改了 2 个关键跳之后，软件一直提示“连接服务器失败，重新连接”，怎么回事？
; ===========================================================================
; sub_4349B0 -- "connect to the server" routine.  OllyDbg listing of a 32-bit
; MSVC build (debugger output, not assemblable source).  __thiscall:
; ecx = this, three stack arguments, callee cleans them (retn 0C).
;   this+8    : socket handed to connect()                    (00434C48)
;   this+C    : receives a duplicated worker-thread handle     (DuplicateHandle)
;   this+1010 : string pointer compared against 004CCD55      (00434AA1)
;   this+1020 : string object holding the host name for gethostbyname
;   this+1024 : 16-bit port taken from the low word of arg2   (00434B99)
;   this+1028 : byte flag tested at 00434B1D
;   arg1 [esp+38] : copied into the local string at [esp+10] via 004050D0
;   arg2 [esp+3C] : low 16 bits -> port; also passed to the virtual call at 00434AE8
;   arg3 [esp+40] : if non-zero, rendered "%d.%d.%d.%d" into the local string
; Return: al = 1 after a worker thread was spawned, al = bl (result of the
; virtual call at 00434AE8) on the middle path, al = 0 on the failure paths.
; 0042E780 (listed further down) is a status/notification sink; every call to
; it here passes ecx = the global object at [4EFA0B] and never reads eax back.
;
; NOTE(review): lines lacking OllyDbg's "." analysis mark (00434B26,
; 00434BC4/00434BC6, 00434C0F, 00434C5D-00434C76) are probably where bytes were
; patched.  `xor reg,reg` always leaves ZF=1, so the `jnz` directly after
; `xor edi,edi` at 00434BC4 (and after `xor bl,bl` at 00434B26) can never be
; taken: every call now drops into the "连接服务器失败,重新连接" (connect
; failed, reconnecting) branch.  That is the symptom this post asks about.
; A compiler would normally have emitted `test reg,reg` (85 FF / 84 DB) there
; -- confirm against the unpatched binary.  Forcing the jump instead is not
; safe either: edi (the hostent*) is dereferenced at 00434C41, so a NULL from
; gethostbyname would fault.
; ===========================================================================
; -- MSVC prologue: SEH registration (state -1, handler 004B942B) plus a
;    /GS-style stack cookie ([4EDEFC] xor esp; presumably __security_cookie).
004349B0 . 6A FF push -1 ; EH unwind state = -1
004349B2 . 68 2B944B00 push 004B942B ; exception handler thunk
004349B7 . 64:A1 0000000>mov eax, dword ptr fs:[0]
004349BD . 50 push eax ; previous SEH record
004349BE . 83EC 18 sub esp, 18 ; 0x18 bytes of locals: string object, sockaddr_in, cookie
004349C1 . A1 FCDE4E00 mov eax, dword ptr [4EDEFC]
004349C6 . 33C4 xor eax, esp
004349C8 . 894424 14 mov dword ptr [esp+14], eax ; cookie^esp, verified at 00434CE9
004349CC . 53 push ebx
004349CD . 56 push esi
004349CE . 57 push edi
004349CF . A1 FCDE4E00 mov eax, dword ptr [4EDEFC]
004349D4 . 33C4 xor eax, esp
004349D6 . 50 push eax ; second cookie copy (popped at 00434CE5)
004349D7 . 8D4424 28 lea eax, dword ptr [esp+28] ; = the saved fs:[0] slot
004349DB . 64:A3 0000000>mov dword ptr fs:[0], eax ; install the SEH frame
; -- local string [esp+10] = copy of arg1.  004050D0 looks like a string copy
;    ctor; the release sequence at 00434A72 matches ATL/MFC CStringT.
