
[原创]Minlink Engine V1.0

RT.顺便妹子.
简介一下几个函数. 没有使用反汇编引擎, 只是按字节模式匹配 68 / E8 / FF 15 这几种指令的开头字节, 因此当这些字节恰好出现在数据里或另一条指令的操作数中间时, 也会被当成指令改写, 从而破坏程序. 测试了 10 个左右的程序, 我运气好, 只有一个出错了.
计算对齐值 (把 size 向上取整到 align 的整数倍, 用于 FileAlignment / SectionAlignment).
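/*
 * Round `size` up to the next multiple of `align` (PE FileAlignment /
 * SectionAlignment).  Returns `size` unchanged when it is already aligned.
 *
 * `align` comes straight out of the input PE's optional header, so it is
 * untrusted; an alignment of 0 used to divide by zero here and is now
 * treated as "no alignment" (size returned as is).
 */
unsigned long alignment(unsigned long size, unsigned long align)
{
	if (align == 0)
		return size;
	unsigned long rem = size % align;
	if (rem == 0)
		return size;
	/* Same value as (size/align + 1) * align, without the multiply. */
	return size + (align - rem);
}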

变形 push xxxxxxxx /*68 XXXXXXXX*/
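/*
 * Replace a `push imm32` (68 imm32, 5 bytes) at `src` with a `jmp rel32` to a
 * 13-byte stub written at `dst`:
 *
 *     src:  jmp  stub                      ; E9 rel32 (overwrites the push)
 *     stub: push reg                        ; 1 byte; any reg, only reserves the slot
 *           mov  dword ptr [esp], imm32     ; C7 04 24 imm32 (the original immediate)
 *           jmp  src+5                      ; E9 rel32, back to the next instruction
 *
 * dst / _new_push_rva:  file pointer of the stub and (VirtualAddress -
 *                       PointerToRawData) of the section that holds it.
 * src / _code_push_rva: file pointer of the push and the same delta for its section.
 * _image_base_offset:   ImageBase - (file mapping base); pointer + section delta
 *                       + this gives the VA, modulo 2^32.
 *
 * Does nothing when *src is not 0x68.  The caller guarantees dst has 13 bytes
 * and src 5; nothing here can check that.  The register is cosmetic, so it is
 * drawn from rand() (seed with srand() if you want it to vary between runs).
 *
 * Fixes: imm32/rel32 are 4 bytes on x86, but the stores used unsigned long,
 * which is 8 bytes on LP64 and overflowed the 13-byte stub buffer; all
 * 4-byte fields now go through memcpy of an unsigned int (also avoids the
 * misaligned / aliasing stores).
 * NOTE(review): a .reloc entry covering src+1..src+4 would now patch the jmp's
 * rel32, and the imm32 moved into the stub gets no entry; relocations are not
 * handled anywhere here.
 */
void _link_push_imm(void * dst,size_t _new_push_rva,void * src,size_t _code_push_rva,size_t _image_base_offset)
{
	/* push eax, ecx, edx, ebx, esp, ebp, esi, edi */
	static const unsigned char push_reg[8] = {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57};
	unsigned char stub[13] = {0x00,
	                          0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
	                          0xE9, 0x00, 0x00, 0x00, 0x00};
	unsigned char * pdst = (unsigned char *) dst;
	unsigned char * psrc = (unsigned char *) src;
	unsigned int field32;

	if (psrc[0] != 0x68)
		return;

	unsigned long stub_va = (unsigned long)pdst + _new_push_rva + _image_base_offset;
	unsigned long next_va = (unsigned long)psrc + 5 + _code_push_rva + _image_base_offset;

	/* Build the stub first: the immediate is read from src before src is overwritten. */
	stub[0] = push_reg[rand() % 8];
	memcpy(stub + 4, psrc + 1, 4);
	field32 = (unsigned int)(next_va - (stub_va + 13));   /* jmp back, measured from its own end */
	memcpy(stub + 9, &field32, 4);

	/* jmp stub, exactly 5 bytes, replaces the 5-byte push. */
	psrc[0] = 0xE9;
	field32 = (unsigned int)(stub_va - next_va);
	memcpy(psrc + 1, &field32, 4);

	memcpy(pdst, stub, sizeof stub);
}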


变形call [xxxxxxxx] /*FF15 XXXXXXXX*/
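/*
 * Replace a `call dword ptr [abs32]` (FF 15 disp32, 6 bytes) at `src` with
 * `jmp rel32; nop` and a 19-byte stub at `dst` that performs the same call:
 *
 *     src:  jmp  stub                      ; E9 rel32
 *           nop                            ; 90, fills the 6th byte
 *     stub: push reg                        ; 1 byte, reserves the return slot
 *           mov  dword ptr [esp], ret       ; C7 04 24 imm32 = VA of `ret` below
 *           jmp  dword ptr [abs32]          ; FF 25 disp32, same pointer as the call
 *     ret:  jmp  src+5                      ; E9 rel32, lands on the nop
 *
 * Parameters as in _link_push_imm.  Does nothing unless src starts FF 15.
 * The caller guarantees dst has 19 bytes and src 6.
 *
 * Fixes: the 4-byte fields were stored as unsigned long (8 bytes on LP64,
 * overflowing the stub buffer) and every call slept 1 ms to "randomise"
 * the register, which is cosmetic and made a large image take minutes;
 * the sleep is gone and rand() is used directly (seed with srand() if wanted).
 * NOTE(review): relocations are not handled (see _link_push_imm).
 */
void _link_call_mem(void * dst,size_t _new_push_rva,void * src,size_t _code_push_rva,size_t _image_base_offset)
{
	static const unsigned char push_reg[8] = {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57};
	unsigned char stub[19] = {0x00,
	                          0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
	                          0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,
	                          0xE9, 0x00, 0x00, 0x00, 0x00};
	unsigned char * pdst = (unsigned char *) dst;
	unsigned char * psrc = (unsigned char *) src;
	unsigned int field32;

	if (psrc[0] != 0xFF || psrc[1] != 0x15)
		return;

	unsigned long stub_va = (unsigned long)pdst + _new_push_rva + _image_base_offset;
	/* src+5 is the nop; the stub returns there, not to src+6, so the nop runs. */
	unsigned long back_va = (unsigned long)psrc + 5 + _code_push_rva + _image_base_offset;

	stub[0] = push_reg[rand() % 8];
	field32 = (unsigned int)(stub_va + 14);              /* return address: the final jmp */
	memcpy(stub + 4, &field32, 4);
	memcpy(stub + 10, psrc + 2, 4);                      /* disp32 of the original call [abs32] */
	field32 = (unsigned int)(back_va - (stub_va + 19));
	memcpy(stub + 15, &field32, 4);

	psrc[0] = 0xE9;
	field32 = (unsigned int)(stub_va - back_va);
	memcpy(psrc + 1, &field32, 4);
	psrc[5] = 0x90;

	memcpy(pdst, stub, sizeof stub);
}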

变形 call xxxxxxxx /*E8 XXXXXXXX, 即 call rel32 (前面一个处理的是 call [xxxxxxxx]); 改写为 push/mov......jmp, 再 jmp 回来*/
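/*
 * Replace a `call rel32` (E8 rel32, 5 bytes) at `src` with a jmp to an
 * 18-byte stub at `dst` that performs the same call:
 *
 *     src:  jmp  stub                      ; E9 rel32
 *     stub: push reg                        ; 1 byte, reserves the return slot
 *           mov  dword ptr [esp], ret       ; C7 04 24 imm32 = VA of `ret` below
 *           jmp  target                     ; E9 rel32 (a relative jmp, not `jmp [mem]`
 *                                           ;  as the old comment claimed)
 *     ret:  jmp  src+5                      ; E9 rel32, back to the next instruction
 *
 * Only matches when bytes 3 and 4 of the rel32 are zero, i.e. a forward call
 * of less than 64 KiB, mirroring the filter in _push.  Parameters as in
 * _link_push_imm.  The caller guarantees dst has 18 bytes and src 5.
 *
 * Fixes: 4-byte fields stored through unsigned long (8 bytes on LP64) and a
 * 1 ms Sleep per call for a cosmetic register choice; now memcpy of unsigned
 * int and rand() (seed with srand() if wanted).  The jmp displacement is
 * computed directly as target - (end of the jmp) instead of the +6 / +9+5
 * dance, which gives the same value.
 */
void _link_call_rva(void * dst,size_t _new_push_rva,void * src,size_t _code_push_rva,size_t _image_base_offset)
{
	static const unsigned char push_reg[8] = {0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57};
	unsigned char stub[18] = {0x00,
	                          0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
	                          0xE9, 0x00, 0x00, 0x00, 0x00,
	                          0xE9, 0x00, 0x00, 0x00, 0x00};
	unsigned char * pdst = (unsigned char *) dst;
	unsigned char * psrc = (unsigned char *) src;
	unsigned int field32;

	if (psrc[0] != 0xE8 || psrc[3] != 0 || psrc[4] != 0)
		return;

	unsigned long stub_va = (unsigned long)pdst + _new_push_rva + _image_base_offset;
	unsigned long next_va = (unsigned long)psrc + 5 + _code_push_rva + _image_base_offset;

	/* call target = address of the next instruction + rel32 (non-negative here). */
	unsigned int rel32;
	memcpy(&rel32, psrc + 1, 4);
	unsigned long target_va = next_va + rel32;

	stub[0] = push_reg[rand() % 8];
	field32 = (unsigned int)(stub_va + 13);                  /* return address: the jmp at stub+13 */
	memcpy(stub + 4, &field32, 4);
	field32 = (unsigned int)(target_va - (stub_va + 13));    /* jmp target, from the end of that jmp */
	memcpy(stub + 9, &field32, 4);
	field32 = (unsigned int)(next_va - (stub_va + 18));      /* jmp back to the caller's next insn */
	memcpy(stub + 14, &field32, 4);

	psrc[0] = 0xE9;
	field32 = (unsigned int)(stub_va - next_va);
	memcpy(psrc + 1, &field32, 4);

	memcpy(pdst, stub, sizeof stub);
}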

主函数: 遍历除最后一节以外的各个可执行节, 改写匹配到的指令, 把 stub 顺序写入最后一节, 最后修正该节的节头和 SizeOfImage.
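/*
 * Rewrite the `push imm32`, `call [abs32]` and short forward `call rel32`
 * instructions found in the executable sections of a 32-bit PE image mapped
 * read/write at `imagebase`.  Each match is replaced by a `jmp` into a stub
 * (13 / 19 / 18 bytes, built by the _link_* helpers); the stubs are written
 * back to back into the LAST section, whose header is then resized to cover
 * them.  Sections are walked in order, so the stubs appear in the order the
 * instructions were found.
 *
 * imagebase: start of the writable file mapping (see createmap); NULL is
 *            tolerated and returns 0.
 * Returns the number of stub bytes written (0 = nothing recognised/rewritten).
 *
 * Fixes versus the original:
 *  - the "PE\0\0" scan used a `char` index with an upper bound of 0x200, so
 *    with a signed char it never terminated and ran off the mapping;
 *  - the per-section scan counted iterations instead of bytes and let the
 *    pointer run up to 6x past SizeOfRawData, reading and patching the
 *    neighbouring section; it now walks by offset and only tests patterns
 *    that fit inside the section;
 *  - NumberOfSections == 0 indexed section[-1];
 *  - the section table is located via SizeOfOptionalHeader (what the loader
 *    does) instead of sizeof(IMAGE_OPTIONAL_HEADER32);
 *  - the last section's header is only touched when stubs were written.
 *
 * Not checked here, so the caller must guarantee:
 *  - the mapping is at least 0x204 bytes (the signature scan reads that far)
 *    and every section's raw range lies inside it;
 *  - the last section already has room in the FILE for all stubs: the
 *    mapping has the file's original size and nothing grows it, so the stub
 *    writes are unbounded.  NOTE(review): pass the mapping size in and stop
 *    before running past it.
 * NOTE(review): relocations are not handled.  The operands moved into stubs
 * (and the bytes overwritten with jmp rel32) are the kind a .reloc table
 * points at, so the output is presumably only correct when the image loads
 * at ImageBase — confirm against the input files.
 */
unsigned long _push(unsigned char * imagebase)
{
	PIMAGE_DOS_HEADER         _dos_header = NULL;
	PIMAGE_NT_HEADERS32       _nt32_header = NULL;
	PIMAGE_FILE_HEADER        _file_header = NULL;
	PIMAGE_OPTIONAL_HEADER32  _optional32_header = NULL;
	PIMAGE_SECTION_HEADER     _section_header = NULL;
	unsigned long _push_length = 0;

	/* createmap() returns NULL on failure and the usage snippet passes it straight in. */
	if (imagebase == NULL || *(unsigned short *) imagebase != IMAGE_DOS_SIGNATURE)
		return 0;
	_dos_header = (PIMAGE_DOS_HEADER) imagebase;

	/* Locate "PE\0\0" by scanning the first 0x200 bytes.  e_lfanew is not
	   trusted; it is rewritten to the offset that was found (original design). */
	for (unsigned long index = 0; index < 0x200; index++)
	{
		unsigned int signature;
		memcpy(&signature, imagebase + index, 4);
		if (signature == IMAGE_NT_SIGNATURE)
		{
			_dos_header->e_lfanew = (long) index;
			_nt32_header = (PIMAGE_NT_HEADERS32) (imagebase + index);
			_file_header = &_nt32_header->FileHeader;
			_optional32_header = &_nt32_header->OptionalHeader;
			/* The section table follows the optional header by the size the
			   file header declares, not necessarily sizeof(IMAGE_OPTIONAL_HEADER32). */
			_section_header = (PIMAGE_SECTION_HEADER)
				((unsigned char *)_optional32_header + _file_header->SizeOfOptionalHeader);
			break;
		}
	}
	if (_nt32_header == NULL)
		return 0;

	unsigned long _section_number = _file_header->NumberOfSections;
	/* The stub section is the last one; with fewer than two sections there is
	   either no stub section or no section left to rewrite. */
	if (_section_number < 2)
		return 0;

	unsigned long _min_image_base = _optional32_header->ImageBase;
	unsigned long _max_image_base = _min_image_base + _optional32_header->SizeOfImage;
	/* Distance from the mapped file to the preferred load address; the _link_*
	   helpers add it to file pointers to obtain VAs (mod 2^32). */
	unsigned long _image_base_offset = _min_image_base - (unsigned long)imagebase;

	PIMAGE_SECTION_HEADER _stub_section = &_section_header[_section_number - 1];
	unsigned char * _new_push_code = imagebase + _stub_section->PointerToRawData;
	unsigned long   _new_push_offset = _stub_section->VirtualAddress - _stub_section->PointerToRawData;

	for (unsigned long i = 0; i < _section_number - 1; i++)
	{
		if (!(_section_header[i].Characteristics & IMAGE_SCN_MEM_EXECUTE))
			continue;

		unsigned long   _section_raw     = _section_header[i].PointerToRawData;
		unsigned long   _section_raw_sze = _section_header[i].SizeOfRawData;
		unsigned long   _section_offset  = _section_header[i].VirtualAddress - _section_raw;
		unsigned char * _section_code    = imagebase + _section_raw;

		/* Walk by byte offset, skipping the whole instruction after a rewrite.
		   Each pattern is only tested when the complete instruction fits in
		   the section; the operand words are read with memcpy (unaligned). */
		unsigned long off = 0;
		while (off < _section_raw_sze)
		{
			unsigned char * op = _section_code + off;
			unsigned long remain = _section_raw_sze - off;
			unsigned int operand32 = 0;   /* bytes 1..4: rel32 of E8 / imm32 of 68 */
			unsigned int disp32 = 0;      /* bytes 2..5: disp32 of FF 15 */
			if (remain >= 5)
				memcpy(&operand32, op + 1, 4);
			if (remain >= 6)
				memcpy(&disp32, op + 2, 4);

			/* call rel32 with 0 < rel32 < 0x10000: a short forward call. */
			if (remain >= 5 && op[0] == 0xE8
				&& (operand32 >> 16) == 0 && (operand32 & 0xFFFF) != 0)
			{
				_link_call_rva(_new_push_code, _new_push_offset, op, _section_offset, _image_base_offset);
				_new_push_code += 18;
				_push_length += 18;
				off += 5;
			}
			/* call [abs32] whose pointer lies inside the image (typically an IAT slot). */
			else if (remain >= 6 && op[0] == 0xFF && op[1] == 0x15
				&& disp32 > _min_image_base && disp32 < _max_image_base)
			{
				_link_call_mem(_new_push_code, _new_push_offset, op, _section_offset, _image_base_offset);
				_new_push_code += 19;
				_push_length += 19;
				off += 6;
			}
			/* push imm32 whose immediate looks like an in-image address. */
			else if (remain >= 5 && op[0] == 0x68
				&& operand32 > _min_image_base && operand32 < _max_image_base)
			{
				_link_push_imm(_new_push_code, _new_push_offset, op, _section_offset, _image_base_offset);
				_new_push_code += 0xD;
				_push_length += 0xD;
				off += 5;
			}
			else
				off++;
		}
	}

	if (_push_length)
	{
		/* NOTE(review): 0xE0000080 = MEM_EXECUTE | MEM_READ | MEM_WRITE |
		   CNT_UNINITIALIZED_DATA.  The section now holds code, so
		   IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ (0x60000020) would avoid
		   shipping an RWX section; kept to preserve the original output. */
		_stub_section->Characteristics = 0xE0000080;
		_stub_section->SizeOfRawData = alignment(_push_length, _optional32_header->FileAlignment);
		_stub_section->Misc.VirtualSize = alignment(_push_length, _optional32_header->SectionAlignment);
		/* The image ends where the (resized) last section ends. */
		_optional32_header->SizeOfImage = _stub_section->VirtualAddress
			+ alignment(_push_length, _optional32_header->SectionAlignment);
	}
	return _push_length;
}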

文件映射, 直接写文件. CreateFileMapping 的大小参数为 0, 即映射大小等于原文件大小, 因此不能扩展文件: 写入最后一节的 stub 必须落在原文件范围内.
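/*
 * Map the file at `path` read/write and return a pointer to its first byte,
 * or NULL after showing a message box.  Writes through the view go to the
 * file itself.  The mapping is created with size 0, i.e. the current file
 * size, so the file cannot be grown through this view.
 *
 * Fix: the file and mapping handles were leaked on every path.  A mapped
 * view keeps the section object alive, so both handles can be closed as
 * soon as MapViewOfFile has been called.  The view itself is never unmapped
 * by this program; call FlushViewOfFile / UnmapViewOfFile if you need the
 * changes on disk before the process exits.
 */
void * createmap(char * path)
{
	HANDLE hFile = CreateFile(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		MessageBox(GetActiveWindow(),TEXT("不能打开文件"),TEXT("提示"),MB_ICONSTOP);
		return NULL;
	}
	HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE | SEC_COMMIT, 0, 0, NULL);
	if (NULL == hMap)
	{
		CloseHandle(hFile);
		MessageBox(GetActiveWindow(),TEXT("创建文件映射失败"),TEXT("提示"),MB_ICONSTOP);
		return NULL;
	}
	void * view = MapViewOfFile(hMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
	/* Whether or not the view was created, the handles are no longer needed. */
	CloseHandle(hMap);
	CloseHandle(hFile);
	return view;
}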

用法
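/* createmap() returns NULL when the file cannot be opened or mapped;
   check before handing the pointer to _push(), which reads the DOS header. */
unsigned char * image = (unsigned char *) createmap("test.exe");
if (image != NULL)
	_push(image);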

嗯,还真的要和反汇编引擎配合一下的,做出来的效果可以复杂很多
无法学习,只能膜拜
过来围观lz,看来lz最近在研究代码变形~
VM解析贴一出,各种代码变形随之而出。
速度赶来学习了
楼主竟然是个妹纸,高手啊,求联系方式。
楼主还木有男盆友。。你得抓紧了。。。我看过PP的,一个字:“灰常漂亮”
我这有LZMM的QQ,我便宜卖你,要不要啊
她终于答应作我女朋友了.幸运。
都是这些坏淫~