1.Findwindow突破
bp FindWindowW,运行程序断下来,执行到返回,来到下面
004F0E5C 8BF4 mov esi,esp 004F0E5E 68 B8466A00 push FindWind.006A46B8 ; UNICODE "FindWindow" 004F0E63 6A 00 push 0 004F0E65 FF15 28EE6F00 call dword ptr ds:[<&USER32.FindWindow>; USER32.FindWindowW 004F0E6B 3BF4 cmp esi,esp 004F0E6D E8 280FFFFF call FindWind.004E1D9A 004F0E72 8945 C8 mov dword ptr ss:[ebp-38],eax 004F0E75 837D C8 00 cmp dword ptr ss:[ebp-38],0 004F0E79 74 32 je short FindWind.004F0EAD 004F0E7B 6A 00 push 0 004F0E7D 6A 00 push 0 004F0E7F 68 9C466A00 push FindWind.006A469C 004F0E84 E8 86DBFEFF call FindWind.004DEA0F 004F0E89 8BF4 mov esi,esp 004F0E8B 8B45 C8 mov eax,dword ptr ss:[ebp-38] 004F0E8E 50 push eax 004F0E8F FF15 E8EC6F00 call dword ptr ds:[<&USER32.SetForegro>; USER32.SetForegroundWindow 004F0E95 3BF4 cmp esi,esp 004F0E97 E8 FE0EFFFF call FindWind.004E1D9A 004F0E9C 8BF4 mov esi,esp 004F0E9E 6A 00 push 0 004F0EA0 FF15 74E96F00 call dword ptr ds:[<&KERNEL32.ExitProc>; kernel32.ExitProcess 004F0EA6 3BF4 cmp esi,esp 004F0EA8 E8 ED0EFFFF call FindWind.004E1D9A 004F0EAD 68 B8466A00 push FindWind.006A46B8 ; UNICODE "FindWindow" 004F0EB2 8B4D EC mov ecx,dword ptr ss:[ebp-14] 004F0EB5 E8 F3DDFEFF call FindWind.004DECAD
首先FindWindowW判断窗口是否存在(是否为NULL),下面有个je short FindWind.004F0EAD,存在就继续向下执行,可以看到继续向下的话,有个kernel32.ExitProcess了,所以我们直接将je改为jmp就可以。测试下可以多开了。也可以写程序直接SetWindowText将窗口标题改掉。
2.EnumWindows突破
bp EnumWindows,运行程序断下来,执行到返回
004F0F9C 8BF4 mov esi,esp 004F0F9E 6A 00 push 0 004F0FA0 68 679C4D00 push EnumWind.004D9C67 004F0FA5 FF15 34EE6F00 call dword ptr ds:[<&USER32.EnumWindow>; USER32.EnumWindows
我们知道EnumWindows有个回调函数,call上面压栈的参数地址应该就是回调函数地址,我们ctrl+g转到看下,是个jmp,那就继续转,下面来到的地方就是回调函数了
004F0940 55 push ebp 004F0941 8BEC mov ebp,esp 004F0943 81EC CC020000 sub esp,2CC 004F0949 53 push ebx 004F094A 56 push esi 004F094B 57 push edi 004F094C 8DBD 34FDFFFF lea edi,dword ptr ss:[ebp-2CC] 004F0952 B9 B3000000 mov ecx,0B3 004F0957 B8 CCCCCCCC mov eax,CCCCCCCC 004F095C F3:AB rep stos dword ptr es:[edi] 004F095E A1 48526F00 mov eax,dword ptr ds:[6F5248] 004F0963 33C5 xor eax,ebp 004F0965 8945 FC mov dword ptr ss:[ebp-4],eax 004F0968 33C0 xor eax,eax 004F096A 66:8985 F8FDFFF>mov word ptr ss:[ebp-208],ax 004F0971 68 FE010000 push 1FE 004F0976 6A 00 push 0 004F0978 8D85 FAFDFFFF lea eax,dword ptr ss:[ebp-206] 004F097E 50 push eax 004F097F E8 2B40FFFF call EnumWind.004E49AF 004F0984 83C4 0C add esp,0C 004F0987 8BF4 mov esi,esp 004F0989 68 00010000 push 100 004F098E 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208] 004F0994 50 push eax 004F0995 8B4D 08 mov ecx,dword ptr ss:[ebp+8] 004F0998 51 push ecx 004F0999 FF15 30EE6F00 call dword ptr ds:[<&USER32.GetWindowT>; USER32.GetWindowTextW 004F099F 3BF4 cmp esi,esp 004F09A1 E8 