
添加Co按钮弹框时的劫持动作。

Jeff 3 years ago
parent
commit
146f607467

+ 397 - 274
Source/Assist/Assist/Assist.cpp

@@ -12,6 +12,8 @@ CALLDATA _cd_Disconnect;
 CALLDATA _cd_CheckFW;
 CALLDATA _cd_SaveAsOutputData;
 CALLDATA _cd_Go_SN;
+CALLDATA _cd_Go_CommunicationError;
+CALLDATA _cd_Go_SetCommunicationError;
 CALLDATA _cd_Initial_failed;
 
 // 调试耗时值ms;
@@ -35,10 +37,13 @@ DWORD dwEDI = 0;
 void Call_MyDisconnect();
 void Call_MyConnect();
 void Call_MyGo();
+void Call_MyGoSN();
 void Call_MyCheckFW();
 void Call_MySaveAsOutputData();
-void Call_MyGoSN();
 void Call_MyInitial_Failed();
+void Call_MyGoCommunicationError();
+void Call_MyGoSetCommunicationError();
+
 // 其他函数;
 void SetChannel(int nChannel);
 void SetSN(LPCTSTR lpSN);
@@ -75,12 +80,20 @@ void InitCallData()
 	*(LPDWORD)(&_cd_Connect.szMyCallData[1]) = (DWORD)_cd_Connect.myCall - _cd_Connect.dwOriginalAddr - JMP_DLEN;
 #pragma endregion
 
-
 #pragma region Disconnect按钮劫持
-
+	// 0043790B | E8 E4C90900 | call demo.4D42F4 | # 此处可能用于SetWindowText之类处理
+	// 00437910 | FF4D F4 | dec dword ptr ss:[ebp-C]                 |
+	_cd_Disconnect.myCall = Call_MyDisconnect;
+	_cd_Disconnect.dwBack2Addr = 0x00437910;
+	_cd_Disconnect.dwOriginalAddr = 0x0043790B;
+	_cd_Disconnect.dwOriginalCallAddr = 0x004D42F4;
+
+	_cd_Disconnect.nMyCallDataLen = JMP_DLEN;
+	memset(_cd_Disconnect.szMyCallData, 0x90, CALL_LEN);
+	_cd_Disconnect.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&_cd_Disconnect.szMyCallData[1]) = (DWORD)_cd_Disconnect.myCall - _cd_Disconnect.dwOriginalAddr - JMP_DLEN;
 #pragma endregion
 
-
 #pragma region Go按钮劫持
 	// Go 
 	_cd_Go.myCall = Call_MyGo;
@@ -107,107 +120,157 @@ void InitCallData()
 	memset(_cd_Go_SN.szMyCallData, 0x90, CALL_LEN);
 	_cd_Go_SN.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
 	*(LPDWORD)(&_cd_Go_SN.szMyCallData[1]) = (DWORD)_cd_Go_SN.myCall - _cd_Go_SN.dwOriginalAddr - JMP_DLEN;
+
+	// Go Set Communication Error 
+	// 00417FCD | E8 666A0B00 | call demo.4CEA38 |
+	_cd_Go_SetCommunicationError.myCall = Call_MyGoSetCommunicationError;
+	_cd_Go_SetCommunicationError.dwBack2Addr = 0x00417FD2;
+	// 00417FD2 | FF8D F4E8FFFF| dec dword ptr ss:[ebp-170C]|
+	_cd_Go_SetCommunicationError.dwOriginalAddr = 0x00417FCD;
+	_cd_Go_SetCommunicationError.dwOriginalCallAddr = 0x004CEA38;
+
+	_cd_Go_SetCommunicationError.nMyCallDataLen = JMP_DLEN;
+	memset(_cd_Go_SetCommunicationError.szMyCallData, 0x90, CALL_LEN);
+	_cd_Go_SetCommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&_cd_Go_SetCommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_SetCommunicationError.myCall - _cd_Go_SetCommunicationError.dwOriginalAddr - JMP_DLEN;
+
+	// Go Communication Error 
+	// 00404408 | E8 2BA60C00| call demo.4CEA38| 
+	_cd_Go_CommunicationError.myCall = Call_MyGoCommunicationError;
+	_cd_Go_CommunicationError.dwBack2Addr = 0x0040440D;
+	// 0040440D | FF4D BC | dec dword ptr ss:[ebp-44] | 
+	_cd_Go_CommunicationError.dwOriginalAddr = 0x00404408;
+	_cd_Go_CommunicationError.dwOriginalCallAddr = 0x004CEA38;
+
+	_cd_Go_CommunicationError.nMyCallDataLen = JMP_DLEN;
+	memset(_cd_Go_CommunicationError.szMyCallData, 0x90, CALL_LEN);
+	_cd_Go_CommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&_cd_Go_CommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_CommunicationError.myCall - _cd_Go_CommunicationError.dwOriginalAddr - JMP_DLEN;
 #pragma endregion
 
+}
+
+BOOL HijackedAllCall()
+{
+	BOOL bHijack=FALSE;
+	if ( !(bHijack = HijackedCall(&_cd_Connect)) )
+		goto end;
+
+	if ( !(bHijack = HijackedCall(&_cd_Disconnect)) )
+		goto end;
+
+	if ( !(bHijack = HijackedCall(&_cd_Go)) )
+		goto end;
+
+	if ( !(bHijack = HijackedCall(&_cd_Go_SN)) )
+		goto end;
 
+	if ( !(bHijack = HijackedCall(&_cd_Go_CommunicationError)) )
+		goto end;
+
+	if ( !(bHijack = HijackedCall(&_cd_Go_SetCommunicationError)) )
+		goto end;
+
+end:
+	return bHijack;
 }
 
 // 劫持原始地址;
 BOOL HijackedCall2(CALLDATA *pCallData)
 {
-    if ( !pCallData )
-        return FALSE;
-
-    memset(pCallData->szMyCallData, 0x90, CALL_LEN);
-    pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
-    *(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - 5;
-
-
-    HANDLE hProc = GetCurrentProcess();
-    // 将要劫持的地址指令备份下来;
-    memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
-    if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, pCallData->nOriginalAddrDataLen, NULL) )
-    {
-        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    // 将我们的Call地址指令写入目标地址;
-    if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, pCallData->nMyCallDataLen, NULL) )
-    {
-        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    return TRUE;
+	if ( !pCallData )
+		return FALSE;
+
+	memset(pCallData->szMyCallData, 0x90, CALL_LEN);
+	pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - 5;
+
+
+	HANDLE hProc = GetCurrentProcess();
+	// 将要劫持的地址指令备份下来;
+	memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
+	if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, pCallData->nOriginalAddrDataLen, NULL) )
+	{
+		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	// 将我们的Call地址指令写入目标地址;
+	if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, pCallData->nMyCallDataLen, NULL) )
+	{
+		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	return TRUE;
 }
 
 BOOL HijackedCall(CALLDATA *pCallData)
 {
-    if ( !pCallData )
-        return FALSE;
-
-    memset(pCallData->szMyCallData, 0, CALL_LEN);
-    pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
-    *(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - CALL_LEN;
-
-    HANDLE hProc = GetCurrentProcess();
-    // 将要劫持的地址指令备份下来;
-    memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
-    if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
-    {
-        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    // 将我们的Call地址指令写入目标地址;
-    if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, CALL_LEN, NULL) )
-    {
-        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    return TRUE;
+	if ( !pCallData )
+		return FALSE;
+
+	memset(pCallData->szMyCallData, 0, CALL_LEN);
+	pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - CALL_LEN;
+
+	HANDLE hProc = GetCurrentProcess();
+	// 将要劫持的地址指令备份下来;
+	memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
+	if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
+	{
+		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	// 将我们的Call地址指令写入目标地址;
+	if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, CALL_LEN, NULL) )
+	{
+		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	return TRUE;
 }
 
 // 劫持原始地址;
 BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)[CALL_LEN])
 {
-    BYTE szMyCallData[CALL_LEN] = {0};
-    szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
-    *(LPDWORD)(&szMyCallData[1]) = (DWORD)MyCall - (DWORD)OriginalCall - CALL_LEN;
-
-    HANDLE hProc = GetCurrentProcess();
-    // 将要劫持的地址指令备份下来;
-    if ( !ReadProcessMemory(hProc, OriginalCall, szOriginalCallData, CALL_LEN, NULL) )
-    {
-        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    // 将我们的Call地址指令写入目标地址;
-    if ( !WriteProcessMemory(hProc, OriginalCall, szMyCallData, CALL_LEN, NULL) )
-    {
-        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
-
-    return TRUE;
+	BYTE szMyCallData[CALL_LEN] = {0};
+	szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+	*(LPDWORD)(&szMyCallData[1]) = (DWORD)MyCall - (DWORD)OriginalCall - CALL_LEN;
+
+	HANDLE hProc = GetCurrentProcess();
+	// 将要劫持的地址指令备份下来;
+	if ( !ReadProcessMemory(hProc, OriginalCall, szOriginalCallData, CALL_LEN, NULL) )
+	{
+		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	// 将我们的Call地址指令写入目标地址;
+	if ( !WriteProcessMemory(hProc, OriginalCall, szMyCallData, CALL_LEN, NULL) )
+	{
+		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
+
+	return TRUE;
 }
 
 BOOL RecoveryCall(CALLDATA *pCallData)
 {
-    if ( !pCallData )
-        return FALSE;
+	if ( !pCallData )
+		return FALSE;
 
-    // 将我们的Call地址指令写入目标地址;
-    if ( !WriteProcessMemory(GetCurrentProcess(), (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
-    {
-        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
-        return FALSE;
-    }
+	// 将我们的Call地址指令写入目标地址;
+	if ( !WriteProcessMemory(GetCurrentProcess(), (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
+	{
+		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+		return FALSE;
+	}
 
-    return TRUE;
+	return TRUE;
 }
 
 void MyInitialFailed()
@@ -220,126 +283,204 @@ void __declspec(naked) Call_MyInitial_Failed()
 	__asm pushad;
 	MyInitialFailed();
 	__asm popad;
-	// 不执行原call;
+	// 不执行原call:原Call是Messagebox弹框,需要消除掉它;
 	// __asm call _cd_Initial_failed.dwOriginalCallAddr;
 	__asm jmp _cd_Initial_failed.dwBack2Addr;
 }
 
 void __declspec(naked) Call_MySaveAsOutputData()
 {
-    //004AB3FC
-    __asm {
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-        // my call
-        mov eax,0x004AB3FC
-            mov dl,1
-            call dword ptr[eax]
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 返回
-        ret
-    }
+	//004AB3FC
+	__asm {
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+		// my call
+		mov eax,0x004AB3FC
+			mov dl,1
+			call dword ptr[eax]
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 返回
+		ret
+	}
 }
 
 void MyGo()
 {   
-    CHAR szMsg[MAX_PATH];
-    DWORD dwElapsedAddr = 0x0052DF54;
-    DWORD dwSNAddr = dwEBP - 0x5D0;
-    sprintf_s(szMsg, "MyGo耗时:%ldms, SN:%08X, %s", *(LPDWORD)dwElapsedAddr, dwSNAddr, (CHAR*)(*(LPDWORD)dwSNAddr));
-    MessageBoxA(NULL, szMsg, "MyGo", MB_OK);
+	CHAR szMsg[MAX_PATH];
+	DWORD dwElapsedAddr = 0x0052DF54;
+	DWORD dwSNAddr = dwEBP - 0x5D0;
+	sprintf_s(szMsg, "MyGo耗时:%ldms, SN:%08X, %s", *(LPDWORD)dwElapsedAddr, dwSNAddr, (CHAR*)(*(LPDWORD)dwSNAddr));
+	MessageBoxA(NULL, szMsg, "MyGo", MB_OK);
 }
 
 void __declspec(naked) Call_MyGo()
 {
-    // 备份寄存器;
-    __asm{
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-    }
-    
-    MyGo();
-
-    __asm{
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 执行原Call;
-        call _cd_Go.dwOriginalCallAddr
-        // 返回劫持地址下一行;
-        jmp _cd_Go.dwBack2Addr
-    }
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+	MyGo();
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 执行原Call;
+		call _cd_Go.dwOriginalCallAddr
+			// 返回劫持地址下一行;
+			jmp _cd_Go.dwBack2Addr
+	}
 }
 
 void MyGoSN()
 {
-    CHAR szMsg[MAX_PATH];
-    DWORD dwSNAddr = dwEBP - 0x5D0;
-    //_stprintf_s(szMsg, _T("MyGo %08X, %08X, %08X, %s"), dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (TCHAR*)(*(LPDWORD)dwSNAddr));
-    sprintf_s(szMsg, "MyGo %08X, %08X, %08X, %s", dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (CHAR*)(*(LPDWORD)dwSNAddr));
-    MessageBoxA(NULL, szMsg, "MyGoSN", MB_OK);
+	CHAR szMsg[MAX_PATH];
+	DWORD dwSNAddr = dwEBP - 0x5D0;
+	//_stprintf_s(szMsg, _T("MyGo %08X, %08X, %08X, %s"), dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (TCHAR*)(*(LPDWORD)dwSNAddr));
+	sprintf_s(szMsg, "MyGo %08X, %08X, %08X, %s", dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (CHAR*)(*(LPDWORD)dwSNAddr));
+	MessageBoxA(NULL, szMsg, "MyGoSN", MB_OK);
 }
 
 void __declspec(naked) Call_MyGoSN()
 {
-    // 备份寄存器;
-    __asm{
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-    }
-
-    MyGoSN();
-
-    __asm{
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 执行原Call;
-        call _cd_Go_SN.dwOriginalCallAddr
-        // 返回劫持地址下一行;
-        jmp _cd_Go_SN.dwBack2Addr
-    }
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+	MyGoSN();
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 执行原Call;
+		call _cd_Go_SN.dwOriginalCallAddr
+		// 返回劫持地址下一行;
+		jmp _cd_Go_SN.dwBack2Addr
+	}
+}
+
+void MyGoSetCommunicationError()
+{
+	MessageBox(NULL, _T("MyGoSetCommunicationError"), _T("劫持"), MB_OK);
+}
+
+void __declspec(naked) Call_MyGoSetCommunicationError()
+{
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+	MyGoSetCommunicationError();
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 执行原Call;
+		//call _cd_Go_SetCommunicationError.dwOriginalCallAddr
+		// 返回劫持地址下一行;
+		jmp _cd_Go_SetCommunicationError.dwBack2Addr
+	}
+}
+
+void MyGoCommunicationError()
+{
+	MessageBox(NULL, _T("MyGoCommunicationError"), _T("劫持"), MB_OK);
+}
+
+void __declspec(naked) Call_MyGoCommunicationError()
+{
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+	MyGoCommunicationError();
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 执行原Call;
+		//call _cd_Go_CommunicationError.dwOriginalCallAddr
+		// 返回劫持地址下一行;
+		jmp _cd_Go_CommunicationError.dwBack2Addr
+	}
 }
 
 BOOL MyConnect()
@@ -360,12 +501,11 @@ BOOL MyConnect()
 
 void __declspec(naked) Call_MyConnect()
 {
-    // 备份寄存器;
+	// 备份寄存器;
 	__asm mov dwEAX, eax;
-    __asm pushad;
-
+	__asm pushad;
 
-    if ( MyConnect() )
+	if ( MyConnect() )
 	{
 		__asm{
 			// 恢复寄存器; 
@@ -386,106 +526,89 @@ void __declspec(naked) Call_MyConnect()
 	}   
 }
 
+void MyDisconnect()
+{
+	MessageBox(NULL, _T("MyDisconnect Function"), _T("MyDisconnect"), MB_OK);
+}
+
 void __declspec(naked) Call_MyDisconnect()
 {
-    // 备份寄存器;
-    __asm{
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-    }
-
-
-    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
-
-
-    __asm{
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 最后返回原Call地址下一行;
-        jmp _cd_Go.dwBack2Addr;
-    }
+	__asm pushad;
+	MyDisconnect();
+	__asm
+	{
+		popad;
+		call _cd_Disconnect.dwOriginalCallAddr;
+		jmp _cd_Disconnect.dwBack2Addr;
+	}
 }
 
 void __declspec(naked) Call_MyCheckFW()
 {
-    // 备份寄存器;
-    __asm{
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-    }
-
-
-    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
-
-
-    __asm{
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 最后返回原Call地址下一行;
-        jmp _cd_Go.dwBack2Addr;
-    }
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+
+	MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 最后返回原Call地址下一行;
+		jmp _cd_Go.dwBack2Addr;
+	}
 }
 
 void __declspec(naked) SetChannel()
 {
-    // 备份寄存器;
-    __asm{
-        // 保存寄存器;
-        mov dwEAX, EAX;
-        mov dwEBX, EBX;
-        mov dwECX, ECX;
-        mov dwEDX, EDX;
-        mov dwEBP, EBP;
-        mov dwESP, ESP;
-        mov dwESI, ESI;
-        mov dwEDI, EDI;
-    }
-
-
-    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
-
-
-    __asm{
-        // 恢复寄存器; 
-        mov EAX, dwEAX;
-        mov EBX, dwEBX;
-        mov ECX, dwECX;
-        mov EDX, dwEDX;
-        mov EBP, dwEBP;
-        mov ESP, dwESP;
-        mov ESI, dwESI;
-        mov EDI, dwEDI;
-        // 最后返回原Call地址下一行;
-        jmp _cd_Go.dwBack2Addr;
-    }
+	// 备份寄存器;
+	__asm{
+		// 保存寄存器;
+		mov dwEAX, EAX;
+		mov dwEBX, EBX;
+		mov dwECX, ECX;
+		mov dwEDX, EDX;
+		mov dwEBP, EBP;
+		mov dwESP, ESP;
+		mov dwESI, ESI;
+		mov dwEDI, EDI;
+	}
+
+
+	MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+	__asm{
+		// 恢复寄存器; 
+		mov EAX, dwEAX;
+		mov EBX, dwEBX;
+		mov ECX, dwECX;
+		mov EDX, dwEDX;
+		mov EBP, dwEBP;
+		mov ESP, dwESP;
+		mov ESI, dwESI;
+		mov EDI, dwEDI;
+		// 最后返回原Call地址下一行;
+		jmp _cd_Go.dwBack2Addr;
+	}
 }
 
 void SetSN(LPCTSTR lpSN)
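Review bot: HijackedAllCall is wired to a dialog button and can therefore run more than once, and on a second run HijackedCall (the version using CALL_LEN) reads `szOriginalAddrData` back from `dwOriginalAddr` unconditionally before writing, so the backup then holds the `E9` jump already patched in rather than the original `E8` call and RecoveryCall can no longer restore the site; the InitCallData hunk that introduces HijackedAllCall begins outside the hunk. Every annotated target in this commit (`0043790B | E8 …`, `00417FCD | E8 …`, `00404408 | E8 …`) is a 5-byte call, so HijackedCall can refuse anything else right after the ReadProcessMemory: `if (pCallData->szOriginalAddrData[0] != 0xE8) { MessageBox(NULL, _T("目标地址不是call指令"), _T("提示"), MB_OK); return FALSE; }`, which guards the double patch and also catches a binary whose layout does not match the hard-coded addresses. HijackedAllCall also stops at the first failed site but leaves the earlier sites patched with no RecoveryCall, so the process is left half-hooked on failure. The two new naked handlers Call_MyGoSetCommunicationError and Call_MyGoCommunicationError park the registers in the shared globals dwEAX..dwEDI and show a MessageBox in between; if the message loop re-enters another hooked site while the box is up those globals are clobbered, which the pushad/popad form this same commit adopts for Call_MyDisconnect avoids and would keep the handlers consistent. The re-indented Call_MyCheckFW and SetChannel still show the `MyGo Function` box and `jmp _cd_Go.dwBack2Addr` — copy-paste leftovers that would return to the wrong site if those hooks were ever installed.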

+ 1 - 0
Source/Assist/Assist/Assist.h

@@ -35,6 +35,7 @@ extern CALLDATA _cd_Initial_failed;
 
 
 void InitCallData();
+BOOL HijackedAllCall();
 BOOL HijackedCall(CALLDATA *pCallData);
 BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)[CALL_LEN]);
 

+ 1 - 0
Source/Assist/Assist/Assist.rc

@@ -63,6 +63,7 @@ BEGIN
     PUSHBUTTON      "SaveAsOutputData",BTN_SAVE_AS_OUTPUT_DATA,19,18,92,14
     PUSHBUTTON      "MyGo",BTN_GO,27,43,50,14
     PUSHBUTTON      "Call_Connect",BTN_CONNECT,112,44,50,14
+    PUSHBUTTON      "HijactAllCall",BTN_HIJACT_ALL_CALL,28,82,50,14
 END
 
 

+ 6 - 0
Source/Assist/Assist/dllmain.cpp

@@ -112,6 +112,12 @@ BOOL CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
 					}
 				}
 				break;
+			case BTN_HIJACT_ALL_CALL:
+				if ( HijackedAllCall() )
+				{
+					MessageBox(hwndDlg, _T("½Ù³ÖAll Call³É¹¦"), _T("½Ù³Ö"), MB_OK);
+				}
+				break;
             default:
                 break;
             }                
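Review bot: The new MessageBox literal in the BTN_HIJACT_ALL_CALL case is stored in a different source encoding from the rest of the commit — it appears here as `½Ù³ÖAll Call³É¹¦` while the literals in Assist.cpp (`_T("劫持")`) render as readable Chinese — so depending on the compiler's source charset this box is likely to display as garbage; re-saving dllmain.cpp in the same encoding as Assist.cpp would make the two files consistent. Reporting only the success path here is fine, since the failure path already raises its own MessageBox inside HijackedCall. The spelling `HIJACT` in the new identifier (and the "HijactAllCall" label in Assist.rc) reads as a typo for `HIJACK`; if it is renamed, resource.h and Assist.rc need the same change.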

+ 3 - 2
Source/Assist/Assist/resource.h

@@ -6,8 +6,9 @@
 #define IDD_DLG_ASSIST                  101
 #define BTN_SAVE_AS_OUTPUT_DATA         1001
 #define BTN_GO                          1002
-#define IDC_BUTTON1                     1003
 #define BTN_CONNECT                     1003
+#define IDC_BUTTON1                     1004
+#define BTN_HIJACT_ALL_CALL             1004
 
 // Next default values for new objects
 // 
@@ -15,7 +16,7 @@
 #ifndef APSTUDIO_READONLY_SYMBOLS
 #define _APS_NEXT_RESOURCE_VALUE        102
 #define _APS_NEXT_COMMAND_VALUE         40001
-#define _APS_NEXT_CONTROL_VALUE         1004
+#define _APS_NEXT_CONTROL_VALUE         1005
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif