我是这样来做破解qq，做QQ外挂的 【－】

/**
 * @file 2005beta2-IQQData_IQQCore_IDynamicData.txt
 *
 * @brief 2005beta2-IQQData_IQQCore_IDynamicData.txt,v1.0 2005/09/08 23:58:18 sunwang
 *
 * QQ的核心接口分析 IQQData IQQCore IDynamicData，主要集中在BasicCtrlDll.dll QQHelperDll.dll，找几个引出函数分析分析
 * 如 CreateQQData IsFriendOnline GetFriendQQVer etc... 这些接口除了00 04 08是IUnknown以外，其他只有分析代码了
 * void __cdecl CreateQQData(struct IQQData * *)
 * int __cdecl IsFriendOnline(struct IQQCore *,unsigned long) [*]
 * int __cdecl GetFriendQQData(struct IQQCore *,unsigned long,struct IQQData * *) [*]
 * int __cdecl GetCurrentUin(struct IQQCore *,unsigned long *)
 * void __cdecl GetCurrentUserData(struct IQQCore *,struct IQQData * *)
 * int __cdecl GetFriendStat(struct IQQCore *,unsigned long)
 * long __cdecl GetQQDataBuf(struct IQQData *,char const *,class CString &) [*]  //<-------刚开始不知道有这个函数，好累
 * long __cdecl GetQQDataStr(struct IQQData *,char const *,class CString &) [*]  //<-------刚开始不知道有这个函数，好累
 *
 * 两个问题:  其他的都可以通过上面的函数搞定!
 * 1.IQQCore* 哪里得到?
 *   1.1 找一个不接口上不需要IQQCore*的函数分析，起内部肯定有引用，看这个引用在哪里，就可以得到了。嘿嘿。
 *   int __cdecl IsFriend3GUser(unsigned long)  //<--------分析太苦难了，自己找苦头
 *   1.2 hook一个带IQQCore*为参数的函数，就可以得到了，如
 *   int __cdecl InitQQShow(struct IQQCore *) [*]
 *   1.3 得到IQQCore*指针后，根据需要，拼凑vtbl就可以了
 *
 * 2.FriendUID 哪里得到? unsigned long 都是uin。tnnd。难点! 和 hook CQQCtrlBarWndEx wndproc一样困难。
 *   2.1 总会有函数初始化这个东西，并放在哪里的，要找准函数分析了
 *       2.1.1 CQQBarCtrlWndEx，只能依赖这个对象的偏移了，它的某个偏移肯定有uid
 *       2.1.2 CQQAllInOneDlg，只能依赖这个对象的偏移了，它的某个偏移肯定有uid。前面分析过CQQAllInStatusBar，上面有拼凑nickname(uid):xxx
 *             的代码，可能有用。void __thiscall CAllInOneStatusBar::GenStrShow(void)，便宜340h就是!!!。 [*]
 *             第一次WM_CREATE时候，得到偏移，此时肯定没有uid，以后得到消息就重新取，并增加自定义消息发给窗口来刷新显示了
 *   2.2 hook函数拦截参数? 呵呵，不合适。我们要在对话框窗口出来和在CQQBarCtrlWndEx出来的时候，就能得到friend uin，呵呵
 *
 * @author sunwang<[email protected]>
 */
 
/* BasicCtrlDll.dll
.text:10001C05 ; Exported entry  42. ?CreateQQData@@YAXPAPAUIQQData@@@Z
.text:10001C05
.text:10001C05 ; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹?
