朱皮特的博客 自由的飞翔

可能是分析某游戏recieve的逆向代码

2009-09-02
朱皮特
sec
阅读量:

007950FF    56              push    esi
00795100    53              push    ebx
00795101    50              push    eax
00795102    57              push    edi
00795103    BE 01000000     mov     esi, 1
00795108    56              push    esi
00795109    68 DC6CE900     push    00E96CDC                                ; lua_dostring
0079510E    E8 1DFDFFFF     call    00794E30
00795113    83C4 14         add     esp, 14
00795116    8BC6            mov     eax, esi
00795118    5E              pop     esi
00795119    5F              pop     edi
0079511A    5B              pop     ebx
0079511B    C3              retn

////////////////////////////////////////////////////////////////////////////////////
007837F0    6A FF           push    -1
007837F2    68 38E9A900     push    00A9E938
007837F7    64:A1 00000000  mov     eax, dword ptr fs:[0]
007837FD    50              push    eax
007837FE    64:8925 0000000>mov     dword ptr fs:[0], esp
00783805    83EC 0C         sub     esp, 0C
00783808    55              push    ebp
00783809    8B6C24 24       mov     ebp, dword ptr [esp+24]
0078380D    56              push    esi
0078380E    57              push    edi
0078380F    8B7C24 28       mov     edi, dword ptr [esp+28]
00783813    8BF1            mov     esi, ecx
00783815    8B06            mov     eax, dword ptr [esi]
00783817    55              push    ebp
00783818    57              push    edi
00783819    897424 14       mov     dword ptr [esp+14], esi
0078381D    FF50 4C         call    dword ptr [eax+4C]
00783820    85C0            test    eax, eax
00783822    0F85 9C010000   jnz     007839C4
00783828    8B16            mov     edx, dword ptr [esi]
0078382A    53              push    ebx
0078382B    55              push    ebp
0078382C    8BCE            mov     ecx, esi
0078382E    FF52 18         call    dword ptr [edx+18]
00783831    8BD8            mov     ebx, eax
00783833    85DB            test    ebx, ebx
00783835    895C24 30       mov     dword ptr [esp+30], ebx
00783839    75 1A           jnz     short 00783855
0078383B    5B              pop     ebx
0078383C    5F              pop     edi
0078383D    5E              pop     esi
0078383E    B8 11000000     mov     eax, 11
00783843    5D              pop     ebp
00783844    8B4C24 0C       mov     ecx, dword ptr [esp+C]
00783848    64:890D 0000000>mov     dword ptr fs:[0], ecx
0078384F    83C4 18         add     esp, 18
00783852    C2 0C00         retn    0C
00783855    8B4424 34       mov     eax, dword ptr [esp+34]
00783859    A3 A4321501     mov     dword ptr [11532A4], eax
0078385E    892D F4575901   mov     dword ptr [15957F4], ebp
00783864    8B17            mov     edx, dword ptr [edi]
00783866    8BCF            mov     ecx, edi
00783868    FF52 18         call    dword ptr [edx+18]
0078386B    84C0            test    al, al
0078386D    0F84 32010000   je      007839A5
00783873    8B1D 04E7D800   mov     ebx, dword ptr [<&MSVCP71.std::cout>]   ; msvcp71.std::cout
00783879    8BCB            mov     ecx, ebx
0078387B    895C24 18       mov     dword ptr [esp+18], ebx
0078387F    66:C74424 14 0B>mov     word ptr [esp+14], 0B
00783886    FF15 28E8D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<wchar_t,std::char_traits<wchar_t> >::flush
0078388C    F605 9CD21601 0>test    byte ptr [116D29C], 1
00783893    75 1C           jnz     short 007838B1
00783895    8B0D 9CD21601   mov     ecx, dword ptr [116D29C]
0078389B    83C9 01         or      ecx, 1
0078389E    6A F5           push    -0B
007838A0    890D 9CD21601   mov     dword ptr [116D29C], ecx
007838A6    FF15 18E1D800   call    dword ptr [<&KERNEL32.GetStdHandle>]    ; kernel32.GetStdHandle
007838AC    A3 E0C71601     mov     dword ptr [116C7E0], eax
007838B1    68 F0000000     push    0F0
007838B6    6A 02           push    2
007838B8    B9 E0C71601     mov     ecx, 0116C7E0
007838BD    E8 4E73C9FF     call    0041AC10
007838C2    A1 00E7D800     mov     eax, dword ptr [<&MSVCP71.std::endl>]
007838C7    8B0D 04E7D800   mov     ecx, dword ptr [<&MSVCP71.std::cout>]   ; msvcp71.std::cout
007838CD    8B35 08E7D800   mov     esi, dword ptr [<&MSVCP71.??$?6U?$char_>; msvcp71.??$?6U?$char_traits@D@std@@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
007838D3    50              push    eax
007838D4    68 B42DE900     push    00E92DB4                                ; [tracerecievecmd]
