A startup patch for a program
TUNet is a client program used at my school. It implements two protocols, port authentication and gateway authentication; I won't say much about the protocol side. Many classmates have complained that it has no auto-start-on-boot feature, so today I want to describe a startup patch I made for it. It was also a hands-on exercise in MFC.
Now add a configuration file to the program's folder:
peansen.ini
with the following contents:
[patch]
AUTORUN=1
Checking the import table shows that we also need an import entry for GetPrivateProfileIntA, so add one (there are many ways to do this; a tool will do).
First, let me describe the overall layout of the program:
->Section Header Table
1. item:
Name: .text
VirtualSize: 0x0002E506
VirtualAddress: 0x00001000
SizeOfRawData: 0x0002F000
PointerToRawData: 0x00001000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0x60000020
(CODE, EXECUTE, READ)
2. item:
Name: .rdata
VirtualSize: 0x0000AA40
VirtualAddress: 0x00030000
SizeOfRawData: 0x0000B000
PointerToRawData: 0x00030000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
3. item:
Name: .data
VirtualSize: 0x0000ED04
VirtualAddress: 0x0003B000
SizeOfRawData: 0x00007000
PointerToRawData: 0x0003B000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
4. item:
Name: .rsrc
VirtualSize: 0x00066C40
VirtualAddress: 0x0004A000
SizeOfRawData: 0x00067000
PointerToRawData: 0x00042000
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0x40000040
(INITIALIZED_DATA, READ)
5. item:
Name: .gda
VirtualSize: 0x00001000
VirtualAddress: 0x000B1000
SizeOfRawData: 0x00001000
PointerToRawData: 0x000A9000
PointerToRelocations: 0xFFF9F2FD
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE0000020
(CODE, EXECUTE, READ, WRITE)
First add a checkbox to the dialog, id=0x5210.
Then find its message-handling loop. Many edit controls in that dialog need initialising, so I piggy-back on the initialisation of one of them to initialise my checkbox at the same time. From the section layout we can find plenty of empty space in the program: file offsets 0x2f510 to 0x30000 are all blank, so we put some read-only strings there. Starting at 0x2f900 we place the following strings:
2E5C5C5045414E53454E2E696E690000706174636800000000000000000000004155544F52554E000000000000000000534F4654574152455C5C4D6963726F736F66745C5C57696E646F77735C5C43757272656E7456657273696F6E5C5C52756E0000000000000054554E455400000000310030000000000000000000000000 (these are hexadecimal values)
They are, in order: .\\PEANSEN.ini
patch
AUTORUN
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
TUNET
1 and 0; just match them up against the hex values above.
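As an added example (not the post's own code), the following Python maps the file offsets used above to virtual addresses with the section table listed earlier, checks that the cave lies in the on-disk slack of .text past VirtualSize (the same test a defender can run to spot code written into section padding), and decodes the string blob into the addresses the disassembly later references. ImageBase 0x400000 is assumed from the 0x0042xxxx addresses in the listings.

```python
# Added example, not from the original post. ImageBase 0x400000 is assumed.
IMAGE_BASE = 0x400000
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) as listed in the post.
SECTIONS = [
    (".text",  0x00001000, 0x0002E506, 0x00001000, 0x0002F000),
    (".rdata", 0x00030000, 0x0000AA40, 0x00030000, 0x0000B000),
    (".data",  0x0003B000, 0x0000ED04, 0x0003B000, 0x00007000),
    (".rsrc",  0x0004A000, 0x00066C40, 0x00042000, 0x00067000),
    (".gda",   0x000B1000, 0x00001000, 0x000A9000, 0x00001000),
]

def section_for_offset(off):
    """Section whose raw data on disk contains the file offset."""
    for sec in SECTIONS:
        if sec[3] <= off < sec[3] + sec[4]:
            return sec
    raise ValueError("file offset %#x is outside every section" % off)

def file_offset_to_va(off):
    """ImageBase + section RVA + distance into the section's raw data."""
    _, rva, _, raw, _ = section_for_offset(off)
    return IMAGE_BASE + rva + (off - raw)

def in_slack(off):
    """True when the offset is on disk but beyond VirtualSize: padding that never
    held code, which is where this patch was written and what a scanner can flag."""
    _, _, vsize, raw, rawsize = section_for_offset(off)
    return raw + vsize <= off < raw + rawsize

# The string blob from the post, placed at file offset 0x2F900 (trailing padding is
# irrelevant). Note the doubled 5C 5C backslashes: the C-escaped form was stored literally.
STRINGS_FILE_OFFSET = 0x2F900
STRINGS_HEX = (
    "2E5C5C5045414E53454E2E696E690000" "70617463680000000000000000000000"
    "4155544F52554E000000000000000000"
    "534F4654574152455C5C4D6963726F736F66745C5C57696E646F77735C5C"
    "43757272656E7456657273696F6E5C5C52756E00000000000000"
    "54554E4554000000003100300000000000000000000000000000"
)

def decode_string_table(hex_blob, base_off):
    """Split NUL-padded ASCII strings out of the blob, tagging each with its VA."""
    data, table, i = bytes.fromhex(hex_blob), [], 0
    while i < len(data):
        end = data.find(b"\x00", i)
        end = len(data) if end < 0 else end
        if end > i:                            # skip NUL padding between strings
            table.append((file_offset_to_va(base_off + i), data[i:end].decode("ascii")))
        i = end + 1
    return table
```

The decoded table gives exactly the operands the OllyDbg listing below annotates (0x42F900, 0x42F910, 0x42F920, 0x42F930, 0x42F968, 0x42F971, 0x42F973).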
Here is the place to patch: 0x425cd (both initialisation and message handling pass through it). The code is:
B8 5C F0 42 00 mov eax, offset loc_42F05C
.text:00425BF9 E8 3A 2F FF FF call sub_418B38
.text:00425BFE 83 EC 54 sub esp, 54h
.text:00425C01 83 65 F0 00 and dword ptr [ebp-10h], 0
.text:00425C05 53 push ebx
.text:00425C06 8B 5D 08 mov ebx, [ebp+8]
.text:00425C09 56 push esi
.text:00425C0A 57 push edi
.text:00425C0B 81 FB 11 01 00 00 cmp ebx, 111h
.text:00425C11 8B F9 mov edi, ecx
.text:00425C13 75 18 jnz short loc_425C2D
.text:00425C15 FF 75 10 push dword ptr [ebp+10h] ; control handle ------- divert to the patch from here
.text:00425C18 8B 07 mov eax, [edi]
.text:00425C1A FF 75 0C push dword ptr [ebp+0Ch] ; control id
.text:00425C1D FF 50 78 call dword ptr [eax+78h] ; this is where the command handling starts
.text:00425C20 85 C0 test eax, eax
.text:00425C22 0F 84 55 01 00 00 jz loc_425D7D
.text:00425C28 E9 1D 04 00 00 jmp loc_42604A
After patching:
00425C13 . /75 18 jnz short TUNet306.00425C2D
00425C15 . |E9 06990000 jmp TUNet306.0042F520---- jump to our handler area
00425C1A > |FF75 0C push dword ptr ss:[ebp+C]
00425C1D . |FF50 78 call dword ptr ds:[eax+78]
00425C20 . |85C0 test eax,eax
Main code of the patch:
Every return path passes through here: restore the stack, then re-execute the original instructions that were overwritten by the jump above.
0042F510 > /61 popad
0042F511 . |FF7424 10 push dword ptr ss:[esp+10]
0042F515 . |8B07 mov eax,dword ptr ds:[edi]
0042F517 .^|E9 FE66FFFF jmp TUNet306.00425C1A
0042F51C |00 db 00
0042F51D |00 db 00
0042F51E |00 db 00
0042F51F |00 db 00
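The hook jump at 0x425C15 and the return jump at 0x42F517, worked through as an added Python example (not the post's code): it encodes both E9 displacements and generalises the question of how many original bytes must be relocated into the trampoline, which is why the patch replays the 3-byte push and the 2-byte mov rather than cutting an instruction in half. Addresses are those in the listings and ImageBase 0x400000 is assumed.

```python
import struct

# Added example, not from the original post; addresses are those in the listings
# above and ImageBase 0x400000 is assumed.
HOOK_SITE      = 0x00425C15   # push dword ptr [ebp+10h] / mov eax,[edi] start here
PATCH_ENTRY    = 0x0042F520   # the pushad stub in the cave
TRAMPOLINE_JMP = 0x0042F517   # the jmp back at the end of the popad stub
RESUME_AT      = 0x00425C1A   # first original instruction left untouched

def jmp_rel32(src, dst):
    """5-byte near jmp placed at src and landing on dst. The displacement is
    measured from the *next* instruction (src + 5), the usual off-by-five trap."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def displaced_instructions(instr_lengths, hook_len=5):
    """(count, bytes) of whole instructions the hook overwrites. A jmp may not end
    inside an instruction, so whole instructions are taken until hook_len is covered;
    exactly those bytes must be replayed by the trampoline before jumping back."""
    covered = 0
    for count, length in enumerate(instr_lengths, start=1):
        covered += length
        if covered >= hook_len:
            return count, covered
    raise ValueError("not enough instruction bytes to fit the hook")

def build_hook(original, instr_lengths, src, dst):
    """Return (bytes now at the hook site, bytes the trampoline must replay).
    Displaced bytes beyond the jmp are NOP-filled so later instructions stay aligned."""
    _, span = displaced_instructions(instr_lengths)
    jmp = jmp_rel32(src, dst)
    return jmp + b"\x90" * (span - len(jmp)) + original[span:], original[:span]

# Bytes at 0x425C15 from the pre-patch listing and their instruction lengths:
#   FF 75 10 (3)  8B 07 (2)  FF 75 0C (3)  FF 50 78 (3)
ORIGINAL = bytes.fromhex("FF7510" "8B07" "FF750C" "FF5078")
ORIGINAL_LENS = [3, 2, 3, 3]

if __name__ == "__main__":
    site, replay = build_hook(ORIGINAL, ORIGINAL_LENS, HOOK_SITE, PATCH_ENTRY)
    print("hook site:", site.hex(" ").upper())     # E9 06 99 00 00 FF 75 0C FF 50 78
    print("replay   :", replay.hex(" ").upper())   # FF 75 10 8B 07
    print("jmp back :", jmp_rel32(TRAMPOLINE_JMP, RESUME_AT).hex(" ").upper())  # E9 FE 66 FF FF
```

A detour of this kind leaves a jmp in .text that lands in section slack; comparing the on-disk bytes of a function against a clean copy of the binary is the usual way to spot it.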
We jump here from above:
0042F520 > |60 pushad
0042F521 . |8B45 0C mov eax,dword ptr ss:[ebp+C]
0042F524 . |3D 16520004 cmp eax,4005216--- catch the initialisation of control id=0x5216 to initialise our own checkbox
0042F529 . |74 08 je short TUNet306.0042F533
0042F52B . |66:3D 1052 cmp ax,5210---- our own message handler
0042F52F . |74 4F je short TUNet306.0042F580
0042F531 .^ EB DD jmp short TUNet306.0042F510
Initialisation of the checkbox:
0042F533 > |FF75 10 push dword ptr ss:[ebp+10] ; /hWnd
0042F536 . |FF15 E8034300 call dword ptr ds:[<&USER32.GetParent>] ; \GetParent
Because we know the handle of the control with id=0x5216 that we hooked, we use it to obtain the handle of id=0x5210 (with GetParent and GetDlgItem).
0042F53C . |68 10520000 push 5210 ; /ControlID = 5210 (21008.)
0042F541 . |50 push eax ; |hWnd
0042F542 . |FF15 74034300 call dword ptr ds:[<&USER32.GetDlgItem>] ; \GetDlgItem
0042F548 . |50 push eax
0042F549 . |68 00F94200 push TUNet306.0042F900 ; /IniFileName = ".\\PEANSEN.ini"
0042F54E . |6A 00 push 0 ; |Default = 0
0042F550 . |68 20F94200 push TUNet306.0042F920 ; |Key = "AUTORUN"
0042F555 . |68 10F94200 push TUNet306.0042F910 ; |Section = "patch"
0042F55A . |FF15 25204B00 call dword ptr ds:[<&KERNEL32.GetPrivateProfileIntA>] ; \GetPrivateProfileIntA
Read the AUTORUN value from our configuration file, i.e. decide whether the checkbox should start out ticked.
0042F560 . |5B pop ebx
0042F561 . |6A 00 push 0 ; /lParam = 0
0042F563 . |50 push eax ; |wParam
0042F564 . |68 F1000000 push 0F1 ; |Message = BM_SETCHECK
0042F569 . |53 push ebx ; |hWnd
0042F56A . |FF15 28044300 call dword ptr ds:[<&USER32.SendMessageA>] ; \SendMessageA
0042F570 .^ EB 9E jmp short TUNet306.0042F510
0042F572 |00 db 00
0042F573 |00 db 00
0042F574 |00 db 00
0042F575 |00 db 00
0042F576 |00 db 00
0042F577 |00 db 00
0042F578 |00 db 00
0042F579 |00 db 00
0042F57A |00 db 00
0042F57B |00 db 00
0042F57C |00 db 00
0042F57D |00 db 00
0042F57E |00 db 00
0042F57F |00 db 00
0042F580 > |83EC 50 sub esp,50
0042F583 . |68 00F94200 push TUNet306.0042F900 ; /IniFileName = ".\\PEANSEN.ini"
0042F588 . |6A 00 push 0 ; |Default = 0
0042F58A . |68 20F94200 push TUNet306.0042F920 ; |Key = "AUTORUN"
0042F58F . |68 10F94200 push TUNet306.0042F910 ; |Section = "patch"
0042F594 . |FF15 25204B00 call dword ptr ds:[<&KERNEL32.GetPrivateProfileIntA>] ; \GetPrivateProfileIntA
Read the AUTORUN value to decide whether to add an entry under the registry Run key.
To keep things simple here, when auto-start is wanted we write the program's file name into the TUNET value under Run;
when it is not wanted we write an empty (zero) string.
0042F59A . |50 push eax
0042F59B . |8D4424 04 lea eax,dword ptr ss:[esp+4]
0042F59F . |50 push eax ; /pHandle
0042F5A0 . |68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
0042F5A5 . |6A 00 push 0 ; |Reserved = 0
0042F5A7 . |68 30F94200 push TUNet306.0042F930 ; |Subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
0042F5AC . |68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0042F5B1 . |FF15 08004300 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA
0042F5B7 . |83F8 00 cmp eax,0
0042F5BA . |0F85 94000000 jnz TUNet306.0042F654
0042F5C0 . |8D4424 08 lea eax,dword ptr ss:[esp+8]
0042F5C4 . |6A 40 push 40 ; /BufSize = 40 (64.)
0042F5C6 . |50 push eax ; |PathBuffer
0042F5C7 . |6A 00 push 0 ; |hModule = NULL
0042F5C9 . |FF15 5C024300 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
0042F5CF . |58 pop eax
0042F5D0 . |83F8 00 cmp eax,0
0042F5D3 . |74 3E je short TUNet306.0042F613
0042F5D5 . |8D0424 lea eax,dword ptr ss:[esp]
0042F5D8 . |90 nop
0042F5D9 . |6A 40 push 40 ; /BufSize = 40 (64.)
0042F5DB . |68 63F94200 push TUNet306.0042F963 ; |Buffer = TUNet306.0042F963
0042F5E0 . |6A 01 push 1 ; |ValueType = REG_SZ
0042F5E2 . |6A 00 push 0 ; |Reserved = 0
0042F5E4 . |68 68F94200 push TUNet306.0042F968 ; |ValueName = "TUNET"
0042F5E9 . |FF30 push dword ptr ds:[eax] ; |hKey
0042F5EB . |FF15 00004300 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
0042F5F1 . |68 00F94200 push TUNet306.0042F900 ; /FileName = ".\\PEANSEN.ini"
0042F5F6 . |68 73F94200 push TUNet306.0042F973 ; |String = "0"
0042F5FB . |68 20F94200 push TUNet306.0042F920 ; |Key = "AUTORUN"
0042F600 . |68 10F94200 push TUNet306.0042F910 ; |Section = "patch"
0042F605 . |FF15 64014300 call dword ptr ds:[<&KERNEL32.WritePrivateProfileStri>; \WritePrivateProfileStringA
Then write the resulting setting back to the configuration file.
0042F60B . |90 nop
0042F60C . |90 nop
0042F60D . |90 nop
0042F60E . |EB 3A jmp short TUNet306.0042F64A
0042F610 |90 nop
0042F611 |90 nop
0042F612 |90 nop
0042F613 > |8D0424 lea eax,dword ptr ss:[esp]
0042F616 . |90 nop
0042F617 . |8D5C24 04 lea ebx,dword ptr ss:[esp+4]
0042F61B . |6A 50 push 50 ; /BufSize = 50 (80.)
0042F61D . |53 push ebx ; |Buffer
0042F61E . |6A 01 push 1 ; |ValueType = REG_SZ
0042F620 . |6A 00 push 0 ; |Reserved = 0
0042F622 . |68 68F94200 push TUNet306.0042F968 ; |ValueName = "TUNET"
0042F627 . |FF30 push dword ptr ds:[eax] ; |hKey
0042F629 . |FF15 00004300 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
0042F62F . |90 nop
0042F630 . |68 00F94200 push TUNet306.0042F900 ; /FileName = ".\\PEANSEN.ini"
0042F635 . |68 71F94200 push TUNet306.0042F971 ; |String = "1"
0042F63A . |68 20F94200 push TUNet306.0042F920 ; |Key = "AUTORUN"
0042F63F . |68 10F94200 push TUNet306.0042F910 ; |Section = "patch"
0042F644 . |FF15 64014300 call dword ptr ds:[<&KERNEL32.WritePrivateProfileStri>; \WritePrivateProfileStringA
0042F64A > |8B0424 mov eax,dword ptr ss:[esp]
0042F64D . |83C4 50 add esp,50
0042F650 . |EB 0E jmp short TUNet306.0042F660
0042F652 |90 nop
0042F653 |90 nop
0042F654 > |83C4 54 add esp,54
0042F657 .^ E9 B4FEFFFF jmp TUNet306.0042F510
0042F65C |00 db 00
0042F65D |00 db 00
0042F65E |00 db 00
0042F65F |00 db 00
0042F660 > |50 push eax ; /hKey
0042F661 . |FF15 10004300 call dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
0042F667 .^\E9 A4FEFFFF jmp TUNet306.0042F510
0042F66C 00 db 00
0042F66D 00 db 00
0042F66E 00 db 00
Alright, I think OllyDbg's annotations make it clear enough.
I've been hanging around Pediy (看雪) for a year without posting anything, so here is a post.
Since I'm already in my fourth year and the postgraduate entrance exam is coming up (sigh, I should have worked harder earlier), I don't have more time to study the techniques here, so treat this article as a brief goodbye. I'll be back, whatever my exam result.
Heh, thanks to everyone here, veterans and newcomers alike.