传奇2的数据传输
7000端口
send 'mri152'
recv 收到的是1串《5454564564》之类的数字形字符串
以下通用声明段
.data?
; Uninitialised buffers shared by _repne1 / _yongh / _yongh2 below.
; NOTE(review): _repne1 walks a pointer off the end of szReadBuffer3 and then
; addresses szReadBuffer4 through it, so it appears to rely on these two being
; laid out back to back — do not reorder or pad these declarations.
szReadBuffer3 db 35 dup (?)     ; 35 raw bytes: 34 decoded from the server's hex text + 1 appended '/'
szReadBuffer4 db 72 dup (?)     ; outgoing frame built by _repne1: '<' + 70 hex digits + '>' (72 bytes sent)
szReadBuffer6 db 256 dup (?)    ; outgoing frame built by _yongh: '<' + hex(wpr20) + '>'
szReadBuffer7 db 256 dup (?)    ; not referenced by the visible code
jjj dd ?                        ; scratch write pointer used by the nibble/hex loops
wpname2 db 256 dup (?)          ; not referenced by the visible code
wpname db 256 dup (?)           ; _yongh copies wpr20(18..27) into wpname(0..9)
wpr20 db 256 dup (?)            ; wsprintf target: '#' + counter + wpyh3 + 6-bit-encoded name/password + '!'
szBuffer2 db 256 dup (?)        ; wsprintf target: name + '/' + password, before the 6-bit encoding
myebp4 dd 256 dup (?)           ; dword slots standing in for the [ebp-xx] locals of the routine lifted in _yongh2
myebp1 db 256 dup (?)           ; byte slots for the same lifted routine (myebp1(21h)..(23h))
myadd db 256 dup (?)            ; mask table filled at the top of _yongh2; only offsets 2, 4, 6 are read (AND AL,[EDX+esi])
myadd2 dd ?                     ; written with its own address in _yongh2, otherwise unused in the visible code
sss3 dd ?                       ; not referenced by the visible code
.data
; Initialised state. The r2jf*/kg*/jjj* names are global counters shared by
; the procedures below; several are declared as pairs (x,0) but only the first
; element is ever referenced.
r2jf1b db 0,0                   ; _yongh: carry bits left over from the previous input char
r2jf1a db 0,0                   ; _yongh: current input char
r2jf14 dd 0,0                   ; _yongh: bit position; +2 per input char, reset to 0 when it reaches 6
r2jf19 db 0,0                   ; _yongh: 6-bit group about to be emitted
r2jf18 dd 0,0                   ; _yongh: output index into szReadBuffer
r2jz8 dw 2710h,0                ; not referenced by the visible code
r2jf8 dd 0,0                    ; _yongh: pointer to the output buffer (szReadBuffer)
r2jf4 dd 0,0                    ; _yongh: input index into szBuffer2
r2jz4 db 4,0                    ; not referenced by the visible code
kg2 dd 1,0                      ; _repne1: call counter; == 2 answers the challenge (then reset to 0), == 1 sends mir152
kg3 dd 0,0                      ; _repne1: advanced by 4 per call and dereferenced as the socket handle; starts at 0 here — presumably set elsewhere, TODO confirm
jjj2 dd ?                       ; generic loop counter / scratch pointer
jjj5 dd 007df667h,0             ; seed of the 16-bit keystream state (loaded into edi before every XOR pass)
                                ; NOTE(review): jjj5 and the data bytes are the only inputs to that pass, so it is a fixed obfuscation, not keyed encryption
jjjjj dd 99990099h,0            ; not referenced by the visible code
wpyh2 dd 0h,0                   ; _yongh: per-message counter, 1..9 then wraps to 0; formatted with %x into wpr20
sss2 db 'Fi[jpHGGdiZlhW\kH>xpGo@kH>x!',0 ;'Fi?>kV_JmGBzGo
; sss2: hard-coded sample of the '<'-based 6-bit text that _yongh2 decodes
.const
dubis db '0123456789ABCDEF',0   ; hex digit table; also scanned with repne scasb (17 bytes incl. NUL) to map a digit back to its value
kh1 db '<'                      ; kh1/kh2 are not referenced by the visible code (the procs use the immediates 60/62)
kh2 db '>'
wpyh1 db '#',0                  ; prefix of wpr20
; NOTE(review): the next literal is truncated in this copy of the listing; its content is not recoverable from the page
wpyh3 db '
wpyhp db '/',0                  ; separator between name and password in szBuffer2
wpyhh db '!',0                  ; suffix of wpr20
; NOTE(review): the next two declarations are garbled in this copy of the listing
xuanz db '
xuanj db '#3<<<< ;#<<<<<=D><<<<<<<
wp2s db '%s%s',0                ; not referenced by the visible code
wpyong db '%s%s%s',0            ; format for szBuffer2: name, "/", password
wpyong2 db '%s%x%s%s%s',0       ; format for wpr20: "#", counter, wpyh3, encoded text, "!"
