QQ\u53bb\u5e7f\u544a+\u672c\u5730\u4f1a\u5458+\u663e\u793aIP\u5916\u6302\u539f\u7406<\/title><\/head><body><\/p>\n<h1 style=\"display:none\">QQ\u53bb\u5e7f\u544a+\u672c\u5730\u4f1a\u5458+\u663e\u793aIP\u5916\u6302\u539f\u7406<\/h1>\n<div>\n[\u672c\u6587\u9488\u5bf9QQ2007\u800c\u5199]<\/p>\n\u4e3b\u8981\u6280\u672f\u539f\u7406:<\/p>\n\u505aIPQQ,\u90a3\u4e48\u8fd9\u51e0\u4e2a\u5fc5\u5907\u5de5\u5177\u662f\u4e0d\u53ef\u7f3a\u7684:OllyDbg,PEExplorer,DASM32,MFCSpy2 \nQQ\u662f\u57fa\u4e8e\u63a5\u53e3\u8c03\u7528\u67b6\u6784\u7684,\u8fd9\u4e3a\u7aa5\u63a2\u5176\u5185\u90e8\u63d0\u4f9b\u4e86\u65b9\u4fbf\u4e4b\u95e8<\/p>\n0) \u7ecf\u8fc7\u5206\u6790,\u83b7\u77e5QQ\u83b7\u53d6IP\u4fe1\u606f\u662f\u901a\u8fc7\u63a5\u53e3\u8c03\u7528\u5b9e\u73b0\u7684,\u5176\u6b65\u9aa4\u4e3a \nIQQCore->IQQData->IQQUserDynData->dwIP\u65b9\u6cd5<\/p>\n1) \u83b7\u5f97IQQCore.\u8981\u83b7\u5f97\u6b64\u5168\u5c40\u63cf\u8ff0\u63a5\u53e3\u7684\u65b9\u6cd5\u6709\u5f88\u591a,\u6700\u597d\u7684\u5c31\u662f\u901a\u8fc7QQHelperDll.dll\u7684 ?IsLogin@@YAHPAUIQQCore@@@Z\u65b9\u6cd5\u83b7\u5f97,\u51fd\u6570\u8868\u8fbe\u4e3aint __cdecl IsLogin (struct IQQCore **).\u56e0\u4e3a\u8fd9\u4e2aIsLogIn\u65b9\u6cd5\u88abQQ\u9891\u7e41\u8c03\u7528,\u4e8e\u662fHook\u8fd9\u4e2a\u51fd\u6570,\u4fbf\u80fd\u8f7b\u6613\u83b7\u5f97IQQCore\u4e86<\/p>\nfunction IsLogin(pQQCore: Pointer): Integer; cdecl; \nbegin \nResult := Call original Func; \u8c03\u7528\u539f\u51fd\u6570 \npIQQCore := pQQCore; \u83b7\u5f97IQQCore \nend;<\/p>\n2) \u4eceIQQCore\u83b7\u5f97IQQData.\u8fd9\u4e2a\u4e8b\u60c5\u597d\u529e,QQ\u7684BasicCtrlDll.dll\u7684?GetFriendQQData@@YAHPAUIQQCore@@KPAPAUIQQData@@@Z\u65b9\u6cd5,\u5c31\u662f\u4eceIQQCore\u548cUIN\u83b7\u5f97IQQData,\u51fd\u6570\u8868\u8fbe\u4e3aint __cdecl GetFriendQQData(struct IQQCore *,unsigned long,struct IQQData * *)<\/p>\nasm \n\/\/ int __cdecl GetFriendQQData(struct IQQCore *,unsigned long,struct IQQData * *) \nmov eax, pIQQCore \nmov edx, UIN \/\/ QQ Uin (QQ number) \nlea ecx, Result \/\/ return = pIQQData \npush ecx \npush edx \npush eax \ncall GetFriendQQData \nadd esp, $C \/\/ fix call stack \nend;<\/p>\n3) \u4eceIQQData\u83b7\u5f97IQQUserDynData.