OllyDbg插件CheatUtility源码剖析
本帖最后由 元始天尊 于 2015-1-10 12:19 编辑CheatUtility
该插件可以自由修改程序数据且在数据处下断点以捕获修改代码,活像OllyDbg的CheatEngine。含2个对话框,插件目录下可以看到作者特意做了个使用视频,确实是很有用的工具
文件大小11kb,用户代码部分3828b,反编译得500行c代码,关键反汇编代码如下:
.text:100010E2_ODBG_Pluginaction proc near ;DATA XREF: .rdata:off_100024A8o
; OllyDbg plugin export, entered when the user picks one of this plugin's menu
; items. Frame layout below: origin at [ebp+8], action at [ebp+0Ch], item at
; [ebp+10h]. Several memory operands were lost when this listing was extracted
; (bare "mov eax,"); the frame layout suggests [ebp+origin] / [ebp+action] --
; confirm against the original IDA database.
.text:100010E2
.text:100010E2origin = dword ptr8
.text:100010E2action = dword ptr0Ch
.text:100010E2item = dword ptr10h
.text:100010E2
.text:100010E2 push ebp
.text:100010E3 mov ebp, esp
.text:100010E5 mov eax, ; operand lost in extraction; presumably [ebp+origin]
.text:100010E8 or eax, eax
.text:100010EA jnz short locret_1000115C ; anything but origin 0 (PM_MAIN, the plugin's main-menu entry) is ignored
.text:100010EC mov eax, ; operand lost in extraction; presumably [ebp+action]
.text:100010EF or eax, eax
.text:100010F1 jnz short loc_10001140 ; action != 0: fall to the "about" check below
.text:100010F3 push 14h ; 14h = 20 = VAL_HPROCESS in OllyDbg's plugin.h
.text:100010F5 call _Plugingetvalue ; cdecl: the caller pops the argument on the next line
.text:100010FA add esp, 4
.text:100010FD mov hProcess, eax ; cached once here; every later Read/WriteProcessMemory in the plugin uses this global
.text:10001102 or eax, eax
.text:10001104 jnz short loc_10001122
.text:10001106 push 40030h ; uType = MB_ICONWARNING | MB_TOPMOST
.text:1000110B push offset Caption; "Cheat Utility Plugin"
.text:10001110 push offset Text ; "No Debugee loaded "
.text:10001115 push hWnd ; hWnd
.text:1000111B call MessageBoxA
.text:10001120 jmp short locret_1000115C
.text:10001122; ---------------------------------------------------------------------------
.text:10001122
.text:10001122loc_10001122: ;CODE XREF: _ODBG_Pluginaction+22j
; Debuggee present: run the main dialog on its own thread (StartAddress is
; the thread entry that references MainDialogFunc, per the xref at 10001172).
.text:10001122 push offset ThreadId ; lpThreadId
.text:10001127 push 0 ; dwCreationFlags
.text:10001129 push 0 ; lpParameter
.text:1000112B push offset StartAddress ; lpStartAddress
.text:10001130 push 0 ; dwStackSize
.text:10001132 push 0 ; lpThreadAttributes
.text:10001134 call CreateThread ; the returned thread handle is overwritten by the next instruction and never closed (handle leak)
.text:10001139 mov eax, 1 ; tell OllyDbg the action was handled
.text:1000113E jmp short locret_1000115C
.text:10001140; ---------------------------------------------------------------------------
.text:10001140
.text:10001140loc_10001140: ;CODE XREF: _ODBG_Pluginaction+Fj
.text:10001140 cmp eax, 1 ; action 1 = the "about" menu item
.text:10001143 jnz short locret_1000115C
.text:10001145 push 40h ; uType = MB_ICONINFORMATION
.text:10001147 push offset aCheatUtility_1 ; "CheatUtility Plugin"
.text:1000114C push offset aCheatUtility_2 ; "CheatUtility Plugin v1.0\r\nCopyright (C"...
.text:10001151 push hWnd ; hWnd
.text:10001157 call MessageBoxA
.text:1000115C
.text:1000115Clocret_1000115C: ;CODE XREF: _ODBG_Pluginaction+8j
.text:1000115C ;_ODBG_Pluginaction+3Ej ...
; Note: eax is whatever the last call left in it on the non-thread paths, so
; the return value is only meaningful on the action-0 path (eax = 1).
.text:1000115C leave
.text:1000115D retn ; cdecl return, matching the plugin API's calling convention
.text:10001172MainDialogFuncproc near ; DATA XREF: StartAddress+7o
; Dialog procedure of the plugin's main window (stdcall, 4 params, see the
; "retn 10h" at the end). Handles WM_INITDIALOG (110h), WM_COMMAND (111h),
; WM_NOTIFY (4Eh) and WM_CLOSE (10h). Many bracketed memory operands were
; lost in extraction ("push ; hDlg", "mov eax,"); the IDA parameter comments
; that survived say what they were -- confirm against the database.
; "ZeroMemory" below is called with no arguments pushed, so it is a local
; helper, not the Win32 macro; presumably it clears the String buffer.
.text:10001172
.text:10001172Translated = dword ptr -4
.text:10001172lpParameter = dword ptr8
.text:10001172uMsg = dword ptr0Ch
.text:10001172wParam = dword ptr10h
.text:10001172lParam = dword ptr14h
.text:10001172
.text:10001172 push ebp
.text:10001173 mov ebp, esp
.text:10001175 add esp, 0FFFFFFFCh ; reserve Translated (GetDlgItemInt's BOOL out-param)
.text:10001178 mov eax, ; operand lost in extraction; presumably [ebp+uMsg]
.text:1000117B cmp eax, 110h ; WM_INITDIALOG
.text:10001180 jnz loc_100012AF
; --- WM_INITDIALOG: build the list-view context menu, init state, allocate the scan buffers ---
.text:10001186 call CreatePopupMenu
.text:1000118B mov hMenu, eax ; global; shown later from the NM_RCLICK handler
.text:10001190 push offset NewItem; "Follow in Dump"
.text:10001195 push 1F5h ; uIDNewItem = 501
.text:1000119A push 0 ; uFlags
.text:1000119C push hMenu ; hMenu
.text:100011A2 call AppendMenuA
.text:100011A7 push offset aHardwareBreakp ; "HardwareBreakpoint"
.text:100011AC push 1F6h ; uIDNewItem = 502
.text:100011B1 push 0 ; uFlags
.text:100011B3 push hMenu ; hMenu
.text:100011B9 call AppendMenuA
.text:100011BE push 0 ; lpNewItem
.text:100011C0 push 0 ; uIDNewItem
.text:100011C2 push 800h ; uFlags = MF_SEPARATOR
.text:100011C7 push hMenu ; hMenu
.text:100011CD call AppendMenuA
.text:100011D2 push offset aChangeValue ; "ChangeValue"
.text:100011D7 push 1F4h ; uIDNewItem = 500
.text:100011DC push 0 ; uFlags
.text:100011DE push hMenu ; hMenu
.text:100011E4 call AppendMenuA
.text:100011E9 push 0 ; lpNewItem
.text:100011EB push 0 ; uIDNewItem
.text:100011ED push 800h ; uFlags = MF_SEPARATOR
.text:100011F2 push hMenu ; hMenu
.text:100011F8 call AppendMenuA
.text:100011FD push offset aDelete; "Delete"
.text:10001202 push 1F7h ; uIDNewItem = 503
.text:10001207 push 0 ; uFlags
.text:10001209 push hMenu ; hMenu
.text:1000120F call AppendMenuA
.text:10001214 push 3E9h ; nIDDlgItem = 1001, the results list-view
.text:10001219 push ; hDlg
.text:1000121C call GetDlgItem
.text:10001221 mov hListView, eax ; compared against NMHDR.hwndFrom in the WM_NOTIFY handler
.text:10001226 call known2 ; unnamed helper; purpose not visible in this listing
.text:1000122B push 1 ; uCheck = BST_CHECKED
.text:1000122D push 3F6h ; nIDButton = 1014 (the default-width radio, see also the reset command 415h)
.text:10001232 push ; hDlg
.text:10001235 call CheckDlgButton
.text:1000123A mov bpsize, 4 ; default scan/breakpoint width in bytes
; Three 16 MB (1000000h) buffers: base addresses, read-back data, region sizes.
; None of the VirtualAlloc results is checked for NULL before use, and the
; VirtualLock return values are ignored (locking 3 x 16 MB likely exceeds the
; default working-set quota, so these locks probably fail silently).
.text:10001241 push 4 ; flProtect = PAGE_READWRITE
.text:10001243 push 1000h ; flAllocationType = MEM_COMMIT
.text:10001248 push 1000000h ; dwSize
.text:1000124D push 0 ; lpAddress
.text:1000124F call VirtualAlloc
.text:10001254 mov BaseAddrArray, eax
.text:10001259 push 1000000h ; dwSize
.text:1000125E push eax ; lpAddress
.text:1000125F call VirtualLock
.text:10001264 push 4 ; flProtect = PAGE_READWRITE
.text:10001266 push 1000h ; flAllocationType = MEM_COMMIT
.text:1000126B push 1000000h ; dwSize
.text:10001270 push 0 ; lpAddress
.text:10001272 call VirtualAlloc
.text:10001277 mov ResultDataArray, eax ; ReadProcessMemory target in the scan threads; its 16 MB size is never enforced there
.text:1000127C push 1000000h ; dwSize
.text:10001281 push eax ; lpAddress
.text:10001282 call VirtualLock
.text:10001287 push 4 ; flProtect = PAGE_READWRITE
.text:10001289 push 1000h ; flAllocationType = MEM_COMMIT
.text:1000128E push 1000000h ; dwSize
.text:10001293 push 0 ; lpAddress
.text:10001295 call VirtualAlloc
.text:1000129A mov AddrSizeArray, eax
.text:1000129F push 1000000h ; dwSize
.text:100012A4 push eax ; lpAddress
.text:100012A5 call VirtualLock
.text:100012AA jmp loc_10001768
.text:100012AF; ---------------------------------------------------------------------------
.text:100012AF
.text:100012AFloc_100012AF: ; CODE XREF: MainDialogFunc+Ej
.text:100012AF cmp eax, 111h ; WM_COMMAND
.text:100012B4 jnz loc_1000166D
.text:100012BA mov eax, ; operand lost in extraction; presumably [ebp+wParam]
.text:100012BD cmp , 0 ; operand lost; presumably the notification code in HIWORD(wParam)
.text:100012C1 jnz loc_100013E5
; --- context-menu commands (LOWORD(wParam)) ---
; Each of the four branches below ends by jumping to loc_100013E5 with eax
; holding the last call's return value, not wParam, so the button-ID compares
; there then run on a stale value.
.text:100012C7 cmp ax, 1F5h ; "Follow in Dump"
.text:100012CB jnz short loc_10001313
.text:100012CD push 1 ; lParam = LVNI_FOCUSED
.text:100012CF push 0FFFFFFFFh ; wParam = -1 (start from the beginning)
.text:100012D1 push 100Ch ; Msg = LVM_GETNEXTITEM
.text:100012D6 push 3E9h ; nIDDlgItem
.text:100012DB push ; hDlg
.text:100012DE call SendDlgItemMessageA ; eax = focused item index (or -1; not checked before use)
.text:100012E3 push 0 ; _DWORD
.text:100012E5 push eax ; _DWORD
.text:100012E6 call ListViewGetItem ; helper: copies the item's text into String (see the GetAddressFromString that follows)
.text:100012EB push offset String
.text:100012F0 call GetAddressFromString
.text:100012F5 push 0A0h ; mode
.text:100012FA push 0 ; stackaddr
.text:100012FC push eax ; dumpaddr
.text:100012FD push 0 ; asmaddr
.text:100012FF push 0 ; threadid
.text:10001301 call _Setcpu ; OllyDbg API: scroll the CPU dump pane to the address
.text:10001306 add esp, 14h ; cdecl, 5 args
.text:10001309 call ZeroMemory
.text:1000130E jmp loc_100013E5
.text:10001313; ---------------------------------------------------------------------------
.text:10001313
.text:10001313loc_10001313: ;CODE XREF: MainDialogFunc+159j
.text:10001313 cmp ax, 1F6h ; "HardwareBreakpoint"
.text:10001317 jnz short loc_10001360
.text:10001319 push 1 ; lParam = LVNI_FOCUSED
.text:1000131B push 0FFFFFFFFh ; wParam
.text:1000131D push 100Ch ; Msg = LVM_GETNEXTITEM
.text:10001322 push 3E9h ; nIDDlgItem
.text:10001327 push ; hDlg
.text:1000132A call SendDlgItemMessageA
.text:1000132F push 0 ; _DWORD
.text:10001331 push eax ; _DWORD
.text:10001332 call ListViewGetItem
.text:10001337 push offset String
.text:1000133C call GetAddressFromString
.text:10001341 mov edx, eax ; edx = address parsed from the selected row
.text:10001343 xor eax, eax
.text:10001345 mov al, bpsize ; bpsize is a byte global; zero-extended here
.text:1000134A push 2 ; type (see Sethardwarebreakpoint's type table in plugin.h)
.text:1000134C push eax ; size
.text:1000134D push edx ; addr
.text:1000134E call _Sethardwarebreakpoint ; Sethardwarebreakpoint(addr, size, type)
.text:10001353 add esp, 0Ch ; cdecl, 3 args; return value not checked
.text:10001356 call ZeroMemory
.text:1000135B jmp loc_100013E5
.text:10001360; ---------------------------------------------------------------------------
.text:10001360
.text:10001360loc_10001360: ;CODE XREF: MainDialogFunc+1A5j
.text:10001360 cmp ax, 1F4h ; "ChangeValue"
.text:10001364 jnz short loc_100013B4
.text:10001366 push 1 ; lParam = LVNI_FOCUSED
.text:10001368 push 0FFFFFFFFh ; wParam
.text:1000136A push 100Ch ; Msg = LVM_GETNEXTITEM
.text:1000136F push 3E9h ; nIDDlgItem
.text:10001374 push ; hDlg
.text:10001377 call SendDlgItemMessageA
.text:1000137C push 0 ; _DWORD
.text:1000137E push eax ; _DWORD
.text:1000137F call ListViewGetItem
.text:10001384 push offset String
.text:10001389 call GetAddressFromString
.text:1000138E mov ValueAddr, eax ; global consumed by SetDialogFunc's WriteProcessMemory
.text:10001393 call ZeroMemory
.text:10001398 push 0 ; dwInitParam
.text:1000139A push offset SetDialogFunc ; lpDialogFunc
.text:1000139F push ; hWndParent
.text:100013A2 push 403h ; lpTemplateName = resource 1027
.text:100013A7 push hInstance ; hInstance
.text:100013AD call DialogBoxParamA ; modal "set value" dialog; same sequence as the NM_DBLCLK handler below
.text:100013B2 jmp short loc_100013E5
.text:100013B4; ---------------------------------------------------------------------------
.text:100013B4
.text:100013B4loc_100013B4: ;CODE XREF: MainDialogFunc+1F2j
.text:100013B4 cmp ax, 1F7h ; "Delete"
.text:100013B8 jnz short loc_100013E5
.text:100013BA push 1 ; lParam = LVNI_FOCUSED
.text:100013BC push 0FFFFFFFFh ; wParam
.text:100013BE push 100Ch ; Msg = LVM_GETNEXTITEM
.text:100013C3 push 3E9h ; nIDDlgItem
.text:100013C8 push ; hDlg
.text:100013CB call SendDlgItemMessageA
.text:100013D0 push 0 ; lParam
.text:100013D2 push eax ; wParam = item index (a -1 "no focus" result is passed through unchecked)
.text:100013D3 push 1008h ; Msg = LVM_DELETEITEM
.text:100013D8 push 3E9h ; nIDDlgItem
.text:100013DD push ; hDlg
.text:100013E0 call SendDlgItemMessageA
.text:100013E5
.text:100013E5loc_100013E5: ;CODE XREF: MainDialogFunc+14Fj
.text:100013E5 ;MainDialogFunc+19Cj ...
; --- dialog buttons (full wParam in eax) ---
.text:100013E5 cmp eax, 64h ; 100: "first scan"
.text:100013E8 jnz short loc_10001421
.text:100013EA push ; hDlg
.text:100013ED call known1 ; unnamed helper taking hDlg; purpose not visible here
.text:100013F2 mov stopfind, 0 ; clear the cancel flag polled by the scan threads
.text:100013F9 mov eax, hProcess
.text:100013FE push eax ; hProcess
.text:100013FF call SearchFreeMemoryBlock ; enumerates debuggee regions into BaseAddrArray/AddrSizeArray (synchronously, on the UI thread)
.text:10001404 push offset firstthreadid ; lpThreadId -- a thread *id* is stored; the handle CreateThread returns is dropped
.text:10001409 push 0 ; dwCreationFlags
.text:1000140B push ; lpParameter = hDlg
.text:1000140E push offset FindFirstThread ; lpStartAddress
.text:10001413 push 0 ; dwStackSize
.text:10001415 push 0 ; lpThreadAttributes
.text:10001417 call CreateThread ; a second click starts another scan thread while the first may still be running on the same globals
.text:1000141C jmp loc_10001768
.text:10001421; ---------------------------------------------------------------------------
.text:10001421
.text:10001421loc_10001421: ;CODE XREF: MainDialogFunc+276j
.text:10001421 cmp eax, 65h ; 101: "next scan"
.text:10001424 jnz short loc_1000144A
.text:10001426 mov stopfind, 0
.text:1000142D push offset firstthreadid ; lpThreadId (same global as the first-scan thread)
.text:10001432 push 0 ; dwCreationFlags
.text:10001434 push ; lpParameter = hDlg
.text:10001437 push offset FindNextThread ; lpStartAddress
.text:1000143C push 0 ; dwStackSize
.text:1000143E push 0 ; lpThreadAttributes
.text:10001440 call CreateThread ; returned handle dropped here too
.text:10001445 jmp loc_10001768
.text:1000144A; ---------------------------------------------------------------------------
.text:1000144A
.text:1000144Aloc_1000144A: ;CODE XREF: MainDialogFunc+2B2j
.text:1000144A cmp eax, 102 ; 66h: "stop"
.text:1000144D jnz short loc_1000145B
.text:1000144F mov stopfind, 1 ; cooperative cancel; the threads check it once per region and once per byte
.text:10001456 jmp loc_10001768
.text:1000145B; ---------------------------------------------------------------------------
.text:1000145B
.text:1000145Bloc_1000145B: ;CODE XREF: MainDialogFunc+2DBj
.text:1000145B cmp eax, 1043 ; 413h: "+" (increment the value edit)
.text:10001460 jnz loc_100014F0
.text:10001466 cmp IsHex, 0
.text:1000146D jnz short loc_100014A2
.text:1000146F push 1 ; bSigned
.text:10001471 lea eax, ; operand lost; presumably [ebp+Translated]
.text:10001474 push eax ; lpTranslated
.text:10001475 push 0C8h ; nIDDlgItem = 200, the value edit
.text:1000147A push ; hDlg
.text:1000147D call GetDlgItemInt
.text:10001482 cmp , 0 ; operand lost; presumably [ebp+Translated]
.text:10001486 jz loc_1000176A ; not a number -> "Error occurred"
.text:1000148C inc eax
.text:1000148D push 1 ; bSigned
.text:1000148F push eax ; uValue
.text:10001490 push 0C8h ; nIDDlgItem
.text:10001495 push ; hDlg
.text:10001498 call SetDlgItemInt
.text:1000149D jmp loc_10001768
.text:100014A2; ---------------------------------------------------------------------------
.text:100014A2
.text:100014A2loc_100014A2: ;CODE XREF: MainDialogFunc+2FBj
; Hex path of "+": note it reads control 40Ch but writes control 0C8h. The
; decimal path above and FindFirstThread's hex path both use 0C8h, so the
; 40Ch here (also at loc_10001537) looks like a copy of SetDialogFunc's code
; -- worth confirming which control the main dialog's value edit really is.
.text:100014A2 push 9 ; cchMax = 8 hex digits + NUL
.text:100014A4 push offset String ; lpString
.text:100014A9 push 40Ch ; nIDDlgItem
.text:100014AE push ; hDlg
.text:100014B1 call GetDlgItemTextA
.text:100014B6 push offset String
.text:100014BB call GetAddressFromString
.text:100014C0 call ZeroMemory ; eax survives this call, as the inc that follows relies on it
.text:100014C5 inc eax
.text:100014C6 push eax
.text:100014C7 push offset a_8x ; "%.8X"
.text:100014CC push offset String ; LPSTR
.text:100014D1 call wsprintfA
.text:100014D6 add esp, 0Ch
.text:100014D9 push offset String ; lpString
.text:100014DE push 0C8h ; nIDDlgItem
.text:100014E3 push ; hDlg
.text:100014E6 call SetDlgItemTextA
.text:100014EB jmp loc_10001768
.text:100014F0; ---------------------------------------------------------------------------
.text:100014F0
.text:100014F0loc_100014F0: ;CODE XREF: MainDialogFunc+2EEj
.text:100014F0 cmp eax, 414h ; 1044: "-" (decrement; mirror of the "+" handler)
.text:100014F5 jnz loc_10001585
.text:100014FB cmp IsHex, 0
.text:10001502 jnz short loc_10001537
.text:10001504 push 1 ; bSigned
.text:10001506 lea eax, ; operand lost; presumably [ebp+Translated]
.text:10001509 push eax ; lpTranslated
.text:1000150A push 0C8h ; nIDDlgItem
.text:1000150F push ; hDlg
.text:10001512 call GetDlgItemInt
.text:10001517 cmp , 0 ; operand lost; presumably [ebp+Translated]
.text:1000151B jz loc_1000176A
.text:10001521 dec eax
.text:10001522 push 1 ; bSigned
.text:10001524 push eax ; uValue
.text:10001525 push 0C8h ; nIDDlgItem
.text:1000152A push ; hDlg
.text:1000152D call SetDlgItemInt
.text:10001532 jmp loc_10001768
.text:10001537; ---------------------------------------------------------------------------
.text:10001537
.text:10001537loc_10001537: ;CODE XREF: MainDialogFunc+390j
.text:10001537 push 9 ; cchMax
.text:10001539 push offset String ; lpString
.text:1000153E push 40Ch ; nIDDlgItem (see the note at loc_100014A2)
.text:10001543 push ; hDlg
.text:10001546 call GetDlgItemTextA
.text:1000154B push offset String
.text:10001550 call GetAddressFromString
.text:10001555 call ZeroMemory
.text:1000155A dec eax
.text:1000155B push eax
.text:1000155C push offset a_8x_0 ; "%.8X"
.text:10001561 push offset String ; LPSTR
.text:10001566 call wsprintfA
.text:1000156B add esp, 0Ch
.text:1000156E push offset String ; lpString
.text:10001573 push 0C8h ; nIDDlgItem
.text:10001578 push ; hDlg
.text:1000157B call SetDlgItemTextA
.text:10001580 jmp loc_10001768
.text:10001585; ---------------------------------------------------------------------------
.text:10001585
.text:10001585loc_10001585: ;CODE XREF: MainDialogFunc+383j
.text:10001585 cmp eax, 415h ; 1045: "reset" -- back to the WM_INITDIALOG state
.text:1000158A jnz short loc_10001609
.text:1000158C push 1 ; uCheck = BST_CHECKED
.text:1000158E push 3F6h ; nIDButton = 1014
.text:10001593 push ; hDlg
.text:10001596 call CheckDlgButton
.text:1000159B push 0 ; uCheck = BST_UNCHECKED
.text:1000159D push 3F3h ; nIDButton = 1011
.text:100015A2 push ; hDlg
.text:100015A5 call CheckDlgButton
.text:100015AA push 1 ; bSigned
.text:100015AC push 0 ; uValue
.text:100015AE push 0C8h ; nIDDlgItem
.text:100015B3 push ; hDlg
.text:100015B6 call SetDlgItemInt
.text:100015BB push 0 ; lParam
.text:100015BD push 0 ; wParam
.text:100015BF push 1009h ; Msg = LVM_DELETEALLITEMS
.text:100015C4 push 3E9h ; nIDDlgItem
.text:100015C9 push ; hDlg
.text:100015CC call SendDlgItemMessageA
.text:100015D1 mov bpsize, 4
.text:100015D8 mov IsHex, 0
; Clears two of the three buffers; AddrSizeArray is left as is (it is
; re-zeroed by SearchFreeMemoryBlock on the next first-scan). A scan thread
; still running at this point reads these buffers while they are wiped.
.text:100015DF push 1000000h
.text:100015E4 push BaseAddrArray
.text:100015EA call RtlZeroMemory ; the real Win32 one, with two pushed args (contrast the bare "call ZeroMemory")
.text:100015EF push 1000000h
.text:100015F4 push ResultDataArray
.text:100015FA call RtlZeroMemory
.text:100015FF call ZeroMemory
.text:10001604 jmp loc_10001768
.text:10001609; ---------------------------------------------------------------------------
.text:10001609
.text:10001609loc_10001609: ;CODE XREF: MainDialogFunc+418j
.text:10001609 cmp eax, 410h ; 1040: "about"
.text:1000160E jnz short loc_1000162C
.text:10001610 push 40h ; uType = MB_ICONINFORMATION
.text:10001612 push offset aCheatUtility_3 ; "CheatUtility Plugin"
.text:10001617 push offset aCheatUtility_4 ; "CheatUtility Plugin v1.0\r\nCopyright (C"...
.text:1000161C push hWnd ; hWnd
.text:10001622 call MessageBoxA
.text:10001627 jmp loc_10001768
.text:1000162C; ---------------------------------------------------------------------------
.text:1000162C
.text:1000162Cloc_1000162C: ;CODE XREF: MainDialogFunc+49Cj
.text:1000162C cmp eax, 411h ; 1041: "website" -- opens the author's URL in the default handler
.text:10001631 jnz short loc_1000164F
.text:10001633 push 3 ; nShowCmd = SW_MAXIMIZE
.text:10001635 push 0 ; lpDirectory
.text:10001637 push 0 ; lpParameters
.text:10001639 push offset File ; "http://www.at4re.com/"
.text:1000163E push offset Operation ; "Open"
.text:10001643 push 0 ; hwnd
.text:10001645 call ShellExecuteA
.text:1000164A jmp loc_10001768
.text:1000164F; ---------------------------------------------------------------------------
.text:1000164F
.text:1000164Floc_1000164F: ;CODE XREF: MainDialogFunc+4BFj
.text:1000164F cmp eax,412h ; 1042: "exit" -> post ourselves WM_CLOSE
.text:10001654 jnz loc_10001768
.text:1000165A push 0 ; lParam
.text:1000165C push 0 ; wParam
.text:1000165E push 10h ; Msg = WM_CLOSE
.text:10001660 push ; hWnd
.text:10001663 call SendMessageA
.text:10001668 jmp loc_10001768
.text:1000166D; ---------------------------------------------------------------------------
.text:1000166D
.text:1000166Dloc_1000166D: ;CODE XREF: MainDialogFunc+142j
.text:1000166D cmp eax, 4Eh ; WM_NOTIFY
.text:10001670 jnz loc_1000170F
.text:10001676 push edi ; edi is preserved around this branch only (see the SearchFreeMemoryBlock note)
.text:10001677 mov edi, ; operand lost; presumably [ebp+lParam] = NMHDR*
.text:1000167A mov eax, ; operand lost; presumably [edi] = NMHDR.hwndFrom
.text:1000167C cmp eax, hListView ; only notifications from the results list-view
.text:10001682 jnz loc_1000170C
.text:10001688 cmp dword ptr , 0FFFFFFFDh ; operand lost; presumably NMHDR.code == -3 = NM_DBLCLK
.text:1000168C jnz short loc_100016DC
; Double-click on a row: same "ChangeValue" sequence as menu id 1F4h.
.text:1000168E push 1 ; lParam = LVNI_FOCUSED
.text:10001690 push 0FFFFFFFFh ; wParam
.text:10001692 push 100Ch ; Msg = LVM_GETNEXTITEM
.text:10001697 push 3E9h ; nIDDlgItem
.text:1000169C push ; hDlg
.text:1000169F call SendDlgItemMessageA
.text:100016A4 push 0 ; _DWORD
.text:100016A6 push eax ; _DWORD
.text:100016A7 call ListViewGetItem
.text:100016AC push offset String
.text:100016B1 call GetAddressFromString
.text:100016B6 mov ValueAddr, eax
.text:100016BB call ZeroMemory
.text:100016C0 push 0 ; dwInitParam
.text:100016C2 push offset SetDialogFunc ; lpDialogFunc
.text:100016C7 push ; hWndParent
.text:100016CA push 403h ; lpTemplateName
.text:100016CF push hInstance ; hInstance
.text:100016D5 call DialogBoxParamA
.text:100016DA jmp short loc_1000170C
.text:100016DC; ---------------------------------------------------------------------------
.text:100016DC
.text:100016DCloc_100016DC: ;CODE XREF: MainDialogFunc+51Aj
.text:100016DC cmp dword ptr , 0FFFFFFFBh ; operand lost; presumably NMHDR.code == -5 = NM_RCLICK
.text:100016E0 jnz short loc_1000170C
.text:100016E2 push offset Point ; lpPoint (global POINT)
.text:100016E7 call GetCursorPos
.text:100016EC push 0 ; prcRect
.text:100016EE push ; hWnd
.text:100016F1 push 0 ; nReserved
.text:100016F3 push Point.y ; y
.text:100016F9 push Point.x ; x
.text:100016FF push 0 ; uFlags
.text:10001701 push hMenu ; hMenu
.text:10001707 call TrackPopupMenu ; the chosen id arrives as WM_COMMAND and is handled at loc_100012C7
.text:1000170C
.text:1000170Cloc_1000170C: ; CODE XREF:MainDialogFunc+510j
.text:1000170C ;MainDialogFunc+568j ...
.text:1000170C pop edi
.text:1000170D jmp short loc_10001768
.text:1000170F; ---------------------------------------------------------------------------
.text:1000170F
.text:1000170Floc_1000170F: ;CODE XREF: MainDialogFunc+4FEj
.text:1000170F cmp eax, 10h ; WM_CLOSE: tear down
.text:10001712 jnz short loc_10001768
; Two things to note in this teardown:
;  - firstthreadid holds a thread *id* (it was passed as lpThreadId above),
;    not a handle, so this CloseHandle is given the wrong object; the real
;    thread handles were never kept.
;  - stopfind is not set and no scan thread is waited on before the buffers
;    below are decommitted, so a scan still in progress would touch freed
;    pages.
.text:10001714 push firstthreadid ; hObject
.text:1000171A call CloseHandle
.text:1000171F push 4000h ; dwFreeType = MEM_DECOMMIT: pages go, the 16 MB reservation stays (no MEM_RELEASE anywhere)
.text:10001724 push 1000000h ; dwSize
.text:10001729 push ResultDataArray ; lpAddress
.text:1000172F call VirtualFree
.text:10001734 push 4000h ; dwFreeType = MEM_DECOMMIT
.text:10001739 push 1000000h ; dwSize
.text:1000173E push BaseAddrArray ; lpAddress
.text:10001744 call VirtualFree
.text:10001749 push 4000h ; dwFreeType = MEM_DECOMMIT
.text:1000174E push 1000000h ; dwSize
.text:10001753 push AddrSizeArray ; lpAddress
.text:10001759 call VirtualFree
.text:1000175E push 0 ; nResult
.text:10001760 push ; hDlg
.text:10001763 call EndDialog
.text:10001768
.text:10001768loc_10001768: ;CODE XREF: MainDialogFunc+138j
.text:10001768 ;MainDialogFunc+2AAj ...
.text:10001768 jmp short loc_10001781
.text:1000176A; ---------------------------------------------------------------------------
.text:1000176A
.text:1000176Aloc_1000176A: ;CODE XREF: MainDialogFunc+314j
.text:1000176A ;MainDialogFunc+3A9j
; Shared error exit for a non-numeric value edit.
.text:1000176A push 40010h ; uType = MB_ICONERROR | MB_TOPMOST
.text:1000176F push offset aCheatUtility_5 ; "CheatUtility Plugin"
.text:10001774 push offset aErrorOccurred ; "Erroroccurred "
.text:10001779 push ; hWnd
.text:1000177C call MessageBoxA
.text:10001781
.text:10001781loc_10001781: ;CODE XREF: MainDialogFunc:loc_10001768j
.text:10001781 xor eax, eax ; always returns FALSE, whatever the message
.text:10001783 leave
.text:10001784 retn 10h ; stdcall, 4 params
.text:10001787SetDialogFunc proc near ; DATA XREF: MainDialogFunc+228o
.text:10001787 ; MainDialogFunc+550o
; Dialog procedure of the modal "ChangeValue" box (template 403h). On OK it
; parses the edit control and writes bpsize bytes of it to the debuggee at
; ValueAddr (both globals set by MainDialogFunc). Bracketed operands were lost
; in extraction; the surviving IDA comments name them.
.text:10001787
.text:10001787Translated = dword ptr -8
.text:10001787Buffer = dword ptr -4
.text:10001787hwndDlg = dword ptr8
.text:10001787uMsg = dword ptr0Ch
.text:10001787wParam = dword ptr10h
.text:10001787lParam = dword ptr14h
.text:10001787
.text:10001787 push ebp
.text:10001788 mov ebp, esp
.text:1000178A add esp, 0FFFFFFF8h ; Translated + Buffer
.text:1000178D mov eax, ; operand lost; presumably [ebp+uMsg]
.text:10001790 cmp eax, 110h ; WM_INITDIALOG: nothing to set up
.text:10001795 jnz short loc_1000179C
.text:10001797 jmp loc_10001843
.text:1000179C; ---------------------------------------------------------------------------
.text:1000179C
.text:1000179Cloc_1000179C: ;CODE XREF: SetDialogFunc+Ej
.text:1000179C cmp eax, 111h ; WM_COMMAND
.text:100017A1 jnz loc_10001834
.text:100017A7 mov eax, ; operand lost; presumably [ebp+wParam]
.text:100017AA cmp eax, 40Ah ; 1034: OK (whole wParam compared, so only BN_CLICKED matches)
.text:100017AF jnz short loc_10001821
.text:100017B1 cmp IsHex, 0
.text:100017B8 jnz short loc_100017D5
.text:100017BA push 1 ; bSigned
.text:100017BC lea eax, ; operand lost; presumably [ebp+Translated]
.text:100017BF push eax ; lpTranslated
.text:100017C0 push 40Ch ; nIDDlgItem = 1036, this dialog's value edit
.text:100017C5 push ; hDlg
.text:100017C8 call GetDlgItemInt
.text:100017CD cmp , 0 ; operand lost; presumably [ebp+Translated]
.text:100017D1 jz short loc_10001845 ; not a number -> error box, dialog stays open
.text:100017D3 jmp short loc_100017F3
.text:100017D5; ---------------------------------------------------------------------------
.text:100017D5
.text:100017D5loc_100017D5: ;CODE XREF: SetDialogFunc+31j
.text:100017D5 push 9 ; cchMax = 8 hex digits + NUL
.text:100017D7 push offset String ; lpString
.text:100017DC push 40Ch ; nIDDlgItem
.text:100017E1 push ; hDlg
.text:100017E4 call GetDlgItemTextA
.text:100017E9 push offset String
.text:100017EE call GetAddressFromString ; no failure path on the hex side: whatever it returns is written
.text:100017F3
.text:100017F3loc_100017F3: ;CODE XREF: SetDialogFunc+4Cj
.text:100017F3 mov , eax ; operand lost; presumably [ebp+Buffer] = parsed value
.text:100017F6 xor eax, eax
.text:100017F8 mov al, bpsize ; byte width; Buffer is one dword, so this assumes bpsize <= 4
; Direct WriteProcessMemory rather than OllyDbg's Writememory(): the debugger's
; own bookkeeping (e.g. INT3 breakpoints it has patched into that range) is
; bypassed, and the BOOL result is discarded.
.text:100017FD push 0 ; lpNumberOfBytesWritten
.text:100017FF push eax ; nSize
.text:10001800 lea eax, ; operand lost; presumably [ebp+Buffer]
.text:10001803 push eax ; lpBuffer
.text:10001804 push ValueAddr ; lpBaseAddress
.text:1000180A push hProcess ; hProcess
.text:10001810 call WriteProcessMemory
.text:10001815 push 0 ; nResult
.text:10001817 push ; hDlg
.text:1000181A call EndDialog
.text:1000181F jmp short loc_10001843
.text:10001821; ---------------------------------------------------------------------------
.text:10001821
.text:10001821loc_10001821: ;CODE XREF: SetDialogFunc+28j
.text:10001821 cmp eax, 40Bh ; 1035: Cancel
.text:10001826 jnz short loc_10001843
.text:10001828 push 0 ; nResult
.text:1000182A push ; hDlg
.text:1000182D call EndDialog
.text:10001832 jmp short loc_10001843
.text:10001834; ---------------------------------------------------------------------------
.text:10001834
.text:10001834loc_10001834: ; CODE XREF: SetDialogFunc+1Aj
.text:10001834 cmp eax, 10h ; WM_CLOSE
.text:10001837 jnz short loc_10001843
.text:10001839 push 0 ; nResult
.text:1000183B push ; hDlg
.text:1000183E call EndDialog
.text:10001843
.text:10001843loc_10001843: ;CODE XREF: SetDialogFunc+10j
.text:10001843 ;SetDialogFunc+98j ...
.text:10001843 jmp short loc_1000185C
.text:10001845; ---------------------------------------------------------------------------
.text:10001845
.text:10001845loc_10001845: ;CODE XREF: SetDialogFunc+4Aj
.text:10001845 push 40010h ; uType = MB_ICONERROR | MB_TOPMOST
.text:1000184A push offset aCheatUtility_6 ; "CheatUtility Plugin"
.text:1000184F push offset aErrorOccurre_0 ; "Erroroccurred "
.text:10001854 push ; hWnd
.text:10001857 call MessageBoxA
.text:1000185C
.text:1000185Cloc_1000185C: ;CODE XREF: SetDialogFunc:loc_10001843j
.text:1000185C xor eax, eax ; always FALSE
.text:1000185E leave
.text:1000185F retn 10h ; stdcall, 4 params
.text:100018C5SearchFreeMemoryBlock proc near ;CODE XREF: MainDialogFunc+28Dp
; Walks the debuggee's address space from 400000h up to (not including)
; 70000000h with VirtualQueryEx and records each region that passes the six
; filters below as a (BaseAddress, RegionSize) pair in the parallel globals
; BaseAddrArray / AddrSizeArray, indexed by blockindex (in bytes, +4 per entry).
; stdcall, one param (hProcess). The memory operands of the cmp/mov/push
; lines were lost in extraction; the meminfo fields involved are inferred.
.text:100018C5
.text:100018C5meminfo =_MEMORY_BASIC_INFORMATION ptr -1Ch
.text:100018C5hProcess = dword ptr8
.text:100018C5
.text:100018C5 push ebp
.text:100018C6 mov ebp, esp
.text:100018C8 add esp, 0FFFFFFE4h ; 1Ch bytes = sizeof(MEMORY_BASIC_INFORMATION) on 32-bit
.text:100018CB call ZeroMemory ; local helper, no args (presumably clears String)
.text:100018D0 push 1000000h
.text:100018D5 push BaseAddrArray
.text:100018DB call RtlZeroMemory ; a zero BaseAddress entry is the end marker FindFirstThread looks for
.text:100018E0 push 1000000h
.text:100018E5 push AddrSizeArray
.text:100018EB call RtlZeroMemory
.text:100018F0 mov blockindex, 0
; edi is used as the cursor without being saved, and the caller
; (MainDialogFunc) does not save it around this call either -- a dialog
; procedure is expected to preserve edi for its caller.
.text:100018FA mov edi, 400000h ; start at the typical image base
.text:100018FF jmp short loc_1000196D
.text:10001901; ---------------------------------------------------------------------------
.text:10001901
.text:10001901loc_10001901: ;CODE XREF: SearchFreeMemoryBlock+AEj
.text:10001901 push 1Ch ; dwLength
.text:10001903 lea eax, ; operand lost; presumably [ebp+meminfo]
.text:10001906 push eax ; lpBuffer
.text:10001907 push edi ; lpAddress
.text:10001908 push ; hProcess
.text:1000190B call VirtualQueryEx ; return value not checked: on failure meminfo is stale and the cursor advance below uses it anyway
; Six skip conditions. The constants match PAGE_NOACCESS (1), a zero Protect,
; PAGE_NOCACHE (200h), PAGE_EXECUTE (10h), MEM_FREE (10000h) and MEM_MAPPED
; (40000h); which meminfo field each compares is not recoverable from this
; listing, so treat the mapping as a guess. Note the tests are exact
; equality, so e.g. PAGE_GUARD-combined protections are not filtered.
.text:10001910 cmp , 1
.text:10001914 jz short loc_1000196A
.text:10001916 cmp , 0
.text:1000191A jz short loc_1000196A
.text:1000191C cmp , 200h
.text:10001923 jz short loc_1000196A
.text:10001925 cmp , 10h
.text:10001929 jz short loc_1000196A
.text:1000192B cmp , 10000h
.text:10001932 jz short loc_1000196A
.text:10001934 cmp , 40000h
.text:1000193B jz short loc_1000196A
; Record the region. RegionSize is stored uncapped; FindFirstThread later
; passes it as nSize to ReadProcessMemory with the 16 MB ResultDataArray as
; the destination, so a region larger than 1000000h would overrun that buffer.
.text:1000193D lea eax, BaseAddrArray
.text:10001943 mov eax, ; operand lost; presumably [eax] = the array pointer
.text:10001945 add eax, blockindex
.text:1000194B push ; presumably meminfo.BaseAddress
.text:1000194E pop dword ptr ; -> BaseAddrArray[blockindex]
.text:10001950 lea eax, AddrSizeArray
.text:10001956 mov eax, ; operand lost; presumably [eax]
.text:10001958 add eax, blockindex
.text:1000195E push ; presumably meminfo.RegionSize
.text:10001961 pop dword ptr ; -> AddrSizeArray[blockindex]
.text:10001963 add blockindex, 4 ; no bound against the 16 MB arrays (4M entries; not reachable with page-granular regions over this range)
.text:1000196A
.text:1000196Aloc_1000196A: ;CODE XREF: SearchFreeMemoryBlock+4Fj
.text:1000196A ; SearchFreeMemoryBlock+55j ...
.text:1000196A add edi, ; operand lost; presumably meminfo.RegionSize -- a zero here (failed query) would make the loop spin
.text:1000196D
.text:1000196Dloc_1000196D: ;CODE XREF: SearchFreeMemoryBlock+3Aj
.text:1000196D cmp edi, 70000000h ; hard upper bound; regions above it (DLLs, heaps there) are never scanned
.text:10001973 jb short loc_10001901 ; unsigned compare
.text:10001975 leave
.text:10001976 retn 4 ; stdcall, 1 param
.text:10001979FindFirstThread proc near ;DATA XREF: MainDialogFunc+29Co
; Worker thread for "first scan" (lpParameter = the main dialog's hDlg).
; Reads the value to look for from the dialog, then for every region recorded
; by SearchFreeMemoryBlock: reads the region into ResultDataArray, compares it
; byte-offset by byte-offset against ToSearch at width bpsize, and adds each
; hit to the list-view. Cancelled cooperatively through stopfind. Bracketed
; operands were lost in extraction; ecx/ebx are the cursors into
; BaseAddrArray/AddrSizeArray and the stack slots are used to spill them.
.text:10001979
.text:10001979var_C = dword ptr -0Ch
.text:10001979Translated = dword ptr -8
.text:10001979var_4 = dword ptr -4
.text:10001979hWnd = dword ptr8
.text:10001979
.text:10001979 push ebp
.text:1000197A mov ebp, esp
.text:1000197C add esp, 0FFFFFFF4h
.text:1000197F call ZeroMemory ; local helper, no args (presumably clears String)
.text:10001984 push 0 ; lParam
.text:10001986 push 0 ; wParam
.text:10001988 push 1009h ; Msg = LVM_DELETEALLITEMS
.text:1000198D push 3E9h ; nIDDlgItem = the results list-view
.text:10001992 push ; hDlg
.text:10001995 call SendDlgItemMessageA ; cross-thread SendMessage: blocks until the UI thread handles it
.text:1000199A mov , 0 ; operand lost; presumably one of the locals
.text:100019A1 cmp IsHex, 0
.text:100019A8 jnz short loc_100019C9
.text:100019AA push 1 ; bSigned
.text:100019AC lea eax, ; operand lost; presumably [ebp+Translated]
.text:100019AF push eax ; lpTranslated
.text:100019B0 push 0C8h ; nIDDlgItem = 200, the value edit
.text:100019B5 push ; hDlg
.text:100019B8 call GetDlgItemInt
.text:100019BD cmp , 0 ; operand lost; presumably [ebp+Translated]
.text:100019C1 jz loc_10001B0E ; not a number -> error box and exit thread
.text:100019C7 jmp short loc_100019E7
.text:100019C9; ---------------------------------------------------------------------------
.text:100019C9
.text:100019C9loc_100019C9: ;CODE XREF: FindFirstThread+2Fj
.text:100019C9 push 9 ; cchMax = 8 hex digits + NUL
.text:100019CB push offset String ; lpString
.text:100019D0 push 0C8h ; nIDDlgItem (0C8h here, unlike MainDialogFunc's hex paths which read 40Ch)
.text:100019D5 push ; hDlg
.text:100019D8 call GetDlgItemTextA
.text:100019DD push offset String
.text:100019E2 call GetAddressFromString
.text:100019E7
.text:100019E7loc_100019E7: ;CODE XREF: FindFirstThread+4Ej
.text:100019E7 mov ToSearch, eax ; global (also used by FindNextThread)
.text:100019EC mov ecx, BaseAddrArray ; ecx -> current base-address slot
.text:100019F2 mov ebx, AddrSizeArray ; ebx -> current size slot
.text:100019F8 jmp loc_10001B03
.text:100019FD; ---------------------------------------------------------------------------
.text:100019FD
.text:100019FDloc_100019FD: ;CODE XREF: FindFirstThread+18Dj
; --- per-region loop ---
.text:100019FD cmp stopfind, 1
.text:10001A04 jz locret_10001B25
.text:10001A0A push dword ptr ; presumably [ecx] = region base
.text:10001A0C pop ; -> a local (used by the status text and the hit address below)
.text:10001A0F push ebx ; spill the two cursors; the calls below clobber ecx
.text:10001A10 push ecx
.text:10001A11 push 1000000h
.text:10001A16 push ResultDataArray
.text:10001A1C call RtlZeroMemory ; clear the whole 16 MB before each region read
.text:10001A21 call ZeroMemory
.text:10001A26 push 0 ; lParam
.text:10001A28 push 0 ; wParam
.text:10001A2A push 1004h ; Msg = LVM_GETITEMCOUNT
.text:10001A2F push 3E9h ; nIDDlgItem
.text:10001A34 push ; hDlg
.text:10001A37 call SendDlgItemMessageA ; eax = hits so far, for the status line
.text:10001A3C pop ecx ; peek the spilled base-address cursor
.text:10001A3D push ecx
.text:10001A3E push eax
.text:10001A3F push dword ptr ; presumably the saved region base
.text:10001A41 push offset aScanning_8xDIt ; "Scanning :%.8X || %d item(s) found"
.text:10001A46 push offset String ; LPSTR
.text:10001A4B call wsprintfA ; String's capacity is not visible here; this is the longest text written into it in the listing
.text:10001A50 add esp, 10h
.text:10001A53 push offset String ; lpString
.text:10001A58 push 3ECh ; nIDDlgItem = 1004, the status text
.text:10001A5D push ; hDlg
.text:10001A60 call SetDlgItemTextA
.text:10001A65 pop ecx ; restore the cursors ...
.text:10001A66 pop ebx
.text:10001A67 push ebx ; ... and spill them again for the inner loop
.text:10001A68 push ecx
; Reads RegionSize bytes straight into the 16 MB ResultDataArray. nSize comes
; from AddrSizeArray with no cap at 1000000h, and NumberOfBytesRead is never
; consulted: a short or failed read leaves the zeroed tail, which then
; "matches" a ToSearch of 0. Raw ReadProcessMemory also sees OllyDbg's own
; INT3 patches (0CCh) rather than the original bytes.
.text:10001A69 push offset NumberOfBytesRead ;lpNumberOfBytesRead
.text:10001A6E push dword ptr ; nSize -- presumably [ebx] = region size
.text:10001A70 push ResultDataArray ; lpBuffer
.text:10001A76 push dword ptr ; lpBaseAddress -- presumably [ecx] = region base
.text:10001A78 push hProcess ; hProcess
.text:10001A7E call ReadProcessMemory ; BOOL result discarded
.text:10001A83 xor edi, edi ; edi = byte offset within the region
.text:10001A85 jmp short loc_10001AF6
.text:10001A87; ---------------------------------------------------------------------------
.text:10001A87
.text:10001A87loc_10001A87: ;CODE XREF: FindFirstThread+180j
; --- per-offset loop (stride 1 byte, regardless of bpsize) ---
.text:10001A87 cmp stopfind, 1
.text:10001A8E jnz short loc_10001A96
.text:10001A90 pop ecx ; balance the stack before leaving mid-loop (only one of the two spilled slots is popped; leave fixes the rest)
.text:10001A91 jmp locret_10001B25
.text:10001A96; ---------------------------------------------------------------------------
.text:10001A96
.text:10001A96loc_10001A96: ;CODE XREF: FindFirstThread+115j
.text:10001A96 xor eax, eax ; eax/ecx are zeroed so the 16- and 8-bit loads below compare as full dwords
.text:10001A98 xor ecx, ecx
.text:10001A9A cmp bpsize, 4
.text:10001AA1 jnz short loc_10001AB4
.text:10001AA3 mov eax, ToSearch
.text:10001AA8 mov edx, ResultDataArray
.text:10001AAE add edx, edi
.text:10001AB0 mov ecx, ; operand lost; presumably [edx], the dword at this offset
.text:10001AB2 jmp short loc_10001ADF
.text:10001AB4; ---------------------------------------------------------------------------
.text:10001AB4
.text:10001AB4loc_10001AB4: ;CODE XREF: FindFirstThread+128j
.text:10001AB4 cmp bpsize, 2
.text:10001ABB jnz short loc_10001AD0
.text:10001ABD mov ax, word ptr ToSearch
.text:10001AC3 mov edx, ResultDataArray
.text:10001AC9 add edx, edi
.text:10001ACB mov cx, ; operand lost; presumably word ptr [edx]
.text:10001ACE jmp short loc_10001ADF
.text:10001AD0; ---------------------------------------------------------------------------
.text:10001AD0
.text:10001AD0loc_10001AD0: ;CODE XREF: FindFirstThread+142j
.text:10001AD0 mov al, byte ptr ToSearch ; any other bpsize is treated as 1 byte
.text:10001AD5 mov edx, ResultDataArray
.text:10001ADB add edx, edi
.text:10001ADD mov cl, ; operand lost; presumably byte ptr [edx]
.text:10001ADF
.text:10001ADFloc_10001ADF: ;CODE XREF: FindFirstThread+139j
.text:10001ADF ;FindFirstThread+155j
.text:10001ADF cmp ecx, eax
.text:10001AE1 jnz short loc_10001AF5
.text:10001AE3 pop ecx ; peek the base-address cursor
.text:10001AE4 push ecx
.text:10001AE5 mov eax, ; operand lost; presumably [ecx] = region base
.text:10001AE7 add eax, edi ; absolute address of the hit
.text:10001AE9 push ToSearch
.text:10001AEF push eax
.text:10001AF0 call ListViewAddItem ; helper: adds (address, value) as a row
.text:10001AF5
.text:10001AF5loc_10001AF5: ;CODE XREF: FindFirstThread+168j
.text:10001AF5 inc edi
.text:10001AF6
.text:10001AF6loc_10001AF6: ;CODE XREF: FindFirstThread+10Cj
.text:10001AF6 cmp edi, ; operand lost; presumably [ebx] = region size
.text:10001AF9 jbe short loc_10001A87 ; <= rather than <: the last offsets read up to bpsize bytes past the region's data (still inside the zeroed buffer when the region is < 16 MB)
.text:10001AFB pop ecx ; unspill and advance both cursors
.text:10001AFC pop ebx
.text:10001AFD add ebx, 4
.text:10001B00 add ecx, 4
.text:10001B03
.text:10001B03loc_10001B03: ; CODE XREF: FindFirstThread+7Fj
.text:10001B03 cmp dword ptr , 0 ; presumably [ecx]: a zero base address ends the table
.text:10001B06 jnz loc_100019FD
.text:10001B0C jmp short locret_10001B25
.text:10001B0E; ---------------------------------------------------------------------------
.text:10001B0E
.text:10001B0Eloc_10001B0E: ;CODE XREF: FindFirstThread+48j
.text:10001B0E push 40010h ; uType = MB_ICONERROR | MB_TOPMOST
.text:10001B13 push offset aCheatUtility_7 ; "Cheat UtilityPlugin"
.text:10001B18 push offset aErrorOccurre_1 ; "Erroroccurred "
.text:10001B1D push ; hWnd
.text:10001B20 call MessageBoxA
.text:10001B25
.text:10001B25locret_10001B25: ;CODE XREF: FindFirstThread+8Bj
.text:10001B25 ;FindFirstThread+118j ...
.text:10001B25 leave ; also discards any cursor still spilled on the stack
.text:10001B26 retn 4 ; thread exit code = whatever is in eax
.text:10001B29FindNextThreadproc near ; DATA XREF: MainDialogFunc+2C5o ; worker thread for "Next Scan": re-check every listed address against ToSearch
.text:10001B29
.text:10001B29Translated = dword ptr -3Ch
.text:10001B29Buffer = dword ptr -10h ; receives the bpsize-byte read from the debuggee
.text:10001B29lpBaseAddress = dword ptr -0Ch
.text:10001B29var_8 = dword ptr -8 ; list item count, used as the loop counter (inferred from its use below)
.text:10001B29var_4 = dword ptr -4 ; number of addresses that still match (inferred)
.text:10001B29hWnd = dword ptr8 ; the dialog handle passed as the thread parameter
.text:10001B29
.text:10001B29 push ebp
.text:10001B2A mov ebp, esp
.text:10001B2C add esp, 0FFFFFFC4h ; reserve 3Ch bytes of locals
.text:10001B2F push 1000000h
.text:10001B34 push ResultDataArray
.text:10001B3A call RtlZeroMemory ; clear the 16 MiB result buffer before the re-scan
.text:10001B3F cmp IsHex, 0
.text:10001B46 jnz short loc_10001B67 ; hex checkbox set: parse the edit text as a hex string
.text:10001B48 push 1 ; bSigned
.text:10001B4A lea eax,
.text:10001B4D push eax ; lpTranslated
.text:10001B4E push 0C8h ; nIDDlgItem ; IDC_ETVAL
.text:10001B53 push ; hDlg
.text:10001B56 call GetDlgItemInt
.text:10001B5B cmp , 0 ; Translated == 0 -> "Error occurred" box, then return
.text:10001B5F jz loc_10001CE6
.text:10001B65 jmp short loc_10001B85
.text:10001B67; ---------------------------------------------------------------------------
.text:10001B67
.text:10001B67loc_10001B67: ;CODE XREF: FindNextThread+1Dj
.text:10001B67 push 9 ; cchMax ; 8 hex digits + NUL
.text:10001B69 push offset String ; lpString
.text:10001B6E push 0C8h ; nIDDlgItem ; IDC_ETVAL
.text:10001B73 push ; hDlg
.text:10001B76 call GetDlgItemTextA
.text:10001B7B push offset String
.text:10001B80 call GetAddressFromString ; the characters are not validated; see that routine
.text:10001B85
.text:10001B85loc_10001B85: ; CODE XREF: FindNextThread+3Cj
.text:10001B85 mov ToSearch, eax ; eax holds the parsed value on both paths
.text:10001B8A mov , 0 ; survivor count = 0 (the operand was lost in the listing)
.text:10001B91 push 0 ; lParam
.text:10001B93 push 0 ; wParam
.text:10001B95 push 1004h ; Msg ; LVM_GETITEMCOUNT
.text:10001B9A push 3E9h ; nIDDlgItem ; IDC_LVLIST
.text:10001B9F push ; hDlg
.text:10001BA2 call SendDlgItemMessageA
.text:10001BA7 or eax, eax
.text:10001BA9 jz loc_10001CA4 ; empty list: only refresh the status text
.text:10001BAF cmp eax, 0FFFFFFFFh
.text:10001BB2 jz loc_10001CA4 ; -1 (query failed): same
.text:10001BB8 mov , eax ; item count -> loop counter
.text:10001BBB
.text:10001BBBloc_10001BBB: ;CODE XREF: FindNextThread+129j
.text:10001BBB cmp stopfind, 1 ; set by the Stop button on the dialog thread
.text:10001BC2 jz locret_10001CFD ; stopped: returns with the list and status text left as they are
.text:10001BC8 dec ; walk the list from the last row down
.text:10001BCB push 0 ; _DWORD
.text:10001BCD push ; _DWORD
.text:10001BD0 call ListViewGetItem ; copies the row text into the shared String buffer
.text:10001BD5 push offset String
.text:10001BDA call GetAddressFromString
.text:10001BDF mov , eax ; lpBaseAddress = the listed address
.text:10001BE2 call ZeroMemory ; presumably a local helper that clears String (no arguments are pushed)
.text:10001BE7 push eax
.text:10001BE8 push offset aScanning_8x ; "Scanning :%.8X"
.text:10001BED push offset String ; LPSTR
.text:10001BF2 call wsprintfA
.text:10001BF7 add esp, 0Ch ; cdecl: caller pops the 3 arguments
.text:10001BFA push offset String ; lpString
.text:10001BFF push 3ECh ; nIDDlgItem ; IDC_SBSTATU
.text:10001C04 push ; hDlg
.text:10001C07 call SetDlgItemTextA
.text:10001C0C xor eax, eax
.text:10001C0E mov al, bpsize ; 1, 2 or 4 bytes are read and compared
.text:10001C13 mov , 0 ; Buffer is zeroed first, so a 1- or 2-byte read compares with zero high bytes
.text:10001C1A push 0 ; lpNumberOfBytesRead
.text:10001C1C push eax ; nSize
.text:10001C1D lea eax,
.text:10001C20 push eax ; lpBuffer
.text:10001C21 push ; lpBaseAddress
.text:10001C24 push hProcess ; hProcess
.text:10001C2A call ReadProcessMemory ; return value ignored: a failed read leaves Buffer == 0, which then matches a search for 0
.text:10001C2F mov edx,
.text:10001C32 cmp edx, ToSearch
.text:10001C38 jnz short loc_10001C4E
.text:10001C3A mov eax,
.text:10001C3D imul eax, 4 ; survivor index scaled by sizeof(DWORD)
.text:10001C40 add eax, ResultDataArray
.text:10001C46 mov edx,
.text:10001C49 mov , edx ; ResultDataArray[count] = address
.text:10001C4B inc ; count++
.text:10001C4E
.text:10001C4Eloc_10001C4E: ;CODE XREF: FindNextThread+10Fj
.text:10001C4E cmp , 0
.text:10001C52 jnz loc_10001BBB ; until the counter reaches 0
.text:10001C58 push offset aGeneratingList ; "GeneratingList ..."
.text:10001C5D push 3ECh ; nIDDlgItem
.text:10001C62 push ; hDlg
.text:10001C65 call SetDlgItemTextA
.text:10001C6A push 0 ; lParam
.text:10001C6C push 0 ; wParam
.text:10001C6E push 1009h ; Msg ; LVM_DELETEALLITEMS: rebuild the list from the survivors
.text:10001C73 push 3E9h ; nIDDlgItem
.text:10001C78 push ; hDlg
.text:10001C7B call SendDlgItemMessageA
.text:10001C80 jmp short loc_10001C9E
.text:10001C82; ---------------------------------------------------------------------------
.text:10001C82
.text:10001C82loc_10001C82: ;CODE XREF: FindNextThread+179j
.text:10001C82 dec ; count--
.text:10001C85 mov eax,
.text:10001C88 imul eax, 4
.text:10001C8B add eax, ResultDataArray
.text:10001C91 push ToSearch
.text:10001C97 push dword ptr ; ResultDataArray[count]
.text:10001C99 call ListViewAddItem ; survivors are re-added last-found first
.text:10001C9E
.text:10001C9Eloc_10001C9E: ;CODE XREF: FindNextThread+157j
.text:10001C9E cmp , 0
.text:10001CA2 jnz short loc_10001C82
.text:10001CA4
.text:10001CA4loc_10001CA4: ; CODE XREF: FindNextThread+80j
.text:10001CA4 ;FindNextThread+89j
.text:10001CA4 call ZeroMemory
.text:10001CA9 push 0 ; lParam
.text:10001CAB push 0 ; wParam
.text:10001CAD push 1004h ; Msg ; LVM_GETITEMCOUNT
.text:10001CB2 push 3E9h ; nIDDlgItem
.text:10001CB7 push ; hDlg
.text:10001CBA call SendDlgItemMessageA
.text:10001CBF push eax
.text:10001CC0 push offset aDItemSFound ; "%d item(s)found"
.text:10001CC5 push offset String ; LPSTR
.text:10001CCA call wsprintfA
.text:10001CCF add esp, 0Ch
.text:10001CD2 push offset String ; lpString
.text:10001CD7 push 3ECh ; nIDDlgItem
.text:10001CDC push ; hDlg
.text:10001CDF call SetDlgItemTextA
.text:10001CE4 jmp short locret_10001CFD
.text:10001CE6; ---------------------------------------------------------------------------
.text:10001CE6
.text:10001CE6loc_10001CE6: ; CODE XREF:FindNextThread+36j
.text:10001CE6 push 40010h ; uType ; MB_TOPMOST|MB_ICONHAND
.text:10001CEB push offset aCheatUtility_8 ; "CheatUtility Plugin"
.text:10001CF0 push offset aErrorOccurre_2 ; "Erroroccurred "
.text:10001CF5 push ; hWnd
.text:10001CF8 call MessageBoxA
.text:10001CFD
.text:10001CFDlocret_10001CFD: ;CODE XREF: FindNextThread+99j
.text:10001CFD ;FindNextThread+1BBj
.text:10001CFD leave
.text:10001CFE retn 4 ; stdcall, one argument (hWnd)
.text:10001D99ListViewAddItem proc near ;CODE XREF: FindFirstThread+177p ; append one (address, value) row to hListView; stdcall(addr, tosearch)
.text:10001D99 ;FindNextThread+170p
.text:10001D99
.text:10001D99lParam = LVITEMA ptr -28h ; the LVITEMA built on the stack
.text:10001D99arg_0 = dword ptr8 ; address to list
.text:10001D99tosearch = dword ptr0Ch ; value to list
.text:10001D99
.text:10001D99 push ebp
.text:10001D9A mov ebp, esp
.text:10001D9C add esp, 0FFFFFFC4h
.text:10001D9F push edi
.text:10001DA0 mov , 1 ; lParam.mask = LVIF_TEXT (the operand was lost in the listing)
.text:10001DA7 push 0 ; lParam
.text:10001DA9 push 0 ; wParam
.text:10001DAB push 1004h ; Msg ; LVM_GETITEMCOUNT
.text:10001DB0 push hListView ; hWnd
.text:10001DB6 call SendMessageA
.text:10001DBB mov , eax ; iItem = current count, i.e. append at the end
.text:10001DBE mov , 0 ; iSubItem = 0
.text:10001DC5 call ZeroMemory ; presumably a local helper that clears the shared String buffer
.text:10001DCA push ; presumably arg_0, the address (the pushed operand was stripped from the listing)
.text:10001DCD push offset a_8x_1 ; "%.8X"
.text:10001DD2 push offset String ; LPSTR
.text:10001DD7 call wsprintfA
.text:10001DDC add esp, 0Ch ; cdecl: caller pops the 3 arguments
.text:10001DDF mov , offset String ; pszText = String
.text:10001DE6 lea eax,
.text:10001DE9 push eax ; lParam
.text:10001DEA push 0 ; wParam
.text:10001DEC push 1007h ; Msg ; LVM_INSERTITEMA: column 0 (address)
.text:10001DF1 push hListView ; hWnd
.text:10001DF7 call SendMessageA
.text:10001DFC mov , 1 ; mask = LVIF_TEXT again
.text:10001E03 inc ; iSubItem++ -> column 1
.text:10001E06 call ZeroMemory
.text:10001E0B push ; presumably the tosearch argument (operand stripped)
.text:10001E0E push offset aD ; "%d"
.text:10001E13 push offset String ; LPSTR
.text:10001E18 call wsprintfA
.text:10001E1D add esp, 0Ch
.text:10001E20 mov , offset String
.text:10001E27 lea eax,
.text:10001E2A push eax ; lParam
.text:10001E2B push 0 ; wParam
.text:10001E2D push 1006h ; Msg ; LVM_SETITEMA: column 1 (value) text
.text:10001E32 push hListView ; hWnd
.text:10001E38 call SendMessageA
.text:10001E3D pop edi
.text:10001E3E leave
.text:10001E3F retn 8 ; stdcall, two arguments
.text:10001E44GetAddressFromString proc near ;CODE XREF: MainDialogFunc+17Ep ; hex string -> 32-bit value; the characters are never validated
.text:10001E44 ; MainDialogFunc+1CAp ...
.text:10001E44
.text:10001E44str2 = dword ptr8
.text:10001E44
.text:10001E44 push ebp
.text:10001E45 mov ebp, esp
.text:10001E47 push ebx
.text:10001E48 push esi
.text:10001E49 push edi
.text:10001E4A mov edi, ; edi = esi = str (operands stripped from the listing)
.text:10001E4D mov esi,
.text:10001E50
.text:10001E50loc_10001E50: ;CODE XREF: GetAddressFromString+11j
.text:10001E50 mov al, ; inline strlen: advance edi until the NUL
.text:10001E52 inc edi
.text:10001E53 or al, al
.text:10001E55 jnz short loc_10001E50 ; edi now points one past the NUL
.text:10001E57 sub esi, edi ; esi = str - edi = -(len+1)
.text:10001E59 xor ebx, ebx ; ebx accumulates the result
.text:10001E5B add edi, esi ; edi = str
.text:10001E5D xor edx, edx ; dl = case fix-up carried from one letter to the next
.text:10001E5F not esi ; esi = len = characters remaining
.text:10001E61 jmp short loc_10001E86
.text:10001E63; ---------------------------------------------------------------------------
.text:10001E63
.text:10001E63loc_10001E63: ;CODE XREF: GetAddressFromString+44j
.text:10001E63 mov al, ; al = *edi
.text:10001E65 cmp al, 41h ; below 'A': treated as a decimal digit
.text:10001E67 jb short loc_10001E75
.text:10001E69 sub al, 57h ; al -= 'W': 'a'..'f' become 10..15 directly
.text:10001E6B adc dl, 0 ; borrow is set for 'A'..'F' (they are below 'W')
.text:10001E6E shl dl, 5 ; ... so add 32 to bring upper case into the same range
.text:10001E71 add al, dl
.text:10001E73 jmp short loc_10001E77
.text:10001E75; ---------------------------------------------------------------------------
.text:10001E75
.text:10001E75loc_10001E75: ; CODE XREF: GetAddressFromString+23j
.text:10001E75 sub al, 30h ; al -= '0'
.text:10001E77
.text:10001E77loc_10001E77: ;CODE XREF: GetAddressFromString+2Fj
.text:10001E77 lea ecx, ; appears to be remaining-1 (operand stripped; inferred from the dec esi below)
.text:10001E7A and eax, 0Fh ; only the low nibble is kept: any character outside 0-9/A-F/a-f silently yields a nibble too
.text:10001E7D shl ecx, 2 ; shift = 4*(remaining-1): the first character is the most significant nibble
.text:10001E80 shl eax, cl ; x86 masks the count to 5 bits, so inputs longer than 8 digits wrap instead of failing
.text:10001E82 add ebx, eax
.text:10001E84 inc edi
.text:10001E85 dec esi
.text:10001E86
.text:10001E86loc_10001E86: ;CODE XREF: GetAddressFromString+1Dj
.text:10001E86 or esi, esi
.text:10001E88 jnz short loc_10001E63 ; loop over every character
.text:10001E8A mov eax, ebx ; return value
.text:10001E8C pop edi
.text:10001E8D pop esi
.text:10001E8E pop ebx
.text:10001E8F leave
.text:10001E90 retn 4 ; stdcall, one argument
/* Resource IDs: dialog controls (IDC_*), context-menu items (IDM_*) and dialogs (IDD_*). */
#define IDC_BTFIRST 100//First Scan Button
#define IDC_BTNEXT 101//Next Scan Button
#define IDC_BTSTOP 102//Stop Button
#define IDC_ETVAL 200//Value Edit
#define IDM_CHANGE 500//Change Value
#define IDM_FOLLOW 501//Follow in Dump
#define IDM_HARDWARE 502//Hardware Breakpoint
#define IDM_DELETE 503//Delete Button
#define IDD_MAINDLG 1000//Main Dialog
#define IDC_LVLIST 1001//Address ListView
#define IDC_SBSTATU 1004//Bottom Statu Bar
#define IDC_CBISHEX 1011//Is Hex Check Button
#define IDC_RBDWORD 1014//DOUBLE WORD Radio
#define IDC_RBWORD 1015//WORD Radio
#define IDC_RBBYTE 1016//BYTE Radio
#define IDD_SETDIALOG 1027//Set Dialog
#define IDC_BTOK 1034//OK Button
#define IDC_BTCANCEL 1035//Cancel Button
#define IDC_ETNEWVALUE 1036//Change Value
#define IDC_BTABOUT 1040//About Button
#define IDC_BTAT4RE 1041//AT4RE Button
#define IDC_BTEXIT 1042//Exit Button
#define IDC_BTINC 1043//Inc Button
#define IDC_BTDEC 1044//Dec Button
#define IDC_BTRESET 1045//Reset Button
/* Globals shared by the dialog thread, the two scan worker threads and the
 * OllyDbg entry points. Nothing below is protected by a lock. */
HWND hWnd;// OllyDbg main window, set in ODBG_Plugininit
HANDLE hProcess;// debuggee handle from Plugingetvalue(VAL_HPROCESS)
DWORD ThreadId;// id of the thread running CreateMainDialog
HINSTANCE hInstance;// module handle used for DialogBoxParam
HMENU hMenu;// context menu of the result list
HWND hListView;// result list of matching addresses
int bpsize;// hardware breakpoint / compare size in bytes (1, 2 or 4)
PVOID* BaseAddrArray;// base addresses of the memory regions to scan
DWORD* AddrSizeArray;// sizes of those regions
BYTE** ResultDataArray;// result address array; FindFirstThread also uses it as its 16 MiB read buffer
LPVOID ValueAddr;// address whose value is to be rewritten
// NOTE(review): declared as a single char here but used everywhere as a 256-byte buffer
// (RtlZeroMemory(String,256), cchTextMax=256); the array size was presumably lost in extraction
char String;// scratch text buffer
bool IsHex,StopFind;// parse input as hex?; stop the running scan?
int ToSearch;// value being searched for
/* Thread entry that owns the main dialog: initialises the common controls
 * (required for the list view) and runs IDD_MAINDLG modally until it is
 * closed. lpParameter is unused; the dialog's result becomes the thread's
 * exit code. */
DWORD WINAPI CreateMainDialog(LPVOID lpParameter)
{
    (void)lpParameter;
    InitCommonControls();
    DWORD exitcode=DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_MAINDLG),NULL,MainDialogFunc,0);
    return exitcode;
}
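/*
 * Append one row (address, value) to the result list view.
 *
 * addr      address shown in column 0, printed as 8 hex digits.
 * tosearch  value shown in column 1, printed as a signed decimal.
 *
 * Uses the shared global String as the text buffer, like the rest of the
 * file. The listing above (10001D99) pushes arg_0 and the tosearch argument
 * before the two wsprintf calls, so the parameters are what gets printed:
 * the reconstruction referenced BaseAddrArray+j (j is not in scope here and
 * would not compile) and the global ToSearch instead of the arguments.
 */
void WINAPI ListViewAddItem(DWORD addr,DWORD tosearch)
{
    LVITEM item;
    item.mask=LVIF_TEXT;
    // the current item count is the index of the row being appended
    item.iItem=SendMessage(hListView,LVM_GETITEMCOUNT,0,0);
    item.iSubItem=0;
    RtlZeroMemory(String, 256);
    wsprintf(String,"%.8X",addr);
    item.pszText=String;
    SendMessage(hListView,LVM_INSERTITEM,0,(LPARAM)&item);// column 0: address
    item.iSubItem++;
    RtlZeroMemory(String, 256);
    wsprintf(String,"%d",tosearch);
    item.pszText=String;
    SendMessage(hListView,LVM_SETITEM,0,(LPARAM)&item);// column 1: value
}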
/*
 * Worker thread for the "First Scan" button (started by MainDialogFunc with
 * the dialog handle as lpParameter). Reads the value typed into IDC_ETVAL,
 * then copies each region recorded by SearchFreeMemoryBlock into
 * ResultDataArray and lists every offset whose bpsize-byte value equals
 * ToSearch. Returns 0, or the MessageBox result when the value does not parse.
 */
DWORD WINAPI FindFirstThread(LPVOID lpParameter)// thread started for the first scan
{
    HWND hWnd=(HWND)lpParameter;// shadows the global hWnd (OllyDbg's window) with the dialog
    RtlZeroMemory(String, 256);
    SendDlgItemMessage(hWnd,IDC_LVLIST,LVM_DELETEALLITEMS,0,0);
    // read the target integer from the edit control
    if(IsHex)
    {
        GetDlgItemText(hWnd,IDC_ETVAL,String,9);// at most 8 hex digits + NUL
        ToSearch=GetAddressFromString(String);// not validated: any text yields some number
    }
    else
    {
        BOOL Translated;
        ToSearch=GetDlgItemInt(hWnd,IDC_ETVAL,&Translated,TRUE);
        if(!Translated)
            return MessageBox(hWnd,"Error occurred ","Cheat Utility Plugin",MB_TOPMOST|MB_ICONHAND);
    }
    // scan each recorded memory region for the target
    // NOTE(review): the per-region subscripts ([i]) on AddrSizeArray/BaseAddrArray appear lost in
    // extraction; as reconstructed the loop runs until the first zero-sized entry or Stop — confirm
    for(int i=0;AddrSizeArray && !StopFind;i++)
    {
        RtlZeroMemory(ResultDataArray,0x1000000);// the full 16 MiB is cleared for every region
        RtlZeroMemory(String, 256);
        int itemcount=SendDlgItemMessage(hWnd,IDC_LVLIST,LVM_GETITEMCOUNT,0,0);
        wsprintf(String,"Scanning : %.8X || %d item(s) found",BaseAddrArray,itemcount);
        SetDlgItemText(hWnd,IDC_SBSTATU,String);
        static DWORD NumberOfBytesRead;
        // NOTE(review): the destination is the fixed 0x1000000-byte ResultDataArray while the length
        // is the region size from VirtualQueryEx, with no bound check: a region larger than 16 MiB
        // overruns the buffer. The return value and NumberOfBytesRead are never examined, so after a
        // failed or short read the loop below scans the zeroed buffer (a "match" whenever ToSearch == 0).
        ReadProcessMemory(hProcess,BaseAddrArray,ResultDataArray,AddrSizeArray,&NumberOfBytesRead);
        // NOTE(review): '<=' runs one past the region, and each compare reads bpsize bytes at offset j,
        // so the last iterations read past the copied data.
        for(int j=0;j<=AddrSizeArray && !StopFind;j++)
        {
            DWORD data1=0,data2=0;
            // NOTE(review): ResultDataArray is declared BYTE** above, so ResultDataArray+j advances by
            // j pointers rather than j bytes — presumably BYTE* was intended; confirm.
            if(bpsize == 4)
            {
                data1=ToSearch;
                data2=*(DWORD*)(ResultDataArray+j);
            }
            else if(bpsize == 2)
            {
                data1=ToSearch;
                data2=*(WORD*)(ResultDataArray+j);
            }
            else
            {
                data1=ToSearch;
                data2=*(BYTE*)(ResultDataArray+j);
            }
            if(data1 == data2)
                ListViewAddItem((DWORD)BaseAddrArray+j,ToSearch);// the list view is updated from this worker thread
        }
    }
    return 0;
}
/*
 * Worker thread for the "Next Scan" button. Re-reads the value in IDC_ETVAL,
 * walks the current result list from the last row down, re-reads bpsize
 * bytes at each listed address and keeps the ones still equal to ToSearch,
 * then rebuilds the list from the survivors. Always returns 0.
 * NOTE(review): this reconstruction uses the global hWnd (OllyDbg's window,
 * set in ODBG_Plugininit) for the dialog calls, whereas the listing above
 * takes hDlg from the thread argument as FindFirstThread does — confirm.
 */
DWORD WINAPI FindNextThread(LPVOID lpParameter)// thread started for a repeat scan
{
    RtlZeroMemory(ResultDataArray,0x1000000);
    if(IsHex)
    {
        GetDlgItemText(hWnd,IDC_ETVAL,String,9);
        ToSearch=GetAddressFromString(String);
    }
    else
    {
        BOOL Translated;
        ToSearch=GetDlgItemInt(hWnd,IDC_ETVAL,&Translated,TRUE);
        if(!Translated)
        {
            MessageBox(hWnd,"Error occurred ","Cheat Utility Plugin",MB_TOPMOST|MB_ICONHAND);
            return 0;
        }
    }
    int resultaddrcount=0;// number of listed addresses that still match
    int itemcount=SendDlgItemMessage(hWnd,IDC_LVLIST,LVM_GETITEMCOUNT,0,0);
    if(itemcount && itemcount != -1)// nothing listed, or the query failed: only refresh the status text
    {
        while(!StopFind && itemcount)
        {
            itemcount--;
            ListViewGetItem(itemcount,0);// row text -> String, a global the dialog thread writes too
            ulong addr=GetAddressFromString(String);
            RtlZeroMemory(String, 256);
            wsprintf(String,"Scanning : %.8X",addr);
            SetDlgItemText(hWnd,IDC_SBSTATU,String);
            // NOTE(review): the listing zeroes this slot before the read (10001C13). With bpsize 1 or 2
            // the unread high bytes are otherwise indeterminate and the compare below is unreliable;
            // `DWORD data=0;` is what the binary does.
            DWORD data;
            // return value unchecked: a failed read leaves data untouched
            ReadProcessMemory(hProcess,addr,&data,bpsize,NULL);
            if(data == ToSearch)
            {
                // NOTE(review): subscript lost in extraction — the listing scales a counter by 4 and
                // stores through it (10001C3D..10001C49), i.e. ResultDataArray[resultaddrcount]=addr
                ResultDataArray=addr;
                resultaddrcount++;
            }
        }
        if(itemcount)// stopped early: the list and status text are left as they are
            return 0;
        SetDlgItemText(hWnd,IDC_SBSTATU,"Generating List ...");
        SendDlgItemMessage(hWnd,IDC_LVLIST,LVM_DELETEALLITEMS,0,0);
        while(resultaddrcount--)
        {
            // NOTE(review): same lost subscript — ResultDataArray[resultaddrcount] per the listing
            ListViewAddItem((DWORD)ResultDataArray,ToSearch);
        }
    }
    RtlZeroMemory(String, 256);
    itemcount=SendDlgItemMessage(hWnd,IDC_LVLIST,LVM_GETITEMCOUNT,0,0);
    wsprintf(String,"%d item(s) found",itemcount);
    SetDlgItemText(hWnd,IDC_SBSTATU,String);
    return 0;
}
/* OllyDbg menu-action entry point. Only items of the main plugin menu
 * (origin == PM_MAIN) are handled: action 0 opens the main dialog on a
 * thread of its own (refused when no process is being debugged), action 1
 * shows the About box. item is unused. */
extc void cdecl ODBG_Pluginaction(int origin,int action,void *item)
{
    (void)item;
    if(origin != PM_MAIN)
        return;
    switch(action)
    {
    case 0:
        /* VAL_HPROCESS is 0 when nothing is loaded; the dialog needs a debuggee */
        hProcess=(HANDLE)Plugingetvalue(VAL_HPROCESS);
        if(hProcess)
            CreateThread(NULL,0,CreateMainDialog,NULL,0,&ThreadId);/* a separate thread is not strictly needed here */
        else
            MessageBox(hWnd,"No Debugee loaded ","Cheat Utility Plugin",MB_TOPMOST|
                MB_ICONEXCLAMATION);
        break;
    case 1:
        MessageBox(hWnd,"Cheat Utility Plugin v1.0\r\nCopyright (C) 2007 by GamingMasteR-AT4RE",
            "Cheat Utility Plugin",MB_ICONASTERISK);
        break;
    default:
        break;
    }
}
/*
 * OllyDbg plugin descriptor: copies the plugin's short name into shortname
 * and returns the plugin interface version (108).
 * NOTE(review): `char shortname` lost its [] in extraction — lstrcpy needs
 * the fixed-size name buffer OllyDbg passes, not a single char.
 */
extc int cdecl ODBG_Plugindata(char shortname)
{
    lstrcpy(shortname,"Cheat Utility");
    return 108;
}
/*
 * OllyDbg menu builder: for the main plugin menu, fills data with the
 * "index name|index name" menu string and returns 1; the indices 0 and 1
 * are the action values later passed to ODBG_Pluginaction. Other menus get 0.
 * NOTE(review): `char data` lost its [] in extraction — it is the menu
 * string buffer OllyDbg passes, not a single char.
 */
extc int cdecl ODBG_Pluginmenu(int origin,char data,void *item)
{
    if(origin != PM_MAIN)
        return 0;
    lstrcpy(data,"0 &Start|1 &About");
    return 1;
}
/* OllyDbg plugin initialisation. Requires plugin interface version 108 or
 * newer (returns -1 otherwise), remembers OllyDbg's main window in the
 * global hWnd, logs a banner to the Log window and returns 0. features is
 * unused. */
extc int cdecl ODBG_Plugininit(int ollydbgversion,HWND hw,ulong *features)
{
    (void)features;
    if(ollydbgversion >= 108)
    {
        hWnd=hw;
        Addtolist(0,0,"Cheat Utility Plugin v1.0");
        return 0;
    }
    return -1;
}
/* Copy the text of list-view cell (iItem, iSubItem) into the global String
 * buffer (at most 256 bytes) with LVM_GETITEM. The SendMessage result is not
 * examined, so on failure String keeps its previous contents. */
void WINAPI ListViewGetItem(int iItem,int iSubItem)
{
    LVITEM cell;
    cell.mask=LVIF_TEXT;
    cell.pszText=String;
    cell.cchTextMax=256;
    cell.iItem=iItem;
    cell.iSubItem=iSubItem;
    HWND lv=hListView;
    SendMessage(lv,LVM_GETITEM,0,(LPARAM)&cell);
}
/*
 * Convert a hexadecimal string to a number (used for the IsHex edit field
 * and for the addresses listed as "%.8X").
 * NOTE(review): the str[i] subscripts appear lost in extraction — every use
 * of `str` inside the loop is the i-th character. No character is validated:
 * anything outside 0-9/A-F/a-f still contributes its low nibble, so bad input
 * silently becomes a wrong address instead of an error.
 */
ulong GetAddressFromString(char* str)
{// the author's hand-rolled hex conversion (a library routine would also report errors)
    int len=strlen(str);
    ulong addr=0;
    int x1,x2=0;// x1: current nibble; x2: the +32 case fix-up carried between letters (dl in the listing)
    for(int i=0;i<len;i++)
    {
        if(str < 'A')//0-9
        {
            x1=str-'0';
        }
        else//A-F
        {
            // 'a'..'f' minus 'W' gives 10..15; 'A'..'F' (below 'W') get 32 added to land in the same
            // range. x2 keeps growing in multiples of 32, which the &0xF below masks away.
            x2=32*((str<'W')+x2);
            x1=x2+str-'W';
        }
        // NOTE(review): the listing (10001E77..10001E80) appears to shift by 4*(remaining-1), i.e. the
        // first character is the most significant nibble; `4*i-1` is a negative shift for i==0 and
        // reverses the digit order — presumably a transcription slip for 4*(len-1-i). Confirm.
        addr += ((x1&0xF)<<(4*i-1));
    }
    return addr;
}
/* Dialog procedure of the "change value" dialog (IDD_SETDIALOG).
 * OK parses the new value from IDC_ETNEWVALUE (hex string or signed decimal,
 * depending on IsHex) and writes its low bpsize bytes to ValueAddr in the
 * debuggee; Cancel and WM_CLOSE end the dialog. Always returns 0. */
int WINAPI SetDialogFunc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    (void)lParam;
    if(uMsg == WM_CLOSE)
    {
        EndDialog(hwndDlg,0);
        return 0;
    }
    if(uMsg != WM_COMMAND)
        return 0;/* WM_INITDIALOG and everything else: nothing to do */
    if(wParam == IDC_BTCANCEL)
    {
        EndDialog(hwndDlg,0);
        return 0;
    }
    if(wParam != IDC_BTOK)
        return 0;
    ulong newvalue;
    if(IsHex)/* hex input */
    {
        GetDlgItemText(hwndDlg,IDC_ETNEWVALUE,String,9);
        newvalue=GetAddressFromString(String);
    }
    else
    {
        BOOL Translated;
        newvalue=GetDlgItemInt(hwndDlg,IDC_ETNEWVALUE,&Translated,TRUE);
        if(!Translated)
        {
            MessageBox(hwndDlg,"Error occurred ","Cheat Utility Plugin",MB_TOPMOST|MB_ICONHAND);
            return 0;
        }
    }
    /* only the low bpsize bytes of newvalue reach the debuggee; the result is not checked */
    WriteProcessMemory(hProcess,ValueAddr,&newvalue,bpsize,NULL);
    return 0;
}
/*
 * Record the readable regions of the debuggee between 0x00400000 and
 * 0x70000000 into BaseAddrArray/AddrSizeArray for FindFirstThread.
 * NOTE(review): the [blockindex] subscripts on the two stores appear lost in
 * extraction.
 */
void WINAPI SearchFreeMemoryBlock(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION meminfo;// not initialised: see the loop step below
    RtlZeroMemory(String, 256);
    RtlZeroMemory(BaseAddrArray,0x1000000);
    RtlZeroMemory(AddrSizeArray,0x1000000);
    // NOTE(review): static, so it is never reset between scans and only grows; nothing checks it
    // against the arrays' capacity. It also advances for skipped regions, leaving zero entries,
    // which FindFirstThread (as reconstructed) treats as the end of the list.
    static int blockindex=0;
    // NOTE(review): the step uses meminfo.RegionSize from the query in the body, and the result of
    // VirtualQueryEx is never checked: a failed query leaves RegionSize stale or unset (a value of 0
    // would keep this loop from advancing at all).
    for(int i=0x00400000;i<0x70000000;i+=meminfo.RegionSize,blockindex++)
    {// 0x00400000 is the usual exe base; 0x80000000 and above is kernel space
        VirtualQueryEx(hProcess,i,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
        // skip inaccessible, execute-only and no-cache pages. PAGE_GUARD is a modifier bit and is not
        // filtered here, so a guarded region is still recorded and its read later fails silently.
        if(meminfo.Protect && meminfo.Protect != PAGE_NOACCESS && meminfo.Protect != PAGE_EXECUTE &&
            meminfo.Protect != PAGE_NOCACHE)
        {
            if(meminfo.State != MEM_FREE && meminfo.Type != MEM_MAPPED)
            {
                BaseAddrArray=meminfo.BaseAddress;
                AddrSizeArray=meminfo.RegionSize;
            }
        }
    }
}
/*
 * Dialog procedure of the main window (IDD_MAINDLG). Builds the context menu
 * and the list-view columns on WM_INITDIALOG, dispatches buttons and menu
 * items on WM_COMMAND, handles double/right clicks on the list via WM_NOTIFY
 * and frees the scan buffers on WM_CLOSE. Always returns 0.
 * NOTE(review): "intWINAPI" lost its space in extraction — the return type is int.
 */
intWINAPI MainDialogFunc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{// this callback turns the procedural flow into event-driven handling
    static DWORD firstthreadid,nextthreadid;// thread ids only; the handles returned by CreateThread are dropped
    switch(uMsg)
    {
    case WM_INITDIALOG:
        hMenu=CreatePopupMenu();
        AppendMenu(hMenu,MF_ENABLED,IDM_FOLLOW,"Follow in Dump");
        AppendMenu(hMenu,MF_ENABLED,IDM_HARDWARE,"Hardware Breakpoint");
        AppendMenu(hMenu,MF_SEPARATOR,0,NULL);
        AppendMenu(hMenu,MF_ENABLED,IDM_CHANGE,"Change Value");
        AppendMenu(hMenu,MF_SEPARATOR,0,NULL);
        AppendMenu(hMenu,MF_ENABLED,IDM_DELETE,"Delete");
        // the next lines add the two column headers to the list view
        hListView=GetDlgItem(hwndDlg,1001);// 1001 is IDC_LVLIST
        LVCOLUMN coldata;
        coldata.mask=LVCF_WIDTH|LVCF_TEXT;
        coldata.pszText="Address";
        coldata.cx=100;
        SendMessage(hListView,LVM_INSERTCOLUMN,0,(LPARAM)&coldata);
        coldata.pszText="Value";
        coldata.cx=100;
        SendMessage(hListView,LVM_INSERTCOLUMN,1,(WPARAM)&coldata);// the pointer travels in lParam; (WPARAM) is the wrong cast, harmless on 32-bit
        // default data (breakpoint) size is a double word
        CheckDlgButton(hwndDlg,IDC_RBDWORD,BST_CHECKED);
        bpsize=sizeof(DWORD);
        // three 16 MiB buffers, committed and locked. None of the six calls is checked, so a NULL
        // from VirtualAlloc is only noticed when RtlZeroMemory faults on it later.
        BaseAddrArray=(PVOID*)VirtualAlloc(NULL,0x1000000,MEM_COMMIT,PAGE_READWRITE);
        VirtualLock(BaseAddrArray,0x1000000);
        ResultDataArray=(BYTE**)VirtualAlloc(NULL,0x1000000,MEM_COMMIT,PAGE_READWRITE);
        VirtualLock(ResultDataArray,0x1000000);
        AddrSizeArray=(DWORD*)VirtualAlloc(NULL,0x1000000,MEM_COMMIT,PAGE_READWRITE);
        VirtualLock(AddrSizeArray,0x1000000);
        break;
    case WM_COMMAND:
        if(lParam == 0)// lParam == 0: the command comes from the context menu
        {
            switch(LOWORD(wParam))
            {//IDM_*
            case IDM_FOLLOW:// follow this address in the dump window
            {
                int index=SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_GETNEXTITEM,
                    -1,LVNI_FOCUSED);// first focused row; -1 when there is none, which is not checked
                // awkward: the address is fetched back as text through a message and re-parsed,
                // instead of being kept in a data structure in the first place
                ListViewGetItem(index,0);
                Setcpu(0,0,GetAddressFromString(String),0,CPU_DUMPFIRST|CPU_DUMPFOCUS);
                RtlZeroMemory(String,256);
            }
            break;
            case IDM_HARDWARE:// set a hardware breakpoint on this address
            {
                int index=SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_GETNEXTITEM,
                    -1,LVNI_FOCUSED);// first focused row; -1 is not checked
                ListViewGetItem(index,0);
                Sethardwarebreakpoint(GetAddressFromString(String),bpsize,HB_ACCESS);
                RtlZeroMemory(String,256);
            }
            break;
            case IDM_CHANGE:// change the data at this address
            {
                int index=SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_GETNEXTITEM,
                    -1,LVNI_FOCUSED);// first focused row; -1 is not checked
                ListViewGetItem(index,0);
                ValueAddr=(LPVOID)GetAddressFromString(String);
                RtlZeroMemory(String,256);
                DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_SETDIALOG),hwndDlg,
                    SetDialogFunc,0);
            }
            break;
            case IDM_DELETE:// delete this result row
            {
                int index=SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_GETNEXTITEM,
                    -1,LVNI_FOCUSED);// first focused row; -1 is not checked
                SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_DELETEITEM,index,0);
            }
            break;
            }
        }
        // menu commands (IDM_* 500..503) fall into this switch as well; they collide with none of
        // the IDC_* values, so nothing extra happens for them
        switch(wParam)
        {
        case IDC_BTFIRST:// first scan
            if(IsDlgButtonChecked(hwndDlg,IDC_RBBYTE))
                bpsize=sizeof(BYTE);
            else if(IsDlgButtonChecked(hwndDlg,IDC_RBWORD))
                bpsize=sizeof(WORD);
            else
                bpsize=sizeof(DWORD);
            if(IsDlgButtonChecked(hwndDlg,IDC_CBISHEX))
                IsHex=true;
            else
                IsHex=false;
            StopFind=false;
            SearchFreeMemoryBlock(hProcess);
            // the thread handle should be kept for later use. NOTE(review): nothing stops a second
            // click from starting another scanner that shares String, ToSearch and StopFind with the first.
            CreateThread(NULL,0,FindFirstThread,hwndDlg,0,&firstthreadid);
            break;
        case IDC_BTNEXT:// next scan
            StopFind=false;
            CreateThread(NULL,0,FindNextThread,hwndDlg,0,&nextthreadid);// the thread handle should be kept for later use
            break;
        case IDC_BTSTOP:// stop scanning
            StopFind=true;
            break;
        case IDC_BTINC:// increment the value
        {
            ulong addr;
            if(IsHex)
            {
                GetDlgItemText(hwndDlg,IDC_ETNEWVALUE,String,9);// wrong: the author used the wrong control ID here
                addr=GetAddressFromString(String);
                RtlZeroMemory(String, 256);
                wsprintf(String,"%.8X",addr+1);
                SetDlgItemText(hwndDlg,IDC_ETVAL,String);
            }
            else
            {
                BOOL Translated;
                addr=GetDlgItemInt(hwndDlg,IDC_ETVAL,&Translated,TRUE);
                if(!Translated)
                    MessageBox(hwndDlg,"Error occurred ","Cheat Utility Plugin",MB_TOPMOST|
                        MB_ICONHAND);
                else
                    SetDlgItemInt(hwndDlg,IDC_ETVAL,addr+1,TRUE);
            }
        }
        break;
        case IDC_BTDEC:// decrement the value
        {
            ulong addr;
            if(IsHex)
            {
                GetDlgItemText(hwndDlg,IDC_ETNEWVALUE,String,9);// wrong: this control is not on the main dialog
                addr=GetAddressFromString(String);
                RtlZeroMemory(String, 256);
                wsprintf(String,"%.8X",addr-1);
                SetDlgItemText(hwndDlg,IDC_ETVAL,String);
            }
            else
            {
                BOOL Translated;
                addr=GetDlgItemInt(hwndDlg,IDC_ETVAL,&Translated,TRUE);
                if(!Translated)
                    MessageBox(hwndDlg,"Error occurred ","Cheat Utility Plugin",MB_TOPMOST|
                        MB_ICONHAND);
                else
                    SetDlgItemInt(hwndDlg,IDC_ETVAL,addr-1,TRUE);
            }
        }
        break;
        case IDC_BTRESET:// reset everything to the defaults
            CheckDlgButton(hwndDlg,IDC_RBDWORD,BST_CHECKED);
            CheckDlgButton(hwndDlg,IDC_CBISHEX,BST_UNCHECKED);
            SetDlgItemInt(hwndDlg,IDC_ETVAL,0,TRUE);
            SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_DELETEALLITEMS,0,0);
            bpsize=sizeof(DWORD);
            IsHex=false;
            RtlZeroMemory(BaseAddrArray,0x1000000);
            RtlZeroMemory(ResultDataArray,0x1000000);
            RtlZeroMemory(String,256);
            break;
        case IDC_BTABOUT:
            MessageBox(hWnd,"Cheat Utility Plugin v1.0\r\nCopyright (C) 2007 by GamingMasteR-AT4RE",
                "Cheat Utility Plugin",MB_ICONASTERISK);
            break;
        case IDC_BTAT4RE:
            ShellExecute(NULL,"Open","http://www.at4re.com/",NULL,NULL,SW_MAXIMIZE);
            break;
        case IDC_BTEXIT:
            SendMessage(hwndDlg,WM_CLOSE,0,0);
            break;
        }
        break;
    case WM_NOTIFY:
    {
        NMHDR* nmhdr=(NMHDR*)lParam;
        if(nmhdr->hwndFrom == hListView)
        {
            if(nmhdr->code == NM_DBLCLK)// double-click on a row opens the change-value dialog
            {
                int index=SendDlgItemMessage(hwndDlg,IDC_LVLIST,LVM_GETNEXTITEM,
                    -1,LVNI_FOCUSED);// first focused row
                ListViewGetItem(index,0);
                ValueAddr=(LPVOID)GetAddressFromString(String);
                RtlZeroMemory(String, 256);
                DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_SETDIALOG),hwndDlg,SetDialogFunc,0);
            }
            else if(nmhdr->code == NM_RCLICK)// right click on a row: context menu
            {
                static POINT Point;
                GetCursorPos(&Point);
                TrackPopupMenu(hMenu,TPM_LEFTALIGN|TPM_TOPALIGN|TPM_LEFTBUTTON,
                    Point.x,Point.y,0,hwndDlg,NULL);
            }
        }
    }
    break;
    case WM_CLOSE:
        // NOTE(review): StopFind is not set and the worker threads are not waited for, so a scan that
        // is still running keeps using the buffers decommitted below.
        CloseHandle(firstthreadid);// wrong usage: this is a thread id, not a handle
        // MEM_DECOMMIT leaves the reservations in place; they are never released
        VirtualFree(ResultDataArray,0x1000000,MEM_DECOMMIT);
        VirtualFree(BaseAddrArray,0x1000000,MEM_DECOMMIT);
        VirtualFree(AddrSizeArray,0x1000000,MEM_DECOMMIT);
        EndDialog(hwndDlg,0);
        break;
    }
    return 0;
}
本插件确实有用，可以像CheatEngine一样修改数据。鉴于CheatEngine开源，有时间我会加以完善。同时在逆向过程中也发现了一些不足之处，如下:
1. 只支持整数
2. 有些逻辑不够全面,例如IsHex选中的处理
3. 我逆向的结果证明作者源码中存在一些小错误,例如Inc/Dec按钮消息和WM_CLOSE消息处理
4. 16进制转换代码是有函数库可以完成,且更完善易用
5. 某些数据应通过数据结构存储,而不是通过API函数发送消息再获得,这样效率低
我就感叹一句 超兄这逆向功力已经很强了啊...
有时候领导要的不是你自己能看懂某段功能 逆出标准c/c++代码意义就又提了一层
顶!