猛牛哥

Assembly byte signature for obtaining the NIC MAC address

Obtaining a NIC's MAC address generally goes through the IPHLPAPI module. Below is the code in that module that retrieves the MAC address (internal name: IPHLPAPI.GetAdaptersInfo). To locate this address you can search for the signature formed by its first 24 bytes: 8B FF 55 8B EC 51 57 8B 7D 0C 85 FF 0F 84 E2 27 00 00 56 8D 45 FC 50 E8 (tested: this does not work, because the signature changes). Alternatively, attach OllyDbg to the target process, press CTRL+N to view IPHLPAPI's export table, and look up the address of GetAdaptersInfo there.

727A9263 >  8BFF            mov edi,edi
727A9265    55              push ebp
727A9266    8BEC            mov ebp,esp
727A9268    51              push ecx
727A9269    57              push edi
727A926A    8B7D 0C         mov edi,dword ptr ss:[ebp+0xC]
727A926D    85FF            test edi,edi
727A926F    0F84 E2270000   je IPHLPAPI.727ABA57
727A9275    56              push esi
727A9276    8D45 FC         lea eax,dword ptr ss:[ebp-0x4]
727A9279    50              push eax
727A927A    E8 D1FDFFFF     call IPHLPAPI.727A9050
727A927F    8BF0            mov esi,eax
727A9281    85F6            test esi,esi
727A9283    0F85 C0000000   jnz IPHLPAPI.727A9349
727A9289    3945 FC         cmp dword ptr ss:[ebp-0x4],eax
727A928C    0F84 CD270000   je IPHLPAPI.727ABA5F
727A9292    FF75 FC         push dword ptr ss:[ebp-0x4]
727A9295    E8 3FFBFFFF     call IPHLPAPI.727A8DD9
727A929A    83F8 FF         cmp eax,-0x1
727A929D    0F87 C6270000   ja IPHLPAPI.727ABA69
727A92A3    8B75 08         mov esi,dword ptr ss:[ebp+0x8]
727A92A6    85F6            test esi,esi
727A92A8    0F84 8F000000   je IPHLPAPI.727A933D
727A92AE    8B0F            mov ecx,dword ptr ds:[edi]
727A92B0    3BC8            cmp ecx,eax
727A92B2    0F82 85000000   jb IPHLPAPI.727A933D
727A92B8    53              push ebx
727A92B9    51              push ecx
727A92BA    6A 00           push 0x0
727A92BC    56              push esi
727A92BD    E8 33A2FFFF     call <jmp.&msvcrt.memset>
727A92C2    83C4 0C         add esp,0xC
727A92C5    8D45 FC         lea eax,dword ptr ss:[ebp-0x4]
727A92C8    50              push eax
727A92C9    8975 0C         mov dword ptr ss:[ebp+0xC],esi
727A92CC    E8 D3000000     call IPHLPAPI.727A93A4
727A92D1    8B5D FC         mov ebx,dword ptr ss:[ebp-0x4]
727A92D4    85DB            test ebx,ebx
727A92D6    74 6C           je XIPHLPAPI.727A9344
727A92D8    8B7D 0C         mov edi,dword ptr ss:[ebp+0xC]
727A92DB    8145 0C 80020000 add dword ptr ss:[ebp+0xC],0x280
727A92E2    8BC7            mov eax,edi
727A92E4    B9 A0000000     mov ecx,0xA0
727A92E9    8BF3            mov esi,ebx
727A92EB    F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]
727A92ED    8D4D 0C         lea ecx,dword ptr ss:[ebp+0xC]
727A92F0    8945 08         mov dword ptr ss:[ebp+0x8],eax
727A92F3    51              push ecx
727A92F4    05 AC010000     add eax,0x1AC
727A92F9    50              push eax
727A92FA    FFB3 AC010000   push dword ptr ds:[ebx+0x1AC]
727A9300    E8 80E8FFFF     call IPHLPAPI.727A7B85
727A9305    8B75 08         mov esi,dword ptr ss:[ebp+0x8]
727A9308    8D45 0C         lea eax,dword ptr ss:[ebp+0xC]
727A930B    50              push eax
727A930C    8D86 D4010000   lea eax,dword ptr ds:[esi+0x1D4]
727A9312    50              push eax
727A9313    FFB3 D4010000   push dword ptr ds:[ebx+0x1D4]
727A9319    E8 67E8FFFF     call IPHLPAPI.727A7B85
727A931E    8D45 0C         lea eax,dword ptr ss:[ebp+0xC]
727A9321    50              push eax
727A9322    8D86 50020000   lea eax,dword ptr ds:[esi+0x250]
727A9328    50              push eax
727A9329    FFB3 50020000   push dword ptr ds:[ebx+0x250]
727A932F    E8 51E8FFFF     call IPHLPAPI.727A7B85
727A9334    8B45 0C         mov eax,dword ptr ss:[ebp+0xC]
727A9337    8906            mov dword ptr ds:[esi],eax
727A9339    8B1B            mov ebx,dword ptr ds:[ebx]
727A933B  ^ EB 97           jmp XIPHLPAPI.727A92D4
727A933D    8907            mov dword ptr ds:[edi],eax
727A933F    6A 6F           push 0x6F
727A9341    5E              pop esi
727A9342    EB 05           jmp XIPHLPAPI.727A9349
727A9344    211E            and dword ptr ds:[esi],ebx
727A9346    33F6            xor esi,esi
727A9348    5B              pop ebx
727A9349    FF75 FC         push dword ptr ss:[ebp-0x4]
727A934C    E8 0D000000     call IPHLPAPI.727A935E
727A9351    8BC6            mov eax,esi
727A9353    5E              pop esi
727A9354    5F              pop edi
727A9355    C9              leave
727A9356    C2 0800         retn 0x8
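The post notes that the fixed 24-byte signature stops matching. The reason is visible in the listing: bytes 15-18 of the signature are the rel32 operand of the je, which differs from build to build. The following is an added example (not code from the post) that matches the same prologue with those bytes masked out and uses the masked pattern as an integrity check on an export's entry bytes; the sample buffers are constructed from the listing above and are not dumps from a real process.

```python
# Added example: masked signature matching for the GetAdaptersInfo prologue
# listed above. The rel32 operands of the je and call differ between builds,
# which is why the exact 24-byte signature quoted in the post stops matching;
# masking those bytes keeps only the stable opcode bytes.
from typing import List, Optional

Pattern = List[Optional[int]]  # None = wildcard byte

def parse_pattern(text: str) -> Pattern:
    """'8B FF ?? 55' -> [0x8B, 0xFF, None, 0x55]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def match_at(buf: bytes, pat: Pattern, off: int) -> bool:
    """True if pat matches buf starting at offset off."""
    if off < 0 or off + len(pat) > len(buf):
        return False
    return all(p is None or buf[off + i] == p for i, p in enumerate(pat))

def find_pattern(buf: bytes, pat: Pattern) -> Optional[int]:
    """Offset of the first match of pat in buf, or None."""
    return next((i for i in range(len(buf) - len(pat) + 1) if match_at(buf, pat, i)), None)

# Exact signature as quoted in the post (includes the je rel32 bytes E2 27 00 00).
EXACT_SIG = parse_pattern("8B FF 55 8B EC 51 57 8B 7D 0C 85 FF 0F 84 E2 27 00 00 56 8D 45 FC 50 E8")
# Same prologue with the je displacement masked out.
MASKED_SIG = parse_pattern("8B FF 55 8B EC 51 57 8B 7D 0C 85 FF 0F 84 ?? ?? ?? ?? 56 8D 45 FC 50 E8")

# Constructed samples taken from the listing above (727A9263..727A927E).
# The four leading CC bytes stand in for inter-function padding.
LISTED = bytes.fromhex("CCCCCCCC" "8BFF558BEC51578B7D0C85FF0F84E2270000568D45FC50E8D1FDFFFF")
# Same function as it might look in another build: only the je displacement differs.
REBUILT = bytes.fromhex("CCCCCCCC" "8BFF558BEC51578B7D0C85FF0F8410200000568D45FC50E8D1FDFFFF")
# Entry bytes overwritten with jmp rel32 (E9), the usual footprint of an inline hook.
DETOURED = bytes.fromhex("E900100000" "51578B7D0C85FF0F84E2270000568D45FC50E8D1FDFFFF")

def prologue_status(code: bytes) -> str:
    """Integrity check for the bytes at an export's entry: 'intact' if the masked
    prologue sits at offset 0, 'detour' if the entry starts with a jmp, else 'unknown'."""
    if match_at(code, MASKED_SIG, 0):
        return "intact"
    if code[:1] in (b"\xE9", b"\xEB"):
        return "detour"
    return "unknown"

if __name__ == "__main__":
    print(find_pattern(LISTED, EXACT_SIG), find_pattern(REBUILT, EXACT_SIG))    # 4 None
    print(find_pattern(LISTED, MASKED_SIG), find_pattern(REBUILT, MASKED_SIG))  # 4 4
    print(prologue_status(LISTED[4:]), prologue_status(DETOURED))             # intact detour
```

On a live system the bytes passed to prologue_status would be read from the address that the export table gives for GetAdaptersInfo, exactly the address the CTRL+N lookup in OllyDbg shows.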

Original by 猛牛哥: 猛牛哥的博客 » Assembly byte signature for obtaining the NIC MAC address
