OD附加进程后直接退出, SDO开内核模式还是不行
是一个私服的登录器, VMP3的壳, 其实根壳也没关系吧
我不在乎登录器, 因为登录器进程可以杀掉, 我真正要调试的游戏.
现在问题是我od附加热血江湖的游戏进程后 (无壳, 原版), 也会自己终止进程 (应该是里面的dll的远古, 我想去用别人的方法去冻结和暂停其检测线程, 但是
游戏的进程中的所有线程都是暂停状态, 只有exe的主线程和d3d的绘图线程两个线程在运行, 明显就不是检测线程).
但是我一附加游戏就会退出, 百思不得其解 (我附加之前已经吧登录器给干掉了)
我壳
登录器和游戏的下载地址:
http://www.528dh.cn/download.aspx
直接官网直接下载
如果各位检测到木马一定要告诉我
不好意思,夜里代码贴错了,重贴一下:
library d3d8thk;
uses Windows;
var
g_pFunc1, g_pFunc2, g_pFunc3, g_pFunc4, g_pFunc5, g_pFunc6, g_pFunc7, g_pFunc8, g_pFunc9, g_pFunc10,
g_pFunc11, g_pFunc12, g_pFunc13, g_pFunc14, g_pFunc15, g_pFunc16, g_pFunc17, g_pFunc18, g_pFunc19, g_pFunc20,
g_pFunc21, g_pFunc22, g_pFunc23, g_pFunc24, g_pFunc25, g_pFunc26, g_pFunc27, g_pFunc28, g_pFunc29, g_pFunc30,
g_pFunc31, g_pFunc32, g_pFunc33, g_pFunc34, g_pFunc35, g_pFunc36, g_pFunc37, g_pFunc38, g_pFunc39, g_pFunc40,
g_pFunc41, g_pFunc42, g_pFunc43, g_pFunc44, g_pFunc45, g_pFunc46, g_pFunc47, g_pFunc48, g_pFunc49, g_pFunc50,
g_pFunc51, g_pFunc52, g_pFunc53, g_pFunc54, g_pFunc55, g_pFunc56: Pointer;
g_nBakData: Int64;
procedure FakeProc1; asm jmp g_pFunc1 end;
procedure FakeProc2; asm jmp g_pFunc2 end;
procedure FakeProc3; asm jmp g_pFunc3 end;
procedure FakeProc4; asm jmp g_pFunc4 end;
procedure FakeProc5; asm jmp g_pFunc5 end;
procedure FakeProc6; asm jmp g_pFunc6 end;
procedure FakeProc7; asm jmp g_pFunc7 end;
procedure FakeProc8; asm jmp g_pFunc8 end;
procedure FakeProc9; asm jmp g_pFunc9 end;
procedure FakeProc10; asm jmp g_pFunc10 end;
procedure FakeProc11; asm jmp g_pFunc11 end;
procedure FakeProc12; asm jmp g_pFunc12 end;
procedure FakeProc13; asm jmp g_pFunc13 end;
procedure FakeProc14; asm jmp g_pFunc14 end;
procedure FakeProc15; asm jmp g_pFunc15 end;
procedure FakeProc16; asm jmp g_pFunc16 end;
procedure FakeProc17; asm jmp g_pFunc17 end;
procedure FakeProc18; asm jmp g_pFunc18 end;
procedure FakeProc19; asm jmp g_pFunc19 end;
procedure FakeProc20; asm jmp g_pFunc20 end;
procedure FakeProc21; asm jmp g_pFunc21 end;
procedure FakeProc22; asm jmp g_pFunc22 end;
procedure FakeProc23; asm jmp g_pFunc23 end;
procedure FakeProc24; asm jmp g_pFunc24 end;
procedure FakeProc25; asm jmp g_pFunc25 end;
procedure FakeProc26; asm jmp g_pFunc26 end;
procedure FakeProc27; asm jmp g_pFunc27 end;
procedure FakeProc28; asm jmp g_pFunc28 end;
procedure FakeProc29; asm jmp g_pFunc29 end;
procedure FakeProc30; asm jmp g_pFunc30 end;
procedure FakeProc31; asm jmp g_pFunc31 end;
procedure FakeProc32; asm jmp g_pFunc32 end;
procedure FakeProc33; asm jmp g_pFunc33 end;
procedure FakeProc34; asm jmp g_pFunc34 end;
procedure FakeProc35; asm jmp g_pFunc35 end;
procedure FakeProc36; asm jmp g_pFunc36 end;
procedure FakeProc37; asm jmp g_pFunc37 end;
procedure FakeProc38; asm jmp g_pFunc38 end;
procedure FakeProc39; asm jmp g_pFunc39 end;
procedure FakeProc40; asm jmp g_pFunc40 end;
procedure FakeProc41; asm jmp g_pFunc41 end;
procedure FakeProc42; asm jmp g_pFunc42 end;
procedure FakeProc43; asm jmp g_pFunc43 end;
procedure FakeProc44; asm jmp g_pFunc44 end;
