0163DB50 | PUSH EBP | 明文Send
0163DB51 | LEA EBP,DWORD PTR [ESP-0x40] |
0163DB55 | SUB ESP,0x40 |
0163DB58 | PUSH 0xFFFFFFFF |
0163DB5A | PUSH <pathofexile.sub_1E53DDB> |
0163DB5F | MOV EAX,DWORD PTR FS:[0] |
0163DB65 | PUSH EAX |
0163DB66 | MOV DWORD PTR FS:[0],ESP |
0163DB6D | SUB ESP,0x264 |
0163DB73 | PUSH EBX |
0163DB74 | PUSH ESI |
0163DB75 | MOV ESI,ECX |
0163DB77 | MOV DWORD PTR [EBP+0x3C],0x0 |
0163DB7E | PUSH EDI |
0163DB7F | MOV EDI,DWORD PTR [ESI+0x124] | 封包大小
0163DB85 | MOV EBX,DWORD PTR [ESI+0x128] |
0163DB8B | SUB EDI,EBX |
0163DB8D | MOV ECX,DWORD PTR [ESI+0x98] |
0163DB93 | TEST ECX,ECX |
0163DB95 | JE pathofexile.163DBAA |
0163DB97 | TEST EDI,EDI |
0163DB99 | JE pathofexile.163DBAA |
0163DB9B | MOV EAX,DWORD PTR [ESI+0x138] |
0163DBA1 | MOV EDX,DWORD PTR [ECX] |
0163DBA3 | ADD EAX,EBX |
0163DBA5 | PUSH EDI | 需要加密的字节长度
0163DBA6 | PUSH EAX | 封包内容
0163DBA7 | CALL DWORD PTR [EDX+0x4] | 加密函数
0163DBAA | MOV EAX,DWORD PTR [ESI+0x124] | 封包大小
0163DBB0 | XOR EDI,EDI |
0163DBB2 | MOV DWORD PTR [ESI+0x128],EAX | 封包大小
0163DBB8 | TEST EAX,EAX | 封包是否等于0
0163DBBA | JE pathofexile.163DBF2 |
0163DBBC | MOV EBX,DWORD PTR [<&send>] |
0163DBC2 | MOV ECX,DWORD PTR [ESI+0x138] | 封包内容
0163DBC8 | MOV EAX,DWORD PTR [ESI+0x124] | 封包大小
0163DBCE | PUSH 0x0 |
0163DBD0 | SUB EAX,EDI |
0163DBD2 | PUSH EAX |
0163DBD3 | LEA EAX,DWORD PTR [ECX+EDI] | 取封包内容
0163DBD6 | PUSH EAX | 封包内容Buff
0163DBD7 | PUSH DWORD PTR [ESI] | socket
0163DBD9 | CALL EBX | send
01420F20 | PUSH EBP | 拿起物品
01420F21 | MOV EBP,ESP |
01420F23 | PUSH 0xFFFFFFFF |
01420F25 | PUSH <pathofexile.sub_1E3053C> |
01420F2A | MOV EAX,DWORD PTR FS:[0] |
01420F30 | PUSH EAX |
01420F31 | MOV DWORD PTR FS:[0],ESP |
01420F38 | SUB ESP,0x2C | 开辟栈空间
01420F3B | PUSH EBX |
01420F3C | PUSH ESI |
01420F3D | MOV EBX,ECX | this指针
01420F3F | LEA ECX,DWORD PTR [EBP-0x20] |
01420F42 | PUSH EDI | 物品ID
01420F43 | CALL <pathofexile.sub_1281210> | [EBP-0x20] [EBP-0x1C] 被赋值
01420F48 | PUSH ECX | SEH
01420F49 | LEA ECX,DWORD PTR [EBP-0x18] |
01420F4C | PUSH ECX |
01420F4D | MOV ECX,DWORD PTR [EAX] | [EBP-0x20]
01420F4F | CALL <pathofexile.sub_12885C0> |
01420F54 | MOV DWORD PTR [EBP-0x4],0x1 | 给本地变量1赋值
01420F5B | OR EDI,0xFFFFFFFF |
01420F5E | MOV ESI,DWORD PTR [EBP-0x1C] |
01420F61 | TEST ESI,ESI |
01420F63 | JE pathofexile.1420F84 |
01420F65 | MOV EAX,EDI |
01420F67 | LOCK XADD DWORD PTR [ESI+0x4],E |
01420F6C | JNE pathofexile.1420F84 |
01420F6E | MOV EAX,DWORD PTR [ESI] |
01420F70 | MOV ECX,ESI |
01420F72 | CALL DWORD PTR [EAX] |
01420F74 | MOV EAX,EDI |
01420F76 | LOCK XADD DWORD PTR [ESI+0x8],E |
01420F7B | JNE pathofexile.1420F84 |
01420F7D | MOV EAX,DWORD PTR [ESI] |
01420F7F | MOV ECX,ESI |
01420F81 | CALL DWORD PTR [EAX+0x4] |
01420F84 | MOV BYTE PTR [EBP-0x4],0x0 | 本地变量1 = 0
01420F88 | MOV EAX,DWORD PTR [EBP-0x18] |
01420F8B | CMP DWORD PTR [EAX+0x1990],0xF |
01420F92 | JE pathofexile.1420FB9 |
01420F94 | PUSH ECX |
01420F95 | MOV ECX,DWORD PTR [EBX+0x994] |
01420F9B | PUSH 0xFFFFFFFF |
01420F9D | PUSH 0x0 |
01420F9F | PUSH 0x0 |
01420FA1 | PUSH DWORD PTR [EBP+0x8] |
01420FA4 | PUSH DWORD PTR [EBX+0x8E8] |
01420FAA | PUSH DWORD PTR [EBX+0x8E4] |
01420FB0 | PUSH 0x3 |
01420FB2 | CALL pathofexile.1411690 |
01420FB7 | JMP pathofexile.1421001 |
01420FB9 | MOV EAX,DWORD PTR [EBX+0x8E8] | 物品位置 0x1=背包 0xC=药品栏 0x21=仓库
01420FBF | MOV ECX,0x19 | 封包编号
01420FC4 | MOV ESI,DWORD PTR [EBX+0x97C] | EBX = this指针
01420FCA | MOV WORD PTR [EBP-0x30],CX | 封包编号
01420FCE | MOV DWORD PTR [EBP-0x34],<path |
01420FD5 | MOV BYTE PTR [EBP-0x4],0x2 |
01420FD9 | LEA ECX,DWORD PTR [EBP-0x34] | 封包首地址
01420FDC | PUSH DWORD PTR [ESI+0x471C] |
01420FE2 | MOV DWORD PTR [EBP-0x2C],EAX | 物品位置
01420FE5 | MOV EAX,DWORD PTR [EBP+0x8] | 物品ID
01420FE8 | MOV DWORD PTR [EBP-0x28],EAX | 物品ID
01420FEB | MOV BYTE PTR [EBP-0x24],0x0 | 是否为工会
01420FEF | CALL <pathofexile.拿起物品加密函数> |
01420FF4 | MOV ECX,DWORD PTR [ESI+0x471C] |
01420FFA | PUSH 0x0 |
01420FFC | CALL <pathofexile.MySend> |
01AAFDF0 | PUSH ECX | 组装拿起物品封包
01AAFDF1 | PUSH EBX |
01AAFDF2 | MOV EBX,ECX | 封包首地址
01AAFDF4 | PUSH EDI |
01AAFDF5 | MOVZX EAX,WORD PTR [EBX+0x4] | 封包ID
01AAFDF9 | PUSH EAX |
01AAFDFA | CALL DWORD PTR [<&ntohs>] | 将网络字节序转为主机字节序
01AAFE00 | MOV EDI,DWORD PTR [ESP+0x10] | arg.1
01AAFE04 | MOV ECX,EDI | this = arg.1
01AAFE06 | MOVZX EAX,AX |
01AAFE09 | MOV DWORD PTR [ESP+0x8],EAX |
01AAFE0D | LEA EAX,DWORD PTR [ESP+0x8] |
01AAFE11 | PUSH 0x2 | 字节数
01AAFE13 | PUSH EAX | 封包id
01AAFE14 | CALL <pathofexile.sub_163DA30> |
01AAFE19 | PUSH DWORD PTR [EBX+0x8] | 物品位置
01AAFE1C | MOV ECX,DWORD PTR [EDI+0x58] | arg.1 + 0x58 函数地址
01AAFE1F | CALL <pathofexile.sub_1AB0310> | ???
