本帖最后由 李青摸眼回旋踢 于 2021-1-31 01:09 编辑
软件介绍:一款云顶之弈辅助工具,适合新手查询阵容和装备合成
验证逻辑:输入卡密,正确则弹出下面的界面;不正确则只有一个输入卡密的窗口
分析的代码1:
004173B2 |. E8 4B380000 call 快乐游小.0041AC02 ; 网络验证
004173B7 |. 8945 F4 mov [local.3],eax
004173BA |. 68 A0268700 push 快乐游小.008726A0 ; 心跳检测
004173BF |. 8B5D 10 mov ebx,[arg.3]
004173C2 |. FF33 push dword ptr ds:[ebx]
004173C4 |. E8 C6A6FEFF call 快乐游小.00401A8F
004173C9 |. 83C4 08 add esp,0x8
004173CC |. 83F8 00 cmp eax,0x0
分析的代码2:
0041AC02 55 push ebp
0041AC03 8BEC mov ebp,esp
0041AC05 81EC 1C000000 sub esp,0x1C
0041AC0B |. C745 FC 00000>mov [local.1],0x0
0041AC12 |. C745 F8 00000>mov [local.2],0x0
0041AC19 |. C745 F4 00000>mov [local.3],0x0
0041AC20 |. C745 FC 01000>mov [local.1],0x1
0041AC27 |. C745 F0 00000>mov [local.4],0x0
0041AC2E |. 6A 00 push 0x0
0041AC30 |. FF75 F0 push [local.4]
0041AC33 |. 6A 01 push 0x1
0041AC35 |. B8 48298700 mov eax,快乐游小.00872948 ; line
0041AC3A |. 8945 EC mov [local.5],eax
0041AC3D |. 8D45 EC lea eax,[local.5]
0041AC40 |. 50 push eax
0041AC41 |. FF75 08 push [arg.1]
0041AC44 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041AC47 |. 8B00 mov eax,dword ptr ds:[eax]
0041AC49 |. 8B00 mov eax,dword ptr ds:[eax]
0041AC4B |. FF50 2C call dword ptr ds:[eax+0x2C]
0041AC4E |. 8945 E8 mov [local.6],eax
0041AC51 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041AC54 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AC56 |. 74 09 je short 快乐游小.0041AC61
0041AC58 |. 53 push ebx ; user32.DispatchMessageW
0041AC59 |. E8 A4EE0800 call 快乐游小.004A9B02
0041AC5E |. 83C4 04 add esp,0x4
0041AC61 |> 68 4D298700 push 快乐游小.0087294D ; 真
0041AC66 |. FF75 E8 push [local.6]
0041AC69 |. E8 216EFEFF call 快乐游小.00401A8F
0041AC6E |. 83C4 08 add esp,0x8
0041AC71 |. 83F8 00 cmp eax,0x0
0041AC74 |. B8 00000000 mov eax,0x0
0041AC79 |. 0f94c0 sete al
0041AC7C |. 8945 E4 mov [local.7],eax
0041AC7F |. 8B5D E8 mov ebx,[local.6]
0041AC82 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AC84 |. 74 09 je short 快乐游小.0041AC8F
0041AC86 |. 53 push ebx ; user32.DispatchMessageW
0041AC87 |. E8 76EE0800 call 快乐游小.004A9B02
0041AC8C |. 83C4 04 add esp,0x4
0041AC8F |> 837D E4 00 cmp [local.7],0x0
0041AC93 0F84 7B040000 je 快乐游小.0041B114
0041AC99 |. C745 F0 00000>mov [local.4],0x0
0041ACA0 |. 6A 00 push 0x0
0041ACA2 |. FF75 F0 push [local.4]
0041ACA5 |. 6A 01 push 0x1
0041ACA7 |. B8 0E268700 mov eax,快乐游小.0087260E ; where
0041ACAC |. 8945 EC mov [local.5],eax
0041ACAF |. 8D45 EC lea eax,[local.5]
0041ACB2 |. 50 push eax
0041ACB3 |. FF75 08 push [arg.1]
0041ACB6 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041ACB9 |. 8B00 mov eax,dword ptr ds:[eax]
0041ACBB |. 8B00 mov eax,dword ptr ds:[eax]
0041ACBD |. FF50 2C call dword ptr ds:[eax+0x2C]
0041ACC0 |. 8945 E8 mov [local.6],eax
0041ACC3 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041ACC6 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041ACC8 |. 74 09 je short 快乐游小.0041ACD3
0041ACCA |. 53 push ebx ; user32.DispatchMessageW
0041ACCB |. E8 32EE0800 call 快乐游小.004A9B02
0041ACD0 |. 83C4 04 add esp,0x4
0041ACD3 |> 8B45 E8 mov eax,[local.6]
0041ACD6 |. 50 push eax
0041ACD7 |. 8B5D F8 mov ebx,[local.2]
0041ACDA |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041ACDC |. 74 09 je short 快乐游小.0041ACE7
0041ACDE |. 53 push ebx ; user32.DispatchMessageW
0041ACDF |. E8 1EEE0800 call 快乐游小.004A9B02
0041ACE4 |. 83C4 04 add esp,0x4
0041ACE7 |> 58 pop eax ; user32.GetMessageW
0041ACE8 |. 8945 F8 mov [local.2],eax
0041ACEB |. 6A 01 push 0x1
0041ACED |. 68 01000000 push 0x1
0041ACF2 |. 6A 01 push 0x1
0041ACF4 |. B8 A9268700 mov eax,快乐游小.008726A9 ; code
0041ACF9 |. 8945 F0 mov [local.4],eax
0041ACFC |. 8D45 F0 lea eax,[local.4]
0041ACFF |. 50 push eax
0041AD00 |. FF75 08 push [arg.1]
0041AD03 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041AD06 |. 8B00 mov eax,dword ptr ds:[eax]
0041AD08 |. 8B00 mov eax,dword ptr ds:[eax]
0041AD0A |. FF50 2C call dword ptr ds:[eax+0x2C]
0041AD0D |. 8945 EC mov [local.5],eax
0041AD10 |. 8B5D F0 mov ebx,[local.4]
0041AD13 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AD15 |. 74 09 je short 快乐游小.0041AD20
0041AD17 |. 53 push ebx ; user32.DispatchMessageW
0041AD18 |. E8 E5ED0800 call 快乐游小.004A9B02
0041AD1D |. 83C4 04 add esp,0x4
0041AD20 |> 68 04000080 push 0x80000004
0041AD25 |. 6A 00 push 0x0
0041AD27 |. 8B45 EC mov eax,[local.5] ; 快乐游小.00563996
0041AD2A |. 85C0 test eax,eax
0041AD2C |. 75 05 jnz short 快乐游小.0041AD33
0041AD2E |. B8 98208700 mov eax,快乐游小.00872098
0041AD33 |> 50 push eax
0041AD34 |. 68 01000000 push 0x1
0041AD39 |. BB 70A84A00 mov ebx,快乐游小.004AA870
0041AD3E |. E8 C5ED0800 call 快乐游小.004A9B08
0041AD43 |. 83C4 10 add esp,0x10
0041AD46 |. 8945 E8 mov [local.6],eax
0041AD49 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041AD4C |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AD4E |. 74 09 je short 快乐游小.0041AD59
0041AD50 |. 53 push ebx ; user32.DispatchMessageW
0041AD51 |. E8 ACED0800 call 快乐游小.004A9B02
0041AD56 |. 83C4 04 add esp,0x4
0041AD59 |> 8B45 E8 mov eax,[local.6]
0041AD5C |. 8945 F4 mov [local.3],eax
0041AD5F |. 68 50298700 push 快乐游小.00872950 ; 更新查询
0041AD64 |. FF75 F8 push [local.2]
0041AD67 |. E8 236DFEFF call 快乐游小.00401A8F
0041AD6C |. 83C4 08 add esp,0x8
0041AD6F |. 83F8 00 cmp eax,0x0
0041AD72 |. 0F85 11000000 jnz 快乐游小.0041AD89
0041AD78 |. 837D F4 00 cmp [local.3],0x0
0041AD7C |. 0F85 07000000 jnz 快乐游小.0041AD89
0041AD82 |. B8 01000000 mov eax,0x1
0041AD87 |. EB 05 jmp short 快乐游小.0041AD8E
0041AD89 |> B8 00000000 mov eax,0x0
0041AD8E |> 85C0 test eax,eax
0041AD90 |. 0F84 0D000000 je 快乐游小.0041ADA3 ; 检查更新
0041AD96 |. FF75 08 push [arg.1]
0041AD99 |. E8 9D030000 call 快乐游小.0041B13B
0041AD9E |. E9 8D020000 jmp 快乐游小.0041B030
0041ADA3 |> 68 59298700 push 快乐游小.00872959 ; 权限检查
0041ADA8 |. FF75 F8 push [local.2]
0041ADAB |. E8 DF6CFEFF call 快乐游小.00401A8F
