剑网3过检测过保护
剑网3过检测过保护的原理很简单:在游戏启动之前 HOOK ZwSetInformationThread 这个函数,把信息类为 ThreadHideFromDebugger 的调用过滤(PASS)掉,线程就不会对调试器隐藏,调试器也就能够正常接收异常
程序
#include "stdafx.h"
// Launcher entry point. Starts JX3Client.exe in a suspended state, makes the
// new process load Jx3DLL.dll by running LoadLibraryA on a remote thread,
// waits for that load to finish, then resumes the client's main thread.
//
// Always returns 0. None of the Win32 calls below have their results checked:
// if CreateProcess fails, `pi` is never filled in and every later call works
// on indeterminate handles.
//
// NOTE(review): the sequence suspended child -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) is the textbook
// remote-thread DLL load, and it is the behaviour that endpoint and
// game-protection products typically key on. A reply further down this page
// reports that the packaged download is flagged by antivirus.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
STARTUPINFO si;
memset(&si,0,sizeof(STARTUPINFO));// zero-fill si before setting individual fields (see memset)
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_SHOW;
PROCESS_INFORMATION pi;// required parameters are now set up
// CREATE_SUSPENDED: the client's main thread does not run until the
// ResumeThread call below, so the DLL is loaded before any game code executes.
// The second token on the command line is passed to the client as its argument.
::CreateProcess(NULL, "JX3Client.exe DOTNOTSTARTGAMEBYX3CLIENT.EXE", NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
// Relative path: it is resolved inside the target process by LoadLibraryA,
// not by this launcher.
char s[] = ".\\Jx3DLL.dll";
int nSize = ::strlen(s) + 1;// +1 so the terminating NUL is copied as well
// Buffer in the child that will hold the path string.
// NOTE(review): the buffer only ever holds string data, yet it is requested
// as PAGE_EXECUTE_READWRITE; a cross-process RWX allocation is itself a
// commonly monitored signal.
void *pParam = ::VirtualAllocEx(pi.hProcess, 0, nSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
::WriteProcessMemory(pi.hProcess, pParam, s, nSize, 0);
// The remote thread's start routine is LoadLibraryA and its single argument
// is the path written above. The address of LoadLibraryA is taken from this
// process -- presumably relying on kernel32 being mapped at the same address
// in the child; confirm for the target platform.
HANDLE hThread = ::CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pParam, 0, NULL);
// Block until the remote LoadLibraryA call has returned. INFINITE means the
// launcher hangs if that thread never exits.
::WaitForSingleObject(hThread, INFINITE);
::CloseHandle(hThread);
// MEM_DECOMMIT with a size decommits the pages; the address range itself is
// not released (that would take MEM_RELEASE), so the reservation stays in
// the child's address space.
::VirtualFreeEx(pi.hProcess, pParam, nSize, MEM_DECOMMIT);
::ResumeThread(pi.hThread);
// close handles that are no longer needed
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}
dll
// Jx3DLL.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
// Local copy of the native THREADINFOCLASS enumeration: the information-class
// selector passed as the second argument of ZwSetInformationThread.
// Enumerators are listed in order with no explicit values, so each one's
// numeric value is its position in the list, starting at 0.
typedef enum _THREADINFOCLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,// value 17 (0x11): the class used to hide a thread from the debugger
ThreadBreakOnTermination,
ThreadSwitchLegacyState,
ThreadIsTerminated,
MaxThreadInfoClass
} THREADINFOCLASS;
// Function-pointer type matching the four-argument call made through
// ZwSetInformationThread below. The return type is declared as DWORD here.
typedef DWORD (WINAPI *ZWSETINFORMATIONTHREAD)(HANDLE, THREADINFOCLASS, PVOID, DWORD);
// Address of ntdll's ZwSetInformationThread; filled in by DllMain on process attach.
ZWSETINFORMATIONTHREAD ZwSetInformationThread = NULL;
// Storage for the original first 5 bytes of the function (_Begin) and for the
// 5-byte replacement (_Hook): opcode 0xE9 is the x86 near JMP, followed by a
// 32-bit relative displacement that DllMain computes.
