00806184 90 NOP
00806185 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30]
; 向下的jmp长跳转修复代码
0080618B . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
00806191 . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
00806197 . 90 NOP
00806198 . 8910 MOV DWORD PTR DS:[EAX], EDX
; 注意写入的dword类型值
0080619A . 90 NOP
0080619B . 90 NOP
0080619C . 90 NOP
0080619D . 90 NOP
0080619E . 90 NOP
0080619F . 90 NOP
008061A0 . 90 NOP
008061A1 . 90 NOP
008061A2 . 90 NOP
008061A3 . 90 NOP
008061A4 . 90 NOP
008061A5 . 90 NOP
008061A6 . 90 NOP
008061A7 . 90 NOP
008061A8 . 90 NOP
008061A9 . 90 NOP
008061AA . 90 NOP
008061AB . 90 NOP
008061AC . 90 NOP
008061AD . 90 NOP
008061AE . 90 NOP
008061AF . 90 NOP
008061B0 . 90 NOP
008061B1 . 90 NOP
008061B2 . 90 NOP
008061B3 . 90 NOP
008061B4 . 90 NOP
008061B5 . 90 NOP
008061B6 . 90 NOP
008061B7 . 90 NOP
008061B8 . 90 NOP
008061B9 > 8305 108F8200 04 ADD DWORD PTR DS:[828F10], 4 ; 参数+1
008061C0 > 8B15 108F8200 MOV EDX, DWORD PTR DS:[828F10] ; ezcddax.00828000
008061C6 . 8B12 MOV EDX, DWORD PTR DS:[EDX]
008061C8 . 8995 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], EDX
008061CE . 83FA 00 CMP EDX, 0
008061D1 .^ 74 E6 JE SHORT ezcddax.008061B9 ; 如果出现00000000,表示这个地址不是CC
008061D3 . 83FA FF CMP EDX, -1
008061D6 . 74 08 JE SHORT ezcddax.008061E0 ; 如果是ffffffff 表示修复结束。
008061D8 . 61 POPAD
008061D9 .^ E9 A5FCFFFF JMP ezcddax.00805E83
008061DE 90 NOP
008061DF 90 NOP
008061E0 > 90 NOP
008061E1 . 90 NOP
008061E2 . 90 NOP
008061E3 . 90 NOP
008061E4 . 90 NOP
008061E5 . 90 NOP
008061E6 . 90 NOP
008061E7 . 90 NOP
008061E8 . 90 NOP
008061E9 . 90 NOP
008061EA . 90 NOP
008061EB . 90 NOP
008061EC . 90 NOP
008061ED . 90 NOP
008061EE . 90 NOP
008061EF . 90 NOP
008061F0 . 90 NOP
008061F1 . 90 NOP
008061F2 . 90 NOP
008061F3 . 90 NOP
008061F4 . 90 NOP
008061F5 . 90 NOP
008061F6 . 90 NOP
008061F7 . 90 NOP
008061F8 . 90 NOP
008061F9 . 90 NOP
008061FA . 90 NOP
008061FB . 90 NOP
008061FC . 90 NOP
008061FD . 90 NOP
008061FE . 90 NOP
008061FF . 90 NOP
00806200 . 90 NOP
00806201 . 90 NOP
00806202 . 90 NOP
00806203 . 90 NOP
00806204 . 90 NOP
00806205 . 90 NOP
00806206 . 90 NOP
00806207 . 90 NOP
00806208 . 90 NOP
00806209 . 90 NOP
0080620A . 90 NOP
0080620B . 52 PUSH EDX
; /pContext
0080620C . 8B85 50EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B0]
; |
00806212 . 50 PUSH EAX
; |hThread
00806213 . FF15 DC808300 CALL DWORD PTR DS
:[<&KERNEL32.SetThreadCo>; \SetThreadContext
50 8B 8D 50 EE FF FF 51 FF 15 E0 80 83 00 90 90 52 8B
15 00 80 82 00 89 15 00 8F 82 00 C7 05 10
8F 82 00 00 80 82 00 5A 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 60 C7
85 78 EB FF FF 00 00 00 00 6A FF 6A 04
8D 95 34 EC FF FF 52 E8 EB 60 FD FF 83 C4 0C 89 85 4C
EE FF FF 8B 85 4C EE FF FF 33 D2 B9 19 00
00 00 F7 F1 89 95 48 EE FF FF 8B 95 34 EC FF FF 52 8B
