[求助]修改函数返回值,hook hook一会就出错了-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]修改函数返回值,hook hook一会就出错了 0.00雪花

发表于: 2008-3-8 08:19 4267

[旧帖] [求助]修改函数返回值,hook hook一会就出错了 0.00雪花

roben

2008-3-8 08:19

4267

// 转入处理程序
//recv
//71A2615A >  8BFF          MOV EDI,EDI
//71A2615C 55             PUSH EBP
//71A2615D 8BEC          MOV EBP,ESP
//71A2615F 83EC 10       SUB ESP,10
//71A26162 53             PUSH EBX
//71A26163 33DB          XOR EBX,EBX
//71A26165 813D 2840A371 4>CMP DWORD PTR DS:[71A34028],WS2_32.71A29>
//71A2616F 56             PUSH ESI
//71A26170 0F84 5E500000 JE WS2_32.71A2B1D4
//71A26176 8D45 F8       LEA EAX,DWORD PTR SS:[EBP-8]
//71A26179 50             PUSH EAX

//send
//71A2428A >  8BFF          MOV EDI,EDI
//71A2428C 55             PUSH EBP
//71A2428D 8BEC          MOV EBP,ESP
//71A2428F 83EC 10       SUB ESP,10
//71A24292 56             PUSH ESI
//71A24293 57             PUSH EDI
//71A24294 33FF          XOR EDI,EDI
//71A24296 813D 2840A371 4>CMP DWORD PTR DS:[71A34028],WS2_32.71A29>

DWORD jmp_next_address_recv = 0x71A26162;
DWORD jmp_next_address_send = 0x71A24292;

BYTE btOldRecvBytes[5];
BYTE btOldSendBytes[5];

DWORD old_adress_recv = 0x71A2615D;
DWORD old_adress_send = 0x71A2428D;

DWORD ret_addres_recv = 0;
DWORD ret_addres_send = 0;
DWORD inbuf_recv  = 0;
DWORD inbuf_send  = 0;
DWORD inbuf_recv_longth = 0;
DWORD inbuf_send_longth = 0;

HANDLE hFile = INVALID_HANDLE_VALUE;

void __stdcall PrintBin(unsigned char* pBuf, int u32Len)
{
if(u32Len <= 0)
return;
unsigned row_len = 16;
unsigned int hexlen = 0;
static unsigned char strHex[1024*1024];
memset(strHex,0,sizeof(strHex));
unsigned int row = u32Len / row_len ;

unsigned int count = 0 ;

for (unsigned int i = 0; i < row; i++)
{
// Output Hex value

unsigned char a;
unsigned char b;

for (unsigned j = 0; j < row_len; j++,hexlen+=3)
{
a = pBuf[count + j];
b = a&0x0F;
a = a>>4;
if(a>9)
{
strHex[hexlen] = 'a' + (a-10);
}
else
{
strHex[hexlen] = '0' + (a-0);
}
if(b>9)
{
strHex[hexlen+1] = 'a' + (b-10);
}
else
{
strHex[hexlen+1] = '0' + (b-0);
}
strHex[hexlen+2] = ' ';
}

strHex[hexlen] = '\t';
hexlen++;

// Output ASCII value

for (unsigned int k = 0; k < row_len; k++,hexlen++)
{
if((pBuf[count + k] < 32) || (pBuf[count + k] >= 127) )
{
strHex[hexlen] = '.';
}
else
{
strHex[hexlen] = pBuf[count + k];
}
}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;
count += row_len ;
}

// Then we should output the rest
unsigned int rest = u32Len % row_len ;
if (rest != 0)
{
// Output Hex value

unsigned char a;
unsigned char b;

for (unsigned int i = 0; i < rest; i++,hexlen+=3)
{
a = pBuf[count + i];
b = a&0x0F;
a = a>>4;
if(a>9)
strHex[hexlen] = 'a' + (a-10);
else
strHex[hexlen] = '0' + (a-0);
if(b>9)
strHex[hexlen+1] = 'a' + (b-10);
else
strHex[hexlen+1] = '0' + (b-0);
strHex[hexlen+2] = ' ';
}
//          // Calculate how many ' ' we should output
unsigned int space_num = row_len*3 - rest*3;
for (unsigned int j = 0; j < space_num; j++,hexlen++)
{
strHex[hexlen] = ' ';
}
strHex[hexlen] = '\t';
hexlen++;
for (unsigned int k = 0; k < rest; k++,hexlen++)
{
if((pBuf[count + k] < 32) || (pBuf[count + k] >= 127))
{
strHex[hexlen] = '.';
}
else
{
strHex[hexlen] = pBuf[count + k];
}
}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;