.text:10001C05
.text:10001C05
.text:10001C05 ; void __cdecl CreateQQData(struct IQQData * *)
.text:10001C05                 public ?CreateQQData@@YAXPAPAUIQQData@@@Z
.text:10001C05 ?CreateQQData@@YAXPAPAUIQQData@@@Z proc near
.text:10001C05
.text:10001C05 arg_0           = dword ptr  8
.text:10001C05
.text:10001C05                 push    edi
.text:10001C06                 mov     edi, [esp+arg_0]
.text:10001C0A                 test    edi, edi
.text:10001C0C                 jz      short loc_10001C33
.text:10001C0E                 push    esi
.text:10001C0F                 mov     ecx, offset off_100229E8
.text:10001C14                 call    ?CreateObject@CRuntimeClass@@QAEPAVCObject@@XZ ; CRuntimeClass::CreateObject(void)
.text:10001C19                 mov     esi, eax
.text:10001C1B                 test    esi, esi
.text:10001C1D                 jnz     short loc_10001C24
.text:10001C1F                 call    ?AfxThrowMemoryException@@YGXXZ ; AfxThrowMemoryException(void)
.text:10001C24
.text:10001C24 loc_10001C24:                           ; CODE XREF: CreateQQData(IQQData * *)+18j
.text:10001C24                 push    offset clsid_IQQData
.text:10001C29                 mov     ecx, esi
.text:10001C2B                 call    ?GetInterface@CCmdTarget@@QAEPAUIUnknown@@PBX@Z ; CCmdTarget::GetInterface(void const *)
.text:10001C30                 mov     [edi], eax      ; *(void**)=IQQData*
.text:10001C32                 pop     esi
.text:10001C33
.text:10001C33 loc_10001C33:                           ; CODE XREF: CreateQQData(IQQData * *)+7j
.text:10001C33                 pop     edi
.text:10001C34                 retn
.text:10001C34 ?CreateQQData@@YAXPAPAUIQQData@@@Z endp
*/

/* BasicCtrlDll.dll
.rdata:100229C8 clsid_IQQData   db  1Eh                 ; DATA XREF: CreateQQData(IQQData * *):loc_10001C24o
.rdata:100229C8                                         ; GetFriendNetwork(IQQCore *,ulong,int &,ulong &,ulong &,int &)+9Ao ...
.rdata:100229C9                 db  3Ah ; :
.rdata:100229CA                 db  86h ; ?
.rdata:100229CB                 db 0BAh ; ?

.rdata:100229CC                 db  79h ; y
.rdata:100229CD                 db 0C9h ; ?

.rdata:100229CE                 db  8Ah ; ?
.rdata:100229CF                 db  49h ; I

.rdata:100229D0                 db  97h ; ?
.rdata:100229D1                 db  5Ch ; /
.rdata:100229D2                 db 0C5h ; ?
.rdata:100229D3                 db    0
.rdata:100229D4                 db  1Ch
.rdata:100229D5                 db  4Fh ; O
.rdata:100229D6                 db  31h ; 1
.rdata:100229D7                 db 0A3h ; ?
*/

/* BasicCtrlDll.dll
static CLSID clsid_QQData=
{
    0xBA863A1E,
    0x0C979,
    0x498A,
    0x97, 0x5C, 0x0C5, 0, 0x1C, 0x4F, 0x31, 0x0A3
};
*/

/* QQHelperDll.dll 怎么使用CreateQQData(IQQData * *)的产生的接口IQQData
.text:60865BD5 loc_60865BD5:                           ; CODE XREF: sub_60865939+291j
.text:60865BD5                 lea     eax, [ebp+8]
.text:60865BD8                 push    eax
.text:60865BD9                 call    ?CreateQQData@@YAXPAPAUIQQData@@@Z ; CreateQQData(IQQData * *)
.text:60865BDE                 mov     eax, [ebp+8]    ; eax=IQQData*
.text:60865BE1                 pop     ecx
.text:60865BE2                 push    dword ptr [ebp-2Ch] ; var_ID
.text:60865BE5                 mov     ecx, [eax]      ; IQQData->vtbl
.text:60865BE7                 push    offset aId      ; param_str_ID
.text:60865BEC                 push    eax             ; (IData*)this
.text:60865BED                 call    dword ptr [ecx+20h] ; IQQData->vf_20h(param_str_ID,(void*)&var_ID)
.text:60865BF0                 mov     eax, [ebp+8]    ; eax=IQQData*
.text:60865BF3                 lea     edx, [ebp-218h] ; var_NUMBER
.text:60865BF9                 push    edx
.text:60865BFA                 push    offset aNumber  ; "NUMBER"
.text:60865BFF                 mov     ecx, [eax]
.text:60865C01                 push    eax
