Author: hhhkkk [hhkkk@126.com]
After reading Ilsy's excellent article "A Brief Talk on Mapping Processes to Ports", I liked it a lot and debugged it in VC on my own machine, but found that in some places the information could not be obtained.
Stranger still, it works on my Win2k, yet on other machines it does not.
Active Ports, on the other hand, is perfectly stable, so something fishy was going on and I could hardly believe it.
I debugged it with OllyDbg and found that the reason the program cannot display properly lies in the OpenPhysicalMemory function, which is what obtains the information.
Below is the disassembly of the OpenPhysicalMemory section of Active Ports:
0040FCF2 8B1D CC124000    MOV EBX, DWORD PTR DS:[<&kernel32.MapViewOfFile>]   ; kernel32.MapViewOfFile
0040FCF8 C745 F8 00000A0> MOV DWORD PTR SS:[EBP-8], 0A0000
0040FCFF BE 00100000      MOV ESI, 1000
0040FD04 FF75 F8          PUSH DWORD PTR SS:[EBP-8]
0040FD07 8B45 08          MOV EAX, DWORD PTR SS:[EBP+8]
0040FD0A 57               PUSH EDI
0040FD0B 57               PUSH EDI
0040FD0C 6A 04            PUSH 4
0040FD0E FF30             PUSH DWORD PTR DS:[EAX]
0040FD10 FFD3             CALL NEAR EBX                        ; MapViewOfFile(*, 4, 0, 0, 0x0A0000)  first mapping
.........
0040FD2E 837D FC 00       CMP DWORD PTR SS:[EBP-4], 0
0040FD32 76 17            JBE SHORT Aports.0040FD4B
0040FD34 6A 67            PUSH 67
0040FD36 8D88 000C0000    LEA ECX, DWORD PTR DS:[EAX+C00]
0040FD3C 5A               POP EDX
/// The key part follows: this is where it finds the starting position that should be mapped.
0040FD3D 3911             CMP DWORD PTR DS:[ECX], EDX
0040FD3F 74 0A            JE SHORT Aports.0040FD4B
0040FD41 47               INC EDI
0040FD42 03CE             ADD ECX, ESI
0040FD44 03D6             ADD EDX, ESI
0040FD46 3B7D FC          CMP EDI, DWORD PTR SS:[EBP-4]
0040FD49 72 F2            JB SHORT Aports.0040FD3D
0040FD4B 50               PUSH EAX
0040FD4C FF15 D0124000    CALL NEAR DWORD PTR DS:[<&kernel32.UnmapViewOfFile>] ; kernel32.UnmapViewOfFile
0040FD52 3B7D FC          CMP EDI, DWORD PTR SS:[EBP-4]
0040FD55 75 03            JNZ SHORT Aports.0040FD5A
0040FD57 6A 39            PUSH 39
0040FD59 5F               POP EDI
0040FD5A 8B45 08          MOV EAX, DWORD PTR SS:[EBP+8]
0040FD5D 56               PUSH ESI
0040FD5E C1E7 0C          SHL EDI, 0C
0040FD61 57               PUSH EDI
0040FD62 6A 00            PUSH 0
0040FD64 6A 04            PUSH 4
0040FD66 FF30             PUSH DWORD PTR DS:[EAX]
0040FD68 FFD3             CALL NEAR EBX                        ; MapViewOfFile(*, 4, 0, EDI, 0x1000)
0040FD6A 5F               POP EDI
0040FD6B 5E               POP ESI
0040FD6C 5B               POP EBX
0040FD6D C9               LEAVE
0040FD6E C3               RETN
After reading the disassembly, the rest was easy to write, heh. Just add the code below and it works.
PMapPhysicalMemory = MapViewOfFile(PHandle, 4, 0, 0, 0x0A0000); /// The first mapping; when it fails, the offset has to be changed. The original works on my computer, so I used it as the basis for this improvement.
DWORD D_Begin = 0;
DWORD D_EDX = 0x67;      // I don't know what this 0x67 means; an answer would be very welcome :)
DWORD *D_P = (DWORD *)((BYTE *)PMapPhysicalMemory + 0xC00);
while (*D_P != D_EDX)
{
    D_Begin++;
    D_P = (DWORD *)((BYTE *)D_P + 0x1000);   // next page (ADD ECX, ESI)
    D_EDX += 0x1000;                         // expected value advances by one page (ADD EDX, ESI)
    if (D_Begin >= 0xA0) break;              // searched the whole 0xA0000-byte window
}
UnmapViewOfFile(PMapPhysicalMemory);         // takes the view base address, not the section handle
if (D_Begin == 0xA0)
    D_Begin = 0x39;                          // nothing matched: fall back to page 0x39
D_Begin = D_Begin << 0xC;                    // page index to byte offset (SHL EDI, 0C)
PMapPhysicalMemory = MapViewOfFile(PHandle, 4, 0, D_Begin, 0x1000);
Once this is added, the effect is visible immediately and there are no more mapping failures.
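As an added example (the editor's own code, not the author's snippet or Active Ports' own), the C below runs the same search over a constructed 0xA0-page image instead of a view of \Device\PhysicalMemory, so it can be run anywhere. It reads the loop as a search for the page whose dword at offset 0xC00 (page-directory index 0x300, the entry that maps 0xC0000000 back onto the directory itself) holds that page's own physical address plus 0x67, the PDE flag bits Present, Writable, User, Accessed and Dirty; the 0x39 fallback is taken from the disassembly and assumed to be where Win2k normally keeps its page directory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE        0x1000u
#define SCAN_PAGES       0xA0u      /* 0xA0000 bytes: the window of the first MapViewOfFile */
#define SELF_MAP_OFFSET  0xC00u     /* PDE index 0x300, the entry that maps 0xC0000000 */
#define PDE_FLAGS        0x67u      /* Present | Writable | User | Accessed | Dirty */
#define DEFAULT_PD_PAGE  0x39u      /* fallback the program uses when nothing matches */

/* Page index whose dword at SELF_MAP_OFFSET equals index*PAGE_SIZE + PDE_FLAGS,
 * i.e. a page-directory entry that points back at its own page; DEFAULT_PD_PAGE
 * when no page in the window matches. Mirrors the loop at 0040FD3D..0040FD49. */
static uint32_t find_page_directory(const uint8_t *mem, uint32_t npages)
{
    uint32_t expect = PDE_FLAGS;                 /* PUSH 67 / POP EDX */
    for (uint32_t i = 0; i < npages; i++, expect += PAGE_SIZE) {
        uint32_t pde;
        memcpy(&pde, mem + (size_t)i * PAGE_SIZE + SELF_MAP_OFFSET, sizeof pde);
        if (pde == expect)
            return i;
    }
    return DEFAULT_PD_PAGE;                      /* PUSH 39 / POP EDI */
}

/* Constructed image: SCAN_PAGES zeroed pages with one self-referencing PDE
 * planted at pd_page (nothing planted if pd_page lies outside the window). */
static uint8_t *make_image(uint32_t pd_page)
{
    uint8_t *mem = calloc(SCAN_PAGES, PAGE_SIZE);
    if (mem && pd_page < SCAN_PAGES) {
        uint32_t pde = pd_page * PAGE_SIZE + PDE_FLAGS;
        memcpy(mem + (size_t)pd_page * PAGE_SIZE + SELF_MAP_OFFSET, &pde, sizeof pde);
    }
    return mem;
}

/* Run the scan on a constructed image and return the dwFileOffsetLow the
 * second MapViewOfFile would receive (page index << 12, the SHL EDI, 0C). */
static uint32_t scan_image(uint32_t pd_page)
{
    uint8_t *mem = make_image(pd_page);
    if (!mem) return 0;
    uint32_t off = find_page_directory(mem, SCAN_PAGES) << 12;
    free(mem);
    return off;
}
```

An image with no self-referencing entry anywhere in the window yields 0x39000, which is exactly the case where the original single mapping at offset 0 was not enough.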
Afterword: XP and Win2003 have been out for so long now that Win2k may not matter much any more :), and I have not even explained this clearly.
If you run into the same problem as I did while working on this part, adding the code above should solve it, but if you care about the stability of your program, I recommend you analyse its disassembly carefully yourself. For lack of time I cannot write much more.
While doing this there were many things I did not understand, such as why the mapped address changes and what causes it to change. If you can explain it, please email hhkkk@126.com; thanks in advance.
That 0x67 is also an odd value; I do not know why it uses that number, because even from a cracking point of view I am not familiar with the kernel :(
Also: this is the first time I have written anything up, so it is rather chaotic; I will revise it later, and it is also a personal note. Given my limited level, please point out anything inappropriate.
If you reprint this document, please keep the article intact!
References:
Aports.exe from http://www.ntutility.com/
http://www.xfocus.net/articles/200202/344.html