【破文标题】手把手教你使用WINDBG KO XXXX游戏驱动保护
【破文作者】lj8888
【作者邮箱】xxxx@163.com
【作者主页】-
【破解工具】windbg 6.7
【破解平台】D版 XP SP3
【软件名称】
【软件大小】
【原版下载】
【保护方式】
【软件简介】当前正在内测的大型网游
【破解声明】菜鸟提供一点破解验证另类思路。如有失误之处纯属意外! 请高手直接飘过!
------------------------------------------------------------------------
前言: 如果你不会写驱动 不懂内核 没关系 今天 就有我来手把手教你 使用内核调式器WINDBG KO PerfectProtector.sys
【破解过程】需要工具 windbg 6.7汉化版 RkUnhooker 3.7 (请自行网上下载 资源很多)
首先 安装后windbg 并运行它 与 RkUnhooker (无先后分别)
然后运行 神鬼传奇 并将它更新到最新版本 游戏运行完后 停在登陆界面
切换到 RkUnhooker 点 SCAN 向下看 我们看到
nt!NtOpenProcess
nt!NtReadVirtualMemory
nt!NtWriteVirtualMemory
01.GIF (48.97 KB)
2008-12-2 23:22
这3个函数显示 YES 表示被HOOK 记下Address地址 我们用WINDBG 去看看
好切换到WINDBG 菜单-打开-内核调式-本地的-确定 提示是否保存 选是
菜单-查看-命令浏览器 我们打入命令 uf 0xaa096314 (我这里的Address 和你的也许不同 注意看清楚!!)
02.GIF (116.31 KB)
2008-12-2 23:22
aa096314 PUSH EBP
aa096315 MOV EBP,ESP
aa096317 ADD ESP,-28
aa09631a CALL AA096091
aa09631f JMP SHORT AA09633F
简单浏览 CALL AA096091 非处理函数 我们直接 入命令 uf AA09633F
aa09633f PUSH AA096321
aa096344 PUSH AA096424
aa096349 PUSH AA0998D7
aa09634e PUSH DWORD PTR FS:[0]
aa096355 MOV FS:[0],ESP
aa09635c MOV DWORD PTR [EBP-4],C0000023
aa096363 MOV DWORD PTR [EBP-C],0
aa09636a CALL AA099D96
aa09636f MOV [EBP-8],EAX
aa096372 CMP DWORD PTR [EBP+8],-1
aa096376 JNZ SHORT AA096384
aa096378 MOV DWORD PTR [EBP-C],-1
aa09637f JMP AA09640B
aa096384 PUSH EDI
aa096385 LEA EDI,[AA09ACC4]
aa09638b MOV ECX,50
aa096390 SHR ECX,2
aa096393 MOV EAX,[EBP-8]
aa096396 CLD
aa096397 REPNE SCAS BYTE PTR ES:[EDI]
aa096398 SCAS DWORD PTR ES:[EDI]
aa096399 POP EDI
aa09639a OR ECX,ECX
aa09639c JE SHORT AA0963A0
aa09639e JMP SHORT AA09640B
aa0963a0 LEA EAX,[EBP-10]
aa0963a3 PUSH EAX
aa0963a4 PUSH 18
aa0963a6 LEA EAX,[EBP-28]
aa0963a9 PUSH EAX
aa0963aa PUSH 0
aa0963ac PUSH DWORD PTR [EBP+8]
aa0963af CALL AA099CF4
aa0963b4 OR EAX,EAX
aa0963b6 JNZ SHORT AA0963C0
aa0963b8 PUSH DWORD PTR [EBP-18]
aa0963bb POP DWORD PTR [EBP-C]
aa0963be JMP SHORT AA0963D2
aa0963c0 PUSH EAX
aa0963c1 PUSH 1
aa0963c3 PUSH 83
aa0963c8 CALL AA093ACB
aa0963cd ADD ESP,C
aa0963d0 JMP SHORT AA09640B
aa0963d2 CMP DWORD PTR [EBP-C],0
aa0963d6 JNZ SHORT AA0963DA
aa0963d8 JMP SHORT AA09640B
aa0963da MOV EAX,[EBP-C]
aa0963dd CMP EAX,[EBP-8]
aa0963e0 JNZ SHORT AA0963E4
aa0963e2 JMP SHORT AA09640B
aa0963e4 PUSH ESI
aa0963e5 MOV EAX,20
aa0963ea SHR EAX,2
aa0963ed MOV ECX,[EBP-C]
aa0963f0 LEA ESI,[AA09C118]
aa0963f6 JMP SHORT AA096400
aa0963f8 CMP [ESI],ECX
aa0963fa JE SHORT AA096404
aa0963fc ADD ESI,4
aa0963ff DEC EAX
aa096400 OR EAX,EAX
aa096402 JNZ SHORT AA0963F8
aa096404 POP ESI
aa096405 OR EAX,EAX
aa096407 JE SHORT AA09640B
aa096409 JMP SHORT AA096424
aa09640b PUSH DWORD PTR [EBP+18]
aa09640e PUSH DWORD PTR [EBP+14]
aa096411 PUSH DWORD PTR [EBP+10]
aa096414 PUSH DWORD PTR [EBP+C]
aa096417 PUSH DWORD PTR [EBP+8]
aa09641a MOV EAX,[AA09AD1C]
aa09641f CALL EAX
aa096421 MOV [EBP-4],EAX
aa096424 MOV EAX,[EBP-4]
aa096427 POP DWORD PTR FS:[0]
aa09642e ADD ESP,C
aa096431 DEC DWORD PTR [AA09ADB8]
aa096437 LEAVE
aa096438 RETN 14
我们简单的上下看了一下 基本结构很清晰 aa09640b 这里开始 是nt!NtWriteVirtualMemory 5个参数
aa09641a MOV EAX,[AA09AD1C] 应该指向原始函数地址 我们去看看
03.GIF (21.28 KB)
2008-12-2 23:22
菜单-查看-内存 在Virtual中打入 AA09AD1C 看到没有 如果你看不习惯可以这样选long hex 这样很直观了吧?