.text:60865C02                 call    dword ptr [ecx+20h] ; IQQData->vf_20h(param_str_NUMBER,(void*)&var_NUMBER)
.text:60865C05                 mov     eax, [ebp+8]
.text:60865C08                 lea     edx, [ebp-218h]
.text:60865C0E                 push    edx
.text:60865C0F                 push    offset aNumsave ; "NUMSAVE"
.text:60865C14                 mov     ecx, [eax]
.text:60865C16                 push    eax
.text:60865C17                 call    dword ptr [ecx+20h] ; IQQData->vf_20h(param_str_NUMSAVE,(void*)&var_NUMSAVE)
.text:60865C1A                 mov     eax, [ebp+8]
.text:60865C1D                 lea     edx, [ebp-248h]
.text:60865C23                 push    edx
.text:60865C24                 push    offset aName    ; "NAME"
.text:60865C29                 mov     ecx, [eax]
.text:60865C2B                 push    eax
.text:60865C2C                 call    dword ptr [ecx+20h] ; IQQData->vf_20h(param_str_NAME,(void*)&var_NAME)
.text:60865C2F                 mov     eax, [ebp+8]    ; eax=IQQData*
.text:60865C32                 mov     esi, eax        ; esi=IQQData*
.text:60865C34                 mov     edi, [eax]      ; edi=IQQData*->vtbl
.text:60865C36                 lea     eax, [ebp-228h] ; var_UIN
.text:60865C3C                 push    eax             ; char *
.text:60865C3D                 call    ds:atol
.text:60865C43                 pop     ecx
.text:60865C44                 push    eax             ; var_UIN
.text:60865C45                 push    offset aUin     ; "UIN"
.text:60865C4A                 push    esi             ; (IQQData*)this
.text:60865C4B                 call    dword ptr [edi+18h] ; IQQData*->vf_18h(var_UIN,str_UIN)
.text:60865C4E                 mov     eax, [ebp+8]
.text:60865C51                 push    dword ptr [ebp-25Ch]
.text:60865C57                 mov     ecx, [eax]
.text:60865C59                 push    offset aType    ; "TYPE"
.text:60865C5E                 push    eax
.text:60865C5F                 call    dword ptr [ecx+10h] ; IQQData*->vf_10h(str_TYPE,var_TYPE)
.text:60865C62                 mov     eax, [ebp+8]
.text:60865C65                 push    dword ptr [ebp-25Bh]
.text:60865C6B                 mov     ecx, [eax]
.text:60865C6D                 push    offset aImage   ; "IMAGE"
.text:60865C72                 push    eax
.text:60865C73                 call    dword ptr [ecx+10h] ; IQQData*->vf_10h(str_IMAGE,var_IMAGE)
.text:60865C76                 mov     eax, [ebp+8]
.text:60865C79                 push    dword ptr [ebp-250h]
.text:60865C7F                 mov     ecx, [eax]
.text:60865C81                 push    offset aGender  ; "GENDER"
.text:60865C86                 push    eax
.text:60865C87                 call    dword ptr [ecx+0Ch] ; IQQData*->vf_0ch(str_GENDER,var_GENDER)
.text:60865C8A                 mov     eax, [ebp+8]
.text:60865C8D                 push    dword ptr [ebp-254h]
.text:60865C93                 mov     ecx, [eax]
.text:60865C95                 push    offset aFace    ; "FACE"
.text:60865C9A                 push    eax
.text:60865C9B                 call    dword ptr [ecx+14h] ; IQQData*->vf_14h(str_FACE,var_FACE)
.text:60865C9E                 mov     eax, [ebp+8]
.text:60865CA1                 push    dword ptr [ebp-24Ch]
.text:60865CA7                 mov     ecx, [eax]
.text:60865CA9                 push    offset aLantype ; "LANTYPE"
.text:60865CAE                 push    eax
.text:60865CAF                 call    dword ptr [ecx+0Ch] ; IQQData*->vf_0ch(str_LANTYPE,var_LANTYPE)
.text:60865CB2                 mov     eax, [ebp+8]
.text:60865CB5                 lea     edx, [ebp-1F8h]
.text:60865CBB                 push    edx
.text:60865CBC                 push    offset aNote    ; "NOTE"
.text:60865CC1                 mov     ecx, [eax]
.text:60865CC3                 push    eax
.text:60865CC4                 call    dword ptr [ecx+20h]
.text:60865CC7                 mov     eax, [ebp+8]
.text:60865CCA                 mov     ecx, [eax]
.text:60865CCC                 lea     edx, [ebp-178h]
