吾爱汇编


[Original reverse-engineering writeup with images] Reverse analysis of 元气桌面

Posted by 白云点缀的蓝 on 2025-3-30 13:50

The cracking entry point is the PostMessageW function; the technique is an API breakpoint on PostMessage. There are two breakpoints, one on PostMessageA and the other on PostMessageW, and the breakpoint catches the pop-up window. I cracked it successfully using PostMessageW as the entry point. The disassembly of PostMessageW is as follows:

76AAF680 | 8BFF                   | mov edi,edi                       |
76AAF682 | 55                     | push ebp                          |
76AAF683 | 8BEC                   | mov ebp,esp                       |
76AAF685 | 53                     | push ebx                          |
76AAF686 | 8B5D 08                | mov ebx,dword ptr ss:[ebp+8]      |
76AAF689 | 57                     | push edi                          | edi:L"不支持此接口\r\n"
76AAF68A | 8B7D 0C                | mov edi,dword ptr ss:[ebp+C]      |
76AAF68D | 8BC7                   | mov eax,edi                       | edi:L"不支持此接口\r\n"
76AAF68F | 2D 45010000            | sub eax,145                       |
76AAF694 | 74 4C                  | je user32.76AAF6E2                |
76AAF696 | 83E8 48                | sub eax,48                        |
76AAF699 | 74 47                  | je user32.76AAF6E2                |
76AAF69B | 2D A6000000            | sub eax,A6                        |
76AAF6A0 | 75 3B                  | jne user32.76AAF6DD               |
76AAF6A2 | 56                     | push esi                          |
76AAF6A3 | 64:8B35 18000000       | mov esi,dword ptr fs:[18]         |
76AAF6AA | 50                     | push eax                          |
76AAF6AB | 53                     | push ebx                          |
76AAF6AC | FF15 64DBB476          | call dword ptr ds:[<NtUserQueryWi |
76AAF6B2 | 3B46 20                | cmp eax,dword ptr ds:[esi+20]     |
76AAF6B5 | 5E                     | pop esi                           |
76AAF6B6 | 74 20                  | je user32.76AAF6D8                |
76AAF6B8 | 8B45 10                | mov eax,dword ptr ss:[ebp+10]     |
76AAF6BB | 50                     | push eax                          |
76AAF6BC | 50                     | push eax                          |
76AAF6BD | FF15 F8D2B476          | call dword ptr ds:[<GlobalSize>]  |
76AAF6C3 | 50                     | push eax                          |
76AAF6C4 | 6A 49                  | push 49                           |
76AAF6C6 | 53                     | push ebx                          |
76AAF6C7 | E8 24480000            | call <user32.SendMessageW>        |
76AAF6CC | 8BC8                   | mov ecx,eax                       |
76AAF6CE | 85C9                   | test ecx,ecx                      |
76AAF6D0 | 75 23                  | jne user32.76AAF6F5               |
76AAF6D2 | 5F                     | pop edi                           | edi:L"不支持此接口\r\n"
76AAF6D3 | 5B                     | pop ebx                           |
76AAF6D4 | 5D                     | pop ebp                           |
76AAF6D5 | C2 1000                | ret 10                            |

Set the breakpoint, press F9 to run, and follow the call stack back into the program's own code: 0019F8DC 00458D18 返回到 kwallpaper.sub_458C70+A8 自 ???

The key section is as follows:

00458C70 | 55                     | push ebp                          |
00458C71 | 8BEC                   | mov ebp,esp                       |
00458C73 | 81EC 20020000          | sub esp,220                       |
00458C79 | A1 30536D00            | mov eax,dword ptr ds:[6D5330]     |
00458C7E | 33C5                   | xor eax,ebp                       |
00458C80 | 8945 F8                | mov dword ptr ss:[ebp-8],eax      |
00458C83 | 53                     | push ebx                          | ebx:PostMessageW
00458C84 | 56                     | push esi                          | esi:&"\tLE"
00458C85 | 8BF1                   | mov esi,ecx                       | esi:&"\tLE", ecx:sub_458DA3+21
00458C87 | 57                     | push edi                          |
00458C88 | 89B5 E8FDFFFF          | mov dword ptr ss:[ebp-218],esi    | [ebp-218]:&"\tLE"
00458C8E | E8 A3AFFFFF            | call <kwallpaper.sub_453C36>      |
00458C93 | 3945 08                | cmp dword ptr ss:[ebp+8],eax      |
00458C96 | 8B1D 30CA6200          | mov ebx,dword ptr ds:[<PostMessag | ebx:PostMessageW
00458C9C | 90                     | nop                               |
00458C9D | 90                     | nop                               |
00458C9E | 90                     | nop                               |
00458C9F | 90                     | nop                               |
00458CA0 | 90                     | nop                               |
00458CA1 | 90                     | nop                               |
00458CA2 | 33FF                   | xor edi,edi                       |
00458CA4 | 68 06020000            | push 206                          |
00458CA9 | 8D85 EEFDFFFF          | lea eax,dword ptr ss:[ebp-212]    |
00458CAF | 57                     | push edi                          |
00458CB0 | 50                     | push eax                          |
00458CB1 | 66:89BD ECFDFFFF       | mov word ptr ss:[ebp-214],di      |
00458CB8 | E8 65CD0E00            | call <JMP.&memset>                |
00458CBD | 83C4 0C                | add esp,C                         |
00458CC0 | 68 04010000            | push 104                          |
00458CC5 | 8D85 ECFDFFFF          | lea eax,dword ptr ss:[ebp-214]    |
00458CCB | 50                     | push eax                          |
00458CCC | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458CCF | FF15 8CC26200          | call dword ptr ds:[<GlobalGetAtom |
00458CD5 | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458CD8 | FF15 90C26200          | call dword ptr ds:[<GlobalDeleteA |
00458CDE | 8D85 ECFDFFFF          | lea eax,dword ptr ss:[ebp-214]    |
00458CE4 | 85C0                   | test eax,eax                      |
00458CE6 | 89BD E4FDFFFF          | mov dword ptr ss:[ebp-21C],edi    |
00458CEC | 74 0E                  | je kwallpaper.458CFC              |
00458CEE | 50                     | push eax                          |
00458CEF | 8DBD E4FDFFFF          | lea edi,dword ptr ss:[ebp-21C]    |
00458CF5 | E8 A9000000            | call <kwallpaper.sub_458DA3>      |
00458CFA | EB 02                  | jmp kwallpaper.458CFE             |
00458CFC | 33C0                   | xor eax,eax                       |
00458CFE | 85C0                   | test eax,eax                      |
00458D00 | 90                     | nop                               |
00458D01 | 90                     | nop                               |
00458D02 | E8 49AFFFFF            | call <kwallpaper.sub_453C50>      |
00458D07 | 8BBD E4FDFFFF          | mov edi,dword ptr ss:[ebp-21C]    |
00458D0D | 6A 00                  | push 0                            |
00458D0F | 57                     | push edi                          |
00458D10 | 50                     | push eax                          |
00458D11 | 68 FFFF0000            | push FFFF                         |
00458D16 | FFD3                   | call ebx                          | ebx:PostMessageW
00458D18 | E8 33AFFFFF            | call <kwallpaper.sub_453C50>      |
00458D1D | 8365 10 00             | and dword ptr ss:[ebp+10],0       |
00458D21 | 8945 08                | mov dword ptr ss:[ebp+8],eax      |
00458D24 | 897D 0C                | mov dword ptr ss:[ebp+C],edi      |
00458D27 | 837D 0C 02             | cmp dword ptr ss:[ebp+C],2        |
00458D2B | 90                     | nop                               |
00458D2C | 90                     | nop                               |
00458D2D | E8 8D440300            | call <kwallpaper.sub_48D1BF>      |
00458D32 | 68 2C996700            | push kwallpaper.67992C            | 67992C:"wp_userinfo_refresh_after_vip_s"
00458D37 | 33D2                   | xor edx,edx                       |
00458D39 | 68 4C996700            | push kwallpaper.67994C            | 67994C:"wp_userinfo"
00458D3E | 42                     | inc edx                           |
00458D3F | 8BC8                   | mov ecx,eax                       | ecx:sub_458DA3+21
00458D41 | E8 FF410300            | call <kwallpaper.sub_48CF45>      |
00458D46 | 69C0 E8030000          | imul eax,eax,3E8                  |
00458D4C | 33D2                   | xor edx,edx                       |
00458D4E | 52                     | push edx                          |
00458D4F | B9 99A14500            | mov ecx,<kwallpaper.sub_45A199>   | ecx:sub_458DA3+21, 45A199:"Q3腋櫋E"
00458D54 | 51                     | push ecx                          | ecx:sub_458DA3+21
00458D55 | 50                     | push eax                          |
00458D56 | 8B85 E8FDFFFF          | mov eax,dword ptr ss:[ebp-218]    | [ebp-218]:&"\tLE"
00458D5C | 83C6 68                | add esi,68                        | esi:&"\tLE"
00458D5F | E8 4B1A0000            | call <kwallpaper.sub_45A7AF>      |
00458D64 | 8BB5 E8FDFFFF          | mov esi,dword ptr ss:[ebp-218]    | [ebp-218]:&"\tLE"
00458D6A | EB 13                  | jmp kwallpaper.458D7F             |
00458D6C | E8 ABAEFFFF            | call <kwallpaper.sub_453C1C>      |
00458D71 | 3945 08                | cmp dword ptr ss:[ebp+8],eax      |
00458D74 | 75 09                  | jne kwallpaper.458D7F             |
00458D76 | 6A 01                  | push 1                            |
00458D78 | 8BFE                   | mov edi,esi                       | esi:&"\tLE"
00458D7A | E8 D1110000            | call <kwallpaper.sub_459F50>      |
00458D7F | FF75 10                | push dword ptr ss:[ebp+10]        |
00458D82 | FF75 0C                | push dword ptr ss:[ebp+C]         |
00458D85 | FF75 08                | push dword ptr ss:[ebp+8]         |
00458D88 | FFB6 98000000          | push dword ptr ds:[esi+98]        | esi+98:public: class std::_Init_locks & __thiscall std::_Init_locks::operator=(class std::_Init_locks const &)+1A5F15
00458D8E | FFD3                   | call ebx                          | ebx:PostMessageW
00458D90 | 8B4D F8                | mov ecx,dword ptr ss:[ebp-8]      | ecx:sub_458DA3+21
00458D93 | 5F                     | pop edi                           |
00458D94 | 5E                     | pop esi                           | esi:&"\tLE"
00458D95 | 33CD                   | xor ecx,ebp                       | ecx:sub_458DA3+21
00458D97 | 33C0                   | xor eax,eax                       |
00458D99 | 5B                     | pop ebx                           | ebx:PostMessageW
00458D9A | E8 55CC0E00            | call kwallpaper.5459F4            |
00458D9F | C9                     | leave                             |
00458DA0 | C2 0C00                | ret C                             |

Because the call sits in shared (reused) code, I could only modify the key jump; this is the key point for all of the PostMessageW calls, and after modifying it the crack succeeds.

Download:

Link: https://pan.baidu.com/s/1vJWpDywOei6oBejLYEXJiA?pwd=ztqw  Extraction code: ztqw
