首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [求助][求助]请问程序多开CPU优化原理是什么,烦请各位给指点好吗?? 0.00雪花
发表于: 2009-11-18 10:35 8572

[旧帖] [求助][求助]请问程序多开CPU优化原理是什么,烦请各位给指点好吗?? 0.00雪花

liumingabc 活跃值
2009-11-18 10:35
8572
请问程序多开CPU优化原理是什么,烦请各位给指点好吗??

[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

收藏
免费 0
支持
分享
最新回复 (3)
liumingabc
雪    币: 205
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
:   if ( *(_DWORD *)(v35 + 4) == 1715 )  //这就是CPU优化地方0x6b3
    {
      ST44_4_0 = (int)sub_10002B60;  //这是消息循环,和时间有关TICKCOUNT
      ST40_4_0 = "Sleep";
      ST3C_4_0 = L"kernel32.dll";
      sub_10001200((int)&unk_10010630, ST3C_4_0, ST40_4_0, ST44_4_0);
    }

//----- (10001200) --------------------------------------------------------
signed int __thiscall sub_10001200(int this, LPCWSTR lpLibFileName, LPCSTR lpString1, int a4)
{
  signed int result; // eax@5
  int v5; // [sp+0h] [bp-20h]@1
  struct _MEMORY_BASIC_INFORMATION Buffer; // [sp+4h] [bp-1Ch]@11

