A small LoadPE plugin for dumping Armadillo CopyMem-II
Download it here (or right-click and choose Save As).
Use it to dump Armadillo CopyMem-II protected programs; it works very nicely.
Many people do not know how to use it, so here is the procedure.
First put the plugin in LoadPE's LDE directory (create the directory yourself if it does not exist).
Open the program to be unpacked in OllyDbg (OD). I will use a small program of my own as the example.
Set the breakpoint BP WaitForDebugEvent; when it breaks, look at the stack:
0012DAC0 004AAD67 /CALL to WaitForDebugEvent from ScreenCo.004AAD61
0012DAC4 0012EB84 |pDebugEvent = 0012EB84
0012DAC8 000003E8 Timeout = 1000. ms
In the memory/hex window go to 12eb84, which makes the OEP easy to spot.
Clear that breakpoint, then bp WriteProcessMemory, press F9 and look at the stack:
0012D960 004AEC6E /CALL to WriteProcessMemory from ScreenCo.004AEC68
0012D964 0000005C |hProcess = 0000005C (window)
0012D968 00484000 |Address = 484000
0012D96C 00CF3FF0 |Buffer = 00CF3FF0
0012D970 00001000 |BytesToWrite = 1000 (4096.)
0012D974 0012DA7C pBytesWritten = 0012DA7C
This call writes the 1000h bytes of code from the buffer at cf3ff0 to 484000, so the OEP is close by. The DEBUG_EVENT at 12eb84 now reads:
0012EB84 01 00 00 00 00 05 00 00 E0 02 00 00 01 00 00 80
0012EB94 00 00 00 00 00 00 00 00 A0 40 48 00 02 00 00 00
0012EBA4 00 00 00 00 A0 40 48 00 A0 40 48 00 00 47 12 81
The OEP is 4840a0.
Now we have two things to do: 1. change the OEP into an infinite loop; 2. NOP out the encryption CALL.
1. Change the OEP. You can do this with PUPE, or edit it directly in the buffer; I use the latter. Press Ctrl+G and enter 00cf3ff0+0a0 (CF3FF0 is the start of the buffer, 0a0 = 4840a0-484000, and the leading 0 stops OD from treating the value as negative). That lands here:
00CF4090 55 PUSH EBP
00CF4091 8BEC MOV EBP, ESP
00CF4093 83C4 F0 ADD ESP, -10
00CF4096 B8 A03E4800 MOV EAX, 483EA0
00CF409B E8 D01CF8FF CALL 00C75D70
This is the code at the program's OEP. Change 558B to EBFE (EB FE is a jump to itself, the infinite loop mentioned above).
2. NOP out the encryption CALL. In the old version you could find it with Alt+K; in the new version just look further down the stack window. There is a line like this:
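As an added example (not part of the original post), the following Python decodes the 48 bytes that WaitForDebugEvent filled in at 0012EB84 using the 32-bit Win32 DEBUG_EVENT / EXCEPTION_RECORD layouts, then maps the exception address onto the WriteProcessMemory buffer exactly as the 00cf3ff0+0a0 calculation above does, and finally applies the 558B → EBFE edit only after checking that the expected PUSH EBP / MOV EBP,ESP prologue is really at that offset. The structure layouts and exception-code names are standard Win32; the event bytes, the stack arguments and the sixteen OEP bytes are the ones in the listings above; the 0x1000-byte page used in the demo is constructed, with only those sixteen bytes placed at offset 0A0. The decode makes explicit why the OEP can be read straight out of that dump: the event is a STATUS_GUARD_PAGE_VIOLATION (0x80000001) with ExceptionAddress 004840A0, i.e. the protector trapped the first fetch from a page it had not yet decrypted, and that same page is what the parent then writes back with WriteProcessMemory.

```python
"""Decode the OllyDbg values from the write-up: DEBUG_EVENT -> OEP -> buffer offset.

Added example, not code from the original post.  Layouts are the 32-bit Win32
DEBUG_EVENT / EXCEPTION_RECORD structures; sample bytes are copied from the
listings in the post; the 0x1000-byte page in the demo is constructed.
"""
import struct

EXCEPTION_DEBUG_EVENT = 1
EXCEPTION_MAXIMUM_PARAMETERS = 15
# Well-known NTSTATUS values that appear in ExceptionCode.
EXCEPTION_NAMES = {
    0x80000001: "STATUS_GUARD_PAGE_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}

# The 48 bytes shown at 0012EB84 in the post (three rows of the hex pane).
DEBUG_EVENT_BYTES = bytes.fromhex(
    "01000000 00050000 E0020000 01000080 "
    "00000000 00000000 A0404800 02000000 "
    "00000000 A0404800 A0404800 00471281"
)

# Bytes the post shows at 00CF4090, i.e. the OEP code inside the buffer.
OEP_BYTES = bytes.fromhex("55 8BEC 83C4F0 B8A03E4800 E8D01CF8FF")


def parse_debug_event(buf):
    """Return the fields of a 32-bit DEBUG_EVENT carrying an EXCEPTION_DEBUG_EVENT.

    Only the populated part of EXCEPTION_RECORD is read: the 20-byte fixed header
    plus NumberParameters entries of ExceptionInformation.  The full structure is
    larger than the 48 bytes the debugger showed, so insisting on
    sizeof(DEBUG_EVENT) would wrongly reject this dump.
    """
    if len(buf) < 12:
        raise ValueError("need at least the 12-byte DEBUG_EVENT header")
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    event = {"dwDebugEventCode": code, "dwProcessId": pid, "dwThreadId": tid}
    if code != EXCEPTION_DEBUG_EVENT:
        return event  # other event codes use a different union member
    if len(buf) < 32:
        raise ValueError("truncated EXCEPTION_RECORD header")
    exc_code, flags, chain, addr, nparams = struct.unpack_from("<IIIII", buf, 12)
    if nparams > EXCEPTION_MAXIMUM_PARAMETERS:
        raise ValueError("NumberParameters %d exceeds the Win32 maximum" % nparams)
    if len(buf) < 32 + 4 * nparams:
        raise ValueError("dump lacks the %d ExceptionInformation entries" % nparams)
    info = list(struct.unpack_from("<%dI" % nparams, buf, 32)) if nparams else []
    event.update({
        "ExceptionCode": exc_code,
        "ExceptionName": EXCEPTION_NAMES.get(exc_code, "unknown"),
        "ExceptionFlags": flags,
        "ExceptionRecord": chain,
        "ExceptionAddress": addr,
        "NumberParameters": nparams,
        "ExceptionInformation": info,
    })
    return event


def buffer_address_of(target, wpm_address, wpm_buffer, wpm_size):
    """Map a child-process address onto the parent's WriteProcessMemory buffer.

    wpm_* are the Address / Buffer / BytesToWrite arguments seen on the stack.
    Returns None when the target is outside the page being written: that is the
    check that tells you whether this call is the one carrying the OEP page.
    """
    if not (wpm_address <= target < wpm_address + wpm_size):
        return None
    return wpm_buffer + (target - wpm_address)


def oep_loop_patch(page, offset):
    """Replace PUSH EBP / MOV EBP,ESP at `offset` with JMP $ (EB FE).

    Refuses to patch unless the expected prologue is there, so a miscomputed
    offset is caught instead of corrupting the page.  Returns a patched copy;
    the original two bytes must be put back in the dump afterwards.
    """
    if page[offset:offset + 3] != b"\x55\x8b\xec":
        raise ValueError("no PUSH EBP / MOV EBP,ESP at offset 0x%x" % offset)
    patched = bytearray(page)
    patched[offset:offset + 2] = b"\xeb\xfe"
    return bytes(patched)


def locate_oep():
    """OEP from the debug event, and where it sits in the WriteProcessMemory buffer."""
    oep = parse_debug_event(DEBUG_EVENT_BYTES)["ExceptionAddress"]
    # Address=484000, Buffer=CF3FF0, BytesToWrite=1000h from the stack listing.
    return oep, buffer_address_of(oep, 0x484000, 0xCF3FF0, 0x1000)


if __name__ == "__main__":
    for key, val in parse_debug_event(DEBUG_EVENT_BYTES).items():
        print("%-21s %s" % (key, hex(val) if isinstance(val, int) else val))
    oep, where = locate_oep()
    print("OEP 0x%08X is at 0x%08X in the buffer" % (oep, where))
    page = bytearray(0x1000)                    # constructed stand-in for the page
    page[0xA0:0xA0 + len(OEP_BYTES)] = OEP_BYTES
    patched = oep_loop_patch(bytes(page), where - 0xCF3FF0)
    print("bytes at OEP after patch:", patched[0xA0:0xA0 + 4].hex())
```

Running it prints dwProcessId 0x500, dwThreadId 0x2e0, ExceptionAddress 0x4840a0 with two ExceptionInformation entries, then "OEP 0x004840A0 is at 0x00CF4090 in the buffer" and "ebfeec83" for the patched bytes, matching the Ctrl+G result in the post.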
0012D960 004AEC6E /CALL to WriteProcessMemory from ScreenCo.004AEC68
0012D964 0000005C |hProcess = 0000005C (window)
0012D968 00484000 |Address = 484000
0012D96C 00CF3FF0 |Buffer = 00CF3FF0
0012D970 00001000 |BytesToWrite = 1000 (4096.)
0012D974 0012DA7C pBytesWritten = 0012DA7C
0012D978 00000009
0012D97C 00000839
0012D980 0012F590
0012D984 00000000
0012D988 00000000
0012D98C 00000000
0012D990 00000000
0012D994 00000000
0012D998 00000000
0012D99C 00000000
0012D9A0 00000000
0012D9A4 00000000
0012D9A8 00000000
0012D9AC 00000000
0012D9B0 00000000
0012D9B4 00000000
0012D9B8 00000000
0012D9BC 00000000
0012D9C0 00000000
0012D9C4 00000000
0012D9C8 00000000
0012D9CC 00000000
0012D9D0 00000000
0012D9D4 00000000
0012D9D8 00000000
0012D9DC 00000000
0012D9E0 00000000
0012D9E4 00000000
0012D9E8 00000000
0012D9EC 00000000
0012D9F0 00000000
0012D9F4 00000000
0012D9F8 00000000
0012D9FC 00000000
0012DA00 00000000
0012DA04 00000000
0012DA08 00000000
0012DA0C 00000000
0012DA10 00000000
0012DA14 00000000
0012DA18 00000000
0012DA1C 00000000
0012DA20 00000000
0012DA24 00000000
0012DA28 00000000
0012DA2C 00000000
0012DA30 00000000
0012DA34 00000000
0012DA38 00000000
0012DA3C 00000000
0012DA40 00000000
0012DA44 00000000
0012DA48 00000000
0012DA4C 00000000
0012DA50 00000000
0012DA54 00000000
0012DA58 3255BC34
0012DA5C 00CF4FF0
0012DA60 00CF4FF0
0012DA64 000000E3
0012DA68 00000000
0012DA6C 00000020
0012DA70 00484000 ScreenCo.00484000
0012DA74 00000020
0012DA78 00CF4FF0
0012DA7C 00001000
0012DA80 00CF4FF0
0012DA84 /0012DAB8
0012DA88 |004AD8DC RETURN to ScreenCo.004AD8DC from ScreenCo.004ADC24
0012DA8C |00000083
See that RETURN near the bottom? That is where the encryption CALL is. Right-click it → Follow in Disassembler, which lands here:
004AD8D7 . E8 48030000 CALL 004ADC24 (this is the decode CALL) ; ScreenCo.004ADC24
004AD8DC > 83C4 0C ADD ESP, 0C (returns to here)
Now search for the other call 004adc24; it is here:
004ADBAB . 50 PUSH EAX
004ADBAC . E8 73000000 CALL 004ADC24 ; ScreenCo.004ADC24
NOP out the call at 4adbac, clear all breakpoints and press F9 to run. Now you can dump with LoadPE.
In LoadPE select the child process, right-click → choose the dump engine → armadmp, then right-click the child process again → Full dump.
OK, you have dumped it successfully. Remember to change the OEP code back.
Tested on 2000/XP: the dump succeeds on both. Not tried on 98, because we no longer have any machines running 98 here.