首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 编程技术
    3. 发新帖
[原创]R3 Hook CPUID指令
2017-9-22 21:28 9383

[原创]R3 Hook CPUID指令

chengqiyan 活跃值
2017-9-22 21:28
9383
很多厂商对E3 E5 甚至整个志强系列做了特殊照顾,因此通过返回值可以伪造型号 序列号
下面是游戏中的代码
004D9FA0    53              push ebx
004D9FA1    57              push edi
004D9FA2    89D7            mov edi,edx
004D9FA4    31DB            xor ebx,ebx
004D9FA6    31C9            xor ecx,ecx
004D9FA8    31D2            xor edx,edx
004D9FAA    0FA2            cpuid
004D9FAC    8907            mov dword ptr ds:[edi],eax
004D9FAE    895F 04         mov dword ptr ds:[edi+0x4],ebx
004D9FB1    894F 08         mov dword ptr ds:[edi+0x8],ecx
004D9FB4    8957 0C         mov dword ptr ds:[edi+0xC],edx
004D9FB7    5F              pop edi
004D9FB8    5B              pop ebx
004D9FB9    C3              retn

利用调试器HOOK修改型号 序列号
#define  CPUID地址 0x004D9FA0


DebugClass::DebugClass()
{
	
	srand(time(NULL));//整个程序最调用一次
	memset(m_int3, 0, sizeof(Int3Info) * 20);
	int suijishu = 随机数2(1, 4);
	if (suijishu == 1)
	{
		sprintf(CPU型号, "      Intel(R) Core i7-7700K @4.20Hz");//前面6个空格
	}
	else if (suijishu ==2)
	{
		sprintf(CPU型号, "      Intel(R) Core i7-3615QN @2.30Hz");//前面6个空格
	}
	else if (suijishu == 3)
	{
		sprintf(CPU型号, "      Intel(R) Core i5-7440HQ @3.300Hz");//前面6个空格
	}
	else if (suijishu == 4)
	{
		sprintf(CPU型号, "      Intel(R) Core i7-3632QM @2.20Hz");//前面6个空格
	}

}



void DebugClass::loop(DWORD Targpid)
{
	this->pid = Targpid;
	EndDebug = false;
	CWinThread* th= AfxBeginThread(AFX_THREADPROC(debugThread), this);
 	::WaitForSingleObject(th->m_hThread, INFINITE);

}





static DWORD  debugThread(LPVOID lp)
{


	DebugClass* dbg = (DebugClass*)lp;
	
	if (!DebugActiveProcess(dbg->pid))
	{
		AfxMessageBox("无法附加");
		return 0;
	}
	DebugSetProcessKillOnExit(FALSE);
	CString  jj;
	DEBUG_EVENT  event;
	DWORD  dwContinuesStatus = DBG_EXCEPTION_NOT_HANDLED;//默认不处理异常
	while (WaitForDebugEvent(&event, INFINITE))
	{

		switch (event.dwDebugEventCode)
		{
		case  CREATE_PROCESS_DEBUG_EVENT:
			//AfxMessageBox("CREATE_PROCESS_DEBUG_EVENT");
			dbg->Createint3(&event);
			dwContinuesStatus = DBG_CONTINUE; 
			 
			break; 

		case EXCEPTION_DEBUG_EVENT: 
			dwContinuesStatus = dbg->Int3Code(&event); 
			::CloseHandle(event.u.CreateProcessInfo.hThread);
			::CloseHandle(event.u.CreateProcessInfo.hProcess);
			::CloseHandle(event.u.CreateProcessInfo.hFile);

			break;
		case EXIT_PROCESS_DEBUG_EVENT:
			//AfxMessageBox("EXIT_PROCESS_DEBUG_EVENT");
			DebugActiveProcessStop(dbg->pid);
			return 0;


		}
		 
		
		ContinueDebugEvent(event.dwProcessId, event.dwThreadId, dwContinuesStatus);
 
	
	
	}

}





DWORD DebugClass::Int3Code(LPDEBUG_EVENT lpDebugEvent)
{ 
	PEXCEPTION_RECORD per = &lpDebugEvent->u.Exception.ExceptionRecord;
	