004349E1 . 8B4424 38 mov eax, dword ptr [esp+38] ; arg1
004349E5 . 8BF1 mov esi, ecx ; esi = this for the whole function
004349E7 . 50 push eax
004349E8 . 8D4C24 14 lea ecx, dword ptr [esp+14] ; this = local string at [esp+10]
004349EC . E8 DF06FDFF call 004050D0
004349F1 . 8B4424 40 mov eax, dword ptr [esp+40] ; arg3
004349F5 . C74424 30 000>mov dword ptr [esp+30], 0 ; EH state 0: local string constructed
004349FD . 85C0 test eax, eax
004349FF . 76 26 jbe short 00434A27 ; arg3 == 0 -> keep arg1 text as given
; -- arg3 != 0: local string = "%d.%d.%d.%d" of arg3, lowest byte first
;    (004019B0 is a cdecl varargs formatter that takes the string object as
;    its first argument; 6 args are cleaned below).
00434A01 . 0FB64C24 43 movzx ecx, byte ptr [esp+43] ; b3
00434A06 . 0FB65424 42 movzx edx, byte ptr [esp+42] ; b2
00434A0B . 51 push ecx
00434A0C . 52 push edx
00434A0D . 0FB6CC movzx ecx, ah ; b1
00434A10 . 0FB6D0 movzx edx, al ; b0
00434A13 . 51 push ecx
00434A14 . 52 push edx
00434A15 . 8D4424 20 lea eax, dword ptr [esp+20] ; = local string (esp moved by 4 pushes)
00434A19 . 68 30CD4C00 push 004CCD30 ; ASCII "%d.%d.%d.%d"
00434A1E . 50 push eax
00434A1F . E8 8CCFFCFF call 004019B0
00434A24 . 83C4 18 add esp, 18 ; 6 args
; -- mode switch on the global dword at 4EF9D5
00434A27 > 833D D5F94E00>cmp dword ptr [4EF9D5], 2
00434A2E . 75 71 jnz short 00434AA1 ; != 2 -> compare/resolve path below
; -- mode 2: no socket work at all; notify, spawn worker 004344E0, return 1
00434A30 . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B] ; notification object
00434A36 . 68 FFFFFF00 push 0FFFFFF ; arg2 of 0042E780 (0xFFFFFF; looks like a colour)
00434A3B . 68 3CCD4C00 push 004CCD3C ; message string
00434A40 . E8 3B9DFFFF call 0042E780
; -- spawn: 0049D4B6(004344E0, 0, this) -- 3 cdecl args, the shape of
;    _beginthread(start, stack_size, arglist).  The returned handle is then
;    duplicated into this+C with DUPLICATE_SAME_ACCESS (2); DuplicateHandle's
;    result is not checked, so this+C may stay stale on failure.
00434A45 . 8B3D 70134C00 mov edi, dword ptr [<&kernel32.GetCu>; kernel32.GetCurrentProcess
00434A4B . 6A 02 push 2 ; dwOptions = DUPLICATE_SAME_ACCESS
00434A4D . 6A 00 push 0 ; bInheritHandle
00434A4F . 6A 00 push 0 ; dwDesiredAccess
00434A51 . 8D4E 0C lea ecx, dword ptr [esi+C]
00434A54 . 51 push ecx ; lpTargetHandle = &this->+C
00434A55 . FFD7 call edi ; [GetCurrentProcess
00434A57 . 50 push eax ; hTargetProcessHandle
00434A58 . 56 push esi ; arglist = this
00434A59 . 6A 00 push 0 ; stack size
00434A5B . 68 E0444300 push 004344E0 ; thread start routine
00434A60 . E8 518A0600 call 0049D4B6
00434A65 . 83C4 0C add esp, 0C
00434A68 . 50 push eax ; hSourceHandle = new thread handle
00434A69 . FFD7 call edi
00434A6B . 50 push eax ; |hSourceProcess
00434A6C . FF15 74134C00 call dword ptr [<&kernel32.DuplicateH>; \DuplicateHandle -- return value ignored
; -- release the local string: header at buf-10, refcount at header+C;
;    atomic decrement, and once it reaches <= 0 call header->pStringMgr
;    vtable slot 1 (Free) on the header.
