写这个小工具是有原因的：我同学老是趁我走开一小会儿的时候，往我的 QQ 群里发些消息。无奈之下，写了这个东西。代码是硬编码的（调用 API 的部分），如果有需要，可以自己完善一下。
代码:
; ---------------------------------------------------------------------------
; OllyDbg listing (x86-32, Intel syntax) plus raw patch bytes for the
; group-send path of ChatFram.dll.  This is not assemblable source: the hex
; runs are written verbatim into the DLL at the addresses shown.  Every
; E8 rel32 into USER32/kernel32 and every absolute 61xxxxxx pointer is
; specific to this DLL build and its load address, so the patch must be
; re-derived for any other version, and a client update that replaces the
; DLL silently undoes it.
; ---------------------------------------------------------------------------
系统:SP3 先找一个群发消息会经过的地方,找到这里
; Original code at the hook site.  call edx (6156DBB5) is the send call.
6156DBA3 /7C 57           jl short 6156DBFC               ; if this jump is taken the group message is not sent
6156DBA5 |8BB6 80000000   mov esi, dword ptr [esi+80]
6156DBAB |8B08            mov ecx, dword ptr [eax]
6156DBAD |8B51 18         mov edx, dword ptr [ecx+18]
6156DBB0 |53              push ebx
6156DBB1 |56              push esi
6156DBB2 |53              push ebx
6156DBB3 |57              push edi
6156DBB4 |50              push eax
6156DBB5 |FFD2            call edx
; Byte pattern used to locate the hook site in this build (its tail is the
; sequence listed above).
特征码: 52 8B 56 08 52 50 8B 41 0C C6 45 FC 01 FF D0 85 C0 8B 45 F0 7C 57 8B B6 80 00 00 00 8B 08 8B 51 18 53 56 53 57 50 FF D2
然后开始构造
.code 615c5b00 ; write the bytes below into the target DLL's code section at 615c5b00
; 615C5B00-615C5B9E: dialog procedure; 615C5BA1-615C5BF1: hook trampoline.
; Both are disassembled further down; the end-of-line comments give the
; address each run starts at.
55 8B EC 56 57 53                                        ; 615C5B00 prologue: push ebp / mov ebp,esp / push esi,edi,ebx
81 7D 0C 11 01 00 00 75 68                               ; 615C5B06 msg == WM_COMMAND (111)? else -> 615C5B77
8B 45 10 66 3D EA 03 75 7D                               ; 615C5B0F LOWORD(wParam) == 3EA (button)? else -> 615C5B95
68 00 01 00 00 68 20 A9 60 61 68 E9 03 00 00 FF 75 08    ; 615C5B18 args: GetDlgItemTextA(hWnd, 3E9, 6160A920, 100)
E8 2F 55 7A 16                                           ; 615C5B2A call GetDlgItemTextA (rel32, build-specific)
81 3D 20 A9 60 61 77 6F 72 69 74 26                      ; 615C5B2F cmp dword [6160A920], 69726F77 ("wori") / je 615C5B61
6A 00 6A 00 68 A0 3B 60 61 6A 00 E8 9F AC 78 16          ; 615C5B3B MessageBoxA(0, 61603BA0, 0, 0)
C7 05 10 A9 60 61 00 00 00 00                            ; 615C5B4B flag = 0 (rejected)
90 90 90 90 90 90 90 90 90 90                            ; 615C5B55 padding
EB 14                                                    ; 615C5B5F jmp 615C5B75
C7 05 10 A9 60 61 01 00 00 00                            ; 615C5B61 flag = 1 (accepted)
6A 00 FF 75 08 E8 D9 EE 75 16                            ; 615C5B6B EndDialog(hWnd, 0)
EB 1E                                                    ; 615C5B75 jmp 615C5B95
83 7D 0C 10 75 0C                                        ; 615C5B77 msg == WM_CLOSE (10)? else -> 615C5B89
6A 00 FF 75 08 E8 C7 EE 75 16                            ; 615C5B7D EndDialog(hWnd, 0) -- flag is NOT written on this path
EB 0C                                                    ; 615C5B87 jmp 615C5B95
B8 00 00 00 00 5B 5F 5E C9 C2 10 00                      ; 615C5B89 return 0 (not handled)
B8 01 00 00 00 5B 5F 5E C9 C2 10 00                      ; 615C5B95 return 1 (handled)
E8 00 00 00 00 81 2C 24 A6 10 40 00 5E                   ; 615C5BA1 esi = EIP(615C5BA6) - 4010A6 = 611C4B00
6A 00 68 00 10 40 00 01 34 24                            ; 615C5BAE lParam = 0; DlgProc = 401000 + esi = 615C5B00
6A 00 68 00 3B 60 61                                     ; 615C5BB8 hOwner = 0; pTemplate = 61603B00
6A 00 E8 6B 5B 24 1B 50                                  ; 615C5BBF hInst = GetModuleHandleA(0)
E8 B1 11 79 16                                           ; 615C5BC7 call DialogBoxIndirectParamA
61                                                       ; 615C5BCC popad
83 3D 10 A9 60 61 00 0F 84 22 80 FA FF                   ; 615C5BCD flag == 0 ? -> 6156DBFC (skip the send)
8B B6 80 00 00 00 8B 08 8B 51 18 53 56 53 57 50 FF D2    ; 615C5BDA replay of the 23 overwritten bytes ...
