.586
.model flat,stdcall
option casemap:none
include autoinstruct.Inc
include hook.asm
.data
; Module-level state shared by the procedures below.
x3_base dd 0                    ; module base of x3.xem, stored by mainthread
mbi MEMORY_BASIC_INFORMATION<0> ; scratch record filled by VirtualQueryEx in emun_mem_region
pAddress dd 0                   ; next address to query while walking regions
hprocess dd 0                   ; handle from OpenProcess in emun_mem_region (no CloseHandle in this file)
maintid dd 0                    ; thread id recorded by myctdex when the 9a0h case is hit
x3_fun1 dd ?                    ; address of export ordinal 1 of x3.xem, stored by mainthread
.code
;-----------------------------------------------------------------------
; mysleep
; Substitute routine whose address myctdex writes into [edi].arg4 for
; threads not created by the recorded main thread. It only emits a
; debug string and returns; the meaning of arg4 depends on hookesp_s
; in hook.asm and is not visible here.
; Clobbers: whatever OutputDebugString clobbers (eax, ecx, edx).
;-----------------------------------------------------------------------
mysleep proc
invoke OutputDebugString,SADD("mysleep")
ret
mysleep endp
;-----------------------------------------------------------------------
; kill_e019100b haddr
; Applies a fixed list of code patches relative to haddr (the caller in
; emun_mem_region passes mbi.BaseAddress). The first offset is written
; inline; the rest (kill_e_1..kill_e_14) are constants defined outside
; this file. hook_it_eb / hook_it_9090 / hook_it_ret / hook_it_ret_0
; come from hook.asm; their exact byte writes are not visible here.
; Note(review): no byte-signature check precedes any of these writes,
; unlike the checks in emun_mem_region, so a different module build
; would be patched blindly.
; All general registers are preserved via pushad/popad.
;-----------------------------------------------------------------------
kill_e019100b proc haddr
pushad
mov eax,haddr
add eax,06900876h-068ED000h     ; offset of first patch site within the module
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_1
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_2
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_3
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_4
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_5
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_6
invoke hook_it_9090,eax         ; this site uses the 90/90 variant
mov eax,haddr
add eax,kill_e_7
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_8
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_9
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_10
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_11
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_12
invoke hook_it_ret,eax          ; ret variant
mov eax,haddr
add eax,kill_e_13
invoke hook_it_eb,eax
mov eax,haddr
add eax,kill_e_14
invoke hook_it_ret_0,eax        ; ret-0 variant
invoke OutputDebugString,SADD("killed")
popad
ret
kill_e019100b endp
;-----------------------------------------------------------------------
; my_064C12CB
; Logging stub installed by hook_addr_jump from emun_mem_region. After
; pushad, esp points at the saved-register frame, which is read through
; the hookesp_s overlay (layout defined in hook.asm) to obtain the
; return address and first argument of the hooked call. Logs them with
; the current thread id and returns; registers restored by popad.
; Note(review): szbuf is declared elsewhere and wsprintf is unbounded;
; the format here is fixed-width, so the output length is predictable.
;-----------------------------------------------------------------------
my_064C12CB proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi                        ; keep edi across the API calls (popad restores it anyway)
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_064C12CB ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my_064C12CB endp
;-----------------------------------------------------------------------
; my_0649334A
; Logging stub installed by hook_addr_jump from emun_mem_region; same
; shape as my_064C12CB: reads call_ret/arg1 from the pushad frame via
; the hookesp_s overlay (hook.asm), logs with the thread id, returns.
;-----------------------------------------------------------------------
my_0649334A proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_0649334A ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my_0649334A endp
;-----------------------------------------------------------------------
; my_064BBC60
; Stub installed by hook_addr_jump from emun_mem_region. Logs
; call_ret/arg1 from the pushad frame and the thread id, then ends the
; calling thread with ExitThread(0). The popad/ret after ExitThread are
; never reached, so the hooked routine never resumes.
;-----------------------------------------------------------------------
my_064BBC60 proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_064BBC60 ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
; If any thread reaches this point, terminate that thread.
invoke ExitThread,0
popad                           ; unreachable after ExitThread
ret
my_064BBC60 endp
;-----------------------------------------------------------------------
; my_064BBC7E
; Logging stub installed by hook_addr_jump from emun_mem_region; reads
; call_ret/arg1 from the pushad frame via hookesp_s (hook.asm), logs
; them with the thread id and returns with all registers restored.
