-
-
[原创]游戏脱机之路(不知道能不能成功)
-
发表于: 2018-4-26 00:08
-
最近闲的无聊,在玩一款游戏,玩到60级的时候,发现里面的各种宝石刚需量很大,所以突然有个想法:如果能自己刷图就好了,但是我又想,一个号刷太慢了,多开也不行,这游戏太吃硬件了,开一个号感觉都要炸了。而且这游戏的辅助网上已经有卖的了,所以我有个大胆的想法,搞脱机的!
既然要脱机,第一步就是要抓包。毫不犹豫,直接替换掉ws2_32.dll(其实是我根本不知道有什么好用的、可以指定进程、IP、端口、socket号来抓包的工具)。用Depends工具,把ws2_32.dll所有的导出函数,200多个,尼玛,一个一个实现那得到什么时候。我只需要截获socket、connect、send、recv、sendto、recvfrom等几个函数,所以写了个小工具,批量输出了一些代码,然后稍加改动:
PS:我实现的是64位的
1、重写ws2_32.dll
1)函数指针声明(部分):
typedef unsigned int SOCKET;
extern FARPROC real_accept;
typedef int (PASCAL FAR *Bind)(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
);
extern Bind real_bind;
typedef int
(PASCAL FAR *CLOSESOCKET_FUNC)(
_In_ SOCKET s
);
extern CLOSESOCKET_FUNC real_closesocket;
typedef int
(PASCAL FAR *Connect)(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
);
extern Connect real_connect;
typedef int (PASCAL FAR *Getpeername) (SOCKET s, struct sockaddr FAR *name,
int FAR * namelen);
extern Getpeername real_getpeername;
typedef int
(PASCAL FAR *Getsockname)(
_In_ SOCKET s,
_Out_writes_bytes_to_(*namelen, *namelen) struct sockaddr FAR * name,
_Inout_ int FAR * namelen
);
extern Getsockname real_getsockname;
extern FARPROC real_getsockopt;
typedef u_long (PASCAL FAR *HTONL_FUNC)(_In_ u_long hostlong);
extern HTONL_FUNC real_htonl;
typedef u_short (PASCAL FAR *HTONS_FUNC)( _In_ u_short hostshort);
extern HTONS_FUNC real_htons;
extern FARPROC real_ioctlsocket;
extern FARPROC real_inet_addr;
extern FARPROC real_inet_ntoa;
extern FARPROC real_listen;
extern FARPROC real_ntohl;
extern FARPROC real_ntohs;
2)从真实的ws2_32.dll中获取真实的函数地址(部分):
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hMod = LoadLibrary(_T("real_ws2_32.dll"));
real_accept = GetProcAddress(g_hMod, "accept");
real_bind = (Bind)GetProcAddress(g_hMod, "bind");
real_closesocket = (CLOSESOCKET_FUNC)GetProcAddress(g_hMod, "closesocket");
real_connect = (Connect)GetProcAddress(g_hMod, "connect");
real_getpeername = (Getpeername)GetProcAddress(g_hMod, "getpeername");
real_getsockname = (Getsockname)GetProcAddress(g_hMod, "getsockname");
real_getsockopt = GetProcAddress(g_hMod, "getsockopt");
real_htonl = (HTONL_FUNC)GetProcAddress(g_hMod, "htonl");
real_htons = (HTONS_FUNC)GetProcAddress(g_hMod, "htons");
real_ioctlsocket = GetProcAddress(g_hMod, "ioctlsocket");
real_inet_addr = GetProcAddress(g_hMod, "inet_addr");
real_inet_ntoa = GetProcAddress(g_hMod, "inet_ntoa");
real_listen = GetProcAddress(g_hMod, "listen");
real_ntohl = GetProcAddress(g_hMod, "ntohl");
real_ntohs = GetProcAddress(g_hMod, "ntohs");
real_recv = (Recv)GetProcAddress(g_hMod, "recv");
real_recvfrom = (Recvfrom)GetProcAddress(g_hMod, "recvfrom");
real_select = GetProcAddress(g_hMod, "select");
real_send = (Send)GetProcAddress(g_hMod, "send");
real_sendto = (Sendto)GetProcAddress(g_hMod, "sendto");
......中间还有好多
GetModuleFileNameA(NULL, name, 260);
AnsiLower(name);
if ((strstr(name, "某某某.exe")) && g_pMsgTransmitor == nullptr)
{
