[求助][求助]请问程序多开CPU优化原理是什么，烦请各位给指点好吗？？-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 2 楼 : if ( (_DWORD )(v35 + 4) == 1715 ) //这就是CPU优化地方0x6b3 { ST44_4_0 = (int)sub_10002B60; //这是消息循环,和时间有关TICKCOUNT ST40_4_0 = "Sleep"; ST3C_4_0 = L"kernel32.dll"; sub_10001200((int)&unk_10010630, ST3C_4_0, ST40_4_0, ST44_4_0); } //----- (10001200) -------------------------------------------------------- signed int __thiscall sub_10001200(int this, LPCWSTR lpLibFileName, LPCSTR lpString1, int a4) { signed int result; // eax@5 int v5; // [sp+0h] [bp-20h]@1 struct _MEMORY_BASIC_INFORMATION Buffer; // [sp+4h] [bp-1Ch]@11 v5 = this; if ( lpLibFileName ) { (_DWORD )(v5 + 144) = GetModuleHandleW(lpLibFileName); if ( !(_DWORD )(v5 + 144) ) { (_DWORD )(v5 + 144) = LoadLibraryW(lpLibFileName); if ( !(_DWORD )(v5 + 144) ) return 0; (_DWORD )(v5 + 140) = 1; } (_DWORD )(v5 + 4) = GetProcAddress((HMODULE )(v5 + 144), lpString1); if ( !(_DWORD )(v5 + 4) ) //表示地址为空就结束 return 0; } else { (_DWORD )(v5 + 4) = lpString1; } (_DWORD )v5 = GetCurrentProcess(); if ( !(_DWORD )v5 ) return 0; VirtualQueryEx((HANDLE )v5, (LPCVOID )(v5 + 4), &Buffer, 0x1Cu); if ( !VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, 0x40u, &Buffer.Protect) ) goto LABEL_29; if ( !lstrcmpA(lpString1, "RtlQueryProcessDebugInformation") )//如果两个值相等返回为0 { (_BYTE )(v5 + 136) = 12; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 77) = 23952; (_BYTE )(v5 + 79) = -23; (_DWORD )(v5 + 80) = a4 - ((_DWORD )(v5 + 4) + 7) - 5; (_BYTE )(v5 + 20) = -23; (_DWORD )(v5 + 21) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 20) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "Module32Next") ) { (_BYTE )(v5 + 136) = 23; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 83) = -15231; (_DWORD )(v5 + 85) = 1068; (_WORD )(v5 + 89) = -5795; (_DWORD )(v5 + 91) = a4 - ((_DWORD )(v5 + 4) + 18) - 5; (_BYTE )(v5 + 31) = -23; (_DWORD )(v5 + 32) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 31) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136));//VirtualProtectEx VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "GetAdaptersInfo") ) { (_BYTE )(v5 + 136) = 15; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 75) = -28579; (_BYTE )(v5 + 82) = -23; (_DWORD )(v5 + 83) = a4 - ((_DWORD )(v5 + 4) + 10) - 5; (_BYTE )(v5 + 13) = -72; (_DWORD )(v5 + 14) = (_DWORD )(v5 + 4) + (_DWORD )((_DWORD )(v5 + 4) + 6) + (_BYTE )(v5 + 136) - 5; (_WORD )(v5 + 18) = -12033; (_WORD )(v5 + 20) = 1130; (_WORD )(v5 + 22) = 30207; (_BYTE )(v5 + 24) = 12; (_BYTE )(v5 + 25) = -23; (_DWORD )(v5 + 26) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 25) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "IsIconic") ) { (_BYTE )(v5 + 136) = 13; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), 5); (_WORD )(v5 + 77) = 23952; (_BYTE )(v5 + 79) = -23; (_DWORD )(v5 + 80) = a4 - ((_DWORD )(v5 + 4) + 7) - 5; (_BYTE )(v5 + 84) = -112; (_BYTE )(v5 + 16) = -72; (_DWORD )(v5 + 17) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) + (_DWORD )((_DWORD )(v5 + 4) + 9); (_WORD )(v5 + 21) = -12033; (_BYTE )(v5 + 23) = -23; (_DWORD )(v5 + 24) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 23) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "Sleep") ) { (_BYTE )(v5 + 136) = 10; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_DWORD )(v5 + 72) = 1565917067; (_BYTE )(v5 + 76) = -23; (_DWORD )(v5 + 77) = a4 - ((_DWORD )(v5 + 4) + 4) - 5; (_BYTE )(v5 + 81) = -112; (_BYTE )(v5 + 18) = -23; (_DWORD )(v5 + 19) = (_DWORD )(v5 + 4) - (v5 + 8) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "GetAsyncKeyState") ) { (_BYTE )(v5 + 136) = 13; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_DWORD )(v5 + 72) = 1565917067; (_BYTE )(v5 + 76) = -23; (_DWORD )(v5 + 77) = a4 - ((_DWORD )(v5 + 4) + 4) - 5; (_DWORD )(v5 + 81) = -1869574000; (_BYTE )(v5 + 21) = -23; (_DWORD )(v5 + 22) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 21) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( ReadProcessMemory((HANDLE )v5, (LPCVOID )(v5 + 4), (LPVOID)(v5 + 8), 5u, 0) ) { (_BYTE )(v5 + 136) = 5; (_BYTE )(v5 + 72) = -23; (_DWORD )(v5 + 73) = a4 - (_DWORD )(v5 + 4) - 5; (_BYTE )(v5 + 13) = -23; (_DWORD )(v5 + 14) = (_DWORD )(v5 + 4) - (v5 + 8) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); result = 1; } else { LABEL_29: result = 0; } return result; } 2009-11-18 18:13 0
fancily 雪币： 19 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 28 回帖 132 粉丝 0 关注私信	fancily 3 楼看你这代码．不如看汇编直接．应该不是减ＣＰＵ．是ＨＯＯＫ　ＡＰＩ． 2009-12-17 02:33 0
轩辕小聪雪币： 722 活跃值： (123) 能力值： ( LV12，RANK：300 ) 在线值：发帖 10 回帖 547 粉丝 5 关注私信	轩辕小聪 7 4 楼拜托，只是在ida里按了一下F5然后把自动生成的代码贴上来，然后连自己都读不懂这些代码，就能说成是你“逆了某程序”？如楼上所说，这个代码应该是Hook API的，通过拦截程序检测进程、检测调试信息等的操作，来达到使程序误认为没有多开的目的。另外： (_DWORD )v5 = GetCurrentProcess(); if ( !(_DWORD )v5 ) return 0; GetCurrentProcess根本就不会失败（该函数直接返回-1），跟OpenProcess打开自身进程不是一回事。因此下面这个判断根本就是多余的，这说明该程序的作者的编程水平也不高。 2009-12-18 13:26 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
liumingabc 雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 20 粉丝 0 关注私信	liumingabc 2 楼 : if ( (_DWORD )(v35 + 4) == 1715 ) //这就是CPU优化地方0x6b3 { ST44_4_0 = (int)sub_10002B60; //这是消息循环,和时间有关TICKCOUNT ST40_4_0 = "Sleep"; ST3C_4_0 = L"kernel32.dll"; sub_10001200((int)&unk_10010630, ST3C_4_0, ST40_4_0, ST44_4_0); } //----- (10001200) -------------------------------------------------------- signed int __thiscall sub_10001200(int this, LPCWSTR lpLibFileName, LPCSTR lpString1, int a4) { signed int result; // eax@5 int v5; // [sp+0h] [bp-20h]@1 struct _MEMORY_BASIC_INFORMATION Buffer; // [sp+4h] [bp-1Ch]@11 v5 = this; if ( lpLibFileName ) { (_DWORD )(v5 + 144) = GetModuleHandleW(lpLibFileName); if ( !(_DWORD )(v5 + 144) ) { (_DWORD )(v5 + 144) = LoadLibraryW(lpLibFileName); if ( !(_DWORD )(v5 + 144) ) return 0; (_DWORD )(v5 + 140) = 1; } (_DWORD )(v5 + 4) = GetProcAddress((HMODULE )(v5 + 144), lpString1); if ( !(_DWORD )(v5 + 4) ) //表示地址为空就结束 return 0; } else { (_DWORD )(v5 + 4) = lpString1; } (_DWORD )v5 = GetCurrentProcess(); if ( !(_DWORD )v5 ) return 0; VirtualQueryEx((HANDLE )v5, (LPCVOID )(v5 + 4), &Buffer, 0x1Cu); if ( !VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, 0x40u, &Buffer.Protect) ) goto LABEL_29; if ( !lstrcmpA(lpString1, "RtlQueryProcessDebugInformation") )//如果两个值相等返回为0 { (_BYTE )(v5 + 136) = 12; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 77) = 23952; (_BYTE )(v5 + 79) = -23; (_DWORD )(v5 + 80) = a4 - ((_DWORD )(v5 + 4) + 7) - 5; (_BYTE )(v5 + 20) = -23; (_DWORD )(v5 + 21) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 20) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "Module32Next") ) { (_BYTE )(v5 + 136) = 23; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 83) = -15231; (_DWORD )(v5 + 85) = 1068; (_WORD )(v5 + 89) = -5795; (_DWORD )(v5 + 91) = a4 - ((_DWORD )(v5 + 