011D96
&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
100118AA&&&&74&0B&&&&&&&&&&&je&&&&&&short&
100118AC&&&&FF75&0C&&&&&&&&&push&&&&dword&ptr&[ebp+C]
100118AF&&&&57&&&&&&&&&&&&&&push&&&&edi
&&&&E8&F1570000&&&&&call&&&&&jmp.&MSVCRT.strcpy&
&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
&&&&837D&08&00&&&&&&cmp&&&&&dword&ptr&[ebp+8],&0
100118BB&&&&74&5F&&&&&&&&&&&je&&&&&&short&1001191C
100118BD&&&&FF75&08&&&&&&&&&push&&&&dword&ptr&[ebp+8]
&&&&E8&E7570000&&&&&call&&&&&jmp.&MSVCRT.strlen&
&&&&F7D8&&&&&&&&&&&&neg&&&&&eax
&&&&1BC0&&&&&&&&&&&&sbb&&&&&eax,&eax
&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
100118CA&&&&40&&&&&&&&&&&&&&inc&&&&&eax
100118CB&&&&8945&10&&&&&&&&&mov&&&&&dword&ptr&[ebp+10],&eax
100118CE&&&&75&4C&&&&&&&&&&&jnz&&&&&short&1001191C
&&&&FF75&08&&&&&&&&&push&&&&dword&ptr&[ebp+8]
&&&&6A&01&&&&&&&&&&&push&&&&1
&&&&5F&&&&&&&&&&&&&&pop&&&&&edi
&&&&57&&&&&&&&&&&&&&push&&&&edi
&&&&6A&00&&&&&&&&&&&push&&&&0
&&&&FF15&E8900110&&&call&&&&dword&ptr&[&&KERNEL32.CreateMutexA&]&&&;&kernel32.CreateMutexA
100118DF&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
&&&&8946&4C&&&&&&&&&mov&&&&&dword&ptr&[esi+4C],&eax
&&&&74&24&&&&&&&&&&&je&&&&&&short&1001190A
&&&&FF15&AC900110&&&call&&&&dword&ptr&[&&KERNEL32.GetLastError&]&&&;&ntdll.RtlGetLastWin32Error
100118EC&&&&3D&B7000000&&&&&cmp&&&&&eax,&0B7
100118F1&&&&8BCE&&&&&&&&&&&&mov&&&&&ecx,&esi
100118F3&&&&75&07&&&&&&&&&&&jnz&&&&&short&100118FC
&&&&E8&&&&&&call&&&&1001198C
100118FA&&&&EB&2A&&&&&&&&&&&jmp&&&&&short&
100118FC&&&&E8&&&&&&call&&&&10011A65
&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
&&&&74&21&&&&&&&&&&&je&&&&&&short&
&&&&897D&FC&&&&&&&&&mov&&&&&dword&ptr&[ebp-4],&edi
&&&&EB&1C&&&&&&&&&&&jmp&&&&&short&
1001190A&&&&83C6&14&&&&&&&&&add&&&&&esi,&14
1001190D&&&&68&F8E60110&&&&&push&&&&
&&&&56&&&&&&&&&&&&&&push&&&&esi
&&&&E8&FE4FFFFF&&&&&call&&&&
&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
&&&&59&&&&&&&&&&&&&&pop&&&&&ecx
1001191A&&&&EB&0A&&&&&&&&&&&jmp&&&&&short&
1001191C&&&&8BCE&&&&&&&&&&&&mov&&&&&ecx,&esi
1001191E&&&&E8&&&&&&call&&&&10011A65
&&&&8945&FC&&&&&&&&&mov&&&&&dword&ptr&[ebp-4],&eax
&&&&8B45&FC&&&&&&&&&mov&&&&&eax,&dword&ptr&[ebp-4]
&&&&5F&&&&&&&&&&&&&&pop&&&&&edi
1001192A&&&&5E&&&&&&&&&&&&&&pop&&&&&esi
1001192B&&&&5B&&&&&&&&&&&&&&pop&&&&&ebx
1001192C&&&&C9&&&&&&&&&&&&&&leave
1001192D&&&&C2&1400&&&&&&&&&retn&&&&14
&&&&FF15&E8900110&&&call&&&&dword&ptr&[&&KERNEL32.CreateMutexA&]&&&;&kernel32.CreateMutexA
一句时,MutexName没有变,就是和我们之前的分析是一样的,只是多了一个对窗口的检测,呵呵,好对付。
再次返回:
《MainLogi领空》
00F6714E&&&&56&&&&&&&&&&&&&&push&&&&esi
00F6714F&&&&8BF1&&&&&&&&&&&&mov&&&&&esi,&ecx
00F67151&&&&57&&&&&&&&&&&&&&push&&&&edi
00F67152&&&&83BE&A&cmp&&&&&dword&ptr&[esi+1A8],&0
00F67159&&&&75&25&&&&&&&&&&&jnz&&&&&short&00F67180
00F6715B&&&&E8&BF0F0100&&&&&call&&&&00F7811F
00F67160&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
00F67162&&&&74&1C&&&&&&&&&&&je&&&&&&short&00F67180
00F67164&&&&8B10&&&&&&&&&&&&mov&&&&&edx,&dword&ptr&[eax]
00F67166&&&&68&&&&&&push&&&&4009002
00F6716B&&&&68&&&&&&push&&&&00F84084&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;&ASCII&&Utility.dll&
00F67170&&&&56&&&&&&&&&&&&&&push&&&&esi
00F67171&&&&8BC8&&&&&&&&&&&&mov&&&&&ecx,&eax
00F67173&&&&FF52&08&&&&&&&&&call&&&&dword&ptr&[edx+8]
00F67176&&&&85C0&&&&&&&&&&&&test&&&&eax,&eax
00F67178&&&&74&06&&&&&&&&&&&je&&&&&&short&00F67180
00F6717A&&&&0&&&mov&&&&&dword&ptr&[esi+1A8],&eax
00F67180&&&&8B86&A8010000&&&mov&&&&&eax,&dword&ptr&[esi+1A8]
00F67186&&&&8BD6&&&&&&&&&&&&mov&&&&&edx,&esi
00F67188&&&&F7DA&&&&&&&&&&&&neg&&&&&edx
00F6718A&&&&8D48&04&&&&&&&&&lea&&&&&ecx,&dword&ptr&[eax+4]
00F6718D&&&&8D7E&04&&&&&&&&&lea&&&&&edi,&dword&ptr&[esi+4]
00F67190&&&&1BD2&&&&&&&&&&&&sbb&&&&&edx,&edx
00F67192&&&&6A&00&&&&&&&&&&&push&&&&0
00F67194&&&&8B01&&&&&&&&&&&&mov&&&&&eax,&dword&ptr&[ecx]
00F67196&&&&23D7&&&&&&&&&&&&and&&&&&edx,&edi
00F67198&&&&52&&&&&&&&&&&&&&push&&&&edx
00F67199&&&&FF10&&&&&&&&&&&&call&&&&dword&ptr&[eax]
00F6719B&&&&8B8E&A8010000&&&mov&&&&&ecx,&dword&ptr&[esi+1A8]
00F671A1&&&&68&5E100000&&&&&push&&&&105E
00F671A6&&&&68&861F0000&&&&&push&&&&1F86
00F671AB&&&&68&&&&&&push&&&&00F88718&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;&ASCII&&QQGame_MainFrame&
00F671B0&&&&8B01&&&&&&&&&&&&mov&&&&&eax,&dword&ptr&[ecx]
00F671B2&&&&68&EC80F800&&&&&push&&&&00F880EC&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;&ASCII&&QQGame&
00F671B7&&&&68&&&&&&push&&&&00F88700&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;&ASCII&&QQGame_Mutex03/01/2003&
00F671BC&&&&FF50&0C&&&&&&&&&call&&&&dword&ptr&[eax+C]&&&&&&&&&&&&&&&&&&&&&&;&进
00F671BF&&&&8BF8&&&&&&&&&&&&mov&&&&&edi,&eax
00F671C1&&&&83C6&08&&&&&&&&&add&&&&&esi,&8
00F671C4&&&&57&&&&&&&&&&&&&&push&&&&edi
00F671C5&&&&68&C886F800&&&&&push&&&&00F886C8&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;&ASCII&&Logout_Optimize&CheckMultiInstanceRunning()&return&[%d]&
00F671CA&&&&56&&&&&&&&&&&&&&push&&&&esi
00F671CB&&&&E8&EEF1FEFF&&&&&call&&&&00F563BE
00F671D0&&&&83C4&0C&&&&&&&&&add&&&&&esp,&0C
00F671D3&&&&8BC7&&&&&&&&&&&&mov&&&&&eax,&edi
00F671D5&&&&5F&&&&&&&&&&&&&&pop&&&&&edi
00F671D6&&&&5E&&&&&&&&&&&&&&pop&&&&&esi
00F671D7&&&&C3&&&&&&&&&&&&&&retn
《QQGame领空》
004010CE&&|.&&FF50&38&&&&&&&call&&&&dword&ptr&[eax+38]&&&&&&&&&&&&&&&&;进
&&|.&&85C0&&&&&&&&&&test&&&&eax,&eax
&&|.&&74&13&&&&&&&&&je&&&&&&short&
注意这个返回值就很重要了,如果暴力一点的话就就将&&je&&&&&&short&
Nop掉就OK了。
更新的版本主要是多了一个对窗口的检测,标志值存放在eax里,如果想跟踪的话关键看对eax的修改即可,我就不跟了。
不过这样有一个缺陷,那就是如果程序中增加了文件校验就会发现程序被修改而拒绝执行,不过“兵来将挡,水来土掩”,知道了这个机理,解决办法还是不少的。
《“无法显示网页”是由于我没有联网》
标 题:QQGame浅析系列(2) 从哪里开始
作 者:singsing
时 间:08-04-17 13:00
QQGame浅析系列(2) 从哪里开始
我选择的是对“欢乐斗地主”进行分析,当时我的想法是三人斗地主总比四人斗地主要好分析,实际上这是个错误的决定。在我具体分析时才知道三人斗地主的限制是多么的多,例如游戏玩家要受“欢乐豆”数量的限制,程序还有检测响应时间的机制,如果你在OD里停留时间过长,再返回到程序时就不能再玩了,一切还得重来。然而在四人斗地主里则没有上述两点的限制。我既然选择了对“欢乐斗地主”进行分析,那就不能回头了,一如既往!
让我们先理清一下玩家进行“欢乐斗地主”的过程:
1.&运行QQGame登录程序
2.&进入大厅
3.&选择”欢乐斗地主”游戏
4.&进入某个房间(Room)
5. 选择某个桌子(Table)坐下(sit down)
7.&当前桌子的玩家齐全且都为准备状态时,游戏开始,进入游戏LOOP
8.&游戏结束
9. 玩家可以离开此桌(stand up)回到房间,也可以退出此房间重新选择……
总之大致过程是这样的,我没有分析得很细,因为我们并不从这里切入,那要从哪里入手呢?要知道游戏整个过程都在不停地与服务器交换数据(send and recv),这些数据的流向才是我们所关心的。所以第一步应该截获网络数据,但是你千万不要使用什么网络数据截获(或者分析)之类的工具,那个对我们没有什么用处。我们这里要确切地知道数据的流向,而那些工具仅仅提供给我们冗余的数据(当然与游戏有关的数据也在其中,但都是加了密的),甚至还会误导我们的思路。自己动手丰衣足食,下面开始分析数据的接收过程。
与网络数据发送有关的几个重要函数:send, recv, WSASend, WSARecv。所以我们的断点应该是:bp send, bp recv, bp WSASend, bp WSARecv。下完这四个断点后下一步是确定其中哪个与数据的接收发送有关。
相关知识点:如何对recv和WSARecv下断点分析。
首先讲recv,中断在这里后在堆栈窗口对buffer进行数据窗口跟随。按CTRL+F9,发现内存中有了接收的数据,然后在数据的第一个字节下硬件读断点,继续按F9运行,很快会中断到读取内存的地方。
一个实例,下面是欲调用recv时的堆栈提示,可以看清参数序列。
BD4606&/CALL&到&recv&来自&NetMod.03BD4600
000534&|Socket&=&534
3D648&|Buffer&=&
02800&|BufSize&=&.)
