内存补丁程序编写

#include "stdafx.h"
#include <windows.h>

int main(int argc, char* argv[])
{
/*
 * Runtime (in-memory) patcher for "5Star.exe".
 *
 * Flow, exactly as written below:
 *   1. Start the target with CREATE_SUSPENDED.
 *   2. Loop: resume its primary thread for 10 ms, suspend it again, read
 *      6 bytes at PATCH_ADDRESS and compare them with TarGetData.
 *   3. On a match, make the page writable with VirtualProtectEx, overwrite
 *      the 6 bytes with WriteData, resume the thread for good, leave the loop.
 *
 * The resume/suspend polling exists because the author expects the bytes at
 * PATCH_ADDRESS to appear only after the target has "decoded" itself (the
 * original comment's wording); nothing in this code shows what that decoding
 * is, so treat it as an assumption about the target.
 *
 * Defender's note: the cross-process sequence CreateProcess(CREATE_SUSPENDED)
 * -> ReadProcessMemory -> VirtualProtectEx(PAGE_EXECUTE_READWRITE) ->
 * WriteProcessMemory is a well-known code-tampering pattern; anti-tamper
 * logic and endpoint telemetry commonly key on exactly these calls, and an
 * integrity check of the .text section would see the modified bytes.
 *
 * Review observations (code left byte-for-byte as in the original):
 *   - The return values of ReadProcessMemory, VirtualProtectEx and
 *     WriteProcessMemory are never checked; a failed read leaves ReadBuffer
 *     at its previous contents and a failed write is silently ignored.
 *   - The while loop has no iteration bound and never checks whether the
 *     target is still alive, so it spins forever if the bytes never match
 *     (target exited, image mapped elsewhere, different build of the target).
 *   - Oldpp receives the previous page protection but it is never restored.
 *   - MessageBox is called with narrow string literals, so this only builds
 *     in a non-UNICODE project (it would need MessageBoxA otherwise).
 *   - argc/argv are unused; the target file name and address are hard-coded.
 */
/* Virtual address of the 6-byte instruction to overwrite; taken from the
 * disassembly listing that follows this program (00408EC2). A fixed VA
 * presumes the image is mapped at its preferred base -- TODO confirm the
 * target is not relocated. */
#define PATCH_ADDRESS 0x00408EC2

	char szFileName[] = "5Star.exe";	// target executable; no path given, so CreateProcessA looks in the current directory
	BOOL flag = TRUE;	// loop control: cleared once the patch has been written
	BYTE ReadBuffer[128] = {0};	// receives bytes read from the target; only the first 6 are used
	BYTE TarGetData[] = {0x0F,0x85,0x0A,0x00,0x00,0x00};	// expected original bytes at PATCH_ADDRESS (the "jnz" in the listing below)
	BYTE WriteData[] =	{0x74,0x0E,0x90,0x90,0x90,0x90};	// replacement bytes written over them
	DWORD Oldpp;	// previous page protection as reported by VirtualProtectEx (never restored)

	STARTUPINFO si = {sizeof(STARTUPINFO)};	// only cb is set; every other field is zero
	PROCESS_INFORMATION pi;	// filled in by CreateProcessA on success
	// Launch the target with its primary thread suspended so nothing runs before the loop below.
	if (!CreateProcessA(szFileName,0,0,0,0,CREATE_SUSPENDED,0,0,&si,&pi))
	{
		MessageBox(NULL,"CreateProcess Failed","error",MB_ICONERROR);
		return FALSE;	// FALSE is 0, i.e. a "success" exit code even though launching failed
	}
	
	// Poll the target: let it run briefly, freeze it, then look for the expected bytes.
	// Suspend count starts at 1 (CREATE_SUSPENDED), so each Resume/Suspend pair returns it to 1.
	while (flag)
	{
		ResumeThread(pi.hThread);
		Sleep(10);// let the target run for 10 ms
		SuspendThread(pi.hThread);// then freeze it and check whether it has "decoded" itself yet (author's wording)
		// Result ignored: on failure ReadBuffer simply keeps whatever it held before.
		ReadProcessMemory(pi.hProcess,(LPVOID)PATCH_ADDRESS,&ReadBuffer,6,NULL);
		if (0 == memcmp(TarGetData,ReadBuffer,6))
		{
			// Make the page writable and overwrite the instruction; neither result is checked.
			VirtualProtectEx(pi.hProcess,(LPVOID)PATCH_ADDRESS,6,PAGE_EXECUTE_READWRITE,&Oldpp);
			WriteProcessMemory(pi.hProcess,(LPVOID)PATCH_ADDRESS,&WriteData,6,0);
			ResumeThread(pi.hThread);	// balances the SuspendThread above; the target keeps running after we return
			flag = FALSE;
		}
	}

	
	// Drop our handles; the modified process continues independently.
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	return 0;
}

程序破解思路是    

00408EC2   /0F85 0A000000   jnz 5Star.00408ED2				//改这里的跳位jz
00408EC8   |6A 00           push 0x0
00408ECA   |E8 065C0000     call 5Star.0040EAD5
00408ECF   |83C4 04         add esp,0x4
00408ED2   8B5D FC         mov ebx,dword ptr ss:[ebp-0x4]
00408ED5    85DB            test ebx,ebx
00408ED7    74 09           je X5Star.00408EE2


原文地址:https://www.cnblogs.com/zcc1414/p/3982522.html