-
-
[分享]od窗口函数地址修正
-
发表于: 2014-2-19 13:30
-
具体原因参考:
http://bbs.pediy.com/showthread.php?t=121113&highlight=ClsProc
47bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3W2F1N6X3I4H3k6#2)9J5k6h3u0D9L8$3N6K6M7r3!0@1i4K6u0W2j5$3!0E0i4K6u0r3x3U0l9I4x3q4)9J5c8U0l9@1i4K6u0r3L8$3I4D9P5h3c8T1k6#2)9J5k6r3N6W2N6s2y4Q4x3X3c8%4M7X3!0F1k6#2)9J5k6r3y4D9M7%4m8J5L8$3y4Q4x3X3g2Z5N6r3#2D9
摘录问题及解决方案:
修改过程:
在用OD加载OD,然后在GetClassLongA下断,找到调用GetClassLongA的地方,在此段尾部找一块空白处,打如下补丁:
然后将所有对GetClassLongA的调用修改为调用此函数。
此处GetClassLongW使用的是硬编码,不想搞IAT,所以就不上传二进制文件了。
http://bbs.pediy.com/showthread.php?t=121113&highlight=ClsProc
47bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3W2F1N6X3I4H3k6#2)9J5k6h3u0D9L8$3N6K6M7r3!0@1i4K6u0W2j5$3!0E0i4K6u0r3x3U0l9I4x3q4)9J5c8U0l9@1i4K6u0r3L8$3I4D9P5h3c8T1k6#2)9J5k6r3N6W2N6s2y4Q4x3X3c8%4M7X3!0F1k6#2)9J5k6r3y4D9M7%4m8J5L8$3y4Q4x3X3g2Z5N6r3#2D9
摘录问题及解决方案:
OllyDbg uses GetClassLongA to retrieve ClassProc.
On most ansi windows this works fine, but on unicode ones not.
GetClassLongA will return a magic cookie which looks like FFFF1234
instead of the real procedure address.
You can patch Olly by replacing GetClassLongA with GetClassLongW to see the difference:
some values used to be FFFF1234 became meaningful pointers, and vice versa.
here is the solution:
ClsProc = GetClassLongA(hWnd, GCL_WNDPROC)
if ClsProc & 0x80000000:
ClsProc = GetClassLongW(hWnd, GCL_WNDPROC)
修改过程:
在用OD加载OD,然后在GetClassLongA下断,找到调用GetClassLongA的地方,在此段尾部找一块空白处,打如下补丁:
004AF7DD $ FF7424 08 push dword ptr ss:[esp+0x8] ; /Index;复制参数栈 004AF7E1 . FF7424 08 push dword ptr ss:[esp+0x8] ; |hWnd 004AF7E5 . E8 36FCFFFF call <jmp.&USER32.GetClassLongA> ; \GetClassLongA 004AF7EA . 25 00000080 and eax,0x80000000 ;是否是Unicode Window 004AF7EF .- 0F85 04C98677 jnz USER32.GetClassLongW 004AF7F5 . C2 0800 retn 0x8
然后将所有对GetClassLongA的调用修改为调用此函数。
此处GetClassLongW使用的是硬编码,不想搞IAT,所以就不上传二进制文件了。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