00434A72 . 8B4424 10 mov eax, dword ptr [esp+10] ; buffer pointer
00434A76 . 83C0 F0 add eax, -10 ; -> string header
00434A79 . C74424 30 FFF>mov dword ptr [esp+30], -1 ; EH state -1: nothing left to unwind
00434A81 . 8D50 0C lea edx, dword ptr [eax+C] ; &refcount
00434A84 . 83C9 FF or ecx, FFFFFFFF
00434A87 . F0:0FC10A lock xadd dword ptr [edx], ecx ; ecx = old refcount
00434A8B . 49 dec ecx ; ecx = new refcount
00434A8C . 85C9 test ecx, ecx
00434A8E . 7F 0A jg short 00434A9A ; still shared -> skip free
00434A90 . 8B08 mov ecx, dword ptr [eax] ; pStringMgr
00434A92 . 8B11 mov edx, dword ptr [ecx] ; its vtable
00434A94 . 50 push eax
00434A95 . 8B42 04 mov eax, dword ptr [edx+4]
00434A98 . FFD0 call eax ; pStringMgr->Free(header)
00434A9A > B0 01 mov al, 1 ; return true
00434A9C . E9 39020000 jmp 00434CDA
; -- mode != 2: compare the string at this+1010 with the literal at 004CCD55
;    (0049CFA9: two cdecl args, 0 means equal -- strcmp-shaped)
00434AA1 > 8B86 10100000 mov eax, dword ptr [esi+1010]
00434AA7 . 68 55CD4C00 push 004CCD55
00434AAC . 50 push eax
00434AAD . E8 F7840600 call 0049CFA9
00434AB2 . 83C4 08 add esp, 8
00434AB5 . 85C0 test eax, eax
00434AB7 . 0F95C0 setne al
00434ABA . 84C0 test al, al
00434ABC . 0F84 C5000000 je 00434B87 ; equal -> gethostbyname/connect path
; -- strings differ: notify, then let the virtual method at vtable+10 decide
00434AC2 . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B]
00434AC8 . 68 FFFFFF00 push 0FFFFFF
00434ACD . 68 58CD4C00 push 004CCD58
00434AD2 . E8 A99CFFFF call 0042E780
00434AD7 . 8B4424 3C mov eax, dword ptr [esp+3C] ; arg2
00434ADB . 8B4C24 10 mov ecx, dword ptr [esp+10] ; local string buffer
00434ADF . 8B16 mov edx, dword ptr [esi] ; this->vtable
00434AE1 . 8B52 10 mov edx, dword ptr [edx+10] ; slot 4
00434AE4 . 50 push eax
00434AE5 . 51 push ecx
00434AE6 . 8BCE mov ecx, esi
00434AE8 . FFD2 call edx ; al = this->vslot4(localstr, arg2)
00434AEA . 8AD8 mov bl, al ; bl = result; becomes the return value at 00434B80
00434AEC . 84DB test bl, bl
00434AEE . 74 2D je short 00434B1D ; failed -> no worker thread
; -- success: spawn worker 004344E0 and duplicate its handle into this+C
;    (same sequence as at 00434A45; DuplicateHandle result again unchecked)
00434AF0 . 8B3D 70134C00 mov edi, dword ptr [<&kernel32.GetCu>; kernel32.GetCurrentProcess
00434AF6 . 6A 02 push 2 ; DUPLICATE_SAME_ACCESS
00434AF8 . 6A 00 push 0
00434AFA . 6A 00 push 0
00434AFC . 8D46 0C lea eax, dword ptr [esi+C]
00434AFF . 50 push eax ; lpTargetHandle
00434B00 . FFD7 call edi ; [GetCurrentProcess
00434B02 . 50 push eax
00434B03 . 56 push esi ; arglist = this
00434B04 . 6A 00 push 0
00434B06 . 68 E0444300 push 004344E0
00434B0B . E8 A6890600 call 0049D4B6
00434B10 . 83C4 0C add esp, 0C
00434B13 . 50 push eax ; hSourceHandle
00434B14 . FFD7 call edi
00434B16 . 50 push eax ; |hSourceProcess
00434B17 . FF15 74134C00 call dword ptr [<&kernel32.DuplicateH>; \DuplicateHandle
00434B1D > 80BE 28100000>cmp byte ptr [esi+1028], 0
00434B24 . 75 32 jnz short 00434B58 ; flag set -> skip the failure notification
; NOTE(review): `xor bl,bl` (no analysis mark = probably patched) zeroes the
; result AND sets ZF, so the jnz below is dead; the failure notification always
; runs and the function returns 0.  `test bl,bl` (84 DB) here would skip it
; whenever the virtual call succeeded.
