按键X内存汇编库开源(导师作品)
发表时间:2018-04-08 18:07 按键X版本内存汇编库开源:编码形式借助vbs声明和函数,汇编执行位shellcode 类人猿:QQ:578052137 Declare Function Asm Lib "ToAsm" Alias "Asm"(ByVal code As String,ByVal 长度 As Long) As Long Declare Function SetRec Lib "user32" Alias "SetRect"(ByVal 矩形 As Any,ByVal 左边 As Long,ByVal 顶边 As Long,ByVal 右边 As Long,ByVal 底边 As Long) As Long Declare Function LocalAlloc Lib "kernel32" Alias "LocalAlloc" (ByVal wOemChar As Long,ByVal wOmChar As Long) As Long Declare Function LocalFree Lib "kernel32" Alias "LocalFree" (ByVal hMem As Long) As Long Declare Function LocalSize Lib "kernel32" (ByVal hMem As Long) As Long Declare Function RtlMoveMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal h As Any, ByRef f As Any, ByVal Length As Long) Declare Function CallWindowProcA Lib "user32.dll" Alias "CallWindowProcA"(ByVal 前1窗口函数地址 As Long,byref 窗口句柄 As Long,ByVal 消息值 As Long,ByVal 附加参数1 As Long,ByVal 附加参数2 As Long) As Long Declare Function RtlFillMemory Lib "kernel32.dll" Alias "RtlFillMemory"(ByVal 目的内存 As String,ByVal 长度 As Long,ByVal 填充内容 As Any) As Long Declare Function LoadLibraryA Lib "kernel32.dll" Alias "LoadLibraryA"(ByVal 动态链接库名称 As String) As Long Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long Declare Function GetProcAddress Lib "kernel32.dll" Alias "GetProcAddress"(ByVal 模块句柄 As Long,ByVal 进程名称 As String) As Long Declare Function GetModuleHandleA Lib "kernel32.dll" Alias "GetModuleHandleA"(ByVal 模块名 As String) As Long Declare Function SetWindowsHook Lib "user32.dll" Alias "SetWindowsHookExA"(ByVal 钩子类型 As Long,ByVal 回调函数地址 As Long,ByVal 实例句柄 As Long,ByVal 线程ID As Long) As Long Declare Function UnhookWindowsHookEx Lib "user32.dll" Alias "UnhookWindowsHookEx"(ByVal 钩子句柄 As Long) As Long Declare Function RtlZeroMemory Lib "kernel32.dll" Alias "RtlZeroMemory"(ByVal 目的内存 As String,ByVal 长度 As Long) As Long Declare Function MultiByteToWideChar Lib "kernel32.dll" Alias "MultiByteToWideChar"(ByVal CodePage As Long,ByVal dwFlags As Long,ByVal 
lpMultiByteStr As Long,ByVal cchMultiByte As Long,ByVal lpWideCharStr As Long,ByVal lpWideCharStr As Long) As Long Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long Declare Function OpenProcess Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Declare Function WriteProcessMemory Lib "kernel32" Alias "WriteProcessMemory" ( Handle_Process As Long, lpBaseAddress As long,date As long, nSize As Long, lpNumberOfBytesWritten As Long) As Long Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long Declare Function GetCurrentProcessId Lib "kernel32" Alias "GetCurrentProcessId" () As Long Declare Function ReadProcessMemory Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long,ByVal lpBaseAddress As Long, ByRef lpBuffer As Long, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long Private Declare Function htonl Lib "Wsock32.dll" (ByVal hostlong As Long) As Long //4字节高低位互转 //32位有符号整数 不支持无符号整数 FFFF FFFF Private Declare Function 
htons Lib "Wsock32.dll" (ByVal hostshort As Long) As Long //2字节 Private Declare Function SetWindowsHookExA Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long Private Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hwnd As Long, lpdwProcessId As Long) As Long Public Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal ncode As Long,ByVal wParam As WindowsMessages,lParam As MSLLHOOKSTRUCT) As Long Private Declare Function RegisterWindowMessage Lib "user32" Alias "RegisterWindowMessageA" (ByVal lpString As String) As Long Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long Public Declare Function VirtualProtectEx Lib "kernel32 " (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flNewProtect As Integer, ByRef lpflOldProtect As Integer) As Integer Public Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long Function 保护_VirtualQueryEx(ProcessId,Addr,AddrSize) Dim issuscce,oldVal issuscce = VirtualProtectEx(ProcessId, Addr, AddrSize, 64, oldVal) VirtualQueryEx=issuscce End Function Function 十进制转二进制(十进制整数)//会出现bug 十进制转二进制=Hex( htonl(十进制整数)) End Function Function 枚举系统进程名() Dim WMI,objs Set WMI = GetObject("WinMgmts:") Set objs = WMI.InstancesOf("Win32_Process") For Each obj In objs Enum1 = Enum1 + obj.Description + Chr(13) + Chr(10) Next // msgbox Enum1 枚举系统进程名=Enum1 End function Function 获取系统全部进程和ID()//获取进程ID和进程名字 Dim Pro_And_Name Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set ps = objWMIService.ExecQuery("select * from Win32_Process") For Each p In ps Pro_And_Name = Pro_And_Name & vbCrLf & p.ProcessId & " " & p.Name Next // MessageBox 
Pro_And_Name Pro_Name_Array = split(Pro_And_Name, vbcrlf) 获取系统全部进程和ID=Pro_And_Name End Function Function 根据进程名字枚举进程ID(进程名)//获取进程ID和进程名字 Dim Pro_And_Name //进程名字和id字符串 Dim Name_Array Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set ps = objWMIService.ExecQuery("select * from Win32_Process") For Each p In ps Pro_And_Name = Pro_And_Name & vbCrLf & p.ProcessId & " " & p.Name Next // MessageBox Pro_And_Name Pro_Name_Array = split(Pro_And_Name, vbcrlf) i=1 For UBound (Pro_Name_Array) // TracePrint Pro_Name_Array(i) Name_Array = split(Pro_Name_Array(i), " ") If Name_Array(1) = 进程名 Then 根据进程名字枚举进程ID = int(Name_Array(0)) // TracePrint Name_Array(1) Exit for // end if End if i=i+1 Next End Function Function 跨进程获取函数名地址S(ProcessId,模块名字,函数名字)//Call 跨进程获取函数名地址(ProcessId,"kernel32","CreateRemoteThread",有保护无法突破参数) Dim 远程参数地址 Dim 返回值地址 返回值地址 = 申请指定进程空间(ProcessId, 4) 远程参数地址 = 申请指定进程空间(ProcessId, len(模块名字) + 4) Call 写入字符集ASCII(ProcessId, 远程参数地址, 模块名字)//二进制字符串写入 远程名字参数地址=申请指定进程空间(ProcessId, len(函数名字)+4) Call 写入字符集ASCII(ProcessId, 远程名字参数地址, 函数名字)//二进制字符串写入 //TracePrint Hex(远程参数地址) GetModuleHandleA = 获取函数地址API("kernel32.dll", "GetModuleHandleA")//==这个是固定的,模块基地址 Addr_GetProcAddress = 获取函数地址API("kernel32.dll", "GetProcAddress")//==这个是固定的,获取获取函数的基地址 //TracePrint Hex(GetModuleHandleA) Call AsmClear() call Pushad() Call PUSH(远程参数地址) //,先写入完整call 再调用 这个是基地址不过要保持平衡,PK模式call Call Mov_EDX_Value(GetModuleHandleA) Call Call_EDX() Call Push(远程名字参数地址) Call Push_EAX Call Mov_EDX_Value(Addr_GetProcAddress) Call Call_EDX() Call Mov_DWORD_Ptr_Addr_EAX(返回值地址) Call Popad() Call ret() //这个和上面5个push 是对应关系的 Call RunAsmCode(ProcessId, 1)//核心代码 Delay 100 获取函数地址= 读取四字节整数(ProcessId,返回值地址) // TracePrint "模块地址===" & Hex(模块地址) 跨进程获取函数名地址S=获取函数地址 End Function //HWND = Plugin.Window.Find(0, "form1") //ProcessId = Plugin.SysEx.GetProcessID(Hwnd) //函数字节集 = "55 8B EC 8B E5 5D C2 10 00" //Call 主线程切入口注入(ProcessId, 函数字节集, &H75c0fdcf) Function 主线程切入口注入(ProcessId, 函数字节集,主线程入口地址)//最好先暂停线程再执行线程 Dim NewAddr 
//这个函数是用来储存的。 Dim JMP_Value//跳转数值 NewAddr = 申请指定进程空间(ProcessId, len(函数字节集) + 4) Call 写入字节集(ProcessId, NewAddr, 函数字节集)//这个是写入Fake_HOOK函数 TracePrint Hex(NewAddr) JMP_Value = HEX(htonl(NewAddr - 主线程入口地址 - 5)) //公式计算 TracePrint JMP_Value JMP_Value= 十六进制字节集标准化(JMP_Value) call 写入单字节整数(ProcessId, 主线程入口地址, &He9) Call 写入字节集(ProcessID, 主线程入口地址+1, JMP_Value) //这个是jmp End Function Function 十六进制字节集标准化(十六字节集) Dim i dim PublicCode_1 For i = 0 To Len(十六字节集) / 2 - 1 PublicCode_1 = PublicCode_1 &(" " & Mid(十六字节集, i * 2 + 1, 2)) //======里是字符集转换空格隔开====== Next 十六字节集 = LTrim(PublicCode_1)//重新赋值 十六进制字节集标准化=十六字节集 End function Function 创建进程S(ParentProPid, WholePathAndParam, WorkPath)//发神经了,为什么不直接用API,为什么要用shellcode Dim 参数2,参数8,参数9,参数10 Addr_CreateProcessA = 获取函数地址API("kernel32.dll", "CreateProcessA") // TracePrint Hex(Addr_CreateProcessA) 参数2 = 申请指定进程空间(ParentProPid,len(WholePathAndParam)+8) //获取文件路径大小,根据居停情况分配空间 // TracePrint Hex(参数2) Call 写入字符集ASCII(ParentProPid, 参数2, WholePathAndParam) //完整路径和参数 参数8 = 申请指定进程空间(ParentProPid,50) // TracePrint Hex(参数8) Call 写入字符集ASCII(ParentProPid, 参数8, WorkPath) //工作路径 E:\\moyu" 参数10 = 申请指定进程空间(ParentProPid, 20) //这个结构太小了,根据具体情况,200 参数9 = 申请指定进程空间(ParentProPid,500) //这个结构太小了,根据具体情况,200 call AsmClear() Call Push_EBP() Call mov_ebp_esp() Call PUSH(参数10) //这个是结构 Call PUSH(参数9) //这个是结构 Call PUSH(参数8) //不包括文件名字路径 Call PUSH(0) Call PUSH(0) Call PUSH(0) Call PUSH(0) Call PUSH(0) Call PUSH(参数2) Call PUSH(0) Call Mov_EAX_Value(Addr_CreateProcessA) Call Call_EAX Call Mov_ESP_EBP() Call pop_ebp() Call Ret() //TracePrint W_GetCode() Call RunAsmCode(ParentProPid, 0) Delay 100 Call 释放进程分配空间(ParentProPid,参数8) Call 释放进程分配空间(ParentProPid,参数2) Call 释放进程分配空间(ParentProPid,参数9) Call 释放进程分配空间(ParentProPid,参数10) End function //call 钩子HOOK实例() Function 钩子HOOK实例(ProcessId)//==============================//HWND = Plugin.Window.Find(0, "【魔域】") ProcessId = Plugin.SysEx.GetProcessID(Hwnd) 申请回调函数地址 = 申请指定进程空间(ProcessId, 120)//最长代码是100 Call 写入四字节内存整数(ProcessId, 申请回调函数地址 + 100, 0) call 
AsmClear() Call Push_EBP() Call mov_ebp_esp() call Mov_EAX_DWORD_Ptr_Addr(&H12C447C) Call Push (1) Call Push(3) Call Mov_ECX_DWORD_Ptr_EAX Call Mov_ESI_DWORD_Ptr_Addr(&H12C51D4) Call Call_ESI Call Mov_EAX_Value(1) call Mov_DWORD_Ptr_Addr_EAX(申请回调函数地址+100) Call Mov_ESP_EBP() Call pop_ebp() Call ret //这个和上面5个push 是对应关系的 Call RunAsmCodetoMainThread(ProcessId, 申请回调函数地址) End function Function RunAsmCodetoMainThread(ProcessId, 申请回调函数地址) //============================注入核心代码======================== Dim i dim PublicCode_1 For i = 0 To Len(PublicCode) / 2 - 1 PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开====== Next PublicCode=LTrim(PublicCode_1) //重新赋值 //TracePrint PublicCode call 写入字节集(ProcessId, 申请回调函数地址, PublicCode) Dim 函数是否执行 q=0 For 300 q=q+1 TracePrint q Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId) 函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100) TracePrint Hex(函数是否执行) If 函数是否执行 = 1 Then Exit For End if Next End Function Function 钩子Hook注入二进制代码(ProcessId, 申请回调函数地址,二进制字节集)//========================================================== Dim i Dim PublicCode_1 Dim PublicCode PublicCode=二进制字节集 For i = 0 To Len(PublicCode) / 2 - 1 PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开====== Next PublicCode=LTrim(PublicCode_1) //重新赋值 TracePrint PublicCode call 写入字节集(ProcessId, 申请回调函数地址, PublicCode) //call 写入字节集(ProcessId, 申请回调函数地址, "8B 0D 7C 24 2C 01 6A 01 6A 03 8B 09 FF 15 D4 31 2C 01 C3") Dim 函数是否执行 q=0 For 300 q=q+1 //TracePrint q Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId) 函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100) //TracePrint Hex(函数是否执行) If 函数是否执行 = 1 Then Exit For End if Next End Function //=======================================钩子处理================ Function 钩子HOOK注入执行(HWND, 函数地址, ProcessId) Dim 存放返回值的地址 Dim ThreadPid 存放返回值的地址= 申请指定进程空间(ProcessId, 4) //TracePrint Hex(存放返回值的地址) ThreadPid=GetWindowThreadProcessId(HWND,0) Addr_SetWindowsHookEx = 获取函数地址API("user32.dll", "SetWindowsHookExA") //TracePrint 
"Addr_SetWindowsHookEx函数地址 === " & Hex(Addr_SetWindowsHookEx) call AsmClear() Call Push_EBP() Call mov_ebp_esp() Call PUSH(ThreadPid) Call PUSH(GetModuleHandleA(0)) //窗口句柄基地址 4000000 Call PUSH(函数地址) Call PUSH(4) //,先写入完整call 再调用 这个是基地址不过要保持平衡,PK模式call Call Mov_EDX_Value(Addr_SetWindowsHookEx) Call Call_EDX() Call Mov_DWORD_Ptr_Addr_EAX(存放返回值的地址) Call Mov_ESP_EBP() Call pop_ebp() Call ret //这个和上面5个push 是对应关系的 //TracePrint PublicCode Call RunAsmCode(ProcessId, 1)//核心代码 //Delay 100 //============================读取内存一定要延迟,因为HOOK消息要排队的。 //TracePrint "存放返回值的地址 =="& Hex(存放返回值的地址) 钩子类型= 读取四字节整数(ProcessId,存放返回值的地址) //TracePrint "钩子类型==" & Hex(钩子类型) 钩子HOOK注入执行= 钩子类型 End Function //call AsmClear()//========================================================================本地执行汇编运算例子 //Addr_SendMessageA = 获取函数地址API("user32.dll", "SendMessageA") //TracePrint Addr_SendMessageA //call AsmClear() //Call Push_EBP() //Call mov_ebp_esp() //Call PUSH(0) //Call PUSH(0) //Call PUSH(0) //Call PUSH(hwnd) //Call Mov_EAX_Value(Addr_SendMessageA) //Call Call_EAX //Call Mov_ESP_EBP() //Call pop_ebp() //Call Ret() //TracePrint W_GetCode() //Call RunAsmCode(ProcessId, 1)//核心代码 Function 钩子HOOK卸载(钩子句柄) CALL UnhookWindowsHookEx(钩子句柄)//释放钩子 End Function //=======================================钩子处理=================== EndScript Function 钩子HOOK消息注册(消息字符串) 钩子HOOK消息注册=RegisterWindowMessage(消息字符串) End Function Function RunCurAsmCode()//本地执行汇编运算 Dim i //========================================================== dim AsmCode1 AsmCode1="" ReDim AsmCode(Len(PublicCode) / 2 - 1) For i = 0 To UBound(AsmCode) AsmCode1 = AsmCode1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开====== Next PublicCode = LTrim(AsmCode1) TracePrint PublicCode CodeSize = UBound(split(PublicCode, " "))+10 //加10避免空间不够用." 
"这个是十六进制字符分隔符 //TracePrint CodeSize NewWriteCodeAddr = 申请指定进程空间(GetCurrentProcessId(), CodeSize)//申请空 TracePrint Hex(NewWriteCodeAddr ) call 写入字节集(GetCurrentProcessId(), NewWriteCodeAddr, PublicCode) Call CallWindowProcA(NewWriteCodeAddr,0,0,0,0) End Function //call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3") //记住要加上ret //call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3") //记住要加上ret Function AsmClear() PublicCode="" End Function Function 窗口的创建者ThreadPId(Hwnd,lpdwProcessId) 窗口的创建者ThreadPId=GetWindowThreadProcessId(Hwnd,lpdwProcessId) End Function Function 跨进程模块通讯链接(ProcessId,SendData) TracePrint "该功能暂停使用!" end Function Function 汇编执行代码(ByteData,Size)//完成,获取返回值暂时还没有办法 WriteAddr= 申请指定进程空间(GetCurrentProcessId(),Size) //这个是存放汇编代码地址的 //TracePrint Hex(WriteAddr) ByteData = ByteData + " C2 14 00" //这里是retn 14 //TracePrint ByteData call 写入字节集(GetCurrentProcessId(), WriteAddr, ByteData) //retn 14,个参数 。这里是写入汇编代码 call CallWindowProcA(WriteAddr, Hwnd, 0, 0, 0) End function Function 读内存数值A(ProcessId,Addr,Size) Dim i char = space(2) For i = 0 To Size-1 Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0) //读取每个字节的值 读内存数值A = 读内存数值A + AscB(char) * 256 ^ i // TracePrint 读内存数值A Next End Function //TracePrint 读取八字节整数(Handle_Process, &H01259F8) Function 读取单字节整数(ProcessId,Addr) Dim i char = space(2) For i = 0 To 1-1 //一个字节 Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0) //读取每个字节的值 读取单字节整数= 读取单字节整数+ AscB(char) * 256 ^ i // TracePrint 读取单字节整数 Next End Function Function 读取双字节整数(ProcessId,Addr) Dim i char = space(2) For i = 0 To 2-1 //2个字节 Call ReadProcessMemory(Handle_Process, Addr+i, char, 1, 0) //读取每个字节的值 读取双字节整数= 读取双字节整数+ AscB(char) * 256 ^ i // TracePrint 读取单字节整数 Next End Function Function 读取四字节整数(ProcessId, Addr) Handle_Process = OpenProcess(2035711, false, ProcessId) Dim i char = space(2) //这里不知道出不出bug For i = 0 To (4 - 1)//4个字节 Call ReadProcessMemory(Handle_Process, Addr+i, 
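char, 1, 0) //one byte per call; AscB() of the 2-char buffer yields that byte
读取四字节整数 = 读取四字节整数 + AscB(char) * 256 ^ i
// TracePrint 读取四字节整数
Next
//NOTE(review): the PROCESS_ALL_ACCESS handle this function opened is never
//closed. It is left in the global Handle_Process on purpose, because the sibling
//readers (读内存数值A, 读取单/双字节整数) read that global instead of their own
//ProcessId argument. Every call therefore leaks one handle.
End Function

//Read eight bytes at Addr in process ProcessId and return them as a little-endian
//integer. The sum is built with Double arithmetic (256 ^ i), so anything above
//2^53 loses precision — this is not a true 64-bit read.
//Unlike its siblings this reader opens and closes its own handle instead of
//relying on the global Handle_Process having been set by an earlier call.
//Returns Empty if the process cannot be opened.
Function 读取八字节整数(ProcessId, Addr)
Dim i, hProc, char
hProc = OpenProcess(2035711, False, ProcessId) //2035711 = &H1F0FFF = PROCESS_ALL_ACCESS (pre-Vista value)
If hProc = 0 Then Exit Function
char = space(2)
For i = 0 To 8 - 1
Call ReadProcessMemory(hProc, Addr + i, char, 1, 0)
读取八字节整数 = 读取八字节整数 + AscB(char) * 256 ^ i
Next
Call CloseHandle(hProc)
End Function

//TracePrint 读取地址二进制字节集(Handle_Process, &H00290E9C,10)
//Dump Size bytes starting at Addr as a space-separated upper-case hex string,
//e.g. "55 8B EC". Each byte is zero-padded to two digits so the output can be fed
//straight back into 写入字节集 and stays column-aligned (bare Hex() gives "A" for
//10, which silently broke the byte pairing in the old version).
Function 读取地址二进制字节集(ProcessId, Addr, Size)
Dim i, b
For i = 0 To (Size - 1)
b = 读取单字节整数(ProcessId, Addr + i)
读取地址二进制字节集 = 读取地址二进制字节集 + " " + Right("0" & Hex(b), 2)
Next
读取地址二进制字节集 = LTrim(读取地址二进制字节集) //drop the leading separator
End Function

//TracePrint 读取指定长度字符串ASCII(Handle_Process, &H00290E9C,10)
//Read Size bytes at Addr and return them as a string, one character per byte.
//NUL bytes are NOT treated as terminators (chr(0) is embedded in the result), and
//LTrim strips any leading spaces — a quirk callers have always seen, kept as is.
Function 读取指定长度字符串ASCII(ProcessId, Addr, Size)
Dim i
For i = 0 To (Size - 1)
读取指定长度字符串ASCII = 读取指定长度字符串ASCII + chr(读取单字节整数(ProcessId, Addr + i))
Next
读取指定长度字符串ASCII = LTrim(读取指定长度字符串ASCII)
End Function

//Wrap a comma-separated DECIMAL byte list with a prologue and epilogue.
//85,139,236 = push ebp / mov ebp,esp; 93,194,20,0 = pop ebp / ret 14h.
//NOTE(review): the remaining head bytes 22,21,45,44,45,65 decode to
//16 15 2D 2C 2D 41, which is not a recognisable prologue — looks like a
//transcription error; confirm before relying on this helper. Nothing else in
//this file consumes the comma/decimal format (写入字节集 wants spaced hex).
//The old version concatenated the three parts without separators, producing
//"...,65<bytes>93,..."; the commas are now inserted.
Function 构造汇编代码(字节集)
Dim HeadCode, EndCode
HeadCode = "85,139,236,22,21,45,44,45,65"
EndCode = "93,194,20,0"
构造汇编代码 = HeadCode & "," & 字节集 & "," & EndCode
End Function

//Create a thread in THIS process starting at lpStartAddress and return its
//handle (the caller owns it and should CloseHandle it).
//dwCreationFlags = 4 is CREATE_SUSPENDED: the thread does not run until something
//calls ResumeThread, which this file does not declare — kept because the author's
//comment says so explicitly. BUG FIX: the old body passed the undeclared global
//返回值 instead of the lpStartAddress parameter, so the argument was ignored.
Function 创建线程(lpStartAddress)
创建线程 = CreateThread(0, 0, lpStartAddress, 0, 4, 0)
End function

//Call 远程卸载dll(iPID,返回值,"dm.dll")
// TracePrint 获取动态链接库句柄("kernel32.dll")
//Module handle (base address) of a DLL already loaded in THIS process, or 0.
Function 获取动态链接库句柄(动态链接库函数名)
获取动态链接库句柄 = GetModuleHandleA(动态链接库函数名)
End Function

//WARNING: despite the name this does NOT unload anything. The body is the same
//as 远程注入dll: it writes 字符串 into the target and starts a remote thread at
//LoadLibraryA_Addr with that string as the argument, i.e. it LOADS the named
//module. A real unload needs FreeLibrary with the module's HMODULE; the body is
//left functionally unchanged because no caller in this file depends on it, but
//treat the name as misleading.
//No terminating NUL is written by 写入字符集ASCII; the +10 slack on a freshly
//committed (zero-filled) page is what terminates the string.
//Returns True if the remote thread was created. Handles are closed here instead
//of being leaked in the global Handle_Process.
Function 远程卸载dll(ProcessId, LoadLibraryA_Addr, 字符串)
Dim CodeSize, NewWriteCodeAddr, hProc, hThread
CodeSize = len(字符串) + 10
NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)
hProc = OpenProcess(2035711, False, ProcessId)
hThread = CreateRemoteThread(hProc, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
If hThread <> 0 Then Call CloseHandle(hThread)
Call CloseHandle(hProc)
远程卸载dll = (hThread <> 0)
End Function

//Marked unfinished by the author. Currently a duplicate of 远程注入dll: it loads
//the module named by 字符串 in the target via LoadLibraryA_Addr; it does not
//resolve a function address. Kept for signature compatibility; handles closed.
Function 远程获取函数地址(ProcessId, LoadLibraryA_Addr, 字符串)
Dim CodeSize, NewWriteCodeAddr, hProc, hThread
CodeSize = len(字符串) + 10
NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)
hProc = OpenProcess(2035711, False, ProcessId)
hThread = CreateRemoteThread(hProc, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
If hThread <> 0 Then Call CloseHandle(hThread)
Call CloseHandle(hProc)
远程获取函数地址 = (hThread <> 0)
End Function

//Core injection primitive: take the instruction bytes accumulated in the global
//PublicCode (hex text, no separators, built by the Mov_*/Push/Call_* emitters),
//copy them into a fresh RWX page in the target (申请指定进程空间 commits with
//PAGE_EXECUTE_READWRITE) and run them on a new thread via CreateRemoteThread.
//This is the textbook WriteProcessMemory + CreateRemoteThread pattern that
//AV/EDR products alert on.
//Side effects: PublicCode is rewritten into space-separated form ("55 8B EC"),
//so it must be rebuilt (AsmClear + emitters) before the next call — running it
//twice on the same buffer re-pairs "55 8B" as "55"," 8","B " and corrupts the code.
//The thread is fire-and-forget: nothing waits for it and the code page is never
//freed, which is why callers Delay before reading results (a race, not a sync).
//AsmType is unused; kept for signature compatibility.
//Returns True if the remote thread was created; False (and no write) when
//PublicCode is empty.
Function RunAsmCode(ProcessId, AsmType)
Dim i, AsmCode1, 十六进制字节集, CodeSize, NewWriteCodeAddr, hProc, hThread
If Len(PublicCode) = 0 Then Exit Function
AsmCode1 = ""
For i = 0 To Len(PublicCode) / 2 - 1
AsmCode1 = AsmCode1 & (" " & Mid(PublicCode, i * 2 + 1, 2)) //re-space into byte pairs
Next
PublicCode = LTrim(AsmCode1)
十六进制字节集 = PublicCode
CodeSize = UBound(split(十六进制字节集, " ")) + 10 //byte count + slack
NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
call 写入字节集(ProcessId, NewWriteCodeAddr, 十六进制字节集)
hProc = OpenProcess(2035711, False, ProcessId)
hThread = CreateRemoteThread(hProc, 0, 0, NewWriteCodeAddr, 0, 0, 0)
If hThread <> 0 Then Call CloseHandle(hThread)
Call CloseHandle(hProc)
RunAsmCode = (hThread <> 0)
End Function

//Same as RunAsmCode but takes ready-made, space-separated hex bytes instead of
//the PublicCode buffer. The bytes must end with a ret (C3) or the remote thread
//runs off the end of the page. Returns True if the thread was created.
Function 远程注入汇编代码(ProcessId, 十六进制字节集)
Dim CodeSize, NewWriteCodeAddr, hProc, hThread
CodeSize = UBound(split(十六进制字节集, " ")) + 10
NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
call 写入字节集(ProcessId, NewWriteCodeAddr, 十六进制字节集)
hProc = OpenProcess(2035711, False, ProcessId)
hThread = CreateRemoteThread(hProc, 0, 0, NewWriteCodeAddr, 0, 0, 0)
If hThread <> 0 Then Call CloseHandle(hThread)
Call CloseHandle(hProc)
远程注入汇编代码 = (hThread <> 0)
End function

//Call 十六进制字节集转化成十进制字节集("55 8B EC A1 7C 24 2C 01 6A 00 8B 08 A1 78 3E 2C 01 8B C0 FF D0 5D C3")
//Convert a hex byte string ("55 8B EC", spaces optional) into a space-separated
//list of decimal bytes. The result keeps its leading space (" 85 139 236")
//exactly as callers have always seen it. Non-hex input raises a type mismatch
//from CByte; an empty string returns Empty.
Function 十六进制字节集转化成十进制字节集(HexByteStr)
Dim i
HexByteStr = Replace(HexByteStr, " ", "")
If Len(HexByteStr) = 0 Then Exit Function
ReDim HexByteArr(Len(HexByteStr) / 2 - 1)
For i = 0 To UBound(HexByteArr)
HexByteArr(i) = CByte("&H" & Mid(HexByteStr, i * 2 + 1, 2))
十六进制字节集转化成十进制字节集 = 十六进制字节集转化成十进制字节集 & " " & HexByteArr(i)
Next
//Get_Result = CallWindowProc(AsmCode(0), 0, 0, 0, 0)
//(author's earlier attempt to execute the array directly; CallWindowProc needs a
//real code address, which is why the parameters "went wrong")
End Function

//Resolve Module!Name_Api in THIS process. The author marks it "flawed": the
//address is only meaningful in a target process if the same DLL is mapped at the
//same base there (true for system DLLs under per-boot ASLR in the same bitness;
//not true across a 32/64-bit mismatch or for a DLL the target has not loaded).
Function 获取函数地址API(Module, Name_Api)
//Name_Api=Name_Api &"0000"
Dim Module_Handle, String_Addr, Function_Addr
//Do
Module_Handle =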
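GetModuleHandleA(Module) //base of a DLL already loaded in this process
// TracePrint "dll模块的地址="& Hex(Module_Handle)
String_Addr = 字符集ASCII变量指针(Name_Api) //NUL-terminated ANSI copy on the local heap
//TracePrint "函数名字变量指针(存数据)="&String_Addr
Function_Addr = GetProcAddress(Module_Handle, String_Addr) //the declared String parameter receives the raw pointer
//Loop Until Function_Addr <> 0
Call LocalFree(String_Addr) //字符集ASCII变量指针 LocalAllocs and leaves freeing to the caller; this used to leak per call
获取函数地址API = Function_Addr
End Function

//Classic LoadLibrary injection: write the DLL path into the target and start a
//remote thread at LoadLibraryA_Addr with the path as its argument.
//写入字符集ASCII writes no terminating NUL; the +10 slack on a freshly committed
//(zero-filled) page from 申请指定进程空间 is what terminates the string.
//Returns True if the remote thread was created. The process and thread handles
//are closed here instead of leaking through the global Handle_Process.
Function 远程注入dll(ProcessId, LoadLibraryA_Addr, dll路径字符串)
Dim CodeSize, NewWriteCodeAddr, hProc, hThread
CodeSize = len(dll路径字符串) + 10
NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, dll路径字符串)
hProc = OpenProcess(2035711, False, ProcessId)
hThread = CreateRemoteThread(hProc, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
If hThread <> 0 Then Call CloseHandle(hThread)
Call CloseHandle(hProc)
远程注入dll = (hThread <> 0)
End Function

//Commit `size` bytes of PAGE_EXECUTE_READWRITE memory in process ProcessId and
//return its address (0 on failure). 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE;
//RWX pages are the signature of shellcode injection and are what the rest of this
//library executes from.
//The handle is deliberately left in the global Handle_Process: the byte readers
//(读内存数值A, 读取单/双字节整数) use that global instead of their ProcessId.
//To stop the one-handle-per-call leak, the previous global handle is closed
//before it is replaced (no function in this file closes the global elsewhere;
//assumes Dim inside a Function yields a local, as in VBScript — confirm for this
//dialect).
Function 申请指定进程空间(ProcessId, size)
Dim tmp_Addr
If Handle_Process <> 0 Then Call CloseHandle(Handle_Process)
Handle_Process = OpenProcess(2035711, False, ProcessId)
tmp_Addr = VirtualAllocEx(Handle_Process, 0, size, 4096, 64)
申请指定进程空间 = tmp_Addr
End Function

//Release a region obtained from 申请指定进程空间. 32768 = MEM_RELEASE, which
//requires dwSize = 0. Returns the VirtualFreeEx result (0 = failure). If it never
//succeeds, suspect the ByRef lpAddress in the VirtualFreeEx declaration. Uses a
//local handle so the global Handle_Process is untouched.
Function 释放进程分配空间(ProcessId, Addr)
Dim hProc, ok
hProc = OpenProcess(2035711, False, ProcessId)
ok = VirtualFreeEx(hProc, Addr, 0, 32768)
Call CloseHandle(hProc)
释放进程分配空间 = ok
End Function

//Write 字符串 into the target at lpBaseAddress, one byte per character (Asc() of
//each character; only the low byte survives, so ANSI/ASCII only). No terminating
//NUL is written — callers needing a C string rely on zero-filled slack.
//Cost: one OpenProcess/CloseHandle pair per character (写入单字符ASCII).
Function 写入字符集ASCII(ProcessId, lpBaseAddress, 字符串)
Dim i, 字符代码数值
i = 1
For len(字符串)
字符代码数值 = Asc(mid(字符串, i, 1))
Call 写入单字符ASCII(ProcessId, (lpBaseAddress - 1 + i), 字符代码数值)
i = i + 1
Next
End Function

//Copy 字符串 as a NUL-terminated ANSI string onto THIS process's local heap and
//return its address, for APIs that want a char* (GetProcAddress above).
//The caller owns the block and must LocalFree it.
Function 字符集ASCII变量指针(字符串)
Dim 内存大小, NewAddr, i, 字符代码数值
内存大小 = Len(字符串)
NewAddr = (LocalAlloc(0, 内存大小 + 2)) //+2: room for the 16-bit zero terminator written below
i = 1
For len(字符串)
字符代码数值 = Asc(mid(字符串, i, 1))
Call 写入单字符ASCII(GetCurrentProcessId(), (NewAddr - 1 + i), 字符代码数值)
i = i + 1
Next
call 写入双字节内存整数(GetCurrentProcessId(), (NewAddr - 1 + i), 0) //terminator
字符集ASCII变量指针 = NewAddr
End Function

//Write one byte (the low byte of the UTF-16 unit ChrW(WriteValue)) at
//lpBaseAddress in process ProcessId. WriteValue must be within ChrW's range
//(-32768..65535) or ChrW raises. Opens and closes its own handle.
//The string trick is needed because WriteProcessMemory's buffer is passed by
//reference and the script has no raw byte type.
Function 写入单字符ASCII(ProcessId, lpBaseAddress, WriteValue)
Dim Handle_Process, Addr_Low
Handle_Process = OpenProcess(2035711, false, ProcessId)
Addr_Low = chrw(WriteValue)
Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)
call CloseHandle (Handle_Process)
End Function

//Write a space-separated HEX byte string ("55 8B EC") at WriteAddr in the target,
//one byte at a time through 写入单字节整数 (each "&H.." token is coerced to a
//number there). An empty/blank string writes nothing instead of raising on "&H".
Function 写入字节集(ProcessId, WriteAddr, 十六进制字节集)
Dim NewAddr, 字节数组, i
If Len(Trim(十六进制字节集)) = 0 Then Exit Function
NewAddr = WriteAddr
字节数组 = Split(十六进制字节集, " ")
i = 0
For UBound(字节数组) + 1
call 写入单字节整数(ProcessId, NewAddr + i, "&H" & 字节数组(i))
i = i + 1
Next
End Function

//Copy a space-separated DECIMAL byte string (note: decimal here, hex in 写入字节集)
//into a local-heap block and return its address; the caller must LocalFree it.
//BUG FIX: the block used to be a fixed 200 bytes, so longer inputs overflowed the
//heap allocation. It is now at least 200 bytes and grows with the input.
Function 字节集变量指针(十六进制字节集)
Dim NewAddr, 字节数组, i, n
字节数组 = Split(十六进制字节集, " ")
n = UBound(字节数组) + 1
If n < 200 Then n = 200
NewAddr = LocalAlloc(0, n)
i = 0
For UBound(字节数组) + 1
call 写入单字节整数(GetCurrentProcessId(), NewAddr + i, int(字节数组(i)))
i = i + 1
Next
字节集变量指针 = NewAddr
End Function

//Write the low byte of WriteValue at lpBaseAddress. `mod 256` keeps negatives
//negative (-5 -> ChrW(-5) = U+FFFB, low byte FB), which is still the right byte.
//Opens and closes its own handle.
Function 写入单字节整数(ProcessId, lpBaseAddress, WriteValue)
Dim Handle_Process, Addr_Low
Handle_Process = OpenProcess(2035711, false, ProcessId)
Addr_Low = chrw(WriteValue mod 256)
Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)
call CloseHandle (Handle_Process)
End Function

//Write WriteValue as a 16-bit little-endian word at lpBaseAddress.
//WriteValue must be within ChrW's range (-32768..65535).
Function 写入双字节内存整数(ProcessId, lpBaseAddress, WriteValue)
Dim Handle_Process, Addr_Low
Handle_Process = OpenProcess(2035711, false, ProcessId)
Addr_Low = Chrw(WriteValue)
Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)
call CloseHandle (Handle_Process)
End Function

//Store WriteValue as a 16-bit word in a 2-byte local-heap block and return its
//address (caller must LocalFree).
Function 双字节整数变量指针(WriteValue)
Dim NewAddr, Handle_Process, Addr_Low
NewAddr = LocalAlloc(0, 2)
Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())
Addr_Low = Chrw(WriteValue)
Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0)
Call CloseHandle(Handle_Process)
双字节整数变量指针 = NewAddr
End Function

//Write WriteValue as a 32-bit little-endian DWORD at lpBaseAddress, as two
//16-bit halves (the script has no raw byte buffer).
//BUG FIX: the low word used `WriteValue mod 65536`, which is negative for
//negative WriteValue (addresses >= &H80000000 as a signed Long) and made ChrW
//raise. `And 65535` yields the unsigned low word; Int(WriteValue / 65536) already
//gives the correct (sign-extended) high word.
Function 写入四字节内存整数(ProcessId, lpBaseAddress, WriteValue)
Dim Handle_Process, Addr_Low, Addr_High
Handle_Process = OpenProcess(2035711, false, ProcessId)
Addr_Low = Chrw(WriteValue And 65535)
Addr_High = Chrw(int(WriteValue / 65536))
Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)
Call WriteProcessMemory(Handle_Process, lpBaseAddress + 2, Addr_High, 2, 0)
call CloseHandle (Handle_Process)
End Function

//Store WriteValue as a 32-bit DWORD in a 4-byte local-heap block and return its
//address (caller must LocalFree). Same low/high word split as 写入四字节内存整数.
Function 四字节整数变量指针(WriteValue)
Dim NewAddr, Handle_Process, Addr_Low, Addr_High
NewAddr = LocalAlloc(0, 4)
Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())
Addr_Low = Chrw(WriteValue And 65535)
Addr_High = Chrw(int(WriteValue / 65536))
Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0) //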
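//(lpBaseAddress is where the data lands — tail of the comment cut by the page)
Call WriteProcessMemory(Handle_Process, NewAddr + 2, Addr_High, 2, 0) //high word
call CloseHandle (Handle_Process)
四字节整数变量指针 = NewAddr //BUG FIX: the return value was never assigned, so callers received Empty
End Function

//TypeName() of the argument, for debugging.
Function 获取变量数据类型(变量)
获取变量数据类型 = TypeName(变量)
End Function
//Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long
// CallAnyFunc = CallAsmCode(NewAddr, 0, 0, 0, 0)
//====================================================================================== helpers

//Parse an unsigned hex string ("FFFFFF") into a number. No validation: characters
//outside 0-9/A-F produce garbage rather than an error.
//BUG FIX: the result used to be assigned to 内部使用_十六进制转十进制, so the
//function itself always returned Empty.
Function 十六进制转十进制(十六进制字符串)
Dim D, H, i, Ia
D = 0
H = UCase(十六进制字符串)
For i = 1 To Len(H)
Ia = Asc(Mid(H, i, 1)) - 48
If Ia > 9 Then Ia = Ia - 7
D = D * 16 + Ia
Next
十六进制转十进制 = D
End Function
//======================================================================================= common commands

//Current contents of the instruction buffer (hex text, no separators).
Function W_GetCode()
W_GetCode = PublicCode
End Function

//Little-endian hex encoding of Value in n hex digits (n = 2/4/8 -> imm8/16/32):
//the value is zero-padded (or, for negatives, taken from Hex()'s 8-digit
//two's-complement form), truncated to its low n digits, and the byte pairs are
//reversed. W_HighAndLow(&H1234, 4) = "3412". Values outside the signed 32-bit
//range make Hex() raise.
Function W_HighAndLow(Value, n)
Dim tmp1, tmp2, i
tmp1 = Right("0000000" + Hex(Value), n)
For i = 0 To Len(tmp1) / 2 - 1
tmp2 = tmp2 + Mid(tmp1, Len(tmp1) - 1 - 2 * i, 2)
Next
W_HighAndLow = tmp2
End Function
//Earlier, abandoned variant (dropped the padding for small values, so "0000" cases broke):
//Function W_HighAndLow(Value, n)
// If Value <255 and Value >16 Then
// W_HighAndLow = Hex(Value)
// ElseIf Value < 16 and Value >=0 Then
// W_HighAndLow = "0" + Hex(Value)
// Else
// W_HighAndLow = Hex(htonl(Value))
// End If
//End Function

//---------------------------------------------------------------------------
//x86-32 opcode emitters. Each appends the hex text of ONE instruction to the
//global PublicCode (no separators; RunAsmCode re-spaces it before writing).
//Immediates and displacements are emitted little-endian via W_HighAndLow.
//Encoding rule applied below: the "83 /n ib", "6B /r ib" and [reg+disp8] forms
//carry an imm8/disp8 that the CPU SIGN-EXTENDS, so they are only correct for
//-128..127; any other value must use the imm32/disp32 form.
//---------------------------------------------------------------------------
Function Leave()
PublicCode = PublicCode + "C9"
End Function
Function Pushad()
PublicCode = PublicCode + "60"
End Function
Function Popad()
PublicCode = PublicCode + "61"
End Function
Function Nop()
PublicCode = PublicCode + "90"
End Function
Function Ret()
PublicCode = PublicCode + "C3"
End Function
//ret imm16: pops i bytes of arguments (stdcall epilogue).
Function Retn(i)
PublicCode = PublicCode + "C2" + W_HighAndLow(i, 4)
End Function
//Emits only the 16-bit operand, no opcode — for appending after a hand-written C2.
Function RetA(i)
PublicCode = PublicCode + W_HighAndLow(i, 4)
End Function
//in al, dx — a privileged port read; faults in user mode.
Function IN_AL_DX()
PublicCode = PublicCode + "EC"
End Function
Function TEST_EAX_EAX()
PublicCode = PublicCode + "85C0"
End Function
//Add ++++++++++++++++++++++++++++++++++++
Function Add_EAX_EDX()
PublicCode = PublicCode + "03C2"
End Function
Function Add_EBX_EAX()
PublicCode = PublicCode + "03D8"
End Function
Function Add_EAX_DWORD_Ptr(i)
PublicCode = PublicCode + "0305" + W_HighAndLow(i, 8)
End Function
Function Add_EBX_DWORD_Ptr(i)
PublicCode = PublicCode + "031D" + W_HighAndLow(i, 8)
End Function
Function Add_EBP_DWORD_Ptr(i)
PublicCode = PublicCode + "032D" + W_HighAndLow(i, 8)
End Function
//add eax, imm32 (short form 05 id).
Function Add_EAX(i)
PublicCode = PublicCode + "05" + W_HighAndLow(i, 8)
End Function
//add reg, imm: "83 /0 ib" for -128..127, otherwise "81 /0 id".
//BUG FIX (all five below): the old code emitted 83 Cx followed by a 4-byte
//immediate, i.e. three stray bytes after the instruction that the CPU then
//executed as whatever they decoded to (Add_ESP(4) produced "83 C4 04 00 00 00"
//= add esp,4 / add [eax],al / add [eax],al — a stray memory write).
Function Add_EBX(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83C3" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "81C3" + W_HighAndLow(i, 8)
End If
End Function
Function Add_ECX(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83C1" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "81C1" + W_HighAndLow(i, 8)
End If
End Function
Function Add_EDX(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83C2" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "81C2" + W_HighAndLow(i, 8)
End If
End Function
Function Add_ESI(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83C6" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "81C6" + W_HighAndLow(i, 8)
End If
End Function
Function Add_ESP(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83C4" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "81C4" + W_HighAndLow(i, 8)
End If
End Function
//Call ++++++++++++++++++++++++++++++++++++
Function Call_EAX()
PublicCode = PublicCode + "FFD0"
End Function
Function Call_EBX()
PublicCode = PublicCode + "FFD3"
End Function
Function Call_ECX()
PublicCode = PublicCode + "FFD1"
End Function
Function Call_EDX()
PublicCode = PublicCode + "FFD2"
End Function
Function Call_ESI()
PublicCode = PublicCode + "FFD6"
End Function
Function Call_ESP()
PublicCode = PublicCode + "FFD4"
End Function
Function Call_EBP()
PublicCode = PublicCode + "FFD5"
End Function
Function Call_EDI()
PublicCode = PublicCode + "FFD7"
End Function
//call dword ptr [addr] (FF 15 disp32) — indirect through an absolute pointer slot.
Function Call_DWORD_Ptr_Addr(i)
PublicCode = PublicCode + "FF15" + W_HighAndLow(i, 8)
End Function
//Function Call_DWORD_Ptr_Value(i)
//PublicCode = PublicCode + "E8" + W_HighAndLow(i, 8)
//End Function
//(disabled by the author: E8 takes a RELATIVE displacement from the next
//instruction, not an absolute address, so this encoding was wrong)
Function Call_DWORD_Ptr_EAX()
PublicCode = PublicCode + "FF10"
End Function
Function Call_DWORD_Ptr_EBX()
PublicCode = PublicCode + "FF13"
End Function
//Cmp ++++++++++++++++++++++++++++++++++++
//cmp eax, imm: "83 F8 ib" (sign-extended imm8) for -128..127, else "3D id".
//BUG FIX: the old range was 0..255, so 128..255 were emitted as imm8 and
//compared against a negative value.
Function Cmp_EAX(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "83F8" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "3D" + W_HighAndLow(i, 8)
End If
End Function
Function Cmp_EAX_EDX()
PublicCode = PublicCode + "3BC2"
End Function
Function Cmp_EAX_DWORD_Ptr(i)
PublicCode = PublicCode + "3B05" + W_HighAndLow(i, 8)
End Function
Function Cmp_DWORD_Ptr_EAX(i)
PublicCode = PublicCode + "3905" + W_HighAndLow(i, 8)
End Function
//DEC ++++++++++++++++++++++++++++++++++++
Function Dec_EAX()
PublicCode = PublicCode + "48"
End Function
Function Dec_EBX()
PublicCode = PublicCode + "4B"
End Function
Function Dec_ECX()
PublicCode = PublicCode + "49"
End Function
Function Dec_EDX()
PublicCode = PublicCode + "4A"
End Function
//Idiv ++++++++++++++++++++++++++++++++++++ (edx:eax / reg; edx must be set up first)
Function Idiv_EAX()
PublicCode = PublicCode + "F7F8"
End Function
Function Idiv_EBX()
PublicCode = PublicCode + "F7FB"
End Function
Function Idiv_ECX()
PublicCode = PublicCode + "F7F9"
End Function
Function Idiv_EDX()
PublicCode = PublicCode + "F7FA"
End Function
//Imul ++++++++++++++++++++++++++++++++++++
Function Imul_EAX_EDX()
PublicCode = PublicCode + "0FAFC2"
End Function
//imul eax, eax, imm: "6B C0 ib" (sign-extended imm8) for -128..127, else "69 C0 id".
//BUG FIX: previously always imm8, so 128..255 multiplied by a negative and larger
//values were silently truncated to their low byte.
Function Imul_EAX(i)
If i >= -128 And i <= 127 Then
PublicCode = PublicCode + "6BC0" + W_HighAndLow(i, 2)
Else
PublicCode = PublicCode + "69C0" + W_HighAndLow(i, 8)
End If
End Function
//imul eax, eax, imm32 (always the 32-bit form).
Function ImulB_EAX(i)
PublicCode = PublicCode + "69C0" + W_HighAndLow(i, 8)
End Function
//INC ++++++++++++++++++++++++++++++++++++
Function Inc_EAX()
PublicCode = PublicCode + "40"
End Function
Function Inc_EBX()
PublicCode = PublicCode + "43"
End Function
Function Inc_ECX()
PublicCode = PublicCode + "41"
End Function
Function Inc_EDX()
PublicCode = PublicCode + "42"
End Function
Function Inc_EDI()
PublicCode = PublicCode + "47"
End Function
Function Inc_ESI()
PublicCode = PublicCode + "46"
End Function
Function Inc_DWORD_Ptr_EAX()
PublicCode = PublicCode + "FF00"
End Function
Function Inc_DWORD_Ptr_EBX()
PublicCode = PublicCode + "FF03"
End Function
Function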
Inc_DWORD_Ptr_ECX() PublicCode = PublicCode + "FF01" End Function Function Inc_DWORD_Ptr_EDX() PublicCode = PublicCode + "FF02" End Function 'JMP/JE/JNE '+++++++++++++++++++++++++++++++++++ Function JMP_EAX() PublicCode = PublicCode + "FFE0" End Function 'Mov Function Mov_DWORD_Ptr_Addr_EAX(i) PublicCode = PublicCode + "A3" + W_HighAndLow(i, 8) End Function Function Mov_DWORD_Ptr_Addr_AL(i) PublicCode = PublicCode + "A2" + W_HighAndLow(i, 8) End Function Function Mov_DWORD_Ptr_Addr_AH(i) PublicCode = PublicCode + "8825" + W_HighAndLow(i, 8) End Function Function Mov_EAX_Value(i ) PublicCode = PublicCode + "B8" + W_HighAndLow(i, 8) End Function Function Mov_EBX_Value(i ) PublicCode = PublicCode + "BB" + W_HighAndLow(i, 8) End Function Function Mov_ECX_Value(i ) PublicCode = PublicCode + "B9" + W_HighAndLow(i, 8) End Function Function Mov_EDX_Value(i ) PublicCode = PublicCode + "BA" + W_HighAndLow(i, 8) End Function Function Mov_ESI_Value(i ) PublicCode = PublicCode + "BE" + W_HighAndLow(i, 8) End Function Function Mov_ESP_Value(i ) PublicCode = PublicCode + "BC" + W_HighAndLow(i, 8) End Function Function Mov_EBP_Value(i ) PublicCode = PublicCode + "BD" + W_HighAndLow(i, 8) End Function Function Mov_EDI_Value(i ) PublicCode = PublicCode + "BF" + W_HighAndLow(i, 8) End Function Function Mov_EBX_DWORD_Ptr(i ) PublicCode = PublicCode + "8B1D" + W_HighAndLow(i, 8) End Function Function Mov_ECX_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "8B0D" + W_HighAndLow(i, 8) End Function Function Mov_EAX_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "A1" + W_HighAndLow(i, 8) End Function Function Mov_EDX_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "8B15" + W_HighAndLow(i, 8) End Function Function Mov_ESI_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "8B35" + W_HighAndLow(i, 8) End Function Function Mov_ESP_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "8B25" + W_HighAndLow(i, 8) End Function Function Mov_EBP_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "8B2D" + W_HighAndLow(i, 8) 
End Function Function Mov_EAX_DWORD_Ptr_EAX() PublicCode = PublicCode + "8B00" End Function Function Mov_EAX_DWORD_Ptr_EBP() PublicCode = PublicCode + "8B4500" End Function Function Mov_EAX_DWORD_Ptr_EBX() PublicCode = PublicCode + "8B03" End Function Function Mov_EAX_DWORD_Ptr_ECX() PublicCode = PublicCode + "8B01" End Function Function Mov_EAX_DWORD_Ptr_EDX() PublicCode = PublicCode + "8B02" End Function Function Mov_EAX_DWORD_Ptr_EDI() PublicCode = PublicCode + "8B07" End Function Function Mov_EAX_DWORD_Ptr_ESP() PublicCode = PublicCode + "8B0424" End Function Function Mov_EAX_DWORD_Ptr_ESI() PublicCode = PublicCode + "8B06" End Function Function Mov_EAX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B40" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B80" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4424" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8424" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B43" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B83" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B41" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B81" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B42" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B82" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B47" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B87" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B45" + W_HighAndLow(i, 2) Else PublicCode = 
PublicCode + "8B85" + W_HighAndLow(i, 8) End If End Function Function Mov_EAX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B46" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B86" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B58" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B98" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5C24" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9C24" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5B" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9B" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B59" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B99" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5A" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9A" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5F" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9F" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5D" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9D" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5E" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9E" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_EAX_Add(i) //这里出错过 If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B48" + W_HighAndLow(i, 2) Else 
PublicCode = PublicCode + "8B88" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4C24" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8C24" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4B" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8B" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B49" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B89" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4A" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8A" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4F" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8F" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4D" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8D" + W_HighAndLow(i, 8) End If End Function Function Mov_ECX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B4E" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B8E" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B50" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B90" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B5424" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B9424" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_EBX_Add(i) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B53" + W_HighAndLow(i, 
2) Else PublicCode = PublicCode + "8B93" + W_HighAndLow(i, 8 ) //这里出错过 End If End Function Function Mov_EDX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B51" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B91" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B52" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B92" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B57" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B97" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B55" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B95" + W_HighAndLow(i, 8) End If End Function Function Mov_EDX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8B56" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8B96" + W_HighAndLow(i, 8) End If End Function Function Mov_EBX_DWORD_Ptr_EAX() PublicCode = PublicCode + "8B18" End Function Function Mov_EBX_DWORD_Ptr_EBP() PublicCode = PublicCode + "8B5D00" End Function Function Mov_EBX_DWORD_Ptr_EBX() PublicCode = PublicCode + "8B1B" End Function Function Mov_EBX_DWORD_Ptr_ECX() PublicCode = PublicCode + "8B19" End Function Function Mov_EBX_DWORD_Ptr_EDX() PublicCode = PublicCode + "8B1A" End Function Function Mov_EBX_DWORD_Ptr_EDI() PublicCode = PublicCode + "8B1F" End Function Function Mov_EBX_DWORD_Ptr_ESP() PublicCode = PublicCode + "8B1C24" End Function Function Mov_EBX_DWORD_Ptr_ESI() PublicCode = PublicCode + "8B1E" End Function Function Mov_ECX_DWORD_Ptr_EAX() PublicCode = PublicCode + "8B08" End Function Function Mov_ECX_DWORD_Ptr_EBP() PublicCode = PublicCode + "8B4D00" End Function Function Mov_ECX_DWORD_Ptr_EBX() PublicCode = PublicCode + "8B0B" End Function Function Mov_ECX_DWORD_Ptr_ECX() 
PublicCode = PublicCode + "8B09" End Function Function Mov_ECX_DWORD_Ptr_EDX() PublicCode = PublicCode + "8B0A" End Function Function Mov_ECX_DWORD_Ptr_EDI() PublicCode = PublicCode + "8B0F" End Function Function Mov_ECX_DWORD_Ptr_ESP() PublicCode = PublicCode + "8B0C24" End Function Function Mov_ECX_DWORD_Ptr_ESI() PublicCode = PublicCode + "8B0E" End Function Function Mov_EDX_DWORD_Ptr_EAX() PublicCode = PublicCode + "8B10" End Function Function Mov_EDX_DWORD_Ptr_EBP() PublicCode = PublicCode + "8B5500" End Function Function Mov_EDX_DWORD_Ptr_EBX() PublicCode = PublicCode + "8B13" End Function Function Mov_EDX_DWORD_Ptr_ECX() PublicCode = PublicCode + "8B11" End Function Function Mov_EDX_DWORD_Ptr_EDX() PublicCode = PublicCode + "8B12" End Function Function Mov_EDX_DWORD_Ptr_EDI() PublicCode = PublicCode + "8B17" End Function Function Mov_EDX_DWORD_Ptr_ESI() PublicCode = PublicCode + "8B16" End Function Function Mov_EDX_DWORD_Ptr_ESP() PublicCode = PublicCode + "8B1424" End Function Function Mov_EAX_EBP() PublicCode = PublicCode + "8BC5" End Function Function Mov_EAX_EBX() PublicCode = PublicCode + "8BC3" End Function Function Mov_EAX_ECX() PublicCode = PublicCode + "8BC1" End Function Function Mov_EAX_EDI() PublicCode = PublicCode + "8BC7" End Function Function Mov_EAX_EDX() PublicCode = PublicCode + "8BC2" End Function Function Mov_EAX_ESI() PublicCode = PublicCode + "8BC6" End Function Function Mov_EAX_ESP() PublicCode = PublicCode + "8BC4" End Function Function Mov_EBX_EBP() PublicCode = PublicCode + "8BDD" End Function Function Mov_EBX_EAX() PublicCode = PublicCode + "8BD8" End Function Function Mov_EBX_ECX() PublicCode = PublicCode + "8BD9" End Function Function Mov_EBX_EDI() PublicCode = PublicCode + "8BDF" End Function Function Mov_EBX_EDX() PublicCode = PublicCode + "8BDA" End Function Function Mov_EBX_ESI() PublicCode = PublicCode + "8BDE" End Function Function Mov_EBX_ESP() PublicCode = PublicCode + "8BDC" End Function Function Mov_ECX_EBP() PublicCode 
= PublicCode + "8BCD" End Function Function Mov_ECX_EAX() PublicCode = PublicCode + "8BC8" End Function Function Mov_ECX_EBX() PublicCode = PublicCode + "8BCB" End Function Function Mov_ECX_EDI() PublicCode = PublicCode + "8BCF" End Function Function Mov_ECX_EDX() PublicCode = PublicCode + "8BCA" End Function Function Mov_ECX_ESI() PublicCode = PublicCode + "8BCE" End Function Function Mov_ECX_ESP() PublicCode = PublicCode + "8BCC" End Function Function Mov_EDX_EBP() PublicCode = PublicCode + "8BD5" End Function Function Mov_EDX_EBX() PublicCode = PublicCode + "8BD3" End Function Function Mov_EDX_ECX() PublicCode = PublicCode + "8BD1" End Function Function Mov_EDX_EDI() PublicCode = PublicCode + "8BD7" End Function Function Mov_EDX_EAX() PublicCode = PublicCode + "8BD0" End Function Function Mov_EDX_ESI() PublicCode = PublicCode + "8BD6" End Function Function Mov_EDX_ESP() PublicCode = PublicCode + "8BD4" End Function Function Mov_ESI_EBP() PublicCode = PublicCode + "8BF5" End Function Function Mov_ESI_EBX() PublicCode = PublicCode + "8BF3" End Function Function Mov_ESI_ECX() PublicCode = PublicCode + "8BF1" End Function Function Mov_ESI_EDI() PublicCode = PublicCode + "8BF7" End Function Function Mov_ESI_EAX() PublicCode = PublicCode + "8BF0" End Function Function Mov_ESI_EDX() PublicCode = PublicCode + "8BF2" End Function Function Mov_ESI_ESP() PublicCode = PublicCode + "8BF4" End Function Function Mov_ESP_EBP() PublicCode = PublicCode + "8BE5" End Function Function Mov_ESP_EBX() PublicCode = PublicCode + "8BE3" End Function Function Mov_ESP_ECX() PublicCode = PublicCode + "8BE1" End Function Function Mov_ESP_EDI() PublicCode = PublicCode + "8BE7" End Function Function Mov_ESP_EAX() PublicCode = PublicCode + "8BE0" End Function Function Mov_ESP_EDX() PublicCode = PublicCode + "8BE2" End Function Function Mov_ESP_ESI() PublicCode = PublicCode + "8BE6" End Function Function Mov_EDI_EBP() PublicCode = PublicCode + "8BFD" End Function Function Mov_EDI_EAX() 
PublicCode = PublicCode + "8BF8" End Function Function Mov_EDI_EBX() PublicCode = PublicCode + "8BFB" End Function Function Mov_EDI_ECX() PublicCode = PublicCode + "8BF9" End Function Function Mov_EDI_EDX() PublicCode = PublicCode + "8BFA" End Function Function Mov_EDI_ESI() PublicCode = PublicCode + "8BFE" End Function Function Mov_EDI_ESP() PublicCode = PublicCode + "8BFC" End Function Function Mov_EBP_EDI() PublicCode = PublicCode + "8BDF" End Function Function Mov_EBP_EAX() PublicCode = PublicCode + "8BE8" End Function Function Mov_EBP_EBX() PublicCode = PublicCode + "8BEB" End Function Function Mov_EBP_ECX() PublicCode = PublicCode + "8BE9" End Function Function Mov_EBP_EDX() PublicCode = PublicCode + "8BEA" End Function Function Mov_EBP_ESI() PublicCode = PublicCode + "8BEE" End Function Function Mov_EBP_ESP() PublicCode = PublicCode + "8BEC" End Function 'Push '+++++++++++++++++++++++++++++++++++ Function Push(i) If i <= 127 and i >= 0 Then PublicCode = PublicCode + "6A" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "68" + W_HighAndLow(i, 8) End If End Function Function Push_DWORD_Ptr_Addr(i ) PublicCode = PublicCode + "FF35" + W_HighAndLow(i, 8) End Function Function Push_EAX() PublicCode = PublicCode + "50" End Function Function Push_ECX() PublicCode = PublicCode + "51" End Function Function Push_EDX() PublicCode = PublicCode + "52" End Function Function Push_EBX() PublicCode = PublicCode + "53" End Function Function Push_ESP() PublicCode = PublicCode + "54" End Function Function Push_EBP() PublicCode = PublicCode + "55" End Function Function Push_ESI() PublicCode = PublicCode + "56" End Function Function Push_EDI() PublicCode = PublicCode + "57" End Function 'LEA Function Lea_EAX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D40" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D80" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode 
+ "8D43" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D83" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D41" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D81" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D42" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D82" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D46" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D86" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D40" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D80" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4424" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8424" + W_HighAndLow(i, 8) End If End Function Function Lea_EAX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D47" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D87" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D58" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D98" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5C24" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9C24" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5B" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9B" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = 
PublicCode + "8D59" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D99" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5A" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9A" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5F" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9F" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5D" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9D" + W_HighAndLow(i, 8) End If End Function Function Lea_EBX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5E" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9E" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D48" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D88" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4C24" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8C24" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4B" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8B" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D49" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D89" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4A" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8A" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then 
PublicCode = PublicCode + "8D4F" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8F" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4D" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8D" + W_HighAndLow(i, 8) End If End Function Function Lea_ECX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D4E" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D8E" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_EAX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D50" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D90" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_ESP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D5424" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D9424" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_EBX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D53" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D93" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_ECX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D51" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D91" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_EDX_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D52" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D92" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_EDI_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D57" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D97" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_EBP_Add(i ) If i <= 255 and i >= 0 Then PublicCode = PublicCode + "8D55" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D95" + W_HighAndLow(i, 8) End If End Function Function Lea_EDX_DWORD_Ptr_ESI_Add(i ) If i <= 255 and i >= 0 
Then PublicCode = PublicCode + "8D56" + W_HighAndLow(i, 2) Else PublicCode = PublicCode + "8D96" + W_HighAndLow(i, 8) End If End Function Function Pop_EAX() PublicCode = PublicCode + "58" End Function Function Pop_EBX() PublicCode = PublicCode + "5B" End Function Function Pop_ECX() PublicCode = PublicCode + "59" End Function Function Pop_EDX() PublicCode = PublicCode + "5A" End Function Function Pop_ESI() PublicCode = PublicCode + "5E" End Function Function Pop_ESP() PublicCode = PublicCode + "5C" End Function Function Pop_EDI() PublicCode = PublicCode + "5F" End Function Function Pop_EBP() PublicCode = PublicCode + "5D" End Function Function ABC交流_类人猿技术群_526897608() //这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC交流_类人猿技术Q_578052137() //这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC说明_结束按键精灵不能内联汇编历史(希望大家喜欢按键) //这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC说明_该版本是更新3版本(具体说明咨询群主,期望大神们给我指导建议完善) //这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC说明_休息(暂停工作两周) //这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC感谢_大神们技术上支持和建议完成本库()//这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function Function ABC说明下面是代码库()//这个功能是将字节集转化成空格形式55 8B EC A1 7C 24 TracePrint "技术联系类人猿Q: 578052137" End Function //=======================================================测试阶段======================= |