�� - �� TeamX

» TeamX (�� )«

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
� �� fallout2.exe �� . �� . � �� visual c++ 6.0 visual basic 6.0
masm 9.0

��: 18:50 - 17 ��., 2008

Anchorite
��

��: ��
��: ��. 2003

��: 283 ��
�� , �� - �� (�� ) �� EXE-�� (�� ).

��: 19:35 - 17 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
Anchorite

��:
�� , �� - �� (�� )

��!

��: 19:39 - 17 ��., 2008

Tehnokrat
��

��: ��
��: ��. 2003

��: 489 ��
� �� ?

-----
�� , �� . �� , �� .

��: 23:18 - 17 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
Tehnokrat

��:
� �� ?

�� .

��: 23:21 - 17 ��., 2008

Anchorite
��

��: ��
��: ��. 2003

��: 283 ��
�� "Windows - �� ". �� .

��: 9:19 - 18 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
Anchorite

��

��: Windows �� . �� Win32-�p��o�e�� 64-�� Windows.
��: ��
��: ��, ��
ISBN: 5-272-00384-5, 1-57231-996-8
��: 2001
��: 752
��: ��

�� ?

�� . �� .
WG

��: 10:16 - 18 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
�� . �� .

��: 12:56 - 18 ��., 2008

Anchorite
��

��: ��
��: ��. 2003

��: 283 ��
�� WriteProcessMemory.

��: 14:02 - 18 ��., 2008

Ray
��

��: ��,��
��: ��. 2004

��: 746 ��
Anchorite

��
� �� - ��... �� , �� .

�� WriteProcessMemory �� CreateProcess

P.S. �� , �� - �� , �� ...

-----
�� .

��: 14:46 - 18 ��., 2008 | ��: Ray - 13:57 - 18 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
Ray

��:
P.S. �� , �� - �� , �� ...

�� (�� )

Anchorite

�� WriteProcessMemory �� CreateProcess �� .

��: 15:07 - 18 ��., 2008

Ray
��

��: ��,��
��: ��. 2004

��: 746 ��
WriteProcessMemory - ��. 552

-----
�� .

��: 17:22 - 18 ��., 2008

Tehnokrat
��

��: ��
��: ��. 2003

��: 489 ��
�� - Sing of Misery, �� -�� . �� , �� . �� . � �� , �� - Neo Sing of Misery. ��, �� . � �� .

-----
�� , �� . �� , �� .

��: 23:27 - 18 ��., 2008

Anchorite
��

��: ��
��: ��. 2003

��: 283 ��
Ray, �� , �� , �� .

Jordan, � �� .

1. � �� CreateProcess ��, �� fallout2.exe (�� CREATE_SUSPENDED)
2. �� WriteProcessMemory � �� .
3. �� fallout2.exe (�� - �� . �� ).

��: 23:29 - 18 ��., 2008

Ray
��

��: ��,��
��: ��. 2004

��: 746 ��
Anchorite
�� . ��
�� : ��/��

Jordan 63

� �� : �� . �� , � �� kernel32.dll �� (SwitchToThread) - �� . � � �� . �� , �� . �� .

� �� (�� VS6 � �� VS2005 - �� -��, �� ...) � �� , �� , �� . �� -�� , �� . � ��. �� - ��.

P.S. �� (fallout2.exe) �� main.exe � �� .

��

��:

�� -�� WriteProcessMemory �� - �� movei, � �� pAddress.

-----
�� .

��: 1:22 - 19 ��., 2008 | ��: Ray - 0:29 - 19 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
Ray

��!

� �� Win32 Application � �� Source Files �� main.cpp �� 2 �� Win32 Console Application �� . � �� 2008out. ��
000B0AD8:
�� 75
�� EB

�� 000B0AD8
� �� 75 �� EB

P.S �� 5?

��: 2:24 - 19 ��., 2008 | ��: Jordan 63 - 4:12 - 19 ��., 2008

Freeman
��

��: ��. 2007

��: 24 ��
Jordan 63

��:
��

�� . �� Offsets �� Memory Offset�, �� . �� , � �� .
�� , �� .

Ray

� �� CREATE_SUSPENDED, � �� ResumeThread. � ��, �� , � �� .

��: 9:45 - 19 ��., 2008

Jordan 63
��

��: ��, ��
��: �� 2007

��: 228 ��
�� . � �� .

�� . �� fallout2.exe � ��

//��-��
buf[0x87411]=0xEB;
buf[0x8FDAF]=0x90;
buf[0x8FDB0]=0x90;
//��
buf[0x93B0F]=0xE9;
buf[0x93B10]=0x95;
buf[0x93B11]=0x00;
buf[0x93B14]=0x90;
buf[0x93BB7]=0xEB;
//��
buf[0xAF7BB]=0xEB;
//�� 35� ��, � ��
buf[0xB0AEA]=0x00;
//��
//(� �� )
buf[0x000AD008]=0x000000AD;
//�� Y
//(� �� )
buf[0x000AD00D]=0x0000007A;

�� .

Freeman

��

000B0AD8:
�� 75
�� EB

�� memory �� ?

��: 13:15 - 19 ��., 2008

Freeman
��

��: ��. 2007

��: 24 ��
��:
��

�� , �� PE Tools�. ��
��. �� :
1. �� .
2. �� fallout2.exe, �� Alt+1 �� (�� ).
3. �� . � �� FLC�.
4. �� . � �� File Offset� �� .
5.�� Calculate�. � �� Virtual Address� �� .
��: 000B0AD8 -> 004C06D8

�� .
int pAddress =0x4C06D8;
char movei=0xEB; //�� .
WriteProcessMemory(hNewProcess, (void*)pAddress, &movei, 1, NULL);

��: 15:48 - 19 ��., 2008

��
<< ��. ��. >> ��