procedure FakeProc45; asm jmp g_pFunc45 end;
procedure FakeProc46; asm jmp g_pFunc46 end;
procedure FakeProc47; asm jmp g_pFunc47 end;
procedure FakeProc48; asm jmp g_pFunc48 end;
procedure FakeProc49; asm jmp g_pFunc49 end;
procedure FakeProc50; asm jmp g_pFunc50 end;
procedure FakeProc51; asm jmp g_pFunc51 end;
procedure FakeProc52; asm jmp g_pFunc52 end;
procedure FakeProc53; asm jmp g_pFunc53 end;
procedure FakeProc54; asm jmp g_pFunc54 end;
procedure FakeProc55; asm jmp g_pFunc55 end;
procedure FakeProc56; asm jmp g_pFunc56 end;
exports
FakeProc56 name 'OsThunkDdWaitForVerticalBlank',
FakeProc55 name 'OsThunkDdUpdateOverlay',
FakeProc54 name 'OsThunkDdUnlockD3D',
FakeProc53 name 'OsThunkDdUnlock',
FakeProc52 name 'OsThunkDdUnattachSurface',
FakeProc51 name 'OsThunkDdSetOverlayPosition',
FakeProc50 name 'OsThunkDdSetGammaRamp',
FakeProc49 name 'OsThunkDdSetExclusiveMode',
FakeProc48 name 'OsThunkDdSetColorKey',
FakeProc47 name 'OsThunkDdResetVisrgn',
FakeProc46 name 'OsThunkDdRenderMoComp',
FakeProc45 name 'OsThunkDdReleaseDC',
FakeProc44 name 'OsThunkDdReenableDirectDrawObject',
FakeProc43 name 'OsThunkDdQueryMoCompStatus',
FakeProc42 name 'OsThunkDdQueryDirectDrawObject',
FakeProc41 name 'OsThunkDdLockD3D',
FakeProc40 name 'OsThunkDdLock',
FakeProc39 name 'OsThunkDdGetScanLine',
FakeProc38 name 'OsThunkDdGetMoCompGuids',
FakeProc37 name 'OsThunkDdGetMoCompFormats',
FakeProc36 name 'OsThunkDdGetMoCompBuffInfo',
FakeProc35 name 'OsThunkDdGetInternalMoCompInfo',
FakeProc34 name 'OsThunkDdGetFlipStatus',
FakeProc33 name 'OsThunkDdGetDxHandle',
FakeProc32 name 'OsThunkDdGetDriverState',
FakeProc31 name 'OsThunkDdGetDriverInfo',
FakeProc30 name 'OsThunkDdGetDC',
FakeProc29 name 'OsThunkDdGetBltStatus',
FakeProc28 name 'OsThunkDdGetAvailDriverMemory',
FakeProc27 name 'OsThunkDdFlipToGDISurface',
FakeProc26 name 'OsThunkDdFlip',
FakeProc25 name 'OsThunkDdEndMoCompFrame',
FakeProc24 name 'OsThunkDdDestroySurface',
FakeProc23 name 'OsThunkDdDestroyMoComp',
FakeProc22 name 'OsThunkDdDestroyD3DBuffer',
FakeProc21 name 'OsThunkDdDeleteSurfaceObject',
FakeProc20 name 'OsThunkDdDeleteDirectDrawObject',
FakeProc19 name 'OsThunkDdCreateSurfaceObject',
FakeProc18 name 'OsThunkDdCreateSurfaceEx',
FakeProc17 name 'OsThunkDdCreateSurface',
FakeProc16 name 'OsThunkDdCreateMoComp',
FakeProc15 name 'OsThunkDdCreateDirectDrawObject',
FakeProc14 name 'OsThunkDdCreateD3DBuffer',
FakeProc13 name 'OsThunkDdColorControl',
FakeProc12 name 'OsThunkDdCanCreateSurface',
FakeProc11 name 'OsThunkDdCanCreateD3DBuffer',
FakeProc10 name 'OsThunkDdBlt',
FakeProc9 name 'OsThunkDdBeginMoCompFrame',
FakeProc8 name 'OsThunkDdAttachSurface',
FakeProc7 name 'OsThunkDdAlphaBlt',
FakeProc6 name 'OsThunkDdAddAttachedSurface',
FakeProc5 name 'OsThunkD3dValidateTextureStageState',
FakeProc4 name 'OsThunkD3dDrawPrimitives2',
FakeProc3 name 'OsThunkD3dContextDestroyAll',
FakeProc2 name 'OsThunkD3dContextDestroy',
FakeProc1 name 'OsThunkD3dContextCreate';
