|
@@ -3,6 +3,7 @@
|
|
|
|
|
|
#include "stdafx.h"
|
|
|
#include "Assist.h"
|
|
|
+#include <stdio.h>
|
|
|
|
|
|
// 全局CallData;
|
|
|
CALLDATA _cd_Go;
|
|
@@ -10,10 +11,13 @@ CALLDATA _cd_Connect;
|
|
|
CALLDATA _cd_Disconnect;
|
|
|
CALLDATA _cd_CheckFW;
|
|
|
CALLDATA _cd_SaveAsOutputData;
|
|
|
+CALLDATA _cd_Go_SN;
|
|
|
|
|
|
// 调试耗时值ms;
|
|
|
DWORD dwElapsed = 0;
|
|
|
|
|
|
+TCHAR g_szGoSN[32] = {0};
|
|
|
+
|
|
|
// 8组寄存器存储;
|
|
|
DWORD dwEAX = 0;
|
|
|
DWORD dwEBX = 0;
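Review bot: `g_szGoSN` is introduced on the `+TCHAR g_szGoSN[32] = {0};` line but no hunk of this patch reads or writes it; `MyGoSN` later formats the serial straight from `*(LPDWORD)dwSNAddr` into a local buffer, so the global looks like a leftover unless code outside the shown hunks uses it. If it is meant to hold the captured SN, note that `MyGoSN` works in `CHAR` while this buffer is `TCHAR`, so any copy into it needs the same narrow/wide decision. Otherwise drop the declaration, or state its purpose: `// SN captured at the Go_SN hook (not yet populated by this change)`.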
|
|
@@ -30,6 +34,7 @@ void Call_MyConnect();
|
|
|
void Call_MyGo();
|
|
|
void Call_MyCheckFW();
|
|
|
void Call_MySaveAsOutputData();
|
|
|
+void Call_MyGoSN();
|
|
|
// 其他函数;
|
|
|
void SetChannel(int nChannel);
|
|
|
void SetSN(LPCTSTR lpSN);
|
|
@@ -49,27 +54,20 @@ void InitCallData()
|
|
|
_cd_Go.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
*(LPDWORD)(&_cd_Go.szMyCallData[1]) = (DWORD)_cd_Go.myCall - _cd_Go.dwOriginalAddr - JMP_DLEN;
|
|
|
|
|
|
+ // Go SN
|
|
|
+ // 00417AEC | E8 9BA5FEFF | call demo.40208C |
|
|
|
+ // 00417AF1 | E8 722C0700 | call demo.48A768 |
|
|
|
+ _cd_Go_SN.myCall = Call_MyGoSN;
|
|
|
+ _cd_Go_SN.dwBack2Addr = 0x00417AF1;
|
|
|
+ // 004376AB | E8 50A30C00 | call demo.501A00
|
|
|
+ _cd_Go_SN.dwOriginalAddr = 0x00417AEC;
|
|
|
+ _cd_Go_SN.dwOriginalCallAddr = 0x0040208C;
|
|
|
|
|
|
- // Connect
|
|
|
- _cd_Connect.myCall = Call_MyConnect;
|
|
|
- _cd_Connect.dwBack2Addr = 0x00417B2A;
|
|
|
- _cd_Connect.dwOriginalAddr = 0x00417B25;
|
|
|
-
|
|
|
- // Disconnect
|
|
|
- _cd_Disconnect.myCall = Call_MyDisconnect;
|
|
|
- _cd_Disconnect.dwBack2Addr = 0x00417B2A;
|
|
|
- _cd_Disconnect.dwOriginalAddr = 0x00417B25;
|
|
|
-
|
|
|
- // CheckFW
|
|
|
- _cd_CheckFW.myCall = Call_MyCheckFW;
|
|
|
- _cd_CheckFW.dwBack2Addr = 0x00417B2A;
|
|
|
- _cd_CheckFW.dwOriginalAddr = 0x00417B25;
|
|
|
+ _cd_Go_SN.nMyCallDataLen = JMP_DLEN;
|
|
|
+ memset(_cd_Go_SN.szMyCallData, 0x90, CALL_LEN);
|
|
|
+ _cd_Go_SN.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
+ *(LPDWORD)(&_cd_Go_SN.szMyCallData[1]) = (DWORD)_cd_Go_SN.myCall - _cd_Go_SN.dwOriginalAddr - JMP_DLEN;
|
|
|
|
|
|
- // SaveAsOutputData
|
|
|
- // 004376AB
|
|
|
- _cd_SaveAsOutputData.myCall = Call_MySaveAsOutputData;
|
|
|
- _cd_SaveAsOutputData.dwBack2Addr = 0x00417B2A;
|
|
|
- _cd_SaveAsOutputData.dwOriginalAddr = 0x00417B25;
|
|
|
}
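Review bot: The address comment `// 004376AB | E8 50A30C00 | call demo.501A00` placed above `_cd_Go_SN.dwOriginalAddr = 0x00417AEC;` does not match the values assigned (0x00417AEC / 0x0040208C, which the two comment lines above it already document); it appears carried over from the removed SaveAsOutputData block (`// 004376AB`), so delete it or replace it with what it annotates, e.g. `// original callee of the hooked call at 00417AEC`. Separately, the hunk deletes the initialization of `_cd_Connect`, `_cd_Disconnect`, `_cd_CheckFW` and `_cd_SaveAsOutputData` while their `CALLDATA` globals and `Call_My*` prototypes stay in the file; if anything outside this diff still installs those hooks, their trampolines would now jump through zeroed `dwBack2Addr`/`dwOriginalAddr` fields. Either remove those globals and trampolines as well, or leave a comment in `InitCallData` stating they are intentionally left uninitialized.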
|
|
|
|
|
|
// 劫持原始地址;
|
|
@@ -205,7 +203,8 @@ void MyGo()
|
|
|
{
|
|
|
TCHAR szMsg[MAX_PATH];
|
|
|
DWORD dwElapsedAddr = 0x0052DF54;
|
|
|
- _stprintf_s(szMsg, _T("MyGo耗时:%ldms"), *(LPDWORD)dwElapsedAddr);
|
|
|
+ DWORD dwSNAddr = dwEBP - 0x5D0;
|
|
|
+ _stprintf_s(szMsg, _T("MyGo耗时:%ldms, SN:%08X, %s"), *(LPDWORD)dwElapsedAddr, dwSNAddr, (TCHAR*)(*(LPDWORD)dwSNAddr));
|
|
|
MessageBox(NULL, szMsg, _T("MyGo"), MB_OK);
|
|
|
}
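Review bot: The new `_stprintf_s` call formats `(TCHAR*)(*(LPDWORD)dwSNAddr)` with `%s` without checking that the loaded pointer is non-NULL, and `MyGoSN` in the same patch reads the same slot as a `CHAR*` — if the build defines `_UNICODE`, `%s` here expects a wide string and will read the narrow SN bytes as UTF-16 past their terminator. Use an explicit narrow specifier and guard the pointer, e.g. `LPCSTR pszSN = (LPCSTR)(*(LPDWORD)dwSNAddr); if (!pszSN) pszSN = "<null>";` followed by `_stprintf_s(szMsg, _T("MyGo耗时:%ldms, SN:%08X, %.64hs"), *(LPDWORD)dwElapsedAddr, dwSNAddr, pszSN);`. Because `szMsg` is a fixed `MAX_PATH` buffer, an over-long or unterminated string makes `_stprintf_s` invoke the CRT invalid-parameter handler rather than truncate, which the `%.64hs` precision bounds. The `dwEBP - 0x5D0` frame offset is a hard-coded dependency on the hooked function's stack layout and deserves a comment naming the local it addresses.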
|
|
|
|
|
@@ -226,9 +225,6 @@ void __declspec(naked) Call_MyGo()
|
|
|
|
|
|
MyGo();
|
|
|
|
|
|
- //MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
|
|
|
- //RecoveryCall(&_cd_Go);
|
|
|
-
|
|
|
__asm{
|
|
|
// 恢复寄存器;
|
|
|
mov EAX, dwEAX;
|
|
@@ -246,6 +242,50 @@ void __declspec(naked) Call_MyGo()
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+void MyGoSN()
|
|
|
+{
|
|
|
+ CHAR szMsg[MAX_PATH];
|
|
|
+ DWORD dwSNAddr = dwEBP - 0x5D0;
|
|
|
+ //_stprintf_s(szMsg, _T("MyGo %08X, %08X, %08X, %s"), dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (TCHAR*)(*(LPDWORD)dwSNAddr));
|
|
|
+ sprintf_s(szMsg, "MyGo %08X, %08X, %08X, %s", dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (CHAR*)(*(LPDWORD)dwSNAddr));
|
|
|
+ MessageBoxA(NULL, szMsg, "MyGoSN", MB_OK);
|
|
|
+}
|
|
|
+
|
|
|
+void __declspec(naked) Call_MyGoSN()
|
|
|
+{
|
|
|
+ // 备份寄存器;
|
|
|
+ __asm{
|
|
|
+ // 保存寄存器;
|
|
|
+ mov dwEAX, EAX;
|
|
|
+ mov dwEBX, EBX;
|
|
|
+ mov dwECX, ECX;
|
|
|
+ mov dwEDX, EDX;
|
|
|
+ mov dwEBP, EBP;
|
|
|
+ mov dwESP, ESP;
|
|
|
+ mov dwESI, ESI;
|
|
|
+ mov dwEDI, EDI;
|
|
|
+ }
|
|
|
+
|
|
|
+ MyGoSN();
|
|
|
+
|
|
|
+ __asm{
|
|
|
+ // 恢复寄存器;
|
|
|
+ mov EAX, dwEAX;
|
|
|
+ mov EBX, dwEBX;
|
|
|
+ mov ECX, dwECX;
|
|
|
+ mov EDX, dwEDX;
|
|
|
+ mov EBP, dwEBP;
|
|
|
+ mov ESP, dwESP;
|
|
|
+ mov ESI, dwESI;
|
|
|
+ mov EDI, dwEDI;
|
|
|
+ // 执行原Call;
|
|
|
+ call _cd_Go_SN.dwOriginalCallAddr
|
|
|
+ // 返回劫持地址下一行;
|
|
|
+ jmp _cd_Go_SN.dwBack2Addr
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+
|
|
|
void __declspec(naked) Call_MyConnect()
|
|
|
{
|
|
|
// 备份寄存器;
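Review bot: `MyGoSN` formats `(CHAR*)(*(LPDWORD)dwSNAddr)` with `%s` into the `MAX_PATH` buffer `szMsg` with no NULL check and no length bound; with `sprintf_s` an over-long or unterminated string does not truncate but triggers the CRT invalid-parameter handler inside the hooked process, and a NULL slot crashes it outright. Guard the pointer and bound the read, e.g. `LPCSTR pszSN = (LPCSTR)(*(LPDWORD)dwSNAddr);` then `sprintf_s(szMsg, "MyGo %08X, %08X, %08X, %.64s", dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), pszSN ? pszSN : "<null>");`. In `Call_MyGoSN` the register snapshot goes into the file-scope `dwEAX`…`dwEDI` globals that `Call_MyGo` and the other trampolines also use, so the hook is not reentrant — if the hooked call site can be reached from more than one thread, or re-entered while `MessageBoxA` pumps messages, the restored `EBP`/`ESP` may belong to a different activation; a comment such as `// NOTE: register save area is a shared global; assumes a single hooked thread and no re-entry` would make that assumption visible. `Call_MyConnect` continues past the end of this hunk.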
|