00434B26 32DB xor bl, bl
00434B28 . 75 2E jnz short 00434B58 ; never taken after the xor
; -- failure notification: 0042E780 with 0xFF, then WM_USER+1 (0x401) to the
;    thread id stored at [4EF9FB]+30, wParam = lParam = 0
00434B2A . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B]
00434B30 . 68 FF000000 push 0FF
00434B35 . 68 6CCD4C00 push 004CCD6C
00434B3A . E8 419CFFFF call 0042E780
00434B3F . 8B0D FBF94E00 mov ecx, dword ptr [4EF9FB]
00434B45 . 8B51 30 mov edx, dword ptr [ecx+30] ; target thread id
00434B48 . 6A 00 push 0 ; /lParam = 0
00434B4A . 6A 00 push 0 ; |wParam = 0
00434B4C . 68 01040000 push 401 ; |Message = WM_USER+1
00434B51 . 52 push edx ; |ThreadId
00434B52 . FF15 94164C00 call dword ptr [<&user32.PostThreadMe>; \PostThreadMessageA -- result ignored
; -- release the local string (same refcount sequence as at 00434A72)
00434B58 > 8B4424 10 mov eax, dword ptr [esp+10]
00434B5C . 83C0 F0 add eax, -10
00434B5F . C74424 30 FFF>mov dword ptr [esp+30], -1
00434B67 . 8D48 0C lea ecx, dword ptr [eax+C]
00434B6A . 83CA FF or edx, FFFFFFFF
00434B6D . F0:0FC111 lock xadd dword ptr [ecx], edx
00434B71 . 4A dec edx
00434B72 . 85D2 test edx, edx
00434B74 . 7F 0A jg short 00434B80
00434B76 . 8B08 mov ecx, dword ptr [eax]
00434B78 . 8B11 mov edx, dword ptr [ecx]
00434B7A . 50 push eax
00434B7B . 8B42 04 mov eax, dword ptr [edx+4]
00434B7E . FFD0 call eax ; pStringMgr->Free(header)
00434B80 > 8AC3 mov al, bl ; return the virtual call's result (always 0 after the xor patch)
00434B82 . E9 53010000 jmp 00434CDA
; -- strings equal: resolve the host name and connect.
;    this+1020 = local string (00401930 with ecx = &this+1020 and the local as
;    argument: presumably string assignment); this+1024 = (word)arg2.
00434B87 > 8D4C24 10 lea ecx, dword ptr [esp+10]
00434B8B . 8DBE 20100000 lea edi, dword ptr [esi+1020] ; edi = &this->host-name string
00434B91 . 51 push ecx
00434B92 . 8BCF mov ecx, edi
00434B94 . E8 97CDFCFF call 00401930
00434B99 . 0FB75424 3C movzx edx, word ptr [esp+3C] ; low word of arg2 = port
00434B9E . 68 FFFFFF00 push 0FFFFFF
00434BA3 . 8996 24100000 mov dword ptr [esi+1024], edx
00434BA9 . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B]
00434BAF . 68 8CCD4C00 push 004CCD8C ; \->: 开始连接服务器 ("starting to connect to the server")
00434BB4 . E8 C79BFFFF call 0042E780
00434BB9 . 8B3F mov edi, dword ptr [edi] ; char* buffer of the host-name string
00434BBB . 57 push edi ; /Name
00434BBC . FF15 14174C00 call dword ptr [<&wsock32.gethostbyna>; \gethostbyname
00434BC2 . 8BF8 mov edi, eax ; edi = hostent* (NULL on failure)
; NOTE(review): `xor edi,edi` (no analysis mark) discards the hostent pointer
; and sets ZF, so `jnz 00434C24` is never taken -> execution ALWAYS falls into
; the "连接服务器失败,重新连接" branch below.  This is exactly what the post
; reports.  `test edi,edi` (85 FF) would take the jump on a successful lookup.
