加壳器
.386
.model flat,stdcall
option casemap:none
assume fs:nothing
;[+0] 本模块实例句柄
;[+4] kernel32.dll 模块基址
;[+8] GetProcAddress 函数地址
;[+0Ch] LoadLibraryA 函数地址
;[+10h] user32.dll 模块基址
;[+14h] ClassName
;[+18h]~[+3Ch] WNDCLASSA 结构体
;[+40h] RegisterClassA 函数地址
;[+44h] DefWindowProcA 函数地址
;[+48h] CreateWindowExA 函数地址
;[+4Ch] GetMessageA 函数地址
;[+50h] DispatchMessageA 函数地址
;[+54h]~[+70h] MSG 结构体
;[+74h] 窗口句柄
;[+78h] TranslateMessage 函数地址
;[+7Ch] PostQuitMessage 函数地址
;[+80h] 文件路径字符串
;[+84h] SetWindowTextW 函数地址
;[+88h] GetWindowTextA 函数地址
;[+8Ch] CreateFileW 函数地址
;[+90h] GetFileSize 函数地址
;[+94h] 文件句柄1
;[+98h] 文件1 大小
;[+9Ch] HeapCreate 函数地址
;[+0A0h] HeapAlloc 函数地址
;[+0A4h] HeapFree 函数地址
;[+0A8h] hHeap 句柄
;[+0ACh] 申请出来的堆空间地址
;[+0B0h] ReadFile 函数地址
;[+0B4h] WriteFile 函数地址
;[+0B8h] CloseHandle 函数地址
;[+0BCh] 文件2句柄
;[+0C0h] 壳文件句柄
;[+0C4h] SetFilePointer 函数地址
;[+0C8h] 原始OEP
;[+0CCh] 新OEP
;[+0D0h] 密码
;[+0D4h] GetDlgItemTextA 函数地址
.code
;-----------------------------------------------------------------------
; main — packer entry point (MASM, 32-bit flat/stdcall, Win32 GUI).
; The image has no import table: GetProcAddress is located by walking the
; PEB loader list to kernel32 and scanning its export names; every other
; API is then resolved by name and cached in a table at
;   edi = GetGlobal() = (page of main) + 800h
; whose slot layout is the comment block at the top of this listing.
; Every "call PushStrN / db ... / PushStrN:" pair pushes the address of the
; inline string (as a fake return address) so it becomes the next stdcall
; argument; nothing ever returns to that address.
; NOTE(review): no API result is checked (GetProcAddress, LoadLibraryA,
; RegisterClassA, CreateWindowExA); a 0 lands in the table and is called
; later. ebx/esi/edi (callee-saved under stdcall) are clobbered and never
; restored.
; NOTE(review): the layout trick (GetGlobal, "sub edx,800h") only holds if
; main sits at offset 0 of a page and all code stays below +800h of that
; page, with the page writable — confirm against the linked image.
;-----------------------------------------------------------------------
main:
push ebp
mov ebp,esp
call GetGlobal ;eax = global area base
mov edi,eax ;edi = global area for the rest of main
;----------------------------------------------------
mov ebx,fs:[30h] ;ebx = PEB (TEB+30h)
mov ebx,[ebx+0Ch] ;PEB->Ldr
mov ebx,[ebx+0Ch] ;Ldr->InLoadOrderModuleList.Flink: first entry = this exe
mov edx,[ebx+18h] ;LDR_DATA_TABLE_ENTRY.DllBase
mov [edi],edx ;[+0] this module's image base (HINSTANCE)
mov ebx,[ebx] ;next entry (expected: ntdll)
mov ebx,[ebx] ;next entry (expected: kernel32) — presumes load order exe, ntdll, kernel32; verify on the target OS
mov ebx,[ebx+18h] ;DllBase of that entry
mov [edi+4],ebx ;[+4] kernel32.dll base
mov eax,[ebx+3Ch] ;e_lfanew (file offset of IMAGE_NT_HEADERS)
add eax,ebx ;offset => VA
mov eax,[eax+78h] ;OptionalHeader.DataDirectory[EXPORT].VirtualAddress (PE32 layout)
add eax,ebx ;RVA => VA, eax = IMAGE_EXPORT_DIRECTORY
mov edx,[eax+20h] ;AddressOfNames RVA
add edx,ebx ;RVA => VA
xor ecx,ecx ;ecx = index into the name table
MyLoop:
mov esi,[edx+ecx*4] ;RVA of name[ecx]
add esi,ebx ;RVA => VA
inc ecx ;ecx++ (ecx-1 is the entry being tested)
cmp byte ptr[esi],'G' ;fingerprint: bytes 0,3,7 of "GetProcAddress" are 'G','P','A'
jnz MyLoop ;NOTE(review): unbounded — NumberOfNames ([eax+18h]) is never compared, so a miss walks off the table
cmp byte ptr[esi+3],'P'
jnz MyLoop
cmp byte ptr[esi+7],'A'
jnz MyLoop
dec ecx ;ecx = index of the match
mov edx,[eax+24h] ;AddressOfNameOrdinals RVA
add edx,ebx ;RVA => VA
mov cx,[edx+ecx*2] ;cx = ordinal; relies on the upper 16 bits of ecx already being 0 (movzx would make that explicit)
mov edx,[eax+1Ch] ;AddressOfFunctions RVA
add edx,ebx ;RVA => VA
mov esi,[edx+ecx*4] ;function RVA
add esi,ebx ;RVA => VA
mov [edi+8],esi ;[+8] GetProcAddress (esi keeps it for every lookup below)
call PushStr1 ;push &"LoadLibraryA" as lpProcName (see header)
db "LoadLibraryA",0 ;arg2: lpProcName
PushStr1:
push ebx ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0Ch],eax ;[+0Ch] LoadLibraryA
call PushStr2 ;push &"user32.dll"
db "user32.dll",0 ;arg1: lpLibFileName
PushStr2:
call eax ;LoadLibraryA
mov [edi+10h],eax ;[+10h] user32.dll base
mov dword ptr[edi+14h],434241h ;[+14h] class name "ABC",0 (little-endian bytes)
mov dword ptr[edi+18h],0 ;WNDCLASSA.style
mov edx,WndProc-main ;offset of WndProc within the code
add edx,edi ;edi = page(main)+800h ...