00000&\Flags&=&0
在Buffer处右键“数据窗口中跟随”,这个Buffer就是数据的地址,没有什么复杂的结构,直接写硬件访问断点就OK,F9运行后就能观察哪里的代码使用了这里的数据。
然后是WSARecv,WSARecv的buffer是个结构指针,第一个双字是buffer大小,后面的才是数据,按CTRL+F9,发现接收数据,要在第5个字节地方下硬件访问中断,然后F9运行观看哪里的代码使用了这里的数据。
一个实例,下面是欲调用WSARecv时的堆栈提示,可以看清参数序列。
A42EA3&/CALL&到&WSARecv&来自&WSOCK32.71A42E9E
0000BC&|Socket&=&BC
3FB28&|pBuffers&=&0013FB28
00001&|nBuffers&=&1
3FB40&|pReceivedCount&=&0013FB40
13FB3C&|pFlags&=&0013FB3C
00000&|pOverlapped&=&NULL
00000&\Callback&=&NULL
数据窗口中跟随pBuffers,要对其第五个字节开始的地方下硬件访问中断。
以上是需要知道的知识点,下面我们来确定游戏使用了上述的哪个函数,还是两个都使用了。下完所有断点,开始游戏,发现只有send和recv函数被中断下来。现在只分析接收数据,send中断暂且不理。按照上述知识点,完成对接收数据的硬件访问中断后F9,中断在:
03C54682&|.&57&|push&edi&;&/n
03C54683&|.&51&|push&ecx&;&|src
03C54684&|.&50&|push&eax&;&|dest
03C54685&|.&8946&10&|mov&dword&ptr&[esi+10],&eax&;&|
03C54688&|.&E8&&|call&&jmp.&MSVCRT.memcpy&&;&\memcpy
03C5468D&|.&56&|push&esi
03C5468E&|.&FF75&E8&|push&dword&ptr&[ebp-18]
03C54691&|.&FF75&E4&|push&dword&ptr&[ebp-1C]
03C54694&|.&E8&E6000000&|call&03C5477F
这里是NetMod领空,看看所在的子过程吧:
*NetMod核心代码*
03C54410&/.&55&push&ebp
03C54411&|.&8BEC&mov&ebp,&esp
03C54413&|.&B8&&mov&eax,&2938
03C54418&|.&E8&&call&03C55840
03C5441D&|.&53&push&ebx
03C5441E&|.&56&push&esi
03C5441F&|.&8B75&08&mov&esi,&dword&ptr&[ebp+8]
03C54422&|.&57&push&edi
03C54423&|.&8D7D&E4&lea&edi,&dword&ptr&[ebp-1C]
03C54426&|.&FF75&08&push&dword&ptr&[ebp+8]
03C54429&|.&A5&movs&dword&ptr&es:[edi],&dword&ptr&[e&
03C5442A&|.&A5&movs&dword&ptr&es:[edi],&dword&ptr&[e&
03C5442B&|.&A5&movs&dword&ptr&es:[edi],&dword&ptr&[e&
03C5442C&|.&A5&movs&dword&ptr&es:[edi],&dword&ptr&[e&
03C5442D&|.&E8&&call&03C5476A
03C54432&|.&33DB&xor&ebx,&ebx
03C54434&|.&33C0&xor&eax,&eax
03C54436&|.&8D7D&D6&lea&edi,&dword&ptr&[ebp-2A]
03C54439&|.&66:895D&D4&mov&word&ptr&[ebp-2C],&bx
03C5443D&|.&AB&stos&dword&ptr&es:[edi]
03C5443E&|.&AB&stos&dword&ptr&es:[edi]
03C5443F&|.&59&pop&ecx
03C54440&|.&AB&stos&dword&ptr&es:[edi]
03C54441&|.&53&push&ebx&;&/Protocol&=&&IPPROTO_IP
03C54442&|.&6A&01&push&1&;&|Type&=&SOCK_STREAM
03C54444&|.&6A&02&push&2&;&|Family&=&AF_INET
03C54446&|.&66:AB&stos&word&ptr&es:[edi]&;&|
03C54448&|.&FF15&&call&dword&ptr&[&&WS2_32.#23&]&;&\socket
03C5444E&|.&8B7D&EC&mov&edi,&dword&ptr&[ebp-14]
03C54451&|.&FF75&F0&push&dword&ptr&[ebp-10]&;&/NetShort
03C54454&|.&8BF0&mov&esi,&eax&;&|
03C54456&|.&66:C745&D4&02&mov&word&ptr&[ebp-2C],&2&;&|
03C5445C&|.&8975&08&mov&dword&ptr&[ebp+8],&esi&;&|
03C5445F&|.&897D&D8&mov&dword&ptr&[ebp-28],&edi&;&|
03C54462&|.&FF15&&call&dword&ptr&[&&WS2_32.#9&]&;&\ntohs
03C54468&|.&66:8945&D6&mov&word&ptr&[ebp-2A],&ax
03C5446C&|.&8B45&E4&mov&eax,&dword&ptr&[ebp-1C]
03C5446F&|.&3958&08&cmp&dword&ptr&[eax+8],&ebx
03C54472&|.&0F85&C4020000&jnz&03C5473C
03C54478&|.&8B1D&4C61C503&mov&ebx,&dword&ptr&[&&WS2_32.#12&]&;&WS2_32.inet_ntoa
03C5447E&|.&57&push&edi
03C5447F&|.&FFD3&call&ebx&;&&&WS2_32.#12&
03C54481&|.&50&push&eax
03C54482&|.&68&BC85C503&push&03C585BC&;&ASCII&&socketthread&start&connect&ip&%s!&,LF
03C54487&|.&56&push&esi
03C54488&|.&E8&3B030000&call&03C547C8
03C5448D&|.&83C4&0C&add&esp,&0C
03C54490&|.&8D45&D4&lea&eax,&dword&ptr&[ebp-2C]
03C54493&|.&6A&10&push&10&;&/AddrLen&=&10&(16.)
03C54495&|.&50&push&eax&;&|pSockAddr
03C54496&|.&56&push&esi&;&|Socket
03C54497&|.&FF15&&call&dword&ptr&[&&WS2_32.#4&]&;&\connect
03C5449D&|.&83F8&FF&cmp&eax,&-1
03C544A0&|.&57&push&edi
03C544A1&|.&75&17&jnz&short&03C544BA
03C544A3&|.&FFD3&call&ebx
03C544A5&|.&50&push&eax
03C544A6&|.&68&&push&03C58598&;&ASCII&&socketthread&connect&ip&%s&failed!&,LF
03C544AB&|.&56&push&esi
03C544AC&|.&E8&&call&03C547C8
03C544B1&|.&83C4&0C&add&esp,&0C
03C544B4&|.&8365&FC&00&and&dword&ptr&[ebp-4],&0
03C544B8&|.&EB&18&jmp&short&03C544D2
03C544BA&|&&FFD3&call&ebx
03C544BC&|.&50&push&eax
03C544BD&|.&68&&push&03C58574&;&ASCII&&socketthread&connect&ip&%s&success!&
03C544C2&|.&56&push&esi
03C544C3&|.&E8&&call&03C547C8
03C544C8&|.&83C4&0C&add&esp,&0C
03C544CB&|.&C745&FC&01000&mov&dword&ptr&[ebp-4],&1
03C544D2&|&&8B45&E4&mov&eax,&dword&ptr&[ebp-1C]
03C544D5&|.&&cmp&dword&ptr&[eax+8],&0
03C544D9&|.&0F85&5D020000&jnz&03C5473C
03C544DF&|.&6A&18&push&18
03C544E1&|.&8970&04&mov&dword&ptr&[eax+4],&esi
03C544E4&|.&E8&&call&03C5474C
03C544E9&|.&8BF8&mov&edi,&eax
03C544EB&|.&59&pop&ecx
03C544EC&|.&85FF&test&edi,&edi
03C544EE&|.&0F84&4F020000&je&03C54743
03C544F4&|.&6A&18&push&18&;&/n&=&18&(24.)
03C544F6&|.&6A&00&push&0&;&|c&=&00
03C544F8&|.&57&push&edi&;&|s
03C544F9&|.&E8&A8120000&call&&jmp.&MSVCRT.memset&&;&\memset
03C544FE&|.&8B45&FC&mov&eax,&dword&ptr&[ebp-4]
03C54501&|.&57&push&edi
03C54502&|.&FF75&E8&push&dword&ptr&[ebp-18]
03C54505&|.&8947&04&mov&dword&ptr&[edi+4],&eax
03C54508&|.&FF75&E4&push&dword&ptr&[ebp-1C]
03C5450B&|.&E8&6F020000&call&03C5477F
03C54510&|.&83C4&18&add&esp,&18
03C54513&|.&837D&FC&00&cmp&dword&ptr&[ebp-4],&0
03C54517&|.&0F84&&je&03C54743
03C5451D&|.&33C0&xor&eax,&eax
03C5451F&|.&8D7D&F6&lea&edi,&dword&ptr&[ebp-A]
03C54522&|.&66:AB&stos&word&ptr&es:[edi]
03C54524&|.&8D45&F4&lea&eax,&dword&ptr&[ebp-C]
03C54527&|.&6A&04&push&4&;&/DataSize&=&4
03C54529&|.&50&push&eax&;&|Data
03C5452A&|.&68&&push&80&;&|Option&=&SO_LINGER
03C5452F&|.&68&FFFF0000&push&0FFFF&;&|Level&=&SOL_SOCKET
03C54534&|.&56&push&esi&;&|Socket
03C54535&|.&66:C745&F4&01&mov&word&ptr&[ebp-C],&1&;&|
03C5453B&|.&66:C745&F6&03&mov&word&ptr&[ebp-A],&3&;&|
03C54541&|.&FF15&1C61C503&call&dword&ptr&[&&WS2_32.#21&]&;&\setsockopt
03C54547&|.&80A5&C8D6FFFF&and&byte&ptr&[ebp-2938],&0
03C5454E&|.&B9&FF090000&mov&ecx,&9FF
03C54553&|.&33C0&xor&eax,&eax
03C54555&|.&8DBD&C9D6FFFF&lea&edi,&dword&ptr&[ebp-2937]
03C5455B&|.&F3:AB&rep&stos&dword&ptr&es:[edi]
03C5455D&|.&66:AB&stos&word&ptr&es:[edi]
03C5455F&|.&AA&stos&byte&ptr&es:[edi]
03C54560&|.&8365&FC&00&and&dword&ptr&[ebp-4],&0
03C54564&|.&6A&40&push&40
03C54566&|.&59&pop&ecx
03C54567&|.&33C0&xor&eax,&eax
03C54569&|.&8DBD&CCFEFFFF&lea&edi,&dword&ptr&[ebp-134]
03C5456F&|.&F3:AB&rep&stos&dword&ptr&es:[edi]
03C54571&|.&8D7D&D0&lea&edi,&dword&ptr&[ebp-30]
03C54574&|.&AB&stos&dword&ptr&es:[edi]
03C54575&|.&2145&CC&and&dword&ptr&[ebp-34],&eax
03C54578&|.&C745&D0&F4010&mov&dword&ptr&[ebp-30],&1F4
03C5457F&|&&8D45&CC&/lea&eax,&dword&ptr&[ebp-34]
03C54582&|.&8D8D&C8FEFFFF&|lea&ecx,&dword&ptr&[ebp-138]
03C54588&|.&50&|push&eax&;&/pTimeout
03C54589&|.&33C0&|xor&eax,&eax&;&|
03C5458B&|.&50&|push&eax&;&|Exceptfds&=&&NULL
03C5458C&|.&50&|push&eax&;&|Writefds&=&&NULL
03C5458D&|.&51&|push&ecx&;&|Readfds
03C5458E&|.&50&|push&eax&;&|nfds&=&&0
03C5458F&|.&89B5&CCFEFFFF&|mov&dword&ptr&[ebp-134],&esi&;&|
03C54595&|.&C785&C8FEFFFF&|mov&dword&ptr&[ebp-138],&1&;&|
03C5459F&|.&FF15&&|call&dword&ptr&[&&WS2_32.#18&]&;&\select
03C545A5&|.&33FF&|xor&edi,&edi
03C545A7&|.&83F8&FF&|cmp&eax,&-1
03C545AA&|.&897D&F8&|mov&dword&ptr&[ebp-8],&edi
03C545AD&|.&74&20&|je&short&03C545CF
03C545AF&|.&8D85&C8FEFFFF&|lea&eax,&dword&ptr&[ebp-138]
03C545B5&|.&50&|push&eax
03C545B6&|.&56&|push&esi
03C545B7&|.&E8&7E100000&|call&&jmp.&WS2_32.#151&
03C545BC&|.&85C0&|test&eax,&eax
03C545BE&|.&75&1E&|jnz&short&03C545DE
03C545C0&|.&8B45&E4&|mov&eax,&dword&ptr&[ebp-1C]
03C545C3&|.&8B40&08&|mov&eax,&dword&ptr&[eax+8]
03C545C6&|.&85C0&|test&eax,&eax
03C545C8&|.&8945&FC&|mov&dword&ptr&[ebp-4],&eax
03C545CB&|.^&74&B2&|je&short&03C5457F
03C545CD&|.&EB&74&|jmp&short&03C54643
03C545CF&|&&68&&|push&03C58564&;&ASCII&&select&error&
03C545D4&|.&56&|push&esi
03C545D5&|.&E8&EE010000&|call&03C547C8
03C545DA&|.&59&|pop&ecx
03C545DB&|.&59&|pop&ecx
03C545DC&|.&EB&65&|jmp&short&03C54643
03C545DE&|&&BF&&|mov&edi,&2800
03C545E3&|.&8D85&C8D6FFFF&|lea&eax,&dword&ptr&[ebp-2938]
03C545E9&|.&57&|push&edi&;&/n&=&&.)