g_bFuck = TRUE;
//g_pMsgTransmitor = new CMsgTransmitor(); 后来发现在dll一加载的时候创建线程游戏程序会死掉,改在socket函数里了
//g_pMsgTransmitor->Start();
}
3)需要截获的函数:
SOCKET PASCAL FAR socket(
_In_ int af,
_In_ int type,
_In_ int protocol
)
{
if (g_bFuck && g_pSopRulerManager == NULL)
{
//创建过滤规则管理器,过滤管理是用的共享内存,在消息查看程序中创建共享内存,并设置过滤条件
g_pSopRulerManager = new CStopRulerManager();
if (g_pSopRulerManager->OpenMap())
{
//创建消息转发器,消息转发器会创建一个socket连接,连接到我的消息查看程序,并管理一个消息队列
//并创建两个线程,一个线程轮询消息队列,,将消息发送到消息查看程序,一个线程读取消息查看程序发来的指令,比如过滤掉一些Ip,端口
g_pMsgTransmitor = new CMsgTransmitor();
g_pMsgTransmitor->Start();
}
}
//调用真正的socket函数
SOCKET s = real_socket(af, type, protocol);
//原本我想用getsockname,getpeername来获取套接字的本地和远程IP、端口信息,后来发现该调用会导致recv失败,0x2733错误,
//后来采用这个方法:自己管理一个套接字队列,包含了套接字与IP、端口的对应信息,分别在bind和connect时候将本地地址、远程地址保存起来
//要发送给消息查看程序的时候一并处理
if (s > 0) g_socketManager.Add(s, NULL, NULL); //向套接字管理器中添加一个套接字
//将这条事件压进消息队列
if (g_pMsgTransmitor) g_pMsgTransmitor->PushCreateSocketMsg(s, type, protocol);
return s;
}
int PASCAL FAR bind(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
)
{
int rt = 0;
rt = real_bind(s, name, namelen);
if (g_bFuck && rt == 0 )
{
g_socketManager.Add(s, (struct sockaddr_in*)name, NULL); //设置套接字本地地址
}
return rt;
}
int PASCAL FAR closesocket(SOCKET s)
{
int ret = real_closesocket(s);
g_socketManager.Delete(s); //删除一个套接字
if (g_pMsgTransmitor != nullptr)
{
g_pMsgTransmitor->PushCloseSocketMsg(s);
}
return ret;
}
int
PASCAL FAR connect(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
)
{
int rt = real_connect(s, name, namelen);
if (s > 0) g_socketManager.Add(s, NULL, (struct sockaddr_in*)name); //设置套接字远程地址
if(g_pMsgTransmitor) g_pMsgTransmitor->PushConnectMsg(s, (struct sockaddr_in *)name);
return rt;
}
4)不需要截获的函数(部分),由于vs2015不支持嵌套汇编,所以研究半天,直接用纯汇编加asm文件:
.code
real_accept PROTO C : vararg ;这句是声明有一个函数/过程real_accept在别处已经定义了
accept PROC
jmp qword ptr [real_accept] ;一开始,我直接用jmp real_accept,调试发现跳不对,的查看原始ws2_32.dll汇编代码后,发现它的跳转是这样的,改过来之后就成功了
accept ENDP
;real_bind PROTO C : vararg
;bind PROC
; jmp qword ptr [real_bind]
;bind ENDP
;real_closesocket PROTO C : vararg
;closesocket PROC
; jmp qword ptr [real_closesocket]
;closesocket ENDP
;real_connect PROTO C : vararg
;connect PROC
; jmp qword ptr [real_connect]
;connect ENDP
real_getpeername PROTO C : vararg
getpeername PROC
jmp qword ptr [real_getpeername]
getpeername ENDP
real_getsockname PROTO C : vararg
getsockname PROC
jmp qword ptr [real_getsockname]
getsockname ENDP
real_getsockopt PROTO C : vararg
getsockopt PROC
jmp qword ptr [real_getsockopt]
getsockopt ENDP
real_htonl PROTO C : vararg
htonl PROC
jmp qword ptr [real_htonl]
htonl ENDP
5)消息转发:
//工作线程
void CMsgTransmitor::_WorkThread()
{
static unsigned int timetickt = 0;
//printf("工作线程启动成功!");
while (WAIT_TIMEOUT == WaitForSingleObject(m_hWorkEndEvent, 20) && m_bRun)
{
++timetickt;
if (timetickt % 500 == 0)
{
SendHeart();
//保持连接
if (!m_bConnected && m_bRun)
{
if (!_ConnectToServer())
{
ClearMsg();
}
}