szcy db '密码验证成功',0          ; not referenced by the visible code
wp1x db '%x',0                  ; debug format used inside _yongh's loop
以下是解密在加密代码
;-----------------------------------------------------------------------
; _repne1 proc _hSocket
; Challenge/response step of the login exchange (see the notes at the top
; of the page). kg2 is incremented on entry; it starts at 1, so the first
; call takes the == 2 branch, which resets kg2 to 0, after which the two
; branches alternate.
; kg2 == 2:
;   1. szReadBuffer2 (hex text from the server) -> szReadBuffer3: 34 bytes,
;      two hex chars per byte, each looked up in dubis with repne scasb
;   2. XOR pass over those 34 bytes with the 16-bit keystream seeded from
;      jjj5, feeding back each byte as read (decrypt direction)
;   3. append 2fh ('/') as byte 35
;   4. XOR pass over all 35 bytes, feeding back each byte as written
;      (encrypt direction)
;   5. hex-encode the 35 bytes into szReadBuffer4 as '<' + 70 digits + '>'
;      and send the 72-byte frame on _hSocket
; kg2 == 1: kg3 += 4, then 8 bytes of mir152 are sent on the socket read
;   from [kg3] (mir152 is not declared in this listing)
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags.
; NOTE(review): ebx/esi/edi are modified without being saved; Win32 (stdcall)
;   callers expect them preserved — `proc USES ebx esi edi` would fix that.
; Globals written: jjj, jjj2, kg2, kg3, szReadBuffer3, szReadBuffer4 and one
;   byte past szReadBuffer4 (see the note before the send).
;-----------------------------------------------------------------------
_repne1 proc _hSocket
    inc kg2
    .if kg2 == 2
        mov jjj2,0 ;dui chen luan ma
        ; --- step 1: hex text in szReadBuffer2 -> 34 raw bytes in szReadBuffer3 ---
        ; jjj = write pointer, esi = read pointer, jjj2 = byte counter
        mov esi,offset szReadBuffer3
        mov jjj,esi
        mov esi,offset szReadBuffer2
    @@:
        mov al,[esi]
        movzx eax,al
        mov edi,offset dubis
        mov ecx,17                  ; scan the 16 digits plus the NUL; afterwards index = 16 - ecx
        repne scasb
        xor eax,eax
        mov al,16
        sub eax,ecx                 ; eax = nibble value (16 if the char is not a hex digit; no range check)
        shl eax,04                  ; high nibble
        mov ecx,jjj
        mov [ecx],al
        inc esi
        mov al,[esi]
        movzx eax,al
        mov edi,offset dubis
        mov ecx,17
        repne scasb
        xor eax,eax
        mov al,16
        sub eax,ecx                 ; low nibble
        mov ecx,jjj
        or [ecx],al
        inc jjj
        inc esi
        inc jjj2
        .if jjj2 == 34              ; 34 bytes = 68 hex chars consumed
            jmp @F
        .endif
        jmp @B
    @@:
    ;__________________________________________________________________________
    ;above: characters turned into scrambled bytes
        ; --- step 2: XOR pass (decrypt direction) over the 34 bytes ---
        ; di is the 16-bit keystream state, seeded from the constant jjj5.
