正在学Unpacking ACProtect,看到里面有个小软件是专门对付Code Splicing的,以下是它的源码:
procedure TForm1.Button1Click(Sender: TObject);
var PID,PHD,Start,Size,SPStart,SPSize,Cnt,I,Go,GJMP:DWORD;
Buf:byte; JMP:WORD;
MBuf:array[0..4] of byte;
begin
Memo1.Clear;
PID:=HextoInt(Edit3.Text);
Start:=HextoInt(Edit1.Text);
Size:=HextoInt(Edit2.Text);
SPStart:=HextoInt(Edit4.Text);
SPSize:=HextoInt(Edit5.Text);
PHD:=OpenProcess(PROCESS_ALL_ACCESS,False,PID);
for I:=Start to Start+Size do begin
ReadProcessMemory(PHD,Pointer(I),@Buf,Sizeof(Buf),Cnt);
if (Buf=$E8) and (I+8<Start+Size) then begin
ReadProcessMemory(PHD,Pointer(I+1),@Go,Sizeof(Go),Cnt);
ReadProcessMemory(PHD,Pointer(I+Go+5),@JMP,Sizeof(JMP),Cnt);
if JMP=$25FF then begin
ReadProcessMemory(PHD,Pointer(I+Go+7),@GJMP,Sizeof(GJMP),Cnt);
if (GJMP>=SPStart) and (GJMP<SPStart+SPSize) then begin
ReadProcessMemory(PHD,Pointer(GJMP),@GJMP,Sizeof(GJMP),Cnt);
if (GJMP>=SPStart) and (GJMP<SPStart+SPSize) then begin
Memo1.Lines.Add(inttohex(I,8)+' <-- '+inttohex(GJMP,8));
ReadProcessMemory(PHD,Pointer(GJMP),@MBuf,Sizeof(MBuf),Cnt);
WriteProcessMemory(PHD,Pointer(I),@MBuf,Sizeof(MBuf),Cnt);
end;
end;
end;
end;
end;
Delphi的程序我不懂,看了半天也不知道怎么用脚本现实同样的功能:(
请大侠指点
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