0041ADB0 |. 83C4 08 add esp,0x8
0041ADB3 |. 83F8 00 cmp eax,0x0
0041ADB6 |. 0F84 1D000000 je 快乐游小.0041ADD9
0041ADBC |. 68 07258700 push 快乐游小.00872507 ; 绑定卡密
0041ADC1 |. FF75 F8 push [local.2]
0041ADC4 |. E8 C66CFEFF call 快乐游小.00401A8F
0041ADC9 |. 83C4 08 add esp,0x8
0041ADCC |. 83F8 00 cmp eax,0x0
0041ADCF |. 0F84 04000000 je 快乐游小.0041ADD9
0041ADD5 |. 33C0 xor eax,eax
0041ADD7 |. EB 05 jmp short 快乐游小.0041ADDE
0041ADD9 |> B8 01000000 mov eax,0x1
0041ADDE |> 85C0 test eax,eax
0041ADE0 0F84 B4010000 je 快乐游小.0041AF9A
0041ADE6 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
0041ADEA 0F85 F3000000 jnz 快乐游小.0041AEE3 ; 判断是否过期,过期提示购买,跳向淘宝店
0041ADF0 |. B8 98208700 mov eax,快乐游小.00872098
0041ADF5 |. 8945 F0 mov [local.4],eax
0041ADF8 |. 8D45 F0 lea eax,[local.4]
0041ADFB |. 50 push eax
0041ADFC |. E8 C1070000 call 快乐游小.0041B5C2
0041AE01 |. 8B5D F0 mov ebx,[local.4]
0041AE04 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AE06 |. 74 09 je short 快乐游小.0041AE11
0041AE08 |. 53 push ebx ; user32.DispatchMessageW
0041AE09 |. E8 F4EC0800 call 快乐游小.004A9B02
0041AE0E |. 83C4 04 add esp,0x4
0041AE11 |> FF75 08 push [arg.1]
0041AE14 |. E8 F5070000 call 快乐游小.0041B60E
0041AE19 |. C745 F0 00000>mov [local.4],0x0
0041AE20 |. 6A 00 push 0x0
0041AE22 |. FF75 F0 push [local.4]
0041AE25 |. 6A 01 push 0x1
0041AE27 |. B8 62298700 mov eax,快乐游小.00872962 ; 淘宝链接
0041AE2C |. 8945 EC mov [local.5],eax
0041AE2F |. 8D45 EC lea eax,[local.5]
0041AE32 |. 50 push eax
0041AE33 |. FF75 08 push [arg.1]
0041AE36 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041AE39 |. 8B00 mov eax,dword ptr ds:[eax]
0041AE3B |. 8B00 mov eax,dword ptr ds:[eax]
0041AE3D |. FF50 2C call dword ptr ds:[eax+0x2C]
0041AE40 |. 8945 E8 mov [local.6],eax
0041AE43 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041AE46 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AE48 |. 74 09 je short 快乐游小.0041AE53
0041AE4A |. 53 push ebx ; user32.DispatchMessageW
0041AE4B |. E8 B2EC0800 call 快乐游小.004A9B02
0041AE50 |. 83C4 04 add esp,0x4
0041AE53 |> 68 98208700 push 快乐游小.00872098
0041AE58 |. FF75 E8 push [local.6]
0041AE5B |. E8 2F6CFEFF call 快乐游小.00401A8F
0041AE60 |. 83C4 08 add esp,0x8
0041AE63 |. 83F8 00 cmp eax,0x0
0041AE66 |. B8 00000000 mov eax,0x0
0041AE6B |. 0f95c0 setne al
0041AE6E |. 8945 E4 mov [local.7],eax
0041AE71 |. 8B5D E8 mov ebx,[local.6]
0041AE74 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AE76 |. 74 09 je short 快乐游小.0041AE81
0041AE78 |. 53 push ebx ; user32.DispatchMessageW
0041AE79 |. E8 84EC0800 call 快乐游小.004A9B02
0041AE7E |. 83C4 04 add esp,0x4
0041AE81 |> 837D E4 00 cmp [local.7],0x0
0041AE85 |. 0F84 53000000 je 快乐游小.0041AEDE
0041AE8B |. C745 F0 00000>mov [local.4],0x0
0041AE92 |. 6A 00 push 0x0
0041AE94 |. FF75 F0 push [local.4]
0041AE97 |. 6A 01 push 0x1
0041AE99 |. B8 62298700 mov eax,快乐游小.00872962 ; 淘宝链接
0041AE9E |. 8945 EC mov [local.5],eax
