咱们来讨论一下NP CRC吧
如果成功过了 CRC，那“停止”扫描也很正常。HS 的 CRC 利用（挂钩 Sleep 函数）同样是暂停了检测。
咱们来讨论一下NP CRC吧
哦,听你真么说,倒是有点像HS内的一个函数。是用来处理各种出错结果的(包括crc)。肯德基。 006C2480 - 55 - push ebp //直接返回HS的CRC就等于"停止了" 006C2481 - 8B EC - mov ebp,esp 006C2483 - 81 EC 64020000 - sub esp,00000264 006C2489 - 57 - push edi 006C248A - 89 8D A4FDFFFF - mov [ebp-0000025C],ecx 006C2490 - C6 45 FB 00 - mov byte ptr [ebp-05],00 006C2494 - 68 00CEAF00 - push 00AFCE00 : [""xxxxxxxxx""] 某XX游戏。 006C2499 - 8D 45 FC - lea eax,[ebp-04] 006C249C - 50 - push eax 006C249D - E8 1E682D00 - call 00998CC0 006C24A2 - 8B C8 - mov ecx,eax 006C24A4 - E8 87692D00 - call 00998E30 006C24A9 - 8B 4D 08 - mov ecx,[ebp+08] 006C24AC - 89 8D A0FDFFFF - mov [ebp-00000260],ecx //[ebp-00000260]传递进了ecx,ecx == HS出错误代码。 006C24B2 - 81 BD A0FDFFFF 08030100 - cmp [ebp-00000260],00010308 : [00000000] 006C24BC - 77 76 - ja 006C2534 006C24BE - 81 BD A0FDFFFF 07030100 - cmp [ebp-00000260],00010307 : [00000000] 006C24C8 - 0F83 C8010000 - jae 006C2696 006C24CE - 81 BD A0FDFFFF 02030100 - cmp [ebp-00000260],00010302 : [00000000] 006C24D8 - 77 35 - ja 006C250F 006C24DA - 81 BD A0FDFFFF 01030100 - cmp [ebp-00000260],00010301 : [00000000] 006C24E4 - 0F83 14030000 - jae 006C27FE 006C24EA - 81 BD A0FDFFFF 02010100 - cmp [ebp-00000260],00010102 : [00000001] 006C24F4 - 0F84 04030000 - je 006C27FE 006C24FA - 81 BD A0FDFFFF 04010100 - cmp [ebp-00000260],00010104 : [00000000] 006C2504 - 0F84 04020000 - je 006C270E 006C250A - E9 D7030000 - jmp 006C28E6 006C250F - 81 BD A0FDFFFF 03030100 - cmp [ebp-00000260],00010303 : [00000000] 006C2519 - 0F84 FF000000 - je 006C261E 006C251F - 81 BD A0FDFFFF 06030100 - cmp [ebp-00000260],00010306 : [00000000] 006C2529 - 0F84 CF020000 - je 006C27FE 006C252F - E9 B2030000 - jmp 006C28E6 006C2534 - 81 BD A0FDFFFF 04070100 - cmp [ebp-00000260],00010704 : [00000000] 006C253E - 77 31 - ja 006C2571 006C2540 - 81 BD A0FDFFFF 01070100 - cmp [ebp-00000260],00010701 : [00000000] 006C254A - 0F83 AE020000 - jae 006C27FE 006C2550 - 81 BD A0FDFFFF 01050100 - cmp [ebp-00000260],00010501 : [00000100] 006C255A - 74 4A - je 006C25A6 
006C255C - 81 BD A0FDFFFF 01060100 - cmp [ebp-00000260],00010601 : [00000000] 006C2566 - 0F84 1A020000 - je 006C2786 006C256C - E9 75030000 - jmp 006C28E6 006C2571 - 81 BD A0FDFFFF 05070100 - cmp [ebp-00000260],00010705 : [00000000] 006C257B - 0F84 F2020000 - je 006C2873 006C2581 - 81 BD A0FDFFFF 000A0100 - cmp [ebp-00000260],00010A00 : [00000000] 006C258B - 0F86 55030000 - jbe 006C28E6 006C2591 - 81 BD A0FDFFFF 020A0100 - cmp [ebp-00000260],00010A02 : [00000000] 006C259B - 0F86 5D020000 - jbe 006C27FE 006C25A1 - E9 40030000 - jmp 006C28E6 006C25A6 - 8D 4D F4 - lea ecx,[ebp-0C] 006C25A9 - E8 0265D4FF - call 00408AB0 006C25AE - 8B 55 08 - mov edx,[ebp+08] 006C25B1 - 52 - push edx 006C25B2 - 68 248DB100 - push 00B18D24 : [""HS_ENGINE_DETECT_GAME_HACK""] 006C25B7 - 8D 85 CCFDFFFF - lea eax,[ebp-00000234] 006C25BD - 50 - push eax 006C25BE - E8 FD662D00 - call 00998CC0 006C25C3 - 8B C8 - mov ecx,eax 006C25C5 - E8 66682D00 - call 00998E30 006C25CA - 8B C8 - mov ecx,eax 006C25CC - E8 DFBAD8FF - call 0044E0B0 006C25D1 - 50 - push eax 006C25D2 - 8D 4D F4 - lea ecx,[ebp-0C] 006C25D5 - 51 - push ecx 006C25D6 - E8 65BF2C00 - call 0098E540 006C25DB - 83 C4 0C - add esp,0C 006C25DE - 8D 8D CCFDFFFF - lea ecx,[ebp-00000234] 006C25E4 - E8 E772D4FF - call 004098D0 006C25E9 - 6A 00 - push 00 006C25EB - 8D 4D FC - lea ecx,[ebp-04] 006C25EE - E8 BDBAD8FF - call 0044E0B0 006C25F3 - 50 - push eax 006C25F4 - 8D 4D F4 - lea ecx,[ebp-0C] 006C25F7 - E8 B4BAD8FF - call 0044E0B0 006C25FC - 50 - push eax 006C25FD - 8B 95 A4FDFFFF - mov edx,[ebp-0000025C] 006C2603 - 8B 42 6C - mov eax,[edx+6C] 006C2606 - 50 - push eax 006C2607 - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C260D - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C2611 - 8D 4D F4 - lea ecx,[ebp-0C] 006C2614 - E8 B772D4FF - call 004098D0 006C2619 - E9 C8020000 - jmp 006C28E6 006C261E - 8D 4D F0 - lea ecx,[ebp-10] 006C2621 - E8 8A64D4FF - call 00408AB0 006C2626 - 8B 4D 08 - mov ecx,[ebp+08] 006C2629 - 51 - push ecx 006C262A - 68 
EC8CB100 - push 00B18CEC : [""HS_ACTAPC_DETECT_SPEEDHACK""] 006C262F - 8D 95 C8FDFFFF - lea edx,[ebp-00000238] 006C2635 - 52 - push edx 006C2636 - E8 85662D00 - call 00998CC0 006C263B - 8B C8 - mov ecx,eax 006C263D - E8 EE672D00 - call 00998E30 006C2642 - 8B C8 - mov ecx,eax 006C2644 - E8 67BAD8FF - call 0044E0B0 006C2649 - 50 - push eax 006C264A - 8D 45 F0 - lea eax,[ebp-10] 006C264D - 50 - push eax 006C264E - E8 EDBE2C00 - call 0098E540 006C2653 - 83 C4 0C - add esp,0C 006C2656 - 8D 8D C8FDFFFF - lea ecx,[ebp-00000238] 006C265C - E8 6F72D4FF - call 004098D0 006C2661 - 6A 00 - push 00 006C2663 - 8D 4D FC - lea ecx,[ebp-04] 006C2666 - E8 45BAD8FF - call 0044E0B0 006C266B - 50 - push eax 006C266C - 8D 4D F0 - lea ecx,[ebp-10] 006C266F - E8 3CBAD8FF - call 0044E0B0 006C2674 - 50 - push eax 006C2675 - 8B 8D A4FDFFFF - mov ecx,[ebp-0000025C] 006C267B - 8B 51 6C - mov edx,[ecx+6C] 006C267E - 52 - push edx 006C267F - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C2685 - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C2689 - 8D 4D F0 - lea ecx,[ebp-10] 006C268C - E8 3F72D4FF - call 004098D0 006C2691 - E9 50020000 - jmp 006C28E6 006C2696 - 8D 4D EC - lea ecx,[ebp-14] 006C2699 - E8 1264D4FF - call 00408AB0 006C269E - 8B 45 08 - mov eax,[ebp+08] 006C26A1 - 50 - push eax 006C26A2 - 68 B88CB100 - push 00B18CB8 : [""HS_ACTAPC_DETECT_KDTRACE""] 006C26A7 - 8D 8D C4FDFFFF - lea ecx,[ebp-0000023C] 006C26AD - 51 - push ecx 006C26AE - E8 0D662D00 - call 00998CC0 006C26B3 - 8B C8 - mov ecx,eax 006C26B5 - E8 76672D00 - call 00998E30 006C26BA - 8B C8 - mov ecx,eax 006C26BC - E8 EFB9D8FF - call 0044E0B0 006C26C1 - 50 - push eax 006C26C2 - 8D 55 EC - lea edx,[ebp-14] 006C26C5 - 52 - push edx 006C26C6 - E8 75BE2C00 - call 0098E540 006C26CB - 83 C4 0C - add esp,0C 006C26CE - 8D 8D C4FDFFFF - lea ecx,[ebp-0000023C] 006C26D4 - E8 F771D4FF - call 004098D0 006C26D9 - 6A 00 - push 00 006C26DB - 8D 4D FC - lea ecx,[ebp-04] 006C26DE - E8 CDB9D8FF - call 0044E0B0 006C26E3 - 50 - push eax 006C26E4 - 8D 
4D EC - lea ecx,[ebp-14] 006C26E7 - E8 C4B9D8FF - call 0044E0B0 006C26EC - 50 - push eax 006C26ED - 8B 85 A4FDFFFF - mov eax,[ebp-0000025C] 006C26F3 - 8B 48 6C - mov ecx,[eax+6C] 006C26F6 - 51 - push ecx 006C26F7 - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C26FD - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C2701 - 8D 4D EC - lea ecx,[ebp-14] 006C2704 - E8 C771D4FF - call 004098D0 006C2709 - E9 D8010000 - jmp 006C28E6 006C270E - 8D 4D E8 - lea ecx,[ebp-18] 006C2711 - E8 9A63D4FF - call 00408AB0 006C2716 - 8B 55 08 - mov edx,[ebp+08] 006C2719 - 52 - push edx 006C271A - 68 808CB100 - push 00B18C80 : [""HS_ACTAPC_DETECT_AUTOMACRO""] 006C271F - 8D 85 C0FDFFFF - lea eax,[ebp-00000240] 006C2725 - 50 - push eax 006C2726 - E8 95652D00 - call 00998CC0 006C272B - 8B C8 - mov ecx,eax 006C272D - E8 FE662D00 - call 00998E30 006C2732 - 8B C8 - mov ecx,eax 006C2734 - E8 77B9D8FF - call 0044E0B0 006C2739 - 50 - push eax 006C273A - 8D 4D E8 - lea ecx,[ebp-18] 006C273D - 51 - push ecx 006C273E - E8 FDBD2C00 - call 0098E540 006C2743 - 83 C4 0C - add esp,0C 006C2746 - 8D 8D C0FDFFFF - lea ecx,[ebp-00000240] 006C274C - E8 7F71D4FF - call 004098D0 006C2751 - 6A 00 - push 00 006C2753 - 8D 4D FC - lea ecx,[ebp-04] 006C2756 - E8 55B9D8FF - call 0044E0B0 006C275B - 50 - push eax 006C275C - 8D 4D E8 - lea ecx,[ebp-18] 006C275F - E8 4CB9D8FF - call 0044E0B0 006C2764 - 50 - push eax 006C2765 - 8B 95 A4FDFFFF - mov edx,[ebp-0000025C] 006C276B - 8B 42 6C - mov eax,[edx+6C] 006C276E - 50 - push eax 006C276F - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C2775 - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C2779 - 8D 4D E8 - lea ecx,[ebp-18] 006C277C - E8 4F71D4FF - call 004098D0 006C2781 - E9 60010000 - jmp 006C28E6 006C2786 - 8D 4D E4 - lea ecx,[ebp-1C] 006C2789 - E8 2263D4FF - call 00408AB0 006C278E - 8B 4D 08 - mov ecx,[ebp+08] 006C2791 - 51 - push ecx 006C2792 - 68 308CB100 - push 00B18C30 : [""HS_ACTAPC_DETECT_ABNORMAL_MEMORY_ACCESS""] 006C2797 - 8D 95 BCFDFFFF - lea edx,[ebp-00000244] 
006C279D - 52 - push edx 006C279E - E8 1D652D00 - call 00998CC0 006C27A3 - 8B C8 - mov ecx,eax 006C27A5 - E8 86662D00 - call 00998E30 006C27AA - 8B C8 - mov ecx,eax 006C27AC - E8 FFB8D8FF - call 0044E0B0 006C27B1 - 50 - push eax 006C27B2 - 8D 45 E4 - lea eax,[ebp-1C] 006C27B5 - 50 - push eax 006C27B6 - E8 85BD2C00 - call 0098E540 006C27BB - 83 C4 0C - add esp,0C 006C27BE - 8D 8D BCFDFFFF - lea ecx,[ebp-00000244] 006C27C4 - E8 0771D4FF - call 004098D0 006C27C9 - 6A 00 - push 00 006C27CB - 8D 4D FC - lea ecx,[ebp-04] 006C27CE - E8 DDB8D8FF - call 0044E0B0 006C27D3 - 50 - push eax 006C27D4 - 8D 4D E4 - lea ecx,[ebp-1C] 006C27D7 - E8 D4B8D8FF - call 0044E0B0 006C27DC - 50 - push eax 006C27DD - 8B 8D A4FDFFFF - mov ecx,[ebp-0000025C] 006C27E3 - 8B 51 6C - mov edx,[ecx+6C] 006C27E6 - 52 - push edx 006C27E7 - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C27ED - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C27F1 - 8D 4D E4 - lea ecx,[ebp-1C] 006C27F4 - E8 D770D4FF - call 004098D0 006C27F9 - E9 E8000000 - jmp 006C28E6 006C27FE - 8D 4D E0 - lea ecx,[ebp-20] 006C2801 - E8 AA62D4FF - call 00408AB0 006C2806 - 8B 45 08 - mov eax,[ebp+08] 006C2809 - 50 - push eax 006C280A - 68 148CB100 - push 00B18C14 : [""HS_ERR_ETC""] 006C280F - 8D 8D B8FDFFFF - lea ecx,[ebp-00000248] 006C2815 - 51 - push ecx 006C2816 - E8 A5642D00 - call 00998CC0 006C281B - 8B C8 - mov ecx,eax 006C281D - E8 0E662D00 - call 00998E30 006C2822 - 8B C8 - mov ecx,eax 006C2824 - E8 87B8D8FF - call 0044E0B0 006C2829 - 50 - push eax 006C282A - 8D 55 E0 - lea edx,[ebp-20] 006C282D - 52 - push edx 006C282E - E8 0DBD2C00 - call 0098E540 006C2833 - 83 C4 0C - add esp,0C 006C2836 - 8D 8D B8FDFFFF - lea ecx,[ebp-00000248] 006C283C - E8 8F70D4FF - call 004098D0 006C2841 - 6A 00 - push 00 006C2843 - 8D 4D FC - lea ecx,[ebp-04] 006C2846 - E8 65B8D8FF - call 0044E0B0 006C284B - 50 - push eax 006C284C - 8D 4D E0 - lea ecx,[ebp-20] 006C284F - E8 5CB8D8FF - call 0044E0B0 006C2854 - 50 - push eax 006C2855 - 8B 85 A4FDFFFF - mov 
eax,[ebp-0000025C] 006C285B - 8B 48 6C - mov ecx,[eax+6C] 006C285E - 51 - push ecx 006C285F - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C2865 - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C2869 - 8D 4D E0 - lea ecx,[ebp-20] 006C286C - E8 5F70D4FF - call 004098D0 006C2871 - EB 73 - jmp 006C28E6 006C2873 - 8D 4D DC - lea ecx,[ebp-24] 006C2876 - E8 3562D4FF - call 00408AB0 006C287B - 8B 55 08 - mov edx,[ebp+08] 006C287E - 52 - push edx 006C287F - 68 D08BB100 - push 00B18BD0 : [""HS_ERR_DETECT_MEM_MODIFY_FROM_LMP""] 006C2884 - 8D 85 B4FDFFFF - lea eax,[ebp-0000024C] 006C288A - 50 - push eax 006C288B - E8 30642D00 - call 00998CC0 006C2890 - 8B C8 - mov ecx,eax 006C2892 - E8 99652D00 - call 00998E30 006C2897 - 8B C8 - mov ecx,eax 006C2899 - E8 12B8D8FF - call 0044E0B0 006C289E - 50 - push eax 006C289F - 8D 4D DC - lea ecx,[ebp-24] 006C28A2 - 51 - push ecx 006C28A3 - E8 98BC2C00 - call 0098E540 006C28A8 - 83 C4 0C - add esp,0C 006C28AB - 8D 8D B4FDFFFF - lea ecx,[ebp-0000024C] 006C28B1 - E8 1A70D4FF - call 004098D0 006C28B6 - 6A 00 - push 00 006C28B8 - 8D 4D FC - lea ecx,[ebp-04] 006C28BB - E8 F0B7D8FF - call 0044E0B0 006C28C0 - 50 - push eax 006C28C1 - 8D 4D DC - lea ecx,[ebp-24] 006C28C4 - E8 E7B7D8FF - call 0044E0B0 006C28C9 - 50 - push eax 006C28CA - 8B 95 A4FDFFFF - mov edx,[ebp-0000025C] 006C28D0 - 8B 42 6C - mov eax,[edx+6C] 006C28D3 - 50 - push eax 006C28D4 - FF 15 C095BE00 - call dword ptr [00BE95C0] 006C28DA - C6 45 FB 01 - mov byte ptr [ebp-05],01 006C28DE - 8D 4D DC - lea ecx,[ebp-24] 006C28E1 - E8 EA6FD4FF - call 004098D0 006C28E6 - 0FB6 4D FB - movzx ecx,byte ptr [ebp-05] 006C28EA - 85 C9 - test ecx,ecx 006C28EC - 0F84 4B010000 - je 006C2A3D 006C28F2 - 66 C7 85 D0FDFFFF 0000 - mov word ptr [ebp-00000230],0000 006C28FB - B9 7F000000 - mov ecx,0000007F 006C2900 - 33 C0 - xor eax,eax 006C2902 - 8D BD D2FDFFFF - lea edi,[ebp-0000022E] 006C2908 - F3 AB - repe stosd 006C290A - 68 FE000000 - push 000000FE 006C290F - 8D 95 D0FDFFFF - lea edx,[ebp-00000230] 
006C2915 - 52 - push edx 006C2916 - 6A FF - push FF 006C2918 - 8B 45 0C - mov eax,[ebp+0C] 006C291B - 50 - push eax 006C291C - 6A 00 - push 00 006C291E - 6A 00 - push 00 006C2920 - FF 15 4895BE00 - call dword ptr [00BE9548] 006C2926 - 8D 8D D0FDFFFF - lea ecx,[ebp-00000230] 006C292C - 51 - push ecx 006C292D - 8B 55 08 - mov edx,[ebp+08] 006C2930 - 52 - push edx 006C2931 - B9 CCFACC00 - mov ecx,00CCFACC : [01010000] 006C2936 - E8 3566E1FF - call 004D8F70 006C293B - 8B C8 - mov ecx,eax 006C293D - E8 2E70E2FF - call 004E9970 006C2942 - 8D 85 D0FDFFFF - lea eax,[ebp-00000230] 006C2948 - 50 - push eax 006C2949 - 8D 4D D4 - lea ecx,[ebp-2C] 006C294C - E8 AFF7D3FF - call 00402100 006C2951 - 6A 18 - push 18 006C2953 - E8 80662A00 - call 00968FD8 006C2958 - 83 C4 04 - add esp,04 006C295B - 89 85 B0FDFFFF - mov [ebp-00000250],eax 006C2961 - 83 BD B0FDFFFF 00 - cmp dword ptr [ebp-00000250],00 006C2968 - 74 13 - je 006C297D 006C296A - 8B 8D B0FDFFFF - mov ecx,[ebp-00000250] 006C2970 - E8 DB000000 - call 006C2A50 006C2975 - 89 85 9CFDFFFF - mov [ebp-00000264],eax 006C297B - EB 0A - jmp 006C2987 006C297D - C7 85 9CFDFFFF 00000000 - mov [ebp-00000264],00000000 006C2987 - 6A 01 - push 01 006C2989 - 8B 8D 9CFDFFFF - mov ecx,[ebp-00000264] 006C298F - 51 - push ecx 006C2990 - 8D 4D D8 - lea ecx,[ebp-28] 006C2993 - E8 0839E7FF - call 005362A0 006C2998 - 8D 4D D8 - lea ecx,[ebp-28] 006C299B - E8 9006EDFF - call 00593030 006C29A0 - 8B 55 08 - mov edx,[ebp+08] 006C29A3 - 89 50 10 - mov [eax+10],edx 006C29A6 - 8D 45 D4 - lea eax,[ebp-2C] 006C29A9 - 50 - push eax 006C29AA - 8D 4D D8 - lea ecx,[ebp-28] 006C29AD - E8 7E06EDFF - call 00593030 006C29B2 - 83 C0 14 - add eax,14 006C29B5 - 8B C8 - mov ecx,eax 006C29B7 - E8 64F7D3FF - call 00402120 006C29BC - 8B 8D A4FDFFFF - mov ecx,[ebp-0000025C] 006C29C2 - 0FB6 91 9C000000 - movzx edx,byte ptr [ecx+0000009C] 006C29C9 - 85 D2 - test edx,edx 006C29CB - 74 26 - je 006C29F3 006C29CD - 51 - push ecx 006C29CE - 8B CC - mov ecx,esp 006C29D0 - 8D 45 D8 
- lea eax,[ebp-28] 006C29D3 - 50 - push eax 006C29D4 - E8 E7EEF3FF - call 006018C0 006C29D9 - B9 ECB2BE00 - mov ecx,00BEB2EC : [00000000] 006C29DE - E8 ED57D4FF - call 004081D0 006C29E3 - 8B C8 - mov ecx,eax 006C29E5 - E8 86C2F3FF - call 005FEC70 006C29EA - 8B C8 - mov ecx,eax 006C29EC - E8 EF643700 - call 00A38EE0 006C29F1 - EB 32 - jmp 006C2A25 006C29F3 - 8D 4D D8 - lea ecx,[ebp-28] 006C29F6 - 51 - push ecx 006C29F7 - 8D 8D A8FDFFFF - lea ecx,[ebp-00000258] 006C29FD - E8 BEEEF3FF - call 006018C0 006C2A02 - 8D 95 A8FDFFFF - lea edx,[ebp-00000258] 006C2A08 - 52 - push edx 006C2A09 - 8B 8D A4FDFFFF - mov ecx,[ebp-0000025C] 006C2A0F - 81 C1 A0000000 - add ecx,000000A0 006C2A15 - E8 86000000 - call 006C2AA0 006C2A1A - 8D 8D A8FDFFFF - lea ecx,[ebp-00000258] 006C2A20 - E8 9B68F5FF - call 006192C0 006C2A25 - 6A 00 - push 00 006C2A27 - FF 15 9C03AF00 - call dword ptr [00AF039C] 006C2A2D - 8D 4D D8 - lea ecx,[ebp-28] 006C2A30 - E8 8B68F5FF - call 006192C0 006C2A35 - 8D 4D D4 - lea ecx,[ebp-2C] 006C2A38 - E8 936ED4FF - call 004098D0 006C2A3D - 8D 4D FC - lea ecx,[ebp-04] 006C2A40 - E8 8B6ED4FF - call 004098D0 006C2A45 - 5F - pop edi 006C2A46 - 8B E5 - mov esp,ebp 006C2A48 - 5D - pop ebp 006C2A49 - C2 0800 - ret 0008 006C2A4C - CC - int 3 006C2A4D - CC - int 3 006C2A4E - CC - int 3 006C2A4F - CC - int 3 006C2A50 - 55 - push ebp |
修改IAT实现HOOK API函数的问题
EAT HOOK 是导出表 HOOK（dll），IAT HOOK 是导入表 HOOK（exe）。调用 Win32 API 时，如果是通过 lib 静态库调用到 Win32 API，则是通过 IAT 的方式（即 dll 文件随程序的加载而装载）。如果是动态调用（函数指针方式），则是从 LoadLibrary 获得的 hModule 开始定位 dll 文件 EAT 内所需要用到的导出函数地址，而后用 GetProcAddress 读取 dll 内保存所有导出函数地址的 EAT 表，将所需要用到的函数地址存入调用方内的函数指针变量（dll 文件在必要时通过 LoadLibrary 装载）。需要注意的是，EAT HOOK 必须在程序调用 GetProcAddress 之前就进行，否则不一定成功。
dll中如何获取LoadLibrary的返回地址
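/*
 * Proxy placed in front of LoadLibraryA: records the address the hooked call
 * will return to, then forwards the call to the original function.
 *
 * RetAddr        - receives the caller's return address on every call.  It is
 *                  a single global, so it only reflects the most recent call.
 * OriginFunction - pointer to the real LoadLibraryA, saved when the hook is
 *                  installed (declared elsewhere in the project).
 * lpFileName     - passed through to the original untouched; it is not
 *                  referenced from the asm because a naked function has no
 *                  frame for the compiler to address it from.
 *
 * Corrections relative to the original forum snippet:
 *  - __declspec(naked) emits no prologue, so ebp is NOT this function's frame
 *    pointer; the return address sits at [esp], not [ebp+4].  The old code
 *    stored whatever the caller's ebp+4 happened to hold.
 *  - ebx is callee-saved and was clobbered without being preserved; eax is a
 *    scratch register and can be used freely here.
 *  - Forwarding with a tail jmp (instead of push/call/ret) keeps the stack
 *    balanced: the original's stdcall `ret 4` pops lpFileName and returns
 *    straight to the caller, with the module handle still in eax.  The old
 *    push/call/ret sequence returned to the caller with the argument left on
 *    the stack.
 *  - The replacement is declared WINAPI (stdcall) to match LoadLibraryA, takes
 *    LPCSTR like the A variant, and uses the lower-case `naked` keyword.
 */
DWORD RetAddr = 0;

__declspec(naked) HANDLE WINAPI Proxy_LoadLibraryA(_In_ LPCSTR lpFileName)
{
    __asm {
        mov eax, [esp]          /* return address of the caller, top of stack on entry */
        mov [RetAddr], eax
        jmp [OriginFunction]    /* tail-call: the original's ret 4 returns to the caller */
    }
}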
[讨论]C语言变态乱码
/*
 * Deliberately "garbled" C from the post.  The macro `_(x)` expands to
 * `putchar(x);` (the semicolon lives inside the macro, which is why the calls
 * carry none), and the program drives a single counter `i` through long runs
 * of prefix `++`/`--`.  Each `_(...)` therefore prints the character whose
 * code is the running value of `i`: 72 increments give 'H', 29 more give 'e',
 * and so on.  Counting the runs (each full row is 28 characters, i.e. 14
 * increments or decrements), the program prints "Hello, world!\n" and returns
 * the last value written, '\n' (10), as the process exit status.
 *
 * Note: chained prefix increments such as `++++i` are not valid C (a prefix
 * `++` expression is not an lvalue in C), so this only compiles as C++.
 * The row breaks below restore what appears to have been the original
 * rectangular layout; the tokens are unchanged.
 */
#include <stdio.h>
#define _(_) putchar(_);
int main() {int i = 0;_(
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++i)_(++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++i)_(++++++++++++++
i)_(--++i)_(++++++i)_(------
----------------------------
----------------------------
----------------------------
----------------------------
----------------i)_(--------
----------------i)_(++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++++
++++++++++++++++++++++++++i)
_(----------------i)_(++++++
i)_(------------i)_(--------
--------i)_(----------------
----------------------------
----------------------------
----------------------------
----------------------------
------i)_(------------------
----------------------------
i)return i;}
写出这类程序的人,在业内或许被称为高手,但是一般的初学者都会误以为是变态。 |
在线等,求助wdk7600.16385.1安装问题
都有点不好意思来答题了，问题解决了一般都不给加分的。
关于INT 3的系统处理
你看一下 EXCEPTION_RECORD 的 ExceptionAddress 字段，它和 CONTEXT 的 Eip 字段是不一样的。ExceptionAddress 字段记录的是发生异常的地址，也就是 EIP-1。
关于INT 3的系统处理
INT3 是一个软中断，其实可以理解为异常。发生异常时 EIP 的值 +N（不管任何情况，每执行完一条指令 EIP 立即指向下一条；执行完 INT3 后，线程 CONTEXT 结构中的 EIP 已经下移，因此在调试循环中获取的 EIP 并非 INT3 所在地址）。N 的值为中断指令长度（如 INT3 为 0xCC，1 字节）。若处理成功，则当前 EIP 被保存；若处理不成功，则 EIP-N 重新指向 INT3，取得再次处理的机会，直至异常被成功处理。调试循环中若处理成功则 EIP=0x0068404F，不成功则为 0x0068404E。其实自陷和异常还是有区别的：自陷一般用于系统调用，而异常大部分是随机产生，并且发生异常后，EIP 并不会转移至下一条指令，直到异常被完全处理才可以继续执行（真正的中断处理方式与异常、自陷以及中止的处理方式不一样）。另外，我爱你。
线程局部存储TLS的纠结问题
线程局部存储是这样的：每个数组都有 TLS_MINIMUM_AVAILABLE 个元素，TLS_MINIMUM_AVAILABLE 被定义为 64。也就意味着，线程 1 分配的索引，即使在线程 2 和线程 3 中都没用到，这个数组的元素仍然是 64 个；再者，线程 1 只分配一个索引号的话，数组的元素个数依然是 64 个。这是固定的，一点点空间而已，一个数组的大小为 64*4 = 256 个字节。