• XX驱动保护之KdDisableDebugger


    nt!KdDisableDebugger(内核中用于关闭内核调试器的函数——从函数名和下面对 KdDisableCount 的检查来看,它是“关闭”而不是“检测”双机调试;驱动通过调用它来断开调试器。下面是 WinDbg 的反汇编,只截取了函数开头):
    // WinDbg `u` output of 32-bit x86 kernel-mode nt!KdDisableDebugger (entry 804f8876).
    // Only the prologue and the first check are shown; the routine continues past the jne.
    804f8876 8bff            mov     edi,edi     // entry: 2-byte no-op (the usual hot-patchable prologue pad); the `ew` patch further down overwrites exactly these two bytes
    804f8878 55              push    ebp
    804f8879 8bec            mov     ebp,esp
    804f887b 51              push    ecx         // reserves one 4-byte local slot; only its top byte [ebp-1] is used below
    804f887c b102            mov     cl,2        // fastcall arg for KfRaiseIrql: cl = new IRQL (2 = DISPATCH_LEVEL on x86 NT)
    804f887e ff152c904d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d902c)]   // raise IRQL; al = previous IRQL
    804f8884 8845ff          mov     byte ptr [ebp-1],al   // save old IRQL (presumably restored by a KfLowerIrql later in the routine, not shown)
    804f8887 e81c010000      call    nt!KdpPortLock (804f89a8)   // take the debugger-port lock
    804f888c 833d486a558000  cmp     dword ptr [nt!KdDisableCount (80556a48)],0
    804f8893 753a            jne     nt!KdDisableDebugger+0x59 (804f88cf) // this instruction is KdDisableDebugger+0x1d; it jumps to +0x59 (804f88cf, body not shown) when KdDisableCount != 0

    // Neutralize KdDisableDebugger: overwrite its first two bytes with `nop; ret` so the
    // driver's call returns immediately and the debugger is never disabled. Because the
    // patch sits at the very entry, none of the KfRaiseIrql / KdpPortLock work shown above
    // has executed yet, so there is no IRQL or lock state to undo. The routine takes no
    // arguments, so a bare `ret` is ABI-correct; eax is left untouched (the TesSafe caller
    // listed below does not read it before reloading it).
    // NOTE(review): this writes the running kernel's code through the kernel debugger. The
    // addresses (804f…) are from a 32-bit nt; on kernels with kernel-patch protection this
    // kind of in-place modification is presumably not viable — TODO confirm for the target.

    ew 804f8876 0xc390

    804f8876 90            nop     // byte 0x90 at 804f8876 (low byte of the 0xc390 word written little-endian)
    804f8878 55             ret   // NOTE: the `ret` (0xc3) is actually at 804f8877, the high byte of the word; the `55` (original push ebp) at 804f8878 is now unreachable. Control returns straight to the caller in the driver

     

    // 驱动(TesSafe)中的调用点:通过 call TesSafe+0x26dc (ee0d66dc) 进入下面这段代码,这里就是调用 KdDisableDebugger 的地方

     


    // (stray duplicate of the first instruction of the listing below; the EAX value
    //  annotated here differs from the one annotated below — presumably captured in a
    //  different break/run. Which instruction or run each value belongs to cannot be told
    //  from this page.)
    ee0d66dc a18c3e0eee      mov     eax,dword ptr [TesSafe+0xfe8c (ee0e3e8c)] // observed EAX=85DC1958
    kd> u ee0d66dc L30
    TesSafe+0x26dc:
    // Anti-cheat driver (TesSafe) fragment, 32-bit x86 kernel code, entered via
    // `call TesSafe+0x26dc`. It decodes an XOR-obfuscated function pointer, calls it, then
    // conditionally overwrites one kernel pointer. Register values in the comments are the
    // author's observations from a live session, not derivable from the listing itself.
    ee0d66dc a18c3e0eee      mov     eax,dword ptr [TesSafe+0xfe8c (ee0e3e8c)] // eax = pointer held in a driver global (observed EAX=804F872E)
    ee0d66e1 8b402c          mov     eax,dword ptr [eax+2Ch]                   // eax = field at +0x2c of that object: the encoded pointer
    ee0d66e4 3305883e0eee    xor     eax,dword ptr [TesSafe+0xfe88 (ee0e3e88)] // decode with the XOR key stored in another global; observed result 804F8876 = nt!KdDisableDebugger. The xor also sets ZF iff the decoded pointer is 0
    ee0d66ea 7402            je      TesSafe+0x26ee (ee0d66ee)  // null check: skip the call when the decoded pointer is 0. Author's patch: 74 -> 75 (je -> jne) so the call is skipped instead. CAUTION: that inverts the null check — if the decoded pointer were ever 0, the patched code would fall through to `call 0`. Patching to `eb 02` (jmp) or NOP-ing the 2-byte `call eax` (90 90) skips it unconditionally
    ee0d66ec ffd0            call    eax  // calls nt!KdDisableDebugger (the original note says "KeDisableDebugger"; the decoded address matches the Kd symbol above). eax is not read again before being reloaded at ee0d66f8, so the return value is ignored
    ee0d66ee 8b0dac0e0eee    mov     ecx,dword ptr [TesSafe+0xceac (ee0e0eac)]  // ecx = pointer from a driver global
    ee0d66f4 85c9            test    ecx,ecx
    ee0d66f6 740f            je      TesSafe+0x2707 (ee0d6707) // null -> return (this instruction is TesSafe+0x26f6)
    ee0d66f8 a1b00e0eee      mov     eax,dword ptr [TesSafe+0xceb0 (ee0e0eb0)]  // eax = value from a driver global
    ee0d66fd 85c0            test    eax,eax
    ee0d66ff 7406            je      TesSafe+0x2707 (ee0d6707) // null -> return (TesSafe+0x26ff)
    ee0d6701 3901            cmp     dword ptr [ecx],eax    // observed [ECX]=8066D1F8, EAX=804F8D6C — both look like nt-image addresses (cf. 804f8876 / 80556a48 above)
    ee0d6703 7402            je      TesSafe+0x2707 (ee0d6707)  // already equal -> return (TesSafe+0x2703)
    ee0d6705 8901            mov     dword ptr [ecx],eax    // otherwise overwrite *ecx with eax. Which kernel pointer this is cannot be told from this listing — presumably the driver installing or restoring a pointer to an nt routine; TODO confirm
    ee0d6707 c3              ret

     

     

    测试的是XX三国,第一次修改完毕后发现游戏无法打开

    然后重新下断

    发现驱动仍然会调用到 KdDisableDebugger(之前的修改可能没有生效或已被恢复),于是重新执行上面的方法

    搞定

     

    本内容仅供技术研究,请勿用作不正当行为,谢谢合作

  • 原文地址:https://www.cnblogs.com/shuoshuo/p/2522814.html