continue;
}
Msg_t * pMsg = _PopMsg();
while (pMsg) {
_SendMsg(pMsg, pMsg->head.len);
delete pMsg;
pMsg = _PopMsg();
}
}
}
BOOL CMsgTransmitor::_SendMsg(void *data, int len)
{
return m_tcp.WriteBytes((char*)data, len);
}
void CMsgTransmitor::_PushMsg(Msg_t * pMsg)
{
EnterCriticalSection(&m_csSend);
m_lstSend.push_back(pMsg);
LeaveCriticalSection(&m_csSend);
}
Msg_t * CMsgTransmitor::_PopMsg()
{
Msg_t *pMsg = NULL;
if (m_lstSend.size() > 0)
{
MsgList::iterator it;
EnterCriticalSection(&m_csSend);
it = m_lstSend.begin();
if (it != m_lstSend.end())
{
pMsg = *it;
m_lstSend.erase(it);
}
LeaveCriticalSection(&m_csSend);
}
return pMsg;
}
void CMsgTransmitor::PushCreateSocketMsg(SOCKET s, int type, int protol)
{
if (m_bNeedToTransmit )
{
MsgCreateSocket_t *pMsg = new MsgCreateSocket_t(s, type, protol, GetLastError());
//_SendMsg(&Msg, Msg.head.len);
_PushMsg(pMsg);
}
}
6)消息定义(部分):
typedef struct _MSG_HEAD
{
int flag; //消息头标识
unsigned int len; //消息体长度
int type; //消息类型
}MsgHead_t;
typedef struct _ST_MSG
{
MsgHead_t head;
}Msg_t;
typedef struct _SOCKET_INFO
{
unsigned int sock;
int type;
int protol;
time_t tm;
struct sockaddr_in localAddr;
struct sockaddr_in remoteAddr;
DWORD nError; //错误码
_SOCKET_INFO & operator=(const _SOCKET_INFO &info)
{
memcpy(this, &info, sizeof(_SOCKET_INFO));
return *this;
}
}SocketInfo_t;
typedef struct _MSG_CREAT_SOCKET :public _ST_MSG
{
SocketInfo_t socketInfo;
_MSG_CREAT_SOCKET()
{
head.flag = MSG_FLAG;
head.len = sizeof(*this);
head.type = MsgType_CreateSocket;
socketInfo.sock = -1;
socketInfo.type = -1;
socketInfo.protol = -1;
ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
}
_MSG_CREAT_SOCKET(unsigned int s, int t, int p, DWORD nerr)
{
head.flag = MSG_FLAG;
head.len = sizeof(*this);
head.type = MsgType_CreateSocket;
socketInfo.sock = s;
socketInfo.type = t;
socketInfo.protol = p;
socketInfo.nError = nerr;
socketInfo.tm = time(NULL);
ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
}
}MsgCreateSocket_t;
typedef struct _MSG_SEND :public _ST_MSG
{
SocketInfo_t socketInfo;
int nLenRequst; //请求长度
int nLenCompleted; //完成长度
char data[1];
private:
_MSG_SEND()
{
}
void init(int len)
{
head.flag = MSG_FLAG;
head.len = len;
head.type = MsgType_Send;
}
public:
static _MSG_SEND *Create(SOCKET s, void *pData, int lenToSend, int lenSended, DWORD nerr)
{
int msg_len = sizeof(_MSG_SEND) + lenToSend - 1;
_MSG_SEND *pMsg = (_MSG_SEND*)new char[msg_len];
if (pMsg != nullptr) {
pMsg->init(msg_len);
pMsg->nLenRequst = lenToSend;
pMsg->nLenCompleted = lenSended;
pMsg->socketInfo.sock = s;
pMsg->socketInfo.nError = nerr;
pMsg->socketInfo.tm = time(NULL);
GetSocketManager().Get(s, &pMsg->socketInfo.localAddr, &pMsg->socketInfo.remoteAddr);
memcpy_s(pMsg->data, lenToSend, pData, lenToSend);
return pMsg;
}
return nullptr;
}
}MsgSend_t;
7)消息查看程序就不说了,界面就是MFC dialog,通信是用的完成端口,主要用的以前项目的现在代码
