发表于 2008-5-21 17:24:26
8, m_szRetCall[_FidUseId(m_szRetCall[wFindFixId].w2secId)].szRetBuffer);
__logger.Fflush();
}else if( *(WORD*)(pRecvBuffer + nPox + wFixPox - 2 ) == 0x15FF)
{
//CALL [XXXXX]
*(DWORD*)(pRecvBuffer + nPox + wFixPox) = (DWORD)&(m_szRetCall[wFindFixId].dwApiAddr);
__logger.Trace("Pox:%p CALL %s \n",wFixPox - nLastSum*4 - 8, m_szRetCall[_FidUseId(m_szRetCall[wFindFixId].w2secId)].szRetBuffer);
__logger.Fflush();
}else if( *(BYTE*)(pRecvBuffer + nPox + wFixPox - 2 ) == 0x8B ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0xA1 )
{
//MOV RB32 , [XXXXX]
*(DWORD*)(pRecvBuffer + nPox + wFixPox) = (DWORD)&(m_szRetCall[wFindFixId].dwApiAddr);
__logger.Trace("Pox:%p MOV RB32, %s \n",wFixPox - nLastSum*4 - 8, m_szRetCall[_FidUseId(m_szRetCall[wFindFixId].w2secId)].szRetBuffer);
__logger.Fflush();
}else if( *(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0B8 ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0B9 ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BA ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BB ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BC ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BD ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BE ||
*(BYTE*)(pRecvBuffer + nPox + wFixPox - 1 ) == 0x0BF
)
{
//MOV RB32 , XXXXX
*(DWORD*)(pRecvBuffer + nPox + wFixPox) = (DWORD)&(m_szRetCall[wFindFixId].dwApiAddr);
__logger.Trace("Pox:%p MOV RB32, %p = %p \n",wFixPox - nLastSum*4 - 8, m_szRetCall[_FidUseId(m_szRetCall[wFindFixId].w2secId)].szRetBuffer);
__logger.Fflush();
}
}else
{
//此为读常量,非API地址的情况 (地址的地址)
*(DWORD*)(pRecvBuffer + nPox + wFixPox) = (DWORD)&(m_szRetCall[wFindFixId].pRetBuffer);
__logger.Trace("Pox:%p [%p] = %p \n",wFixPox - nLastSum*4 - 8,m_szRetCall[wFindFixId].szRetBuffer,*(DWORD*)m_szRetCall[wFindFixId].szRetBuffer);
__logger.Fflush();
}
}else
{
__logger.Trace("Pox:%p CALL [addr] = %p \n", wFixPox - nLastSum*4 - 8, wFixId);
__logger.Fflush();
dwRetEax = 0;
return dwRetEax;
}
}
}
//余下为CALL BUFFER
nPox += nLastLen;
ZeroMemory(m_szCallBuffer,sizeof(m_szCallBuffer));
__logger.Trace("\nCallBufferAddr: %p CallBufferLen: %p \n\n", &m_szCallBuffer, n1stTypeLen);
memcpy(m_szCallBuffer ,pRecvBuffer + nPox, n1stTypeLen);
m_szRetCall[wInsertId].pCallBufferAddr = (CHAR*)m_szCallBuffer;
nPox += n1stTypeLen;
break;
}
}
GS_EXIT:;
return dwRetEax;
}
2、经过上面的解析后，根据数据进行函数初始化：
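// Resolves the API address for every m_szRetCall slot that already names a
// DLL (w1stId) and an export (w2secId) but whose dwApiAddr is still 0.
//
// Each id is mapped to a slot index through _FidUseId(); that slot's
// szRetBuffer holds the DLL / export name that was received earlier.
// The loop index "[i]" was swallowed by the forum's markup in the original
// listing (m_szRetCall.wId etc.); it is restored here because m_szRetCall
// is indexed by slot everywhere else and i was otherwise unused.
//
// NOTE(review): the bound `i <= CALL_BUFFER_NO` is inclusive — if
// CALL_BUFFER_NO is the element count this reads one slot past the array;
// confirm against the declaration.
// NOTE(review): FreeLibrary() immediately after GetProcAddress() means
// dwApiAddr may point into a module that has just been unloaded unless the
// DLL was already mapped by the process; kept as in the original.
void _InitApiDate()
{
    for (INT i = 0; i <= CALL_BUFFER_NO; i++)
    {
        // Skip slots that are empty, incomplete, or already resolved.
        if (m_szRetCall[i].wId == 0 ||
            m_szRetCall[i].w1stId == 0 ||
            m_szRetCall[i].dwApiAddr != 0 ||
            m_szRetCall[i].w2secId == 0)
        {
            continue;
        }

        const INT nDllSlot = _FidUseId(m_szRetCall[i].w1stId);
        CHAR* cDllName = m_szRetCall[nDllSlot].szRetBuffer;
        HINSTANCE hInstLibrary = LoadLibrary(cDllName);
        if (hInstLibrary == NULL)
        {
            // Module could not be loaded: leave dwApiAddr at 0 instead of
            // handing a NULL module handle to GetProcAddress/FreeLibrary.
            continue;
        }

        const INT nApiSlot = _FidUseId(m_szRetCall[i].w2secId);
        CHAR* cApiName = m_szRetCall[nApiSlot].szRetBuffer;
        m_szRetCall[i].dwApiAddr = (DWORD)GetProcAddress(hInstLibrary, cApiName);
        FreeLibrary(hInstLibrary);
    }
}
3,根据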
case 2://开始执行CALL
去调用要执行的函数代码：
// Executes the code currently held in m_szCallBuffer and returns whatever
// the called code leaves in EAX.
//
// m_szCallBuffer is filled by the receive path (memcpy from pRecvBuffer),
// so the bytes executed here presumably come straight from the server
// payload; any validation of that payload has to happen before this call.
//
// dwId: identifier mapped through _FidUseId() to an m_szRetCall slot; the
//       call is only made when that slot's pCallBufferAddr is non-zero.
//
// NOTE(review): nRet is never initialised and is returned unchanged when
// the call is skipped, i.e. an indeterminate value — consider `INT nRet = 0;`.
// NOTE(review): 8190 is a hard-coded size, while the receive path sizes the
// buffer with sizeof(m_szCallBuffer) — confirm the two agree.
// NOTE(review): both VirtualProtect results (bRetPortect) are ignored; if
// the first call fails the buffer is called while still non-executable.
// The inline __asm block is MSVC-only and 32-bit x86 only (pushad/popad).
INT _CallBufferId(DWORD dwId)
{
CHAR* pCallBuffer;
INT nRet;
DWORD dwFindUseId;
BOOL bRetPortect;
DWORD dwOldType;
pCallBuffer = (CHAR*)m_szCallBuffer;
dwFindUseId = (DWORD)_FidUseId(dwId);
// Make the buffer page executable; dwOldType receives the previous
// protection so it can be restored below.
bRetPortect = VirtualProtect(m_szCallBuffer, 8190, PAGE_EXECUTE_READWRITE, &dwOldType);
if(m_szRetCall[dwFindUseId].pCallBufferAddr != 0)
{
// Save all general registers and flags, call the buffer, capture EAX,
// then restore registers and flags.
__asm
{
pushad
pushfd
mov eax, pCallBuffer
call eax
mov nRet, eax
popfd
popad
}
}
// Restore the original page protection (result again unchecked).
bRetPortect = VirtualProtect(m_szCallBuffer, 8190, dwOldType, &dwOldType);
return nRet;
}
这里返回的eax就是反外挂需要的数据,服务器根据此数据来判断你是否作弊。到此,这反外挂系统简单流程就是如此了。
专门看了下送来执行的几个函数，发现它们在检查这些数据：
1)代码crc
2)窗体判断
3）hookdll 判断