
按键X内存汇编库开源(导师作品)


按键X版本内存汇编库开源:编码形式借助vbs声明和函数,汇编执行为shellcode   类人猿:QQ:578052137

// Win32 (plus one third-party "ToAsm") imports used by the memory, hook and remote-execution helpers
// below. The trailing notes are review observations on the declarations; no signature is changed.
// Taken together these declare the allocate / write / remote-thread / hook primitives that
// process-injection detection rules key on, so a host running this script should expect such alerts.
Declare Function Asm Lib  "ToAsm" Alias  "Asm"(ByVal code As String,ByVal 长度 As Long) As Long // third-party library, not a system DLL; not called in the visible code

Declare Function SetRec Lib  "user32" Alias  "SetRect"(ByVal 矩形 As Any,ByVal 左边 As Long,ByVal 顶边 As Long,ByVal 右边 As Long,ByVal 底边 As Long) As Long // local name SetRec differs from the alias SetRect

Declare Function LocalAlloc  Lib "kernel32" Alias "LocalAlloc" (ByVal wOemChar As Long,ByVal wOmChar As Long) As Long // (uFlags, uBytes); the parameter names are misleading

Declare Function LocalFree Lib "kernel32" Alias "LocalFree" (ByVal hMem As Long) As Long // declared but never called below: every LocalAlloc in this file leaks

Declare Function LocalSize Lib "kernel32" (ByVal hMem As Long) As Long

Declare Function RtlMoveMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal h As Any, ByRef f As Any, ByVal Length As Long) // declared as Function without a return type

Declare Function CallWindowProcA Lib  "user32.dll" Alias  "CallWindowProcA"(ByVal 前1窗口函数地址 As Long,byref 窗口句柄 As Long,ByVal 消息值 As Long,ByVal 附加参数1 As Long,ByVal 附加参数2 As Long) As Long // used to transfer control to a buffer in the current process (RunCurAsmCode, 汇编执行代码)

Declare Function RtlFillMemory Lib  "kernel32.dll" Alias  "RtlFillMemory"(ByVal 目的内存 As String,ByVal 长度 As Long,ByVal 填充内容 As Any) As Long

Declare Function LoadLibraryA Lib  "kernel32.dll" Alias  "LoadLibraryA"(ByVal 动态链接库名称 As String) As Long

Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long


Declare Function GetProcAddress Lib  "kernel32.dll" Alias  "GetProcAddress"(ByVal 模块句柄 As Long,ByVal 进程名称 As String) As Long // second parameter is the export name, passed as a raw pointer by 获取函数地址API

Declare Function GetModuleHandleA Lib  "kernel32.dll" Alias  "GetModuleHandleA"(ByVal 模块名 As String) As Long

Declare Function SetWindowsHook Lib  "user32.dll" Alias  "SetWindowsHookExA"(ByVal 钩子类型 As Long,ByVal 回调函数地址 As Long,ByVal 实例句柄 As Long,ByVal 线程ID As Long) As Long

Declare Function UnhookWindowsHookEx Lib  "user32.dll" Alias  "UnhookWindowsHookEx"(ByVal 钩子句柄 As Long) As Long

Declare Function RtlZeroMemory Lib  "kernel32.dll" Alias  "RtlZeroMemory"(ByVal 目的内存 As String,ByVal 长度 As Long) As Long

Declare Function MultiByteToWideChar Lib  "kernel32.dll" Alias  "MultiByteToWideChar"(ByVal CodePage As Long,ByVal dwFlags As Long,ByVal lpMultiByteStr As Long,ByVal cchMultiByte As Long,ByVal lpWideCharStr As Long,ByVal lpWideCharStr As Long) As Long // NOTE(review): the sixth parameter repeats the name lpWideCharStr; the API's sixth argument is the wide-buffer length

Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long

Declare Function  OpenProcess Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal  bInheritHandle As Long, ByVal dwProcessId As Long) As Long // every caller below passes 2035711 (&H1F0FFF, the legacy all-access mask) and most never close the handle

Declare Function  WriteProcessMemory Lib "kernel32" Alias "WriteProcessMemory" ( Handle_Process As Long, lpBaseAddress As long,date As long,  nSize As Long, lpNumberOfBytesWritten As Long) As Long // NOTE(review): no ByVal on any parameter and the buffer parameter is named "date"; callers pass a string for it

Declare Function  CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

Declare Function GetCurrentProcessId Lib "kernel32" Alias "GetCurrentProcessId" () As Long

Declare Function ReadProcessMemory Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long,ByVal lpBaseAddress As Long, ByRef lpBuffer As Long, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long // lpBuffer is declared Long but the readers below pass a 2-character string buffer


Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long // only referenced from a commented-out example at the end of the file

Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long

Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long  

Private Declare Function htonl Lib "Wsock32.dll" (ByVal hostlong As Long) As Long // swaps the byte order of a 4-byte value // 32-bit signed only; an unsigned value such as FFFF FFFF is not supported

Private Declare Function htons Lib "Wsock32.dll" (ByVal hostshort As Long) As Long // 2-byte byte swap


Private Declare Function SetWindowsHookExA Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long // NOTE(review): the local name says the ANSI entry point but the alias binds the wide one

Private Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hwnd As Long, lpdwProcessId As Long) As Long  

Public  Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal ncode As Long,ByVal wParam As WindowsMessages,lParam As MSLLHOOKSTRUCT) As Long  // the types WindowsMessages and MSLLHOOKSTRUCT are not declared anywhere on this page

Private Declare Function RegisterWindowMessage Lib "user32" Alias "RegisterWindowMessageA" (ByVal lpString As String) As Long

Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long


Public Declare Function VirtualProtectEx Lib "kernel32 " (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flNewProtect As Integer, ByRef lpflOldProtect As Integer) As Integer // NOTE(review): every parameter is Integer rather than Long, and the Lib name carries a trailing space

Public Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long // MEMORY_BASIC_INFORMATION is not declared on this page; the function is never called below


Function 保护_VirtualQueryEx(ProcessId,Addr,AddrSize)
// Changes the protection of AddrSize bytes at Addr to 64 (PAGE_EXECUTE_READWRITE) with VirtualProtectEx.
// The first argument is handed to VirtualProtectEx unchanged, which expects a process *handle*, whereas
// the other helpers in this file take a process id in this position — NOTE(review): confirm what callers pass.
// NOTE(review): the result is stored in a variable named VirtualQueryEx rather than in the function name,
// so the caller always receives Empty; the previous protection captured in oldVal is not returned either.

Dim issuscce,oldVal

issuscce = VirtualProtectEx(ProcessId, Addr, AddrSize, 64, oldVal)

VirtualQueryEx=issuscce

End Function


Function 十进制转二进制(十进制整数)
    // Despite the name ("decimal to binary") this returns the hex text of htonl(十进制整数),
    // i.e. the input with its four bytes reversed. The original author flagged it as buggy.
    Dim swapped
    swapped = htonl(十进制整数)
    十进制转二进制 = Hex(swapped)
End Function



Function 枚举系统进程名()
    // Enumerates Win32_Process through WMI and appends each Description plus CRLF to Enum1.
    // Enum1 is not declared here, so it keeps accumulating across calls; the accumulated text is returned.
    Dim svc, procs
    Set svc = GetObject("WinMgmts:")
    Set procs = svc.InstancesOf("Win32_Process")
    For Each obj In procs
        Enum1 = Enum1 + obj.Description + vbCrLf
    Next
    枚举系统进程名 = Enum1
End function


Function 获取系统全部进程和ID()
    // Lists every Win32_Process as "<pid> <name>" lines, CRLF-separated (the text starts with a CRLF).
    // Side effect kept from the original: Pro_Name_Array (not declared here) receives the split lines.
    Dim Pro_And_Name, entry
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set ps = objWMIService.ExecQuery("select * from Win32_Process")
    For Each p In ps
        entry = p.ProcessId & " " & p.Name
        Pro_And_Name = Pro_And_Name & vbCrLf & entry
    Next
    Pro_Name_Array = split(Pro_And_Name, vbcrlf)
    获取系统全部进程和ID = Pro_And_Name
End Function


Function 根据进程名字枚举进程ID(进程名)// returns the ProcessId of the first Win32_Process whose Name equals 进程名; Empty when nothing matches

Dim Pro_And_Name  // "<pid> <name>" lines, CRLF-separated, beginning with a CRLF

Dim Name_Array

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

Set ps = objWMIService.ExecQuery("select * from Win32_Process")

For Each p In ps

    Pro_And_Name = Pro_And_Name & vbCrLf & p.ProcessId & " " & p.Name

Next

//        MessageBox   Pro_And_Name

Pro_Name_Array = split(Pro_And_Name, vbcrlf) // element 0 is the empty text before the first CRLF, hence i starts at 1

i=1

For  UBound (Pro_Name_Array) // counted loop of the host dialect (presumably runs UBound times, covering indexes 1..UBound) — confirm

    //        TracePrint Pro_Name_Array(i)

    Name_Array = split(Pro_Name_Array(i), " ") // NOTE(review): a process name containing a space is cut at its first space here

    If Name_Array(1) = 进程名 Then

        根据进程名字枚举进程ID = int(Name_Array(0))

        //            TracePrint  Name_Array(1)

        Exit for

        //            end if

    End if

    i=i+1

Next

End Function


Function 跨进程获取函数名地址S(ProcessId,模块名字,函数名字)// example: Call 跨进程获取函数名地址(ProcessId,"kernel32","CreateRemoteThread", <arg>) — the author notes a protected target cannot be reached this way
// Resolves the export 函数名字 of module 模块名字 inside process ProcessId. Both names are copied into
// the target, a stub assembled in PublicCode calls GetModuleHandleA then GetProcAddress there and stores
// eax at 返回值地址; the value is read back after a fixed 100 ms delay.
// NOTE(review): the three buffers from 申请指定进程空间 are never released, the API addresses are resolved
// in the current process by 获取函数地址API (this only works if kernel32 is mapped at the same base in the
// target), and the fixed Delay is the only synchronisation with the remote thread.

Dim 远程参数地址

Dim 返回值地址

返回值地址 = 申请指定进程空间(ProcessId, 4)

远程参数地址 = 申请指定进程空间(ProcessId, len(模块名字) + 4)

Call 写入字符集ASCII(ProcessId, 远程参数地址, 模块名字)// copies the string bytes

远程名字参数地址=申请指定进程空间(ProcessId, len(函数名字)+4) // not Dim'ed: becomes a module-level variable

Call 写入字符集ASCII(ProcessId, 远程名字参数地址, 函数名字)// copies the string bytes

//TracePrint  Hex(远程参数地址)

GetModuleHandleA = 获取函数地址API("kernel32.dll", "GetModuleHandleA")// fixed: module base lookup — NOTE(review): this local carries the same name as the declared API

Addr_GetProcAddress = 获取函数地址API("kernel32.dll", "GetProcAddress")// fixed: export lookup

//TracePrint Hex(GetModuleHandleA)

Call AsmClear()

call Pushad()

Call PUSH(远程参数地址)  // emit the complete call sequence first, then run it; the stack must stay balanced

Call Mov_EDX_Value(GetModuleHandleA)

Call Call_EDX()

Call Push(远程名字参数地址)

Call Push_EAX

Call Mov_EDX_Value(Addr_GetProcAddress)

Call Call_EDX()

Call Mov_DWORD_Ptr_Addr_EAX(返回值地址)

Call Popad()

Call ret()  // pairs with the pushes above

Call RunAsmCode(ProcessId, 1)// runs the stub in the target

Delay 100

获取函数地址= 读取四字节整数(ProcessId,返回值地址)

//    TracePrint "模块地址===" & Hex(模块地址)

跨进程获取函数名地址S=获取函数地址

End Function


//HWND = Plugin.Window.Find(0, "form1")

//ProcessId = Plugin.SysEx.GetProcessID(Hwnd)

//函数字节集 = "55 8B EC 8B E5 5D C2 10 00"

//Call 主线程切入口注入(ProcessId, 函数字节集, &H75c0fdcf)

Function 主线程切入口注入(ProcessId, 函数字节集,主线程入口地址)// author's note: better to suspend the thread before running it
// Copies the hex byte string 函数字节集 into a new allocation in ProcessId and overwrites the five bytes
// at 主线程入口地址 with an E9 jump whose displacement points at that allocation.
// NOTE(review): len(函数字节集) counts the spaced hex text, roughly three characters per byte, so the
// allocation is about three times the byte count; NewAddr is never released.

Dim NewAddr // where the copied bytes live

Dim JMP_Value// jump displacement

NewAddr = 申请指定进程空间(ProcessId, len(函数字节集) + 4)

Call 写入字节集(ProcessId, NewAddr, 函数字节集)// writes the replacement function bytes

TracePrint Hex(NewAddr)

JMP_Value = HEX(htonl(NewAddr - 主线程入口地址 - 5)) // displacement formula: target - source - 5, byte-swapped into little-endian hex

TracePrint JMP_Value

JMP_Value= 十六进制字节集标准化(JMP_Value)

call 写入单字节整数(ProcessId, 主线程入口地址, &He9)

Call 写入字节集(ProcessID, 主线程入口地址+1, JMP_Value) // the jmp displacement

End Function



Function 十六进制字节集标准化(十六字节集)
    // Re-spaces a run of hex digits into byte pairs: "5589EC" -> "55 89 EC".
    // A trailing odd digit is dropped, as in the original. The parameter is overwritten with the
    // result too (parameters are ByRef here), matching the original's behaviour.
    Dim pos, spaced
    spaced = ""
    pos = 1
    Do While pos + 1 <= Len(十六字节集)
        spaced = spaced & " " & Mid(十六字节集, pos, 2)
        pos = pos + 2
    Loop
    十六字节集 = LTrim(spaced)
    十六进制字节集标准化 = 十六字节集
End function



Function 创建进程S(ParentProPid, WholePathAndParam, WorkPath)// author's note: why go through a stub instead of calling the API directly?
// Starts WholePathAndParam from inside process ParentProPid by assembling a CreateProcessA call into
// PublicCode and running it there. The pushes below are the ten CreateProcessA arguments, last first:
// command line in 参数2, current directory in 参数8, and the two output structures in 参数9 / 参数10.
// NOTE(review): 参数8 is a fixed 50 bytes but 写入字符集ASCII writes Len(WorkPath) bytes with no check;
// the buffers are released after a fixed 100 ms delay, so a slow remote thread would find them freed.

Dim 参数2,参数8,参数9,参数10

Addr_CreateProcessA = 获取函数地址API("kernel32.dll", "CreateProcessA") // resolved in the current process, assumed valid in the target

//    TracePrint Hex(Addr_CreateProcessA)

参数2 =  申请指定进程空间(ParentProPid,len(WholePathAndParam)+8) // sized from the command-line length

//    TracePrint Hex(参数2)

Call 写入字符集ASCII(ParentProPid, 参数2, WholePathAndParam)  // full path plus arguments

参数8 =  申请指定进程空间(ParentProPid,50)

//    TracePrint Hex(参数8)

Call 写入字符集ASCII(ParentProPid, 参数8, WorkPath)  // working directory, e.g. E:\\moyu

参数10 = 申请指定进程空间(ParentProPid, 20) // author's note: this structure is too small, adjust as needed (200)

参数9 =  申请指定进程空间(ParentProPid,500)  // author's note: this structure is too small, adjust as needed (200)

call AsmClear()

Call Push_EBP()

Call mov_ebp_esp()

Call PUSH(参数10) // structure

Call PUSH(参数9)  // structure

Call PUSH(参数8)  // directory, without the file name

Call PUSH(0)

Call PUSH(0)

Call PUSH(0)

Call PUSH(0)

Call PUSH(0)

Call PUSH(参数2)

Call PUSH(0)

Call Mov_EAX_Value(Addr_CreateProcessA)

Call Call_EAX

Call Mov_ESP_EBP()

Call pop_ebp()

Call Ret()

//TracePrint W_GetCode()

Call RunAsmCode(ParentProPid, 0)

Delay 100

Call 释放进程分配空间(ParentProPid,参数8)

Call 释放进程分配空间(ParentProPid,参数2)

Call 释放进程分配空间(ParentProPid,参数9)

Call 释放进程分配空间(ParentProPid,参数10)

End function


//call 钩子HOOK实例()

Function 钩子HOOK实例(ProcessId)// example; the original note obtained ProcessId from a window found with Plugin.Window.Find(0, "【魔域】") and Plugin.SysEx.GetProcessID(Hwnd)
// Example stub for RunAsmCodetoMainThread: 120 bytes are allocated in ProcessId, the dword at offset
// 100 is cleared, and the assembled code ends by writing 1 there so the caller can poll for completion.
// NOTE(review): &H12C447C and &H12C51D4 are absolute addresses for one specific target build; they are
// meaningless for any other process. The allocation is never released.

申请回调函数地址 = 申请指定进程空间(ProcessId, 120)// the longest stub is 100 bytes

Call 写入四字节内存整数(ProcessId, 申请回调函数地址 + 100, 0) // completion flag, cleared before the stub runs

call AsmClear()

Call Push_EBP()

Call mov_ebp_esp()

call Mov_EAX_DWORD_Ptr_Addr(&H12C447C)

Call Push (1)

Call Push(3)

Call Mov_ECX_DWORD_Ptr_EAX

Call Mov_ESI_DWORD_Ptr_Addr(&H12C51D4)

Call Call_ESI

Call Mov_EAX_Value(1)

call Mov_DWORD_Ptr_Addr_EAX(申请回调函数地址+100) // sets the completion flag to 1

Call Mov_ESP_EBP()

Call pop_ebp()

Call ret  // pairs with the pushes above

Call RunAsmCodetoMainThread(ProcessId, 申请回调函数地址)

End function


Function RunAsmCodetoMainThread(ProcessId, 申请回调函数地址) // runs the PublicCode stub in the target's window thread via a hook
// Re-spaces the module-level PublicCode into byte pairs, writes it at 申请回调函数地址 in ProcessId, then
// installs the hook through 钩子HOOK注入执行 up to 300 times until the dword at 申请回调函数地址+100 reads 1.
// NOTE(review): HWND is not a parameter — it must already be set at module level; q is not Dim'ed.
// Each retry installs a fresh hook (and allocates a fresh 4-byte buffer) that is never removed.

Dim i

dim  PublicCode_1                      

For i = 0 To Len(PublicCode) / 2 - 1

    PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) // insert a space between byte pairs

Next

PublicCode=LTrim(PublicCode_1)  // PublicCode is rewritten in its spaced form

//TracePrint  PublicCode

call 写入字节集(ProcessId, 申请回调函数地址, PublicCode)

Dim 函数是否执行

q=0

For 300

    q=q+1

    TracePrint  q

    Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)

    函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100) // completion flag written by the stub

    TracePrint  Hex(函数是否执行)

    If 函数是否执行 = 1 Then

        Exit For

    End if

Next

End Function



Function 钩子Hook注入二进制代码(ProcessId, 申请回调函数地址,二进制字节集)// same as RunAsmCodetoMainThread but takes the hex string as a parameter
// Re-spaces 二进制字节集 into byte pairs, writes it at 申请回调函数地址 in ProcessId and retries
// 钩子HOOK注入执行 up to 300 times until the dword at 申请回调函数地址+100 reads 1.
// The local Dim PublicCode shadows the module-level buffer, so AsmClear/opcode helpers are unaffected.
// NOTE(review): HWND is not a parameter and must be set at module level; q is not Dim'ed.

Dim i

Dim PublicCode_1

Dim PublicCode

PublicCode=二进制字节集

For i = 0 To Len(PublicCode) / 2 - 1

    PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) // insert a space between byte pairs

Next

PublicCode=LTrim(PublicCode_1)  // spaced form

TracePrint  PublicCode

call 写入字节集(ProcessId, 申请回调函数地址, PublicCode)

//call 写入字节集(ProcessId, 申请回调函数地址, "8B 0D 7C 24 2C 01 6A 01 6A 03 8B 09 FF 15 D4 31 2C 01 C3")

Dim 函数是否执行

q=0

For 300

    q=q+1

    //TracePrint  q

    Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)

    函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100) // completion flag written by the stub

    //TracePrint  Hex(函数是否执行)

    If 函数是否执行 = 1 Then

        Exit For

    End if

Next

End Function



//=======================================钩子处理================

Function 钩子HOOK注入执行(HWND, 函数地址, ProcessId)
// Assembles a SetWindowsHookExA(4, 函数地址, GetModuleHandleA(0), threadId) call into PublicCode,
// runs it in ProcessId through RunAsmCode and returns the hook handle read back from 存放返回值的地址.
// NOTE(review): GetModuleHandleA(0) passes 0 for a String parameter and is evaluated in the current
// process, not the target; the 4-byte buffer is never released; the result is read with no wait
// (the Delay below is commented out, although the author's note says a delay is required).

Dim 存放返回值的地址

Dim ThreadPid

存放返回值的地址= 申请指定进程空间(ProcessId, 4)

//TracePrint  Hex(存放返回值的地址)

ThreadPid=GetWindowThreadProcessId(HWND,0) // thread id that owns HWND

Addr_SetWindowsHookEx = 获取函数地址API("user32.dll", "SetWindowsHookExA")

//TracePrint "Addr_SetWindowsHookEx函数地址 === " & Hex(Addr_SetWindowsHookEx)

call AsmClear()

Call Push_EBP()

Call mov_ebp_esp()

Call PUSH(ThreadPid)

Call PUSH(GetModuleHandleA(0)) // module base, e.g. 400000

Call PUSH(函数地址)

Call PUSH(4)  // idHook 4; emit the complete call sequence first, then run it; the stack must stay balanced

Call Mov_EDX_Value(Addr_SetWindowsHookEx)

Call Call_EDX()

Call Mov_DWORD_Ptr_Addr_EAX(存放返回值的地址)

Call Mov_ESP_EBP()

Call pop_ebp()

Call ret  // pairs with the pushes above

//TracePrint  PublicCode

Call RunAsmCode(ProcessId, 1)// runs the stub in the target

//Delay 100 // author's note: reading the result must be delayed because hook messages are queued

//TracePrint "存放返回值的地址 =="&  Hex(存放返回值的地址)

钩子类型= 读取四字节整数(ProcessId,存放返回值的地址) // hook handle (not a hook type, despite the name)

//TracePrint "钩子类型==" & Hex(钩子类型)

钩子HOOK注入执行= 钩子类型

End Function


//call AsmClear()//========================================================================本地执行汇编运算例子

//Addr_SendMessageA = 获取函数地址API("user32.dll", "SendMessageA")

//TracePrint Addr_SendMessageA

//call AsmClear()

//Call Push_EBP()

//Call mov_ebp_esp()

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(hwnd)

//Call Mov_EAX_Value(Addr_SendMessageA)

//Call Call_EAX

//Call Mov_ESP_EBP()

//Call pop_ebp()

//Call Ret()

//TracePrint W_GetCode()

//Call RunAsmCode(ProcessId, 1)//核心代码


Function 钩子HOOK卸载(钩子句柄)
    // Removes the hook identified by 钩子句柄 via UnhookWindowsHookEx; the API result is discarded.
    Call UnhookWindowsHookEx(钩子句柄)
End Function

//=======================================钩子处理===================

// NOTE(review): EndScript sits between two hook helpers; presumably the host treats it as the end of the
// main script body with everything after it as subroutine definitions — confirm, since the definitions
// above this line would then belong to the main body.
EndScript


Function 钩子HOOK消息注册(消息字符串)
    // Registers (or looks up) the window message named 消息字符串 and returns its id.
    Dim msgId
    msgId = RegisterWindowMessage(消息字符串)
    钩子HOOK消息注册 = msgId
End Function


Function RunCurAsmCode()// executes the PublicCode stub in the current process
// Re-spaces the module-level PublicCode into byte pairs, copies it into a fresh RWX allocation in this
// process and transfers control to it through CallWindowProcA with four zero arguments.
// NOTE(review): the AsmCode array is ReDim'ed only to provide a loop bound; CodeSize, NewWriteCodeAddr
// are not Dim'ed; the allocation is never released.

Dim i                         //==========================================================

dim AsmCode1

AsmCode1=""

ReDim AsmCode(Len(PublicCode) / 2 - 1)

For i = 0 To UBound(AsmCode)

    AsmCode1 = AsmCode1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) // insert a space between byte pairs

Next

PublicCode = LTrim(AsmCode1)

TracePrint PublicCode

CodeSize = UBound(split(PublicCode, " "))+10 // +10 as slack; " " is the hex pair separator

//TracePrint  CodeSize

NewWriteCodeAddr = 申请指定进程空间(GetCurrentProcessId(), CodeSize)// allocate in this process

TracePrint Hex(NewWriteCodeAddr )

call 写入字节集(GetCurrentProcessId(), NewWriteCodeAddr, PublicCode)

Call CallWindowProcA(NewWriteCodeAddr,0,0,0,0) // jumps into the buffer; its return value is discarded

End Function


//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")  //记住要加上ret

//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")  //记住要加上ret


Function AsmClear()
    // Resets the shared PublicCode hex buffer that the opcode helpers append to.
    PublicCode = ""
End Function


Function 窗口的创建者ThreadPId(Hwnd,lpdwProcessId)
    // Returns the id of the thread that created window Hwnd; lpdwProcessId is forwarded to
    // GetWindowThreadProcessId unchanged (it is ByRef in the declaration).
    Dim threadId
    threadId = GetWindowThreadProcessId(Hwnd, lpdwProcessId)
    窗口的创建者ThreadPId = threadId
End Function


Function 跨进程模块通讯链接(ProcessId,SendData)
    // Placeholder: both parameters are ignored and only the "feature suspended" trace is printed.
    TracePrint "该功能暂停使用!"
end Function


Function 汇编执行代码(ByteData,Size)// author's note: works, but there is no way to obtain a return value yet
// Appends "C2 14 00" (retn 14h) to the hex string ByteData, copies it into a Size-byte RWX allocation in
// the current process and transfers control to it through CallWindowProcA.
// NOTE(review): Size is the caller's count, yet three bytes are appended before writing — confirm callers
// include that slack. Hwnd is a module-level variable, not a parameter; WriteAddr is not Dim'ed and the
// allocation is never released.

WriteAddr= 申请指定进程空间(GetCurrentProcessId(),Size) // buffer that holds the code

//TracePrint Hex(WriteAddr)

ByteData = ByteData + " C2 14 00"  // retn 14h

//TracePrint ByteData

call 写入字节集(GetCurrentProcessId(), WriteAddr, ByteData)  // writes the code bytes

call CallWindowProcA(WriteAddr, Hwnd, 0, 0, 0)

End function


Function 读内存数值A(ProcessId,Addr,Size)
// Reads Size bytes at Addr, one ReadProcessMemory call per byte, and sums them little-endian
// (byte i weighted by 256 ^ i; ^ makes the result a Double).
// NOTE(review): ProcessId is never used — the read goes through the module-level Handle_Process, which
// must already have been opened (读取四字节整数 is the only reader that opens it).

Dim i

char = space(2) // two-character string used as the one-byte receive buffer

For i = 0 To Size-1

    Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0)  // read one byte

    读内存数值A = 读内存数值A + AscB(char) * 256 ^ i

    //        TracePrint  读内存数值A

Next

End Function


//TracePrint 读取八字节整数(Handle_Process,  &H01259F8)


Function 读取单字节整数(ProcessId,Addr)
// Reads the single byte at Addr and returns its value.
// NOTE(review): ProcessId is never used — the read goes through the module-level Handle_Process, which
// must already have been opened (读取四字节整数 is the only reader that opens it).

Dim i

char = space(2) // two-character string used as the one-byte receive buffer

For i = 0 To 1-1  // one byte

    Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0)  // read one byte

    读取单字节整数= 读取单字节整数+ AscB(char) * 256 ^ i

    //        TracePrint 读取单字节整数

Next

End Function



Function  读取双字节整数(ProcessId,Addr)
// Reads two bytes at Addr and returns them as a little-endian value (low byte first).
// NOTE(review): ProcessId is never used — the read goes through the module-level Handle_Process, which
// must already have been opened (读取四字节整数 is the only reader that opens it).

Dim i

char = space(2) // two-character string used as the one-byte receive buffer

For i = 0 To 2-1  // two bytes

    Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0)  // read one byte

    读取双字节整数= 读取双字节整数+ AscB(char) * 256 ^ i

    //        TracePrint 读取单字节整数

Next

End Function


Function 读取四字节整数(ProcessId, Addr)
// Reads four bytes at Addr in process ProcessId and returns them as a little-endian value
// (byte i weighted by 256 ^ i, so the result is a Double).
// The handle opened here is kept in the module-level Handle_Process and never closed; the sibling
// readers (读取单字节整数, 读取双字节整数, 读取八字节整数, 读内存数值A) depend on it having been set here.

Handle_Process = OpenProcess(2035711, false, ProcessId) // 2035711 = &H1F0FFF, the legacy all-access mask, far more than a read needs

Dim i

char = space(2) // two-character string used as the one-byte receive buffer; the author was unsure this is safe

For i = 0 To (4 - 1)// four bytes

    Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0)  // read one byte

    读取四字节整数= 读取四字节整数+ AscB(char) * 256 ^ i

    //        TracePrint 读取四字节整数

Next

End Function



Function 读取八字节整数(ProcessId, Addr)
// Reads eight bytes at Addr and returns them as a little-endian value (Double arithmetic, so values
// above 2^53 lose precision).
// NOTE(review): ProcessId is never used — the read goes through the module-level Handle_Process, which
// must already have been opened (读取四字节整数 is the only reader that opens it).


Dim i

char = space(2) // two-character string used as the one-byte receive buffer

For i = 0 To 8-1  // eight bytes (the original comment said four)

    Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0)  // read one byte

    读取八字节整数= 读取八字节整数+ AscB(char) * 256 ^ i

    //        TracePrint 读取八字节整数

Next

End Function


//TracePrint  读取地址二进制字节集(Handle_Process,  &H00290E9C,10)

Function 读取地址二进制字节集(ProcessId, Addr, Size)
    // Reads Size consecutive bytes from Addr (one 读取单字节整数 call each) and returns them as
    // space-separated hex text. Hex() does not zero-pad, so a byte below 16 appears as one digit.
    Dim offset, hexDump
    hexDump = ""
    For offset = 0 To (Size - 1)
        hexDump = hexDump & " " & Hex(读取单字节整数(ProcessId, Addr + offset))
    Next
    读取地址二进制字节集 = LTrim(hexDump)
End Function


//TracePrint  读取指定长度字符串ASCII(Handle_Process,  &H00290E9C,10)

Function 读取指定长度字符串ASCII(ProcessId, Addr, Size)
    // Reads Size bytes from Addr (one 读取单字节整数 call each), maps each through chr() and returns
    // the text with leading spaces trimmed. No terminator handling: exactly Size characters are read.
    Dim offset, text
    text = ""
    For offset = 0 To (Size - 1)
        text = text & chr(读取单字节整数(ProcessId, Addr + offset))
    Next
    读取指定长度字符串ASCII = LTrim(text)
End Function


Function 构造汇编代码(字节集)
    // Wraps 字节集 between two fixed decimal byte lists. Note that no separator is inserted at either
    // join, so 构造汇编代码("1,2") yields "...,651,293,...".
    Const HeadCode = "85,139,236,22,21,45,44,45,65"
    Const EndCode = "93,194,20,0"
    构造汇编代码 = HeadCode & 字节集 & EndCode
End Function


Function 创建线程(lpStartAddress) // author's note: the argument is the address of an assembled routine; can be tested with an API function
// NOTE(review): the start address actually passed is the module-level variable 返回值, not the
// lpStartAddress parameter, which is never read. dwCreationFlags 4 = CREATE_SUSPENDED (the author's
// note says the thread is left suspended for now). The returned handle is never closed by callers here.

创建线程=CreateThread(0, 0,返回值 , 0,4, 0) // 4 creates the thread suspended; not handled further yet

End function

//Call 远程卸载dll(iPID,返回值,"dm.dll")


// TracePrint 获取动态链接库句柄("kernel32.dll")

Function 获取动态链接库句柄(动态链接库函数名)
    // Returns GetModuleHandleA for the named module in the current process (0 when not loaded).
    Dim moduleHandle
    moduleHandle = GetModuleHandleA(动态链接库函数名)
    获取动态链接库句柄 = moduleHandle
End Function


Function 远程卸载dll(ProcessId, LoadLibraryA_Addr,字符串)
// NOTE(review): despite the name ("unload"), this is byte-for-byte the same logic as 远程注入dll: it
// copies 字符串 into ProcessId and starts a remote thread at LoadLibraryA_Addr with that buffer as the
// argument. The process handle, thread handle (RThwnd) and remote buffer are never released, and none
// of CodeSize, NewWriteCodeAddr, Handle_Process, RThwnd is Dim'ed.

CodeSize = len(字符串)+10 // +10 as slack

//TracePrint CodeSize

NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target

CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

RThwnd = CreateRemoteThread(Handle_Process, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)

End Function


Function 远程获取函数地址(ProcessId, LoadLibraryA_Addr,字符串)// author's note: unfinished
// NOTE(review): as written this duplicates 远程注入dll — it copies 字符串 into ProcessId and starts a
// remote thread at LoadLibraryA_Addr with the buffer as argument — and returns nothing, so it does not
// yet resolve any address. Handles and the remote buffer are never released; no local is Dim'ed.

CodeSize = len(字符串)+10 // +10 as slack

//TracePrint  CodeSize

NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target

CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

RThwnd = CreateRemoteThread(Handle_Process, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)

End Function


Function RunAsmCode(ProcessId, AsmType)// runs the PublicCode stub inside ProcessId
// Re-spaces the module-level PublicCode into byte pairs, copies it into a fresh RWX allocation in
// ProcessId and starts a remote thread on it. PublicCode itself is left in the spaced form.
// NOTE(review): AsmType is never referenced. The process handle, the thread handle (RThwnd) and the
// remote allocation are never released and there is no wait on the thread — callers use a fixed Delay.
// The allocate-RWX / write / CreateRemoteThread sequence here is the classic pattern that
// endpoint-detection rules alert on.

Dim i                         //==========================================================

dim AsmCode1

AsmCode1=""

ReDim AsmCode(Len(PublicCode) / 2 - 1) // sized only to provide the loop bound below

For i = 0 To UBound(AsmCode)

    AsmCode1 = AsmCode1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) // insert a space between byte pairs

Next

PublicCode = LTrim(AsmCode1)

//TracePrint PublicCode

十六进制字节集=PublicCode           //=========================================================

CodeSize = UBound(split(十六进制字节集, " "))+10 // +10 as slack; " " is the hex pair separator

//TracePrint  CodeSize

NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target

//TracePrint NewWriteCodeAddr

call 写入字节集(ProcessId, NewWriteCodeAddr, 十六进制字节集)

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

RThwnd = CreateRemoteThread(Handle_Process, 0, 0, NewWriteCodeAddr, 0, 0, 0)

End Function


Function 远程注入汇编代码(ProcessId, 十六进制字节集)
// Copies the already-spaced hex string 十六进制字节集 into a fresh RWX allocation in ProcessId and
// starts a remote thread on it (the commented examples above end the string with C3, i.e. ret).
// NOTE(review): the process handle, thread handle (RThwnd) and the allocation are never released;
// CodeSize, NewWriteCodeAddr, Handle_Process and RThwnd are not Dim'ed.

CodeSize = UBound(split(十六进制字节集, " "))+10 // +10 as slack; " " is the hex pair separator

//MessageBox   CodeSize

NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target

call 写入字节集(ProcessId, NewWriteCodeAddr, 十六进制字节集)

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

RThwnd = CreateRemoteThread(Handle_Process, 0, 0, NewWriteCodeAddr, 0, 0, 0)

End function

//Call 十六进制字节集转化成十进制字节集("55 8B EC A1 7C 24 2C 01 6A 00 8B 08 A1 78 3E 2C 01 8B C0 FF D0 5D C3")

Function 十六进制字节集转化成十进制字节集(HexByteStr)
    // Converts a hex byte string ("55 8B EC", spaces optional) into the same bytes as decimal text,
    // each preceded by a space: " 85 139 236".
    // Side effects kept from the original: the module-level array HexByteArr is ReDim'ed and filled
    // with the byte values, and the parameter is overwritten with its space-stripped form.
    Dim idx, decimalText
    HexByteStr = Replace(HexByteStr, " ", "")
    ReDim HexByteArr(Len(HexByteStr) / 2 - 1)
    decimalText = ""
    For idx = 0 To UBound(HexByteArr)
        HexByteArr(idx) = CByte("&H" & Mid(HexByteStr, idx * 2 + 1, 2))
        decimalText = decimalText & " " & HexByteArr(idx)
    Next
    十六进制字节集转化成十进制字节集 = decimalText
End Function


Function 获取函数地址API(Module, Name_Api)// author's note: this has a flaw
// Resolves Name_Api exported by Module in the *current* process: GetModuleHandleA for the module, then
// GetProcAddress with a raw pointer to an ANSI copy of the name made by 字符集ASCII变量指针.
// Returns 0 when either lookup fails (the retry loop is commented out).
// NOTE(review): the LocalAlloc made by 字符集ASCII变量指针 for the name is never freed, so every call leaks.

//Name_Api=Name_Api &"0000"

Dim Module_Handle,String_Addr,Function_Addr

//Do

Module_Handle = GetModuleHandleA(Module)// module base (0 if the module is not loaded here)

//    TracePrint "dll模块的地址="& Hex(Module_Handle)

String_Addr = 字符集ASCII变量指针(Name_Api)// pointer to the name bytes

//TracePrint "函数名字变量指针(存数据)="&String_Addr

Function_Addr = GetProcAddress(Module_Handle, String_Addr)// second argument is the pointer, not a String

//Loop Until Function_Addr <> 0

获取函数地址API = Function_Addr

End Function


Function 远程注入dll(ProcessId, LoadLibraryA_Addr,dll路径字符串)
// Copies dll路径字符串 into ProcessId and starts a remote thread at LoadLibraryA_Addr with that buffer
// as its argument — the textbook LoadLibrary remote-thread pattern that endpoint-detection rules flag.
// NOTE(review): the process handle, thread handle (RThwnd) and remote buffer are never released, the
// result of the load is not checked, and no local is Dim'ed. Same body as 远程卸载dll.

CodeSize = len(dll路径字符串)+10 // +10 as slack

//TracePrint  CodeSize

NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target

CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, dll路径字符串)

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

RThwnd = CreateRemoteThread(Handle_Process, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)

End Function


Function 申请指定进程空间(ProcessId,size)
// Allocates size bytes in process ProcessId with VirtualAllocEx and returns the base address (0 on failure).
// Flags: 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE — every buffer this file creates, including
// plain string buffers, is executable and writable, which is exactly what memory-scanning detections look for.
// NOTE(review): the handle opened here is stored in the module-level Handle_Process and never closed;
// tmp_Addr is not Dim'ed.

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

tmp_Addr = VirtualAllocEx(Handle_Process, 0, size, 4096, 64)

//TracePrint tmp_Addr

申请指定进程空间=tmp_Addr

End Function


Function 释放进程分配空间(ProcessId,Addr)
// Releases the allocation at Addr in ProcessId with VirtualFreeEx (32768 = MEM_RELEASE, which requires
// dwSize 0 as passed). The API result is discarded and nothing is returned.
// NOTE(review): the handle opened here is never closed.

Handle_Process = OpenProcess(2035711, False, ProcessId) // &H1F0FFF, legacy all-access mask

tmp_Addr = VirtualFreeEx(Handle_Process, Addr, 0,32768)  // size 0: the whole region is released

//TracePrint Hex(tmp_Addr)

End Function


Function 写入字符集ASCII(ProcessId, lpBaseAddress, 字符串)
// Writes 字符串 byte by byte (Asc of each character) to lpBaseAddress in ProcessId, one
// 写入单字符ASCII call — and therefore one OpenProcess/CloseHandle pair — per character.
// NOTE(review): no terminating zero is written; callers over-allocate by 4..10 bytes and presumably
// rely on the fresh allocation being zero-filled — confirm. Characters above 255 are truncated by Asc/ChrW.

i=1

For len(字符串) // counted loop of the host dialect: one pass per character

    //TracePrint mid(字符串, i, 1)

    //TracePrint Asc(mid(字符串, i, 1))

    字符代码数值 = Asc(mid(字符串, i, 1))

    Call 写入单字符ASCII(ProcessId, (lpBaseAddress-1+i), 字符代码数值)

    i=i+1

Next

End Function


Function 字符集ASCII变量指针(字符串)
// Builds a zero-terminated ANSI copy of 字符串 in this process: LocalAlloc(Len + 2), one
// 写入单字符ASCII call per character, then a 2-byte zero written after the last character.
// Returns the buffer address, used as the raw lpProcName for GetProcAddress by 获取函数地址API.
// NOTE(review): the LocalAlloc is never freed (LocalFree is declared but unused anywhere in the file).

Dim 内存大小

Dim NewAddr

Dim i

内存大小 = Len(字符串)

//TracePrint 内存大小

NewAddr = (LocalAlloc(0, 内存大小 + 2))// +2 leaves room for the terminating zero word

//    TracePrint  NewAddr

//TracePrint "申请存放汇编字节集" & Hex(NewAddr)

i=1

For len(字符串) // counted loop of the host dialect: one pass per character

    //TracePrint mid(字符串, i, 1)

    //TracePrint Asc(mid(字符串, i, 1))

    字符代码数值 = Asc(mid(字符串, i, 1))

    //        TracePrint 字符代码数值

    Call 写入单字符ASCII(GetCurrentProcessId(), (NewAddr - 1 + i), 字符代码数值)

    //        TracePrint NewAddr-1+i

    i=i+1

Next

call 写入双字节内存整数(GetCurrentProcessId(),(NewAddr - 1 + i),0) // terminator: i is now Len+1, so this lands right after the text

//    TracePrint "最后一个整" & NewAddr-1+i

字符集ASCII变量指针=NewAddr

End Function


Function 写入单字符ASCII(ProcessId, lpBaseAddress, WriteValue)
// Writes one byte — the low byte of the UTF-16 unit chrw(WriteValue) — to lpBaseAddress in ProcessId.
// Opens and closes a process handle on every call. Addr_Low is not Dim'ed.

Dim Handle_Process// process handle (local; shadows the module-level one)

Handle_Process = OpenProcess(2035711, false, ProcessId)// &H1F0FFF, legacy all-access mask

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = chrw(WriteValue)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)  // nSize 1: only the first byte of the character is written

call  CloseHandle (Handle_Process)// close the process handle

End Function



Function 写入字节集(ProcessId, WriteAddr, 十六进制字节集)
// Writes a space-separated hex byte string ("55 8B EC") to WriteAddr in ProcessId, one
// 写入单字节整数 call (and one OpenProcess/CloseHandle pair) per byte.
// Expects the spaced form; callers produce it with 十六进制字节集标准化 or the loops in RunAsmCode.
// NOTE(review): NewAddr, 字节数组 and i are not Dim'ed, so they become module-level variables.


NewAddr = WriteAddr // destination start

//TracePrint "申请存放汇编字节集地址" & Hex(NewAddr)

字节数组=Split(十六进制字节集," ")

i=0

For UBound(字节数组)+1 // counted loop of the host dialect: one pass per byte

    //TracePrint 字节数组(i)

    call 写入单字节整数(ProcessId, NewAddr+i,"&H"&字节数组(i)) // "&H" prefix so the hex text is evaluated as a number

    i=i+1

Next

End Function


Function 字节集变量指针(十六进制字节集)
// Copies a space-separated list of *decimal* byte values (int() of each token) into a fresh 200-byte
// LocalAlloc in this process and returns its address.
// NOTE(review): the 200-byte size is fixed and not checked against UBound(字节数组)+1, so a longer list
// writes past the allocation; the LocalAlloc is never freed; NewAddr, 字节数组 and i are not Dim'ed.

NewAddr = LocalAlloc(0, 200)

//TracePrint "申请存放汇编字节集" & Hex(NewAddr)

字节数组=Split(十六进制字节集," ")

i=0

For UBound(字节数组)+1 // counted loop of the host dialect: one pass per byte

    //TracePrint 字节数组(i)

    call 写入单字节整数(GetCurrentProcessId(), NewAddr+i,int(字节数组(i)))

    i=i+1

Next

字节集变量指针=NewAddr

End Function


Function 写入单字节整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the destination address
// Writes the low byte of WriteValue (WriteValue mod 256, via the low byte of a UTF-16 unit) to
// lpBaseAddress in ProcessId. Opens and closes a process handle on every call; Addr_Low is not Dim'ed.

Dim Handle_Process// process handle (local; shadows the module-level one)

Handle_Process = OpenProcess(2035711, false, ProcessId)// &H1F0FFF, legacy all-access mask

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = chrw(WriteValue mod 256)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

//Addr_High = chrw(int(WriteValue / 65536))// high word — unused here; author's note: check the 2-byte and 4-byte maxima for overflow when testing

Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)  // nSize 1: one byte

//Call Write(Handle_Process, lpBaseAddress + 2, Addr_High, 2, 0)

call  CloseHandle (Handle_Process)// close the process handle

End Function


Function 写入双字节内存整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the destination address
// Writes WriteValue as a 16-bit little-endian value (the UTF-16 unit Chrw(WriteValue), 2 bytes) to
// lpBaseAddress in ProcessId. No masking: WriteValue must already fit Chrw's range.
// Opens and closes a process handle on every call; Addr_Low is not Dim'ed.

Dim Handle_Process// process handle (local; shadows the module-level one)

Handle_Process = OpenProcess(2035711, false, ProcessId)// &H1F0FFF, legacy all-access mask

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = Chrw(WriteValue)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)  // nSize 2: both bytes of the character

call  CloseHandle (Handle_Process)// close the process handle

End Function


Function 双字节整数变量指针(WriteValue)// returns a pointer to a 2-byte copy of WriteValue in this process
// LocalAlloc(2) then writes the UTF-16 unit Chrw(WriteValue) into it through WriteProcessMemory on the
// current process; returns the buffer address.
// NOTE(review): the LocalAlloc is never freed; NewAddr and Addr_Low are not Dim'ed.

NewAddr = LocalAlloc(0, 2)

//TracePrint "申请存放汇编字节集" & Hex(NewAddr)

Dim Handle_Process// process handle (local)

Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())// &H1F0FFF on our own process

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = Chrw(WriteValue)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0)  // nSize 2: both bytes of the character

Call CloseHandle(Handle_Process)// close the process handle

双字节整数变量指针=NewAddr

End Function



Function 写入四字节内存整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the destination address
// Writes WriteValue as a 32-bit little-endian value to lpBaseAddress in ProcessId, as two 16-bit writes:
// the low word (WriteValue mod 65536) at lpBaseAddress, the high word (int(WriteValue / 65536)) at +2.
// NOTE(review): mod and int behave differently for negative values, so negative inputs are not round-trip
// safe — confirm callers only pass non-negative values. Opens and closes a handle per call.

Dim Handle_Process// process handle (local; shadows the module-level one)

Handle_Process = OpenProcess(2035711, false, ProcessId)// &H1F0FFF, legacy all-access mask

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = Chrw(WriteValue mod 65536)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

Addr_High = Chrw(int(WriteValue / 65536))// high word; author's note: check the 2-byte and 4-byte maxima for overflow when testing

Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)  // low word

Call WriteProcessMemory(Handle_Process, lpBaseAddress + 2, Addr_High, 2, 0)// high word

call  CloseHandle (Handle_Process)// close the process handle

End Function


Function 四字节整数变量指针(WriteValue)// returns a pointer to a 4-byte copy of WriteValue in this process
// LocalAlloc(4) then writes WriteValue little-endian as two 16-bit words (low word at +0, high word at +2)
// through WriteProcessMemory on the current process; returns the buffer address.
// NOTE(review): the LocalAlloc is never freed; NewAddr, Addr_Low and Addr_High are not Dim'ed; negative
// values are split with mod/int and are not round-trip safe.

NewAddr = LocalAlloc(0, 4)

//TracePrint "申请存放汇编字节集" & Hex(NewAddr)

Dim Handle_Process// process handle (local)

Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())// &H1F0FFF on our own process

//TracePrint "Handle_Process=" & Handle_Process

Addr_Low = Chrw(WriteValue mod 65536)/* WriteProcessMemory needs the data by address, so the value cannot be passed as a Long directly; it is split into low and high words held as Unicode characters — one character holds two bytes, two characters make four */

Addr_High = Chrw(int(WriteValue / 65536))// high word; author's note: check the 2-byte and 4-byte maxima for overflow when testing

Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0)  // low word

Call WriteProcessMemory(Handle_Process, NewAddr + 2, Addr_High, 2, 0)// high word

call  CloseHandle (Handle_Process)// close the process handle

End Function


Function 获取变量数据类型(变量)
    // Returns the VBScript subtype name of 变量 (e.g. "String", "Long", "Empty") via TypeName.
    Dim subtypeName
    subtypeName = TypeName(变量)
    获取变量数据类型 = subtypeName
End Function



//Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long

// CallAnyFunc = CallAsmCode(NewAddr, 0, 0, 0, 0)


//======================================================================================这里是常用区


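Function 十六进制转十进制(十六进制字符串)
    // Converts a hex string such as "FFFFFF" (either case, no "&H" prefix) to its numeric value.
    // Example: 十六进制转十进制("FF") = 255; an empty string gives 0.
    // Digits outside 0-9 / A-F are not validated: each character is mapped as Asc - 48, minus 7 for
    // letters, exactly as before.
    // Fix: the original stored the result only in 内部使用_十六进制转十进制 and never assigned the
    // function name, so every caller received Empty. Both are now set, keeping the old side effect.
    Dim D, H, i, Ia
    D = 0
    H = UCase(十六进制字符串)
    For i = 1 To Len(H)
        Ia = Asc(Mid(H, i, 1)) - 48
        If Ia > 9 Then Ia = Ia - 7   // 'A'..'F' sit seven code points past '9'
        D = D * 16 + Ia
    Next
    内部使用_十六进制转十进制 = D
    十六进制转十进制 = D
End Function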



//=======================================================================================常用命令

Function W_GetCode()
    // Accessor for the shared PublicCode hex buffer assembled by the opcode helpers.
    Dim current
    current = PublicCode
    W_GetCode = current
End Function


Function W_HighAndLow(Value , n) ' little-endian hex formatter
    ' Returns Value as an n-digit zero-padded hex string with its byte pairs reversed,
    ' i.e. the little-endian byte order used for x86 immediates:
    ' W_HighAndLow(&H12345678, 8) = "78563412", W_HighAndLow(5, 8) = "05000000".
    ' Padding is at most seven zeros, so n above Len(Hex(Value)) + 7 yields a shorter string.
    Dim padded, swapped, pos
    padded = Right("0000000" & Hex(Value), n)
    swapped = ""
    pos = Len(padded) - 1
    Do While pos >= 1
        swapped = swapped & Mid(padded, pos, 2)
        pos = pos - 2
    Loop
    W_HighAndLow = swapped
End Function



//Function W_HighAndLow(Value, n)'高低位互换,这个是更新版本,n是多余的参数,还有bug 0000

//    If Value <255 and Value >16 Then

//        W_HighAndLow = Hex(Value)

//    ElseIf Value < 16 and Value >=0 Then

//      

//            W_HighAndLow = "0" + Hex(Value)

//        

//    Else

//        W_HighAndLow = Hex(htonl(Value))

//    End If

//End Function

//


Function Leave()
    // leave (C9): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "C9"
End Function


Function Pushad()
    // pushad (60): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "60"
End Function


Function Popad()
    // popad (61): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "61"
End Function


Function Nop()
    // nop (90): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "90"
End Function


Function Ret()
    // ret (C3): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "C3"
End Function


Function Retn(i)
    // ret imm16 (C2 + i as four little-endian hex digits from W_HighAndLow).
    Dim operand
    operand = W_HighAndLow(i, 4)
    PublicCode = PublicCode & "C2" & operand
End Function


Function RetA(i)
    // Appends only a 16-bit little-endian immediate (four hex digits) — no opcode byte is emitted.
    Dim operand
    operand = W_HighAndLow(i, 4)
    PublicCode = PublicCode & operand
End Function


Function IN_AL_DX()
    // in al, dx (EC): append the opcode to the shared PublicCode hex string.
    PublicCode = PublicCode & "EC"
End Function


Function TEST_EAX_EAX()
    // test eax, eax (85 C0): append the opcode bytes to the shared PublicCode hex string.
    PublicCode = PublicCode & "85C0"
End Function


'Add

'+++++++++++++++++++++++++++++++++++

Function Add_EAX_EDX()
    // add eax, edx (03 C2): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "03C2"
End Function


Function Add_EBX_EAX()
    // add ebx, eax (03 D8): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "03D8"
End Function


Function Add_EAX_DWORD_Ptr(i)
    // add eax, dword ptr [i] (03 05 + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "0305" & addr
End Function


Function Add_EBX_DWORD_Ptr(i)
    // add ebx, dword ptr [i] (03 1D + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "031D" & addr
End Function


Function Add_EBP_DWORD_Ptr(i)
    // add ebp, dword ptr [i] (03 2D + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "032D" & addr
End Function


Function Add_EAX(i)
    // add eax, imm32 (05 + i as eight little-endian hex digits).
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "05" & imm
End Function


Function Add_EBX(i)
    // Appends 83 C3 followed by i as eight little-endian hex digits to PublicCode.
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "83C3" & imm
End Function


Function Add_ECX(i)
    // Appends 83 C1 followed by i as eight little-endian hex digits to PublicCode.
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "83C1" & imm
End Function


Function Add_EDX(i)
    // Appends 83 C2 followed by i as eight little-endian hex digits to PublicCode.
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "83C2" & imm
End Function


Function Add_ESI(i)
    // Appends 83 C6 followed by i as eight little-endian hex digits to PublicCode.
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "83C6" & imm
End Function


Function Add_ESP(i)
    // Appends 83 C4 followed by i as eight little-endian hex digits to PublicCode.
    Dim imm
    imm = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "83C4" & imm
End Function


'Call

'+++++++++++++++++++++++++++++++++++

Function Call_EAX()
    // call eax (FF D0): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD0"
End Function


Function Call_EBX()
    // call ebx (FF D3): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD3"
End Function


Function Call_ECX()
    // call ecx (FF D1): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD1"
End Function


Function Call_EDX()
    // call edx (FF D2): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD2"
End Function


Function Call_ESI()
    // call esi (FF D6): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD6"
End Function


Function Call_ESP()
    // call esp (FF D4): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD4"
End Function


Function Call_EBP()
    // call ebp (FF D5): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD5"
End Function


Function Call_EDI()
    // call edi (FF D7): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FFD7"
End Function


Function Call_DWORD_Ptr_Addr(i)
    // call dword ptr [i] (FF 15 + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "FF15" & addr
End Function


//Function Call_DWORD_Ptr_Value(i ) //这个是新加进去的,这个时候错误的

//PublicCode = PublicCode + "E8" + W_HighAndLow(i, 8)

//End Function


Function Call_DWORD_Ptr_EAX()
    // call dword ptr [eax] (FF 10): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FF10"
End Function


Function Call_DWORD_Ptr_EBX()
    // call dword ptr [ebx] (FF 13): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "FF13"
End Function


'Cmp

'+++++++++++++++++++++++++++++++++++

Function Cmp_EAX(i)
    // cmp eax, imm: the short form 83 F8 + two hex digits when 0 <= i <= 255,
    // otherwise 3D + i as eight little-endian hex digits.
    Dim useShortForm
    useShortForm = (i >= 0) And (i <= 255)
    If useShortForm Then
        PublicCode = PublicCode & "83F8" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "3D" & W_HighAndLow(i, 8)
    End If
End Function


Function Cmp_EAX_EDX()
    // cmp eax, edx (3B C2): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "3BC2"
End Function


Function Cmp_EAX_DWORD_Ptr(i)
    // cmp eax, dword ptr [i] (3B 05 + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "3B05" & addr
End Function


Function Cmp_DWORD_Ptr_EAX(i)
    // cmp dword ptr [i], eax (39 05 + i as eight little-endian hex digits).
    Dim addr
    addr = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "3905" & addr
End Function


'DEC

'+++++++++++++++++++++++++++++++++++

Function Dec_EAX()
    // dec eax (48): append the opcode to PublicCode.
    PublicCode = PublicCode & "48"
End Function


Function Dec_EBX()
    // dec ebx (4B): append the opcode to PublicCode.
    PublicCode = PublicCode & "4B"
End Function


Function Dec_ECX()
    // dec ecx (49): append the opcode to PublicCode.
    PublicCode = PublicCode & "49"
End Function


Function Dec_EDX()
    // dec edx (4A): append the opcode to PublicCode.
    PublicCode = PublicCode & "4A"
End Function


'Idiv

'+++++++++++++++++++++++++++++++++++

Function Idiv_EAX()
    // idiv eax (F7 F8): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "F7F8"
End Function


Function Idiv_EBX()
    // idiv ebx (F7 FB): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "F7FB"
End Function


Function Idiv_ECX()
    // idiv ecx (F7 F9): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "F7F9"
End Function


Function Idiv_EDX()
    // idiv edx (F7 FA): append the opcode bytes to PublicCode.
    PublicCode = PublicCode & "F7FA"
End Function


'Imul

'+++++++++++++++++++++++++++++++++++

Function Imul_EAX_EDX()
    ' imul eax, edx (0F AF C2): append the opcode hex text to PublicCode.
    Dim op
    op = "0FAFC2"
    PublicCode = PublicCode & op
End Function


Function Imul_EAX(i)
    ' imul eax, eax, imm8 (6B C0 ib).  The CPU sign-extends the byte, so callers
    ' must keep i within -128..127; no range check is performed here.
    Dim op
    op = "6BC0" & W_HighAndLow(i, 2)
    PublicCode = PublicCode & op
End Function


Function ImulB_EAX(i)
    ' imul eax, eax, imm32 (69 C0 id): full-width multiplier form.
    Dim op
    op = "69C0" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


'INC

'+++++++++++++++++++++++++++++++++++

Function Inc_EAX()
    ' inc eax (40): append the opcode hex text to PublicCode.
    Dim op
    op = "40"
    PublicCode = PublicCode & op
End Function


Function Inc_EBX()
    ' inc ebx (43): append the opcode hex text to PublicCode.
    Dim op
    op = "43"
    PublicCode = PublicCode & op
End Function


Function Inc_ECX()
    ' inc ecx (41): append the opcode hex text to PublicCode.
    Dim op
    op = "41"
    PublicCode = PublicCode & op
End Function


Function Inc_EDX()
    ' inc edx (42): append the opcode hex text to PublicCode.
    Dim op
    op = "42"
    PublicCode = PublicCode & op
End Function


Function Inc_EDI()
    ' inc edi (47): append the opcode hex text to PublicCode.
    Dim op
    op = "47"
    PublicCode = PublicCode & op
End Function


Function Inc_ESI()
    ' inc esi (46): append the opcode hex text to PublicCode.
    Dim op
    op = "46"
    PublicCode = PublicCode & op
End Function


Function Inc_DWORD_Ptr_EAX()
    ' inc dword ptr [eax] (FF 00): append the opcode hex text to PublicCode.
    Dim op
    op = "FF00"
    PublicCode = PublicCode & op
End Function


Function Inc_DWORD_Ptr_EBX()
    ' inc dword ptr [ebx] (FF 03): append the opcode hex text to PublicCode.
    Dim op
    op = "FF03"
    PublicCode = PublicCode & op
End Function


Function Inc_DWORD_Ptr_ECX()
    ' inc dword ptr [ecx] (FF 01): append the opcode hex text to PublicCode.
    Dim op
    op = "FF01"
    PublicCode = PublicCode & op
End Function


Function Inc_DWORD_Ptr_EDX()
    ' inc dword ptr [edx] (FF 02): append the opcode hex text to PublicCode.
    Dim op
    op = "FF02"
    PublicCode = PublicCode & op
End Function


'JMP/JE/JNE

'+++++++++++++++++++++++++++++++++++

Function JMP_EAX()
    ' jmp eax (FF E0): indirect jump through eax; appends the opcode hex to PublicCode.
    Dim op
    op = "FFE0"
    PublicCode = PublicCode & op
End Function


'Mov

Function Mov_DWORD_Ptr_Addr_EAX(i)
    ' mov dword ptr [i], eax (A3 moffs32); i is an absolute address.
    Dim op
    op = "A3" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_DWORD_Ptr_Addr_AL(i)
    ' mov byte ptr [i], al (A2 moffs32); despite the name this stores a single byte.
    Dim op
    op = "A2" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_DWORD_Ptr_Addr_AH(i)
    ' mov byte ptr [i], ah (88 25 disp32); despite the name this stores a single byte.
    Dim op
    op = "8825" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_Value(i)
    ' mov eax, imm32 (B8 id): load the 32-bit constant i into eax.
    Dim op
    op = "B8" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_Value(i)
    ' mov ebx, imm32 (BB id): load the 32-bit constant i into ebx.
    Dim op
    op = "BB" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_Value(i)
    ' mov ecx, imm32 (B9 id): load the 32-bit constant i into ecx.
    Dim op
    op = "B9" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_Value(i)
    ' mov edx, imm32 (BA id): load the 32-bit constant i into edx.
    Dim op
    op = "BA" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_Value(i)
    ' mov esi, imm32 (BE id): load the 32-bit constant i into esi.
    Dim op
    op = "BE" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_Value(i)
    ' mov esp, imm32 (BC id): overwrites the stack pointer with the constant i.
    Dim op
    op = "BC" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_Value(i)
    ' mov ebp, imm32 (BD id): load the 32-bit constant i into ebp.
    Dim op
    op = "BD" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_Value(i)
    ' mov edi, imm32 (BF id): load the 32-bit constant i into edi.
    Dim op
    op = "BF" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr(i)
    ' mov ebx, dword ptr [i] (8B 1D disp32); i is an absolute address.
    Dim op
    op = "8B1D" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_Addr(i)
    ' mov ecx, dword ptr [i] (8B 0D disp32); i is an absolute address.
    Dim op
    op = "8B0D" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_Addr(i)
    ' mov eax, dword ptr [i] (A1 moffs32); i is an absolute address.
    Dim op
    op = "A1" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_Addr(i)
    ' mov edx, dword ptr [i] (8B 15 disp32); i is an absolute address.
    Dim op
    op = "8B15" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_DWORD_Ptr_Addr(i)
    ' mov esi, dword ptr [i] (8B 35 disp32); i is an absolute address.
    Dim op
    op = "8B35" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_DWORD_Ptr_Addr(i)
    ' mov esp, dword ptr [i] (8B 25 disp32): replaces the stack pointer from memory.
    Dim op
    op = "8B25" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_DWORD_Ptr_Addr(i)
    ' mov ebp, dword ptr [i] (8B 2D disp32); i is an absolute address.
    Dim op
    op = "8B2D" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_EAX()
    ' mov eax, dword ptr [eax] (8B 00).
    Dim op
    op = "8B00"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_EBP()
    ' mov eax, dword ptr [ebp+0] (8B 45 00): [ebp] has no disp-less form, so a zero disp8 is used.
    Dim op
    op = "8B4500"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_EBX()
    ' mov eax, dword ptr [ebx] (8B 03).
    Dim op
    op = "8B03"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_ECX()
    ' mov eax, dword ptr [ecx] (8B 01).
    Dim op
    op = "8B01"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_EDX()
    ' mov eax, dword ptr [edx] (8B 02).
    Dim op
    op = "8B02"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_EDI()
    ' mov eax, dword ptr [edi] (8B 07).
    Dim op
    op = "8B07"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_ESP()
    ' mov eax, dword ptr [esp] (8B 04 24): esp as base always needs the SIB byte 24.
    Dim op
    op = "8B0424"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_DWORD_Ptr_ESI()
    ' mov eax, dword ptr [esi] (8B 06).
    Dim op
    op = "8B06"
    PublicCode = PublicCode & op
End Function


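Function Mov_EAX_DWORD_Ptr_EAX_Add(i)
    ' mov eax, dword ptr [eax+i]: 8B 40 disp8 or 8B 80 disp32.
    ' disp8 is sign-extended by the CPU, so the short form is only valid for 0..127;
    ' the old 255 cutoff turned 128..255 into a negative displacement (wrong address).
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B40" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B80" & W_HighAndLow(i, 8)
    End If
End Function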


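Function Mov_EAX_DWORD_Ptr_ESP_Add(i)
    ' mov eax, dword ptr [esp+i]: 8B 44 24 disp8 or 8B 84 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4424" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8424" & W_HighAndLow(i, 8)
    End If
End Function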


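Function Mov_EAX_DWORD_Ptr_EBX_Add(i)
    ' mov eax, dword ptr [ebx+i]: 8B 43 disp8 or 8B 83 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B43" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B83" & W_HighAndLow(i, 8)
    End If
End Function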


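Function Mov_EAX_DWORD_Ptr_ECX_Add(i)
    ' mov eax, dword ptr [ecx+i]: 8B 41 disp8 or 8B 81 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B41" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B81" & W_HighAndLow(i, 8)
    End If
End Function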


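Function Mov_EAX_DWORD_Ptr_EDX_Add(i)
    ' mov eax, dword ptr [edx+i]: 8B 42 disp8 or 8B 82 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B42" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B82" & W_HighAndLow(i, 8)
    End If
End Function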


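Function Mov_EAX_DWORD_Ptr_EDI_Add(i)
    ' mov eax, dword ptr [edi+i]: 8B 47 disp8 or 8B 87 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B47" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B87" & W_HighAndLow(i, 8)
    End If
End Function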


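Function Mov_EAX_DWORD_Ptr_EBP_Add(i)
    ' mov eax, dword ptr [ebp+i]: 8B 45 disp8 or 8B 85 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B45" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B85" & W_HighAndLow(i, 8)
    End If
End Function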


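Function Mov_EAX_DWORD_Ptr_ESI_Add(i)
    ' mov eax, dword ptr [esi+i]: 8B 46 disp8 or 8B 86 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B46" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B86" & W_HighAndLow(i, 8)
    End If
End Function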


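Function Mov_EBX_DWORD_Ptr_EAX_Add(i)
    ' mov ebx, dword ptr [eax+i]: 8B 58 disp8 or 8B 98 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B58" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B98" & W_HighAndLow(i, 8)
    End If
End Function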


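Function Mov_EBX_DWORD_Ptr_ESP_Add(i)
    ' mov ebx, dword ptr [esp+i]: 8B 5C 24 disp8 or 8B 9C 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5C24" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9C24" & W_HighAndLow(i, 8)
    End If
End Function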


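Function Mov_EBX_DWORD_Ptr_EBX_Add(i)
    ' mov ebx, dword ptr [ebx+i]: 8B 5B disp8 or 8B 9B disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5B" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9B" & W_HighAndLow(i, 8)
    End If
End Function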


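Function Mov_EBX_DWORD_Ptr_ECX_Add(i)
    ' mov ebx, dword ptr [ecx+i]: 8B 59 disp8 or 8B 99 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B59" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B99" & W_HighAndLow(i, 8)
    End If
End Function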


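Function Mov_EBX_DWORD_Ptr_EDX_Add(i)
    ' mov ebx, dword ptr [edx+i]: 8B 5A disp8 or 8B 9A disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5A" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9A" & W_HighAndLow(i, 8)
    End If
End Function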


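Function Mov_EBX_DWORD_Ptr_EDI_Add(i)
    ' mov ebx, dword ptr [edi+i]: 8B 5F disp8 or 8B 9F disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5F" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9F" & W_HighAndLow(i, 8)
    End If
End Function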


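Function Mov_EBX_DWORD_Ptr_EBP_Add(i)
    ' mov ebx, dword ptr [ebp+i]: 8B 5D disp8 or 8B 9D disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5D" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9D" & W_HighAndLow(i, 8)
    End If
End Function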


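Function Mov_EBX_DWORD_Ptr_ESI_Add(i)
    ' mov ebx, dword ptr [esi+i]: 8B 5E disp8 or 8B 9E disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5E" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9E" & W_HighAndLow(i, 8)
    End If
End Function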


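Function Mov_ECX_DWORD_Ptr_EAX_Add(i)
    ' mov ecx, dword ptr [eax+i]: 8B 48 disp8 or 8B 88 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B48" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B88" & W_HighAndLow(i, 8)
    End If
End Function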


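Function Mov_ECX_DWORD_Ptr_ESP_Add(i)
    ' mov ecx, dword ptr [esp+i]: 8B 4C 24 disp8 or 8B 8C 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4C24" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8C24" & W_HighAndLow(i, 8)
    End If
End Function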


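Function Mov_ECX_DWORD_Ptr_EBX_Add(i)
    ' mov ecx, dword ptr [ebx+i]: 8B 4B disp8 or 8B 8B disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4B" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8B" & W_HighAndLow(i, 8)
    End If
End Function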


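Function Mov_ECX_DWORD_Ptr_ECX_Add(i)
    ' mov ecx, dword ptr [ecx+i]: 8B 49 disp8 or 8B 89 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B49" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B89" & W_HighAndLow(i, 8)
    End If
End Function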


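Function Mov_ECX_DWORD_Ptr_EDX_Add(i)
    ' mov ecx, dword ptr [edx+i]: 8B 4A disp8 or 8B 8A disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4A" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8A" & W_HighAndLow(i, 8)
    End If
End Function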


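Function Mov_ECX_DWORD_Ptr_EDI_Add(i)
    ' mov ecx, dword ptr [edi+i]: 8B 4F disp8 or 8B 8F disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4F" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8F" & W_HighAndLow(i, 8)
    End If
End Function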


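Function Mov_ECX_DWORD_Ptr_EBP_Add(i)
    ' mov ecx, dword ptr [ebp+i]: 8B 4D disp8 or 8B 8D disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4D" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8D" & W_HighAndLow(i, 8)
    End If
End Function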


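Function Mov_ECX_DWORD_Ptr_ESI_Add(i)
    ' mov ecx, dword ptr [esi+i]: 8B 4E disp8 or 8B 8E disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B4E" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B8E" & W_HighAndLow(i, 8)
    End If
End Function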


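Function Mov_EDX_DWORD_Ptr_EAX_Add(i)
    ' mov edx, dword ptr [eax+i]: 8B 50 disp8 or 8B 90 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B50" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B90" & W_HighAndLow(i, 8)
    End If
End Function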


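Function Mov_EDX_DWORD_Ptr_ESP_Add(i)
    ' mov edx, dword ptr [esp+i]: 8B 54 24 disp8 or 8B 94 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B5424" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B9424" & W_HighAndLow(i, 8)
    End If
End Function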


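Function Mov_EDX_DWORD_Ptr_EBX_Add(i)
    ' mov edx, dword ptr [ebx+i]: 8B 53 disp8 or 8B 93 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B53" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B93" & W_HighAndLow(i, 8)
    End If
End Function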


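Function Mov_EDX_DWORD_Ptr_ECX_Add(i)
    ' mov edx, dword ptr [ecx+i]: 8B 51 disp8 or 8B 91 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B51" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B91" & W_HighAndLow(i, 8)
    End If
End Function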


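Function Mov_EDX_DWORD_Ptr_EDX_Add(i)
    ' mov edx, dword ptr [edx+i]: 8B 52 disp8 or 8B 92 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B52" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B92" & W_HighAndLow(i, 8)
    End If
End Function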


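Function Mov_EDX_DWORD_Ptr_EDI_Add(i)
    ' mov edx, dword ptr [edi+i]: 8B 57 disp8 or 8B 97 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B57" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B97" & W_HighAndLow(i, 8)
    End If
End Function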


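Function Mov_EDX_DWORD_Ptr_EBP_Add(i)
    ' mov edx, dword ptr [ebp+i]: 8B 55 disp8 or 8B 95 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B55" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B95" & W_HighAndLow(i, 8)
    End If
End Function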


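Function Mov_EDX_DWORD_Ptr_ESI_Add(i)
    ' mov edx, dword ptr [esi+i]: 8B 56 disp8 or 8B 96 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8B56" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8B96" & W_HighAndLow(i, 8)
    End If
End Function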


Function Mov_EBX_DWORD_Ptr_EAX()
    ' mov ebx, dword ptr [eax] (8B 18).
    Dim op
    op = "8B18"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_EBP()
    ' mov ebx, dword ptr [ebp+0] (8B 5D 00): ebp base requires an explicit zero disp8.
    Dim op
    op = "8B5D00"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_EBX()
    ' mov ebx, dword ptr [ebx] (8B 1B).
    Dim op
    op = "8B1B"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_ECX()
    ' mov ebx, dword ptr [ecx] (8B 19).
    Dim op
    op = "8B19"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_EDX()
    ' mov ebx, dword ptr [edx] (8B 1A).
    Dim op
    op = "8B1A"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_EDI()
    ' mov ebx, dword ptr [edi] (8B 1F).
    Dim op
    op = "8B1F"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_ESP()
    ' mov ebx, dword ptr [esp] (8B 1C 24): esp base needs the SIB byte 24.
    Dim op
    op = "8B1C24"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_DWORD_Ptr_ESI()
    ' mov ebx, dword ptr [esi] (8B 1E).
    Dim op
    op = "8B1E"
    PublicCode = PublicCode & op
End Function

Function Mov_ECX_DWORD_Ptr_EAX()
    ' mov ecx, dword ptr [eax] (8B 08).
    Dim op
    op = "8B08"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_EBP()
    ' mov ecx, dword ptr [ebp+0] (8B 4D 00): ebp base requires an explicit zero disp8.
    Dim op
    op = "8B4D00"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_EBX()
    ' mov ecx, dword ptr [ebx] (8B 0B).
    Dim op
    op = "8B0B"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_ECX()
    ' mov ecx, dword ptr [ecx] (8B 09).
    Dim op
    op = "8B09"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_EDX()
    ' mov ecx, dword ptr [edx] (8B 0A).
    Dim op
    op = "8B0A"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_EDI()
    ' mov ecx, dword ptr [edi] (8B 0F).
    Dim op
    op = "8B0F"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_ESP()
    ' mov ecx, dword ptr [esp] (8B 0C 24): esp base needs the SIB byte 24.
    Dim op
    op = "8B0C24"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_DWORD_Ptr_ESI()
    ' mov ecx, dword ptr [esi] (8B 0E).
    Dim op
    op = "8B0E"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_EAX()
    ' mov edx, dword ptr [eax] (8B 10).
    Dim op
    op = "8B10"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_EBP()
    ' mov edx, dword ptr [ebp+0] (8B 55 00): ebp base requires an explicit zero disp8.
    Dim op
    op = "8B5500"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_EBX()
    ' mov edx, dword ptr [ebx] (8B 13).
    Dim op
    op = "8B13"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_ECX()
    ' mov edx, dword ptr [ecx] (8B 11).
    Dim op
    op = "8B11"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_EDX()
    ' mov edx, dword ptr [edx] (8B 12).
    Dim op
    op = "8B12"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_EDI()
    ' mov edx, dword ptr [edi] (8B 17).
    Dim op
    op = "8B17"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_ESI()
    ' mov edx, dword ptr [esi] (8B 16).
    Dim op
    op = "8B16"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_DWORD_Ptr_ESP()
    ' mov edx, dword ptr [esp] (8B 14 24): esp base needs the SIB byte 24.
    Dim op
    op = "8B1424"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_EBP()
    ' mov eax, ebp (8B C5).
    Dim op
    op = "8BC5"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_EBX()
    ' mov eax, ebx (8B C3).
    Dim op
    op = "8BC3"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_ECX()
    ' mov eax, ecx (8B C1).
    Dim op
    op = "8BC1"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_EDI()
    ' mov eax, edi (8B C7).
    Dim op
    op = "8BC7"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_EDX()
    ' mov eax, edx (8B C2).
    Dim op
    op = "8BC2"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_ESI()
    ' mov eax, esi (8B C6).
    Dim op
    op = "8BC6"
    PublicCode = PublicCode & op
End Function


Function Mov_EAX_ESP()
    ' mov eax, esp (8B C4).
    Dim op
    op = "8BC4"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_EBP()
    ' mov ebx, ebp (8B DD).
    Dim op
    op = "8BDD"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_EAX()
    ' mov ebx, eax (8B D8).
    Dim op
    op = "8BD8"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_ECX()
    ' mov ebx, ecx (8B D9).
    Dim op
    op = "8BD9"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_EDI()
    ' mov ebx, edi (8B DF).
    Dim op
    op = "8BDF"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_EDX()
    ' mov ebx, edx (8B DA).
    Dim op
    op = "8BDA"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_ESI()
    ' mov ebx, esi (8B DE).
    Dim op
    op = "8BDE"
    PublicCode = PublicCode & op
End Function


Function Mov_EBX_ESP()
    ' mov ebx, esp (8B DC).
    Dim op
    op = "8BDC"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_EBP()
    ' mov ecx, ebp (8B CD).
    Dim op
    op = "8BCD"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_EAX()
    ' mov ecx, eax (8B C8).
    Dim op
    op = "8BC8"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_EBX()
    ' mov ecx, ebx (8B CB).
    Dim op
    op = "8BCB"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_EDI()
    ' mov ecx, edi (8B CF).
    Dim op
    op = "8BCF"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_EDX()
    ' mov ecx, edx (8B CA).
    Dim op
    op = "8BCA"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_ESI()
    ' mov ecx, esi (8B CE).
    Dim op
    op = "8BCE"
    PublicCode = PublicCode & op
End Function


Function Mov_ECX_ESP()
    ' mov ecx, esp (8B CC).
    Dim op
    op = "8BCC"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_EBP()
    ' mov edx, ebp (8B D5).
    Dim op
    op = "8BD5"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_EBX()
    ' mov edx, ebx (8B D3).
    Dim op
    op = "8BD3"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_ECX()
    ' mov edx, ecx (8B D1).
    Dim op
    op = "8BD1"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_EDI()
    ' mov edx, edi (8B D7).
    Dim op
    op = "8BD7"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_EAX()
    ' mov edx, eax (8B D0).
    Dim op
    op = "8BD0"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_ESI()
    ' mov edx, esi (8B D6).
    Dim op
    op = "8BD6"
    PublicCode = PublicCode & op
End Function


Function Mov_EDX_ESP()
    ' mov edx, esp (8B D4).
    Dim op
    op = "8BD4"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_EBP()
    ' mov esi, ebp (8B F5).
    Dim op
    op = "8BF5"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_EBX()
    ' mov esi, ebx (8B F3).
    Dim op
    op = "8BF3"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_ECX()
    ' mov esi, ecx (8B F1).
    Dim op
    op = "8BF1"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_EDI()
    ' mov esi, edi (8B F7).
    Dim op
    op = "8BF7"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_EAX()
    ' mov esi, eax (8B F0).
    Dim op
    op = "8BF0"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_EDX()
    ' mov esi, edx (8B F2).
    Dim op
    op = "8BF2"
    PublicCode = PublicCode & op
End Function


Function Mov_ESI_ESP()
    ' mov esi, esp (8B F4).
    Dim op
    op = "8BF4"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_EBP()
    ' mov esp, ebp (8B E5): the usual frame-teardown stack-pointer restore.
    Dim op
    op = "8BE5"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_EBX()
    ' mov esp, ebx (8B E3).
    Dim op
    op = "8BE3"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_ECX()
    ' mov esp, ecx (8B E1).
    Dim op
    op = "8BE1"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_EDI()
    ' mov esp, edi (8B E7).
    Dim op
    op = "8BE7"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_EAX()
    ' mov esp, eax (8B E0).
    Dim op
    op = "8BE0"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_EDX()
    ' mov esp, edx (8B E2).
    Dim op
    op = "8BE2"
    PublicCode = PublicCode & op
End Function


Function Mov_ESP_ESI()
    ' mov esp, esi (8B E6).
    Dim op
    op = "8BE6"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_EBP()
    ' mov edi, ebp (8B FD).
    Dim op
    op = "8BFD"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_EAX()
    ' mov edi, eax (8B F8).
    Dim op
    op = "8BF8"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_EBX()
    ' mov edi, ebx (8B FB).
    Dim op
    op = "8BFB"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_ECX()
    ' mov edi, ecx (8B F9).
    Dim op
    op = "8BF9"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_EDX()
    ' mov edi, edx (8B FA).
    Dim op
    op = "8BFA"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_ESI()
    ' mov edi, esi (8B FE).
    Dim op
    op = "8BFE"
    PublicCode = PublicCode & op
End Function


Function Mov_EDI_ESP()
    ' mov edi, esp (8B FC).
    Dim op
    op = "8BFC"
    PublicCode = PublicCode & op
End Function

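Function Mov_EBP_EDI()
    ' mov ebp, edi (8B EF).  ModRM for 8B /r is 11 reg(dst) r/m(src): 11 101 111 = EF.
    ' The previous bytes 8B DF encoded `mov ebx, edi`, so the frame pointer was never set
    ' and ebx was silently clobbered instead.
    PublicCode = PublicCode & "8BEF"
End Function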


Function Mov_EBP_EAX()
    ' mov ebp, eax (8B E8).
    Dim op
    op = "8BE8"
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_EBX()
    ' mov ebp, ebx (8B EB).
    Dim op
    op = "8BEB"
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_ECX()
    ' mov ebp, ecx (8B E9).
    Dim op
    op = "8BE9"
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_EDX()
    ' mov ebp, edx (8B EA).
    Dim op
    op = "8BEA"
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_ESI()
    ' mov ebp, esi (8B EE).
    Dim op
    op = "8BEE"
    PublicCode = PublicCode & op
End Function


Function Mov_EBP_ESP()
    ' mov ebp, esp (8B EC): the usual frame-setup instruction after push ebp.
    Dim op
    op = "8BEC"
    PublicCode = PublicCode & op
End Function

'Push

'+++++++++++++++++++++++++++++++++++

Function Push(i)
    ' push imm: 6A ib for 0..127 (imm8 is sign-extended, hence the 127 bound),
    ' otherwise 68 id with a full 32-bit immediate.
    Dim op
    If i < 0 Or i > 127 Then
        op = "68" & W_HighAndLow(i, 8)
    Else
        op = "6A" & W_HighAndLow(i, 2)
    End If
    PublicCode = PublicCode & op
End Function


Function Push_DWORD_Ptr_Addr(i)
    ' push dword ptr [i] (FF 35 disp32); i is an absolute address.
    Dim op
    op = "FF35" & W_HighAndLow(i, 8)
    PublicCode = PublicCode & op
End Function


Function Push_EAX()
    ' push eax (50).
    Dim op
    op = "50"
    PublicCode = PublicCode & op
End Function


Function Push_ECX()
    ' push ecx (51).
    Dim op
    op = "51"
    PublicCode = PublicCode & op
End Function


Function Push_EDX()
    ' push edx (52).
    Dim op
    op = "52"
    PublicCode = PublicCode & op
End Function


Function Push_EBX()
    ' push ebx (53).
    Dim op
    op = "53"
    PublicCode = PublicCode & op
End Function

Function Push_ESP()
    ' push esp (54).
    Dim op
    op = "54"
    PublicCode = PublicCode & op
End Function


Function Push_EBP()
    ' push ebp (55).
    Dim op
    op = "55"
    PublicCode = PublicCode & op
End Function


Function Push_ESI()
    ' push esi (56).
    Dim op
    op = "56"
    PublicCode = PublicCode & op
End Function


Function Push_EDI()
    ' push edi (57).
    Dim op
    op = "57"
    PublicCode = PublicCode & op
End Function

'LEA

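Function Lea_EAX_DWORD_Ptr_EAX_Add(i)
    ' lea eax, [eax+i]: 8D 40 disp8 or 8D 80 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D40" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D80" & W_HighAndLow(i, 8)
    End If
End Function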


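Function Lea_EAX_DWORD_Ptr_EBX_Add(i)
    ' lea eax, [ebx+i]: 8D 43 disp8 or 8D 83 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D43" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D83" & W_HighAndLow(i, 8)
    End If
End Function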


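Function Lea_EAX_DWORD_Ptr_ECX_Add(i)
    ' lea eax, [ecx+i]: 8D 41 disp8 or 8D 81 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D41" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D81" & W_HighAndLow(i, 8)
    End If
End Function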


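Function Lea_EAX_DWORD_Ptr_EDX_Add(i)
    ' lea eax, [edx+i]: 8D 42 disp8 or 8D 82 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D42" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D82" & W_HighAndLow(i, 8)
    End If
End Function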


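Function Lea_EAX_DWORD_Ptr_ESI_Add(i)
    ' lea eax, [esi+i]: 8D 46 disp8 or 8D 86 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D46" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D86" & W_HighAndLow(i, 8)
    End If
End Function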


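Function Lea_EAX_DWORD_Ptr_ESP_Add(i)
    ' lea eax, [esp+i]: 8D 44 24 disp8 or 8D 84 24 disp32.
    ' esp as a base register always requires the SIB byte 24; the previous bytes
    ' (8D 40 / 8D 80) encoded [eax+i] instead, so the result was eax-relative, not stack-relative.
    ' disp8 is sign-extended, so only 0..127 may use the short form.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4424" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8424" & W_HighAndLow(i, 8)
    End If
End Function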


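Function Lea_EAX_DWORD_Ptr_EBP_Add(i)
    ' lea eax, [ebp+i]: 8D 45 disp8 or 8D 85 disp32.
    ' The previous bytes (8D 44 24 / 8D 84 24) carried the esp SIB form and therefore
    ' computed [esp+i], not [ebp+i]; the two ESP/EBP helpers had their encodings swapped.
    ' disp8 is sign-extended, so only 0..127 may use the short form.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D45" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D85" & W_HighAndLow(i, 8)
    End If
End Function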


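Function Lea_EAX_DWORD_Ptr_EDI_Add(i)
    ' lea eax, [edi+i]: 8D 47 disp8 or 8D 87 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D47" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D87" & W_HighAndLow(i, 8)
    End If
End Function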


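Function Lea_EBX_DWORD_Ptr_EAX_Add(i)
    ' lea ebx, [eax+i]: 8D 58 disp8 or 8D 98 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D58" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D98" & W_HighAndLow(i, 8)
    End If
End Function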


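Function Lea_EBX_DWORD_Ptr_ESP_Add(i)
    ' lea ebx, [esp+i]: 8D 5C 24 disp8 or 8D 9C 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5C24" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9C24" & W_HighAndLow(i, 8)
    End If
End Function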


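Function Lea_EBX_DWORD_Ptr_EBX_Add(i)
    ' lea ebx, [ebx+i]: 8D 5B disp8 or 8D 9B disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5B" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9B" & W_HighAndLow(i, 8)
    End If
End Function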


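Function Lea_EBX_DWORD_Ptr_ECX_Add(i)
    ' lea ebx, [ecx+i]: 8D 59 disp8 or 8D 99 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D59" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D99" & W_HighAndLow(i, 8)
    End If
End Function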


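Function Lea_EBX_DWORD_Ptr_EDX_Add(i)
    ' lea ebx, [edx+i]: 8D 5A disp8 or 8D 9A disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5A" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9A" & W_HighAndLow(i, 8)
    End If
End Function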


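Function Lea_EBX_DWORD_Ptr_EDI_Add(i)
    ' lea ebx, [edi+i]: 8D 5F disp8 or 8D 9F disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5F" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9F" & W_HighAndLow(i, 8)
    End If
End Function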


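Function Lea_EBX_DWORD_Ptr_EBP_Add(i)
    ' lea ebx, [ebp+i]: 8D 5D disp8 or 8D 9D disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5D" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9D" & W_HighAndLow(i, 8)
    End If
End Function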


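Function Lea_EBX_DWORD_Ptr_ESI_Add(i)
    ' lea ebx, [esi+i]: 8D 5E disp8 or 8D 9E disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5E" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9E" & W_HighAndLow(i, 8)
    End If
End Function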


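Function Lea_ECX_DWORD_Ptr_EAX_Add(i)
    ' lea ecx, [eax+i]: 8D 48 disp8 or 8D 88 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D48" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D88" & W_HighAndLow(i, 8)
    End If
End Function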


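Function Lea_ECX_DWORD_Ptr_ESP_Add(i)
    ' lea ecx, [esp+i]: 8D 4C 24 disp8 or 8D 8C 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4C24" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8C24" & W_HighAndLow(i, 8)
    End If
End Function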


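Function Lea_ECX_DWORD_Ptr_EBX_Add(i)
    ' lea ecx, [ebx+i]: 8D 4B disp8 or 8D 8B disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4B" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8B" & W_HighAndLow(i, 8)
    End If
End Function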


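Function Lea_ECX_DWORD_Ptr_ECX_Add(i)
    ' lea ecx, [ecx+i]: 8D 49 disp8 or 8D 89 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D49" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D89" & W_HighAndLow(i, 8)
    End If
End Function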


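Function Lea_ECX_DWORD_Ptr_EDX_Add(i)
    ' lea ecx, [edx+i]: 8D 4A disp8 or 8D 8A disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4A" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8A" & W_HighAndLow(i, 8)
    End If
End Function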


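Function Lea_ECX_DWORD_Ptr_EDI_Add(i)
    ' lea ecx, [edi+i]: 8D 4F disp8 or 8D 8F disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4F" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8F" & W_HighAndLow(i, 8)
    End If
End Function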


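Function Lea_ECX_DWORD_Ptr_EBP_Add(i)
    ' lea ecx, [ebp+i]: 8D 4D disp8 or 8D 8D disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4D" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8D" & W_HighAndLow(i, 8)
    End If
End Function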


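Function Lea_ECX_DWORD_Ptr_ESI_Add(i)
    ' lea ecx, [esi+i]: 8D 4E disp8 or 8D 8E disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D4E" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D8E" & W_HighAndLow(i, 8)
    End If
End Function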


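Function Lea_EDX_DWORD_Ptr_EAX_Add(i)
    ' lea edx, [eax+i]: 8D 50 disp8 or 8D 90 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D50" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D90" & W_HighAndLow(i, 8)
    End If
End Function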


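Function Lea_EDX_DWORD_Ptr_ESP_Add(i)
    ' lea edx, [esp+i]: 8D 54 24 disp8 or 8D 94 24 disp32 (SIB 24 for esp base).
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D5424" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D9424" & W_HighAndLow(i, 8)
    End If
End Function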


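Function Lea_EDX_DWORD_Ptr_EBX_Add(i)
    ' lea edx, [ebx+i]: 8D 53 disp8 or 8D 93 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D53" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D93" & W_HighAndLow(i, 8)
    End If
End Function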


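Function Lea_EDX_DWORD_Ptr_ECX_Add(i)
    ' lea edx, [ecx+i]: 8D 51 disp8 or 8D 91 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D51" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D91" & W_HighAndLow(i, 8)
    End If
End Function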


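Function Lea_EDX_DWORD_Ptr_EDX_Add(i)
    ' lea edx, [edx+i]: 8D 52 disp8 or 8D 92 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D52" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D92" & W_HighAndLow(i, 8)
    End If
End Function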


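Function Lea_EDX_DWORD_Ptr_EDI_Add(i)
    ' lea edx, [edi+i]: 8D 57 disp8 or 8D 97 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D57" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D97" & W_HighAndLow(i, 8)
    End If
End Function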


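Function Lea_EDX_DWORD_Ptr_EBP_Add(i)
    ' lea edx, [ebp+i]: 8D 55 disp8 or 8D 95 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D55" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D95" & W_HighAndLow(i, 8)
    End If
End Function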


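Function Lea_EDX_DWORD_Ptr_ESI_Add(i)
    ' lea edx, [esi+i]: 8D 56 disp8 or 8D 96 disp32.
    ' disp8 is sign-extended, so only 0..127 may use the short form; 128..255 previously
    ' produced a negative displacement.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "8D56" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "8D96" & W_HighAndLow(i, 8)
    End If
End Function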



Function Pop_EAX()
    ' pop eax (58).
    Dim op
    op = "58"
    PublicCode = PublicCode & op
End Function


Function Pop_EBX()
    ' pop ebx (5B).
    Dim op
    op = "5B"
    PublicCode = PublicCode & op
End Function


Function Pop_ECX()
    ' pop ecx (59).
    Dim op
    op = "59"
    PublicCode = PublicCode & op
End Function


Function Pop_EDX()
    ' pop edx (5A).
    Dim op
    op = "5A"
    PublicCode = PublicCode & op
End Function


Function Pop_ESI()
    ' pop esi (5E).
    Dim op
    op = "5E"
    PublicCode = PublicCode & op
End Function


Function Pop_ESP()
    ' pop esp (5C).
    Dim op
    op = "5C"
    PublicCode = PublicCode & op
End Function


Function Pop_EDI()
    ' pop edi (5F).
    Dim op
    op = "5F"
    PublicCode = PublicCode & op
End Function


Function Pop_EBP()
    ' pop ebp (5D).
    Dim op
    op = "5D"
    PublicCode = PublicCode & op
End Function




Function ABC交流_类人猿技术群_526897608()
    ' Credits/contact stub: writes the author's contact line to the trace log.
    ' Emits no machine code and does not touch PublicCode.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function


Function ABC交流_类人猿技术Q_578052137()
    ' Credits/contact stub: writes the author's contact line to the trace log.
    ' Emits no machine code and does not touch PublicCode.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function


Function ABC说明_结束按键精灵不能内联汇编历史(希望大家喜欢按键)
    ' Informational stub whose name carries the author's note; the parameter is unused.
    ' Writes the contact line to the trace log and emits no machine code.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function

Function ABC说明_该版本是更新3版本(具体说明咨询群主,期望大神们给我指导建议完善)
    ' Informational stub whose name carries the author's note; the parameter is unused.
    ' Writes the contact line to the trace log and emits no machine code.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function

Function ABC说明_休息(暂停工作两周)
    ' Informational stub whose name carries the author's note; the parameter is unused.
    ' Writes the contact line to the trace log and emits no machine code.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function


Function ABC感谢_大神们技术上支持和建议完成本库()
    ' Credits stub: writes the author's contact line to the trace log.
    ' Emits no machine code and does not touch PublicCode.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function

Function ABC说明下面是代码库()
    ' Section-marker stub: writes the author's contact line to the trace log.
    ' Emits no machine code and does not touch PublicCode.
    Dim msg
    msg = "技术联系类人猿Q: 578052137"
    TracePrint msg
End Function

//=======================================================测试阶段=======================