Hmily posted on 2008-10-9 19:34

Statically injecting a functional DLL: attaching it to the program's body


Written by golds7n, Released@UnPackCn

[Note]:
Functional DLL -- the DLL that carries out the cracking job

Remember lpk.dll? Right, that kind of tenacious fighter! Today, let's give that fighter a makeover, add more reason to it, and accomplish the great cracking feat.

[Approach]:
Because the lpk.dll style of loading is not 100% compatible, and many packers already have anti measures against it, we need a new way to get our DLL loaded.

The approach of this tutorial is:

In the exe's 00 00 00 00 00 ... magic space (a zero-filled cave), set up a new OEP and inject shellcode that loads the DLL; once it is loaded, jmp OldOep back to the exe's original entry point, and the job is done.
Reminder: if the packer has a checksum, after injecting the code you have to fix the checksum or simply patch the check out.

[Sample code]:
This code loads usdisp.dll from the program's directory; you can change the ASCII string to suit your case.
00ADE4B5   E8 07000000          CALL Client.00ADE4C1            ; **runs the shellcode that loads the target DLL
00ADE4BA   E9 556BF6FF          JMP Client.00A45014             ; **jump back to the original OEP; change this jmp to match the target
00ADE4BF   0000                 ADD BYTE PTR DS:[EAX],AL        ; two padding bytes, never executed
00ADE4C1   55                   PUSH EBP
00ADE4C2   8BEC                 MOV EBP,ESP
00ADE4C4   83C4 EC              ADD ESP,-14                     ; locals: [EBP-4] kernel32 base, [EBP-8] -> "LoadLibraryA", [EBP-C] name length, [EBP-14] LoadLibraryA address
00ADE4C7   EB 56                JMP SHORT Client.00ADE51F       ; skip over the export-lookup helper below
00ADE4C9   8B45 FC              MOV EAX,DWORD PTR SS:[EBP-4]    ; helper: module base
00ADE4CC   8B40 3C              MOV EAX,DWORD PTR DS:[EAX+3C]   ; e_lfanew
00ADE4CF   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]    ; -> IMAGE_NT_HEADERS
00ADE4D2   8B40 78              MOV EAX,DWORD PTR DS:[EAX+78]   ; export directory RVA
00ADE4D5   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]
00ADE4D8   89C6                 MOV ESI,EAX                     ; ESI -> IMAGE_EXPORT_DIRECTORY
00ADE4DA   8B48 18              MOV ECX,DWORD PTR DS:[EAX+18]   ; NumberOfNames
00ADE4DD   8B40 20              MOV EAX,DWORD PTR DS:[EAX+20]   ; AddressOfNames RVA
00ADE4E0   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]
00ADE4E3   89C3                 MOV EBX,EAX                     ; EBX -> table of name RVAs
00ADE4E5   31D2                 XOR EDX,EDX                     ; EDX = name index
00ADE4E7   51                   PUSH ECX
00ADE4E8   56                   PUSH ESI
00ADE4E9   8B00                 MOV EAX,DWORD PTR DS:[EAX]      ; RVA of the current export name
00ADE4EB   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]
00ADE4EE   8B75 F8              MOV ESI,DWORD PTR SS:[EBP-8]    ; ESI -> "LoadLibraryA"
00ADE4F1   89C7                 MOV EDI,EAX                     ; EDI -> export name
00ADE4F3   8B4D F4              MOV ECX,DWORD PTR SS:[EBP-C]    ; compare 0C bytes
00ADE4F6   FC                   CLD
00ADE4F7   F3:A6                REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00ADE4F9   5E                   POP ESI
00ADE4FA   74 09                JE SHORT Client.00ADE505        ; name matched
00ADE4FC   42                   INC EDX
00ADE4FD   83C3 04              ADD EBX,4                       ; next name entry
00ADE500   89D8                 MOV EAX,EBX
00ADE502   59                   POP ECX
00ADE503   E2 E2                LOOPD SHORT Client.00ADE4E7
00ADE505   83C4 04              ADD ESP,4                       ; discard the saved ECX
00ADE508   89F0                 MOV EAX,ESI
00ADE50A   8B40 1C              MOV EAX,DWORD PTR DS:[EAX+1C]   ; AddressOfFunctions RVA
00ADE50D   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]
00ADE510   C1E2 02              SHL EDX,2
00ADE513   01D0                 ADD EAX,EDX
00ADE515   8B00                 MOV EAX,DWORD PTR DS:[EAX]      ; function RVA
00ADE517   0345 FC              ADD EAX,DWORD PTR SS:[EBP-4]    ; EAX = address of LoadLibraryA
00ADE51A   EB 02                JMP SHORT Client.00ADE51E
00ADE51C   31C0                 XOR EAX,EAX                     ; not reached
00ADE51E   C3                   RETN
00ADE51F   64:8B05 30000000     MOV EAX,DWORD PTR FS:[30]       ; PEB
00ADE526   8B40 0C              MOV EAX,DWORD PTR DS:[EAX+C]    ; PEB->Ldr
00ADE529   8B70 1C              MOV ESI,DWORD PTR DS:[EAX+1C]   ; InInitializationOrderModuleList.Flink
00ADE52C   AD                   LODS DWORD PTR DS:[ESI]         ; second entry of the list
00ADE52D   8B40 08              MOV EAX,DWORD PTR DS:[EAX+8]    ; its DllBase (the shellcode assumes this is kernel32)
00ADE530   8945 F0              MOV DWORD PTR SS:[EBP-10],EAX
00ADE533   8945 FC              MOV DWORD PTR SS:[EBP-4],EAX
00ADE536   C745 F4 0C000000     MOV DWORD PTR SS:[EBP-C],0C     ; strlen("LoadLibraryA")
00ADE53D   E8 0D000000          CALL Client.00ADE54F            ; pushes the address of the string below
00ADE542   4C 6F 61 64 4C 69 62 72 61 72 79 41 00   DB "LoadLibraryA",0
00ADE54F   58                   POP EAX                         ; EAX -> "LoadLibraryA"
00ADE550   8945 F8              MOV DWORD PTR SS:[EBP-8],EAX
00ADE553   E8 71FFFFFF          CALL Client.00ADE4C9            ; resolve LoadLibraryA
00ADE558   8945 EC              MOV DWORD PTR SS:[EBP-14],EAX
00ADE55B   E8 0B000000          CALL Client.00ADE56B            ; pushes the address of the DLL name
00ADE560   75 73 64 69 73 70 2E 64 6C 6C 00         DB "usdisp.dll",0 ; **ASCII usdisp.dll
00ADE56B   FF55 EC              CALL DWORD PTR SS:[EBP-14]      ; LoadLibraryA("usdisp.dll")
00ADE56E   8BE5                 MOV ESP,EBP
00ADE570   5D                   POP EBP
00ADE571   C3                   RETN                            ; back to the JMP at 00ADE4BA
Hex sequence:
E8 07 00 00 00 E9 55 6B F6 FF 00 00 55 8B EC 83 C4 EC EB 56 8B 45 FC 8B 40 3C 03 45 FC 8B 40 78
03 45 FC 89 C6 8B 48 18 8B 40 20 03 45 FC 89 C3 31 D2 51 56 8B 00 03 45 FC 8B 75 F8 89 C7 8B 4D
F4 FC F3 A6 5E 74 09 42 83 C3 04 89 D8 59 E2 E2 83 C4 04 89 F0 8B 40 1C 03 45 FC C1 E2 02 01 D0
8B 00 03 45 FC EB 02 31 C0 C3 64 8B 05 30 00 00 00 8B 40 0C 8B 70 1C AD 8B 40 08 89 45 F0 89 45
FC C7 45 F4 0C 00 00 00 E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 58 89 45 F8 E8 71
FF FF FF 89 45 EC E8 0B 00 00 00 75 73 64 69 73 70 2E 64 6C 6C 00 FF 55 EC 8B E5 5D C3

After making the changes, use a tool such as Loadpe to set the OEP to the CALL at the start of the shellcode, and the job is done.
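An added triage helper for the defender's side of this (not part of the original post and not golds7n's code): given the bytes found at a suspicious new entry point, it recovers the original OEP from the `CALL`/`JMP` stub, flags the `FS:[30]` PEB walk, and pulls out the inline strings hidden behind the "CALL over data" trick, which is how an analyst identifies the side-loaded DLL and restores the entry point. The byte sequence and base address are the ones posted above.

```python
import struct

# Constructed input: the hex sequence from the post, loaded at its listed address.
STUB_BASE = 0x00ADE4B5
STUB = bytes.fromhex(
    "E8 07 00 00 00 E9 55 6B F6 FF 00 00 55 8B EC 83 C4 EC EB 56 8B 45 FC 8B 40 3C 03 45 FC 8B 40 78 "
    "03 45 FC 89 C6 8B 48 18 8B 40 20 03 45 FC 89 C3 31 D2 51 56 8B 00 03 45 FC 8B 75 F8 89 C7 8B 4D "
    "F4 FC F3 A6 5E 74 09 42 83 C3 04 89 D8 59 E2 E2 83 C4 04 89 F0 8B 40 1C 03 45 FC C1 E2 02 01 D0 "
    "8B 00 03 45 FC EB 02 31 C0 C3 64 8B 05 30 00 00 00 8B 40 0C 8B 70 1C AD 8B 40 08 89 45 F0 89 45 "
    "FC C7 45 F4 0C 00 00 00 E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 58 89 45 F8 E8 71 "
    "FF FF FF 89 45 EC E8 0B 00 00 00 75 73 64 69 73 70 2E 64 6C 6C 00 FF 55 EC 8B E5 5D C3"
)

PEB_FS30 = bytes.fromhex("64 8B 05 30 00 00 00")  # MOV EAX,DWORD PTR FS:[30]


def rel32_target(blob, off, base):
    """Absolute target of the E8/E9 rel32 instruction that starts at blob[off]."""
    rel = struct.unpack_from("<i", blob, off + 1)[0]
    return base + off + 5 + rel


def inline_strings(blob):
    """Strings laid out right behind a short forward CALL (E8 <len>): the CALL
    skips the string and leaves its address on the stack for the POP that follows."""
    found = []
    for off in range(len(blob) - 5):
        if blob[off] != 0xE8:
            continue
        n = struct.unpack_from("<i", blob, off + 1)[0]
        if not 2 <= n <= 64 or off + 5 + n > len(blob):
            continue
        data = blob[off + 5:off + 5 + n]
        if data[-1] == 0 and all(0x20 <= b < 0x7F for b in data[:-1]):
            found.append(data[:-1].decode("ascii"))
    return found


def analyze_stub(blob, base):
    """Return None unless blob starts with the CALL-then-JMP entry stub;
    otherwise report where it goes, where it returns to, and what it names."""
    if len(blob) < 10 or blob[0] != 0xE8 or blob[5] != 0xE9:
        return None
    return {
        "shellcode_entry": rel32_target(blob, 0, base),
        "old_oep": rel32_target(blob, 5, base),   # value to restore as the real OEP
        "peb_walk": PEB_FS30 in blob,
        "strings": inline_strings(blob),
    }


if __name__ == "__main__":
    print({k: hex(v) if isinstance(v, int) else v for k, v in analyze_stub(STUB, STUB_BASE).items()})
```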

Hmily posted on 2008-10-9 19:38

Sun is amazing, this patching method is really cool~

wesley posted on 2008-10-9 20:42

Nice. Looks like LPK really is on its way out. This is impressive; I think I "saw" this method in a dream one night, I just couldn't write it...

wesley posted on 2008-10-9 20:50

Bowing down once more.... this code is really awesome.

wajwh33 posted on 2008-12-2 20:52

Showing my support ····