无论什么游戏只要是NGS检测全部干掉!
以下是C++源码
拿跑跑卡丁车做例子
//需加载进卡丁车,一般在卡丁车登录界面调用【BypassNexonGameSecurity】第一个参数传递BlackCipher的进程ID
//cpp源码 .
#include "stdafx.h"
#include <string>
#include <TlHelp32.h>
#include "VMProtectSDK.h"
using namespace std;
// Redirects the entry thread of the process identified by `pid` (the BlackCipher / Nexon Game Security
// process, per the comment above) into a 10-byte stub that calls Sleep() with a very large timeout.
// Returns true when the thread walk completed; false on the first Win32/NT failure (see notes below).
//
// NOTE(review): from a detection standpoint the observable footprint of this function is
// OpenProcess(PROCESS_ALL_ACCESS) on the anti-cheat process, VirtualAllocEx of an RWX page inside it,
// a cross-process NtWriteVirtualMemory into that page, and SuspendThread / GetThreadContext /
// SetThreadContext / ResumeThread on its entry thread with EIP moved to a non-image address. Each of
// these is a cross-process primitive that endpoint telemetry (kernel callbacks, ETW) attributes to the
// caller's process.
bool __stdcall BypassNexonGameSecurity(ULONG pid/*=g_BlackCipherPID*/) {
// VMProtect SDK marker: the region up to VMProtectEnd() is what the protector virtualizes.
// The early `return false` paths below leave the function without reaching VMProtectEnd().
VMProtectBegin("BypassNexonGameSecurity");
// Disabled self-check: compared a DWORD at a fixed address with a constant and terminated the
// current process on mismatch.
//if (*(PDWORD)0xF4C127 != 0x2ADDE4BB)
//{
// MyDbgFun("notcrc,exit");
// TerminateProcess(OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId()), NULL);
// return false;
//}
// Local redeclaration of Psapi's MODULEINFO so neither the Psapi header nor its import library is needed.
typedef struct _MODULEINFO {
LPVOID lpBaseOfDll;
DWORD SizeOfImage;
LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
// Function-pointer types for the Psapi and ntdll exports that are resolved at runtime below.
typedef BOOL(WINAPI* GetModuleInformation_t)(HANDLE hProcess,
HMODULE hModule,
LPMODULEINFO lpmodinfo,
DWORD cb);
// Declared with LPTSTR although the W export is resolved; only consistent when UNICODE is defined.
typedef DWORD(WINAPI* GetMappedFileNameW_t)(HANDLE hProcess,
LPVOID lpv,
LPTSTR lpFilename,
DWORD nSize);
typedef NTSTATUS(NTAPI *NtQueryInformationThread_)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation,
ULONG ThreadInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
// Read/write share one parameter layout; the parameter names are kept from the original.
typedef NTSTATUS(NTAPI* NtWriteVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef NTSTATUS(NTAPI* NtReadVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
// Exports are resolved once (function-local statics) through GetProcAddress instead of the import
// table; none of the resulting pointers is null-checked before use.
// _NtReadVirtualMemory and _NtQueryInformationProcess are resolved but never used in this function.
static NtReadVirtualMemory_t _NtReadVirtualMemory = reinterpret_cast<NtReadVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtReadVirtualMemory"));
static NtWriteVirtualMemory_t _NtWriteVirtualMemory = reinterpret_cast<NtWriteVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtWriteVirtualMemory"));
static NtQueryInformationProcess_t _NtQueryInformationProcess = reinterpret_cast<NtQueryInformationProcess_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess"));
// Psapi.dll is loaded twice via LoadLibrary and never freed (the loader reference count absorbs this).
static GetMappedFileNameW_t MyGetMappedFileNameW = reinterpret_cast<GetMappedFileNameW_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetMappedFileNameW"));
static GetModuleInformation_t MyGetModuleInformation = reinterpret_cast<GetModuleInformation_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetModuleInformation"));
static NtQueryInformationThread_ MyNtQueryInformationThread = reinterpret_cast<NtQueryInformationThread_>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread"));
HANDLE hTdSnap, hpss, hTd; LPVOID lpbaseAddress; LONG status;
PVOID startaddr = NULL;
THREADENTRY32 te32 = { 0 };
CONTEXT ctx = { 0 };
// 10-byte x86 stub written into the target: `68 imm32` = push 0x10000000, `E9 rel32` = jmp, with the
// rel32 patched below to land on Kernel32!Sleep. A thread whose EIP is pointed here therefore executes
// Sleep(0x10000000 ms), i.e. roughly 74 hours. 32-bit only: the DWORD pointer arithmetic and ctx.Eip
// below assume an x86 caller and an x86 target.
BYTE phcode[10] = { 0x68, 0x00, 0x00, 0x00, 0x10,
0xE9, 0x00, 0x00, 0x00, 0x00 };
WCHAR sz_modulefilepath[MAX_PATH] = { 0 };
// Redundant: te32 was already zero-initialized at its declaration.
memset(&te32, 0, sizeof(te32));
te32.dwSize = sizeof(THREADENTRY32);
// Sleep's address in *this* process is reused as the jmp target in the remote process, so the code
// relies on Kernel32 being mapped at the same base there — TODO confirm for the target's bitness.
