本帖最后由 asd9988 于 2013-11-10 21:50 编辑
代码就是这样了…当然,现在是不能用了的。
方法取自于:http://www.52pojie.cn/thread-213623-1-1.html @junjun6304
对初学者来说,还算有一定的学习价值吧。
// LOLFUCK.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "VMProtectSDK.h"
// Hook bookkeeping shared between DllMain (which fills these in) and the
// naked stubs below. Every value is a 32-bit address or displacement inside
// the host process; storing pointers in DWORD means this only works as x86.
//
// "Login" hook: patch site, rel32 displacement to PatchData, resume address.
DWORD g_dwSrcAddr = 0;
DWORD g_dwJmpAddr = 0;
DWORD g_dwSrcAddrNext = 0;
// "Time" hook: patch site and rel32 displacement to PassTimeData.
DWORD g_dwSrcTimeAddr = 0;
DWORD g_dwJmpTimeAddr = 0;
// Value that PassTimeData pushes before resuming (set to base + 0xA8A38).
DWORD g_dwTimePushAddr = 0;
// Address whose bytes at +2 and +3 PassTimeData overwrites (base + 0xC031A).
DWORD g_dwServerIPChangeAddr = 0;
// Resume address for the "time" hook (patch site + 5).
DWORD g_dwSrcTimeAddrNext = 0;
// Jump template: byte 0 is 0xE9 (x86 JMP rel32); bytes 1..4 start as zero and
// are overwritten with a displacement by DllMain before each patch is copied.
unsigned char szJmp[5] = {0xE9};
// Text and caption of the message box shown by DllMain once the patches are
// written. NOTE(review): VMProtectDecryptStringA is the VMProtect SDK wrapper
// for string literals; presumably the literals are stored encrypted only after
// the binary has been processed by VMProtect -- confirm against the SDK docs.
char *szMsg = VMProtectDecryptStringA("程序已成功path,请输入帐号和密码[111111],点击登录即可 \r\n LOLLastHit破解版[当前支持:V1.952~V1.953]可能支持1.954级以后的版本 \r\n 这是免费的!如果你是在淘宝购买的,请立即退款给差评 \r\n 破解版发布地址:[url=http://www.52pojie.cn]http://www.52pojie.cn[/url]");
char *szCaption = VMProtectDecryptStringA("By:asd9988 For 吾爱破解");
//char* tmpData = "4\n2999/09/09 09:09:09\n0";
// Address of the host function that PatchData calls before setting the flag
// (DllMain sets it to base + 0x6F4D0). The author's trailing note is kept as
// written; NOTE(review): it does not match the offset used in DllMain.
DWORD g_dwSrcCall; // 6F4D0 = 0x0046F4B0;
// Detour target for the "login" patch site (g_dwSrcAddr).
//
// Declared naked, so the compiler emits no prologue/epilogue and the stub runs
// on the host's stack frame with the host's registers. It is entered through
// the 5-byte JMP that DllMain writes into the host image, never through a
// normal call. Sequence: call the host routine stored in g_dwSrcCall, store
// the byte 0x34 at [edi+0x78], then jump back into the host at g_dwSrcAddrNext.
// NOTE(review): presumably the call replays the 5-byte instruction that the
// patch overwrote -- the host binary is not shown, so this cannot be confirmed.
// The unconditional jmp means control never reaches VMProtectEnd() at run
// time; the Begin/End pair serves only as VMProtect region markers.
void __declspec (naked) PatchData()
{
VMProtectBegin("PatchData");
_asm
{
// Indirect call through the global: host function at base + 0x6F4D0.
call g_dwSrcCall
mov byte ptr[edi+0x78],0x34// login flag = 4 (0x34 is ASCII '4')
// mov byte ptr[edi+0x80],0x39// test
// mov byte ptr[edi+0x81],0x39// test
// mov byte ptr[edi+0x82],0x38// test
// mov byte ptr[edi+0x83],0x38// test
// jump back into the host code
jmp g_dwSrcAddrNext
}
VMProtectEnd();
}
// Detour target for the "time" patch site (g_dwSrcTimeAddr).
//
// Naked stub entered via the JMP written by DllMain. It pushes the value held
// in g_dwTimePushAddr, overwrites two bytes of host data at
// g_dwServerIPChangeAddr+2 and +3 with 0x37 and 0x32 (ASCII '7' and '2'), and
// resumes the host at g_dwSrcTimeAddrNext. eax is saved and restored around
// the write so the host sees its register state unchanged apart from the push.
// NOTE(review): the push presumably replays the 5-byte instruction that the
// patch displaced -- confirm against the host binary.
void __declspec (naked) PassTimeData()
{
VMProtectBegin("PassTimeData");
_asm
{
push g_dwTimePushAddr // IP calculation (author's label)
push eax
mov eax,g_dwServerIPChangeAddr
mov byte ptr ds:[eax+2],0x37
mov byte ptr ds:[eax+3],0x32
pop eax
//
// jump back into the host code, 5 bytes past the patch site
jmp g_dwSrcTimeAddrNext
}
VMProtectEnd();
}
// "Update" hook: patch site (base + 0x5386), rel32 displacement to PassUpdate,
// and the resume address (patch site + 0x28E). All three are set in DllMain.
