I wrote a program A.exe myself; at run time it calls b.dll. Now I want to use a patch to make it call another DLL I wrote, C.dll, so in the following code region of b.dll:
10009B47 |> \8BC6 mov eax,esi
10009B49 |. 5E pop esi
10009B4A \. C3 retn
10009B4B 8B4424 08 mov eax,dword ptr ss:[esp+8] // patch code starts here; changed to: call 1000F100 (1000F100 is a blank address in the module)
10009B4F 56 push esi
10009B50 |. 85C0 test eax,eax
10009B52 |. 8BF1 mov esi,ecx
10009B54 |. 75 08 jnz short Regula_1.10009B5E
10009B56 |. E8 13470000 call Regula_1.1000E26E
10009B5B |. 8B40 10 mov eax,dword ptr ds:[eax+10]
10009B5E |> 85F6 test esi,esi
10009B60 |. 75 04 jnz short Regula_1.10009B66
10009B62 |. 33C9 xor ecx,ecx
10009B64 |. EB 03 jmp short Regula_1.10009B69
10009B66 |> 8B4E 1C mov ecx,dword ptr ds:[esi+1C]
10009B69 |> FF7424 10 push dword ptr ss:[esp+10] ; /Style
10009B6D |. 50 push eax ; |Title
10009B6E |. FF7424 10 push dword ptr ss:[esp+10] ; |Text
10009B72 |. 51 push ecx ; |hOwner
10009B73 |. FF15 84020110 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
10009B79 |. 5E pop esi
10009B7A \. C2 0C00 retn 0C
Code at the patch location:
1000F100 50 push eax
1000F101 53 push ebx
1000F102 51 push ecx
1000F103 52 push edx
1000F104 55 push ebp
1000F105 56 push esi
1000F106 57 push edi
1000F107 |. E8 10000000 call Regula_1.1000F11C // uses LoadLibraryA and GetProcAddress to call my own DLL
1000F10C 5F pop edi
1000F10D 5E pop esi
1000F10E 5D pop ebp
1000F10F 5A pop edx
1000F110 59 pop ecx
1000F111 5B pop ebx
1000F112 58 pop eax
1000F113 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
1000F117 |. 56 push esi
1000F118 |. 83C4 04 add esp,4 // restore esp
1000F11B \. C3 retn // returns successfully to 10009B50
Executing the CALL at 1000F107, LoadLibraryA and GetProcAddress load c.dll and call the function inside it successfully, and execution returns fine to 1000F10C. But I found that when mov eax,dword ptr ss:[esp+8] is executed, the value of eax is wrong; it would have to be mov eax,dword ptr ss:[esp+0C] to be correct. The stack has definitely gone wrong, but why can it still return normally?
After returning, the MessageBoxA call at 10009B73 fails again, and at 10009B7A it returns to an incorrect address, and the program crashes.
Where is the mistake?
I'm not sure I have described the problem clearly; could the experienced people passing by please point out where the stack goes wrong?
Attached: the code for 1000F107 |. E8 10000000 call Regula_1.1000F11C
is as follows:
1000F11C /$ E8 3F000000 call Regula_1.1000F160
1000F121 |. 05 3F4F0000 add eax,4F3F
1000F126 |. E8 39000000 call Regula_1.1000F164
1000F12B |. 8BF8 mov edi,eax
1000F12D |. 85C0 test eax,eax
1000F12F |. 74 0F je short Regula_1.1000F142
1000F131 |. E8 2A000000 call Regula_1.1000F160
1000F136 |. 05 3A4F0000 add eax,4F3A
1000F13B |. E8 32000000 call Regula_1.1000F172
1000F140 |> FFD0 call eax
1000F142 \. C3 retn
................
1000F160 /$ 8B0424 mov eax,dword ptr ss:[esp]
1000F163 \. C3 retn
1000F164 /$ 50 push eax
1000F165 |. E8 F6FFFFFF call Regula_1.1000F160
1000F16A |. 05 22100000 add eax,1022
1000F16F |. FF10 call dword ptr ds:[eax] ; kernel32.LoadLibraryA
1000F171 \. C3 retn
1000F172 /$ 50 push eax
1000F173 |. 57 push edi
1000F174 |. E8 E7FFFFFF call Regula_1.1000F160
1000F179 |. 05 43100000 add eax,1043
1000F17E |. FF10 call dword ptr ds:[eax] ; kernel32.GetProcAddress
1000F180 \. C3 retn
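A small model of the 32-bit stack effects of this detour, added here as an example; it is not part of the post. The addresses are taken from the listing above, while the argument values, the initial esp, the register contents and the `simulate()`/`run()` helpers are constructed for the model, and the `FIXED_TRAMPOLINE` at the end is my own suggested replacement for the two overwritten instructions, not something the post contains. The model reproduces the symptoms the post describes: with the posted trampoline, `mov eax,[esp+8]` picks up the first argument instead of the second, and the final `retn 0C` at 10009B7A returns into an argument value. It also shows why the trampoline's own `retn` still lands on 10009B50: `push esi` followed by `add esp,4` cancel each other, so esp points at the return address again, but the stack slot that the original `push esi` would have created is never made, and `pop esi` at 10009B79 later pops the caller's return address instead.

```python
"""Stack model of the detour at 10009B4B (added example, not the poster's code).
Only stack-affecting instructions are modelled; the branches and the
mov ecx,[esi+1C] load at 10009B66, which do not touch esp, are left out."""

from dataclasses import dataclass, field

# constructed sample values (not from the post)
RET_TO_CALLER = 0x00401234   # return address pushed by whoever calls 10009B4B
ARG1, ARG2, ARG3 = 0x11111111, 0x22222222, 0x33333333   # Text, Title, Style
CALLER_SLOT = 0x44444444     # first dword above the arguments, in the caller's frame
ESI_IN = 0x5E5E5E5E          # esi on entry to 10009B4B
# addresses from the listing
MSGBOX_RET = 0x10009B79      # return address of the MessageBoxA call at 10009B73
DETOUR_RET = 0x10009B50      # return address pushed by the patched call at 10009B4B
HELPER_RET = 0x1000F10C      # return address of the call at 1000F107


@dataclass
class Cpu:
    esp: int
    eip: int = 0
    regs: dict = field(default_factory=dict)
    mem: dict = field(default_factory=dict)

    def push(self, v):
        self.esp -= 4
        self.mem[self.esp] = v

    def pop(self):
        v = self.mem[self.esp]
        self.esp += 4
        return v

    def load(self, off):
        return self.mem[self.esp + off]


def run(cpu, seq):
    """Execute instruction tuples. 'call' pushes its return address and runs the
    callee sequence in place; the callee's 'retn' pops it back into eip."""
    for op, *a in seq:
        if op == "push_reg":      cpu.push(cpu.regs[a[0]])
        elif op == "pop_reg":     cpu.regs[a[0]] = cpu.pop()
        elif op == "push_mem":    cpu.push(cpu.load(a[0]))                    # push dword ptr [esp+off]
        elif op == "mov_reg_mem": cpu.regs[a[0]] = cpu.load(a[1])            # mov reg,[esp+off]
        elif op == "mov_mem_reg": cpu.mem[cpu.esp + a[0]] = cpu.regs[a[1]]   # mov [esp+off],reg
        elif op == "add_esp":     cpu.esp += a[0]
        elif op == "call":        cpu.push(a[0]); run(cpu, a[1])
        elif op == "retn":        cpu.eip = cpu.pop(); cpu.esp += a[0]
        else: raise ValueError(op)
    return cpu


# 10009B69..10009B7A, shared by every variant: four MessageBoxA arguments,
# the stdcall callee (retn 10 removes them), then pop esi / retn 0C.
TAIL = [
    ("push_mem", 0x10), ("push_reg", "eax"), ("push_mem", 0x10), ("push_reg", "ecx"),
    ("call", MSGBOX_RET, [("retn", 0x10)]),
    ("pop_reg", "esi"),
    ("retn", 0x0C),
]

# The two instructions at 10009B4B/10009B4F that the 5-byte call overwrites.
ORIGINAL_ENTRY = [("mov_reg_mem", "eax", 8), ("push_reg", "esi")]

# The trampoline at 1000F100 as posted. The LoadLibraryA/GetProcAddress helper
# at 1000F11C leaves esp balanced, so it is modelled as an empty stdcall callee.
SAVE = [("push_reg", r) for r in ("eax", "ebx", "ecx", "edx", "ebp", "esi", "edi")]
RESTORE = [("pop_reg", r) for r in ("edi", "esi", "ebp", "edx", "ecx", "ebx", "eax")]
POSTED_TRAMPOLINE = SAVE + [("call", HELPER_RET, [("retn", 0)])] + RESTORE + [
    ("mov_reg_mem", "eax", 8),   # reads [esp+8], but the detour call pushed 4 more bytes
    ("push_reg", "esi"),
    ("add_esp", 4),              # undoes the push esi just made
    ("retn", 0),
]

# Suggested replacement (assumption, not from the post): reproduce the two
# overwritten instructions exactly, accounting for the extra return address.
FIXED_TRAMPOLINE = [
    ("mov_reg_mem", "eax", 0xC),  # original [esp+8] sits at [esp+0C] under the return address
    ("push_mem", 0),              # push dword ptr [esp]: duplicate the return address
    ("mov_mem_reg", 4, "esi"),    # mov [esp+4],esi: the lower copy becomes the pushed esi
    ("retn", 0),                  # leaves [esi][arg1][arg2][arg3], exactly as push esi would
]


def fresh_cpu():
    cpu = Cpu(esp=0x0019FF00, regs={"eax": 0, "ebx": 0, "ecx": 0xC0C0C0C0, "edx": 0,
                                    "ebp": 0, "esi": ESI_IN, "edi": 0})
    cpu.push(CALLER_SLOT)
    for v in (ARG3, ARG2, ARG1, RET_TO_CALLER):   # caller pushes right-to-left, then calls
        cpu.push(v)
    return cpu


def simulate(trampoline=None):
    """Run the function at 10009B4B, unpatched (None) or detoured through `trampoline`.
    Returns (eax after the first instruction, value popped into esi, final eip)."""
    cpu = fresh_cpu()
    run(cpu, ORIGINAL_ENTRY if trampoline is None else [("call", DETOUR_RET, trampoline)])
    eax = cpu.regs["eax"]
    run(cpu, TAIL)
    return eax, cpu.regs["esi"], cpu.eip


if __name__ == "__main__":
    for name, tr in (("original", None), ("posted", POSTED_TRAMPOLINE), ("fixed", FIXED_TRAMPOLINE)):
        eax, esi, eip = simulate(tr)
        print(f"{name:8s} eax={eax:08X}  pop esi -> {esi:08X}  retn 0C -> {eip:08X}")
```

Running it shows the unpatched function returning to `RET_TO_CALLER` with `eax` holding the second argument, the posted trampoline returning to `ARG1` with the caller's return address popped into esi, and the replacement trampoline matching the unpatched behaviour. The general rule the model illustrates is that a detour must end with the same esp and the same stack contents that the overwritten instructions would have produced; the saved/restored registers around the helper call are balanced, but the two bytes `push esi` / `add esp,4` net to nothing while the original code owes one pushed dword.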