01AAFE24 | PUSH EAX |
01AAFE25 | CALL DWORD PTR [<&ntohl>] | 将网络字节序转为主机字节序
01AAFE2B | MOV DWORD PTR [ESP+0x10],EAX |
01AAFE2F | MOV ECX,EDI | edi:Sleep
01AAFE31 | PUSH 0x4 |
01AAFE33 | LEA EAX,DWORD PTR [ESP+0x14] |
01AAFE37 | PUSH EAX |
01AAFE38 | CALL <pathofexile.sub_163DA30> |
01AAFE3D | PUSH DWORD PTR [EBX+0xC] | 物品ID
01AAFE40 | CALL DWORD PTR [<&ntohl>] | 将网络字节序转为主机字节序
01AAFE46 | MOV DWORD PTR [ESP+0x10],EAX |
01AAFE4A | MOV ECX,EDI | arg1
01AAFE4C | PUSH 0x4 | 大小
01AAFE4E | LEA EAX,DWORD PTR [ESP+0x14] |
01AAFE52 | PUSH EAX | 物品ID
01AAFE53 | CALL <pathofexile.sub_163DA30> |
01AAFE58 | MOVZX EAX,BYTE PTR [EBX+0x10] | 是否为工会
01AAFE5C | MOV ECX,DWORD PTR [EDI+0x58] | 函数地址
01AAFE5F | PUSH EAX | 是否为工会
01AAFE60 | CALL <pathofexile.sub_1AB03A0> | ???
01AAFE65 | MOV BYTE PTR [ESP+0x10],AL |
01AAFE69 | MOV ECX,EDI |
01AAFE6B | PUSH 0x1 |
01AAFE6D | LEA EAX,DWORD PTR [ESP+0x14] |
01AAFE71 | PUSH EAX |
01AAFE72 | CALL <pathofexile.sub_163DA30> |
01AAFE77 | POP EDI |
01AAFE78 | POP EBX |
01AAFE79 | POP ECX |
01AAFE7A | RET 0x4 |
注入器
#include <Windows.h>
#include <TlHelp32.h>
int main()
{
    // Injector for the DLL below: the textbook CreateRemoteThread + LoadLibraryA
    // pattern. From a defender's side this is exactly the API sequence
    // (OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
    // CreateRemoteThread whose start address is a kernel32 export) that EDR telemetry
    // and Sysmon (Event ID 8, CreateRemoteThread) are built to surface, and it is the
    // first thing an anti-cheat module looks for. No return value is checked in this
    // function; every call is assumed to succeed.

    // Walk the process list and stop at the first entry whose image name is exactly
    // "PathOfExile.exe" (strcmp, so the comparison is case-sensitive).
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
    Process32First(hProcessSnap, &pe32);
    do
    {
        if (!strcmp(pe32.szExeFile, "PathOfExile.exe"))
            break;
    } while (Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    // Open the target with full access rights.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
    // Commit memory in the target for the DLL path. The requested size is 1 byte; the
    // write of sizeof(Path) bytes below relies on VirtualAllocEx's page granularity.
    LPVOID pRemoteAddress = VirtualAllocEx(hProcess, NULL, 1, MEM_COMMIT, PAGE_READWRITE);
    CHAR Path[] = "POE_DLL_TEST.dll";
    // Copy the path, including its terminating NUL, into the target.
    WriteProcessMemory(hProcess, pRemoteAddress, Path, sizeof(Path), NULL);
    // Start a thread in the target with LoadLibraryA as its entry point and the remote
    // copy of the path as its single argument, so the target loads the DLL itself.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)LoadLibraryA, pRemoteAddress, 0, NULL);
    // Block until LoadLibraryA (and therefore DllMain) has returned; -1 converts to INFINITE.
    WaitForSingleObject(hThread, -1);
    // Decommit the remote page that held the path.
    VirtualFreeEx(hProcess, pRemoteAddress, 1, MEM_DECOMMIT);
    // Release both handles.