85 C0 8B 45 F0                                           ; 615C5BEC ... through mov eax,[ebp-10]
E9 C6 7F FA FF                                           ; 615C5BF1 jmp 6156DBBC (resume in the original code)
.data 61603B00
; Decoded from the bytes below (verify with a resource viewer): a
; DLGTEMPLATEEX (dlgVer 1, signature FFFF) with DS_SETFONT, 2 controls,
; title "请输入密码:" in UTF-16 and an 8pt "MS Sans Serif" font.
Dlgdata: 61603B00
01 00 FF FF 00 00 00 00 00 00 00 00 40 00 CF 10    ; header: helpID 0, exStyle 0, style 10CF0040
02 00 85 00 7B 00 CF 00 19 00 00 00 00 00 F7 8B    ; cDlgItems 2, x/y/cx/cy, no menu, no class, title ...
93 8F 65 51 C6 5B 01 78 3A 00 00 00 08 00 00 00    ; ... title + NUL, pointsize 8, weight 0
00 01 4D 00 53 00 20 00 53 00 61 00 6E 00 73 00    ; italic 0, charset 1, typeface "MS Sans ..."
20 00 53 00 65 00 72 00 69 00 66 00 00 00 00 00    ; "... Serif" + NUL, DWORD pad
00 00 00 00 00 02 00 00 20 00 01 50 02 00 01 00    ; item 1: exStyle 200 (WS_EX_CLIENTEDGE), style 50010020 (ES_PASSWORD), x 2, y 1
86 00 11 00 E9 03 00 00 FF FF 81 00 00 00 00 00    ; cx 86, cy 11, id 3E9, class atom 0081 (Edit), empty title, extraCount 0
00 00 00 00 00 00 00 00 01 00 01 50 92 00 03 00    ; item 2: helpID 0, exStyle 0, style 50010001 (BS_DEFPUSHBUTTON), x 92, y 3
34 00 13 00 EA 03 00 00 FF FF 80 00 6E 78 A4 8B    ; cx 34, cy 13, id 3EA, class atom 0080 (Button), title "确认" ...
; NOTE(review): the dump stops inside item 2's title: the UTF-16 NUL
; terminator and the extraCount word that must follow (61603B90..61603B93)
; are not shown.  Confirm those file bytes are zero before writing, otherwise
; DialogBoxIndirectParamA may misparse the template.
szmsg: 61603ba0 C3 DC C2 EB B2 BB D5 FD C8 B7 21 00 ; GBK "密码不正确!" (wrong password), NUL-terminated; MessageBoxA text
.data?
szbuff: 6160A920                                   ; must reserve 100h bytes: GetDlgItemTextA is called with Count = 100
; flag: 1 = password accepted, 0 = rejected; tested by the trampoline at 615C5BCD.
