How to Use windbg ko xxxx game Driver Protection

Source: Internet
Author: User

[Article title] Teach you how to use WinDbg to KO the xxxx game driver protection
[Author] lj8888
[Author's mailbox] xxxx@163.com
[Author's homepage] -
[Cracking tool] WinDbg 6.7
[Cracking platform] Windows XP SP3
[Software name]
[Software size]
[Original download]
[Protection method]
[Software overview] A large online game in beta testing
[Cracking statement] A newbie's alternative approach to cracking the verification. Any mistakes are unintentional! Experts, please just pass by!
------------------------------------------------------------------------
It doesn't matter if you know nothing about drivers or the kernel. Today I will teach you how to use the kernel debugger WinDbg to KO PerfectProtector.sys.

[Cracking process] Tools required: WinDbg 6.7 (Chinese version) and RkUnhooker 3.7 (plenty of downloads are available online).

First install WinDbg and run it together with RkUnhooker (the order does not matter).

Then run Ghost Legend and update it to the latest version. Once the game is running, stop at the login screen.

Switch to RkUnhooker and click SCAN. Three entries are reported:
nt!NtOpenProcess
nt!NtReadVirtualMemory
nt!NtWriteVirtualMemory

[Image: 01.GIF]

These three functions show YES, meaning they are hooked. Write down the hook addresses; we will examine them in WinDbg.

Switch to WinDbg and choose File > Kernel Debug > Local. If asked whether to save the workspace, choose Yes.

Open View > Command and enter the command uf 0xaa096314 (my address here may differ from yours, so check carefully!)

[Image: 02.GIF]

Aa096314 PUSH EBP
Aa096315 mov ebp, ESP
Aa096317 add esp,-28
Aa09631a CALL AA096091
Aa09631f jmp short AA09633F

CALL AA096091 is not the handler function, so let's keep looking: run the command uf AA09633F.

Aa09633f PUSH AA096321
Aa096344 PUSH AA096424
Aa096349 PUSH AA0998D7
Aa09634e push dword ptr fs: [0]
Aa096355 mov fs: [0], ESP
Aa09635c mov dword ptr [EBP-4], C0000023
Aa096363 mov dword ptr [EBP-C], 0
Aa09636a CALL AA099D96
Aa09636f MOV [EBP-8], EAX
Aa096372 cmp dword ptr [EBP + 8],-1
Aa096376 jnz short AA096384
Aa096378 mov dword ptr [EBP-C],-1
Aa09637f JMP AA09640B
Aa096384 PUSH EDI
Aa096385 lea edi, [AA09ACC4]
Aa09638b mov ecx, 50
Aa096390 shr ecx, 2
Aa096393 mov eax, [EBP-8]
Aa096396 CLD
Aa096397 repne scas byte ptr es: [EDI]
Aa096398 scas dword ptr es: [EDI]
Aa096399 POP EDI
Aa09639a or ecx, ECX
Aa09639c je short AA0963A0
Aa09639e jmp short AA09640B
Aa0963a0 lea eax, [EBP-10]
Aa0963a3 PUSH EAX
Aa0963a4 PUSH 18
Aa0963a6 lea eax, [EBP-28]
Aa0963a9 PUSH EAX
Aa0963aa PUSH 0
Aa0963ac push dword ptr [EBP + 8]
Aa0963af CALL AA099CF4
Aa0963b4 or eax, EAX
Aa0963b6 jnz short AA0963C0
Aa0963b8 push dword ptr [EBP-18]
Aa0963bb pop dword ptr [EBP-C]
Aa0963be jmp short AA0963D2
Aa0963c0 PUSH EAX
Aa0963c1 PUSH 1
Aa0963c3 PUSH 83
Aa0963c8 CALL AA093ACB
Aa0963cd add esp, C
Aa0963d0 jmp short AA09640B
Aa0963d2 cmp dword ptr [EBP-C], 0
Aa0963d6 jnz short AA0963DA
Aa0963d8 jmp short AA09640B
Aa0963da mov eax, [EBP-C]
Aa0963dd cmp eax, [EBP-8]
Aa0963e0 jnz short AA0963E4
Aa0963e2 jmp short AA09640B
Aa0963e4 PUSH ESI
Aa0963e5 mov eax, 20
Aa0963ea shr eax, 2
Aa0963ed mov ecx, [EBP-C]
Aa0963f0 lea esi, [AA09C118]
Aa0963f6 jmp short AA096400
Aa0963f8 CMP [ESI], ECX
Aa0963fa je short AA096404
Aa0963fc add esi, 4
Aa0963ff DEC EAX
Aa096400 or eax, EAX
Aa096402 jnz short AA0963F8
Aa096404 POP ESI
Aa096405 or eax, EAX
Aa096407 je short AA09640B
Aa096409 jmp short AA096424
Aa09640b push dword ptr [EBP + 18]
Aa09640e push dword ptr [EBP + 14]
Aa096411 push dword ptr [EBP + 10]
Aa096414 push dword ptr [EBP + C]
Aa096417 push dword ptr [EBP + 8]
Aa09641a mov eax, [AA09AD1C]
Aa09641f CALL EAX
Aa096421 MOV [EBP-4], EAX
Aa096424 mov eax, [EBP-4]
Aa096427 pop dword ptr fs: [0]
Aa09642e add esp, C
Aa096431 dec dword ptr [AA09ADB8]
Aa096437 LEAVE
Aa096438 RETN 14

The basic structure is clear. Starting at aa09640b, the five parameters of nt!NtWriteVirtualMemory are pushed.

Aa09641a mov eax, [AA09AD1C] should load the original function address. Let's take a look.

[Image: 03.GIF]

Open View > Memory and enter AA09AD1C. If the default display is unfamiliar, switch the format to Long Hex, which is more intuitive.

[Image: 04.GIF]

805b5394 is the original nt!NtWriteVirtualMemory function address. Note down this structure:

Aa09640b push dword ptr [EBP + 18]
Aa09640e push dword ptr [EBP + 14]
Aa096411 push dword ptr [EBP + 10]
Aa096414 push dword ptr [EBP + C]
Aa096417 push dword ptr [EBP + 8]
Aa09641a mov eax, [AA09AD1C]
Aa09641f CALL EAX

This is simply the original function being called with all its parameters intact. Now that we know the key code, let's go back to the function header and look at it.

Aa096349 PUSH AA0998D7
Aa09634e push dword ptr fs: [0]
Aa096355 mov fs: [0], ESP
Aa09635c mov dword ptr [EBP-4], C0000023 store C0000023 in the local variable
Aa096363 mov dword ptr [EBP-C], 0 store 0 in the local variable
Aa09636a CALL AA099D96 preliminary check
Aa09636f MOV [EBP-8], EAX return value assigned to a local variable
Aa096372 cmp dword ptr [EBP + 8],-1 compare with -1 (0FFFFFFFFh)
Aa096376 jnz short AA096384
Aa096378 mov dword ptr [EBP-C],-1

Here we simply rewrite aa09635c so that execution jumps straight to aa09640b.

How to calculate the JMP displacement: target address aa09640b - current address - 5

Go back to the memory window, enter aa09635c and switch the display format to Byte.

Overwrite the bytes there with E9 AA 00 00 00. The hook on nt!NtWriteVirtualMemory is now KO'd.
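As an added example (not part of the original write-up), the following Python script reproduces the two checks this tutorial relies on: the SSDT range test behind the YES results from RkUnhooker's SCAN above, and the rel32 arithmetic for the E9 patch, run in the decoding direction so an integrity check can report where a JMP found in a hook stub actually lands. The ntoskrnl range, the NtClose entry and the sample bytes are constructed assumptions.

```python
import struct

# Constructed sample data (not from a live machine). The three hook addresses
# are the ones the write-up found; the ntoskrnl range is an assumed XP SP3
# layout (base 0x804d7000, ~2 MB) and NtClose is a made-up in-kernel value.
NTOSKRNL_RANGE = (0x804D7000, 0x804D7000 + 0x00200000)
SSDT_SAMPLE = {
    "NtOpenProcess": 0xAA096098,          # hooked by PerfectProtector.sys
    "NtReadVirtualMemory": 0xAA0961EE,    # hooked
    "NtWriteVirtualMemory": 0xAA096314,   # hooked
    "NtClose": 0x805B8A2C,                # constructed, inside ntoskrnl
}


def find_ssdt_hooks(table, kernel_range=NTOSKRNL_RANGE):
    """Return the service names whose SSDT entry points outside ntoskrnl.

    This is the range check behind RkUnhooker's SCAN: a legitimate entry must
    resolve into the kernel image, so anything else is a hook.
    """
    lo, hi = kernel_range
    return sorted(name for name, addr in table.items() if not lo <= addr < hi)


def jmp_rel32_target(insn_addr, code):
    """Decode an E9 rel32 near JMP located at insn_addr.

    Returns the absolute target (insn_addr + 5 + disp), or None if the bytes
    are not a 5-byte near JMP. This is the inverse of the write-up's formula
    disp = target - insn_addr - 5, so a stub integrity check can tell exactly
    which code a patched JMP skips over.
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def main():
    for name in find_ssdt_hooks(SSDT_SAMPLE):
        print(f"{name}: SSDT entry {SSDT_SAMPLE[name]:08x} is outside ntoskrnl")
    # The bytes the write-up places at aa09635c, as a constructed sample.
    patched = bytes.fromhex("e9aa000000")
    print(f"JMP at aa09635c lands at {jmp_rel32_target(0xAA09635C, patched):08x}")


if __name__ == "__main__":
    main()
```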

[Image: 05.GIF]

Easy, isn't it? Let's carry on with the next function. Switch back to the WinDbg command window.

Enter uf 0xaa0961ee, my nt!NtReadVirtualMemory hook address.

Aa0961ee PUSH EBP
Aa0961ef mov ebp, ESP
Aa0961f1 add esp,-28
Aa0961f4 CALL AA096091
Aa0961f9 jmp short AA096218

Aa096218 PUSH AA0961FB
Aa09621d PUSH AA0962FD
Aa096222 PUSH AA0998D7
Aa096227 push dword ptr fs: [0]
Aa09622e mov fs: [0], ESP
Aa096235 mov dword ptr [EBP-4], C0000023
Aa09623c mov dword ptr [EBP-C], 0
Aa096243 CALL AA099D96
Aa096248 MOV [EBP-8], EAX
Aa09624b cmp dword ptr [EBP + 8],-1
Aa09624f jnz short AA09625D
Aa096251 mov dword ptr [EBP-C],-1
Aa096258 JMP AA0962E4
Aa09625d PUSH EDI
Aa09625e lea edi, [AA09ACC4]
Aa096264 mov ecx, 50
Aa096269 shr ecx, 2
Aa09626c mov eax, [EBP-8]
Aa09626f CLD
Aa096270 repne scas byte ptr es: [EDI]
Aa096271 scas dword ptr es: [EDI]
Aa096272 POP EDI
Aa096273 or ecx, ECX
Aa096275 je short AA096279
Aa096277 jmp short AA0962E4
Aa096279 lea eax, [EBP-10]
Aa09627c PUSH EAX
Aa09627d PUSH 18
Aa09627f lea eax, [EBP-28]
Aa096282 PUSH EAX
Aa096283 PUSH 0
Aa096285 push dword ptr [EBP + 8]
Aa096288 CALL AA099CF4
Aa09628d or eax, EAX
Aa09628f jnz short AA096299
Aa096291 push dword ptr [EBP-18]
Aa096294 pop dword ptr [EBP-C]
Aa096297 jmp short AA0962AB
Aa096299 PUSH EAX
Aa09629a PUSH 1
Aa09629c PUSH 82
Aa0962a1 CALL AA093ACB
Aa0962a6 add esp, C
Aa0962a9 jmp short AA0962E4
Aa0962ab cmp dword ptr [EBP-C], 0
Aa0962af jnz short AA0962B3
Aa0962b1 jmp short AA0962E4
Aa0962b3 mov eax, [EBP-C]
Aa0962b6 cmp eax, [EBP-8]
Aa0962b9 jnz short AA0962BD
Aa0962bb jmp short AA0962E4
Aa0962bd PUSH ESI
Aa0962be mov eax, 20
Aa0962c3 shr eax, 2
Aa0962c6 mov ecx, [EBP-C]
Aa0962c9 lea esi, [AA09C118]
Aa0962cf jmp short AA0962D9
Aa0962d1 CMP [ESI], ECX
Aa0962d3 je short AA0962DD
Aa0962d5 add esi, 4
Aa0962d8 DEC EAX
Aa0962d9 or eax, EAX
Aa0962db jnz short AA0962D1
Aa0962dd POP ESI
Aa0962de or eax, EAX
Aa0962e0 je short AA0962E4
Aa0962e2 jmp short AA0962FD
Aa0962e4 push dword ptr [EBP + 18]
Aa0962e7 push dword ptr [EBP + 14]
Aa0962ea push dword ptr [EBP + 10]
Aa0962ed push dword ptr [EBP + C]
Aa0962f0 push dword ptr [EBP + 8]
Aa0962f3 mov eax, [AA09AD18]
Aa0962f8 CALL EAX
Aa0962fa MOV [EBP-4], EAX
Aa0962fd mov eax, [EBP-4]
Aa096300 pop dword ptr fs: [0]
Aa096307 add esp, C
Aa09630a dec dword ptr [AA09ADB8]
Aa096310 LEAVE
Aa096311 RETN 14

Looks familiar? Do you still remember which structure this is?

Aa0962e4 push dword ptr [EBP + 18]
Aa0962e7 push dword ptr [EBP + 14]
Aa0962ea push dword ptr [EBP + 10]
Aa0962ed push dword ptr [EBP + C]
Aa0962f0 push dword ptr [EBP + 8]
Aa0962f3 mov eax, [AA09AD18]
Aa0962f8 CALL EAX

The operation here is the same as above, so I will just give the result: rewrite aa096235 as JMP aa0962e4.

Enter E9 AA 00 00 00 in the memory window (even the displacement is the same).

Enter uf 0xaa096098, the nt!NtOpenProcess hook address here.

Aa096098 PUSH EBP
Aa096099 mov ebp, ESP
Aa09609b add esp,-30
Aa09609e CALL AA096091
Aa0960a3 jmp short AA0960BC

Aa0960bc PUSH AA0960A5
Aa0960c1 PUSH AA0961D7
Aa0960c6 PUSH AA0998D7
Aa0960cb push dword ptr fs: [0]
Aa0960d2 mov fs: [0], ESP
Aa0960d9 push dword ptr [EBP + 14]
Aa0960dc push dword ptr [EBP + 10]
Aa0960df push dword ptr [EBP + C]
Aa0960e2 push dword ptr [EBP + 8]
Aa0960e5 mov eax, [AA09AD14]
Aa0960ea CALL EAX
Aa0960ec MOV [EBP-8], EAX
Aa0960ef or eax, EAX
Aa0960f1 je short AA0960F8
Aa0960f3 JMP AA0961D7
Aa0960f8 PUSH ECX
Aa0960f9 mov ecx, [EBP + C]
Aa0960fc and ecx, 30
Aa0960ff or ecx, ECX
Aa096101 jnz short AA096109
Aa096103 POP ECX
Aa096104 JMP AA0961D7
Aa096109 POP ECX
Aa09610a CALL AA099D96
Aa09610f MOV [EBP-C], EAX
Aa096112 PUSH EDI
Aa096113 lea edi, [AA09ACC4]
Aa096119 mov ecx, 50
Aa09611e shr ecx, 2
Aa096121 mov eax, [EBP-C]
Aa096124 CLD
Aa096125 repne scas byte ptr es: [EDI]
Aa096126 scas dword ptr es: [EDI]
Aa096127 POP EDI
Aa096128 or ecx, ECX
Aa09612a je short AA096131
Aa09612c JMP AA0961D7
Aa096131 mov eax, [EBP + 14]
Aa096134 or eax, EAX
Aa096136 je short AA09613F
Aa096138 mov eax, [EAX]
Aa09613a MOV [EBP-10], EAX
Aa09613d jmp short AA096146
Aa09613f mov dword ptr [EBP-10], 0
Aa096146 cmp dword ptr [EBP-10], 0
Aa09614a jnz short AA09618E
Aa09614c mov eax, [EBP + 8]
Aa09614f push dword ptr [EAX]
Aa096151 pop dword ptr [EBP-4]
Aa096154 lea eax, [EBP-14]
Aa096157 PUSH EAX
Aa096158 PUSH 18
Aa09615a lea eax, [EBP-30]
Aa09615d PUSH EAX
Aa09615e PUSH 0
Aa096160 push dword ptr [EBP-4]
Aa096163 CALL AA099CF4
Aa096168 or eax, EAX
Aa09616a jnz short AA096174
Aa09616c push dword ptr [EBP-20]
Aa09616f pop dword ptr [EBP-10]
Aa096172 jmp short AA096186
Aa096174 PUSH EAX
Aa096175 PUSH 1
Aa096177 PUSH 81
Aa09617c CALL AA093ACB
Aa096181 add esp, C
Aa096184 jmp short AA0961D7
Aa096186 cmp dword ptr [EBP-10], 0
Aa09618a jnz short AA09618E
Aa09618c jmp short AA0961D7
Aa09618e mov eax, [EBP-10]
Aa096191 cmp eax, [EBP-C]
Aa096194 jnz short AA096198
Aa096196 jmp short AA0961D7
Aa096198 PUSH ESI
Aa096199 mov eax, 20
Aa09619e shr eax, 2
Aa0961a1 mov ecx, [EBP-10]
Aa0961a4 lea esi, [AA09C118]
Aa0961aa jmp short AA0961B4
Aa0961ac CMP [ESI], ECX
Aa0961ae je short AA0961B8
Aa0961b0 add esi, 4
Aa0961b3 DEC EAX
Aa0961b4 or eax, EAX
Aa0961b6 jnz short AA0961AC
Aa0961b8 POP ESI
Aa0961b9 or eax, EAX
Aa0961bb je short AA0961D7
Aa0961bd push dword ptr [EBP-4]
Aa0961c0 CALL AA099DAE
Aa0961c5 mov eax, [EBP + 8]
Aa0961c8 mov dword ptr [EAX], 0
Aa0961ce mov dword ptr [EBP-8], C000000D
Aa0961d5 jmp short AA0961D7
Aa0961d7 mov eax, [EBP-8]
Aa0961da pop dword ptr fs: [0]
Aa0961e1 add esp, C
Aa0961e4 dec dword ptr [AA09ADB8]
Aa0961ea LEAVE
Aa0961eb RETN 10

This function is a little different. Let's look at its structure.

Aa0960d9 push dword ptr [EBP + 14]
Aa0960dc push dword ptr [EBP + 10]
Aa0960df push dword ptr [EBP + C]
Aa0960e2 push dword ptr [EBP + 8]
Aa0960e5 mov eax, [AA09AD14]
Aa0960ea CALL EAX

The four parameters of nt!NtOpenProcess match.

Aa0960ec MOV [EBP-8], EAX
Aa0960ef or eax, EAX
Aa0960f1 je short AA0960F8
Aa0960f3 JMP AA0961D7

Simple analysis: the return value is stored in a local variable and OR-ed with itself. If it is zero, processing continues; if not, aa0960f3 JMP AA0961D7 is taken.

So what happens in the non-zero case?

Aa0961d7 mov eax, [EBP-8]
Aa0961da pop dword ptr fs: [0]
Aa0961e1 add esp, C
Aa0961e4 dec dword ptr [AA09ADB8]
Aa0961ea LEAVE
Aa0961eb RETN 10

It fetches the return value and returns it. Obviously, KO'ing aa0960f1 with two 90 (NOP) bytes solves it.

With that, the three functions the driver protects have all been KO'd, and we can read and write its memory directly. ^_^

Thank you for watching this tutorial.
------------------------------------------------------------------------
[Cracking summary] I miss the days in the ICY group.

When working in the kernel, remember to save your data so nothing is lost if you hit a blue screen.

If you don't understand the details, at least understand the process.