03C545EA&|.&6A&00&|push&0&;&|c&=&00
03C545EC&|.&50&|push&eax&;&|s
03C545ED&|.&E8&B4110000&|call&&jmp.&MSVCRT.memset&&;&\memset
03C545F2&|.&83C4&0C&|add&esp,&0C
03C545F5&|.&8D85&C8D6FFFF&|lea&eax,&dword&ptr&[ebp-2938]
03C545FB&|.&6A&00&|push&0&;&/Flags&=&0
03C545FD&|.&57&|push&edi&;&|BufSize
03C545FE&|.&50&|push&eax&;&|Buffer
03C545FF&|.&56&|push&esi&;&|Socket
03C54600&|.&FF15&&|call&dword&ptr&[&&WS2_32.#16&]&;&\recv
03C54606&|.&8BF8&|mov&edi,&eax
03C54608&|.&FF15&&|call&dword&ptr&[&&WS2_32.#111&]&;&[WSAGetLastError
03C5460E&|.&8B4D&E4&|mov&ecx,&dword&ptr&[ebp-1C]
03C54611&|.&8945&F8&|mov&dword&ptr&[ebp-8],&eax
03C54614&|.&&|cmp&dword&ptr&[ecx+8],&0
03C54618&|.&74&1D&|je&short&03C54637
03C5461A&|.&FF75&EC&|push&dword&ptr&[ebp-14]
03C5461D&|.&FFD3&|call&ebx
03C5461F&|.&50&|push&eax
03C54620&|.&68&3C85C503&|push&03C5853C&;&ASCII&&socketthread&connect&ip&%s&notify&exit!&
03C54625&|.&56&|push&esi
03C54626&|.&E8&9D010000&|call&03C547C8
03C5462B&|.&83C4&0C&|add&esp,&0C
03C5462E&|.&C745&FC&01000&|mov&dword&ptr&[ebp-4],&1
03C54635&|.&EB&0C&|jmp&short&03C54643
03C54637&|&&83FF&FF&|cmp&edi,&-1
03C5463A&|.&75&07&|jnz&short&03C54643
03C5463C&|.&3D&4C270000&|cmp&eax,&274C
03C54641&|.&74&5C&|je&short&03C5469F
03C54643&|&&6A&18&|push&18
03C54645&|.&E8&&|call&03C5474C
03C5464A&|.&8BF0&|mov&esi,&eax
03C5464C&|.&59&|pop&ecx
03C5464D&|.&85F6&|test&esi,&esi
03C5464F&|.&0F84&DD000000&|je&03C54732
03C54655&|.&6A&18&|push&18&;&/n&=&18&(24.)
03C54657&|.&6A&00&|push&0&;&|c&=&00
03C54659&|.&56&|push&esi&;&|s
03C5465A&|.&E8&&|call&&jmp.&MSVCRT.memset&&;&\memset
03C5465F&|.&83C4&0C&|add&esp,&0C
03C54662&|.&85FF&|test&edi,&edi
03C54664&|.&7E&4A&|jle&short&03C546B0
03C54666&|.&837D&FC&00&|cmp&dword&ptr&[ebp-4],&0
03C5466A&|.&75&42&|jnz&short&03C546AE
03C5466C&|.&57&|push&edi
03C5466D&|.&C746&08&01000&|mov&dword&ptr&[esi+8],&1
03C54674&|.&897E&14&|mov&dword&ptr&[esi+14],&edi
03C54677&|.&E8&D0000000&|call&03C5474C
03C5467C&|.&8D8D&C8D6FFFF&|lea&ecx,&dword&ptr&[ebp-2938]
03C54682&|.&57&|push&edi&;&/n
03C54683&|.&51&|push&ecx&;&|src
03C54684&|.&50&|push&eax&;&|dest
03C54685&|.&8946&10&|mov&dword&ptr&[esi+10],&eax&;&|
03C54688&|.&E8&&|call&&jmp.&MSVCRT.memcpy&&;&\memcpy
03C5468D&|.&56&|push&esi
03C5468E&|.&FF75&E8&|push&dword&ptr&[ebp-18]
03C54691&|.&FF75&E4&|push&dword&ptr&[ebp-1C]
03C54694&|.&E8&E6000000&|call&03C5477F&;&向窗体发送消息
03C54699&|.&8B75&08&|mov&esi,&dword&ptr&[ebp+8]
03C5469C&|.&83C4&1C&|add&esp,&1C
03C5469F&|&&837D&FC&00&|cmp&dword&ptr&[ebp-4],&0
03C546A3&|.^&0F84&D6FEFFFF&\je&03C5457F
03C546A9&|.&E9&&jmp&03C54735
03C546AE&|&&85FF&test&edi,&edi
03C546B0&|&&FF75&D8&push&dword&ptr&[ebp-28]
03C546B3&|.&75&24&jnz&short&03C546D9
03C546B5&|.&FFD3&call&ebx
03C546B7&|.&FF75&D6&push&dword&ptr&[ebp-2A]&;&/NetShort
03C546BA&|.&8BF8&mov&edi,&eax&;&|
03C546BC&|.&FF15&2C61C503&call&dword&ptr&[&&WS2_32.#15&]&;&\ntohs
03C546C2&|.&0FB7C0&movzx&eax,&ax
03C546C5&|.&50&push&eax
03C546C6&|.&57&push&edi
03C546C7&|.&68&FC84C503&push&03C584FC
03C546CC&|.&FF75&08&push&dword&ptr&[ebp+8]
03C546CF&|.&E8&F4000000&call&03C547C8
03C546D4&|.&83C4&10&add&esp,&10
03C546D7&|.&EB&25&jmp&short&03C546FE
03C546D9&|&&FFD3&call&ebx
03C546DB&|.&FF75&F8&push&dword&ptr&[ebp-8]
03C546DE&|.&8BF8&mov&edi,&eax
03C546E0&|.&FF75&D6&push&dword&ptr&[ebp-2A]&;&/NetShort
03C546E3&|.&FF15&2C61C503&call&dword&ptr&[&&WS2_32.#15&]&;&\ntohs
03C546E9&|.&0FB7C0&movzx&eax,&ax
03C546EC&|.&50&push&eax
03C546ED&|.&57&push&edi
03C546EE&|.&68&C084C503&push&03C584C0
03C546F3&|.&FF75&08&push&dword&ptr&[ebp+8]
03C546F6&|.&E8&CD000000&call&03C547C8
03C546FB&|.&83C4&14&add&esp,&14
03C546FE&|&&6A&01&push&1
03C54700&|.&58&pop&eax
03C54701&|.&56&push&esi
03C54702&|.&8946&08&mov&dword&ptr&[esi+8],&eax
03C54705&|.&FF75&E8&push&dword&ptr&[ebp-18]
03C54708&|.&8946&0C&mov&dword&ptr&[esi+C],&eax
03C5470B&|.&FF75&E4&push&dword&ptr&[ebp-1C]
03C5470E&|.&E8&6C000000&call&03C5477F
03C54713&|.&83C4&0C&add&esp,&0C
03C54716&|.&FF75&F8&push&dword&ptr&[ebp-8]
03C54719&|.&FF75&FC&push&dword&ptr&[ebp-4]
03C5471C&|.&FF75&EC&push&dword&ptr&[ebp-14]
03C5471F&|.&FFD3&call&ebx
03C54721&|.&50&push&eax
03C54722&|.&68&7C84C503&push&03C5847C
03C54727&|.&FF75&08&push&dword&ptr&[ebp+8]
03C5472A&|.&E8&&call&03C547C8
03C5472F&|.&83C4&14&add&esp,&14
03C54732&|&&8B75&08&mov&esi,&dword&ptr&[ebp+8]
03C54735&|&&8B45&E4&mov&eax,&dword&ptr&[ebp-1C]
03C54738&|.&8348&04&FF&or&dword&ptr&[eax+4],&FFFFFFFF
03C5473C&|&&56&push&esi&;&/Socket
03C5473D&|.&FF15&&call&dword&ptr&[&&WS2_32.#3&]&;&\closesocket
03C54743&|&&5F&pop&edi
03C54744&|.&5E&pop&esi
03C54745&|.&33C0&xor&eax,&eax
03C54747&|.&5B&pop&ebx
03C54748&|.&C9&leave
03C54749&\.&C2&0400&retn&4
相信不用我多做解释也能弄清这段代码的功能:
socket -> connect -> … -> recv -> memcpy -> call sub_03C5477F -> closesocket
创建套接字,连接,进入数据接收Loop,每接收到数据后把数据copy到另一个地方,进入sub_03C5477F过程进行处理,最后是关闭套接字。
进入sub_03C5477F后会发现向窗体发送了自定义消息:
03C5477F&/$&8B4424&04&mov&eax,&dword&ptr&[esp+4]
03C54783&|.&56&push&esi
03C54784&|.&8B7424&10&mov&esi,&dword&ptr&[esp+10]
03C54788&|.&FF7424&0C&push&dword&ptr&[esp+C]&;&/hWnd&=&0023020E&
('TCPModuleWindow_6_',class='TCPModuleWindow_6_')
03C5478C&|.&8B40&10&mov&eax,&dword&ptr&[eax+10]&;&|
03C5478F&|.&8906&mov&dword&ptr&[esi],&eax&;&|
03C54791&|.&FF15&CC60C503&call&dword&ptr&[&&USER32.IsWindow&]&;&\IsWindow
03C54797&|.&85C0&test&eax,&eax
03C54799&|.&74&16&je&short&03C547B1
03C5479B&|.&6A&00&push&0&;&/lParam&=&0
03C5479D&|.&56&push&esi&;&|wParam
03C5479E&|.&68&D3050000&push&5D3&;&|Message&=&MSG(5D3)
03C547A3&|.&FF7424&18&push&dword&ptr&[esp+18]&;&|hWnd
03C547A7&|.&FF15&D060C503&call&dword&ptr&[&&USER32.PostMessageA&;&\PostMessageA
03C547AD&|.&85C0&test&eax,&eax
03C547AF&|.&75&15&jnz&short&03C547C6
03C547B1&|&&8B46&10&mov&eax,&dword&ptr&[esi+10]
03C547B4&|.&85C0&test&eax,&eax
03C547B6&|.&74&07&je&short&03C547BF
03C547B8&|.&50&push&eax
03C547B9&|.&E8&ACFFFFFF&call&03C5476A
03C547BE&|.&59&pop&ecx
03C547BF&|&&56&push&esi
03C547C0&|.&E8&A5FFFFFF&call&03C5476A
03C547C5&|.&59&pop&ecx
03C547C6&|&&5E&pop&esi
03C547C7&\.&C3&retn
07FDD608&0023020E&|hWnd&=&23020E
07FDD60C&&|Message&=&MSG(5D3)
07FDD610&015FFD48&|wParam&=&15FFD48
07FDD614&&\lParam&=&0
我们关心的是:
D0248&\hWnd&=&001D0248&
('TCPModuleWindow_11_1',class='TCPModuleWindow_11_1')
然而这个窗体在哪里呢?不好找啊,毕竟它是隐藏的,于是做做测试。
见楼下……
标 题:QQGame浅析系列(2) 从哪里开始
作 者:singsing
时 间:08-04-17 13:03
QQGame浅析系列(2) 从哪里开始 续楼上……
以下是我做的测试数据(使用“窗体列举”相关的工具检测窗体):
TCPModuleWindow_7_0
TCPModuleWindow_4_6
TCPModuleWindow_2_3
进入[欢乐斗地主]房间或者开始打牌
TCPModuleWindow_11_2
TCPModuleWindow_10_2
TCPModuleWindow_4_6
TCPModuleWindow_2_3
当从房间里退出到大厅时,TCPModuleWindow_10_2消失.
