【流放之路】明文发包分析
本帖最后由 小俊 于 2018-5-7 18:50 编辑
0163DB50 | PUSH EBP | 明文Send
; Listing 1: the client's plaintext send wrapper (x64dbg columns: address | instruction | comment).
; The bracketed memory operands ("[...]") were stripped by the forum markup, so "DWORD PTR" appears
; without its base/displacement; the comments below restate the author's annotations and mark
; anything beyond them as inferred.
0163DB51 | LEA EBP,DWORD PTR | frame setup continues (operand lost)
0163DB55 | SUB ESP,0x40 |
0163DB58 | PUSH 0xFFFFFFFF | PUSH -1 / PUSH handler / FS: load-and-store: the MSVC SEH prologue pattern (inferred)
0163DB5A | PUSH <pathofexile.sub_1E53DDB>| exception handler for this frame
0163DB5F | MOV EAX,DWORD PTR FS: | read the current SEH chain head (operand lost)
0163DB65 | PUSH EAX |
0163DB66 | MOV DWORD PTR FS:,ESP | link the new SEH record
0163DB6D | SUB ESP,0x264 |
0163DB73 | PUSH EBX |
0163DB74 | PUSH ESI |
0163DB75 | MOV ESI,ECX | ESI = this (ECX as first argument, thiscall — inferred)
0163DB77 | MOV DWORD PTR ,0x0 |
0163DB7E | PUSH EDI |
0163DB7F | MOV EDI,DWORD PTR | packet size (author)
0163DB85 | MOV EBX,DWORD PTR |
0163DB8B | SUB EDI,EBX | EDI = size - EBX; author's later label suggests "bytes still to encrypt" (inferred)
0163DB8D | MOV ECX,DWORD PTR |
0163DB93 | TEST ECX,ECX |
0163DB95 | JE pathofexile.163DBAA | ECX == 0 -> skip the encryption call
0163DB97 | TEST EDI,EDI |
0163DB99 | JE pathofexile.163DBAA | nothing to encrypt -> skip the encryption call
0163DB9B | MOV EAX,DWORD PTR |
0163DBA1 | MOV EDX,DWORD PTR |
0163DBA3 | ADD EAX,EBX | EAX = buffer + EBX (start of the not-yet-encrypted part, inferred)
0163DBA5 | PUSH EDI | number of bytes to encrypt
0163DBA6 | PUSH EAX | packet bytes (encrypted in place, inferred)
0163DBA7 | CALL DWORD PTR | encryption routine, reached through an indirect call
0163DBAA | MOV EAX,DWORD PTR | packet size
0163DBB0 | XOR EDI,EDI |
0163DBB2 | MOV DWORD PTR ,EAX| packet size
0163DBB8 | TEST EAX,EAX | is the packet empty?
0163DBBA | JE pathofexile.163DBF2 | empty -> nothing is sent
0163DBBC | MOV EBX,DWORD PTR [<&send>] | imported send() (Winsock)
0163DBC2 | MOV ECX,DWORD PTR | packet buffer
0163DBC8 | MOV EAX,DWORD PTR | packet size
0163DBCE | PUSH 0x0 | flags = 0
0163DBD0 | SUB EAX,EDI | EDI is 0 here, so len = packet size
0163DBD2 | PUSH EAX | len
0163DBD3 | LEA EAX,DWORD PTR | address of the packet buffer
0163DBD6 | PUSH EAX | buf
0163DBD7 | PUSH DWORD PTR | socket
0163DBD9 | CALL EBX | send(socket, buf, len, 0)
; Listing 2: client-side "pick up item" handler that fills a packet object (opcode 0x19),
; runs it through the serializer (listing 3) and hands it to the send wrapper (listing 1).
; Bracketed memory operands were stripped by the forum markup, as in listing 1.