007838D9    51              push    ecx
007838DA    C74424 30 00000>mov     dword ptr [esp+30], 0
007838E2    FFD6            call    esi
007838E4    83C4 08         add     esp, 8
007838E7    8BC8            mov     ecx, eax
007838E9    FF15 0CE7D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<wchar_t,std::char_traits<wchar_t> >::operator<<
007838EF    8B15 00E7D800   mov     edx, dword ptr [<&MSVCP71.std::endl>]   ; msvcp71.std::endl
007838F5    8B4424 34       mov     eax, dword ptr [esp+34]
007838F9    52              push    edx
007838FA    8B17            mov     edx, dword ptr [edi]
007838FC    50              push    eax
007838FD    68 C407D900     push    00D907C4
00783902    55              push    ebp
00783903    68 B4E3E800     push    00E8E3B4                                ;  cmd
00783908    8BCF            mov     ecx, edi
0078390A    FF52 04         call    dword ptr [edx+4]
0078390D    8BCF            mov     ecx, edi
0078390F    50              push    eax
00783910    8B07            mov     eax, dword ptr [edi]
00783912    68 08C1DB00     push    00DBC108                                ;  id
00783917    FF50 10         call    dword ptr [eax+10]
0078391A    8B0D 04E7D800   mov     ecx, dword ptr [<&MSVCP71.std::cout>]   ; msvcp71.std::cout
00783920    50              push    eax
00783921    51              push    ecx
00783922    FFD6            call    esi
00783924    83C4 08         add     esp, 8
00783927    50              push    eax
00783928    FFD6            call    esi
0078392A    83C4 08         add     esp, 8
0078392D    8BC8            mov     ecx, eax
0078392F    FF15 3CE6D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<char,std::char_traits<char> >::operator<<
00783935    50              push    eax
00783936    FFD6            call    esi
00783938    83C4 08         add     esp, 8
0078393B    8BC8            mov     ecx, eax
0078393D    FF15 84E5D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<char,std::char_traits<char> >::operator<<
00783943    50              push    eax
00783944    FFD6            call    esi
00783946    83C4 08         add     esp, 8
00783949    50              push    eax
0078394A    FFD6            call    esi
0078394C    83C4 08         add     esp, 8
0078394F    8BC8            mov     ecx, eax
00783951    FF15 0CE7D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<wchar_t,std::char_traits<wchar_t> >::operator<<
00783957    8BCB            mov     ecx, ebx
00783959    C74424 24 FFFFF>mov     dword ptr [esp+24], -1
00783961    FF15 28E8D800   call    dword ptr [<&MSVCP71.std::basic_ostream>; msvcp71.std::basic_ostream<wchar_t,std::char_traits<wchar_t> >::flush
00783967    F605 9CD21601 0>test    byte ptr [116D29C], 1
0078396E    75 1C           jnz     short 0078398C
00783970    8B0D 9CD21601   mov     ecx, dword ptr [116D29C]
00783976    83C9 01         or      ecx, 1
00783979    6A F5           push    -0B
0078397B    890D 9CD21601   mov     dword ptr [116D29C], ecx
00783981    FF15 18E1D800   call    dword ptr [<&KERNEL32.GetStdHandle>]    ; kernel32.GetStdHandle
00783987    A3 E0C71601     mov     dword ptr [116C7E0], eax
0078398C    68 F0000000     push    0F0
00783991    6A 0B           push    0B
00783993    B9 E0C71601     mov     ecx, 0116C7E0
00783998    E8 7372C9FF     call    0041AC10
0078399D    8B5C24 30       mov     ebx, dword ptr [esp+30]
007839A1    8B7424 10       mov     esi, dword ptr [esp+10]
007839A5    8B7C24 34       mov     edi, dword ptr [esp+34]
007839A9    57              push    edi
007839AA    8BCB            mov     ecx, ebx
007839AC    E8 5F1CFEFF     call    00765610
007839B1    8B76 78         mov     esi, dword ptr [esi+78]
007839B4    85F6            test    esi, esi
007839B6    74 09           je      short 007839C1
007839B8    57              push    edi
007839B9    55              push    ebp
007839BA    8BCE            mov     ecx, esi
007839BC    E8 FFD0FFFF     call    00780AC0
007839C1    33C0            xor     eax, eax
007839C3    5B              pop     ebx
007839C4    8B4C24 18       mov     ecx, dword ptr [esp+18]
007839C8    5F              pop     edi
007839C9    5E              pop     esi
007839CA    5D              pop     ebp
007839CB    64:890D 0000000>mov     dword ptr fs:[0], ecx
007839D2    83C4 18         add     esp, 18
007839D5    C2 0C00         retn    0C