; Presumably 0 on first use because the loader zero-fills .data? -- but
; NOTE(review): it is never cleared before the dialog is shown, and the
; WM_CLOSE path (615C5B77) ends the dialog without writing it, so once a
; password has been accepted the close box passes the stale 1 and the
; message goes out unchecked.  A `mov dword ptr [6160A910], 0` before the
; DialogBoxIndirectParamA call (or in the WM_CLOSE path) closes that gap.
flag data: 6160A910 00 00 00 00 ; records whether the password was accepted
; The 23 bytes at 6156DBA5..6156DBBB that the hook overwrites (and that the
; trampoline replays from 615C5BDA):
需要挂钩位置的数据: 8B B6 80 00 00 00 8B 08 8B 51 18 53 56 53 57 50 FF D2 85 C0 8B 45 F0
6156DBA5 |8BB6 80000000   mov esi, dword ptr [esi+80]
6156DBAB |8B08            mov ecx, dword ptr [eax]
6156DBAD |8B51 18         mov edx, dword ptr [ecx+18]
6156DBB0 |53              push ebx
6156DBB1 |56              push esi
6156DBB2 |53              push ebx
6156DBB3 |57              push edi
6156DBB4 |50              push eax
6156DBB5 |FFD2            call edx
然后改成这样了
; Patched hook site: pushad + jmp fill exactly the 6 bytes of the original
; mov esi,[esi+80]; the rest up to 6156DBBB is nopped and replayed by the
; trampoline, which jumps back to 6156DBBC.
6156DBA3 . /7C 57         jl short 6156DBFC               ; key jump on the group-send path (taken = not sent)
6156DBA5 . |60            pushad
6156DBA6 . |E9 F67F0500   jmp 615C5BA1
6156DBAB |90              nop
........
; Dialog procedure: DLGPROC(hWnd=[ebp+8], msg=[ebp+C], wParam=[ebp+10],
; lParam=[ebp+14]), stdcall, returns via retn 10.
615C5B00 /. 55            push ebp
615C5B01 |. 8BEC          mov ebp, esp
615C5B03 |. 56            push esi
615C5B04 |. 57            push edi
615C5B05 |. 53            push ebx
615C5B06 |. 817D 0C 11010>cmp dword ptr [ebp+C], 111     ; WM_COMMAND?
615C5B0D |. 75 68         jnz short 615C5B77
615C5B0F |. 8B45 10       mov eax, dword ptr [ebp+10]
615C5B12 |. 66:3D EA03    cmp ax, 3EA                     ; LOWORD(wParam) == button id 3EA?
615C5B16 |. 75 7D         jnz short 615C5B95
615C5B18 |. 68 00010000   push 100                        ; /Count = 100 (256.)
615C5B1D |. 68 20A96061   push 6160A920                   ; |Buffer = ChatFram.6160A920
615C5B22 |. 68 E9030000   push 3E9                        ; |ControlID = 3E9 (1001.)
615C5B27 |. FF75 08       push dword ptr [ebp+8]          ; |hWnd
615C5B2A |. E8 2F557A16   call USER32.GetDlgItemTextA     ; \GetDlgItemTextA
; NOTE(review): only the first dword of the input is compared (69726F77 =
; "wori" little-endian): any text beginning with those four characters passes,
; and the expected value sits in plaintext in the patched DLL, readable with
; the same debugger used here.
615C5B2F |. 813D 20A96061>cmp dword ptr [6160A920], 69726F77
615C5B39 |. 74 26         je short 615C5B61
615C5B3B |. 6A 00         push 0                          ; /Style = MB_OK|MB_APPLMODAL
615C5B3D |. 6A 00         push 0                          ; |Title = NULL
615C5B3F |. 68 A03B6061   push 61603BA0                   ; |Text = GBK "密码不正确!" (szmsg)
615C5B44 |. 6A 00         push 0                          ; |hOwner = NULL
615C5B46 |. E8 9FAC7816   call USER32.MessageBoxA         ; \MessageBoxA
615C5B4B |. C705 10A96061>mov dword ptr [6160A910], 0     ; flag = rejected
615C5B55 |. 90            nop
615C5B56 |. 90            nop
615C5B57 |. 90            nop
615C5B58 |. 90            nop
615C5B59 |. 90            nop
615C5B5A |. 90            nop
615C5B5B |. 90            nop
615C5B5C |. 90            nop
615C5B5D |. 90            nop
615C5B5E |. 90            nop
615C5B5F |. EB 14         jmp short 615C5B75
615C5B61 |> C705 10A96061>mov dword ptr [6160A910], 1     ; flag = accepted
615C5B6B |. 6A 00         push 0                          ; /Result = 0
615C5B6D |. FF75 08       push dword ptr [ebp+8]          ; |hWnd
615C5B70 |. E8 D9EE7516   call USER32.EndDialog           ; \EndDialog
615C5B75 |> EB 1E         jmp short 615C5B95
615C5B77 |> 837D 0C 10    cmp dword ptr [ebp+C], 10       ; WM_CLOSE?
