I have already located, with IDA, the address of the function in the driver that needs to be modified (00011A36). How do I get the corresponding address of that function once the driver is loaded into memory (into the kernel)? Also:
Because this is a Windows-certified (signed) driver, it cannot be loaded after a static modification, which is why I am trying to find a way to modify it dynamically.
I want to keep the whole function from executing, so I want to patch the function entry and jmp straight to the end of the function. If I place a jmp (E9) at address (00011A3C) that goes to the end (00011AFA), will the stack become unbalanced?
.text:00011A36 push ebp
.text:00011A37 mov ebp, esp
.text:00011A39 sub esp, 10h
.text:00011A3C mov eax, [ebp+arg_4]
; change this line to {e9 offset}
.text:00011A3F mov edx, dword_14968
.text:00011A45 push ebx
.text:00011A46 mov ebx, dword_14964
.text:00011A4C push esi
.text:00011A4D cmp eax, 140h
.text:00011A52 mov esi, offset dword_1BEA8
.text:00011A57 mov [ebp+var_8], ebx
.text:00011A5A jge short loc_11A70
.text:00011A5C mov ebx, dword_1496C
.text:00011A62 mov edx, dword_14970
.text:00011A68 mov esi, offset dword_14978
.text:00011A6D mov [ebp+var_8], ebx
.text:00011A70
.text:00011A70 loc_11A70: ; CODE XREF: sub_11A36+24j
.text:00011A70 mov ecx, [ebp+arg_0]
.text:00011A73 sub eax, ebx
.text:00011A75 lea eax, [eax+eax*2]
.text:00011A78 add ecx, eax
.text:00011A7A mov [ebp+var_10], eax
.text:00011A7D test edx, edx
.text:00011A7F jle short loc_11AF8
.text:00011A81 push edi
.text:00011A82 mov [ebp+var_C], edx
.text:00011A85 mov edi, 100h
.text:00011A8A
.text:00011A8A loc_11A8A: ; CODE XREF: sub_11A36+BFj
.text:00011A8A test ebx, ebx
.text:00011A8C jle short loc_11AEF
.text:00011A8E mov [ebp+var_4], ebx
.text:00011A91
.text:00011A91 loc_11A91: ; CODE XREF: sub_11A36+B4j
.text:00011A91 movzx edx, byte ptr [esi+3]
.text:00011A95 movzx eax, byte ptr [esi]
.text:00011A98 mov [ebp+arg_4], edi
.text:00011A9B mov [ebp+arg_0], edx
.text:00011A9E sub [ebp+arg_4], edx
.text:00011AA1 imul eax, edx
.text:00011AA4 movzx edx, byte ptr [ecx]
.text:00011AA7 imul edx, [ebp+arg_4]
.text:00011AAB add eax, edx
.text:00011AAD mov ebx, edi
.text:00011AAF cdq
.text:00011AB0 idiv ebx
.text:00011AB2 mov [ecx], al
.text:00011AB4 inc ecx
.text:00011AB5 movzx eax, byte ptr [esi+1]
.text:00011AB9 movzx edx, byte ptr [ecx]
.text:00011ABC imul eax, [ebp+arg_0]
.text:00011AC0 imul edx, [ebp+arg_4]
.text:00011AC4 inc esi
.text:00011AC5 add eax, edx
.text:00011AC7 cdq
.text:00011AC8 idiv ebx
.text:00011ACA mov [ecx], al
.text:00011ACC inc ecx
.text:00011ACD movzx eax, byte ptr [esi+1]
.text:00011AD1 movzx edx, byte ptr [ecx]
.text:00011AD4 imul eax, [ebp+arg_0]
.text:00011AD8 imul edx, [ebp+arg_4]
.text:00011ADC inc esi
.text:00011ADD add eax, edx
.text:00011ADF cdq
.text:00011AE0 idiv ebx
.text:00011AE2 mov [ecx], al
.text:00011AE4 inc ecx
.text:00011AE5 inc esi
.text:00011AE6 inc esi
.text:00011AE7 dec [ebp+var_4]
.text:00011AEA jnz short loc_11A91
.text:00011AEC mov ebx, [ebp+var_8]
.text:00011AEF
.text:00011AEF loc_11AEF: ; CODE XREF: sub_11A36+56j
.text:00011AEF add ecx, [ebp+var_10]
.text:00011AF2 dec [ebp+var_C]
.text:00011AF5 jnz short loc_11A8A
.text:00011AF7 pop edi
.text:00011AF8
.text:00011AF8 loc_11AF8: ; CODE XREF: sub_11A36+49j
.text:00011AF8 pop esi
.text:00011AF9 pop ebx
.text:00011AFA leave
; jump here directly from 00011A39
.text:00011AFB retn 0Ch
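As an added example (not part of the original post), a small tracer for the esp/ebp effects of the instructions in the listing above. The instruction paths were extracted by hand from the listing and are an assumption of this example; the function's loop body never touches esp, so only push/pop/sub/leave/retn need to be modelled to answer the stack-balance question.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: minimal x86 stack-depth tracer over hand-extracted paths from the posted
# listing (assumed correct). Tracks esp relative to its value at function entry.

@dataclass
class Frame:
    esp: int = 0               # esp relative to entry (0 = just after the call instruction)
    ebp: Optional[int] = None  # frame pointer value once `mov ebp, esp` has executed

def step(f: Frame, insn: str) -> None:
    """Apply one instruction's effect on esp/ebp; anything else is treated as esp-neutral."""
    mnem, _, ops = insn.partition(" ")
    ops = ops.replace(" ", "")
    imm = lambda s: int(s.rstrip("h"), 16)      # MASM-style hex immediate such as "10h"
    if mnem == "push":
        f.esp -= 4
    elif mnem == "pop":
        f.esp += 4
    elif mnem == "sub" and ops.startswith("esp,"):
        f.esp -= imm(ops.split(",")[1])
    elif mnem == "add" and ops.startswith("esp,"):
        f.esp += imm(ops.split(",")[1])
    elif mnem == "mov" and ops == "ebp,esp":
        f.ebp = f.esp
    elif mnem == "leave":                        # mov esp, ebp ; pop ebp
        if f.ebp is None:
            raise ValueError("leave without an established frame")
        f.esp = f.ebp + 4
    elif mnem == "retn":                         # pop return address, then drop imm bytes of args
        f.esp += 4 + (imm(ops) if ops else 0)

def trace(path: List[str]) -> int:
    """esp relative to entry after the path; +16 means `retn 0Ch` returned on a balanced stack."""
    f = Frame()
    for insn in path:
        step(f, insn)
    return f.esp

PROLOGUE = ["push ebp", "mov ebp, esp", "sub esp, 10h"]                 # 11A36..11A39
# Original flow through the loop: pushes at 11A45/11A4C/11A81, pops at 11AF7/11AF8/11AF9.
ORIGINAL = PROLOGUE + ["push ebx", "push esi", "push edi",
                       "pop edi", "pop esi", "pop ebx", "leave", "retn 0Ch"]
# Proposed patch: jmp from 11A3C to the `leave` at 11AFA, skipping every push and pop.
PATCHED_TO_LEAVE = PROLOGUE + ["leave", "retn 0Ch"]
# Variant landing at 11AF8 instead: two pops execute without matching pushes.
PATCHED_TO_POPS = PROLOGUE + ["pop esi", "pop ebx", "leave", "retn 0Ch"]

if __name__ == "__main__":
    for name, path in [("original", ORIGINAL), ("jmp->11AFA", PATCHED_TO_LEAVE),
                       ("jmp->11AF8", PATCHED_TO_POPS)]:
        print(f"{name:12s} esp after retn = {trace(path):+d}")
```

All three paths end at +16 because `leave` reloads esp from ebp, so the depth check alone cannot distinguish the clean jump to 11AFA from the 11AF8 variant, which pops the two callee-saved registers from the uninitialised locals area instead of from saved copies. Stack balance is therefore necessary but not sufficient; the caller's ebx and esi must also survive the patched function.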