[旧帖]
操作HS CRC 然后运行处理的时候 没有操作到的地址反而错误了
发表于:
2012-10-15 05:46
这是我写的处理
//////////////////////////////////////////////////// hello everyone, I am the CRC file //
// HS addresses; no initialiser here, presumably assigned elsewhere before BypassHsIcs runs -- not visible in this listing
DWORD IcsHsAdd;
DWORD HscrcLong;
DWORD SleepAdd;
DWORD RtlEnterAdd;
/// junk-instruction ("花指令") address //
DWORD FlowAdd=0x6DA22D35;
/// MS memory range //
DWORD dwMsMem1=0x410000;
DWORD dwMsMem2=0xe00000;
LPVOID MsMem;
// MS //
DWORD dwMCrc1=0x00D4A4D4;
DWORD dwMCrc2=0x010FFEB7;
DWORD dwMCrc1ret=0x00d4a4d9;
DWORD dwMCrc2ret=0x010fee61;
//// HS module memory (base filled in elsewhere; length is a fixed constant)
DWORD EhsvcBase;
DWORD EhsvcLengh=0x72a000;
//LPVOID EhsvcMem;
//// the addresses written in square brackets -- my own guess is that they are CMS memory values //
/// CRC4 CMP
//
/// MS crc handling ////
/////////// HS crc handling /////
/// HS ICS ///
// BypassHsIcs -- naked x86 stub written in MSVC inline asm (Intel/MASM syntax).
// Entered through a detour whose original continuation is RtlEnterAdd. It
// compares the return address saved at [esp+0x50] with EhsvcBase+0x2915C: on
// a mismatch it returns straight to RtlEnterAdd, otherwise it runs the
// hand-written sequence below, which calls into the ehsvc module at fixed
// offsets and leaves via ret to addresses built from EhsvcBase, IcsHsAdd or
// SleepAdd.
// Offsets written as 0xxxxx (C6, C8, C14 and the lines just before C14) are
// placeholders left by the poster, so the function does not assemble as shown.
// Being naked there is no prologue/epilogue and no register or flag
// preservation; esp is rewritten with lea/inc throughout and the junk
// ("花指令") portions are interleaved with the live code, so the stack layout
// at each ret cannot be verified from this listing alone.
void __declspec(naked) BypassHsIcs()
{
__asm
{
mov eax,EhsvcBase
add eax,0x2915C
cmp [esp+0x50],eax// is the saved return address ehsvc.dll+0x2915C?
jne Ret1// no: hand control back to the trampoline (RtlEnterAdd)
lea eax,Hook
call Ret1// pushes the address of Ret1, then falls into it
Ret1:
push RtlEnterAdd
ret// transfers to RtlEnterAdd
Hook:
mov [esp+0x1C],eax
cmp edi,ebp
mov [esp+0x14],sp// 16-bit store of sp, as posted
mov [esp+0x5C],edi
lea esp,[esp+0x50]
jne J3
mov [esp+0x14],eax
mov edi,eax
mov eax,[esi+0xC]
lea ebx,[esi+0x18]
cmp eax,01
jmp J4
J3:
mov eax,[esi+0xC]
lea ebx,[esi+0x18]
cmp eax,01
jmp J4
J4:
mov [esp],ebx
lea esp,[esp+0x24]
jne J5// back to the original hook address; no further handling
mov eax,EhsvcBase// reload the CRC source address
add eax,0x110478
mov ecx,eax
mov eax,EhsvcBase
call C1// pushes the address of C1, then falls into it
C1:
add eax,0x7650
call C3
C3:
push eax
mov eax,R1
mov [esp+4],eax// overwrite the slot pushed by "call C3" with R1
pop eax
call C4// call into the CRC routine; set up to write the hook
C4:
mov [esp+0x8],eax
push [esp+0x8]
ret// transfers to ehsvc+0x7650
R1:
mov [esp+0x4],cx// 16-bit store of cx, as posted
lea esp,[esp+0x40]
jmp J8
J8:
mov eax,[esp+0x20]
cmp edi,eax