function HookApiHead(lpApi, lpNew, lpOrg: Pointer): BOOL;
var
nSize, nLen: Integer;
dwProtect, dwData, dwOffset: DWORD;
begin
Result := False;
//取备份字节长度
//nSize := GetBackUpSize(lpApi, 5);
//if nSize = 0 then Exit;
//复制/备份原始代码
nSize:=5;
nLen := nSize + 5;
dwProtect := 0;
if not VirtualProtect(lpOrg, nLen, PAGE_EXECUTE_READWRITE, @dwProtect) then Exit;
CopyMemory(lpOrg, lpApi, nSize);
dwData := DWORD(lpOrg) + nSize;
dwOffset := DWORD(lpApi) + nSize - dwData - 5;
PBYTE(dwData)^ := $E9;
Inc(dwData);
PDWORD(dwData)^ := dwOffset;
VirtualProtect(lpOrg, nLen, dwProtect, @dwProtect);
//开始HOOK API
dwProtect := 0;
if not VirtualProtect(lpApi, nSize, PAGE_EXECUTE_READWRITE, @dwProtect) then Exit;
dwData := DWORD(lpApi);
dwOffset := DWORD(lpNew) - dwData - 5;
PBYTE(dwData)^ := $E9;
Inc(dwData);
PDWORD(dwData)^ := dwOffset;
VirtualProtect(lpApi, nSize, dwProtect, @dwProtect);
Result := True;
end;
procedure Naked_ZwSetInformationThread;
asm
push eax;
mov eax, $11111111;
mov eax, $11111111;
pop eax;
end;
function MyZwSetInformationThread(hThread, dwClass, dwInfo, dwLen: DWORD): Integer; stdcall;
type TCall = function(hThread, dwClass, dwInfo, dwLen: DWORD): Integer; stdcall;
begin
Result := 0;
if dwClass = $11 then Exit;
Result := TCall(@Naked_ZwSetInformationThread)(hThread, dwClass, dwInfo, dwLen);
end;
procedure ReCoveryDbgUiRemoteBreakin(lpArg: PInt64);
var
nCount: Integer;
dwTemp: DWORD;
begin
nCount := 0;
while nCount < 6000 do begin
Sleep(100);
if lpArg^ <> g_nBakData then begin
if VirtualProtect(lpArg, 8, PAGE_EXECUTE_READWRITE, @dwTemp) then begin
lpArg^ := g_nBakData; //还原数据
VirtualProtect(lpArg, 8, dwTemp, @dwTemp);
end;
end;
Inc(nCount);
end;
end;
procedure InitHook;
var
dwMod: DWORD;
pApi: Pointer;
dwTid: DWORD;
begin
dwMod := GetModuleHandle('ntdll.dll');
pApi := GetProcAddress(dwMod, 'ZwSetInformationThread');
if pApi <> nil then HookApiHead(pApi, @MyZwSetInformationThread, @Naked_ZwSetInformationThread);
pApi := GetProcAddress(dwMod, 'DbgUiRemoteBreakin');
if pApi = nil then Exit;
try
g_nBakData := PInt64(pApi)^;
CloseHandle(BeginThread(nil, 0, @ReCoveryDbgUiRemoteBreakin, pApi, 0, dwTid));
except end;
end;
procedure EntryPoint(dwReason: DWORD);
var hMod: HMODULE;
begin
case dwReason of
DLL_PROCESS_ATTACH:
begin
InitHook;
hMod := LoadLibrary('C:\Windows\system32\d3d8thk.dll');
if hMod <> 0 then begin
g_pFunc1 := GetProcAddress(hMod, 'OsThunkD3dContextCreate');
g_pFunc2 := GetProcAddress(hMod, 'OsThunkD3dContextDestroy');
g_pFunc3 := GetProcAddress(hMod, 'OsThunkD3dContextDestroyAll');
g_pFunc4 := GetProcAddress(hMod, 'OsThunkD3dDrawPrimitives2');
g_pFunc5 := GetProcAddress(hMod, 'OsThunkD3dValidateTextureStageState');
g_pFunc6 := GetProcAddress(hMod, 'OsThunkDdAddAttachedSurface');
g_pFunc7 := GetProcAddress(hMod, 'OsThunkDdAlphaBlt');
g_pFunc8 := GetProcAddress(hMod, 'OsThunkDdAttachSurface');
g_pFunc9 := GetProcAddress(hMod, 'OsThunkDdBeginMoCompFrame');
g_pFunc10 := GetProcAddress(hMod, 'OsThunkDdBlt');
