


// Cheat Engine auto-assembler script (32-bit x86, Intel syntax). It hooks dnf.exe
// at a fixed module offset, replaces one 6-byte instruction with a jmp into an
// allocated code cave, and re-executes the instruction sequence that follows the
// hook point in a counted loop. The comments below describe only what the listed
// bytes show; anything not visible in this listing is marked as an assumption.
define(address,"dnf.exe"+E10B96)
// Expected original bytes at the hook point: mov cl,[esi+00000815]
define(bytes,8A 8E 15 08 00 00)
[ENABLE]
// Refuse to patch unless the bytes at the offset match; this guards against a
// different build of the module, where the same offset would land in unrelated code.
assert(address,bytes)
alloc(newmem,$1000)
// diejia ("stacking" counter): a 4-byte loop counter placed in its own allocated page.
alloc(diejia,$1000)
label(code)
label(return)
newmem:
// Gate on a 32-bit field at esi+804 (the original code below reads the same
// offset as a 16-bit value at 01210BB1); what the constant 00010020 identifies
// is not shown anywhere in this listing.
cmp [esi+00000804],00010020
jne @f
jmp code
@@:
// Non-matching path: run the displaced instruction, reset the counter, resume.
mov cl,[esi+00000815]
mov [diejia],0
jmp return
code:
// Matching path: a replay of the original bytes 01210B96..01210BC1 (see the
// ORIGINAL CODE block at the bottom), followed by push ebx / push eax / call edx.
// Those last three instructions lie past the listed bytes -- presumably the
// original continuation of this sequence; confirm against the binary.
mov cl,[esi+00000815]
mov [ebp-00000806],cl
mov al,[esi+00000814]
mov ecx,[edi+24]
mov [ebp-00000805],al
movzx ebx,word ptr [esi+00000804]
// Two-level indirection through [edi+24]: looks like a vtable dispatch (edx = obj->vtbl[1]).
mov edx,[ecx]
mov edx,[edx+04]
push ebx
movzx eax,al
lea ebx,[esi+04]
push ebx
push eax
call edx
// Operand size for inc/mov on [diejia] is left to the assembler's default here;
// only the cmp below spells out dword ptr.
inc [diejia]
cmp dword ptr [diejia],#10//stacking count (decimal 10)
jb code
// return = address+6 (01210B9C), so after the loop exits the sequence following
// the hook point runs once more along the original path.
jmp return
address:
// 5-byte jmp plus one nop covers the 6-byte displaced instruction exactly.
jmp newmem
nop
return:
[DISABLE]
address:
// Restore the original bytes at the hook point.
db bytes
// mov cl,[esi+00000815]
// Only newmem is released here; the diejia page is not deallocated on disable.
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 01210B96
01210B77: 89 A5 DC F7 FF FF - mov [ebp-00000824],esp
01210B7D: 85 D2 - test edx,edx
01210B7F: 74 04 - je 01210B85
01210B81: 8B 12 - mov edx,[edx]
01210B83: 89 10 - mov [eax],edx
01210B85: 89 48 08 - mov [eax+08],ecx
01210B88: 8D 85 C4 F7 FF FF - lea eax,[ebp-0000083C]
01210B8E: 50 - push eax
01210B8F: 8B CB - mov ecx,ebx
01210B91: E8 5A 57 3C FF - call 005D62F0
// ---------- INJECTING HERE ----------
01210B96: 8A 8E 15 08 00 00 - mov cl,[esi+00000815]
// ---------- DONE INJECTING ----------
01210B9C: 88 8D FA F7 FF FF - mov [ebp-00000806],cl
01210BA2: 8A 86 14 08 00 00 - mov al,[esi+00000814]
01210BA8: 8B 4F 24 - mov ecx,[edi+24]
01210BAB: 88 85 FB F7 FF FF - mov [ebp-00000805],al
01210BB1: 0F B7 9E 04 08 00 00 - movzx ebx,word ptr [esi+00000804]
01210BB8: 8B 11 - mov edx,[ecx]
01210BBA: 8B 52 04 - mov edx,[edx+04]
01210BBD: 53 - push ebx
01210BBE: 0F B6 C0 - movzx eax,al
01210BC1: 8D 5E 04 - lea ebx,[esi+04]
}