sub edx,800h ;... so edx = page(main)+offset = &WndProc, provided main is at page offset 0
mov dword ptr[edi+1Ch],edx ;lpfnWndProc
mov dword ptr[edi+20h],0 ;cbClsExtra
mov dword ptr[edi+24h],0 ;cbWndExtra
mov edx,[edi] ;image base
mov dword ptr[edi+28h],edx ;hInstance
mov dword ptr[edi+2Ch],0 ;hIcon
mov dword ptr[edi+30h],0 ;hCursor
mov dword ptr[edi+34h],0 ;hbrBackground
mov dword ptr[edi+38h],0 ;lpszMenuName
lea edx,[edi+14h] ;&"ABC"
mov dword ptr[edi+3Ch],edx ;lpszClassName
call PushStr3 ;push &"RegisterClassA"
db "RegisterClassA",0 ;arg2: lpProcName
PushStr3:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+40h],eax ;[+40h] RegisterClassA
lea edx,[edi+18h] ;&WNDCLASSA
push edx ;arg1: lpWndClass
call eax ;RegisterClassA (ATOM result unchecked)
call PushStr4 ;push &"DefWindowProcA"
db "DefWindowProcA",0 ;arg2: lpProcName
PushStr4:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+44h],eax ;[+44h] DefWindowProcA
call PushStr9 ;push &"PostQuitMessage"
db "PostQuitMessage",0 ;arg2: lpProcName
PushStr9:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+7Ch],eax ;[+7Ch] PostQuitMessage
call PushStr20 ;push &"SetWindowTextW"
db "SetWindowTextW",0 ;arg2: lpProcName
PushStr20:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+84h],eax ;[+84h] SetWindowTextW
call PushStr21 ;push &"GetWindowTextA"
db "GetWindowTextA",0 ;arg2: lpProcName
PushStr21:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+88h],eax ;[+88h] GetWindowTextA (resolved but unused in this listing)
call PushStr22 ;push &"CreateFileW"
db "CreateFileW",0 ;arg2: lpProcName
PushStr22:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+8Ch],eax ;[+8Ch] CreateFileW
call PushStr23 ;push &"GetFileSize"
db "GetFileSize",0 ;arg2: lpProcName
PushStr23:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+90h],eax ;[+90h] GetFileSize
call PushStr24 ;push &"HeapCreate"
db "HeapCreate",0 ;arg2: lpProcName
PushStr24:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+9Ch],eax ;[+9Ch] HeapCreate
call PushStr25 ;push &"HeapAlloc"
db "HeapAlloc",0 ;arg2: lpProcName
PushStr25:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0A0h],eax ;[+0A0h] HeapAlloc
call PushStr26 ;push &"HeapFree"
db "HeapFree",0 ;arg2: lpProcName
PushStr26:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0A4h],eax ;[+0A4h] HeapFree (resolved but never called — buffers are leaked)
call PushStr27 ;push &"ReadFile"
db "ReadFile",0 ;arg2: lpProcName
PushStr27:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0B0h],eax ;[+0B0h] ReadFile
call PushStr28 ;push &"WriteFile"
db "WriteFile",0 ;arg2: lpProcName
PushStr28:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0B4h],eax ;[+0B4h] WriteFile
call PushStr29 ;push &"CloseHandle"
db "CloseHandle",0 ;arg2: lpProcName
PushStr29:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0B8h],eax ;[+0B8h] CloseHandle
call PushStr30 ;push &"SetFilePointer"
db "SetFilePointer",0 ;arg2: lpProcName
PushStr30:
push [edi+4h] ;arg1: hModule = kernel32
call esi ;GetProcAddress
mov [edi+0C4h],eax ;[+0C4h] SetFilePointer (resolved but unused in this listing)
call PushStr31 ;push &"GetDlgItemTextA"
db "GetDlgItemTextA",0 ;arg2: lpProcName
PushStr31:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+0D4h],eax ;[+0D4h] GetDlgItemTextA
call PushStr5 ;push &"CreateWindowExA"
db "CreateWindowExA",0 ;arg2: lpProcName
PushStr5:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+48h],eax ;[+48h] CreateWindowExA
push 0 ;lpParam
push [edi] ;hInstance
push 0 ;hMenu
push 0 ;hWndParent
push 59 ;nHeight
push 316 ;nWidth
push 300 ;Y
push 500 ;X
push 10080000h ;dwStyle = WS_VISIBLE|WS_SYSMENU
push 0 ;lpWindowName
lea edx,[edi+14h] ;&"ABC"
push edx ;lpClassName
push 00000010h ;dwExStyle = WS_EX_ACCEPTFILES (required to receive WM_DROPFILES)
call eax ;CreateWindowExA
mov [edi+74h],eax ;[+74h] main window handle (NULL not checked)
call CreateControl ;child controls: edit box id 1, OK button id 2
call PushStr6 ;push &"GetMessageA"