01420F20 | PUSH EBP | pick up item (author's label for this function)
01420F21 | MOV EBP,ESP |
01420F23 | PUSH 0xFFFFFFFF | MSVC SEH prologue pattern (inferred)
01420F25 | PUSH <pathofexile.sub_1E3053C>| exception handler for this frame
01420F2A | MOV EAX,DWORD PTR FS: | current SEH chain head (operand lost)
01420F30 | PUSH EAX |
01420F31 | MOV DWORD PTR FS:,ESP | link the new SEH record
01420F38 | SUB ESP,0x2C | reserve stack space for locals
01420F3B | PUSH EBX |
01420F3C | PUSH ESI |
01420F3D | MOV EBX,ECX | EBX = this pointer
01420F3F | LEA ECX,DWORD PTR | address of a local passed as the next call's this
01420F42 | PUSH EDI | author annotates "item ID"; this is also the callee-saved EDI push
01420F43 | CALL <pathofexile.sub_1281210>| author: "gets assigned" (the local addressed by ECX is filled in — inferred)
01420F48 | PUSH ECX | SEH (author's note)
01420F49 | LEA ECX,DWORD PTR |
01420F4C | PUSH ECX |
01420F4D | MOV ECX,DWORD PTR |
01420F4F | CALL <pathofexile.sub_12885C0>|
01420F54 | MOV DWORD PTR ,0x1 | local variable 1 = 1
01420F5B | OR EDI,0xFFFFFFFF | EDI = -1
01420F5E | MOV ESI,DWORD PTR |
01420F61 | TEST ESI,ESI |
01420F63 | JE pathofexile.1420F84 | null -> skip the release sequence
01420F65 | MOV EAX,EDI |
01420F67 | LOCK XADD DWORD PTR ,E | atomic add of -1 (reference-count decrement, inferred)
01420F6C | JNE pathofexile.1420F84 | count not zero -> object stays alive
01420F6E | MOV EAX,DWORD PTR |
01420F70 | MOV ECX,ESI |
01420F72 | CALL DWORD PTR | indirect (virtual) call on the object — looks like a release/destroy step
01420F74 | MOV EAX,EDI |
01420F76 | LOCK XADD DWORD PTR ,E | second atomic decrement (a second counter, e.g. weak count — inferred)
01420F7B | JNE pathofexile.1420F84 |
01420F7D | MOV EAX,DWORD PTR |
01420F7F | MOV ECX,ESI |
01420F81 | CALL DWORD PTR | second indirect call on the object
01420F84 | MOV BYTE PTR ,0x0 | local variable 1 = 0
01420F88 | MOV EAX,DWORD PTR |
01420F8B | CMP DWORD PTR ,0xF |
01420F92 | JE pathofexile.1420FB9 | field == 0xF -> build and send the network packet
01420F94 | PUSH ECX |
01420F95 | MOV ECX,DWORD PTR |
01420F9B | PUSH 0xFFFFFFFF |
01420F9D | PUSH 0x0 |
01420F9F | PUSH 0x0 |
01420FA1 | PUSH DWORD PTR |
01420FA4 | PUSH DWORD PTR |
01420FAA | PUSH DWORD PTR |
01420FB0 | PUSH 0x3 |
01420FB2 | CALL pathofexile.1411690 | alternative path when the field != 0xF (purpose not shown)
01420FB7 | JMP pathofexile.1421001 |
01420FB9 | MOV EAX,DWORD PTR | item location: 0x1 = inventory, 0xC = flask slots, 0x21 = stash (author)
01420FBF | MOV ECX,0x19 | packet opcode
01420FC4 | MOV ESI,DWORD PTR | author: EBX = this pointer
01420FCA | MOV WORD PTR ,CX | opcode stored as a 16-bit word in the packet object
01420FCE | MOV DWORD PTR ,<path | pointer into the module written into the object (operand truncated; vtable — inferred)
01420FD5 | MOV BYTE PTR ,0x2 |
01420FD9 | LEA ECX,DWORD PTR | address of the packet object (author: "packet start address")
01420FDC | PUSH DWORD PTR |
01420FE2 | MOV DWORD PTR ,EAX | item location
01420FE5 | MOV EAX,DWORD PTR | item ID
01420FE8 | MOV DWORD PTR ,EAX | item ID
01420FEB | MOV BYTE PTR ,0x0 | guild flag (author: "is it guild")
01420FEF | CALL <pathofexile.拿起物品加密函数> | author-named "pick-up-item encryption function"; its body is the serializer in listing 3 (inferred)
01420FF4 | MOV ECX,DWORD PTR |
01420FFA | PUSH 0x0 |
01420FFC | CALL <pathofexile.MySend> | author-named send wrapper (listing 1 — inferred)
; Listing 3: serializer for the pick-up-item packet. ECX = packet object, arg.1 = output object.
