By | 2021-05-10
  • 本次分析版本:拼多多商家工作台2.6.6.18
  • 分析消息接收Call【6E275519-6E1B0000=C5519】
; ---------------------------------------------------------------------------------------------
; Disassembly (OllyDbg, Intel syntax, 32-bit, cdecl-style stack args) of the routine in which
; the message-receive hook was planted.  Module "sqlciphe" (SQLCipher/SQLite build).  The
; "DuiLib::CShadowUI::ParentProc" / "user32.76B9971E" texts on the raw dump were debugger
; annotations of the stack contents at viewing time, not the routine's name.
; Entry:  [esp+4]  = arg1, destination byte buffer
;         [esp+8]  = arg2, pointer to a record holding a 64-bit value at +0 and a count at +0xC
;         [esp+0xC]= arg3, type tag
; Shape:  tag 1..7  -> big-endian copy of the 64-bit value, length taken from a byte table;
;         tag >= 12 -> copy of n bytes (count at +0xC); other tags -> path outside this excerpt.
;         This matches SQLite's sqlite3VdbeSerialPut(buf, pMem, serial_type) -- TODO confirm
;         against the SQLite version bundled with 2.6.6.18.
; Return: eax = byte count on the fixed-size path; the other return paths (6E275528 / 6E27552C)
;         lie past the end of this excerpt.
; ---------------------------------------------------------------------------------------------
6E2754D0    8B5424 0C       mov edx,dword ptr ss:[esp+0xC]           ; edx = arg3 (type tag)
6E2754D4    56              push esi                                 ; save callee-saved esi; stack args are +4 from here on
6E2754D5    8D42 FF         lea eax,dword ptr ds:[edx-0x1]           ; eax = tag - 1 (lea: flags untouched)
6E2754D8    83F8 06         cmp eax,0x6                              ; unsigned range test: 1 <= tag <= 7 ?
6E2754DB    77 2B           ja short sqlciphe.6E275508               ; tag 0 or tag > 7 -> variable-length branch
6E2754DD    8B4424 0C       mov eax,dword ptr ss:[esp+0xC]           ; eax = arg2 (record pointer); slot shifted by the push
6E2754E1    0FB692 20372F6E movzx edx,byte ptr ds:[edx+0x6E2F3720]   ; edx = sizeTable[tag]; byte table inside this module (contents not shown)
6E2754E8    8B7424 08       mov esi,dword ptr ss:[esp+0x8]           ; esi = arg1 (destination buffer)
6E2754EC    57              push edi                                 ; save callee-saved edi
6E2754ED    8B08            mov ecx,dword ptr ds:[eax]               ; ecx = low dword of the 64-bit value
6E2754EF    8BFA            mov edi,edx                              ; edi = len, preserved for the return value
6E2754F1    8B40 04         mov eax,dword ptr ds:[eax+0x4]           ; eax = high dword; eax:ecx = v
6E2754F4    4A              dec edx                                  ; --i          (loop: buf[--i] = (u8)v; v >>= 8; while (i))
6E2754F5    880C32          mov byte ptr ds:[edx+esi],cl             ; buf[i] = low byte of v  -> most significant byte lands first
6E2754F8    0FACC1 08       shrd ecx,eax,0x8                         ; v >>= 8, low half (pulls in bits from eax)
6E2754FC    C1E8 08         shr eax,0x8                              ; v >>= 8, high half
6E2754FF    85D2            test edx,edx                             ; i == 0 ?
6E275501  ^ 75 F1           jnz short sqlciphe.6E2754F4              ; more bytes -> loop
6E275503    8BC7            mov eax,edi                              ; return len
6E275505    5F              pop edi                                  ; restore callee-saved
6E275506    5E              pop esi                                  ; restore callee-saved
6E275507    C3              retn                                     ; caller removes the three args
6E275508    83FA 0C         cmp edx,0xC                              ; tag >= 12 ?
6E27550B    72 1F           jb short sqlciphe.6E27552C               ; tags 0, 8..11 -> return path outside this excerpt
6E27550D    8B4424 0C       mov eax,dword ptr ss:[esp+0xC]           ; eax = arg2 (record pointer)
6E275511    8B70 0C         mov esi,dword ptr ds:[eax+0xC]           ; esi = n (byte count stored at +0xC)
6E275514    85F6            test esi,esi                             ; n == 0 ?
