首页
社区
课程
招聘
[原创]R3 Hook CPUID指令
发表于: 2017-9-22 21:28 10458

[原创]R3 Hook CPUID指令

2017-9-22 21:28
10458
很多厂商对E3 E5 甚至整个志强系列做了特殊照顾,因此通过返回值可以伪造型号 序列号
下面是游戏中的代码
004D9FA0    53              push ebx
004D9FA1    57              push edi
004D9FA2    89D7            mov edi,edx
004D9FA4    31DB            xor ebx,ebx
004D9FA6    31C9            xor ecx,ecx
004D9FA8    31D2            xor edx,edx
004D9FAA    0FA2            cpuid
004D9FAC    8907            mov dword ptr ds:[edi],eax
004D9FAE    895F 04         mov dword ptr ds:[edi+0x4],ebx
004D9FB1    894F 08         mov dword ptr ds:[edi+0x8],ecx
004D9FB4    8957 0C         mov dword ptr ds:[edi+0xC],edx
004D9FB7    5F              pop edi
004D9FB8    5B              pop ebx
004D9FB9    C3              retn



利用调试器HOOK修改型号 序列号
#define  CPUID地址 0x004D9FA0
DebugClass::DebugClass() { srand(time(NULL));//整个程序最调用一次 memset(m_int3, 0, sizeof(Int3Info) * 20); int suijishu = 随机数2(1, 4); if (suijishu == 1) { sprintf(CPU型号, " Intel(R) Core i7-7700K @4.20Hz");//前面6个空格 } else if (suijishu ==2) { sprintf(CPU型号, " Intel(R) Core i7-3615QN @2.30Hz");//前面6个空格 } else if (suijishu == 3) { sprintf(CPU型号, " Intel(R) Core i5-7440HQ @3.300Hz");//前面6个空格 } else if (suijishu == 4) { sprintf(CPU型号, " Intel(R) Core i7-3632QM @2.20Hz");//前面6个空格 } }

void DebugClass::loop(DWORD Targpid) { this->pid = Targpid; EndDebug = false; CWinThread* th= AfxBeginThread(AFX_THREADPROC(debugThread), this); ::WaitForSingleObject(th->m_hThread, INFINITE); }

static DWORD debugThread(LPVOID lp) { DebugClass* dbg = (DebugClass*)lp; if (!DebugActiveProcess(dbg->pid)) { AfxMessageBox("无法附加"); return 0; } DebugSetProcessKillOnExit(FALSE); CString jj; DEBUG_EVENT event; DWORD dwContinuesStatus = DBG_EXCEPTION_NOT_HANDLED;//默认不处理异常 while (WaitForDebugEvent(&event, INFINITE)) { switch (event.dwDebugEventCode) { case CREATE_PROCESS_DEBUG_EVENT: //AfxMessageBox("CREATE_PROCESS_DEBUG_EVENT"); dbg->Createint3(&event); dwContinuesStatus = DBG_CONTINUE; break; case EXCEPTION_DEBUG_EVENT: dwContinuesStatus = dbg->Int3Code(&event); ::CloseHandle(event.u.CreateProcessInfo.hThread); ::CloseHandle(event.u.CreateProcessInfo.hProcess); ::CloseHandle(event.u.CreateProcessInfo.hFile); break; case EXIT_PROCESS_DEBUG_EVENT: //AfxMessageBox("EXIT_PROCESS_DEBUG_EVENT"); DebugActiveProcessStop(dbg->pid); return 0; } ContinueDebugEvent(event.dwProcessId, event.dwThreadId, dwContinuesStatus); } }

