Baymax (大白) 2.9 tutorial: hooking an API and using stored variables
This post was last edited by hpindigo on 2019-1-22 12:53. To test Baymax I wrote a simple program; all it needs is pyg.dll extracted next to it.
The program contains a small region of code that is simply XORed, 0040106C-0040108C; the call 00401000 is the routine that decodes it.
0040103B |.68 2C304000       push 0040302C                             ; /FileName = ".\PYG.dll"
00401040 |.FF15 08204000     call dword ptr [<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
00401046 |.8D4D F0           lea ecx, dword ptr [ebp-0x10]
00401049 |.E8 EE000000       call <jmp.&MFC42.#CString::CString_540>
0040104E |.8D4D EC           lea ecx, dword ptr [ebp-0x14]
00401051 |.C745 FC 00000000  mov dword ptr [ebp-0x4], 0x0
00401058 |.E8 DF000000       call <jmp.&MFC42.#CString::CString_540>
0040105D |.C645 FC 01        mov byte ptr [ebp-0x4], 0x1
00401061 |.E8 9AFFFFFF       call 00401000
00401066 |.FF15 04204000     call dword ptr [<&KERNEL32.GetVersion>]   ; kernel32.GetVersion
0040106C |.55                push ebp
0040106D |?A6                cmps byte ptr [esi], byte ptr es:[edi]
0040106E |.F626              mul byte ptr [esi]
00401070 |.F6C5 26           test ch, 0x26
00401073 |?56                push esi
00401074 |?26:66:E5 5B       in ax, 0x5B
00401078 |?26:56             push esi
0040107A |?26:66:67:13 68 B7 adc bp, word ptr es:[bx+si-0x49]
00401080 |?A6                cmps byte ptr [esi], byte ptr es:[edi]
00401081 |.DF26              fbld tbyte ptr [esi]
00401083 |?56                push esi
00401084 |?26:66:E5 8F       in ax, 0x8F
00401088 |?^ 76 EF           jbe short 00401079
0040108A |?27                daa
0040108B |?^ 76 F6           jbe short 00401083
0040108D |>8D45 DC           lea eax, dword ptr [ebp-0x24]
00401090 |.50                push eax                                  ; /pLocaltime
00401091 |.FF15 0C204000     call dword ptr [<&KERNEL32.GetLocalTime>] ; \GetLocalTime
00401097 |.8B4D E2           mov ecx, dword ptr [ebp-0x1E]
Let's hook first. Why hook at all? Because when pyg.dll is loaded the code has not been decoded yet, so a signature search at that point would fail. Instead we can have the patch run at a chosen address,
so that the signature search is only performed once execution reaches 401066.
00401066 |.FF15 04204000     call dword ptr [<&KERNEL32.GetVersion>]   ; kernel32.GetVersion
0040106C |.33C0              xor eax, eax
0040106E |.90                nop
0040106F |.40                inc eax
00401070 |.90                nop
00401071 |.A3 40304000       mov dword ptr [0x403040], eax
00401076 |.833D 40304000 01  cmp dword ptr [0x403040], 0x1
0040107D |.75 0E             jnz short 0040108D
0040107F |.D1C0              rol eax, 1                  ; eax = 1 at this point
00401081 |.B9 40304000       mov ecx, 00403040           ; eax = 2 here; this is where we change eax to eax+2 and then save it into the variable ID_SAVENAME_1
00401086 |.83E9 10           sub ecx, 0x10               ; this is where we load ID_SAVENAME_1 back into eax
00401089 |.8941 10           mov dword ptr [ecx+0x10], eax
0040108C |.90                nop
0040108D |>8D45 DC           lea eax, dword ptr [ebp-0x24]
00401090 |.50                push eax                                  ; /pLocaltime
00401091 |.FF15 0C204000     call dword ptr [<&KERNEL32.GetLocalTime>] ; \GetLocalTime
00401097 |.8B4D E2           mov ecx, dword ptr [ebp-0x1E]
Below is the Baymax project file (the PATCHTYPE value 异常中断补丁 is the exception-breakpoint patch type):
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
PATCHTYPE = 异常中断补丁
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO = EAX::I,D,2
HOOKTYPE = 2
HOOKDLL = testPYG.exe
HOOKAPI =
HOOKDATA1 = 4198502
// the value above is 0x401066 written in decimal
HOOKDATA2 = 0
PATCHCOUNT = 3
PATCH_VA_0 = 2
PATCH_SRC_0 = D1 C0
PATCH_DEST_0 =EAX::I,D,2
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 83 E9 10 89 41 10
PATCH_DEST_1 =SD::S,ID_SAVENAME_1,R,D,EAX
PATCH_NOTE_1 =
PATCH_VA_2 = 3
PATCH_SRC_2 = 83 E9 10 89 41 10
PATCH_DEST_2 =EAX::U,D,ID_SAVENAME_1
PATCH_NOTE_2 =
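As an added example (my own Python, not code from this post or from Baymax), here is a small model of what the scheme above asks the tool to do: parse the KEY = VALUE lines, take the hook address from HOOKDATA1, and locate each PATCH_SRC signature in a copy of the code. The two memory images are transcribed from the listings in this post (bytes only); the scheme parser and the resolution rule (patch address = signature match + PATCH_VA) are my reading of the scheme format, not Baymax's documented semantics. Running the search against the still-encoded bytes finds nothing, which is exactly why the hook has to fire at 401066, after call 00401000 has decoded the region.

```python
"""Resolve Baymax PATCH_SRC signatures against a memory image (added example)."""

# Constructed image of testPYG.exe from 0x401066, transcribed from the two
# OllyDbg listings in this post.  The 33 bytes at 0x40106C-0x40108C are what
# call 00401000 leaves behind once its XOR loop has run.
IMAGE_BASE = 0x401066
DECRYPTED = bytes.fromhex(
    "FF15 04204000 "     # 401066  call dword ptr [<&KERNEL32.GetVersion>]
    "33C0 90 40 90 "     # 40106C  xor eax,eax / nop / inc eax / nop
    "A3 40304000 "       # 401071  mov [403040], eax
    "833D 40304000 01 "  # 401076  cmp dword ptr [403040], 1
    "75 0E "             # 40107D  jnz short 40108D
    "D1C0 "              # 40107F  rol eax, 1                     (PATCH_SRC_0)
    "B9 40304000 "       # 401081  mov ecx, 403040
    "83E9 10 8941 10 "   # 401086  sub ecx,10 / mov [ecx+10],eax  (PATCH_SRC_1 and _2)
    "90 "                # 40108C  nop
    "8D45 DC 50 "        # 40108D  lea eax,[ebp-24] / push eax
    "FF15 0C204000 "     # 401091  call dword ptr [<&KERNEL32.GetLocalTime>]
    "8B4D E2"            # 401097  mov ecx, [ebp-1E]
)
# The same 33 bytes before the XOR loop has run (first listing in the post).
XOR_REGION = bytes.fromhex(
    "55 A6 F626 F6C5 26 56 26 66 E5 5B 26 56 "
    "26 66 67 13 68 B7 A6 DF26 56 26 66 E5 8F 76 EF 27 76 F6"
)
ENCRYPTED = DECRYPTED[:6] + XOR_REGION + DECRYPTED[6 + len(XOR_REGION):]

# The keys of the first scheme in the post that matter for locating the patches.
SCHEME = """\
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
HOOKTYPE = 2
HOOKDLL = testPYG.exe
HOOKDATA1 = 4198502
PATCHCOUNT = 3
PATCH_VA_0 = 2
PATCH_SRC_0 = D1 C0
PATCH_DEST_0 =EAX::I,D,2
PATCH_VA_1 = 0
PATCH_SRC_1 = 83 E9 10 89 41 10
PATCH_DEST_1 =SD::S,ID_SAVENAME_1,R,D,EAX
PATCH_VA_2 = 3
PATCH_SRC_2 = 83 E9 10 89 41 10
PATCH_DEST_2 =EAX::U,D,ID_SAVENAME_1
"""


def parse_scheme(text):
    """KEY = VALUE lines into a dict; lines starting with // are comments."""
    scheme = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            scheme[key.strip()] = value.strip()
    return scheme


def hook_address(scheme):
    """HOOKDATA1 is written in decimal (4198502 == 0x401066)."""
    return int(scheme["HOOKDATA1"])


def resolve_patches(scheme, image, image_base):
    """Return the address of every PATCH_i, or None when its signature is
    absent or ambiguous.  Assumed rule: address = unique match + PATCH_VA_i."""
    addresses = []
    for i in range(int(scheme["PATCHCOUNT"])):
        sig = bytes.fromhex(scheme[f"PATCH_SRC_{i}"])
        if image.count(sig) != 1:
            addresses.append(None)
            continue
        addresses.append(image_base + image.find(sig) + int(scheme[f"PATCH_VA_{i}"]))
    return addresses


if __name__ == "__main__":
    scheme = parse_scheme(SCHEME)
    print(f"hook at {hook_address(scheme):#x}")
    for label, image in (("before decode", ENCRYPTED), ("after decode", DECRYPTED)):
        found = resolve_patches(scheme, image, IMAGE_BASE)
        print(label, [None if a is None else f"{a:#x}" for a in found])
```

The same search run at DLL-load time (the ENCRYPTED image) returns None for all three patches; run at the 401066 hook it yields 401081, 401086 and 401089, matching the annotated listing.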
Of course, the hook can also be placed on an API instead of an address:
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
PATCHTYPE = 异常中断补丁
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO = EAX::I,D,2
HOOKTYPE = 1
HOOKDLL = kernel32.dll
HOOKAPI = GetVersion
HOOKDATA1 = 0
HOOKDATA2 = 0
PATCHCOUNT = 3
PATCH_VA_0 = 2
PATCH_SRC_0 = D1 C0
PATCH_DEST_0 =EAX::I,D,2
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 83 E9 10 89 41 10
PATCH_DEST_1 =SD::S,ID_SAVENAME_1,R,D,EAX
PATCH_NOTE_1 =
PATCH_VA_2 = 3
PATCH_SRC_2 = 83 E9 10 89 41 10
PATCH_DEST_2 =EAX::U,D,ID_SAVENAME_1
PATCH_NOTE_2 =
Next we test modifying a global variable directly. First we need a place where the global variable's address can be read from a fixed location:
0040106C |.33C0              xor eax, eax
0040106E |.90                nop
0040106F |.40                inc eax
00401070 |.90                nop
00401071 |.A3 40304000       mov dword ptr [0x403040], eax   ; esi = 40106C
00401076 |.833D 40304000 01  cmp dword ptr [0x403040], 0x1
So when execution is at 40106C we can read the bytes 40 30 40 00 through esi: the dword at [esi+6] is the operand of the mov at 401071, i.e. the address 00403040 of the global variable.
004010AC |.51                push ecx                        ; this is where we make the modification
004010AD |.52                push edx
004010AE |.8B15 40304000     mov edx, dword ptr [0x403040]
004010B4 |.25 FFFF0000       and eax, 0xFFFF
004010B9 |.8D4D F0           lea ecx, dword ptr [ebp-0x10]
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
PATCHTYPE = 异常中断补丁
PROCESS = C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO =SD::S,ID_SAVENAME_2,M,D,ESI,6
HOOKTYPE = 2
HOOKDLL = testPYG.exe
HOOKAPI = GetVersion
HOOKDATA1 = 4198
HOOKDATA2 = 0
PATCHCOUNT = 2
PATCH_VA_0 = 0
PATCH_SRC_0 = 33 C0 90 40
PATCH_DEST_0 =SD::S,ID_SAVENAME_2,M,D,ESI,6
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 51 52
PATCH_DEST_1 =SA,0::U,ID_SAVENAME_2,I,D,5
PATCH_NOTE_1 =
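As an added example (my own Python, not code from this post or from Baymax), here is a tiny model of registers, memory and saved variables that replays the two directives of the scheme above, and, for comparison, the three register directives of the first scheme. The directive grammar is my reading of the five forms that appear in this post (I = add, U = use a saved value, S with R = save a register, S with M = save a dword read through a register plus offset, SA = write to the address held in a saved value); Baymax's real semantics may differ. The starting state is constructed: esi = 40106C as the post states, the code bytes at 40106C from the listing, and the global at 403040 already holding the 1 that mov [403040], eax stores.

```python
"""Replay Baymax PATCH_DEST directives on a small CPU/memory model (added example)."""
import struct


class Memory:
    """Flat little-endian memory built from (base, bytes) segments."""

    def __init__(self, *segments):
        self.segments = [(base, bytearray(data)) for base, data in segments]

    def _locate(self, addr, size):
        for base, buf in self.segments:
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped address {addr:#x}")

    def read32(self, addr):
        buf, off = self._locate(addr, 4)
        return struct.unpack_from("<I", buf, off)[0]

    def write32(self, addr, value):
        buf, off = self._locate(addr, 4)
        struct.pack_into("<I", buf, off, value & 0xFFFFFFFF)


def run_directive(directive, regs, mem, saved):
    """Apply one PATCH_DEST directive.  Grammar as read from this post (assumed):

    REG::I,D,n            REG += n                          (I = increase, D = decimal)
    REG::U,D,NAME         REG = saved[NAME]                 (U = use)
    SD::S,NAME,R,D,REG    saved[NAME] = REG                 (SD = save data, R = register)
    SD::S,NAME,M,D,REG,k  saved[NAME] = dword at [REG + k]  (M = memory)
    SA,k::U,NAME,I,D,n    dword at [saved[NAME] + k] += n   (SA = save to address)
    """
    target, _, body = directive.partition("::")
    ops = body.split(",")
    if target == "SD" and ops[0] == "S":
        name, source = ops[1], ops[2]
        if source == "R":
            saved[name] = regs[ops[4]]
        elif source == "M":
            saved[name] = mem.read32(regs[ops[4]] + int(ops[5]))
        else:
            raise ValueError(directive)
    elif target.startswith("SA,") and ops[0] == "U" and ops[2] == "I":
        addr = saved[ops[1]] + int(target[3:])
        mem.write32(addr, mem.read32(addr) + int(ops[4]))
    elif ops[0] == "I":
        regs[target] = (regs[target] + int(ops[2])) & 0xFFFFFFFF
    elif ops[0] == "U":
        regs[target] = saved[ops[2]]
    else:
        raise ValueError(directive)


def simulate_global_patch():
    """Third scheme: learn the global's address at 40106C, then add 5 to it at 4010AC."""
    code = bytes.fromhex("33C0 90 40 90 A3 40304000")  # constructed: the bytes at 0x40106C
    mem = Memory((0x40106C, code), (0x403040, (1).to_bytes(4, "little")))
    regs, saved = {"ESI": 0x40106C}, {}
    run_directive("SD::S,ID_SAVENAME_2,M,D,ESI,6", regs, mem, saved)  # at the 401066 hook
    run_directive("SA,0::U,ID_SAVENAME_2,I,D,5", regs, mem, saved)    # at the 4010AC patch
    return saved["ID_SAVENAME_2"], mem.read32(0x403040)


def simulate_register_patch():
    """First scheme: eax is 2 at 401081; add 2, save it, load it back at 401089."""
    mem = Memory()
    regs, saved = {"EAX": 2}, {}
    for d in ("EAX::I,D,2", "SD::S,ID_SAVENAME_1,R,D,EAX", "EAX::U,D,ID_SAVENAME_1"):
        run_directive(d, regs, mem, saved)
    return regs["EAX"], saved["ID_SAVENAME_1"]


if __name__ == "__main__":
    addr, value = simulate_global_patch()
    print(f"ID_SAVENAME_2 = {addr:#x}, dword at [{addr:#x}] = {value}")
    print("EAX, ID_SAVENAME_1 =", simulate_register_patch())
```

The point of the M,D,ESI,6 form is that the scheme never hard-codes 403040: the address is lifted out of the mov instruction's immediate at run time, so the same scheme survives a rebuild that moves the global as long as the code bytes at the signature stay the same.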
Program and project files: **** Hidden Message *****
Don't understand it, but supporting anyway.
First reply! Here to learn. Thanks for the effort, 雷神.
I haven't seen version 2.9 released.
Replying to take a look; thanks in advance, OP!
Taking the floor seat, supporting 雷神. I don't quite get it at a glance; bookmarking first, will study it later. o(* ̄︶ ̄*)o
Very good! GOOD!! Thanks for the hard work.
Thanks for sharing.
Thanks for providing this, I'll study it carefully.
Thanks for sharing.