//zwdzjs.cpp:此文件包含"main"函数。程序执行将在此处开始并结束。//#include<iostream>#include<stdio.h>#include"windows.h"intmain(){DWORDPID=0;HANDLEProcess=0;DWORDSumTotal=0;DWORDBaseAddress=0x0075799C;//1.首先我们需要获取到游戏的进程pid,然后读取游戏的内存HWNDHwnd=FindWindow(NULL,L"Plantsvs.Zombies1.2.0.1073RELEASE");if(Hwnd==NULL){printf("植物大战僵尸僵尸没有运行,请先运行游戏\n");return0;}//2获取进程PIDGetWindowThreadProcessId(Hwnd,&PID);//获取进程PIDif(PID==0){printf_s("获取PID失败\n");return0;}//打开进程Process=OpenProcess(PROCESS_ALL_ACCESS,0,PID);if(NULL==Process){printf_s("进程打开失败\n");GetLastError();return0;}//读取进程内容//获取内存地址DWORDSunAddressValue=0;if(ReadProcessMemory(Process,(char*)BaseAddress,&SunAddressValue,4,0)==false){GetLastError();return0;}//获取一级偏移地址DWORDSunAddressFirstValue=0;if(ReadProcessMemory(Process,(char*)(SunAddressValue+0x868),&SunAddressFirstValue,4,0)==false){GetLastError();return0;}//获取二级偏移地址也就是阳光的内存地址if(ReadProcessMemory(Process,(char*)(SunAddressFirstValue+0x5578),&SumTotal,4,0)==false){GetLastError();return0;}printf("阳光的地址%d",SumTotal);//如果阳光小于9999while(SumTotal<9999){DWORDWriteSumTotal=9999;printf_s("没有阳光了");WriteProcessMemory(Process,(char*)(SunAddressFirstValue+0x5578),&WriteSumTotal,4,0);Sleep(5000);}}
voidFun(){inti=10;intk=i++;printf("%d%d\n",k,i);}打印结果为10,11,先赋值,在运算,查看汇编代码0040D768movdwordptr[ebp-4],0Ah将10的值给I0040D76Fmoveax,dwordptr[ebp-4]将10放到eax0040D772movdwordptr[ebp-8],eax将eax的值给k也就是k=100040D775movecx,dwordptr[ebp-4]在将i也就是10放到ecx0040D778addecx,1ecx=ecx+0x1=110040D77Bmovdwordptr[ebp-4],ecx将ecx=11放到i所以I=110040D77Emovedx,dwordptr[ebp-4]0040D781pushedx0040D782moveax,dwordptr[ebp-8]0040D785pusheax0040D786pushoffsetstring"%d\n"(0042201c)0040D78Bcallprintf(004010c0)0040D790addesp,0Ch再看++在前voidFun(){inti=10;intk=++i;printf("%d%d\n",k,i);}打印结果为11,11,先运算,在赋值,查看汇编代码0040D768movdwordptr[ebp-4],0Ahi=100040D76Fmoveax,dwordptr[ebp-4]eax=i=100040D772addeax,1eax=eax+1=0x110040D775movdwordptr[ebp-4],eaxi=eax=0x110040D778movecx,dwordptr[ebp-4]ecx=i=0x110040D77Bmovdwordptr[ebp-8],ecxk=ecx=0x110040D77Emovedx,dwordptr[ebp-4]