返回上层:
00783740    53              push    ebx
00783741    8B5C24 08       mov     ebx, dword ptr [esp+8]
00783745    56              push    esi
00783746    57              push    edi
00783747    8B7C24 14       mov     edi, dword ptr [esp+14]
0078374B    8BF1            mov     esi, ecx
0078374D    8B06            mov     eax, dword ptr [esi]
0078374F    57              push    edi
00783750    53              push    ebx
00783751    FF50 50         call    dword ptr [eax+50]
00783754    85C0            test    eax, eax
00783756    75 10           jnz     short 00783768
00783758    8B4F 04         mov     ecx, dword ptr [edi+4]
0078375B    8B16            mov     edx, dword ptr [esi]
0078375D    8D47 08         lea     eax, dword ptr [edi+8]
00783760    50              push    eax
00783761    51              push    ecx
00783762    53              push    ebx
00783763    8BCE            mov     ecx, esi
00783765    FF52 10         call    dword ptr [edx+10]                      ; ClientGU.007837F0
00783768    5F              pop     edi
00783769    5E              pop     esi
0078376A    5B              pop     ebx
0078376B    C2 0800         retn    8

返回上层:
007773C0    6A FF           push    -1
007773C2    68 20D0A900     push    00A9D020
007773C7    64:A1 00000000  mov     eax, dword ptr fs:[0]
007773CD    50              push    eax
007773CE    64:8925 0000000>mov     dword ptr fs:[0], esp
007773D5    83EC 38         sub     esp, 38
007773D8    A1 B07C1501     mov     eax, dword ptr [1157CB0]
007773DD    53              push    ebx
007773DE    55              push    ebp
007773DF    56              push    esi
007773E0    8B7424 54       mov     esi, dword ptr [esp+54]
007773E4    57              push    edi
007773E5    8B7C24 5C       mov     edi, dword ptr [esp+5C]
007773E9    8B6F 08         mov     ebp, dword ptr [edi+8]
007773EC    894424 44       mov     dword ptr [esp+44], eax
007773F0    8B06            mov     eax, dword ptr [esi]
007773F2    57              push    edi
007773F3    8BCE            mov     ecx, esi
007773F5    FF50 40         call    dword ptr [eax+40]
007773F8    8B5D 04         mov     ebx, dword ptr [ebp+4]
007773FB    E8 800E0000     call    00778280
00777400    8978 04         mov     dword ptr [eax+4], edi
00777403    8930            mov     dword ptr [eax], esi
00777405    891D E0445901   mov     dword ptr [15944E0], ebx
0077740B    8B47 04         mov     eax, dword ptr [edi+4]
0077740E    8B16            mov     edx, dword ptr [esi]
00777410    55              push    ebp
00777411    50              push    eax                                     ; data
00777412    8BCE            mov     ecx, esi
00777414    C74424 58 00000>mov     dword ptr [esp+58], 0
0077741C    FF52 14         call    dword ptr [edx+14]                      ; !!
0077741F    8BD8            mov     ebx, eax
00777421    A1 A4B05701     mov     eax, dword ptr [157B0A4]
00777426    85C0            test    eax, eax