; Each field is byte-swapped (ntohs/ntohl, identical to htons/htonl on x86) and appended with
; sub_163DA30(ptr, size), giving a big-endian wire format: u16 opcode, u32 location, u32 item ID, u8 flag.
; Bracketed memory operands were stripped by the forum markup, as in listing 1.
01AAFDF0 | PUSH ECX | assemble the pick-up-item packet (author); also reserves one 4-byte slot
01AAFDF1 | PUSH EBX |
01AAFDF2 | MOV EBX,ECX | EBX = packet object (author: "packet start address")
01AAFDF4 | PUSH EDI |
01AAFDF5 | MOVZX EAX,WORD PTR | 16-bit packet opcode
01AAFDF9 | PUSH EAX |
01AAFDFA | CALL DWORD PTR [<&ntohs>] | byte-swap the opcode (author: "network to host order")
01AAFE00 | MOV EDI,DWORD PTR | arg.1 (the output object)
01AAFE04 | MOV ECX,EDI | this = arg.1
01AAFE06 | MOVZX EAX,AX |
01AAFE09 | MOV DWORD PTR ,EAX | swapped opcode saved to a local
01AAFE0D | LEA EAX,DWORD PTR |
01AAFE11 | PUSH 0x2 | byte count
01AAFE13 | PUSH EAX | pointer to the 2-byte opcode
01AAFE14 | CALL <pathofexile.sub_163DA30>| append(ptr, 2) — writes the bytes to the outgoing buffer (inferred)
01AAFE19 | PUSH DWORD PTR | item location
01AAFE1C | MOV ECX,DWORD PTR | arg.1 + 0x58: object used as this by the next call (author: "function address")
01AAFE1F | CALL <pathofexile.sub_1AB0310>| unknown (author marks "???"); its result is the value swapped next
01AAFE24 | PUSH EAX |
01AAFE25 | CALL DWORD PTR [<&ntohl>] | byte-swap to network order
01AAFE2B | MOV DWORD PTR ,EAX |
01AAFE2F | MOV ECX,EDI | this = arg.1 ("edi:Sleep" appears to be a debugger register hint, not logic)
01AAFE31 | PUSH 0x4 | byte count
01AAFE33 | LEA EAX,DWORD PTR |
01AAFE37 | PUSH EAX | pointer to the 4-byte item location
01AAFE38 | CALL <pathofexile.sub_163DA30>| append(ptr, 4)
01AAFE3D | PUSH DWORD PTR | item ID
01AAFE40 | CALL DWORD PTR [<&ntohl>] | byte-swap to network order
01AAFE46 | MOV DWORD PTR ,EAX |
01AAFE4A | MOV ECX,EDI | this = arg.1
01AAFE4C | PUSH 0x4 | byte count
01AAFE4E | LEA EAX,DWORD PTR |
01AAFE52 | PUSH EAX | pointer to the 4-byte item ID
01AAFE53 | CALL <pathofexile.sub_163DA30>| append(ptr, 4)
01AAFE58 | MOVZX EAX,BYTE PTR | guild flag
01AAFE5C | MOV ECX,DWORD PTR | object used as this by the next call (author: "function address")
01AAFE5F | PUSH EAX | guild flag
01AAFE60 | CALL <pathofexile.sub_1AB03A0>| unknown (author marks "???"); AL is the byte appended next
01AAFE65 | MOV BYTE PTR ,AL |
01AAFE69 | MOV ECX,EDI | this = arg.1
01AAFE6B | PUSH 0x1 | byte count
01AAFE6D | LEA EAX,DWORD PTR |
01AAFE71 | PUSH EAX | pointer to the 1-byte flag
01AAFE72 | CALL <pathofexile.sub_163DA30>| append(ptr, 1)
01AAFE77 | POP EDI |
01AAFE78 | POP EBX |
01AAFE79 | POP ECX | discard the 4-byte slot reserved by the first PUSH ECX
01AAFE7A | RET 0x4 | callee pops the single stack argument (arg.1)
注入器
#include <Windows.h>
#include <TlHelp32.h>
// Injector: finds the game process by image name and loads a DLL into it with the