85 48 EE FF FF FF 14 85 98 CD 83 00 83 C4
04 89 85 78 EB FF FF C7 85 74 EB FF FF 00 00 00 00 8B
8D 48 EE FF FF 8B 14 8D 00 F3 83 00 89 95
54 EE FF FF 8B 85 74 EB FF FF 3B 85 54 EE FF FF 7D
5C 8B 85 54 EE FF FF 2B 85 74 EB FF FF 99 2B
C2 D1 F8 8B 8D 74 EB FF FF 03 C8 89 8D 70 EB FF FF
8B 95 48 EE FF FF 8B 04 95 7C F2 83 00 8B 8D
70 EB FF FF 8B 95 78 EB FF FF 3B 14 88 76 11 8B 85 70
EB FF FF 83 C0 01 89 85 74 EB FF FF EB 0C
8B 8D 70 EB FF FF 89 8D 54 EE FF FF EB 96 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 8B 95 48 EE FF FF 8B 04 95 7C F2 83
00 8B 8D 74 EB FF FF 8B 14 88 3B 95 78 EB FF FF 0F
85 0A 02 00 00 90 90 90 90 E8 97 01 00 00 90
90 90 90 90 90 E8 F9 00 00 00 80 3D 20 8F 82 00 04
7F 15 90 90 90 7C 35 8B 85 34 EC FF FF C6 40
FF E9 E9 0F 01 00 00 90 8B 85 34 EC FF FF C6 40 FF
0F 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 8B 85 48 EE FF
FF 8B 0C 85 64 F3 83 00 8B 95 74 EB FF FF
8B 04 91 89 85 5C EB FF FF 8B 8D 3C EC FF FF 81 E1
D7 0F 00 00 89 8D 6C EB FF FF 8B 95 5C EB FF
FF 81 E2 00 00 00 FF C1 EA 18 89 95 60 EB FF FF 8B
85 5C EB FF FF 25 FF FF FF 00 89 85 64 EB FF
FF 8B 8D 28 EC FF FF 51 8B 95 6C EB FF FF 52 8B 85
64 EB FF FF 50 8B 8D 60 EB FF FF FF 14 8D 0C
88 83 00 83 C4 0C 89 85 68 EB FF FF 8B 95 68 EB FF FF
33 D2 80 3D 20 8F 82 00 04 0F 8C D3 00 00
00 7F 7D 74 51 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 E9 FD
00 00 00 8B 85 48 EE FF FF 8B 0C 85 18 F2 83 00 8B
85 74 EB FF FF 33 D2 BE 17 00 00 00 F7 F6 8B
85 74 EB FF FF 8B 0C 81 33 8C 95 70 EE FF FF 89 0D
30 8F 82 00 C3 66 81 3D 30 8F 82 00 80 FF 0F
8C 87 00 00 00 66 83 3D 30 8F 82 00 7F 7E 2B EB 7B
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
8B 15 30 8F 82 00 2B 15 20 8F 82 00 8B 85 34 EC FF
FF 89 50 01 E9 86 00 00 00 8B 15 30 8F 82 00
2B 15 20 8F 82 00 8B 85 34 EC FF FF 4A 89 10 EB 6F
90 90 90 90 90 8B 85 48 EE FF FF 8B 0C 85 D0
F3 83 00 8B 95 74 EB FF FF 33 C0 8A 04 11 A2 20 8F
82 00 C3 90 8B 15 30 8F 82 00 2B 15 20 8F 82
00 8B 85 34 EC FF FF 88 10 EB 35 90 8B 15 30 8F 82
00 2B 15 20 8F 82 00 8B 85 34 EC FF FF 90 89
10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90
83 05 10 8F 82 00 04 8B 15 10 8F 82 00 8B 12 89 95 34
EC FF FF 83 FA 00 74 E6 83 FA FF 74 08 61
E9 A5 FC FF FF 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
52 8B 85 50 EE FF FF 50 FF 15 DC 80 83 00
跟着练习的可以复制上面的二进制代码,看看效果。剩下的就是搞定跳转类型并写入代码中就行了。
下面要修复的就是跳转类型了,这是整个修复工作中最烦人,最没有技术含量的工作了,下面就几个例子来看看如何修复。
调整好上面的代码,在修复完成的地址处下个中断,取消其他的所有断点,在下面的函数入口处下中断,运行。
例1----CC发生时地址:0043989E
DS:[00828004]=0043989E (ezcddax.0043989E)
EAX=00828004 (ezcddax.00828004)
007F2BEF 55 PUSH EBP
007F2BF0 8BEC MOV EBP, ESP
007F2BF2 83EC 40 SUB ESP, 40
007F2BF5 C745 D0 D800000>MOV DWORD PTR SS:[EBP-30], 0D8
007F2BFC C745 D4 2400000>MOV DWORD PTR SS:[EBP-2C], 24
007F2C03 C745 D8 E400000>MOV DWORD PTR SS:[EBP-28], 0E4
