By | 2021-09-09
  • 本次分析客户端版本号:2.7.3.26
  • 客户端消息接收 CALL【模块:sqlcipher.dll】【模块基址:5CAA0000】
; Debugger disassembly (address | opcode bytes | Intel-syntax x86-32) of a routine in sqlcipher.dll.
; The routine starts at 5CB654D0; it takes three stack arguments and sets up no frame pointer.
;   arg1 = [esp+0x4] at entry : destination byte buffer
;   arg2 = [esp+0x8] at entry : pointer to a record; fields read here are +0x0/+0x4 (64-bit value),
;                               +0xC (byte count) and +0x10 (data pointer)
;   arg3 = [esp+0xC] at entry : type code that selects the encoding
; Integer path (type 1..7): writes the value most-significant byte first and returns the byte count in eax.
; NOTE(review): the shape matches SQLite's record serializer (sqlite3VdbeSerialPut), i.e. a storage-layer
;   routine rather than a network receive handler — confirm against the SQLite/SQLCipher source for this build.
; NOTE(review): symbol names after "dbg note:" are the debugger's own annotations, presumably of whatever the
;   operand or register held at capture time; nothing in this listing calls them — verify before relying on them.
; The branch targets 5CB65528 and 5CB6552C, and everything after the final call, are outside this excerpt.
5CB654CF    CC              int3                                     ; presumably padding before the entry point
5CB654D0    8B5424 0C       mov edx,dword ptr ss:[esp+0xC]           ; edx = arg3 (type code)
5CB654D4    56              push esi                                 ; save esi; stack args are now 4 bytes further from esp
5CB654D5    8D42 FF         lea eax,dword ptr ds:[edx-0x1]           ; eax = type - 1
5CB654D8    83F8 06         cmp eax,0x6
5CB654DB    77 2B           ja short sqlciphe.5CB65508               ; unsigned: type == 0 or type >= 8 leaves the integer path
5CB654DD    8B4424 0C       mov eax,dword ptr ss:[esp+0xC]           ; eax = arg2 (record pointer); dbg note: DuiLib.DuiLib::CShadowUI::ParentProc
5CB654E1    0FB692 2037BE5C movzx edx,byte ptr ds:[edx+0x5CBE3720]   ; edx = byte table at 5CBE3720 indexed by type = encoded length
5CB654E8    8B7424 08       mov esi,dword ptr ss:[esp+0x8]           ; esi = arg1 (destination buffer)
5CB654EC    57              push edi                                 ; save edi; dbg note: user32.TranslateMessage
5CB654ED    8B08            mov ecx,dword ptr ds:[eax]               ; ecx = low dword of the 64-bit value
5CB654EF    8BFA            mov edi,edx                              ; edi = length, kept for the return value
5CB654F1    8B40 04         mov eax,dword ptr ds:[eax+0x4]           ; eax = high dword of the 64-bit value
5CB654F4    4A              dec edx                                  ; loop top: step the index back from the end of the buffer
5CB654F5    880C32          mov byte ptr ds:[edx+esi],cl             ; buf[index] = current low byte
5CB654F8    0FACC1 08       shrd ecx,eax,0x8                         ; shift the eax:ecx pair right by 8 bits (low half)
5CB654FC    C1E8 08         shr eax,0x8                              ; ... and the high half
5CB654FF    85D2            test edx,edx
5CB65501  ^ 75 F1           jnz short sqlciphe.5CB654F4              ; repeat until index reaches 0
5CB65503    8BC7            mov eax,edi                              ; return value = bytes written; dbg note: user32.TranslateMessage
5CB65505    5F              pop edi                                  ; restore edi; dbg note: user32.TranslateMessage
5CB65506    5E              pop esi
5CB65507    C3              retn                                     ; no stack cleanup here, so the caller removes the args
5CB65508    83FA 0C         cmp edx,0xC                              ; edx still holds the type code on this path
5CB6550B    72 1F           jb short sqlciphe.5CB6552C               ; type below 12: target not shown in this excerpt
5CB6550D    8B4424 0C       mov eax,dword ptr ss:[esp+0xC]           ; eax = arg2 (record pointer); dbg note: DuiLib.DuiLib::CShadowUI::ParentProc
5CB65511    8B70 0C         mov esi,dword ptr ds:[eax+0xC]           ; esi = byte count stored in the record
5CB65514    85F6            test esi,esi
5CB65516    74 10           je short sqlciphe.5CB65528               ; zero count skips the copy; target not shown
5CB65518    56              push esi                                 ; 3rd argument: byte count
5CB65519    FF70 10         push dword ptr ds:[eax+0x10]             ; 2nd argument: source pointer from the record
5CB6551C    FF7424 10       push dword ptr ss:[esp+0x10]             ; 1st argument: arg1 (destination buffer)
5CB65520    E8 31C9F3FF     call sqlciphe.5CAA1E56                   ; presumably a memcpy-style copy (dst, src, count) — TODO confirm
  • 客户端消息发送 CALL【模块:PddWorkbench.exe】【模块基址:00A40000】
; Call-site fragment from PddWorkbench.exe: the enclosing function starts before and continues after this excerpt.
; Visible behaviour: ecx is loaded from [edi+0x784], the addresses of three ebp-relative locals are pushed,
; and 00A8AAB0 is called.
; NOTE(review): ecx set immediately before the call suggests a __thiscall method on the object stored at
;   [edi+0x784], with three pointer arguments — confirm against the callee's prologue and stack cleanup.
; The contents of the three locals are not visible here, so their roles cannot be read from this listing.
00BF7018    8D85 0CFFFFFF   lea eax,dword ptr ss:[ebp-0xF4]          ; eax = address of local at ebp-0xF4
00BF701E    C645 FC 1F      mov byte ptr ss:[ebp-0x4],0x1F           ; looks like a compiler exception-handling state index — confirm
00BF7022    8B8F 84070000   mov ecx,dword ptr ds:[edi+0x784]         ; ecx = pointer field at offset 0x784 of the object in edi
00BF7028    50              push eax                                 ; pushed first, so the last of the three arguments
00BF7029    8D85 54FFFFFF   lea eax,dword ptr ss:[ebp-0xAC]          ; eax = address of local at ebp-0xAC
00BF702F    50              push eax                                 ; middle argument
00BF7030    8D45 84         lea eax,dword ptr ss:[ebp-0x7C]          ; eax = address of local at ebp-0x7C
00BF7033    50              push eax                                 ; pushed last, so the first argument
00BF7034    E8 773AE9FF     call PddWorkb.00A8AAB0                   ; the call the page labels as the client's message-send routine