0041AEA1 |. 8D45 EC lea eax,[local.5]
0041AEA4 |. 50 push eax
0041AEA5 |. FF75 08 push [arg.1]
0041AEA8 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041AEAB |. 8B00 mov eax,dword ptr ds:[eax]
0041AEAD |. 8B00 mov eax,dword ptr ds:[eax]
0041AEAF |. FF50 2C call dword ptr ds:[eax+0x2C]
0041AEB2 |. 8945 E8 mov [local.6],eax
0041AEB5 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041AEB8 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AEBA |. 74 09 je short 快乐游小.0041AEC5
0041AEBC |. 53 push ebx ; user32.DispatchMessageW
0041AEBD |. E8 40EC0800 call 快乐游小.004A9B02
0041AEC2 |. 83C4 04 add esp,0x4
0041AEC5 |> 8D45 E8 lea eax,[local.6]
0041AEC8 |. 50 push eax
0041AEC9 |. E8 F0090000 call 快乐游小.0041B8BE
0041AECE |. 8B5D E8 mov ebx,[local.6]
0041AED1 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AED3 |. 74 09 je short 快乐游小.0041AEDE
0041AED5 |. 53 push ebx ; user32.DispatchMessageW
0041AED6 |. E8 27EC0800 call 快乐游小.004A9B02
0041AEDB |. 83C4 04 add esp,0x4
0041AEDE |> E9 B2000000 jmp 快乐游小.0041AF95
0041AEE3 |> 837D F4 01 cmp [local.3],0x1 ; 不过期走到这
0041AEE7 0F85 A8000000 jnz 快乐游小.0041AF95
0041AEED |. 68 507EAA00 push 快乐游小.00AA7E50
0041AEF2 |. E8 4AA6FFFF call 快乐游小.00415541
0041AEF7 |. C745 F0 00000>mov [local.4],0x0
0041AEFE |. 6A 00 push 0x0
0041AF00 |. FF75 F0 push [local.4]
0041AF03 |. 6A 01 push 0x1
0041AF05 |. B8 14268700 mov eax,快乐游小.00872614 ; token
0041AF0A |. 8945 EC mov [local.5],eax
0041AF0D |. 8D45 EC lea eax,[local.5]
0041AF10 |. 50 push eax
0041AF11 |. FF75 08 push [arg.1]
0041AF14 |. 8B0424 mov eax,dword ptr ss:[esp] ; user32.GetMessageW
0041AF17 |. 8B00 mov eax,dword ptr ds:[eax]
0041AF19 |. 8B00 mov eax,dword ptr ds:[eax]
0041AF1B |. FF50 2C call dword ptr ds:[eax+0x2C]
0041AF1E |. 8945 E8 mov [local.6],eax
0041AF21 |. 8B5D EC mov ebx,[local.5] ; 快乐游小.00563996
0041AF24 |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AF26 |. 74 09 je short 快乐游小.0041AF31
0041AF28 |. 53 push ebx ; user32.DispatchMessageW
0041AF29 |. E8 D4EB0800 call 快乐游小.004A9B02
0041AF2E |. 83C4 04 add esp,0x4
0041AF31 |> 8D45 E8 lea eax,[local.6]
0041AF34 |. 50 push eax
0041AF35 |. E8 88060000 call 快乐游小.0041B5C2
0041AF3A |. 8B5D E8 mov ebx,[local.6]
0041AF3D |. 85DB test ebx,ebx ; user32.DispatchMessageW
0041AF3F |. 74 09 je short 快乐游小.0041AF4A
0041AF41 |. 53 push ebx ; user32.DispatchMessageW
0041AF42 |. E8 BBEB0800 call 快乐游小.004A9B02
0041AF47 |. 83C4 04 add esp,0x4
0041AF4A |> 833D F87EAA00>cmp dword ptr ds:[0xAA7EF8],0x0
0041AF51 |. 0F85 12000000 jnz 快乐游小.0041AF69
0041AF57 |. FF75 08 push [arg.1]
0041AF5A |. E8 B5090000 call 快乐游小.0041B914 ; 本地功能启动
0041AF5F |. E8 2B1C0000 call 快乐游小.0041CB8F ; 本地功能启动
ps:
1、第一次卡密验证成功后,第二次登录无需再输入卡密,直到卡密过期。应该是有文件的创建和读取,注册表也有变化(用火绒剑分析过);也考虑过抓包,我看有些高手会弄,奈何我实力不够哇!!
2、文件好像加了UPX壳,但是脱壳脱不掉,又好像不是UPX
3、杀毒软件提示有后门病毒,杀掉后不影响使用;建议开着杀毒软件,或者在虚拟机内调试
4、修改程序后,XCGUI.DLL会报错,机制不明
请高手给点思路,谢谢!下载地址:https://wws.lanzouj.com/iAUL1l41ypa |