My machine: XP SP2
I. Preparation
1. Wrote a Win32 "hello world" in VC6 myself
2. Looked into the definitions of some of the functions and parameters involved
3. Drew an icon with IconXP
II. Analysis
Naturally, this means studying the function in question
77EFB067 GD> 8BFF mov edi,edi
77EFB069 55 push ebp
77EFB06A 8BEC mov ebp,esp
77EFB06C 83EC 68 sub esp,68
77EFB06F 8B45 08 mov eax,dword ptr ss:[ebp+8]
77EFB072 53 push ebx
77EFB073 56 push esi
77EFB074 8B75 30 mov esi,dword ptr ss:[ebp+30]
77EFB077 57 push edi
77EFB078 33FF xor edi,edi
77EFB07A 25 00007F00 and eax,7F0000
77EFB07F BB 00000100 mov ebx,10000
77EFB084 3BC3 cmp eax,ebx
77EFB086 897D C4 mov dword ptr ss:[ebp-3C],edi
77EFB089 897D F0 mov dword ptr ss:[ebp-10],edi
77EFB08C 897D F4 mov dword ptr ss:[ebp-C],edi
77EFB08F 897D FC mov dword ptr ss:[ebp-4],edi
77EFB092 897D B8 mov dword ptr ss:[ebp-48],edi
77EFB095 0F85 4A220100 jnz GDI32.77F0D2E5
77EFB09B 3BF7 cmp esi,edi
77EFB09D 0F84 E7150100 je GDI32.77F0C68A
77EFB0A3 57 push edi
77EFB0A4 8D45 D8 lea eax,dword ptr ss:[ebp-28]
77EFB0A7 50 push eax
77EFB0A8 FF75 34 push dword ptr ss:[ebp+34]
77EFB0AB 56 push esi
77EFB0AC E8 2FE6FFFF call GDI32.77EF96E0
77EFB0B1 3BC7 cmp eax,edi
77EFB0B3 8945 F0 mov dword ptr ss:[ebp-10],eax
77EFB0B6 0F84 C7150100 je GDI32.77F0C683
77EFB0BC 8B75 F0 mov esi,dword ptr ss:[ebp-10]
77EFB0BF 56 push esi
77EFB0C0 E8 3AFBFFFF call GDI32.77EFABFF ; computes the total byte count of the pixel array
77EFB0C5 8945 D4 mov dword ptr ss:[ebp-2C],eax
77EFB0C8 64:A1 18000000 mov eax,dword ptr fs:[18]
77EFB0CE F645 2C 03 test byte ptr ss:[ebp+2C],3 ; this is what caught my interest
77EFB0D2 89B8 D0060000 mov dword ptr ds:[eax+6D0],edi
77EFB0D8 0F85 46150100 jnz GDI32.77F0C624
77EFB0DE 8B45 08 mov eax,dword ptr ss:[ebp+8]
77EFB0E1 25 FFFF0000 and eax,0FFFF
77EFB0E6 3BC3 cmp eax,ebx
77EFB0E8 73 3D jnb short GDI32.77EFB127
77EFB0EA C1E0 04 shl eax,4
77EFB0ED 0305 0030F377 add eax,dword ptr ds:[77F33000]
77EFB0F3 8078 0A 01 cmp byte ptr ds:[eax+A],1
77EFB0F7 75 2E jnz short GDI32.77EFB127
77EFB0F9 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
77EFB0FC C1E9 10 shr ecx,10
77EFB0FF 66:3948 08 cmp word ptr ds:[eax+8],cx
77EFB103 75 22 jnz short GDI32.77EFB127
77EFB105 8B48 04 mov ecx,dword ptr ds:[eax+4]
77EFB108 83E1 FE and ecx,FFFFFFFE
77EFB10B 3B0D 0430F377 cmp ecx,dword ptr ds:[77F33004]
77EFB111 75 14 jnz short GDI32.77EFB127
77EFB113 8B40 0C mov eax,dword ptr ds:[eax+C]
77EFB116 3BC7 cmp eax,edi
77EFB118 8945 9C mov dword ptr ss:[ebp-64],eax
77EFB11B 74 0A je short GDI32.77EFB127
77EFB11D F640 5C 03 test byte ptr ds:[eax+5C],3
77EFB121 0F85 BE7D0100 jnz GDI32.77F12EE5
77EFB127 57 push edi
77EFB128 FF75 D4 push dword ptr ss:[ebp-2C]
77EFB12B FF75 D8 push dword ptr ss:[ebp-28]
77EFB12E FF75 38 push dword ptr ss:[ebp+38]
77EFB131 FF75 34 push dword ptr ss:[ebp+34]
77EFB134 56 push esi
77EFB135 FF75 2C push dword ptr ss:[ebp+2C]
77EFB138 FF75 28 push dword ptr ss:[ebp+28]
77EFB13B FF75 24 push dword ptr ss:[ebp+24]
77EFB13E FF75 20 push dword ptr ss:[ebp+20]
77EFB141 FF75 1C push dword ptr ss:[ebp+1C]
77EFB144 FF75 18 push dword ptr ss:[ebp+18]
77EFB147 FF75 14 push dword ptr ss:[ebp+14]
77EFB14A FF75 10 push dword ptr ss:[ebp+10]
77EFB14D FF75 0C push dword ptr ss:[ebp+C]
77EFB150 FF75 08 push dword ptr ss:[ebp+8]
77EFB153 E8 2B000000 call GDI32.77EFB183
77EFB158 8BF8 mov edi,eax
77EFB15A 33F6 xor esi,esi
77EFB15C 3975 C4 cmp dword ptr ss:[ebp-3C],esi
77EFB15F 0F85 03150100 jnz GDI32.77F0C668
77EFB165 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
77EFB168 3BCE cmp ecx,esi
77EFB16A 74 09 je short GDI32.77EFB175
77EFB16C 3B4D 30 cmp ecx,dword ptr ss:[ebp+30]
77EFB16F 0F85 F8810100 jnz GDI32.77F1336D
77EFB175 8BC7 mov eax,edi
77EFB177 5F pop edi
77EFB178 5E pop esi
77EFB179 5B pop ebx
77EFB17A C9 leave
77EFB17B C2 3400 retn 34
The instruction at 77EFB0CE checks whether the pBits address is 4-byte aligned. My guess is that the buffer has to be aligned before it is handed down to ring 0, so the function checks here first: if the address is not 4-aligned, it mallocs a block on the heap and copies the bits into it. Fine; since there is a memcpy, there may be a problem.
III. Research
I found that getting the pBits address to be non-4-aligned requires meeting some conditions. After some experimenting I put together a pBitmapInfo structure that places pBits inside the .rsrc section.
The structure looks roughly like this:
0C 00 00 00 10 00 20 00 01 00 20 00
Using 28 00 00 00 works too; the key is the trailing 0x20, which says the pixels are 32-bit. With 24-bit pixels it does not work, and I am not sure why.
IV. More research
Now pBits can be placed in the .rsrc section, but it is still 4-aligned, so the natural next step is to edit the directory inside the resource section.
In my example the entry directory was originally:
00406160 C0 61 00 00 A8 0C 00 00 00 00 00 00 00 00 00 00
Fine, so change it to:
00406160 C1 61 00 00 A7 0C 00 00 00 00 00 00 00 00 00 00
V. Still more research
Good; with this change it now takes the malloc path. What remains is to make it malloc a huge size and then memcpy, large enough to run past the PE image itself, so that it raises an exception and crashes.
That part is easy: just enlarge the width and height fields in the pBitmapInfo structure.
0C 00 00 00 XX XX YY YY 01 00 20 00
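The missing check in the traced code is a consistency test between the header's declared dimensions and the bytes actually present in the resource. The following C, added here as an example and not the author's code, parses the 12-byte BITMAPCOREHEADER quoted above (and the 40-byte BITMAPINFOHEADER the post says also works), computes the pixel-array size with overflow checks, and rejects a header whose width and height exceed the resource; palette and icon AND-mask bytes are ignored as a simplifying assumption, and `oversized_hdr` is a constructed sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian field readers for the raw resource bytes. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Pixel-array bytes declared by a BITMAPCOREHEADER (size 0x0C) or BITMAPINFOHEADER
 * (size 0x28); 0 if the header is truncated, has an unsupported plane/bit count,
 * or the size computation would wrap. Rows are padded to 4 bytes. Palette and
 * icon AND-mask bytes are not modelled (simplifying assumption). */
uint64_t dib_pixel_bytes(const uint8_t *hdr, size_t hdr_len)
{
    uint64_t width, height;
    uint32_t planes, bpp;
    if (hdr_len < 4) return 0;
    uint32_t size = rd32(hdr);
    if (size == 0x0C && hdr_len >= 12) {            /* bcWidth/bcHeight are 16-bit */
        width = rd16(hdr + 4);  height = rd16(hdr + 6);
        planes = rd16(hdr + 8); bpp = rd16(hdr + 10);
    } else if (size == 0x28 && hdr_len >= 40) {     /* biWidth/biHeight are signed 32-bit */
        int32_t w = (int32_t)rd32(hdr + 4), h = (int32_t)rd32(hdr + 8);
        if (w <= 0 || h == 0) return 0;             /* negative height = top-down DIB */
        width = (uint64_t)w; height = (uint64_t)(h < 0 ? -(int64_t)h : h);
        planes = rd16(hdr + 12); bpp = rd16(hdr + 14);
    } else return 0;
    if (planes != 1 || width == 0 || height == 0) return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    uint64_t stride = ((width * bpp + 31) / 32) * 4;  /* no wrap: width < 2^31, bpp <= 32 */
    if (stride > UINT64_MAX / height) return 0;       /* stride * height would overflow */
    return stride * height;
}

/* 1 if the header is sane and its pixel array fits in a resource of resource_len
 * bytes that begins with this header: the check the traced copy path never makes
 * when it sizes its heap buffer from width and height alone. */
int dib_fits(const uint8_t *hdr, size_t hdr_len, size_t resource_len)
{
    uint64_t bytes = dib_pixel_bytes(hdr, hdr_len);
    if (bytes == 0 || resource_len < hdr_len) return 0;
    return bytes <= (uint64_t)(resource_len - hdr_len);
}

/* The 12-byte header quoted in the post: 16 x 32 pixels, 1 plane, 32 bpp. */
const uint8_t page_hdr[12] = {0x0C,0,0,0, 0x10,0, 0x20,0, 1,0, 0x20,0};
/* Constructed sample: width and height both pushed to 0xFFFF, as the post describes. */
const uint8_t oversized_hdr[12] = {0x0C,0,0,0, 0xFF,0xFF, 0xFF,0xFF, 1,0, 0x20,0};

int main(void)
{
    printf("page header needs %llu pixel bytes\n", (unsigned long long)dib_pixel_bytes(page_hdr, 12));
    printf("oversized header fits in a 4 KiB resource: %d\n", dib_fits(oversized_hdr, 12, 4096));
    return 0;
}
```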