1、/fuck Zrotectect1.4.9/thanks hmily/1漸IATStartIATEnd/212/320,0/4bp CreateFileAdll/just for fun/ximoLCG/var countask whitch step?mov count,$RESULTcmp count,1je step1cmp count,2je step2retstep1:var imagebasevar addrvar tmpvar valuevar sizeoffuckvar VirtualAllocAddrbphwcallbpmc gpa VirtualAlloc,kernel32
2、.dllcmp $RESULT,0je Exitmov VirtualAllocAddr,$RESULTbp VirtualAllocAddrrunbc VirtualAllocAddrfind eip,#c21000#cmp $RESULT,0je Exitbp $RESULTrunbc $RESULTmov imagebase,eax mov addr,imagebase/*00944754 FF4424 14 inc dword ptr ss:esp+1400944758 FF4424 10 inc dword ptr ss:esp+10 */add addr,14758 /汾İmov
3、sizeoffuck,0a /bphws addr,xloopfind:runmov tmp,espadd tmp,10mov value,tmpcmp value,sizeoffuck,1jne loopfindbphwc addrmov eip,valuelog eipMSG eipMSG retExit:retstep2: bphwcall bpmc var fuckhook ask 1 mov fuckhook,$RESULT mov fuckhook,#00# var tmp var local var l var oep var ThreadAddr var ThreadProc
4、var HookExitAddr var CreateFileAddr var count var fuckflag var IsHook var regist mov count,1fuckregist: gpa DialogBoxIndirectParamA,user32.dll mov regist,$RESULT mov regist,#b82c230000c21400#fuckexit: gpa ExitProcess,kernel32.dll mov HookExitAddr,$RESULT mov HookExitAddr,#c20800# found: mov tmp,eip
5、cmp tmp,60,1 je start sti jmp found start: sti mov tmp,esp bphws tmp,r gpa CreateThread,kernel32.dll mov ThreadAddr,$RESULT bphws ThreadAddr,x gpa GetModuleHandleA,kernel32.dll mov local, $RESULT add local,20 bp localloop: run mov l,eip cmp l,CC,1 je loop cmp eip,7c000000 jb goesp bphwc ThreadAddr m
6、ov ThreadProc,esp+c mov ThreadProc,#C390# jmp loopgoesp: bphwc tmp bc local mov oep,esp bphws oep,x run bphwc oepmov oep,eipvar IATStartvar IATEndvar IATAddrvar fixtmpvar GetIATbpvar ExitFlagvar guolvmov IATStart,01001000 /IATStartmov IATEnd,01001344 /IATEndmov IATAddr,IATStartfixloop:mov guolv,IATA
7、ddrcmp IATAddr,IATEndje Exit2cmp IATAddr,0je nextcmp guolv,68,1je getapicmp guolv,50,1jne nextgetapi:mov eip,IATAddrstiloop:mov fixtmp,eipcmp fixtmp,E8,1je startfixstijmp stiloopstartfix:stifind eip,#7457#cmp $RESULT,0je goonmov GetIATbp,$RESULTmov GetIATbp,#EB#goon:find eip,#C20400#mov GetIATbp,$RESULTBPHWS GetIATbp,xrunbphwc GetIATbpmov IATAddr,eaxnext:add IATAddr,4jmp fixloopExit2:mov eip,oepret