; Do not "fix" it by turning the jnz into jmp either: with edi = NULL the loads
; at 00434C41/00434C44/00434C46 fault.
00434BC4 33FF xor edi, edi
00434BC6 75 5C jnz short 00434C24 ; dead after the xor
; -- lookup failed: notify, then PostThreadMessageA(WM_USER+1, edi, edi) with edi == 0
00434BC8 . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B]
00434BCE . 68 FF000000 push 0FF
00434BD3 . 68 9CCD4C00 push 004CCD9C ; \->: 连接服务器失败,重新连接。 ("failed to connect to the server, reconnecting")
00434BD8 . E8 A39BFFFF call 0042E780
00434BDD . A1 FBF94E00 mov eax, dword ptr [4EF9FB]
00434BE2 . 8B48 30 mov ecx, dword ptr [eax+30]
00434BE5 . 57 push edi ; /lParam
00434BE6 . 57 push edi ; |wParam
00434BE7 . 68 01040000 push 401 ; |Message = WM_USER+1
00434BEC . 51 push ecx ; |ThreadId
00434BED . FF15 94164C00 call dword ptr [<&user32.PostThreadMe>; \PostThreadMessageA
; -- release the local string, then return 0 via 00434CD8
00434BF3 . 8B4424 10 mov eax, dword ptr [esp+10]
00434BF7 . 83C0 F0 add eax, -10
00434BFA . C74424 30 FFF>mov dword ptr [esp+30], -1
00434C02 . 8D50 0C lea edx, dword ptr [eax+C]
00434C05 . 83C9 FF or ecx, FFFFFFFF
00434C08 . F0:0FC10A lock xadd dword ptr [edx], ecx
00434C0C . 49 dec ecx
00434C0D . 85C9 test ecx, ecx
00434C0F 0F8F C3000000 jg 00434CD8
00434C15 . 8B08 mov ecx, dword ptr [eax]
00434C17 . 8B11 mov edx, dword ptr [ecx]
00434C19 . 50 push eax
00434C1A . 8B42 04 mov eax, dword ptr [edx+4]
00434C1D . FFD0 call eax ; pStringMgr->Free(header)
00434C1F . E9 B4000000 jmp 00434CD8
; -- lookup succeeded: build a sockaddr_in in the local at [esp+14]:
;    +0 sin_family = 2 (AF_INET), +2 sin_port = htons(this+1024),
;    +4 sin_addr = *(u32*)hostent->h_addr_list[0]; then connect(this+8, &sa, 16).
;    (Offsets below are shifted by the pushes in flight.)
;    NOTE(review): h_addr_list[0] is used without a NULL check and h_addrtype
;    is never compared with AF_INET.  This is plain wsock32 TCP with no TLS
;    visible in this function; unless the later "verification" traffic
;    authenticates the peer, a hosts-file/DNS redirect of this host name lets
;    an attacker play the server -- confirm in the send/receive code.
00434C24 > 0FB796 241000>movzx edx, word ptr [esi+1024] ; port
00434C2B . B9 02000000 mov ecx, 2 ; AF_INET
00434C30 . 52 push edx ; /NetShort
00434C31 . 66:894C24 18 mov word ptr [esp+18], cx ; | sin_family
00434C36 . FF15 10174C00 call dword ptr [<&wsock32.htons>] ; \ntohs (import is htons; same byte swap)
00434C3C . 66:894424 16 mov word ptr [esp+16], ax ; sin_port
00434C41 . 8B47 0C mov eax, dword ptr [edi+C] ; hostent->h_addr_list
00434C44 . 8B08 mov ecx, dword ptr [eax] ; h_addr_list[0]
00434C46 . 8B11 mov edx, dword ptr [ecx] ; first IPv4 address
00434C48 . 8B4E 08 mov ecx, dword ptr [esi+8] ; this->socket
00434C4B . 6A 10 push 10 ; /AddrLen = 10 (16.)
