
小技巧轻松解决线程发包找CALL堆栈返回相同数据教程。 [复制链接]

离线啊冲
 

只看楼主 倒序阅读 使用道具 楼主  发表于: 2016-08-28
----------------
魔鬼作坊
游戏辅助“禁技巧”分析技术揭秘中……
http://www.moguizuofang.com/bbs/
VIP会员办理唯一QQ:8643245
VIP模块办理唯一QQ:7189694
----------------
屏幕 1024*768  
小技巧轻松解决线程发包找CALL堆栈返回相同数据教程。
魔恩QQ:8643245
各位亲爱的朋友:
我们又在VIP绝密课程相会了,那么,这节课,我将与你分享小技巧轻松解决线程发包找CALL堆栈返回相同数据教程。

本课思路:仅用一个命令,轻松解决下封包断点找CALL时堆栈返回相同数据的问题。

具体操作技巧:

Bp send
6E9E38F1 > /77 73           ja      short 6E9E3966
6E9E38F3   |325F 33         xor     bl, byte ptr [edi+33]
6E9E38F6   |322E            xor     ch, byte ptr [esi]
6E9E38F8   |73 65           jnb     short 6E9E395F
6E9E38FA   |6E              outs    dx, byte ptr es:[edi]


64位系统:
bp ws2_32.send

0018FBDC   083E387D  /CALL 到 send 来自 client_n.083E387B
0018FBE0   00000454  |Socket = 454
0018FBE4   1A710020  |Data = 1A710020  //不变
0018FBE8   00000010  |DataSize = 10 (16.)
0018FBEC   00000000  \Flags = 0

打开NPC功能CALL
调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0018F704   083E387D   包含WS2_32.send                         client_n.083E387B
0018F73C   083E105C   client_n.083E2990                     client_n.083E1057

喊话功能CALL

调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0018EC58  083E387D   包含WS2_32.send                         client_n.083E387B
0018EC90  083E105C   client_n.083E2990                     client_n.083E1057





使用背包物品CALL
喊话CALL。









VIP绝密教程里下载这课学习:
卍解吧!不用bp_send类封包断点找CALL的各种通杀思路。
善者 慈悲心常在 无怨无恨 以苦为乐
默认压缩密码www.hifyl.com
文件分享密码问题:http://www.hifyl.com/read-htm-tid-4444.html
离线啊冲

只看该作者 沙发  发表于: 2016-08-28



使用背包物品CALL


调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0018F120   00630BC4   包含client_n.083E105C                   main_new.00630BC1             0018F11C
0018F140   0052E628   main_new.00630B91                     main_new.0052E623             0018F1E0
0018F1E4   0053E1DA   ? main_new.0052E371                   main_new.0053E1D5             0018F1E0   //测试成功


push 4
push 14200000
push 1c
push 14000e
call 004033c1
mov ecx,eax
call 00630b91
0018F1F0  0B 00 00 00                                      ...

0052E5DE    C745 FC 0700000>mov     dword ptr [ebp-4], 7
0052E5E5    FF15 101CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
0052E5EB    8D45 84         lea     eax, dword ptr [ebp-7C]
0052E5EE    6A 00           push    0
0052E5F0    50              push    eax
0052E5F1    C645 FC 08      mov     byte ptr [ebp-4], 8
0052E5F5    E8 8950EDFF     call    00403683
0052E5FA    8BC8            mov     ecx, eax
0052E5FC    C645 FC 07      mov     byte ptr [ebp-4], 7
0052E600    E8 F8450200     call    00552BFD
0052E605    8D4D 84         lea     ecx, dword ptr [ebp-7C]
0052E608  ^ E9 57FEFFFF     jmp     0052E464
0052E60D    FF75 14         push    dword ptr [ebp+14]               ; 堆栈 ss:[0018F1F4]=00000004
0052E610    8D45 10         lea     eax, dword ptr [ebp+10]
0052E613    50              push    eax
0052E614    FF75 0C         push    dword ptr [ebp+C]                ; 堆栈 ss:[0018F1EC]=0000001C
0052E617    68 0E001400     push    14000E
0052E61C    E8 A04DEDFF     call    004033C1
0052E621    8BC8            mov     ecx, eax
0052E623    E8 69251000     call    00630B91
0052E628    6A 01           push    1
0052E62A    6A 03           push    3
0052E62C    FF75 08         push    dword ptr [ebp+8]
0052E62F    E8 8D4DEDFF     call    004033C1
0052E634    8BC8            mov     ecx, eax
0052E636    E8 FC3D1000     call    00632437
0052E63B    C605 5C651401 0>mov     byte ptr [114655C], 1
0052E642    E8 E6D02000     call    0073B72D
0052E647    C2 1000         retn    10