        ; Per byte: out = in XOR (di >> 8); di = (di + in) * 0ce6dh + 58bfh,
        ; where `in` is the byte as read from memory, before the XOR.
        mov jjj2,0
        mov esi,offset szReadBuffer3
        xor ebx,ebx
        mov edi,jjj5
    @@:
        .if jjj2 == 34
            jmp @F
        .endif
        mov bl,[esi]
        mov edx,ebx
        movzx ecx,di
        shr ecx,08                  ; cl = high byte of the state
        xor dl,cl
        mov [esi],dl
        mov edx,esi                 ; dead store: edx is overwritten before it is read again
        xor eax,eax
        mov al,bl                   ; feedback uses the byte before the XOR
        add di,ax
        imul ax,di,0ce6dh
        add ax,58bfh
        mov edi,eax                 ; upper 16 bits of eax are 0 here
        inc esi
        inc jjj2
        jmp @B
    @@:
        mov al,2fh                  ; append '/' as byte 35 (esi = szReadBuffer3 + 34)
        mov [esi],al
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        ; --- step 3: XOR pass (encrypt direction) over all 35 bytes ---
        ; same state update, but the feedback byte is the one after the XOR
        mov jjj2,0
        mov esi,offset szReadBuffer3
        xor ebx,ebx
        mov edi,jjj5
    @@:
        .if jjj2 == 35
            jmp @F
        .endif
        mov bl,[esi]
        mov edx,ebx
        movzx ecx,di
        shr ecx,08
        xor dl,cl
        mov [esi],dl
        movzx eax,dl                ; feedback uses the byte after the XOR
        add di,ax
        imul ax,di,0ce6dh
        add ax,58bfh
        mov edi,eax
        inc esi
        inc jjj2
        jmp @B
    @@:
        ; --- step 4: hex-encode szReadBuffer3 into szReadBuffer4 ---
        ; szReadBuffer4[0] = '<', then two digits per byte from [1] on
        mov jjj2,0
        mov esi,offset szReadBuffer4
        mov al,60                   ; '<'
        mov [esi],al
        inc esi
        mov jjj,esi                 ; jjj = write pointer into szReadBuffer4
        mov esi,offset szReadBuffer3
    @@:
        mov al,[esi]
        movzx eax,al
        shr al,04                   ; high nibble -> first digit
        mov edi,offset dubis
        add edi,eax
        mov ecx,jjj
        mov al,[edi]
        mov [ecx],al
        mov al,[esi]
        movzx eax,al
        and al,0fh                  ; low nibble -> second digit
        mov edi,offset dubis
        add edi,eax
        inc jjj
        mov ecx,jjj
        mov al,[edi]
        mov [ecx],al
        inc jjj
        inc esi
        inc jjj2
        .if jjj2 == 35
            jmp @F
        .endif
        jmp @B
    @@:
        ; esi now points 35 bytes past szReadBuffer3. With szReadBuffer3 (35 bytes)
        ; immediately followed by szReadBuffer4 in .data?, esi == szReadBuffer4 and
        ; [esi+71] is the closing '>' of the 72-byte frame.
        ; NOTE(review): [esi+72] is one byte past the end of szReadBuffer4 — the NUL
        ; lands in whatever follows it (szReadBuffer6 in this listing). The frame
        ; sent below is 72 bytes and does not include that byte.
        mov al,62                   ; '>'
        mov [esi + 71],al
        mov al,0
        mov [esi + 72],al
        invoke send,_hSocket,addr szReadBuffer4,72,0
        mov kg2,0
    .elseif kg2 == 1
        add kg3,4
        mov esi,kg3
        invoke send,[esi],addr mir152,8,0   ; socket handle read from [kg3]
    .endif
    ret
_repne1 endp
szReadBuffer4就是的到的答暗了
send szReadBuffer4
recv pass 验证成功
接下来就是验证密码的事了
用户名+/+密码 加密后在加他的封装
代码
;characters turned into scrambled text: user name
;-----------------------------------------------------------------------
; _yongh proc
; Builds and sends the user-name/password frame.
;   1. szBuffer2 := wsprintf(wpyong = "%s%s%s", namesz, wpyhp = "/", mimasz),
;      i.e. name + "/" + password (namesz/mimasz are not declared here)
;   2. 6-bit packing of szBuffer2 into szReadBuffer: three input chars give
;      four output chars, each a 6-bit group plus 3ch ('<'). State lives in
;      the r2jf* globals (r2jf4 in-index, r2jf18 out-index, r2jf14 bit
;      position, r2jf1b carry, r2jf1a current char, r2jf19 current group).
