先用VC++做一個MFC程式
代碼如下
void CGame1Dlg::OnOK()
{
// TODO: Add extra validation here
hp=hp-10; //在上面已經賦過值了hp=5000
CString lhp;
lhp.Format("%d",hp);
SetDlgItemText(IDC_HP,lhp);
}
///反匯編代碼
00401C90 push ebp
00401C91 mov ebp,esp
00401C93 push 0FFh
00401C95 push offset __ehhandler$?OnOK@CGame1Dlg@@MAEXXZ (004035f9)
00401C9A mov eax,fs:[00000000]
00401CA0 push eax
00401CA1 mov dword ptr fs:[0],esp
00401CA8 sub esp,48h
00401CAB push ebx
00401CAC push esi
00401CAD push edi
00401CAE push ecx
00401CAF lea edi,[ebp-54h]
00401CB2 mov ecx,12h
00401CB7 mov eax,0CCCCCCCCh
00401CBC rep stos dword ptr [edi]
00401CBE pop ecx
00401CBF mov dword ptr [ebp-10h],ecx
175: // TODO: Add extra validation here
176:
177: hp=hp-10;
00401CC2 mov eax,[hp (004166a8)]
00401CC7 sub eax,0Ah
00401CCA mov [hp (004166a8)],eax
178: CString lhp;
00401CCF lea ecx,[ebp-14h]
00401CD2 call CString::CString (00401faa)
00401CD7 mov dword ptr [ebp-4],0
179: lhp.Format("%d",hp);
00401CDE mov ecx,dword ptr [hp (004166a8)]
00401CE4 push ecx
00401CE5 push offset string "%d" (004153d4)
00401CEA lea edx,[ebp-14h]
00401CED push edx
00401CEE call CString::Format (00402004)
00401CF3 add esp,0Ch
180:
181: SetDlgItemText(IDC_HP,lhp);
00401CF6 lea ecx,[ebp-14h]
00401CF9 call CString::operator char const * (00401f92)
00401CFE push eax
00401CFF push 3E8h
00401D04 mov ecx,dword ptr [ebp-10h]
00401D07 call CWnd::SetDlgItemTextA (00401ffe)
182: }
,VB Call代碼
Private Function CallRemote(ByVal Address As Long)
Dim Tmp As String
Dim i As Long
'Dim n As Integer
Dim RThwnd As Long
Dim NewAddress As Long
'Dim AddCode() As Byte
Tmp = "60B8" & Int2Hex(Address, 8) & "FFD061C3" ///Int2He就是互換了一個順序如&H00401C90 -> 90 1C 40 00
MsgBox Tmp
' n = Len(Tmp)
ReDim AddCode(Len(Tmp) / 2 - 1) As Byte
For i = 0 To UBound(AddCode)
AddCode(i) = CByte("&H" & Mid(Tmp, i * 2 + 1, 2))
Next i
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, Combo1.ItemData(Combo1.ListIndex))
If hProcess = 0 Then
Exit Function
End If
NewAddress = VirtualAllocEx(hProcess, ByVal 0&, UBound(AddCode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
WriteProcessMemory hProcess, ByVal NewAddress, ByVal VarPtr(AddCode(0)), UBound(AddCode) + 1, ByVal 0&
RThwnd = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal NewAddress, ByVal 0&, ByVal 0&, ByVal 0&)
VirtualFreeEx hProcess, NewAddress, UBound(AddCode) + 1, MEM_RELEASE
CloseHandle RThwnd
CloseHandle hProcess
End Function
呼叫
CallRemote &H401C90'' 呼叫后 總是崩潰
不知是不是我的C++程式有問題 (本人菜,希望大神指定一二)
uj5u.com熱心網友回復:
崩潰的時候在彈出的對話框按相應按鈕進入除錯,按Alt+7鍵查看Call Stack即“呼叫堆疊”里面從上到下列出的對應從里層到外層的函式呼叫歷史。雙擊某一行可將游標定位到此次呼叫的源代碼或匯編指令處,看不懂時雙擊下一行,直到能看懂為止。uj5u.com熱心網友回復:
但是我用別的的EXE做實驗可以成功呀!
,出錯的是我的
,這是別有的EXE
uj5u.com熱心網友回復:
就這點匯編基礎還搞shellcode?你知道執行緒函式是有引數的嗎 你直接c3 你說堆疊會怎樣
uj5u.com熱心網友回復:
還有你那遠程執行緒的代碼 代碼都沒執行完畢 你就去釋放記憶體 能不崩潰也純屬好運uj5u.com熱心網友回復:
我不釋放也是一樣的效果,按別人的方法呼叫也是這效果,上面那程序是直接寫在command按扭下的,并不是通過command命令呼叫其他的函式,,我看了別人做的EXE ,然后寫了一個程序通過command命令呼叫成功
CGame1Dlg::OnOK
{
subHp();
}
void subHp()
{
hp-=50;
}
uj5u.com熱心網友回復:
先搞懂什么是堆疊平衡了再說吧,有的不崩潰可能是程式里面有錯誤處理而已轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/82871.html
標籤:API
上一篇:VB腳本求助