}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;
if(hFile != INVALID_HANDLE_VALUE)
{
DWORD BytesOfWrited;
char achTemp[256];
memset(achTemp,0,sizeof(achTemp));
SYSTEMTIME stTime ;
::GetLocalTime(&stTime) ;
DWORD dwtime =timeGetTime();

sprintf(achTemp, "%d-%d-%d %d:%d:%d %x--",
stTime.wYear, stTime.wMonth, stTime.wDay,
stTime.wHour, stTime.wMinute, stTime.wSecond,dwtime);
strcat(achTemp,"Recv\r\n");
WriteFile(hFile,achTemp,strlen(achTemp),&BytesOfWrited,NULL);
WriteFile(hFile,strHex,hexlen,&BytesOfWrited,NULL);
}
}

void __stdcall PrintBin01(unsigned char* pBuf, int u32Len)
{
if(u32Len <= 0)
return;
unsigned row_len = 16;
unsigned int hexlen = 0;
static unsigned char strHex[1024*1024];
memset(strHex,0,sizeof(strHex));
unsigned int row = u32Len / row_len ;
unsigned int count = 0 ;

for (unsigned int i = 0; i < row; i++)
{
// Output Hex value

unsigned char a;
unsigned char b;

for (unsigned j = 0; j < row_len; j++,hexlen+=3)
{
a = pBuf[count + j];
b = a&0x0F;
a = a>>4;
if(a>9)
{
strHex[hexlen] = 'a' + (a-10);
}
else
{
strHex[hexlen] = '0' + (a-0);
}
if(b>9)
{
strHex[hexlen+1] = 'a' + (b-10);
}
else
{
strHex[hexlen+1] = '0' + (b-0);
}
strHex[hexlen+2] = ' ';
}

strHex[hexlen] = '\t';
hexlen++;

// Output ASCII value

for (unsigned int k = 0; k < row_len; k++,hexlen++)
{
if((pBuf[count + k] < 32) || (pBuf[count + k] >= 127) )
{
strHex[hexlen] = '.';
}
else
{
strHex[hexlen] = pBuf[count + k];
}
}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;
count += row_len ;
}

// Then we should output the rest
unsigned int rest = u32Len % row_len ;
if (rest != 0)
{
// Output Hex value

unsigned char a;
unsigned char b;

for (unsigned int i = 0; i < rest; i++,hexlen+=3)
{
a = pBuf[count + i];
b = a&0x0F;
a = a>>4;
if(a>9)
strHex[hexlen] = 'a' + (a-10);
else
strHex[hexlen] = '0' + (a-0);
if(b>9)
strHex[hexlen+1] = 'a' + (b-10);
else
strHex[hexlen+1] = '0' + (b-0);
strHex[hexlen+2] = ' ';
}
//          // Calculate how many ' ' we should output
unsigned int space_num = row_len*3 - rest*3;
for (unsigned int j = 0; j < space_num; j++,hexlen++)
{
strHex[hexlen] = ' ';
}
strHex[hexlen] = '\t';
hexlen++;
for (unsigned int k = 0; k < rest; k++,hexlen++)
{
if((pBuf[count + k] < 32) || (pBuf[count + k] >= 127))
{
strHex[hexlen] = '.';
}
else
{
strHex[hexlen] = pBuf[count + k];
}
}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;

}
strHex[hexlen] = '\r';
hexlen++;
strHex[hexlen] = '\n';
hexlen++;
if(hFile != INVALID_HANDLE_VALUE)
{
DWORD BytesOfWrited;
char achTemp[256];
memset(achTemp,0,sizeof(achTemp));
SYSTEMTIME stTime ;
::GetLocalTime(&stTime) ;