DWORD g_dwSrcUpdateAddr = 0;
DWORD g_dwJmpUpdateAddr = 0;
DWORD g_dwSrcUpdateAddrNext = 0;
// Detour target for the "update" patch site (g_dwSrcUpdateAddr).
//
// The stub does nothing except jump to g_dwSrcUpdateAddrNext, which DllMain
// sets to the patch site + 0x28E, so the 0x28E bytes of host code that follow
// the patch site are skipped. Unlike the other two stubs, this one carries no
// VMProtectBegin/VMProtectEnd markers.
void __declspec (naked) PassUpdate()
{
__asm
{
jmp g_dwSrcUpdateAddrNext
}
}
// DLL entry point. On DLL_PROCESS_ATTACH it installs three inline hooks in the
// host executable's image and then shows a message box; every other
// notification is ignored. Always returns TRUE.
//
// Each hook is a 5-byte "E9 rel32" jump copied over host code at a fixed offset
// from the host's base address, after the target page has been switched to
// PAGE_EXECUTE_READWRITE.
//
// Artifacts this leaves in the host process, as visible from the code:
//  - the image bytes at base+0x213F, base+0x1E88 and base+0x5386 no longer
//    match the file on disk, and each starts with 0xE9 pointing into this DLL;
//  - the VirtualProtect results are never checked and the saved protections
//    (dwOld / dwOlds) are never restored, so the touched pages remain
//    writable and executable for the rest of the process lifetime.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
VMProtectBegin("DLL_INIT");
//00401000
// The hModule parameter (this DLL's handle) is overwritten with the base
// address of the host EXE; every offset below is relative to that base.
hModule = GetModuleHandle(NULL);
g_dwSrcAddr = (DWORD)hModule + 0x213F; // patch site: bypass login
g_dwSrcTimeAddr = (DWORD)hModule + 0x1E88;// patch site: bypass "exception" (author's label)
g_dwSrcUpdateAddr = (DWORD)hModule + 0x5386;// patch site: bypass update
// rel32 displacement = target address - patch address - 5
// (5 is the length of the E9 jump instruction itself)
g_dwJmpAddr = (DWORD)PatchData - g_dwSrcAddr - 5;
g_dwJmpTimeAddr = (DWORD)PassTimeData - g_dwSrcTimeAddr - 5;
g_dwJmpUpdateAddr = (DWORD)PassUpdate - g_dwSrcUpdateAddr - 5;
// resume addresses the stubs jump back to
g_dwSrcAddrNext = g_dwSrcAddr + 5;
g_dwSrcTimeAddrNext = g_dwSrcTimeAddr + 5;
g_dwSrcUpdateAddrNext = g_dwSrcUpdateAddr + 0x28E;// resume address (skips 0x28E bytes)
// value pushed by PassTimeData
g_dwTimePushAddr =(DWORD)hModule + 0xA8A38;// protected push (author's label) //d0318
g_dwServerIPChangeAddr = (DWORD)hModule + 0xC031A;// IP calculation (author's label)
// host function called by PatchData
g_dwSrcCall = (DWORD)hModule + 0x6F4D0;//CALL
// Hook 1 (login): fill the displacement into the shared template, make the
// target writable, copy the 5 bytes. szJmp is reused for all three hooks,
// so each fill must happen immediately before its own copy.
memcpy(&szJmp[1],&g_dwJmpAddr,4);
DWORD dwOld;
// The range starts at the patch address, not a page boundary; VirtualProtect
// applies to every page that contains any byte of the 0x1000-byte range.
VirtualProtect((void*)g_dwSrcAddr,0x1000,PAGE_EXECUTE_READWRITE,&dwOld);
memcpy((void*)g_dwSrcAddr,szJmp,sizeof(szJmp));
// Hook 2 (time).
memcpy(&szJmp[1],&g_dwJmpTimeAddr,4);
DWORD dwOlds;
VirtualProtect((void*)g_dwSrcTimeAddr,0x1000,PAGE_EXECUTE_READWRITE,&dwOlds);
memcpy((void*)g_dwSrcTimeAddr,szJmp,sizeof(szJmp));
// Hook 3 (update).
memcpy(&szJmp[1],&g_dwJmpUpdateAddr,4);// assemble the jump
// VirtualProtect parameters: address, size, new protection, out-pointer for the previous protection
// dwOlds is reused here, discarding the value saved for hook 2.
VirtualProtect((void*)g_dwSrcUpdateAddr,0x1000,PAGE_EXECUTE_READWRITE,&dwOlds);// change the page protection
memcpy((void*)g_dwSrcUpdateAddr,szJmp,sizeof(szJmp));
// Modal message box shown from inside DllMain, after all three patches are written.
::MessageBoxA(NULL,szMsg,szCaption,MB_OK|MB_ICONINFORMATION);
VMProtectEnd();
}
return TRUE;
}