// classic CreateRemoteThread + LoadLibraryA technique. Every Win32 call below is
// unchecked (snapshot, Process32First/Next, OpenProcess, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread). This exact sequence of calls is what
// endpoint monitoring commonly keys on when flagging DLL injection.
// Returns 0 unconditionally.
int main()
{
    // Enumerate processes: walk the Toolhelp snapshot until the image name matches.
    // NOTE(review): there is no "not found" path — if no entry matches, the loop ends
    // when Process32Next fails and pe32 still holds the last enumerated process.
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };   // dwSize must be set before Process32First
    Process32First(hProcessSnap, &pe32);
    do
    {
        // Case-sensitive compare; assumes the ANSI PROCESSENTRY32 (szExeFile as CHAR).
        if (!strcmp(pe32.szExeFile, "PathOfExile.exe"))
            break;
    } while (Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    // Open the target with PROCESS_ALL_ACCESS; the returned handle is not validated.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
    // Allocate memory in the target for the DLL path.
    // NOTE(review): the requested size is 1 byte although sizeof(Path) bytes are written below.
    LPVOID pRemoteAddress = VirtualAllocEx(hProcess, NULL, 1, MEM_COMMIT, PAGE_READWRITE);
    // Relative path: LoadLibraryA resolves it with the target's loader search order, not this process's cwd.
    CHAR Path[] = "POE_DLL_TEST.dll";
    // Write the DLL path (including the NUL) into the target process.
    WriteProcessMemory(hProcess, pRemoteAddress, Path, sizeof(Path), NULL);
    // Start a remote thread whose entry point is LoadLibraryA and whose argument is the
    // remote copy of the path, so the target loads the DLL itself (the technique assumes
    // kernel32 is mapped at the same base in both processes).
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)LoadLibraryA, pRemoteAddress, 0, NULL);
    // Wait for LoadLibraryA to return (-1 as a DWORD is INFINITE).
    WaitForSingleObject(hThread, -1);
    // Release the path buffer in the target.
    VirtualFreeEx(hProcess, pRemoteAddress, 1, MEM_DECOMMIT);
    // Release the handles.
    CloseHandle(hProcess);
    CloseHandle(hThread);
    return 0;
}
#include <Windows.h>
#pragma comment(lib,"ws2_32.lib")
// Keystream block generator copied from the client as MSVC inline asm (name per the author;
// the structure matches Salsa20). It reaches the cipher state through a module-relative
// pointer chain (hModule + 0xFBBCD4, several dereferences, then +0xC / +0x1C / +0x8), runs
// 10 double-rounds, adds the input state back, bumps a 64-bit counter and stores the
// 64-byte output block — i.e. it advances the very state the game client is using, so it is
// tied to one specific client build and must stay in step with the client's own calls.
