LKNB888
将正常游戏.text拷贝到自己申请的内存中,创建一个maps文件,内容写入刚刚创建的地址十六进制加上libUE4.so让检测识别我们拷贝正常游戏.text的地址为crc目标地址,在通过hook系统fo ...
#include "ace_match_2024_final_bypass.h"
#include "moon/log.h"
#include "moon/utils.h"
#include "moon/dobby.h"
#include "moon/mem/mem.h"
#include <linux/filter.h>
#include <linux/seccomp.h>
// Hooks and in-memory patches for the ACE Match 2024 Final target. Everything in
// here assumes a 32-bit ARM process (the handlers are compiled only under
// __arm__) and one specific libUE4.so build: every offset and size below is a
// hard-coded constant for that build.
namespace ARM::ACEMatch2024Final::Bypass {
    // Base address of libUE4.so in this process. Filled in by SetBase() and used as
    // the origin for every offset below; uint32_t matches the 32-bit register
    // layout the hook handlers read.
    uint32_t UE4;
    // Path of the substitute "maps" file written by PassCRC(); MyFOpen() redirects
    // opens of /proc/self/maps and /proc/self/task to it.
    std::string filePath = "/data/user/0/com.tencent.ace.gamematch2024final/files/maps";

    // DobbyInstrument handler that runs on entry to libc syscall(). On 32-bit ARM
    // r[0] holds the syscall number and r[1..] its arguments; on any other target
    // the body compiles to nothing.
    void MySyscall(RegisterContext *ctx, const HookEntryInfo *info) {
#if defined(__arm__)
        long __number = ctx->general.r[0];
        // 0x21 (33): presumably __NR_access on arm32 — confirm against the target's
        // syscall table. The path being probed is logged, then the argument is
        // swapped for the literal "ACE_OK", so libc proceeds with that path instead.
        if (__number == 0x21) {
            LOG("[AntiCheatExpert::ACE_OK] %s", ctx->general.r[1]);
            ctx->general.r[1] = (uint32_t)"ACE_OK";
        }
        // 0x17F (383): __NR_seccomp on arm32. For seccomp(op, flags, prog) the third
        // argument (r[3]) is the struct sock_fprog the caller is installing.
        // NOTE(review): prog is dereferenced without a null check.
        if (__number == 0x17F) {
            LOG("[AntiCheatExpert::ACE_OK] seccomp");
            struct sock_fprog *prog = (sock_fprog *)ctx->general.r[3];
            LOG("[AntiCheatExpert::ACE_OK] prog { len: %d, filter: %p }", prog->len, prog->filter);
            // Dump every BPF instruction of the filter about to be installed.
            for (int i = 0; i < prog->len; ++i) {
                LOG("[AntiCheatExpert::ACE_OK] sock_filter[%d] { code: 0x%x, jt: 0x%x, jf: 0x%x, k: 0x%x }", i,
                    prog->filter[i].code, prog->filter[i].jt, prog->filter[i].jf, prog->filter[i].k);
            }
            // Zero the instruction count before the real syscall runs. NOTE(review):
            // the kernel rejects a zero-length program, so the install is expected to
            // fail (EINVAL) rather than succeed with an empty filter; what the caller
            // does on that error path is not visible from here.
            prog->len = 0;
        }
#endif
    }

    // DobbyInstrument handler that runs on entry to fopen(). r[0] is the path
    // argument; if it contains either marker below the pointer is replaced by
    // filePath, so the caller opens the substitute file. Because strstr() is a
    // substring match, every path under /proc/self/task/ is redirected to the
    // same file as well.
