1. Use LordPE to add a section of roughly 200h-300h bytes to ei (if ei already has a large run of empty space at its end, you can skip adding one!). The new section must be marked executable and readable (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ in its characteristics); code in a section without the execute flag faults under DEP no matter how correct it is.
2. Use Hex Workshop to fill the section with 00 or 90 (NOP). Watch the size: stay inside the section's raw size in the file.
3. Load ei in OD, press Ctrl+G and enter the VA where the section begins, then assemble the code below starting at that address. VA = RVA + ImageBase: 124000 + 00400000 = 524000.
-----------------------------------------------------------------
CMP BYTE PTR DS:[EAX],21 ★ note this address down; call it addr1=524309 (QINGREN=524EEA)
JNZ 004F165B
CMP BYTE PTR DS:[EAX+1],23
JNZ 004F136B
MOV EAX,DWORD PTR SS:[EBP-4]
MOV EAX,DWORD PTR DS:[EAX+3FC]
CMP BYTE PTR DS:[EAX+30],0
JNZ 004F164A
CALL 00407B08
MOV EDX,DWORD PTR SS:[EBP-4]
SUB EAX,DWORD PTR DS:[EDX+378]
CMP EAX,2710
JBE 004F15F9
MOV EAX,DWORD PTR SS:[EBP-4]
CMP BYTE PTR DS:[EAX+34],28
JB 004F1677
CALL 00407B08
MOV EDX,DWORD PTR SS:[EBP-4]
MOV DWORD PTR DS:[EDX+378],EAX
LEA EAX,DWORD PTR SS:[EBP-C]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-8]
CALL 00403FD4
MOV ECX,EAX
SUB ECX,2
MOV EDX,3
MOV EAX,DWORD PTR SS:[EBP-8]
CALL 004041DC
MOV EAX,DWORD PTR SS:[EBP-4]
MOV EAX,DWORD PTR DS:[EAX+24]
PUSH EAX
MOV EAX,DWORD PTR SS:[EBP-4]
MOV EAX,DWORD PTR DS:[EAX+28]
PUSH EAX
PUSH 32
MOV EDX,004F2BAC
LEA EAX,DWORD PTR SS:[EBP-360]
CALL 00402AB8
MOV EAX,DWORD PTR SS:[EBP-4]
LEA EDX,DWORD PTR DS:[EAX+15]
LEA EAX,DWORD PTR SS:[EBP-360]
MOV CL,11
CALL 00402A88
LEA EDX,DWORD PTR SS:[EBP-360]
LEA EAX,DWORD PTR SS:[EBP-138]
CALL 00402AB8
MOV EDX,004F2B64
LEA EAX,DWORD PTR SS:[EBP-138]
MOV CL,12
CALL 00402A88
LEA EDX,DWORD PTR SS:[EBP-138]
LEA EAX,DWORD PTR SS:[EBP-34C]
CALL 00403F78
LEA EAX,DWORD PTR SS:[EBP-34C]
MOV EDX,DWORD PTR SS:[EBP-C]
CALL 00403FDC
MOV BYTE PTR DS:[5241A0],1
MOV EAX,DWORD PTR DS:[502D9C]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR SS:[EBP-34C]
CALL 004B0484
MOV EAX,DWORD PTR SS:[EBP-34C]
PUSH EAX
MOV ECX,DWORD PTR DS:[502F58]
MOV ECX,DWORD PTR DS:[ECX]
MOV EAX,DWORD PTR DS:[502D9C]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,0CC
CALL 004B10C8
JMP 004F1677
MOV EAX,DWORD PTR SS:[EBP-4] ★ note this address down: addr2=524434 (QINGRENJIE=525015)
CMP BYTE PTR DS:[EAX+35D],2
JB 004F672E
JMP 004F6612
------------------------------------------------------------------------
4. When finished, select all of the code you just assembled, right-click and choose "Copy to executable" -> "Selection". In the window that pops up, right-click again and choose "Save file". Save it as nei.exe (any name will do).
5. Load the new nei.exe in OD, Ctrl+G to 4F1362, double-click the instruction there and assemble JMP xxxxxxxx (xxxxxxxx is the value of addr1). Tick "Fill with NOP's" and confirm. The NOP fill is what keeps the instruction boundary intact when the 5-byte JMP is shorter than the instruction(s) it overwrites; the JMP must not be longer than them, or it spills into the next instruction.
6. Repeat step 4; suppose you save the result as nnei.exe.
7. Load the new nnei.exe in OD, Ctrl+G to 4F64CE, double-click the instruction there and assemble JE xxxxxxxx (xxxxxxxx is the value of addr2). The cave at addr2 ends in JB 004F672E / JMP 004F6612, so both outcomes of its extra check return into the original code.
8. Repeat step 4. Done.
Note: OD is OllyDbg; the highest version at present is 1.10. Get the Chinese-language build. It is the well-known ring-3 debugger.
BTW: when writing and modifying code you can use other tools such as HIEW, but I prefer OD because there is no calculating to do :)
TyroPE
黑金论坛
2022-07-15 21:56:25
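Added example (not part of TyroPE's post, and not code from OllyDbg or LordPE): the arithmetic that OD does for you in steps 3, 5 and 7, written out in Python so a patch can be checked, or applied with a plain hex editor, without the debugger. It takes the ImageBase (00400000), the new-section RVA (124000), the patch sites 4F1362 / 4F64CE and addr1 / addr2 from the post; the section file offsets and sizes, and the assumption that the overwritten instructions are 5 and 6 bytes long, are constructed for this example.

```python
# Added example, not part of TyroPE's post: the arithmetic that OllyDbg does for
# you in steps 3, 5 and 7, done by hand so the patch can be checked (or applied
# with a hex editor) without the debugger.
# The section layout below is constructed for this example; it copies the
# ImageBase (00400000) and new-section RVA (124000) from the post, but the raw
# file offsets, sizes and the original instruction lengths are assumptions.
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
NOP = b"\x90"


@dataclass
class Section:
    """The fields of an IMAGE_SECTION_HEADER that matter for patching."""
    name: str
    virtual_address: int    # RVA of the section in memory
    virtual_size: int
    raw_pointer: int        # PointerToRawData: offset of the section in the file
    raw_size: int           # SizeOfRawData
    characteristics: int


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address seen in the debugger to the file offset a hex editor needs."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError(f"{va:08X} is in the virtual-only tail of {s.name}; no file bytes back it")
            return s.raw_pointer + delta
    raise ValueError(f"{va:08X} is not inside any section")


def rel32(src_va, insn_len, dst_va):
    """Displacement for a near jump: target minus the address of the next instruction."""
    disp = dst_va - (src_va + insn_len)
    return disp.to_bytes(4, "little", signed=True)   # OverflowError if the target is out of reach


def encode_jmp(src_va, dst_va):
    """JMP rel32 (E9 xx xx xx xx), 5 bytes."""
    return b"\xE9" + rel32(src_va, 5, dst_va)


def encode_je(src_va, dst_va):
    """JE rel32 (0F 84 xx xx xx xx), 6 bytes; the 2-byte short form cannot reach a cave."""
    return b"\x0F\x84" + rel32(src_va, 6, dst_va)


def make_patch(new_code, orig_len):
    """What OllyDbg's 'Fill with NOP's' checkbox does: pad the new instruction to the
    length of the instruction(s) it overwrites so the following instruction boundary
    is preserved, and refuse when the new instruction would not fit."""
    if len(new_code) > orig_len:
        raise ValueError(f"patch is {len(new_code)} bytes but only {orig_len} may be overwritten")
    return new_code + NOP * (orig_len - len(new_code))


def check_cave_section(s):
    """A cave that is not executable faults under DEP no matter how correct the code is."""
    if not s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        raise ValueError(f"section {s.name} lacks IMAGE_SCN_MEM_EXECUTE")
    if not s.characteristics & IMAGE_SCN_MEM_READ:
        raise ValueError(f"section {s.name} lacks IMAGE_SCN_MEM_READ")


def apply_patch(image, va, patch, image_base, sections):
    """Write the patch into an in-memory copy of the file; returns the file offset used."""
    off = va_to_file_offset(va, image_base, sections)
    image[off:off + len(patch)] = patch
    return off


# Constructed layout mirroring the post: ImageBase 00400000, code-cave section at RVA 124000.
IMAGE_BASE = 0x00400000
SECTIONS = [
    Section(".text", 0x00001000, 0x00100000, 0x00000400, 0x00100000,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    Section(".cave", 0x00124000, 0x00001000, 0x00100400, 0x00001000,   # the LordPE-added section
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
]
ADDR1, ADDR2 = 0x524309, 0x524434          # cave entry points from the post


def patch_like_the_post(image):
    """Steps 5 and 7 of the post. Assumed: the overwritten instructions are 5 and 6 bytes long."""
    check_cave_section(SECTIONS[1])
    jmp = make_patch(encode_jmp(0x4F1362, ADDR1), 5)
    je = make_patch(encode_je(0x4F64CE, ADDR2), 6)
    off1 = apply_patch(image, 0x4F1362, jmp, IMAGE_BASE, SECTIONS)
    off2 = apply_patch(image, 0x4F64CE, je, IMAGE_BASE, SECTIONS)
    return {"jmp": (off1, jmp), "je": (off2, je)}


if __name__ == "__main__":
    img = bytearray(0x101400)   # constructed stand-in for nei.exe; a real file would be read in "rb"
    for name, (off, data) in patch_like_the_post(img).items():
        print(f"{name}: file offset {off:08X} <- {data.hex(' ').upper()}")
```

Run it as a script to see the file offset and the bytes each patch writes. Two checks are the point of the script: make_patch refuses a jump longer than the instruction(s) it replaces (which would corrupt the following instruction instead of being padded with NOPs), and check_cave_section refuses a cave section whose characteristics were not set to executable when it was added.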