00777428    74 35           je      short 0077745F
0077742A    6A 01           push    1
0077742C    6A 64           push    64
0077742E    83C5 08         add     ebp, 8
00777431    55              push    ebp
00777432    68 7C12E900     push    00E9127C                                ; cmd.lua
00777437    8D4C24 24       lea     ecx, dword ptr [esp+24]
0077743B    E8 3042CBFF     call    0042B670
00777440    8B0D A4B05701   mov     ecx, dword ptr [157B0A4]
00777446    55              push    ebp
00777447    C64424 54 01    mov     byte ptr [esp+54], 1
0077744C    E8 9FE70100     call    00795BF0
00777451    8D4C24 14       lea     ecx, dword ptr [esp+14]
00777455    C64424 50 00    mov     byte ptr [esp+50], 0
0077745A    E8 8142CBFF     call    0042B6E0
0077745F    83FB 11         cmp     ebx, 11
00777462    75 37           jnz     short 0077749B
00777464    8B16            mov     edx, dword ptr [esi]
00777466    8BCE            mov     ecx, esi
00777468    FF52 0C         call    dword ptr [edx+C]
0077746B    85C0            test    eax, eax
0077746D    74 2C           je      short 0077749B
0077746F    8B06            mov     eax, dword ptr [esi]
00777471    8BCE            mov     ecx, esi
00777473    FF50 0C         call    dword ptr [eax+C]
00777476    8B17            mov     edx, dword ptr [edi]
00777478    8B4F 04         mov     ecx, dword ptr [edi+4]
0077747B    8BD8            mov     ebx, eax
0077747D    8B47 08         mov     eax, dword ptr [edi+8]
00777480    8B2B            mov     ebp, dword ptr [ebx]
00777482    52              push    edx
00777483    8B11            mov     edx, dword ptr [ecx]
00777485    50              push    eax
00777486    FF52 04         call    dword ptr [edx+4]
00777489    8BCB            mov     ecx, ebx
0077748B    50              push    eax
0077748C    FF55 00         call    dword ptr [ebp]
0077748F    F6D8            neg     al
00777491    1BC0            sbb     eax, eax
00777493    83E0 EB         and     eax, FFFFFFEB
00777496    83C0 15         add     eax, 15
00777499    8BD8            mov     ebx, eax
0077749B    8B06            mov     eax, dword ptr [esi]
0077749D    53              push    ebx
0077749E    8BCE            mov     ecx, esi
007774A0    FF50 44         call    dword ptr [eax+44]
007774A3    8D4C24 10       lea     ecx, dword ptr [esp+10]
007774A7    C74424 50 FFFFF>mov     dword ptr [esp+50], -1
007774AF    E8 0C0C0000     call    007780C0
007774B4    8B4C24 48       mov     ecx, dword ptr [esp+48]
007774B8    5F              pop     edi
007774B9    5E              pop     esi
007774BA    5D              pop     ebp
007774BB    64:890D 0000000>mov     dword ptr fs:[0], ecx
007774C2    8B4C24 38       mov     ecx, dword ptr [esp+38]
007774C6    8BC3            mov     eax, ebx
007774C8    5B              pop     ebx
007774C9    E8 41BD1600     call    008E320F
007774CE    83C4 44         add     esp, 44
007774D1    C2 0800         retn    8

Comments

Content