;-----------------------------------------------------------------------
my_064BBC7E proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_064BBC7E ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my_064BBC7E endp
;-----------------------------------------------------------------------
; my_064BBC9F
; Stub installed by hook_addr_jump from emun_mem_region. Logs
; call_ret/arg1 and the thread id, then ends the calling thread with
; ExitThread(0); the trailing popad/ret are unreachable.
;-----------------------------------------------------------------------
my_064BBC9F proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_064BBC9F ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
; If any thread reaches this point, terminate that thread.
invoke ExitThread,0
popad                           ; unreachable after ExitThread
ret
my_064BBC9F endp
;-----------------------------------------------------------------------
; my_064C06AD
; Logging stub installed by hook_addr_jump from emun_mem_region; reads
; call_ret/arg1 from the pushad frame via hookesp_s (hook.asm), logs
; them with the thread id and returns with all registers restored.
;-----------------------------------------------------------------------
my_064C06AD proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_064C06AD ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my_064C06AD endp
;-----------------------------------------------------------------------
; my_06952E22
; Logging stub installed by hook_addr_jump from emun_mem_region; reads
; call_ret/arg1 from the pushad frame via hookesp_s (hook.asm), logs
; them with the thread id and returns with all registers restored.
;-----------------------------------------------------------------------
my_06952E22 proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my_06952E22 ret:%08X arg1:%08x TID:%08X",0),\
[edi].call_ret,[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my_06952E22 endp
;-----------------------------------------------------------------------
; emun_mem_region
; Walks every memory region of the current process with VirtualQueryEx
; and, for regions whose RegionSize and Protect match hard-coded values
; (Protect 20h = PAGE_EXECUTE_READ), checks a byte signature at fixed
; offsets before applying a patch or installing one of the my_* stubs.
; The loop ends when VirtualQueryEx no longer returns sizeof mbi.
; Note(review): the OpenProcess handle stored in hprocess is never
; closed in this file. edi and ebx are overwritten here although they
; are callee-saved under stdcall; the only visible caller (myctdex)
; wraps the call in pushad/popad, so that is safe only for that caller.
; Note(review): the wsprintf calls below use a fixed-width format, but
; szbuf's size is declared outside this file.
;-----------------------------------------------------------------------
emun_mem_region proc
; Enumerate memory regions of the current process.
invoke GetCurrentProcessId
invoke OpenProcess,PROCESS_QUERY_INFORMATION,FALSE,eax
.if !eax
invoke OutputDebugString,SADD("OpenProcess ERROR")
ret                             ; early exit on failure; nothing to release yet
.endif
mov pAddress,0
mov hprocess,eax
.while TRUE
invoke VirtualQueryEx,hprocess,pAddress,addr mbi,sizeof mbi
.break .if eax!=sizeof mbi      ; query failed or address space exhausted
.if mbi.RegionSize==0a1000h
.if mbi.Protect==20h
; A region with RegionSize==a1000h and Protect==20h is treated as the
; x3 memory-verification code; there are several, so all are handled.
invoke wsprintf,addr szbuf,\
SADD("BaseAddress:%08X RegionSize:%08X Protect:%08X lType:%08X",0),\
mbi.BaseAddress,\
mbi.RegionSize,\
mbi.Protect,\
mbi.lType
invoke OutputDebugString,addr szbuf
mov edi,mbi.BaseAddress
add edi,379A6h
; Offset 379A6h is the verification code (as seen by the author):
;05E309A6 3B7A 10 CMP EDI,DWORD PTR DS:[EDX+10]
;05E309A9 0F84 F5000000 JE 05E30AA4
; cmp (3Bh) is rewritten to mov (8Bh)
; 0F84 is rewritten to 90 E9 (nop jmp)
; The dword compare below is the signature check guarding the write.
