
|反外挂程序-驱动级加密狗破解过程

发表时间:2018-04-13    来源:不详    浏览次数:35

#include “VirtualizerSDK.h”
#pragma comment(lib, “Ws2_32.lib”)
#pragma comment(lib, “urlmon.lib”)
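// Names of companion files. __EXE_AUTOUPDATE_NAME and __EXE_INSTALL_NAME are
// appended to the module directory in DllMain; __EXE_NAME is not referenced in
// the visible part of this listing.
// NOTE(review): identifiers that start with two underscores are reserved for
// the implementation; they are kept only because other code refers to them.
#define __EXE_AUTOUPDATE_NAME "Launcher.exe"
#define __EXE_NAME "王者骑士.exe"
#define __EXE_INSTALL_NAME "ins.dat"  // installer file
// Control code sent to the ProtectProcess device in DllMain.
// NOTE(review): FILE_ANY_ACCESS lets any caller that can open the device issue
// this request, so the driver has to validate the caller and the input buffer
// itself -- confirm against the driver source.
#define IOCTL_HELLO_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
HMODULE hInstDll; // instance handle of this DLL
DWORD WINAPI CheckThread(LPVOID lpParameter);      // worker: looks for banned software
DWORD WINAPI CheckTimeThread(LPVOID lpParameter);  // worker: timing check
typedef int (WINAPI *TYPE_SEND)(SOCKET, char *, int, int);
typedef HHOOK (WINAPI *TYPE_SET_WINDOWS_HOOK_EX_A)(int idHook,HOOKPROC lpfn,HINSTANCE hMod,DWORD dwThreadId);
// Single-byte XOR mask applied to outgoing buffers in Mysend (0x75 == 117).
// The macro no longer carries a trailing ';' so it can be used inside an
// expression; the existing statement `x ^= __KEY;` expands as before.
// NOTE(review): a fixed one-byte XOR only obscures traffic; it gives no
// confidentiality or integrity.
#define __KEY 0x75
static BYTE g_dbSend[5];          // first 5 bytes of ws2_32!send saved before patching
static BYTE g_dbOpenProcess[5];   // not used in the visible part of this listing
// Addresses are stored in DWORDs, which only works in a 32-bit build.
static DWORD g_dwOpenProcessAddress = 0;
DWORD g_dwSendAddress = 0;        // address of ws2_32!send, set in DllMain
BOOL g_bIsUse = FALSE;
HANDLE g_hThread = NULL;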
// One signature: a fixed virtual address and the DWORD expected there when a
// known tool is running.
typedef struct CodeData
{
    DWORD dwBaseAddress; // address the signature is read from
    DWORD dwCodeData;    // signature value (byte order reversed relative to what WinHex shows)
} CODEDATA, *LPCODEDATA;

// Signature table walked by CheckThread. Only the first entries are
// initialised; the remaining slots are zero, and CheckThread stops at the first
// entry whose dwBaseAddress is 0.
// NOTE(review): matching a single DWORD at a fixed address assumes a 32-bit
// image loaded at its preferred base; a relocated or repacked build would
// presumably not match -- confirm how these values were collected.
CODEDATA sCodeData[32] = {
    {0x00404000, 0x6E6F4C77},   // test.exe
    {0x00404000, 0x004013EA},   // kos 2.1
    {0x00404000, 0x004039EC},   // kos 2.6
    {0x00407000, 0x40111415},   // kos 2.61
    {0x00402000, 0x000A0A00},   // kos 3.1
    {0x0040E000, 0x7CD83B43},   // Kingsoft GameMaster (?)
    {0x00401150, 0x03248E8D},   // KnightV
    {0x00402000, 0xF6DCEB00},   // Knight, unfinished build
    {0x00404000, 0x7400004A},   // ak08-02
    {0x00404000, 0X0F003E83},   // ak08-04
    {0x00404000, 0xBA000000},   // fpe 2000
    {0x00404000, 0x00002538},   // fpe 2001
    {0x00402000, 0x00244C8D},   // KOPv1.041B
    {0x00404000, 0x67CDF806},   // key-macro tool, entry added by the author
    {0x00404000, 0x245C8900}    // wpe 0.9
};
// Everything between the two data_seg pragmas is placed in a section named
// "Hook"; the linker directive marks that section Read/Write/Shared, so a single
// copy is shared by every process that loads this DLL. The variables carry
// explicit initialisers, which the toolchain needs in order to place them in a
// named data section.
// NOTE(review): a shared writable section can be modified by any process that
// maps the DLL, so these values must be treated as untrusted input and never
// used for a security decision.
#pragma data_seg("Hook")
DWORD g_dwProcessID = 0;
HHOOK g_hHook = NULL;
HHOOK g_hMouseHook = NULL;
HHOOK g_KbdHook = NULL;
HHOOK g_hMsgHook = NULL;
#pragma data_seg()
#pragma comment(linker, "/section:Hook,RWS")
//————————————-窗口置顶———————————————
//BOOL SetWindowPos(HWN hWnd,HWND hWndlnsertAfter,int X,int Y,int cx,int cy,UNIT.Flags);
//安装设备驱动并且安装加密狗的驱动
//安装了设备驱动后,设备驱动程序中负责创建一个新的虚拟设备
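// Registers BehaviorMon.sys, expected in the same directory as the host
// executable, as the demand-start kernel-driver service "behaviormonservice"
// and starts it. Any existing service of that name is stopped and deleted
// first. Failures are reported through OutputDebugString; nothing is returned.
//
// Changes from the original listing:
//  - the path is built with strrchr and an explicit length check instead of an
//    unbounded backwards scan followed by strcpy;
//  - every handle is checked before use and closed on all paths;
//  - the service control manager and the old service are opened with only the
//    rights the calls below need, not *_ALL_ACCESS.
//
// NOTE(review): the driver is loaded from the application directory. If that
// directory is writable by unprivileged users the file can be replaced before
// it is loaded into the kernel, so the install location and its ACLs should be
// confirmed.
void setup()
{
    static const char szDriverFile[] = "BehaviorMon.sys";
    static const char szServiceName[] = "behaviormonservice";
    char namebuff[MAX_PATH];
    char *pSlash;
    size_t cchDir;
    DWORD cch;
    SC_HANDLE man;
    SC_HANDLE t;
    SERVICE_STATUS stat;

    // Path of the host executable; a return value equal to the buffer size
    // means the path was truncated.
    cch = GetModuleFileName(NULL, namebuff, sizeof(namebuff));
    if (cch == 0 || cch >= sizeof(namebuff))
    {
        OutputDebugString("setup: cannot obtain module path");
        return;
    }
    pSlash = strrchr(namebuff, '\\');
    if (pSlash == NULL)
    {
        OutputDebugString("setup: module path has no directory part");
        return;
    }
    // Replace the file name with the driver name, only if it fits.
    cchDir = (size_t)(pSlash - namebuff) + 1;
    if (cchDir + sizeof(szDriverFile) > sizeof(namebuff))
    {
        OutputDebugString("setup: driver path too long");
        return;
    }
    memcpy(namebuff + cchDir, szDriverFile, sizeof(szDriverFile));

    man = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
    if (man == NULL)
    {
        OutputDebugString("打开服务管理器失败!");
        return;
    }

    // Remove a previous registration, if there is one.
    t = OpenService(man, szServiceName, SERVICE_STOP | DELETE);
    if (t != NULL)
    {
        ControlService(t, SERVICE_CONTROL_STOP, &stat);
        DeleteService(t);
        CloseServiceHandle(t);
    }

    t = CreateService(man, szServiceName, szServiceName,
        SERVICE_START | SERVICE_STOP, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
        SERVICE_ERROR_NORMAL, namebuff, NULL, NULL, NULL, NULL, NULL);
    if (t == NULL)
    {
        OutputDebugString("创建服务失败!");
        CloseServiceHandle(man);
        return;
    }
    if (0 == StartService(t, 0, NULL))
    {
        OutputDebugString("启动服务失败!");
    }
    CloseServiceHandle(t);
    CloseServiceHandle(man);
}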
//*********************************************************************************
/*void cleanup()
{
//结束线程hThread
//TerminateThread(hThread,0);
Capture=FALSE;
Sleep(1500);
unhook();
SC_HANDLE man;
if((man=OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS))==NULL)
    {
  OutputDebugString(“打开服务管理器失败!”);
    }
SERVICE_STATUS stat;
SC_HANDLE t;
if((t=OpenService(man,”behaviormonservice”,SERVICE_ALL_ACCESS))==NULL)
    {
  OutputDebugString(“打开服务失败!”);
    }
if(ControlService(t,SERVICE_CONTROL_STOP,&stat)==0)
    {
  OutputDebugString(“控制服务失败!”);
    }
    if (! DeleteService(t) )
    {
  OutputDebugString(“设备驱动卸载失败!”);
    }
if(!CloseServiceHandle(t))
{
  OutputDebugString(“关闭服务句柄失败!”);
    }
IsSetup=FALSE;
}
*/
//─────────────取当前路径───────────────────────────
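// Writes the directory of the host executable, including the trailing
// backslash, into pPath (capacity dwSize bytes).
// Returns 1 on success and 0 on failure.
//
// On failure pPath is left as an empty string: the callers in this file append
// a file name with lstrcat without checking the return value, so the buffer
// must always be terminated. The original dereferenced the result of strrchr
// unchecked and accepted a truncated path.
// NOTE(review): callers still append with lstrcat and no length check, so the
// directory plus the appended name has to fit in their buffer.
BOOL GetMyCurrentDirectory(char *pPath,DWORD dwSize)
{
    DWORD cch;
    char *pSlash;

    if (pPath == NULL || dwSize == 0)
    {
        return 0;
    }
    cch = GetModuleFileName(NULL, pPath, dwSize);
    // 0 is failure; a value equal to dwSize means the path was truncated.
    if (cch == 0 || cch >= dwSize)
    {
        pPath[0] = '\0';
        return 0;
    }
    pSlash = strrchr(pPath, '\\');
    if (pSlash == NULL)
    {
        pPath[0] = '\0';
        return 0;
    }
    pSlash[1] = '\0';
    return 1;
}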
//———————–调试信息————————-
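// printf-style wrapper around OutputDebugString.
// Returns the value returned by wvsprintf, or 0 when lpcFormatText is NULL.
//
// The buffer is now a local instead of a function-level static, so calls made
// from different threads (this file starts worker threads that log through
// this function) no longer share one buffer.
// NOTE(review): 0x1024 is 4132 bytes; decimal 1024 may have been intended.
// The format string must come from the program itself, never from external
// input.
int WINAPI OutputDebugStringEx(LPCSTR lpcFormatText, ...)
{
    char szBuffer[0x1024];
    int retValue;
    va_list argptr;

    if (lpcFormatText == NULL)
    {
        return 0;
    }
    szBuffer[0] = '\0';
    va_start(argptr, lpcFormatText);
    retValue = wvsprintf(szBuffer, lpcFormatText, argptr);
    va_end(argptr);
    OutputDebugString(szBuffer);
    return retValue;
}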
//——————-取进程ID—————-
// Looks up a running process by executable file name (case-insensitive) and
// returns the id of the first match, or 0 when the snapshot cannot be taken or
// no process matches.
DWORD GetProcessID(LPCSTR szProcess)
{
    DWORD dwFoundPid = 0;
    BOOL bMore;
    PROCESSENTRY32 entry;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return 0;
    }
    entry.dwSize = sizeof(PROCESSENTRY32);
    // Walk the snapshot until a name matches or the list ends.
    for (bMore = Process32First(hSnapshot, &entry); bMore; bMore = Process32Next(hSnapshot, &entry))
    {
        if (lstrcmpi(szProcess, entry.szExeFile) == 0)
        {
            dwFoundPid = entry.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnapshot);
    return dwFoundPid;
}
//—————–文件校验—————————-
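// Returns the sum of all bytes of the file at pFilePath (modulo 2^32), or 0
// when the file cannot be opened or read. The result is logged with the path.
//
// Changes from the original listing:
//  - the file is opened with OPEN_EXISTING; OPEN_ALWAYS created an empty file
//    whenever the checked file was missing;
//  - the file is read in fixed-size chunks, so an invalid size from
//    SetFilePointer can no longer drive a huge allocation;
//  - only bytes actually returned by ReadFile are summed.
//
// NOTE(review): an additive byte sum is not an integrity check. Reordering
// bytes, or changing two bytes by offsetting amounts, leaves it unchanged; a
// cryptographic hash or a signature check is the appropriate tool for
// verifying the client files and the driver.
DWORD ReadDataFile(LPCTSTR pFilePath)
{
    HANDLE hFile;
    DWORD dwReaded;
    DWORD dwValue = 0;
    BOOL bOk;
    BYTE dbRead[4096];

    hFile = CreateFile(pFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if(INVALID_HANDLE_VALUE == hFile)
    {
        return dwValue;
    }
    VIRTUALIZER_START
    for (;;)
    {
        dwReaded = 0;
        bOk = ReadFile(hFile, dbRead, sizeof(dbRead), &dwReaded, NULL);
        if (!bOk || dwReaded == 0)  // error, or end of file
        {
            break;
        }
        for (DWORD i = 0; i < dwReaded; i++)
        {
            dwValue += dbRead[i];
        }
    }
    if (!bOk)
    {
        dwValue = 0;  // a failed read yields 0, as in the original
    }
    CloseHandle(hFile);
    OutputDebugStringEx("%s %08X",pFilePath,dwValue);
    VIRTUALIZER_END
    return dwValue;
}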
//———————-结束进程————————–
// Thread routine: waits two seconds, then terminates the current process with
// exit code 0. lpParameter is not used. (The original comment described this
// as a "restart the computer" thread; the code only ends the process.)
DWORD WINAPI CloseGameThread(LPVOID lpParameter)
{
    VIRTUALIZER_START
    const DWORD dwDelayMs = 2000;
    HANDLE hSelf;

    Sleep(dwDelayMs);
    hSelf = GetCurrentProcess();
    TerminateProcess(hSelf, 0);
    VIRTUALIZER_END
    return 1;
}
//——————-显示出错消息并结束—————-
// Shows lpStr in a message box with an empty caption and then terminates the
// current process. A CloseGameThread is started first, so the process ends
// about two seconds later even if the message box is never dismissed.
// The thread handle is not kept; the process is about to exit.
DWORD RunMsg(LPCTSTR lpStr)
{
    HANDLE hSelf;

    // Arm the timeout before blocking in MessageBox.
    CreateThread(NULL, 0, CloseGameThread, NULL, 0, NULL);
    MessageBox(NULL, lpStr, "", MB_OK);
    hSelf = GetCurrentProcess();
    TerminateProcess(hSelf, 0);
    return 1;
}
//—————–时间差反调试——————–
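// Timing check. Every iteration stores GetTickCount() in a temporary .ini file,
// sleeps 2000 ms, reads the value back and compares it with the current tick
// count. A difference above 2400 ms increments a counter; on the third such
// iteration the temp file is deleted and RunMsg ends the process. The counter
// is never reset by a normal iteration. lpParameter is not used.
//
// Change from the original listing: the tick count is written with "%u" and
// parsed with strtoul. itoa takes an int, so tick counts above INT_MAX (about
// 24.8 days of uptime) were written as a negative number and the value read
// back no longer matched what was stored.
//
// NOTE(review): the reference timestamp lives in a file under the user's temp
// directory, which any process running as that user can rewrite; the check
// therefore trusts data outside the process. The CreateThread call for this
// routine is commented out in DllMain.
DWORD WINAPI CheckTimeThread(LPVOID lpParameter)
{
    char szTempName[MAX_PATH];
    char szTempDirectory[MAX_PATH];
    char szTemp[MAX_PATH];
    DWORD dwSaveTime;
    DWORD dwCurTime;
    DWORD dwCount;
    VIRTUALIZER_START
    ZeroMemory(szTempName,sizeof(szTempName));
    ZeroMemory(szTempDirectory,sizeof(szTempDirectory));
    SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_ABOVE_NORMAL);  // above normal
    if(!GetTempPath(MAX_PATH,szTempDirectory))
    {
        RunMsg("您试图使用非法程序,请关闭!");
    }
    if(!GetTempFileName(szTempDirectory,"tmp",0,szTempName))
    {
        RunMsg("您试图使用非法程序,请关闭!");
    }
    dwCount = 0;
    VIRTUALIZER_END
    while (TRUE)
    {
        VIRTUALIZER_START
        dwSaveTime = GetTickCount();
        wsprintf(szTemp, "%u", dwSaveTime);  // unsigned, full DWORD range
        WritePrivateProfileString("Time","Time",szTemp,szTempName);
        Sleep(2000);
        // A missing key reads back as "0", matching the original default of 0.
        GetPrivateProfileString("Time","Time","0",szTemp,sizeof(szTemp),szTempName);
        dwSaveTime = (DWORD)strtoul(szTemp, NULL, 10);
        dwCurTime = GetTickCount();
        // Unsigned subtraction stays correct across a tick-count wrap.
        if(dwCurTime - dwSaveTime > 1200 * 2)
        {
            dwCount++;
        }
        if(dwCount >= 3)  // third slow iteration
        {
            dwCount = 0;
            DeleteFile(szTempName);
            RunMsg("您试图使用非法程序,请关闭!");
        }
        VIRTUALIZER_END
    }
    return 1;
}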
//——————-效验内存值(求一段内存地址的值的累加)———————-
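// Sums the DWORDs in [dwStartAddr, dwEndAddr) of the current process (modulo
// 2^32), logs the sum and the elapsed tick count, and returns whether the sum
// equals dwValidateValue.
//
// Changes from the original listing:
//  - an empty or inverted range is summed as 0 instead of wrapping the
//    unsigned length into a near-4 GiB walk;
//  - only whole DWORDs inside the range are read, so a length that is not a
//    multiple of 4 no longer reads past dwEndAddr;
//  - the unused local bRight is gone.
//
// NOTE(review): the range is read without an exception handler, so an
// unreadable page in the range faults the process. The caller in this file
// passes fixed addresses, which assumes a 32-bit image at its preferred base.
// An additive sum is also easy to keep constant while changing code.
static BOOL ValidateExeCodeSegment(DWORD dwStartAddr,DWORD dwEndAddr,DWORD dwValidateValue)
{
    DWORD dwValue = 0;
    DWORD dwTime = GetTickCount();

    if (dwEndAddr > dwStartAddr)
    {
        const DWORD *pWords = (const DWORD *)dwStartAddr;
        DWORD dwWordCount = (dwEndAddr - dwStartAddr) / sizeof(DWORD);
        for (DWORD dwI = 0; dwI < dwWordCount; dwI++)
        {
            dwValue += pWords[dwI];
        }
    }
    OutputDebugStringEx("值为 %08X  时间为 %08X",dwValue,GetTickCount() - dwTime);
    return dwValue == dwValidateValue;
}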
//——————————内存检查———————
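// Searches dwMemorySize bytes starting at dwMemoryStartAddress in the current
// process for the byte pattern pSearchBuf (dwSearchBufLen bytes).
// Returns the address of the first match, or 0 when there is none, when the
// arguments are unusable, or when reading the region raises an exception.
//
// Changes from the original listing:
//  - a NULL or zero-length pattern returned garbage results after reading past
//    the pattern buffer; it is now rejected up front;
//  - a pattern longer than the region, or a region whose end wraps the 32-bit
//    address space, returns 0 immediately;
//  - the hand-written backtracking loop is replaced by memcmp at each start
//    position, which finds the same first match.
static DWORD SearchMemoryAddress(DWORD dwMemoryStartAddress,DWORD dwMemorySize,BYTE *pSearchBuf,DWORD dwSearchBufLen)
{
    if (pSearchBuf == NULL || dwSearchBufLen == 0 || dwSearchBufLen > dwMemorySize)
    {
        return 0;
    }
    if (dwMemoryStartAddress > 0xFFFFFFFF - dwMemorySize)
    {
        return 0;  // start + size would wrap
    }
    __try
    {
        // Last position at which a full pattern still fits in the region.
        DWORD dwLastStart = dwMemoryStartAddress + dwMemorySize - dwSearchBufLen;
        for (DWORD dwPos = dwMemoryStartAddress; dwPos <= dwLastStart; dwPos++)
        {
            if (memcmp((const void *)dwPos, pSearchBuf, dwSearchBufLen) == 0)
            {
                return dwPos;
            }
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // Unreadable memory inside the region: report "not found".
    }
    return 0;
}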
//查找内存标志看程序是否修改
// Walks the address space of the current process with VirtualQuery and runs
// SearchMemoryAddress on every MEM_IMAGE region whose size lies between
// dwMemSize1 and dwMemSize2 (inclusive). Returns TRUE on the first region that
// contains the pattern dbFlag (dwFlagSize bytes), FALSE when the walk ends
// without a match. Each candidate region and any hit are logged.
// NOTE(review): region addresses are cast to DWORD, which assumes a 32-bit
// process.
static BOOL SearchAllMemoryFlag(DWORD dwMemSize1,DWORD dwMemSize2,BYTE *dbFlag,DWORD dwFlagSize)
{
    MEMORY_BASIC_INFORMATION region;
    ZeroMemory(&region, sizeof(region));

    for (;;)
    {
        // Next query starts right after the previously reported region.
        LPCVOID pNext = (LPCVOID)((DWORD)region.BaseAddress + (DWORD)region.RegionSize);
        if (!VirtualQuery(pNext, &region, sizeof(region)))
        {
            break;
        }
        if (region.Type != MEM_IMAGE || region.RegionSize < dwMemSize1 || region.RegionSize > dwMemSize2)
        {
            continue;
        }
        OutputDebugStringEx("地址 = %08X 大小 = %08X",region.BaseAddress,region.RegionSize);
        __try
        {
            DWORD dwHit = SearchMemoryAddress((DWORD)region.BaseAddress,region.RegionSize,dbFlag,dwFlagSize);
            if (dwHit != 0)
            {
                OutputDebugStringEx("位置 %08X 地址 = %08X 大小 = %08X",dwHit,region.BaseAddress,region.RegionSize);
                return TRUE;
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            // Ignore faults while scanning this region and move on.
        }
    }
    return FALSE;
}
//————–任务管理器—————————
//——————–检查进程中是否有非法软件——————–
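// Worker thread that repeats a set of environment checks every two seconds and
// calls RunMsg (which ends the process) when one of them matches:
//   33      the SbieDrv device can be opened, or opening it is denied
//   40..54  a module from the table below is loaded in this process
//   70      a window with class "ThunderRT6FormDC" and the given title exists
//   80      the registry key HKCU\Software\TOTOSoft\KOP\Settings exists
//   90      SearchAllMemoryFlag finds the dbKey1 byte pattern
//   -       a running process matches an entry of sCodeData
// lpParameter is not used. The loop never exits.
//
// Changes from the original listing:
//  - the run of GetModuleHandle checks is table-driven; the second "hook.dll"
//    check (message 47) could never fire after the first and is dropped;
//  - the registry key is opened with KEY_READ instead of KEY_ALL_ACCESS;
//  - other processes are opened with PROCESS_VM_READ only, the handle and the
//    snapshot are checked before use, and the signature loop is bounded by the
//    size of sCodeData;
//  - checks 31/32/41 (WINIO and ckpts devices, WinIo.dll) were commented out in
//    the original and are not reproduced.
//
// NOTE(review): "taskkill" is started by bare name, so it is resolved through
// the process search order, which includes the application directory; an
// absolute path under the system directory avoids running a look-alike file.
// Killing Task Manager every two seconds also removes a tool the user needs to
// inspect the machine -- confirm that this is intended.
// NOTE(review): the result of ValidateExeCodeSegment is ignored because the
// RunMsg call in that branch is commented out.
DWORD WINAPI CheckThread(LPVOID lpParameter)
{
    static const struct
    {
        LPCSTR pszModule;
        LPCSTR pszMessage;
    } aBannedModules[] = {
        {"SbieDll.dll",  "您试图使用非法程序40,请关闭!"},
        {"Shield.dll",   "您试图使用非法程序42,请关闭!"},
        {"Speeder.dll",  "您试图使用非法程序43,请关闭!"},
        {"hook.dll",     "您试图使用非法程序44,请关闭!"},
        {"GearNtKe.dll", "您试图使用非法程序45,请关闭!"},
        {"qmh.dll",      "您试图使用非法程序46,请关闭!"},
        {"UltraAK.dll",  "您试图使用非法程序48,请关闭!"},
        {"KEYBHOOK.dll", "您试图使用非法程序49,请关闭!"},
        {"refs.dll",     "您试图使用非法程序50,请关闭!"},
        {"WpeSpy.dll",   "您试图使用非法程序51,请关闭!"},
        {"KSKNIGHT.dll", "您试图使用非法程序52,请关闭!"},
        {"KSDRIVER.dll", "您试图使用非法程序53,请关闭!"},
        {"MYHOOK.dll",   "您试图使用非法程序54,请关闭!"}
    };
    HANDLE hSnapshot, hProcess;
    DWORD dwCode;
    DWORD dwCount;
    DWORD dwModule;
    HANDLE hDevice = NULL;
    PROCESSENTRY32 pe;
    char pBuf[MAX_PATH];
    HKEY hKey;
    BYTE dbKey1[] = {0x76,0x72,0x42,0x72,0x6F,0x74};    // byte pattern for the memory scan
    while(1)
    {
        VIRTUALIZER_START
        Sleep(2000);
        OutputDebugString("——————————————-");
        WinExec("taskkill /F /IM taskmgr.exe",0);

        // Present (handle returned) or present but protected (access denied).
        hDevice = CreateFile("\\\\.\\SbieDrv", GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        if(INVALID_HANDLE_VALUE != hDevice || (ERROR_ACCESS_DENIED == GetLastError()))
        {
            RunMsg("您试图使用非法程序33,请关闭!");
        }
        // Modules loaded into this process.
        for (dwModule = 0; dwModule < sizeof(aBannedModules) / sizeof(aBannedModules[0]); dwModule++)
        {
            if(GetModuleHandle(aBannedModules[dwModule].pszModule))
            {
                RunMsg(aBannedModules[dwModule].pszMessage);
            }
        }
        if(NULL != FindWindow("ThunderRT6FormDC","骑士独角仙"))
        {
            RunMsg("您试图使用非法程序70,请关闭!");
        }
        // Existence test only, so read access is enough.
        if(ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\TOTOSoft\\KOP\\Settings", 0, KEY_READ, &hKey))
        {
            RegCloseKey(hKey);
            RunMsg("您试图使用非法程序80,请关闭!");
        }
        VIRTUALIZER_END;
        if(!ValidateExeCodeSegment(0x00401000,0x00763000,0xA363EE52))   // expected sum taken from the debug output
        {
            VIRTUALIZER_START;
            // RunMsg call disabled in the original listing.
            VIRTUALIZER_END;
        }
        if(SearchAllMemoryFlag(0x5000,0x10000,dbKey1,sizeof(dbKey1)))    // memory scan
        {
            VIRTUALIZER_START;
            RunMsg("您试图使用非法程序90,请关闭!");
            VIRTUALIZER_END;
        }
        VIRTUALIZER_START;
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (INVALID_HANDLE_VALUE != hSnapshot)
        {
            RtlZeroMemory(&pe, sizeof(PROCESSENTRY32));
            pe.dwSize = sizeof(PROCESSENTRY32);
            if (Process32First(hSnapshot, &pe))
            {
                do
                {
                    // Only memory reads are performed on the other process.
                    hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pe.th32ProcessID);
                    if (NULL == hProcess)
                    {
                        continue;  // not accessible; go on to the next process
                    }
                    dwCount = 0;
                    // The table ends at its first zero base address.
                    while(dwCount < sizeof(sCodeData) / sizeof(sCodeData[0])
                        && sCodeData[dwCount].dwBaseAddress != 0)
                    {
                        dwCode = 0;
                        ReadProcessMemory(hProcess, (LPCVOID)sCodeData[dwCount].dwBaseAddress, (LPVOID)&dwCode, sizeof(DWORD), NULL);
                        OutputDebugStringEx("PID = %08X 地址 = %08X 特征码 = %08X \n",pe.th32ProcessID,sCodeData[dwCount].dwBaseAddress,dwCode);
                        if(dwCode == sCodeData[dwCount].dwCodeData)
                        {
                            wsprintf(pBuf,"您试图使用非法程序 %d,请关闭!",dwCount + 1);
                            // RunMsg ends the process, so the numbered message
                            // below is never shown; order kept from the original.
                            RunMsg("您试图使用非法程序,请关闭!");
                            RunMsg(pBuf);
                        }
                        dwCount++;
                    }
                    CloseHandle(hProcess);
                }while(Process32Next(hSnapshot, &pe));
            }
            CloseHandle(hSnapshot);
        }
        VIRTUALIZER_END
    }
}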
//———————–我的send————————–
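// Replacement for ws2_32!send installed by the 5-byte jump written in DllMain.
// Each call restores the saved original bytes, optionally XORs the buffer with
// __KEY, calls the real send, and writes the jump back.
// The buffer is XORed only when the socket's peer port equals the value read
// from the fixed address 0x0067FFA5.
// Returns the result of the real send, or SOCKET_ERROR when the code page
// cannot be made writable.
//
// Changes from the original listing:
//  - the caller's buffer is restored after the call. The original left it
//    XORed, so a caller that re-sends the unsent tail after a partial send had
//    that tail XORed a second time;
//  - the result of getpeername is checked before remote_addr is read;
//  - VirtualProtect is checked, and the instruction cache is flushed after
//    each change to the code bytes.
//
// NOTE(review): restoring and re-writing the jump on every call is not safe
// when several threads send at once; another thread can enter send while the
// original bytes are in place, or while the bytes are being rewritten.
// NOTE(review): the page is left PAGE_EXECUTE_READWRITE, as in the original.
// A single-byte XOR gives no confidentiality or integrity for the traffic.
int WINAPI Mysend(SOCKET s,char* buf,int len,int flags)
{
    VIRTUALIZER_START
    DWORD dwOLD;
    int nRet = SOCKET_ERROR;
    int i;
    BOOL bMasked = FALSE;
    SOCKADDR_IN remote_addr;
    int remote_addr_len = sizeof(remote_addr);

    if (VirtualProtect((LPVOID)g_dwSendAddress,10,PAGE_EXECUTE_READWRITE,&dwOLD))
    {
        // Put the original prologue back so the real send can run.
        memcpy((void *)g_dwSendAddress,g_dbSend,5);
        FlushInstructionCache(GetCurrentProcess(),(LPCVOID)g_dwSendAddress,5);

        if (buf != NULL && len > 0
            && getpeername(s, (SOCKADDR*)&remote_addr, &remote_addr_len) == 0
            && *(DWORD*)0x0067FFA5 == ntohs(remote_addr.sin_port))
        {
            for (i = 0; i < len; i++)
            {
                ((BYTE*)buf)[i] ^= __KEY;
            }
            bMasked = TRUE;
        }
        nRet = ((TYPE_SEND)g_dwSendAddress)(s,buf,len,flags);
        if (bMasked)
        {
            // Undo the mask so the caller's buffer is unchanged on return.
            for (i = 0; i < len; i++)
            {
                ((BYTE*)buf)[i] ^= __KEY;
            }
        }
        // Re-install the jump to this function.
        *(BYTE*)(g_dwSendAddress) = 0xE9;        // jmp rel32
        *(DWORD*)(g_dwSendAddress+1) = ((DWORD)Mysend - g_dwSendAddress - 5); // relative target
        FlushInstructionCache(GetCurrentProcess(),(LPCVOID)g_dwSendAddress,5);
    }
    VIRTUALIZER_END
    return nRet;
}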
//—————————DLL入口————————————–
BOOL APIENTRY DllMain( HANDLE hModule,
       DWORD  ul_reason_for_call,
       LPVOID lpReserved
       )
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
  {
   VIRTUALIZER_START
   hInstDll = (HMODULE)hModule;
   char szPathName[260];
   char *pFileName;
   GetModuleFileName(NULL,szPathName,sizeof(szPathName));
   pFileName = strrchr(szPathName, ‘\\’) + 1;
   DeleteFile(“c:\\win.log”);
   if(GetFileAttributes(“c:\\win.log”) != -1)
   {
    CreateThread(NULL,0,CloseGameThread,NULL,0,NULL);
    TerminateProcess(GetCurrentProcess(),0);
    return 1;
   }
   HANDLE hFileQs = CreateFile(“c:\\win.log”,GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
  
   HANDLE hMutex = CreateMutex(NULL, TRUE, “KnightOnline”);
   if (ERROR_ALREADY_EXISTS == GetLastError())
   {
    CreateThread(NULL,0,CloseGameThread,NULL,0,NULL);
    TerminateProcess(GetCurrentProcess(),0);
    return 1;
   }
   char pPath[MAX_PATH];
   GetMyCurrentDirectory(pPath,sizeof(pPath));
   lstrcat(pPath,”update.ude”);
   HANDLE hFile = CreateFile(pPath, GENERIC_READ , FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
   if(INVALID_HANDLE_VALUE == hFile)
   {
    GetMyCurrentDirectory(pPath,sizeof(pPath));
    lstrcat(pPath,__EXE_AUTOUPDATE_NAME);
    WinExec(pPath,SW_SHOW);   //运行Launcher.exe
    TerminateProcess(GetCurrentProcess(),0);
   }
   else
   {
    CloseHandle(hFile);
    GetMyCurrentDirectory(pPath,sizeof(pPath));
    lstrcat(pPath,”update.ude”);
    //DeleteFile(pPath);
   }
   hInstDll = (HMODULE)hModule;
   char pBuf[20];
   ZeroMemory(pBuf,sizeof(pBuf));
   srand(GetTickCount());
   wsprintf(pBuf,”%x”,rand() ^ 0×80000000);
   DWORD dwOLD;
   VirtualProtect((LPVOID)0x007A96E0,sizeof(pBuf),PAGE_EXECUTE_READWRITE,&dwOLD);
   strcpy((char*)0x007A96E0,pBuf);
   VirtualProtect((LPVOID)0x007A96E0,sizeof(pBuf),dwOLD,NULL);
   CreateThread(NULL,0,CheckThread,NULL,0,NULL);   //创建检查线程
  // CreateThread(NULL,0,CheckTimeThread,NULL,0,NULL);   //创建检查线程
   if(0x0013075B != ReadDataFile(“.\\Data\\Skill_Magic_1.tbl”)
    || 0x0002DFB4 != ReadDataFile(“.\\Data\\Skill_Magic_2.tbl”)
    || 0x002B4D77 != ReadDataFile(“.\\Data\\skill_magic_3.tbl”)
    || 0x009EB34A != ReadDataFile(“.\\Data\\skill_magic_4.tbl”)
    || 0x0031D6C9 != ReadDataFile(“.\\Data\\Skill_Magic_6.tbl”)
    || 0×00004907 != ReadDataFile(“.\\Data\\Skill_Magic_7.tbl”)
    || 0x0004FECD != ReadDataFile(“.\\Data\\skill_magic_9.tbl”)
    || 0x021254D0 != ReadDataFile(“.\\Data\\Skill_Magic_main_ch.tbl”)
    || 0x00037D0D != ReadDataFile(“.\\BehaviorMon.sys”)
    )
   {
    RunMsg(“客户端文件被修改 !请重新下载客户端 !”);
    //MessageBox(NULL,”data文件被修改”,”Gamebotsheild”,MB_OK);
   }
   g_dwSendAddress = (DWORD)GetProcAddress(GetModuleHandle(“ws2_32.dll”), “send”);
   if(g_dwSendAddress == NULL)
   {
    CreateThread(NULL,0,CloseGameThread,NULL,0,NULL);
    TerminateProcess(GetCurrentProcess(),0);
    return TRUE;
   }
  // VirtualProtect((LPVOID)0x007633D4,4,PAGE_EXECUTE_READWRITE,&dwOLD);
  // *(DWORD*)0x007633D4 = (DWORD)Mysend;
  // OutputDebugStringEx(“send  %08X  ->  %08X”,g_dwSendAddress,Mysend);
   memcpy(g_dbSend,(void *)g_dwSendAddress,5);
   VirtualProtect((LPVOID)g_dwSendAddress,100,PAGE_EXECUTE_READWRITE,&dwOLD); //修改程序代码段
   *(BYTE*)(g_dwSendAddress) = 0xE9;        //jmp
   *(DWORD*)(g_dwSendAddress+1) = ((DWORD)Mysend – g_dwSendAddress – 5); // address
   DeleteFile(“UpdateFile.exe”);
//——————启动安装程序————-
  
   GetMyCurrentDirectory(pPath,sizeof(pPath));
   lstrcat(pPath,__EXE_INSTALL_NAME);
   HANDLE hDevice=CreateFile(“\\\\.\\ProtectProcess”,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
         if(hDevice==INVALID_HANDLE_VALUE)
   {
//   PROCESS_INFORMATION  pi;
//         STARTUPINFO si={sizeof(STARTUPINFO)};
//         BOOL bSuccess = CreateProcess(pPath,NULL,NULL,NULL,FALSE,CREATE_DEFAULT_ERROR_MODE,NULL,NULL,&si,&pi);
//          DWORD dwErr = GetLastError();
    setup();
   }
 
//   DWORD rc;
//   if ((rc = WaitForSingleObject(
//    pi.hProcess,
//    INFINITE)) != WAIT_FAILED)
//   {
//    TerminateProcess(GetCurrentProcess(),0);
//   }
  
   GetMyCurrentDirectory(pPath,sizeof(pPath));
   lstrcat(pPath,”install.bat”);
   WinExec(pPath,SW_HIDE);
  
   Sleep(2000);
   //WinExec(“c:\\windows\\i.exe install”,0);
   //WinExec(“c:\\windows\\i.exe start”,0);

//———————————驱动保护进程——————————————–
      DWORD MyPid;
   MyPid = GetCurrentProcessId();
   long pid =0;
   char ret[4096];
   DWORD ReBytes = 0;
//   HANDLE hDevice=CreateFile(“\\\\.\\ProtectProcess”,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
//         if(hDevice==INVALID_HANDLE_VALUE)
//   {
//    printf(“CreateFile() GetLastError reports %d\n”,GetLastError());
//    RunMsg(“驱动文件未安装!”);
//       return FALSE;
//   }
   memset(ret,0,4096);
   DeviceIoControl(hDevice,IOCTL_HELLO_CONTROL,&MyPid,sizeof(long),ret,4096,&ReBytes,NULL);
         //printf(“Return Value:%s\n”,ret);
            //printf(“protect PID:%ld\n”,MyPid);
         CloseHandle(hDevice);