615C5B7B |. 75 0C         jnz short 615C5B89
615C5B7D |. 6A 00         push 0                          ; /Result = 0
615C5B7F |. FF75 08       push dword ptr [ebp+8]          ; |hWnd
615C5B82 |. E8 C7EE7516   call USER32.EndDialog           ; \EndDialog (flag left unchanged -- see note at 6160A910)
615C5B87 |. EB 0C         jmp short 615C5B95
615C5B89 |> B8 00000000   mov eax, 0                      ; any other message: not handled
615C5B8E |. 5B            pop ebx
615C5B8F |. 5F            pop edi
615C5B90 |. 5E            pop esi
615C5B91 |. C9            leave
615C5B92 |. C2 1000       retn 10
615C5B95 |> B8 01000000   mov eax, 1                      ; handled
615C5B9A |. 5B            pop ebx
615C5B9B |. 5F            pop edi
615C5B9C |. 5E            pop esi
615C5B9D |. C9            leave
615C5B9E \. C2 1000       retn 10
; Trampoline, entered from 6156DBA6 with every register saved by pushad.
615C5BA1 > E8 00000000    call 615C5BA6                   ; pushes EIP (615C5BA6)
615C5BA6 $ 812C24 A61040>sub dword ptr [esp], 4010A6      ; [esp] = 615C5BA6 - 4010A6 = 611C4B00
615C5BAD . 5E             pop esi
615C5BAE . 6A 00          push 0                          ; /lParam = NULL
615C5BB0 . 68 00104000    push 401000                     ; |DlgProc = LOADDLL.00401000
615C5BB5 . 013424         add dword ptr [esp], esi        ; | -> 401000 + 611C4B00 = 615C5B00, the dialog proc above
615C5BB8 . 6A 00          push 0                          ; |hOwner = NULL
615C5BBA . 68 003B6061    push 61603B00                   ; |pTemplate = ChatFram.61603B00
615C5BBF . 6A 00          push 0                          ; |/pModule = NULL
615C5BC1 . E8 6B5B241B    call kernel32.GetModuleHandleA  ; |\GetModuleHandleA
615C5BC6 . 50             push eax                        ; |hInst (handle of the host EXE)
615C5BC7 . E8 B1117916    call USER32.DialogBoxIndirectParamA ; \DialogBoxIndirectParamA (modal; returns after EndDialog)
615C5BCC . 61             popad
615C5BCD . 833D 10A96061>cmp dword ptr [6160A910], 0      ; flag still 0 -> skip the send
615C5BD4 .^ 0F84 2280FAFF je 6156DBFC                     ; same target as the original jl at 6156DBA3
615C5BDA . 8BB6 80000000  mov esi, dword ptr [esi+80]     ; replay of the overwritten 6156DBA5..6156DBBB
615C5BE0 . 8B08           mov ecx, dword ptr [eax]
615C5BE2 . 8B51 18        mov edx, dword ptr [ecx+18]
615C5BE5 . 53             push ebx
615C5BE6 . 56             push esi
615C5BE7 . 53             push ebx
615C5BE8 . 57             push edi
615C5BE9 . 50             push eax
615C5BEA . FFD2           call edx
615C5BEC . 85C0           test eax, eax
615C5BEE . 8B45 F0        mov eax, dword ptr [ebp-10]
615C5BF1 .^ E9 C67FFAFF   jmp 6156DBBC                    ; resume right after the nopped range
然后保存文件 ,可能要分两次保存,分别保存代码段(code)的和数据段(data)的