Pass all use tessafe.sys protect game
;write by y3y3y3 from www.unpack.cn
.386
.model flat, stdcall
option casemap:none
include C:/RadASM/masm32/include/w2k/ntstatus.inc
include C:/RadASM/masm32/include/w2k/ntddk.inc
include C:/RadASM/masm32/include/w2k/ntoskrnl.inc
include C:/RadASM/masm32/include/w2k/w2kundoc.inc
includelib C:/RadASM/masm32/lib/w2k/ntoskrnl.lib
include C:/RadASM//masm32/Macros/Strings.mac
.data
; Counted UNICODE_STRING constants naming the kernel routines that
; DriverEntry resolves through Getaddr / MmGetSystemRoutineAddress.
CCOUNTED_UNICODE_STRING "KeAttachProcess",KeAttachProcess_String, 4
CCOUNTED_UNICODE_STRING "PsCreateSystemThread", PsCreateSystemThread_String, 4
CCOUNTED_UNICODE_STRING "ObOpenObjectByPointer",ObOpenObjectByPointer_String,4
CCOUNTED_UNICODE_STRING "NtOpenProcess",NtOpenProcess_String,4
CCOUNTED_UNICODE_STRING "NtOpenThread", NtOpenThread_String,4
; Resolved routine addresses, filled in by DriverEntry. None of them is
; checked for 0 before use anywhere in this file.
PsCreateSystemThread_addr dd ?
NtWriteVirtualMemory_addr dd ?          ; taken from SSDT slot 115h (build specific)
NtReadVirtualMemory_addr dd ?           ; taken from SSDT slot 0bah (build specific)
ObOpenObjectByPointer_addr dd ?
NtOpenThread_addr dd ?
NtOpenProcess_addr dd ?
KiAttachProcess_addr dd ?               ; not exported; derived from a call inside KeAttachProcess at a hard-coded offset
; First 9 bytes of each routine's prologue, copied in DriverEntry so they
; can be written back later (Thread restores the first three, DriverUnload
; the last). Only 9 of the 10 bytes are ever used.
NtWriteVirtualMemory_oldbyte db 10 dup (0)
PsCreateSystemThread_oldbyte db 10 dup (0)
NtReadVirtualMemory_oldbyte db 10 dup (0)
KiAttachProcess_oldbyte db 10 dup (0)
threadproc dd ?                         ; original StartRoutine argument captured by ThreadHook
sysbase dd ?                            ; image base ThreadHook derives from the StartRoutine address
hook dd ?                               ; rel32 displacement of the jmp DriverEntry writes into PsCreateSystemThread
.code
;-----------------------------------------------------------------------
; PVOID Getaddr(PUNICODE_STRING apiString)
; Thin stdcall wrapper around MmGetSystemRoutineAddress.
; In:   apiString = counted UNICODE_STRING naming an exported kernel routine
; Out:  eax = routine address, or 0 when the name is not exported
;       (callers in this file do not test for 0 before dereferencing)
;-----------------------------------------------------------------------
Getaddr proc apiString:dword
        push    apiString
        call    MmGetSystemRoutineAddress
        ret
Getaddr endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; ABI:   stdcall, 32-bit x86 kernel mode only (pushad, CR0 handled through
;        32-bit registers, and SSDT indices / code offsets that are
;        hard-coded for the author's kernel build).
; Does:  1. clears CR0.WP and copies the first 9 bytes of
;           NtWriteVirtualMemory, NtReadVirtualMemory, KiAttachProcess and
;           PsCreateSystemThread into the *_oldbyte buffers;
;        2. overwrites the first 5 bytes of PsCreateSystemThread with
;           `jmp ThreadHook` (E9 rel32), saving the displacement in `hook`;
;        3. registers DriverUnload.
; Out:   eax = STATUS_SUCCESS (always; there is no failure path).
