我们都知道，标准 Delphi 程序启动时一定会调用 GetModuleHandleA 这个函数。很多壳会对 OEP 做处理——例如到达 OEP 后清除/还原代码、偷取代码（Stolen Bytes）等。只要 Hook 这个函数，并在 Hook 里让程序暂停下来，那么壳此时很可能还没有完成对代码的清除，我们 dump 出来的代码就是完整的，或至少是可分析的。当然，这个工具很容易改成 Hook 其他函数。下面给出代码，大家自行研究。
unit Unit1;
interface
uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Grids;
type
  { Debug window created by the DLL's initialization code.
    StringGrid1 is filled by Transact with the hooked caller's stack
    (address / value pairs). Both event handlers simply call Hook.
    lbl1/lbl2 are the static "ESP->" / "EBP->" captions from the DFM. }
  TForm1 = class(TForm)
    lbl1: TLabel;
    lbl2: TLabel;
    StringGrid1: TStringGrid;
    btn1: TButton;
    procedure btn1Click(Sender: TObject);   { installs the hook on demand }
    procedure FormShow(Sender: TObject);    { installs the hook when the form is shown }
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
  _kernel32hwnd:cardinal;    { HMODULE of the real kernel32.dll; Hook later
                               overwrites it with the address of its GetModuleHandleA }
  _oldPage:Cardinal;         { previous page protection returned by VirtualProtect }
  _hgetadr:cardinal;         { address of HGetmoduleHandleA, the detour written into kernel32 }
  _modulehwnd:Cardinal;      { declared but never referenced anywhere in this unit }
  __modulehwnd:Cardinal;     { GetModuleHandleA inside the renamed kernel32 copy;
                               HGetmoduleHandleA tail-jumps here }
  __kernel32hwnd:cardinal;   { HMODULE of the renamed copy (_kernel32.dll) }
  _esp,_ebp:Cardinal;        { hooked caller's ESP/EBP as saved by HGetmoduleHandleA
                               after its PUSHAD/PUSHFD; read by Transact }
  _msgnum:Cardinal;          { how many times the hook has fired; shown in the MessageBox }
procedure Hook;
implementation
{$R *.dfm}
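{ Lists the hooked caller's stack in StringGrid1 and then blocks in a
  MessageBox so the (packed) target can be dumped while it is paused.

  Called from HGetmoduleHandleA after that routine has saved the hooked
  caller's ESP into the global _esp. That value was captured after a PUSHAD
  (8 dwords) and a PUSHFD (1 dword), so _esp + 36 is the stack pointer the
  caller had when it called GetModuleHandleA, i.e. the slot holding the
  return address into the program. 101 dwords are listed from there upwards.

  Fixes over the original:
    * The DFM creates StringGrid1 with RowCount = 50, but the loop writes
      rows 1..101; Cells[] beyond RowCount raises a grid index error.
      RowCount is now grown to fit before the loop.
    * The dword read is a plain pointer dereference instead of inline asm. }
procedure Transact;
const
  { Bytes pushed by HGetmoduleHandleA before it captured _esp:
    PUSHAD (8 * 4) + PUSHFD (4). }
  SavedStateSize = 36;
  { Number of stack slots shown; same as the original 0..100 loop. }
  SlotCount = 101;
var
  Slot: Cardinal;
  SlotAddr: Cardinal;
  Grid: TStringGrid;
begin
  Grid := Form1.StringGrid1;
  { One header row plus one row per slot; the DFM only provides 50 rows. }
  if Grid.RowCount < SlotCount + 1 then
    Grid.RowCount := SlotCount + 1;
  Grid.Cells[0, 0] := 'Address';
  Grid.Cells[1, 0] := 'Value';
  for Slot := 0 to SlotCount - 1 do
  begin
    SlotAddr := _esp + Slot * 4 + SavedStateSize;
    Grid.Cells[0, Slot + 1] := IntToHex(SlotAddr, 8);
    { NOTE(review): the read is unguarded. Near the base of a shallow stack
      the highest slots could lie outside the committed stack region;
      add an IsBadReadPtr / VirtualQuery check if that is ever hit. }
    Grid.Cells[1, Slot + 1] := IntToHex(PDWORD(SlotAddr)^, 8);
  end;
  { Blocking here is the whole point: the target is paused inside its
    GetModuleHandleA call while the user dumps it. The text shown is the
    number of times the hook has fired so far. }
  MessageBox(0, PChar(IntToHex(_msgnum, 8)), '警告', MB_OK + MB_ICONINFORMATION);
  Inc(_msgnum);
end;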
{ Detour target for GetModuleHandleA. The 7-byte patch written by Hook
  lands here with the stack exactly as the hooked caller left it: [ESP] is
  the return address into the program, followed by the lpModuleName
  argument. All general registers and the flags are saved, Transact is
  called to list the stack and pause the process, the saved state is
  restored and control jumps to the untouched GetModuleHandleA inside the
  renamed kernel32 copy (__modulehwnd), which then returns to the caller.

  NOTE(review): _esp/_ebp are plain globals. Two threads calling
  GetModuleHandleA at the same time would overwrite each other's saved
  stack pointer and the `mov esp,_esp` below would restore the wrong one.
  NOTE(review): this relies on the compiler emitting no stack-frame
  prologue for this procedure (the epilogue is never reached because of
  the final jmp). If a prologue is emitted, ESP on entry is already off by
  4 and the +36 offset used in Transact no longer points at the return
  address. TODO confirm against the generated code / {$W} setting. }
procedure HGetmoduleHandleA;
label _label1; { declared but never used }
begin
  asm
    pushad;            { save EAX..EDI: 8 dwords }
    pushfd;            { save flags: 1 dword }
    mov _esp,esp;      { ESP after the 36 bytes above; Transact adds 36 back }
    mov _ebp,ebp;
    pushad;            { four extra PUSHADs = 128 bytes below the saved state;
                         presumably padding so Transact's frame stays well
                         clear of it. Not required for correctness, since ESP
                         is restored from _esp below. }
    pushad;
    pushad;
    pushad;
    call transact;
    mov ebp,_ebp;      { drop whatever Transact left on the stack }
    mov esp,_esp;
    popfd;
    popad;
    jmp __modulehwnd;  { tail-jump to the pristine GetModuleHandleA copy }
  end;
end;
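{ Installs the GetModuleHandleA detour.

  Strategy (unchanged from the original): load a renamed copy of
  kernel32.dll (_kernel32.dll) so that its GetModuleHandleA stays pristine
  and can be jumped to from the hook, then overwrite the first 7 bytes of
  the real kernel32!GetModuleHandleA with
      B8 imm32   mov eax, @HGetmoduleHandleA
      FF E0      jmp eax
  so every call from the target lands in HGetmoduleHandleA.

  Fixes over the original:
    * LoadLibrary / GetProcAddress results are checked. The original wrote
      the patch through whatever GetProcAddress returned, including nil.
    * The page is made PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE;
      while the original held PAGE_READWRITE, any other thread executing
      code on that page could fault under DEP.
    * VirtualProtect's result is checked and the old protection is restored
      through a scratch variable instead of passing _oldPage as both the
      new protection and the out-parameter.
    * FlushInstructionCache is called after patching.
    * Re-entry is ignored: FormShow and btn1Click both call Hook, and the
      original re-loaded both libraries and re-patched on every call.
    * The patch is written through a packed record instead of inline asm.

  NOTE(review): _kernel32hwnd is reused for the function address after
  holding the module handle, as in the original, in case other code reads it.
  NOTE(review): the copy is loaded from the hard-coded path
  C:\HooKDLLs\_kernel32.dll, while the accompanying text tells the reader
  to place _kernel32.dll next to the injected program. Loading a second
  kernel32 image under another name is unsupported and fragile. }
procedure Hook;
const
  CopyPath = 'C:\HooKDLLs\_kernel32.dll';
type
  { mov eax, imm32 / jmp eax : 7 bytes }
  TPatch = packed record
    MovEax: Byte;      { $B8 }
    Target: Cardinal;  { absolute address of HGetmoduleHandleA }
    JmpEax: Word;      { $E0FF, i.e. bytes FF E0 in memory }
  end;
  PPatch = ^TPatch;
var
  Func: Cardinal;
  Restored: Cardinal;
  Patch: TPatch;
begin
  { Already installed (Hook is wired to both OnShow and the button). }
  if _hgetadr <> 0 then
    Exit;

  _kernel32hwnd := LoadLibrary('kernel32.dll');
  __kernel32hwnd := LoadLibrary(CopyPath);
  if (_kernel32hwnd = 0) or (__kernel32hwnd = 0) then
  begin
    MessageBox(0, PChar('LoadLibrary failed (is ' + CopyPath + ' present?)'),
      'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;

  __modulehwnd := Cardinal(GetProcAddress(__kernel32hwnd, 'GetModuleHandleA'));
  Func := Cardinal(GetProcAddress(_kernel32hwnd, 'GetModuleHandleA'));
  if (__modulehwnd = 0) or (Func = 0) then
  begin
    MessageBox(0, 'GetProcAddress(GetModuleHandleA) failed', 'Hook',
      MB_OK + MB_ICONERROR);
    Exit;
  end;
  { Keep the original's reuse of this global for the function address. }
  _kernel32hwnd := Func;

  Patch.MovEax := $B8;
  Patch.Target := Cardinal(@HGetmoduleHandleA);
  Patch.JmpEax := $E0FF;

  { Only the 7 bytes being written need to be unprotected. }
  if not VirtualProtect(Pointer(Func), SizeOf(Patch), PAGE_EXECUTE_READWRITE, _oldPage) then
  begin
    MessageBox(0, 'VirtualProtect failed', 'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  PPatch(Func)^ := Patch;
  VirtualProtect(Pointer(Func), SizeOf(Patch), _oldPage, Restored);
  FlushInstructionCache(GetCurrentProcess, Pointer(Func), SizeOf(Patch));

  { Mark the detour as installed; also what the original stored here. }
  _hgetadr := Patch.Target;
end;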
{ Button handler: installs the GetModuleHandleA detour on demand. }
procedure TForm1.btn1Click(Sender: TObject);
begin
  Hook();
end;
{ Installs the detour as soon as the form is shown, so the target is hooked
  without the user having to press the button. }
procedure TForm1.FormShow(Sender: TObject);
begin
  Hook();
end;
end.
/
library hying7xUpK;

{ Hook DLL. When mapped into the target process it creates and shows Form1,
  whose OnShow handler calls Hook and thereby patches GetModuleHandleA.
  Hook is also exported for callers that want to install the detour
  explicitly.
  NOTE(review): this initialization section runs during DLL_PROCESS_ATTACH,
  i.e. under the loader lock; creating a VCL window here is known to be
  fragile. }

uses
  Windows,
  Unit1 in 'Unit1.pas' {Form1};

{$R *.res}

exports
  Hook;

begin
  { Form1 is still nil at this point, so the original Create(Form1) was an
    owner-less Create(nil); written explicitly here. }
  Form1 := TForm1.Create(nil);
  Form1.Show;
end.
/
object Form1: TForm1
  Left = 525
  Top = 164
  BorderIcons = [biSystemMenu, biMinimize]
  BorderStyle = bsSingle
  Caption = 'Form1'
  ClientHeight = 533
  ClientWidth = 664
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  OldCreateOrder = False
  OnShow = FormShow
  PixelsPerInch = 96
  TextHeight = 13
  object lbl1: TLabel
    Left = 456
    Top = 24
    Width = 30
    Height = 12
    Caption = 'ESP->'
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    ParentFont = False
  end
  object lbl2: TLabel
    Left = 456
    Top = 224
    Width = 30
    Height = 12
    Caption = 'EBP->'
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    ParentFont = False
  end
  object StringGrid1: TStringGrid
    Left = 493
    Top = 0
    Width = 171
    Height = 241
    ColCount = 2
    Ctl3D = True
    DefaultRowHeight = 16
    FixedCols = 0
    RowCount = 50
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    Options = [goFixedVertLine, goFixedHorzLine, goVertLine, goHorzLine, goRangeSelect, goDrawFocusSelected, goRowSizing, goColSizing, goEditing, goTabs]
    ParentCtl3D = False
    ParentFont = False
    ScrollBars = ssVertical
    TabOrder = 0
    ColWidths = (
      74
      77)
  end
  object btn1: TButton
    Left = 16
    Top = 16
    Width = 121
    Height = 33
    Caption = 'HoOk'
    TabOrder = 1
    OnClick = btn1Click
  end
end
/
注入方式请自行解决，本文不涉及。
需要把 kernel32.dll 复制一份并改名为 _kernel32.dll。注意：上面 Hook 过程中的路径写死为 C:\HooKDLLs\_kernel32.dll，所以要么把副本放到该路径，要么把代码中的路径改成被注入程序的目录。
大家一看代码就明白，我就不多说了。希望对大家有用，让脱壳越来越简单；这也是从另一种思路去理解壳——不一定非要分析壳的代码才能脱壳。