csmss.exe 是一个网游外挂
用PEID查是Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks,
打开OD,隐藏OD,只保留内存异常,其它全取消.
载入程序:
0094E660 c>/$ 55 push ebp
0094E661 |. 8BEC mov ebp,esp
0094E663 |. 6A FF push -1
0094E665 |. 68 909A9600 push csmss.00969A90
0094E66A |. 68 38E39400 push csmss.0094E338 ; SE handler installation
0094E66F |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0094E675 |. 50 push eax
0094E676 |. 64:8925 00000000 mov dword ptr fs:[0],esp
0094E67D |. 83EC 58 sub esp,58
0094E680 |. 53 push ebx
0094E681 |. 56 push esi
0094E682 |. 57 push edi
0094E683 |. 8965 E8 mov dword ptr ss:[ebp-18],esp
0094E686 |. FF15 78419600 call dword ptr ds:[<&KERNEL32.GetV>; kernel32.GetVersion
0094E68C |. 33D2 xor edx,edx
0094E68E |. 8AD4 mov dl,ah
0094E690 |. 8915 CCAB9600 mov dword ptr ds:[96ABCC],edx
alt+M 打开内存映像,在00401000,处下内存访问断点
F9运行中断在
010578F5 ED in eax,dx
010578F6 81FB 68584D56 cmp ebx,564D5868
010578FC 75 04 jnz short 01057902
010578FE C645 FF 01 mov byte ptr ss:[ebp-1],1
01057902 8A45 FF mov al,byte ptr ss:[ebp-1]
01057905 5B pop ebx
01057906 C9 leave
01057907 C3 retn
//提示特权级指令,shift+F9 来到
00401438 /EB 10 jmp short csmss.0040144A //这就是OEP?
0040143A |66:623A bound di,dword ptr ds:[edx]
0040143D |43 inc ebx
0040143E |2B2B sub ebp,dword ptr ds:[ebx]
00401440 |48 dec eax
00401441 |4F dec edi
00401442 |4F dec edi
00401443 |4B dec ebx
00401444 |90 nop
00401445 -|E9 98904E00 jmp csmss.008EA4E2
0040144A \A1 8B904E00 mov eax,dword ptr ds:[4E908B]
0040144F C1E0 02 shl eax,2
00401452 A3 8F904E00 mov dword ptr ds:[4E908F],eax
00401457 52 push edx
00401458 6A 00 push 0
0040145A E8 19700E00 call csmss.004E8478
0040145F 8BD0 mov edx,eax
在00401438处dump
接下来该怎么办啊?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
