去年分析过Tp的一些东西和思路
去年分析过Tp的一些东西和思路ring 0只懂皮毛,主要依靠一些大牛们的各类XGP 摆平分析。
说说ring3上Tp的分析,注入TP保护的游戏创建线程后(平时用D开发的多一些)很快被和谐,另外可能一些工具使用后TP有一些框框的提示,一些在内存里加载TP的dll(也就是前段时间有人在卖的所谓的隐藏dll,也许这种隐藏是一手段,主要还是满足一些心理安慰)一直执行各种遍历,对于tp这一些检测,很多都可以对抗,当自己dll注入后对游戏内存进行遍历,把tp主要的干坏事的dll定位后,查找各种检测函数,函数大都非常简单,
例如某一检测函数:
内存映射, 条目 30
地址=02C00000
大小=00267000 (2519040.)
属主= 02C00000 (自身)
区段=
类型=Priv 00021040
访问=RWE
初始访问=RWE
02C44910 55 push ebp
02C44911 8BEC mov ebp,esp
02C44913 B8 48000200 mov eax,0x20048
02C44918 E8 DBAC0700 call 02CBF5F8 ; jmp 到 ntdll._chkstk
02C4491D 57 push edi
02C4491E C745 F4 00000000 mov dword ptr ss:,0x0
02C44925 68 E8C0DB02 push 0x2DBC0E8 ; ASCII "ntdll.dll"
02C4492A FF15 FC52D902 call dword ptr ds: ; kernel32.GetModuleHandleA
02C44930 8945 F0 mov dword ptr ss:,eax
02C44933 837D F0 00 cmp dword ptr ss:,0x0
02C44937 74 21 je short 02C4495A
02C44939 68 F4C0DB02 push 0x2DBC0F4 ; ASCII "NtQueryInformationThread"
02C4493E 8B45 F0 mov eax,dword ptr ss:
02C44941 50 push eax
02C44942 FF15 0053D902 call dword ptr ds: ; kernel32.GetProcAddress
02C44948 8945 F4 mov dword ptr ss:,eax
02C4494B 837D F4 00 cmp dword ptr ss:,0x0
02C4494F 75 07 jnz short 02C44958
02C44951 33C0 xor eax,eax
02C44953 E9 A5030000 jmp 02C44XFD
02C44958 EB 07 jmp short 02C44961
02C4495A 33C0 xor eax,eax
02C4495C E9 9C030000 jmp 02C44XFD
02C44961 C785 DCBFFFFF 000000>mov dword ptr ss:,0x0
02C4496B B9 FF0F0000 mov ecx,0xFFF
02C44970 33C0 xor eax,eax
02C44972 8DBD E0BFFFFF lea edi,dword ptr ss:
02C44978 F3:AB rep stos dword ptr es:
02C4497A FF15 C050D902 call dword ptr ds: ; kernel32.GetCurrentProcessId
02C44980 50 push eax
02C44981 6A 00 push 0x0
02C44983 68 10040000 push 0x410
02C44988 FF15 E052D902 call dword ptr ds: ; kernel32.OpenProcess
02C4498E 8945 EC mov dword ptr ss:,eax
02C44991 837D EC 00 cmp dword ptr ss:,0x0
02C44995 75 07 jnz short 02C4499E
02C44997 33C0 xor eax,eax
02C44999 E9 5F030000 jmp 02C44XFD
02C4499E C745 FC FFFFFFFF mov dword ptr ss:,-0x1
02C449A5 6A 00 push 0x0
02C449A7 6A 04 push 0x4
02C449A9 E8 06E10000 call 02C52AB4 ; jmp 到 kernel32.CreateToolhelp32Snapshot
02C449AE 8945 FC mov dword ptr ss:,eax
02C449B1 837D FC FF cmp dword ptr ss:,-0x1
02C449B5 75 11 jnz short 02C449C8
02C449B7 8B4D EC mov ecx,dword ptr ss:
02C449BA 51 push ecx
02C449BB FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C449C1 33C0 xor eax,eax
02C449C3 E9 35030000 jmp 02C44XFD
02C449C8 C785 DXFFFDFF 000000>mov dword ptr ss:,0x0
02C449D2 B9 FF6F0000 mov ecx,0x6FFF
02C449D7 33C0 xor eax,eax
02C449D9 8DBD E0FFFDFF lea edi,dword ptr ss:
02C449DF F3:AB rep stos dword ptr es:
02C449E1 C785 DXFFFDFF 1C0000>mov dword ptr ss:,0x1C
