Dug this up today while tidying my computer; for reference only:
天龙八部 login account analysis
Load the game in OD (OllyDbg), set a breakpoint with bp send, enter the login account 11111 and password 11111. The game sends a packet to the server and the program breaks at 71A2428A, the entry of this function:
71A2428A > 8BFF MOV EDI,EDI
71A2428C 55 PUSH EBP
71A2428D 8BEC MOV EBP,ESP
71A2428F 83EC 10 SUB ESP,10
71A24292 56 PUSH ESI
71A24293 57 PUSH EDI
71A24294 33FF XOR EDI,EDI
71A24296 813D 2840A371 4>CMP DWORD PTR DS:[71A34028],ws2_32.71A29>
71A242A0 0F84 AD730000 JE ws2_32.71A2B653
The stack window shows:
0013FD48 0052EE8A /CALL to send from Game.0052EE85
0013FD4C 00000430 |Socket = 430
0013FD50 03553F48 |Data = 03553F48 // follow this in the data window
0013FD54 00000007 |DataSize = 7
0013FD58 00000004 \Flags = MSG_DONTROUTE
The data window shows:
03553F48 7B 01 01 00 00 7B 00 00 00 00 00 00 00 00 00 00 {..{..........
03553F58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Clear the breakpoint with bc send, then Alt+F9 to return to:
0052EE8A . 8BF0 MOV ESI,EAX
0052EE8C . 83FE FF CMP ESI,-1
0052EE8F . E9 39020000 JMP Game.0052F0CD
0052EE94 90 NOP
0052EE95 . E8 FCBF0300 CALL <JMP.&ws2_32.WSAGetLastError> ; [WSAGetLastError
Set a hardware breakpoint at 03553F49, press F9 to run, and execution stops at:
0052ADF9 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> breaks here
0052ADFB |. 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
0052ADFE |. 03C5 ADD EAX,EBP
0052AE00 |. 33D2 XOR EDX,EDX
0052AE02 |. F773 0C DIV DWORD PTR DS:[EBX+C]
0052AE05 |. 5F POP EDI
0052AE06 |. 5E POP ESI
0052AE07 |. 8BC5 MOV EAX,EBP
0052AE09 |. 5D POP EBP
0052AE0A |. 8953 18 MOV DWORD PTR DS:[EBX+18],EDX
0052AE0D |. 5B POP EBX
0052AE0E \. C2 0800 RETN 8    F4 to here, then F8
which leads to:
0052AE41 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; Game.005A13E0
0052AE43 |. 8BCE MOV ECX,ESI
0052AE45 |. FF52 18 CALL DWORD PTR DS:[EDX+18]
{
00500D10 . B8 5F000000 MOV EAX,5F
00500D15 . C3 RETN
}
0052AE48 |. 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4]
0052AE4C |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0052AE50 |. C1E1 18 SHL ECX,18
0052AE53 |. 81E2 FFFFFF00 AND EDX,0FFFFFF
0052AE59 |. 03CA ADD ECX,EDX
0052AE5B |. 81E1 000000FF AND ECX,FF000000
0052AE61 |. 03C8 ADD ECX,EAX
0052AE63 |. 6A 04 PUSH 4
0052AE65 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0052AE69 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0052AE6D |. 50 PUSH EAX
0052AE6E |. 8BCF MOV ECX,EDI
0052AE70 |. E8 DBFEFFFF CALL Game.0052AD50
0052AE75 |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
0052AE77 |. 57 PUSH EDI
0052AE78 |. 8BCE MOV ECX,ESI
0052AE7A |. FF52 0C CALL DWORD PTR DS:[EDX+C]
0052AE7D |. 5F POP EDI
0052AE7E |. 5E POP ESI
0052AE7F \. C2 0400 RETN 4
The full code is as follows:
0052AE20 /$ 56 PUSH ESI
0052AE21 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
0052AE25 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
0052AE27 |. 57 PUSH EDI
0052AE28 |. 8BF9 MOV EDI,ECX
0052AE2A |. 8BCE MOV ECX,ESI
0052AE2C |. FF50 14 CALL DWORD PTR DS:[EAX+14]
0052AE2F |. 6A 02 PUSH 2
0052AE31 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0052AE35 |. 51 PUSH ECX
0052AE36 |. 8BCF MOV ECX,EDI
0052AE38 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
{
0052AD50 /$ 53 PUSH EBX
0052AD51 |. 8BD9 MOV EBX,ECX
0052AD53 |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
0052AD56 |. 8B4B 18 MOV ECX,DWORD PTR DS:[EBX+18]
0052AD59 |. 3BC1 CMP EAX,ECX
0052AD5B |. 55 PUSH EBP
0052AD5C |. 77 0B JA SHORT Game.0052AD69
0052AD5E |. 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C]
0052AD61 |. 2BD1 SUB EDX,ECX
0052AD63 |. 8D4402 FF LEA EAX,DWORD PTR DS:[EDX+EAX-1]
0052AD67 |. EB 03 JMP SHORT Game.0052AD6C
0052AD69 |> 2BC1 SUB EAX,ECX
0052AD6B |. 48 DEC EAX
0052AD6C |> 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10]
0052AD70 |. 3BE8 CMP EBP,EAX
0052AD72 |. 72 16 JB SHORT Game.0052AD8A
0052AD74 |. 8BCD MOV ECX,EBP
0052AD76 |. 2BC8 SUB ECX,EAX
0052AD78 |. 41 INC ECX
0052AD79 |. 51 PUSH ECX
0052AD7A |. 8BCB MOV ECX,EBX
0052AD7C |. E8 2FFEFFFF CALL Game.0052ABB0
0052AD81 |. 85C0 TEST EAX,EAX
0052AD83 |. 75 05 JNZ SHORT Game.0052AD8A
0052AD85 |. 5D POP EBP
0052AD86 |. 5B POP EBX
0052AD87 |. C2 0800 RETN 8
0052AD8A |> 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
0052AD8D |. 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18]
0052AD90 |. 3BC2 CMP EAX,EDX
0052AD92 |. 56 PUSH ESI
0052AD93 |. 57 PUSH EDI
0052AD94 |. 77 4C JA SHORT Game.0052ADE2
0052AD96 |. 85C0 TEST EAX,EAX
0052AD98 |. 74 48 JE SHORT Game.0052ADE2
0052AD9A |. 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
0052AD9D |. 8B7B 08 MOV EDI,DWORD PTR DS:[EBX+8]
0052ADA0 |. 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
0052ADA4 |. 2BC2 SUB EAX,EDX
0052ADA6 |. 03FA ADD EDI,EDX
0052ADA8 |. 3BE8 CMP EBP,EAX
0052ADAA |. 77 0D JA SHORT Game.0052ADB9
0052ADAC |. 8BCD MOV ECX,EBP
0052ADAE |. 8BC1 MOV EAX,ECX
0052ADB0 |. C1E9 02 SHR ECX,2
0052ADB3 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0052ADB5 |. 8BC8 MOV ECX,EAX
0052ADB7 |. EB 3D JMP SHORT Game.0052ADF6
0052ADB9 |> 8BC8 MOV ECX,EAX
0052ADBB |. 8BD1 MOV EDX,ECX
0052ADBD |. C1E9 02 SHR ECX,2
0052ADC0 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0052ADC2 |. 8BCA MOV ECX,EDX
0052ADC4 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
0052ADC8 |. 83E1 03 AND ECX,3
0052ADCB |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
0052ADCD |. 8B7B 08 MOV EDI,DWORD PTR DS:[EBX+8]
0052ADD0 |. 8BCD MOV ECX,EBP
0052ADD2 |. 2BC8 SUB ECX,EAX
0052ADD4 |. 8D3410 LEA ESI,DWORD PTR DS:[EAX+EDX]
0052ADD7 |. 8BC1 MOV EAX,ECX
0052ADD9 |. C1E9 02 SHR ECX,2
0052ADDC |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0052ADDE |. 8BC8 MOV ECX,EAX
0052ADE0 |. EB 14 JMP SHORT Game.0052ADF6
0052ADE2 |> 8B7B 08 MOV EDI,DWORD PTR DS:[EBX+8]
0052ADE5 |. 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
0052ADE9 |. 03FA ADD EDI,EDX
0052ADEB |. 8BCD MOV ECX,EBP
0052ADED |. 8BD1 MOV EDX,ECX
0052ADEF |. C1E9 02 SHR ECX,2
0052ADF2 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0052ADF4 |. 8BCA MOV ECX,EDX
0052ADF6 |> 83E1 03 AND ECX,3
0052ADF9 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> breaks here
0052ADFB |. 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
0052ADFE |. 03C5 ADD EAX,EBP
0052AE00 |. 33D2 XOR EDX,EDX
0052AE02 |. F773 0C DIV DWORD PTR DS:[EBX+C]
0052AE05 |. 5F POP EDI
0052AE06 |. 5E POP ESI
0052AE07 |. 8BC5 MOV EAX,EBP
0052AE09 |. 5D POP EBP
0052AE0A |. 8953 18 MOV DWORD PTR DS:[EBX+18],EDX
0052AE0D |. 5B POP EBX
0052AE0E \. C2 0800 RETN 8
}
0052AE41 |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; Game.005A13E0
0052AE43 |. 8BCE MOV ECX,ESI
0052AE45 |. FF52 18 CALL DWORD PTR DS:[EDX+18]
{
00500D10 . B8 5F000000 MOV EAX,5F
00500D15 . C3 RETN
}
0052AE48 |. 0FB64E 04 MOVZX ECX,BYTE PTR DS:[ESI+4]
0052AE4C |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
0052AE50 |. C1E1 18 SHL ECX,18
0052AE53 |. 81E2 FFFFFF00 AND EDX,0FFFFFF
0052AE59 |. 03CA ADD ECX,EDX
0052AE5B |. 81E1 000000FF AND ECX,FF000000
0052AE61 |. 03C8 ADD ECX,EAX
0052AE63 |. 6A 04 PUSH 4
0052AE65 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0052AE69 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0052AE6D |. 50 PUSH EAX
0052AE6E |. 8BCF MOV ECX,EDI
0052AE70 |. E8 DBFEFFFF CALL Game.0052AD50    calls the encryption function
0052AE75 |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
0052AE77 |. 57 PUSH EDI
0052AE78 |. 8BCE MOV ECX,ESI
0052AE7A |. FF52 0C CALL DWORD PTR DS:[EDX+C]
{
0055D620 . 56 PUSH ESI
0055D621 . 57 PUSH EDI
0055D622 . 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
0055D626 . 8BF1 MOV ESI,ECX
0055D628 . 6A 32 PUSH 32
0055D62A . 8D46 08 LEA EAX,DWORD PTR DS:[ESI+8]
0055D62D . 50 PUSH EAX
0055D62E . 8BCF MOV ECX,EDI
0055D630 . E8 1BD7FCFF CALL Game.0052AD50
0055D635 . 6A 20 PUSH 20
0055D637 . 8D4E 3B LEA ECX,DWORD PTR DS:[ESI+3B]
0055D63A . 51 PUSH ECX
0055D63B . 8BCF MOV ECX,EDI
0055D63D . E8 0ED7FCFF CALL Game.0052AD50
0055D642 . 6A 04 PUSH 4
0055D644 . 8D56 5C LEA EDX,DWORD PTR DS:[ESI+5C]
0055D647 . 52 PUSH EDX
0055D648 . 8BCF MOV ECX,EDI
0055D64A . E8 01D7FCFF CALL Game.0052AD50
0055D64F . 6A 09 PUSH 9
0055D651 . 83C6 60 ADD ESI,60
0055D654 . 56 PUSH ESI
0055D655 . 8BCF MOV ECX,EDI
0055D657 . E8 F4D6FCFF CALL Game.0052AD50
0055D65C . 5F POP EDI
0055D65D . B8 01000000 MOV EAX,1
0055D662 . 5E POP ESI
0055D663 . C2 0400 RETN 4
}
0052AE7D |. 5F POP EDI
0052AE7E |. 5E POP ESI
0052AE7F \. C2 0400 RETN 4
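Reading the Game.0052AD50 listing above, the routine the annotation calls the encryption function behaves like an append into a ring buffer: [EBX+8] is the buffer base, [EBX+C] its capacity, [EBX+14] the read position and [EBX+18] the write position. It computes the free space (leaving one slot unused), calls Game.0052ABB0 when the request does not fit, copies the bytes with a wrap at the end of the buffer (the REP MOVSD / REP MOVSB pairs), and stores (write + length) mod capacity back into [EBX+18]. The Python below is an added model of that logic written for this page, not code from the game or from the poster; the field roles are my reading of the listing, and because Game.0052ABB0 is not shown on the page, `_grow` is a hypothetical stand-in for it.

```python
class RingBuffer:
    """Model of the append routine at Game.0052AD50, reconstructed from the
    OllyDbg listing (added example; field roles are an interpretation).
    Offsets refer to the object pointed to by EBX:
      +8 buffer base, +C capacity, +14 read position, +18 write position."""

    def __init__(self, capacity, read_pos=0, write_pos=0):
        self.buf = bytearray(capacity)   # [EBX+8]
        self.capacity = capacity         # [EBX+C]
        self.read_pos = read_pos         # [EBX+14]
        self.write_pos = write_pos       # [EBX+18]
        self.grow_calls = 0              # how often the grow path was taken

    def free_space(self):
        # 0052AD53..0052AD6B: one slot is always left unused.
        if self.read_pos > self.write_pos:
            return self.read_pos - self.write_pos - 1
        return self.capacity - self.write_pos + self.read_pos - 1

    def contents(self):
        """Bytes between read and write position, in order (helper, not in the listing)."""
        if self.write_pos >= self.read_pos:
            return bytes(self.buf[self.read_pos:self.write_pos])
        return bytes(self.buf[self.read_pos:] + self.buf[:self.write_pos])

    def _grow(self, extra):
        # Game.0052ABB0 is not on the page. This hypothetical stand-in moves the
        # data into a larger buffer (at least doubled) and reports success.
        old = self.contents()
        self.capacity += extra + self.capacity
        self.buf = bytearray(self.capacity)
        self.buf[:len(old)] = old
        self.read_pos, self.write_pos = 0, len(old)
        self.grow_calls += 1
        return True

    def append(self, data):
        n = len(data)                                  # EBP = [ESP+10]
        # 0052AD70: CMP EBP,EAX / JB -> grow when n >= free space
        if n >= self.free_space():
            if not self._grow(n - self.free_space() + 1):   # 0052AD7C
                return 0                                    # 0052AD85: early RETN
        r, w = self.read_pos, self.write_pos
        if r > w or r == 0:
            # 0052ADE2: the region ahead of the write position cannot wrap
            self.buf[w:w + n] = data
        else:
            tail = self.capacity - w                   # 0052ADA4: EAX = cap - write
            if n <= tail:
                self.buf[w:w + n] = data               # 0052ADAC: fits before the end
            else:
                self.buf[w:] = data[:tail]             # 0052ADB9: copy up to the end...
                self.buf[:n - tail] = data[tail:]      # ...then the remainder at offset 0
        # 0052ADFB..0052AE0A: write = (write + n) % capacity
        self.write_pos = (w + n) % self.capacity
        return n                                       # EAX = EBP


if __name__ == "__main__":
    rb = RingBuffer(16, read_pos=4, write_pos=12)
    rb.append(b"ABCDEF")                     # wraps: ABCD at 12..15, EF at 0..1
    print(rb.buf, rb.write_pos, rb.contents())
```

The wrap case is the one the hardware breakpoint at 03553F49 lands in: the REP MOVSB at 0052ADF9 is the byte tail of whichever copy branch was taken, so a write breakpoint on the buffer always stops there regardless of how the data was split.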
Data window:
03553F48 60 01 5F 00 00 7C 31 31 31 31 31 40 67 61 6D 65 `_..|11111@game
03553F58 2E 73 6F 68 75 2E 63 6F 6D 00 00 00 00 00 00 00 .sohu.com.......
03553F68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03553F78 00 00 00 00 00 00 00 00 62 30 62 61 65 65 39 64 ........b0baee9d
03553F88 32 37 39 64 33 34 66 61 31 64 66 64 37 31 61 61 279d34fa1dfd71aa
03553F98 64 62 39 30 38 63 33 66 06 20 00 00 00 00 00 00 db908c3f ......
b0baee9d279d34fa1dfd71aadb908c3f
62 30 62 61 65 65 39 64 32 37 39 64 33 34 66 61 31 64 66 64 37 31 61 61 64 62 39 30 38 63 33 66
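Putting the builder at 0052AE20, the body writer at 0055D620 and the data-window dump together gives the layout of the login packet: a 2-byte value returned by the packet's virtual method at vtable+14 (60 01 here), a 4-byte header whose low 24 bits hold the opcode returned by the vtable+18 call (5F) and whose top byte is the byte at packet+4 (7C), then 50 bytes of account name, 32 bytes of the password as an MD5 hex digest, a 4-byte field and a 9-byte field. The Python below is an added example written for this page (not the game's or the poster's code) that parses and rebuilds the captured bytes; the five bytes after 03553FA7 lie outside the rows shown and are assumed to be zero, and the field names are mine. The last function makes the security-relevant point explicit: the 32-character field is exactly MD5("11111"), an unsalted digest that is a password equivalent on the wire and falls to a dictionary lookup, so client-side hashing here does not protect the account.

```python
import hashlib
import struct

# Bytes from the post's data window at 03553F48 (constructed from the dump rows;
# the last five bytes of the 101-byte packet are not shown and are assumed zero).
CAPTURED_LOGIN_PACKET = bytes.fromhex(
    "60 01 5F 00 00 7C 31 31 31 31 31 40 67 61 6D 65 "
    "2E 73 6F 68 75 2E 63 6F 6D 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 62 30 62 61 65 65 39 64 "
    "32 37 39 64 33 34 66 61 31 64 66 64 37 31 61 61 "
    "64 62 39 30 38 63 33 66 06 20 00 00 00 00 00 00 "
) + b"\x00" * 5

LOGIN_OPCODE = 0x5F   # returned by the vtable+18 call (00500D10: MOV EAX,5F)
# Body fields in the order 0055D620 appends them: (name, length). The source
# offsets inside the packet object are +8, +3B, +5C and +60 respectively.
BODY_FIELDS = (("account", 0x32), ("password_md5", 0x20),
               ("field_5c", 4), ("field_60", 9))


def parse_packet(data):
    """Split a client packet the way 0052AE20 assembles it (added example)."""
    if len(data) < 6:
        raise ValueError("shorter than the 6-byte header")
    word0, header = struct.unpack_from("<HI", data, 0)
    pkt = {
        "word0": word0,               # 2 bytes from the vtable+14 call
        "opcode": header & 0xFFFFFF,  # 0052AE61: ADD ECX,EAX
        "flag": header >> 24,         # 0052AE48/0052AE50: byte at packet+4, SHL 18
        "body": bytes(data[6:]),
    }
    if pkt["opcode"] == LOGIN_OPCODE:
        pkt.update(parse_login_body(pkt["body"]))
    return pkt


def parse_login_body(body):
    """Fields in the order 0055D620 writes them (added example)."""
    expected = sum(n for _, n in BODY_FIELDS)
    if len(body) != expected:
        raise ValueError(f"login body is {len(body)} bytes, expected {expected}")
    fields, pos = {}, 0
    for name, n in BODY_FIELDS:
        fields[name] = bytes(body[pos:pos + n])
        pos += n
    # The text fields are NUL padded; the hash is 32 ASCII hex characters.
    fields["account"] = fields["account"].split(b"\x00", 1)[0].decode("ascii")
    fields["password_md5"] = fields["password_md5"].decode("ascii")
    fields["field_5c"] = struct.unpack("<I", fields["field_5c"])[0]
    return fields


def build_login_packet(word0, flag, account, password_md5, field_5c=0, field_60=b""):
    """Inverse of parse_packet for opcode 5F, mirroring 0052AE20 + 0055D620."""
    header = ((flag & 0xFF) << 24) | (LOGIN_OPCODE & 0xFFFFFF)   # 0052AE48..0052AE61
    body = (account.encode("ascii").ljust(0x32, b"\x00")
            + password_md5.encode("ascii").ljust(0x20, b"\x00")
            + struct.pack("<I", field_5c)
            + field_60.ljust(9, b"\x00"))
    return struct.pack("<HI", word0, header) + body


def password_is_unsalted_md5(parsed, candidate):
    """True when the 32-char field equals MD5(candidate) with no salt: the
    check that shows the client sends a plain digest of the password."""
    return parsed["password_md5"] == hashlib.md5(candidate.encode()).hexdigest()


if __name__ == "__main__":
    p = parse_packet(CAPTURED_LOGIN_PACKET)
    print(f"opcode={p['opcode']:#x} flag={p['flag']:#x} account={p['account']!r} "
          f"md5={p['password_md5']} field_5c={p['field_5c']:#x}")
    print("password field is MD5('11111'):", password_is_unsalted_md5(p, "11111"))
```

Because the parser and builder round-trip the captured bytes exactly, the same two functions can be dropped into a dissector for this traffic; on the detection side, a 32-character lowercase hex run at body offset 50 of an opcode 5F packet is the field to watch.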
03548CE4 E4 75 5A 00 7C 8C 54 03 48 3F 55 03 00 20 00 00 鋟Z.|孴H?U. ..
03548CF4 00 90 01 00 00 00 00 00 38 00 00 00 FF FF FF FF .?.....8...