//需加載進卡丁車,一般在卡丁車登錄界面調用【BypassNexonGameSecurity】第一個參數傳遞BlackCipher的進程ID
//cpp源碼 .
#include "stdafx.h"
#include <string>
#include <TlHelp32.h>
#include "VMProtectSDK.h"
using namespace std;
// BypassNexonGameSecurity
// Tampers with the process identified by `pid` (per the page's header comment:
// the BlackCipher anti-cheat helper, with this code loaded inside the game).
//
// What the visible code does, in order:
//   1. Opens the target process with PROCESS_ALL_ACCESS.
//   2. Commits one PAGE_EXECUTE_READWRITE page in the target and writes a
//      10-byte stub into it (push imm32; jmp rel32 -> Sleep).
//   3. Walks a thread snapshot; for every thread owned by `pid` whose start
//      address equals the queried module entry point and whose backing file
//      name contains "BlackCipher.aes", it suspends the thread, sets Eip to
//      the stub and resumes it.
//
// Returns false on the first failed API call shown below; returns true
// otherwise, including when no thread matched the filter.
// x86-only: relies on (DWORD) pointer casts and CONTEXT::Eip.
//
// Defender view - artefacts this sequence leaves in the protected process:
//   - a foreign handle opened with PROCESS_ALL_ACCESS / THREAD_ALL_ACCESS,
//   - a private, committed RWX page not backed by any image,
//   - a thread whose instruction pointer sits in that private page,
//   - a non-zero Dr1 (value 10086) in the affected thread's context.
// NOTE(review): most early `return false` paths after OpenProcess skip
// CloseHandle(hpss)/CloseHandle(hTdSnap) and VMProtectEnd().
bool __stdcall BypassNexonGameSecurity(ULONG pid/*=g_BlackCipherPID*/) {
// VMProtect SDK marker; pairs with VMProtectEnd() near the end of the function.
VMProtectBegin("BypassNexonGameSecurity");
// Disabled self-check: compared the DWORD at a fixed address with a constant
// and terminated the current process on mismatch.
//if (*(PDWORD)0xF4C127 != 0x2ADDE4BB)
//{
// MyDbgFun("notcrc,exit");
// TerminateProcess(OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId()), NULL);
// return false;
//}
// Local declaration of MODULEINFO; psapi.h is not among the includes shown.
typedef struct _MODULEINFO {
LPVOID lpBaseOfDll;
DWORD SizeOfImage;
LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
// Function-pointer types for the APIs resolved at run time below.
typedef BOOL(WINAPI* GetModuleInformation_t)(HANDLE hProcess,
HMODULE hModule,
LPMODULEINFO lpmodinfo,
DWORD cb);
// NOTE(review): declared with LPTSTR but later called with a WCHAR buffer,
// so this presumably only builds with UNICODE defined - confirm.
typedef DWORD(WINAPI* GetMappedFileNameW_t)(HANDLE hProcess,
LPVOID lpv,
LPTSTR lpFilename,
DWORD nSize);
typedef NTSTATUS(NTAPI *NtQueryInformationThread_)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation,
ULONG ThreadInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI* NtWriteVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef NTSTATUS(NTAPI* NtReadVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
// Resolved once (function-local statics) through GetProcAddress instead of
// being linked statically. None of the results is checked for NULL before use.
// _NtReadVirtualMemory and _NtQueryInformationProcess are not used in this function.
static NtReadVirtualMemory_t _NtReadVirtualMemory = reinterpret_cast<NtReadVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtReadVirtualMemory"));
static NtWriteVirtualMemory_t _NtWriteVirtualMemory = reinterpret_cast<NtWriteVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtWriteVirtualMemory"));
static NtQueryInformationProcess_t _NtQueryInformationProcess = reinterpret_cast<NtQueryInformationProcess_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess"));
static GetMappedFileNameW_t MyGetMappedFileNameW = reinterpret_cast<GetMappedFileNameW_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetMappedFileNameW"));
static GetModuleInformation_t MyGetModuleInformation = reinterpret_cast<GetModuleInformation_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetModuleInformation"));
static NtQueryInformationThread_ MyNtQueryInformationThread = reinterpret_cast<NtQueryInformationThread_>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread"));
HANDLE hTdSnap, hpss, hTd; LPVOID lpbaseAddress; LONG status;
PVOID startaddr = NULL;
THREADENTRY32 te32 = { 0 };
CONTEXT ctx = { 0 };
// 10-byte x86 stub: 0x68 = push imm32 (0x10000000), 0xE9 = jmp rel32.
// The rel32 operand (bytes 6..9) is filled in after the remote page is allocated.