既然要脱机,第一步就是要抓包。毫不犹豫,直接替换掉ws2_32.dll(其实是我根本不知道有什么好用的、可以指定进程、IP、端口、socket号来抓包的工具)。用Depends工具,把ws2_32.dll所有的导出函数,200多个,尼玛,一个一个实现那得到什么时候。我只需要截获socket、connect、send、recv、sendto、recvfrom等几个函数,所以写了个小工具,批量输出了一些代码,然后稍加改动:
PS:我实现的是64位的
1、重写ws2_32.dll
1)函数指针声明(部分):
typedef unsigned int SOCKET;
extern FARPROC real_accept;
typedef int (PASCAL FAR *Bind)(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
);
extern Bind real_bind;
typedef int
(PASCAL FAR *CLOSESOCKET_FUNC)(
_In_ SOCKET s
);
extern CLOSESOCKET_FUNC real_closesocket;
typedef int
(PASCAL FAR *Connect)(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
);
extern Connect real_connect;
typedef int (PASCAL FAR *Getpeername) (SOCKET s, struct sockaddr FAR *name,
int FAR * namelen);
extern Getpeername real_getpeername;
typedef int
(PASCAL FAR *Getsockname)(
_In_ SOCKET s,
_Out_writes_bytes_to_(*namelen, *namelen) struct sockaddr FAR * name,
_Inout_ int FAR * namelen
);
extern Getsockname real_getsockname;
extern FARPROC real_getsockopt;
typedef u_long (PASCAL FAR *HTONL_FUNC)(_In_ u_long hostlong);
extern HTONL_FUNC real_htonl;
typedef u_short (PASCAL FAR *HTONS_FUNC)( _In_ u_short hostshort);
extern HTONS_FUNC real_htons;
extern FARPROC real_ioctlsocket;
extern FARPROC real_inet_addr;
extern FARPROC real_inet_ntoa;
extern FARPROC real_listen;
extern FARPROC real_ntohl;
extern FARPROC real_ntohs;
2)从真实的ws2_32.dll中获取真实的函数地址(部分):
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_hMod = LoadLibrary(_T("real_ws2_32.dll"));
real_accept = GetProcAddress(g_hMod, "accept");
real_bind = (Bind)GetProcAddress(g_hMod, "bind");
real_closesocket = (CLOSESOCKET_FUNC)GetProcAddress(g_hMod, "closesocket");
real_connect = (Connect)GetProcAddress(g_hMod, "connect");
real_getpeername = (Getpeername)GetProcAddress(g_hMod, "getpeername");
real_getsockname = (Getsockname)GetProcAddress(g_hMod, "getsockname");
real_getsockopt = GetProcAddress(g_hMod, "getsockopt");
real_htonl = (HTONL_FUNC)GetProcAddress(g_hMod, "htonl");
real_htons = (HTONS_FUNC)GetProcAddress(g_hMod, "htons");
real_ioctlsocket = GetProcAddress(g_hMod, "ioctlsocket");
real_inet_addr = GetProcAddress(g_hMod, "inet_addr");
real_inet_ntoa = GetProcAddress(g_hMod, "inet_ntoa");
real_listen = GetProcAddress(g_hMod, "listen");
real_ntohl = GetProcAddress(g_hMod, "ntohl");
real_ntohs = GetProcAddress(g_hMod, "ntohs");
real_recv = (Recv)GetProcAddress(g_hMod, "recv");
real_recvfrom = (Recvfrom)GetProcAddress(g_hMod, "recvfrom");
real_select = GetProcAddress(g_hMod, "select");
real_send = (Send)GetProcAddress(g_hMod, "send");
real_sendto = (Sendto)GetProcAddress(g_hMod, "sendto");
......中间还有好多
GetModuleFileNameA(NULL, name, 260);
AnsiLower(name);
if ((strstr(name, "某某某.exe")) && g_pMsgTransmitor == nullptr)
{
g_bFuck = TRUE;
//g_pMsgTransmitor = new CMsgTransmitor(); 后来发现在dll一加载的时候创建线程游戏程序会死掉,改在socket函数里了
//g_pMsgTransmitor->Start();
}
3)需要截获的函数:
SOCKET PASCAL FAR socket(
_In_ int af,
_In_ int type,
_In_ int protocol
)
{
if (g_bFuck && g_pSopRulerManager == NULL)
{
