|
@@ -4,6 +4,7 @@
|
|
|
#include "stdafx.h"
|
|
|
#include "Assist.h"
|
|
|
#include <stdio.h>
|
|
|
+#include <process.h>
|
|
|
|
|
|
// 全局CallData;
|
|
|
CALLDATA _cd_Go;
|
|
@@ -15,6 +16,7 @@ CALLDATA _cd_Go_SN;
|
|
|
CALLDATA _cd_Go_CommunicationError;
|
|
|
CALLDATA _cd_Go_SetCommunicationError;
|
|
|
CALLDATA _cd_Initial_failed;
|
|
|
+CALLDATA _cd_ExternalException;
|
|
|
|
|
|
// 调试耗时值ms;
|
|
|
DWORD dwElapsed = 0;
|
|
@@ -43,6 +45,7 @@ void Call_MySaveAsOutputData();
|
|
|
void Call_MyInitial_Failed();
|
|
|
void Call_MyGoCommunicationError();
|
|
|
void Call_MyGoSetCommunicationError();
|
|
|
+void Call_MyExternalException();
|
|
|
|
|
|
// 其他函数;
|
|
|
void SetChannel(int nChannel);
|
|
@@ -94,6 +97,22 @@ void InitCallData()
|
|
|
*(LPDWORD)(&_cd_Disconnect.szMyCallData[1]) = (DWORD)_cd_Disconnect.myCall - _cd_Disconnect.dwOriginalAddr - JMP_DLEN;
|
|
|
#pragma endregion
|
|
|
|
|
|
+#pragma region ExternalException
|
|
|
+ // 必须获取模块地址:ca210ctrl.dll
|
|
|
+ HMODULE hModule = GetModuleHandle(_T("Ca210Ctrl.dll"));
|
|
|
+ // 044D677C | FF15 78645404 | call dword ptr ds:[<&RaiseException>] |
|
|
|
+ _cd_ExternalException.myCall = Call_MyExternalException;
|
|
|
+ // 044D6782 | 5F | pop edi |
|
|
|
+ _cd_ExternalException.dwBack2Addr = (DWORD)hModule + 0x106782;
|
|
|
+ _cd_ExternalException.dwOriginalAddr = (DWORD)hModule + 0x10677C;
|
|
|
+ _cd_ExternalException.dwOriginalCallAddr = 0x769F05B0;
|
|
|
+
|
|
|
+ _cd_ExternalException.nMyCallDataLen = JMP_DLEN;
|
|
|
+ memset(_cd_ExternalException.szMyCallData, 0x90, CALL_LEN);
|
|
|
+ _cd_ExternalException.szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
|
|
|
+ *(LPDWORD)(&_cd_ExternalException.szMyCallData[1]) = (DWORD)_cd_ExternalException.myCall - _cd_ExternalException.dwOriginalAddr - JMP_DLEN;
|
|
|
+#pragma endregion
|
|
|
+
|
|
|
#pragma region Go按钮劫持
|
|
|
// Go
|
|
|
_cd_Go.myCall = Call_MyGo;
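Review bot: `_cd_ExternalException.dwOriginalCallAddr = 0x769F05B0;` appears to hard-code the address RaiseException had in one debugging session; system DLLs are rebased by ASLR and differ between Windows builds, so on another boot or machine the `call` in `Call_MyExternalException` could land on unrelated memory. Resolve it at run time instead, e.g. `_cd_ExternalException.dwOriginalCallAddr = (DWORD)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "RaiseException");`. The result of `GetModuleHandle(_T("Ca210Ctrl.dll"))` is also used unchecked: if the DLL is not loaded, `hModule` is NULL and `0x10677C` / `0x106782` become absolute addresses handed to the patcher, so this region should be skipped when it is NULL. The two offsets presumably match a single build of the DLL, so comparing the bytes at `dwOriginalAddr` with the expected `FF 15` before hooking would catch a version mismatch instead of overwriting unrelated code. InitCallData starts and ends outside this hunk.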
|
|
@@ -171,6 +190,9 @@ BOOL HijackedAllCall()
|
|
|
if ( !(bHijack = HijackedCall(&_cd_Go_SetCommunicationError)) )
|
|
|
goto end;
|
|
|
|
|
|
+ if ( !(bHijack = HijackedCall(&_cd_ExternalException)) )
|
|
|
+ goto end;
|
|
|
+
|
|
|
end:
|
|
|
return bHijack;
|
|
|
}
|
|
@@ -438,7 +460,7 @@ void __declspec(naked) Call_MyGoSetCommunicationError()
|
|
|
mov ESI, dwESI;
|
|
|
mov EDI, dwEDI;
|
|
|
// 执行原Call;
|
|
|
- //call _cd_Go_SetCommunicationError.dwOriginalCallAddr
|
|
|
+ //call _cd_Go_SetCommunicationError.dwOriginalCallAddr // 经验证,即使不执行原call,也会弹异常框;
|
|
|
// 返回劫持地址下一行;
|
|
|
jmp _cd_Go_SetCommunicationError.dwBack2Addr
|
|
|
}
|
|
@@ -526,6 +548,31 @@ void __declspec(naked) Call_MyConnect()
|
|
|
}
|
|
|
}
|
|
|
|
|
|
+void MyExternalException()
|
|
|
+{
|
|
|
+ MessageBox(NULL, _T("MyExternalExceptionE06D7363,重启异常待重启"), _T("提示"), MB_OK);
|
|
|
+ ::exit(0);
|
|
|
+}
|
|
|
+
|
|
|
+void __declspec(naked) Call_MyExternalException()
|
|
|
+{
|
|
|
+ // 备份寄存器;
|
|
|
+ __asm {
|
|
|
+ pushad;
|
|
|
+ }
|
|
|
+
|
|
|
+ MyExternalException();
|
|
|
+
|
|
|
+ __asm
|
|
|
+ {
|
|
|
+ // 恢复寄存器;
|
|
|
+ popad;
|
|
|
+ // 失败:JMP到出错处理;
|
|
|
+ call _cd_ExternalException.dwOriginalCallAddr;
|
|
|
+ jmp _cd_ExternalException.dwBack2Addr;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
void MyDisconnect()
|
|
|
{
|
|
|
MessageBox(NULL, _T("MyDisconnect Function"), _T("MyDisconnect"), MB_OK);
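Review bot: `MyExternalException()` ends in `::exit(0)`, so it never returns and the `popad` / `call _cd_ExternalException.dwOriginalCallAddr` / `jmp _cd_ExternalException.dwBack2Addr` tail in `Call_MyExternalException` is unreachable; either drop that tail or mark it as intentionally dead, since its comment currently describes a jump to error handling that cannot happen. Exiting with status 0 reports success for what the message text calls an exception awaiting restart, so a supervising process cannot tell a crash from a clean shutdown; `::exit(EXIT_FAILURE);` or a dedicated non-zero code would make that visible. The modal `MessageBox(NULL, ...)` also blocks until someone clicks OK, which may stall an unattended restart. A short comment on `MyExternalException` saying that any exception raised through the hooked call site in Ca210Ctrl.dll now terminates the process, including ones the DLL might otherwise have handled itself, would help the next reader.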
|