C7 45 FC 07 00 00 00 FF 15 10 1C C0 00 8D 45 84 6A 00 50 C6 45 FC 08 E8 89 50 ED FF 8B C8 C6 45
FC 07 E8 F8 45 02 00 8D 4D 84 E9 57 FE FF FF FF 75 14 8D 45 10 50 FF 75 0C 68 0E 00 14 00 E8 A0
4D ED FF 8B C8 E8 69 25 10 00 6A 01 6A 03 FF 75 08 E8 8D 4D ED FF 8B C8 E8 FC 3D 10 00 C6 05 5C
65 14 01 01 E8 E6 D0 20 00 C2 10 00



代码注入器测试成功:
push 4
push 0b
push 1c
push 14000e
call 00403301
mov ecx,eax
call 0052e371


0053E19F    C645 FC 11      mov     byte ptr [ebp-4], 11
0053E1A3    E8 DB54ECFF     call    00403683
0053E1A8    8BC8            mov     ecx, eax
0053E1AA    C645 FC 10      mov     byte ptr [ebp-4], 10
0053E1AE    E8 4A4A0100     call    00552BFD
0053E1B3    8D4D BC         lea     ecx, dword ptr [ebp-44]
0053E1B6    834D FC FF      or      dword ptr [ebp-4], FFFFFFFF
0053E1BA    FF15 0C1CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
0053E1C0    E9 A0020000     jmp     0053E465
0053E1C5    6A 04           push    4
0053E1C7    FF75 58         push    dword ptr [ebp+58]               ; 堆栈 ss:[0018F520]=0000000B  堆栈 ss:[0018F520]=0000000C
0053E1CA    FF75 68         push    dword ptr [ebp+68]               ; 堆栈 ss:[0018F530]=0000001C  堆栈 ss:[0018F530]=0000001D
0053E1CD    57              push    edi                              ; edi=0014000E
0053E1CE    E8 2E51ECFF     call    00403301
0053E1D3    8BC8            mov     ecx, eax
0053E1D5    E8 9701FFFF     call    0052E371
0053E1DA    E9 86020000     jmp     0053E465                         ; 1
0053E1DF    8B4D 5C         mov     ecx, dword ptr [ebp+5C]
0053E1E2    FF15 8811C000   call    dword ptr [<&CEGUIBase.CEGUI::Wi>; CEGUIBas.CEGUI::Window::getID
0053E1E8    48              dec     eax
0053E1E9    83F8 64         cmp     eax, 64
0053E1EC    73 05           jnb     short 0053E1F3
0053E1EE    83C0 1A         add     eax, 1A
0053E1F1    EB 03           jmp     short 0053E1F6
0053E1F3    83C8 FF         or      eax, FFFFFFFF
0053E1F6    8B4D 54         mov     ecx, dword ptr [ebp+54]
0053E1F9    C681 CC000000 0>mov     byte ptr [ecx+CC], 1


C6 45 FC 11 E8 DB 54 EC FF 8B C8 C6 45 FC 10 E8 4A 4A 01 00 8D 4D BC 83 4D FC FF FF 15 0C 1C C0
00 E9 A0 02 00 00 6A 04 FF 75 58 FF 75 68 57 E8 2E 51 EC FF 8B C8 E8 97 01 FF FF E9 86 02 00 00
8B 4D 5C FF 15 88 11 C0 00 48 83 F8 64 73 05 83 C0 1A EB 03 83 C8 FF 8B 4D 54 C6 81 CC 00 00 00
01


====================================

喊话CALL

调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0018ECC8   00630BC4   包含client_n.083E105C                   main_new.00630BC1             0018ECC4
0018ECE8   0048664A   main_new.00630B91                     main_new.00486645             0018EFEC  //测试成功
0018F2B8   0048671D   ? main_new.004812EB                   main_new.00486718             0018EFEC
0018F394   004868E2   ? main_new.004866BE                   main_new.004868DD             0018F390


32637E38  30 30 30 30 30 30 30 30 C4 A7 B9 ED D7 F7 B7 BB  00000000魔鬼作坊
32637E48  B9 D2 D1 A7 3A 20 33 33 33 33 33 33 33 33 00 00  挂学: 33333333..



28182340  30 30 30 30 30 30 30 30 C4 A7 B9 ED D7 F7 B7 BB  00000000魔鬼作坊
28182350  B9 D2 D1 A7 3A 20 34 34 34 34 34 00              挂学: 44444.

30 30 30 30 30 30 30 30 C4 A7 B9 ED D7 F7 B7 BB B9 D2 D1 A7 3A 20 34 34 34 34 34 00


代码注入器测试成功:

push 1c    //长度
push 14200000
push 1
push 270000
call 004033c1
mov ecx,eax
call 00630b91

14200000  30 30 30 30 30 30 30 30 C4 A7 B9 ED D7 F7 B7 BB  00000000魔鬼作坊
14200010  B9 D2 D1 A7 3A 20 34 34 34 34 35 00 00 00 00 00  挂学: 44445.....