//创建过滤规则管理器,过滤管理是用的共享内存,在消息查看程序中创建共享内存,并设置过滤条件
g_pSopRulerManager = new CStopRulerManager();
if (g_pSopRulerManager->OpenMap())
{
//创建消息转发器,消息转发器会创建一个socket连接,连接到我的消息查看程序,并管理一个消息队列
//并创建两个线程,一个线程轮询消息队列,,将消息发送到消息查看程序,一个线程读取消息查看程序发来的指令,比如过滤掉一些Ip,端口
g_pMsgTransmitor = new CMsgTransmitor();
g_pMsgTransmitor->Start();
}
}
//调用真正的socket函数
SOCKET s = real_socket(af, type, protocol);
//原本我想用getsockname,getpeername来获取套接字的本地和远程IP、端口信息,后来发现该调用会导致recv失败,0x2733错误,
//后来采用这个方法:自己管理一个套接字队列,包含了套接字与IP、端口的对应信息,分别在bind和connect时候将本地地址、远程地址保存起来
//要发送给消息查看程序的时候一并处理
if (s > 0) g_socketManager.Add(s, NULL, NULL); //向套接字管理器中添加一个套接字
//将这条事件压进消息队列
if (g_pMsgTransmitor) g_pMsgTransmitor->PushCreateSocketMsg(s, type, protocol);
return s;
}
int PASCAL FAR bind(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
)
{
int rt = 0;
rt = real_bind(s, name, namelen);
if (g_bFuck && rt == 0 )
{
g_socketManager.Add(s, (struct sockaddr_in*)name, NULL); //设置套接字本地地址
}
return rt;
}
int PASCAL FAR closesocket(SOCKET s)
{
int ret = real_closesocket(s);
g_socketManager.Delete(s); //删除一个套接字
if (g_pMsgTransmitor != nullptr)
{
g_pMsgTransmitor->PushCloseSocketMsg(s);
}
return ret;
}
int
PASCAL FAR connect(
_In_ SOCKET s,
_In_reads_bytes_(namelen) const struct sockaddr FAR * name,
_In_ int namelen
)
{
int rt = real_connect(s, name, namelen);
if (s > 0) g_socketManager.Add(s, NULL, (struct sockaddr_in*)name); //设置套接字远程地址
if(g_pMsgTransmitor) g_pMsgTransmitor->PushConnectMsg(s, (struct sockaddr_in *)name);
return rt;
}
4)不需要截获的函数(部分),由于vs2015不支持嵌套汇编,所以研究半天,直接用纯汇编加asm文件:
.code
real_accept PROTO C : vararg ;这句是声明有一个函数/过程real_accept在别处已经定义了
accept PROC
jmp qword ptr [real_accept] ;一开始,我直接用jmp real_accept,调试发现跳不对,的查看原始ws2_32.dll汇编代码后,发现它的跳转是这样的,改过来之后就成功了
accept ENDP
;real_bind PROTO C : vararg
;bind PROC
; jmp qword ptr [real_bind]
;bind ENDP
;real_closesocket PROTO C : vararg
;closesocket PROC
; jmp qword ptr [real_closesocket]
;closesocket ENDP
;real_connect PROTO C : vararg
;connect PROC
; jmp qword ptr [real_connect]
;connect ENDP
real_getpeername PROTO C : vararg
getpeername PROC
jmp qword ptr [real_getpeername]
getpeername ENDP
real_getsockname PROTO C : vararg
getsockname PROC
jmp qword ptr [real_getsockname]
getsockname ENDP
real_getsockopt PROTO C : vararg
getsockopt PROC
jmp qword ptr [real_getsockopt]
getsockopt ENDP
real_htonl PROTO C : vararg
htonl PROC
jmp qword ptr [real_htonl]
htonl ENDP
5)消息转发:
//工作线程
void CMsgTransmitor::_WorkThread()
{
static unsigned int timetickt = 0;
//printf("工作线程启动成功!");
while (WAIT_TIMEOUT == WaitForSingleObject(m_hWorkEndEvent, 20) && m_bRun)
{
++timetickt;
if (timetickt % 500 == 0)
{
SendHeart();
//保持连接
if (!m_bConnected && m_bRun)
{
if (!_ConnectToServer())
{
ClearMsg();
}
}
continue;
}
Msg_t * pMsg = _PopMsg();
while (pMsg) {
_SendMsg(pMsg, pMsg->head.len);
delete pMsg;
pMsg = _PopMsg();
}
}
}
BOOL CMsgTransmitor::_SendMsg(void *data, int len)
{
return m_tcp.WriteBytes((char*)data, len);
}
