This post was last edited by hpindigo on 2019-1-22 12:53
To test Baymax (大白), I made a simple program. It only needs pyg.dll to be dropped alongside it.
The program contains a small piece of code that is simply XOR-encoded, 0040106C-0040108C; call 00401000 is the decryption routine.
0040103B |. 68 2C304000 push 0040302C ; /FileName = ".\PYG.dll"
00401040 |. FF15 08204000 call dword ptr [<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
00401046 |. 8D4D F0 lea ecx, dword ptr [ebp-0x10]
00401049 |. E8 EE000000 call <jmp.&MFC42.#CString::CString_540>
0040104E |. 8D4D EC lea ecx, dword ptr [ebp-0x14]
00401051 |. C745 FC 00000000 mov dword ptr [ebp-0x4], 0x0
00401058 |. E8 DF000000 call <jmp.&MFC42.#CString::CString_540>
0040105D |. C645 FC 01 mov byte ptr [ebp-0x4], 0x1
00401061 |. E8 9AFFFFFF call 00401000
00401066 |. FF15 04204000 call dword ptr [<&KERNEL32.GetVersion>] ; kernel32.GetVersion
0040106C |. 55 push ebp
0040106D |? A6 cmps byte ptr [esi], byte ptr es:[edi]
0040106E |. F626 mul byte ptr [esi]
00401070 |. F6C5 26 test ch, 0x26
00401073 |? 56 push esi
00401074 |? 2666e55b in ax, 0x5b
00401078 |? 2656 push esi
0040107A |? 26:66:67:1368 B7 adc bp, word ptr es:[bx+si+0xFFB7]
00401080 |? A6 cmps byte ptr [esi], byte ptr es:[edi]
00401081 |. DF26 fbld tbyte ptr [esi]
00401083 |? 56 push esi
00401084 |? 2666e58f in ax, 0x8f
00401088 |?^ 76 EF jbe short 00401079
0040108A |? 27 daa
0040108B |?^ 76 F6 jbe short 00401083
0040108D |> 8D45 DC lea eax, dword ptr [ebp-0x24]
00401090 |. 50 push eax ; /pLocaltime
00401091 |. FF15 0C204000 call dword ptr [<&KERNEL32.GetLocalTime>] ; \GetLocalTime
00401097 |. 8B4D E2 mov ecx, dword ptr [ebp-0x1E]
First we hook. Why hook? Because when pyg.dll is loaded the code has not been decoded yet, so the signature search would fail. We can apply the patch at a specified location, so that the signature search is only performed once execution reaches 401066.
00401066 |. FF15 04204000 call dword ptr [<&KERNEL32.GetVersion>] ; kernel32.GetVersion
0040106C |. 33C0 xor eax, eax
0040106E |. 90 nop
0040106F |. 40 inc eax
00401070 |. 90 nop
00401071 |. A3 40304000 mov dword ptr [0x403040], eax
00401076 |. 833D 40304000 01 cmp dword ptr [0x403040], 0x1
0040107D |. 75 0E jnz short 0040108D
0040107F |. D1C0 rol eax, 1 ; eax=1 here
00401081 |. B940304000 mov ecx, 00403040 ; eax=2 here; we modify eax=eax+2 at this point and save it to the variable ID_SAVENAME_1
00401086 |. 83E9 10 sub ecx, 0x10 ; here we assign ID_SAVENAME_1 back to eax
00401089 |. 8941 10 mov dword ptr [ecx+0x10], eax
0040108C |. 90 nop
0040108D |> 8D45 DC lea eax, dword ptr [ebp-0x24]
00401090 |. 50 push eax ; /pLocaltime
00401091 |. FF15 0C204000 call dword ptr [<&KERNEL32.GetLocalTime>] ; \GetLocalTime
00401097 |. 8B4D E2 mov ecx, dword ptr [ebp-0x1E]
Below is the Baymax project file:
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
[BAYMAX]
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
[ITEM_0]
PATCHTYPE = 异常中断补丁
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO = EAX:[V:2,R:0,B:0,T:0,A:10]:I,D,2
HOOKTYPE = 2
HOOKDLL = testPYG.exe
HOOKAPI =
HOOKDATA1 = 4198502
// The value above is 0x401066
HOOKDATA2 = 0
PATCHCOUNT = 3
PATCH_VA_0 = 2
PATCH_SRC_0 = D1 C0
PATCH_DEST_0 =EAX:[V:2,R:0,B:0,T:0,A:10]:I,D,2
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 83 E9 10 89 41 10
PATCH_DEST_1 =SD:[V:2,R:0,B:0,T:0]:S,ID_SAVENAME_1,R,D,EAX
PATCH_NOTE_1 =
PATCH_VA_2 = 3
PATCH_SRC_2 = 83 E9 10 89 41 10
PATCH_DEST_2 =EAX:[V:2,R:0,B:0,T:0]:U,D,ID_SAVENAME_1
PATCH_NOTE_2 =
Of course, the hook can also target an API instead:
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
[BAYMAX]
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
[ITEM_0]
PATCHTYPE = 异常中断补丁
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO = EAX:[V:2,R:0,B:0,T:0,A:10]:I,D,2
HOOKTYPE = 1
HOOKDLL = kernel32.dll
HOOKAPI = GetVersion
HOOKDATA1 = 0
HOOKDATA2 = 0
PATCHCOUNT = 3
PATCH_VA_0 = 2
PATCH_SRC_0 = D1 C0
PATCH_DEST_0 =EAX:[V:2,R:0,B:0,T:0,A:10]:I,D,2
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 83 E9 10 89 41 10
PATCH_DEST_1 =SD:[V:2,R:0,B:0,T:0]:S,ID_SAVENAME_1,R,D,EAX
PATCH_NOTE_1 =
PATCH_VA_2 = 3
PATCH_SRC_2 = 83 E9 10 89 41 10
PATCH_DEST_2 =EAX:[V:2,R:0,B:0,T:0]:U,D,ID_SAVENAME_1
PATCH_NOTE_2 =
Next we test modifying a global variable directly. First we need to find a place where the address of the global variable can be read reliably:
0040106C |. 33C0 xor eax, eax
0040106E |. 90 nop
0040106F |. 40 inc eax
00401070 |. 90 nop
00401071 |. A3 40304000 mov dword ptr [0x403040], eax ; esi=40106C
00401076 |. 833D 40304000>cmp dword ptr [0x403040], 0x1
So when execution is at 40106C we can use esi to read 40304000.
004010AC |. 51 push ecx ; here we modify the contents of [0x403040]
004010AD |. 52 push edx
004010AE |. 8B15 40304000 mov edx, dword ptr [0x403040]
004010B4 |. 25 FFFF0000 and eax, 0xFFFF
004010B9 |. 8D4D F0 lea ecx, dword ptr [ebp-0x10]
// This is a patch scheme created by Baymax Patch Tools, do not modify!!!
[BAYMAX]
PROCESS =C:\Users\Administrator\Desktop\testPYG.exe
TITLE =
AUTHOR =
ITEMCOUNT = 1
VERSION = 2
OPTION = 0
[ITEM_0]
PATCHTYPE = 异常中断补丁
PROCESS = C:\Users\Administrator\Desktop\testPYG.exe
MODULE =C:\Users\Administrator\Desktop\testPYG.exe
PROCESSCHECK = 0
MODULECHECK = 0
SHOWNAME = testPYG.exe(testPYG.exe)
SHOWINFO =SD:[V:2,R:0,B:0,T:0]:S,ID_SAVENAME_2,M,D,ESI,6
HOOKTYPE = 2
HOOKDLL = testPYG.exe
HOOKAPI = GetVersion
HOOKDATA1 = 4198
HOOKDATA2 = 0
PATCHCOUNT = 2
PATCH_VA_0 = 0
PATCH_SRC_0 = 33 C0 90 40
PATCH_DEST_0 =SD:[V:2,R:0,B:0,T:0]:S,ID_SAVENAME_2,M,D,ESI,6
PATCH_NOTE_0 =
PATCH_VA_1 = 0
PATCH_SRC_1 = 51 52
PATCH_DEST_1 =SA,0:[V:2,R:0,B:0,T:0]:U,ID_SAVENAME_2,I,D,5
PATCH_NOTE_1 =
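Added example (not part of the original post, and not Baymax's own code): a small Python model of why the hook has to sit after the decryption call, and of how the third project file recovers the global's address. It embeds the 33 on-disk bytes of 0040106C-0040108C from the first listing; the single-byte XOR key 0x66 is my inference from comparing the encoded and decoded listings, since the post only says "simple XOR".

```python
# On-disk (still XOR-encoded) bytes of 0040106C-0040108C, copied from the
# first OllyDbg listing in the post. KEY is my inference from XORing the
# encoded listing against the decoded one; the post only says "simple XOR".
BASE = 0x40106C
KEY = 0x66
ENCODED = bytes.fromhex(
    "55 A6 F6 26 F6 C5 26 56 26 66 E5 5B 26 56 26 66 67 13 68 B7 "
    "A6 DF 26 56 26 66 E5 8F 76 EF 27 76 F6"
)

# Signature bytes and PATCH_VA offsets as they appear in the project files.
PATCHES = {
    "PATCH_0 (EAX = 2)":     (bytes.fromhex("D1 C0"), 2),
    "PATCH_1 (save EAX)":    (bytes.fromhex("83 E9 10 89 41 10"), 0),
    "PATCH_2 (restore EAX)": (bytes.fromhex("83 E9 10 89 41 10"), 3),
}

def decode(region, key=KEY):
    """Undo the program's XOR, i.e. what call 00401000 does at runtime."""
    return bytes(b ^ key for b in region)

def locate(region, sig, va_off, base=BASE):
    """Virtual address where a patch applies (signature match + PATCH_VA),
    or None when the signature is absent, which is what happens if the
    signature search runs before the decryption call has executed."""
    idx = region.find(sig)
    return None if idx < 0 else base + idx + va_off

def resolve_patches(region):
    return {name: locate(region, sig, off) for name, (sig, off) in PATCHES.items()}

def global_var_address(region):
    """Third project file: at the '33 C0 90 40' match ESI == 40106C, and the
    dword at [ESI+6] is the operand of 'mov [0x403040], eax', i.e. the
    address of the global (the M,D,ESI,6 read in SHOWINFO)."""
    idx = region.find(bytes.fromhex("33 C0 90 40"))
    return None if idx < 0 else int.from_bytes(region[idx + 6:idx + 10], "little")

if __name__ == "__main__":
    print("before decode:", resolve_patches(ENCODED))  # every signature -> None
    decoded = decode(ENCODED)
    for name, va in resolve_patches(decoded).items():
        print(f"{name}: {va:#x}")
    print(f"global variable at {global_var_address(decoded):#x}")
```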
Program and project files: