Views: 1504  Replies: 6
A question about the win32wlk example in the book Windows 95 System Programming Secrets
The win32wlk example no longer works under ME: the process database address simply cannot be found. Is it that the method for obtaining the obsfucator is wrong?? Or has the XOR algorithm between it and the obsfucator changed??? Does anyone know??? Experts, please help~
Reply #1
Posted on: 2001-10-03 18:19
The method for obtaining the obsfucator is wrong; the method he gives only works under 95.
It doesn't work under 98 first edition or second edition. Because I needed it, I worked out the obsfucator for 98 first edition and second edition; the ME one you'll have to research yourself. There is code here: http://www.csdn.net/expert/topic/189/189045.shtm
Reply #2
Posted on: 2001-10-12 02:28
Found the one for WinME.
Reply #3
Posted on: 2001-10-12 02:38
How do I award points for a post?
Reply #4
Posted on: 2004-03-07 23:28
Although this is a bit dated, I now need to understand the method for obtaining the obsfucator. How is it done under 98 first edition and second edition? That link doesn't seem to open any more; please help!
Reply #5
Posted on: 2004-03-08 11:19
9X doesn't have long left; 9X-only techniques, VxDs included, aren't worth much research, so I'd advise you to move on soon. The OSFUSCATE method in that book was wrong to begin with.
.586P
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
UNICODE = FALSE

.data
xEsp     dword ?
pentry32 processentry32 <>
place    sign 11 dup (?)

.code
text hex2str,       </##x/0>
text getcpidstack,  <obsfucator via getcurrentprocessid and stack/0>
text getcpidkernel, <obsfucator via getcurrentprocessid and kernel/0>
text getctidstack,  <obsfucator via getcurrentthreadid and stack/0>
text getctidkernel, <obsfucator via getcurrentthreadid and kernel/0>
text th32,          <obsfucator from toolhelp32/0>
titles dword getcpidstack, getcpidkernel, getctidstack, getctidkernel,\
             th32

primarythread:
    movzx   eax, ds
    sub     ecx, ecx
    test    al, 100b                ;user 32bit tasks have ldt selectors in 9x
    jz      notin9x
    assume  fs:nothing
    push    offset SEH              ;build xframe (see infos\sehall.zip)
    push    fs:[ecx]
    mov     fs:[ecx], esp
    mov     xEsp, esp
    mov     edi, ecx                ;edi indexes the titles table
;-------------------------------------------
    imov    ebx, getcurrentprocessid ;ebx = function address (mirrors the thread-id section; [ebx+1] below needs it)
    swin32  ebx
    xor     eax, [esp-8]            ;bad because it reads from esp-??
    swin32  displayobsfucateur
;-------------------------------------------
    swin32  ebx                     ;this method is used in atm, apihooks, ..
    mov     ecx, [ebx+1]            ;imm32 of the leading mov eax,[pCurrentProcess]
    mov     edx, [ecx]
    xor     eax, [edx]              ;bad because it reads from kernel space
    swin32  displayobsfucateur
;-------------------------------------------
    imov    ebx, getcurrentthreadid
    swin32  ebx
    xor     eax, [esp-8]            ;bad because it reads from esp-??
    swin32  displayobsfucateur
;-------------------------------------------
    swin32  ebx
    mov     ecx, [ebx+1]
    mov     edx, [ecx]
    xor     eax, [edx]              ;bad because it reads from kernel space
    swin32  displayobsfucateur
;-------------------------------------------
    mov     esi, offset pentry32
    assume  esi:ptr processentry32
    iwin32  createtoolhelp32snapshot, th32cs_snapprocess, 0
    mov     ebx, eax
    mov     [esi].dwsize, sizeof processentry32
    inc     eax                     ;INVALID_HANDLE_VALUE (-1) becomes 0
    je      th32failed
    iwin32  process32first, ebx, esi
    push    eax
    iwin32  closehandle, ebx
    pop     eax
    test    eax, eax
    je      th32failed
    mov     eax, [esi].th32parentprocessid ; or th32moduleid
    swin32  displayobsfucateur
;-------------------------------------------
th32failed:
smoothend:
    pop     fs:[0]                  ;remove xframe
    pop     ecx                     ;remove xframe
notin9x:
    iwin32  exitprocess, eax

SEH PROC C pExcept:DWORD, pFrame:DWORD, pContext:DWORD, pDispatch:DWORD
    assume  edi:ptr CONTEXT
    assume  esi:ptr EXCEPTION_RECORD
    mov     esi, pExcept
    mov     edi, pContext
    test    dword ptr [esi+4], 1    ;Exception flags
    jnz     @f
    test    dword ptr [esi+4], 6
    jnz     @f
    mov     eax, xEsp
    mov     [edi].regEsp, eax       ;restore ESP
    mov     [edi].regEip, offset smoothend ; xor eax,eax
    mov     [edi].regEax, eax
    ret
@@:
    mov     eax, 1
    ret
SEH ENDP

displayobsfucateur:
    icwin32i wsprintf, offset place, shex2str, eax
    iwin32i  messagebox, null, offset place, titles[edi*4], mb_iconinformation
    inc     edi
    ret

end primarythread

:translate
@echo off
ml /c /coff /nologo obsfucator.bat
link3 obsfucator /ignore:4078,4060 /nologo /stub:pestub.exe /subsystem:windows /merge:.idata=.text
del obsfucator.obj
pause
cls
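Added example, not code from this thread or from the book: a portable C model of the second ("kernel") method in the assembly above, run on constructed bytes so it compiles and runs anywhere. It assumes the Win95 shape of GetCurrentProcessId that the `mov ecx,[ebx+1]` read relies on (mov eax,[pCurrentProcess] / xor eax,[obsfucator] / ret); the addresses, pointer and obsfucator value are constructed, and the opcode check is the one the posted code omits, which matters because the thread's own complaint is that the prologue no longer matched on 98/ME.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed values standing in for the real Win9x ones (not from the thread). */
#define FAKE_VAR_ADDR   0xBFF8A000u  /* where kernel32 keeps pCurrentProcess  */
#define FAKE_PDB_PTR    0xC1A80000u  /* real process database pointer         */
#define FAKE_OBSFUCATOR 0x5BF3A000u  /* kernel XOR value the thread is after  */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The post's "mov ecx,[ebx+1]" assumes the function starts with
 * A1 imm32 (mov eax,[imm32]). Return that imm32, or 0 if the first
 * opcode is something else, so a changed prologue is not dereferenced. */
uint32_t pdb_var_from_prologue(const uint8_t *code, size_t len) {
    if (len < 5 || code[0] != 0xA1) return 0;
    return read_le32(code + 1);
}

/* Stand-in for "mov edx,[ecx]": the fake memory holds only that one variable. */
static int fake_read_dword(uint32_t addr, uint32_t *out) {
    if (addr != FAKE_VAR_ADDR) return 0;
    *out = FAKE_PDB_PTR;
    return 1;
}

/* PID = pdb ^ obsfucator on 9x, so pid ^ pdb gives the obsfucator back.
 * Returns 0 when the prologue or the read was rejected. */
uint32_t recover_obsfucator(const uint8_t *code, size_t len, uint32_t pid) {
    uint32_t var = pdb_var_from_prologue(code, len), pdb;
    if (var == 0 || !fake_read_dword(var, &pdb)) return 0;
    return pid ^ pdb;
}

/* Constructed prologues: the 95-style one the trick expects
 * (mov eax,[BFF8A000h] / xor eax,[BFF8A004h] / ret), and one that starts
 * with a frame setup instead, which must be rejected rather than read. */
const uint8_t PROLOGUE_95[]    = {0xA1,0x00,0xA0,0xF8,0xBF, 0x33,0x05,0x04,0xA0,0xF8,0xBF, 0xC3};
const uint8_t PROLOGUE_OTHER[] = {0x55,0x8B,0xEC, 0xA1,0x00,0xA0,0xF8,0xBF};

int main(void) {
    uint32_t pid = FAKE_PDB_PTR ^ FAKE_OBSFUCATOR;  /* what GetCurrentProcessId would return */
    printf("95 prologue : obsfucator = %08X\n", (unsigned)recover_obsfucator(PROLOGUE_95, sizeof PROLOGUE_95, pid));
    printf("other shape : %08X (0 = rejected)\n", (unsigned)recover_obsfucator(PROLOGUE_OTHER, sizeof PROLOGUE_OTHER, pid));
    return 0;
}
```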
Reply #6
Posted on: 2004-03-08 21:12
Thanks. I have a project to do now that involves Win98, which is why. But I can't really read assembly; is there a version written in VC? Thanks!!! :D