\u5f88\u4e0d\u5e78,QQ\u6ca1\u6709\u76f4\u63a5\u63d0\u4f9b\u8be5\u65b9\u6cd5,\u53ea\u597dDASM QQ\u7684\u5185\u90e8,\u6765\u6a21\u62df\u6b64\u8fc7\u7a0b\u7684\u8c03\u7528. \nconst \nszQQUSER_DYNAMIC_DATA : PChar = ‘QQUSER_DYNAMIC_DATA’; \nclsid_IQQData : TGUID = ‘{BA863A1E-C979-498A-975C-C501C4F310A3}’; \nasm \n\/\/ pIQQData = Pointer(IQQData); \nmov ecx, pIQQData \nmov ecx, [ecx] \/\/ ecx = IQQData.vtbl \nmov eax, pIQQData \/\/ this pIQQData \nlea edx, Result \/\/ return = pIQQUDD \npush edx \nlea edx, clsid_IQQData \/\/ clsid_IQQData \npush edx \npush szQQUSER_DYNAMIC_DATA \npush eax \ncall [ecx + $54] \/\/ IQQData.vf_54h QQUSER_DYNAMIC_DATA proc entry \nend;<\/p>\n4) \u4eceIQQUserDynData\u83b7\u5f97IP\u4fe1\u606f. \nconst \nszdwIP : PChar = ‘dwIP’; \nszwPort : PChar = ‘wPort’; \nasm \n\/\/ get Uin info \nmov eax, pIQQUDD \nmov ecx, [eax] \nlea edx, dwIP \npush edx \npush szdwIP \npush eax\u3000\u3000\u3000 \ncall [ecx + $34] \/\/ IQQUDD.vf_34h \nmov eax, pIQQUDD \nmov ecx, [eax] \nlea edx, wPort \npush edx \npush szwPort \npush eax\u3000\u3000\u3000 \ncall [ecx + $30] \/\/ IQQUDD.vf_30h \nend;<\/p>\n\u4e0a\u9762\u7684\u4ee3\u7801,\u61c2ASM\u7684\u4eba\u5f88\u5bb9\u6613\u5c31\u80fd\u7406\u89e3\u7684,\u5176\u5b9e\u8fd9\u4e9b\u4ee3\u7801\u4e5f\u662f\u6765\u81eaQQ\u7684DASM\u5de5\u7a0b. \n\u6ce8\u610f\u4e00\u4e0b\u63a5\u53e3\u8c03\u7528\u548cCdecl\u5c31\u884c\u4e86,\u56e0\u4e3a\u7528Delphi\u5199\u7684,\u6240\u4ee5\u4e0d\u597d\u76f4\u63a5\u652f\u6301C++\u7684thiscall,\u6545\u91c7\u7528BASM\u65b9\u5f0f\u6765\u8c03\u7528~<\/p>\n\u81f3\u4e8e\u53bb\u5e7f\u544a,\u628a\u76ee\u5f55AD\u4e0b\u5168\u90e8\u6587\u4ef6\u548cDat\u4e0bAd.gif\u5220\u9664\u4e86,\u5e7f\u544a\u5c31\u4e0d\u4f1a\u51fa\u6765\u4e86. \n\u53ef\u662f\u8fd9\u6837QQ\u8fd8\u662f\u4f1a\u4e0b\u8f7d\u65b0\u7684\u5e7f\u544a\u7684,\u600e\u4e48\u529e\u5462?\u53ea\u597d\u4fee\u6539QQ\u5185\u90e8\u4e86,\u8fd9\u662f\u5c5e\u4e8e\u7834\u89e3\u7684\u8303\u7574,\u505a\u8d77\u6765\u4e5f\u5e76\u4e0d\u590d\u6742.<\/p>\nDASM\u5206\u6790QQ.EXE\u5373\u53ef\u67e5\u8be2\u5230"\u5e7f\u544a"\u548c"\u4e0b\u8f7d\u903b\u8f91"\u7684\u6587\u672c\u5e38\u91cf\u548cOD\u67e5\u627e\u5b57\u7b26\u4e32\u5e38\u91cf"Download_Start",\u5b83\u7684\u4e0a\u9762\u662f"SECTION_AD",\u7136\u540e\u628a\u76f8\u5173\u7684\u5730\u65b9NOP\u4e86\u5c31\u80fd\u4f7fQQ\u4e0d\u518d\u4e0b\u8f7d\u5e7f\u544a.\u4e0d\u540c\u7684\u7248\u672c\u8981\u4fee\u6539\u7684\u5730\u65b9\u4e0d\u4e00\u6837,\u8fd9\u91cc\u5c31\u4ec5\u4ee5QQ2007II Beta1\u4e3a\u4f8b<\/p>\n004E9D49 |. 57 push edi \n004E9D4A |. 50 push eax \n004E9D4B |. 57 push edi \n004E9D4C |. 53 push ebx \n004E9D4D |. 