用HOOK的方法为Keygener_Assistant v2.12添加拖放支持功能
Keygener_Assistant v2.12是一个非常实用的工具,尤其是其中的密码学算法分析模块,对于密码学分析来说,有很好的辅助作用.
但程序不支持文件拖放,所以使用上不是很方便.
程序有3处需要打开文件路径,一是密码学分析,二是计算文件HASH,三是数据加密和解密
这3处如果支持拖放则会方便很多.
1.分析功能CALL
首先要找到功能CALL,然后要找到其参数.
程序用UPX加壳,脱壳后用DelphiDecompiler分析,找到File Hash计算的Open按钮和密码学算法分析模块的Scan按钮响应事件代码:
(1)计算文件HASH功能,这里需要输入文件路径
Hashing->Calc Hash->File Hash->Open按钮事件响应代码:
0052AA28 55 push ebp
0052AA29 8BEC mov ebp, esp
0052AA2B 6A00 push $00
0052AA2D 53 push ebx
0052AA2E 56 push esi
0052AA2F 57 push edi
0052AA30 8BF2 mov esi, edx //ESI=EDX=0205207C 参数1
0052AA32 8BD8 mov ebx, eax //EBX=EAX=02001074 参数2
0052AA34 33C0 xor eax, eax
0052AA36 55 push ebp
Possible String Reference to: '樽濏?腽_^[Y]?
|
0052AA37 6818AB5200 push $0052AB18
0052AA3C 64FF30 push dword ptr fs:[eax]
0052AA3F 648920 mov fs:[eax], esp
Reference to field TForm1.OFFS_1747
|
0052AA42 80BB7A74010000 cmp byte ptr [ebx+$1747A], $00
0052AA49 740C jz 0052AA57
Reference to field TForm1.OFFS_1747
|
0052AA4B C6837974010001 mov byte ptr [ebx+$17479], $01
0052AA52 E9AB000000 jmp 0052AB02
Reference to control TForm1.OpenDialog2 : TOpenDialog
|
0052AA57 8B8350070000 mov eax, [ebx+$0750]
0052AA5D 8B10 mov edx, [eax]
Possible reference to virtual method TOpenDialog.OFFS_3C
|
0052AA5F FF523C call dword ptr [edx+$3C] //打开文件对话框
0052AA62 84C0 test al, al
0052AA64 0F8498000000 jz 0052AB02
0052AA6A 8D55FC lea edx, [ebp-$04]
Reference to control TForm1.OpenDialog2 : TOpenDialog
|
0052AA6D 8B8350070000 mov eax, [ebx+$0750]
Reference to: Dialogs.TOpenDialog.GetFileName()
|
0052AA73 E82477F1FF call 0044219C //获取文件路径
0052AA78 8B55FC mov edx, [ebp-$04] //EDX为路径
0052AA7B B888505E00 mov eax, $005E5088
|
0052AA80 E8A7A5EDFF call 0040502C //这个CALL是判断是不是修改了默认选项
0052AA85 803D7B625E0001 cmp byte ptr [$005E627B], $01
0052AA8C 7517 jnz 0052AAA5 //如果没有修改默认选项则直接跳到计算HASH的功能CALL
0052AA8E 6A00 push $00
0052AA90 668B0D28AB5200 mov cx, word ptr [$0052AB28]
0052AA97 B203 mov dl, $03
Possible String Reference to: 'Some Hash you use are modified!You want to restore default values?'
0052AA99 B834AB5200 mov eax, $0052AB34
Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.[Dialogs.TMsgDlgBtn]; Integer)
|
0052AA9E E80D8BF1FF call 004435B0
0052AAA3 8BF8 mov edi, eax
0052AAA5 4F dec edi
0052AAA6 7551 jnz 0052AAF9
0052AAA8 8BD6 mov edx, esi
0052AAAA 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn2Click()
|
0052AAAC E863B4FFFF call 00525F14 //以下都是选项
0052AAB1 8BD6 mov edx, esi
0052AAB3 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn4Click()
|
0052AAB5 E8BAB5FFFF call 00526074
0052AABA 8BD6 mov edx, esi
0052AABC 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn5Click()
|
0052AABE E811B7FFFF call 005261D4
0052AAC3 8BD6 mov edx, esi
0052AAC5 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn8Click()
|
0052AAC7 E830B8FFFF call 005262FC
0052AACC 8BD6 mov edx, esi
0052AACE 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn9Click()
|
0052AAD0 E87BB9FFFF call 00526450
0052AAD5 8BD6 mov edx, esi
0052AAD7 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn11Click()
|
0052AAD9 E8AABBFFFF call 00526688
0052AADE 8BD6 mov edx, esi
0052AAE0 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn13Click()
|
0052AAE2 E825BDFFFF call 0052680C
0052AAE7 8BD6 mov edx, esi
0052AAE9 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn15Click()
|
0052AAEB E80CBFFFFF call 005269FC
0052AAF0 8BD6 mov edx, esi
0052AAF2 8BC3 mov eax, ebx
Reference to : TForm1.BitBtn17Click()
|
0052AAF4 E8F3C0FFFF call 00526BEC //选项结束
0052AAF9 8BD6 mov edx, esi
0052AAFB 8BC3 mov eax, ebx
Reference to : TForm1.FileHashing()
|
0052AAFD E8E6FCFFFF call 0052A7E8 //HASH计算CALL
0052AB02 33C0 xor eax, eax
0052AB04 5A pop edx
0052AB05 59 pop ecx
0052AB06 59 pop ecx
0052AB07 648910 mov fs:[eax], edx
** FINALLY
|
Possible String Reference to: '_^[Y]?
|
0052AB0A 681FAB5200 push $0052AB1F
0052AB0F 8D45FC lea eax, [ebp-$04]
|
0052AB12 E8C1A4EDFF call 00404FD8
0052AB17 C3 ret
0052AB18 E9D79DEDFF jmp 004048F4
0052AB1D EBF0 jmp 0052AB0F
** END
|
0052AB1F 5F pop edi
0052AB20 5E pop esi
0052AB21 5B pop ebx
0052AB22 59 pop ecx
0052AB23 5D pop ebp
0052AB24 C3 ret
(2)密码学分析功能CALL
Scanning->Scan按钮事件响应代码:
00521734 55 push ebp
00521735 8BEC mov ebp, esp
00521737 6A00 push $00
00521739 53 push ebx
0052173A 8BD8 mov ebx, eax
0052173C 33C0 xor eax, eax
0052173E 55 push ebp
0052173F 688B175200 push $0052178B
00521744 64FF30 push dword ptr fs:[eax]
00521747 648920 mov fs:[eax], esp
Reference to control TForm1.OpenDialog1 : TOpenDialog
|
0052174A 8B8330030000 mov eax, [ebx+$0330]
00521750 8B10 mov edx, [eax]
Possible reference to virtual method TOpenDialog.OFFS_3C
|
00521752 FF523C call dword ptr [edx+$3C]
00521755 84C0 test al, al
00521757 741C jz 00521775
00521759 8D55FC lea edx, [ebp-$04]
Reference to control TForm1.OpenDialog1 : TOpenDialog
|
0052175C 8B8330030000 mov eax, [ebx+$0330]
Reference to: Dialogs.TOpenDialog.GetFileName()
|
00521762 E8350AF2FF call 0044219C
00521767 8B55FC mov edx, [ebp-$04] //EDX为文件路径 参数1
Reference to control TForm1.Traget : TEdit
|
0052176A 8B834C030000 mov eax, [ebx+$034C]//EAX为参数2,$034C为偏移,PATCH代码会用到
Reference to: Controls.TControl.SetText(System.AnsiString)
|
00521770 E8B394F2FF call 0044AC28 //调用密码学分析CALL
00521775 33C0 xor eax, eax
00521777 5A pop edx
00521778 59 pop ecx
00521779 59 pop ecx
0052177A 648910 mov fs:[eax], edx
** FINALLY
|
0052177D 6892175200 push $00521792
00521782 8D45FC lea eax, [ebp-$04]
|
00521785 E84E38EEFF call 00404FD8
0052178A C3 ret
0052178B E96431EEFF jmp 004048F4
00521790 EBF0 jmp 00521782
** END
|
00521792 5B pop ebx
00521793 59 pop ecx
00521794 5D pop ebp
00521795 C3 ret
(3)数据加密解密CALL
00540508 55 push ebp
00540509 8BEC mov ebp, esp
0054050B B905000000 mov ecx, $00000005
00540510 6A00 push $00
00540512 6A00 push $00
00540514 49 dec ecx
00540515 75F9 jnz 00540510
00540517 53 push ebx
00540518 56 push esi
00540519 8BD8 mov ebx, eax
0054051B 33C0 xor eax, eax
0054051D 55 push ebp
* Possible String Reference to: '閄B?脎^[嬪]?'
|
0054051E 6897065400 push $00540697
00540523 64FF30 push dword ptr fs:[eax]
00540526 648920 mov fs:[eax], esp
* Reference to control TForm1.OpenDialog2 : TOpenDialog
|
00540529 8B8350070000 mov eax, [ebx+$0750]
0054052F 8B10 mov edx, [eax]
* Possible reference to virtual method TOpenDialog.OFFS_3C
|
00540531 FF523C call dword ptr [edx+$3C] //打开选择文件对话框
00540534 84C0 test al, al
00540536 0F8430010000 jz 0054066C
0054053C 8D55FC lea edx, [ebp-$04]
* Reference to control TForm1.OpenDialog2 : TOpenDialog
|
0054053F 8B8350070000 mov eax, [ebx+$0750]
* Reference to: Dialogs.TOpenDialog.GetFileName()
|
00540545 E8521CF0FF call 0044219C
0054054A 8B55FC mov edx, [ebp-$04] //EDX为文件完整路径
* Reference to control TForm1.Edit7 : TEdit
|
0054054D 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.SetText(System.AnsiString)
|
00540553 E8D0A6F0FF call 0044AC28 //将文件完整路径设置到控件上
00540558 8D55F4 lea edx, [ebp-$0C]
* Reference to control TForm1.Edit7 : TEdit
|
0054055B 8B83780C0000 mov eax, [ebx+$0C78] //EBX为结构体指针,$0C78为偏移,PATCH代码会用到
* Reference to: Controls.TControl.GetText()
|
00540561 E892A6F0FF call 0044ABF8
00540566 8B45F4 mov eax, [ebp-$0C]
00540569 8D55F8 lea edx, [ebp-$08]
|
0054056C E85766FDFF call 00516BC8
00540571 8B45F8 mov eax, [ebp-$08]
|
00540574 E81F4DECFF call 00405298
00540579 8BF0 mov esi, eax
0054057B 8D55F0 lea edx, [ebp-$10]
* Reference to control TForm1.Edit7 : TEdit
|
0054057E 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.GetText()
|
00540584 E86FA6F0FF call 0044ABF8
00540589 8B55F0 mov edx, [ebp-$10]
* Possible String Reference to: '.encrypted'
|
0054058C B8AC065400 mov eax, $005406AC
|
00540591 E84650ECFF call 004055DC
00540596 85C0 test eax, eax
00540598 756A jnz 00540604
0054059A 8D45EC lea eax, [ebp-$14]
0054059D 50 push eax
0054059E 8D55E8 lea edx, [ebp-$18]
* Reference to control TForm1.Edit7 : TEdit
|
005405A1 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.GetText()
|
005405A7 E84CA6F0FF call 0044ABF8
005405AC 8B45E8 mov eax, [ebp-$18]
|
005405AF E8E44CECFF call 00405298
005405B4 99 cdq
005405B5 52 push edx
005405B6 50 push eax
005405B7 8BC6 mov eax, esi
005405B9 33D2 xor edx, edx
005405BB 290424 sub dword ptr [esp], eax
005405BE 19542404 sbb [esp+$04], edx
005405C2 58 pop eax
005405C3 5A pop edx
005405C4 83E801 sub eax, +$01
005405C7 83DA00 sbb edx, +$00
005405CA 50 push eax
005405CB 8D55E4 lea edx, [ebp-$1C]
* Reference to control TForm1.Edit7 : TEdit
|
005405CE 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.GetText()
|
005405D4 E81FA6F0FF call 0044ABF8
005405D9 8B45E4 mov eax, [ebp-$1C]
005405DC BA01000000 mov edx, $00000001
005405E1 59 pop ecx
|
005405E2 E8114FECFF call 004054F8
005405E7 8D45EC lea eax, [ebp-$14]
* Possible String Reference to: '.encrypted'
|
005405EA BAAC065400 mov edx, $005406AC
|
005405EF E8AC4CECFF call 004052A0
005405F4 8B55EC mov edx, [ebp-$14]
* Reference to control TForm1.Edit8 : TEdit
|
005405F7 8B837C0C0000 mov eax, [ebx+$0C7C] //$0C7C为设置输出文件参加的偏移,PATCH代码会用到
* Reference to: Controls.TControl.SetText(System.AnsiString)
|
005405FD E826A6F0FF call 0044AC28 //设置输出文件完整路径
00540602 EB68 jmp 0054066C
00540604 8D45E0 lea eax, [ebp-$20]
00540607 50 push eax
00540608 8D55DC lea edx, [ebp-$24]
* Reference to control TForm1.Edit7 : TEdit
|
0054060B 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.GetText()
|
00540611 E8E2A5F0FF call 0044ABF8
00540616 8B45DC mov eax, [ebp-$24]
|
00540619 E87A4CECFF call 00405298
0054061E 99 cdq
0054061F 52 push edx
00540620 50 push eax
00540621 8BC6 mov eax, esi
00540623 33D2 xor edx, edx
00540625 290424 sub dword ptr [esp], eax
00540628 19542404 sbb [esp+$04], edx
0054062C 58 pop eax
0054062D 5A pop edx
0054062E 83E801 sub eax, +$01
00540631 83DA00 sbb edx, +$00
00540634 50 push eax
00540635 8D55D8 lea edx, [ebp-$28]
* Reference to control TForm1.Edit7 : TEdit
|
00540638 8B83780C0000 mov eax, [ebx+$0C78]
* Reference to: Controls.TControl.GetText()
|
0054063E E8B5A5F0FF call 0044ABF8
00540643 8B45D8 mov eax, [ebp-$28]
00540646 BA01000000 mov edx, $00000001
0054064B 59 pop ecx
|
0054064C E8A74EECFF call 004054F8
00540651 8D45E0 lea eax, [ebp-$20]
* Possible String Reference to: '.decrypted'
|
00540654 BAC0065400 mov edx, $005406C0
|
00540659 E8424CECFF call 004052A0
0054065E 8B55E0 mov edx, [ebp-$20]
* Reference to control TForm1.Edit8 : TEdit
|
00540661 8B837C0C0000 mov eax, [ebx+$0C7C]
* Reference to: Controls.TControl.SetText(System.AnsiString)
|
00540667 E8BCA5F0FF call 0044AC28
0054066C 33C0 xor eax, eax
0054066E 5A pop edx
0054066F 59 pop ecx
00540670 59 pop ecx
00540671 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '^[嬪]?'
|
00540674 689E065400 push $0054069E
00540679 8D45D8 lea eax, [ebp-$28]
0054067C BA08000000 mov edx, $00000008
|
00540681 E87649ECFF call 00404FFC
00540686 8D45F8 lea eax, [ebp-$08]
|
00540689 E84A49ECFF call 00404FD8
0054068E 8D45FC lea eax, [ebp-$04]
|
00540691 E84249ECFF call 00404FD8
00540696 C3 ret
00540697 E95842ECFF jmp 004048F4
0054069C EBDB jmp 00540679
****** END
|
0054069E 5E pop esi
0054069F 5B pop ebx
005406A0 8BE5 mov esp, ebp
005406A2 5D pop ebp
005406A3 C3 ret
2.找到程序处理消息循环
0044BEC1 |. 8BD6 MOV EDX,ESI
0044BEC3 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
0044BEC5 |. FF57 24 CALL DWORD PTR DS:[EDI+0x24]
0044BEC8 |. 84C0 TEST AL,AL
0044BECA |. 0F85 3F010000 JNZ 0044C00F
0044BED0 |> 8B03 MOV EAX,DWORD PTR DS:[EBX] //取出消息值
0044BED2 |. 3D 00010000 CMP EAX,0x100 //这里CALL补丁函数
0044BED7 |. 72 37 JB SHORT 0044BF10
0044BED9 |. 3D 08010000 CMP EAX,0x108
0044BEDE |. 77 30 JA SHORT 0044BF10
0044BEE0 |. 8BC6 MOV EAX,ESI
0044BEE2 |. E8 C95E0100 CALL 00461DB0
0044BEE7 |. 8945 EC MOV DWORD PTR SS:[EBP-0x14],EAX
0044BEEA |. 837D EC 00 CMP DWORD PTR SS:[EBP-0x14],0x0
0044BEEE |. 0F84 12010000 JE 0044C006
0044BEF4 |. 8BCB MOV ECX,EBX
0044BEF6 |. 8BD6 MOV EDX,ESI
0044BEF8 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-0x14]
3.HOOK代码调用DLL函数
用AheadLib转发winspool.drv输出函数,只要用直接转发就行.
然后HOOK "ntdll.dll", "ZwDeviceIoControlFile"
DWORD patchaddr=0x0044BED2;// address of the 5-byte `CMP EAX,0x100` in the message loop (section 2); MyZwDeviceIoControlFile overwrites it with `CALL DropFileAdd`
// Prototype of the real ntdll!ZwDeviceIoControlFile, used by the hook to forward
// the call.  The parameter types are the author's own declaration (ApcRoutine and
// IoStatusBlock are given as ULONG / PVOID rather than the DDK types).
typedef LONG (WINAPI *__pfnZwDeviceIoControlFile)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN ULONG ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PVOID IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
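// Copies `len` bytes from `bytes` over the code at `addr` in this process.
// Only the touched range is made writable, the previous page protection is put
// back afterwards and the instruction cache is flushed, so the patch does not
// leave the target's code writable+executable for the life of the process (the
// earlier version made the 0x26d000 bytes from 0x401000 RWX permanently and
// never checked whether VirtualProtect had succeeded before writing).
// Returns 0 and writes nothing when the protection change fails.
static int WriteCodeBytes(DWORD addr, const unsigned char *bytes, DWORD len)
{
    PVOID target = (PVOID)addr;
    DWORD oldProtect = 0;
    if (!VirtualProtect(target, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;
    unsigned char *dst = (unsigned char *)target;
    for (DWORD i = 0; i < len; i++)
        dst[i] = bytes[i];
    DWORD unused = 0;
    VirtualProtect(target, len, oldProtect, &unused); // restore the previous protection
    FlushInstructionCache(GetCurrentProcess(), target, len);
    return 1;
}

// Hook body for ntdll!ZwDeviceIoControlFile.  The hook is only a convenient
// point that is reached after the UPX stub has unpacked the program: on every
// call it checks whether the original `CMP EAX,0x100` (opcode 0x3D) is still at
// patchaddr and, if so, replaces it once with a 5-byte relative CALL to
// DropFileAdd and applies the second one-byte patch at 0x00402B3B.  After the
// first patch the byte at patchaddr is 0xE8, so the same check also prevents
// re-patching (two threads racing through the check would write identical
// bytes, which is harmless).  The real system call is then forwarded unchanged.
// RetAddr / pfnZwDeviceIoControlFile are the hook framework's extra leading
// parameters: the caller's return address and the real function to forward to.
LONG WINAPI MyZwDeviceIoControlFile(
DWORD RetAddr,
__pfnZwDeviceIoControlFile pfnZwDeviceIoControlFile,
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN ULONG ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PVOID IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
)
{
    if (*(BYTE*)patchaddr == 0x3d) // code is unpacked and not yet patched
    {
        // E8 rel32 = CALL DropFileAdd; rel32 is relative to the end of the 5-byte instruction
        DWORD rel = (DWORD)DropFileAdd - patchaddr - 5;
        unsigned char callPatch[5];
        callPatch[0] = 0xE8;
        callPatch[1] = (unsigned char)(rel);
        callPatch[2] = (unsigned char)(rel >> 8);
        callPatch[3] = (unsigned char)(rel >> 16);
        callPatch[4] = (unsigned char)(rel >> 24);
        if (WriteCodeBytes(patchaddr, callPatch, sizeof callPatch))
        {
            // EB = short JMP; per the author this skips an exception raised at exit
            unsigned char jmpPatch = 0xEB;
            WriteCodeBytes(0x00402B3B, &jmpPatch, 1);
        }
    }
    return pfnZwDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                                    IoControlCode, InputBuffer, InputBufferLength,
                                    OutputBuffer, OutputBufferLength);
}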
4.写处理代码函数
程序代码分析清楚了,下步只要将参数传递过去,然后调用相应的功能CALL即可.
我把相关的功能放在一个函数里处理了.
这些代码全部放到一个DLL中,然后调用.
功能函数代码:
extern "C" __declspec(dllexport) void DropFileAdd(); // exported entry the patched CALL at patchaddr lands in; handles the drop message
// Captions of the three windows a drop can be handled in.  DropFileAdd passes
// them to FindWindowA (`push offset ...`) to decide which handler to drive.
char ScanningWindow[] = "Keygener_Assistant v2.1.2 - Scanning : Hash & Crypto Detector"; // crypto-scan window
char HashingWindow[] = "Keygener_Assistant v2.1.2 - Hashing , Analyzer & Brute Forcer"; // file-hash window
char EncryptWindow[] = "Keygener_Assistant v2.1.2 - Crypto Operations : Symmetric & Asymmetric"; // encrypt / decrypt window
DWORD _ESI = 0; // object pointer captured from ESI when the drop message arrives (written and read only by DropFileAdd)
DWORD hMywindow = 0; // window handle found; declared here but not referenced by the code on this page
// Patched-in replacement for the 5-byte `CMP EAX,0x100` at patchaddr (0044BED2)
// in the message dispatch loop shown in section 2; MyZwDeviceIoControlFile turns
// that instruction into `CALL DropFileAdd`.  The function re-executes the two
// displaced instructions itself (`mov eax,[ebx]` on entry, `CMP EAX,0x100` just
// before `ret`) so the JB/JA that follow in the caller still test the original
// flags, and preserves every register with pushad/popad.  In between, when the
// message is WM_DROPFILES (0x233) it converts the first dropped path to a
// multi-byte string in a fixed buffer inside the target image and hands it to
// whichever of the three handlers (Scan, File Hash, Encrypt) has its window open.
// Naked: no compiler prologue/epilogue, so nothing below may rely on C++ locals.
// NOTE(review): the output buffer 0x5D7E80 (0xfff bytes) and the length slot
// 0x5D7E7C are fixed addresses chosen by the author; nothing here verifies that
// the program leaves them unused — confirm before reusing the patch on another build.
__declspec(naked) void DropFileAdd() // handle WM_DROPFILES and dispatch to the program's own code
{
__asm{
mov eax,[ebx] // displaced original instruction: EAX = message id
pushad
cmp eax,0x233 // WM_DROPFILES
jne _next
mov _ESI,esi // ESI is the object pointer the target's handlers expect; every control is addressed through it, so keep it
lea eax,[edx+4]
mov eax,[eax]
mov eax,[eax]
lea eax,[eax+0x14] // EAX -> path of the first dropped file as UTF-16 (presumably pFiles == 0x14 and fWide set in the DROPFILES block — not checked here)
mov edx,eax // keep the wide-string pointer for WideCharToMultiByte
xor ecx,ecx
_looper: // count UTF-16 units up to the first NUL: only the first file of a multi-file drop is used
movzx ebx,word ptr ss:[eax]
cmp ebx,0
je _loop_over
add eax,2
inc ecx
jmp _looper
// store the path as a multi-byte string (stdcall arguments pushed right to left)
_loop_over:
push 0 // lpUsedDefaultChar
push 0 // lpDefaultChar
push 0xfff // cbMultiByte: capacity of the fixed buffer, bounds the write
push 0x5D7E80 // lpMultiByteStr: fixed buffer inside the target image
add ecx,1 // include the terminating NUL so the converted string is NUL-terminated
push ecx // cchWideChar
push edx // lpWideCharStr
push 0 // dwFlags
push 3 // CodePage 3 = CP_THREAD_ACP
mov eax,0x401388 // kernel32.WideCharToMultiByte via the target's import thunk
call eax
sub eax,1 // the returned count includes the NUL; on failure (0) this leaves -1, which is not checked
mov dword ptr ss:[0x5D7E7C],eax // length slot next to the buffer
// crypto-algorithm scan
push offset ScanningWindow // lpWindowName
push 0 // lpClassName = NULL
mov eax,0x00407FB8 // user32.FindWindowA via the target's import thunk
call eax // only act when the Scanning window exists
cmp eax,0
je _hash
mov eax,_ESI
add eax,0x34c // TForm1.Traget : TEdit, offset taken from the Scan handler disassembly (0052176A)
mov eax,[eax]
mov edx,0x5D7E80 // the converted path
mov ecx,0x44ac28 // Controls.TControl.SetText — the same call the Scan button handler makes at 00521770
call ecx
jmp _next
// file hash
_hash:
push offset HashingWindow
push 0
mov eax,0x00407FB8 // user32.FindWindowA
call eax // without this check every dropped file would be hashed
cmp eax,0
je _Encryption
call MyHashingWindow // simulated clicks to switch to the File Hash page (a normal C++ call: EAX/ECX/EDX may change; all three are reloaded below)
mov eax,_ESI // saved object pointer
add eax,0x6f4 // first argument of the hashing path (offset chosen by the author; not visible in the disassembly above)
mov eax,[eax]
mov ebx,esi // EBX = object pointer, ESI = that argument: the register layout of the Open-button handler
mov esi,eax
mov edx,0x5D7E80
MOV EAX,0x5E5088 // from here: replay of the Open-button handler 0052AA7B..0052AAFD; the "modified defaults" check and MessageDlg (0052AA85..0052AAA6) are not replayed, so the nine option calls below always run
mov ecx,0x0040502C
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x00525F14 // TForm1.BitBtn2Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x00526074 // TForm1.BitBtn4Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x005261D4 // TForm1.BitBtn5Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x005262FC // TForm1.BitBtn8Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x00526450 // TForm1.BitBtn9Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x00526688 // TForm1.BitBtn11Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x0052680C // TForm1.BitBtn13Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x005269FC // TForm1.BitBtn15Click
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x00526BEC // TForm1.BitBtn17Click — last of the option handlers
CALL ecx
MOV EDX,ESI
MOV EAX,EBX
mov ecx,0x0052A7E8 // TForm1.FileHashing
CALL ecx
jmp _next
// encrypt / decrypt
_Encryption:
push offset EncryptWindow
push 0
mov eax,0x00407FB8 // user32.FindWindowA
call eax // only act when the Crypto Operations window exists
cmp eax,0
je _next
call MyInputWindow // simulated clicks to reach the File Encryption page
mov eax,_ESI // saved object pointer
add eax,0xc78 // TForm1.Edit7 (input path box), offset from the handler disassembly (0054054D)
mov eax,[eax]
mov edx,0x5D7E80
mov ecx,0x0044AC28 // Controls.TControl.SetText, as the original handler does at 00540553
call ecx
// per the author the program derives the .encrypted / .decrypted output name itself, so the input path is also placed in the output box
mov eax,_ESI
add eax,0xc7c // TForm1.Edit8 (output path box), offset from 005405F7
mov eax,[eax]
mov edx,0x5D7E80
mov ecx,0x0044AC28
call ecx
_next:
popad
CMP EAX,0x100 // displaced original instruction: leaves the flags the caller's JB/JA expect
ret
}
}
下面是模拟鼠标点击选择选项页的代码:
// 以下是查找窗口 TPageControl 的代码:
// 在窗口标题不能确定的情况下可将标题设为NULL
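// Sends a left-button press/release pair at client position `pos`
// (MAKELPARAM(x, y)) to `hwnd`; used to select a tab on a TPageControl.
// The 100 ms pause between press and release is kept from the original.
static void MyHashingWindow_click(HWND hwnd, DWORD pos)
{
    SendMessage(hwnd, WM_LBUTTONDOWN, 0, pos);
    Sleep(100);
    SendMessage(hwnd, WM_LBUTTONUP, 0, pos);
}

// Switches the Hashing window to its Hashing -> Calc Hash -> File Hash page by
// walking the control tree TForm1 > TPageControl > TTabSheet > TPageControl >
// TTabSheet > TPageControl with FindWindowEx and clicking the tab header of every
// TPageControl reached.  A_szWinName gives the caption expected at each level
// ("" requires an empty caption; NULL would match any).
// Returns the innermost TPageControl, or NULL when some level is not found; in
// that case no further click is sent.  The original kept walking from a NULL
// parent (FindWindowEx(NULL, ...) then searches top-level windows instead) and
// sent its clicks to a NULL handle.
// The click positions are fixed client coordinates recorded for the v2.1.2
// layout; a different font or DPI would move the tab headers.
HWND MyHashingWindow()
{
    const int MyMaxParentWinCount = 6;
    // class name at each level of the walk, outermost first
    const char *A_szClassName[MyMaxParentWinCount] =
    {
        "TForm1",
        "TPageControl", // click "Hashing" here
        "TTabSheet",
        "TPageControl", // click "Calc Hash" here
        "TTabSheet",
        "TPageControl"  // click "File Hash" here
    };
    // caption at each level
    const char *A_szWinName[MyMaxParentWinCount] =
    {
        "Keygener_Assistant v2.1.2 - Hashing , Analyzer & Brute Forcer",
        "",
        " Hashing ",
        "",
        " Calc Hash ",
        ""
    };
    // top-level window first
    HWND hLastWin = FindWindow(A_szClassName[0], A_szWinName[0]);
    // then one child level per iteration
    for (int i = 1; hLastWin != NULL && i < MyMaxParentWinCount; i++)
    {
        hLastWin = FindWindowEx(hLastWin, NULL, A_szClassName[i], A_szWinName[i]);
        if (hLastWin == NULL)
            break; // level missing: stop rather than click a NULL handle
        switch (i)
        {
        case 1: MyHashingWindow_click(hLastWin, 0X000a00c8); break; // "Hashing" tab
        case 3: MyHashingWindow_click(hLastWin, 0X00090026); break; // "Calc Hash" tab
        case 5: MyHashingWindow_click(hLastWin, 0X000e0079); break; // "File Hash" tab
        default: break; // TTabSheet levels: nothing to click
        }
    }
    return hLastWin;
}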
// 举例: HWND hLastWin = MyFindWindow();
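// Sends a left-button press/release pair at client position `pos`
// (MAKELPARAM(x, y)) to `hwnd`; used to select a tab on a TPageControl.
// The 100 ms pause between press and release is kept from the original.
static void MyInputWindow_click(HWND hwnd, DWORD pos)
{
    SendMessage(hwnd, WM_LBUTTONDOWN, 0, pos);
    Sleep(100);
    SendMessage(hwnd, WM_LBUTTONUP, 0, pos);
}

// Switches the Crypto Operations window to its Encryption -> Symmetric ->
// File Encryption page and locates the input TEdit there, walking the control
// tree TForm1 > TPageControl > TTabSheet > TPageControl > TTabSheet >
// TPageControl > TTabSheet > TGroupBox > TEdit with FindWindowEx and clicking
// the tab header of each TPageControl reached.  A_szWinName gives the caption
// expected at each level ("" requires an empty caption; NULL would match any).
// Returns the TEdit, or NULL when some level is not found; in that case no
// further click is sent.  The original kept walking from a NULL parent
// (FindWindowEx(NULL, ...) then searches top-level windows instead) and sent its
// clicks to a NULL handle.
// The click positions are fixed client coordinates recorded for the v2.1.2
// layout; a different font or DPI would move the tab headers.
HWND MyInputWindow()
{
    const int MyMaxParentWinCount = 9;
    // class name at each level of the walk, outermost first
    const char *A_szClassName[MyMaxParentWinCount] =
    {
        "TForm1",
        "TPageControl",
        "TTabSheet",
        "TPageControl",
        "TTabSheet",
        "TPageControl",
        "TTabSheet",
        "TGroupBox",
        "TEdit"
    };
    // caption at each level
    const char *A_szWinName[MyMaxParentWinCount] =
    {
        "Keygener_Assistant v2.1.2 - Crypto Operations : Symmetric & Asymmetric",
        "",
        " Encryption ",
        "",
        " Symmetric ",
        "",
        "File Encryption",
        " Encrypt Data ",
        ""
    };
    // top-level window first
    HWND hLastWin = FindWindow(A_szClassName[0], A_szWinName[0]);
    // then one child level per iteration
    for (int i = 1; hLastWin != NULL && i < MyMaxParentWinCount; i++)
    {
        hLastWin = FindWindowEx(hLastWin, NULL, A_szClassName[i], A_szWinName[i]);
        if (hLastWin == NULL)
            break; // level missing: stop rather than click a NULL handle
        switch (i)
        {
        case 1: MyInputWindow_click(hLastWin, 0X000a0113); break; // presumably the " Encryption " tab (caption of the next level)
        case 3: MyInputWindow_click(hLastWin, 0X000b0026); break; // presumably the " Symmetric " tab
        case 5: MyInputWindow_click(hLastWin, 0X000b009e); break; // presumably the "File Encryption" tab
        default: break; // TTabSheet / TGroupBox / TEdit levels: nothing to click
        }
    }
    return hLastWin;
}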
//以上是老妖的SPY4WIN生成的查找窗口代码,特别好用
附件为成品.放到EXE相同目录下即可.