#include "stdafx.h"
#include <windows.h>

/*
 * Loader that starts "5Star.exe" suspended and, once a known 6-byte
 * instruction sequence appears at PATCH_ADDRESS in the child's memory,
 * overwrites it in place and lets the child continue.
 *
 * Observations from review (no behavior changed here):
 *  - Every Win32 call after CreateProcessA (ReadProcessMemory,
 *    VirtualProtectEx, WriteProcessMemory, Resume/SuspendThread) has its
 *    return value ignored, so a failed read or write is not reported.
 *  - The while loop has no exit other than the byte match; if the bytes
 *    never appear at PATCH_ADDRESS the child is resumed/suspended forever.
 *  - memcmp is used without an explicit <string.h>/<memory.h> include;
 *    presumably it comes in through "stdafx.h" — not verifiable here.
 *  - MessageBox is the TCHAR macro but is passed narrow literals, so this
 *    only compiles when UNICODE is not defined for the project.
 */
int main(int argc, char* argv[])
{
#define PATCH_ADDRESS 0x00408EC2   /* fixed virtual address in the child; assumes no relocation (no ASLR) */
    char szFileName[] = "5Star.exe";
    BOOL flag = TRUE;
    BYTE ReadBuffer[128] = {0};    /* only the first 6 bytes are ever used */
    /* Bytes expected at PATCH_ADDRESS once the child has unpacked itself:
     * 0F 85 0A 00 00 00 — the `jnz` shown in the accompanying disassembly. */
    BYTE TarGetData[] = {0x0F,0x85,0x0A,0x00,0x00,0x00};
    /* Replacement: 74 0E — a short `je`, followed by four 0x90 (nop)
     * bytes to keep the 6-byte slot aligned with the original encoding. */
    BYTE WriteData[] = {0x74,0x0E,0x90,0x90,0x90,0x90};
    DWORD Oldpp;                   /* previous page protection from VirtualProtectEx; never restored */
    STARTUPINFO si = {sizeof(STARTUPINFO)};
    PROCESS_INFORMATION pi;
    /* Create the target suspended so its memory can be inspected before it runs. */
    if (!CreateProcessA(szFileName,0,0,0,0,CREATE_SUSPENDED,0,0,&si,&pi))
    {
        MessageBox(NULL,"CreateProcess Failed","error",MB_ICONERROR);
        return FALSE;
    }
    /* Poll: run the child briefly, freeze it, and compare the bytes at
     * PATCH_ADDRESS until the expected sequence is present. */
    while (flag)
    {
        ResumeThread(pi.hThread);
        Sleep(10);                 /* let the program run for 10 ms */
        SuspendThread(pi.hThread); /* check whether the program has decoded (unpacked) itself yet */
        /* &ReadBuffer is a pointer to the whole array; same address as ReadBuffer. */
        ReadProcessMemory(pi.hProcess,(LPVOID)PATCH_ADDRESS,&ReadBuffer,6,NULL);
        if (0 == memcmp(TarGetData,ReadBuffer,6))
        {
            /* Make the code page writable, overwrite the branch, then let the child run on. */
            VirtualProtectEx(pi.hProcess,(LPVOID)PATCH_ADDRESS,6,PAGE_EXECUTE_READWRITE,&Oldpp);
            WriteProcessMemory(pi.hProcess,(LPVOID)PATCH_ADDRESS,&WriteData,6,0);
            ResumeThread(pi.hThread);
            flag = FALSE;
        }
    }
    /* Release the handles; the child keeps running independently. */
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}
程序破解思路是
00408EC2 /0F85 0A000000 jnz 5Star.00408ED2 //改这里的跳位jz
00408EC8 |6A 00 push 0x0
00408ECA |E8 065C0000 call 5Star.0040EAD5
00408ECF |83C4 04 add esp,0x4
00408ED2 \8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
00408ED5 85DB test ebx,ebx
00408ED7 74 09 je X5Star.00408EE2