db "GetMessageA",0 ;arg2: lpProcName
PushStr6:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+4Ch],eax ;[+4Ch] GetMessageA
call PushStr7 ;push &"DispatchMessageA"
db "DispatchMessageA",0 ;arg2: lpProcName
PushStr7:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+50h],eax ;[+50h] DispatchMessageA
call PushStr8 ;push &"TranslateMessage"
db "TranslateMessage",0 ;arg2: lpProcName
PushStr8:
push [edi+10h] ;arg1: hModule = user32
call esi ;GetProcAddress
mov [edi+78h],eax ;[+78h] TranslateMessage
MsgLoop:
call GetGlobal ;re-derive the global base each pass: WndProc overwrites edi and never restores it
mov edi,eax
push 0 ;wMsgFilterMax
push 0 ;wMsgFilterMin
push 0 ;hWnd = any window of this thread
lea edx,[edi+54h] ;&MSG at [+54h]
push edx ;lpMsg
call dword ptr[edi+4Ch] ;GetMessageA
test eax,eax ;0 = WM_QUIT; NOTE(review): the -1 error return is non-zero and gets dispatched like a message
je Exit1
lea edx,[edi+54h]
push edx ;lpMsg
call dword ptr[edi+78h] ;TranslateMessage
lea edx,[edi+54h]
push edx ;lpMsg
call dword ptr[edi+50h] ;DispatchMessageA (runs WndProc)
jmp MsgLoop
;----------------------------------------------------
Exit1:
pop ebp
ret ;returns into the kernel32 thread-start thunk, which ends the thread/process
;-----------------------------------------------------------------------
; WndProc — LRESULT WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; [ebp+08h]=hWnd  [ebp+0Ch]=uMsg  [ebp+10h]=wParam  [ebp+14h]=lParam
; WM_DESTROY  : PostQuitMessage(0), then falls through to the next checks.
; WM_DROPFILES: remember the dropped path and show it in the title bar.
; WM_COMMAND, id 2 (OK): read the password from edit control 1, load the
;   dropped file, append a section ".XJ" holding the 400h-byte stub read
;   from file "Pack", store password + original OEP in the stub's last 8
;   bytes, point AddressOfEntryPoint at the stub, write the result as "XJ".
; Every path ends in DefWindowProcA, whose result is returned.
; Clobbers ebx, esi, edi (callee-saved under stdcall) without restoring.
; NOTE(review): the output loses DYNAMIC_BASE (ASLR) and gets an RWX code
; section; no API result after the first CreateFileW is checked and the
; heaps/handles opened per click are leaked — see the inline notes.
;-----------------------------------------------------------------------
WndProc:
push ebp
mov ebp,esp
call GetGlobal
mov edi,eax ;edi = global area
;------------------------------------------
WM_DESTROY:
cmp dword ptr[ebp+0Ch],2h ;WM_DESTROY
jnz WM_DROPFILES
push 0 ;nExitCode
call dword ptr[edi+7Ch] ;PostQuitMessage
WM_DROPFILES:
cmp dword ptr[ebp+0Ch],233h ;WM_DROPFILES
jnz WM_COMMAND
mov edx,[ebp+10h] ;wParam = HDROP
mov edx,[edx] ;presumably dereferences the global-memory handle to its DROPFILES block — relies on handle internals; DragQueryFileW is the documented route
add edx,14h ;skip the 14h-byte DROPFILES header to the first path; assumed wide (it is passed to SetWindowTextW/CreateFileW)
mov [edi+80h],edx ;[+80h] path pointer (DragFinish is never called, which keeps the pointer alive but leaks the block)
push edx ;lpString
push [ebp+08h] ;hWnd
call dword ptr[edi+84h] ;SetWindowTextW: show the path in the title bar
WM_COMMAND:
cmp dword ptr[ebp+0Ch],111h ;WM_COMMAND
jnz DefWindowProcA
cmp word ptr[ebp+10h],2 ;LOWORD(wParam) = control id 2 = OK button
jnz DefWindowProcA
push 4 ;cchMax: 3 chars + NUL. NOTE(review): the slot is not zeroed first (the stub zeroes its own), so a shorter password on a later click keeps stale bytes in the dword stored below
lea edx,[edi+0D0h]
push edx ;lpString = [+0D0h] password slot
push 1 ;nIDDlgItem = edit control
push [edi+74h] ;hDlg = main window
call dword ptr[edi+0D4h] ;GetDlgItemTextA
push 0 ;hTemplateFile
push 80h ;FILE_ATTRIBUTE_NORMAL
push 3 ;OPEN_EXISTING
push 0 ;lpSecurityAttributes
push 0 ;dwShareMode (exclusive)
push 0C0000000h ;GENERIC_READ|GENERIC_WRITE
push [edi+80h] ;lpFileName = dropped path (0 if nothing was dropped yet; the open then fails and the je below bails out)
