Видел такую штуку в некоторых защитах. Стало интересно как такое можно сделать.
Как вариант для ct25:
host.asm
; host.asm -- FASM (Intel syntax), 32-bit Win32 DLL.
; Assumptions: proc/endp and the import/export macros come from '%fasminc%\win32a.inc';
; Win32 API calls are stdcall (arguments pushed right-to-left, callee cleans the stack).
;
; What the file does: at load time (DllMain) it searches engine.dll for the byte pattern
; of the `lea edi,[esi+3Ch]` / `push 83Ah` / `mov word ptr [edi],2` sequence quoted in
; the reference disassembly below and overwrites the 15 bytes starting there with a
; push/ret trampoline to ClientConnHook, which substitutes the sockaddr_in built by
; FillSockaddr (szIP:wPort) for the one the client would otherwise pass to connect().
;
; NOTE(review): this is code-section patching of a third-party module. The observable
; side effects are a VirtualProtect to PAGE_EXECUTE_READWRITE on one of engine.dll's
; code pages (never restored, see FindAndHook) and 15 bytes of .text that no longer
; match the on-disk image -- exactly what a module-integrity check would flag.
;
; Reference disassembly of the target site that the signature in FindAndHook matches:
; eurooff ct25 live
;.text:203E4614 mov ebp, ds:htons
;.text:203E461A lea edi, [esi+3Ch]
;.text:203E461D push 83Ah ; hostshort
;.text:203E4622 mov word ptr [edi], 2 ; AF_INET
;.text:203E4627 call ebp ; htons
;.text:203E4629 mov edx, [esi+38h]
;.text:203E462C push 10h ; namelen
;.text:203E462E push edi ; name
;.text:203E462F push edx ; s
;.text:203E4630 mov [esi+3Eh], ax
;.text:203E4634 call ds:connect
format PE GUI 4.0 DLL
entry DllMain                   ; DllMain is both the PE entry point and an export (see '.edata')
include '%fasminc%\win32a.inc'
section '.data' data readable writeable
dd 0                            ; zero dwords between items: purpose not stated (spacing/alignment, presumably)
enginedll db 'engine.dll',0     ; name of the module whose code is searched and patched
lpflOP dd 0                     ; receives the old page protection from VirtualProtect (never re-applied)
dwConnFunc dd ?                 ; address of the 15-byte patch site in engine.dll; undefined until FindAndHook succeeds
dd 0
sin sockaddr_in                 ; replacement sockaddr_in (struct assumed to come from the include); filled by FillSockaddr, handed to connect() by ClientConnHook
dd 0
szIP db '127.0.0.1',0           ; replacement IPv4 address as a dotted string (parsed by inet_addr)
dd 0
wPort dw 2106                   ; replacement TCP port in host byte order (htons applied in FillSockaddr)
dd 0
IsPatched dd 0                  ; 1 once the trampoline has been written; DllMain skips all work when set
section '.text' code readable executable
;-----------------------------------------------------------------------
; BOOL DllMain(...) -- PE entry point (`entry DllMain`) and exported symbol.
; ABI:   the loader calls this as stdcall with (hinstDLL, fdwReason, lpvReserved);
;        no parameters are declared here, so none of them is read and `ret` pops
;        nothing. NOTE(review): a stdcall DllMain would `ret 12`; whether the
;        plain `ret` is safe depends on the loader restoring esp itself -- TODO confirm.
; Out:   eax = 1 (TRUE) on every call reason, whether or not the hook was installed.
; Behaviour: while IsPatched == 0 every call runs FindAndHook and then FillSockaddr;
;        FillSockaddr runs even if FindAndHook did not find the pattern. The flag
;        is read and written without any synchronisation. All of this happens
;        inside DllMain, i.e. under the loader lock, including the ws2_32 calls
;        made by FillSockaddr.
; Clobb: eax, flags. The two callees preserve all registers via pushad/popad.
;-----------------------------------------------------------------------
proc DllMain
cmp dword [IsPatched], 1
je @F                           ; already patched: nothing to do
call FindAndHook                ; locate and overwrite the connect() call site (sets IsPatched on success)
call FillSockaddr               ; build the replacement sockaddr_in from szIP / wPort
@@:
mov eax, 1                      ; return TRUE
ret
endp
;-----------------------------------------------------------------------
; void FillSockaddr(void)
; Fills the global `sin` (sockaddr_in) with szIP / wPort / AF_INET.
