2 楼
为什么没有人回复啊,是不是破解起来非常简单的缘故啊
3 楼
没看明白,4个字不让回复
4 楼
只要检测网卡数据就可以了,不管你拆解的有多么支离破碎,正常运行总要有完整的时候吧?
这种破解要么是NDIS驱动过滤,要么转发目的IP,然后自己写服务器返回数据,和模拟有算法的狗一样。一般来说,上层SPI转发比较方便,下面是我用SPI来实现的例子(一个外挂破解例子)
第一步。拦截并且分析网卡数据,得到算法
...
第二步。自己写服务器响应外挂验证请求
...
第三步。转发请求地址或者请求内容
很简单,只要把发送目标(也就是IP地址)改过来就可以了(需要在 WSPConnect 中处理)
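// Layered-provider WSPConnect: formats the IPv4 destination as text, rewrites
// it when the match below is enabled, then forwards the call to the next
// provider saved in NextProcTable.
//
// Returns whatever the lower provider's WSPConnect returns; lpErrno is filled
// in by that provider.
int WSPAPI WSPConnect(
    SOCKET s,
    const struct sockaddr FAR * name,
    int namelen,
    LPWSABUF lpCallerData,
    LPWSABUF lpCalleeData,
    LPQOS lpSQOS,
    LPQOS lpGQOS,
    LPINT lpErrno
)
{
    // Anything that is not a complete IPv4 address (NULL, short buffer,
    // AF_INET6, ...) is forwarded untouched. Copying it into a SOCKADDR_IN
    // and handing it on with the caller's namelen would let the lower
    // provider read past the 16-byte local copy.
    if (name == NULL
        || namelen < (int)sizeof(SOCKADDR_IN)
        || name->sa_family != AF_INET)
    {
        return NextProcTable.lpWSPConnect(s, name, namelen, lpCallerData,
                                          lpCalleeData, lpSQOS, lpGQOS, lpErrno);
    }

    SOCKADDR_IN mysock;
    memcpy(&mysock, name, sizeof(mysock));

    CString strTemp;
    strTemp.Format("before IP:%u.%u.%u.%u"
        , mysock.sin_addr.S_un.S_un_b.s_b1
        , mysock.sin_addr.S_un.S_un_b.s_b2
        , mysock.sin_addr.S_un.S_un_b.s_b3
        , mysock.sin_addr.S_un.S_un_b.s_b4
        );

    // -1 means "no match". The page left this variable uninitialised while
    // the match itself is commented out, so the branch below was taken or
    // skipped depending on stack garbage.
    int ret = -1;
    // ret = strTemp.Find("174.139.101.",0); // request addresses used by the DNF 犀利 client; there are many, so comparing the first three octets is enough
    if (ret != -1)
    {
        // Replace the destination with the address of the local server.
        mysock.sin_addr.S_un.S_un_b.s_b1 = 192;
        mysock.sin_addr.S_un.S_un_b.s_b2 = 168;
        mysock.sin_addr.S_un.S_un_b.s_b3 = 1;
        mysock.sin_addr.S_un.S_un_b.s_b4 = 229;
    }

    // Pass the size of the local copy, not the caller's namelen, so the
    // length always describes the buffer actually handed down.
    return NextProcTable.lpWSPConnect(s, (sockaddr *)&mysock, (int)sizeof(mysock),
                                      lpCallerData, lpCalleeData, lpSQOS, lpGQOS,
                                      lpErrno);
}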
二、修改发送数据
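// Layered-provider WSPSend: looks up the peer address of the socket, checks
// whether it is the replacement address written by WSPConnect, and forwards
// the send to the next provider saved in NextProcTable.
//
// Returns whatever the lower provider's WSPSend returns; lpErrno is filled in
// by that provider.
int WSPAPI WSPSend(
    SOCKET s,
    LPWSABUF lpBuffers,
    DWORD dwBufferCount,
    LPDWORD lpNumberOfBytesSent,
    DWORD dwFlags,
    LPWSAOVERLAPPED lpOverlapped,
    LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
    LPWSATHREADID lpThreadId,
    LPINT lpErrno
)
{
    SOCKADDR_IN remote_addr = {0};
    int remote_addr_len = sizeof(remote_addr);
    bool is_target = false;

    // Only trust remote_addr when getpeername succeeded and returned an IPv4
    // address; the original formatted the struct even when the call failed,
    // i.e. from uninitialised stack memory.
    if (getpeername(s, (SOCKADDR*)&remote_addr, &remote_addr_len) == 0
        && remote_addr.sin_family == AF_INET)
    {
        CString strTemp;
        strTemp.Format("SEND IP:%u.%u.%u.%u"
            , remote_addr.sin_addr.S_un.S_un_b.s_b1
            , remote_addr.sin_addr.S_un.S_un_b.s_b2
            , remote_addr.sin_addr.S_un.S_un_b.s_b3
            , remote_addr.sin_addr.S_un.S_un_b.s_b4
            );
        is_target = (strTemp.Find("192.168.1.229",0) != -1); // DNF 犀利
    }

    if (is_target)
    {
        // Placeholder left by the author: process the data here by editing
        // the contents at lpBuffers->buf.
        // NOTE(review): lpBuffers is an array of dwBufferCount WSABUF
        // entries, each with its own len; any edit has to stay inside that
        // entry's len, and the array may be NULL/empty on a bad call.
    }

    return NextProcTable.lpWSPSend(s, lpBuffers, dwBufferCount
        , lpNumberOfBytesSent, dwFlags, lpOverlapped
        , lpCompletionRoutine, lpThreadId, lpErrno);
}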
最后在 WSPStartup 中挂钩
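// Layered-provider WSPStartup: loads the underlying provider DLL, lets it
// fill lpProcTable, keeps a copy of that table in NextProcTable, and then
// replaces the connect and send entries with this module's versions.
//
// Returns WSAEPROVIDERFAILEDINIT when the lower provider cannot be located,
// loaded or resolved, the lower provider's error code when its WSPStartup
// fails, and 0 on success.
//
// For whoever audits a host: a layered provider such as this one only runs
// after it has been registered in the Winsock catalog, and registered
// entries are listed by `netsh winsock show catalog`.
int WSPAPI WSPStartup(
    WORD wVersionRequested,
    LPWSPDATA lpWSPData,
    LPWSAPROTOCOL_INFOW lpProtocolInfo,
    WSPUPCALLTABLE upcallTable,
    LPWSPPROC_TABLE lpProcTable
)
{
    TCHAR sLibraryPath[512] = {0};
    LPWSPSTARTUP WSPStartupFunc = NULL;
    HMODULE hLibraryHandle = NULL;
    INT ErrorCode = 0;

    if (lpProcTable == NULL)
        return WSAEPROVIDERFAILEDINIT;

    // GetHookProvider is defined elsewhere in the project; presumably it
    // writes the lower provider's DLL path into sLibraryPath.
    // NOTE(review): confirm it bounds the write to 512 TCHARs and yields an
    // absolute path, since LoadLibrary on a bare file name goes through the
    // DLL search order.
    if (!GetHookProvider(lpProtocolInfo, sLibraryPath))
        return WSAEPROVIDERFAILEDINIT;

    hLibraryHandle = LoadLibrary(sLibraryPath);
    if (hLibraryHandle == NULL)
        return WSAEPROVIDERFAILEDINIT;

    WSPStartupFunc = (LPWSPSTARTUP)GetProcAddress(hLibraryHandle, "WSPStartup");
    if (WSPStartupFunc == NULL)
    {
        // The original returned here with the module still loaded.
        FreeLibrary(hLibraryHandle);
        return WSAEPROVIDERFAILEDINIT;
    }

    ErrorCode = WSPStartupFunc(wVersionRequested, lpWSPData
        , lpProtocolInfo, upcallTable, lpProcTable);
    if (ErrorCode != ERROR_SUCCESS)
    {
        // Same leak on this path: release the lower provider before failing.
        FreeLibrary(hLibraryHandle);
        return ErrorCode;
    }

    // Keep the lower provider's entry points so the hooks can forward to them.
    NextProcTable = *lpProcTable;

    // Install the hooks.
    lpProcTable->lpWSPConnect = WSPConnect;
    lpProcTable->lpWSPSend = WSPSend;
    return 0;
}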