请救救我啊，急
;本程序部分由YM注释;;;;;;;;;;;;;;;;;;;其他的部分请高手帮YM注释
;-----------------------------------------------------------------------
; Syntax: MASM (Intel operand order), 32-bit flat model, Win32 stdcall
; calls.  Annotated in English; the original Chinese notes are folded in.
;
; What this listing does, as an analyst would describe it:
;   1. `_start` finds its own load address with a call/pop and takes the
;      return address left on the stack by its caller as a hint for the
;      region where KERNEL32 is mapped.
;   2. `search_api_addr` walks memory upward in 64 KB steps looking for an
;      'MZ'/'PE' image whose export-directory name begins with "KERNEL32",
;      with a temporary SEH frame so that touching an unmapped page resumes
;      the scan at the next step instead of crashing.
;   3. `find_all_exportfunc` walks that module's export directory, hashes
;      every exported name with `calc_hash16` and writes the address of each
;      wanted export into the DD slots after the hash table
;      (`addrLoadLibraryA`, `addrExitProcess`).
;   The 16-bit name hashes in the table are computed at assembly time by the
;   HASH16 macro with the same algorithm `calc_hash16` runs at runtime.
;
; Review note: the MZ/PE probe, the [ebx+3Ch] -> [eax+78h] export-directory
;   walk, the 16-bit name-hash table and the code-resident SEH handler that
;   swallows every fault are the features a reverse engineer or detection
;   author would key on when classifying this pattern.
;-----------------------------------------------------------------------
.386p
.model flat
extrn MessageBoxA: proc             ; resolved by the linker (import); the other
                                    ;   two APIs are resolved at runtime instead
HASH16FACTOR = 1985926h             ; CRC polynomial.  Any value works as long as
                                    ;   the HASH16 macro and calc_hash16 use the
                                    ;   same one (both reference this symbol)

; HASH16 <String>,sym
;   Assembly-time version of calc_hash16: emits `sym DW hash16(String)`.
;   Computes the same value as calc_hash16 (this is the table-style
;   formulation of the same reflected CRC: per byte, crc = (crc >> 8) XOR
;   f(low byte), where f() is the 8-round shift/xor below), truncated to
;   16 bits.
HASH16 MACRO String,sym
HASH_Reg = 0FFFFFFFFh               ; same initial value as edx in calc_hash16
IRPC _x, <String>                   ; for each character of String
Ctrl_Byte = ('&_x&' XOR (HASH_Reg AND 0FFh))      ; = `xor dl, al`
HASH_Reg = (HASH_Reg SHR 8)
REPT 8                              ; eight shift/xor rounds per byte
Ctrl_Byte = (Ctrl_Byte SHR 1) XOR (HASH16FACTOR * (Ctrl_Byte AND 1))
ENDM
HASH_Reg = (HASH_Reg XOR Ctrl_Byte)
ENDM
sym DW (HASH_Reg AND 0FFFFh)        ; only the low 16 bits are stored and compared
ENDM

.data
cap db 'Haha',0                     ; used as both text and caption of the message box

.code
;-----------------------------------------------------------------------
; _start — entry point.  Locates itself, resolves the two KERNEL32 exports
; through search_api_addr, shows a message box and calls ExitProcess.
; The stack is not kept balanced (see the LoadLibraryA note below); that
; is harmless only because ExitProcess never returns.
;-----------------------------------------------------------------------
_start:
        call    _start_ip_0         ; call/pop: runtime address of _start_ip_0
_start_ip_0:                        ;   lands in ebp
_start_ip equ k32_hash_table        ; every [ebp+X-_start_ip] below is X relative
                                    ;   to the hash table, whose address ebp holds
        pop     ebp
        add     ebp,k32_hash_table-_start_ip_0   ; ebp = runtime &k32_hash_table
        mov     ebx,[esp]           ; ebx = return address of _start's caller,
                                    ;   used as a hint for where KERNEL32 lives
                                    ;   (presumably the thread-start stub — confirm)
        cmp     ebx,80000000h       ; original note: "is this WinNT?" — the flags
                                    ;   of this cmp are never tested; the `and`
                                    ;   below overwrites them, so the check is dead
        lea     edi,[ebp+k32_hash_table-8-_start_ip]  ; edi = &'KERNEL32' (the 8
                                    ;   bytes that precede the hash table)
        and     ebx,077E80000h      ; mask the hint down to a 64 KB-granular start
                                    ;   address; 77E80000h is presumably the
                                    ;   expected KERNEL32 base of the era — TODO confirm
        call    search_api_addr     ; fills addrLoadLibraryA / addrExitProcess
        call    [ebp+addrLoadLibraryA-_start_ip]
                                    ; NOTE(review): no argument is pushed for this
                                    ;   stdcall — LoadLibraryA receives whatever is
                                    ;   at [esp] (the caller's return address) as
                                    ;   its lpLibFileName and pops it; looks like a
                                    ;   leftover smoke test that "did it resolve?"
        push    0                   ; uType = MB_OK
        push    offset cap          ; lpCaption (absolute address — not position
        push    offset cap          ; lpText     independent, fine for a linked .exe)
        push    0                   ; hWnd = NULL
        call    MessageBoxA         ; through the import, not the hash lookup
        push    large 0             ; uExitCode = 0
        call    [ebp+addrExitProcess-_start_ip]   ; never returns

