作者: yongmin [yongmin]
这是我对比ollyice和原版od得到的,其中汉化和一些无关的修改没有写。 程序中原来有些代码写的很晦涩,我用原版加载这个dll调试了下,还是不太稳定, 希望大家一起查找bug, 另外希望大家也把其他好的修改跟贴发一下

///////////////////////////////////////////////////////////////////////////////////////////////
Makefile
///////////////////////////////////////////////////////////////////////////////////////////////
# Builds ollyext.dll from ollyext.asm with MASM (ml /coff) and the Microsoft linker.
DLL = ollyext
OBJS = $(DLL).obj
LINK_FLAG = /subsystem:windows /DLL
ML_FLAG = /c /coff

$(DLL).dll: $(OBJS)
	Link $(LINK_FLAG) $(OBJS)

.asm.obj:
	ml $(ML_FLAG) $<

clean:
	del *.obj
///////////////////////////////////////////////////////////////////////////////////////////////
ollyext.asm
///////////////////////////////////////////////////////////////////////////////////////////////
;*********************************************************************
; OLLYDBG extension DLL module
; write by ezme, thanks to the "ollyice"
;
; Loaded into ollydbg.exe; DLLMain patches the host's code in place
; (see PatchProcMem).  Every patch address below is specific to one
; particular build of the host executable.
;*********************************************************************
.386
.model flat, stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include \work\masm32\macros\macros.asm
include \work\masm32\macros\ucmacros.asm
include patch.inc                     ; hook bodies plus the table of host entry points

.const
; Short replacement byte sequences written by PatchProcMem.
b_JMPHeader db 0EBh                   ; opcode of "jmp short"; overwrites a "je short" (74h) opcode
b_JGEHeader db 07Dh                   ; opcode of "jge short"
b_NOPBytes  db 90h,90h,90h,90h,90h,90h,90h,90h
bZeroBytes  db 00h,00h,00h,00h,00h,00h,00h,00h   ; zeroes an imm8 operand (e.g. "push 2" -> "push 0")

.data
hInstance dd ?                        ; assigned in DLLMain
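.data
; Data the patcher and the hooks need.  The original kept these in ".data"
; islands inside PatchProcMem and fix_00425E57; they are gathered here so the
; procedures contain code only.
code_00426760 db 0EBh,13h             ; "jmp short 00426775" (replaces "74 2C  je short 0042678E")
code_00426775 db 06Ah,00h             ; "push 0"
; Labels for the Infoline status text of fix_00425E57, stored as raw bytes
; (presumably GBK: "current value:", "block size:0x", "end:", "start:").
;0057F5DB
arg_00425E57_1A db 0B5h,0B1h,0C7h,0B0h,0D6h,0B5h,03Ah,00,00,00,00
;0057F5EE
arg_00425E57_1B db 0BFh,0E9h,0B4h,0F3h,0D0h,0A1h,03Ah,030h,078h,00,00,00,00,00,00,00
;0057F608
arg_00425E57_20 db 0BDh,0E1h,0CAh,0F8h,03Ah,00,00,00,00
;0057F619
arg_00425E57_30 db 0C6h,0F0h,0CAh,0BCh,03Ah,00,00,00,00
;0057F627
arg_00425E57_40 db 025h,073h,025h,058h,020h,025h,073h,025h,058h,020h,025h,073h,025h,058h,00,00,00,00,00,00,00   ; "%s%X %s%X %s%X"
arg_00425E57_41 db "%s%X %s%X %s%X %s%X",0   ; four-pair variant: selection of <= 4 bytes, value appended
szPatchName db MAX_PATH dup (0)       ; scratch path buffer for fix_00437376

.code
;*********************************************************************
; BOOL ReplaceMem(DWORD dwMemAddr, LPCVOID pData, DWORD dwLen)
; Overwrites dwLen bytes of the host image at dwMemAddr with the bytes at
; pData, temporarily making the range writable.
; Returns eax = TRUE when the bytes were written, FALSE when the page
; could not be made writable (nothing is written in that case).
;*********************************************************************
ReplaceMem proc uses ebx esi edi _dwMemAddr, _dwData, _dwLen
    local @dwOldProtect
    local @dwDummy

    invoke VirtualProtect, _dwMemAddr, _dwLen, \
           PAGE_EXECUTE_READWRITE, addr @dwOldProtect
    .if eax == 0
        ret                           ; eax = FALSE: page not writable, do not touch it
    .endif
    invoke RtlMoveMemory, _dwMemAddr, _dwData, _dwLen
    ; lpflOldProtect is a required argument.  The original passed NULL here,
    ; which makes this call fail and leaves the patched page RWX.
    invoke VirtualProtect, _dwMemAddr, _dwLen, @dwOldProtect, addr @dwDummy
    mov eax, TRUE
    ret
ReplaceMem endp

;*********************************************************************
; BOOL WritePatchCode(DWORD dwMemAddr, DWORD dwFuncAddr, BYTE bCodeType, DWORD dwCodeLen)
; Writes a control transfer to dwFuncAddr at dwMemAddr and pads the rest
; of the overwritten instruction(s) with NOPs:
;   PCODE_JUMP_HEADER  E9 rel32            (5 bytes)
;   PCODE_CALL_HEADER  E8 rel32            (5 bytes)
;   PCODE_PRET_HEADER  68 imm32 / C3       ("push addr; ret", 6 bytes)
; Any other type writes a single INT3 (CCh).
; dwCodeLen is the total number of bytes to overwrite; it has to cover the
; last instruction at the site completely and may not exceed
; MAXLEN_PATCH_CODE.
; Returns eax = TRUE on success, FALSE if dwCodeLen is too large or
; ReplaceMem failed.
;*********************************************************************
MAXLEN_PATCH_CODE equ 16
PCODE_JUMP_HEADER equ 0E9h
PCODE_CALL_HEADER equ 0E8h
PCODE_PRET_HEADER equ 068h
PCODE_JUMP_LENGTH equ 5
PCODE_CALL_LENGTH equ 5
PCODE_PRET_LENGTH equ 6

WritePatchCode proc uses ebx esi edi _dwMemAddr, _dwFuncAddr, \
                   _bCodeType:BYTE, _dwCodeLen
    local @bPatchCode[MAXLEN_PATCH_CODE]:BYTE

    mov eax, _dwCodeLen
    cmp eax, MAXLEN_PATCH_CODE
    jbe @F
    xor eax, eax                      ; longer than the local buffer: refuse
    ret
@@:
    invoke RtlFillMemory, addr @bPatchCode, MAXLEN_PATCH_CODE, 90h
    mov al, _bCodeType
    .if al == PCODE_JUMP_HEADER || al == PCODE_CALL_HEADER
        mov @bPatchCode, al           ; E9 / E8: both take the same rel32
        mov eax, _dwFuncAddr          ; rel32 = target - (site + 5)
        sub eax, 1 + 4
        sub eax, _dwMemAddr
        mov dword ptr [@bPatchCode + 1], eax
    .elseif al == PCODE_PRET_HEADER
        mov @bPatchCode, PCODE_PRET_HEADER     ; push imm32
        mov byte ptr [@bPatchCode + 5], 0C3h   ; ret
        mov eax, _dwFuncAddr          ; absolute target, no displacement math
        mov dword ptr [@bPatchCode + 1], eax
    .else
        mov @bPatchCode, 0CCh         ; int3
    .endif
    invoke ReplaceMem, _dwMemAddr, addr @bPatchCode, _dwCodeLen
    ret
WritePatchCode endp

;*********************************************************************
; BOOL PatchProcMem(void)
; Applies every in-memory patch to the loaded ollydbg.exe image.  Each
; numbered item keeps the author's original listing of the replaced
; instruction(s); the byte count passed to WritePatchCode must equal the
; total length of those instructions so that the NOP padding ends on an
; instruction boundary.
; NOTE(review): nothing here verifies that the host is the build these
; addresses belong to.  Comparing the original bytes quoted in each comment
; against the site before writing would make a wrong-host load fail safe
; instead of corrupting code.
; Returns eax = TRUE (individual ReplaceMem failures are not propagated).
;*********************************************************************
PatchProcMem proc uses ebx esi edi
    ;1**
    ;---------------------------------------------------
    ; fixed: _Findname
    ;00419B84 . 0355 FC        add edx, dword ptr ss:[ebp-4]
    ;---------------------------------------------------
    invoke ReplaceMem, 00419B84h, offset b_NOPBytes, 3

    ;2**
    ;---------------------------------------------------
    ; fixed: strings spell error
    ;0041E2F7
    ;---------------------------------------------------

    ;3**
    ;---------------------------------------------------
    ; fixed: WM_??? window message loop extension
    ;func_0057F329
    ;0041E623 . 3D 01020000    cmp eax, 201
    ;---------------------------------------------------
    invoke WritePatchCode, 0041E623h, fix_0041E623, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;4**
    ;---------------------------------------------------
    ; fixed: WM_CHAR 1
    ;0041F325 . 83C4 1C        add esp, 1C
    ;0041F328 . 8945 A4        mov dword ptr ss:[ebp-5C], eax
    ;---------------------------------------------------
    invoke WritePatchCode, 0041F325h, fix_0041F325, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH + 1

    ;5**
    ;---------------------------------------------------
    ; fixed: WM_CHAR 2
    ;0042042F > 833D 44274E00 01  cmp dword ptr ds:[4E2744], 1
    ;0042044A > \8B55 EC       mov edx, dword ptr ss:[ebp-14]
    ;0042044D . 52             push edx                        ; /Arg3
    ;0042044E . 8B4D F0        mov ecx, dword ptr ss:[ebp-10]  ; |
    ; The 7-byte compare becomes NOP + "push fix_0042042F / ret".
    ;---------------------------------------------------
    invoke ReplaceMem, 0042042Fh, offset b_NOPBytes, 1
    invoke WritePatchCode, 0042042Fh + 1, fix_0042042F, PCODE_PRET_HEADER, \
           PCODE_PRET_LENGTH

    ;6
    ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00420BFE, 00420C1D, 00420C43, 00420C5F, 00420C7B, 00420C97
    ;---------------------------------------------------

    ;7
    ;---------------------------------------------------
    ; fixed: WM_??? window message loop extension
    ;func_0057F329
    ;00425E57 . 3D 00020000    cmp eax, 200
    ;---------------------------------------------------
    invoke WritePatchCode, 00425E57h, fix_00425E57, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;8
    ;---------------------------------------------------
    ; fixed: WM_CHAR
    ;0042609A > A1 FADD4C00    mov eax, dword ptr ds:[4CDDFA]
    ;---------------------------------------------------
    invoke WritePatchCode, 0042609Ah, fix_0042609A, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;9
    ;---------------------------------------------------
    ; fixed: WM_KEYDOWN
    ;0042670C . 837D EC 00     cmp dword ptr ss:[ebp-14], 0
    ;00426710 . 0F85 C2000000  jnz 004267D8
    ;---------------------------------------------------
    invoke WritePatchCode, 0042670Ch, fix_0042670C, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH + 5

    ;10
    ;---------------------------------------------------
    ; fixed:
    ;00426760 . 74 2C          je short 0042678E
    ;---------------------------------------------------
    invoke ReplaceMem, 00426760h, offset code_00426760, 2
    invoke ReplaceMem, 00426775h, offset code_00426775, 2

    ;11
    ;---------------------------------------------------
    ; fixed:
    ;0043134C . 83C4 10        add esp, 10
    ;0043134F . 3BC3           cmp eax, ebx
    ;---------------------------------------------------
    invoke WritePatchCode, 0043134Ch, fix_0043134C, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;12
    ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00433BD4, 00433C58, 0043416E
    ;---------------------------------------------------

    ;13
    ;---------------------------------------------------
    ; fixed: "Dangerous command" warning
    ;00434C0D . 74 6D          je short 00434C7C
    ;---------------------------------------------------
    invoke ReplaceMem, 00434C0Dh, offset b_JMPHeader, 1

    ;14
    ;---------------------------------------------------
    ; fixed: CreateFontA  (each imm8 operand is zeroed)
    ;00436C89 . 6A 02          push 2
    ;00436C8D . 6A 06          push 6
    ;00436CA0 . 6A 05          push 5
    ;00436CBC . 6A 00          push 0
    ;00436CBE . 6A 00          push 0
    ;00436CC2 . 6A 00          push 0
    ;---------------------------------------------------
    invoke ReplaceMem, 00436C89h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436C8Dh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CA0h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CBCh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CBEh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00436CC2h + 1, offset bZeroBytes, 1

    ;15
    ;---------------------------------------------------
    ; fixed: UDD, plugin dir path
    ;00437376 . 68 027F0000    push 7F02
    ;---------------------------------------------------
    invoke WritePatchCode, 00437376h, fix_00437376, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;16
    ;---------------------------------------------------
    ; fixed: menu strings
    ;00438456 . 8D86 9E290000  lea eax, dword ptr ds:[esi+299E]
    ;---------------------------------------------------

    ;17
    ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;0043D90E > 68 418F4B00    push 004B8F41
    ;---------------------------------------------------

    ;18
    ;---------------------------------------------------
    ; fixed: MultiByteToWideChar
    ;00446A1C > 68 00020000    push 200
    ;---------------------------------------------------
    invoke WritePatchCode, 00446A1Ch, fix_00446A1C, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;19
    ;---------------------------------------------------
    ; fixed: an Error msg
    ;0044D90C . 75 1B          jnz short 0044D929
    ;---------------------------------------------------
    invoke ReplaceMem, 0044D90Ch, offset b_JMPHeader, 1

    ;20
    ;---------------------------------------------------
    ; fixed: WM_CHAR
    ;func_0057F255
    ;0044EF88 . E8 C38C0500    call 004A7C50
    ;---------------------------------------------------
    invoke WritePatchCode, 0044EF88h, fix_0044EF88, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH

    ;21
    ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00450405 . 68 ACAB4B00    push 004BABAC
    ;0045042B > 68 B8AB4B00    push 004BABB8
    ;00450448 . 68 C7AB4B00    push 004BABC7
    ;00459E40 > 68 3DB44B00    push 004BB43D
    ;0045AE7F . 68 62B74B00    push 004BB762
    ;---------------------------------------------------

    ;22
    ;---------------------------------------------------
    ; fixed:
    ;0045C671 . 74 07          je short 0045C67A
    ;---------------------------------------------------
    invoke ReplaceMem, 0045C671h, offset b_JGEHeader, 1

    ;23
    ;---------------------------------------------------
    ; fixed:
    ;0045DB3D . 74 47          je short 0045DB86
    ;---------------------------------------------------
    invoke ReplaceMem, 0045DB3Dh, offset b_JMPHeader, 1

    ;24
    ;---------------------------------------------------
    ; fixed: trans to chinese string
    ;00462535 > 68 88C64B00    push 004BC688
    ;---------------------------------------------------

    ;25 x   (marked "x" by the author)
    ;---------------------------------------------------
    ; fixed:
    ;00464A67 . 8D46 01        lea eax, dword ptr ds:[esi+1]
    ;00464A6A . 50             push eax
    ;00464A6B . 8B13           mov edx, dword ptr ds:[ebx]
    ;---------------------------------------------------
    invoke WritePatchCode, 00464A67h, fix_00464A67, PCODE_JUMP_HEADER, \
           PCODE_JUMP_LENGTH + 1

    ;26
    ;---------------------------------------------------
    ; fixed:
    ;func_0057FAD0
    ;00464EC3 . 8BD1           mov edx, ecx
    ;00464EC5 . 87F7           xchg edi, esi
    ;00464EC7 . C1E9 02        shr ecx, 2
    ;---------------------------------------------------
    invoke WritePatchCode, 00464EC3h, func_0057FAD0, PCODE_CALL_HEADER, \
           PCODE_CALL_LENGTH + 2

    ;27 x   (marked "x" by the author)
    ;---------------------------------------------------
    ; fixed:
    ;func_0057FAD0
    ;00464F91 . 8BD1           mov edx, ecx
    ;00464F93 . 87F7           xchg edi, esi
    ;00464F95 . C1E9 02        shr ecx, 2
    ;---------------------------------------------------
    invoke WritePatchCode, 00464F91h, func_0057FAD0, PCODE_CALL_HEADER, \
           PCODE_CALL_LENGTH + 2

    ;23 (the author's numbering repeats here)
    ;---------------------------------------------------
    ; fixed:  (each imm8 operand is zeroed)
    ;00478A5C . B0 54          mov al, 54
    ;00478AC2 . B0 54          mov al, 54
    ;00478B0B . B1 4D          mov cl, 4D
    ;00478B59 . B0 54          mov al, 54
    ;---------------------------------------------------
    invoke ReplaceMem, 00478A5Ch + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00478AC2h + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00478B0Bh + 1, offset bZeroBytes, 1
    invoke ReplaceMem, 00478B59h + 1, offset bZeroBytes, 1

    ;27 (the author's numbering repeats here)
    ;---------------------------------------------------
    ; fixed:
    ;func_0057F0A1
    ;004AA2E8 . 66:817A 08 3E40  cmp word ptr ds:[edx+8], 403E
    ;---------------------------------------------------
    invoke WritePatchCode, 004AA2E8h, func_0057F0A1, PCODE_CALL_HEADER, \
           PCODE_CALL_LENGTH + 1

    mov eax, TRUE                     ; whole register, not only al
    ret
PatchProcMem endp

;*********************************************************************
; BOOL DLLMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
; Entry point: on process attach, patch the host and return.
; Note: hInstance is deliberately the host executable's module handle
; (GetModuleHandle(NULL)), not this DLL's; the original also stored
; _hInstance first but then overwrote it with the same value.
; Returns eax = TRUE for every reason code.
;*********************************************************************
DLLMain proc _hInstance,_dwReason,_dwReserved
    .if _dwReason == DLL_PROCESS_ATTACH
        invoke GetModuleHandle, NULL
        mov hInstance, eax
        invoke PatchProcMem
    .endif
    mov eax, TRUE
    ret
DLLMain endp

end DLLMain
;///////////////////////////////////////////////////////////////////////////////////////////////
; patch.inc
;///////////////////////////////////////////////////////////////////////////////////////////////
.const
; Entry points inside ollydbg.exe that the hooks call through (same cdecl
; calling convention as the plugin-API functions of the same names: the
; caller pops the arguments).
OD_Error      dd 0045401Ch            ; Error(char *format, ...)
OD_Setcpu     dd 0042D618h            ; Setcpu(threadid, asmaddr, dumpaddr, stackaddr, mode)
OD_Infoline   dd 00431768h            ; Infoline(char *format, ...)
OD_Findmemory dd 00461A48h            ; Findmemory(addr) -> memory block or NULL
OD_Readmemory dd 0046130Ch            ; Readmemory(buf, addr, size, mode)

.code
;****************************************************************************
; New helper routines.  The hooks below reuse the host's own registers and
; stack frame (ebp) at the patch site, so "host local" means a slot of the
; hooked routine's frame.
;****************************************************************************

;----------------------------------------------------------------------------
; func_0057F0A1 -- called (E8) from 004AA2E8 in place of "cmp word ptr [edx+8], 403Eh".
; In:  edx -> 10-byte record: dword at +0, dword at +4, word at +8 (tag)
; If the record is tag 403Dh with both dwords == -1 it is rewritten to
; tag 403Eh, +0 = 0, +4 = 80000000h.  Exits with the flags of the replaced
; compare (tag == 403Eh) so the host's following jcc still works.
;----------------------------------------------------------------------------
;0057F0A1
func_0057F0A1 proc
    cmp word ptr ds:[edx+8], 403Dh
    jnz L009
    cmp dword ptr ds:[edx], -1
    jnz L009
    cmp dword ptr ds:[edx+4], -1
    jnz L009
    mov word ptr ds:[edx+8], 403Eh
    mov dword ptr ds:[edx], 0
    mov dword ptr ds:[edx+4], 80000000h
L009:
    cmp word ptr ds:[edx+8], 403Eh    ; the replaced instruction
    ret
func_0057F0A1 endp

;----------------------------------------------------------------------------
; func_0057FAD0 -- called (E8) from 00464EC3 and 00464F91 in place of
; "mov edx, ecx / xchg edi, esi / shr ecx, 2".
; Clamps the count in ecx to 0FFh and NUL-terminates [esi+0FFh] when it was
; larger, then re-executes the three replaced instructions.
; The compare is unsigned so an out-of-range (negative-looking) count is
; clamped as well; the original used jle and also zeroed eax on that path.
;----------------------------------------------------------------------------
;0057FAD0
func_0057FAD0 proc
    cmp ecx, 0FFh
    jbe L005
    mov ecx, 0FFh
    mov byte ptr ds:[ecx+esi], 0
L005:
    mov edx, ecx
    xchg edi, esi
    shr ecx, 2
    ret
func_0057FAD0 endp

;----------------------------------------------------------------------------
; int func_0057F255(HWND hwnd)
; Reads the CF_TEXT clipboard contents and returns strlen(text) / 2
; (signed), or 0 if the clipboard cannot be opened / holds no text.
; Side effect kept from the original: the CF_TEXT handle is also stored at
; [ebp-0C0h], i.e. into the frame of whoever's ebp is live (fix_0044EF88
; calls this with the host routine's ebp) -- verify the host reads it.
; Preserves edi and esi.
;----------------------------------------------------------------------------
;0057F255
func_0057F255 proc
    mov eax, dword ptr ss:[esp+4]     ; hwnd
    push edi
    push eax
    xor edi, edi                      ; edi = text length, 0 until measured
    call OpenClipboard                ;<jmp.&USER32.OpenClipboard>
    test eax, eax
    je L043
    push esi
    push CF_TEXT
    call GetClipboardData             ;<jmp.&USER32.GetClipboardData>
    mov esi, eax                      ; esi = HGLOBAL of the text block (0 if none)
    mov dword ptr ss:[ebp-0C0h], eax
    test eax, eax
    je L041
    push esi
    call GlobalLock                   ;<jmp.&KERNEL32.GlobalLock>
    test eax, eax
    je L041
    push eax
    call lstrlenA
    mov edi, eax
    push esi                          ; the block handle (the original passed the caller's stale esi)
    call GlobalUnlock                 ;<jmp.&KERNEL32.GlobalUnlock>
L041:
    call CloseClipboard               ;<jmp.&USER32.CloseClipboard>
    pop esi
L043:
    mov eax, edi
    pop edi
    cdq
    sub eax, edx
    sar eax, 1                        ; length / 2, rounded toward zero
    ret
func_0057F255 endp

;----------------------------------------------------------------------------
; func_0057F329(DWORD *pValue)
; Copies the dword at *pValue to the clipboard as "%08X" text.
; The clipboard owner window is taken from [ebp+8], i.e. the first argument
; of the hooked window procedure (ebp is the host's frame).
; Clobbers ebx, ecx, edx (callers wrap the call in pushad/popad).
; Returns eax = 0 on any failure.  Every path now closes the clipboard; the
; original left it open on the allocation/lock error paths, passed a stale
; esi as the "%li bytes" argument of the error message, and kept a block
; that SetClipboardData rejected.
;----------------------------------------------------------------------------
;0057F329
func_0057F329 proc
    mov eax, dword ptr [ebp+8]        ; hwnd of the hooked window procedure
    push eax
    call OpenClipboard                ;<jmp.&USER32.OpenClipboard>
    test eax, eax
    jz L048                           ; not ours to use: nothing to close
    call EmptyClipboard               ;<jmp.&USER32.EmptyClipboard>
    push 10h                          ; 16 bytes: "%08X" + NUL fits
    push GMEM_MOVEABLE or GMEM_DDESHARE
    call GlobalAlloc                  ;<jmp.&KERNEL32.GlobalAlloc>
    mov ebx, eax
    test ebx, ebx
    jnz L016
    push 10h                          ; %li = requested size
    push 004BB416h                    ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
    jmp L047
L016:
    push ebx
    call GlobalLock                   ;<jmp.&KERNEL32.GlobalLock>
    test eax, eax
    jnz L032
    push 10h
    push 004BB416h                    ; ASCII "Unable to allocate %li bytes of memory"
    call dword ptr [OD_Error]
    add esp, 8
    jmp L047
L032:
    mov edx, dword ptr [esp+4]        ; pValue (esp is back at its entry value here)
    push dword ptr [edx]
    push chr$("%08X")
    push eax
    call wsprintfA                    ;<jmp.&USER32.wsprintfA>
    add esp, 0Ch
    push ebx
    call GlobalUnlock                 ;<jmp.&KERNEL32.GlobalUnlock>
    push ebx
    push CF_TEXT
    call SetClipboardData             ;<jmp.&USER32.SetClipboardData>
    test eax, eax
    jz L047                           ; rejected: the block is still ours, free it
    call CloseClipboard               ;<jmp.&USER32.CloseClipboard>
    ret
L047:
    test ebx, ebx
    jz L049
    push ebx
    call GlobalFree                   ;<jmp.&KERNEL32.GlobalFree>
L049:
    call CloseClipboard               ;<jmp.&USER32.CloseClipboard>
L048:
    xor eax, eax
    ret
func_0057F329 endp

;****************************************************************************
; Hook bodies.  Each is entered by the transfer written in PatchProcMem,
; ends by re-executing the instruction(s) it displaced, and leaves through
; "push <resume address> / ret" so the host's registers are untouched
; (push/ret do not alter flags, which matters where the replaced
; instruction was a compare).
;****************************************************************************

;----------------------------------------------------------------------------
; fix_0041E623 (0057F77C) -- jumped to from 0041E623 ("cmp eax, 201h").
; In:  eax = window message.  On WM_KEYDOWN with Ctrl held and key 'X',
; copies the dword at 004CDA2Dh to the clipboard and resumes at 00425E22h;
; otherwise re-executes the compare and resumes at 0041E628h.
;----------------------------------------------------------------------------
;0057F77C
fix_0041E623 proc
    ;call DebugBreak
    cmp eax, WM_KEYDOWN
    je JMP_2
JMP_1:
    cmp eax, WM_LBUTTONDOWN           ; the replaced instruction (201h)
    push 0041E628h
    ret
JMP_2:
    pushad
    push VK_CONTROL
    call GetKeyState                  ;<USER32.GetKeyState>
    test ax, 8000h
    je JMP_3
    mov eax, dword ptr [ebp+10h]      ; host local: the virtual key
    or al, 20h                        ; fold to lower case
    cmp eax, 78h                      ; 'x'
    jnz JMP_3
    mov eax, 004CDA2Dh                ; address derived by the author
    push eax
    call func_0057F329
    add esp, 4h
    popad
    push 00425E22h
    ret
JMP_3:
    popad
    jmp JMP_1
fix_0041E623 endp

;----------------------------------------------------------------------------
; fix_0041F325 (0057F000) -- jumped to from 0041F325
; ("add esp, 1Ch / mov [ebp-5Ch], eax"); the author notes it was never hit.
; Unless the host local [ebp-162Ch] is non-zero, picks an address from the
; host's locals (Findmemory-validated where applicable) and calls
; Setcpu(0, asmaddr, dumpaddr, 0, 10000h) for it when it lies inside
; user space.  The original validated only the dumpaddr slot, so the branch
; at L029 (asmaddr set, dumpaddr 0) could never reach Setcpu; both slots are
; now considered.  Resumes at 0041F32Bh.
;----------------------------------------------------------------------------
;0057F000
fix_0041F325 proc
    ;call DebugBreak
    cmp dword ptr [ebp-162Ch], 0
    jnz L039
    pushad
    push 10000h                       ; mode
    push 0                            ; stackaddr
    cmp dword ptr [ebp-1640h], 0
    je L024
    cmp dword ptr [ebp-15F8h], 0
    je L018
    push dword ptr [ebp-15F8h]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je L018
    push dword ptr [ebp-15F8h]        ; dumpaddr
    jmp L027
L018:
    cmp dword ptr [ebp-15F4h], 0
    je L022
    push dword ptr [ebp-15F4h]        ; dumpaddr
    jmp L027
L022:
    push dword ptr [ebp-1640h]        ; dumpaddr
    jmp L027
L024:
    cmp dword ptr [ebp-18h], 0
    jnz L029
    push dword ptr [ebp-163Ch]        ; dumpaddr
L027:
    push 0                            ; asmaddr = 0
    jmp L031
L029:
    push 0                            ; dumpaddr = 0
    push dword ptr [ebp-163Ch]        ; asmaddr
L031:
    push 0                            ; threadid
    mov ecx, dword ptr [esp+8]        ; dumpaddr slot
    test ecx, ecx
    jnz L033
    mov ecx, dword ptr [esp+4]        ; asmaddr slot (L029 branch)
L033:
    cmp ecx, 100000h
    jb L037
    cmp ecx, 7FFE0FFFh
    ja L037
    call dword ptr [OD_Setcpu]
L037:
    add esp, 14h
    popad
L039:
    add esp, 1Ch                      ; the replaced instructions
    mov dword ptr [ebp-5Ch], eax
    push 0041F32Bh
    ret
fix_0041F325 endp

;----------------------------------------------------------------------------
; fix_0042042F (004AF780/004AF781) -- reached through "push/ret" written at
; 00420430 in place of "cmp dword ptr [4E2744h], 1"; the author notes it
; was never hit.
; With Shift held, key 'c' resumes at 00423151h with ebx = 13h and key 'v'
; with ebx = 14h (eax = folded key).  Otherwise re-executes the compare and
; resumes at 00420436h with eax restored (the original left eax pointing at
; 004E2744h on that path).
;----------------------------------------------------------------------------
;004AF780
;004AF781
fix_0042042F proc
    ;call DebugBreak
    push eax
    push VK_SHIFT
    call GetKeyState                  ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    pop eax                           ; pop leaves the flags alone
    je L015
    mov eax, dword ptr [ebp+10h]      ; host local: the virtual key
    or al, 20h
    cmp eax, 63h                      ; 'c'
    jnz L011
    mov ebx, 13h
    jmp L014
L011:
    cmp eax, 76h                      ; 'v'
    jnz L015
    mov ebx, 14h
L014:
    push 00423151h
    ret
L015:
    cmp dword ptr ds:[004E2744h], 1   ; the replaced instruction
    push 00420436h
    ret
fix_0042042F endp

;----------------------------------------------------------------------------
; fix_00425E57 (0057F3E0) -- jumped to from 00425E57 ("cmp eax, 200h").
; Dispatches on the message in [ebp+0Ch] (host argument):
;   WM_MOUSEMOVE      -> JMP_SUB_1: show start/end/size (and the value when
;                        the selection is at most 4 bytes) on the info line
;   WM_LBUTTONDBLCLK  -> JMP_SUB_2: copy the selected dword to the clipboard,
;                        or with Ctrl held re-centre the CPU view on it
;   WM_KEYDOWN        -> JMP_SUB_3: key 't' follows the selected dword and
;                        advances the selection by 4
; then re-executes the compare and resumes at 00425E5Ch.
; 004CDDFAh is used as the selection record: dword +0 = start, +4 = end.
; 0050AFE0h / 0050B140h are 4-byte scratch slots Readmemory fills.
;----------------------------------------------------------------------------
;0057F3E0
fix_00425E57 proc
    ;call DebugBreak
    mov eax, dword ptr [ebp+0Ch]
    cmp eax, WM_MOUSEMOVE
    je JMP_SUB_1
JMP_0_1:
    cmp eax, WM_LBUTTONDBLCLK
    je JMP_SUB_2
JMP_0_2:
    cmp eax, WM_KEYDOWN
    je JMP_SUB_3
JMP_0_3:
    cmp eax, WM_MOUSEMOVE             ; the replaced instruction (200h)
    push 00425E5Ch
    ret

    ;------------------
    ;0057F4D6
JMP_SUB_2:
    push VK_CONTROL
    call GetKeyState                  ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    jnz JMP_2_2
    pushad
    mov edx, 004CDDFAh                ; selection record
    push edx
    push dword ptr [edx]
    call dword ptr [OD_Findmemory]
    pop ecx
    pop edx
    test eax, eax
    je JMP_2_1
    push 1
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                ; scratch dword
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push ebx
    call func_0057F329
    add esp, 4
JMP_2_1:
    popad
    jmp JMP_0_2
JMP_2_2:
    pushad
    mov ebp, 004CDDFAh                ; selection record (ebp restored by popad)
    push 1004h                        ; mode
    push 0                            ; stackaddr
    push 0                            ; dumpaddr
    push dword ptr [ebp]              ; asmaddr = selection start
    push 0                            ; threadid
    call dword ptr [OD_Setcpu]
    add esp, 14h
    popad
    jmp JMP_0_2

    ;------------------
    ;0057F58F
JMP_SUB_1:
    pushad
    mov ebp, 004CDDFAh                ; selection record (ebp restored by popad)
    push dword ptr [ebp]
    call dword ptr [OD_Findmemory]
    add esp, 4
    test eax, eax
    je JMP_3_1
    push 1
    push 4
    push dword ptr [ebp]
    mov ebx, 0050B140h                ; scratch dword
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    mov ecx, dword ptr [ebp+4]
    sub ecx, dword ptr [ebp]          ; ecx = selection size
    ; Infoline is cdecl and the argument count differs between the two
    ; branches below, so the stack pointer is saved instead of using a
    ; fixed "add esp".  The original always did "add esp, 1Ch" and so left
    ; 8 bytes behind on the small-selection path.
    mov esi, esp
    mov edx, offset arg_00425E57_40   ; "%s%X %s%X %s%X"
    cmp ecx, 4
    ja JMP_1_1
    push dword ptr [ebx]              ; current value ...
    push offset arg_00425E57_1A       ; ... and its label
    mov edx, offset arg_00425E57_41   ; "%s%X %s%X %s%X %s%X"
JMP_1_1:
    push ecx
    push offset arg_00425E57_1B       ; block size
    mov eax, dword ptr [ebp+4]
    dec eax
    push eax
    push offset arg_00425E57_20       ; end
    push dword ptr [ebp]
    push offset arg_00425E57_30       ; start
    push edx
    call dword ptr [OD_Infoline]
    mov esp, esi                      ; drop 7 or 9 arguments
    popad
    jmp JMP_0_3

    ;------------------
    ;0057F65E
JMP_SUB_3:                            ; the author notes this path was never hit
    ;call DebugBreak
    push eax
    mov eax, dword ptr [ebp+10h]      ; host local: the virtual key
    or al, 20h
    cmp eax, 74h                      ; 't'
    pop eax
    jnz JMP_0_3
    pushad
    mov edx, 004CDDFAh                ; selection record
    push 1
    push 4
    push dword ptr [edx]
    mov ebx, 0050AFE0h                ; scratch dword
    push ebx
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push dword ptr [ebx]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je JMP_3_1
    push 34h                          ; mode
    push 0                            ; stackaddr
    push 0                            ; dumpaddr
    push dword ptr [ebx]              ; asmaddr = the dword just read
    push 0                            ; threadid
    call dword ptr [OD_Setcpu]
    add esp, 14h
    mov edx, 004CDDFAh
    mov eax, dword ptr [edx]          ; selection start += 4 (also written to +8)
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx], eax
    mov dword ptr [edx+8], eax
    mov eax, dword ptr [edx+4]        ; selection end += 4
    lea eax, dword ptr [eax+4]
    mov dword ptr [edx+4], eax
    mov ebx, dword ptr [edx-4]        ; NOTE(review): meaning of the dwords at -4/-8 is undocumented
    cmp eax, ebx
    jb JMP_3_1
    mov dword ptr [edx-8], ebx
JMP_3_1:
    popad
    jmp JMP_0_3
fix_00425E57 endp

;----------------------------------------------------------------------------
; fix_0042609A (0057F15F) -- jumped to from 0042609A
; ("mov eax, dword ptr [4CDDFAh]"); the author notes it was never hit.
; When esi == 0Dh (presumably the Enter key) and the selected dword points
; at readable memory, calls Setcpu on it: with Shift held as the dump
; address, otherwise as the disassembly address.
; Then re-executes the replaced load and resumes at 0042609Fh.  The
; original reloaded eax from 004CDDFBh (one byte off from the replaced
; instruction, flagged "?????" by the author); 004CDDFAh is used here.
;----------------------------------------------------------------------------
;0057F15F
fix_0042609A proc
    ;call DebugBreak
    pushad
    mov eax, esi
    cmp eax, 0Dh
    jnz L042
    mov ebp, 004CDDFAh                ; selection record (ebp restored by popad)
    mov eax, dword ptr [ebp]
    push eax
    push eax
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    pop eax                           ; pop keeps the flags
    je L042
    push 1
    push 4
    push eax
    mov ebp, 0050AFE0h                ; scratch dword
    push ebp
    call dword ptr [OD_Readmemory]
    add esp, 10h
    push dword ptr [ebp]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je L042
    push VK_SHIFT
    call GetKeyState                  ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    push 34h                          ; mode
    push 0                            ; stackaddr
    je L037
    push dword ptr [ebp]              ; Shift: dumpaddr = value
    push 0                            ;        asmaddr = 0
    jmp L039
L037:
    push 0                            ; no Shift: dumpaddr = 0
    push dword ptr [ebp]              ;           asmaddr = value
L039:
    push 0                            ; threadid
    call dword ptr [OD_Setcpu]
    add esp, 14h
L042:
    popad
    mov eax, dword ptr ds:[004CDDFAh] ; the replaced instruction
    push 0042609Fh
    ret
fix_0042609A endp

;----------------------------------------------------------------------------
; fix_0042670C (0057F100) -- jumped to from 0042670C
; ("cmp [ebp-14h], 0 / jnz 004267D8"); the author notes it was never hit.
; NOTE(review): the hook tests host local [ebp-10h], not the [ebp-14h] of
; the replaced compare -- confirm this is intended.  When it is non-zero,
; reads the dword at the address stored at 004CE1C7h and, if that points at
; readable memory, shows it in the dump; resumes at 004267D8h (taken
; branch) or 00426716h.
;----------------------------------------------------------------------------
;0057F100
fix_0042670C proc
    ;call DebugBreak
    cmp dword ptr [ebp-10h], 0
    je L028
    pushad
    mov ebp, 004CE1C7h                ; address derived by the author (ebp restored by popad)
    mov eax, dword ptr [ebp]
    push 3
    push 4
    push eax
    mov eax, 0050AFE0h                ; scratch dword
    push eax
    call dword ptr [OD_Readmemory]
    add esp, 10h
    mov eax, 0050AFE0h
    push dword ptr [eax]
    call dword ptr [OD_Findmemory]
    pop ecx
    test eax, eax
    je L026
    push 34h                          ; mode
    push 0                            ; stackaddr
    mov eax, 0050AFE0h
    push dword ptr [eax]              ; dumpaddr = the dword read
    push 0                            ; asmaddr
    push 0                            ; threadid
    call dword ptr [OD_Setcpu]
    add esp, 14h
L026:
    popad
    push 004267D8h
    ret
L028:
    push 00426716h
    ret
fix_0042670C endp

;----------------------------------------------------------------------------
; fix_0043134C (004AF644) -- jumped to from 0043134C
; ("add esp, 10h / cmp eax, ebx"), reached when a new process is loaded.
; Before the host pops the four arguments of the call that just returned,
; replaces every '%' in the buffer named by the first argument slot with a
; space, over the byte count in the third slot (which slots carry which
; value is inferred from the hook -- confirm at 0043134C).  This keeps
; a '%' from reaching a later format-string consumer.
; The original skipped a '%' that sat in the final byte and, with a zero
; count, branched on stale flags; both handled here.  Relies on DF=0 (Win32
; ABI).  Resumes at 00431351h with the compare's flags.
;----------------------------------------------------------------------------
;004AF644
fix_0043134C proc
    ;call DebugBreak
    push ecx
    push eax
    push edi
    mov edi, dword ptr [esp+0Ch]      ; buffer (1st argument slot of the returned call)
    mov ecx, dword ptr [esp+14h]      ; byte count (3rd argument slot)
    mov al, 25h                       ; '%'
    jecxz L011
L006:
    repne scas byte ptr es:[edi]      ; ZF=1 on a hit, ecx = bytes remaining after it
    jne L011                          ; exhausted without a hit
    mov byte ptr [edi-1], 20h         ; ' '
    test ecx, ecx
    jnz L006                          ; a hit in the final byte ends with ecx == 0
L011:
    pop edi
    pop eax
    pop ecx
    add esp, 10h                      ; the replaced instructions
    cmp eax, ebx
    push 00431351h
    ret
fix_0043134C endp

;----------------------------------------------------------------------------
; fix_00437376 (004AF67A) -- jumped to from 00437376 ("push 7F02h").
; Builds "<host dir>\UDD" and "<host dir>\plugin" in szPatchName and writes
; each to the host's ini file (the key/section/file-name strings live at
; fixed addresses inside the host image).  The copies are skipped when the
; directory string would not fit: szPatchName is MAX_PATH bytes and the
; original copied without a bound.  Re-executes the push and resumes at
; 0043737Bh.  All registers preserved (pushad/popad).
;----------------------------------------------------------------------------
;004AF67A
fix_00437376 proc
    pushad
    mov esi, 004D3868h                ; host directory string ("path name" in the author's notes)
    push esi
    call lstrlenA
    inc eax
    mov ebx, eax                      ; ebx = strlen(path) + 1
    cmp ebx, MAX_PATH - 7             ; room for '\' + "plugin" + NUL
    ja L_done
    mov edi, offset szPatchName
    ; <dir>\UDD
    push esi
    push edi
    call lstrcpyA                     ;<jmp.&KERNEL32.lstrcpyA>
    mov byte ptr [ebx+edi-1], 5Ch     ; '\' replaces the terminating NUL
    mov byte ptr [ebx+edi], 0
    push chr$("UDD")
    lea eax, [ebx+edi]
    push eax
    call lstrcpyA                     ;<jmp.&KERNEL32.lstrcpyA>
    push 004D53A4h                    ; lpFileName
    push edi                          ; lpString
    push 004B74FDh                    ; lpKeyName
    push 004B747Eh                    ; lpAppName
    call WritePrivateProfileStringA   ;<jmp.&KERNEL32.WritePrivateProfileStringA>
    ; <dir>\plugin
    push esi
    push edi
    call lstrcpyA                     ;<jmp.&KERNEL32.lstrcpyA>
    mov byte ptr [ebx+edi-1], 5Ch
    mov byte ptr [ebx+edi], 0
    push chr$("plugin")
    lea eax, [ebx+edi]
    push eax
    call lstrcpyA                     ;<jmp.&KERNEL32.lstrcpyA>
    push 004D53A4h                    ; lpFileName
    push edi                          ; lpString
    push 004B7506h                    ; lpKeyName
    push 004B747Eh                    ; lpAppName
    call WritePrivateProfileStringA   ;<jmp.&KERNEL32.WritePrivateProfileStringA>
L_done:
    popad
    push 7F02h                        ; the replaced instruction
    push 0043737Bh
    ret
fix_00437376 endp

;----------------------------------------------------------------------------
; fix_00446A1C (004AF740) -- jumped to from 00446A1C ("push 200h"); the
; author notes it was never hit.
; Performs the host's MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED,
; [ebp-288h], ebx, [ebp-588h], 200h) itself and, when the last wide char
; written is 0, sets its low byte to 1 (behaviour kept from the original).
; A zero result now leaves the buffer alone (the original then wrote to the
; word in front of it).  ebx is no longer clobbered, so the host sees the
; registers it would have after its own call.  Resumes at 00446A39h.
;----------------------------------------------------------------------------
;004AF740
fix_00446A1C proc
    ;call DebugBreak
    lea edx, dword ptr ss:[ebp-588h]  ; wide-char destination (host local)
    lea ecx, dword ptr ss:[ebp-288h]  ; multibyte source (host local)
    push ecx
    push edx
    push 200h                         ; cchWideChar (the replaced push)
    push edx                          ; lpWideCharStr
    push ebx                          ; cbMultiByte
    push ecx                          ; lpMultiByteStr
    push MB_PRECOMPOSED
    push CP_ACP
    call MultiByteToWideChar          ;<jmp.&KERNEL32.MultiByteToWideChar>
    pop edx
    pop ecx
    test eax, eax
    jz L021                           ; nothing converted
    lea edx, [edx+eax*2-2]            ; last wide char written (eax kept)
    cmp word ptr ds:[edx], 0
    jne L021
    mov byte ptr ds:[edx], 1
L021:
    push 00446A39h
    ret
fix_00446A1C endp

;----------------------------------------------------------------------------
; fix_0044EF88 (0057F1F5) -- jumped to from 0044EF88 ("call 004A7C50");
; the author notes it was never hit and marked it "possibly wrong".
; Shift+'c' / Shift+'v' set edi (76h / 77h; 'v' also measures the clipboard
; text via func_0057F255 and stores [ebx+385h] and [ebx+385h]+length into
; host locals [ebp-50h]/[ebp-54h]) and resume at 00451411h.
; NOTE(review): that path returns with the pushad frame (32 bytes) still
; on the stack -- confirm the code at 00451411h expects it; every other
; path pops it.  Ctrl+'8' copies the dword at [ebx+385h] to the clipboard.
; Otherwise performs the replaced call and resumes at 0044EF8Dh; the call
; is emulated with push/push/ret so eax is not clobbered beforehand as it
; was by the original's "mov eax, 004A7C50h / call eax".
;----------------------------------------------------------------------------
;0057F1F5
fix_0044EF88 proc
    ;call DebugBreak
    pushad
    push VK_SHIFT
    call GetKeyState                  ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    je L105
    mov eax, dword ptr ss:[ebp+10h]   ; host local: the virtual key
    or al, 20h
    cmp eax, 63h                      ; 'c'
    jnz L011
    mov edi, 76h
    jmp L022
L011:
    cmp eax, 76h                      ; 'v'
    jnz L023
    mov edi, 77h
    push dword ptr ss:[ebp+8]         ; hwnd
    call func_0057F255
    add esp, 4
    push dword ptr ds:[ebx+385h]
    pop dword ptr ss:[ebp-50h]
    push dword ptr ds:[ebx+385h]
    pop dword ptr ss:[ebp-54h]
    add dword ptr ss:[ebp-54h], eax
L022:
    ;call DebugBreak
    push 00451411h
    ret
L023:
    popad
    push 0044EF8Dh                    ; return address for the callee
    push 004A7C50h                    ; == "call 004A7C50" from 0044EF88
    ret
L105:
    push VK_CONTROL
    call GetKeyState                  ;<jmp.&USER32.GetKeyState>
    test ax, 8000h
    je L023
    mov eax, dword ptr ss:[ebp+10h]   ; host local: the virtual key
    or al, 20h
    cmp eax, 38h                      ; '8'
    jnz L023
    lea eax, dword ptr ds:[ebx+385h]
    push eax
    call func_0057F329
    add esp, 4
    jmp L023
fix_0044EF88 endp

;----------------------------------------------------------------------------
; fix_00464A67 (0057FAF2) -- jumped to from 00464A67
; ("lea eax, [esi+1] / push eax / mov edx, [ebx]"), reached when a new
; process is loaded.
; Clamps the count in esi to 0FFh, NUL-terminates [edi+esi] and pushes esi
; (the replaced code pushed esi+1 and left eax = esi+1; the hook leaves
; eax = 0 -- kept as the author wrote it).  The compare is unsigned so an
; out-of-range count is clamped instead of indexing before edi (the original
; used jle).  Resumes at 00464A6Dh.
;----------------------------------------------------------------------------
;0057FAF2
fix_00464A67 proc
    ;call DebugBreak
    cmp esi, 0FFh
    jbe L003
    mov esi, 0FFh
L003:
    xor eax, eax
    mov byte ptr ds:[esi+edi], al
    push esi
    mov edx, dword ptr ds:[ebx]       ; the replaced load
    push 00464A6Dh
    ret
fix_00464A67 endp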
地主 发表时间: 07-04-07 23:11