JCC指令也只影响EIP首先要明确一点,所有的判断跳转指令都是根据标志位来进行判断的1、JE,JZ结果为零则跳转(相等时跳转)ZF=12、JNE,JNZ结果不为零则跳转(不相等时跳转)ZF=03、JS结果为负则跳转SF=14、JNS结果为非负则跳转SF=05、JP,JPE结果中1的个数为偶数则跳转PF=16、JNP,JPO结果中1的个数为偶数则跳转PF=07、JO结果溢出了则跳OF=18、JNO结果没有溢出则跳转OF=09、JB,JNAE小于则跳转(无符号数)CF=110、JNB,JAE大于等于则跳转(无符号数)CF=011、JBE,JNA小于等于则跳转(无符号数)CF=1orZF=112、JNBE,JA大于则跳转(无符号数)CF=0andZF=013、JL,JNGE小于则跳转(有符号数)SF≠OF14、JNL,JGE大于等于则跳转(有符号数)SF=OF15、JLE,JNG小于等于则跳转(有符号数)ZF=1orSF≠OF16、JNLE,JG大于则跳转(有符号数)ZF=0andSF=OF有符号无符号的区别:CMPAL,CLJG0x12345678JA0x12345678英文全称含义判断标志位JE,JZjumpequal,jumpzero结果为零则跳转(相等时跳转)ZF=1JNE,JNZjumpnotequal,jumpnotzero结果不为零则跳转(不相等时跳转)ZF=0JSjumpsign结果为负则跳转SF=1JNSjumpnotsign结果为非负则跳转SF=0JP,JPEjumpparity,jumpparityeven结果中1的个数为偶数则跳转PF=1JNP,JPOjumpnotparity,jumpparityodd结果中1的个数为偶数则跳转PF=0JOjumpoverflow结果溢出了则跳转OF=1JNOjumpnotoverflow结果没有溢出则跳转OF=0JB,JNAEjumpbelow,jumpnotaboveequal小于则跳转(无符号数)CF=1JNB,JAEjumpnotbelow,jumpaboveequal大于等于则跳转(无符号数)CF=0JBE,JNAjumpbelowequal,jumpnotabove小于等于则跳转(无符号数)CF=1orZF=1JNBE,JAjumpnotbelowequal,jumpabove大于则跳转(无符号数)CF=0andZF=0JL,JNGEjumpless,jumpnotgreaterequal小于则跳转(有符号数)SF≠OFJNL,JGEjumpnotless,jumpgreaterequal大于等于则跳转(有符号数)SF=OFJLE,JNGjumplessequal,jumpnotgreater小于等于则跳转(有符号数)ZF=1orSF≠OFJNLE,JGjumpnotlessequal,jumpgreater大于则跳转(有符号数)ZF=0andSF=OF
寻址公式寻址公式一:[立即数]读取内存的值:MOVEAX,DWORDPTRDS:[0x13FFC4]MOVEAX,DWORDPTRDS:[0x13FFC8]向内存中写入数据:MOVDWORDPTRDS:[0x13FFC4],eaxMOVDWORDPTRDS:[0x13FFC8],ebx获取内存编号:LEAEAX,DWORDPTRDS:[0X13FFC4]LEAEAX,DWORDPTRDS:[ESP+8]寻址公式二:[寄存器]reg代表寄存器可以是8个通用寄存器中的任意一个读取内存的值:MOVECX,0x13FFD0MOVEAX,DWORDPTRDS:[ECX]向内存中写入数据:MOVEDX,0x13FFD8MOVDWORDPTRDS:[EDX],0x87654321获取内存编号:LEAEAX,DWORDPTRDS:[EDX]寻址公式三:[reg+立即数]读取内存的值:MOVECX,0x13FFD0MOVEAX,DWORDPTRDS:[ECX+4]向内存中写入数据:MOVEDX,0x13FFD8MOVDWORDPTRDS:[EDX+0xC],0x87654321获取内存编号:LEAEAX,DWORDPTRDS:[EDX+4]寻址公式四:[reg+reg*{1,2,4,8}]读取内存的值:MOVEAX,13FFC4MOVECX,2MOVEDX,DWORDPTRDS:[EAX+ECX*4]向内存中写入数据:MOVEAX,13FFC4MOVECX,2MOVDWORDPTRDS:[EAX+ECX*4],87654321获取内存编号:LEAEAX,DWORDPTRDS:[EAX+ECX*4]寻址公式五:[reg+reg*{1,2,4,8}+立即数]读取内存的值:MOVEAX,13FFC4MOVECX,2MOVEDX,DWORDPTRDS:[EAX+ECX*4+4]向内存中写入数据:MOVEAX,13FFC4MOVECX,2MOVDWORDPTRDS:[EAX+ECX*4+4],87654321获取内存编号:LEAEAX,DWORDPTRDS:[EAX+ECX*4+2]
滴水逆向视频笔记:符号含义r寄存器m内存imm立即数r88位通用寄存器m88位内存imm88位立即数#MOV指令MOV目标操作数,源操作数MOVr/m8,r8MOVr/m16,r16MOVr/m32,r32MOVr8,r/m8MOVr16,r/m16MOVr32,r/m32MOVr8,imm8MOVr16,imm16MOVr32,imm32作用:拷贝源操作数到目标操作数源操作数可以是立即数、通用寄存器、段寄存器、或者内存单元目标操作数可以是通用寄存器、段寄存器或者内存单元操作数的宽度必须一样源操作数和目标操作数不能同时为内存单元#ADD指令ADDr/m8,imm8ADDr/m16,imm16ADDr/m32,imm32ADDr/m16,imm8ADDr/m32,imm8ADDr/m8,r8ADDr/m16,r16ADDr/m32,r32ADDr8,r/m8ADDr16,r/m16ADDr32,r/m32MOVeax,1addeax,2eax值最后为3ADD目标操作数,源操作数作用:将源操作数加到目标操作数上#SUB指令SUB的语法:SUBr/m8,imm8SUBr/m16,imm16SUBr/m32,imm32SUBr/m16,imm8SUBr/m32,imm8SUBr/