Detailed cracking process of QQ Sixth Sense

Source: Internet
Author: User

Dream from 0kee

Load it in OllyDbg (OD). The entry point is obviously UPX:
0047AE50> $60 pushad
0047AE51. BE 00B04400 mov esi, 0044B000
0047AE56. 8DBE 0060FBFF lea edi, dword ptr [esi + FFFB6000]
0047AE5C. 57 push edi
0047AE5D. 83CD FF or ebp, FFFFFFFF
0047AE60. EB 10 jmp short 0047AE72
0047AE62 90 nop
0047AE63 90 nop
0047AE64 90 nop
0047AE65 90 nop
0047AE66 90 nop
0047AE67 90 nop
0047AE68> 8A06 mov al, byte ptr [esi]

Unpack with the simple ESP trick (hardware breakpoint on the dword at ESP right after the pushad, run until it breaks after the popad, follow the jump to the OEP and dump). The dumped program runs normally.
The program pops up a browser window on start. Remove that first:
load the dump in C32Asm and search for the string "open". Right next to it is the URL http://www.v2233.com/?399.
Fill it with 00 bytes and the window no longer appears.
Now patch the registration check.
Search the string references for the sentence from the nag box that just popped up,
"Thank you for using ......", and double-click it.
00406C88 E8 7FACFFFF call 0040190C // key CALL: E8 7FACFFFF from 00406C88 lands at 0040190C. Follow it in.
00406C8D 84C0 test al, al
00406C8F 75 13 jnz short 00406CA4 // patching this jump alone is useless, it only keeps the prompt from popping up
00406C91 6A 40 push 40
00406C93 68 BCDF4300 push 0043DFBC ; Welcome to register!
00406C98 68 A8DE4300 push 0043DEA8 ; Hello, thank you for using "QQ Sixth Sense". This software is shareware and you are using an unregistered version. The unregistered version's listener can only obtain the first five digits of a QQ number. After registration you can use all functions without restriction and receive all later versions free for life. For better use, and to support further development by the author, please register! Registered users can keep using the old version's registration code ..

Key CALL, followed in:
0040190C 51 push ecx
0040190D 56 push esi
0040190E 8BF1 mov esi, ecx
00401910 FF76 28 push dword ptr [esi + 28]
00401913 8D46 04 lea eax, dword ptr [esi + 4]
00401916 FF76 24 push dword ptr [esi + 24]
00401919 83EC 1C sub esp, 1C
0040191C 8BCC mov ecx, esp
0040191E 896424 28 mov dword ptr [esp + 28], esp
00401922 50 push eax
00401923 E8 C2FFFFFF call 004018EA
00401928 8BCE mov ecx, esi
0040192A E8 59FFFFFF call 00401888 // the result the caller tests in al comes from here
0040192F 5E pop esi
00401930 59 pop ecx
00401931 C3 retn // nothing but a retn after that CALL, so follow the CALL above to see the check.

Following that CALL ..........
00401888 6A 08 push 8
0040188A B8 DF814300 mov eax, 004381DF
0040188F E8 6D470200 call 00426001
00401894 8BF1 mov esi, ecx
00401896 8365 FC 00 and dword ptr [ebp-4], 0
0040189A 8D45 F0 lea eax, dword ptr [ebp-10]
0040189D 50 push eax
0040189E 8D45 EC lea eax, dword ptr [ebp-14]
004018A1 50 push eax
004018A2 83EC 1C sub esp, 1C
004018A5 8D45 08 lea eax, dword ptr [ebp + 8]
004018A8 8BCC mov ecx, esp
004018AA 8965 F0 mov dword ptr [ebp-10], esp
004018AD 50 push eax
004018AE E8 92FFFFFF call 00401845
004018B3 8BCE mov ecx, esi
004018B5 E8 8AFCFFFF call 00401544
004018BA 8B45 EC mov eax, dword ptr [ebp-14]
004018BD 3306 xor eax, dword ptr [esi]
004018BF 8B4D F0 mov ecx, dword ptr [ebp-10]
004018C2 33C8 xor ecx, eax
004018C4 3B45 24 cmp eax, dword ptr [ebp + 24] // first 32-bit comparison
004018C7 75 09 jnz short 004018D2 // mismatch: jump to where bl is cleared
004018C9 3B4D 28 cmp ecx, dword ptr [ebp + 28] // second 32-bit comparison
004018CC 75 04 jnz short 004018D2 // mismatch: jump to where bl is cleared
004018CE B3 01 mov bl, 1 // both matched: registered
004018D0 EB 02 jmp short 004018D4
004018D2 32DB xor bl, bl // bl cleared: not registered
004018D4 6A 00 push 0

Both comparisons have to hold for bl to become 1, and bl is what the caller ends up testing in al. Change both JNZ to JE (opcode byte 75 -> 74 at 004018C7 and 004018CC) and save.
Restart the program: the nag is gone and it behaves as registered, so the crack is complete.
Note that JE inverts the check rather than removing it: any code that fails both comparisons now passes, while a genuinely correct code would be rejected. Replacing the two jumps with NOPs (90 90) makes every input pass instead. Either patch belongs on the unpacked dump, not on the original UPX-packed file, where these bytes only exist in compressed form.
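To make the two file edits above reproducible outside a hex editor, here is a small patcher written for this page (an added example, not the original author's tooling). It works on the unpacked dump, maps the virtual addresses 004018C7 and 004018CC to file offsets through the PE section table, refuses to patch unless it finds the expected 75 opcode there, and zeroes the pop-up URL by searching for it. The exact form of the URL string, the image base (read from the header rather than assumed), and the constructed sample image used for the offline run, including where the URL sits in it, are assumptions.

```python
"""Patcher for the two edits above: zero the pop-up URL and turn the two
JNZ checks (75 xx) at 004018C7 / 004018CC into JE (74 xx).
Added example for this page, not the original author's tooling.  It works on
the unpacked dump and parses only the PE32 fields it needs (no pefile)."""
import struct

CHECK_VAS = (0x004018C7, 0x004018CC)          # the two jnz from the listing
NAG_URL = b"http://www.v2233.com/?399"        # assumed exact form of the string


def pe_sections(data):
    """Return (image_base, [(vaddr, vsize, raw_ptr, raw_size), ...]) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sh + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address to the file offset holding those bytes."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            if rva - vaddr >= raw_size:
                raise ValueError("VA %08X is not backed by file data" % va)
            return raw_ptr + (rva - vaddr)
    raise ValueError("VA %08X is not inside any section" % va)


def patch_jnz_to_je(data, vas):
    """Rewrite each short JNZ (opcode 75) at the given VAs to JE (opcode 74).
    Refuses to touch a byte that is not 75, so a wrong build or an already
    patched file is caught instead of silently corrupted."""
    out = bytearray(data)
    offsets = []
    for va in vas:
        off = va_to_offset(out, va)
        if out[off] != 0x75:
            raise ValueError("expected 75 (jnz) at %08X, found %02X" % (va, out[off]))
        out[off] = 0x74
        offsets.append(off)
    return bytes(out), offsets


def zero_string(data, needle):
    """Overwrite the first occurrence of needle with 00 bytes (the C32Asm step)."""
    off = data.find(needle)
    if off < 0:
        raise ValueError("string not found: %r" % needle)
    out = bytearray(data)
    out[off:off + len(needle)] = b"\0" * len(needle)
    return bytes(out), off


def build_sample_image():
    """Constructed minimal PE32 (one .text section) so the helpers can be run
    offline; the layout and byte placements are assumptions, not the real dump."""
    base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x400, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, base)                           # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va,
                       text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    img = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0"))
    img += bytes(text_size)
    # put the two jnz from the listing at their real VAs, and the URL at an assumed spot
    for va, insn in ((0x4018C7, b"\x75\x09"), (0x4018CC, b"\x75\x04")):
        off = text_raw + (va - base - text_va)
        img[off:off + len(insn)] = insn
    img[text_raw + 0x800:text_raw + 0x800 + len(NAG_URL)] = NAG_URL
    return bytes(img)


if __name__ == "__main__":
    import sys
    # usage: patch.py <unpacked dump> <output>
    raw = open(sys.argv[1], "rb").read()
    raw, url_off = zero_string(raw, NAG_URL)
    raw, offs = patch_jnz_to_je(raw, CHECK_VAS)
    open(sys.argv[2], "wb").write(raw)
    print("URL zeroed at %X, jumps patched at %s" % (url_off, ["%X" % o for o in offs]))
```

Run it against the dump and a copy, never the packed original; the opcode check is what stops you from writing 74 into the middle of UPX's compressed stream or into a differently built version of the program.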
