如何在C调用此组件函数内联ASM ++(DLL注入) [英] How to call this assembly function in Inlined ASM in C++ (DLL Injection)
本文介绍了如何在C调用此组件函数内联ASM ++(DLL注入)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
seg000:004481D0; ===============子程序================================== =====
seg000:004481D0
seg000:004481D0;属性:BP基于帧
seg000:004481D0
seg000:004481D0 sub_4481D0 PROC附近
seg000:004481D0
seg000:004481D0 ARG_0 = DWORD PTR 8
seg000:004481D0 arg_4 = DWORD PTR 0CH
seg000:004481D0
seg000:004481D0推EBP
seg000:004481D1 MOV EBP,ESP
seg000:004481D3推ESI
seg000:004481D4 MOV ESI,ECX
seg000:004481D6推EDI
seg000:004481D7 MOV EDI,[EBP + ARG_0]
seg000:004481DA MOV EAX,[ESI]
seg000:004481DC推EDI
seg000:004481DD通话DWORD PTR [EAX + 0D4h]
seg000:004481E3 MOV EDI,[ESI + EDI * 4 + 1BBD4h]
seg000:004481EA测试EDI,EDI
seg000:004481EC JZ loc_4482D2
seg000:004481F2 MOV EAX,[EBP + arg_4]
seg000:004481F5 MOV EDX,[EDI]
seg000:004481F7推EBX
seg000:004481F8推EAX
seg000:004481F9 MOV ECX,EDI
seg000:004481FB通话DWORD PTR [EDX + 4CH]
seg000:004481FE MOV人,[EDI + 9CH]
seg000:00448204或EDX,0FFFFFFFFH
seg000:00448207考验人,人
seg000:00448209 MOV [EDI +代上],EDX
seg000:0044820C JZ loc_4482A5
seg000:00448212 MOV EAX,0B1808224h
seg000:00448217 MOV ECX,0B2h
seg000:0044821C MOV EBX,抵消off_4AC700
seg000:00448221
seg000:00448221 loc_448221:; code XREF:sub_4481D0 + 59J
seg000:00448221 XOR EAX,[EBX + ECX * 4-83A30h]
seg000:00448228十二月ECX
seg000:00448229 JNZ短loc_448221
seg000:0044822B MOV DWORD PTR [EAX + ESI + 2C6A010h] 1
seg000:00448236 MOV [ESI + 1BB98h],EDX
seg000:0044823C MOV EDX,[EDI]
seg000:0044823E MOV ECX,EDI
seg000:00448240电话DWORD PTR [EDX + 38H]
seg000:00448243 MOV ECX,[ESI + 5A3Ch]
seg000:00448249 MOV EAX,[EBP + arg_4]
seg000:0044824C CMP EAX,8
seg000:0044824F MOV [ECX + 27FH地址],EAX
seg000:00448255 MOV EDX,[ESI + 878h]
seg000:0044825B MOV DWORD PTR [EDX + 230H] 0
seg000:00448265 JZ短loc_448299
seg000:00448267 MOV [ESI + 87Ch],EAX
seg000:0044826D MOV EAX,[ESI]
seg000:0044826F推0FFFFFFFFH
seg000:00448271 MOV ECX,ESI
seg000:00448273电话DWORD PTR [EAX + 0C0H]
seg000:00448279 MOV ECX,[ESI + 878h]
seg000:0044827F推0FFFFFFFFH
seg000:00448281推0FFFFFFFFH
seg000:00448283 MOV EBX,[ECX]
seg000:00448285电话_rand
seg000:0044828A MOV ECX,[ESI + 878h]
seg000:00448290推EAX
seg000:00448291电话DWORD PTR [EBX + 98H]
seg000:00448297 JMP短loc_4482AC
seg000:00448299; -------------------------------------------------- -------------------------
seg000:00448299