04.GIF (24.89 KB)
2008-12-2 23:22
805b5394 就是原始 nt!NtWriteVirtualMemory 函数地址 我们记下这个结构
aa09640b PUSH DWORD PTR [EBP+18]
aa09640e PUSH DWORD PTR [EBP+14]
aa096411 PUSH DWORD PTR [EBP+10]
aa096414 PUSH DWORD PTR [EBP+C]
aa096417 PUSH DWORD PTR [EBP+8]
aa09641a MOV EAX,[AA09AD1C]
aa09641f CALL EAX
完美调用原始函数结构 现在知道了 关键代码 下面我们在回到函数头查看
aa096349 PUSH AA0998D7
aa09634e PUSH DWORD PTR FS:[0]
aa096355 MOV FS:[0],ESP
aa09635c MOV DWORD PTR [EBP-4],C0000023 传入参数C0000023
aa096363 MOV DWORD PTR [EBP-C],0 传入参数0
aa09636a CALL AA099D96 初步效验
aa09636f MOV [EBP-8],EAX 返回值赋予局部变量
aa096372 CMP DWORD PTR [EBP+8],-1 比较是否-1也就是 0FFFFFFFFh
aa096376 JNZ SHORT AA096384
aa096378 MOV DWORD PTR [EBP-C],-1
这里我们就直接KO它 改写aa09635c执行流程 让它直接执行到aa09640b
JMP aa09640b 这个怎么算的 目标地址-当前地址-5
好的回到内存窗口 打入aa09635c 切换为BYTE 字节查看
打入E9 AA 00 00 00 好的流程被改写了 这样这个nt!NtWriteVirtualMemory函数 就被KO了
05.GIF (19.03 KB)
2008-12-2 23:22
怎么样是不是很简单? 我们继续完成后面个函数 切换 windbg 命令窗口
打入uf 0xaa0961ee 我这里的nt!NtReadVirtualMemory HOOK 地址
aa0961ee PUSH EBP
aa0961ef MOV EBP,ESP
aa0961f1 ADD ESP,-28
aa0961f4 CALL AA096091
aa0961f9 JMP SHORT AA096218
aa096218 PUSH AA0961FB
aa09621d PUSH AA0962FD
aa096222 PUSH AA0998D7
aa096227 PUSH DWORD PTR FS:[0]
aa09622e MOV FS:[0],ESP
aa096235 MOV DWORD PTR [EBP-4],C0000023
aa09623c MOV DWORD PTR [EBP-C],0
aa096243 CALL AA099D96
aa096248 MOV [EBP-8],EAX
aa09624b CMP DWORD PTR [EBP+8],-1
aa09624f JNZ SHORT AA09625D
aa096251 MOV DWORD PTR [EBP-C],-1
aa096258 JMP AA0962E4
aa09625d PUSH EDI
aa09625e LEA EDI,[AA09ACC4]
aa096264 MOV ECX,50
aa096269 SHR ECX,2
aa09626c MOV EAX,[EBP-8]
aa09626f CLD
aa096270 REPNE SCAS BYTE PTR ES:[EDI]
aa096271 SCAS DWORD PTR ES:[EDI]
aa096272 POP EDI
aa096273 OR ECX,ECX
aa096275 JE SHORT AA096279
aa096277 JMP SHORT AA0962E4
aa096279 LEA EAX,[EBP-10]
aa09627c PUSH EAX
aa09627d PUSH 18
aa09627f LEA EAX,[EBP-28]
aa096282 PUSH EAX
aa096283 PUSH 0
aa096285 PUSH DWORD PTR [EBP+8]
aa096288 CALL AA099CF4
aa09628d OR EAX,EAX
aa09628f JNZ SHORT AA096299
aa096291 PUSH DWORD PTR [EBP-18]
aa096294 POP DWORD PTR [EBP-C]
aa096297 JMP SHORT AA0962AB
aa096299 PUSH EAX
aa09629a PUSH 1
aa09629c PUSH 82
aa0962a1 CALL AA093ACB
aa0962a6 ADD ESP,C
aa0962a9 JMP SHORT AA0962E4
aa0962ab CMP DWORD PTR [EBP-C],0
aa0962af JNZ SHORT AA0962B3
aa0962b1 JMP SHORT AA0962E4
aa0962b3 MOV EAX,[EBP-C]
aa0962b6 CMP EAX,[EBP-8]
aa0962b9 JNZ SHORT AA0962BD