// NOTE(review): the forum markup stripped every bracketed memory operand and the space after
// some mnemonics ("MOV EDI," with no source, "MOVDQAXMM0", "XMMWORD PTR" alone), so the block
// cannot assemble as printed; offsets and register roles are reproduced from the post, not verified.
// No parameters, no return value; all effects are on the memory reached through the pointer chain.
void salsa20()
{
    // PathOfExile.exe instance handle (image base)
    HMODULE hModule = GetModuleHandle(NULL);
    __asm
    {
        // Walk the pointer chain from the image base to the cipher state (dereference operands lost).
        MOV EDI, hModule
        ADD EDI, 0xFBBCD4
        MOV EDI,
        MOV EDI,
        MOV EDI,
        MOV EDI,
        ADD EDI, 0xC
        MOV ESI, EDI
        MOV EDI,
        ADD ESI, 0x1C
        ADD ESI, 0x8
        MOV ESI,
        // Load the 16-word state as four 128-bit rows (source operands lost).
        MOVDQAXMM0, XMMWORD PTR
        MOVDQAXMM1, XMMWORD PTR
        MOVDQAXMM2, XMMWORD PTR
        MOVDQAXMM3, XMMWORD PTR
        // Round counter: 20, decremented by 2 per pass -> 10 double-rounds (Salsa20/20).
        MOV EBX,20
    MY_LOOP:
        // First half of the double-round: four steps of x ^= rotl32(a + b, n), each done as
        // PSLLD n / PSRLD (32 - n) / two PXORs, with n = 7, 9, 13, 18 (the Salsa20 rotation amounts).
        MOVDQAXMM4, XMM3
        PADDD XMM4, XMM0
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x7
        PSRLD XMM5, 0x19
        PXOR XMM1, XMM4
        PXOR XMM1, XMM5
        MOVDQAXMM4, XMM0
        PADDD XMM4, XMM1
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x9
        PSRLD XMM5, 0x17
        PXOR XMM2, XMM4
        PXOR XMM2, XMM5
        MOVDQAXMM4, XMM1
        PADDD XMM4, XMM2
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0xD
        PSRLD XMM5, 0x13
        PXOR XMM3, XMM4
        PXOR XMM3, XMM5
        MOVDQAXMM4, XMM2
        PADDD XMM4, XMM3
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x12
        PSRLD XMM5, 0xE
        PXOR XMM0, XMM4
        PXOR XMM0, XMM5
        // Rotate the lanes of rows 1-3 so the second half acts on the other set of words.
        PSHUFDXMM1, XMM1, 0x93
        PSHUFDXMM2, XMM2, 0x4E
        PSHUFDXMM3, XMM3, 0x39
        // Second half: the same four rotate-xor steps with the row roles permuted.
        MOVDQAXMM4, XMM1
        PADDD XMM4, XMM0
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x7
        PSRLD XMM5, 0x19
        PXOR XMM3, XMM4
        PXOR XMM3, XMM5
        MOVDQAXMM4, XMM0
        PADDD XMM4, XMM3
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x9
        PSRLD XMM5, 0x17
        PXOR XMM2, XMM4
        PXOR XMM2, XMM5
        MOVDQAXMM4, XMM3
        PADDD XMM4, XMM2
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0xD
        PSRLD XMM5, 0x13
        PXOR XMM1, XMM4
        PXOR XMM1, XMM5
        MOVDQAXMM4, XMM2
        PADDD XMM4, XMM1
        MOVDQAXMM5, XMM4
        PSLLD XMM4, 0x12
        PSRLD XMM5, 0xE
        PXOR XMM0, XMM4
        PXOR XMM0, XMM5
        // Undo the lane rotation (0x39 / 0x4E / 0x93 are the inverse shuffles of the ones above).
        PSHUFDXMM1, XMM1, 0x39
        PSHUFDXMM2, XMM2, 0x4E
        PSHUFDXMM3, XMM3, 0x93
        SUB EBX, 0x2
        JNE MY_LOOP
        // Feed-forward: add the input words back into the result (operands lost; presumably the saved input state).
