某某游戏的阻止了打开进程hook 了// NtOpenProcess
修改了NtOpenProcess 当前地址的5个字节// JMP到了NtOpenProcess的原始函数地址后,悲剧发生了,几秒后游戏自动的退出!所以来请教下大牛们的建议,如何才能打开这个游戏的进程
////////////////////////////////////////////////////////////////////////////////
下面贴出NtOpenProcess 的当前地址代码:
地址 二进制 汇编
9FCAA42E 8BFF mov edi, edi//此处修改jmp 84086531 几秒后游戏自动的退出 什么问题?
9FCAA430 55 push ebp
9FCAA431 8BEC mov ebp, esp
9FCAA433 56 push esi
9FCAA434 BE 98F3CA9F mov esi, 9FCAF398
9FCAA439 33C9 xor ecx, ecx
9FCAA43B 57 push edi
9FCAA43C 8BC6 mov eax, esi
9FCAA43E 41 inc ecx
9FCAA43F F0:0FC108 lock xadd dword ptr [eax], ecx
9FCAA443 FF75 14 push dword ptr [ebp+14]
9FCAA446 8B3D A0F3CA9F mov edi, dword ptr [9FCAF3A0]
9FCAA44C FF75 10 push dword ptr [ebp+10]
9FCAA44F FF75 0C push dword ptr [ebp+C]
9FCAA452 FF75 08 push dword ptr [ebp+8]
9FCAA455 E8 12FEFFFF call 9FCAA26C
9FCAA45A 85C0 test eax, eax
9FCAA45C 7C 0E jl 9FCAA46C
9FCAA45E FF75 14 push dword ptr [ebp+14]
9FCAA461 FF75 10 push dword ptr [ebp+10]
9FCAA464 FF75 0C push dword ptr [ebp+C]
9FCAA467 FF75 08 push dword ptr [ebp+8]
9FCAA46A FFD7 call edi
9FCAA46C 83C9 FF or ecx, FFFFFFFF
9FCAA46F F0:0FC10E lock xadd dword ptr [esi], ecx
9FCAA473 5F pop edi
9FCAA474 5E pop esi
9FCAA475 5D pop ebp
9FCAA476 C2 1000 retn 10
9FCAA479 CC int3
9FCAA47A CC int3
9FCAA47B CC int3
9FCAA47C CC int3
9FCAA47D CC int3
9FCAA47E 8BFF mov edi, edi
9FCAA480 55 push ebp
9FCAA481 8BEC mov ebp, esp
9FCAA483 56 push esi
9FCAA484 BE A4F3CA9F mov esi, 9FCAF3A4
9FCAA489 33C9 xor ecx, ecx
9FCAA48B 57 push edi
9FCAA48C 8BC6 mov eax, esi
9FCAA48E 41 inc ecx
9FCAA48F F0:0FC108 lock xadd dword ptr [eax], ecx
9FCAA493 FF75 18 push dword ptr [ebp+18]
9FCAA496 8B3D ACF3CA9F mov edi, dword ptr [9FCAF3AC]
9FCAA49C FF75 14 push dword ptr [ebp+14]
9FCAA49F FF75 10 push dword ptr [ebp+10]
9FCAA4A2 FF75 0C push dword ptr [ebp+C]
9FCAA4A5 FF75 08 push dword ptr [ebp+8]
9FCAA4A8 E8 23FEFFFF call 9FCAA2D0
9FCAA4AD 85C0 test eax, eax
9FCAA4AF 7C 11 jl 9FCAA4C2
9FCAA4B1 FF75 18 push dword ptr [ebp+18]
9FCAA4B4 FF75 14 push dword ptr [ebp+14]
9FCAA4B7 FF75 10 push dword ptr [ebp+10]
9FCAA4BA FF75 0C push dword ptr [ebp+C]
9FCAA4BD FF75 08 push dword ptr [ebp+8]
9FCAA4C0 FFD7 call edi
9FCAA4C2 83C9 FF or ecx, FFFFFFFF
9FCAA4C5 F0:0FC10E lock xadd dword ptr [esi], ecx
9FCAA4C9 5F pop edi
9FCAA4CA 5E pop esi
9FCAA4CB 5D pop ebp
9FCAA4CC C2 1400 retn 14
///////////////////////////////////////////////////////////////////////////////////
下面NtOpenProcess 的原始地址代码:
地址 二进制 汇编
84086531 8BFF mov edi, edi
84086533 55 push ebp
84086534 8BEC mov ebp, esp
84086536 51 push ecx
84086537 51 push ecx
84086538 64:A1 24010000 mov eax, dword ptr fs:[124]
8408653E 8A80 3A010000 mov al, byte ptr [eax+13A]
84086544 8B4D 14 mov ecx, dword ptr [ebp+14]
84086547 8B55 10 mov edx, dword ptr [ebp+10]
8408654A 8845 FC mov byte ptr [ebp-4], al
8408654D FF75 FC push dword ptr [ebp-4]
84086550 FF75 FC push dword ptr [ebp-4]
84086553 FF75 0C push dword ptr [ebp+C]
84086556 FF75 08 push dword ptr [ebp+8]
84086559 E8 7276FFFF call 8407DBD0
8408655E C9 leave
8408655F C2 1000 retn 10
84086562 90 nop
84086563 90 nop
84086564 90 nop
84086565 90 nop
84086566 90 nop
84086567 6A 14 push 14
84086569 68 D804E683 push 83E604D8
8408656E E8 95EFDEFF call 83E75508
84086573 64:A1 24010000 mov eax, dword ptr fs:[124]
84086579 8A98 3A010000 mov bl, byte ptr [eax+13A]
8408657F 885D DC mov byte ptr [ebp-24], bl
84086582 84DB test bl, bl
84086584 74 3E je 840865C4
84086586 8365 FC 00 and dword ptr [ebp-4], 00000000
8408658A 8B75 08 mov esi, dword ptr [ebp+8]
8408658D 8BCE mov ecx, esi
8408658F A1 1CD7F683 mov eax, dword ptr [83F6D71C]
84086594 3BF0 cmp esi, eax
84086596 72 02 jc 8408659A
84086598 8BC8 mov ecx, eax
8408659A 8B01 mov eax, dword ptr [ecx]
8408659C 8901 mov dword ptr [ecx], eax
8408659E C745 FC FEFFFFFF mov dword ptr [ebp-4], 0FFFFFFFE
840865A5 EB 20 jmp 840865C7
840865A7 8B45 EC mov eax, dword ptr [ebp-14]
840865AA 8B00 mov eax, dword ptr [eax]
840865AC 8B00 mov eax, dword ptr [eax]
840865AE 8945 E0 mov dword ptr [ebp-20], eax
840865B1 33C0 xor eax, eax
840865B3 40 inc eax
840865B4 C3 retn
840865B5 8B65 E8 mov esp, dword ptr [ebp-18]
840865B8 C745 FC FEFFFFFF mov dword ptr [ebp-4], 0FFFFFFFE
840865BF 8B45 E0 mov eax, dword ptr [ebp-20]
840865C2 EB 50 jmp 84086614
840865C4 8B75 08 mov esi, dword ptr [ebp+8]
840865C7 8D45 E4 lea eax, [ebp-1C]
840865CA 50 push eax
840865CB 6A 00 push 0
840865CD FF75 0C push dword ptr [ebp+C]
840865D0 6A 00 push 0
840865D2 FF75 DC push dword ptr [ebp-24]
840865D5 FF35 10D0F683 push dword ptr [83F6D010]
840865DB FF75 10 push dword ptr [ebp+10]
840865DE E8 115BFCFF call 8404C0F4
840865E3 8945 08 mov dword ptr [ebp+8], eax
840865E6 85C0 test eax, eax
840865E8 7C 27 jl 84086611
840865EA 84DB test bl, bl
840865EC 74 1E je 8408660C
840865EE C745 FC 01000000 mov dword ptr [ebp-4], 1
840865F5 8B45 E4 mov eax, dword ptr [ebp-1C]
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!