;-----------------------------------------------------------------------
; Lookup table consumed by search_api_addr / find_all_exportfunc.
; Layout (order matters; the code addresses it relatively):
;   db 'KERNEL32'      8 bytes: the leading 8 chars of the export-directory
;                      module name to look for
;   k32_hash_table     one DW hash16 per wanted export, terminated by DW 0
;   k32_hash_addr      one DD per wanted export, in the same order as the
;                      hashes, filled in at runtime
;-----------------------------------------------------------------------
        db      'KERNEL32'
k32_hash_table equ this word
        HASH16  <LoadLibraryA>,hsLoadLibraryA
        HASH16  <ExitProcess>,hsExitProcess
        dw      0                   ; terminator; find_all_exportfunc scans for it
k32_hash_addr equ this dword
addrLoadLibraryA dd 0
addrExitProcess  dd 0

;-----------------------------------------------------------------------
; search_api_addr
; In:   ebx = address to start scanning from
;       edi -> 8-byte DLL name followed by the hash table (layout above)
; Out:  the DD slots after the hash table hold the resolved addresses
; Preserves every register and the flags (pushad/pushfd).
; Scans upward in 64 KB steps for an MZ/PE image whose export-directory
; Name begins with the 8 bytes at [edi].  A fault while probing (unmapped
; page) is caught by the SEH frame installed here, whose handler resumes
; execution at search_api_addr_@1, i.e. the next 64 KB step.
;-----------------------------------------------------------------------
search_api_addr:
        pushad                      ; save all registers
        pushfd                      ; save flags (find_all_exportfunc may return
                                    ;   with DF=1; popfd undoes that)
        call    search_api_addr_ip
search_api_addr_ip:
        pop     ebp                 ; ebp = runtime address of search_api_addr_ip
        push    ebp                 ; kept on the stack; discarded in the restore path
        lea     eax,[ebp+search_api_addr_seh-search_api_addr_ip]  ; eax = &handler
        push    eax                 ; EXCEPTION_REGISTRATION.Handler
        xor     ecx,ecx             ; ecx = 0 — fs:[0] is the head of the SEH chain
        push    dword ptr fs:[ecx]  ; EXCEPTION_REGISTRATION.Next = previous head
        mov     fs:[ecx],esp        ; install this frame as the new head
        sub     ebx,10000h          ; pre-decrement so the loop body can add first
search_api_addr_@1:
        add     ebx,10000h          ; next 64 KB candidate base (also the SEH
                                    ;   resume point after a faulting probe)
; Original note: ntoskrnl can be rebased, and it is not certain it can be
; found, so do not search too high an address, to avoid a blue screen.
        cmp     ebx,80500000h
        ja      short search_api_addr_seh_restore   ; past the upper bound: give up
        cmp     word ptr [ebx],'ZM' ; IMAGE_DOS_HEADER.e_magic == "MZ" ?
        jnz     short search_api_addr_@1            ; no: next 64 KB block
        mov     eax,[ebx+3ch]       ; e_lfanew
        add     eax,ebx             ; eax -> IMAGE_NT_HEADERS
        cmp     word ptr [eax],'EP' ; Signature == "PE" ?
        jnz     short search_api_addr_@1
        mov     eax,[eax+78h]       ; OptionalHeader.DataDirectory[EXPORT].VirtualAddress
        add     eax,ebx             ; eax -> IMAGE_EXPORT_DIRECTORY
        mov     edx,[eax+3*4]       ; IMAGE_EXPORT_DIRECTORY.Name (RVA) — the module's
        add     edx,ebx             ;   own name string, not a function name
        mov     ecx,[edi]           ; first 4 bytes of the wanted name ("KERN")
        cmp     dword ptr [edx],ecx
        jnz     short search_api_addr_@1            ; some other module: keep scanning
        mov     ecx,[edi+4]         ; next 4 bytes ("EL32")
        cmp     dword ptr [edx+4],ecx
        jnz     short search_api_addr_@1
search_api_addr_seh_restore:
        xor     ecx,ecx
        POP     DWord Ptr FS:[ecx]  ; unlink our frame: restore the previous chain head
        pop     esi                 ; discard the pushed handler address
        pop     esi                 ; discard the pushed ebp copy
        add     edi,8               ; edi -> hash table (skip the 8-byte DLL name)
        or      ebx,ebx
        jz      short search_api_addr_ret   ; ebx == 0: nothing to resolve
                                    ; NOTE(review): on the paths shown ebx is never 0
                                    ;   here (the give-up path leaves it above
                                    ;   80500000h), so this guard looks dead — confirm
        call    find_all_exportfunc ; resolve every entry of the hash table
search_api_addr_ret:
        popfd                       ; restore flags
        popad                       ; restore registers
        retn

;-----------------------------------------------------------------------
; search_api_addr_seh — the exception handler installed above.
; Invoked by the OS dispatcher as
;   handler(ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext)
; It never inspects the exception: every fault is answered by setting
; CONTEXT.Eip to search_api_addr_@1 and returning 0
; (ExceptionContinueExecution), so the scan simply continues at the next
; 64 KB step.
;-----------------------------------------------------------------------
search_api_addr_seh:
        call    search_api_addr_seh_ip
search_api_addr_seh_ip:
        pop     eax                 ; eax = runtime address of search_api_addr_seh_ip
        lea     eax,[eax-(search_api_addr_seh_ip-search_api_addr_@1)]
                                    ; eax = runtime address of search_api_addr_@1
seh_cont:
        PUSH    eax                 ; resume address
        MOV     EAX,[ESP + 00Ch+4]  ; eax = ContextRecord (3rd argument; +4 because
                                    ;   of the push just above)
        POP     DWord Ptr [EAX + 0B8h]   ; CONTEXT.Eip (offset 0B8h) = resume address
        XOR     EAX,EAX             ; return 0 = ExceptionContinueExecution
        RET
search_api_addr_end:

;-----------------------------------------------------------------------
; find_all_exportfunc
; In:   eax -> IMAGE_EXPORT_DIRECTORY of the found module
;       ebx =  module base
;       edi -> hash table: N x DW hash16, DW 0, then N x DD output slots
;       ecx =  0 (guaranteed by the caller's `xor ecx,ecx`)
; Out:  output slot i = VA of the export whose name hashes to hash i;
;       slots whose hash matches no export stay 0
; Clobbers eax, ecx, edx, esi and the flags; may return with DF=1 (the
;       caller's popfd restores it).
; Stack bookkeeping (referenced below): [A] = N, the length of every
;       backward scan; [B] = number of entries still unresolved.
;-----------------------------------------------------------------------
find_all_exportfunc:
        cld
        dec     ecx                 ; ecx = 0FFFFFFFFh: "unbounded" count for the scan
        push    eax                 ; save the export-directory pointer
        xor     eax,eax             ; ax = 0 = table terminator
        repnz   scasw               ; edi -> just past the DW 0 (= first DD slot);
                                    ;   ecx = -1 - (N+1)
        not     ecx                 ; ecx = N+1
        dec     ecx                 ; ecx = N = number of hashes in the table
        push    ecx
        push    edi
        rep     stosd               ; zero the N DD output slots
        pop     edi                 ; edi -> first DD slot again
        sub     edi,4               ; edi -> last DW hash (the DD slots start 2 bytes
                                    ;   after the last hash, i.e. after the DW 0)
        pop     ecx                 ; ecx = N
        pop     eax                 ; eax -> IMAGE_EXPORT_DIRECTORY

        mov     esi,[eax+8*4]       ; AddressOfNames (RVA)
        add     esi,ebx             ; esi -> array of name RVAs
        mov     esi,[esi]           ; RVA of the first name
        add     esi,ebx             ; esi -> first exported name (ASCIIZ)
                                    ; NOTE(review): the name-RVA array is read only
                                    ;   once; later names are reached by letting
                                    ;   calc_hash16 run esi past each NUL, which
                                    ;   assumes the name strings are stored
                                    ;   back-to-back in array order
        xor     edx,edx             ; edx = index into the name array
        push    ecx                 ; [A] = N

