LyScript can replace instructions with custom assembly. A user writes their own assembly instructions to rewrite and redirect a specific, commonly used function inside the target program. The mechanism behind this feature is a plain inline hook. Plugin address: https://github.com/lyshark/Ly...

First we implement a hook template whose job is to perform the jump. The code below uses the MessageBoxA function as its example and modifies the arguments the program passes to it.

```python
from LyScript32 import MyDebug

# Assemble a list of instructions into memory one after another,
# starting at `address`.
def assemble(dbg, address=0, asm_list=[]):
    asm_len_count = 0
    for index in range(0, len(asm_list)):
        # write the instruction into memory
        dbg.assemble_at(address, asm_list[index])
        # print("Address: {} --> length counter: {} --> write out: {}".format(hex(address + asm_len_count), asm_len_count, asm_list[index]))
        # get the encoded length of the instruction just written
        asm_len_count = dbg.assemble_code_size(asm_list[index])
        # advance the address by that length
        address = address + asm_len_count

if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    # locate MessageBoxA
    messagebox_address = dbg.get_module_from_function("user32.dll", "MessageBoxA")
    print("MessageBoxA address = {}".format(hex(messagebox_address)))

    # allocate space for the hook code
    HookMem = dbg.create_alloc(1024)
    print("Custom memory space: {}".format(hex(HookMem)))

    # jump stub: push the hook address, then ret into it
    asm = [f"push {hex(HookMem)}", "ret"]

    # write the instructions in the list over the start of MessageBoxA
    assemble(dbg, messagebox_address, asm)
```

The code above first looks up the memory address of the MessageBoxA function; we then allocate a block with dbg.create_alloc(1024) and use the assemble() helper to write a jump instruction. Once this has run, the instructions at MessageBoxA are replaced and execution is redirected into the memory we allocated.

Next we rewrite the function itself, replacing the dialog's message with our own copyright text. The code first:

```python
from LyScript32 import MyDebug

# Assemble a list of instructions into memory one after another,
# starting at `address`.
def assemble(dbg, address=0, asm_list=[]):
    asm_len_count = 0
    for index in range(0, len(asm_list)):
        # write the instruction into memory
        dbg.assemble_at(address, asm_list[index])
        # print("Address: {} --> length counter: {} --> write out: {}".format(hex(address + asm_len_count), asm_len_count, asm_list[index]))
        # get the encoded length of the instruction just written
        asm_len_count = dbg.assemble_code_size(asm_list[index])
        # advance the address by that length
        address = address + asm_len_count

if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    # locate MessageBoxA
    messagebox_address = dbg.get_module_from_function("user32.dll", "MessageBoxA")
    print("MessageBoxA address = {}".format(hex(messagebox_address)))

    # allocate space for the hook code
    HookMem = dbg.create_alloc(1024)
    print("Custom memory space: {}".format(hex(HookMem)))

    # jump stub: push the hook address, then ret into it
    asm = [f"push {hex(HookMem)}", "ret"]

    # write the instructions in the list over the start of MessageBoxA
    assemble(dbg, messagebox_address, asm)

    # two buffers to hold the replacement strings
    MsgBoxAddr = dbg.create_alloc(512)
    MsgTextAddr = dbg.create_alloc(512)

    # fill in the string contents; no terminating NUL is written explicitly,
    # which relies on create_alloc handing back zero-filled memory
    # title: "lyshark"
    txt = [0x6c, 0x79, 0x73, 0x68, 0x61, 0x72, 0x6b]
    # content: "lyshark.com"
    box = [0x6C, 0x79, 0x73, 0x68, 0x61, 0x72, 0x6B, 0x2E, 0x63, 0x6F, 0x6D]

    for txt_count in range(0, len(txt)):
        dbg.write_memory_byte(MsgBoxAddr + txt_count, txt[txt_count])
    for box_count in range(0, len(box)):
        dbg.write_memory_byte(MsgTextAddr + box_count, box[box_count])

    print("Title address: {} Content: {}".format(hex(MsgBoxAddr), hex(MsgTextAddr)))

    # the replacement MessageBox body: re-create the original prologue, then
    # push our own caption and text instead of the caller's lpCaption/lpText
    PatchCode = [
        "mov edi, edi",
        "push ebp",
        "mov ebp, esp",
        "push -1",
        "push 0",
        "push dword ptr ss:[ebp+0x14]",
        f"push {hex(MsgBoxAddr)}",
        f"push {hex(MsgTextAddr)}",
        "push dword ptr ss:[ebp+0x8]",
        # internal call target taken from the author's machine; it must be
        # looked up again on any other system/user32 build
        "call 0x76030E20",
        "pop ebp",
        "ret 0x10",
    ]

    # write the replacement body into the memory we allocated
    assemble(dbg, HookMem, PatchCode)
    print("Addresses patched, ready to run.")

    dbg.set_debug("Run")
    dbg.set_debug("Run")
    dbg.close()
```

When the program runs, assemble(dbg, messagebox_address, asm) has already patched the entry of MessageBoxA with a jump straight into the memory we requested. When EIP arrives there it lands in the dialog code we built, shown above. That code reads two memory addresses, MsgBoxAddr (the title) and MsgTextAddr (the body text), and the Python script substitutes those two addresses with push {hex()}. So whenever the dialog is shown, it is our own function that executes.
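From the defender's side, the same hook is easy to spot: the first bytes of MessageBoxA no longer form its hot-patchable prologue but a `push imm32; ret` pair. The following is an added example, not code from the original post or from LyScript, that runs offline: it encodes the same 6-byte stub the script above writes (68 imm32 / C3, the standard encoding for a 32-bit immediate push followed by ret) and classifies a function's first bytes as the clean prologue, a push/ret hook, or a jmp rel32 hook, recovering the target address in the hook cases. The names `push_ret_stub`, `inspect_prologue` and `scan_exports`, and all sample addresses and bytes, are my own constructions.

```python
import struct

# Clean start of MessageBoxA on 32-bit user32: mov edi,edi / push ebp / mov ebp,esp
# (the hot-patchable prologue the replacement code above re-creates).
HOTPATCH_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


def push_ret_stub(target: int) -> bytes:
    """Encode 'push imm32; ret' (68 imm32 / C3): the 6-byte stub written over MessageBoxA."""
    return b"\x68" + struct.pack("<I", target & 0xFFFFFFFF) + b"\xc3"


def inspect_prologue(func_va: int, first_bytes: bytes) -> dict:
    """Classify the first bytes of an exported function.

    'kind' is one of 'clean', 'push_ret', 'jmp_rel32' or 'unknown'; for a hook,
    'target' is the absolute address execution is diverted to.
    """
    if first_bytes.startswith(HOTPATCH_PROLOGUE):
        return {"kind": "clean", "target": None}
    # push imm32 ; ret -> the stub shape used on this page (absolute target)
    if len(first_bytes) >= 6 and first_bytes[0] == 0x68 and first_bytes[5] == 0xC3:
        return {"kind": "push_ret", "target": struct.unpack_from("<I", first_bytes, 1)[0]}
    # jmp rel32 -> the other common inline-hook shape; displacement is relative
    # to the end of the 5-byte jmp
    if len(first_bytes) >= 5 and first_bytes[0] == 0xE9:
        rel = struct.unpack_from("<i", first_bytes, 1)[0]
        return {"kind": "jmp_rel32", "target": (func_va + 5 + rel) & 0xFFFFFFFF}
    return {"kind": "unknown", "target": None}


def scan_exports(exports: dict) -> dict:
    """exports maps name -> (virtual address, first bytes); returns only the hooked entries."""
    hooked = {}
    for name, (va, prologue) in exports.items():
        result = inspect_prologue(va, prologue)
        if result["kind"] in ("push_ret", "jmp_rel32"):
            hooked[name] = result
    return hooked


if __name__ == "__main__":
    # Constructed sample (made-up addresses): only MessageBoxA carries the push/ret
    # stub, FindWindowA carries a jmp-style hook, MessageBoxW is untouched.
    hook_mem = 0x00A10000
    sample = {
        "MessageBoxA": (0x76031234, push_ret_stub(hook_mem)),
        "MessageBoxW": (0x76031300, HOTPATCH_PROLOGUE + b"\x6a\xff"),
        "FindWindowA": (0x76020000, b"\xe9\x00\x01\x00\x00"),
    }
    for name, info in scan_exports(sample).items():
        print(f"{name}: {info['kind']} -> {info['target']:#x}")
```

In a live session the bytes would come from the debugger, for instance by reading the first six bytes of each export (I assume LyScript offers a read counterpart to the write_memory_byte used above). Comparing against the on-disk copy of the DLL rather than a fixed prologue avoids false positives for exports that do not begin with mov edi,edi.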