    CloseHandle(hProcess);
    CloseHandle(hThread);
    return 0;
}
[C] 纯文本查看 复制代码 #include <Windows.h>
#pragma comment(lib,"ws2_32.lib")
void salsa20()
{
    // Regenerate one 64-byte keystream block of the client's outgoing-traffic cipher,
    // in place, by running the Salsa20 block function on the cipher state that the
    // game itself keeps in memory. Nothing here is a secret the author had to know:
    // key, nonce and counter are read out of the live process through a chain of
    // hard-coded offsets from the executable's image base. That is the design lesson
    // for anyone building a client/server protocol: a transport cipher whose state
    // lives in the client provides confidentiality on the wire, but it cannot prove
    // that a message was produced by legitimate game logic. That guarantee has to
    // come from server-side validation of what each message asks for, plus integrity
    // checks on the client process (an injected DLL reading these structures is a
    // foreign module and can be detected as such).
    //
    // Register usage, as established by the code below:
    //   ESI -> the cipher input block (64 bytes, four 16-byte vectors)
    //   EDI -> the 64-byte output buffer; DownItem() reaches the same buffer through
    //          the identical offset chain and reads it as `temp`
    //   EBX    round counter
    // EBX, ESI, EDI and XMM0-XMM7 are clobbered. Every XMMWORD access uses MOVDQA, so
    // both buffers must be 16-byte aligned. The offsets (0xFBBCD4, 0x97C, 0x471C, ...)
    // belong to one specific client build and dereference garbage on any other.
    // Image base of the host executable (this DLL runs inside PathOfExile.exe).
    HMODULE hModule = GetModuleHandle(NULL);
    __asm
    {
        // Pointer chase from the image base to the connection's cipher object.
        MOV EDI, hModule
        ADD EDI, 0xFBBCD4
        MOV EDI, [EDI]
        MOV EDI, [EDI + 0x97C]
        MOV EDI, [EDI + 0x471C]
        MOV EDI, [EDI + 0x98]
        ADD EDI, 0xC
        MOV ESI, EDI
        MOV EDI, [EDI + 0x10]            // EDI = keystream output buffer
        ADD ESI, 0x1C
        ADD ESI, 0x8
        MOV ESI, [ESI + 0x54]            // ESI = cipher input block
        // Load the input block into XMM0..XMM3.
        MOVDQA XMM0, XMMWORD PTR[ESI]
        MOVDQA XMM1, XMMWORD PTR[ESI + 0x10]
        MOVDQA XMM2, XMMWORD PTR[ESI + 0x20]
        MOVDQA XMM3, XMMWORD PTR[ESI + 0x30]
        MOV EBX, 20                      // 20 rounds; each pass of the loop does two
    MY_LOOP:
        // Half-round 1. Each step is x ^= rotl32(a + b, k) on four lanes at once:
        // PSLLD k and PSRLD (32 - k) build the rotation, the two PXORs apply it.
        // The rotation amounts 7, 9, 13, 18 are Salsa20's quarter-round constants.
        MOVDQA XMM4, XMM3
        PADDD XMM4, XMM0
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x7
        PSRLD XMM5, 0x19
        PXOR XMM1, XMM4
        PXOR XMM1, XMM5
        MOVDQA XMM4, XMM0
        PADDD XMM4, XMM1
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x9
        PSRLD XMM5, 0x17
        PXOR XMM2, XMM4
        PXOR XMM2, XMM5
        MOVDQA XMM4, XMM1
        PADDD XMM4, XMM2
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0xD
        PSRLD XMM5, 0x13
        PXOR XMM3, XMM4
        PXOR XMM3, XMM5
        MOVDQA XMM4, XMM2
        PADDD XMM4, XMM3
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x12
        PSRLD XMM5, 0xE
        PXOR XMM0, XMM4
        PXOR XMM0, XMM5
        // Rotate the lanes of XMM1/XMM2/XMM3 by 1/2/3 words so half-round 2 acts on
        // the other orientation of the state.
        PSHUFD XMM1, XMM1, 0x93
        PSHUFD XMM2, XMM2, 0x4E
        PSHUFD XMM3, XMM3, 0x39
        // Half-round 2: the same four steps with the roles of XMM1 and XMM3 swapped.
