闲来无事,找个反**系统的最软柿子捏捏,研究其原理也是一种快速的学习方法,比起没头没脑的看书效率要高吧,呵呵...
.text:00016672 ; =============== S U B R O U T I N E =======================================
.text:00016672 ; X_INT1 -- hook for INT 1 (#DB, the KiTrap01 vector); 32-bit x86 kernel code
.text:00016672 ; (IDA listing; per the post, an anti-cheat/protection driver's INT1 hook).
.text:00016672 ;
.text:00016672 ; Behaviour visible in this listing: save the general/segment registers and
.text:00016672 ; EFLAGS, snapshot DR0-DR3 and DR6 into a global scratch area, clear DR0-DR3,
.text:00016672 ; optionally log DX / AL / [ebp+4], then either chain to the original INT1
.text:00016672 ; handler (jmp through ds:0B581BE54h) or return with iret after restoring DR0-DR3.
.text:00016672 ;
.text:00016672 ; Inputs as used by the code: AL is compared with 0D2h, DL with 64h/65h, and
.text:00016672 ;   [ebp+4] is read. NOTE(review): an interrupt gate sets none of AL/DX/EBP,
.text:00016672 ;   so they come from the interrupted context or from a dispatch stub that is
.text:00016672 ;   not in this listing -- confirm against the installer / IDT entry.
.text:00016672 ; Globals (ds: absolute addresses written/read below):
.text:00016672 ;   0B581BE54h  original INT1 handler address (0 = not known yet)
.text:00016672 ;   0B581BE58h  EAX on entry (AL == 0D2h path only)
.text:00016672 ;   0B581BE5Ch  DX zero-extended          0B581BE60h  low byte of saved EAX
.text:00016672 ;   0B581BE64h  dword read from [ebp+4]   0B581BE7Ch  counter (incremented)
.text:00016672 ;   0B581BE68h..74h  DR0..DR3             0B581BE78h  DR6
.text:00016672 ; State on exit: GPRs, segment registers and EFLAGS come back via popa/pop/popf.
.text:00016672 ;   iret path: DR0-DR3 restored from the snapshot.  Chain path: DR0-DR3 are
.text:00016672 ;   left zeroed, so the original handler sees no hardware breakpoints.
.text:00016672 ;   DR6 is saved but never cleared or restored; DR7 is not touched anywhere.
.text:00016672 ; NOTE(review): the processor does not clear DR6.B0-B3 on its own and this hook
.text:00016672 ;   does not either, so a stale hit bit could steer a later TF single-step onto
.text:00016672 ;   the hardware-breakpoint path -- confirm whether the original handler clears DR6.
.text:00016672 X_INT1 proc near
.text:00016672 pusha ; save EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI of the interrupted context
.text:00016673 pushf
.text:00016674 push ds
.text:00016675 push ss
.text:00016676 push es
.text:00016677 push fs
.text:00016679 push gs ; segment registers; popped in reverse order at both exits
.text:0001667B cmp al, 0D2h ; (original note) what does AL hold here, and why compare it with 0D2h? NOTE(review): not derivable from this listing -- presumably a tag set by a dispatch stub; confirm
.text:0001667D jnz short AL_NOT_EQUL_D2 ; AL != 0D2h: snapshot/clear the debug registers only, no logging
.text:0001667F mov ds:0B581BE58h, eax ; keep EAX on entry; its low byte is logged further down
.text:00016684 mov eax, dr0
.text:00016687 mov ds:0B581BE68h, eax
.text:0001668C mov eax, dr1
.text:0001668F mov ds:0B581BE6Ch, eax
.text:00016694 mov eax, dr2
.text:00016697 mov ds:0B581BE70h, eax
.text:0001669C mov eax, dr3
.text:0001669F mov ds:0B581BE74h, eax
.text:000166A4 mov eax, dr6
.text:000166A7 mov ds:0B581BE78h, eax ; snapshot of the debug registers DR0-DR3 and DR6 is complete
.text:000166AC xor eax, eax ; eax = 0
.text:000166AE mov dr0, eax ; clear all four hardware breakpoint addresses
.text:000166B1 mov dr1, eax ; (DR7 enable bits are not changed by this code)
.text:000166B4 mov dr2, eax
.text:000166B7 mov dr3, eax
.text:000166BA mov eax, dr6 ; DR6 is still intact; only DR0-DR3 were zeroed
.text:000166BD and eax, 0Fh ; DR6 bits 0-3 = B0-B3 ("breakpoint n hit"): zero -> this #DB did not come from DR0-DR3 (e.g. TF single-step); non-zero -> a hardware breakpoint fired KiTrap01
.text:000166C0 jz short SINGLE_STEP_INTERRUPT ; nothing more to record
.text:000166C2 xor eax, eax ; hardware breakpoint triggered KiTrap01: log DX, AL and [ebp+4]
.text:000166C4 mov ax, dx ; (original note) what does DX hold here? -- low word of DX, zero-extended; its meaning is not derivable from this listing
.text:000166C7 mov ds:0B581BE5Ch, eax ; log DX
.text:000166CC mov eax, ds:0B581BE58h
.text:000166D1 and eax, 0FFh ; low byte of the saved EAX (== 0D2h on this path)
.text:000166D6 mov ds:0B581BE60h, eax ; log AL
.text:000166DB mov eax, ebp ; EBP is still the interrupted context's value (pusha only saved it)
.text:000166DD mov eax, [eax+4] ; dword at [ebp+4] -- the return address if that code keeps a frame pointer in EBP; assumption, confirm
.text:000166E0 mov ds:0B581BE64h, eax ; (original note) the meaning of these lines was unclear -- they store DX, AL and [ebp+4] into three consecutive dwords
.text:000166E5 inc dword ptr ds:0B581BE7Ch ; count hardware-breakpoint hits seen on this path
.text:000166EB jmp short ORG_INT1
.text:000166ED ; ---------------------------------------------------------------------------
.text:000166ED
.text:000166ED SINGLE_STEP_INTERRUPT: ; CODE XREF: X_INT1+4Ej
.text:000166ED jmp short ORG_INT1 ; non-DRn #DB: nothing logged, go straight to the chain decision
.text:000166EF ; ---------------------------------------------------------------------------
.text:000166EF
.text:000166EF AL_NOT_EQUL_D2: ; CODE XREF: X_INT1+Bj
.text:000166EF mov eax, dr0 ; same snapshot of DR0-DR3/DR6 as above, without the DX/AL/[ebp+4] logging
.text:000166F2 mov ds:0B581BE68h, eax
.text:000166F7 mov eax, dr1
.text:000166FA mov ds:0B581BE6Ch, eax
.text:000166FF mov eax, dr2
.text:00016702 mov ds:0B581BE70h, eax
.text:00016707 mov eax, dr3
.text:0001670A mov ds:0B581BE74h, eax
.text:0001670F mov eax, dr6
.text:00016712 mov ds:0B581BE78h, eax
.text:00016717 xor eax, eax
.text:00016719 mov dr0, eax ; clear DR0-DR3 here as well
.text:0001671C mov dr1, eax
.text:0001671F mov dr2, eax
.text:00016722 mov dr3, eax ; falls through into ORG_INT1
.text:00016725
.text:00016725 ORG_INT1: ; CODE XREF: X_INT1+79j
.text:00016725 ; X_INT1:SINGLE_STEP_INTERRUPTj
.text:00016725 mov eax, edx ; chain decision: DL == 64h or 65h -> skip the original handler and iret directly
.text:00016727 cmp al, 64h ; 64h/65h are tag values whose meaning is not visible here
.text:00016729 jz short INTERRUPT_RET
.text:0001672B mov eax, edx ; redundant reload: EAX already equals EDX and cmp did not modify it
.text:0001672D cmp al, 65h
.text:0001672F jz short INTERRUPT_RET
.text:00016731 call GetOrg_INT1 ; not in this listing; presumably resolves the original INT1 handler into ds:0B581BE54h -- confirm
.text:00016736 mov eax, ds:0B581BE54h
.text:0001673B cmp eax, 0 ; no original handler known -> just return from the interrupt
.text:0001673E jz short INTERRUPT_RET
.text:00016740 pop gs ; unwind the saved context before handing off
.text:00016742 pop fs
.text:00016744 pop es
.text:00016745 pop ss
.text:00016746 pop ds
.text:00016747 popf
.text:00016748 popa ; EAX..EDI back to entry values
.text:00016749 jmp dword ptr ds:0B581BE54h ; tail-jump to the original INT1 handler entry; DR0-DR3 remain zeroed on this path
.text:0001674F ; ---------------------------------------------------------------------------
.text:0001674F
.text:0001674F INTERRUPT_RET: ; CODE XREF: X_INT1+B7j
.text:0001674F ; X_INT1+BDj ...
.text:0001674F pop gs ; unwind the saved context
.text:00016751 pop fs
.text:00016753 pop es
.text:00016754 pop ss
.text:00016755 pop ds
.text:00016756 popf
.text:00016757 popa
.text:00016758 push eax ; EAX was just restored by popa; preserve it across the DR restore
.text:00016759 mov eax, ds:0B581BE68h ; restore DR0-DR3 from the snapshot (DR6 is neither restored nor cleared)
.text:0001675E mov dr0, eax
.text:00016761 mov eax, ds:0B581BE6Ch
.text:00016766 mov dr1, eax
.text:00016769 mov eax, ds:0B581BE70h
.text:0001676E mov dr2, eax
.text:00016771 mov eax, ds:0B581BE74h
.text:00016776 mov dr3, eax
.text:00016779 pop eax
.text:0001677A iret ; return to the interrupted code using the EIP/CS/EFLAGS frame pushed for INT 1
.text:0001677A X_INT1 endp
大概的流程就是获取调试信息,然后跳转到原中断处理程序,其中用到了EAX,EDX寄存器,不知道这两个寄存器是干嘛用的,另外这个hook是如何知道正在调试游戏进程的呢?希望大家可以讨论讨论,也希望高手能指教一二...