find_exportfunc:
        push    ecx                 ; [B] = entries still unresolved
find_exportfunc_1:
        cmp     edx,[eax+6*4]       ; visited all NumberOfNames names?
        pop     ecx                 ; ecx = [B]
        jz      short find_exportfunc_ret
        push    ecx                 ; [B] back on the stack
        inc     edx                 ; edx = 1-based index of the name hashed next
        push    eax                 ; calc_hash16 returns its result in eax
        call    calc_hash16         ; ax = hash16(name at esi); esi -> next name
        push    edi
        std                         ; scan the hash table backwards from its last entry
        mov     ecx,[esp+3*4]       ; ecx = [A] = N   (stack: edi, eax, [B], [A])
        repnz   scasw               ; is ax one of the N hashes?
        pop     edi                 ; edi -> last hash again
        pop     eax                 ; eax -> IMAGE_EXPORT_DIRECTORY
        jnz     short find_exportfunc_1   ; no table entry wants this export: next name

        ; match: scanning backwards from index N-1 leaves ecx equal to the
        ; table index of the hit, so ecx selects the output slot below
        push    edx
        dec     edx                 ; edx = 0-based name index
        push    edi
        mov     edi,[eax+9*4]       ; AddressOfNameOrdinals (RVA)
        add     edi,ebx             ; edi -> ordinal array
        movzx   edx,word ptr [edi+edx*2]  ; edx = ordinal = index into the function table
        mov     edi,[eax+7*4]       ; AddressOfFunctions (RVA)
        add     edi,ebx             ; edi -> function RVA array
        mov     edx,[edi+edx*4]     ; function RVA
        add     edx,ebx             ; edx = function VA
        pop     edi                 ; edi -> last hash = &slot[0] - 4
        mov     [edi+ecx*4+4],edx   ; slot[ecx] = VA
        pop     edx                 ; restore the 1-based name index
        pop     ecx                 ; ecx = [B]
        loop    find_exportfunc     ; one fewer entry to resolve; fall through when
                                    ;   every entry has been resolved

find_exportfunc_ret:
        pop     ecx                 ; drop [A]
        retn
find_exportfunc_end:

;-----------------------------------------------------------------------
; calc_hash16
; In:   esi -> ASCIIZ string
; Out:  eax = 32-bit CRC value; the caller uses only ax as the 16-bit hash
;       esi -> byte after the terminating NUL (the next string)
;       DF = 0
; Preserves edx.  Clobbers eax (the caller's eax is NOT preserved — callers
; push/pop it around the call) and the flags.
; Algorithm: reflected CRC, initial value 0FFFFFFFFh, polynomial
; HASH16FACTOR, no final xor — the same computation the HASH16 macro
; performs at assembly time.  That is why the original note says the
; constant "can be anything": the table and the runtime hash always agree
; because both are derived from the same symbol.
;-----------------------------------------------------------------------
calc_hash16:
        push    edx
        push    0ffffffffh
        pop     edx                 ; edx = 0FFFFFFFFh (3-byte form of mov edx,-1)
        cld                         ; lodsb must walk forward
load_character:
        lodsb                       ; al = next byte; esi++
        or      al, al
        jz      exit_calc_crc       ; NUL: done (esi already points past it)
        xor     dl, al              ; fold the byte into the low byte of the CRC
        mov     al, 8               ; 8 bit-rounds per byte
crc_byte:
        shr     edx, 1              ; CF = the bit shifted out
        jnc     loop_crc_byte
        xor     edx, HASH16FACTOR   ; bit was 1: xor in the polynomial
                                    ;   (original question: "this value can be filled
                                    ;   in arbitrarily" — yes, see the header)
loop_crc_byte:
        dec     al
        jnz     crc_byte
        jmp     load_character
exit_calc_crc:
        xchg    edx, eax            ; eax = hash; the old eax lands in edx and is
        pop     edx                 ;   thrown away here as edx is restored
        ret
calc_hash16_end:

end _start
发布于:2003-03-31 11:28
去俺们论坛问吧,这里人少
我可没空 http://bbs.logincom.com/bbs/cgi-bin/leoboard.cgi