Executable modules, item 76
Base=03170000
Size=000CE000 (843776.)
Entry=031E61FF XAppLuaT.<ModuleEntryPoint>
Name=XAppLuaT
File version=1, 0, 0, 70
Path=C:\Users\Public\Thunder Network\KanKan\Pusher\XAppLuaTool.1.0.0.70.dll
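/*
 * sub_10077B30 - scan the address range [a1, a2) for a free block of at
 * least 64 KiB and commit it as RWX.
 *
 * a1  start address (rounded by sub_10077C00 before the scan)
 * a2  exclusive upper bound of the scan
 * Returns the VirtualAlloc result on success, 0 when VirtualQuery fails or
 * the range is exhausted.  The caller owns the returned allocation.
 *
 * Constants (Win32, x86): 0x1C is sizeof(MEMORY_BASIC_INFORMATION) on a
 * 32-bit process; 0x3000 = MEM_COMMIT | MEM_RESERVE; 0x40 =
 * PAGE_EXECUTE_READWRITE.  The window 0x50000000..0x80000000 is skipped
 * outright (the scan jumps to 0x80010000).
 *
 * Defect fixed here: the loop relied on sub_10077C00() to move lpAddress
 * past the region VirtualQuery just described.  With the shipped helper
 * (which subtracts instead of adds) the "next" address can land back on
 * Buffer.BaseAddress, so the loop re-queries the same region forever.  A
 * progress guard now forces a step to the next 64 KiB boundary whenever
 * the helper fails to advance.
 *
 * NOTE(review): an RWX commit found by walking free address space is a
 * strong behavioural signal for memory-scanning defenders; if this code is
 * ever rewritten, PAGE_READWRITE + a later PAGE_EXECUTE_READ change is the
 * conventional shape.
 */
LPVOID __cdecl sub_10077B30(int a1, unsigned int a2)
{
  LPVOID v3;                               // [sp+0h]  [bp-24h]@9  VirtualAlloc result
  struct _MEMORY_BASIC_INFORMATION Buffer; // [sp+4h]  [bp-20h]@6  VirtualQuery output
  LPCVOID lpAddress;                       // [sp+20h] [bp-4h]@1   scan cursor
  unsigned int prev;                       // cursor at top of the iteration (progress guard)

  lpAddress = (LPCVOID)sub_10077C00(a1);
  while ( (unsigned int)lpAddress < a2 )
  {
    prev = (unsigned int)lpAddress;
    if ( (unsigned int)lpAddress < 0x50000000 || (unsigned int)lpAddress > 0x80000000 )
    {
      memset(&Buffer, 0, 0x1Cu);
      if ( !VirtualQuery(lpAddress, &Buffer, 0x1Cu) )
        return 0;
      if ( Buffer.State != MEM_FREE || Buffer.RegionSize < 0x10000 )
      {
        /* Region is unusable: continue after it, rounded by the helper. */
        lpAddress = (LPCVOID)sub_10077C00((char *)Buffer.BaseAddress + Buffer.RegionSize);
        /* Progress guard: if the helper did not move us forward (the bug
           discussed in this post), step to the next 64 KiB boundary above
           prev ourselves so the scan cannot spin on one region. */
        if ( (unsigned int)lpAddress <= prev )
          lpAddress = (LPCVOID)((prev + 0x10000u) & ~0xFFFFu);
      }
      else
      {
        v3 = VirtualAlloc((LPVOID)lpAddress, 0x10000u, 0x3000u, 0x40u);
        if ( v3 )
          return v3;
        /* Allocation refused at this address: try the next 64 KiB slot. */
        lpAddress = (char *)lpAddress + 0x10000;
      }
    }
    else
    {
      /* Skip the reserved window entirely. */
      lpAddress = (LPCVOID)0x80010000;
    }
  }
  return 0;
}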
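/*
 * sub_10077C00 - round a1 up to the next 0x10000 (64 KiB) boundary.
 *
 * a1  address to round (already aligned values are returned unchanged)
 * Returns the smallest multiple of 0x10000 that is >= a1.
 *
 * Defect fixed: the shipped code did `a1 -= 0x10000 - low16`, i.e. it
 * moved *below* a1 by the distance to the boundary above, which is neither
 * a round-up nor a round-down.  Called from sub_10077B30 with
 * BaseAddress + RegionSize (0x1F6E000 + 0x1000 in the post's capture) it
 * returns 0x1F6E000 = BaseAddress again, so the caller re-queries the same
 * region forever.  Changing the subtraction to an addition (one opcode,
 * 2B -> 03) yields the intended 0x1F70000.
 *
 * The arithmetic is done in unsigned to avoid signed-overflow UB when a1
 * is just below 0x80000000; the final conversion back to int is
 * implementation-defined (two's-complement wrap on x86/MSVC).
 */
int __cdecl sub_10077C00(int a1)
{
  unsigned int v = (unsigned int)a1;
  unsigned int low = v & 0xFFFFu;   /* (_WORD)a1 in the decompiled form */
  if ( low )
    v += 0x10000u - low;            /* was `-=` in the shipped binary */
  return (int)v;
}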
Buffer.BaseAddress = 0x01F6E000
Buffer.RegionSize = 0x1000
sub_10077C00应该是对齐0x10000
问题就出在,每次都减去0x1000,又回到BaseAddress
一直VirtualQuery,导致cpu占用30%
如果不是这个问题,我还不怎么关注迅雷的垃圾进程
有必要写个软件干掉所有迅雷的垃圾进程
这函数的作用是找MEM_FREE && Buffer.RegionSize >= 0x10000的内存,重新分配利用起来
可惜代码没写好,对齐导致死循环
把 - 改成 +, 就正常了
a1 += 0x10000 - (unsigned __int16)a1;
原始
031E7C00 55 PUSH EBP                   ; sub_10077C00 as loaded (IDA base 0x10000000 -> module Base=03170000 above); a1 = [EBP+8]
031E7C01 8BEC MOV EBP,ESP
031E7C03 83EC 08 SUB ESP,8             ; two locals: [EBP-4] = a1 & 0xFFFF, [EBP-8] = 0x10000 - [EBP-4]
031E7C06 8B45 08 MOV EAX,[EBP+8]       ; EAX = a1
031E7C09 25 FFFF0000 AND EAX,0FFFF     ; EAX = a1 & 0xFFFF; sets ZF used by the JE below
031E7C0E 8945 FC MOV [EBP-4],EAX       ; MOV does not touch flags
031E7C11 74 14 JE SHORT 031E7C27       ; low word already zero -> return a1 unchanged
031E7C13 B9 00000100 MOV ECX,10000     ; immediate bytes 00 00 01 00 (little-endian) = 0x10000
031E7C18 2B4D FC SUB ECX,[EBP-4]       ; ECX = 0x10000 - (a1 & 0xFFFF) = distance up to the next 64 KiB boundary
031E7C1B 894D F8 MOV [EBP-8],ECX
031E7C1E 8B55 08 MOV EDX,[EBP+8]       ; EDX = a1
031E7C21 2B55 F8 SUB EDX,[EBP-8] ;sub  ; BUG: subtracts the distance, landing below a1 instead of on the boundary above it
031E7C24 8955 08 MOV [EBP+8],EDX
031E7C27 8B45 08 MOV EAX,[EBP+8]       ; return value in EAX
031E7C2A 8BE5 MOV ESP,EBP
031E7C2C 5D POP EBP
031E7C2D C3 RETN
修改后
031E7C00 55 PUSH EBP                   ; patched sub_10077C00; only the opcode at 031E7C21 differs (2B -> 03)
031E7C01 8BEC MOV EBP,ESP
031E7C03 83EC 08 SUB ESP,8             ; two locals: [EBP-4] = a1 & 0xFFFF, [EBP-8] = 0x10000 - [EBP-4]
031E7C06 8B45 08 MOV EAX,[EBP+8]       ; EAX = a1
031E7C09 25 FFFF0000 AND EAX,0FFFF     ; EAX = a1 & 0xFFFF; sets ZF used by the JE below
031E7C0E 8945 FC MOV [EBP-4],EAX       ; MOV does not touch flags
031E7C11 74 14 JE SHORT 031E7C27       ; low word already zero -> return a1 unchanged
031E7C13 B9 00000100 MOV ECX,10000     ; immediate bytes 00 00 01 00 (little-endian) = 0x10000
031E7C18 2B4D FC SUB ECX,[EBP-4]       ; ECX = 0x10000 - (a1 & 0xFFFF) = distance up to the next 64 KiB boundary
031E7C1B 894D F8 MOV [EBP-8],ECX
031E7C1E 8B55 08 MOV EDX,[EBP+8]       ; EDX = a1
031E7C21 0355 F8 ADD EDX,[EBP-8] ;add  ; FIX: add the distance, so EDX is the next multiple of 0x10000 >= a1
031E7C24 8955 08 MOV [EBP+8],EDX
031E7C27 8B45 08 MOV EAX,[EBP+8]       ; return value in EAX
031E7C2A 8BE5 MOV ESP,EBP
031E7C2C 5D POP EBP
031E7C2D C3 RETN
这种对齐以前没看过,顺便收集起来,对齐的4种算法
//(1)最容易想到的算法:
/* Round n up to a multiple of align using integer division.
   align == 0 divides by zero (UB); the product wraps if it exceeds UINT_MAX. */
unsigned int calc_align1(unsigned int n,unsigned align)
{
    unsigned int q = n / align;
    unsigned int floored = q * align;   /* largest multiple of align <= n */
    if (floored != n)
        floored = (q + 1) * align;      /* n was not a multiple: take the next one */
    return floored;
}
//(2)更好的算法:
/* Bit-mask round-up.  Correct only when align is a power of two, because
   align - 1 must be a contiguous run of low bits.  No division, so
   align == 0 does not trap: mask is 0xFFFFFFFF, ~mask is 0, result is 0.
   n + mask wraps if it exceeds UINT_MAX. */
unsigned int calc_align2(unsigned int n,unsigned align)
{
    unsigned int mask = align - 1u;
    unsigned int bumped = n + mask;
    return bumped & ~mask;
}
/* Round n up to a multiple of align, testing the remainder first.
   align == 0 divides by zero (UB); the product wraps if it exceeds UINT_MAX. */
unsigned int calc_align3(unsigned int n,unsigned align)
{
    unsigned int rem = n % align;
    if (rem == 0)
        return n;                       /* already aligned */
    return (n / align + 1) * align;     /* next multiple above n */
}
//迅雷
/* Round n up by adding the shortfall to the next multiple of align
   (the form used in the Xunlei helper, but with addition).
   align == 0 divides by zero (UB); the sum wraps if it exceeds UINT_MAX. */
unsigned int calc_align4(unsigned int n,unsigned align)
{
    unsigned int rem = n % align;
    return rem ? n + (align - rem) : n;
}
//hellotong
/* Ceiling-division round-up: count whole blocks of align needed for n, then
   scale back.  Works for any non-zero align (not just powers of two);
   align == 0 divides by zero (UB); n + align - 1 wraps past UINT_MAX. */
unsigned int calc_align5(unsigned int n,unsigned align)
{
    unsigned int blocks = (n + align - 1u) / align;
    return blocks * align;
}
最好的是第2种算法(前提是align为2的幂,否则 & ~(align-1) 的掩码运算结果不对;其余几种不受此限制),其他是绿叶衬红花