VC过HS保护代码

1. #define HS_JMP            0x63B31D
   
2. #define HS_JMP2            0x63B323
   
3. 
   
4. typedef int            (__cdecl *HS_GetProcAddress_t)( int hModule, int a2 );
   
5. typedef int            (__stdcall *HackshieldComm_t )( int, void*, void* );
   
6. typedef signed int    (__stdcall *KickProc_t)( int a1, int a2, int a3 );
   
7. 
   
8. HS_GetProcAddress_t      pHS_GetProcAddress = NULL;
   
9. HackshieldComm_t        pHackshieldComm  = NULL;
   
10. KickProc_t       pKickProc  = NULL;
    
11. 
    
12. signed int __stdcall new_KickProc( int a1, int a2, int a3 )
    
13. {
    
14.     return 1;
    
15. }
    
16. 
    
17. int __stdcall new_HackshieldComm( int hsCommCode, void *Param1, void *Param2 )
    
18. {
    
19.     if( hsCommCode == 4 || hsCommCode == 5 || hsCommCode == 13 ) //kill!
    
20.     {
    
21.         if( hsCommCode == 4 ) //replace kick proc
    
22.         {
    
23.             DWORD *dwParam1 = (DWORD *)Param1;
    
24. 
    
25.             pKickProc    = (KickProc_t)*dwParam1;
    
26.             *dwParam1    = (DWORD)new_KickProc;
    
27.         }
    
28. 
    
29.         int iReturn = pHackshieldComm( hsCommCode, Param1, Param2 );
    
30. 
    
31.         return 1;
    
32.     }
    
33. 
    
34.     int iReturn = pHackshieldComm( hsCommCode, Param1, Param2 );
    
35. 
    
36.     return iReturn;
    
37. }
    
38. 
    
39. void HookCommunication( EXCEPTION_POINTERS* pExceptionInfo )
    
40. {
    
41.     DWORD dwEbp        = pExceptionInfo->ContextRecord->Ebp;
    
42.     DWORD dwParam2    = 0;
    
43. 
    
44.     __asm
    
45.     {
    
46.         push eax;
    
47.         push edx;
    
48.         mov eax, dwEbp;
    
49.         mov edx, [eax+0xC];
    
50.         mov dwParam2, edx;
    
51.         pop edx;
    
52.         pop eax;
    
53.     }
    
54. 
    
55.     if( dwParam2 == 0xA ) //this is the ordinal of some export...hmm..
    
56.     {
    
57.         pHackshieldComm  = (HackshieldComm_t)pExceptionInfo->ContextRecord->Eax;
    
58.         pExceptionInfo->ContextRecord->Eax    = (DWORD)new_HackshieldComm;
    
59.     }
    
60. 
    
61.     pExceptionInfo->ContextRecord->Eip= HS_JMP2;
    
62. 
    
63.     return;
    
64. }
    
65. 
    
66. PVOID pContextHandler = NULL;
    
67. 
    
68. LONG WINAPI ***ExceptionHandler( EXCEPTION_POINTERS* pExceptionInfo )
    
69. {
    
70.     if( pExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP )
    
71.     {
    
72.         return EXCEPTION_CONTINUE_SEARCH;
    
73.     }
    
74. 
    
75.     if( pExceptionInfo->ExceptionRecord->ExceptionAddress == (PVOID)HS_JMP )
    
76.     {
    
77.         HookCommunication( pExceptionInfo );
    
78.         return EXCEPTION_CONTINUE_EXECUTION;
    
79.     }
    
80. 
    
81.     return EXCEPTION_CONTINUE_SEARCH;
    
82. }
    
83. 
    
84. void InitContextHook()
    
85. {
    
86.     pContextHandler = AddVectoredExceptionHandler( 0x50BE17, ***ExceptionHandler );
    
87. 
    
88.     CONTEXT Context;
    
89.     Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    
90.     GetThreadContext(GetCurrentThread(), &Context);
    
91.     Context.Dr0 = HS_JMP;
    
92.     Context.Dr7 = (1<<0)|(1<<2)|(1<<4)|(1<<6);
    
93.     SetThreadContext(GetCurrentThread(), &Context);
    
94. }

复制代码