aa0962bb JMP SHORT AA0962E4
aa0962bd PUSH ESI
aa0962be MOV EAX,20
aa0962c3 SHR EAX,2
aa0962c6 MOV ECX,[EBP-C]
aa0962c9 LEA ESI,[AA09C118]
aa0962cf JMP SHORT AA0962D9
aa0962d1 CMP [ESI],ECX
aa0962d3 JE SHORT AA0962DD
aa0962d5 ADD ESI,4
aa0962d8 DEC EAX
aa0962d9 OR EAX,EAX
aa0962db JNZ SHORT AA0962D1
aa0962dd POP ESI
aa0962de OR EAX,EAX
aa0962e0 JE SHORT AA0962E4
aa0962e2 JMP SHORT AA0962FD
aa0962e4 PUSH DWORD PTR [EBP+18]
aa0962e7 PUSH DWORD PTR [EBP+14]
aa0962ea PUSH DWORD PTR [EBP+10]
aa0962ed PUSH DWORD PTR [EBP+C]
aa0962f0 PUSH DWORD PTR [EBP+8]
aa0962f3 MOV EAX,[AA09AD18]
aa0962f8 CALL EAX
aa0962fa MOV [EBP-4],EAX
aa0962fd MOV EAX,[EBP-4]
aa096300 POP DWORD PTR FS:[0]
aa096307 ADD ESP,C
aa09630a DEC DWORD PTR [AA09ADB8]
aa096310 LEAVE
aa096311 RETN 14
是不是很眼熟啊? 对滴 还记的哪个结构不?
aa0962e4 PUSH DWORD PTR [EBP+18]
aa0962e7 PUSH DWORD PTR [EBP+14]
aa0962ea PUSH DWORD PTR [EBP+10]
aa0962ed PUSH DWORD PTR [EBP+C]
aa0962f0 PUSH DWORD PTR [EBP+8]
aa0962f3 MOV EAX,[AA09AD18]
aa0962f8 CALL EAX
这里也和上面一样的操作 我就直接 说结果了 改写 aa096235 JMPaa0962e4
在内存窗口 打入 打入E9 AA 00 00 00 (连偏移都一样 汗一个)
打入uf 0xaa096098 我这里的nt!NtOpenProcess HOOK 地址
aa096098 PUSH EBP
aa096099 MOV EBP,ESP
aa09609b ADD ESP,-30
aa09609e CALL AA096091
aa0960a3 JMP SHORT AA0960BC
aa0960bc PUSH AA0960A5
aa0960c1 PUSH AA0961D7
aa0960c6 PUSH AA0998D7
aa0960cb PUSH DWORD PTR FS:[0]
aa0960d2 MOV FS:[0],ESP
aa0960d9 PUSH DWORD PTR [EBP+14]
aa0960dc PUSH DWORD PTR [EBP+10]
aa0960df PUSH DWORD PTR [EBP+C]
aa0960e2 PUSH DWORD PTR [EBP+8]
aa0960e5 MOV EAX,[AA09AD14]
aa0960ea CALL EAX
aa0960ec MOV [EBP-8],EAX
aa0960ef OR EAX,EAX
aa0960f1 JE SHORT AA0960F8
aa0960f3 JMP AA0961D7
aa0960f8 PUSH ECX
aa0960f9 MOV ECX,[EBP+C]
aa0960fc AND ECX,30
aa0960ff OR ECX,ECX
aa096101 JNZ SHORT AA096109
aa096103 POP ECX
aa096104 JMP AA0961D7
aa096109 POP ECX
aa09610a CALL AA099D96
aa09610f MOV [EBP-C],EAX
aa096112 PUSH EDI
aa096113 LEA EDI,[AA09ACC4]
aa096119 MOV ECX,50
aa09611e SHR ECX,2
aa096121 MOV EAX,[EBP-C]
aa096124 CLD
aa096125 REPNE SCAS BYTE PTR ES:[EDI]
aa096126 SCAS DWORD PTR ES:[EDI]
aa096127 POP EDI
aa096128 OR ECX,ECX
aa09612a JE SHORT AA096131
aa09612c JMP AA0961D7
aa096131 MOV EAX,[EBP+14]
aa096134 OR EAX,EAX
aa096136 JE SHORT AA09613F
aa096138 MOV EAX,[EAX]
aa09613a MOV [EBP-10],EAX
aa09613d JMP SHORT AA096146
aa09613f MOV DWORD PTR [EBP-10],0