        PADDD XMM0, XMMWORD PTR
        PADDD XMM1, XMMWORD PTR
        PADDD XMM2, XMMWORD PTR
        PADDD XMM3, XMMWORD PTR
        // 64-bit increment of one state field (ADD low dword, ADC into the high dword) — presumably the block counter.
        ADD DWORD PTR, 0x1
        ADC DWORD PTR, 0x0
        // Lane masks: XMM6 = all-ones, then only the low dword of each qword; XMM7 = the reversed (complementary) pattern.
        PCMPEQB XMM6, XMM6
        PSRLQ XMM6, 0x20
        PSHUFDXMM7, XMM6, 0x1B
        // Mask/merge/shuffle the four rows back into memory word order.
        MOVDQAXMM4, XMM0
        MOVDQAXMM5, XMM3
        PAND XMM0, XMM7
        PAND XMM4, XMM6
        PAND XMM3, XMM6
        PAND XMM5, XMM7
        POR XMM4, XMM5
        MOVDQAXMM5, XMM1
        PAND XMM1, XMM7
        PAND XMM5, XMM6
        POR XMM0, XMM5
        PAND XMM6, XMM2
        PAND XMM2, XMM7
        POR XMM1, XMM6
        POR XMM2, XMM3
        MOVDQAXMM5, XMM4
        MOVDQAXMM6, XMM0
        SHUFPDXMM4, XMM1, 0x2
        SHUFPDXMM0, XMM2, 0x2
        SHUFPDXMM1, XMM5, 0x2
        SHUFPDXMM2, XMM6, 0x2
        // Store the four output rows: the 64-byte keystream block (destination operands lost).
        MOVDQAXMMWORD PTR, XMM4
        MOVDQAXMMWORD PTR, XMM0
        MOVDQAXMMWORD PTR, XMM1
        MOVDQAXMMWORD PTR, XMM2
    }
}
// Builds one item packet (opcode 0x001B), XORs it with the client's own keystream state
// read out of process memory, and sends it on the client's socket from the injected thread,
// bypassing the client's send wrapper (listing 1).
// Wire layout, from the initializer: 2-byte big-endian opcode, then three 4-byte big-endian
// values (Pos, X, Y) each carried in the low byte, then one trailing byte — 15 bytes, in the
// same big-endian field style as the serializer in listing 3.
// The keystream bookkeeping is reconstructed from the arithmetic: `temp` points at a
// 64-byte (0x40) keystream block, `*index` is the number of unused bytes left in it, and the
// next unused byte is at temp + 0x40 - *index. Consuming the block calls salsa20(), which
// advances the client's own state, so the DLL and the client share one keystream position.
// NOTE(review): every "Buff = Buff ^ temp" line lost its array subscripts in extraction
// (the forum ate the "[i]" parts), so the XOR loops as printed do not compile; the intended
// byte-wise XOR is inferred. The loop variables are int while BuffSize is DWORD (signed/unsigned compare).
// Parameters: Pos, X, Y — the three payload bytes. No return value; the result of send() is ignored.
void DownItem(BYTE Pos, BYTE X, BYTE Y)
{
    // packet (non-constant initializers Pos/X/Y in an automatic array — C99/C++ only)
    CHAR Buff[] = { 00,0x1B,00,00,00,Pos,00,00,00,X,00,00,00,Y,00 };
    DWORD BuffSize = sizeof(Buff);
    // pointer to the client's socket handle (filled in by the asm below)
    SOCKET * sock = 0;
    // pointer to the data the encryption needs (the current keystream block)
    CHAR * temp = 0;
    // index: bytes of the current keystream block not yet used
    DWORD * index = 0;
    // PathOfExile.exe instance handle (image base)
    HMODULE hModule = GetModuleHandle(NULL);
    __asm
    {
        // Same module-relative pointer chain as salsa20(); dereference operands lost in extraction.
