The sub_10444A99C function under STNManager__MMStartTask

Layout: taskid (4 bytes), cmdId (4 bytes), then some 8-byte field that is always 0, then the fixed value 00030001, then the cgi string pointer.

Task info:

| Address range | Bytes (hex) | Notes / interpretation |
|---|---|---|
| 175ED6600 - D6607 | E2 00 00 00 0A 02 00 00 | data (probably ID + type) |
| 175ED6608 - D660F | 00 00 00 00 00 00 00 00 | padding |
| 175ED6610 - D6617 | 03 00 00 00 01 00 00 00 | counters (3, 1) |
| 175ED6618 - D661F | 30 5B 58 D9 0C 00 00 00 | memory pointer: 0xCD9585B30 |
| 175ED6620 - D6627 | 20 00 00 00 00 00 00 00 | length/offset (32) |
| 175ED6628 - D662F | 30 00 00 00 00 00 00 80 | flags |
| 175ED6630 - D6637 | 00 01 01 01 00 AA AA AA | status bytes + alignment padding |
| 175ED6638 - D663F | 00 00 00 00 03 00 00 00 | padding + counter (3) |
| 175ED6640 - D6647 | 01 00 00 00 FF FF FF FF | counter (1) + terminator/error code (-1) |
| 175ED6648 - D664F | FF FF FF FF 00 AA AA AA | terminator (-1) + padding |
| 175ED6650 - D6657 | FF FF FF FF AA AA AA AA | padding / uninitialised memory |
| 175ED6658 - D665F | 00 00 00 00 00 00 00 00 | padding |
| 175ED6660 - D6667 | 0A 02 00 00 00 00 00 00 | type identifier |
| 175ED6668 - D666F | 64 65 66 61 75 6C 74 2D | ASCII "default-" |
| 175ED6670 - D6677 | 6C 6F 6E 67 6C 69 6E 6B | ASCII "longlink" |
| 175ED6678 - D667F | 00 AA AA AA AA AA AA 10 | string terminator + padding + length |
| 175ED6680 - D66F7 | [... all-00 fill region ...] | contiguous empty memory |
| 175ED66F8 - D66FF | 00 00 00 00 00 00 00 00 | padding |
| 175ED6700 - D6747 | [... all-00 fill region ...] | contiguous empty memory |
| 175ED6748 - D674F | 01 00 00 00 AA AA AA AA | boolean/counter + padding |
| 175ED6750 - D677F | [... all-00 fill region ...] | contiguous empty memory |
| 175ED6780 - D6787 | 03 00 00 00 00 00 00 00 | counter (3) |
| 175ED6788 - D678F | 00 00 AA AA AA AA AA AA | padding |
| 175ED6790 - D6797 | 98 67 ED 75 01 00 00 00 | pointer: 0x175ED6798 |
| 175ED6798 - D679F | 00 00 00 00 00 00 00 00 | trailing padding |

Format sent by mars (log output):

```text
task start long
short taskid:1067
cmdid:522
need_authed:true
cgi:/cgi-bin/micromsg-bin/newsendmsg
channel_select:3
limit_flow:true
channel_name:default-longlink
```

```text
taskid:1134,
cmdid:522,
need_authed:true,
cgi:/cgi-bin/micromsg-bin/newsendmsg,
channel_select:3,
limit_flow:true,
channel_name:default-longlink
```

Load [x0,#0x60] into x0, then load [x0,#0x28] into x0; X0 = X0 + #0xB8 is then the message pointer.

Second pointer: 7d88fbfc0. First pointer: 7d3f60a80. Inside it, the first pointer 107f968a0 is a function; the second pointer is 7d74ae4a0, whose first pointer 7d3fd9a20 is the recipient id; the third pointer 7d3fdb500 is the message content (if the message is long, it is a pointer to the message). The next 4 bytes are 1, and the 4 bytes after that are a timestamp. The 5th pointer is the html-tag pointer: 1. The following 8 bytes are a number, possibly the message id?

Later on there is another pointer of the same kind; it also points at some message content, but it is not the same pointer as the one above.

| Address range | Bytes (hex) | Notes / possible meaning |
|---|---|---|
| 7D3F60A80 - 60A87 | A0 68 F9 07 01 00 00 00 | pointer: 0x107F968A0 |
| 7D3F60A88 - 60A8F | A0 E4 4A D7 07 00 00 00 | pointer: 0x7D74AE4A0 |
| 7D3F60A90 - 60A97 | 00 B5 FD D3 07 00 00 00 | pointer: 0x7D3FDB500 |
| 7D3F60A98 - 60A9F | 01 00 00 00 B8 2B 4A 69 | data (the number 1 + part of a hash?) |
| 7D3F60AA0 - 60AA7 | 20 B5 FD D3 07 00 00 00 | pointer: 0x7D3FDB520 |
| 7D3F60AA8 - 60AAF | 30 35 AE 8C 00 00 00 00 | integer / timestamp |
| 7D3F60AB0 - 60AB7 | 00 00 00 00 3F 00 00 00 | flags / length (63) |
| 7D3F60AB8 - 60ABF | 00 00 00 00 00 00 00 00 | padding |
| 7D3F60AC0 - 60AC7 | A0 68 F9 07 01 00 00 00 | pointer: 0x107F968A0 (repeated) |
| 7D3F60AC8 - 60ACF | C0 6B 62 D7 07 00 00 00 | pointer: 0x7D7626BC0 |
| 7D3F60AD0 - 60AD7 | 20 AC FD D3 07 00 00 00 | pointer: 0x7D3FDAC20 |
| 7D3F60AD8 - 60ADF | 01 00 00 00 B8 2B 4A 69 | repeated pattern data |
| 7D3F60AE0 - 60AE7 | 00 BE FD D3 07 00 00 00 | pointer: 0x7D3FDBE00 |
| 7D3F60AE8 - 60AEF | 30 35 AE 8C 00 00 00 00 | repeated integer |
| 7D3F60AF0 - 60AF7 | 00 00 00 00 3F 00 00 00 | repeated flags |
| 7D3F60AF8 - 60AFF | 00 00 00 00 00 00 00 00 | padding |
| 7D3F60B00 - 60B07 | 43 55 CB A4 55 7C E4 96 | random data / encrypted payload |
| 7D3F60B08 - 60B0F | F0 90 52 ... | truncated here |

The X0 register at req2Buf:

| Offset | Bytes (hex) | Interpretation / notes |
|---|---|---|
| 0x00 | C0 1D F9 07 01 00 00 00 | callback function pointer (0x107F91DC0) |
| 0x08 | 10 1F F9 07 01 00 00 00 | callback function pointer (0x107F91F10) |
| 0x10 | 40 1F F9 07 01 00 00 00 | callback function pointer (0x107F91F40) |
| 0x18 | 01 00 00 00 00 00 00 00 | the number 1 (64-bit integer) |
| 0x20 | 50 B7 E2 24 07 00 00 00 | memory address/pointer: client info |
| 0x28 | C8 34 DC 0E 01 00 00 00 | memory address/pointer: ZTUM fill |
| 0x30 | 40 93 05 25 07 00 00 00 | memory address/pointer: callback function |
| 0x38 | 50 93 05 25 07 00 00 00 | memory address/pointer: callback function |
| 0x40 | 50 43 C9 24 07 00 00 00 | memory address/pointer: callback function |
| 0x48 | 30 CC 09 25 07 00 00 00 | memory address/pointer: callback function |
| 0x50 | 60 93 05 25 07 00 00 00 | memory address/pointer: callback function |
| 0x58 | 60 C0 47 24 07 00 00 00 | message field pointer |
| 0x60 | 60 C0 47 24 07 00 00 00 | message field pointer |
| 0x68 | 01 00 00 00 00 00 00 00 | the number 1 |
| 0x70 | 5A 54 55 4D 00 00 00 00 | ASCII "ZTUM" fill |
| 0x78 | 00 00 00 00 A0 20 00 00 | cmdid |
| 0x80 | 00 00 00 00 5A 54 55 4D | ASCII "ZTUM" fill |
| 0x88 | 00 00 00 00 00 00 00 00 | all-zero padding |
| 0x90 | 00 28 00 00 00 28 00 00 | offset/length (40, 40) |
| 0x98 | FF FF FF FF FF FF FF FF | -1 (64-bit) |
| 0xa0 | 07 43 24 F1 FE FF FF FF | special flag / two's-complement address |
| 0xa8 | 5A 54 55 4D 5A 54 55 4D | ASCII "ZTUMZTUM" fill |

Message field pointer:

| Offset | Bytes (hex) | Interpretation / notes |
|---|---|---|
| 0x00 | 00 00 00 00 00 00 00 00 | |
| 0x08 | 00 00 00 00 00 00 00 00 | |
| 0x10 | 78 46 DB 0E 01 00 00 00 | some callback function |
| 0x18 | 01 00 00 00 00 00 00 00 | the number 1 |
| 0x20 | A9 03 00 00 00 00 00 00 | taskId |
| 0x28 | 00 77 B6 BE 0B 00 00 00 | message body (pointer) |

```go
// SendMessage mirrors the "message field pointer" layout above
// (field name suffix = value observed in the dump).
type SendMessage struct {
	num1_0  int64
	num2_0  int64
	func1   uintptr // 10edb4678, still to be confirmed
	num3_1  int64
	taskId  int64
	message *Message // offset 0x28 holds a pointer to the message body
}
```

Message body pointer:

| Offset | Bytes (hex) | Interpretation / notes |
|---|---|---|
| 0x00 | 70 4F F0 07 01 00 00 00 | callback function |
| 0x08 | BF 03 00 00 0A 02 00 00 | taskId, cmdId |
| 0x10 | 03 00 00 00 00 00 00 00 | the number 3 |
| 0x18 | 60 2A 4F B3 05 00 00 00 | cgi |
| 0x20 | 20 00 00 00 00 00 00 00 | fixed |
| 0x28 | 30 00 00 00 00 00 00 80 | fixed |
| 0x30 | 00 01 01 01 00 00 00 00 | fixed |
| 0x38 | 00 00 00 00 00 00 00 00 | fixed |
| 0x40 | 00 00 00 00 00 00 00 00 | fixed |
| 0x48 | 00 00 00 00 00 00 00 00 | fixed |
| 0x50 | 00 00 00 00 00 00 00 00 | fixed |
| 0x58 | 01 00 00 00 01 01 01 01 | fixed |
| 0x60 | 00 00 00 00 00 00 00 00 | fixed |
| 0x68 | 00 00 00 00 00 00 00 00 | fixed |
| 0x70 | 00 00 00 00 00 00 00 00 | fixed |
| 0x78 | 00 00 00 00 00 00 00 00 | fixed |
| 0x80 | 00 00 00 00 00 00 00 00 | fixed |
| 0x88 | 00 00 00 00 00 00 00 00 | fixed |
| 0x90 | 00 00 00 00 00 00 00 00 | fixed |
| 0x98 | 90 6D 69 BE 0B 00 00 00 | function pointer 107f04fc8 |
| 0xa0 | 00 00 00 00 00 00 00 00 | fixed |
| 0xa8 | 00 00 00 00 00 00 00 00 | fixed |
| 0xb0 | 00 00 00 00 00 00 00 00 | fixed |
| 0xb8 | 18 69 F9 07 01 00 00 00 | callback function |
| 0xc0 | 80 4E 97 BE 0B 00 00 00 | message body |
| 0xc8 | 01 00 00 00 01 00 00 00 | fixed |
| 0xd0 | 04 00 00 00 00 00 00 00 | fixed |
| 0xd8 | 01 00 00 00 00 00 00 00 | fixed |
| 0xe0 | 01 00 00 00 00 00 00 00 | fixed |
| 0xe8 | 08 6A F9 07 01 00 00 00 | callback function |

```go
// Message mirrors the "message body pointer" layout above; the 4-byte gap
// after num1_3 is the natural alignment padding before the cgi pointer at 0x18.
type Message struct {
	func1   uintptr // 107f04f70
	taskId  int32
	cmdId   int32
	num1_3  int32
	cgi     uintptr // pointer to the cgi string
	num2_20 int64
	num3_30 int64
	num4_31 int64
	num5_0  int64
	num6_0  int64
	num7_0  int64
	num8_0  int64
	num9_51 int64
}
```
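Added example, not part of these notes: a decoder for the first 0x30 bytes of the message body layout, so the struct above can be checked against a raw dump instead of read by eye. The byte slice is constructed from the dump rows on this page; field names are the exported equivalents of the Message struct.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// MessageHeader covers offsets 0x00-0x2F of the message body dump:
// func1 @0x00, taskId @0x08, cmdId @0x0C, num1 @0x10 (+4 pad), cgi @0x18,
// num2 @0x20, num3 @0x28. Exported names mirror the page's Message struct.
type MessageHeader struct {
	Func1  uint64  // callback pointer (0x107F04F70 in the dump)
	TaskID int32   // 4-byte task id
	CmdID  int32   // 4-byte cmdid, 522 for newsendmsg in the log above
	Num1   int32   // the number 3
	_      [4]byte // alignment padding before the cgi pointer
	Cgi    uint64  // pointer to the cgi string
	Num2   int64   // fixed 0x20
	Num3   uint64  // fixed 0x8000000000000030
}

// sampleMessageBody is constructed from the first six rows (0x00-0x2F) of the
// "message body pointer" table above, little-endian as on arm64.
var sampleMessageBody = []byte{
	0x70, 0x4F, 0xF0, 0x07, 0x01, 0x00, 0x00, 0x00, // 0x00 func1
	0xBF, 0x03, 0x00, 0x00, 0x0A, 0x02, 0x00, 0x00, // 0x08 taskId=959 cmdId=522
	0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 0x10 num1=3 + padding
	0x60, 0x2A, 0x4F, 0xB3, 0x05, 0x00, 0x00, 0x00, // 0x18 cgi pointer
	0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 0x20 fixed 0x20
	0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, // 0x28 fixed 0x80..30
}

// DecodeMessageHeader parses one header from a raw memory read. Short buffers
// are rejected so a bad pointer chase fails loudly instead of yielding junk.
func DecodeMessageHeader(buf []byte) (MessageHeader, error) {
	var h MessageHeader
	if need := binary.Size(h); len(buf) < need {
		return h, fmt.Errorf("message header needs %d bytes, got %d", need, len(buf))
	}
	err := binary.Read(bytes.NewReader(buf), binary.LittleEndian, &h)
	return h, err
}

func main() {
	h, err := DecodeMessageHeader(sampleMessageBody)
	if err != nil {
		panic(err)
	}
	fmt.Printf("taskId=%d cmdId=%d cgi=0x%X func1=0x%X\n", h.TaskID, h.CmdID, h.Cgi, h.Func1)
}
```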