DWORD dwtime =timeGetTime();

sprintf(achTemp, "%d-%d-%d %d:%d:%d %x--",
stTime.wYear, stTime.wMonth, stTime.wDay,
stTime.wHour, stTime.wMinute, stTime.wSecond,dwtime);
strcat(achTemp,"Send\r\n");
WriteFile(hFile,achTemp,strlen(achTemp),&BytesOfWrited,NULL);
WriteFile(hFile,strHex,hexlen,&BytesOfWrited,NULL);
}
}
void __declspec(naked) MyRecv()
{
__asm
{
push eax
mov eax,DWORD PTR [esp+0x08]
mov ret_addres_recv,eax
mov eax,offset recvret
mov DWORD PTR [esp+0x08],eax
mov eax,dword ptr [esp+0x10]
mov inbuf_recv,eax
pop eax
mov ebp,esp
sub esp,0x10
jmp jmp_next_address_recv
recvret:
mov inbuf_recv_longth,eax
pushad
push inbuf_recv_longth
      push inbuf_recv
call PrintBin
popad
push ret_addres_recv
ret
}

}
void __declspec(naked) MySend()
{
//保存现场
__asm
{
push eax
mov eax,DWORD PTR [esp+0x08]
mov ret_addres_send,eax
mov eax,offset sendret
mov DWORD PTR [esp+0x08],eax
mov eax,dword ptr [esp+0x10]
mov inbuf_send,eax
pop eax
mov ebp,esp
sub esp,0x10
jmp jmp_next_address_send
sendret:
mov inbuf_send_longth,eax
pushad
push inbuf_send_longth
      push inbuf_send
call PrintBin01
popad
push ret_addres_send
ret
}
}

void __stdcall InitRecv()
{
HANDLE hGame = GetCurrentProcess();

DWORD dwCodeSize = 0;

ReadProcessMemory(hGame, (void *)old_adress_recv, (void *)btOldRecvBytes, sizeof(btOldRecvBytes), &dwCodeSize);

BYTE btNewBytes[5] = {0xe9,0x00,0x00,0x00,0x00 };

*(DWORD *)( btNewBytes + 1) = (DWORD)MyRecv-old_adress_recv-5;

dwCodeSize = 0;

DWORD fNew, fOld;

fNew = PAGE_READWRITE;

VirtualProtect((void*)old_adress_recv, sizeof(btOldRecvBytes), fNew, &fOld);

WriteProcessMemory(hGame, (void *)old_adress_recv, (void *)btNewBytes, sizeof(btOldRecvBytes), &dwCodeSize);

VirtualProtect((void*)old_adress_recv, sizeof(btOldRecvBytes), fOld, &fNew);

}
void __stdcall InitSend()
{
HANDLE hGame = GetCurrentProcess();

DWORD dwCodeSize = 0;

ReadProcessMemory(hGame, (void *)old_adress_send, (void *)btOldSendBytes, sizeof(btOldSendBytes), &dwCodeSize);

BYTE btNewBytes[5] = {0xe9,0x00,0x00,0x00,0x00};

*(DWORD *)( btNewBytes + 1) = (DWORD)MySend-old_adress_send-5;

dwCodeSize = 0;

DWORD fNew, fOld;

fNew = PAGE_READWRITE;

VirtualProtect((void*)old_adress_send, sizeof(btOldSendBytes), fNew, &fOld);

WriteProcessMemory(hGame, (void *)old_adress_send, (void *)btNewBytes, sizeof(btOldSendBytes), &dwCodeSize);

VirtualProtect((void*)old_adress_send, sizeof(btOldSendBytes), fOld, &fNew);

}
void InitHook()
{
const char *filename = "f:\\01.txt";
hFile = CreateFile(filename, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
InitRecv();
//InitSend();
}

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (4)
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 2 楼我问的问题真是没有一个人回答啊. 2008-3-8 08:59 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 3 楼没有人吗?问下这种思路可行不. 2008-3-8 09:08 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 4 楼呵呵.论坛里是不是都是女人,今天过节去了。 2008-3-8 09:13 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 5 楼真的不明白什么问题,有时候一点问题也没有,有时候咚死瞧瞧了 2008-3-8 15:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

roben

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 2 楼我问的问题真是没有一个人回答啊. 2008-3-8 08:59 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 3 楼没有人吗?问下这种思路可行不. 2008-3-8 09:08 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 4 楼呵呵.论坛里是不是都是女人,今天过节去了。 2008-3-8 09:13 0
roben 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 5 回帖 23 粉丝 0 关注私信	roben 5 楼真的不明白什么问题,有时候一点问题也没有,有时候咚死瞧瞧了 2008-3-8 15:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复