// Hookapi. CPP: defines the entry point for the console application. //// conclusion: add an assembly 0xe9 unconditional jump value to the front of the original API function pointer, and jump the API function called by the system to the custom function to execute # include "stdafx. H "# include <windows. h ># include <iostream> using namespace STD; typedef int (winapi * pmessageboxdef) (hwnd, lpcwstr lptext, lpcwstr lpcaption, uint utype ); char szoldmessagebox [5] = {0}; char szjmpmymessagebox [5] = {(char) 0xe9}; // 0xe9, the program jumps to pmessageboxdef pmessagebox = NULL unconditionally; int winapi mymessagebox (hwnd, lpcwstr lptext, lpcwstr lpcaption, uint utype) {wcout <L "hwnd:" <(INT) hwnd <Endl; wcout <L "lptext:" <lptext <Endl; wcout <L "lpcaption:" <lpcaption <Endl; wcout <L "utype: "<utype <Endl; writeprocessmemory (void *)-1, pmessagebox, szoldmessagebox, 5, null); messageboxw (hwnd, lptext, lpcaption, utype ); writeprocessmemory (void *)-1, pmessagebox, szjmpmymessagebox, 5, null); Return 0 ;}int main () {DWORD dwjmpaddr = 0; hmodule = loadlibrary (_ T ("user32.dll"); pmessagebox = (pmessageboxdef) getprocaddress (hmodule, "messageboxw"); dwjmpaddr = (DWORD) mymessagebox-(DWORD) pmessagebox-5; memcpy (memory + 1, & dwjmpaddr, 4); freelibrary (hmodule); readprocessmemory (void *)-1, pmessagebox, szoldmessagebox, 5, null ); // read the original first five bytes writeprocessmemory (void *)-1, pmessagebox, szjmpmymessagebox, 5, null ); // write the five bytes after processing messageboxw (getforegroundwindow (), L "inline HOOK: MessageBox", l "hook api", mb_ OK); messageboxw (getforegroundwindow (), L "Hello World", l "Win32", mb_ OK); Return 0 ;}
//////////////////////////////////////// //////////////////////////////////////// //////////////
JMP command
Explanation:
N jmp is an unconditional transfer. You can modify only the IP address or CS and IP address at the same time;
The n jmp command provides two types of information:
N transfer destination address
N transfer distance (Inter-segment transfer, intra-segment short transfer, intra-segment near transfer)
Format:
1. Jump short label
In this format, the JMP command implements short transfer within a segment, and its IP address modification range is-128 ~ 127, that is, it can be transferred forward to a maximum of 128 bytes, backward to a maximum of 127 bytes.
Example:
Assume Cs: codesg
Codesg segment
Start: mov ax, 0
JMP short S
Add ax, 1
S: Inc ax
Codesg ends
End start
Note: After the above program is executed, the value in ax is 1, because after JMP short S is executed, the value of add ax, 1 is crossed, and the IP points to the INC ax at S. That is to say, the program only performs one AX plus one operation.
Note:
What are the machine commands corresponding to N Assembly command JMP short s?
N let's take a look at other Assembly commands and their corresponding machine commands.
As you can see, in a general assembly instruction, the idata in the assembly instruction (immediate number), whether it represents a data or the offset address of the memory unit, it appears in the corresponding machine command, because the CPU executes the machine command, it must process the data or address.
N however: when we check the machine code corresponding to JMP short S or JMP 0008, we find the problem.
Have you seen it? The machine code does not contain the immediate number. Why?
N in the machine code corresponding to the "JMP short label" command, it does not contain the destination address of the transfer, but contains the displacement of the transfer.
N, which is calculated by the compiler based on the "Number" in the assembly instruction.
If we add mov BX, 0000 after the first line of the program, you will not change the machine code, or eb03. Why? The offset of JMP 0008 is 0003. you can recall the execution process of commands in the CPU, and you will find that after the execution of eb03, IP = IP + 2 = 0005, you should note that there is a 03 behind eb03, which means three more units are behind, so that the offset of 0008 is reached. So what we say is the displacement of the transfer.
The specific calculation method of transfer displacement is as follows:
2. There is also a command format similar to the command "JMP short label" function:
Jump near PTR label
Achieve near transfer within the time range.
The command "JMP near PTR label" provides the following functions: (IP) = (IP) + 16-bit displacement.
Description of the N command "JMP near PTR number:
N (1) 16-bit displacement = address at the "label"-address of the first byte after the JMP command;
N (2) near PTR indicates that the displacement here is a 16-bit displacement, which is a near transfer within a segment;
The range of N (3) 16-bit displacement is
-32769 ~ 32767, which is indicated by a supplementary code;
The N (4) 16-bit displacement is calculated by the compiler during compilation.
We found that the jump short label is very similar to the jump near PTR label. What are the differences? It is actually the jump range. See the following code:
Assume Cs: codesg
Codesg segment
Start: mov ax, 0
JMP near PTR s
Add ax, 1
DW 200 DUP (2) indicates that several Assembly commands are generated to generate multiple addresses for testing.
S: Inc ax
Codesg ends
End start
If we change the JMP near PTR s here to JMP short S, this error jump out of range by 276 bytes will be reported during compilation, that is, the jump is out of bounds. That is to say:
During compilation, the compiler calculates whether it is 8-bit or 16-bit displacement. The range of the 8-bit displacement is 7 to the power of 2, while that of the 16-bit displacement is 15 to the power of 2.