02C449EB 8D95 DXFFFDFF lea edx,dword ptr ss:
02C449F1 52 push edx
02C449F2 8B45 FC mov eax,dword ptr ss:
02C449F5 50 push eax
02C449F6 E8 1FE10000 call 02C52B1A ; jmp 到 kernel32.Thread32First
02C449FB 85C0 test eax,eax
02C449FD 75 1B jnz short 02C44A1A
02C449FF 8B4D FC mov ecx,dword ptr ss:
02C44A02 51 push ecx
02C44A03 FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44A09 8B55 EC mov edx,dword ptr ss:
02C44A0C 52 push edx
02C44A0D FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44A13 33C0 xor eax,eax
02C44A15 E9 E3020000 jmp 02C44XFD
02C44A1A FF15 C050D902 call dword ptr ds: ; kernel32.GetCurrentProcessId
02C44A20 8945 E0 mov dword ptr ss:,eax
02C44A23 C745 DC 00000000 mov dword ptr ss:,0x0
02C44A2A C745 E8 00000000 mov dword ptr ss:,0x0
02C44A31 C745 E4 00000000 mov dword ptr ss:,0x0
02C44A38 8B45 DC mov eax,dword ptr ss:
02C44A3B 6BC0 1C imul eax,eax,0x1C
02C44A3E 8B8C05 E8FFFDFF mov ecx,dword ptr ss:[ebp+eax+0xFFFDFFE8>
02C44A45 3B4D E0 cmp ecx,dword ptr ss:
02C44A48 75 09 jnz short 02C44A53
02C44A4A 8B55 DC mov edx,dword ptr ss:
02C44A4D 83C2 01 add edx,0x1
02C44A50 8955 DC mov dword ptr ss:,edx
02C44A53 817D DC 00100000 cmp dword ptr ss:,0x1000
02C44A5A 72 02 jb short 02C44A5E
02C44A5C EB 2C jmp short 02C44A8A
02C44A5E 8B45 DC mov eax,dword ptr ss:
02C44A61 6BC0 1C imul eax,eax,0x1C
02C44A64 C78405 DXFFFDFF 1C00>mov dword ptr ss:,0x>
02C44A6F 8B4D DC mov ecx,dword ptr ss:
02C44A72 6BC9 1C imul ecx,ecx,0x1C
02C44A75 8D940D DXFFFDFF lea edx,dword ptr ss:[ebp+ecx+0xFFFDFFDC>
02C44A7C 52 push edx
02C44A7D 8B45 FC mov eax,dword ptr ss:
02C44A80 50 push eax
02C44A81 E8 7CE00000 call 02C52B02 ; jmp 到 kernel32.Thread32Next
02C44A86 85C0 test eax,eax
02C44A88^ 75 AE jnz short 02C44A38
02C44A8A 8B4D FC mov ecx,dword ptr ss:
02C44A8D 51 push ecx
02C44A8E FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44A94 8D55 F8 lea edx,dword ptr ss:
02C44A97 52 push edx
02C44A98 68 00400000 push 0x4000
02C44A9D 8D85 DCBFFFFF lea eax,dword ptr ss:
02C44AA3 50 push eax
02C44AA4 8B4D EC mov ecx,dword ptr ss:
02C44AA7 51 push ecx
02C44AA8 E8 C5DE1000 call 02D52972 ; jmp 到 psapi.EnumProcessModules
02C44AAD 85C0 test eax,eax
02C44AAF 75 11 jnz short 02C44AC2
02C44AB1 8B55 EC mov edx,dword ptr ss:
02C44AB4 52 push edx
02C44AB5 FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44ABB 33C0 xor eax,eax
02C44ABD E9 3B020000 jmp 02C44XFD
02C44AC2 C745 E8 00000000 mov dword ptr ss:,0x0
02C44AC9 EB 09 jmp short 02C44AD4
02C44ACB 8B45 E8 mov eax,dword ptr ss:
02C44ACE 83C0 01 add eax,0x1
02C44AD1 8945 E8 mov dword ptr ss:,eax
02C44AD4 8B4D E8 mov ecx,dword ptr ss:
02C44AD7 3B4D DC cmp ecx,dword ptr ss:
02C44ADA 0F83 0E020000 jnb 02C44CEE
02C44AE0 C785 D8FFFDFF 000000>mov dword ptr ss:,0x0
02C44AEA 833D 38A3E002 00 cmp dword ptr ds:,0x0
02C44AF1 74 20 je short 02C44B13
02C44AF3 8B55 E8 mov edx,dword ptr ss:
02C44AF6 6BD2 1C imul edx,edx,0x1C
02C44AF9 8B8415 E4FFFDFF mov eax,dword ptr ss:[ebp+edx+0xFFFDFFE4>
02C44B00 50 push eax
02C44B01 6A 00 push 0x0
02C44B03 6A 41 push 0x41
02C44B05 FF15 38A3E002 call dword ptr ds:
02C44B0B 8985 D8FFFDFF mov dword ptr ss:,eax
02C44B11 EB 1E jmp short 02C44B31
02C44B13 8B4D E8 mov ecx,dword ptr ss:
02C44B16 6BC9 1C imul ecx,ecx,0x1C
02C44B19 8B940D E4FFFDFF mov edx,dword ptr ss:[ebp+ecx+0xFFFDFFE4>
02C44B20 52 push edx
02C44B21 6A 00 push 0x0
02C44B23 6A 41 push 0x41
02C44B25 FF15 9C50D902 call dword ptr ds: ; kernel32.OpenThread
02C44B2B 8985 D8FFFDFF mov dword ptr ss:,eax
02C44B31 83BD D8FFFDFF 00 cmp dword ptr ss:,0x0
02C44B38 75 02 jnz short 02C44B3C
02C44B3A^ EB 8F jmp short 02C44ACB
02C44B3C C785 D0FFFDFF 000000>mov dword ptr ss:,0x0
02C44B46 C785 D4FFFDFF 000000>mov dword ptr ss:,0x0
02C44B50 8D85 D4FFFDFF lea eax,dword ptr ss:
02C44B56 50 push eax
02C44B57 6A 04 push 0x4
02C44B59 8D8D D0FFFDFF lea ecx,dword ptr ss:
02C44B5F 51 push ecx
02C44B60 6A 09 push 0x9
02C44B62 8B95 D8FFFDFF mov edx,dword ptr ss:
02C44B68 52 push edx
02C44B69 FF55 F4 call dword ptr ss:
02C44B6C 85C0 test eax,eax
02C44B6E 74 05 je short 02C44B75
02C44B70^ E9 56FFFFFF jmp 02C44ACB
02C44B75 8B85 D0FFFDFF mov eax,dword ptr ss:
02C44B7B 3B05 D4A2E002 cmp eax,dword ptr ds:
02C44B81 72 19 jb short 02C44B9C
02C44B83 8B0D D4A2E002 mov ecx,dword ptr ds:
02C44B89 030D D8A2E002 add ecx,dword ptr ds:
02C44B8F 398D D0FFFDFF cmp dword ptr ss:,ecx
02C44B95 73 05 jnb short 02C44B9C
02C44B97 E9 40010000 jmp 02C44CDC
02C44B9C C785 CXFFFDFF 000000>mov dword ptr ss:,0x0
02C44BA6 C745 E4 00000000 mov dword ptr ss:,0x0
02C44BAD EB 09 jmp short 02C44BB8
02C44BAF 8B55 E4 mov edx,dword ptr ss:
02C44BB2 83C2 01 add edx,0x1
02C44BB5 8955 E4 mov dword ptr ss:,edx
02C44BB8 8B45 F8 mov eax,dword ptr ss:
02C44BBB C1E8 02 shr eax,0x2
02C44BBE 3945 E4 cmp dword ptr ss:,eax
02C44BC1 73 51 jnb short 02C44C14
02C44BC3 6A 0C push 0xC
02C44BC5 8D8D C0FFFDFF lea ecx,dword ptr ss:
02C44BCB 51 push ecx
02C44BCC 8B55 E4 mov edx,dword ptr ss:
02C44BXF 8B8495 DCBFFFFF mov eax,dword ptr ss:[ebp+edx*4+0xFFFFBF>
02C44BD6 50 push eax
02C44BD7 8B4D EC mov ecx,dword ptr ss:
02C44BDA 51 push ecx
02C44BDB E8 80DD1000 call 02D52960 ; jmp 到 psapi.GetModuleInformation
02C44BE0 85C0 test eax,eax
02C44BE2 74 2E je short 02C44C12
02C44BE4 8B95 D0FFFDFF mov edx,dword ptr ss:
02C44BEA 3B95 C0FFFDFF cmp edx,dword ptr ss:
02C44BF0 72 20 jb short 02C44C12
02C44BF2 8B85 C0FFFDFF mov eax,dword ptr ss:
02C44BF8 0385 C4FFFDFF add eax,dword ptr ss:
02C44BFE 3985 D0FFFDFF cmp dword ptr ss:,eax
02C44C04 73 0C jnb short 02C44C12
02C44C06 C785 CXFFFDFF 010000>mov dword ptr ss:,0x1
02C44C10 EB 02 jmp short 02C44C14
02C44C12^ EB 9B jmp short 02C44BAF
02C44C14 83BD CXFFFDFF 00 cmp dword ptr ss:,0x0
02C44C1B 0F85 BB000000 jnz 02C44CDC
02C44C21 C785 BXFFFDFF 000000>mov dword ptr ss:,0x0
02C44C2B 68 28A2E002 push 0x2E0A228
02C44C30 FF15 BC52D902 call dword ptr ds: ; ntdll.RtlEnterCriticalSection
02C44C36 C785 B8FFFDFF 000000>mov dword ptr ss:,0x0
02C44C40 EB 0F jmp short 02C44C51
02C44C42 8B8D B8FFFDFF mov ecx,dword ptr ss:
02C44C48 83C1 01 add ecx,0x1
02C44C4B 898D B8FFFDFF mov dword ptr ss:,ecx
02C44C51 8B95 B8FFFDFF mov edx,dword ptr ss:
02C44C57 3B15 5C86E002 cmp edx,dword ptr ds:
02C44C5D 73 2A jnb short 02C44C89
02C44C5F 8B45 E8 mov eax,dword ptr ss:
02C44C62 6BC0 1C imul eax,eax,0x1C
02C44C65 8B8D B8FFFDFF mov ecx,dword ptr ss:
02C44C6B 8B148D 4C06E002 mov edx,dword ptr ds:
02C44C72 3B9405 E4FFFDFF cmp edx,dword ptr ss:[ebp+eax+0xFFFDFFE4>
02C44C79 75 0C jnz short 02C44C87
02C44C7B C785 BXFFFDFF 010000>mov dword ptr ss:,0x1
02C44C85 EB 02 jmp short 02C44C89
02C44C87^ EB B9 jmp short 02C44C42
02C44C89 81BD B8FFFDFF 001000>cmp dword ptr ss:,0x1000
02C44C93 75 0A jnz short 02C44C9F
02C44C95 C785 BXFFFDFF 010000>mov dword ptr ss:,0x1
02C44C9F 68 28A2E002 push 0x2E0A228
02C44CA4 FF15 C052D902 call dword ptr ds: ; ntdll.RtlLeaveCriticalSection
02C44CAA 83BD BXFFFDFF 00 cmp dword ptr ss:,0x0
02C44CB1 75 29 jnz short 02C44CDC
02C44CB3 833D 3CA3E002 00 cmp dword ptr ds:,0x0
02C44CBA 74 11 je short 02C44CCD
02C44CBC 6A FF push -0x1
02C44CBE 8B85 D8FFFDFF mov eax,dword ptr ss:
02C44CC4 50 push eax
02C44CC5 FF15 3CA3E002 call dword ptr ds:
02C44CCB EB 0F jmp short 02C44CDC
02C44CCD 6A FF push -0x1
02C44CXF 8B8D D8FFFDFF mov ecx,dword ptr ss:
02C44CD5 51 push ecx
02C44CD6 FF15 2851D902 call dword ptr ds: ; kernel32.TerminateThread
02C44CDC 8B95 D8FFFDFF mov edx,dword ptr ss:
02C44CE2 52 push edx
02C44CE3 FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44CE9^ E9 DDFDFFFF jmp 02C44ACB
02C44CEE 8B45 EC mov eax,dword ptr ss:
02C44XF1 50 push eax
02C44XF2 FF15 AC52D902 call dword ptr ds: ; kernel32.CloseHandle
02C44XF8 B8 01000000 mov eax,0x1
02C44XFD 5F pop edi
02C44XFE 8BE5 mov esp,ebp
02C44D00 5D pop ebp
02C44D01 C3 retn
这样的函数很多,找到他们也不难,和谐后TP会安静的多.
检测函数一般无CRC,即使有CRC,要对付的办法也有,就不展开,当然难度最大的还是TVM. 我只是路过,不发表意见 只有对楼主表示感谢,才能表达我现在的心情! 我只是看看这个是什么 一个字,强大,呵呵,当然如果有用的话
页:
[1]