I want to open the dream hand more travel PC-side (Dream Hand Tour PC-side multi-open simple analysis and implementation method)

Objective:

Everyday work is very boring, always want to have some fun, but Mao not.

Find a game to play, hang up the game.

Found, this game is called ... Dream West Tour Hand tour. Dingshi's game ...

Since my phone is a function machine,

So, download a simulator to play,

After the download, after the installation, after the launch of the game, CPU giant card, maybe I have a little old computer.

What to do, see the hand Tour official online unexpectedly wrote has a PC end.

OK, get down and play.

PC end is not the same, the section is very delicate, also super not card, feel good,

But I have 2 numbers, what to do,

Open a client again,

SB, tell me already have, ask me how to do, or kill that.

Of course you can't kill it, or you can call it double open.

OK, this article has begun.

Body:

Ink for a half-day, and finally began.

(My goal is not to kill it, just to play more games, so here's a simple analysis, I just need a IDA)

Opening the client directly two times will prompt a situation

There is a hint, good, first to find out the relevant string, and then find the location of the string call ...

But after looking at the string resources, we found that the strings are not ANSI, IDA is old and weak, not enough energy to find the string, give up

MessageBox, simple solution, go directly to the MessageBox call on the line, how simple

There are so many places, the Jade Emperor has mercy on me ...

The first two, the call, does not look like, to the third place when called, it is quite like the

Take a look at the string of parameter 2

The string to invoke in the four, that's it, found it, right.

Well, our usual solution is to comb the branch and then write JNZ JZ related jumps to avoid this kind of error hint,

However, I do not want to directly modify the game files so do,

What I'm afraid of:

1: The program has signed, directly change the program, will destroy the signature.

2: If this program has its own integrity check, this is not a white toss.

3: Other problems that I may not be aware of.

What I want to do, that ... Of course to find the source, see how it works, and then try to avoid the past ...

Continue the analysis,

In fact, to this pop-up window this piece, is already doomed to be detected has been opened,

So, slowly go back to the code, fortunately this game client is x86, and IDA to x86 F5 support is very good,

Go ahead and find the source, not far away

In such a position, double-clicking into the function can be seen,

This should be a single-instance judgment,

The first function, is to use an ancient method to create a process list snapshot method traversal process, and then determine the process path name, if the specified, do not adjust the second function ...

The second function, more wonderful, with the enumeration process method, to traverse the process, to determine the path name ...

As long as the security over here to get, and then beyond the judgment, you can achieve more open, really easy ...

Look back slowly,

There is such a piece of code, which is what is being done,

See this string "NetEase (Hangzhou) Network Co. Ltd.", I guess, is verifying the certificate,

Go into the front of the function inside, go deep look for Ah,

will see certfindcertificateinstore this related function, OK, certificate related,

I'm not going to kill it, so I don't care about it,

Keep Looking back,

Go to the end of the big function,

This is the step before you actually start the game.

Into the function, the exciting moment is up.

It's funny, huh?

LoadLibrary GetProcAddress Then call

Just transferred the parameters,

This thing is so low-grade.

From beginning to end, analysis ends.

Final conclusion,

The simplest and most open method possible:

Directly simulate the function of EXE, directly load the DLL, and then call the function, directly can solve the problem.

Subsequent processing:

In fact, the first few steps are finished?

Really finished, can use, but can guarantee no problem, this really bad say,

Follow up with a few steps to deal with,

How to deal with it?

According to observation, you can see that the target DLL's interface is fixed, and the parameters are very few, and the information passed is almost useless information,

So it can be imagined that the DLL has very low may be directly based on memory to determine the current process as a trusted process,

So, if the DLL really does this, then it is likely to be judged by the local file of the process,

How to cheat DLL, here we need to ensure that the original EXE file exists, and the certificate is valid,

Then we get into the target EXE in some way, take control,

There are 3 simple ways to do this.

1, direct DLL hijacking, go to target process, mirror replace or hot patch to code.

2, breakpoint injection, mirror replacement or hot patch for code.

3, debug inject, mirror replace or hot patch to code.

In fact, starting from the start function, it can be seen that sub_40a830 this function is the WinMain function,

Because this is where it's called.

And what V7 is,

V7 is

Command-line arguments

What is the prototype of WinMain.

int WINAPI WinMain (hinstance hinstance,
HInstance hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow
);

That's it.

All right, work's over.

Actually analyzing this thing, plus writing code test, roughly took me two hours, after all, I don't count as a hand, and my Code is C,

It is estimated that by hand analysis of this, it will be half an hour after the finished.

PostScript

In fact, if there are ready-made tools, you can hide the process has been started, it should be OK,

In the middle,

Here, there is actually a mutex to judge, but it does not affect whether it can open more,

It only affects the arguments that are passed when the DLL is called.

The simplest way to do nothing is to write code directly to call the DLL's function,

However, the estimated three stone to help the client has a honeypot function, many many years ago, the end of the cover, is fishing law enforcement, and then sealed.

I want to open the dream hand more travel PC-side (Dream Hand Tour PC-side multi-open simple analysis and implementation method)