QQ Hook算法分析
本帖最后由 shenaset 于 2009-3-11 15:16 编辑【文章标题】: QQ Hook算法分析
【文章作者】: ................
【作者邮箱】: ................
【作者主页】: ................
【作者QQ号】: ..............
【软件名称】: QQ Hook
【下载地址】:
【作者声明】: 无聊呀无聊,好无聊
--------------------------------------------------------------------------------
【详细过程】
0046F134 55 PUSH EBP
0046F135 8BEC MOV EBP,ESP
0046F137 6A 00 PUSH 0
0046F139 6A 00 PUSH 0
0046F13B 53 PUSH EBX
0046F13C 8BD8 MOV EBX,EAX
0046F13E 33C0 XOR EAX,EAX
0046F140 55 PUSH EBP
0046F141 68 C0F14600 PUSH Q-0718_u.0046F1C0
0046F146 64:FF30 PUSH DWORD PTR FS:
0046F149 64:8920 MOV DWORD PTR FS:,ESP
0046F14C 8D55 FC LEA EDX,DWORD PTR SS:
0046F14F 8B83 04030000 MOV EAX,DWORD PTR DS:
0046F155 E8 46C2FCFF CALL Q-0718_u.0043B3A0 ; 取密码位数
0046F15A 8B55 FC MOV EDX,DWORD PTR SS: ; 密码放到EDX里
0046F15D B8 100F4700 MOV EAX,Q-0718_u.00470F10
0046F162 E8 AD4DF9FF CALL Q-0718_u.00403F14
0046F167 8D4D F8 LEA ECX,DWORD PTR SS:
0046F16A 8B15 0C0F4700 MOV EDX,DWORD PTR DS: ; 机器码放到EDX里
0046F170 8BC3 MOV EAX,EBX
0046F172 E8 65000000 CALL Q-0718_u.0046F1DC ; #1-1(算法)
0046F177 8B45 F8 MOV EAX,DWORD PTR SS:
0046F17A 8B15 100F4700 MOV EDX,DWORD PTR DS: ; 密码放到EDX里
0046F180 E8 4751F9FF CALL Q-0718_u.004042CC
0046F185 75 14 JNZ SHORT Q-0718_u.0046F19B
0046F187 C605 080F4700 0>MOV BYTE PTR DS:,0
0046F18E 8B15 100F4700 MOV EDX,DWORD PTR DS: ; Q-0718_u.0046EEDC
0046F194 8BC3 MOV EAX,EBX
0046F196 E8 A5010000 CALL Q-0718_u.0046F340
0046F19B 8BC3 MOV EAX,EBX
0046F19D E8 5E83FEFF CALL Q-0718_u.00457500
0046F1A2 33C0 XOR EAX,EAX
0046F1A4 5A POP EDX
0046F1A5 59 POP ECX
0046F1A6 59 POP ECX
0046F1A7 64:8910 MOV DWORD PTR FS:,EDX
0046F1AA 68 C7F14600 PUSH Q-0718_u.0046F1C7
0046F1AF 8D45 F8 LEA EAX,DWORD PTR SS:
0046F1B2 E8 094DF9FF CALL Q-0718_u.00403EC0
0046F1B7 8D45 FC LEA EAX,DWORD PTR SS:
0046F1BA E8 014DF9FF CALL Q-0718_u.00403EC0
0046F1BF C3 RETN
#1-1
0046F1DC 55 PUSH EBP
0046F1DD 8BEC MOV EBP,ESP
0046F1DF 6A 00 PUSH 0
0046F1E1 6A 00 PUSH 0
0046F1E3 6A 00 PUSH 0
0046F1E5 53 PUSH EBX
0046F1E6 56 PUSH ESI
0046F1E7 57 PUSH EDI
0046F1E8 8BF9 MOV EDI,ECX
0046F1EA 8955 FC MOV DWORD PTR SS:,EDX
0046F1ED 8B45 FC MOV EAX,DWORD PTR SS:
0046F1F0 E8 7B51F9FF CALL Q-0718_u.00404370
0046F1F5 33C0 XOR EAX,EAX
0046F1F7 55 PUSH EBP
0046F1F8 68 8BF24600 PUSH Q-0718_u.0046F28B
0046F1FD 64:FF30 PUSH DWORD PTR FS:
0046F200 64:8920 MOV DWORD PTR FS:,ESP
0046F203 8D45 F8 LEA EAX,DWORD PTR SS:
0046F206 8B55 FC MOV EDX,DWORD PTR SS: ; 注册码放到EDX里
0046F209 E8 4A4DF9FF CALL Q-0718_u.00403F58
0046F20E 8D45 F8 LEA EAX,DWORD PTR SS:
0046F211 E8 1ACFFEFF CALL Q-0718_u.0045C130 ; #1-1-1(算法)得到结果a1
0046F216 8BC7 MOV EAX,EDI
0046F218 E8 A34CF9FF CALL Q-0718_u.00403EC0
0046F21D 8B45 F8 MOV EAX,DWORD PTR SS:
0046F220 E8 5B4FF9FF CALL Q-0718_u.00404180 ; 取机器码位数
0046F225 8BF0 MOV ESI,EAX ; 机器码位数放到EAX里
0046F227 85F6 TEST ESI,ESI
0046F229 7E 45 JLE SHORT Q-0718_u.0046F270
0046F22B BB 01000000 MOV EBX,1 ; 1放到EBX里
0046F230 8B45 F8 MOV EAX,DWORD PTR SS: ; C9DF00放到EAX里
0046F233 8A4418 FF MOV AL,BYTE PTR DS: ; 把a1放入AL里
0046F237 E8 90FFFFFF CALL Q-0718_u.0046F1CC ; a2把a1(n)/10
0046F23C 50 PUSH EAX ; a2入栈
0046F23D 8B45 F8 MOV EAX,DWORD PTR SS:
0046F240 8A4418 FF MOV AL,BYTE PTR DS: ; 把a1(n)放入AL里
0046F244 E8 8FFFFFFF CALL Q-0718_u.0046F1D8 ; a3 把a1(n) and OF
0046F249 8BD0 MOV EDX,EAX ; a3放到EDX里
0046F24B 58 POP EAX ; a2出栈
0046F24C 32C2 XOR AL,DL ; a4=a2 XOR a3
0046F24E 34 08 XOR AL,8 ; a5=a4 xor 8
0046F250 25 FF000000 AND EAX,0FF ; a6=a5 and 0FF
0046F255 8D4D F4 LEA ECX,DWORD PTR SS:
0046F258 BA 01000000 MOV EDX,1
0046F25D E8 1A91F9FF CALL Q-0718_u.0040837C
0046F262 8B55 F4 MOV EDX,DWORD PTR SS:
0046F265 8BC7 MOV EAX,EDI
0046F267 E8 1C4FF9FF CALL Q-0718_u.00404188
0046F26C 43 INC EBX
0046F26D 4E DEC ESI
0046F26E^ 75 C0 JNZ SHORT Q-0718_u.0046F230
0046F270 33C0 XOR EAX,EAX
0046F272 5A POP EDX
0046F273 59 POP ECX
0046F274 59 POP ECX
0046F275 64:8910 MOV DWORD PTR FS:,EDX
0046F278 68 92F24600 PUSH Q-0718_u.0046F292
0046F27D 8D45 F4 LEA EAX,DWORD PTR SS:
0046F280 BA 03000000 MOV EDX,3
0046F285 E8 5A4CF9FF CALL Q-0718_u.00403EE4
0046F28A C3 RETN
#1-1-1
0045C130 53 PUSH EBX
0045C131 56 PUSH ESI
0045C132 57 PUSH EDI
0045C133 8BF8 MOV EDI,EAX
0045C135 8BC7 MOV EAX,EDI
0045C137 E8 9C82FAFF CALL Q-0718_u.004043D8
0045C13C 8BF0 MOV ESI,EAX ; 机器码放到ESI里
0045C13E 33DB XOR EBX,EBX ; EBX清零
0045C140 8B07 MOV EAX,DWORD PTR DS: ; 机器码放到EAX里
0045C142 E8 3980FAFF CALL Q-0718_u.00404180 ; 取机器码位数
0045C147 85C0 TEST EAX,EAX
0045C149 7E 1A JLE SHORT Q-0718_u.0045C165
0045C14B 8A93 740E4700 MOV DL,BYTE PTR DS: ; 6F(o),E6,7C(|),E5,69(i),3F(?),53(S),9D,6F(o)放到DL里
0045C151 3016 XOR BYTE PTR DS:,DL ; 机器码 (N) xor DL
0045C153 46 INC ESI
0045C154 43 INC EBX
0045C155 81E3 07000080 AND EBX,80000007
0045C15B 79 05 JNS SHORT Q-0718_u.0045C162
0045C15D 4B DEC EBX
0045C15E 83CB F8 OR EBX,FFFFFFF8
0045C161 43 INC EBX
0045C162 48 DEC EAX ; 机器码位数递减
0045C163^ 75 E6 JNZ SHORT Q-0718_u.0045C14B ; 循环
0045C165 5F POP EDI
0045C166 5E POP ESI
0045C167 5B POP EBX
0045C168 C3 RETN
========================================================================================
【分析总结】
算法:
SN=6F(o),E6,7C(|),E5,69(i),3F(?),53(S),9D
a1=机器码各位ASCII码 xor SN(机器码各位ASCII码所在的位置)
a2=a1(n)/10
a3=a1(n) and 0F
a4=a2 xor a3
a5=a4 xor 8
a6=a5 and 0FF
注册机: 点击下载
=======================================================================================
【版权信息】没版权.
2009-3-11
-------------------------------------------------------------------------------- 分析的很清楚
、 不错哦,很有学习的意头了
页:
[1]