This is a simple MFC program I wrote myself. Clicking the upper link originally pops up a dialog box (it calls MessageBox).
Clicking the next link opens the www.baidu.com web page (it calls ShellExecute).
The task is to modify the generated .exe directly so that clicking the upper link also opens the www.baidu.com web page, i.e. to replace the original MessageBox call with a ShellExecute call.
Of course, finishing the modification took a few attempts (experts, please go easy on me).
The principle is simple: find the CALL to MessageBox and NOP it out, replace it with a jump instruction to an empty area, fill that empty area with the assembly for the ShellExecute call, and then jump back.
The main disassembly of the original program in OD (OllyDbg):
00402810 /> \55 PUSH EBP
00402811 |. 8BEC MOV EBP,ESP
00402813 |. 83EC 64 SUB ESP,64
00402816 |. 53 PUSH EBX
00402817 |. 56 PUSH ESI
00402818 |. 57 PUSH EDI
00402819 |. 51 PUSH ECX
0040281A |. 8D7D 9C LEA EDI,DWORD PTR SS:[EBP-64]
0040281D |. B9 19000000 MOV ECX,19
00402822 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
00402827 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00402829 |. 59 POP ECX
0040282A |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0040282D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00402830 |. 50 PUSH EAX
00402831 |. 68 09040000 PUSH 409
00402836 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00402839 |. E8 E6050000 CALL <JMP.&MFC42uD.#2436>
0040283E |. 8BC8 MOV ECX,EAX
00402840 |. E8 D9050000 CALL <JMP.&MFC42uD.#3171>
00402845 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00402848 |. 51 PUSH ECX
00402849 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0040284C |. E8 C7050000 CALL <JMP.&MFC42uD.#4435>
00402851 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00402854 |. 52 PUSH EDX
00402855 |. 68 0B040000 PUSH 40B
0040285A |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0040285D |. E8 C2050000 CALL <JMP.&MFC42uD.#2436>
00402862 |. 8BC8 MOV ECX,EAX
00402864 |. E8 B5050000 CALL <JMP.&MFC42uD.#3171>
00402869 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0040286C |. 50 PUSH EAX
0040286D |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00402870 |. E8 A3050000 CALL <JMP.&MFC42uD.#4435>
00402875 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00402878 |. 3B4D EC CMP ECX,DWORD PTR SS:[EBP-14]
0040287B |. 7E 29 JLE SHORT 复件_Beg.004028A6
0040287D |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00402880 |. 3B55 F4 CMP EDX,DWORD PTR SS:[EBP-C]
00402883 |. 7D 21 JGE SHORT 复件_Beg.004028A6
00402885 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00402888 |. 3B45 F0 CMP EAX,DWORD PTR SS:[EBP-10]
0040288B |. 7E 19 JLE SHORT 复件_Beg.004028A6
0040288D |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00402890 |. 3B4D F8 CMP ECX,DWORD PTR SS:[EBP-8]
00402893 |. 7D 11 JGE SHORT 复件_Beg.004028A6
00402895 |. 6A 00 PUSH 0
00402897 |. 6A 00 PUSH 0
00402899 |. 68 E4674100 PUSH 复件_Beg.004167E4 ; hello
0040289E |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004028A1 |. E8 5A050000 CALL <JMP.&MFC42uD.#3518>
004028A6 |> 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
004028A9 |. 3B55 DC CMP EDX,DWORD PTR SS:[EBP-24]
004028AC |. 7E 3E JLE SHORT 复件_Beg.004028EC
004028AE |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004028B1 |. 3B45 E4 CMP EAX,DWORD PTR SS:[EBP-1C]
004028B4 |. 7D 36 JGE SHORT 复件_Beg.004028EC
004028B6 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
004028B9 |. 3B4D E0 CMP ECX,DWORD PTR SS:[EBP-20]
004028BC |. 7E 2E JLE SHORT 复件_Beg.004028EC
004028BE |. 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
004028C1 |. 3B55 E8 CMP EDX,DWORD PTR SS:[EBP-18]
004028C4 |. 7D 26 JGE SHORT 复件_Beg.004028EC
004028C6 |. 8BF4 MOV ESI,ESP
004028C8 |. 6A 01 PUSH 1 ; /IsShown = 1
004028CA |. 6A 00 PUSH 0 ; |DefDir = NULL
004028CC |. 6A 00 PUSH 0 ; |Parameters = NULL
004028CE |. 68 38674100 PUSH 复件_Beg.00416738 ; |http://www.baidu.com
004028D3 |. 68 BC624100 PUSH 复件_Beg.004162BC ; |open
004028D8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
004028DB |. 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20] ; |
004028DE |. 51 PUSH ECX ; |hWnd
004028DF |. FF15 6C874100 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteW
004028E5 |. 3BF4 CMP ESI,ESP
004028E7 |. E8 6C070000 CALL <JMP.&MSVCRTD._chkesp>
004028EC |> 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
004028EF |. 52 PUSH EDX
004028F0 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004028F3 |. 50 PUSH EAX
004028F4 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004028F7 |. 51 PUSH ECX
004028F8 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004028FB |. E8 2A050000 CALL <JMP.&MFC42uD.#3867>
00402900 |. 5F POP EDI
00402901 |. 5E POP ESI
00402902 |. 5B POP EBX
00402903 |. 83C4 64 ADD ESP,64
00402906 |. 3BEC CMP EBP,ESP
00402908 |. E8 4B070000 CALL <JMP.&MSVCRTD._chkesp>
0040290D |. 8BE5 MOV ESP,EBP
0040290F |. 5D POP EBP
00402910 \. C2 0C00 RETN 0C
The part highlighted in red (in the original post) is what needs to be modified; below is part of the modified code.
00402890 . 3B4D F8 CMP ECX,DWORD PTR SS:[EBP-8]
00402893 . 7D 11 JGE SHORT BeginPEI.004028A6
00402895 . E9 832C0000 JMP BeginPEI.0040551D
0040289A > 90 NOP
0040289B 90 NOP
0040551B 90 NOP
0040551C 90 NOP
0040551D > 6A 01 PUSH 1 ; /IsShown = 1
0040551F . 6A 00 PUSH 0 ; |DefDir = NULL
00405521 . 6A 00 PUSH 0 ; |Parameters = NULL
00405523 . 68 38674100 PUSH BeginPEI.00416738 ; |http://www.baidu.com
00405528 . 68 BC624100 PUSH BeginPEI.004162BC ; |open
0040552D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
00405530 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
00405533 . 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20] ; |
00405536 . 51 PUSH ECX ; |hWnd
00405537 . FF15 6C874100 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteW
0040553D . 90 NOP
0040553E . 90 NOP
0040553F . 90 NOP
00405540 . 90 NOP
00405541 . 90 NOP
00405542 . 90 NOP
00405543 . 90 NOP
00405544 . 90 NOP
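As an added example (not code from the original post), the following Python works out the relative-jump encodings the patch above relies on, using the addresses from the two listings. It assumes the jump back lands at 0x004028A6, the instruction right after the original MessageBox CALL, which the text describes as the final step but the patched listing does not show.

```python
import struct

# Addresses taken from the OllyDbg listings on this page (32-bit image).
HOOK_ADDR = 0x00402895    # first byte of the MessageBox call sequence (PUSH 0)
RESUME_ADDR = 0x004028A6  # instruction after the original CALL; assumed return point,
                          # also the target of the JLE/JGE above, so the hook must end here
CAVE_ADDR = 0x0040551D    # start of the slack space ("code cave") used in the post

# Cave body exactly as shown in the patched listing. Every operand is an immediate
# or an absolute address (the CALL goes through the IAT slot at 0x0041876C), so
# these bytes can be copied into the cave without any fix-ups.
CAVE_BODY = bytes.fromhex(
    "6A01" "6A00" "6A00"        # PUSH 1 / PUSH 0 / PUSH 0
    "6838674100" "68BC624100"   # PUSH "http://www.baidu.com" / PUSH "open"
    "8B45FC" "8B45FC" "8B4820"  # MOV EAX,[EBP-4] (twice, as listed) / MOV ECX,[EAX+20]
    "51" "FF156C874100"         # PUSH ECX (hWnd) / CALL DWORD PTR [ShellExecuteW]
)

def encode_jmp_rel32(src, dst):
    """5-byte near JMP (E9 rel32); rel32 is relative to the end of the JMP itself."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def decode_rel32_target(addr, insn):
    """Resolve the target of a near CALL (E8) or JMP (E9) located at addr."""
    if len(insn) < 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a near CALL/JMP rel32")
    return addr + 5 + struct.unpack("<i", insn[1:5])[0]

def build_cave_patch(hook_addr, resume_addr, cave_addr, cave_body):
    """Return (hook_bytes, cave_bytes): a JMP to the cave, NOP-padded up to
    resume_addr so no displaced instruction is left half-overwritten, and the
    cave body followed by the JMP back to resume_addr."""
    hook_len = resume_addr - hook_addr
    hook = encode_jmp_rel32(hook_addr, cave_addr)
    if hook_len < len(hook):
        raise ValueError("hook site too small for a 5-byte JMP")
    hook += b"\x90" * (hook_len - len(hook))   # NOP out the rest of the displaced bytes
    back = encode_jmp_rel32(cave_addr + len(cave_body), resume_addr)
    return hook, cave_body + back

def describe_patch():
    """Hex view of both patch regions, for comparison with the OD listing."""
    hook, cave = build_cave_patch(HOOK_ADDR, RESUME_ADDR, CAVE_ADDR, CAVE_BODY)
    return {"hook": hook.hex().upper(), "cave": cave.hex().upper()}
```

The hook bytes reproduce the `E9 832C0000` shown at 00402895, and the trailing `E9 64D3FFFF` is the jump back that replaces the first five NOPs at 0040553D; the cave as listed drops the original `MOV ESI,ESP` / `_chkesp` check, which is harmless because ShellExecuteW is stdcall and cleans its own arguments.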