今天无聊发点逆向某个游戏反外挂的东西

标题：今天无聊发点逆向某个游戏反外挂的东西
作者：ladengdie
时间：2009-12-31 02:10
链接：http://bbs.pediy.com/showthread.php?t=104184

mov     eax, dword ptr [ebp+8]
  call    eax                             //调用动态检测外挂入口
  mov     dword ptr [ebp-4], eax
  mov     eax, dword ptr [edi+2C]
  mov     ecx, dword ptr [edi+30]
  mov     edx, dword ptr [ebp-4]
  lea     esi, dword ptr [edi+28]
  cmp     eax, ecx
  mov     word ptr [ebp-C], bx
  mov     dword ptr [ebp-8], edx

第一种检测代码
push    ebp
  mov     ebp, esp
  push    ecx
  mov     dword ptr [ebp-4], 19D
  mov     eax, dword ptr [ebp-4]
  mov     edi, edi
  mov     edi, edi
  sub     eax, -1
  mov     edi, edi
  mov     edi, edi
  inc     eax
  xchg    al, al
  xchg    eax, eax
  xchg    eax, eax
  add     eax, 1
  mov     edi, edi
  mov     edx, eax
  dec     edx
  mov     eax, edx
  add     eax, 1
  leave
  retn

这段主要是对付脱机外挂，的，发一个常量19D过来，这时客户端从上面的入口进入这段代码运行完后，客户端要把得出的结果发回服务器，服务器那边这段代码先运行这段代码保

存结果，然后和客户端发过来的结果比较，要是不相等的话那么就能判定有人用了脱机外挂，结果就是请你OUT，这段代码有点意思的地方是，它可以随时NOP掉几个字节，象SUB

