Number of visible lines after stepped command
步入下条命令时,保持后面还有几行可见,最多只能是11行,令人很不爽,现修改如下(针对Ollydbg v1.1):
方法一,修改配置文件和一个字节的程序代码,简单快速:用16进制编辑器将OllyDbg的0003739f偏移处的833DC4E54D000A的0A改成7F,就可以破除限制了,而后的步骤是改ollydbg.ini,将[Settings]区段的Number of lines that follow EIP=的后面改为127以内的数比如说12即可(没有则添加)。
方法二,修改一小段程序代码,繁琐但优雅:
具体步骤:
首先,按照方法一中的描述,修改指定的一个字节。
然后,将这里图片所附压缩包中文件的二进制数据覆盖到Ollydbg或OllyIce的6d5f5h偏移处;如果该文件与目标位置的前10个字节不一致,说明文件版本不正确,不可盲目修改。
代码来源——用MUltimate Assembler进行多行汇编patch:我现在认为当初避开重定位的方法不对
; MUltimate Assembler patch for OllyDbg v1.1 (module "Shadow"). It replaces the
; hard-coded "2 lines".."10 lines" CB_ADDSTRING sequence at 0046E038..0046E0EB
; with a loop that builds "2 lines".."99 lines" from the existing "2 lines"
; string, and adds WS_VSCROLL to the combobox so the longer list can scroll.
; Each <address> marker pins the instructions that follow it to that VA; the
; markers only line up if every byte count in between is exact, so the db
; fillers below are length-critical and must not be replaced by other encodings.
; Register roles: edi = combobox hWnd (loaded by the original `mov edi,eax` at
; 0046E012 after CreateWindowExA); esi is saved/restored around the copy;
; eax/ecx/edx are scratch (volatile across the SendMessageA calls anyway).
; Stack: 12 bytes reserved at esp for the text "NN lines\0", released on exit.
; The db fillers are placed over the .reloc slots of the overwritten
; `push <string>` instructions: a base fixup (if the loader ever applied one)
; would only change the immediate/displacement of an instruction whose result
; (ecx) is not read before it is next written, so the code stays valid.
; NOTE(review): the .ini check at 00437D99 is widened from 0A to 7F (0..126),
; but this loop only creates list indices up to 99 ("99 lines"); a stored value
; of 100..126 presumably selects nothing in the dialog — confirm before relying
; on it.
<0046DFFC>
push 40A10203 ;window style: original 40810203 | 0x00200000 (WS_VSCROLL)
<0046E038>
push 004C0A1E ;address of "2 lines"; identical bytes to the original push, so its existing .reloc entry stays correct
mov eax,esi ;eax = caller's esi (saved for later)
pop esi ;esi = &"2 lines"
sub esp,0c ;reserve the 12-byte string buffer at esp
lea edx,byte ptr ss:[esp+1] ;edx = buffer+1 (buffer[0] is reserved for the tens digit)
push eax ;save caller's esi
push edi ;save combobox hWnd
db 8D,89,00,00,00,00 ;lea ecx,[ecx+0]: 6-byte filler over the reloc slot of the old `push 004C0A26`; ecx is reloaded below before use
mov edi,edx ;edi = destination (buffer+1)
cld ;forward direction for rep movs
push 8 ;8 bytes: "2 lines" plus the NUL
pop ecx ;ecx = 8
rep movs byte ptr es:[edi], byte ptr ds:[esi] ;buffer[1..8] = "2 lines\0"
pop edi ;restore combobox hWnd
pop esi ;restore caller's esi
db 8b,FF ;mov edi,edi: 2-byte filler
db 8D,89,00,00,00,00 ;lea ecx,[ecx+0]: 6-byte filler over the reloc slot of the old `push 004C0A2E`; ecx not read before it is rewritten
pop eax ;eax = buffer[0..3]
mov al,30 ;buffer[0] = '0', so the buffer now reads "02 lines"
push eax ;write it back
<0046E065>
mov eax,esp ;loop head, one CB_ADDSTRING per iteration: eax = &buffer
cmp byte ptr ss:[esp],30 ;is the tens digit a leading '0'?
