一个无花无壳无反调试CM--CM有问题作废

SeriousSnow

CM有问题作废 感谢  苏紫方璇 为我修改代码

虚无空幻

vs2015写的.我喜欢

苏紫方璇

还没下，看楼主的代码，我猜是Hook了MessageBox

SeriousSnow

苏紫方璇 发表于 2016-8-9 19:46
还没下，看楼主的代码，我猜是Hook了MessageBox

这肯定有不过不止这样

苏紫方璇

wjdxs1 发表于 2016-8-9 20:00
这肯定有不过不止这样

下来看了下，不知道是我没有找对地方，还是楼主代码有问题，RVA:0x1350这个函数获取到MessageBoxW的地址，并且构造出jmp后，函数地址却变成了WriteProcessMemory，并且句柄也变了，导致后面的设置保护、写入内存全部因为句柄无效而失败。

SeriousSnow

苏紫方璇 发表于 2016-8-9 20:54
下来看了下，不知道是我没有找对地方，还是楼主代码有问题，RVA:0x1350这个函数获取到MessageBoxW的地址 ...

。。其实我真的也是第一次写这种东西。。只是自己测试了一下貌似达到了预期的目的就发上来了。附上源码好了，大牛看看吧，指正一下

[C] 纯文本查看 复制代码

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <malloc.h>

int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
void GetHookData();
void HookOn();
void HookOff();

DWORD OldProtect, RETAddr;
FARPROC OldAddr;
BYTE OldCode[5], NewCode[5];
HANDLE hProcess;
char str1[100], str2[100];
FARPROC pp;
int main()
{
	char ch;
	pp = malloc(150);
	GetHookData();
	printf("Please Input Name:");
	scanf("%99s", str1);
	while ((ch = getchar()) != '\n');
	printf("Please Input Password:");
	scanf("%99s", str2);
	while ((ch = getchar()) != '\n');
	HookOn();
	MessageBoxW(0, L"Faild!", L"O(∩_∩)O哈哈~", 0);
	return 0;
}


int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
	int ret;
	int len1 = strlen(str1);
	int len2 = strlen(str2);
	char * suc = "SUCCESS!";
	char * fai = "Faild!";
	int i, j;
	int sum1 = 0, sum2 = 0;
	HookOff();
	for (i = 1; i < len1; i++)
		sum1 += str1[i] - str1[i - 1];
	for (j = 0; j < len2 - 1; j++)
		sum2 += str1[i] - str2[i + 1];
	if (sum1 == sum2)
		ret = MessageBoxW(hWnd, L"SUCCESS!", L"O(∩_∩)O哈哈~", uType);
	else
		ret = MessageBoxW(hWnd, L"Faild!", L"O(∩_∩)O哈哈~", uType);
	HookOn();
	return ret;
}

void GetHookData()
{
	hProcess = GetCurrentProcess();
	OldAddr = GetProcAddress(LoadLibraryA((LPCSTR)"user32.dll"), (LPCSTR)"MessageBoxW");
	if (OldAddr)
	{
		_asm
		{
			lea edi, OldCode
			mov esi, OldAddr
			mov ecx, 5
			rep movsb
		}

		_asm
		{
			lea edi, pp
			lea esi, MyMessageBox
			mov ecx, 150
			rep movsb
		}


		NewCode[0] = 0xe9;
		_asm
		{
			cld
			mov eax,pp
			mov ebx, OldAddr
			sub eax, ebx
			sub eax, 5
			mov dword ptr[NewCode + 1], eax
		}
	}
	else
	{
		exit(0);
	}

}


void HookOn()
{
	VirtualProtectEx(hProcess, OldAddr, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
	WriteProcessMemory(hProcess, OldAddr, NewCode, 5, 0);
	VirtualProtectEx(hProcess, OldAddr, 5, OldProtect, &OldProtect);
}

void HookOff()
{
	VirtualProtectEx(hProcess, OldAddr, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
	WriteProcessMemory(hProcess, OldAddr, OldCode, 5, 0);
	VirtualProtectEx(hProcess, OldAddr, 5, OldProtect, &OldProtect);
}

苏紫方璇

我对照仔细看了下  貌似是这句的问题

把MyMessageBox的内容赋值给pp时把OldAddr给覆盖了造成的

苏紫方璇

我把楼主的代码稍微修改了下，去掉了内联汇编

[C] 纯文本查看 复制代码

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <malloc.h>

int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
void GetHookData();
void HookOn();
void HookOff();

DWORD OldProtect, RETAddr;
FARPROC OldAddr;
BYTE OldCode[5], NewCode[5];
HANDLE hProcess;
char str1[100], str2[100];
void *pp;
int main()
{
	char ch;
	pp = malloc(150);
	GetHookData();
	printf("Please Input Name:");
	scanf("%99s", str1);
	while ((ch = getchar()) != '\n');
	printf("Please Input Password:");
	scanf("%99s", str2);
	while ((ch = getchar()) != '\n');
	HookOn();
	MessageBoxW(0, L"Faild!", L"O(∩_∩)O哈哈~", 0);
	return 0;
}


int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
	int ret;
	int len1 = strlen(str1);
	int len2 = strlen(str2);
	char * suc = "SUCCESS!";
	char * fai = "Faild!";
	int i, j;
	int sum1 = 0, sum2 = 0;
	HookOff();
	for (i = 1; i < len1; i++)
		sum1 += str1[i] - str1[i - 1];
	for (j = 0; j < len2 - 1; j++)
		sum2 += str1[i] - str2[i + 1];
	if (sum1 == sum2)
		ret = MessageBoxW(hWnd, L"SUCCESS!", L"O(∩_∩)O哈哈~", uType);
	else
		ret = MessageBoxW(hWnd, L"Faild!", L"O(∩_∩)O哈哈~", uType);
	HookOn();
	return ret;
}

void GetHookData()
{
	hProcess = GetCurrentProcess();
	OldAddr = GetProcAddress(LoadLibraryA((LPCSTR)"user32.dll"), (LPCSTR)"MessageBoxW");
	if (OldAddr)
	{
		memcpy(OldCode, OldAddr, 5);
		memcpy(pp, MyMessageBox, 150);
		NewCode[0] = 0xe9;
		DWORD JmpAddr = (DWORD)pp - (DWORD)OldAddr - 5;
		memcpy(&NewCode[1], &JmpAddr, 5);
	}
	else
	{
		exit(0);
	}

}


void HookOn()
{
	VirtualProtectEx(hProcess, OldAddr, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
	WriteProcessMemory(hProcess, OldAddr, NewCode, 5, 0);
	VirtualProtectEx(hProcess, OldAddr, 5, OldProtect, &OldProtect);
	VirtualProtectEx(hProcess, pp, 150, PAGE_EXECUTE_READWRITE, &OldProtect);
}

void HookOff()
{
	VirtualProtectEx(hProcess, OldAddr, 5, PAGE_EXECUTE_READWRITE, &OldProtect);
	WriteProcessMemory(hProcess, OldAddr, OldCode, 5, 0);
	VirtualProtectEx(hProcess, OldAddr, 5, OldProtect, &OldProtect);
	VirtualProtectEx(hProcess, pp, 150, PAGE_READWRITE, &OldProtect);
}

此外此代码只能用于Release编译模式，debug模式下，MyMessageBox函数下面是一堆jmp，导致pp里面也是一堆混乱的jmp而访问到不可预料的地方。

SeriousSnow

苏紫方璇 发表于 2016-8-9 21:46
我把楼主的代码稍微修改了下，去掉了内联汇编
[mw_shl_code=c,true]#include
#include

这个我知道~