68 EFB14E00 push 004EB1EF ; Entry address \n^ \u8fd9\u91cc\u662f\u5e7f\u544a\u4e0b\u8f7d\u8fc7\u7a0b\u5165\u53e3,\u5230\u5165\u53e3\u6539\u4e3aretn\u76f4\u63a5\u8fd4\u56de\u5c31OK\u4e86 \n004E9D52 |. E8 DE4EF2FF call 0040EC35 \n004E9D57 |. 83C4 14 add esp, 14 \n004E9D5A |. BF 7CF55A00 mov edi, 005AF57C ; ASCII "C:\\config_asam.ini" \n004E9D5F |. C745 10 60EA0>mov dword ptr [ebp+10], 0EA60 \n004E9D66 |. 57 push edi ; \/FileName => "C:\\config_asam.ini" \n004E9D67 |. FF15 E0035400 call dword ptr [<&KERNEL32.GetFileAtt>; \\GetFileAttributesA \n004E9D6D |. 83F8 FF cmp eax, -1 \n004E9D70 |. 74 64 je short 004E9DD6 \n004E9D72 |. A8 10 test al, 10 \n004E9D74 |. 75 60 jnz short 004E9DD6 \n004E9D76 |. 57 push edi \n004E9D77 |. 8D4D B8 lea ecx, dword ptr [ebp-48] \n004E9D7A |. E8 657BFAFF call <jmp.&MFC42.#537_CString::CStrin> \n004E9D7F |. BF 84DB5500 mov edi, 0055DB84 \n004E9D84 |. C645 FC 0C mov byte ptr [ebp-4], 0C \n004E9D88 |. 897D B4 mov dword ptr [ebp-4C], edi \n004E9D8B |. B8 70F55A00 mov eax, 005AF570 ; ASCII "SECTION_AD" \n004E9D90 |. C645 FC 0D mov byte ptr [ebp-4], 0D \n004E9D94 |. 8BC8 mov ecx, eax \n004E9D96 |. 85C9 test ecx, ecx \n004E9D98 |. 74 1A je short 004E9DB4 \n004E9D9A |. B9 60F55A00 mov ecx, 005AF560 ; ASCII "Download_Start" \n004E9D9F |. 8BD1 mov edx, ecx \n004E9DA1 |. 85D2 test edx, edx \n004E9DA3 |. 74 0F je short 004E9DB4 \n004E9DA5 |. FF75 B8 push dword ptr [ebp-48] ; \/IniFileName \n004E9DA8 |. 6A 00 push 0 ; |Default = 0 \n004E9DAA |. 51 push ecx ; |Key => "Download_Start" \n004E9DAB |. 50 push eax ; |Section => "SECTION_AD" \n004E9DAC |. FF15 3C035400 call dword ptr [<&KERNEL32.GetPrivate>; \\GetPrivateProfileIntA \n004E9DB2 |. EB 02 jmp short 004E9DB6 \n004E9DB4 |> 33C0 xor eax, eax \n004E9DB6 |> 85C0 test eax, eax \n004E9DB8 |. 74 09 je short 004E9DC3 \n004E9DBA |. 69C0 E8030000 imul eax, eax, 3E8 \n004E9DC0 |. 8945 10 mov dword ptr [ebp+10], eax \n004E9DC3 |> C645 FC 0B mov byte ptr [ebp-4], 0B \n004E9DC7 |. 897D B4 mov dword ptr [ebp-4C], edi \n004E9DCA |. 8D4D B8 lea ecx, dword ptr [ebp-48] \n004E9DCD |. C645 FC 0B mov byte ptr [ebp-4], 0B \n004E9DD1 |. E8 D679FAFF call <jmp.&MFC42.#800_CString::~CStri> \n004E9DD6 |> 68 A0F45A00 push 005AF4A0 ; ASCII<\/p>\n"D:\\QQ\\qqbuilder_QQ2007IIbeta1Proj_int\\Basic_QQ_VOB\\QQ\\QQMainApp\\QQCSCenterSubApp.cpp" \n004E9DDB |. B9 886C5B00 mov ecx, 005B6C88 \n004E9DE0 |. E8 997AFAFF call <jmp.&MFC42.#860_CString::operat> \n004E9DE5 |. BF 906C5B00 mov edi, 005B6C90 \n004E9DEA |. 68 40165400 push 00541640 \n004E9DEF |. 8BCF mov ecx, edi \n004E9DF1 |. C705 8C6C5B00>mov dword ptr [5B6C8C], 470 \n004E9DFB |. E8 7E7AFAFF call <jmp.&MFC42.#860_CString::operat> \n004E9E00 |. 8B45 10 mov eax, dword ptr [ebp+10] \n004E9E03 |. 33D2 xor edx, edx \n004E9E05 |. B9 E8030000 mov ecx, 3E8 \n004E9E0A |. F7F1 div ecx \n004E9E0C |. 50 push eax \n004E9E0D |. 68 40F55A00 push 005AF540 \n004E9E12 |. 68 38F55A00 push 005AF538 ; ASCII "AD|asam" \n004E9E17 |. E8 AE78F1FF call 004016CA \n004E9E1C |. 83C4 0C add esp, 0C \n004E9E1F |. 837D EC 00 cmp dword ptr [ebp-14], 0 \n004E9E23 |. 74 17 je short 004E9E3C \n004E9E25 |. 6A FF push -1 \n004E9E27 |. FF75 EC push dword ptr [ebp-14] \n004E9E2A |. 56 push esi \n004E9E2B |. FF75 10 push dword ptr [ebp+10] \n004E9E2E |. 6A 0B push 0B \n004E9E30 |. E8 ED4CF2FF call 0040EB22 \n004E9E35 |. 83C4 14 add esp, 14 \n004E9E38 |. 85C0 test eax, eax \n004E9E3A |. 74 3D je short 004E9E79 \n^ \u8fd9\u91cc\u662f\u5224\u65ad\u5e7f\u544a\u662f\u5426\u8981\u4e0b\u8f7d, \u76f4\u63a5JMP\u5c31\u53ef\u4ee5\u8df3\u8fc7\u5e7f\u544a\u4e0b\u8f7d\u4e86 \n004E9E3C |> 68 A0F45A00 push 005AF4A0 ; ASCII<\/p>\n"D:\\QQ\\qqbuilder_QQ2007IIbeta1Proj_int\\Basic_QQ_VOB\\QQ\\QQMainApp\\QQCSCenterSubApp.cpp" \n004E9E41 |. B9 886C5B00 mov ecx, 005B6C88 \n004E9E46 |. E8 337AFAFF call <jmp.&MFC42.#860_CString::operat> \n004E9E4B |. 68 40165400 push 00541640 \n004E9E50 |. 8BCF mov ecx, edi \n004E9E52 |. C705 8C6C5B00>mov dword ptr [5B6C8C], 476 \n004E9E5C |. E8 1D7AFAFF call <jmp.&MFC42.#860_CString::operat> \n004E9E61 |. 68 18F55A00 push 005AF518 \n004E9E66 |. 68 38F55A00 push 005AF538 ; ASCII "AD|asam" \n004E9E6B |. E8 5A78F1FF call 004016CA \n004E9E70 |. 59 pop ecx \n004E9E71 |. 59 pop ecx \n004E9E72 |. 8BCB mov ecx, ebx \n004E9E74 |. E8 76130000 call 004EB1EF \n004E9E79 |> 8B45 EC mov eax, dword ptr [ebp-14] \n004E9E7C |. 33FF xor edi, edi \n004E9E7E |. 3BC7 cmp eax, edi \n004E9E80 |. 74 09 je short 004E9E8B<\/p>\n\u53ef\u662f\u5e7f\u544a\u7a97\u53e3\u8fd8\u662f\u7167\u6837\u5b58\u5728\u7684,\u800c\u4e14\u70b9\u51fb\u4e86\u4ecd\u65e7\u4f1a\u6709\u54cd\u5e94\u7684.\u8fd9\u5c31\u9760\u5916\u6302\u624d\u597d\u5904\u7406\u7684.\u8981\u627e\u5230QQ\u804a\u5929\u7a97\u53e3\u4e2d\u4efb\u610f\u4e00\u4e2aWinControl\u7684Handle\u5c31\u80fd\u8f7b\u677e\u7528\u4ee3\u7801\u5e72\u6389\u5e7f\u544a\u7a97\u53e3\u7684.