顶层初始特征码
; Top-level fragment; the enclosing function begins before this excerpt, so its
; prologue, frame layout and the meaning of ebp-relative locals are not visible here.
; 32-bit x86, x64dbg listing: address, opcode bytes, mnemonic.
5A3E6985 8BC1 mov eax,ecx ; eax = ecx (ecx is presumably the object pointer, MSVC thiscall style — confirm)
5A3E6987 6A FF push -0x1 ; pushed ahead of the call at 5A3E6992; looks like its third argument — confirm
5A3E6989 C600 00 mov byte ptr ds:[eax],0x0 ; first byte of the object at eax = 0
5A3E698C 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C] ; eax = &local at ebp-0x2C
5A3E698F 6A 00 push 0x0 ; second argument
5A3E6991 50 push eax ; first argument: &local (stack top): (&local, 0, -1)
5A3E6992 E8 F9249EFF call WeChatWi.59DC8E90
5A3E6997 81EC 30010000 sub esp,0x130 ; reserve 0x130 bytes on the stack
5A3E699D 8BCC mov ecx,esp ; ecx -> the reserved block (an object built in place as a by-value argument? unconfirmed)
5A3E699F 57 push edi ; edi's contents are set before this excerpt
5A3E69A0 E8 BBA7A8FF call WeChatWi.59E71160 ; uncertain address 1
5A3E69A5 E8 56000000 call WeChatWi.5A3E6A00 ; uncertain address 2 (precedes the middle-layer excerpt at 5A3E6A8B; possibly its enclosing routine — unconfirmed)
中间层特征码
; Middle-layer fragment; the enclosing function begins before and ends after this
; excerpt. The local object at ebp-0x58 is 0x30 bytes (ebp-0x58 .. ebp-0x28): its
; +0x28 field is ebp-0x30 and its +0x2C field is ebp-0x2C, which is why the two movs
; at 5A3E6AAA and 5A3E6AB2 write there before the copy at 5A3E6ABA.
5A3E6A8B /74 06 je short WeChatWi.5A3E6A93 ; flag comes from a test not shown; taken -> use the constant at 5A3E6A93
5A3E6A8D |66:8338 00 cmp word ptr ds:[eax],0x0 ; is the 16-bit unit at eax zero? (looks like an empty wide-string check — confirm)
5A3E6A91 |75 05 jnz short WeChatWi.5A3E6A98 ; non-zero: keep eax as the argument
5A3E6A93 \B8 047CE15A mov eax,WeChatWi.5AE17C04 ; fallback: address of a static value (its contents are not shown here)
5A3E6A98 FF75 40 push dword ptr ss:[ebp+0x40] ; second stack argument
5A3E6A9B 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx = &local object at ebp-0x58
5A3E6A9E 50 push eax ; first stack argument
5A3E6A9F E8 1CB1E0FF call WeChatWi.5A1F1BC0 ; (this=ecx) <- (eax, [ebp+0x40]); the copy routine at 5A3E6B10 calls the same function with (ptr, -1)
5A3E6AA4 8B45 34 mov eax,dword ptr ss:[ebp+0x34]
5A3E6AA7 83EC 30 sub esp,0x30 ; reserve 0x30 bytes: a temporary built in place, same size as the object 5A3E6B10 copies
5A3E6AAA 8945 D0 mov dword ptr ss:[ebp-0x30],eax ; local.+0x28 = [ebp+0x34]
5A3E6AAD 8BCC mov ecx,esp ; ecx = &temporary (destination of the copy)
5A3E6AAF 8D45 A8 lea eax,dword ptr ss:[ebp-0x58] ; eax = &local (source of the copy)
5A3E6AB2 C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0 ; local.+0x2C = 0
5A3E6AB9 50 push eax ; stack argument: source object
5A3E6ABA E8 51000000 call WeChatWi.5A3E6B10 ; middle-layer address 1: take the target address of this call. Copies local -> temporary (see 5A3E6B10); retn 4 pops the argument
5A3E6ABF E8 CC000000 call WeChatWi.5A3E6B90 ; middle-layer address 2: take the target address of this call. The temporary is at the stack top when it is entered
5A3E6AC4 83C4 30 add esp,0x30 ; caller discards the temporary, so 5A3E6B90 leaves its stack argument in place
5A3E6AC7 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58] ; ecx = &local again
5A3E6ACA E8 410B9EFF call WeChatWi.59DC7610 ; presumably tears down the local built at 5A3E6A9F — confirm
5A3E6ACF 8D4D 08 lea ecx,dword ptr ss:[ebp+0x8] ; ecx = &first stack argument of the enclosing function
5A3E6AD2 E8 F91AA0FF call WeChatWi.59DE85D0
5A3E6AD7 8B85 4C010000 mov eax,dword ptr ss:[ebp+0x14C]
5A3E6ADD 83F8 10 cmp eax,0x10 ; unsigned compare against 16
5A3E6AE0 72 12 jb short WeChatWi.5A3E6AF4 ; below 16 -> skip what follows (resembles the MSVC std::string small-buffer capacity test — unconfirmed)
收钱特征码1
;-----------------------------------------------------------------------
; 5A3E6B10 — complete routine (the call at 5A3E6ABA targets it).
