-
2010. 12. 10. 03:15 프로그래밍 언어/C++
해킹완료시 대상을 메모리상에서 크래킹할때, 주로 사용하는 C++ 함수들이다.
Fixed : JMP E9 JMP_Address-address-5
주소가 현재보다 낮든 높든 -5 를 적용 한다 AI-32 JMP XXXXXXXX
//Data 의 바이트 배열을 Address 에 적용하는 함수.
void ReplaceCode(DWORD Address,byte Data[]){
DWORD old;
VirtualProtect(LPVOID(Address),sizeof(Data),PAGE_EXECUTE_READWRITE,&old);
for(DWORD i=0;i<sizeof(Data);i++)
((BYTE*)Address)[i]=Data[i];
VirtualProtect(LPVOID(Address),sizeof(Data),old,&old);
}
//Hex 값을 Int 값으로 변환
DWORD HexToInt(WCHAR *a){
DWORD v=0;
for(int i=0;i<wcslen(a);i++){
v *= 0x10;
if( ( a[i] >= 0x30 ) && ( a[i] <= 0x39 ) ){
v += a[i]-0x30;
}else if( ( a[i] >= 0x61 ) && ( a[i] <= 0x66 ) ){
v += a[i]-0x57;
}else if( ( a[i] >= 0x41 ) && ( a[i] <= 0x46 ) ){
v += a[i]-0x37;
}
}
return v;
}
//Hex 255이하 값을 변환
DWORD HexToInt2(WCHAR *a){
DWORD v=0;
for(int i=0;i<2;i++){
v *= 0x10;
if( ( a[i] >= 0x30 ) && ( a[i] <= 0x39 ) ){
v += a[i]-0x30;
}else if( ( a[i] >= 0x61 ) && ( a[i] <= 0x66 ) ){
v += a[i]-0x57;
}else if( ( a[i] >= 0x41 ) && ( a[i] <= 0x46 ) ){
v += a[i]-0x37;
}
}
return v;
}
//문자열 비교
int StrMatchW(LPCWCHAR One,LPCWCHAR Two){
DWORD i=0;
while( ((WORD*)One)[i] >0 || ((WORD*)Two)[i] > 0 ){
if( toupper(((WORD*)One)[i]) != toupper(((WORD*)Two)[i]) ) return false;
i++;
}
return (int)true;
}
//특별한 핫패치의 경우 사용하는 인라인 후킹 함수
//메모리 스캔 함수이다. 이함수는 사용하던것임으로 정리하여 사용 해야 한다. 스캔 바이트배열 등.
void ScanReplace(){
MEMORY_BASIC_INFORMATION MBI;
DWORD oldPAGE;
DWORD Found=0,i,fromAddress,startAddress,finishAddress,scanAddress;
fromAddress = 0x00000000;
startAddress = fromAddress;
memset(&MBI,0,sizeof(MBI));
while(fromAddress<=0x7FFFFFFF){
if( VirtualQueryEx(hProcess,(LPVOID)fromAddress,&MBI,sizeof(MBI)) ){
if( ((MBI.Protect & PAGE_READONLY)==PAGE_READONLY) ||
((MBI.Protect & PAGE_EXECUTE_READ)==PAGE_EXECUTE_READ) ||
((MBI.Protect & PAGE_READWRITE)==PAGE_READWRITE) ||
((MBI.Protect & PAGE_EXECUTE_READWRITE)==PAGE_EXECUTE_READWRITE) &&
((MBI.Protect & PAGE_GUARD)!=PAGE_GUARD) ){
finishAddress = startAddress + MBI.RegionSize - ScanLength;
while( fromAddress < finishAddress ){
for( scanAddress=fromAddress; scanAddress<fromAddress+ScanLength; scanAddress++){//Find
i = scanAddress - fromAddress;
if( ( PBYTE(scanAddress)[0] != ScanArray[i] ) &&
( NoScanArray[i] == 0 ) ) goto Scan_JMP0000;
}
if( scanAddress >= (DWORD)ScanArray && scanAddress <= (DWORD)ScanArray+1024 ) goto Scan_JMP0000;//No MyCode
Found++;//Found
fromAddress += ReplaceOffset;
VirtualProtectEx(hProcess,LPVOID(fromAddress),ReplaceLength,PAGE_EXECUTE_READWRITE,&oldPAGE);