;   3. wpr20 := wsprintf(wpyong2 = "%s%x%s%s%s", "#", wpyh2, wpyh3,
;      szReadBuffer, "!"); wpyh2 advances 1..9 and wraps to 0
;   4. XOR pass over wpr20 (same keystream as _repne1, seeded from jjj5,
;      feeding back the byte after the XOR), hex-encoded into szReadBuffer6
;      as '<' + digits + '>' and sent on hSocket; the XORed wpr20 is also
;      echoed into the hWinInfo edit control.
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags.
; NOTE(review): ebx/esi/edi are not preserved although stdcall callers
;   expect them to be (`proc USES ebx esi edi`).
;-----------------------------------------------------------------------
_yongh proc
    mov r2jf1b,0                    ; carry bits from the previous char
    mov r2jf4,0                     ; input index
    mov r2jf14,0                    ; bit position (0, 2, 4; reset when it reaches 6)
    mov r2jf19,0                    ; 6-bit group to emit
    mov r2jf18,0                    ; output index
    invoke RtlZeroMemory,addr szReadBuffer2,sizeof szReadBuffer2
    invoke RtlZeroMemory,addr szReadBuffer,sizeof szReadBuffer
    invoke wsprintf,addr szBuffer2,addr wpyong,addr namesz,addr wpyhp,addr mimasz   ; szBuffer2 = name + "/" + password
    mov esi,offset szReadBuffer
    mov r2jf8,esi                   ; r2jf8 = output base
    mov esi,offset szBuffer2
    mov jjj2,esi                    ; jjj2 = input base
@@:
    ; one input char per iteration: c = szBuffer2[r2jf4]
    mov esi,jjj2
    add esi,r2jf4
    mov al,[esi]
    mov r2jf1a,al
    mov ecx,r2jf14
    add ecx,2
    mov al,r2jf1a
    shr eax,cl                      ; c >> (pos+2) ...
    or al,r2jf1b                    ; ... OR carry ...
    and al,3fh                      ; ... masked to 6 bits (stale high bits of eax are masked away here)
    mov r2jf19,al
    mov eax,r2jf14
    add eax,2
    mov ecx,8
    sub ecx,eax                     ; cl = 8 - (pos+2)
    xor eax,eax
    mov al,r2jf1a
    shl eax,cl                      ; eax = c << (6-pos): the bits that did not fit into this group
    ; NOTE(review): both debug calls below return their result in eax
    ; (wsprintf: chars written, MessageBox: button id), so the `shr eax,2`
    ; that follows operates on the MessageBox return value rather than on
    ; the shifted char; the carry stored in r2jf1b is wrong while these two
    ; calls are present.
    invoke wsprintf,addr szReadBuffer3,addr wp1x,eax
    invoke MessageBox,hWinMain,addr szReadBuffer3,addr szReadBuffer3,MB_OK
    shr eax,2
    and al,3fh
    mov r2jf1b,al                   ; carry for the next char
    add r2jf14,2
    .if r2jf14 == 6
        ; third char of a triple: emit this group and, unless c was the NUL
        ; terminator, the carry as the fourth output char; restart at pos 0
        mov eax,r2jf8
        mov edx,r2jf18
        mov cl,r2jf19
        add cl,3ch                  ; output char = 6-bit group + '<'
        mov [eax + edx],cl
        cmp r2jf1a,0
        JZ @F
        mov cl,r2jf1b
        add cl,3ch
        mov [eax + edx + 1],cl
        mov r2jf14,0
        mov r2jf1b,0
        inc r2jf18
    .else
        cmp r2jf1a,0
        JZ @F                       ; NUL terminator: stop without emitting
        mov eax,r2jf8
        mov edx,r2jf18
        mov cl,r2jf19
        add cl,3ch
        mov [eax + edx],cl
    .endif
    cmp r2jf1a,0
    JZ @F
    inc r2jf4
    inc r2jf18
    jmp @B
@@:
    ; message counter: 1..9, wraps to 0
    inc wpyh2
    .if wpyh2 > 9h
        mov wpyh2,0h
    .endif
    ; wpr20 = "#" + hex(wpyh2) + wpyh3 + encoded name/password + "!"