seg000:00448299 loc_448299:; code XREF:sub_4481D0 + 95J
seg000:00448299 MOV DWORD PTR [ESI + 1B654h],0FFFFFFFFH
seg000:004482A3 JMP短loc_4482AC
seg000:004482A5; -------------------------------------------------- -------------------------
seg000:004482A5
seg000:004482A5 loc_4482A5:; code XREF:sub_4481D0 + 3Cj
seg000:004482A5 MOV DWORD PTR [EDI + 4声道],2
seg000:004482AC
seg000:004482AC loc_4482AC:; code XREF:sub_4481D0 + C7j
seg000:004482AC; sub_4481D0 + D3j
seg000:004482AC MOV人,[ESI + 1BB74h]
seg000:004482B2流行EBX
seg000:004482B3考验人,人
seg000:004482B5 JZ短loc_4482D2
seg000:004482B7 MOV EAX,[EDI + 5CH]
seg000:004482BA MOV ECX,[EDI + 58H]
seg000:004482BD MOV EDX,[ESI + 5A3Ch]
seg000:004482C3推EAX
seg000:004482C4加EDI,6Dh个
seg000:004482C7推ECX
seg000:004482C8推EDI
seg000:004482C9通话DWORD PTR [EDX + 23A2h]
seg000:004482CF加ESP,0CH
seg000:004482D2
seg000:004482D2 loc_4482D2:; code XREF:sub_4481D0 + 1Cj
seg000:004482D2; sub_4481D0 + E5j
seg000:004482D2流行EDI
seg000:004482D3流行ESI
seg000:004482D4弹出EBP
seg000:004482D5 RETN 8
seg000:004482D5 sub_4481D0 ENDP
seg000:004482D5
seg000:004482D5; -------------------------------------------------- -------------------------
这是它是如何与六角射线反编译
字符__thiscall sub_4481D0(无效*此,诠释A2,A3 INT)
{
焦炭结果; // @人1
INT V4; // @ EDI 1
无效* V5; // @ ESI 1
烧焦V6; // @人2
符号int V7; // @ EAX 3
符号int V8; // @ ECX 3
INT V9; // @ EBX 6
INT V10; // @ EAX 6 V5 =这一点;
结果=(*(INT(__stdcall **)(INT))(*(_ DWORD *)这+ 212))(A2);
V4 = *((_ DWORD *)V5 + A2 + 28405);
如果(V4)
{
(*(无效(__thiscall **)(INT,INT))(*(_ DWORD *)V4 + 76))(V4,A3);
V6 = *(_ BYTE *)(V4 + 156);
*(_ DWORD *)(V4 + 28)= -1;
如果(V6)
{
V7 = -1316978140;
V8 = 178;
做
V7 ^ = off_4AC700 [v8-- - 134796]。
而(V8);
*(_ DWORD *)(V5 + V7 + 46571536)= 1;
*((_ DWORD *)V5 + 28390)= -1;
(*(无效(__thiscall **)(INT))(*(_ DWORD *)V4 + 56))(V4);
*(_ DWORD *)(*((_ DWORD *)V5 + 5775)+ 639)= A3;
*(_ DWORD *)(*((_ DWORD *)V5 + 542)+ 560)= 0;
如果(A3 == 8)
{
*((_ DWORD *)V5 + 28053)= -1;
}
其他
{
*((_ DWORD *)V5 + 543)= A3;
(*(无效(__thiscall **)(void *的签署INT))(*(_ DWORD *)V5 + 192))(V5,-1);
V9 = **((_ DWORD **)v5 +的542);
V10 = RAND();
(*(无效(__thiscall **)(_ DWORD,INT,符号整数,符号整数))(V9 + 152))(*((_ DWORD *)V5 + 542),V10,-1,-1);
}
}
其他
{
*(_ DWORD *)(V4 + 76)= 2;
}
结果= *((_ BYTE *)V5 + 113524);
如果(结果)
结果=(*(INT(__cdecl **)(INT,_DWORD,_DWORD))(*((_ DWORD *)V5 + 5775)+ 9122))(
V4 + 109,
*(_ DWORD *)(V4 + 88)
*(_ DWORD *)(V4 + 92));
}
返回结果;
}
我的问题是我怎么把它使用的DLL注入?
