[讨论]DKOM断链的恢复问题(已解决!)
真是asm式的c语言,看得我要吐血了 pList_Org->Flink = pList_Current->Flink; pList_Org->Blink = pList_Current; pList_Current->Flink = pList_Org; pList_Org->Flink->Blink = pList_Org; |
[建议]大学毕业,开始工作
火星终于来人了,地球有救了! |
[招聘]年薪15万以上-上海一知名互联网公司招聘反外挂工程师
符合这要求的,一年好好干一回也有20万了,15万确实让人没啥冲动 |
[求助] 脱Execryptor如何隐藏OD
真的可以么?乖乖 |
遇到在OD反调试
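哦,原来是sun啊,我公测那天闲着没事也玩了一把,是themida的壳, 看那个fld指令下一堆FF就知道了,有个脚本自动断在oep的,脱壳不难 主要是脱壳后stolen部分和IAT的修复, stolen可以参考那个sun.exe的开头部分,对于里面几个指针地址,在代码段下两次内存写入断点就能找到了 提供一下我的IAT修复代码
/*
 * One IAT slot of the dumped image: the slot's address plus the module
 * and export that belong in it.  An entry with dwProcAddr == 0 ends the table.
 */
typedef struct tag_IMPORT_DLL_DATA {
    DWORD_PTR dwProcAddr;   /* address of the IAT slot inside the dumped image */
    char *szDllName;        /* module that exports szProcName (narrow string) */
    char *szProcName;       /* export name passed to GetProcAddress */
} IMPORT_DLL_DATA;

/*
 * Slot table for this particular dump.  It is defined before FixImport so
 * the loop below compiles without a forward declaration.  The addresses
 * only make sense for the image they were dumped from.
 */
IMPORT_DLL_DATA stIMPORTDLL[274] = {
    {0x00677000, "ADVAPI32.dll", "CryptEncrypt"},
    {0x00677004, "ADVAPI32.dll", "RegQueryValueExA"},
    {0x00677008, "ADVAPI32.dll", "RegOpenKeyA"},
    {0x0067700C, "ADVAPI32.dll", "GetTokenInformation"},
    {0x00677010, "ADVAPI32.dll", "SetEntriesInAclA"},
    {0x00677014, "ADVAPI32.dll", "SetSecurityInfo"},
    {0x00677018, "ADVAPI32.dll", "OpenProcessToken"},
    {0x0067701C, "ADVAPI32.dll", "OpenThreadToken"},
    {0x00677020, "ADVAPI32.dll", "ImpersonateSelf"},
    {0x00677024, "ADVAPI32.dll", "LookupPrivilegeValueA"},
    {0x00677028, "ADVAPI32.dll", "AdjustTokenPrivileges"},
    {0x0067702C, "ADVAPI32.dll", "CryptAcquireContextA"},
    {0x00677030, "ADVAPI32.dll", "CryptGetHashParam"},
    {0x00677034, "ADVAPI32.dll", "CryptDecrypt"},
    {0x00677038, "ADVAPI32.dll", "RegCloseKey"},
    {0x0067703C, "ADVAPI32.dll", "CryptCreateHash"},
    {0x00677040, "ADVAPI32.dll", "CryptHashData"},
    {0x00677044, "ADVAPI32.dll", "CryptDeriveKey"},
    {0x00677048, "ADVAPI32.dll", "CryptDestroyKey"},
    {0x0067704C, "ADVAPI32.dll", "CryptDestroyHash"},
    {0x00677050, "ADVAPI32.dll", "CryptReleaseContext"},
    {0x00677058, "DINPUT8.dll", "DirectInput8Create"},
    {0x00677060, "GDI32.dll", "GetStockObject"},
    {0x00677068, "kernel32.dll", "FindNextFileA"},
    {0x0067706C, "kernel32.dll", "GetFullPathNameA"},
    {0x00677070, "kernel32.dll", "GetFileInformationByHandle"},
    {0x00677074, "kernel32.dll", "lstrlenA"},
    {0x00677078, "kernel32.dll", "GetTickCount"},
    {0x0067707C, "kernel32.dll", "InterlockedExchange"},
    {0x00677080, "kernel32.dll", "GetACP"},
    {0x00677084, "kernel32.dll", "GetLocaleInfoA"},
    {0x00677088, "kernel32.dll", "GetVersionExA"},
    {0x0067708C, "kernel32.dll", "MultiByteToWideChar"},
    {0x00677090, "kernel32.dll", "WideCharToMultiByte"},
    {0x00677094, "kernel32.dll", "RaiseException"},
    {0x00677098, "ntdll.dll", "RtlGetLastWin32Error"},
    {0x0067709C, "kernel32.dll", "InitializeCriticalSection"},
    {0x006770A0, "ntdll.dll", "RtlDeleteCriticalSection"},
    {0x006770A4, "kernel32.dll", "CompareStringA"},
    {0x006770A8, "kernel32.dll", "CompareStringW"},
    {0x006770AC, "kernel32.dll", "IsBadWritePtr"},
    {0x006770B0, "kernel32.dll", "IsBadReadPtr"},
    {0x006770B4, "kernel32.dll", "FreeLibrary"},
    {0x006770B8, "kernel32.dll", "GetProcAddress"},
    {0x006770BC, "kernel32.dll", "LoadLibraryA"},
    {0x006770C0, "kernel32.dll", "SetCurrentDirectoryA"},
    {0x006770C4, "kernel32.dll", "OutputDebugStringA"},
    {0x006770C8, "kernel32.dll", "CloseHandle"},
    {0x006770CC, "kernel32.dll", "CreateSemaphoreA"},
    {0x006770D0, "kernel32.dll", "Module32Next"},
    {0x006770D4, "kernel32.dll", "Module32First"},
    {0x006770D8, "kernel32.dll", "CreateToolhelp32Snapshot"},
    {0x006770DC, "kernel32.dll", "GetCurrentProcessId"},
    {0x006770E0, "kernel32.dll", "GetCurrentDirectoryA"},
    {0x006770E4, "kernel32.dll", "QueryPerformanceFrequency"},
    {0x006770E8, "kernel32.dll", "SetUnhandledExceptionFilter"},
    {0x006770EC, "kernel32.dll", "QueryPerformanceCounter"},
    {0x006770F0, "kernel32.dll", "GetNumberFormatA"},
    {0x006770F4, "kernel32.dll", "GetCommandLineA"},
    {0x006770F8, "kernel32.dll", "CreateFileA"},
    {0x006770FC, "kernel32.dll", "GetLocalTime"},
    {0x00677100, "kernel32.dll", "CreateDirectoryA"},
    {0x00677104, "kernel32.dll", "lstrcpyA"},
    {0x00677108, "kernel32.dll", "SizeofResource"},
    {0x0067710C, "kernel32.dll", "FindResourceA"},
    {0x00677110, "kernel32.dll", "GetModuleHandleA"},
    {0x00677114, "kernel32.dll", "lstrcmpA"},
    {0x00677118, "kernel32.dll", "WritePrivateProfileStringA"},
    {0x0067711C, "kernel32.dll", "GetPrivateProfileStringA"},
    {0x00677120, "kernel32.dll", "SetFileAttributesA"},
    {0x00677124, "kernel32.dll", "GlobalMemoryStatus"},
    {0x00677128, "kernel32.dll", "GetSystemInfo"},
    {0x0067712C, "kernel32.dll", "IsProcessorFeaturePresent"},
    {0x00677130, "kernel32.dll", "SetFileTime"},
    {0x00677134, "kernel32.dll", "CopyFileA"},
    {0x00677138, "kernel32.dll", "FindFirstFileA"},
    {0x0067713C, "kernel32.dll", "FindClose"},
    {0x00677140, "kernel32.dll", "RemoveDirectoryA"},
    {0x00677144, "kernel32.dll", "GetLocaleInfoW"},
    {0x00677148, "kernel32.dll", "SetEnvironmentVariableA"},
    {0x0067714C, "kernel32.dll", "CreateProcessA"},
    {0x00677150, "kernel32.dll", "GetExitCodeProcess"},
    {0x00677154, "kernel32.dll", "SetEndOfFile"},
    {0x00677158, "kernel32.dll", "SetStdHandle"},
    {0x0067715C, "kernel32.dll", "IsBadCodePtr"},
    {0x00677160, "kernel32.dll", "IsValidCodePage"},
    {0x00677164, "kernel32.dll", "IsValidLocale"},
    {0x00677168, "kernel32.dll", "EnumSystemLocalesA"},
    {0x0067716C, "kernel32.dll", "GetUserDefaultLCID"},
    {0x00677170, "kernel32.dll", "FlushFileBuffers"},
    {0x00677174, "kernel32.dll", "GetFileAttributesA"},
    {0x00677178, "kernel32.dll", "SetFilePointer"},
    {0x0067717C, "kernel32.dll", "GetFileType"},
    {0x00677180, "kernel32.dll", "SetHandleCount"},
    {0x00677184, "kernel32.dll", "GetEnvironmentStringsW"},
    {0x00677188, "kernel32.dll", "FreeEnvironmentStringsW"},
    {0x0067718C, "kernel32.dll", "GetEnvironmentStringsA"},
    {0x00677190, "kernel32.dll", "FreeEnvironmentStringsA"},
    {0x00677194, "kernel32.dll", "UnhandledExceptionFilter"},
    {0x00677198, "kernel32.dll", "GetStdHandle"},
    {0x0067719C, "kernel32.dll", "WriteFile"},
    {0x006771A0, "kernel32.dll", "GetTimeZoneInformation"},
    {0x006771A4, "kernel32.dll", "VirtualFree"},
    {0x006771A8, "kernel32.dll", "HeapCreate"},
    {0x006771AC, "kernel32.dll", "HeapDestroy"},
    {0x006771B0, "ntdll.dll", "RtlSizeHeap"},
    {0x006771B4, "kernel32.dll", "GetModuleFileNameA"},
    {0x006771B8, "kernel32.dll", "GetStringTypeW"},
    {0x006771BC, "kernel32.dll", "GetStringTypeA"},
    {0x006771C0, "kernel32.dll", "TlsGetValue"},
    {0x006771C4, "kernel32.dll", "TlsSetValue"},
    {0x006771C8, "kernel32.dll", "TlsFree"},
    {0x006771CC, "kernel32.dll", "GetCurrentThread"},
    {0x006771D0, "ntdll.dll", "RtlSetLastWin32Error"},
    {0x006771D4, "kernel32.dll", "TlsAlloc"},
    {0x006771D8, "kernel32.dll", "LCMapStringW"},
    {0x006771DC, "kernel32.dll", "LCMapStringA"},
    {0x006771E0, "kernel32.dll", "GetCurrentThreadId"},
    {0x006771E4, "kernel32.dll", "CreateThread"},
    {0x006771E8, "kernel32.dll", "ExitThread"},
    {0x006771EC, "ntdll.dll", "RtlReAllocateHeap"},
    {0x006771F0, "kernel32.dll", "GetTimeFormatA"},
    {0x006771F4, "kernel32.dll", "MoveFileA"},
    {0x006771F8, "kernel32.dll", "DeleteFileA"},
    {0x006771FC, "kernel32.dll", "GetStartupInfoA"},
    {0x00677200, "kernel32.dll", "GetCurrentProcess"},
    {0x00677204, "kernel32.dll", "TerminateProcess"},
    {0x00677208, "kernel32.dll", "GetSystemTimeAsFileTime"},
    {0x0067720C, "kernel32.dll", "GetExitCodeThread"},
    {0x00677210, "kernel32.dll", "ReadProcessMemory"},
    {0x00677214, "kernel32.dll", "OpenProcess"},
    {0x00677218, "kernel32.dll", "GetPriorityClass"},
    {0x0067721C, "kernel32.dll", "GetSystemPowerStatus"},
    {0x00677220, "kernel32.dll", "VirtualQuery"},
    {0x00677224, "kernel32.dll", "VirtualAlloc"},
    {0x00677228, "kernel32.dll", "VirtualProtect"},
    {0x0067722C, "kernel32.dll", "Process32Next"},
    {0x00677230, "kernel32.dll", "Process32First"},
    {0x00677234, "ntdll.dll", "RtlFreeHeap"},
    {0x00677238, "ntdll.dll", "RtlAllocateHeap"},
    {0x0067723C, "kernel32.dll", "ExitProcess"},
    {0x00677240, "kernel32.dll", "GetCPInfo"},
    {0x00677244, "kernel32.dll", "GetOEMCP"},
    {0x00677248, "ntdll.dll", "RtlUnwind"},
    {0x0067724C, "kernel32.dll", "Sleep"},
    {0x00677250, "kernel32.dll", "InterlockedIncrement"},
    {0x00677254, "kernel32.dll", "InterlockedDecrement"},
    {0x00677258, "kernel32.dll", "InitializeCriticalSectionAndSpinCount"},
    {0x0067725C, "kernel32.dll", "WaitForMultipleObjects"},
    {0x00677260, "kernel32.dll", "SetEvent"},
    {0x00677264, "kernel32.dll", "WaitForSingleObject"},
    {0x00677268, "ntdll.dll", "RtlEnterCriticalSection"},
    {0x0067726C, "ntdll.dll", "RtlLeaveCriticalSection"},
    {0x00677270, "kernel32.dll", "UnmapViewOfFile"},
    {0x00677274, "kernel32.dll", "MapViewOfFile"},
    {0x00677278, "kernel32.dll", "FormatMessageA"},
    {0x0067727C, "kernel32.dll", "SearchPathA"},
    {0x00677280, "kernel32.dll", "IsBadStringPtrA"},
    {0x00677284, "kernel32.dll", "LocalFree"},
    {0x00677288, "kernel32.dll", "DuplicateHandle"},
    {0x0067728C, "kernel32.dll", "CreateEventA"},
    {0x00677290, "kernel32.dll", "CreateFileMappingA"},
    {0x00677294, "kernel32.dll", "GetDateFormatA"},
    {0x00677298, "kernel32.dll", "GetFileSize"},
    {0x0067729C, "kernel32.dll", "ReadFile"},
    {0x006772A0, "kernel32.dll", "GetProcessHeap"},
    {0x006772A8, "OLEAUT32.dll", "VariantTimeToSystemTime"},
    {0x006772B0, "SHELL32.dll", "ShellExecuteExA"},
    {0x006772B8, "USER32.dll", "RegisterClassW"},
    {0x006772BC, "USER32.dll", "CreateWindowExW"},
    {0x006772C0, "USER32.dll", "ValidateRect"},
    {0x006772C4, "USER32.dll", "TranslateAcceleratorA"},
    {0x006772C8, "USER32.dll", "PeekMessageA"},
    {0x006772CC, "USER32.dll", "AdjustWindowRect"},
    {0x006772D0, "USER32.dll", "wvsprintfA"},
    {0x006772D4, "USER32.dll", "LoadStringA"},
    {0x006772D8, "USER32.dll", "UpdateWindow"},
    {0x006772DC, "USER32.dll", "EndPaint"},
    {0x006772E0, "USER32.dll", "DestroyAcceleratorTable"},
    {0x006772E4, "USER32.dll", "SendMessageA"},
    {0x006772E8, "USER32.dll", "DefWindowProcA"},
    {0x006772EC, "USER32.dll", "CreateWindowExA"},
    {0x006772F0, "USER32.dll", "PostQuitMessage"},
    {0x006772F4, "USER32.dll", "SetTimer"},
    {0x006772F8, "USER32.dll", "SetWindowTextA"},
    {0x006772FC, "USER32.dll", "EndDialog"},
    {0x00677300, "USER32.dll", "MessageBoxA"},
    {0x00677304, "USER32.dll", "KillTimer"},
    {0x00677308, "USER32.dll", "RegisterClassExA"},
    {0x0067730C, "USER32.dll", "LoadCursorA"},
    {0x00677310, "USER32.dll", "LoadIconA"},
    {0x00677314, "USER32.dll", "DispatchMessageA"},
    {0x00677318, "USER32.dll", "TranslateMessage"},
    {0x0067731C, "USER32.dll", "GetMessageA"},
    {0x00677320, "USER32.dll", "DialogBoxParamA"},
    {0x00677324, "USER32.dll", "SetDlgItemTextA"},
    {0x00677328, "USER32.dll", "CharUpperBuffA"},
    {0x0067732C, "USER32.dll", "BeginPaint"},
    {0x00677330, "USER32.dll", "GetDesktopWindow"},
    {0x00677334, "USER32.dll", "SetRect"},
    {0x00677338, "USER32.dll", "ShowCursor"},
    {0x0067733C, "USER32.dll", "CharNextA"},
    {0x00677340, "USER32.dll", "InvalidateRect"},
    {0x00677344, "USER32.dll", "SetScrollInfo"},
    {0x00677348, "USER32.dll", "ShowWindow"},
    {0x0067734C, "USER32.dll", "wsprintfA"},
    {0x00677350, "USER32.dll", "GetSystemMetrics"},
    {0x00677354, "USER32.dll", "SetCursor"},
    {0x00677358, "USER32.dll", "DestroyIcon"},
    {0x0067735C, "USER32.dll", "SetCapture"},
    {0x00677360, "USER32.dll", "ReleaseCapture"},
    {0x00677364, "USER32.dll", "SystemParametersInfoA"},
    {0x00677368, "USER32.dll", "ScreenToClient"},
    {0x0067736C, "USER32.dll", "SetCursorPos"},
    {0x00677370, "USER32.dll", "GetCursorPos"},
    {0x00677374, "USER32.dll", "SetRectEmpty"},
    {0x00677378, "USER32.dll", "GetAsyncKeyState"},
    {0x0067737C, "USER32.dll", "LoadCursorFromFileA"},
    {0x00677384, "VMProxy.dll", "VMAPI_MuteSound"},
    {0x00677388, "VMProxy.dll", "VMAPI_ExitSession"},
    {0x0067738C, "VMProxy.dll", "VMAPI_MuteMic"},
    {0x00677390, "VMProxy.dll", "VMAPI_JoinSession"},
    {0x00677394, "VMProxy.dll", "VMAPI_Terminate"},
    {0x00677398, "VMProxy.dll", "VMAPI_InitProxy"},
    {0x0067739C, "VMProxy.dll", "VMAPI_SetCallbackFuncPointer"},
    {0x006773A0, "VMProxy.dll", "VMAPI_HostSession"},
    {0x006773A8, "winmm.dll", "timeGetTime"},
    {0x006773B0, "WS2_32.dll", "WSAGetOverlappedResult"},
    {0x006773B4, "WS2_32.dll", "WSASocketA"},
    {0x006773B8, "WS2_32.dll", "inet_addr"},
    {0x006773BC, "WS2_32.dll", "gethostbyname"},
    {0x006773C0, "WS2_32.dll", "WSAStartup"},
    {0x006773C4, "WS2_32.dll", "WSACleanup"},
    {0x006773C8, "WS2_32.dll", "closesocket"},
    {0x006773CC, "WS2_32.dll", "WSARecv"},
    {0x006773D0, "WS2_32.dll", "connect"},
    {0x006773D4, "WS2_32.dll", "WSASend"},
    {0x006773D8, "WS2_32.dll", "ntohs"},
    {0x006773DC, "WS2_32.dll", "WSAGetLastError"},
    /* binkw32 entries left disabled by the author; enabling them would
     * exceed the [274] bound of this array. */
    /*
    {0x006773E4, "binkw32.dll", "BinkOpenDirectSound"},
    {0x006773E8, "binkw32.dll", "BinkSetSoundSystem"},
    {0x006773EC, "binkw32.dll", "BinkWait"},
    {0x006773F0, "binkw32.dll", "BinkClose"},
    {0x006773F4, "binkw32.dll", "BinkDoFrame"},
    {0x006773F8, "binkw32.dll", "BinkCopyToBuffer"},
    {0x006773FC, "binkw32.dll", "BinkNextFrame"},
    {0x00677400, "binkw32.dll", "BinkOpen"},
    */
    {0x00677408, "imagehlp.dll", "MapFileAndCheckSumA"},
    {0x00677410, "ole32.dll", "GetRunningObjectTable"},
    {0x00677418, "wzSound.dll", "wzsnd_play_ambi"},
    {0x0067741C, "wzSound.dll", "wzsnd_set_loop_ambi"},
    {0x00677420, "wzSound.dll", "wzsnd_play_voice"},
    {0x00677424, "wzSound.dll", "wzsnd_play_ui"},
    {0x00677428, "wzSound.dll", "wzsnd_play"},
    {0x0067742C, "wzSound.dll", "wzsnd_stop_voice"},
    {0x00677430, "wzSound.dll", "wzsnd_set_volume_all_bgm"},
    {0x00677434, "wzSound.dll", "wzsnd_stop_all_bgm"},
    {0x00677438, "wzSound.dll", "wzsnd_stop_bgm"},
    {0x0067743C, "wzSound.dll", "wzsnd_pause_bgm"},
    {0x00677440, "wzSound.dll", "wzsnd_play_bgm"},
    {0x00677444, "wzSound.dll", "wzsnd_set_mic_input_vol"},
    {0x00677448, "wzSound.dll", "wzsnd_get_mic_input_vol"},
    {0x0067744C, "wzSound.dll", "wzsnd_get_wav_vol"},
    {0x00677450, "wzSound.dll", "wzsnd_get_master_vol"},
    {0x00677454, "wzSound.dll", "wzsnd_set_wav_vol"},
    {0x00677458, "wzSound.dll", "wzsnd_set_master_vol"},
    {0x0067745C, "wzSound.dll", "wzsnd_update_listener"},
    {0x00677460, "wzSound.dll", "wzsnd_stop_all"},
    {0x00677464, "wzSound.dll", "wzsnd_uninit"},
    {0x00677468, "wzSound.dll", "wzsnd_init"},
    {0x0067746C, "wzSound.dll", "wzsnd_load_ui"},
    {0x00677470, "wzSound.dll", "wzsnd_load_gameplay"},
    {0x00677474, "wzSound.dll", "wzsnd_set_mic_output_mute"},
    {0x00677478, "wzSound.dll", "wzsnd_env_supported"},
    {0x0067747C, "wzSound.dll", "wzsnd_play_3d"},
    {0x00677480, "wzSound.dll", "wzsnd_set_volume_all_ambi"},
    {0x00677484, "wzSound.dll", "wzsnd_stop_ambi"},
    {0x00677488, "wzSound.dll", "wzsnd_stop_all_ambi"},
    {0x0067748C, "wzSound.dll", "wzsnd_getState_voice"},
    {0x00677490, "wzSound.dll", "wzsnd_update_3d_source"},
    {0x00677494, "wzSound.dll", "wzsnd_stop"},
    {0x00000000, "", ""}   /* terminator */
};

/*
 * Overwrite nLen bytes at pbMemAddr with pbMemData.
 *
 * The affected page(s) are switched to PAGE_EXECUTE_READWRITE for the copy
 * and then restored to the protection they had before.
 *
 * Returns TRUE on success.  Returns FALSE, without writing anything, when
 * the arguments are invalid or the protection could not be changed; also
 * returns FALSE if the restore failed (the bytes are written in that case,
 * but the page is left writable).
 */
BOOL __stdcall ReplaceMem(BYTE *pbMemAddr, const BYTE *pbMemData, int nLen)
{
    DWORD dwProtectFlag = 0;
    DWORD dwIgnored = 0;

    if (pbMemAddr == NULL || pbMemData == NULL || nLen <= 0) {
        return FALSE;
    }
    /* Do not touch memory we could not make writable. */
    if (!VirtualProtect(pbMemAddr, (SIZE_T)nLen, PAGE_EXECUTE_READWRITE, &dwProtectFlag)) {
        return FALSE;
    }
    memcpy(pbMemAddr, pbMemData, (size_t)nLen);
    /* lpflOldProtect must not be NULL: the original restore call passed
     * NULL, which makes VirtualProtect fail and leaves the page RWX. */
    if (!VirtualProtect(pbMemAddr, (SIZE_T)nLen, dwProtectFlag, &dwIgnored)) {
        return FALSE;
    }
    return TRUE;
}

/*
 * Resolve every entry of stIMPORTDLL and write the resolved function
 * pointer into the IAT slot recorded for it.  The walk stops at the first
 * entry whose dwProcAddr is 0, or at the end of the array.
 *
 * Entries whose module or export cannot be resolved are skipped rather
 * than written as NULL (a NULL slot would fault on the first call through
 * it).  Modules are intentionally not released with FreeLibrary: the
 * repaired image keeps calling into them.
 *
 * Returns the number of entries that could not be patched (0 = all good).
 */
int __stdcall FixImport(void)
{
    const size_t nEntries = sizeof stIMPORTDLL / sizeof stIMPORTDLL[0];
    int nFailed = 0;
    size_t i;

    for (i = 0; i < nEntries && stIMPORTDLL[i].dwProcAddr != 0; ++i) {
        const IMPORT_DLL_DATA *pEntry = &stIMPORTDLL[i];
        FARPROC pfnProc = NULL;
        /* LoadLibraryA, not the LoadLibrary macro: the table holds narrow
         * strings, so the call must not switch to the W variant under
         * UNICODE.  Bare module names resolve through the loader's normal
         * search order. */
        HMODULE hDll = LoadLibraryA(pEntry->szDllName);

        if (hDll != NULL) {
            pfnProc = GetProcAddress(hDll, pEntry->szProcName);
        }
        if (pfnProc == NULL) {
            ++nFailed;
            continue;
        }
        /* sizeof pfnProc rather than a literal 4: the slot holds one
         * pointer, whatever the pointer width is. */
        if (!ReplaceMem((BYTE *)pEntry->dwProcAddr, (const BYTE *)&pfnProc, (int)sizeof pfnProc)) {
            ++nFailed;
        }
    }
    return nFailed;
}
-------------------------------- |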
想做个OD原版基础上包含所有修改代码的dll
早就写完了,最近忙别的事忘了发,我测试了下,不太稳定,可能有些地方从ollyice 中提取的代码没写对,ollyice里面的好些代码写的比较晦涩,错误在所难免 希望坛主有时间的话,帮忙补充修正一下:) 一共3个文件,Makefile, ollyext.asm, patch.inc 出于兴趣的原因吧,我很喜欢给有价值但没办法得到更新的游戏服务端做补丁dll, 欢迎有比较有价值的游戏服务端的朋友,跟我联系交流
//########################################################################
//Makefile
//########################################################################
# Builds ollyext.dll from ollyext.asm with MASM (ml) and the MS linker.
DLL = ollyext
OBJS = $(DLL).obj
LINK_FLAG = /subsystem:windows /DLL
ML_FLAG = /c /coff
$(DLL).dll: $(OBJS)
	Link $(LINK_FLAG) $(OBJS)
.asm.obj:
	ml $(ML_FLAG) $<
clean:
	del *.obj
//########################################################################
//ollyext.asm
//########################################################################
;*********************************************************************
; OllyDbg extension DLL module
; written by ezme, thanks to the "ollyice"
;*********************************************************************
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include \work\masm32\macros\macros.asm
include \work\masm32\macros\ucmacros.asm
include patch.inc
.const
; Single-byte opcodes and filler used by the patches in PatchProcMem.
b_JMPHeader db 0EBh                                ; jmp short
b_JGEHeader db 07Dh                                ; jge short
b_NOPBytes  db 90h,90h,90h,90h,90h,90h,90h,90h     ; 8 x nop
bZeroBytes  db 00h,00h,00h,00h,00h,00h,00h,00h     ; 8 zero bytes
.data
hInstance dd ?                                     ; set in DLLMain
.code
;*********************************************************************
; ReplaceMem: overwrite _dwLen bytes at _dwMemAddr with the bytes at
; _dwData.  The page is made PAGE_EXECUTE_READWRITE for the copy and
; the previous protection is then reapplied.  Always returns TRUE in al.
;*********************************************************************
ReplaceMem proc uses ebx esi edi _dwMemAddr, _dwData, _dwLen
    local @dwProtectFlag
    invoke VirtualProtect, _dwMemAddr, _dwLen, \
           PAGE_EXECUTE_READWRITE, addr @dwProtectFlag
    invoke RtlMoveMemory, _dwMemAddr, _dwData, _dwLen
    ; NOTE(review): VirtualProtect needs a non-NULL lpflOldProtect; with
    ; NULL this restore call fails and the page is left RWX - confirm.
    invoke VirtualProtect, _dwMemAddr, _dwLen, @dwProtectFlag, NULL
    ; NOTE(review): only al is set, the upper bits of eax are whatever
    ; VirtualProtect returned - callers should treat the result as a byte.
    mov al, TRUE
    ret
ReplaceMem endp
;*********************************************************************
; WritePatchCode: build a small trampoline in a local buffer and write it
; over _dwCodeLen bytes at _dwMemAddr.  The buffer is pre-filled with nop
; so a _dwCodeLen larger than the trampoline pads the displaced bytes.
;   PCODE_JUMP_HEADER -> jmp rel32 to _dwFuncAddr
;   PCODE_CALL_HEADER -> call rel32 to _dwFuncAddr
;   PCODE_PRET_HEADER -> push _dwFuncAddr / ret
;   anything else     -> int 3
;*********************************************************************
MAXLEN_PATCH_CODE equ 16
PCODE_JUMP_HEADER equ 0E9h
PCODE_CALL_HEADER equ 0E8h
PCODE_PRET_HEADER equ 068h
PCODE_JUMP_LENGTH equ 5
PCODE_CALL_LENGTH equ 5
PCODE_PRET_LENGTH equ 6
WritePatchCode proc uses ebx esi edi _dwMemAddr, _dwFuncAddr, \
               _bCodeType:BYTE, _dwCodeLen
    local @bPatchCode[MAXLEN_PATCH_CODE]:BYTE
    invoke RtlFillMemory, addr @bPatchCode, MAXLEN_PATCH_CODE, 90h
    .if _bCodeType == PCODE_JUMP_HEADER
        mov @bPatchCode, 0E9h
        mov eax, _dwFuncAddr            ; rel32 = target - (patch + 5)
        sub eax, 1 + 4
        sub eax, _dwMemAddr
        mov dword ptr [@bPatchCode + 1], eax
    .elseif _bCodeType == PCODE_CALL_HEADER
        mov @bPatchCode, 0E8h
        mov eax, _dwFuncAddr            ; rel32 = target - (patch + 5)
        sub eax, 1 + 4
        sub eax, _dwMemAddr
        mov dword ptr [@bPatchCode + 1], eax
    .elseif _bCodeType == PCODE_PRET_HEADER
        mov @bPatchCode, 068h
        mov @bPatchCode + 5, 0C3h
        mov eax, _dwFuncAddr            ; absolute function address
        mov dword ptr [@bPatchCode + 1], eax
    .else
        mov @bPatchCode, 0CCh
    .endif
    invoke ReplaceMem, _dwMemAddr, addr @bPatchCode, _dwCodeLen
    ret
WritePatchCode endp
;*********************************************************************
; PatchProcMem: apply the in-memory patches to the host OllyDbg.
; Every address below is specific to the OllyDbg build this was written
; against; on any other build these writes land in unrelated code.
; Commented-out invokes are patch points that were documented but not
; enabled.  Markers on the separator lines:
;   # marks patch points from the 3rd Chinese-localized build
;   * marks patch points from the 2nd ollyice build
;*********************************************************************
PatchProcMem proc uses ebx esi edi
;---------------------------------------------------
; replace window class name
;---------------------------------------------------
;####
;---------------------------------------------------
; fixed: AppendMenuA - delete all breakpoints
;0041A735 > 53 push ebx
;0041A736 . 6A 0E push 0E
;0041A738 . 8B55 D8 mov edx, dword ptr ss:[ebp-28]
;---------------------------------------------------
;invoke WritePatchCode, 0041A735h, fix_0041A735, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH + 1
;####
;---------------------------------------------------
; fixed: _Deletebreakpoints
;0041A920 > 837D FC 0C cmp dword ptr ss:[ebp-4], 0C
;0041A924 . 75 45 jnz short 0041A96B
;---------------------------------------------------
;invoke WritePatchCode, 0041A920h, fix_0041A920, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH + 1
;****
;---------------------------------------------------
; ??????
; fixed: _Findname
;00419B84 . 0355 FC add edx, dword ptr ss:[ebp-4]
;---------------------------------------------------
;invoke ReplaceMem, 00419B84h, offset b_NOPBytes, 3
;****
;---------------------------------------------------
; fixed: strings spelling error
;0041E2F7
;---------------------------------------------------
; hotkeys
;****
;---------------------------------------------------
; fixed: WM_??? extend the window message loop
;func_0057F329
;0041E623 . 3D 01020000 cmp eax, 201
;---------------------------------------------------
;invoke WritePatchCode, 0041E623h, fix_0041E623, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH
;****
;---------------------------------------------------
; fixed: WM_CHAR 1
;0041F325 . 83C4 1C add esp, 1C
;0041F328 . 8945 A4 mov dword ptr ss:[ebp-5C], eax
;---------------------------------------------------
;invoke WritePatchCode, 0041F325h, fix_0041F325, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH + 1
;****
;---------------------------------------------------
; fixed: WM_CHAR 2
;0042042F > 833D 44274E00 01 cmp dword ptr ds:[4E2744], 1
;0042044A > \8B55 EC mov edx, dword ptr ss:[ebp-14]
;0042044D . 52 push edx ; /Arg3
;0042044E . 8B4D F0 mov ecx, dword ptr ss:[ebp-10] ; |
;---------------------------------------------------
;invoke ReplaceMem, 0042042Fh, offset b_NOPBytes, 1
;invoke WritePatchCode, 0042042Fh + 1, fix_0042042F, PCODE_PRET_HEADER, \
; PCODE_PRET_LENGTH
;**##
;---------------------------------------------------
; fixed: trans to chinese string
;00420BFE, 00420C1D, 00420C43, 00420C5F, 00420C7B, 00420C97
;---------------------------------------------------
;####
;---------------------------------------------------
; fixed: trans to chinese string
;00421D4D, 0042262D
;---------------------------------------------------
;---------------------------------------------------
; Ctrl+Shift+C binary copy
; Ctrl+Shift+V binary paste
;****
;---------------------------------------------------
; fixed: WM_??? extend the window message loop
;func_0057F329
;00425E57 . 3D 00020000 cmp eax, 200
;---------------------------------------------------
;invoke WritePatchCode, 00425E57h, fix_00425E57, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH
;****
;---------------------------------------------------
; fixed: WM_CHAR
;0042609A > A1 FADD4C00 mov eax, dword ptr ds:[4CDDFA]
;---------------------------------------------------
;invoke WritePatchCode, 0042609Ah, fix_0042609A, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH
;****
;---------------------------------------------------
; fixed: WM_KEYDOWN
;0042670C . 837D EC 00 cmp dword ptr ss:[ebp-14], 0
;00426710 . 0F85 C2000000 jnz 004267D8
;---------------------------------------------------
;invoke WritePatchCode, 0042670Ch, fix_0042670C, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH + 5
;****
;---------------------------------------------------
; fixed: WM_KEYDOWN
;00426760 . 74 2C je short 0042678E
;---------------------------------------------------
;.data
;code_00426760 db 0EBh,13h
;.code
;invoke ReplaceMem, 00426760h, offset code_00426760, 2
;invoke ReplaceMem, 00426775h + 1, offset bZeroBytes, 1
;****
;---------------------------------------------------
; fixed: replace % with a space
;0043134C . 83C4 10 add esp, 10
;0043134F . 3BC3 cmp eax, ebx
;---------------------------------------------------
invoke WritePatchCode, 0043134Ch, fix_0043134C, PCODE_JUMP_HEADER, \
       PCODE_JUMP_LENGTH
;**##
;---------------------------------------------------
; fixed: trans to chinese string
;00433BD4, 00433C58, 0043416E
;---------------------------------------------------
;****
;---------------------------------------------------
; fixed: "Dangerous command" warning
;00434C0D . 74 6D je short 00434C7C
;---------------------------------------------------
;invoke ReplaceMem, 00434C0Dh, offset b_JMPHeader, 1
;xxxx
;---------------------------------------------------
; fixed: window name, class name
;00435E46 . 8D96 07180000 lea edx, dword ptr ds:[esi+1807]
;---------------------------------------------------
;##**
;---------------------------------------------------
; fixed: CreateFontA
;00436C89 . 6A 02 push 2
;00436C8D . 6A 06 push 6
;00436CA0 . 6A 05 push 5
;00436CBC . 6A 00 push 0
;00436CBE . 6A 00 push 0
;00436CC2 . 6A 00 push 0
;00436CC4 . 6A 00 push 0
;00436CCA . 6A 01 push 1
;00436CD7 . 6A 0E push 0E
;---------------------------------------------------
; Each write replaces the imm8 of one "push imm8" (hence the "+ 1").
.data
code_00436CC4 db 01h
code_00436CD7 db 0Dh
.code
invoke ReplaceMem, 00436C89h + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436C8Dh + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CA0h + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CBCh + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CBEh + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CC2h + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CC4h + 1, offset code_00436CC4, 1
invoke ReplaceMem, 00436CCAh + 1, offset bZeroBytes, 1
invoke ReplaceMem, 00436CD7h + 1, offset code_00436CD7, 1
;**xx
;---------------------------------------------------
; fixed: UDD, plugin dir path
;00437376 . 68 027F0000 push 7F02
;---------------------------------------------------
invoke WritePatchCode, 00437376h, fix_00437376, PCODE_JUMP_HEADER, \
       PCODE_JUMP_LENGTH
;**##
;---------------------------------------------------
; fixed: menu strings
;00438456 . 8D86 9E290000 lea eax, dword ptr ds:[esi+299E]
;---------------------------------------------------
;**##
;---------------------------------------------------
; fixed: trans to chinese string
;0043D90E > 68 418F4B00 push 004B8F41
;---------------------------------------------------
;http://bbs.pediy.com/showthread.php?threadid=13458
; analysis and fix of the OD copy bug
;**xx
;---------------------------------------------------
; fixed: MultiByteToWideChar
;00446A1C > 68 00020000 push 200
;---------------------------------------------------
invoke WritePatchCode, 00446A1Ch, fix_00446A1C, PCODE_JUMP_HEADER, \
       PCODE_JUMP_LENGTH
;****
;---------------------------------------------------
; fixed: ignore an error (Movefile failed)
;0044D90C . 75 1B jnz short 0044D929
;---------------------------------------------------
;invoke ReplaceMem, 0044D90Ch, offset b_JMPHeader, 1
; add hotkeys
;****
;---------------------------------------------------
; fixed: WM_CHAR
;func_0057F255
;0044EF88 . E8 C38C0500 call 004A7C50
;---------------------------------------------------
;invoke WritePatchCode, 0044EF88h, fix_0044EF88, PCODE_JUMP_HEADER, \
; PCODE_JUMP_LENGTH
;**##
;---------------------------------------------------
; fixed: trans to chinese string
;00450405 . 68 ACAB4B00 push 004BABAC
;0045042B > 68 B8AB4B00 push 004BABB8
;00450448 . 68 C7AB4B00 push 004BABC7
;00459E40 > 68 3DB44B00 push 004BB43D
;0045AE7F . 68 62B74B00 push 004BB762
;####
;---------------------------------------------------
;00450F29 . 68 B9AC4B00 push 004BACB9
;---------------------------------------------------
;http://bbs.pediy.com/showthread.php?t=17592
;****
;---------------------------------------------------
; fixed: skip the PE file check (je -> jge)
;0045C671 . 74 07 je short 0045C67A
;---------------------------------------------------
invoke ReplaceMem, 0045C671h, offset b_JGEHeader, 1
;****
;---------------------------------------------------
; fixed: "Entry Point Alert" (je -> jmp)
;0045DB3D . 74 47 je short 0045DB86
;---------------------------------------------------
invoke ReplaceMem, 0045DB3Dh, offset b_JMPHeader, 1
;**##
;---------------------------------------------------
; fixed: trans to chinese string
;00462535 > 68 88C64B00 push 004BC688
;---------------------------------------------------
;http://bbs.pediy.com/showthread.php?s=&threadid=33102
;****
;---------------------------------------------------
; fixed: _Findname string length check
;00464A67 . 8D46 01 lea eax, dword ptr ds:[esi+1]
;00464A6A . 50 push eax
;00464A6B . 8B13 mov edx, dword ptr ds:[ebx]
;---------------------------------------------------
invoke WritePatchCode, 00464A67h, fix_00464A67, PCODE_JUMP_HEADER, \
       PCODE_JUMP_LENGTH + 1
;****
;---------------------------------------------------
; fixed: _Findnextname string length check
;func_0057FAD0
;00464EC3 . 8BD1 mov edx, ecx
;00464EC5 . 87F7 xchg edi, esi
;00464EC7 . C1E9 02 shr ecx, 2
;---------------------------------------------------
; The call displaces 7 bytes; func_0057FAD0 re-executes them itself.
invoke WritePatchCode, 00464EC3h, func_0057FAD0, PCODE_CALL_HEADER, \
       PCODE_CALL_LENGTH + 2
;****
;---------------------------------------------------
; fixed: _Findlabel string length check
;func_0057FAD0
;00464F91 . 8BD1 mov edx, ecx
;00464F93 . 87F7 xchg edi, esi
;00464F95 . C1E9 02 shr ecx, 2
;---------------------------------------------------
invoke WritePatchCode, 00464F91h, func_0057FAD0, PCODE_CALL_HEADER, \
       PCODE_CALL_LENGTH + 2
;xxxx
;004779C5 change window title
;****
;---------------------------------------------------
; fixed: remove the thread ID hint
;00478A5C . B0 54 mov al, 54
;00478AC2 . B0 54 mov al, 54
;00478B0B . B1 4D mov cl, 4D
;00478B59 . B0 54 mov al, 54
;---------------------------------------------------
;xxxx
;---------------------------------------------------
; fixed: floating-point bug
;0047E7D7 > 66:8B45 14 mov ax, word ptr ss:[ebp+14]
;0047E7DB . 50 push eax
;---------------------------------------------------
invoke WritePatchCode, 0047E7D7h, fix_0047E7D7, PCODE_JUMP_HEADER, \
       PCODE_JUMP_LENGTH
;####
;---------------------------------------------------
; fixed: trans to chinese string
;0048D196 . 68 C4824C00 push 004C82C4
;_Defaultbar
;00495EF1 . C783 D0010000 88904C00 mov dword ptr ds:[ebx+1D0], 004C9088
;---------------------------------------------------
;http://bbs.pediy.com/showthread.php?s=&threadid=33621
;****
;---------------------------------------------------
; fixed: floating-point error
;func_0057F0A1
;004AA2E8 . 66:817A 08 3E40 cmp word ptr ds:[edx+8], 403E
;---------------------------------------------------
; The call displaces 6 bytes; func_0057F0A1 ends with the same cmp so
; the flags the caller tests are still produced.
invoke WritePatchCode, 004AA2E8h, func_0057F0A1, PCODE_CALL_HEADER, \
       PCODE_CALL_LENGTH + 1
mov al, TRUE
ret
PatchProcMem endp
;*********************************************************************
; DLLMain: on DLL_PROCESS_ATTACH record the module handle and apply
; the patches; the other reasons just return TRUE.
;*********************************************************************
DLLMain proc _hInstance,_dwReason,_dwReserved
    mov eax,_dwReason
    .if eax == DLL_PROCESS_ATTACH
        mov eax,_hInstance
        mov hInstance,eax
        ; hInstance is immediately overwritten with GetModuleHandle(NULL),
        ; i.e. the host executable's base, not this DLL's - presumably
        ; intended since the patches target the host.
        invoke GetModuleHandle, NULL
        mov hInstance, eax
        ; NOTE(review): the return value here is whatever PatchProcMem
        ; leaves in eax (only al is set to TRUE) - confirm the loader
        ; sees a nonzero BOOL.
        invoke PatchProcMem
    .elseif eax == DLL_THREAD_ATTACH
        mov eax,TRUE
    .elseif eax == DLL_THREAD_DETACH
        mov eax,TRUE
    .elseif eax == DLL_PROCESS_DETACH
        mov eax,TRUE
    .endif
    ret
DLLMain endp
end DLLMain
//########################################################################
//patch.inc
//########################################################################
.const
; Addresses of some OllyDbg internal functions (this build only);
; the fix routines call through these pointers.
OD_Error dd 0045401Ch
OD_Setcpu dd 0042D618h
OD_Infoline dd 00431768h
OD_Findmemory dd 00461A48h
OD_Readmemory dd 0046130Ch
OD_Deletebreakpoints dd 00419518h
.code
;****************************************************************************
; new feature functions
;****************************************************************************
;0057F0A1
; Fix floating-point error.  Called from the patched 004AA2E8 (see
; PatchProcMem): when the 80-bit value at [edx] has exponent word 403Dh
; and both mantissa dwords equal -1, rewrite it as exponent 403Eh with
; mantissa 00000000:80000000h.  Ends with the cmp the call displaced so
; the caller's flags are unchanged.
func_0057F0A1 proc
    cmp word ptr ds:[edx+8], 403Dh
    jnz @F
    cmp dword ptr ds:[edx], -1
    jnz @F
    cmp dword ptr ds:[edx+4], -1
    jnz @F
    mov word ptr ds:[edx+8], 403Eh
    mov dword ptr ds:[edx], 0
    mov dword ptr ds:[edx+4], 80000000h
@@:
    cmp word ptr ds:[edx+8], 403Eh      ; displaced instruction
    ret
func_0057F0A1 endp
;0057FAD0
; Checks whether a string length exceeds 255.  Called from the patched
; 00464EC3 / 00464F91: clamps ecx to 0FFh and NUL-terminates at
; [esi+ecx], then re-executes the three displaced instructions.
func_0057FAD0 proc
    cmp ecx, 0FFh
    jle @F
    mov ecx, 0FFh
    xor eax, eax
    mov byte ptr ds:[ecx+esi], al
@@:
    mov edx, ecx                        ; displaced instructions
    xchg edi, esi
    shr ecx, 2
    ret
func_0057FAD0 endp
;0057F255
; Used by the new hotkey feature: opens the clipboard, fetches CF_TEXT (1),
; and returns lstrlenA(text) / 2 in eax (0 if the clipboard could not be
; opened).
; NOTE(review): reads and writes [ebp-0C0h] of the caller's frame, and
; the esi pushed before GetClipboardData is only popped on the L041
; path - confirm this matches the call site's frame layout.
func_0057F255 proc
    mov eax, dword ptr ss:[esp+4]
    push edi
    push eax
    xor edi, edi
    call OpenClipboard                  ;<jmp.&USER32.OpenClipboard>
    test eax, eax
    je L043
    push esi
    push 1
    call GetClipboardData               ;<jmp.&USER32.GetClipboardData>
    mov dword ptr ss:[ebp-0C0h], eax
    cmp dword ptr ss:[ebp-0C0h], 0
    je L041
    mov edx, dword ptr ss:[ebp-0C0h]
    push edx
    call GlobalLock                     ;<jmp.&KERNEL32.GlobalLock>
    test eax, eax
    je L041
    push eax
    call lstrlenA                       ; derived from analysis
    push esi
    mov edi, eax
    call GlobalUnlock                   ;<jmp.&KERNEL32.GlobalUnlock>
L041:
    call CloseClipboard                 ;<jmp.&USER32.CloseClipboard>
    pop esi
L043:
    mov eax, edi
    pop edi
    cdq
    sub eax, edx
    sar eax, 1                          ; signed length / 2
    ret
func_0057F255 endp
;----------------------------------------------------------------------------
; Write data to the clipboard; used by the new hotkey.
; Formats the dword at *[esp+4] as "%08X" into a 10h-byte moveable global
; block and hands it to the clipboard as CF_TEXT (1).
; NOTE(review): the two failure paths jump to L047, which only frees the
; block - CloseClipboard is never called there although OpenClipboard
; already ran, and OpenClipboard's result is not checked.  ebx is
; clobbered; the visible callers pushad first.
;----------------------------------------------------------------------------
;0057F329
func_0057F329 proc
    mov eax, dword ptr [ebp+8]
    push eax
    call OpenClipboard                  ;<jmp.&USER32.OpenClipboard>
    call EmptyClipboard                 ;<jmp.&USER32.EmptyClipboard>
    push 10h                            ; dwBytes
    push 2002h                          ; uFlags
    call GlobalAlloc                    ;<jmp.&KERNEL32.GlobalAlloc>
    mov ebx, eax
    test ebx, ebx
    jnz L016
    push esi
    push 004BB416h                      ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
    xor eax, eax
    jmp L047
L016:
    push ebx
    call GlobalLock                     ;<jmp.&KERNEL32.GlobalLock>
    cmp eax, 0
    jnz L032
;----------0057F2C2h-------error function??
    push esi
    push 004BB416h                      ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
;----------005DA39Ch-------error function??
    push ebx
    call GlobalUnlock                   ;<jmp.&KERNEL32.GlobalUnlock>
    xor eax, eax
    jmp L047
L032:
    mov edx, dword ptr [esp+4]
    push dword ptr [edx]
    push chr$("%08X")                   ; derived from analysis
    push eax
    call wsprintfA                      ;<jmp.&USER32.wsprintfA>
    add esp, 0Ch
    push ebx
    call GlobalUnlock                   ;<jmp.&KERNEL32.GlobalUnlock>
    push ebx
    push 1                              ; CF_TEXT
    call SetClipboardData               ;<jmp.&USER32.SetClipboardData>
    call CloseClipboard                 ;<jmp.&USER32.CloseClipboard>
    ret
L047:
    push ebx
    call GlobalFree                     ;<jmp.&KERNEL32.GlobalFree>
    ret
func_0057F329 endp
;****************************************************************************
; fix functions
;****************************************************************************
;0057F77C
; Called from the window procedure (patched 0041E623).  On message 100h
; (WM_KEYDOWN) with VK_CONTROL (11h) held and the key (lower-cased) equal
; to 78h, calls func_0057F329 with 004CDA2Dh and resumes at 00425E22h;
; otherwise re-executes the displaced "cmp eax, 201h" and returns to
; 0041E628h.
fix_0041E623 proc
    cmp eax, 100h
    je JMP_2
JMP_1:
    cmp eax, 201h                       ; displaced instruction
    push 0041E628h
    ret
JMP_2:
    pushad
    push 11h                            ; VK_CONTROL
    call GetKeyState                    ;<USER32.GetKeyState>
    test ax, 8000h
    je JMP_3
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; to lower case
    cmp eax, 78h
    jnz JMP_3
    mov eax, 004CDA2Dh                  ; inferred
    push eax
    call func_0057F329                  ; the new fix function
    add esp, 4h
    popad
    push 00425E22h
    ret
JMP_3:
    popad
    jmp JMP_1
fix_0041E623 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F000
; Never called (per the author's note).  Picks an address from several
; frame slots of the caller, calls OD_Setcpu for it when it lies in
; [100000h, 7FFE0FFFh], then re-executes the displaced
; "add esp, 1Ch / mov [ebp-5Ch], eax" and returns to 0041F32Bh.
fix_0041F325 proc
    cmp dword ptr [ebp-162Ch], 0
    jnz L039
    pushad
    push 10000h
    push 0
    cmp dword ptr [ebp-1640h], 0
    je L024
    cmp dword ptr [ebp-15F8h], 0
    je L018
    push dword ptr [ebp-15F8h]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je L018
    push dword ptr [ebp-15F8h]
    jmp L027
L018:
    cmp dword ptr [ebp-15F4h], 0
    je L022
    push dword ptr [ebp-15F4h]
    jmp L027
L022:
    push dword ptr [ebp-1640h]
    jmp L027
L024:
    cmp dword ptr [ebp-18h], 0
    jnz L029
    push dword ptr [ebp-163Ch]
L027:
    push 0
    jmp L031
L029:
    push 0
    push dword ptr [ebp-163Ch]
L031:
    push 0
    cmp dword ptr [esp+8], 100000h      ; user-mode address range check
    jb L037
    cmp dword ptr [esp+8], 7FFE0FFFh
    ja L037
    call dword ptr [OD_Setcpu]
L037:
    add esp, 14h
    popad
L039:
    add esp, 1Ch                        ; displaced instructions
    mov dword ptr [ebp-5Ch], eax
    push 0041F32Bh
    ret
fix_0041F325 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;004AF780
;004AF781
; Never called (per the author's note).  With VK_SHIFT (10h) held, key
; 'c' (63h) sets ebx = 13h and 'v' (76h) sets ebx = 14h and jumps to
; 00423151h; otherwise re-executes the displaced
; "cmp dword ptr [4E2744], 1" and returns to 00420436h.
fix_0042042F proc
    push 10h                            ; VK_SHIFT
    call GetKeyState                    ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    je L015
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; to lower case
    cmp eax, 63h
    jnz L011
    mov ebx, 13h
    jmp L014
L011:
    cmp eax, 76h
    jnz L015
    mov ebx, 14h
L014:
    push 00423151h
    ret
L015:
    mov eax, 004E2744h
    cmp dword ptr [eax], 1              ; displaced instruction
    push 00420436h
    ret
fix_0042042F endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F3E0
; Called from the window procedure (patched 00425E57).  Dispatches on the
; message in [ebp+0Ch]: 200h (WM_MOUSEMOVE) -> JMP_SUB_1 (info line),
; 203h (WM_LBUTTONDBLCLK) -> JMP_SUB_2, 100h (WM_KEYDOWN) -> JMP_SUB_3.
; All paths end by re-executing the displaced "cmp eax, 200h" and
; returning to 00425E5Ch.  ebp is repointed at 004CDDFAh inside
; pushad/popad pairs.
fix_00425E57 proc
    mov eax, dword ptr [ebp+0Ch]
    cmp eax, 200h
    je JMP_SUB_1
JMP_0_1:
    cmp eax, 203h
    je JMP_SUB_2
JMP_0_2:
    cmp eax, 100h
    je JMP_SUB_3
JMP_0_3:
    cmp eax, 200h                       ; displaced instruction
    push 00425E5Ch
    ret
;------------------
;0057F4D6
; Double-click: with VK_CONTROL held follow the selection in the CPU
; window, otherwise read 4 bytes at the selection and copy them to the
; clipboard via func_0057F329.
JMP_SUB_2:
    push 11h                            ; VK_CONTROL
    call GetKeyState                    ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    jnz JMP_2_2
    nop
    pushad
    mov edx, 004CDDFAh                  ; computed
    push edx
    push dword ptr [edx]
    call dword ptr [OD_Findmemory]
    pop ecx
    pop edx
    test eax, eax
    je JMP_2_1
    push 1
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                  ; computed
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push ebx
    call func_0057F329
    add esp, 4
JMP_2_1:
    popad
    jmp JMP_0_2
JMP_2_2:
    pushad
    mov ebp, 004CDDFAh                  ; computed
    push 1004h
    push 0
    push 0
    push dword ptr [ebp]
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
    popad
    jmp JMP_0_2
;------------------
; Format pieces for OD_Infoline (raw bytes, presumably GBK text; the last
; one reads "%s%X %s%X %s%X").
.data
;0057F5DB
arg_00425E57_1A db 0B5h,0B1h,0C7h,0B0h,0D6h,0B5h,03Ah,00,00,00,00
;0057F5EE
arg_00425E57_1B db 0BFh,0E9h,0B4h,0F3h,0D0h,0A1h,03Ah,030h,078h,00,00,00,00,00,00,00
;0057F608
arg_00425E57_20 db 0BDh,0E1h,0CAh,0F8h,03Ah,00,00,00,00
;0057F619
arg_00425E57_30 db 0C6h,0F0h,0CAh,0BCh,03Ah,00,00,00,00
;0057F627
arg_00425E57_40 db 025h,073h,025h,058h,020h,025h,073h,025h,058h,020h,025h,073h,025h,058h,00,00,00,00,00,00,00
.code
;0057F58F
; Mouse move: show selection start/size/end on the info line.
; NOTE(review): when the selection is 4 bytes or less two extra dwords
; are pushed before JMP_1_1, yet the cleanup is a fixed "add esp, 1Ch"
; (7 dwords) - looks 8 bytes short on that path; confirm.
JMP_SUB_1:
    pushad
    mov ebp, 004CDDFAh                  ; computed
    push dword ptr [ebp]
    call dword ptr [OD_Findmemory]
    add esp, 4
    test eax, eax
    je JMP_3_1
    push 1
    push 4
    push dword ptr [ebp]
    mov ebx, 0050B140h                  ; computed; push the pointer
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    mov ecx, dword ptr [ebp+4]
    sub ecx, dword ptr [ebp]            ; selection size
    cmp ecx, 4
    ja JMP_1_1
    push dword ptr [ebx]
    ;0057F5DB
    push offset arg_00425E57_1A
JMP_1_1:
    push ecx
    ;0057F5EE
    push offset arg_00425E57_1B
    mov eax, dword ptr [ebp+4]
    dec eax
    push eax
    ;0057F608
    push offset arg_00425E57_20
    push dword ptr [ebp]
    ;0057F619
    push offset arg_00425E57_30
    ;0057F627
    push offset arg_00425E57_40
    call dword ptr [OD_Infoline]
    add esp, 1Ch
    popad
    jmp JMP_0_3
;------------------
;0057F65E
; Key down (never called, per the author's note): on key 74h follow the
; dword at the selection and advance the selection by 4.
JMP_SUB_3:
    push eax
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; to lower case
    cmp eax, 74h
    pop eax
    jnz JMP_0_3
    pushad
    mov edx, 004CDDFAh                  ; computed
    push 1
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                  ; computed
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push dword ptr [ebx]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je JMP_3_1
    push 34h
    push 0
    push 0
    push dword ptr [ebx]
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
    mov edx, 004CDDFAh                  ; computed
    mov eax, dword ptr [edx]
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx], eax
    mov dword ptr [edx+8], eax
    mov eax, dword ptr [edx+4]
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx+4], eax
    mov ebx, dword ptr [edx-4]
    cmp eax, ebx
    jb JMP_3_1
    mov dword ptr [edx-8], ebx
JMP_3_1:
    popad
    jmp JMP_0_3
fix_00425E57 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F15F
fix_0042609A proc                       ; never called
    pushad
    mov eax, esi
    cmp eax, 0Dh
    jnz L042
    mov ebp, 004CDDFAh                  ; computed
    mov eax, dword ptr [ebp]
    push eax
    push eax
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    pop eax
    je L042
    push 1
    push 4
    push eax
    mov ebp, 0050AFE0h                  ; computed; push the pointer
    push ebp
call dword ptr [OD_Readmemory] add esp, 10h push dword ptr [ebp] ;计算得出 call dword ptr [OD_Findmemory] pop ecx test eax, eax je L042 push 10h call GetKeyState ;<jmp.&USER32.GetKeyState> test ax, 8000h push 34h push 0 je L037 push dword ptr [ebp] push 0 jmp L039 L037: push 0 push dword ptr [ebp] L039: push 0 call dword ptr [OD_Setcpu] add esp, 14h L042: popad mov eax, 004CDDFBh ;计算得出,是004CDDFBh ????? mov eax, dword ptr [eax] push 0042609Fh ret fix_0042609A endp ;---------------------------------------------------------------------------- ;---------------------------------------------------------------------------- ;0057F100 fix_0042670C proc ;未调用过 cmp dword ptr [ebp-10h], 0 je L028 pushad mov ebp, 004CE1C7h ;算出来的 mov eax, dword ptr [ebp] push 3 push 4 push eax mov eax, 0050AFE0h ;算出来的 push eax call dword ptr [OD_Readmemory] add esp, 10h mov eax, 0050AFE0h ;算出来的 push dword ptr [eax] call dword ptr [OD_Findmemory] pop ecx test eax, eax je L026 push 34h push 0 mov eax, 0050AFE0h ;算出来的 push dword ptr [eax] push 0 push 0 call dword ptr [OD_Setcpu] add esp, 14h L026: popad push 004267D8h ret L028: push 00426716h ret fix_0042670C endp ;---------------------------------------------------------------------------- ;---------------------------------------------------------------------------- ;004AF644 ;把%替换成空格 fix_0043134C proc ;加载新进程时调用 push ecx push eax push edi mov edi, dword ptr [esp+0Ch] mov ecx, dword ptr [esp+14h] mov eax, 25h @@: repne scas byte ptr es:[edi] cmp ecx, 0 je @F mov byte ptr [edi-1], 20h jmp @B @@: pop edi pop eax pop ecx add esp, 10h cmp eax, ebx push 00431351h ret fix_0043134C endp ;---------------------------------------------------------------------------- ;---------------------------------------------------------------------------- .data szPatchName db MAX_PATH dup (0) .code ;004AF67A fix_00437376 proc pushad push 100h ; /MemSize = C000 (49152.) 
push 40h ; |Flags = GPTR call GlobalAlloc ; \GlobalAlloc test eax, eax jz PROC_END mov ebx, eax mov edi, 004D3868h ;路径名 mov esi, edi xor eax, eax xor ecx, ecx dec ecx repne scas byte ptr es:[edi] neg ecx dec ecx mov edi, ecx ;路径名长度 xchg edi, ebx ;offset szPatchName push esi push edi call lstrcpyA ;<jmp.&KERNEL32.lstrcpyA> mov byte ptr [ebx+edi-1], 5Ch mov byte ptr [ebx+edi], 0 push chr$("UDD") mov eax, ebx add eax, edi push eax call lstrcpyA ;<jmp.&KERNEL32.lstrcpyA> push 004D53A4h push edi push 004B74FDh push 004B747Eh call WritePrivateProfileStringA ;<jmp.&KERNEL32.WritePrivateProfileStringA> push esi push edi call lstrcpyA ;<jmp.&KERNEL32.lstrcpyA> mov byte ptr [ebx+edi-1], 5Ch mov byte ptr [ebx+edi], 0 push chr$("plugin") mov eax, ebx add eax, edi push eax call lstrcpyA ;<jmp.&KERNEL32.lstrcpyA> push 004D53A4h push edi push 004B7506h push 004B747Eh call WritePrivateProfileStringA ;<jmp.&KERNEL32.WritePrivateProfileStringA> push edi call GlobalFree PROC_END: popad push 7F02h push 0043737Bh ret fix_00437376 endp ;---------------------------------------------------------------------------- ;---------------------------------------------------------------------------- ;004AF740 fix_00446A1C proc lea edx, dword ptr ss:[ebp-588h] lea ecx, dword ptr ss:[ebp-288h] push ecx push edx push 200h push edx push ebx push ecx push 1 push 0 call MultiByteToWideChar ;<jmp.&KERNEL32.MultiByteToWideChar> pop edx pop ecx mov ebx, eax add ebx, ebx add edx, ebx sub edx, 2 movzx ebx, word ptr ds:[edx] cmp ebx, 0 je @F push 00446A39h ret @@: mov byte ptr ds:[edx], 1 push 00446A39h ret fix_00446A1C endp ;---------------------------------------------------------------------------- ; 可能存在错误 ;---------------------------------------------------------------------------- ;0057F1F5 fix_0044EF88 proc ;未调用过 pushad push 10h call GetKeyState ;<jmp.&USER32.GetKeyState> test ax, 8000h je L105 mov eax, dword ptr ss:[ebp+10h] or al, 20h cmp eax, 63h jnz L011 mov edi, 76h jmp L022 L011: cmp eax, 76h jnz 
L023 mov edi, 77h push dword ptr ss:[ebp+8] call func_0057F255 add esp, 4 push dword ptr ds:[ebx+385h] pop dword ptr ss:[ebp-50h] push dword ptr ds:[ebx+385h] pop dword ptr ss:[ebp-54h] add dword ptr ss:[ebp-54h], eax L022: ;-----------------------添加代码开始 ;call DebugBreak ;-----------------------添加代码结束 push 00451411h ret L023: popad mov eax, 004A7C50h call eax push 0044EF8Dh ret L105: push 11h call GetKeyState ;<jmp.&USER32.GetKeyState> test ax, 8000h je L023 mov eax, dword ptr ss:[ebp+10h] or al, 20h cmp eax, 38h jnz L023 lea eax, dword ptr ds:[ebx+385h] push eax call func_0057F329 add esp, 4 jmp L023 fix_0044EF88 endp ;---------------------------------------------------------------------------- ;---------------------------------------------------------------------------- ;0057FAF2 fix_00464A67 proc cmp esi, 0FFh jle @F mov esi, 0FFh @@: xor eax, eax mov byte ptr ds:[esi+edi], al push esi mov edx, dword ptr ds:[ebx] push 00464A6Dh ret fix_00464A67 endp ;============================================================================ ;004AF645 fix_0041A735 proc push 004D7FE5h cmp DWORD ptr [esp], 0 add esp, 4 jle @F pushad push 004C100Ch ;"&Remove all breakpoints" push 2Dh push 0 mov eax, dword ptr ss:[ebp-28h] push eax call AppendMenuA ;<jmp.&USER32.AppendMenuA> popad @@: push ebx push 0Eh mov edx, dword ptr ss:[ebp-28h] push 0041A73Bh ret fix_0041A735 endp ;004AF66D fix_0041A920 proc cmp dword ptr ss:[ebp-4], 0Ch jnz @F push 0041A926h ret @@: cmp dword ptr ss:[ebp-4], 2Dh jnz @F push 0041A96Bh ret @@: pushad mov ebx, 004D7EE1h mov esi, dword ptr ss:[ebx+104h] @@: dec esi cmp esi, 0 jl @F mov eax, esi imul eax, dword ptr ds:[ebx+114h] add eax, dword ptr ds:[ebx+11Ch] mov edx, dword ptr ds:[eax] push 0 mov eax, edx inc edx push edx push eax call dword ptr [OD_Deletebreakpoints] add esp, 0Ch jmp @B @@: popad mov dword ptr ss:[ebp-4], 1 push 0041A985h ret fix_0041A920 endp ;004AF791 fix_0047E7D7 proc cmp dword ptr ss:[ebp+0Ch], -1 jnz @F cmp dword ptr ss:[ebp+10h], -1 jnz 
@F and byte ptr ss:[ebp+0Ch], 0FEh @@: mov ax, word ptr ss:[ebp+14h] push eax push 0047E7DCh ret fix_0047E7D7 endp |
|
[求助]关于np保护下把内存dump出来
你先试着把np去掉,这个不难的,耐心分析,找到启动np线程的函数,nop掉就好了 |
|
[原创]昨天写的一个GetProcAddress
这个里面用了一个hash压缩算法,把函数名转换为唯一32位整数,这个算法只用在写溢出攻击代码等一些特殊环境里 个人感觉速度不一定会比串扫描快,另外既然是写程序么,最好还是走常规的路,我觉得微软的程序员再厉害也不会这样去写这个函数, ------------- pExploit 是我自己定义的一种数据类型... ------------- 这个大可不必吧,不就是个dword么?个人觉得还是搞简明点的好 比较佩服楼主“吹”的功夫,网上几乎每个shellcode都用到的技术,居然好意思用原创两个字 |
|
ACPROTECT 2.0 LAST VERSION
有点奇怪,楼主英文这么烂,干吗非得用英文? 既然是中国人,干吗非得标美元价格? 根据语法错误,我给你X个不要用英文写的理由! hi are you want acprotect v2.0 last version ? 1.这个有2个错误,hi应该说hi everybody here, 2.不要说are you want,应该说do you want --------------------------------- orjinal这个单词应该这么写original --------------------------------- mag这个我猜应该是nag吧? --------------------------------- ups sorry error program please wait 1 day 我觉得应该这样说吧, i have found a lack in this new version! please wait for 1 more day and i'll fix it! 还好大家都是中国人,还能看懂中国式英语。。。 |
为什么没人破解游戏做外挂 ?
违法,最好别干, |