明天台版的潘朵拉傳奇就要OB了,在這兒發個CB能用的多開。
抱歉我住台灣,所以貼的是繁體字。如有需要…請自行轉為簡體。
這次iplayer代理的這個潘朵拉並沒有神盾,所以也就給了我機會。希望可以弄個精華變成正式會員囉!
首先看看程式的入口點:
.text:0040D6E0 public fakeoep
.text:0040D6E0 fakeoep proc near
.text:0040D6E0 000 push offset realoep
.text:0040D6E5 004 push offset fakeoep
.text:0040D6EA 008 call launcher
.text:0040D6EF 008 add esp, 8
.text:0040D6F2 000 retn
.text:0040D6F2 fakeoep endp
.text:0040D6E0 000 jmp realoep
if (!CreateProcess(NULL, szExeCmd, NULL, NULL, FALSE, DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS,
NULL, szExeDir, &startInfo, &procInfo))
return EXIT_FAILURE;
DEBUG_EVENT debugEvent;
DWORD nStatus;
CONTEXT context;
LPVOID startAddr; // fakeoep
LPVOID targetAddr; // realoep
BYTE bStart = 0xCC;
BOOL blFirstTime = TRUE;
while (WaitForDebugEvent(&debugEvent, INFINITE))
{
nStatus = DBG_EXCEPTION_NOT_HANDLED;
if (debugEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
break;
else if (debugEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
{
if (debugEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)
{
if (blFirstTime)
{
// ...
blFirstTime = FALSE;
}
else if (debugEvent.u.Exception.ExceptionRecord.ExceptionAddress == startAddr)
{
// ...
context.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(procInfo.hThread, &context);
context.Eip = (DWORD)targetAddr;
SetThreadContext(procInfo.hThread, &context);
}
}
nStatus = DBG_CONTINUE;
}
if (!ContinueDebugEvent(procInfo.dwProcessId, procInfo.dwThreadId, nStatus))
break;
}
.text:0040D464 loc_40D464: ; uType
.text:0040D464 994 push ebx
.text:0040D465 998 push offset Caption ; lpCaption
.text:0040D46A 99C push eax ; lpText
.text:0040D46B 9A0 push ebx ; hWnd
.text:0040D46C 9A4 call ds:MessageBoxW
.text:0040D43E loc_40D43E:
.text:0040D43E 994 cmp al, bl
.text:0040D440 994 jz short loc_40D491
.text:007AC0E5 loc_7AC0E5:
.text:007AC0E5 030 mov eax, [ebp+arg_0]
.text:007AC0E8 030 push 0 ; hTemplateFile
.text:007AC0EA 034 push esi ; dwFlagsAndAttributes
.text:007AC0EB 038 push [ebp+dwCreationDisposition] ; dwCreationDisposition
.text:007AC0EE 03C mov dword ptr [eax], 1
.text:007AC0F4 03C mov eax, [ebp+arg_4]
.text:007AC0F7 03C mov [eax], edi
.text:007AC0F9 03C lea eax, [ebp+SecurityAttributes]
.text:007AC0FC 03C push eax ; lpSecurityAttributes
.text:007AC0FD 040 push [ebp+dwShareMode] ; dwShareMode
.text:007AC100 044 push [ebp+lDistanceToMove] ; dwDesiredAccess
.text:007AC103 048 push [ebp+lpFileName] ; lpFileName
.text:007AC106 04C call ds:CreateFileW
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!