.if dword ptr[edi]==0f107a3bh
invoke write_it,edi,08bh
add edi,3
invoke hook_it_90e9,edi
invoke OutputDebugString,SADD("path____1111111__________")
.endif
mov edi,mbi.BaseAddress
add edi,38A6Dh
; Offset 38A6Dh is the second verification site; same handling as above.
.if dword ptr[edi]==0f187a3bh
invoke write_it,edi,08bh
add edi,3
invoke hook_it_90e9,edi
invoke OutputDebugString,SADD("path____2222222__________")
.endif
.endif
.endif
.if mbi.RegionSize==06a000h
.if mbi.Protect==20h
invoke wsprintf,addr szbuf,\
SADD("BaseAddress:%08X RegionSize:%08X Protect:%08X lType:%08X",0),\
mbi.BaseAddress,\
mbi.RegionSize,\
mbi.Protect,\
mbi.lType
invoke OutputDebugString,addr szbuf
mov edi,mbi.BaseAddress
add edi,064C12CBh-0647C000h     ; RVA computed from the author's observed addresses
.if word ptr[edi]==046ah         ; signature check before hooking
invoke hook_addr_jump,edi,offset my_064C12CB,7
invoke OutputDebugString,SADD("PATH 064C12CB")
; patch: suppresses the E019100B error dialog
invoke kill_e019100b,mbi.BaseAddress
.endif
; The following hooks prepare for stopping the detection threads.
mov edi,mbi.BaseAddress
add edi,0649334Ah-0647C000h
.if word ptr[edi]==8b55h
invoke hook_addr_jump,edi,offset my_0649334A,9
invoke OutputDebugString,SADD("PATH 0649334Ah")
.endif
mov edi,mbi.BaseAddress
add edi,064BBC60h-0647C000h
.if word ptr[edi]==74ffh
invoke hook_addr_jump,edi,offset my_064BBC60,8
invoke OutputDebugString,SADD("PATH 064BBC60h")
.endif
mov edi,mbi.BaseAddress
add edi,064BBC7Eh-0647C000h
.if word ptr[edi]==8b55h
invoke hook_addr_jump,edi,offset my_064BBC7E,6
invoke OutputDebugString,SADD("PATH 064BBC7Eh")
.endif
mov edi,mbi.BaseAddress
add edi,064BBC9Fh-0647C000h
.if word ptr[edi]==8b55h
invoke hook_addr_jump,edi,offset my_064BBC9F,6
invoke OutputDebugString,SADD("PATH 064BBC9Fh")
.endif
mov edi,mbi.BaseAddress
add edi,064C06ADh-0647C000h
.if word ptr[edi]==8155h
invoke hook_addr_jump,edi,offset my_064C06AD,7
invoke OutputDebugString,SADD("PATH 064C06ADh")
.endif
; The next three offsets are relative to different observed bases
; (066AF000h, 069DE000h, 06933000h) but are still applied to this
; region's BaseAddress; only the word signature check guards them.
mov edi,mbi.BaseAddress
add edi,066F3FEBh-066AF000h
.if word ptr[edi]==6974h
invoke hook_it_eb,edi
invoke OutputDebugString,SADD("PATH 066F3FEB")
.endif
mov edi,mbi.BaseAddress
add edi,069FD95Eh-069DE000h
.if word ptr[edi]==2d75h
invoke hook_it_eb,edi
invoke OutputDebugString,SADD("PATH 069FD95E")
.endif
mov edi,mbi.BaseAddress
add edi,06952E22h-06933000h
.if word ptr[edi]==8155h
; invoke hook_it_ret_0,edi
invoke hook_addr_jump,edi,offset my_06952E22,7
invoke OutputDebugString,SADD("PATH 06952E22h")
.endif
.endif
.endif
; Advance to the next region.
mov eax,mbi.BaseAddress
add eax,mbi.RegionSize
mov pAddress,eax
.endw
ret
emun_mem_region endp
;-----------------------------------------------------------------------
; my34b
; Logging stub installed by myctdex (34bh case) on a thread start
; routine. Reads arg1 from the pushad frame via hookesp_s (hook.asm),
; logs it together with the current thread id, restores registers.
;-----------------------------------------------------------------------
my34b proc
; Log the 34b thread's call argument and the new thread id.
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("my34b arg1:%08X TID:%08X",0),[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
my34b endp
;-----------------------------------------------------------------------
; myf01
; Logging stub installed by myctdex (0f01h case) on a thread start
; routine. Reads arg1 from the pushad frame via hookesp_s (hook.asm),
; logs it together with the current thread id, restores registers.
;-----------------------------------------------------------------------
myf01 proc
; Log the f01 thread's call argument and the new thread id.
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("myf01 arg1:%08X TID:%08X",0),[edi].arg1,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
myf01 endp
;-----------------------------------------------------------------------
; myctdex
; Stub installed on KERNELBASE!CreateRemoteThreadEx by mainthread via
; hook_api_jump. It reads the hooked call's arguments from the pushad
; frame through hookesp_s (hook.asm); from the format string, arg10 is
; treated as the return address, arg4 as the start address and arg5 as
; the parameter. Behaviour is selected on the low 12 bits of arg4:
;   9a0h  -> patch a nearby site, record the calling thread id in maintid
;   0f01h -> optionally hook the start routine with myf01; if the caller
;            is not maintid, replace the start address with mysleep
;   34bh  -> run emun_mem_region, optionally hook the start routine
;            with my34b
; Note(review): the page-offset match (and ebx,0fffh) is the only check
; before the 9a0h patch; the dword signature 08b55ff8bh guards the
; other two. ebx is clobbered and restored by popad.
;-----------------------------------------------------------------------
myctdex proc
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,SADD("ctdex ret:%08X addr=%08X,param=%08X tid=%08X",0),\
[edi].arg10,[edi].arg4,[edi].arg5,eax
invoke OutputDebugString,addr szbuf
pop edi
; X3 update failure.
mov eax,[edi].arg4
mov ebx,[edi].arg4
and ebx,0fffh                   ; ebx = page offset of the start address
.if ebx==9a0h
; Bypass the dialog shown when the update fails; may be left unhandled.
sub eax,09a0h
add eax,087bh                   ; eax = same page, offset 87bh
invoke hook_it_eb,eax
invoke OutputDebugString,SADD("path updata")
; Record the main thread's id; it is needed later.
invoke GetCurrentThreadId
mov maintid,eax
.endif
mov ebx,[edi].arg4
and ebx,0fffh
.if ebx==0f01h
mov eax,[edi].arg4
mov eax,[eax]                   ; first dword of the start routine
.if eax==08b55ff8bh
; Hook the thread function to log thread information.
invoke hook_addr_jump,[edi].arg4,offset myf01,5
.endif
; Check whether the thread is created by the main thread; if not, patch it out.
invoke GetCurrentThreadId
.if eax!=maintid
mov eax,offset mysleep
mov [edi].arg4,eax              ; replace the start address in the caller's frame
.endif
; db 0ebh
; db 0feh
;
.elseif ebx==34bh
pushad                          ; emun_mem_region clobbers edi/ebx
invoke emun_mem_region          ; enumerate memory regions
popad
mov eax,[edi].arg4
mov eax,[eax]
.if eax==08b55ff8bh
; Hook the thread function to log thread information.
invoke hook_addr_jump,[edi].arg4,offset my34b,5
.endif
.endif
assume edi:nothing
popad
ret
myctdex endp
;-----------------------------------------------------------------------
; mycrc arg1,arg2,arg3
; Replacement routine whose address mainthread writes into slot +328h
; of a table reached from x3_base+43894h. Returns the dword at
; [edi+10h] in eax, i.e. it depends on the caller's edi, not on its
; declared arguments.
; Note(review): because parameters are declared, MASM emits a stdcall
; frame and the return becomes ret 0Ch; this only balances the stack
; if the replaced routine is also stdcall with three dword arguments,
; which cannot be verified from this file.
;-----------------------------------------------------------------------
mycrc proc arg1,arg2,arg3
; x3 code verification replacement.
mov eax,dword ptr[edi+10h]
ret
mycrc endp
;-----------------------------------------------------------------------
; myx3_1
; Logging stub installed by mainthread on export ordinal 1 of x3.xem.
; Reads call_ret and arg1..arg3 from the pushad frame via hookesp_s
; (hook.asm), logs them with the thread id, restores registers.
;-----------------------------------------------------------------------
myx3_1 proc
; Log the arguments passed when x3 is called; not very useful.
pushad
mov edi,esp                     ; edi = saved-register frame
assume edi:ptr hookesp_s
push edi
invoke GetCurrentThreadId
invoke wsprintf,addr szbuf,\
SADD("myx3_1 retaddr:%08X arg1:%08X arg2:%08X arg3:%08X TID:%08X",0),\
[edi].call_ret,[edi].arg1,[edi].arg2,[edi].arg3,eax
invoke OutputDebugString,addr szbuf
pop edi
popad
ret
myx3_1 endp
;-----------------------------------------------------------------------
; mainthread
; Thread routine started from DllEntry. Hooks CreateRemoteThreadEx in
; KERNELBASE.dll with myctdex, spins until x3.xem is loaded, hooks its
; export ordinal 1 with myx3_1, and overwrites a function pointer at
; [[x3_base+43894h]]+328h with mycrc.
; Note(review): the wait loop has no Sleep, so it burns a core until
; the module appears, and there is no timeout.
; Note(review): the two dereferences before the +328h write have no
; null/validity check; a different x3.xem build faults here.
; Note(review): declared with no parameter although CreateThread passes
; one; harmless only because the thread exits on return.
;-----------------------------------------------------------------------
mainthread proc
invoke OutputDebugString,SADD("path_x3 START")
invoke hook_api_jump,SADD("KERNELBASE.dll"),\
SADD("CreateRemoteThreadEx"),offset myctdex,5
; Hook the thread-creation function so code is patched when threads are created.
.while TRUE
invoke GetModuleHandle,SADD("x3.xem")
.break .IF EAX                  ; busy-wait until the module is mapped
.endw
mov x3_base,eax
invoke GetProcAddress,eax,1     ; export ordinal 1
.if eax
mov x3_fun1,eax
invoke hook_addr_jump,x3_fun1,offset myx3_1,6
; Note(review): eax here holds hook_addr_jump's return value, not x3_fun1,
; so the logged "X3 fun1" value is probably not the intended one.
invoke wsprintf,addr szbuf,SADD("X3 fun1:%08X"),eax
invoke OutputDebugString,addr szbuf
.endif
invoke OutputDebugString,SADD("hook x3.xem")
mov eax,x3_base
add eax,43894h
mov eax,dword ptr[eax]          ; first indirection; unchecked
mov eax,dword ptr[eax]          ; second indirection; unchecked
mov ebx,offset mycrc
mov dword ptr[eax+328h],ebx     ; bypass x3 code verification (ebx clobbered; callee-saved under stdcall)
invoke OutputDebugString,SADD("path_x3 end")
; Note(review): the next line is stray keyboard input, not an instruction
; or directive; it will not assemble and should be deleted.
deq1133e`1az1
ret
mainthread endp
;-----------------------------------------------------------------------
; DllEntry hInst, reason, reserved1
; DllMain. Stores hInst in hInstance (declared outside this file). On
; DLL_PROCESS_ATTACH, only if a module named C9.exe is present in the
; process, starts mainthread via CreateThread and closes the thread
; handle (ThreadID is also declared outside this file). Always returns
; TRUE. The DLL_THREAD_ATTACH branch is empty.
; Note(review): mainthread runs loader-sensitive APIs on a fresh thread
; started from DllMain; ordering with respect to the loader lock is
; not controlled here.
;-----------------------------------------------------------------------
DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD
push hInst
pop hInstance                   ; hInstance = hInst
.if reason==DLL_PROCESS_ATTACH
pushad
invoke GetModuleHandle,SADD("C9.exe")
.if eax                         ; only act inside the intended host process
invoke OutputDebugString,SADD("KILL X3")
mov eax,offset mainthread
invoke CreateThread,NULL,NULL,eax,\
NULL,0,\
ADDR ThreadID
invoke CloseHandle,eax          ; handle not needed; thread keeps running
invoke OutputDebugString,SADD("KILL X3 __end")
.endif
popad
.elseif reason == DLL_THREAD_ATTACH
.endif
mov eax,TRUE
ret
DllEntry Endp
End DllEntry
注在游戏启动时注入dll
本代码只是方法.其它游戏不通用...