        MOVDQA XMM4, XMM1
        PADDD XMM4, XMM0
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x7
        PSRLD XMM5, 0x19
        PXOR XMM3, XMM4
        PXOR XMM3, XMM5
        MOVDQA XMM4, XMM0
        PADDD XMM4, XMM3
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x9
        PSRLD XMM5, 0x17
        PXOR XMM2, XMM4
        PXOR XMM2, XMM5
        MOVDQA XMM4, XMM3
        PADDD XMM4, XMM2
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0xD
        PSRLD XMM5, 0x13
        PXOR XMM1, XMM4
        PXOR XMM1, XMM5
        MOVDQA XMM4, XMM2
        PADDD XMM4, XMM1
        MOVDQA XMM5, XMM4
        PSLLD XMM4, 0x12
        PSRLD XMM5, 0xE
        PXOR XMM0, XMM4
        PXOR XMM0, XMM5
        // Undo the lane rotation before the next pass.
        PSHUFD XMM1, XMM1, 0x39
        PSHUFD XMM2, XMM2, 0x4E
        PSHUFD XMM3, XMM3, 0x93
        SUB EBX, 0x2
        JNE MY_LOOP
        // Feed-forward: add the original input block back into the result.
        PADDD XMM0, XMMWORD PTR[ESI]
        PADDD XMM1, XMMWORD PTR[ESI + 0x10]
        PADDD XMM2, XMMWORD PTR[ESI + 0x20]
        PADDD XMM3, XMMWORD PTR[ESI + 0x30]
        // 64-bit increment spread over two input-block words (presumably the block
        // counter in this interleaved layout; not verified here) so the next call
        // produces a fresh block.
        ADD DWORD PTR[ESI + 0x20], 0x1
        ADC DWORD PTR[ESI + 0x14], 0x0
        // Lane masks: XMM6 = 0x00000000FFFFFFFF in each qword (all ones shifted right
        // by 32), XMM7 = the complementary mask (dword order reversed).
        PCMPEQB XMM6, XMM6
        PSRLQ XMM6, 0x20
        PSHUFD XMM7, XMM6, 0x1B
        // Mask, merge and shuffle the four vectors into their final word order. This
        // looks like the usual step that maps the SSE working layout back to the
        // linear 16-word block; the exact permutation is not checked here.
        MOVDQA XMM4, XMM0
        MOVDQA XMM5, XMM3
        PAND XMM0, XMM7
        PAND XMM4, XMM6
        PAND XMM3, XMM6
        PAND XMM5, XMM7
        POR XMM4, XMM5
        MOVDQA XMM5, XMM1
        PAND XMM1, XMM7
        PAND XMM5, XMM6
        POR XMM0, XMM5
        PAND XMM6, XMM2
        PAND XMM2, XMM7
        POR XMM1, XMM6
        POR XMM2, XMM3
        MOVDQA XMM5, XMM4
        MOVDQA XMM6, XMM0
        SHUFPD XMM4, XMM1, 0x2
        SHUFPD XMM0, XMM2, 0x2
        SHUFPD XMM1, XMM5, 0x2
        SHUFPD XMM2, XMM6, 0x2
        // Store the finished 64-byte block into the output buffer.
        MOVDQA XMMWORD PTR[EDI], XMM4
        MOVDQA XMMWORD PTR[EDI + 0x10], XMM0
        MOVDQA XMMWORD PTR[EDI + 0x20], XMM1
        MOVDQA XMMWORD PTR[EDI + 0x30], XMM2
    }
}
void DownItem(BYTE Pos, BYTE X, BYTE Y)
{
    // Build one client->server message, encrypt it with the client's own keystream
    // and push it onto the game socket directly, bypassing the UI and the game's
    // sender shown in the disassembly above. Because the same cipher state is used,
    // the bytes on the wire are indistinguishable from a message the game itself
    // would have sent; the transport layer therefore offers no defence against this.
    // What does catch it is the server refusing requests that are semantically
    // impossible for the session (item not held, illegal position, implausible rate)
    // and client-side integrity checks noticing the foreign module.
    //
    // Keystream bookkeeping (both values live in game memory and are modified here):
    //   temp   -> the 64-byte keystream block that salsa20() writes
    //   *index -> number of still-unused bytes, consumed from the END of the block,
    //             i.e. the unused bytes are temp + 0x40 - *index .. temp + 0x40
    // The message is 15 bytes: a 2-byte opcode (0x1B) followed by three 4-byte fields
    // carrying Pos, X and Y in their last byte, then one zero byte. The pick-up
    // builder in the listing above runs ntohs/ntohl over its fields, so this is
    // presumably network byte order - inferred, not verified here.