    // NOTE(review): path is passed to strstr() without a null check, so an
    // fopen(NULL, ...) from any caller would fault inside this handler.
    void MyFOpen(RegisterContext *ctx, const HookEntryInfo *info) {
#if defined(__arm__)
        auto path = (char *)ctx->general.r[0];
        if ( strstr(path, "/proc/self/maps") || strstr(path, "/proc/self/task") ) {
            LOG("[AntiCheatExpert::ACE_OK] %s", ctx->general.r[0]);
            // filePath is a global, so the c_str() pointer stays valid after return.
            ctx->general.r[0] = (uint32_t)filePath.c_str();
        }
#endif
    }

    // Builds the substitute maps file: copies `size` bytes starting at the libUE4
    // base into a fresh anonymous mapping and writes a single maps-style line that
    // names that copy "libUE4.so", so a reader of the redirected file sees the
    // copy's address range rather than the real module's.
    void PassCRC() {
        // Per the author's note, 0x0126b000 is the offset where .text starts and
        // 0x36cd000 its length, so the copy covers base .. end of .text. Both values
        // belong to one specific build.
        int32_t size = 0x0126b000 + 0x36cd000; // 0 -> _FINI_1 -> .text -> end
        // NOTE(review): mmap() may return MAP_FAILED and UE4 may still be 0; neither
        // is checked before memcpy(), which also assumes the whole source range is
        // mapped readable. The mapping is never unmapped — presumably intentional,
        // since the maps line written below has to keep pointing at live memory.
        void *memory = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0 );
        memcpy(memory, (void *)(UE4), size);
        std::ofstream ofs(filePath);
        if (!ofs) {
            LOG("Failed to open/create the file at: %s", filePath.c_str());
            return;
        }
        // Real line this is modelled on (the line written below carries the
        // address range, perms, offset, a dummy dev/inode and the bare name only):
        // c9c77000-caee2000 r--p 00000000 08:23 3672211 /data/app/~~1-6MM--LXH4tTbrvqo2Phg==/com.tencent.ace.gamematch2024final-Kuqjz7He2f-hljb1kcudEg==/lib/arm/libUE4.so
        char buf[1024];
        // NOTE(review): %X expects an unsigned int but is handed pointers; the two
        // only line up on a 32-bit ABI.
        sprintf(buf, "%X-%X r--p 00000000 00:00 0 libUE4.so",
                memory, (char *)memory + size);
        ofs << buf;
        ofs.close();
    }

    // Patches one constant inside the seccomp filter program that, per the author's
    // dump below, sits at module offset 0xEA0018. Reading the dump as sock_filter
    // records {code,jt,jf,k}, offset 0x14 is the `k` of the first BPF_RET: its value
    // 0x00000000 (SECCOMP_RET_KILL_THREAD) becomes 0x7FFF0000 (SECCOMP_RET_ALLOW).
    // Protect() is a project helper (moon/mem); assumed to make the page writable in
    // its 2-argument form and to apply the given protection otherwise, and to
    // page-align the unaligned address it is given — TODO confirm.
    void PassSeccomp() {
        // 0xEA0018 seccomp prog
        // 00000020 00000000 01000015 00000129
        // 00000006 00000000 00000006 7FFF0000
        // Lies below the CRC-covered range, which starts at 0x0126b000
        auto address = UE4 + 0xEA0018 + 0x14;
        Protect(address, 0x1000);
        *(uint32_t*)address = 0x7FFF0000; // RET_KILL_THREAD -> RET_ALLOW
        // NOTE(review): the page's original protection is not saved, so it is left
        // PROT_READ only regardless of what it was before.
        Protect(address, 0x1000, PROT_READ);
    }

    // Entry point: records the libUE4.so base, hooks fopen() and syscall() with
    // DobbyInstrument, then writes the substitute maps file and patches the
    // embedded seccomp program — in that order, so both hooks are in place before
    // the later steps run. NOTE(review): DobbyInstrument's return value is
    // discarded, so a failed hook goes unreported.