; In:    ecx = destination object (edi), [ebp+0x8] = source object (esi)
; Out:   eax = destination object
; Stack: one stack argument, popped by `retn 0x4`
; Effect: builds a 0x30-byte object from another field by field — the
;   0x14-byte parts at +0x0 and +0x14 are zeroed and passed to 5A1F1BC0
;   together with the source's field and -1, then the dwords at +0x28 and
;   +0x2C are copied verbatim. The shape is that of a copy constructor;
;   that is inferred, not shown.
; Saves/restores esi, edi, ebp.
;-----------------------------------------------------------------------
5A3E6B10 55 push ebp ; signature of the first call
5A3E6B11 8BEC mov ebp,esp
5A3E6B13 56 push esi ; callee-saved
5A3E6B14 8B75 08 mov esi,dword ptr ss:[ebp+0x8] ; esi = source object (stack argument)
5A3E6B17 57 push edi ; callee-saved
5A3E6B18 8BF9 mov edi,ecx ; edi = destination object (ecx on entry)
5A3E6B1A 6A FF push -0x1 ; second argument of the call at 5A3E6B40 (-1 looks like a length/count sentinel — confirm)
5A3E6B1C C707 00000000 mov dword ptr ds:[edi],0x0 ; zero dest+0x0 .. dest+0x10 (five dwords)
5A3E6B22 C747 04 0000000>mov dword ptr ds:[edi+0x4],0x0
5A3E6B29 C747 08 0000000>mov dword ptr ds:[edi+0x8],0x0
5A3E6B30 C747 0C 0000000>mov dword ptr ds:[edi+0xC],0x0
5A3E6B37 C747 10 0000000>mov dword ptr ds:[edi+0x10],0x0
5A3E6B3E FF36 push dword ptr ds:[esi] ; first argument: source+0x0
5A3E6B40 E8 7BB0E0FF call WeChatWi.5A1F1BC0 ; (this=edi) <- ([esi], -1)
5A3E6B45 8D4F 14 lea ecx,dword ptr ds:[edi+0x14] ; ecx = second 0x14-byte part of the destination
5A3E6B48 C701 00000000 mov dword ptr ds:[ecx],0x0 ; zero dest+0x14 .. dest+0x24 (five dwords)
5A3E6B4E C741 04 0000000>mov dword ptr ds:[ecx+0x4],0x0
5A3E6B55 C741 08 0000000>mov dword ptr ds:[ecx+0x8],0x0
5A3E6B5C 6A FF push -0x1 ; second argument of the call at 5A3E6B6F
5A3E6B5E C741 0C 0000000>mov dword ptr ds:[ecx+0xC],0x0
5A3E6B65 C741 10 0000000>mov dword ptr ds:[ecx+0x10],0x0
5A3E6B6C FF76 14 push dword ptr ds:[esi+0x14] ; first argument: source+0x14
5A3E6B6F E8 4CB0E0FF call WeChatWi.5A1F1BC0 ; (this=edi+0x14) <- ([esi+0x14], -1)
5A3E6B74 8B46 28 mov eax,dword ptr ds:[esi+0x28] ; dest+0x28 = source+0x28
5A3E6B77 8947 28 mov dword ptr ds:[edi+0x28],eax
5A3E6B7A 8B46 2C mov eax,dword ptr ds:[esi+0x2C] ; dest+0x2C = source+0x2C
5A3E6B7D 8947 2C mov dword ptr ds:[edi+0x2C],eax
5A3E6B80 8BC7 mov eax,edi ; return the destination object
5A3E6B82 5F pop edi ; WeChatWi.5A3E6ABF (debugger note: return address = instruction after the call at 5A3E6ABA)
5A3E6B83 5E pop esi ; WeChatWi.5A3E6ABF
5A3E6B84 5D pop ebp ; WeChatWi.5A3E6ABF
5A3E6B85 C2 0400 retn 0x4 ; return and discard the one stack argument
收钱特征码2
; 0xCC filler bytes between the end of 5A3E6B10 (retn at 5A3E6B85) and the routine at 5A3E6B90.