; Risk:  no resolved address is tested for 0 before it is dereferenced;
;        cli/sti only masks interrupts on the current processor, so other
;        processors can execute the routines while they are being rewritten;
;        any mismatch between the hard-coded offsets (115h, 0bah, 47h) and
;        the running kernel silently corrupts kernel code.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID               ; unused
pushad
cli                                     ; current processor only
mov eax, cr0
and eax,0fffeffffh                      ; clear CR0.WP (bit 16): allow writes to read-only kernel pages
mov cr0, eax
mov edi, dword ptr [KeServiceDescriptorTable] ; presumably the import slot -> edi = &KeServiceDescriptorTable
mov ebx, [edi]                          ; ebx = first field (ServiceTableBase)
mov esi, [ebx+(115h*4)]                 ; SSDT slot 115h (NtWriteVirtualMemory on the author's build)
mov ecx,9
mov NtWriteVirtualMemory_addr ,esi
mov edi,offset NtWriteVirtualMemory_oldbyte
rep movsb                               ; save its first 9 bytes
mov ecx,9
mov esi, [ebx+(0bah*4)]                 ; SSDT slot 0bah (NtReadVirtualMemory on the author's build)
mov NtReadVirtualMemory_addr,esi
mov edi,offset NtReadVirtualMemory_oldbyte
rep movsb                               ; save its first 9 bytes
invoke Getaddr,offset KeAttachProcess_String
add eax,47h                             ; assumes a 5-byte call to KiAttachProcess sits at KeAttachProcess+47h (build specific; faults if eax was 0)
mov edx,dword ptr [eax+1]               ; edx = rel32 of that call
lea eax,dword ptr [edx+eax+5]           ; eax = call target = KiAttachProcess
mov KiAttachProcess_addr,eax
mov ecx,9
mov esi,eax
mov edi,offset KiAttachProcess_oldbyte
rep movsb                               ; save its first 9 bytes
invoke Getaddr,offset ObOpenObjectByPointer_String
mov ObOpenObjectByPointer_addr,eax
invoke Getaddr,offset NtOpenProcess_String
mov NtOpenProcess_addr,eax
invoke Getaddr,offset NtOpenThread_String
mov NtOpenThread_addr,eax
invoke Getaddr,offset PsCreateSystemThread_String
mov PsCreateSystemThread_addr,eax
mov ecx,9
mov esi,eax
mov edi,offset PsCreateSystemThread_oldbyte
rep movsb                               ; save its first 9 bytes (eax is preserved by rep movsb)
mov edx,offset ThreadHook
sub edx,eax
sub edx,5                               ; edx = ThreadHook - PsCreateSystemThread - 5 = rel32 for a jmp
mov dword ptr [hook],edx
mov eax,PsCreateSystemThread_addr
mov byte ptr [eax],0e9h                 ; jmp rel32 opcode over the routine's first byte
push dword ptr [hook]
pop dword ptr [eax+1]                   ; ...followed by the displacement: 5 bytes replaced in total
mov eax, cr0
or eax,10000h                           ; restore CR0.WP
mov cr0, eax
sti
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
popad
mov eax, STATUS_SUCCESS
ret
DriverEntry endp
;-----------------------------------------------------------------------
; ThreadHook -- detour reached by the `jmp` DriverEntry wrote at the start
; of PsCreateSystemThread. The stack is exactly as on entry to
; PsCreateSystemThread:
;   [esp]      return address
;   [esp+4]    ThreadHandle      [esp+8]    DesiredAccess
;   [esp+0ch]  ObjectAttributes  [esp+10h]  ProcessHandle
;   [esp+14h]  ClientId          [esp+18h]  StartRoutine
;   [esp+1ch]  StartContext
; After pushad (20h bytes) StartRoutine is therefore at [esp+18h+20h].
; If the byte 4 before the StartRoutine is 65h ('e'), the StartRoutine
; argument on the stack is replaced with Thread and the original is kept
; in threadproc; sysbase is derived from the StartRoutine address.
; Either way the 5 prologue bytes the jmp overwrote are replayed here and
; control continues at PsCreateSystemThread+5.
; Registers are restored by popad; EFLAGS is not (pushad/popad do not save it).
; Risk: the match is a single byte, so a false positive redirects an
; unrelated system thread into Thread; [eax-4] is read without checking eax.
;-----------------------------------------------------------------------
ThreadHook proc
pushad
mov eax,dword ptr [esp+18h+20h]         ; eax = StartRoutine argument
cmp byte ptr [eax-4],65h ;tessafe 'e'== 65h
jne @F
cli
mov eax, cr0
and eax,0fffeffffh                      ; clear CR0.WP (not actually needed here: the only write below is to the stack)
mov cr0, eax
mov eax,dword ptr [esp+18h+20h]
mov threadproc,eax                      ; remember the original StartRoutine for Thread's tail jump
mov ecx,eax
and ecx,0ffh                            ; low byte of the StartRoutine address
add ecx,2f00h
sub eax,ecx
mov sysbase,eax                         ; assumes StartRoutine == base + 2f00h + low byte (layout specific)
mov dword ptr [esp+18h+20h],offset Thread ; PsCreateSystemThread will start Thread instead
mov eax, cr0
or eax,10000h                           ; restore CR0.WP
mov cr0, eax
sti
@@: popad
mov edi,edi                             ; replay the 5 bytes the jmp replaced:
push ebp                                ;   mov edi,edi / push ebp / mov ebp,esp
mov ebp,esp
push PsCreateSystemThread_addr
add dword ptr [esp],5                   ; [esp] = PsCreateSystemThread+5
ret                                     ; continue in the original routine
ThreadHook endp
;-----------------------------------------------------------------------
; Thread -- runs as the system thread whose StartRoutine ThreadHook swapped
; out. On entry [esp] is the return address and [esp+4] the original
; StartContext, which is left untouched; at the end control tail-jumps to
; the original StartRoutine (threadproc) with the same stack.