004865F4    50              push    eax
004865F5    FF75 D4         push    dword ptr [ebp-2C]
004865F8    68 33001400     push    140033
004865FD    E8 BFCDF7FF     call    004033C1
00486602    8BC8            mov     ecx, eax
00486604    E8 88A51A00     call    00630B91
00486609    889E 6E090000   mov     byte ptr [esi+96E], bl
0048660F    EB 39           jmp     short 0048664A
00486611    83BE E4010000 0>cmp     dword ptr [esi+1E4], 2
00486618    50              push    eax                              ; eax=0000001F  eax=0000001C
00486619    8D8D 10020000   lea     ecx, dword ptr [ebp+210]
0048661F    75 0B           jnz     short 0048662C                   ; 1
00486621    FF15 601CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00486627    50              push    eax
00486628    6A 02           push    2
0048662A    EB 0D           jmp     short 00486639                   ; call    dword ptr [C01C60]
0048662C    FF15 601CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00486632    50              push    eax
00486633    FFB6 E4010000   push    dword ptr [esi+1E4]              ; ds:[0AFAACD4]=00000001
00486639    68 00002700     push    270000
0048663E    E8 7ECDF7FF     call    004033C1
00486643    8BC8            mov     ecx, eax
00486645    E8 47A51A00     call    00630B91                         ; 喊话CALL
0048664A    8D8D 10020000   lea     ecx, dword ptr [ebp+210]         ; 1
00486650    C645 FC A1      mov     byte ptr [ebp-4], 0A1
00486654    FF15 0C1CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
0048665A    8D8D D8010000   lea     ecx, dword ptr [ebp+1D8]
00486660    C645 FC 0B      mov     byte ptr [ebp-4], 0B
00486664    FF15 0C1CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
0048666A    8D8D 8C020000   lea     ecx, dword ptr [ebp+28C]
00486670    C645 FC 0A      mov     byte ptr [ebp-4], 0A
00486674    FF15 0C1CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
0048667A    8D8D BCFEFFFF   lea     ecx, dword ptr [ebp-144]
00486680    885D FC         mov     byte ptr [ebp-4], bl
00486683    FF15 981AC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_istringstream<char,std::char_traits<char>,std::allocator<char> >::`vbase destructor'
00486689    834D FC FF      or      dword ptr [ebp-4], FFFFFFFF
0048668D    8D8D D0020000   lea     ecx, dword ptr [ebp+2D0]
00486693    FF15 0C1CC000   call    dword ptr [<&MSVCP80.std::basic_>; MSVCP80.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >
00486699    8B4D F4         mov     ecx, dword ptr [ebp-C]
0048669C    64:890D 0000000>mov     dword ptr fs:[0], ecx
004866A3    59              pop     ecx
004866A4    5F              pop     edi
004866A5    5E              pop     esi
004866A6    5B              pop     ebx
004866A7    8B8D C4020000   mov     ecx, dword ptr [ebp+2C4]
004866AD    33CD            xor     ecx, ebp
004866AF    E8 924F2B00     call    0073B646
004866B4    81C5 C8020000   add     ebp, 2C8
004866BA    C9              leave
004866BB    C2 1C00         retn    1C
004866BE    68 9C000000     push    9C
004866C3    B8 1BF97900     mov     eax, 0079F91B



50 FF 75 D4 68 33 00 14 00 E8 BF CD F7 FF 8B C8 E8 88 A5 1A 00 88 9E 6E 09 00 00 EB 39 83 BE E4
01 00 00 02 50 8D 8D 10 02 00 00 75 0B FF 15 60 1C C0 00 50 6A 02 EB 0D FF 15 60 1C C0 00 50 FF
B6 E4 01 00 00 68 00 00 27 00 E8 7E CD F7 FF 8B C8 E8 47 A5 1A 00 8D 8D 10 02 00 00 C6 45 FC A1
FF 15 0C 1C C0 00 8D 8D D8 01 00 00 C6 45 FC 0B FF 15 0C 1C C0 00 8D 8D 8C 02 00 00 C6 45 FC 0A
FF 15 0C 1C C0 00 8D 8D BC FE FF FF 88 5D FC FF 15 98 1A C0 00 83 4D FC FF 8D 8D D0 02 00 00 FF
15 0C 1C C0 00 8B 4D F4 64 89 0D 00 00 00 00 59 5F 5E 5B 8B 8D C4 02 00 00 33 CD E8 92 4F 2B 00
81 C5 C8 02 00 00 C9 C2 1C 00 68 9C 00 00 00 B8 1B F9 79 00

善者 慈悲心常在 无怨无恨 以苦为乐
默认压缩密码www.hifyl.com
文件分享密码问题:http://www.hifyl.com/read-htm-tid-4444.html