TCPModuleWindow_11_2
TCPModuleWindow_4_6
TCPModuleWindow_2_3
当又要进入房间时,TCPModuleWindow_11_2消失
第二次进入房间:
TCPModuleWindow_16_8
TCPModuleWindow_15_5
TCPModuleWindow_4_6
TCPModuleWindow_2_3
退出之大厅然后第三次进入房间:
TCPModuleWindow_18_6
TCPModuleWindow_17_3
TCPModuleWindow_4_6
TCPModuleWindow_2_3
至此可以确定的是:与游戏相关的是后来出现的那两个,但不知具体是哪一个。
确定方法:在大厅时下断 bp RegisterClassA,双击某个节点(选择某一场)准备进入房间,中断。
堆栈提示:
C1468&/CALL&到&RegisterClassA&来自&SocialUI.039C1462
13CAA4&\pWndClass&=&0013CAA4
数据跟随pWndClass:
0013CAA8&039C146E&SocialUI.039C146E
0013CAB4&039C0000&SocialUI.039C0000
0013CAC8&039CC010&ASCII&&ANIMATE&
不是我们需要的,F9,第二次中断:
BC3B2B&/CALL&到&RegisterClassA&来自&NetMod.03BC3B25
3D318&\pWndClass&=&
数据跟随pWndClass:
0013D31C&03BC37C9&NetMod.03BC37C9
13D358&ASCII&&TCPModuleWindow_6_&
这个是我们需要的,记下lpfnWndProc:03BC37C9(F9继续,第3、4、5……次中断都不是我们需要的,之后很多都不是,有点厌倦。但是最后我还是发现了第二个TCPModuleWindow……窗口与第一个的回调处理函数地址相同)。
转到地址:03BC37C9
03BC37C9&/.&55&push&ebp
03BC37CA&|.&8BEC&mov&ebp,&esp
03BC37CC&|.&817D&0C&D3050&cmp&dword&ptr&[ebp+C],&5D3
03BC37D3&|.&75&22&jnz&short&03BC37F7
03BC37D5&|.&56&push&esi
03BC37D6&|.&BE&789CBC03&mov&esi,&03BC9C78
03BC37DB&|.&56&push&esi&;&/pCriticalSection&=&&NetMod.03BC9C78
03BC37DC&|.&FF15&1860BC03&call&dword&ptr&[&&KERNEL32.EnterCriti&;&\EnterCriticalSection
03BC37E2&|.&FF75&10&push&dword&ptr&[ebp+10]
03BC37E5&|.&B9&689CBC03&mov&ecx,&03BC9C68
03BC37EA&|.&E8&1E000000&call&03BC380D
03BC37EF&|.&56&push&esi&;&/pCriticalSection
03BC37F0&|.&FF15&1C60BC03&call&dword&ptr&[&&KERNEL32.LeaveCriti&;&\LeaveCriticalSection
03BC37F6&|.&5E&pop&esi
03BC37F7&|&&FF75&14&push&dword&ptr&[ebp+14]&;&/lParam
03BC37FA&|.&FF75&10&push&dword&ptr&[ebp+10]&;&|wParam
03BC37FD&|.&FF75&0C&push&dword&ptr&[ebp+C]&;&|Message
03BC3800&|.&FF75&08&push&dword&ptr&[ebp+8]&;&|hWnd
03BC3803&|.&FF15&F460BC03&call&dword&ptr&[&&USER32.DefWindowPro&;&\DefWindowProcA
03BC3809&|.&5D&pop&ebp
03BC380A&\.&C2&1000&retn&10
看见没有?这里就是消息处理过程了,很容易就发现了5D3,那就是我们需要的。看下代码就知道:只处理自定义消息5D3,其他的就交给DefWindowProcA默认处理。我们主要看sub_03BC380D,此过程需要传递来的wParam参数作为参数。
03BC37E2 |. FF75 10 push dword ptr [ebp+10] 这一句就是引用了wParam参数,进入sub_03BC380D:
03BC380D&/$&8BC1&mov&eax,&ecx
03BC380F&|.&56&push&esi
03BC3810&|.&8B7424&08&mov&esi,&dword&ptr&[esp+8]
03BC3814&|.&57&push&edi
03BC3815&|.&8B50&04&mov&edx,&dword&ptr&[eax+4]
03BC3818&|.&8B0E&mov&ecx,&dword&ptr&[esi]
03BC381A&|.&8B02&mov&eax,&dword&ptr&[edx]
03BC381C&|&&3BC2&/cmp&eax,&edx
03BC381E&|.&74&37&|je&short&03BC3857
03BC3820&|.&3B48&08&|cmp&ecx,&dword&ptr&[eax+8]
03BC3823&|.&74&04&|je&short&03BC3829
03BC3825&|.&8B00&|mov&eax,&dword&ptr&[eax]
03BC3827&|.^&EB&F3&\jmp&short&03BC381C
03BC3829&|&&837E&08&00&cmp&dword&ptr&[esi+8],&0
03BC382D&|.&75&10&jnz&short&03BC383F
03BC382F&|.&33C0&xor&eax,&eax
03BC3831&|.&3946&04&cmp&dword&ptr&[esi+4],&eax
03BC3834&|.&0F94C0&sete&al
03BC3837&|.&50&push&eax
03BC3838&|.&E8&&call&03BC3F94
03BC383D&|.&EB&18&jmp&short&03BC3857
03BC383F&|&&837E&0C&00&cmp&dword&ptr&[esi+C],&0
03BC3843&|.&74&07&je&short&03BC384C
03BC3845&|.&E8&0F080000&call&03BC4059
03BC384A&|.&EB&0B&jmp&short&03BC3857
03BC384C&|&&FF76&14&push&dword&ptr&[esi+14]
03BC384F&|.&FF76&10&push&dword&ptr&[esi+10]
03BC3852&|.&E8&B9070000&call&03BC4010
03BC3857&|&&E8&0C1F0000&call&03BC5768
03BC385C&|.&8BF8&mov&edi,&eax
03BC385E&|.&85FF&test&edi,&edi
03BC3860&|.&74&17&je&short&03BC3879
03BC3862&|.&8B46&10&mov&eax,&dword&ptr&[esi+10]
03BC3865&|.&85C0&test&eax,&eax
03BC3867&|.&74&08&je&short&03BC3871
03BC3869&|.&8B17&mov&edx,&dword&ptr&[edi]
03BC386B&|.&50&push&eax
03BC386C&|.&8BCF&mov&ecx,&edi
03BC386E&|.&FF52&0C&call&dword&ptr&[edx+C]
03BC3871&|&&8B07&mov&eax,&dword&ptr&[edi]
03BC3873&|.&56&push&esi
03BC3874&|.&8BCF&mov&ecx,&edi
03BC3876&|.&FF50&0C&call&dword&ptr&[eax+C]
03BC3879&|&&5F&pop&edi
03BC387A&|.&5E&pop&esi
03BC387B&\.&C2&0400&retn&4
03BC3810 |. 8B7424 08 mov esi, dword ptr [esp+8] 一句引用了参数,从
03BC384C&|&&FF76&14&push&dword&ptr&[esi+14]
03BC384F&|.&FF76&10&push&dword&ptr&[esi+10]
03BC3852&|.&E8&B9070000&call&03BC4010
可以看出这个参数应该是一个结构指针,把重要的字段压栈调用sub_03BC4010:
03BC4010&/$&56&push&esi
03BC4011&|.&8BF1&mov&esi,&ecx
03BC4013&|.&FF7424&0C&push&dword&ptr&[esp+C]
03BC4017&|.&68&EC82BC03&push&03BC82EC&;&ASCII&&OnRead&%d&,LF
03BC401C&|.&56&push&esi
03BC401D&|.&E8&67FEFFFF&call&03BC3E89
03BC4022&|.&8B46&30&mov&eax,&dword&ptr&[esi+30]
03BC4025&|.&83C4&0C&add&esp,&0C
03BC4028&|.&83F8&03&cmp&eax,&3
03BC402B&|.&74&14&je&short&03BC4041
03BC402D&|.&83F8&04&cmp&eax,&4
03BC4030&|.&74&0F&je&short&03BC4041
03BC4032&|.&50&push&eax
03BC4033&|.&68&CC82BC03&push&03BC82CC&;&ASCII&&status&error&to&onread&:&%d&,LF
03BC4038&|.&56&push&esi
03BC4039&|.&E8&82FEFFFF&call&03BC3EC0
03BC403E&|.&83C4&0C&add&esp,&0C
03BC4041&|&&8B4E&14&mov&ecx,&dword&ptr&[esi+14]
03BC4044&|.&5E&pop&esi
03BC4045&|.&85C9&test&ecx,&ecx
03BC4047&|.&74&0D&je&short&03BC4056
03BC4049&|.&FF7424&08&push&dword&ptr&[esp+8]
03BC404D&|.&8B01&mov&eax,&dword&ptr&[ecx]
03BC404F&|.&FF7424&08&push&dword&ptr&[esp+8]
03BC4053&|.&FF50&0C&call&dword&ptr&[eax+C]
03BC4056&\&&C2&0800&retn&8
有个提示:"OnRead %d",说明这里开始读取接收到的数据。注意了,中间有个"status error to onread : %d"提示,上面有两个跳转是跳过"status error to onread : %d"的,说明那两个跳转是跳到正确的地方处理,直接从03BC4041地址向下看。由于离子程序结束还有一个call,所以一定很重要,跟进。
02D22022&55&push&ebp
02D22023&8BEC&mov&ebp,&esp
02D22025&51&push&ecx
02D22026&53&push&ebx
02D22027&56&push&esi
02D22028&57&push&edi
02DD&0C&mov&edi,&dword&ptr&[ebp+C]
02D&mov&esi,&ecx
02D2202E&57&push&edi
02DF3D302&push&02D3F388&;&ASCII&&Begin&OnReceived&is&invoked&length=%d&
02DE&14&lea&ebx,&dword&ptr&[esi+14]
02D22037&53&push&ebx
02DD&FC&mov&dword&ptr&[ebp-4],&ebx
02D2203B&E8&878D0000&call&02D2ADC7
02D&D0060000&mov&eax,&dword&ptr&[esi+6D0]
02D&0C&add&esp,&0C
02DC38&lea&ecx,&dword&ptr&[eax+edi]
02D&&cmp&ecx,&10000&
02DF&A1000000&jg&02D220F9
02D22058&57&push&edi
02D0&D6060200&lea&eax,&dword&ptr&[eax+esi+206D6]&;&数据copy到这里
02D22060&FF75&08&push&dword&ptr&[ebp+8]
02D22063&50&push&eax
02D2D590100&call&&jmp.&MSVCRT.memcpy&
02D&0C&add&esp,&0C
02D2206C&01BE&D0060000&add&dword&ptr&[esi+6D0],&edi&;&数据大小保存在这里
02D&08&lea&eax,&dword&ptr&[ebp+8]
02D&0C&00&and&dword&ptr&[ebp+C],&0
02D22079&50&push&eax
02D&08&00&and&dword&ptr&[ebp+8],&0
02D&0C&lea&eax,&dword&ptr&[ebp+C]
02DE&D6060200&lea&ebx,&dword&ptr&[esi+206D6]&;&数据地址
02D22087&50&push&eax
02DE&FC&lea&ecx,&dword&ptr&[esi-4]
02D2208B&FFB6&D0060000&push&dword&ptr&[esi+6D0]&;&数据大小
02D22091&53&push&ebx&;&数据地址
02D210000&call&02D2226D
02D&mov&edi,&eax
02D22099&85FF&test&edi,&edi
02DD&jle&short&02D220BA
02D&D0060000&mov&eax,&dword&ptr&[esi+6D0]
02D220A3&2BC7&sub&eax,&edi
02D220A5&50&push&eax
02D220A6&8D043B&lea&eax,&dword&ptr&[ebx+edi]
02D220A9&50&push&eax
02D220AA&53&push&ebx
02D220AB&FF15&C8A0D302&call&dword&ptr&[&&MSVCRT.memmove&]&;&MSVCRT.memmove
02D220B1&83C4&0C&add&esp,&0C
02D220B4&29BE&D0060000&sub&dword&ptr&[esi+6D0],&edi