        mov edi, hModule
        add edi, 0xFBBCD4
        mov edi,
        mov edi,
        mov edi,
        mov sock, edi
        mov esi,
        add esi, 0xC
        mov eax,
        mov temp, eax
        lea eax,
        mov index, eax
    }
    if (*index > BuffSize)
    {
        // Enough keystream left: XOR with the unused tail of the block and consume BuffSize bytes.
        temp = (temp + 0x40) - *index;
        for (int i = 0; i < BuffSize; i++)
        {
            Buff = Buff ^ temp;
        }
        *index = *index - BuffSize;
    }
    else if (*index == BuffSize)
    {
        // Exactly enough: use the tail, then generate the next block and mark it fully unused.
        temp = (temp + 0x40) - *index;
        for (int i = 0; i < BuffSize; i++)
        {
            Buff = Buff ^ temp;
        }
        *index = 0x40;
        salsa20();
    }
    else if (*index == 0)
    {
        // Block exhausted: generate a fresh one first, then use it from its start.
        salsa20();
        for (int i = 0; i < BuffSize; i++)
        {
            Buff = Buff ^ temp;
        }
        *index = 0x40 - BuffSize;
    }
    else if (*index < BuffSize)
    {
        // Straddles two blocks: finish the current tail, generate the next block, continue from its start.
        // (With the subscripts lost, where the second loop indexes into Buff cannot be confirmed.)
        int NextSize = BuffSize - *index;
        CHAR * temp1 = (temp + 0x40) - *index;
        for (int i = 0; i < *index; i++)
        {
            Buff = Buff ^ temp1;
        }
        salsa20();
        for (int i = 0; i < NextSize; i++)
        {
            Buff = Buff ^ temp;
        }
        *index = 0x40 - NextSize;
    }
    // Send on the client's socket directly; return value not checked.
    send(*sock, Buff, BuffSize, 0);
}
// Background thread of the injected DLL: polls the two mouse side buttons until the
// "exit" button (XBUTTON2) is seen, then unloads this module and ends the thread.
// While polling, each time XBUTTON1 reads as pressed one DownItem(1, 1, 1) packet is sent.
// lpParam: the HMODULE handed over by DllMain, passed on to FreeLibraryAndExitThread.
// Returns 0 only on the fall-through after FreeLibraryAndExitThread, which does not return.
DWORD WINAPI DllThread(LPVOID lpParam)
{
    const DWORD pollIntervalMs = 200;
    for (;;)
    {
        // Any non-zero GetAsyncKeyState result (down now, or pressed since the last query) counts,
        // exactly as the original truth test did.
        if (GetAsyncKeyState(VK_XBUTTON2) != 0)
            break;
        if (GetAsyncKeyState(VK_XBUTTON1) != 0)
            DownItem(1, 1, 1);
        Sleep(pollIntervalMs);
    }
    // Unload the DLL from the host process and terminate this thread in one call.
    FreeLibraryAndExitThread((HMODULE)lpParam, 0);
    return 0;
}
// DLL entry point: on process attach, start DllThread with this module's handle so the
// thread can unload the DLL itself later. Every other notification (thread attach/detach,
// process detach) is ignored. The thread handle returned by CreateThread is not kept,
// so it is neither waited on nor closed.
// Returns TRUE for every notification.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void)lpReserved;
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // Default security attributes, default stack size, run immediately, thread id not wanted.
        CreateThread(0, 0, DllThread, hModule, 0, 0);
    }
    return TRUE;
}
分析视频下载:https://dwz.mn/eJKF 感谢楼主分享 看不懂,好高级的样子 感谢楼主分享 怎么弄得怎么评论啥的都带一道杠 {:301_999:}被T10虐得不要不要的 历害历害,这代码一看就6666 谢谢分享 非常感谢楼主的分享!支持... 虽然看不懂是什么,不过感觉好厉害的样子