Because Internet-cafe users and others who run a maphack without sufficient privileges get a "pid error", I wrote a program that removes Blizzard's pid protection (the DACL that war3 puts on its own process).
Download Wc3piderror122.exe:
http://download.csdn.net/source/1019297
First, find the patch address. Load war3.exe (windowed mode) in OllyDbg, ignore exceptions, press Alt+M to open the memory window, and search game.dll's address space for the
ASCII string "SetSecurityInfo".
What I found:
6F865334 53 65 74 53 65 63 75 72 69 74 79 49 6E 66 6F 00 SetSecurityInfo.
6F865344 41 64 64 41 63 63 65 73 73 44 65 6E 69 65 64 41 AddAccessDeniedA
6F865354 63 65 00 00 49 6E 69 74 69 61 6C 69 7A 65 41 63 ce..InitializeAc
In the dump pane of the CPU window press Ctrl+G and go to 6F865334, select SetSecurityInfo, right-click > Find references (or Ctrl+R).
Reference found in Game:.text to 6F865334..6F865342, item 0
Address=6F00B352
Disassembly=mov eax, 6F865334
Comment=ASCII "SetSecurityInfo"
In the CPU window press Ctrl+G and jump to that reference, 6F00B352 (not the string address); the code around it is:
6F00B352 B8 3453866F mov eax, 6F865334 ; ASCII "SetSecurityInfo"
6F00B357 8BCE mov ecx, esi
6F00B359 E8 32FFFFFF call 6F00B290
6F00B35E 85C0 test eax, eax
6F00B360 74 64 je short 6F00B3C6
6F00B362 8D4C24 10 lea ecx, dword ptr [esp+10]
6F00B366 51 push ecx
6F00B367 53 push ebx
6F00B368 53 push ebx
6F00B369 53 push ebx
6F00B36A 53 push ebx
6F00B36B 53 push ebx
6F00B36C 53 push ebx
6F00B36D 53 push ebx
6F00B36E 53 push ebx
6F00B36F 6A 01 push 1
6F00B371 8D5424 4C lea edx, dword ptr [esp+4C]
6F00B375 52 push edx
6F00B376 FF5424 4C call dword ptr [esp+4C]
6F00B37A 85C0 test eax, eax
6F00B37C 74 48 je short 6F00B3C6
6F00B37E 6A 02 push 2
6F00B380 68 00020000 push 200
6F00B385 8D4424 34 lea eax, dword ptr [esp+34]
6F00B389 50 push eax
6F00B38A FF5424 28 call dword ptr [esp+28]
6F00B38E 85C0 test eax, eax
6F00B390 74 34 je short 6F00B3C6
6F00B392 8B4C24 10 mov ecx, dword ptr [esp+10]
6F00B396 51 push ecx
6F00B397 68 FEFF1FF0 push F01FFFFE
6F00B39C 6A 02 push 2
6F00B39E 8D5424 38 lea edx, dword ptr [esp+38]
6F00B3A2 52 push edx
6F00B3A3 FF5424 24 call dword ptr [esp+24]
6F00B3A7 85C0 test eax, eax
6F00B3A9 74 1B je short 6F00B3C6
6F00B3AB 53 push ebx
6F00B3AC 8D4424 30 lea eax, dword ptr [esp+30]
6F00B3B0 50 push eax
6F00B3B1 53 push ebx
6F00B3B2 53 push ebx
6F00B3B3 68 04000080 push 80000004
6F00B3B8 6A 06 push 6
6F00B3BA 55 push ebp
6F00B3BB FF5424 34 call dword ptr [esp+34]
6F00B3BF 85C0 test eax, eax
6F00B3C1 75 03 jnz short 6F00B3C6
6F00B3C3 8D7B 01 lea edi, dword ptr [ebx+1]
6F00B3C6 56 push esi
6F00B3C7 FF15 84C2856F call dword ptr [<&KERNEL32.FreeLibrar>; kernel32.FreeLibrary
6F00B3CD 8B4424 10 mov eax, dword ptr [esp+10]
6F00B3D1 3BC3 cmp eax, ebx
6F00B3D3 74 07 je short 6F00B3DC
6F00B3D5 50 push eax
6F00B3D6 FF15 14C0856F call dword ptr [<&ADVAPI32.FreeSid>] ; ADVAPI32.FreeSid
The check to defeat is the one at 6F00B3A9. Reading the pushed arguments, the four indirect calls through [esp+...] are the functions resolved by name from the module in esi (the string table at 6F865334 lists SetSecurityInfo, AddAccessDeniedAce and InitializeAcl side by side): a SID with one subauthority is allocated (push 1, eight zeros, output pointer at [esp+10]); a 0x200-byte ACL is initialized at ACL_REVISION 2; an access-denied ACE with mask F01FFFFE (all generic rights plus every standard and process-specific right except bit 0, PROCESS_TERMINATE) is added for that SID; and finally SetSecurityInfo is called with the handle in ebp, object type 6 (SE_KERNEL_OBJECT) and security information 80000004 (DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION). That last call is what denies the SID access to the war3 process and causes maphack's pid error. Whenever one step fails, the je jumps to 6F00B3C6, the cleanup path (FreeLibrary, FreeSid), and the DACL is never applied. So make the branch after AddAccessDeniedAce unconditional:
6F00B3A9 EB 1B jmp short 6F00B3C6
i.e. change the byte 74 at 6F00B3A9 (offset B3A9 from game.dll's image base 6F000000) to EB; the rel8 displacement 1B is unchanged.
Two caveats: these addresses come from this particular game.dll build (1.22), so on another build locate the site through the SetSecurityInfo string reference as above and confirm the bytes 74 1B are really at that position before patching; and an offset relative to the image base is not necessarily the file offset on disk, since section raw offsets can differ from their RVAs.
Done.
While I was at it, I wrote a program for this (link above).
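As an added example (this is not the author's Wc3piderror122.exe, whose source is not on this page), here is a small Python patcher that applies the same one-byte change. Instead of a hard-coded offset it searches for the instruction bytes shown in the listing around 6F00B3A7, so a game.dll build where the pattern is absent or occurs more than once is refused rather than corrupted, and a file that is already patched is recognized. The SAMPLE byte string at the bottom is constructed for the demo; it is not real game.dll content.

```python
"""Flip the `je short` after the AddAccessDeniedAce check in game.dll to `jmp short`.

Added example, not the original Wc3piderror122.exe. The patch site is found by
byte signature (taken from the listing above) rather than by fixed offset.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Bytes of the five instructions starting at 6F00B3A7 in the listing:
#   85 C0             test eax, eax
#   74 1B             je short 6F00B3C6   <- opcode byte to flip
#   53                push ebx
#   8D 44 24 30       lea eax, [esp+30]
#   50                push eax
SIG = bytes.fromhex("85C0741B538D44243050")
JE_INDEX = 2                     # position of the 0x74 opcode inside SIG
JMP_SHORT = 0xEB
SIG_PATCHED = SIG[:JE_INDEX] + bytes([JMP_SHORT]) + SIG[JE_INDEX + 1:]


def find_all(data: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in data."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def locate(data: bytes) -> int:
    """File offset of the je opcode. Raises unless the signature occurs exactly once."""
    hits = find_all(data, SIG)
    if len(hits) == 1:
        return hits[0] + JE_INDEX
    if not hits and find_all(data, SIG_PATCHED):
        raise RuntimeError("already patched (jmp short found at the check)")
    raise RuntimeError(f"expected exactly one match of the signature, found {len(hits)}; "
                       "different game.dll build?")


def apply_patch(data: bytes) -> tuple[bytes, int]:
    """Return (patched copy, offset of the flipped byte)."""
    off = locate(data)
    out = bytearray(data)
    out[off] = JMP_SHORT         # 74 1B -> EB 1B; the rel8 target byte stays as is
    return bytes(out), off


# Constructed sample (not real game.dll contents): filler, a decoy `test eax,eax / je`
# like the one at 6F00B390, then the real signature. The decoy must stay untouched.
SAMPLE = (b"\x90" * 16
          + bytes.fromhex("85C07434") + b"\xCC" * 8
          + SIG + b"\xCC" * 8)


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <game.dll>", file=sys.stderr)
        return 2
    path = Path(argv[1])
    data = path.read_bytes()
    patched, off = apply_patch(data)
    path.with_suffix(path.suffix + ".bak").write_bytes(data)   # keep the original
    path.write_bytes(patched)
    print(f"patched je->jmp at file offset {off:#x}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python patch_game_dll.py Game.dll` on a copy of the file; it writes `Game.dll.bak` next to it before overwriting. Because the signature is matched in the file bytes themselves, the RVA-versus-file-offset question from the caveat above does not arise, and a second run stops with "already patched" instead of touching the file.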