EAX -1它NOP掉后结果就变了，就达到了动态检测的目地了

第二种检测手段
push    ebp
  mov     ebp, esp
  sub     esp, 4C4
  push    edi
  mov     dword ptr [ebp-28], 4425C0
  mov     dword ptr [ebp-24], 4425E0
  mov     dword ptr [ebp-8], 10E3
  mov     dword ptr [ebp-44], 6C
  mov     dword ptr [ebp-4C], 70617370
  mov     dword ptr [ebp-48], 6C642E69
  mov     dword ptr [ebp-38], 6C694665
  mov     dword ptr [ebp-40], 4D746547
  mov     dword ptr [ebp-3C], 6C75646F
  mov     dword ptr [ebp-34], 6D614E65
  mov     dword ptr [ebp-30], 41784565
  mov     dword ptr [ebp-2C], 0
  lea     eax, dword ptr [ebp-4C]
  push    eax
  call    dword ptr [9B8D098]
  mov     dword ptr [ebp-50], eax
  cmp     dword ptr [ebp-50], 0
  jnz L024
  mov     eax, 1
  jmp     1B18087B
L024:
  lea     ecx, dword ptr [ebp-40]
  push    ecx
  mov     edx, dword ptr [ebp-50]
  push    edx
  call    dword ptr [A1445A8]
  mov     dword ptr [ebp-14], eax
  mov     dword ptr [ebp-4], 0
  mov     dword ptr [ebp-C], 0
  push    10000
  lea     eax, dword ptr [ebp-4]
  push    eax
  call    dword ptr [ebp-28]
  mov     dword ptr [ebp-10], 0
  mov     ecx, dword ptr [ebp-8]
  add     ecx, 4
  mov     dword ptr [ebp-8], ecx
  cmp     dword ptr [ebp-4], 0
  je L052
  push    0
  push    2
  call    kernel32.CreateToolhelp32Snapshot
  mov     dword ptr [ebp-54], eax
  mov     eax, eax
  cmp     dword ptr [ebp-54], -1
  jnz L058
  mov     edx, dword ptr [ebp-4]
  push    edx
  call    dword ptr [ebp-24]
L052:
  cmp     dword ptr [ebp-10], 8
  jle     1B180878
  mov     eax, dword ptr [ebp-10]
  add     eax, 3E8
  nop
  jmp     1B18087B
L058:
  mov     dword ptr [ebp-180], 128
  lea     edx, dword ptr [ebp-180]
  push    edx
  mov     eax, dword ptr [ebp-54]
  push    eax
  call    kernel32.Process32First
  mov     dword ptr [ebp-58], eax
L065:
  cmp     dword ptr [ebp-58], 0
  je      1B180869
  mov     ecx, dword ptr [ebp-178]
  mov     dword ptr [ebp-288], ecx
  lea     edx, dword ptr [ebp-15C]
  mov     dword ptr [ebp-290], edx
  mov     eax, dword ptr [ebp-290]
  mov     ecx, dword ptr [eax+4]
  jmp L2147307716
  mov     dword ptr [F18197CB], eax
  mov     al, 53
  prefix repne:
  dec     ebx
  cmp     ecx, 28863DD5
  jnz L083
  mov     edx, dword ptr [ebp-290]
  cmp     dword ptr [edx], 6D656C65
  je L122
L083:
  mov     byte ptr [ebp-284], 0
  mov     ecx, 40
  sub     eax, eax
  lea     edi, dword ptr [ebp-283]
  rep     stos dword ptr es:[edi]
  stos    word ptr es:[edi]
  stos    byte ptr es:[edi]
  mov     dword ptr [ebp-294], 0
  mov     ecx, dword ptr [ebp-178]
  push    ecx
  push    8
  call    kernel32.CreateToolhelp32Snapshot
  mov     dword ptr [ebp-28C], eax
  cmp     dword ptr [ebp-28C], -1
  je L111
  mov     dword ptr [ebp-4BC], 224
  lea     edx, dword ptr [ebp-4BC]
  push    edx
  mov     eax, dword ptr [ebp-28C]
  xchg    ebp, ebp
  push    eax
  call    kernel32.Module32First
  mov     dword ptr [ebp-298], eax
  cmp     dword ptr [ebp-298], 0
  jnz L138
L108:
  mov     edx, dword ptr [ebp-28C]
  push    edx
  call    dword ptr [9255130]
L111:
  cmp     dword ptr [ebp-294], 0
  jmp L114
  and     al, 94
L114:
  jnz L141
L115:
  lea     edx, dword ptr [ebp-180]
  push    edx
  mov     eax, dword ptr [ebp-54]
  push    eax
  call    kernel32.Process32Next
  mov     dword ptr [ebp-58], eax
  jmp L065
L122:
  mov     eax, dword ptr [ebp-290]
  mov     ebx, ebx
  mov     ecx, dword ptr [eax+8]
  xor     ecx, 5240F490
  cmp     ecx, 3C259DFC
  je L129
  jmp L083
L129:
  mov     edx, dword ptr [ebp-290]
  cmp     dword ptr [edx+C], 78652E74
  nop
  je L134
  jmp L083
L134:
  mov     eax, dword ptr [ebp-10]
  add     eax, 1
  mov     dword ptr [ebp-10], eax
  jmp L083
L138:
  mov     ecx, dword ptr [ebp-4A8]
  mov     dword ptr [ebp-294], ecx
  jmp L108
L141:
  cmp     dword ptr [ebp-294], 1000000
  jnz L144
  jmp L115
L144:
  mov     eax, dword ptr [ebp-288]
  push    eax
  push    0
  push    410
  call    dword ptr [9376540]
  mov     dword ptr [ebp-4C0], eax
  jmp     short 1B1802EE
  in      eax, dx
  retf

这段代码最可恶，可以说它完全就是个木马，按法律来说是犯法了，它会把你当前正在运行的程序信息全部发出去，这些都是在客户不知情的情况下发出去的，只要用户开了这个游戏，那么你就毫无隐私可言了，还有好几种检测手段，这里就不罗列了。