淘宝的npaliedit在mb下会崩溃的问题解决了

这个np控件会在“确认收货”按钮里用到。点了后会出现6个格子，要填入密码。但mb一到这就会崩溃在

npObjectGetProperty的npObject->_class->getProperty(npObject, identifier, &result)

没办法，只能逆向下这个dll。

其实原因很简单，dll的setwindow_1000128C里会调用 CreateWindow_1000197D创建隐藏的windows

char __thiscall CreateWindow_1000197D(LONG dwNewLong, int npWindow)
{LONG v2; // esi@1char result; // al@2HWND v4; // eax@3int v5; // eax@4int v6; // ecx@4HWND v7; // eax@8HWND v8; // ST2C_4@8LONG v9; // eax@10HWND v10; // ST24_4@10LONG v11; // eax@10HWND v12; // ST24_4@10int v13; // eax@10struct tagRECT Rect; // [sp+Ch] [bp-10h]@4v2 = dwNewLong;if ( npWindow && (v4 = *(HWND *)npWindow, *(_DWORD *)(dwNewLong + 104) = *(_DWORD *)npWindow, v4) ){GetClientRect(v4, &Rect);v5 = Rect.right - Rect.left;v6 = Rect.bottom - Rect.top;if ( Rect.right == Rect.left )v5 = *(_DWORD *)(npWindow + 12);if ( Rect.bottom == Rect.top )v6 = *(_DWORD *)(npWindow + 16);v7 = CreateWindowExA(0x200u,"EDIT",WindowName,0x56810080u,Rect.left,Rect.top,v5,v6,*(HWND *)(v2 + 104),0,0,0);v8 = *(HWND *)(v2 + 104);*(_DWORD *)(v2 + 20) = v7;SetParent(v7, v8);SendMessageA(*(HWND *)(v2 + 20), 0xC5u, *(_DWORD *)(v2 + 44), 0);if ( *(_DWORD *)(v2 + 32) )SendMessageA(*(HWND *)(v2 + 20), 0xCCu, 0x2Au, 0);v9 = SetWindowLongA(*(HWND *)(v2 + 20), -4, (LONG)hook_win_proc_1000178A);v10 = *(HWND *)(v2 + 104);::dwNewLong = (WNDPROC)v9;v11 = SetWindowLongA(v10, -4, (LONG)sub_10001680);v12 = *(HWND *)(v2 + 20);dword_1008E54C = v11;SetWindowLongA(v12, -21, v2);SetWindowLongA(*(HWND *)(v2 + 104), -21, v2);v13 = init_this_24_10037264();*(_DWORD *)(v2 + 24) = v13;sub_100366C7(v13);sub_10036216(*(_DWORD *)(v2 + 24));sub_100358FD(*(_DWORD *)(v2 + 24));sub_10004340(*(_DWORD *)(v2 + 24));sub_10034FCC(*(_DWORD *)(v2 + 24), "支付宝安全控件 Gecko/win32 aliedit/1,2,0,2");sub_10035314(*(_DWORD *)(v2 + 24), -10002, "alieditversion");sub_10006254(*(_DWORD *)(v2 + 24));*(_DWORD *)(v2 + 4) = npWindow;*(_BYTE *)(v2 + 12) = 1;result = 1;}else{result = 0;}return result;
}

signed int __cdecl setwindow_1000128C(LONG *a1, int npWindow)
{LONG v3; // edi@5if ( !a1 )return 2;if ( !npWindow )return 1;v3 = *a1;if ( !*a1 )return 1;if ( !sub_10001717(*a1) ){if ( !*(_DWORD *)npWindow )goto LABEL_12;if ( !CreateWindow_1000197D(v3, npWindow) ){sub_10001D3F(v3);operator delete((void *)v3);return 4;}}if ( *(_DWORD *)npWindow )goto LABEL_13;
LABEL_12:if ( !sub_10001717(v3) ){
LABEL_13:sub_10001717(v3);if ( !*(_DWORD *)npWindow )sub_10001717(v3);}return 0;
}