    CHAR Buff[] = { 00,0x1B,00,00,00,Pos,00,00,00,X,00,00,00,Y,00 };
    DWORD BuffSize = sizeof(Buff);
    SOCKET * sock = 0;
    // Pointer to the keystream block used for encryption.
    CHAR * temp = 0;
    // Pointer to the remaining-bytes counter.
    DWORD * index = 0;
    // Image base of the host executable (this DLL runs inside PathOfExile.exe).
    HMODULE hModule = GetModuleHandle(NULL);
    __asm
    {
        // Same offset chain as salsa20(): image base -> connection object.
        mov edi, hModule
        add edi, 0xFBBCD4
        mov edi, [edi]
        mov edi, [edi + 0x97C]
        mov edi, [edi + 0x471C]
        mov sock, edi                    // first DWORD of this object is the SOCKET
        mov esi, [edi + 0x98]
        add esi, 0xC
        mov eax, [esi + 0x10]
        mov temp, eax                    // keystream block
        lea eax, [esi + 0x14]
        mov index, eax                   // unused-byte counter
    }
    if (*index > BuffSize)
    {
        // Enough keystream left: XOR with the tail of the block and shrink the count.
        temp = (temp + 0x40) - *index;
        for (int i = 0; i < BuffSize; i++)
        {
            Buff[i] = Buff[i] ^ temp[i];
        }
        *index = *index - BuffSize;
    }
    else if (*index == BuffSize)
    {
        // Exactly enough left: use it all, then generate the next block so a full
        // 0x40 bytes are available to the next sender.
        temp = (temp + 0x40) - *index;
        for (int i = 0; i < BuffSize; i++)
        {
            Buff[i] = Buff[i] ^ temp[i];
        }
        *index = 0x40;
        salsa20();
    }
    else if (*index == 0)
    {
        // Block exhausted: generate a fresh one first, then use its first bytes.
        salsa20();
        for (int i = 0; i < BuffSize; i++)
        {
            Buff[i] = Buff[i] ^ temp[i];
        }
        *index = 0x40 - BuffSize;
    }
    else if (*index < BuffSize)
    {
        // Partially enough: finish the current block, generate the next one, and
        // take the remaining NextSize bytes from its start.
        int NextSize = BuffSize - *index;
        CHAR * temp1 = (temp + 0x40) - *index;
        for (int i = 0; i < *index; i++)
        {
            Buff[i] = Buff[i] ^ temp1[i];
        }
        salsa20();
        for (int i = 0; i < NextSize; i++)
        {
            Buff[i + *index] = Buff[i + *index] ^ temp[i];
        }
        *index = 0x40 - NextSize;
    }
    // Send on the game's own socket; the listing above shows the game's sender
    // pushing the same first DWORD of this object as the socket argument.
    send(*sock, Buff, BuffSize, 0);
}
DWORD WINAPI DllThread(LPVOID lpParam)
{
    // Worker thread started from DllMain. Polls the mouse side buttons every 200 ms:
    // while XBUTTON1 is down, one DownItem(1, 1, 1) message is sent per poll; the
    // first poll that sees XBUTTON2 down ends the loop and unloads this DLL.
    // lpParam is the DLL's own HMODULE, handed over by DllMain.
    while (!GetAsyncKeyState(VK_XBUTTON2))
    {
        if (GetAsyncKeyState(VK_XBUTTON1))
        {
            DownItem(1, 1, 1);
        }
        Sleep(200);
    }
    // Unloads the module and terminates this thread; it does not return, so the
    // `return 0` below is never reached.
    FreeLibraryAndExitThread((HMODULE)lpParam, 0);
    return 0;
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    // Entry point invoked by the loader once LoadLibraryA maps this DLL into the game.
    // On process attach it hands its own HMODULE to a new thread so the real work
    // happens outside the loader lock; the thread handle returned by CreateThread is
    // never closed. Other reasons (thread attach/detach, process detach) do nothing.
    // Always reports success, so the load never fails from here.
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, DllThread, hModule, 0, 0);
        break;
    default:
        break;
    }
    return TRUE;
}
分析视频下载:https://dwz.mn/eJKF |