.text:60865CD2                 push    edx
.text:60865CD3                 push    offset aState   ; "STATE"
.text:60865CD8                 push    eax
.text:60865CD9                 call    dword ptr [ecx+20h]
.text:60865CDC                 mov     eax, [ebp+8]
.text:60865CDF                 push    dword ptr [ebp-0F8h]
.text:60865CE5                 mov     ecx, [eax]
.text:60865CE7                 push    offset aGrpclr  ; "GRPCLR"
.text:60865CEC                 push    eax
.text:60865CED                 call    dword ptr [ecx+18h]
.text:60865CF0                 mov     eax, [ebp-34h]
.text:60865CF3                 cmp     [eax+20h], ebx
.text:60865CF6                 mov     eax, [ebp+8]
.text:60865CF9                 mov     ecx, [eax]
.text:60865CFB                 jz      loc_60865E50
.text:60865D01                 push    dword ptr [ebp-0F4h]
.text:60865D07                 push    offset aMbltype ; "MBLTYPE"
.text:60865D0C                 push    eax
.text:60865D0D                 call    dword ptr [ecx+1Ch]
.text:60865D10                 mov     eax, [ebp+8]
.text:60865D13                 push    dword ptr [ebp-0F0h]
.text:60865D19                 mov     ecx, [eax]
.text:60865D1B                 push    offset aMbrand  ; "MBRAND"
.text:60865D20                 push    eax
.text:60865D21                 call    dword ptr [ecx+1Ch]
.text:60865D24                 mov     eax, [ebp+8]
.text:60865D27                 lea     edx, [ebp-0ECh]
.text:60865D2D                 push    edx
.text:60865D2E                 mov     ecx, [eax]
.text:60865D30                 jmp     loc_60865E75
.text:60865D35 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
*/

/* QQHelperDll.dll 怎么使用CreateQQData(IQQData * *)的产生的接口IQQData
ext:6087289F ; Exported entry 352. ?IsFriendOnline@@YAHPAUIQQCore@@K@Z
.text:6087289F
.text:6087289F ; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹?
.text:6087289F
.text:6087289F
.text:6087289F ; int __cdecl IsFriendOnline(struct IQQCore *,unsigned long)
.text:6087289F                 public ?IsFriendOnline@@YAHPAUIQQCore@@K@Z
.text:6087289F ?IsFriendOnline@@YAHPAUIQQCore@@K@Z proc near
.text:6087289F                                         ; CODE XREF: IsAllowAddToGAudioChat(ulong,int,HWND__ *)+18Fp
.text:6087289F                                         ; IsAllowAddToInGAudioChat(ulong,ulong,int,HWND__ *)+125p
.text:6087289F                 mov     eax, offset loc_60895A2C
.text:608728A4                 call    __EH_prolog
.text:608728A9                 push    ecx
.text:608728AA                 push    ebx
.text:608728AB                 xor     ebx, ebx
.text:608728AD                 mov     [ebp-10h], ebx  ; ebx = 0
.text:608728B0                 lea     eax, [ebp-10h]  ; var_IQQData**
.text:608728B3                 mov     [ebp-4], ebx
.text:608728B6                 push    eax             ; var_IQQData**
.text:608728B7                 push    dword ptr [ebp+0Ch] ; arg_QQID
.text:608728BA                 push    dword ptr [ebp+8] ; arg_IQQCore*
.text:608728BD                 call    ?GetFriendQQData@@YAHPAUIQQCore@@KPAPAUIQQData@@@Z ; GetFriendQQData(IQQCore *,ulong,IQQData * *)
.text:608728C2                 add     esp, 0Ch
.text:608728C5                 test    eax, eax        ; if(IQQData* == NULL)
.text:608728C7                 jz      short loc_60872933
.text:608728C9                 mov     [ebp+0Ch], ebx  ; arg_QQID = 0
.text:608728CC                 mov     eax, [ebp-10h]  ; eax = IQQData*
.text:608728CF                 lea     edx, [ebp+0Ch]  ; edx = &arg_QQID,IDynamicData*
.text:608728D2                 push    edx
.text:608728D3                 push    offset clsid_IQQData
.text:608728D8                 mov     ecx, [eax]      ; ecx = IQQData*->vtbl
.text:608728DA                 push    offset aQquser_dynamic ; "QQUSER_DYNAMIC_DATA"
.text:608728DF                 push    eax             ; (IQQData*)this
.text:608728E0                 mov     byte ptr [ebp-4], 1 ; *var_4 = 1