  v5 = this;
  if ( lpLibFileName )
  {
    *(_DWORD *)(v5 + 144) = GetModuleHandleW(lpLibFileName);
    if ( !*(_DWORD *)(v5 + 144) )
    {
      *(_DWORD *)(v5 + 144) = LoadLibraryW(lpLibFileName);
      if ( !*(_DWORD *)(v5 + 144) )
        return 0;
      *(_DWORD *)(v5 + 140) = 1;
    }
    *(_DWORD *)(v5 + 4) = GetProcAddress(*(HMODULE *)(v5 + 144), lpString1);
    if ( !*(_DWORD *)(v5 + 4) )  //表示地址为空就结束
      return 0;
  }
  else
  {
    *(_DWORD *)(v5 + 4) = lpString1;  
  }
  *(_DWORD *)v5 = GetCurrentProcess();
  if ( !*(_DWORD *)v5 )
    return 0;
  VirtualQueryEx(*(HANDLE *)v5, *(LPCVOID *)(v5 + 4), &Buffer, 0x1Cu);
  if ( !VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, 0x40u, &Buffer.Protect) )
    goto LABEL_29;
  if ( !lstrcmpA(lpString1, "RtlQueryProcessDebugInformation") )//如果两个值相等返回为0
  {
    *(_BYTE *)(v5 + 136) = 12;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    *(_WORD *)(v5 + 77) = 23952;
    *(_BYTE *)(v5 + 79) = -23;
    *(_DWORD *)(v5 + 80) = a4 - (*(_DWORD *)(v5 + 4) + 7) - 5;
    *(_BYTE *)(v5 + 20) = -23;
    *(_DWORD *)(v5 + 21) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) - (v5 + 20) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( !lstrcmpA(lpString1, "Module32Next") )
  {
    *(_BYTE *)(v5 + 136) = 23;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    *(_WORD *)(v5 + 83) = -15231;
    *(_DWORD *)(v5 + 85) = 1068;
    *(_WORD *)(v5 + 89) = -5795;
    *(_DWORD *)(v5 + 91) = a4 - (*(_DWORD *)(v5 + 4) + 18) - 5;
    *(_BYTE *)(v5 + 31) = -23;
    *(_DWORD *)(v5 + 32) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) - (v5 + 31) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));//VirtualProtectEx
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( !lstrcmpA(lpString1, "GetAdaptersInfo") )
  {
    *(_BYTE *)(v5 + 136) = 15;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    *(_WORD *)(v5 + 75) = -28579;
    *(_BYTE *)(v5 + 82) = -23;
    *(_DWORD *)(v5 + 83) = a4 - (*(_DWORD *)(v5 + 4) + 10) - 5;
    *(_BYTE *)(v5 + 13) = -72;
    *(_DWORD *)(v5 + 14) = *(_DWORD *)(v5 + 4) + *(_DWORD *)(*(_DWORD *)(v5 + 4) + 6) + *(_BYTE *)(v5 + 136) - 5;
    *(_WORD *)(v5 + 18) = -12033;
    *(_WORD *)(v5 + 20) = 1130;
    *(_WORD *)(v5 + 22) = 30207;
    *(_BYTE *)(v5 + 24) = 12;
    *(_BYTE *)(v5 + 25) = -23;
    *(_DWORD *)(v5 + 26) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) - (v5 + 25) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( !lstrcmpA(lpString1, "IsIconic") )
  {
    *(_BYTE *)(v5 + 136) = 13;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), 5);
    *(_WORD *)(v5 + 77) = 23952;
    *(_BYTE *)(v5 + 79) = -23;
    *(_DWORD *)(v5 + 80) = a4 - (*(_DWORD *)(v5 + 4) + 7) - 5;
    *(_BYTE *)(v5 + 84) = -112;
    *(_BYTE *)(v5 + 16) = -72;
    *(_DWORD *)(v5 + 17) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) + *(_DWORD *)(*(_DWORD *)(v5 + 4) + 9);
    *(_WORD *)(v5 + 21) = -12033;
    *(_BYTE *)(v5 + 23) = -23;
    *(_DWORD *)(v5 + 24) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) - (v5 + 23) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( !lstrcmpA(lpString1, "Sleep") )
  {
    *(_BYTE *)(v5 + 136) = 10;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    *(_DWORD *)(v5 + 72) = 1565917067;
    *(_BYTE *)(v5 + 76) = -23;
    *(_DWORD *)(v5 + 77) = a4 - (*(_DWORD *)(v5 + 4) + 4) - 5;
    *(_BYTE *)(v5 + 81) = -112;
    *(_BYTE *)(v5 + 18) = -23;
    *(_DWORD *)(v5 + 19) = *(_DWORD *)(v5 + 4) - (v5 + 8) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( !lstrcmpA(lpString1, "GetAsyncKeyState") )
  {
    *(_BYTE *)(v5 + 136) = 13;
    unknown_libname_1(v5 + 8, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    unknown_libname_1(v5 + 72, *(_DWORD *)(v5 + 4), *(_BYTE *)(v5 + 136));
    *(_DWORD *)(v5 + 72) = 1565917067;
    *(_BYTE *)(v5 + 76) = -23;
    *(_DWORD *)(v5 + 77) = a4 - (*(_DWORD *)(v5 + 4) + 4) - 5;
    *(_DWORD *)(v5 + 81) = -1869574000;
    *(_BYTE *)(v5 + 21) = -23;
    *(_DWORD *)(v5 + 22) = *(_BYTE *)(v5 + 136) + *(_DWORD *)(v5 + 4) - (v5 + 21) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    return 1;
  }
  if ( ReadProcessMemory(*(HANDLE *)v5, *(LPCVOID *)(v5 + 4), (LPVOID)(v5 + 8), 5u, 0) )
  {
    *(_BYTE *)(v5 + 136) = 5;
    *(_BYTE *)(v5 + 72) = -23;
    *(_DWORD *)(v5 + 73) = a4 - *(_DWORD *)(v5 + 4) - 5;
    *(_BYTE *)(v5 + 13) = -23;
    *(_DWORD *)(v5 + 14) = *(_DWORD *)(v5 + 4) - (v5 + 8) - 5;
    unknown_libname_1(*(_DWORD *)(v5 + 4), v5 + 72, *(_BYTE *)(v5 + 136));
    VirtualProtectEx(*(HANDLE *)v5, Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &Buffer.Protect);
    result = 1;
  }
  else
  {
LABEL_29:
    result = 0;
  }
  return result;
}
2009-11-18 18:13
0
fancily
雪    币: 19
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
看你这代码.不如看汇编直接.应该不是减CPU.是HOOK API.
2009-12-17 02:33
0
轩辕小聪
雪    币: 722
活跃值: (123)
能力值: ( LV12,RANK:300 )
在线值:
发帖
回帖
粉丝
私信
4
拜托,只是在ida里按了一下F5然后把自动生成的代码贴上来,然后连自己都读不懂这些代码,就能说成是你“逆了某程序”?

如楼上所说,这个代码应该是Hook API的,通过拦截程序检测进程、检测调试信息等的操作,来达到使程序误认为没有多开的目的。

另外:
  *(_DWORD *)v5 = GetCurrentProcess();
  if ( !*(_DWORD *)v5 )
    return 0;

GetCurrentProcess根本就不会失败(该函数直接返回-1),跟OpenProcess打开自身进程不是一回事。因此下面这个判断根本就是多余的,这说明该程序的作者的编程水平也不高。
2009-12-18 13:26
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//