02D220BA&837D&0C&00&cmp&dword&ptr&[ebp+C],&0
02D220BE&74&26&je&short&02D220E6
02D220C0&FF75&08&push&dword&ptr&[ebp+8]
02D220C3&8D4E&FC&lea&ecx,&dword&ptr&[esi-4]
02D220C6&FF75&0C&push&dword&ptr&[ebp+C]
02D220C9&E8&F7020000&call&02D223C5
02D220CE&8B5D&0C&mov&ebx,&dword&ptr&[ebp+C]
02D220D1&E8&BA580100&call&02D37990
02D220D6&85C0&test&eax,&eax
02D220D8&74&0C&je&short&02D220E6
02D220DA&85DB&test&ebx,&ebx
02D220DC&74&08&je&short&02D220E6
02D220DE&8B10&mov&edx,&dword&ptr&[eax]
02D220E0&53&push&ebx
02D220E1&8BC8&mov&ecx,&eax
02D220E3&FF52&0C&call&dword&ptr&[edx+C]
02D220E6&85FF&test&edi,&edi
02D220E8&7E&1C&jle&short&02D22106
02D220EA&83BE&D&cmp&dword&ptr&[esi+6D0],&0
02D220F1&^&0F8F&7BFFFFFF&jg&02D22072
02D220F7&EB&0D&jmp&short&02D22106
02D220F9&68&70F3D302&push&02D3F370&;&ASCII&&Receivebuffer&overflow!&
02D220FE&53&push&ebx
02D220FF&E8&25D90000&call&02D2FA29
02D22104&59&pop&ecx
02D22105&59&pop&ecx
02DF3D302&push&02D3F360&;&ASCII&&End&OnReceived&
02D2210B&FF75&FC&push&dword&ptr&[ebp-4]
02D2210E&E8&B48C0000&call&02D2ADC7
02D22113&59&pop&ecx
02D22114&59&pop&ecx
02D22115&5F&pop&edi
02D22116&5E&pop&esi
02D22117&5B&pop&ebx
02D22118&C9&leave
02D20&retn&8
整体浏览一下就会发现这里是进一步处理接收数据的,02D22029地址往下使用格式串"Begin OnReceived is invoked length=%d",很明显参数[ebp+C]是数据大小。
跟进sub_02D2ADC7后发现,这个子过程不是我们所关心的。
*******************************************************************************
*后面还有很多类似的带有字符串提示的子过程,其实都不需要跟进,估计是调试需要*
*******************************************************************************
初步判断:
02D210000&call&02D2226D&;进入解密
02D220C9&E8&F7020000&call&02D223C5&;明文派发
为什么会有这样的结论呢?看看上下文的字符串提示,以及夹在中间的memmove,可以这样假想:进入sub_02D2226D解密,解密完成之后把数据copy到一个地址,然后进入sub_02D223C5进一步对数据处理。当然这里只是猜测,不一定正确。
cmp ecx, 10000 一句是判断接收的数据大小是否过大的(超过则跳到"Receivebuffer overflow!"分支)。然后使用memcpy将数据内容copy到一个地址中,再进入sub_02D2226D处理,跟进:
02D2226D&55&push&ebp
02D2226E&8BEC&mov&ebp,&esp
02D22270&51&push&ecx
02D22271&51&push&ecx
02D22272&53&push&ebx
02D22273&56&push&esi
02D&mov&esi,&ecx
02D22276&57&push&edi
02DCF4D302&push&02D3F48C&;&ASCII&&Begin&OnReadPackage&
02DE&18&lea&edi,&dword&ptr&[esi+18]
02D2227F&57&push&edi
02DD&FC&mov&dword&ptr&[ebp-4],&edi
02D2F8B0000&call&02D2ADC7
02DD&08&mov&ebx,&dword&ptr&[ebp+8]
02D&xor&eax,&eax
02D2228D&59&pop&ecx
02D&cmp&ebx,&eax
02D22290&59&pop&ecx
02D&F8&mov&dword&ptr&[ebp-8],&eax
02D&FA000000&je&02D22394
02D&0C&cmp&dword&ptr&[ebp+C],&eax
02DE&F1000000&jle&02D22394
02D222A3&0&cmp&dword&ptr&[esi+6C8],&eax
02D222A9&0F84&E5000000&je&02D22394
02D222AF&8D7E&5C&lea&edi,&dword&ptr&[esi+5C]
02D222B2&68&&push&118
02D222B7&50&push&eax
02D222B8&57&push&edi
02D222B9&E8&4E570100&call&&jmp.&MSVCRT.memset&
02D222BE&8B8E&C8060000&mov&ecx,&dword&ptr&[esi+6C8]
02D222C4&&and&dword&ptr&[ebp+8],&0
02D222C8&83C4&0C&add&esp,&0C
02D222CB&66:C707&1801&mov&word&ptr&[edi],&118
02D222D0&8B7D&0C&mov&edi,&dword&ptr&[ebp+C]
02D222D3&8B01&mov&eax,&dword&ptr&[ecx]
02D222D5&57&push&edi
02D222D6&53&push&ebx
02D222D7&FF50&0C&call&dword&ptr&[eax+C]
02D222DA&83FF&02&cmp&edi,&2
02D222DD&0F8C&A2000000&jl&02D22385
02D222E3&8B8E&C8060000&mov&ecx,&dword&ptr&[esi+6C8]
02D222E9&8D55&08&lea&edx,&dword&ptr&[ebp+8]
02D222EC&52&push&edx
02D222ED&8B01&mov&eax,&dword&ptr&[ecx]
02D222EF&FF50&1C&call&dword&ptr&[eax+1C]
02D222F2&8B45&08&mov&eax,&dword&ptr&[ebp+8]
02D222F5&0FB7C8&movzx&ecx,&ax
02D222F8&3BF9&cmp&edi,&ecx
02D222FA&7C&77&jl&short&02D22373
02D222FC&FFB6&C8060000&push&dword&ptr&[esi+6C8]
02DD&F8&mov&dword&ptr&[ebp-8],&ecx
02D22305&8BCE&mov&ecx,&esi
02D6&5E&mov&word&ptr&[esi+5E],&ax
02D2230B&E8&31E10000&call&02D30441
02DE&C8060000&mov&ecx,&dword&ptr&[esi+6C8]
02D&mov&eax,&dword&ptr&[ecx]
02D22318&FF50&24&call&dword&ptr&[eax+24]
02DD&08&movzx&edi,&word&ptr&[ebp+8]
02D&add&ebx,&eax
02D&sub&edi,&eax
02D2&01&test&byte&ptr&[esi+70],&1
02D&je&short&02D2233A
02D22329&FF75&14&push&dword&ptr&[ebp+14]
02D2232C&8BCE&mov&ecx,&esi
02D2232E&FF75&10&push&dword&ptr&[ebp+10]
02D22331&57&push&edi
02D22332&53&push&ebx
02D2E10000&call&02D304AC
02D22338&EB&24&jmp&short&02D2235E
02D2233A&57&push&edi
02DE&49&lea&ecx,&dword&ptr&[esi+49]
02D2233E&FF75&10&push&dword&ptr&[ebp+10]
02D2D0000&call&02D2309C
02D&test&eax,&eax
02D&je&short&02D2235E
02D&10&mov&eax,&dword&ptr&[ebp+10]
02D2234D&57&push&edi
02D2234E&53&push&ebx
02D2234F&FF30&push&dword&ptr&[eax]
02D260100&call&&jmp.&MSVCRT.memcpy&
02D&14&mov&eax,&dword&ptr&[ebp+14]
02D&0C&add&esp,&0C
02D&mov&dword&ptr&[eax],&edi
02D2235E&FF75&F8&push&dword&ptr&[ebp-8]
02DCF4D302&push&02D3F46C&;&ASCII&&Dispatch&one&package&length=%d&
02D22366&FF75&FC&push&dword&ptr&[ebp-4]
02D2A0000&call&02D2ADC7
02D&0C&add&esp,&0C
02D22371&EB&12&jmp&short&02D22385
02D22373&51&push&ecx
02D22374&57&push&edi
02DF4D302&push&02D3F448&;&ASCII&&Not&enougth&to&be&one&package&%d&%d&
02D2237A&FF75&FC&push&dword&ptr&[ebp-4]
02D2237D&E8&458A0000&call&02D2ADC7
02D&10&add&esp,&10
02D&C8060000&mov&esi,&dword&ptr&[esi+6C8]
02D2238B&8BCE&mov&ecx,&esi
02D&mov&eax,&dword&ptr&[esi]
02D2238F&FF50&10&call&dword&ptr&[eax+10]
02D22392&EB&18&jmp&short&02D223AC
02D22394&FFB6&C8060000&push&dword&ptr&[esi+6C8]
02D2239A&FF75&0C&push&dword&ptr&[ebp+C]
02D2239D&53&push&ebx
02DF4D302&push&02D3F430&;&ASCII&&param&error&%p&%d&%p&
02D223A3&57&push&edi
02D223A4&E8&80D60000&call&02D2FA29
02D223A9&83C4&14&add&esp,&14
02D223AC&68&1CF4D302&push&02D3F41C&;&ASCII&&End&OnReadPackage&
02D223B1&FF75&FC&push&dword&ptr&[ebp-4]
02D223B4&E8&0E8A0000&call&02D2ADC7
02D223B9&8B45&F8&mov&eax,&dword&ptr&[ebp-8]
02D223BC&59&pop&ecx
02D223BD&59&pop&ecx
02D223BE&5F&pop&edi
02D223BF&5E&pop&esi
02D223C0&5B&pop&ebx
02D223C1&C9&leave
02D223C2&C2&1000&retn&10
整体浏览一下发现这里是解读封包参数的。凡是call到Utility领空的都不需要跟进,那里是解密的过程,否则就一去不能回了(主要是在代码的海洋里很容易晕)。例如在Utility领空有这样的字符串提示:
"DecodeInt16 %p",LF
"DecodeBuffer 0x%p %d",LF
"Param Error!",LF
ASCII "Read to end!",LF
所以可以暂时认为sub_02D2226D是解读数据参数的,下一步跟进
02D220C9&E8&F7020000&call&02D223C5
02D423C5&B8&4C7DD502&mov&eax,&02D57D4C
02D423CA&E8&&call&02D579E0
02D423CF&83EC&24&sub&esp,&24
02D423D2&56&push&esi
02D423D3&8BF1&mov&esi,&ecx
02D423D5&&and&dword&ptr&[ebp-1C],&0
02D423D9&8D4D&F3&lea&ecx,&dword&ptr&[ebp-D]
02D423DC&8B46&58&mov&eax,&dword&ptr&[esi+58]
02D423DF&51&push&ecx
02D423E0&8D4D&E4&lea&ecx,&dword&ptr&[ebp-1C]
02D423E3&51&push&ecx
02D423E4&50&push&eax
02D423E5&8D4D&D0&lea&ecx,&dword&ptr&[ebp-30]
02D423E8&E8&D3020000&call&02D426C0
02D423ED&8B46&50&mov&eax,&dword&ptr&[esi+50]
02D423F0&8365&FC&00&and&dword&ptr&[ebp-4],&0
02D423F4&8B08&mov&ecx,&dword&ptr&[eax]
02D423F6&3BC8&cmp&ecx,&eax
02D423F8&894D&EC&mov&dword&ptr&[ebp-14],&ecx
02D423FB&74&23&je&short&02D42420
02D423FD&57&push&edi
02D423FE&33FF&xor&edi,&edi
02D&EC&mov&eax,&dword&ptr&[ebp-14]
02DD&D4&mov&ecx,&dword&ptr&[ebp-2C]
02D&0C&mov&eax,&dword&ptr&[eax+C]
02DF&mov&dword&ptr&[edi+ecx],&eax
02DD&EC&lea&ecx,&dword&ptr&[ebp-14]
02D4240F&E8&0F050000&call&02D42923