00434C4D . 8D4424 18 lea eax, dword ptr [esp+18] ; | &sockaddr_in
00434C51 . 50 push eax ; |pSockAddr
00434C52 . 51 push ecx ; |Socket
00434C53 . 895424 24 mov dword ptr [esp+24], edx ; | sin_addr
00434C57 . FF15 0C174C00 call dword ptr [<&wsock32.connect>] ; \connect
00434C5D 83F8 FF cmp eax, -1 ; SOCKET_ERROR?
00434C60 74 3A je short 00434C9C ; connect failed
; -- connected: spawn worker 004344E0, duplicate its handle into this+C,
;    destroy the local string (004017D0 with ecx = &local; presumably the
;    out-of-line string dtor), return 1
00434C62 8B3D 70134C00 mov edi, dword ptr [<&kernel32.GetCu>; kernel32.GetCurrentProcess
00434C68 6A 02 push 2 ; DUPLICATE_SAME_ACCESS
00434C6A 6A 00 push 0
00434C6C 6A 00 push 0
00434C6E 8D56 0C lea edx, dword ptr [esi+C]
00434C71 52 push edx ; lpTargetHandle
00434C72 FFD7 call edi
00434C74 50 push eax
00434C75 56 push esi ; arglist = this
00434C76 6A 00 push 0
00434C78 . 68 E0444300 push 004344E0
00434C7D . E8 34880600 call 0049D4B6
00434C82 . 83C4 0C add esp, 0C
00434C85 . 50 push eax ; hSourceHandle
00434C86 . FFD7 call edi
00434C88 . 50 push eax ; |hSourceProcess
00434C89 . FF15 74134C00 call dword ptr [<&kernel32.DuplicateH>; \DuplicateHandle -- return value ignored
00434C8F . 8D4C24 10 lea ecx, dword ptr [esp+10]
00434C93 . E8 38CBFCFF call 004017D0
00434C98 . B0 01 mov al, 1 ; return true
00434C9A . EB 3E jmp short 00434CDA
; -- connect failed: WSAGetLastError is called but eax is never read before it
;    is overwritten, so the error code is lost; notify with the same "failed"
;    string, post WM_USER+1, destroy the local string, return 0
00434C9C > FF15 1C174C00 call dword ptr [<&wsock32.WSAGetLastE>; [WSAGetLastError -- result discarded
00434CA2 . 8B0D 0BFA4E00 mov ecx, dword ptr [4EFA0B]
00434CA8 . 68 FF000000 push 0FF
00434CAD . 68 B8CD4C00 push 004CCDB8 ; \->: 连接服务器失败,重新连接。 ("failed to connect to the server, reconnecting")
00434CB2 . E8 C99AFFFF call 0042E780
00434CB7 . A1 FBF94E00 mov eax, dword ptr [4EF9FB]
00434CBC . 8B48 30 mov ecx, dword ptr [eax+30]
00434CBF . 6A 00 push 0 ; /lParam = 0
00434CC1 . 6A 00 push 0 ; |wParam = 0
00434CC3 . 68 01040000 push 401 ; |Message = WM_USER+1
00434CC8 . 51 push ecx ; |ThreadId
00434CC9 . FF15 94164C00 call dword ptr [<&user32.PostThreadMe>; \PostThreadMessageA
00434CCF . 8D4C24 10 lea ecx, dword ptr [esp+10]
00434CD3 . E8 F8CAFCFF call 004017D0
; -- common epilogue: al = return value; unhook SEH; pop cookie copy and regs;
;    verify the stack cookie (0049C853, presumably __security_check_cookie)
00434CD8 > 32C0 xor al, al ; return false
00434CDA > 8B4C24 28 mov ecx, dword ptr [esp+28]
00434CDE . 64:890D 00000>mov dword ptr fs:[0], ecx ; restore previous SEH record
00434CE5 . 59 pop ecx ; discard cookie copy
00434CE6 . 5F pop edi
00434CE7 . 5E pop esi
00434CE8 . 5B pop ebx
00434CE9 . 8B4C24 14 mov ecx, dword ptr [esp+14]
00434CED . 33CC xor ecx, esp ; ecx = stored cookie
00434CEF . E8 5F7B0600 call 0049C853
00434CF4 . 83C4 24 add esp, 24 ; locals + EH record
00434CF7 . C2 0C00 retn 0C
以下好像是网络验证的代码？不过里面的几个跳转改了之后基本都没用，反倒使程序跑不起来。我想这应该是这个软件判断是否掉线、连接服务器的代码？而且无论充值与否、掉线与否、验证与否，都要调用此函数。不过我觉得应该没多大价值。
; ===========================================================================
; sub_42E780 -- status/notification sink (__thiscall, ecx = this, two stack
; args, retn 8).  Every call site in sub_4349B0 passes ecx = [4EFA0B],
; arg1 = a message string pointer, arg2 = 0xFFFFFF or 0xFF, and none of them
; reads eax afterwards.
