变速齿轮的原理

类别:编程语言 点击:0 评论:0 推荐:

变速齿轮通过修改API函数GETTICKCOUNT和TIMEGETTIME骗过了游戏和程序的定时器导致游戏和程序速度看起来被改变。下面以GETTICKCOUNT为例进行分析:原本的GETTICKCOUNT汇编:

kernel32!gettickcount     mov gs,[bffcaea18]

                                    mov eax,gs:[00000000]

                                    sub edx,edx

                                     mov  gs,dx

                                     ret

变速齿轮修改后的GETTICKCOUNT汇编:

kernel32!gettickcount

 这里是关键-->jmp 840500d9(840500d9并不是绝对的)

                      add [eax],al

                      add [ecx+00000000],ah

                      sub edx,edx    

                      mov  gs,dx    

                      ret     

     可以看出变速齿轮修改了gettickcount的代码,当游戏和程序使用gettickcount时就会自动跳转到840500d9处执行。再看看840500d9处的代码汇编:

             840500d9:CLI

                            push ebp

                            mov ebp,esp               

                            push ebx                   

                            push ecx                     

                           push edx

                           push esi

                           push edi

                            call 840500e7

             840500e7:pop edi

                           xor di,di

                           mov esi,edi

                           add esi,00402051

                           sub esi,00401f0b

                           push esi      

                           call edi

                           call 84050101

            84050101:pop edi

                           xor di,di    

                           call [edi+0000fef0]                     

                           call 84050110         

            84050110:sub eax,[edi+0000ff30]     

                           mul dword,ptr[edi+0000ff30] 

                           mov ebx,00100000                 

                           div ebx                

                           add eax,[edi+0000fe20]         

                           push eax                 

                            mov eax,00402072              

                            sub eax,00401f08          

                            add eax,edi              

                            push eax             

                            call edi                  

                            pop eax                     

                            pop edi               

                           pop esi             

                           pop edx                

                           pop ecx               

                           pop ebx                

                            pop ebp                 

                            sil                

                            ret  

以上正是变速齿轮变速的核心所在。(GETTICKCOUNT返回的是EAX的值你可以对EAX进行跟踪)

    下面说一下变速齿轮挂接API的方法:首先变速齿轮在MMF区(WIN9X/ME)申请一块内存,把上面的代码从程序中移到该内存。使用修改描述符的方法从应用程序级跳到核心级(具体可查看《电脑编程技巧与维护》2000年第6期34页)修改GETTICKCOUNT开头的代码使之指向申请的内存的首地址实现挂接。 以上就是我对变速齿轮分析,如果有什么意见或想查看详细的原代码请与我联系,我的邮箱:[email protected]我会尽快给你答复。

本文地址:http://com.8s8s.com/it/it29972.htm