Agreement plug-in production four
BY RIX
Last time we said the construction of Apidhook and basic platforms, but only using APIHOOK in most, no company will put network package encrypted decryption unpacking programs in DLL in the form of functions You can view it. So this section explains to the target program to make the memory patch to modify the execution path of the program, and make the target procedure into our slaves through this way.
Due to the relationship between the project in the first two days, I went to the two-day tutorial, I was sorry for everyone. I found that when I wrote the tutorial today, I was used at the time of the study, and I had just replaced it to 4.7 from the previous period. Although the current version is better than before, the version is not compatible but let me headache, and finally there is no way to find a version of 4.17. Another tool that needs to be used in this section is W32DASM, W32DASM's quick and convenient for playing patch for program. It is my favorite reason. Ida 4.7 supports the function like W32DASM. I still don't know, after all, I just put it on , Haven't used it yet.
If you don't say nonsense, don't make much in order to make a memory patch and do the game modifier. It is only the data of the game modifier. The memory patch is modified by the instruction. Before doing, please be a good prayer. Although I will say it as much as possible, I still don't dare to guarantee whether you will have illegal instructions, the memory, more than a blue screen, you must buy lottery tickets, anyway, I have never encountered.
Regarding how to do memory patches, there is a detailed discussion on the "Encryption and Decryption" of the snow, and let's take a look at you:
1. The function of the program itself as much as possible, unless there is no way to load the function.
2. Before calling the function, be sure to save the contents of the registers of the related functions. After the call is completed, the content is restored.
3, pay attention to the stack balance.
4. Since we want to add a code to the source program, try to find an empty amount as much as possible (memory page 4K is aligned, such memory should not be found), if the luck is poor, you can only apply for memory .
For XY2.EXE programs, the SENDMESSAGE function is used in the program. This function is very convenient, and it is very wide to say. So we are ready to use this function to send the relevant content to the plunger. However, before doing this, I am going to give the program to the program to prevent the target program from being upgraded to practice.
The most important job in handling is the analysis of the target procedure. The analyst is mainly used by the assembly knowledge. Sometimes I want to put the compilation as a more exact, because I am using the compiler. There are only a few part of the time to use the compute program.
The XY2.exe's program is compiled with iDA. The version of XY2.exe used is 9.16. From 8.12 to 9.16 before XY2.exe's program, there is no change, so any of this time is allowed.
Move to the address. TEXT: 0042BB80, this is not given, the code is too long, and there is 8 pages in foot. It is probably a Winmain function, I don't know that Ida4.7 will use the function name here, I use 4.17, the function name given is: SUB_0_42BB80 Proc NEAR. By studying this code, we can find this code is the main program of the function, and the features have the following points:
1, check the update, start the update.
2, check if the video file is played, and set the program to the appropriate state.
3, set the speed of the program run.
I will not write the C code after the program organized, and the program flow chart given by IDA is easy to write.
The research program can find that after the address .Text: 0042bc13, the research will check the five main versions of the big call program, by calling the following function: .text: 0042bc15 0b8 call sub_0_4480e0
.TEXT: 0042BC
1A
0B8 CALL SUB_0_0_
4481C
0
.TEXT: 0042BC
Allf
0B8 CALL SUB_0_0_
4482A
0
.TEXT: 0042BC24 0B8 CALL SUB_0_448380
.TEXT: 0042BC29 0B8 CALL SUB_0_448460
.TEXT: 0042BC2E 0B8 PUSH EBX
.TEXT: 0042BC
2F
0BC CALL SUB_0_4488E0
.TEXT: 0042BC34 0BC Add ESP, 4
For previous judgments, I think it may be played. After the next five calls, the SUB_0_4488E0 calls the SUB_0_4488E0 to call the upgrade dialog box. To modify the program, avoid upgrading, just use this jump to jump over. Here, you don't have to consider the balance of the stack. From the stack pointer given by IDA, the stack before and after the jump is the same.
So after we call CREATEPROCESS, you can modify it through WriteProcessMemory, change the previous byte of the jump instruction to 0xeb, the one byte behind, the byte behind is used to control the jump Distance. This way, the original code is:
.TEXT: 0042BBE9 0B8 JZ Short LOC_0_42BBF1
Become
.TEXT: 0042BE9 0B8 JMP Short Loc_0_42bbf1
.
If you don't want to call through the program, you can also modify the XY2.exe file directly, but it is recommended to back up the XY2.exe file, which is easy to upgrade.
For avoiding pop-up homepages, you can also pass the same approach, but modified is not a jump instruction. Just give a little prompt here, you can try it yourself:
1, XY2.EXE pops up the home page by calling the shellexecute function, and can quickly find the way of calling according to the reference segment.
2, when modified, pay attention to the balance point of the stack.
The above is the version before 9.16, and the previous version did not give the program and can be made. But the procedures after 9.16 are plus housings, so they can't do it. However, you can take the program first. The Narrow of the big story is used by the Shell of Pecompact, and there is a fastest way to take off this shell. This is also what I was depressed after a few hours. When I started, I used the peid version too low, I didn't know this shell, I had to manually take her housing. After taking it, turn around to see the snow, see if there is any new idea, find the PEID V.92 version, more than my new, download it, find that it is pecompact2.x shell, more Important discovery is that this version of PEID can take off the simple shell, just in the plugin, just try it, find that it can take off directly, this is more process not for 1 minute. After the shell, you can get it in accordance with the previous approach, but the target program is changed to the shell-behind file, the latest version of the XY2.EXE program (before 10.30) exemption jump point in .Text: 0042BA7B JNZ Short Loc_42baa8
. Exemption from the home page modified address in:
.TEXT: 00444840 MOV EAX, [ESP 8 VAR_8]
Today, this section explains these and does not use W32DASM. The next section mainly explains the memory patch used to intercept data, which will frequently use W32DASM.
I am very grateful to the enthusiastic netizen Alan to organize the previous tutorial to the VC version. If you have any questions about this version, you can send him e-mail: tyr_alan@hotmal.com. ALAN I organize the source file I will paste the version of the source file in www.gameres.com as the version I get the version, the version of the source file may not match the content of the tutorial.
Alan's file address: http://blog.gameres.com/upload/sf_20041030104834.rar
This article is only attached to the blog of www.9cbs.net and www.gameres.com, do not use the article for any business, if this tutorial causes other consequences, it has nothing to do with I, I only talk about technology. . If you want to post, please indicate the source, if you have questions or negotiate, please send E-mail to Zeze0556@sina.com or QQ: 23033206 message, msn: zeze0556@msn.com. In addition, please don't give me a spam. When you add your friends, you must write a good post. I have been scared by inexplicably advertising letters and rumors. It is, I ask you prawn.