; Does, with CR0.WP cleared:
;   1. byte-steps forward from sysbase+1000h until the dword 8b005587h is
;      found, then writes 70h to the address stored 6 bytes before the match;
;   2. keeps stepping until a C3h byte is found, then writes 0 to the
;      address stored 6 bytes after it;
;   3. writes back the 9 prologue bytes DriverEntry saved for
;      NtReadVirtualMemory, NtWriteVirtualMemory and KiAttachProcess,
;      overwriting whatever is there at that moment (PsCreateSystemThread
;      is deliberately left hooked, see the commented-out block);
;   4. rewrites the rel32 at NtOpenProcess+13bh+1 and NtOpenThread+151h+1
;      so the 5-byte instruction there targets ObOpenObjectByPointer
;      (hard-coded offsets; build specific).
; Risk: both scans have no upper bound, so if the pattern is absent the
; loop walks past the image into unmapped memory and the system bugchecks;
; the pointers read at [eax-6] and [eax+6] are written through without
; validation; cli/sti only covers the current processor.
;-----------------------------------------------------------------------
Thread proc
pushad
cli
mov eax, cr0
and eax,0fffeffffh                      ; clear CR0.WP
mov cr0, eax
mov eax,sysbase
add eax,1000h;narrow the range, then scan forward for the signature (no upper bound)
@@: cmp dword ptr [eax],8b005587h       ; bytes 87 55 00 8B
je @F
add eax,1
jmp @B
@@: mov edx,dword ptr [eax-6]           ; edx = pointer stored 6 bytes before the match
mov byte ptr [edx],70h;patch debugproc clear 0
@@: cmp byte ptr [eax],0C3h             ; next C3h (ret) after the match
je @F
add eax,1
jmp @B
@@: mov edx,dword ptr [eax+6]           ; edx = pointer stored 6 bytes after the ret
mov byte ptr [edx],0 ;patch mon Ntopenprocess
mov ecx,9
mov edi,NtReadVirtualMemory_addr
mov esi,offset NtReadVirtualMemory_oldbyte
rep movsb                               ; restore the prologue saved in DriverEntry
mov ecx,9
mov edi,NtWriteVirtualMemory_addr
mov esi,offset NtWriteVirtualMemory_oldbyte
rep movsb                               ; restore the prologue saved in DriverEntry
mov ecx,9
mov edi,KiAttachProcess_addr
mov esi,offset KiAttachProcess_oldbyte
rep movsb                               ; restore the prologue saved in DriverEntry
;mov ecx,9
;mov edi,PsCreateSystemThread_addr
;mov esi,offset PsCreateSystemThread_oldbyte
;rep movsb
mov eax,NtOpenProcess_addr
add eax,13bh                            ; assumes a 5-byte call/jmp at NtOpenProcess+13bh
mov edx,ObOpenObjectByPointer_addr
sub edx,eax
sub edx,5                               ; edx = ObOpenObjectByPointer - (eax+5) = rel32
mov dword ptr [eax+1],edx
mov eax,NtOpenThread_addr
add eax,151h                            ; assumes a 5-byte call/jmp at NtOpenThread+151h
mov edx,ObOpenObjectByPointer_addr
sub edx,eax
sub edx,5
mov dword ptr [eax+1],edx
mov eax, cr0
or eax,10000h                           ; restore CR0.WP
mov cr0, eax
sti
popad
push threadproc
ret                                     ; tail-jump into the original StartRoutine; StartContext still at [esp+4]
Thread endp
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Writes the 9 bytes saved from PsCreateSystemThread back over the 5-byte
; detour DriverEntry installed (the extra 4 bytes are rewritten with their
; original contents). Nothing else is undone: the writes made by Thread
; stay in place, and there is no synchronisation with a thread that may be
; executing inside ThreadHook while this driver is unmapped.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
pushad
cli                                     ; current processor only
mov eax, cr0
and eax,0fffeffffh                      ; clear CR0.WP
mov cr0, eax
mov ecx,9
mov edi,PsCreateSystemThread_addr
mov esi,offset PsCreateSystemThread_oldbyte
rep movsb                               ; put the original prologue back
mov eax, cr0
or eax,10000h                           ; restore CR0.WP
mov cr0, eax
sti
popad
ret
DriverUnload endp
end DriverEntry