.text:608728E4                 call    dword ptr [ecx+54h] ; IQQData*->vf_54h(str_QQUSER_DYNAMIC_DATA,clsid_IQQData,void*)
.text:608728E7                 mov     eax, [ebp+0Ch]  ; if(IDynamicData* == 0)
.text:608728EA                 cmp     eax, ebx
.text:608728EC                 jz      short loc_60872933
.text:608728EE                 mov     ecx, [eax]      ; ecx = IDynamicData*->vtbl
.text:608728F0                 lea     edx, [ebp+8]    ; &var_8
.text:608728F3                 push    edx
.text:608728F4                 push    offset aQqdd_status ; "QQDD_STATUS"
.text:608728F9                 push    eax             ; (IDynamicData*)this
.text:608728FA                 call    dword ptr [ecx+38h] ; IDynamicData*->vf_38h(str_QQDD_STATUS,void*)
.text:608728FD                 cmp     dword ptr [ebp+8], 14h ; if(var_8 == 14h)
.text:60872901                 mov     eax, [ebp+0Ch]  ; eax = IDynamicData*
.text:60872904                 mov     [ebp-4], bl
.text:60872907                 jz      short loc_60872929
.text:60872909                 cmp     eax, ebx        ; if (IDynamicData* == 0)，操，没有优化的代码
.text:6087290B                 jz      short loc_60872913 ; eax = IQQData*
.text:6087290D                 mov     ecx, [eax]      ; ecx = IDynamicData*->vtbl
.text:6087290F                 push    eax             ; (IDynamicData*)this
.text:60872910                 call    dword ptr [ecx+8] ; IDynamicData*->vf_08h_Release()
.text:60872913
.text:60872913 loc_60872913:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+6Cj
.text:60872913                 mov     eax, [ebp-10h]  ; eax = IQQData*
.text:60872916                 or      dword ptr [ebp-4], 0FFFFFFFFh
.text:6087291A                 cmp     eax, ebx
.text:6087291C                 jz      short loc_60872924
.text:6087291E                 mov     ecx, [eax]      ; ecx = IQQData*->vtbl
.text:60872920                 push    eax             ; (IQQData*)this
.text:60872921                 call    dword ptr [ecx+8] ; IQQData*->vf_08h_Release()
.text:60872924
.text:60872924 loc_60872924:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+7Dj
.text:60872924                 push    1
.text:60872926                 pop     eax
.text:60872927                 jmp     short loc_60872946
.text:60872929 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:60872929
.text:60872929 loc_60872929:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+68j
.text:60872929                 cmp     eax, ebx
.text:6087292B                 jz      short loc_60872933
.text:6087292D                 mov     ecx, [eax]
.text:6087292F                 push    eax
.text:60872930                 call    dword ptr [ecx+8]
.text:60872933
.text:60872933 loc_60872933:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+28j
.text:60872933                                         ; IsFriendOnline(IQQCore *,ulong)+4Dj ...
.text:60872933                 mov     eax, [ebp-10h]
.text:60872936                 or      dword ptr [ebp-4], 0FFFFFFFFh
.text:6087293A                 cmp     eax, ebx
.text:6087293C                 jz      short loc_60872944
.text:6087293E                 mov     ecx, [eax]
.text:60872940                 push    eax
.text:60872941                 call    dword ptr [ecx+8]
.text:60872944
.text:60872944 loc_60872944:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+9Dj
.text:60872944                 xor     eax, eax
.text:60872946
.text:60872946 loc_60872946:                           ; CODE XREF: IsFriendOnline(IQQCore *,ulong)+88j
.text:60872946                 mov     ecx, [ebp-0Ch]
.text:60872949                 pop     ebx
.text:6087294A                 mov     large fs:0, ecx
.text:60872951                 leave
.text:60872952                 retn
.text:60872952 ?IsFriendOnline@@YAHPAUIQQCore@@K@Z endp ; sp =  4

*/

/*
.text:6087E8F2 ; Exported entry 349. ?IsFriend3GUser@@YAHK@Z
.text:6087E8F2
.text:6087E8F2 ; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹?
