[原创] 【流放之路】明文发包分析

  [复制链接]
小俊 发表于 2018-4-22 22:22
本帖最后由 小俊 于 2018-5-7 18:50 编辑

; Send routine at 0163DB50 (thiscall, ESI = this). Fields read from this:
;   [ESI+0x124] bytes queued, [ESI+0x128] bytes already encrypted,
;   [ESI+0x138] buffer, [ESI+0x98] cipher object, [ESI] socket.
; The not-yet-encrypted tail (0x124 - 0x128) is passed to the cipher object's
; second vtable entry ([EDX+0x4]), 0x128 is then set equal to 0x124, and the
; whole buffer is handed to send(). Column annotations are the author's,
; translated to English.
0163DB50 | PUSH    EBP                        | plaintext send
0163DB51 | LEA     EBP,DWORD PTR [ESP-0x40]   |
0163DB55 | SUB     ESP,0x40                   |
0163DB58 | PUSH    0xFFFFFFFF                 |
0163DB5A | PUSH    <pathofexile.sub_1E53DDB>  |
0163DB5F | MOV     EAX,DWORD PTR FS:[0]       |
0163DB65 | PUSH    EAX                        |
0163DB66 | MOV     DWORD PTR FS:[0],ESP       |
0163DB6D | SUB     ESP,0x264                  |
0163DB73 | PUSH    EBX                        |
0163DB74 | PUSH    ESI                        |
0163DB75 | MOV     ESI,ECX                    |
0163DB77 | MOV     DWORD PTR [EBP+0x3C],0x0   |
0163DB7E | PUSH    EDI                        |
0163DB7F | MOV     EDI,DWORD PTR [ESI+0x124]  | packet size
0163DB85 | MOV     EBX,DWORD PTR [ESI+0x128]  |
0163DB8B | SUB     EDI,EBX                    |
0163DB8D | MOV     ECX,DWORD PTR [ESI+0x98]   |
0163DB93 | TEST    ECX,ECX                    |
0163DB95 | JE      pathofexile.163DBAA        |
0163DB97 | TEST    EDI,EDI                    |
0163DB99 | JE      pathofexile.163DBAA        |
0163DB9B | MOV     EAX,DWORD PTR [ESI+0x138]  |
0163DBA1 | MOV     EDX,DWORD PTR [ECX]        |
0163DBA3 | ADD     EAX,EBX                    |
0163DBA5 | PUSH    EDI                        | number of bytes to encrypt
0163DBA6 | PUSH    EAX                        | packet contents
0163DBA7 | CALL    DWORD PTR [EDX+0x4]        | encryption routine
0163DBAA | MOV     EAX,DWORD PTR [ESI+0x124]  | packet size
0163DBB0 | XOR     EDI,EDI                    |
0163DBB2 | MOV     DWORD PTR [ESI+0x128],EAX  | packet size
0163DBB8 | TEST    EAX,EAX                    | is the packet size zero
0163DBBA | JE      pathofexile.163DBF2        |
0163DBBC | MOV     EBX,DWORD PTR [<&send>]    |
0163DBC2 | MOV     ECX,DWORD PTR [ESI+0x138]  | packet contents
0163DBC8 | MOV     EAX,DWORD PTR [ESI+0x124]  | packet size
0163DBCE | PUSH    0x0                        |
0163DBD0 | SUB     EAX,EDI                    |
0163DBD2 | PUSH    EAX                        |
0163DBD3 | LEA     EAX,DWORD PTR [ECX+EDI]    | fetch packet contents
0163DBD6 | PUSH    EAX                        | packet contents buffer
0163DBD7 | PUSH    DWORD PTR [ESI]            | socket
0163DBD9 | CALL    EBX                        | send


; Pick-up-item handler at 01420F20 (thiscall, EBX = this, [EBP+0x8] = item id).
; The LOCK XADD pair at 01420F67/01420F76 decrements two counters and calls
; vtable slots 0 and 1 when they reach zero -- it looks like a shared_ptr
; control-block release of the object returned by sub_1281210. If [EAX+0x1990]
; != 0xF the request goes through 1411690 instead; otherwise a packet struct is
; built on the stack at EBP-0x34 (presumed vtable pointer, WORD id 0x19 at
; -0x30, location at -0x2C, item id at -0x28, guild byte at -0x24), passed
; together with the stream object [ESI+0x471C] to the encoder at 01AAFDF0
; (next listing, which reads the same +0x4/+0x8/+0xC/+0x10 fields), and the
; stream is then flushed via MySend. Column annotations are the author's,
; translated to English.
01420F20 | PUSH    EBP                        | pick up item
01420F21 | MOV     EBP,ESP                    |
01420F23 | PUSH    0xFFFFFFFF                 |
01420F25 | PUSH    <pathofexile.sub_1E3053C>  |
01420F2A | MOV     EAX,DWORD PTR FS:[0]       |
01420F30 | PUSH    EAX                        |
01420F31 | MOV     DWORD PTR FS:[0],ESP       |
01420F38 | SUB     ESP,0x2C                   | reserve stack space
01420F3B | PUSH    EBX                        |
01420F3C | PUSH    ESI                        |
01420F3D | MOV     EBX,ECX                    | this pointer
01420F3F | LEA     ECX,DWORD PTR [EBP-0x20]   |
01420F42 | PUSH    EDI                        | item ID
01420F43 | CALL    <pathofexile.sub_1281210>  | [EBP-0x20] [EBP-0x1C] get assigned
01420F48 | PUSH    ECX                        | SEH
01420F49 | LEA     ECX,DWORD PTR [EBP-0x18]   |
01420F4C | PUSH    ECX                        |
01420F4D | MOV     ECX,DWORD PTR [EAX]        | [EBP-0x20]
01420F4F | CALL    <pathofexile.sub_12885C0>  |
01420F54 | MOV     DWORD PTR [EBP-0x4],0x1    | set local variable 1
01420F5B | OR      EDI,0xFFFFFFFF             |
01420F5E | MOV     ESI,DWORD PTR [EBP-0x1C]   |
01420F61 | TEST    ESI,ESI                    |
01420F63 | JE      pathofexile.1420F84        |
01420F65 | MOV     EAX,EDI                    |
01420F67 | LOCK XADD    DWORD PTR [ESI+0x4],E |
01420F6C | JNE     pathofexile.1420F84        |
01420F6E | MOV     EAX,DWORD PTR [ESI]        |
01420F70 | MOV     ECX,ESI                    |
01420F72 | CALL    DWORD PTR [EAX]            |
01420F74 | MOV     EAX,EDI                    |
01420F76 | LOCK XADD    DWORD PTR [ESI+0x8],E |
01420F7B | JNE     pathofexile.1420F84        |
01420F7D | MOV     EAX,DWORD PTR [ESI]        |
01420F7F | MOV     ECX,ESI                    |
01420F81 | CALL    DWORD PTR [EAX+0x4]        |
01420F84 | MOV     BYTE PTR [EBP-0x4],0x0     | local variable 1 = 0
01420F88 | MOV     EAX,DWORD PTR [EBP-0x18]   |
01420F8B | CMP     DWORD PTR [EAX+0x1990],0xF |
01420F92 | JE      pathofexile.1420FB9        |
01420F94 | PUSH    ECX                        |
01420F95 | MOV     ECX,DWORD PTR [EBX+0x994]  |
01420F9B | PUSH    0xFFFFFFFF                 |
01420F9D | PUSH    0x0                        |
01420F9F | PUSH    0x0                        |
01420FA1 | PUSH    DWORD PTR [EBP+0x8]        |
01420FA4 | PUSH    DWORD PTR [EBX+0x8E8]      |
01420FAA | PUSH    DWORD PTR [EBX+0x8E4]      |
01420FB0 | PUSH    0x3                        |
01420FB2 | CALL    pathofexile.1411690        |
01420FB7 | JMP     pathofexile.1421001        |
01420FB9 | MOV     EAX,DWORD PTR [EBX+0x8E8]  | item location 0x1=inventory 0xC=flask slots 0x21=stash
01420FBF | MOV     ECX,0x19                   | packet id
01420FC4 | MOV     ESI,DWORD PTR [EBX+0x97C]  | EBX = this pointer
01420FCA | MOV     WORD PTR [EBP-0x30],CX     | packet id
01420FCE | MOV     DWORD PTR [EBP-0x34],<path |
01420FD5 | MOV     BYTE PTR [EBP-0x4],0x2     |
01420FD9 | LEA     ECX,DWORD PTR [EBP-0x34]   | packet base address
01420FDC | PUSH    DWORD PTR [ESI+0x471C]     |
01420FE2 | MOV     DWORD PTR [EBP-0x2C],EAX   | item location
01420FE5 | MOV     EAX,DWORD PTR [EBP+0x8]    | item ID
01420FE8 | MOV     DWORD PTR [EBP-0x28],EAX   | item ID
01420FEB | MOV     BYTE PTR [EBP-0x24],0x0    | guild flag
01420FEF | CALL    <pathofexile.拿起物品加密函数> |
01420FF4 | MOV     ECX,DWORD PTR [ESI+0x471C] |
01420FFA | PUSH    0x0                        |
01420FFC | CALL    <pathofexile.MySend>       |


; Packet encoder at 01AAFDF0 (thiscall, ECX = the packet struct built by the
; handler above, arg.1 = the stream object; RET 0x4 = one stack argument).
; Each field is byte-swapped with ntohs/ntohl (they are their own inverse, so
; this is effectively host-to-network order) and handed to
; sub_163DA30(ptr, size), which by its use here appears to append `size` bytes
; to the outgoing buffer that the send routine at 0163DB50 later encrypts and
; sends -- the two "???" calls transform the location and guild values first.
; Resulting wire layout: 2-byte id, 4-byte location, 4-byte item id, 1-byte
; guild flag, i.e. the same shape DownItem in the DLL below fills by hand.
; Column annotations are the author's, translated to English.
01AAFDF0 | PUSH    ECX                        | assemble pick-up-item packet
01AAFDF1 | PUSH    EBX                        |
01AAFDF2 | MOV     EBX,ECX                    | packet base address
01AAFDF4 | PUSH    EDI                        |
01AAFDF5 | MOVZX   EAX,WORD PTR [EBX+0x4]     | packet ID
01AAFDF9 | PUSH    EAX                        |
01AAFDFA | CALL    DWORD PTR [<&ntohs>]       | convert network byte order to host byte order
01AAFE00 | MOV     EDI,DWORD PTR [ESP+0x10]   | arg.1
01AAFE04 | MOV     ECX,EDI                    | this = arg.1
01AAFE06 | MOVZX   EAX,AX                     |
01AAFE09 | MOV     DWORD PTR [ESP+0x8],EAX    |
01AAFE0D | LEA     EAX,DWORD PTR [ESP+0x8]    |
01AAFE11 | PUSH    0x2                        | byte count
01AAFE13 | PUSH    EAX                        | packet id
01AAFE14 | CALL    <pathofexile.sub_163DA30>  |
01AAFE19 | PUSH    DWORD PTR [EBX+0x8]        | item location
01AAFE1C | MOV     ECX,DWORD PTR [EDI+0x58]   | arg.1 + 0x58 function address
01AAFE1F | CALL    <pathofexile.sub_1AB0310>  | ???
01AAFE24 | PUSH    EAX                        |
01AAFE25 | CALL    DWORD PTR [<&ntohl>]       | convert network byte order to host byte order
01AAFE2B | MOV     DWORD PTR [ESP+0x10],EAX   |
01AAFE2F | MOV     ECX,EDI                    | edi:Sleep
01AAFE31 | PUSH    0x4                        |
01AAFE33 | LEA     EAX,DWORD PTR [ESP+0x14]   |
01AAFE37 | PUSH    EAX                        |
01AAFE38 | CALL    <pathofexile.sub_163DA30>  |
01AAFE3D | PUSH    DWORD PTR [EBX+0xC]        | item ID
01AAFE40 | CALL    DWORD PTR [<&ntohl>]       | convert network byte order to host byte order
01AAFE46 | MOV     DWORD PTR [ESP+0x10],EAX   |
01AAFE4A | MOV     ECX,EDI                    | arg1
01AAFE4C | PUSH    0x4                        | size
01AAFE4E | LEA     EAX,DWORD PTR [ESP+0x14]   |
01AAFE52 | PUSH    EAX                        | item ID
01AAFE53 | CALL    <pathofexile.sub_163DA30>  |
01AAFE58 | MOVZX   EAX,BYTE PTR [EBX+0x10]    | guild flag
01AAFE5C | MOV     ECX,DWORD PTR [EDI+0x58]   | function address
01AAFE5F | PUSH    EAX                        | guild flag
01AAFE60 | CALL    <pathofexile.sub_1AB03A0>  | ???
01AAFE65 | MOV     BYTE PTR [ESP+0x10],AL     |
01AAFE69 | MOV     ECX,EDI                    |
01AAFE6B | PUSH    0x1                        |
01AAFE6D | LEA     EAX,DWORD PTR [ESP+0x14]   |
01AAFE71 | PUSH    EAX                        |
01AAFE72 | CALL    <pathofexile.sub_163DA30>  |
01AAFE77 | POP     EDI                        |
01AAFE78 | POP     EBX                        |
01AAFE79 | POP     ECX                        |
01AAFE7A | RET     0x4                        |

注入器
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string.h>

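/*
 * Injector entry point: find the target process by image name, write a DLL
 * name into it and start a remote thread at LoadLibraryA so the target loads
 * that DLL.
 *
 * Returns 0 on success, 1 when the process is not running or any step fails.
 * Every handle and the remote allocation are released on every exit path.
 * Fixes over the original: a missing target no longer falls through to
 * whatever PROCESSENTRY32 was last enumerated (which then opened an unrelated
 * process), API failures are checked, the wait uses INFINITE instead of -1,
 * and the remote region is released rather than merely decommitted.
 */
int main()
{
        int rc = 1;
        DWORD pid = 0;
        HANDLE hProcess = NULL;
        HANDLE hThread = NULL;
        LPVOID pRemoteAddress = NULL;

        // Name handed to LoadLibraryA inside the target. A relative name is
        // resolved against the *target's* DLL search order, not this program's
        // working directory, so an absolute path is the reliable choice.
        CHAR Path[] = "POE_DLL_TEST.dll";

        // Walk the process list and remember the first entry whose image name matches.
        HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
        {
                fprintf(stderr, "CreateToolhelp32Snapshot failed (%lu)\n", GetLastError());
                return 1;
        }
        PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
        if (Process32First(hProcessSnap, &pe32))
        {
                do
                {
                        if (!strcmp(pe32.szExeFile, "PathOfExile.exe"))
                        {
                                pid = pe32.th32ProcessID;
                                break;
                        }
                } while (Process32Next(hProcessSnap, &pe32));
        }
        CloseHandle(hProcessSnap);

        if (pid == 0)
        {
                fprintf(stderr, "PathOfExile.exe is not running\n");
                return 1;
        }

        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
        if (hProcess == NULL)
        {
                fprintf(stderr, "OpenProcess(%lu) failed (%lu)\n", pid, GetLastError());
                return 1;
        }

        // Room for the DLL name in the target (rounded up to a page by the kernel anyway).
        pRemoteAddress = VirtualAllocEx(hProcess, NULL, sizeof(Path), MEM_COMMIT, PAGE_READWRITE);
        if (pRemoteAddress == NULL)
        {
                fprintf(stderr, "VirtualAllocEx failed (%lu)\n", GetLastError());
                goto cleanup;
        }
        if (!WriteProcessMemory(hProcess, pRemoteAddress, Path, sizeof(Path), NULL))
        {
                fprintf(stderr, "WriteProcessMemory failed (%lu)\n", GetLastError());
                goto cleanup;
        }

        // LoadLibraryA takes exactly one pointer argument, which is why it can
        // serve directly as the thread start routine. This relies on kernel32
        // being mapped at the same address in the target, so a 32-bit injector
        // only works against a 32-bit target.
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                (LPTHREAD_START_ROUTINE)LoadLibraryA, pRemoteAddress, 0, NULL);
        if (hThread == NULL)
        {
                fprintf(stderr, "CreateRemoteThread failed (%lu)\n", GetLastError());
                goto cleanup;
        }

        // LoadLibraryA reads the name buffer, so it must finish before the buffer is freed.
        WaitForSingleObject(hThread, INFINITE);
        rc = 0;

cleanup:
        // MEM_RELEASE with size 0 returns the whole region; MEM_DECOMMIT would
        // leave the address-space reservation behind.
        if (pRemoteAddress != NULL)
        {
                VirtualFreeEx(hProcess, pRemoteAddress, 0, MEM_RELEASE);
        }
        if (hThread != NULL)
        {
                CloseHandle(hThread);
        }
        CloseHandle(hProcess);
        return rc;
}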


#include <Windows.h>
#pragma comment(lib,"ws2_32.lib")

/*
 * Regenerates the game's current Salsa20 keystream block in place.
 *
 * The pointer chase at the top walks from the module base through the game's
 * own objects to two addresses: EDI = the 64-byte keystream output block (the
 * same block DownItem reads as `temp`) and ESI = the 64-byte cipher state.
 * The offsets are those of the 2018 build analysed in this post and will not
 * match a later build; nothing checks that any pointer on the way is non-NULL,
 * so a stale offset faults inside the asm block.
 *
 * The loop is the SSE2 Salsa20 core: four quarter-round steps using the
 * 7/9/13/18 rotations (each written as a PSLLD/PSRLD pair), a PSHUFD
 * re-diagonalisation between the two halves of each double-round, repeated
 * 20/2 = 10 times. Afterwards the input state is added back (PADDD), the two
 * words at state+0x20 / state+0x14 are advanced as a 64-bit counter (ADD then
 * ADC), and the PAND/POR/SHUFPD sequence permutes the lanes back into output
 * word order before the four MOVDQA stores.
 *
 * NOTE(review): MOVDQA requires both buffers to be 16-byte aligned.
 * Clobbers XMM0-XMM7 without saving them; presumably acceptable in 32-bit
 * code where no XMM register is callee-saved.
 */
void salsa20()
{
	// Module base of PathOfExile.exe; every offset below is relative to it.
	HMODULE hModule = GetModuleHandle(NULL);

	__asm
	{
		MOV EDI, hModule
		ADD EDI, 0xFBBCD4
		MOV EDI, [EDI]
		MOV EDI, [EDI + 0x97C]
		MOV EDI, [EDI + 0x471C]
		MOV EDI, [EDI + 0x98]
		ADD EDI, 0xC
		MOV ESI, EDI
		MOV EDI, [EDI + 0x10]          ; EDI = 64-byte keystream block (DownItem's temp)
		ADD ESI, 0x1C
		ADD ESI, 0x8
		MOV ESI, [ESI + 0x54]          ; ESI = cipher state (16 x 32-bit words)
		MOVDQA  XMM0, XMMWORD PTR[ESI]
		MOVDQA  XMM1, XMMWORD PTR[ESI + 0x10]
		MOVDQA  XMM2, XMMWORD PTR[ESI + 0x20]
		MOVDQA  XMM3, XMMWORD PTR[ESI + 0x30]
		MOV     EBX,  20               ; 20 rounds, consumed two per iteration
		MY_LOOP:
		MOVDQA  XMM4, XMM3             ; first half: rotations 7, 9, 13, 18
		PADDD   XMM4, XMM0
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x7
		PSRLD   XMM5, 0x19
		PXOR    XMM1, XMM4
		PXOR    XMM1, XMM5
		MOVDQA  XMM4, XMM0
		PADDD   XMM4, XMM1
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x9
		PSRLD   XMM5, 0x17
		PXOR    XMM2, XMM4
		PXOR    XMM2, XMM5
		MOVDQA  XMM4, XMM1
		PADDD   XMM4, XMM2
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0xD
		PSRLD   XMM5, 0x13
		PXOR    XMM3, XMM4
		PXOR    XMM3, XMM5
		MOVDQA  XMM4, XMM2
		PADDD   XMM4, XMM3
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x12
		PSRLD   XMM5, 0xE
		PXOR    XMM0, XMM4
		PXOR    XMM0, XMM5
		PSHUFD  XMM1, XMM1, 0x93       ; re-diagonalise for the second half
		PSHUFD  XMM2, XMM2, 0x4E
		PSHUFD  XMM3, XMM3, 0x39
		MOVDQA  XMM4, XMM1             ; second half: same rotations, other diagonal
		PADDD   XMM4, XMM0
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x7
		PSRLD   XMM5, 0x19
		PXOR    XMM3, XMM4
		PXOR    XMM3, XMM5
		MOVDQA  XMM4, XMM0
		PADDD   XMM4, XMM3
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x9
		PSRLD   XMM5, 0x17
		PXOR    XMM2, XMM4
		PXOR    XMM2, XMM5
		MOVDQA  XMM4, XMM3
		PADDD   XMM4, XMM2
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0xD
		PSRLD   XMM5, 0x13
		PXOR    XMM1, XMM4
		PXOR    XMM1, XMM5
		MOVDQA  XMM4, XMM2
		PADDD   XMM4, XMM1
		MOVDQA  XMM5, XMM4
		PSLLD   XMM4, 0x12
		PSRLD   XMM5, 0xE
		PXOR    XMM0, XMM4
		PXOR    XMM0, XMM5
		PSHUFD  XMM1, XMM1, 0x39       ; undo the diagonalisation
		PSHUFD  XMM2, XMM2, 0x4E
		PSHUFD  XMM3, XMM3, 0x93
		SUB     EBX, 0x2
		JNE     MY_LOOP
		PADDD   XMM0, XMMWORD PTR[ESI]  ; add the input state back
		PADDD   XMM1, XMMWORD PTR[ESI + 0x10]
		PADDD   XMM2, XMMWORD PTR[ESI + 0x20]
		PADDD   XMM3, XMMWORD PTR[ESI + 0x30]
		ADD     DWORD PTR[ESI + 0x20], 0x1  ; advance the 64-bit block counter
		ADC     DWORD PTR[ESI + 0x14], 0x0
		PCMPEQB XMM6, XMM6             ; XMM6 = low-dword mask, XMM7 = high-dword mask
		PSRLQ   XMM6, 0x20
		PSHUFD  XMM7, XMM6, 0x1B
		MOVDQA  XMM4, XMM0             ; lane permutation back to output word order
		MOVDQA  XMM5, XMM3
		PAND    XMM0, XMM7
		PAND    XMM4, XMM6
		PAND    XMM3, XMM6
		PAND    XMM5, XMM7
		POR     XMM4, XMM5
		MOVDQA  XMM5, XMM1
		PAND    XMM1, XMM7
		PAND    XMM5, XMM6
		POR     XMM0, XMM5
		PAND    XMM6, XMM2
		PAND    XMM2, XMM7
		POR     XMM1, XMM6
		POR     XMM2, XMM3
		MOVDQA  XMM5, XMM4
		MOVDQA  XMM6, XMM0
		SHUFPD  XMM4, XMM1, 0x2
		SHUFPD  XMM0, XMM2, 0x2
		SHUFPD  XMM1, XMM5, 0x2
		SHUFPD  XMM2, XMM6, 0x2
		MOVDQA  XMMWORD PTR[EDI], XMM4  ; write the 64-byte keystream block
		MOVDQA  XMMWORD PTR[EDI + 0x10], XMM0
		MOVDQA  XMMWORD PTR[EDI + 0x20], XMM1
		MOVDQA  XMMWORD PTR[EDI + 0x30], XMM2
	}
}

/*
 * Builds, encrypts and sends one 15-byte packet (id 0x001B) on the game's own
 * socket, consuming the game's Salsa20 keystream. "DownItem" is presumably the
 * put-down counterpart of the pick-up packet (id 0x19) in the disassembly
 * above; the field layout (16-bit id, three 32-bit big-endian fields, one
 * byte) mirrors what the encoder at 01AAFDF0 produces via ntohs/ntohl.
 *
 * Pos, X, Y: item location and grid coordinates, each stored as the low byte
 *            of a big-endian 32-bit field.
 *
 * Keystream bookkeeping, all reached through hard-coded offsets of the 2018
 * build (a later build will not match, and the pointer chase is unchecked):
 *   temp   : the current 64-byte keystream block
 *   *index : unused bytes remaining in that block, so the next unused byte is
 *            temp + 0x40 - *index; when the block is used up salsa20()
 *            produces the next one.
 *
 * NOTE(review): this runs on DllThread while the game thread keeps using the
 * same cipher state; nothing serialises the two, so a concurrent game send
 * would desynchronise the stream. The send() return value is not checked.
 */
void DownItem(BYTE Pos, BYTE X, BYTE Y)
{
	// Packet image: id 0x001B, then Pos, X, Y as big-endian DWORDs, then one zero byte.
	CHAR Buff[] = { 00,0x1B,00,00,00,Pos,00,00,00,X,00,00,00,Y,00 };

	DWORD BuffSize = sizeof(Buff);

	// Points at the game's stream object; its first DWORD is the SOCKET.
	SOCKET * sock = 0;

	// Current 64-byte keystream block (same block salsa20() writes).
	CHAR * temp = 0;

	// Unused bytes left in that block.
	DWORD * index = 0;

	// Module base of PathOfExile.exe; every offset below is relative to it.
	HMODULE hModule = GetModuleHandle(NULL);
	__asm
	{
		mov edi, hModule
		add edi, 0xFBBCD4
		mov edi, [edi]
		mov edi, [edi + 0x97C]
		mov edi, [edi + 0x471C]
		mov sock, edi            ; the object the game passes to MySend

		mov esi, [edi + 0x98]
		add esi, 0xC
		mov eax, [esi + 0x10]
		mov temp, eax            ; keystream block
		lea eax, [esi + 0x14]
		mov index, eax           ; remaining-bytes counter
	}

	// Enough keystream left in the current block: XOR and consume.
	if (*index > BuffSize)
	{
		temp = (temp + 0x40) - *index;
		for (int i = 0; i < BuffSize; i++)
		{
			Buff[i] = Buff[i] ^ temp[i];
		}
		*index = *index - BuffSize;
	}
	// Exactly exhausts the block: XOR, then prepare a fresh full block.
	else if (*index == BuffSize)
	{
		temp = (temp + 0x40) - *index;
		for (int i = 0; i < BuffSize; i++)
		{
			Buff[i] = Buff[i] ^ temp[i];
		}
		*index = 0x40;
		salsa20();
	}
	// Block already used up: generate a new one, then XOR from its start.
	else if (*index == 0)
	{
		salsa20();
		for (int i = 0; i < BuffSize; i++)
		{
			Buff[i] = Buff[i] ^ temp[i];
		}
		*index = 0x40 - BuffSize;
	}
	// Packet straddles a block boundary: use the tail of this block, then the
	// head of the next.
	else if (*index < BuffSize)
	{
		int NextSize = BuffSize - *index;
		CHAR * temp1 = (temp + 0x40) - *index;
		for (int i = 0; i < *index; i++)
		{
			Buff[i] = Buff[i] ^ temp1[i];
		}
		salsa20();
		for (int i = 0; i < NextSize; i++)
		{
			Buff[i + *index] = Buff[i + *index] ^ temp[i];
		}
		*index = 0x40 - NextSize;
	}
	send(*sock, Buff, BuffSize, 0);
}

/*
 * Worker thread body. Polls the mouse side buttons every 200 ms: while
 * XBUTTON1 reads as pressed, one DownItem(1, 1, 1) is issued per poll;
 * XBUTTON2 ends the loop, after which the DLL unmaps itself.
 * lpParam is the module handle handed over by DllMain.
 */
DWORD WINAPI DllThread(LPVOID lpParam)
{
	HMODULE self = (HMODULE)lpParam;

	for (;;)
	{
		if (GetAsyncKeyState(VK_XBUTTON2))
		{
			break;
		}
		if (GetAsyncKeyState(VK_XBUTTON1))
		{
			DownItem(1, 1, 1);
		}
		Sleep(200);
	}

	// Does not return: unloads this module and terminates the calling thread.
	FreeLibraryAndExitThread(self, 0);
	return 0;
}

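/*
 * DLL entry point. On process attach it starts the worker thread and hands it
 * the module handle so the worker can unload the DLL when it finishes.
 * All other reasons are ignored. Always returns TRUE.
 *
 * Fix over the original: the HANDLE returned by CreateThread was dropped
 * without CloseHandle, leaking one kernel object per attach.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
	(void)lpReserved;

	if (dwReason == DLL_PROCESS_ATTACH)
	{
		// The handle is only needed to release it; the thread keeps running.
		HANDLE hThread = CreateThread(NULL, 0, DllThread, hModule, 0, NULL);
		if (hThread != NULL)
		{
			CloseHandle(hThread);
		}
	}
	return TRUE;
}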


分析视频下载:https://dwz.mn/eJKF


二娃 发表于 2018-4-22 22:34
感谢楼主分享
lijun9088 发表于 2018-4-22 22:37
一片小朵朵 发表于 2018-4-22 22:38
枷锁 发表于 2018-4-22 22:41 来自手机
怎么弄得怎么评论啥的都带一道杠
a425869651 发表于 2018-4-22 22:47
被T10虐得不要不要的
gunxsword 发表于 2018-4-22 22:52
厉害厉害,这代码一看就6666
jmpengbo 发表于 2018-4-22 22:58
谢谢分享
hairch 发表于 2018-4-22 23:07
非常感谢楼主的分享!支持...
shghe 发表于 2018-4-22 23:37
虽然看不懂是什么,不过感觉好厉害的样子