    invoke wsprintf,addr wpr20,addr wpyong2,addr wpyh1,wpyh2,addr wpyh3,addr szReadBuffer,addr wpyhh
    ; copy wpr20(18..27) into wpname(0..9) — presumably the encoded user name;
    ; TODO confirm the offset, it depends on the length of wpyh3, which is garbled in this listing
    mov al,wpr20(18)
    mov wpname(0),al
    mov al,wpr20(19)
    mov wpname(1),al
    mov al,wpr20(20)
    mov wpname(2),al
    mov al,wpr20(21)
    mov wpname(3),al
    mov al,wpr20(22)
    mov wpname(4),al
    mov al,wpr20(23)
    mov wpname(5),al
    mov al,wpr20(24)
    mov wpname(6),al
    mov al,wpr20(25)
    mov wpname(7),al
    mov al,wpr20(26)
    mov wpname(8),al
    mov al,wpr20(27)
    mov wpname(9),al
    ;_____________________________________________________________________________
    ;{{{{{{h=<<<<<<<
    ; --- XOR pass over wpr20 (encrypt direction, same keystream as _repne1) ---
    ; jjj2 ends up as strlen(wpr20) + 1
    invoke RtlZeroMemory,addr szReadBuffer6,sizeof szReadBuffer6
    mov jjj2,0
    mov esi,offset wpr20
    mov edi,jjj5
@@:
    inc jjj2
    mov bl,[esi]
    cmp bl,0
    JZ @F
    mov edx,ebx
    movzx ecx,di
    shr ecx,08
    xor dl,cl
    mov [esi],dl
    movzx eax,dl                    ; feedback uses the byte after the XOR
    add di,ax
    imul ax,di,0ce6dh
    add ax,58bfh
    mov edi,eax
    inc esi
    jmp @B
@@:
    ; --- hex-encode wpr20 into szReadBuffer6: '<' + two digits per byte + '>' ---
    mov esi,offset szReadBuffer6
    mov al,60                       ; '<'
    mov [esi],al
    inc esi
    mov jjj,esi                     ; jjj = write pointer
    mov esi,offset wpr20
@@:
    mov al,[esi]
    movzx eax,al
    shr al,04                       ; high nibble -> first digit
    mov edi,offset dubis
    add edi,eax
    mov ecx,jjj
    mov al,[edi]
    mov [ecx],al
    mov al,[esi]
    movzx eax,al
    and al,0fh                      ; low nibble -> second digit
    mov edi,offset dubis
    add edi,eax
    inc jjj
    mov ecx,jjj
    mov al,[edi]
    mov [ecx],al
    inc jjj
    inc esi
    dec jjj2
    cmp jjj2,1                      ; exactly strlen(wpr20) bytes encoded
    JZ @F
    jmp @B
@@:
    mov al,62                       ; '>' right after the last digit (ecx still points at it)
    mov [ecx + 1],al
    invoke lstrlen,addr szReadBuffer6
    invoke send,hSocket,addr szReadBuffer6,eax ,0
    invoke SendMessage,hWinInfo,EM_REPLACESEL,FALSE,addr wpr20   ; echo the (now XORed) wpr20 into the info edit control
    ret
_yongh endp
send szReadBuffer6 就是加密后的数据
没有意外收到的就是验证密码成功
(!能不能谈谈你是用什么方法、工具,有什么心得和经验和我们分享吗? 首先用网络工具看看 双方的数据对流 在就是进入代码中看加密方法 最后是什么呢.. 就是自己编程 呵呵说笑了)
首先用网络工具看看 双方的数据对流 在就是进入代码中看加密方法 最后是什么呢.. 就是自己编程 呵呵说笑了
第4步用不用都一样了
接上贴
发送用户名+登陆严正码 收到的就是用户信息
收到的是《〈〈〈〈〈ggh之类的东西 也就是反算《〈〈〈〈〈ggh到中文
用4.5天才搞到这么一段
;-----------------------------------------------------------------------
; _yongh2 proc
; Inverse of the packing done in _yongh: turns the '<'-based 6-bit text in
; sss2 back into bytes in szReadBuffer2 and shows the result in a MessageBox.