aa096146 CMP DWORD PTR [EBP-10],0
aa09614a JNZ SHORT AA09618E
aa09614c MOV EAX,[EBP+8]
aa09614f PUSH DWORD PTR [EAX]
aa096151 POP DWORD PTR [EBP-4]
aa096154 LEA EAX,[EBP-14]
aa096157 PUSH EAX
aa096158 PUSH 18
aa09615a LEA EAX,[EBP-30]
aa09615d PUSH EAX
aa09615e PUSH 0
aa096160 PUSH DWORD PTR [EBP-4]
aa096163 CALL AA099CF4
aa096168 OR EAX,EAX
aa09616a JNZ SHORT AA096174
aa09616c PUSH DWORD PTR [EBP-20]
aa09616f POP DWORD PTR [EBP-10]
aa096172 JMP SHORT AA096186
aa096174 PUSH EAX
aa096175 PUSH 1
aa096177 PUSH 81
aa09617c CALL AA093ACB
aa096181 ADD ESP,C
aa096184 JMP SHORT AA0961D7
aa096186 CMP DWORD PTR [EBP-10],0
aa09618a JNZ SHORT AA09618E
aa09618c JMP SHORT AA0961D7
aa09618e MOV EAX,[EBP-10]
aa096191 CMP EAX,[EBP-C]
aa096194 JNZ SHORT AA096198
aa096196 JMP SHORT AA0961D7
aa096198 PUSH ESI
aa096199 MOV EAX,20
aa09619e SHR EAX,2
aa0961a1 MOV ECX,[EBP-10]
aa0961a4 LEA ESI,[AA09C118]
aa0961aa JMP SHORT AA0961B4
aa0961ac CMP [ESI],ECX
aa0961ae JE SHORT AA0961B8
aa0961b0 ADD ESI,4
aa0961b3 DEC EAX
aa0961b4 OR EAX,EAX
aa0961b6 JNZ SHORT AA0961AC
aa0961b8 POP ESI
aa0961b9 OR EAX,EAX
aa0961bb JE SHORT AA0961D7
aa0961bd PUSH DWORD PTR [EBP-4]
aa0961c0 CALL AA099DAE
aa0961c5 MOV EAX,[EBP+8]
aa0961c8 MOV DWORD PTR [EAX],0
aa0961ce MOV DWORD PTR [EBP-8],C000000D
aa0961d5 JMP SHORT AA0961D7
aa0961d7 MOV EAX,[EBP-8]
aa0961da POP DWORD PTR FS:[0]
aa0961e1 ADD ESP,C
aa0961e4 DEC DWORD PTR [AA09ADB8]
aa0961ea LEAVE
aa0961eb RETN 10
这个函数有点不一样哦 我们抓住它的结构不放
aa0960d9 PUSH DWORD PTR [EBP+14]
aa0960dc PUSH DWORD PTR [EBP+10]
aa0960df PUSH DWORD PTR [EBP+C]
aa0960e2 PUSH DWORD PTR [EBP+8]
aa0960e5 MOV EAX,[AA09AD14]
aa0960ea CALL EAX
nt!NtOpenProcess 的4个参数 吻合
aa0960ec MOV [EBP-8],EAX
aa0960ef OR EAX,EAX
aa0960f1 JE SHORT AA0960F8
aa0960f3 JMP AA0961D7
简单分析下 返回值保存在变量 然后 或运算 想等继续处理 我们查看 aa0960f3 JMP AA0961D7
不相等是如何处理
aa0961d7 MOV EAX,[EBP-8]
aa0961da POP DWORD PTR FS:[0]
aa0961e1 ADD ESP,C
aa0961e4 DEC DWORD PTR [AA09ADB8]
aa0961ea LEAVE
aa0961eb RETN 10
取出返回值 过场 这样就完了? 那很明显 直接KO aa0960f1 2个 90 (NOP) 解决
到这里 驱动保护 3个函数 已经被 KO了 我们可以直接读写他的内存了 ^_^
本次教程结束 谢谢观看
------------------------------------------------------------------------
【破解总结】怀念一下混于ICY群内的日子
内核操作请注意 保存资料 避免死机 蓝屏 损失
不懂的看个流程 懂的看个思路
------------------------------------------------------------------------
【版权声明】
欢迎盗版!
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)