//This is a plugin for tElock 0.98b1 (for use with ImpREC).
//Written for a comrade :) — I tried to recover the imports by hand, but so many functions needed
//recovering that I decided to write a plugin instead.
#include <windows.h>
#define DLLEXPORT extern "C" __declspec( dllexport )
// Exported function to use (prototypes)
////////////////////////////////////////////////////////////////////////////////////////////
// Plugin entry point called by ImpREC; parameters and return codes are documented at the definition below.
DLLEXPORT DWORD Trace(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace,
DWORD dwExactCall);
// Global variables
////////////////////////////////////////////////////////////////////////////////////////////
// None
// Initialize all you need
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    // The plugin keeps no global state, so there is nothing to set up or tear
    // down: every attach/detach reason is simply acknowledged as successful.
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
// Exported function to use
//
// Parameters:
// -----------
// <hFileMap> : HANDLE of the mapped file
// <dwSizeMap> : Size of that mapped file
// <dwTimeOut> : TimeOut of ImpREC in Options
// <dwToTrace> : Pointer to trace (in VA)
// <dwExactCall> : EIP of the exact call (in VA)
//
// Returned value:
// ---------------
// Return a value greater than or equal to 200; ImpREC displays it when no output was produced.
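DLLEXPORT DWORD Trace(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace,
DWORD dwExactCall)
{
    // Length in bytes of the "Api Wrapper Scheme One" stub matched below:
    //   B8 xx xx xx xx   mov eax, imm32
    //   40               inc eax
    //   FF 30            push dword ptr [eax]
    //   C3               retn
    // The previous version probed only 4 bytes for readability but then read
    // 9 (to_trace[0..8]), so a stub straddling the end of a readable region
    // could fault; the probe now covers the whole stub.
    const SIZE_T kStubLen = 9;

    // dwTimeOut and dwExactCall are part of the ImpREC plugin interface but are
    // not used by this tracer.
    (void)dwTimeOut;
    (void)dwExactCall;

    DWORD dwResult = 205;   // default: wrapper pattern not found

    // ImpREC supplies a file mapping; the resolved API address is written back
    // as its first DWORD.
    DWORD* dwPtrOutput = (DWORD*)MapViewOfFile((HANDLE)hFileMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (!dwPtrOutput)
    {
        // Can't map view; nothing was acquired, so nothing to release
        return (201);
    }

    if (dwSizeMap < sizeof(DWORD))
    {
        dwResult = 203;   // output map too small to hold one DWORD
    }
    else if (IsBadReadPtr((VOID*)dwToTrace, sizeof(DWORD)))
    {
        dwResult = 204;   // the pointer to trace is not readable
    }
    else
    {
        // dwToTrace holds the address where the scan starts.
        BYTE* to_trace = (BYTE*)*(DWORD*)dwToTrace;

        // Walk forward one byte at a time until the stub is found or memory
        // stops being readable. There is no upper bound on the scan other than
        // readability.
        // NOTE(review): IsBadReadPtr is only a best-effort probe (racy, and it
        // can touch guard pages); it is kept because the ImpREC plugin
        // framework itself relies on it.
        while (!IsBadReadPtr((VOID*)to_trace, kStubLen))
        {
            if (to_trace[0] == 0xB8 && to_trace[5] == 0x40 && to_trace[6] == 0xFF &&
                to_trace[7] == 0x30 && to_trace[8] == 0xC3)
            {
                // "mov eax, imm32 / inc eax / push [eax]": the real API pointer
                // is stored at imm32 + 1.
                DWORD address = *(DWORD*)(to_trace + 1) + 1;
                if (!IsBadReadPtr((VOID*)address, sizeof(DWORD)))
                {
                    // Hand the recovered API address back to ImpREC
                    *dwPtrOutput = *(DWORD*)address;
                    dwResult = 200;
                    break;
                }
                // Unreadable target: keep scanning, the match was a false positive
            }
            to_trace++;
        }
    }

    // Single exit: release the view and the handle ImpREC gave us on every path
    UnmapViewOfFile((LPCVOID)dwPtrOutput);
    CloseHandle((HANDLE)hFileMap);
    return dwResult;
}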