jne 0046E06E ;no: pass "NN lines" as is
inc eax ;yes: pass buffer+1, i.e. "N lines"
<0046E06E>
db B9,00,00,00,00 ;mov ecx,0: 5-byte filler over the reloc slot of the old `push 004C0A36`
push eax ;lParam = string
push 0 ;wParam = 0
push 143 ;Message = CB_ADDSTRING
push edi ;hWnd = combobox
db 8D,4C,21,00 ;lea ecx,[ecx+0]: 4-byte filler so the call lands at 0046E080
call 0x004AF570 ;jmp.&USER32.SendMessageA (same target as the original E8 calls); relative call, no reloc of its own. NOTE(review): its rel32 sits on the reloc slot of the old `push 004C0A3E` at 0046E080, so a base fixup would add the image delta to a PC-relative displacement and divert the call — presumably fine only because the EXE loads at its preferred base
mov ax, word ptr ss:[esp] ;al = tens digit, ah = ones digit
inc ah ;ones++
cmp ah,0x3a ;carried past '9'?
jne 0046E09A ;no: store as is
inc al ;yes: tens++
db B9,00,00,00,00 ;mov ecx,0: 5-byte filler over the reloc slot of the old `push 004C0A46`
sub ah,0x0a ;ones: ':' -> '0'
<0046E09A>
mov word ptr ss:[esp], ax ;write the counter back to buffer[0..1]
xchg ah,al ;ax = tens:ones so a plain compare orders numerically
cmp ax,0x3939 ;past "99"?
db B9,00,00,00,00 ;mov ecx,0: 5-byte filler over the reloc slot of the old `push 004C0A46` at 0046E0A4; mov leaves the flags of the compare intact
jbe 0046E065 ;<= "99": add the next entry
add esp,0c ;release the string buffer
jmp 0046E0EC ;resume at the original CB_SETCURSEL; the old bytes from 0046E0B0 to 0046E0EB are skipped
; Filler encodings of length 1..7 bytes (nop / mov edi,edi / lea ecx,[ecx+0]
; variants / mov ecx,0); none of them alters flags, and the ones that write
; ecx may only be used where ecx is not read before it is next written.
;db 90
;db 8b,FF
;db 8D,49,00
;db 8D,4C,21,00
;db B9,00,00,00,00
;db 8D,89,00,00,00,00
;db 8D,8C,21,00,00,00,00
PS:
读取配置文件时的参数校验:
00437D8B . A3 C4E54D00 mov dword ptr ds:[4DE5C4], eax
00437D90 . 833D C4E54D00 00 cmp dword ptr ds:[4DE5C4], 0
00437D97 . 7C 09 jl short Shadow.00437DA2
00437D99 . 833D C4E54D00 0A cmp dword ptr ds:[4DE5C4], 0A
00437DA0 . 7C 08 jl short Shadow.00437DAA
00437DA2 > 33C9 xor ecx, ecx
00437DA4 . 890D C4E54D00 mov dword ptr ds:[4DE5C4], ecx
配置对话框初始化:
0046DFCA |. 6A 00 |push 0 ; /lParam = NULL
0046DFCC |. 8B15 783B4D00 |mov edx, dword ptr ds:[4D3B78] ; |
0046DFD2 |. 52 |push edx ; |hInst => NULL
0046DFD3 |. 8D8B E20E0000 |lea ecx, dword ptr ds:[ebx+EE2] ; |
0046DFD9 |. 51 |push ecx ; |hMenu
0046DFDA |. 8B45 D4 |mov eax, [local.11] ; |
0046DFDD |. 8B10 |mov edx, dword ptr ds:[eax] ; |
0046DFDF |. 52 |push edx ; |hParent
0046DFE0 |. 8B8D 78FAFFFF |mov ecx, [local.354] ; |
0046DFE6 |. 51 |push ecx ; |Height
0046DFE7 |. 8B85 74FAFFFF |mov eax, [local.355] ; |
0046DFED |. 50 |push eax ; |Width
0046DFEE |. 8B95 70FAFFFF |mov edx, [local.356] ; |
0046DFF4 |. 52 |push edx ; |Y
0046DFF5 |. 8B8D 6CFAFFFF |mov ecx, [local.357] ; |
0046DFFB |. 51 |push ecx ; |X
