一段很老的汇编补丁代码，是天草课程里面的三人行师父做的。由于本人实在是不懂，麻烦好心师父帮我转成易语言的书写格式，先谢谢了。
100看雪币不成敬意，如果嫌少，我再充值！
为感
By:商品国际 2015年4月18日
第一次发帖，如有失误之处，还请版主师父见谅。
附件我已经上传了
代码如下:
.586
.model flat,stdcall
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
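; ---------------------------------------------------------------------------
; Loader for IconSearcher.exe: starts the target suspended, lets its unpacker
; run until the dword at raddr equals kernel32!CreateFileA, then plants a
; registration name plus a small one-shot hook in the target and resumes it.
;
; Target: Win32 x86, stdcall, MASM32 include set.  Register roles in .code:
;   ebx = CreateFileA address resolved in *this* process (poll value)
;   esi = polling slices used so far (timeout counter)
;   edi = error message to show before giving up on a started target
; All three are callee-saved in the Win32 ABI, so they survive every invoke.
;
; Every address below is for ONE specific build of the target; with any other
; build the raddr poll may never match (now a timeout) or the writes land on
; the wrong bytes.  Nothing here can detect that beyond the poll itself.
; ---------------------------------------------------------------------------
APP_PATH_SIZE     equ 260            ; MAX_PATH: "<dir>\IconSearcher.exe" + NUL
WAIT_SLICE_MS     equ 10h            ; how long the target runs per poll
WAIT_MAX_SLICES   equ 3000           ; give up after roughly 48 s of polling
EXIT_STILL_ACTIVE equ 103h           ; GetExitCodeProcess value while running (STILL_ACTIVE)

.data
szReg      db 'wynney',0             ; registration name planted at RegAddr
           db 17 dup(0)              ; pad to 24 bytes so the whole write below comes
                                     ; from this buffer (old code spilled into szcap)
REG_SIZE   equ $-szReg
szcap      db 'Loader by wynney',0
szerr      db 'Could not find: '     ; failing path is appended with lstrcat
           db APP_PATH_SIZE dup(0)   ; room for a full path plus NUL
szerrpath  db 'Could not determine the directory of the loader.',0
szerrwait  db 'Target exited or timed out before its unpacker finished.',0
szerrwrite db 'Could not write the patch into the target process.',0

; Hard-coded addresses inside the target (no relocation/ASLR handling).
RegAddr    dd 007DB850h              ; where the registration name is placed
PatchAddr1 dd 006930FDh              ; instruction replaced by a jmp into the cave
PatchAddr2 dd 007DB870h              ; code cave that receives pdat
raddr      dd 006C92F4h              ; dword polled until it equals CreateFileA
                                     ; (presumably an import slot the unpacker fills)

; One-shot hook written to PatchAddr2, decoded from the bytes:
pdat       db 0C7h,45h,08h,50h,0B8h,7Dh,00h              ; mov dword ptr [ebp+8], 007DB850h  (RegAddr; presumably
                                                         ;   the first stack argument of the patched function)
           db 0C7h,05h,0FDh,30h,69h,00h,0E8h,82h,00h,00h ; mov dword ptr ds:[006930FDh], 000082E8h  (puts E8 82 00 00
                                                         ;   back at PatchAddr1 - presumably the original bytes)
           db 0E9h,77h,78h,0EBh,0FFh                     ; jmp 006930FDh  (rel32 from 007DB886h back to PatchAddr1)
           db 0,0                                        ; padding to 24 bytes
PDAT_SIZE  equ $-pdat
; Written over PatchAddr1: jmp 007DB870h (rel32 +0014876Eh from 006930FDh+5).
pdat1      db 0E9h,6Eh,87h,14h,00h
PDAT1_SIZE equ $-pdat1

rbuffer    dd 0                      ; dword read back from the target at raddr
szapppath  db APP_PATH_SIZE dup(0)   ; "<loader directory>\" + appname
appname    db 'IconSearcher.exe',0
apialloc   dd CreateFileA            ; address of this module's CreateFileA import thunk

.data?
align dword
startinfo  STARTUPINFO <>
pi         PROCESS_INFORMATION <>
exitcode   dd ?

.code
start:
    ; --- Build "<directory of this loader>\IconSearcher.exe" ----------------
    ; The old code used GetCurrentDirectory, which is the *working* directory:
    ; it is chosen by whoever launched us and need not be where the loader (or
    ; the target) lives.  Use the module path and strip the file name instead.
    invoke GetModuleFileName,NULL,addr szapppath,APP_PATH_SIZE
    .if eax==0 || eax>=APP_PATH_SIZE         ; failed or truncated
        jmp @@fail_path
    .endif
    lea ebx,[eax+offset szapppath]           ; ebx -> terminating NUL
@@find_sep:
    cmp ebx,offset szapppath
    jbe @@fail_path                          ; no '\' at all: not a usable full path
    dec ebx
    cmp byte ptr [ebx],'\'
    jne @@find_sep
    mov byte ptr [ebx+1],0                   ; keep the '\', drop the file name
    lea eax,[ebx+1]
    sub eax,offset szapppath                 ; eax = directory length incl. '\'
    add eax,sizeof appname                   ; + "IconSearcher.exe" + NUL
    cmp eax,APP_PATH_SIZE
    ja @@fail_path                           ; would overflow szapppath
    invoke lstrcat,addr szapppath,addr appname

    ; --- Start the target suspended ------------------------------------------
    invoke GetStartupInfo,addr startinfo
    invoke CreateProcess,addr szapppath,NULL,NULL,NULL,NULL,CREATE_SUSPENDED,NULL,NULL,addr startinfo,addr pi
    .if eax==0
        invoke lstrcat,addr szerr,addr szapppath   ; szerr has APP_PATH_SIZE bytes of room
        invoke MessageBox,NULL,addr szerr,addr szcap,MB_OK OR MB_ICONSTOP
        jmp @@end
    .endif

    ; --- Resolve kernel32!CreateFileA in our own process ---------------------
    ; apialloc points at the import thunk `jmp dword ptr [__imp__CreateFileA]`
    ; (FF 25 <IAT slot>): +2 skips the opcode, the two loads fetch the real
    ; address.  Comparing it with a dword in the target assumes kernel32 is
    ; mapped at the same base in both processes.
    mov ebx,[apialloc]
    mov ebx,[ebx+2]
    mov ebx,[ebx]

    ; --- Let the unpacker run until raddr holds that address -----------------
    ; The target runs WAIT_SLICE_MS at a time and is suspended before the read
    ; so the value is stable.  The old loop spun forever if the target died or
    ; never matched; it now stops on process exit or after WAIT_MAX_SLICES.
    xor esi,esi
@@wait:
    invoke ResumeThread,pi.hThread
    invoke Sleep,WAIT_SLICE_MS
    invoke SuspendThread,pi.hThread
    invoke GetExitCodeProcess,pi.hProcess,addr exitcode
    inc esi
    .if eax==0 || exitcode!=EXIT_STILL_ACTIVE || esi>=WAIT_MAX_SLICES
        mov edi,offset szerrwait
        jmp @@abort_child
    .endif
    invoke ReadProcessMemory,pi.hProcess,raddr,addr rbuffer,4,NULL
    test eax,eax
    jz @@wait                                ; not readable yet: keep polling
    mov edx,[rbuffer]
    cmp ebx,edx
    jne @@wait

    ; --- Unpacked: plant the name, the hook, then the redirect ---------------
    ; Order matters: the name and the cave must be in place before PatchAddr1
    ; is redirected into them.  A failed write leaves a half-patched target,
    ; so it is terminated rather than resumed.
    invoke WriteProcessMemory,pi.hProcess,RegAddr,addr szReg,REG_SIZE,NULL
    test eax,eax
    jz @@fail_write
    invoke WriteProcessMemory,pi.hProcess,PatchAddr2,addr pdat,PDAT_SIZE,NULL
    test eax,eax
    jz @@fail_write
    invoke WriteProcessMemory,pi.hProcess,PatchAddr1,addr pdat1,PDAT1_SIZE,NULL
    test eax,eax
    jz @@fail_write
    invoke ResumeThread,pi.hThread
    jmp @@close_child

@@fail_write:
    mov edi,offset szerrwrite
@@abort_child:                               ; edi -> message; target is still suspended
    invoke TerminateProcess,pi.hProcess,1
    invoke MessageBox,NULL,edi,addr szcap,MB_OK OR MB_ICONSTOP
@@close_child:
    ; CreateProcess returns two handles in pi; the old code instead closed the
    ; BOOL it had stored in a variable named `handle`.
    invoke CloseHandle,pi.hThread
    invoke CloseHandle,pi.hProcess
    jmp @@end

@@fail_path:
    invoke MessageBox,NULL,addr szerrpath,addr szcap,MB_OK OR MB_ICONSTOP
@@end:
    invoke ExitProcess,NULL
end start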