Patch diffing with an Excel macro is simpler than with a graphical diff tool!

2014-07-21 10:05:14 | Category: 方法技巧 (methods and tips)

A couple of days ago I used a simple Excel macro to compare the call instructions in the old and new rdpwd.sys, and that was enough to find the two places the patch changed.

The macro used:

[image: the Excel macro]

 

First location:

[image: first differing location]
 
Second location:
[image: second differing location]
 
Second location, after the fix:
[image: second location after the fix]
 
Once the differing spots are found, their addresses are used to locate the corresponding functions in the W32Dasm disassembly listing.
Those functions are then pasted into AutoCAD and compared by overlaying them, which makes the differences stand out.
[images: the two functions overlaid in AutoCAD]
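The procedure above boils down to lining up two listings whose addresses have shifted and spotting where the instruction stream differs. The author did that with an Excel macro over the call instructions; the script below is an added example, not the page's macro, written in Python so it runs anywhere, and it generalizes the idea to every instruction: it parses W32Dasm-style listing lines, drops the `* Referenced by ...` cross-reference comments, masks the 8-digit targets of call and jump instructions (which move with every patch), and diffs what remains with difflib. The two excerpts embedded as input are windows taken from the first patched function on this page; the regexes, function names and the `ADDR` placeholder are this example's own.

```python
"""Added example: diff two W32Dasm-style listings so that only real
instruction changes surface, not the address shifts a patch causes."""
import difflib
import re
from typing import List, Tuple

# Matches ":0001F452 395824                  cmp dword ptr [eax+24], ebx"
LINE_RE = re.compile(r"^:([0-9a-f]{8})\s+([0-9a-f]+)\s+(.*\S)\s*$", re.I)
HEX32_RE = re.compile(r"\b[0-9a-f]{8}\b")

Insn = Tuple[str, str]  # (address, normalized instruction text)


def normalize(insn: str) -> str:
    """Lower-case, collapse whitespace and, for call/jump instructions only,
    replace the 8-digit target with ADDR.  Targets move whenever code is
    inserted, so leaving them in would flag every branch after the patch;
    immediates such as 00000001 and displacements such as [eax+24] are kept."""
    insn = re.sub(r"\s+", " ", insn.strip()).lower()
    mnemonic = insn.split(" ", 1)[0]
    if mnemonic == "call" or mnemonic.startswith("j"):
        insn = HEX32_RE.sub("ADDR", insn)
    return insn


def parse_listing(text: str) -> List[Insn]:
    """Keep only instruction lines.  W32Dasm's '* Referenced by ...' and
    '|:0001F456(C)' lines carry addresses that change with every build."""
    out: List[Insn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1).upper(), normalize(m.group(3))))
    return out


def diff_listings(old_text: str, new_text: str) -> List[Tuple[str, List[Insn], List[Insn]]]:
    """Non-equal difflib opcodes over the two instruction streams, with the
    (address, instruction) pairs of each side attached for reporting."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    sm = difflib.SequenceMatcher(a=[i for _, i in old], b=[i for _, i in new],
                                 autojunk=False)
    return [(tag, old[i1:i2], new[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def inserted_instructions(old_text: str, new_text: str) -> List[str]:
    """Instructions present in the new build that the old one lacks."""
    return [insn for _tag, _old, new in diff_listings(old_text, new_text)
            for _addr, insn in new]


def report(old_text: str, new_text: str) -> List[str]:
    """Unified-diff style lines, each tagged with its own build's address."""
    lines: List[str] = []
    for _tag, old, new in diff_listings(old_text, new_text):
        lines += [f"- {addr} {insn}" for addr, insn in old]
        lines += [f"+ {addr} {insn}" for addr, insn in new]
    return lines


# Excerpts from the first patched function on this page (rdpwd_old.sys and
# rdpwd_gdr_new.sys), trimmed to the window around the change.
OLD_EXCERPT = """\
:0001F429 66895810                mov word ptr [eax+10], bx
:0001F42D 8B06                    mov eax, dword ptr [esi]
:0001F42F 8B4024                  mov eax, dword ptr [eax+24]
:0001F432 014814                  add dword ptr [eax+14], ecx
:0001F435 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F438 6A08                    push 00000008
:0001F43A C6400E2F                mov [eax+0E], 2F
"""

NEW_EXCERPT = """\
:0001F44C 66895810                mov word ptr [eax+10], bx
:0001F450 8B06                    mov eax, dword ptr [esi]
:0001F452 395824                  cmp dword ptr [eax+24], ebx
:0001F455 5F                      pop edi
:0001F456 7406                    je 0001F45E
:0001F458 8B4024                  mov eax, dword ptr [eax+24]
:0001F45B 014814                  add dword ptr [eax+14], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001F456(C)
|
:0001F45E 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F461 8B550C                  mov edx, dword ptr [ebp+0C]
:0001F464 6A08                    push 00000008
:0001F466 C6400E2F                mov [eax+0E], 2F
"""

if __name__ == "__main__":
    print("\n".join(report(OLD_EXCERPT, NEW_EXCERPT)))
```

On these excerpts the output lists exactly the inserted NULL check (`cmp dword ptr [eax+24], ebx` / `je ADDR`, plus the relocated `pop edi` and `mov edx`) and nothing else, because the shifted addresses and the moved branch target have been masked out. For a whole driver, feed it the full listings exported from W32Dasm; the address columns in the report then give you the spot to look up in each build.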
 
Finally, a summary of the relevant disassembly:
 
1. First location: the relevant function and where it differs
[rdpwd_old.sys]
:0001F3D6 8BFF                    mov edi, edi
:0001F3D8 55                      push ebp
:0001F3D9 8BEC                    mov ebp, esp
:0001F3DB 51                      push ecx
:0001F3DC 53                      push ebx
:0001F3DD 56                      push esi
:0001F3DE 8B7508                  mov esi, dword ptr [ebp+08]
:0001F3E1 8B06                    mov eax, dword ptr [esi]
:0001F3E3 33DB                    xor ebx, ebx
:0001F3E5 53                      push ebx
:0001F3E6 895DFC                  mov dword ptr [ebp-04], ebx
:0001F3E9 8B485C                  mov ecx, dword ptr [eax+5C]
:0001F3EC 6A16                    push 00000016
:0001F3EE 8D55FC                  lea edx, dword ptr [ebp-04]
:0001F3F1 E84E58FFFF              call 00014C44
:0001F3F6 85C0                    test eax, eax
:0001F3F8 755C                    jne 0001F456
:0001F3FA 57                      push edi
:0001F3FB 8B7DFC                  mov edi, dword ptr [ebp-04]
:0001F3FE AB                      stosd
:0001F3FF AB                      stosd
:0001F400 AB                      stosd
:0001F401 AB                      stosd
:0001F402 AB                      stosd
:0001F403 8B550C                  mov edx, dword ptr [ebp+0C]
:0001F406 66AB                    stosw
:0001F408 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F40B 66C740021700            mov [eax+02], 0017
:0001F411 66895804                mov word ptr [eax+04], bx
:0001F415 6A16                    push 00000016
:0001F417 59                      pop ecx
:0001F418 668908                  mov word ptr [eax], cx
:0001F41B 895806                  mov dword ptr [eax+06], ebx
:0001F41E C6400B01                mov [eax+0B], 01
:0001F422 6689480C                mov word ptr [eax+0C], cx
:0001F426 88580F                  mov byte ptr [eax+0F], bl
:0001F429 66895810                mov word ptr [eax+10], bx
:0001F42D 8B06                    mov eax, dword ptr [esi]
[In the old build there is no check here]
:0001F42F 8B4024                  mov eax, dword ptr [eax+24] // if this pointer is zero, the add on the next line dereferences [0+14] and faults
:0001F432 014814                  add dword ptr [eax+14], ecx
:0001F435 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F438 6A08                    push 00000008
:0001F43A C6400E2F                mov [eax+0E], 2F
:0001F43E 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F441 53                      push ebx
:0001F442 53                      push ebx
:0001F443 895012                  mov dword ptr [eax+12], edx
:0001F446 8B06                    mov eax, dword ptr [esi]
:0001F448 8B55FC                  mov edx, dword ptr [ebp-04]
:0001F44B 53                      push ebx
:0001F44C 51                      push ecx
:0001F44D 8B485C                  mov ecx, dword ptr [eax+5C]
:0001F450 E81966FFFF              call 00015A6E
:0001F455 5F                      pop edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001F3F8(C)
|
:0001F456 5E                      pop esi
:0001F457 5B                      pop ebx
:0001F458 C9                      leave
:0001F459 C20800                  ret 0008
==========================
[rdpwd_gdr_new.sys]
:0001F3FC 8BFF                    mov edi, edi
:0001F3FE 55                      push ebp
:0001F3FF 8BEC                    mov ebp, esp
:0001F401 51                      push ecx
:0001F402 53                      push ebx
:0001F403 56                      push esi
:0001F404 8B7508                  mov esi, dword ptr [ebp+08]
:0001F407 8B06                    mov eax, dword ptr [esi]
:0001F409 33DB                    xor ebx, ebx
:0001F40B 53                      push ebx
:0001F40C 895DFC                  mov dword ptr [ebp-04], ebx
:0001F40F 8B485C                  mov ecx, dword ptr [eax+5C]
:0001F412 6A16                    push 00000016
:0001F414 8D55FC                  lea edx, dword ptr [ebp-04]
:0001F417 E84058FFFF              call 00014C5C
:0001F41C 85C0                    test eax, eax
:0001F41E 7561                    jne 0001F481
:0001F420 57                      push edi
:0001F421 8B7DFC                  mov edi, dword ptr [ebp-04]
:0001F424 AB                      stosd
:0001F425 AB                      stosd
:0001F426 AB                      stosd
:0001F427 AB                      stosd
:0001F428 AB                      stosd
:0001F429 66AB                    stosw
:0001F42B 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F42E 6A16                    push 00000016
:0001F430 59                      pop ecx
:0001F431 66C740021700            mov [eax+02], 0017
:0001F437 66895804                mov word ptr [eax+04], bx
:0001F43B 668908                  mov word ptr [eax], cx
:0001F43E 895806                  mov dword ptr [eax+06], ebx
:0001F441 C6400B01                mov [eax+0B], 01
:0001F445 6689480C                mov word ptr [eax+0C], cx
:0001F449 88580F                  mov byte ptr [eax+0F], bl
:0001F44C 66895810                mov word ptr [eax+10], bx
:0001F450 8B06                    mov eax, dword ptr [esi]
[added: begin]
 :0001F452 395824                  cmp dword ptr [eax+24], ebx
 :0001F455 5F                      pop edi
 :0001F456 7406                    je 0001F45E
[added: end. The pop edi at 0001F455 is not new: in the old build it sat right after the call to 00015A6E, and it has been moved ahead of the branch so both paths share one epilogue.]
:0001F458 8B4024                  mov eax, dword ptr [eax+24]
:0001F45B 014814                  add dword ptr [eax+14], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001F456(C)
|
:0001F45E 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F461 8B550C                  mov edx, dword ptr [ebp+0C]
:0001F464 6A08                    push 00000008
:0001F466 C6400E2F                mov [eax+0E], 2F
:0001F46A 8B45FC                  mov eax, dword ptr [ebp-04]
:0001F46D 53                      push ebx
:0001F46E 53                      push ebx
:0001F46F 895012                  mov dword ptr [eax+12], edx
:0001F472 8B06                    mov eax, dword ptr [esi]
:0001F474 8B55FC                  mov edx, dword ptr [ebp-04]
:0001F477 53                      push ebx
:0001F478 51                      push ecx
:0001F479 8B485C                  mov ecx, dword ptr [eax+5C]
:0001F47C E80F66FFFF              call 00015A90
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001F41E(C)
|
:0001F481 5E                      pop esi
:0001F482 5B                      pop ebx
:0001F483 C9                      leave
:0001F484 C20800                  ret 0008
 
==========================
 
2. Second location: the relevant function and where it differs
[rdpwd_old.sys]
:0002CAE8 8BFF                    mov edi, edi
:0002CAEA 55                      push ebp
:0002CAEB 8BEC                    mov ebp, esp
:0002CAED 83EC0C                  sub esp, 0000000C
:0002CAF0 8B450C                  mov eax, dword ptr [ebp+0C]
:0002CAF3 56                      push esi
:0002CAF4 8BF1                    mov esi, ecx
:0002CAF6 C70001000000            mov dword ptr [eax], 00000001
:0002CAFC F6461020                test [esi+10], 20
:0002CB00 0F8488000000            je 0002CB8E
:0002CB06 53                      push ebx
:0002CB07 33DB                    xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB1C(C)
|
:0002CB09 8D45FC                  lea eax, dword ptr [ebp-04]
:0002CB0C 50                      push eax
:0002CB0D 53                      push ebx
:0002CB0E 6A0B                    push 0000000B
:0002CB10 6A01                    push 00000001
:0002CB12 53                      push ebx
:0002CB13 FF36                    push dword ptr [esi]
* Reference To: TERMDD.IcaBufferAlloc, Ord:0002h
                                  |
:0002CB15 E8A879FFFF              Call 000244C2
:0002CB1A 85C0                    test eax, eax
:0002CB1C 75EB                    jne 0002CB09
:0002CB1E 8D450F                  lea eax, dword ptr [ebp+0F]
:0002CB21 50                      push eax
:0002CB22 8D45F4                  lea eax, dword ptr [ebp-0C]
:0002CB25 50                      push eax
:0002CB26 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB29 50                      push eax
:0002CB2A 53                      push ebx
:0002CB2B 53                      push ebx
:0002CB2C 53                      push ebx
:0002CB2D 56                      push esi
:0002CB2E E83BE8FFFF              call 0002B36E
:0002CB33 85C0                    test eax, eax
:0002CB35 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB38 FF7010                  push [eax+10]
:0002CB3B 7520                    jne 0002CB5D
:0002CB3D 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB40 FF700C                  push [eax+0C]
:0002CB43 6A01                    push 00000001
:0002CB45 53                      push ebx
:0002CB46 E87FFBFFFF              call 0002C6CA
:0002CB4B 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB4E C740140B000000          mov [eax+14], 0000000B
:0002CB55 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB58 885804                  mov byte ptr [eax+04], bl
:0002CB5B EB13                    jmp 0002CB70
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB3B(C)
|
:0002CB5D 53                      push ebx
:0002CB5E 53                      push ebx
:0002CB5F 6A0E                    push 0000000E
:0002CB61 E864FBFFFF              call 0002C6CA
:0002CB66 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB69 C7401409000000          mov [eax+14], 00000009
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB5B(U)
|
:0002CB70 FF75FC                  push [ebp-04]
:0002CB73 56                      push esi
:0002CB74 E807F7FFFF              call 0002C280
:0002CB79 85C0                    test eax, eax
:0002CB7B 5B                      pop ebx
:0002CB7C 7D10                    jge 0002CB8E
:0002CB7E 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB81 50                      push eax
:0002CB82 FF75F8                  push [ebp-08]
:0002CB85 83C670                  add esi, 00000070
:0002CB88 56                      push esi
:0002CB89 E81CF5FFFF              call 0002C0AA
[nothing here in the old build]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0002CB00(C), :0002CB7C(C)
|
:0002CB8E B001                    mov al, 01
:0002CB90 5E                      pop esi
:0002CB91 C9                      leave
:0002CB92 C20800                  ret 0008
==================
[rdpwd_gdr_new.sys]
:0002CB44 8BFF                    mov edi, edi
:0002CB46 55                      push ebp
:0002CB47 8BEC                    mov ebp, esp
:0002CB49 83EC0C                  sub esp, 0000000C
:0002CB4C 8B450C                  mov eax, dword ptr [ebp+0C]
:0002CB4F 53                      push ebx
:0002CB50 56                      push esi
:0002CB51 8BF1                    mov esi, ecx
:0002CB53 C70001000000            mov dword ptr [eax], 00000001
:0002CB59 F6461020                test [esi+10], 20
:0002CB5D 0F849A000000            je 0002CBFD
:0002CB63 33DB                    xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB78(C)
|
:0002CB65 8D45FC                  lea eax, dword ptr [ebp-04]
:0002CB68 50                      push eax
:0002CB69 53                      push ebx
:0002CB6A 6A0B                    push 0000000B
:0002CB6C 6A01                    push 00000001
:0002CB6E 53                      push ebx
:0002CB6F FF36                    push dword ptr [esi]
* Reference To: TERMDD.IcaBufferAlloc, Ord:0002h
                                  |
:0002CB71 E88079FFFF              Call 000244F6
:0002CB76 85C0                    test eax, eax
:0002CB78 75EB                    jne 0002CB65
:0002CB7A 8D450F                  lea eax, dword ptr [ebp+0F]
:0002CB7D 50                      push eax
:0002CB7E 8D45F4                  lea eax, dword ptr [ebp-0C]
:0002CB81 50                      push eax
:0002CB82 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB85 50                      push eax
:0002CB86 53                      push ebx
:0002CB87 53                      push ebx
:0002CB88 53                      push ebx
:0002CB89 56                      push esi
:0002CB8A E81FE8FFFF              call 0002B3AE
:0002CB8F 85C0                    test eax, eax
:0002CB91 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB94 FF7010                  push [eax+10]
:0002CB97 7520                    jne 0002CBB9
:0002CB99 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB9C FF700C                  push [eax+0C]
:0002CB9F 6A01                    push 00000001
:0002CBA1 53                      push ebx
:0002CBA2 E87FFBFFFF              call 0002C726
:0002CBA7 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CBAA C740140B000000          mov [eax+14], 0000000B
:0002CBB1 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CBB4 885804                  mov byte ptr [eax+04], bl
:0002CBB7 EB13                    jmp 0002CBCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB97(C)
|
:0002CBB9 53                      push ebx
:0002CBBA 53                      push ebx
:0002CBBB 6A0E                    push 0000000E
:0002CBBD E864FBFFFF              call 0002C726
:0002CBC2 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CBC5 C7401409000000          mov [eax+14], 00000009
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CBB7(U)
|
:0002CBCC FF75FC                  push [ebp-04]
:0002CBCF 56                      push esi
:0002CBD0 E803F7FFFF              call 0002C2D8
:0002CBD5 85C0                    test eax, eax
:0002CBD7 7D24                    jge 0002CBFD
:0002CBD9 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CBDC 50                      push eax
:0002CBDD FF75F8                  push [ebp-08]
:0002CBE0 83C670                  add esi, 00000070
:0002CBE3 56                      push esi
:0002CBE4 E819F5FFFF              call 0002C102
[added: begin]
 :0002CBE9 8B45F8                  mov eax, dword ptr [ebp-08]
 :0002CBEC 3BC3                    cmp eax, ebx
 :0002CBEE 740D                    je 0002CBFD
 :0002CBF0 385805                  cmp byte ptr [eax+05], bl
 :0002CBF3 7508                    jne 0002CBFD
 :0002CBF5 53                      push ebx
 :0002CBF6 50                      push eax
 * Reference To: ntoskrnl.ExFreePoolWithTag, Ord:004Eh
       |
 :0002CBF7 FF15B8E00200            Call dword ptr [0002E0B8]
 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
 |:0002CB5D(C), :0002CBD7(C), :0002CBEE(C), :0002CBF3(C)
 |
 :0002CBFD 5E                      pop esi
[added: end. The pop esi at 0002CBFD is the shared exit label that all four jumps target; it was moved up from after mov al, 01 (0002CB90 in the old build). The prologue also changed: push ebx moved from 0002CB06 to 0002CB4F, so ebx is now saved on every path and the matching pop ebx sits after mov al, 01 instead of before the jge.]
:0002CBFE B001                    mov al, 01
:0002CC00 5B                      pop ebx
:0002CC01 C9                      leave
:0002CC02 C20800                  ret 0008