g_pFunc11 := GetProcAddress(hMod, 'OsThunkDdCanCreateD3DBuffer');
g_pFunc12 := GetProcAddress(hMod, 'OsThunkDdCanCreateSurface');
g_pFunc13 := GetProcAddress(hMod, 'OsThunkDdColorControl');
g_pFunc14 := GetProcAddress(hMod, 'OsThunkDdCreateD3DBuffer');
g_pFunc15 := GetProcAddress(hMod, 'OsThunkDdCreateDirectDrawObject');
g_pFunc16 := GetProcAddress(hMod, 'OsThunkDdCreateMoComp');
g_pFunc17 := GetProcAddress(hMod, 'OsThunkDdCreateSurface');
g_pFunc18 := GetProcAddress(hMod, 'OsThunkDdCreateSurfaceEx');
g_pFunc19 := GetProcAddress(hMod, 'OsThunkDdCreateSurfaceObject');
g_pFunc20 := GetProcAddress(hMod, 'OsThunkDdDeleteDirectDrawObject');
g_pFunc21 := GetProcAddress(hMod, 'OsThunkDdDeleteSurfaceObject');
g_pFunc22 := GetProcAddress(hMod, 'OsThunkDdDestroyD3DBuffer');
g_pFunc23 := GetProcAddress(hMod, 'OsThunkDdDestroyMoComp');
g_pFunc24 := GetProcAddress(hMod, 'OsThunkDdDestroySurface');
g_pFunc25 := GetProcAddress(hMod, 'OsThunkDdEndMoCompFrame');
g_pFunc26 := GetProcAddress(hMod, 'OsThunkDdFlip');
g_pFunc27 := GetProcAddress(hMod, 'OsThunkDdFlipToGDISurface');
g_pFunc28 := GetProcAddress(hMod, 'OsThunkDdGetAvailDriverMemory');
g_pFunc29 := GetProcAddress(hMod, 'OsThunkDdGetBltStatus');
g_pFunc30 := GetProcAddress(hMod, 'OsThunkDdGetDC');
g_pFunc31 := GetProcAddress(hMod, 'OsThunkDdGetDriverInfo');
g_pFunc32 := GetProcAddress(hMod, 'OsThunkDdGetDriverState');
g_pFunc33 := GetProcAddress(hMod, 'OsThunkDdGetDxHandle');
g_pFunc34 := GetProcAddress(hMod, 'OsThunkDdGetFlipStatus');
g_pFunc35 := GetProcAddress(hMod, 'OsThunkDdGetInternalMoCompInfo');
g_pFunc36 := GetProcAddress(hMod, 'OsThunkDdGetMoCompBuffInfo');
g_pFunc37 := GetProcAddress(hMod, 'OsThunkDdGetMoCompFormats');
g_pFunc38 := GetProcAddress(hMod, 'OsThunkDdGetMoCompGuids');
g_pFunc39 := GetProcAddress(hMod, 'OsThunkDdGetScanLine');
g_pFunc40 := GetProcAddress(hMod, 'OsThunkDdLock');
g_pFunc41 := GetProcAddress(hMod, 'OsThunkDdLockD3D');
g_pFunc42 := GetProcAddress(hMod, 'OsThunkDdQueryDirectDrawObject');
g_pFunc43 := GetProcAddress(hMod, 'OsThunkDdQueryMoCompStatus');
g_pFunc44 := GetProcAddress(hMod, 'OsThunkDdReenableDirectDrawObject');
g_pFunc45 := GetProcAddress(hMod, 'OsThunkDdReleaseDC');
g_pFunc46 := GetProcAddress(hMod, 'OsThunkDdRenderMoComp');
g_pFunc47 := GetProcAddress(hMod, 'OsThunkDdResetVisrgn');
g_pFunc48 := GetProcAddress(hMod, 'OsThunkDdSetColorKey');
g_pFunc49 := GetProcAddress(hMod, 'OsThunkDdSetExclusiveMode');
g_pFunc50 := GetProcAddress(hMod, 'OsThunkDdSetGammaRamp');
g_pFunc51 := GetProcAddress(hMod, 'OsThunkDdSetOverlayPosition');
g_pFunc52 := GetProcAddress(hMod, 'OsThunkDdUnattachSurface');
g_pFunc53 := GetProcAddress(hMod, 'OsThunkDdUnlock');
g_pFunc54 := GetProcAddress(hMod, 'OsThunkDdUnlockD3D');
g_pFunc55 := GetProcAddress(hMod, 'OsThunkDdUpdateOverlay');
g_pFunc56 := GetProcAddress(hMod, 'OsThunkDdWaitForVerticalBlank');
end;
end;
DLL_PROCESS_DETACH: begin end;
end;
end;
begin
DllProc := @EntryPoint;
EntryPoint(DLL_PROCESS_ATTACH);
end.
