[Original] Running multiple instances of FeiQ (飞秋)
Posted: 2012-8-10 22:25
Purely something I did out of boredom at the office today; experts, feel free to skip.
Load the program in OD (OllyDbg) and set breakpoints on every reference to CreateMutexA and FindWindowA. The first break lands in the single-instance check:
00472E9C . 68 7C595E00 PUSH 飞秋FeiQ.005E597C ; /MutexName = "LICQ_CLASS"
00472EA1 . 6A 00 PUSH 0 ; |InitialOwner = FALSE
00472EA3 . 6A 00 PUSH 0 ; |pSecurity = NULL
00472EA5 . FF15 80025900 CALL DWORD PTR DS:[<&KERNEL32.CreateMutexA>] ; \CreateMutexA ; create the named mutex
00472EAB . 6A 32 PUSH 32 ; /Timeout = 50. ms
00472EAD . 50 PUSH EAX ; |hObject
00472EAE . FF15 E4015900 CALL DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
00472EB4 . 85C0 TEST EAX,EAX
00472EB6 . 74 59 JE SHORT 飞秋FeiQ.00472F11 ; key jump (taken when WaitForSingleObject returns WAIT_OBJECT_0, i.e. the mutex was acquired); change to JMP
00472EB8 . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00472EBA . 68 40035E00 PUSH 飞秋FeiQ.005E0340 ; |Title = "提示"
00472EBF . 68 58595E00 PUSH 飞秋FeiQ.005E5958 ; |Text = "FeiQ程序已在运行,只能运行一个实例!"
00472EC4 . 6A 00 PUSH 0 ; |hOwner = NULL
00472EC6 . FF15 D40F5900 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00472ECC . 6A FF PUSH -1 ; /ExitCode = FFFFFFFF
00472ECE . FF15 7C025900 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess
00472ED4 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00472ED8 . C68424 4C290000 01 MOV BYTE PTR SS:[ESP+294C],1
00472EE0 . E8 23FC0F00 CALL <JMP.&MFC42.#??1CString@@QAE@XZ_800>
00472EE5 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00472EE9 . C68424 4C290000 00 MOV BYTE PTR SS:[ESP+294C],0
00472EF1 . E8 12FC0F00 CALL <JMP.&MFC42.#??1CString@@QAE@XZ_800>
00472EF6 . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
00472EFA . C78424 4C290000 FFF>MOV DWORD PTR SS:[ESP+294C],-1
00472F05 . E8 18061000 CALL <JMP.&MFC42.#??1CCommandLineInfo@@UAE@XZ_617>
00472F0A . 33C0 XOR EAX,EAX
00472F0C . E9 DF0E0000 JMP 飞秋FeiQ.00473DF0
00472F11 > 6A 00 PUSH 0 ; /Title = NULL
00472F13 . 68 7C595E00 PUSH 飞秋FeiQ.005E597C ; |Class = "LICQ_CLASS"
00472F18 . FF15 880F5900 CALL DWORD PTR DS:[<&USER32.FindWindowA>] ; \FindWindowA ; look for an existing FeiQ window
00472F1E . 85C0 TEST EAX,EAX
00472F20 . 74 60 JE SHORT 飞秋FeiQ.00472F82 ; key jump (taken when no window was found); change to JMP
00472F22 . 50 PUSH EAX ; /hWnd
00472F23 . FF15 6C0F5900 CALL DWORD PTR DS:[<&USER32.SetForegroundWindow>] ; \SetForegroundWindow
00472F29 . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00472F2B . 68 40035E00 PUSH 飞秋FeiQ.005E0340 ; |Title = "提示"
00472F30 . 68 58595E00 PUSH 飞秋FeiQ.005E5958 ; |Text = "FeiQ程序已在运行,只能运行一个实例!"
00472F35 . 6A 00 PUSH 0 ; |hOwner = NULL
00472F37 . FF15 D40F5900 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00472F3D . 6A FF PUSH -1 ; /ExitCode = FFFFFFFF
00472F3F . FF15 7C025900 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess
Changing these two key jumps gets past both the mutex and the window lookup. CreateMutexA is still called, so the LICQ_CLASS mutex still exists; only the result of the wait is ignored.
Next is the listening port. The port field reads 30985 when you look at it in OD, but as the bind code below shows, that word is copied straight into sin_port without htons, so it is already in network byte order: 30985 = 0x7909, bytes 09 79 in memory, which is port 0x0979 = 2425, the standard IPMsg port FeiQ listens on. If the port is not changed, the second instance's bind() fails because the port is already in use and the program crashes.
In OD, search the names of the current module and find the following entry:
Name in 飞秋FeiQ, item 635
Address=00591188
Section=.rdata
Type=Import (known)
Name=WSOCK32.#_bind_2
Set a breakpoint on every reference to #_bind_2, press F9, and you land in the code below; single-step it with F8:
0049C04C |> \8B96 8C000000 MOV EDX,DWORD PTR DS:[ESI+8C] ; bind address; it is stored to [ESP+14] below, i.e. sockaddr_in.sin_addr
0049C052 |. 33C9 XOR ECX,ECX
0049C054 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0049C058 |. 66:8B86 90000000 MOV AX,WORD PTR DS:[ESI+90] ; single-stepping shows this is the member that becomes sin_port, i.e. the listening port; it is already in network byte order, since it goes into sin_port at 0049C081 without htons
0049C05F |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
0049C063 |. 895424 14 MOV DWORD PTR SS:[ESP+14],EDX
0049C067 |. 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
0049C06A |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
0049C06E |. 894C24 1C MOV DWORD PTR SS:[ESP+1C],ECX
0049C072 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0049C076 |. 6A 10 PUSH 10 ; /AddrLen = 10 (16.)
0049C078 |. 51 PUSH ECX ; |pSockAddr
0049C079 |. 52 PUSH EDX ; |Socket
0049C07A |. 66:C74424 1C 0200 MOV WORD PTR SS:[ESP+1C],2 ; |
0049C081 |. 66:894424 1E MOV WORD PTR SS:[ESP+1E],AX ; |
0049C086 |. E8 13800D00 CALL <JMP.&WSOCK32.#_bind_2> ; \bind ; bind the socket to the port
The post patches this code as follows (reproduced as given):
0049C04C |> \8B96 8C000000 MOV EDX,DWORD PTR DS:[ESI+8C]
0049C052 C786 90000000 CA1D0>MOV DWORD PTR DS:[ESI+90],1DCA ; changed to 7626, the Glacier (冰河) trojan port, heh
0049C05C 90 NOP
0049C05D 90 NOP
0049C05E 90 NOP
0049C05F C74424 14 00000000 MOV DWORD PTR SS:[ESP+14],0 ; store 0 directly, because the XOR ECX,ECX that used to zero it was patched away
0049C067 |. 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
0049C06A |. 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
0049C06E |. 894C24 1C MOV DWORD PTR SS:[ESP+1C],ECX
0049C072 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0049C076 |. 6A 10 PUSH 10 ; /AddrLen = 10 (16.)
0049C078 |. 51 PUSH ECX ; |pSockAddr
0049C079 |. 52 PUSH EDX ; |Socket
0049C07A |. 66:C74424 1C 0200 MOV WORD PTR SS:[ESP+1C],2 ; |
0049C081 |. 66:894424 1E MOV WORD PTR SS:[ESP+1E],AX ; |
0049C086 |. E8 13800D00 CALL <JMP.&WSOCK32.#_bind_2> ; \bind
Once the changes are made, save the file and you're done.

Two things in the patched listing deserve a check before relying on it. First, byte order: [ESI+90] is copied into sin_port without htons, so it holds the port in network byte order. The immediate 1DCA lands in memory as bytes CA 1D, which bind() reads as port 0xCA1D = 51741, not 7626; to bind 7626 the word has to be 0xCA1D (bytes 1D CA). Second, the patch removes the MOV AX,WORD PTR [ESI+90] load but keeps MOV WORD PTR [ESP+1E],AX at 0049C081, and nothing else in the patched listing writes AX, so sin_port is whatever AX held on entry to this block; the DWORD store at [ESI+90] also overwrites the two bytes after the port field. Dropping MOV [ESP+14],EDX leaves sin_addr = 0 (INADDR_ANY), which is harmless, and the no-longer-zeroed ECX only reaches sin_zero, which bind ignores. A smaller patch that avoids both problems is to replace only the 7-byte MOV AX,WORD PTR [ESI+90] at 0049C058 with MOV AX,imm16 (66 B8 xx xx) followed by three NOPs, with the immediate bytes in network order, and leave everything else as it was.
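As an added example (my code, not the post's), here is a small Python patcher that applies the same three edits to a copy of the executable: the two JE-to-JMP changes from the single-instance check and the port change. It maps each VA from the OllyDbg listing to a file offset through the PE section table, refuses to write unless the original bytes at the site are the ones the listing shows, and builds the port patch as MOV AX,imm16 plus three NOPs with the immediate in network byte order, so the port actually bound is the one requested. The image base 0x400000, the section layout and the make_demo_image() stand-in are assumptions used only so the script runs offline; against the real FeiQ.exe the values come from its own headers.

```python
"""Patch FeiQ.exe for multiple instances: two JE->JMP edits plus a port change.

Added example, not code from the post. VAs are those in the OllyDbg listing;
the PE section table maps them to file offsets so the patch does not depend
on guessing the image base or the section alignment.
"""
import struct
import sys

SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION_HDR_LEN = 40


def parse_pe(pe: bytes):
    """Return (image_base, [(virt_addr, virt_size, raw_ptr, raw_size), ...]) for a PE32."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        _, vsize, vaddr, rsize, rptr = struct.unpack_from(
            SECTION_HDR, pe, opt + opt_size + i * SECTION_HDR_LEN)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(image_base, sections, va):
    """File offset of a virtual address, via the section that contains its RVA."""
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} lies in no section")


def listed_port(word_as_shown: int) -> int:
    """A sin_port word as OllyDbg displays it (little-endian) -> the real port number."""
    return struct.unpack(">H", struct.pack("<H", word_as_shown))[0]


def patch_set(port: int):
    """(VA, original bytes from the listing, replacement bytes) for each patch site."""
    if not 1 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    sin_port = struct.pack(">H", port)  # bytes as they must sit in memory (network order)
    return [
        # 00472EB6  JE SHORT 00472F11 -> JMP SHORT  (mutex wait result ignored)
        (0x00472EB6, b"\x74\x59", b"\xEB\x59"),
        # 00472F20  JE SHORT 00472F82 -> JMP SHORT  (FindWindowA result ignored)
        (0x00472F20, b"\x74\x60", b"\xEB\x60"),
        # 0049C058  MOV AX,WORD PTR [ESI+90] (7 bytes) -> MOV AX,imm16 ; NOP ; NOP ; NOP
        # The imm16 bytes are the network-order port, so the untouched
        # MOV WORD PTR [ESP+1E],AX at 0049C081 stores a correct sin_port.
        (0x0049C058, b"\x66\x8B\x86\x90\x00\x00\x00",
         b"\x66\xB8" + sin_port + b"\x90\x90\x90"),
    ]


def apply_patches(pe: bytes, port: int) -> bytearray:
    """Return a patched copy; refuse if any site does not hold the expected original bytes."""
    image_base, sections = parse_pe(pe)
    out = bytearray(pe)
    for va, old, new in patch_set(port):
        off = va_to_offset(image_base, sections, va)
        found = bytes(out[off:off + len(old)])
        if found != old:
            raise ValueError(f"{va:#010x}: expected {old.hex()}, found {found.hex()} "
                             "(different build, or already patched)")
        out[off:off + len(new)] = new
    return out


def make_demo_image(image_base=0x400000, text_rva=0x1000, text_raw=0x400) -> bytes:
    """Constructed stand-in for FeiQ.exe (assumed layout, not the real file): a bare
    PE32 with one .text section holding only the listing's original bytes at their VAs."""
    e_lfanew, opt_size, text_size = 0x80, 0xE0, 0xA0000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into(SECTION_HDR, hdr, opt + opt_size,
                     b".text", text_size, text_rva, text_size, text_raw)
    body = bytearray(text_size)
    for va, old, _ in patch_set(7626):
        off = va - image_base - text_rva
        body[off:off + len(old)] = old
    return bytes(hdr + body)


if __name__ == "__main__":
    # usage: python feiq_patch.py FeiQ.exe FeiQ_multi.exe 7626
    src, dst, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, "rb") as f:
        patched = apply_patches(f.read(), port)
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched {dst}: listening port {port}")
```

listed_port() is the byte-order check from the prose above: the 30985 OD shows is port 2425, and the post's immediate 0x1DCA would bind 51741. Because apply_patches() verifies the original bytes first, running it a second time on its own output is refused rather than silently corrupting the file.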