    void SetBase(uint32_t base) {
        UE4 = base;
        DobbyInstrument((void *)fopen, MyFOpen);
        DobbyInstrument((void *)syscall, MySyscall);
        PassCRC();
        PassSeccomp();
    }
}
#define _GNU_SOURCE #include <jni.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <malloc.h> #include <unistd.h> #include <linux/filter.h> #include <linux/seccomp.h> #include <sys/prctl.h> #include <signal.h> #include <string.h> #include <xhook/xhook.h> #include <xhook/xh_log.h> #include <sys/syscall.h> #include <errno.h>
// Marker the SIGSYS handler passes as the sixth syscall argument (args[5]) when it
// re-issues openat. The BPF filter in installFilterForE() lets an openat through
// only when that argument equals this value, so handler-originated calls are not
// trapped a second time.
#define SyscallCode 123456
// Set once from JNI (hookApkPath): the path the handler watches for, and the path
// it substitutes. Read from the signal handler for the life of the process.
const char *apkPath__; const char *repPath__;
// Defined below, once for __aarch64__ and once for the 32-bit ARM sigcontext layout.
static void signal_handler(int signum, siginfo_t *siginfo, void *context);
// Installs signal_handler for SIGSYS, the signal seccomp raises on SECCOMP_RET_TRAP.
// SA_SIGINFO is required so the handler receives the ucontext it rewrites; every
// other signal is masked while it runs.
// NOTE(review): `sig` is not zero-initialised, so fields other than the three
// assigned hold whatever was on the stack. A sigaction() failure is only logged
// (the exit() is commented out), so installFilterForE() may still run with no
// handler in place.
void registerSignalHandler() {
    // Register signal handler
    struct sigaction sig;
    sigset_t sigset;
    sigfillset(&sigset);
    sig.sa_mask = sigset;
    sig.sa_flags = SA_SIGINFO;
    sig.sa_sigaction = signal_handler;
    if (sigaction(SIGSYS, &sig, NULL) == -1) {
        perror("sigaction");
        //exit(EXIT_FAILURE);
    }
    XH_LOG_ERROR("Finished registering signal handler");
}
// Installs a seccomp-BPF filter on the calling thread. Instruction by instruction:
//   0: load seccomp_data.nr
//   1: nr == __NR_openat ? fall through : jump 3 (-> RET_ALLOW)
//   2: load seccomp_data.args[5]   (low 32 bits of the sixth argument)
//   3: args[5] == SyscallCode ? jump 1 (-> RET_ALLOW) : fall through
//   4: RET_TRAP                    (SIGSYS, handled by signal_handler)
//   5: RET_ALLOW
// So every openat that does not carry the marker in its sixth argument is trapped,
// and the handler's re-issued call, which does, is allowed.
// NOTE(review): PR_SET_SECCOMP attaches the filter to the calling thread only, and
// the program never checks seccomp_data.arch before comparing syscall numbers,
// which the seccomp(2) man page recommends.
void installFilterForE() {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_openat, 0, 3),
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, args[5])),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, SyscallCode, 1, 0),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    // Prerequisite for installing a filter without CAP_SYS_ADMIN. Both prctl
    // failures below are only logged (exit() commented out), so the function
    // returns normally even when no filter ended up installed.
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        //exit(EXIT_FAILURE);
    }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
        perror("prctl(PR_SET_SECCOMP)");
        //exit(EXIT_FAILURE);
    }
    XH_LOG_ERROR("Set new filter end");
}
#if defined(__aarch64__)
// SIGSYS handler, AArch64 layout: x8 is the syscall number, x0..x5 the arguments.
// When the trapped call is openat on exactly apkPath__, the argument registers are
// rewritten to open repPath__ instead. The syscall is then re-issued from here with
// SyscallCode as the sixth argument (so the filter allows it) and its result is
// stored in x0; on return the thread resumes after the trapped instruction with
// that value as the openat result.
