ASM fake return address?

Updated: 2024-10-24 05:16:41
Problem description

Would it be possible to fake the return address at ebp + 4?

I'm currently writing a DLL that you would inject into a game, in which it would call game functions to do things, but the functions I call check the return address against the program itself, and if it's outside their base it detects it.

So basically is there any way to fake the return address in any way?

It works like this:

if ( (_BYTE *)retaddr - (_BYTE *)unusedPadding >= (unsigned int)&byte_A6132A )
{
    dword_11E59F8 |= 0x200000u;
    dword_162D06C = 0;
    result = (void (*)())sub_51FEE0(dword_11E59FC, v5, (_BYTE *)retaddr - (_BYTE *)unusedPadding, ebx0, edi0, a1);
}

Solution

Better way:

push returnshere
push your_second_argument
push your_first_argument
push address_of_fragment_in_exe
jmp function_you_want_to_call
returnshere:
    ; more code

Where address_of_ret_in_exe is the address of this fragment:

add esp, 8    ; 4 * number of arguments pushed
ret

This has the advantage of not editing the game binary. I've seen more than one game that checksummed itself, so if you edited it, even in slack space, you're in trouble. If they went through so much trouble as to verify that calls come from the game binary, then they likely have defenses against the game binary being edited. Just be glad they don't trace the call graph.
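For the defender's side of this exchange, here is the single-frame return-address check the question describes, as an added example that is not part of the original question or answer. It is written for a Linux/ELF build with GNU ld, whose default linker script provides the `__executable_start` and `etext` symbols (an assumption; the function and variable names are mine). Checking only the immediate return address is exactly what the answer's ret-fragment trampoline gets past; a guard that also inspects the frames above it, as the answer's closing remark about tracing the call graph hints, is much harder to satisfy with a single forged frame.

```c
#include <stdio.h>

/* Linker-defined symbols (GNU ld default script, assumed present):
 * start of the executable image and end of its .text section. */
extern char __executable_start[];
extern char etext[];

/* Return 1 if addr lies inside the main executable's code range, else 0.
 * This is the general form of the game's "retaddr >= &byte_A6132A" test. */
int addr_in_main_module(const void *addr)
{
    const char *p = (const char *)addr;
    return p >= __executable_start && p < etext;
}

/* Single-frame check: look at the address this function will return to
 * and require it to be inside the main module. noinline guarantees a real
 * call frame so __builtin_return_address(0) is meaningful. A caller that
 * pushes an in-module ret fragment as its return address passes this test
 * while the real code runs elsewhere, which is the weakness the answer uses. */
__attribute__((noinline)) int caller_in_main_module(void)
{
    const void *ret = __builtin_return_address(0);
    return addr_in_main_module(ret);
}

/* Negative control: a stack address is never inside the code range. */
__attribute__((noinline)) int stack_address_in_main_module(void)
{
    volatile int local = 0;
    return addr_in_main_module((const void *)&local);
}

int main(void)
{
    printf("code range: %p - %p\n", (void *)__executable_start, (void *)etext);
    printf("caller in main module: %d\n", caller_in_main_module());
    printf("stack address in main module: %d\n", stack_address_in_main_module());
    return 0;
}
```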

Published: 2023-08-07 10:30:31
Article link: https://www.elefans.com/category/jswz/34/1318631.html