Calling a game browser's Flash-acceleration DLL: building our own Flash accelerator

A few days ago a friend asked me to help work out how the functions in a DLL called "HookDll.dll" should be called.

He sent me a screenshot of the DLL's export table:


It turned out that hookdll.dll is a file from a certain game browser, and its main job is Flash acceleration...


That looks quite useful: if we could write a small program of our own that also speeds up Flash, that would be fun. So let's look at how these DLL functions are called and what parameters they need.

Straight into IDA.


When IDA loads the DLL, the ImageBase is 0x400000.

Adding 0x400000 to the RVAs of StartHook, EndHook, SetSpeed and SoundHook gives the addresses of their code.

StartHook:

CODE:004124E4                 public StartHook
CODE:004124E4 StartHook       proc near
CODE:004124E4                 push    ebp
CODE:004124E5                 mov     ebp, esp
CODE:004124E7                 call    sub_412434
CODE:004124EC                 call    sub_4121EC
CODE:004124F1                 mov     ds:dword_41488C, eax
CODE:004124F7                 mov     ds:dword_414890, edx
CODE:004124FD                 mov     eax, ds:dword_41488C
CODE:00412503                 mov     ds:dword_414884, eax
CODE:00412509                 mov     eax, ds:dword_414890
CODE:0041250F                 mov     ds:dword_414888, eax
CODE:00412515                 call    sub_412374
CODE:0041251A                 pop     ebp
CODE:0041251B                 retn    4
CODE:0041251B StartHook       endp

From the code above we can see that StartHook's prototype should be void StartHook(void);

EndHook looks much like StartHook; its prototype is void EndHook(void);

SoundHook's prototype is void SoundHook(void);

SetSpeed:

CODE:00412538                 public SetSpeed
CODE:00412538 SetSpeed        proc near
CODE:00412538
CODE:00412538 arg_0           = dword ptr  8
CODE:00412538 arg_4           = dword ptr  0Ch
CODE:00412538
CODE:00412538                 push    ebp
CODE:00412539                 mov     ebp, esp
CODE:0041253B                 mov     eax, [ebp+arg_0]
CODE:0041253E                 mov     dword ptr ds:dbl_414898, eax
CODE:00412544                 mov     eax, [ebp+arg_4]
CODE:00412547                 mov     dword ptr ds:dbl_414898+4, eax
CODE:0041254D                 pop     ebp
CODE:0041254E                 retn    8
CODE:0041254E SetSpeed        endp

From the code above we can see that SetSpeed takes two DWORD arguments, which it stores back to back at dbl_414898; its prototype is void SetSpeed(DWORD dw1, DWORD dw2);

OK, we now effectively have a basic SDK for this hookdll. But what values should the two DWORD arguments of SetSpeed take?

Attach OllyDbg directly to the game browser, check the base address at which HookDll is loaded, add the RVA in the same way to get the code address, press F2 to set a breakpoint there, then drag the speed slider a little and SetSpeed breaks.

These are the values passed at close to 2000% acceleration: 0xCCCCCCCD, 0x4033CCCC.

We won't dig into what these numbers mean; let's just call the function and see whether it has any effect.
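In the SetSpeed listing above the two arguments are written back to back at dbl_414898, which IDA has typed as a double, so the pair is really one 8-byte IEEE-754 value: the captured pair (0xCCCCCCCD, 0x4033CCCC) decodes to 19.8, which matches "close to 2000%". The C helper below is an added example, not code from the original post; it assumes that this double is the speed multiplier (percent / 100), which the sample suggests but the post does not confirm, and the function names are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <math.h>

/* Rebuild the double that SetSpeed's two dword arguments form.
   Per the disassembly: arg_0 -> dbl_414898 (low dword), arg_4 -> dbl_414898+4 (high dword). */
double dwords_to_double(uint32_t lo, uint32_t hi)
{
    uint64_t bits = ((uint64_t)hi << 32) | lo;
    double d;
    memcpy(&d, &bits, sizeof d);   /* type-pun through memcpy, no strict-aliasing issue */
    return d;
}

/* Inverse: split a double into the (low, high) dword pair SetSpeed expects. */
void double_to_dwords(double d, uint32_t *lo, uint32_t *hi)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    *lo = (uint32_t)(bits & 0xFFFFFFFFu);
    *hi = (uint32_t)(bits >> 32);
}

/* Assumption (not verified on the page): the double is the speed multiplier,
   i.e. 2000% would be 20.0. The ~2000% sample decodes to 19.8, which fits. */
void percent_to_dwords(double percent, uint32_t *lo, uint32_t *hi)
{
    double_to_dwords(percent / 100.0, lo, hi);
}

int main(void)
{
    /* Pair captured in the debugger at ~2000%: SetSpeed(0xCCCCCCCD, 0x4033CCCC). */
    double captured = dwords_to_double(0xCCCCCCCDu, 0x4033CCCCu);
    /* Pair used by the .NET sample further down: SetSpeed(0x43333333, 0x40333333). */
    double dotnet = dwords_to_double(0x43333333u, 0x40333333u);
    uint32_t lo, hi;
    percent_to_dwords(300.0, &lo, &hi);   /* 3x speed */
    printf("captured pair = %.6f\n", captured);
    printf(".NET pair     = %.6f\n", dotnet);
    printf("300%% -> SetSpeed(0x%08X, 0x%08X)\n", lo, hi);
    /* On Windows the resolved SetSpeed(lo, hi) would then be called as in the code below. */
    return 0;
}
```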

C++ code [calling SetSpeed only]:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

// SetSpeed cleans up its own 8 bytes of arguments (retn 8), i.e. stdcall; CALLBACK is __stdcall
typedef void (CALLBACK *lpFnSetSpeed)(DWORD, DWORD);

int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hMd = ::LoadLibraryA("hookdll.dll");
    if (hMd == NULL)
    {
        printf("未找到 hookdll.dll");   // hookdll.dll not found
        getchar();
        return 0;
    }
    lpFnSetSpeed fnSetSpeed = (lpFnSetSpeed)GetProcAddress(hMd, "SetSpeed");
    if (fnSetSpeed == NULL)           // export missing: don't call through a NULL pointer
    {
        printf("未找到 SetSpeed");
        FreeLibrary(hMd);
        getchar();
        return 0;
    }
    (*fnSetSpeed)(100, 100);

    printf("调用成功!");              // call succeeded

    getchar();
    FreeLibrary(hMd);
    return 0;
}

With the above we can't see any effect. I have used the web browser control in MFC before, but I'm no longer familiar with it, so let's go straight to .NET code instead.

using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

public class FlashSpeed
{
    // No-argument exports, as seen in the disassembly above
    [DllImport("hookdll.dll", EntryPoint = "StartHook", CharSet = CharSet.Ansi)]
    public static extern void StartHook();

    [DllImport("hookdll.dll", EntryPoint = "EndHook", CharSet = CharSet.Ansi)]
    public static extern void EndHook();

    [DllImport("hookdll.dll", EntryPoint = "SoundHook", CharSet = CharSet.Ansi)]
    public static extern void SoundHook();

    // Two DWORDs, stored at dbl_414898 and dbl_414898+4
    [DllImport("hookdll.dll", EntryPoint = "SetSpeed", CharSet = CharSet.Ansi)]
    public static extern void SetSpeed(int arg1, int arg2);
}

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        // URL of some Flash game
        this.webBrowser1.Navigate("http://wpnm.91mangrandi.com/flash/mcdt/index.html?agent_id=54286&placeid=26752&type=4&game_id=102&aid=mcdt&rand=1&ref=26752.html&t=0.9260381994779965");
    }

    private void BtnSpeed_Click(object sender, EventArgs e)
    {
        FlashSpeed.StartHook();
        FlashSpeed.SetSpeed(0x43333333, 0x40333333);
        FlashSpeed.EndHook();
    }
}

Now we have our own Flash accelerator :)

This is just for fun; anyone interested can try it out for themselves. hookdll belongs to someone else, so please don't use it commercially; you bear the consequences :)

Original post: https://www.cnblogs.com/dreamzgj/p/2788635.html