for( scanAddress=fromAddress; scanAddress<fromAddress+ReplaceLength; scanAddress++ ){//Replace
i = scanAddress - fromAddress;//index
if( NoReplaceArray[i] == 0 )
PBYTE((DWORD)scanAddress)[0] = ReplaceArray[i];
}
VirtualProtectEx(GetCurrentProcess(),LPVOID(fromAddress),ReplaceLength,oldPAGE,&oldPAGE);
Scan_JMP0000:
fromAddress++;
}
}
}
startAddress = startAddress + MBI.RegionSize;
fromAddress = startAddress;
}
if( Found == 0 ){
MainCall++;
}else{
}
}
Fixed : JMP E9 JMP_Address-address-5
주소가 현재보다 낮든 높든 -5 를 적용 한다 AI-32 JMP XXXXXXXX
HANDLE hProcess;
int ScanArray[1024],ReplaceArray[1024],NoScanArray[1024],NoReplaceArray[1024],ScanLength,ReplaceOffset,ReplaceLength,MainCall;
byte Data1[5]={0xC3,0x90,0x90,0x90,0x90};
byte Data2[2]={0xEB,0x0E};
byte Data3[5]={0xEB, 0x0B, 0x90, 0x90, 0x90};
BYTE JMP_Back[2]={0xEB, 0xF9};
BYTE JMP_Code=0xE9;
//Data 의 바이트 배열을 Address 에 적용하는 함수.
void ReplaceCode(DWORD Address,byte Data[]){
DWORD old;
VirtualProtect(LPVOID(Address),sizeof(Data),PAGE_EXECUTE_READWRITE,&old);
for(DWORD i=0;i<sizeof(Data);i++)
((BYTE*)Address)[i]=Data[i];
VirtualProtect(LPVOID(Address),sizeof(Data),old,&old);
}
//Hex 값을 Int 값으로 변환
DWORD HexToInt(WCHAR *a){
DWORD v=0;
for(int i=0;i<wcslen(a);i++){
v *= 0x10;
if( ( a[i] >= 0x30 ) && ( a[i] <= 0x39 ) ){
v += a[i]-0x30;
}else if( ( a[i] >= 0x61 ) && ( a[i] <= 0x66 ) ){
v += a[i]-0x57;
}else if( ( a[i] >= 0x41 ) && ( a[i] <= 0x46 ) ){
v += a[i]-0x37;
}
}
return v;
}
//Hex 255이하 값을 변환
DWORD HexToInt2(WCHAR *a){
DWORD v=0;
for(int i=0;i<2;i++){
v *= 0x10;
if( ( a[i] >= 0x30 ) && ( a[i] <= 0x39 ) ){
v += a[i]-0x30;
}else if( ( a[i] >= 0x61 ) && ( a[i] <= 0x66 ) ){
v += a[i]-0x57;
}else if( ( a[i] >= 0x41 ) && ( a[i] <= 0x46 ) ){
v += a[i]-0x37;
}
}
return v;
}
//문자열 비교
int StrMatchW(LPCWCHAR One,LPCWCHAR Two){
DWORD i=0;
while( ((WORD*)One)[i] >0 || ((WORD*)Two)[i] > 0 ){
if( toupper(((WORD*)One)[i]) != toupper(((WORD*)Two)[i]) ) return false;
i++;
}
return (int)true;
}
//특별한 핫패치의 경우 사용하는 인라인 후킹 함수
void mkTrap(DWORD address,DWORD JMP_Address){//CC CC or 90 90 Function 핫패치공간 4바이트 등
DWORD old;
address-=4;
VirtualProtect(LPVOID(address),7,PAGE_EXECUTE_READWRITE,&old);
((BYTE*)address)[0] = JMP_Code;
address+=1;JMP_Address-=4;
// 7C7D1D53 10001320
((DWORD*)address)[0] = JMP_Address-address;//(address<JMP_Address)?JMP_Address-address-5:JMP_Address-address-5;
address+=4;
((WORD*)address)[0] = ((WORD*)JMP_Back)[0];
VirtualProtect(LPVOID(address-5),7,old,&old);
}
//MOV EDI,EDI 등의 핫패치를 위한 후킹 함수
