多开限制突破

1.Findwindow突破

       bp FindWindowW,运行程序断下来,执行到返回,来到下面

004F0E5C    8BF4            mov esi,esp
004F0E5E    68 B8466A00     push FindWind.006A46B8                 ; UNICODE "FindWindow"
004F0E63    6A 00           push 0
004F0E65    FF15 28EE6F00   call dword ptr ds:[<&USER32.FindWindow>; USER32.FindWindowW
004F0E6B    3BF4            cmp esi,esp
004F0E6D    E8 280FFFFF     call FindWind.004E1D9A
004F0E72    8945 C8         mov dword ptr ss:[ebp-38],eax
004F0E75    837D C8 00      cmp dword ptr ss:[ebp-38],0
004F0E79    74 32           je short FindWind.004F0EAD
004F0E7B    6A 00           push 0
004F0E7D    6A 00           push 0
004F0E7F    68 9C466A00     push FindWind.006A469C
004F0E84    E8 86DBFEFF     call FindWind.004DEA0F
004F0E89    8BF4            mov esi,esp
004F0E8B    8B45 C8         mov eax,dword ptr ss:[ebp-38]
004F0E8E    50              push eax
004F0E8F    FF15 E8EC6F00   call dword ptr ds:[<&USER32.SetForegro>; USER32.SetForegroundWindow
004F0E95    3BF4            cmp esi,esp
004F0E97    E8 FE0EFFFF     call FindWind.004E1D9A
004F0E9C    8BF4            mov esi,esp
004F0E9E    6A 00           push 0
004F0EA0    FF15 74E96F00   call dword ptr ds:[<&KERNEL32.ExitProc>; kernel32.ExitProcess
004F0EA6    3BF4            cmp esi,esp
004F0EA8    E8 ED0EFFFF     call FindWind.004E1D9A
004F0EAD    68 B8466A00     push FindWind.006A46B8                 ; UNICODE "FindWindow"
004F0EB2    8B4D EC         mov ecx,dword ptr ss:[ebp-14]
004F0EB5    E8 F3DDFEFF     call FindWind.004DECAD

首先FindWindowW判断窗口是否存在(是否为NULL),下面有个je short FindWind.004F0EAD,存在就继续向下执行,可以看到继续向下的话,有个kernel32.ExitProcess了,所以我们直接将je改为jmp就可以。测试下可以多开了。也可以写程序直接SetWindowText将窗口标题改掉。

2.EnumWindows突破

bp EnumWindows,运行程序断下来,执行到返回

004F0F9C    8BF4            mov esi,esp
004F0F9E    6A 00           push 0
004F0FA0    68 679C4D00     push EnumWind.004D9C67
004F0FA5    FF15 34EE6F00   call dword ptr ds:[<&USER32.EnumWindow>; USER32.EnumWindows

我们知道EnumWindows有个回调函数,call上面压栈的参数地址应该就是回调函数地址,我们ctrl+g转到看下,是个jmp,那就继续转,下面来到的地方就是回调函数了