02D&50&mov&eax,&dword&ptr&[esi+50]
02D&04&add&edi,&4
02D&EC&cmp&dword&ptr&[ebp-14],&eax
02D4241D&^&75&E1&jnz&short&02D42400
02D4241F&5F&pop&edi
02DD&D4&00&cmp&dword&ptr&[ebp-2C],&0
02D&je&short&02D42486
02D&D8&mov&eax,&dword&ptr&[ebp-28]
02D&mov&ecx,&eax
02DD&D4&sub&ecx,&dword&ptr&[ebp-2C]
02D4242E&F7C1&FCFFFFFF&test&ecx,&FFFFFFFC
02D&je&short&02D42486
02D&FC&mov&ecx,&dword&ptr&[eax-4]
02D&FC&add&eax,&-4
02DD&E8&mov&dword&ptr&[ebp-18],&ecx
02D4243F&50&push&eax
02DD&D0&lea&ecx,&dword&ptr&[ebp-30]
02D450000&call&02D42959
02D&E8&lea&eax,&dword&ptr&[ebp-18]
02DE&4C&lea&ecx,&dword&ptr&[esi+4C]
02D4244E&50&push&eax
02D&E0&lea&eax,&dword&ptr&[ebp-20]
02D42452&50&push&eax
02D440000&call&02D428E9
02D&E0&mov&eax,&dword&ptr&[ebp-20]
02D&50&cmp&eax,&dword&ptr&[esi+50]
02D4245E&^&74&C0&je&short&02D42420
02DD&E8&mov&ecx,&dword&ptr&[ebp-18]
02D&test&ecx,&ecx
02D42465&^&74&B9&je&short&02D42420
02D42467&FF75&0C&push&dword&ptr&[ebp+C]
02D&mov&eax,&dword&ptr&[ecx]
02D4246C&FF75&08&push&dword&ptr&[ebp+8]
02D4246F&FF50&14&call&dword&ptr&[eax+14]
02D&test&eax,&eax
02D42474&^&74&AA&je&short&02D42420
02DD&E8&mov&ecx,&dword&ptr&[ebp-18]
02D42479&FF75&0C&push&dword&ptr&[ebp+C]
02D&mov&eax,&dword&ptr&[ecx]
02D4247E&FF75&08&push&dword&ptr&[ebp+8]
02D42481&FF50&10&call&dword&ptr&[eax+10]&;&进
02D42484&^&EB&9A&jmp&short&02D42420
02DD&FC&FF&or&dword&ptr&[ebp-4],&FFFFFFFF
02DD&D0&lea&ecx,&dword&ptr&[ebp-30]
02D4248D&E8&7E020000&call&02D42710&;&善后处理
02DD&F4&mov&ecx,&dword&ptr&[ebp-C]
02D42495&5E&pop&esi
02DD&0000000&mov&dword&ptr&fs:[0],&ecx
02D4249D&C9&leave
02D4249E&C2&0800&retn&8
分析的结果反映在注释里,我们跟进
02D42481&call&dword&ptr&[eax+10]
这时从BaseProt领空进入了ScatProt领空。
标 题:QQGame浅析系列(3) ---山重水复疑无路(上)
作 者:singsing
时 间:2008-04-17 13:11
QQGame浅析系列(3)&---山重水复疑无路(上)
从BaseProt领空进入ScatProt领空:
043F60B7&.&56&push&esi
043F60B8&.&57&push&edi
043F60B9&FF7424&10&push&dword&ptr&[esp+10]&&&;&数据大小
043F60BD&.&8BF1&mov&esi,&ecx&;&|
043F60BF&.&FF7424&10&push&dword&ptr&[esp+10]&;&|Arg1
043F60C3&E8&1268FFFF&call&043EC8DA&;&\ScatProt.1000C8DA
043F60C8&.&8BF8&mov&edi,&eax
043F60CA&B8&44D04004&mov&eax,&&&&;&ASCII&&sucessfully&
043F60CF&.&85FF&test&edi,&edi
043F60D1&.&75&05&jnz&short&043F60D8
043F60D3&.&B8&3CD04004&mov&eax,&0440D03C&;&ASCII&&failed&
043F60D8&&&50&push&eax
043F60D9&.&83C6&14&add&esi,&14
043F60DC&.&68&28D04004&push&&&&&&&&&&&&&;&ASCII&&Package&decoded&%s&
043F60E1&.&56&push&esi
043F60E2&.&E8&C2290000&call&043F8AA9
043F60E7&.&83C4&0C&add&esp,&0C
043F60EA&.&8BC7&mov&eax,&edi
043F60EC&.&5F&pop&edi
043F60ED&.&5E&pop&esi
043F60EE&.&C2&0800&retn&8
看到那个"sucessfully"串提示了吗?说明前面一个call 043EC8DA完成了解密工作。当然要跟进了。
043EC8DA&/$&55&push&ebp
043EC8DB&|.&8BEC&mov&ebp,&esp
043EC8DD&|.&83EC&10&sub&esp,&10
043EC8E0&|.&53&push&ebx
043EC8E1&|.&8B5D&0C&mov&ebx,&dword&ptr&[ebp+C]
043EC8E4&|.&56&push&esi
043EC8E5&|.&8BF1&mov&esi,&ecx
043EC8E7&|.&57&push&edi
043EC8E8&|.&53&push&ebx
043EC8E9&|.&8B4E&4C&mov&ecx,&dword&ptr&[esi+4C]
043EC8EC&|.&FF75&08&push&dword&ptr&[ebp+8]
043EC8EF&|.&895E&60&mov&dword&ptr&[esi+60],&ebx
043EC8F2&|.&8B01&mov&eax,&dword&ptr&[ecx]
043EC8F4&|.&FF50&0C&call&dword&ptr&[eax+C]
043EC8F7&|.&66:&and&word&ptr&[ebp-10],&0
043EC8FC&|.&33C0&xor&eax,&eax
043EC8FE&|.&8D7D&F2&lea&edi,&dword&ptr&[ebp-E]
043EC901&|.&8BCE&mov&ecx,&esi
043EC903&|.&AB&stos&dword&ptr&es:[edi]
043EC904&|.&AB&stos&dword&ptr&es:[edi]
043EC905&|.&AB&stos&dword&ptr&es:[edi]
043EC906&|.&66:AB&stos&word&ptr&es:[edi]
043EC908&|.&8D45&F0&lea&eax,&dword&ptr&[ebp-10]
043EC90B&|.&50&push&eax
043EC90C&|.&FF76&4C&push&dword&ptr&[esi+4C]
043EC90F&|.&E8&2573FFFF&call&043E3C39
043EC914&|.&8B4E&4C&mov&ecx,&dword&ptr&[esi+4C]
043EC917&|.&&and&dword&ptr&[ebp+C],&0
043EC91B&|.&8BF8&mov&edi,&eax
043EC91D&|.&8D55&0C&lea&edx,&dword&ptr&[ebp+C]
043EC920&|.&8B01&mov&eax,&dword&ptr&[ecx]
043EC922&|.&52&push&edx
043EC923&|.&FF50&1C&call&dword&ptr&[eax+1C]
043EC926&|.&395D&0C&cmp&dword&ptr&[ebp+C],&ebx
043EC929&|.&7F&21&jg&short&043EC94C
043EC92B&|.&8B4E&4C&mov&ecx,&dword&ptr&[esi+4C]
043EC92E&|.&836D&0C&02&sub&dword&ptr&[ebp+C],&2
043EC932&|.&8B1E&mov&ebx,&dword&ptr&[esi]
043EC934&|.&8B01&mov&eax,&dword&ptr&[ecx]
043EC936&|.&FF50&30&call&dword&ptr&[eax+30]
043EC939&50&push&eax
043EC93A&8D45&F0&lea&eax,&dword&ptr&[ebp-10]
043EC93D&|.&FF75&0C&push&dword&ptr&[ebp+C]
043EC940&8BCE&mov&ecx,&esi
043EC942&|.&57&push&edi
043EC943&|.&50&push&eax
043EC944&|.&FF76&4C&push&dword&ptr&[esi+4C]
043EC947&|.&FF53&24&call&dword&ptr&[ebx+24]&;&进
043EC94A&|.&EB&37&jmp&short&043EC983
043EC94C&|&&8D7E&14&lea&edi,&dword&ptr&[esi+14]
043EC94F&|.&68&D0D04004&push&&
;&ASCII&LF,LF,&************************************&
043EC954&|.&57&push&edi
043EC955&|.&E8&2D91FFFF&call&043E5A87
043EC95A&|.&59&pop&ecx
043EC95B&|.&59&pop&ecx
043EC95C&|.&68&90D04004&push&&
;&ASCII&&Length&specified&in&package&is&bigger&than&total&package&size&
043EC961&|.&57&push&edi
043EC962&|.&E8&2091FFFF&call&043E5A87
043EC967&|.&59&pop&ecx
043EC968&|.&59&pop&ecx
043EC969&|.&68&78D04004&push&&;&ASCII&&Package&is&discarded!&
043EC96E&|.&57&push&edi
043EC96F&|.&E8&1391FFFF&call&043E5A87
043EC974&|.&59&pop&ecx
043EC975&|.&59&pop&ecx
043EC976&|.&68&50D04004&push&&
;&ASCII&&************************************&,LF,LF
043EC97B&|.&57&push&edi
043EC97C&|.&E8&0691FFFF&call&043E5A87
043EC981&|.&59&pop&ecx
043EC982&|.&59&pop&ecx
043EC983&|&&8B4E&4C&mov&ecx,&dword&ptr&[esi+4C]
043EC986&|.&8B01&mov&eax,&dword&ptr&[ecx]
043EC988&|.&FF50&10&call&dword&ptr&[eax+10]&;&过
043EC98B&|.&6A&01&push&1
043EC98D&|.&58&pop&eax
043EC98E&|.&5F&pop&edi
043EC98F&|.&5E&pop&esi
043EC990&|.&5B&pop&ebx
043EC991&|.&C9&leave
043EC992&\.&C2&0800&retn&8
跟进043EC947 |. FF53 24 call dword ptr [ebx+24] :
043ED50A&/.&55&push&ebp
043ED50B&|.&8BEC&mov&ebp,&esp
043ED50D&|.&56&push&esi
043ED50E&|.&57&push&edi
043ED50F&|.&8B7D&0C&mov&edi,&dword&ptr&[ebp+C]
043ED512&|.&8BF1&mov&esi,&ecx
043ED514&|.&66:837F&02&02&cmp&word&ptr&[edi+2],&2
043ED519&0F85&&jnz&043ED627
043ED51F&|.&0FBF07&movsx&eax,&word&ptr&[edi]
043ED522&|.&83E8&7D&sub&eax,&7D&;&Switch&(cases&7D..AF)
043ED525&0F84&E1000000&je&043ED60C
043ED52B&|.&83E8&03&sub&eax,&3
043ED52E&|.&0F84&B8000000&je&043ED5EC
043ED534&|.&48&dec&eax
043ED535&|.&0F84&&je&043ED5CC
043ED53B&|.&48&dec&eax
043ED53C&|.&48&dec&eax
043ED53D&|.&74&70&je&short&043ED5AF
043ED53F&|.&83E8&09&sub&eax,&9
043ED542&|.&74&4E&je&short&043ED592
043ED544&|.&83E8&1D&sub&eax,&1D
043ED547&|.&74&29&je&short&043ED572
043ED549&|.&83E8&06&sub&eax,&6
043ED54C&|.&0F85&D5000000&jnz&043ED627
043ED552&|.&8D46&14&lea&eax,&dword&ptr&[esi+14];&Case&AF&of&switch&043ED522
043ED555&|.&68&E8DB4004&push&0440DBE8&
;&ASCII&&Receive&notify&game&avatar&event&item&message&package&
043ED55A&|.&50&push&eax
043ED55B&|.&E8&49B50000&call&043F8AA9
043ED560&|.&59&pop&ecx
043ED561&|.&59&pop&ecx
043ED562&|.&FF75&08&push&dword&ptr&[ebp+8]&;&/Arg2