void CMsgTransmitor::_PushMsg(Msg_t * pMsg)
{
EnterCriticalSection(&m_csSend);
m_lstSend.push_back(pMsg);
LeaveCriticalSection(&m_csSend);
}
Msg_t * CMsgTransmitor::_PopMsg()
{
Msg_t *pMsg = NULL;
if (m_lstSend.size() > 0)
{
MsgList::iterator it;
EnterCriticalSection(&m_csSend);
it = m_lstSend.begin();
if (it != m_lstSend.end())
{
pMsg = *it;
m_lstSend.erase(it);
}
LeaveCriticalSection(&m_csSend);
}
return pMsg;
}
void CMsgTransmitor::PushCreateSocketMsg(SOCKET s, int type, int protol)
{
if (m_bNeedToTransmit )
{
MsgCreateSocket_t *pMsg = new MsgCreateSocket_t(s, type, protol, GetLastError());
//_SendMsg(&Msg, Msg.head.len);
_PushMsg(pMsg);
}
}
6)消息定义(部分):
typedef struct _MSG_HEAD
{
int flag; //消息头标识
unsigned int len; //消息体长度
int type; //消息类型
}MsgHead_t;
typedef struct _ST_MSG
{
MsgHead_t head;
}Msg_t;
typedef struct _SOCKET_INFO
{
unsigned int sock;
int type;
int protol;
time_t tm;
struct sockaddr_in localAddr;
struct sockaddr_in remoteAddr;
DWORD nError; //错误码
_SOCKET_INFO & operator=(const _SOCKET_INFO &info)
{
memcpy(this, &info, sizeof(_SOCKET_INFO));
return *this;
}
}SocketInfo_t;
typedef struct _MSG_CREAT_SOCKET :public _ST_MSG
{
SocketInfo_t socketInfo;
_MSG_CREAT_SOCKET()
{
head.flag = MSG_FLAG;
head.len = sizeof(*this);
head.type = MsgType_CreateSocket;
socketInfo.sock = -1;
socketInfo.type = -1;
socketInfo.protol = -1;
ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
}
_MSG_CREAT_SOCKET(unsigned int s, int t, int p, DWORD nerr)
{
head.flag = MSG_FLAG;
head.len = sizeof(*this);
head.type = MsgType_CreateSocket;
socketInfo.sock = s;
socketInfo.type = t;
socketInfo.protol = p;
socketInfo.nError = nerr;
socketInfo.tm = time(NULL);
ZeroMemory(&socketInfo.localAddr, sizeof(socketInfo.localAddr));
ZeroMemory(&socketInfo.remoteAddr, sizeof(socketInfo.remoteAddr));
}
}MsgCreateSocket_t;
typedef struct _MSG_SEND :public _ST_MSG
{
SocketInfo_t socketInfo;
int nLenRequst; //请求长度
int nLenCompleted; //完成长度
char data[1];
private:
_MSG_SEND()
{
}
void init(int len)
{
head.flag = MSG_FLAG;
head.len = len;
head.type = MsgType_Send;
}
public:
static _MSG_SEND *Create(SOCKET s, void *pData, int lenToSend, int lenSended, DWORD nerr)
{
int msg_len = sizeof(_MSG_SEND) + lenToSend - 1;
_MSG_SEND *pMsg = (_MSG_SEND*)new char[msg_len];
if (pMsg != nullptr) {
pMsg->init(msg_len);
pMsg->nLenRequst = lenToSend;
pMsg->nLenCompleted = lenSended;
pMsg->socketInfo.sock = s;
pMsg->socketInfo.nError = nerr;
pMsg->socketInfo.tm = time(NULL);
GetSocketManager().Get(s, &pMsg->socketInfo.localAddr, &pMsg->socketInfo.remoteAddr);
memcpy_s(pMsg->data, lenToSend, pData, lenToSend);
return pMsg;
}
return nullptr;
}
}MsgSend_t;
7)消息查看程序就不说了,界面就是MFC dialog,通信是用的完成端口,主要用的以前项目的现在代码
用深度工具制作U盘启动,进入PE系统,将原版ws2_32.dll(注意,system32下的为64位,也是我想要的,32位版本在wow64里面)改名为real_ws2_32.dll,然后将自己的重命名为ws2_32.dll放在system32目录下。
效果就是这样:
效果就是这样:
下一楼接着追踪数据加密。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2018-4-26 00:11
被Flove编辑
,原因:
|
|
|---|---|
|
|