	BYTE bInt3 = 0xCC;
	if (per->ExceptionCode == EXCEPTION_BREAKPOINT)
	{
		for (int i = 0; i < 20; i++)
		{
			if (m_int3[i].adr == 0)
			{
				continue;
			}
			if (per->ExceptionAddress == (LPVOID)m_int3[i].adr)
			{
				//AfxMessageBox("地址触发");
				if (m_int3[i].adr == CPUID地址)
				{
					伪造CPUID(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == 查看修改后的CPU地址)
				{
					查看CPU修改结果(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == 查看修改后的序列号地址)
				{
					查看序列号修改结果(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == Game_NtCreateThread)
				{
					线程直接返回(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == Game_CreateDC)
				{
					线程直接返回(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == this->修改网站内存地址)
				{
					//	AfxMessageBox("ADR");
					改网站(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == this->发包地址)
				{
					//	AfxMessageBox("ADR");
					处理发包(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == this->喊话地址)
				{
					//	AfxMessageBox("ADR");
					记录喊话(lpDebugEvent, i);
				}
				else if (m_int3[i].adr == 登录信息地址)
				{
					//	AfxMessageBox("ADR");
					处理登录信息(lpDebugEvent, i);
				}

				return DBG_CONTINUE;
			}
			

		}

	}
	else if (per->ExceptionCode == EXCEPTION_SINGLE_STEP)
	{
		//AfxMessageBox("单步");
		BYTE bInt3 = 0xCC;
		for (int x = 0; x < 20; x++)
		{
			if (m_int3[x].adr != 0)
			{
				WriteProcessMemory(m_process, (LPVOID)m_int3[x].adr, &bInt3, sizeof(BYTE), NULL);
			}
		}
		return DBG_CONTINUE;
	}
	return  DBG_EXCEPTION_NOT_HANDLED; 
}








void  DebugClass::伪造CPUID(LPDEBUG_EVENT lpDebugEvent, DWORD myindex)
{
	CONTEXT cText;
	HANDLE  m_thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, lpDebugEvent->dwThreadId);
	cText.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
	if (!GetThreadContext(m_thread, &cText))
	{
		return;
	}

	if (cText.Eax == 0x80000002)
	{ 
		::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 4, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 8, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 0xC, 4, NULL);
	}
	else if (cText.Eax == 0x80000003)
	{ 
		::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号 + 16, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 16 + 4, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 16 + 8, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 16 + 0xC, 4, NULL);
	}
	else if (cText.Eax == 0x80000004)
	{ 
		::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号 + 16 * 2, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 16 * 2 + 4, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 16 * 2 + 8, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 16 * 2 + 0xC, 4, NULL);
	 
	}
	else if (cText.Eax == 1)//获取CPU序列号
	{

		DWORD  meax = 随机数2(0x11111, 0xfffff);
		*((byte*)((DWORD)&meax) + 1) = 0X06;
		char eax_str[256] = { 0 }; 
		sprintf(eax_str, "%x", meax); 



		//2
		DWORD  mebx_1 = 随机数2(0x1, 0xf);
		DWORD mebx = mebx_1 * 0x100000 + 0x800;
		sprintf(eax_str, "%x", mebx); 

		//3 xfxxxxxf
		DWORD  m_ecx = 随机数2(0x11111111, 0xffffffff);
		sprintf(eax_str, "%0.8x", m_ecx);
		eax_str[1] = 'f';
		eax_str[7] = 'f'; 
		 
		char* p = NULL;
		m_ecx = strtol(eax_str, &p, 16);

		DWORD  m_edx = 0xBFEBFBFF;
		
		::WriteProcessMemory(m_process, (LPVOID)cText.Edx, &meax, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+4), &mebx, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+8), &m_ecx, 4, NULL);
		::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+0xc), &m_edx, 4, NULL);
		 
		

	}


	WriteProcessMemory(m_process, (LPVOID)m_int3[myindex].adr, &m_int3[myindex].oldByte, sizeof(BYTE), NULL);
	cText.Eip = m_int3[myindex].eipAdr /*目标地址*/;
	cText.EFlags |= 0x100;
	SetThreadContext(m_thread, &cText); 
    CloseHandle(m_thread);
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工 作,每周日13:00-18:00直播授课

收藏
点赞0
打赏
分享
最新回复 (6)
PYGame
雪    币: 2473
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
PYGame 2017-9-23 03:26
2
0
<br>  是什么鬼

想法很好      请问      EXCEPTION_DEBUG_EVENT    是谁抛的
如果是cpuid抛的    那要vt有何用
hzqst
雪    币: 12839
活跃值: (9008)
能力值: ( LV9,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
hzqst 3 2017-9-24 08:54
3
0
我用的可能是假E3
itiansin
雪    币: 75
活跃值: (70)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
itiansin 2017-12-26 11:03
4
0
中文C++?简直了!!
qqsunche
雪    币: 172
活跃值: (81)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
qqsunche 2017-12-26 11:14
5
0
VS支持中文变量
Tennn
雪    币: 1176
活跃值: (1219)
能力值: ( LV12,RANK:380 )
在线值:
发帖
回帖
粉丝
私信
Tennn 5 2017-12-26 12:00
6
0
我擦  还真支持....
老坛酸菜TM
雪    币: 42
活跃值: (208)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
老坛酸菜TM 2018-10-26 14:23
7
0
itiansin 中文C++?简直了!![em_4]
不奇怪,我也喜欢用中文
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回