OllyDbg去除花指令插件DeJunk源码分析
本帖最后由 元始天尊 于 2015-1-13 20:33 编辑该插件为花指令自动去除插件。经多人完善,最初作者为ljtt,本版为flyfancy根据hoto制作的dejunk插件修改而来。文件大小29kb,代码段占4.8kb,逆向代码大约500行。我也是通过逆向分析才第一次了解到花指令是什么以及如何去除花指令。先做个简要介绍:
; Layout: <byte offset> ; <instruction>. jo and jno test opposite conditions, so exactly one of them
; is taken and execution always resumes at label (+5); the byte at +4 is never executed, only disassembled.
+0 ; jo label
+2 ; jno label
+4 ; db _junkcode
+5 ;label: ....
; ....
上面的汇编代码,左边序号表示指令所在的字节偏移,jo和jno都跳到+5处,因此,前5字节是无效的,相当于直接执行+5处代码,而这5字节就是为了迷惑反汇编器而构造的汇编指令,常见的修改方法是把前5字节都用nop指令代替即可。该例比较简单,然而作者精心构造的花指令可以非常复杂,会大幅增加反汇编分析的时间。
以下是我对该插件反汇编代码的分析,这里只列出重要代码:
.data:10001E80 ; BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID lpvReserved)
.data:10001E80 ; stdcall, 3 args (retn 0Ch). Returns TRUE (eax = 1) for every fdwReason.
.data:10001E80 ; On DLL_PROCESS_ATTACH (fdwReason == 1) it saves hModule in hInstance and
.data:10001E80 ; builds two paths next to the DLL, using inline strlen/memcpy sequences
.data:10001E80 ; (repne scasb / rep movsd+movsb) instead of CRT calls:
.data:10001E80 ;   JunkdbcfgPath = <dir of this DLL>\Junkdb.cfg
.data:10001E80 ;   DeJunkLogPath = <dir of this DLL>\DeJunk.Log
.data:10001E80 ; The sizes of JunkdbcfgPath/DeJunkLogPath are not visible in this listing and
.data:10001E80 ; no length check precedes the appends. Note the listing prefix: the disassembler
.data:10001E80 ; placed these routines in a segment it named .data; whether that section is also
.data:10001E80 ; writable is not visible here. Bracketed memory operands ([ebp+..], [eax]) were
.data:10001E80 ; lost when the listing was pasted and are marked "presumably" below.
.data:10001E80 _DllMain@12 proc near ; CODE XREF: DllEntryPoint+4B p
.data:10001E80
.data:10001E80 hModule = dword ptr8
.data:10001E80 fdwReason = dword ptr0Ch
.data:10001E80 lpvReserved = dword ptr10h
.data:10001E80
.data:10001E80 push ebp
.data:10001E81 mov ebp, esp
.data:10001E83 cmp , 1 ; presumably [ebp+fdwReason], 1 (DLL_PROCESS_ATTACH)
.data:10001E87 jnz loc_10001F3B ; any other reason: just return TRUE
.data:10001E8D mov eax, ; presumably [ebp+hModule]
.data:10001E90 push ebx
.data:10001E91 push esi
.data:10001E92 push edi
.data:10001E93 mov ebx, offset JunkdbcfgPath ; ebx = destination for this DLL's own path
.data:10001E98 push 104h ; nSize = MAX_PATH; the return value (and thus truncation) is not checked
.data:10001E9D push ebx ; lpFilename
.data:10001E9E push eax ; hModule
.data:10001E9F mov hInstance, eax ; module handle kept for DialogBoxParamA / GetOpenFileNameA later
.data:10001EA4 call GetModuleFileNameA ; JunkdbcfgPath = full path of this DLL
.data:10001EAA push 5Ch ; Ch = '\'
.data:10001EAC push ebx ; Str
.data:10001EAD call _strrchr ; eax -> last '\' in the path, or NULL if there is none
.data:10001EB2 and byte ptr , 0 ; presumably [eax]: truncate right after the directory. NOTE(review): the NULL return of strrchr is not checked
.data:10001EB6 pop ecx ; cdecl: discard the two strrchr arguments
.data:10001EB7 pop ecx
.data:10001EB8 mov edi, ebx ; --- inline strlen(JunkdbcfgPath)
.data:10001EBA or ecx, 0FFFFFFFFh ; ecx = -1 (no length limit)
.data:10001EBD xor eax, eax ; scan for NUL
.data:10001EBF repne scasb ; edi -> one past the NUL
.data:10001EC1 not ecx ; ecx = length including the NUL
.data:10001EC3 sub edi, ecx ; edi -> start of the string again
.data:10001EC5 mov edx, offset DeJunkLogPath ; edx = second destination buffer
.data:10001ECA mov eax, ecx ; eax = byte count (kept for the tail copy)
.data:10001ECC mov esi, edi ; --- inline memcpy(DeJunkLogPath, JunkdbcfgPath, len+1)
.data:10001ECE mov edi, edx
.data:10001ED0 shr ecx, 2 ; whole dwords first ...
.data:10001ED3 rep movsd
.data:10001ED5 mov ecx, eax
.data:10001ED7 xor eax, eax ; eax = 0 again for the next scasb
.data:10001ED9 and ecx, 3 ; ... then the remaining 0-3 bytes
.data:10001EDC rep movsb
.data:10001EDE mov edi, offset aJunkdb_cfg ; "Junkdb.cfg" -- strlen of the file name to append
.data:10001EE3 or ecx, 0FFFFFFFFh
.data:10001EE6 repne scasb
.data:10001EE8 not ecx ; ecx = 0Bh (10 chars + NUL)
.data:10001EEA sub edi, ecx ; edi -> "Junkdb.cfg"
.data:10001EEC mov eax, ecx
.data:10001EEE mov esi, edi ; esi = source for the append
.data:10001EF0 mov , eax ; presumably a stack temporary: save the byte count
.data:10001EF3 mov edi, ebx ; --- find the NUL of JunkdbcfgPath (inline strcat)
.data:10001EF5 or ecx, 0FFFFFFFFh
.data:10001EF8 xor eax, eax
.data:10001EFA repne scasb
.data:10001EFC mov eax, ; presumably the saved byte count
.data:10001EFF dec edi ; edi -> the terminating NUL, which gets overwritten
.data:10001F00 mov ecx, eax
.data:10001F02 shr ecx, 2
.data:10001F05 rep movsd ; append "Junkdb.cfg" + NUL; no check that it fits the buffer
.data:10001F07 mov ecx, eax
.data:10001F09 xor eax, eax
.data:10001F0B and ecx, 3
.data:10001F0E rep movsb
.data:10001F10 mov edi, offset aDejunk_log ; "DeJunk.Log" -- same two steps for the log name
.data:10001F15 or ecx, 0FFFFFFFFh
.data:10001F18 repne scasb
.data:10001F1A not ecx ; ecx = 0Bh
.data:10001F1C sub edi, ecx
.data:10001F1E mov esi, edi ; esi -> "DeJunk.Log"
.data:10001F20 mov ebx, ecx ; ebx = byte count (the cfg path pointer is no longer needed)
.data:10001F22 mov edi, edx ; edi = DeJunkLogPath
.data:10001F24 or ecx, 0FFFFFFFFh
.data:10001F27 repne scasb ; find its NUL (eax is still 0)
.data:10001F29 mov ecx, ebx
.data:10001F2B dec edi
.data:10001F2C shr ecx, 2
.data:10001F2F rep movsd ; append "DeJunk.Log" + NUL, again unchecked
.data:10001F31 mov ecx, ebx
.data:10001F33 and ecx, 3
.data:10001F36 rep movsb
.data:10001F38 pop edi
.data:10001F39 pop esi
.data:10001F3A pop ebx
.data:10001F3B
.data:10001F3B loc_10001F3B: ; CODE XREF: DllMain(x,x,x)+7 j
.data:10001F3B push 1 ; eax = TRUE via push/pop (shorter encoding than mov eax, 1)
.data:10001F3D pop eax
.data:10001F3E pop ebp
.data:10001F3F retn 0Ch ; stdcall: callee pops the three arguments
.data:10001F77 ; INT_PTR CALLBACK DeJunkFunc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
.data:10001F77 ; Dialog procedure of the main DeJunk dialog (template 65h, started from
.data:10001F77 ; _ODBG_Pluginaction). The first argument, labelled lpFileName by the
.data:10001F77 ; disassembler, is used as hDlg everywhere below. Arguments are addressed
.data:10001F77 ; through esp (no frame pointer); ebx/ebp/esi/edi are saved and restored.
.data:10001F77 ; Message dispatch is done by repeated subtraction from uMsg:
.data:10001F77 ;   WM_CLOSE      (10h)  -> EndDialog(hDlg, 0)
.data:10001F77 ;   WM_SETCURSOR  (20h)  -> status text (id 3ECh) names the control under the cursor
.data:10001F77 ;   WM_INITDIALOG (110h) -> cache control handles, fill combos, read defaults from Junkdb.cfg
.data:10001F77 ;   WM_COMMAND    (111h) -> id 8 = Close, 3E8h = Start, 3EEh = edit profile
.data:10001F77 ; Control ids, as derived from the GetDlgItem sequence at 100020C1..1000210F:
.data:10001F77 ;   3E9h start-address edit, 3EAh range edit, 3EBh direction combo,
.data:10001F77 ;   3EDh junk-type combo, 3ECh status text, 3E8h Start, 8 Close, 3EEh Edit profile.
.data:10001F77 ; Always returns 0 (FALSE). Bracketed memory operands were lost when the
.data:10001F77 ; listing was pasted and are marked "presumably".
.data:10001F77 DeJunkFunc proc near ; DATA XREF: _ODBG_Pluginaction+E4 o
.data:10001F77
.data:10001F77 var_14 = dword ptr -14h
.data:10001F77 lpFileName = dword ptr4
.data:10001F77 uMsg = dword ptr8
.data:10001F77 wParam = dword ptr0Ch
.data:10001F77 lParam = dword ptr10h
.data:10001F77
.data:10001F77 mov eax, ; presumably [esp+uMsg]
.data:10001F7B push ebx
.data:10001F7C push ebp
.data:10001F7D push esi
.data:10001F7E sub eax, 10h ; eax = uMsg - WM_CLOSE
.data:10001F81 push edi
.data:10001F82 jz loc_100022E5 ; WM_CLOSE
.data:10001F88 sub eax, 10h
.data:10001F8B jz loc_1000225E ; WM_SETCURSOR (20h)
.data:10001F91 sub eax, 0F0h
.data:10001F96 jz loc_100020A6 ; WM_INITDIALOG (110h)
.data:10001F9C dec eax
.data:10001F9D jnz loc_100022F1 ; anything but WM_COMMAND (111h): return 0
.data:10001FA3 mov eax, ; presumably [esp+wParam]; the compares below use the whole dword, so only BN_CLICKED (high word 0) matches
.data:10001FA7 sub eax, 8
.data:10001FAA jz loc_1000209A ; id 8: Close button
.data:10001FB0 sub eax, 3E0h
.data:10001FB5 jz short loc_10001FD0 ; id 3E8h: Start button
.data:10001FB7 sub eax, 6
.data:10001FBA jnz loc_100022F1 ; not id 3EEh: return 0
.data:10001FC0 push offset JunkdbcfgPath ; lpParameters -- id 3EEh: hand the cfg path to known3 (not shown; presumably opens it in the configured editor)
.data:10001FC5 call known3
.data:10001FCA pop ecx ; cdecl cleanup
.data:10001FCB jmp loc_100022F1
.data:10001FD0 ; ---------------------------------------------------------------------------
.data:10001FD0
.data:10001FD0 loc_10001FD0: ; CODE XREF: DeJunkFunc+3E j
.data:10001FD0 ; Start button: both edits must hold hex text, then parse them and run FindJunk
.data:10001FD0 mov esi, ; presumably [esp+lpFileName] = hDlg
.data:10001FD4 mov ebx, 3E9h ; ebx = start-address edit id
.data:10001FD9 push ebx ; nIDDlgItem
.data:10001FDA push esi ; hDlg
.data:10001FDB call IsInputValid ; IsInputValid(hDlg, 3E9h), cdecl, not shown
.data:10001FE0 pop ecx
.data:10001FE1 test eax, eax ; pop does not touch flags, so the result survives the second pop
.data:10001FE3 pop ecx
.data:10001FE4 jz loc_10002082 ; not hex -> message box
.data:10001FEA mov ebp, 3EAh ; ebp = range edit id
.data:10001FEF push ebp ; nIDDlgItem
.data:10001FF0 push esi ; hDlg
.data:10001FF1 call IsInputValid
.data:10001FF6 pop ecx
.data:10001FF7 test eax, eax
.data:10001FF9 pop ecx
.data:10001FFA jz loc_10002082
.data:10002000 mov edi, offset String1 ; shared scratch buffer for the edit text
.data:10002005 push 9 ; cchMax = 9: at most 8 hex digits + NUL (the edit is limited to 8 chars at init)
.data:10002007 push edi ; lpString
.data:10002008 push ebx ; nIDDlgItem
.data:10002009 mov ebx, GetDlgItemTextA
.data:1000200F push esi ; hDlg
.data:10002010 call ebx ; GetDlgItemTextA
.data:10002012 push edi
.data:10002013 call GetNumberFromString ; hex text -> number (not shown)
.data:10002018 pop ecx
.data:10002019 mov JunkStartAddr, eax
.data:1000201E push 9 ; cchMax
.data:10002020 push edi ; lpString
.data:10002021 push ebp ; nIDDlgItem
.data:10002022 push esi ; hDlg
.data:10002023 call ebx ; GetDlgItemTextA
.data:10002025 push edi
.data:10002026 call GetNumberFromString
.data:1000202B pop ecx
.data:1000202C xor edi, edi ; edi = 0: zero wParam/lParam below, and the 0 for the JunkCodeNum compare
.data:1000202E push edi ; lParam
.data:1000202F push edi ; wParam
.data:10002030 push 147h ; Msg = CB_GETCURSEL
.data:10002035 push 3EBh ; nIDDlgItem = direction combo
.data:1000203A push esi ; hDlg
.data:1000203B mov dword ptr JunkRange, eax ; JunkRange = parsed range
.data:10002040 call SendDlgItemMessageA
.data:10002046 cmp eax, 1 ; index 1 = "Up" (strings are added in the order Down, Up at init)
.data:10002049 mov eax, dword ptr JunkRange ; mov leaves the flags from cmp intact
.data:1000204E jnz short loc_10002056
.data:10002050 sub JunkStartAddr, eax ; "Up": scan the Range bytes ending at the given address. No check that Range <= StartAddr, so this can wrap below 0
.data:10002056
.data:10002056 loc_10002056: ; CODE XREF: DeJunkFunc+D7 j
.data:10002056 push eax ; Size = JunkRange
.data:10002057 push JunkStartAddr ; int
.data:1000205D push esi ; hWnd
.data:1000205E call FindJunk ; FindJunk(hDlg, JunkStartAddr, JunkRange): scans/patches and sets JunkCodeNum
.data:10002063 add esp, 0Ch
.data:10002066 cmp dword ptr JunkCodeNum, edi ; edi is still 0
.data:1000206C jz loc_100022F1 ; nothing found: keep the dialog open
.data:10002072 push edi ; lParam
.data:10002073 push edi ; wParam
.data:10002074 push 10h ; Msg = WM_CLOSE
.data:10002076 push esi ; hWnd
.data:10002077
.data:10002077 loc_10002077: ; CODE XREF: DeJunkFunc+12D j
.data:10002077 ; shared tail: SendMessage(hDlg, WM_CLOSE, 0, 0), also reached from the Close button
.data:10002077 call SendMessageA
.data:1000207D jmp loc_100022F1
.data:10002082 ; ---------------------------------------------------------------------------
.data:10002082
.data:10002082 loc_10002082: ; CODE XREF: DeJunkFunc+6D j
.data:10002082 ; DeJunkFunc+83 j
.data:10002082 push 30h ; uType = MB_ICONWARNING
.data:10002084 push offset Caption; "DeJunk plugin v0.12"
.data:10002089 push offset Text ; "Please input HEXadecimal."
.data:1000208E push esi ; hWnd
.data:1000208F call MessageBoxA
.data:10002095 jmp loc_100022F1
.data:1000209A ; ---------------------------------------------------------------------------
.data:1000209A
.data:1000209A loc_1000209A: ; CODE XREF: DeJunkFunc+33 j
.data:1000209A ; Close button: SendMessage(hDlg, WM_CLOSE, 0, 0) via the shared call above
.data:1000209A push 0
.data:1000209C push 0
.data:1000209E push 10h ; WM_CLOSE
.data:100020A0 push ; presumably [esp+lpFileName] = hDlg
.data:100020A4 jmp short loc_10002077
.data:100020A6 ; ---------------------------------------------------------------------------
.data:100020A6
.data:100020A6 loc_100020A6: ; CODE XREF: DeJunkFunc+1F j
.data:100020A6 ; WM_INITDIALOG
.data:100020A6 mov esi, ; presumably [esp+lpFileName] = hDlg
.data:100020AA push offset Caption; "DeJunk plugin v0.12"
.data:100020AF push esi ; hWnd
.data:100020B0 call SetWindowTextA ; dialog title
.data:100020B6 mov edi, GetDlgItem
.data:100020BC mov ebx, 3E9h
.data:100020C1 push ebx ; nIDDlgItem
.data:100020C2 push esi ; hDlg
.data:100020C3 call edi ; GetDlgItem
.data:100020C5 push 3EAh ; nIDDlgItem
.data:100020CA push esi ; hDlg
.data:100020CB mov hStartAddr, eax ; each "mov hX, eax" stores the result of the *previous* GetDlgItem: hStartAddr = 3E9h
.data:100020D0 call edi ; GetDlgItem
.data:100020D2 mov ebp, 3EBh
.data:100020D7 mov hRang, eax ; = 3EAh
.data:100020DC push ebp ; nIDDlgItem
.data:100020DD push esi ; hDlg
.data:100020DE call edi ; GetDlgItem
.data:100020E0 push 3EDh ; nIDDlgItem
.data:100020E5 push esi ; hDlg
.data:100020E6 mov hDirection, eax ; = 3EBh
.data:100020EB call edi ; GetDlgItem
.data:100020ED push 3E8h ; nIDDlgItem
.data:100020F2 push esi ; hDlg
.data:100020F3 mov hJunkType, eax ; = 3EDh
.data:100020F8 call edi ; GetDlgItem
.data:100020FA push 8 ; nIDDlgItem
.data:100020FC push esi ; hDlg
.data:100020FD mov hStart, eax ; = 3E8h
.data:10002102 call edi ; GetDlgItem
.data:10002104 push 3EEh ; nIDDlgItem
.data:10002109 push esi ; hDlg
.data:1000210A mov hClose, eax ; = 8
.data:1000210F call edi ; GetDlgItem
.data:10002111 mov edi, PostMessageA
.data:10002117 push 0 ; lParam
.data:10002119 push 8 ; wParam = 8 characters max
.data:1000211B push 0C5h ; Msg = EM_LIMITTEXT
.data:10002120 push hStartAddr ; hWnd
.data:10002126 mov hE, eax ; = 3EEh
.data:1000212B call edi ; PostMessageA -- start-address edit limited to 8 chars (fits the cchMax = 9 read-back)
.data:1000212D push 0 ; lParam
.data:1000212F push 5 ; wParam = 5 characters max
.data:10002131 push 0C5h ; Msg = EM_LIMITTEXT
.data:10002136 push hRang ; hWnd
.data:1000213C call edi ; PostMessageA -- range edit limited to 5 chars
.data:1000213E call _Getcputhreadid ; OllyDbg plugin API; presumably the id of the thread shown in the CPU window, 0 if none
.data:10002143 test eax, eax
.data:10002145 mov dword_10005F1C, eax
.data:1000214A jnz short loc_10002163
.data:1000214C push eax ; no thread: format "00000000"
.data:1000214D mov edi, offset String1
.data:10002152 push offset a08lx ; "%08lX"
.data:10002157 push edi ; LPSTR
.data:10002158 call wsprintfA
.data:1000215E add esp, 0Ch ; 3 cdecl args
.data:10002161 jmp short loc_10002188
.data:10002163 ; ---------------------------------------------------------------------------
.data:10002163 loc_10002163: ; CODE XREF: DeJunkFunc+1D3 j
.data:10002163 push eax
.data:10002164 call _Findthread ; OllyDbg plugin API: thread record for that id
.data:10002169 mov curThreadId, eax
.data:1000216E push dword ptr ; operand lost; presumably a field of the thread record, used as the default start address
.data:10002174 mov edi, offset String1
.data:10002179 push offset a08lx ; "%08lX"
.data:1000217E push edi ; LPSTR
.data:1000217F call wsprintfA
.data:10002185 add esp, 10h ; 3 wsprintf args + the _Findthread arg pushed at 10002163
.data:10002188
.data:10002188 loc_10002188: ; CODE XREF: DeJunkFunc+1EA j
.data:10002188 push edi ; lpString = String1
.data:10002189 push ebx ; nIDDlgItem = 3E9h
.data:1000218A push esi ; hDlg
.data:1000218B call SetDlgItemTextA ; pre-fill the start-address edit
.data:10002191 mov ebx, SendDlgItemMessageA
.data:10002197 push offset aDown ; "Down" -- lParam
.data:1000219C push 0 ; wParam
.data:1000219E push 143h ; Msg = CB_ADDSTRING
.data:100021A3 push ebp ; nIDDlgItem = 3EBh (direction combo)
.data:100021A4 push esi ; hDlg
.data:100021A5 call ebx ; SendDlgItemMessageA -- index 0 = "Down"
.data:100021A7 push offset aUp ; "Up"
.data:100021AC push 0 ; wParam
.data:100021AE push 143h ; Msg = CB_ADDSTRING
.data:100021B3 push ebp ; nIDDlgItem
.data:100021B4 push esi ; hDlg
.data:100021B5 call ebx ; SendDlgItemMessageA -- index 1 = "Up"
.data:100021B7 push 0 ; lParam
.data:100021B9 push 0 ; wParam = index 0
.data:100021BB push 14Eh ; Msg = CB_SETCURSEL
.data:100021C0 push ebp ; nIDDlgItem
.data:100021C1 push esi ; hDlg
.data:100021C2 call ebx ; SendDlgItemMessageA -- default direction "Down"
.data:100021C4 push offset aReady_; "Ready."
.data:100021C9 push 0 ; wParam
.data:100021CB push 0Ch ; Msg = WM_SETTEXT
.data:100021CD push 3ECh ; nIDDlgItem = status text
.data:100021D2 push esi ; hDlg
.data:100021D3 call ebx ; SendDlgItemMessageA
.data:100021D5 push esi ; hDlg
.data:100021D6 call InitComboBox ; fills the junk-type combo (not shown); its argument is left on the stack
.data:100021DB mov ebp, GetPrivateProfileStringA
.data:100021E1 mov , offset JunkdbcfgPath ; operand lost; appears to overwrite the still-pushed InitComboBox slot so it serves as lpFileName
.data:100021E8 push 6 ; nSize = 6 (5 hex digits + NUL)
.data:100021EA push edi ; lpReturnedString = String1
.data:100021EB push 0 ; lpDefault
.data:100021ED push offset KeyName; "DefaultRang"
.data:100021F2 push offset AppName; "OPTION"
.data:100021F7 call ebp ; GetPrivateProfileStringA -- [OPTION] DefaultRang from Junkdb.cfg
.data:100021F9 test eax, eax
.data:100021FB jnz short loc_10002211
.data:100021FD push 1000h ; not configured: default range 1000h, formatted as "01000"
.data:10002202 push offset a05lx ; "%05lX"
.data:10002207 push edi ; LPSTR
.data:10002208 call wsprintfA
.data:1000220E add esp, 0Ch
.data:10002211
.data:10002211 loc_10002211: ; CODE XREF: DeJunkFunc+284 j
.data:10002211 push edi ; lpString
.data:10002212 push 3EAh ; nIDDlgItem = range edit
.data:10002217 push esi ; hDlg
.data:10002218 call SetDlgItemTextA
.data:1000221E push offset JunkdbcfgPath ; lpFileName
.data:10002223 mov edi, offset String2
.data:10002228 push 104h ; nSize = MAX_PATH
.data:1000222D push edi ; lpReturnedString = String2
.data:1000222E push 0 ; lpDefault
.data:10002230 push offset aDefaulttype ; "DefaultType"
.data:10002235 push offset AppName; "OPTION"
.data:1000223A call ebp ; GetPrivateProfileStringA -- [OPTION] DefaultType
.data:1000223C test eax, eax
.data:1000223E jnz short loc_10002254
.data:10002240 push eax ; lParam = 0 (eax is 0 here)
.data:10002241 push eax ; wParam = 0
.data:10002242 push 14Eh ; Msg = CB_SETCURSEL: no default type -> select entry 0
.data:10002247
.data:10002247 loc_10002247: ; CODE XREF: DeJunkFunc+2E5 j
.data:10002247 push 3EDh ; nIDDlgItem = junk-type combo
.data:1000224C push esi ; hDlg
.data:1000224D call ebx ; SendDlgItemMessageA
.data:1000224F jmp loc_100022F1
.data:10002254 ; ---------------------------------------------------------------------------
.data:10002254
.data:10002254 loc_10002254: ; CODE XREF: DeJunkFunc+2C7 j
.data:10002254 push edi ; lParam = String2 (the configured type name)
.data:10002255 push 0 ; wParam = start index
.data:10002257 push 14Dh ; Msg = CB_SELECTSTRING
.data:1000225C jmp short loc_10002247
.data:1000225E ; ---------------------------------------------------------------------------
.data:1000225E
.data:1000225E loc_1000225E: ; CODE XREF: DeJunkFunc+14 j
.data:1000225E ; WM_SETCURSOR: wParam is the window under the cursor; choose its status text
.data:1000225E mov eax, ; presumably [esp+wParam]
.data:10002262 cmp eax, hStartAddr
.data:10002268 jnz short loc_10002271
.data:1000226A push offset aDejunkStartAdd ; "DeJunk start address.(hex)"
.data:1000226F jmp short loc_100022C9
.data:10002271 ; ---------------------------------------------------------------------------
.data:10002271
.data:10002271 loc_10002271: ; CODE XREF: DeJunkFunc+2F1 j
.data:10002271 cmp eax, hRang
.data:10002277 jnz short loc_10002280
.data:10002279 push offset aDejunkRang_Hex ; "DeJunk rang.(hex)"
.data:1000227E jmp short loc_100022C9
.data:10002280 ; ---------------------------------------------------------------------------
.data:10002280
.data:10002280 loc_10002280: ; CODE XREF: DeJunkFunc+300 j
.data:10002280 cmp eax, hDirection
.data:10002286 jnz short loc_1000228F
.data:10002288 push offset aSelectDirectio ; "Select Direction."
.data:1000228D jmp short loc_100022C9
.data:1000228F ; ---------------------------------------------------------------------------
.data:1000228F
.data:1000228F loc_1000228F: ; CODE XREF: DeJunkFunc+30F j
.data:1000228F cmp eax, hJunkType
.data:10002295 jnz short loc_1000229E
.data:10002297 push offset aSelectDejunkTy ; "Select Dejunk Type."
.data:1000229C jmp short loc_100022C9
.data:1000229E ; ---------------------------------------------------------------------------
.data:1000229E
.data:1000229E loc_1000229E: ; CODE XREF: DeJunkFunc+31E j
.data:1000229E cmp eax, hStart
.data:100022A4 jnz short loc_100022AD
.data:100022A6 push offset aStartDejunk_ ; "Start DeJunk."
.data:100022AB jmp short loc_100022C9
.data:100022AD ; ---------------------------------------------------------------------------
.data:100022AD
.data:100022AD loc_100022AD: ; CODE XREF: DeJunkFunc+32D j
.data:100022AD cmp eax, hE
.data:100022B3 jnz short loc_100022BC
.data:100022B5 push offset aEditDejunkProf ; "Edit Dejunk profile."
.data:100022BA jmp short loc_100022C9
.data:100022BC ; ---------------------------------------------------------------------------
.data:100022BC
.data:100022BC loc_100022BC: ; CODE XREF: DeJunkFunc+33C j
.data:100022BC cmp eax, hClose
.data:100022C2 jnz short loc_100022DE
.data:100022C4 push offset aEndDialog_ ; "End Dialog."
.data:100022C9
.data:100022C9 loc_100022C9: ; CODE XREF: DeJunkFunc+2F8 j
.data:100022C9 ; DeJunkFunc+307 j ...
.data:100022C9 ; SendDlgItemMessage(hDlg, 3ECh, WM_SETTEXT, 0, <string pushed above>)
.data:100022C9 push 0 ; wParam
.data:100022CB push 0Ch ; Msg = WM_SETTEXT
.data:100022CD push 3ECh ; nIDDlgItem = status text
.data:100022D2 push ; hDlg (operand lost; presumably [esp+lpFileName] adjusted for the pushes)
.data:100022D6 call SendDlgItemMessageA
.data:100022DC jmp short loc_100022F1
.data:100022DE ; ---------------------------------------------------------------------------
.data:100022DE
.data:100022DE loc_100022DE: ; CODE XREF: DeJunkFunc+34B j
.data:100022DE push offset aReady_; "Ready." -- cursor over anything else
.data:100022E3 jmp short loc_100022C9
.data:100022E5 ; ---------------------------------------------------------------------------
.data:100022E5
.data:100022E5 loc_100022E5: ; CODE XREF: DeJunkFunc+B j
.data:100022E5 ; WM_CLOSE
.data:100022E5 push 0 ; nResult
.data:100022E7 push ; hDlg (operand lost)
.data:100022EB call EndDialog
.data:100022F1
.data:100022F1 loc_100022F1: ; CODE XREF: DeJunkFunc+26 j
.data:100022F1 ; DeJunkFunc+43 j ...
.data:100022F1 ; common exit: restore callee-saved registers, return 0
.data:100022F1 pop edi
.data:100022F2 pop esi
.data:100022F3 pop ebp
.data:100022F4 xor eax, eax
.data:100022F6 pop ebx
.data:100022F7 retn
.data:100022F8 ; INT_PTR CALLBACK OptionFunc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
.data:100022F8 ; Dialog procedure of the "Option" dialog. It reuses the DeJunk dialog
.data:100022F8 ; template (65h, see _ODBG_Pluginaction) and re-labels it at init: the
.data:100022F8 ; start-address edit (3E9h) and direction combo (3EBh) are disabled, the
.data:100022F8 ; Start button (3E8h) becomes "&Save", the title becomes "Option".
.data:100022F8 ;   WM_CLOSE      (10h)  -> EndDialog(hDlg, 0)
.data:100022F8 ;   WM_SETCURSOR  (20h)  -> status text (3ECh) for the control under the cursor
.data:100022F8 ;   WM_INITDIALOG (110h) -> load [OPTION] DefaultRang / DefaultType from Junkdb.cfg
.data:100022F8 ;   WM_COMMAND    (111h) -> 8 = close; 3E8h = write Editor/DefaultType/DefaultRang to Junkdb.cfg, then close;
.data:100022F8 ;                          3EEh = browse for an editor executable with GetOpenFileNameA
.data:100022F8 ; The argument the disassembler named a2 is uMsg. The hRang/hJunkType/hStart/
.data:100022F8 ; hClose/hE globals are the same ones DeJunkFunc fills, with the same ids.
.data:100022F8 ; Always returns 0. Bracketed memory operands were lost when the listing
.data:100022F8 ; was pasted and are marked "presumably".
.data:100022F8 OptionFunc proc near ; DATA XREF: _ODBG_Pluginaction+54 o
.data:100022F8
.data:100022F8 hDlg = dword ptr4
.data:100022F8 a2 = dword ptr8
.data:100022F8 wParam = dword ptr0Ch
.data:100022F8 lParam = dword ptr10h
.data:100022F8
.data:100022F8 mov eax, ; presumably [esp+a2] = uMsg
.data:100022FC push ebx
.data:100022FD push ebp
.data:100022FE push esi
.data:100022FF sub eax, 10h ; eax = uMsg - WM_CLOSE
.data:10002302 push edi
.data:10002303 jz loc_100025D3 ; WM_CLOSE
.data:10002309 sub eax, 10h
.data:1000230C jz loc_1000256A ; WM_SETCURSOR (20h)
.data:10002312 sub eax, 0F0h
.data:10002317 jz loc_1000244D ; WM_INITDIALOG (110h)
.data:1000231D dec eax
.data:1000231E jnz loc_100025DF ; not WM_COMMAND (111h): return 0
.data:10002324 mov eax, ; presumably [esp+wParam]; whole-dword compares, so only BN_CLICKED (high word 0) matches
.data:10002328 sub eax, 8
.data:1000232B jz loc_10002438 ; id 8: Close button
.data:10002331 sub eax, 3E0h
.data:10002336 jz short loc_1000239B ; id 3E8h: Save button
.data:10002338 sub eax, 6
.data:1000233B jnz loc_100025DF ; not id 3EEh: return 0
.data:10002341 mov eax, hInstance ; id 3EEh: browse for the editor executable
.data:10002346 push 41h ; ecx = 41h via push/pop: 41h dwords = 104h bytes
.data:10002348 mov edx, offset String2
.data:1000234D mov filestruct.hInstance, eax
.data:10002352 pop ecx
.data:10002353 xor eax, eax
.data:10002355 mov edi, edx
.data:10002357 push offset filestruct ; LPOPENFILENAMEA -- argument pushed before the struct is filled (compiler scheduling)
.data:1000235C rep stosd ; zero String2 (104h bytes) so lpstrFile starts empty
.data:1000235E mov filestruct.lStructSize, 4Ch ; 4Ch = OPENFILENAME size without the post-Win2000 fields
.data:10002368 mov filestruct.nMaxFile, 104h ; MAX_PATH
.data:10002372 mov filestruct.lpstrFile, edx ; result goes into String2
.data:10002378 mov filestruct.Flags, 281804h ; decodes to OFN_LONGNAMES|OFN_EXPLORER|OFN_FILEMUSTEXIST|OFN_PATHMUSTEXIST|OFN_HIDEREADONLY -- verify
.data:10002382 mov filestruct.lpstrFilter, offset aExeFile ; "Exe File"
.data:1000238C call GetOpenFileNameA
.data:10002391 mov dword ptr IsAccepted, eax ; nonzero only if the user confirmed a file
.data:10002396 jmp loc_100025DF
.data:1000239B ; ---------------------------------------------------------------------------
.data:1000239B
.data:1000239B loc_1000239B: ; CODE XREF: OptionFunc+3E j
.data:1000239B ; Save button: persist the settings to Junkdb.cfg, then close
.data:1000239B xor ebp, ebp ; ebp = 0
.data:1000239D mov ebx, offset JunkdbcfgPath ; ebx = cfg path (lpFileName for every write below)
.data:100023A2 cmp dword ptr IsAccepted, ebp
.data:100023A8 mov esi, offset AppName ; "OPTION" -- esi = section name
.data:100023AD jz short loc_100023C4 ; no editor picked in this session: leave the Editor value as it is
.data:100023AF mov edi, offset String2
.data:100023B4 push ebx ; lpFileName
.data:100023B5 push edi ; lpString = chosen editor path
.data:100023B6 push offset aEditor; "Editor"
.data:100023BB push esi ; lpAppName
.data:100023BC call WritePrivateProfileStringA ; [OPTION] Editor=<path>. The cfg sits next to the DLL; anything able to write that file controls what this setting names
.data:100023C2 jmp short loc_100023C9
.data:100023C4 ; ---------------------------------------------------------------------------
.data:100023C4
.data:100023C4 loc_100023C4: ; CODE XREF: OptionFunc+B5 j
.data:100023C4 mov edi, offset String2 ; edi = scratch buffer for the type name
.data:100023C9
.data:100023C9 loc_100023C9: ; CODE XREF: OptionFunc+CA j
.data:100023C9 push edi ; lParam -- pushed early: this is lParam (String2) of the *second* SendDlgItemMessage (CB_GETLBTEXT) below
.data:100023CA push ebp ; lParam = 0
.data:100023CB push ebp ; wParam = 0
.data:100023CC mov ebp, 3EDh ; ebp = junk-type combo id
.data:100023D1 push 147h ; Msg = CB_GETCURSEL
.data:100023D6 push ebp ; nIDDlgItem
.data:100023D7 push ; hDlg (operand lost)
.data:100023DB call SendDlgItemMessageA ; eax = selected index
.data:100023E1 push eax ; wParam = that index
.data:100023E2 push 148h ; Msg = CB_GETLBTEXT
.data:100023E7 push ebp ; nIDDlgItem
.data:100023E8 push ; hDlg (operand lost)
.data:100023EC call SendDlgItemMessageA ; String2 = text of the selected type
.data:100023F2 mov ebp, WritePrivateProfileStringA
.data:100023F8 push ebx ; lpFileName
.data:100023F9 push edi ; lpString = String2
.data:100023FA push offset aDefaulttype ; "DefaultType"
.data:100023FF push esi ; lpAppName
.data:10002400 call ebp ; WritePrivateProfileStringA -- [OPTION] DefaultType
.data:10002402 mov edi, 3EAh ; edi = range edit id
.data:10002407 push edi ; nIDDlgItem
.data:10002408 push ; hDlg (operand lost)
.data:1000240C call IsInputValid ; range must be hex, otherwise DefaultRang is left untouched
.data:10002411 pop ecx
.data:10002412 cmp eax, 1 ; pop does not touch flags
.data:10002415 pop ecx
.data:10002416 jnz short loc_10002438
.data:10002418 push 6 ; cchMax = 6 (5 hex digits + NUL)
.data:1000241A push offset String1; lpString
.data:1000241F push edi ; nIDDlgItem
.data:10002420 push ; hDlg (operand lost)
.data:10002424 call GetDlgItemTextA
.data:1000242A push ebx ; lpFileName
.data:1000242B push offset String1; lpString
.data:10002430 push offset KeyName; "DefaultRang"
.data:10002435 push esi ; lpAppName
.data:10002436 call ebp ; WritePrivateProfileStringA -- [OPTION] DefaultRang
.data:10002438
.data:10002438 loc_10002438: ; CODE XREF: OptionFunc+33 j
.data:10002438 ; OptionFunc+11E j
.data:10002438 ; Close button, and the end of Save: SendMessage(hDlg, WM_CLOSE, 0, 0)
.data:10002438 push 0 ; lParam
.data:1000243A push 0 ; wParam
.data:1000243C push 10h ; Msg = WM_CLOSE
.data:1000243E push ; hWnd (operand lost)
.data:10002442 call SendMessageA
.data:10002448 jmp loc_100025DF
.data:1000244D ; ---------------------------------------------------------------------------
.data:1000244D
.data:1000244D loc_1000244D: ; CODE XREF: OptionFunc+1F j
.data:1000244D ; WM_INITDIALOG
.data:1000244D mov edi, ; presumably [esp+hDlg]
.data:10002451 mov esi, GetDlgItem
.data:10002457 push 3EAh ; nIDDlgItem
.data:1000245C push edi ; hDlg
.data:1000245D call esi ; GetDlgItem
.data:1000245F mov ebp, 3EDh
.data:10002464 mov hRang, eax ; = 3EAh range edit
.data:10002469 push ebp ; nIDDlgItem
.data:1000246A push edi ; hDlg
.data:1000246B call esi ; GetDlgItem
.data:1000246D push 3E8h ; nIDDlgItem
.data:10002472 push edi ; hDlg
.data:10002473 mov hJunkType, eax ; = 3EDh (each "mov hX, eax" stores the result of the *previous* call)
.data:10002478 call esi ; GetDlgItem
.data:1000247A push 8 ; nIDDlgItem
.data:1000247C push edi ; hDlg
.data:1000247D mov hStart, eax ; = 3E8h
.data:10002482 call esi ; GetDlgItem
.data:10002484 push 3EEh ; nIDDlgItem
.data:10002489 push edi ; hDlg
.data:1000248A mov hClose, eax ; = 8
.data:1000248F call esi ; GetDlgItem
.data:10002491 push 3E9h ; nIDDlgItem
.data:10002496 push edi ; hDlg
.data:10002497 mov hE, eax ; = 3EEh
.data:1000249C call esi ; GetDlgItem -- eax = 3E9h start-address edit
.data:1000249E mov ebx, EnableWindow
.data:100024A4 push 0 ; bEnable = FALSE
.data:100024A6 push eax ; hWnd
.data:100024A7 mov dword_10006344, eax
.data:100024AC call ebx ; EnableWindow -- start-address edit disabled in this dialog
.data:100024AE push 3EBh ; nIDDlgItem = direction combo
.data:100024B3 push edi ; hDlg
.data:100024B4 call esi ; GetDlgItem
.data:100024B6 push 0 ; bEnable = FALSE
.data:100024B8 push eax ; hWnd
.data:100024B9 mov dword_10006344, eax
.data:100024BE call ebx ; EnableWindow -- direction combo disabled
.data:100024C0 push 3E8h ; nIDDlgItem = Start button
.data:100024C5 push edi ; hDlg
.data:100024C6 call esi ; GetDlgItem
.data:100024C8 mov esi, SetWindowTextA
.data:100024CE push offset aSave ; "&Save"
.data:100024D3 push eax ; hWnd
.data:100024D4 mov dword_10006344, eax
.data:100024D9 call esi ; SetWindowTextA -- Start button re-labelled "&Save"
.data:100024DB push offset aOption; "Option"
.data:100024E0 push edi ; hWnd
.data:100024E1 call esi ; SetWindowTextA -- dialog title
.data:100024E3 push edi ; hDlg
.data:100024E4 call InitComboBox ; fills the junk-type combo (not shown)
.data:100024E9 pop ecx
.data:100024EA mov ebx, offset JunkdbcfgPath
.data:100024EF push ebx ; lpFileName
.data:100024F0 push 6 ; nSize = 6 (5 hex digits + NUL)
.data:100024F2 push offset String1; lpReturnedString
.data:100024F7 push 0 ; lpDefault
.data:100024F9 mov esi, offset AppName ; "OPTION"
.data:100024FE push offset KeyName; "DefaultRang"
.data:10002503 push esi ; lpAppName
.data:10002504 call GetPrivateProfileStringA ; [OPTION] DefaultRang
.data:1000250A test eax, eax
.data:1000250C jnz short loc_10002526
.data:1000250E push 1000h ; not configured: "01000"
.data:10002513 push offset a05lx ; "%05lX"
.data:10002518 push offset String1; LPSTR
.data:1000251D call wsprintfA
.data:10002523 add esp, 0Ch
.data:10002526
.data:10002526 loc_10002526: ; CODE XREF: OptionFunc+214 j
.data:10002526 push offset String1; lpString
.data:1000252B push 3EAh ; nIDDlgItem = range edit
.data:10002530 push edi ; hDlg
.data:10002531 call SetDlgItemTextA
.data:10002537 push ebx ; lpFileName
.data:10002538 mov ebx, offset String2
.data:1000253D push 104h ; nSize = MAX_PATH
.data:10002542 push ebx ; lpReturnedString = String2
.data:10002543 push 0 ; lpDefault
.data:10002545 push offset aDefaulttype ; "DefaultType"
.data:1000254A push esi ; lpAppName
.data:1000254B call GetPrivateProfileStringA ; [OPTION] DefaultType
.data:10002551 test eax, eax
.data:10002553 jnz short loc_1000255E
.data:10002555 push eax ; lParam = 0
.data:10002556 push eax ; wParam = 0
.data:10002557 push 14Eh ; CB_SETCURSEL: no default -> entry 0
.data:1000255C jmp short loc_10002566
.data:1000255E ; ---------------------------------------------------------------------------
.data:1000255E
.data:1000255E loc_1000255E: ; CODE XREF: OptionFunc+25B j
.data:1000255E push ebx ; lParam = String2
.data:1000255F push 0 ; wParam = start index
.data:10002561 push 14Dh ; CB_SELECTSTRING
.data:10002566
.data:10002566 loc_10002566: ; CODE XREF: OptionFunc+264 j
.data:10002566 push ebp ; nIDDlgItem = 3EDh
.data:10002567 push edi ; hDlg
.data:10002568 jmp short loc_100025C4 ; shared SendDlgItemMessageA call
.data:1000256A ; ---------------------------------------------------------------------------
.data:1000256A
.data:1000256A loc_1000256A: ; CODE XREF: OptionFunc+14 j
.data:1000256A ; WM_SETCURSOR: wParam is the window under the cursor; choose its status text
.data:1000256A mov eax, ; presumably [esp+wParam]
.data:1000256E cmp eax, hRang
.data:10002574 jnz short loc_1000257D
.data:10002576 push offset aDejunkRang_Hex ; "DeJunk rang.(hex)"
.data:1000257B jmp short loc_100025B7
.data:1000257D ; ---------------------------------------------------------------------------
.data:1000257D
.data:1000257D loc_1000257D: ; CODE XREF: OptionFunc+27C j
.data:1000257D cmp eax, hJunkType
.data:10002583 jnz short loc_1000258C
.data:10002585 push offset aSelectDejunkTy ; "Select Dejunk Type."
.data:1000258A jmp short loc_100025B7
.data:1000258C ; ---------------------------------------------------------------------------
.data:1000258C
.data:1000258C loc_1000258C: ; CODE XREF: OptionFunc+28B j
.data:1000258C cmp eax, hE
.data:10002592 jnz short loc_1000259B
.data:10002594 push offset aSelectDefaultE ; "Select default editor."
.data:10002599 jmp short loc_100025B7
.data:1000259B ; ---------------------------------------------------------------------------
.data:1000259B
.data:1000259B loc_1000259B: ; CODE XREF: OptionFunc+29A j
.data:1000259B cmp eax, hStart
.data:100025A1 jnz short loc_100025AA
.data:100025A3 push offset aSaveOption ; "Save option"
.data:100025A8 jmp short loc_100025B7
.data:100025AA ; ---------------------------------------------------------------------------
.data:100025AA
.data:100025AA loc_100025AA: ; CODE XREF: OptionFunc+2A9 j
.data:100025AA cmp eax, hClose
.data:100025B0 jnz short loc_100025CC
.data:100025B2 push offset aEndDialog_ ; "End Dialog."
.data:100025B7
.data:100025B7 loc_100025B7: ; CODE XREF: OptionFunc+283 j
.data:100025B7 ; OptionFunc+292 j ...
.data:100025B7 ; SendDlgItemMessage(hDlg, 3ECh, WM_SETTEXT, 0, <string pushed above>)
.data:100025B7 push 0 ; wParam
.data:100025B9 push 0Ch ; Msg = WM_SETTEXT
.data:100025BB push 3ECh ; nIDDlgItem = status text
.data:100025C0 push ; hDlg (operand lost)
.data:100025C4
.data:100025C4 loc_100025C4: ; CODE XREF: OptionFunc+270 j
.data:100025C4 call SendDlgItemMessageA ; also the tail of the WM_INITDIALOG combo setup
.data:100025CA jmp short loc_100025DF
.data:100025CC ; ---------------------------------------------------------------------------
.data:100025CC
.data:100025CC loc_100025CC: ; CODE XREF: OptionFunc+2B8 j
.data:100025CC push offset aReady_; "Ready." -- cursor over anything else
.data:100025D1 jmp short loc_100025B7
.data:100025D3 ; ---------------------------------------------------------------------------
.data:100025D3
.data:100025D3 loc_100025D3: ; CODE XREF: OptionFunc+B j
.data:100025D3 ; WM_CLOSE
.data:100025D3 push 0 ; nResult
.data:100025D5 push ; hDlg (operand lost)
.data:100025D9 call EndDialog
.data:100025DF
.data:100025DF loc_100025DF: ; CODE XREF: OptionFunc+26 j
.data:100025DF ; OptionFunc+43 j ...
.data:100025DF ; common exit: restore callee-saved registers, return 0
.data:100025DF pop edi
.data:100025E0 pop esi
.data:100025E1 pop ebp
.data:100025E2 xor eax, eax
.data:100025E4 pop ebx
.data:100025E5 retn
.data:10002651 ; void __cdecl ODBG_Pluginaction(int origin, int action, void *item)
.data:10002651 ; OllyDbg plugin entry, called when one of the plugin's menu items is chosen:
.data:10002651 ; origin = window the menu came from, action = item index, item = selected
.data:10002651 ; object. Dispatch on action by repeated dec:
.data:10002651 ;   0 -> About box            3 -> Option dialog (OptionFunc)
.data:10002651 ;   1 -> DeJunk dialog        4 -> known1(item) when origin == 1Fh and item != 0
.data:10002651 ;   2 -> undo the last patch  5 -> known3(DeJunkLogPath), presumably opens the log
.data:10002651 ; Both dialogs use template 65h with hOllyWnd as parent. Only ebx is saved;
.data:10002651 ; it doubles as the constant 0. Bracketed memory operands were lost when the
.data:10002651 ; listing was pasted and are marked "presumably".
.data:10002651 _ODBG_Pluginaction proc near ; CODE XREF: _ODBG_Pluginshortcut:loc_100028A4 p
.data:10002651 ; DATA XREF: .data:off_10006F78 o
.data:10002651
.data:10002651 origin = dword ptr4
.data:10002651 action = dword ptr8
.data:10002651 item = dword ptr0Ch
.data:10002651
.data:10002651 mov eax, ; presumably [esp+action]
.data:10002655 push ebx
.data:10002656 xor ebx, ebx ; ebx = 0 for the rest of the function
.data:10002658 sub eax, ebx ; sets ZF for action == 0 without changing eax
.data:1000265A jz loc_1000273F ; 0: About
.data:10002660 dec eax
.data:10002661 jz loc_10002734 ; 1: DeJunk dialog
.data:10002667 dec eax
.data:10002668 jz short loc_100026C0 ; 2: Undo
.data:1000266A dec eax
.data:1000266B jz short loc_100026A4 ; 3: Options
.data:1000266D dec eax
.data:1000266E jz short loc_10002684 ; 4: context-menu action
.data:10002670 dec eax
.data:10002671 jnz loc_10002757 ; anything above 5: ignore
.data:10002677 push offset DeJunkLogPath ; lpParameters -- 5: known3(DeJunkLogPath); known3 is not shown, presumably opens the log externally
.data:1000267C call known3
.data:10002681
.data:10002681 loc_10002681: ; CODE XREF: _ODBG_Pluginaction+51 j
.data:10002681 pop ecx ; drop the single cdecl argument (shared with the known1 path)
.data:10002682 pop ebx
.data:10002683 retn
.data:10002684 ; ---------------------------------------------------------------------------
.data:10002684
.data:10002684 loc_10002684: ; CODE XREF: _ODBG_Pluginaction+1D j
.data:10002684 cmp , 1Fh ; presumably [esp+origin], 1Fh -- 1Fh matches PM_DISASM in the OllyDbg 1.10 plugin API (menu opened from the disassembler pane)
.data:10002689 jnz loc_10002757
.data:1000268F cmp , ebx ; presumably [esp+item], 0
.data:10002693 jz loc_10002757 ; no selected item: nothing to do
.data:10002699 push ; presumably [esp+item]
.data:1000269D call known1 ; known1(item), not shown; FindJunk lists it as a caller, so presumably de-junks at the selected line
.data:100026A2 jmp short loc_10002681
.data:100026A4 ; ---------------------------------------------------------------------------
.data:100026A4
.data:100026A4 loc_100026A4: ; CODE XREF: _ODBG_Pluginaction+1A j
.data:100026A4 push ebx ; dwInitParam = 0
.data:100026A5 push offset OptionFunc ; lpDialogFunc
.data:100026AA
.data:100026AA loc_100026AA: ; CODE XREF: _ODBG_Pluginaction+E9 j
.data:100026AA ; DialogBoxParamA(hInstance, 65h, hOllyWnd, <proc pushed above>, 0), shared by both dialogs
.data:100026AA push hOllyWnd ; hWndParent
.data:100026B0 push 65h ; lpTemplateName = resource id 65h
.data:100026B2 push hInstance ; hInstance -- saved in DllMain
.data:100026B8 call DialogBoxParamA ; modal; returns once the dialog calls EndDialog
.data:100026BE pop ebx
.data:100026BF retn
.data:100026C0 ; ---------------------------------------------------------------------------
.data:100026C0
.data:100026C0 loc_100026C0: ; CODE XREF: _ODBG_Pluginaction+17 j
.data:100026C0 ; Undo: write the saved original bytes back over the last patched range
.data:100026C0 cmp IsMallocSuccess, 1 ; is there an undo buffer?
.data:100026C7 jnz short loc_10002726
.data:100026C9 push 2 ; mode
.data:100026CB push dword ptr JunkRange ; size
.data:100026D1 push JunkStartAddr ; addr
.data:100026D7 push JunkUndoData ; buf
.data:100026DD call _Writememory ; OllyDbg plugin API: Writememory(buf, addr, size, mode)
.data:100026E2 add esp, 10h
.data:100026E5 test eax, eax
.data:100026E7 jnz short loc_100026F7
.data:100026E9 push 30h ; MB_ICONWARNING -- write failed; the undo buffer is kept so the user can retry
.data:100026EB push offset aWarning ; "Warning"
.data:100026F0 push offset aCanTExecuteUnd ; "Can't execute undo operation!"
.data:100026F5 jmp short loc_1000274B
.data:100026F7 ; ---------------------------------------------------------------------------
.data:100026F7
.data:100026F7 loc_100026F7: ; CODE XREF: _ODBG_Pluginaction+96 j
.data:100026F7 push JunkUndoData ; Memory
.data:100026FD mov IsMallocSuccess, bl ; flag cleared (bl = 0) ...
.data:10002703 call _free
.data:10002708 push 8
.data:1000270A mov JunkUndoData, ebx ; ... and the pointer nulled, so a second Undo takes the "NULL" branch instead of a double free
.data:10002710 push dword ptr JunkRange
.data:10002716 push JunkStartAddr
.data:1000271C call _Setdisasm ; OllyDbg plugin API: redraw the disassembler at (addr, size) with mode 8
.data:10002721 add esp, 10h ; 3 Setdisasm args + the _free arg
.data:10002724 pop ebx
.data:10002725 retn
.data:10002726 ; ---------------------------------------------------------------------------
.data:10002726
.data:10002726 loc_10002726: ; CODE XREF: _ODBG_Pluginaction+76 j
.data:10002726 push 40h ; MB_ICONINFORMATION
.data:10002728 push offset Caption; "DeJunk plugin v0.12"
.data:1000272D push offset aUndoDataIsNull ; "Undo data is NULL."
.data:10002732 jmp short loc_1000274B
.data:10002734 ; ---------------------------------------------------------------------------
.data:10002734
.data:10002734 loc_10002734: ; CODE XREF: _ODBG_Pluginaction+10 j
.data:10002734 push ebx ; dwIn/itParam = 0
.data:10002735 push offset DeJunkFunc ; ok -- lpDialogFunc
.data:1000273A jmp loc_100026AA
.data:1000273F ; ---------------------------------------------------------------------------
.data:1000273F
.data:1000273F loc_1000273F: ; CODE XREF: _ODBG_Pluginaction+9 j
.data:1000273F push 40h ; uType = MB_ICONINFORMATION
.data:10002741 push offset Caption; "DeJunk plugin v0.12"
.data:10002746 push offset aDejunkPluginWr ; "DeJunk plugin\nWritten by flyfancy\nT"...
.data:1000274B
.data:1000274B loc_1000274B: ; CODE XREF: _ODBG_Pluginaction+A4 j
.data:1000274B ; _ODBG_Pluginaction+E1 j
.data:1000274B ; MessageBoxA(hOllyWnd, <text>, <caption>, <uType>) with the three values pushed above
.data:1000274B push hOllyWnd ; hWnd
.data:10002751 call MessageBoxA
.data:10002757
.data:10002757 loc_10002757: ; CODE XREF: _ODBG_Pluginaction+20 j
.data:10002757 ; _ODBG_Pluginaction+38 j ...
.data:10002757 pop ebx
.data:10002758 retn
.data:100028B5 FindJunk proc near ; CODE XREF: DeJunkFunc+E7 p
.data:100028B5 ; known1+2C p
; FindJunk(hWnd, StartAddr, Range), cdecl. 0xF20-byte frame addressed from esp (no ebp frame). The page
; extraction dropped the bracketed esp-relative operands, so the local names listed below are the only
; key to which buffer a stripped operand touches; each buffer's size is the gap to the next offset.
; Flow: Range != 0 -> CREATE_ALWAYS DeJunk.Log -> JunkData = malloc(Range) -> Readmemory(debuggee range)
; -> choose SearchType -> write log header -> per PatList_<type> entry: read S/R, Transform, FindMatch on
; the copy -> if anything matched: snapshot for Undo, Writememory the patched copy, Setdisasm -> log tail,
; CloseHandle, free. Two early exits (malloc failure, S/R length mismatch) bypass CloseHandle.
.data:100028B5
.data:100028B5 ptr = dword ptr -0F20h ; cursor into JunkTypeStr (next PatList entry)
.data:100028B5 Slen = dword ptr -0F1Ch ; chars in the S= value (the R= length lives in edi)
.data:100028B5 var_F18 = dword ptr -0F18h ; pos1: comma found by strchr, NULL on the last entry
.data:100028B5 SearchType = byte ptr -0F14h ; 0x104 bytes: DefaultType from cfg or the combo-box item
.data:100028B5 JunkTypeName = byte ptr -0E10h ; 0x104 bytes: "PatList_" + SearchType
.data:100028B5 SectionName = byte ptr -0D0Ch ; 0x200 bytes: PrePatName value + entry name
.data:100028B5 Snewserial = byte ptr -0B0Ch ; 0x104 bytes: S as bytes (0x90 = wildcard)
.data:100028B5 Text = byte ptr -0A08h ; 0x104 bytes: "section read error" message
.data:100028B5 Rnewserial = byte ptr -904h ; 0x104 bytes: R as bytes
.data:100028B5 JunkTypeStr = byte ptr -800h ; 0x200 bytes: PatList_<type> value, comma separated
.data:100028B5 Soriserial = byte ptr -600h ; 0x200 bytes: S= hex text
.data:100028B5 PrePatStr = byte ptr -400h ; 0x200 bytes: PrePatName= value
.data:100028B5 Roriserial = byte ptr -200h ; 0x200 bytes: R= hex text
.data:100028B5 hWnd = dword ptr4
.data:100028B5 StartAddr = dword ptr8
.data:100028B5 Range = dword ptr0Ch
.data:100028B5
.data:100028B5 sub esp, 0F20h ; 3872 bytes of locals (the buffers above)
.data:100028BB push ebx
.data:100028BC push ebp
.data:100028BD push esi
.data:100028BE push edi
.data:100028BF mov edi, ; edi = Range
.data:100028C6 xor esi, esi
.data:100028C8 cmp edi, esi ; Range == 0 -> warning, nothing opened or allocated yet
.data:100028CA jnz short loc_100028DA
.data:100028CC push 30h
.data:100028CE push offset aWarning ; "Warning"
.data:100028D3 push offset aPleaseGiveDeju ; "Please give deJunk rang!"
.data:100028D8 jmp short loc_1000291C
.data:100028DA ; ---------------------------------------------------------------------------
.data:100028DA
.data:100028DA loc_100028DA: ; CODE XREF: FindJunk+15 j
.data:100028DA push esi ; hTemplateFile
.data:100028DB push 80h ; dwFlagsAndAttributes
.data:100028E0 push 2 ; dwCreationDisposition (CREATE_ALWAYS: the previous log is truncated)
.data:100028E2 push esi ; lpSecurityAttributes
.data:100028E3 push 3 ; dwShareMode
.data:100028E5 push 0C0000000h ; dwDesiredAccess (GENERIC_READ|GENERIC_WRITE)
.data:100028EA push offset DeJunkLogPath ; lpFileName
.data:100028EF call CreateFileA ; the handle is never compared against INVALID_HANDLE_VALUE
.data:100028F5 push edi ; Size
.data:100028F6 mov hLogFile, eax
.data:100028FB call _malloc ; JunkData = malloc(Range), Range is user input from the dialog
.data:10002900 cmp eax, esi
.data:10002902 pop ecx
.data:10002903 mov JunkData, eax
.data:10002908 mov dword ptr JunkCodeNum, esi ; JunkCodeNum = 0
.data:1000290E jnz short loc_1000292E
.data:10002910 push 30h ; uType
.data:10002912 push offset aWarning ; "Warning"
.data:10002917 push offset aCanTAllocatesM ; "Can't allocates memory blocks!"
.data:1000291C
.data:1000291C loc_1000291C: ; CODE XREF: FindJunk+23 j
.data:1000291C push ; hWnd
.data:10002923 call MessageBoxA
.data:10002929 jmp loc_10002E41 ; malloc failure: returns with hLogFile still open
.data:1000292E ; ---------------------------------------------------------------------------
.data:1000292E
.data:1000292E loc_1000292E: ; CODE XREF: FindJunk+59 j
.data:1000292E push 2 ; mode (MM_SILENT)
.data:10002930 push edi ; size = Range
.data:10002931 push ; addr = StartAddr
.data:10002938 push eax ; buf = JunkData
.data:10002939 call _Readmemory ; copy the debuggee range into the heap buffer
.data:1000293E add esp, 10h
.data:10002941 mov ebp, offset byte_10006028 ; ebp = global message/log buffer (the C listing's buf)
.data:10002946 test eax, eax
.data:10002948 jnz short loc_10002968
.data:1000294A push 30h ; uType
.data:1000294C push offset aWarning ; "Warning"
.data:10002951 push offset aCanTReadTheMem ; "Can't read the memory space!"
.data:10002956 push ; hWnd
.data:1000295D call MessageBoxA
.data:10002963 jmp loc_10002DED ; read failure: skip patching, still write the log tail and clean up
.data:10002968 ; ---------------------------------------------------------------------------
.data:10002968
.data:10002968 loc_10002968: ; CODE XREF: FindJunk+93 j
.data:10002968 cmp IsDefaultType, 1 ; first run after load: take the type from the cfg instead of the dialog
.data:1000296F mov ebx, GetPrivateProfileStringA
.data:10002975 jnz short loc_1000299C
.data:10002977 push offset JunkdbcfgPath ; lpFileName
.data:1000297C lea eax, ; SearchType
.data:10002980 push 104h ; nSize (sizeof SearchType)
.data:10002985 push eax ; lpReturnedString
.data:10002986 push esi ; lpDefault
.data:10002987 push offset aDefaulttype ; "DefaultType"
.data:1000298C push offset AppName; "OPTION"
.data:10002991 call ebx ; GetPrivateProfileStringA
.data:10002993 and IsDefaultType, 0
.data:1000299A jmp short loc_100029CD
.data:1000299C ; ---------------------------------------------------------------------------
.data:1000299C
.data:1000299C loc_1000299C: ; CODE XREF: FindJunk+C0 j
.data:1000299C push esi ; lParam
.data:1000299D push esi ; wParam
.data:1000299E mov esi, SendDlgItemMessageA
.data:100029A4 mov edi, 3EDh ; nIDDlgItem 0x3ED = 1005 = IDC_CBJUNKTYPE
.data:100029A9 push 147h ; Msg (CB_GETCURSEL)
.data:100029AE push edi ; nIDDlgItem
.data:100029AF push ; hDlg
.data:100029B6 call esi ; SendDlgItemMessageA
.data:100029B8 lea ecx, ; SearchType
.data:100029BC push ecx ; lParam
.data:100029BD push eax ; wParam = selected index (CB_ERR is not filtered)
.data:100029BE push 148h ; Msg (CB_GETLBTEXT: copies the whole item, no length bound on SearchType)
.data:100029C3 push edi ; nIDDlgItem
.data:100029C4 push ; hDlg
.data:100029CB call esi ; SendDlgItemMessageA
.data:100029CD
.data:100029CD loc_100029CD: ; CODE XREF: FindJunk+E5 j
.data:100029CD mov edi, offset aPatlist_ ; "PatList_"
.data:100029D2 or ecx, 0FFFFFFFFh
.data:100029D5 xor eax, eax
.data:100029D7 lea edx, ; JunkTypeName
.data:100029DE repne scasb ; strlen("PatList_") + 1
.data:100029E0 not ecx
.data:100029E2 sub edi, ecx
.data:100029E4 push offset SystemTime ; lpSystemTime
.data:100029E9 mov eax, ecx
.data:100029EB mov esi, edi
.data:100029ED mov edi, edx
.data:100029EF lea edx, ; SearchType
.data:100029F6 shr ecx, 2
.data:100029F9 rep movsd ; strcpy(JunkTypeName, "PatList_")
.data:100029FB mov ecx, eax
.data:100029FD xor eax, eax
.data:100029FF and ecx, 3
.data:10002A02 rep movsb
.data:10002A04 lea edi, ; JunkTypeName
.data:10002A08 or ecx, 0FFFFFFFFh
.data:10002A0B repne scasb ; strlen(SearchType) + 1
.data:10002A0D not ecx
.data:10002A0F sub edi, ecx
.data:10002A11 mov esi, edi
.data:10002A13 mov edi, edx
.data:10002A15 mov edx, ecx
.data:10002A17 or ecx, 0FFFFFFFFh
.data:10002A1A repne scasb
.data:10002A1C mov ecx, edx
.data:10002A1E dec edi
.data:10002A1F shr ecx, 2
.data:10002A22 rep movsd ; strcat(JunkTypeName, SearchType): 8 + up to 0x103 chars into a 0x104-byte buffer
.data:10002A24 mov ecx, edx
.data:10002A26 and ecx, 3
.data:10002A29 rep movsb
.data:10002A2B call GetLocalTime
.data:10002A31 mov ecx, dword ptr JunkRange
.data:10002A37 lea eax, ; SearchType
.data:10002A3B push eax
.data:10002A3C mov eax, JunkStartAddr
.data:10002A41 add ecx, eax
.data:10002A43 push ecx ; JunkStartAddr + JunkRange
.data:10002A44 push eax ; JunkStartAddr
.data:10002A45 movzx eax, SystemTime.wSecond
.data:10002A4C push eax
.data:10002A4D movzx eax, SystemTime.wMinute
.data:10002A54 push eax
.data:10002A55 movzx eax, SystemTime.wHour
.data:10002A5C push eax
.data:10002A5D movzx eax, SystemTime.wDay
.data:10002A64 push eax
.data:10002A65 movzx eax, SystemTime.wMonth
.data:10002A6C push eax
.data:10002A6D movzx eax, SystemTime.wYear
.data:10002A74 push eax
.data:10002A75 push offset aDejunkLastLogL ; "[-= DeJunk Last Log =-]\r\n\r\nLog Time: %0"...
.data:10002A7A push ebp ; LPSTR (global buffer; wsprintfA stops at 1024 bytes)
.data:10002A7B call wsprintfA
.data:10002A81 mov edi, ebp
.data:10002A83 or ecx, 0FFFFFFFFh
.data:10002A86 xor eax, eax
.data:10002A88 add esp, 2Ch
.data:10002A8B repne scasb ; strlen(buffer)
.data:10002A8D not ecx
.data:10002A8F push 0 ; lpOverlapped
.data:10002A91 dec ecx
.data:10002A92 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.data:10002A97 push ecx ; nNumberOfBytesToWrite
.data:10002A98 push ebp ; lpBuffer
.data:10002A99 push hLogFile ; hFile
.data:10002A9F call WriteFile ; log header
.data:10002AA5 mov edi, 200h ; nSize for the two 0x200-byte cfg reads below
.data:10002AAA push offset JunkdbcfgPath ; lpFileName
.data:10002AAF lea eax, ; PrePatStr
.data:10002AB6 push edi ; nSize
.data:10002AB7 push eax ; lpReturnedString
.data:10002AB8 push 0 ; lpDefault
.data:10002ABA mov esi, offset AppName ; "OPTION"
.data:10002ABF push offset aPrepatname ; "PrePatName"
.data:10002AC4 push esi ; lpAppName
.data:10002AC5 call ebx ; GetPrivateProfileStringA
.data:10002AC7 push offset JunkdbcfgPath ; lpFileName
.data:10002ACC lea eax, ; JunkTypeStr
.data:10002AD3 push edi ; nSize
.data:10002AD4 push eax ; lpReturnedString
.data:10002AD5 lea eax, ; JunkTypeName
.data:10002ADC push 0 ; lpDefault
.data:10002ADE push eax ; lpKeyName = "PatList_<type>"
.data:10002ADF push esi ; lpAppName
.data:10002AE0 call ebx ; GetPrivateProfileStringA
.data:10002AE2 cmp , 0 ; JunkTypeStr[0] == 0 -> no entries (this, not the C listing's while(pos1 && *ptr), is the loop entry test)
.data:10002AEA lea eax, ; JunkTypeStr
.data:10002AF1 mov , eax ; ptr = JunkTypeStr
.data:10002AF5 jz loc_10002C7F
.data:10002AFB
.data:10002AFB loc_10002AFB: ; CODE XREF: FindJunk+3C4 j
.data:10002AFB push 2Ch ; Val (',')
.data:10002AFD push ; Str = ptr
.data:10002B01 call _strchr
.data:10002B06 pop ecx
.data:10002B07 mov edx, eax ; edx = pos1
.data:10002B09 pop ecx
.data:10002B0A lea edi, ; PrePatStr
.data:10002B11 or ecx, 0FFFFFFFFh
.data:10002B14 xor eax, eax
.data:10002B16 repne scasb
.data:10002B18 not ecx
.data:10002B1A lea esi, ; SectionName
.data:10002B21 sub edi, ecx
.data:10002B23 mov eax, ecx
.data:10002B25 mov , esi
.data:10002B29 mov esi, edi
.data:10002B2B mov edi,
.data:10002B2F shr ecx, 2
.data:10002B32 rep movsd ; strcpy(SectionName, PrePatStr)
.data:10002B34 mov ecx, eax
.data:10002B36 mov , edx ; pos1 saved
.data:10002B3A and ecx, 3
.data:10002B3D test edx, edx
.data:10002B3F rep movsb
.data:10002B41 jnz short loc_10002B75 ; comma found -> split; otherwise this is the last entry
.data:10002B43 mov edi,
.data:10002B47 or ecx, 0FFFFFFFFh
.data:10002B4A xor eax, eax
.data:10002B4C lea edx, ; SectionName
.data:10002B53 repne scasb
.data:10002B55 not ecx
.data:10002B57 sub edi, ecx
.data:10002B59 mov esi, edi
.data:10002B5B mov edi, edx
.data:10002B5D mov edx, ecx
.data:10002B5F or ecx, 0FFFFFFFFh
.data:10002B62 repne scasb
.data:10002B64 mov ecx, edx
.data:10002B66 dec edi
.data:10002B67 shr ecx, 2
.data:10002B6A rep movsd ; strcat(SectionName, ptr): PrePatStr and the entry are each up to 0x1FF chars, SectionName is 0x200
.data:10002B6C mov ecx, edx
.data:10002B6E and ecx, 3
.data:10002B71 rep movsb
.data:10002B73 jmp short loc_10002BB1
.data:10002B75 ; ---------------------------------------------------------------------------
.data:10002B75
.data:10002B75 loc_10002B75: ; CODE XREF: FindJunk+28C j
.data:10002B75 mov edi,
.data:10002B79 and byte ptr , 0 ; *pos1 = 0
.data:10002B7C or ecx, 0FFFFFFFFh
.data:10002B7F xor eax, eax
.data:10002B81 repne scasb
.data:10002B83 not ecx
.data:10002B85 sub edi, ecx
.data:10002B87 lea edx, ; SectionName
.data:10002B8E mov esi, edi
.data:10002B90 mov edi, edx
.data:10002B92 mov edx, ecx
.data:10002B94 or ecx, 0FFFFFFFFh
.data:10002B97 repne scasb
.data:10002B99 mov ecx, edx
.data:10002B9B dec edi
.data:10002B9C shr ecx, 2
.data:10002B9F rep movsd ; strcat(SectionName, ptr), same unbounded concatenation as above
.data:10002BA1 mov eax,
.data:10002BA5 mov ecx, edx
.data:10002BA7 and ecx, 3
.data:10002BAA inc eax
.data:10002BAB rep movsb
.data:10002BAD mov , eax ; ptr = pos1 + 1
.data:10002BB1
.data:10002BB1 loc_10002BB1: ; CODE XREF: FindJunk+2BE j
.data:10002BB1 mov edi, offset JunkdbcfgPath
.data:10002BB6 mov esi, 200h
.data:10002BBB push edi ; lpFileName
.data:10002BBC lea eax, ; Soriserial
.data:10002BC3 push esi ; nSize
.data:10002BC4 push eax ; lpReturnedString
.data:10002BC5 push 0 ; lpDefault
.data:10002BC7 lea eax, ; SectionName
.data:10002BCE push offset aS ; "S"
.data:10002BD3 push eax ; lpAppName
.data:10002BD4 call ebx ; GetPrivateProfileStringA
.data:10002BD6 mov , eax ; Slen = chars read
.data:10002BDA push edi ; lpFileName
.data:10002BDB lea eax, ; Roriserial
.data:10002BE2 push esi ; nSize
.data:10002BE3 push eax ; lpReturnedString
.data:10002BE4 push 0 ; lpDefault
.data:10002BE6 lea eax, ; SectionName
.data:10002BED push offset aR ; "R"
.data:10002BF2 push eax ; lpAppName
.data:10002BF3 call ebx ; GetPrivateProfileStringA
.data:10002BF5 mov edi, eax ; edi = Rlen
.data:10002BF7 mov eax,
.data:10002BFB cmp eax, edi ; Slen != Rlen -> section read error
.data:10002BFD jnz loc_10002CCE
.data:10002C03 test eax, eax ; Slen == 0 -> section read error (Slen == 1 passes and yields a 0-byte pattern)
.data:10002C05 jz loc_10002CCE
.data:10002C0B cdq
.data:10002C0C sub eax, edx
.data:10002C0E mov esi, eax
.data:10002C10 lea eax, ; Soriserial
.data:10002C17 sar esi, 1 ; esi = Slen / 2 = pattern byte count
.data:10002C19 push esi ; a3
.data:10002C1A push eax ; Source
.data:10002C1B lea eax, ; Snewserial
.data:10002C22 push eax ; Dest
.data:10002C23 call Transform ; hex text -> bytes, "??" -> 0x90 wildcard
.data:10002C28 mov eax, edi
.data:10002C2A cdq
.data:10002C2B sub eax, edx
.data:10002C2D sar eax, 1 ; Rlen / 2
.data:10002C2F push eax ; a3
.data:10002C30 lea eax, ; Roriserial
.data:10002C37 push eax ; Source
.data:10002C38 lea eax, ; Rnewserial
.data:10002C3F push eax ; Dest
.data:10002C40 call Transform
.data:10002C45 push ; Range
.data:10002C4C lea eax, ; Rnewserial
.data:10002C53 push esi ; Slen
.data:10002C54 push eax ; R
.data:10002C55 lea eax, ; Snewserial
.data:10002C5C push eax ; S
.data:10002C5D push JunkData ; data
.data:10002C63 call FindMatch ; patches the heap copy in place, counts in JunkCodeNum
.data:10002C68 add esp, 2Ch
.data:10002C6B cmp , 0 ; pos1 == NULL -> last entry done
.data:10002C70 jz short loc_10002C7F
.data:10002C72 mov eax,
.data:10002C76 cmp byte ptr , 0 ; *ptr == 0 -> trailing comma, done
.data:10002C79 jnz loc_10002AFB
.data:10002C7F
.data:10002C7F loc_10002C7F: ; CODE XREF: FindJunk+240 j
.data:10002C7F ; FindJunk+3BB j
.data:10002C7F cmp dword ptr JunkCodeNum, 0
.data:10002C86 jz loc_10002DC8 ; nothing matched: message only, the copy is discarded
.data:10002C8C mov eax, JunkUndoData
.data:10002C91 test eax, eax
.data:10002C93 jz short loc_10002CA3
.data:10002C95 push eax ; Memory
.data:10002C96 call _free ; drop the previous Undo snapshot
.data:10002C9B and JunkUndoData, 0
.data:10002CA2 pop ecx
.data:10002CA3
.data:10002CA3 loc_10002CA3: ; CODE XREF: FindJunk+3DE j
.data:10002CA3 push ; Size = Range
.data:10002CAA call _malloc
.data:10002CAF mov esi, MessageBoxA
.data:10002CB5 pop ecx
.data:10002CB6 test eax, eax
.data:10002CB8 mov JunkUndoData, eax
.data:10002CBD mov edi, offset aWarning ; "Warning"
.data:10002CC2 jnz short loc_10002D20
.data:10002CC4 push 30h
.data:10002CC6 push edi
.data:10002CC7 push offset aCanTAllocatesU ; "Can't allocates Undo memory blocks!\nU"...
.data:10002CCC jmp short loc_10002D4C ; on failure the Readmemory snapshot and IsMallocSuccess=1 are skipped, Writememory still runs
.data:10002CCE ; ---------------------------------------------------------------------------
.data:10002CCE
.data:10002CCE loc_10002CCE: ; CODE XREF: FindJunk+348 j
.data:10002CCE ; FindJunk+350 j
.data:10002CCE lea eax, ; SectionName
.data:10002CD5 push eax
.data:10002CD6 lea eax, ; Text
.data:10002CDD push offset aJunkdbFileSSec ; "Junkdb file [%s] section read error."
.data:10002CE2 push eax ; LPSTR (0x104 bytes; SectionName alone can be up to 0x1FF chars)
.data:10002CE3 call wsprintfA
.data:10002CE9 add esp, 0Ch
.data:10002CEC lea eax, ; Text
.data:10002CF3 push 40h ; uType
.data:10002CF5 push offset Caption; "DeJunk plugin v0.12"
.data:10002CFA push eax ; lpText
.data:10002CFB push ; hWnd
.data:10002D02 call MessageBoxA
.data:10002D08 push JunkData ; Memory
.data:10002D0E call _free ; frees JunkData (the C listing frees JunkUndoData here instead)
.data:10002D13 and JunkData, 0
.data:10002D1A pop ecx
.data:10002D1B jmp loc_10002E41 ; returns with hLogFile still open
.data:10002D20 ; ---------------------------------------------------------------------------
.data:10002D20
.data:10002D20 loc_10002D20: ; CODE XREF: FindJunk+40D j
.data:10002D20 push 2 ; mode (MM_SILENT)
.data:10002D22 mov IsMallocSuccess, 1 ; only set on the successful-malloc path
.data:10002D29 push ; size = Range
.data:10002D30 push ; addr = StartAddr
.data:10002D37 push eax ; buf = JunkUndoData
.data:10002D38 call _Readmemory ; snapshot the original bytes for Undo
.data:10002D3D add esp, 10h
.data:10002D40 test eax, eax
.data:10002D42 jnz short loc_10002D55
.data:10002D44 push 30h ; uType
.data:10002D46 push edi ; lpCaption
.data:10002D47 push offset aCanTReadTheUnd ; "Can't read the Undo data!"
.data:10002D4C
.data:10002D4C loc_10002D4C: ; CODE XREF: FindJunk+417 j
.data:10002D4C push ; hWnd
.data:10002D53 call esi ; MessageBoxA
.data:10002D55
.data:10002D55 loc_10002D55: ; CODE XREF: FindJunk+48D j
.data:10002D55 push 2 ; mode
.data:10002D57 push ; size
.data:10002D5E push ; addr
.data:10002D65 push JunkData ; buf
.data:10002D6B call _Writememory ; writes the whole patched copy back, matched or not
.data:10002D70 add esp, 10h
.data:10002D73 test eax, eax
.data:10002D75 jnz short loc_10002D8A
.data:10002D77 push 30h ; uType
.data:10002D79 push edi ; lpCaption
.data:10002D7A push offset aCanTWriteTheMe ; "Can't Write the memory space!"
.data:10002D7F push ; hWnd
.data:10002D86 call esi ; MessageBoxA
.data:10002D88 jmp short loc_10002DEB ; write failure: no success message, no Setdisasm
.data:10002D8A ; ---------------------------------------------------------------------------
.data:10002D8A
.data:10002D8A loc_10002D8A: ; CODE XREF: FindJunk+4C0 j
.data:10002D8A push dword ptr JunkCodeNum
.data:10002D90 push offset aDJunkCodeWereR ; "%d junk code were replace."
.data:10002D95 push ebp ; LPSTR
.data:10002D96 call wsprintfA
.data:10002D9C add esp, 0Ch
.data:10002D9F push 40h ; uType
.data:10002DA1 push offset Caption; "DeJunk plugin v0.12"
.data:10002DA6 push ebp ; lpText
.data:10002DA7 push ; hWnd
.data:10002DAE call esi ; MessageBoxA
.data:10002DB0 push 8 ; CPU_ASMFOCUS
.data:10002DB2 push dword ptr JunkRange
.data:10002DB8 push JunkStartAddr
.data:10002DBE call _Setdisasm ; refresh the disassembler on the patched range
.data:10002DC3 add esp, 0Ch
.data:10002DC6 jmp short loc_10002DEB
.data:10002DC8 ; ---------------------------------------------------------------------------
.data:10002DC8
.data:10002DC8 loc_10002DC8: ; CODE XREF: FindJunk+3D1 j
.data:10002DC8 push offset aCannotFindJunk ; "Cannot find Junk code."
.data:10002DCD push ebp ; LPSTR
.data:10002DCE call wsprintfA
.data:10002DD4 pop ecx
.data:10002DD5 pop ecx
.data:10002DD6 push 40h ; uType
.data:10002DD8 push offset Caption; "DeJunk plugin v0.12"
.data:10002DDD push ebp ; lpText
.data:10002DDE push ; hWnd
.data:10002DE5 call MessageBoxA
.data:10002DEB
.data:10002DEB loc_10002DEB: ; CODE XREF: FindJunk+4D3 j
.data:10002DEB ; FindJunk+511 j
.data:10002DEB xor esi, esi
.data:10002DED
.data:10002DED loc_10002DED: ; CODE XREF: FindJunk+AE j
.data:10002DED mov edi, offset NumberOfBytesWritten
.data:10002DF2 push esi ; lpOverlapped
.data:10002DF3 push edi ; lpNumberOfBytesWritten
.data:10002DF4 push 2 ; nNumberOfBytesToWrite
.data:10002DF6 push offset asc_100013EC ; "\r\n"
.data:10002DFB push hLogFile ; hFile
.data:10002E01 call WriteFile
.data:10002E07 push esi ; lpOverlapped
.data:10002E08 push edi ; lpNumberOfBytesWritten
.data:10002E09 mov edi, ebp
.data:10002E0B or ecx, 0FFFFFFFFh
.data:10002E0E xor eax, eax
.data:10002E10 repne scasb ; strlen(buffer): the last message, not a fixed 260 bytes as in the C listing
.data:10002E12 not ecx
.data:10002E14 dec ecx
.data:10002E15 push ecx ; nNumberOfBytesToWrite
.data:10002E16 push ebp ; lpBuffer
.data:10002E17 push hLogFile ; hFile
.data:10002E1D call WriteFile
.data:10002E23 push hLogFile ; hObject
.data:10002E29 call CloseHandle
.data:10002E2F push JunkData ; Memory
.data:10002E35 call _free
.data:10002E3A pop ecx
.data:10002E3B mov JunkData, esi ; JunkData = NULL
.data:10002E41
.data:10002E41 loc_10002E41: ; CODE XREF: FindJunk+74 j
.data:10002E41 ; FindJunk+466 j
.data:10002E41 pop edi ; early-exit target: no CloseHandle(hLogFile) on the way here
.data:10002E42 pop esi
.data:10002E43 pop ebp
.data:10002E44 pop ebx
.data:10002E45 add esp, 0F20h
.data:10002E4B retn
.data:10002E4C FindMatch proc near ; CODE XREF: FindJunk+3AE p
; FindMatch(data, S, R, len, Range), cdecl: scans data[0..Range) for the len-byte pattern S, where a 0x90
; pattern byte matches anything, overwrites each hit in place with R and logs JunkStartAddr+offset to
; hLogFile through the global buffer byte_10006028. Works on the heap copy, not on the debuggee.
.data:10002E4C
.data:10002E4C i = dword ptr -0Ch ; ptr - data, captured before memchr moves ptr (see 10002E95)
.data:10002E4C var_8 = dword ptr -8 ; j: index of the pattern byte being compared
.data:10002E4C ptr = dword ptr -4 ; scan cursor inside data
.data:10002E4C data = dword ptr8
.data:10002E4C S = dword ptr0Ch
.data:10002E4C R = dword ptr10h
.data:10002E4C len = dword ptr14h
.data:10002E4C Range = dword ptr18h
.data:10002E4C
.data:10002E4C push ebp
.data:10002E4D mov ebp, esp
.data:10002E4F sub esp, 0Ch
.data:10002E52 mov eax, ; eax = data
.data:10002E55 push ebx
.data:10002E56 push esi
.data:10002E57 push edi
.data:10002E58 mov , eax ; ptr = data
.data:10002E5B mov ebx, offset byte_10006028 ; ebx = shared log/message buffer
.data:10002E60
.data:10002E60 loc_10002E60: ; CODE XREF: FindMatch+58 j
.data:10002E60 ; FindMatch+DF j ...
.data:10002E60 mov eax, ; eax = ptr
.data:10002E63 mov esi, ; esi = Range
.data:10002E66 sub eax, ; eax = ptr - data
.data:10002E69 mov , eax ; i = ptr - data
.data:10002E6C sub esi, eax ; esi = Range - i: bytes left at the OLD ptr
.data:10002E6E mov eax, ; eax = S
.data:10002E71 mov al, ; al = S[0]
.data:10002E73 cmp al, 90h ; wildcard first byte: skip memchr, compare at ptr as is
.data:10002E75 jz short loc_10002E8A
.data:10002E77 movzx eax, al
.data:10002E7A push esi ; MaxCount
.data:10002E7B push eax ; Val
.data:10002E7C push ; Buf
.data:10002E7F call _memchr ; ptr = memchr(ptr, S[0], Range - i)
.data:10002E84 add esp, 0Ch
.data:10002E87 mov , eax ; ptr advanced; i and esi are NOT recomputed
.data:10002E8A
.data:10002E8A loc_10002E8A: ; CODE XREF: FindMatch+29 j
.data:10002E8A xor eax, eax
.data:10002E8C cmp , eax ; ptr == NULL: no further occurrence, done
.data:10002E8F jz loc_10002F39
.data:10002E95 cmp esi, ; esi (stale Range - i) < len -> done. Because esi predates memchr, a hit found
.data:10002E98 jb loc_10002F39 ; near data+Range passes this check with fewer than len bytes left, and the
.data:10002E9E cmp , eax ; compare loop below (and the memcpy on a match) then run past the end of data
.data:10002EA1 mov , eax ; j = 0
.data:10002EA4 jbe short loc_10002E60 ; len <= 0 is not rejected: the outer loop repeats with ptr unchanged
.data:10002EA6
.data:10002EA6 loc_10002EA6: ; CODE XREF: FindMatch+D9 j
.data:10002EA6 mov ecx, ; ecx = S
.data:10002EA9 mov edi, ; edi = ptr
.data:10002EAC mov cl, ; cl = S[j]
.data:10002EAF cmp cl, ; == ptr[j] ?
.data:10002EB2 jz short loc_10002EB9
.data:10002EB4 cmp cl, 90h ; or S[j] is the wildcard
.data:10002EB7 jnz short loc_10002F30 ; mismatch: slide ptr by one
.data:10002EB9
.data:10002EB9 loc_10002EB9: ; CODE XREF: FindMatch+66 j
.data:10002EB9 mov ecx, ; ecx = len
.data:10002EBC lea edx, ; edx = len - 1
.data:10002EBF cmp eax, edx ; j == len - 1: every pattern byte matched
.data:10002EC1 jnz short loc_10002F1E
.data:10002EC3 mov esi, ; esi = R
.data:10002EC6 mov eax, ecx
.data:10002EC8 shr ecx, 2
.data:10002ECB rep movsd ; memcpy(ptr, R, len): patch the heap copy in place
.data:10002ECD mov ecx, eax
.data:10002ECF and ecx, 3
.data:10002ED2 rep movsb
.data:10002ED4 mov eax, JunkStartAddr
.data:10002ED9 mov ecx, ; ecx = i, the pre-memchr offset
.data:10002EDC add eax, ecx ; logged address = JunkStartAddr + i: where this scan round resumed, not where the hit is
.data:10002EDE push eax
.data:10002EDF push offset a0x08lx; "\t0x%08lX\r\n"
.data:10002EE4 push ebx ; LPSTR
.data:10002EE5 call wsprintfA
.data:10002EEB mov edi, ebx
.data:10002EED or ecx, 0FFFFFFFFh
.data:10002EF0 xor eax, eax
.data:10002EF2 add esp, 0Ch
.data:10002EF5 repne scasb ; strlen(buffer)
.data:10002EF7 not ecx
.data:10002EF9 push 0 ; lpOverlapped
.data:10002EFB dec ecx
.data:10002EFC push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.data:10002F01 push ecx ; nNumberOfBytesToWrite
.data:10002F02 push ebx ; lpBuffer
.data:10002F03 push hLogFile ; hFile
.data:10002F09 call WriteFile
.data:10002F0F mov eax, ; eax = len
.data:10002F12 add , eax ; ptr += len
.data:10002F15 inc dword ptr JunkCodeNum
.data:10002F1B mov eax, ; eax = j
.data:10002F1E
.data:10002F1E loc_10002F1E: ; CODE XREF: FindMatch+75 j
.data:10002F1E inc eax ; j++
.data:10002F1F cmp eax,
.data:10002F22 mov , eax
.data:10002F25 jb loc_10002EA6 ; j < len: compare the next pattern byte
.data:10002F2B jmp loc_10002E60
.data:10002F30 ; ---------------------------------------------------------------------------
.data:10002F30
.data:10002F30 loc_10002F30: ; CODE XREF: FindMatch+6B j
.data:10002F30 inc edi ; mismatch: ptr++ (edi still holds ptr)
.data:10002F31 mov , edi
.data:10002F34 jmp loc_10002E60
.data:10002F39 ; ---------------------------------------------------------------------------
.data:10002F39
.data:10002F39 loc_10002F39: ; CODE XREF: FindMatch+43 j
.data:10002F39 ; FindMatch+4C j
.data:10002F39 pop edi
.data:10002F3A pop esi
.data:10002F3B pop ebx
.data:10002F3C leave
.data:10002F3D retn
#include <windows.h>
#include <commctrl.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include "Plugin.h"
#define IDC_BTClOSE 8//Close button (identifier keeps its lowercase 'l'; every caller uses this spelling)
#define IDD_MAINDLG 101//main dialog, shared by the DeJunk and Option dialogs
#define IDC_BTSTART 1000//Start button (relabelled "&Save" in the Option dialog)
#define IDC_ETSTARTADDR 1001//Start Addr edit box (8 hex digits)
#define IDC_ETRANG 1002//Rang edit box (5 hex digits)
#define IDC_CBDIRECTION 1003 //Direction combo box: 0 = Down, 1 = Up
#define IDC_SBSTATU 1004//status bar showing the hint for the hovered control
#define IDC_CBJUNKTYPE 1005//Junk Type combo box, filled from the JunkType key of Junkdb.cfg
#define IDC_BTE 1006//E button: edit Junkdb.cfg (DeJunk dialog) / choose the editor (Option dialog)
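HINSTANCE hInstance;
/* Plugin-directory paths built in DllMain: "<dll dir>\Junkdb.cfg" and "<dll dir>\DeJunk.Log".
 * Sized MAX_PATH (0x104, the nSize the binary passes to GetModuleFileNameA). String2 is a 260-byte
 * scratch buffer: every GetPrivateProfileString/GetOpenFileName call on it passes 260. */
char JunkdbcfgPath[MAX_PATH],DeJunkLogPath[MAX_PATH],String2[260];
HWND hOllyWnd;//OllyDbg main window handle
char classname[32];//plugin window class name, filled in by Registerpluginclass
HWND hStartAddr,hRang,hDirection,hJunkType,hStart,hClose,hE;//control handles, one per resource ID
char String1[260];//scratch for edit-box text; reads into it pass 9 or 6 (size not recoverable from the listing -- TODO confirm)
ulong JunkStartAddr,JunkRange;//range of the last DeJunk run; also what Undo writes back
ulong JunkCodeNum;//hits of the last run
bool IsDefaultType;//true until the first run: take the type from the cfg instead of the dialog
bool IsMallocSuccess;//true only while JunkUndoData holds a complete undo snapshot
void* JunkUndoData=NULL,*JunkData=NULL;//original bytes for Undo / working copy of the scanned range
HANDLE hLogFile;//DeJunk.Log, open only for the duration of FindJunk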
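/* Records the module handle and derives the Junkdb.cfg / DeJunk.Log paths next to the DLL.
 * Returns FALSE (the DLL is not loaded) when the module path is unusable: empty, truncated by
 * GetModuleFileName, without a directory separator, or too long to take the file name. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
    if(fdwReason == DLL_PROCESS_ATTACH)
    {
        DWORD n;
        char* sep;
        size_t dirlen;
        hInstance=hinstDLL;
        n=GetModuleFileName(hinstDLL,JunkdbcfgPath,MAX_PATH);
        if(n == 0 || n >= MAX_PATH)   /* n >= MAX_PATH means the path was cut off */
            return FALSE;
        sep=strrchr(JunkdbcfgPath,'\\');
        if(!sep)                       /* the listing writes through this pointer unchecked */
            return FALSE;
        /* keep the separator so that the file name appends to "<dir>\" */
        dirlen=(size_t)(sep+1-JunkdbcfgPath);
        if(dirlen+sizeof("Junkdb.cfg") > MAX_PATH || dirlen+sizeof("DeJunk.Log") > MAX_PATH)
            return FALSE;
        sep[1]='\0';
        strcpy(DeJunkLogPath,JunkdbcfgPath);
        strcat(JunkdbcfgPath,"Junkdb.cfg");
        strcat(DeJunkLogPath,"DeJunk.Log");
    }
    return TRUE;
}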
/* Window procedure of the class registered in ODBG_Plugininit. Three messages are answered with 0
 * and nothing else is done for them; everything else goes to DefWindowProc.
 * NOTE(review): WM_PAINT is returned without BeginPaint/ValidateRect; fine only as long as no window
 * of this class is ever shown. */
LRESULT WINAPI MainProc(HWND hWnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    const int swallowed=(uMsg == WM_DESTROY) || (uMsg == WM_SETFOCUS) || (uMsg == WM_PAINT);
    if(!swallowed)
        return DefWindowProc(hWnd,uMsg,wParam,lParam);
    return 0;
}
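/* Returns TRUE when the text of dialog control nID is a hexadecimal string of at most 8 characters
 * (the amount the 9-byte read below can hold). An empty control is accepted, as before; the caller
 * turns it into 0 and FindJunk rejects a zero range. Longer text used to be truncated by the read
 * while the loop still walked `len` characters of String1. */
BOOL IsInputValid(HWND hDlg,int nID)
{
    int len=SendDlgItemMessage(hDlg,nID,WM_GETTEXTLENGTH,0,0);
    int copied,i;
    if(len < 0 || len > 8)
        return FALSE;
    copied=GetDlgItemText(hDlg,nID,String1,9);
    if(copied != len)   /* text changed between the two messages, or the read failed */
        return FALSE;
    for(i=0;i<copied;i++)
    {
        if(!isxdigit((unsigned char)String1[i]))
            return FALSE;
    }
    return TRUE;
}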
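/* Parses a hexadecimal string (either case, no 0x prefix, most significant digit first) into a number.
 * Stops at the first non-hex character; NULL or "" yields 0; more than 8 digits wrap in the 32-bit ulong.
 * Replaces the listing's digit weighting `4*i-1`, which shifts the first digit by -1 (undefined) and
 * gives the remaining digits the wrong weights. Callers feed it IsInputValid-checked edit-box text and
 * the two-character pairs produced by Transform. */
ulong GetNumberFromString(char* str)
{
    ulong addr=0;
    const unsigned char* p=(const unsigned char*)str;
    if(!p)
        return 0;
    for(;*p;p++)
    {
        unsigned digit;
        if(*p >= '0' && *p <= '9')
            digit=*p-'0';
        else if(*p >= 'A' && *p <= 'F')
            digit=*p-'A'+10;
        else if(*p >= 'a' && *p <= 'f')
            digit=*p-'a'+10;
        else
            break;
        addr=(addr<<4)|digit;
    }
    return addr;
}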
/*---------Junkdb.cfg-----------
; default value
DefaultRang=01000
DefaultType=Custom
EnableLog=1
;set JunkType combo list
JunkType=Common,TELock,UltraProtect,Custom
*/
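/* Fills the Junk Type combo box from the comma-separated "JunkType" key of Junkdb.cfg, then applies
 * DefaultRang (falling back to 01000) and DefaultType (falling back to the first entry).
 * Each piece is shorter than the 260-byte key buffer, so the copy into `content` cannot overrun. */
void InitComboBox(HWND hWnd)
{
    char JunkTypeStr[260],content[260];
    char* ptr=JunkTypeStr;
    memset(JunkTypeStr,0,sizeof(JunkTypeStr));
    GetPrivateProfileString("OPTION","JunkType",NULL,JunkTypeStr,sizeof(JunkTypeStr),JunkdbcfgPath);
    while(*ptr != '\0')
    {// split "string1,string2,string3,..."
        char* pos1=strchr(ptr,',');
        if(pos1)
            *pos1='\0';
        strcpy(content,ptr);
        SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_ADDSTRING,0,(LPARAM)content);
        if(!pos1)
            break;
        ptr=pos1+1;   /* a trailing comma leaves *ptr == 0 and ends the loop cleanly */
    }
    SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_SETCURSEL,0,0);
    if(!GetPrivateProfileString("OPTION","DefaultRang",NULL,String1,6,JunkdbcfgPath))
        wsprintf(String1,"%05lX",4096L);//default search block size
    SetDlgItemText(hWnd,IDC_ETRANG,String1);
    /* CB_SELECTSTRING leaves the selection at entry 0 when the configured type is not in the list */
    if(GetPrivateProfileString("OPTION","DefaultType",NULL,String2,260,JunkdbcfgPath))
        SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_SELECTSTRING,0,(LPARAM)String2);
}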
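/* Converts `len` two-character hex pairs from Source into bytes in Dest. Dest must hold 260 bytes
 * (FindJunk's Snewserial/Rnewserial) and is zero-filled first; `len` is capped at that capacity.
 * A pair whose first character is '?' becomes 0x90, the wildcard FindMatch treats as "any byte".
 * Caveat: a literal "90" in a pattern is therefore indistinguishable from "??" and matches anything.
 * Conversion stops early if Source ends before `len` pairs were read (odd-length or short values). */
void Transform(uchar* Dest,const char* Source,int len)
{
    char d[3];
    memset(Dest,0,260);
    if(!Source || len <= 0)
        return;
    if(len > 260)
        len=260;
    while(len-- > 0 && Source[0] != '\0')
    {
        d[0]=Source[0];
        d[1]=Source[1];   /* may be the terminating NUL; GetNumberFromString stops there */
        d[2]='\0';
        if(d[0] == '?')
            *Dest=0x90;
        else
            *Dest=(uchar)GetNumberFromString(d);
        Dest++;
        if(Source[1] == '\0')
            break;
        Source+=2;
    }
}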
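/* Scans data[0..Range) for the len-byte pattern S (a 0x90 pattern byte matches any byte), overwrites
 * every hit in place with R and appends "\t0x<addr>\r\n" to hLogFile, counting hits in JunkCodeNum.
 * `data` is the heap copy made by FindJunk, not debuggee memory.
 * Fixes against the listing: the remaining-byte check is now made after memchr has moved ptr (the
 * stale check let the compare loop and the memcpy run past data+Range), a full match is detected with
 * a flag instead of `j == len-1` (true only after a mismatch on the last byte), the logged address is
 * the hit offset rather than the offset the scan round started at, and len <= 0 no longer spins. */
void FindMatch(uchar* data,BYTE* S,BYTE* R,int len,int Range)
{
    char buf[64];   /* "\t0x%08lX\r\n" is 14 bytes */
    DWORD writenum;
    uchar* ptr=data;
    int i,j,matched;
    if(!data || !S || !R || len <= 0 || Range <= 0)
        return;
    while(ptr < data+Range)
    {
        i=(int)(ptr-data);
        if(S[0] != 0x90)
        {// jump to the next candidate first byte
            ptr=(uchar*)memchr(ptr,S[0],(size_t)(Range-i));
            if(!ptr)
                break;
            i=(int)(ptr-data);   /* refresh: the bound below must use the post-memchr offset */
        }
        if(Range-i < len)
            break;
        matched=1;
        for(j=0;j<len;j++)
        {
            if(S[j] != ptr[j] && S[j] != 0x90)
            {
                matched=0;
                break;
            }
        }
        if(!matched)
        {
            ptr++;
            continue;
        }
        memcpy(ptr,R,len);   /* replace the junk with the harmless sequence from the R= key */
        wsprintf(buf,"\t0x%08lX\r\n",JunkStartAddr+i);
        WriteFile(hLogFile,buf,strlen(buf),&writenum,NULL);
        ptr += len;
        JunkCodeNum++;
    }
}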
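/* Appends a NUL-terminated string to DeJunk.Log; silently skips when the log could not be opened. */
static void WriteLog(const char* text)
{
    DWORD writenum;
    if(hLogFile != INVALID_HANDLE_VALUE && hLogFile != NULL && text)
        WriteFile(hLogFile,text,(DWORD)strlen(text),&writenum,NULL);
}

/* Reads [StartAddr, StartAddr+Range) from the debuggee, replaces every pattern of the selected
 * PatList_<type> in the copy, snapshots the original bytes for Undo, writes the patched copy back,
 * refreshes the disassembler and logs the hit addresses to DeJunk.Log.
 * Buffer sizes follow the frame of the shipped binary (512 for cfg strings, 260 for byte patterns and
 * SearchType) except JunkTypeName, SectionName and buf, which are larger so that "PatList_"+type,
 * PrePatName+entry and the wsprintf output (at most 1024 characters) can no longer overrun the stack
 * when Junkdb.cfg holds long values. Every exit path now closes the log handle and frees JunkData. */
void FindJunk(HWND hWnd,ulong StartAddr,ulong Range)
{
    static char buf[2048];
    static SYSTEMTIME SystemTime;
    char PrePatStr[512],JunkTypeStr[512];
    char SearchType[260],JunkTypeName[512],SectionName[1024];
    int Slen,Rlen;
    char Soriserial[512],Roriserial[512];
    uchar Snewserial[260],Rnewserial[260];
    char* ptr;
    char* pos1;
    int failed=0;
    buf[0]='\0';
    if(Range == 0)
    {
        MessageBox(hWnd,"Please give deJunk rang!","Warning",MB_OK|MB_ICONEXCLAMATION);
        return;
    }
    hLogFile=CreateFile(DeJunkLogPath,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    JunkData=malloc(Range);
    JunkCodeNum=0;
    if(!JunkData)
    {
        MessageBox(hWnd,"Can't allocates memory blocks!","Warning",MB_OK|MB_ICONEXCLAMATION);
        goto RET;   /* the listing returns here and leaks hLogFile */
    }
    if(!Readmemory(JunkData,StartAddr,Range,MM_SILENT))//copy the target bytes
    {
        MessageBox(hWnd,"Can't read the memory space!","Warning",MB_OK|MB_ICONEXCLAMATION);
        goto RET;
    }
    if(IsDefaultType)
    {// first run after load: the dialog's combo box has not been consulted yet
        GetPrivateProfileString("OPTION","DefaultType",NULL,SearchType,sizeof(SearchType),JunkdbcfgPath);
        IsDefaultType=false;
    }
    else
    {
        int index=SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETCURSEL,0,0);
        SearchType[0]='\0';
        /* CB_GETLBTEXT has no length argument: check the item length before copying */
        if(index != CB_ERR &&
           SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETLBTEXTLEN,index,0) < (LRESULT)sizeof(SearchType))
            SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETLBTEXT,index,(LPARAM)SearchType);
    }
    strcpy(JunkTypeName,"PatList_");
    strcat(JunkTypeName,SearchType);   /* 8 + at most 259 characters, fits 512 */
    GetLocalTime(&SystemTime);
    wsprintf(buf,"[-= DeJunk Last Log =-]\r\n\r\nLog Time: %04d-%02d-%02d%02d:%02d:%02d\r\n\r\nSearch Address:\r\n"
        "\t0x%08lX ~ 0x%08lX\r\n\r\nSearch Type:\r\n\t%s\r\n\r\nFind junk code in:\r\n",SystemTime.wYear,SystemTime.wMonth,
        SystemTime.wDay,SystemTime.wHour,SystemTime.wMinute,SystemTime.wSecond,JunkStartAddr,
        JunkStartAddr+JunkRange,SearchType);
    WriteLog(buf);
    GetPrivateProfileString("OPTION","PrePatName",NULL,PrePatStr,sizeof(PrePatStr),JunkdbcfgPath);
    GetPrivateProfileString("OPTION",JunkTypeName,NULL,JunkTypeStr,sizeof(JunkTypeStr),JunkdbcfgPath);
    /* PatList_<type> is a comma-separated list of section names, e.g.
     *   PatList_Custom=_jmp02,_jnz01,_jmp01
     * each prefixed with PrePatName to form the section that holds its S= and R= keys. */
    ptr=JunkTypeStr;
    while(*ptr)
    {
        pos1=strchr(ptr,',');
        if(pos1)
            *pos1='\0';
        /* PrePatStr and the entry are each below 512 characters, so the pair always fits 1024 */
        strcpy(SectionName,PrePatStr);
        strcat(SectionName,ptr);
        Slen=GetPrivateProfileString(SectionName,"S",NULL,Soriserial,sizeof(Soriserial),JunkdbcfgPath);//junk pattern, hex text
        Rlen=GetPrivateProfileString(SectionName,"R",NULL,Roriserial,sizeof(Roriserial),JunkdbcfgPath);//replacement, same length
        /* e.g.  S = 7501??  /  R = 909090 : the byte after jnz +1 is a wildcard */
        if(Slen != Rlen || !Slen)
        {// S and R must have the same length or the in-place replacement would change the code size
            wsprintf(buf,"Junkdb file [%s] section read error.",SectionName);
            MessageBox(hWnd,buf,"DeJunk plugin v0.12",MB_OK|MB_ICONASTERISK);
            failed=1;
            break;
        }
        Transform(Snewserial,Soriserial,Slen/2);//hex text -> bytes
        Transform(Rnewserial,Roriserial,Rlen/2);
        FindMatch((uchar*)JunkData,Snewserial,Rnewserial,Slen/2,Range);//patch the copy
        if(!pos1)
            break;
        ptr=pos1+1;
    }
    if(failed)
        goto RET;   /* nothing is written back; the patched copy is discarded below */
    if(JunkCodeNum == 0)
    {
        wsprintf(buf,"Cannot find Junk code.");
        MessageBox(hWnd,buf,"DeJunk plugin v0.12",MB_OK|MB_ICONASTERISK);
    }
    else
    {// keep the original bytes so that Undo can restore them
        free(JunkUndoData);
        JunkUndoData=NULL;
        IsMallocSuccess=false;
        JunkUndoData=malloc(Range);
        if(!JunkUndoData)
            MessageBox(hWnd,"Can't allocates Undo memory blocks!\nUndo function invalid.",
                "Warning",MB_OK|MB_ICONEXCLAMATION);
        else if(!Readmemory(JunkUndoData,StartAddr,Range,MM_SILENT))
        {// an incomplete snapshot must not be offered to Undo
            MessageBox(hWnd,"Can't read the Undo data!","Warning",MB_OK|MB_ICONEXCLAMATION);
            free(JunkUndoData);
            JunkUndoData=NULL;
        }
        else
            IsMallocSuccess=true;
        if(!Writememory(JunkData,StartAddr,Range,MM_SILENT))//overwrite the target with the patched copy
            MessageBox(hWnd,"Can't Write the memory space!","Warning",MB_OK|MB_ICONEXCLAMATION);
        else
        {
            wsprintf(buf,"%d junk code were replace.",JunkCodeNum);
            MessageBox(hWnd,buf,"DeJunk plugin v0.12",MB_OK|MB_ICONASTERISK);
            Setdisasm(JunkStartAddr,JunkRange,CPU_ASMFOCUS);//show the result in the disassembler
        }
    }
RET:
    WriteLog("\r\n");
    WriteLog(buf);
    if(hLogFile != INVALID_HANDLE_VALUE && hLogFile != NULL)
        CloseHandle(hLogFile);
    hLogFile=INVALID_HANDLE_VALUE;
    free(JunkData);
    JunkData=NULL;
}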
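/* Dialog procedure of the DeJunk dialog (IDD_MAINDLG): start address defaults to the current EIP,
 * range/type come from Junkdb.cfg, Start validates the input and runs FindJunk, E opens the cfg.
 * Fixes against the listing: the range was read with a 0-byte buffer (copying nothing and re-parsing
 * the start address), Findthread's result was dereferenced unchecked, and "Up" could wrap below 0. */
int WINAPI DeJunkFunc(HWND hWnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    switch (uMsg)
    {
    case WM_CLOSE:
        EndDialog(hWnd,0);
        break;
    case WM_SETCURSOR:
        {// status-bar hint for the control under the cursor
            const char* str;
            if( (HWND)wParam == hStartAddr)
                str="DeJunk start address.(hex)";
            else if((HWND)wParam == hRang)
                str="DeJunk rang.(hex)";
            else if((HWND)wParam == hDirection)
                str="Select Direction.";
            else if((HWND)wParam == hJunkType)
                str="Select Dejunk Type.";
            else if((HWND)wParam == hStart)
                str="Start DeJunk.";
            else if((HWND)wParam == hE)
                str="Edit Dejunk profile.";
            else if((HWND)wParam == hClose)
                str="End Dialog.";
            else
                str="Ready.";
            SendDlgItemMessage(hWnd,IDC_SBSTATU,WM_SETTEXT,0,(LPARAM)str);
        }
        break;
    case WM_INITDIALOG:
        {
            ulong curthreadid;
            ulong ip=0;
            SetWindowText(hWnd,"DeJunk plugin v0.12");
            hStartAddr=GetDlgItem(hWnd,IDC_ETSTARTADDR);
            hRang=GetDlgItem(hWnd,IDC_ETRANG);
            hDirection=GetDlgItem(hWnd,IDC_CBDIRECTION);
            hJunkType=GetDlgItem(hWnd,IDC_CBJUNKTYPE);
            hStart=GetDlgItem(hWnd,IDC_BTSTART);
            hClose=GetDlgItem(hWnd,IDC_BTClOSE);
            hE=GetDlgItem(hWnd,IDC_BTE);
            PostMessage(hStartAddr,EM_SETLIMITTEXT,8,0);
            PostMessage(hRang,EM_SETLIMITTEXT,5,0);
            curthreadid=Getcputhreadid();
            if(curthreadid && Findthread(curthreadid))   /* Findthread may return NULL for a stale id */
                ip=Findthread(curthreadid)->reg.ip;      //EIP of the thread shown in the CPU window
            wsprintf(String1,"%08lX",ip);
            SetDlgItemText(hWnd,IDC_ETSTARTADDR,String1);//start address defaults to the current EIP
            SendDlgItemMessage(hWnd,IDC_CBDIRECTION,CB_ADDSTRING,0,(LPARAM)"Down");
            SendDlgItemMessage(hWnd,IDC_CBDIRECTION,CB_ADDSTRING,0,(LPARAM)"Up");
            SendDlgItemMessage(hWnd,IDC_CBDIRECTION,CB_SETCURSEL,0,0);
            SendDlgItemMessage(hWnd,IDC_SBSTATU,WM_SETTEXT,0,(LPARAM)"Ready.");
            InitComboBox(hWnd);
        }
        break;
    case WM_COMMAND:
        switch(wParam)   /* button clicks arrive with BN_CLICKED (0) in the high word, so wParam == ID */
        {
        case IDC_BTClOSE:
            SendMessage(hWnd,WM_CLOSE,0,0);
            break;
        case IDC_BTSTART:
            if(!IsInputValid(hWnd,IDC_ETSTARTADDR) || !IsInputValid(hWnd,IDC_ETRANG))
            {
                MessageBox(hWnd,"Please input HEXadecimal.","DeJunk plugin v0.12",MB_OK|MB_ICONEXCLAMATION);
                return 0;
            }
            GetDlgItemText(hWnd,IDC_ETSTARTADDR,String1,9);   /* 8 hex digits + NUL */
            JunkStartAddr=GetNumberFromString(String1);
            GetDlgItemText(hWnd,IDC_ETRANG,String1,6);        /* 5 hex digits + NUL; the listing passed 0 */
            JunkRange=GetNumberFromString(String1);
            if(SendDlgItemMessage(hWnd,IDC_CBDIRECTION,CB_GETCURSEL,0,0) == 1)
            {//"Up": scan the range ending at the start address
                if(JunkRange > JunkStartAddr)
                {
                    MessageBox(hWnd,"DeJunk rang exceeds start address.","Warning",MB_OK|MB_ICONEXCLAMATION);
                    return 0;
                }
                JunkStartAddr -= JunkRange;
            }
            FindJunk(hWnd,JunkStartAddr,JunkRange);
            if(JunkCodeNum)
                SendMessage(hWnd,WM_CLOSE,0,0);
            break;
        case IDC_BTE://open Junkdb.cfg for editing
            String2[0]='\0';
            GetPrivateProfileString("OPTION","Editor",NULL,String2,260,JunkdbcfgPath);
            /* The editor path is taken from Junkdb.cfg next to the plugin: whoever can write that
             * file chooses what is executed here. With no editor configured, hand the cfg to the shell
             * instead of calling ShellExecute with an empty program name. */
            if(String2[0])
                ShellExecute(NULL,"Open",String2,JunkdbcfgPath,NULL,SW_SHOWDEFAULT);
            else
                ShellExecute(NULL,"Open",JunkdbcfgPath,NULL,NULL,SW_SHOWDEFAULT);
            break;
        default:
            break;
        }
        break;
    default:
        break;
    }
    return 0;
};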
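/* Dialog procedure of the Option dialog (IDD_MAINDLG with address/direction disabled): lets the user
 * pick the editor executable, the default junk type and the default range, and saves them to Junkdb.cfg.
 * Fixes against the listing: IsAccepted was an uninitialised automatic read on a later message (it is
 * now static and reset per dialog), the OPENFILENAME filter lacked its pattern and double-NUL
 * terminator, hwndOwner was never set, and CB_GETLBTEXT ran without checking the selection/length. */
int WINAPI OptionFunc(HWND hWnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    static BOOL IsAccepted=FALSE;   /* TRUE once GetOpenFileName has put an editor path into String2 */
    switch(uMsg)
    {
    case WM_CLOSE:
        EndDialog(hWnd,0);
        return 0;
    case WM_SETCURSOR:
        {// status-bar hint for the control under the cursor
            const char* str;
            if((HWND)wParam == hRang)
                str="DeJunk rang.(hex)";
            else if((HWND)wParam == hJunkType)
                str="Select Dejunk Type.";
            else if((HWND)wParam == hE)
                str="Select default editor.";
            else if((HWND)wParam == hStart)
                str="Save option";
            else if((HWND)wParam == hClose)
                str="End Dialog.";
            else
                str="Ready.";
            SendDlgItemMessage(hWnd,IDC_SBSTATU,WM_SETTEXT,0,(LPARAM)str);
        }
        break;
    case WM_INITDIALOG:
        IsAccepted=FALSE;
        hRang=GetDlgItem(hWnd,IDC_ETRANG);
        hJunkType=GetDlgItem(hWnd,IDC_CBJUNKTYPE);
        hStart=GetDlgItem(hWnd,IDC_BTSTART);
        hClose=GetDlgItem(hWnd,IDC_BTClOSE);
        hE=GetDlgItem(hWnd,IDC_BTE);
        EnableWindow(GetDlgItem(hWnd,IDC_ETSTARTADDR),FALSE);
        EnableWindow(GetDlgItem(hWnd,IDC_CBDIRECTION),FALSE);
        SetWindowText(GetDlgItem(hWnd,IDC_BTSTART),"&Save");
        SetWindowText(hWnd,"Option");
        /* InitComboBox fills the type list and applies DefaultRang/DefaultType; the listing repeated
         * those two reads here with identical effect. */
        InitComboBox(hWnd);
        break;
    case WM_COMMAND:
        if(wParam == IDC_BTClOSE)
            SendMessage(hWnd,WM_CLOSE,0,0);
        else if(wParam == IDC_BTSTART)
        {//"&Save": persist editor, default type and default range
            int index;
            if(IsAccepted)
                WritePrivateProfileString("OPTION","Editor",String2,JunkdbcfgPath);
            index=SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETCURSEL,0,0);
            if(index != CB_ERR && SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETLBTEXTLEN,index,0) < 260)
            {
                SendDlgItemMessage(hWnd,IDC_CBJUNKTYPE,CB_GETLBTEXT,index,(LPARAM)String2);
                WritePrivateProfileString("OPTION","DefaultType",String2,JunkdbcfgPath);
            }
            if(IsInputValid(hWnd,IDC_ETRANG))
            {
                GetDlgItemText(hWnd,IDC_ETRANG,String1,6);
                WritePrivateProfileString("OPTION","DefaultRang",String1,JunkdbcfgPath);
            }
            SendMessage(hWnd,WM_CLOSE,0,0);
        }
        else if(wParam == IDC_BTE)
        {// choose the program used to edit Junkdb.cfg
            static OPENFILENAME filestruct;
            memset(&filestruct,0,sizeof(filestruct));
            memset(String2,0,260);
            filestruct.lStructSize=sizeof(OPENFILENAME);
            filestruct.hwndOwner=hWnd;
            filestruct.hInstance=hInstance;
            filestruct.lpstrFilter="Exe File\0*.exe\0";   /* description/pattern pairs, double-NUL terminated */
            filestruct.lpstrFile=String2;
            filestruct.nMaxFile=260;
            filestruct.Flags=OFN_LONGNAMES|OFN_EXPLORER|OFN_FILEMUSTEXIST|OFN_PATHMUSTEXIST|OFN_HIDEREADONLY;
            IsAccepted=GetOpenFileName(&filestruct);
        }
        break;
    default:
        break;
    }
    return 0;
}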
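extc int _export cdecl ODBG_Plugininit(int ollydbgversion,HWND hw,ulong *features)
{
    /* Called once by OllyDbg after the plugin DLL is loaded.
     * ollydbgversion - plugin interface version of the running OllyDbg;
     * hw             - OllyDbg main window, kept in hOllyWnd for the
     *                  dialogs and message boxes;
     * features       - reserved by the SDK, unused here.
     * Returns 0 on success, -1 to make OllyDbg unload the plugin. */
    (void)features;
    /* Refuse an OllyDbg older than the interface version this plugin
     * reports from ODBG_Plugindata (108); the SDK calls used below are
     * otherwise not guaranteed to exist. */
    if(ollydbgversion < 108)
        return -1;
    hOllyWnd=hw;
    /* Register the plugin's own window class; MainProc is its procedure. */
    if(Registerpluginclass(classname,NULL,hInstance,MainProc) < 0)
        return -1;
    /* The banner is constant, so it is passed directly instead of being
     * assembled with strcpy/strcat into an under-declared local buffer. */
    Addtolist(0,0,"DeJunk plugin v0.12 by flyfancy");
    return 0;
}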
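extc int _export cdecl ODBG_Plugindata(char *shortname)
{
    /* Identifies the plugin to OllyDbg.  shortname is the caller-provided
     * buffer that receives the short (menu) name; "DeJunk" occupies 7 bytes
     * including the terminator.  Returns the plugin interface version.
     * (The parameter was a by-value char in the listing, which cannot be
     * the target of strcpy; the SDK passes a character buffer.) */
    strcpy(shortname,"DeJunk");
    return 108;
}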
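extc void _export cdecl ODBG_Plugindestroy(void)
{
    /* Called when OllyDbg unloads the plugin: release the undo buffer kept
     * for the Undo command and drop the window class registered in
     * ODBG_Plugininit.  Being void, it must not return a value (the former
     * "return Unregisterpluginclass(...)" did). */
    if(IsMallocSuccess)
    {
        free(JunkUndoData);
        JunkUndoData=NULL;
        IsMallocSuccess=false;   /* keep flag and buffer consistent, as the Undo path does */
    }
    Unregisterpluginclass(classname);
}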
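extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item)
{
    /* Dispatches the plugin menu entries (numbers from ODBG_Pluginmenu) and
     * the shortcuts routed here by ODBG_Pluginshortcut.
     * origin - which OllyDbg window the request came from (PM_MAIN or
     *          PM_DISASM);
     * action - menu entry number;
     * item   - window-specific data: a t_dump* for PM_DISASM, else NULL. */
    switch(action)
    {
    case 0:  /* About */
        MessageBox(hOllyWnd,"DeJunk plugin\nWritten by flyfancy\nThx: ljtt","DeJunk plugin v0.12",MB_OK|MB_ICONASTERISK);
        break;

    case 1:  /* DeJunk: main dialog, the user enters address and range */
        DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_MAINDLG),hOllyWnd,DeJunkFunc,0);
        break;

    case 2:  /* Undo: write back the bytes saved before the last patch */
        if(!IsMallocSuccess)
        {
            MessageBox(hOllyWnd,"Undo data is NULL.","DeJunk plugin v0.12",MB_OK|MB_ICONASTERISK);
            return;
        }
        /* Only the most recent range is kept: JunkStartAddr/JunkRange are
         * the values FindJunk was last called with. */
        if(!Writememory(JunkUndoData,JunkStartAddr,JunkRange,MM_SILENT))
        {
            MessageBox(hOllyWnd,"Can't execute undo operation!","Warning",MB_OK|MB_ICONEXCLAMATION);
            return;
        }
        IsMallocSuccess=false;
        free(JunkUndoData);
        JunkUndoData=NULL;
        Setdisasm(JunkStartAddr,JunkRange,CPU_ASMFOCUS);
        break;

    case 3:  /* Option: same dialog template, different procedure */
        DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_MAINDLG),hOllyWnd,OptionFunc,0);
        break;

    case 4:  /* Dejunk selection: use the CPU window's selected range */
        if(origin == PM_DISASM && item != NULL)
        {
            t_dump* dump=(t_dump*)item;
            /* The subtraction below treats sel1 as the (exclusive) end of
             * the selection; reject an empty or inverted selection so
             * FindJunk never sees a zero or wrapped-around range. */
            if(dump->sel1 <= dump->sel0)
                break;
            IsDefaultType=true;          /* use DefaultType from Junkdb.cfg */
            JunkStartAddr=dump->sel0;
            JunkRange=dump->sel1 - JunkStartAddr;
            FindJunk(hOllyWnd,JunkStartAddr,JunkRange);
        }
        break;

    case 5:  /* View last log */
    {
        /* NOTE(review): despite the label this opens Junkdb.cfg -- the same
         * file the main dialog's IDC_BTE button opens -- confirm whether a
         * log file was intended.
         * The "Editor" value is taken straight from the cfg file and run
         * through ShellExecute, so the cfg (next to the plugin DLL) must not
         * be writable by untrusted users.  When no editor is configured the
         * file is opened with its shell association instead of calling
         * ShellExecute with an empty program name. */
        HINSTANCE rc;
        if(GetPrivateProfileString("OPTION","Editor",NULL,String2,260,JunkdbcfgPath))
            rc=ShellExecute(NULL,"Open",String2,JunkdbcfgPath,NULL,SW_SHOWDEFAULT);
        else
            rc=ShellExecute(NULL,"Open",JunkdbcfgPath,NULL,NULL,SW_SHOWDEFAULT);
        if((INT_PTR)rc <= 32)    /* ShellExecute signals failure with a value <= 32 */
            MessageBox(hOllyWnd,"Can't open Junkdb.cfg!","Warning",MB_OK|MB_ICONEXCLAMATION);
        break;
    }

    default:
        break;
    }
}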
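extc int _export cdecl ODBG_Pluginmenu(int origin,char *data,void *item)
{
    /* Fills data with the plugin menu in OllyDbg's text format:
     * "<number> <text>\t<shortcut>", entries separated by ',' and groups by
     * '|'; the number is the action later passed to ODBG_Pluginaction.
     * Only the main-window menu (PM_MAIN) is provided.  Returns 1 when a
     * menu was written, 0 otherwise.
     * NOTE(review): entry 4 is listed here although ODBG_Pluginaction only
     * acts on it for origin == PM_DISASM, so picking it from the main menu
     * does nothing.
     * (data was a by-value char in the listing; the SDK passes a buffer.) */
    (void)item;
    if(origin != PM_MAIN)
        return 0;
    strcpy(data,"1 &DeJunk\tAlt+Shift+S, 2 &Undo\tAlt+Shift+Z, 4 D&ejunk selection\tAlt+Shift+Q|3 "\
    "&Option, 5 &View last log\tAlt+Shift+G|0 &About");
    return 1;
}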
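extc int _export cdecl ODBG_Pluginshortcut(int origin,int ctrl,int alt,int shift,int key,void *item)
{
    /* Keyboard handler: maps Alt+Shift+<key> to the same actions as the
     * menu.  Returns 1 if the key was consumed, 0 to let OllyDbg handle it.
     * 'Q' (Dejunk selection) only applies in the disassembly window, where
     * item is the t_dump describing the selection.
     * The listing lacked the function's closing brace, leaving the
     * non-Alt+Shift path without a return value; every path now returns. */
    if(ctrl != 0 || alt != 1 || shift != 1)
        return 0;
    switch(key)
    {
    case 'S':
        ODBG_Pluginaction(PM_MAIN,1,NULL);        /* DeJunk */
        return 1;
    case 'Q':
        if(origin == PM_DISASM && item != NULL)
        {
            ODBG_Pluginaction(PM_DISASM,4,item);  /* Dejunk selection */
            return 1;
        }
        break;
    case 'G':
        ODBG_Pluginaction(PM_MAIN,5,NULL);        /* View last log */
        return 1;
    case 'Z':
        ODBG_Pluginaction(PM_MAIN,2,NULL);        /* Undo */
        return 1;
    default:
        break;
    }
    return 0;
}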
弄懂了代码来进行实例分析,目标源码如下:TestDejunk.asm
.386
.model flat,stdcall
option casemap:none
include windows.inc
include Masm32.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.data
szCap       db "Test",0
szFind      db "Debugger present",0
szNoFind    db "Debugger NOT present",0
szNote      db "Test Last Error Message",0

.code
start:
    ; --- junk code for the DeJunk test ---
    ; "jmp +2" skips the two bytes 75 01 (which decode as "jnz +1"), so a
    ; linear disassembler sees a branch into the middle of the real code.
    ; Together the four bytes are the "EB 02 ?? ??" entry in Junkdb.cfg.
    jmp     @real_code
    db      075h, 001h
@real_code:
    ; --- GetLastError test: one normal call, then two that are meant to fail ---
    invoke  MessageBox, NULL, addr szNote, addr szCap, MB_OK
    invoke  LoadIcon, NULL, NULL                ; deliberately invalid arguments
    invoke  SetWindowText, NULL, NULL           ; deliberately invalid arguments
    ; --- IsDebuggerPresent test ---
    invoke  IsDebuggerPresent
    test    eax, eax                            ; ZF set when no debugger
    jnz     @detected
    invoke  MessageBox, NULL, addr szNoFind, addr szCap, MB_OK
@done:
    invoke  ExitProcess, 0
@detected:
    invoke  MessageBox, NULL, addr szFind, addr szCap, MB_OK
    jmp     @done
end start
编译成exe放入OllyDbg调试,得到:
00401000 >/$ EB 02 JMP SHORT TestDeju.00401004
00401002|75 DB 75 ;CHAR 'u'
00401003|01 DB 01
00401004|> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
对照Junkdb.cfg,可见对应于:
S = EB02????
R = 90909090
运行插件,果然将前4个字节(EB 02 75 01)改成了4个nop(90 90 90 90),相当于直接执行00401004处的代码。注意S中的????是通配符:只要是"EB 02"后面跟任意两个被跳过的字节都能匹配,因此无论作者塞入的是75 01还是其他填充字节,这条规则都能命中。