精灵猪
{ Listing posted with the question below.
  What the visible code does: it enumerates the address space behind ProcessHndle with
  VirtualQueryEx, scans every committed PAGE_READWRITE / PAGE_EXECUTE_READWRITE region
  below $01000000 for the byte pattern const1, and returns a PLongJmp pointing at the
  last byte of the match - i.e. the spot where a 5-byte record (opcode + DWORD target)
  would be written. The TLongJmp record with JmpCode = $E9 is the shape of an in-memory
  code patch; from a defender's side, a handle-based VirtualQueryEx walk over another
  process plus pattern matching in RWX regions is exactly the behaviour that endpoint
  detection and memory-integrity checks key on.
  Names used but not declared in this listing (defined elsewhere in the unit):
  hasSend, ThreadBusy, ProcessHndle, writedat2. }

type
  TLongJmp = packed record
    JmpCode: byte;   { opcode; $E9 (near JMP) is written in place of the original instruction }
    FuncAddr: DWORD; { target function address (rel32 operand of the JMP) }
  end;
  PLongJmp = ^TLongJmp;

var
  { NOTE(review): as posted this is not a valid declaration - it has no ':' and no type;
    presumably meant to be a PLongJmp holding FindCode's result (the question refers to
    code := findcode). Confirm with the original source. }
  codeLongJmp;

{ StrPosB: returns the zero-based offset of the first byte equal to c within Str,
  or $FFFFFFFF when none is found.
  Register convention (matches the inline //comments): EAX = Str, EDX = iLen, ECX = c.
  Because ECX is set to iLen + 1 before REPNE SCASB, the scan may read one byte past
  iLen; a match at exactly that extra byte leaves ECX = 0 and is reported as not found,
  so every byte inside iLen is still searchable. Str = nil returns $FFFFFFFF. }
function StrPosB(Str: PChar; iLen: longword; c: Char): longword; assembler;
asm
  PUSH EDI
  PUSH EBX
  OR EAX,EAX     //Str1 - nil pointer -> not found
  JE @@2
  MOV EDI,EAX    // EDI walks the buffer
  MOV EBX,EAX    // EBX keeps the start for the offset calculation

  MOV AL,CL      //c - byte to look for
  MOV ECX,EDX    //iLen
  INC ECX        // scan iLen + 1 bytes (see header comment)
  REPNE SCASB
  CMP ECX,0      // counter exhausted without a match
  JE @@2
  MOV EAX,EDI    // EDI is one past the matching byte
  SUB EAX,EBX
  DEC EAX        // offset = (EDI - start) - 1
  JMP @@3
@@2: MOV EAX,0FFFFFFFFH
@@3: POP EBX
  POP EDI
end;

{ Comp: returns True when the first Len bytes of Str1 and Str2 are equal (Len = 0 -> True).
  Register convention: EAX = Str1, EDX = Str2, ECX = Len.
  After REPE CMPSB a non-zero ECX means a mismatch before the end; when ECX reaches 0
  the final byte pair is re-compared explicitly because REPE also stops on count. }
function Comp(const Str1, Str2: PChar; Len: Cardinal): boolean; assembler;
asm
  PUSH EDI
  PUSH ESI
  MOV EDI,EDX    //str2
  MOV ESI,EAX    //str1
  MOV EAX,1      //result:=1
  OR ECX,ECX     //if Len=0 - empty compare is True
  JE @@1
  XOR EDX,EDX
  REPE CMPSB
  OR ECX,ECX     //if Len=0 - stopped early -> mismatch
  JNE @@Error
  MOV CL,[EDI-1] // re-check the last compared pair (REPE stops on ECX = 0 too)
  CMP CL,[ESI-1]
  JE @@1
@@Error:XOR EAX,EAX
@@1: POP ESI
  POP EDI
end;