0046DFFC 68 03028140 |push 40810203 ; |Style = WS_CHILD|WS_TABSTOP|WS_BORDER|203
0046E001 |. 68 44F24B00 |push Shadow.004BF244 ; |WindowName = ""
0046E006 |. 68 22094C00 |push Shadow.004C0922 ; |Class = "COMBOBOX"
0046E00B |. 6A 00 |push 0 ; |ExtStyle = 0
0046E00D |. E8 8A130400 |call <jmp.&USER32.CreateWindowExA> ; \CreateWindowExA
0046E012 |. 8BF8 |mov edi, eax
0046E014 68 0F0A4C00 push Shadow.004C0A0F ; ASCII "Default"
0046E019 |. 6A 00 |push 0 ; |wParam = 0
0046E01B |. 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E020 |. 57 |push edi ; |hWnd
0046E021 |. E8 4A150400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E026 68 170A4C00 push Shadow.004C0A17 ; ASCII "1 line"
0046E02B |. 6A 00 |push 0 ; |wParam = 0
0046E02D |. 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E032 |. 57 |push edi ; |hWnd
0046E033 |. E8 38150400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E038 68 1E0A4C00 push Shadow.004C0A1E ; ASCII "2 lines"
0046E03D 6A 00 |push 0 ; |wParam = 0
0046E03F 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E044 57 |push edi ; |hWnd
0046E045 E8 26150400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E04A 68 260A4C00 push Shadow.004C0A26 ; ASCII "3 lines"
0046E04F 6A 00 |push 0 ; |wParam = 0
0046E051 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E056 57 |push edi ; |hWnd
0046E057 E8 14150400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E05C 68 2E0A4C00 push Shadow.004C0A2E ; ASCII "4 lines"
0046E061 6A 00 |push 0 ; |wParam = 0
0046E063 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E068 57 push edi
0046E069 E8 02150400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E06E 68 360A4C00 push Shadow.004C0A36 ; ASCII "5 lines"
0046E073 6A 00 |push 0 ; |wParam = 0
0046E075 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E07A 57 |push edi ; |hWnd
0046E07B E8 F0140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E080 68 3E0A4C00 push Shadow.004C0A3E ; ASCII "6 lines"
0046E085 6A 00 |push 0 ; |wParam = 0
0046E087 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E08C 57 |push edi ; |hWnd
0046E08D E8 DE140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E092 68 460A4C00 push Shadow.004C0A46 ; ASCII "7 lines"
0046E097 6A 00 |push 0 ; |wParam = 0
0046E099 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E09E 57 |push edi ; |hWnd
0046E09F E8 CC140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E0A4 68 460A4C00 push Shadow.004C0A46 ; ASCII "7 lines"
0046E0A9 6A 00 |push 0 ; |wParam = 0
0046E0AB 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E0B0 57 |push edi ; |hWnd
0046E0B1 E8 BA140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E0B6 68 4E0A4C00 push Shadow.004C0A4E ; ASCII "8 lines"
0046E0BB 6A 00 |push 0 ; |wParam = 0
0046E0BD 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E0C2 57 |push edi ; |hWnd
0046E0C3 E8 A8140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E0C8 68 560A4C00 push Shadow.004C0A56 ; ASCII "9 lines"
0046E0CD 6A 00 |push 0 ; |wParam = 0
0046E0CF 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E0D4 57 |push edi ; |hWnd
0046E0D5 E8 96140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E0DA 68 5E0A4C00 push Shadow.004C0A5E ; ASCII "10 lines"
0046E0DF |. 6A 00 |push 0 ; |wParam = 0
0046E0E1 |. 68 43010000 |push 143 ; |Message = CB_ADDSTRING
0046E0E6 |. 57 |push edi ; |hWnd
0046E0E7 |. E8 84140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
0046E0EC |. 6A 00 |push 0 ; /lParam = 0
0046E0EE |. A1 C4E54D00 |mov eax, dword ptr ds:[4DE5C4] ; |
0046E0F3 |. 50 |push eax ; |wParam => 0
0046E0F4 |. 68 4E010000 |push 14E ; |Message = CB_SETCURSEL
0046E0F9 |. 57 |push edi ; |hWnd
0046E0FA |. E8 71140400 |call <jmp.&USER32.SendMessageA> ; \SendMessageA
配置对话框保存行号变量:
0046CAB7 |. 6A 00 push 0 ; /lParam = 0
0046CAB9 |. 6A 00 push 0 ; |wParam = 0
0046CABB |. 68 47010000 push 147 ; |Message = CB_GETCURSEL
0046CAC0 |. 50 push eax ; |ControlID
0046CAC1 |. 8B45 08 mov eax, [arg.1] ; |
0046CAC4 |. 50 push eax ; |hWnd
0046CAC5 |. E8 A02A0400 call <jmp.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA
0046CACA |. 8D145B lea edx, dword ptr ds:[ebx+ebx*2]
0046CACD |. 8B0F mov ecx, dword ptr ds:[edi]
0046CACF |. 8B54D1 10 mov edx, dword ptr ds:[ecx+edx*8+10]
0046CAD3 |. 8902 mov dword ptr ds:[edx], eax ; 更改行数时负责写入
0046CAD5 |. 833D 4CB34E00 01 cmp dword ptr ds:[4EB34C], 1
0046CADC |. 0F85 F6000000 jnz Shadow.0046CBD8
0046CAE2 |. C745 FC 01000000 mov [local.1], 1
0046CAE9 |. E9 EA000000 jmp Shadow.0046CBD8
F8步过回调函数子程序关键部分(包含默认行数是3的代码,禁止行数大于显示区域的一半的代码):
0044B964 |> \8B15 C4E54D00 mov edx, dword ptr ds:[4DE5C4] ; 取得设置的行号
0044B96A |. 85D2 test edx, edx
0044B96C |. 7E 75 jle short Shadow.0044B9E3 ; 行数是否等于0
0044B96E |. 8955 F8 mov [local.2], edx
0044B971 |. 8BD7 mov edx, edi
0044B973 |. D1FA sar edx, 1
0044B975 |. 79 03 jns short Shadow.0044B97A
0044B977 |. 83D2 00 adc edx, 0
0044B97A |> 42 inc edx
0044B97B |. 3B55 F8 cmp edx, [local.2]
0044B97E |. 7D 03 jge short Shadow.0044B983 ; 禁止行数大于edx=显示区域(edi)的一半+1
0044B980 |. 8955 F8 mov [local.2], edx
0044B983 |> 8BD7 mov edx, edi ; edx=显示区域的总行数
0044B985 |. 8B4D F8 mov ecx, [local.2]
0044B988 |. 2B55 FC sub edx, [local.1] ; edx=当前剩余的行数(当前行以下的行数(包括当前行));[local.1] = 显示区域中当前行上面的行数
0044B98B |. 41 inc ecx ; ecx=应当剩余的行数+1
0044B98C |. 2BCA sub ecx, edx
0044B98E |. 894D F8 mov [local.2], ecx ; 二者之间的距离,正常为负
0044B991 |. 837D F8 00 cmp [local.2], 0
0044B995 |. 7C 1E jl short Shadow.0044B9B5
0044B997 |. 8B4D F8 mov ecx, [local.2] ; 为正或0(不正常)时的调整
0044B99A |. 3B4D E4 cmp ecx, [local.7] ; [local.7]=下面栈中数组的大小
0044B99D |. 73 16 jnb short Shadow.0044B9B5
0044B99F |. 3BF0 cmp esi, eax
0044B9A1 |. 75 12 jnz short Shadow.0044B9B5
0044B9A3 |. 8B45 F8 mov eax, [local.2]
0044B9A6 |. 8B4485 A0 mov eax, dword ptr ss:[ebp+eax*4-60]
0044B9AA |. 8983 7D030000 mov dword ptr ds:[ebx+37D], eax ; 设置向上滚动eax行(设置页的起始地址)
