An unusual use of CreateRemoteThread?
Isn't it the same? I really didn't change it...

HANDLE PrepareProcess(){
    // Locate the target by window title, then resolve its process id
    HWND hWnd = FindWindow(NULL, L"neuchess");
    DWORD PID;
    GetWindowThreadProcessId(hWnd, &PID);
    // Full-access handle to the target process
    return OpenProcess(PROCESS_ALL_ACCESS, false, PID);
}
An unusual use of CreateRemoteThread?
I've already switched to injecting my own thread function; with the stack set up correctly the program works fine. But I found that porting it to VC2008 causes a problem: the memory written by WriteProcessMemory is garbage, not the thread function. VC6 doesn't have this problem. Does something need to be changed in VC2008? Code attached.

Thread function:

DWORD __stdcall threadProc(LPVOID lParam){
    _asm {
        MOV EAX,0x0041601A
        MOV ECX,0x027D7C78
        PUSH 0
        PUSH 0x0013FAA4
        MOV EBX,0x00416015
        CALL EBX
    }
    return 0;
}

Main code:

void ImplementInject(BYTE aFrom, BYTE aTo, BYTE aChessman, HANDLE hProcess){
    DWORD nBytesWrite;
    // Reserve and commit one RWX page in the target process
    void* pRemoteThread = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    printf("pRemoteThread = 0x%08x\n", pRemoteThread);
    getchar();
    // Copy 0x1000 raw bytes starting at the address of threadProc into that page
    if (!WriteProcessMemory(hProcess, pRemoteThread, &threadProc, 0x1000, &nBytesWrite)){
        printf("Write data to target process failed !\n");
    }
    else
        printf("Write data to target process succeeded! 0x%08x bytes written\n", nBytesWrite);
    getchar();
    // Start a thread in the target whose entry point is the copied page
    DWORD TID;
    CreateRemoteThread(hProcess, NULL, 0x1000, (LPTHREAD_START_ROUTINE)pRemoteThread, NULL, 0, &TID);
    printf("TID = 0x%08x\n", TID);
    getchar();
}
An unusual use of CreateRemoteThread?
If it returns with a RET, which RET would that be? The first RET the thread encounters? What if I want to span several CALLs and RETs? Calling a library function should work, but it's a bit of overkill, and the import table / IAT would have to be modified as well. The main problem is that rewriting it as inline assembly is far too long, so I didn't want to supply my own thread function. It's as follows:

MOV EBP,DWORD PTR DS:[EAX]
PUSH EDI
LEA ECX,DWORD PTR SS:[ESP+0x14]
MOV DWORD PTR SS:[ESP+0xC],EBP
MOV DWORD PTR DS:[ESI+0x20C],0
MOV EBX,0x004D2251
CALL EBX
MOV EAX,DWORD PTR DS:[ESI+0x214]
CMP EAX,-1
JE 0x00416090
LEA ECX,DWORD PTR SS:[ESP+0x24]
PUSH EAX
PUSH ECX
MOV ECX,ESI
MOV EBX,0x004158B0
CALL EBX
MOV EDX,DWORD PTR DS:[EAX]
PUSH 0
MOV DWORD PTR SS:[ESP+0x18],EDX
MOV ECX,DWORD PTR DS:[EAX+0x4]
MOV DWORD PTR SS:[ESP+0x1C],ECX
LEA ECX,DWORD PTR SS:[ESP+0x18]
MOV EDX,DWORD PTR DS:[EAX+0x8]
PUSH ECX
MOV DWORD PTR SS:[ESP+0x24],EDX
MOV ECX,ESI
MOV EAX,DWORD PTR DS:[EAX+0xC]
MOV DWORD PTR DS:[ESI+0x214],-1
MOV DWORD PTR SS:[ESP+0x28],EAX
MOV EBX,0x004CBF7D
CALL EBX
MOV EAX,DWORD PTR DS:[ESI+0xE8]
CMP EAX,-1
JE 0x00416112
MOV EDI,DWORD PTR DS:[ESI+0xEC]
CMP EDI,-1
JE 0x00416112
LEA EDX,DWORD PTR SS:[ESP+0x24]
PUSH EAX
PUSH EDX
MOV ECX,ESI
MOV EBX,0x004158B0
CALL EBX
MOV ECX,DWORD PTR DS:[EAX]
PUSH 0
MOV DWORD PTR SS:[ESP+0x18],ECX
MOV EDX,DWORD PTR DS:[EAX+0x4]
MOV DWORD PTR SS:[ESP+0x1C],EDX
MOV ECX,DWORD PTR DS:[EAX+0x8]
MOV DWORD PTR SS:[ESP+0x20],ECX
MOV ECX,ESI
MOV EDX,DWORD PTR DS:[EAX+0xC]
LEA EAX,DWORD PTR SS:[ESP+0x18]
PUSH EAX
MOV DWORD PTR SS:[ESP+0x28],EDX
MOV EBX,0x004CBF7D
CALL EBX
LEA ECX,DWORD PTR SS:[ESP+0x24]
PUSH EDI
PUSH ECX
MOV ECX,ESI
MOV EBX,0x004158B0
CALL EBX
MOV EDX,DWORD PTR DS:[EAX]
PUSH 0
MOV DWORD PTR SS:[ESP+0x18],EDX
MOV ECX,DWORD PTR DS:[EAX+0x4]
MOV DWORD PTR SS:[ESP+0x1C],ECX
LEA ECX,DWORD PTR SS:[ESP+0x18]
MOV EDX,DWORD PTR DS:[EAX+0x8]
PUSH ECX
MOV DWORD PTR SS:[ESP+0x24],EDX
MOV ECX,ESI
MOV EAX,DWORD PTR DS:[EAX+0xC]
MOV DWORD PTR SS:[ESP+0x28],EAX
MOV EBX,0x004CBF7D
CALL EBX
MOV ECX,DWORD PTR SS:[ESP+0xD]
MOV EAX,EBP
MOV EDI,ECX
AND EAX,0xFF
AND EDI,0xFF
LEA EDX,DWORD PTR SS:[ESP+0x24]
MOV BYTE PTR DS:[EAX+ESI+0x40],0
PUSH EAX
MOV BYTE PTR DS:[EDI+ESI+0x40],CH
PUSH EDX
MOV ECX,ESI
MOV DWORD PTR DS:[ESI+0xE8],EAX
MOV DWORD PTR DS:[ESI+0xEC],EDI
MOV EBX,0x004158B0
CALL EBX
MOV ECX,DWORD PTR DS:[EAX]
PUSH 0
MOV DWORD PTR SS:[ESP+0x18],ECX
MOV EDX,DWORD PTR DS:[EAX+0x4]
MOV DWORD PTR SS:[ESP+0x1C],EDX
MOV ECX,DWORD PTR DS:[EAX+0x8]
MOV DWORD PTR SS:[ESP+0x20],ECX
MOV ECX,ESI
MOV EDX,DWORD PTR DS:[EAX+0xC]
LEA EAX,DWORD PTR SS:[ESP+0x18]
PUSH EAX
MOV DWORD PTR SS:[ESP+0x28],EDX
MOV EBX,0x004CBF7D
CALL EBX
LEA ECX,DWORD PTR SS:[ESP+0x24]
PUSH EDI
PUSH ECX
MOV ECX,ESI
MOV EBX,0x004158B0
CALL EBX
MOV EDX,DWORD PTR DS:[EAX]
PUSH 0
MOV DWORD PTR SS:[ESP+0x18],EDX
MOV ECX,DWORD PTR DS:[EAX+0x4]
MOV DWORD PTR SS:[ESP+0x1C],ECX
LEA ECX,DWORD PTR SS:[ESP+0x18]
MOV EDX,DWORD PTR DS:[EAX+0x8]
PUSH ECX
MOV DWORD PTR SS:[ESP+0x24],EDX
MOV ECX,ESI
MOV EAX,DWORD PTR DS:[EAX+0xC]
MOV DWORD PTR SS:[ESP+0x28],EAX
MOV EBX,0x004CBF7D
CALL EBX
LEA EDX,DWORD PTR SS:[ESP+0x38]
PUSH EBP
PUSH EDX
MOV ECX,ESI
MOV EBX,0x00416910
CALL EBX
MOV EAX,DWORD PTR DS:[EAX]
MOV ECX,DWORD PTR DS:[0x553630]
PUSH EAX
MOV EBX,0x00411F20
CALL EBX
POP EDI
POP ESI
XOR EAX,EAX
POP EBP
ADD ESP,0x28
RETN 0x8
Question: why isn't D3D9.DLL loaded by the game process?
Following your line of thought, that means any code can be loaded into memory as data: for example, turn the contents of the DLL into a buffer, commit the pages holding that buffer with VirtualAlloc or a similar API so they are mapped to physical memory, and finally, at call time, embed assembly directly: push the arguments, call the function address, and handle the return value in EAX. That would work too. This would constitute a third way of calling a DLL... But in that case TX would have to modify the game's source code, changing every D3D9 call into assembly, or into macros or something like that. And the Korean company would never let TX touch the source code; after all, the foreign version of this game doesn't use this kind of protection at all.
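Both the CreateRemoteThread post above (a page obtained with VirtualAllocEx, filled by WriteProcessMemory and then executed) and the "load the DLL as data into a VirtualAlloc'd buffer and call into it" idea in this post leave the same trace in the target: committed, private (non-image) memory with an execute protection. Legitimately loaded modules are MEM_IMAGE regions backed by a file, so enumerating private executable regions is a standard triage check for this class of injection. The script below is an added example written for this page, not code from any poster; it assumes Windows PowerShell 5.1 or later with Add-Type available, and the names MemScan, Region and Find-PrivateExecutableMemory are mine. The target process name in the usage line is a placeholder.

```powershell
# Added example (not from the forum thread): list committed private memory regions
# with an execute protection in a target process, using VirtualQueryEx.
# Assumes Windows PowerShell 5.1+ ; MemScan/Region/Find-PrivateExecutableMemory are names chosen here.
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class MemScan {
    // Field order matches MEMORY_BASIC_INFORMATION; sequential layout aligns
    // RegionSize naturally on both x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint MEM_COMMIT  = 0x1000;
    const uint MEM_PRIVATE = 0x20000;   // not MEM_IMAGE (0x1000000) and not MEM_MAPPED (0x40000)
    const uint EXEC_MASK   = 0xF0;      // PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY

    public class Region { public long Base; public long Size; public uint Protect; }

    // Walk the whole user-mode address space of the process and collect
    // regions that are committed, private and executable.
    public static List<Region> FindPrivateExecutable(int pid) {
        var hits = new List<Region>();
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        try {
            long addr = 0;
            IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            MEMORY_BASIC_INFORMATION mbi;
            while (VirtualQueryEx(h, (IntPtr)addr, out mbi, mbiSize) != IntPtr.Zero) {
                if (mbi.State == MEM_COMMIT && mbi.Type == MEM_PRIVATE && (mbi.Protect & EXEC_MASK) != 0)
                    hits.Add(new Region { Base = (long)mbi.BaseAddress, Size = (long)mbi.RegionSize, Protect = mbi.Protect });
                long next = (long)mbi.BaseAddress + (long)mbi.RegionSize;
                if (next <= addr) break;   // guard against wrap-around at the top of the address space
                addr = next;
            }
        } finally { CloseHandle(h); }
        return hits;
    }
}
"@

function Find-PrivateExecutableMemory {
    param([Parameter(Mandatory)][int]$ProcessId)
    foreach ($r in [MemScan]::FindPrivateExecutable($ProcessId)) {
        [pscustomobject]@{
            Pid     = $ProcessId
            Base    = ('0x{0:X}' -f $r.Base)
            Size    = $r.Size
            Protect = ('0x{0:X}' -f $r.Protect)   # 0x40 = PAGE_EXECUTE_READWRITE, as allocated in the post above
        }
    }
}

# Usage: TARGET_PROCESS_NAME is a placeholder, not a value from the thread.
# Find-PrivateExecutableMemory -ProcessId (Get-Process -Name 'TARGET_PROCESS_NAME').Id | Format-Table -AutoSize
```

Run it from a PowerShell of the same bitness as the target (a 32-bit process is fine from 64-bit PowerShell, but a 32-bit PowerShell cannot see a 64-bit process's full address space). A hit is a triage signal, not proof: JIT runtimes (.NET, browser engines, some anti-cheat and DRM components) also allocate private executable memory, so compare the hits against what the process is expected to contain and look at the region's contents before concluding anything.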
Question: why isn't D3D9.DLL loaded by the game process?
It's now tentatively established that the game carries its own d3d9.dll, because I replaced every d3d9.dll on the hard disk with my wrapper, or deleted or renamed them, and none of that affected the game. But d3d9.dll is also protected by MS copyright; what technique could be used to wrap a DLL whose source code isn't open?