F413FFFF call EnumWind.004E1D9A 004F09A6 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208] 004F09AC 50 push eax 004F09AD 68 38436A00 push EnumWind.006A4338 ; UNICODE "EnumWindows" 004F09B2 E8 00A7FEFF call EnumWind.004DB0B7 004F09B7 83C4 08 add esp,8 004F09BA 85C0 test eax,eax 004F09BC 75 32 jnz short EnumWind.004F09F0 004F09BE 6A 00 push 0 004F09C0 6A 00 push 0 004F09C2 68 1C436A00 push EnumWind.006A431C 004F09C7 E8 4DE0FEFF call EnumWind.004DEA19 004F09CC 8BF4 mov esi,esp 004F09CE 8B45 08 mov eax,dword ptr ss:[ebp+8] 004F09D1 50 push eax 004F09D2 FF15 ECEC6F00 call dword ptr ds:[<&USER32.SetForegro>; USER32.SetForegroundWindow 004F09D8 3BF4 cmp esi,esp 004F09DA E8 BB13FFFF call EnumWind.004E1D9A 004F09DF 8BF4 mov esi,esp 004F09E1 6A 00 push 0 004F09E3 FF15 78E96F00 call dword ptr ds:[<&KERNEL32.ExitProc>; kernel32.ExitProcess 004F09E9 3BF4 cmp esi,esp 004F09EB E8 AA13FFFF call EnumWind.004E1D9A 004F09F0 B8 01000000 mov eax,1 004F09F5 52 push edx 004F09F6 8BCD mov ecx,ebp 004F09F8 50 push eax 004F09F9 8D15 280A4F00 lea edx,dword ptr ds:[4F0A28] 004F09FF E8 E1D2FEFF call EnumWind.004DDCE5 004F0A04 58 pop eax 004F0A05 5A pop edx 004F0A06 5F pop edi 004F0A07 5E pop esi 004F0A08 5B pop ebx 004F0A09 8B4D FC mov ecx,dword ptr ss:[ebp-4] 004F0A0C 33CD xor ecx,ebp 004F0A0E E8 3BF6FEFF call EnumWind.004E004E 004F0A13 81C4 CC020000 add esp,2CC 004F0A19 3BEC cmp ebp,esp 004F0A1B E8 7A13FFFF call EnumWind.004E1D9A 004F0A20 8BE5 mov esp,ebp 004F0A22 5D pop ebp 004F0A23 C2 0800 retn 8
向下拉看到GetWindowTextW了吧,回调函数中传进来的窗口句柄,通过GetWindowTextW获取窗口标题,然后比较,来判断是否结束实例
所以将004F09BC 75 32 jnz short EnumWind.004F09F0这一行的jnz改为jmp就可以了,保存修改,运行试下,可以多开了。
牵扯到通过窗口标题来防止多开的都可以SetWindowText将窗口标题改掉来突破多开。
3.互斥对象突破
同样bp CreateMutexW,运行程序断下来,执行到返回
004F0E5E 68 B8466A00 push 互斥体单.006A46B8 004F0E63 6A 00 push 0 004F0E65 6A 00 push 0 004F0E67 FF15 74E96F00 call dword ptr ds:[<&KERNEL32.CreateMu>; kernel32.CreateMutexW 004F0E6D 3BF4 cmp esi,esp 004F0E6F E8 300FFFFF call 互斥体单.004E1DA4 004F0E74 A3 C46E6F00 mov dword ptr ds:[6F6EC4],eax 004F0E79 8BF4 mov esi,esp 004F0E7B FF15 78E96F00 call dword ptr ds:[<&KERNEL32.GetLastE>; ntdll.RtlGetLastWin32Error 004F0E81 3BF4 cmp esi,esp 004F0E83 E8 1C0FFFFF call 互斥体单.004E1DA4 004F0E88 3D B7000000 cmp eax,0B7 004F0E8D 75 1F jnz short 互斥体单.004F0EAE
调用GetLastError返回值与0xB7比较,0xB7是ERROR_ALREADY_EXISTS错误代码,然后不相等就调走,所以将跳转改为JMP,保存测试,成功多开。
4.共享节法突破
思路是,共享节中的某个数据用来判断是否运行过实例,我们可以捕捉访问该段的代码。
OD载入ALT+M显示内存,这里可以看到许多段,选中Shared段右键在访问上设置中断,对整个内存块设置该类型断点,这个断点是一次性断点,当所在段被读取或执行时就中断,中断发生后,断点将被删除。F9运行程序来到下面
004F0E5C 833D 00407000 0>CMP DWORD PTR DS:[704000],0 004F0E63 75 0E JNZ SHORT 共享节单.004F0E73
转到004F0E73这个地址我们看到有ExitProcess,可以断定这两句代码就是拿出共享段中得某个数据与0比较来判断是否有实例运行,我们将其JNZ NOP掉,让其永远不会跳转,保存修改,成功多开。