// NOTE(review): fileName and apkPath__ go to strcmp() without null checks, and
// `int code` truncates the 64-bit register (harmless for real syscall numbers).
static void signal_handler(int signum, siginfo_t *siginfo, void *context) {
    ucontext_t *uc = static_cast<ucontext_t *>(context);
    struct sigcontext *sigc = &uc->uc_mcontext;
    int code = sigc->regs[8];
    if (code == __NR_openat) {
        char *fileName = reinterpret_cast<char *>(sigc->regs[1]);
        if (strcmp(fileName, apkPath__) == 0) {
            sigc->regs[0] = AT_FDCWD; // dirfd = AT_FDCWD
            sigc->regs[1] = reinterpret_cast<long>(repPath__); // pathname = repPath__
            sigc->regs[2] = O_RDONLY; // flags = O_RDONLY
            sigc->regs[3] = S_IRUSR; // mode = owner read only (unused with O_RDONLY)
            XH_LOG_ERROR("Redirect apk: %s", repPath__);
        }
        // Re-issue with the marker in args[5]; the filter lets this one through.
        sigc->regs[0] = syscall(code, sigc->regs[0], sigc->regs[1], sigc->regs[2], sigc->regs[3], sigc->regs[4], SyscallCode);
    }
}
#else
// SIGSYS handler, 32-bit ARM layout: r7 is the syscall number, r0..r5 the
// arguments. Same flow as the AArch64 version, with two differences visible in
// the code: the redirected open uses O_RDWR | O_CREAT with an rwx owner mode (so a
// missing repPath__ would be created), and nothing is logged.
static void signal_handler(int signum, siginfo_t *siginfo, void *context) {
    ucontext_t *uc = static_cast<ucontext_t *>(context);
    struct sigcontext *sigc = &uc->uc_mcontext;
    int code = sigc->arm_r7;
    if (code == __NR_openat) {
        char *fileName = reinterpret_cast<char *>(sigc->arm_r1);
        if (strcmp(fileName, apkPath__) == 0) {
            sigc->arm_r0 = AT_FDCWD; // dirfd = AT_FDCWD
            sigc->arm_r1 = reinterpret_cast<long>(repPath__); // pathname = repPath__
            sigc->arm_r2 = O_RDWR | O_CREAT; // flags (differs from the AArch64 branch's O_RDONLY)
            sigc->arm_r3 = S_IRUSR | S_IWUSR | S_IXUSR; // mode = owner read/write/execute
        }
        // Re-issue with the marker in args[5]; the filter lets this one through.
        sigc->arm_r0 = syscall(code, sigc->arm_r0, sigc->arm_r1, sigc->arm_r2, sigc->arm_r3, sigc->arm_r4, SyscallCode);
    }
}
#endif
// Handler first, then filter: the first trapped openat must not arrive before a
// SIGSYS handler exists, since the default action for SIGSYS terminates the process.
void startSvcHook() {
    registerSignalHandler();
    installFilterForE();
}
// JNI entry (bin.mt.signature.KillerApplication.hookApkPath): stores the watched
// path and its replacement for signal_handler, then arms the seccomp trap on the
// calling thread.
// NOTE(review): the strings from GetStringUTFChars are never released — presumably
// on purpose, since the handler reads them for the rest of the process' life — and
// neither return value is checked for null.
extern "C" JNIEXPORT void JNICALL
Java_bin_mt_signature_KillerApplication_hookApkPath(JNIEnv *env, __attribute__((unused)) jclass clazz, jstring apkPath, jstring repPath) {
    apkPath__ = env->GetStringUTFChars(apkPath, nullptr);
    repPath__ = env->GetStringUTFChars(repPath, nullptr);
    startSvcHook();
}
有人可以帮我修改这个代码吗,我是初学者????
a'ゞCicada
#include "ace_match_2024_final_bypass.h"
#include " ...
非常感谢你,我的兄弟,如果你使用电报,请告诉我,我有一些付费作品给你
我列个骚刚
最后于 2024-7-2 10:47
被西瓜帅编辑
,原因:
大佬用的调试工具是啥