0044B9B0 |. E9 C6000000 jmp Shadow.0044BA7B
0044B9B5 |> 3B7D FC cmp edi, [local.1] ; 为负(正常)时的处理
0044B9B8 |. 7E 0F jle short Shadow.0044B9C9
0044B9BA |. 3BF0 cmp esi, eax
0044B9BC |. 73 0B jnb short Shadow.0044B9C9
0044B9BE |. 89B3 7D030000 mov dword ptr ds:[ebx+37D], esi
0044B9C4 |. E9 B2000000 jmp Shadow.0044BA7B
0044B9C9 |> 3BF0 cmp esi, eax
0044B9CB |. 0F84 AA000000 je Shadow.0044BA7B
0044B9D1 |. 89B3 7D030000 mov dword ptr ds:[ebx+37D], esi
0044B9D7 |. C745 EC 01000000 mov [local.5], 1
0044B9DE |. E9 98000000 jmp Shadow.0044BA7B ; 大于0的处理结束
0044B9E3 |> 3BF0 cmp esi, eax ; 如果等于0的处理
0044B9E5 |. 75 18 jnz short Shadow.0044B9FF
0044B9E7 |. 83FF 0A cmp edi, 0A
0044B9EA |. 7E 13 jle short Shadow.0044B9FF
0044B9EC |. 8D57 FF lea edx, dword ptr ds:[edi-1]
0044B9EF |. 3B55 FC cmp edx, [local.1]
0044B9F2 |. 75 0B jnz short Shadow.0044B9FF
0044B9F4 |. 8B4D A8 mov ecx, [local.22]
0044B9F7 |. 898B 7D030000 mov dword ptr ds:[ebx+37D], ecx ; 设置向上滚动3行
0044B9FD |. EB 7C jmp short Shadow.0044BA7B
0044B9FF |> 3BF0 cmp esi, eax
0044BA01 |. 75 25 jnz short Shadow.0044BA28
0044BA03 |. 83FF 0A cmp edi, 0A
0044BA06 |. 7E 08 jle short Shadow.0044BA10
0044BA08 |. 8D57 FE lea edx, dword ptr ds:[edi-2]
0044BA0B |. 3B55 FC cmp edx, [local.1]
0044BA0E |. 74 0D je short Shadow.0044BA1D
0044BA10 |> 83FF 04 cmp edi, 4
0044BA13 |. 7E 13 jle short Shadow.0044BA28
0044BA15 |. 8D4F FF lea ecx, dword ptr ds:[edi-1]
0044BA18 |. 3B4D FC cmp ecx, [local.1]
0044BA1B |. 75 0B jnz short Shadow.0044BA28
0044BA1D |> 8B45 A4 mov eax, [local.23]
0044BA20 |. 8983 7D030000 mov dword ptr ds:[ebx+37D], eax ; 设置向上滚动2行
0044BA26 |. EB 53 jmp short Shadow.0044BA7B
0044BA28 |> 3BF0 cmp esi, eax
0044BA2A |. 75 2D jnz short Shadow.0044BA59
0044BA2C |. 83FF 0A cmp edi, 0A
0044BA2F |. 7E 08 jle short Shadow.0044BA39
0044BA31 |. 8D57 FD lea edx, dword ptr ds:[edi-3]
0044BA34 |. 3B55 FC cmp edx, [local.1]
0044BA37 |. 74 15 je short Shadow.0044BA4E
0044BA39 |> 83FF 04 cmp edi, 4
0044BA3C |. 7E 08 jle short Shadow.0044BA46
0044BA3E |. 8D4F FE lea ecx, dword ptr ds:[edi-2]
0044BA41 |. 3B4D FC cmp ecx, [local.1]
0044BA44 |. 74 08 je short Shadow.0044BA4E
0044BA46 |> 8D57 FF lea edx, dword ptr ds:[edi-1]
0044BA49 |. 3B55 FC cmp edx, [local.1]
0044BA4C |. 75 0B jnz short Shadow.0044BA59
0044BA4E |> 8B45 A0 mov eax, [local.24]
0044BA51 |. 8983 7D030000 mov dword ptr ds:[ebx+37D], eax ; 设置向上滚动1行
0044BA57 |. EB 22 jmp short Shadow.0044BA7B
0044BA59 |> 3B7D FC cmp edi, [local.1]
0044BA5C |. 7E 0C jle short Shadow.0044BA6A
0044BA5E |. 3BF0 cmp esi, eax
0044BA60 |. 73 08 jnb short Shadow.0044BA6A
0044BA62 |. 89B3 7D030000 mov dword ptr ds:[ebx+37D], esi
0044BA68 |. EB 11 jmp short Shadow.0044BA7B
0044BA6A |> 3BF0 cmp esi, eax
0044BA6C |. 74 0D je short Shadow.0044BA7B
0044BA6E |. 89B3 7D030000 mov dword ptr ds:[ebx+37D], esi
0044BA74 |. C745 EC 01000000 mov [local.5], 1
0044BA7B |> 83FF 02 cmp edi, 2 ; 大于或等于0的处理均结束
END