在 00481D0断点是寄存器
EAX = 004AC4E8
EBX = 00EEC774
ECX = 00EEC774
EDX = 00000000
ESI = 00EEC774
EDI = 0012F040
EBP = 0012E744
ESP = 0012E72C
EIP = 004481D0
这是我..但它崩溃我的目标。
静态DWORD the_hook_address = 0x4481D0;
__asm
{
推EBP
MOV EBP,ESP
推EBX
PUSH 4 // A3
PUSH 4 // A2
CALL [the_hook_address]
// RETN 8 // 4 * 2 ARGS
流行EBX
离开
RET
}
解决方案
看起来你的ASM常规预计,ECX的东西(这一点?)。你需要初始化的调用之前一个有效的指针。
seg000:004481D0 ; =============== S U B R O U T I N E =======================================
seg000:004481D0
seg000:004481D0 ; Attributes: bp-based frame
seg000:004481D0
seg000:004481D0 sub_4481D0 proc near
seg000:004481D0
seg000:004481D0 arg_0 = dword ptr 8
seg000:004481D0 arg_4 = dword ptr 0Ch
seg000:004481D0
seg000:004481D0 push ebp
seg000:004481D1 mov ebp, esp
seg000:004481D3 push esi
seg000:004481D4 mov esi, ecx
seg000:004481D6 push edi
seg000:004481D7 mov edi, [ebp+arg_0]
seg000:004481DA mov eax, [esi]
seg000:004481DC push edi
seg000:004481DD call dword ptr [eax+0D4h]
seg000:004481E3 mov edi, [esi+edi*4+1BBD4h]
seg000:004481EA test edi, edi
seg000:004481EC jz loc_4482D2
seg000:004481F2 mov eax, [ebp+arg_4]
seg000:004481F5 mov edx, [edi]
seg000:004481F7 push ebx
seg000:004481F8 push eax
seg000:004481F9 mov ecx, edi
seg000:004481FB call dword ptr [edx+4Ch]
seg000:004481FE mov al, [edi+9Ch]
seg000:00448204 or edx, 0FFFFFFFFh
seg000:00448207 test al, al
seg000:00448209 mov [edi+1Ch], edx
seg000:0044820C jz loc_4482A5
seg000:00448212 mov eax, 0B1808224h
seg000:00448217 mov ecx, 0B2h
seg000:0044821C mov ebx, offset off_4AC700
seg000:00448221
seg000:00448221 loc_448221: ; CODE XREF: sub_4481D0+59j
seg000:00448221 xor eax, [ebx+ecx*4-83A30h]
seg000:00448228 dec ecx
seg000:00448229 jnz short loc_448221
seg000:0044822B mov dword ptr [eax+esi+2C6A010h], 1
seg000:00448236 mov [esi+1BB98h], edx
seg000:0044823C mov edx, [edi]
seg000:0044823E mov ecx, edi
seg000:00448240 call dword ptr [edx+38h]
seg000:00448243 mov ecx, [esi+5A3Ch]
seg000:00448249 mov eax, [ebp+arg_4]
seg000:0044824C cmp eax, 8
seg000:0044824F mov [ecx+27Fh], eax
seg000:00448255 mov edx, [esi+878h]
seg000:0044825B mov dword ptr [edx+230h], 0
seg000:00448265 jz short loc_448299
seg000:00448267 mov [esi+87Ch], eax
seg000:0044826D mov eax, [esi]
seg000:0044826F push 0FFFFFFFFh
seg000:00448271 mov ecx, esi
seg000:00448273 call dword ptr [eax+0C0h]
seg000:00448279 mov ecx, [esi+878h]
seg000:0044827F push 0FFFFFFFFh
seg000:00448281 push 0FFFFFFFFh
seg000:00448283 mov ebx, [ecx]
seg000:00448285 call _rand
seg000:0044828A mov ecx, [esi+878h]
seg000:00448290 push eax
seg000:00448291 call dword ptr [ebx+98h]
seg000:00448297 jmp short loc_4482AC
seg000:00448299 ; ---------------------------------------------------------------------------
seg000:00448299
seg000:00448299 loc_448299: ; CODE XREF: sub_4481D0+95j
seg000:00448299 mov dword ptr [esi+1B654h], 0FFFFFFFFh
seg000:004482A3 jmp short loc_4482AC
seg000:004482A5 ; ---------------------------------------------------------------------------
seg000:004482A5