网络包似乎就这样拿到了,有HTTP请求,也有加密的tcp、udp报文,下一步就是追踪加密函数了。 2、加密函数的追踪定位 我觉得加密函数是很难定位的,以我写程序的经验,加密的动作可以放在数据刚产生的时候,也可以放在数据将要发送前,还可以放在两者之间,即:数据产生了,把它缓存到一个队列,这个队列是未加密的数据队列,然后有个线程专门来加密数据,从这个队列提取未加密的数据进行加密,然后放到待发送队列,这种情况是最难的,因为没有源头也没有终点供我们追踪,如果目标程序无法调试,只能静态分析的话,要定位到这样的加密代码,如同大海捞针。还好,也许是这种方法会影响实时性,这个游戏不是这样的。 摸索过程就不讲太多了,简单说一下。CE可以打开进程,无法调试,看不到汇编代码,OD无法附加到进程。Dump出来的数据也无法用IDA分析。过驱动保护我是不会的,太难了。瞎猫碰到死耗子,我用vs调试dump出来的数据时候,试着用vs到附加到进程,居然成功了。然后我设了个函数断点。成功在send函数中断,并且这个send是我自己的send,就是那个假ws2_32.dll中的send,它还能定位到我的源码(难道是因为我用的debug版本的dll?)。  停在中断的方不动,我CE加载进程,这时候可以看到汇编代码了,赶紧保存一份内存。Vs中可以看到各个模块的地址范围,然后把这个范围的内存用ce保存起来,不包含CE头。用IDA直接加载这个.CEM,IDA成功识别出了是64位exe文件,根据send函数调用的返回地址,在IDA中找到它,发现地下不对,没办法,16进制搜索,最后发现IDA中的地址比与vs中运行时的地址大了C00H。  这个ws2_send是我重命名的,IDA无法识别出任何系统API,通过调试,发现数据在上面那次函数调用时加密了 64位汇编函数调用参数传递顺序:function(rcx, rdx, r8x, r9x, 栈0,栈8,栈16),其中,当调用对象的方法时,rcx为this指针, 加密调用,一次封装:  加密处理:  加密函数1:这段代码根据数据长度小于8、8-32之间,大于32,作了优化,最终结果就是:原始数据[i]=原始数据[i] xor 密钥[i] EncryptFunc1 proc near ; CODE XREF: sub_140E37EC0+42↓p ; sub_140E37EC0+1AE↓p ... arg_0 = qword ptr 8 arg_8 = qword ptr 10h arg_10 = qword ptr 18h arg_18 = qword ptr 20h mov [rsp+arg_8], rbx mov [rsp+arg_10], rbp mov [rsp+arg_18], rsi push rdi xor ebx, ebx mov r11, r9 shr r11, 3 ; 数据长度/8 mov r10, rcx mov edi, ebx test r11, r11 jz loc_140E3136A ; 数据长度/8==0则跳转 cmp r11, 4 jb loc_140E31327 add rcx, 0FFFFFFFFFFFFFFF8h lea rax, [r8-8] lea rax, [rax+r11*8] lea rcx, [rcx+r11*8] cmp r10, rax ja short loc_140E312BB cmp rcx, r8 jnb short loc_140E31327 loc_140E312BB: ; CODE XREF: EncryptFunc1+44↑j lea rax, [rdx-8] lea rax, [rax+r11*8] cmp r10, rax ja short loc_140E312CD cmp rcx, rdx jnb short loc_140E31327 loc_140E312CD: ; CODE XREF: EncryptFunc1+56↑j mov rax, r11 mov rbp, r11 and eax, 3 mov rcx, r10 sub rbp, rax sub rcx, rdx mov rsi, r8 lea rax, [rdx+10h] sub rsi, rdx nop dword ptr [rax+00000000h] loc_140E312F0: ; CODE XREF: EncryptFunc1+B5↓j movdqu xmm0, xmmword ptr [rax-10h] add rdi, 4 movdqu xmm1, xmmword ptr [rsi+rax-10h] lea rax, [rax+20h] pxor xmm1, xmm0 movdqu xmmword ptr [rcx+rax-30h], xmm1 movdqu xmm1, xmmword ptr [rsi+rax-20h] movdqu xmm0, xmmword ptr [rax-20h] pxor xmm1, xmm0 movdqu xmmword ptr [rcx+rax-20h], xmm1 cmp rdi, rbp jb short loc_140E312F0 loc_140E31327: ; CODE XREF: EncryptFunc1+2B↑j ; EncryptFunc1+49↑j ... cmp rdi, r11 jnb short loc_140E3136A mov [rsp+8+arg_0], r14 lea rcx, [r8+rdi*8] mov r14, r10 mov rsi, rdx sub r14, r8 sub rsi, r8 sub r11, rdi add rdi, r11 nop word ptr [rax+rax+00000000h] loc_140E31350: ; CODE XREF: EncryptFunc1+F3↓j mov rax, [rsi+rcx] xor rax, [rcx] mov [r14+rcx], rax lea rcx, [rcx+8] sub r11, 1 jnz short loc_140E31350 mov r14, [rsp+8+arg_0] loc_140E3136A: ; CODE XREF: EncryptFunc1+21↑j ; EncryptFunc1+BA↑j lea rdi, ds:0[rdi*8] sub r9, rdi jz loc_140E31534 add r10, rdi add rdx, rdi add r8, rdi mov r11, r9 shr r11, 2 mov rdi, rbx test r11, r11 jz loc_140E31462 cmp r11, 8 jb loc_140E31427 lea rax, [r11-1] lea rax, [r8+rax*4] lea rcx, [r11-1] lea