.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
.data
; Caption passed to both MessageBox calls.
szAppName db "Anti memory break point - By 堕落天才",0
; Bait buffer: the string whose address range is handed to VirtualProtect
; and which is displayed when the probe does not report ERROR_NOACCESS.
szText db "Hi,try to set a memory break point here!",0
; Shown when VirtualProtect fails and GetLastError returns ERROR_NOACCESS.
szFound db "A memory break point was found!",0
.data?
; Out-parameter for VirtualProtect (receives the previous page protection).
; NOTE(review): this is static storage, whereas the C listing on this page
; uses a stack local; whether it shares a page with szText is not visible
; here and may explain why the two listings behave differently -- confirm.
dwOldProtect dd ?
.code
;-----------------------------------------------------------------------
; _start -- program entry point (MASM32, .model flat,stdcall).
;
; Flow:
;   1. eax = lstrlen(szText) + 1            ; include the terminating NUL
;   2. VirtualProtect(szText, eax, PAGE_READWRITE, &dwOldProtect)
;   3. If the call failed AND GetLastError() == ERROR_NOACCESS,
;      show szFound and exit.
;   4. In every other case (success, or failure with a different error
;      code) show szText, then exit.
;
; Per the accompanying write-up, step 3 is reached when a debugger
; memory-access breakpoint covers szText; the author notes this was
; observed on their own machine only.
; Analyst note: the VirtualProtect / GetLastError / ERROR_NOACCESS
; sequence on a data buffer is the recognisable shape of this check.
;-----------------------------------------------------------------------
_start:
        invoke  lstrlen, addr szText
        inc     eax                             ; length + NUL terminator
        invoke  VirtualProtect, addr szText, eax, PAGE_READWRITE, addr dwOldProtect
        test    eax, eax                        ; non-zero = protection change succeeded
        jnz     @ShowText
        invoke  GetLastError
        cmp     eax, ERROR_NOACCESS             ; only this error is treated as a hit
        jne     @ShowText
        invoke  MessageBox, NULL, addr szFound, addr szAppName, MB_OK
        jmp     @ExitMain
@ShowText:
        invoke  MessageBox, NULL, addr szText, addr szAppName, MB_OK
@ExitMain:
        invoke  ExitProcess, 0
end _start
用OD载入附件中AntiMBP_ASM.exe,对00403026-00403057(szText)内存范围下内存访问断点,F9运行,很快就中断了,是在lstrlen的内部。一直F9,如无意外程序将会显示“A memory break point was found!”提示框(在我的电脑里面是这样)。OD的内存断点是通过修改目标内存页的保护属性来实现的,所以会影响到这里的VirtualProtect调用:lstrlen后面的VirtualProtect试图改变szText所在内存范围的属性,失败后,LastError == ERROR_NOACCESS,这样我们就知道szText被设置内存断点了。
4,代码2
#include<windows.h>
// Caption passed to both MessageBox calls.
char szAppName [] = "Anti memory break point - By 堕落天才";
// Shown when VirtualProtect fails and GetLastError() returns ERROR_NOACCESS.
char szFound[] = "A memory break point was found!";
// Bait buffer: its address range is passed to VirtualProtect, and it is
// displayed when that call succeeds.
char szText[] = "Hi! try to set a memory break point here! Success?";
// Entry point: re-applies PAGE_READWRITE to the pages holding szText and
// reports the outcome in a message box.
//
//  - VirtualProtect succeeds: szText is displayed. Per the accompanying
//    write-up, a debugger memory breakpoint placed on szText no longer
//    fires after this point.
//  - VirtualProtect fails with ERROR_NOACCESS: szFound is displayed.
//  - VirtualProtect fails with any other error: nothing is displayed.
//
// Unlike the MASM listing on this page, dwOldProtect is a stack local here.
// Always returns 0; none of the WinMain parameters are used.
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd )
{
    DWORD dwOldProtect;
    int cbText = lstrlen( szText ) + 1;   // string length plus terminating NUL

    if( VirtualProtect( &szText, cbText, PAGE_READWRITE, &dwOldProtect ) ){
        // Protection was reset successfully; read the buffer normally.
        MessageBox( NULL, szText, szAppName, MB_OK );
        return 0;
    }

    // Only ERROR_NOACCESS is reported; other failures fall through silently.
    if( GetLastError() == ERROR_NOACCESS ){
        MessageBox( NULL, szFound, szAppName, MB_OK );
    }
    return 0;
}
用OD载入附件中的AntiMBP_CPP.exe,对00405078-004050A9(szText)内存范围下内存访问断点,F9运行,一样很快就中断在lstrlen内部。一直F9,如无意外程序将会显示“Hi! try to set a memory break point here! Success?”提示框(在我的电脑上是这样)。因为lstrlen后面的VirtualProtect试图改变szText所在内存范围的属性,成功后,该页的保护属性被重新设为PAGE_READWRITE,而OD的内存断点正是依赖页保护属性来触发的,所以下面的MessageBox函数对szText读取,不会再中断,这样szText上面设置的内存断点就失效了。