4) + 18) - 5; (_BYTE )(v5 + 31) = -23; (_DWORD )(v5 + 32) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 31) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136));//VirtualProtectEx VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "GetAdaptersInfo") ) { (_BYTE )(v5 + 136) = 15; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_WORD )(v5 + 75) = -28579; (_BYTE )(v5 + 82) = -23; (_DWORD )(v5 + 83) = a4 - ((_DWORD )(v5 + 4) + 10) - 5; (_BYTE )(v5 + 13) = -72; (_DWORD )(v5 + 14) = (_DWORD )(v5 + 4) + (_DWORD )((_DWORD )(v5 + 4) + 6) + (_BYTE )(v5 + 136) - 5; (_WORD )(v5 + 18) = -12033; (_WORD )(v5 + 20) = 1130; (_WORD )(v5 + 22) = 30207; (_BYTE )(v5 + 24) = 12; (_BYTE )(v5 + 25) = -23; (_DWORD )(v5 + 26) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 25) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "IsIconic") ) { (_BYTE )(v5 + 136) = 13; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), 5); (_WORD )(v5 + 77) = 23952; (_BYTE )(v5 + 79) = -23; (_DWORD )(v5 + 80) = a4 - ((_DWORD )(v5 + 4) + 7) - 5; (_BYTE )(v5 + 84) = -112; (_BYTE )(v5 + 16) = -72; (_DWORD )(v5 + 17) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) + (_DWORD )((_DWORD )(v5 + 4) + 9); (_WORD )(v5 + 21) = -12033; (_BYTE )(v5 + 23) = -23; (_DWORD )(v5 + 24) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 23) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "Sleep") ) { (_BYTE )(v5 + 136) = 10; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_DWORD )(v5 + 72) = 1565917067; (_BYTE )(v5 + 76) = -23; (_DWORD )(v5 + 77) = a4 - ((_DWORD )(v5 + 4) + 4) - 5; (_BYTE )(v5 + 81) = -112; (_BYTE )(v5 + 18) = -23; (_DWORD )(v5 + 19) = (_DWORD )(v5 + 4) - (v5 + 8) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( !lstrcmpA(lpString1, "GetAsyncKeyState") ) { (_BYTE )(v5 + 136) = 13; unknown_libname_1(v5 + 8, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); unknown_libname_1(v5 + 72, (_DWORD )(v5 + 4), (_BYTE )(v5 + 136)); (_DWORD )(v5 + 72) = 1565917067; (_BYTE )(v5 + 76) = -23; (_DWORD )(v5 + 77) = a4 - ((_DWORD )(v5 + 4) + 4) - 5; (_DWORD )(v5 + 81) = -1869574000; (_BYTE )(v5 + 21) = -23; (_DWORD )(v5 + 22) = (_BYTE )(v5 + 136) + (_DWORD )(v5 + 4) - (v5 + 21) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); return 1; } if ( ReadProcessMemory((HANDLE )v5, (LPCVOID )(v5 + 4), (LPVOID)(v5 + 8), 5u, 0) ) { (_BYTE )(v5 + 136) = 5; (_BYTE )(v5 + 72) = -23; (_DWORD )(v5 + 73) = a4 - (_DWORD )(v5 + 4) - 5; (_BYTE )(v5 + 13) = -23; (_DWORD )(v5 + 14) = (_DWORD )(v5 + 4) - (v5 + 8) - 5; unknown_libname_1((_DWORD )(v5 + 4), v5 + 72, (_BYTE )(v5 + 136)); VirtualProtectEx((HANDLE )v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect); result = 1; } else { LABEL_29: result = 0; } return result; } 2009-11-18 18:13 0
fancily 雪币： 19 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 28 回帖 132 粉丝 0 关注私信	fancily 3 楼看你这代码．不如看汇编直接．应该不是减ＣＰＵ．是ＨＯＯＫ　ＡＰＩ． 2009-12-17 02:33 0
轩辕小聪雪币： 722 活跃值： (123) 能力值： ( LV12，RANK：300 ) 在线值：发帖 10 回帖 547 粉丝 5 关注私信	轩辕小聪 7 4 楼拜托，只是在ida里按了一下F5然后把自动生成的代码贴上来，然后连自己都读不懂这些代码，就能说成是你“逆了某程序”？如楼上所说，这个代码应该是Hook API的，通过拦截程序检测进程、检测调试信息等的操作，来达到使程序误认为没有多开的目的。另外： (_DWORD )v5 = GetCurrentProcess(); if ( !(_DWORD )v5 ) return 0; GetCurrentProcess根本就不会失败（该函数直接返回-1），跟OpenProcess打开自身进程不是一回事。因此下面这个判断根本就是多余的，这说明该程序的作者的编程水平也不高。 2009-12-18 13:26 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[旧帖] [求助][求助]请问程序多开CPU优化原理是什么，烦请各位给指点好吗？？ 0.00雪花