昨天在论坛看到AU3可以内联汇编了,多年的愿望实现了,我骄傲....于是就尝试着用≈※爖※≈大神的内联汇编代码开始转换原来的一段DELPHI代码,于是各种问题都来了.gif) ,废话少说我先把代码贴出来
//选怪call
function GetGwCall(p: PGetGwCallParam):DWORD; Stdcall;
var
edx1: DWORD;
address:Pointer;
begin
address:=Pointer($00583980);
edx1 := p^.EDX;
asm
pushad
mov esi, edx1
push esi
mov ecx, dword ptr [$009497B4]
mov ecx, dword ptr [ecx+$20]
add ecx,$D4
call address
popad;
end;
result:=0;
end;
这段代码是用delphi写的内联汇编的选怪CALL
我用AU3转化了一下
Func GetGwCall()
Local $edx1,$address
$address=Ptr(0x00583980)
$edx1 =DllStructGetPtr ( $PGetGwCallParam,"EDX")
Pushad()
Mov_ESI($edx1)
;mov esi, edx1
Push_ESI()
;push esi
Mov_ECX_DWORD_Ptr(0x009497B4)
;mov ecx, dword ptr [$009497B4]
Mov_ECX_DWORD_Ptr_ECX_Add(0x20)
;mov ecx, dword ptr [ecx+$20]
Add_ECX(0x0D4)
;add ecx,$D4
Mov_EAX($address)
Call_EAX()
;Call_Ptr($address)
;call address
Popad()
;popad;
; ret()
Run_ASM($Hawd)
Return(0)
EndFunc
Func Call_Ptr($i) ;Call 地址
;~算法:要调用代码的地址 - 自身地址 - 5 =e8后面的数
;~例:OD里:0042AAFC|E8 D7790000|Call 004324D8
;~要调用代码的地址=004324D8
;~自身地址=0042AAFC
;最终算法为:004324D8-0042AAFC-5=79D7
;再把79D7高地位转换,就得出了D7790000
;再加上E8这个CALL代码,得出:E8 D7790000
$x="0x"&Hex($i-$tmp_Addr-5)
$OPcode=$OPcode & "E8" & Exchange($x, 8)
$OPcode=$OPcode & "E8" & $i
EndFunc
结果以后不管我怎么运行都有错误,想请教下高手应该怎么改,下面贴出来全部的代码
#include <Masm.au3>
#include <Array.au3>
;$jcid=WinGetProcess ( "Element Client")
Dim $v_ProcessID,$v_EAX,$v_EBX,$v_ECX,$v_EDX,$v_ESI,$tmp_Addr
$guaiwu=2147488188;怪物ID
$Hawd = WinGetHandle("Element Client")
GetWindowThreadProcessId($Hawd, $pid)
$hd = OpenProcess($PROCESS_ALL_ACCESS, False, $pid)
$v_ProcessID=$hd
;NoCall(0x005B0A80)
$PGetGwCallParam=DllStructCreate ( "dword EDX;dword EAX;ulong zx;ulong zy;ulong zz")
DllStructSetData($PGetGwCallParam,"EDX",$guaiwu);把怪物ID送入结构中
$c=DllStructGetPtr ( $PGetGwCallParam,"EDX");获得EDX的地址
$vhandle=DllCallbackRegister ( "GetGwCall", "int", "hwnd;lparam" )
$d=DllCallbackGetPtr($vhandle);获得函数的地址
Funin($Hawd,$d,$c,StringLen($guaiwu))
DllCallbackFree ( $vhandle )
Func Nocall($pDaima)
Local $v_TempppHandle,$v_Num
$v_TempppHandle = CreateRemoteThread($v_ProcessID, 0, 0,$pDaima, 0, 0, $v_num)
WaitForSingleObject($v_TempppHandle, $INFINITE);
CloseHandle($v_TempppHandle);
CloseHandle($v_ProcessID);
EndFunc
Func Funin($InHWND,$Funcv,$Param,$ParamSize)
Local $ThreadAdd, $ParamAdd,$hThread,$ThreadID,$lpNumberOfBytes
; $v_ProcessID = OpenProcess($PROCESS_ALL_ACCESS, False, $v_ProcessID);//打开被注入的进程
$ThreadAdd = VirtualAllocEx($v_ProcessID, 0, 4096, $MEM_COMMIT, $PAGE_READWRITE);
$tmp_Addr=$ThreadAdd
WriteProcessMemory($v_ProcessID, $ThreadAdd, $Funcv, 4096, $lpNumberOfBytes); //写入函数地址
$ParamAdd = VirtualAllocEx($v_ProcessID, 0, $ParamSize, $MEM_COMMIT, $PAGE_READWRITE);
WriteProcessMemory($v_ProcessID, $ParamAdd, $Param, $ParamSize, $lpNumberOfBytes); //写入参数地址
$hThread = CreateRemoteThread($v_ProcessID,0, 0, $ThreadAdd, $ParamAdd, 0, $lpNumberOfBytes); //创建远程线程
WaitForSingleObject($hThread, $INFINITE);//等待线程结束
VirtualFreeEx($v_ProcessID, $ThreadAdd, 0, $MEM_RELEASE);
VirtualFreeEx($v_ProcessID, $ParamAdd, 0, $MEM_RELEASE); //释放申请的地址
CloseHandle($hThread);
CloseHandle($v_ProcessID); //关闭打开的句柄
EndFunc
Func GetGwCall()
Local $edx1,$address
$address=Ptr(0x00583980)
$edx1 = DllStructGetPtr ( $PGetGwCallParam,"EDX")
Pushad()
Mov_ESI($edx1)
;mov esi, edx1
Push_ESI()
;push esi
Mov_ECX_DWORD_Ptr(0x009497B4)
;mov ecx, dword ptr [$009497B4]
Mov_ECX_DWORD_Ptr_ECX_Add(0x20)
;mov ecx, dword ptr [ecx+$20]
Add_ECX(0x0D4)
;add ecx,$D4
Mov_EAX($address)
Call_EAX()
;Call_Ptr($address)
;call address
Popad()
;popad;
; ret()
Run_ASM($Hawd)
Return(0)
EndFunc
Func Call_Ptr($i) ;Call 地址
;~算法:要调用代码的地址 - 自身地址 - 5 =e8后面的数
;~例:OD里:0042AAFC|E8 D7790000|Call 004324D8
;~要调用代码的地址=004324D8
;~自身地址=0042AAFC
;最终算法为:004324D8-0042AAFC-5=79D7
;再把79D7高地位转换,就得出了D7790000
;再加上E8这个CALL代码,得出:E8 D7790000
$x="0x"&Hex($i-$tmp_Addr-5)
$OPcode=$OPcode & "E8" & Exchange($x, 8)
$OPcode=$OPcode & "E8" & $i
EndFunc
大家一起讨论下吧,相信都会有收获的.gif)
[ 本帖最后由 35888894 于 2009-2-6 08:54 编辑 ] |
|手机版|小黑屋|AUTOIT CN
( 鲁ICP备19019924号-1 )谷歌
百度
发表于 2009-2-4 12:17:52
发表于 2009-2-5 23:27:05
.gif)