Iii. Review the preceding JMP command. The corresponding machine code does not contain the destination address for transfer, but the transfer displacement relative to the current IP address.
Command "JMP far PTR number"
Inter-segment transfer, also known as remote Transfer
The "JMP far PTR label" function of the N command is as follows:
N (CS) = the segment address of the label;
N (IP) = the offset address in the segment where the label is located.
N far PTR specifies the CIDR block address and offset address of the instruction to modify CS and IP addresses.
Instance:
Assume Cs: codesg
Codesg segment
Start: mov ax, 0
MoV BX, 0
JMP far PTR s
DB 256 DUP (0)
S: Add ax, 1
INC ax
Codesg ends
End start
Analysis: run the U command to view
"0b 01 BD 0b" is the storage order of the destination address in the instruction, and "BD 0b" of the high address is the transfer segment address: 0 bbdh, the "0b 01" of the low address is the offset address: 010bh. Have you seen it? The segment address and offset address of the label are 0bbd: 010b, which may be in another segment.
The difference between the above three is summarized in the Code and you will understand it at a Glance:
JMP short XXX and JMP near PTR xxx can be written as JMP xx
Example :...
JMP exit
...
Exit: mov ax, 4c00h
Int 21 h
...
2. JMP far PTR xxx
Code1 segment
...
JMP far PTR new_seg
...
Code1 ends
Code2 segment
...
New_seg:
...
Code2 ends
Now let's look at the fourth type:
4. Let's take a look at the code and explain it again:
Jmp dword ptr xxxx is inter-segment indirect addressing
The offset address obtained from the addressing method of xxxx (for example, after adress), [adress] and [adress + 2] Are the offset address and segment address of the destination address to be transferred respectively.
For example:
Code1 segment
...
Jmp dword ptr [BX] [di]
...
Code1 ends
Code2 segment
...
Jmp_here:
...
Code2 ends
If (DS) = 1000 h, (DI) = 0300 h, (BX) = 0150 h, then adress = 10000 h + 150 h + 300 h = 10450 H, that is, the value of the transferred Destination Address jmp_here is stored in four bytes starting with the 10h H address.
JMP word PTR Adress is the inband indirect addressing.
The code is clearly described.
Now, I will summarize the usage of jump in a single figure:
Format |
Description |
Example |
Category |
Description |
JMP 16-bit register |
Change IP address with 16-bit register value |
JMP ax |
Intra-segment Transfer |
|
JMP segment address: Offset address |
Change the segment address and offset address in number immediately |
JMP 0045 H: 0020 H |
Inter-segment Transfer |
|
JMP short label |
Change the IP address based on the address of the first byte after the address label. In fact, this function can be described as follows: |
JMP short sign |
Intra-segment short transfer |
The range of IP address modification is-128-> 127. The actual algorithm is that the compiler calculates the number of bytes to point to the next instruction based on the current IP pointer, the following code will cause a compilation error. |
JMP near PTR label |
Change the IP address in the first word after the address label, |
JMP near PTR sign |
Intra-segment near Transfer |
The IP address range is-32768-> 32767. |
JMP far PTR label |
Change Both CS and IP addresses at the same time as the segment address and command address of the label |
JMP far PTR sign |
Inter-segment Transfer |
|
JMP word PTR memory address |
Modify the IP address by the word at the memory address unit. The memory unit can be given in any legal way. |
JMP word ptr ds: [Si] |
Intra-segment Transfer |
|
Jmp dword ptr memory address |
The command is changed by double-word at the memory address unit. The high address content modifies CS and the low address content modifies IP addresses. The memory address can be given in any legal way. |
Jmp dword ptr [BX] |
Inter-segment Transfer |
S1 segment |
As we mentioned above, JMP refers to unconditional jump. We know that in C, Java, or C #, there will always be one or another condition judgment, so how does one perform conditional jump in the assembly?
1. The jcxz command jcxz is a conditional transfer instruction. All conditional transfer instructions are short transfer instructions. The corresponding machine code contains the transfer displacement, not the target address. The IP address ranges from-128 ~ 127.
Command Format: jcxz label
(If (CX) = 0, it is transferred to the label for execution .)
2. Meaning:
N jcxz label command operation:
N when (CX) = 0, (IP) = (IP) + 8-bit shift)
N 8-bit displacement = address at the "label"-address of the first byte after the jcxz command;
The range of N 8-bit displacement is-128 ~ 127, which is indicated by a supplementary code;
The N 8-bit displacement is calculated by the compiler during compilation.
N when (CX) = 0, nothing is done (the program runs down ).
3. instance:
We can see from the jcxz function that the command "jcxz label" function is equivalent:
If (CX) = 0) JMP short label;
(This comprehensive description in C and assembly languages may give you a clearer understanding of conditional commands .)
Of course, there are many other cases of conditional jump, but the principle is the same. Now let's take a look at the loop commands commonly used in cracking plug-ins: loop
N loop commands are cyclic commands, and all cyclic commands are short transfer. The corresponding machine code contains the shift, not the target address. The IP address ranges from-128 ~ 127.
N Command Format: loop label
(CX) = (CX)-1. If (CX) is less than 0, it is transferred to the label for execution.
From: http://www.cnblogs.com/sunt/archive/2010/11/25/1887657.htmlStart building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
