-
-
[旧帖] [原创]简单HOOK按键神盾试用时间 0.00雪花
-
发表于: 2008-6-15 16:18
-
【文章标题】: 简单HOOK按键神盾试用时间
【文章作者】: 卡卡
【作者邮箱】: squnmm520@hotmail.com
【作者QQ群】: 18383453
【下载地址】: http://down.vrbrothers.com/qm6chs_683_reg_0522.zip
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
试用时间10分钟,转换为16进制就是927C0毫秒
UINT_PTR SetTimer(
HWND hWnd, // handle to window 【esp+4h】
UINT_PTR nIDEvent, // timer identifier 【esp+8h】
UINT uElapse, // time-out value 【esp+Ch】
TIMERPROC lpTimerFunc // timer procedure 【esp+10h】
);
bp SetTimer [esp+c]==927C0
点神盾,断下,反汇编跟随到程序领空,突现VM,那就HOOK下时间算了
下面是ASM代码,如果有个DLL更稳定,但是我喜欢没有DLL的
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
ifidni <y>,<>
sym db 0
else
sym db y,0
endif
CONST ends
exitm <offset sym>
ENDM
.data
FileName db 'icy.exe',0
hook db 0b8h,00h,00h,00h,00h,0ffh,0e0h,90h,90h,90h
.data?
lpSetTimer dd ?
lpRemoteCode dd ?
mbi MEMORY_BASIC_INFORMATION<?>
lpapibak dd ?
hSnapShot dd ?
stProcess PROCESSENTRY32 <?>
hProcess dd ?
.const
sz123 db 'SetTimer',0
szUser32dll db 'User32.dll',0
.code
REMOTE_CODE_START:
_lpSetTimer dd ?
Shellcode proc
call @F
@@:
pop ebx
sub ebx,offset @B
.if dword ptr [esp+0ch]==927C0h;判断是要HOOK的时间?是就先还原API头N个字节,然后直接返回0
mov eax,[ebx+ _lpSetTimer]
mov dword ptr [eax+1], 121Eh
mov byte ptr [eax+1+4], 0bah
mov dword ptr [eax+1+1+4], 7FFE0300h
mov eax,0
ret 10h
.endif
mov ebx,[ebx+ _lpSetTimer]
add ebx,0ah
mov eax, 121Eh
mov edx, 7FFE0300h
jmp ebx
Shellcode endp
REMOTE_CODE_END:
start:
invoke LoadLibrary ,addr szUser32dll
invoke GetProcAddress,eax,addr sz123
mov lpSetTimer,eax
invoke RtlZeroMemory,addr stProcess,sizeof stProcess
mov stProcess.dwSize,sizeof stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hSnapShot,eax
invoke Process32First,hSnapShot,addr stProcess
.while eax
invoke lstrcmp,addr FileName,addr stProcess.szExeFile
.if eax == NULL
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,stProcess.th32ProcessID
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL, REMOTE_CODE_END-REMOTE_CODE_START, MEM_COMMIT, PAGE_EXECUTE_READWRITE
mov lpRemoteCode, eax
add eax,4h
mov dword ptr[hook[1]],eax
invoke VirtualQueryEx,hProcess,lpSetTimer,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION
invoke VirtualProtectEx,hProcess, mbi.BaseAddress,0ah,PAGE_EXECUTE_READWRITE,addr mbi.Protect
invoke WriteProcessMemory,hProcess,lpSetTimer,offset hook,0ah,0
invoke WriteProcessMemory,hProcess, lpRemoteCode, offset REMOTE_CODE_START, REMOTE_CODE_END-REMOTE_CODE_START, NULL
invoke WriteProcessMemory,hProcess, lpRemoteCode,offset lpSetTimer,sizeof dword,NULL
invoke ExitProcess, 0
.endif
invoke Process32Next,hSnapShot,addr stProcess
.endw
end start
备注:如果你要用这代码生成的EXE来HOOK神盾试用时间.先选择好神盾要过得游戏后,在启动神盾保护前,运行下EXE,就可以!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于外面下着大雨只能吃米线时, 转载请注明作者并保持文章的完整, 谢谢!