seg000:004482A5 loc_4482A5: ; CODE XREF: sub_4481D0+3Cj
seg000:004482A5 mov dword ptr [edi+4Ch], 2
seg000:004482AC
seg000:004482AC loc_4482AC: ; CODE XREF: sub_4481D0+C7j
seg000:004482AC ; sub_4481D0+D3j
seg000:004482AC mov al, [esi+1BB74h]
seg000:004482B2 pop ebx
seg000:004482B3 test al, al
seg000:004482B5 jz short loc_4482D2
seg000:004482B7 mov eax, [edi+5Ch]
seg000:004482BA mov ecx, [edi+58h]
seg000:004482BD mov edx, [esi+5A3Ch]
seg000:004482C3 push eax
seg000:004482C4 add edi, 6Dh
seg000:004482C7 push ecx
seg000:004482C8 push edi
seg000:004482C9 call dword ptr [edx+23A2h]
seg000:004482CF add esp, 0Ch
seg000:004482D2
seg000:004482D2 loc_4482D2: ; CODE XREF: sub_4481D0+1Cj
seg000:004482D2 ; sub_4481D0+E5j
seg000:004482D2 pop edi
seg000:004482D3 pop esi
seg000:004482D4 pop ebp
seg000:004482D5 retn 8
seg000:004482D5 sub_4481D0 endp
seg000:004482D5
seg000:004482D5 ; ---------------------------------------------------------------------------
Here it is how it's decompiled with hex-rays
char __thiscall sub_4481D0(void *this, int a2, int a3)
{
char result; // al@1
int v4; // edi@1
void *v5; // esi@1
char v6; // al@2
signed int v7; // eax@3
signed int v8; // ecx@3
int v9; // ebx@6
int v10; // eax@6
v5 = this;
result = (*(int (__stdcall **)(int))(*(_DWORD *)this + 212))(a2);
v4 = *((_DWORD *)v5 + a2 + 28405);
if ( v4 )
{
(*(void (__thiscall **)(int, int))(*(_DWORD *)v4 + 76))(v4, a3);
v6 = *(_BYTE *)(v4 + 156);
*(_DWORD *)(v4 + 28) = -1;
if ( v6 )
{
v7 = -1316978140;
v8 = 178;
do
v7 ^= off_4AC700[v8-- - 134796];
while ( v8 );
*(_DWORD *)(v5 + v7 + 46571536) = 1;
*((_DWORD *)v5 + 28390) = -1;
(*(void (__thiscall **)(int))(*(_DWORD *)v4 + 56))(v4);
*(_DWORD *)(*((_DWORD *)v5 + 5775) + 639) = a3;
*(_DWORD *)(*((_DWORD *)v5 + 542) + 560) = 0;
if ( a3 == 8 )
{
*((_DWORD *)v5 + 28053) = -1;
}
else
{
*((_DWORD *)v5 + 543) = a3;
(*(void (__thiscall **)(void *, signed int))(*(_DWORD *)v5 + 192))(v5, -1);
v9 = **((_DWORD **)v5 + 542);
v10 = rand();
(*(void (__thiscall **)(_DWORD, int, signed int, signed int))(v9 + 152))(*((_DWORD *)v5 + 542), v10, -1, -1);
}
}
else
{
*(_DWORD *)(v4 + 76) = 2;
}
result = *((_BYTE *)v5 + 113524);
if ( result )
result = (*(int (__cdecl **)(int, _DWORD, _DWORD))(*((_DWORD *)v5 + 5775) + 9122))(
v4 + 109,
*(_DWORD *)(v4 + 88),
*(_DWORD *)(v4 + 92));
}
return result;
}
My question is how do I call it using a injected dll?
The registers at 00481D0 breakpoint are
EAX = 004AC4E8
EBX = 00EEC774
ECX = 00EEC774
EDX = 00000000
ESI = 00EEC774
EDI = 0012F040
EBP = 0012E744
ESP = 0012E72C
EIP = 004481D0
This is what I have.. but it crashes my target.
static DWORD the_hook_address = 0x4481D0;
__asm
{
push ebp
mov ebp, esp
push ebx
PUSH 4//a3
PUSH 4//a2
CALL [the_hook_address]
//RETN 8 //4 * 2 args
pop ebx
leave
ret
}
解决方案
Looks like your asm routine expects something (this?) in ecx. You need to initialize that to a valid pointer before the call.
这篇关于如何在C调用此组件函数内联ASM ++(DLL注入)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
