我自己用汇编写了一个：
{
// ORIGINAL CODE - INJECTION POINT: san11pk.exe+95982
//
// What the function at san11pk.exe+95970..95985 does (from the bytes below):
//   eax = [esp+04]            single stack argument, popped by the ret 0004
//   eax == -1                 -> jump straight to the store at +95982
//   eax <  0  (other than -1) -> skip the store, return
//   eax >  0C                 -> skip the store, return
//   otherwise (0..0C)         -> store
// So the 32-bit store `mov [ecx+2C],eax` at +95982 only ever sees an
// already-validated value: -1 or 0..0C.  ecx is not set in this function
// (presumably the object pointer of a thiscall — confirm in the caller).
// Note the store is 3 bytes and the following ret 0004 is 3 bytes; a
// 5-byte jmp placed at +95982 overwrites both, which is why the injected
// code has to reproduce the ret 0004 itself.
san11pk.exe+9596D: CC - int 3
san11pk.exe+9596E: CC - int 3
san11pk.exe+9596F: CC - int 3
san11pk.exe+95970: 8B 44 24 04 - mov eax,[esp+04]
san11pk.exe+95974: 83 F8 FF - cmp eax,-01
san11pk.exe+95977: 74 09 - je san11pk.exe+95982
san11pk.exe+95979: 85 C0 - test eax,eax
san11pk.exe+9597B: 7C 08 - jl san11pk.exe+95985
san11pk.exe+9597D: 83 F8 0C - cmp eax,0C
san11pk.exe+95980: 7F 03 - jg san11pk.exe+95985
// ---------- INJECTING HERE ----------
san11pk.exe+95982: 89 41 2C - mov [ecx+2C],eax
// ---------- DONE INJECTING ----------
san11pk.exe+95985: C2 04 00 - ret 0004
san11pk.exe+95988: CC - int 3
san11pk.exe+95989: CC - int 3
san11pk.exe+9598A: CC - int 3
san11pk.exe+9598B: CC - int 3
san11pk.exe+9598C: CC - int 3
san11pk.exe+9598D: CC - int 3
san11pk.exe+9598E: CC - int 3
san11pk.exe+9598F: CC - int 3
san11pk.exe+95990: 66 8B 44 24 04 - mov ax,[esp+04]
}
san11pk.exe+95982: 89 41 2C - mov [ecx+2C],eax
这一条（+95982 处的 mov [ecx+2C],eax）就是把命令值写进去的指令，需要替换掉；我用 CE 的自动汇编写了一段：
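// Cave body injected at san11pk.exe+95982 (Cheat Engine auto-assembler,
// Intel syntax; `#` prefix = decimal, `//` = comment).
// It replaces the original
//     mov [ecx+2C],eax
//     ret 0004
// The 5-byte jmp into this cave overwrites both instructions (3 + 3 bytes),
// so the `ret 0004` has to be reproduced here.
// Entry state: eax = the command value, already range-checked by the
// original function (-1 or 0..0C); ecx = the object whose +2C field is
// written.  Every path ends in `ret 0004`, so nothing ever falls through
// to `return` — the usual trailing `jmp return` would be dead code.
// `match` must be declared with label(match) in the enclosing script.
cmp eax,#03                     // command 3 -> substitute 9
je match
mov [ecx+2C],eax                // any other value: same 32-bit store as the original
ret 0004
match:
mov dword ptr [ecx+2C],#09      // explicit 4-byte width, matching the original store of eax
                                // (don't rely on the assembler's default size for [mem],imm)
ret 0004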
也就是说：如果检测到写入的命令是 03（攻击），就改成 09（征服）。注意 mov [ecx+2C],#09 最好写成 mov dword ptr [ecx+2C],#09，保证和原来的 mov [ecx+2C],eax 一样是 4 字节写入；另外每条路径都以 ret 0004 结束，后面的 jmp return 实际上不会被执行到。