004F0940    55              push ebp
004F0941    8BEC            mov ebp,esp
004F0943    81EC CC020000   sub esp,2CC
004F0949    53              push ebx
004F094A    56              push esi
004F094B    57              push edi
004F094C    8DBD 34FDFFFF   lea edi,dword ptr ss:[ebp-2CC]
004F0952    B9 B3000000     mov ecx,0B3
004F0957    B8 CCCCCCCC     mov eax,CCCCCCCC
004F095C    F3:AB           rep stos dword ptr es:[edi]
004F095E    A1 48526F00     mov eax,dword ptr ds:[6F5248]
004F0963    33C5            xor eax,ebp
004F0965    8945 FC         mov dword ptr ss:[ebp-4],eax
004F0968    33C0            xor eax,eax
004F096A    66:8985 F8FDFFF>mov word ptr ss:[ebp-208],ax
004F0971    68 FE010000     push 1FE
004F0976    6A 00           push 0
004F0978    8D85 FAFDFFFF   lea eax,dword ptr ss:[ebp-206]
004F097E    50              push eax
004F097F    E8 2B40FFFF     call EnumWind.004E49AF
004F0984    83C4 0C         add esp,0C
004F0987    8BF4            mov esi,esp
004F0989    68 00010000     push 100
004F098E    8D85 F8FDFFFF   lea eax,dword ptr ss:[ebp-208]
004F0994    50              push eax
004F0995    8B4D 08         mov ecx,dword ptr ss:[ebp+8]
004F0998    51              push ecx
004F0999    FF15 30EE6F00   call dword ptr ds:[<&USER32.GetWindowT>; USER32.GetWindowTextW
004F099F    3BF4            cmp esi,esp
004F09A1    E8 F413FFFF     call EnumWind.004E1D9A
004F09A6    8D85 F8FDFFFF   lea eax,dword ptr ss:[ebp-208]
004F09AC    50              push eax
004F09AD    68 38436A00     push EnumWind.006A4338                 ; UNICODE "EnumWindows"
004F09B2    E8 00A7FEFF     call EnumWind.004DB0B7
004F09B7    83C4 08         add esp,8
004F09BA    85C0            test eax,eax
004F09BC    75 32           jnz short EnumWind.004F09F0
004F09BE    6A 00           push 0
004F09C0    6A 00           push 0
004F09C2    68 1C436A00     push EnumWind.006A431C
004F09C7    E8 4DE0FEFF     call EnumWind.004DEA19
004F09CC    8BF4            mov esi,esp
004F09CE    8B45 08         mov eax,dword ptr ss:[ebp+8]
004F09D1    50              push eax
004F09D2    FF15 ECEC6F00   call dword ptr ds:[<&USER32.SetForegro>; USER32.SetForegroundWindow
004F09D8    3BF4            cmp esi,esp
004F09DA    E8 BB13FFFF     call EnumWind.004E1D9A
004F09DF    8BF4            mov esi,esp
004F09E1    6A 00           push 0
004F09E3    FF15 78E96F00   call dword ptr ds:[<&KERNEL32.ExitProc>; kernel32.ExitProcess
004F09E9    3BF4            cmp esi,esp
004F09EB    E8 AA13FFFF     call EnumWind.004E1D9A
004F09F0    B8 01000000     mov eax,1
004F09F5    52              push edx
004F09F6    8BCD            mov ecx,ebp
004F09F8    50              push eax
004F09F9    8D15 280A4F00   lea edx,dword ptr ds:[4F0A28]
004F09FF    E8 E1D2FEFF     call EnumWind.004DDCE5
004F0A04    58              pop eax
004F0A05    5A              pop edx
004F0A06    5F              pop edi
004F0A07    5E              pop esi
004F0A08    5B              pop ebx
004F0A09    8B4D FC         mov ecx,dword ptr ss:[ebp-4]
004F0A0C    33CD            xor ecx,ebp
004F0A0E    E8 3BF6FEFF     call EnumWind.004E004E
004F0A13    81C4 CC020000   add esp,2CC
004F0A19    3BEC            cmp ebp,esp
004F0A1B    E8 7A13FFFF     call EnumWind.004E1D9A
004F0A20    8BE5            mov esp,ebp
004F0A22    5D              pop ebp
004F0A23    C2 0800         retn 8

向下拉看到GetWindowTextW了吧,回调函数中传进来的窗口句柄,通过GetWindowTextW获取窗口标题,然后比较,来判断是否结束实例

所以将004F09BC 75 32 jnz short EnumWind.004F09F0这一行的jnz改为jmp就可以了,保存修改,运行试下,可以多开了。

牵扯到通过窗口标题来防止多开的都可以SetWindowText将窗口标题改掉来突破多开。

 3.互斥对象突破

同样bp CreateMutexW,运行程序断下来,执行到返回

004F0E5E    68 B8466A00     push 互斥体单.006A46B8
004F0E63    6A 00           push 0
004F0E65    6A 00           push 0
004F0E67    FF15 74E96F00   call dword ptr ds:[<&KERNEL32.CreateMu>; kernel32.CreateMutexW
004F0E6D    3BF4            cmp esi,esp
004F0E6F    E8 300FFFFF     call 互斥体单.004E1DA4
004F0E74    A3 C46E6F00     mov dword ptr ds:[6F6EC4],eax
004F0E79    8BF4            mov esi,esp
004F0E7B    FF15 78E96F00   call dword ptr ds:[<&KERNEL32.GetLastE>; ntdll.RtlGetLastWin32Error
004F0E81    3BF4            cmp esi,esp
004F0E83    E8 1C0FFFFF     call 互斥体单.004E1DA4
004F0E88    3D B7000000     cmp eax,0B7
004F0E8D    75 1F           jnz short 互斥体单.004F0EAE


调用GetLastError返回值与0xB7比较,0xB7是ERROR_ALREADY_EXISTS错误代码,然后不相等就调走,所以将跳转改为JMP,保存测试,成功多开。

4.共享节法突破

思路是,共享节中的某个数据用来判断是否运行过实例,我们可以捕捉访问该段的代码。

OD载入ALT+M显示内存,这里可以看到许多段,选中Shared段右键在访问上设置中断,对整个内存块设置该类型断点,这个断点是一次性断点,当所在段被读取或执行时就中断,中断发生后,断点将被删除。F9运行程序来到下面

004F0E5C    833D 00407000 0>CMP DWORD PTR DS:[704000],0
004F0E63    75 0E           JNZ SHORT 共享节单.004F0E73

转到004F0E73这个地址我们看到有ExitProcess,可以断定这两句代码就是拿出共享段中得某个数据与0比较来判断是否有实例运行,我们将其JNZ NOP掉,让其永远不会跳转,保存修改,成功多开。

 

你可能感兴趣的:(c,user,测试,null)