Analysis of "Fairy" with NVIDIA PerfHUD

Source: Internet
Author: User

 

Analyzing Direct3D with NVIDIA PerfHUD

There are two key steps: finding the call site of CreateDevice(), and modifying the first two parameters passed to CreateDevice() (Adapter and DeviceType) so that they meet PerfHUD's requirements. PerfHUD needs the device to be created on its own virtual adapter and with the reference device type, so in general the first parameter should be 1 (the PerfHUD adapter on a single-display machine) and the second should be 2 (D3DDEVTYPE_REF). Since most applications pass D3DADAPTER_DEFAULT (0) and D3DDEVTYPE_HAL (1), this comes down to adding one to each of the two parameters the application originally passes in. (If the machine has more than one display adapter, the PerfHUD adapter may have a different index; the robust way is to enumerate the adapters and pick the one whose D3DADAPTER_IDENTIFIER9 description contains "PerfHUD".)

There are two ways to locate CreateDevice(): dynamic tracing and static analysis. Dynamic tracing means starting the application under a debugger and setting a breakpoint on IDirect3D9::CreateDevice() in d3d9.dll. It is fast and accurate, so it is the first choice. However, in many cases the client of an online game is started by another program (such as an automatic updater) and cannot be launched directly from the debugger, so it cannot be traced dynamically. In that case, consider static analysis, which this article describes in detail below.

Next we take "Fairy" as an example and walk through the patching process.

First, let's look at how "Fairy" starts. The first program to run is patcher.exe, which performs the automatic update and sets the start parameters. patcher.exe then starts qqlogin.exe, which verifies the account and password; qqlogin.exe in turn connects to the server and starts the main program tty3d.exe. Launching this whole chain under PerfHUD is difficult, so we would like to start qqlogin.exe directly. Doing so brings up a dialog box saying that qqlogin.exe is started by patcher.exe and cannot be started on its own. To work out the relationship between qqlogin.exe and patcher.exe, we open patcher.exe in IDA, search for "WinExec" in the disassembly window and locate the call to the WinExec function (see figure); this is the Windows function used to start another process. Next to it is the string "-G 119.147.16.146:3100, Sha Zi Zhou". This is the command line with which qqlogin.exe is started, and from it we can guess what qqlogin.exe needs in order to start. So we create a shortcut to qqlogin.exe with "-G 119.147.16.146:3100, Sha Zi Zhou" as the start parameter. Launching this shortcut from PerfHUD, we find that PerfHUD attaches properly to the main window of "Fairy". In this way we bypass patcher.exe and start qqlogin.exe directly.

Open the graphics module pg_device.dll of "Fairy" in IDA and search the disassembly window for "device" or "+40h]". We quickly land at address 1000503E, which holds the instruction "call dword ptr [edi+40h]" (see figure). 40h is the offset of CreateDevice() in the IDirect3D9 virtual function table: it is the 17th entry (after the three IUnknown methods and the thirteen adapter-query methods), so 16 pointers × 4 bytes = 40h. Combined with the nearby string "CD3D9Device::InitDevice()", the instruction at 1000503E becomes our prime suspect: this should be where the main program of "Fairy" calls CreateDevice(). This completes the first key task, locating the call to CreateDevice(). The remaining task is to modify the first two parameters passed to CreateDevice().

The three instructions before the call to CreateDevice() are:
push edx
push ecx
push eax
Anyone familiar with C++ and COM knows that the last push eax pushes the this pointer (the IDirect3D9 interface), and, since arguments are pushed right to left, the preceding push ecx and push edx push the first parameter (Adapter, in ecx) and the second parameter (DeviceType, in edx) respectively. These are the values we want to change. Our task is to add one to each of the two values before they are pushed onto the stack. To change a parameter we must either modify a nearby instruction or add new ones: inserting inc edx and inc ecx before the pushes adds one to each parameter. There is certainly not enough room to insert new instructions in place, so we need to jump somewhere else, do the modification there, and then return to execute CreateDevice(). Looking back through the module, we find a 13-byte blank area at address 10005193 left over from memory alignment (see figure), which should be enough to hold the required instructions.

Return to 1000503E and write the instruction "jmp loc_10005193" at 10005038, overwriting the following four instructions (see figure):
push ecx
mov ecx, [esi]
push edx
push ecx

A jmp rel32 is 5 bytes, which is exactly the combined length of these four instructions (1 + 2 + 1 + 1), so the push eax at 1000503D and the call at 1000503E are left intact and no instruction is cut in half.

This instruction makes execution jump to address 10005193 (the blank area found above). There we re-execute the four overwritten instructions, inserting inc edx and inc ecx so that one is added to each of the first two parameters before they are pushed, and then jump back to 1000503D to continue with push eax and the call to CreateDevice() (see figure). Note that the first push ecx must stay as it is, since it pushes a later parameter that happens to be in ecx at that point, and inc ecx must come after mov ecx, [esi], which is what loads the Adapter value.
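To make the patch concrete, here is an added example (not code from the article or from the game): a Python script that encodes the 5-byte jmp and the trampoline for the addresses given above, checks that the trampoline fits in the 13-byte cave, and applies both to an in-memory image of the code section. The bytes at the hook site and the padding in the cave are constructed from the instructions listed above, not dumped from pg_device.dll; the image base 0x10000000 implied by the addresses and the assumption that alignment padding consists of int3 (0xCC) or zero bytes are mine.

```python
"""
Build and apply the CreateDevice() parameter patch described in the article.

Added example, not code from the original article or from pg_device.dll.
Addresses come from the article (image base 0x10000000 assumed from them,
hook at 0x10005038, resume at 0x1000503D, 13-byte cave at 0x10005193); the
bytes in the constructed sample image are derived from the listed
instructions, not from the real file.
"""
import struct

IMAGE_BASE = 0x10000000    # assumed from the 1000xxxx addresses in the article
HOOK_VA = 0x10005038       # first of the four overwritten instructions
RESUME_VA = 0x1000503D     # "push eax" that precedes the CreateDevice call
CAVE_VA = 0x10005193       # alignment padding found by the article
CAVE_SIZE = 13

# 32-bit x86 encodings of the instructions involved
PUSH_ECX = b"\x51"
PUSH_EDX = b"\x52"
PUSH_EAX = b"\x50"
MOV_ECX_ESI = b"\x8b\x0e"      # mov ecx, [esi]   (loads the Adapter value)
INC_ECX = b"\x41"              # Adapter:    D3DADAPTER_DEFAULT (0) -> 1
INC_EDX = b"\x42"              # DeviceType: D3DDEVTYPE_HAL (1) -> D3DDEVTYPE_REF (2)
CALL_EDI_40 = b"\xff\x57\x40"  # call dword ptr [edi+40h] = IDirect3D9::CreateDevice
JMP_REL32 = b"\xe9"


def jmp_rel32(src_va, dst_va):
    """Encode 'jmp rel32' located at src_va landing on dst_va.
    The displacement is relative to the end of the 5-byte jmp itself."""
    return JMP_REL32 + struct.pack("<i", dst_va - (src_va + 5))


def build_hook():
    """5-byte jmp replacing push ecx / mov ecx,[esi] / push edx / push ecx."""
    return jmp_rel32(HOOK_VA, CAVE_VA)


def build_trampoline():
    """Re-execute the overwritten instructions, bump DeviceType (edx) and
    Adapter (ecx) after the Adapter has been loaded, then jump back."""
    body = PUSH_ECX + MOV_ECX_ESI + INC_EDX + INC_ECX + PUSH_EDX + PUSH_ECX
    return body + jmp_rel32(CAVE_VA + len(body), RESUME_VA)


def is_padding(chunk):
    """Assumption: alignment fill is int3 (0xCC) or zero. Refuse anything else."""
    return all(b in (0xCC, 0x00) for b in chunk)


def apply_patch(image, image_base=IMAGE_BASE):
    """Patch a bytearray holding the code section as mapped at image_base.
    Returns a patched copy; raises ValueError if the image does not look right."""
    out = bytearray(image)
    hook, tramp = build_hook(), build_trampoline()
    if len(tramp) > CAVE_SIZE:
        raise ValueError("trampoline is %d bytes, cave holds %d" % (len(tramp), CAVE_SIZE))
    hook_off = HOOK_VA - image_base
    cave_off = CAVE_VA - image_base
    expected = PUSH_ECX + MOV_ECX_ESI + PUSH_EDX + PUSH_ECX
    if bytes(out[hook_off:hook_off + 5]) != expected:
        raise ValueError("unexpected bytes at hook site; different build of pg_device.dll?")
    if not is_padding(out[cave_off:cave_off + CAVE_SIZE]):
        raise ValueError("cave at %#x is not padding" % CAVE_VA)
    out[hook_off:hook_off + 5] = hook
    out[cave_off:cave_off + len(tramp)] = tramp
    return out


def make_sample_image():
    """Constructed stand-in for the relevant part of the code section (not the real DLL)."""
    img = bytearray(b"\x90" * 0x6000)
    site = HOOK_VA - IMAGE_BASE
    img[site:site + 9] = PUSH_ECX + MOV_ECX_ESI + PUSH_EDX + PUSH_ECX + PUSH_EAX + CALL_EDI_40
    cave = CAVE_VA - IMAGE_BASE
    img[cave:cave + CAVE_SIZE] = b"\xcc" * CAVE_SIZE
    return img


if __name__ == "__main__":
    patched = apply_patch(make_sample_image())
    print("hook       :", build_hook().hex())
    print("trampoline :", build_trampoline().hex(), "(%d bytes)" % len(build_trampoline()))
```

The script works on a view of the module as mapped at its image base; to write the change into the DLL on disk, each virtual address has to be translated to a raw file offset through the PE section table (this is what IDA does when it applies patches to the input file). The increments assume the game passes D3DADAPTER_DEFAULT (0) and D3DDEVTYPE_HAL (1). The first push ecx in the trampoline still pushes the later parameter it pushed originally, because inc ecx only runs after mov ecx, [esi] has loaded the Adapter value.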

This completes the modification of pg_device.dll. Don't forget to save the patched pg_device.dll to disk, and keep a copy of the original file so that it can be restored.

Start qqlogin.exe from PerfHUD again to enter the main program. The PerfHUD overlay appears, showing that the patch to pg_device.dll was successful. You can now use PerfHUD to analyze the rendering process of "Fairy".
