-
-
[原创]TX某游戏内存加载d3d9的一个HOOK思路
-
发表于: 2016-9-17 13:08
-
首先声明:本帖内容仅供技术交流,不涉及任何与过保护、作弊功能等任何违法行为有关的内容。
玩儿过TX某F的同学应该知道,某F在vista以上系统会加载d3d9.dll,而xp环境下就不加载d3d9.dll了,而且模块列表里也找不到d3d9.dll,这是为什么呢?
(因为没有xp系统的真机,所以就不放测试截图了)
有些同学以为*F是加载了D3D\\d3d9xpsp3.dll这个文件,其实不是,这个文件只是*f用来做内存校验的
真正的d3d9.dll被打包进了cross****Base.dll中,在运行时解密出来当做内存dll加载,所以你只能在模块列表里看到一个d3d8thk.dll(因为这是d3d9.dll的依赖库)。
那碰到这种内存dll的情况该如何做d3d hook呢?ida打开d3d9xpsp3.dll看一看,找到我们最亲切的D3DCreateDevice9同学
加载符号之后基本就能看个大概了
IDirect3D9 *__stdcall Direct3DCreate9(UINT SDKVersion)
{
HMODULE v1; // eax@3
FARPROC v2; // eax@4
UINT v4; // eax@6
BYTE Data[4]; // [sp+0h] [bp-108h]@1
CHAR OutputString; // [sp+4h] [bp-104h]@10
if ( GetD3DRegValue(4, "LoadDebugRuntime", Data, 4) )
{
if ( *(_DWORD *)Data )
{
v1 = LoadLibraryA("d3d9d.dll");
if ( v1 )
{
v2 = GetProcAddress(v1, "Direct3DCreate9");
if ( v2 )
return (IDirect3D9 *)((int (__stdcall *)(_DWORD))v2)(SDKVersion);
}
}
}
v4 = SDKVersion & 0x7FFFFFFF;
if ( (SDKVersion & 0x7FFFFFFF) != 31 && (v4 < 0x20 || v4 > 0x20 && v4 < 0x84) )
{
StringCbPrintfA(
&OutputString,
0x100u,
"\nD3D ERROR: D3D header version mismatch.\nThe application was compiled against and will only work with D3D_SDK_VERSION (%d), but the currently installed runtime is version (%d).\nRecompile the application against the appropriate SDK for the installed runtime.\n\n",
SDKVersion & 0x7FFFFFFF,
32);
OutputDebugStringA(&OutputString);
return 0;
}
if ( !operator new(0x47B8u) )
return 0;
return (IDirect3D9 *)CEnum::CEnum(SDKVersion);
}
if ( !RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\DirectDraw\\GammaCalibrator", 0, 1u, &phkResult) )
*((_DWORD *)v2 + 4520) = 0; *((_DWORD *)v2 + 4521) = 0; *((_DWORD *)v2 + 4522) = 0; *((_DWORD *)v2 + 4523) = 0;
mov [ebx+46A0h], esi .text:4B66ADA7 mov [ebx+46A4h], esi .text:4B66ADAD mov [ebx+46A8h], esi .text:4B66ADB3 mov [ebx+46ACh], esi .text:4B66ADB9 call ds:__imp__RegOpenKeyExA@20
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
