A Cracking Approach for a "Matriarchal Clan" Cheat
BY ミ木葉メ咔咔(Netki1l)
Source: 二进制安全网
Website: http://www.hkcmb.com/
Tool: OD (OllyDbg)
Cheat download link 1: 仙机绿色辅助 v1.36
Cheat download link 2: 仙机绿色辅助 v1.36
Official website: 仙机绿色辅助
--------------------------------------------------------------------
Today 虫虫 sent me a cheat, said it was very strange and asked me to take a look! The latest version is v.37.
He won't let me update the program; he says he wants to learn the cracking of each version. He is studying hard, so it seems I have to work hard too.
This is my first complete cracking write-up; if anything is wrong I hope the experts will correct me. Thanks.
As usual, load it in OD.
--------------------------------------------------------------------
OD main window output
0150BD00 > 60 PUSHAD
0150BD01 BE 00104201 MOV ESI,yfkqwbh.01421000
0150BD06 8DBE 0000FEFE LEA EDI,DWORD PTR DS:[ESI+FEFE0000]
0150BD0C 57 PUSH EDI
0150BD0D 83CD FF OR EBP,FFFFFFFF
0150BD10 EB 10 JMP SHORT yfkqwbh.0150BD22
0150BD12 90 NOP
0150BD13 90 NOP
0150BD14 90 NOP
From the entry point this looks like a simple compression packer such as UPX.
--------------------------------------------------------------------
To keep the article clear I unpacked it. I won't cover the unpacking, there are plenty of guides online. After unpacking, reload it.
OD main window output
004EF06C > 55 PUSH EBP
004EF06D 8BEC MOV EBP,ESP
004EF06F 83C4 E0 ADD ESP,-20
004EF072 53 PUSH EBX
004EF073 56 PUSH ESI
004EF074 57 PUSH EDI
004EF075 33C0 XOR EAX,EAX
004EF077 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004EF07A 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004EF07D 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004EF080 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004EF083 B8 14EC4E00 MOV EAX,EF06C.004EEC14
Much clearer now. The header shows it was built with Borland.
I originally wanted to search for strings, but unpacking already took a long time; after unpacking the program is over 10 MB.
If you don't want OD to hang, set API breakpoints instead. Next we simply press F9.
--------------------------------------------------------------------
OD main window output
7C92E4F4 > C3 RETN
7C92E4F5 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92E4FC 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92E500 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
7C92E504 CD 2E INT 2E
7C92E506 C3 RETN
7C92E507 90 NOP
--------------------------------------------------------------------
The process terminated??? But the cheat's login window is still showing?? Could it be two processes?
Open Task Manager (Taskmgr), watch it, and run the cheat once to check.
Originally there were 32 processes; after running it there are 34, which then drops to 33.
So the parent process kills itself and leaves a child running.
Immediately open the program directory and run it again: sure enough, a new file named bipxflt.exe appears in the same directory.
After the program is closed, the newly created bipxflt.exe is automatically killed.
Run the cheat again and another new file named ipwfn.exe is created; without closing the cheat, run ipwfn.exe
and yet another file named ckryhpw.exe is created. So the new file name comes from a random function.
Keep clicking like this and you could click until dawn without finishing.
Fine, we now have a rough picture of the cheat's basic behaviour. Load it in OD again.
--------------------------------------------------------------------
OD main window output
004EF06C > 55 PUSH EBP
004EF06D 8BEC MOV EBP,ESP
004EF06F 83C4 E0 ADD ESP,-20
004EF072 53 PUSH EBX
004EF073 56 PUSH ESI
004EF074 57 PUSH EDI
004EF075 33C0 XOR EAX,EAX
004EF077 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004EF07A 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004EF07D 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004EF080 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004EF083 B8 14EC4E00 MOV EAX,EF06C.004EEC14
004EF088 E8 7B78F1FF CALL EF06C.00406908
Let's reorganise our thinking:
1 The parent process executes CreateProcess
2 The parent creates a new child process and opens its process object (OpenProcess)
3 The parent terminates itself (ExitThread)
First set a breakpoint on process creation, bp CreateProcess, then press F9 and follow the return address from the stack window.
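The three-step pattern above (spawn a renamed copy beside yourself, then exit) is visible in process telemetry long before anyone opens a debugger. The following Python is an added example, not code from the write-up or from the cheat: it runs that check over a constructed, Sysmon-style list of process create/exit events. The ProcEvent type, the find_hen_and_egg function, the PIDs, the C:\Games\cheat directory and the timestamps are all assumptions made for the demonstration; the file name bipxflt.exe and the -run argument come from the article.

```python
"""Spot the 'hen and egg' process pattern described in the write-up.

Added example, not code from the original article or the cheat itself. It
walks a constructed, Sysmon-style list of process create/exit events (no
live system is touched); the ProcEvent fields, sample PIDs, paths and
timestamps are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    t: float        # seconds since boot (constructed clock)
    kind: str       # "create" or "exit"
    pid: int
    ppid: int
    image: str      # full image path, Windows style
    cmdline: str = ""


# Constructed sample: PID 1234 (the cheat, named after the OD module name)
# spawns a randomly named copy with "-run" and exits 0.2 s later, the
# behaviour seen in Task Manager (32 -> 34 -> 33 processes).
# explorer/notepad are benign noise that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100.0, "create", 4000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100.5, "create", 1234, 4000, r"C:\Games\cheat\EF06C.exe", "EF06C.exe"),
    ProcEvent(101.0, "create", 1300, 1234, r"C:\Games\cheat\bipxflt.exe", "bipxflt.exe -run"),
    ProcEvent(101.2, "exit", 1234, 4000, r"C:\Games\cheat\EF06C.exe"),
    ProcEvent(102.0, "create", 1400, 4000, r"C:\Windows\notepad.exe", "notepad.exe"),
    ProcEvent(130.0, "exit", 1400, 4000, r"C:\Windows\notepad.exe"),
]

# Names like bipxflt / ipwfn / ckryhpw: a short run of lowercase letters.
# Heuristic only; it is reported as an extra indicator, never used as a gate.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


def find_hen_and_egg(events, exit_window=5.0):
    """Return one finding per child that (a) lives in the same directory as
    its parent under a different name and (b) outlives a parent that exited
    within exit_window seconds of creating it. Extra indicators are listed
    but not required, so the caller can weigh them."""
    creates = {e.pid: e for e in events if e.kind == "create"}
    exits = {e.pid: e.t for e in events if e.kind == "exit"}
    findings = []
    for child in creates.values():
        parent = creates.get(child.ppid)
        if parent is None:
            continue
        same_dir = ntpath.dirname(parent.image).lower() == ntpath.dirname(child.image).lower()
        renamed = ntpath.basename(parent.image).lower() != ntpath.basename(child.image).lower()
        parent_exit = exits.get(parent.pid)
        if not (same_dir and renamed and parent_exit is not None):
            continue
        died_fast = 0 <= parent_exit - child.t <= exit_window
        child_outlives = exits.get(child.pid, float("inf")) > parent_exit
        if not (died_fast and child_outlives):
            continue
        indicators = ["same_dir_renamed_child", "parent_exited_within_window"]
        stem = ntpath.splitext(ntpath.basename(child.image))[0]
        if RANDOM_STEM.match(stem):
            indicators.append("random_looking_name")
        if "-run" in child.cmdline.split():   # argument seen in the CreateProcessA listing
            indicators.append("child_started_with_run_flag")
        findings.append({
            "parent_pid": parent.pid, "parent_image": parent.image,
            "child_pid": child.pid, "child_image": child.image,
            "parent_lifetime_after_spawn_s": round(parent_exit - child.t, 3),
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hen_and_egg(SAMPLE_EVENTS):
        print(finding)
```

The first two indicators gate the finding; the random-looking name and the -run argument are reported alongside so an analyst can weigh them. On a real host the same record shape comes from Sysmon event IDs 1 (process create) and 5 (process terminate).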
--------------------------------------------------------------------
OD main window output
004E4D2A /0F85 A9010000 JNZ EF06C.004E4ED9 ------------------------->this jumps past the CreateProcess block, so set a hardware breakpoint here
004E4D30 |33D2 XOR EDX,EDX
004E4D32 |55 PUSH EBP
004E4D33 |68 C14E4E00 PUSH EF06C.004E4EC1
004E4D38 |64:FF32 PUSH DWORD PTR FS:[EDX]
004E4D3B |64:8922 MOV DWORD PTR FS:[EDX],ESP
004E4D3E |8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
004E4D44 |50 PUSH EAX
004E4D45 |68 04010000 PUSH 104
004E4D4A |E8 B11FF2FF CALL <JMP.&kernel32.GetTempPathA>
004E4D4F |8D95 98FEFFFF LEA EDX,DWORD PTR SS:[EBP-168]
004E4D55 |33C0 XOR EAX,EAX
004E4D57 |E8 F8DDF1FF CALL EF06C.00402B54
004E4D5C |8B85 98FEFFFF MOV EAX,DWORD PTR SS:[EBP-168]
004E4D62 |8D95 9CFEFFFF LEA EDX,DWORD PTR SS:[EBP-164]
004E4D68 |E8 5349F2FF CALL EF06C.004096C0
004E4D6D |FFB5 9CFEFFFF PUSH DWORD PTR SS:[EBP-164]
004E4D73 |68 E44F4E00 PUSH EF06C.004E4FE4 ; \
004E4D78 |8D85 94FEFFFF LEA EAX,DWORD PTR SS:[EBP-16C]
004E4D7E |E8 C5FEFFFF CALL EF06C.004E4C48
004E4D83 |FFB5 94FEFFFF PUSH DWORD PTR SS:[EBP-16C]
004E4D89 |8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004E4D8C |BA 03000000 MOV EDX,3
004E4D91 |E8 E2FCF1FF CALL EF06C.00404A78
004E4D96 |8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004E4D99 |33C0 XOR EAX,EAX
004E4D9B |E8 B4DDF1FF CALL EF06C.00402B54
004E4DA0 |6A 40 PUSH 40
004E4DA2 |8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004E4DA5 |B2 01 MOV DL,1
004E4DA7 |A1 FC7E4100 MOV EAX,DWORD PTR DS:[417EFC]
004E4DAC |E8 2F7FF3FF CALL EF06C.0041CCE0
004E4DB1 |8BD8 MOV EBX,EAX
004E4DB3 |68 FFFF0000 PUSH 0FFFF
004E4DB8 |8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004E4DBB |B2 01 MOV DL,1
004E4DBD |A1 FC7E4100 MOV EAX,DWORD PTR DS:[417EFC]
004E4DC2 |E8 197FF3FF CALL EF06C.0041CCE0
004E4DC7 |8BF0 MOV ESI,EAX
004E4DC9 |6A 00 PUSH 0
004E4DCB |6A 00 PUSH 0
004E4DCD |8BD3 MOV EDX,EBX
004E4DCF |8BC6 MOV EAX,ESI
004E4DD1 |E8 8E7CF3FF CALL EF06C.0041CA64
004E4DD6 |E8 D9DDF1FF CALL EF06C.00402BB4
004E4DDB |8BC3 MOV EAX,EBX
004E4DDD |8B10 MOV EDX,DWORD PTR DS:[EAX]
004E4DDF |FF12 CALL DWORD PTR DS:[EDX]
004E4DE1 |83E8 64 SUB EAX,64
004E4DE4 |83DA 00 SBB EDX,0
004E4DE7 |E8 A8E3F1FF CALL EF06C.00403194
004E4DEC |99 CDQ
004E4DED |52 PUSH EDX
004E4DEE |50 PUSH EAX
004E4DEF |8BC3 MOV EAX,EBX
004E4DF1 |E8 F279F3FF CALL EF06C.0041C7E8
004E4DF6 |8BC3 MOV EAX,EBX
004E4DF8 |8B10 MOV EDX,DWORD PTR DS:[EAX]
004E4DFA |FF12 CALL DWORD PTR DS:[EDX]
004E4DFC |52 PUSH EDX
004E4DFD |50 PUSH EAX
004E4DFE |8BC3 MOV EAX,EBX
004E4E00 |E8 C379F3FF CALL EF06C.0041C7C8
004E4E05 |290424 SUB DWORD PTR SS:[ESP],EAX
004E4E08 |195424 04 SBB DWORD PTR SS:[ESP+4],EDX
004E4E0C |58 POP EAX
004E4E0D |5A POP EDX
004E4E0E |E8 81E3F1FF CALL EF06C.00403194
004E4E13 |99 CDQ
004E4E14 |52 PUSH EDX
004E4E15 |50 PUSH EAX
004E4E16 |8BD3 MOV EDX,EBX
004E4E18 |8BC6 MOV EAX,ESI
004E4E1A |E8 457CF3FF CALL EF06C.0041CA64
004E4E1F |8BC3 MOV EAX,EBX
004E4E21 |E8 BEEAF1FF CALL EF06C.004038E4
004E4E26 |8BC6 MOV EAX,ESI
004E4E28 |E8 B7EAF1FF CALL EF06C.004038E4
004E4E2D |8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
004E4E30 |33C9 XOR ECX,ECX
004E4E32 |BA 44000000 MOV EDX,44
004E4E37 |E8 38E3F1FF CALL EF06C.00403174
004E4E3C |C745 B0 4400000>MOV DWORD PTR SS:[EBP-50],44
004E4E43 |C745 DC 0100000>MOV DWORD PTR SS:[EBP-24],1
004E4E4A |66:C745 E0 0100 MOV WORD PTR SS:[EBP-20],1
004E4E50 |8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
004E4E53 |50 PUSH EAX
004E4E54 |8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
004E4E57 |50 PUSH EAX
004E4E58 |6A 00 PUSH 0
004E4E5A |6A 00 PUSH 0
004E4E5C |6A 20 PUSH 20
004E4E5E |6A FF PUSH -1
004E4E60 |6A 00 PUSH 0
004E4E62 |6A 00 PUSH 0
004E4E64 |FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004E4E67 |68 F04F4E00 PUSH EF06C.004E4FF0 ; -run
004E4E6C |8D95 88FEFFFF LEA EDX,DWORD PTR SS:[EBP-178]
004E4E72 |33C0 XOR EAX,EAX
004E4E74 |E8 DBDCF1FF CALL EF06C.00402B54
004E4E79 |8B85 88FEFFFF MOV EAX,DWORD PTR SS:[EBP-178]
004E4E7F |8D95 8CFEFFFF LEA EDX,DWORD PTR SS:[EBP-174]
004E4E85 |E8 62D9FFFF CALL EF06C.004E27EC
004E4E8A |FFB5 8CFEFFFF PUSH DWORD PTR SS:[EBP-174]
004E4E90 |8D85 90FEFFFF LEA EAX,DWORD PTR SS:[EBP-170]
004E4E96 |BA 03000000 MOV EDX,3
004E4E9B |E8 D8FBF1FF CALL EF06C.00404A78
004E4EA0 |8B85 90FEFFFF MOV EAX,DWORD PTR SS:[EBP-170]
004E4EA6 |E8 0DFDF1FF CALL EF06C.00404BB8
004E4EAB |50 PUSH EAX
004E4EAC |6A 00 PUSH 0
004E4EAE |E8 051DF2FF CALL <JMP.&kernel32.CreateProcessA>
004E4EB3 |33C0 XOR EAX,EAX ------------------------->main window returns here
With the hardware breakpoint set at 004E4D2A, reload (CTRL+F2) and run (F9).
--------------------------------------------------------------------
OD main window output
004E4D2A /0F85 A9010000 JNZ EF06C.004E4ED9
004E4D30 |33D2 XOR EDX,EDX
004E4D32 |55 PUSH EBP
004E4D33 |68 C14E4E00 PUSH EF06C.004E4EC1
004E4D38 |64:FF32 PUSH DWORD PTR FS:[EDX]
004E4D3B |64:8922 MOV DWORD PTR FS:[EDX],ESP
004E4D3E |8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160]
004E4D44 |50 PUSH EAX
004E4D45 |68 04010000 PUSH 104
004E4D4A |E8 B11FF2FF CALL <JMP.&kernel32.GetTempPathA>
004E4D4F |8D95 98FEFFFF LEA EDX,DWORD PTR SS:[EBP-168]
004E4D55 |33C0 XOR EAX,EAX
004E4D57 |E8 F8DDF1FF CALL EF06C.00402B54
It wants to create the child process and we won't let it: change the jnz to jz.
Next set bp OpenProcess and keep pressing F9.
--------------------------------------------------------------------
OD stack window output
0012FF68 014E90B3 /CALL 到 OpenProcess
0012FF6C FFF51889 |Access = TERMINATE|VM_OPERATION|CREATE_PROCESS|SYNCHRONIZE|STANDARD_RIGHTS_REQUIRED|FFE01800
0012FF70 00000000 |Inheritable = FALSE
0012FF74 0000270F \ProcessId = 270F
0012FF78 7FFD7000
0012FF7C 004D03AA 返回到 EF06C.004D03AA 来自 EF06C.004D0360
0012FF80 7FFD7000
0012FF84 004EF0D9 返回到 EF06C.004EF0D9 来自 EF06C.004D03A4 -------->press Enter here to follow
0012FF88 0012FFB4 指向下一个 SEH 记录的指针
0012FF8C 004EF273 SE 处理器
0012FF90 0012FFC0
0012FF94 7C930208 ntdll.7C930208
--------------------------------------------------------------------
OD main window output
004EF0D9 B8 B9220000 MOV EAX,22B9 ; stack return lands here
004EF0DE E8 B140F1FF CALL EF06C.00403194
004EF0E3 40 INC EAX
004EF0E4 8B15 44A84F00 MOV EDX,DWORD PTR DS:[4FA844] ; EF06C.0143E380
004EF0EA 8902 MOV DWORD PTR DS:[EDX],EAX
004EF0EC 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004EF0EF A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF0F4 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF0F6 E8 259BF8FF CALL EF06C.00478C20
004EF0FB 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004EF0FE 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004EF101 E8 86A5F1FF CALL EF06C.0040968C
004EF106 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004EF109 A1 24A64F00 MOV EAX,DWORD PTR DS:[4FA624]
004EF10E E8 3956F1FF CALL EF06C.0040474C
004EF113 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004EF116 B8 02000000 MOV EAX,2
004EF11B E8 343AF1FF CALL EF06C.00402B54
004EF120 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004EF123 BA 8CF24E00 MOV EDX,EF06C.004EF28C ; E:\sy\delphi\自_时空\P.exe
004EF128 E8 D759F1FF CALL EF06C.00404B04
004EF12D 74 20 JE SHORT EF06C.004EF14F
004EF12F A1 A0A84F00 MOV EAX,DWORD PTR DS:[4FA8A0]
004EF134 50 PUSH EAX
004EF135 6A 00 PUSH 0
004EF137 6A 00 PUSH 0
004EF139 68 303F4E00 PUSH EF06C.004E3F30 ; h0u
004EF13E 6A 00 PUSH 0
004EF140 6A 00 PUSH 0
004EF142 E8 817AF1FF CALL <JMP.&kernel32.CreateThread>
004EF147 8B15 70A24F00 MOV EDX,DWORD PTR DS:[4FA270] ; EF06C.0143E954
004EF14D 8902 MOV DWORD PTR DS:[EDX],EAX
004EF14F A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF154 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF156 E8 1D94F8FF CALL EF06C.00478578
004EF15B 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004EF15E B8 03000000 MOV EAX,3
004EF163 E8 EC39F1FF CALL EF06C.00402B54
004EF168 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004EF16B BA B0F24E00 MOV EDX,EF06C.004EF2B0 ; 127.0.0.1
004EF170 E8 8F59F1FF CALL EF06C.00404B04
004EF175 75 11 JNZ SHORT EF06C.004EF188
004EF177 A1 FCA54F00 MOV EAX,DWORD PTR DS:[4FA5FC]
004EF17C BA C4F24E00 MOV EDX,EF06C.004EF2C4 ; http://192.168.1.8/qicheng_new
004EF181 E8 C655F1FF CALL EF06C.0040474C
004EF186 EB 0F JMP SHORT EF06C.004EF197
004EF188 A1 FCA54F00 MOV EAX,DWORD PTR DS:[4FA5FC]
004EF18D BA ECF24E00 MOV EDX,EF06C.004EF2EC ; http://wt.chaoweinet.com/qicheng_new
004EF192 E8 B555F1FF CALL EF06C.0040474C
004EF197 E8 D47AF1FF CALL <JMP.&kernel32.GetCurrentProcessId>
004EF19C 50 PUSH EAX
004EF19D 6A 00 PUSH 0
004EF19F 68 10040000 PUSH 410
004EF1A4 E8 277CF1FF CALL <JMP.&kernel32.OpenProcess>
004EF1A9 8B15 ACA54F00 MOV EDX,DWORD PTR DS:[4FA5AC] ; EF06C.0143E978
004EF1AF 8902 MOV DWORD PTR DS:[EDX],EAX
004EF1B1 8B0D F8A74F00 MOV ECX,DWORD PTR DS:[4FA7F8] ; EF06C.004FBBF8
004EF1B7 8B09 MOV ECX,DWORD PTR DS:[ECX]
004EF1B9 B2 01 MOV DL,1
004EF1BB A1 04914D00 MOV EAX,DWORD PTR DS:[4D9104]
004EF1C0 E8 EB1BF8FF CALL EF06C.00470DB0
004EF1C5 8BD8 MOV EBX,EAX
004EF1C7 8BC3 MOV EAX,EBX
004EF1C9 8B10 MOV EDX,DWORD PTR DS:[EAX]
004EF1CB FF92 EC000000 CALL DWORD PTR DS:[EDX+EC] ; registration form
004EF1D1 48 DEC EAX
004EF1D2 75 5D JNZ SHORT EF06C.004EF231 ; enter the cheat
004EF1D4 8BC3 MOV EAX,EBX
004EF1D6 E8 0947F1FF CALL EF06C.004038E4
004EF1DB 8B0D FCA94F00 MOV ECX,DWORD PTR DS:[4FA9FC] ; EF06C.01440638
004EF1E1 A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF1E6 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF1E8 8B15 207F4E00 MOV EDX,DWORD PTR DS:[4E7F20] ; EF06C.004E7F6C
004EF1EE E8 9D93F8FF CALL EF06C.00478590 ; game not found
004EF1F3 8B0D 74A74F00 MOV ECX,DWORD PTR DS:[4FA774] ; EF06C.014405D8
004EF1F9 A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF1FE 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF200 8B15 90834D00 MOV EDX,DWORD PTR DS:[4D8390] ; EF06C.004D83DC
004EF206 E8 8593F8FF CALL EF06C.00478590
004EF20B 8B0D 3CA54F00 MOV ECX,DWORD PTR DS:[4FA53C] ; EF06C.014405FC
004EF211 A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF216 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF218 8B15 80A44D00 MOV EDX,DWORD PTR DS:[4DA480] ; EF06C.004DA4CC
004EF21E E8 6D93F8FF CALL EF06C.00478590
004EF223 A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF228 8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF22A E8 E193F8FF CALL EF06C.00478610 ; auto update
004EF22F EB 27 JMP SHORT EF06C.004EF258
Set a hardware breakpoint at 004EF1CB, the "enter the cheat" location, then reload and run.
--------------------------------------------------------------------
OD main window output
004EF1CB FF92 EC000000 CALL DWORD PTR DS:[EDX+EC] ; registration form
004EF1D1 48 DEC EAX
004EF1D2 75 5D JNZ SHORT EF06C.004EF231 ; enter the cheat
004EF1D4 |8BC3 MOV EAX,EBX
004EF1D6 |E8 0947F1FF CALL EF06C.004038E4
004EF1DB |8B0D FCA94F00 MOV ECX,DWORD PTR DS:[4FA9FC] ; EF06C.01440638
004EF1E1 |A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF1E6 |8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF1E8 |8B15 207F4E00 MOV EDX,DWORD PTR DS:[4E7F20] ; EF06C.004E7F6C
004EF1EE |E8 9D93F8FF CALL EF06C.00478590 ; game not found
004EF1F3 |8B0D 74A74F00 MOV ECX,DWORD PTR DS:[4FA774] ; EF06C.014405D8
004EF1F9 |A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF1FE |8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF200 |8B15 90834D00 MOV EDX,DWORD PTR DS:[4D8390] ; EF06C.004D83DC
004EF206 |E8 8593F8FF CALL EF06C.00478590
004EF20B |8B0D 3CA54F00 MOV ECX,DWORD PTR DS:[4FA53C] ; EF06C.014405FC
004EF211 |A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF216 |8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF218 |8B15 80A44D00 MOV EDX,DWORD PTR DS:[4DA480] ; EF06C.004DA4CC
004EF21E |E8 6D93F8FF CALL EF06C.00478590
004EF223 |A1 F8A74F00 MOV EAX,DWORD PTR DS:[4FA7F8]
004EF228 |8B00 MOV EAX,DWORD PTR DS:[EAX]
004EF22A |E8 E193F8FF CALL EF06C.00478610 ; auto update
004EF22F |EB 27 JMP SHORT EF06C.004EF258
004EF231 \33C0 XOR EAX,EAX
This time the program breaks at 004EF1CB. NOP out the instructions at 004EF1CB and 004EF1D2.
Press F9 to run and we are inside the cheat. Now click the close button and you will find the program has deleted itself.
A process that can delete itself after it has exited?? It obviously drops a BAT script to do the deletion. Set another breakpoint: bp CreateFileA.
--------------------------------------------------------------------
OD stack window output
0012F010 00402DE9 /CALL 到 CreateFileA 来自 EF06C.00402DE4
0012F014 0012F0B4 |FileName = "C:\Documents and Settings\Netki1l$\桌面\新建文件夹\仙机绿色辅助\EF06C.bat"
0012F018 40000000 |Access = GENERIC_WRITE
0012F01C 00000001 |ShareMode = FILE_SHARE_READ
0012F020 00000000 |pSecurity = NULL
0012F024 00000002 |Mode = CREATE_ALWAYS
0012F028 00000080 |Attributes = NORMAL
0012F02C 00000000 \hTemplateFile = NULL
0012F030 0012D7B2
0012F034 00402C92 返回到 EF06C.00402C92
Double-click 0012F010 to follow it and we arrive at the following
--------------------------------------------------------------------
OD main window output
00402DCE /0F84 B2000000 JE EF06C.00402E86 ------------------>change JE to JNE here
00402DD4 |6A 00 PUSH 0
00402DD6 |68 80000000 PUSH 80
00402DDB |51 PUSH ECX
00402DDC |6A 00 PUSH 0
00402DDE |52 PUSH EDX
00402DDF |50 PUSH EAX
00402DE0 |8D46 48 LEA EAX,DWORD PTR DS:[ESI+48]
00402DE3 |50 PUSH EAX
00402DE4 |E8 C3E4FFFF CALL <JMP.&kernel32.CreateFileA>
00402DE9 |83F8 FF CMP EAX,-1 ------------------>after the stack return we land here
00402DEC |0F84 08010000 JE EF06C.00402EFA
00402DF2 |8906 MOV DWORD PTR DS:[ESI],EAX
00402DF4 |66:817E 04 B3D7 CMP WORD PTR DS:[ESI+4],0D7B3
00402DFA |0F85 C3000000 JNZ EF06C.00402EC3
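Anyone reading a stack dump like the CreateFileA one above ends up doing the same three checks by hand: which file, with what access, in what mode. As an added example (not from the article and not OllyDbg's own code), the Python below parses a stack-window block in exactly that layout and applies those checks to flag the self-delete script drop. The function names parse_od_call and judge_create_file, the SAMPLE_STACK text, the C:\Games\cheat directory and the inclusion of .cmd next to .bat are assumptions; the file name EF06C.bat and the argument annotations mirror the dump above.

```python
"""Parse an OllyDbg call-stack annotation block and judge a CreateFileA call.

Added example, not part of the original write-up and not OllyDbg's own code.
It accepts the stack-window text in the shape shown in the article (address,
value, then a /|\\ prefixed "Name = value" annotation, in OD's Chinese or
English localisation) and flags the self-delete pattern the write-up found:
a .bat written next to the running executable with GENERIC_WRITE and
CREATE_ALWAYS. The sample block, the directory and the exe path are constructed.
"""
import ntpath
import re

GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2
SCRIPT_EXT = {".bat", ".cmd"}   # .cmd is the equivalent batch-script extension (assumption)

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+[/|\\](.*)$")
CALL_RE = re.compile(r"CALL\s+(?:to|到)\s+(\w+)")
ARG_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

# Constructed sample in the same layout as the OD stack view above; only the
# file name EF06C.bat and the argument labels come from the article.
SAMPLE_STACK = r"""
0012F010 00402DE9 /CALL 到 CreateFileA 来自 EF06C.00402DE4
0012F014 0012F0B4 |FileName = "C:\Games\cheat\EF06C.bat"
0012F018 40000000 |Access = GENERIC_WRITE
0012F01C 00000001 |ShareMode = FILE_SHARE_READ
0012F020 00000000 |pSecurity = NULL
0012F024 00000002 |Mode = CREATE_ALWAYS
0012F028 00000080 |Attributes = NORMAL
0012F02C 00000000 \hTemplateFile = NULL
0012F030 0012D7B2
"""


def parse_od_call(text):
    """Return {"func": name, "args": {name: (raw_int, annotation)}} for the
    first annotated CALL block in text. The block ends at the first line
    without an annotation prefix or at the next CALL line."""
    func, args = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if func:            # un-annotated line: the argument block is over
                break
            continue
        raw, note = int(m.group(2), 16), m.group(3).strip()
        call = CALL_RE.search(note)
        if call:
            if func:            # a second CALL block starts: stop at the first one
                break
            func = call.group(1)
            continue
        arg = ARG_RE.match(note)
        if arg and func:
            value = arg.group(2).strip().strip('"')
            args[arg.group(1)] = (raw, value)
    return {"func": func, "args": args}


def judge_create_file(call, exe_path):
    """Heuristic verdict for one CreateFileA call, given the path of the
    executable that made it. Decisions use the raw hex column, not OD's
    label text, so a mask OD cannot fully name is still evaluated."""
    if call["func"] != "CreateFileA":
        return {"suspicious": False, "path": None, "reasons": ["not a CreateFileA call"]}
    args = call["args"]
    path = args.get("FileName", (0, ""))[1]
    access = args.get("Access", (0, ""))[0]
    mode = args.get("Mode", (0, ""))[0]
    reasons = []
    if ntpath.splitext(path)[1].lower() in SCRIPT_EXT:
        reasons.append("script extension")
    if ntpath.dirname(path).lower() == ntpath.dirname(exe_path).lower():
        reasons.append("written beside the executable")
    if access & GENERIC_WRITE:
        reasons.append("GENERIC_WRITE")
    if mode == CREATE_ALWAYS:
        reasons.append("CREATE_ALWAYS")
    # All four together are the self-delete drop; fewer is only worth noting.
    return {"suspicious": len(reasons) == 4, "path": path, "reasons": reasons}


if __name__ == "__main__":
    parsed = parse_od_call(SAMPLE_STACK)
    print(judge_create_file(parsed, r"C:\Games\cheat\EF06C.exe"))
```

The verdict is computed from the raw value column rather than from OD's decoded labels: earlier in this article OD printed the OpenProcess mask with an unresolved FFE01800 remainder, and a rule keyed on label text would silently skip such cases.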
--------------------------------------------------------------------
Then save, run, and you go straight into the cheat's main body.
But have you noticed that the directory keeps producing one child program after another?
Doesn't it look a bit like a hen laying eggs?
How to stop it creating those programs I'll leave for you to research yourselves.
End
--------------------------------------------------------------------
Other parts for reference
Software version check:
http://wt.chaoweinet.com/qicheng_new/login_ok.asp?loc_ver=1.36&mac=gmdatmuqtnzitntqtotgtmdk9r2vudwluzuludgvsozawmdawnkzeltaxmdiwodawltawmdbfmzlelujgrujgqkz&rnd=1&yhm=&mm=&yzm=1ad66f9ec4b2eef7
Network user registration:
http://wt.chaoweinet.com/qicheng_new/login.asp
--------------------------------------------------------------------
Hints from other key string fragments:
004D9380 B8 60944D00 MOV EAX,EF06C.004D9460 ; exec:
004E5294 B8 E0534E00 MOV EAX,EF06C.004E53E0 ; 未发现游戏!! (Game not found!!)
004E5439 B8 6C554E00 MOV EAX,EF06C.004E556C ; 无法打开游戏!! (Cannot open game!!)
004E5F65 B8 F0604E00 MOV EAX,EF06C.004E60F0 ; 未找到程序!! (Program not found!!)
004E5FB9 B8 08614E00 MOV EAX,EF06C.004E6108 ; 无法打开游戏!! (Cannot open game!!)
004D3A46 /7F 12 JG SHORT EF06C.004D3A5A ; jumps to show update
004EF1D2 /75 5D JNZ SHORT EF06C.004EF231 ; enter the cheat
--------------------------------------------------------------------
API hints that may be useful for this crack:
CreateProcess: creates a new process and its primary thread; the new process runs the specified executable
OpenProcess: opens an existing process object
ExitThread: ends the calling thread
GetTempPath: retrieves the path of the directory designated for temporary files
CreateFileA: opens or creates a file
--------------------------------------------------------------------