随手写了个蜘蛛纸牌外挂
2012-08-07 2012-08-14
休假在家,没带自己的电脑,无法开展平时的工作。随意拿起家里电脑上的蜘蛛纸牌,用网上能找到的绿色版 OllyDbg 动态分析了一下。顺手写了个作弊程序验证一下猜想。实现了随意移牌与不减分。

作弊代码 Spider.c 如下:

  1 #include <windows.h>
  2 #include <stdlib.h>
  3 #include <stddef.h>
  4 /*#include <assert.h>*/
  5 
/* Exported with the C calling convention; main() below is the export the post
 * invokes through rundll32. */
#define DllExport __declspec( dllexport ) __cdecl


/*
 * Byte offsets from the game's module base that Inject() rewrites.
 * NOTE(review): the post says these were found with a debugger on one
 * particular copy of SpiderSolitaire.exe; nothing in this file checks that
 * the module it patches is that same build, and a different build will not
 * have the same layout.
 */
#define ADDR_MOVE_CARD 0x2D318
#define ADDR_DEC_SCORE 0x2CE57

/*
 * hHook is placed in a section shared by every process this DLL is mapped
 * into (MSVC: the ".s" data segment, made read/write/shared by the linker
 * directive below; GCC: the ".shared" section attribute). A process that
 * receives the DLL via the hook therefore sees the handle main() stored in
 * the host, and DllMain uses "hHook != NULL" to tell the two roles apart.
 */
#pragma data_seg(".s")
HHOOK hHook
#ifdef __GNUC__
__attribute__((section (".shared"), shared))
#endif /* __GNUC__ */
 = NULL;
#pragma data_seg()
#pragma comment(linker, "/section:.s,RWS")

/* Per-process state: declared after the shared segment is closed, so each
 * process has its own copy. */
HINSTANCE hInst;                  /* this DLL's module handle, set in DllMain */
/* Original bytes saved by Inject(TRUE) so Inject(FALSE) can restore them.
 * NOTE(review): plain char may be signed, so the "*p = 0xEB" in Inject is an
 * implementation-defined conversion; the stored byte is still 0xEB on the
 * usual targets, but BYTE would be the cleaner type. */
char old_move_card, old_dec_score;
 23 
/*
 * Pass-through WH_MOUSE hook procedure.
 *
 * The hook itself does no work: installing it (see main) is what makes the
 * system map this DLL into the processes the hook reaches. Every event is
 * handed on unchanged to the next hook in the chain.
 */
LRESULT CALLBACK MouseProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    LRESULT forwarded;

    /* hHook is the shared handle installed by main(). */
    forwarded = CallNextHookEx(hHook, nCode, wParam, lParam);
    return forwarded;
}
 31 
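/*
 * Exported entry point run by the hook host (the post invokes it through
 * rundll32.exe). Installs a WH_MOUSE hook for all threads on the desktop,
 * backed by this DLL, blocks until the user dismisses a message box, then
 * removes the hook again.
 *
 * Returns 0 on success, 1 if the hook could not be installed, 2 if it could
 * not be removed. hInst must already hold this DLL's module handle; DllMain
 * stores it on DLL_PROCESS_ATTACH, which happens before the host calls here.
 *
 * NOTE(review): rundll32's documented entry convention is
 * "void CALLBACK f(HWND, HINSTANCE, LPSTR, int)", while this function is
 * exported as __cdecl with no parameters; it works only because the host
 * tolerates the mismatch, so confirm before changing the convention.
 */
int DllExport main(void)
{
    hHook = SetWindowsHookEx(WH_MOUSE, MouseProc, hInst, 0);
    if (hHook == NULL) {
        MessageBox(NULL, TEXT("挂钩失败"), TEXT("错误"), MB_OK | MB_ICONERROR);
        return 1;
    }

    /* Blocks here; the hook stays active until the box is dismissed. */
    MessageBox(NULL, TEXT("点击确定停止运行"), TEXT("蜘蛛纸牌作弊: 正在运行"), MB_OK | MB_ICONINFORMATION);

    /* The original ignored this result; a hook that failed to unhook would
     * silently stay installed. */
    if (!UnhookWindowsHookEx(hHook)) {
        return 2;
    }
    /* Clear the shared handle so a later DllMain sees "no hook installed". */
    hHook = NULL;
    return 0;
}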
 43 
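/*
 * Save-and-overwrite (or restore) a single byte in the current process.
 *
 * p       : address of the byte to rewrite
 * bInject : TRUE  - store *p into *saved, then write value
 *           FALSE - write *saved back to *p (value is ignored)
 * saved   : per-process slot holding the original byte
 * value   : replacement byte
 *
 * Returns TRUE if the page could be made writable and the byte was written.
 * The original code wrote without checking VirtualProtect, which on failure
 * turns into an access violation inside the hooked process.
 */
static BOOL patch_byte(BYTE *p, BOOL bInject, char *saved, BYTE value)
{
    DWORD op;

    if (!VirtualProtect(p, 1, PAGE_EXECUTE_READWRITE, &op)) {
        return FALSE;
    }
    if (bInject) {
        *saved = (char)*p;
        *p = value;
    } else {
        *p = (BYTE)*saved;
    }
    /* Put the previous protection back; nothing depends on this result. */
    VirtualProtect(p, 1, op, &op);
    return TRUE;
}

/*
 * Apply (bInject == TRUE) or undo (bInject == FALSE) the two one-byte
 * patches at ADDR_MOVE_CARD and ADDR_DEC_SCORE, relative to the base of
 * the calling process's main module.
 *
 * 0xEB is the x86 opcode of a short unconditional jmp and 0x40 is "inc eax"
 * in 32-bit code; what each one replaces was worked out with a debugger on
 * one specific build of the game (see the post), so the offsets are only
 * meaningful for that build.
 *
 * Undo is a no-op unless the patch was applied in this process: DllMain
 * calls Inject(FALSE) on every DLL_PROCESS_DETACH, including in processes
 * that never injected, where the original code wrote the zero-valued
 * "saved" bytes into the host image. If the second patch fails, the first
 * is rolled back so the process is never left half-patched.
 */
void Inject(BOOL bInject) /* TRUE:Inject  ,  FALSE:Uninject */
{
    static BOOL injected = FALSE;   /* per-process: did Inject(TRUE) succeed here? */
    BYTE *base;
    BYTE *move_card;
    BYTE *dec_score;

    if (!bInject && !injected) {
        return;
    }

    base = (BYTE *)GetModuleHandle(NULL);
    if (base == NULL) {
        return;
    }
    move_card = base + ADDR_MOVE_CARD;
    dec_score = base + ADDR_DEC_SCORE;

    if (bInject) {
        if (!patch_byte(move_card, TRUE, &old_move_card, 0xEB)) {
            return;
        }
        if (!patch_byte(dec_score, TRUE, &old_dec_score, 0x40)) {
            patch_byte(move_card, FALSE, &old_move_card, 0);   /* roll back */
            return;
        }
        injected = TRUE;
    } else {
        patch_byte(move_card, FALSE, &old_move_card, 0);
        patch_byte(dec_score, FALSE, &old_dec_score, 0);
        injected = FALSE;
    }
}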
 72 
 73 
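enum { NAME_CAP = 2000 };   /* TCHARs in the module-path buffer (as originally sized) */

/*
 * Return TRUE if path names SpiderSolitaire.exe, comparing only the file
 * name after the last path separator, case-insensitively.
 *
 * The original compared the last 19 characters of the whole path, which
 * also accepted any longer name ending in that string (for example
 * "NotSpiderSolitaire.exe").
 */
static BOOL is_target_process(const TCHAR *path)
{
    const TCHAR *file = path;
    const TCHAR *q;

    for (q = path; *q != TEXT('\0'); q++) {
        if (*q == TEXT('\\') || *q == TEXT('/')) {
            file = q + 1;
        }
    }
    return lstrcmpi(file, TEXT("SpiderSolitaire.exe")) == 0;
}

/*
 * DLL entry point.
 *
 * This DLL is mapped into the hook host and into every process the
 * WH_MOUSE hook reaches. On DLL_PROCESS_ATTACH it decides which role it
 * plays from the shared hHook:
 *   hHook == NULL : no hook installed yet, so this is the host about to
 *                   call main(); stay loaded and do nothing else.
 *   hHook != NULL : loaded through the hook. Patch the game if this
 *                   process is SpiderSolitaire.exe; otherwise return FALSE
 *                   so the loader unmaps the DLL from the unrelated process.
 * On DLL_PROCESS_DETACH the patch is undone only if it was applied here.
 *
 * Returns BOOL, which is what the loader reads. The original declared
 * BOOLEAN, a one-byte type, which can leave the upper bits of the 32-bit
 * return register unspecified and a "return FALSE" read as success.
 */
BOOL WINAPI DllMain(HINSTANCE hDllHandle, DWORD nReason, LPVOID Reserved)
{
    static BOOL injected = FALSE;   /* per-process; not in the shared section */
    TCHAR name[NAME_CAP];
    DWORD len;

    (void)Reserved;

    switch (nReason) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hDllHandle);
        hInst = hDllHandle;
        if (hHook == NULL) {
            break;                  /* hook host: keep loaded for main() */
        }
        /* The original did not check this call; a failure would have left
         * name uninitialised for the comparison below. A truncated path
         * (len == NAME_CAP) is treated as "not the target". */
        len = GetModuleFileName(NULL, name, NAME_CAP);
        if (len == 0 || len >= NAME_CAP) {
            return FALSE;
        }
        if (!is_target_process(name)) {
            return FALSE;
        }
        Inject(TRUE);
        injected = TRUE;
        return TRUE;
    case DLL_PROCESS_DETACH:
        /* Only undo what this process applied; unrelated processes and the
         * host never patched anything. */
        if (injected) {
            Inject(FALSE);
            injected = FALSE;
        }
        break;
    default:
        break;                      /* thread notifications are disabled above */
    }
    return TRUE;
}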
105 
106 /*
107 int WINAPI WinMain(
108     HINSTANCE hInstance,
109     HINSTANCE hPrevInstance,
110     LPSTR lpCmdLine,
111     int nCmdShow
112     )
113 {
114     hInst = hInstance;
115     main();
116     return 0;
117 }
118 */
可以用 mingw 编译:
gcc -DUNICODE -s -mwindows -shared -Wall -Os Spider.c -o Spider.dll
strip -s Spider.dll
运行
rundll32.exe spider.dll main