2008年06月15日 16:07:16
【文章作者】: 卡卡
【作者邮箱】: squnmm520@hotmail.com
【作者QQ群】: 18383453
【下载地址】: http://down.vrbrothers.com/qm6chs_683_reg_0522.zip
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
试用时间10分钟,转换为16进制就是927C0毫秒
UINT_PTR SetTimer(
HWND hWnd, // handle to window 【esp+4h】
UINT_PTR nIDEvent, // timer identifier 【esp+8h】
UINT uElapse, // time-out value 【esp+Ch】
TIMERPROC lpTimerFunc // timer procedure 【esp+10h】
);
bp SetTimer [esp+c]==927C0
点神盾,断下,反汇编跟随到程序领空,突现VM,那就HOOK下时间算了
下面是ASM代码,如果有个DLL更稳定,但是我喜欢没有DLL的
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
ifidni <y>,<>
sym db 0
else
sym db y,0
endif
CONST ends
exitm <offset sym>
ENDM
.data
FileName db 'icy.exe',0
hook db 0b8h,00h,00h,00h,00h,0ffh,0e0h,90h,90h,90h
.data?
lpSetTimer dd ?
lpRemoteCode dd ?
mbi MEMORY_BASIC_INFORMATION<?>
lpapibak dd ?
hSnapShot dd ?
stProcess PROCESSENTRY32 <?>
hProcess dd ?
.const
sz123 db 'SetTimer',0
szUser32dll db 'User32.dll',0
.code
REMOTE_CODE_START:
_lpSetTimer dd ?
Shellcode proc
call @F
@@:
pop ebx
sub ebx,offset @B
.if dword ptr [esp+0ch]==927C0h;判断是要HOOK的时间?是就先还原API头N个字节,然后直接返回0
mov eax,[ebx+ _lpSetTimer]
mov dword ptr [eax+1], 121Eh
mov byte ptr [eax+1+4], 0bah
mov dword ptr [eax+1+1+4], 7FFE0300h
mov eax,0
ret 10h
.endif
mov ebx,[ebx+ _lpSetTimer]
add ebx,0ah
mov eax, 121Eh
mov edx, 7FFE0300h
jmp ebx
Shellcode endp
REMOTE_CODE_END:
start:
invoke LoadLibrary ,addr szUser32dll
invoke GetProcAddress,eax,addr sz123
mov lpSetTimer,eax
invoke RtlZeroMemory,addr stProcess,sizeof stProcess
mov stProcess.dwSize,sizeof stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hSnapShot,eax
invoke Process32First,hSnapShot,addr stProcess
.while eax
invoke lstrcmp,addr FileName,addr stProcess.szExeFile
.if eax == NULL
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,stProcess.th32ProcessID
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL, REMOTE_CODE_END-REMOTE_CODE_START, MEM_COMMIT, PAGE_EXECUTE_READWRITE
mov lpRemoteCode, eax
add eax,4h
mov dword ptr[hook[1]],eax
invoke VirtualQueryEx,hProcess,lpSetTimer,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION
invoke VirtualProtectEx,hProcess, mbi.BaseAddress,0ah,PAGE_EXECUTE_READWRITE,addr mbi.Protect
invoke WriteProcessMemory,hProcess,lpSetTimer,offset hook,0ah,0
invoke WriteProcessMemory,hProcess, lpRemoteCode, offset REMOTE_CODE_START, REMOTE_CODE_END-REMOTE_CODE_START, NULL
invoke WriteProcessMemory,hProcess, lpRemoteCode,offset lpSetTimer,sizeof dword,NULL
invoke ExitProcess, 0
.endif
invoke Process32Next,hSnapShot,addr stProcess
.endw
end start
备注:如果你要用这代码生成的EXE来HOOK神盾试用时间.先选择好神盾要过得游戏后,在启动神盾保护前,运行下EXE,就可以!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于外面下着大雨只能吃米线时, 转载请注明作者并保持文章的完整, 谢谢!
2008年06月15日 16:07:16
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
