I am doing this in order to crack QQ and write QQ plug-ins.


/*
 * V1.0 01:30:20
 * @Author sunwang <sunwangme@hotmail.com>
 */
How do I obtain the uin shown in the tip box on the QQ bar?

When cqqbartipwndex pops up it displays the user's QQ number. Where does that number come from?
Pick a few member functions and the constructor to analyse, and try not to fall back on the old "offset + symbol" trick to fetch the number.

1. qqbaseclassindll!cqqbartipwndex::onsetcursor looks suspicious: cqqbartipwndex is the class the user actually sees, and the parameters of this function are the only suspicious thing about it.
1.1 bp qqbaseclassindll!cqqbartipwndex::onsetcursor
1.2 After the breakpoint hit it turned out that the function fires only when the mouse moves over the window and the cursor changes; by then the QQ number 10608384 (offline) was already on screen.
1.3 ecx = this; search for 10608384 in memory starting at ecx // <--------- 00a1df00
1.4 s -d ecx L200 0n10608384
/*
Breakpoint 0 hit
eax=029d09d0 ebx=10068407 ecx=029d09d0 edx=00000000 esi=02000001 edi=029d09d0
eip=10068407 esp=0012fb9c ebp=0012fc1c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
qqbaseclassindll!cqqbartipwndex::onsetcursor:
10068407 55              push    ebp
0:000> u
qqbaseclassindll!cqqbartipwndex::onsetcursor:
10068407 55              push    ebp
10068408 8bec            mov     ebp,esp
1006840a 83ec10          sub     esp,0x10
1006840d 53              push    ebx
1006840e 57              push    edi
1006840f 8bf9            mov     edi,ecx
10068411 ff152c110e10    call    dword ptr [qqbaseclassindll!coicqchecklistbox::getruntimeclass+0x13316 (100e112c)]
10068417 0fbfc8          movsx   ecx,ax
0:000> ? 0n10608384
Evaluate expression: 10608384 = 00a1df00   // <----------- 00a1df00
0:000> dd ecx
029d09d0  100e95e8 00000001 00000000
029d09e0  00000000 00000001 00000000 02418078
029d09f0  00010a30 00010a26 00000000 77d1d4ee
029d0a00  00000000 00000000 00000000
029d0a10  02b80f88 100e2780 00000001 00000000
029d0a20  00000000 00000000 00000001 00000000
029d0a30  02418078 00000000 00000000 00000000
029d0a40  00000000 00000000 00000000 00000000
0:000> dd
029d0a50  00000000 00000001 00000000
029d0a60  00000000 00000000 ffffffff ffffff
029d0a70  00 ffffff 00000000 00000000 00000000
029d0a80  00000000 00000000 00000000
029d0a90  baadf00d baadf00d baadf00d 00000000
029d0aa0  00000000 00000000 00000000 00000000
029d0ab0  00000000 baadf00d 00000000 000005ac
029d0ac0  00000000 00000000 00000000
0:000>
029d0ad0  100e2924 00000000 00000000 00000000
029d0ae0  00000000 00000000 00000000 baadf00d
029d0af0  baadf00d baadf00d baadf00d 00000000
029d0b00  00000001 00000000 00000000 00000000
029d0b10  00000000 00000000 00000000 00000000
029d0b20  00000001 00000000 00a1df00 00010657   // <---------- 00a1df00 at [ecx+158]; you can check m_var_158h in the constructor
029d0b30  ffffffff 029d0770 100e96a8 02ca2008
029d0b40  00000010 00000011 00000000 100e8fe8
0:000> db ecx+158
029d0b28  00 df a1 00 57 06 01 00-ff ff ff ff 70 07 9d 02  ....W.......p...   // <------ 00a1df00
029d0b38  a8 96 0e 10 08 20 ca 02-10 00 00 00 11 00 00 00  ..... ..........
029d0b48  00 00 00 00 e8 8f 0e 10-01 00 00 00 00 00 00 00  ................
029d0b58  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
029d0b68  78 80 41 02 2c 0a 01 00-00 00 00 00 00 00 00 00  x.A.,...........
029d0b78  c4 b3 d3 77 00 00 00 00-00 00 00 00 00 00 00 00  ...w............
029d0b88  00 00 00 00 00 00 00 00-00 00 00 00 58 1c d1 6b  ............X..k
029d0b98  00 00 00 00 00 00 00 00-38 1e 0e 10 21 0a 05 0c  ........8...!...
0:000> s -d ecx L200 0n10608384
029d0b28  00a1df00 00010657 ffffffff 029d0770  ....W.......p...
0:000> ? 029d0b28-ecx
Evaluate expression: 344 = 00000158   // 00a1df00 sits at [ecx+158]
*/
1.5 ba w4 ecx+158 to see who modifies that address, at some point after the constructor.
/* windbg
qqbaseclassindll!cdownloadinstalldlg::ondestroy+0xda1:
10065a80 c20400          ret     0x4   // <---------- the uin was modified just before this: a write breakpoint fires after the storing instruction, and windbg's nearest-symbol label is useless here, so read the code in IDA instead
10065a83 8b81b8030000    mov     eax,dword ptr [ecx+0x3b8]
10065a89 c3              ret
10065a8a 56              push    esi
10065a8b 8db180020000    lea     esi,[ecx+0x280]
10065a91 ff36            push    dword ptr [esi]
10065a93 ff158c100e10    call    dword ptr [qqbaseclassindll!coicqchecklistbox::getruntimeclass+0x13276 (100e108c)]
10065a99 85c0            test    eax,eax
*/
/* IDA
.text:10065A76 sub_10065A76    proc near               ; CODE XREF: cqqoutlookbar::settipdata(ulong)+4p
.text:10065A76
.text:10065A76 arg_0           = dword ptr  4
.text:10065A76
.text:10065A76                 mov     eax, [esp+arg_0]
.text:10065A7A                 mov     [ecx+3B8h], eax   ; <---------- the uin is written here. Haha, let's see whether this really is cqqoutlookbar::settipdata(ulong)
.text:10065A80                 retn    4
.text:10065A80 sub_10065A76    endp
*/
/*
.text:1007DAA2 ; Exported entry 3660. ?Settipdata@cqqoutlookbar@@QAEXK@Z
.text:1007DAA2
.text:1007DAA2 ; =============== S U B R O U T I N E =======================================
.text:1007DAA2
.text:1007DAA2
.text:1007DAA2 ; public: void __thiscall cqqoutlookbar::settipdata(unsigned long)
.text:1007DAA2                 public ?Settipdata@cqqoutlookbar@@QAEXK@Z
.text:1007DAA2 ?Settipdata@cqqoutlookbar@@QAEXK@Z proc near
.text:1007DAA2
.text:1007DAA2 arg_0           = dword ptr  4
.text:1007DAA2
.text:1007DAA2                 push    [esp+arg_0]
.text:1007DAA6                 call    sub_10065A76
.text:1007DAAB                 retn    4
.text:1007DAAB ?Settipdata@cqqoutlookbar@@QAEXK@Z endp
*/
1.6 From the analysis above, cqqoutlookbar::m_var_3b8h = uin, and cqqoutlookbar::settipdata(unsigned long) is actually an exported function, damn it;
hook it and you get the uin. Haha.
1.7 cqqbartipwndex is just a sub-object embedded in cqqoutlookbar. In that case, should we look at the constructor? I don't want to read any further. Boring.
1.8 Verify whether qqbaseclassindll!cqqoutlookbar::settipdata is called only when the tip is shown.
/*
0:000> .restart
CommandLine: "C:\program files\Tencent\QQ\qq.exe"
Symbol search path is: C:\Windows\system32;E:\Symbols
Executable search path is:
(cc4.f3c): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffde000 ecx=00000005 edx=00000020 esi=00241f48 edi=00241eb4
eip=7c921230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c921230 cc              int     3
0:000> bp qqbaseclassindll!cqqoutlookbar::settipdata
0:000> bl
 0 e 1007daa2     0001 (0001)  0:**** qqbaseclassindll!cqqoutlookbar::settipdata
0:000> g
Breakpoint 0 hit
eax=0012f5d8 ebx=029501c8 ecx=02950808 edx=00000000 esi=00000000 edi=00000001
eip=1007daa2 esp=0012eda4 ebp=0012f75c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
qqbaseclassindll!cqqoutlookbar::settipdata:
1007daa2 ff742404        push    dword ptr [esp+0x4]  ss:0023:0012eda8=00a1df00   // <--------- got the uin!!!!!
*/
1.9 Indeed, it is called only when cqqbartipwndex is shown, and there is only one such window. [Do it this way: take the value when the window is shown with SW_SHOWWINDOW;
when it is hidden the value is set to 0. If there is no need for yet another 2.x, 0x158 could be tracked instead, but 0x158 already lies outside cqqbartipwndex,
whose size is only 0x40 according to mfcspy2.
The next job is to analyse the suspicious void __thiscall callinonestatusbar::genstrshow(void).]

2. Summary
2.1 Since we can find the window handles of callinonedlg, cqqbartipwndex and cqqoutlookbar, we hope to find a member variable in these classes that stores the uin.
2.2 The difficulty lies in working out what ecx / esi is and where it comes from. Following member function -> constructor -> vtbl -> creation function, only at the creation function
can you know for certain what ecx is. Be sure to tell embedded member sub-objects apart: sometimes they share the same ecx / esi as the containing object, in which case
the offset is not an offset within the cqqbartipwndex object we want.
2.3 Because 0x158 is not inside cqqbartipwndex, give it up. Analysing cqqoutlookbar::settipdata shows that this+3b8h is the uin; when it is not in use
it may be zeroed, for example when the window is hidden with SW_HIDE. Check that this really is cqqoutlookbar.
2.4 Who calls the cqqoutlookbar constructor? Use IDA or windbg to analyse it:
cqqapplication::X -> cqqmapoutlookbar::cqqmapoutlookbar -> cqqoutlookbar::cqqoutlookbar -> cqqbartipwndex::cqqbartipwndex
/*
.text:1005B6BB                 lea     ecx, [ebx+260h]   ; 260 + 158 = 3b8
.text:1005B6C1                 mov     byte ptr [ebp-4], 9
.text:1005B6C5                 call    ??0cqqbartipwndex@@QAE@XZ   ; cqqbartipwndex::cqqbartipwndex(void)
*/
Here cqqmapoutlookbar and cqqoutlookbar share the same ecx, while cqqbartipwndex's ecx is that plus 260h: cqqbartipwndex is a
member variable of cqqoutlookbar. That also explains why cqqbartipwndex+158 = uin = cqqoutlookbar+3b8 works. Haha.
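As an added illustration (not part of the original post), the search-and-offset reasoning of steps 1.3 to 1.5 and 2.4 replayed in Python on a constructed memory image: the addresses, offsets and object size are the ones from the post, the object contents, the function names and the image layout are made up here, and resolve_member adds the check that a hit lying past sizeof(cqqbartipwndex) must belong to the containing cqqoutlookbar.

```python
import struct

# Addresses and offsets are the ones from the post; the object image itself is constructed.
UIN = 10608384                 # 0n10608384 == 0x00a1df00
BAR_THIS = 0x029D0770          # cqqoutlookbar `this` (the 029d0770 sitting next to the uin in the dump)
TIPWND_SUB_OFFSET = 0x260      # lea ecx,[ebx+260h] right before the cqqbartipwndex constructor call
TIPWND_SIZE = 0x40             # sizeof(cqqbartipwndex) as reported by mfcspy2
UIN_OFFSET_IN_BAR = 0x3B8      # mov [ecx+3B8h], eax inside settipdata

def build_image(base=BAR_THIS, size=0x400):
    """Constructed stand-in for the cqqoutlookbar object: zero filler plus the uin at +0x3b8."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, UIN_OFFSET_IN_BAR, UIN)
    struct.pack_into("<I", buf, UIN_OFFSET_IN_BAR + 4, 0x00010657)  # the neighbouring dword from the dump
    return base, bytes(buf)

def search_dword(image, start, length, value):
    """Like `s -d start L<length> 0n<value>`: dword-aligned hits inside [start, start+length)."""
    base, mem = image
    needle = struct.pack("<I", value)
    return [addr for addr in range(start, start + length, 4)
            if addr >= base and mem[addr - base:addr - base + 4] == needle]

def offset_from_this(addr, this_ptr):
    """`? addr-ecx`: the hit's offset relative to the object the search started from."""
    return addr - this_ptr

def resolve_member(offset, sub_offset, sub_size):
    """An offset measured from an embedded sub-object that is >= sizeof(sub-object) cannot be
    one of its members; translate it into the containing object. Returns (owner, offset)."""
    if 0 <= offset < sub_size:
        return "subobject", offset
    return "container", sub_offset + offset

def read_uin(image, this_ptr, offset):
    base, mem = image   # read the dword at this+offset, as a hook on settipdata's object would
    return struct.unpack_from("<I", mem, this_ptr + offset - base)[0]

def walk():
    """Steps 1.3 to 1.5 and 2.4 of the post replayed on the constructed image."""
    image = build_image()
    tipwnd_this = BAR_THIS + TIPWND_SUB_OFFSET             # 0x029d09d0, the ecx seen in onsetcursor
    hits = search_dword(image, tipwnd_this, 0x200, UIN)    # [0x029d0b28]
    rel = offset_from_this(hits[0], tipwnd_this)           # 0x158: past the 0x40-byte tip window
    owner, bar_off = resolve_member(rel, TIPWND_SUB_OFFSET, TIPWND_SIZE)  # ("container", 0x3b8)
    return hits, rel, owner, bar_off, read_uin(image, BAR_THIS, bar_off)

if __name__ == "__main__":
    print(walk())
```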

3. Solution
3.1 Decompile cqqbartipwndex::settipdata to get the m_uin offset, then get the base address when cqqmapoutlookbar (its RTC is cqqbarex) is registered, which gives the address of the uin.
If cqqmapoutlookbar has been subclassed and neither its wndclass nor its MFC RTC name can be found, you can instead set a breakpoint on cqqbartipwndex::onsetcursor, run
s -d ecx L200 <uin> to find the offset, and add it to the base address of cqqbartipwndex. The cqqbartipwndex base address is obtained by intercepting the window whose
wndclass = Afx:cqqapplication:3 and converting it to a CWnd.
