
//通用版本调试器检测


//通用版本调试器检测
//应该是通用的，我只测试了 0627 和 0725 这两个版本
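[ENABLE]
// Cheat Engine auto-assembler script (32-bit x86, DNF.exe).
// The 12-byte pattern below is the original sequence at the injection point:
//   8B 8E BC 0F 00 00   mov ecx,[esi+00000FBC]   (6 bytes)
//   C6 45 FC 2D         mov byte ptr [ebp-04],2D (4 bytes)
//   3B CB               cmp ecx,ebx              (2 bytes)
// It is located by signature rather than by fixed address, which is why the
// same script is expected to apply across client builds (author tested 0627 and 0725).
aobscanmodule(TIAO_SHI_QI_JIAN_CE_CT,DNF.exe,8B 8E BC 0F 00 00 C6 45 FC 2D 3B CB) // should be unique
alloc(newmem,$1000)
alloc(CETSQ,$1000)                  // holds a single dword flag; $1000 is far more than needed
label(return)

// Flag consulted by the replaced compare. Initialised to 1 (a dword, see DD).
CETSQ:
DD 1

newmem:
// First two original instructions are re-executed unchanged.
mov ecx,[esi+00000FBC]
mov byte ptr [ebp-04],2D
// The original `cmp ecx,ebx` is replaced: the flags that the following
// `je` in the game code sees now come from comparing [CETSQ] with 1
// instead of from ecx/ebx. Size made explicit to match the DD above.
cmp dword ptr [CETSQ],1
jmp return

TIAO_SHI_QI_JIAN_CE_CT:
jmp newmem                          // 5-byte jmp overwrites the 12-byte sequence...
nop 7                               // ...and 7 nops pad the remaining bytes
return:
registersymbol(TIAO_SHI_QI_JIAN_CE_CT)

[DISABLE]
// Restore the exact original 12 bytes at the injection point.
TIAO_SHI_QI_JIAN_CE_CT:
db 8B 8E BC 0F 00 00 C6 45 FC 2D 3B CB
unregistersymbol(TIAO_SHI_QI_JIAN_CE_CT)
dealloc(newmem)
dealloc(CETSQ)                      // was missing: the flag page leaked on every disable/enable cycle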
{
//0627 调试器检测
// ORIGINAL CODE - INJECTION POINT: 00755B7C
00755B52: 68 90 C4 53 01 - push 0153C490
00755B57: E8 5E 6A C7 00 - call 013CC5BA
00755B5C: 83 C4 08 - add esp,08
00755B5F: C6 45 FC 02 - mov byte ptr [ebp-04],02
00755B63: EB 07 - jmp 00755B6C
00755B65: BF 08 00 00 00 - mov edi,00000008
00755B6A: 33 DB - xor ebx,ebx
00755B6C: 68 28 F3 A5 01 - push 01A5F328
00755B71: 8D 8D B8 FB FF FF - lea ecx,[ebp-00000448]
00755B77: E8 A4 DB A2 00 - call 01183720
// ---------- INJECTING HERE ----------
00755B7C: 8B 8E BC 0F 00 00 - mov ecx,[esi+00000FBC]
// ---------- DONE INJECTING ----------
00755B82: C6 45 FC 2D - mov byte ptr [ebp-04],2D
00755B86: 3B CB - cmp ecx,ebx
00755B88: 74 05 - je 00755B8F
00755B8A: E8 61 DF 9E 00 - call 01143AF0
00755B8F: 8D 8D B8 FB FF FF - lea ecx,[ebp-00000448]
00755B95: C6 45 FC 02 - mov byte ptr [ebp-04],02
00755B99: E8 32 D8 A2 00 - call 011833D0
00755B9E: B8 00 00 01 00 - mov eax,00010000
00755BA3: 85 05 68 F7 A5 01 - test [01A5F768],eax
00755BA9: 0F 85 85 00 00 00 - jne 00755C34
}
{
//0725 调试器检测
// ORIGINAL CODE - INJECTION POINT: 0075FA7C
0075FA52: 68 F0 7C 54 01 - push 01547CF0
0075FA57: E8 AE 78 C7 00 - call 013D730A
0075FA5C: 83 C4 08 - add esp,08
0075FA5F: C6 45 FC 02 - mov byte ptr [ebp-04],02
0075FA63: EB 07 - jmp 0075FA6C
0075FA65: BF 08 00 00 00 - mov edi,00000008
0075FA6A: 33 DB - xor ebx,ebx
0075FA6C: 68 58 EF A6 01 - push 01A6EF58
0075FA71: 8D 8D B8 FB FF FF - lea ecx,[ebp-00000448]
0075FA77: E8 E4 E8 A2 00 - call 0118E360
// ---------- INJECTING HERE ----------
0075FA7C: 8B 8E BC 0F 00 00 - mov ecx,[esi+00000FBC]
// ---------- DONE INJECTING ----------
0075FA82: C6 45 FC 2D - mov byte ptr [ebp-04],2D
0075FA86: 3B CB - cmp ecx,ebx
0075FA88: 74 05 - je 0075FA8F
0075FA8A: E8 11 E6 9E 00 - call 0114E0A0
0075FA8F: 8D 8D B8 FB FF FF - lea ecx,[ebp-00000448]
0075FA95: C6 45 FC 02 - mov byte ptr [ebp-04],02
0075FA99: E8 22 E6 A2 00 - call 0118E0C0
0075FA9E: B8 00 00 01 00 - mov eax,00010000
0075FAA3: 85 05 98 F3 A6 01 - test [01A6F398],eax
0075FAA9: 0F 85 85 00 00 00 - jne 0075FB34
}