{ FindCode: scans memory for the byte pattern const1 and returns a pointer to the LAST
  byte of the first match (p + iLen - 1), typed as PLongJmp; nil if nothing was found,
  if hasSend is set, if ThreadBusy is already set, or if ProcessHndle = 0.
  Side effects: writes progress lines through writedat2; toggles the global ThreadBusy
  flag for the duration of the scan (a plain boolean, no atomic/locking primitive).
  Search strategy: StrPosB finds candidates by the pattern's first byte, a 4-byte compare
  filters them, then Comp checks the full iLen bytes.
  NOTE(review): the regions are enumerated with VirtualQueryEx(ProcessHndle, ...), but p
  dereferences those addresses in the calling process; the two views only coincide when
  ProcessHndle refers to the current process - confirm what the handle is. }
function FindCode: PLongJmp;
const
  { byte pattern being searched for (28 bytes) }
  const1 = #$81#$E1#$0F#$0F#$0F#$0F#$8B#$F9#$83#$C4#$10#$33#$FE#$89#$3A#$5F +
    #$5E#$C1#$E1#$04#$33#$C8#$5D#$89#$4A#$04#$5B#$C3;
var
  SysInfo: _SYSTEM_INFO;
  MBI: MEMORY_BASIC_INFORMATION;
  iLen: integer;           // length(const1)
  PMemoAddr: Pointer;      // current region base being queried
  p: pchar;                // scan cursor inside the current region
  nSize, size, d1: DWORD;  // region size / remaining scan length / offset from StrPosB
  bBreak: boolean;         // set once a match is found to leave the outer loop
  c: char;                 // first byte of const1, used as the quick filter
begin
  result := nil;
  if hasSend then exit;
  if (not ThreadBusy) then
  begin
    ThreadBusy := true;
    if ProcessHndle <> 0 then
    begin
      GetSystemInfo(SysInfo);
      PMemoAddr := SysInfo.lpMinimumApplicationAddress;
      bBreak := false;
      writedat2('fc1');
      iLen := length(const1);
      c := pchar(const1)^;
      while (not bBreak) and (dword(PMemoAddr) < dword(SysInfo.lpMaximumApplicationAddress)) do
      begin
        fillchar(MBI, sizeof(MBI), 0);
        VirtualQueryEx(ProcessHndle, PMemoAddr, MBI, SizeOf(MBI));
        { return value of VirtualQueryEx is not checked; a failed query leaves MBI zeroed,
          which the RegionSize = 0 test below turns into a stop }
        if MBI.RegionSize = 0 then break;
        { hard-coded upper bound: the walk stops at the first region at or above 16 MB }
        if dword(MBI.BaseAddress) >= $01000000 then break;
        nSize := MBI.RegionSize;
// writedat2('a:' + inttostr(dword(MBI.baseaddress)) + ' ' + inttostr(Mbi.Protect) + ' ' + inttostr(Mbi.RegionSize) + ' ' + inttostr(MBI.State));
        { only committed, writable regions are scanned; the original note (garbled in the
          post) appears to say Win2000 shows PAGE_READWRITE and XP PAGE_EXECUTE_READWRITE }
        if (MBI.State = MEM_COMMIT) and
          ((Mbi.Protect = PAGE_READWRITE) or (Mbi.Protect = PAGE_EXECUTE_READWRITE)) then //2000IceAGE_READWRITE xpAGE_EXECUTE_READWRITE
        begin
// writedat2('b');
          { NOTE(review): this try/except swallows every exception, including access
            violations while reading the region, so a failing read looks like "no match" }
          try
            p := pchar(MbI.BaseAddress) + $10; // skips the first $10 bytes of the region (reason not stated)
            size := MbI.RegionSize - $10 - dword(iLen) - $4; // keep the full-pattern compare inside the region
            while true do
            begin
              d1 := StrPosB(p, size, c);
              if d1 = $FFFFFFFF then break;
              dec(size, d1 + 1);
              inc(p, d1);
              { 4-byte prefix compare first, full compare only on prefix hit }
              if (plongword(p)^ = plongword(pchar(const1))^) and (comp(p, const1, iLen)) then
              begin
                { NOTE(review): the trailing "/ 0057259b" is a single slash, not a "//"
                  comment, so this line will not compile as posted; the hex value looks
                  like an address copied from a log line }
                result := pointer(p + iLen - 1); / 0057259b
                writedat2('fc2:' + inttostr(dword(result)) + ' ' + inttostr(Mbi.Protect) + ' ' + inttostr(Mbi.RegionSize) + ' ' + inttostr(MBI.State));
                bBreak := true;
                break;
              end;
              inc(p);
            end;
          except
          end;
        end;
        PMemoAddr := Pointer(DWORD(PMemoAddr) + nSize);
      end;
    end;
    ThreadBusy := false;
  end;
end;

以上是代码 在程序中调用code:=findcode;是不是可以得到 #$81#$E1#$0F#$0F#$0F#$0F#$8B#$F9#$83#$C4#$10#$33#$FE#$89#$3A#$5F
这里的 内存地址 我试了好多次都没有成功 请教高手是那里错了?
另外如果我要搜索 user32.dll下的一段代码得到内存地址用这个代码可以吗? 如果不可以应该如何做? 其实我的目的是要利用这套代码得到user32.dll里的一个地址 由于是内存地址而不是API所以用搜索的方法 希望高手指点一下 应该如何做 小弟感激不尽