; In:    none (reads globals szIP, wPort)
; Out:   sin.sin_addr   = inet_addr(szIP)
;        sin.sin_port   = htons(wPort)
;        sin.sin_family = AF_INET
;        nothing is returned in registers.
; Clobb: none visible to the caller (pushad/popad); flags are not preserved.
; Stack: esp is saved in ebp and restored before popad -- see the note on `push [wPort]`.
; NOTE(review): neither result is checked. inet_addr returns INADDR_NONE for a
;        string it cannot parse and that value would be stored as-is. Both calls
;        are ws2_32 functions made from DllMain; they assume the host process has
;        already called WSAStartup -- TODO confirm for the way this DLL is loaded.
;-----------------------------------------------------------------------
proc FillSockaddr ; fill the sockaddr_in struct
pushad
mov ebp, esp                    ; remember esp: the htons call below leaves it unbalanced
push szIP                       ; address of the dotted-quad string
call [inet_addr]                ; eax = IPv4 address in network byte order
mov [sin.sin_addr], eax
push [wPort]                    ; wPort is a `dw`, so this is a 16-bit push (2 bytes).
                                ; htons reads only the low 16 bits of its argument slot
                                ; and cleans 4 bytes with `ret 4`, so esp ends up 2 bytes
                                ; off afterwards; `mov esp, ebp` below repairs that. A dword
                                ; push (movzx eax, word [wPort] / push eax) would keep the
                                ; stack balanced.
call [htons]                    ; ax = port in network byte order
mov word [sin.sin_port], ax
mov word [sin.sin_family], AF_INET
mov esp, ebp                    ; repair the stack (see above)
popad
ret
endp
;-----------------------------------------------------------------------
; void FindAndHook(void)
; Scans engine.dll for the 9-byte signature 8D 7E 3C 68 3A 08 00 00 66, i.e.
; `lea edi,[esi+3Ch]` / `push 83Ah` / first byte of `mov word ptr [edi],2`
; (see the reference disassembly at the top of the file). On a hit it makes the
; 15 bytes starting at the `lea` writable and overwrites them with
; `push ClientConnHook / ret` followed by NOPs, then records the patch address in
; dwConnFunc and sets IsPatched = 1. If the signature is not found within
; 02000000h bytes of the module base nothing is written and IsPatched stays 0.
; In:    none (reads global enginedll; writes lpflOP, dwConnFunc, IsPatched)
; Out:   nothing in registers (pushad/popad)
; Clobb: flags only, from the caller's point of view
; Register roles inside: edi = scan cursor, later the patch address; ecx = bytes
;        left to scan; al = signature byte 0; ebx/edx = signature bytes 1..8;
;        esi = address of ClientConnHook.
; NOTE(review) -- checks this routine does not make:
;   * the GetModuleHandleA result is not tested for 0: if engine.dll is not loaded
;     the scan starts at address 0 and faults;
;   * the scan window is a fixed 02000000h bytes rather than the module's size, so
;     `repne scasb` can run past the end of the mapping into unmapped pages;
;   * VirtualProtect's return value is ignored and the old protection saved in
;     lpflOP is never re-applied, so the page stays PAGE_EXECUTE_READWRITE;
;   * no FlushInstructionCache after writing code (x86 is coherent in practice,
;     but the documented contract asks for it);
;   * `jcxz @F` treats ecx == 0 as "not found", which also discards a match that
;     lands on the very last byte of the window.
