Previous tutorial:
[Original] CE Tutorial: Ideas and Implementation of a Map Wallhack for 逃跑吧少年
Preface:
In the previous tutorial we implemented the map wallhack for 逃跑吧少年. In the replies I noticed people asking for a finished modding tool, so this tutorial was born~ (and also because of a series of magical happenings in a certain QQ group this morning).
First, a test screenshot. Suppose I have already written a finished tool; when you open it, you will see the following prompt.
As shown in the picture above, this is the illegal-process detection in 逃跑吧少年, and today our goal is to get past this detection.
Thoughts and guesses:
From the test screenshot we can see that the game successfully obtained the directory of the illegal tool and classified it as a cheat program.
In fact this game targets Easy Language (易语言) programs: anything written in Easy Language is categorically judged to be a cheat!
So here we already have one idea for getting past the detection: remove the Easy Language program's characteristics, or simply compile one in another programming language (such as C~). This method should work, but a newbie like me can't pull off such high-end operations~ so those who can, give it a try.
Below I recommend another approach.
In the picture above, the game located the running directory of the program via the "illegal program" process.
So we can roughly infer the detection flow: open the process to get a process handle → check whether the process has Easy Language program characteristics → if Easy Language characteristics are found → get the program's running directory and pop up the game dialog → upload the anomaly information to the game server → forcibly terminate the game process
Once the detection flow is clear, it's easy: we start from the first step of the detection, opening the process!
OpenProcess is the function that opens a process. Let's check whether this game calls this function to open the process.
C:\Users\admin\Desktop\测试.exe
Below, let's get to know a function: OpenProcess
OpenProcess
Function name: OpenProcess
Location: Kernel32.dll
The OpenProcess function opens an existing process object and returns a handle to the process.
1. Function prototype
HANDLE OpenProcess(
    DWORD dwDesiredAccess, // desired access rights (flags)
    BOOL  bInheritHandle,  // whether the handle is inheritable
    DWORD dwProcessId      // process identifier
);
(The above information comes from Baidu Baike.)
Implementing the bypass of the illegal-process detection:
First attach CE to the game process → Memory View → right-click → Go to address → enter OpenProcess → OK
Note: the game has driver protection; for how to attach to the process, see the method in the previous tutorial!
Press F5 at the function head to set a breakpoint.
Not long after entering the game, we find the breakpoint has fired [at this point the game's main program was not suspended along with it, so we can infer that this detection runs on a separate thread; we don't need to worry about that for now].
Double-click the first returned address to follow it.
Following it, we arrive here, which means the Call above calls the OpenProcess function, and the Call above is
snake_pc_helper.dll+117640 - 55 - push ebp
snake_pc_helper.dll+117641 - 8B EC - mov ebp,esp
snake_pc_helper.dll+117643 - 6A FF - push -01 { 255 }
snake_pc_helper.dll+117645 - 68 E50A1474 - push snake_pc_helper.dll+2F0AE5 { (139) }
snake_pc_helper.dll+11764A - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
snake_pc_helper.dll+117650 - 50 - push eax
snake_pc_helper.dll+117651 - 81 EC A8070000 - sub esp,000007A8 { 1960 }
snake_pc_helper.dll+117657 - 53 - push ebx
snake_pc_helper.dll+117658 - 56 - push esi
snake_pc_helper.dll+117659 - 57 - push edi
snake_pc_helper.dll+11765A - 8D BD 4CF8FFFF - lea edi,[ebp-000007B4]
snake_pc_helper.dll+117660 - B9 EA010000 - mov ecx,000001EA { 490 }
snake_pc_helper.dll+117665 - B8 CCCCCCCC - mov eax,CCCCCCCC { -858993460 }
snake_pc_helper.dll+11766A - F3 AB - repe stosd
snake_pc_helper.dll+11766C - A1 E0171B74 - mov eax,[snake_pc_helper.dll+3617E0] { (-1863603359) }
snake_pc_helper.dll+117671 - 33 C5 - xor eax,ebp
snake_pc_helper.dll+117673 - 89 45 F0 - mov [ebp-10],eax
snake_pc_helper.dll+117676 - 50 - push eax
snake_pc_helper.dll+117677 - 8D 45 F4 - lea eax,[ebp-0C]
snake_pc_helper.dll+11767A - 64 A3 00000000 - mov fs:[00000000],eax { 0 }
snake_pc_helper.dll+117680 - C7 45 FC 00000000 - mov [ebp-04],00000000 { 0 }
snake_pc_helper.dll+117687 - B9 90361B74 - mov ecx,snake_pc_helper.dll+363690 { (0) }
snake_pc_helper.dll+11768C - E8 89B8FEFF - call snake_pc_helper.get_version+4AB
snake_pc_helper.dll+117691 - 0FB6 C0 - movzx eax,al
snake_pc_helper.dll+117694 - 85 C0 - test eax,eax
snake_pc_helper.dll+117696 - 0F84 2E010000 - je snake_pc_helper.dll+1177CA
snake_pc_helper.dll+11769C - 8D 4D 08 - lea ecx,[ebp+08]
snake_pc_helper.dll+11769F - E8 C57DFEFF - call snake_pc_helper.async_request_if_can_join_room+C2B
snake_pc_helper.dll+1176A4 - 89 45 E8 - mov [ebp-18],eax
snake_pc_helper.dll+1176A7 - C7 45 DC 00000000 - mov [ebp-24],00000000 { 0 }
snake_pc_helper.dll+1176AE - EB 09 - jmp snake_pc_helper.dll+1176B9
snake_pc_helper.dll+1176B0 - 8B 45 DC - mov eax,[ebp-24]
snake_pc_helper.dll+1176B3 - 83 C0 01 - add eax,01 { 1 }
snake_pc_helper.dll+1176B6 - 89 45 DC - mov [ebp-24],eax
snake_pc_helper.dll+1176B9 - 8B 45 DC - mov eax,[ebp-24]
snake_pc_helper.dll+1176BC - 3B 45 E8 - cmp eax,[ebp-18]
snake_pc_helper.dll+1176BF - 0F8D 05010000 - jnl snake_pc_helper.dll+1177CA
snake_pc_helper.dll+1176C5 - 8B 45 DC - mov eax,[ebp-24]
snake_pc_helper.dll+1176C8 - 50 - push eax
snake_pc_helper.dll+1176C9 - 8D 4D 08 - lea ecx,[ebp+08]
snake_pc_helper.dll+1176CC - E8 0BD3FEFF - call snake_pc_helper.process_protect+89D
snake_pc_helper.dll+1176D1 - 50 - push eax
snake_pc_helper.dll+1176D2 - 8D 4D C4 - lea ecx,[ebp-3C]
snake_pc_helper.dll+1176D5 - E8 B0B6FEFF - call snake_pc_helper.get_version+31B
snake_pc_helper.dll+1176DA - C6 45 FC 01 - mov byte ptr [ebp-04],01 { 1 }
snake_pc_helper.dll+1176DE - 8D 45 9C - lea eax,[ebp-64]
snake_pc_helper.dll+1176E1 - 50 - push eax
snake_pc_helper.dll+1176E2 - 68 20791574 - push snake_pc_helper.dll+307920 { ("list") }
snake_pc_helper.dll+1176E7 - 8D 4D C4 - lea ecx,[ebp-3C]
snake_pc_helper.dll+1176EA - E8 7519FEFF - call snake_pc_helper.dll+F9064
snake_pc_helper.dll+1176EF - 8B C8 - mov ecx,eax
snake_pc_helper.dll+1176F1 - E8 6F9AFEFF - call snake_pc_helper.fetch_param+B31
snake_pc_helper.dll+1176F6 - C6 45 FC 02 - mov byte ptr [ebp-04],02 { 2 }
snake_pc_helper.dll+1176FA - 8D 85 80F8FFFF - lea eax,[ebp-00000780]
snake_pc_helper.dll+117700 - 50 - push eax
snake_pc_helper.dll+117701 - B9 90361B74 - mov ecx,snake_pc_helper.dll+363690 { (0) }
snake_pc_helper.dll+117706 - E8 1E36FEFF - call snake_pc_helper.compressJson+488
snake_pc_helper.dll+11770B - 89 85 58F8FFFF - mov [ebp-000007A8],eax
snake_pc_helper.dll+117711 - 8B 8D 58F8FFFF - mov ecx,[ebp-000007A8]
snake_pc_helper.dll+117717 - 89 8D 54F8FFFF - mov [ebp-000007AC],ecx
snake_pc_helper.dll+11771D - C6 45 FC 03 - mov byte ptr [ebp-04],03 { 3 }
snake_pc_helper.dll+117721 - 8B 95 54F8FFFF - mov edx,[ebp-000007AC]
snake_pc_helper.dll+117727 - 52 - push edx
snake_pc_helper.dll+117728 - 8D 45 9C - lea eax,[ebp-64]
snake_pc_helper.dll+11772B - 50 - push eax
snake_pc_helper.dll+11772C - 8D 8D 6CF8FFFF - lea ecx,[ebp-00000794]
snake_pc_helper.dll+117732 - 51 - push ecx
snake_pc_helper.dll+117733 - B9 90361B74 - mov ecx,snake_pc_helper.dll+363690 { (0) }
snake_pc_helper.dll+117738 - E8 E898FEFF - call snake_pc_helper.fetch_param+9F1
snake_pc_helper.dll+11773D - 89 85 50F8FFFF - mov [ebp-000007B0],eax
snake_pc_helper.dll+117743 - 8B 95 50F8FFFF - mov edx,[ebp-000007B0]
snake_pc_helper.dll+117749 - 89 95 4CF8FFFF - mov [ebp-000007B4],edx
snake_pc_helper.dll+11774F - C6 45 FC 04 - mov byte ptr [ebp-04],04 { 4 }
snake_pc_helper.dll+117753 - 8B 8D 4CF8FFFF - mov ecx,[ebp-000007B4]
snake_pc_helper.dll+117759 - E8 DDAFFEFF - call snake_pc_helper.Send+FF
snake_pc_helper.dll+11775E - 88 85 63F8FFFF - mov [ebp-0000079D],al
snake_pc_helper.dll+117764 - C6 45 FC 03 - mov byte ptr [ebp-04],03 { 3 }
snake_pc_helper.dll+117768 - 8D 8D 6CF8FFFF - lea ecx,[ebp-00000794]
snake_pc_helper.dll+11776E - E8 2819FEFF - call snake_pc_helper.dll+F909B
snake_pc_helper.dll+117773 - C6 45 FC 02 - mov byte ptr [ebp-04],02 { 2 }
snake_pc_helper.dll+117777 - 8D 8D 80F8FFFF - lea ecx,[ebp-00000780]
snake_pc_helper.dll+11777D - E8 1919FEFF - call snake_pc_helper.dll+F909B
snake_pc_helper.dll+117782 - 0FB6 85 63F8FFFF - movzx eax,byte ptr [ebp-0000079D]
snake_pc_helper.dll+117789 - 85 C0 - test eax,eax
snake_pc_helper.dll+11778B - 74 20 - je snake_pc_helper.dll+1177AD
snake_pc_helper.dll+11778D - 8D 45 9C - lea eax,[ebp-64]
snake_pc_helper.dll+117790 - 50 - push eax
snake_pc_helper.dll+117791 - 8D 8D 94F8FFFF - lea ecx,[ebp-0000076C]
snake_pc_helper.dll+117797 - 51 - push ecx
snake_pc_helper.dll+117798 - B9 90361B74 - mov ecx,snake_pc_helper.dll+363690 { (0) }
snake_pc_helper.dll+11779D - E8 664CFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+1177A2 - 8D 8D 94F8FFFF - lea ecx,[ebp-0000076C]
snake_pc_helper.dll+1177A8 - E8 29D3FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+1177AD - C6 45 FC 01 - mov byte ptr [ebp-04],01 { 1 }
snake_pc_helper.dll+1177B1 - 8D 4D 9C - lea ecx,[ebp-64]
snake_pc_helper.dll+1177B4 - E8 BB7BFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+1177B9 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+1177BD - 8D 4D C4 - lea ecx,[ebp-3C]
snake_pc_helper.dll+1177C0 - E8 B2D2FEFF - call snake_pc_helper.process_protect+938
snake_pc_helper.dll+1177C5 - E9 E6FEFFFF - jmp snake_pc_helper.dll+1176B0
snake_pc_helper.dll+1177CA - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+1177CF - E8 46B7FEFF - call snake_pc_helper.get_version+4AB
snake_pc_helper.dll+1177D4 - 0FB6 C0 - movzx eax,al
snake_pc_helper.dll+1177D7 - 85 C0 - test eax,eax
snake_pc_helper.dll+1177D9 - 0F84 76020000 - je snake_pc_helper.dll+117A55
snake_pc_helper.dll+1177DF - 68 14791574 - push snake_pc_helper.dll+307914 { ("lsass.exe") }
snake_pc_helper.dll+1177E4 - 8D 8D ACF8FFFF - lea ecx,[ebp-00000754]
snake_pc_helper.dll+1177EA - E8 7054FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+1177EF - C6 45 FC 05 - mov byte ptr [ebp-04],05 { 5 }
snake_pc_helper.dll+1177F3 - 8D 85 ACF8FFFF - lea eax,[ebp-00000754]
snake_pc_helper.dll+1177F9 - 50 - push eax
snake_pc_helper.dll+1177FA - 8D 8D D4F8FFFF - lea ecx,[ebp-0000072C]
snake_pc_helper.dll+117800 - 51 - push ecx
snake_pc_helper.dll+117801 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+117806 - E8 FD4BFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+11780B - 8D 8D D4F8FFFF - lea ecx,[ebp-0000072C]
snake_pc_helper.dll+117811 - E8 C0D2FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+117816 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+11781A - 8D 8D ACF8FFFF - lea ecx,[ebp-00000754]
snake_pc_helper.dll+117820 - E8 4F7BFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+117825 - 68 04791574 - push snake_pc_helper.dll+307904 { ("services.exe") }
snake_pc_helper.dll+11782A - 8D 8D ECF8FFFF - lea ecx,[ebp-00000714]
snake_pc_helper.dll+117830 - E8 2A54FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+117835 - C6 45 FC 06 - mov byte ptr [ebp-04],06 { 6 }
snake_pc_helper.dll+117839 - 8D 85 ECF8FFFF - lea eax,[ebp-00000714]
snake_pc_helper.dll+11783F - 50 - push eax
snake_pc_helper.dll+117840 - 8D 8D 14F9FFFF - lea ecx,[ebp-000006EC]
snake_pc_helper.dll+117846 - 51 - push ecx
snake_pc_helper.dll+117847 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+11784C - E8 B74BFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+117851 - 8D 8D 14F9FFFF - lea ecx,[ebp-000006EC]
snake_pc_helper.dll+117857 - E8 7AD2FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+11785C - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+117860 - 8D 8D ECF8FFFF - lea ecx,[ebp-00000714]
snake_pc_helper.dll+117866 - E8 097BFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+11786B - 68 F8781574 - push snake_pc_helper.dll+3078F8 { ("smss.exe") }
snake_pc_helper.dll+117870 - 8D 8D 2CF9FFFF - lea ecx,[ebp-000006D4]
snake_pc_helper.dll+117876 - E8 E453FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+11787B - C6 45 FC 07 - mov byte ptr [ebp-04],07 { 7 }
snake_pc_helper.dll+11787F - 8D 85 2CF9FFFF - lea eax,[ebp-000006D4]
snake_pc_helper.dll+117885 - 50 - push eax
snake_pc_helper.dll+117886 - 8D 8D 54F9FFFF - lea ecx,[ebp-000006AC]
snake_pc_helper.dll+11788C - 51 - push ecx
snake_pc_helper.dll+11788D - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+117892 - E8 714BFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+117897 - 8D 8D 54F9FFFF - lea ecx,[ebp-000006AC]
snake_pc_helper.dll+11789D - E8 34D2FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+1178A2 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+1178A6 - 8D 8D 2CF9FFFF - lea ecx,[ebp-000006D4]
snake_pc_helper.dll+1178AC - E8 C37AFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+1178B1 - 68 E8781574 - push snake_pc_helper.dll+3078E8 { ("winlogon.exe") }
snake_pc_helper.dll+1178B6 - 8D 8D 6CF9FFFF - lea ecx,[ebp-00000694]
snake_pc_helper.dll+1178BC - E8 9E53FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+1178C1 - C6 45 FC 08 - mov byte ptr [ebp-04],08 { 8 }
snake_pc_helper.dll+1178C5 - 8D 85 6CF9FFFF - lea eax,[ebp-00000694]
snake_pc_helper.dll+1178CB - 50 - push eax
snake_pc_helper.dll+1178CC - 8D 8D 94F9FFFF - lea ecx,[ebp-0000066C]
snake_pc_helper.dll+1178D2 - 51 - push ecx
snake_pc_helper.dll+1178D3 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+1178D8 - E8 2B4BFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+1178DD - 8D 8D 94F9FFFF - lea ecx,[ebp-0000066C]
snake_pc_helper.dll+1178E3 - E8 EED1FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+1178E8 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+1178EC - 8D 8D 6CF9FFFF - lea ecx,[ebp-00000694]
snake_pc_helper.dll+1178F2 - E8 7D7AFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+1178F7 - 68 D8781574 - push snake_pc_helper.dll+3078D8 { ("explorer.exe") }
snake_pc_helper.dll+1178FC - 8D 8D ACF9FFFF - lea ecx,[ebp-00000654]
snake_pc_helper.dll+117902 - E8 5853FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+117907 - C6 45 FC 09 - mov byte ptr [ebp-04],09 { 9 }
snake_pc_helper.dll+11790B - 8D 85 ACF9FFFF - lea eax,[ebp-00000654]
snake_pc_helper.dll+117911 - 50 - push eax
snake_pc_helper.dll+117912 - 8D 8D D4F9FFFF - lea ecx,[ebp-0000062C]
snake_pc_helper.dll+117918 - 51 - push ecx
snake_pc_helper.dll+117919 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+11791E - E8 E54AFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+117923 - 8D 8D D4F9FFFF - lea ecx,[ebp-0000062C]
snake_pc_helper.dll+117929 - E8 A8D1FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+11792E - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+117932 - 8D 8D ACF9FFFF - lea ecx,[ebp-00000654]
snake_pc_helper.dll+117938 - E8 377AFEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+11793D - 68 C8781574 - push snake_pc_helper.dll+3078C8 { ("wininit.exe") }
snake_pc_helper.dll+117942 - 8D 8D ECF9FFFF - lea ecx,[ebp-00000614]
snake_pc_helper.dll+117948 - E8 1253FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+11794D - C6 45 FC 0A - mov byte ptr [ebp-04],0A { 10 }
snake_pc_helper.dll+117951 - 8D 85 ECF9FFFF - lea eax,[ebp-00000614]
snake_pc_helper.dll+117957 - 50 - push eax
snake_pc_helper.dll+117958 - 8D 8D 14FAFFFF - lea ecx,[ebp-000005EC]
snake_pc_helper.dll+11795E - 51 - push ecx
snake_pc_helper.dll+11795F - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+117964 - E8 9F4AFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+117969 - 8D 8D 14FAFFFF - lea ecx,[ebp-000005EC]
snake_pc_helper.dll+11796F - E8 62D1FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+117974 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+117978 - 8D 8D ECF9FFFF - lea ecx,[ebp-00000614]
snake_pc_helper.dll+11797E - E8 F179FEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+117983 - 68 E8781574 - push snake_pc_helper.dll+3078E8 { ("winlogon.exe") }
snake_pc_helper.dll+117988 - 8D 8D 2CFAFFFF - lea ecx,[ebp-000005D4]
snake_pc_helper.dll+11798E - E8 CC52FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+117993 - C6 45 FC 0B - mov byte ptr [ebp-04],0B { 11 }
snake_pc_helper.dll+117997 - 8D 85 2CFAFFFF - lea eax,[ebp-000005D4]
snake_pc_helper.dll+11799D - 50 - push eax
snake_pc_helper.dll+11799E - 8D 8D 54FAFFFF - lea ecx,[ebp-000005AC]
snake_pc_helper.dll+1179A4 - 51 - push ecx
snake_pc_helper.dll+1179A5 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+1179AA - E8 594AFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+1179AF - 8D 8D 54FAFFFF - lea ecx,[ebp-000005AC]
snake_pc_helper.dll+1179B5 - E8 1CD1FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+1179BA - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+1179BE - 8D 8D 2CFAFFFF - lea ecx,[ebp-000005D4]
snake_pc_helper.dll+1179C4 - E8 AB79FEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+1179C9 - 68 B8781574 - push snake_pc_helper.dll+3078B8 { ("svchost.exe") }
snake_pc_helper.dll+1179CE - 8D 8D 6CFAFFFF - lea ecx,[ebp-00000594]
snake_pc_helper.dll+1179D4 - E8 8652FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+1179D9 - C6 45 FC 0C - mov byte ptr [ebp-04],0C { 12 }
snake_pc_helper.dll+1179DD - 8D 85 6CFAFFFF - lea eax,[ebp-00000594]
snake_pc_helper.dll+1179E3 - 50 - push eax
snake_pc_helper.dll+1179E4 - 8D 8D 94FAFFFF - lea ecx,[ebp-0000056C]
snake_pc_helper.dll+1179EA - 51 - push ecx
snake_pc_helper.dll+1179EB - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+1179F0 - E8 134AFEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+1179F5 - 8D 8D 94FAFFFF - lea ecx,[ebp-0000056C]
snake_pc_helper.dll+1179FB - E8 D6D0FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+117A00 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+117A04 - 8D 8D 6CFAFFFF - lea ecx,[ebp-00000594]
snake_pc_helper.dll+117A0A - E8 6579FEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+117A0F - 68 AC781574 - push snake_pc_helper.dll+3078AC { ("csrss.exe") }
snake_pc_helper.dll+117A14 - 8D 8D ACFAFFFF - lea ecx,[ebp-00000554]
snake_pc_helper.dll+117A1A - E8 4052FEFF - call snake_pc_helper.notify_hall_game_status_changed+CF3
snake_pc_helper.dll+117A1F - C6 45 FC 0D - mov byte ptr [ebp-04],0D { 13 }
snake_pc_helper.dll+117A23 - 8D 85 ACFAFFFF - lea eax,[ebp-00000554]
snake_pc_helper.dll+117A29 - 50 - push eax
snake_pc_helper.dll+117A2A - 8D 8D D4FAFFFF - lea ecx,[ebp-0000052C]
snake_pc_helper.dll+117A30 - 51 - push ecx
snake_pc_helper.dll+117A31 - B9 74361B74 - mov ecx,snake_pc_helper.dll+363674 { (0) }
snake_pc_helper.dll+117A36 - E8 CD49FEFF - call snake_pc_helper.notify_hall_game_status_changed+49C
snake_pc_helper.dll+117A3B - 8D 8D D4FAFFFF - lea ecx,[ebp-0000052C]
snake_pc_helper.dll+117A41 - E8 90D0FEFF - call snake_pc_helper.process_protect+997
snake_pc_helper.dll+117A46 - C6 45 FC 00 - mov byte ptr [ebp-04],00 { 0 }
snake_pc_helper.dll+117A4A - 8D 8D ACFAFFFF - lea ecx,[ebp-00000554]
snake_pc_helper.dll+117A50 - E8 1F79FEFF - call snake_pc_helper.async_request_if_can_join_room+B36
snake_pc_helper.dll+117A55 - E8 FF57FEFF - call snake_pc_helper.notify_hall_game_status_changed+12ED
Well, I've pasted a very long chunk of code here~ it may hurt readability a bit, please bear with me~ We can clearly see that the CE comments contain the following:
("list") ("lsass.exe") ("services.exe") ("smss.exe") ("explorer.exe") ("wininit.exe") ("winlogon.exe") ("svchost.exe") ("csrss.exe")
At this point we can basically confirm that this is indeed where the illegal-process detection happens; the process names above are very likely a "whitelist" used to exclude them.
We keep scrolling down to find what we want (don't know what to look for???? Don't forget the idea: find where the OpenProcess function is called!)
Very soon we have a find! The comment clearly annotates
snake_pc_helper.dll+117AEB - FF 15 CCA81B74 - call dword ptr [snake_pc_helper.dll+36A8CC] { ->kernel32.OpenProcess }
Side rant: no more coloured fonts, it's exhausting; from here on it's plain bold black again.
From Baidu Baike we know the return value of OpenProcess: if OpenProcess succeeds it returns the process handle; if it fails it returns NULL, and GetLastError can be called to get the error code!
OpenProcess return value:
On success, the return value is a handle to the specified process.
On failure, the return value is NULL; call GetLastError to get the error code.
So, following the detection flow we guessed:
open the process to get a process handle → check whether the process has Easy Language program characteristics → if Easy Language characteristics are found → get the program's running directory and pop up the game dialog → upload the anomaly information to the game server → forcibly terminate the game process
We only need to make it unable to obtain the process handle.
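A model of the detection flow inferred above, added here as an example; it is not code from the post or from the game. The process table, the Easy Language flag and the "tool.exe" entry are constructed stand-ins for the Windows API, and the whitelist is the one read from the CE comments. It shows why a check that treats a NULL handle from OpenProcess as "no cheat" fails open, and how a fail-closed variant still reports the process it could not inspect.

```c
/* Added example (not from the original post): a model of the illegal-process
 * scan inferred above, with a constructed process table standing in for the
 * Windows API. Fail-open (NULL handle == "no cheat") vs fail-closed. */
#include <string.h>

typedef struct {
    const char *name;
    int         open_ok;     /* 1: OpenProcess would return a handle */
    unsigned    last_error;  /* GetLastError value when open_ok == 0 */
    int         easylang;    /* 1: shows Easy Language characteristics */
} proc_t;

/* Whitelist of process names exactly as seen in the CE comments above. */
static const char *whitelist[] = {
    "lsass.exe", "services.exe", "smss.exe", "explorer.exe",
    "wininit.exe", "winlogon.exe", "svchost.exe", "csrss.exe", NULL
};

static int whitelisted(const char *name) {
    for (const char **w = whitelist; *w; w++)
        if (strcmp(*w, name) == 0) return 1;
    return 0;
}

/* Fail-open scan, as inferred on the page: a process that cannot be opened
 * is skipped and never reaches the Easy Language check. Returns count flagged. */
int scan_fail_open(const proc_t *t, int n) {
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (whitelisted(t[i].name) || !t[i].open_ok) continue;
        if (t[i].easylang) flagged++;
    }
    return flagged;
}

/* Fail-closed scan: an OpenProcess failure on a non-whitelisted process is
 * itself reported (the GetLastError code would be logged), so a suppressed
 * open no longer makes the process invisible. Returns count flagged. */
int scan_fail_closed(const proc_t *t, int n) {
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (whitelisted(t[i].name)) continue;
        if (!t[i].open_ok) { flagged++; continue; }  /* log t[i].last_error */
        if (t[i].easylang) flagged++;
    }
    return flagged;
}

/* Constructed sample: a whitelisted system process, a benign process, and an
 * Easy Language process whose OpenProcess fails (error 5 = ERROR_ACCESS_DENIED). */
const proc_t sample[] = {
    { "lsass.exe",   1, 0, 0 },
    { "notepad.exe", 1, 0, 0 },
    { "tool.exe",    0, 5, 1 },
};
const int sample_n = 3;
```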
OK, let's scroll up a bit in the code.
We can clearly see that not far above there is a jbe jump that skips the open-process operation below.
jbe (jump if below or equal), here comparing al with bl: it jumps when the value in al is less than or equal to bl (unsigned comparison).
So, to make sure it never triggers the open-process operation below, we change jbe to jmp (unconditional jump) so it always skips.
Come on, let's open an Easy Language program and test! La la la~~~ Success! Celebrate! Quick, quick, must be quick (absolutely not hinting at anything)!!!!
Afterword:
Don't rush! Joy turns to sorrow! Wait about a minute (wow, in under a minute the game crashed by itself! Were we discovered after all???)
This involves another detection (┭┮﹏┭┮ or rather, this detection hasn't been fully bypassed). Hmm, let the newbie take a breather; to find out what happens next, wait for the next instalment!
Newbie online begging for heat points and CB; the amount doesn't matter, it's all love.
Next tutorial: [Original] CE Tutorial: 逃跑吧少年 Bypassing Illegal-Process Detection: Dodging the Crash (Part 2)
Source: http://www.12558.net