void mkHot(DWORD address,DWORD JMP_Address){//CC CC or 90 90 Function 핫패치공간 5바이트 전용
DWORD old;
address-=5;
VirtualProtect(LPVOID(address),7,PAGE_EXECUTE_READWRITE,&old);
((BYTE*)address)[0] = JMP_Code;
address+=1;JMP_Address-=4;
// 7C7D1D53 10001320
((DWORD*)address)[0] = JMP_Address-address;//(address<JMP_Address)?JMP_Address-address-5:JMP_Address-address-5;
address+=4;
((WORD*)address)[0] = ((WORD*)JMP_Back)[0];
VirtualProtect(LPVOID(address-5),7,old,&old);
}
//단순 인라인 후킹 함수. 5~6바이트를 소실 함으로 5~6바이트는 복사하여 후킹된 함수에 넣는다. _asm{ nop nop nop nop nop nop }
void mkHook(DWORD address,DWORD JMP_Address){//Direct Hook 단순 JMP
DWORD old;
VirtualProtect(LPVOID(address),5,PAGE_EXECUTE_READWRITE,&old);
((BYTE*)address)[0] = JMP_Code;
address+=1;
((DWORD*)address)[0] = JMP_Address-address-4;//(address<JMP_Address)?JMP_Address-address-5:JMP_Address-address-4;
VirtualProtect(LPVOID(address),5,old,&old);
}
void ScanReplace(){
MEMORY_BASIC_INFORMATION MBI;
DWORD oldPAGE;
DWORD Found=0,i,fromAddress,startAddress,finishAddress,scanAddress;
fromAddress = 0x00000000;
startAddress = fromAddress;
memset(&MBI,0,sizeof(MBI));
while(fromAddress<=0x7FFFFFFF){
if( VirtualQueryEx(hProcess,(LPVOID)fromAddress,&MBI,sizeof(MBI)) ){
if( ((MBI.Protect & PAGE_READONLY)==PAGE_READONLY) ||
((MBI.Protect & PAGE_EXECUTE_READ)==PAGE_EXECUTE_READ) ||
((MBI.Protect & PAGE_READWRITE)==PAGE_READWRITE) ||
((MBI.Protect & PAGE_EXECUTE_READWRITE)==PAGE_EXECUTE_READWRITE) &&
((MBI.Protect & PAGE_GUARD)!=PAGE_GUARD) ){
finishAddress = startAddress + MBI.RegionSize - ScanLength;
while( fromAddress < finishAddress ){
for( scanAddress=fromAddress; scanAddress<fromAddress+ScanLength; scanAddress++){//Find
i = scanAddress - fromAddress;
if( ( PBYTE(scanAddress)[0] != ScanArray[i] ) &&
( NoScanArray[i] == 0 ) ) goto Scan_JMP0000;
}
if( scanAddress >= (DWORD)ScanArray && scanAddress <= (DWORD)ScanArray+1024 ) goto Scan_JMP0000;//No MyCode
Found++;//Found
fromAddress += ReplaceOffset;
VirtualProtectEx(hProcess,LPVOID(fromAddress),ReplaceLength,PAGE_EXECUTE_READWRITE,&oldPAGE);
for( scanAddress=fromAddress; scanAddress<fromAddress+ReplaceLength; scanAddress++ ){//Replace
i = scanAddress - fromAddress;//index
if( NoReplaceArray[i] == 0 )
PBYTE((DWORD)scanAddress)[0] = ReplaceArray[i];
}
VirtualProtectEx(GetCurrentProcess(),LPVOID(fromAddress),ReplaceLength,oldPAGE,&oldPAGE);
Scan_JMP0000:
fromAddress++;
}
}
}
startAddress = startAddress + MBI.RegionSize;
fromAddress = startAddress;
}
if( Found == 0 ){
MainCall++;
}else{
}
}
|
