-
-
[分享]od窗口函数地址修正
-
发表于:
2014-2-19 13:30
6682
-
具体原因参考:
http://bbs.pediy.com/showthread.php?t=121113&highlight=ClsProc
http://invlpg.blogspot.com/2010/04/ollydbg-gets-wrong-clsproc.html
摘录问题及解决方案:
OllyDbg uses GetClassLongA to retrieve ClassProc.
On most ansi windows this works fine, but on unicode ones not.
GetClassLongA will return a magic cookie which looks like FFFF1234
instead of the real procedure address.
You can patch Olly by replacing GetClassLongA with GetClassLongW to see the difference:
some values used to be FFFF1234 became meaningful pointers, and vice versa.
here is the solution:
ClsProc = GetClassLongA(hWnd, GCL_WNDPROC)
if ClsProc & 0x80000000:
ClsProc = GetClassLongW(hWnd, GCL_WNDPROC)
修改过程:
在用OD加载OD,然后在GetClassLongA下断,找到调用GetClassLongA的地方,在此段尾部找一块空白处,打如下补丁:
004AF7DD $ FF7424 08 push dword ptr ss:[esp+0x8] ; /Index;复制参数栈
004AF7E1 . FF7424 08 push dword ptr ss:[esp+0x8] ; |hWnd
004AF7E5 . E8 36FCFFFF call <jmp.&USER32.GetClassLongA> ; \GetClassLongA
004AF7EA . 25 00000080 and eax,0x80000000 ;是否是Unicode Window
004AF7EF .- 0F85 04C98677 jnz USER32.GetClassLongW
004AF7F5 . C2 0800 retn 0x8
然后将所有对GetClassLongA的调用修改为调用此函数。
此处GetClassLongW使用的是硬编码,不想搞IAT,所以就不上传二进制文件了。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课