Hmily
Posted on 2009-1-21 23:50
From:cyto http://hi.baidu.com/cyto
ThemIDA Custom Build v.2.0.5.0.exe
Put a write breakpoint on the code section; it breaks the second time at:
01165ADD 8930 mov dword ptr ds:[eax],esi ; comdlg32.PageSetupDlgW
patchCRC:
01162A3A 3985 991AC107 cmp dword ptr ss:[ebp+7C11A99],eax ; Themida_.010012C4
01162A40 0F84 8E000000 je 01162AD4 ; Themida_.01162AD4
Magic jmp:
01163591 2BD9 sub ebx,ecx ; comdlg32.PageSetupDlgW
01163593 0F84 DF000000 je 01163678 ; Themida_.01163678
...
011635BF 2BD9 sub ebx,ecx ; comdlg32.PageSetupDlgW
011635C1 0F84 B1000000 je 01163678 ; Themida_.01163678
...
01163609 2BD9 sub ebx,ecx ; comdlg32.PageSetupDlgW
0116360B 0F84 67000000 je 01163678 ; Themida_.01163678
hookVM:
010EC0FC 3BC8 cmp ecx,eax ; Themida_.010012C4
010EC0FE 9C pushfd
010EC0FF ^\E9 8C73FFFF jmp 010E3490 ; jmp 117f8c0
0117F8C0 3D 0000E677 cmp eax,77E60000 ; kernel32.dll
0117F8C5 74 1A je short 0117F8E1
0117F8C7 3D 00006D79 cmp eax,796D0000 ; advapi32.dll
0117F8CC 74 13 je short 0117F8E1
0117F8CE 3D 0000DF77 cmp eax,77DF0000 ; user32.dll
0117F8D3 74 0C je short 0117F8E1
0117F8D5 EB 11 jmp short 0117F8E8
0117F8D7 0000 add byte ptr ds:[eax],al
0117F8D9 0000 add byte ptr ds:[eax],al
0117F8DB 0000 add byte ptr ds:[eax],al
0117F8DD 0000 add byte ptr ds:[eax],al
0117F8DF 0000 add byte ptr ds:[eax],al
0117F8E1 C70424 87020000 mov dword ptr ss:[esp],287
0117F8E8 ^ E9 A33BF6FF jmp 010E3490 ; Themida_.010E3490
3D 00 00 E6 77 74 1A 3D 00 00 6D 79 74 13 3D 00 00 DF 77 74 0C EB 11 00 00 00 00 00 00 00 00 00
00 C7 04 24 87 02 00 00 E9 A3 3B F6 FF
That gets you all the functions.
Fix up the stolen OEP.
For the cross-platform modification, refer to the earlier article.
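An added consistency check for the hookVM stub above (my own Python, not code from the post): it confirms that the pasted byte string matches the listing, resolves every relative branch from its encoded displacement and compares it with the target printed in the listing, and encodes the 5-byte near jmp needed to send the jmp at 010EC0FF to the stub at 0117F8C0. The listing is transcribed into a constant; the padding entry and its label are my own.

```python
# Transcription of the hookVM stub listed in the post: (address, opcode bytes, mnemonic).
HOOK_STUB = [
    (0x0117F8C0, "3D0000E677", "cmp eax,77E60000"),  # kernel32 base
    (0x0117F8C5, "741A", "je short 0117F8E1"),
    (0x0117F8C7, "3D00006D79", "cmp eax,796D0000"),  # advapi32 base
    (0x0117F8CC, "7413", "je short 0117F8E1"),
    (0x0117F8CE, "3D0000DF77", "cmp eax,77DF0000"),  # user32 base
    (0x0117F8D3, "740C", "je short 0117F8E1"),
    (0x0117F8D5, "EB11", "jmp short 0117F8E8"),
    (0x0117F8D7, "00" * 10, "(padding)"),            # the five "add byte ptr [eax],al" lines
    (0x0117F8E1, "C7042487020000", "mov dword ptr ss:[esp],287"),  # overwrite EFLAGS saved by pushfd
    (0x0117F8E8, "E9A33BF6FF", "jmp 010E3490"),      # back into the original handler
]

# Raw patch bytes exactly as pasted at the end of the post.
PASTED_BYTES = ("3D 00 00 E6 77 74 1A 3D 00 00 6D 79 74 13 3D 00 00 DF 77 74 0C EB 11 "
                "00 00 00 00 00 00 00 00 00 00 C7 04 24 87 02 00 00 E9 A3 3B F6 FF")

def stub_bytes(stub):
    """Concatenate the listing's opcode bytes in address order."""
    return bytes.fromhex("".join(h for _, h, _ in stub))

def branch_target(addr, code):
    """Resolve a rel8 (EB / 7x) or rel32 (E9) relative branch at addr; None for non-branches."""
    op = code[0]
    if op == 0xE9:
        return (addr + 5 + int.from_bytes(code[1:5], "little", signed=True)) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return (addr + 2 + int.from_bytes(code[1:2], "little", signed=True)) & 0xFFFFFFFF
    return None

def check_stub(stub):
    """List inconsistencies: address gaps/overlaps, or a branch whose displacement misses the listed target."""
    problems, expected = [], stub[0][0]
    for addr, hexb, mnem in stub:
        code = bytes.fromhex(hexb)
        if addr != expected:
            problems.append(f"{addr:08X}: expected {expected:08X} (gap or overlap)")
        expected = addr + len(code)
        target = branch_target(addr, code)
        if target is not None:
            listed = int(mnem.split()[-1], 16)  # target address is the last token of the mnemonic
            if target != listed:
                problems.append(f"{addr:08X}: encodes {target:08X}, listing says {listed:08X}")
    return problems

def near_jmp(from_addr, to_addr):
    """Encode the 5-byte E9 jmp from from_addr to to_addr (displacement is relative to the next instruction)."""
    disp = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return bytes([0xE9]) + disp.to_bytes(4, "little")
```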