.text:6087E8F2
.text:6087E8F2
.text:6087E8F2 ; int __cdecl IsFriend3GUser(unsigned long)
.text:6087E8F2                 public ?IsFriend3GUser@@YAHK@Z
.text:6087E8F2 ?IsFriend3GUser@@YAHK@Z proc near       ; CODE XREF: StartTrayAnimate(IQQCore *)+708p
.text:6087E8F2                 mov     eax, offset loc_60897220
.text:6087E8F7                 call    __EH_prolog
.text:6087E8FC                 sub     esp, 10h
.text:6087E8FF                 push    ebx
.text:6087E900                 xor     ebx, ebx
.text:6087E902                 push    esi
.text:6087E903                 mov     [ebp-18h], ebx
.text:6087E906                 mov     [ebp-4], ebx
.text:6087E909                 call    ?AfxGetAppModuleState@@YGPAVAFX_MODULE_STATE@@XZ ; AfxGetAppModuleState(void)
.text:6087E90E                 mov     eax, [eax+4]
.text:6087E911                 lea     ecx, [ebp-18h]
.text:6087E914                 push    ecx             ; var_IQQData*
.text:6087E915                 push    dword ptr [ebp+8] ; arg_UIN
.text:6087E918                 mov     eax, [eax+0D4h]
.text:6087E91E                 push    eax             ; IQQCore*
.text:6087E91F                 call    ?GetFriendQQData@@YAHPAUIQQCore@@KPAPAUIQQData@@@Z ; GetFriendQQData(IQQCore *,ulong,IQQData * *)
.text:6087E924                 add     esp, 0Ch
.text:6087E927                 test    eax, eax
.text:6087E929                 jz      loc_6087E9E7
.text:6087E92F                 mov     [ebp-1Ch], ebx
.text:6087E932                 mov     [ebp-0Dh], bl
.text:6087E935                 mov     [ebp-14h], ebx
.text:6087E938                 mov     eax, [ebp-18h]
.text:6087E93B                 lea     edx, [ebp-0Dh]
.text:6087E93E                 mov     esi, offset aQquser_dynamic ; "QQUSER_DYNAMIC_DATA"
.text:6087E943                 push    edx
.text:6087E944                 mov     ecx, [eax]
.text:6087E946                 push    esi
.text:6087E947                 push    eax
.text:6087E948                 mov     byte ptr [ebp-4], 1
.text:6087E94C                 call    dword ptr [ecx+70h]
.text:6087E94F                 test    eax, eax
.text:6087E951                 jl      loc_6087E9D7
.text:6087E957                 cmp     byte ptr [ebp-0Dh], 8
.text:6087E95B                 jnz     short loc_6087E9D7
.text:6087E95D                 mov     eax, [ebp-14h]
.text:6087E960                 cmp     eax, ebx
.text:6087E962                 jz      short loc_6087E96D
.text:6087E964                 mov     ecx, [eax]
.text:6087E966                 push    eax
.text:6087E967                 call    dword ptr [ecx+8]
.text:6087E96A                 mov     [ebp-14h], ebx
.text:6087E96D
.text:6087E96D loc_6087E96D:                           ; CODE XREF: IsFriend3GUser(ulong)+70j
.text:6087E96D                 mov     eax, [ebp-18h]
.text:6087E970                 lea     edx, [ebp-14h]
.text:6087E973                 push    edx
.text:6087E974                 push    offset clsid_IQQData
.text:6087E979                 mov     ecx, [eax]
.text:6087E97B                 push    esi
.text:6087E97C                 push    eax
.text:6087E97D                 call    dword ptr [ecx+54h]
.text:6087E980                 test    eax, eax
.text:6087E982                 jl      short loc_6087E9D7
.text:6087E984                 mov     eax, [ebp-14h]
.text:6087E987                 lea     edx, [ebp-0Dh]
.text:6087E98A                 mov     esi, offset aQquser_3g_user ; "QQUSER_3G_USERLOGIN"
.text:6087E98F                 push    edx
.text:6087E990                 mov     ecx, [eax]
.text:6087E992                 push    esi
.text:6087E993                 push    eax
.text:6087E994                 call    dword ptr [ecx+70h]
.text:6087E997                 test    eax, eax
.text:6087E999                 jl      short loc_6087E9D7
.text:6087E99B                 cmp     byte ptr [ebp-0Dh], 1
.text:6087E99F                 jnz     short loc_6087E9D7
.text:6087E9A1                 mov     eax, [ebp-14h]
.text:6087E9A4                 lea     edx, [ebp-1Ch]
.text:6087E9A7                 push    edx
.text:6087E9A8                 push    esi
.text:6087E9A9                 mov     ecx, [eax]
.text:6087E9AB                 push    eax
.text:6087E9AC                 call    dword ptr [ecx+28h]
.text:6087E9AF                 mov     eax, [ebp-14h]
.text:6087E9B2                 mov     esi, [ebp-1Ch]
.text:6087E9B5                 cmp     eax, ebx
.text:6087E9B7                 mov     [ebp-4], bl
.text:6087E9BA                 jz      short loc_6087E9C2
.text:6087E9BC                 mov     ecx, [eax]
.text:6087E9BE                 push    eax
.text:6087E9BF                 call    dword ptr [ecx+8]
.text:6087E9C2
.text:6087E9C2 loc_6087E9C2:                           ; CODE XREF: IsFriend3GUser(ulong)+C8j
.text:6087E9C2                 mov     eax, [ebp-18h]
.text:6087E9C5                 or      dword ptr [ebp-4], 0FFFFFFFFh
.text:6087E9C9                 cmp     eax, ebx
.text:6087E9CB                 jz      short loc_6087E9D3
.text:6087E9CD                 mov     ecx, [eax]
.text:6087E9CF                 push    eax
.text:6087E9D0                 call    dword ptr [ecx+8]
.text:6087E9D3
.text:6087E9D3 loc_6087E9D3:                           ; CODE XREF: IsFriend3GUser(ulong)+D9j
.text:6087E9D3                 mov     eax, esi
.text:6087E9D5                 jmp     short loc_6087E9FA
.text:6087E9D7 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
.text:6087E9D7
.text:6087E9D7 loc_6087E9D7:                           ; CODE XREF: IsFriend3GUser(ulong)+5Fj
.text:6087E9D7                                         ; IsFriend3GUser(ulong)+69j ...
.text:6087E9D7                 mov     eax, [ebp-14h]
.text:6087E9DA                 mov     [ebp-4], bl
.text:6087E9DD                 cmp     eax, ebx
.text:6087E9DF                 jz      short loc_6087E9E7
.text:6087E9E1                 mov     ecx, [eax]
.text:6087E9E3                 push    eax
.text:6087E9E4                 call    dword ptr [ecx+8]
.text:6087E9E7
.text:6087E9E7 loc_6087E9E7:                           ; CODE XREF: IsFriend3GUser(ulong)+37j
.text:6087E9E7                                         ; IsFriend3GUser(ulong)+EDj
.text:6087E9E7                 mov     eax, [ebp-18h]
.text:6087E9EA                 or      dword ptr [ebp-4], 0FFFFFFFFh
.text:6087E9EE                 cmp     eax, ebx
.text:6087E9F0                 jz      short loc_6087E9F8
.text:6087E9F2                 mov     ecx, [eax]
.text:6087E9F4                 push    eax
.text:6087E9F5                 call    dword ptr [ecx+8]
.text:6087E9F8
.text:6087E9F8 loc_6087E9F8:                           ; CODE XREF: IsFriend3GUser(ulong)+FEj
.text:6087E9F8                 xor     eax, eax
.text:6087E9FA
.text:6087E9FA loc_6087E9FA:                           ; CODE XREF: IsFriend3GUser(ulong)+E3j
.text:6087E9FA                 mov     ecx, [ebp-0Ch]
.text:6087E9FD                 pop     esi
.text:6087E9FE                 pop     ebx
.text:6087E9FF                 mov     large fs:0, ecx
.text:6087EA06                 leave
.text:6087EA07                 retn
.text:6087EA07 ?IsFriend3GUser@@YAHK@Z endp ; sp =  4

*/