043ED565&|.&8BCE&mov&ecx,&esi&;&|
043ED567&|.&57&push&edi&;&|Arg1
043ED568&|.&E8&F9080000&call&043EDE66&;&\ScatProt.1000DE66
043ED56D&|.&E9&B5000000&jmp&043ED627
043ED572&|&&8D46&14&lea&eax,&dword&ptr&[esi+14]&;&Case&A9&of&switch&043ED522
043ED575&|.&68&B4DB4004&push&0440DBB4&
;&ASCII&&Receive&notify&update&game&avatar&message&package&
043ED57A&|.&50&push&eax
043ED57B&|.&E8&29B50000&call&043F8AA9
043ED580&|.&59&pop&ecx
043ED581&|.&59&pop&ecx
043ED582&|.&FF75&08&push&dword&ptr&[ebp+8]&;&/Arg2
043ED585&|.&8BCE&mov&ecx,&esi&;&|
043ED587&|.&57&push&edi&;&|Arg1
043ED588&|.&E8&FD070000&call&043EDD8A&;&\ScatProt.1000DD8A
043ED58D&|.&E9&&jmp&043ED627
043ED592&|&&8D46&14&lea&eax,&dword&ptr&[esi+14]&;&Case&8C&of&switch&043ED522
043ED595&|.&68&8CDB4004&push&0440DB8C&
;&ASCII&&Receive&notify&system&message&package&
043ED59A&|.&50&push&eax
043ED59B&|.&E8&09B50000&call&043F8AA9
043ED5A0&|.&59&pop&ecx
043ED5A1&|.&59&pop&ecx
043ED5A2&|.&FF75&08&push&dword&ptr&[ebp+8]&;&/Arg2
043ED5A5&|.&8BCE&mov&ecx,&esi&;&|
043ED5A7&|.&57&push&edi&;&|Arg1
043ED5A8&|.&E8&&call&043EDCF6&;&\ScatProt.1000DCF6
043ED5AD&|.&EB&78&jmp&short&043ED627
043ED5AF&|&&8D46&14&lea&eax,&dword&ptr&[esi+14]&;&Case&83&of&switch&043ED522
043ED5B2&|.&68&64DB4004&push&0440DB64&
;&ASCII&&Receive&notify&invite&to&play&package&
043ED5B7&|.&50&push&eax
043ED5B8&|.&E8&ECB40000&call&043F8AA9
043ED5BD&|.&59&pop&ecx
043ED5BE&|.&59&pop&ecx
043ED5BF&|.&FF75&08&push&dword&ptr&[ebp+8]&;&/Arg2
043ED5C2&|.&8BCE&mov&ecx,&esi&;&|
043ED5C4&|.&57&push&edi&;&|Arg1
043ED5C5&|.&E8&AE060000&call&043EDC78&;&\ScatProt.1000DC78
043ED5CA&|.&EB&5B&jmp&short&043ED627
043ED5CC&|&&8D46&14&lea&eax,&dword&ptr&[esi+14]&;&Case&81&of&switch&043ED522
043ED5CF&|.&68&3CDB4004&push&0440DB3C&
;&ASCII&&Receive&notify&table&message&package&
043ED5D4&|.&50&push&eax
043ED5D5&|.&E8&CFB40000&call&043F8AA9
043ED5DA&|.&59&pop&ecx
043ED5DB&|.&59&pop&ecx
043ED5DC&|.&FF75&14&push&dword&ptr&[ebp+14]
043ED5DF&|.&8BCE&mov&ecx,&esi
043ED5E1&|.&FF75&08&push&dword&ptr&[ebp+8]
043ED5E4&|.&57&push&edi
043ED5E5&|.&E8&3D050000&call&043EDB27
043ED5EA&|.&EB&3B&jmp&short&043ED627
043ED5EC&|&&8D46&14&lea&eax,&dword&ptr&[esi+14]&;&Case&80&of&switch&043ED522
043ED5EF&|.&68&18DB4004&push&0440DB18&
;&ASCII&&Receive&notify&room&message&package&
043ED5F4&|.&50&push&eax
043ED5F5&|.&E8&AFB40000&call&043F8AA9
043ED5FA&|.&59&pop&ecx
043ED5FB&|.&59&pop&ecx
043ED5FC&|.&FF75&14&push&dword&ptr&[ebp+14]
043ED5FF&|.&8BCE&mov&ecx,&esi
043ED601&|.&FF75&08&push&dword&ptr&[ebp+8]
043ED604&|.&57&push&edi
043ED605&|.&E8&D4030000&call&043ED9DE
043ED60A&|.&EB&1B&jmp&short&043ED627
043ED60C&8D46&14&lea&eax,&dword&ptr&[esi+14]
043ED60F&|.&68&F4DA4004&push&0440DAF4&;&ASCII&&Receive&notify&room&event&package&
043ED614&|.&50&push&eax
043ED615&|.&E8&8FB40000&call&043F8AA9
043ED61A&|.&59&pop&ecx
043ED61B&|.&59&pop&ecx
043ED61C&|.&FF75&08&push&dword&ptr&[ebp+8]
043ED61F&|.&8BCE&mov&ecx,&esi
043ED621&|.&57&push&edi
043ED622&|.&E8&&call&043ED66C
043ED627&|&&5F&pop&edi&;&Default&case&of&switch&043ED522
043ED628&|.&5E&pop&esi
043ED629&|.&5D&pop&ebp
043ED62A&\.&C2&1400&retn&14
跟进043ED622 |. E8 call 043ED66C:
043ED66C&/$&55&push&ebp
043ED66D&|.&8BEC&mov&ebp,&esp
043ED66F&|.&B8&9C510000&mov&eax,&519C
043ED674&|.&E8&271F0100&call&043FF5A0
043ED679&|.&53&push&ebx
043ED67A&|.&56&push&esi
043ED67B&|.&894D&FC&mov&dword&ptr&[ebp-4],&ecx
043ED67E&|.&57&push&edi
043ED67F&|.&33DB&xor&ebx,&ebx
043ED681&|.&8B75&0C&mov&esi,&dword&ptr&[ebp+C]
043ED684&|.&B9&&mov&ecx,&1464
043ED689&|.&33C0&xor&eax,&eax
043ED68B&|.&8DBD&66AEFFFF&lea&edi,&dword&ptr&[ebp+FFFFAE66]
043ED691&|.&66:899D&64AEF&mov&word&ptr&[ebp+FFFFAE64],&bx
043ED698&|.&F3:AB&rep&stos&dword&ptr&es:[edi]
043ED69A&|.&8D8D&64AEFFFF&lea&ecx,&dword&ptr&[ebp+FFFFAE64]
043ED6A0&|.&66:AB&stos&word&ptr&es:[edi]
043ED6A2&|.&8B06&mov&eax,&dword&ptr&[esi]
043ED6A4&|.&51&push&ecx
043ED6A5&|.&8BCE&mov&ecx,&esi
043ED6A7&|.&FF50&1C&call&dword&ptr&[eax+1C]
043ED6AA&|.&8B06&mov&eax,&dword&ptr&[esi]
043ED6AC&|.&8D8D&66AEFFFF&lea&ecx,&dword&ptr&[ebp+FFFFAE66]
043ED6B2&|.&51&push&ecx
043ED6B3&|.&8BCE&mov&ecx,&esi
043ED6B5&|.&FF50&1C&call&dword&ptr&[eax+1C]
043ED6B8&|.&66:8B85&66AEF&mov&ax,&word&ptr&[ebp+FFFFAE66]
043ED6BF&|.&66:3D&5A00&cmp&ax,&5A
043ED6C3&|.&66:8985&66AEF&mov&word&ptr&[ebp+FFFFAE66],&ax
043ED6CA&|.&7C&09&jl&short&043ED6D5
043ED6CC&|.&66:C785&66AEF&mov&word&ptr&[ebp+FFFFAE66],&5A
043ED6D5&|&&66:399D&66AEF&cmp&word&ptr&[ebp+FFFFAE66],&bx
043ED6DC&|.&895D&0C&mov&dword&ptr&[ebp+C],&ebx
043ED6DF&|.&0F8E&CA020000&jle&043ED9AF
043ED6E5&|.&8DBD&F6AEFFFF&lea&edi,&dword&ptr&[ebp+FFFFAEF6]
043ED6EB&|&&8B06&/mov&eax,&dword&ptr&[esi]
043ED6ED&|.&8D8F&72FFFFFF&|lea&ecx,&dword&ptr&[edi-8E]
043ED6F3&|.&51&|push&ecx
043ED6F4&|.&8BCE&|mov&ecx,&esi
043ED6F6&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED6F9&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED6FB&|.&8D8F&76FFFFFF&|lea&ecx,&dword&ptr&[edi-8A]
043ED701&|.&51&|push&ecx
043ED702&|.&8BCE&|mov&ecx,&esi
043ED704&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED707&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED709&|.&8D8F&78FFFFFF&|lea&ecx,&dword&ptr&[edi-88]
043ED70F&|.&51&|push&ecx
043ED710&|.&8BCE&|mov&ecx,&esi
043ED712&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED715&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED717&|.&8D8F&7AFFFFFF&|lea&ecx,&dword&ptr&[edi-86]
043ED71D&|.&51&|push&ecx
043ED71E&|.&8BCE&|mov&ecx,&esi
043ED720&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED723&|.&8B16&|mov&edx,&dword&ptr&[esi]
043ED725&|.&8D87&7BFFFFFF&|lea&eax,&dword&ptr&[edi-85]
043ED72B&|.&50&|push&eax
043ED72C&|.&8BCE&|mov&ecx,&esi
043ED72E&|.&FF52&14&|call&dword&ptr&[edx+14]
043ED731&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED733&|.&8D9F&7CFFFFFF&|lea&ebx,&dword&ptr&[edi-84]
043ED739&|.&53&|push&ebx
043ED73A&|.&8BCE&|mov&ecx,&esi
043ED73C&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED73F&|.&66:8B03&|mov&ax,&word&ptr&[ebx]
043ED742&|.&66:3D&1000&|cmp&ax,&10
043ED746&|.&73&05&|jnb&short&043ED74D
043ED748&|.&0FBFC0&|movsx&eax,&ax
043ED74B&|.&EB&03&|jmp&short&043ED750
043ED74D&|&&6A&10&|push&10
043ED74F&|.&58&|pop&eax
043ED750&|&&66:85C0&|test&ax,&ax
043ED753&|.&66:8903&|mov&word&ptr&[ebx],&ax
043ED756&|.&7E&12&|jle&short&043ED76A
043ED758&|.&8B16&|mov&edx,&dword&ptr&[esi]
043ED75A&|.&8BCE&|mov&ecx,&esi
043ED75C&|.&0FBFC0&|movsx&eax,&ax
043ED75F&|.&50&|push&eax
043ED760&|.&8D87&7EFFFFFF&|lea&eax,&dword&ptr&[edi-82]
043ED766&|.&50&|push&eax
043ED767&|.&FF52&20&|call&dword&ptr&[edx+20]
043ED76A&|&&8A87&7BFFFFFF&|mov&al,&byte&ptr&[edi-85]
043ED770&|.&3C&30&|cmp&al,&30&;&Switch&(cases&1..30)
043ED772&|.&0F85&AB000000&|jnz&043ED823
043ED778&|.&8B06&|mov&eax,&dword&ptr&[esi]&;&Case&30&of&switch&043ED770