BYTE phcode[10] = { 0x68, 0x00, 0x00, 0x00, 0x10,
0xE9, 0x00, 0x00, 0x00, 0x00 };
WCHAR sz_modulefilepath[MAX_PATH] = { 0 };
memset(&te32, 0, sizeof(te32));
// dwSize is set before the Thread32First call below.
te32.dwSize = sizeof(THREADENTRY32);
// Sleep is resolved in the *current* process and the address is reused as the
// jmp target in the remote stub - assumes Kernel32 is mapped at the same
// address in the target; TODO confirm.
FARPROC lpSleep = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "Sleep");
// Full-access handle to the target process.
hpss = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (NULL == hpss) { return false; }
MODULEINFO pModuleInfo = { 0 };
// hModule is NULL here; presumably this yields the target's main module - confirm.
// Only EntryPoint is used afterwards.
if (!MyGetModuleInformation(hpss, NULL, &pModuleInfo, sizeof(pModuleInfo))) { return false; }
if (!pModuleInfo.EntryPoint) { return false; }
// One committed 0x1000-byte RWX page in the target to hold the stub.
lpbaseAddress = VirtualAllocEx(hpss, NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == lpbaseAddress) { return false; }
// rel32 = Sleep - (stub base + 10), i.e. relative to the end of the jmp instruction.
*(DWORD *)((DWORD)&phcode + 6) = (DWORD)lpSleep - (DWORD)lpbaseAddress - 10;
// NTSTATUS: any non-zero value is treated as failure.
if (_NtWriteVirtualMemory(hpss, lpbaseAddress, (LPVOID)&phcode, sizeof(phcode), NULL)){ return false; }
// Thread snapshot; entries are filtered by owner process id in the loop.
hTdSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hTdSnap == INVALID_HANDLE_VALUE) { return false; }
BOOL bNext = Thread32First(hTdSnap, &te32);
while (bNext)
{
if (te32.th32OwnerProcessID == pid)
{
// Full-access handle to each thread of the target.
hTd = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
if (NULL == hTd) { return false; }
else
{
// Query the thread's Win32 start address.
status = MyNtQueryInformationThread(hTd,
ThreadQuerySetWin32StartAddress,
&startaddr, sizeof(startaddr), NULL);
if (STATUS_SUCCESS != status)
{
CloseHandle(hTd);
return false;
}
else
{
// Only threads that started at the module entry point are considered.
if (startaddr == pModuleInfo.EntryPoint)
{
// Name of the file mapped at the start address; return value is not checked.
MyGetMappedFileNameW(hpss, startaddr, sz_modulefilepath, MAX_PATH);
wstring mfpath(sz_modulefilepath);
// Substring match on the backing file name (-1 compares equal to npos).
if (mfpath.find(TEXT("BlackCipher.aes")) != -1)
{
// Suspend / read context / redirect / resume. None of these
// return values is checked.
SuspendThread(hTd);
ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
GetThreadContext(hTd, &ctx);
// A zero Dr1 is the precondition for redirecting; 10086 is then stored in
// Dr1 - this appears to serve as an "already redirected" marker so a
// second call skips the thread. Dr7 is not modified here.
if (!ctx.Dr1)
{
ctx.Dr1 = 10086;
// Execution resumes at the stub, which jumps to Sleep.
ctx.Eip = (DWORD)lpbaseAddress;
ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
SetThreadContext(hTd, &ctx);
}
ResumeThread(hTd);
}
}
}
}
CloseHandle(hTd);
}
bNext = Thread32Next(hTdSnap, &te32);
}
CloseHandle(hTdSnap);
CloseHandle(hpss);
VMProtectEnd();
return true;
}
調用方法:
// Usage fragment from the page (not a complete translation unit).
// The next line looks like an export-table entry for the DLL (ordinal, name,
// address) - presumably pasted from a PE viewer.
//1 BypassNexonGameSecurity 0F1E1280 0
// This function must be called after the DLL has been injected into the game.
// Called dynamically and unloaded right after use, so the DLL does not stay in
// the module list. It can also be loaded from memory.
// Defender note: because the library is freed immediately, a later module-list
// scan will not show bypassngs.dll; the effects in the target process remain.
// NOTE(review): as written the fragment does not compile - the calling-convention
// macro is misspelled, the call passes no argument, and neither hLib nor
// myfpProc is checked for NULL.
typedef bool(WINPAI *BypassNGS)(LONG pid);
HANDLE hLib=LoadLibrary(TEXT("bypassngs.dll"));
BypassNGS myfpProc=(BypassNGS)GetProcAddress(hLib,"BypassNexonGameSecurity");
if(!myfpProc(/*BlackCipherPID*/))
{
AfxMessageBox(TEXT("過檢測失敗"));
}
FreeLibrary(hLib);