call dword ptr[edi+8Ch] ;CreateFileW
cmp eax,0FFFFFFFFh ;INVALID_HANDLE_VALUE
je DefWindowProcA ;open failed
mov [edi+94h],eax ;[+94h] input file handle
push 0 ;lpFileSizeHigh
push eax ;hFile
call dword ptr[edi+90h] ;GetFileSize (INVALID_FILE_SIZE not checked)
mov [edi+98h],eax ;[+98h] input size
inc eax ;size+1
push eax ;dwMaximumSize: a fixed-size (non-growable) heap of size+1
push eax ;dwInitialSize
push 0 ;flOptions
call dword ptr[edi+9Ch] ;HeapCreate — NOTE(review): unchecked; per the HeapCreate docs a fixed-size heap caps single blocks at a bit under 512 KB, so large inputs fail below
mov [edi+0A8h],eax ;[+0A8h] heap handle (never destroyed: one heap leaked per click)
push [edi+98h] ;dwBytes = file size
push 8 ;HEAP_ZERO_MEMORY
push eax ;hHeap
call dword ptr[edi+0A0h] ;HeapAlloc (NULL not checked)
mov [edi+0ACh],eax ;[+0ACh] file buffer
push 0 ;lpOverlapped
lea edx,[edi+98h] ;lpNumberOfBytesRead aliases the size slot (same value if the read completes)
push edx
push [edi+98h] ;nNumberOfBytesToRead
push eax ;lpBuffer
push [edi+94h] ;hFile
call dword ptr[edi+0B0h] ;ReadFile (result and short read not checked)
push [edi+94h] ;hObject = input file
call dword ptr[edi+0B8h] ;CloseHandle
mov ebx,[edi+0ACh] ;ebx = buffer = IMAGE_DOS_HEADER
cmp word ptr[ebx],5A4Dh ;"MZ"
jnz DefWindowProcA ;not a PE (buffer and heap leak on this path). NOTE(review): "PE\0\0", PE32 vs PE32+ and header room are never checked
mov edx,[ebx+3Ch] ;e_lfanew
add edx,ebx ;offset => pointer into the buffer: IMAGE_NT_HEADERS
add dword ptr[edx+50h],1000h ;OptionalHeader.SizeOfImage += 1000h. NOTE(review): too small whenever the new VA below lands a page past the old end; should be set to newVA+1000h
mov byte ptr[edx+5Eh],0 ;zeroes the low byte of DllCharacteristics: DYNAMIC_BASE (ASLR), HIGH_ENTROPY_VA, FORCE_INTEGRITY. Presumably meant to pin the image base; the stub adds the runtime base itself, so this looks unnecessary and costs the output ASLR
movzx ecx,word ptr[edx+6] ;FileHeader.NumberOfSections
inc word ptr[edx+6] ;NumberOfSections++
add edx,0F8h ;first IMAGE_SECTION_HEADER (18h + PE32 optional header 0E0h)
imul ecx,28h ;sizeof(IMAGE_SECTION_HEADER)
add edx,ecx ;edx = slot for the new header. NOTE(review): no check that 28h free bytes exist before SizeOfHeaders / the first section's raw data
mov dword ptr[edx],004A582Eh ;Name = ".XJ"
mov eax,[edx-1Ch] ;previous section's VirtualAddress
add eax,[edx-18h] ;+ its SizeOfRawData. NOTE(review): should use VirtualSize ([edx-20h]) when that is larger, otherwise the new section overlaps the previous one's in-memory range
and eax,0FFFFF000h
add eax,1000h ;round up to the next page (leaves a one-page gap if already aligned)
mov [edx+0Ch],eax ;VirtualAddress
mov [edi+0CCh],eax ;[+0CCh] new OEP = start of the stub section
mov dword ptr[edx+10h],400h ;SizeOfRawData (VirtualSize at +8 stays 0, so the loader takes this value)
mov eax,[edi+98h]
mov [edx+14h],eax ;PointerToRawData = end of the original file, where the stub is appended; assumes that size is FileAlignment-aligned
mov dword ptr[edx+24h],0E0000020h ;CODE|EXECUTE|READ|WRITE — writable because the stub keeps its data in the same page
mov ebx,[edi+0ACh]
mov edx,[ebx+3Ch]
add edx,ebx ;edx = IMAGE_NT_HEADERS again
mov eax,[edx+28h] ;OptionalHeader.AddressOfEntryPoint
mov [edi+0C8h],eax ;[+0C8h] original OEP (RVA)
mov eax,[edi+0CCh] ;new OEP
mov [edx+28h],eax ;AddressOfEntryPoint = stub
push 0 ;hTemplateFile
push 80h ;FILE_ATTRIBUTE_NORMAL
push 2 ;CREATE_ALWAYS
push 0 ;lpSecurityAttributes
push 0 ;dwShareMode
push 0C0000000h ;GENERIC_READ|GENERIC_WRITE
call PushFileName ;push &L"XJ"
db 'X',0,'J',0,0,0 ;lpFileName: UTF-16 "XJ" in the current directory
PushFileName:
call dword ptr[edi+8Ch] ;CreateFileW. NOTE(review): not compared with INVALID_HANDLE_VALUE, unlike the other two opens
mov [edi+0BCh],eax ;[+0BCh] output file handle
push 0 ;lpOverlapped
lea edx,[edi+98h]
push edx ;lpNumberOfBytesWritten (aliases the size slot)
push [edi+98h] ;nNumberOfBytesToWrite = whole patched image
push [edi+0ACh] ;lpBuffer
push eax ;hFile
call dword ptr[edi+0B4h] ;WriteFile
;-------------------------
push 0 ;hTemplateFile
push 80h ;FILE_ATTRIBUTE_NORMAL
push 3 ;OPEN_EXISTING
push 0 ;lpSecurityAttributes
push 0 ;dwShareMode
push 0C0000000h ;GENERIC_READ|GENERIC_WRITE
call PushFileName2 ;push &L"Pack"
db 'P',0,'a',0,'c',0,'k',0,0,0 ;lpFileName: UTF-16 "Pack" — raw stub code (presumably the stub's code bytes, not a PE file; confirm)
PushFileName2:
call dword ptr[edi+8Ch] ;CreateFileW
cmp eax,0FFFFFFFFh
je DefWindowProcA ;open failed. NOTE(review): "XJ" stays open and half-written on this path
mov [edi+0C0h],eax ;[+0C0h] stub file handle (never closed)
push 1000h ;dwMaximumSize
push 1000h ;dwInitialSize
push 0 ;flOptions
call dword ptr[edi+9Ch] ;HeapCreate (second heap per click, also never destroyed)
push 999h ;dwBytes
push 8 ;HEAP_ZERO_MEMORY
push eax ;hHeap
call dword ptr[edi+0A0h] ;HeapAlloc (unchecked)
mov esi,eax ;esi = stub buffer
push 0 ;lpOverlapped
lea edx,[edi+98h] ;lpNumberOfBytesRead — overwrites the size slot, which is no longer needed
push edx
push 400h ;nNumberOfBytesToRead = stub size
push esi ;lpBuffer
push [edi+0C0h] ;hFile
call dword ptr[edi+0B0h] ;ReadFile (short read not checked)
add esi,400h ;esi = end of stub
mov edx,[edi+0D0h]
mov [esi-4],edx ;stub[3FCh] = password dword, stored as-is (the stub reads it as [edi-4])
mov edx,[edi+0C8h]
mov [esi-8],edx ;stub[3F8h] = original OEP RVA, stored as-is (the stub's [edi-8])
sub esi,400h
push 0 ;lpOverlapped
lea edx,[edi+98h]
push edx ;lpNumberOfBytesWritten
push 400h ;nNumberOfBytesToWrite
push esi ;lpBuffer
push [edi+0BCh] ;hFile = "XJ"; the file pointer sits at the end of the first write
call dword ptr[edi+0B4h] ;WriteFile: append the stub as the .XJ section's raw data
;-------------------------
push [edi+0BCh] ;hObject = "XJ"
call dword ptr[edi+0B8h] ;CloseHandle
DefWindowProcA:
push [ebp+14h] ;lParam
push [ebp+10h] ;wParam
push [ebp+0Ch] ;uMsg
push [ebp+08h] ;hWnd
call dword ptr[edi+44h] ;DefWindowProcA (its result is WndProc's result)
;------------------------------------------
pop ebp
ret 10h ;stdcall: pop the four arguments
;-----------------------------------------------------------------------
; CreateControl — creates the two child controls of the main window:
;   id 1: "Edit" box (password input, read by WndProc via GetDlgItemTextA)
;   id 2: "Button" labelled "OK" (WM_COMMAND with LOWORD(wParam) = 2)
; In: global area via GetGlobal — [edi] = hInstance, [edi+74h] = parent
;     hWnd, [edi+48h] = CreateWindowExA. Clobbers eax, edi, edx.
; The returned HWNDs are discarded and not checked.
;-----------------------------------------------------------------------
CreateControl:
call GetGlobal
mov edi,eax ;edi = global area
push 0 ;lpParam
push [edi] ;hInstance
push 1 ;hMenu = child id 1
push [edi+74h] ;hWndParent = main window
push 20 ;nHeight
push 250 ;nWidth
push 0 ;Y
push 0 ;X
push 50800000h ;WS_VISIBLE|WS_CHILD|WS_BORDER
push 0 ;lpWindowName
call PushStr10 ;push &"Edit" as lpClassName
db "Edit",0 ;lpClassName
PushStr10:
push 0 ;dwExStyle
call dword ptr[edi+48h] ;CreateWindowExA
call GetGlobal ;re-derive edi (WndProc, which may run during creation, overwrites it)
mov edi,eax
push 0 ;lpParam
push [edi] ;hInstance
push 2 ;hMenu = child id 2
push [edi+74h] ;hWndParent
push 20 ;nHeight
push 50 ;nWidth
push 0 ;Y
push 250 ;X
push 50800000h ;WS_VISIBLE|WS_CHILD|WS_BORDER
call PushStr11 ;push &"OK" as lpWindowName
db "OK",0 ;lpWindowName
PushStr11:
call PushStr12 ;push &"Button" as lpClassName
db "Button",0 ;lpClassName
PushStr12:
push 0 ;dwExStyle
call dword ptr[edi+48h] ;CreateWindowExA
ret
;-----------------------------------------------------------------------
; GetGlobal — returns in eax the base of the global data area:
;   (caller's return address rounded down to a 4 KB page) + 800h.
; Valid only while every caller lives in the same page as that data, i.e.
; the whole program (code < 800h bytes) starts at a page boundary and the
; page is writable — confirm against the linked image.
; Clobbers eax and flags only.
;-----------------------------------------------------------------------
GetGlobal:
mov eax,[esp] ;return address of the caller
and eax,0FFFFF000h ;page base
add eax,800h ;data area starts 800h bytes into the page
ret
end main
壳
.386
.model flat,stdcall
option casemap:none
assume fs:nothing
;[-4] Password
;[-8] OEP
;[+100h] 实例句柄
;[+104h] kernel32.dll 模块基址
;[+108h] user32.dll 模块基址
;[+10Ch]~[+130h] WNDCLASSA 结构体
;[+134h]~[+150h] MSG 结构体
;[+154h] Password
;[+0] GetProcAddress
;[+4] LoadLibraryA
;[+8] RegisterClassA
;[+0Ch] CreateWindowExA
;[+10h] DefWindowProcA
;[+14h] GetMessageA
;[+18h] TranslateMessage
;[+1Ch] DispatchMessageA
;[+20h] GetDlgItemTextA
;[+24h] ExitProcess
;[+28h] PostQuitMessage
.code
;-----------------------------------------------------------------------
; main — stub entry point. The packer copies this 400h-byte block into a
; new ".XJ" section and makes it the packed program's entry point.
; Resolves APIs as the packer does (PEB loader list -> kernel32 export
; table -> GetProcAddress), shows a password window, and calls ExitProcess
; when that window closes; WndProc jumps to the original OEP on a match.
; Global area: edi = GetGlobal() = page(main) + 400h (slot map at the top
; of this listing). The packer stores the password at [edi-4] and the
; original OEP RVA at [edi-8], i.e. the last 8 bytes of the stub.
; NOTE(review): the code must stay below 3F8h bytes and the stub must begin
; at a page boundary (the section VA is page-aligned, so it does), else
; GetGlobal and "sub edx,400h" in CreateWindow point into the wrong place.
; NOTE(review): no API result is checked; ebx/esi/edi are clobbered.
;-----------------------------------------------------------------------
main:
call GetGlobal ;edi = global area
;mov ebx,fs:[30h] ;NOTE(review): relies on ebx == PEB at the entry point, which is undocumented loader behaviour; re-enabling this line removes the assumption (check the 400h size budget)
mov ebx,[ebx+0Ch] ;PEB->Ldr
mov ebx,[ebx+0Ch] ;Ldr->InLoadOrderModuleList.Flink: first entry = this exe
mov edx,[ebx+18h] ;DllBase
mov [edi+100h],edx ;[+100h] runtime image base of the packed program
mov ebx,[ebx] ;next entry (expected: ntdll)
mov ebx,[ebx] ;next entry (expected: kernel32) — presumes that load order
mov ebx,[ebx+18h] ;DllBase
mov [edi+104h],ebx ;[+104h] kernel32.dll base
mov eax,[ebx+3Ch] ;e_lfanew of kernel32
add eax,ebx ;offset => VA (IMAGE_NT_HEADERS)
mov eax,[eax+78h] ;OptionalHeader.DataDirectory[EXPORT].VirtualAddress (PE32)
add eax,ebx ;RVA => VA, eax = IMAGE_EXPORT_DIRECTORY
mov edx,[eax+20h] ;AddressOfNames RVA
add edx,ebx ;RVA => VA
xor ecx,ecx ;ecx = index into the name table
MyLoop:
mov esi,[edx+ecx*4] ;RVA of name[ecx]
add esi,ebx ;RVA => VA
inc ecx ;ecx++ (ecx-1 is the entry being tested)
cmp byte ptr[esi],'G' ;fingerprint: bytes 0,3,7 of "GetProcAddress" are 'G','P','A'
jnz MyLoop ;NOTE(review): unbounded — NumberOfNames ([eax+18h]) is never compared
cmp byte ptr[esi+3],'P' ;second fingerprint byte
jnz MyLoop ;
cmp byte ptr[esi+7],'A' ;third fingerprint byte
jnz MyLoop
dec ecx ;ecx = index of the match
mov edx,[eax+24h] ;AddressOfNameOrdinals RVA
add edx,ebx ;RVA => VA
mov cx,[edx+ecx*2] ;cx = ordinal; relies on the upper 16 bits of ecx already being 0
mov edx,[eax+1Ch] ;AddressOfFunctions RVA
add edx,ebx ;RVA => VA
mov esi,[edx+ecx*4] ;function RVA
add esi,ebx ;RVA => VA
mov [edi],esi ;[+0] GetProcAddress
call PushStr1 ;push &"LoadLibraryA": the string's address is pushed as a fake return address and consumed as lpProcName
db "LoadLibraryA",0 ;lpProcName
PushStr1:
push ebx ;hModule = kernel32
call esi ;GetProcAddress
mov [edi+4],eax ;[+4] LoadLibraryA
call PushStr2 ;push &"user32.dll"
db "user32.dll",0
PushStr2:
call eax ;LoadLibraryA
mov [edi+108h],eax ;[+108h] user32.dll base
call MyGetProcAddress ;fill [edi+8]..[edi+28h]
call CreateWindow ;register the class, create the window and its controls
call MessageLoop ;returns when GetMessageA reports WM_QUIT
push 0 ;uExitCode
call dword ptr[edi+24h] ;ExitProcess — never returns; the original program only runs if WndProc jumped to the OEP
;-----------------------------------------------------------------------
; CreateWindow — registers class "XiaoJun" and creates the password window
; (same geometry as the packer's): an "Edit" box id 1 and an "OK" button
; id 2, both children of the main window kept in esi.
; In: edi = global area; [edi+8] = RegisterClassA, [edi+0Ch] =
;     CreateWindowExA, [edi+100h] = hInstance. Clobbers eax, edx, esi.
; Return values are not checked. Uses the "call PushStrN / db / PushStrN:"
; trick to pass inline strings as arguments.
;-----------------------------------------------------------------------
CreateWindow:
mov dword ptr[edi+10Ch],0 ;WNDCLASSA.style
mov edx,WndProc-main ;offset of WndProc within the stub
add edx,edi ;edi = page(main)+400h ...
sub edx,400h ;... so edx = &WndProc while the stub starts at a page boundary
mov dword ptr[edi+110h],edx ;lpfnWndProc
mov dword ptr[edi+114h],0 ;cbClsExtra
mov dword ptr[edi+118h],0 ;cbWndExtra
mov edx,[edi+100h] ;image base
mov dword ptr[edi+11Ch],edx ;hInstance
mov dword ptr[edi+120h],0 ;hIcon
mov dword ptr[edi+124h],0 ;hCursor
mov dword ptr[edi+128h],0 ;hbrBackground
mov dword ptr[edi+12Ch],0 ;lpszMenuName
call PushStr30 ;push &"XiaoJun"
db "XiaoJun",0
PushStr30:
pop edx ;edx = &"XiaoJun" (here the pushed address is popped instead of being consumed as an argument)
mov dword ptr[edi+130h],edx ;lpszClassName
lea edx,[edi+10Ch] ;&WNDCLASSA
push edx ;lpWndClass
call dword ptr[edi+8] ;RegisterClassA
push 0 ;lpParam
push [edi+100h] ;hInstance
push 0 ;hMenu
push 0 ;hWndParent
push 59 ;nHeight
push 316 ;nWidth
push 300 ;Y
push 500 ;X
push 10080000h ;WS_VISIBLE|WS_SYSMENU
push 0 ;lpWindowName
call PushStr31 ;push &"XiaoJun" as lpClassName
db "XiaoJun",0 ;lpClassName
PushStr31:
push 0 ;dwExStyle
call dword ptr[edi+0Ch] ;CreateWindowExA
mov esi,eax ;esi = main window (parent of the controls)
push 0 ;lpParam
push [edi+100h] ;hInstance
push 1 ;hMenu = child id 1 (password box)
push esi ;hWndParent
push 20 ;nHeight
push 250 ;nWidth
push 0 ;Y
push 0 ;X
push 50800000h ;WS_VISIBLE|WS_CHILD|WS_BORDER
push 0 ;lpWindowName
call PushStr32 ;push &"Edit"
db "Edit",0 ;lpClassName
PushStr32:
push 0 ;dwExStyle
call dword ptr[edi+0Ch] ;CreateWindowExA
push 0 ;lpParam
push [edi+100h] ;hInstance
push 2 ;hMenu = child id 2 (OK)
push esi ;hWndParent
push 20 ;nHeight
push 50 ;nWidth
push 0 ;Y
push 250 ;X
push 50800000h ;WS_VISIBLE|WS_CHILD|WS_BORDER
call PushStr33 ;push &"OK"
db "OK",0 ;lpWindowName
PushStr33:
call PushStr34 ;push &"Button"
db "Button",0 ;lpClassName
PushStr34:
push 0 ;dwExStyle
call dword ptr[edi+0Ch] ;CreateWindowExA
ret
;-----------------------------------------------------------------------
; MessageLoop — GetMessageA / TranslateMessage / DispatchMessageA loop on
; the MSG at [edi+134h]; returns when GetMessageA yields 0 (WM_QUIT).
; Re-derives edi via GetGlobal on every pass because WndProc overwrites it.
; Clobbers eax, edi, esi.
; NOTE(review): GetMessageA's -1 error return is non-zero and is dispatched
; like a message.
;-----------------------------------------------------------------------
MessageLoop:
call GetGlobal ;edi = global area
push 0 ;wMsgFilterMax
push 0 ;wMsgFilterMin
push 0 ;hWnd = any window of this thread
lea esi,[edi+134h] ;esi = &MSG
push esi ;lpMsg
call dword ptr[edi+14h] ;GetMessageA
test eax,eax ;0 => WM_QUIT
je Exit
push esi ;lpMsg
call dword ptr[edi+18h] ;TranslateMessage
push esi ;lpMsg
call dword ptr[edi+1Ch] ;DispatchMessageA (runs WndProc)
jmp MessageLoop
Exit:
ret
;-----------------------------------------------------------------------
; MyGetProcAddress — resolves the remaining APIs through [edi] =
; GetProcAddress and caches them in the global area:
;   user32  : [+8] RegisterClassA, [+0Ch] CreateWindowExA, [+10h]
;             DefWindowProcA, [+14h] GetMessageA, [+18h] TranslateMessage,
;             [+1Ch] DispatchMessageA, [+20h] GetDlgItemTextA,
;             [+28h] PostQuitMessage
;   kernel32: [+24h] ExitProcess
; In: edi = global area, [edi+104h] = kernel32, [edi+108h] = user32.