; Does nothing when the global byte at 4F24B2 is 0.  Otherwise it delivers
; WM_USER+1 (0x401) synchronously to the HWND at this+20 via
; SendMessageTimeoutA(flags = 2 = SMTO_ABORTIFHUNG, 100 ms):
;   wParam = the member string at this+61D when its length field (at buf-C,
;            the CStringData nDataLength position) is > 0, else arg1;
;   lParam = address of the arg2 slot in this frame -- valid only because the
;            send is synchronous (a Post would hand out a dangling pointer);
;   pResult = address of the arg1 slot; neither it nor the return value is used.
; NOTE(review): the je at 0042E787 and the jle at 0042E79C lack the analysis
; mark and may be the "other" patched jumps.  Changing them only alters
; whether/which text is displayed; the connect decision is made entirely in
; sub_4349B0, so patches here cannot affect it.
; ===========================================================================
0042E780 /$ 803D B2244F00>cmp byte ptr [4F24B2], 0 ; notifications enabled?
0042E787 74 46 je short 0042E7CF ; no -> return immediately
0042E789 |. 8B81 1D060000 mov eax, dword ptr [ecx+61D] ; member string buffer
0042E78F |. 8378 F4 00 cmp dword ptr [eax-C], 0 ; its length (flags survive the lea/push below)
0042E793 |. 8D5424 04 lea edx, dword ptr [esp+4] ; = &arg1 slot
0042E797 |. 52 push edx ; /pResult
0042E798 |. 6A 64 push 64 ; |Timeout = 100. ms
0042E79A |. 6A 02 push 2 ; |Flags = SMTO_NORMAL|SMTO_ABORTIFHUNG
0042E79C 7E 18 jle short 0042E7B6 ; empty member string -> send arg1 instead
0042E79E |. 8D5424 14 lea edx, dword ptr [esp+14] ; | &arg2 (after 3 pushes)
0042E7A2 |. 52 push edx ; |lParam
0042E7A3 |. 50 push eax ; |wParam = member string
0042E7A4 |. 8B41 20 mov eax, dword ptr [ecx+20] ; | target window
0042E7A7 |. 68 01040000 push 401 ; |Message = WM_USER+1
0042E7AC |. 50 push eax ; |hWnd
0042E7AD |. FF15 58164C00 call dword ptr [<&user32.SendMessageT>; \SendMessageTimeoutA -- result ignored
0042E7B3 |. C2 0800 retn 8
0042E7B6 |> 8B5424 10 mov edx, dword ptr [esp+10] ; | arg1 (after 3 pushes)
0042E7BA |. 8D4424 14 lea eax, dword ptr [esp+14] ; | &arg2
0042E7BE |. 50 push eax ; |lParam
0042E7BF |. 8B41 20 mov eax, dword ptr [ecx+20] ; | target window
0042E7C2 |. 52 push edx ; |wParam = arg1
0042E7C3 |. 68 01040000 push 401 ; |Message = WM_USER+1
0042E7C8 |. 50 push eax ; |hWnd
0042E7C9 |. FF15 58164C00 call dword ptr [<&user32.SendMessageT>; \SendMessageTimeoutA -- result ignored
0042E7CF \> C2 0800 retn 8