<\/p>\nprocedure DisableQQAd(Wnd: LongInt); \nlabel DoNext; \nvar \nh, t: THandle; \ncn: array [0..254] of Char; \nfunction RemoveAdLabel(hStatic: THandle): Boolean; \nbegin \nResult := False; \nGetClassName(hStatic, @cn, SizeOf(cn)); \nif cn = ‘Static’ then \/\/ class name should be "Static" \nif GetWindowText(hStatic, @cn, SizeOf(cn)) > 0 then \nif Trim(cn) <> ” then \/\/ if Static control contain any Text \nbegin \nDestroyWindow(hStatic); \/\/ remove it! \nResult := True; \nExit; \nend; \nend; \nbegin \n\/\/ get root Win control \nwhile GetParent(Wnd) > 0 do Wnd := GetParent(Wnd); \n\/\/ remove QQ Ad url label \nh := GetWindow(Wnd, GW_CHILD or GW_HWNDFIRST); \nwhile h > 0 do \nbegin \/\/ search child controls in chat dialog root \ncn := ”; \n\/\/ for QQ 2008 final or above \nif RemoveAdLabel(h) then goto DoNext; \n\/\/ for QQ 2007 II to 2008 beta \nif cn = ‘#32770’ then \/\/ QQ frame \nbegin \/\/ searh child controls in frame control "#32770" \nh := GetWindow(h, GW_CHILD or GW_HWNDFIRST); \nwhile h > 0 do \nbegin \nif RemoveAdLabel(h) then goto DoNext; \nh := GetWindow(h, GW_HWNDNEXT); \nend; \nend; \nh := GetWindow(h, GW_HWNDNEXT); \nend; \nDoNext: \n\/\/ remove QQ AD panel \nh := GetWindow(Wnd, GW_CHILD or GW_HWNDFIRST); \nwhile h > 0 do \nbegin \ncn := ”; \nGetClassName(h, @cn, SizeOf(cn)); \nif cn = ‘#32770’ then \/\/ QQ frame \nbegin \nh := GetWindow(h, GW_CHILD or GW_HWNDFIRST); \nwhile h > 0 do \nbegin \nt := GetWindow(h, GW_CHILD or GW_HWNDFIRST); \nif t > 0 then \/\/ has child control \nbegin \nGetClassName(h, @cn, SizeOf(cn)); \nif cn = ‘Static’ then \/\/ found! \nbegin \nDestroyWindow(t); \/\/ destroy Ad window \n{ CreateWindow(‘Static’, ‘Hello world!!!’, \/\/ \u8fd9\u91cc\u53ef\u4ee5\u505a\u4ec0\u4e48? \n\/\/ \u521b\u5efa\u4e00\u4e2aForm,\u7528SetParent\u8ba9\u4f60\u7684Form\u9644\u7740\u5728\u4e0a\u9762\u7684, \n\/\/ \u8fd9\u6837\u53ef\u4ee5\u7528\u4f60\u81ea\u5df1\u7684\u7a97\u53e3\u66ff\u6362QQ\u7684\u5e7f\u544a\u680f,TX\u4e00\u5b9a\u4f1a\u975e\u5e38\u751f\u6c14\u7684, \n\/\/ \u4e3a\u4e86\u907f\u514d\u9ebb\u70e6,\u6700\u597d\u8fd8\u662f\u4e0d\u8981\u505a\u6b64\u7c7b\u4e8b\u60c5\u5566.