m8,r8SUBr/m16,r16SUBr/m32,r32SUBr8,r/m8SUBr16,r/m16SUBr32,r/m32SUB目标操作数,源操作数作用:将源操作数减到目标操作数上#AND指令AND的语法:ANDr/m8,imm8ANDr/m16,imm16ANDr/m32,imm32ANDr/m16,imm8ANDr/m32,imm8ANDr/m8,r8ANDr/m16,r16ANDr/m32,r32ANDr8,r/m8ANDr16,r/m16ANDr32,r/m32AND目标操作数,源操作数作用:将源操作数与目标操作数与运算后将结果保存到目标操作数中moveax,2addEAX,32的二进制00103的二进制00110010and0011值为2#OR指令OR的语法:ORr/m8,imm8ORr/m16,imm16ORr/m32,imm32ORr/m16,imm8ORr/m8,r8ORr/m16,r16ORr/m32,r32ORr8,r/m8ORr16,r/m16ORr32,r/m32OR目标操作数,源操作数作用:将源操作数与目标操作数或运算后将结果保存到目标操作数中moveax,2OREAX,30010|0011结果为3#XOR指令XOR的语法:XORr/m8,imm8XORr/m16,imm16XORr/m32,imm32XORr/m16,imm8XORr/m8,r8XORr/m32,r32XORr8,r/m8XORr16,r/m16XORr32,r/m32XOR目标操作数,源操作数作用:将源操作数与目标操作数异或运算后将结果保存到目标操作数中moveax,2xorEAX,30010XOR0011结果为0001结果为1#NOT指令NOT的语法:NOTr/m8NOTr/m16NOTr/m32NOT操作数作用:取反moveax,2NOTEAX2的二进制0010取反11011101的值为D
主要代码//异常捕捉DWORDNTAPIExceptionHandler(EXCEPTION_POINTERS*ExceptionInfo){if((DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress==0x00401053){ExceptionInfo->ContextRecord->Eip+=6;//已经处理了异常,不需要再调用下一个异常处理来处理此异常returnEXCEPTION_CONTINUE_EXECUTION;}//调用下一个处理器returnEXCEPTION_CONTINUE_SEARCH;}voidSetHwBreakPoint(){CONTEXTctx;ctx.ContextFlags=CONTEXT_ALL;GetThreadContext(GetCurrentThread(),&ctx);ctx.Dr7=0x1;ctx.Dr0=0x00401053;SetThreadContext(GetCurrentThread(),&ctx);GetThreadContext(GetCurrentThread(),&ctx);}//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////入口函数BOOLWINAPIDllMain(HMODULEhModule,DWORDdwReason,PVOIDpvReserved){if(dwReason==DLL_PROCESS_ATTACH){//注册全局异常AddVectoredExceptionHandler(1,(PVECTORED_EXCEPTION_HANDLER)ExceptionHandler);SetHwBreakPoint();returnLoad();}elseif(dwReason==DLL_PROCESS_DETACH){Free();}returnTRUE;}////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
直接拖入od按ALT+M,搜索FF55FC5F5E895DF4(这个是易语言按钮事件特征码)CTRL+G转到0041B00D4D、运行程序、下断点,输入错误的注册码F8跟进发现正确密码。EAX00000001ECX00030002EDX00030001EBX04DA7BF0ASCII"19489543632"ESP0018F5F0EBP0018F61CESI04DA7BE1EDI04DA7C60EIP0041AFD0测试1.0041AFD0C0ES002B32位0(FFFFFFFF)P1CS002332位0(FFFFFFFF)A0SS002B32位0(FFFFFFFF)Z0DS002B32位0(FFFFFFFF)S0FS005332位7EFDD000(FFF)T0GS002B32位0(FFFFFFFF)D0O0LastErrERROR_SUCCESS(00000000)EFL00000206(NO,NB,NE,A,NS,PE,GE,G)ST0empty0.0ST1empty0.0ST2empty0.0ST3empty0.0ST4empty0.0ST5empty0.0ST6empty4.0000000000000000000ST7empty-1.00000000000000000003210ESPUOZDIFST4000Cond1000Err00000000(EQ)FCW037FPrecNEAR,64掩码111111