lea esp,[esp+0x24]
jne J10
mov edi,[eax+0x4]
mov ecx,[edi+0x10]
mov edx,[edi+0x8]
cmp edx,0x401000
call C5// same as the statements below; start tracing from there
J10:
mov ecx,[edi+0x10]
mov edx,[edi+0x8]
cmp edx,0x401000
call C5
C5:
lea esp,[esp+0x4C]
jb J11// edx below 0x401000: jump back to the original location
mov [esp+0x8],bh
cmp edx,0xE00000
lea esp,[esp+0x4C]
jg J11// skip the memory dump and leave
mov ebx,[MsMem]// load the dump buffer
inc al
lea eax,[edx*0x8]
mov dl,0x4B
movsx eax,cl
sub edx,0x401000// (you get it)
cmp sp,0x148C
add [ebx],eax
shl [esi+0xF],cl
mov ebx,[esp+0x20]
test ecx,edx
inc esp
push FlowAdd
mov [esp],0x0000000
push eax
push ecx
mov ax,bx
push edx
mov ecx,esi
test bl,0xF6
mov eax,EhsvcBase
call C6
J11:
inc esp
push FlowAdd
mov [esp],0x0000000
push eax
push ecx
mov ax,bx
push edx
mov ecx,esi
test bl,0xF6
mov eax,EhsvcBase
call C6
C6:
add eax,0xxxxx// placeholder offset, as posted
push eax
mov eax,R2
mov [esp+4],eax// overwrite the slot pushed by "call C6" with R2
pop eax
mov [esp+8],eax
push [esp+8]
ret
R2:
test eax,eax
push ebp
push [esp]
lea esp,[esp+0x28]
jne R3
rol ecx,cl
mov ecx,[edi+0x8]
lea eax,[esp+0x10]
push eax
test bl,0xF6
push ecx
mov ecx,esi
mov eax,[EhsvcBase]
call C8
C8:
add eax,0xxxxx// placeholder offset, as posted
push eax
mov eax,R3
mov [esp+4],eax// overwrite the slot pushed by "call C8" with R3
pop eax
mov [esp+8],eax
push [esp+8]
ret
R3:
mov ecx,[esp+14]// decimal 14, as posted
mov eax,[edi+0xC]
cmp ecx,eax
lea esp,[esp+0x8]
jne J17// previous compare: if different, return to the game
mov eax,[esi+0xC]
mov edi,[edi+0x4]
cmp eax,0x1
mov byte ptr [esp+04],0x72
mov [esp+0x8],ebx
lea esp,[esp+0x2C]
jne J22// if different, jump back to where it came from
mov eax,EhsvcBase
add eax,0xxxxx// placeholder offset, as posted
mov ecx,eax
call C14
C14:
mov eax,EhsvcBase
add eax,0xxxx// placeholder offset, as posted
push eax
mov eax,R4
mov [esp+4],eax// overwrite the slot pushed by "call C14" with R4
pop eax
mov [esp+8],eax
push [esp+8]
ret
R4:
jmp Jret4
Jret4:
lea esp,[esp+0x24]
add edx,ebp
mov eax,FlowAdd
mov [esi+0x498],edx
mov eax,[esp+0x34]
test bx,sp
cmp edi,eax
push edi
call C15
C15:
lea esp,[esp+0x2C]
je J28
cmp ebp,0x23
jng J3
push ebx
lea esp,[esp+0x28]
jmp J28
J28:
call C16
C16:
mov eax,EhsvcBase
call C17
C17:
add eax,0x2925D
mov [esp+0x4],eax
push [esp+0x4]
ret// transfers to ehsvc+0x2925D
J22:
mov eax,[EhsvcBase]
add eax,0xED418
call C9// ed418
C9:
push [eax]
mov eax,Jret4
mov [esp+4],eax
pop [eax]
mov [esp+8],eax
push [esp+8]
ret
J17:
mov eax,EhsvcBase
add eax,0x29213
mov [esp+4],eax
push [esp+4]
ret// transfers to ehsvc+0x29213
J5:
push eax
mov eax,J8
mov [esp+4],eax
pop eax
call C2
push SleepAdd// Sleep function
pop [esp]
pushad
pushfd
push eax
mov eax,FlowAdd
mov [esp],eax
pop eax
pushfd
push [esp+0x28]
ret 0x2C
C2:
push eax
mov eax,[IcsHsAdd]
mov [esp+8],eax
pop eax
push [esp+8]
ret// transfers to IcsHsAdd
}
}
/////////////////////////////////////////////////
但是出错的地方完全是我没有接触到的（这是某辅助的代码，加过花指令，我尝试去了一下）。
这个是错误提示:
如果觉得上面的代码不够清晰,这是头文件。
有时间愿意帮我的..感激不尽..如果可以加QQ 了解一下也好,
企鹅:821219421.