// 转入处理程序
//recv
//71A2615A > 8BFF MOV EDI,EDI
//71A2615C 55 PUSH EBP
//71A2615D 8BEC MOV EBP,ESP
//71A2615F 83EC 10 SUB ESP,10
//71A26162 53 PUSH EBX
//71A26163 33DB XOR EBX,EBX
//71A26165 813D 2840A371 4>CMP DWORD PTR DS:[71A34028],WS2_32.71A29>
//71A2616F 56 PUSH ESI
//71A26170 0F84 5E500000 JE WS2_32.71A2B1D4
//71A26176 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
//71A26179 50 PUSH EAX
//send
//71A2428A > 8BFF MOV EDI,EDI
//71A2428C 55 PUSH EBP
//71A2428D 8BEC MOV EBP,ESP
//71A2428F 83EC 10 SUB ESP,10
//71A24292 56 PUSH ESI
//71A24293 57 PUSH EDI
//71A24294 33FF XOR EDI,EDI
//71A24296 813D 2840A371 4>CMP DWORD PTR DS:[71A34028],WS2_32.71A29>
// ---- hook state ------------------------------------------------------------
// Every address below is hard-coded from the WS2_32.dll listing above and is
// only meaningful for that exact DLL build at that load address. On any other
// build the bytes at these addresses are not the recv/send prologue, and the
// JMP written by InitRecv/InitSend would land on unrelated code.

// First instruction after the 5 patched bytes (the SUB ESP,10h at 71A2615F /
// 71A2428F is 3 bytes long). MyRecv/MySend jump back here after re-executing
// the displaced MOV EBP,ESP / SUB ESP,10h themselves.
DWORD jmp_next_address_recv = 0x71A26162;
DWORD jmp_next_address_send = 0x71A24292;
// Original 5 bytes at each patch site, saved by InitRecv/InitSend. Nothing in
// this file writes them back, i.e. there is no unhook path here.
BYTE btOldRecvBytes[5];
BYTE btOldSendBytes[5];
// Patch site: the MOV EBP,ESP that follows recv's/send's MOV EDI,EDI; PUSH EBP.
// (The spelling "adress" is kept because inline asm references these names.)
DWORD old_adress_recv = 0x71A2615D;
DWORD old_adress_send = 0x71A2428D;
// Return address of recv's/send's caller, captured by MyRecv/MySend and used
// to return there after logging. A single global slot: two threads inside
// recv (or send) at the same time overwrite each other's value.
DWORD ret_addres_recv = 0;
DWORD ret_addres_send = 0;
// Second argument of recv/send (the data buffer), captured on entry.
DWORD inbuf_recv = 0;
DWORD inbuf_send = 0;
// EAX on return from recv/send: bytes transferred, or SOCKET_ERROR, which
// PrintBin/PrintBin01 reject because it arrives as u32Len <= 0.
DWORD inbuf_recv_longth = 0;
DWORD inbuf_send_longth = 0;
// Log file opened by InitHook; PrintBin/PrintBin01 write only while it is valid.
HANDLE hFile = INVALID_HANDLE_VALUE;
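// Append a hex + ASCII dump of pBuf[0..u32Len) to the log file hFile, tagged "Recv".
//
// Layout per 16-byte row: 16 x "xx ", a tab, 16 characters (printable 7-bit
// ASCII as-is, anything else as '.'), then "\r\n". A short final row has its
// hex column padded with spaces so the ASCII column stays aligned. The record
// ends with an extra "\r\n" and is preceded by a timestamp header line.
//
// pBuf   - bytes to dump; not modified. NULL is treated like an empty buffer.
// u32Len - number of bytes; values <= 0 write nothing.
//
// The dump is built in a 1 MiB static buffer. Input longer than that buffer
// can hold is truncated (the tail is dropped and the header says so) instead
// of running past the end of the buffer. Every byte up to hexlen is written
// explicitly, so the buffer is not cleared beforehand.
//
// NOTE(review): strHex and hFile are shared state. If the hooked process calls
// recv from several threads at once, records would interleave — confirm.
void __stdcall PrintBin(unsigned char* pBuf, int u32Len)
{
    if (pBuf == NULL || u32Len <= 0)
        return;

    static const char kHexDigits[] = "0123456789abcdef";
    const unsigned row_len = 16;
    // Output bytes produced by one full row: hex column, tab, ASCII column, CRLF.
    const unsigned row_out = row_len * 3 + 1 + row_len + 2;
    static unsigned char strHex[1024 * 1024];
    // Largest input (in whole rows) whose dump plus the trailing CRLF fits in
    // strHex. A partial row emits fewer bytes than a full one, so this is safe.
    const unsigned max_input = ((sizeof(strHex) - 2) / row_out) * row_len;

    unsigned len = (unsigned)u32Len;
    if (len > max_input)
        len = max_input;

    unsigned hexlen = 0;
    for (unsigned pos = 0; pos < len; pos += row_len)
    {
        unsigned n = len - pos;
        if (n > row_len)
            n = row_len;

        // Hex column.
        for (unsigned j = 0; j < n; j++, hexlen += 3)
        {
            unsigned char c = pBuf[pos + j];
            strHex[hexlen]     = kHexDigits[c >> 4];
            strHex[hexlen + 1] = kHexDigits[c & 0x0F];
            strHex[hexlen + 2] = ' ';
        }
        // Pad a short last row so the ASCII column lines up with full rows.
        for (unsigned j = n; j < row_len; j++, hexlen += 3)
        {
            strHex[hexlen] = strHex[hexlen + 1] = strHex[hexlen + 2] = ' ';
        }
        strHex[hexlen++] = '\t';

        // ASCII column.
        for (unsigned k = 0; k < n; k++, hexlen++)
        {
            unsigned char c = pBuf[pos + k];
            strHex[hexlen] = (c < 32 || c >= 127) ? '.' : c;
        }
        strHex[hexlen++] = '\r';
        strHex[hexlen++] = '\n';
    }
    strHex[hexlen++] = '\r';
    strHex[hexlen++] = '\n';

    if (hFile == INVALID_HANDLE_VALUE)
        return;

    // Header: local date/time, millisecond tick in hex, direction tag.
    // achTemp is far larger than the longest header this format can produce,
    // so the sprintf is bounded. Writes are best-effort; failures are ignored.
    DWORD BytesOfWrited = 0;
    char achTemp[256];
    SYSTEMTIME stTime;
    ::GetLocalTime(&stTime);
    DWORD dwtime = timeGetTime();
    sprintf(achTemp, "%d-%d-%d %d:%d:%d %x--Recv%s",
            stTime.wYear, stTime.wMonth, stTime.wDay,
            stTime.wHour, stTime.wMinute, stTime.wSecond, dwtime,
            len != (unsigned)u32Len ? " (truncated)\r\n" : "\r\n");
    WriteFile(hFile, achTemp, (DWORD)strlen(achTemp), &BytesOfWrited, NULL);
    WriteFile(hFile, strHex, hexlen, &BytesOfWrited, NULL);
}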
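// Append a hex + ASCII dump of pBuf[0..u32Len) to the log file hFile, tagged "Send".
//
// Layout per 16-byte row: 16 x "xx ", a tab, 16 characters (printable 7-bit
// ASCII as-is, anything else as '.'), then "\r\n". A short final row has its
// hex column padded with spaces so the ASCII column stays aligned. The record
// ends with an extra "\r\n" and is preceded by a timestamp header line.
//
// pBuf   - bytes to dump; not modified. NULL is treated like an empty buffer.
// u32Len - number of bytes; values <= 0 write nothing.
//
// The dump is built in a 1 MiB static buffer. Input longer than that buffer
// can hold is truncated (the tail is dropped and the header says so) instead
// of running past the end of the buffer. Every byte up to hexlen is written
// explicitly, so the buffer is not cleared beforehand.
//
// NOTE(review): strHex and hFile are shared state. If the hooked process calls
// send from several threads at once, records would interleave — confirm.
void __stdcall PrintBin01(unsigned char* pBuf, int u32Len)
{
    if (pBuf == NULL || u32Len <= 0)
        return;

    static const char kHexDigits[] = "0123456789abcdef";
    const unsigned row_len = 16;
    // Output bytes produced by one full row: hex column, tab, ASCII column, CRLF.
    const unsigned row_out = row_len * 3 + 1 + row_len + 2;
    static unsigned char strHex[1024 * 1024];
    // Largest input (in whole rows) whose dump plus the trailing CRLF fits in
    // strHex. A partial row emits fewer bytes than a full one, so this is safe.
    const unsigned max_input = ((sizeof(strHex) - 2) / row_out) * row_len;

    unsigned len = (unsigned)u32Len;
    if (len > max_input)
        len = max_input;

    unsigned hexlen = 0;
    for (unsigned pos = 0; pos < len; pos += row_len)
    {
        unsigned n = len - pos;
        if (n > row_len)
            n = row_len;

        // Hex column.
        for (unsigned j = 0; j < n; j++, hexlen += 3)
        {
            unsigned char c = pBuf[pos + j];
            strHex[hexlen]     = kHexDigits[c >> 4];
            strHex[hexlen + 1] = kHexDigits[c & 0x0F];
            strHex[hexlen + 2] = ' ';
        }
        // Pad a short last row so the ASCII column lines up with full rows.
        for (unsigned j = n; j < row_len; j++, hexlen += 3)
        {
            strHex[hexlen] = strHex[hexlen + 1] = strHex[hexlen + 2] = ' ';
        }
        strHex[hexlen++] = '\t';

        // ASCII column.
        for (unsigned k = 0; k < n; k++, hexlen++)
        {
            unsigned char c = pBuf[pos + k];
            strHex[hexlen] = (c < 32 || c >= 127) ? '.' : c;
        }
        strHex[hexlen++] = '\r';
        strHex[hexlen++] = '\n';
    }
    strHex[hexlen++] = '\r';
    strHex[hexlen++] = '\n';

    if (hFile == INVALID_HANDLE_VALUE)
        return;

    // Header: local date/time, millisecond tick in hex, direction tag.
    // achTemp is far larger than the longest header this format can produce,
    // so the sprintf is bounded. Writes are best-effort; failures are ignored.
    DWORD BytesOfWrited = 0;
    char achTemp[256];
    SYSTEMTIME stTime;
    ::GetLocalTime(&stTime);
    DWORD dwtime = timeGetTime();
    sprintf(achTemp, "%d-%d-%d %d:%d:%d %x--Send%s",
            stTime.wYear, stTime.wMonth, stTime.wDay,
            stTime.wHour, stTime.wMinute, stTime.wSecond, dwtime,
            len != (unsigned)u32Len ? " (truncated)\r\n" : "\r\n");
    WriteFile(hFile, achTemp, (DWORD)strlen(achTemp), &BytesOfWrited, NULL);
    WriteFile(hFile, strHex, hexlen, &BytesOfWrited, NULL);
}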
// Detour for WS2_32!recv. Control arrives here through the 5-byte JMP that
// InitRecv writes over "MOV EBP,ESP / SUB ESP,10h" (see the listing at the
// top of the file), i.e. after recv's own "MOV EDI,EDI / PUSH EBP" has run.
//
// Stack on entry (recv's stdcall frame, EBP already pushed):
//   [esp]      saved EBP        [esp+0x04] return address to recv's caller
//   [esp+0x08] socket           [esp+0x0C] buf
//   [esp+0x10] len              [esp+0x14] flags
// After the "push eax" below every offset grows by 4, which is why the return
// address is read at [esp+0x08] and buf at [esp+0x10].
//
// The caller's return address is swapped for "recvret", the two displaced
// instructions are re-executed, and execution jumps back into recv. When recv
// returns (EAX = byte count, or SOCKET_ERROR), recvret logs the buffer through
// PrintBin and returns to the original caller. recv's own "ret 10h" has already
// popped its arguments by then, so the caller's stack is untouched.
//
// NOTE(review): ret_addres_recv and inbuf_recv are single global slots; two
// threads inside recv at the same time clobber each other's saved return
// address. Confirm the hooked process calls recv from one thread only.
void __declspec(naked) MyRecv()
{
__asm
{
push eax                                // scratch register; restored below
mov eax,DWORD PTR [esp+0x08]            // caller's return address
mov ret_addres_recv,eax
mov eax,offset recvret                  // make recv return into this hook
mov DWORD PTR [esp+0x08],eax
mov eax,dword ptr [esp+0x10]            // recv's 2nd argument: the data buffer
mov inbuf_recv,eax
pop eax
mov ebp,esp                             // re-execute the two overwritten instructions
sub esp,0x10
jmp jmp_next_address_recv               // resume recv right after the patch site
recvret:
mov inbuf_recv_longth,eax               // EAX = recv's return value (byte count)
pushad                                  // preserve all GPRs around the logging call
push inbuf_recv_longth                  // stdcall: args pushed right-to-left
push inbuf_recv
call PrintBin
popad                                   // restores EAX, i.e. recv's result
push ret_addres_recv
ret                                     // back to recv's original caller
}
}
// Detour for WS2_32!send; mirror image of MyRecv. Control arrives here through
// the 5-byte JMP that InitSend writes over "MOV EBP,ESP / SUB ESP,10h" (see
// the listing at the top of the file), after send's "MOV EDI,EDI / PUSH EBP".
//
// Stack on entry (send's stdcall frame, EBP already pushed):
//   [esp]      saved EBP        [esp+0x04] return address to send's caller
//   [esp+0x08] socket           [esp+0x0C] buf
//   [esp+0x10] len              [esp+0x14] flags
// After the "push eax" below every offset grows by 4, which is why the return
// address is read at [esp+0x08] and buf at [esp+0x10].
//
// The caller's return address is swapped for "sendret", the two displaced
// instructions are re-executed, and execution jumps back into send. When send
// returns (EAX = bytes sent, or SOCKET_ERROR), sendret logs the buffer through
// PrintBin01 and returns to the original caller.
//
// NOTE(review): ret_addres_send and inbuf_send are single global slots; two
// threads inside send at the same time clobber each other's saved return
// address. Confirm the hooked process calls send from one thread only.
void __declspec(naked) MySend()
{
// Save the caller's state (return address, buffer pointer) before re-entering send.
__asm
{
push eax                                // scratch register; restored below
mov eax,DWORD PTR [esp+0x08]            // caller's return address
mov ret_addres_send,eax
mov eax,offset sendret                  // make send return into this hook
mov DWORD PTR [esp+0x08],eax
mov eax,dword ptr [esp+0x10]            // send's 2nd argument: the data buffer
mov inbuf_send,eax
pop eax
mov ebp,esp                             // re-execute the two overwritten instructions
sub esp,0x10
jmp jmp_next_address_send               // resume send right after the patch site
sendret:
mov inbuf_send_longth,eax               // EAX = send's return value (byte count)
pushad                                  // preserve all GPRs around the logging call
push inbuf_send_longth                  // stdcall: args pushed right-to-left
push inbuf_send
call PrintBin01
popad                                   // restores EAX, i.e. send's result
push ret_addres_send
ret                                     // back to send's original caller
}
}
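// Install the recv hook: save the 5 bytes at old_adress_recv into
// btOldRecvBytes and overwrite them with a relative JMP to MyRecv.
//
// The patch site must contain exactly the instructions MyRecv re-executes
// (8B EC = MOV EBP,ESP, 83 EC 10 = SUB ESP,10h — see the WS2_32 listing at the
// top of the file). If the bytes read back differ, this is not the DLL build
// the addresses were taken from and nothing is written, because a JMP planted
// over other code would corrupt the process. Every API result is checked and
// the function stops at the first failure, leaving the target unmodified.
//
// NOTE(review): the page is flipped to PAGE_READWRITE while the patch is
// written, so another thread executing recv in that window would fault on
// a non-executable page — confirm the hook is installed before any socket
// traffic starts.
void __stdcall InitRecv()
{
    // Expected bytes at old_adress_recv: MOV EBP,ESP / SUB ESP,10h.
    static const BYTE kExpected[5] = { 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

    HANDLE hGame = GetCurrentProcess();
    SIZE_T dwCodeSize = 0;
    if (!ReadProcessMemory(hGame, (void *)old_adress_recv, (void *)btOldRecvBytes,
                           sizeof(btOldRecvBytes), &dwCodeSize)
        || dwCodeSize != sizeof(btOldRecvBytes))
        return;
    if (memcmp(btOldRecvBytes, kExpected, sizeof(kExpected)) != 0)
        return;                                 // not the build this hook was written for

    // E9 rel32: displacement is measured from the end of the 5-byte JMP.
    BYTE btNewBytes[5] = { 0xe9, 0x00, 0x00, 0x00, 0x00 };
    *(DWORD *)(btNewBytes + 1) = (DWORD)MyRecv - old_adress_recv - 5;

    DWORD fOld = 0, fNew = 0;
    if (!VirtualProtect((void *)old_adress_recv, sizeof(btOldRecvBytes), PAGE_READWRITE, &fOld))
        return;
    dwCodeSize = 0;
    WriteProcessMemory(hGame, (void *)old_adress_recv, (void *)btNewBytes,
                       sizeof(btNewBytes), &dwCodeSize);
    // Restore the original protection regardless of whether the write succeeded.
    VirtualProtect((void *)old_adress_recv, sizeof(btOldRecvBytes), fOld, &fNew);
}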
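// Install the send hook: save the 5 bytes at old_adress_send into
// btOldSendBytes and overwrite them with a relative JMP to MySend.
//
// The patch site must contain exactly the instructions MySend re-executes
// (8B EC = MOV EBP,ESP, 83 EC 10 = SUB ESP,10h — see the WS2_32 listing at the
// top of the file). If the bytes read back differ, this is not the DLL build
// the addresses were taken from and nothing is written, because a JMP planted
// over other code would corrupt the process. Every API result is checked and
// the function stops at the first failure, leaving the target unmodified.
//
// NOTE(review): the page is flipped to PAGE_READWRITE while the patch is
// written, so another thread executing send in that window would fault on
// a non-executable page — confirm the hook is installed before any socket
// traffic starts.
void __stdcall InitSend()
{
    // Expected bytes at old_adress_send: MOV EBP,ESP / SUB ESP,10h.
    static const BYTE kExpected[5] = { 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

    HANDLE hGame = GetCurrentProcess();
    SIZE_T dwCodeSize = 0;
    if (!ReadProcessMemory(hGame, (void *)old_adress_send, (void *)btOldSendBytes,
                           sizeof(btOldSendBytes), &dwCodeSize)
        || dwCodeSize != sizeof(btOldSendBytes))
        return;
    if (memcmp(btOldSendBytes, kExpected, sizeof(kExpected)) != 0)
        return;                                 // not the build this hook was written for

    // E9 rel32: displacement is measured from the end of the 5-byte JMP.
    BYTE btNewBytes[5] = { 0xe9, 0x00, 0x00, 0x00, 0x00 };
    *(DWORD *)(btNewBytes + 1) = (DWORD)MySend - old_adress_send - 5;

    DWORD fOld = 0, fNew = 0;
    if (!VirtualProtect((void *)old_adress_send, sizeof(btOldSendBytes), PAGE_READWRITE, &fOld))
        return;
    dwCodeSize = 0;
    WriteProcessMemory(hGame, (void *)old_adress_send, (void *)btNewBytes,
                       sizeof(btNewBytes), &dwCodeSize);
    // Restore the original protection regardless of whether the write succeeded.
    VirtualProtect((void *)old_adress_send, sizeof(btOldSendBytes), fOld, &fNew);
}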
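// Open the packet log and install the recv hook (the send hook stays disabled,
// as in the original call site below).
//
// OPEN_ALWAYS keeps an existing log, but leaves the file pointer at offset 0,
// so a new session used to overwrite the old records in place and leave a
// stale tail behind them. The pointer is therefore moved to the end so new
// records are appended. If the file cannot be opened, hFile stays
// INVALID_HANDLE_VALUE and PrintBin/PrintBin01 simply skip writing.
void InitHook()
{
    const char *filename = "f:\\01.txt";
    hFile = CreateFile(filename, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile != INVALID_HANDLE_VALUE)
        SetFilePointer(hFile, 0, NULL, FILE_END);   // append rather than overwrite
    InitRecv();
    //InitSend();
}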