蜗牛的疑问: HOOK + 汇编

先谢过了....
long dwID;
long dwSysID;
long dwAddress;
long dwWAddress;

ReadProcessMemory(g_hProcess, (LPCVOID)BASEADDR, &dwAddress, 4, 0);
ReadProcessMemory(g_hProcess, (LPCVOID)(dwAddress+0x8), &dwAddress, 4, 0);
ReadProcessMemory(g_hProcess, (LPCVOID)(dwAddress+0x24), &dwAddress, 4, 0);
ReadProcessMemory(g_hProcess, (LPCVOID)(dwAddress+0x18), &dwAddress, 4, 0);
for(int i = 0; i <= 768; i++)
{
ReadProcessMemory(g_hProcess, (LPCVOID)(dwAddress+0x4*i), &dwWAddress, 4, 0);
if(dwWAddress > 0)
{

ReadProcessMemory(g_hProcess, (LPCVOID)(dwWAddress+0x4), &dwWAddress, 4, 0);
ReadProcessMemory(g_hProcess, (LPCVOID)(dwWAddress+0x110), &dwID, 4, 0);
ReadProcessMemory(g_hProcess, (LPCVOID)(dwWAddress+0x10c), &dwSysID, 4, 0);
CString str;
str.Format("%x:%x", dwID, dwSysID);
MessageBox(NULL, str, "", MB_OK);
__asm
{
pushad

mov ecx, dword ptr [CALLBASE]
mov edx, dwID
mov eax, dwSysID
push edx
mov ecx, dword ptr [ecx+0x20]
push eax
add ecx, 0xd4
mov ebx, CALL_PICK //程序到此好像就没有跳出来为什么不解中....
call ebx

popad
}
Sleep(100);
}
}
以上是我写挂自动拾取的代码. __asm块独立使用CreateRemoteThread就可以正确执行

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

CALL_PICK存在于目标进程，跟本地进程地址不是一个东西。
注入到目标进程后才能正确执行。
恩谢谢是的
我利用HOOK将Dll映射到目标进程中
我的攻击Call 打坐Call (无参) 可以正确执行
声明: dwID dwSysID  参数正确
哈。。汇编这东西就是难搞mov ecx, dword ptr [CALLBASE]  ==》  mov ecx, CALLBASE
                                     mov ecx, dword ptr [ecx]
你这样改看看。。