CE傻瓜教程七：代码注入

第七关的密码是013370从本关开始，各位会初步接触到CE的反汇编功能，这也是CE最强大的功能之一。在第6关的时候我们说到指针的找法，用基址定位动态地址。但这一关不用指针也可以进行修改，即使对方是动态地址，且功能更加强大。看看教程让我们做什么：原来每按一次按钮减少1点血，改成每按一次按钮增加2点血。还记得第5关的不伤血的修改方法吗？这一关就是第5关的加强版。查找血量的地址，然后再地址上右键=>查找写入的地址然后按一下打我按钮，会出现一行汇编代码0045a063-ff8b10030000-dec[ebx+00000310]双击那行代码，看下详细信息:0045目05日-mo7fs:[eax]fesp0045a05d-movesi.r[ebx4-00000310]»CJt]45aO63-dec[ebx+00000310；0045日069-leaedx,[ebp-04]0045a06c-moveaxJebx+00DD03101DeCTementby1EDX=01E1278C£51=00000063EDI=0018F628EBP=0018F4ACESP=0018F490EDX=01E1278C£51=00000063EDI=0018F628EBP=0018F4ACESP=0018F490田EIP二0045A0&9「E日X=01E0EE18指令执行后寄存精的状态显示在这里确定这行代码什么意思呢？dec大家都知道是英文减少的意思图示红框处：EBX=01e0ee18我们用计算器算一下（注意是16进制的）01e0ee18+310=01E0F128正好是血量的地址。dec[ebx+00000310]=dec[01E0F128]够清楚了吧，这就是让血量减1的代码（1省略了），其实CE中也有提示Decrementby1。明白了这行代码的意思，我们回去看看Tutorial的要求：把减1改成加2。继续操作。选择反汇编程序点击工具，选择自动汇编立件〔5绿(Vi视囹CW)谒试(X)［工mi］闷核工具0)地址指金0t?J5A0e3Q045AQe90045A0^C0045AO720045AO770045A07A0045A0800045A0850045A0860045A08C0045A08D0045A0SE0045A0910045A0930045AO?70045A0g9Ff8b100300,.,dec[ebs-KJOBd55ftleaed^r[ebp'BbS310OSO...moveaxT[sbeSdefafFcall00-407ec-_8b55fi:movedxf[ebSb8300030...movesMf[ebe87bd7fti汗call004378018b8310030...move3K,[eb-995250ad^QZ33d23b5424047503360424cdqpushedxpusheaxleaea^i[esHxoredcmp--jne0045a09i；cmpe3xr[esfM'S冒抽*0045E0000045E010□045E020□045E030□045E040□045E0500000004CEB40E400F8◎0000000000F8408D402040D7CF£800000044FF4072138E8D4000淳4000:CEDBD8分配内存〔N)Ctrl+Alt+MCodeCavesCC]Ctrl-1-Alt-I-C■埴充内存。Ctrl+Alt+F驾建线程(Q)CVlmlXT分析代码〔R〕Ctrl+J倒f数据碍构⑶}Ctrlh-DCtrl+W洽析PE奖文件可CVl+A略P指针扫商U)Ctrl卬监疵存缠W)Shift4-Ctrl+MCtrl+■Alt}±ADLLCD]Ctrl+IA目躇暨(小Ctrl4-A眸掴摩咽CtfkAlt-^A曜不控副台⑥Shift4Ctrl4-CA8E045002409E001@)@)OSDAD9400000CBCC：'G8

CADC-'DDDEDFE0FE$a

展Et£□045E060ElE300E4E58D400045727'^6F7^."008BC0aaaa四Error1A0045E070辑75&E74696D6520657272-:；6F7>?2020.;20Runtimeerror-0045E08020'206174203030303030303030008BC0at[10300000|A0045E090303134353637383S41424T.444546ai2345678?AB0DEF□045E0A000000000000000000000000000004000□045E0B000000000000000000000400000000000©□045E0C000000000OC000000o^-oo000006000000□045E0D001000000BOIDOC00000000003-2：008BC0,2-11□045E0E0IF001C00IF00IE00IF00IE00IFMIF000045E0F0IE00IF00IE00IF00IE'00ID00IE'00IE000045E1.00IF00IE00IF00IF00IE00IF00IE00IF00第一步选择作弊框架代码第二步选择代码注入对应的地址不要搞错了，是0045A063然后按确定，会自动生成汇编代码，这些代码是什么意思，我们先不管，找到关键的一行:dec[ebx+00000310]「琶目动匚竭I口.回i"-把代码注释掉（删除也行），改成add[ebx+00000310],2

