青云志手游法宝:一种直接修改指令(修改汇编代码段/动态修改指令)改变软件行为/算法破解方法
主要用到了 ::VirtualProtectEx 和 WriteProcessMemory。
通过加载dll直接修改主进程的代码,实现动态破解。(具体劫持方法参照前文)。
以下为示例代码:
// Analyst notes on this listing (the page describes it as a DLL loaded into the
// target process that patches that process's own code in place).
//
// What the code does, as written:
//   1. Inline x86 asm linearly scans 0x401000..0x411000 for the 6-byte sequence
//      FF 15 F8 12 4B 00 (little-endian dword 0x12F815FF followed by word 0x004B),
//      i.e. the `call dword ptr [...]` shown in the disassembler comment below.
//   2. On a hit it steps back 14 bytes (MASM inline asm reads `14` as decimal, 0xE)
//      and records that address in modify_code_addr.
//   3. Opens a handle to its own process, sets 1024 bytes at that address to
//      PAGE_EXECUTE_READWRITE and overwrites 20 bytes with 0x90 (NOP).
//
// Detection / mitigation points visible in this code:
//   - The original page protection returned by VirtualProtectEx is stored in `ws`
//     and immediately clobbered by WriteProcessMemory's bytes-written output, and is
//     never restored, so the image's code page stays write+execute afterwards — a
//     durable artifact a memory scanner can key on.
//   - OpenProcess(PROCESS_ALL_ACCESS) on the current PID, followed by
//     VirtualProtectEx / WriteProcessMemory aimed at the process's own code section,
//     is the API-level sequence a sensor would record.
//   - Comparing the code section against the on-disk image detects the NOP
//     overwrite; the scan assumes a fixed load base and an exact byte pattern, so a
//     relocated or rebuilt image is not matched.
DWORD modify_code_addr,ws,code;   // code: 4-byte NOP fill pattern; ws: reused out-param (see note above)
//unsigned char code[1024];
// memset(code,0x90,1024);
//modify_code_addr=0;
// NOTE: the zero-init above is commented out, so modify_code_addr is only assigned
// on a pattern hit; the `==0` test below reads an indeterminate value otherwise.
_asm{
//push eax
//push ebx
mov eax,0x401000        // hard-coded scan start
add_eax:
inc eax                 // byte-granular linear scan
cmp eax,0x411000
jg exit_eax             // hard-coded scan end
cmp dword ptr [eax],0x12F815FF //004019AE |. FF15 F8124B00 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameW
jne add_eax
cmp word ptr [eax+4],0x4b   // remaining two bytes of the pattern: 4B 00
jne add_eax
modify_eax:
sub eax,14 /// step back to 004019A0 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
mov modify_code_addr,eax    // patch start address handed to the C code below
// jmp eax
// mov dword ptr [eax],0x90909090 ///// a direct store here faults: the page is not writable
exit_eax:
//mov eax,0xffffffff
};
if(modify_code_addr==0)
{
#ifdef _DEBUG
MessageBox(NULL,"ADDR=0","AAA",MB_OK);
#endif
}
else
{
char buff[32];
// "ADDR=" + at most 8 hex digits = 13 chars, fits in 32; +14 reports the matched
// call site rather than the patch start.
sprintf(buff,"ADDR=%x",modify_code_addr+14);
#ifdef _DEBUG
MessageBox(NULL,buff,"AAA",MB_OK);
#endif
}
//
if(modify_code_addr)
{
DWORD id;
id = ::GetCurrentProcessId();   // the patch targets the current process
HANDLE hProc;
HRESULT rs;                     // NOTE: both APIs below return BOOL; rs is stored but never examined
hProc=::OpenProcess( PROCESS_ALL_ACCESS, TRUE,id);
rs = ::VirtualProtectEx(hProc,(void *)modify_code_addr,1024,PAGE_EXECUTE_READWRITE,&ws);/// make the page writable (old protection lands in ws and is lost on the next call)
code = 0x90909090;
rs = WriteProcessMemory(hProc, (void *)modify_code_addr,(void *)&code, 4, &ws); //// 20 bytes of NOP fill, four 0x90 per write
rs = WriteProcessMemory(hProc, (void *)(modify_code_addr+4),(void *)&code, 4, &ws);
rs = WriteProcessMemory(hProc, (void *)(modify_code_addr+8),(void *)&code, 4, &ws);
rs = WriteProcessMemory(hProc, (void *)(modify_code_addr+12),(void *)&code, 4, &ws);
rs = WriteProcessMemory(hProc, (void *)(modify_code_addr+16),(void *)&code, 4, &ws);
CloseHandle(hProc);             // handle released; page protection is not restored
//__asm mov dword ptr [eax],0x90909090
//__asm jmp modify_code_addr;
}