本帖最后由 iokey 于 2022-4-8 00:21 编辑
直接上代码吧
library d3d8thk;
uses Windows;
var
g_pFunc1, g_pFunc2, g_pFunc3, g_pFunc4, g_pFunc5, g_pFunc6, g_pFunc7, g_pFunc8, g_pFunc9, g_pFunc10,
g_pFunc11, g_pFunc12, g_pFunc13, g_pFunc14, g_pFunc15, g_pFunc16, g_pFunc17, g_pFunc18, g_pFunc19, g_pFunc20,
g_pFunc21, g_pFunc22, g_pFunc23, g_pFunc24, g_pFunc25, g_pFunc26, g_pFunc27, g_pFunc28, g_pFunc29, g_pFunc30,
g_pFunc31, g_pFunc32, g_pFunc33, g_pFunc34, g_pFunc35, g_pFunc36, g_pFunc37, g_pFunc38, g_pFunc39, g_pFunc40,
g_pFunc41, g_pFunc42, g_pFunc43, g_pFunc44, g_pFunc45, g_pFunc46, g_pFunc47, g_pFunc48, g_pFunc49, g_pFunc50,
g_pFunc51, g_pFunc52, g_pFunc53, g_pFunc54, g_pFunc55, g_pFunc56: Pointer;
g_dwCall: DWORD;
g_nBakData: Int64;
procedure FakeProc1; asm jmp g_pFunc1 end;
procedure FakeProc2; asm jmp g_pFunc2 end;
procedure FakeProc3; asm jmp g_pFunc3 end;
procedure FakeProc4; asm jmp g_pFunc4 end;
procedure FakeProc5; asm jmp g_pFunc5 end;
procedure FakeProc6; asm jmp g_pFunc6 end;
procedure FakeProc7; asm jmp g_pFunc7 end;
procedure FakeProc8; asm jmp g_pFunc8 end;
procedure FakeProc9; asm jmp g_pFunc9 end;
procedure FakeProc10; asm jmp g_pFunc10 end;
procedure FakeProc11; asm jmp g_pFunc11 end;
procedure FakeProc12; asm jmp g_pFunc12 end;
procedure FakeProc13; asm jmp g_pFunc13 end;
procedure FakeProc14; asm jmp g_pFunc14 end;
procedure FakeProc15; asm jmp g_pFunc15 end;
procedure FakeProc16; asm jmp g_pFunc16 end;
procedure FakeProc17; asm jmp g_pFunc17 end;
procedure FakeProc18; asm jmp g_pFunc18 end;
procedure FakeProc19; asm jmp g_pFunc19 end;
procedure FakeProc20; asm jmp g_pFunc20 end;
procedure FakeProc21; asm jmp g_pFunc21 end;
procedure FakeProc22; asm jmp g_pFunc22 end;
procedure FakeProc23; asm jmp g_pFunc23 end;
procedure FakeProc24; asm jmp g_pFunc24 end;
procedure FakeProc25; asm jmp g_pFunc25 end;
procedure FakeProc26; asm jmp g_pFunc26 end;
procedure FakeProc27; asm jmp g_pFunc27 end;
procedure FakeProc28; asm jmp g_pFunc28 end;
procedure FakeProc29; asm jmp g_pFunc29 end;
procedure FakeProc30; asm jmp g_pFunc30 end;
procedure FakeProc31; asm jmp g_pFunc31 end;
procedure FakeProc32; asm jmp g_pFunc32 end;
procedure FakeProc33; asm jmp g_pFunc33 end;
procedure FakeProc34; asm jmp g_pFunc34 end;
procedure FakeProc35; asm jmp g_pFunc35 end;
procedure FakeProc36; asm jmp g_pFunc36 end;
procedure FakeProc37; asm jmp g_pFunc37 end;
procedure FakeProc38; asm jmp g_pFunc38 end;
procedure FakeProc39; asm jmp g_pFunc39 end;
procedure FakeProc40; asm jmp g_pFunc40 end;
procedure FakeProc41; asm jmp g_pFunc41 end;
procedure FakeProc42; asm jmp g_pFunc42 end;
procedure FakeProc43; asm jmp g_pFunc43 end;
procedure FakeProc44; asm jmp g_pFunc44 end;
procedure FakeProc45; asm jmp g_pFunc45 end;
procedure FakeProc46; asm jmp g_pFunc46 end;
procedure FakeProc47; asm jmp g_pFunc47 end;
procedure FakeProc48; asm jmp g_pFunc48 end;
procedure FakeProc49; asm jmp g_pFunc49 end;
procedure FakeProc50; asm jmp g_pFunc50 end;
procedure FakeProc51; asm jmp g_pFunc51 end;
procedure FakeProc52; asm jmp g_pFunc52 end;
procedure FakeProc53; asm jmp g_pFunc53 end;
procedure FakeProc54; asm jmp g_pFunc54 end;
procedure FakeProc55; asm jmp g_pFunc55 end;
procedure FakeProc56; asm jmp g_pFunc56 end;
exports
FakeProc56 name 'OsThunkDdWaitForVerticalBlank',
FakeProc55 name 'OsThunkDdUpdateOverlay',
FakeProc54 name 'OsThunkDdUnlockD3D',
FakeProc53 name 'OsThunkDdUnlock',
FakeProc52 name 'OsThunkDdUnattachSurface',
FakeProc51 name 'OsThunkDdSetOverlayPosition',
FakeProc50 name 'OsThunkDdSetGammaRamp',
FakeProc49 name 'OsThunkDdSetExclusiveMode',
FakeProc48 name 'OsThunkDdSetColorKey',
FakeProc47 name 'OsThunkDdResetVisrgn',
FakeProc46 name 'OsThunkDdRenderMoComp',
FakeProc45 name 'OsThunkDdReleaseDC',
FakeProc44 name 'OsThunkDdReenableDirectDrawObject',
FakeProc43 name 'OsThunkDdQueryMoCompStatus',
FakeProc42 name 'OsThunkDdQueryDirectDrawObject',
FakeProc41 name 'OsThunkDdLockD3D',
FakeProc40 name 'OsThunkDdLock',
FakeProc39 name 'OsThunkDdGetScanLine',
FakeProc38 name 'OsThunkDdGetMoCompGuids',
FakeProc37 name 'OsThunkDdGetMoCompFormats',
FakeProc36 name 'OsThunkDdGetMoCompBuffInfo',
FakeProc35 name 'OsThunkDdGetInternalMoCompInfo',
FakeProc34 name 'OsThunkDdGetFlipStatus',
FakeProc33 name 'OsThunkDdGetDxHandle',
FakeProc32 name 'OsThunkDdGetDriverState',
FakeProc31 name 'OsThunkDdGetDriverInfo',
FakeProc30 name 'OsThunkDdGetDC',
FakeProc29 name 'OsThunkDdGetBltStatus',
FakeProc28 name 'OsThunkDdGetAvailDriverMemory',
FakeProc27 name 'OsThunkDdFlipToGDISurface',
FakeProc26 name 'OsThunkDdFlip',
FakeProc25 name 'OsThunkDdEndMoCompFrame',
FakeProc24 name 'OsThunkDdDestroySurface',
FakeProc23 name 'OsThunkDdDestroyMoComp',
FakeProc22 name 'OsThunkDdDestroyD3DBuffer',
FakeProc21 name 'OsThunkDdDeleteSurfaceObject',
FakeProc20 name 'OsThunkDdDeleteDirectDrawObject',
FakeProc19 name 'OsThunkDdCreateSurfaceObject',
FakeProc18 name 'OsThunkDdCreateSurfaceEx',
FakeProc17 name 'OsThunkDdCreateSurface',
FakeProc16 name 'OsThunkDdCreateMoComp',
FakeProc15 name 'OsThunkDdCreateDirectDrawObject',
FakeProc14 name 'OsThunkDdCreateD3DBuffer',
FakeProc13 name 'OsThunkDdColorControl',
FakeProc12 name 'OsThunkDdCanCreateSurface',
FakeProc11 name 'OsThunkDdCanCreateD3DBuffer',
FakeProc10 name 'OsThunkDdBlt',
FakeProc9 name 'OsThunkDdBeginMoCompFrame',
FakeProc8 name 'OsThunkDdAttachSurface',
FakeProc7 name 'OsThunkDdAlphaBlt',
FakeProc6 name 'OsThunkDdAddAttachedSurface',
FakeProc5 name 'OsThunkD3dValidateTextureStageState',
FakeProc4 name 'OsThunkD3dDrawPrimitives2',
FakeProc3 name 'OsThunkD3dContextDestroyAll',
FakeProc2 name 'OsThunkD3dContextDestroy',
FakeProc1 name 'OsThunkD3dContextCreate';
function HookApiFunc(lpApi, lpNew, lpOrg: Pointer): BOOL;
var
dwOffset: DWORD;
jmpCode: array of Byte;
begin
Result := False;
if (lpApi = nil) or (lpNew = nil) or (lpOrg = nil) then Exit;
if PDWORD(lpApi)^ <> $8B55FF8B then Exit;
if PByte(DWORD(lpApi) - 5)^ <> PByte(DWORD(lpApi) - 4)^ then Exit;
if (PDWORD(DWORD(lpApi) - 4)^ <> $90909090) and (PDWORD(DWORD(lpApi) - 4)^ <> $CCCCCCCC) then Exit;
dwOffset := DWORD(lpApi) + 2;
PDWORD(lpOrg)^ := dwOffset;
dwOffset := DWORD(lpNew) - DWORD(lpApi);
jmpCode := $E9;
PDWORD(@jmpCode)^ := dwOffset;
jmpCode := $EB;
jmpCode := $F9;
dwOffset := 0;
if VirtualProtect(PByte(DWORD(lpApi) - 5), 7, PAGE_EXECUTE_READWRITE, @dwOffset) then begin
CopyMemory(PByte(DWORD(lpApi) - 5), @jmpCode, 7);
VirtualProtect(PByte(DWORD(lpApi) - 5), 7, dwOffset, @dwOffset);