;-----------------------------------------------------------------------
proc FindAndHook
pushad
mov ebp, esp                    ; safety net: esp is restored from ebp on exit
push enginedll
call [GetModuleHandleA] ; Search from engine.dll base
mov edi, eax                    ; edi = scan start = module base (0 if not loaded -- unchecked)
cld                             ; scan forward
mov ecx, 02000000h ; not more 02000000h
mov al, 08Dh                    ; signature byte 0: opcode byte of `lea edi,[esi+3Ch]`
mov ebx, 03A683C7Eh             ; signature bytes 1..4, little-endian: 7E 3C 68 3A
mov edx, 066000008h             ; signature bytes 5..8, little-endian: 08 00 00 66
@@:
repne scasb                     ; find the next 8Dh; leaves edi one past it, ecx = bytes left
jcxz @F                         ; window exhausted: leave without patching
cmp dword[edi], ebx
jne @B                          ; only a partial match: keep scanning from here
cmp dword[edi + 4h], edx
jne @B
dec edi                         ; edi = address of the 8Dh, i.e. of the `lea`
cld                             ; redundant: DF is still clear from above
push lpflOP                     ; lpflOldProtect = &lpflOP
push 40h                        ; flNewProtect   = PAGE_EXECUTE_READWRITE
push 0Fh                        ; dwSize         = 15 bytes (lea + push + mov + call ebp)
push edi                        ; lpAddress
call [VirtualProtect] ; the code section may be mapped read-execute only, so make it writable first
mov [dwConnFunc], edi           ; remember the patch site for ClientConnHook
mov eax, 090909090h ; nop old code
mov [edi + 06h], eax            ; bytes 6..9    = NOP
mov [edi + 07h], eax            ; bytes 7..0Ah  = NOP (overlaps the previous store)
mov [edi + 0Bh], eax            ; bytes 0Bh..0Eh = NOP; ClientConnHook returns to +0Eh
mov esi, ClientConnHook         ; absolute address, fixed up through '.reloc'
mov byte [edi], 068h ; push imm32
mov [edi + 1h], esi             ; push <ClientConnHook>
mov byte [edi + 5h], 0C3h ; ret -- push/ret acts as an indirect jump into the hook
mov [IsPatched], 1              ; only reached after a successful patch
@@:
mov esp, ebp
popad
ret
endp
;-----------------------------------------------------------------------
; ClientConnHook -- entered through the push/ret trampoline written by FindAndHook,
; in place of the original `lea edi,[esi+3Ch] / push 83Ah / mov word [edi],2 /
; call ebp (htons)`. Not a normal procedure: it is reached by `ret`, has no
; caller frame, and leaves by `ret` to dwConnFunc+0Eh (the last NOP), so
; execution falls into the surviving `mov edx,[esi+38h] ... call connect`.
; In:    esi = the client's object pointer (left untouched; the surviving code
;        still reads [esi+38h] and writes [esi+3Eh]). eax is not modified here or
;        by the trampoline, so the surviving `mov [esi+3Eh], ax` stores whatever
;        ax happened to hold -- into the client's own struct, which is no longer
;        the one passed to connect().
; Out:   edi = &sin, which the surviving code pushes as connect()'s `name`.
; Clobb: edi (intentionally), flags.
; NOTE(review): `add di, 0Eh` is a 16-bit add, so any carry out of bit 15 is
;        dropped; the return address is only right when the low 16 bits of
;        dwConnFunc do not exceed 0FFF1h (a 32-bit add on edi has no such limit).
;        The form also needs a 66h operand-size prefix and is a partial-register write.
;-----------------------------------------------------------------------
proc ClientConnHook
mov edi, dword [dwConnFunc]    ; edi = patch site
add di, 0Eh ; ret lil far -- target = patch site + 0Eh, the last NOP before the surviving code
push edi                        ; return address for the `ret` below
mov edi, sin ; edi - ptr to sockaddr_in (absolute address, fixed up through '.reloc')
ret                             ; resume in engine.dll at dwConnFunc+0Eh
endp
section '.idata' import data readable
; Imports: only four API entry points are used; all calls go through the IAT (`call [name]`).
library kernel32, 'kernel32.dll',\
ws2_32, 'ws2_32.dll'
import kernel32,\
GetModuleHandleA, 'GetModuleHandleA',\
VirtualProtect, 'VirtualProtect'
import ws2_32,\
inet_addr, 'inet_addr',\
htons, 'htons'
section '.edata' export data readable
; Export table: DllMain is exported under the module name 'host.dll'.
export 'host.dll',\
DllMain, 'DllMain'
; Relocations are required because the code uses absolute addresses (push szIP,
; mov esi, ClientConnHook, mov edi, sin) that must be fixed up if the DLL is not
; loaded at its preferred base.
section '.reloc' data discardable fixups