.586
.model flat, stdcall
option casemap :none
include windows.inc
include masm32.inc
include gdi32.inc
include ole32.inc
include user32.inc
include comctl32.inc
include kernel32.inc
include shell32.inc
includelib masm32.lib
includelib gdi32.lib
includelib ole32.lib
includelib oleaut32.lib
includelib user32.lib
includelib comctl32.lib
includelib kernel32.lib
includelib shell32.lib
; Slots of a PUSHAD frame, for hook code that wants to hand a value back to the
; caller's registers through POPAD. PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP,
; ESI, EDI in that order, so [esp] = EDI, [esp+4] = ESI, ... [esp+1Ch] = EAX.
; Not referenced anywhere in this listing.
RET_EAX EQU dword ptr [esp+1ch]
RET_EBX EQU dword ptr [esp+10h]
RET_ECX EQU dword ptr [esp+18h]
RET_EDX EQU dword ptr [esp+14h]
GetShell32Base proto :DWORD,:DWORD   ; declared only; neither defined nor called in this listing
HookData proto                       ; defined below; entered through the 7-byte patch in MyAPI
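CTEXT MACRO y:VARARG
    ;; Inline string literal: emits the NUL-terminated text into the CONST
    ;; segment and expands to its address (offset sym), so it can be used
    ;; directly as an argument, e.g.  invoke MessageBox,0,CTEXT("hi"),CTEXT("t"),MB_OK
    ;; An empty argument yields a single NUL byte.
    ;; The angle-bracketed operands of IFIDNI and EXITM are required by MASM;
    ;; without them the macro neither tests the argument nor returns a value.
    LOCAL sym
    CONST segment
        ifidni <y>, <>
            sym db 0
        else
            sym db y, 0
        endif
    CONST ends
    exitm <offset sym>
ENDM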
.data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Original program code at the site that gets patched (from the target's disassembly):
;0046B747 8A4C01 CF mov cl, byte ptr [ecx+eax-31h] ; ECX holds the registration code here
;0046B74B 8B75 FC mov esi, dword ptr [ebp-4h]
;0046B74E 3A4C06 CF cmp cl, byte ptr [esi+eax-31h]
; Byte sequence of those three instructions: 8A 4C 01 CF 8B 75 FC 3A 4C 06 CF
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Search pattern. The dwords are little-endian, so the bytes are
;   8A 4C 01 CF | 8B 75 FC 3A | 4C 06 CF 75 | 62 A1 2C FA
; i.e. the 11 bytes listed above plus 5 following bytes (75 62 = jnz short,
; A1 2C FA .. = presumably the start of a mov eax,[imm32]). The search below
; uses sizeof KeyCode, i.e. all 16 bytes, not just the 11 documented ones.
KeyCode DD 0CF014C8Ah, 03AFC758Bh, 075CF064Ch, 0FA2CA162h
SN DD 0                   ; not referenced in this listing
;==============================
; 7-byte patch written over the site: push offset HookData (68 imm32), ret (C3), nop (90).
; It replaces exactly the two instructions (4 + 3 bytes) that HookData replays.
MyAPI DB 068h
DD offset HookData
DB 0c3h,090h
;==============================
; Caption of the message box HookData shows ("Registration code of this machine:").
Msg DB "本机注册码:",0
.data?
hInstance dd ?            ; this DLL's module handle (set in Main on process attach)
ProcessId dd ?            ; current process id (set in Process)
ThreadId dd ?             ; not referenced in this listing
ThreadId2 dd ?            ; not referenced in this listing
lpbaseaddr dd ?           ; not referenced in this listing
hProcess dd ?             ; handle to the current process, opened and closed inside Process
hThread dd ?              ; not referenced in this listing
hDlg dd ?                 ; not referenced in this listing
BreakIP DD ?              ; address of the patched site, located by searching for KeyCode
BreakRet DD ?             ; address execution resumes at after the hook (BreakIP + 7)
.code
include lpk.inc
Main proc hinstdll:DWORD , reason:DWORD , reserved1:DWORD
    ; DllMain. On DLL_PROCESS_ATTACH it records the module handle, then runs
    ; LoadDebug (not defined in this listing) and Process, which installs the
    ; code patch into the host executable. Every other reason is a no-op.
    ; All general registers are preserved and TRUE is always reported.
    ; NOTE(review): this runs under the loader lock; Process only calls
    ; kernel32 (GetCurrentProcessId/OpenProcess/WriteProcessMemory/CloseHandle),
    ; which is tolerable there, but LoadDebug's behaviour cannot be judged here.
    ; NOTE(review): `include lpk.inc` and the apparent DLL name suggest this
    ; library gets loaded by impersonating lpk.dll (search-order hijack) — confirm.
    pushad
    mov eax, reason
    cmp eax, DLL_PROCESS_ATTACH
    jne MainDone                      ; DETACH / THREAD_ATTACH / THREAD_DETACH: nothing to do
    mov eax, hinstdll
    mov hInstance, eax
    call LoadDebug
    call Process
MainDone:
    popad
    mov eax, TRUE
    ret
Main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookData Proc
    ; Trampoline target. The patch at BreakIP (push offset HookData / ret / nop)
    ; lands here with the hooked program's registers untouched and its stack
    ; balanced; no prologue is generated (no args, no locals), so [ebp-4h] below
    ; still refers to the hooked program's frame.
    ; ECX is taken to be the pointer to the registration code at this point
    ; (see the disassembly notes in .data) and is shown in a message box. The two
    ; instructions the patch overwrote are then replayed and control returns to
    ; BreakIP + 7, which is the original `cmp`; that cmp re-derives the flags, so
    ; clobbering them here is harmless.
    ; NOTE(review): fires on every pass through the patched site; if that site
    ; sits inside a per-character loop the box will pop up repeatedly — confirm
    ; against the target.
    pushad
    push MB_OK
    push offset Msg                   ; caption
    push ecx                          ; lpText: pushad does not alter ECX, so the pointer is still intact
    push 0                            ; no owner window
    call MessageBox
    popad
    ; --- replay of the 7 overwritten bytes ---
    mov cl, byte ptr [ecx+eax-31h]    ; 8A 4C 01 CF
    mov esi, dword ptr [ebp-4h]       ; 8B 75 FC
    ; --- resume at BreakIP + 7 ---
    push eax
    mov eax, BreakIP
    add eax, 7
    mov BreakRet, eax
    pop eax
    push BreakRet
    ret
HookData endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
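;-----------------------------------------------------------------------
; DWORD StrFind(LPVOID Address, DWORD Len, LPVOID Str, DWORD strLen)   (stdcall)
; Byte-wise search of [Address, Address+Len) for the strLen-byte pattern at Str.
; Out:   eax = address of the first match; 0 if none, if strLen == 0, or if
;        Len < strLen (the pattern must fit entirely inside the range — the
;        previous version also read up to strLen-1 bytes past Address+Len).
; Clobb: flags only; ecx/edx/esi/edi are saved by USES.
; Fix:   the old not-found path executed `xor eax,eax` and then POPAD, which
;        restored the caller's EAX, so a miss returned the caller's EAX (the
;        process handle in Process) instead of 0. The hit path only worked
;        because MASM turns `ret` into `leave; ret 10h`, discarding the frame.
; Note:  the range is read directly; the caller must guarantee it is mapped
;        and readable — a fault here brings down the host process.
;-----------------------------------------------------------------------
StrFind proc uses ecx edx esi edi @@Address :DWORD , @@Len : DWORD , @@Str :DWORD , @@strLen :DWORD
    xor eax, eax                      ; default: not found
    mov ecx, @@strLen
    test ecx, ecx
    jz StrFindDone                    ; empty pattern: repe cmpsb would leave ZF stale
    mov edx, @@Len
    cmp edx, ecx
    jb StrFindDone                    ; range too short to hold the pattern
    sub edx, ecx
    inc edx                           ; edx = candidate start offsets = Len - strLen + 1
    mov edi, @@Address
    cld                               ; cmpsb must walk forward
StrFindNext:
    push edi                          ; cmpsb advances edi; keep the candidate start
    mov esi, @@Str
    mov ecx, @@strLen
    repe cmpsb                        ; ZF=1 iff all strLen bytes matched
    pop edi                           ; does not touch flags
    je StrFindFound
    inc edi
    dec edx
    jnz StrFindNext
    jmp StrFindDone
StrFindFound:
    mov eax, edi
StrFindDone:
    ret
StrFind endp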
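PE_E_LFANEW    EQU 3Ch    ; IMAGE_DOS_HEADER.e_lfanew
PE_SIZEOFIMAGE EQU 50h    ; IMAGE_NT_HEADERS32: Signature(4) + FileHeader(20) + OptionalHeader.SizeOfImage(38h)
HOOK_LEN       EQU 7      ; size of the MyAPI patch: push imm32 (5) + ret (1) + nop (1)

;-----------------------------------------------------------------------
; Process: locate KeyCode in the host executable and overwrite that site
; with the 7-byte trampoline in MyAPI, so the target jumps into HookData.
; Side effects: sets ProcessId, hProcess and, on a hit, BreakIP.
; Changes vs. the previous version:
;  - the search range is taken from the main module's PE header
;    (base .. base+SizeOfImage) instead of the fixed 401000h/40000h. That
;    fixed range ended at 441000h and could never reach the documented site
;    at 0046B747h; it could also run off the end of a smaller image into
;    unmapped memory and fault. The whole image mapping is readable.
;  - GetCurrentProcess() (pseudo-handle) replaces OpenProcess(PROCESS_ALL_ACCESS)
;    on ourselves: it cannot fail and needs no CloseHandle.
;  - the patch length is a named constant shared with the comment in .data.
; Silently does nothing if the pattern is not found or the write fails
; (a message box from DllMain is not appropriate under the loader lock).
;-----------------------------------------------------------------------
Process proc uses ebx esi
    invoke GetCurrentProcessId
    mov ProcessId, eax
    invoke GetCurrentProcess          ; pseudo-handle with full access to this process
    mov hProcess, eax
    invoke GetModuleHandle, 0         ; base of the main executable image
    test eax, eax
    jz ProcessDone
    mov ebx, eax                      ; ebx = image base (IMAGE_DOS_HEADER)
    mov esi, dword ptr [ebx+PE_E_LFANEW]
    add esi, ebx                      ; esi = IMAGE_NT_HEADERS
    mov esi, dword ptr [esi+PE_SIZEOFIMAGE]   ; esi = SizeOfImage (extent of the mapping)
    invoke StrFind, ebx, esi, addr KeyCode, sizeof KeyCode
    test eax, eax
    jz ProcessDone                    ; pattern not present: leave the target untouched
    mov BreakIP, eax
    ; WriteProcessMemory handles the page protection and instruction-cache
    ; flush for the code page. eax == 0 on failure; BreakIP stays set but
    ; the hook is then never reached.
    invoke WriteProcessMemory, hProcess, BreakIP, addr MyAPI, HOOK_LEN, 0
ProcessDone:
    ret
Process endp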
END Main