5A3E6B8B CC int3
5A3E6B8C CC int3
5A3E6B8D CC int3
5A3E6B8E CC int3
5A3E6B8F CC int3
5A3E6B90 55 push ebp ; 第一个call特征
5A3E6B91 8BEC mov ebp,esp
5A3E6B93 6A FF push -0x1
5A3E6B95 68 D6ACBF5A push WeChatWi.5ABFACD6
5A3E6B9A 64:A1 00000000 mov eax,dword ptr fs:[0]
5A3E6BA0 50 push eax
5A3E6BA1 83EC 5C sub esp,0x5C
5A3E6BA4 A1 C480F75A mov eax,dword ptr ds:[0x5AF780C4]
5A3E6BA9 33C5 xor eax,ebp
5A3E6BAB 8945 F0 mov dword ptr ss:[ebp-0x10],eax
5A3E6BAE 53 push ebx
5A3E6BAF 56 push esi
5A3E6BB0 57 push edi
5A3E6BB1 50 push eax
5A3E6BB2 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
5A3E6BB5 64:A3 00000000 mov dword ptr fs:[0],eax
5A3E6BBB C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
5A3E6BC2 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0
5A3E6BC6 0F9EC0 setle al
5A3E6BC9 84C0 test al,al
5A3E6BCB 0F85 1C040000 jnz WeChatWi.5A3E6FED
5A3E6BD1 837D 20 00 cmp dword ptr ss:[ebp+0x20],0x0
5A3E6BD5 0F9EC0 setle al
5A3E6BD8 84C0 test al,al
5A3E6BDA 0F85 0D040000 jnz WeChatWi.5A3E6FED
5A3E6BE0 A1 74EDFD5A mov eax,dword ptr ds:[0x5AFDED74]
5A3E6BE5 83CF FF or edi,-0x1
5A3E6BE8 85C0 test eax,eax
5A3E6BEA 74 76 je short WeChatWi.5A3E6C62
5A3E6BEC 50 push eax
5A3E6BED 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
5A3E6BF0 50 push eax
5A3E6BF1 E8 0A449FFF call WeChatWi.59DDB000
5A3E6BF6 8BC8 mov ecx,eax
5A3E6BF8 E8 43D2CCFF call WeChatWi.5A0B3E40
5A3E6BFD C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
5A3E6C01 8B4D A4 mov ecx,dword ptr ss:[ebp-0x5C]
5A3E6C04 85C9 test ecx,ecx
5A3E6C06 0f94c0 sete al
5A3E6C09 34 01 xor al,0x1
5A3E6C0B 74 27 je short WeChatWi.5A3E6C34
5A3E6C0D 8B01 mov eax,dword ptr ds:[ecx]
5A3E6C0F FF50 18 call dword ptr ds:[eax+0x18]
5A3E6C12 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
5A3E6C15 C745 B8 0000000>mov dword ptr ss:[ebp-0x48],0x0
5A3E6C1C 50 push eax
5A3E6C1D 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
5A3E6C20 C745 BC 0000000>mov dword ptr ss:[ebp-0x44],0x0
5A3E6C27 E8 A40F0000 call WeChatWi.5A3E7BD0
5A3E6C2C 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
5A3E6C2F E8 5C409FFF call WeChatWi.59DDAC90
5A3E6C34 C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
5A3E6C38 8B75 A8 mov esi,dword ptr ss:[ebp-0x58]
5A3E6C3B 85F6 test esi,esi
5A3E6C3D 74 1F je short WeChatWi.5A3E6C5E
5A3E6C3F 8BC7 mov eax,edi
5A3E6C41 f0:0fc146 04 lock xadd dword ptr ds:[esi+0x4],eax
5A3E6C46 75 16 jnz short WeChatWi.5A3E6C5E
5A3E6C48 8B06 mov eax,dword ptr ds:[esi]
5A3E6C4A 8BCE mov ecx,esi
5A3E6C4C FF10 call dword ptr ds:[eax]
5A3E6C4E 8BC7 mov eax,edi
5A3E6C50 f0:0fc146 08 lock xadd dword ptr ds:[esi+0x8],eax
5A3E6C55 75 07 jnz short WeChatWi.5A3E6C5E
5A3E6C57 8B06 mov eax,dword ptr ds:[esi]
5A3E6C59 8BCE mov ecx,esi
5A3E6C5B FF50 04 call dword ptr ds:[eax+0x4]
5A3E6C5E C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
5A3E6C62 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
5A3E6C65 C745 B0 0000000>mov dword ptr ss:[ebp-0x50],0x0
5A3E6C6C C745 B4 0000000>mov dword ptr ss:[ebp-0x4C],0x0
5A3E6C73 E8 28D9A8FF call WeChatWi.59E745A0
5A3E6C78 8945 B0 mov dword ptr ss:[ebp-0x50],eax
5A3E6C7B 68 9872D85A push WeChatWi.5AD87298
5A3E6C80 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
5A3E6C83 C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
5A3E6C87 E8 04309FFF call WeChatWi.59DD9C90
5A3E6C8C C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
5A3E6C90 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
5A3E6C93 85C9 test ecx,ecx
5A3E6C95 74 20 je short WeChatWi.5A3E6CB7
5A3E6C97 66:8339 00 cmp word ptr ds:[ecx],0x0
5A3E6C9B 74 1A je short WeChatWi.5A3E6CB7
5A3E6C9D 6A 00 push 0x0
5A3E6C9F 51 push ecx
5A3E6CA0 8D55 14 lea edx,dword ptr ss:[ebp+0x14]
5A3E6CA3 E8 1855E1FF call WeChatWi.5A1FC1C0