007F2C0A C745 DC A600000>MOV DWORD PTR SS:[EBP-24], 0A6
007F2C11 C745 E0 9400000>MOV DWORD PTR SS:[EBP-20], 94
007F2C18 C745 E4 2900000>MOV DWORD PTR SS:[EBP-1C], 29
007F2C1F C745 E8 2A00000>MOV DWORD PTR SS:[EBP-18], 2A
007F2C26 C745 EC F300000>MOV DWORD PTR SS:[EBP-14], 0F3
007F2C2D C745 F0 0700000>MOV DWORD PTR SS:[EBP-10], 7
007F2C34 C745 C0 0700000>MOV DWORD PTR SS:[EBP-40], 7
007F2C3B 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007F2C3E C1E8 07 SHR EAX, 7
007F2C41 83E0 07 AND EAX, 7
007F2C44 8B4C85 D0 MOV ECX, DWORD PTR SS:[EBP+EAX*4-30]
007F2C48 894D C4 MOV DWORD PTR SS:[EBP-3C], ECX
007F2C4B 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C4E 99 CDQ
007F2C4F B9 19000000 MOV ECX, 19
007F2C54 F7F9 IDIV ECX
007F2C56 8945 CC MOV DWORD PTR SS:[EBP-34], EAX
007F2C59 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C5C 99 CDQ
007F2C5D B9 19000000 MOV ECX, 19
007F2C62 F7F9 IDIV ECX
007F2C64 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C67 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34]
007F2C6A 3B55 C8 CMP EDX, DWORD PTR SS:[EBP-38]
007F2C6D 75 11 JNZ SHORT ezcddax.007F2C80
007F2C6F 8B45 C8 MOV EAX, DWORD PTR SS:[EBP-38]
007F2C72 83C0 01 ADD EAX, 1
007F2C75 99 CDQ
007F2C76 B9 19000000 MOV ECX, 19
007F2C7B F7F9 IDIV ECX
007F2C7D 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C80 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2C83 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
007F2C86 8B0C95 48E48300 MOV ECX, DWORD PTR DS:[EDX*4+83E448]
007F2C8D 330C85 CC828300 XOR ECX, DWORD PTR DS:[EAX*4+8382CC]
007F2C94 8B55 C8 MOV EDX, DWORD PTR SS:[EBP-38]
007F2C97 330C95 CC828300 XOR ECX, DWORD PTR DS:[EDX*4+8382CC]
007F2C9E 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007F2CA1 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C]
007F2CA4 50 PUSH EAX
007F2CA5 8B4D C4 MOV ECX, DWORD PTR SS:[EBP-3C]
007F2CA8 0FBE91 88CC8300 MOVSX EDX, BYTE PTR DS:[ECX+83CC88]
007F2CAF FF1495 C0CB8300 CALL DWORD PTR DS:[EDX*4+83CBC0]
007F2CB6 83C4 04 ADD ESP, 4
007F2CB9 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007F2CBC 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
007F2CBF 50 PUSH EAX
007F2CC0 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
007F2CC3 51 PUSH ECX
007F2CC4 FF55 F8 CALL DWORD PTR SS:[EBP-8] ; ezcddax.007EB7A0
堆栈 SS:[0012DC5C]=007EB7A0 (ezcddax.007EB7A0)
007F2CC7 83C4 08 ADD ESP, 8
007F2CCA 50 PUSH EAX
007F2CCB 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2CCE 0FBE82 88CC8300 MOVSX EAX, BYTE PTR DS:[EDX+83CC88]
007F2CD5 FF1485 24CC8300 CALL DWORD PTR DS:[EAX*4+83CC24]
007F2CDC 83C4 04 ADD ESP, 4
007F2CDF 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007F2CE2 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
007F2CE5 83E0 01 AND EAX, 1