; The body is lifted from the client at 0045B13B..0045B1E7 (the ;45Bxxx
; comments give the original address and instruction bytes); the original
; [ebp-xx] locals are replaced by slots in myebp4 (dwords) and myebp1
; (bytes) at the same offsets, e.g. myebp4(04h) stands for [ebp-4].
; Slot roles as set up below:
;   myebp4(04h) input pointer (sss2)      myebp4(08h) output pointer (szReadBuffer2)
;   myebp4(10h) 1-based input index       myebp4(0Ch) output limit 2710h
;   myebp4(18h) shift, cycles 2,4,6       myebp4(1Ch) pending bit count
;   myebp4(20h) output index              myebp4(28h) input count 15h, counts down
;   myebp1(21h) current 6-bit value       myebp1(22h) leftover bits
;   myebp1(23h) byte being assembled
;   myadd(2/4/6) = 0fch/0f0h/0c0h masks for the leftover bits; the other
;   myadd entries are never read by this routine.
; myebp4(14h) and myadd2 are written but never read here.
; Clobbers: eax, ecx, edx, esi, flags (esi is not preserved).
;-----------------------------------------------------------------------
_yongh2 proc
;;;;;;;;;;;;;;;;;;;;;;
    mov myadd(0),40h
    mov myadd(1),0h
    mov myadd(2),0fch
    mov myadd(3),0f8h
    mov myadd(4),0f0h
    mov myadd(5),0e0h
    mov myadd(6),0c0h
    mov myadd(7),8dh
    mov myadd(8),40h
    mov myadd(9),0h
    mov myadd(10),14h
    mov myadd(14),1h
    mov myadd(30),0ch
    mov myadd(31),8dh
    mov myadd2,offset myadd2
    invoke RtlZeroMemory,addr szReadBuffer2,sizeof szReadBuffer2
    invoke RtlZeroMemory,addr szReadBuffer,sizeof szReadBuffer
    invoke RtlZeroMemory,addr myebp4,sizeof myebp4
    invoke RtlZeroMemory,addr myebp1,sizeof myebp1
    mov esi, offset sss2
    MOV myebp4(4),esi
    mov esi, offset szReadBuffer2
    MOV myebp4(8),esi
    ;mov esi, offset myebp4
    ;invoke wsprintf,addr szBuffer2,addr wp1x,esi
    ;invoke MessageBox,hWinMain,addr szBuffer2,addr sss2,MB_OK
    mov myebp4(10h),1
    mov myebp4(0ch),2710h
    mov myebp4(14h),18h
    mov myebp4(18h),02h
    mov myebp4(28h),15h
    mov myebp1(23h),0fch
;;;;;;;;;;;;;10 edx
;;;;;;;;;;;;;28 counts down (loop counter)
;;;;;;;;;;;;;18 2 4 6
;;;;;;;;;;;;;
;;;;;;;;;;;;;
;;;;;;;;;;;;;
;45B13B 8B45FC
_a13b:
    ; v = in[idx-1] - 3ch; a char below '<' (e.g. the NUL terminator) ends the loop
    MOV EAX,myebp4(04h)
;45B13E 8B55F0
    MOV EDX,myebp4(10h)
;45B141 0FB64410FF
    MOV al,[EAX+EDX-01]
    and eax,0ffh                    ; the original movzx, written as mov + mask
;45B146 83E83C
    SUB EAX,3Ch
;45B149 7811
    JS _a15c ; 0045B15C
;45B14B 8B45FC
    MOV EAX,myebp4(04h)
;45B14E 8B55F0
    MOV EDX,myebp4(10h)
;45B151 8A4410FF
    MOV AL,[EAX+EDX-01]
;45B155 2C3C
    SUB AL,3Ch
;45B157 8845DF
    MOV myebp1(21h),AL
;45B15A EB0A
    JMP _a166 ; SHORT 0045B166
;45B15C 33C0
_a15c:
    ; exit path for a char below '<': output index := 0 (not read after the loop)
    XOR EAX,EAX
;45B15E 8945E0
    MOV myebp4(20h),EAX
;45B161 E981000000
    JMP _a1e7 ; 0045B1E7
;45B166 8B45E0
_a166:
    ; stop once the output index reaches the 2710h limit
    MOV EAX,myebp4(20h)
;45B169 3B45F4
    CMP EAX,myebp4(0Ch)
;45B16C 7D79
    JNL _a1e7 ; 0045B1E7
;45B16E 8B45E4
    ; pending + 6 < 8: not enough bits for a byte yet, just accumulate (_a1bc)
    MOV EAX,myebp4(1Ch)
;45B171 83C006
    ADD EAX,06
;45B174 83F808
    CMP EAX,08
;45B177 7C43
    JL _a1bc ; 0045B1BC
;45B179 B906000000
    ; emit one byte: ((v & 3fh) >> (6 - shift)) OR leftover
    MOV ECX,06
;45B17E 2B4DE8
    SUB ECX,myebp4(18h)
;45B181 8A45DF
    MOV AL,myebp1(21h)
;45B184 243F
    AND AL,3Fh
;45B186 25FF000000
    AND EAX,0FFh
;45B18B D3E8
    SHR EAX,CL
;45B18D 0A45DE
    OR AL,myebp1(22h)
;45B190 8845DD
    MOV myebp1(23h),AL
;45B193 8B45F8
    MOV EAX,myebp4(08h)
;45B196 8B55E0
    MOV EDX,myebp4(20h)
;45B199 8A4DDD
    MOV CL,myebp1(23h)
;45B19C 880C10
    MOV [EAX+EDX],CL
;45B19F FF45E0
    mov eax,myebp4(20h)             ; output index++ (the original is a single inc [ebp-20h])
    INC eax
    mov myebp4(20h),eax
;45B1A2 33C0
    XOR EAX,EAX
;45B1A4 8945E4
    MOV myebp4(1Ch),EAX             ; pending bits := 0
;45B1A7 837DE806
    ; shift < 6: shift += 2 and keep this char's leftover bits; else shift := 2 and move on
    CMP myebp4(18h),06
;45B1AB 7D06
    JNL _a1b3 ; 0045B1B3
;45B1AD 8345E802
    ADD myebp4(18h),02
;45B1B1 EB09
    JMP _a1bc ; SHORT 0045B1BC
;45B1B3 C745E802000000
_a1b3:
    MOV myebp4(18h),02
;45B1BA EB1F
    JMP _a1db ;SHORT 0045B1DB
_a1bc:
    ; keep the bits that did not fit: leftover = (v << shift) AND myadd[shift]; pending += 8 - shift
;45B1BC 8B4DE8
    MOV ECX,myebp4(18h)
;45B1BF 8A45DF
    MOV AL,myebp1(21h)
;45B1C2 D2E0
    SHL AL,CL
;45B1C4 8B55E8
    MOV EDX,myebp4(18h)
;45B1C7 2282BE2C4A00
    mov esi,offset myadd            ; the original's absolute table address, relocated to myadd
    AND AL,[EDX+esi]
;45B1CD 8845DE
    MOV myebp1(22h),AL
;45B1D0 B808000000
    MOV EAX,08
;45B1D5 2B45E8
    SUB EAX,myebp4(18h)
;45B1D8 0145E4
    ADD myebp4(1Ch),EAX
;45B1DB FF45F0
_a1db:
    ; next input char; loop until the 15h count is exhausted
    INC myebp4(10h)
;45B1DE FF4DD8
    DEC myebp4(28h)
;45B1E1 0F8554FFFFFF
    JNZ _a13b ;NEAR 0045B13B
;45B1E7 8B45F8
_a1e7:
    MOV EAX,myebp4(08h)             ; eax = output pointer; clobbered by the MessageBox call below
;invoke wsprintf,addr szBuffer2,addr wpyong,addr
    invoke MessageBox,hWinMain,addr szReadBuffer2,addr sss2,MB_OK
    ret
    ret                             ; unreachable
_yongh2 endp
解成szReadBuffer2的内容就是 *你的用户名/性别/等级/和职业
这段我也没算出算法直接把代码拿来用了
完了现在你可以看到 的数据传输了
QQ124020869欢迎大家来交留