2 楼
在退出用的函数(像 ExitProcess)上下断点,然后往前找调用它的地方。
3 楼
拦截不住程序啊,它一开始就是退出的函数(下面是 OD 里从入口点开始的反汇编):
; E-language (易语言) startup stub as shown by OllyDbg.  Entry point: call the
; loader at 0040100B, then ExitProcess() with whatever it returns.  The loader
; returns -1 on its error path; its success path never returns here - it calls
; ExitProcess(0) itself at 00401195.
00401000 未>/$ E8 06000000 CALL 未破.0040100B
00401005 |. 50 PUSH EAX ; /ExitCode
00401006 \. E8 BB010000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
; Loader: locate and load the runtime "krnln.fnr" (or "krnln.fne"), resolve
; GetNewSock, and hand control to what it returns.  Frame is 0x110 bytes:
;   [EBP-104]  0x104 (MAX_PATH) byte path buffer
;   [EBP-108]  HMODULE of the loaded runtime (stored at 00401165)
;   [EBP-10C]  HKEY from RegOpenKeyExA
;   [EBP-110]  cbData in/out for RegQueryValueExA
0040100B /$ 55 PUSH EBP
0040100C |. 8BEC MOV EBP,ESP
0040100E |. 81C4 F0FEFFFF ADD ESP,-110
; Inline string constants follow; control flow jumps over them.
00401014 |. E9 83000000 JMP 未破.0040109C
00401019 |. 6B 72 6E 6C 6E 2E>ASCII "krnln.fnr",0
00401023 |. 6B 72 6E 6C 6E 2E>ASCII "krnln.fne",0
0040102D |. 47 65 74 4E 65 77>ASCII "GetNewSock",0
00401038 |. 53 6F 66 74 77 61>ASCII "Software\FlySky\"
00401048 |. 45 5C 49 6E 73 74>ASCII "E\Install",0
00401052 |. 50 61 74 68 00 ASCII "Path",0
00401057 |. 4E 6F 74 20 66 6F>ASCII "Not found the ke"
00401067 |. 72 6E 65 6C 20 6C>ASCII "rnel library or "
00401077 |. 74 68 65 20 6B 65>ASCII "the kernel libra"
00401087 |. 72 79 20 69 73 20>ASCII "ry is invalid!",0
00401096 |. 45 72 72 6F 72 00>ASCII "Error",0
; 004011EC fills the buffer with this executable's own directory, trailing '\'
; included (see that routine for its 128-byte limit).
0040109C |> 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
004010A2 |. 50 PUSH EAX
004010A3 |. E8 44010000 CALL 未破.004011EC
; Attempt 1: LoadLibraryA("<exe dir>\krnln.fnr").  lstrcatA returns its
; destination pointer, so the PUSH EAX at 004010B9 passes the buffer on.  The
; path is absolute, so there is no search-order hijack here - but whoever can
; write the executable's directory gets code execution in this process by
; planting a "krnln.fnr".
004010A8 |. 68 19104000 PUSH 未破.00401019 ; /StringToAdd = "krnln.fnr"
004010AD |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
004010B3 |. 50 PUSH EAX ; |ConcatString
004010B4 |. E8 25010000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
004010B9 |. 50 PUSH EAX ; /FileName
004010BA |. E8 19010000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
004010BF |. 85C0 TEST EAX,EAX
004010C1 |. 0F85 9E000000 JNZ 未破.00401165
; Attempt 2: read HKCU\Software\FlySky\E\Install\Path and load <Path>\krnln.fne.
; HKCU is writable by the running user, so any same-user process can point this
; value at its own DLL and get loaded into every E-language program that falls
; back to it - a persistence/hijack point worth knowing when patching or
; sandboxing these binaries.
004010C7 |. 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
004010CD |. 50 PUSH EAX ; /pHandle
004010CE |. 68 19000200 PUSH 20019 ; |Access = KEY_READ
004010D3 |. 6A 00 PUSH 0 ; |Reserved = 0
004010D5 |. 68 38104000 PUSH 未破.00401038 ; |Subkey = "Software\FlySky\E\Install"
004010DA |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004010DF |. E8 36010000 CALL <JMP.&ADVAPI32.RegOpenKeyExA> ; \RegOpenKeyExA
004010E4 |. 83F8 00 CMP EAX,0
004010E7 |. 0F85 B8000000 JNZ 未破.004011A5
; cbData = 0x103 (259) for a 0x104-byte buffer.  RegQueryValueExA does not
; guarantee a NUL terminator on REG_SZ data, and the code below appends up to
; '\' + "krnln.fne" (11 bytes with NUL) to whatever came back - so a Path value
; of roughly 250 characters or more runs past the buffer into saved EBP and the
; return address.  Same-user data only, so not a privilege boundary, but an
; unchecked stack write nonetheless.
004010ED |. C785 F0FEFFFF 030>MOV DWORD PTR SS:[EBP-110],103
004010F7 |. 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004010FD |. 50 PUSH EAX ; /pBufSize
004010FE |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00401104 |. 50 PUSH EAX ; |Buffer
00401105 |. 6A 00 PUSH 0 ; |pValueType = NULL
00401107 |. 6A 00 PUSH 0 ; |Reserved = NULL
00401109 |. 68 52104000 PUSH 未破.00401052 ; |ValueName = "Path"
0040110E |. FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; |hKey
00401114 |. E8 07010000 CALL <JMP.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
; The query result is kept across RegCloseKey via PUSH/POP EAX; non-zero = error.
00401119 |. 50 PUSH EAX
0040111A |. FFB5 F4FEFFFF PUSH DWORD PTR SS:[EBP-10C] ; /hKey
00401120 |. E8 EF000000 CALL <JMP.&ADVAPI32.RegCloseKey> ; \RegCloseKey
00401125 |. 58 POP EAX
00401126 |. 83F8 00 CMP EAX,0
00401129 |. 75 7A JNZ SHORT 未破.004011A5
; Ensure a trailing '\': EBX = buf + lstrlen(buf) - 1, i.e. the LAST character.
; If it is not '\', the WORD write stores '\',0 *at that position* - it replaces
; the final character rather than appending after it ("C:\E" -> "C:\").  This
; is only harmless when the stored Path already ends in '\' (the JE skips the
; write).  NOTE(review): check what the E installer actually writes before
; relying on this branch.
0040112B |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00401131 |. 50 PUSH EAX ; /String
00401132 |. E8 AD000000 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
00401137 |. 8D9D FCFEFFFF LEA EBX,DWORD PTR SS:[EBP-104]
0040113D |. 03D8 ADD EBX,EAX
0040113F |. 4B DEC EBX
00401140 |. 803B 5C CMP BYTE PTR DS:[EBX],5C
00401143 |. 74 05 JE SHORT 未破.0040114A
00401145 |. 66:C703 5C00 MOV WORD PTR DS:[EBX],5C
0040114A |> 68 23104000 PUSH 未破.00401023 ; /StringToAdd = "krnln.fne"
0040114F |. 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] ; |
00401155 |. 50 PUSH EAX ; |ConcatString
00401156 |. E8 83000000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
0040115B |. 50 PUSH EAX ; /FileName
0040115C |. E8 77000000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
00401161 |. 85C0 TEST EAX,EAX
00401163 |. 74 40 JE SHORT 未破.004011A5
; Both attempts join here with EAX = HMODULE.  Resolve "GetNewSock" from it.
00401165 |> 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX
0040116B |. 68 2D104000 PUSH 未破.0040102D ; /ProcNameOrOrdinal = "GetNewSock"
00401170 |. 50 PUSH EAX ; |hModule
00401171 |. E8 5C000000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress
00401176 |. 85C0 TEST EAX,EAX
00401178 |. 74 20 JE SHORT 未破.0040119A
; GetNewSock(0x3E8): one stack argument and no caller-side cleanup, so
; presumably stdcall - TODO confirm.  A zero result is treated as failure.
0040117A |. 68 E8030000 PUSH 3E8
0040117F |. FFD0 CALL EAX
00401181 |. 85C0 TEST EAX,EAX
00401183 |. 74 15 JE SHORT 未破.0040119A
; CALL $+5 pushes 0040118A; adding 1E76 turns that stack slot into 00403000, so
; the code address GetNewSock returned is called with 00403000 as its single
; argument (presumably the compiled E program body in the next section - not
; shown in this listing).  Any runtime-side or program-side check therefore
; runs inside that call, not in this stub; ExitProcess(0) below is the *normal*
; exit once it returns.  A breakpoint on ExitProcess that lands at 00401195 is
; showing the stub, not the check - walk the call stack instead.
00401185 |. E8 00000000 CALL 未破.0040118A
0040118A |$ 810424 761E0000 ADD DWORD PTR SS:[ESP],1E76
00401191 |. FFD0 CALL EAX
00401193 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401195 |. E8 2C000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
; GetProcAddress / GetNewSock failed: release the runtime, then fall into the
; error path.  (The LoadLibraryA failures jump straight to 004011A5.)
0040119A |> FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] ; /hLibModule
004011A0 |. E8 27000000 CALL <JMP.&KERNEL32.FreeLibrary> ; \FreeLibrary
; Error path: MessageBoxA(NULL, "Not found the kernel library ...", "Error",
; MB_OK|MB_ICONHAND), then return -1 to the entry stub, which exits with it.
004011A5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011A7 |. 68 96104000 PUSH 未破.00401096 ; |Title = "Error"
004011AC |. 68 57104000 PUSH 未破.00401057 ; |Text = "Not found the kernel library or the kernel library is invalid!"
004011B1 |. 6A 00 PUSH 0 ; |hOwner = NULL
004011B3 |. E8 08000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004011B8 |. B8 FFFFFFFF MOV EAX,-1
004011BD |. C9 LEAVE
004011BE \. C3 RETN
004011BF CC INT3
004011C0 $- FF25 30204000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
004011C6 .- FF25 1C204000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; kernel32.ExitProcess
004011CC $- FF25 10204000 JMP DWORD PTR DS:[<&KERNEL32.FreeLibrary>] ; kernel32.FreeLibrary
004011D2 $- FF25 24204000 JMP DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddress
004011D8 $- FF25 20204000 JMP DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
004011DE $- FF25 14204000 JMP DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
004011E4 $- FF25 28204000 JMP DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
004011EA CC INT3
004011EB CC INT3
; Fill the caller's buffer ([EBP+8]) with this executable's directory, trailing
; '\' included.  Contract visible here: the buffer must hold at least 128 bytes
; and the returned path is assumed to contain at least one '\'.
004011EC /$ 55 PUSH EBP
004011ED |. 8BEC MOV EBP,ESP
; nSize is 0x80 (128) although the only caller (0040109C) hands in a 0x104-byte
; buffer.  A module path longer than 127 characters is cut short by
; GetModuleFileNameA; the scan below then stops at an earlier '\' and returns a
; parent directory, so "krnln.fnr" would be looked up in the wrong folder.
004011EF |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004011F4 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |PathBuffer
004011F7 |. 6A 00 PUSH 0 ; |hModule = NULL
004011F9 |. E8 28000000 CALL <JMP.&KERNEL32.GetModuleFileNameA> ; \GetModuleFileNameA
; Start 6 bytes before the end (skipping the last five characters, i.e. ".exe"
; plus one) and walk backwards until a '\' is read.  Nothing bounds the walk at
; the start of the buffer.
004011FE |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401201 |. 8D4C08 FA LEA ECX,DWORD PTR DS:[EAX+ECX-6]
00401205 |> 8A01 MOV AL,BYTE PTR DS:[ECX]
00401207 |. 49 DEC ECX
00401208 |. 3C 5C CMP AL,5C
0040120A |.^ 75 F9 JNZ SHORT 未破.00401205
; ECX was decremented once more after the '\' was read, so ECX+2 is the byte
; right after it: terminate there and keep the backslash.
0040120C |. C641 02 00 MOV BYTE PTR DS:[ECX+2],0
00401210 |. C9 LEAVE
00401211 \. C2 0400 RETN 4
00401214 $- FF25 04204000 JMP DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; ADVAPI32.RegCloseKey
0040121A $- FF25 08204000 JMP DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>] ; ADVAPI32.RegOpenKeyExA
00401220 $- FF25 00204000 JMP DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ; ADVAPI32.RegQueryValueExA
00401226 $- FF25 18204000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>] ; kernel32.GetModuleFileNameA
4 楼
哪位高手帮忙解答一下吧,我看了好多篇相关教程都不起作用,找不到做比较的函数。
5 楼
路过的高手好心解答一下吧。
6 楼
0012F9F0 00B3DDC1 /CALL 到 CreateFileA 来自 krnln.00B3DDBB
0012F9F4 00C0DFCC |FileName = "\\.\PhysicalDrive0"
0012F9F8 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012F9FC 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FA00 00000000 |pSecurity = NULL
0012FA04 00000003 |Mode = OPEN_EXISTING
0012FA08 00000000 |Attributes = 0
0012FA0C 00000000 \hTemplateFile = NULL
0012FA10 01088809
0012FA14 00C13940 krnln.00C13940
0012FA18 00394930
0012FA1C 00BDDC51 krnln.00BDDC51
0012FA20 00000000
0012FA24 5ADC3AA7 返回到 uxtheme.5ADC3AA7 来自 uxtheme.5ADC3985
0012FA28 0012FB68
0012FA2C 00BDDC51 krnln.00BDDC51
0012FA30 00000000
这个是下了 BP CreateFileA 断点后堆栈里的信息,还望高手指教一下。补充:这次调用来自 krnln(易语言核心库),以 GENERIC_READ|GENERIC_WRITE 打开的是 \\.\PhysicalDrive0(整块物理硬盘),这样打开通常需要管理员权限;直接读物理盘常见于取硬件信息做机器绑定,但具体读了什么还得跟后面的 ReadFile/DeviceIoControl 才能确定。
7 楼
顶起来,希望有高手指点
8 楼
哈哈...易语言...好熟悉哦...
9 楼
楼上熟悉,就说出来交流下吧,兄弟我是对这个实在头大
10 楼
你用 dup 做内存补丁,不需要用 OD 改文件,这样就不会触发自校验了。
11 楼
能不能麻烦楼上做一个来参考一下啊,小弟先谢啦。
12 楼
来个大哥帮忙看下吧
13 楼
看看能用不...放到与未脱壳的“功勋符统计分析器.exe”同一目录下运行:
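#include <windows.h>
#include <string.h>
#define MAIN

/*
 * In-memory patcher for the (still packed) "功勋符统计分析器.exe": start the
 * target, give its unpacker time to restore the code, then overwrite a handful
 * of instructions in the live process with NOPs / a `ret 4`.
 *
 * The addresses below are fixed virtual addresses for this exact build of the
 * target; they must be re-derived for any other version.
 */

/* One patch: target virtual address plus the bytes to write there. */
struct Patch {
    DWORD addr;
    const unsigned char *bytes;
    SIZE_T len;
};

#ifdef MAIN
int WINAPI WinMain(
HINSTANCE hInstance, // handle to current instance
HINSTANCE hPrevInstance, // handle to previous instance
LPSTR lpCmdLine, // command line
int nCmdShow // show state
)
#else
int main(int,char**)
#endif
{
    /* Must stay a writable array: CreateProcessA may modify lpCommandLine. */
    char name[]="功勋符统计分析器.exe";

    static const unsigned char nop6[6]={0x90,0x90,0x90,0x90,0x90,0x90};
    static const unsigned char nop5[5]={0x90,0x90,0x90,0x90,0x90};
    static const unsigned char ret4[3]={0xC2,0x04,0x00};   /* RETN 4 */
    static const struct Patch patches[] = {
        { 0x52FD25, nop5, sizeof nop5 },
        { 0x530F6C, nop6, sizeof nop6 },
        { 0x530E03, nop6, sizeof nop6 },
        { 0x530D50, nop6, sizeof nop6 },
        { 0x530DA1, nop6, sizeof nop6 },
        { 0x530DF2, nop6, sizeof nop6 },
        { 0x52AAC6, ret4, sizeof ret4 },
    };

    /* sizeof info / sizeof ation - the original used sizeof(&info), the size
     * of a pointer, so STARTUPINFO.cb was 4 and only 4 bytes of ation were
     * zeroed. */
    STARTUPINFO info;
    memset(&info, 0, sizeof info);
    info.cb = sizeof info;
    PROCESS_INFORMATION ation;
    memset(&ation, 0, sizeof ation);

    if (!CreateProcess(NULL,name,NULL,NULL,FALSE,0,NULL,NULL,&info,&ation))
        return 1;

    /* The target is packed, so wait for the stub to unpack before touching
     * its code.  Two seconds is an assumption about the unpacker, not a
     * synchronisation; if it takes longer the writes land too early. */
    Sleep(2000);

    /* Only the rights WriteProcessMemory needs, not PROCESS_ALL_ACCESS. */
    HANDLE p = OpenProcess(PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, ation.dwProcessId);
    int rc = 0;
    if (p)
    {
        for (size_t i = 0; i < sizeof patches / sizeof patches[0]; i++)
        {
            SIZE_T written = 0;
            /* A failed or short write used to be ignored; report it instead. */
            if (!WriteProcessMemory(p, (LPVOID)(ULONG_PTR)patches[i].addr,
                                    patches[i].bytes, patches[i].len, &written)
                || written != patches[i].len)
            {
                rc = 2;
                break;
            }
        }
        CloseHandle(p);   /* once - the original closed p twice, even when NULL */
    }
    else
    {
        rc = 3;
    }

    /* CreateProcess handed back two handles that were never released. */
    CloseHandle(ation.hThread);
    CloseHandle(ation.hProcess);
    return rc;
}
已经修正....呵呵...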
14 楼
楼上的补丁有点问题,去除弹广告的地方找得不对,才会出来那个错误。
我用MFC写了个.LZ试试吧
15 楼
谢谢两位,现在我也学习下啊
16 楼
已经修正...
17 楼
还是会关闭,两位,真不知道是哪里出错啦。
18 楼
呵呵...那没办法拉...我这里用那软件就一直显示需要什么9-12分钟...
如果是关闭的话你就直接用 BP ExitProcess 下断...然后找返回的地方...
应该不会出现那种情况啊....因为没脱壳.. 是其它验证吧。用退出进程 API 一般能找到,但要注意 00401195 处的 ExitProcess 是启动桩的正常出口,断在那里看到的返回地址是桩本身而不是验证代码;得看调用栈里 krnln / 程序主体那几层才行。
19 楼
谢谢你啊,这个程序是要在游戏中加载的,嘿嘿,我按照你说法去做吧,非常谢谢你
20 楼
它这个文件是多重网络验证,二位写的补丁只绕过了第一层验证,后面的没有绕过。
21 楼
这个要在游戏中调试,没装游戏无法调试
22 楼
我试验了:我用瑞星防火墙,选择每次程序访问网络都要询问,用二位的补丁试了一下,前两次访问已经是 127.0.0.1,但后面又被改回它原始的 IP,所以程序启动完成后就自动关闭了。
23 楼
进入之后一直在等待9-12分钟,没有访问网络
24 楼
我刚自己也写了个内存补丁,能运行三次,并且三次都提示访问 127.0.0.1,第三次就自动断掉了,这个程序真是牛掉了。
25 楼
这个需要游戏来配合.没有游戏也不知道他到底做了些什么手脚. 也不知道功能限制, 只是单单看了字符串的参考...所以后续工作 LZ继续努力...