; Each "call PushStrN" pushes the inline string's address as lpProcName.
; Clobbers eax. NOTE(review): results are not checked; a 0 is cached and
; called later.
;-----------------------------------------------------------------------
MyGetProcAddress:
call PushStr3 ;push &"RegisterClassA"
db "RegisterClassA",0
PushStr3:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+8],eax ;[+8] RegisterClassA
call PushStr4 ;push &"CreateWindowExA"
db "CreateWindowExA",0
PushStr4:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+0Ch],eax ;[+0Ch] CreateWindowExA
call PushStr5 ;push &"DefWindowProcA"
db "DefWindowProcA",0
PushStr5:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+10h],eax ;[+10h] DefWindowProcA
call PushStr6 ;push &"GetMessageA"
db "GetMessageA",0
PushStr6:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+14h],eax ;[+14h] GetMessageA
call PushStr7 ;push &"TranslateMessage"
db "TranslateMessage",0
PushStr7:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+18h],eax ;[+18h] TranslateMessage
call PushStr8 ;push &"DispatchMessageA"
db "DispatchMessageA",0
PushStr8:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+1Ch],eax ;[+1Ch] DispatchMessageA
call PushStr9 ;push &"GetDlgItemTextA"
db "GetDlgItemTextA",0
PushStr9:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+20h],eax ;[+20h] GetDlgItemTextA
call PushStr10 ;push &"ExitProcess"
db "ExitProcess",0
PushStr10:
push [edi+104h] ;hModule = kernel32
call dword ptr[edi] ;GetProcAddress
mov [edi+24h],eax ;[+24h] ExitProcess
call PushStr11 ;push &"PostQuitMessage"
db "PostQuitMessage",0
PushStr11:
push [edi+108h] ;hModule = user32
call dword ptr[edi] ;GetProcAddress
mov [edi+28h],eax ;[+28h] PostQuitMessage
ret
;-----------------------------------------------------------------------
; GetGlobal — edi = (caller's return address rounded down to a 4 KB page)
; + 400h. The stub is 400h bytes placed at the page-aligned start of its
; section, so the global area is the rest of that read/write/execute page;
; the packer-written password ([edi-4]) and OEP ([edi-8]) are the stub's
; own last 8 bytes. Valid only while every caller is in the same page.
; Clobbers edi and flags.
;-----------------------------------------------------------------------
GetGlobal:
mov edi,[esp] ;return address of the caller
and edi,0FFFFF000h ;page base = start of the stub
add edi,400h ;data area follows the 400h-byte stub
ret
;-----------------------------------------------------------------------
; WndProc — LRESULT WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; [ebp+08h]=hWnd  [ebp+0Ch]=uMsg  [ebp+10h]=wParam  [ebp+14h]=lParam
; WM_DESTROY: PostQuitMessage(0), then falls through to the next check.
; WM_COMMAND, id 2 (OK): reads up to 3 chars from edit control 1 into
;   [edi+154h] and compares that dword with the packer-stored value at
;   [edi-4]; on a match jumps to runtime image base + original OEP RVA
;   ([edi-8]). Everything else ends in DefWindowProcA.
; Clobbers edi (not restored).
; NOTE(review): the compared dword and the OEP are written into the file
; unchanged by the packer, so this gate only prompts a user; it does not
; hide anything from someone reading the file.
; NOTE(review): "jmp edx" leaves this frame, user32's dispatch frames and
; the message loop on the stack and ebp unrestored, with the password
; window still open; the original entry point starts in that state.
;-----------------------------------------------------------------------
WndProc:
push ebp
mov ebp,esp
call GetGlobal ;edi = global area
;----------------
WM_DESTROY:
cmp dword ptr[ebp+0Ch],2h ;WM_DESTROY
jnz WM_COMMAND
;window closed: post WM_QUIT so MessageLoop returns and main calls ExitProcess
push 0 ;nExitCode
call dword ptr[edi+28h] ;PostQuitMessage
WM_COMMAND:
cmp dword ptr[ebp+0Ch],111h ;WM_COMMAND
jnz DefWindowProcA
cmp word ptr[ebp+10h],2 ;LOWORD(wParam) = control id 2 (OK)
jnz DefWindowProcA
mov dword ptr[edi+154h],0 ;clear the 4-byte slot so a shorter password compares with zero padding
push 4 ;cchMax: 3 chars + NUL
lea edx,[edi+154h]
push edx ;lpString
push 1 ;nIDDlgItem = edit control
push [ebp+08h] ;hDlg = this window
call dword ptr[edi+20h] ;GetDlgItemTextA
mov eax,[edi+154h] ;entered password as one dword
cmp eax,[edi-4] ;against the dword the packer wrote at stub offset 3FCh
jnz DefWindowProcA
;password matches
mov edx,[edi-8] ;original OEP (RVA, stub offset 3F8h)
add edx,[edi+100h] ;+ runtime image base
jmp edx ;transfer to the original entry point (never returns here)
DefWindowProcA:
push [ebp+14h] ;lParam
push [ebp+10h] ;wParam
push [ebp+0Ch] ;uMsg
push [ebp+08h] ;hWnd
call dword ptr[edi+10h] ;DefWindowProcA
;----------------
pop ebp
ret 10h ;stdcall: pop the four arguments
end main