007F2CE8 8BE5 MOV ESP, EBP
007F2CEA 5D POP EBP
007F2CEB C3 RETN
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
007EB7A9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB7AC 50 PUSH EAX
007EB7AD FF15 24CC8300 CALL DWORD PTR DS:[83CC24] ; ezcddax.007DC062
007EB7B3 83C4 04 ADD ESP, 4
007EB7B6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB7B9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EB7BC 51 PUSH ECX
007EB7BD B9 00080000 MOV ECX, 800
007EB7C2 B9 0A000000 MOV ECX, 0A
007EB7C7 F7D1 NOT ECX
007EB7C9 0FC8 BSWAP EAX
007EB7CB F7D1 NOT ECX
007EB7CD 41 INC ECX
007EB7CE 41 INC ECX
007EB7CF 41 INC ECX
007EB7D0 41 INC ECX
007EB7D1 41 INC ECX
007EB7D2 41 INC ECX
007EB7D3 41 INC ECX
007EB7D4 41 INC ECX
007EB7D5 41 INC ECX
007EB7D6 41 INC ECX
007EB7D7 41 INC ECX
007EB7D8 41 INC ECX
007EB7D9 41 INC ECX
007EB7DA 41 INC ECX
007EB7DB 41 INC ECX
007EB7DC 41 INC ECX
007EB7DD 41 INC ECX
007EB7DE 41 INC ECX
007EB7DF 41 INC ECX
007EB7E0 49 DEC ECX
007EB7E1 41 INC ECX
007EB7E2 FEC1 INC CL
007EB7E4 FEC1 INC CL
007EB7E6 FEC1 INC CL
007EB7E8 83C1 0D ADD ECX, 0D
007EB7EB FEC1 INC CL
007EB7ED FEC1 INC CL
007EB7EF FEC1 INC CL
007EB7F1 FEC1 INC CL
007EB7F3 FEC1 INC CL
007EB7F5 83C1 0A ADD ECX, 0A
007EB7F8 49 DEC ECX
007EB7F9 52 PUSH EDX
007EB7FA BA 04000000 MOV EDX, 4
007EB7FF 03CA ADD ECX, EDX
007EB801 41 INC ECX
007EB802 5A POP EDX
007EB803 0FC8 BSWAP EAX
007EB805 23C1 AND EAX, ECX
/////////////////////////////////////////////////
EBX=00000040
EAX=00000246
这句才是关键,EFLAGS寄存器值and 40
分析看看,十六进制的40是二进制值10000000 受影响的是第七位ZF位,测试条件是ZF=1
相关知识请看:http://www.pediy.com/tutorial/chap2/Chap2-3.htm
这样就可以判断这个跳转类型是jz/je 判断是短跳转就在CC地址写入类型的代码74;长跳转则在CC发生时的地址写入84
/////////////////////////////////////////////////
007EB807 59 POP ECX
007EB808 F7D8 NEG EAX
007EB80A 1BC0 SBB EAX, EAX
007EB80C F7D8 NEG EAX
/////////////////////////////////////////////////
测试ZF位是否为1
////////////////////////////////////////////////
007EB80E 5A POP EDX
007EB80F 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB812 8B0D 94838300 MOV ECX, DWORD PTR DS:[838394]
007EB818 330D 98838300 XOR ECX, DWORD PTR DS:[838398]
007EB81E D1E1 SHL ECX, 1
007EB820 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB823 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB827 74 09 JE SHORT ezcddax.007EB832
007EB829 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB82C 83CA 01 OR EDX, 1
007EB82F 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB832 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB835 50 PUSH EAX
007EB836 FF15 C0CB8300 CALL DWORD PTR DS:[83CBC0] ; ezcddax.007DBFB0
007EB83C 83C4 04 ADD ESP, 4
007EB83F 5F POP EDI
007EB840 5E POP ESI
007EB841 5B POP EBX
007EB842 8BE5 MOV ESP, EBP
007EB844 5D POP EBP
007EB845 C3 RETN
修改为:
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
相关文章