DWORD DebugClass::Int3Code(LPDEBUG_EVENT lpDebugEvent) { PEXCEPTION_RECORD per = &lpDebugEvent->u.Exception.ExceptionRecord; BYTE bInt3 = 0xCC; if (per->ExceptionCode == EXCEPTION_BREAKPOINT) { for (int i = 0; i < 20; i++) { if (m_int3[i].adr == 0) { continue; } if (per->ExceptionAddress == (LPVOID)m_int3[i].adr) { //AfxMessageBox("地址触发"); if (m_int3[i].adr == CPUID地址) { 伪造CPUID(lpDebugEvent, i); } else if (m_int3[i].adr == 查看修改后的CPU地址) { 查看CPU修改结果(lpDebugEvent, i); } else if (m_int3[i].adr == 查看修改后的序列号地址) { 查看序列号修改结果(lpDebugEvent, i); } else if (m_int3[i].adr == Game_NtCreateThread) { 线程直接返回(lpDebugEvent, i); } else if (m_int3[i].adr == Game_CreateDC) { 线程直接返回(lpDebugEvent, i); } else if (m_int3[i].adr == this->修改网站内存地址) { // AfxMessageBox("ADR"); 改网站(lpDebugEvent, i); } else if (m_int3[i].adr == this->发包地址) { // AfxMessageBox("ADR"); 处理发包(lpDebugEvent, i); } else if (m_int3[i].adr == this->喊话地址) { // AfxMessageBox("ADR"); 记录喊话(lpDebugEvent, i); } else if (m_int3[i].adr == 登录信息地址) { // AfxMessageBox("ADR"); 处理登录信息(lpDebugEvent, i); } return DBG_CONTINUE; } } } else if (per->ExceptionCode == EXCEPTION_SINGLE_STEP) { //AfxMessageBox("单步"); BYTE bInt3 = 0xCC; for (int x = 0; x < 20; x++) { if (m_int3[x].adr != 0) { WriteProcessMemory(m_process, (LPVOID)m_int3[x].adr, &bInt3, sizeof(BYTE), NULL); } } return DBG_CONTINUE; } return DBG_EXCEPTION_NOT_HANDLED; }


void DebugClass::伪造CPUID(LPDEBUG_EVENT lpDebugEvent, DWORD myindex) { CONTEXT cText; HANDLE m_thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, lpDebugEvent->dwThreadId); cText.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS; if (!GetThreadContext(m_thread, &cText)) { return; } if (cText.Eax == 0x80000002) { ::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 4, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 8, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 0xC, 4, NULL); } else if (cText.Eax == 0x80000003) { ::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号 + 16, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 16 + 4, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 16 + 8, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 16 + 0xC, 4, NULL); } else if (cText.Eax == 0x80000004) { ::WriteProcessMemory(m_process, (LPVOID)cText.Edx, CPU型号 + 16 * 2, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 4), CPU型号 + 16 * 2 + 4, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0X8), CPU型号 + 16 * 2 + 8, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx + 0XC), CPU型号 + 16 * 2 + 0xC, 4, NULL); } else if (cText.Eax == 1)//获取CPU序列号 { DWORD meax = 随机数2(0x11111, 0xfffff); *((byte*)((DWORD)&meax) + 1) = 0X06; char eax_str[256] = { 0 }; sprintf(eax_str, "%x", meax); //2 DWORD mebx_1 = 随机数2(0x1, 0xf); DWORD mebx = mebx_1 * 0x100000 + 0x800; sprintf(eax_str, "%x", mebx); //3 xfxxxxxf DWORD m_ecx = 随机数2(0x11111111, 0xffffffff); sprintf(eax_str, "%0.8x", m_ecx); eax_str[1] = 'f'; eax_str[7] = 'f'; char* p = NULL; m_ecx = strtol(eax_str, &p, 16); DWORD m_edx = 0xBFEBFBFF; ::WriteProcessMemory(m_process, (LPVOID)cText.Edx, &meax, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+4), &mebx, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+8), &m_ecx, 4, NULL); ::WriteProcessMemory(m_process, (LPVOID)(cText.Edx+0xc), &m_edx, 4, NULL); } WriteProcessMemory(m_process, (LPVOID)m_int3[myindex].adr, &m_int3[myindex].oldByte, sizeof(BYTE), NULL); cText.Eip = m_int3[myindex].eipAdr /*目标地址*/; cText.EFlags |= 0x100; SetThreadContext(m_thread, &cText); CloseHandle(m_thread); }

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (6)
雪    币: 2473
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
<br>  是什么鬼

想法很好      请问      EXCEPTION_DEBUG_EVENT    是谁抛的
如果是cpuid抛的    那要vt有何用
2017-9-23 03:26
0
雪    币: 12857
活跃值: (9172)
能力值: ( LV9,RANK:280 )
在线值:
发帖
回帖
粉丝
3
我用的可能是假E3
2017-9-24 08:54
0
雪    币: 75
活跃值: (125)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
中文C++?简直了!!
2017-12-26 11:03
0
雪    币: 172
活跃值: (81)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
VS支持中文变量
2017-12-26 11:14
0
雪    币: 1176
活跃值: (1269)
能力值: ( LV12,RANK:380 )
在线值:
发帖
回帖
粉丝
6
我擦  还真支持....
2017-12-26 12:00
0
雪    币: 42
活跃值: (208)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
itiansin 中文C++?简直了!![em_4]
不奇怪,我也喜欢用中文
2018-10-26 14:23
0
游客
登录 | 注册 方可回帖
返回
//