rcx, [r10+rcx*4] cmp r10, rax ja short loc_140E313BB cmp rcx, r8 jnb short loc_140E31427 loc_140E313BB: ; CODE XREF: EncryptFunc1+144↑j lea rax, [r11-1] lea rax, [rdx+rax*4] cmp r10, rax ja short loc_140E313CD cmp rcx, rdx jnb short loc_140E31427 loc_140E313CD: ; CODE XREF: EncryptFunc1+156↑j mov rax, r11 mov rbp, r11 and eax, 7 mov rcx, r10 sub rbp, rax sub rcx, rdx mov rsi, r8 lea rax, [rdx+10h] sub rsi, rdx nop dword ptr [rax+00000000h] loc_140E313F0: ; CODE XREF: EncryptFunc1+1B5↓j movdqu xmm0, xmmword ptr [rax-10h] add rdi, 8 movdqu xmm1, xmmword ptr [rax+rsi-10h] lea rax, [rax+20h] pxor xmm1, xmm0 movdqu xmmword ptr [rax+rcx-30h], xmm1 movdqu xmm1, xmmword ptr [rax+rsi-20h] movdqu xmm0, xmmword ptr [rax-20h] pxor xmm1, xmm0 movdqu xmmword ptr [rax+rcx-20h], xmm1 cmp rdi, rbp jb short loc_140E313F0 loc_140E31427: ; CODE XREF: EncryptFunc1+12B↑j ; EncryptFunc1+149↑j ... cmp rdi, r11 jnb short loc_140E31462 mov rsi, rdx lea rcx, [r8+rdi*4] mov rbp, r10 sub rsi, r8 sub rbp, r8 sub r11, rdi add rdi, r11 nop dword ptr [rax+00h] db 66h, 66h nop word ptr [rax+rax+00000000h] loc_140E31450: ; CODE XREF: EncryptFunc1+1F0↓j mov eax, [rcx+rsi] xor eax, [rcx] mov [rcx+rbp], eax lea rcx, [rcx+4] sub r11, 1 jnz short loc_140E31450 loc_140E31462: ; CODE XREF: EncryptFunc1+121↑j ; EncryptFunc1+1BA↑j lea rdi, ds:0[rdi*4] sub r9, rdi jz loc_140E31534 add r10, rdi add rdx, rdi add r8, rdi test r9, r9 jz loc_140E31534 cmp r9, 20h jb short loc_140E31507 lea rcx, [r10-1] lea rax, [r8-1] add rcx, r9 add rax, r9 cmp r10, rax ja short loc_140E314A3 cmp rcx, r8 jnb short loc_140E31507 loc_140E314A3: ; CODE XREF: EncryptFunc1+22C↑j lea rax, [rdx-1] add rax, r9 cmp r10, rax ja short loc_140E314B4 cmp rcx, rdx jnb short loc_140E31507 loc_140E314B4: ; CODE XREF: EncryptFunc1+23D↑j mov rax, r9 mov rdi, r9 and eax, 1Fh mov rcx, r10 sub rdi, rax sub rcx, rdx mov r11, r8 mov rax, rdx sub r11, rdx nop loc_140E314D0: ; CODE XREF: EncryptFunc1+295↓j movdqu xmm0, xmmword ptr [rax] add rbx, 20h movdqu xmm1, xmmword ptr [rax+r11] lea rax, [rax+20h] pxor xmm1, xmm0 movdqu xmmword ptr [rax+rcx-20h], xmm1 movdqu xmm1, xmmword ptr [r11+rax-10h] movdqu xmm0, xmmword ptr [rax-10h] pxor xmm1, xmm0 movdqu xmmword ptr [rcx+rax-10h], xmm1 cmp rbx, rdi jb short loc_140E314D0 loc_140E31507: ; CODE XREF: EncryptFunc1+219↑j ; EncryptFunc1+231↑j ... cmp rbx, r9 jnb short loc_140E31534 sub rdx, r8 lea rcx, [rbx+r8] sub r10, r8 sub r9, rbx nop dword ptr [rax+00000000h] loc_140E31520: ; CODE XREF: EncryptFunc1+2C2↓j movzx eax, byte ptr [rcx+rdx] xor al, [rcx] mov [rcx+r10], al lea rcx, [rcx+1] sub r9, 1 jnz short loc_140E31520 loc_140E31534: ; CODE XREF: EncryptFunc1+105↑j ; EncryptFunc1+1FD↑j ... mov rbx, [rsp+8+arg_8] mov rbp, [rsp+8+arg_10] mov rsi, [rsp+8+arg_18] pop rdi retn EncryptFunc1 endp |
|
|
|
|
|
虽然看不懂,但是感觉贼6!!!
|
|
|
|
|
|
|
|
|
多谢! |
|
|
原始密钥为64个字节,有几个字节是固定的,有8个字节表示序号,每产一次新密钥就递增1,剩下的又不知道哪来的了 |
|
|
|
|
|
|
|
|
|
