分析 // 正如一楼所说,成功和失败都会调用不同的 dll
//第一步: 在 xtz1.dll 这个 dll 里面下按钮事件断点,跟到如下代码
10001222 85DB test ebx,ebx
10001224 74 09 je short xtz1.1000122F ; jmp
10001226 53 push ebx
10001227 E8 B4240000 call xtz1.100036E0 ; GG
1000122C 83C4 04 add esp,0x4
1000122F 58 pop eax
10001230 A3 C0252110 mov dword ptr ds:[0x102125C0],eax
10001235 E8 850A0000 call xtz1.10001CBF ;
//跟进 call xtz1.10001CBF
10001E1B 6A FF push -0x1
10001E1D 6A 08 push 0x8
10001E1F 68 05000116 push 0x16010005
10001E24 68 04000152 push 0x52010004
10001E29 E8 CA180000 call xtz1.100036F8 ; GetText 发现得到我输入的假码,继续跟
10001E6A 83C4 04 add esp,0x4
10001E6D 837D F8 12 cmp dword ptr ss:[ebp-0x8],0x12
10001E71 0F84 AF000000 je xtz1.10001F26 ; JMP 一定要跳,下面 GG
10001E77 68 010100A0 push 0xA0000101
10001E7C 6A 00 push 0x0
10001E7E 68 78290810 push xtz1.10082978
10001E83 68 01000000 push 0x1
10001E88 BB 303A0010 mov ebx,xtz1.10003A30
10001E8D E8 54180000 call xtz1.100036E6
10001E92 83C4 10 add esp,0x10
10001E95 8945 FC mov dword ptr ss:[ebp-0x4],eax
10001E98 68 010100A0 push 0xA0000101
10001E9D 6A 00 push 0x0
10001E9F 68 8A290810 push xtz1.1008298A
10001EA4 68 01000000 push 0x1
10001EA9 BB 303A0010 mov ebx,xtz1.10003A30
10001EAE E8 33180000 call xtz1.100036E6
10001EB3 83C4 10 add esp,0x10 ; \xtzgg.dll
10001EB6 8945 F8 mov dword ptr ss:[ebp-0x8],eax
//上面 JMP 了,到达这个位置
10001F26 E8 57010000 call xtz1.10002082 //这个CALL和昨天那个 差不多,只不过多了许多嵌套的 CALL,跟进
//下面是嵌套CALL的明显特征
10002195 833D C4252110 F>cmp dword ptr ds:[0x102125C4],-0x1
1000219C 0F84 0A000000 je xtz1.100021AC ; NOP掉
100021A2 E8 16020000 call xtz1.100023BD ; 进入嵌套CALL
100021A7 E9 AA000000 jmp xtz1.10002256
//进入多次,可以发现没有像上面那种嵌套 CALL 的特征,而是发现了和昨天 CM1.0 一样的特征,如下(五个全局变量 0x102125C4~0x102125D4 逐个与 -1 比较,任一等于 -1 就跳到 eax=0 的分支)
10002F15 A3 C0252110 mov dword ptr ds:[0x102125C0],eax
10002F1A 833D C4252110 F>cmp dword ptr ds:[0x102125C4],-0x1
10002F21 0F84 3B000000 je xtz1.10002F62
10002F27 833D C8252110 F>cmp dword ptr ds:[0x102125C8],-0x1
10002F2E 0F84 2E000000 je xtz1.10002F62
10002F34 833D CC252110 F>cmp dword ptr ds:[0x102125CC],-0x1
10002F3B 0F84 21000000 je xtz1.10002F62
10002F41 833D D0252110 F>cmp dword ptr ds:[0x102125D0],-0x1
10002F48 0F84 14000000 je xtz1.10002F62
10002F4E 833D D4252110 F>cmp dword ptr ds:[0x102125D4],-0x1
10002F55 0F84 07000000 je xtz1.10002F62
10002F5B B8 01000000 mov eax,0x1
10002F60 EB 05 jmp short xtz1.10002F67
10002F62 B8 00000000 mov eax,0x0
10002F67 85C0 test eax,eax
10002F69 0F84 AF000000 je xtz1.1000301E ; 大跳转,JMP = GG NOP
//然后结果就如上图所示