6E275516    74 10           je short sqlciphe.6E275528               ; nothing to copy -> skip (target outside this excerpt)
6E275518    56              push esi                                 ; arg: n, for the copy call at 6E275520
6E275519  - E9 E2AAF593     jmp 021D0000                             ; INLINE HOOK: 5-byte jmp rel32 (+2 nop pad = 7 patched bytes) leaves the module for 021D0000, which is outside sqlciphe's image; the displaced original instructions are presumably replayed in that trampoline before control returns to 6E275520 -- TODO confirm.  Defender note: this is the classic signature a code-integrity check finds (mapped .text differs from the on-disk image; branch target in non-image memory).
6E27551E    90              nop                                      ; padding left by the 7-byte patch
6E27551F    90              nop                                      ; padding left by the 7-byte patch
6E275520    E8 31C9F3FF     call sqlciphe.6E1B1E56                   ; copy of n bytes into the destination (n pushed above; the remaining pushes were in the overwritten bytes) -- likely memcpy, TODO confirm from the trampoline
  • 发送消息Call【00EA6580-00E40000=66580】
; ---------------------------------------------------------------------------------------------
; Disassembly (OllyDbg, Intel syntax, 32-bit, ebp-based frame) of the caller of the
; "send message" routine at 00EA6580 (RVA 0x66580 with PddWorkb loaded at 00E40000).
; The enclosing function starts before and ends after this excerpt; the '/' and '|' column is
; the debugger's jump-arrow column, not code.
; Visible flow: a helper fills an 8-byte local at [ebp-0x34]; if its two dwords are equal the
; send is skipped, otherwise seven stack arguments are pushed and the routine is called with
; ecx = [obj+0x778].
; ---------------------------------------------------------------------------------------------
0102A661   /E9 C0010000     jmp PddWorkb.0102A826                    ; end of a preceding path; target outside this excerpt
0102A666   |8D45 CC         lea eax,dword ptr ss:[ebp-0x34]          ; eax = &local_34 (8 bytes: both dwords are read back below)
0102A669   |50              push eax                                 ; out-param for the helper
0102A66A   |E8 716FECFF     call PddWorkb.00EF15E0                   ; fills [ebp-0x34] and [ebp-0x30]; purpose not visible here
0102A66F   |8B75 CC         mov esi,dword ptr ss:[ebp-0x34]          ; esi = first dword
0102A672   |8B7D D0         mov edi,dword ptr ss:[ebp-0x30]          ; edi = second dword
0102A675   |3BF7            cmp esi,edi                              ; equal -> nothing to send
0102A677   |0F84 B5000000   je PddWorkb.0102A732                     ; skip the send (looks like an empty begin==end range -- TODO confirm)
0102A67D   |8B85 B8FCFFFF   mov eax,dword ptr ss:[ebp-0x348]         ; eax = object pointer kept in a local (presumably `this`; verify)
0102A683   |8D88 90070000   lea ecx,dword ptr ds:[eax+0x790]         ; ecx = &obj->field_790
0102A689   |898D 9CFCFFFF   mov dword ptr ss:[ebp-0x364],ecx         ; cache it in a local for later use (outside this excerpt)
0102A68F   |EB 06           jmp short PddWorkb.0102A697              ; skip the alternate entry below
0102A691   |8B85 B8FCFFFF   mov eax,dword ptr ss:[ebp-0x348]         ; alternate entry reached from outside this excerpt: reload object pointer; ecx must already be valid on that path because it is pushed below without being reloaded
0102A697   |8D55 BC         lea edx,dword ptr ss:[ebp-0x44]          ; arg 7: &local_44
0102A69A   |52              push edx
0102A69B   |8D95 24FFFFFF   lea edx,dword ptr ss:[ebp-0xDC]          ; arg 6: &local_DC
0102A6A1   |52              push edx
0102A6A2   |51              push ecx                                 ; arg 5: &obj->field_790
0102A6A3   |56              push esi                                 ; arg 4: first dword from the helper
0102A6A4   |8D8D 3CFFFFFF   lea ecx,dword ptr ss:[ebp-0xC4]          ; arg 3: &local_C4
0102A6AA   |51              push ecx
0102A6AB   |8D8D 6CFFFFFF   lea ecx,dword ptr ss:[ebp-0x94]          ; arg 2: &local_94
0102A6B1   |51              push ecx
0102A6B2   |8D4D 9C         lea ecx,dword ptr ss:[ebp-0x64]          ; arg 1: &local_64
0102A6B5   |51              push ecx
0102A6B6   |8B88 78070000   mov ecx,dword ptr ds:[eax+0x778]         ; ecx = obj->field_778, loaded last -> looks like the `this` of a thiscall callee
0102A6BC   |E8 BFBEE7FF     call PddWorkb.00EA6580                   ; send-message call: 7 stack args (numbering above assumes right-to-left pushing) plus ecx; the callee's real signature is not visible here