C目动匚编.口回保存即可，然后在地址栏就可以看到这个脚本了，点击前面的单选框执行，然后点击Tutorial中的打我，这关就可以过了。ATTn.ATTn.你感觉到他的神奇了吗？逆天级的修改：1、怪物每次打我从伤血变成加血。2、子弹越打越多。3、钱越花越多。如果你学会了这一关，你已经脱离菜鸟的行列了，不要再提金山游侠，FPE，GM8之类的修改工具了，告诉你们的朋友快来学习CE吧。最后，再强调一下CE中的模块地址：在第6关的后面有提到过CE的模块地址，我说过这是科学的添加方法。这一关也同样适用，就是在代码注入的时候。文件(U)醵(V)r地址LJ.子T0045A063ffabl0045A0698d55•0Q45A06C8b830045A072eS4ck0045AO77Sb5510045A07A文件(U)醵(V)r地址LJ.子T0045A063ffabl0045A0698d55•0Q45A06C8b830045A072eS4ck0045AO77Sb5510045A07ASbSSI0045A080e87b(0045A0858b830045A08B99OIM5AOSC520045A08D500045A08E8d46(0045A09L33d20045A0933b54：0045A09775030045AOg93b加Ea_一Alocation?rotect=Exei00堆程追踪CN断蔚蕉。澹忒学符号【Q)Ctrl+BCtrl-Alt-i-D中用的字符串泯)Ctrl-Alt4-R内存区域⑤Ctrl4-R堆械携CDCtrl4H列举口LL'却字符:D)Ctrl卜Alt+S藉用户定宓字符：冷显示注释'列苗CtrkU模玦弛址0045E0000045E0100045E0S00045E0^00045E0400045E0500045E0600045E0700045E0800045E0900045E0A00045E0E00045E0C00045E0D0004EE0E00045E0F00045E1004CUUL'T?KITB4FS400G721目；008D4000008DF8'2D400089C9D7CFC8囱CEDBDSElE352203000no00U1IF00IE00IF0CIE00IF00IE00IE004trU78BCO40004000bU02;A808EE00E0云DiD975203100000000户1e=1000r^odule=Titorial.exeA4U00LlKl.yizyilO00Le®DyfS-'1®008D4000J409E00100CBCG.CBCtrl4-V可uuuEECO套U04090U00CADCDDDEDFE0■■旎£3?£xl£ltO0WtfVMa00E4EE8D40004572726F7^JO3B：CQ翁aa@Error|A6E746；6D652065:7272GF2020^20Runl._mterror61742C：3I)30：GO30：3J030JO8B.C0at00000000|A32323^3S36373^-33414243U45460123456739ABCDEF00000COO00000000CO0000DO4000@ooorncoooooonooo40noooooooon@0000ocoo00000200000006DO0000UUUCBUIDOOU：UUUU00UUJZJOSBCUW|A1C0CIF00IE00IF00IE00IFDOIF00IF00IF00IF00IE00ID00IF00IFDOIE00IE00If000045A063变成了Tutorial.exe+5A063___'牛：内存到苴■器vIn回卜宓―文件(U)<^(V)祖囹［W］就凶二具gTutonal.exe+5A0d3地址字节指会.注鞋"ff8b100300rrnd?r[Ft^+nnarmifi]■TutDral.exe4-5AG693d55ftleaedsx[ebp-O4]-Tutnral.exe45AG6CSb83UO030...mweax^tebx+OODOO^10]Tutor^Lexe-bSAOZZeS*tldefarfcaltut3ria.exe+7ec4Tutoral.exe45AC77Sb55fcmovedxj[ebp-O4]Tutoral.exe-+5A07A8b8300030...moweaxr[ebx4-00D00]00]TutDr^l.exe4-5AG80eS^dTfdlfcaltutoria.£xe+3780DTutnral.exe+5A0858b8310030...moveasT[ebx4-OODOO31O]Tutor司,exc-+5AC0B99油kTutorial.exe45A08C52pushedM均TutDral.exe45AG8D50pusheaxTutorjI.ese+5AG8E8d4502leeea3tf[esi+Q2]Tutoral.exe-i-5AOS133dZxoredKredxTutoral.exe45A0933b542404arpedxr[eBp4O4]TutDrdl.exe4-5AC977503r■jnetutDria.exe+5a09cTutnral.exe+5AC993b0424:□rpeaXjCespIDecrementbu1

注入的时候也应该是€内存浏」筮薪玄!WE游（VJ况囹无试凶_臣J具国Tutorial,ese+5A063地址Tutorsi,eke45AC63Tutnral.exe4-5AG69Tutnral.exe45AG6CTutDral.exe4-5AG72Tutnral.exe+5AQ77Tutor^l.exe45AG7ATutDr^l.ese4-5A08OTutnral.exe45A085TutDral.Exe+5AC8BTutDral.exe4-5AQSCTutoral.exe45AQSDTutDrjl.exe4-5A08ETutorsi,eke45AC63Tutnral.exe4-5AG69Tutnral.exe45AG6CTutDral.exe4-5AG72Tutnral.exe+5AQ77Tutor^l.exe45AG7ATutDr^l.ese4-5A08OTutnral.exe45A085TutDral.Exe+5AC8BTutDral.exe4-5AQSCTutoral.exe45AQSDTutDrjl.exe4-5A08ETutnral.exe+5AC91TutDral.exe45AC93Tutnrdl.exe4-5AG37Tutoral.exe45AC99~r,1匚■,-「门厂Alocation?rotect=Exeojte/0045EU00OU000004EE0104CEB40045E02J0B4FS40045E0f3tf0045E0400045E0500045E0600045E0700045E0800045E0900045E0A00D4SE0B00045E0C00045E0D00045E0E00045E0F00045E10044co6_.b3_uo_uoUM-11D_u7-35_uloo_un-ooo82DE?■23oDon-ooon-no_H-12_u_u_uo_u1FEFuFcE523_uD_un-111ffSbU00300...dec[etx1-000008d55ftleaedirEebp-C^l8b8310030...moweax,[ebx4-0^-430000000r7-3_uoooo_uoh-OJ-OOOOFEF23oooB111-u5-uo-uE-u-uo33ooo1_uoo-ubooon-EFF33_uDon-111JO41CO4n00DOIEIDIF_u_H-oo2oFFE33_uooo11107000000033oDouooo_u2_uDon-o_uon-_u-uoo3oDA-2FFE

3400