但是好象死掉了麻烦大牛帮忙看看 希望看雪老大给个邀请码
HWND hGame = ::FindWindow("dbgviewClass", NULL);
if(hGame == NULL) return ;
DWORD processId;
HANDLE hprocess;
::GetWindowThreadProcessId(hGame, &processId);
hprocess = ::OpenProcess(PROCESS_ALL_ACCESS, false, processId);
BYTE pDistInctCode[10]={0x89,0x84,0x24,0x14,0x02,0x00,0x00,0x80,0x3D,0xF4};
BYTE pDistInctOffSet[10]={0,1,2,3,4,5,6,7,8,9};
/*0040100D 898424 14020000 MOV DWORD PTR SS:[ESP+214],EAX
00401014 803D F4344500 0>CMP BYTE PTR DS:[4534F4],0
0040101B 56 PUSH ESI
0040101C C74424 0C 00000>MOV DWORD PTR SS:[ESP+C],0
00401024 0F84 1C010000 JE Dbgview.00401146
0040102A 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0040102E 50 PUSH EAX
0040102F 68 D4454300 PUSH Dbgview.004345D4
00401034 68 02000080 PUSH 80000002
*/
char Address[]={""};
int i;
i=::FindDistInctCode(hprocess,
pDistInctOffSet,
pDistInctCode,
10,
Address);
AfxMessageBox(Address);
UINT FindDistInctCode(HANDLE hProcess,
BYTE *DistInctOffSet,
BYTE *DistInctCode,
UINT DistCodeLength,
LPSTR lPAddress)
{
UINT rBet=0;
CONST DWORD BaseAddress=0x400000;
CONST DWORD endAddress=0x7fffffff;
CONST DWORD PageSize=4096;
BYTE page[PageSize]={""}; //返回读取过来的缓冲区地址
BYTE ReadMachineCode[]={0}; //读取的特征吗
DWORD *TmpAddress=(DWORD *)BaseAddress; //弄个临时地址
//循环添加4096字节读取
for(int PageNumer=0;(BaseAddress+PageSize*PageNumer)<endAddress;PageNumer++)
{
TmpAddress+=(PageSize*PageNumer);
ReadProcessMemory(hProcess,TmpAddress,&page,PageSize,NULL);
for (BYTE i=0;i<PageSize;i++) //循环加1遍历
{
BYTE *p= (BYTE *)(page+i);
for(BYTE j=0;j<DistCodeLength;j++) ////循环加1 读取特征码偏移
{
//通过偏移加+P读取机器指令
ReadMachineCode[j] =(*(BYTE *)(p+DistInctOffSet[j]));
}
//比较看是否跟特征码一样
if (memcmp(ReadMachineCode,DistInctCode,DistCodeLength)==0)
{
sprintf((LPSTR)(lPAddress+rBet),"%x",(ULONG)p); //是就写入到 字符串数组中
rBet++;
}
memset((char *)ReadMachineCode,0,DistCodeLength);
}
if (rBet>1) //这里即使只有一个找到 也找不出来郁闷
break;
}
return rBet;
}
不知道哪里错了 编译没出错
[课程]FART 脱壳王!加量不加价!FART作者讲授!