FARPROC lpSleep = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "Sleep");
hpss = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (NULL == hpss) { return false; }
MODULEINFO pModuleInfo = { 0 };
// hModule == NULL: presumably queries the target's main executable module — confirm against the Psapi docs.
// NOTE(review): every `return false` from here up to the end of the thread loop leaves hpss — and,
// once allocated, the remote page and hTdSnap — unreleased.
if (!MyGetModuleInformation(hpss, NULL, &pModuleInfo, sizeof(pModuleInfo))) { return false; }
if (!pModuleInfo.EntryPoint) { return false; }
// One RWX page in the target to hold the stub; it is never freed, even on the success path.
lpbaseAddress = VirtualAllocEx(hpss, NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == lpbaseAddress) { return false; }
// Patch the jmp's rel32 (stub bytes 6..9); the displacement is measured from the end of the 10-byte stub.
*(DWORD *)((DWORD)&phcode + 6) = (DWORD)lpSleep - (DWORD)lpbaseAddress - 10;
// Any non-zero NTSTATUS (including informational/warning values) is treated as failure.
if (_NtWriteVirtualMemory(hpss, lpbaseAddress, (LPVOID)&phcode, sizeof(phcode), NULL)){ return false; }
// System-wide thread snapshot; the owner-PID filter is applied inside the loop.
hTdSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hTdSnap == INVALID_HANDLE_VALUE) { return false; }
BOOL bNext = Thread32First(hTdSnap, &te32);
while (bNext)
{
if (te32.th32OwnerProcessID == pid)
{
hTd = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
// A thread that cannot be opened (e.g. one that exited after the snapshot was taken) aborts the whole walk.
if (NULL == hTd) { return false; }
else
{
// Query the thread's Win32 start address to find the thread that began at the main module's entry point.
status = MyNtQueryInformationThread(hTd,
ThreadQuerySetWin32StartAddress,
&startaddr, sizeof(startaddr), NULL);
if (STATUS_SUCCESS != status)
{
CloseHandle(hTd);
return false;
}
else
{
if (startaddr == pModuleInfo.EntryPoint)
{
// Resolve the image backing the start address and require it to be BlackCipher.aes.
// The return value is ignored and the buffer is not reset between iterations.
MyGetMappedFileNameW(hpss, startaddr, sz_modulefilepath, MAX_PATH);
wstring mfpath(sz_modulefilepath);
// `!= -1` works only because -1 converts to wstring::npos; TEXT() yields a wide literal only under UNICODE.
if (mfpath.find(TEXT("BlackCipher.aes")) != -1)
{
SuspendThread(hTd);
// CONTEXT_ALL already includes CONTEXT_CONTROL. Get/SetThreadContext return values are not checked.
ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
GetThreadContext(hTd, &ctx);
// Dr1 appears to serve only as an "already redirected" marker: Dr7 is never written, so no
// hardware breakpoint is armed — TODO confirm this is intentional.
if (!ctx.Dr1)
{
ctx.Dr1 = 10086;
// Move the thread's instruction pointer into the stub; the original EIP is not preserved anywhere.
ctx.Eip = (DWORD)lpbaseAddress;
ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
SetThreadContext(hTd, &ctx);
}
ResumeThread(hTd);
}
}
}
}
CloseHandle(hTd);
}
bNext = Thread32Next(hTdSnap, &te32);
}
CloseHandle(hTdSnap);
CloseHandle(hpss);
VMProtectEnd();
// `true` means the walk completed, not that a matching thread was found and redirected.
return true;
}
调用方法:
//1 BypassNexonGameSecurity 0F1E1280 0
//必须注入游戏后调用此函数
//动态调用,用完即删,不占用DLL模块。也可做内存加载
// Caller-side usage sketch: load the DLL, resolve the export by name, call it once, unload.
// NOTE(review): as written this does not compile — `WINPAI` is a misspelling of WINAPI, the typedef's
// parameter type (LONG) differs from the export's (ULONG), and the call below passes no pid argument
// (the inline comment marks where the BlackCipher PID belongs).
typedef bool(WINPAI *BypassNGS)(LONG pid);
// LoadLibrary returns HMODULE; storing it in a HANDLE means FreeLibrary(hLib) presumably needs a cast under STRICT.
HANDLE hLib=LoadLibrary(TEXT("bypassngs.dll"));
// Lookup by undecorated name presumes the DLL exports it unmangled (a .def file or extern "C").
// Neither hLib nor myfpProc is null-checked before use.
BypassNGS myfpProc=(BypassNGS)GetProcAddress(hLib,"BypassNexonGameSecurity");
if(!myfpProc(/*BlackCipherPID*/))
{
AfxMessageBox(TEXT("过检测失败"));
}
FreeLibrary(hLib);
1.这里只Sleep了一个入口线程,会卡NGS进程游戏关闭后需自己关
2.成品DLL限制国服可用,其他服全部掉线。想在台服用就自己改。
3.只要操作命名管道的线程存在其他线程都可Sleep无碍