其中问题就在init_this_24_10037264里，这里会初始化NPObject* npObject附带的一个结构体里的另外个

结构体A（+24偏移），这个会在

int __cdecl crash_1_10034A84(int a1, int a2)
{int result; // eax@1int v3; // ecx@2int v4; // esi@3result = a1;if ( a2 < 0 ){*(_DWORD *)(a1 + 8) += 8 * a2 + 8;}else{v3 = 8 * a2;if ( *(_DWORD *)(a1 + 8) < (unsigned int)(8 * a2 + *(_DWORD *)(a1 + 0xC)) ){do{*(_DWORD *)(*(_DWORD *)(a1 + 8) + 4) = 0;v4 = *(_DWORD *)(a1 + 12);*(_DWORD *)(a1 + 8) += 8;}while ( *(_DWORD *)(a1 + 8) < (unsigned int)(v3 + v4) );}*(_DWORD *)(a1 + 8) = v3 + *(_DWORD *)(a1 + 12);}return result;
}

里用到，而这个函数是在

int __thiscall crash_2_10002320(int this, int a2)
{int v2; // esi@1HWND hWnd; // ST0C_4@1HWND hWnd_1; // ST0C_4@3char *v5; // eax@4int v6; // eax@6char *v7; // eax@9char *v8; // eax@11char *v9; // eax@15int v11; // [sp+Ch] [bp-90h]@6int v12; // [sp+28h] [bp-74h]@1int v13; // [sp+2Ch] [bp-70h]@1char v14; // [sp+30h] [bp-6Ch]@16char *v15; // [sp+34h] [bp-68h]@4unsigned int v16; // [sp+48h] [bp-54h]@4LPARAM lParam; // [sp+4Ch] [bp-50h]@3int v18; // [sp+98h] [bp-4h]@3v2 = this;hWnd = *(HWND *)(this + 20);v13 = a2;v12 = 0;if ( (unsigned int)SendMessageA(hWnd, 0xEu, 0, 0) < 0x40 )// WM_GETTEXTLENGTH{memset(&lParam, 0, 0x40u);hWnd_1 = *(HWND *)(v2 + 20);*(_BYTE *)(v2 + 28) = 1;SendMessageA(hWnd_1, 0xDu, 0x3Fu, (LPARAM)&lParam);// WM_GETTEXTstd::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>((char *)&lParam);v18 = 0;if ( *(_DWORD *)(v2 + 32) ){v5 = v15;if ( v16 < 0x10 )v5 = (char *)&v15;v6 = sub_10002231((int)&v11, v5);LOBYTE(v18) = 1;sub_10001D6A(v6, 0, -1);LOBYTE(v18) = 0;std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(1, 0);}if ( *(_DWORD *)(v2 + 36) ){crash_1_10034A84(*(_DWORD *)(v2 + 24), 0);sub_10035165(*(_DWORD *)(v2 + 24), -10002, "encode");sub_10034F77(*(_DWORD *)(v2 + 24), *(_DWORD *)(v2 + 40));if ( *(_DWORD *)(v2 + 72) < 0x10u )v7 = (char *)(v2 + 52);elsev7 = *(char **)(v2 + 52);sub_10034FCC(*(_DWORD *)(v2 + 24), v7);v8 = v15;if ( v16 < 0x10 )v8 = (char *)&v15;sub_10034FCC(*(_DWORD *)(v2 + 24), v8);if ( sub_1003554B(*(_DWORD *)(v2 + 24), 3, 1, 0) )crash_1_10034A84(*(_DWORD *)(v2 + 24), -2);v9 = (char *)sub_10034E11(*(_DWORD *)(v2 + 24), -1, 0);std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(v9);crash_1_10034A84(*(_DWORD *)(v2 + 24), -2);}std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(&v14);std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(1, 0);}else{std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(v13);}return sub_1004737E();
}