043ED77A&|.&8D4F&FA&|lea&ecx,&dword&ptr&[edi-6]
043ED77D&|.&51&|push&ecx
043ED77E&|.&8BCE&|mov&ecx,&esi
043ED780&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED783&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED785&|.&8D4F&FE&|lea&ecx,&dword&ptr&[edi-2]
043ED788&|.&51&|push&ecx
043ED789&|.&8BCE&|mov&ecx,&esi
043ED78B&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED78E&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED790&|.&57&|push&edi
043ED791&|.&8BCE&|mov&ecx,&esi
043ED793&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED796&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED798&|.&8D4F&02&|lea&ecx,&dword&ptr&[edi+2]
043ED79B&|.&51&|push&ecx
043ED79C&|.&8BCE&|mov&ecx,&esi
043ED79E&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED7A1&|.&8B5D&FC&|mov&ebx,&dword&ptr&[ebp-4]
043ED7A4&|.&8D47&04&|lea&eax,&dword&ptr&[edi+4]
043ED7A7&|.&6A&10&|push&10
043ED7A9&|.&50&|push&eax
043ED7AA&|.&56&|push&esi
043ED7AB&|.&8BCB&|mov&ecx,&ebx
043ED7AD&|.&E8&641B0100&|call&043FF316
043ED7B2&|.&8D47&14&|lea&eax,&dword&ptr&[edi+14]
043ED7B5&|.&6A&14&|push&14
043ED7B7&|.&50&|push&eax
043ED7B8&|.&56&|push&esi
043ED7B9&|.&8BCB&|mov&ecx,&ebx
043ED7BB&|.&E8&561B0100&|call&043FF316
043ED7C0&|.&8D47&28&|lea&eax,&dword&ptr&[edi+28]
043ED7C3&|.&6A&14&|push&14
043ED7C5&|.&50&|push&eax
043ED7C6&|.&56&|push&esi
043ED7C7&|.&8BCB&|mov&ecx,&ebx
043ED7C9&|.&E8&481B0100&|call&043FF316
043ED7CE&|.&8D47&3C&|lea&eax,&dword&ptr&[edi+3C]
043ED7D1&|.&6A&14&|push&14
043ED7D3&|.&50&|push&eax
043ED7D4&|.&56&|push&esi
043ED7D5&|.&8BCB&|mov&ecx,&ebx
043ED7D7&|.&E8&3A1B0100&|call&043FF316
043ED7DC&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED7DE&|.&8D4F&50&|lea&ecx,&dword&ptr&[edi+50]
043ED7E1&|.&51&|push&ecx
043ED7E2&|.&8BCE&|mov&ecx,&esi
043ED7E4&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED7E7&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED7E9&|.&8D4F&52&|lea&ecx,&dword&ptr&[edi+52]
043ED7EC&|.&51&|push&ecx
043ED7ED&|.&8BCE&|mov&ecx,&esi
043ED7EF&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED7F2&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED7F4&|.&8D4F&53&|lea&ecx,&dword&ptr&[edi+53]
043ED7F7&|.&51&|push&ecx
043ED7F8&|.&8BCE&|mov&ecx,&esi
043ED7FA&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED7FD&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED7FF&|.&8D4F&54&|lea&ecx,&dword&ptr&[edi+54]
043ED802&|.&51&|push&ecx
043ED803&|.&8BCE&|mov&ecx,&esi
043ED805&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED808&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED80A&|.&8D4F&55&|lea&ecx,&dword&ptr&[edi+55]
043ED80D&|.&51&|push&ecx
043ED80E&|.&8BCE&|mov&ecx,&esi
043ED810&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED813&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED815&|.&8D4F&56&|lea&ecx,&dword&ptr&[edi+56]
043ED818&|.&51&|push&ecx
043ED819&|.&8BCE&|mov&ecx,&esi
043ED81B&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED81E&|.&E9&&|jmp&043ED996
043ED823&|&&3C&01&|cmp&al,&1
043ED825&|.&0F85&F8000000&|jnz&043ED923
043ED82B&|.&8B06&|mov&eax,&dword&ptr&[esi]&;&Case&1&of&switch&043ED770
043ED82D&|.&8D4F&8E&|lea&ecx,&dword&ptr&[edi-72]
043ED830&|.&51&|push&ecx
043ED831&|.&8BCE&|mov&ecx,&esi
043ED833&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED836&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED838&|.&8D4F&92&|lea&ecx,&dword&ptr&[edi-6E]
043ED83B&|.&51&|push&ecx
043ED83C&|.&8BCE&|mov&ecx,&esi
043ED923&|&&3C&0B&|cmp&al,&0B
043ED925&|.&75&6F&|jnz&short&043ED996
043ED927&|.&8B06&|mov&eax,&dword&ptr&[esi]&;&Case&B&of&switch&043ED770
043ED929&|.&8D4F&C2&|lea&ecx,&dword&ptr&[edi-3E]
043ED92C&|.&51&|push&ecx
043ED92D&|.&8BCE&|mov&ecx,&esi
043ED92F&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED932&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED934&|.&8D4F&C6&|lea&ecx,&dword&ptr&[edi-3A]
043ED937&|.&51&|push&ecx
043ED938&|.&8BCE&|mov&ecx,&esi
043ED93A&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED93D&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED93F&|.&8D4F&CA&|lea&ecx,&dword&ptr&[edi-36]
043ED942&|.&51&|push&ecx
043ED943&|.&8BCE&|mov&ecx,&esi
043ED945&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED948&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED94A&|.&8D4F&CE&|lea&ecx,&dword&ptr&[edi-32]
043ED94D&|.&51&|push&ecx
043ED94E&|.&8BCE&|mov&ecx,&esi
043ED950&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED953&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED955&|.&8D4F&D2&|lea&ecx,&dword&ptr&[edi-2E]
043ED958&|.&51&|push&ecx
043ED959&|.&8BCE&|mov&ecx,&esi
043ED95B&|.&FF50&18&|call&dword&ptr&[eax+18]
043ED95E&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED960&|.&8D4F&BD&|lea&ecx,&dword&ptr&[edi-43]
043ED963&|.&51&|push&ecx
043ED964&|.&8BCE&|mov&ecx,&esi
043ED966&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED969&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED96B&|.&8D4F&BE&|lea&ecx,&dword&ptr&[edi-42]
043ED96E&|.&51&|push&ecx
043ED96F&|.&8BCE&|mov&ecx,&esi
043ED971&|.&FF50&14&|call&dword&ptr&[eax+14]
043ED974&|&&8B06&|mov&eax,&dword&ptr&[esi]
043ED976&|.&8D5F&D6&|lea&ebx,&dword&ptr&[edi-2A]
043ED979&|.&53&|push&ebx
043ED97A&|.&8BCE&|mov&ecx,&esi
043ED97C&|.&FF50&1C&|call&dword&ptr&[eax+1C]
043ED97F&|.&66:8B1B&|mov&bx,&word&ptr&[ebx]
043ED982&|.&66:85DB&|test&bx,&bx
043ED985&|.&7E&0F&|jle&short&043ED996
043ED987&|.&8B06&|mov&eax,&dword&ptr&[esi]
043ED989&|.&0FBFCB&|movsx&ecx,&bx
043ED98C&|.&51&|push&ecx
043ED98D&|.&8D4F&D8&|lea&ecx,&dword&ptr&[edi-28]
043ED990&|.&51&|push&ecx
043ED991&|.&8BCE&|mov&ecx,&esi
043ED993&|.&FF50&20&|call&dword&ptr&[eax+20]
043ED996&|&&0FBF85&66AEFF&|movsx&eax,&word&ptr&[ebp+FFFFAE66]&
;&Default&case&of&switch&043ED770
043ED99D&|.&FF45&0C&|inc&dword&ptr&[ebp+C]
043ED9A0&|.&81C7&E8000000&|add&edi,&0E8
043ED9A6&|.&3945&0C&|cmp&dword&ptr&[ebp+C],&eax
043ED9A9&|.^&0F8C&3CFDFFFF&\jl&043ED6EB
043ED9AF&|&&8D85&64AEFFFF&lea&eax,&dword&ptr&[ebp+FFFFAE64]
043ED9B5&|.&8B4D&FC&mov&ecx,&dword&ptr&[ebp-4]
043ED9B8&|.&8945&F8&mov&dword&ptr&[ebp-8],&eax
043ED9BB&|.&8B45&08&mov&eax,&dword&ptr&[ebp+8]
043ED9BE&|.&66:8B40&0A&mov&ax,&word&ptr&[eax+A]
043ED9C2&|.&66:8945&0C&mov&word&ptr&[ebp+C],&ax
043ED9C6&|.&FF75&0C&push&dword&ptr&[ebp+C]
043ED9C9&|.&8D45&F8&lea&eax,&dword&ptr&[ebp-8]
043ED9CC&|.&50&push&eax
043ED9CD&|.&68&9A1E3E04&push&043E1E9A
043ED9D2&|.&E8&C4050000&call&043EDF9B
043ED9D7&|.&5F&pop&edi&;&0013FA94
043ED9D8&|.&5E&pop&esi
043ED9D9&|.&5B&pop&ebx
043ED9DA&|.&C9&leave
043ED9DB&\.&C2&0800&retn&8
这里有很多的call,单步跟踪时只要显示是到Utility领空的均步过即可。
跟进043ED9D2 |. E8 C4050000 call 043EDF9B:
《ScatProt》
043EDF9B&/$&B8&BC044004&mov&eax,&044004BC
043EDFA0&|.&E8&BB150100&call&043FF560
043EDFA5&|.&83EC&