\u8fd9\u91cc\u53ea\u662f\u8ba8\u8bba\u65b9\u6cd5\u800c\u5df2. \n\/\/ \u5982\u679c\u8981\u6dfb\u52a0\u81ea\u5df1\u7684Form,\u90a3\u4e48\u4f60\u8fd8\u5f97\u7528SetWindowLong\u6765Hook WndProc\u8fc7\u7a0b, \n\/\/ \u4ee5\u7528\u6765\u5904\u7406WM_CLOSE,\u786e\u4fdd\u5173\u95ed\u804a\u5929\u7a97\u53e3\u65f6\u80fd\u91ca\u653e\u4f60\u7684Form. \nWS_VISIBLE or WS_CHILD or SS_LEFT, \n0, 0, 242, 36, h, 0, h, nil); }<\/p>\nExit; \nend; \nend; \nh := GetWindow(h, GW_HWNDNEXT); \nend; \nend; \nh := GetWindow(h, GW_HWNDNEXT); \nend; \nend;<\/p>\n\u95ee\u9898\u662f\u5982\u4f55\u627e\u5230QQ\u804a\u5929\u7a97\u53e3\u4e2d\u7684\u4efb\u610f\u4e2a\u5bf9\u8c61\u7684Handle? \n\u65b9\u6cd5\u53ef\u4ee5\u662fEnumWindows\u5217\u4e3e\u7a97\u53e3,\u4ece\u6807\u9898\u680f\u5165\u624b,\u4f46\u662f\u8fd9\u4e2a\u65b9\u6cd5\u4e0d\u4fdd\u9669.\u6700\u597d\u7684\u505a\u6cd5\u5c31\u662f \nHook QQBaseClassInDll.dll\u4e2d\u7684\u51fd\u6570, \nQQ2007\u4e3a?SetUin@CAllInOneStatusBar@@QAEX_JH@Z \nQQ2007II Beta\u4e3a?SetUin@CAllInOneStatusBar@@QAEX_JKH@Z \n\u8fd9\u4e2a\u51fd\u6570\u7528\u4e8e\u8bbe\u7f6eQQ\u804a\u5929\u7a97\u53e3\u4e2d\u5bf9\u65b9\u53f7\u7801\u7684\u4fe1\u606f\u7528\u7684,\u8c03\u7528\u6b64\u51fd\u6570\u5fc5\u5b9a\u4f20\u9012\u4e00\u4e2aHandle,\u8fd9\u4e2aHandle\u5fc5\u5b9a\u5728\u804a\u5929\u7a97\u53e3\u4e2d\u7684,\u4e8e\u662f\u4e00\u5207\u597d\u529e,\u5269\u4e0b\u8981\u6ce8\u610f\u7684\u5c31\u662fDelphi\u4e0d\u652f\u6301thiscall\u7684,\u6240\u4ee5Hook\u8fd9\u4e2a\u51fd\u6570\u5fc5\u987b\u7528assembler\u65b9\u5f0f. \n\u81f3\u4e8eHandle\u5728\u90a3\u91cc,\u7528MFCSpy2\u5206\u6790\u5c31\u77e5\u9053,\u5728+0x20\u90a3\u91cc\u561b~ \n\u53e6\u5916\u6b64\u51fd\u6570\u540c\u65f6\u4f20\u9012\u5bf9\u65b9\u7684QQ\u53f7\u7801,\u4e5f\u662f\u76ee\u524d\u5f88\u591a\u5728\u7a97\u53e3\u4e0a\u73b0\u5b9eIP\u663e\u793a\u7684\u5916\u6302\u6240\u559c\u6b22Hook\u7684\u51fd\u6570\u4e4b\u4e00.<\/p>\n\u5230\u6b64\u65f6,\u5c31\u663eIP+\u53bb\u5e7f\u544a\u4e0a\u4e00\u5207OK\u4e86,\u82b1\u4e86\u4ffa2\u5929\u529f\u592b,\u5927\u529f\u544a\u6210!!<\/p>\n\u987a\u4fbf\u516c\u5f00\u53e6\u5916\u4e00\u4e2a\u53bb\u9664\u5e7f\u544a\u7684\u65b9\u6cd5,\u6b64\u65b9\u6cd5\u4e0d\u5fc5\u7ed9QQ\u7a0b\u5e8f\u4e2d\u6253\u786c\u8865\u4e01,\u800c\u4e14\u517c\u5bb9\u6027\u66f4\u7406\u60f3,\u4f46\u662fQQ\u5e7f\u544a\u4e0b\u8f7d\u8fd8\u662f\u5fc5\u987bNop\u6389, \u4e0d\u7136\u5e7f\u544a\u4f1a\u7167\u6837\u4e0b\u8f7d\u800c\u53ea\u662f\u4e0d\u663e\u793a\u800c\u5df2. \n\u8fd9\u5c31\u662fBasicCtrlDll\u4e2d\u7684?IsVIP@@YAHPAUIQQCore@@@Z\u5176\u539f\u578b\u4e3aint __cdecl IsVIP(struct IQQCore *) \n\u548cQQHelperDll.dll\u4e2d\u7684?GetSysBoolData@@YAHPBDAAHH@Z. \nOD\u5206\u6790QQAllInOne\u6709:<\/p>\n03605EFF FF15 38506C03 call dword ptr [<&BasicCtrlDll.IsVIP>] ; BasicCtr.IsVIP \n* ^\u5224\u65ad\u5f53\u524d\u767b\u9646\u7684QQ\u662f\u5426\u4e3aVIP,\u56e0\u4e3aVIP\u7528\u6237\u662f\u53ef\u4ee5\u5173\u95edQQ\u5e7f\u544a\u7684 \n03605F05 8365 FC 00 and dword ptr [ebp-4], 0 \n03605F09 8BF0 mov esi, eax \n03605F0B 8D45 FC lea eax, dword ptr [ebp-4] \n03605F0E 6A 01 push 1 \n03605F10 50 push eax \n03605F11 68 E8A76D03 push 036DA7E8 ; ASCII "m_bMemberDisableAD" \n03605F16 FF15 206D6C03 call dword ptr [<&QQHelperDll.GetSysBoolData’>; QQHelper.GetSysBoolData \n* ^\u83b7\u53d6\u5e7f\u544a\u663e\u793a\u8bbe\u7f6e \n03605F1C 83C4 10 add esp, 10 \n03605F1F 85F6 test esi, esi \n03605F21 5E pop esi \n03605F22 74 0B je short 03605F2F \n* ^\u5173\u952e!!! \u4e0d\u662fVIP\u5c31\u8df3\u7684,\u6240\u4ee5\u628a\u8fd9\u4e2aNOP\u4e86 \n03605F24 837D FC 00 cmp dword ptr [ebp-4], 0 \n03605F28 74 05 je short 03605F2F \n* ^\u5173\u952e!!! \u6ca1\u5173\u95edAD\u5c31\u8df3,\u6240\u4ee5\u518d\u628a\u8fd9\u4e2aNOP\u4e86 \n03605F2A 6A 01 push 1 \n03605F2C 58 pop eax \n\u8fd9\u6837,\u5c31\u5b9e\u73b0\u4e86\u53bbAD\u4e86<\/p>\n\u5177\u4f53\u53ef\u4ee5\u4f7f\u76f4\u63a5NOP\u4ee3\u7801,\u6216\u8005\u91c7\u7528Hook\u65b9\u6cd5: \nfunction IsVIP(pQQCore: Pointer): Integer; cdecl; \nbegin \nResult := 1; \nend;<\/p>\nfunction GetSysBoolData(AText: PChar; p: Pointer; bIsVIP: Boolean): Integer; cdecl; \n\/\/ int __cdecl GetSysBoolData(char const *,int &,int) \nbegin \nif AText = ‘m_bMemberDisableAD’ then \nbegin \nInteger(p^) := 1; \nResult := 1; \nExit; \nend; \nResult := Call original Func; \u8c03\u7528\u539f\u51fd\u6570 \nend;<\/p>\n\u8bf4\u5230\u8fd9\u91cc,\u80af\u5b9a\u6709\u4eba\u4f1a\u8bf4,\u5982\u679c\u5b9e\u73b0\u4e86\u672c\u5730\u4f1a\u5458,\u90a3\u5c31\u4e0d\u7528\u8fd9\u4e48\u9ebb\u70e6\u4e86\u561b?! \n\u663e\u7136,\u8fd9\u662f\u4e2a\u6377\u5f84,\u5b9e\u73b0\u8d77\u6765\u4e5f\u4e0d\u96be,\u5173\u952e\u662f\u627e\u5230\u7a81\u7834\u53e3 \n\u7ecf\u8fc7DASM\u5206\u6790,QQHelperDll\u662f\u4e2a\u5165\u624b\u70b9 \n\u7528PEExplorer\u8ba4\u771f\u67e5\u627e\u770b\u770b,\u679c\u7136\u6709\u53d1\u73b0,\u90a3\u5c31\u662fIsVipUser@qdatCurrentUser@@QAEHXZ \n\u4e00\u4e2a\u65e0\u53c2\u6570\u51fd\u6570,Hook\u4e86,\u5e76\u8ba9\u5176\u8fd4\u56deEAX=1,\u563f\u563f,\u679c\u7136\u6210\u4e86\u672c\u5730VIP,\u8fd9\u4e2a\u672c\u5730VIP\u53ef\u4ee5\u4eab\u53d7QQ2007II\u7684\u6d82\u9e26\u8868\u60c5\u54e6~ \n\u53ef\u662f\u5230\u4e86\u8fd9\u91cc\u5374\u4ecd\u65e7\u53d1\u73b0QQ\u7684\u8bbe\u7f6e\u4e0a,\u8fd8\u662f\u8bf4\u4f60\u662f"\u975e\u4f1a\u5458",\u4e0d\u80fd\u5c4f\u853d\u5e7f\u544a,\u548b\u529e? \n\u663e\u7136\u7684\u662fQQQSettingCtrl.dll\u5e76\u6ca1\u6709\u8c03\u7528qdatCurrentUser::IsVipUser\u6765\u5224\u65ad.\u90a3\u5b83\u8c03\u7528\u4e86\u90a3\u4e2a\u51fd\u6570\u5462? \n\u7ee7\u7eed\u52aa\u529b…N\u5c0f\u65f6\u540e\u53d1\u73b0!\u539f\u6765\u662fIsQQServiceEnable@@YAHI@Z \n\u8fd9\u662f\u4e00\u4e2aunsigned int\u5165\u53e3\u7684\u51fd\u6570,\u4f30\u8ba1\u662f\u670d\u52a1\u529f\u80fd\u53f7,\u7531\u6b64\u51fd\u6570\u5224\u65ad\u5f53\u524d\u767b\u5f55QQ\u7528\u6237\u53ef\u7528\u7684\u670d\u52a1,\u4e8e\u662fHook\u4e86,\u4e0d\u7ba1\u4e09\u4e03\u4e8c\u5341\u4e00,\u4e00\u5f8b\u8fd4\u56deEAX=1,\u518d\u6d4b\u8bd5…\u4e00\u5207OK!<\/p>\n\u81f3\u6b64,QQ\u5916\u6302\u53ef\u544a\u4e00\u6bb5\u843d\u4e5f~~<\/p>\n<\/div>\n<\/body><\/html><\/p>\n","protected":false},"excerpt":{"rendered":"QQ\u53bb\u5e7f\u544a+\u672c\u5730\u4f1a\u5458+\u663e\u793aIP\u5916\u6302\u539f\u7406 QQ\u53bb\u5e7f\u544a+\u672c\u5730\u4f1a\u5458+\u663e\u793aIP\u5916\u6302\u539f\u7406 [\u672c\u6587\u9488\u5bf9QQ2007\u800c\u5199] […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-183","post","type-post","status-publish","format-standard","hentry","category-skill"],"_links":{"self":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts\/183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/comments?post=183"}],"version-history":[{"count":0,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/posts\/183\/revisions"}],"wp:attachment":[{"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/media?parent=183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/categories?post=183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kyle.ai\/blog\/wp-json\/wp\/v2\/tags?post=183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":183,"date":"2009-01-05T18:15:00","date_gmt":"2009-01-05T10:15:00","guid":{"rendered":""},"modified":"2009-01-05T18:15:00","modified_gmt":"2009-01-05T10:15:00","slug":"","status":"publish","type":"post","link":"https:\/\/kyle.ai\/blog\/183.html","title":{"rendered":"QQ\u53bb\u5e7f\u544a+\u672c\u5730\u4f1a\u5458+\u663e\u793aIP\u5916\u6302\u539f\u7406"},"content":{"rendered":"