里被调用到的。

char __thiscall sub_10002492(int this, int a2, int a3)
{char *v3; // edi@2void *v4; // eax@2size_t v5; // eax@4char result; // al@4char v7; // [sp+4h] [bp-20h]@2char *v8; // [sp+8h] [bp-1Ch]@2int v9; // [sp+18h] [bp-Ch]@2unsigned int v10; // [sp+1Ch] [bp-8h]@2*(_DWORD *)a3 = 0;*(_DWORD *)(a3 + 8) = 0;if ( a2 == txtData_1008E514 ){crash_2_10002320(**(_DWORD **)(this + 12), (int)&v7);v3 = (char *)((int (__cdecl *)(int))sub_100013D6)(v9 + 1);v4 = v8;if ( v10 < 0x10 )v4 = &v8;strcpy(v3, (const char *)v4);*(_DWORD *)a3 = 5;v5 = strlen(v3);*(_DWORD *)(a3 + 8) = v3;*(_DWORD *)(a3 + 12) = v5;std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(1, 0);result = 1;}else if ( a2 == dword_1008E528 ){*(_DWORD *)a3 = 2;*(_BYTE *)(a3 + 8) = 0;result = 1;}else{result = 0;}return result;
}

所以现在逻辑就清楚了：

js里去请求“txtData”的值，dll里就发windows消息到隐藏窗口里去取，此时那个结构体A没被初始化。

没初始化的原因是setwindow没被调用。

原因就是mb做了个优化，会异步调用setwindow（在 WebPluginImpl::platformStartAsyn()）。

现在把异步改成同步就搞定了

淘宝的npaliedit在mb下会崩溃的问题解决了相关推荐

比淘宝还藏龙卧虎的线下手机卖场，靠什么走天下？
本文讲的是比淘宝还藏龙卧虎的线下手机卖场,靠什么走天下?,每个城市,都会有一个手机卖场,品牌专卖店.渠道商城.运营商门店.私人摊点.二手交易方.配件零售商--鱼龙混杂地挤在一起. 电商还欠发达的时候, ...
3D模型代下【淘宝店3D模型代下渠道】解密
3D模型代下[淘宝店3D模型代下渠道]解密
极测未来|淘宝千人千面内容下的智能评测技术与实践
背景挑战全面个性化.内容化的淘宝,构造了基于内容的丰富的导购场景,包括猜你喜欢.有好货.每日好店.必买清单.哇哦视频.微淘.买家秀.头条.洋葱盒子-..个性化,给消费者带来更精准的货品分发.内容化为 ...
「优知学院」淘宝架构的前世今生（下）
" 淘宝技术架构前世今生就是一部架构活教材,今天仍然由陈睿mikechen为大家解读淘宝架构. 我稍微把前面淘宝架构的三个阶段简短总结: 淘宝1.0 采用LAMP mysql读写操作淘宝2 ...
用Swift实现淘宝和大众点评的下拉刷新
来自Leo的原创博客,转载请著名出处我的StackOverflow 我的Github https://github.com/LeoMobileDeveloper 效果淘宝大众点评项目地址其中 ...
淘宝线上线下“出淘”欲打造零售业航母
2010年1月16日,杭州首批150家代购店正式营业. 2010伊始,淘宝网连番"大动作",变身的速度势不可挡.一方面集结联想.美的等大型品牌厂家组建3C电器城,摆脱"小 ...
Android 仿淘宝商品详情页下拉足迹Demo
DropDownMultiPager 仿淘宝等商品详情页下拉足迹效果SimpleDemo 可colne之后看MainActivity的调用,方便二次开发依赖 compile 'com.nineold ...
淘宝线下代购店网店和消费者同时受益
淘宝线下代购店网店和消费者同时受益宏毅互联网的发展,让网购深入人心,而作为网购的老大,淘宝几乎成了网购的代名词,如今,作为亚洲最大的网络零售商圈淘宝网已不再满足于只在线上发展,2010年1月14 ...
伏威谈淘宝网的高并发处理与压力测试（转）
其实到现在为止距离淘宝双十一事件已经过去蛮多天了,但在整个技术圈里面大家还是津津乐道.我这次在采访之前在和一些网友做沟通的时候,他们也提出了非常多非常有意思的问题,包括一些高并发的,一些压力测试的等 ...
金九银十，做一个百度喜欢的淘宝客网站
随着淘宝销售旺季-金九银十的到来,淘宝客一词似乎又一次火爆起来,这一群人似乎依然热情高涨,无论新手,老鸟,都忘乎所以的奔向这片炙手可热的红海,毕竟类似淘宝客这种超低门槛的网赚手段还是十分的吸引人,更不 ...

淘宝的npaliedit在mb下会崩溃的问题解决了

淘宝的npaliedit在mb下会崩溃的问题解决了相关推荐

最新文章

热门文章