早就写完了,最近忙别的事忘了发,我测试了下,不太稳定,可能有些地方从ollyice
中提取的代码没写对,ollyice里面的好些代码写的比较晦涩,错误在所难免
希望坛主有时间的话,帮忙补充修正一下:)
一共3个文件,Makefile, ollyext.asm, patch.inc
出于兴趣的原因吧,我很喜欢给有价值但没办法得到更新的游戏服务端做补丁dll,
欢迎有比较有价值的游戏服务端的朋友,跟我联系交流
//########################################################################
//Makefile
//########################################################################
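# nmake build script for the ollyext patch DLL: MASM (`ml`) assembles, Microsoft `link` links.
# Command lines must be indented (nmake rejects an unindented recipe line).
DLL = ollyext
OBJS = $(DLL).obj
LINK_FLAG = /subsystem:windows /DLL
ML_FLAG = /c /coff

# Link the DLL from the assembled objects.
$(DLL).dll: $(OBJS)
	Link $(LINK_FLAG) $(OBJS)

# Inference rule: assemble each .asm into a COFF .obj.
.asm.obj:
	ml $(ML_FLAG) $<

# Remove intermediate objects (the DLL itself is kept).
clean:
	del *.obj
//########################################################################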
//ollyext.asm
//########################################################################
;*********************************************************************
; OLLYDBG 扩展DLL模块
; write by ezme, thanks to the "ollyice"
;*********************************************************************
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include \work\masm32\macros\macros.asm
include \work\masm32\macros\ucmacros.asm
include patch.inc
.const
; Opcode and filler bytes that ReplaceMem copies over instructions in the host
; image (see PatchProcMem). Each is addressed with `offset`.
b_JMPHeader db 0EBh                     ; jmp rel8: turns a conditional short jump into an unconditional one
b_JGEHeader db 07Dh                     ; jge/jnl rel8: replaces a `je` opcode (74h) in PatchProcMem
b_NOPBytes db 90h,90h,90h,90h,90h,90h,90h,90h   ; up to 8 NOPs for blanking whole instructions
bZeroBytes db 00h,00h,00h,00h,00h,00h,00h,00h   ; up to 8 zero bytes (used to zero `push imm8` operands)
.data
hInstance dd ?                          ; module handle stored by DLLMain (the host module, see DLLMain)
.code
;*********************************************************************
;替换内存数据内容
;*********************************************************************
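;-----------------------------------------------------------------------
; BOOL ReplaceMem(DWORD dwMemAddr, const void *dwData, DWORD dwLen)
; Copies dwLen bytes from dwData over the memory at dwMemAddr (normally a
; read-only code page of the host image): temporarily makes the range
; PAGE_EXECUTE_READWRITE, copies, then restores the previous protection.
; In:    stack args (stdcall)
; Out:   eax = TRUE on success, FALSE if the range could not be unprotected
;        (nothing is written in that case)
; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved by `uses`)
;-----------------------------------------------------------------------
ReplaceMem proc uses ebx esi edi _dwMemAddr, _dwData, _dwLen
    local @dwProtectFlag:DWORD
    local @dwIgnored:DWORD

    .if _dwLen == 0
        mov eax, TRUE                   ; nothing to write; VirtualProtect rejects a 0 size anyway
        ret
    .endif
    invoke VirtualProtect, _dwMemAddr, _dwLen, \
           PAGE_EXECUTE_READWRITE, addr @dwProtectFlag
    .if eax == 0
        xor eax, eax                    ; page not writable: the copy below would fault
        ret
    .endif
    invoke RtlMoveMemory, _dwMemAddr, _dwData, _dwLen
    ; lpflOldProtect is mandatory: VirtualProtect fails when it is NULL, which
    ; would leave the code page permanently RWX. A dummy output slot is used.
    invoke VirtualProtect, _dwMemAddr, _dwLen, @dwProtectFlag, addr @dwIgnored
    mov eax, TRUE                       ; full 32-bit TRUE so callers testing eax see it
    ret
ReplaceMem endp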
;*********************************************************************
;写入跳转指令
;*********************************************************************
MAXLEN_PATCH_CODE equ 16                ; size of WritePatchCode's local trampoline buffer (upper bound for _dwCodeLen)
PCODE_JUMP_HEADER equ 0E9h              ; jmp rel32 opcode
PCODE_CALL_HEADER equ 0E8h              ; call rel32 opcode
PCODE_PRET_HEADER equ 068h              ; push imm32 opcode; followed by ret (C3h) it forms an absolute jump
PCODE_JUMP_LENGTH equ 5                 ; E9 + rel32
PCODE_CALL_LENGTH equ 5                 ; E8 + rel32
PCODE_PRET_LENGTH equ 6                 ; 68 + imm32 + C3
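;-----------------------------------------------------------------------
; BOOL WritePatchCode(DWORD dwMemAddr, DWORD dwFuncAddr, BYTE bCodeType, DWORD dwCodeLen)
; Builds a trampoline in a local buffer and copies it over the dwCodeLen
; bytes at dwMemAddr through ReplaceMem:
;   PCODE_JUMP_HEADER : E9 rel32        jmp  dwFuncAddr
;   PCODE_CALL_HEADER : E8 rel32        call dwFuncAddr
;   PCODE_PRET_HEADER : 68 imm32 / C3   push dwFuncAddr / ret  (absolute)
;   anything else     : CC              int3 (unknown type: trap, don't run garbage)
; Bytes after the trampoline up to dwCodeLen are NOP (90h) so the
; instruction stream after the patched range stays decodable.
; In:    stack args (stdcall); trampoline length <= dwCodeLen <= MAXLEN_PATCH_CODE
; Out:   eax = FALSE if dwCodeLen is out of range, else the ReplaceMem result
; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved by `uses`)
;-----------------------------------------------------------------------
WritePatchCode proc uses ebx esi edi _dwMemAddr, _dwFuncAddr, \
                _bCodeType:BYTE, _dwCodeLen
    local @bPatchCode[MAXLEN_PATCH_CODE]:BYTE

    ; ecx = minimum length the selected trampoline needs
    mov ecx, PCODE_JUMP_LENGTH          ; jmp and call are both 5 bytes
    .if _bCodeType == PCODE_PRET_HEADER
        mov ecx, PCODE_PRET_LENGTH
    .elseif (_bCodeType != PCODE_JUMP_HEADER) && (_bCodeType != PCODE_CALL_HEADER)
        mov ecx, 1                      ; lone int3
    .endif
    ; Too short truncates the trampoline; too long reads past the local
    ; buffer and copies stack garbage into the host image. Fail closed.
    .if (_dwCodeLen < ecx) || (_dwCodeLen > MAXLEN_PATCH_CODE)
        xor eax, eax
        ret
    .endif

    invoke RtlFillMemory, addr @bPatchCode, MAXLEN_PATCH_CODE, 90h
    .if (_bCodeType == PCODE_JUMP_HEADER) || (_bCodeType == PCODE_CALL_HEADER)
        mov al, _bCodeType
        mov @bPatchCode, al
        ; rel32 is relative to the end of the 5-byte instruction:
        ; target - (patch address + 5)
        mov eax, _dwFuncAddr
        sub eax, _dwMemAddr
        sub eax, PCODE_JUMP_LENGTH
        mov dword ptr [@bPatchCode + 1], eax
    .elseif _bCodeType == PCODE_PRET_HEADER
        mov @bPatchCode, PCODE_PRET_HEADER
        mov eax, _dwFuncAddr            ; absolute address, no displacement needed
        mov dword ptr [@bPatchCode + 1], eax
        mov @bPatchCode + 5, 0C3h       ; ret
    .else
        mov @bPatchCode, 0CCh           ; int3
    .endif
    invoke ReplaceMem, _dwMemAddr, addr @bPatchCode, _dwCodeLen
    ret
WritePatchCode endp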
;*********************************************************************
; 打内存补丁
;#代表第3版汉化修改点
;*代表第2版ollyice修改点
;*********************************************************************
;*********************************************************************
; BOOL PatchProcMem(void)
; Applies every in-memory patch to the host OllyDbg image. Each entry
; lists the original bytes at a fixed absolute address and the
; ReplaceMem/WritePatchCode call that overwrites them; commented-out
; invokes are patches that are documented but currently disabled.
; Marker legend (first comment line of each entry):
;   # = modification point from the 3rd (Chinese-localised) edition
;   * = modification point from the 2nd ollyice edition
;   x = not applied
; NOTE(review): every address is hard-coded for one OllyDbg build and
; nothing checks that the listed original bytes are actually present
; before writing; loaded into any other build this silently corrupts
; code. Comparing the listed bytes before each write would make the
; patch fail closed. Return values of ReplaceMem/WritePatchCode are
; ignored, and only al (not eax) is set to TRUE on exit.
;*********************************************************************
PatchProcMem proc uses ebx esi edi
    ;---------------------------------------------------
    ;Replace the window class name
    ;---------------------------------------------------
    ;#### ;---------------------------------------------------
    ; fixed: AppendMenuA - "remove all breakpoints" menu item
    ;0041A735 > 53 push ebx
    ;0041A736 . 6A 0E push 0E
    ;0041A738 . 8B55 D8 mov edx, dword ptr ss:[ebp-28]
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0041A735h, fix_0041A735, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH + 1
    ;#### ;---------------------------------------------------
    ; fixed: _Deletebreakpoints
    ;0041A920 > 837D FC 0C cmp dword ptr ss:[ebp-4], 0C
    ;0041A924 . 75 45 jnz short 0041A96B
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0041A920h, fix_0041A920, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH + 1
    ;**** ;---------------------------------------------------
    ; ??????
    ; fixed: _Findname
    ;00419B84 . 0355 FC add edx, dword ptr ss:[ebp-4]
    ;---------------------------------------------------
    ;invoke ReplaceMem, 00419B84h, offset b_NOPBytes, 3
    ;**** ;---------------------------------------------------
    ; fixed: strings spelling error
    ;0041E2F7
    ;---------------------------------------------------
    ;Hot keys
    ;**** ;---------------------------------------------------
    ; fixed: WM_??? window-procedure extension
    ;func_0057F329
    ;0041E623 . 3D 01020000 cmp eax, 201
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0041E623h, fix_0041E623, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH
    ;**** ;---------------------------------------------------
    ; fixed: WM_CHAR 1
    ;0041F325 . 83C4 1C add esp, 1C
    ;0041F328 . 8945 A4 mov dword ptr ss:[ebp-5C], eax
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0041F325h, fix_0041F325, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH + 1
    ;**** ;---------------------------------------------------
    ; fixed: WM_CHAR 2
    ;0042042F > 833D 44274E00 01 cmp dword ptr ds:[4E2744], 1
    ;0042044A > \8B55 EC mov edx, dword ptr ss:[ebp-14]
    ;0042044D . 52 push edx ; /Arg3
    ;0042044E . 8B4D F0 mov ecx, dword ptr ss:[ebp-10] ; |
    ;---------------------------------------------------
    ;invoke ReplaceMem, 0042042Fh, offset b_NOPBytes, 1
    ;invoke WritePatchCode, 0042042Fh + 1, fix_0042042F, PCODE_PRET_HEADER, \
    ; PCODE_PRET_LENGTH
    ;**## ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00420BFE, 00420C1D, 00420C43, 00420C5F, 00420C7B, 00420C97
    ;---------------------------------------------------
    ;#### ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00421D4D, 0042262D
    ;---------------------------------------------------
    ;---------------------------------------------------
    ;Ctrl+Shift+C binary copy
    ;Ctrl+Shift+V binary paste
    ;**** ;---------------------------------------------------
    ; fixed: WM_??? window-procedure extension
    ;func_0057F329
    ;00425E57 . 3D 00020000 cmp eax, 200
    ;---------------------------------------------------
    ;invoke WritePatchCode, 00425E57h, fix_00425E57, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH
    ;**** ;---------------------------------------------------
    ; fixed: WM_CHAR
    ;0042609A > A1 FADD4C00 mov eax, dword ptr ds:[4CDDFA]
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0042609Ah, fix_0042609A, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH
    ;**** ;---------------------------------------------------
    ; fixed: WM_KEYDOWN
    ;0042670C . 837D EC 00 cmp dword ptr ss:[ebp-14], 0
    ;00426710 . 0F85 C2000000 jnz 004267D8
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0042670Ch, fix_0042670C, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH + 5
    ;**** ;---------------------------------------------------
    ; fixed: WM_KEYDOWN
    ;00426760 . 74 2C je short 0042678E
    ;---------------------------------------------------
    ;.data
    ;code_00426760 db 0EBh,13h
    ;.code
    ;invoke ReplaceMem, 00426760h, offset code_00426760, 2
    ;invoke ReplaceMem, 00426775h + 1, offset bZeroBytes, 1
    ;**** ;---------------------------------------------------
    ; fixed: replace '%' with a space (fix_0043134C)
    ;0043134C . 83C4 10 add esp, 10
    ;0043134F . 3BC3 cmp eax, ebx
    ;---------------------------------------------------
    invoke WritePatchCode, 0043134Ch, fix_0043134C, PCODE_JUMP_HEADER, \
        PCODE_JUMP_LENGTH
    ;**## ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00433BD4, 00433C58, 0043416E
    ;---------------------------------------------------
    ;**** ;---------------------------------------------------
    ; fixed: "Dangerous command" warning
    ;00434C0D . 74 6D je short 00434C7C
    ;---------------------------------------------------
    ;invoke ReplaceMem, 00434C0Dh, offset b_JMPHeader, 1
    ;xxxx ;---------------------------------------------------
    ; fixed: window name, class name
    ;00435E46 . 8D96 07180000 lea edx, dword ptr ds:[esi+1807]
    ;---------------------------------------------------
    ;##** ;---------------------------------------------------
    ; fixed: CreateFontA
    ; Each write below changes the imm8 operand (byte +1) of one of these
    ; `push imm8` instructions feeding CreateFontA: most are zeroed, the
    ; push at 00436CC4 becomes 1 and the one at 00436CD7 becomes 0Dh.
    ;00436C89 . 6A 02 push 2
    ;00436C8D . 6A 06 push 6
    ;00436CA0 . 6A 05 push 5
    ;00436CBC . 6A 00 push 0
    ;00436CBE . 6A 00 push 0
    ;00436CC2 . 6A 00 push 0
    ;00436CC4 . 6A 00 push 0
    ;00436CCA . 6A 01 push 1
    ;00436CD7 . 6A 0E push 0E
    ;---------------------------------------------------
    .data
    code_00436CC4 db 01h                ; new operand for the push at 00436CC4
    code_00436CD7 db 0Dh                ; new operand for the push at 00436CD7
    .code
    invoke ReplaceMem, 00436C89h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436C8Dh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CA0h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CBCh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CBEh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CC2h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CC4h + 1, offset code_00436CC4, 1
    invoke ReplaceMem, 00436CCAh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CD7h + 1, offset code_00436CD7, 1
    ;**xx ;---------------------------------------------------
    ; fixed: UDD, plugin dir path (fix_00437376)
    ;00437376 . 68 027F0000 push 7F02
    ;---------------------------------------------------
    invoke WritePatchCode, 00437376h, fix_00437376, PCODE_JUMP_HEADER, \
        PCODE_JUMP_LENGTH
    ;**## ;---------------------------------------------------
    ; fixed: menu strings
    ;00438456 . 8D86 9E290000 lea eax, dword ptr ds:[esi+299E]
    ;---------------------------------------------------
    ;**## ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;0043D90E > 68 418F4B00 push 004B8F41
    ;---------------------------------------------------
    ;http://bbs.pediy.com/showthread.php?threadid=13458
    ;OD copy bug analysis and fix
    ;**xx ;---------------------------------------------------
    ; fixed: MultiByteToWideChar (fix_00446A1C)
    ;00446A1C > 68 00020000 push 200
    ;---------------------------------------------------
    invoke WritePatchCode, 00446A1Ch, fix_00446A1C, PCODE_JUMP_HEADER, \
        PCODE_JUMP_LENGTH
    ;**** ;---------------------------------------------------
    ; fixed: ignore an Error (Movefile failed)
    ;0044D90C . 75 1B jnz short 0044D929
    ;---------------------------------------------------
    ;invoke ReplaceMem, 0044D90Ch, offset b_JMPHeader, 1
    ;Added hot keys
    ;**** ;---------------------------------------------------
    ; fixed: WM_CHAR
    ;func_0057F255
    ;0044EF88 . E8 C38C0500 call 004A7C50
    ;---------------------------------------------------
    ;invoke WritePatchCode, 0044EF88h, fix_0044EF88, PCODE_JUMP_HEADER, \
    ; PCODE_JUMP_LENGTH
    ;**## ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00450405 . 68 ACAB4B00 push 004BABAC
    ;0045042B > 68 B8AB4B00 push 004BABB8
    ;00450448 . 68 C7AB4B00 push 004BABC7
    ;00459E40 > 68 3DB44B00 push 004BB43D
    ;0045AE7F . 68 62B74B00 push 004BB762
    ;#### ;---------------------------------------------------
    ;00450F29 . 68 B9AC4B00 push 004BACB9
    ;---------------------------------------------------
    ;http://bbs.pediy.com/showthread.php?t=17592
    ;**** ;---------------------------------------------------
    ; fixed: skip the PE-file check (je 74h -> jge 7Dh)
    ;0045C671 . 74 07 je short 0045C67A
    ;---------------------------------------------------
    invoke ReplaceMem, 0045C671h, offset b_JGEHeader, 1
    ;**** ;---------------------------------------------------
    ; fixed: "Entry Point Alert" (je 74h -> jmp EBh, alert never shown)
    ;0045DB3D . 74 47 je short 0045DB86
    ;---------------------------------------------------
    invoke ReplaceMem, 0045DB3Dh, offset b_JMPHeader, 1
    ;**## ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00462535 > 68 88C64B00 push 004BC688
    ;---------------------------------------------------
    ;http://bbs.pediy.com/showthread.php?s=&threadid=33102
    ;**** ;---------------------------------------------------
    ; fixed: _Findname string-length check (fix_00464A67)
    ;00464A67 . 8D46 01 lea eax, dword ptr ds:[esi+1]
    ;00464A6A . 50 push eax
    ;00464A6B . 8B13 mov edx, dword ptr ds:[ebx]
    ;---------------------------------------------------
    invoke WritePatchCode, 00464A67h, fix_00464A67, PCODE_JUMP_HEADER, \
        PCODE_JUMP_LENGTH + 1
    ;**** ;---------------------------------------------------
    ; fixed: _Findnextname string-length check (call into func_0057FAD0,
    ; which re-executes the three replaced instructions)
    ;func_0057FAD0
    ;00464EC3 . 8BD1 mov edx, ecx
    ;00464EC5 . 87F7 xchg edi, esi
    ;00464EC7 . C1E9 02 shr ecx, 2
    ;---------------------------------------------------
    invoke WritePatchCode, 00464EC3h, func_0057FAD0, PCODE_CALL_HEADER, \
        PCODE_CALL_LENGTH + 2
    ;**** ;---------------------------------------------------
    ; fixed: _Findlabel string-length check (same routine)
    ;func_0057FAD0
    ;00464F91 . 8BD1 mov edx, ecx
    ;00464F93 . 87F7 xchg edi, esi
    ;00464F95 . C1E9 02 shr ecx, 2
    ;---------------------------------------------------
    invoke WritePatchCode, 00464F91h, func_0057FAD0, PCODE_CALL_HEADER, \
        PCODE_CALL_LENGTH + 2
    ;xxxx ;004779C5 change the window title
    ;**** ;---------------------------------------------------
    ; fixed: remove the thread-ID prompt
    ;00478A5C . B0 54 mov al, 54
    ;00478AC2 . B0 54 mov al, 54
    ;00478B0B . B1 4D mov cl, 4D
    ;00478B59 . B0 54 mov al, 54
    ;---------------------------------------------------
    ;xxxx ;---------------------------------------------------
    ; fixed: floating-point bug (fix_0047E7D7)
    ;0047E7D7 > 66:8B45 14 mov ax, word ptr ss:[ebp+14]
    ;0047E7DB . 50 push eax
    ;---------------------------------------------------
    invoke WritePatchCode, 0047E7D7h, fix_0047E7D7, PCODE_JUMP_HEADER, \
        PCODE_JUMP_LENGTH
    ;#### ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;0048D196 . 68 C4824C00 push 004C82C4
    ;_Defaultbar
    ;00495EF1 . C783 D0010000 88904C00 mov dword ptr ds:[ebx+1D0], 004C9088
    ;---------------------------------------------------
    ;http://bbs.pediy.com/showthread.php?s=&threadid=33621
    ;**** ;---------------------------------------------------
    ; fixed: floating-point error (call into func_0057F0A1, which
    ; re-executes the replaced compare so the caller's flags are right)
    ;func_0057F0A1
    ;004AA2E8 . 66:817A 08 3E40 cmp word ptr ds:[edx+8], 403E
    ;---------------------------------------------------
    invoke WritePatchCode, 004AA2E8h, func_0057F0A1, PCODE_CALL_HEADER, \
        PCODE_CALL_LENGTH + 1
    mov al, TRUE                        ; only al: upper bytes of eax are whatever the last call left
    ret
PatchProcMem endp
;*********************************************************************
; 入口地址处,初始化,修改内存
;*********************************************************************
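;*********************************************************************
; BOOL DLLMain(HINSTANCE hInstance, DWORD dwReason, LPVOID dwReserved)
; DLL entry point. On DLL_PROCESS_ATTACH it records the host module
; handle and applies the in-memory patches (PatchProcMem); every other
; reason code is a no-op. Always reports success to the loader.
; Note: hInstance receives GetModuleHandle(NULL) - the handle of the host
; executable - not this DLL's own _hInstance.
;*********************************************************************
DLLMain proc _hInstance,_dwReason,_dwReserved
    .if _dwReason == DLL_PROCESS_ATTACH
        invoke GetModuleHandle, NULL
        mov hInstance, eax
        invoke PatchProcMem
    .endif
    ; PatchProcMem only sets al; the loader tests the whole of eax, so set
    ; a full 32-bit TRUE on every path.
    mov eax, TRUE
    ret
DLLMain endp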
end DLLMain
//########################################################################
//patch.inc
//########################################################################
.const
; Absolute addresses of OllyDbg internal routines inside the host image
; (one specific build). The fix routines call them as
; `call dword ptr [OD_xxx]`; the pushes at each call site follow the cdecl
; argument lists of the OllyDbg plugin API (plugin.h) noted below.
; NOTE(review): build-specific; nothing validates them before use.
OD_Error dd 0045401Ch                   ; Error(format, ...)
OD_Setcpu dd 0042D618h                  ; Setcpu(threadid, asmaddr, dumpaddr, stackaddr, mode)
OD_Infoline dd 00431768h                ; Infoline(format, ...)
OD_Findmemory dd 00461A48h              ; Findmemory(addr) -> t_memory* or NULL
OD_Readmemory dd 0046130Ch              ; Readmemory(buf, addr, size, mode)
OD_Deletebreakpoints dd 00419518h       ; Deletebreakpoints(addr0, addr1, silent)
.code
;****************************************************************************
; 新功能函数
;****************************************************************************
;0057F0A1
;修复浮点数错误
;-----------------------------------------------------------------------------
; Floating-point fix. CALLed in place of `cmp word ptr [edx+8], 403Eh` at
; 004AA2E8, so it must leave the flags of exactly that compare for the
; caller's branch.
; In:   edx -> 10-byte value laid out as dword [edx], dword [edx+4],
;       word [edx+8] (presumably an x87 80-bit extended: mantissa low/high,
;       sign+exponent - TODO confirm)
; Out:  flags from `cmp word ptr [edx+8], 403Eh`; the value may be rewritten
; Clobbers: flags only
;-----------------------------------------------------------------------------
func_0057F0A1 proc
    ; One specific pattern - exponent word 403Dh with an all-ones 64-bit
    ; mantissa - is rewritten to exponent 403Eh, mantissa 8000000000000000h
    ; (presumably the value the caller mishandles; confirm against the bug
    ; report this fixes).
    cmp word ptr ds:[edx+8], 403Dh
    jnz @F
    cmp dword ptr ds:[edx], -1
    jnz @F
    cmp dword ptr ds:[edx+4], -1
    jnz @F
    mov word ptr ds:[edx+8], 403Eh
    mov dword ptr ds:[edx], 0
    mov dword ptr ds:[edx+4], 80000000h
@@:
    cmp word ptr ds:[edx+8], 403Eh      ; --- the replaced compare, re-executed for the caller
    ret
func_0057F0A1 endp
;0057FAD0
;用以检查字符串长度是否超过255
;-----------------------------------------------------------------------------
; Clamp a name length to 255. CALLed in place of
; `mov edx,ecx / xchg edi,esi / shr ecx,2` at 00464EC3 (_Findnextname) and
; 00464F91 (_Findlabel); those three instructions are re-executed at the end
; so the caller sees the same state apart from the clamp.
; In:   ecx = length, esi = buffer the length refers to (presumed; confirm)
; Out:  ecx/edx/esi/edi as the replaced instructions leave them;
;       eax = 0 only when the clamp fired
; Clobbers: eax (clamp path), flags
; NOTE(review): `jle` is a signed compare, so a length >= 80000000h would
; pass unclamped; presumably unreachable at these call sites.
;-----------------------------------------------------------------------------
func_0057FAD0 proc
    cmp ecx, 0FFh
    jle @F
    mov ecx, 0FFh
    xor eax, eax
    mov byte ptr ds:[ecx+esi], al       ; terminate the buffer at index 255
@@:
    mov edx, ecx                        ; --- replaced instructions, re-executed
    xchg edi, esi
    shr ecx, 2                          ; presumably a dword count for a copy at the call site - confirm
    ret
func_0057FAD0 endp
;0057F255
;用于新增快捷键功能
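;-----------------------------------------------------------------------------
; int func_0057F255(HWND hwnd)   (cdecl: caller removes the argument)
; Returns half the length of the CF_TEXT clipboard contents (used by the
; added binary-paste hot key: two hex digits per byte), or 0 when the
; clipboard cannot be opened, holds no text, or cannot be locked.
; In:   [esp+4] = hwnd passed by the caller
;       NOTE(review): also writes the CF_TEXT handle into the CALLER's frame
;       at [ebp-0C0h] (no frame is set up here). This was carried over from
;       the original in-place code and is kept for compatibility - confirm
;       nothing at the call site depends on that slot.
; Out:  eax = lstrlenA(text) / 2 (signed division)
; Clobbers: eax, ecx, edx, flags; edi preserved
;-----------------------------------------------------------------------------
func_0057F255 proc
    mov eax, dword ptr ss:[esp+4]
    push edi
    push eax
    xor edi, edi                        ; edi = text length; stays 0 on every failure path
    call OpenClipboard
    test eax, eax
    je L043                             ; not opened: nothing to close
    push 1                              ; CF_TEXT
    call GetClipboardData
    mov dword ptr ss:[ebp-0C0h], eax
    cmp dword ptr ss:[ebp-0C0h], 0
    je L041
    mov edx, dword ptr ss:[ebp-0C0h]
    push edx
    call GlobalLock
    test eax, eax
    je L041
    push eax
    call lstrlenA
    mov edi, eax
    push dword ptr ss:[ebp-0C0h]        ; unlock the handle that was locked (was: esi, a stale register)
    call GlobalUnlock
L041:
    call CloseClipboard
L043:
    mov eax, edi
    pop edi
    cdq
    sub eax, edx                        ; signed eax / 2: round toward zero
    sar eax, 1
    ret
func_0057F255 endp
;----------------------------------------------------------------------------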
; 把数据输出到剪贴板上,用于新增快捷键
;----------------------------------------------------------------------------
;0057F329
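;-----------------------------------------------------------------------------
; int func_0057F329(const DWORD *value)   (cdecl: caller removes the argument)
; Formats *value with "%08X" into a movable global block and hands it to the
; clipboard as CF_TEXT. On success the clipboard owns the block; on every
; failure path the block is freed and the clipboard (if opened) is closed.
; In:   [esp+4] = pointer to the DWORD to copy
;       [ebp+8] = CALLER's frame slot, used as the clipboard-owner hwnd
;                 (no frame is set up here; presumed hwnd in the patched
;                 window procedures - confirm per call site)
;       esi     = passed to OllyDbg's Error() as the "%li bytes" value on
;                 allocation failure (presumed size; confirm)
; Out:  eax = CloseClipboard result on success, 0 on failure
; Clobbers: eax, ecx, edx, ebx (callers wrap the call in pushad/popad), flags
;-----------------------------------------------------------------------------
func_0057F329 proc
    mov eax, dword ptr [ebp+8]
    push eax
    call OpenClipboard
    test eax, eax
    jz L_FAIL_NOCLIP                    ; another window owns the clipboard: nothing to undo
    call EmptyClipboard
    push 10h                            ; dwBytes: "%08X" + NUL needs 9
    push 2002h                          ; uFlags: GMEM_MOVEABLE | GMEM_DDESHARE
    call GlobalAlloc
    mov ebx, eax                        ; ebx = HGLOBAL
    test ebx, ebx
    jnz L016
    push esi
    push 004BB416h ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
    jmp L_FAIL_CLOSE                    ; nothing allocated: just close the clipboard
L016:
    push ebx
    call GlobalLock
    test eax, eax
    jnz L032
    push esi
    push 004BB416h ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
    jmp L_FAIL_FREE
L032:
    mov edx, dword ptr [esp+4]          ; argument: pointer to the value
    push dword ptr [edx]
    push chr$("%08X")
    push eax                            ; locked buffer
    call wsprintfA
    add esp, 0Ch
    push ebx
    call GlobalUnlock
    push ebx
    push 1                              ; CF_TEXT
    call SetClipboardData
    test eax, eax
    jz L_FAIL_FREE                      ; clipboard refused the handle: still ours to free
    call CloseClipboard                 ; success: the clipboard owns ebx now
    ret
L_FAIL_FREE:
    push ebx
    call GlobalFree
L_FAIL_CLOSE:
    call CloseClipboard                 ; pairs the successful OpenClipboard above
L_FAIL_NOCLIP:
    xor eax, eax
    ret
func_0057F329 endp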
;****************************************************************************
; 修复函数
;****************************************************************************
;0057F77C
;-----------------------------------------------------------------------------
; Replaces `cmp eax,201h` at 0041E623 inside a window procedure. Adds a
; Ctrl+X handler on WM_KEYDOWN (100h) that copies a value to the clipboard
; through func_0057F329 and continues at 00425E22h; every other message
; re-executes the compare and resumes at 0041E628h.
; In:   eax = message id (the value the replaced compare tested)
;       [ebp+10h] = caller's frame slot, presumed the virtual-key code (wParam)
;       004CDA2Dh = address handed to func_0057F329 (author: deduced; confirm)
; Out:  fall-through path: flags from `cmp eax, 201h`, registers untouched
;-----------------------------------------------------------------------------
fix_0041E623 proc
    ; Entered from the window procedure
    cmp eax, 100h                       ; WM_KEYDOWN
    je JMP_2
JMP_1:
    cmp eax, 201h                       ; --- the replaced compare (WM_LBUTTONDOWN), re-executed
    push 0041E628h
    ret
JMP_2:
    pushad
    push 11h                            ; VK_CONTROL
    call GetKeyState ;<USER32.GetKeyState>
    test ax, 8000h                      ; high bit = key currently down
    je JMP_3
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; fold letter codes to lower case
    cmp eax, 78h                        ; 'x'
    jnz JMP_3
    mov eax, 004CDA2Dh                  ; deduced address (author's note)
    push eax
    call func_0057F329                  ; the new copy routine
    add esp, 4h
    popad
    push 00425E22h                      ; NOTE(review): leaves this procedure for 00425E22h - confirm the target
    ret
JMP_3:
    popad
    jmp JMP_1
fix_0041E623 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F000
;-----------------------------------------------------------------------------
; Replaces `add esp,1Ch / mov [ebp-5Ch],eax` at 0041F325. Before re-executing
; them, optionally repositions the CPU window (OD_Setcpu) on an address taken
; from one of several caller-frame slots. Never invoked: its WritePatchCode
; line in PatchProcMem is commented out.
; In:   caller's frame slots [ebp-162Ch], [ebp-1640h], [ebp-15F8h],
;       [ebp-15F4h], [ebp-163Ch], [ebp-18h] - their meaning is not
;       recoverable from this file; they are only read here
; Out:  re-executes the replaced instructions and resumes at 0041F32Bh;
;       general registers preserved by pushad/popad
; NOTE(review): the range check below always tests the 3rd Setcpu argument
; ([esp+8]). On the L029 path that slot holds the literal 0 pushed there
; and the address sits in the 2nd argument, so Setcpu is never reached on
; that path - presumably unintended; confirm against Setcpu's argument order.
;-----------------------------------------------------------------------------
fix_0041F325 proc
    ; Never invoked (see PatchProcMem).
    cmp dword ptr [ebp-162Ch], 0
    jnz L039                            ; slot set: skip straight to the replaced instructions
    pushad
    push 10000h                         ; 5th Setcpu argument (mode bits - confirm against CPU_* flags)
    push 0
    ; choose which frame slot supplies the address pushed next
    cmp dword ptr [ebp-1640h], 0
    je L024
    cmp dword ptr [ebp-15F8h], 0
    je L018
    push dword ptr [ebp-15F8h]
    call dword ptr [OD_Findmemory]      ; is the address inside a known memory block?
    pop ecx
    test eax, eax
    je L018
    push dword ptr [ebp-15F8h]
    jmp L027
L018:
    cmp dword ptr [ebp-15F4h], 0
    je L022
    push dword ptr [ebp-15F4h]
    jmp L027
L022:
    push dword ptr [ebp-1640h]
    jmp L027
L024:
    cmp dword ptr [ebp-18h], 0
    jnz L029
    push dword ptr [ebp-163Ch]
L027:
    push 0
    jmp L031
L029:
    push 0
    push dword ptr [ebp-163Ch]
L031:
    push 0
    ; only call when [esp+8] lies in 00100000h..7FFE0FFFh (32-bit user-mode range)
    cmp dword ptr [esp+8], 100000h
    jb L037
    cmp dword ptr [esp+8], 7FFE0FFFh
    ja L037
    call dword ptr [OD_Setcpu]
L037:
    add esp, 14h                        ; drop the 5 pushed arguments whether or not Setcpu ran
    popad
L039:
    add esp, 1Ch                        ; --- replaced instructions, re-executed
    mov dword ptr [ebp-5Ch], eax
    push 0041F32Bh
    ret
fix_0041F325 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;004AF780
;004AF781
;-----------------------------------------------------------------------------
; Replaces `cmp dword ptr [4E2744],1` at 0042042F (PatchProcMem writes a NOP
; at the first byte and a push/ret trampoline at 00420430). Adds Shift+C /
; Shift+V handling: sets ebx to a command code and jumps to 00423151h;
; otherwise re-executes the compare and resumes at 00420436h. Never invoked:
; its lines in PatchProcMem are commented out.
; In:   [ebp+10h] = caller's frame slot, presumed the character code (wParam)
; Out:  see above
; NOTE(review): the fallback rebuilds the compare as `mov eax,004E2744h /
; cmp [eax],1`, so eax is clobbered where the original instruction left it
; intact (`cmp dword ptr ds:[004E2744h], 1` would not). The Shift path also
; overwrites eax before deciding to fall back.
;-----------------------------------------------------------------------------
fix_0042042F proc
    ; Never invoked (see PatchProcMem).
    push 10h                            ; VK_SHIFT
    call GetKeyState ;<jmp.&USER32.GetKeyState>
    test ax, 8000h                      ; high bit = key currently down
    je L015
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; fold to lower case
    cmp eax, 63h                        ; 'c'
    jnz L011
    mov ebx, 13h
    jmp L014
L011:
    cmp eax, 76h                        ; 'v'
    jnz L015
    mov ebx, 14h
L014:
    push 00423151h
    ret
L015:
    mov eax, 004E2744h
    cmp dword ptr [eax], 1              ; --- the replaced compare, re-executed (clobbers eax, see note)
    push 00420436h
    ret
fix_0042042F endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F3E0
;-----------------------------------------------------------------------------
; Replaces `cmp eax,200h` at 00425E57 inside a window procedure and adds
; three handlers keyed on the message id in [ebp+0Ch]:
;   200h (WM_MOUSEMOVE)     -> JMP_SUB_1: show selection info via Infoline
;   203h (WM_LBUTTONDBLCLK) -> JMP_SUB_2: Ctrl held: Setcpu on the selected
;                              address; else copy the dword it points to
;   100h (WM_KEYDOWN)       -> JMP_SUB_3: key 't': follow the pointer and
;                              advance the selection by 4
; Every path ends by re-executing `cmp eax, 200h` and resuming at 00425E5Ch.
; In:   [ebp+0Ch] = message id; [ebp+10h] = presumed virtual-key code
;       004CDDFAh = author-deduced dword pair (selection start at +0, end at
;                   +4, with neighbours at -8/-4/+8 also touched) - confirm
;       0050AFE0h / 0050B140h = author-deduced scratch dwords in the host
;                   image used as Readmemory destinations - confirm
; Out:  flags from `cmp eax, 200h`; registers preserved via pushad/popad
; NOTE(review): in JMP_SUB_1, when ecx <= 4 two extra dwords ([ebx] and
; arg_00425E57_1A) are pushed before the seven Infoline arguments, but
; `add esp, 1Ch` removes only seven, so the following popad pops a shifted
; frame. Presumably a different format string / add was intended; confirm.
;-----------------------------------------------------------------------------
fix_00425E57 proc
    ; Entered from the window procedure
    mov eax, dword ptr [ebp+0Ch]
    cmp eax, 200h
    je JMP_SUB_1
JMP_0_1:
    cmp eax, 203h
    je JMP_SUB_2
JMP_0_2:
    cmp eax, 100h
    je JMP_SUB_3
JMP_0_3:
    cmp eax, 200h                       ; --- the replaced compare, re-executed
    push 00425E5Ch
    ret
    ;------------------
    ;0057F4D6
JMP_SUB_2:
    push 11h                            ; VK_CONTROL
    call GetKeyState ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    jnz JMP_2_2
    nop
    pushad
    mov edx, 004CDDFAh                  ; deduced address (author's note)
    push edx
    push dword ptr [edx]
    call dword ptr [OD_Findmemory]      ; is the selected address readable?
    pop ecx
    pop edx
    test eax, eax
    je JMP_2_1
    push 1                              ; Readmemory(buf=0050AFE0h, addr=[edx], size=4, mode=1)
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                  ; deduced scratch dword (author's note)
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push ebx
    call func_0057F329                  ; copy the dword read above to the clipboard
    add esp, 4
JMP_2_1:
    popad
    jmp JMP_0_2
JMP_2_2:
    pushad
    mov ebp, 004CDDFAh                  ; deduced; ebp is restored by popad
    push 1004h                          ; Setcpu(0, [ebp], 0, 0, 1004h)
    push 0
    push 0
    push dword ptr [ebp]
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
    popad
    jmp JMP_0_2
    ;------------------
    ; Infoline labels: arg_..._1A/_1B/_20/_30 are GBK-encoded text ending in
    ; ':' (_1B in ":0x"); _40 is the format "%s%X %s%X %s%X".
    .data
    ;0057F5DB
    arg_00425E57_1A db 0B5h,0B1h,0C7h,0B0h,0D6h,0B5h,03Ah,00,00,00,00
    ;0057F5EE
    arg_00425E57_1B db 0BFh,0E9h,0B4h,0F3h,0D0h,0A1h,03Ah,030h,078h,00,00,00,00,00,00,00
    ;0057F608
    arg_00425E57_20 db 0BDh,0E1h,0CAh,0F8h,03Ah,00,00,00,00
    ;0057F619
    arg_00425E57_30 db 0C6h,0F0h,0CAh,0BCh,03Ah,00,00,00,00
    ;0057F627
    arg_00425E57_40 db 025h,073h,025h,058h,020h,025h,073h,025h,058h,020h,025h,073h,025h,058h,00,00,00,00,00,00,00
    .code
    ;0057F58F
JMP_SUB_1:
    pushad
    mov ebp, 004CDDFAh                  ; deduced; ebp is restored by popad
    push dword ptr [ebp]
    call dword ptr [OD_Findmemory]
    add esp, 4
    test eax, eax
    je JMP_3_1
    push 1                              ; Readmemory(buf=0050B140h, addr=[ebp], size=4, mode=1)
    push 4
    push dword ptr [ebp]
    mov ebx, 0050B140h                  ; deduced scratch dword (author: "pointer pushed")
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    mov ecx, dword ptr [ebp+4]
    sub ecx, dword ptr [ebp]            ; ecx = selection length
    cmp ecx, 4
    ja JMP_1_1
    push dword ptr [ebx]                ; extra pair, see NOTE(review) above
    ;0057F5DB
    push offset arg_00425E57_1A
JMP_1_1:
    push ecx
    ;0057F5EE
    push offset arg_00425E57_1B
    mov eax, dword ptr [ebp+4]
    dec eax
    push eax                            ; selection end - 1
    ;0057F608
    push offset arg_00425E57_20
    push dword ptr [ebp]                ; selection start
    ;0057F619
    push offset arg_00425E57_30
    ;0057F627
    push offset arg_00425E57_40
    call dword ptr [OD_Infoline]
    add esp, 1Ch                        ; 7 arguments
    popad
    jmp JMP_0_3
    ;------------------
    ;0057F65E
JMP_SUB_3:
    ; Never reached in practice per the author's note
    push eax
    mov eax, dword ptr [ebp+10h]
    or al, 20h                          ; fold to lower case
    cmp eax, 74h                        ; 't'
    pop eax                             ; pop leaves the flags of the cmp intact
    jnz JMP_0_3
    pushad
    mov edx, 004CDDFAh                  ; deduced (author's note)
    push 1                              ; Readmemory(buf=0050AFE0h, addr=[edx], size=4, mode=1)
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                  ; deduced (author's note)
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push dword ptr [ebx]
    call dword ptr [OD_Findmemory]      ; does the pointer read point at known memory?
    pop ecx
    test eax, eax
    je JMP_3_1
    push 34h                            ; Setcpu(0, [ebx], 0, 0, 34h)
    push 0
    push 0
    push dword ptr [ebx]
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
    ; advance the selection by one dword and mirror it into the neighbouring slots
    mov edx, 004CDDFAh                  ; deduced (author's note)
    mov eax, dword ptr [edx]
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx], eax
    mov dword ptr [edx+8], eax
    mov eax, dword ptr [edx+4]
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx+4], eax
    mov ebx, dword ptr [edx-4]
    cmp eax, ebx
    jb JMP_3_1
    mov dword ptr [edx-8], ebx
JMP_3_1:
    popad
    jmp JMP_0_3
fix_00425E57 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F15F
;-----------------------------------------------------------------------------
; Replaces `mov eax, dword ptr [4CDDFA]` at 0042609A. When the character in
; esi is Enter (0Dh) and the selected address and the pointer stored there
; are both readable, positions the CPU window on that pointer: Shift held ->
; dump pane, else -> disassembler pane. Then re-executes the load and resumes
; at 0042609Fh. Never invoked: its line in PatchProcMem is commented out.
; In:   esi = character code (presumed WM_CHAR wParam); 004CDDFAh = selection
;       start (author-deduced); 0050AFE0h = scratch dword (author-deduced)
; Out:  eax = dword loaded at the end; other registers preserved by pushad/popad
; NOTE(review): the re-executed load reads [004CDDFBh], one byte past the
; [4CDDFA] the replaced instruction read (the author marked this "?????");
; a misaligned read of a different value - confirm the intended address.
;-----------------------------------------------------------------------------
fix_0042609A proc
    ; Never invoked (see PatchProcMem).
    pushad
    mov eax, esi
    cmp eax, 0Dh                        ; Enter
    jnz L042
    mov ebp, 004CDDFAh                  ; deduced; restored by popad
    mov eax, dword ptr [ebp]
    push eax                            ; keep the selected address across the call
    push eax
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    pop eax                             ; pop does not touch the flags
    je L042
    push 1                              ; Readmemory(buf=0050AFE0h, addr=eax, size=4, mode=1)
    push 4
    push eax
    mov ebp, 0050AFE0h                  ; deduced scratch dword (author: "pointer pushed")
    push ebp
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push dword ptr [ebp]                ; the pointer just read
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je L042
    push 10h                            ; VK_SHIFT
    call GetKeyState ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    push 34h                            ; 5th Setcpu argument (mode); pushes do not change the flags
    push 0
    je L037
    push dword ptr [ebp]                ; Shift: Setcpu(0, 0, [ebp], 0, 34h)
    push 0
    jmp L039
L037:
    push 0                              ; no Shift: Setcpu(0, [ebp], 0, 0, 34h)
    push dword ptr [ebp]
L039:
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
L042:
    popad
    mov eax, 004CDDFBh                  ; see NOTE(review): replaced instruction read [4CDDFA]
    mov eax, dword ptr [eax]
    push 0042609Fh
    ret
fix_0042609A endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057F100
;-----------------------------------------------------------------------------
; Replaces `cmp [ebp-14h],0 / jnz 004267D8` at 0042670C (WM_KEYDOWN path).
; Tests the caller's [ebp-10h] instead: zero -> resume at 00426716h (the
; original fall-through); otherwise read the dword at [004CE1C7h] and, if it
; points at known memory, show it in the dump pane, then resume at 004267D8h
; (the original jump target). Never invoked: its line in PatchProcMem is
; commented out.
; In:   [ebp-10h] = caller's frame slot (meaning not recoverable here)
;       004CE1C7h / 0050AFE0h = author-deduced host addresses - confirm
; Out:  registers preserved by pushad/popad on the second path
;-----------------------------------------------------------------------------
fix_0042670C proc
    ; Never invoked (see PatchProcMem).
    cmp dword ptr [ebp-10h], 0
    je L028
    pushad
    mov ebp, 004CE1C7h                  ; deduced; restored by popad
    mov eax, dword ptr [ebp]
    push 3                              ; Readmemory(buf=0050AFE0h, addr=eax, size=4, mode=3)
    push 4
    push eax
    mov eax, 0050AFE0h                  ; deduced scratch dword
    push eax
    call dword ptr [OD_Readmemory]
    add esp, 10h
    mov eax, 0050AFE0h
    push dword ptr [eax]
    call dword ptr [OD_Findmemory]      ; does the dword read point at known memory?
    pop ecx
    test eax, eax
    je L026
    push 34h                            ; Setcpu(0, 0, [0050AFE0h], 0, 34h)
    push 0
    mov eax, 0050AFE0h
    push dword ptr [eax]
    push 0
    push 0
    call dword ptr [OD_Setcpu]
    add esp, 14h
L026:
    popad
    push 004267D8h
    ret
L028:
    push 00426716h
    ret
fix_0042670C endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;004AF644
;把%替换成空格
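;004AF644
;-----------------------------------------------------------------------------
; Replace '%' with a space. Replaces `add esp,10h / cmp eax,ebx` at 0043134C
; (reached while loading a new process). Before re-executing them, every
; '%' in the buffer the just-completed call received is overwritten with
; ' ' (presumably because the text is later fed to a printf-style routine).
; In:   [esp]   = first argument of the call that just returned - presumed
;                 the text buffer
;       [esp+8] = its third argument - presumed the byte count (confirm both)
; Out:  re-executes `add esp,10h / cmp eax,ebx` and resumes at 00431351h;
;       eax/ecx/edi preserved, flags = result of `cmp eax, ebx`
; Assumes DF = 0 (Win32 ABI).
;-----------------------------------------------------------------------------
fix_0043134C proc
    push ecx
    push eax
    push edi
    mov edi, dword ptr [esp+0Ch]        ; buffer (arg1 of the returned call)
    mov ecx, dword ptr [esp+14h]        ; byte count (arg3)
    mov eax, 25h                        ; '%'
    test ecx, ecx
    jz L_PCT_DONE                       ; empty buffer: nothing to scan
L_PCT_NEXT:
    repne scas byte ptr es:[edi]        ; stops on '%' (ZF=1) or when ecx reaches 0
    jne L_PCT_DONE                      ; ran out of bytes without a match
    mov byte ptr [edi-1], 20h           ; edi already points past the match
    test ecx, ecx                       ; a '%' in the very last byte leaves ecx = 0;
    jnz L_PCT_NEXT                      ; it was replaced above, so stop here
L_PCT_DONE:
    pop edi
    pop eax
    pop ecx
    add esp, 10h                        ; --- replaced instructions, re-executed
    cmp eax, ebx
    push 00431351h
    ret
fix_0043134C endp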
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
.data
; MAX_PATH-byte zeroed scratch buffer. Not referenced by any code visible in
; this file (fix_00437376 builds its paths in a GlobalAlloc'd buffer).
szPatchName db MAX_PATH dup (0)
.code
;004AF67A
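;-----------------------------------------------------------------------------
; Replaces `push 7F02h` at 00437376. Before resuming, writes the UDD and
; plugin directory paths into OllyDbg's ini as "<dir>\UDD" and
; "<dir>\plugin", where <dir> is the NUL-terminated string at 004D3868h.
; In:   004D3868h = directory string in the host image
;       004B747Eh / 004B74FDh / 004B7506h = ini section and key names;
;       004D53A4h = ini file name (all host-image addresses deduced from the
;       original call sites - confirm against the build)
; Out:  executes `push 7F02h` and resumes at 0043737Bh;
;       all registers preserved (pushad/popad)
; Stack: no frame; the scratch buffer comes from GlobalAlloc and is freed
;        before exit. Assumes DF = 0 (Win32 ABI).
;-----------------------------------------------------------------------------
fix_00437376 proc
    pushad
    ; Measure the directory first so the buffer is sized for it: a fixed
    ; 100h-byte block overflowed for long paths (path + "\plugin" + NUL).
    mov edi, 004D3868h                  ; directory string (host image)
    mov esi, edi
    xor eax, eax
    xor ecx, ecx
    dec ecx
    repne scas byte ptr es:[edi]
    neg ecx
    dec ecx                             ; ecx = strlen + 1 (terminator included)
    mov ebx, ecx                        ; ebx = that length; preserved across the calls below
    lea eax, [ecx + 16]                 ; strlen + 1 + "\plugin" (7) + NUL, with slack
    push eax                            ; dwBytes
    push 40h                            ; uFlags = GPTR (fixed, zero-initialised)
    call GlobalAlloc
    test eax, eax
    jz PROC_END                         ; no memory: leave the ini untouched
    mov edi, eax                        ; edi = scratch buffer
    ; "<dir>\UDD"
    push esi
    push edi
    call lstrcpyA
    mov byte ptr [ebx+edi-1], 5Ch       ; buffer[strlen] = '\' (overwrites the copied NUL)
    mov byte ptr [ebx+edi], 0
    push chr$("UDD")
    mov eax, ebx
    add eax, edi
    push eax                            ; buffer + strlen + 1
    call lstrcpyA
    push 004D53A4h                      ; lpFileName (ini path)
    push edi                            ; lpString  (the path just built)
    push 004B74FDh                      ; lpKeyName
    push 004B747Eh                      ; lpAppName
    call WritePrivateProfileStringA
    ; "<dir>\plugin"
    push esi
    push edi
    call lstrcpyA
    mov byte ptr [ebx+edi-1], 5Ch
    mov byte ptr [ebx+edi], 0
    push chr$("plugin")
    mov eax, ebx
    add eax, edi
    push eax
    call lstrcpyA
    push 004D53A4h                      ; lpFileName
    push edi                            ; lpString
    push 004B7506h                      ; lpKeyName
    push 004B747Eh                      ; lpAppName
    call WritePrivateProfileStringA
    push edi
    call GlobalFree
PROC_END:
    popad
    push 7F02h                          ; --- the replaced instruction, re-executed
    push 0043737Bh
    ret
fix_00437376 endp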
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;004AF740
;-----------------------------------------------------------------------------
; Replaces `push 200h` at 00446A1C (the OD copy bug, see the pediy thread
; referenced in PatchProcMem). Performs the MultiByteToWideChar call itself
; and, when the last converted wide character is 0, sets its low byte to 1;
; either way resumes at 00446A39h (presumably just after the original call -
; confirm).
; In:   ebx = byte count of the multibyte text (presumed from the original
;       call); [ebp-288h] = source text; [ebp-588h] = wide-char destination
;       (both in the caller's frame)
; Out:  ebx = value of the last wide char (0 on the patched path);
;       edx = address of that wide char; ecx = source pointer; eax = count
; NOTE(review): if the conversion returns 0 the code computes edx - 2 (one
; wide char before the buffer) and may write there. And if the two lea
; targets are adjacent buffers, the 300h bytes between them are less than
; the 200h wide chars (400h bytes) the call is allowed to write - confirm
; the frame layout.
;-----------------------------------------------------------------------------
fix_00446A1C proc
    lea edx, dword ptr ss:[ebp-588h]    ; destination (wide)
    lea ecx, dword ptr ss:[ebp-288h]    ; source (multibyte)
    push ecx                            ; keep both pointers across the call
    push edx
    push 200h                           ; cchWideChar
    push edx                            ; lpWideCharStr
    push ebx                            ; cbMultiByte
    push ecx                            ; lpMultiByteStr
    push 1                              ; dwFlags = MB_PRECOMPOSED
    push 0                              ; CodePage = CP_ACP
    call MultiByteToWideChar ;<jmp.&KERNEL32.MultiByteToWideChar>
    pop edx
    pop ecx
    mov ebx, eax
    add ebx, ebx                        ; wide chars -> bytes
    add edx, ebx
    sub edx, 2                          ; edx -> last wide char written
    movzx ebx, word ptr ds:[edx]
    cmp ebx, 0
    je @F
    push 00446A39h
    ret
@@:
    mov byte ptr ds:[edx], 1            ; terminating 0 becomes 0001h (see NOTE(review))
    push 00446A39h
    ret
fix_00446A1C endp
;----------------------------------------------------------------------------
; 可能存在错误
;----------------------------------------------------------------------------
;0057F1F5
;-----------------------------------------------------------------------------
; Replaces `call 004A7C50` at 0044EF88 (WM_CHAR). Adds hot keys:
;   Shift+C -> edi = 76h, continue at 00451411h
;   Shift+V -> edi = 77h, query the clipboard text length (func_0057F255)
;              and add it to a copy of [ebx+385h] in the caller's frame,
;              continue at 00451411h
;   Ctrl+8  -> copy the dword at ebx+385h to the clipboard (func_0057F329)
; Anything else (and after Ctrl+8) re-executes the call and resumes at
; 0044EF8Dh. Never invoked: its line in PatchProcMem is commented out.
; The author flagged this routine as possibly wrong.
; In:   [ebp+10h] = presumed character code; [ebp+8] = presumed hwnd;
;       ebx+385h = caller-side dword (meaning not recoverable here)
; NOTE(review): the two Shift paths leave through L022 without popad, so
; the pushad frame (8 dwords) stays on the stack and the edi value set here
; is below esp, while the L023 path does popad. Whether 00451411h expects
; that frame cannot be confirmed from this file.
; NOTE(review): the re-executed call uses `mov eax, 004A7C50h / call eax`,
; which clobbers eax before entering 004A7C50 - harmless only if that
; routine does not take input in eax.
;-----------------------------------------------------------------------------
fix_0044EF88 proc
    ; Never invoked (see PatchProcMem).
    pushad
    push 10h                            ; VK_SHIFT
    call GetKeyState ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    je L105
    mov eax, dword ptr ss:[ebp+10h]
    or al, 20h                          ; fold to lower case
    cmp eax, 63h                        ; 'c'
    jnz L011
    mov edi, 76h
    jmp L022
L011:
    cmp eax, 76h                        ; 'v'
    jnz L023
    mov edi, 77h
    push dword ptr ss:[ebp+8]
    call func_0057F255                  ; eax = clipboard text length / 2
    add esp, 4
    push dword ptr ds:[ebx+385h]
    pop dword ptr ss:[ebp-50h]
    push dword ptr ds:[ebx+385h]
    pop dword ptr ss:[ebp-54h]
    add dword ptr ss:[ebp-54h], eax
L022:
    ;----------------------- added code begin
    ;call DebugBreak
    ;----------------------- added code end
    push 00451411h                      ; no popad here, see NOTE(review)
    ret
L023:
    popad
    mov eax, 004A7C50h
    call eax                            ; --- the replaced call, re-executed
    push 0044EF8Dh
    ret
L105:
    push 11h                            ; VK_CONTROL
    call GetKeyState ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    je L023
    mov eax, dword ptr ss:[ebp+10h]
    or al, 20h
    cmp eax, 38h                        ; '8'
    jnz L023
    lea eax, dword ptr ds:[ebx+385h]
    push eax
    call func_0057F329
    add esp, 4
    jmp L023
fix_0044EF88 endp
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
;0057FAF2
;-----------------------------------------------------------------------------
; _Findname string-length check. Replaces `lea eax,[esi+1] / push eax /
; mov edx,[ebx]` at 00464A67: clamps the length in esi to 255, writes the
; terminator at edi+esi, pushes the length and resumes at 00464A6Dh.
; In:   esi = length, edi = buffer, ebx -> dword loaded into edx
; Out:  esi clamped, edx = [ebx], eax = 0, one dword pushed
; NOTE(review): the replaced code pushed esi+1 and left eax = esi+1; this
; pushes esi and leaves eax = 0. Presumably intentional now that the
; terminator is written here - confirm what 00464A6D does with the pushed
; value and eax. `jle` is a signed compare (see func_0057FAD0).
;-----------------------------------------------------------------------------
fix_00464A67 proc
    cmp esi, 0FFh
    jle @F
    mov esi, 0FFh
@@:
    xor eax, eax
    mov byte ptr ds:[esi+edi], al       ; terminate the buffer at the (clamped) length
    push esi
    mov edx, dword ptr ds:[ebx]         ; --- replaced instruction, re-executed
    push 00464A6Dh
    ret
fix_00464A67 endp
;============================================================================
;004AF645
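;-----------------------------------------------------------------------------
; Replaces `push ebx / push 0Eh / mov edx,[ebp-28h]` at 0041A735 (menu
; construction, presumed): appends a "&Remove all breakpoints" item with
; command id 2Dh (handled by fix_0041A920) when the breakpoint table is
; non-empty, then re-executes the replaced instructions and resumes at
; 0041A73Bh.
; In:   [ebp-28h] = caller's menu handle (presumed from the original listing)
;       004D7FE5h = breakpoint count: 004D7EE1h + 104h, the `n` field of the
;                   t_sorted that fix_0041A920 walks - confirm
; Out:  registers as the replaced instructions leave them; flags undefined
;-----------------------------------------------------------------------------
fix_0041A735 proc
    ; Compare the count in memory directly. Pushing the address and testing
    ; [esp] only compared the constant 004D7FE5h, and an `add esp` between
    ; the compare and the branch clobbered the flags anyway.
    cmp dword ptr ds:[004D7FE5h], 0
    jle @F                              ; no breakpoints: nothing to add
    pushad
    push 004C100Ch                      ; lpNewItem: "&Remove all breakpoints" (host-image string)
    push 2Dh                            ; uIDNewItem: command id handled by fix_0041A920
    push 0                              ; uFlags = MF_STRING
    mov eax, dword ptr ss:[ebp-28h]
    push eax                            ; hMenu
    call AppendMenuA ;<jmp.&USER32.AppendMenuA>
    popad
@@:
    push ebx                            ; --- replaced instructions, re-executed
    push 0Eh
    mov edx, dword ptr ss:[ebp-28h]
    push 0041A73Bh
    ret
fix_0041A735 endp
;004AF66D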
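;-----------------------------------------------------------------------------
; Replaces `cmp [ebp-4],0Ch / jnz 0041A96B` at 0041A920 (command dispatch,
; presumed). Command 0Ch keeps its original handler (0041A926h); the added
; command 2Dh ("remove all breakpoints", see fix_0041A735) deletes every
; entry of the breakpoint table and continues at 0041A985h with [ebp-4]
; set to 1; every other command takes the original not-equal path
; (0041A96Bh).
; In:   [ebp-4] = command id in the caller's frame
;       004D7EE1h = breakpoint table; the offsets used (104h count,
;       114h item size, 11Ch data pointer) match OllyDbg's t_sorted layout,
;       and each item's first dword is taken as the breakpoint address -
;       confirm against the build
; Out:  see above; registers preserved by pushad/popad on the 2Dh path
;-----------------------------------------------------------------------------
fix_0041A920 proc
    cmp dword ptr ss:[ebp-4], 0Ch
    jnz @F
    push 0041A926h                      ; command 0Ch: original equal path
    ret
@@:
    cmp dword ptr ss:[ebp-4], 2Dh
    jz @F                               ; our command: fall into the removal loop
    push 0041A96Bh                      ; anything else: original not-equal path
    ret                                 ; (was `jnz`, which ran the removal for every other command)
@@:
    pushad
    mov ebx, 004D7EE1h                  ; breakpoint table (t_sorted, presumed)
    mov esi, dword ptr ss:[ebx+104h]    ; esi = n (entry count)
@@:
    ; walk the entries from last to first
    dec esi
    cmp esi, 0
    jl @F
    mov eax, esi
    imul eax, dword ptr ds:[ebx+114h]   ; index * itemsize
    add eax, dword ptr ds:[ebx+11Ch]    ; + data
    mov edx, dword ptr ds:[eax]         ; edx = entry address
    push 0                              ; Deletebreakpoints(addr, addr + 1, silent = 0)
    mov eax, edx
    inc edx
    push edx
    push eax
    call dword ptr [OD_Deletebreakpoints]
    add esp, 0Ch
    jmp @B
@@:
    popad
    mov dword ptr ss:[ebp-4], 1
    push 0041A985h
    ret
fix_0041A920 endp
;004AF791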
;-----------------------------------------------------------------------------
; Floating-point fix. Replaces `mov ax,[ebp+14h] / push eax` at 0047E7D7:
; when the two dwords at [ebp+0Ch] and [ebp+10h] are both -1, clears the
; lowest bit of the first, then re-executes the replaced instructions and
; resumes at 0047E7DCh.
; In:   [ebp+0Ch], [ebp+10h], [ebp+14h] = three stack arguments of the
;       caller; presumably the low/high mantissa dwords and the exponent
;       word of an 80-bit value (compare func_0057F0A1) - TODO confirm
; Out:  eax = zero-extended? no: only ax is loaded, the upper half of eax is
;       whatever the caller had (same as the replaced instruction)
; Clobbers: ax, flags; one dword pushed
;-----------------------------------------------------------------------------
fix_0047E7D7 proc
    cmp dword ptr ss:[ebp+0Ch], -1
    jnz @F
    cmp dword ptr ss:[ebp+10h], -1
    jnz @F
    and byte ptr ss:[ebp+0Ch], 0FEh     ; all-ones mantissa: drop the lowest bit
@@:
    mov ax, word ptr ss:[ebp+14h]       ; --- replaced instructions, re-executed
    push eax
    push 0047E7DCh
    ret
fix_0047E7D7 endp