-
-
[原创]王之凝视修改资源数量
-
发表于: 1天前
-
新手第一次修改,记录一下
常规的CE多级指针就不多说了,其中有两个地方需要用到逆向:
第一个这里 mov rbx, [rcx + r9 * 8]
表面上看rcx+98*8偏移就行了,但实际上发现这个偏移每个资源都不同,到底跟什么相关跟进去看了一下
The King is Watching.exe+14230E8 - E8 63090000 - call "The King is Watching.exe"+1423A50
The King is Watching.exe+14230ED - 4C 8B 03 - mov r8,[rbx]
The King is Watching.exe+14230F0 - 48 63 F8 - movsxd rdi,eax
The King is Watching.exe+14230F3 - 4D 63 48 08 - movsxd r9,dword ptr [r8+08]
The King is Watching.exe+14230FA - 4C 23 CF - and r9,rdi
The King is Watching.exe+14230FD - 4D 03 C9 - add r9,r9
The King is Watching.exe+1423100 - 4A 8B 1C C9 - mov rbx,[rcx+r9*8]
结合之前分析的 rcx是一个基于基址的多级偏移,所以此处影响r9的只有eax,就是上一个函数的返回值,继续跟上个函数
因为不知道如何倒着调试所以想到了一个方法可以关注某个寄存器能够倒着算出来原寄存器的值然后打条件断点
The King is Watching.exe+1460F20 - 4C 8B C1 - mov r8,rcx
The King is Watching.exe+1460F23 - B8 FFFFFFFF - mov eax,FFFFFFFF
The King is Watching.exe+1460F28 - 48 85 C9 - test rcx,rcx
The King is Watching.exe+1460F2B - 74 31 - je "The King is Watching.exe"+1460F5E
The King is Watching.exe+1460F2D - 0FB6 09 - movzx ecx,byte ptr [rcx]
The King is Watching.exe+1460F30 - 84 C9 - test cl,cl
The King is Watching.exe+1460F32 - 74 2A - je "The King is Watching.exe"+1460F5E
The King is Watching.exe+1460F34 - 4C 8D 0D D548D700 - lea r9,["The King is Watching.exe"+21D5810]
The King is Watching.exe+1460F3B - 0F1F 44 00 00 - nop dword ptr [rax+rax+00]
The King is Watching.exe+1460F40 - 0FB6 D1 - movzx edx,cl
The King is Watching.exe+1460F43 - 4D 8D 40 01 - lea r8,[r8+01]
The King is Watching.exe+1460F47 - 8B C8 - mov ecx,eax
The King is Watching.exe+1460F49 - C1 E8 08 - shr eax,08
The King is Watching.exe+1460F4C - 48 33 D1 - xor rdx,rcx
The King is Watching.exe+1460F4F - 0FB6 CA - movzx ecx,dl
The King is Watching.exe+1460F52 - 41 33 04 89 - xor eax,[r9+rcx*4]
The King is Watching.exe+1460F56 - 41 0FB6 08 - movzx ecx,byte ptr [r8]
The King is Watching.exe+1460F5A - 84 C9 - test cl,cl
The King is Watching.exe+1460F5C - 75 E2 - jne "The King is Watching.exe"+1460F40
The King is Watching.exe+1460F5E - C3 - ret
比如这段代码我们可以从返回值先打一个断点,然后发现r8每次循环加1并且r8是指向一个字符串,所以用r8指向字符串首个字符就可以成功断下来
这个函数跟一下可以发现就是计算资源名称的英文做一个固定的运算,所以此上r9的偏移应该就是跟每个资源一一对应的
第二个这里 cmp qword ptr [rax + rbx * 8], 00
此处的 rax 很容发现是一个基址相关的多级指针,而这个 rbx 每次打开游戏都不一样,所以只能跟进去看一下
The King is Watching.exe+13E5360 - 48 89 5C 24 08 - mov [rsp+08],rbx
The King is Watching.exe+13E5365 - 48 89 7C 24 10 - mov [rsp+10],rdi
The King is Watching.exe+13E536A - 44 8B 49 08 - mov r9d,[rcx+08]
The King is Watching.exe+13E536E - 44 8D 5A 01 - lea r11d,[rdx+01]
The King is Watching.exe+13E5372 - 48 8B 79 10 - mov rdi,[rcx+10]
The King is Watching.exe+13E5376 - 41 0FBA F3 1F - btr r11d,1F
The King is Watching.exe+13E537B - 41 8B C1 - mov eax,r9d
The King is Watching.exe+13E537E - 45 33 D2 - xor r10d,r10d
The King is Watching.exe+13E5381 - 41 23 C3 - and eax,r11d
The King is Watching.exe+13E5384 - 44 8B C0 - mov r8d,eax
The King is Watching.exe+13E5387 - 48 C1 E0 04 - shl rax,04
The King is Watching.exe+13E538B - 48 03 C7 - add rax,rdi
跟进函数中发现 rbx 就是这个 rax 取地址,所以可以等价转化为 [[[[rcx+48]+10]+1430]]
再往上找 rcx 可以找到对应的基址
The King is Watching.exe+13FCCC5 - 4C 8B 15 5C9DDD00 - mov r10,["The King is Watching.exe"+21D6A28]
The King is Watching.exe+13FCCD8 - 4D 63 5A 08 - movsxd r11,dword ptr [r10+08]
The King is Watching.exe+13FCCCF - 48 63 D9 - movsxd rbx,ecx
The King is Watching.exe+13FCCDF - 4C 23 DB - and r11,rbx
The King is Watching.exe+13FCCE2 - 4D 03 DB - add r11,r11
The King is Watching.exe+13FCCDC - 49 8B 02 - mov rax,[r10]
The King is Watching.exe+13FCCE5 - 4E 8B 14 D8 - mov r10,[rax+r11*8]
The King is Watching.exe+13FCD31 - 49 8B 42 18 - mov rax,[r10+18]
The King is Watching.exe+13FCD3A - 48 8B 40 68 - mov rax,[rax+68]
The King is Watching.exe+13FCD45 - 48 8B 48 10 - mov rcx,[rax+10]
总结:
修改游戏因为只有最终结果,所以只能倒着调试,关注每个寄存器的变化,将断点不断提前,找到基址相关即可结束
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
|
|
|---|---|