Result := True;
end;
end;
function MyZwSetInformationThread(hThread, dwClass, dwInfo, dwLen: DWORD): Integer; stdcall;
type TCall = function(hThread, dwClass, dwInfo, dwLen: DWORD): Integer; stdcall;
begin
Result := 0;
if dwClass = $11 then Exit;
Result := TCall(g_dwCall)(hThread, dwClass, dwInfo, dwLen);
end;
procedure ReCoveryDbgUiRemoteBreakin(lpArg: PInt64);
var
nCount: Integer;
dwTemp: DWORD;
begin
nCount := 0;
while nCount < 6000 do begin
Sleep(100);
if lpArg^ <> g_nBakData then begin
if VirtualProtect(lpArg, 8, PAGE_EXECUTE_READWRITE, @dwTemp) then begin
lpArg^ := g_nBakData; //还原数据
VirtualProtect(lpArg, 8, dwTemp, @dwTemp);
end;
end;
Inc(nCount);
end;
end;
procedure InitHook;
var
dwMod: DWORD;
pApi: Pointer;
dwTid: DWORD;
begin
dwMod := GetModuleHandle('ntdll.dll');
pApi := GetProcAddress(dwMod, 'ZwSetInformationThread');
if pApi <> nil then HookApiFunc(pApi, @MyZwSetInformationThread, @g_dwCall);
pApi := GetProcAddress(dwMod, 'DbgUiRemoteBreakin');
if pApi = nil then Exit;
try
g_nBakData := PInt64(pApi)^;
CloseHandle(BeginThread(nil, 0, @ReCoveryDbgUiRemoteBreakin, pApi, 0, dwTid));
except end;
end;
procedure EntryPoint(dwReason: DWORD);
var hMod: HMODULE;
begin
case dwReason of
DLL_PROCESS_ATTACH:
begin
InitHook;
hMod := LoadLibrary('C:\Windows\system32\d3d8thk.dll');
if hMod <> 0 then begin
g_pFunc1 := GetProcAddress(hMod, 'OsThunkD3dContextCreate');
g_pFunc2 := GetProcAddress(hMod, 'OsThunkD3dContextDestroy');
g_pFunc3 := GetProcAddress(hMod, 'OsThunkD3dContextDestroyAll');
g_pFunc4 := GetProcAddress(hMod, 'OsThunkD3dDrawPrimitives2');
g_pFunc5 := GetProcAddress(hMod, 'OsThunkD3dValidateTextureStageState');
g_pFunc6 := GetProcAddress(hMod, 'OsThunkDdAddAttachedSurface');
g_pFunc7 := GetProcAddress(hMod, 'OsThunkDdAlphaBlt');
g_pFunc8 := GetProcAddress(hMod, 'OsThunkDdAttachSurface');
g_pFunc9 := GetProcAddress(hMod, 'OsThunkDdBeginMoCompFrame');
g_pFunc10 := GetProcAddress(hMod, 'OsThunkDdBlt');
g_pFunc11 := GetProcAddress(hMod, 'OsThunkDdCanCreateD3DBuffer');
g_pFunc12 := GetProcAddress(hMod, 'OsThunkDdCanCreateSurface');
g_pFunc13 := GetProcAddress(hMod, 'OsThunkDdColorControl');
g_pFunc14 := GetProcAddress(hMod, 'OsThunkDdCreateD3DBuffer');
g_pFunc15 := GetProcAddress(hMod, 'OsThunkDdCreateDirectDrawObject');
g_pFunc16 := GetProcAddress(hMod, 'OsThunkDdCreateMoComp');
g_pFunc17 := GetProcAddress(hMod, 'OsThunkDdCreateSurface');
g_pFunc18 := GetProcAddress(hMod, 'OsThunkDdCreateSurfaceEx');
g_pFunc19 := GetProcAddress(hMod, 'OsThunkDdCreateSurfaceObject');
g_pFunc20 := GetProcAddress(hMod, 'OsThunkDdDeleteDirectDrawObject');
g_pFunc21 := GetProcAddress(hMod, 'OsThunkDdDeleteSurfaceObject');
g_pFunc22 := GetProcAddress(hMod, 'OsThunkDdDestroyD3DBuffer');
g_pFunc23 := GetProcAddress(hMod, 'OsThunkDdDestroyMoComp');
g_pFunc24 := GetProcAddress(hMod, 'OsThunkDdDestroySurface');
g_pFunc25 := GetProcAddress(hMod, 'OsThunkDdEndMoCompFrame');
g_pFunc26 := GetProcAddress(hMod, 'OsThunkDdFlip');
g_pFunc27 := GetProcAddress(hMod, 'OsThunkDdFlipToGDISurface');
g_pFunc28 := GetProcAddress(hMod, 'OsThunkDdGetAvailDriverMemory');
g_pFunc29 := GetProcAddress(hMod, 'OsThunkDdGetBltStatus');
g_pFunc30 := GetProcAddress(hMod, 'OsThunkDdGetDC');
