|
@@ -11,6 +11,7 @@ CALLDATA _cd_Go;
|
|
CALLDATA _cd_Connect;
|
|
CALLDATA _cd_Connect;
|
|
CALLDATA _cd_Disconnect;
|
|
CALLDATA _cd_Disconnect;
|
|
CALLDATA _cd_CheckFW;
|
|
CALLDATA _cd_CheckFW;
|
|
|
|
+CALLDATA _cd_CheckFW_CommunicationError;
|
|
CALLDATA _cd_SaveAsOutputData;
|
|
CALLDATA _cd_SaveAsOutputData;
|
|
CALLDATA _cd_Go_SN;
|
|
CALLDATA _cd_Go_SN;
|
|
CALLDATA _cd_Go_CommunicationError;
|
|
CALLDATA _cd_Go_CommunicationError;
|
|
@@ -41,6 +42,7 @@ void Call_MyConnect();
|
|
void Call_MyGo();
|
|
void Call_MyGo();
|
|
void Call_MyGoSN();
|
|
void Call_MyGoSN();
|
|
void Call_MyCheckFW();
|
|
void Call_MyCheckFW();
|
|
|
|
+void Call_MyCheckFWCommunicationError();
|
|
void Call_MySaveAsOutputData();
|
|
void Call_MySaveAsOutputData();
|
|
void Call_MyInitial_Failed();
|
|
void Call_MyInitial_Failed();
|
|
void Call_MyGoCommunicationError();
|
|
void Call_MyGoCommunicationError();
|
|
@@ -55,6 +57,10 @@ void ChangeSDK(int nSDK); // 0=410SDK, 1=310SDK;
|
|
void InitCallData()
|
|
void InitCallData()
|
|
{
|
|
{
|
|
#pragma region 启动时Initial Communication:需要程序启动时注入;
|
|
#pragma region 启动时Initial Communication:需要程序启动时注入;
|
|
|
|
+ /*
|
|
|
|
+ 此劫持需要在程序刚启动时注入,即在弹框出现前实现注入;
|
|
|
|
+ 目前不实现程序时注入!
|
|
|
|
+ */
|
|
// 00401EB8 | E8 7BCB0C00 | call demo.4CEA38 | # 弹出Messagebox:Initial Communication Failed!
|
|
// 00401EB8 | E8 7BCB0C00 | call demo.4CEA38 | # 弹出Messagebox:Initial Communication Failed!
|
|
_cd_Initial_failed.myCall = Call_MyInitial_Failed;
|
|
_cd_Initial_failed.myCall = Call_MyInitial_Failed;
|
|
// 00401EBD | FF4D CC | dec dword ptr ss:[ebp-34] |
|
|
// 00401EBD | FF4D CC | dec dword ptr ss:[ebp-34] |
|
|
@@ -70,6 +76,10 @@ void InitCallData()
|
|
#pragma endregion
|
|
#pragma endregion
|
|
|
|
|
|
#pragma region Connect按钮劫持
|
|
#pragma region Connect按钮劫持
|
|
|
|
+ /*
|
|
|
|
+ Connect存在External expection 异常弹框;
|
|
|
|
+ 出现External弹框时,结束进程,统一由Call_MyExternalException处理;
|
|
|
|
+ */
|
|
//00415ECB | 0F84 6A040000 | je demo.41633B | # 关键跳:如果Connect失败实现跳转
|
|
//00415ECB | 0F84 6A040000 | je demo.41633B | # 关键跳:如果Connect失败实现跳转
|
|
_cd_Connect.myCall = Call_MyConnect;
|
|
_cd_Connect.myCall = Call_MyConnect;
|
|
// 00415ED1 | 6A 00 | push 0 |
|
|
// 00415ED1 | 6A 00 | push 0 |
|
|
@@ -84,6 +94,10 @@ void InitCallData()
|
|
#pragma endregion
|
|
#pragma endregion
|
|
|
|
|
|
#pragma region Disconnect按钮劫持
|
|
#pragma region Disconnect按钮劫持
|
|
|
|
+ /*
|
|
|
|
+ disconnect时,同样存在External expection 异常弹框;
|
|
|
|
+ 出现External弹框时,结束进程,统一由Call_MyExternalException处理;
|
|
|
|
+ */
|
|
// 0043790B | E8 E4C90900 | call demo.4D42F4 | # 此处可能用于SetWindowText之类处理
|
|
// 0043790B | E8 E4C90900 | call demo.4D42F4 | # 此处可能用于SetWindowText之类处理
|
|
// 00437910 | FF4D F4 | dec dword ptr ss:[ebp-C] |
|
|
// 00437910 | FF4D F4 | dec dword ptr ss:[ebp-C] |
|
|
_cd_Disconnect.myCall = Call_MyDisconnect;
|
|
_cd_Disconnect.myCall = Call_MyDisconnect;
|
|
@@ -114,7 +128,7 @@ void InitCallData()
|
|
#pragma endregion
|
|
#pragma endregion
|
|
|
|
|
|
#pragma region Go按钮劫持
|
|
#pragma region Go按钮劫持
|
|
- // Go
|
|
|
|
|
|
+ /* 成功执行后的处理 */
|
|
_cd_Go.myCall = Call_MyGo;
|
|
_cd_Go.myCall = Call_MyGo;
|
|
_cd_Go.dwBack2Addr = 0x004376B0;
|
|
_cd_Go.dwBack2Addr = 0x004376B0;
|
|
// 004376AB | E8 50A30C00 | call demo.501A00
|
|
// 004376AB | E8 50A30C00 | call demo.501A00
|
|
@@ -126,7 +140,7 @@ void InitCallData()
|
|
_cd_Go.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
_cd_Go.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
*(LPDWORD)(&_cd_Go.szMyCallData[1]) = (DWORD)_cd_Go.myCall - _cd_Go.dwOriginalAddr - JMP_DLEN;
|
|
*(LPDWORD)(&_cd_Go.szMyCallData[1]) = (DWORD)_cd_Go.myCall - _cd_Go.dwOriginalAddr - JMP_DLEN;
|
|
|
|
|
|
- // Go SN
|
|
|
|
|
|
+ // 获取SN字符串;
|
|
// 00417AEC | E8 9BA5FEFF | call demo.40208C |
|
|
// 00417AEC | E8 9BA5FEFF | call demo.40208C |
|
|
// 00417AF1 | E8 722C0700 | call demo.48A768 |
|
|
// 00417AF1 | E8 722C0700 | call demo.48A768 |
|
|
_cd_Go_SN.myCall = Call_MyGoSN;
|
|
_cd_Go_SN.myCall = Call_MyGoSN;
|
|
@@ -140,7 +154,7 @@ void InitCallData()
|
|
_cd_Go_SN.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
_cd_Go_SN.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
*(LPDWORD)(&_cd_Go_SN.szMyCallData[1]) = (DWORD)_cd_Go_SN.myCall - _cd_Go_SN.dwOriginalAddr - JMP_DLEN;
|
|
*(LPDWORD)(&_cd_Go_SN.szMyCallData[1]) = (DWORD)_cd_Go_SN.myCall - _cd_Go_SN.dwOriginalAddr - JMP_DLEN;
|
|
|
|
|
|
- // Go Set Communication Error
|
|
|
|
|
|
+ // 消除 Set Communication Error 弹框;
|
|
// 00417FCD | E8 666A0B00 | call demo.4CEA38 |
|
|
// 00417FCD | E8 666A0B00 | call demo.4CEA38 |
|
|
_cd_Go_SetCommunicationError.myCall = Call_MyGoSetCommunicationError;
|
|
_cd_Go_SetCommunicationError.myCall = Call_MyGoSetCommunicationError;
|
|
_cd_Go_SetCommunicationError.dwBack2Addr = 0x00417FD2;
|
|
_cd_Go_SetCommunicationError.dwBack2Addr = 0x00417FD2;
|
|
@@ -153,7 +167,7 @@ void InitCallData()
|
|
_cd_Go_SetCommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
_cd_Go_SetCommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
*(LPDWORD)(&_cd_Go_SetCommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_SetCommunicationError.myCall - _cd_Go_SetCommunicationError.dwOriginalAddr - JMP_DLEN;
|
|
*(LPDWORD)(&_cd_Go_SetCommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_SetCommunicationError.myCall - _cd_Go_SetCommunicationError.dwOriginalAddr - JMP_DLEN;
|
|
|
|
|
|
- // Go Communication Error
|
|
|
|
|
|
+ // 消除Communication Error弹框;
|
|
// 00404408 | E8 2BA60C00| call demo.4CEA38|
|
|
// 00404408 | E8 2BA60C00| call demo.4CEA38|
|
|
_cd_Go_CommunicationError.myCall = Call_MyGoCommunicationError;
|
|
_cd_Go_CommunicationError.myCall = Call_MyGoCommunicationError;
|
|
_cd_Go_CommunicationError.dwBack2Addr = 0x0040440D;
|
|
_cd_Go_CommunicationError.dwBack2Addr = 0x0040440D;
|
|
@@ -167,6 +181,32 @@ void InitCallData()
|
|
*(LPDWORD)(&_cd_Go_CommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_CommunicationError.myCall - _cd_Go_CommunicationError.dwOriginalAddr - JMP_DLEN;
|
|
*(LPDWORD)(&_cd_Go_CommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_CommunicationError.myCall - _cd_Go_CommunicationError.dwOriginalAddr - JMP_DLEN;
|
|
#pragma endregion
|
|
#pragma endregion
|
|
|
|
|
|
|
|
+#pragma region CheckFW按钮处理
|
|
|
|
+ // 00404458 | E8 E7F70400 | call demo.453C44 | # 此处应该是执行I2CReadEx
|
|
|
|
+ _cd_CheckFW.myCall = Call_MyCheckFW; // 成功获取版本后跳转处理;
|
|
|
|
+ // 0040445D | 83C4 1C | add esp,1C |
|
|
|
|
+ _cd_CheckFW.dwBack2Addr = 0x0040445D;
|
|
|
|
+ _cd_CheckFW.dwOriginalAddr = 0x00404458;
|
|
|
|
+ _cd_CheckFW.dwOriginalCallAddr = 0x453C44;
|
|
|
|
+
|
|
|
|
+ _cd_CheckFW.nMyCallDataLen = JMP_DLEN;
|
|
|
|
+ memset(_cd_CheckFW.szMyCallData, 0x90, CALL_LEN);
|
|
|
|
+ _cd_CheckFW.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
|
+ *(LPDWORD)(&_cd_CheckFW.szMyCallData[1]) = (DWORD)_cd_CheckFW.myCall - _cd_CheckFW.dwOriginalAddr - JMP_DLEN;
|
|
|
|
+
|
|
|
|
+ /* 针对弹框Communication Error的消除处理 */
|
|
|
|
+ // 00404408 | E8 2BA60C00 | call demo.4CEA38 | # Dailogs::ShowMessage(string) 弹出提示框:Communication Error
|
|
|
|
+ _cd_CheckFW_CommunicationError.myCall = Call_MyCheckFWCommunicationError; // 成功获取版本后跳转处理;
|
|
|
|
+ // 0040440D | FF4D BC | dec dword ptr ss:[ebp-44] | [ebp-44]:&"脥I"
|
|
|
|
+ _cd_CheckFW_CommunicationError.dwBack2Addr = 0x0040440D;
|
|
|
|
+ _cd_CheckFW_CommunicationError.dwOriginalAddr = 0x00404408;
|
|
|
|
+ _cd_CheckFW_CommunicationError.dwOriginalCallAddr = 0x4CEA38;
|
|
|
|
+
|
|
|
|
+ _cd_CheckFW_CommunicationError.nMyCallDataLen = JMP_DLEN;
|
|
|
|
+ memset(_cd_CheckFW_CommunicationError.szMyCallData, 0x90, CALL_LEN);
|
|
|
|
+ _cd_CheckFW_CommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
|
+ *(LPDWORD)(&_cd_CheckFW_CommunicationError.szMyCallData[1]) = (DWORD)_cd_CheckFW_CommunicationError.myCall - _cd_CheckFW_CommunicationError.dwOriginalAddr - JMP_DLEN;
|
|
|
|
+#pragma endregion
|
|
}
|
|
}
|
|
|
|
|
|
BOOL HijackedAllCall()
|
|
BOOL HijackedAllCall()
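Review bot: `_cd_CheckFW_CommunicationError` is configured for the same patch site as the existing `_cd_Go_CommunicationError` — `dwOriginalAddr = 0x00404408` and `dwBack2Addr = 0x0040440D` here are the same addresses shown for the Go region above (`00404408 | call demo.4CEA38`, `dwBack2Addr = 0x0040440D`). If HijackedAllCall installs both entries (the next hunk adds the CheckFW ones; whether the Go entry is installed is outside what is visible), the second patch overwrites the first's 5-byte jmp, whichever handler is installed last is the one that actually runs, and — assuming HijackedCall records the bytes it replaces — the second entry stores an already-patched jmp as its "original", so a later restore cannot put the site back. One CALLDATA per patch site is needed: drop one of the two entries or dispatch both cases from a single handler. The comment on `_cd_CheckFW_CommunicationError.myCall` was copied from the CheckFW entry (`// 成功获取版本后跳转处理;`) and describes the wrong path; `// entered in place of the Communication Error dialog call; the original call is skipped` matches what the handler does. The same duplicate-site concern applies to the two new `HijackedCall(&_cd_CheckFW...)` calls in the HijackedAllCall hunk below.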
|
|
@@ -193,6 +233,12 @@ BOOL HijackedAllCall()
|
|
if ( !(bHijack = HijackedCall(&_cd_ExternalException)) )
|
|
if ( !(bHijack = HijackedCall(&_cd_ExternalException)) )
|
|
goto end;
|
|
goto end;
|
|
|
|
|
|
|
|
+ if ( !(bHijack = HijackedCall(&_cd_CheckFW)) )
|
|
|
|
+ goto end;
|
|
|
|
+
|
|
|
|
+ if ( !(bHijack = HijackedCall(&_cd_CheckFW_CommunicationError)) )
|
|
|
|
+ goto end;
|
|
|
|
+
|
|
end:
|
|
end:
|
|
return bHijack;
|
|
return bHijack;
|
|
}
|
|
}
|
|
@@ -593,34 +639,38 @@ void __declspec(naked) Call_MyDisconnect()
|
|
void __declspec(naked) Call_MyCheckFW()
|
|
void __declspec(naked) Call_MyCheckFW()
|
|
{
|
|
{
|
|
// 备份寄存器;
|
|
// 备份寄存器;
|
|
|
|
+ __asm pushad;
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+ MessageBox(NULL, _T("Call_MyCheckFW"), _T("MyCheckFW"), MB_OK);
|
|
|
|
+
|
|
|
|
+
|
|
__asm{
|
|
__asm{
|
|
- // 保存寄存器;
|
|
|
|
- mov dwEAX, EAX;
|
|
|
|
- mov dwEBX, EBX;
|
|
|
|
- mov dwECX, ECX;
|
|
|
|
- mov dwEDX, EDX;
|
|
|
|
- mov dwEBP, EBP;
|
|
|
|
- mov dwESP, ESP;
|
|
|
|
- mov dwESI, ESI;
|
|
|
|
- mov dwEDI, EDI;
|
|
|
|
|
|
+ // 恢复寄存器;
|
|
|
|
+ popad;
|
|
|
|
+ // 执行原call;
|
|
|
|
+ call _cd_CheckFW.dwOriginalCallAddr;
|
|
|
|
+ // 最后返回原Call地址下一行;
|
|
|
|
+ jmp _cd_CheckFW.dwBack2Addr;
|
|
}
|
|
}
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+void __declspec(naked) Call_MyCheckFWCommunicationError()
|
|
|
|
+{
|
|
|
|
+ // 备份寄存器;
|
|
|
|
+ __asm pushad;
|
|
|
|
|
|
|
|
|
|
- MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
|
|
|
|
|
|
+ MessageBox(NULL, _T("Call_MyCheckFWCommunicationError"), _T("MyCheckFWCommunicationError"), MB_OK);
|
|
|
|
|
|
|
|
|
|
__asm{
|
|
__asm{
|
|
// 恢复寄存器;
|
|
// 恢复寄存器;
|
|
- mov EAX, dwEAX;
|
|
|
|
- mov EBX, dwEBX;
|
|
|
|
- mov ECX, dwECX;
|
|
|
|
- mov EDX, dwEDX;
|
|
|
|
- mov EBP, dwEBP;
|
|
|
|
- mov ESP, dwESP;
|
|
|
|
- mov ESI, dwESI;
|
|
|
|
- mov EDI, dwEDI;
|
|
|
|
|
|
+ popad;
|
|
|
|
+ // 消除原call;
|
|
|
|
+ // call _cd_CheckFW.dwOriginalCallAddr;
|
|
// 最后返回原Call地址下一行;
|
|
// 最后返回原Call地址下一行;
|
|
- jmp _cd_Go.dwBack2Addr;
|
|
|
|
|
|
+ jmp _cd_CheckFW_CommunicationError.dwBack2Addr;
|
|
}
|
|
}
|
|
}
|
|
}
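Review bot: The `MessageBox(...)` calls in `Call_MyCheckFW` and `Call_MyCheckFWCommunicationError` run a modal message loop on the hooked thread while the target is stopped mid-function, so the target's own window procedures can re-enter before `popad` and the original call resume; they read as tracing aids and should be compiled out (`#ifdef _DEBUG`) or replaced with `OutputDebugString`, which does not pump messages. `pushad`/`popad` also leaves EFLAGS uncovered, which the argument pushes and the call clobber; this is harmless only because the resume points shown in the comments (`add esp,1C`, `dec dword ptr ...`) set their own flags, and a `pushfd`/`popfd` pair around the C call would remove the dependency. Calling a C function from a `__declspec(naked)` body works here because the arguments are constants and no frame is needed, but the body should be kept that minimal. In `Call_MyCheckFWCommunicationError` the commented-out `call _cd_CheckFW.dwOriginalCallAddr` names the wrong CALLDATA (the entry is `_cd_CheckFW_CommunicationError`), and skipping the original call is stack-neutral only if that callee does not pop its own arguments — worth confirming against the disassembly rather than assuming.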
|
|
|
|
|