// NOTE(review): as printed on this page both are scalar BYTEs, while the rest
// of the file reads and writes 5 bytes through them and _Hook carries five
// initialisers; the array declarators appear to have been lost when the page
// was extracted. Left as found.
BYTE ZwSetInformationThread_Begin = {0};
BYTE ZwSetInformationThread_Hook = {0xE9, 0, 0, 0, 0};
// Replacement reached through the 5-byte jump patched over the start of
// ZwSetInformationThread. Every information class except
// ThreadHideFromDebugger is forwarded to the real function and its result is
// returned; a ThreadHideFromDebugger request is not forwarded at all and the
// caller receives TRUE.
//
// NOTE(review): the real routine reports an NTSTATUS, and TRUE (1) is not
// STATUS_SUCCESS (0), so protection code that inspects the status can tell
// that its request was not honoured.
// NOTE(review): the restore / call / re-patch sequence takes no lock. While
// the original bytes are restored, calls from other threads go straight to
// the real function, and the 5-byte writes are not atomic with respect to
// threads executing that code. The repeated rewriting of ntdll's code bytes
// is also visible to any integrity check that compares the function's first
// bytes with the on-disk image.
DWORD WINAPI MyZwSetInformationThread(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, DWORD ThreadInformationLength)
{
// HANDLE(-1) is the pseudo-handle for the current process. Put the saved
// original bytes back so the call below reaches the real function instead
// of jumping back into this one.
::WriteProcessMemory(HANDLE(-1), ZwSetInformationThread, ZwSetInformationThread_Begin, 5, 0);
// Value returned when the real function is skipped.
DWORD Ret = TRUE;
if(ThreadInformationClass != ThreadHideFromDebugger)
{
Ret = ZwSetInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength);
}
// Re-install the jump so later calls are intercepted again.
::WriteProcessMemory(HANDLE(-1), ZwSetInformationThread, ZwSetInformationThread_Hook, 5, 0);
return Ret;
}
// DLL entry point. On DLL_PROCESS_ATTACH it looks up ZwSetInformationThread
// in NTDLL.dll, saves that function's first 5 bytes, and overwrites them with
// a relative jump to MyZwSetInformationThread. The other three notifications
// do nothing. Always returns TRUE.
//
// NOTE(review): the parameter list below is reproduced as printed on the
// page, including `DWORDul_reason_for_call` with no space between the type
// and the parameter name.
// NOTE(review): this patches code inside ntdll from within DllMain and checks
// no return value; if the lookup yields NULL, the reads and writes that
// follow are issued against address 0. The result is an in-memory
// modification of a system DLL's code section, which is what a comparison of
// the loaded function bytes against the file on disk detects.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORDul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// Resolve the real function from the already-loaded NTDLL.dll.
ZwSetInformationThread = (ZWSETINFORMATIONTHREAD)::GetProcAddress(::GetModuleHandle("NTDLL.dll"), "ZwSetInformationThread");
// rel32 operand of the jump = destination - patched address - 5 (the length
// of the jump instruction). Both addresses are cast to DWORD, so the
// arithmetic assumes 32-bit pointers.
*(DWORD*)(ZwSetInformationThread_Hook+1) = (DWORD)MyZwSetInformationThread - (DWORD)ZwSetInformationThread - 5;
// Keep a copy of the original 5 bytes, then overwrite them with the jump.
// HANDLE(-1) is the pseudo-handle for the current process.
::ReadProcessMemory(HANDLE(-1), ZwSetInformationThread, ZwSetInformationThread_Begin, 5, 0);
::WriteProcessMemory(HANDLE(-1), ZwSetInformationThread, ZwSetInformationThread_Hook, 5, 0);
break;
case DLL_PROCESS_DETACH:
// The original bytes are not restored on unload.
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
已做成成品程序
使用方法:下载后将解压的文件放到游戏的“zhcn”目录下,然后运行“Jx3EXE.exe”启动游戏,这样 OD 和 CE 就能够正常下断点和调试了
眼 剑网3这游戏真心不错 下载下来报毒 啊{:cry:} 谢谢分享........