g_pFunc31 := GetProcAddress(hMod, 'OsThunkDdGetDriverInfo');
g_pFunc32 := GetProcAddress(hMod, 'OsThunkDdGetDriverState');
g_pFunc33 := GetProcAddress(hMod, 'OsThunkDdGetDxHandle');
g_pFunc34 := GetProcAddress(hMod, 'OsThunkDdGetFlipStatus');
g_pFunc35 := GetProcAddress(hMod, 'OsThunkDdGetInternalMoCompInfo');
g_pFunc36 := GetProcAddress(hMod, 'OsThunkDdGetMoCompBuffInfo');
g_pFunc37 := GetProcAddress(hMod, 'OsThunkDdGetMoCompFormats');
g_pFunc38 := GetProcAddress(hMod, 'OsThunkDdGetMoCompGuids');
g_pFunc39 := GetProcAddress(hMod, 'OsThunkDdGetScanLine');
g_pFunc40 := GetProcAddress(hMod, 'OsThunkDdLock');
g_pFunc41 := GetProcAddress(hMod, 'OsThunkDdLockD3D');
g_pFunc42 := GetProcAddress(hMod, 'OsThunkDdQueryDirectDrawObject');
g_pFunc43 := GetProcAddress(hMod, 'OsThunkDdQueryMoCompStatus');
g_pFunc44 := GetProcAddress(hMod, 'OsThunkDdReenableDirectDrawObject');
g_pFunc45 := GetProcAddress(hMod, 'OsThunkDdReleaseDC');
g_pFunc46 := GetProcAddress(hMod, 'OsThunkDdRenderMoComp');
g_pFunc47 := GetProcAddress(hMod, 'OsThunkDdResetVisrgn');
g_pFunc48 := GetProcAddress(hMod, 'OsThunkDdSetColorKey');
g_pFunc49 := GetProcAddress(hMod, 'OsThunkDdSetExclusiveMode');
g_pFunc50 := GetProcAddress(hMod, 'OsThunkDdSetGammaRamp');
g_pFunc51 := GetProcAddress(hMod, 'OsThunkDdSetOverlayPosition');
g_pFunc52 := GetProcAddress(hMod, 'OsThunkDdUnattachSurface');
g_pFunc53 := GetProcAddress(hMod, 'OsThunkDdUnlock');
g_pFunc54 := GetProcAddress(hMod, 'OsThunkDdUnlockD3D');
g_pFunc55 := GetProcAddress(hMod, 'OsThunkDdUpdateOverlay');
g_pFunc56 := GetProcAddress(hMod, 'OsThunkDdWaitForVerticalBlank');
end;
end;
DLL_PROCESS_DETACH: begin end;
end;
end;
begin
DllProc := @EntryPoint;
EntryPoint(DLL_PROCESS_ATTACH);
end.
复制代码到记事本中,另存为d3d8thk.dpr文件,然后百度搜索Delphi7精简版,5.5M的精简版就行,下载安装好后,运行delphi7打开d3d8thk.dpr编译成d3d8thk.dll文件,把d3d8thk.dll放到热血江湖客户端的client目录里面(跟client.exe同一个目录里),然后进入游戏,OD完美附加+下断 本帖最后由 amonsonic 于 2022-4-7 16:22 编辑
调试个破游戏真他妈的恶心
到嘴的鸭子没办法下嘴, 别提多难受了
52pojie的od, 自己看楼
用某论坛的vip od可以附加, 但是一点f9就会崩溃了
被调试的程序无壳, 应该是有干扰 api exit 相关, 下断点试试 本帖最后由 iokey 于 2022-4-7 18:11 编辑
游戏进程Client.exe调用了ntdll.ZwSetInformationThread隐藏了ThreadHideFromDebugger。
并且Hook了ntdll.DbgUiRemoteBreakin。
自己写个DLL劫持,处理一下可能检测的东西:
DbgBreakPoint
DbgUiRemoteBreakin
IsDebuggerPresent
CheckRemoteDebuggerPresent
hook ZwSetInformationThread 禁止调用参数ThreadHideFromDebugger
然后OD就能附加游戏了 iokey 发表于 2022-4-7 18:08
游戏进程Client.exe调用了ntdll.ZwSetInformationThread隐藏了ThreadHideFromDebugger。
并且Hook了ntdll. ...
大佬能说的稍微详细点我 我需要怎么做?
我用pchuner 常识去暂停, 卸载 client.exe中的 线程, 还有iyy2.dll(加了vmp3的壳) ,
还有暂停进程
玩来玩去没搞定, 结果蓝屏了 本帖最后由 amonsonic 于 2022-4-11 20:25 编辑
iokey 发表于 2022-4-8 00:19
直接上代码吧
library d3d8thk;
确实是可以附加了
但是只要一输入用户名, 游戏还是会崩溃
如果是进入游戏之后再附加的话, 虽然可以ollydbg附加的上但是游戏会失去响应, 根登陆框差不多进入失去响应状态
再比如已经打了你的反调试补丁的前提下,
用CE附加进程, 只要抓到内存访问断点之类的触发, 游戏也会立即崩溃
本帖最后由 amonsonic 于 2022-4-9 13:52 编辑
iokey 发表于 2022-4-8 07:54
不好意思,夜里代码贴错了,重贴一下:
library d3d8thk;
虽然原理还没全搞明白
但确实是可以附加了
但是好景不长, 几个小时以后老毛病又反了, 是v2.0的delphi dll补丁
好像会创建一个线程 (学破解的od能看到, 点f9以后)
现在附加后会断在 break这个断点上
iokey 发表于 2022-4-8 07:54
不好意思,夜里代码贴错了,重贴一下:
library d3d8thk;
www.rxjhgy.com (网站下载好像失效, 到群有下载)
这边还有一个, 一样无法调试
在虚拟机运行, 只要一运行就会退出. 没有任何提示
折中类型的登录器是主流, 就是有一个启动加速
还会释放多个文件 (除了游戏更新外, 其中有一个隐藏文件, 真实的登录器, 但是双击没反应)
页:
[1]
2